commit 70dcbe4527a45ab4fea6d58c016e7d3032f31e8cHEAD master

Author: Ming Yue <mingyue86010@gmail.com> Date: Tue Aug 11 17:06:59 2020 -0700 Remove unused wolfSSL files. (#197) * Remove unused wolfSSL files. * Add back some removed ciphers. * Update VS project file. commit 0e0edd96e8236b2ea4a6e6018812807be828c77f Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Tue Aug 11 10:50:30 2020 -0700 Use new QEMU test project to improve stream/message buffer tests (#168) * Add Eclipse/GCC project that targets the LM3S8962 QEMU model. * Get the Cortex-M QEMU project working. * Continue working on making stream buffer demo more robust and QEMU project. * Rename directory CORTEX_LM3S8986_QEMU to CORTEX_LM3S6965_QEMU. Work on making the Stream Buffer tests more robust. Check in before adding in the trace recorder. * Rename CORTEX_LM3S6969_QEMU to CORTEX_LM3S6969_GCC_QEMU. * Make the StreamBufferDemo.c common demo file (test file) more robust to other test tasks running at an equally high priority. * Work in progress checkin only - comments in main.c are incorrect. * Correct comments at the top of FreeRTOS/Demo/CORTEX_LM3S6965_GCC_QEMU/main.c Make the message buffer tests more robust in the case the a message buffer becomes full when prvSenderTask() has a higher priority than the reader task. * Disable trace recorder in the LM3S6965 QEMU demo. * I'm dropping FreeRTOS-Kernel reference update, since this seems to break the CMBC CI. Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 157a7fc39f19583ac8481e93fa3e1c91b1e1860c Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Sun Aug 9 22:21:44 2020 -0700 Use chacheable RAM in IAR project for MPU_M7_NUCLEO_H743ZI2 project (#193) This change updates the IAR project for Nucleo H743ZI2 to use the cacheable DTC RAM and enables L1 cache. In order to ensure the correct functioning of cache, the project sets configTEX_S_C_B_SRAM in FreeRTOSConfig.h to not mark the RAM as shareable. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit f3e43556f90f01b82918ad533b0c616489331919 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Sun Aug 9 16:23:53 2020 -0700 Add MPU demo projects for NUCLEO-H743ZI2 board (#155) * Add MPU demo projects for NUCLEO-H743ZI2 board It contains projects for Keil uVision, STM32CubeIDE and IAR EW. This demo shows the use of newly added support for 16 MPU regions. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> * Delete not needed CMSIS files Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit 94aa31c3cbae7c929b8a412768b74631f4a6b461 Author: TakayukiMatsuo <62984531+TakayukiMatsuo@users.noreply.github.com> Date: Sat Aug 8 07:58:14 2020 +0900 Update wolfSSL to the latest version(v.4.4.0) (#186) * deleted old version wolfSSL before updating * updated wolfSSL to the latest version(v4.4.0) * updated wolfSSL to the latest version(v4.4.0) * added macros for timing resistance Co-authored-by: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Co-authored-by: Ming Yue <mingyue86010@gmail.com> commit 68518f5866aac58793c737d9a46dd07a6a816aaf Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Fri Aug 7 14:59:24 2020 -0700 Removed a 16MByte flash image file that was checked in by mistake (several years ago). (#173) Remove the copies of lwIP that are no longer reference from demo projects. Co-authored-by: Carl Lundin <53273776+lundinc2@users.noreply.github.com> commit d4bf09480a2c77b1a25cce35b32293be61ab586f Author: m17336 <45935231+m17336@users.noreply.github.com> Date: Thu Aug 6 22:37:08 2020 +0300 Update previous AVR ATmega0 and AVR Dx projecs + addition of equivalent projects in MPLAB.X and IAR (#180) * Updated indentation in AVR_ATMega4809_Atmel_Studio and AVR_Dx_Atmel_Studio projects, plus small fixes in their readme files. * Added AVR_ATMega4809_IAR, AVR_ATMega4809_MPLAB.X, AVR_Dx_IAR and AVR_Dx_MPLAB.X demo projects. * Removed build artefacts and added .gitignore files in AVR_ATMega4809_MPLAB.X and AVR_Dx_MPLAB.X projects. Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit f32a0647c8228ddd066f5d69a85b2e49086e4c95 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Aug 3 16:45:10 2020 -0700 Remove CBMC patch which is not used anymore (#187) * Delete 0002-Change-FreeRTOS_IP_Private.h-union-to-struct.patch * Delete 0002-Change-FreeRTOS_IP_Private.h-union-to-struct.patch commit 08af68ef9049279b265c3d00e9c48fb9594129a8 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Sat Aug 1 16:38:23 2020 -0700 Remove dependency of CBMC on Patches (#181) * Changes to DHCP * CBMC DNS changes * Changes for TCP_IP * Changes to TCP_WIN * Define away static to nothing * Remove patches * Changes after Mark's comments v1 * Update MakefileCommon.json * Correction! commit a7fec906a415363338449447daf10d7517b78848 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 17:39:36 2020 -0700 Misc changes (#183) commit 07cf5e07e4a05d6775a2f9e753269f43f82cf6ba Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 16:15:38 2020 -0700 MISRA compliance changes for FreeRTOS+TCP headers (#165) * misra changes * Update FreeRTOS_IP_Private.h * Update FreeRTOS_IP_Private.h commit e903ac0fed7ce59916899e404f3e5ae5b08d1478 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 16:03:14 2020 -0700 UPD MISRA changes (#164) Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 97551bf44e7dc7dc1e4484a8fd30f699255e8569 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 15:52:00 2020 -0700 MISRA changes in FreeRTOS_TCP_WIN.c (#162) commit f2611cc5e5999c4c87e040a8c2d2e6b5e77a16a6 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 15:38:37 2020 -0700 MISRA compliance changes in FreeRTOS_Sockets{.c/.h} (#161) * MISRA changes Sockets * add other changes * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * Update FreeRTOSIPConfig.h * correction * Add 'U' * Update FreeRTOS_Sockets.h * Update FreeRTOS_Sockets.h * Update FreeRTOS_Sockets.c * Update FreeRTOS_Sockets.h * Update after Gary's comments * Correction reverted commit ae4d4d38d9b2685bae159b4c87619cdb157c0bf7 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 29 13:56:57 2020 -0700 MISRA compliance changes for FreeRTOS_TCP_IP.c (#160) * MISRA tcp-ip changes * Changes after Hein's comments on original PR * Update FreeRTOS_TCP_IP.c Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit a457f43c66eb0f4be9d8f8678c0e3fb8d7ebd57b Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Tue Jul 28 13:01:38 2020 -0700 Add missing error state assignment. (#166) commit 915af50524e15a78ceb6c62b3d33f6562621ee46 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Mon Jul 27 17:30:53 2020 -0700 Add Atmel Studio projects for ATMega4809 and AVR128DA48 (#159) * Added explicit cast to allow roll over and avoid integer promotion during cycles counters comparison in recmutex.c. * Fixed type mismatch between declaration and definition of function xAreSemaphoreTasksStillRunning( void ). * Added Atmel Studio demo projects for ATMega4809 and AVR128DA48. * Per https://www.freertos.org/upgrading-to-FreeRTOS-V8.html, I'm updating portBASE_TYPE to BaseType_t. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Update register test for ATmega4809 - to cover r28, r29, r31. - call public API taskYIELD() instead of portYIELD(). * Update ATmega4809 readme.md to include info for serial port setup, and minor wording fix. Co-authored-by: Alexandru Niculae - M17336 <alexandru.niculae@microchip.com> commit 4a7a48790d64127f85cc763721b575c51c452833 Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Jul 23 10:22:33 2020 -0700 Add Uncrustify file used for Kernel. (#163) commit e0d62163b08769fd74f020709c398f994088ca96 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 22 18:06:23 2020 -0700 Sync with +TCP amazon-FreeRTOS (#158) * DNS.c commit * IP.c commit * Add various source & header files commit 8e36bee30eef2107e128edb58e83ee46e8241a91 Author: Nathan Chong <52972368+nchong-at-aws@users.noreply.github.com> Date: Tue Jul 21 12:51:20 2020 -0400 Prove buffer lemmas (#124) * Prove buffer lemmas * Update queue proofs to latest kernel source All changes were syntactic due to uncrustify code-formatting * Strengthen prvCopyDataToQueue proof * Add extract script for diff comparison Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit c720c18ada40b502436ea811e8d03dca919726d8 Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Tue Jul 14 05:35:44 2020 +0800 FreeRTOS+TCP Adding the combined driver for SAM4E and SAME70 v2 (#78) * Adding a combined +TCP driver for SAM4E and SAME70 * Changes after review from Aniruddha Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> commit 4237049b12d9bb6b03694fecf6ea26a353e637c8 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Jul 13 12:07:56 2020 -0700 Add changes from 2225-2227 amazon-FreeRTOS (#134) commit 7caa32863458c4470d3c620945c30824199f524c Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jul 10 23:32:30 2020 -0700 Add Full TCP test suite - not using secure sockets (#131) * Add Full-TCP suite * delete unnecessary files * Change after Joshua's comments commit d7667a0034841f2968f9f9f805030cc608bfbce1 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Fri Jul 3 15:45:44 2020 -0700 Remove unnecessary semicolon from the linker file (#121) This was creating problem with the onboard LPCLink debug probe. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit 529c481c39506d0b331bfd0cdea35e5d1aeaaad0 Author: Nathan Chong <52972368+nchong-at-aws@users.noreply.github.com> Date: Thu Jul 2 15:55:20 2020 -0400 Add VeriFast kernel queue proofs (#117) commit d5fedeaa96b5b1d3c0f6b9b52a8064ab72ff2821 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jul 1 13:56:27 2020 -0700 Add checks in FreeRTOS_Socket.c (#104) * Add fail-safes to FreeRTOS_Socket.c * Use all 'pd' errors * Correction after Hein's comments * Correction after Hein's comments v2 * Changes after Hein's comments * Update after Gary's comments commit a9b2aac4e9fda2a259380156df9cc0af51384d2d Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jun 26 12:09:36 2020 -0700 Folder structure change + Fix broken Projects (#103) * Update folder structure * Correct project files * Move test folder * Some changes after Yuki's comments commit 98bfc38bf3404414878dc68ea41753bea4e24c8e Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Thu Jun 25 13:01:45 2020 +0800 FreeRTOS+TCP : add memory statistics and dump packets, v3 (#83) * FreeRTOS+TCP : add memory statistics and dump packets, v3 * Two changes as requested by Aniruddha Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> commit 072a173c9df31c75ff64bde440f3f316cedb9033 Author: S.Burch <8697966+wholl0p@users.noreply.github.com> Date: Mon Jun 22 23:39:26 2020 +0200 Fixed Imports for Infineon XMC1100 Board (#88) Co-authored-by: RichardBarry <3073890+RichardBarry@users.noreply.github.com> commit 2df5eeef5763045c4c74ff0e2a4091b7d19bea89 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Mon Jun 8 14:22:46 2020 -0700 Feature/multiple direct to task notifications (#73) * Add TaskNotifyArray.c with the single task tests updated to use the task notification array up to the point where the timer is created. * Continue working on TaskNotifyArray.c to test the new task notification indexes. Next TaskNotifyArray.c will be refactored to break the tests up a bit. * Refactor and update the comments in TaskNotifyArray.c - no functional changes. * Change from the task notify "array" to task notification "indexed" nomenclature in the new task notification API functions that work on one particular task notification with the array of task notifications. * Update the implementation of the taskNOTIFY_TAKE() and taskNOTIFY_WAIT() trace macros to take the array index of the task notification they are acting on. Rename configNUMBER_OF_TASK_NOTIFICATIONS to configTASK_NOTIFICATION_ARRAY_ENTRIES. Add FreeRTOS/Demo/Common/Minimal/TaskNotifyArray.c to the Visual Studio project - the file implements tests specific to the behaviour of the indexed task notification functions and should be used in addition to the tests already provided in FreeRTOS/Demo/Common/Minimal/TaskNotify.c. commit b9e4ecfaf7286d8493d4a96a93fbb325534ad97b Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Jun 5 11:10:58 2020 -0700 Remove Empty and Un-referenced folder from Demo (#86) commit f11bcc8acc57a23fb03603762e758c25b9d0efb7 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Jun 3 16:52:31 2020 -0700 Fix a Bug and corresponding CBMC patch (#84) * Update remove-static-in-freertos-tcp-ip.patch * Update FreeRTOS_TCP_IP.c * Update remove-static-in-freertos-tcp-ip.patch * Update remove-static-in-freertos-tcp-ip.patch Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit bb9f92f771e5f6ea2b9b09c7e89130a75e562eb7 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Wed Jun 3 10:46:55 2020 -0700 Submodule FreeRTOS/Source 10bbbcf0b..6199b72fb (#82) commit 6efc39f44be5b269168836e95aebbdb8ae77dce3 Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue Jun 2 15:09:25 2020 -0700 Add Project for running integration tests v2 (#80) * Project for integration tests * relative paths in project files * relative paths in project files-1 * relative paths in project files-2 * addressed comments * addressed comments v2 Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 0eb5909fb02bac9dc074ff1bc2fe338d77f73764 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu May 28 17:05:24 2020 -0700 readme.md for ATmega328PB Xplained Mini. (#76) readme.md to get users jump started. commit cb7edd2323a77f3dbea144c1f48f95582becc99e Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu May 28 10:11:58 2020 -0700 Sync with a:FR (#75) * AFR sync * AFR sync: CBMC * AFR sync: CBMC: remove .bak files * AFR sync: CBMC: more cleanup * Corrected CBMC proofs * Corrected CBMC patches * Corrected CBMC patches-1 * Corrected CBMC patches-2 * remove .bak files (3) Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 6557291e5407ca7ec6beca53fced1aaa620c5c02 Author: alfred gedeon <alfred2g@hotmail.com> Date: Wed May 27 14:44:33 2020 -0700 Test: Add Linux Networking support with demo application (#71) * Test: Add Linux Networking support with demo application * Test: revert files affected by uncrustify * Test: revert files affected by uncrustify Co-authored-by: Alfred Gedeon <gedeonag@amazon.com> Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 8b079bc394e7b205d72210ce9e052404d782938f Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Wed May 27 10:44:03 2020 -0700 ATmega328PB Xplained Mini -- demo project for ATmega port. (#70) * Bootstrap a demo from START. No driver is added in this commit. * Add FreeRTOS source code to project. Remove unnecessary folder nesting. Heap_4 is used here. * Copy over main.c, FreeRTOSConfig.h, and regtest.{c, h}. This commit compiles, but will need some work on timer used. * This port has 2KB RAM. We are using 1KB for heap. Further decreasing minimum stack size, and also use stack overflow check 1 to save some stack space. * Preserve EEPROM set to false. * End of the line. * Reduce register test stack size. 32 8-bit register + 10 bytes for stack frame cost. Round up to 50. * Adding Queue test in Integer test. - g3 to easy debugging. - mainCHECK_PERIOD is set to 1000 ticks. Note that this port for now use WDT as tick timer, and period is set to 15ms. - vErrorChecks, is of highest priority. So if this task gets run before other tasks, the very first check will fail. * Avoid false alarm. Since we don't know in which order the tasks are scheduled, clearing any error for the first entry of vErrorChecks. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * ParTest.c to init, set, toggle onboard user LED at PB5. * Added a task to blink onboard user LED. Need a magic number for stack size. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Explicitly setting timing slicing to 0. This is to avoid unecessary context switch when multiple tasks are of the same priority. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * Add taskYIELD() at the end of the loop in each register test task. This is to give other tasks of the same priority a chance to run, regardless of scheduling algorithm. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> * minor, update comment in main.c. commit 95a3a02f95749fb7a600723076e291f9dee7426c Author: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri May 22 16:26:59 2020 -0700 FreeRTOS-Plus: Unit testing Infrastructure and examples (#72) * Added CMock as submodule * Makefile added * Removed TEMP from Makefile * Added configuration files and header files * Update Makefile * Test runner working * make clean * Example added with README * Update README.md * Restored +TCP files * Cleared +TCP changes * removed comments from Makefile * Update README.md * Update README.md * Update README.md * Updated Test/Unit-test/readme.md commit 5003d17feda25490e655c0f1c15d2b13e395c9f7 Author: Hein Tibosch <hein_tibosch@yahoo.es> Date: Wed May 6 14:16:56 2020 -0400 FreeRTOS+TCP : renewing DHCP lease while network is down (#53) Co-authored-by: Hein Tibosch <hein@htibosch.net> Co-authored-by: Gary Wicker <14828980+gkwicker@users.noreply.github.com> commit d95624c5d6ba95ec0474867d7165de2c28ed41b7 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue May 5 09:57:18 2020 -0700 Move CBMC proofs to FreeRTOS+ directory (#64) * move CBMC proofs to FreeRTOS+ directory * Failing proofs corrected * ParseDNSReply proof added back * removed queue_init.h from -Plus/Test Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 95ae7c65758a9473ea16ab08182f056f72331de2 Author: markrtuttle <tuttle@acm.org> Date: Wed Apr 29 04:27:45 2020 +0000 Change cbmc-viewer invocation in CBMC makefile (#63) * Exclude FreeRTOS/Demo from CBMC proof reports. The script cbmc-viewer generates the CBMC proof reports. The script searches source files for symbol definitions and annotates source files with coverage information. This patch causes cbmc-viewer to ignore the directory FreeRTOS/Demo containing 348M of data. The script now terminates in a few seconds. * Make report default target for CBMC Makefile. Modify the Makefile for CBMC proofs to generate the report by default (and not just property checking) and modify property checking to ignore failures (due to property assertions failing) and terminating report generation. Co-authored-by: Mark R. Tuttle <mrtuttle@amazon.com> commit d421ccc89f6f6473dfdd566a00567b0e1fd4cfc3 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Sat Apr 25 16:57:35 2020 -0700 Reword readme.md under ./Test. (#61) commit 38412865985235b90dbd9da9708b68c4de5918f5 Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Sat Apr 25 16:56:54 2020 -0700 Removed a:FR reference. (#60) commit 4db195c916c7b13c82ab3a34a499fe606f266810 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Tue Apr 21 15:40:08 2020 -0700 Adding FreeRTOS+TCP CBMC proofs to FreeRTOS/FreeRTOS (#56) ParseDNSReply is to be added in the next PR. commit 40a31b6d35a866a3a6c551d95bf08dae855da5bd Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Apr 13 13:58:33 2020 -0700 'uL' -> 'UL' commit 5b3a289b69fc92089aa8bd4d1b44ab816f326f73 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Apr 13 13:50:53 2020 -0700 Changes after Gary's comments commit edf68637dd22470a8d4f59fecc15b51379bcfeda Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 16:26:03 2020 -0700 Update FreeRTOS_ARP.c commit 35f3ac32a8899dd714a8a48952a4224fbcebc4aa Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 15:56:18 2020 -0700 correct debug output commit 5e12a70db4b6a8e68a434489683306f040252efa Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Apr 10 15:44:45 2020 -0700 Debugging flag check added commit 4e8ac8de25ac4088b9c789b88a77cd39df4d9167 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:57:19 2020 -0700 Comment style consistency and Yuhui's suggestions commit e43f7cd086096ad60491fedba69927a1e1a82f20 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:47:41 2020 -0700 Cleanup commit ab3b51c7a0d880a6bf453ec63ae604e15050f310 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Thu Apr 9 16:33:03 2020 -0700 Update after Gary's comments commit 97f7009699ffb972c0745dfdb526d1fa4e0faf84 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 14:30:15 2020 -0700 Update after richard's comments commit a9fcafc074cec559dd67961ef44273df6180c2db Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 14:07:39 2020 -0700 Corrected the formatting - visual studio had messed up the formatting commit c381861014a8043ce30723fc5a8cf5107719c8df Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 13:01:12 2020 -0700 commit 2 after gary's comments commit 75677a8d85fa802cca9058d6e23796d5043a0982 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 12:51:10 2020 -0700 Commit after Gary's comments commit 666c0da366030109db2c0c5e7253cebb2f899db7 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 8 10:56:01 2020 -0700 Update after Yuhui's comments - removed (void) from before memcpy, memset etc. - corrected memcpy style as suggested by Yuhui - Added logging for xNetworkInterfaceOutput. No need to configASSERT commit 4a1148d15b6b8169d2412f8179f734683b179795 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Apr 1 16:05:36 2020 -0700 Coverity + MISRA compliance Modified code to conform to the MISRA directives more closely. commit fa74f7dccf6b1a356993c6a894f8e1173b8c8157 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu Apr 2 20:26:10 2020 -0700 Removing writes to read-only PLIC interrupt pending registers. Signed-off-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> commit 5b9777e11e16609648fb98d2f9a47553ab238950 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 31 10:45:23 2020 -0700 A readme file to introduce what ./Test directory is about. commit 211bb4cbd9ae6dfa95e8d8501f37d272bde5ab26 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 24 15:14:24 2020 -0700 Ignore whitespace when working with patches. commit 8156f64d1c45dd59ef12279f19a99f03e79e1f8a Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 25 18:04:23 2020 -0800 Copying CBMC proofs from aws/amazon-freertos repo ./tools/cbmc to this repo ./FreeRTOS/Test/CBMC as is. The commit ID in aws/amazon-freertos is 0c8e0217f2a43bdeb364b58ae01c6c259e03ef1b. commit 9f316c246baafa15c542a5aea81a94f26e3d6507 Author: David Vrabel <david.vrabel@cambridgeconsultants.com> Date: Mon Mar 16 11:21:46 2020 +0000 Demo/Posix_GCC: add demo application for Posix port using GCC This is largely a copy of the Windows demo application with a few key changes: - heap_3 (use malloc()/free()) so tools like valgrind "just work". - printf() wrapped in a mutex to prevent deadlocks on the internal pthread mutexes inside printf(). SCons (https://scons.org/) is used as the build system. This will be built as a 64-bit application, but note that the memory allocation trace points only record the lower 32-bits of the address. commit f78f919b3e2f0d707531a301a8ca07cd02bc4778 Author: Markus Rinne <markus.ka.rinne@gmail.com> Date: Thu Mar 19 21:00:24 2020 +0200 Fix function comments commit 1cd2d38d960a3576addb224582c88489bade5141 Author: David Chalco <david@chalco.io> Date: Fri Mar 20 10:29:05 2020 -0700 unix separators for path and remove .exe suffix from risc compiler (works on windows/mac) commit 938b19419eded12817737ab0644e94ed2ba7e95d Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Thu Mar 19 18:23:09 2020 -0700 Removing ./FreeRTOS-Labs directory, since: - IoT libraries are now in LTS branch. - FAT/POSIX/Light-weight MQTT are in https://github.com/FreeRTOS/FreeRTOS-Labs. commit 1a4abbc9e91b13fd6394464ade59d5e048320c7c Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 19:30:02 2020 -0700 Maintenance -- clean up readme.txt and add url to GitHub. (#38) * Removing readme.txt, as now we have README.md in place. The only information missing from README.md is about FAQ. * Adding FAQ information in README.md. * Adding a .url to root to redict user to FreeRTOS github home page. commit 47bb466aa19395b7785bcb830e2e4dd35f6bafc5 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 13:07:44 2020 -0700 Update issue templates Template maintenance. - adding title prefix. - adding examples to "additional context" section. commit f506290041f56867765f8efa70ed2862125bdb7c Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 17 10:15:07 2020 -0700 Create SECURITY.md Apply the recommended SECURITY.md from AWS to our repo. commit 8982a2f80a80a2a0a47cf82de07b52101bd9d606 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 13 12:50:10 2020 -0700 Add ./lib directory to make sure Zynq project compiles. commit ecf0f12aa14ad6fdafe1ef37257cbb4e03e2abd5 Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Wed Mar 11 10:19:48 2020 -0700 Sync up with Amazon-freertos repo (10th March 2020) (#34) * Sync up with amazon-freertos * Sync up with amazon-freertos * Sync up with amazon-freertos commit 0acffef047973e2e61c2201fd69cd9bbd317f674 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Mar 10 10:20:48 2020 -0700 GitHub PR template. (#29) commit c40a6da2e4cb8042b56d1b174051cbbe9813781a Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Mon Mar 9 11:18:48 2020 -0700 pass payload length when calling UDP callback (#30) * pass payload length when calling UDP callback commit 12d580e93d4d9074b9a867632f0681a511b4ad12 Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 18:16:51 2020 -0800 Update issue templates Initial issue template. Created following https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository#configuring-the-template-chooser. If change is needed, we could go another round. commit 9debffb5e0e42ff716f58b2270b3af09652294af Author: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 17:27:46 2020 -0800 Update README.md to remove dead link. See the conversation https://github.com/FreeRTOS/FreeRTOS/commit/42c627b2b88cb3b487fea983d8b566a8bbae54fa#comments . Linkage for both ```./FreeRTOS/Source``` and ```./FreeRTOS/Demo``` are removed, since it looks weird to only provide linkage to Demo. commit 7e1a4bf563240501fc45167aee9d929c533939dd Author: AniruddhaKanhere <60444055+AniruddhaKanhere@users.noreply.github.com> Date: Fri Mar 6 15:18:09 2020 -0800 Fix DHCP option Client-identifier (#28) commit 42c627b2b88cb3b487fea983d8b566a8bbae54fa Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Mar 6 09:15:11 2020 -0800 Update readme and revert relative URL. (#27) * Reordering: bumping cloning instruction up. * Rewording readme.md to be clear kernel code is a submodule of this repository. * Reverting relative URL, since user cannot click through on GitHub page. (With URL, user could still download the correct version of the code. Reverting simply due to UI issue.) commit 5751ae9b60e248ebd0b4dd7c58df54364d2bb9d5 Author: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com> Date: Fri Mar 6 09:11:42 2020 -0800 Update CORTEX_MPU_M33F_NXP_LPC55S69_MCUXpresso project (#26) This commit updates the project for LPC55S69 so that it works with the latest version of MCUXpresso and SDK. Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com> commit a9ffffe1f01f45f79e127c15727784984077932f Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Mar 5 17:16:13 2020 -0800 Using Relative URL For Submoduling. (#24) commit 52c82076b38fe73d1dc46c97abf74ae9b803696c Author: Carl Lundin <53273776+lundinc2@users.noreply.github.com> Date: Thu Mar 5 09:16:31 2020 -0800 use relative path to point to bundled toolchain instead (#25) commit b877e4ec478de2c24d07ab46241070d7c66f375c Author: lundinc2 <53273776+lundinc2@users.noreply.github.com> Date: Tue Feb 25 13:18:38 2020 -0800 Moved vulnerability reporting and code of conduct to top of CONTRIBUTING.md (#20) commit bef165d46799fb8faa58aaa224f80c16b6538e69 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 18 22:06:38 2020 -0800 Linking test source file from relative path. (#19) commit 89e7bbe292afd3912d1f0b2402cc506878bad869 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Tue Feb 18 17:47:55 2020 -0800 A preliminary .gitignore file, to prevent us checking in files unnecessary. (#18) https://github.com/github/gitignore. commit c2a98127acb48c4562233230e66ca5c282688579 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Sun Feb 16 13:19:53 2020 -0800 Minor wording changes in the 'previous releases' section of the readme.me file. (#17) commit 24c772d1439e5c291c0a29fce0a46996ca8afaa9 Author: Yuhui.Zheng <10982575+yuhui-zheng@users.noreply.github.com> Date: Fri Feb 14 12:47:01 2020 -0800 Submodule kernel directory. (#16) * Removing FreeRTOS/Source in readiness for submoduling. * Submoduling kernel. * README.md update due to submoduling. When releasing, please follow these steps: 1. in local directory, clean directory and check "git status" shows "nothing to commit, working tree clean" for ALL subdirectories. 2. copy source code and instructions only to an empty folder. Git related should not be in this folder -- this covers .git, .gitignore, .github, .gitmodules, gitmessages, ...... 3. zip the folder from step 2. (create both .zip and .7z) 4. attach .zip and .7z to the release. (e.g. attach these two in new release -- https://github.com/FreeRTOS/FreeRTOS/releases/new) 5. PLEASE download both, unzip, diff with your local git repo. (should not see any difference other than git related.) And, sanity check a couple of projects. commit c3f8b91652392dc55e0d7067b90a40de5f5f0837 Author: Rashed Talukder <9218468+rashedtalukder@users.noreply.github.com> Date: Thu Feb 13 17:47:14 2020 -0800 Update readme. Fixed typos and cli commands (#14) commit 4723b825f2989213c1cdb2ebf4d6793e0292e363 Author: Julian Poidevin <julian-poidevin@users.noreply.github.com> Date: Fri Feb 14 02:43:36 2020 +0100 Fixed wrong git clone SSH command (#13) Replaced bad https URL with proper SSH URL commit fc819b821715c42602819e58499846147a6394f5 Author: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Date: Thu Feb 13 17:42:22 2020 -0800 Correct the xTimerCreate() documentation which said NULL was returned if the timer period was passed into the function as 0, whereas that is not the case. (#15) Add a note to the documentation for both the xTimerCreate() and xTimerCreateStatic() functions that the timer period must be greater than 0. commit 1c711ab530b5f0dbd811d7d62e0a3763706ffff4 Author: Rashed Talukder <9218468+rashedtalukder@users.noreply.github.com> Date: Wed Feb 12 23:00:18 2020 -0800 Updated contributions guidelines (#12) commit 84fcc0d5317d96c6b086034093c8c1c83e050819 Author: Cobus van Eeden <35851496+cobusve@users.noreply.github.com> Date: Wed Feb 12 15:05:06 2020 -0800 Updates to Markdown files and readme.txt (#11) git-svn-id: http://svn.code.sf.net/p/freertos/code/trunk@2826 1d2547de-c912-0410-9cb9-b8ca96c0e9e2
author: lundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2> 2020-08-12 19:11:51 +0000
committer: lundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2> 2020-08-12 19:11:51 +0000
commit: 42255af1e27a3157d541f0812eaca447c569ca49 (patch)
tree: 5c8702c2f0dc1cb9be1a4d5ff285897d96b97dd2 /FreeRTOS-Plus/Source/WolfSSL/wolfcrypt
parent: f5221dff43de249079c2da081723cb7a456f981f (diff)
download: freertos-42255af1e27a3157d541f0812eaca447c569ca49.tar.gz
133 files changed, 514198 insertions, 23618 deletions
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.c
index f284774f3..f79f7c86f 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.c
@@ -1,8 +1,8 @@
 /* benchmark.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 /* wolfCrypt benchmark */
 
 
@@ -26,17 +27,104 @@
     #include <config.h>
 #endif
 
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/version.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+
+/* Macro to disable benchmark */
+#ifndef NO_CRYPT_BENCHMARK
 
-#include <string.h>
+/* only for stack size check */
+#ifdef HAVE_STACK_SIZE
+    #include <wolfssl/ssl.h>
+    #include <wolfssl/test.h>
+#endif
+
+#ifdef USE_FLAT_BENCHMARK_H
+    #include "benchmark.h"
+#else
+    #include "wolfcrypt/benchmark/benchmark.h"
+#endif
 
+/* printf mappings */
 #ifdef FREESCALE_MQX
     #include <mqx.h>
-    #include <fio.h>
-#else
+    /* see wc_port.h for fio.h and nio.h includes */
+#elif defined(FREESCALE_KSDK_1_3)
+    #include "fsl_debug_console.h"
+    #include "fsl_os_abstraction.h"
+
+    #undef printf
+    #define printf PRINTF
+#elif defined(WOLFSSL_DEOS)
+    #include <deos.h>
+    #undef printf
+    #define printf printx
+#elif defined(MICRIUM)
+      #include <bsp_ser.h>
+      void BSP_Ser_Printf (CPU_CHAR* format, ...);
+      #undef printf
+      #define printf BSP_Ser_Printf
+#elif defined(WOLFSSL_ZEPHYR)
+    #include <stdio.h>
+    #define BENCH_EMBEDDED
+    #define printf printfk
+    static int printfk(const char *fmt, ...)
+    {
+        int ret;
+        char line[150];
+        va_list ap;
+
+        va_start(ap, fmt);
+
+        ret = vsnprintf(line, sizeof(line), fmt, ap);
+        line[sizeof(line)-1] = '\0';
+        printk("%s", line);
+
+        va_end(ap);
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_TELIT_M2MB)
+    #include <stdarg.h>
     #include <stdio.h>
+    #include <string.h>
+    #include "m2m_log.h" /* for M2M_LOG_INFO - not standard API */
+    /* remap printf */
+    #undef printf
+    #define printf M2M_LOG_INFO
+    /* OS requires occasional sleep() */
+    #ifndef TEST_SLEEP_MS
+        #define TEST_SLEEP_MS 50
+    #endif
+    #define TEST_SLEEP() m2mb_os_taskSleep(M2MB_OS_MS2TICKS(TEST_SLEEP_MS))
+    /* don't use file system for these tests, since ./certs dir isn't loaded */
+    #undef  NO_FILESYSTEM
+    #define NO_FILESYSTEM
+
+#else
+    #if defined(XMALLOC_USER) || defined(FREESCALE_MQX)
+        /* MQX classic needs for EXIT_FAILURE */
+        #include <stdlib.h>  /* we're using malloc / free direct here */
+    #endif
+
+    #ifndef STRING_USER
+        #include <string.h>
+        #include <stdio.h>
+    #endif
+
+    /* enable way for customer to override test/bench printf */
+    #ifdef XPRINTF
+        #undef  printf
+        #define printf XPRINTF
+    #endif
 #endif
 
+#include <wolfssl/wolfcrypt/memory.h>
 #include <wolfssl/wolfcrypt/random.h>
 #include <wolfssl/wolfcrypt/des3.h>
 #include <wolfssl/wolfcrypt/arc4.h>
@@ -51,68 +139,554 @@
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/sha256.h>
 #include <wolfssl/wolfcrypt/sha512.h>
+#include <wolfssl/wolfcrypt/sha3.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/ripemd.h>
+#include <wolfssl/wolfcrypt/cmac.h>
+#ifndef NO_HMAC
+    #include <wolfssl/wolfcrypt/hmac.h>
+#endif
+#ifndef NO_PWDBASED
+    #include <wolfssl/wolfcrypt/pwdbased.h>
+#endif
 #ifdef HAVE_ECC
     #include <wolfssl/wolfcrypt/ecc.h>
 #endif
+#ifdef HAVE_IDEA
+    #include <wolfssl/wolfcrypt/idea.h>
+#endif
 #ifdef HAVE_CURVE25519
     #include <wolfssl/wolfcrypt/curve25519.h>
 #endif
 #ifdef HAVE_ED25519
     #include <wolfssl/wolfcrypt/ed25519.h>
 #endif
+#ifdef HAVE_CURVE448
+    #include <wolfssl/wolfcrypt/curve448.h>
+#endif
+#ifdef HAVE_ED448
+    #include <wolfssl/wolfcrypt/ed448.h>
+#endif
 
 #include <wolfssl/wolfcrypt/dh.h>
-#ifdef HAVE_CAVIUM
-    #include "cavium_sysdep.h"
-    #include "cavium_common.h"
-    #include "cavium_ioctl.h"
+#ifdef HAVE_NTRU
+    #include "libntruencrypt/ntru_crypto.h"
+#endif
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/types.h>
+
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+    #ifdef HAVE_INTEL_QA_SYNC
+        #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+    #endif
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+        #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+    #endif
+#endif
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    #include <wolfssl/wolfcrypt/async.h>
+#endif
+
+
+#ifdef WOLFSSL_STATIC_MEMORY
+    static WOLFSSL_HEAP_HINT* HEAP_HINT;
+#else
+    #define HEAP_HINT NULL
+#endif /* WOLFSSL_STATIC_MEMORY */
+
+#ifndef EXIT_FAILURE
+#define EXIT_FAILURE 1
+#endif
+
+/* optional macro to add sleep between tests */
+#ifndef TEST_SLEEP
+    /* stub the sleep macro */
+    #define TEST_SLEEP()
+#endif
+
+
+/* Bit values for each algorithm that is able to be benchmarked.
+ * Common grouping of algorithms also.
+ * Each algorithm has a unique value for its type e.g. cipher.
+ */
+/* Cipher algorithms. */
+#define BENCH_AES_CBC            0x00000001
+#define BENCH_AES_GCM            0x00000002
+#define BENCH_AES_ECB            0x00000004
+#define BENCH_AES_XTS            0x00000008
+#define BENCH_AES_CTR            0x00000010
+#define BENCH_AES_CCM            0x00000020
+#define BENCH_CAMELLIA           0x00000100
+#define BENCH_ARC4               0x00000200
+#define BENCH_HC128              0x00000400
+#define BENCH_RABBIT             0x00000800
+#define BENCH_CHACHA20           0x00001000
+#define BENCH_CHACHA20_POLY1305  0x00002000
+#define BENCH_DES                0x00004000
+#define BENCH_IDEA               0x00008000
+#define BENCH_AES_CFB            0x00010000
+#define BENCH_AES_OFB            0x00020000
+/* Digest algorithms. */
+#define BENCH_MD5                0x00000001
+#define BENCH_POLY1305           0x00000002
+#define BENCH_SHA                0x00000004
+#define BENCH_SHA224             0x00000010
+#define BENCH_SHA256             0x00000020
+#define BENCH_SHA384             0x00000040
+#define BENCH_SHA512             0x00000080
+#define BENCH_SHA2               (BENCH_SHA224 | BENCH_SHA256 | \
+                                  BENCH_SHA384 | BENCH_SHA512)
+#define BENCH_SHA3_224           0x00000100
+#define BENCH_SHA3_256           0x00000200
+#define BENCH_SHA3_384           0x00000400
+#define BENCH_SHA3_512           0x00000800
+#define BENCH_SHA3               (BENCH_SHA3_224 | BENCH_SHA3_256 | \
+                                  BENCH_SHA3_384 | BENCH_SHA3_512)
+#define BENCH_RIPEMD             0x00001000
+#define BENCH_BLAKE2B            0x00002000
+#define BENCH_BLAKE2S            0x00004000
+
+/* MAC algorithms. */
+#define BENCH_CMAC               0x00000001
+#define BENCH_HMAC_MD5           0x00000002
+#define BENCH_HMAC_SHA           0x00000004
+#define BENCH_HMAC_SHA224        0x00000010
+#define BENCH_HMAC_SHA256        0x00000020
+#define BENCH_HMAC_SHA384        0x00000040
+#define BENCH_HMAC_SHA512        0x00000080
+#define BENCH_HMAC               (BENCH_HMAC_MD5    | BENCH_HMAC_SHA    | \
+                                  BENCH_HMAC_SHA224 | BENCH_HMAC_SHA256 | \
+                                  BENCH_HMAC_SHA384 | BENCH_HMAC_SHA512)
+#define BENCH_PBKDF2             0x00000100
+
+/* Asymmetric algorithms. */
+#define BENCH_RSA_KEYGEN         0x00000001
+#define BENCH_RSA                0x00000002
+#define BENCH_RSA_SZ             0x00000004
+#define BENCH_DH                 0x00000010
+#define BENCH_NTRU               0x00000100
+#define BENCH_NTRU_KEYGEN        0x00000200
+#define BENCH_ECC_MAKEKEY        0x00001000
+#define BENCH_ECC                0x00002000
+#define BENCH_ECC_ENCRYPT        0x00004000
+#define BENCH_CURVE25519_KEYGEN  0x00010000
+#define BENCH_CURVE25519_KA      0x00020000
+#define BENCH_ED25519_KEYGEN     0x00040000
+#define BENCH_ED25519_SIGN       0x00080000
+#define BENCH_CURVE448_KEYGEN    0x00100000
+#define BENCH_CURVE448_KA        0x00200000
+#define BENCH_ED448_KEYGEN       0x00400000
+#define BENCH_ED448_SIGN         0x00800000
+/* Other */
+#define BENCH_RNG                0x00000001
+#define BENCH_SCRYPT             0x00000002
+
+
+/* Benchmark all compiled in algorithms.
+ * When 1, ignore other benchmark algorithm values.
+ *      0, only benchmark algorithm values set.
+ */
+static int bench_all = 1;
+/* Cipher algorithms to benchmark. */
+static int bench_cipher_algs = 0;
+/* Digest algorithms to benchmark. */
+static int bench_digest_algs = 0;
+/* MAC algorithms to benchmark. */
+static int bench_mac_algs = 0;
+/* Asymmetric algorithms to benchmark. */
+static int bench_asym_algs = 0;
+/* Other cryptographic algorithms to benchmark. */
+static int bench_other_algs = 0;
+
+#if !defined(WOLFSSL_BENCHMARK_ALL) && !defined(NO_MAIN_DRIVER)
+
+/* The mapping of command line option to bit values. */
+typedef struct bench_alg {
+    /* Command line option string. */
+    const char* str;
+    /* Bit values to set. */
+    int val;
+} bench_alg;
+
+#ifndef MAIN_NO_ARGS
+/* All recognized cipher algorithm choosing command line options. */
+static const bench_alg bench_cipher_opt[] = {
+    { "-cipher",             -1                      },
+#ifdef HAVE_AES_CBC
+    { "-aes-cbc",            BENCH_AES_CBC           },
+#endif
+#ifdef HAVE_AESGCM
+    { "-aes-gcm",            BENCH_AES_GCM           },
+#endif
+#ifdef WOLFSSL_AES_DIRECT
+    { "-aes-ecb",            BENCH_AES_ECB           },
+#endif
+#ifdef WOLFSSL_AES_XTS
+    { "-aes-xts",            BENCH_AES_XTS           },
+#endif
+#ifdef WOLFSSL_AES_CFB
+    { "-aes-cfb",            BENCH_AES_CFB           },
+#endif
+#ifdef WOLFSSL_AES_OFB
+    { "-aes-ofb",            BENCH_AES_OFB           },
+#endif
+#ifdef WOLFSSL_AES_COUNTER
+    { "-aes-ctr",            BENCH_AES_CTR           },
+#endif
+#ifdef HAVE_AESCCM
+    { "-aes-ccm",            BENCH_AES_CCM           },
+#endif
+#ifdef HAVE_CAMELLIA
+    { "-camellia",           BENCH_CAMELLIA          },
+#endif
+#ifndef NO_RC4
+    { "-arc4",               BENCH_ARC4              },
+#endif
+#ifdef HAVE_HC128
+    { "-hc128",              BENCH_HC128             },
+#endif
+#ifndef NO_RABBIT
+    { "-rabbit",             BENCH_RABBIT            },
+#endif
+#ifdef HAVE_CHACHA
+    { "-chacha20",           BENCH_CHACHA20          },
+#endif
+#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
+    { "-chacha20-poly1305",  BENCH_CHACHA20_POLY1305 },
+#endif
+#ifndef NO_DES3
+    { "-des",                BENCH_DES               },
+#endif
+#ifdef HAVE_IDEA
+    { "-idea",               BENCH_IDEA              },
+#endif
+    { NULL, 0}
+};
+
+/* All recognized digest algorithm choosing command line options. */
+static const bench_alg bench_digest_opt[] = {
+    { "-digest",             -1                      },
+#ifndef NO_MD5
+    { "-md5",                BENCH_MD5               },
+#endif
+#ifdef HAVE_POLY1305
+    { "-poly1305",           BENCH_POLY1305          },
+#endif
+#ifndef NO_SHA
+    { "-sha",                BENCH_SHA               },
+#endif
+#if defined(WOLFSSL_SHA224) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) \
+                                                   || defined(WOLFSSL_SHA512)
+    { "-sha2",               BENCH_SHA2              },
+#endif
+#ifdef WOLFSSL_SHA224
+    { "-sha224",             BENCH_SHA224            },
+#endif
+#ifndef NO_SHA256
+    { "-sha256",             BENCH_SHA256            },
+#endif
+#ifdef WOLFSSL_SHA384
+    { "-sha384",             BENCH_SHA384            },
+#endif
+#ifdef WOLFSSL_SHA512
+    { "-sha512",             BENCH_SHA512            },
+#endif
+#ifdef WOLFSSL_SHA3
+    { "-sha3",               BENCH_SHA3              },
+    #ifndef WOLFSSL_NOSHA3_224
+    { "-sha3-224",           BENCH_SHA3_224          },
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+    { "-sha3-256",           BENCH_SHA3_256          },
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+    { "-sha3-384",           BENCH_SHA3_384          },
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+    { "-sha3-512",           BENCH_SHA3_512          },
+    #endif
+#endif
+#ifdef WOLFSSL_RIPEMD
+    { "-ripemd",             BENCH_RIPEMD            },
+#endif
+#ifdef HAVE_BLAKE2
+    { "-blake2b",            BENCH_BLAKE2B           },
+#endif
+#ifdef HAVE_BLAKE2S
+    { "-blake2s",            BENCH_BLAKE2S           },
+#endif
+    { NULL, 0}
+};
+
+/* All recognized MAC algorithm choosing command line options. */
+static const bench_alg bench_mac_opt[] = {
+    { "-mac",                -1                      },
+#ifdef WOLFSSL_CMAC
+    { "-cmac",               BENCH_CMAC              },
+#endif
+#ifndef NO_HMAC
+    { "-hmac",               BENCH_HMAC              },
+    #ifndef NO_MD5
+    { "-hmac-md5",           BENCH_HMAC_MD5          },
+    #endif
+    #ifndef NO_SHA
+    { "-hmac-sha",           BENCH_HMAC_SHA          },
+    #endif
+    #ifdef WOLFSSL_SHA224
+    { "-hmac-sha224",        BENCH_HMAC_SHA224       },
+    #endif
+    #ifndef NO_SHA256
+    { "-hmac-sha256",        BENCH_HMAC_SHA256       },
+    #endif
+    #ifdef WOLFSSL_SHA384
+    { "-hmac-sha384",        BENCH_HMAC_SHA384       },
+    #endif
+    #ifdef WOLFSSL_SHA512
+    { "-hmac-sha512",        BENCH_HMAC_SHA512       },
+    #endif
+    #ifndef NO_PWDBASED
+    { "-pbkdf2",             BENCH_PBKDF2            },
+    #endif
+#endif
+    { NULL, 0}
+};
+
+/* All recognized asymmetric algorithm choosing command line options. */
+static const bench_alg bench_asym_opt[] = {
+    { "-asym",               -1                      },
+#ifndef NO_RSA
+    #ifdef WOLFSSL_KEY_GEN
+    { "-rsa-kg",             BENCH_RSA_KEYGEN        },
+    #endif
+    { "-rsa",                BENCH_RSA               },
+    { "-rsa-sz",             BENCH_RSA_SZ            },
+#endif
+#ifndef NO_DH
+    { "-dh",                 BENCH_DH                },
 #endif
 #ifdef HAVE_NTRU
-    #include "ntru_crypto.h"
+    { "-ntru",               BENCH_NTRU              },
+    { "-ntru-kg",            BENCH_NTRU_KEYGEN       },
+#endif
+#ifdef HAVE_ECC
+    { "-ecc-kg",             BENCH_ECC_MAKEKEY       },
+    { "-ecc",                BENCH_ECC               },
+    #ifdef HAVE_ECC_ENCRYPT
+    { "-ecc-enc",            BENCH_ECC_ENCRYPT       },
+    #endif
+#endif
+#ifdef HAVE_CURVE25519
+    { "-curve25519-kg",      BENCH_CURVE25519_KEYGEN },
+    #ifdef HAVE_CURVE25519_SHARED_SECRET
+    { "-x25519",             BENCH_CURVE25519_KA     },
+    #endif
+#endif
+#ifdef HAVE_ED25519
+    { "-ed25519-kg",         BENCH_ED25519_KEYGEN    },
+    { "-ed25519",            BENCH_ED25519_SIGN      },
+#endif
+#ifdef HAVE_CURVE448
+    { "-curve448-kg",        BENCH_CURVE448_KEYGEN   },
+    #ifdef HAVE_CURVE448_SHARED_SECRET
+    { "-x448",               BENCH_CURVE448_KA       },
+    #endif
+#endif
+#ifdef HAVE_ED448
+    { "-ed448-kg",           BENCH_ED448_KEYGEN      },
+    { "-ed448",              BENCH_ED448_SIGN        },
+#endif
+    { NULL, 0}
+};
+
+/* All recognized other cryptographic algorithm choosing command line options.
+ */
+static const bench_alg bench_other_opt[] = {
+    { "-other",              -1                      },
+#ifndef WC_NO_RNG
+    { "-rng",                BENCH_RNG               },
+#endif
+#ifdef HAVE_SCRYPT
+    { "-scrypt",             BENCH_SCRYPT            },
+#endif
+    { NULL, 0}
+};
+#endif /* MAIN_NO_ARGS */
+
+#endif /* !WOLFSSL_BENCHMARK_ALL && !NO_MAIN_DRIVER */
+
+
+#ifdef HAVE_WNR
+    const char* wnrConfigFile = "wnr-example.conf";
 #endif
 
 #if defined(WOLFSSL_MDK_ARM)
-    extern FILE * wolfSSL_fopen(const char *fname, const char *mode) ;
+    extern XFILE wolfSSL_fopen(const char *fname, const char *mode);
     #define fopen wolfSSL_fopen
 #endif
 
-#if defined(__GNUC__) && defined(__x86_64__) && !defined(NO_ASM)
+static int lng_index = 0;
+
+#ifndef NO_MAIN_DRIVER
+#ifndef MAIN_NO_ARGS
+static const char* bench_Usage_msg1[][16] = {
+    /* 0 English  */
+    {   "-? <num>    Help, print this usage\n            0: English, 1: Japanese\n",
+        "-csv        Print terminal output in csv format\n",
+        "-base10     Display bytes as power of 10 (eg 1 kB = 1000 Bytes)\n",
+        "-no_aad     No additional authentication data passed.\n",
+        "-dgst_full  Full digest operation performed.\n",
+        "-rsa_sign   Measure RSA sign/verify instead of encrypt/decrypt.\n",
+        "<keySz> -rsa-sz\n            Measure RSA <key size> performance.\n",
+        "-ffhdhe2048 Measure DH using FFDHE 2048-bit parameters.\n",
+        "-ffhdhe3072 Measure DH using FFDHE 3072-bit parameters.\n",
+        "-p256       Measure ECC using P-256 curve.\n",
+        "-p384       Measure ECC using P-384 curve.\n",
+        "-<alg>      Algorithm to benchmark. Available algorithms include:\n",
+        "-lng <num>  Display benchmark result by specified language.\n            0: English, 1: Japanese\n",
+        "<num>       Size of block in bytes\n",
+        "-threads <num> Number of threads to run\n",
+        "-print      Show benchmark stats summary\n"
+    },
+#ifndef NO_MULTIBYTE_PRINT
+    /* 1 Japanese */
+    {   "-? <num>    ヘルプ, 使い方を表示します。\n            0: 英語、 1: 日本語\n",
+        "-csv        csv 形式で端末に出力します。\n",
+        "-base10     バイトを10のべき乗で表示します。(例 1 kB = 1000 Bytes)\n",
+        "-no_aad     追加の認証データを使用しません.\n",
+        "-dgst_full  フルの digest 暗号操作を実施します。\n",
+        "-rsa_sign   暗号/復号化の代わりに RSA の署名/検証を測定します。\n",
+        "<keySz> -rsa-sz\n            RSA <key size> の性能を測定します。\n",
+        "-ffhdhe2048 Measure DH using FFDHE 2048-bit parameters.\n",
+        "-ffhdhe3072 Measure DH using FFDHE 3072-bit parameters.\n",
+        "-p256       Measure ECC using P-256 curve.\n",
+        "-p384       Measure ECC using P-384 curve.\n",
+        "-<alg>      アルゴリズムのベンチマークを実施します。\n            利用可能なアルゴリズムは下記を含みます:\n",
+        "-lng <num>  指定された言語でベンチマーク結果を表示します。\n            0: 英語、 1: 日本語\n",
+        "<num>       ブロックサイズをバイト単位で指定します。\n",
+        "-threads <num> 実行するスレッド数\n",
+        "-print      ベンチマーク統計の要約を表示する\n"
+    },
+#endif
+};
+#endif /* MAIN_NO_ARGS */
+#endif
+
+static const char* bench_result_words1[][4] = {
+    { "took", "seconds" , "Cycles per byte", NULL },           /* 0 English  */
+#ifndef NO_MULTIBYTE_PRINT
+    { "を"   , "秒で処理", "1バイトあたりのサイクル数", NULL },     /* 1 Japanese */
+#endif
+};
+
+#if !defined(NO_RSA) || defined(WOLFSSL_KEY_GEN) || defined(HAVE_NTRU) || \
+    defined(HAVE_ECC) || !defined(NO_DH) || defined(HAVE_ECC_ENCRYPT) || \
+    defined(HAVE_CURVE25519) || defined(HAVE_CURVE25519_SHARED_SECRET)  || \
+    defined(HAVE_ED25519) || defined(HAVE_CURVE448) || \
+    defined(HAVE_CURVE448_SHARED_SECRET) || defined(HAVE_ED448)
+#if defined(HAVE_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY) || \
+    defined(WOLFSSL_PUBLIC_MP) || !defined(NO_DH)
+
+static const char* bench_desc_words[][9] = {
+    /* 0           1          2         3        4        5         6            7            8 */
+    {"public", "private", "key gen", "agree" , "sign", "verify", "encryption", "decryption", NULL}, /* 0 English */
+#ifndef NO_MULTIBYTE_PRINT
+    {"公開鍵", "秘密鍵" ,"鍵生成" , "鍵共有" , "署名", "検証"  , "暗号化"    , "復号化"    , NULL}, /* 1 Japanese */
+#endif
+};
+
+#endif
+#endif
+
+#if defined(__GNUC__) && defined(__x86_64__) && !defined(NO_ASM) && !defined(WOLFSSL_SGX)
     #define HAVE_GET_CYCLES
-    static INLINE word64 get_intel_cycles(void);
-    static word64 total_cycles;
+    static WC_INLINE word64 get_intel_cycles(void);
+    static THREAD_LS_T word64 total_cycles;
+    #define INIT_CYCLE_COUNTER
     #define BEGIN_INTEL_CYCLES total_cycles = get_intel_cycles();
     #define END_INTEL_CYCLES   total_cycles = get_intel_cycles() - total_cycles;
-    #define SHOW_INTEL_CYCLES  printf(" Cycles per byte = %6.2f", \
-                               (float)total_cycles / (numBlocks*sizeof(plain)));
+    /* s == size in bytes that 1 count represents, normally BENCH_SIZE */
+    #define SHOW_INTEL_CYCLES(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), " %s = %6.2f\n", \
+            bench_result_words1[lng_index][2], \
+            count == 0 ? 0 : (float)total_cycles / ((word64)count*s))
+    #define SHOW_INTEL_CYCLES_CSV(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), "%.2f,\n", \
+            count == 0 ? 0 : (float)total_cycles / ((word64)count*s))
+#elif defined(LINUX_CYCLE_COUNT)
+    #include <linux/perf_event.h>
+    #include <sys/syscall.h>
+    #include <unistd.h>
+
+    static THREAD_LS_T word64 begin_cycles;
+    static THREAD_LS_T word64 total_cycles;
+    static THREAD_LS_T int cycles = -1;
+    static THREAD_LS_T struct perf_event_attr atr;
+
+    #define INIT_CYCLE_COUNTER do { \
+        atr.type   = PERF_TYPE_HARDWARE; \
+        atr.config = PERF_COUNT_HW_CPU_CYCLES; \
+        cycles = (int)syscall(__NR_perf_event_open, &atr, 0, -1, -1, 0); \
+    } while (0);
+
+    #define BEGIN_INTEL_CYCLES read(cycles, &begin_cycles, sizeof(begin_cycles));
+    #define END_INTEL_CYCLES   do { \
+        read(cycles, &total_cycles, sizeof(total_cycles)); \
+        total_cycles = total_cycles - begin_cycles; \
+    } while (0);
+
+    /* s == size in bytes that 1 count represents, normally BENCH_SIZE */
+    #define SHOW_INTEL_CYCLES(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), " %s = %6.2f\n", \
+        bench_result_words1[lng_index][2], \
+            (float)total_cycles / (count*s))
+    #define SHOW_INTEL_CYCLES_CSV(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), "%.2f,\n", \
+            (float)total_cycles / (count*s))
+
+#elif defined(SYNERGY_CYCLE_COUNT)
+    #include "hal_data.h"
+    static THREAD_LS_T word64 begin_cycles;
+    static THREAD_LS_T word64 total_cycles;
+
+    #define INIT_CYCLE_COUNTER
+    #define BEGIN_INTEL_CYCLES begin_cycles = DWT->CYCCNT = 0;
+    #define END_INTEL_CYCLES   total_cycles =  DWT->CYCCNT - begin_cycles;
+
+    /* s == size in bytes that 1 count represents, normally BENCH_SIZE */
+    #define SHOW_INTEL_CYCLES(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), " %s = %6.2f\n", \
+        bench_result_words1[lng_index][2], \
+            (float)total_cycles / (count*s))
+    #define SHOW_INTEL_CYCLES_CSV(b, n, s) \
+        XSNPRINTF(b + XSTRLEN(b), n - XSTRLEN(b), "%.2f,\n", \
+            (float)total_cycles / (count*s))
+
 #else
+    #define INIT_CYCLE_COUNTER
     #define BEGIN_INTEL_CYCLES
     #define END_INTEL_CYCLES
-    #define SHOW_INTEL_CYCLES
+    #define SHOW_INTEL_CYCLES(b, n, s)     b[XSTRLEN(b)] = '\n'
+    #define SHOW_INTEL_CYCLES_CSV(b, n, s)     b[XSTRLEN(b)] = '\n'
 #endif
 
-/* let's use buffers, we have them */
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
-    #define USE_CERT_BUFFERS_2048
+/* determine benchmark buffer to use (if NO_FILESYSTEM) */
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072)
+    #define USE_CERT_BUFFERS_2048 /* default to 2048 */
 #endif
 
-#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \
-                                   || !defined(NO_DH)
+#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) || \
+    defined(USE_CERT_BUFFERS_3072) || !defined(NO_DH)
     /* include test cert and key buffers for use with NO_FILESYSTEM */
-    #if defined(WOLFSSL_MDK_ARM)
-        #include "cert_data.h" /* use certs_test.c for initial data, 
-                                      so other commands can share the data. */
-    #else
-        #include <wolfssl/certs_test.h>
-    #endif
+    #include <wolfssl/certs_test.h>
 #endif
 
-
-#ifdef HAVE_BLAKE2
+#if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
     #include <wolfssl/wolfcrypt/blake2.h>
-    void bench_blake2(void);
 #endif
 
 #ifdef _MSC_VER
@@ -121,469 +695,2060 @@
 #endif
 
 
-void bench_des(void);
-void bench_arc4(void);
-void bench_hc128(void);
-void bench_rabbit(void);
-void bench_chacha(void);
-void bench_chacha20_poly1305_aead(void);
-void bench_aes(int);
-void bench_aesgcm(void);
-void bench_aesccm(void);
-void bench_aesctr(void);
-void bench_poly1305(void);
-void bench_camellia(void);
-
-void bench_md5(void);
-void bench_sha(void);
-void bench_sha256(void);
-void bench_sha384(void);
-void bench_sha512(void);
-void bench_ripemd(void);
-
-void bench_rsa(void);
-void bench_rsaKeyGen(void);
-void bench_dh(void);
-#ifdef HAVE_ECC
-void bench_eccKeyGen(void);
-void bench_eccKeyAgree(void);
+#ifdef WOLFSSL_CURRTIME_REMAP
+    #define current_time WOLFSSL_CURRTIME_REMAP
+#elif !defined(HAVE_STACK_SIZE)
+    double current_time(int);
 #endif
-#ifdef HAVE_CURVE25519
-void bench_curve25519KeyGen(void);
-void bench_curve25519KeyAgree(void);
+
+#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND) && \
+        !defined(HAVE_STACK_SIZE)
+#ifdef __cplusplus
+    extern "C" {
 #endif
-#ifdef HAVE_ED25519
-void bench_ed25519KeyGen(void);
-void bench_ed25519KeySign(void);
+    WOLFSSL_API int wolfSSL_Debugging_ON(void);
+    WOLFSSL_API void wolfSSL_Debugging_OFF(void);
+#ifdef __cplusplus
+    }  /* extern "C" */
 #endif
-#ifdef HAVE_NTRU
-void bench_ntru(void);
-void bench_ntruKeyGen(void);
 #endif
 
-double current_time(int);
+#if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || !defined(NO_DH) \
+                        || defined(WOLFSSL_KEY_GEN) || defined(HAVE_ECC) \
+                        || defined(HAVE_CURVE25519) || defined(HAVE_ED25519) \
+                        || defined(HAVE_CURVE448) || defined(HAVE_ED448)
+    #define HAVE_LOCAL_RNG
+    static THREAD_LS_T WC_RNG gRng;
+#endif
 
+#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519) || \
+    defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
+    defined(HAVE_ECC) || defined(HAVE_NTRU) || !defined(NO_DH) || \
+    !defined(NO_RSA) || defined(HAVE_SCRYPT)
+    #define BENCH_ASYM
+#endif
 
-#ifdef HAVE_CAVIUM
+#if defined(BENCH_ASYM)
+#if defined(HAVE_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY) || \
+                                   defined(WOLFSSL_PUBLIC_MP) || !defined(NO_DH)
+static const char* bench_result_words2[][5] = {
+    { "ops took", "sec"     , "avg" , "ops/sec", NULL },            /* 0 English  */
+#ifndef NO_MULTIBYTE_PRINT
+    { "回処理を", "秒で実施", "平均", "処理/秒", NULL },            /* 1 Japanese */
+#endif
+};
+#endif
+#endif
 
-static int OpenNitroxDevice(int dma_mode,int dev_id)
-{
-   Csp1CoreAssignment core_assign;
-   Uint32             device;
+/* Asynchronous helper macros */
+static THREAD_LS_T int devId = INVALID_DEVID;
 
-   if (CspInitialize(CAVIUM_DIRECT,CAVIUM_DEV_ID))
-      return -1;
-   if (Csp1GetDevType(&device))
-      return -1;
-   if (device != NPX_DEVICE) {
-      if (ioctl(gpkpdev_hdlr[CAVIUM_DEV_ID], IOCTL_CSP1_GET_CORE_ASSIGNMENT,
-                (Uint32 *)&core_assign)!= 0)
-         return -1;
-   }
-   CspShutdown(CAVIUM_DEV_ID);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    static WOLF_EVENT_QUEUE eventQueue;
 
-   return CspInitialize(dma_mode, dev_id);
-}
+    #define BENCH_ASYNC_GET_DEV(obj)      (&(obj)->asyncDev)
+    #define BENCH_ASYNC_GET_NAME(doAsync) (doAsync) ? "HW" : "SW"
+    #define BENCH_MAX_PENDING             (WOLF_ASYNC_MAX_PENDING)
 
+#ifndef WC_NO_ASYNC_THREADING
+    typedef struct ThreadData {
+        pthread_t thread_id;
+    } ThreadData;
+    static ThreadData* g_threadData;
+    static int g_threadCount;
 #endif
 
-#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
-    WOLFSSL_API int wolfSSL_Debugging_ON();
-#endif
+    static int bench_async_check(int* ret, WC_ASYNC_DEV* asyncDev,
+        int callAgain, int* times, int limit, int* pending)
+    {
+        int allowNext = 0;
+
+        /* this state can be set from a different thread */
+        WOLF_EVENT_STATE state = asyncDev->event.state;
+
+        /* if algo doesn't require calling again then use this flow */
+        if (state == WOLF_EVENT_STATE_DONE) {
+            if (callAgain) {
+                /* needs called again, so allow it and handle completion in bench_async_handle */
+                allowNext = 1;
+            }
+            else {
+                *ret = asyncDev->event.ret;
+                asyncDev->event.state = WOLF_EVENT_STATE_READY;
+                (*times)++;
+                if (*pending > 0) /* to support case where async blocks */
+                    (*pending)--;
+
+                if ((*times + *pending) < limit)
+                    allowNext = 1;
+            }
+        }
 
-#if !defined(NO_RSA) || !defined(NO_DH) \
-                                || defined(WOLFSSL_KEYGEN) || defined(HAVE_ECC)
-    #define HAVE_LOCAL_RNG
-    static RNG rng;
-#endif
+        /* if slot is available and we haven't reached limit, start another */
+        else if (state == WOLF_EVENT_STATE_READY && (*times + *pending) < limit) {
+            allowNext = 1;
+        }
+
+        return allowNext;
+    }
+
+    static int bench_async_handle(int* ret, WC_ASYNC_DEV* asyncDev,
+        int callAgain, int* times, int* pending)
+    {
+        WOLF_EVENT_STATE state = asyncDev->event.state;
+
+        if (*ret == WC_PENDING_E) {
+            if (state == WOLF_EVENT_STATE_DONE) {
+                *ret = asyncDev->event.ret;
+                asyncDev->event.state = WOLF_EVENT_STATE_READY;
+                (*times)++;
+                (*pending)--;
+            }
+            else {
+                (*pending)++;
+                *ret = wc_AsyncHandle(asyncDev, &eventQueue,
+                    callAgain ? WC_ASYNC_FLAG_CALL_AGAIN : WC_ASYNC_FLAG_NONE);
+            }
+        }
+        else if (*ret >= 0) {
+            *ret = asyncDev->event.ret;
+            asyncDev->event.state = WOLF_EVENT_STATE_READY;
+            (*times)++;
+            if (*pending > 0)  /* to support case where async blocks */
+                (*pending)--;
+        }
+
+        return (*ret >= 0) ? 1 : 0;
+    }
+
+    static WC_INLINE int bench_async_poll(int* pending)
+    {
+        int ret, asyncDone = 0;
+
+        ret = wolfAsync_EventQueuePoll(&eventQueue, NULL, NULL, 0,
+                                       WOLF_POLL_FLAG_CHECK_HW, &asyncDone);
+        if (ret != 0) {
+            printf("Async poll failed %d\n", ret);
+            return ret;
+        }
+
+        if (asyncDone == 0) {
+        #ifndef WC_NO_ASYNC_THREADING
+            /* give time to other threads */
+            wc_AsyncThreadYield();
+        #endif
+        }
+
+        (void)pending;
+
+        return asyncDone;
+    }
 
-/* use kB instead of mB for embedded benchmarking */
-#ifdef BENCH_EMBEDDED
-    static byte plain [1024];
 #else
-    static byte plain [1024*1024];
+    #define BENCH_MAX_PENDING             (1)
+    #define BENCH_ASYNC_GET_NAME(doAsync) ""
+    #define BENCH_ASYNC_GET_DEV(obj)      NULL
+
+    static WC_INLINE int bench_async_check(int* ret, void* asyncDev,
+        int callAgain, int* times, int limit, int* pending)
+    {
+        (void)ret;
+        (void)asyncDev;
+        (void)callAgain;
+        (void)times;
+        (void)limit;
+        (void)pending;
+
+        return 1;
+    }
+
+    static WC_INLINE int bench_async_handle(int* ret, void* asyncDev,
+        int callAgain, int* times, int* pending)
+    {
+        (void)asyncDev;
+        (void)callAgain;
+        (void)pending;
+
+        if (*ret >= 0) {
+            /* operation completed */
+            (*times)++;
+            return 1;
+        }
+        return 0;
+    }
+    #define bench_async_poll(p)
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+
+
+/* maximum runtime for each benchmark */
+#define BENCH_MIN_RUNTIME_SEC   1.0f
+
+
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+    #define AES_AUTH_ADD_SZ 13
+    #define AES_AUTH_TAG_SZ 16
+    #define BENCH_CIPHER_ADD AES_AUTH_TAG_SZ
+    static word32 aesAuthAddSz = AES_AUTH_ADD_SZ;
+#endif
+#ifndef BENCH_CIPHER_ADD
+    #define BENCH_CIPHER_ADD 0
 #endif
 
 
 /* use kB instead of mB for embedded benchmarking */
 #ifdef BENCH_EMBEDDED
-    static byte cipher[1024];
+    enum BenchmarkBounds {
+        scryptCnt  = 1,
+        ntimes     = 2,
+        genTimes   = BENCH_MAX_PENDING,
+        agreeTimes = 2
+    };
+    static int    numBlocks  = 25; /* how many kB to test (en/de)cryption */
+    static word32 bench_size = (1024ul);
 #else
-    static byte cipher[1024*1024];
+    enum BenchmarkBounds {
+        scryptCnt  = 10,
+        ntimes     = 100,
+        genTimes   = BENCH_MAX_PENDING, /* must be at least BENCH_MAX_PENDING */
+        agreeTimes = 100
+    };
+    static int    numBlocks  = 5; /* how many megs to test (en/de)cryption */
+    static word32 bench_size = (1024*1024ul);
+#endif
+static int base2 = 1;
+static int digest_stream = 1;
+#ifndef NO_RSA
+/* Don't measure RSA sign/verify by default */
+static int rsa_sign_verify = 0;
+#endif
+#ifndef NO_DH
+/* Use the FFDHE parameters */
+static int use_ffdhe = 0;
+#endif
+
+/* Don't print out in CSV format by default */
+static int csv_format = 0;
+#ifdef BENCH_ASYM
+static int csv_header_count = 0;
 #endif
 
+/* for compatibility */
+#define BENCH_SIZE bench_size
 
-static const XGEN_ALIGN byte key[] =
+/* globals for cipher tests */
+static THREAD_LS_T byte* bench_plain = NULL;
+static THREAD_LS_T byte* bench_cipher = NULL;
+
+static const XGEN_ALIGN byte bench_key_buf[] =
 {
     0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
     0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
-    0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
+    0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67,
+    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
 };
 
-static const XGEN_ALIGN byte iv[] =
+static const XGEN_ALIGN byte bench_iv_buf[] =
 {
     0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef,
     0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
     0x11,0x21,0x31,0x41,0x51,0x61,0x71,0x81
 };
+static THREAD_LS_T byte* bench_key = NULL;
+static THREAD_LS_T byte* bench_iv = NULL;
 
+#ifdef WOLFSSL_STATIC_MEMORY
+    #ifdef BENCH_EMBEDDED
+        static byte gBenchMemory[50000];
+    #else
+        static byte gBenchMemory[400000];
+    #endif
+#endif
 
-/* so embedded projects can pull in tests on their own */
-#if !defined(NO_MAIN_DRIVER)
-
-int main(int argc, char** argv)
 
+/* This code handles cases with systems where static (non cost) ram variables
+    aren't properly initialized with data */
+static int gBenchStaticInit = 0;
+static void benchmark_static_init(void)
 {
-  (void)argc;
-  (void)argv;
+    if (gBenchStaticInit == 0) {
+        gBenchStaticInit = 1;
+
+        /* Init static variables */
+        bench_all = 1;
+    #ifdef BENCH_EMBEDDED
+        numBlocks  = 25; /* how many kB to test (en/de)cryption */
+        bench_size = (1024ul);
+    #else
+        numBlocks  = 5; /* how many megs to test (en/de)cryption */
+        bench_size = (1024*1024ul);
+    #endif
+    #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+        aesAuthAddSz = AES_AUTH_ADD_SZ;
+    #endif
+        base2 = 1;
+        digest_stream = 1;
+    }
+}
+
+
+
+/******************************************************************************/
+/* Begin Stats Functions */
+/******************************************************************************/
+static int gPrintStats = 0;
+typedef enum bench_stat_type {
+    BENCH_STAT_ASYM,
+    BENCH_STAT_SYM,
+} bench_stat_type_t;
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+    typedef struct bench_stats {
+        struct bench_stats* next;
+        struct bench_stats* prev;
+        const char* algo;
+        const char* desc;
+        double perfsec;
+        int strength;
+        int doAsync;
+        int finishCount;
+        bench_stat_type_t type;
+        int lastRet;
+        const char* perftype;
+    } bench_stats_t;
+    static bench_stats_t* bench_stats_head;
+    static bench_stats_t* bench_stats_tail;
+    static pthread_mutex_t bench_lock = PTHREAD_MUTEX_INITIALIZER;
+
+    static bench_stats_t* bench_stats_add(bench_stat_type_t type,
+        const char* algo, int strength, const char* desc, int doAsync,
+        double perfsec, const char* perftype, int ret)
+    {
+        bench_stats_t* bstat;
+
+        /* protect bench_stats_head and bench_stats_tail access */
+        pthread_mutex_lock(&bench_lock);
+
+        /* locate existing in list */
+        for (bstat = bench_stats_head; bstat != NULL; bstat = bstat->next) {
+            /* match based on algo, strength and desc */
+            if (bstat->algo == algo && bstat->strength == strength && bstat->desc == desc && bstat->doAsync == doAsync) {
+                break;
+            }
+        }
+
+        if (bstat == NULL) {
+            /* allocate new and put on list */
+            bstat = (bench_stats_t*)XMALLOC(sizeof(bench_stats_t), NULL, DYNAMIC_TYPE_INFO);
+            if (bstat) {
+                XMEMSET(bstat, 0, sizeof(bench_stats_t));
+
+                /* add to list */
+                bstat->next = NULL;
+                if (bench_stats_tail == NULL)  {
+                    bench_stats_head = bstat;
+                }
+                else {
+                    bench_stats_tail->next = bstat;
+                    bstat->prev = bench_stats_tail;
+                }
+                bench_stats_tail = bstat; /* add to the end either way */
+            }
+        }
+
+        if (bstat) {
+            bstat->type = type;
+            bstat->algo = algo;
+            bstat->strength = strength;
+            bstat->desc = desc;
+            bstat->doAsync = doAsync;
+            bstat->perfsec += perfsec;
+            bstat->finishCount++;
+            bstat->perftype = perftype;
+            if (bstat->lastRet > ret)
+                bstat->lastRet = ret; /* track last error */
+
+            pthread_mutex_unlock(&bench_lock);
+
+            /* wait until remaining are complete */
+            while (bstat->finishCount < g_threadCount) {
+                wc_AsyncThreadYield();
+            }
+        }
+        else {
+            pthread_mutex_unlock(&bench_lock);
+        }
+
+        return bstat;
+    }
+
+    void bench_stats_print(void)
+    {
+        bench_stats_t* bstat;
+
+        /* protect bench_stats_head and bench_stats_tail access */
+        pthread_mutex_lock(&bench_lock);
+
+        for (bstat = bench_stats_head; bstat != NULL; ) {
+            if (bstat->type == BENCH_STAT_SYM) {
+                printf("%-16s%s %8.3f %s/s\n", bstat->desc,
+                    BENCH_ASYNC_GET_NAME(bstat->doAsync), bstat->perfsec,
+                    base2 ? "MB" : "mB");
+            }
+            else {
+                printf("%-5s %4d %-9s %s %.3f ops/sec\n",
+                    bstat->algo, bstat->strength, bstat->desc,
+                    BENCH_ASYNC_GET_NAME(bstat->doAsync), bstat->perfsec);
+            }
+
+            bstat = bstat->next;
+        }
+
+        pthread_mutex_unlock(&bench_lock);
+    }
+
 #else
-int benchmark_test(void *args) 
+
+    typedef struct bench_stats {
+        const char* algo;
+        const char* desc;
+        double perfsec;
+        const char* perftype;
+        int strength;
+        bench_stat_type_t type;
+        int ret;
+    } bench_stats_t;
+    #define MAX_BENCH_STATS 50
+    static bench_stats_t gStats[MAX_BENCH_STATS];
+    static int gStatsCount;
+
+    static bench_stats_t* bench_stats_add(bench_stat_type_t type,
+            const char* algo, int strength, const char* desc, int doAsync,
+            double perfsec, const char* perftype, int ret)
+    {
+        bench_stats_t* bstat = NULL;
+        if (gStatsCount >= MAX_BENCH_STATS)
+            return bstat;
+
+        bstat = &gStats[gStatsCount++];
+        bstat->algo = algo;
+        bstat->desc = desc;
+        bstat->perfsec = perfsec;
+        bstat->perftype = perftype;
+        bstat->strength = strength;
+        bstat->type = type;
+        bstat->ret = ret;
+
+        (void)doAsync;
+
+        return bstat;
+    }
+
+    void bench_stats_print(void)
+    {
+        int i;
+        bench_stats_t* bstat;
+        for (i=0; i<gStatsCount; i++) {
+            bstat = &gStats[i];
+            if (bstat->type == BENCH_STAT_SYM) {
+                printf("%-16s %8.3f %s/s\n", bstat->desc, bstat->perfsec,
+                    base2 ? "MB" : "mB");
+            }
+            else {
+                printf("%-5s %4d %-9s %.3f ops/sec\n",
+                    bstat->algo, bstat->strength, bstat->desc, bstat->perfsec);
+            }
+        }
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT && !WC_NO_ASYNC_THREADING */
+
+static WC_INLINE void bench_stats_init(void)
 {
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+    bench_stats_head = NULL;
+    bench_stats_tail = NULL;
 #endif
+    INIT_CYCLE_COUNTER
+}
 
-    #if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
-        wolfSSL_Debugging_ON();
-    #endif
+static WC_INLINE void bench_stats_start(int* count, double* start)
+{
+    *count = 0;
+    *start = current_time(1);
+    BEGIN_INTEL_CYCLES
+}
 
-    (void)plain;
-    (void)cipher;
-    (void)key;
-    (void)iv;
+static WC_INLINE int bench_stats_sym_check(double start)
+{
+    return ((current_time(0) - start) < BENCH_MIN_RUNTIME_SEC);
+}
 
-	#ifdef HAVE_CAVIUM
-    int ret = OpenNitroxDevice(CAVIUM_DIRECT, CAVIUM_DEV_ID);
-    if (ret != 0) {
-        printf("Cavium OpenNitroxDevice failed\n");
-        exit(-1);
+
+/* countSz is number of bytes that 1 count represents. Normally bench_size,
+ * except for AES direct that operates on AES_BLOCK_SIZE blocks */
+static void bench_stats_sym_finish(const char* desc, int doAsync, int count,
+                                   int countSz, double start, int ret)
+{
+    double total, persec = 0, blocks = count;
+    const char* blockType;
+    char msg[128] = {0};
+    const char** word = bench_result_words1[lng_index];
+
+    END_INTEL_CYCLES
+    total = current_time(0) - start;
+
+    /* calculate actual bytes */
+    blocks *= countSz;
+
+    if (base2) {
+        /* determine if we should show as KB or MB */
+        if (blocks > (1024ul * 1024ul)) {
+            blocks /= (1024ul * 1024ul);
+            blockType = "MB";
+        }
+        else if (blocks > 1024) {
+            blocks /= 1024; /* make KB */
+            blockType = "KB";
+        }
+        else {
+            blockType = "bytes";
+        }
     }
-#endif /* HAVE_CAVIUM */
+    else {
+        /* determine if we should show as kB or mB */
+        if (blocks > (1000ul * 1000ul)) {
+            blocks /= (1000ul * 1000ul);
+            blockType = "mB";
+        }
+        else if (blocks > 1000) {
+            blocks /= 1000; /* make kB */
+            blockType = "kB";
+        }
+        else {
+            blockType = "bytes";
+        }
+    }
+
+    /* caclulcate blocks per second */
+    if (total > 0) {
+        persec = (1 / total) * blocks;
+    }
+
+    /* format and print to terminal */
+    if (csv_format == 1) {
+        XSNPRINTF(msg, sizeof(msg), "%s,%.3f,", desc, persec);
+        SHOW_INTEL_CYCLES_CSV(msg, sizeof(msg), countSz);
+    } else {
+        XSNPRINTF(msg, sizeof(msg), "%-16s%s %5.0f %s %s %5.3f %s, %8.3f %s/s",
+        desc, BENCH_ASYNC_GET_NAME(doAsync), blocks, blockType, word[0], total, word[1],
+        persec, blockType);
+        SHOW_INTEL_CYCLES(msg, sizeof(msg), countSz);
+    }
+    printf("%s", msg);
+
+    /* show errors */
+    if (ret < 0) {
+        printf("Benchmark %s failed: %d\n", desc, ret);
+    }
+
+    /* Add to thread stats */
+    bench_stats_add(BENCH_STAT_SYM, NULL, 0, desc, doAsync, persec, blockType, ret);
+
+    (void)doAsync;
+    (void)ret;
+
+    TEST_SLEEP();
+}
+
+#ifdef BENCH_ASYM
+#if defined(HAVE_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY) || \
+                                   defined(WOLFSSL_PUBLIC_MP) || !defined(NO_DH)
+static void bench_stats_asym_finish(const char* algo, int strength,
+    const char* desc, int doAsync, int count, double start, int ret)
+{
+    double total, each = 0, opsSec, milliEach;
+    const char **word = bench_result_words2[lng_index];
+    const char* kOpsSec = "Ops/Sec";
+    char msg[128] = {0};
+
+    total = current_time(0) - start;
+    if (count > 0)
+        each  = total / count; /* per second  */
+    opsSec = count / total;    /* ops second */
+    milliEach = each * 1000;   /* milliseconds */
+
+    /* format and print to terminal */
+    if (csv_format == 1) {
+        /* only print out header once */
+        if (csv_header_count == 1) {
+            printf("\nAsymmetric Ciphers:\n\n");
+            printf("Algorithm,avg ms,ops/sec,\n");
+            csv_header_count++;
+        }
+        XSNPRINTF(msg, sizeof(msg), "%s %d %s,%.3f,%.3f,\n", algo, strength, desc, milliEach, opsSec);
+    } else {
+        XSNPRINTF(msg, sizeof(msg), "%-6s %5d %-9s %s %6d %s %5.3f %s, %s %5.3f ms,"
+        " %.3f %s\n", algo, strength, desc, BENCH_ASYNC_GET_NAME(doAsync),
+        count, word[0], total, word[1], word[2], milliEach, opsSec, word[3]);
+    }
+    printf("%s", msg);
+
+    /* show errors */
+    if (ret < 0) {
+        printf("Benchmark %s %s %d failed: %d\n", algo, desc, strength, ret);
+    }
+
+    /* Add to thread stats */
+    bench_stats_add(BENCH_STAT_ASYM, algo, strength, desc, doAsync, opsSec, kOpsSec, ret);
+
+    (void)doAsync;
+    (void)ret;
+
+    TEST_SLEEP();
+}
+#endif
+#endif /* BENCH_ASYM */
+
+static WC_INLINE void bench_stats_free(void)
+{
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+    bench_stats_t* bstat;
+    for (bstat = bench_stats_head; bstat != NULL; ) {
+        bench_stats_t* next = bstat->next;
+        XFREE(bstat, NULL, DYNAMIC_TYPE_INFO);
+        bstat = next;
+    }
+    bench_stats_head = NULL;
+    bench_stats_tail = NULL;
+#endif
+}
+/******************************************************************************/
+/* End Stats Functions */
+/******************************************************************************/
+
+
+static void* benchmarks_do(void* args)
+{
+    int bench_buf_size;
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+#ifndef WC_NO_ASYNC_THREADING
+    ThreadData* threadData = (ThreadData*)args;
+
+    if (wolfAsync_DevOpenThread(&devId, &threadData->thread_id) < 0)
+#else
+    if (wolfAsync_DevOpen(&devId) < 0)
+#endif
+    {
+        printf("Async device open failed\nRunning without async\n");
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    (void)args;
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (wolfEventQueue_Init(&eventQueue) != 0) {
+        printf("Async event queue init failure!\n");
+    }
+#endif
+
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    devId = wc_CryptoCb_InitIntelQa();
+    if (devId == INVALID_DEVID) {
+        printf("Couldn't init the Intel QA\n");
+    }
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    devId = wc_CryptoCb_InitOcteon();
+    if (devId == INVALID_DEVID) {
+        printf("Couldn't get the Octeon device ID\n");
+    }
+#endif
+#endif
 
 #if defined(HAVE_LOCAL_RNG)
     {
-        int rngRet = wc_InitRng(&rng);
+        int rngRet;
+
+#ifndef HAVE_FIPS
+        rngRet = wc_InitRng_ex(&gRng, HEAP_HINT, devId);
+#else
+        rngRet = wc_InitRng(&gRng);
+#endif
         if (rngRet < 0) {
             printf("InitRNG failed\n");
-            return rngRet;
+            return NULL;
         }
     }
 #endif
 
+    /* setup bench plain, cipher, key and iv globals */
+    /* make sure bench buffer is multiple of 16 (AES block size) */
+    bench_buf_size = (int)bench_size + BENCH_CIPHER_ADD;
+    if (bench_buf_size % 16)
+        bench_buf_size += 16 - (bench_buf_size % 16);
+
+#ifdef WOLFSSL_AFALG_XILINX_AES
+    bench_plain = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16);
+    bench_cipher = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16);
+#else
+    bench_plain = (byte*)XMALLOC((size_t)bench_buf_size + 16, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+    bench_cipher = (byte*)XMALLOC((size_t)bench_buf_size + 16, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+#endif
+    if (bench_plain == NULL || bench_cipher == NULL) {
+        XFREE(bench_plain, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+        XFREE(bench_cipher, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+        bench_plain = bench_cipher = NULL;
+
+        printf("Benchmark block buffer alloc failed!\n");
+        goto exit;
+    }
+    XMEMSET(bench_plain, 0, (size_t)bench_buf_size);
+    XMEMSET(bench_cipher, 0, (size_t)bench_buf_size);
+
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(HAVE_INTEL_QA_SYNC)
+    bench_key = (byte*)XMALLOC(sizeof(bench_key_buf), HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+    bench_iv = (byte*)XMALLOC(sizeof(bench_iv_buf), HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+    if (bench_key == NULL || bench_iv == NULL) {
+        XFREE(bench_key, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+        XFREE(bench_iv, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+        bench_key = bench_iv = NULL;
+
+        printf("Benchmark cipher buffer alloc failed!\n");
+        goto exit;
+    }
+    XMEMCPY(bench_key, bench_key_buf, sizeof(bench_key_buf));
+    XMEMCPY(bench_iv, bench_iv_buf, sizeof(bench_iv_buf));
+#else
+    bench_key = (byte*)bench_key_buf;
+    bench_iv = (byte*)bench_iv_buf;
+#endif
+
+#ifndef WC_NO_RNG
+    if (bench_all || (bench_other_algs & BENCH_RNG))
+        bench_rng();
+#endif /* WC_NO_RNG */
 #ifndef NO_AES
-    bench_aes(0);
-    bench_aes(1);
+#ifdef HAVE_AES_CBC
+    if (bench_all || (bench_cipher_algs & BENCH_AES_CBC)) {
+    #ifndef NO_SW_BENCH
+        bench_aescbc(0);
+    #endif
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
+        !defined(NO_HW_BENCH)
+        bench_aescbc(1);
+    #endif
+    }
 #endif
 #ifdef HAVE_AESGCM
-    bench_aesgcm();
+    if (bench_all || (bench_cipher_algs & BENCH_AES_GCM)) {
+    #ifndef NO_SW_BENCH
+        bench_aesgcm(0);
+    #endif
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
+        !defined(NO_HW_BENCH)
+        bench_aesgcm(1);
+    #endif
+    }
+#endif
+#ifdef WOLFSSL_AES_DIRECT
+    if (bench_all || (bench_cipher_algs & BENCH_AES_ECB)) {
+    #ifndef NO_SW_BENCH
+        bench_aesecb(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES) && \
+        !defined(NO_HW_BENCH)
+        bench_aesecb(1);
+    #endif
+    }
+#endif
+#ifdef WOLFSSL_AES_XTS
+    if (bench_all || (bench_cipher_algs & BENCH_AES_XTS))
+        bench_aesxts();
+#endif
+#ifdef WOLFSSL_AES_CFB
+    if (bench_all || (bench_cipher_algs & BENCH_AES_CFB))
+        bench_aescfb();
+#endif
+#ifdef WOLFSSL_AES_OFB
+    if (bench_all || (bench_cipher_algs & BENCH_AES_OFB))
+        bench_aesofb();
 #endif
-
 #ifdef WOLFSSL_AES_COUNTER
-    bench_aesctr();
+    if (bench_all || (bench_cipher_algs & BENCH_AES_CTR))
+        bench_aesctr();
 #endif
-
 #ifdef HAVE_AESCCM
-    bench_aesccm();
+    if (bench_all || (bench_cipher_algs & BENCH_AES_CCM))
+        bench_aesccm();
 #endif
+#endif /* !NO_AES */
+
 #ifdef HAVE_CAMELLIA
-    bench_camellia();
+    if (bench_all || (bench_cipher_algs & BENCH_CAMELLIA))
+        bench_camellia();
 #endif
 #ifndef NO_RC4
-    bench_arc4();
+    if (bench_all || (bench_cipher_algs & BENCH_ARC4)) {
+    #ifndef NO_SW_BENCH
+        bench_arc4(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4) && \
+        !defined(NO_HW_BENCH)
+        bench_arc4(1);
+    #endif
+    }
 #endif
 #ifdef HAVE_HC128
-    bench_hc128();
+    if (bench_all || (bench_cipher_algs & BENCH_HC128))
+        bench_hc128();
 #endif
 #ifndef NO_RABBIT
-    bench_rabbit();
+    if (bench_all || (bench_cipher_algs & BENCH_RABBIT))
+        bench_rabbit();
 #endif
 #ifdef HAVE_CHACHA
-    bench_chacha();
+    if (bench_all || (bench_cipher_algs & BENCH_CHACHA20))
+        bench_chacha();
 #endif
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
-    bench_chacha20_poly1305_aead();
+    if (bench_all || (bench_cipher_algs & BENCH_CHACHA20_POLY1305))
+        bench_chacha20_poly1305_aead();
 #endif
 #ifndef NO_DES3
-    bench_des();
+    if (bench_all || (bench_cipher_algs & BENCH_DES)) {
+    #ifndef NO_SW_BENCH
+        bench_des(0);
+    #endif
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
+        !defined(NO_HW_BENCH)
+        bench_des(1);
+    #endif
+    }
+#endif
+#ifdef HAVE_IDEA
+    if (bench_all || (bench_cipher_algs & BENCH_IDEA))
+        bench_idea();
 #endif
-    
-    printf("\n");
 
 #ifndef NO_MD5
-    bench_md5();
+    if (bench_all || (bench_digest_algs & BENCH_MD5)) {
+    #ifndef NO_SW_BENCH
+        bench_md5(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_MD5) && \
+        !defined(NO_HW_BENCH)
+        bench_md5(1);
+    #endif
+    }
 #endif
 #ifdef HAVE_POLY1305
-    bench_poly1305();
+    if (bench_all || (bench_digest_algs & BENCH_POLY1305))
+        bench_poly1305();
 #endif
 #ifndef NO_SHA
-    bench_sha();
+    if (bench_all || (bench_digest_algs & BENCH_SHA)) {
+    #ifndef NO_SW_BENCH
+        bench_sha(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA) && \
+        !defined(NO_HW_BENCH)
+        bench_sha(1);
+    #endif
+    }
+#endif
+#ifdef WOLFSSL_SHA224
+    if (bench_all || (bench_digest_algs & BENCH_SHA224)) {
+    #ifndef NO_SW_BENCH
+        bench_sha224(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA224) && \
+        !defined(NO_HW_BENCH)
+        bench_sha224(1);
+    #endif
+    }
 #endif
 #ifndef NO_SHA256
-    bench_sha256();
+    if (bench_all || (bench_digest_algs & BENCH_SHA256)) {
+    #ifndef NO_SW_BENCH
+        bench_sha256(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256) && \
+        !defined(NO_HW_BENCH)
+        bench_sha256(1);
+    #endif
+    }
 #endif
 #ifdef WOLFSSL_SHA384
-    bench_sha384();
+    if (bench_all || (bench_digest_algs & BENCH_SHA384)) {
+    #ifndef NO_SW_BENCH
+        bench_sha384(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384) && \
+        !defined(NO_HW_BENCH)
+        bench_sha384(1);
+    #endif
+    }
 #endif
 #ifdef WOLFSSL_SHA512
-    bench_sha512();
+    if (bench_all || (bench_digest_algs & BENCH_SHA512)) {
+    #ifndef NO_SW_BENCH
+        bench_sha512(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512) && \
+        !defined(NO_HW_BENCH)
+        bench_sha512(1);
+    #endif
+    }
+#endif
+#ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+    if (bench_all || (bench_digest_algs & BENCH_SHA3_224)) {
+    #ifndef NO_SW_BENCH
+        bench_sha3_224(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) && \
+        !defined(NO_HW_BENCH)
+        bench_sha3_224(1);
+    #endif
+    }
+    #endif /* WOLFSSL_NOSHA3_224 */
+    #ifndef WOLFSSL_NOSHA3_256
+    if (bench_all || (bench_digest_algs & BENCH_SHA3_256)) {
+    #ifndef NO_SW_BENCH
+        bench_sha3_256(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) && \
+        !defined(NO_HW_BENCH)
+        bench_sha3_256(1);
+    #endif
+    }
+    #endif /* WOLFSSL_NOSHA3_256 */
+    #ifndef WOLFSSL_NOSHA3_384
+    if (bench_all || (bench_digest_algs & BENCH_SHA3_384)) {
+    #ifndef NO_SW_BENCH
+        bench_sha3_384(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) && \
+        !defined(NO_HW_BENCH)
+        bench_sha3_384(1);
+    #endif
+    }
+    #endif /* WOLFSSL_NOSHA3_384 */
+    #ifndef WOLFSSL_NOSHA3_512
+    if (bench_all || (bench_digest_algs & BENCH_SHA3_512)) {
+    #ifndef NO_SW_BENCH
+        bench_sha3_512(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3) && \
+        !defined(NO_HW_BENCH)
+        bench_sha3_512(1);
+    #endif
+    }
+    #endif /* WOLFSSL_NOSHA3_512 */
 #endif
 #ifdef WOLFSSL_RIPEMD
-    bench_ripemd();
+    if (bench_all || (bench_digest_algs & BENCH_RIPEMD))
+        bench_ripemd();
 #endif
 #ifdef HAVE_BLAKE2
-    bench_blake2();
+    if (bench_all || (bench_digest_algs & BENCH_BLAKE2B))
+        bench_blake2b();
+#endif
+#ifdef HAVE_BLAKE2S
+    if (bench_all || (bench_digest_algs & BENCH_BLAKE2S))
+        bench_blake2s();
+#endif
+#ifdef WOLFSSL_CMAC
+    if (bench_all || (bench_mac_algs & BENCH_CMAC))
+        bench_cmac();
 #endif
 
-    printf("\n");
+#ifndef NO_HMAC
+    #ifndef NO_MD5
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_MD5)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_md5(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_MD5) && !defined(NO_HW_BENCH)
+            bench_hmac_md5(1);
+        #endif
+        }
+    #endif
+    #ifndef NO_SHA
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_SHA)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_sha(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_SHA) && !defined(NO_HW_BENCH)
+            bench_hmac_sha(1);
+        #endif
+        }
+    #endif
+    #ifdef WOLFSSL_SHA224
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_SHA224)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_sha224(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_SHA224) && !defined(NO_HW_BENCH)
+            bench_hmac_sha224(1);
+        #endif
+        }
+    #endif
+    #ifndef NO_SHA256
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_SHA256)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_sha256(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_SHA256) && !defined(NO_HW_BENCH)
+            bench_hmac_sha256(1);
+        #endif
+        }
+    #endif
+    #ifdef WOLFSSL_SHA384
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_SHA384)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_sha384(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_SHA384) && !defined(NO_HW_BENCH)
+            bench_hmac_sha384(1);
+        #endif
+        }
+    #endif
+    #ifdef WOLFSSL_SHA512
+        if (bench_all || (bench_mac_algs & BENCH_HMAC_SHA512)) {
+        #ifndef NO_SW_BENCH
+            bench_hmac_sha512(0);
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC) && \
+                defined(WC_ASYNC_ENABLE_SHA512) && !defined(NO_HW_BENCH)
+            bench_hmac_sha512(1);
+        #endif
+        }
+    #endif
+    #ifndef NO_PWDBASED
+        if (bench_all || (bench_mac_algs & BENCH_PBKDF2)) {
+            bench_pbkdf2();
+        }
+    #endif
+#endif /* NO_HMAC */
 
-#ifndef NO_RSA
-    bench_rsa();
+#ifdef HAVE_SCRYPT
+    if (bench_all || (bench_other_algs & BENCH_SCRYPT))
+        bench_scrypt();
 #endif
 
-#ifdef HAVE_NTRU
-    bench_ntru();
-#endif
+#ifndef NO_RSA
+    #ifdef WOLFSSL_KEY_GEN
+        if (bench_all || (bench_asym_algs & BENCH_RSA_KEYGEN)) {
+        #ifndef NO_SW_BENCH
+            if (bench_asym_algs & BENCH_RSA_SZ) {
+                bench_rsaKeyGen_size(0, bench_size);
+            }
+            else {
+                bench_rsaKeyGen(0);
+            }
+        #endif
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA_KEYGEN) \
+                && !defined(NO_HW_BENCH)
+            if (bench_asym_algs & BENCH_RSA_SZ) {
+                bench_rsaKeyGen_size(1, bench_size);
+            }
+            else {
+                bench_rsaKeyGen(1);
+            }
+        #endif
+        }
+    #endif
+    if (bench_all || (bench_asym_algs & BENCH_RSA)) {
+    #ifndef NO_SW_BENCH
+        bench_rsa(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+        !defined(NO_HW_BENCH)
+        bench_rsa(1);
+    #endif
+    }
 
-#ifndef NO_DH
-    bench_dh();
+    #ifdef WOLFSSL_KEY_GEN
+    if (bench_asym_algs & BENCH_RSA_SZ) {
+    #ifndef NO_SW_BENCH
+        bench_rsa_key(0, bench_size);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+        !defined(NO_HW_BENCH)
+        bench_rsa_key(1, bench_size);
+    #endif
+    }
+    #endif
 #endif
 
-#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
-    bench_rsaKeyGen();
+#ifndef NO_DH
+    if (bench_all || (bench_asym_algs & BENCH_DH)) {
+    #ifndef NO_SW_BENCH
+        bench_dh(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH) && \
+        !defined(NO_HW_BENCH)
+        bench_dh(1);
+    #endif
+    }
 #endif
 
 #ifdef HAVE_NTRU
-    bench_ntruKeyGen();
+    if (bench_all || (bench_asym_algs & BENCH_NTRU))
+        bench_ntru();
+    if (bench_all || (bench_asym_algs & BENCH_NTRU_KEYGEN))
+        bench_ntruKeyGen();
 #endif
 
 #ifdef HAVE_ECC
-    bench_eccKeyGen();
-    bench_eccKeyAgree();
-    #if defined(FP_ECC)
-        wc_ecc_fp_free();
+    if (bench_all || (bench_asym_algs & BENCH_ECC_MAKEKEY)) {
+    #ifndef NO_SW_BENCH
+        bench_eccMakeKey(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+        !defined(NO_HW_BENCH)
+        bench_eccMakeKey(1);
+    #endif
+    }
+    if (bench_all || (bench_asym_algs & BENCH_ECC)) {
+    #ifndef NO_SW_BENCH
+        bench_ecc(0);
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+        !defined(NO_HW_BENCH)
+        bench_ecc(1);
+    #endif
+    }
+    #ifdef HAVE_ECC_ENCRYPT
+    if (bench_all || (bench_asym_algs & BENCH_ECC_ENCRYPT))
+        bench_eccEncrypt();
     #endif
 #endif
 
 #ifdef HAVE_CURVE25519
-    bench_curve25519KeyGen();
-    bench_curve25519KeyAgree();
+    if (bench_all || (bench_asym_algs & BENCH_CURVE25519_KEYGEN))
+        bench_curve25519KeyGen();
+    #ifdef HAVE_CURVE25519_SHARED_SECRET
+    if (bench_all || (bench_asym_algs & BENCH_CURVE25519_KA))
+        bench_curve25519KeyAgree();
+    #endif
 #endif
 
 #ifdef HAVE_ED25519
-    bench_ed25519KeyGen();
-    bench_ed25519KeySign();
+    if (bench_all || (bench_asym_algs & BENCH_ED25519_KEYGEN))
+        bench_ed25519KeyGen();
+    if (bench_all || (bench_asym_algs & BENCH_ED25519_SIGN))
+        bench_ed25519KeySign();
 #endif
 
-#if defined(HAVE_LOCAL_RNG)
-    wc_FreeRng(&rng);
+#ifdef HAVE_CURVE448
+    if (bench_all || (bench_asym_algs & BENCH_CURVE448_KEYGEN))
+        bench_curve448KeyGen();
+    #ifdef HAVE_CURVE448_SHARED_SECRET
+    if (bench_all || (bench_asym_algs & BENCH_CURVE448_KA))
+        bench_curve448KeyAgree();
+    #endif
 #endif
 
-    return 0;
-}
+#ifdef HAVE_ED448
+    if (bench_all || (bench_asym_algs & BENCH_ED448_KEYGEN))
+        bench_ed448KeyGen();
+    if (bench_all || (bench_asym_algs & BENCH_ED448_SIGN))
+        bench_ed448KeySign();
+#endif
 
+exit:
+    /* free benchmark buffers */
+    XFREE(bench_plain, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+    XFREE(bench_cipher, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    XFREE(bench_key, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+    XFREE(bench_iv, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
+#endif
 
-#ifdef BENCH_EMBEDDED
-enum BenchmarkBounds {
-    numBlocks  = 25, /* how many kB to test (en/de)cryption */
-    ntimes     = 1,
-    genTimes   = 5,  /* public key iterations */
-    agreeTimes = 5
-};
-static const char blockType[] = "kB";   /* used in printf output */
-#else
-enum BenchmarkBounds {
-    numBlocks  = 50,  /* how many megs to test (en/de)cryption */
-    ntimes     = 100,
-    genTimes   = 100,
-    agreeTimes = 100
-};
-static const char blockType[] = "megs"; /* used in printf output */
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    wc_CryptoCb_CleanupIntelQa(&devId);
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    wc_CryptoCb_CleanupOcteon(&devId);
+#endif
 #endif
 
+#ifdef WOLFSSL_ASYNC_CRYPT
+    /* free event queue */
+    wolfEventQueue_Free(&eventQueue);
+#endif
 
-#ifndef NO_AES
+#if defined(HAVE_LOCAL_RNG)
+    wc_FreeRng(&gRng);
+#endif
 
-void bench_aes(int show)
+#ifdef WOLFSSL_ASYNC_CRYPT
+    wolfAsync_DevClose(&devId);
+#endif
+
+/* cleanup the thread if fixed point cache is enabled and have thread local */
+#if defined(HAVE_THREAD_LS) && defined(HAVE_ECC) && defined(FP_ECC)
+    wc_ecc_fp_free();
+#endif
+
+    (void)bench_cipher_algs;
+    (void)bench_digest_algs;
+    (void)bench_mac_algs;
+    (void)bench_asym_algs;
+    (void)bench_other_algs;
+
+    return NULL;
+}
+
+int benchmark_init(void)
 {
-    Aes    enc;
-    double start, total, persec;
-    int    i;
-    int    ret;
+    int ret = 0;
 
-#ifdef HAVE_CAVIUM
-    if (wc_AesInitCavium(&enc, CAVIUM_DEV_ID) != 0) {
-        printf("aes init cavium failed\n");
-        return;
+    benchmark_static_init();
+
+#ifdef WOLFSSL_STATIC_MEMORY
+    ret = wc_LoadStaticMemory(&HEAP_HINT, gBenchMemory, sizeof(gBenchMemory),
+                                                            WOLFMEM_GENERAL, 1);
+    if (ret != 0) {
+        printf("unable to load static memory %d\n", ret);
+    }
+#endif /* WOLFSSL_STATIC_MEMORY */
+
+    if ((ret = wolfCrypt_Init()) != 0) {
+        printf("wolfCrypt_Init failed %d\n", ret);
+        return EXIT_FAILURE;
     }
+
+    bench_stats_init();
+
+#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
+    wolfSSL_Debugging_ON();
 #endif
 
-    ret = wc_AesSetKey(&enc, key, 16, iv, AES_ENCRYPTION);
+    if (csv_format == 1) {
+        printf("wolfCrypt Benchmark (block bytes %d, min %.1f sec each)\n",
+        (int)BENCH_SIZE, BENCH_MIN_RUNTIME_SEC);
+        printf("This format allows you to easily copy the output to a csv file.");
+        printf("\n\nSymmetric Ciphers:\n\n");
+        printf("Algorithm,MB/s,Cycles per byte,\n");
+    } else {
+        printf("wolfCrypt Benchmark (block bytes %d, min %.1f sec each)\n",
+        (int)BENCH_SIZE, BENCH_MIN_RUNTIME_SEC);
+    }
+
+#ifdef HAVE_WNR
+    ret = wc_InitNetRandom(wnrConfigFile, NULL, 5000);
     if (ret != 0) {
-        printf("AesSetKey failed, ret = %d\n", ret);
-        return;
+        printf("Whitewood netRandom config init failed %d\n", ret);
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+#endif /* HAVE_WNR */
 
-    for(i = 0; i < numBlocks; i++)
-        wc_AesCbcEncrypt(&enc, plain, cipher, sizeof(plain));
+    return ret;
+}
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
+int benchmark_free(void)
+{
+    int ret;
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+#ifdef HAVE_WNR
+    ret = wc_FreeNetRandom();
+    if (ret < 0) {
+        printf("Failed to free netRandom context %d\n", ret);
+    }
 #endif
 
-    if (show) {
-        printf("AES      %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                                  blockType, total, persec);
-        SHOW_INTEL_CYCLES
-        printf("\n");
+    if (gPrintStats || devId != INVALID_DEVID) {
+        bench_stats_print();
     }
-#ifdef HAVE_CAVIUM
-    wc_AesFreeCavium(&enc);
+
+    bench_stats_free();
+
+    if ((ret = wolfCrypt_Cleanup()) != 0) {
+        printf("error %d with wolfCrypt_Cleanup\n", ret);
+    }
+
+    return ret;
+}
+
+/* so embedded projects can pull in tests on their own */
+#ifdef HAVE_STACK_SIZE
+THREAD_RETURN WOLFSSL_THREAD benchmark_test(void* args)
+#else
+int benchmark_test(void *args)
 #endif
+{
+    int ret;
+
+    (void)args;
+
+    printf("------------------------------------------------------------------------------\n");
+    printf(" wolfSSL version %s\n", LIBWOLFSSL_VERSION_STRING);
+    printf("------------------------------------------------------------------------------\n");
+
+    ret = benchmark_init();
+    if (ret != 0)
+        EXIT_TEST(ret);
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+{
+    int i;
+
+    if (g_threadCount == 0) {
+    #ifdef WC_ASYNC_BENCH_THREAD_COUNT
+        g_threadCount = WC_ASYNC_BENCH_THREAD_COUNT;
+    #else
+        g_threadCount = wc_AsyncGetNumberOfCpus();
+    #endif
+    }
+
+    printf("CPUs: %d\n", g_threadCount);
+
+    g_threadData = (ThreadData*)XMALLOC(sizeof(ThreadData) * g_threadCount,
+        HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (g_threadData == NULL) {
+        printf("Thread data alloc failed!\n");
+        EXIT_TEST(EXIT_FAILURE);
+    }
+
+    /* Create threads */
+    for (i = 0; i < g_threadCount; i++) {
+        ret = wc_AsyncThreadCreate(&g_threadData[i].thread_id,
+            benchmarks_do, &g_threadData[i]);
+        if (ret != 0) {
+            printf("Error creating benchmark thread %d\n", ret);
+            EXIT_TEST(EXIT_FAILURE);
+        }
+    }
+
+    /* Start threads */
+    for (i = 0; i < g_threadCount; i++) {
+        wc_AsyncThreadJoin(&g_threadData[i].thread_id);
+    }
+
+    XFREE(g_threadData, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 }
+#else
+    benchmarks_do(NULL);
 #endif
 
+    printf("Benchmark complete\n");
 
-#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
-    static byte additional[13];
-    static byte tag[16];
+    ret = benchmark_free();
+
+    EXIT_TEST(ret);
+}
+
+
+#ifndef WC_NO_RNG
+void bench_rng(void)
+{
+    int    ret, i, count;
+    double start;
+    long   pos, len, remain;
+    WC_RNG myrng;
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&myrng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&myrng);
 #endif
+    if (ret < 0) {
+        printf("InitRNG failed %d\n", ret);
+        return;
+    }
 
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            /* Split request to handle large RNG request */
+            pos = 0;
+            remain = (int)BENCH_SIZE;
+            while (remain > 0) {
+                len = remain;
+                if (len > RNG_MAX_BLOCK_LEN)
+                    len = RNG_MAX_BLOCK_LEN;
+                ret = wc_RNG_GenerateBlock(&myrng, &bench_plain[pos], (word32)len);
+                if (ret < 0)
+                    goto exit_rng;
+
+                remain -= len;
+                pos += len;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_rng:
+    bench_stats_sym_finish("RNG", 0, count, bench_size, start, ret);
 
-#ifdef HAVE_AESGCM
-void bench_aesgcm(void)
+    wc_FreeRng(&myrng);
+}
+#endif /* WC_NO_RNG */
+
+
+#ifndef NO_AES
+
+#ifdef HAVE_AES_CBC
+static void bench_aescbc_internal(int doAsync, const byte* key, word32 keySz,
+                                  const byte* iv, const char* encLabel,
+                                  const char* decLabel)
 {
-    Aes    enc;
-    double start, total, persec;
-    int    i;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    Aes    enc[BENCH_MAX_PENDING];
+    double start;
+
+    /* clear for done cleanup */
+    XMEMSET(enc, 0, sizeof(enc));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+                                doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("AesInit failed, ret = %d\n", ret);
+            goto exit;
+        }
 
-    wc_AesGcmSetKey(&enc, key, 16);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+        ret = wc_AesSetKey(&enc[i], key, keySz, iv, AES_ENCRYPTION);
+        if (ret != 0) {
+            printf("AesSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
 
-    for(i = 0; i < numBlocks; i++)
-        wc_AesGcmEncrypt(&enc, cipher, plain, sizeof(plain), iv, 12,
-                        tag, 16, additional, 13);
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_AesCbcEncrypt(&enc[i], bench_plain, bench_cipher,
+                        BENCH_SIZE);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_aes_enc;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_enc:
+    bench_stats_sym_finish(encLabel, doAsync, count, bench_size, start, ret);
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
+    if (ret < 0) {
+        goto exit;
+    }
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+#ifdef HAVE_AES_DECRYPT
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        ret = wc_AesSetKey(&enc[i], key, keySz, iv, AES_DECRYPTION);
+        if (ret != 0) {
+            printf("AesSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
 
-    printf("AES-GCM  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_AesCbcDecrypt(&enc[i], bench_plain, bench_cipher,
+                        BENCH_SIZE);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_aes_dec;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_dec:
+    bench_stats_sym_finish(decLabel, doAsync, count, bench_size, start, ret);
+
+#endif /* HAVE_AES_DECRYPT */
+
+    (void)decLabel;
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_AesFree(&enc[i]);
+    }
 }
+
+void bench_aescbc(int doAsync)
+{
+#ifdef WOLFSSL_AES_128
+    bench_aescbc_internal(doAsync, bench_key, 16, bench_iv,
+                 "AES-128-CBC-enc", "AES-128-CBC-dec");
+#endif
+#ifdef WOLFSSL_AES_192
+    bench_aescbc_internal(doAsync, bench_key, 24, bench_iv,
+                 "AES-192-CBC-enc", "AES-192-CBC-dec");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_aescbc_internal(doAsync, bench_key, 32, bench_iv,
+                 "AES-256-CBC-enc", "AES-256-CBC-dec");
 #endif
+}
 
-#ifdef WOLFSSL_AES_COUNTER
-void bench_aesctr(void)
+#endif /* HAVE_AES_CBC */
+
+#ifdef HAVE_AESGCM
+static void bench_aesgcm_internal(int doAsync, const byte* key, word32 keySz,
+                                  const byte* iv, word32 ivSz,
+                                  const char* encLabel, const char* decLabel)
 {
-    Aes    enc;
-    double start, total, persec;
-    int    i;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    Aes    enc[BENCH_MAX_PENDING];
+#ifdef HAVE_AES_DECRYPT
+    Aes    dec[BENCH_MAX_PENDING];
+#endif
+    double start;
 
-    wc_AesSetKeyDirect(&enc, key, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+    DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
 
-    for(i = 0; i < numBlocks; i++)
-        wc_AesCtrEncrypt(&enc, plain, cipher, sizeof(plain));
+    /* clear for done cleanup */
+    XMEMSET(enc, 0, sizeof(enc));
+#ifdef HAVE_AES_DECRYPT
+    XMEMSET(dec, 0, sizeof(dec));
+#endif
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (bench_additional)
+#endif
+        XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (bench_tag)
+#endif
+        XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+                        doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("AesInit failed, ret = %d\n", ret);
+            goto exit;
+        }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
+        ret = wc_AesGcmSetKey(&enc[i], key, keySz);
+        if (ret != 0) {
+            printf("AesGcmSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+    /* GCM uses same routine in backend for both encrypt and decrypt */
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_AesGcmEncrypt(&enc[i], bench_cipher,
+                        bench_plain, BENCH_SIZE,
+                        iv, ivSz, bench_tag, AES_AUTH_TAG_SZ,
+                        bench_additional, aesAuthAddSz);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_aes_gcm;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_gcm:
+    bench_stats_sym_finish(encLabel, doAsync, count, bench_size, start, ret);
+
+#ifdef HAVE_AES_DECRYPT
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_AesInit(&dec[i], HEAP_HINT,
+                        doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("AesInit failed, ret = %d\n", ret);
+            goto exit;
+        }
+
+        ret = wc_AesGcmSetKey(&dec[i], key, keySz);
+        if (ret != 0) {
+            printf("AesGcmSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dec[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_AesGcmDecrypt(&dec[i], bench_plain,
+                        bench_cipher, BENCH_SIZE,
+                        iv, ivSz, bench_tag, AES_AUTH_TAG_SZ,
+                        bench_additional, aesAuthAddSz);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&dec[i]), 0, &times, &pending)) {
+                        goto exit_aes_gcm_dec;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_gcm_dec:
+    bench_stats_sym_finish(decLabel, doAsync, count, bench_size, start, ret);
+#endif /* HAVE_AES_DECRYPT */
+
+    (void)decLabel;
+
+exit:
+
+    if (ret < 0) {
+        printf("bench_aesgcm failed: %d\n", ret);
+    }
+#ifdef HAVE_AES_DECRYPT
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_AesFree(&dec[i]);
+    }
 #endif
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_AesFree(&enc[i]);
+    }
 
-    printf("AES-CTR  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    FREE_VAR(bench_additional, HEAP_HINT);
+    FREE_VAR(bench_tag, HEAP_HINT);
 }
+
+void bench_aesgcm(int doAsync)
+{
+#if defined(WOLFSSL_AES_128) && !defined(WOLFSSL_AFALG_XILINX_AES)
+    bench_aesgcm_internal(doAsync, bench_key, 16, bench_iv, 12,
+                          "AES-128-GCM-enc", "AES-128-GCM-dec");
+#endif
+#if defined(WOLFSSL_AES_192) && !defined(WOLFSSL_AFALG_XILINX_AES)
+    bench_aesgcm_internal(doAsync, bench_key, 24, bench_iv, 12,
+                          "AES-192-GCM-enc", "AES-192-GCM-dec");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_aesgcm_internal(doAsync, bench_key, 32, bench_iv, 12,
+                          "AES-256-GCM-enc", "AES-256-GCM-dec");
 #endif
+}
+#endif /* HAVE_AESGCM */
 
 
+#ifdef WOLFSSL_AES_DIRECT
+static void bench_aesecb_internal(int doAsync, const byte* key, word32 keySz,
+                                  const char* encLabel, const char* decLabel)
+{
+    int    ret, i, count = 0, times, pending = 0;
+    Aes    enc[BENCH_MAX_PENDING];
+    double start;
+
+    /* clear for done cleanup */
+    XMEMSET(enc, 0, sizeof(enc));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_AesInit(&enc[i], HEAP_HINT,
+                                doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("AesInit failed, ret = %d\n", ret);
+            goto exit;
+        }
 
-#ifdef HAVE_AESCCM
-void bench_aesccm(void)
+        ret = wc_AesSetKey(&enc[i], key, keySz, bench_iv, AES_ENCRYPTION);
+        if (ret != 0) {
+            printf("AesSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    wc_AesEncryptDirect(&enc[i], bench_cipher, bench_plain);
+                    ret = 0;
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_aes_enc;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_enc:
+    bench_stats_sym_finish(encLabel, doAsync, count, AES_BLOCK_SIZE,
+                           start, ret);
+
+#ifdef HAVE_AES_DECRYPT
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        ret = wc_AesSetKey(&enc[i], key, keySz, bench_iv, AES_DECRYPTION);
+        if (ret != 0) {
+            printf("AesSetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    wc_AesDecryptDirect(&enc[i], bench_plain,
+                                              bench_cipher);
+                    ret = 0;
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_aes_dec;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_aes_dec:
+    bench_stats_sym_finish(decLabel, doAsync, count, AES_BLOCK_SIZE,
+                           start, ret);
+
+#endif /* HAVE_AES_DECRYPT */
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_AesFree(&enc[i]);
+    }
+}
+
+void bench_aesecb(int doAsync)
 {
-    Aes    enc;
-    double start, total, persec;
-    int    i;
+#ifdef WOLFSSL_AES_128
+    bench_aesecb_internal(doAsync, bench_key, 16,
+                 "AES-128-ECB-enc", "AES-128-ECB-dec");
+#endif
+#ifdef WOLFSSL_AES_192
+    bench_aesecb_internal(doAsync, bench_key, 24,
+                 "AES-192-ECB-enc", "AES-192-ECB-dec");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_aesecb_internal(doAsync, bench_key, 32,
+                 "AES-256-ECB-enc", "AES-256-ECB-dec");
+#endif
+}
+#endif /* WOLFSSL_AES_DIRECT */
 
-    wc_AesCcmSetKey(&enc, key, 16);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+#ifdef WOLFSSL_AES_CFB
+static void bench_aescfb_internal(const byte* key, word32 keySz, const byte* iv,
+                                  const char* label)
+{
+    Aes    enc;
+    double start;
+    int    i, ret, count;
 
-    for(i = 0; i < numBlocks; i++)
-        wc_AesCcmEncrypt(&enc, cipher, plain, sizeof(plain), iv, 12,
-                        tag, 16, additional, 13);
+    ret = wc_AesSetKey(&enc, key, keySz, iv, AES_ENCRYPTION);
+    if (ret != 0) {
+        printf("AesSetKey failed, ret = %d\n", ret);
+        return;
+    }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            if((ret = wc_AesCfbEncrypt(&enc, bench_plain, bench_cipher,
+                            BENCH_SIZE)) != 0) {
+                printf("wc_AesCfbEncrypt failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish(label, 0, count, bench_size, start, ret);
+}
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+void bench_aescfb(void)
+{
+#ifdef WOLFSSL_AES_128
+    bench_aescfb_internal(bench_key, 16, bench_iv, "AES-128-CFB");
+#endif
+#ifdef WOLFSSL_AES_192
+    bench_aescfb_internal(bench_key, 24, bench_iv, "AES-192-CFB");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_aescfb_internal(bench_key, 32, bench_iv, "AES-256-CFB");
 #endif
+}
+#endif /* WOLFSSL_AES_CFB */
 
-    printf("AES-CCM  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+
+#ifdef WOLFSSL_AES_OFB
+static void bench_aesofb_internal(const byte* key, word32 keySz, const byte* iv,
+                                  const char* label)
+{
+    Aes    enc;
+    double start;
+    int    i, ret, count;
+
+    ret = wc_AesSetKey(&enc, key, keySz, iv, AES_ENCRYPTION);
+    if (ret != 0) {
+        printf("AesSetKey failed, ret = %d\n", ret);
+        return;
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            if((ret = wc_AesOfbEncrypt(&enc, bench_plain, bench_cipher,
+                            BENCH_SIZE)) != 0) {
+                printf("wc_AesCfbEncrypt failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish(label, 0, count, bench_size, start, ret);
 }
+
+void bench_aesofb(void)
+{
+#ifdef WOLFSSL_AES_128
+    bench_aesofb_internal(bench_key, 16, bench_iv, "AES-128-OFB");
+#endif
+#ifdef WOLFSSL_AES_192
+    bench_aesofb_internal(bench_key, 24, bench_iv, "AES-192-OFB");
 #endif
+#ifdef WOLFSSL_AES_256
+    bench_aesofb_internal(bench_key, 32, bench_iv, "AES-256-OFB");
+#endif
+}
+#endif /* WOLFSSL_AES_CFB */
 
 
-#ifdef HAVE_POLY1305
-void bench_poly1305()
+#ifdef WOLFSSL_AES_XTS
+void bench_aesxts(void)
 {
-    Poly1305    enc;
-    byte   mac[16];
-    double start, total, persec;
-    int    i;
-    int    ret;
+    XtsAes aes;
+    double start;
+    int    i, count, ret;
+
+    static unsigned char k1[] = {
+        0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
+        0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
+        0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+        0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
+    };
 
+    static unsigned char i1[] = {
+        0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
+        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
+    };
 
-    ret = wc_Poly1305SetKey(&enc, key, 32);
+    ret = wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId);
     if (ret != 0) {
-        printf("Poly1305SetKey failed, ret = %d\n", ret);
+        printf("wc_AesXtsSetKey failed, ret = %d\n", ret);
         return;
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
 
-    for(i = 0; i < numBlocks; i++)
-        wc_Poly1305Update(&enc, plain, sizeof(plain));
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            if ((ret = wc_AesXtsEncrypt(&aes, bench_plain, bench_cipher,
+                            BENCH_SIZE, i1, sizeof(i1))) != 0) {
+                printf("wc_AesXtsEncrypt failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("AES-XTS-enc", 0, count, bench_size, start, ret);
+    wc_AesXtsFree(&aes);
+
+    /* decryption benchmark */
+    ret = wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+            HEAP_HINT, devId);
+    if (ret != 0) {
+        printf("wc_AesXtsSetKey failed, ret = %d\n", ret);
+        return;
+    }
 
-    wc_Poly1305Final(&enc, mac);
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            if ((ret = wc_AesXtsDecrypt(&aes, bench_plain, bench_cipher,
+                            BENCH_SIZE, i1, sizeof(i1))) != 0) {
+                printf("wc_AesXtsDecrypt failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("AES-XTS-dec", 0, count, bench_size, start, ret);
+    wc_AesXtsFree(&aes);
+}
+#endif /* WOLFSSL_AES_XTS */
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+
+#ifdef WOLFSSL_AES_COUNTER
+static void bench_aesctr_internal(const byte* key, word32 keySz, const byte* iv,
+                                  const char* label)
+{
+    Aes    enc;
+    double start;
+    int    i, count, ret = 0;
+
+    wc_AesSetKeyDirect(&enc, key, keySz, iv, AES_ENCRYPTION);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            if((ret = wc_AesCtrEncrypt(&enc, bench_plain, bench_cipher, BENCH_SIZE)) != 0) {
+                printf("wc_AesCtrEncrypt failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish(label, 0, count, bench_size, start, ret);
+}
+
+void bench_aesctr(void)
+{
+#ifdef WOLFSSL_AES_128
+    bench_aesctr_internal(bench_key, 16, bench_iv, "AES-128-CTR");
 #endif
+#ifdef WOLFSSL_AES_192
+    bench_aesctr_internal(bench_key, 24, bench_iv, "AES-192-CTR");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_aesctr_internal(bench_key, 32, bench_iv, "AES-256-CTR");
+#endif
+}
+#endif /* WOLFSSL_AES_COUNTER */
 
-    printf("POLY1305 %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                                  blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+
+#ifdef HAVE_AESCCM
+void bench_aesccm(void)
+{
+    Aes    enc;
+    double start;
+    int    ret, i, count;
+
+    DECLARE_VAR(bench_additional, byte, AES_AUTH_ADD_SZ, HEAP_HINT);
+    DECLARE_VAR(bench_tag, byte, AES_AUTH_TAG_SZ, HEAP_HINT);
+
+    XMEMSET(bench_tag, 0, AES_AUTH_TAG_SZ);
+    XMEMSET(bench_additional, 0, AES_AUTH_ADD_SZ);
+
+    if ((ret = wc_AesCcmSetKey(&enc, bench_key, 16)) != 0) {
+        printf("wc_AesCcmSetKey failed, ret = %d\n", ret);
+        return;
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_AesCcmEncrypt(&enc, bench_cipher, bench_plain, BENCH_SIZE,
+                bench_iv, 12, bench_tag, AES_AUTH_TAG_SZ,
+                bench_additional, aesAuthAddSz);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("AES-CCM-Enc", 0, count, bench_size, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_AesCcmDecrypt(&enc, bench_plain, bench_cipher, BENCH_SIZE,
+                bench_iv, 12, bench_tag, AES_AUTH_TAG_SZ,
+                bench_additional, aesAuthAddSz);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("AES-CCM-Dec", 0, count, bench_size, start, ret);
+
+
+    FREE_VAR(bench_additional, HEAP_HINT);
+    FREE_VAR(bench_tag, HEAP_HINT);
+}
+#endif /* HAVE_AESCCM */
+#endif /* !NO_AES */
+
+
+#ifdef HAVE_POLY1305
+void bench_poly1305(void)
+{
+    Poly1305 enc;
+    byte     mac[16];
+    double   start;
+    int      ret = 0, i, count;
+
+    if (digest_stream) {
+        ret = wc_Poly1305SetKey(&enc, bench_key, 32);
+        if (ret != 0) {
+            printf("Poly1305SetKey failed, ret = %d\n", ret);
+            return;
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_Poly1305Update(&enc, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Poly1305Update failed: %d\n", ret);
+                    break;
+                }
+            }
+            wc_Poly1305Final(&enc, mac);
+            count += i;
+        } while (bench_stats_sym_check(start));
+        bench_stats_sym_finish("POLY1305", 0, count, bench_size, start, ret);
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_Poly1305SetKey(&enc, bench_key, 32);
+                if (ret != 0) {
+                    printf("Poly1305SetKey failed, ret = %d\n", ret);
+                    return;
+                }
+                ret = wc_Poly1305Update(&enc, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Poly1305Update failed: %d\n", ret);
+                    break;
+                }
+                wc_Poly1305Final(&enc, mac);
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
+        bench_stats_sym_finish("POLY1305", 0, count, bench_size, start, ret);
+    }
 }
 #endif /* HAVE_POLY1305 */
 
@@ -592,143 +2757,185 @@ void bench_poly1305()
 void bench_camellia(void)
 {
     Camellia cam;
-    double start, total, persec;
-    int    i, ret;
+    double   start;
+    int      ret, i, count;
 
-    ret = wc_CamelliaSetKey(&cam, key, 16, iv);
+    ret = wc_CamelliaSetKey(&cam, bench_key, 16, bench_iv);
     if (ret != 0) {
         printf("CamelliaSetKey failed, ret = %d\n", ret);
         return;
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
 
-    for(i = 0; i < numBlocks; i++)
-        wc_CamelliaCbcEncrypt(&cam, plain, cipher, sizeof(plain));
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_CamelliaCbcEncrypt(&cam, bench_plain, bench_cipher,
+                                                            BENCH_SIZE);
+            if (ret < 0) {
+                printf("CamelliaCbcEncrypt failed: %d\n", ret);
+                return;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("Camellia", 0, count, bench_size, start, ret);
+}
+#endif
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
 
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+#ifndef NO_DES3
+void bench_des(int doAsync)
+{
+    int    ret = 0, i, count = 0, times, pending = 0;
+    Des3   enc[BENCH_MAX_PENDING];
+    double start;
+
+    /* clear for done cleanup */
+    XMEMSET(enc, 0, sizeof(enc));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_Des3Init(&enc[i], HEAP_HINT,
+                                doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("Des3Init failed, ret = %d\n", ret);
+            goto exit;
+        }
 
-    printf("Camellia %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+        ret = wc_Des3_SetKey(&enc[i], bench_key, bench_iv, DES_ENCRYPTION);
+        if (ret != 0) {
+            printf("Des3_SetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_Des3_CbcEncrypt(&enc[i], bench_plain, bench_cipher,
+                        BENCH_SIZE);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_3des;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_3des:
+    bench_stats_sym_finish("3DES", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Des3Free(&enc[i]);
+    }
 }
-#endif
+#endif /* !NO_DES3 */
 
 
-#ifndef NO_DES3
-void bench_des(void)
+#ifdef HAVE_IDEA
+void bench_idea(void)
 {
-    Des3   enc;
-    double start, total, persec;
-    int    i, ret;
+    Idea   enc;
+    double start;
+    int    ret = 0, i, count;
 
-#ifdef HAVE_CAVIUM
-    if (wc_Des3_InitCavium(&enc, CAVIUM_DEV_ID) != 0)
-        printf("des3 init cavium failed\n");
-#endif
-    ret = wc_Des3_SetKey(&enc, key, iv, DES_ENCRYPTION);
+    ret = wc_IdeaSetKey(&enc, bench_key, IDEA_KEY_SIZE, bench_iv,
+        IDEA_ENCRYPTION);
     if (ret != 0) {
         printf("Des3_SetKey failed, ret = %d\n", ret);
         return;
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
 
-    for(i = 0; i < numBlocks; i++)
-        wc_Des3_CbcEncrypt(&enc, plain, cipher, sizeof(plain));
-
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
-
-    printf("3DES     %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
-#ifdef HAVE_CAVIUM
-    wc_Des3_FreeCavium(&enc);
-#endif
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_IdeaCbcEncrypt(&enc, bench_plain, bench_cipher, BENCH_SIZE);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("IDEA", 0, count, bench_size, start, ret);
 }
-#endif
+#endif /* HAVE_IDEA */
 
 
 #ifndef NO_RC4
-void bench_arc4(void)
+void bench_arc4(int doAsync)
 {
-    Arc4   enc;
-    double start, total, persec;
-    int    i;
-    
-#ifdef HAVE_CAVIUM
-    if (wc_Arc4InitCavium(&enc, CAVIUM_DEV_ID) != 0)
-        printf("arc4 init cavium failed\n");
-#endif
-
-    wc_Arc4SetKey(&enc, key, 16);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for(i = 0; i < numBlocks; i++)
-        wc_Arc4Process(&enc, cipher, plain, sizeof(plain));
+    int    ret = 0, i, count = 0, times, pending = 0;
+    Arc4   enc[BENCH_MAX_PENDING];
+    double start;
+
+    /* clear for done cleanup */
+    XMEMSET(enc, 0, sizeof(enc));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        if ((ret = wc_Arc4Init(&enc[i], HEAP_HINT,
+                            doAsync ? devId : INVALID_DEVID)) != 0) {
+            printf("Arc4Init failed, ret = %d\n", ret);
+            goto exit;
+        }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+        ret = wc_Arc4SetKey(&enc[i], bench_key, 16);
+        if (ret != 0) {
+            printf("Arc4SetKey failed, ret = %d\n", ret);
+            goto exit;
+        }
+    }
 
-    printf("ARC4     %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
-#ifdef HAVE_CAVIUM
-    wc_Arc4FreeCavium(&enc);
-#endif
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, numBlocks, &pending)) {
+                    ret = wc_Arc4Process(&enc[i], bench_cipher, bench_plain,
+                        BENCH_SIZE);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&enc[i]), 0, &times, &pending)) {
+                        goto exit_arc4;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_arc4:
+    bench_stats_sym_finish("ARC4", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Arc4Free(&enc[i]);
+    }
 }
-#endif
+#endif /* !NO_RC4 */
 
 
 #ifdef HAVE_HC128
 void bench_hc128(void)
 {
     HC128  enc;
-    double start, total, persec;
-    int    i;
-    
-    wc_Hc128_SetKey(&enc, key, iv);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for(i = 0; i < numBlocks; i++)
-        wc_Hc128_Process(&enc, cipher, plain, sizeof(plain));
+    double start;
+    int    i, count;
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+    wc_Hc128_SetKey(&enc, bench_key, bench_iv);
 
-    printf("HC128    %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_Hc128_Process(&enc, bench_cipher, bench_plain, BENCH_SIZE);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("HC128", 0, count, bench_size, start, 0);
 }
 #endif /* HAVE_HC128 */
 
@@ -736,29 +2943,20 @@ void bench_hc128(void)
 #ifndef NO_RABBIT
 void bench_rabbit(void)
 {
-    Rabbit  enc;
-    double start, total, persec;
-    int    i;
-    
-    wc_RabbitSetKey(&enc, key, iv);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for(i = 0; i < numBlocks; i++)
-        wc_RabbitProcess(&enc, cipher, plain, sizeof(plain));
+    Rabbit enc;
+    double start;
+    int    i, count;
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+    wc_RabbitSetKey(&enc, bench_key, bench_iv);
 
-    printf("RABBIT   %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_RabbitProcess(&enc, bench_cipher, bench_plain, BENCH_SIZE);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("RABBIT", 0, count, bench_size, start, 0);
 }
 #endif /* NO_RABBIT */
 
@@ -767,356 +2965,1391 @@ void bench_rabbit(void)
 void bench_chacha(void)
 {
     ChaCha enc;
-    double start, total, persec;
-    int    i;
+    double start;
+    int    i, count;
 
-    wc_Chacha_SetKey(&enc, key, 16);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for (i = 0; i < numBlocks; i++) {
-        wc_Chacha_SetIV(&enc, iv, 0);
-        wc_Chacha_Process(&enc, cipher, plain, sizeof(plain));
-    }
-
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
-
-    printf("CHACHA   %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    wc_Chacha_SetKey(&enc, bench_key, 16);
 
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            wc_Chacha_SetIV(&enc, bench_iv, 0);
+            wc_Chacha_Process(&enc, bench_cipher, bench_plain, BENCH_SIZE);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("CHACHA", 0, count, bench_size, start, 0);
 }
 #endif /* HAVE_CHACHA*/
 
-#if( defined( HAVE_CHACHA ) && defined( HAVE_POLY1305 ) )
+#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
 void bench_chacha20_poly1305_aead(void)
 {
-    double start, total, persec;
-    int    i;
+    double start;
+    int    ret = 0, i, count;
 
     byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
-    XMEMSET( authTag, 0, sizeof( authTag ) );
-
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for (i = 0; i < numBlocks; i++)
-    {
-        wc_ChaCha20Poly1305_Encrypt(key, iv, NULL, 0, plain, sizeof(plain),
-                                    cipher, authTag );
-    }
-
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
-
-    printf("CHA-POLY %d %s took %5.3f seconds, %8.3f MB/s",
-           numBlocks, blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
-
+    XMEMSET(authTag, 0, sizeof(authTag));
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_ChaCha20Poly1305_Encrypt(bench_key, bench_iv, NULL, 0,
+                bench_plain, BENCH_SIZE, bench_cipher, authTag);
+            if (ret < 0) {
+                printf("wc_ChaCha20Poly1305_Encrypt error: %d\n", ret);
+                break;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("CHA-POLY", 0, count, bench_size, start, ret);
 }
 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
 
 
 #ifndef NO_MD5
-void bench_md5(void)
+void bench_md5(int doAsync)
 {
-    Md5    hash;
-    byte   digest[MD5_DIGEST_SIZE];
-    double start, total, persec;
-    int    i;
+    wc_Md5 hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_MD5_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitMd5_ex(&hash[i], HEAP_HINT,
+                        doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitMd5_ex failed, ret = %d\n", ret);
+                goto exit;
+            }
+        #ifdef WOLFSSL_PIC32MZ_HASH
+            wc_Md5SizeSet(&hash[i], numBlocks * BENCH_SIZE);
+        #endif
+        }
 
-    wc_InitMd5(&hash);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Md5Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_md5;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Md5Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_md5;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitMd5_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Md5Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Md5Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_md5;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_md5:
+    bench_stats_sym_finish("MD5", doAsync, count, bench_size, start, ret);
 
-    for(i = 0; i < numBlocks; i++)
-        wc_Md5Update(&hash, plain, sizeof(plain));
-   
-    wc_Md5Final(&hash, digest);
+exit:
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+#ifdef WOLFSSL_ASYNC_CRYPT
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Md5Free(&hash[i]);
+    }
 #endif
 
-    printf("MD5      %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
-#endif /* NO_MD5 */
+#endif /* !NO_MD5 */
 
 
 #ifndef NO_SHA
-void bench_sha(void)
-{
-    Sha    hash;
-    byte   digest[SHA_DIGEST_SIZE];
-    double start, total, persec;
-    int    i, ret;
-        
-    ret = wc_InitSha(&hash);
-    if (ret != 0) {
-        printf("InitSha failed, ret = %d\n", ret);
-        return;
+void bench_sha(int doAsync)
+{
+    wc_Sha hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha_ex(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha failed, ret = %d\n", ret);
+                goto exit;
+            }
+        #ifdef WOLFSSL_PIC32MZ_HASH
+            wc_ShaSizeSet(&hash[i], numBlocks * BENCH_SIZE);
+        #endif
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_ShaUpdate(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_ShaFinal(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-    
-    for(i = 0; i < numBlocks; i++)
-        wc_ShaUpdate(&hash, plain, sizeof(plain));
-   
-    wc_ShaFinal(&hash, digest);
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_ShaUpdate(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_ShaFinal(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha:
+    bench_stats_sym_finish("SHA", doAsync, count, bench_size, start, ret);
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+exit:
 
-    printf("SHA      %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_ShaFree(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif /* NO_SHA */
 
 
-#ifndef NO_SHA256
-void bench_sha256(void)
+#ifdef WOLFSSL_SHA224
+void bench_sha224(int doAsync)
 {
-    Sha256 hash;
-    byte   digest[SHA256_DIGEST_SIZE];
-    double start, total, persec;
-    int    i, ret;
+    wc_Sha224 hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA224_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha224_ex(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha224_ex failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
 
-    ret = wc_InitSha256(&hash);
-    if (ret != 0) {
-        printf("InitSha256 failed, ret = %d\n", ret);
-        return;
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha224Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha224;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha224Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha224;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-
-    for(i = 0; i < numBlocks; i++) {
-        ret = wc_Sha256Update(&hash, plain, sizeof(plain));
-        if (ret != 0) {
-            printf("Sha256Update failed, ret = %d\n", ret);
-            return;
-        }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha224_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha224Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha224Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha224;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
     }
+exit_sha224:
+    bench_stats_sym_finish("SHA-224", doAsync, count, bench_size, start, ret);
 
-    ret = wc_Sha256Final(&hash, digest);
-    if (ret != 0) {
-        printf("Sha256Final failed, ret = %d\n", ret);
-        return;
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha224Free(&hash[i]);
     }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+}
 #endif
 
-    printf("SHA-256  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+#ifndef NO_SHA256
+void bench_sha256(int doAsync)
+{
+    wc_Sha256 hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA256_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha256_ex(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha256_ex failed, ret = %d\n", ret);
+                goto exit;
+            }
+        #ifdef WOLFSSL_PIC32MZ_HASH
+            wc_Sha256SizeSet(&hash[i], numBlocks * BENCH_SIZE);
+        #endif
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha256Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha256;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha256Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha256;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha256_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha256Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha256Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha256;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha256:
+    bench_stats_sym_finish("SHA-256", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha256Free(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
 #endif
 
 #ifdef WOLFSSL_SHA384
-void bench_sha384(void)
+void bench_sha384(int doAsync)
 {
-    Sha384 hash;
-    byte   digest[SHA384_DIGEST_SIZE];
-    double start, total, persec;
-    int    i, ret;
+    wc_Sha384 hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA384_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha384_ex(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha384_ex failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
 
-    ret = wc_InitSha384(&hash);
-    if (ret != 0) {
-        printf("InitSha384 failed, ret = %d\n", ret);
-        return;
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha384Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha384;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha384Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha384;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha384_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha384Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha384Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha384;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha384:
+    bench_stats_sym_finish("SHA-384", doAsync, count, bench_size, start, ret);
 
-    for(i = 0; i < numBlocks; i++) {
-        ret = wc_Sha384Update(&hash, plain, sizeof(plain));
-        if (ret != 0) {
-            printf("Sha384Update failed, ret = %d\n", ret);
-            return;
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha384Free(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+}
+#endif
+
+#ifdef WOLFSSL_SHA512
+void bench_sha512(int doAsync)
+{
+    wc_Sha512 hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA512_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha512_ex(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha512_ex failed, ret = %d\n", ret);
+                goto exit;
+            }
         }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha512Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha512;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha512Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha512;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha512_ex(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha512Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha512Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha512;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
     }
+exit_sha512:
+    bench_stats_sym_finish("SHA-512", doAsync, count, bench_size, start, ret);
 
-    ret = wc_Sha384Final(&hash, digest);
-    if (ret != 0) {
-        printf("Sha384Final failed, ret = %d\n", ret);
-        return;
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha512Free(&hash[i]);
     }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+}
 #endif
 
-    printf("SHA-384  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+
+#ifdef WOLFSSL_SHA3
+#ifndef WOLFSSL_NOSHA3_224
+void bench_sha3_224(int doAsync)
+{
+    wc_Sha3   hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA3_224_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha3_224(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha3_224 failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_224_Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_224;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_224_Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_224;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha3_224(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha3_224_Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha3_224_Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha3_224;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha3_224:
+    bench_stats_sym_finish("SHA3-224", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha3_224_Free(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
-#endif
+#endif /* WOLFSSL_NOSHA3_224 */
 
-#ifdef WOLFSSL_SHA512
-void bench_sha512(void)
-{
-    Sha512 hash;
-    byte   digest[SHA512_DIGEST_SIZE];
-    double start, total, persec;
-    int    i, ret;
-        
-    ret = wc_InitSha512(&hash);
-    if (ret != 0) {
-        printf("InitSha512 failed, ret = %d\n", ret);
-        return;
+#ifndef WOLFSSL_NOSHA3_256
+void bench_sha3_256(int doAsync)
+{
+    wc_Sha3   hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA3_256_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha3_256(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha3_256 failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_256_Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_256;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_256_Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_256;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-    
-    for(i = 0; i < numBlocks; i++) {
-        ret = wc_Sha512Update(&hash, plain, sizeof(plain));
-        if (ret != 0) {
-            printf("Sha512Update failed, ret = %d\n", ret);
-            return;
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha3_256(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha3_256_Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha3_256_Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha3_256;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha3_256:
+    bench_stats_sym_finish("SHA3-256", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha3_256_Free(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+}
+#endif /* WOLFSSL_NOSHA3_256 */
+
+#ifndef WOLFSSL_NOSHA3_384
+void bench_sha3_384(int doAsync)
+{
+    wc_Sha3   hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA3_384_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha3_384(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha3_384 failed, ret = %d\n", ret);
+                goto exit;
+            }
         }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_384_Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_384;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_384_Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_384;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha3_384(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha3_384_Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha3_384_Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha3_384;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
     }
+exit_sha3_384:
+    bench_stats_sym_finish("SHA3-384", doAsync, count, bench_size, start, ret);
 
-    ret = wc_Sha512Final(&hash, digest);
-    if (ret != 0) {
-        printf("Sha512Final failed, ret = %d\n", ret);
-        return;
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha3_384_Free(&hash[i]);
     }
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+}
+#endif /* WOLFSSL_NOSHA3_384 */
 
-    printf("SHA-512  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+#ifndef WOLFSSL_NOSHA3_512
+void bench_sha3_512(int doAsync)
+{
+    wc_Sha3   hash[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_SHA3_512_DIGEST_SIZE, HEAP_HINT);
+
+    /* clear for done cleanup */
+    XMEMSET(hash, 0, sizeof(hash));
+
+    if (digest_stream) {
+        /* init keys */
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            ret = wc_InitSha3_512(&hash[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+            if (ret != 0) {
+                printf("InitSha3_512 failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_512_Update(&hash[i], bench_plain,
+                            BENCH_SIZE);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_512;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+
+            times = 0;
+            do {
+                bench_async_poll(&pending);
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, numBlocks, &pending)) {
+                        ret = wc_Sha3_512_Final(&hash[i], digest[i]);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hash[i]), 0, &times, &pending)) {
+                            goto exit_sha3_512;
+                        }
+                    }
+                } /* for i */
+            } while (pending > 0);
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < numBlocks; times++) {
+                ret = wc_InitSha3_512(hash, HEAP_HINT, INVALID_DEVID);
+                ret |= wc_Sha3_512_Update(hash, bench_plain, BENCH_SIZE);
+                ret |= wc_Sha3_512_Final(hash, digest[0]);
+                if (ret != 0)
+                    goto exit_sha3_512;
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+    }
+exit_sha3_512:
+    bench_stats_sym_finish("SHA3-512", doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_Sha3_512_Free(&hash[i]);
+    }
+
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
 }
+#endif /* WOLFSSL_NOSHA3_512 */
 #endif
 
+
 #ifdef WOLFSSL_RIPEMD
-void bench_ripemd(void)
+int bench_ripemd(void)
 {
     RipeMd hash;
     byte   digest[RIPEMD_DIGEST_SIZE];
-    double start, total, persec;
-    int    i;
-        
-    wc_InitRipeMd(&hash);
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-    
-    for(i = 0; i < numBlocks; i++)
-        wc_RipeMdUpdate(&hash, plain, sizeof(plain));
-   
-    wc_RipeMdFinal(&hash, digest);
+    double start;
+    int    i, count, ret = 0;
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
-#endif
+    if (digest_stream) {
+        ret = wc_InitRipeMd(&hash);
+        if (ret != 0) {
+            return ret;
+        }
 
-    printf("RIPEMD   %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_RipeMdUpdate(&hash, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    return ret;
+                }
+            }
+            ret = wc_RipeMdFinal(&hash, digest);
+            if (ret != 0) {
+                return ret;
+            }
+
+            count += i;
+        } while (bench_stats_sym_check(start));
+    }
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_InitRipeMd(&hash);
+                if (ret != 0) {
+                    return ret;
+                }
+                ret = wc_RipeMdUpdate(&hash, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    return ret;
+                }
+                ret = wc_RipeMdFinal(&hash, digest);
+                if (ret != 0) {
+                    return ret;
+                }
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
+    }
+    bench_stats_sym_finish("RIPEMD", 0, count, bench_size, start, ret);
+
+    return 0;
 }
 #endif
 
 
 #ifdef HAVE_BLAKE2
-void bench_blake2(void)
+void bench_blake2b(void)
 {
     Blake2b b2b;
     byte    digest[64];
-    double  start, total, persec;
-    int     i, ret;
-       
-    ret = wc_InitBlake2b(&b2b, 64);
-    if (ret != 0) {
-        printf("InitBlake2b failed, ret = %d\n", ret);
-        return;
+    double  start;
+    int     ret = 0, i, count;
+
+    if (digest_stream) {
+        ret = wc_InitBlake2b(&b2b, 64);
+        if (ret != 0) {
+            printf("InitBlake2b failed, ret = %d\n", ret);
+            return;
+        }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_Blake2bUpdate(&b2b, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Blake2bUpdate failed, ret = %d\n", ret);
+                    return;
+                }
+            }
+            ret = wc_Blake2bFinal(&b2b, digest, 64);
+            if (ret != 0) {
+                printf("Blake2bFinal failed, ret = %d\n", ret);
+                return;
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
     }
-    start = current_time(1);
-    BEGIN_INTEL_CYCLES
-    
-    for(i = 0; i < numBlocks; i++) {
-        ret = wc_Blake2bUpdate(&b2b, plain, sizeof(plain));
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_InitBlake2b(&b2b, 64);
+                if (ret != 0) {
+                    printf("InitBlake2b failed, ret = %d\n", ret);
+                    return;
+                }
+                ret = wc_Blake2bUpdate(&b2b, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Blake2bUpdate failed, ret = %d\n", ret);
+                    return;
+                }
+                ret = wc_Blake2bFinal(&b2b, digest, 64);
+                if (ret != 0) {
+                    printf("Blake2bFinal failed, ret = %d\n", ret);
+                    return;
+                }
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
+    }
+    bench_stats_sym_finish("BLAKE2b", 0, count, bench_size, start, ret);
+}
+#endif
+
+#if defined(HAVE_BLAKE2S)
+void bench_blake2s(void)
+{
+    Blake2s b2s;
+    byte    digest[32];
+    double  start;
+    int     ret = 0, i, count;
+
+    if (digest_stream) {
+        ret = wc_InitBlake2s(&b2s, 32);
         if (ret != 0) {
-            printf("Blake2bUpdate failed, ret = %d\n", ret);
+            printf("InitBlake2s failed, ret = %d\n", ret);
             return;
         }
+
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_Blake2sUpdate(&b2s, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Blake2sUpdate failed, ret = %d\n", ret);
+                    return;
+                }
+            }
+            ret = wc_Blake2sFinal(&b2s, digest, 32);
+            if (ret != 0) {
+                printf("Blake2sFinal failed, ret = %d\n", ret);
+                return;
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
     }
-   
-    ret = wc_Blake2bFinal(&b2b, digest, 64);
-    if (ret != 0) {
-        printf("Blake2bFinal failed, ret = %d\n", ret);
-        return;
+    else {
+        bench_stats_start(&count, &start);
+        do {
+            for (i = 0; i < numBlocks; i++) {
+                ret = wc_InitBlake2s(&b2s, 32);
+                if (ret != 0) {
+                    printf("InitBlake2b failed, ret = %d\n", ret);
+                    return;
+                }
+                ret = wc_Blake2sUpdate(&b2s, bench_plain, BENCH_SIZE);
+                if (ret != 0) {
+                    printf("Blake2bUpdate failed, ret = %d\n", ret);
+                    return;
+                }
+                ret = wc_Blake2sFinal(&b2s, digest, 32);
+                if (ret != 0) {
+                    printf("Blake2sFinal failed, ret = %d\n", ret);
+                    return;
+                }
+            }
+            count += i;
+        } while (bench_stats_sym_check(start));
     }
+    bench_stats_sym_finish("BLAKE2s", 0, count, bench_size, start, ret);
+}
+#endif
 
-    END_INTEL_CYCLES
-    total = current_time(0) - start;
-    persec = 1 / total * numBlocks;
-#ifdef BENCH_EMBEDDED
-    /* since using kB, convert to MB/s */
-    persec = persec / 1024;
+
+#ifdef WOLFSSL_CMAC
+
+static void bench_cmac_helper(int keySz, const char* outMsg)
+{
+    Cmac    cmac;
+    byte    digest[AES_BLOCK_SIZE];
+    word32  digestSz = sizeof(digest);
+    double  start;
+    int     ret, i, count;
+
+    bench_stats_start(&count, &start);
+    do {
+        ret = wc_InitCmac(&cmac, bench_key, keySz, WC_CMAC_AES, NULL);
+        if (ret != 0) {
+            printf("InitCmac failed, ret = %d\n", ret);
+            return;
+        }
+
+        for (i = 0; i < numBlocks; i++) {
+            ret = wc_CmacUpdate(&cmac, bench_plain, BENCH_SIZE);
+            if (ret != 0) {
+                printf("CmacUpdate failed, ret = %d\n", ret);
+                return;
+            }
+        }
+        /* Note: final force zero's the Cmac struct */
+        ret = wc_CmacFinal(&cmac, digest, &digestSz);
+        if (ret != 0) {
+            printf("CmacFinal failed, ret = %d\n", ret);
+            return;
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish(outMsg, 0, count, bench_size, start, ret);
+}
+
+void bench_cmac(void)
+{
+#ifdef WOLFSSL_AES_128
+    bench_cmac_helper(16, "AES-128-CMAC");
+#endif
+#ifdef WOLFSSL_AES_256
+    bench_cmac_helper(32, "AES-256-CMAC");
 #endif
 
-    printf("BLAKE2b  %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
-                                              blockType, total, persec);
-    SHOW_INTEL_CYCLES
-    printf("\n");
 }
+#endif /* WOLFSSL_CMAC */
+
+#ifdef HAVE_SCRYPT
+
+void bench_scrypt(void)
+{
+    byte   derived[64];
+    double start;
+    int    ret, i, count;
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < scryptCnt; i++) {
+            ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                            (byte*)"SodiumChloride", 14, 14, 8, 1, sizeof(derived));
+            if (ret != 0) {
+                printf("scrypt failed, ret = %d\n", ret);
+                goto exit;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("scrypt", 17, "", 0, count, start, ret);
+}
+
+#endif /* HAVE_SCRYPT */
+
+#ifndef NO_HMAC
+
+static void bench_hmac(int doAsync, int type, int digestSz,
+                       byte* key, word32 keySz, const char* label)
+{
+    Hmac   hmac[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+#ifdef WOLFSSL_ASYNC_CRYPT
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, WC_MAX_DIGEST_SIZE, HEAP_HINT);
+#else
+	byte digest[BENCH_MAX_PENDING][WC_MAX_DIGEST_SIZE];
 #endif
 
+	(void)digestSz;
+
+    /* clear for done cleanup */
+    XMEMSET(hmac, 0, sizeof(hmac));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        ret = wc_HmacInit(&hmac[i], HEAP_HINT,
+                doAsync ? devId : INVALID_DEVID);
+        if (ret != 0) {
+            printf("wc_HmacInit failed for %s, ret = %d\n", label, ret);
+            goto exit;
+        }
+
+        ret = wc_HmacSetKey(&hmac[i], type, key, keySz);
+        if (ret != 0) {
+            printf("wc_HmacSetKey failed for %s, ret = %d\n", label, ret);
+            goto exit;
+        }
+    }
+
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < numBlocks || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hmac[i]), 0,
+                                      &times, numBlocks, &pending)) {
+                    ret = wc_HmacUpdate(&hmac[i], bench_plain, BENCH_SIZE);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hmac[i]),
+                                            0, &times, &pending)) {
+                        goto exit_hmac;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+
+        times = 0;
+        do {
+            bench_async_poll(&pending);
+
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&hmac[i]), 0,
+                                      &times, numBlocks, &pending)) {
+                    ret = wc_HmacFinal(&hmac[i], digest[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&hmac[i]),
+                                            0, &times, &pending)) {
+                        goto exit_hmac;
+                    }
+                }
+            } /* for i */
+        } while (pending > 0);
+    } while (bench_stats_sym_check(start));
+exit_hmac:
+    bench_stats_sym_finish(label, doAsync, count, bench_size, start, ret);
+
+exit:
+
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_HmacFree(&hmac[i]);
+    }
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+#endif
+}
+
+#ifndef NO_MD5
+
+void bench_hmac_md5(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_MD5, WC_MD5_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-MD5");
+}
+
+#endif /* NO_MD5 */
+
+#ifndef NO_SHA
+
+void bench_hmac_sha(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_SHA, WC_SHA_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-SHA");
+}
+
+#endif /* NO_SHA */
+
+#ifdef WOLFSSL_SHA224
+
+void bench_hmac_sha224(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_SHA224, WC_SHA224_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-SHA224");
+}
+
+#endif /* WOLFSSL_SHA224 */
+
+#ifndef NO_SHA256
+
+void bench_hmac_sha256(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_SHA256, WC_SHA256_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-SHA256");
+}
+
+#endif /* NO_SHA256 */
+
+#ifdef WOLFSSL_SHA384
+
+void bench_hmac_sha384(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_SHA384, WC_SHA384_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-SHA384");
+}
+
+#endif /* WOLFSSL_SHA384 */
+
+#ifdef WOLFSSL_SHA512
+
+void bench_hmac_sha512(int doAsync)
+{
+    byte key[] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                   0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b };
+
+    bench_hmac(doAsync, WC_SHA512, WC_SHA512_DIGEST_SIZE, key, sizeof(key),
+               "HMAC-SHA512");
+}
+
+#endif /* WOLFSSL_SHA512 */
+
+#ifndef NO_PWDBASED
+void bench_pbkdf2(void)
+{
+    double start;
+    int    ret = 0, count = 0;
+    const char* passwd32 = "passwordpasswordpasswordpassword";
+    const byte salt32[] = { 0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06,
+                            0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06,
+                            0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06,
+                            0x78, 0x57, 0x8E, 0x5a, 0x5d, 0x63, 0xcb, 0x06 };
+    byte derived[32];
+
+    bench_stats_start(&count, &start);
+    do {
+        ret = wc_PBKDF2(derived, (const byte*)passwd32, (int)XSTRLEN(passwd32),
+            salt32, (int)sizeof(salt32), 1000, 32, WC_SHA256);
+        count++;
+    } while (bench_stats_sym_check(start));
+    bench_stats_sym_finish("PBKDF2", 32, count, 32, start, ret);
+}
+#endif /* !NO_PWDBASED */
+
+#endif /* NO_HMAC */
 
 #ifndef NO_RSA
 
+#if defined(WOLFSSL_KEY_GEN)
+static void bench_rsaKeyGen_helper(int doAsync, int keySz)
+{
+    RsaKey genKey[BENCH_MAX_PENDING];
+    double start;
+    int    ret = 0, i, count = 0, times, pending = 0;
+    const long rsa_e_val = WC_RSA_EXPONENT;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* clear for done cleanup */
+    XMEMSET(genKey, 0, sizeof(genKey));
+
+    bench_stats_start(&count, &start);
+    do {
+        /* while free pending slots in queue, submit ops */
+        for (times = 0; times < genTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times, genTimes, &pending)) {
+
+                    wc_FreeRsaKey(&genKey[i]);
+                    ret = wc_InitRsaKey_ex(&genKey[i], HEAP_HINT,
+                        doAsync ? devId : INVALID_DEVID);
+                    if (ret < 0) {
+                        goto exit;
+                    }
+
+                    ret = wc_MakeRsaKey(&genKey[i], keySz, rsa_e_val, &gRng);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times, &pending)) {
+                        goto exit;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("RSA", keySz, desc[2], doAsync, count, start, ret);
+
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_FreeRsaKey(&genKey[i]);
+    }
+}
+
+void bench_rsaKeyGen(int doAsync)
+{
+    int    k, keySz;
+#ifndef WOLFSSL_SP_MATH
+    const int  keySizes[2] = {1024, 2048};
+#else
+    const int  keySizes[1] = {2048};
+#endif
 
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+    for (k = 0; k < (int)(sizeof(keySizes)/sizeof(int)); k++) {
+        keySz = keySizes[k];
+        bench_rsaKeyGen_helper(doAsync, keySz);
+    }
+}
+
+
+void bench_rsaKeyGen_size(int doAsync, int keySz)
+{
+    bench_rsaKeyGen_helper(doAsync, keySz);
+}
+#endif /* WOLFSSL_KEY_GEN */
+
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072)
     #if defined(WOLFSSL_MDK_SHELL)
         static char *certRSAname = "certs/rsa2048.der";
         /* set by shell command */
@@ -1128,88 +4361,442 @@ void bench_blake2(void)
     #endif
 #endif
 
-void bench_rsa(void)
+#define RSA_BUF_SIZE 384  /* for up to 3072 bit */
+
+#if !defined(WOLFSSL_RSA_VERIFY_INLINE) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#elif defined(WOLFSSL_PUBLIC_MP) || !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    #if defined(USE_CERT_BUFFERS_2048)
+static unsigned char rsa_2048_sig[] = {
+    0x8c, 0x9e, 0x37, 0xbf, 0xc3, 0xa6, 0xba, 0x1c,
+    0x53, 0x22, 0x40, 0x4b, 0x8b, 0x0d, 0x3c, 0x0e,
+    0x2e, 0x8c, 0x31, 0x2c, 0x47, 0xbf, 0x03, 0x48,
+    0x18, 0x46, 0x73, 0x8d, 0xd7, 0xdd, 0x17, 0x64,
+    0x0d, 0x7f, 0xdc, 0x74, 0xed, 0x80, 0xc3, 0xe8,
+    0x9a, 0x18, 0x33, 0xd4, 0xe6, 0xc5, 0xe1, 0x54,
+    0x75, 0xd1, 0xbb, 0x40, 0xde, 0xa8, 0xb9, 0x1b,
+    0x14, 0xe8, 0xc1, 0x39, 0xeb, 0xa0, 0x69, 0x8a,
+    0xc6, 0x9b, 0xef, 0x53, 0xb5, 0x23, 0x2b, 0x78,
+    0x06, 0x43, 0x37, 0x11, 0x81, 0x84, 0x73, 0x33,
+    0x33, 0xfe, 0xf7, 0x5d, 0x2b, 0x84, 0xd6, 0x83,
+    0xd6, 0xdd, 0x55, 0x33, 0xef, 0xd1, 0xf7, 0x12,
+    0xb0, 0xc2, 0x0e, 0xb1, 0x78, 0xd4, 0xa8, 0xa3,
+    0x25, 0xeb, 0xed, 0x9a, 0xb3, 0xee, 0xc3, 0x7e,
+    0xce, 0x13, 0x18, 0x86, 0x31, 0xe1, 0xef, 0x01,
+    0x0f, 0x6e, 0x67, 0x24, 0x74, 0xbd, 0x0b, 0x7f,
+    0xa9, 0xca, 0x6f, 0xaa, 0x83, 0x28, 0x90, 0x40,
+    0xf1, 0xb5, 0x10, 0x0e, 0x26, 0x03, 0x05, 0x5d,
+    0x87, 0xb4, 0xe0, 0x4c, 0x98, 0xd8, 0xc6, 0x42,
+    0x89, 0x77, 0xeb, 0xb6, 0xd4, 0xe6, 0x26, 0xf3,
+    0x31, 0x25, 0xde, 0x28, 0x38, 0x58, 0xe8, 0x2c,
+    0xf4, 0x56, 0x7c, 0xb6, 0xfd, 0x99, 0xb0, 0xb0,
+    0xf4, 0x83, 0xb6, 0x74, 0xa9, 0x5b, 0x9f, 0xe8,
+    0xe9, 0xf1, 0xa1, 0x2a, 0xbd, 0xf6, 0x83, 0x28,
+    0x09, 0xda, 0xa6, 0xd6, 0xcd, 0x61, 0x60, 0xf7,
+    0x13, 0x4e, 0x46, 0x57, 0x38, 0x1e, 0x11, 0x92,
+    0x6b, 0x6b, 0xcf, 0xd3, 0xf4, 0x8b, 0x66, 0x03,
+    0x25, 0xa3, 0x7a, 0x2f, 0xce, 0xc1, 0x85, 0xa5,
+    0x48, 0x91, 0x8a, 0xb3, 0x4f, 0x5d, 0x98, 0xb1,
+    0x69, 0x58, 0x47, 0x69, 0x0c, 0x52, 0xdc, 0x42,
+    0x4c, 0xef, 0xe8, 0xd4, 0x4d, 0x6a, 0x33, 0x7d,
+    0x9e, 0xd2, 0x51, 0xe6, 0x41, 0xbf, 0x4f, 0xa2
+};
+    #elif defined(USE_CERT_BUFFERS_3072)
+static unsigned char rsa_3072_sig[] = {
+    0x1a, 0xd6, 0x0d, 0xfd, 0xe3, 0x41, 0x95, 0x76,
+    0x27, 0x16, 0x7d, 0xc7, 0x94, 0x16, 0xca, 0xa8,
+    0x26, 0x08, 0xbe, 0x78, 0x87, 0x72, 0x4c, 0xd9,
+    0xa7, 0xfc, 0x33, 0x77, 0x2d, 0x53, 0x07, 0xb5,
+    0x8c, 0xce, 0x48, 0x17, 0x9b, 0xff, 0x9f, 0x9b,
+    0x17, 0xc4, 0xbb, 0x72, 0xed, 0xdb, 0xa0, 0x34,
+    0x69, 0x5b, 0xc7, 0x4e, 0xbf, 0xec, 0x13, 0xc5,
+    0x98, 0x71, 0x9a, 0x4e, 0x18, 0x0e, 0xcb, 0xe7,
+    0xc6, 0xd5, 0x21, 0x31, 0x7c, 0x0d, 0xae, 0x14,
+    0x2b, 0x87, 0x4f, 0x77, 0x95, 0x2e, 0x26, 0xe2,
+    0x83, 0xfe, 0x49, 0x1e, 0x87, 0x19, 0x4a, 0x63,
+    0x73, 0x75, 0xf1, 0xf5, 0x71, 0xd2, 0xce, 0xd4,
+    0x39, 0x2b, 0xd9, 0xe0, 0x76, 0x70, 0xc8, 0xf8,
+    0xed, 0xdf, 0x90, 0x57, 0x17, 0xb9, 0x16, 0xf6,
+    0xe9, 0x49, 0x48, 0xce, 0x5a, 0x8b, 0xe4, 0x84,
+    0x7c, 0xf3, 0x31, 0x68, 0x97, 0x45, 0x68, 0x38,
+    0x50, 0x3a, 0x70, 0xbd, 0xb3, 0xd3, 0xd2, 0xe0,
+    0x56, 0x5b, 0xc2, 0x0c, 0x2c, 0x10, 0x70, 0x7b,
+    0xd4, 0x99, 0xf9, 0x38, 0x31, 0xb1, 0x86, 0xa0,
+    0x07, 0xf1, 0xf6, 0x53, 0xb0, 0x44, 0x82, 0x40,
+    0xd2, 0xab, 0x0e, 0x71, 0x5d, 0xe1, 0xea, 0x3a,
+    0x77, 0xc9, 0xef, 0xfe, 0x54, 0x65, 0xa3, 0x49,
+    0xfd, 0xa5, 0x33, 0xaa, 0x16, 0x1a, 0x38, 0xe7,
+    0xaa, 0xb7, 0x13, 0xb2, 0x3b, 0xc7, 0x00, 0x87,
+    0x12, 0xfe, 0xfd, 0xf4, 0x55, 0x6d, 0x1d, 0x4a,
+    0x0e, 0xad, 0xd0, 0x4c, 0x55, 0x91, 0x60, 0xd9,
+    0xef, 0x74, 0x69, 0x22, 0x8c, 0x51, 0x65, 0xc2,
+    0x04, 0xac, 0xd3, 0x8d, 0xf7, 0x35, 0x29, 0x13,
+    0x6d, 0x61, 0x7c, 0x39, 0x2f, 0x41, 0x4c, 0xdf,
+    0x38, 0xfd, 0x1a, 0x7d, 0x42, 0xa7, 0x6f, 0x3f,
+    0x3d, 0x9b, 0xd1, 0x97, 0xab, 0xc0, 0xa7, 0x28,
+    0x1c, 0xc0, 0x02, 0x26, 0xeb, 0xce, 0xf9, 0xe1,
+    0x34, 0x45, 0xaf, 0xbf, 0x8d, 0xb8, 0xe0, 0xff,
+    0xd9, 0x6f, 0x77, 0xf3, 0xf7, 0xed, 0x6a, 0xbb,
+    0x03, 0x52, 0xfb, 0x38, 0xfc, 0xea, 0x9f, 0xc9,
+    0x98, 0xed, 0x21, 0x45, 0xaf, 0x43, 0x2b, 0x64,
+    0x96, 0x82, 0x30, 0xe9, 0xb4, 0x36, 0x89, 0x77,
+    0x07, 0x4a, 0xc6, 0x1f, 0x38, 0x7a, 0xee, 0xb6,
+    0x86, 0xf6, 0x2f, 0x03, 0xec, 0xa2, 0xe5, 0x48,
+    0xe5, 0x5a, 0xf5, 0x1c, 0xd2, 0xd9, 0xd8, 0x2d,
+    0x9d, 0x06, 0x07, 0xc9, 0x8b, 0x5d, 0xe0, 0x0f,
+    0x5e, 0x0c, 0x53, 0x27, 0xff, 0x23, 0xee, 0xca,
+    0x5e, 0x4d, 0xf1, 0x95, 0x77, 0x78, 0x1f, 0xf2,
+    0x44, 0x5b, 0x7d, 0x01, 0x49, 0x61, 0x6f, 0x6d,
+    0xbf, 0xf5, 0x19, 0x06, 0x39, 0xe9, 0xe9, 0x29,
+    0xde, 0x47, 0x5e, 0x2e, 0x1f, 0x68, 0xf4, 0x32,
+    0x5e, 0xe9, 0xd0, 0xa7, 0xb4, 0x2a, 0x45, 0xdf,
+    0x15, 0x7d, 0x0d, 0x5b, 0xef, 0xc6, 0x23, 0xac
+};
+    #else
+        #error Not Supported Yet!
+    #endif
+#endif
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_PUBLIC_MP)
+static void bench_rsa_helper(int doAsync, RsaKey rsaKey[BENCH_MAX_PENDING],
+        int rsaKeySz)
 {
-    int    i;
-    int    ret;
-    size_t bytes;
-    word32 idx = 0;
-    const byte* tmp;
+    int         ret = 0, i, times, count = 0, pending = 0;
+    word32      idx = 0;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    const char* messageStr = "Everyone gets Friday off.";
+    const int   len = (int)XSTRLEN((char*)messageStr);
+#endif
+    double      start = 0.0f;
+    const char**desc = bench_desc_words[lng_index];
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    DECLARE_VAR_INIT(message, byte, len, messageStr, HEAP_HINT);
+#endif
+    #if !defined(WOLFSSL_MDK5_COMPLv5)
+    /* MDK5 compiler regard this as a executable statement, and does not allow declarations after the line. */
+    DECLARE_ARRAY_DYNAMIC_DEC(enc, byte, BENCH_MAX_PENDING, rsaKeySz, HEAP_HINT);
+    #else
+        byte* enc[BENCH_MAX_PENDING];
+    #endif
+    #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
+                    !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+        #if !defined(WOLFSSL_MDK5_COMPLv5)
+          /* MDK5 compiler regard this as a executable statement, and does not allow declarations after the line. */
+            DECLARE_ARRAY_DYNAMIC_DEC(out, byte, BENCH_MAX_PENDING, rsaKeySz, HEAP_HINT);
+            #else
+                int idxout;
+              byte* out[BENCH_MAX_PENDING];
+        #endif
+    #else
+        byte* out[BENCH_MAX_PENDING];
+    #endif
 
-    byte      message[] = "Everyone gets Friday off.";
-    byte      enc[256];  /* for up to 2048 bit */
-    const int len = (int)strlen((char*)message);
-    double    start, total, each, milliEach;
+    DECLARE_ARRAY_DYNAMIC_EXE(enc, byte, BENCH_MAX_PENDING, rsaKeySz, HEAP_HINT);
+    #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
+                    !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+        DECLARE_ARRAY_DYNAMIC_EXE(out, byte, BENCH_MAX_PENDING, rsaKeySz, HEAP_HINT);
+    #endif
 
-    RsaKey rsaKey;
-    int    rsaKeySz = 2048; /* used in printf */
+    if (!rsa_sign_verify) {
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+        /* begin public RSA */
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < ntimes || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                 1, &times, ntimes, &pending)) {
+                        ret = wc_RsaPublicEncrypt(message, (word32)len, enc[i],
+                                                  rsaKeySz/8, &rsaKey[i],
+                                                  &gRng);
+                        if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(
+                                            &rsaKey[i]), 1, &times, &pending)) {
+                            goto exit_rsa_pub;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+exit_rsa_pub:
+        bench_stats_asym_finish("RSA", rsaKeySz, desc[0], doAsync, count,
+                                                                    start, ret);
+#endif
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        if (ret < 0) {
+            goto exit;
+        }
+
+        /* capture resulting encrypt length */
+        idx = (word32)(rsaKeySz/8);
+
+        /* begin private async RSA */
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < ntimes || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                 1, &times, ntimes, &pending)) {
+                        ret = wc_RsaPrivateDecrypt(enc[i], idx, out[i],
+                                                       rsaKeySz/8, &rsaKey[i]);
+                        if (!bench_async_handle(&ret,
+                                                BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                1, &times, &pending)) {
+                            goto exit;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+exit:
+        bench_stats_asym_finish("RSA", rsaKeySz, desc[1], doAsync, count,
+                                                                    start, ret);
+#endif
+    }
+    else {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        /* begin RSA sign */
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < ntimes || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                 1, &times, ntimes, &pending)) {
+                        ret = wc_RsaSSL_Sign(message, len, enc[i],
+                                                rsaKeySz/8, &rsaKey[i], &gRng);
+                        if (!bench_async_handle(&ret,
+                                                BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                1, &times, &pending)) {
+                            goto exit_rsa_sign;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+exit_rsa_sign:
+        bench_stats_asym_finish("RSA", rsaKeySz, desc[4], doAsync, count, start,
+                                                                           ret);
+
+        if (ret < 0) {
+            goto exit;
+        }
+#endif
+
+        /* capture resulting encrypt length */
+        idx = rsaKeySz/8;
+
+        /* begin RSA verify */
+        bench_stats_start(&count, &start);
+        do {
+            for (times = 0; times < ntimes || pending > 0; ) {
+                bench_async_poll(&pending);
+
+                /* while free pending slots in queue, submit ops */
+                for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                    if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                 1, &times, ntimes, &pending)) {
+                    #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
+                        !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+                        ret = wc_RsaSSL_Verify(enc[i], idx, out[i],
+                                                      rsaKeySz/8, &rsaKey[i]);
+                    #elif defined(USE_CERT_BUFFERS_2048)
+                        XMEMCPY(enc[i], rsa_2048_sig, sizeof(rsa_2048_sig));
+                        idx = sizeof(rsa_2048_sig);
+                        out[i] = NULL;
+                        ret = wc_RsaSSL_VerifyInline(enc[i], idx, &out[i],
+                                                                    &rsaKey[i]);
+                        if (ret > 0)
+                            ret = 0;
+                    #elif defined(USE_CERT_BUFFERS_3072)
+                        XMEMCPY(enc[i], rsa_3072_sig, sizeof(rsa_3072_sig));
+                        idx = sizeof(rsa_3072_sig);
+                        out[i] = NULL;
+                        ret = wc_RsaSSL_VerifyInline(enc[i], idx, &out[i],
+                                                                    &rsaKey[i]);
+                        if (ret > 0)
+                            ret = 0;
+                    #endif
+                        if (!bench_async_handle(&ret,
+                                                BENCH_ASYNC_GET_DEV(&rsaKey[i]),
+                                                1, &times, &pending)) {
+                            goto exit_rsa_verify;
+                        }
+                    }
+                } /* for i */
+            } /* for times */
+            count += times;
+        } while (bench_stats_sym_check(start));
+exit_rsa_verify:
+        bench_stats_asym_finish("RSA", rsaKeySz, desc[5], doAsync, count,
+                                                                    start, ret);
+    }
+
+    FREE_ARRAY_DYNAMIC(enc, BENCH_MAX_PENDING, HEAP_HINT);
+#if !defined(WOLFSSL_RSA_VERIFY_INLINE) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    FREE_ARRAY_DYNAMIC(out, BENCH_MAX_PENDING, HEAP_HINT);
+#endif
+    FREE_VAR(message, HEAP_HINT);
+}
+#endif
+
+void bench_rsa(int doAsync)
+{
+    int         ret = 0, i;
+    RsaKey      rsaKey[BENCH_MAX_PENDING];
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_PUBLIC_MP)
+    int         rsaKeySz; /* used in printf */
+    size_t      bytes;
+    const byte* tmp;
+    word32      idx;
 
 #ifdef USE_CERT_BUFFERS_1024
     tmp = rsa_key_der_1024;
-    bytes = sizeof_rsa_key_der_1024;
+    bytes = (size_t)sizeof_rsa_key_der_1024;
     rsaKeySz = 1024;
 #elif defined(USE_CERT_BUFFERS_2048)
     tmp = rsa_key_der_2048;
-    bytes = sizeof_rsa_key_der_2048;
+    bytes = (size_t)sizeof_rsa_key_der_2048;
+    rsaKeySz = 2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    tmp = rsa_key_der_3072;
+    bytes = (size_t)sizeof_rsa_key_der_3072;
+    rsaKeySz = 3072;
 #else
     #error "need a cert buffer size"
 #endif /* USE_CERT_BUFFERS */
-
-
-#ifdef HAVE_CAVIUM
-    if (wc_RsaInitCavium(&rsaKey, CAVIUM_DEV_ID) != 0)
-        printf("RSA init cavium failed\n");
 #endif
-    ret = wc_InitRsaKey(&rsaKey, 0);
-    if (ret < 0) {
-        printf("InitRsaKey failed\n");
-        return;
-    }
-    ret = wc_RsaPrivateKeyDecode(tmp, &idx, &rsaKey, (word32)bytes);
 
-    start = current_time(1);
+    /* clear for done cleanup */
+    XMEMSET(rsaKey, 0, sizeof(rsaKey));
 
-    for (i = 0; i < ntimes; i++)
-        ret = wc_RsaPublicEncrypt(message,len,enc,sizeof(enc), &rsaKey, &rng);
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        /* setup an async context for each key */
+        if ((ret = wc_InitRsaKey_ex(&rsaKey[i], HEAP_HINT,
+                                        doAsync ? devId : INVALID_DEVID)) < 0) {
+            goto exit_bench_rsa;
+        }
 
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    #ifdef WC_RSA_BLINDING
+        ret = wc_RsaSetRNG(&rsaKey[i], &gRng);
+        if (ret != 0)
+            goto exit_bench_rsa;
+    #endif
+#endif
 
-    printf("RSA %d encryption took %6.3f milliseconds, avg over %d"
-           " iterations\n", rsaKeySz, milliEach, ntimes);
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        /* decode the private key */
+        idx = 0;
+        if ((ret = wc_RsaPrivateKeyDecode(tmp, &idx, &rsaKey[i],
+                                                        (word32)bytes)) != 0) {
+            printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
+            goto exit_bench_rsa;
+        }
+#elif defined(WOLFSSL_PUBLIC_MP)
+    #ifdef USE_CERT_BUFFERS_2048
+        ret = mp_read_unsigned_bin(&rsaKey[i].n, &tmp[12], 256);
+        if (ret != 0) {
+            printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
+            goto exit_bench_rsa;
+        }
+        ret = mp_set_int(&rsaKey[i].e, WC_RSA_EXPONENT);
+        if (ret != 0) {
+            printf("wc_RsaPrivateKeyDecode failed! %d\n", ret);
+            goto exit_bench_rsa;
+        }
+    #else
+        #error Not supported yet!
+    #endif
+        (void)idx;
+        (void)bytes;
+#endif
 
-    if (ret < 0) {
-        printf("Rsa Public Encrypt failed\n");
-        return;
     }
 
-    start = current_time(1);
-
-    for (i = 0; i < ntimes; i++) {
-         byte  out[256];  /* for up to 2048 bit */
-         wc_RsaPrivateDecrypt(enc, (word32)ret, out, sizeof(out), &rsaKey);
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_PUBLIC_MP)
+    bench_rsa_helper(doAsync, rsaKey, rsaKeySz);
+#endif
+exit_bench_rsa:
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_FreeRsaKey(&rsaKey[i]);
     }
+}
 
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
-
-    printf("RSA %d decryption took %6.3f milliseconds, avg over %d"
-           " iterations\n", rsaKeySz, milliEach, ntimes);
 
-    wc_FreeRsaKey(&rsaKey);
-#ifdef HAVE_CAVIUM
-    wc_RsaFreeCavium(&rsaKey);
-#endif
+#ifdef WOLFSSL_KEY_GEN
+/* bench any size of RSA key */
+void bench_rsa_key(int doAsync, int rsaKeySz)
+{
+    int     ret = 0, i, pending = 0;
+    RsaKey  rsaKey[BENCH_MAX_PENDING];
+    int     isPending[BENCH_MAX_PENDING];
+    long    exp = 65537l;
+
+    /* clear for done cleanup */
+    XMEMSET(rsaKey, 0, sizeof(rsaKey));
+    XMEMSET(isPending, 0, sizeof(isPending));
+
+    /* init keys */
+    do {
+        pending = 0;
+        for (i = 0; i < BENCH_MAX_PENDING; i++) {
+            if (!isPending[i]) { /* if making the key is pending then just call
+                                  * wc_MakeRsaKey again */
+                /* setup an async context for each key */
+                if ((ret = wc_InitRsaKey_ex(&rsaKey[i], HEAP_HINT,
+                                    doAsync ? devId : INVALID_DEVID)) < 0) {
+                    goto exit_bench_rsa_key;
+                }
+
+            #ifdef WC_RSA_BLINDING
+                ret = wc_RsaSetRNG(&rsaKey[i], &gRng);
+                if (ret != 0)
+                    goto exit_bench_rsa_key;
+            #endif
+            }
+
+            /* create the RSA key */
+            ret = wc_MakeRsaKey(&rsaKey[i], rsaKeySz, exp, &gRng);
+            if (ret == WC_PENDING_E) {
+                isPending[i] = 1;
+                pending      = 1;
+            }
+            else if (ret != 0) {
+                printf("wc_MakeRsaKey failed! %d\n", ret);
+                goto exit_bench_rsa_key;
+            }
+        } /* for i */
+    } while (pending > 0);
+
+    bench_rsa_helper(doAsync, rsaKey, rsaKeySz);
+exit_bench_rsa_key:
+
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_FreeRsaKey(&rsaKey[i]);
+    }
 }
-#endif
+#endif /* WOLFSSL_KEY_GEN */
+#endif /* !NO_RSA */
 
 
 #ifndef NO_DH
 
-
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072)
     #if defined(WOLFSSL_MDK_SHELL)
         static char *certDHname = "certs/dh2048.der";
         /* set by shell command */
@@ -1223,134 +4810,186 @@ void bench_rsa(void)
     #endif
 #endif
 
-void bench_dh(void)
-{
-    int    i ;
-    size_t bytes;
-    word32 idx = 0, pubSz, privSz = 0, pubSz2, privSz2, agreeSz;
-    const byte* tmp;
+#define BENCH_DH_KEY_SIZE  384 /* for 3072 bit */
+#define BENCH_DH_PRIV_SIZE (BENCH_DH_KEY_SIZE/8)
 
-    byte   pub[256];    /* for 2048 bit */
-    byte   pub2[256];   /* for 2048 bit */
-    byte   agree[256];  /* for 2048 bit */
-    byte   priv[32];    /* for 2048 bit */
-    byte   priv2[32];   /* for 2048 bit */
+void bench_dh(int doAsync)
+{
+    int    ret = 0, i;
+    int    count = 0, times, pending = 0;
+    const byte* tmp = NULL;
+    double start = 0.0f;
+    DhKey  dhKey[BENCH_MAX_PENDING];
+    int    dhKeySz = BENCH_DH_KEY_SIZE * 8; /* used in printf */
+    const char**desc = bench_desc_words[lng_index];
+#ifndef NO_ASN
+    size_t bytes = 0;
+    word32 idx;
+#endif
+    word32 pubSz[BENCH_MAX_PENDING];
+    word32 privSz[BENCH_MAX_PENDING];
+    word32 pubSz2;
+    word32 privSz2;
+    word32 agreeSz[BENCH_MAX_PENDING];
+#ifdef HAVE_FFDHE_2048
+    const DhParams *params = NULL;
+#endif
 
-    double start, total, each, milliEach;
-    DhKey  dhKey;
-    int    dhKeySz = 2048; /* used in printf */
+    DECLARE_ARRAY(pub, byte, BENCH_MAX_PENDING, BENCH_DH_KEY_SIZE, HEAP_HINT);
+    DECLARE_VAR(pub2, byte, BENCH_DH_KEY_SIZE, HEAP_HINT);
+    DECLARE_ARRAY(agree, byte, BENCH_MAX_PENDING, BENCH_DH_KEY_SIZE, HEAP_HINT);
+    DECLARE_ARRAY(priv, byte, BENCH_MAX_PENDING, BENCH_DH_PRIV_SIZE, HEAP_HINT);
+    DECLARE_VAR(priv2, byte, BENCH_DH_PRIV_SIZE, HEAP_HINT);
 
-    (void)idx;
     (void)tmp;
 
-
-#ifdef USE_CERT_BUFFERS_1024
-    tmp = dh_key_der_1024;
-    bytes = sizeof_dh_key_der_1024;
-    dhKeySz = 1024;
+    if (!use_ffdhe) {
+#if defined(NO_ASN)
+        dhKeySz = 1024;
+        /* do nothing, but don't use default FILE */
+#elif defined(USE_CERT_BUFFERS_1024)
+        tmp = dh_key_der_1024;
+        bytes = (size_t)sizeof_dh_key_der_1024;
+        dhKeySz = 1024;
 #elif defined(USE_CERT_BUFFERS_2048)
-    tmp = dh_key_der_2048;
-    bytes = sizeof_dh_key_der_2048;
-#elif defined(NO_ASN)
-    dhKeySz = 1024;
-    /* do nothing, but don't use default FILE */
+        tmp = dh_key_der_2048;
+        bytes = (size_t)sizeof_dh_key_der_2048;
+        dhKeySz = 2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+        tmp = dh_key_der_3072;
+        bytes = (size_t)sizeof_dh_key_der_3072;
+        dhKeySz = 3072;
 #else
     #error "need to define a cert buffer size"
 #endif /* USE_CERT_BUFFERS */
-
-		
-    wc_InitDhKey(&dhKey);
-#ifdef NO_ASN
-    bytes = wc_DhSetKey(&dhKey, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
-#else
-    bytes = wc_DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes);
+    }
+#ifdef HAVE_FFDHE_2048
+    else if (use_ffdhe == 2048) {
+        params = wc_Dh_ffdhe2048_Get();
+        dhKeySz = 2048;
+    }
 #endif
-    if (bytes != 0) {
-        printf("dhekydecode failed, can't benchmark\n");
-        return;
+#ifdef HAVE_FFDHE_3072
+    else if (use_ffdhe == 3072) {
+        params = wc_Dh_ffdhe3072_Get();
+        dhKeySz = 3072;
     }
-
-    start = current_time(1);
-
-    for (i = 0; i < ntimes; i++)
-        wc_DhGenerateKeyPair(&dhKey, &rng, priv, &privSz, pub, &pubSz);
-
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
-
-    printf("DH  %d key generation  %6.3f milliseconds, avg over %d"
-           " iterations\n", dhKeySz, milliEach, ntimes);
-
-    wc_DhGenerateKeyPair(&dhKey, &rng, priv2, &privSz2, pub2, &pubSz2);
-    start = current_time(1);
-
-    for (i = 0; i < ntimes; i++)
-        wc_DhAgree(&dhKey, agree, &agreeSz, priv, privSz, pub2, pubSz2);
-
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
-
-    printf("DH  %d key agreement   %6.3f milliseconds, avg over %d"
-           " iterations\n", dhKeySz, milliEach, ntimes);
-
-    wc_FreeDhKey(&dhKey);
-}
 #endif
 
-#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
-void bench_rsaKeyGen(void)
-{
-    RsaKey genKey;
-    double start, total, each, milliEach;
-    int    i;
-  
-    /* 1024 bit */ 
-    start = current_time(1);
-
-    for(i = 0; i < genTimes; i++) {
-        wc_InitRsaKey(&genKey, 0); 
-        wc_MakeRsaKey(&genKey, 1024, 65537, &rng);
-        wc_FreeRsaKey(&genKey);
+    /* clear for done cleanup */
+    XMEMSET(dhKey, 0, sizeof(dhKey));
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        /* setup an async context for each key */
+        ret = wc_InitDhKey_ex(&dhKey[i], HEAP_HINT,
+                        doAsync ? devId : INVALID_DEVID);
+        if (ret != 0)
+            goto exit;
+
+        /* setup key */
+        if (!use_ffdhe) {
+    #ifdef NO_ASN
+            ret = wc_DhSetKey(&dhKey[i], dh_p, sizeof(dh_p), dh_g,
+                                                                  sizeof(dh_g));
+    #else
+            idx = 0;
+            ret = wc_DhKeyDecode(tmp, &idx, &dhKey[i], (word32)bytes);
+    #endif
+        }
+    #if defined(HAVE_FFDHE_2048) || defined(HAVE_FFDHE_3072)
+        else if (params != NULL) {
+            ret = wc_DhSetKey(&dhKey[i], params->p, params->p_len, params->g,
+                                                                 params->g_len);
+        }
+    #endif
+        if (ret != 0) {
+            printf("DhKeyDecode failed %d, can't benchmark\n", ret);
+            goto exit;
+        }
     }
 
-    total = current_time(0) - start;
-    each  = total / genTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("\n");
-    printf("RSA 1024 key generation  %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, genTimes);
+    /* Key Gen */
+    bench_stats_start(&count, &start);
+    do {
+        /* while free pending slots in queue, submit ops */
+        for (times = 0; times < genTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]), 0, &times, genTimes, &pending)) {
+                    privSz[i] = 0;
+                    ret = wc_DhGenerateKeyPair(&dhKey[i], &gRng, priv[i], &privSz[i],
+                        pub[i], &pubSz[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]), 0, &times, &pending)) {
+                        goto exit_dh_gen;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_dh_gen:
+    bench_stats_asym_finish("DH", dhKeySz, desc[2], doAsync, count, start, ret);
+
+    if (ret < 0) {
+        goto exit;
+    }
 
-    /* 2048 bit */
-    start = current_time(1);
+    /* Generate key to use as other public */
+    ret = wc_DhGenerateKeyPair(&dhKey[0], &gRng, priv2, &privSz2, pub2, &pubSz2);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wc_AsyncWait(ret, &dhKey[0].asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
 
-    for(i = 0; i < genTimes; i++) {
-        wc_InitRsaKey(&genKey, 0); 
-        wc_MakeRsaKey(&genKey, 2048, 65537, &rng);
-        wc_FreeRsaKey(&genKey);
+    /* Key Agree */
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < agreeTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]), 0, &times, agreeTimes, &pending)) {
+                    ret = wc_DhAgree(&dhKey[i], agree[i], &agreeSz[i], priv[i], privSz[i],
+                        pub2, pubSz2);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&dhKey[i]), 0, &times, &pending)) {
+                        goto exit;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("DH", dhKeySz, desc[3], doAsync, count, start, ret);
+
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_FreeDhKey(&dhKey[i]);
     }
 
-    total = current_time(0) - start;
-    each  = total / genTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("RSA 2048 key generation  %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, genTimes);
+    FREE_ARRAY(pub, BENCH_MAX_PENDING, HEAP_HINT);
+    FREE_VAR(pub2, HEAP_HINT);
+    FREE_ARRAY(priv, BENCH_MAX_PENDING, HEAP_HINT);
+    FREE_VAR(priv2, HEAP_HINT);
+    FREE_ARRAY(agree, BENCH_MAX_PENDING, HEAP_HINT);
 }
-#endif /* WOLFSSL_KEY_GEN */
+#endif /* !NO_DH */
+
 #ifdef HAVE_NTRU
 byte GetEntropy(ENTROPY_CMD cmd, byte* out);
 
 byte GetEntropy(ENTROPY_CMD cmd, byte* out)
 {
     if (cmd == INIT)
-        return (wc_InitRng(&rng) == 0) ? 1 : 0;
+        return 1; /* using local rng */
 
     if (out == NULL)
         return 0;
 
     if (cmd == GET_BYTE_OF_ENTROPY)
-        return (wc_RNG_GenerateBlock(&rng, out, 1) == 0) ? 1 : 0;
+        return (wc_RNG_GenerateBlock(&gRng, out, 1) == 0) ? 1 : 0;
 
     if (cmd == GET_NUM_BYTES_PER_BYTE_OF_ENTROPY) {
         *out = 1;
@@ -1363,17 +5002,21 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out)
 void bench_ntru(void)
 {
     int    i;
-    double start, total, each, milliEach;
+    double start;
 
-    byte   public_key[557];
+    byte   public_key[1027];
     word16 public_key_len = sizeof(public_key);
-    byte   private_key[607];
+    byte   private_key[1120];
     word16 private_key_len = sizeof(private_key);
+    word16 ntruBits = 128;
+    word16 type     = 0;
+    word32 ret;
 
-    byte ciphertext[552];
+    byte ciphertext[1022];
     word16 ciphertext_len;
     byte plaintext[16];
     word16 plaintext_len;
+    const char**desc = bench_desc_words[lng_index];
 
     DRBG_HANDLE drbg;
     static byte const aes_key[] = {
@@ -1381,425 +5024,799 @@ void bench_ntru(void)
         0x7b, 0x12, 0x49, 0x88, 0xaf, 0xb3, 0x22, 0xd8
     };
 
-    static byte const cyasslStr[] = {
-        'C', 'y', 'a', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U'
+    static byte const wolfsslStr[] = {
+        'w', 'o', 'l', 'f', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U'
     };
 
-    word32 rc = ntru_crypto_drbg_instantiate(112, cyasslStr, sizeof(cyasslStr),
-                                            (ENTROPY_FN) GetEntropy, &drbg);
-    if(rc != DRBG_OK) {
-        printf("NTRU drbg instantiate failed\n");
-        return;
-    }
+    for (ntruBits = 128; ntruBits < 257; ntruBits += 64) {
+        switch (ntruBits) {
+            case 128:
+                type = NTRU_EES439EP1;
+                break;
+            case 192:
+                type = NTRU_EES593EP1;
+                break;
+            case 256:
+                type = NTRU_EES743EP1;
+                break;
+        }
 
-    rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, 
-        &public_key_len, NULL, &private_key_len, NULL);
-    if (rc != NTRU_OK) {
-        ntru_crypto_drbg_uninstantiate(drbg);
-        printf("NTRU failed to get key lengths\n");
-        return;
-    }
+        ret = ntru_crypto_drbg_instantiate(ntruBits, wolfsslStr,
+                sizeof(wolfsslStr), (ENTROPY_FN) GetEntropy, &drbg);
+        if(ret != DRBG_OK) {
+            printf("NTRU drbg instantiate failed\n");
+            return;
+        }
 
-    rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, &public_key_len,
-                                     public_key, &private_key_len, 
-                                     private_key);
+        /* set key sizes */
+        ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len,
+                                                  NULL, &private_key_len, NULL);
+        if (ret != NTRU_OK) {
+            ntru_crypto_drbg_uninstantiate(drbg);
+            printf("NTRU failed to get key lengths\n");
+            return;
+        }
 
-    ntru_crypto_drbg_uninstantiate(drbg);
+        ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len,
+                                     public_key, &private_key_len,
+                                     private_key);
 
-    if (rc != NTRU_OK) {
         ntru_crypto_drbg_uninstantiate(drbg);
-        printf("NTRU keygen failed\n");
-        return;
-    }
-
-    rc = ntru_crypto_drbg_instantiate(112, NULL, 0, (ENTROPY_FN)GetEntropy,
-                                      &drbg);
-    if (rc != DRBG_OK) {
-        printf("NTRU error occurred during DRBG instantiation\n");
-        return;
-    }
-
-    rc = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key, sizeof(
-        aes_key), aes_key, &ciphertext_len, NULL);
-
-    if (rc != NTRU_OK) {
-        printf("NTRU error occurred requesting the buffer size needed\n");
-        return;
-    }
-    start = current_time(1);
 
-    for (i = 0; i < ntimes; i++) {
-
-        rc = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key, sizeof(
-            aes_key), aes_key, &ciphertext_len, ciphertext);
+        if (ret != NTRU_OK) {
+            printf("NTRU keygen failed\n");
+            return;
+        }
 
-        if (rc != NTRU_OK) {
-            printf("NTRU encrypt error\n");
+        ret = ntru_crypto_drbg_instantiate(ntruBits, NULL, 0,
+                (ENTROPY_FN)GetEntropy, &drbg);
+        if (ret != DRBG_OK) {
+            printf("NTRU error occurred during DRBG instantiation\n");
             return;
         }
 
-    }
-    rc = ntru_crypto_drbg_uninstantiate(drbg);
+        ret = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key,
+                sizeof(aes_key), aes_key, &ciphertext_len, NULL);
 
-    if (rc != DRBG_OK) {
-        printf("NTRU error occurred uninstantiating the DRBG\n");
-        return;
-    }
-
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
+        if (ret != NTRU_OK) {
+            printf("NTRU error occurred requesting the buffer size needed\n");
+            return;
+        }
 
-    printf("NTRU 112 encryption took %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, ntimes);
+        bench_stats_start(&i, &start);
+        for (i = 0; i < ntimes; i++) {
+            ret = ntru_crypto_ntru_encrypt(drbg, public_key_len, public_key,
+                    sizeof(aes_key), aes_key, &ciphertext_len, ciphertext);
+            if (ret != NTRU_OK) {
+                printf("NTRU encrypt error\n");
+                return;
+            }
+        }
+        bench_stats_asym_finish("NTRU", ntruBits, desc[6], 0, i, start, ret);
 
+        ret = ntru_crypto_drbg_uninstantiate(drbg);
+        if (ret != DRBG_OK) {
+            printf("NTRU error occurred uninstantiating the DRBG\n");
+            return;
+        }
 
-    rc = ntru_crypto_ntru_decrypt(private_key_len, private_key, ciphertext_len,
-                                  ciphertext, &plaintext_len, NULL);
+        ret = ntru_crypto_ntru_decrypt(private_key_len, private_key,
+                ciphertext_len, ciphertext, &plaintext_len, NULL);
 
-    if (rc != NTRU_OK) {
-        printf("NTRU decrypt error occurred getting the buffer size needed\n");
-        return;
-    }
+        if (ret != NTRU_OK) {
+            printf("NTRU decrypt error occurred getting the buffer size needed\n");
+            return;
+        }
 
-    plaintext_len = sizeof(plaintext);
-    start = current_time(1);
+        plaintext_len = sizeof(plaintext);
 
-    for (i = 0; i < ntimes; i++) {
-        rc = ntru_crypto_ntru_decrypt(private_key_len, private_key,
+        bench_stats_start(&i, &start);
+        for (i = 0; i < ntimes; i++) {
+            ret = ntru_crypto_ntru_decrypt(private_key_len, private_key,
                                       ciphertext_len, ciphertext,
                                       &plaintext_len, plaintext);
 
-        if (rc != NTRU_OK) {
-            printf("NTRU error occurred decrypting the key\n");
-            return;
+            if (ret != NTRU_OK) {
+                printf("NTRU error occurred decrypting the key\n");
+                return;
+            }
         }
+        bench_stats_asym_finish("NTRU", ntruBits, desc[7], 0, i, start, ret);
     }
 
-    total = current_time(0) - start;
-    each  = total / ntimes;   /* per second   */
-    milliEach = each * 1000; /* milliseconds */
-
-    printf("NTRU 112 decryption took %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, ntimes);
 }
 
 void bench_ntruKeyGen(void)
 {
-    double start, total, each, milliEach;
+    double start;
     int    i;
 
-    byte   public_key[557]; /* 2048 key equivalent to rsa */
+    byte   public_key[1027];
     word16 public_key_len = sizeof(public_key);
-    byte   private_key[607];
+    byte   private_key[1120];
     word16 private_key_len = sizeof(private_key);
+    word16 ntruBits = 128;
+    word16 type     = 0;
+    word32 ret;
+    const char**desc = bench_desc_words[lng_index];
 
     DRBG_HANDLE drbg;
     static uint8_t const pers_str[] = {
-                'C', 'y', 'a', 'S', 'S', 'L', ' ', 't', 'e', 's', 't'
+                'w', 'o', 'l', 'f',  'S', 'S', 'L', ' ', 't', 'e', 's', 't'
     };
 
-    word32 rc = ntru_crypto_drbg_instantiate(112, pers_str, sizeof(pers_str),
-                                             GetEntropy, &drbg);
-    if(rc != DRBG_OK) {
-        printf("NTRU drbg instantiate failed\n");
-        return;
-    }
+    for (ntruBits = 128; ntruBits < 257; ntruBits += 64) {
+        ret = ntru_crypto_drbg_instantiate(ntruBits, pers_str,
+                sizeof(pers_str), GetEntropy, &drbg);
+        if (ret != DRBG_OK) {
+            printf("NTRU drbg instantiate failed\n");
+            return;
+        }
 
-    start = current_time(1);
+        switch (ntruBits) {
+            case 128:
+                type = NTRU_EES439EP1;
+                break;
+            case 192:
+                type = NTRU_EES593EP1;
+                break;
+            case 256:
+                type = NTRU_EES743EP1;
+                break;
+        }
 
-    for(i = 0; i < genTimes; i++) {
-        ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2, &public_key_len,
-                                     public_key, &private_key_len, 
-                                     private_key);
-    }
+        /* set key sizes */
+        ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len,
+                                                  NULL, &private_key_len, NULL);
 
-    total = current_time(0) - start;
+        bench_stats_start(&i, &start);
+        for (i = 0; i < genTimes; i++) {
+            ret = ntru_crypto_ntru_encrypt_keygen(drbg, type, &public_key_len,
+                                         public_key, &private_key_len,
+                                         private_key);
+        }
+        bench_stats_asym_finish("NTRU", ntruBits, desc[2], 0, i, start, ret);
 
-    rc = ntru_crypto_drbg_uninstantiate(drbg);
+        if (ret != NTRU_OK) {
+            return;
+        }
 
-    if (rc != NTRU_OK) {
-        printf("NTRU drbg uninstantiate failed\n");
-        return;
-    }
+        ret = ntru_crypto_drbg_uninstantiate(drbg);
 
-    each = total / genTimes;
-    milliEach = each * 1000;
+        if (ret != NTRU_OK) {
+            printf("NTRU drbg uninstantiate failed\n");
+            return;
+        }
+    }
+}
+#endif
 
-    printf("\n");
-    printf("NTRU 112 key generation  %6.3f milliseconds, avg over %d"
-        " iterations\n", milliEach, genTimes);
+#ifdef HAVE_ECC
 
-}
+#ifndef BENCH_ECC_SIZE
+    #ifdef HAVE_ECC384
+        #define BENCH_ECC_SIZE  48
+    #else
+        #define BENCH_ECC_SIZE  32
+    #endif
 #endif
 
-#ifdef HAVE_ECC 
-void bench_eccKeyGen(void)
-{
-    ecc_key genKey;
-    double start, total, each, milliEach;
-    int    i;
-  
-    /* 256 bit */ 
-    start = current_time(1);
+/* Default to testing P-256 */
+static int bench_ecc_size = 32;
 
-    for(i = 0; i < genTimes; i++) {
-        wc_ecc_init(&genKey);
-        wc_ecc_make_key(&rng, 32, &genKey);
-        wc_ecc_free(&genKey);
+void bench_eccMakeKey(int doAsync)
+{
+    int ret = 0, i, times, count, pending = 0;
+    const int keySize = bench_ecc_size;
+    ecc_key genKey[BENCH_MAX_PENDING];
+    double start;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* clear for done cleanup */
+    XMEMSET(&genKey, 0, sizeof(genKey));
+
+    /* ECC Make Key */
+    bench_stats_start(&count, &start);
+    do {
+        /* while free pending slots in queue, submit ops */
+        for (times = 0; times < genTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times, genTimes, &pending)) {
+
+                    wc_ecc_free(&genKey[i]);
+                    ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT, doAsync ? devId : INVALID_DEVID);
+                    if (ret < 0) {
+                        goto exit;
+                    }
+
+                    ret = wc_ecc_make_key(&gRng, keySize, &genKey[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 0, &times, &pending)) {
+                        goto exit;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("ECC", keySize * 8, desc[2], doAsync, count, start, ret);
+
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_ecc_free(&genKey[i]);
     }
-
-    total = current_time(0) - start;
-    each  = total / genTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("\n");
-    printf("ECC  256 key generation  %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, genTimes);
 }
 
-
-void bench_eccKeyAgree(void)
+void bench_ecc(int doAsync)
 {
-    ecc_key genKey, genKey2;
-    double start, total, each, milliEach;
-    int    i, ret;
-    byte   shared[32];
-    byte   sig[64+16];  /* der encoding too */
-    byte   digest[32];
-    word32 x = 0;
+    int ret = 0, i, times, count, pending = 0;
+    const int keySize = bench_ecc_size;
+    ecc_key genKey[BENCH_MAX_PENDING];
+#ifdef HAVE_ECC_DHE
+    ecc_key genKey2[BENCH_MAX_PENDING];
+#endif
+#if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
+#ifdef HAVE_ECC_VERIFY
+    int    verify[BENCH_MAX_PENDING];
+#endif
+#endif
+    word32 x[BENCH_MAX_PENDING];
+    double start;
+    const char**desc = bench_desc_words[lng_index];
 
-    wc_ecc_init(&genKey);
-    wc_ecc_init(&genKey2);
+#ifdef HAVE_ECC_DHE
+    DECLARE_ARRAY(shared, byte, BENCH_MAX_PENDING, BENCH_ECC_SIZE, HEAP_HINT);
+#endif
+#if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
+    DECLARE_ARRAY(sig, byte, BENCH_MAX_PENDING, ECC_MAX_SIG_SIZE, HEAP_HINT);
+    DECLARE_ARRAY(digest, byte, BENCH_MAX_PENDING, BENCH_ECC_SIZE, HEAP_HINT);
+#endif
 
-    ret = wc_ecc_make_key(&rng, 32, &genKey);
-    if (ret != 0) {
-        printf("ecc_make_key failed\n");
-        return;
+    /* clear for done cleanup */
+    XMEMSET(&genKey, 0, sizeof(genKey));
+#ifdef HAVE_ECC_DHE
+    XMEMSET(&genKey2, 0, sizeof(genKey2));
+#endif
+
+    /* init keys */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        /* setup an context for each key */
+        if ((ret = wc_ecc_init_ex(&genKey[i], HEAP_HINT,
+                                    doAsync ? devId : INVALID_DEVID)) < 0) {
+            goto exit;
+        }
+        ret = wc_ecc_make_key(&gRng, keySize, &genKey[i]);
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        ret = wc_AsyncWait(ret, &genKey[i].asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (ret < 0) {
+            goto exit;
+        }
+
+    #ifdef HAVE_ECC_DHE
+        if ((ret = wc_ecc_init_ex(&genKey2[i], HEAP_HINT, INVALID_DEVID)) < 0) {
+            goto exit;
+        }
+        if ((ret = wc_ecc_make_key(&gRng, keySize, &genKey2[i])) > 0) {
+            goto exit;
+        }
+    #endif
     }
-    ret = wc_ecc_make_key(&rng, 32, &genKey2);
-    if (ret != 0) {
-        printf("ecc_make_key failed\n");
-        return;
+
+#ifdef HAVE_ECC_DHE
+
+    /* ECC Shared Secret */
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < agreeTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, agreeTimes, &pending)) {
+                    x[i] = (word32)keySize;
+                    ret = wc_ecc_shared_secret(&genKey[i], &genKey2[i], shared[i], &x[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, &pending)) {
+                        goto exit_ecdhe;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_ecdhe:
+    bench_stats_asym_finish("ECDHE", keySize * 8, desc[3], doAsync, count, start, ret);
+
+    if (ret < 0) {
+        goto exit;
     }
+#endif /* HAVE_ECC_DHE */
 
-    /* 256 bit */
-    start = current_time(1);
+#if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
 
-    for(i = 0; i < agreeTimes; i++) {
-        x = sizeof(shared);
-        ret = wc_ecc_shared_secret(&genKey, &genKey2, shared, &x);
-        if (ret != 0) {
-            printf("ecc_shared_secret failed\n");
-            return;
+    /* Init digest to sign */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        for (count = 0; count < keySize; count++) {
+            digest[i][count] = (byte)count;
         }
     }
 
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("EC-DHE   key agreement   %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
+    /* ECC Sign */
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < agreeTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, agreeTimes, &pending)) {
+                    if (genKey[i].state == 0)
+                        x[i] = ECC_MAX_SIG_SIZE;
+                    ret = wc_ecc_sign_hash(digest[i], (word32)keySize, sig[i], &x[i],
+                                                            &gRng, &genKey[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, &pending)) {
+                        goto exit_ecdsa_sign;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_ecdsa_sign:
+    bench_stats_asym_finish("ECDSA", keySize * 8, desc[4], doAsync, count, start, ret);
 
-    /* make dummy digest */
-    for (i = 0; i < (int)sizeof(digest); i++)
-        digest[i] = (byte)i;
+    if (ret < 0) {
+        goto exit;
+    }
+
+#ifdef HAVE_ECC_VERIFY
+
+    /* ECC Verify */
+    bench_stats_start(&count, &start);
+    do {
+        for (times = 0; times < agreeTimes || pending > 0; ) {
+            bench_async_poll(&pending);
+
+            /* while free pending slots in queue, submit ops */
+            for (i = 0; i < BENCH_MAX_PENDING; i++) {
+                if (bench_async_check(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, agreeTimes, &pending)) {
+                    if (genKey[i].state == 0)
+                        verify[i] = 0;
+                    ret = wc_ecc_verify_hash(sig[i], x[i], digest[i],
+                                        (word32)keySize, &verify[i], &genKey[i]);
+                    if (!bench_async_handle(&ret, BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times, &pending)) {
+                        goto exit_ecdsa_verify;
+                    }
+                }
+            } /* for i */
+        } /* for times */
+        count += times;
+    } while (bench_stats_sym_check(start));
+exit_ecdsa_verify:
+    bench_stats_asym_finish("ECDSA", keySize * 8, desc[5], doAsync, count, start, ret);
+#endif /* HAVE_ECC_VERIFY */
+#endif /* !NO_ASN && HAVE_ECC_SIGN */
+
+exit:
+
+    /* cleanup */
+    for (i = 0; i < BENCH_MAX_PENDING; i++) {
+        wc_ecc_free(&genKey[i]);
+    #ifdef HAVE_ECC_DHE
+        wc_ecc_free(&genKey2[i]);
+    #endif
+    }
 
+#ifdef HAVE_ECC_DHE
+    FREE_ARRAY(shared, BENCH_MAX_PENDING, HEAP_HINT);
+#endif
+#if !defined(NO_ASN) && defined(HAVE_ECC_SIGN)
+    FREE_ARRAY(sig, BENCH_MAX_PENDING, HEAP_HINT);
+    FREE_ARRAY(digest, BENCH_MAX_PENDING, HEAP_HINT);
+#endif
+}
 
-    start = current_time(1);
 
-    for(i = 0; i < agreeTimes; i++) {
-        x = sizeof(sig);
-        ret = wc_ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &genKey);
-        if (ret != 0) {
-            printf("ecc_sign_hash failed\n");
-            return; 
-        }
+#ifdef HAVE_ECC_ENCRYPT
+void bench_eccEncrypt(void)
+{
+    ecc_key userA, userB;
+    const int keySize = bench_ecc_size;
+    byte    msg[48];
+    byte    out[80];
+    word32  outSz   = sizeof(out);
+    word32  bench_plainSz = BENCH_SIZE;
+    int     ret, i, count;
+    double start;
+    const char**desc = bench_desc_words[lng_index];
+
+    ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
+    if (ret != 0) {
+        printf("wc_ecc_encrypt make key A failed: %d\n", ret);
+        return;
     }
 
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("EC-DSA   sign   time     %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
+    ret = wc_ecc_init_ex(&userB, HEAP_HINT, devId);
+    if (ret != 0) {
+        printf("wc_ecc_encrypt make key B failed: %d\n", ret);
+        wc_ecc_free(&userA);
+        return;
+    }
 
-    start = current_time(1);
+    ret = wc_ecc_make_key(&gRng, keySize, &userA);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        goto exit;
+    ret = wc_ecc_make_key(&gRng, keySize, &userB);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        goto exit;
 
-    for(i = 0; i < agreeTimes; i++) {
-        int verify = 0;
-        ret = wc_ecc_verify_hash(sig, x, digest, sizeof(digest), &verify, &genKey);
-        if (ret != 0) {
-            printf("ecc_verify_hash failed\n");
-            return; 
+    for (i = 0; i < (int)sizeof(msg); i++)
+        msg[i] = i;
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < ntimes; i++) {
+            /* encrypt msg to B */
+            ret = wc_ecc_encrypt(&userA, &userB, msg, sizeof(msg), out, &outSz, NULL);
+            if (ret != 0) {
+                printf("wc_ecc_encrypt failed! %d\n", ret);
+                goto exit_enc;
+            }
         }
-    }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_enc:
+    bench_stats_asym_finish("ECC", keySize * 8, desc[6], 0, count, start, ret);
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < ntimes; i++) {
+            /* decrypt msg from A */
+            ret = wc_ecc_decrypt(&userB, &userA, out, outSz, bench_plain, &bench_plainSz, NULL);
+            if (ret != 0) {
+                printf("wc_ecc_decrypt failed! %d\n", ret);
+                goto exit_dec;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_dec:
+    bench_stats_asym_finish("ECC", keySize * 8, desc[7], 0, count, start, ret);
 
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;     /* millisconds */
-    printf("EC-DSA   verify time     %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
+exit:
 
-    wc_ecc_free(&genKey2);
-    wc_ecc_free(&genKey);
+    /* cleanup */
+    wc_ecc_free(&userB);
+    wc_ecc_free(&userA);
 }
+#endif
 #endif /* HAVE_ECC */
 
 #ifdef HAVE_CURVE25519
 void bench_curve25519KeyGen(void)
 {
     curve25519_key genKey;
-    double start, total, each, milliEach;
-    int    i;
-
-    /* 256 bit */
-    start = current_time(1);
-
-    for(i = 0; i < genTimes; i++) {
-        wc_curve25519_make_key(&rng, 32, &genKey);
-        wc_curve25519_free(&genKey);
-    }
-
-    total = current_time(0) - start;
-    each  = total / genTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("\n");
-    printf("CURVE25519 256 key generation %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, genTimes);
+    double start;
+    int    ret = 0, i, count;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* Key Gen */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < genTimes; i++) {
+            ret = wc_curve25519_make_key(&gRng, 32, &genKey);
+            wc_curve25519_free(&genKey);
+            if (ret != 0) {
+                printf("wc_curve25519_make_key failed: %d\n", ret);
+                break;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_asym_finish("CURVE", 25519, desc[2], 0, count, start, ret);
 }
 
-
+#ifdef HAVE_CURVE25519_SHARED_SECRET
 void bench_curve25519KeyAgree(void)
 {
     curve25519_key genKey, genKey2;
-    double start, total, each, milliEach;
-    int    i, ret;
+    double start;
+    int    ret, i, count;
     byte   shared[32];
+	const char**desc = bench_desc_words[lng_index];
     word32 x = 0;
 
     wc_curve25519_init(&genKey);
     wc_curve25519_init(&genKey2);
 
-    ret = wc_curve25519_make_key(&rng, 32, &genKey);
+    ret = wc_curve25519_make_key(&gRng, 32, &genKey);
     if (ret != 0) {
         printf("curve25519_make_key failed\n");
         return;
     }
-    ret = wc_curve25519_make_key(&rng, 32, &genKey2);
+    ret = wc_curve25519_make_key(&gRng, 32, &genKey2);
     if (ret != 0) {
-        printf("curve25519_make_key failed\n");
+        printf("curve25519_make_key failed: %d\n", ret);
+        wc_curve25519_free(&genKey);
         return;
     }
 
-    /* 256 bit */
-    start = current_time(1);
-
-    for(i = 0; i < agreeTimes; i++) {
-        x = sizeof(shared);
-        ret = wc_curve25519_shared_secret(&genKey, &genKey2, shared, &x);
-        if (ret != 0) {
-            printf("curve25519_shared_secret failed\n");
-            return;
+    /* Shared secret */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            x = sizeof(shared);
+            ret = wc_curve25519_shared_secret(&genKey, &genKey2, shared, &x);
+            if (ret != 0) {
+                printf("curve25519_shared_secret failed: %d\n", ret);
+                goto exit;
+            }
         }
-    }
-
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("CURVE25519 key agreement      %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("CURVE", 25519, desc[3], 0, count, start, ret);
 
     wc_curve25519_free(&genKey2);
     wc_curve25519_free(&genKey);
 }
+#endif /* HAVE_CURVE25519_SHARED_SECRET */
 #endif /* HAVE_CURVE25519 */
 
 #ifdef HAVE_ED25519
 void bench_ed25519KeyGen(void)
 {
     ed25519_key genKey;
-    double start, total, each, milliEach;
-    int    i;
-
-    /* 256 bit */
-    start = current_time(1);
-
-    for(i = 0; i < genTimes; i++) {
-        wc_ed25519_init(&genKey);
-        wc_ed25519_make_key(&rng, 32, &genKey);
-        wc_ed25519_free(&genKey);
-    }
-
-    total = current_time(0) - start;
-    each  = total / genTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("\n");
-    printf("ED25519  key generation  %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, genTimes);
+    double start;
+    int    i, count;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* Key Gen */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < genTimes; i++) {
+            wc_ed25519_init(&genKey);
+            (void)wc_ed25519_make_key(&gRng, 32, &genKey);
+            wc_ed25519_free(&genKey);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_asym_finish("ED", 25519, desc[2], 0, count, start, 0);
 }
 
 
 void bench_ed25519KeySign(void)
 {
+    int    ret;
     ed25519_key genKey;
-    double start, total, each, milliEach;
-    int    i, ret;
+#ifdef HAVE_ED25519_SIGN
+    double start;
+    int    i, count;
     byte   sig[ED25519_SIG_SIZE];
     byte   msg[512];
     word32 x = 0;
+#endif
+    const char**desc = bench_desc_words[lng_index];
 
     wc_ed25519_init(&genKey);
 
-    ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &genKey);
+    ret = wc_ed25519_make_key(&gRng, ED25519_KEY_SIZE, &genKey);
     if (ret != 0) {
         printf("ed25519_make_key failed\n");
         return;
     }
+
+#ifdef HAVE_ED25519_SIGN
     /* make dummy msg */
     for (i = 0; i < (int)sizeof(msg); i++)
         msg[i] = (byte)i;
 
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            x = sizeof(sig);
+            ret = wc_ed25519_sign_msg(msg, sizeof(msg), sig, &x, &genKey);
+            if (ret != 0) {
+                printf("ed25519_sign_msg failed\n");
+                goto exit_ed_sign;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_ed_sign:
+    bench_stats_asym_finish("ED", 25519, desc[4], 0, count, start, ret);
+
+#ifdef HAVE_ED25519_VERIFY
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            int verify = 0;
+            ret = wc_ed25519_verify_msg(sig, x, msg, sizeof(msg), &verify,
+                                        &genKey);
+            if (ret != 0 || verify != 1) {
+                printf("ed25519_verify_msg failed\n");
+                goto exit_ed_verify;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_ed_verify:
+    bench_stats_asym_finish("ED", 25519, desc[5], 0, count, start, ret);
+#endif /* HAVE_ED25519_VERIFY */
+#endif /* HAVE_ED25519_SIGN */
 
-    start = current_time(1);
+    wc_ed25519_free(&genKey);
+}
+#endif /* HAVE_ED25519 */
 
-    for(i = 0; i < agreeTimes; i++) {
-        x = sizeof(sig);
-        ret = wc_ed25519_sign_msg(msg, sizeof(msg), sig, &x, &genKey);
-        if (ret != 0) {
-            printf("ed25519_sign_msg failed\n");
-            return;
+#ifdef HAVE_CURVE448
+void bench_curve448KeyGen(void)
+{
+    curve448_key genKey;
+    double start;
+    int    ret = 0, i, count;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* Key Gen */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < genTimes; i++) {
+            ret = wc_curve448_make_key(&gRng, 56, &genKey);
+            wc_curve448_free(&genKey);
+            if (ret != 0) {
+                printf("wc_curve448_make_key failed: %d\n", ret);
+                break;
+            }
         }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_asym_finish("CURVE", 448, desc[2], 0, count, start, ret);
+}
+
+#ifdef HAVE_CURVE448_SHARED_SECRET
+void bench_curve448KeyAgree(void)
+{
+    curve448_key genKey, genKey2;
+    double start;
+    int    ret, i, count;
+    byte   shared[56];
+	const char**desc = bench_desc_words[lng_index];
+    word32 x = 0;
+
+    wc_curve448_init(&genKey);
+    wc_curve448_init(&genKey2);
+
+    ret = wc_curve448_make_key(&gRng, 56, &genKey);
+    if (ret != 0) {
+        printf("curve448_make_key failed\n");
+        return;
+    }
+    ret = wc_curve448_make_key(&gRng, 56, &genKey2);
+    if (ret != 0) {
+        printf("curve448_make_key failed: %d\n", ret);
+        wc_curve448_free(&genKey);
+        return;
     }
 
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;   /* millisconds */
-    printf("ED25519  sign   time     %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
-
-    start = current_time(1);
-
-    for(i = 0; i < agreeTimes; i++) {
-        int verify = 0;
-        ret = wc_ed25519_verify_msg(sig, x, msg, sizeof(msg), &verify,
-                                    &genKey);
-        if (ret != 0 || verify != 1) {
-            printf("ed25519_verify_msg failed\n");
-            return;
+    /* Shared secret */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            x = sizeof(shared);
+            ret = wc_curve448_shared_secret(&genKey, &genKey2, shared, &x);
+            if (ret != 0) {
+                printf("curve448_shared_secret failed: %d\n", ret);
+                goto exit;
+            }
         }
-    }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit:
+    bench_stats_asym_finish("CURVE", 448, desc[3], 0, count, start, ret);
 
-    total = current_time(0) - start;
-    each  = total / agreeTimes;  /* per second  */
-    milliEach = each * 1000;     /* millisconds */
-    printf("ED25519  verify time     %6.3f milliseconds, avg over %d"
-           " iterations\n", milliEach, agreeTimes);
+    wc_curve448_free(&genKey2);
+    wc_curve448_free(&genKey);
+}
+#endif /* HAVE_CURVE448_SHARED_SECRET */
+#endif /* HAVE_CURVE448 */
 
-    wc_ed25519_free(&genKey);
+#ifdef HAVE_ED448
+void bench_ed448KeyGen(void)
+{
+    ed448_key genKey;
+    double start;
+    int    i, count;
+    const char**desc = bench_desc_words[lng_index];
+
+    /* Key Gen */
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < genTimes; i++) {
+            wc_ed448_init(&genKey);
+            (void)wc_ed448_make_key(&gRng, ED448_KEY_SIZE, &genKey);
+            wc_ed448_free(&genKey);
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+    bench_stats_asym_finish("ED", 448, desc[2], 0, count, start, 0);
 }
-#endif /* HAVE_ED25519 */
 
 
-#ifdef _WIN32
+void bench_ed448KeySign(void)
+{
+    int    ret;
+    ed448_key genKey;
+#ifdef HAVE_ED448_SIGN
+    double start;
+    int    i, count;
+    byte   sig[ED448_SIG_SIZE];
+    byte   msg[512];
+    word32 x = 0;
+#endif
+    const char**desc = bench_desc_words[lng_index];
+
+    wc_ed448_init(&genKey);
+
+    ret = wc_ed448_make_key(&gRng, ED448_KEY_SIZE, &genKey);
+    if (ret != 0) {
+        printf("ed448_make_key failed\n");
+        return;
+    }
+
+#ifdef HAVE_ED448_SIGN
+    /* make dummy msg */
+    for (i = 0; i < (int)sizeof(msg); i++)
+        msg[i] = (byte)i;
+
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            x = sizeof(sig);
+            ret = wc_ed448_sign_msg(msg, sizeof(msg), sig, &x, &genKey,
+                                    NULL, 0);
+            if (ret != 0) {
+                printf("ed448_sign_msg failed\n");
+                goto exit_ed_sign;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_ed_sign:
+    bench_stats_asym_finish("ED", 448, desc[4], 0, count, start, ret);
+
+#ifdef HAVE_ED448_VERIFY
+    bench_stats_start(&count, &start);
+    do {
+        for (i = 0; i < agreeTimes; i++) {
+            int verify = 0;
+            ret = wc_ed448_verify_msg(sig, x, msg, sizeof(msg), &verify,
+                                      &genKey, NULL, 0);
+            if (ret != 0 || verify != 1) {
+                printf("ed448_verify_msg failed\n");
+                goto exit_ed_verify;
+            }
+        }
+        count += i;
+    } while (bench_stats_sym_check(start));
+exit_ed_verify:
+    bench_stats_asym_finish("ED", 448, desc[5], 0, count, start, ret);
+#endif /* HAVE_ED448_VERIFY */
+#endif /* HAVE_ED448_SIGN */
+
+    wc_ed448_free(&genKey);
+}
+#endif /* HAVE_ED448 */
+
+#ifndef HAVE_STACK_SIZE
+#if defined(_WIN32) && !defined(INTIME_RTOS)
 
     #define WIN32_LEAN_AND_MEAN
     #include <windows.h>
@@ -1808,7 +5825,7 @@ void bench_ed25519KeySign(void)
     {
         static int init = 0;
         static LARGE_INTEGER freq;
-    
+
         LARGE_INTEGER count;
 
         (void)reset;
@@ -1827,10 +5844,10 @@ void bench_ed25519KeySign(void)
     #if defined(WOLFSSL_MICROCHIP_PIC32MZ)
         #define CLOCK 80000000.0
     #else
-        #include <peripheral/timer.h>
         #define CLOCK 40000000.0
     #endif
-
+    extern void WriteCoreTimer(word32 t);
+    extern word32 ReadCoreTimer(void);
     double current_time(int reset)
     {
         unsigned int ns;
@@ -1846,11 +5863,19 @@ void bench_ed25519KeySign(void)
         return ( ns / CLOCK * 2.0);
     }
 
-#elif defined(WOLFSSL_IAR_ARM_TIME) || defined (WOLFSSL_MDK_ARM) || defined(WOLFSSL_USER_CURRTIME)
-    extern   double current_time(int reset);
-    
-#elif defined FREERTOS
+#elif defined(WOLFSSL_IAR_ARM_TIME) || defined (WOLFSSL_MDK_ARM) || \
+      defined(WOLFSSL_USER_CURRTIME) || defined(WOLFSSL_CURRTIME_REMAP)
+    /* declared above at line 239 */
+    /* extern   double current_time(int reset); */
+
+#elif defined(FREERTOS)
 
+    #include "task.h"
+#if defined(WOLFSSL_ESPIDF)
+    /* proto type definition */
+    int construct_argv();
+    extern char* __argv[22];
+#endif
     double current_time(int reset)
     {
         portTickType tickCount;
@@ -1876,6 +5901,107 @@ void bench_ed25519KeySign(void)
         return (double)tv.SECONDS + (double)tv.MILLISECONDS / 1000;
     }
 
+#elif defined(FREESCALE_KSDK_BM)
+
+    double current_time(int reset)
+    {
+        return (double)OSA_TimeGetMsec() / 1000;
+    }
+
+#elif defined(WOLFSSL_EMBOS)
+
+    #include "RTOS.h"
+
+    double current_time(int reset)
+    {
+        double time_now;
+        double current_s = OS_GetTime() / 1000.0;
+        double current_us = OS_GetTime_us() / 1000000.0;
+        time_now = (double)( current_s + current_us);
+
+        (void) reset;
+
+        return time_now;
+    }
+#elif defined(WOLFSSL_SGX)
+    double current_time(int reset);
+
+#elif defined(WOLFSSL_DEOS)
+    double current_time(int reset)
+    {
+        const uint32_t systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
+        uint32_t *systemTickPtr = systemTickPointer();
+
+        (void)reset;
+
+        return (double) *systemTickPtr/systemTickTimeInHz;
+    }
+
+#elif defined(MICRIUM)
+    double current_time(int reset)
+    {
+        CPU_ERR err;
+
+        (void)reset;
+        return (double) CPU_TS_Get32()/CPU_TS_TmrFreqGet(&err);
+    }
+#elif defined(WOLFSSL_ZEPHYR)
+
+    #include <time.h>
+
+    double current_time(int reset)
+    {
+        (void)reset;
+
+     #if defined(CONFIG_ARCH_POSIX)
+         k_cpu_idle();
+     #endif
+
+        return (double)k_uptime_get() / 1000;
+    }
+
+#elif defined(WOLFSSL_NETBURNER)
+    #include <predef.h>
+    #include <utils.h>
+    #include <constants.h>
+
+    double current_time(int reset)
+    {
+        DWORD ticks = TimeTick; /* ticks since system start */
+        (void)reset;
+
+        return (double) ticks/TICKS_PER_SECOND;
+    }
+
+#elif defined(THREADX)
+    #include "tx_api.h"
+    double current_time(int reset)
+    {
+        (void)reset;
+        return (double) tx_time_get() / TX_TIMER_TICKS_PER_SECOND;
+    }
+
+#elif defined(WOLFSSL_XILINX)
+    #ifndef XPAR_CPU_CORTEXA53_0_TIMESTAMP_CLK_FREQ
+    #define XPAR_CPU_CORTEXA53_0_TIMESTAMP_CLK_FREQ 50000000
+    #endif
+    #ifndef COUNTS_PER_SECOND
+    #define COUNTS_PER_SECOND     XPAR_CPU_CORTEXA53_0_TIMESTAMP_CLK_FREQ
+    #endif
+
+    double current_time(int reset)
+    {
+        double timer;
+        uint64_t cntPct = 0;
+        asm volatile("mrs %0, CNTPCT_EL0" : "=r" (cntPct));
+
+        /* Convert to milliseconds */
+        timer = (double)(cntPct / (COUNTS_PER_SECOND / 1000));
+        /* Convert to seconds.millisecond */
+        timer /= 1000;
+        return timer;
+    }
+
 #else
 
     #include <sys/time.h>
@@ -1892,10 +6018,11 @@ void bench_ed25519KeySign(void)
     }
 
 #endif /* _WIN32 */
+#endif /* !HAVE_STACK_SIZE */
 
-#ifdef HAVE_GET_CYCLES
+#if defined(HAVE_GET_CYCLES)
 
-static INLINE word64 get_intel_cycles(void)
+static WC_INLINE word64 get_intel_cycles(void)
 {
     unsigned int lo_c, hi_c;
     __asm__ __volatile__ (
@@ -1908,3 +6035,294 @@ static INLINE word64 get_intel_cycles(void)
 }
 
 #endif /* HAVE_GET_CYCLES */
+
+void benchmark_configure(int block_size)
+{
+    /* must be greater than 0 */
+    if (block_size > 0) {
+        numBlocks = numBlocks * bench_size / block_size;
+        bench_size = (word32)block_size;
+    }
+}
+
+#ifndef NO_MAIN_DRIVER
+
+#ifndef MAIN_NO_ARGS
+
+#ifndef WOLFSSL_BENCHMARK_ALL
+/* Display the algorithm string and keep to 80 characters per line.
+ *
+ * str   Algorithm string to print.
+ * line  Length of line used so far.
+ */
+static void print_alg(const char* str, int* line)
+{
+    int optLen;
+
+    optLen = (int)XSTRLEN(str) + 1;
+    if (optLen + *line > 80) {
+        printf("\n             ");
+        *line = 13;
+    }
+    *line += optLen;
+    printf(" %s", str);
+}
+#endif
+
+/* Display the usage options of the benchmark program. */
+static void Usage(void)
+{
+#ifndef WOLFSSL_BENCHMARK_ALL
+    int i;
+    int line;
+#endif
+
+    printf("benchmark\n");
+    printf("%s", bench_Usage_msg1[lng_index][0]);    /* option -? */
+    printf("%s", bench_Usage_msg1[lng_index][1]);    /* option -csv */
+    printf("%s", bench_Usage_msg1[lng_index][2]);    /* option -base10 */
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+    printf("%s", bench_Usage_msg1[lng_index][3]);    /* option -no_add */
+#endif
+    printf("%s", bench_Usage_msg1[lng_index][4]);    /* option -dgst_full */
+#ifndef NO_RSA
+    printf("%s", bench_Usage_msg1[lng_index][5]);    /* option -ras_sign */
+    #ifdef WOLFSSL_KEY_GEN
+    printf("%s", bench_Usage_msg1[lng_index][6]);    /* option -rsa-sz */
+    #endif
+#endif
+#if !defined(NO_DH) && defined(HAVE_FFDHE_2048)
+    printf("%s", bench_Usage_msg1[lng_index][7]);    /* option -ffdhe2048 */
+#endif
+#if !defined(NO_DH) && defined(HAVE_FFDHE_3072)
+    printf("%s", bench_Usage_msg1[lng_index][8]);    /* option -ffdhe3072 */
+#endif
+#if defined(HAVE_ECC) && !defined(NO_ECC256)
+    printf("%s", bench_Usage_msg1[lng_index][9]);    /* option -p256 */
+#endif
+#if defined(HAVE_ECC) && defined(HAVE_ECC384)
+    printf("%s", bench_Usage_msg1[lng_index][10]);   /* option -p384 */
+#endif
+#ifndef WOLFSSL_BENCHMARK_ALL
+    printf("%s", bench_Usage_msg1[lng_index][11]);   /* option -<alg> */
+    printf("             ");
+    line = 13;
+    for (i=0; bench_cipher_opt[i].str != NULL; i++)
+        print_alg(bench_cipher_opt[i].str + 1, &line);
+    printf("\n             ");
+    line = 13;
+    for (i=0; bench_digest_opt[i].str != NULL; i++)
+        print_alg(bench_digest_opt[i].str + 1, &line);
+    printf("\n             ");
+    line = 13;
+    for (i=0; bench_mac_opt[i].str != NULL; i++)
+        print_alg(bench_mac_opt[i].str + 1, &line);
+    printf("\n             ");
+    line = 13;
+    for (i=0; bench_asym_opt[i].str != NULL; i++)
+        print_alg(bench_asym_opt[i].str + 1, &line);
+    printf("\n             ");
+    line = 13;
+    for (i=0; bench_other_opt[i].str != NULL; i++)
+        print_alg(bench_other_opt[i].str + 1, &line);
+    printf("\n");
+#endif
+    printf("%s", bench_Usage_msg1[lng_index][12]);   /* option -lng */
+    printf("%s", bench_Usage_msg1[lng_index][13]);   /* option <num> */
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+    printf("%s", bench_Usage_msg1[lng_index][14]);   /* option -threads <num> */
+#endif
+    printf("%s", bench_Usage_msg1[lng_index][15]);   /* option -print */
+}
+
+/* Match the command line argument with the string.
+ *
+ * arg  Command line argument.
+ * str  String to check for.
+ * return 1 if the command line argument matches the string, 0 otherwise.
+ */
+static int string_matches(const char* arg, const char* str)
+{
+    int len = (int)XSTRLEN(str) + 1;
+    return XSTRNCMP(arg, str, len) == 0;
+}
+#endif /* MAIN_NO_ARGS */
+
+#ifdef WOLFSSL_ESPIDF
+int wolf_benchmark_task( )
+#elif defined(MAIN_NO_ARGS)
+int main()
+#else
+int main(int argc, char** argv)
+#endif
+{
+    int ret = 0;
+#ifndef MAIN_NO_ARGS
+    int optMatched;
+#ifdef WOLFSSL_ESPIDF
+    int argc = construct_argv();
+    char** argv = (char**)__argv;
+#endif
+#ifndef WOLFSSL_BENCHMARK_ALL
+    int i;
+#endif
+#endif
+
+    benchmark_static_init();
+
+#ifndef MAIN_NO_ARGS
+    while (argc > 1) {
+        if (string_matches(argv[1], "-?")) {
+            if(--argc>1){
+                lng_index = XATOI((++argv)[1]);
+                if(lng_index<0||lng_index>1) {
+                    lng_index = 0;
+                }
+            }
+            Usage();
+            return 0;
+        }
+        else if (string_matches(argv[1], "-v")) {
+            printf("-----------------------------------------------------------"
+                   "-------------------\n wolfSSL version %s\n-----------------"
+                   "-----------------------------------------------------------"
+                   "--\n", LIBWOLFSSL_VERSION_STRING);
+            return 0;
+        }
+        else if (string_matches(argv[1], "-lng")) {
+            argc--;
+            argv++;
+            if(argc>1) {
+                lng_index = XATOI(argv[1]);
+                if(lng_index<0||lng_index>1){
+                    printf("invalid number(%d) is specified. [<num> :0-1]\n",lng_index);
+                    lng_index = 0;
+                }
+            }
+        }
+        else if (string_matches(argv[1], "-base10"))
+            base2 = 0;
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+        else if (string_matches(argv[1], "-no_aad"))
+            aesAuthAddSz = 0;
+#endif
+        else if (string_matches(argv[1], "-dgst_full"))
+            digest_stream = 0;
+#ifndef NO_RSA
+        else if (string_matches(argv[1], "-rsa_sign"))
+            rsa_sign_verify = 1;
+#endif
+#if !defined(NO_DH) && defined(HAVE_FFDHE_2048)
+        else if (string_matches(argv[1], "-ffdhe2048"))
+            use_ffdhe = 2048;
+#endif
+#if !defined(NO_DH) && defined(HAVE_FFDHE_3072)
+        else if (string_matches(argv[1], "-ffdhe3072"))
+            use_ffdhe = 3072;
+#endif
+#if defined(HAVE_ECC) && !defined(NO_ECC256)
+        else if (string_matches(argv[1], "-p256"))
+            bench_ecc_size = 32;
+#endif
+#if defined(HAVE_ECC) && defined(HAVE_ECC384)
+        else if (string_matches(argv[1], "-p384"))
+            bench_ecc_size = 48;
+#endif
+#ifdef BENCH_ASYM
+        else if (string_matches(argv[1], "-csv")) {
+            csv_format = 1;
+            csv_header_count = 1;
+        }
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_NO_ASYNC_THREADING)
+        else if (string_matches(argv[1], "-threads")) {
+            argc--;
+            argv++;
+            if (argc > 1) {
+                g_threadCount = XATOI(argv[1]);
+                if (g_threadCount < 1 || lng_index > 128){
+                    printf("invalid number(%d) is specified. [<num> :1-128]\n",
+                        g_threadCount);
+                    g_threadCount = 0;
+                }
+            }
+        }
+#endif
+        else if (string_matches(argv[1], "-print")) {
+            gPrintStats = 1;
+        }
+        else if (argv[1][0] == '-') {
+            optMatched = 0;
+#ifndef WOLFSSL_BENCHMARK_ALL
+            /* Check known algorithm choosing command line options. */
+            /* Known cipher algorithms */
+            for (i=0; !optMatched && bench_cipher_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_cipher_opt[i].str)) {
+                    bench_cipher_algs |= bench_cipher_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
+            /* Known digest algorithms */
+            for (i=0; !optMatched && bench_digest_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_digest_opt[i].str)) {
+                    bench_digest_algs |= bench_digest_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
+            /* Known MAC algorithms */
+            for (i=0; !optMatched && bench_mac_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_mac_opt[i].str)) {
+                    bench_mac_algs |= bench_mac_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
+            /* Known asymmetric algorithms */
+            for (i=0; !optMatched && bench_asym_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_asym_opt[i].str)) {
+                    bench_asym_algs |= bench_asym_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
+            /* Other known cryptographic algorithms */
+            for (i=0; !optMatched && bench_other_opt[i].str != NULL; i++) {
+                if (string_matches(argv[1], bench_other_opt[i].str)) {
+                    bench_other_algs |= bench_other_opt[i].val;
+                    bench_all = 0;
+                    optMatched = 1;
+                }
+            }
+#endif
+            if (!optMatched) {
+                printf("Option not recognized: %s\n", argv[1]);
+                Usage();
+                return 1;
+            }
+        }
+        else {
+            /* parse for block size */
+            benchmark_configure(XATOI(argv[1]));
+        }
+        argc--;
+        argv++;
+    }
+#endif /* MAIN_NO_ARGS */
+
+#ifdef HAVE_STACK_SIZE
+    ret = StackSizeCheck(NULL, benchmark_test);
+#else
+    ret = benchmark_test(NULL);
+#endif
+
+    return ret;
+}
+#endif /* !NO_MAIN_DRIVER */
+
+#else
+    #ifndef NO_MAIN_DRIVER
+        int main() { return 0; }
+    #endif
+#endif /* !NO_CRYPT_BENCHMARK */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.sln b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.sln
index e3e9483b8..6c555724a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.sln
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.sln
@@ -2,17 +2,56 @@
 Microsoft Visual Studio Solution File, Format Version 9.00
 # Visual C++ Express 2005
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "benchmark", "benchmark.vcproj", "{615AEC46-5595-4DEA-9490-DBD5DE0F8772}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "..\..\wolfssl.vcxproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		DLL Debug|Win32 = DLL Debug|Win32
+		DLL Debug|x64 = DLL Debug|x64
+		DLL Release|Win32 = DLL Release|Win32
+		DLL Release|x64 = DLL Release|x64
 		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Debug|Win32.ActiveCfg = Debug|Win32
 		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Debug|Win32.Build.0 = Debug|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Debug|x64.ActiveCfg = Debug|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Debug|x64.Build.0 = Debug|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Debug|Win32.ActiveCfg = Debug|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Debug|Win32.Build.0 = Debug|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Debug|x64.ActiveCfg = Debug|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Debug|x64.Build.0 = Debug|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Release|Win32.ActiveCfg = Release|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Release|Win32.Build.0 = Release|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Release|x64.ActiveCfg = Release|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.DLL Release|x64.Build.0 = Release|x64
 		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Release|Win32.ActiveCfg = Release|Win32
 		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Release|Win32.Build.0 = Release|Win32
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Release|x64.ActiveCfg = Release|x64
+		{615AEC46-5595-4DEA-9490-DBD5DE0F8772}.Release|x64.Build.0 = Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.ActiveCfg = Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.Build.0 = Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.Build.0 = DLL Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.ActiveCfg = DLL Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.Build.0 = DLL Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.ActiveCfg = DLL Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.Build.0 = DLL Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.ActiveCfg = DLL Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.Build.0 = DLL Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.ActiveCfg = Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.vcproj b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.vcproj
index 5db23c372..86c58c985 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.vcproj
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/benchmark.vcproj
@@ -38,8 +38,8 @@
 			<Tool
 				Name="VCCLCompilerTool"
 				Optimization="0"
-				AdditionalIncludeDirectories="../include"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;"
+				AdditionalIncludeDirectories="../..;../../IDE/WIN;"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;WOLFSSL_LIB;WOLFSSL_USER_SETTINGS;"
 				MinimalRebuild="true"
 				BasicRuntimeChecks="3"
 				RuntimeLibrary="3"
@@ -59,6 +59,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
+				AdditionalDependencies="Ws2_32.lib"
 				LinkIncremental="2"
 				GenerateDebugInformation="true"
 				SubSystem="1"
@@ -112,8 +113,8 @@
 			/>
 			<Tool
 				Name="VCCLCompilerTool"
-				AdditionalIncludeDirectories="../include"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;"
+				AdditionalIncludeDirectories="../..;../../IDE/WIN;"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;WOLFSSL_LIB;WOLFSSL_USER_SETTINGS;"
 				RuntimeLibrary="2"
 				UsePrecompiledHeader="0"
 				WarningLevel="3"
@@ -131,6 +132,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
+				AdditionalDependencies="Ws2_32.lib"
 				LinkIncremental="2"
 				GenerateDebugInformation="true"
 				SubSystem="1"
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/include.am b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/include.am
index db70ba79c..d91a701d7 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/include.am
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/benchmark/include.am
@@ -1,10 +1,14 @@
 # vim:ft=automake
 # All paths should be given relative to the root
 
+if BUILD_WOLFCRYPT_TESTS
 noinst_PROGRAMS += wolfcrypt/benchmark/benchmark
 wolfcrypt_benchmark_benchmark_SOURCES      = wolfcrypt/benchmark/benchmark.c
-wolfcrypt_benchmark_benchmark_LDADD        = src/libwolfssl.la
+wolfcrypt_benchmark_benchmark_LDADD        = src/libwolfssl.la $(LIB_STATIC_ADD)
 wolfcrypt_benchmark_benchmark_DEPENDENCIES = src/libwolfssl.la
+noinst_HEADERS += wolfcrypt/benchmark/benchmark.h
+endif
 EXTRA_DIST += wolfcrypt/benchmark/benchmark.sln 
 EXTRA_DIST += wolfcrypt/benchmark/benchmark.vcproj
+EXTRA_DIST += wolfcrypt/benchmark/README.md
 DISTCLEANFILES+= wolfcrypt/benchmark/.libs/benchmark
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes.c
index 85f01a0d1..4b5b437ca 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes.c
@@ -1,8 +1,8 @@
 /* aes.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,194 +16,458 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
-#ifndef NO_AES
+#if !defined(NO_AES)
 
-#include <wolfssl/wolfcrypt/aes.h>
+/* Tip: Locate the software cipher modes by searching for "Software AES" */
 
-#ifdef HAVE_FIPS
-int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
-                          int dir)
-{
-    return AesSetKey_fips(aes, key, len, iv, dir);
-}
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
 
-int wc_AesSetIV(Aes* aes, const byte* iv)
-{
-    return AesSetIV_fips(aes, iv);
-}
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$g")
+        #pragma const_seg(".fipsB$g")
+    #endif
+#endif
 
+#include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
 
-int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{
-    return AesCbcEncrypt_fips(aes, out, in, sz);
-}
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 
 
-int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{
-    return AesCbcDecrypt_fips(aes, out, in, sz);
-}
+/* fips wrapper calls, user can call direct */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
+    int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
+                              int dir)
+    {
+        if (aes == NULL ||  !( (len == 16) || (len == 24) || (len == 32)) ) {
+            return BAD_FUNC_ARG;
+        }
 
-int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
-                                 const byte* key, word32 keySz, const byte* iv)
-{
-    return AesCbcDecryptWithKey(out, in, inSz, key, keySz, iv);
-}
+        return AesSetKey_fips(aes, key, len, iv, dir);
+    }
+    int wc_AesSetIV(Aes* aes, const byte* iv)
+    {
+        if (aes == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
+        return AesSetIV_fips(aes, iv);
+    }
+    #ifdef HAVE_AES_CBC
+        int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+        {
+            if (aes == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
-/* AES-CTR */
-#ifdef WOLFSSL_AES_COUNTER
-void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{
-    AesCtrEncrypt(aes, out, in, sz);
-}
-#endif
+            return AesCbcEncrypt_fips(aes, out, in, sz);
+        }
+        #ifdef HAVE_AES_DECRYPT
+            int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+            {
+                if (aes == NULL || out == NULL || in == NULL
+                                            || sz % AES_BLOCK_SIZE != 0) {
+                    return BAD_FUNC_ARG;
+                }
 
-/* AES-DIRECT */
-#if defined(WOLFSSL_AES_DIRECT)
-void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
-{
-    AesEncryptDirect(aes, out, in);
-}
+                return AesCbcDecrypt_fips(aes, out, in, sz);
+            }
+        #endif /* HAVE_AES_DECRYPT */
+    #endif /* HAVE_AES_CBC */
 
+    /* AES-CTR */
+    #ifdef WOLFSSL_AES_COUNTER
+        int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+        {
+            if (aes == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
-void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
-{
-    AesDecryptDirect(aes, out, in);
-}
+            return AesCtrEncrypt(aes, out, in, sz);
+        }
+    #endif
 
+    /* AES-DIRECT */
+    #if defined(WOLFSSL_AES_DIRECT)
+        void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
+        {
+            AesEncryptDirect(aes, out, in);
+        }
 
-int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
-                                const byte* iv, int dir)
-{
-    return AesSetKeyDirect(aes, key, len, iv, dir);
-}
-#endif
+        #ifdef HAVE_AES_DECRYPT
+            void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
+            {
+                AesDecryptDirect(aes, out, in);
+            }
+        #endif /* HAVE_AES_DECRYPT */
 
+        int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
+                                        const byte* iv, int dir)
+        {
+            return AesSetKeyDirect(aes, key, len, iv, dir);
+        }
+    #endif /* WOLFSSL_AES_DIRECT */
 
-#ifdef HAVE_AESGCM
-int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
-{
-    return AesGcmSetKey_fips(aes, key, len);
-}
+    /* AES-GCM */
+    #ifdef HAVE_AESGCM
+        int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
+        {
+            if (aes == NULL || !( (len == 16) || (len == 24) || (len == 32)) ) {
+                return BAD_FUNC_ARG;
+            }
 
+            return AesGcmSetKey_fips(aes, key, len);
+        }
+        int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
+                                      const byte* iv, word32 ivSz,
+                                      byte* authTag, word32 authTagSz,
+                                      const byte* authIn, word32 authInSz)
+        {
+            if (aes == NULL || authTagSz > AES_BLOCK_SIZE ||
+                        authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ ||
+                        ivSz == 0 || ivSz > AES_BLOCK_SIZE) {
+                return BAD_FUNC_ARG;
+            }
 
-int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
-                              const byte* iv, word32 ivSz,
-                              byte* authTag, word32 authTagSz,
-                              const byte* authIn, word32 authInSz)
-{
-    return AesGcmEncrypt_fips(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
-                              authIn, authInSz);
-}
+            return AesGcmEncrypt_fips(aes, out, in, sz, iv, ivSz, authTag,
+                authTagSz, authIn, authInSz);
+        }
 
+        #ifdef HAVE_AES_DECRYPT
+            int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
+                                          const byte* iv, word32 ivSz,
+                                          const byte* authTag, word32 authTagSz,
+                                          const byte* authIn, word32 authInSz)
+            {
+                if (aes == NULL || out == NULL || in == NULL || iv == NULL
+                        || authTag == NULL || authTagSz > AES_BLOCK_SIZE ||
+                        ivSz == 0 || ivSz > AES_BLOCK_SIZE) {
+                    return BAD_FUNC_ARG;
+                }
 
-int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
-                              const byte* iv, word32 ivSz,
-                              const byte* authTag, word32 authTagSz,
-                              const byte* authIn, word32 authInSz)
-{
-    return AesGcmDecrypt_fips(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
-                              authIn, authInSz);
-}
+                return AesGcmDecrypt_fips(aes, out, in, sz, iv, ivSz, authTag,
+                    authTagSz, authIn, authInSz);
+            }
+        #endif /* HAVE_AES_DECRYPT */
 
+        int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
+        {
+            if (gmac == NULL || key == NULL || !((len == 16) ||
+                                (len == 24) || (len == 32)) ) {
+                return BAD_FUNC_ARG;
+            }
 
-int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
-{
-    return GmacSetKey(gmac, key, len);
-}
+            return GmacSetKey(gmac, key, len);
+        }
+        int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
+                                      const byte* authIn, word32 authInSz,
+                                      byte* authTag, word32 authTagSz)
+        {
+            if (gmac == NULL || authTagSz > AES_BLOCK_SIZE ||
+                               authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+                return BAD_FUNC_ARG;
+            }
 
+            return GmacUpdate(gmac, iv, ivSz, authIn, authInSz,
+                              authTag, authTagSz);
+        }
+    #endif /* HAVE_AESGCM */
 
-int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
-                              const byte* authIn, word32 authInSz,
-                              byte* authTag, word32 authTagSz)
-{
-    return GmacUpdate(gmac, iv, ivSz, authIn, authInSz,
-                      authTag, authTagSz);
-}
+    /* AES-CCM */
+    #if defined(HAVE_AESCCM) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+        int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+        {
+            return AesCcmSetKey(aes, key, keySz);
+        }
+        int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
+                                      const byte* nonce, word32 nonceSz,
+                                      byte* authTag, word32 authTagSz,
+                                      const byte* authIn, word32 authInSz)
+        {
+            /* sanity check on arguments */
+            if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+                    || authTag == NULL || nonceSz < 7 || nonceSz > 13)
+                return BAD_FUNC_ARG;
 
-#endif /* HAVE_AESGCM */
-#ifdef HAVE_AESCCM
-void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
-{
-    AesCcmSetKey(aes, key, keySz);
-}
+            AesCcmEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag,
+                authTagSz, authIn, authInSz);
+            return 0;
+        }
 
+        #ifdef HAVE_AES_DECRYPT
+            int  wc_AesCcmDecrypt(Aes* aes, byte* out,
+                const byte* in, word32 inSz,
+                const byte* nonce, word32 nonceSz,
+                const byte* authTag, word32 authTagSz,
+                const byte* authIn, word32 authInSz)
+            {
 
-void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
-                              const byte* nonce, word32 nonceSz,
-                              byte* authTag, word32 authTagSz,
-                              const byte* authIn, word32 authInSz)
-{
-    AesCcmEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
-                  authIn, authInSz);
-}
+                if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+                    || authTag == NULL || nonceSz < 7 || nonceSz > 13) {
+                        return BAD_FUNC_ARG;
+                }
 
+                return AesCcmDecrypt(aes, out, in, inSz, nonce, nonceSz,
+                    authTag, authTagSz, authIn, authInSz);
+            }
+        #endif /* HAVE_AES_DECRYPT */
+    #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */
 
-int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
-                              const byte* nonce, word32 nonceSz,
-                              const byte* authTag, word32 authTagSz,
-                              const byte* authIn, word32 authInSz)
-{
-    return AesCcmDecrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
-                         authIn, authInSz);
-}
-#endif /* HAVE_AESCCM */
+    int wc_AesInit(Aes* aes, void* h, int i)
+    {
+        if (aes == NULL)
+            return BAD_FUNC_ARG;
 
-#ifdef HAVE_CAVIUM
-int  wc_AesInitCavium(Aes* aes, int i)
-{
-    return AesInitCavium(aes, i);
-}
+        (void)h;
+        (void)i;
 
+        /* FIPS doesn't support:
+            return AesInit(aes, h, i); */
+        return 0;
+    }
+    void wc_AesFree(Aes* aes)
+    {
+        (void)aes;
+        /* FIPS doesn't support:
+            AesFree(aes); */
+    }
 
-void wc_AesFreeCavium(Aes* aes)
-{
-    AesFreeCavium(aes);
-}
-#endif
-#else /* HAVE_FIPS */
+#else /* else build without fips, or for FIPS v2 */
 
-#ifdef WOLFSSL_TI_CRYPT
-#include <wolfcrypt/src/port/ti/ti-aes.c>
+
+#if defined(WOLFSSL_TI_CRYPT)
+    #include <wolfcrypt/src/port/ti/ti-aes.c>
 #else
 
-#include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
+
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
+
+#if !defined(WOLFSSL_ARMASM)
+
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+    /* case of possibly not using hardware acceleration for AES but using key
+       blobs */
+    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
+#endif
+
 #ifdef DEBUG_AESNI
     #include <stdio.h>
 #endif
 
-
 #ifdef _MSC_VER
     /* 4127 warning constant while(1)  */
     #pragma warning(disable: 4127)
 #endif
 
 
-#if defined(STM32F2_CRYPTO)
-     /* STM32F2 hardware AES support for CBC, CTR modes through the STM32F2
-      * Standard Peripheral Library. Documentation located in STM32F2xx
-      * Standard Peripheral Library document (See note in README).
-      * NOTE: no support for AES-GCM/CCM/Direct */
-    #include "stm32f2xx.h"
-    #include "stm32f2xx_cryp.h"
+/* Define AES implementation includes and functions */
+#if defined(STM32_CRYPTO)
+     /* STM32F2/F4/F7/L4 hardware AES support for ECB, CBC, CTR and GCM modes */
+
+#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_STM32_CUBEMX
+        CRYP_HandleTypeDef hcryp;
+    #else
+        CRYP_InitTypeDef cryptInit;
+        CRYP_KeyInitTypeDef keyInit;
+    #endif
+
+    #ifdef WOLFSSL_STM32_CUBEMX
+        ret = wc_Stm32_Aes_Init(aes, &hcryp);
+        if (ret != 0)
+            return ret;
+
+    #ifdef STM32_CRYPTO_AES_ONLY
+        hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
+        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_ECB;
+        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
+    #elif defined(STM32_HAL_V2)
+        hcryp.Init.Algorithm  = CRYP_AES_ECB;
+    #endif
+        HAL_CRYP_Init(&hcryp);
+
+    #ifdef STM32_CRYPTO_AES_ONLY
+        ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
+            outBlock, STM32_HAL_TIMEOUT);
+    #elif defined(STM32_HAL_V2)
+        ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,
+            (uint32_t*)outBlock, STM32_HAL_TIMEOUT);
+    #else
+        ret = HAL_CRYP_AESECB_Encrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
+            outBlock, STM32_HAL_TIMEOUT);
+    #endif
+        if (ret != HAL_OK) {
+            ret = WC_TIMEOUT_E;
+        }
+        HAL_CRYP_DeInit(&hcryp);
+
+    #else /* STD_PERI_LIB */
+        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
+        if (ret != 0)
+            return ret;
+
+        /* reset registers to their default values */
+        CRYP_DeInit();
+
+        /* setup key */
+        CRYP_KeyInit(&keyInit);
+
+        /* set direction and mode */
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;
+        CRYP_Init(&cryptInit);
+
+        /* enable crypto processor */
+        CRYP_Cmd(ENABLE);
+
+        /* flush IN/OUT FIFOs */
+        CRYP_FIFOFlush();
+
+        CRYP_DataIn(*(uint32_t*)&inBlock[0]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[4]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[8]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[12]);
+
+        /* wait until the complete message has been processed */
+        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+
+        *(uint32_t*)&outBlock[0]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[4]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[8]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[12] = CRYP_DataOut();
+
+        /* disable crypto processor */
+        CRYP_Cmd(DISABLE);
+    #endif /* WOLFSSL_STM32_CUBEMX */
+
+        return ret;
+    }
+#endif /* WOLFSSL_AES_DIRECT || HAVE_AESGCM || HAVE_AESCCM */
+
+#ifdef HAVE_AES_DECRYPT
+    #if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
+    static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_STM32_CUBEMX
+        CRYP_HandleTypeDef hcryp;
+    #else
+        CRYP_InitTypeDef cryptInit;
+        CRYP_KeyInitTypeDef keyInit;
+    #endif
+
+    #ifdef WOLFSSL_STM32_CUBEMX
+        ret = wc_Stm32_Aes_Init(aes, &hcryp);
+        if (ret != 0)
+            return ret;
+
+    #ifdef STM32_CRYPTO_AES_ONLY
+        hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT;
+        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_ECB;
+        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
+    #elif defined(STM32_HAL_V2)
+        hcryp.Init.Algorithm  = CRYP_AES_ECB;
+    #endif
+        HAL_CRYP_Init(&hcryp);
+
+    #ifdef STM32_CRYPTO_AES_ONLY
+        ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
+            outBlock, STM32_HAL_TIMEOUT);
+    #elif defined(STM32_HAL_V2)
+        ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,
+            (uint32_t*)outBlock, STM32_HAL_TIMEOUT);
+    #else
+        ret = HAL_CRYP_AESECB_Decrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
+            outBlock, STM32_HAL_TIMEOUT);
+    #endif
+        if (ret != HAL_OK) {
+            ret = WC_TIMEOUT_E;
+        }
+        HAL_CRYP_DeInit(&hcryp);
+
+    #else /* STD_PERI_LIB */
+        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
+        if (ret != 0)
+            return ret;
+
+        /* reset registers to their default values */
+        CRYP_DeInit();
+
+        /* set direction and key */
+        CRYP_KeyInit(&keyInit);
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
+        CRYP_Init(&cryptInit);
+
+        /* enable crypto processor */
+        CRYP_Cmd(ENABLE);
+
+        /* wait until decrypt key has been initialized */
+        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+
+        /* set direction and mode */
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;
+        CRYP_Init(&cryptInit);
+
+        /* enable crypto processor */
+        CRYP_Cmd(ENABLE);
+
+        /* flush IN/OUT FIFOs */
+        CRYP_FIFOFlush();
+
+        CRYP_DataIn(*(uint32_t*)&inBlock[0]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[4]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[8]);
+        CRYP_DataIn(*(uint32_t*)&inBlock[12]);
+
+        /* wait until the complete message has been processed */
+        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+
+        *(uint32_t*)&outBlock[0]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[4]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[8]  = CRYP_DataOut();
+        *(uint32_t*)&outBlock[12] = CRYP_DataOut();
+
+        /* disable crypto processor */
+        CRYP_Cmd(DISABLE);
+    #endif /* WOLFSSL_STM32_CUBEMX */
+
+        return ret;
+    }
+    #endif /* WOLFSSL_AES_DIRECT || HAVE_AESCCM */
+#endif /* HAVE_AES_DECRYPT */
+
 #elif defined(HAVE_COLDFIRE_SEC)
     /* Freescale Coldfire SEC support for CBC mode.
      * NOTE: no support for AES-CTR/GCM/CCM/Direct */
@@ -211,34 +475,453 @@ void wc_AesFreeCavium(Aes* aes)
     #include "sec.h"
     #include "mcf5475_sec.h"
     #include "mcf5475_siu.h"
+#elif defined(FREESCALE_LTC)
+    #include "fsl_ltc.h"
+    #if defined(FREESCALE_LTC_AES_GCM)
+        #undef NEED_AES_TABLES
+        #undef GCM_TABLE
+    #else
+        /* if LTC doesn't have GCM, use software with LTC AES ECB mode */
+        static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+        {
+            wc_AesEncryptDirect(aes, outBlock, inBlock);
+            return 0;
+        }
+        static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+        {
+            wc_AesDecryptDirect(aes, outBlock, inBlock);
+            return 0;
+        }
+    #endif
 #elif defined(FREESCALE_MMCAU)
     /* Freescale mmCAU hardware AES support for Direct, CBC, CCM, GCM modes
      * through the CAU/mmCAU library. Documentation located in
      * ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library User
-     * Guide (See note in README).
-     * NOTE: no support for AES-CTR */
-    #include "cau_api.h"
+     * Guide (See note in README). */
+    #ifdef FREESCALE_MMCAU_CLASSIC
+        /* MMCAU 1.4 library used with non-KSDK / classic MQX builds */
+        #include "cau_api.h"
+    #else
+        #include "fsl_mmcau.h"
+    #endif
+
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        int ret;
+
+    #ifdef FREESCALE_MMCAU_CLASSIC
+        if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) {
+            WOLFSSL_MSG("Bad cau_aes_encrypt alignment");
+            return BAD_ALIGN_E;
+        }
+    #endif
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if(ret == 0) {
+        #ifdef FREESCALE_MMCAU_CLASSIC
+            cau_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
+        #else
+            MMCAU_AES_EncryptEcb(inBlock, (byte*)aes->key, aes->rounds,
+                                 outBlock);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
+    #ifdef HAVE_AES_DECRYPT
+    static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        int ret;
+
+    #ifdef FREESCALE_MMCAU_CLASSIC
+        if ((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) {
+            WOLFSSL_MSG("Bad cau_aes_decrypt alignment");
+            return BAD_ALIGN_E;
+        }
+    #endif
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if(ret == 0) {
+        #ifdef FREESCALE_MMCAU_CLASSIC
+            cau_aes_decrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
+        #else
+            MMCAU_AES_DecryptEcb(inBlock, (byte*)aes->key, aes->rounds,
+                                 outBlock);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
+    #endif /* HAVE_AES_DECRYPT */
+
 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
-    /* NOTE: no support for AES-CCM/Direct */
-    #define DEBUG_WOLFSSL
-    #include "wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h"
-#elif defined(HAVE_CAVIUM)
-    #include <wolfssl/wolfcrypt/logging.h>
-    #include "cavium_common.h"
-
-    /* still leave SW crypto available */
+
+    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
+
+    #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,
+            outBlock, inBlock, AES_BLOCK_SIZE,
+            PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RECB);
+    }
+    #endif
+
+    #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,
+            outBlock, inBlock, AES_BLOCK_SIZE,
+            PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RECB);
+    }
+    #endif
+
+#elif defined(WOLFSSL_NRF51_AES)
+    /* Use built-in AES hardware - AES 128 ECB Encrypt Only */
+    #include "wolfssl/wolfcrypt/port/nrf51.h"
+
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return nrf51_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
+    }
+
+    #ifdef HAVE_AES_DECRYPT
+        #error nRF51 AES Hardware does not support decrypt
+    #endif /* HAVE_AES_DECRYPT */
+
+#elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
+
+    #include "wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h"
+
+    #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return wc_esp32AesEncrypt(aes, inBlock, outBlock);
+    }
+    #endif
+
+    #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+       return wc_esp32AesDecrypt(aes, inBlock, outBlock);
+    }
+    #endif
+
+#elif defined(WOLFSSL_AESNI)
+
     #define NEED_AES_TABLES
 
-    static int  wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
-                                const byte* iv);
-    static int  wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
-                                    word32 length);
-    static int  wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
-                                    word32 length);
+    /* Each platform needs to query info type 1 from cpuid to see if aesni is
+     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
+     */
+
+    #ifndef AESNI_ALIGN
+        #define AESNI_ALIGN 16
+    #endif
+
+    #ifdef _MSC_VER
+        #define XASM_LINK(f)
+    #elif defined(__APPLE__)
+        #define XASM_LINK(f) asm("_" f)
+    #else
+        #define XASM_LINK(f) asm(f)
+    #endif /* _MSC_VER */
+
+    static int checkAESNI = 0;
+    static int haveAESNI  = 0;
+    static word32 intel_flags = 0;
+
+    static int Check_CPU_support_AES(void)
+    {
+        intel_flags = cpuid_get_flags();
+
+        return IS_INTEL_AESNI(intel_flags) != 0;
+    }
+
+
+    /* tell C compiler these are asm functions in case any mix up of ABI underscore
+       prefix between clang/gcc/llvm etc */
+    #ifdef HAVE_AES_CBC
+        void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
+                             unsigned char* ivec, unsigned long length,
+                             const unsigned char* KS, int nr)
+                             XASM_LINK("AES_CBC_encrypt");
+
+        #ifdef HAVE_AES_DECRYPT
+            #if defined(WOLFSSL_AESNI_BY4)
+                void AES_CBC_decrypt_by4(const unsigned char* in, unsigned char* out,
+                                         unsigned char* ivec, unsigned long length,
+                                         const unsigned char* KS, int nr)
+                                         XASM_LINK("AES_CBC_decrypt_by4");
+            #elif defined(WOLFSSL_AESNI_BY6)
+                void AES_CBC_decrypt_by6(const unsigned char* in, unsigned char* out,
+                                         unsigned char* ivec, unsigned long length,
+                                         const unsigned char* KS, int nr)
+                                         XASM_LINK("AES_CBC_decrypt_by6");
+            #else /* WOLFSSL_AESNI_BYx */
+                void AES_CBC_decrypt_by8(const unsigned char* in, unsigned char* out,
+                                         unsigned char* ivec, unsigned long length,
+                                         const unsigned char* KS, int nr)
+                                         XASM_LINK("AES_CBC_decrypt_by8");
+            #endif /* WOLFSSL_AESNI_BYx */
+        #endif /* HAVE_AES_DECRYPT */
+    #endif /* HAVE_AES_CBC */
+
+    void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
+                         unsigned long length, const unsigned char* KS, int nr)
+                         XASM_LINK("AES_ECB_encrypt");
+
+    #ifdef HAVE_AES_DECRYPT
+        void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
+                             unsigned long length, const unsigned char* KS, int nr)
+                             XASM_LINK("AES_ECB_decrypt");
+    #endif
+
+    void AES_128_Key_Expansion(const unsigned char* userkey,
+                               unsigned char* key_schedule)
+                               XASM_LINK("AES_128_Key_Expansion");
+
+    void AES_192_Key_Expansion(const unsigned char* userkey,
+                               unsigned char* key_schedule)
+                               XASM_LINK("AES_192_Key_Expansion");
+
+    void AES_256_Key_Expansion(const unsigned char* userkey,
+                               unsigned char* key_schedule)
+                               XASM_LINK("AES_256_Key_Expansion");
+
+
+    static int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                   Aes* aes)
+    {
+        int ret;
+
+        if (!userKey || !aes)
+            return BAD_FUNC_ARG;
+
+        switch (bits) {
+            case 128:
+               AES_128_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 10;
+               return 0;
+            case 192:
+               AES_192_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 12;
+               return 0;
+            case 256:
+               AES_256_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 14;
+               return 0;
+            default:
+                ret = BAD_FUNC_ARG;
+        }
+
+        return ret;
+    }
+
+    #ifdef HAVE_AES_DECRYPT
+        static int AES_set_decrypt_key(const unsigned char* userKey,
+                                                    const int bits, Aes* aes)
+        {
+            int nr;
+            Aes temp_key;
+            __m128i *Key_Schedule = (__m128i*)aes->key;
+            __m128i *Temp_Key_Schedule = (__m128i*)temp_key.key;
+
+            if (!userKey || !aes)
+                return BAD_FUNC_ARG;
+
+            if (AES_set_encrypt_key(userKey,bits,&temp_key) == BAD_FUNC_ARG)
+                return BAD_FUNC_ARG;
+
+            nr = temp_key.rounds;
+            aes->rounds = nr;
+
+            Key_Schedule[nr] = Temp_Key_Schedule[0];
+            Key_Schedule[nr-1] = _mm_aesimc_si128(Temp_Key_Schedule[1]);
+            Key_Schedule[nr-2] = _mm_aesimc_si128(Temp_Key_Schedule[2]);
+            Key_Schedule[nr-3] = _mm_aesimc_si128(Temp_Key_Schedule[3]);
+            Key_Schedule[nr-4] = _mm_aesimc_si128(Temp_Key_Schedule[4]);
+            Key_Schedule[nr-5] = _mm_aesimc_si128(Temp_Key_Schedule[5]);
+            Key_Schedule[nr-6] = _mm_aesimc_si128(Temp_Key_Schedule[6]);
+            Key_Schedule[nr-7] = _mm_aesimc_si128(Temp_Key_Schedule[7]);
+            Key_Schedule[nr-8] = _mm_aesimc_si128(Temp_Key_Schedule[8]);
+            Key_Schedule[nr-9] = _mm_aesimc_si128(Temp_Key_Schedule[9]);
+
+            if (nr>10) {
+                Key_Schedule[nr-10] = _mm_aesimc_si128(Temp_Key_Schedule[10]);
+                Key_Schedule[nr-11] = _mm_aesimc_si128(Temp_Key_Schedule[11]);
+            }
+
+            if (nr>12) {
+                Key_Schedule[nr-12] = _mm_aesimc_si128(Temp_Key_Schedule[12]);
+                Key_Schedule[nr-13] = _mm_aesimc_si128(Temp_Key_Schedule[13]);
+            }
+
+            Key_Schedule[0] = Temp_Key_Schedule[nr];
+
+            return 0;
+        }
+    #endif /* HAVE_AES_DECRYPT */
+
+#elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)) || \
+      ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \
+        defined(HAVE_AESCCM))
+        static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+        {
+            wc_AesEncryptDirect(aes, outBlock, inBlock);
+            return 0;
+        }
+
+#elif defined(WOLFSSL_AFALG)
+#elif defined(WOLFSSL_DEVCRYPTO_AES)
+
+#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
+    #include "hal_data.h"
+
+    #ifndef WOLFSSL_SCE_AES256_HANDLE
+        #define WOLFSSL_SCE_AES256_HANDLE g_sce_aes_256
+    #endif
+
+    #ifndef WOLFSSL_SCE_AES192_HANDLE
+        #define WOLFSSL_SCE_AES192_HANDLE g_sce_aes_192
+    #endif
+
+    #ifndef WOLFSSL_SCE_AES128_HANDLE
+        #define WOLFSSL_SCE_AES128_HANDLE g_sce_aes_128
+    #endif
+
+    static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock,
+            int sz)
+    {
+        uint32_t ret;
+
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_BIG) {
+            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
+        }
+
+        switch (aes->keylen) {
+        #ifdef WOLFSSL_AES_128
+            case AES_128_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES128_HANDLE.p_api->encrypt(
+                        WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key,
+                        NULL, (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+            case AES_192_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES192_HANDLE.p_api->encrypt(
+                        WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key,
+                        NULL, (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+            case AES_256_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES256_HANDLE.p_api->encrypt(
+                        WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key,
+                        NULL, (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+            default:
+                WOLFSSL_MSG("Unknown key size");
+                return BAD_FUNC_ARG;
+        }
+
+        if (ret != SSP_SUCCESS) {
+           /* revert input */
+            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
+            return WC_HW_E;
+        }
+
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_BIG) {
+            ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);
+            if (inBlock != outBlock) {
+                /* revert input */
+                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
+            }
+        }
+        return 0;
+    }
+
+    #if defined(HAVE_AES_DECRYPT)
+    static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock,
+            int sz)
+    {
+        uint32_t ret;
+
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_BIG) {
+            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
+        }
+
+        switch (aes->keylen) {
+        #ifdef WOLFSSL_AES_128
+            case AES_128_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES128_HANDLE.p_api->decrypt(
+                        WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key, aes->reg,
+                        (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+            case AES_192_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES192_HANDLE.p_api->decrypt(
+                        WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key, aes->reg,
+                        (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+            case AES_256_KEY_SIZE:
+                ret = WOLFSSL_SCE_AES256_HANDLE.p_api->decrypt(
+                        WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key, aes->reg,
+                        (sz / sizeof(word32)), (word32*)inBlock,
+                        (word32*)outBlock);
+                break;
+        #endif
+            default:
+                WOLFSSL_MSG("Unknown key size");
+                return BAD_FUNC_ARG;
+        }
+        if (ret != SSP_SUCCESS) {
+            return WC_HW_E;
+        }
+
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_BIG) {
+            ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);
+            if (inBlock != outBlock) {
+                /* revert input */
+                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
+            }
+        }
+
+        return 0;
+    }
+
+    #endif
+
+    #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return AES_ECB_encrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
+    }
+    #endif
+
+    #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
+    static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
+    {
+        return AES_ECB_decrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
+    }
+    #endif
 #else
-    /* using CTaoCrypt software AES implementation */
+
+    /* using wolfCrypt software implementation */
     #define NEED_AES_TABLES
-#endif /* STM32F2_CRYPTO */
+#endif
+
 
 
 #ifdef NEED_AES_TABLES
@@ -250,7 +933,8 @@ static const word32 rcon[] = {
     /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
 };
 
-static const word32 Te[5][256] = {
+#ifndef WOLFSSL_AES_SMALL_TABLES
+static const word32 Te[4][256] = {
 {
     0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
     0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
@@ -514,76 +1198,11 @@ static const word32 Te[5][256] = {
     0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
     0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
     0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
-},
-{
-    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
-    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
-    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
-    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
-    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
-    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
-    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
-    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
-    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
-    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
-    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
-    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
-    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
-    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
-    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
-    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
-    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
-    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
-    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
-    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
-    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
-    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
-    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
-    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
-    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
-    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
-    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
-    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
-    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
-    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
-    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
-    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
-    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
-    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
-    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
-    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
-    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
-    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
-    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
-    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
-    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
-    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
-    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
-    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
-    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
-    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
-    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
-    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
-    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
-    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
-    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
-    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
-    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
-    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
-    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
-    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
-    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
-    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
-    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
-    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
-    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
-    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
-    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
-    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
 }
 };
 
-static const word32 Td[5][256] = {
+#ifdef HAVE_AES_DECRYPT
+static const word32 Td[4][256] = {
 {
     0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
     0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
@@ -848,232 +1467,166 @@ static const word32 Td[5][256] = {
     0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
     0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
     0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
-},
-{
-    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
-    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
-    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
-    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
-    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
-    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
-    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
-    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
-    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
-    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
-    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
-    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
-    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
-    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
-    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
-    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
-    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
-    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
-    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
-    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
-    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
-    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
-    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
-    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
-    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
-    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
-    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
-    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
-    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
-    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
-    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
-    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
-    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
-    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
-    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
-    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
-    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
-    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
-    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
-    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
-    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
-    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
-    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
-    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
-    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
-    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
-    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
-    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
-    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
-    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
-    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
-    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
-    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
-    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
-    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
-    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
-    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
-    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
-    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
-    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
-    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
-    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
-    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
-    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
 }
 };
+#endif /* HAVE_AES_DECRYPT */
+#endif
 
-#define GETBYTE(x, y) (word32)((byte)((x) >> (8 * (y))))
-
-#ifdef WOLFSSL_AESNI
-
-/* Each platform needs to query info type 1 from cpuid to see if aesni is
- * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
- */
-
-#ifndef _MSC_VER
-
-    #define cpuid(reg, func)\
-        __asm__ __volatile__ ("cpuid":\
-             "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
-             "a" (func));
-
-    #define XASM_LINK(f) asm(f)
-#else
-
-    #include <intrin.h>
-    #define cpuid(a,b) __cpuid((int*)a,b)
+#ifdef HAVE_AES_DECRYPT
+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
+			|| defined(WOLFSSL_AES_DIRECT)
+static const byte Td4[256] =
+{
+    0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
+    0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
+    0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
+    0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU,
+    0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU,
+    0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU,
+    0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U,
+    0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U,
+    0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U,
+    0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U,
+    0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU,
+    0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U,
+    0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU,
+    0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U,
+    0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U,
+    0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU,
+    0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU,
+    0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U,
+    0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U,
+    0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU,
+    0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U,
+    0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU,
+    0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U,
+    0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U,
+    0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U,
+    0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU,
+    0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU,
+    0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU,
+    0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U,
+    0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U,
+    0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
+    0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
+};
+#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */
+#endif /* HAVE_AES_DECRYPT */
 
-    #define XASM_LINK(f)
+#define GETBYTE(x, y) (word32)((byte)((x) >> (8 * (y))))
 
-#endif /* _MSC_VER */
+#ifdef WOLFSSL_AES_SMALL_TABLES
+static const byte Tsbox[256] = {
+    0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U,
+    0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U,
+    0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U,
+    0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U,
+    0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU,
+    0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U,
+    0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU,
+    0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U,
+    0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U,
+    0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U,
+    0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU,
+    0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU,
+    0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U,
+    0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U,
+    0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U,
+    0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U,
+    0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U,
+    0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U,
+    0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U,
+    0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU,
+    0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU,
+    0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U,
+    0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U,
+    0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U,
+    0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U,
+    0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU,
+    0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU,
+    0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU,
+    0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U,
+    0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU,
+    0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U,
+    0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U
+};
 
+#define AES_XTIME(x)    ((byte)((byte)((x) << 1) ^ ((0 - ((x) >> 7)) & 0x1b)))
 
-static int Check_CPU_support_AES(void)
+static word32 col_mul(word32 t, int i2, int i3, int ia, int ib)
 {
-    unsigned int reg[4];  /* put a,b,c,d into 0,1,2,3 */
-    cpuid(reg, 1);        /* query info 1 */
-
-    if (reg[2] & 0x2000000)
-        return 1;
+    byte t3 = GETBYTE(t, i3);
+    byte tm = AES_XTIME(GETBYTE(t, i2) ^ t3);
 
-    return 0;
+    return GETBYTE(t, ia) ^ GETBYTE(t, ib) ^ t3 ^ tm;
 }
 
-static int checkAESNI = 0;
-static int haveAESNI  = 0;
-
-
-/* tell C compiler these are asm functions in case any mix up of ABI underscore
-   prefix between clang/gcc/llvm etc */
-void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
-                     unsigned char* ivec, unsigned long length,
-                     const unsigned char* KS, int nr)
-                     XASM_LINK("AES_CBC_encrypt");
-
-
-void AES_CBC_decrypt(const unsigned char* in, unsigned char* out,
-                     unsigned char* ivec, unsigned long length,
-                     const unsigned char* KS, int nr)
-                     XASM_LINK("AES_CBC_decrypt");
-
-void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
-                     unsigned long length, const unsigned char* KS, int nr)
-                     XASM_LINK("AES_ECB_encrypt");
-
-
-void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
-                     unsigned long length, const unsigned char* KS, int nr)
-                     XASM_LINK("AES_ECB_decrypt");
-
-void AES_128_Key_Expansion(const unsigned char* userkey,
-                           unsigned char* key_schedule)
-                           XASM_LINK("AES_128_Key_Expansion");
+static word32 inv_col_mul(word32 t, int i9, int ib, int id, int ie)
+{
+    byte t9 = GETBYTE(t, i9);
+    byte tb = GETBYTE(t, ib);
+    byte td = GETBYTE(t, id);
+    byte te = GETBYTE(t, ie);
+    byte t0 = t9 ^ tb ^ td;
+    return t0 ^ AES_XTIME(AES_XTIME(AES_XTIME(t0 ^ te) ^ td ^ te) ^ tb ^ te);
+}
+#endif
 
-void AES_192_Key_Expansion(const unsigned char* userkey,
-                           unsigned char* key_schedule)
-                           XASM_LINK("AES_192_Key_Expansion");
+#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM)
 
-void AES_256_Key_Expansion(const unsigned char* userkey,
-                           unsigned char* key_schedule)
-                           XASM_LINK("AES_256_Key_Expansion");
+#ifndef WC_CACHE_LINE_SZ
+    #if defined(__x86_64__) || defined(_M_X64) || \
+       (defined(__ILP32__) && (__ILP32__ >= 1))
+        #define WC_CACHE_LINE_SZ 64
+    #else
+        /* default cache line size */
+        #define WC_CACHE_LINE_SZ 32
+    #endif
+#endif
 
 
-static int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                               Aes* aes)
+#ifndef WOLFSSL_AES_SMALL_TABLES
+/* load 4 Te Tables into cache by cache line stride */
+static WC_INLINE word32 PreFetchTe(void)
 {
-    if (!userKey || !aes)
-        return BAD_FUNC_ARG;
+    word32 x = 0;
+    int i,j;
 
-    if (bits == 128) {
-       AES_128_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 10;
-       return 0;
-    }
-    else if (bits == 192) {
-       AES_192_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 12;
-       return 0;
-    }
-    else if (bits == 256) {
-       AES_256_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 14;
-       return 0;
+    for (i = 0; i < 4; i++) {
+        /* 256 elements, each one is 4 bytes */
+        for (j = 0; j < 256; j += WC_CACHE_LINE_SZ/4) {
+            x &= Te[i][j];
+        }
     }
-    return BAD_FUNC_ARG;
+    return x;
 }
-
-
-static int AES_set_decrypt_key(const unsigned char* userKey, const int bits,
-                               Aes* aes)
+#else
+/* load sbox into cache by cache line stride */
+static WC_INLINE word32 PreFetchSBox(void)
 {
-    int nr;
-    Aes temp_key;
-    __m128i *Key_Schedule = (__m128i*)aes->key;
-    __m128i *Temp_Key_Schedule = (__m128i*)temp_key.key;
-
-    if (!userKey || !aes)
-        return BAD_FUNC_ARG;
-
-    if (AES_set_encrypt_key(userKey,bits,&temp_key) == BAD_FUNC_ARG)
-        return BAD_FUNC_ARG;
-
-    nr = temp_key.rounds;
-    aes->rounds = nr;
-
-    Key_Schedule[nr] = Temp_Key_Schedule[0];
-    Key_Schedule[nr-1] = _mm_aesimc_si128(Temp_Key_Schedule[1]);
-    Key_Schedule[nr-2] = _mm_aesimc_si128(Temp_Key_Schedule[2]);
-    Key_Schedule[nr-3] = _mm_aesimc_si128(Temp_Key_Schedule[3]);
-    Key_Schedule[nr-4] = _mm_aesimc_si128(Temp_Key_Schedule[4]);
-    Key_Schedule[nr-5] = _mm_aesimc_si128(Temp_Key_Schedule[5]);
-    Key_Schedule[nr-6] = _mm_aesimc_si128(Temp_Key_Schedule[6]);
-    Key_Schedule[nr-7] = _mm_aesimc_si128(Temp_Key_Schedule[7]);
-    Key_Schedule[nr-8] = _mm_aesimc_si128(Temp_Key_Schedule[8]);
-    Key_Schedule[nr-9] = _mm_aesimc_si128(Temp_Key_Schedule[9]);
-
-    if(nr>10) {
-        Key_Schedule[nr-10] = _mm_aesimc_si128(Temp_Key_Schedule[10]);
-        Key_Schedule[nr-11] = _mm_aesimc_si128(Temp_Key_Schedule[11]);
-    }
+    word32 x = 0;
+    int i;
 
-    if(nr>12) {
-        Key_Schedule[nr-12] = _mm_aesimc_si128(Temp_Key_Schedule[12]);
-        Key_Schedule[nr-13] = _mm_aesimc_si128(Temp_Key_Schedule[13]);
+    for (i = 0; i < 256; i += WC_CACHE_LINE_SZ/4) {
+        x &= Tsbox[i];
     }
-
-    Key_Schedule[0] = Temp_Key_Schedule[nr];
-
-    return 0;
+    return x;
 }
+#endif
 
-
-
-#endif /* WOLFSSL_AESNI */
-
-
+/* Software AES - ECB Encrypt */
 static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
 {
     word32 s0, s1, s2, s3;
     word32 t0, t1, t2, t3;
     word32 r = aes->rounds >> 1;
-
     const word32* rk = aes->key;
+
     if (r > 7 || r == 0) {
         WOLFSSL_MSG("AesEncrypt encountered improper key, set it up");
-        return;  /* stop instead of segfaulting, set up your keys! */
+        return;  /* stop instead of seg-faulting, set up your keys! */
     }
+
 #ifdef WOLFSSL_AESNI
     if (haveAESNI && aes->use_aesni) {
         #ifdef DEBUG_AESNI
@@ -1086,17 +1639,20 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
         #endif
 
         /* check alignment, decrypt doesn't need alignment */
-        if ((wolfssl_word)inBlock % 16) {
+        if ((wolfssl_word)inBlock % AESNI_ALIGN) {
         #ifndef NO_WOLFSSL_ALLOC_ALIGN
-            byte* tmp = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL,
+            byte* tmp = (byte*)XMALLOC(AES_BLOCK_SIZE + AESNI_ALIGN, aes->heap,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
+            byte* tmp_align;
             if (tmp == NULL) return;
 
-            XMEMCPY(tmp, inBlock, AES_BLOCK_SIZE);
-            AES_ECB_encrypt(tmp, tmp, AES_BLOCK_SIZE, (byte*)aes->key,
-                            aes->rounds);
-            XMEMCPY(outBlock, tmp, AES_BLOCK_SIZE);
-            XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            tmp_align = tmp + (AESNI_ALIGN - ((size_t)tmp % AESNI_ALIGN));
+
+            XMEMCPY(tmp_align, inBlock, AES_BLOCK_SIZE);
+            AES_ECB_encrypt(tmp_align, tmp_align, AES_BLOCK_SIZE,
+                    (byte*)aes->key, aes->rounds);
+            XMEMCPY(outBlock, tmp_align, AES_BLOCK_SIZE);
+            XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
             return;
         #else
             WOLFSSL_MSG("AES-ECB encrypt with bad alignment");
@@ -1115,6 +1671,10 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
         #endif
     }
 #endif
+#if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
+    AES_ECB_encrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
+    return;
+#endif
 
     /*
      * map byte array block to cipher state
@@ -1125,46 +1685,50 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
     XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
 
-    #ifdef LITTLE_ENDIAN_ORDER
-        s0 = ByteReverseWord32(s0);
-        s1 = ByteReverseWord32(s1);
-        s2 = ByteReverseWord32(s2);
-        s3 = ByteReverseWord32(s3);
-    #endif
+#ifdef LITTLE_ENDIAN_ORDER
+    s0 = ByteReverseWord32(s0);
+    s1 = ByteReverseWord32(s1);
+    s2 = ByteReverseWord32(s2);
+    s3 = ByteReverseWord32(s3);
+#endif
 
+    /* AddRoundKey */
     s0 ^= rk[0];
     s1 ^= rk[1];
     s2 ^= rk[2];
     s3 ^= rk[3];
 
+#ifndef WOLFSSL_AES_SMALL_TABLES
+    s0 |= PreFetchTe();
+
     /*
      * Nr - 1 full rounds:
      */
 
     for (;;) {
         t0 =
-            Te[0][GETBYTE(s0, 3)]  ^
-            Te[1][GETBYTE(s1, 2)]  ^
-            Te[2][GETBYTE(s2, 1)]  ^
-            Te[3][GETBYTE(s3, 0)]  ^
+            Te[0][GETBYTE(s0, 3)] ^
+            Te[1][GETBYTE(s1, 2)] ^
+            Te[2][GETBYTE(s2, 1)] ^
+            Te[3][GETBYTE(s3, 0)] ^
             rk[4];
         t1 =
-            Te[0][GETBYTE(s1, 3)]  ^
-            Te[1][GETBYTE(s2, 2)]  ^
-            Te[2][GETBYTE(s3, 1)]  ^
-            Te[3][GETBYTE(s0, 0)]  ^
+            Te[0][GETBYTE(s1, 3)] ^
+            Te[1][GETBYTE(s2, 2)] ^
+            Te[2][GETBYTE(s3, 1)] ^
+            Te[3][GETBYTE(s0, 0)] ^
             rk[5];
         t2 =
             Te[0][GETBYTE(s2, 3)] ^
-            Te[1][GETBYTE(s3, 2)]  ^
-            Te[2][GETBYTE(s0, 1)]  ^
-            Te[3][GETBYTE(s1, 0)]  ^
+            Te[1][GETBYTE(s3, 2)] ^
+            Te[2][GETBYTE(s0, 1)] ^
+            Te[3][GETBYTE(s1, 0)] ^
             rk[6];
         t3 =
             Te[0][GETBYTE(s3, 3)] ^
-            Te[1][GETBYTE(s0, 2)]  ^
-            Te[2][GETBYTE(s1, 1)]  ^
-            Te[3][GETBYTE(s2, 0)]  ^
+            Te[1][GETBYTE(s0, 2)] ^
+            Te[2][GETBYTE(s1, 1)] ^
+            Te[3][GETBYTE(s2, 0)] ^
             rk[7];
 
         rk += 8;
@@ -1204,44 +1768,158 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
      */
 
     s0 =
-        (Te[4][GETBYTE(t0, 3)] & 0xff000000) ^
-        (Te[4][GETBYTE(t1, 2)] & 0x00ff0000) ^
-        (Te[4][GETBYTE(t2, 1)] & 0x0000ff00) ^
-        (Te[4][GETBYTE(t3, 0)] & 0x000000ff) ^
+        (Te[2][GETBYTE(t0, 3)] & 0xff000000) ^
+        (Te[3][GETBYTE(t1, 2)] & 0x00ff0000) ^
+        (Te[0][GETBYTE(t2, 1)] & 0x0000ff00) ^
+        (Te[1][GETBYTE(t3, 0)] & 0x000000ff) ^
         rk[0];
     s1 =
-        (Te[4][GETBYTE(t1, 3)] & 0xff000000) ^
-        (Te[4][GETBYTE(t2, 2)] & 0x00ff0000) ^
-        (Te[4][GETBYTE(t3, 1)] & 0x0000ff00) ^
-        (Te[4][GETBYTE(t0, 0)] & 0x000000ff) ^
+        (Te[2][GETBYTE(t1, 3)] & 0xff000000) ^
+        (Te[3][GETBYTE(t2, 2)] & 0x00ff0000) ^
+        (Te[0][GETBYTE(t3, 1)] & 0x0000ff00) ^
+        (Te[1][GETBYTE(t0, 0)] & 0x000000ff) ^
         rk[1];
     s2 =
-        (Te[4][GETBYTE(t2, 3)] & 0xff000000) ^
-        (Te[4][GETBYTE(t3, 2)] & 0x00ff0000) ^
-        (Te[4][GETBYTE(t0, 1)] & 0x0000ff00) ^
-        (Te[4][GETBYTE(t1, 0)] & 0x000000ff) ^
+        (Te[2][GETBYTE(t2, 3)] & 0xff000000) ^
+        (Te[3][GETBYTE(t3, 2)] & 0x00ff0000) ^
+        (Te[0][GETBYTE(t0, 1)] & 0x0000ff00) ^
+        (Te[1][GETBYTE(t1, 0)] & 0x000000ff) ^
         rk[2];
     s3 =
-        (Te[4][GETBYTE(t3, 3)] & 0xff000000) ^
-        (Te[4][GETBYTE(t0, 2)] & 0x00ff0000) ^
-        (Te[4][GETBYTE(t1, 1)] & 0x0000ff00) ^
-        (Te[4][GETBYTE(t2, 0)] & 0x000000ff) ^
+        (Te[2][GETBYTE(t3, 3)] & 0xff000000) ^
+        (Te[3][GETBYTE(t0, 2)] & 0x00ff0000) ^
+        (Te[0][GETBYTE(t1, 1)] & 0x0000ff00) ^
+        (Te[1][GETBYTE(t2, 0)] & 0x000000ff) ^
         rk[3];
+#else
+    s0 |= PreFetchSBox();
+
+    r *= 2;
+    /* Two rounds at a time */
+    for (rk += 4; r > 1; r--, rk += 4) {
+        t0 =
+            ((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
+            ((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
+            ((word32)Tsbox[GETBYTE(s2, 1)] <<  8) ^
+            ((word32)Tsbox[GETBYTE(s3, 0)]);
+        t1 =
+            ((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
+            ((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
+            ((word32)Tsbox[GETBYTE(s3, 1)] <<  8) ^
+            ((word32)Tsbox[GETBYTE(s0, 0)]);
+        t2 =
+            ((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
+            ((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
+            ((word32)Tsbox[GETBYTE(s0, 1)] <<  8) ^
+            ((word32)Tsbox[GETBYTE(s1, 0)]);
+        t3 =
+            ((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
+            ((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
+            ((word32)Tsbox[GETBYTE(s1, 1)] <<  8) ^
+            ((word32)Tsbox[GETBYTE(s2, 0)]);
+
+        s0 =
+            (col_mul(t0, 3, 2, 0, 1) << 24) ^
+            (col_mul(t0, 2, 1, 0, 3) << 16) ^
+            (col_mul(t0, 1, 0, 2, 3) <<  8) ^
+            (col_mul(t0, 0, 3, 2, 1)      ) ^
+            rk[0];
+        s1 =
+            (col_mul(t1, 3, 2, 0, 1) << 24) ^
+            (col_mul(t1, 2, 1, 0, 3) << 16) ^
+            (col_mul(t1, 1, 0, 2, 3) <<  8) ^
+            (col_mul(t1, 0, 3, 2, 1)      ) ^
+            rk[1];
+        s2 =
+            (col_mul(t2, 3, 2, 0, 1) << 24) ^
+            (col_mul(t2, 2, 1, 0, 3) << 16) ^
+            (col_mul(t2, 1, 0, 2, 3) <<  8) ^
+            (col_mul(t2, 0, 3, 2, 1)      ) ^
+            rk[2];
+        s3 =
+            (col_mul(t3, 3, 2, 0, 1) << 24) ^
+            (col_mul(t3, 2, 1, 0, 3) << 16) ^
+            (col_mul(t3, 1, 0, 2, 3) <<  8) ^
+            (col_mul(t3, 0, 3, 2, 1)      ) ^
+            rk[3];
+    }
+
+    t0 =
+        ((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
+        ((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
+        ((word32)Tsbox[GETBYTE(s2, 1)] <<  8) ^
+        ((word32)Tsbox[GETBYTE(s3, 0)]);
+    t1 =
+        ((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
+        ((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
+        ((word32)Tsbox[GETBYTE(s3, 1)] <<  8) ^
+        ((word32)Tsbox[GETBYTE(s0, 0)]);
+    t2 =
+        ((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
+        ((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
+        ((word32)Tsbox[GETBYTE(s0, 1)] <<  8) ^
+        ((word32)Tsbox[GETBYTE(s1, 0)]);
+    t3 =
+        ((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
+        ((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
+        ((word32)Tsbox[GETBYTE(s1, 1)] <<  8) ^
+        ((word32)Tsbox[GETBYTE(s2, 0)]);
+    s0 = t0 ^ rk[0];
+    s1 = t1 ^ rk[1];
+    s2 = t2 ^ rk[2];
+    s3 = t3 ^ rk[3];
+#endif
 
     /* write out */
-    #ifdef LITTLE_ENDIAN_ORDER
-        s0 = ByteReverseWord32(s0);
-        s1 = ByteReverseWord32(s1);
-        s2 = ByteReverseWord32(s2);
-        s3 = ByteReverseWord32(s3);
-    #endif
+#ifdef LITTLE_ENDIAN_ORDER
+    s0 = ByteReverseWord32(s0);
+    s1 = ByteReverseWord32(s1);
+    s2 = ByteReverseWord32(s2);
+    s3 = ByteReverseWord32(s3);
+#endif
 
     XMEMCPY(outBlock,                  &s0, sizeof(s0));
     XMEMCPY(outBlock + sizeof(s0),     &s1, sizeof(s1));
     XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
     XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
+
 }
+#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */
+
+#if defined(HAVE_AES_DECRYPT)
+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \
+     defined(WOLFSSL_AES_DIRECT)
+
+#ifndef WOLFSSL_AES_SMALL_TABLES
+/* load 4 Td Tables into cache by cache line stride */
+static WC_INLINE word32 PreFetchTd(void)
+{
+    word32 x = 0;
+    int i,j;
 
+    for (i = 0; i < 4; i++) {
+        /* 256 elements, each one is 4 bytes */
+        for (j = 0; j < 256; j += WC_CACHE_LINE_SZ/4) {
+            x &= Td[i][j];
+        }
+    }
+    return x;
+}
+#endif
+
+/* load Td Table4 into cache by cache line stride */
+static WC_INLINE word32 PreFetchTd4(void)
+{
+    word32 x = 0;
+    int i;
+
+    for (i = 0; i < 256; i += WC_CACHE_LINE_SZ) {
+        x &= (word32)Td4[i];
+    }
+    return x;
+}
+
+/* Software AES - ECB Decrypt */
 static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
 {
     word32 s0, s1, s2, s3;
@@ -1251,7 +1929,7 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     const word32* rk = aes->key;
     if (r > 7 || r == 0) {
         WOLFSSL_MSG("AesDecrypt encountered improper key, set it up");
-        return;  /* stop instead of segfaulting, set up your keys! */
+        return;  /* stop instead of seg-faulting, set up your keys! */
     }
 #ifdef WOLFSSL_AESNI
     if (haveAESNI && aes->use_aesni) {
@@ -1265,7 +1943,8 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
         #endif
 
         /* if input and output same will overwrite input iv */
-        XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
+        if ((const byte*)aes->tmp != inBlock)
+            XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
         AES_ECB_decrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
                         aes->rounds);
         return;
@@ -1275,6 +1954,9 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
             printf("Skipping AES-NI\n");
         #endif
     }
+#endif /* WOLFSSL_AESNI */
+#if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
+    return AES_ECB_decrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
 #endif
 
     /*
@@ -1286,18 +1968,21 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
     XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
 
-    #ifdef LITTLE_ENDIAN_ORDER
-        s0 = ByteReverseWord32(s0);
-        s1 = ByteReverseWord32(s1);
-        s2 = ByteReverseWord32(s2);
-        s3 = ByteReverseWord32(s3);
-    #endif
+#ifdef LITTLE_ENDIAN_ORDER
+    s0 = ByteReverseWord32(s0);
+    s1 = ByteReverseWord32(s1);
+    s2 = ByteReverseWord32(s2);
+    s3 = ByteReverseWord32(s3);
+#endif
 
     s0 ^= rk[0];
     s1 ^= rk[1];
     s2 ^= rk[2];
     s3 ^= rk[3];
 
+#ifndef WOLFSSL_AES_SMALL_TABLES
+    s0 |= PreFetchTd();
+
     /*
      * Nr - 1 full rounds:
      */
@@ -1362,70 +2047,170 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
      * apply last round and
      * map cipher state to byte array block:
      */
+
+    t0 |= PreFetchTd4();
+
     s0 =
-        (Td[4][GETBYTE(t0, 3)] & 0xff000000) ^
-        (Td[4][GETBYTE(t3, 2)] & 0x00ff0000) ^
-        (Td[4][GETBYTE(t2, 1)] & 0x0000ff00) ^
-        (Td[4][GETBYTE(t1, 0)] & 0x000000ff) ^
+        ((word32)Td4[GETBYTE(t0, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(t3, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(t2, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(t1, 0)]) ^
         rk[0];
     s1 =
-        (Td[4][GETBYTE(t1, 3)] & 0xff000000) ^
-        (Td[4][GETBYTE(t0, 2)] & 0x00ff0000) ^
-        (Td[4][GETBYTE(t3, 1)] & 0x0000ff00) ^
-        (Td[4][GETBYTE(t2, 0)] & 0x000000ff) ^
+        ((word32)Td4[GETBYTE(t1, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(t0, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(t3, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(t2, 0)]) ^
         rk[1];
     s2 =
-        (Td[4][GETBYTE(t2, 3)] & 0xff000000) ^
-        (Td[4][GETBYTE(t1, 2)] & 0x00ff0000) ^
-        (Td[4][GETBYTE(t0, 1)] & 0x0000ff00) ^
-        (Td[4][GETBYTE(t3, 0)] & 0x000000ff) ^
+        ((word32)Td4[GETBYTE(t2, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(t1, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(t0, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(t3, 0)]) ^
         rk[2];
     s3 =
-        (Td[4][GETBYTE(t3, 3)] & 0xff000000) ^
-        (Td[4][GETBYTE(t2, 2)] & 0x00ff0000) ^
-        (Td[4][GETBYTE(t1, 1)] & 0x0000ff00) ^
-        (Td[4][GETBYTE(t0, 0)] & 0x000000ff) ^
+        ((word32)Td4[GETBYTE(t3, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(t2, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(t1, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(t0, 0)]) ^
         rk[3];
+#else
+    s0 |= PreFetchTd4();
+
+    r *= 2;
+    for (rk += 4; r > 1; r--, rk += 4) {
+        t0 =
+            ((word32)Td4[GETBYTE(s0, 3)] << 24) ^
+            ((word32)Td4[GETBYTE(s3, 2)] << 16) ^
+            ((word32)Td4[GETBYTE(s2, 1)] <<  8) ^
+            ((word32)Td4[GETBYTE(s1, 0)]) ^
+            rk[0];
+        t1 =
+            ((word32)Td4[GETBYTE(s1, 3)] << 24) ^
+            ((word32)Td4[GETBYTE(s0, 2)] << 16) ^
+            ((word32)Td4[GETBYTE(s3, 1)] <<  8) ^
+            ((word32)Td4[GETBYTE(s2, 0)]) ^
+            rk[1];
+        t2 =
+            ((word32)Td4[GETBYTE(s2, 3)] << 24) ^
+            ((word32)Td4[GETBYTE(s1, 2)] << 16) ^
+            ((word32)Td4[GETBYTE(s0, 1)] <<  8) ^
+            ((word32)Td4[GETBYTE(s3, 0)]) ^
+            rk[2];
+        t3 =
+            ((word32)Td4[GETBYTE(s3, 3)] << 24) ^
+            ((word32)Td4[GETBYTE(s2, 2)] << 16) ^
+            ((word32)Td4[GETBYTE(s1, 1)] <<  8) ^
+            ((word32)Td4[GETBYTE(s0, 0)]) ^
+            rk[3];
+
+        s0 =
+            (inv_col_mul(t0, 0, 2, 1, 3) << 24) ^
+            (inv_col_mul(t0, 3, 1, 0, 2) << 16) ^
+            (inv_col_mul(t0, 2, 0, 3, 1) <<  8) ^
+            (inv_col_mul(t0, 1, 3, 2, 0)      );
+        s1 =
+            (inv_col_mul(t1, 0, 2, 1, 3) << 24) ^
+            (inv_col_mul(t1, 3, 1, 0, 2) << 16) ^
+            (inv_col_mul(t1, 2, 0, 3, 1) <<  8) ^
+            (inv_col_mul(t1, 1, 3, 2, 0)      );
+        s2 =
+            (inv_col_mul(t2, 0, 2, 1, 3) << 24) ^
+            (inv_col_mul(t2, 3, 1, 0, 2) << 16) ^
+            (inv_col_mul(t2, 2, 0, 3, 1) <<  8) ^
+            (inv_col_mul(t2, 1, 3, 2, 0)      );
+        s3 =
+            (inv_col_mul(t3, 0, 2, 1, 3) << 24) ^
+            (inv_col_mul(t3, 3, 1, 0, 2) << 16) ^
+            (inv_col_mul(t3, 2, 0, 3, 1) <<  8) ^
+            (inv_col_mul(t3, 1, 3, 2, 0)      );
+    }
+
+    t0 =
+        ((word32)Td4[GETBYTE(s0, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(s3, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(s2, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(s1, 0)]);
+    t1 =
+        ((word32)Td4[GETBYTE(s1, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(s0, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(s3, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(s2, 0)]);
+    t2 =
+        ((word32)Td4[GETBYTE(s2, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(s1, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(s0, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(s3, 0)]);
+    t3 =
+        ((word32)Td4[GETBYTE(s3, 3)] << 24) ^
+        ((word32)Td4[GETBYTE(s2, 2)] << 16) ^
+        ((word32)Td4[GETBYTE(s1, 1)] <<  8) ^
+        ((word32)Td4[GETBYTE(s0, 0)]);
+    s0 = t0 ^ rk[0];
+    s1 = t1 ^ rk[1];
+    s2 = t2 ^ rk[2];
+    s3 = t3 ^ rk[3];
+#endif
 
     /* write out */
-    #ifdef LITTLE_ENDIAN_ORDER
-        s0 = ByteReverseWord32(s0);
-        s1 = ByteReverseWord32(s1);
-        s2 = ByteReverseWord32(s2);
-        s3 = ByteReverseWord32(s3);
-    #endif
+#ifdef LITTLE_ENDIAN_ORDER
+    s0 = ByteReverseWord32(s0);
+    s1 = ByteReverseWord32(s1);
+    s2 = ByteReverseWord32(s2);
+    s3 = ByteReverseWord32(s3);
+#endif
 
     XMEMCPY(outBlock,                  &s0, sizeof(s0));
     XMEMCPY(outBlock + sizeof(s0),     &s1, sizeof(s1));
     XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
     XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
 }
+#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */
+#endif /* HAVE_AES_DECRYPT */
 
 #endif /* NEED_AES_TABLES */
 
 
+
 /* wc_AesSetKey */
-#ifdef STM32F2_CRYPTO
-    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
-                  int dir)
+#if defined(STM32_CRYPTO)
+
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+            const byte* iv, int dir)
     {
-        word32 *rk = aes->key;
+        word32 *rk;
 
-        if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
+        (void)dir;
+
+        if (aes == NULL || (keylen != 16 &&
+        #ifdef WOLFSSL_AES_192
+            keylen != 24 &&
+        #endif
+            keylen != 32)) {
             return BAD_FUNC_ARG;
+        }
 
+        rk = aes->key;
+        aes->keylen = keylen;
         aes->rounds = keylen/4 + 6;
         XMEMCPY(rk, userKey, keylen);
+    #if !defined(WOLFSSL_STM32_CUBEMX) || defined(STM32_HAL_V2)
         ByteReverseWords(rk, rk, keylen);
+    #endif
+    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+        defined(WOLFSSL_AES_OFB)
+        aes->left = 0;
+    #endif
 
         return wc_AesSetIV(aes, iv);
     }
-
-    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
-                        const byte* iv, int dir)
-    {
-        return wc_AesSetKey(aes, userKey, keylen, iv, dir);
-    }
+    #if defined(WOLFSSL_AES_DIRECT)
+        int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                            const byte* iv, int dir)
+        {
+            return wc_AesSetKey(aes, userKey, keylen, iv, dir);
+        }
+    #endif
 
 #elif defined(HAVE_COLDFIRE_SEC)
     #if defined (HAVE_THREADX)
@@ -1447,30 +2232,30 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
 
     extern volatile unsigned char __MBAR[];
 
-    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
-                  int dir)
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+        const byte* iv, int dir)
     {
         if (AESBuffIn == NULL) {
-            #if defined (HAVE_THREADX)
-			    int s1, s2, s3, s4, s5 ;
-                s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
-                                      sizeof(SECdescriptorType), TX_NO_WAIT);
-                s1 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffIn,
-                                      AES_BUFFER_SIZE, TX_NO_WAIT);
-                s2 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffOut,
-                                      AES_BUFFER_SIZE, TX_NO_WAIT);
-                s3 = tx_byte_allocate(&mp_ncached, (void *)&secKey,
-                                      AES_BLOCK_SIZE*2, TX_NO_WAIT);
-                s4 = tx_byte_allocate(&mp_ncached, (void *)&secReg,
-                                      AES_BLOCK_SIZE, TX_NO_WAIT);
-
-                if(s1 || s2 || s3 || s4 || s5)
-                    return BAD_FUNC_ARG;
-            #else
-                #warning "Allocate non-Cache buffers"
-            #endif
+        #if defined (HAVE_THREADX)
+            int s1, s2, s3, s4, s5;
+            s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
+                                  sizeof(SECdescriptorType), TX_NO_WAIT);
+            s1 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffIn,
+                                  AES_BUFFER_SIZE, TX_NO_WAIT);
+            s2 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffOut,
+                                  AES_BUFFER_SIZE, TX_NO_WAIT);
+            s3 = tx_byte_allocate(&mp_ncached, (void *)&secKey,
+                                  AES_BLOCK_SIZE*2, TX_NO_WAIT);
+            s4 = tx_byte_allocate(&mp_ncached, (void *)&secReg,
+                                  AES_BLOCK_SIZE, TX_NO_WAIT);
+
+            if (s1 || s2 || s3 || s4 || s5)
+                return BAD_FUNC_ARG;
+        #else
+            #warning "Allocate non-Cache buffers"
+        #endif
 
-            InitMutex(&Mutex_AesSEC);
+            wc_InitMutex(&Mutex_AesSEC);
         }
 
         if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
@@ -1479,29 +2264,165 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
         if (aes == NULL)
             return BAD_FUNC_ARG;
 
+        aes->keylen = keylen;
         aes->rounds = keylen/4 + 6;
         XMEMCPY(aes->key, userKey, keylen);
 
         if (iv)
             XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
 
+    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+        defined(WOLFSSL_AES_OFB)
+        aes->left = 0;
+    #endif
+
         return 0;
     }
-#elif defined(FREESCALE_MMCAU)
+#elif defined(FREESCALE_LTC)
     int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
                   int dir)
     {
-        byte *rk = (byte*)aes->key;
+        if (aes == NULL || !((keylen == 16) || (keylen == 24) || (keylen == 32)))
+            return BAD_FUNC_ARG;
+
+        aes->rounds = keylen/4 + 6;
+        XMEMCPY(aes->key, userKey, keylen);
+
+    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+        defined(WOLFSSL_AES_OFB)
+        aes->left = 0;
+    #endif
+
+        return wc_AesSetIV(aes, iv);
+    }
+
+    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                        const byte* iv, int dir)
+    {
+        return wc_AesSetKey(aes, userKey, keylen, iv, dir);
+    }
+#elif defined(FREESCALE_MMCAU)
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+        const byte* iv, int dir)
+    {
+        int ret;
+        byte* rk;
+        byte* tmpKey = (byte*)userKey;
+        int tmpKeyDynamic = 0;
+        word32 alignOffset = 0;
+
+        (void)dir;
 
         if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
             return BAD_FUNC_ARG;
+        if (aes == NULL)
+            return BAD_FUNC_ARG;
 
+        rk = (byte*)aes->key;
         if (rk == NULL)
             return BAD_FUNC_ARG;
 
+    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+        defined(WOLFSSL_AES_OFB)
+        aes->left = 0;
+    #endif
+
         aes->rounds = keylen/4 + 6;
-        cau_aes_set_key(userKey, keylen*8, rk);
 
+    #ifdef FREESCALE_MMCAU_CLASSIC
+        if ((wolfssl_word)userKey % WOLFSSL_MMCAU_ALIGNMENT) {
+        #ifndef NO_WOLFSSL_ALLOC_ALIGN
+            byte* tmp = (byte*)XMALLOC(keylen + WOLFSSL_MMCAU_ALIGNMENT,
+                                       aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (tmp == NULL) {
+                return MEMORY_E;
+            }
+            alignOffset = WOLFSSL_MMCAU_ALIGNMENT -
+                          ((wolfssl_word)tmp % WOLFSSL_MMCAU_ALIGNMENT);
+            tmpKey = tmp + alignOffset;
+            XMEMCPY(tmpKey, userKey, keylen);
+            tmpKeyDynamic = 1;
+        #else
+            WOLFSSL_MSG("Bad cau_aes_set_key alignment");
+            return BAD_ALIGN_E;
+        #endif
+        }
+    #endif
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if(ret == 0) {
+        #ifdef FREESCALE_MMCAU_CLASSIC
+            cau_aes_set_key(tmpKey, keylen*8, rk);
+        #else
+            MMCAU_AES_SetKey(tmpKey, keylen, rk);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
+
+            ret = wc_AesSetIV(aes, iv);
+        }
+
+        if (tmpKeyDynamic == 1) {
+            XFREE(tmpKey - alignOffset, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+
+        return ret;
+    }
+
+    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                        const byte* iv, int dir)
+    {
+        return wc_AesSetKey(aes, userKey, keylen, iv, dir);
+    }
+
+#elif defined(WOLFSSL_NRF51_AES)
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+        const byte* iv, int dir)
+    {
+        int ret;
+
+        (void)dir;
+        (void)iv;
+
+        if (aes == NULL || keylen != 16)
+            return BAD_FUNC_ARG;
+
+        aes->keylen = keylen;
+        aes->rounds = keylen/4 + 6;
+        ret = nrf51_aes_set_key(userKey);
+
+    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+        defined(WOLFSSL_AES_OFB)
+        aes->left = 0;
+    #endif
+
+        return ret;
+    }
+
+    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                        const byte* iv, int dir)
+    {
+        return wc_AesSetKey(aes, userKey, keylen, iv, dir);
+    }
+#elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
+
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+        const byte* iv, int dir)
+    {
+        (void)dir;
+        (void)iv;
+
+        if (aes == NULL || (keylen != 16 && keylen != 24 && keylen != 32)) {
+            return BAD_FUNC_ARG;
+        }
+
+        aes->keylen = keylen;
+        aes->rounds = keylen/4 + 6;
+
+        XMEMCPY(aes->key, userKey, keylen);
+        #if defined(WOLFSSL_AES_COUNTER)
+            aes->left = 0;
+        #endif
         return wc_AesSetIV(aes, iv);
     }
 
@@ -1510,51 +2431,141 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     {
         return wc_AesSetKey(aes, userKey, keylen, iv, dir);
     }
+#elif defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
+
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
+                    int dir)
+    {
+        SaSiError_t ret = SASI_OK;
+        SaSiAesIv_t iv_aes;
+
+        if (aes == NULL ||
+           (keylen != AES_128_KEY_SIZE &&
+            keylen != AES_192_KEY_SIZE &&
+            keylen != AES_256_KEY_SIZE)) {
+            return BAD_FUNC_ARG;
+        }
+    #if defined(AES_MAX_KEY_SIZE)
+        if (keylen > (AES_MAX_KEY_SIZE/8)) {
+            return BAD_FUNC_ARG;
+        }
+    #endif
+        if (dir != AES_ENCRYPTION &&
+            dir != AES_DECRYPTION) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (dir == AES_ENCRYPTION) {
+            aes->ctx.mode = SASI_AES_ENCRYPT;
+            SaSi_AesInit(&aes->ctx.user_ctx,
+                         SASI_AES_ENCRYPT,
+                         SASI_AES_MODE_CBC,
+                         SASI_AES_PADDING_NONE);
+        }
+        else {
+            aes->ctx.mode = SASI_AES_DECRYPT;
+            SaSi_AesInit(&aes->ctx.user_ctx,
+                         SASI_AES_DECRYPT,
+                         SASI_AES_MODE_CBC,
+                         SASI_AES_PADDING_NONE);
+        }
+
+        aes->keylen = keylen;
+        aes->rounds = keylen/4 + 6;
+        XMEMCPY(aes->key, userKey, keylen);
+
+        aes->ctx.key.pKey = (uint8_t*)aes->key;
+        aes->ctx.key.keySize= keylen;
+
+        ret = SaSi_AesSetKey(&aes->ctx.user_ctx,
+                             SASI_AES_USER_KEY,
+                             &aes->ctx.key,
+                             sizeof(aes->ctx.key));
+        if (ret != SASI_OK) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wc_AesSetIV(aes, iv);
+
+        if (iv)
+            XMEMCPY(iv_aes, iv, AES_BLOCK_SIZE);
+        else
+            XMEMSET(iv_aes,  0, AES_BLOCK_SIZE);
+
+
+        ret = SaSi_AesSetIv(&aes->ctx.user_ctx, iv_aes);
+        if (ret != SASI_OK) {
+            return ret;
+        }
+       return ret;
+    }
+    #if defined(WOLFSSL_AES_DIRECT)
+        int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                            const byte* iv, int dir)
+        {
+            return wc_AesSetKey(aes, userKey, keylen, iv, dir);
+        }
+    #endif
+
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+      /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
+
+#elif defined(WOLFSSL_AFALG)
+    /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
+
+#elif defined(WOLFSSL_DEVCRYPTO_AES)
+    /* implemented in wolfcrypt/src/port/devcrypto/devcrypto_aes.c */
+
 #else
+
+    /* Software AES - SetKey */
     static int wc_AesSetKeyLocal(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
     {
-        word32 temp, *rk = aes->key;
+        word32 *rk = aes->key;
+    #ifdef NEED_AES_TABLES
+        word32 temp;
         unsigned int i = 0;
+    #endif
 
         #ifdef WOLFSSL_AESNI
             aes->use_aesni = 0;
         #endif /* WOLFSSL_AESNI */
-        #ifdef WOLFSSL_AES_COUNTER
+        #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
+            defined(WOLFSSL_AES_OFB)
             aes->left = 0;
-        #endif /* WOLFSSL_AES_COUNTER */
+        #endif
 
-        aes->rounds = keylen/4 + 6;
+        aes->keylen = keylen;
+        aes->rounds = (keylen/4) + 6;
 
         XMEMCPY(rk, userKey, keylen);
-        #ifdef LITTLE_ENDIAN_ORDER
-            ByteReverseWords(rk, rk, keylen);
-        #endif
-
-        #ifdef WOLFSSL_PIC32MZ_CRYPT
-        {
-            word32 *akey1 = aes->key_ce;
-            word32 *areg = aes->iv_ce ;
-            aes->keylen = keylen ;
-            XMEMCPY(akey1, userKey, keylen);
-            if (iv)
-                XMEMCPY(areg, iv, AES_BLOCK_SIZE);
-            else
-                XMEMSET(areg,  0, AES_BLOCK_SIZE);
-        }
-        #endif
+    #if defined(LITTLE_ENDIAN_ORDER) && !defined(WOLFSSL_PIC32MZ_CRYPT) && \
+        (!defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+          defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES))
+        ByteReverseWords(rk, rk, keylen);
+    #endif
 
-        switch(keylen)
-        {
+#ifdef NEED_AES_TABLES
+        switch (keylen) {
+    #if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 128 && \
+            defined(WOLFSSL_AES_128)
         case 16:
             while (1)
             {
                 temp  = rk[3];
                 rk[4] = rk[0] ^
-                    (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
-                    (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
-                    (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
-                    (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #ifndef WOLFSSL_AES_SMALL_TABLES
+                    (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
+                    (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
+                    (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
+                    (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #else
+                    ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
+                    ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
+                    ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
+                    ((word32)Tsbox[GETBYTE(temp, 3)]) ^
+            #endif
                     rcon[i];
                 rk[5] = rk[1] ^ rk[4];
                 rk[6] = rk[2] ^ rk[5];
@@ -1564,17 +2575,27 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                 rk += 4;
             }
             break;
+    #endif /* 128 */
 
+    #if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 192 && \
+            defined(WOLFSSL_AES_192)
         case 24:
             /* for (;;) here triggers a bug in VC60 SP4 w/ Pro Pack */
             while (1)
             {
                 temp = rk[ 5];
                 rk[ 6] = rk[ 0] ^
-                    (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
-                    (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
-                    (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
-                    (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #ifndef WOLFSSL_AES_SMALL_TABLES
+                    (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
+                    (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
+                    (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
+                    (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #else
+                    ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
+                    ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
+                    ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
+                    ((word32)Tsbox[GETBYTE(temp, 3)]) ^
+            #endif
                     rcon[i];
                 rk[ 7] = rk[ 1] ^ rk[ 6];
                 rk[ 8] = rk[ 2] ^ rk[ 7];
@@ -1586,16 +2607,26 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                 rk += 6;
             }
             break;
+    #endif /* 192 */
 
+    #if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 256 && \
+            defined(WOLFSSL_AES_256)
         case 32:
             while (1)
             {
                 temp = rk[ 7];
                 rk[ 8] = rk[ 0] ^
-                    (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
-                    (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
-                    (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
-                    (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #ifndef WOLFSSL_AES_SMALL_TABLES
+                    (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
+                    (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
+                    (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
+                    (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
+            #else
+                    ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
+                    ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
+                    ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
+                    ((word32)Tsbox[GETBYTE(temp, 3)]) ^
+            #endif
                     rcon[i];
                 rk[ 9] = rk[ 1] ^ rk[ 8];
                 rk[10] = rk[ 2] ^ rk[ 9];
@@ -1604,10 +2635,17 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                     break;
                 temp = rk[11];
                 rk[12] = rk[ 4] ^
-                    (Te[4][GETBYTE(temp, 3)] & 0xff000000) ^
-                    (Te[4][GETBYTE(temp, 2)] & 0x00ff0000) ^
-                    (Te[4][GETBYTE(temp, 1)] & 0x0000ff00) ^
-                    (Te[4][GETBYTE(temp, 0)] & 0x000000ff);
+            #ifndef WOLFSSL_AES_SMALL_TABLES
+                    (Te[2][GETBYTE(temp, 3)] & 0xff000000) ^
+                    (Te[3][GETBYTE(temp, 2)] & 0x00ff0000) ^
+                    (Te[0][GETBYTE(temp, 1)] & 0x0000ff00) ^
+                    (Te[1][GETBYTE(temp, 0)] & 0x000000ff);
+            #else
+                    ((word32)Tsbox[GETBYTE(temp, 3)] << 24) ^
+                    ((word32)Tsbox[GETBYTE(temp, 2)] << 16) ^
+                    ((word32)Tsbox[GETBYTE(temp, 1)] <<  8) ^
+                    ((word32)Tsbox[GETBYTE(temp, 0)]);
+            #endif
                 rk[13] = rk[ 5] ^ rk[12];
                 rk[14] = rk[ 6] ^ rk[13];
                 rk[15] = rk[ 7] ^ rk[14];
@@ -1615,13 +2653,14 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                 rk += 8;
             }
             break;
+    #endif /* 256 */
 
         default:
             return BAD_FUNC_ARG;
-        }
+        } /* switch */
 
-        if (dir == AES_DECRYPTION)
-        {
+    #if defined(HAVE_AES_DECRYPT)
+        if (dir == AES_DECRYPTION) {
             unsigned int j;
             rk = aes->key;
 
@@ -1632,78 +2671,169 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
                 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
             }
+        #if !defined(WOLFSSL_AES_SMALL_TABLES)
             /* apply the inverse MixColumn transform to all round keys but the
                first and the last: */
             for (i = 1; i < aes->rounds; i++) {
                 rk += 4;
                 rk[0] =
-                    Td[0][Te[4][GETBYTE(rk[0], 3)] & 0xff] ^
-                    Td[1][Te[4][GETBYTE(rk[0], 2)] & 0xff] ^
-                    Td[2][Te[4][GETBYTE(rk[0], 1)] & 0xff] ^
-                    Td[3][Te[4][GETBYTE(rk[0], 0)] & 0xff];
+                    Td[0][Te[1][GETBYTE(rk[0], 3)] & 0xff] ^
+                    Td[1][Te[1][GETBYTE(rk[0], 2)] & 0xff] ^
+                    Td[2][Te[1][GETBYTE(rk[0], 1)] & 0xff] ^
+                    Td[3][Te[1][GETBYTE(rk[0], 0)] & 0xff];
                 rk[1] =
-                    Td[0][Te[4][GETBYTE(rk[1], 3)] & 0xff] ^
-                    Td[1][Te[4][GETBYTE(rk[1], 2)] & 0xff] ^
-                    Td[2][Te[4][GETBYTE(rk[1], 1)] & 0xff] ^
-                    Td[3][Te[4][GETBYTE(rk[1], 0)] & 0xff];
+                    Td[0][Te[1][GETBYTE(rk[1], 3)] & 0xff] ^
+                    Td[1][Te[1][GETBYTE(rk[1], 2)] & 0xff] ^
+                    Td[2][Te[1][GETBYTE(rk[1], 1)] & 0xff] ^
+                    Td[3][Te[1][GETBYTE(rk[1], 0)] & 0xff];
                 rk[2] =
-                    Td[0][Te[4][GETBYTE(rk[2], 3)] & 0xff] ^
-                    Td[1][Te[4][GETBYTE(rk[2], 2)] & 0xff] ^
-                    Td[2][Te[4][GETBYTE(rk[2], 1)] & 0xff] ^
-                    Td[3][Te[4][GETBYTE(rk[2], 0)] & 0xff];
+                    Td[0][Te[1][GETBYTE(rk[2], 3)] & 0xff] ^
+                    Td[1][Te[1][GETBYTE(rk[2], 2)] & 0xff] ^
+                    Td[2][Te[1][GETBYTE(rk[2], 1)] & 0xff] ^
+                    Td[3][Te[1][GETBYTE(rk[2], 0)] & 0xff];
                 rk[3] =
-                    Td[0][Te[4][GETBYTE(rk[3], 3)] & 0xff] ^
-                    Td[1][Te[4][GETBYTE(rk[3], 2)] & 0xff] ^
-                    Td[2][Te[4][GETBYTE(rk[3], 1)] & 0xff] ^
-                    Td[3][Te[4][GETBYTE(rk[3], 0)] & 0xff];
+                    Td[0][Te[1][GETBYTE(rk[3], 3)] & 0xff] ^
+                    Td[1][Te[1][GETBYTE(rk[3], 2)] & 0xff] ^
+                    Td[2][Te[1][GETBYTE(rk[3], 1)] & 0xff] ^
+                    Td[3][Te[1][GETBYTE(rk[3], 0)] & 0xff];
             }
+        #endif
+        }
+    #else
+        (void)dir;
+    #endif /* HAVE_AES_DECRYPT */
+        (void)temp;
+#endif /* NEED_AES_TABLES */
+
+#if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
+        XMEMCPY((byte*)aes->key, userKey, keylen);
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag == CRYPTO_WORD_ENDIAN_BIG) {
+            ByteReverseWords(aes->key, aes->key, 32);
         }
+#endif
 
         return wc_AesSetIV(aes, iv);
     }
 
-    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
-                  int dir)
+    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
+        const byte* iv, int dir)
     {
+        int ret;
+    #if defined(AES_MAX_KEY_SIZE)
+        const word32 max_key_len = (AES_MAX_KEY_SIZE / 8);
+    #endif
 
-        if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
+    #ifdef WOLFSSL_IMX6_CAAM_BLOB
+        byte   local[32];
+        word32 localSz = 32;
+
+        if (keylen == (16 + WC_CAAM_BLOB_SZ) ||
+                keylen == (24 + WC_CAAM_BLOB_SZ) ||
+                keylen == (32 + WC_CAAM_BLOB_SZ)) {
+            if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz) != 0) {
+                return BAD_FUNC_ARG;
+            }
+
+            /* set local values */
+            userKey = local;
+            keylen = localSz;
+        }
+    #endif
+        if (aes == NULL ||
+                !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
             return BAD_FUNC_ARG;
+        }
 
-        #ifdef HAVE_CAVIUM
-        if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
-            return wc_AesCaviumSetKey(aes, userKey, keylen, iv);
+    #if defined(AES_MAX_KEY_SIZE)
+        /* Check key length */
+        if (keylen > max_key_len) {
+            return BAD_FUNC_ARG;
+        }
+    #endif
+        aes->keylen = keylen;
+        aes->rounds = keylen/4 + 6;
+
+    #if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+        (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
+        (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
+        #ifdef WOLF_CRYPTO_CB
+        if (aes->devId != INVALID_DEVID)
         #endif
+        {
+            XMEMCPY(aes->devKey, userKey, keylen);
+        }
+    #endif
 
-        #ifdef WOLFSSL_AESNI
+    #ifdef WOLFSSL_AESNI
         if (checkAESNI == 0) {
             haveAESNI  = Check_CPU_support_AES();
             checkAESNI = 1;
         }
         if (haveAESNI) {
+            #if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB) || \
+                defined(WOLFSSL_AES_OFB)
+                aes->left = 0;
+            #endif /* WOLFSSL_AES_COUNTER */
             aes->use_aesni = 1;
             if (iv)
                 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
+            else
+                XMEMSET(aes->reg, 0, AES_BLOCK_SIZE);
             if (dir == AES_ENCRYPTION)
                 return AES_set_encrypt_key(userKey, keylen * 8, aes);
+        #ifdef HAVE_AES_DECRYPT
             else
                 return AES_set_decrypt_key(userKey, keylen * 8, aes);
+        #endif
         }
-        #endif /* WOLFSSL_AESNI */
+    #endif /* WOLFSSL_AESNI */
+
+        ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
 
-        return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
+    #if defined(WOLFSSL_DEVCRYPTO) && \
+        (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
+        aes->ctx.cfd = -1;
+    #endif
+    #ifdef WOLFSSL_IMX6_CAAM_BLOB
+        ForceZero(local, sizeof(local));
+    #endif
+        return ret;
     }
 
     #if defined(WOLFSSL_AES_DIRECT) || defined(WOLFSSL_AES_COUNTER)
+        /* AES-CTR and AES-DIRECT need to use this for key setup, no aesni yet */
+        int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
+                            const byte* iv, int dir)
+        {
+            int ret;
 
-    /* AES-CTR and AES-DIRECT need to use this for key setup, no aesni yet */
-    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
-                        const byte* iv, int dir)
-    {
-        return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
-    }
+        #ifdef WOLFSSL_IMX6_CAAM_BLOB
+            byte   local[32];
+            word32 localSz = 32;
+
+            if (keylen == (16 + WC_CAAM_BLOB_SZ) ||
+             keylen == (24 + WC_CAAM_BLOB_SZ) ||
+             keylen == (32 + WC_CAAM_BLOB_SZ)) {
+                if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz)
+                        != 0) {
+                    return BAD_FUNC_ARG;
+                }
 
+                /* set local values */
+                userKey = local;
+                keylen = localSz;
+            }
+        #endif
+            ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
+
+        #ifdef WOLFSSL_IMX6_CAAM_BLOB
+            ForceZero(local, sizeof(local));
+        #endif
+
+            return ret;
+        }
     #endif /* WOLFSSL_AES_DIRECT || WOLFSSL_AES_COUNTER */
-#endif /* STM32F2_CRYPTO, wc_AesSetKey block */
+#endif /* wc_AesSetKey block */
 
 
 /* wc_AesSetIV is shared between software and hardware */
@@ -1720,160 +2850,265 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
     return 0;
 }
 
-
-int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
-                                  const byte* key, word32 keySz, const byte* iv)
-{
-    int  ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Aes* aes = NULL;
-#else
-    Aes  aes[1];
-#endif
-
-#ifdef WOLFSSL_SMALL_STACK
-    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (aes == NULL)
-        return MEMORY_E;
-#endif
-
-    ret = wc_AesSetKey(aes, key, keySz, iv, AES_DECRYPTION);
-    if (ret == 0)
-        ret = wc_AesCbcDecrypt(aes, out, in, inSz); 
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
-    return ret;
-}
-
-
 /* AES-DIRECT */
 #if defined(WOLFSSL_AES_DIRECT)
-    #if defined(FREESCALE_MMCAU)
+    #if defined(HAVE_COLDFIRE_SEC)
+        #error "Coldfire SEC doesn't yet support AES direct"
 
+    #elif defined(FREESCALE_LTC)
         /* Allow direct access to one block encrypt */
         void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
         {
-            byte* key;
+            byte *key;
+            uint32_t keySize;
+
             key = (byte*)aes->key;
+            wc_AesGetKeySize(aes, &keySize);
 
-            return cau_aes_encrypt(in, key, aes->rounds, out);
+            LTC_AES_EncryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,
+                key, keySize);
         }
 
         /* Allow direct access to one block decrypt */
         void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
         {
-            byte* key;
+            byte *key;
+            uint32_t keySize;
+
             key = (byte*)aes->key;
+            wc_AesGetKeySize(aes, &keySize);
 
-            return cau_aes_decrypt(in, key, aes->rounds, out);
+            LTC_AES_DecryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,
+                key, keySize, kLTC_EncryptKey);
         }
 
-    #elif defined(STM32F2_CRYPTO)
-        #error "STM32F2 crypto doesn't yet support AES direct"
+    #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+        /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
 
-    #elif defined(HAVE_COLDFIRE_SEC)
-        #error "Coldfire SEC doesn't yet support AES direct"
+    #elif defined(WOLFSSL_AFALG)
+        /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
 
-    #elif defined(WOLFSSL_PIC32MZ_CRYPT)
-        #error "PIC32MZ doesn't yet support AES direct"
+    #elif defined(WOLFSSL_DEVCRYPTO_AES)
+        /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
+
+    #elif defined(STM32_CRYPTO)
+        /* Allow direct access to one block encrypt */
+        void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
+        {
+            if (wolfSSL_CryptHwMutexLock() == 0) {
+                wc_AesEncrypt(aes, in, out);
+                wolfSSL_CryptHwMutexUnLock();
+            }
+        }
+        #ifdef HAVE_AES_DECRYPT
+        /* Allow direct access to one block decrypt */
+        void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
+        {
+            if (wolfSSL_CryptHwMutexLock() == 0) {
+                wc_AesDecrypt(aes, in, out);
+                wolfSSL_CryptHwMutexUnLock();
+            }
+        }
+        #endif /* HAVE_AES_DECRYPT */
 
+    #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+        !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
+        
+        /* Allow direct access to one block encrypt */
+        void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
+        {
+            wc_AesEncrypt(aes, in, out);
+        }
+        #ifdef HAVE_AES_DECRYPT
+        /* Allow direct access to one block decrypt */
+        void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
+        {
+            wc_AesDecrypt(aes, in, out);
+        }
+        #endif /* HAVE_AES_DECRYPT */
     #else
         /* Allow direct access to one block encrypt */
         void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
         {
             wc_AesEncrypt(aes, in, out);
         }
-
+        #ifdef HAVE_AES_DECRYPT
         /* Allow direct access to one block decrypt */
         void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
         {
             wc_AesDecrypt(aes, in, out);
         }
-
-    #endif /* FREESCALE_MMCAU, AES direct block */
+        #endif /* HAVE_AES_DECRYPT */
+    #endif /* AES direct block */
 #endif /* WOLFSSL_AES_DIRECT */
 
 
 /* AES-CBC */
-#ifdef STM32F2_CRYPTO
+#ifdef HAVE_AES_CBC
+#if defined(STM32_CRYPTO)
+
+#ifdef WOLFSSL_STM32_CUBEMX
     int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        word32 *enc_key, *iv;
-        CRYP_InitTypeDef AES_CRYP_InitStructure;
-        CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
-        CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
+        int ret = 0;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        CRYP_HandleTypeDef hcryp;
 
-        enc_key = aes->key;
-        iv = aes->reg;
+        ret = wc_Stm32_Aes_Init(aes, &hcryp);
+        if (ret != 0)
+            return ret;
 
-        /* crypto structure initialization */
-        CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
-        CRYP_StructInit(&AES_CRYP_InitStructure);
-        CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
 
-        /* reset registers to their default values */
-        CRYP_DeInit();
+    #ifdef STM32_CRYPTO_AES_ONLY
+        hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
+        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CBC;
+        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
+    #elif defined(STM32_HAL_V2)
+        hcryp.Init.Algorithm  = CRYP_AES_CBC;
+        ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);
+    #endif
+        hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
+        HAL_CRYP_Init(&hcryp);
 
-        /* load key into correct registers */
-        switch(aes->rounds)
-        {
-            case 10: /* 128-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[3];
+        while (blocks--) {
+        #ifdef STM32_CRYPTO_AES_ONLY
+            ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #elif defined(STM32_HAL_V2)
+            ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
+                (uint32_t*)out, STM32_HAL_TIMEOUT);
+        #else
+            ret = HAL_CRYP_AESCBC_Encrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #endif
+            if (ret != HAL_OK) {
+                ret = WC_TIMEOUT_E;
                 break;
+            }
 
-            case 12: /* 192-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
-                AES_CRYP_KeyInitStructure.CRYP_Key1Left  = enc_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[3];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[4];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[5];
-                break;
+            /* store iv for next call */
+            XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
 
-            case 14: /* 256-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
-                AES_CRYP_KeyInitStructure.CRYP_Key0Left  = enc_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key0Right = enc_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Left  = enc_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[3];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[4];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[5];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[6];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[7];
-                break;
+            sz  -= AES_BLOCK_SIZE;
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
+        }
 
-            default:
+        HAL_CRYP_DeInit(&hcryp);
+
+        wolfSSL_CryptHwMutexUnLock();
+
+        return ret;
+    }
+    #ifdef HAVE_AES_DECRYPT
+    int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        int ret = 0;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        CRYP_HandleTypeDef hcryp;
+
+        ret = wc_Stm32_Aes_Init(aes, &hcryp);
+        if (ret != 0)
+            return ret;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
+
+        /* if input and output same will overwrite input iv */
+        XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
+    #ifdef STM32_CRYPTO_AES_ONLY
+        hcryp.Init.OperatingMode = CRYP_ALGOMODE_KEYDERIVATION_DECRYPT;
+        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CBC;
+        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
+    #elif defined(STM32_HAL_V2)
+        hcryp.Init.Algorithm  = CRYP_AES_CBC;
+        ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);
+    #endif
+
+        hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
+        HAL_CRYP_Init(&hcryp);
+
+        while (blocks--) {
+        #ifdef STM32_CRYPTO_AES_ONLY
+            ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #elif defined(STM32_HAL_V2)
+            ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
+                (uint32_t*)out, STM32_HAL_TIMEOUT);
+        #else
+            ret = HAL_CRYP_AESCBC_Decrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #endif
+            if (ret != HAL_OK) {
+                ret = WC_TIMEOUT_E;
                 break;
+            }
+
+            /* store iv for next call */
+            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
+
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
+        }
+
+        HAL_CRYP_DeInit(&hcryp);
+        wolfSSL_CryptHwMutexUnLock();
+
+        return ret;
+    }
+    #endif /* HAVE_AES_DECRYPT */
+
+#else /* STD_PERI_LIB */
+    int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        int ret;
+        word32 *iv;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        CRYP_InitTypeDef cryptInit;
+        CRYP_KeyInitTypeDef keyInit;
+        CRYP_IVInitTypeDef ivInit;
+
+        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
+        if (ret != 0)
+            return ret;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
         }
-        CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
+
+        /* reset registers to their default values */
+        CRYP_DeInit();
+
+        /* set key */
+        CRYP_KeyInit(&keyInit);
 
         /* set iv */
+        iv = aes->reg;
+        CRYP_IVStructInit(&ivInit);
         ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
-        AES_CRYP_IVInitStructure.CRYP_IV0Left  = iv[0];
-        AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
-        AES_CRYP_IVInitStructure.CRYP_IV1Left  = iv[2];
-        AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
-        CRYP_IVInit(&AES_CRYP_IVInitStructure);
-
-        /* set direction, mode, and datatype */
-        AES_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
-        AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
-        AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
-        CRYP_Init(&AES_CRYP_InitStructure);
+        ivInit.CRYP_IV0Left  = iv[0];
+        ivInit.CRYP_IV0Right = iv[1];
+        ivInit.CRYP_IV1Left  = iv[2];
+        ivInit.CRYP_IV1Right = iv[3];
+        CRYP_IVInit(&ivInit);
+
+        /* set direction and mode */
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
+        CRYP_Init(&cryptInit);
 
         /* enable crypto processor */
         CRYP_Cmd(ENABLE);
 
-        while (sz > 0)
-        {
+        while (blocks--) {
             /* flush IN/OUT FIFOs */
             CRYP_FIFOFlush();
 
@@ -1883,7 +3118,7 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             CRYP_DataIn(*(uint32_t*)&in[12]);
 
             /* wait until the complete message has been processed */
-            while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+            while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
 
             *(uint32_t*)&out[0]  = CRYP_DataOut();
             *(uint32_t*)&out[4]  = CRYP_DataOut();
@@ -1893,31 +3128,36 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             /* store iv for next call */
             XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
 
-            sz  -= 16;
-            in  += 16;
-            out += 16;
+            sz  -= AES_BLOCK_SIZE;
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
         }
 
         /* disable crypto processor */
         CRYP_Cmd(DISABLE);
+        wolfSSL_CryptHwMutexUnLock();
 
-        return 0;
+        return ret;
     }
 
+    #ifdef HAVE_AES_DECRYPT
     int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        word32 *dec_key, *iv;
-        CRYP_InitTypeDef AES_CRYP_InitStructure;
-        CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
-        CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
-
-        dec_key = aes->key;
-        iv = aes->reg;
-
-        /* crypto structure initialization */
-        CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
-        CRYP_StructInit(&AES_CRYP_InitStructure);
-        CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
+        int ret;
+        word32 *iv;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        CRYP_InitTypeDef cryptInit;
+        CRYP_KeyInitTypeDef keyInit;
+        CRYP_IVInitTypeDef ivInit;
+
+        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
+        if (ret != 0)
+            return ret;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
 
         /* if input and output same will overwrite input iv */
         XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
@@ -1925,76 +3165,37 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
         /* reset registers to their default values */
         CRYP_DeInit();
 
-        /* load key into correct registers */
-        switch(aes->rounds)
-        {
-            case 10: /* 128-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = dec_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = dec_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[3];
-                break;
-
-            case 12: /* 192-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
-                AES_CRYP_KeyInitStructure.CRYP_Key1Left  = dec_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Right = dec_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = dec_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[3];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = dec_key[4];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[5];
-                break;
-
-            case 14: /* 256-bit key */
-                AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
-                AES_CRYP_KeyInitStructure.CRYP_Key0Left  = dec_key[0];
-                AES_CRYP_KeyInitStructure.CRYP_Key0Right = dec_key[1];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Left  = dec_key[2];
-                AES_CRYP_KeyInitStructure.CRYP_Key1Right = dec_key[3];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Left  = dec_key[4];
-                AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[5];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Left  = dec_key[6];
-                AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[7];
-                break;
-
-            default:
-                break;
-        }
-
-        /* set direction, mode, and datatype for key preparation */
-        AES_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
-        AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
-        AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_32b;
-        CRYP_Init(&AES_CRYP_InitStructure);
-        CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
+        /* set direction and key */
+        CRYP_KeyInit(&keyInit);
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
+        CRYP_Init(&cryptInit);
 
         /* enable crypto processor */
         CRYP_Cmd(ENABLE);
 
         /* wait until key has been prepared */
-        while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
 
-        /* set direction, mode, and datatype for decryption */
-        AES_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
-        AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
-        AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
-        CRYP_Init(&AES_CRYP_InitStructure);
+        /* set direction and mode */
+        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
+        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
+        CRYP_Init(&cryptInit);
 
         /* set iv */
+        iv = aes->reg;
+        CRYP_IVStructInit(&ivInit);
         ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
-
-        AES_CRYP_IVInitStructure.CRYP_IV0Left  = iv[0];
-        AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
-        AES_CRYP_IVInitStructure.CRYP_IV1Left  = iv[2];
-        AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
-        CRYP_IVInit(&AES_CRYP_IVInitStructure);
+        ivInit.CRYP_IV0Left  = iv[0];
+        ivInit.CRYP_IV0Right = iv[1];
+        ivInit.CRYP_IV1Left  = iv[2];
+        ivInit.CRYP_IV1Right = iv[3];
+        CRYP_IVInit(&ivInit);
 
         /* enable crypto processor */
         CRYP_Cmd(ENABLE);
 
-        while (sz > 0)
-        {
+        while (blocks--) {
             /* flush IN/OUT FIFOs */
             CRYP_FIFOFlush();
 
@@ -2004,7 +3205,7 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             CRYP_DataIn(*(uint32_t*)&in[12]);
 
             /* wait until the complete message has been processed */
-            while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+            while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
 
             *(uint32_t*)&out[0]  = CRYP_DataOut();
             *(uint32_t*)&out[4]  = CRYP_DataOut();
@@ -2014,24 +3215,26 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             /* store iv for next call */
             XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
 
-            sz -= 16;
-            in += 16;
-            out += 16;
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
         }
 
         /* disable crypto processor */
         CRYP_Cmd(DISABLE);
+        wolfSSL_CryptHwMutexUnLock();
 
-        return 0;
+        return ret;
     }
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_STM32_CUBEMX */
 
 #elif defined(HAVE_COLDFIRE_SEC)
     static int wc_AesCbcCrypt(Aes* aes, byte* po, const byte* pi, word32 sz,
-                           word32 descHeader)
+        word32 descHeader)
     {
         #ifdef DEBUG_WOLFSSL
             int i; int stat1, stat2; int ret;
-	    #endif
+        #endif
 
         int size;
         volatile int v;
@@ -2039,7 +3242,7 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
         if ((pi == NULL) || (po == NULL))
             return BAD_FUNC_ARG;    /*wrong pointer*/
 
-        LockMutex(&Mutex_AesSEC);
+        wc_LockMutex(&Mutex_AesSEC);
 
         /* Set descriptor for SEC */
         secDesc->length1 = 0x0;
@@ -2049,9 +3252,9 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
         secDesc->pointer2 = (byte *)secReg; /* Initial Vector */
 
         switch(aes->rounds) {
-            case 10: secDesc->length3 = 16 ; break ;
-            case 12: secDesc->length3 = 24 ; break ;
-            case 14: secDesc->length3 = 32 ; break ;
+            case 10: secDesc->length3 = 16; break;
+            case 12: secDesc->length3 = 24; break;
+            case 14: secDesc->length3 = 32; break;
         }
         XMEMCPY(secKey, aes->key, secDesc->length3);
 
@@ -2115,7 +3318,7 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             po += size;
         }
 
-        UnLockMutex(&Mutex_AesSEC);
+        wc_UnLockMutex(&Mutex_AesSEC);
         return 0;
     }
 
@@ -2124,40 +3327,92 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
         return (wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_ENCRYPT));
     }
 
+    #ifdef HAVE_AES_DECRYPT
     int wc_AesCbcDecrypt(Aes* aes, byte* po, const byte* pi, word32 sz)
     {
         return (wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_DECRYPT));
     }
+    #endif /* HAVE_AES_DECRYPT */
 
-#elif defined(FREESCALE_MMCAU)
+#elif defined(FREESCALE_LTC)
     int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        int i;
-        int offset = 0;
-        int len = sz;
-
+        uint32_t keySize;
+        status_t status;
         byte *iv, *enc_key;
-        byte temp_block[AES_BLOCK_SIZE];
+        word32 blocks = (sz / AES_BLOCK_SIZE);
 
         iv      = (byte*)aes->reg;
         enc_key = (byte*)aes->key;
 
-        if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad cau_aes_encrypt alignment");
-            return BAD_ALIGN_E;
+        status = wc_AesGetKeySize(aes, &keySize);
+        if (status != 0) {
+            return status;
         }
 
-        while (len > 0)
-        {
+        status = LTC_AES_EncryptCbc(LTC_BASE, in, out, blocks * AES_BLOCK_SIZE,
+            iv, enc_key, keySize);
+
+        /* store iv for next call */
+        if (status == kStatus_Success) {
+            XMEMCPY(iv, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        }
+
+        return (status == kStatus_Success) ? 0 : -1;
+    }
+
+    #ifdef HAVE_AES_DECRYPT
+    int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        uint32_t keySize;
+        status_t status;
+        byte* iv, *dec_key;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        byte temp_block[AES_BLOCK_SIZE];
+
+        iv      = (byte*)aes->reg;
+        dec_key = (byte*)aes->key;
+
+        status = wc_AesGetKeySize(aes, &keySize);
+        if (status != 0) {
+            return status;
+        }
+
+        /* get IV for next call */
+        XMEMCPY(temp_block, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
+        status = LTC_AES_DecryptCbc(LTC_BASE, in, out, blocks * AES_BLOCK_SIZE,
+            iv, dec_key, keySize, kLTC_EncryptKey);
+
+        /* store IV for next call */
+        if (status == kStatus_Success) {
+            XMEMCPY(iv, temp_block, AES_BLOCK_SIZE);
+        }
+
+        return (status == kStatus_Success) ? 0 : -1;
+    }
+    #endif /* HAVE_AES_DECRYPT */
+
+#elif defined(FREESCALE_MMCAU)
+    int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        int i;
+        int offset = 0;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        byte *iv;
+        byte temp_block[AES_BLOCK_SIZE];
+
+        iv      = (byte*)aes->reg;
+
+        while (blocks--) {
             XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
 
             /* XOR block with IV for CBC */
             for (i = 0; i < AES_BLOCK_SIZE; i++)
                 temp_block[i] ^= iv[i];
 
-            cau_aes_encrypt(temp_block, enc_key, aes->rounds, out + offset);
+            wc_AesEncrypt(aes, temp_block, out + offset);
 
-            len    -= AES_BLOCK_SIZE;
             offset += AES_BLOCK_SIZE;
 
             /* store IV for next block */
@@ -2166,29 +3421,21 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
 
         return 0;
     }
-
+    #ifdef HAVE_AES_DECRYPT
     int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
         int i;
         int offset = 0;
-        int len = sz;
-
-        byte* iv, *dec_key;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+        byte* iv;
         byte temp_block[AES_BLOCK_SIZE];
 
         iv      = (byte*)aes->reg;
-        dec_key = (byte*)aes->key;
 
-        if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad cau_aes_decrypt alignment");
-            return BAD_ALIGN_E;
-        }
-
-        while (len > 0)
-        {
+        while (blocks--) {
             XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
 
-            cau_aes_decrypt(in + offset, dec_key, aes->rounds, out + offset);
+            wc_AesDecrypt(aes, in + offset, out + offset);
 
             /* XOR block with IV for CBC */
             for (i = 0; i < AES_BLOCK_SIZE; i++)
@@ -2197,132 +3444,131 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             /* store IV for next block */
             XMEMCPY(iv, temp_block, AES_BLOCK_SIZE);
 
-            len    -= AES_BLOCK_SIZE;
             offset += AES_BLOCK_SIZE;
         }
 
         return 0;
     }
+    #endif /* HAVE_AES_DECRYPT */
 
 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
-    /* core hardware crypt engine driver */
-    static void wc_AesCrypt(Aes *aes, byte* out, const byte* in, word32 sz,
-                                            int dir, int algo, int cryptoalgo)
+
+    int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        securityAssociation *sa_p ;
-        bufferDescriptor *bd_p ;
-
-        volatile securityAssociation sa __attribute__((aligned (8)));
-        volatile bufferDescriptor bd __attribute__((aligned (8)));
-        volatile int k ;
-
-        /* get uncached address */
-        sa_p = KVA0_TO_KVA1(&sa) ;
-        bd_p = KVA0_TO_KVA1(&bd) ;
-
-        /* Sync cache and physical memory */
-        if(PIC32MZ_IF_RAM(in)) {
-            XMEMCPY((void *)KVA0_TO_KVA1(in), (void *)in, sz);
-        }
-        XMEMSET((void *)KVA0_TO_KVA1(out), 0, sz);
-        /* Set up the Security Association */
-        XMEMSET((byte *)KVA0_TO_KVA1(&sa), 0, sizeof(sa));
-        sa_p->SA_CTRL.ALGO = algo ; /* AES */
-        sa_p->SA_CTRL.LNC = 1;
-        sa_p->SA_CTRL.LOADIV = 1;
-        sa_p->SA_CTRL.FB = 1;
-        sa_p->SA_CTRL.ENCTYPE = dir ; /* Encryption/Decryption */
-        sa_p->SA_CTRL.CRYPTOALGO = cryptoalgo;
-
-        if(cryptoalgo == PIC32_CRYPTOALGO_AES_GCM){
-            switch(aes->keylen) {
-            case 32:
-                sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_256 ;
-                break ;
-            case 24:
-                sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_192 ;
-                break ;
-            case 16:
-                sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_128 ;
-                break ;
-            }
-        } else
-            sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_128 ;
-
-        ByteReverseWords(
-        (word32 *)KVA0_TO_KVA1(sa.SA_ENCKEY + 8 - aes->keylen/sizeof(word32)),
-                         (word32 *)aes->key_ce, aes->keylen);
-        ByteReverseWords(
-        (word32*)KVA0_TO_KVA1(sa.SA_ENCIV), (word32 *)aes->iv_ce, 16);
-
-        XMEMSET((byte *)KVA0_TO_KVA1(&bd), 0, sizeof(bd));
-        /* Set up the Buffer Descriptor */
-        bd_p->BD_CTRL.BUFLEN = sz;
-        if(cryptoalgo == PIC32_CRYPTOALGO_AES_GCM) {
-            if(sz % 0x10)
-                bd_p->BD_CTRL.BUFLEN = (sz/0x10 + 1) * 0x10 ;
-        }
-        bd_p->BD_CTRL.LIFM = 1;
-        bd_p->BD_CTRL.SA_FETCH_EN = 1;
-        bd_p->BD_CTRL.LAST_BD = 1;
-        bd_p->BD_CTRL.DESC_EN = 1;
-
-        bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa) ;
-        bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in) ;
-        bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out);
-        bd_p->MSGLEN = sz ;
-
-        CECON = 1 << 6;
-        while (CECON);
-
-        /* Run the engine */
-        CEBDPADDR = (unsigned int)KVA_TO_PA(&bd) ;
-        CEINTEN = 0x07;
-        CECON = 0x27;
-
-        WAIT_ENGINE ;
-
-        if((cryptoalgo == PIC32_CRYPTOALGO_CBC) ||
-           (cryptoalgo == PIC32_CRYPTOALGO_TCBC)||
-           (cryptoalgo == PIC32_CRYPTOALGO_RCBC)) {
-            /* set iv for the next call */
-            if(dir == PIC32_ENCRYPTION) {
-                XMEMCPY((void *)aes->iv_ce,
-                        (void*)KVA0_TO_KVA1(out + sz - AES_BLOCK_SIZE),
-                        AES_BLOCK_SIZE) ;
-            } else {
-                ByteReverseWords((word32*)aes->iv_ce,
-                        (word32 *)KVA0_TO_KVA1(in + sz - AES_BLOCK_SIZE),
-                        AES_BLOCK_SIZE);
-            }
+        int ret;
+
+        /* hardware fails on input that is not a multiple of AES block size */
+        if (sz % AES_BLOCK_SIZE != 0) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wc_Pic32AesCrypt(
+            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            out, in, sz, PIC32_ENCRYPTION,
+            PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCBC);
+
+        /* store iv for next call */
+        if (ret == 0) {
+            XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        }
+
+        return ret;
+    }
+    #ifdef HAVE_AES_DECRYPT
+    int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        int ret;
+        byte scratch[AES_BLOCK_SIZE];
+
+        /* hardware fails on input that is not a multiple of AES block size */
+        if (sz % AES_BLOCK_SIZE != 0) {
+            return BAD_FUNC_ARG;
+        }
+        XMEMCPY(scratch, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
+        ret = wc_Pic32AesCrypt(
+            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            out, in, sz, PIC32_DECRYPTION,
+            PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCBC);
+
+        /* store iv for next call */
+        if (ret == 0) {
+            XMEMCPY((byte*)aes->reg, scratch, AES_BLOCK_SIZE);
         }
-        XMEMCPY((byte *)out, (byte *)KVA0_TO_KVA1(out), sz) ;
-        ByteReverseWords((word32*)out, (word32 *)out, sz);
+
+        return ret;
     }
+    #endif /* HAVE_AES_DECRYPT */
+#elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
 
     int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        wc_AesCrypt(aes, out, in, sz, PIC32_ENCRYPTION, PIC32_ALGO_AES,
-                                                      PIC32_CRYPTOALGO_RCBC );
-        return 0 ;
+        return wc_esp32AesCbcEncrypt(aes, out, in, sz);
+    }
+    int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        return wc_esp32AesCbcDecrypt(aes, out, in, sz);
+    }
+#elif defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
+    int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+        return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t* )in, sz, out);
     }
-
     int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        wc_AesCrypt(aes, out, in, sz, PIC32_DECRYPTION, PIC32_ALGO_AES,
-                                                      PIC32_CRYPTOALGO_RCBC);
-        return 0 ;
+        return SaSi_AesBlock(&aes->ctx.user_ctx, (uint8_t* )in, sz, out);
     }
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+      /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
+
+#elif defined(WOLFSSL_AFALG)
+    /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
+
+#elif defined(WOLFSSL_DEVCRYPTO_CBC)
+    /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
 
 #else
+
+    /* Software AES - CBC Encrypt */
     int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        word32 blocks = sz / AES_BLOCK_SIZE;
+        word32 blocks = (sz / AES_BLOCK_SIZE);
+
+        if (aes == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    #ifdef HAVE_CAVIUM
-        if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
-            return wc_AesCaviumCbcEncrypt(aes, out, in, sz);
+    #ifdef WOLF_CRYPTO_CB
+        if (aes->devId != INVALID_DEVID) {
+            int ret = wc_CryptoCb_AesCbcEncrypt(aes, out, in, sz);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
     #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+        /* if async and byte count above threshold */
+        if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
+                                                sz >= WC_ASYNC_THRESH_AES_CBC) {
+        #if defined(HAVE_CAVIUM)
+            return NitroxAesCbcEncrypt(aes, out, in, sz);
+        #elif defined(HAVE_INTEL_QA)
+            return IntelQaSymAesCbcEncrypt(&aes->asyncDev, out, in, sz,
+                (const byte*)aes->devKey, aes->keylen,
+                (byte*)aes->reg, AES_BLOCK_SIZE);
+        #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+            if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_CBC_ENCRYPT)) {
+                WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
+                testDev->aes.aes = aes;
+                testDev->aes.out = out;
+                testDev->aes.in = in;
+                testDev->aes.sz = sz;
+                return WC_PENDING_E;
+            }
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
     #ifdef WOLFSSL_AESNI
         if (haveAESNI) {
@@ -2337,22 +3583,25 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
             #endif
 
             /* check alignment, decrypt doesn't need alignment */
-            if ((wolfssl_word)in % 16) {
+            if ((wolfssl_word)in % AESNI_ALIGN) {
             #ifndef NO_WOLFSSL_ALLOC_ALIGN
-                byte* tmp = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                WOLFSSL_MSG("AES-CBC encrypt with bad alignment");
+                byte* tmp = (byte*)XMALLOC(sz + AES_BLOCK_SIZE + AESNI_ALIGN,
+                                            aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                byte* tmp_align;
                 if (tmp == NULL) return MEMORY_E;
 
-                XMEMCPY(tmp, in, sz);
-                AES_CBC_encrypt(tmp, tmp, (byte*)aes->reg, sz, (byte*)aes->key,
-                            aes->rounds);
+                tmp_align = tmp + (AESNI_ALIGN - ((size_t)tmp % AESNI_ALIGN));
+                XMEMCPY(tmp_align, in, sz);
+                AES_CBC_encrypt(tmp_align, tmp_align, (byte*)aes->reg, sz,
+                                                  (byte*)aes->key, aes->rounds);
                 /* store iv for next call */
-                XMEMCPY(aes->reg, tmp + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+                XMEMCPY(aes->reg, tmp_align + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
 
-                XMEMCPY(out, tmp, sz);
-                XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                XMEMCPY(out, tmp_align, sz);
+                XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
                 return 0;
             #else
+                WOLFSSL_MSG("AES-CBC encrypt with bad alignment");
                 return BAD_ALIGN_E;
             #endif
             }
@@ -2378,13 +3627,46 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
         return 0;
     }
 
+    #ifdef HAVE_AES_DECRYPT
+    /* Software AES - CBC Decrypt */
     int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
-        word32 blocks = sz / AES_BLOCK_SIZE;
+        word32 blocks;
+
+        if (aes == NULL || out == NULL || in == NULL
+                                       || sz % AES_BLOCK_SIZE != 0) {
+            return BAD_FUNC_ARG;
+        }
 
-    #ifdef HAVE_CAVIUM
-        if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
-            return wc_AesCaviumCbcDecrypt(aes, out, in, sz);
+    #ifdef WOLF_CRYPTO_CB
+        if (aes->devId != INVALID_DEVID) {
+            int ret = wc_CryptoCb_AesCbcDecrypt(aes, out, in, sz);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+        /* if async and byte count above threshold */
+        if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
+                                                sz >= WC_ASYNC_THRESH_AES_CBC) {
+        #if defined(HAVE_CAVIUM)
+            return NitroxAesCbcDecrypt(aes, out, in, sz);
+        #elif defined(HAVE_INTEL_QA)
+            return IntelQaSymAesCbcDecrypt(&aes->asyncDev, out, in, sz,
+                (const byte*)aes->devKey, aes->keylen,
+                (byte*)aes->reg, AES_BLOCK_SIZE);
+        #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+            if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_CBC_DECRYPT)) {
+                WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
+                testDev->aes.aes = aes;
+                testDev->aes.out = out;
+                testDev->aes.in = in;
+                testDev->aes.sz = sz;
+                return WC_PENDING_E;
+            }
+        #endif
+        }
     #endif
 
     #ifdef WOLFSSL_AESNI
@@ -2401,18 +3683,28 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
 
             /* if input and output same will overwrite input iv */
             XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-            AES_CBC_decrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
+            #if defined(WOLFSSL_AESNI_BY4)
+            AES_CBC_decrypt_by4(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
+                            aes->rounds);
+            #elif defined(WOLFSSL_AESNI_BY6)
+            AES_CBC_decrypt_by6(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                             aes->rounds);
+            #else /* WOLFSSL_AESNI_BYx */
+            AES_CBC_decrypt_by8(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
+                            aes->rounds);
+            #endif /* WOLFSSL_AESNI_BYx */
             /* store iv for next call */
             XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
             return 0;
         }
     #endif
 
+        blocks = sz / AES_BLOCK_SIZE;
         while (blocks--) {
             XMEMCPY(aes->tmp, in, AES_BLOCK_SIZE);
             wc_AesDecrypt(aes, (byte*)aes->tmp, out);
             xorbuf(out, (byte*)aes->reg, AES_BLOCK_SIZE);
+            /* store iv for next call */
             XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
 
             out += AES_BLOCK_SIZE;
@@ -2421,198 +3713,226 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
 
         return 0;
     }
+    #endif
 
-#endif /* STM32F2_CRYPTO, AES-CBC block */
+#endif /* AES-CBC block */
+#endif /* HAVE_AES_CBC */
 
 /* AES-CTR */
-#ifdef WOLFSSL_AES_COUNTER
+#if defined(WOLFSSL_AES_COUNTER)
 
-    #ifdef STM32F2_CRYPTO
-        void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-        {
-            word32 *enc_key, *iv;
-            CRYP_InitTypeDef AES_CRYP_InitStructure;
-            CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
-            CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
+    #ifdef STM32_CRYPTO
+        #define NEED_AES_CTR_SOFT
+        #define XTRANSFORM_AESCTRBLOCK wc_AesCtrEncryptBlock
 
-            enc_key = aes->key;
-            iv = aes->reg;
+        int wc_AesCtrEncryptBlock(Aes* aes, byte* out, const byte* in)
+        {
+            int ret = 0;
+        #ifdef WOLFSSL_STM32_CUBEMX
+            CRYP_HandleTypeDef hcryp;
+            #ifdef STM32_HAL_V2
+            word32 iv[AES_BLOCK_SIZE/sizeof(word32)];
+            #endif
+        #else
+            word32 *iv;
+            CRYP_InitTypeDef cryptInit;
+            CRYP_KeyInitTypeDef keyInit;
+            CRYP_IVInitTypeDef ivInit;
+        #endif
 
-            /* crypto structure initialization */
-            CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
-            CRYP_StructInit(&AES_CRYP_InitStructure);
-            CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
+            ret = wolfSSL_CryptHwMutexLock();
+            if (ret != 0) {
+                return ret;
+            }
 
-            /* reset registers to their default values */
-            CRYP_DeInit();
+        #ifdef WOLFSSL_STM32_CUBEMX
+            ret = wc_Stm32_Aes_Init(aes, &hcryp);
+            if (ret != 0) {
+                wolfSSL_CryptHwMutexUnLock();
+                return ret;
+            }
 
-            /* load key into correct registers */
-            switch(aes->rounds)
-            {
-                case 10: /* 128-bit key */
-                    AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[0];
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[1];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[2];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[3];
-                    break;
+        #ifdef STM32_CRYPTO_AES_ONLY
+            hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
+            hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CTR;
+            hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
+            hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
+        #elif defined(STM32_HAL_V2)
+            hcryp.Init.Algorithm  = CRYP_AES_CTR;
+            ByteReverseWords(iv, aes->reg, AES_BLOCK_SIZE);
+            hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)iv;
+        #else
+            hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
+        #endif
+            HAL_CRYP_Init(&hcryp);
+
+        #ifdef STM32_CRYPTO_AES_ONLY
+            ret = HAL_CRYPEx_AES(&hcryp, (byte*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #elif defined(STM32_HAL_V2)
+            ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
+                (uint32_t*)out, STM32_HAL_TIMEOUT);
+        #else
+            ret = HAL_CRYP_AESCTR_Encrypt(&hcryp, (byte*)in, AES_BLOCK_SIZE,
+                out, STM32_HAL_TIMEOUT);
+        #endif
+            if (ret != HAL_OK) {
+                ret = WC_TIMEOUT_E;
+            }
+            HAL_CRYP_DeInit(&hcryp);
 
-                case 12: /* 192-bit key */
-                    AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
-                    AES_CRYP_KeyInitStructure.CRYP_Key1Left  = enc_key[0];
-                    AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[1];
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[2];
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[3];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[4];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[5];
-                    break;
+        #else /* STD_PERI_LIB */
+            ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
+            if (ret != 0) {
+                wolfSSL_CryptHwMutexUnLock();
+                return ret;
+            }
 
-                case 14: /* 256-bit key */
-                    AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
-                    AES_CRYP_KeyInitStructure.CRYP_Key0Left  = enc_key[0];
-                    AES_CRYP_KeyInitStructure.CRYP_Key0Right = enc_key[1];
-                    AES_CRYP_KeyInitStructure.CRYP_Key1Left  = enc_key[2];
-                    AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[3];
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Left  = enc_key[4];
-                    AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[5];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Left  = enc_key[6];
-                    AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[7];
-                    break;
+            /* reset registers to their default values */
+            CRYP_DeInit();
 
-                default:
-                    break;
-            }
-            CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
+            /* set key */
+            CRYP_KeyInit(&keyInit);
 
             /* set iv */
-            ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
-            AES_CRYP_IVInitStructure.CRYP_IV0Left  = iv[0];
-            AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
-            AES_CRYP_IVInitStructure.CRYP_IV1Left  = iv[2];
-            AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
-            CRYP_IVInit(&AES_CRYP_IVInitStructure);
-
-            /* set direction, mode, and datatype */
-            AES_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
-            AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CTR;
-            AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
-            CRYP_Init(&AES_CRYP_InitStructure);
+            iv = aes->reg;
+            CRYP_IVStructInit(&ivInit);
+            ivInit.CRYP_IV0Left  = ByteReverseWord32(iv[0]);
+            ivInit.CRYP_IV0Right = ByteReverseWord32(iv[1]);
+            ivInit.CRYP_IV1Left  = ByteReverseWord32(iv[2]);
+            ivInit.CRYP_IV1Right = ByteReverseWord32(iv[3]);
+            CRYP_IVInit(&ivInit);
+
+            /* set direction and mode */
+            cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
+            cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CTR;
+            CRYP_Init(&cryptInit);
 
             /* enable crypto processor */
             CRYP_Cmd(ENABLE);
 
-            while (sz > 0)
-            {
-                /* flush IN/OUT FIFOs */
-                CRYP_FIFOFlush();
-
-                CRYP_DataIn(*(uint32_t*)&in[0]);
-                CRYP_DataIn(*(uint32_t*)&in[4]);
-                CRYP_DataIn(*(uint32_t*)&in[8]);
-                CRYP_DataIn(*(uint32_t*)&in[12]);
-
-                /* wait until the complete message has been processed */
-                while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+            /* flush IN/OUT FIFOs */
+            CRYP_FIFOFlush();
 
-                *(uint32_t*)&out[0]  = CRYP_DataOut();
-                *(uint32_t*)&out[4]  = CRYP_DataOut();
-                *(uint32_t*)&out[8]  = CRYP_DataOut();
-                *(uint32_t*)&out[12] = CRYP_DataOut();
+            CRYP_DataIn(*(uint32_t*)&in[0]);
+            CRYP_DataIn(*(uint32_t*)&in[4]);
+            CRYP_DataIn(*(uint32_t*)&in[8]);
+            CRYP_DataIn(*(uint32_t*)&in[12]);
 
-                /* store iv for next call */
-                XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+            /* wait until the complete message has been processed */
+            while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
 
-                sz  -= 16;
-                in  += 16;
-                out += 16;
-            }
+            *(uint32_t*)&out[0]  = CRYP_DataOut();
+            *(uint32_t*)&out[4]  = CRYP_DataOut();
+            *(uint32_t*)&out[8]  = CRYP_DataOut();
+            *(uint32_t*)&out[12] = CRYP_DataOut();
 
             /* disable crypto processor */
             CRYP_Cmd(DISABLE);
+
+        #endif /* WOLFSSL_STM32_CUBEMX */
+
+            wolfSSL_CryptHwMutexUnLock();
+            return ret;
         }
 
+
     #elif defined(WOLFSSL_PIC32MZ_CRYPT)
-        void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+
+        #define NEED_AES_CTR_SOFT
+        #define XTRANSFORM_AESCTRBLOCK wc_AesCtrEncryptBlock
+
+        int wc_AesCtrEncryptBlock(Aes* aes, byte* out, const byte* in)
         {
-            int i ;
-            char out_block[AES_BLOCK_SIZE] ;
-            int odd ;
-            int even ;
-            char *tmp ; /* (char *)aes->tmp, for short */
-
-            tmp = (char *)aes->tmp ;
-            if(aes->left) {
-                if((aes->left + sz) >= AES_BLOCK_SIZE){
-                    odd = AES_BLOCK_SIZE - aes->left ;
-                } else {
-                    odd = sz ;
-                }
-                XMEMCPY(tmp+aes->left, in, odd) ;
-                if((odd+aes->left) == AES_BLOCK_SIZE){
-                    wc_AesCrypt(aes, out_block, tmp, AES_BLOCK_SIZE,
-                        PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCTR);
-                    XMEMCPY(out, out_block+aes->left, odd) ;
-                    aes->left = 0 ;
-                    XMEMSET(tmp, 0x0, AES_BLOCK_SIZE) ;
-                    /* Increment IV */
-                    for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
-                        if (++((byte *)aes->iv_ce)[i])
-                            break ;
-                    }
-                }
-                in += odd ;
-                out+= odd ;
-                sz -= odd ;
-            }
-            odd = sz % AES_BLOCK_SIZE ;  /* if there is tail flagment */
-            if(sz / AES_BLOCK_SIZE) {
-                even = (sz/AES_BLOCK_SIZE)*AES_BLOCK_SIZE ;
-                wc_AesCrypt(aes, out, in, even, PIC32_ENCRYPTION, PIC32_ALGO_AES,
-                                                        PIC32_CRYPTOALGO_RCTR);
-                out += even ;
-                in  += even ;
-                do {  /* Increment IV */
-                    for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
-                        if (++((byte *)aes->iv_ce)[i])
-                            break ;
-                    }
-                    even -= AES_BLOCK_SIZE ;
-                } while((int)even > 0) ;
-            }
-            if(odd) {
-                XMEMSET(tmp+aes->left, 0x0, AES_BLOCK_SIZE - aes->left) ;
-                XMEMCPY(tmp+aes->left, in, odd) ;
-                wc_AesCrypt(aes, out_block, tmp, AES_BLOCK_SIZE,
-                        PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCTR);
-                XMEMCPY(out, out_block+aes->left,odd) ;
-                aes->left += odd ;
-            }
+            word32 tmpIv[AES_BLOCK_SIZE / sizeof(word32)];
+            XMEMCPY(tmpIv, aes->reg, AES_BLOCK_SIZE);
+            return wc_Pic32AesCrypt(
+                aes->key, aes->keylen, tmpIv, AES_BLOCK_SIZE,
+                out, in, AES_BLOCK_SIZE,
+                PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCTR);
         }
 
     #elif defined(HAVE_COLDFIRE_SEC)
         #error "Coldfire SEC doesn't currently support AES-CTR mode"
 
-    #elif defined(FREESCALE_MMCAU)
-        #error "Freescale mmCAU doesn't currently support AES-CTR mode"
+    #elif defined(FREESCALE_LTC)
+        int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+        {
+            uint32_t keySize;
+            byte *iv, *enc_key;
+            byte* tmp;
+
+            if (aes == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
+
+            /* consume any unused bytes left in aes->tmp */
+            tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
+            while (aes->left && sz) {
+                *(out++) = *(in++) ^ *(tmp++);
+                aes->left--;
+                sz--;
+            }
+
+            if (sz) {
+                iv      = (byte*)aes->reg;
+                enc_key = (byte*)aes->key;
+
+                wc_AesGetKeySize(aes, &keySize);
+
+                LTC_AES_CryptCtr(LTC_BASE, in, out, sz,
+                    iv, enc_key, keySize, (byte*)aes->tmp,
+                    (uint32_t*)&aes->left);
+            }
+
+            return 0;
+        }
+
+    #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+        /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
+
+    #elif defined(WOLFSSL_AFALG)
+        /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
+
+    #elif defined(WOLFSSL_DEVCRYPTO_AES)
+        /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
+   
+    #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+        !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
+        /* esp32 doesn't support CRT mode by hw.     */
+        /* use aes ecnryption plus sw implementation */
+        #define NEED_AES_CTR_SOFT
 
     #else
+
+        /* Use software based AES counter */
+        #define NEED_AES_CTR_SOFT
+    #endif
+
+    #ifdef NEED_AES_CTR_SOFT
         /* Increment AES counter */
-        static INLINE void IncrementAesCounter(byte* inOutCtr)
+        static WC_INLINE void IncrementAesCounter(byte* inOutCtr)
         {
-            int i;
-
             /* in network byte order so start at end and work back */
+            int i;
             for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
                 if (++inOutCtr[i])  /* we're done unless we overflow */
                     return;
             }
         }
 
-        void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+        /* Software AES - CTR Encrypt */
+        int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
         {
-            byte* tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
+            byte* tmp;
+            byte scratch[AES_BLOCK_SIZE];
+
+            if (aes == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
             /* consume any unused bytes left in aes->tmp */
+            tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
             while (aes->left && sz) {
                *(out++) = *(in++) ^ *(tmp++);
                aes->left--;
@@ -2621,17 +3941,23 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
 
             /* do as many block size ops as possible */
             while (sz >= AES_BLOCK_SIZE) {
-                wc_AesEncrypt(aes, (byte*)aes->reg, out);
+            #ifdef XTRANSFORM_AESCTRBLOCK
+                XTRANSFORM_AESCTRBLOCK(aes, out, in);
+            #else
+                wc_AesEncrypt(aes, (byte*)aes->reg, scratch);
+                xorbuf(scratch, in, AES_BLOCK_SIZE);
+                XMEMCPY(out, scratch, AES_BLOCK_SIZE);
+            #endif
                 IncrementAesCounter((byte*)aes->reg);
-                xorbuf(out, in, AES_BLOCK_SIZE);
 
                 out += AES_BLOCK_SIZE;
                 in  += AES_BLOCK_SIZE;
                 sz  -= AES_BLOCK_SIZE;
                 aes->left = 0;
             }
+            ForceZero(scratch, AES_BLOCK_SIZE);
 
-            /* handle non block size remaining and sotre unused byte count in left */
+            /* handle non block size remaining and store unused byte count in left */
             if (sz) {
                 wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp);
                 IncrementAesCounter((byte*)aes->reg);
@@ -2644,49 +3970,63 @@ int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
                     aes->left--;
                 }
             }
+
+            return 0;
         }
 
-    #endif /* STM32F2_CRYPTO, AES-CTR block */
+    #endif /* NEED_AES_CTR_SOFT */
 
 #endif /* WOLFSSL_AES_COUNTER */
+#endif /* !WOLFSSL_ARMASM */
 
-#ifdef HAVE_AESGCM
 
 /*
- * The IV for AES GCM, stored in struct Aes's member reg, is comprised of
- * three parts in order:
- *   1. The implicit IV. This is generated from the PRF using the shared
- *      secrets between endpoints. It is 4 bytes long.
- *   2. The explicit IV. This is set by the user of the AES. It needs to be
- *      unique for each call to encrypt. The explicit IV is shared with the
- *      other end of the transaction in the clear.
- *   3. The counter. Each block of data is encrypted with its own sequence
- *      number counter.
+ * The IV for AES GCM and CCM, stored in struct Aes's member reg, is comprised
+ * of two parts in order:
+ *   1. The fixed field which may be 0 or 4 bytes long. In TLS, this is set
+ *      to the implicit IV.
+ *   2. The explicit IV is generated by wolfCrypt. It needs to be managed
+ *      by wolfCrypt to ensure the IV is unique for each call to encrypt.
+ * The IV may be a 96-bit random value, or the 32-bit fixed value and a
+ * 64-bit set of 0 or random data. The final 32-bits of reg is used as a
+ * block counter during the encryption.
  */
 
-#ifdef STM32F2_CRYPTO
-    #error "STM32F2 crypto doesn't currently support AES-GCM mode"
+#if (defined(HAVE_AESGCM) && !defined(WC_NO_RNG)) || defined(HAVE_AESCCM)
+static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz)
+{
+    int i;
+    for (i = ctrSz-1; i >= 0; i--) {
+        if (++ctr[i])
+            break;
+    }
+}
+#endif /* HAVE_AESGCM || HAVE_AESCCM */
 
-#elif defined(HAVE_COLDFIRE_SEC)
+
+#ifdef HAVE_AESGCM
+
+#if defined(HAVE_COLDFIRE_SEC)
     #error "Coldfire SEC doesn't currently support AES-GCM mode"
 
+#elif defined(WOLFSSL_NRF51_AES)
+    #error "nRF51 doesn't currently support AES-GCM mode"
+
 #endif
 
-enum {
-    CTR_SZ = 4
-};
+#ifdef WOLFSSL_ARMASM
+    /* implementation is located in wolfcrypt/src/port/arm/armv8-aes.c */
 
+#elif defined(WOLFSSL_AFALG)
+    /* implemented in wolfcrypt/src/port/afalg/afalg_aes.c */
 
-static INLINE void InitGcmCounter(byte* inOutCtr)
-{
-    inOutCtr[AES_BLOCK_SIZE - 4] = 0;
-    inOutCtr[AES_BLOCK_SIZE - 3] = 0;
-    inOutCtr[AES_BLOCK_SIZE - 2] = 0;
-    inOutCtr[AES_BLOCK_SIZE - 1] = 1;
-}
+#elif defined(WOLFSSL_DEVCRYPTO_AES)
+    /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
 
+#else /* software + AESNI implementation */
 
-static INLINE void IncrementGcmCounter(byte* inOutCtr)
+#if !defined(FREESCALE_LTC_AES_GCM)
+static WC_INLINE void IncrementGcmCounter(byte* inOutCtr)
 {
     int i;
 
@@ -2696,11 +4036,23 @@ static INLINE void IncrementGcmCounter(byte* inOutCtr)
             return;
     }
 }
+#ifdef STM32_CRYPTO_AES_GCM
+static WC_INLINE void DecrementGcmCounter(byte* inOutCtr)
+{
+    int i;
 
+    /* in network byte order so start at end and work back */
+    for (i = AES_BLOCK_SIZE - 1; i >= AES_BLOCK_SIZE - CTR_SZ; i--) {
+        if (--inOutCtr[i] != 0xFF)  /* we're done unless we underflow */
+            return;
+    }
+}
+#endif /* STM32_CRYPTO_AES_GCM */
+#endif /* !FREESCALE_LTC_AES_GCM */
 
 #if defined(GCM_SMALL) || defined(GCM_TABLE)
 
-static INLINE void FlattenSzInBits(byte* buf, word32 sz)
+static WC_INLINE void FlattenSzInBits(byte* buf, word32 sz)
 {
     /* Multiply the sz by 8 */
     word32 szHi = (sz >> (8*sizeof(sz) - 3));
@@ -2718,7 +4070,7 @@ static INLINE void FlattenSzInBits(byte* buf, word32 sz)
 }
 
 
-static INLINE void RIGHTSHIFTX(byte* x)
+static WC_INLINE void RIGHTSHIFTX(byte* x)
 {
     int i;
     int carryOut = 0;
@@ -2762,39 +4114,1250 @@ static void GenerateM0(Aes* aes)
 
 #endif /* GCM_TABLE */
 
-
+/* Software AES - GCM SetKey */
 int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
 {
     int  ret;
     byte iv[AES_BLOCK_SIZE];
 
-    #ifdef FREESCALE_MMCAU
-        byte* rk = (byte*)aes->key;
+    #ifdef WOLFSSL_IMX6_CAAM_BLOB
+        byte   local[32];
+        word32 localSz = 32;
+
+        if (len == (16 + WC_CAAM_BLOB_SZ) ||
+          len == (24 + WC_CAAM_BLOB_SZ) ||
+          len == (32 + WC_CAAM_BLOB_SZ)) {
+            if (wc_caamOpenBlob((byte*)key, len, local, &localSz) != 0) {
+                 return BAD_FUNC_ARG;
+            }
+
+            /* set local values */
+            key = local;
+            len = localSz;
+        }
     #endif
 
     if (!((len == 16) || (len == 24) || (len == 32)))
         return BAD_FUNC_ARG;
 
+#ifdef OPENSSL_EXTRA
+    if (aes != NULL) {
+        XMEMSET(aes->aadH, 0, sizeof(aes->aadH));
+        aes->aadLen = 0;
+    }
+#endif
     XMEMSET(iv, 0, AES_BLOCK_SIZE);
     ret = wc_AesSetKey(aes, key, len, iv, AES_ENCRYPTION);
 
+    #ifdef WOLFSSL_AESNI
+        /* AES-NI code generates its own H value. */
+        if (haveAESNI)
+            return ret;
+    #endif /* WOLFSSL_AESNI */
+
+#if !defined(FREESCALE_LTC_AES_GCM)
     if (ret == 0) {
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(iv, rk, aes->rounds, aes->H);
-    #else
         wc_AesEncrypt(aes, iv, aes->H);
-    #endif
     #ifdef GCM_TABLE
         GenerateM0(aes);
     #endif /* GCM_TABLE */
     }
+#endif /* FREESCALE_LTC_AES_GCM */
+
+#if defined(WOLFSSL_XILINX_CRYPT)
+    wc_AesGcmSetKey_ex(aes, key, len, XSECURE_CSU_AES_KEY_SRC_KUP);
+#elif defined(WOLFSSL_AFALG_XILINX_AES)
+    wc_AesGcmSetKey_ex(aes, key, len, 0);
+#endif
+
+#ifdef WOLF_CRYPTO_CB
+    if (aes->devId != INVALID_DEVID) {
+        XMEMCPY(aes->devKey, key, len);
+    }
+#endif
+
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+    ForceZero(local, sizeof(local));
+#endif
 
     return ret;
 }
 
 
-#if defined(GCM_SMALL)
+#ifdef WOLFSSL_AESNI
+
+#if defined(USE_INTEL_SPEEDUP)
+    #define HAVE_INTEL_AVX1
+    #define HAVE_INTEL_AVX2
+#endif /* USE_INTEL_SPEEDUP */
+
+#ifndef _MSC_VER
+
+void AES_GCM_encrypt(const unsigned char *in, unsigned char *out,
+                     const unsigned char* addt, const unsigned char* ivec,
+                     unsigned char *tag, unsigned int nbytes,
+                     unsigned int abytes, unsigned int ibytes,
+                     unsigned int tbytes, const unsigned char* key, int nr)
+                     XASM_LINK("AES_GCM_encrypt");
+#ifdef HAVE_INTEL_AVX1
+void AES_GCM_encrypt_avx1(const unsigned char *in, unsigned char *out,
+                          const unsigned char* addt, const unsigned char* ivec,
+                          unsigned char *tag, unsigned int nbytes,
+                          unsigned int abytes, unsigned int ibytes,
+                          unsigned int tbytes, const unsigned char* key,
+                          int nr)
+                          XASM_LINK("AES_GCM_encrypt_avx1");
+#ifdef HAVE_INTEL_AVX2
+void AES_GCM_encrypt_avx2(const unsigned char *in, unsigned char *out,
+                          const unsigned char* addt, const unsigned char* ivec,
+                          unsigned char *tag, unsigned int nbytes,
+                          unsigned int abytes, unsigned int ibytes,
+                          unsigned int tbytes, const unsigned char* key,
+                          int nr)
+                          XASM_LINK("AES_GCM_encrypt_avx2");
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* HAVE_INTEL_AVX1 */
+
+#ifdef HAVE_AES_DECRYPT
+void AES_GCM_decrypt(const unsigned char *in, unsigned char *out,
+                     const unsigned char* addt, const unsigned char* ivec,
+                     const unsigned char *tag, int nbytes, int abytes,
+                     int ibytes, int tbytes, const unsigned char* key, int nr,
+                     int* res)
+                     XASM_LINK("AES_GCM_decrypt");
+#ifdef HAVE_INTEL_AVX1
+void AES_GCM_decrypt_avx1(const unsigned char *in, unsigned char *out,
+                          const unsigned char* addt, const unsigned char* ivec,
+                          const unsigned char *tag, int nbytes, int abytes,
+                          int ibytes, int tbytes, const unsigned char* key,
+                          int nr, int* res)
+                          XASM_LINK("AES_GCM_decrypt_avx1");
+#ifdef HAVE_INTEL_AVX2
+void AES_GCM_decrypt_avx2(const unsigned char *in, unsigned char *out,
+                          const unsigned char* addt, const unsigned char* ivec,
+                          const unsigned char *tag, int nbytes, int abytes,
+                          int ibytes, int tbytes, const unsigned char* key,
+                          int nr, int* res)
+                          XASM_LINK("AES_GCM_decrypt_avx2");
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* HAVE_INTEL_AVX1 */
+#endif /* HAVE_AES_DECRYPT */
+
+#else /* _MSC_VER */
+
+#define S(w,z) ((char)((unsigned long long)(w) >> (8*(7-(z))) & 0xFF))
+#define M128_INIT(x,y) { S((x),7), S((x),6), S((x),5), S((x),4), \
+                         S((x),3), S((x),2), S((x),1), S((x),0), \
+                         S((y),7), S((y),6), S((y),5), S((y),4), \
+                         S((y),3), S((y),2), S((y),1), S((y),0) }
+
+static const __m128i MOD2_128 =
+        M128_INIT(0x1, (long long int)0xc200000000000000UL);
+
+
+/* See Intel® Carry-Less Multiplication Instruction
+ * and its Usage for Computing the GCM Mode White Paper
+ * by Shay Gueron, Intel Mobility Group, Israel Development Center;
+ * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research */
+
+
+/* Figure 9. AES-GCM – Encrypt With Single Block Ghash at a Time */
+
+static const __m128i ONE   = M128_INIT(0x0, 0x1);
+#ifndef AES_GCM_AESNI_NO_UNROLL
+static const __m128i TWO   = M128_INIT(0x0, 0x2);
+static const __m128i THREE = M128_INIT(0x0, 0x3);
+static const __m128i FOUR  = M128_INIT(0x0, 0x4);
+static const __m128i FIVE  = M128_INIT(0x0, 0x5);
+static const __m128i SIX   = M128_INIT(0x0, 0x6);
+static const __m128i SEVEN = M128_INIT(0x0, 0x7);
+static const __m128i EIGHT = M128_INIT(0x0, 0x8);
+#endif
+static const __m128i BSWAP_EPI64 =
+        M128_INIT(0x0001020304050607, 0x08090a0b0c0d0e0f);
+static const __m128i BSWAP_MASK =
+        M128_INIT(0x08090a0b0c0d0e0f, 0x0001020304050607);
+
+
+/* The following are for MSC based builds which do not allow
+ * inline assembly. Intrinsic functions are used instead. */
+
+#define aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T)         \
+do                                                         \
+{                                                          \
+    word32 iv12[4];                                        \
+    iv12[0] = *(word32*)&ivec[0];                          \
+    iv12[1] = *(word32*)&ivec[4];                          \
+    iv12[2] = *(word32*)&ivec[8];                          \
+    iv12[3] = 0x01000000;                                  \
+    Y = _mm_loadu_si128((__m128i*)iv12);                   \
+                                                           \
+    /* (Compute E[ZERO, KS] and E[Y0, KS] together */      \
+    tmp1 = _mm_load_si128(&KEY[0]);                        \
+    tmp2 = _mm_xor_si128(Y, KEY[0]);                       \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);                 \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                 \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);                 \
+    lastKey = KEY[10];                                     \
+    if (nr > 10) {                                         \
+        tmp1 = _mm_aesenc_si128(tmp1, lastKey);            \
+        tmp2 = _mm_aesenc_si128(tmp2, lastKey);            \
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);            \
+        tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);            \
+        lastKey = KEY[12];                                 \
+        if (nr > 12) {                                     \
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);        \
+            tmp2 = _mm_aesenc_si128(tmp2, lastKey);        \
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);        \
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);        \
+            lastKey = KEY[14];                             \
+        }                                                  \
+    }                                                      \
+    H = _mm_aesenclast_si128(tmp1, lastKey);               \
+    T = _mm_aesenclast_si128(tmp2, lastKey);               \
+    H = _mm_shuffle_epi8(H, BSWAP_MASK);                   \
+}                                                          \
+while (0)
+
+#define aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T)         \
+do                                                              \
+{                                                               \
+    if (ibytes % 16) {                                          \
+        i = ibytes / 16;                                        \
+        for (j=0; j < (int)(ibytes%16); j++)                    \
+            ((unsigned char*)&last_block)[j] = ivec[i*16+j];    \
+    }                                                           \
+    tmp1 = _mm_load_si128(&KEY[0]);                             \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                      \
+    lastKey = KEY[10];                                          \
+    if (nr > 10) {                                              \
+        tmp1 = _mm_aesenc_si128(tmp1, lastKey);                 \
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);                 \
+        lastKey = KEY[12];                                      \
+        if (nr > 12) {                                          \
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);             \
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);             \
+            lastKey = KEY[14];                                  \
+        }                                                       \
+    }                                                           \
+    H = _mm_aesenclast_si128(tmp1, lastKey);                    \
+    H = _mm_shuffle_epi8(H, BSWAP_MASK);                        \
+    Y = _mm_setzero_si128();                                    \
+    for (i=0; i < (int)(ibytes/16); i++) {                      \
+        tmp1 = _mm_loadu_si128(&((__m128i*)ivec)[i]);           \
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);              \
+        Y = _mm_xor_si128(Y, tmp1);                             \
+        Y = gfmul_sw(Y, H);                                     \
+    }                                                           \
+    if (ibytes % 16) {                                          \
+        tmp1 = last_block;                                      \
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);              \
+        Y = _mm_xor_si128(Y, tmp1);                             \
+        Y = gfmul_sw(Y, H);                                     \
+    }                                                           \
+    tmp1 = _mm_insert_epi64(tmp1, ibytes*8, 0);                 \
+    tmp1 = _mm_insert_epi64(tmp1, 0, 1);                        \
+    Y = _mm_xor_si128(Y, tmp1);                                 \
+    Y = gfmul_sw(Y, H);                                         \
+    Y = _mm_shuffle_epi8(Y, BSWAP_MASK); /* Compute E(K, Y0) */ \
+    tmp1 = _mm_xor_si128(Y, KEY[0]);                            \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                      \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                      \
+    lastKey = KEY[10];                                          \
+    if (nr > 10) {                                              \
+        tmp1 = _mm_aesenc_si128(tmp1, lastKey);                 \
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);                 \
+        lastKey = KEY[12];                                      \
+        if (nr > 12) {                                          \
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);             \
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);             \
+            lastKey = KEY[14];                                  \
+        }                                                       \
+    }                                                           \
+    T = _mm_aesenclast_si128(tmp1, lastKey);                    \
+}                                                               \
+while (0)
+
+#define AES_ENC_8(j)                       \
+    tmp1 = _mm_aesenc_si128(tmp1, KEY[j]); \
+    tmp2 = _mm_aesenc_si128(tmp2, KEY[j]); \
+    tmp3 = _mm_aesenc_si128(tmp3, KEY[j]); \
+    tmp4 = _mm_aesenc_si128(tmp4, KEY[j]); \
+    tmp5 = _mm_aesenc_si128(tmp5, KEY[j]); \
+    tmp6 = _mm_aesenc_si128(tmp6, KEY[j]); \
+    tmp7 = _mm_aesenc_si128(tmp7, KEY[j]); \
+    tmp8 = _mm_aesenc_si128(tmp8, KEY[j]);
+
+#define AES_ENC_LAST_8()                                                  \
+    tmp1 =_mm_aesenclast_si128(tmp1, lastKey);                            \
+    tmp2 =_mm_aesenclast_si128(tmp2, lastKey);                            \
+    tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[i*8+0]));  \
+    tmp2 = _mm_xor_si128(tmp2, _mm_loadu_si128(&((__m128i*)in)[i*8+1]));  \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+0], tmp1);                      \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+1], tmp2);                      \
+    tmp3 =_mm_aesenclast_si128(tmp3, lastKey);                            \
+    tmp4 =_mm_aesenclast_si128(tmp4, lastKey);                            \
+    tmp3 = _mm_xor_si128(tmp3, _mm_loadu_si128(&((__m128i*)in)[i*8+2]));  \
+    tmp4 = _mm_xor_si128(tmp4, _mm_loadu_si128(&((__m128i*)in)[i*8+3]));  \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+2], tmp3);                      \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+3], tmp4);                      \
+    tmp5 =_mm_aesenclast_si128(tmp5, lastKey);                            \
+    tmp6 =_mm_aesenclast_si128(tmp6, lastKey);                            \
+    tmp5 = _mm_xor_si128(tmp5, _mm_loadu_si128(&((__m128i*)in)[i*8+4]));  \
+    tmp6 = _mm_xor_si128(tmp6, _mm_loadu_si128(&((__m128i*)in)[i*8+5]));  \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+4], tmp5);                      \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+5], tmp6);                      \
+    tmp7 =_mm_aesenclast_si128(tmp7, lastKey);                            \
+    tmp8 =_mm_aesenclast_si128(tmp8, lastKey);                            \
+    tmp7 = _mm_xor_si128(tmp7, _mm_loadu_si128(&((__m128i*)in)[i*8+6]));  \
+    tmp8 = _mm_xor_si128(tmp8, _mm_loadu_si128(&((__m128i*)in)[i*8+7]));  \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+6], tmp7);                      \
+    _mm_storeu_si128(&((__m128i*)out)[i*8+7], tmp8);
+
+
+static __m128i gfmul_sw(__m128i a, __m128i b)
+{
+    __m128i r, t1, t2, t3, t4, t5, t6, t7;
+    t2 = _mm_shuffle_epi32(b, 78);
+    t3 = _mm_shuffle_epi32(a, 78);
+    t2 = _mm_xor_si128(t2, b);
+    t3 = _mm_xor_si128(t3, a);
+    t4 = _mm_clmulepi64_si128(b, a, 0x11);
+    t1 = _mm_clmulepi64_si128(b, a, 0x00);
+    t2 = _mm_clmulepi64_si128(t2, t3, 0x00);
+    t2 = _mm_xor_si128(t2, t1);
+    t2 = _mm_xor_si128(t2, t4);
+    t3 = _mm_slli_si128(t2, 8);
+    t2 = _mm_srli_si128(t2, 8);
+    t1 = _mm_xor_si128(t1, t3);
+    t4 = _mm_xor_si128(t4, t2);
+
+    t5 = _mm_srli_epi32(t1, 31);
+    t6 = _mm_srli_epi32(t4, 31);
+    t1 = _mm_slli_epi32(t1, 1);
+    t4 = _mm_slli_epi32(t4, 1);
+    t7 = _mm_srli_si128(t5, 12);
+    t5 = _mm_slli_si128(t5, 4);
+    t6 = _mm_slli_si128(t6, 4);
+    t4 = _mm_or_si128(t4, t7);
+    t1 = _mm_or_si128(t1, t5);
+    t4 = _mm_or_si128(t4, t6);
+
+    t5 = _mm_slli_epi32(t1, 31);
+    t6 = _mm_slli_epi32(t1, 30);
+    t7 = _mm_slli_epi32(t1, 25);
+    t5 = _mm_xor_si128(t5, t6);
+    t5 = _mm_xor_si128(t5, t7);
+
+    t6 = _mm_srli_si128(t5, 4);
+    t5 = _mm_slli_si128(t5, 12);
+    t1 = _mm_xor_si128(t1, t5);
+    t7 = _mm_srli_epi32(t1, 1);
+    t3 = _mm_srli_epi32(t1, 2);
+    t2 = _mm_srli_epi32(t1, 7);
+
+    t7 = _mm_xor_si128(t7, t3);
+    t7 = _mm_xor_si128(t7, t2);
+    t7 = _mm_xor_si128(t7, t6);
+    t7 = _mm_xor_si128(t7, t1);
+    r = _mm_xor_si128(t4, t7);
+
+    return r;
+}
+
+static void gfmul_only(__m128i a, __m128i b, __m128i* r0, __m128i* r1)
+{
+    __m128i t1, t2, t3, t4;
+
+    /* 128 x 128 Carryless Multiply */
+    t2 = _mm_shuffle_epi32(b, 78);
+    t3 = _mm_shuffle_epi32(a, 78);
+    t2 = _mm_xor_si128(t2, b);
+    t3 = _mm_xor_si128(t3, a);
+    t4 = _mm_clmulepi64_si128(b, a, 0x11);
+    t1 = _mm_clmulepi64_si128(b, a, 0x00);
+    t2 = _mm_clmulepi64_si128(t2, t3, 0x00);
+    t2 = _mm_xor_si128(t2, t1);
+    t2 = _mm_xor_si128(t2, t4);
+    t3 = _mm_slli_si128(t2, 8);
+    t2 = _mm_srli_si128(t2, 8);
+    t1 = _mm_xor_si128(t1, t3);
+    t4 = _mm_xor_si128(t4, t2);
+    *r0 = _mm_xor_si128(t1, *r0);
+    *r1 = _mm_xor_si128(t4, *r1);
+}
+
+static __m128i gfmul_shl1(__m128i a)
+{
+    __m128i t1 = a, t2;
+    t2 = _mm_srli_epi64(t1, 63);
+    t1 = _mm_slli_epi64(t1, 1);
+    t2 = _mm_slli_si128(t2, 8);
+    t1 = _mm_or_si128(t1, t2);
+    /* if (a[1] >> 63) t1 = _mm_xor_si128(t1, MOD2_128); */
+    a = _mm_shuffle_epi32(a, 0xff);
+    a = _mm_srai_epi32(a, 31);
+    a = _mm_and_si128(a, MOD2_128);
+    t1 = _mm_xor_si128(t1, a);
+    return t1;
+}
+
+static __m128i ghash_red(__m128i r0, __m128i r1)
+{
+    __m128i t2, t3;
+    __m128i t5, t6, t7;
+
+    t5 = _mm_slli_epi32(r0, 31);
+    t6 = _mm_slli_epi32(r0, 30);
+    t7 = _mm_slli_epi32(r0, 25);
+    t5 = _mm_xor_si128(t5, t6);
+    t5 = _mm_xor_si128(t5, t7);
+
+    t6 = _mm_srli_si128(t5, 4);
+    t5 = _mm_slli_si128(t5, 12);
+    r0 = _mm_xor_si128(r0, t5);
+    t7 = _mm_srli_epi32(r0, 1);
+    t3 = _mm_srli_epi32(r0, 2);
+    t2 = _mm_srli_epi32(r0, 7);
+
+    t7 = _mm_xor_si128(t7, t3);
+    t7 = _mm_xor_si128(t7, t2);
+    t7 = _mm_xor_si128(t7, t6);
+    t7 = _mm_xor_si128(t7, r0);
+    return _mm_xor_si128(r1, t7);
+}
+
+static __m128i gfmul_shifted(__m128i a, __m128i b)
+{
+    __m128i t0 = _mm_setzero_si128(), t1 = _mm_setzero_si128();
+    gfmul_only(a, b, &t0, &t1);
+    return ghash_red(t0, t1);
+}
+
+#ifndef AES_GCM_AESNI_NO_UNROLL
+static __m128i gfmul8(__m128i a1, __m128i a2, __m128i a3, __m128i a4,
+                      __m128i a5, __m128i a6, __m128i a7, __m128i a8,
+                      __m128i b1, __m128i b2, __m128i b3, __m128i b4,
+                      __m128i b5, __m128i b6, __m128i b7, __m128i b8)
+{
+    __m128i t0 = _mm_setzero_si128(), t1 = _mm_setzero_si128();
+    gfmul_only(a1, b8, &t0, &t1);
+    gfmul_only(a2, b7, &t0, &t1);
+    gfmul_only(a3, b6, &t0, &t1);
+    gfmul_only(a4, b5, &t0, &t1);
+    gfmul_only(a5, b4, &t0, &t1);
+    gfmul_only(a6, b3, &t0, &t1);
+    gfmul_only(a7, b2, &t0, &t1);
+    gfmul_only(a8, b1, &t0, &t1);
+    return ghash_red(t0, t1);
+}
+#endif
+
+
+static void AES_GCM_encrypt(const unsigned char *in,
+                              unsigned char *out,
+                              const unsigned char* addt,
+                              const unsigned char* ivec,
+                              unsigned char *tag, unsigned int nbytes,
+                              unsigned int abytes, unsigned int ibytes,
+                              unsigned int tbytes,
+                              const unsigned char* key, int nr)
+{
+    int i, j ,k;
+    __m128i ctr1;
+    __m128i H, Y, T;
+    __m128i X = _mm_setzero_si128();
+    __m128i *KEY = (__m128i*)key, lastKey;
+    __m128i last_block = _mm_setzero_si128();
+    __m128i tmp1, tmp2;
+#ifndef AES_GCM_AESNI_NO_UNROLL
+    __m128i HT[8];
+    __m128i r0, r1;
+    __m128i XV;
+    __m128i tmp3, tmp4, tmp5, tmp6, tmp7, tmp8;
+#endif
+
+    if (ibytes == GCM_NONCE_MID_SZ)
+        aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T);
+    else
+        aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T);
+
+    for (i=0; i < (int)(abytes/16); i++) {
+        tmp1 = _mm_loadu_si128(&((__m128i*)addt)[i]);
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X = _mm_xor_si128(X, tmp1);
+        X = gfmul_sw(X, H);
+    }
+    if (abytes%16) {
+        last_block = _mm_setzero_si128();
+        for (j=0; j < (int)(abytes%16); j++)
+            ((unsigned char*)&last_block)[j] = addt[i*16+j];
+        tmp1 = last_block;
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X = _mm_xor_si128(X, tmp1);
+        X = gfmul_sw(X, H);
+    }
+    tmp1 = _mm_shuffle_epi8(Y, BSWAP_EPI64);
+    ctr1 = _mm_add_epi32(tmp1, ONE);
+    H = gfmul_shl1(H);
+
+#ifndef AES_GCM_AESNI_NO_UNROLL
+    i = 0;
+    if (nbytes >= 16*8) {
+        HT[0] = H;
+        HT[1] = gfmul_shifted(H, H);
+        HT[2] = gfmul_shifted(H, HT[1]);
+        HT[3] = gfmul_shifted(HT[1], HT[1]);
+        HT[4] = gfmul_shifted(HT[1], HT[2]);
+        HT[5] = gfmul_shifted(HT[2], HT[2]);
+        HT[6] = gfmul_shifted(HT[2], HT[3]);
+        HT[7] = gfmul_shifted(HT[3], HT[3]);
+
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        tmp2 = _mm_add_epi32(ctr1, ONE);
+        tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
+        tmp3 = _mm_add_epi32(ctr1, TWO);
+        tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
+        tmp4 = _mm_add_epi32(ctr1, THREE);
+        tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
+        tmp5 = _mm_add_epi32(ctr1, FOUR);
+        tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
+        tmp6 = _mm_add_epi32(ctr1, FIVE);
+        tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
+        tmp7 = _mm_add_epi32(ctr1, SIX);
+        tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
+        tmp8 = _mm_add_epi32(ctr1, SEVEN);
+        tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
+        ctr1 = _mm_add_epi32(ctr1, EIGHT);
+        tmp1 =_mm_xor_si128(tmp1, KEY[0]);
+        tmp2 =_mm_xor_si128(tmp2, KEY[0]);
+        tmp3 =_mm_xor_si128(tmp3, KEY[0]);
+        tmp4 =_mm_xor_si128(tmp4, KEY[0]);
+        tmp5 =_mm_xor_si128(tmp5, KEY[0]);
+        tmp6 =_mm_xor_si128(tmp6, KEY[0]);
+        tmp7 =_mm_xor_si128(tmp7, KEY[0]);
+        tmp8 =_mm_xor_si128(tmp8, KEY[0]);
+        AES_ENC_8(1);
+        AES_ENC_8(2);
+        AES_ENC_8(3);
+        AES_ENC_8(4);
+        AES_ENC_8(5);
+        AES_ENC_8(6);
+        AES_ENC_8(7);
+        AES_ENC_8(8);
+        AES_ENC_8(9);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            AES_ENC_8(10);
+            AES_ENC_8(11);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                AES_ENC_8(12);
+                AES_ENC_8(13);
+                lastKey = KEY[14];
+            }
+        }
+        AES_ENC_LAST_8();
+
+        for (i=1; i < (int)(nbytes/16/8); i++) {
+                r0 = _mm_setzero_si128();
+                r1 = _mm_setzero_si128();
+            tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+            tmp2 = _mm_add_epi32(ctr1, ONE);
+            tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
+            tmp3 = _mm_add_epi32(ctr1, TWO);
+            tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
+            tmp4 = _mm_add_epi32(ctr1, THREE);
+            tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
+            tmp5 = _mm_add_epi32(ctr1, FOUR);
+            tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
+            tmp6 = _mm_add_epi32(ctr1, FIVE);
+            tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
+            tmp7 = _mm_add_epi32(ctr1, SIX);
+            tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
+            tmp8 = _mm_add_epi32(ctr1, SEVEN);
+            tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
+            ctr1 = _mm_add_epi32(ctr1, EIGHT);
+            tmp1 =_mm_xor_si128(tmp1, KEY[0]);
+            tmp2 =_mm_xor_si128(tmp2, KEY[0]);
+            tmp3 =_mm_xor_si128(tmp3, KEY[0]);
+            tmp4 =_mm_xor_si128(tmp4, KEY[0]);
+            tmp5 =_mm_xor_si128(tmp5, KEY[0]);
+            tmp6 =_mm_xor_si128(tmp6, KEY[0]);
+            tmp7 =_mm_xor_si128(tmp7, KEY[0]);
+            tmp8 =_mm_xor_si128(tmp8, KEY[0]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+0]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                XV = _mm_xor_si128(XV, X);
+                gfmul_only(XV, HT[7], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[1]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[1]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[1]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[1]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[1]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[1]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+1]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[6], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[2]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[2]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[2]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[2]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[2]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[2]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+2]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[5], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[3]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[3]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[3]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[3]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[3]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[3]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+3]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[4], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[4]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[4]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[4]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[4]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[4]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[4]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+4]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[3], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[5]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[5]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[5]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[5]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[5]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[5]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+5]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[2], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[6]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[6]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[6]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[6]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[6]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[6]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+6]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[1], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[7]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[7]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[7]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[7]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[7]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[7]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+7]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[0], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[8]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[8]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[8]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[8]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[8]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[8]);
+                /* Reduction */
+                X = ghash_red(r0, r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[9]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[9]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[9]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[9]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[9]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[9]);
+            lastKey = KEY[10];
+            if (nr > 10) {
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[10]);
+                tmp2 = _mm_aesenc_si128(tmp2, KEY[10]);
+                tmp3 = _mm_aesenc_si128(tmp3, KEY[10]);
+                tmp4 = _mm_aesenc_si128(tmp4, KEY[10]);
+                tmp5 = _mm_aesenc_si128(tmp5, KEY[10]);
+                tmp6 = _mm_aesenc_si128(tmp6, KEY[10]);
+                tmp7 = _mm_aesenc_si128(tmp7, KEY[10]);
+                tmp8 = _mm_aesenc_si128(tmp8, KEY[10]);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+                tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);
+                tmp3 = _mm_aesenc_si128(tmp3, KEY[11]);
+                tmp4 = _mm_aesenc_si128(tmp4, KEY[11]);
+                tmp5 = _mm_aesenc_si128(tmp5, KEY[11]);
+                tmp6 = _mm_aesenc_si128(tmp6, KEY[11]);
+                tmp7 = _mm_aesenc_si128(tmp7, KEY[11]);
+                tmp8 = _mm_aesenc_si128(tmp8, KEY[11]);
+                lastKey = KEY[12];
+                if (nr > 12) {
+                    tmp1 = _mm_aesenc_si128(tmp1, KEY[12]);
+                    tmp2 = _mm_aesenc_si128(tmp2, KEY[12]);
+                    tmp3 = _mm_aesenc_si128(tmp3, KEY[12]);
+                    tmp4 = _mm_aesenc_si128(tmp4, KEY[12]);
+                    tmp5 = _mm_aesenc_si128(tmp5, KEY[12]);
+                    tmp6 = _mm_aesenc_si128(tmp6, KEY[12]);
+                    tmp7 = _mm_aesenc_si128(tmp7, KEY[12]);
+                    tmp8 = _mm_aesenc_si128(tmp8, KEY[12]);
+                    tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                    tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);
+                    tmp3 = _mm_aesenc_si128(tmp3, KEY[13]);
+                    tmp4 = _mm_aesenc_si128(tmp4, KEY[13]);
+                    tmp5 = _mm_aesenc_si128(tmp5, KEY[13]);
+                    tmp6 = _mm_aesenc_si128(tmp6, KEY[13]);
+                    tmp7 = _mm_aesenc_si128(tmp7, KEY[13]);
+                    tmp8 = _mm_aesenc_si128(tmp8, KEY[13]);
+                    lastKey = KEY[14];
+                }
+            }
+            AES_ENC_LAST_8();
+        }
 
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_MASK);
+        tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_MASK);
+        tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_MASK);
+        tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_MASK);
+        tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_MASK);
+        tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_MASK);
+        tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_MASK);
+        tmp1 = _mm_xor_si128(X, tmp1);
+        X = gfmul8(tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7, tmp8,
+                   HT[0], HT[1], HT[2], HT[3], HT[4], HT[5], HT[6], HT[7]);
+    }
+    for (k = i*8; k < (int)(nbytes/16); k++) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        ctr1 = _mm_add_epi32(ctr1, ONE);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
+        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X =_mm_xor_si128(X, tmp1);
+        X = gfmul_shifted(X, H);
+    }
+#else /* AES_GCM_AESNI_NO_UNROLL */
+    for (k = 0; k < (int)(nbytes/16) && k < 1; k++) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        ctr1 = _mm_add_epi32(ctr1, ONE);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
+        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X =_mm_xor_si128(X, tmp1);
+    }
+    for (; k < (int)(nbytes/16); k++) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        ctr1 = _mm_add_epi32(ctr1, ONE);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        X = gfmul_shifted(X, H);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
+        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X =_mm_xor_si128(X, tmp1);
+    }
+    if (k > 0) {
+        X = gfmul_shifted(X, H);
+    }
+#endif /* AES_GCM_AESNI_NO_UNROLL */
+
+    /* If one partial block remains */
+    if (nbytes % 16) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        last_block = tmp1;
+        for (j=0; j < (int)(nbytes%16); j++)
+            ((unsigned char*)&last_block)[j] = in[k*16+j];
+        tmp1 = _mm_xor_si128(tmp1, last_block);
+        last_block = tmp1;
+        for (j=0; j < (int)(nbytes%16); j++)
+            out[k*16+j] = ((unsigned char*)&last_block)[j];
+        tmp1 = last_block;
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X =_mm_xor_si128(X, tmp1);
+        X = gfmul_shifted(X, H);
+    }
+    tmp1 = _mm_insert_epi64(tmp1, nbytes*8, 0);
+    tmp1 = _mm_insert_epi64(tmp1, abytes*8, 1);
+    X = _mm_xor_si128(X, tmp1);
+    X = gfmul_shifted(X, H);
+    X = _mm_shuffle_epi8(X, BSWAP_MASK);
+    T = _mm_xor_si128(X, T);
+    /*_mm_storeu_si128((__m128i*)tag, T);*/
+    XMEMCPY(tag, &T, tbytes);
+}
+
+#ifdef HAVE_AES_DECRYPT
+
+static void AES_GCM_decrypt(const unsigned char *in,
+                           unsigned char *out,
+                           const unsigned char* addt,
+                           const unsigned char* ivec,
+                           const unsigned char *tag, int nbytes, int abytes,
+                           int ibytes, word32 tbytes, const unsigned char* key,
+                           int nr, int* res)
+{
+    int i, j ,k;
+    __m128i H, Y, T;
+    __m128i *KEY = (__m128i*)key, lastKey;
+    __m128i ctr1;
+    __m128i last_block = _mm_setzero_si128();
+    __m128i X = _mm_setzero_si128();
+    __m128i tmp1, tmp2, XV;
+#ifndef AES_GCM_AESNI_NO_UNROLL
+    __m128i HT[8];
+    __m128i r0, r1;
+    __m128i tmp3, tmp4, tmp5, tmp6, tmp7, tmp8;
+#endif /* AES_GCM_AESNI_NO_UNROLL */
+
+    if (ibytes == GCM_NONCE_MID_SZ)
+        aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T);
+    else
+        aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T);
+
+    for (i=0; i<abytes/16; i++) {
+        tmp1 = _mm_loadu_si128(&((__m128i*)addt)[i]);
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X = _mm_xor_si128(X, tmp1);
+        X = gfmul_sw(X, H);
+    }
+    if (abytes%16) {
+        last_block = _mm_setzero_si128();
+        for (j=0; j<abytes%16; j++)
+            ((unsigned char*)&last_block)[j] = addt[i*16+j];
+        tmp1 = last_block;
+        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
+        X = _mm_xor_si128(X, tmp1);
+        X = gfmul_sw(X, H);
+    }
+
+    tmp1 = _mm_shuffle_epi8(Y, BSWAP_EPI64);
+    ctr1 = _mm_add_epi32(tmp1, ONE);
+    H = gfmul_shl1(H);
+    i = 0;
+
+#ifndef AES_GCM_AESNI_NO_UNROLL
+
+    if (0 < nbytes/16/8) {
+        HT[0] = H;
+        HT[1] = gfmul_shifted(H, H);
+        HT[2] = gfmul_shifted(H, HT[1]);
+        HT[3] = gfmul_shifted(HT[1], HT[1]);
+        HT[4] = gfmul_shifted(HT[1], HT[2]);
+        HT[5] = gfmul_shifted(HT[2], HT[2]);
+        HT[6] = gfmul_shifted(HT[2], HT[3]);
+        HT[7] = gfmul_shifted(HT[3], HT[3]);
+
+        for (; i < nbytes/16/8; i++) {
+                r0 = _mm_setzero_si128();
+                r1 = _mm_setzero_si128();
+
+            tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+            tmp2 = _mm_add_epi32(ctr1, ONE);
+            tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
+            tmp3 = _mm_add_epi32(ctr1, TWO);
+            tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
+            tmp4 = _mm_add_epi32(ctr1, THREE);
+            tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
+            tmp5 = _mm_add_epi32(ctr1, FOUR);
+            tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
+            tmp6 = _mm_add_epi32(ctr1, FIVE);
+            tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
+            tmp7 = _mm_add_epi32(ctr1, SIX);
+            tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
+            tmp8 = _mm_add_epi32(ctr1, SEVEN);
+            tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
+            ctr1 = _mm_add_epi32(ctr1, EIGHT);
+            tmp1 =_mm_xor_si128(tmp1, KEY[0]);
+            tmp2 =_mm_xor_si128(tmp2, KEY[0]);
+            tmp3 =_mm_xor_si128(tmp3, KEY[0]);
+            tmp4 =_mm_xor_si128(tmp4, KEY[0]);
+            tmp5 =_mm_xor_si128(tmp5, KEY[0]);
+            tmp6 =_mm_xor_si128(tmp6, KEY[0]);
+            tmp7 =_mm_xor_si128(tmp7, KEY[0]);
+            tmp8 =_mm_xor_si128(tmp8, KEY[0]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+0]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                XV = _mm_xor_si128(XV, X);
+                gfmul_only(XV, HT[7], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[1]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[1]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[1]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[1]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[1]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[1]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+1]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[6], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[2]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[2]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[2]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[2]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[2]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[2]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+2]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[5], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[3]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[3]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[3]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[3]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[3]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[3]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+3]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[4], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[4]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[4]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[4]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[4]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[4]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[4]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+4]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[3], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[5]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[5]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[5]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[5]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[5]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[5]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+5]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[2], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[6]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[6]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[6]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[6]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[6]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[6]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+6]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[1], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[7]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[7]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[7]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[7]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[7]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[7]);
+                /* 128 x 128 Carryless Multiply */
+                XV = _mm_loadu_si128(&((__m128i*)in)[i*8+7]);
+                XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+                gfmul_only(XV, HT[0], &r0, &r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[8]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[8]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[8]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[8]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[8]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[8]);
+                /* Reduction */
+                X = ghash_red(r0, r1);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+            tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);
+            tmp3 = _mm_aesenc_si128(tmp3, KEY[9]);
+            tmp4 = _mm_aesenc_si128(tmp4, KEY[9]);
+            tmp5 = _mm_aesenc_si128(tmp5, KEY[9]);
+            tmp6 = _mm_aesenc_si128(tmp6, KEY[9]);
+            tmp7 = _mm_aesenc_si128(tmp7, KEY[9]);
+            tmp8 = _mm_aesenc_si128(tmp8, KEY[9]);
+            lastKey = KEY[10];
+            if (nr > 10) {
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[10]);
+                tmp2 = _mm_aesenc_si128(tmp2, KEY[10]);
+                tmp3 = _mm_aesenc_si128(tmp3, KEY[10]);
+                tmp4 = _mm_aesenc_si128(tmp4, KEY[10]);
+                tmp5 = _mm_aesenc_si128(tmp5, KEY[10]);
+                tmp6 = _mm_aesenc_si128(tmp6, KEY[10]);
+                tmp7 = _mm_aesenc_si128(tmp7, KEY[10]);
+                tmp8 = _mm_aesenc_si128(tmp8, KEY[10]);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+                tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);
+                tmp3 = _mm_aesenc_si128(tmp3, KEY[11]);
+                tmp4 = _mm_aesenc_si128(tmp4, KEY[11]);
+                tmp5 = _mm_aesenc_si128(tmp5, KEY[11]);
+                tmp6 = _mm_aesenc_si128(tmp6, KEY[11]);
+                tmp7 = _mm_aesenc_si128(tmp7, KEY[11]);
+                tmp8 = _mm_aesenc_si128(tmp8, KEY[11]);
+                lastKey = KEY[12];
+                if (nr > 12) {
+                    tmp1 = _mm_aesenc_si128(tmp1, KEY[12]);
+                    tmp2 = _mm_aesenc_si128(tmp2, KEY[12]);
+                    tmp3 = _mm_aesenc_si128(tmp3, KEY[12]);
+                    tmp4 = _mm_aesenc_si128(tmp4, KEY[12]);
+                    tmp5 = _mm_aesenc_si128(tmp5, KEY[12]);
+                    tmp6 = _mm_aesenc_si128(tmp6, KEY[12]);
+                    tmp7 = _mm_aesenc_si128(tmp7, KEY[12]);
+                    tmp8 = _mm_aesenc_si128(tmp8, KEY[12]);
+                    tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                    tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);
+                    tmp3 = _mm_aesenc_si128(tmp3, KEY[13]);
+                    tmp4 = _mm_aesenc_si128(tmp4, KEY[13]);
+                    tmp5 = _mm_aesenc_si128(tmp5, KEY[13]);
+                    tmp6 = _mm_aesenc_si128(tmp6, KEY[13]);
+                    tmp7 = _mm_aesenc_si128(tmp7, KEY[13]);
+                    tmp8 = _mm_aesenc_si128(tmp8, KEY[13]);
+                    lastKey = KEY[14];
+                }
+            }
+            AES_ENC_LAST_8();
+        }
+    }
+
+#endif /* AES_GCM_AESNI_NO_UNROLL */
+
+    for (k = i*8; k < nbytes/16; k++) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        ctr1 = _mm_add_epi32(ctr1, ONE);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        /* 128 x 128 Carryless Multiply */
+        XV = _mm_loadu_si128(&((__m128i*)in)[k]);
+        XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+        XV = _mm_xor_si128(XV, X);
+        X = gfmul_shifted(XV, H);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        tmp2 = _mm_loadu_si128(&((__m128i*)in)[k]);
+        tmp1 = _mm_xor_si128(tmp1, tmp2);
+        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
+    }
+
+    /* If one partial block remains */
+    if (nbytes % 16) {
+        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
+        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
+        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
+        lastKey = KEY[10];
+        if (nr > 10) {
+            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
+            lastKey = KEY[12];
+            if (nr > 12) {
+                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
+                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
+                lastKey = KEY[14];
+            }
+        }
+        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
+        last_block = _mm_setzero_si128();
+        for (j=0; j < nbytes%16; j++)
+            ((unsigned char*)&last_block)[j] = in[k*16+j];
+        XV = last_block;
+        tmp1 = _mm_xor_si128(tmp1, last_block);
+        last_block = tmp1;
+        for (j=0; j < nbytes%16; j++)
+            out[k*16+j] = ((unsigned char*)&last_block)[j];
+        XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
+        XV = _mm_xor_si128(XV, X);
+        X = gfmul_shifted(XV, H);
+    }
+
+    tmp1 = _mm_insert_epi64(tmp1, nbytes*8, 0);
+    tmp1 = _mm_insert_epi64(tmp1, abytes*8, 1);
+    /* 128 x 128 Carryless Multiply */
+    X = _mm_xor_si128(X, tmp1);
+    X = gfmul_shifted(X, H);
+    X = _mm_shuffle_epi8(X, BSWAP_MASK);
+    T = _mm_xor_si128(X, T);
+
+/*    if (0xffff !=
+           _mm_movemask_epi8(_mm_cmpeq_epi8(T, _mm_loadu_si128((__m128i*)tag)))) */
+    if (XMEMCMP(tag, &T, tbytes) != 0)
+        *res = 0; /* in case the authentication failed */
+    else
+        *res = 1; /* when successful returns 1 */
+}
+
+#endif /* HAVE_AES_DECRYPT */
+#endif /* _MSC_VER */
+#endif /* WOLFSSL_AESNI */
+
+
+#if defined(GCM_SMALL)
 static void GMULT(byte* X, byte* Y)
 {
     byte Z[AES_BLOCK_SIZE];
@@ -2820,8 +5383,8 @@ static void GMULT(byte* X, byte* Y)
 }
 
 
-static void GHASH(Aes* aes, const byte* a, word32 aSz,
-                                const byte* c, word32 cSz, byte* s, word32 sSz)
+void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
+    word32 cSz, byte* s, word32 sSz)
 {
     byte x[AES_BLOCK_SIZE];
     byte scratch[AES_BLOCK_SIZE];
@@ -2969,8 +5532,8 @@ static void GMULT(byte *x, byte m[256][AES_BLOCK_SIZE])
 }
 
 
-static void GHASH(Aes* aes, const byte* a, word32 aSz,
-                                const byte* c, word32 cSz, byte* s, word32 sSz)
+void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
+    word32 cSz, byte* s, word32 sSz)
 {
     byte x[AES_BLOCK_SIZE];
     byte scratch[AES_BLOCK_SIZE];
@@ -3025,12 +5588,13 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 /* end GCM_TABLE */
 #elif defined(WORD64_AVAILABLE) && !defined(GCM_WORD32)
 
+#if !defined(FREESCALE_LTC_AES_GCM)
 static void GMULT(word64* X, word64* Y)
 {
     word64 Z[2] = {0,0};
-    word64 V[2] ; 
+    word64 V[2];
     int i, j;
-    V[0] = X[0] ;  V[1] = X[1] ;
+    V[0] = X[0];  V[1] = X[1];
 
     for (i = 0; i < 2; i++)
     {
@@ -3044,13 +5608,15 @@ static void GMULT(word64* X, word64* Y)
 
             if (V[1] & 0x0000000000000001) {
                 V[1] >>= 1;
-                V[1] |= ((V[0] & 0x0000000000000001) ? 0x8000000000000000ULL : 0);
+                V[1] |= ((V[0] & 0x0000000000000001) ?
+                    0x8000000000000000ULL : 0);
                 V[0] >>= 1;
                 V[0] ^= 0xE100000000000000ULL;
             }
             else {
                 V[1] >>= 1;
-                V[1] |= ((V[0] & 0x0000000000000001) ? 0x8000000000000000ULL : 0);
+                V[1] |= ((V[0] & 0x0000000000000001) ?
+                    0x8000000000000000ULL : 0);
                 V[0] >>= 1;
             }
             y <<= 1;
@@ -3061,8 +5627,8 @@ static void GMULT(word64* X, word64* Y)
 }
 
 
-static void GHASH(Aes* aes, const byte* a, word32 aSz,
-                                const byte* c, word32 cSz, byte* s, word32 sSz)
+void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
+    word32 cSz, byte* s, word32 sSz)
 {
     word64 x[2] = {0,0};
     word32 blocks, partial;
@@ -3070,7 +5636,7 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 
     XMEMCPY(bigH, aes->H, AES_BLOCK_SIZE);
     #ifdef LITTLE_ENDIAN_ORDER
-        ByteReverseWords64(bigH, bigH, AES_BLOCK_SIZE); 
+        ByteReverseWords64(bigH, bigH, AES_BLOCK_SIZE);
     #endif
 
     /* Hash in A, the Additional Authentication Data */
@@ -3098,6 +5664,13 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
             x[1] ^= bigA[1];
             GMULT(x, bigH);
         }
+#ifdef OPENSSL_EXTRA
+        /* store AAD partial tag for next call */
+        aes->aadH[0] = (word32)((x[0] & 0xFFFFFFFF00000000) >> 32);
+        aes->aadH[1] = (word32)(x[0] & 0xFFFFFFFF);
+        aes->aadH[2] = (word32)((x[1] & 0xFFFFFFFF00000000) >> 32);
+        aes->aadH[3] = (word32)(x[1] & 0xFFFFFFFF);
+#endif
     }
 
     /* Hash in C, the Ciphertext */
@@ -3105,6 +5678,13 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
         word64 bigC[2];
         blocks = cSz / AES_BLOCK_SIZE;
         partial = cSz % AES_BLOCK_SIZE;
+#ifdef OPENSSL_EXTRA
+        /* Start from last AAD partial tag */
+        if(aes->aadLen) {
+            x[0] = ((word64)aes->aadH[0]) << 32 | aes->aadH[1];
+            x[1] = ((word64)aes->aadH[2]) << 32 | aes->aadH[3];
+         }
+#endif
         while (blocks--) {
             XMEMCPY(bigC, c, AES_BLOCK_SIZE);
             #ifdef LITTLE_ENDIAN_ORDER
@@ -3129,9 +5709,12 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 
     /* Hash in the lengths in bits of A and C */
     {
-        word64 len[2] ; 
-        len[0] = aSz ; len[1] = cSz;
-
+        word64 len[2];
+        len[0] = aSz; len[1] = cSz;
+#ifdef OPENSSL_EXTRA
+        if (aes->aadLen)
+            len[0] = (word64)aes->aadLen;
+#endif
         /* Lengths are in bytes. Convert to bits. */
         len[0] *= 8;
         len[1] *= 8;
@@ -3145,6 +5728,7 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
     #endif
     XMEMCPY(s, x, sSz);
 }
+#endif /* !FREESCALE_LTC_AES_GCM */
 
 /* end defined(WORD64_AVAILABLE) && !defined(GCM_WORD32) */
 #else /* GCM_WORD32 */
@@ -3152,7 +5736,7 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 static void GMULT(word32* X, word32* Y)
 {
     word32 Z[4] = {0,0,0,0};
-    word32 V[4] ;
+    word32 V[4];
     int i, j;
 
     V[0] = X[0];  V[1] = X[1]; V[2] =  X[2]; V[3] =  X[3];
@@ -3197,8 +5781,8 @@ static void GMULT(word32* X, word32* Y)
 }
 
 
-static void GHASH(Aes* aes, const byte* a, word32 aSz,
-                                const byte* c, word32 cSz, byte* s, word32 sSz)
+void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
+    word32 cSz, byte* s, word32 sSz)
 {
     word32 x[4] = {0,0,0,0};
     word32 blocks, partial;
@@ -3296,165 +5880,1071 @@ static void GHASH(Aes* aes, const byte* a, word32 aSz,
 #endif /* end GCM_WORD32 */
 
 
+#if !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES)
+#ifdef FREESCALE_LTC_AES_GCM
 int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                    const byte* iv, word32 ivSz,
                    byte* authTag, word32 authTagSz,
                    const byte* authIn, word32 authInSz)
 {
+    status_t status;
+    word32 keySize;
+
+    /* argument checks */
+    if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+        WOLFSSL_MSG("GcmEncrypt authTagSz too small error");
+        return BAD_FUNC_ARG;
+    }
+
+    status = wc_AesGetKeySize(aes, &keySize);
+    if (status)
+        return status;
+
+    status = LTC_AES_EncryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz,
+        authIn, authInSz, (byte*)aes->key, keySize, authTag, authTagSz);
+
+    return (status == kStatus_Success) ? 0 : AES_GCM_AUTH_E;
+}
+
+#else
+
+#ifdef STM32_CRYPTO_AES_GCM
+
+/* this function supports inline encrypt */
+static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz,
+                                  const byte* iv, word32 ivSz,
+                                  byte* authTag, word32 authTagSz,
+                                  const byte* authIn, word32 authInSz)
+{
+    int ret;
+#ifdef WOLFSSL_STM32_CUBEMX
+    CRYP_HandleTypeDef hcryp;
+#else
+    word32 keyCopy[AES_256_KEY_SIZE/sizeof(word32)];
+#endif
+    word32 keySize;
+    int status = HAL_OK;
+    word32 blocks = sz / AES_BLOCK_SIZE;
+    word32 partial = sz % AES_BLOCK_SIZE;
+    byte tag[AES_BLOCK_SIZE];
+    byte partialBlock[AES_BLOCK_SIZE];
+    byte ctr[AES_BLOCK_SIZE];
+    byte* authInPadded = NULL;
+    int authPadSz;
+
+    ret = wc_AesGetKeySize(aes, &keySize);
+    if (ret != 0)
+        return ret;
+
+#ifdef WOLFSSL_STM32_CUBEMX
+    ret = wc_Stm32_Aes_Init(aes, &hcryp);
+    if (ret != 0)
+        return ret;
+#endif
+
+    ret = wolfSSL_CryptHwMutexLock();
+    if (ret != 0) {
+        return ret;
+    }
+
+    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
+    if (ivSz == GCM_NONCE_MID_SZ) {
+        XMEMCPY(ctr, iv, ivSz);
+        ctr[AES_BLOCK_SIZE - 1] = 1;
+    }
+    else {
+        GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE);
+    }
+    /* Hardware requires counter + 1 */
+    IncrementGcmCounter(ctr);
+
+    if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) {
+        /* Need to pad the AAD to a full block with zeros. */
+        authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
+        authInPadded = (byte*)XMALLOC(authPadSz, aes->heap,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (authInPadded == NULL) {
+            wolfSSL_CryptHwMutexUnLock();
+            return MEMORY_E;
+        }
+        XMEMSET(authInPadded, 0, authPadSz);
+        XMEMCPY(authInPadded, authIn, authInSz);
+    } else {
+        authPadSz = authInSz;
+        authInPadded = (byte*)authIn;
+    }
+
+#ifdef WOLFSSL_STM32_CUBEMX
+    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
+    hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
+    hcryp.Init.HeaderSize = authInSz;
+
+#ifdef STM32_CRYPTO_AES_ONLY
+    /* Set the CRYP parameters */
+    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_GCM_GMAC;
+    hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
+    hcryp.Init.GCMCMACPhase  = CRYP_INIT_PHASE;
+    HAL_CRYP_Init(&hcryp);
+
+    /* GCM init phase */
+    status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
+    if (status == HAL_OK) {
+        /* GCM header phase */
+        hcryp.Init.GCMCMACPhase  = CRYP_HEADER_PHASE;
+        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
+    }
+    if (status == HAL_OK) {
+        /* GCM payload phase - blocks */
+        hcryp.Init.GCMCMACPhase  = CRYP_PAYLOAD_PHASE;
+        if (blocks) {
+            status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in,
+                (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
+        }
+    }
+    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
+        /* GCM payload phase - partial remainder */
+        XMEMSET(partialBlock, 0, sizeof(partialBlock));
+        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
+        status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,
+            partialBlock, STM32_HAL_TIMEOUT);
+        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
+    }
+    if (status == HAL_OK) {
+        /* GCM final phase */
+        hcryp.Init.GCMCMACPhase  = CRYP_FINAL_PHASE;
+        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT);
+    }
+#elif defined(STM32_HAL_V2)
+    hcryp.Init.Algorithm  = CRYP_AES_GCM;
+    ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE);
+    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
+    HAL_CRYP_Init(&hcryp);
+
+    /* GCM payload phase - can handle partial blocks */
+    status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
+        (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
+    if (status == HAL_OK) {
+        /* Compute the authTag */
+        status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
+            STM32_HAL_TIMEOUT);
+    }
+#else
+    HAL_CRYP_Init(&hcryp);
+    if (blocks) {
+        /* GCM payload phase - blocks */
+        status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, (byte*)in,
+            (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
+    }
+    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
+        /* GCM payload phase - partial remainder */
+        XMEMSET(partialBlock, 0, sizeof(partialBlock));
+        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
+        status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, partialBlock, partial,
+            partialBlock, STM32_HAL_TIMEOUT);
+        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
+    }
+    if (status == HAL_OK) {
+        /* Compute the authTag */
+        status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);
+    }
+#endif
+
+    if (status != HAL_OK)
+        ret = AES_GCM_AUTH_E;
+    HAL_CRYP_DeInit(&hcryp);
+
+#else /* STD_PERI_LIB */
+    ByteReverseWords(keyCopy, (word32*)aes->key, keySize);
+    status = CRYP_AES_GCM(MODE_ENCRYPT, (uint8_t*)ctr,
+                         (uint8_t*)keyCopy,      keySize * 8,
+                         (uint8_t*)in,           sz,
+                         (uint8_t*)authInPadded, authInSz,
+                         (uint8_t*)out,          tag);
+    if (status != SUCCESS)
+        ret = AES_GCM_AUTH_E;
+#endif /* WOLFSSL_STM32_CUBEMX */
+
+    if (ret == 0) {
+        /* return authTag */
+        if (authTag) {
+            /* STM32 GCM won't compute Auth correctly for partial or
+                when IV != 12, so use software here */
+            if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) {
+                DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */
+                GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
+                wc_AesEncrypt(aes, ctr, tag);
+                xorbuf(authTag, tag, authTagSz);
+            }
+            else {
+                XMEMCPY(authTag, tag, authTagSz);
+            }
+        }
+    }
+
+    /* Free memory if not a multiple of AES_BLOCK_SZ */
+    if (authInPadded != authIn) {
+        XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    wolfSSL_CryptHwMutexUnLock();
+
+    return ret;
+}
+
+#endif /* STM32_CRYPTO_AES_GCM */
+
+#ifdef WOLFSSL_AESNI
+int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
+                      const byte* iv, word32 ivSz,
+                      byte* authTag, word32 authTagSz,
+                      const byte* authIn, word32 authInSz);
+#else
+static
+#endif
+int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
+                      const byte* iv, word32 ivSz,
+                      byte* authTag, word32 authTagSz,
+                      const byte* authIn, word32 authInSz)
+{
+    int ret = 0;
     word32 blocks = sz / AES_BLOCK_SIZE;
     word32 partial = sz % AES_BLOCK_SIZE;
     const byte* p = in;
     byte* c = out;
     byte counter[AES_BLOCK_SIZE];
-    byte *ctr ;
+    byte initialCounter[AES_BLOCK_SIZE];
+    byte *ctr;
     byte scratch[AES_BLOCK_SIZE];
-
-#ifdef FREESCALE_MMCAU
-    byte* key = (byte*)aes->key;
+#ifdef OPENSSL_EXTRA
+    word32 aadTemp;
 #endif
-
-    WOLFSSL_ENTER("AesGcmEncrypt");
+    ctr = counter;
+    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
+    XMEMSET(scratch, 0, AES_BLOCK_SIZE);
+    if (ivSz == GCM_NONCE_MID_SZ) {
+        XMEMCPY(initialCounter, iv, ivSz);
+        initialCounter[AES_BLOCK_SIZE - 1] = 1;
+    }
+    else {
+#ifdef OPENSSL_EXTRA
+        aadTemp = aes->aadLen;
+        aes->aadLen = 0;
+#endif
+        GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
+#ifdef OPENSSL_EXTRA
+        aes->aadLen = aadTemp;
+#endif
+    }
+    XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);
 
 #ifdef WOLFSSL_PIC32MZ_CRYPT
-    ctr = (char *)aes->iv_ce ;
-#else
-    ctr = counter ;
+    if (blocks) {
+        /* use initial IV for HW, but don't use it below */
+        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);
+
+        ret = wc_Pic32AesCrypt(
+            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            out, in, (blocks * AES_BLOCK_SIZE),
+            PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
+        if (ret != 0)
+            return ret;
+    }
+    /* process remainder using partial handling */
 #endif
 
-    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
-    XMEMCPY(ctr, iv, ivSz);
-    InitGcmCounter(ctr);
+#if defined(HAVE_AES_ECB) && !defined(WOLFSSL_PIC32MZ_CRYPT)
+    /* some hardware acceleration can gain performance from doing AES encryption
+     * of the whole buffer at once */
+    if (c != p && blocks > 0) { /* can not handle inline encryption */
+        while (blocks--) {
+            IncrementGcmCounter(ctr);
+            XMEMCPY(c, ctr, AES_BLOCK_SIZE);
+            c += AES_BLOCK_SIZE;
+        }
+
+        /* reset number of blocks and then do encryption */
+        blocks = sz / AES_BLOCK_SIZE;
+        wc_AesEcbEncrypt(aes, out, out, AES_BLOCK_SIZE * blocks);
+        xorbuf(out, p, AES_BLOCK_SIZE * blocks);
+        p += AES_BLOCK_SIZE * blocks;
+    }
+    else
+#endif /* HAVE_AES_ECB && !WOLFSSL_PIC32MZ_CRYPT */
 
-#ifdef WOLFSSL_PIC32MZ_CRYPT
-    if(blocks)
-        wc_AesCrypt(aes, out, in, blocks*AES_BLOCK_SIZE,
-             PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM );
-#endif
     while (blocks--) {
         IncrementGcmCounter(ctr);
-        #ifndef WOLFSSL_PIC32MZ_CRYPT
-            #ifdef FREESCALE_MMCAU
-                cau_aes_encrypt(ctr, key, aes->rounds, scratch);
-            #else
-                wc_AesEncrypt(aes, ctr, scratch);
-            #endif
+    #if !defined(WOLFSSL_PIC32MZ_CRYPT)
+        wc_AesEncrypt(aes, ctr, scratch);
         xorbuf(scratch, p, AES_BLOCK_SIZE);
         XMEMCPY(c, scratch, AES_BLOCK_SIZE);
-        #endif
+    #endif
         p += AES_BLOCK_SIZE;
         c += AES_BLOCK_SIZE;
     }
 
     if (partial != 0) {
         IncrementGcmCounter(ctr);
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(ctr, key, aes->rounds, scratch);
-        #else
-            wc_AesEncrypt(aes, ctr, scratch);
-        #endif
+        wc_AesEncrypt(aes, ctr, scratch);
         xorbuf(scratch, p, partial);
         XMEMCPY(c, scratch, partial);
+    }
+    if (authTag) {
+        GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
+        wc_AesEncrypt(aes, initialCounter, scratch);
+        xorbuf(authTag, scratch, authTagSz);
+#ifdef OPENSSL_EXTRA
+        if (!in && !sz)
+            /* store AAD size for next call */
+            aes->aadLen = authInSz;
+#endif
+    }
+
+    return ret;
+}
 
+/* Software AES - GCM Encrypt */
+int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
+                   const byte* iv, word32 ivSz,
+                   byte* authTag, word32 authTagSz,
+                   const byte* authIn, word32 authInSz)
+{
+    /* argument checks */
+    if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0) {
+        return BAD_FUNC_ARG;
     }
 
-    GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
-    InitGcmCounter(ctr);
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(ctr, key, aes->rounds, scratch);
-    #else
-        wc_AesEncrypt(aes, ctr, scratch);
+    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+        WOLFSSL_MSG("GcmEncrypt authTagSz too small error");
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (aes->devId != INVALID_DEVID) {
+        int ret = wc_CryptoCb_AesGcmEncrypt(aes, out, in, sz, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+    /* if async and byte count above threshold */
+    /* only 12-byte IV is supported in HW */
+    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
+                    sz >= WC_ASYNC_THRESH_AES_GCM && ivSz == GCM_NONCE_MID_SZ) {
+    #if defined(HAVE_CAVIUM)
+        #ifdef HAVE_CAVIUM_V
+        if (authInSz == 20) { /* Nitrox V GCM is only working with 20 byte AAD */
+            return NitroxAesGcmEncrypt(aes, out, in, sz,
+                (const byte*)aes->devKey, aes->keylen, iv, ivSz,
+                authTag, authTagSz, authIn, authInSz);
+        }
+        #endif
+    #elif defined(HAVE_INTEL_QA)
+        return IntelQaSymAesGcmEncrypt(&aes->asyncDev, out, in, sz,
+            (const byte*)aes->devKey, aes->keylen, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_GCM_ENCRYPT)) {
+            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
+            testDev->aes.aes = aes;
+            testDev->aes.out = out;
+            testDev->aes.in = in;
+            testDev->aes.sz = sz;
+            testDev->aes.iv = iv;
+            testDev->aes.ivSz = ivSz;
+            testDev->aes.authTag = authTag;
+            testDev->aes.authTagSz = authTagSz;
+            testDev->aes.authIn = authIn;
+            testDev->aes.authInSz = authInSz;
+            return WC_PENDING_E;
+        }
     #endif
-    xorbuf(authTag, scratch, authTagSz);
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    return 0;
+#ifdef STM32_CRYPTO_AES_GCM
+    /* The STM standard peripheral library API's doesn't support partial blocks */
+    #ifdef STD_PERI_LIB
+    if (partial == 0)
+    #endif
+    {
+        return wc_AesGcmEncrypt_STM32(
+            aes, out, in, sz, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+    }
+#endif /* STM32_CRYPTO_AES_GCM */
+
+#ifdef WOLFSSL_AESNI
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(intel_flags)) {
+        AES_GCM_encrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (const byte*)aes->key, aes->rounds);
+        return 0;
+    }
+    else
+    #endif
+    #ifdef HAVE_INTEL_AVX1
+    if (IS_INTEL_AVX1(intel_flags)) {
+        AES_GCM_encrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (const byte*)aes->key, aes->rounds);
+        return 0;
+    }
+    else
+    #endif
+    if (haveAESNI) {
+        AES_GCM_encrypt(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (const byte*)aes->key, aes->rounds);
+        return 0;
+    }
+    else
+#endif
+    {
+        return AES_GCM_encrypt_C(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
+                                                              authIn, authInSz);
+    }
 }
+#endif
 
 
+
+/* AES GCM Decrypt */
+#if defined(HAVE_AES_DECRYPT) || defined(HAVE_AESGCM_DECRYPT)
+#ifdef FREESCALE_LTC_AES_GCM
 int  wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                    const byte* iv, word32 ivSz,
                    const byte* authTag, word32 authTagSz,
                    const byte* authIn, word32 authInSz)
 {
+    int ret;
+    word32 keySize;
+    status_t status;
+
+    /* argument checks */
+    /* If the sz is non-zero, both in and out must be set. If sz is 0,
+     * in and out are don't cares, as this is is the GMAC case. */
+    if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
+        authTag == NULL || authTagSz > AES_BLOCK_SIZE || authTagSz == 0 ||
+        ivSz == 0) {
+
+        return BAD_FUNC_ARG;
+    }
+
+    ret = wc_AesGetKeySize(aes, &keySize);
+    if (ret != 0) {
+        return ret;
+    }
+
+    status = LTC_AES_DecryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz,
+        authIn, authInSz, (byte*)aes->key, keySize, authTag, authTagSz);
+
+    return (status == kStatus_Success) ? 0 : AES_GCM_AUTH_E;
+}
+
+#else
+
+#ifdef STM32_CRYPTO_AES_GCM
+/* this function supports inline decrypt */
+static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
+                                  const byte* in, word32 sz,
+                                  const byte* iv, word32 ivSz,
+                                  const byte* authTag, word32 authTagSz,
+                                  const byte* authIn, word32 authInSz)
+{
+    int ret;
+#ifdef WOLFSSL_STM32_CUBEMX
+    CRYP_HandleTypeDef hcryp;
+#else
+    word32 keyCopy[AES_256_KEY_SIZE/sizeof(word32)];
+#endif
+    word32 keySize;
+    int status = HAL_OK;
     word32 blocks = sz / AES_BLOCK_SIZE;
     word32 partial = sz % AES_BLOCK_SIZE;
-    const byte* c = in;
-    byte* p = out;
-    byte counter[AES_BLOCK_SIZE];
-    byte *ctr ;
-    byte scratch[AES_BLOCK_SIZE];
-
-#ifdef FREESCALE_MMCAU
-    byte* key = (byte*)aes->key;
+    byte tag[AES_BLOCK_SIZE];
+    byte partialBlock[AES_BLOCK_SIZE];
+    byte ctr[AES_BLOCK_SIZE];
+    byte* authInPadded = NULL;
+    int authPadSz;
+
+    ret = wc_AesGetKeySize(aes, &keySize);
+    if (ret != 0)
+        return ret;
+
+#ifdef WOLFSSL_STM32_CUBEMX
+    ret = wc_Stm32_Aes_Init(aes, &hcryp);
+    if (ret != 0)
+        return ret;
 #endif
 
-    WOLFSSL_ENTER("AesGcmDecrypt");
+    ret = wolfSSL_CryptHwMutexLock();
+    if (ret != 0) {
+        return ret;
+    }
 
-#ifdef WOLFSSL_PIC32MZ_CRYPT
-    ctr = (char *)aes->iv_ce ;
+    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
+    if (ivSz == GCM_NONCE_MID_SZ) {
+        XMEMCPY(ctr, iv, ivSz);
+        ctr[AES_BLOCK_SIZE - 1] = 1;
+    }
+    else {
+        GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE);
+    }
+    /* Hardware requires counter + 1 */
+    IncrementGcmCounter(ctr);
+
+    if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) {
+        /* Need to pad the AAD to a full block with zeros. */
+        authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
+        authInPadded = (byte*)XMALLOC(authPadSz, aes->heap,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (authInPadded == NULL) {
+            wolfSSL_CryptHwMutexUnLock();
+            return MEMORY_E;
+        }
+        XMEMSET(authInPadded, 0, authPadSz);
+        XMEMCPY(authInPadded, authIn, authInSz);
+    } else {
+        authPadSz = authInSz;
+        authInPadded = (byte*)authIn;
+    }
+
+#ifdef WOLFSSL_STM32_CUBEMX
+    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
+    hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
+    hcryp.Init.HeaderSize = authInSz;
+
+#ifdef STM32_CRYPTO_AES_ONLY
+    /* Set the CRYP parameters */
+    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_GCM_GMAC;
+    hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT;
+    hcryp.Init.GCMCMACPhase  = CRYP_INIT_PHASE;
+    HAL_CRYP_Init(&hcryp);
+
+    /* GCM init phase */
+    status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
+    if (status == HAL_OK) {
+        /* GCM header phase */
+        hcryp.Init.GCMCMACPhase = CRYP_HEADER_PHASE;
+        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
+    }
+    if (status == HAL_OK) {
+        /* GCM payload phase - blocks */
+        hcryp.Init.GCMCMACPhase  = CRYP_PAYLOAD_PHASE;
+        if (blocks) {
+            status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in,
+                (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
+        }
+    }
+    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
+        /* GCM payload phase - partial remainder */
+        XMEMSET(partialBlock, 0, sizeof(partialBlock));
+        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
+        status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,
+            partialBlock, STM32_HAL_TIMEOUT);
+        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
+    }
+    if (status == HAL_OK) {
+        /* GCM final phase */
+        hcryp.Init.GCMCMACPhase = CRYP_FINAL_PHASE;
+        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT);
+    }
+#elif defined(STM32_HAL_V2)
+    hcryp.Init.Algorithm = CRYP_AES_GCM;
+    ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE);
+    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
+    HAL_CRYP_Init(&hcryp);
+
+    /* GCM payload phase - can handle partial blocks */
+    status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
+        (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
+    if (status == HAL_OK) {
+        /* Compute the authTag */
+        status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
+            STM32_HAL_TIMEOUT);
+    }
 #else
-    ctr = counter ;
+    HAL_CRYP_Init(&hcryp);
+    if (blocks) {
+        /* GCM payload phase - blocks */
+        status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, (byte*)in,
+            (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
+    }
+    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
+        /* GCM payload phase - partial remainder */
+        XMEMSET(partialBlock, 0, sizeof(partialBlock));
+        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
+        status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, partialBlock, partial,
+            partialBlock, STM32_HAL_TIMEOUT);
+        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
+    }
+    if (status == HAL_OK) {
+        /* Compute the authTag */
+        status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);
+    }
 #endif
 
-    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
-    XMEMCPY(ctr, iv, ivSz);
-    InitGcmCounter(ctr);
+    if (status != HAL_OK)
+        ret = AES_GCM_AUTH_E;
+
+    HAL_CRYP_DeInit(&hcryp);
+
+#else /* STD_PERI_LIB */
+    ByteReverseWords(keyCopy, (word32*)aes->key, aes->keylen);
+
+    /* Input size and auth size need to be the actual sizes, even though
+     * they are not block aligned, because this length (in bits) is used
+     * in the final GHASH. */
+    status = CRYP_AES_GCM(MODE_DECRYPT, (uint8_t*)ctr,
+                         (uint8_t*)keyCopy,      keySize * 8,
+                         (uint8_t*)in,           sz,
+                         (uint8_t*)authInPadded, authInSz,
+                         (uint8_t*)out,          tag);
+    if (status != SUCCESS)
+        ret = AES_GCM_AUTH_E;
+#endif /* WOLFSSL_STM32_CUBEMX */
+
+    /* STM32 GCM hardware only supports IV of 12 bytes, so use software for auth */
+    if (sz == 0 || ivSz != GCM_NONCE_MID_SZ) {
+        DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */
+        GHASH(aes, authIn, authInSz, in, sz, tag, sizeof(tag));
+        wc_AesEncrypt(aes, ctr, partialBlock);
+        xorbuf(tag, partialBlock, sizeof(tag));
+    }
 
-    /* Calculate the authTag again using the received auth data and the
-     * cipher text. */
-    {
-        byte Tprime[AES_BLOCK_SIZE];
-        byte EKY0[AES_BLOCK_SIZE];
+    if (ConstantCompare(authTag, tag, authTagSz) != 0) {
+        ret = AES_GCM_AUTH_E;
+    }
 
-        GHASH(aes, authIn, authInSz, in, sz, Tprime, sizeof(Tprime));
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(ctr, key, aes->rounds, EKY0);
-        #else
-            wc_AesEncrypt(aes, ctr, EKY0);
-        #endif
-        xorbuf(Tprime, EKY0, sizeof(Tprime));
+    /* Free memory if not a multiple of AES_BLOCK_SZ */
+    if (authInPadded != authIn) {
+        XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 
-        if (ConstantCompare(authTag, Tprime, authTagSz) != 0) {
-            return AES_GCM_AUTH_E;
-        }
+    wolfSSL_CryptHwMutexUnLock();
+
+    return ret;
+}
+
+#endif /* STM32_CRYPTO_AES_GCM */
+
+#ifdef WOLFSSL_AESNI
+int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
+                      const byte* iv, word32 ivSz,
+                      const byte* authTag, word32 authTagSz,
+                      const byte* authIn, word32 authInSz);
+#else
+static
+#endif
+int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
+                      const byte* iv, word32 ivSz,
+                      const byte* authTag, word32 authTagSz,
+                      const byte* authIn, word32 authInSz)
+{
+    int ret = 0;
+    word32 blocks = sz / AES_BLOCK_SIZE;
+    word32 partial = sz % AES_BLOCK_SIZE;
+    const byte* c = in;
+    byte* p = out;
+    byte counter[AES_BLOCK_SIZE];
+    byte initialCounter[AES_BLOCK_SIZE];
+    byte *ctr;
+    byte scratch[AES_BLOCK_SIZE];
+    byte Tprime[AES_BLOCK_SIZE];
+    byte EKY0[AES_BLOCK_SIZE];
+#ifdef OPENSSL_EXTRA
+    word32 aadTemp;
+#endif
+    ctr = counter;
+    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
+    if (ivSz == GCM_NONCE_MID_SZ) {
+        XMEMCPY(initialCounter, iv, ivSz);
+        initialCounter[AES_BLOCK_SIZE - 1] = 1;
+    }
+    else {
+#ifdef OPENSSL_EXTRA
+        aadTemp = aes->aadLen;
+        aes->aadLen = 0;
+#endif
+        GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
+#ifdef OPENSSL_EXTRA
+        aes->aadLen = aadTemp;
+#endif
+    }
+    XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);
+
+    /* Calc the authTag again using the received auth data and the cipher text */
+    GHASH(aes, authIn, authInSz, in, sz, Tprime, sizeof(Tprime));
+    wc_AesEncrypt(aes, ctr, EKY0);
+    xorbuf(Tprime, EKY0, sizeof(Tprime));
+
+#ifdef OPENSSL_EXTRA
+    if (!out) {
+        /* authenticated, non-confidential data */
+        /* store AAD size for next call */
+        aes->aadLen = authInSz;
+    }
+#endif
+    if (ConstantCompare(authTag, Tprime, authTagSz) != 0) {
+        return AES_GCM_AUTH_E;
     }
 
-#ifdef WOLFSSL_PIC32MZ_CRYPT
-    if(blocks)
-        wc_AesCrypt(aes, out, in, blocks*AES_BLOCK_SIZE,
-             PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM );
+#if defined(WOLFSSL_PIC32MZ_CRYPT)
+    if (blocks) {
+        /* use initial IV for HW, but don't use it below */
+        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);
+
+        ret = wc_Pic32AesCrypt(
+            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
+            out, in, (blocks * AES_BLOCK_SIZE),
+            PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
+        if (ret != 0)
+            return ret;
+    }
+    /* process remainder using partial handling */
 #endif
 
+#if defined(HAVE_AES_ECB) && !defined(WOLFSSL_PIC32MZ_CRYPT)
+    /* some hardware acceleration can gain performance from doing AES encryption
+     * of the whole buffer at once */
+    if (c != p && blocks > 0) { /* can not handle inline decryption */
+        while (blocks--) {
+            IncrementGcmCounter(ctr);
+            XMEMCPY(p, ctr, AES_BLOCK_SIZE);
+            p += AES_BLOCK_SIZE;
+        }
+
+        /* reset number of blocks and then do encryption */
+        blocks = sz / AES_BLOCK_SIZE;
+
+        wc_AesEcbEncrypt(aes, out, out, AES_BLOCK_SIZE * blocks);
+        xorbuf(out, c, AES_BLOCK_SIZE * blocks);
+        c += AES_BLOCK_SIZE * blocks;
+    }
+    else
+#endif /* HAVE_AES_ECB && !PIC32MZ */
     while (blocks--) {
         IncrementGcmCounter(ctr);
-        #ifndef WOLFSSL_PIC32MZ_CRYPT
-            #ifdef FREESCALE_MMCAU
-                cau_aes_encrypt(ctr, key, aes->rounds, scratch);
-            #else
-                wc_AesEncrypt(aes, ctr, scratch);
-            #endif
+    #if !defined(WOLFSSL_PIC32MZ_CRYPT)
+        wc_AesEncrypt(aes, ctr, scratch);
         xorbuf(scratch, c, AES_BLOCK_SIZE);
         XMEMCPY(p, scratch, AES_BLOCK_SIZE);
-        #endif
+    #endif
         p += AES_BLOCK_SIZE;
         c += AES_BLOCK_SIZE;
     }
+
     if (partial != 0) {
         IncrementGcmCounter(ctr);
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(ctr, key, aes->rounds, scratch);
-        #else
-            wc_AesEncrypt(aes, ctr, scratch);
-        #endif
+        wc_AesEncrypt(aes, ctr, scratch);
         xorbuf(scratch, c, partial);
         XMEMCPY(p, scratch, partial);
     }
-    return 0;
+
+    return ret;
+}
+
+/* Software AES - GCM Decrypt */
+int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
+                     const byte* iv, word32 ivSz,
+                     const byte* authTag, word32 authTagSz,
+                     const byte* authIn, word32 authInSz)
+{
+#ifdef WOLFSSL_AESNI
+    int res = AES_GCM_AUTH_E;
+#endif
+
+    /* argument checks */
+    /* If the sz is non-zero, both in and out must be set. If sz is 0,
+     * in and out are don't cares, as this is is the GMAC case. */
+    if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
+        authTag == NULL || authTagSz > AES_BLOCK_SIZE || authTagSz == 0 ||
+        ivSz == 0) {
+
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (aes->devId != INVALID_DEVID) {
+        int ret = wc_CryptoCb_AesGcmDecrypt(aes, out, in, sz, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+    /* if async and byte count above threshold */
+    /* only 12-byte IV is supported in HW */
+    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
+                    sz >= WC_ASYNC_THRESH_AES_GCM && ivSz == GCM_NONCE_MID_SZ) {
+    #if defined(HAVE_CAVIUM)
+        #ifdef HAVE_CAVIUM_V
+        if (authInSz == 20) { /* Nitrox V GCM is only working with 20 byte AAD */
+            return NitroxAesGcmDecrypt(aes, out, in, sz,
+                (const byte*)aes->devKey, aes->keylen, iv, ivSz,
+                authTag, authTagSz, authIn, authInSz);
+        }
+        #endif
+    #elif defined(HAVE_INTEL_QA)
+        return IntelQaSymAesGcmDecrypt(&aes->asyncDev, out, in, sz,
+            (const byte*)aes->devKey, aes->keylen, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_GCM_DECRYPT)) {
+            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
+            testDev->aes.aes = aes;
+            testDev->aes.out = out;
+            testDev->aes.in = in;
+            testDev->aes.sz = sz;
+            testDev->aes.iv = iv;
+            testDev->aes.ivSz = ivSz;
+            testDev->aes.authTag = (byte*)authTag;
+            testDev->aes.authTagSz = authTagSz;
+            testDev->aes.authIn = authIn;
+            testDev->aes.authInSz = authInSz;
+            return WC_PENDING_E;
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+#ifdef STM32_CRYPTO_AES_GCM
+    /* The STM standard peripheral library API's doesn't support partial blocks */
+    #ifdef STD_PERI_LIB
+    if (partial == 0)
+    #endif
+    {
+        return wc_AesGcmDecrypt_STM32(
+            aes, out, in, sz, iv, ivSz,
+            authTag, authTagSz, authIn, authInSz);
+    }
+#endif /* STM32_CRYPTO_AES_GCM */
+
+#ifdef WOLFSSL_AESNI
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(intel_flags)) {
+        AES_GCM_decrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (byte*)aes->key, aes->rounds, &res);
+        if (res == 0)
+            return AES_GCM_AUTH_E;
+        return 0;
+    }
+    else
+    #endif
+    #ifdef HAVE_INTEL_AVX1
+    if (IS_INTEL_AVX1(intel_flags)) {
+        AES_GCM_decrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (byte*)aes->key, aes->rounds, &res);
+        if (res == 0)
+            return AES_GCM_AUTH_E;
+        return 0;
+    }
+    else
+    #endif
+    if (haveAESNI) {
+        AES_GCM_decrypt(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
+                                 authTagSz, (byte*)aes->key, aes->rounds, &res);
+        if (res == 0)
+            return AES_GCM_AUTH_E;
+        return 0;
+    }
+    else
+#endif
+    {
+        return AES_GCM_decrypt_C(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
+                                                              authIn, authInSz);
+    }
+}
+#endif
+#endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */
+#endif /* WOLFSSL_XILINX_CRYPT */
+#endif /* end of block for AESGCM implementation selection */
+
+
+/* Common to all, abstract functions that build off of lower level AESGCM
+ * functions */
+#ifndef WC_NO_RNG
+
+int wc_AesGcmSetExtIV(Aes* aes, const byte* iv, word32 ivSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || iv == NULL ||
+        (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
+         ivSz != GCM_NONCE_MAX_SZ)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        XMEMCPY((byte*)aes->reg, iv, ivSz);
+
+        /* If the IV is 96, allow for a 2^64 invocation counter.
+         * For any other size for the nonce, limit the invocation
+         * counter to 32-bits. (SP 800-38D 8.3) */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = (ivSz == GCM_NONCE_MID_SZ) ? 0 : 0xFFFFFFFF;
+        aes->nonceSz = ivSz;
+    }
+
+    return ret;
+}
+
+
+int wc_AesGcmSetIV(Aes* aes, word32 ivSz,
+                   const byte* ivFixed, word32 ivFixedSz,
+                   WC_RNG* rng)
+{
+    int ret = 0;
+
+    if (aes == NULL || rng == NULL ||
+        (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
+         ivSz != GCM_NONCE_MAX_SZ) ||
+        (ivFixed == NULL && ivFixedSz != 0) ||
+        (ivFixed != NULL && ivFixedSz != AES_IV_FIXED_SZ)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        byte* iv = (byte*)aes->reg;
+
+        if (ivFixedSz)
+            XMEMCPY(iv, ivFixed, ivFixedSz);
+
+        ret = wc_RNG_GenerateBlock(rng, iv + ivFixedSz, ivSz - ivFixedSz);
+    }
+
+    if (ret == 0) {
+        /* If the IV is 96, allow for a 2^64 invocation counter.
+         * For any other size for the nonce, limit the invocation
+         * counter to 32-bits. (SP 800-38D 8.3) */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = (ivSz == GCM_NONCE_MID_SZ) ? 0 : 0xFFFFFFFF;
+        aes->nonceSz = ivSz;
+    }
+
+    return ret;
+}
+
+
+int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
+                        byte* ivOut, word32 ivOutSz,
+                        byte* authTag, word32 authTagSz,
+                        const byte* authIn, word32 authInSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
+        ivOut == NULL || ivOutSz != aes->nonceSz ||
+        (authIn == NULL && authInSz != 0)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        aes->invokeCtr[0]++;
+        if (aes->invokeCtr[0] == 0) {
+            aes->invokeCtr[1]++;
+            if (aes->invokeCtr[1] == 0)
+                ret = AES_GCM_OVERFLOW_E;
+        }
+    }
+
+    if (ret == 0) {
+        XMEMCPY(ivOut, aes->reg, ivOutSz);
+        ret = wc_AesGcmEncrypt(aes, out, in, sz,
+                               (byte*)aes->reg, ivOutSz,
+                               authTag, authTagSz,
+                               authIn, authInSz);
+        if (ret == 0)
+            IncCtr((byte*)aes->reg, ivOutSz);
+    }
+
+    return ret;
+}
+
+int wc_Gmac(const byte* key, word32 keySz, byte* iv, word32 ivSz,
+            const byte* authIn, word32 authInSz,
+            byte* authTag, word32 authTagSz, WC_RNG* rng)
+{
+    Aes aes;
+    int ret;
+
+    if (key == NULL || iv == NULL || (authIn == NULL && authInSz != 0) ||
+        authTag == NULL || authTagSz == 0 || rng == NULL) {
+
+        return BAD_FUNC_ARG;
+    }
+
+    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_AesGcmSetKey(&aes, key, keySz);
+        if (ret == 0)
+            ret = wc_AesGcmSetIV(&aes, ivSz, NULL, 0, rng);
+        if (ret == 0)
+            ret = wc_AesGcmEncrypt_ex(&aes, NULL, NULL, 0, iv, ivSz,
+                                  authTag, authTagSz, authIn, authInSz);
+        wc_AesFree(&aes);
+    }
+    ForceZero(&aes, sizeof(aes));
+
+    return ret;
 }
 
+int wc_GmacVerify(const byte* key, word32 keySz,
+                  const byte* iv, word32 ivSz,
+                  const byte* authIn, word32 authInSz,
+                  const byte* authTag, word32 authTagSz)
+{
+    int ret;
+#ifndef NO_AES_DECRYPT
+    Aes aes;
+
+    if (key == NULL || iv == NULL || (authIn == NULL && authInSz != 0) ||
+        authTag == NULL || authTagSz == 0 || authTagSz > AES_BLOCK_SIZE) {
+
+        return BAD_FUNC_ARG;
+    }
+
+    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_AesGcmSetKey(&aes, key, keySz);
+        if (ret == 0)
+            ret = wc_AesGcmDecrypt(&aes, NULL, NULL, 0, iv, ivSz,
+                                  authTag, authTagSz, authIn, authInSz);
+        wc_AesFree(&aes);
+    }
+    ForceZero(&aes, sizeof(aes));
+#else
+    (void)key;
+    (void)keySz;
+    (void)iv;
+    (void)ivSz;
+    (void)authIn;
+    (void)authInSz;
+    (void)authTag;
+    (void)authTagSz;
+    ret = NOT_COMPILED_IN;
+#endif
+    return ret;
+}
+
+#endif /* WC_NO_RNG */
 
 
 WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
 {
+    if (gmac == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return wc_AesGcmSetKey(&gmac->aes, key, len);
 }
 
@@ -3472,69 +6962,114 @@ WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
 
 #ifdef HAVE_AESCCM
 
-#ifdef STM32F2_CRYPTO
-    #error "STM32F2 crypto doesn't currently support AES-CCM mode"
+int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+{
+    if (!((keySz == 16) || (keySz == 24) || (keySz == 32)))
+        return BAD_FUNC_ARG;
+
+    return wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
+}
+
+#ifdef WOLFSSL_ARMASM
+    /* implementation located in wolfcrypt/src/port/arm/armv8-aes.c */
 
 #elif defined(HAVE_COLDFIRE_SEC)
     #error "Coldfire SEC doesn't currently support AES-CCM mode"
 
-#elif defined(WOLFSSL_PIC32MZ_CRYPT)
-    #error "PIC32MZ doesn't currently support AES-CCM mode"
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+    /* implemented in wolfcrypt/src/port/caam_aes.c */
 
-#endif
+#elif defined(FREESCALE_LTC)
 
-void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+/* return 0 on success */
+int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
+                   const byte* nonce, word32 nonceSz,
+                   byte* authTag, word32 authTagSz,
+                   const byte* authIn, word32 authInSz)
 {
-    byte nonce[AES_BLOCK_SIZE];
+    byte *key;
+    uint32_t keySize;
+    status_t status;
 
-    if (!((keySz == 16) || (keySz == 24) || (keySz == 32)))
-        return;
+    /* sanity check on arguments */
+    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+            || authTag == NULL || nonceSz < 7 || nonceSz > 13)
+        return BAD_FUNC_ARG;
+
+    key = (byte*)aes->key;
+
+    status = wc_AesGetKeySize(aes, &keySize);
+    if (status != 0) {
+        return status;
+    }
 
-    XMEMSET(nonce, 0, sizeof(nonce));
-    wc_AesSetKey(aes, key, keySz, nonce, AES_ENCRYPTION);
+    status = LTC_AES_EncryptTagCcm(LTC_BASE, in, out, inSz,
+        nonce, nonceSz, authIn, authInSz, key, keySize, authTag, authTagSz);
+
+    return (kStatus_Success == status) ? 0 : BAD_FUNC_ARG;
 }
 
+#ifdef HAVE_AES_DECRYPT
+int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
+                   const byte* nonce, word32 nonceSz,
+                   const byte* authTag, word32 authTagSz,
+                   const byte* authIn, word32 authInSz)
+{
+    byte *key;
+    uint32_t keySize;
+    status_t status;
+
+    /* sanity check on arguments */
+    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+            || authTag == NULL || nonceSz < 7 || nonceSz > 13)
+        return BAD_FUNC_ARG;
+
+    key = (byte*)aes->key;
 
+    status = wc_AesGetKeySize(aes, &keySize);
+    if (status != 0) {
+        return status;
+    }
+
+    status = LTC_AES_DecryptTagCcm(LTC_BASE, in, out, inSz,
+        nonce, nonceSz, authIn, authInSz, key, keySize, authTag, authTagSz);
+
+    if (status == kStatus_Success) {
+        return 0;
+    }
+    else {
+        XMEMSET(out, 0, inSz);
+        return AES_CCM_AUTH_E;
+    }
+}
+#endif /* HAVE_AES_DECRYPT */
+
+#else
+
+/* Software CCM */
 static void roll_x(Aes* aes, const byte* in, word32 inSz, byte* out)
 {
-    #ifdef FREESCALE_MMCAU
-        byte* key = (byte*)aes->key;
-    #endif
-
     /* process the bulk of the data */
     while (inSz >= AES_BLOCK_SIZE) {
         xorbuf(out, in, AES_BLOCK_SIZE);
         in += AES_BLOCK_SIZE;
         inSz -= AES_BLOCK_SIZE;
 
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(out, key, aes->rounds, out);
-        #else
-            wc_AesEncrypt(aes, out, out);
-        #endif
+        wc_AesEncrypt(aes, out, out);
     }
 
     /* process remainder of the data */
     if (inSz > 0) {
         xorbuf(out, in, inSz);
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(out, key, aes->rounds, out);
-        #else
-            wc_AesEncrypt(aes, out, out);
-        #endif
+        wc_AesEncrypt(aes, out, out);
     }
 }
 
-
 static void roll_auth(Aes* aes, const byte* in, word32 inSz, byte* out)
 {
     word32 authLenSz;
     word32 remainder;
 
-    #ifdef FREESCALE_MMCAU
-        byte* key = (byte*)aes->key;
-    #endif
-
     /* encode the length in */
     if (inSz <= 0xFEFF) {
         authLenSz = 2;
@@ -3568,18 +7103,14 @@ static void roll_auth(Aes* aes, const byte* in, word32 inSz, byte* out)
         xorbuf(out + authLenSz, in, inSz);
         inSz = 0;
     }
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(out, key, aes->rounds, out);
-    #else
-        wc_AesEncrypt(aes, out, out);
-    #endif
+    wc_AesEncrypt(aes, out, out);
 
     if (inSz > 0)
         roll_x(aes, in, inSz, out);
 }
 
 
-static INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
+static WC_INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
 {
     word32 i;
 
@@ -3588,34 +7119,85 @@ static INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
     }
 }
 
+#ifdef WOLFSSL_AESNI
+static WC_INLINE void AesCcmCtrIncSet4(byte* B, word32 lenSz)
+{
+    word32 i;
+
+    /* B+1 = B */
+    XMEMCPY(B + AES_BLOCK_SIZE * 1, B, AES_BLOCK_SIZE);
+    /* B+2,B+3 = B,B+1 */
+    XMEMCPY(B + AES_BLOCK_SIZE * 2, B, AES_BLOCK_SIZE * 2);
+
+    for (i = 0; i < lenSz; i++) {
+        if (++B[AES_BLOCK_SIZE * 1 - 1 - i] != 0) break;
+    }
+    B[AES_BLOCK_SIZE * 2 - 1] += 2;
+    if (B[AES_BLOCK_SIZE * 2 - 1] < 2) {
+        for (i = 1; i < lenSz; i++) {
+            if (++B[AES_BLOCK_SIZE * 2 - 1 - i] != 0) break;
+        }
+    }
+    B[AES_BLOCK_SIZE * 3 - 1] += 3;
+    if (B[AES_BLOCK_SIZE * 3 - 1] < 3) {
+        for (i = 1; i < lenSz; i++) {
+            if (++B[AES_BLOCK_SIZE * 3 - 1 - i] != 0) break;
+        }
+    }
+}
+
+static WC_INLINE void AesCcmCtrInc4(byte* B, word32 lenSz)
+{
+    word32 i;
 
-void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
+    B[AES_BLOCK_SIZE - 1] += 4;
+    if (B[AES_BLOCK_SIZE - 1] < 4) {
+        for (i = 1; i < lenSz; i++) {
+            if (++B[AES_BLOCK_SIZE - 1 - i] != 0) break;
+        }
+    }
+}
+#endif
+
+/* Software AES - CCM Encrypt */
+/* return 0 on success */
+int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                    const byte* nonce, word32 nonceSz,
                    byte* authTag, word32 authTagSz,
                    const byte* authIn, word32 authInSz)
 {
+#ifndef WOLFSSL_AESNI
     byte A[AES_BLOCK_SIZE];
     byte B[AES_BLOCK_SIZE];
+#else
+    ALIGN128 byte A[AES_BLOCK_SIZE * 4];
+    ALIGN128 byte B[AES_BLOCK_SIZE * 4];
+#endif
     byte lenSz;
     word32 i;
+    byte mask = 0xFF;
+    const word32 wordSz = (word32)sizeof(word32);
 
-    #ifdef FREESCALE_MMCAU
-        byte* key = (byte*)aes->key;
-    #endif
+    /* sanity check on arguments */
+    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+            || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
+            authTagSz > AES_BLOCK_SIZE)
+        return BAD_FUNC_ARG;
 
+    XMEMSET(A, 0, sizeof(A));
     XMEMCPY(B+1, nonce, nonceSz);
     lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;
     B[0] = (authInSz > 0 ? 64 : 0)
          + (8 * (((byte)authTagSz - 2) / 2))
          + (lenSz - 1);
-    for (i = 0; i < lenSz; i++)
-        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF;
+    for (i = 0; i < lenSz; i++) {
+        if (mask && i >= wordSz)
+            mask = 0x00;
+        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
+    }
+
+    wc_AesEncrypt(aes, B, A);
 
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(B, key, aes->rounds, A);
-    #else
-        wc_AesEncrypt(aes, B, A);
-    #endif
     if (authInSz > 0)
         roll_auth(aes, authIn, authInSz, A);
     if (inSz > 0)
@@ -3625,20 +7207,32 @@ void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     B[0] = lenSz - 1;
     for (i = 0; i < lenSz; i++)
         B[AES_BLOCK_SIZE - 1 - i] = 0;
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(B, key, aes->rounds, A);
-    #else
-        wc_AesEncrypt(aes, B, A);
-    #endif
+    wc_AesEncrypt(aes, B, A);
     xorbuf(authTag, A, authTagSz);
 
     B[15] = 1;
+#ifdef WOLFSSL_AESNI
+    if (haveAESNI && aes->use_aesni) {
+        while (inSz >= AES_BLOCK_SIZE * 4) {
+            AesCcmCtrIncSet4(B, lenSz);
+
+            AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key,
+                            aes->rounds);
+            xorbuf(A, in, AES_BLOCK_SIZE * 4);
+            XMEMCPY(out, A, AES_BLOCK_SIZE * 4);
+
+            inSz -= AES_BLOCK_SIZE * 4;
+            in += AES_BLOCK_SIZE * 4;
+            out += AES_BLOCK_SIZE * 4;
+
+            if (inSz < AES_BLOCK_SIZE * 4) {
+                AesCcmCtrInc4(B, lenSz);
+            }
+        }
+    }
+#endif
     while (inSz >= AES_BLOCK_SIZE) {
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(B, key, aes->rounds, A);
-        #else
-            wc_AesEncrypt(aes, B, A);
-        #endif
+        wc_AesEncrypt(aes, B, A);
         xorbuf(A, in, AES_BLOCK_SIZE);
         XMEMCPY(out, A, AES_BLOCK_SIZE);
 
@@ -3648,35 +7242,43 @@ void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         out += AES_BLOCK_SIZE;
     }
     if (inSz > 0) {
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(B, key, aes->rounds, A);
-        #else
-            wc_AesEncrypt(aes, B, A);
-        #endif
+        wc_AesEncrypt(aes, B, A);
         xorbuf(A, in, inSz);
         XMEMCPY(out, A, inSz);
     }
 
     ForceZero(A, AES_BLOCK_SIZE);
     ForceZero(B, AES_BLOCK_SIZE);
-}
 
+    return 0;
+}
 
+#ifdef HAVE_AES_DECRYPT
+/* Software AES - CCM Decrypt */
 int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                    const byte* nonce, word32 nonceSz,
                    const byte* authTag, word32 authTagSz,
                    const byte* authIn, word32 authInSz)
 {
+#ifndef WOLFSSL_AESNI
     byte A[AES_BLOCK_SIZE];
     byte B[AES_BLOCK_SIZE];
+#else
+    ALIGN128 byte B[AES_BLOCK_SIZE * 4];
+    ALIGN128 byte A[AES_BLOCK_SIZE * 4];
+#endif
     byte* o;
     byte lenSz;
     word32 i, oSz;
     int result = 0;
+    byte mask = 0xFF;
+    const word32 wordSz = (word32)sizeof(word32);
 
-    #ifdef FREESCALE_MMCAU
-        byte* key = (byte*)aes->key;
-    #endif
+    /* sanity check on arguments */
+    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
+            || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
+            authTagSz > AES_BLOCK_SIZE)
+        return BAD_FUNC_ARG;
 
     o = out;
     oSz = inSz;
@@ -3688,12 +7290,28 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         B[AES_BLOCK_SIZE - 1 - i] = 0;
     B[15] = 1;
 
+#ifdef WOLFSSL_AESNI
+    if (haveAESNI && aes->use_aesni) {
+        while (oSz >= AES_BLOCK_SIZE * 4) {
+            AesCcmCtrIncSet4(B, lenSz);
+
+            AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key,
+                            aes->rounds);
+            xorbuf(A, in, AES_BLOCK_SIZE * 4);
+            XMEMCPY(o, A, AES_BLOCK_SIZE * 4);
+
+            oSz -= AES_BLOCK_SIZE * 4;
+            in += AES_BLOCK_SIZE * 4;
+            o += AES_BLOCK_SIZE * 4;
+
+            if (oSz < AES_BLOCK_SIZE * 4) {
+                AesCcmCtrInc4(B, lenSz);
+            }
+        }
+    }
+#endif
     while (oSz >= AES_BLOCK_SIZE) {
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(B, key, aes->rounds, A);
-        #else
-            wc_AesEncrypt(aes, B, A);
-        #endif
+        wc_AesEncrypt(aes, B, A);
         xorbuf(A, in, AES_BLOCK_SIZE);
         XMEMCPY(o, A, AES_BLOCK_SIZE);
 
@@ -3703,22 +7321,14 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         o += AES_BLOCK_SIZE;
     }
     if (inSz > 0) {
-        #ifdef FREESCALE_MMCAU
-            cau_aes_encrypt(B, key, aes->rounds, A);
-        #else
-            wc_AesEncrypt(aes, B, A);
-        #endif
+        wc_AesEncrypt(aes, B, A);
         xorbuf(A, in, oSz);
         XMEMCPY(o, A, oSz);
     }
 
     for (i = 0; i < lenSz; i++)
         B[AES_BLOCK_SIZE - 1 - i] = 0;
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(B, key, aes->rounds, A);
-    #else
-        wc_AesEncrypt(aes, B, A);
-    #endif
+    wc_AesEncrypt(aes, B, A);
 
     o = out;
     oSz = inSz;
@@ -3726,14 +7336,14 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     B[0] = (authInSz > 0 ? 64 : 0)
          + (8 * (((byte)authTagSz - 2) / 2))
          + (lenSz - 1);
-    for (i = 0; i < lenSz; i++)
-        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> (8 * i)) & 0xFF;
+    for (i = 0; i < lenSz; i++) {
+        if (mask && i >= wordSz)
+            mask = 0x00;
+        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
+    }
+
+    wc_AesEncrypt(aes, B, A);
 
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(B, key, aes->rounds, A);
-    #else
-        wc_AesEncrypt(aes, B, A);
-    #endif
     if (authInSz > 0)
         roll_auth(aes, authIn, authInSz, A);
     if (inSz > 0)
@@ -3742,11 +7352,7 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     B[0] = lenSz - 1;
     for (i = 0; i < lenSz; i++)
         B[AES_BLOCK_SIZE - 1 - i] = 0;
-    #ifdef FREESCALE_MMCAU
-        cau_aes_encrypt(B, key, aes->rounds, B);
-    #else
-        wc_AesEncrypt(aes, B, B);
-    #endif
+    wc_AesEncrypt(aes, B, B);
     xorbuf(A, B, authTagSz);
 
     if (ConstantCompare(A, authTag, authTagSz) != 0) {
@@ -3764,134 +7370,1335 @@ int  wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     return result;
 }
 
-#endif /* HAVE_AESCCM */
+#endif /* HAVE_AES_DECRYPT */
+#endif /* software CCM */
 
+/* abstract functions that call lower level AESCCM functions */
+#ifndef WC_NO_RNG
 
-#ifdef HAVE_CAVIUM
+int wc_AesCcmSetNonce(Aes* aes, const byte* nonce, word32 nonceSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || nonce == NULL ||
+        nonceSz < CCM_NONCE_MIN_SZ || nonceSz > CCM_NONCE_MAX_SZ) {
 
-#include <wolfssl/ctaocrypt/logging.h>
-#include "cavium_common.h"
+        ret = BAD_FUNC_ARG;
+    }
 
-/* Initiliaze Aes for use with Nitrox device */
-int wc_AesInitCavium(Aes* aes, int devId)
+    if (ret == 0) {
+        XMEMCPY(aes->reg, nonce, nonceSz);
+        aes->nonceSz = nonceSz;
+
+        /* Invocation counter should be 2^61 */
+        aes->invokeCtr[0] = 0;
+        aes->invokeCtr[1] = 0xE0000000;
+    }
+
+    return ret;
+}
+
+
+int wc_AesCcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
+                        byte* ivOut, word32 ivOutSz,
+                        byte* authTag, word32 authTagSz,
+                        const byte* authIn, word32 authInSz)
 {
+    int ret = 0;
+
+    if (aes == NULL || out == NULL ||
+        (in == NULL && sz != 0) ||
+        ivOut == NULL ||
+        (authIn == NULL && authInSz != 0) ||
+        (ivOutSz != aes->nonceSz)) {
+
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        aes->invokeCtr[0]++;
+        if (aes->invokeCtr[0] == 0) {
+            aes->invokeCtr[1]++;
+            if (aes->invokeCtr[1] == 0)
+                ret = AES_CCM_OVERFLOW_E;
+        }
+    }
+
+    if (ret == 0) {
+        ret = wc_AesCcmEncrypt(aes, out, in, sz,
+                               (byte*)aes->reg, aes->nonceSz,
+                               authTag, authTagSz,
+                               authIn, authInSz);
+        if (ret == 0) {
+            XMEMCPY(ivOut, aes->reg, aes->nonceSz);
+            IncCtr((byte*)aes->reg, aes->nonceSz);
+        }
+    }
+
+    return ret;
+}
+
+#endif /* WC_NO_RNG */
+
+#endif /* HAVE_AESCCM */
+
+
+/* Initialize Aes for use with async hardware */
+int wc_AesInit(Aes* aes, void* heap, int devId)
+{
+    int ret = 0;
+
     if (aes == NULL)
-        return -1;
+        return BAD_FUNC_ARG;
 
-    if (CspAllocContext(CONTEXT_SSL, &aes->contextHandle, devId) != 0)
-        return -1;
+    aes->heap = heap;
 
+#ifdef WOLF_CRYPTO_CB
     aes->devId = devId;
-    aes->magic = WOLFSSL_AES_CAVIUM_MAGIC;
-
-    return 0;
+    aes->devCtx = NULL;
+#else
+    (void)devId;
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+    ret = wolfAsync_DevCtxInit(&aes->asyncDev, WOLFSSL_ASYNC_MARKER_AES,
+                                                        aes->heap, devId);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+#ifdef WOLFSSL_AFALG
+    aes->alFd = -1;
+    aes->rdFd = -1;
+#endif
+#if defined(WOLFSSL_DEVCRYPTO) && \
+   (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
+    aes->ctx.cfd = -1;
+#endif
+#if defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
+    XMEMSET(&aes->ctx, 0, sizeof(aes->ctx));
+#endif
+#ifdef HAVE_AESGCM
+#ifdef OPENSSL_EXTRA
+    XMEMSET(aes->aadH, 0, sizeof(aes->aadH));
+    aes->aadLen = 0;
+#endif
+#endif
+    return ret;
 }
 
+#ifdef HAVE_PKCS11
+int  wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
+{
+    int ret = 0;
 
-/* Free Aes from use with Nitrox device */
-void wc_AesFreeCavium(Aes* aes)
+    if (aes == NULL)
+        ret = BAD_FUNC_ARG;
+    if (ret == 0 && (len < 0 || len > AES_MAX_ID_LEN))
+        ret = BUFFER_E;
+
+    if (ret == 0)
+        ret  = wc_AesInit(aes, heap, devId);
+    if (ret == 0) {
+        XMEMCPY(aes->id, id, len);
+        aes->idLen = len;
+    }
+
+    return ret;
+}
+#endif
+
+/* Free Aes from use with async hardware */
+void wc_AesFree(Aes* aes)
 {
     if (aes == NULL)
         return;
 
-    if (aes->magic != WOLFSSL_AES_CAVIUM_MAGIC)
-        return;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+    wolfAsync_DevCtxFree(&aes->asyncDev, WOLFSSL_ASYNC_MARKER_AES);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+#if defined(WOLFSSL_AFALG) || defined(WOLFSSL_AFALG_XILINX_AES)
+    if (aes->rdFd > 0) { /* negative is error case */
+        close(aes->rdFd);
+    }
+    if (aes->alFd > 0) {
+        close(aes->alFd);
+    }
+#endif /* WOLFSSL_AFALG */
+#if defined(WOLFSSL_DEVCRYPTO) && \
+    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
+    wc_DevCryptoFree(&aes->ctx);
+#endif
+#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
+    (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
+    ForceZero((byte*)aes->devKey, AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE);
+#endif
+}
+
+
+int wc_AesGetKeySize(Aes* aes, word32* keySize)
+{
+    int ret = 0;
+
+    if (aes == NULL || keySize == NULL) {
+        return BAD_FUNC_ARG;
+    }
+#if defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
+    *keySize = aes->ctx.key.keySize;
+    return ret;
+#endif
+    switch (aes->rounds) {
+#ifdef WOLFSSL_AES_128
+    case 10:
+        *keySize = 16;
+        break;
+#endif
+#ifdef WOLFSSL_AES_192
+    case 12:
+        *keySize = 24;
+        break;
+#endif
+#ifdef WOLFSSL_AES_256
+    case 14:
+        *keySize = 32;
+        break;
+#endif
+    default:
+        *keySize = 0;
+        ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+#endif /* !WOLFSSL_TI_CRYPT */
+
+#ifdef HAVE_AES_ECB
+#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+    /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
 
-    CspFreeContext(CONTEXT_SSL, aes->contextHandle, aes->devId);
-    aes->magic = 0;
+#elif defined(WOLFSSL_AFALG)
+    /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
+
+#elif defined(WOLFSSL_DEVCRYPTO_AES)
+    /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
+
+#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
+
+/* Software AES - ECB */
+int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    if ((in == NULL) || (out == NULL) || (aes == NULL))
+        return BAD_FUNC_ARG;
+
+        return AES_ECB_encrypt(aes, in, out, sz);
 }
 
 
-static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
-                           const byte* iv)
+int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 {
-    if (aes == NULL)
-        return -1;
+    if ((in == NULL) || (out == NULL) || (aes == NULL))
+        return BAD_FUNC_ARG;
 
-    XMEMCPY(aes->key, key, length);   /* key still holds key, iv still in reg */
-    if (length == 16)
-        aes->type = AES_128;
-    else if (length == 24)
-        aes->type = AES_192;
-    else if (length == 32)
-        aes->type = AES_256;
+        return AES_ECB_decrypt(aes, in, out, sz);
+}
 
-    return wc_AesSetIV(aes, iv);
+#else
+
+/* Software AES - ECB */
+int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    word32 blocks = sz / AES_BLOCK_SIZE;
+
+    if ((in == NULL) || (out == NULL) || (aes == NULL))
+      return BAD_FUNC_ARG;
+    while (blocks>0) {
+      wc_AesEncryptDirect(aes, out, in);
+      out += AES_BLOCK_SIZE;
+      in  += AES_BLOCK_SIZE;
+      sz  -= AES_BLOCK_SIZE;
+      blocks--;
+    }
+    return 0;
 }
 
 
-static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
-                               word32 length)
+int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 {
-    wolfssl_word offset = 0;
-    word32 requestId;
+    word32 blocks = sz / AES_BLOCK_SIZE;
 
-    while (length > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        if (CspEncryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
-                          aes->type, slen, (byte*)in + offset, out + offset,
-                          (byte*)aes->reg, (byte*)aes->key, &requestId,
-                          aes->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Aes Encrypt");
-            return -1;
+    if ((in == NULL) || (out == NULL) || (aes == NULL))
+      return BAD_FUNC_ARG;
+    while (blocks>0) {
+      wc_AesDecryptDirect(aes, out, in);
+      out += AES_BLOCK_SIZE;
+      in  += AES_BLOCK_SIZE;
+      sz  -= AES_BLOCK_SIZE;
+      blocks--;
+    }
+    return 0;
+}
+#endif
+#endif /* HAVE_AES_ECB */
+
+#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_OFB)
+/* Feedback AES mode
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer
+ * mode flag to specify AES mode
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - CFB Encrypt */
+static int wc_AesFeedbackEncrypt(Aes* aes, byte* out, const byte* in,
+        word32 sz, byte mode)
+{
+    byte*  tmp = NULL;
+#ifdef WOLFSSL_AES_CFB
+    byte*  reg = NULL;
+#endif
+
+    if (aes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_AES_CFB
+    if (aes->left && sz) {
+        reg = (byte*)aes->reg + AES_BLOCK_SIZE - aes->left;
+    }
+#endif
+
+    /* consume any unused bytes left in aes->tmp */
+    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
+    while (aes->left && sz) {
+        *(out) = *(in++) ^ *(tmp++);
+    #ifdef WOLFSSL_AES_CFB
+        if (mode == AES_CFB_MODE) {
+            *(reg++) = *out;
         }
-        length -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-        XMEMCPY(aes->reg, out + offset - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    #endif
+        out++;
+        aes->left--;
+        sz--;
     }
-    if (length) {
-        word16 slen = (word16)length;
-        if (CspEncryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
-                          aes->type, slen, (byte*)in + offset, out + offset,
-                          (byte*)aes->reg, (byte*)aes->key, &requestId,
-                          aes->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Aes Encrypt");
-            return -1;
+
+    while (sz >= AES_BLOCK_SIZE) {
+        /* Using aes->tmp here for inline case i.e. in=out */
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+    #ifdef WOLFSSL_AES_OFB
+        if (mode == AES_OFB_MODE) {
+            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
         }
-        XMEMCPY(aes->reg, out + offset+length - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    #endif
+        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
+    #ifdef WOLFSSL_AES_CFB
+        if (mode == AES_CFB_MODE) {
+            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
+        }
+    #endif
+        XMEMCPY(out, aes->tmp, AES_BLOCK_SIZE);
+        out += AES_BLOCK_SIZE;
+        in  += AES_BLOCK_SIZE;
+        sz  -= AES_BLOCK_SIZE;
+        aes->left = 0;
     }
+
+    /* encrypt left over data */
+    if (sz) {
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+        aes->left = AES_BLOCK_SIZE;
+        tmp = (byte*)aes->tmp;
+    #ifdef WOLFSSL_AES_OFB
+        if (mode == AES_OFB_MODE) {
+            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
+        }
+    #endif
+    #ifdef WOLFSSL_AES_CFB
+        reg = (byte*)aes->reg;
+    #endif
+
+        while (sz--) {
+            *(out) = *(in++) ^ *(tmp++);
+        #ifdef WOLFSSL_AES_CFB
+            if (mode == AES_CFB_MODE) {
+                *(reg++) = *out;
+            }
+        #endif
+            out++;
+            aes->left--;
+        }
+    }
+
     return 0;
 }
 
-static int AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
-                               word32 length)
+
+#ifdef HAVE_AES_DECRYPT
+/* CFB 128
+ *
+ * aes structure holding key to use for decryption
+ * out buffer to hold result of decryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to decrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - CFB Decrypt */
+static int wc_AesFeedbackDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
+        byte mode)
 {
-    word32 requestId;
-    wolfssl_word offset = 0;
+    byte*  tmp;
+
+    if (aes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    #ifdef WOLFSSL_AES_CFB
+    /* check if more input needs copied over to aes->reg */
+    if (aes->left && sz && mode == AES_CFB_MODE) {
+        int size = min(aes->left, sz);
+        XMEMCPY((byte*)aes->reg + AES_BLOCK_SIZE - aes->left, in, size);
+    }
+    #endif
+
+    /* consume any unused bytes left in aes->tmp */
+    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
+    while (aes->left && sz) {
+        *(out++) = *(in++) ^ *(tmp++);
+        aes->left--;
+        sz--;
+    }
 
-    while (length > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        XMEMCPY(aes->tmp, in + offset + slen - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-        if (CspDecryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
-                          aes->type, slen, (byte*)in + offset, out + offset,
-                          (byte*)aes->reg, (byte*)aes->key, &requestId,
-                          aes->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Aes Decrypt");
-            return -1;
+    while (sz > AES_BLOCK_SIZE) {
+        /* Using aes->tmp here for inline case i.e. in=out */
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+    #ifdef WOLFSSL_AES_OFB
+        if (mode == AES_OFB_MODE) {
+            XMEMCPY((byte*)aes->reg, (byte*)aes->tmp, AES_BLOCK_SIZE);
+        }
+    #endif
+        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
+    #ifdef WOLFSSL_AES_CFB
+        if (mode == AES_CFB_MODE) {
+            XMEMCPY(aes->reg, in, AES_BLOCK_SIZE);
         }
-        length -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
+    #endif
+        XMEMCPY(out, (byte*)aes->tmp, AES_BLOCK_SIZE);
+        out += AES_BLOCK_SIZE;
+        in  += AES_BLOCK_SIZE;
+        sz  -= AES_BLOCK_SIZE;
+        aes->left = 0;
     }
-    if (length) {
-        word16 slen = (word16)length;
-        XMEMCPY(aes->tmp, in + offset + slen - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
-        if (CspDecryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
-                          aes->type, slen, (byte*)in + offset, out + offset,
-                          (byte*)aes->reg, (byte*)aes->key, &requestId,
-                          aes->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Aes Decrypt");
-            return -1;
+
+    /* decrypt left over data */
+    if (sz) {
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+    #ifdef WOLFSSL_AES_CFB
+        if (mode == AES_CFB_MODE) {
+            XMEMCPY(aes->reg, in, sz);
+        }
+    #endif
+    #ifdef WOLFSSL_AES_OFB
+        if (mode == AES_OFB_MODE) {
+            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
+        }
+    #endif
+
+        aes->left = AES_BLOCK_SIZE;
+        tmp = (byte*)aes->tmp;
+
+        while (sz--) {
+            *(out++) = *(in++) ^ *(tmp++);
+            aes->left--;
         }
-        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
     }
+
     return 0;
 }
+#endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_CFB */
 
-#endif /* HAVE_CAVIUM */
+#ifdef WOLFSSL_AES_CFB
+/* CFB 128
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - CFB Encrypt */
+int wc_AesCfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackEncrypt(aes, out, in, sz, AES_CFB_MODE);
+}
 
-#endif /* WOLFSSL_TI_CRYPT */
 
-#endif /* HAVE_FIPS */
+#ifdef HAVE_AES_DECRYPT
+/* CFB 128
+ *
+ * aes structure holding key to use for decryption
+ * out buffer to hold result of decryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to decrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - CFB Decrypt */
+int wc_AesCfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackDecrypt(aes, out, in, sz, AES_CFB_MODE);
+}
+#endif /* HAVE_AES_DECRYPT */
+
+
+/* shift the whole AES_BLOCK_SIZE array left by 8 or 1 bits */
+static void shiftLeftArray(byte* ary, byte shift)
+{
+    int i;
+
+    if (shift == WOLFSSL_BIT_SIZE) {
+        /* shifting over by 8 bits */
+        for (i = 0; i < AES_BLOCK_SIZE - 1; i++) {
+            ary[i] = ary[i+1];
+        }
+        ary[i] = 0;
+    }
+    else {
+        byte carry = 0;
+
+        /* shifting over by 7 or less bits */
+        for (i = 0; i < AES_BLOCK_SIZE - 1; i++) {
+            carry = ary[i+1] & (0XFF << (WOLFSSL_BIT_SIZE - shift));
+            carry >>= (WOLFSSL_BIT_SIZE - shift);
+            ary[i] = (ary[i] << shift) + carry;
+        }
+        ary[i] = ary[i] << shift;
+    }
+}
+
+
+/* returns 0 on success and negative values on failure */
+static int wc_AesFeedbackCFB8(Aes* aes, byte* out, const byte* in,
+        word32 sz, byte dir)
+{
+    byte *pt;
+
+    if (aes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (sz == 0) {
+        return 0;
+    }
+
+    while (sz > 0) {
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+        if (dir == AES_DECRYPTION) {
+            pt = (byte*)aes->reg;
+
+            /* LSB + CAT */
+            shiftLeftArray(pt, WOLFSSL_BIT_SIZE);
+            pt[AES_BLOCK_SIZE - 1] = in[0];
+        }
+
+        /* MSB + XOR */
+        out[0] = aes->tmp[0] ^ in[0];
+        if (dir == AES_ENCRYPTION) {
+            pt = (byte*)aes->reg;
+
+            /* LSB + CAT */
+            shiftLeftArray(pt, WOLFSSL_BIT_SIZE);
+            pt[AES_BLOCK_SIZE - 1] = out[0];
+        }
+
+        out += 1;
+        in  += 1;
+        sz  -= 1;
+    }
+
+    return 0;
+}
+
+
+/* returns 0 on success and negative values on failure */
+static int wc_AesFeedbackCFB1(Aes* aes, byte* out, const byte* in,
+        word32 sz, byte dir)
+{
+    byte tmp;
+    byte cur = 0; /* hold current work in order to handle inline in=out */
+    byte* pt;
+    int bit = 7;
+
+    if (aes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (sz == 0) {
+        return 0;
+    }
+
+    while (sz > 0) {
+        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
+        if (dir == AES_DECRYPTION) {
+            pt = (byte*)aes->reg;
+
+            /* LSB + CAT */
+            tmp = (0X01 << bit) & in[0];
+            tmp = tmp >> bit;
+            tmp &= 0x01;
+            shiftLeftArray((byte*)aes->reg, 1);
+            pt[AES_BLOCK_SIZE - 1] |= tmp;
+        }
 
-#endif /* NO_AES */
+        /* MSB  + XOR */
+        tmp = (0X01 << bit) & in[0];
+        pt = (byte*)aes->tmp;
+        tmp = (pt[0] >> 7) ^ (tmp >> bit);
+        tmp &= 0x01;
+        cur |= (tmp << bit);
+
+
+        if (dir == AES_ENCRYPTION) {
+            pt = (byte*)aes->reg;
+
+            /* LSB + CAT */
+            shiftLeftArray((byte*)aes->reg, 1);
+            pt[AES_BLOCK_SIZE - 1] |= tmp;
+        }
+
+        bit--;
+        if (bit < 0) {
+            out[0] = cur;
+            out += 1;
+            in  += 1;
+            sz  -= 1;
+            bit = 7;
+            cur = 0;
+        }
+        else {
+            sz -= 1;
+        }
+    }
+
+    if (bit > 0 && bit < 7) {
+        out[0] = cur;
+    }
+
+    return 0;
+}
+
+
+/* CFB 1
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt (packed to left, i.e. 101 is 0x90)
+ * sz  size of input buffer in bits (0x1 would be size of 1 and 0xFF size of 8)
+ *
+ * returns 0 on success and negative values on failure
+ */
+int wc_AesCfb1Encrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackCFB1(aes, out, in, sz, AES_ENCRYPTION);
+}
+
+
+/* CFB 8
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative values on failure
+ */
+int wc_AesCfb8Encrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackCFB8(aes, out, in, sz, AES_ENCRYPTION);
+}
+#ifdef HAVE_AES_DECRYPT
+
+/* CFB 1
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer in bits (0x1 would be size of 1 and 0xFF size of 8)
+ *
+ * returns 0 on success and negative values on failure
+ */
+int wc_AesCfb1Decrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackCFB1(aes, out, in, sz, AES_DECRYPTION);
+}
+
+
+/* CFB 8
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative values on failure
+ */
+int wc_AesCfb8Decrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackCFB8(aes, out, in, sz, AES_DECRYPTION);
+}
+#endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_CFB */
+
+#ifdef WOLFSSL_AES_OFB
+/* OFB
+ *
+ * aes structure holding key to use for encryption
+ * out buffer to hold result of encryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to encrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - CFB Encrypt */
+int wc_AesOfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackEncrypt(aes, out, in, sz, AES_OFB_MODE);
+}
+
+
+#ifdef HAVE_AES_DECRYPT
+/* OFB
+ *
+ * aes structure holding key to use for decryption
+ * out buffer to hold result of decryption (must be at least as large as input
+ *     buffer)
+ * in  buffer to decrypt
+ * sz  size of input buffer
+ *
+ * returns 0 on success and negative error values on failure
+ */
+/* Software AES - OFB Decrypt */
+int wc_AesOfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+    return wc_AesFeedbackDecrypt(aes, out, in, sz, AES_OFB_MODE);
+}
+#endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_OFB */
+
+
+#ifdef HAVE_AES_KEYWRAP
+
+/* Initialize key wrap counter with value */
+static WC_INLINE void InitKeyWrapCounter(byte* inOutCtr, word32 value)
+{
+    int i;
+    word32 bytes;
+
+    bytes = sizeof(word32);
+    for (i = 0; i < (int)sizeof(word32); i++) {
+        inOutCtr[i+sizeof(word32)] = (value >> ((bytes - 1) * 8)) & 0xFF;
+        bytes--;
+    }
+}
+
+/* Increment key wrap counter */
+static WC_INLINE void IncrementKeyWrapCounter(byte* inOutCtr)
+{
+    int i;
+
+    /* in network byte order so start at end and work back */
+    for (i = KEYWRAP_BLOCK_SIZE - 1; i >= 0; i--) {
+        if (++inOutCtr[i])  /* we're done unless we overflow */
+            return;
+    }
+}
+
+/* Decrement key wrap counter */
+static WC_INLINE void DecrementKeyWrapCounter(byte* inOutCtr)
+{
+    int i;
+
+    for (i = KEYWRAP_BLOCK_SIZE - 1; i >= 0; i--) {
+        if (--inOutCtr[i] != 0xFF)  /* we're done unless we underflow */
+            return;
+    }
+}
+
+/* perform AES key wrap (RFC3394), return out sz on success, negative on err */
+int wc_AesKeyWrap(const byte* key, word32 keySz, const byte* in, word32 inSz,
+                  byte* out, word32 outSz, const byte* iv)
+{
+    Aes aes;
+    byte* r;
+    word32 i;
+    int ret, j;
+
+    byte t[KEYWRAP_BLOCK_SIZE];
+    byte tmp[AES_BLOCK_SIZE];
+
+    /* n must be at least 2, output size is n + 8 bytes */
+    if (key == NULL || in  == NULL || inSz < 2 ||
+        out == NULL || outSz < (inSz + KEYWRAP_BLOCK_SIZE))
+        return BAD_FUNC_ARG;
+
+    /* input must be multiple of 64-bits */
+    if (inSz % KEYWRAP_BLOCK_SIZE != 0)
+        return BAD_FUNC_ARG;
+
+    /* user IV is optional */
+    if (iv == NULL) {
+        XMEMSET(tmp, 0xA6, KEYWRAP_BLOCK_SIZE);
+    } else {
+        XMEMCPY(tmp, iv, KEYWRAP_BLOCK_SIZE);
+    }
+
+    r = out + 8;
+    XMEMCPY(r, in, inSz);
+    XMEMSET(t, 0, sizeof(t));
+
+    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_ENCRYPTION);
+    if (ret != 0)
+        return ret;
+
+    for (j = 0; j <= 5; j++) {
+        for (i = 1; i <= inSz / KEYWRAP_BLOCK_SIZE; i++) {
+
+            /* load R[i] */
+            XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE);
+
+            wc_AesEncryptDirect(&aes, tmp, tmp);
+
+            /* calculate new A */
+            IncrementKeyWrapCounter(t);
+            xorbuf(tmp, t, KEYWRAP_BLOCK_SIZE);
+
+            /* save R[i] */
+            XMEMCPY(r, tmp + KEYWRAP_BLOCK_SIZE, KEYWRAP_BLOCK_SIZE);
+            r += KEYWRAP_BLOCK_SIZE;
+        }
+        r = out + KEYWRAP_BLOCK_SIZE;
+    }
+
+    /* C[0] = A */
+    XMEMCPY(out, tmp, KEYWRAP_BLOCK_SIZE);
+
+    wc_AesFree(&aes);
+
+    return inSz + KEYWRAP_BLOCK_SIZE;
+}
+
+int wc_AesKeyUnWrap(const byte* key, word32 keySz, const byte* in, word32 inSz,
+                    byte* out, word32 outSz, const byte* iv)
+{
+    Aes aes;
+    byte* r;
+    word32 i, n;
+    int ret, j;
+
+    byte t[KEYWRAP_BLOCK_SIZE];
+    byte tmp[AES_BLOCK_SIZE];
+
+    const byte* expIv;
+    const byte defaultIV[] = {
+        0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6
+    };
+
+    (void)iv;
+
+    if (key == NULL || in == NULL || inSz < 3 ||
+        out == NULL || outSz < (inSz - KEYWRAP_BLOCK_SIZE))
+        return BAD_FUNC_ARG;
+
+    /* input must be multiple of 64-bits */
+    if (inSz % KEYWRAP_BLOCK_SIZE != 0)
+        return BAD_FUNC_ARG;
+
+    /* user IV optional */
+    if (iv != NULL) {
+        expIv = iv;
+    } else {
+        expIv = defaultIV;
+    }
+
+    /* A = C[0], R[i] = C[i] */
+    XMEMCPY(tmp, in, KEYWRAP_BLOCK_SIZE);
+    XMEMCPY(out, in + KEYWRAP_BLOCK_SIZE, inSz - KEYWRAP_BLOCK_SIZE);
+    XMEMSET(t, 0, sizeof(t));
+
+    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_DECRYPTION);
+    if (ret != 0)
+        return ret;
+
+    /* initialize counter to 6n */
+    n = (inSz - 1) / KEYWRAP_BLOCK_SIZE;
+    InitKeyWrapCounter(t, 6 * n);
+
+    for (j = 5; j >= 0; j--) {
+        for (i = n; i >= 1; i--) {
+
+            /* calculate A */
+            xorbuf(tmp, t, KEYWRAP_BLOCK_SIZE);
+            DecrementKeyWrapCounter(t);
+
+            /* load R[i], starting at end of R */
+            r = out + ((i - 1) * KEYWRAP_BLOCK_SIZE);
+            XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE);
+            wc_AesDecryptDirect(&aes, tmp, tmp);
+
+            /* save R[i] */
+            XMEMCPY(r, tmp + KEYWRAP_BLOCK_SIZE, KEYWRAP_BLOCK_SIZE);
+        }
+    }
+
+    wc_AesFree(&aes);
+
+    /* verify IV */
+    if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
+        return BAD_KEYWRAP_IV_E;
+
+    return inSz - KEYWRAP_BLOCK_SIZE;
+}
+
+#endif /* HAVE_AES_KEYWRAP */
+
+#ifdef WOLFSSL_AES_XTS
+
+/* Galios Field to use */
+#define GF_XTS 0x87
+
+/* This is to help with setting keys to correct encrypt or decrypt type.
+ *
+ * tweak AES key for tweak in XTS
+ * aes   AES key for encrypt/decrypt process
+ * key   buffer holding aes key | tweak key
+ * len   length of key buffer in bytes. Should be twice that of key size. i.e.
+ *       32 for a 16 byte key.
+ * dir   direction, either AES_ENCRYPTION or AES_DECRYPTION
+ * heap  heap hint to use for memory. Can be NULL
+ * devId id to use with async crypto. Can be 0
+ *
+ * Note: is up to user to call wc_AesFree on tweak and aes key when done.
+ *
+ * return 0 on success
+ */
+int wc_AesXtsSetKey(XtsAes* aes, const byte* key, word32 len, int dir,
+        void* heap, int devId)
+{
+    word32 keySz;
+    int    ret = 0;
+
+    if (aes == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if ((ret = wc_AesInit(&aes->tweak, heap, devId)) != 0) {
+        return ret;
+    }
+    if ((ret = wc_AesInit(&aes->aes, heap, devId)) != 0) {
+        return ret;
+    }
+
+    keySz = len/2;
+    if (keySz != 16 && keySz != 32) {
+        WOLFSSL_MSG("Unsupported key size");
+        return WC_KEY_SIZE_E;
+    }
+
+    if ((ret = wc_AesSetKey(&aes->aes, key, keySz, NULL, dir)) == 0) {
+        ret = wc_AesSetKey(&aes->tweak, key + keySz, keySz, NULL,
+                AES_ENCRYPTION);
+        if (ret != 0) {
+            wc_AesFree(&aes->aes);
+        }
+    }
+
+    return ret;
+}
+
+
+/* This is used to free up resources used by Aes structs
+ *
+ * aes AES keys to free
+ *
+ * return 0 on success
+ */
+int wc_AesXtsFree(XtsAes* aes)
+{
+    if (aes != NULL) {
+        wc_AesFree(&aes->aes);
+        wc_AesFree(&aes->tweak);
+    }
+
+    return 0;
+}
+
+
+/* Same process as wc_AesXtsEncrypt but uses a word64 type as the tweak value
+ * instead of a byte array. This just converts the word64 to a byte array and
+ * calls wc_AesXtsEncrypt.
+ *
+ * aes    AES keys to use for block encrypt/decrypt
+ * out    output buffer to hold cipher text
+ * in     input plain text buffer to encrypt
+ * sz     size of both out and in buffers
+ * sector value to use for tweak
+ *
+ * returns 0 on success
+ */
+int wc_AesXtsEncryptSector(XtsAes* aes, byte* out, const byte* in,
+        word32 sz, word64 sector)
+{
+    byte* pt;
+    byte  i[AES_BLOCK_SIZE];
+
+    XMEMSET(i, 0, AES_BLOCK_SIZE);
+#ifdef BIG_ENDIAN_ORDER
+    sector = ByteReverseWord64(sector);
+#endif
+    pt = (byte*)&sector;
+    XMEMCPY(i, pt, sizeof(word64));
+
+    return wc_AesXtsEncrypt(aes, out, in, sz, (const byte*)i, AES_BLOCK_SIZE);
+}
+
+
+/* Same process as wc_AesXtsDecrypt but uses a word64 type as the tweak value
+ * instead of a byte array. This just converts the word64 to a byte array.
+ *
+ * aes    AES keys to use for block encrypt/decrypt
+ * out    output buffer to hold plain text
+ * in     input cipher text buffer to encrypt
+ * sz     size of both out and in buffers
+ * sector value to use for tweak
+ *
+ * returns 0 on success
+ */
+int wc_AesXtsDecryptSector(XtsAes* aes, byte* out, const byte* in, word32 sz,
+        word64 sector)
+{
+    byte* pt;
+    byte  i[AES_BLOCK_SIZE];
+
+    XMEMSET(i, 0, AES_BLOCK_SIZE);
+#ifdef BIG_ENDIAN_ORDER
+    sector = ByteReverseWord64(sector);
+#endif
+    pt = (byte*)&sector;
+    XMEMCPY(i, pt, sizeof(word64));
+
+    return wc_AesXtsDecrypt(aes, out, in, sz, (const byte*)i, AES_BLOCK_SIZE);
+}
+
+#ifdef HAVE_AES_ECB
+/* helper function for encrypting / decrypting full buffer at once */
+static int _AesXtsHelper(Aes* aes, byte* out, const byte* in, word32 sz, int dir)
+{
+    word32 outSz   = sz;
+    word32 totalSz = (sz / AES_BLOCK_SIZE) * AES_BLOCK_SIZE; /* total bytes */
+    byte*  pt      = out;
+
+    outSz -= AES_BLOCK_SIZE;
+
+    while (outSz > 0) {
+        word32 j;
+        byte carry = 0;
+
+        /* multiply by shift left and propagate carry */
+        for (j = 0; j < AES_BLOCK_SIZE && outSz > 0; j++, outSz--) {
+            byte tmpC;
+
+            tmpC   = (pt[j] >> 7) & 0x01;
+            pt[j+AES_BLOCK_SIZE] = ((pt[j] << 1) + carry) & 0xFF;
+            carry  = tmpC;
+        }
+        if (carry) {
+            pt[AES_BLOCK_SIZE] ^= GF_XTS;
+        }
+
+        pt += AES_BLOCK_SIZE;
+    }
+
+    xorbuf(out, in, totalSz);
+    if (dir == AES_ENCRYPTION) {
+        return wc_AesEcbEncrypt(aes, out, out, totalSz);
+    }
+    else {
+        return wc_AesEcbDecrypt(aes, out, out, totalSz);
+    }
+}
+#endif /* HAVE_AES_ECB */
+
+
+/* AES with XTS mode. (XTS) XEX encryption with Tweak and cipher text Stealing.
+ *
+ * xaes  AES keys to use for block encrypt/decrypt
+ * out   output buffer to hold cipher text
+ * in    input plain text buffer to encrypt
+ * sz    size of both out and in buffers
+ * i     value to use for tweak
+ * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
+ *       adds a sanity check on how the user calls the function.
+ *
+ * returns 0 on success
+ */
+/* Software AES - XTS Encrypt  */
+int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
+        const byte* i, word32 iSz)
+{
+    int ret = 0;
+    word32 blocks = (sz / AES_BLOCK_SIZE);
+    Aes *aes, *tweak;
+
+    if (xaes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    aes   = &xaes->aes;
+    tweak = &xaes->tweak;
+
+    if (iSz < AES_BLOCK_SIZE) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (blocks > 0) {
+        byte tmp[AES_BLOCK_SIZE];
+
+        XMEMSET(tmp, 0, AES_BLOCK_SIZE); /* set to 0's in case of improper AES
+                                          * key setup passed to encrypt direct*/
+
+        wc_AesEncryptDirect(tweak, tmp, i);
+
+    #ifdef HAVE_AES_ECB
+        /* encrypt all of buffer at once when possible */
+        if (in != out) { /* can not handle inline */
+            XMEMCPY(out, tmp, AES_BLOCK_SIZE);
+            if ((ret = _AesXtsHelper(aes, out, in, sz, AES_ENCRYPTION)) != 0) {
+                return ret;
+            }
+        }
+    #endif
+
+        while (blocks > 0) {
+            word32 j;
+            byte carry = 0;
+            byte buf[AES_BLOCK_SIZE];
+
+    #ifdef HAVE_AES_ECB
+            if (in == out) { /* check for if inline */
+    #endif
+            XMEMCPY(buf, in, AES_BLOCK_SIZE);
+            xorbuf(buf, tmp, AES_BLOCK_SIZE);
+            wc_AesEncryptDirect(aes, out, buf);
+    #ifdef HAVE_AES_ECB
+            }
+    #endif
+            xorbuf(out, tmp, AES_BLOCK_SIZE);
+
+            /* multiply by shift left and propagate carry */
+            for (j = 0; j < AES_BLOCK_SIZE; j++) {
+                byte tmpC;
+
+                tmpC   = (tmp[j] >> 7) & 0x01;
+                tmp[j] = ((tmp[j] << 1) + carry) & 0xFF;
+                carry  = tmpC;
+            }
+            if (carry) {
+                tmp[0] ^= GF_XTS;
+            }
+
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
+            sz  -= AES_BLOCK_SIZE;
+            blocks--;
+        }
+
+        /* stealing operation of XTS to handle left overs */
+        if (sz > 0) {
+            byte buf[AES_BLOCK_SIZE];
+
+            XMEMCPY(buf, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+            if (sz >= AES_BLOCK_SIZE) { /* extra sanity check before copy */
+                return BUFFER_E;
+            }
+            XMEMCPY(out, buf, sz);
+            XMEMCPY(buf, in, sz);
+
+            xorbuf(buf, tmp, AES_BLOCK_SIZE);
+            wc_AesEncryptDirect(aes, out - AES_BLOCK_SIZE, buf);
+            xorbuf(out - AES_BLOCK_SIZE, tmp, AES_BLOCK_SIZE);
+        }
+    }
+    else {
+        WOLFSSL_MSG("Plain text input too small for encryption");
+        return BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+
+/* Same process as encryption but Aes key is AES_DECRYPTION type.
+ *
+ * xaes  AES keys to use for block encrypt/decrypt
+ * out   output buffer to hold plain text
+ * in    input cipher text buffer to decrypt
+ * sz    size of both out and in buffers
+ * i     value to use for tweak
+ * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
+ *       adds a sanity check on how the user calls the function.
+ *
+ * returns 0 on success
+ */
+/* Software AES - XTS Decrypt */
+int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
+        const byte* i, word32 iSz)
+{
+    int ret = 0;
+    word32 blocks = (sz / AES_BLOCK_SIZE);
+    Aes *aes, *tweak;
+
+    if (xaes == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    aes   = &xaes->aes;
+    tweak = &xaes->tweak;
+
+    if (iSz < AES_BLOCK_SIZE) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (blocks > 0) {
+        word32 j;
+        byte carry = 0;
+        byte tmp[AES_BLOCK_SIZE];
+        byte stl = (sz % AES_BLOCK_SIZE);
+
+        XMEMSET(tmp, 0, AES_BLOCK_SIZE); /* set to 0's in case of improper AES
+                                          * key setup passed to decrypt direct*/
+
+        wc_AesEncryptDirect(tweak, tmp, i);
+
+        /* if Stealing then break out of loop one block early to handle special
+         * case */
+        if (stl > 0) {
+            blocks--;
+        }
+
+    #ifdef HAVE_AES_ECB
+        /* decrypt all of buffer at once when possible */
+        if (in != out) { /* can not handle inline */
+            XMEMCPY(out, tmp, AES_BLOCK_SIZE);
+            if ((ret = _AesXtsHelper(aes, out, in, sz, AES_DECRYPTION)) != 0) {
+                return ret;
+            }
+        }
+    #endif
+
+        while (blocks > 0) {
+            byte buf[AES_BLOCK_SIZE];
+
+    #ifdef HAVE_AES_ECB
+            if (in == out) { /* check for if inline */
+    #endif
+            XMEMCPY(buf, in, AES_BLOCK_SIZE);
+            xorbuf(buf, tmp, AES_BLOCK_SIZE);
+            wc_AesDecryptDirect(aes, out, buf);
+    #ifdef HAVE_AES_ECB
+            }
+    #endif
+            xorbuf(out, tmp, AES_BLOCK_SIZE);
+
+            /* multiply by shift left and propagate carry */
+            for (j = 0; j < AES_BLOCK_SIZE; j++) {
+                byte tmpC;
+
+                tmpC   = (tmp[j] >> 7) & 0x01;
+                tmp[j] = ((tmp[j] << 1) + carry) & 0xFF;
+                carry  = tmpC;
+            }
+            if (carry) {
+                tmp[0] ^= GF_XTS;
+            }
+            carry = 0;
+
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
+            sz  -= AES_BLOCK_SIZE;
+            blocks--;
+        }
+
+        /* stealing operation of XTS to handle left overs */
+        if (sz > 0) {
+            byte buf[AES_BLOCK_SIZE];
+            byte tmp2[AES_BLOCK_SIZE];
+
+            /* multiply by shift left and propagate carry */
+            for (j = 0; j < AES_BLOCK_SIZE; j++) {
+                byte tmpC;
+
+                tmpC   = (tmp[j] >> 7) & 0x01;
+                tmp2[j] = ((tmp[j] << 1) + carry) & 0xFF;
+                carry  = tmpC;
+            }
+            if (carry) {
+                tmp2[0] ^= GF_XTS;
+            }
+
+            XMEMCPY(buf, in, AES_BLOCK_SIZE);
+            xorbuf(buf, tmp2, AES_BLOCK_SIZE);
+            wc_AesDecryptDirect(aes, out, buf);
+            xorbuf(out, tmp2, AES_BLOCK_SIZE);
+
+            /* tmp2 holds partial | last */
+            XMEMCPY(tmp2, out, AES_BLOCK_SIZE);
+            in  += AES_BLOCK_SIZE;
+            out += AES_BLOCK_SIZE;
+            sz  -= AES_BLOCK_SIZE;
+
+            /* Make buffer with end of cipher text | last */
+            XMEMCPY(buf, tmp2, AES_BLOCK_SIZE);
+            if (sz >= AES_BLOCK_SIZE) { /* extra sanity check before copy */
+                return BUFFER_E;
+            }
+            XMEMCPY(buf, in,   sz);
+            XMEMCPY(out, tmp2, sz);
+
+            xorbuf(buf, tmp, AES_BLOCK_SIZE);
+            wc_AesDecryptDirect(aes, tmp2, buf);
+            xorbuf(tmp2, tmp, AES_BLOCK_SIZE);
+            XMEMCPY(out - AES_BLOCK_SIZE, tmp2, AES_BLOCK_SIZE);
+        }
+    }
+    else {
+        WOLFSSL_MSG("Plain text input too small for encryption");
+        return BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+#endif /* WOLFSSL_AES_XTS */
+
+#endif /* HAVE_FIPS */
+#endif /* !NO_AES */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.S
new file mode 100644
index 000000000..ae1c801d6
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.S
@@ -0,0 +1,1338 @@
+/* aes_asm.S
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+
+/* This file is in at&t asm syntax, see .asm for intel syntax */
+
+/* See Intel® Advanced Encryption Standard (AES) Instructions Set White Paper
+ * by Intel Mobility Group, Israel Development Center, Israel Shay Gueron
+ */
+
+
+/*
+AES_CBC_encrypt (const unsigned char *in,
+	unsigned char *out,
+	unsigned char ivec[16],
+	unsigned long length,
+	const unsigned char *KS,
+	int nr)
+*/
+#ifndef __APPLE__
+.globl AES_CBC_encrypt
+AES_CBC_encrypt:
+#else
+.globl _AES_CBC_encrypt
+_AES_CBC_encrypt:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+# parameter 3: %rdx
+# parameter 4: %rcx
+# parameter 5: %r8
+# parameter 6: %r9d
+movq	%rcx, %r10
+shrq	$4, %rcx
+shlq	$60, %r10
+je	NO_PARTS
+addq	$1, %rcx
+NO_PARTS:
+subq	$16, %rsi
+movdqa	(%rdx), %xmm1
+LOOP:
+pxor	(%rdi), %xmm1
+pxor	(%r8), %xmm1
+addq	$16,%rsi
+addq	$16,%rdi
+cmpl	$12, %r9d
+aesenc	16(%r8),%xmm1
+aesenc	32(%r8),%xmm1
+aesenc	48(%r8),%xmm1
+aesenc	64(%r8),%xmm1
+aesenc	80(%r8),%xmm1
+aesenc	96(%r8),%xmm1
+aesenc	112(%r8),%xmm1
+aesenc	128(%r8),%xmm1
+aesenc	144(%r8),%xmm1
+movdqa	160(%r8),%xmm2
+jb	LAST
+cmpl	$14, %r9d
+
+aesenc	160(%r8),%xmm1
+aesenc	176(%r8),%xmm1
+movdqa	192(%r8),%xmm2
+jb	LAST
+aesenc	192(%r8),%xmm1
+aesenc	208(%r8),%xmm1
+movdqa	224(%r8),%xmm2
+LAST:
+decq	%rcx
+aesenclast %xmm2,%xmm1
+movdqu	%xmm1,(%rsi)
+jne	LOOP
+ret
+
+
+#if defined(WOLFSSL_AESNI_BY4)
+
+/*
+AES_CBC_decrypt_by4 (const unsigned char *in,
+  unsigned char *out,
+  unsigned char ivec[16],
+  unsigned long length,
+  const unsigned char *KS,
+  int nr)
+*/
+#ifndef __APPLE__
+.globl AES_CBC_decrypt_by4
+AES_CBC_decrypt_by4:
+#else
+.globl _AES_CBC_decrypt_by4
+_AES_CBC_decrypt_by4:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+# parameter 3: %rdx
+# parameter 4: %rcx
+# parameter 5: %r8
+# parameter 6: %r9d
+
+        movq        %rcx, %r10
+        shrq        $4, %rcx
+        shlq        $60, %r10
+        je          DNO_PARTS_4
+        addq        $1, %rcx
+DNO_PARTS_4:
+        movq        %rcx, %r10
+        shlq        $62, %r10
+        shrq        $62, %r10
+        shrq        $2, %rcx
+        movdqu      (%rdx),%xmm5
+        je          DREMAINDER_4
+        subq        $64, %rsi
+DLOOP_4:
+        movdqu      (%rdi), %xmm1
+        movdqu      16(%rdi), %xmm2
+        movdqu      32(%rdi), %xmm3
+        movdqu      48(%rdi), %xmm4
+        movdqa      %xmm1, %xmm6
+        movdqa      %xmm2, %xmm7
+        movdqa      %xmm3, %xmm8
+        movdqa      %xmm4, %xmm15
+        movdqa      (%r8), %xmm9
+        movdqa      16(%r8), %xmm10
+        movdqa      32(%r8), %xmm11
+        movdqa      48(%r8), %xmm12
+        pxor        %xmm9, %xmm1
+        pxor        %xmm9, %xmm2
+        pxor        %xmm9, %xmm3
+        pxor        %xmm9, %xmm4
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm12, %xmm1
+        aesdec      %xmm12, %xmm2
+        aesdec      %xmm12, %xmm3
+        aesdec      %xmm12, %xmm4
+        movdqa      64(%r8), %xmm9
+        movdqa      80(%r8), %xmm10
+        movdqa      96(%r8), %xmm11
+        movdqa      112(%r8), %xmm12
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm12, %xmm1
+        aesdec      %xmm12, %xmm2
+        aesdec      %xmm12, %xmm3
+        aesdec      %xmm12, %xmm4
+        movdqa      128(%r8), %xmm9
+        movdqa      144(%r8), %xmm10
+        movdqa      160(%r8), %xmm11
+        cmpl        $12, %r9d
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        jb          DLAST_4
+        movdqa      160(%r8), %xmm9
+        movdqa      176(%r8), %xmm10
+        movdqa      192(%r8), %xmm11
+        cmpl        $14, %r9d
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        jb          DLAST_4
+        movdqa      192(%r8), %xmm9
+        movdqa      208(%r8), %xmm10
+        movdqa      224(%r8), %xmm11
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+DLAST_4:
+        addq        $64, %rdi
+        addq        $64, %rsi
+        decq        %rcx
+        aesdeclast  %xmm11, %xmm1
+        aesdeclast  %xmm11, %xmm2
+        aesdeclast  %xmm11, %xmm3
+        aesdeclast  %xmm11, %xmm4
+        pxor        %xmm5, %xmm1
+        pxor        %xmm6, %xmm2
+        pxor        %xmm7, %xmm3
+        pxor        %xmm8, %xmm4
+        movdqu      %xmm1, (%rsi)
+        movdqu      %xmm2, 16(%rsi)
+        movdqu      %xmm3, 32(%rsi)
+        movdqu      %xmm4, 48(%rsi)
+        movdqa      %xmm15,%xmm5
+        jne         DLOOP_4
+        addq        $64, %rsi
+DREMAINDER_4:
+        cmpq        $0, %r10
+        je          DEND_4
+DLOOP_4_2:
+        movdqu      (%rdi), %xmm1
+        movdqa      %xmm1, %xmm15
+        addq        $16, %rdi
+        pxor        (%r8), %xmm1
+        movdqu      160(%r8), %xmm2
+        cmpl        $12, %r9d
+        aesdec      16(%r8), %xmm1
+        aesdec      32(%r8), %xmm1
+        aesdec      48(%r8), %xmm1
+        aesdec      64(%r8), %xmm1
+        aesdec      80(%r8), %xmm1
+        aesdec      96(%r8), %xmm1
+        aesdec      112(%r8), %xmm1
+        aesdec      128(%r8), %xmm1
+        aesdec      144(%r8), %xmm1
+        jb          DLAST_4_2
+        movdqu      192(%r8), %xmm2
+        cmpl        $14, %r9d
+        aesdec      160(%r8), %xmm1
+        aesdec      176(%r8), %xmm1
+        jb          DLAST_4_2
+        movdqu      224(%r8), %xmm2
+        aesdec      192(%r8), %xmm1
+        aesdec      208(%r8), %xmm1
+DLAST_4_2:
+        aesdeclast  %xmm2, %xmm1
+        pxor        %xmm5, %xmm1
+        movdqa      %xmm15, %xmm5
+        movdqu      %xmm1, (%rsi)
+        addq        $16, %rsi
+        decq        %r10
+        jne         DLOOP_4_2
+DEND_4:
+        ret
+
+#elif defined(WOLFSSL_AESNI_BY6)
+
+/*
+AES_CBC_decrypt_by6 (const unsigned char *in,
+  unsigned char *out,
+  unsigned char ivec[16],
+  unsigned long length,
+  const unsigned char *KS,
+  int nr)
+*/
+#ifndef __APPLE__
+.globl AES_CBC_decrypt_by6
+AES_CBC_decrypt_by6:
+#else
+.globl _AES_CBC_decrypt_by6
+_AES_CBC_decrypt_by6:
+#endif
+# parameter 1: %rdi - in
+# parameter 2: %rsi - out
+# parameter 3: %rdx - ivec
+# parameter 4: %rcx - length
+# parameter 5: %r8  - KS
+# parameter 6: %r9d - nr
+
+        movq        %rcx, %r10
+        shrq        $4, %rcx
+        shlq        $60, %r10
+        je          DNO_PARTS_6
+        addq        $1, %rcx
+DNO_PARTS_6:
+        movq        %rax, %r12
+        movq        %rdx, %r13
+        movq        %rbx, %r14
+        movq        $0, %rdx
+        movq        %rcx, %rax
+        movq        $6, %rbx
+        div         %rbx
+        movq        %rax, %rcx
+        movq        %rdx, %r10
+        movq        %r12, %rax
+        movq        %r13, %rdx
+        movq        %r14, %rbx
+        cmpq        $0, %rcx
+        movdqu      (%rdx), %xmm7
+        je          DREMAINDER_6
+        subq        $96, %rsi
+DLOOP_6:
+        movdqu      (%rdi), %xmm1
+        movdqu      16(%rdi), %xmm2
+        movdqu      32(%rdi), %xmm3
+        movdqu      48(%rdi), %xmm4
+        movdqu      64(%rdi), %xmm5
+        movdqu      80(%rdi), %xmm6
+        movdqa      (%r8), %xmm8
+        movdqa      16(%r8), %xmm9
+        movdqa      32(%r8), %xmm10
+        movdqa      48(%r8), %xmm11
+        pxor        %xmm8, %xmm1
+        pxor        %xmm8, %xmm2
+        pxor        %xmm8, %xmm3
+        pxor        %xmm8, %xmm4
+        pxor        %xmm8, %xmm5
+        pxor        %xmm8, %xmm6
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm9, %xmm5
+        aesdec      %xmm9, %xmm6
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        movdqa      64(%r8), %xmm8
+        movdqa      80(%r8), %xmm9
+        movdqa      96(%r8), %xmm10
+        movdqa      112(%r8), %xmm11
+        aesdec      %xmm8, %xmm1
+        aesdec      %xmm8, %xmm2
+        aesdec      %xmm8, %xmm3
+        aesdec      %xmm8, %xmm4
+        aesdec      %xmm8, %xmm5
+        aesdec      %xmm8, %xmm6
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm9, %xmm5
+        aesdec      %xmm9, %xmm6
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        movdqa      128(%r8), %xmm8
+        movdqa      144(%r8), %xmm9
+        movdqa      160(%r8), %xmm10
+        cmpl        $12, %r9d
+        aesdec      %xmm8, %xmm1
+        aesdec      %xmm8, %xmm2
+        aesdec      %xmm8, %xmm3
+        aesdec      %xmm8, %xmm4
+        aesdec      %xmm8, %xmm5
+        aesdec      %xmm8, %xmm6
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm9, %xmm5
+        aesdec      %xmm9, %xmm6
+        jb          DLAST_6
+        movdqa      160(%r8), %xmm8
+        movdqa      176(%r8), %xmm9
+        movdqa      192(%r8), %xmm10
+        cmpl        $14, %r9d
+        aesdec      %xmm8, %xmm1
+        aesdec      %xmm8, %xmm2
+        aesdec      %xmm8, %xmm3
+        aesdec      %xmm8, %xmm4
+        aesdec      %xmm8, %xmm5
+        aesdec      %xmm8, %xmm6
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm9, %xmm5
+        aesdec      %xmm9, %xmm6
+        jb          DLAST_6
+        movdqa      192(%r8), %xmm8
+        movdqa      208(%r8), %xmm9
+        movdqa      224(%r8), %xmm10
+        aesdec      %xmm8, %xmm1
+        aesdec      %xmm8, %xmm2
+        aesdec      %xmm8, %xmm3
+        aesdec      %xmm8, %xmm4
+        aesdec      %xmm8, %xmm5
+        aesdec      %xmm8, %xmm6
+        aesdec      %xmm9, %xmm1
+        aesdec      %xmm9, %xmm2
+        aesdec      %xmm9, %xmm3
+        aesdec      %xmm9, %xmm4
+        aesdec      %xmm9, %xmm5
+        aesdec      %xmm9, %xmm6
+DLAST_6:
+        addq        $96, %rsi
+        aesdeclast  %xmm10, %xmm1
+        aesdeclast  %xmm10, %xmm2
+        aesdeclast  %xmm10, %xmm3
+        aesdeclast  %xmm10, %xmm4
+        aesdeclast  %xmm10, %xmm5
+        aesdeclast  %xmm10, %xmm6
+        movdqu      (%rdi), %xmm8
+        movdqu      16(%rdi), %xmm9
+        movdqu      32(%rdi), %xmm10
+        movdqu      48(%rdi), %xmm11
+        movdqu      64(%rdi), %xmm12
+        movdqu      80(%rdi), %xmm13
+        pxor        %xmm7, %xmm1
+        pxor        %xmm8, %xmm2
+        pxor        %xmm9, %xmm3
+        pxor        %xmm10, %xmm4
+        pxor        %xmm11, %xmm5
+        pxor        %xmm12, %xmm6
+        movdqu      %xmm13, %xmm7
+        movdqu      %xmm1, (%rsi)
+        movdqu      %xmm2, 16(%rsi)
+        movdqu      %xmm3, 32(%rsi)
+        movdqu      %xmm4, 48(%rsi)
+        movdqu      %xmm5, 64(%rsi)
+        movdqu      %xmm6, 80(%rsi)
+        addq        $96, %rdi
+        decq        %rcx
+        jne         DLOOP_6
+        addq        $96, %rsi
+DREMAINDER_6:
+        cmpq        $0, %r10
+        je          DEND_6
+DLOOP_6_2:
+        movdqu      (%rdi), %xmm1
+        movdqa      %xmm1, %xmm10
+        addq        $16, %rdi
+        pxor        (%r8), %xmm1
+        movdqu      160(%r8), %xmm2
+        cmpl        $12, %r9d
+        aesdec      16(%r8), %xmm1
+        aesdec      32(%r8), %xmm1
+        aesdec      48(%r8), %xmm1
+        aesdec      64(%r8), %xmm1
+        aesdec      80(%r8), %xmm1
+        aesdec      96(%r8), %xmm1
+        aesdec      112(%r8), %xmm1
+        aesdec      128(%r8), %xmm1
+        aesdec      144(%r8), %xmm1
+        jb          DLAST_6_2
+        movdqu      192(%r8), %xmm2
+        cmpl        $14, %r9d
+        aesdec      160(%r8), %xmm1
+        aesdec      176(%r8), %xmm1
+        jb          DLAST_6_2
+        movdqu      224(%r8), %xmm2
+        aesdec      192(%r8), %xmm1
+        aesdec      208(%r8), %xmm1
+DLAST_6_2:
+        aesdeclast  %xmm2, %xmm1
+        pxor        %xmm7, %xmm1
+        movdqa      %xmm10, %xmm7
+        movdqu      %xmm1, (%rsi)
+        addq        $16, %rsi
+        decq        %r10
+        jne         DLOOP_6_2
+DEND_6:
+        ret
+
+#else /* WOLFSSL_AESNI_BYx */
+
+/*
+AES_CBC_decrypt_by8 (const unsigned char *in,
+  unsigned char *out,
+  unsigned char ivec[16],
+  unsigned long length,
+  const unsigned char *KS,
+  int nr)
+*/
+#ifndef __APPLE__
+.globl AES_CBC_decrypt_by8
+AES_CBC_decrypt_by8:
+#else
+.globl _AES_CBC_decrypt_by8
+_AES_CBC_decrypt_by8:
+#endif
+# parameter 1: %rdi - in
+# parameter 2: %rsi - out
+# parameter 3: %rdx - ivec
+# parameter 4: %rcx - length
+# parameter 5: %r8  - KS
+# parameter 6: %r9d - nr
+
+        movq        %rcx, %r10
+        shrq        $4, %rcx
+        shlq        $60, %r10
+        je          DNO_PARTS_8
+        addq        $1, %rcx
+DNO_PARTS_8:
+        movq        %rcx, %r10
+        shlq        $61, %r10
+        shrq        $61, %r10
+        shrq        $3, %rcx
+        movdqu      (%rdx), %xmm9
+        je          DREMAINDER_8
+        subq        $128, %rsi
+DLOOP_8:
+        movdqu      (%rdi), %xmm1
+        movdqu      16(%rdi), %xmm2
+        movdqu      32(%rdi), %xmm3
+        movdqu      48(%rdi), %xmm4
+        movdqu      64(%rdi), %xmm5
+        movdqu      80(%rdi), %xmm6
+        movdqu      96(%rdi), %xmm7
+        movdqu      112(%rdi), %xmm8
+        movdqa      (%r8), %xmm10
+        movdqa      16(%r8), %xmm11
+        movdqa      32(%r8), %xmm12
+        movdqa      48(%r8), %xmm13
+        pxor        %xmm10, %xmm1
+        pxor        %xmm10, %xmm2
+        pxor        %xmm10, %xmm3
+        pxor        %xmm10, %xmm4
+        pxor        %xmm10, %xmm5
+        pxor        %xmm10, %xmm6
+        pxor        %xmm10, %xmm7
+        pxor        %xmm10, %xmm8
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        aesdec      %xmm11, %xmm7
+        aesdec      %xmm11, %xmm8
+        aesdec      %xmm12, %xmm1
+        aesdec      %xmm12, %xmm2
+        aesdec      %xmm12, %xmm3
+        aesdec      %xmm12, %xmm4
+        aesdec      %xmm12, %xmm5
+        aesdec      %xmm12, %xmm6
+        aesdec      %xmm12, %xmm7
+        aesdec      %xmm12, %xmm8
+        aesdec      %xmm13, %xmm1
+        aesdec      %xmm13, %xmm2
+        aesdec      %xmm13, %xmm3
+        aesdec      %xmm13, %xmm4
+        aesdec      %xmm13, %xmm5
+        aesdec      %xmm13, %xmm6
+        aesdec      %xmm13, %xmm7
+        aesdec      %xmm13, %xmm8
+        movdqa      64(%r8), %xmm10
+        movdqa      80(%r8), %xmm11
+        movdqa      96(%r8), %xmm12
+        movdqa      112(%r8), %xmm13
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm10, %xmm7
+        aesdec      %xmm10, %xmm8
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        aesdec      %xmm11, %xmm7
+        aesdec      %xmm11, %xmm8
+        aesdec      %xmm12, %xmm1
+        aesdec      %xmm12, %xmm2
+        aesdec      %xmm12, %xmm3
+        aesdec      %xmm12, %xmm4
+        aesdec      %xmm12, %xmm5
+        aesdec      %xmm12, %xmm6
+        aesdec      %xmm12, %xmm7
+        aesdec      %xmm12, %xmm8
+        aesdec      %xmm13, %xmm1
+        aesdec      %xmm13, %xmm2
+        aesdec      %xmm13, %xmm3
+        aesdec      %xmm13, %xmm4
+        aesdec      %xmm13, %xmm5
+        aesdec      %xmm13, %xmm6
+        aesdec      %xmm13, %xmm7
+        aesdec      %xmm13, %xmm8
+        movdqa      128(%r8), %xmm10
+        movdqa      144(%r8), %xmm11
+        movdqa      160(%r8), %xmm12
+        cmpl        $12, %r9d
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm10, %xmm7
+        aesdec      %xmm10, %xmm8
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        aesdec      %xmm11, %xmm7
+        aesdec      %xmm11, %xmm8
+        jb          DLAST_8
+        movdqa      160(%r8), %xmm10
+        movdqa      176(%r8), %xmm11
+        movdqa      192(%r8), %xmm12
+        cmpl        $14, %r9d
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm10, %xmm7
+        aesdec      %xmm10, %xmm8
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        aesdec      %xmm11, %xmm7
+        aesdec      %xmm11, %xmm8
+        jb          DLAST_8
+        movdqa      192(%r8), %xmm10
+        movdqa      208(%r8), %xmm11
+        movdqa      224(%r8), %xmm12
+        aesdec      %xmm10, %xmm1
+        aesdec      %xmm10, %xmm2
+        aesdec      %xmm10, %xmm3
+        aesdec      %xmm10, %xmm4
+        aesdec      %xmm10, %xmm5
+        aesdec      %xmm10, %xmm6
+        aesdec      %xmm10, %xmm7
+        aesdec      %xmm10, %xmm8
+        aesdec      %xmm11, %xmm1
+        aesdec      %xmm11, %xmm2
+        aesdec      %xmm11, %xmm3
+        aesdec      %xmm11, %xmm4
+        aesdec      %xmm11, %xmm5
+        aesdec      %xmm11, %xmm6
+        aesdec      %xmm11, %xmm7
+        aesdec      %xmm11, %xmm8
+DLAST_8:
+        addq        $128, %rsi
+        aesdeclast  %xmm12, %xmm1
+        aesdeclast  %xmm12, %xmm2
+        aesdeclast  %xmm12, %xmm3
+        aesdeclast  %xmm12, %xmm4
+        aesdeclast  %xmm12, %xmm5
+        aesdeclast  %xmm12, %xmm6
+        aesdeclast  %xmm12, %xmm7
+        aesdeclast  %xmm12, %xmm8
+        movdqu      (%rdi), %xmm10
+        movdqu      16(%rdi), %xmm11
+        movdqu      32(%rdi), %xmm12
+        movdqu      48(%rdi), %xmm13
+        pxor        %xmm9, %xmm1
+        pxor        %xmm10, %xmm2
+        pxor        %xmm11, %xmm3
+        pxor        %xmm12, %xmm4
+        pxor        %xmm13, %xmm5
+        movdqu      64(%rdi), %xmm10
+        movdqu      80(%rdi), %xmm11
+        movdqu      96(%rdi), %xmm12
+        movdqu      112(%rdi), %xmm9
+        pxor        %xmm10, %xmm6
+        pxor        %xmm11, %xmm7
+        pxor        %xmm12, %xmm8
+        movdqu      %xmm1, (%rsi)
+        movdqu      %xmm2, 16(%rsi)
+        movdqu      %xmm3, 32(%rsi)
+        movdqu      %xmm4, 48(%rsi)
+        movdqu      %xmm5, 64(%rsi)
+        movdqu      %xmm6, 80(%rsi)
+        movdqu      %xmm7, 96(%rsi)
+        movdqu      %xmm8, 112(%rsi)
+        addq        $128, %rdi
+        decq        %rcx
+        jne         DLOOP_8
+        addq        $128, %rsi
+DREMAINDER_8:
+        cmpq        $0, %r10
+        je          DEND_8
+DLOOP_8_2:
+        movdqu      (%rdi), %xmm1
+        movdqa      %xmm1, %xmm10
+        addq        $16, %rdi
+        pxor        (%r8), %xmm1
+        movdqu      160(%r8), %xmm2
+        cmpl        $12, %r9d
+        aesdec      16(%r8), %xmm1
+        aesdec      32(%r8), %xmm1
+        aesdec      48(%r8), %xmm1
+        aesdec      64(%r8), %xmm1
+        aesdec      80(%r8), %xmm1
+        aesdec      96(%r8), %xmm1
+        aesdec      112(%r8), %xmm1
+        aesdec      128(%r8), %xmm1
+        aesdec      144(%r8), %xmm1
+        jb          DLAST_8_2
+        movdqu      192(%r8), %xmm2
+        cmpl        $14, %r9d
+        aesdec      160(%r8), %xmm1
+        aesdec      176(%r8), %xmm1
+        jb          DLAST_8_2
+        movdqu      224(%r8), %xmm2
+        aesdec      192(%r8), %xmm1
+        aesdec      208(%r8), %xmm1
+DLAST_8_2:
+        aesdeclast  %xmm2, %xmm1
+        pxor        %xmm9, %xmm1
+        movdqa      %xmm10, %xmm9
+        movdqu      %xmm1, (%rsi)
+        addq        $16, %rsi
+        decq        %r10
+        jne         DLOOP_8_2
+DEND_8:
+        ret
+
+#endif /* WOLFSSL_AESNI_BYx */
+
+
+/*
+AES_ECB_encrypt (const unsigned char *in,
+	unsigned char *out,
+	unsigned long length,
+	const unsigned char *KS,
+	int nr)
+*/
+#ifndef __APPLE__
+.globl AES_ECB_encrypt
+AES_ECB_encrypt:
+#else
+.globl _AES_ECB_encrypt
+_AES_ECB_encrypt:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+# parameter 3: %rdx
+# parameter 4: %rcx
+# parameter 5: %r8d
+        movq    %rdx, %r10
+        shrq    $4, %rdx
+        shlq    $60, %r10
+        je      EECB_NO_PARTS_4
+        addq    $1, %rdx
+EECB_NO_PARTS_4:
+        movq    %rdx, %r10
+        shlq    $62, %r10
+        shrq    $62, %r10
+        shrq    $2, %rdx
+        je      EECB_REMAINDER_4
+        subq    $64, %rsi
+EECB_LOOP_4:
+        movdqu  (%rdi), %xmm1
+        movdqu  16(%rdi), %xmm2
+        movdqu  32(%rdi), %xmm3
+        movdqu  48(%rdi), %xmm4
+        movdqa  (%rcx), %xmm9
+        movdqa  16(%rcx), %xmm10
+        movdqa  32(%rcx), %xmm11
+        movdqa  48(%rcx), %xmm12
+        pxor    %xmm9, %xmm1
+        pxor    %xmm9, %xmm2
+        pxor    %xmm9, %xmm3
+        pxor    %xmm9, %xmm4
+        aesenc  %xmm10, %xmm1
+        aesenc  %xmm10, %xmm2
+        aesenc  %xmm10, %xmm3
+        aesenc  %xmm10, %xmm4
+        aesenc  %xmm11, %xmm1
+        aesenc  %xmm11, %xmm2
+        aesenc  %xmm11, %xmm3
+        aesenc  %xmm11, %xmm4
+        aesenc  %xmm12, %xmm1
+        aesenc  %xmm12, %xmm2
+        aesenc  %xmm12, %xmm3
+        aesenc  %xmm12, %xmm4
+        movdqa  64(%rcx), %xmm9
+        movdqa  80(%rcx), %xmm10
+        movdqa  96(%rcx), %xmm11
+        movdqa  112(%rcx), %xmm12
+        aesenc  %xmm9, %xmm1
+        aesenc  %xmm9, %xmm2
+        aesenc  %xmm9, %xmm3
+        aesenc  %xmm9, %xmm4
+        aesenc  %xmm10, %xmm1
+        aesenc  %xmm10, %xmm2
+        aesenc  %xmm10, %xmm3
+        aesenc  %xmm10, %xmm4
+        aesenc  %xmm11, %xmm1
+        aesenc  %xmm11, %xmm2
+        aesenc  %xmm11, %xmm3
+        aesenc  %xmm11, %xmm4
+        aesenc  %xmm12, %xmm1
+        aesenc  %xmm12, %xmm2
+        aesenc  %xmm12, %xmm3
+        aesenc  %xmm12, %xmm4
+        movdqa  128(%rcx), %xmm9
+        movdqa  144(%rcx), %xmm10
+        movdqa  160(%rcx), %xmm11
+        cmpl    $12, %r8d
+        aesenc  %xmm9, %xmm1
+        aesenc  %xmm9, %xmm2
+        aesenc  %xmm9, %xmm3
+        aesenc  %xmm9, %xmm4
+        aesenc  %xmm10, %xmm1
+        aesenc  %xmm10, %xmm2
+        aesenc  %xmm10, %xmm3
+        aesenc  %xmm10, %xmm4
+        jb      EECB_LAST_4
+        movdqa  160(%rcx), %xmm9
+        movdqa  176(%rcx), %xmm10
+        movdqa  192(%rcx), %xmm11
+        cmpl    $14, %r8d
+        aesenc  %xmm9, %xmm1
+        aesenc  %xmm9, %xmm2
+        aesenc  %xmm9, %xmm3
+        aesenc  %xmm9, %xmm4
+        aesenc  %xmm10, %xmm1
+        aesenc  %xmm10, %xmm2
+        aesenc  %xmm10, %xmm3
+        aesenc  %xmm10, %xmm4
+        jb      EECB_LAST_4
+        movdqa  192(%rcx), %xmm9
+        movdqa  208(%rcx), %xmm10
+        movdqa  224(%rcx), %xmm11
+        aesenc  %xmm9, %xmm1
+        aesenc  %xmm9, %xmm2
+        aesenc  %xmm9, %xmm3
+        aesenc  %xmm9, %xmm4
+        aesenc  %xmm10, %xmm1
+        aesenc  %xmm10, %xmm2
+        aesenc  %xmm10, %xmm3
+        aesenc  %xmm10, %xmm4
+EECB_LAST_4:
+        addq    $64, %rdi
+        addq    $64, %rsi
+        decq    %rdx
+        aesenclast %xmm11, %xmm1
+        aesenclast %xmm11, %xmm2
+        aesenclast %xmm11, %xmm3
+        aesenclast %xmm11, %xmm4
+        movdqu  %xmm1, (%rsi)
+        movdqu  %xmm2, 16(%rsi)
+        movdqu  %xmm3, 32(%rsi)
+        movdqu  %xmm4, 48(%rsi)
+        jne     EECB_LOOP_4
+        addq    $64, %rsi
+EECB_REMAINDER_4:
+        cmpq    $0, %r10
+        je      EECB_END_4
+EECB_LOOP_4_2:
+        movdqu  (%rdi), %xmm1
+        addq    $16, %rdi
+        pxor    (%rcx), %xmm1
+        movdqu  160(%rcx), %xmm2
+        aesenc  16(%rcx), %xmm1
+        aesenc  32(%rcx), %xmm1
+        aesenc  48(%rcx), %xmm1
+        aesenc  64(%rcx), %xmm1
+        aesenc  80(%rcx), %xmm1
+        aesenc  96(%rcx), %xmm1
+        aesenc  112(%rcx), %xmm1
+        aesenc  128(%rcx), %xmm1
+        aesenc  144(%rcx), %xmm1
+        cmpl    $12, %r8d
+        jb      EECB_LAST_4_2
+        movdqu  192(%rcx), %xmm2
+        aesenc  160(%rcx), %xmm1
+        aesenc  176(%rcx), %xmm1
+        cmpl    $14, %r8d
+        jb      EECB_LAST_4_2
+        movdqu  224(%rcx), %xmm2
+        aesenc  192(%rcx), %xmm1
+        aesenc  208(%rcx), %xmm1
+EECB_LAST_4_2:
+        aesenclast %xmm2, %xmm1
+        movdqu  %xmm1, (%rsi)
+        addq    $16, %rsi
+        decq    %r10
+        jne     EECB_LOOP_4_2
+EECB_END_4:
+        ret
+
+
+/*
+AES_ECB_decrypt (const unsigned char *in,
+  unsigned char *out,
+  unsigned long length,
+  const unsigned char *KS,
+  int nr)
+*/
+#ifndef __APPLE__
+.globl AES_ECB_decrypt
+AES_ECB_decrypt:
+#else
+.globl _AES_ECB_decrypt
+_AES_ECB_decrypt:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+# parameter 3: %rdx
+# parameter 4: %rcx
+# parameter 5: %r8d
+
+        movq    %rdx, %r10
+        shrq    $4, %rdx
+        shlq    $60, %r10
+        je      DECB_NO_PARTS_4
+        addq    $1, %rdx
+DECB_NO_PARTS_4:
+        movq    %rdx, %r10
+        shlq    $62, %r10
+        shrq    $62, %r10
+        shrq    $2, %rdx
+        je      DECB_REMAINDER_4
+        subq    $64, %rsi
+DECB_LOOP_4:
+        movdqu  (%rdi), %xmm1
+        movdqu  16(%rdi), %xmm2
+        movdqu  32(%rdi), %xmm3
+        movdqu  48(%rdi), %xmm4
+        movdqa  (%rcx), %xmm9
+        movdqa  16(%rcx), %xmm10
+        movdqa  32(%rcx), %xmm11
+        movdqa  48(%rcx), %xmm12
+        pxor    %xmm9, %xmm1
+        pxor    %xmm9, %xmm2
+        pxor    %xmm9, %xmm3
+        pxor    %xmm9, %xmm4
+        aesdec  %xmm10, %xmm1
+        aesdec  %xmm10, %xmm2
+        aesdec  %xmm10, %xmm3
+        aesdec  %xmm10, %xmm4
+        aesdec  %xmm11, %xmm1
+        aesdec  %xmm11, %xmm2
+        aesdec  %xmm11, %xmm3
+        aesdec  %xmm11, %xmm4
+        aesdec  %xmm12, %xmm1
+        aesdec  %xmm12, %xmm2
+        aesdec  %xmm12, %xmm3
+        aesdec  %xmm12, %xmm4
+        movdqa  64(%rcx), %xmm9
+        movdqa  80(%rcx), %xmm10
+        movdqa  96(%rcx), %xmm11
+        movdqa  112(%rcx), %xmm12
+        aesdec  %xmm9, %xmm1
+        aesdec  %xmm9, %xmm2
+        aesdec  %xmm9, %xmm3
+        aesdec  %xmm9, %xmm4
+        aesdec  %xmm10, %xmm1
+        aesdec  %xmm10, %xmm2
+        aesdec  %xmm10, %xmm3
+        aesdec  %xmm10, %xmm4
+        aesdec  %xmm11, %xmm1
+        aesdec  %xmm11, %xmm2
+        aesdec  %xmm11, %xmm3
+        aesdec  %xmm11, %xmm4
+        aesdec  %xmm12, %xmm1
+        aesdec  %xmm12, %xmm2
+        aesdec  %xmm12, %xmm3
+        aesdec  %xmm12, %xmm4
+        movdqa  128(%rcx), %xmm9
+        movdqa  144(%rcx), %xmm10
+        movdqa  160(%rcx), %xmm11
+        cmpl    $12, %r8d
+        aesdec  %xmm9, %xmm1
+        aesdec  %xmm9, %xmm2
+        aesdec  %xmm9, %xmm3
+        aesdec  %xmm9, %xmm4
+        aesdec  %xmm10, %xmm1
+        aesdec  %xmm10, %xmm2
+        aesdec  %xmm10, %xmm3
+        aesdec  %xmm10, %xmm4
+        jb      DECB_LAST_4
+        movdqa  160(%rcx), %xmm9
+        movdqa  176(%rcx), %xmm10
+        movdqa  192(%rcx), %xmm11
+        cmpl    $14, %r8d
+        aesdec  %xmm9, %xmm1
+        aesdec  %xmm9, %xmm2
+        aesdec  %xmm9, %xmm3
+        aesdec  %xmm9, %xmm4
+        aesdec  %xmm10, %xmm1
+        aesdec  %xmm10, %xmm2
+        aesdec  %xmm10, %xmm3
+        aesdec  %xmm10, %xmm4
+        jb      DECB_LAST_4
+        movdqa  192(%rcx), %xmm9
+        movdqa  208(%rcx), %xmm10
+        movdqa  224(%rcx), %xmm11
+        aesdec  %xmm9, %xmm1
+        aesdec  %xmm9, %xmm2
+        aesdec  %xmm9, %xmm3
+        aesdec  %xmm9, %xmm4
+        aesdec  %xmm10, %xmm1
+        aesdec  %xmm10, %xmm2
+        aesdec  %xmm10, %xmm3
+        aesdec  %xmm10, %xmm4
+DECB_LAST_4:
+        addq    $64, %rdi
+        addq    $64, %rsi
+        decq    %rdx
+        aesdeclast %xmm11, %xmm1
+        aesdeclast %xmm11, %xmm2
+        aesdeclast %xmm11, %xmm3
+        aesdeclast %xmm11, %xmm4
+        movdqu  %xmm1, (%rsi)
+        movdqu  %xmm2, 16(%rsi)
+        movdqu  %xmm3, 32(%rsi)
+        movdqu  %xmm4, 48(%rsi)
+        jne     DECB_LOOP_4
+        addq    $64, %rsi
+DECB_REMAINDER_4:
+        cmpq    $0, %r10
+        je      DECB_END_4
+DECB_LOOP_4_2:
+        movdqu  (%rdi), %xmm1
+        addq    $16, %rdi
+        pxor    (%rcx), %xmm1
+        movdqu  160(%rcx), %xmm2
+        cmpl    $12, %r8d
+        aesdec  16(%rcx), %xmm1
+        aesdec  32(%rcx), %xmm1
+        aesdec  48(%rcx), %xmm1
+        aesdec  64(%rcx), %xmm1
+        aesdec  80(%rcx), %xmm1
+        aesdec  96(%rcx), %xmm1
+        aesdec  112(%rcx), %xmm1
+        aesdec  128(%rcx), %xmm1
+        aesdec  144(%rcx), %xmm1
+        jb      DECB_LAST_4_2
+        cmpl    $14, %r8d
+        movdqu  192(%rcx), %xmm2
+        aesdec  160(%rcx), %xmm1
+        aesdec  176(%rcx), %xmm1
+        jb      DECB_LAST_4_2
+        movdqu  224(%rcx), %xmm2
+        aesdec  192(%rcx), %xmm1
+        aesdec  208(%rcx), %xmm1
+DECB_LAST_4_2:
+        aesdeclast %xmm2, %xmm1
+        movdqu  %xmm1, (%rsi)
+        addq    $16, %rsi
+        decq    %r10
+        jne     DECB_LOOP_4_2
+DECB_END_4:
+        ret
+
+
+
+
+/*
+void AES_128_Key_Expansion(const unsigned char* userkey,
+   unsigned char* key_schedule);
+*/
+.align  16,0x90
+#ifndef __APPLE__
+.globl AES_128_Key_Expansion
+AES_128_Key_Expansion:
+#else
+.globl _AES_128_Key_Expansion
+_AES_128_Key_Expansion:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+movl    $10, 240(%rsi)
+
+movdqu  (%rdi), %xmm1
+movdqa    %xmm1, (%rsi)
+
+
+ASSISTS:
+aeskeygenassist $1, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 16(%rsi)
+aeskeygenassist $2, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 32(%rsi)
+aeskeygenassist $4, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 48(%rsi)
+aeskeygenassist $8, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 64(%rsi)
+aeskeygenassist $16, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 80(%rsi)
+aeskeygenassist $32, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 96(%rsi)
+aeskeygenassist $64, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 112(%rsi)
+aeskeygenassist $0x80, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 128(%rsi)
+aeskeygenassist $0x1b, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 144(%rsi)
+aeskeygenassist $0x36, %xmm1, %xmm2
+call PREPARE_ROUNDKEY_128
+movdqa %xmm1, 160(%rsi)
+ret
+
+PREPARE_ROUNDKEY_128:
+pshufd $255, %xmm2, %xmm2
+movdqa %xmm1, %xmm3
+pslldq $4, %xmm3
+pxor %xmm3, %xmm1
+pslldq $4, %xmm3
+pxor %xmm3, %xmm1
+pslldq $4, %xmm3
+pxor %xmm3, %xmm1
+pxor %xmm2, %xmm1
+ret
+
+
+/*
+void AES_192_Key_Expansion (const unsigned char *userkey,
+  unsigned char *key)
+*/
+#ifndef __APPLE__
+.globl AES_192_Key_Expansion
+AES_192_Key_Expansion:
+#else
+.globl _AES_192_Key_Expansion
+_AES_192_Key_Expansion:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+
+movdqu (%rdi), %xmm1
+movq 16(%rdi), %xmm3
+movdqa %xmm1, (%rsi)
+movdqa %xmm3, %xmm5
+
+aeskeygenassist $0x1, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+shufpd $0, %xmm1, %xmm5
+movdqa %xmm5, 16(%rsi)
+movdqa %xmm1, %xmm6
+shufpd $1, %xmm3, %xmm6
+movdqa %xmm6, 32(%rsi)
+
+aeskeygenassist $0x2, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+movdqa %xmm1, 48(%rsi)
+movdqa %xmm3, %xmm5
+
+aeskeygenassist $0x4, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+shufpd $0, %xmm1, %xmm5
+movdqa %xmm5, 64(%rsi)
+movdqa %xmm1, %xmm6
+shufpd $1, %xmm3, %xmm6
+movdqa %xmm6, 80(%rsi)
+
+aeskeygenassist $0x8, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+movdqa %xmm1, 96(%rsi)
+movdqa %xmm3, %xmm5
+
+aeskeygenassist $0x10, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+shufpd $0, %xmm1, %xmm5
+movdqa %xmm5, 112(%rsi)
+movdqa %xmm1, %xmm6
+shufpd $1, %xmm3, %xmm6
+movdqa %xmm6, 128(%rsi)
+
+aeskeygenassist $0x20, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+movdqa %xmm1, 144(%rsi)
+movdqa %xmm3, %xmm5
+
+aeskeygenassist $0x40, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+shufpd $0, %xmm1, %xmm5
+movdqa %xmm5, 160(%rsi)
+movdqa %xmm1, %xmm6
+shufpd $1, %xmm3, %xmm6
+movdqa %xmm6, 176(%rsi)
+
+aeskeygenassist $0x80, %xmm3, %xmm2
+call PREPARE_ROUNDKEY_192
+movdqa %xmm1, 192(%rsi)
+movdqa %xmm3, 208(%rsi)
+ret
+
+PREPARE_ROUNDKEY_192:
+pshufd $0x55, %xmm2, %xmm2
+movdqu %xmm1, %xmm4
+pslldq $4, %xmm4
+pxor   %xmm4, %xmm1
+
+pslldq $4, %xmm4
+pxor   %xmm4, %xmm1
+pslldq $4, %xmm4
+pxor  %xmm4, %xmm1
+pxor   %xmm2, %xmm1
+pshufd $0xff, %xmm1, %xmm2
+movdqu %xmm3, %xmm4
+pslldq $4, %xmm4
+pxor   %xmm4, %xmm3
+pxor   %xmm2, %xmm3
+ret
+
+
+/*
+void AES_256_Key_Expansion (const unsigned char *userkey,
+  unsigned char *key)
+*/
+#ifndef __APPLE__
+.globl AES_256_Key_Expansion
+AES_256_Key_Expansion:
+#else
+.globl _AES_256_Key_Expansion
+_AES_256_Key_Expansion:
+#endif
+# parameter 1: %rdi
+# parameter 2: %rsi
+
+movdqu (%rdi), %xmm1
+movdqu 16(%rdi), %xmm3
+movdqa %xmm1, (%rsi)
+movdqa %xmm3, 16(%rsi)
+
+aeskeygenassist $0x1, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 32(%rsi)
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 48(%rsi)
+aeskeygenassist $0x2, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 64(%rsi)
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 80(%rsi)
+aeskeygenassist $0x4, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 96(%rsi)
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 112(%rsi)
+aeskeygenassist $0x8, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 128(%rsi)
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 144(%rsi)
+aeskeygenassist $0x10, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 160(%rsi)
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 176(%rsi)
+aeskeygenassist $0x20, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 192(%rsi)
+
+aeskeygenassist $0x0, %xmm1, %xmm2
+call MAKE_RK256_b
+movdqa %xmm3, 208(%rsi)
+aeskeygenassist $0x40, %xmm3, %xmm2
+call MAKE_RK256_a
+movdqa %xmm1, 224(%rsi)
+
+ret
+
+MAKE_RK256_a:
+pshufd $0xff, %xmm2, %xmm2
+movdqa %xmm1, %xmm4
+pslldq $4, %xmm4
+pxor   %xmm4, %xmm1
+pslldq $4, %xmm4
+pxor  %xmm4, %xmm1
+pslldq $4, %xmm4
+pxor  %xmm4, %xmm1
+pxor   %xmm2, %xmm1
+ret
+
+MAKE_RK256_b:
+pshufd $0xaa, %xmm2, %xmm2
+movdqa %xmm3, %xmm4
+pslldq $4, %xmm4
+pxor   %xmm4, %xmm3
+pslldq $4, %xmm4
+pxor  %xmm4, %xmm3
+pslldq $4, %xmm4
+pxor  %xmm4, %xmm3
+pxor   %xmm2, %xmm3
+ret
+
+#if defined(__linux__) && defined(__ELF__)
+    .section .note.GNU-stack,"",%progbits
+#endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.asm b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.asm
index 1e3d2d99e..b3cc94d9e 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.asm
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_asm.asm
@@ -1,31 +1,49 @@
-;	/*aes_asm . asm
-;	*
-;	*Copyright[C]2006	-2014	wolfSSL	Inc	.
-;	*
-;	*This	file	is	part	of	wolfssl. (formerly known as CyaSSL)
-;	*
-;	*wolfSSL	is	free	software/ you can redistribute it and/or modify
-;	*it	under	the	terms	of	the	GNU	General	Public	License	as	published	by
-;	*the	Free	Software	Foundation/ either version 2 of the License, or
-;	*[at	your	option]any	later	version	.
-;	*
-;	*wolfSSL	,is	distributed	in	the	hope	that	it	will	be	useful
-;	*but	WITHOUT	ANY	WARRANTY/ without even the implied warranty of
-;	*MERCHANTABILITY	or	FITNESS	FOR	A	PARTICULAR	PURPOSE	.	See	the
-;	*GNU	General	Public	License	for	more	details	.
-;	*
-;	*You	should	have	received	a	copy	of	the	GNU	General	Public	License
-;	*along	with	this	program/ if not, write to the Free Software
-;	*Foundation,Inc	.,51	Franklin	Street,Fifth	Floor,Boston,MA	02110-1301,USA
-;	*/
+; /* aes_asm.asm
+;  *
+;  * Copyright (C) 2006-2020 wolfSSL Inc.
+;  *
+;  * This file is part of wolfSSL.
+;  *
+;  * wolfSSL is free software; you can redistribute it and/or modify
+;  * it under the terms of the GNU General Public License as published by
+;  * the Free Software Foundation; either version 2 of the License, or
+;  * (at your option) any later version.
+;  *
+;  * wolfSSL is distributed in the hope that it will be useful,
+;  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+;  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;  * GNU General Public License for more details.
+;  *
+;  * You should have received a copy of the GNU General Public License
+;  * along with this program; if not, write to the Free Software
+;  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+;  */
+
 ;
 ;
-;	/*See	IntelA	dvanced	Encryption	Standard[AES]Instructions	Set	White	Paper
-;	*by	Israel,Intel	Mobility	Group	Development	Center,Israel	Shay	Gueron
-;	*/
+;  /* See Intel Advanced Encryption Standard (AES) Instructions Set White Paper
+;   * by Israel, Intel Mobility Group Development Center, Israel Shay Gueron
+;   */
 ;
 ;   /* This file is in intel asm syntax, see .s for at&t syntax */
 ;
+
+
+fips_version = 0
+IFDEF HAVE_FIPS
+  fips_version = 1
+  IFDEF HAVE_FIPS_VERSION
+    fips_version = HAVE_FIPS_VERSION
+  ENDIF
+ENDIF
+
+IF fips_version GE 2
+  fipsAh SEGMENT ALIAS(".fipsA$h") 'CODE'
+ELSE
+  _text SEGMENT
+ENDIF
+
+
 ;	/*
 ;	AES_CBC_encrypt[const	,unsigned	char*in
 ;	unsigned	,char*out
@@ -34,7 +52,6 @@
 ;	const	,unsigned	char*KS
 ;	int	nr]
 ;	*/
-_text SEGMENT
 AES_CBC_encrypt PROC
 ;#	parameter	1:	rdi
 ;#	parameter	2:	rsi
@@ -101,220 +118,753 @@ LAST:
 AES_CBC_encrypt ENDP
 
 
-
-;	/*
-;	AES_CBC_decrypt[const	,unsigned	char*in
-;	unsigned	,char*out
-;	unsigned	,char	ivec+16
-;	unsigned	,long	length
-;	const	,unsigned	char*KS
-;	int	nr]
-;	*/
-;	.	globl	AES_CBC_decrypt
-AES_CBC_decrypt PROC
-;#	parameter	1:	rdi
-;#	parameter	2:	rsi
-;#	parameter	3:	rdx
-;#	parameter	4:	rcx
-;#	parameter	5:	r8
-;#	parameter	6:	r9d
-
-; save rdi and rsi to rax and r11, restore before ret
-	mov rax,rdi
-	mov r11,rsi
-
-; convert to what we had for att&t convention
-	mov rdi,rcx
-	mov rsi,rdx
-	mov rdx,r8
-	mov rcx,r9
-	mov r8,[rsp+40]
-	mov r9d,[rsp+48]
-
-; on microsoft xmm6-xmm15 are non volaitle, let's save on stack and restore at end
-	sub rsp,8+8*16  ; 8 = align stack , 8 xmm6-12,15 16 bytes each
-	movdqa [rsp+0], xmm6
-	movdqa [rsp+16], xmm7
-	movdqa [rsp+32], xmm8
-	movdqa [rsp+48], xmm9
-	movdqa [rsp+64], xmm10
-	movdqa [rsp+80], xmm11
-	movdqa [rsp+96], xmm12
-	movdqa [rsp+112], xmm15
-
-	mov	r10,rcx
-	shr	rcx,4
-	shl	r10,60
-	je	DNO_PARTS_4
-	add	rcx,1
+; void AES_CBC_decrypt_by4(const unsigned char* in,
+;                          unsigned char* out,
+;                          unsigned char ivec[16],
+;                          unsigned long length,
+;                          const unsigned char* KS,
+;                          int nr)
+AES_CBC_decrypt_by4 PROC
+; parameter 1: rdi
+; parameter 2: rsi
+; parameter 3: rdx
+; parameter 4: rcx
+; parameter 5: r8
+; parameter 6: r9d
+
+        ; save rdi and rsi to rax and r11, restore before ret
+        mov         rax, rdi
+        mov         r11, rsi
+        ; convert to what we had for att&t convention
+        mov         rdi, rcx
+        mov         rsi, rdx
+        mov         rdx, r8
+        mov         rcx,r9
+        mov         r8, [rsp+40]
+        mov         r9d, [rsp+48]
+        ; on microsoft xmm6-xmm15 are non volatile,
+        ; let's save on stack and restore at end
+        sub         rsp, 8+8*16  ; 8 = align stack , 8 xmm6-12,15 16 bytes each
+        movdqa      [rsp+0], xmm6
+        movdqa      [rsp+16], xmm7
+        movdqa      [rsp+32], xmm8
+        movdqa      [rsp+48], xmm9
+        movdqa      [rsp+64], xmm10
+        movdqa      [rsp+80], xmm11
+        movdqa      [rsp+96], xmm12
+        movdqa      [rsp+112], xmm15
+        ; back to our original code, more or less
+        mov         r10, rcx
+        shr         rcx, 4
+        shl         r10, 60
+        je          DNO_PARTS_4
+        add         rcx, 1
 DNO_PARTS_4:
-	mov	r10,rcx
-	shl	r10,62
-	shr	r10,62
-	shr	rcx,2
-	movdqu xmm5,[rdx]
-	je	DREMAINDER_4
-	sub	rsi,64
+        mov         r10, rcx
+        shl         r10, 62
+        shr         r10, 62
+        shr         rcx, 2
+        movdqu      xmm5, [rdx]
+        je          DREMAINDER_4
+        sub         rsi, 64
 DLOOP_4:
-	movdqu  xmm1,[rdi]
-	movdqu	xmm2,16[rdi]
-	movdqu	xmm3,32[rdi]
-	movdqu	xmm4,48[rdi]
-	movdqa	xmm6,xmm1
-	movdqa	xmm7,xmm2
-	movdqa	xmm8,xmm3
-	movdqa	xmm15,xmm4
-	movdqa  xmm9,[r8]
-	movdqa	xmm10,16[r8]
-	movdqa	xmm11,32[r8]
-	movdqa	xmm12,48[r8]
-	pxor	xmm1,xmm9
-	pxor	xmm2,xmm9
-	pxor	xmm3,xmm9
-
-	pxor	xmm4,xmm9
-	aesdec	xmm1,xmm10
-	aesdec	xmm2,xmm10
-	aesdec	xmm3,xmm10
-	aesdec	xmm4,xmm10
-	aesdec	xmm1,xmm11
-	aesdec	xmm2,xmm11
-	aesdec	xmm3,xmm11
-	aesdec	xmm4,xmm11
-	aesdec	xmm1,xmm12
-	aesdec	xmm2,xmm12
-	aesdec	xmm3,xmm12
-	aesdec	xmm4,xmm12
-	movdqa	xmm9,64[r8]
-	movdqa	xmm10,80[r8]
-	movdqa	xmm11,96[r8]
-	movdqa	xmm12,112[r8]
-	aesdec	xmm1,xmm9
-	aesdec	xmm2,xmm9
-	aesdec	xmm3,xmm9
-	aesdec	xmm4,xmm9
-	aesdec	xmm1,xmm10
-	aesdec	xmm2,xmm10
-	aesdec	xmm3,xmm10
-	aesdec	xmm4,xmm10
-	aesdec	xmm1,xmm11
-	aesdec	xmm2,xmm11
-	aesdec	xmm3,xmm11
-	aesdec	xmm4,xmm11
-	aesdec	xmm1,xmm12
-	aesdec	xmm2,xmm12
-	aesdec	xmm3,xmm12
-	aesdec	xmm4,xmm12
-	movdqa	xmm9,128[r8]
-	movdqa	xmm10,144[r8]
-	movdqa	xmm11,160[r8]
-	cmp	r9d,12
-	aesdec	xmm1,xmm9
-	aesdec	xmm2,xmm9
-	aesdec	xmm3,xmm9
-	aesdec	xmm4,xmm9
-	aesdec	xmm1,xmm10
-	aesdec	xmm2,xmm10
-	aesdec	xmm3,xmm10
-	aesdec	xmm4,xmm10
-	jb	DLAST_4
-	movdqa	xmm9,160[r8]
-	movdqa	xmm10,176[r8]
-	movdqa	xmm11,192[r8]
-	cmp	r9d,14
-	aesdec	xmm1,xmm9
-	aesdec	xmm2,xmm9
-	aesdec	xmm3,xmm9
-	aesdec	xmm4,xmm9
-	aesdec	xmm1,xmm10
-	aesdec	xmm2,xmm10
-	aesdec	xmm3,xmm10
-	aesdec	xmm4,xmm10
-	jb	DLAST_4
-
-	movdqa	xmm9,192[r8]
-	movdqa	xmm10,208[r8]
-	movdqa	xmm11,224[r8]
-	aesdec	xmm1,xmm9
-	aesdec	xmm2,xmm9
-	aesdec	xmm3,xmm9
-	aesdec	xmm4,xmm9
-	aesdec	xmm1,xmm10
-	aesdec	xmm2,xmm10
-	aesdec	xmm3,xmm10
-	aesdec	xmm4,xmm10
+        movdqu      xmm1, [rdi]
+        movdqu      xmm2, 16[rdi]
+        movdqu      xmm3, 32[rdi]
+        movdqu      xmm4, 48[rdi]
+        movdqa      xmm6, xmm1
+        movdqa      xmm7, xmm2
+        movdqa      xmm8, xmm3
+        movdqa      xmm15, xmm4
+        movdqa      xmm9, [r8]
+        movdqa      xmm10, 16[r8]
+        movdqa      xmm11, 32[r8]
+        movdqa      xmm12, 48[r8]
+        pxor        xmm1, xmm9
+        pxor        xmm2, xmm9
+        pxor        xmm3, xmm9
+        pxor        xmm4, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm1, xmm12
+        aesdec      xmm2, xmm12
+        aesdec      xmm3, xmm12
+        aesdec      xmm4, xmm12
+        movdqa      xmm9, 64[r8]
+        movdqa      xmm10, 80[r8]
+        movdqa      xmm11, 96[r8]
+        movdqa      xmm12, 112[r8]
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm1, xmm12
+        aesdec      xmm2, xmm12
+        aesdec      xmm3, xmm12
+        aesdec      xmm4, xmm12
+        movdqa      xmm9, 128[r8]
+        movdqa      xmm10, 144[r8]
+        movdqa      xmm11, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        jb          DLAST_4
+        movdqa      xmm9, 160[r8]
+        movdqa      xmm10, 176[r8]
+        movdqa      xmm11, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        jb          DLAST_4
+        movdqa      xmm9, 192[r8]
+        movdqa      xmm10, 208[r8]
+        movdqa      xmm11, 224[r8]
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
 DLAST_4:
-	add	rdi,64
-	add	rsi,64
-	dec	rcx
-	aesdeclast	xmm1,xmm11
-	aesdeclast	xmm2,xmm11
-	aesdeclast	xmm3,xmm11
-	aesdeclast	xmm4,xmm11
-	pxor	xmm1,xmm5
-	pxor	xmm2,xmm6
-	pxor	xmm3,xmm7
-	pxor	xmm4,xmm8
-	movdqu	[rsi],xmm1
-	movdqu	16[rsi],xmm2
-	movdqu	32[rsi],xmm3
-	movdqu	48[rsi],xmm4
-	movdqa	xmm5,xmm15
-	jne	DLOOP_4
-	add	rsi,64
+        add         rdi, 64
+        add         rsi, 64
+        dec         rcx
+        aesdeclast  xmm1, xmm11
+        aesdeclast  xmm2, xmm11
+        aesdeclast  xmm3, xmm11
+        aesdeclast  xmm4, xmm11
+        pxor        xmm1, xmm5
+        pxor        xmm2, xmm6
+        pxor        xmm3, xmm7
+        pxor        xmm4, xmm8
+        movdqu      [rsi], xmm1
+        movdqu      16[rsi], xmm2
+        movdqu      32[rsi], xmm3
+        movdqu      48[rsi], xmm4
+        movdqa      xmm5, xmm15
+        jne         DLOOP_4
+        add         rsi, 64
 DREMAINDER_4:
-	cmp	r10,0
-	je	DEND_4
+        cmp         r10, 0
+        je          DEND_4
 DLOOP_4_2:
-	movdqu  xmm1,[rdi]
-	movdqa	xmm15,xmm1
-	add	rdi,16
-	pxor	xmm1,[r8]
-	movdqu	xmm2,160[r8]
-	cmp	r9d,12
-	aesdec	xmm1,16[r8]
-	aesdec	xmm1,32[r8]
-	aesdec	xmm1,48[r8]
-	aesdec	xmm1,64[r8]
-	aesdec	xmm1,80[r8]
-	aesdec	xmm1,96[r8]
-	aesdec	xmm1,112[r8]
-	aesdec	xmm1,128[r8]
-	aesdec	xmm1,144[r8]
-	jb	DLAST_4_2
-	movdqu	xmm2,192[r8]
-	cmp	r9d,14
-	aesdec	xmm1,160[r8]
-	aesdec	xmm1,176[r8]
-	jb	DLAST_4_2
-	movdqu	xmm2,224[r8]
-	aesdec	xmm1,192[r8]
-	aesdec	xmm1,208[r8]
+        movdqu      xmm1, [rdi]
+        movdqa      xmm15, xmm1
+        add         rdi, 16
+        pxor        xmm1, [r8]
+        movdqu      xmm2, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, 16[r8]
+        aesdec      xmm1, 32[r8]
+        aesdec      xmm1, 48[r8]
+        aesdec      xmm1, 64[r8]
+        aesdec      xmm1, 80[r8]
+        aesdec      xmm1, 96[r8]
+        aesdec      xmm1, 112[r8]
+        aesdec      xmm1, 128[r8]
+        aesdec      xmm1, 144[r8]
+        jb          DLAST_4_2
+        movdqu      xmm2, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, 160[r8]
+        aesdec      xmm1, 176[r8]
+        jb          DLAST_4_2
+        movdqu      xmm2, 224[r8]
+        aesdec      xmm1, 192[r8]
+        aesdec      xmm1, 208[r8]
 DLAST_4_2:
-	aesdeclast	xmm1,xmm2
-	pxor	xmm1,xmm5
-	movdqa	xmm5,xmm15
-	movdqu	[rsi],xmm1
-
-	add	rsi,16
-	dec	r10
-	jne	DLOOP_4_2
+        aesdeclast  xmm1, xmm2
+        pxor        xmm1, xmm5
+        movdqa      xmm5, xmm15
+        movdqu      [rsi], xmm1
+        add         rsi, 16
+        dec         r10
+        jne         DLOOP_4_2
 DEND_4:
-	; restore non volatile rdi,rsi
-	mov rdi,rax
-	mov rsi,r11
-	; restore non volatile xmms from stack
-	movdqa xmm6, [rsp+0]
-	movdqa xmm7, [rsp+16]
-	movdqa xmm8, [rsp+32]
-	movdqa xmm9, [rsp+48]
-	movdqa xmm10, [rsp+64]
-	movdqa xmm11, [rsp+80]
-	movdqa xmm12, [rsp+96]
-	movdqa xmm15, [rsp+112]
-	add rsp,8+8*16 ; 8 = align stack , 8 xmm6-12,15 16 bytes each
-	ret
-AES_CBC_decrypt ENDP
+        ; restore non volatile rdi,rsi
+        mov         rdi, rax
+        mov         rsi, r11
+        ; restore non volatile xmms from stack
+        movdqa      xmm6, [rsp+0]
+        movdqa      xmm7, [rsp+16]
+        movdqa      xmm8, [rsp+32]
+        movdqa      xmm9, [rsp+48]
+        movdqa      xmm10, [rsp+64]
+        movdqa      xmm11, [rsp+80]
+        movdqa      xmm12, [rsp+96]
+        movdqa      xmm15, [rsp+112]
+        add         rsp, 8+8*16 ; 8 = align stack , 8 xmm6-12,15 16 bytes each
+        ret
+AES_CBC_decrypt_by4 ENDP
+
+
+; void AES_CBC_decrypt_by6(const unsigned char *in,
+;                          unsigned char *out,
+;                          unsigned char ivec[16],
+;                          unsigned long length,
+;                          const unsigned char *KS,
+;                          int nr)
+AES_CBC_decrypt_by6 PROC
+; parameter 1: rdi - in
+; parameter 2: rsi - out
+; parameter 3: rdx - ivec
+; parameter 4: rcx - length
+; parameter 5: r8  - KS
+; parameter 6: r9d - nr
+
+        ; save rdi and rsi to rax and r11, restore before ret
+        mov         rax, rdi
+        mov         r11, rsi
+        ; convert to what we had for att&t convention
+        mov         rdi, rcx
+        mov         rsi, rdx
+        mov         rdx, r8
+        mov         rcx, r9
+        mov         r8, [rsp+40]
+        mov         r9d, [rsp+48]
+        ; on microsoft xmm6-xmm15 are non volatile,
+        ; let's save on stack and restore at end
+        sub         rsp, 8+9*16  ; 8 = align stack , 9 xmm6-14 16 bytes each
+        movdqa      [rsp+0], xmm6
+        movdqa      [rsp+16], xmm7
+        movdqa      [rsp+32], xmm8
+        movdqa      [rsp+48], xmm9
+        movdqa      [rsp+64], xmm10
+        movdqa      [rsp+80], xmm11
+        movdqa      [rsp+96], xmm12
+        movdqa      [rsp+112], xmm13
+        movdqa      [rsp+128], xmm14
+        ; back to our original code, more or less
+        mov         r10, rcx
+        shr         rcx, 4
+        shl         r10, 60
+        je          DNO_PARTS_6
+        add         rcx, 1
+DNO_PARTS_6:
+        mov         r12, rax
+        mov         r13, rdx
+        mov         r14, rbx
+        mov         rdx, 0
+        mov         rax, rcx
+        mov         rbx, 6
+        div         rbx
+        mov         rcx, rax
+        mov         r10, rdx
+        mov         rax, r12
+        mov         rdx, r13
+        mov         rbx, r14
+        cmp         rcx, 0
+        movdqu      xmm7, [rdx]
+        je          DREMAINDER_6
+        sub         rsi, 96
+DLOOP_6:
+        movdqu      xmm1, [rdi]
+        movdqu      xmm2, 16[rdi]
+        movdqu      xmm3, 32[rdi]
+        movdqu      xmm4, 48[rdi]
+        movdqu      xmm5, 64[rdi]
+        movdqu      xmm6, 80[rdi]
+        movdqa      xmm8, [r8]
+        movdqa      xmm9, 16[r8]
+        movdqa      xmm10, 32[r8]
+        movdqa      xmm11, 48[r8]
+        pxor        xmm1, xmm8
+        pxor        xmm2, xmm8
+        pxor        xmm3, xmm8
+        pxor        xmm4, xmm8
+        pxor        xmm5, xmm8
+        pxor        xmm6, xmm8
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm5, xmm9
+        aesdec      xmm6, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        movdqa      xmm8, 64[r8]
+        movdqa      xmm9, 80[r8]
+        movdqa      xmm10, 96[r8]
+        movdqa      xmm11, 112[r8]
+        aesdec      xmm1, xmm8
+        aesdec      xmm2, xmm8
+        aesdec      xmm3, xmm8
+        aesdec      xmm4, xmm8
+        aesdec      xmm5, xmm8
+        aesdec      xmm6, xmm8
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm5, xmm9
+        aesdec      xmm6, xmm9
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        movdqa      xmm8, 128[r8]
+        movdqa      xmm9, 144[r8]
+        movdqa      xmm10, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, xmm8
+        aesdec      xmm2, xmm8
+        aesdec      xmm3, xmm8
+        aesdec      xmm4, xmm8
+        aesdec      xmm5, xmm8
+        aesdec      xmm6, xmm8
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm5, xmm9
+        aesdec      xmm6, xmm9
+        jb          DLAST_6
+        movdqa      xmm8, 160[r8]
+        movdqa      xmm9, 176[r8]
+        movdqa      xmm10, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, xmm8
+        aesdec      xmm2, xmm8
+        aesdec      xmm3, xmm8
+        aesdec      xmm4, xmm8
+        aesdec      xmm5, xmm8
+        aesdec      xmm6, xmm8
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm5, xmm9
+        aesdec      xmm6, xmm9
+        jb          DLAST_6
+        movdqa      xmm8, 192[r8]
+        movdqa      xmm9, 208[r8]
+        movdqa      xmm10, 224[r8]
+        aesdec      xmm1, xmm8
+        aesdec      xmm2, xmm8
+        aesdec      xmm3, xmm8
+        aesdec      xmm4, xmm8
+        aesdec      xmm5, xmm8
+        aesdec      xmm6, xmm8
+        aesdec      xmm1, xmm9
+        aesdec      xmm2, xmm9
+        aesdec      xmm3, xmm9
+        aesdec      xmm4, xmm9
+        aesdec      xmm5, xmm9
+        aesdec      xmm6, xmm9
+DLAST_6:
+        add         rsi, 96
+        aesdeclast  xmm1, xmm10
+        aesdeclast  xmm2, xmm10
+        aesdeclast  xmm3, xmm10
+        aesdeclast  xmm4, xmm10
+        aesdeclast  xmm5, xmm10
+        aesdeclast  xmm6, xmm10
+        movdqu      xmm8, [rdi]
+        movdqu      xmm9, 16[rdi]
+        movdqu      xmm10, 32[rdi]
+        movdqu      xmm11, 48[rdi]
+        movdqu      xmm12, 64[rdi]
+        movdqu      xmm13, 80[rdi]
+        pxor        xmm1, xmm7
+        pxor        xmm2, xmm8
+        pxor        xmm3, xmm9
+        pxor        xmm4, xmm10
+        pxor        xmm5, xmm11
+        pxor        xmm6, xmm12
+        movdqu      xmm7, xmm13
+        movdqu      [rsi], xmm1
+        movdqu      16[rsi], xmm2
+        movdqu      32[rsi], xmm3
+        movdqu      48[rsi], xmm4
+        movdqu      64[rsi], xmm5
+        movdqu      80[rsi], xmm6
+        add         rdi, 96
+        dec         rcx
+        jne         DLOOP_6
+        add         rsi, 96
+DREMAINDER_6:
+        cmp         r10, 0
+        je          DEND_6
+DLOOP_6_2:
+        movdqu      xmm1, [rdi]
+        movdqa      xmm10, xmm1
+        add         rdi, 16
+        pxor        xmm1, [r8]
+        movdqu      xmm2, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, 16[r8]
+        aesdec      xmm1, 32[r8]
+        aesdec      xmm1, 48[r8]
+        aesdec      xmm1, 64[r8]
+        aesdec      xmm1, 80[r8]
+        aesdec      xmm1, 96[r8]
+        aesdec      xmm1, 112[r8]
+        aesdec      xmm1, 128[r8]
+        aesdec      xmm1, 144[r8]
+        jb          DLAST_6_2
+        movdqu      xmm2, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, 160[r8]
+        aesdec      xmm1, 176[r8]
+        jb          DLAST_6_2
+        movdqu      xmm2, 224[r8]
+        aesdec      xmm1, 192[r8]
+        aesdec      xmm1, 208[r8]
+DLAST_6_2:
+        aesdeclast  xmm1, xmm2
+        pxor        xmm1, xmm7
+        movdqa      xmm7, xmm10
+        movdqu      [rsi], xmm1
+        add         rsi, 16
+        dec         r10
+        jne         DLOOP_6_2
+DEND_6:
+        ; restore non volatile rdi,rsi
+        mov         rdi, rax
+        mov         rsi, r11
+        ; restore non volatile xmms from stack
+        movdqa      xmm6, [rsp+0]
+        movdqa      xmm7, [rsp+16]
+        movdqa      xmm8, [rsp+32]
+        movdqa      xmm9, [rsp+48]
+        movdqa      xmm10, [rsp+64]
+        movdqa      xmm11, [rsp+80]
+        movdqa      xmm12, [rsp+96]
+        movdqa      xmm13, [rsp+112]
+        movdqa      xmm14, [rsp+128]
+        add         rsp, 8+9*16 ; 8 = align stack , 9 xmm6-14 16 bytes each
+        ret
+AES_CBC_decrypt_by6 ENDP
+
+
+; void AES_CBC_decrypt_by8(const unsigned char *in,
+;                          unsigned char *out,
+;                          unsigned char ivec[16],
+;                          unsigned long length,
+;                          const unsigned char *KS,
+;                          int nr)
+AES_CBC_decrypt_by8 PROC
+; parameter 1: rdi - in
+; parameter 2: rsi - out
+; parameter 3: rdx - ivec
+; parameter 4: rcx - length
+; parameter 5: r8  - KS
+; parameter 6: r9d - nr
+
+        ; save rdi and rsi to rax and r11, restore before ret
+        mov         rax, rdi
+        mov         r11, rsi
+        ; convert to what we had for att&t convention
+        mov         rdi, rcx
+        mov         rsi, rdx
+        mov         rdx, r8
+        mov         rcx,r9
+        mov         r8, [rsp+40]
+        mov         r9d, [rsp+48]
+        ; on microsoft xmm6-xmm15 are non volatile,
+        ; let's save on stack and restore at end
+        sub         rsp, 8+8*16  ; 8 = align stack , 8 xmm6-13 16 bytes each
+        movdqa      [rsp+0], xmm6
+        movdqa      [rsp+16], xmm7
+        movdqa      [rsp+32], xmm8
+        movdqa      [rsp+48], xmm9
+        movdqa      [rsp+64], xmm10
+        movdqa      [rsp+80], xmm11
+        movdqa      [rsp+96], xmm12
+        movdqa      [rsp+112], xmm13
+        ; back to our original code, more or less
+        mov         r10, rcx
+        shr         rcx, 4
+        shl         r10, 60
+        je          DNO_PARTS_8
+        add         rcx, 1
+DNO_PARTS_8:
+        mov         r10, rcx
+        shl         r10, 61
+        shr         r10, 61
+        shr         rcx, 3
+        movdqu      xmm9, [rdx]
+        je          DREMAINDER_8
+        sub         rsi, 128
+DLOOP_8:
+        movdqu      xmm1, [rdi]
+        movdqu      xmm2, 16[rdi]
+        movdqu      xmm3, 32[rdi]
+        movdqu      xmm4, 48[rdi]
+        movdqu      xmm5, 64[rdi]
+        movdqu      xmm6, 80[rdi]
+        movdqu      xmm7, 96[rdi]
+        movdqu      xmm8, 112[rdi]
+        movdqa      xmm10, [r8]
+        movdqa      xmm11, 16[r8]
+        movdqa      xmm12, 32[r8]
+        movdqa      xmm13, 48[r8]
+        pxor        xmm1, xmm10
+        pxor        xmm2, xmm10
+        pxor        xmm3, xmm10
+        pxor        xmm4, xmm10
+        pxor        xmm5, xmm10
+        pxor        xmm6, xmm10
+        pxor        xmm7, xmm10
+        pxor        xmm8, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        aesdec      xmm7, xmm11
+        aesdec      xmm8, xmm11
+        aesdec      xmm1, xmm12
+        aesdec      xmm2, xmm12
+        aesdec      xmm3, xmm12
+        aesdec      xmm4, xmm12
+        aesdec      xmm5, xmm12
+        aesdec      xmm6, xmm12
+        aesdec      xmm7, xmm12
+        aesdec      xmm8, xmm12
+        aesdec      xmm1, xmm13
+        aesdec      xmm2, xmm13
+        aesdec      xmm3, xmm13
+        aesdec      xmm4, xmm13
+        aesdec      xmm5, xmm13
+        aesdec      xmm6, xmm13
+        aesdec      xmm7, xmm13
+        aesdec      xmm8, xmm13
+        movdqa      xmm10, 64[r8]
+        movdqa      xmm11, 80[r8]
+        movdqa      xmm12, 96[r8]
+        movdqa      xmm13, 112[r8]
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm7, xmm10
+        aesdec      xmm8, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        aesdec      xmm7, xmm11
+        aesdec      xmm8, xmm11
+        aesdec      xmm1, xmm12
+        aesdec      xmm2, xmm12
+        aesdec      xmm3, xmm12
+        aesdec      xmm4, xmm12
+        aesdec      xmm5, xmm12
+        aesdec      xmm6, xmm12
+        aesdec      xmm7, xmm12
+        aesdec      xmm8, xmm12
+        aesdec      xmm1, xmm13
+        aesdec      xmm2, xmm13
+        aesdec      xmm3, xmm13
+        aesdec      xmm4, xmm13
+        aesdec      xmm5, xmm13
+        aesdec      xmm6, xmm13
+        aesdec      xmm7, xmm13
+        aesdec      xmm8, xmm13
+        movdqa      xmm10, 128[r8]
+        movdqa      xmm11, 144[r8]
+        movdqa      xmm12, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm7, xmm10
+        aesdec      xmm8, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        aesdec      xmm7, xmm11
+        aesdec      xmm8, xmm11
+        jb          DLAST_8
+        movdqa      xmm10, 160[r8]
+        movdqa      xmm11, 176[r8]
+        movdqa      xmm12, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm7, xmm10
+        aesdec      xmm8, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        aesdec      xmm7, xmm11
+        aesdec      xmm8, xmm11
+        jb          DLAST_8
+        movdqa      xmm10, 192[r8]
+        movdqa      xmm11, 208[r8]
+        movdqa      xmm12, 224[r8]
+        aesdec      xmm1, xmm10
+        aesdec      xmm2, xmm10
+        aesdec      xmm3, xmm10
+        aesdec      xmm4, xmm10
+        aesdec      xmm5, xmm10
+        aesdec      xmm6, xmm10
+        aesdec      xmm7, xmm10
+        aesdec      xmm8, xmm10
+        aesdec      xmm1, xmm11
+        aesdec      xmm2, xmm11
+        aesdec      xmm3, xmm11
+        aesdec      xmm4, xmm11
+        aesdec      xmm5, xmm11
+        aesdec      xmm6, xmm11
+        aesdec      xmm7, xmm11
+        aesdec      xmm8, xmm11
+DLAST_8:
+        add         rsi, 128
+        aesdeclast  xmm1, xmm12
+        aesdeclast  xmm2, xmm12
+        aesdeclast  xmm3, xmm12
+        aesdeclast  xmm4, xmm12
+        aesdeclast  xmm5, xmm12
+        aesdeclast  xmm6, xmm12
+        aesdeclast  xmm7, xmm12
+        aesdeclast  xmm8, xmm12
+        movdqu      xmm10, [rdi]
+        movdqu      xmm11, 16[rdi]
+        movdqu      xmm12, 32[rdi]
+        movdqu      xmm13, 48[rdi]
+        pxor        xmm1, xmm9
+        pxor        xmm2, xmm10
+        pxor        xmm3, xmm11
+        pxor        xmm4, xmm12
+        pxor        xmm5, xmm13
+        movdqu      xmm10, 64[rdi]
+        movdqu      xmm11, 80[rdi]
+        movdqu      xmm12, 96[rdi]
+        movdqu      xmm9, 112[rdi]
+        pxor        xmm6, xmm10
+        pxor        xmm7, xmm11
+        pxor        xmm8, xmm12
+        movdqu      [rsi], xmm1
+        movdqu      16[rsi], xmm2
+        movdqu      32[rsi], xmm3
+        movdqu      48[rsi], xmm4
+        movdqu      64[rsi], xmm5
+        movdqu      80[rsi], xmm6
+        movdqu      96[rsi], xmm7
+        movdqu      112[rsi], xmm8
+        add         rdi, 128
+        dec         rcx
+        jne         DLOOP_8
+        add         rsi, 128
+DREMAINDER_8:
+        cmp         r10, 0 
+        je          DEND_8
+DLOOP_8_2:
+        movdqu      xmm1, [rdi]
+        movdqa      xmm10, xmm1
+        add         rdi, 16
+        pxor        xmm1, [r8]
+        movdqu      xmm2, 160[r8]
+        cmp         r9d, 12
+        aesdec      xmm1, 16[r8]
+        aesdec      xmm1, 32[r8]
+        aesdec      xmm1, 48[r8]
+        aesdec      xmm1, 64[r8]
+        aesdec      xmm1, 80[r8]
+        aesdec      xmm1, 96[r8]
+        aesdec      xmm1, 112[r8]
+        aesdec      xmm1, 128[r8]
+        aesdec      xmm1, 144[r8]
+        jb          DLAST_8_2
+        movdqu      xmm2, 192[r8]
+        cmp         r9d, 14
+        aesdec      xmm1, 160[r8]
+        aesdec      xmm1, 176[r8]
+        jb          DLAST_8_2
+        movdqu      xmm2, 224[r8]
+        aesdec      xmm1, 192[r8]
+        aesdec      xmm1, 208[r8]
+DLAST_8_2:
+        aesdeclast  xmm1, xmm2
+        pxor        xmm1, xmm9
+        movdqa      xmm9, xmm10
+        movdqu      [rsi], xmm1
+        add         rsi, 16
+        dec         r10
+        jne         DLOOP_8_2
+DEND_8:
+        ; restore non volatile rdi,rsi
+        mov         rdi, rax
+        mov         rsi, r11
+        ; restore non volatile xmms from stack
+        movdqa      xmm6, [rsp+0]
+        movdqa      xmm7, [rsp+16]
+        movdqa      xmm8, [rsp+32]
+        movdqa      xmm9, [rsp+48]
+        movdqa      xmm10, [rsp+64]
+        movdqa      xmm11, [rsp+80]
+        movdqa      xmm12, [rsp+96]
+        movdqa      xmm13, [rsp+112]
+        add         rsp, 8+8*16 ; 8 = align stack , 8 xmm6-13 16 bytes each
+        ret
+AES_CBC_decrypt_by8 ENDP
+
 
 ;	/*
 ;	AES_ECB_encrypt[const	,unsigned	char*in
@@ -794,7 +1344,7 @@ AES_192_Key_Expansion PROC
 	movdqa [rsp+0], xmm6
 
 	movdqu  xmm1,[rdi]
-	movdqu	xmm3,16[rdi]
+	movq	xmm3,qword ptr 16[rdi]
 	movdqa	[rsi],xmm1
 	movdqa	xmm5,xmm3
 
@@ -969,4 +1519,11 @@ MAKE_RK256_b:
 	pxor	xmm3,xmm2
 	ret
 
+
+IF fips_version GE 2
+  fipsAh ENDS
+ELSE
+  _text ENDS
+ENDIF
+
 END
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_gcm_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_gcm_asm.S
new file mode 100644
index 000000000..e878690e8
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/aes_gcm_asm.S
@@ -0,0 +1,8733 @@
+/* aes_gcm_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_one:
+.quad	0x0, 0x1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_two:
+.quad	0x0, 0x2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_three:
+.quad	0x0, 0x3
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_four:
+.quad	0x0, 0x4
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_five:
+.quad	0x0, 0x5
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_six:
+.quad	0x0, 0x6
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_seven:
+.quad	0x0, 0x7
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_eight:
+.quad	0x0, 0x8
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_bswap_epi64:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_bswap_mask:
+.quad	0x8090a0b0c0d0e0f, 0x1020304050607
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_aes_gcm_mod2_128:
+.quad	0x1, 0xc200000000000000
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_encrypt
+.type	AES_GCM_encrypt,@function
+.align	4
+AES_GCM_encrypt:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_encrypt
+.p2align	2
+_AES_GCM_encrypt:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%rbx
+        pushq	%r14
+        pushq	%r15
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movl	48(%rsp), %r11d
+        movl	56(%rsp), %ebx
+        movl	64(%rsp), %r14d
+        movq	72(%rsp), %r15
+        movl	80(%rsp), %r10d
+        subq	$0xa0, %rsp
+        pxor	%xmm4, %xmm4
+        pxor	%xmm6, %xmm6
+        cmpl	$12, %ebx
+        movl	%ebx, %edx
+        jne	L_AES_GCM_encrypt_iv_not_12
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        movl	$0x1000000, %ecx
+        pinsrq	$0x00, (%rax), %xmm4
+        pinsrd	$2, 8(%rax), %xmm4
+        pinsrd	$3, %ecx, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        movdqa	%xmm4, %xmm1
+        movdqa	(%r15), %xmm5
+        pxor	%xmm5, %xmm1
+        movdqa	16(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	32(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	48(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	64(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	80(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	96(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	112(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	128(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	144(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_calc_iv_12_last
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	176(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_calc_iv_12_last
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	208(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_calc_iv_12_last:
+        aesenclast	%xmm7, %xmm5
+        aesenclast	%xmm7, %xmm1
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm5
+        movdqa	%xmm1, 144(%rsp)
+        jmp	L_AES_GCM_encrypt_iv_done
+L_AES_GCM_encrypt_iv_not_12:
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        movdqa	(%r15), %xmm5
+        aesenc	16(%r15), %xmm5
+        aesenc	32(%r15), %xmm5
+        aesenc	48(%r15), %xmm5
+        aesenc	64(%r15), %xmm5
+        aesenc	80(%r15), %xmm5
+        aesenc	96(%r15), %xmm5
+        aesenc	112(%r15), %xmm5
+        aesenc	128(%r15), %xmm5
+        aesenc	144(%r15), %xmm5
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_calc_iv_1_aesenc_avx_last
+        aesenc	%xmm9, %xmm5
+        aesenc	176(%r15), %xmm5
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_calc_iv_1_aesenc_avx_last
+        aesenc	%xmm9, %xmm5
+        aesenc	208(%r15), %xmm5
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_calc_iv_1_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm5
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_encrypt_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_calc_iv_16_loop:
+        movdqu	(%rax,%rcx,1), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_calc_iv_done
+L_AES_GCM_encrypt_calc_iv_lt16:
+        subq	$16, %rsp
+        pxor	%xmm8, %xmm8
+        xorl	%ebx, %ebx
+        movdqa	%xmm8, (%rsp)
+L_AES_GCM_encrypt_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_calc_iv_loop
+        movdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+L_AES_GCM_encrypt_calc_iv_done:
+        # T = Encrypt counter
+        pxor	%xmm0, %xmm0
+        shll	$3, %edx
+        pinsrq	$0x00, %rdx, %xmm0
+        pxor	%xmm0, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm4
+        #   Encrypt counter
+        movdqa	(%r15), %xmm8
+        pxor	%xmm4, %xmm8
+        aesenc	16(%r15), %xmm8
+        aesenc	32(%r15), %xmm8
+        aesenc	48(%r15), %xmm8
+        aesenc	64(%r15), %xmm8
+        aesenc	80(%r15), %xmm8
+        aesenc	96(%r15), %xmm8
+        aesenc	112(%r15), %xmm8
+        aesenc	128(%r15), %xmm8
+        aesenc	144(%r15), %xmm8
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_calc_iv_2_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	176(%r15), %xmm8
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_calc_iv_2_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	208(%r15), %xmm8
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_calc_iv_2_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm8
+        movdqa	%xmm8, 144(%rsp)
+L_AES_GCM_encrypt_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_encrypt_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_calc_aad_16_loop:
+        movdqu	(%r12,%rcx,1), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        pshufd	$0x4e, %xmm6, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm6, %xmm3
+        pclmulqdq	$0x00, %xmm6, %xmm0
+        pxor	%xmm6, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm6, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm6
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm6
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_calc_aad_done
+L_AES_GCM_encrypt_calc_aad_lt16:
+        subq	$16, %rsp
+        pxor	%xmm8, %xmm8
+        xorl	%ebx, %ebx
+        movdqa	%xmm8, (%rsp)
+L_AES_GCM_encrypt_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_calc_aad_loop
+        movdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        pshufd	$0x4e, %xmm6, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm6, %xmm3
+        pclmulqdq	$0x00, %xmm6, %xmm0
+        pxor	%xmm6, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm6, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm6
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm6
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm6
+L_AES_GCM_encrypt_calc_aad_done:
+        # Calculate counter and H
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm4
+        movdqa	%xmm5, %xmm9
+        paddd	L_aes_gcm_one(%rip), %xmm4
+        movdqa	%xmm5, %xmm8
+        movdqa	%xmm4, 128(%rsp)
+        psrlq	$63, %xmm9
+        psllq	$0x01, %xmm8
+        pslldq	$8, %xmm9
+        por	%xmm9, %xmm8
+        pshufd	$0xff, %xmm5, %xmm5
+        psrad	$31, %xmm5
+        pand	L_aes_gcm_mod2_128(%rip), %xmm5
+        pxor	%xmm8, %xmm5
+        xorq	%rbx, %rbx
+        cmpl	$0x80, %r9d
+        movl	%r9d, %r13d
+        jl	L_AES_GCM_encrypt_done_128
+        andl	$0xffffff80, %r13d
+        movdqa	%xmm6, %xmm2
+        # H ^ 1
+        movdqa	%xmm5, (%rsp)
+        # H ^ 2
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm5, %xmm10
+        movdqa	%xmm5, %xmm11
+        movdqa	%xmm5, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm5, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm0
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm0
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm0
+        movdqa	%xmm0, 16(%rsp)
+        # H ^ 3
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm0, %xmm10
+        movdqa	%xmm0, %xmm11
+        movdqa	%xmm0, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm0, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm1
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm1
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm1
+        movdqa	%xmm1, 32(%rsp)
+        # H ^ 4
+        pshufd	$0x4e, %xmm0, %xmm9
+        pshufd	$0x4e, %xmm0, %xmm10
+        movdqa	%xmm0, %xmm11
+        movdqa	%xmm0, %xmm8
+        pclmulqdq	$0x11, %xmm0, %xmm11
+        pclmulqdq	$0x00, %xmm0, %xmm8
+        pxor	%xmm0, %xmm9
+        pxor	%xmm0, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm3
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm3
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm3
+        movdqa	%xmm3, 48(%rsp)
+        # H ^ 5
+        pshufd	$0x4e, %xmm0, %xmm9
+        pshufd	$0x4e, %xmm1, %xmm10
+        movdqa	%xmm1, %xmm11
+        movdqa	%xmm1, %xmm8
+        pclmulqdq	$0x11, %xmm0, %xmm11
+        pclmulqdq	$0x00, %xmm0, %xmm8
+        pxor	%xmm0, %xmm9
+        pxor	%xmm1, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 64(%rsp)
+        # H ^ 6
+        pshufd	$0x4e, %xmm1, %xmm9
+        pshufd	$0x4e, %xmm1, %xmm10
+        movdqa	%xmm1, %xmm11
+        movdqa	%xmm1, %xmm8
+        pclmulqdq	$0x11, %xmm1, %xmm11
+        pclmulqdq	$0x00, %xmm1, %xmm8
+        pxor	%xmm1, %xmm9
+        pxor	%xmm1, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 80(%rsp)
+        # H ^ 7
+        pshufd	$0x4e, %xmm1, %xmm9
+        pshufd	$0x4e, %xmm3, %xmm10
+        movdqa	%xmm3, %xmm11
+        movdqa	%xmm3, %xmm8
+        pclmulqdq	$0x11, %xmm1, %xmm11
+        pclmulqdq	$0x00, %xmm1, %xmm8
+        pxor	%xmm1, %xmm9
+        pxor	%xmm3, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 96(%rsp)
+        # H ^ 8
+        pshufd	$0x4e, %xmm3, %xmm9
+        pshufd	$0x4e, %xmm3, %xmm10
+        movdqa	%xmm3, %xmm11
+        movdqa	%xmm3, %xmm8
+        pclmulqdq	$0x11, %xmm3, %xmm11
+        pclmulqdq	$0x00, %xmm3, %xmm8
+        pxor	%xmm3, %xmm9
+        pxor	%xmm3, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 112(%rsp)
+        # First 128 bytes of input
+        movdqa	128(%rsp), %xmm8
+        movdqa	L_aes_gcm_bswap_epi64(%rip), %xmm1
+        movdqa	%xmm8, %xmm0
+        pshufb	%xmm1, %xmm8
+        movdqa	%xmm0, %xmm9
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pshufb	%xmm1, %xmm9
+        movdqa	%xmm0, %xmm10
+        paddd	L_aes_gcm_two(%rip), %xmm10
+        pshufb	%xmm1, %xmm10
+        movdqa	%xmm0, %xmm11
+        paddd	L_aes_gcm_three(%rip), %xmm11
+        pshufb	%xmm1, %xmm11
+        movdqa	%xmm0, %xmm12
+        paddd	L_aes_gcm_four(%rip), %xmm12
+        pshufb	%xmm1, %xmm12
+        movdqa	%xmm0, %xmm13
+        paddd	L_aes_gcm_five(%rip), %xmm13
+        pshufb	%xmm1, %xmm13
+        movdqa	%xmm0, %xmm14
+        paddd	L_aes_gcm_six(%rip), %xmm14
+        pshufb	%xmm1, %xmm14
+        movdqa	%xmm0, %xmm15
+        paddd	L_aes_gcm_seven(%rip), %xmm15
+        pshufb	%xmm1, %xmm15
+        paddd	L_aes_gcm_eight(%rip), %xmm0
+        movdqa	(%r15), %xmm7
+        movdqa	%xmm0, 128(%rsp)
+        pxor	%xmm7, %xmm8
+        pxor	%xmm7, %xmm9
+        pxor	%xmm7, %xmm10
+        pxor	%xmm7, %xmm11
+        pxor	%xmm7, %xmm12
+        pxor	%xmm7, %xmm13
+        pxor	%xmm7, %xmm14
+        pxor	%xmm7, %xmm15
+        movdqa	16(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	32(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	48(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	64(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	80(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	96(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	112(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	128(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	144(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_enc_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	176(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_enc_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	208(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_enc_done:
+        aesenclast	%xmm7, %xmm8
+        aesenclast	%xmm7, %xmm9
+        movdqu	(%rdi), %xmm0
+        movdqu	16(%rdi), %xmm1
+        pxor	%xmm0, %xmm8
+        pxor	%xmm1, %xmm9
+        movdqu	%xmm8, (%rsi)
+        movdqu	%xmm9, 16(%rsi)
+        aesenclast	%xmm7, %xmm10
+        aesenclast	%xmm7, %xmm11
+        movdqu	32(%rdi), %xmm0
+        movdqu	48(%rdi), %xmm1
+        pxor	%xmm0, %xmm10
+        pxor	%xmm1, %xmm11
+        movdqu	%xmm10, 32(%rsi)
+        movdqu	%xmm11, 48(%rsi)
+        aesenclast	%xmm7, %xmm12
+        aesenclast	%xmm7, %xmm13
+        movdqu	64(%rdi), %xmm0
+        movdqu	80(%rdi), %xmm1
+        pxor	%xmm0, %xmm12
+        pxor	%xmm1, %xmm13
+        movdqu	%xmm12, 64(%rsi)
+        movdqu	%xmm13, 80(%rsi)
+        aesenclast	%xmm7, %xmm14
+        aesenclast	%xmm7, %xmm15
+        movdqu	96(%rdi), %xmm0
+        movdqu	112(%rdi), %xmm1
+        pxor	%xmm0, %xmm14
+        pxor	%xmm1, %xmm15
+        movdqu	%xmm14, 96(%rsi)
+        movdqu	%xmm15, 112(%rsi)
+        cmpl	$0x80, %r13d
+        movl	$0x80, %ebx
+        jle	L_AES_GCM_encrypt_end_128
+        # More 128 bytes of input
+L_AES_GCM_encrypt_ghash_128:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        movdqa	128(%rsp), %xmm8
+        movdqa	L_aes_gcm_bswap_epi64(%rip), %xmm1
+        movdqa	%xmm8, %xmm0
+        pshufb	%xmm1, %xmm8
+        movdqa	%xmm0, %xmm9
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pshufb	%xmm1, %xmm9
+        movdqa	%xmm0, %xmm10
+        paddd	L_aes_gcm_two(%rip), %xmm10
+        pshufb	%xmm1, %xmm10
+        movdqa	%xmm0, %xmm11
+        paddd	L_aes_gcm_three(%rip), %xmm11
+        pshufb	%xmm1, %xmm11
+        movdqa	%xmm0, %xmm12
+        paddd	L_aes_gcm_four(%rip), %xmm12
+        pshufb	%xmm1, %xmm12
+        movdqa	%xmm0, %xmm13
+        paddd	L_aes_gcm_five(%rip), %xmm13
+        pshufb	%xmm1, %xmm13
+        movdqa	%xmm0, %xmm14
+        paddd	L_aes_gcm_six(%rip), %xmm14
+        pshufb	%xmm1, %xmm14
+        movdqa	%xmm0, %xmm15
+        paddd	L_aes_gcm_seven(%rip), %xmm15
+        pshufb	%xmm1, %xmm15
+        paddd	L_aes_gcm_eight(%rip), %xmm0
+        movdqa	(%r15), %xmm7
+        movdqa	%xmm0, 128(%rsp)
+        pxor	%xmm7, %xmm8
+        pxor	%xmm7, %xmm9
+        pxor	%xmm7, %xmm10
+        pxor	%xmm7, %xmm11
+        pxor	%xmm7, %xmm12
+        pxor	%xmm7, %xmm13
+        pxor	%xmm7, %xmm14
+        pxor	%xmm7, %xmm15
+        movdqa	112(%rsp), %xmm7
+        movdqu	-128(%rdx), %xmm0
+        aesenc	16(%r15), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        pxor	%xmm2, %xmm0
+        pshufd	$0x4e, %xmm7, %xmm1
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm7, %xmm1
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm3
+        pclmulqdq	$0x11, %xmm7, %xmm3
+        aesenc	16(%r15), %xmm9
+        aesenc	16(%r15), %xmm10
+        movdqa	%xmm0, %xmm2
+        pclmulqdq	$0x00, %xmm7, %xmm2
+        aesenc	16(%r15), %xmm11
+        aesenc	16(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm1
+        aesenc	16(%r15), %xmm13
+        aesenc	16(%r15), %xmm14
+        aesenc	16(%r15), %xmm15
+        pxor	%xmm2, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	96(%rsp), %xmm7
+        movdqu	-112(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	32(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	32(%r15), %xmm9
+        aesenc	32(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	32(%r15), %xmm11
+        aesenc	32(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	32(%r15), %xmm13
+        aesenc	32(%r15), %xmm14
+        aesenc	32(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	80(%rsp), %xmm7
+        movdqu	-96(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	48(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	48(%r15), %xmm9
+        aesenc	48(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	48(%r15), %xmm11
+        aesenc	48(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	48(%r15), %xmm13
+        aesenc	48(%r15), %xmm14
+        aesenc	48(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	64(%rsp), %xmm7
+        movdqu	-80(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	64(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	64(%r15), %xmm9
+        aesenc	64(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	64(%r15), %xmm11
+        aesenc	64(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	64(%r15), %xmm13
+        aesenc	64(%r15), %xmm14
+        aesenc	64(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	48(%rsp), %xmm7
+        movdqu	-64(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	80(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	80(%r15), %xmm9
+        aesenc	80(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	80(%r15), %xmm11
+        aesenc	80(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	80(%r15), %xmm13
+        aesenc	80(%r15), %xmm14
+        aesenc	80(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	32(%rsp), %xmm7
+        movdqu	-48(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	96(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	96(%r15), %xmm9
+        aesenc	96(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	96(%r15), %xmm11
+        aesenc	96(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	96(%r15), %xmm13
+        aesenc	96(%r15), %xmm14
+        aesenc	96(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	16(%rsp), %xmm7
+        movdqu	-32(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	112(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	112(%r15), %xmm9
+        aesenc	112(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	112(%r15), %xmm11
+        aesenc	112(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	112(%r15), %xmm13
+        aesenc	112(%r15), %xmm14
+        aesenc	112(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	(%rsp), %xmm7
+        movdqu	-16(%rdx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	128(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	128(%r15), %xmm9
+        aesenc	128(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	128(%r15), %xmm11
+        aesenc	128(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	128(%r15), %xmm13
+        aesenc	128(%r15), %xmm14
+        aesenc	128(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	%xmm1, %xmm5
+        psrldq	$8, %xmm1
+        pslldq	$8, %xmm5
+        aesenc	144(%r15), %xmm8
+        pxor	%xmm5, %xmm2
+        pxor	%xmm1, %xmm3
+        movdqa	%xmm2, %xmm7
+        movdqa	%xmm2, %xmm4
+        movdqa	%xmm2, %xmm5
+        aesenc	144(%r15), %xmm9
+        pslld	$31, %xmm7
+        pslld	$30, %xmm4
+        pslld	$25, %xmm5
+        aesenc	144(%r15), %xmm10
+        pxor	%xmm4, %xmm7
+        pxor	%xmm5, %xmm7
+        aesenc	144(%r15), %xmm11
+        movdqa	%xmm7, %xmm4
+        pslldq	$12, %xmm7
+        psrldq	$4, %xmm4
+        aesenc	144(%r15), %xmm12
+        pxor	%xmm7, %xmm2
+        movdqa	%xmm2, %xmm5
+        movdqa	%xmm2, %xmm1
+        movdqa	%xmm2, %xmm0
+        aesenc	144(%r15), %xmm13
+        psrld	$0x01, %xmm5
+        psrld	$2, %xmm1
+        psrld	$7, %xmm0
+        aesenc	144(%r15), %xmm14
+        pxor	%xmm1, %xmm5
+        pxor	%xmm0, %xmm5
+        aesenc	144(%r15), %xmm15
+        pxor	%xmm4, %xmm5
+        pxor	%xmm5, %xmm2
+        pxor	%xmm3, %xmm2
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_aesenc_128_ghash_avx_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	176(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_aesenc_128_ghash_avx_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	208(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_aesenc_128_ghash_avx_done:
+        aesenclast	%xmm7, %xmm8
+        aesenclast	%xmm7, %xmm9
+        movdqu	(%rcx), %xmm0
+        movdqu	16(%rcx), %xmm1
+        pxor	%xmm0, %xmm8
+        pxor	%xmm1, %xmm9
+        movdqu	%xmm8, (%rdx)
+        movdqu	%xmm9, 16(%rdx)
+        aesenclast	%xmm7, %xmm10
+        aesenclast	%xmm7, %xmm11
+        movdqu	32(%rcx), %xmm0
+        movdqu	48(%rcx), %xmm1
+        pxor	%xmm0, %xmm10
+        pxor	%xmm1, %xmm11
+        movdqu	%xmm10, 32(%rdx)
+        movdqu	%xmm11, 48(%rdx)
+        aesenclast	%xmm7, %xmm12
+        aesenclast	%xmm7, %xmm13
+        movdqu	64(%rcx), %xmm0
+        movdqu	80(%rcx), %xmm1
+        pxor	%xmm0, %xmm12
+        pxor	%xmm1, %xmm13
+        movdqu	%xmm12, 64(%rdx)
+        movdqu	%xmm13, 80(%rdx)
+        aesenclast	%xmm7, %xmm14
+        aesenclast	%xmm7, %xmm15
+        movdqu	96(%rcx), %xmm0
+        movdqu	112(%rcx), %xmm1
+        pxor	%xmm0, %xmm14
+        pxor	%xmm1, %xmm15
+        movdqu	%xmm14, 96(%rdx)
+        movdqu	%xmm15, 112(%rdx)
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_ghash_128
+L_AES_GCM_encrypt_end_128:
+        movdqa	L_aes_gcm_bswap_mask(%rip), %xmm4
+        pshufb	%xmm4, %xmm8
+        pshufb	%xmm4, %xmm9
+        pshufb	%xmm4, %xmm10
+        pshufb	%xmm4, %xmm11
+        pxor	%xmm2, %xmm8
+        pshufb	%xmm4, %xmm12
+        pshufb	%xmm4, %xmm13
+        pshufb	%xmm4, %xmm14
+        pshufb	%xmm4, %xmm15
+        movdqa	112(%rsp), %xmm7
+        pshufd	$0x4e, %xmm8, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm8, %xmm3
+        pclmulqdq	$0x00, %xmm8, %xmm0
+        pxor	%xmm8, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm4
+        movdqa	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	96(%rsp), %xmm7
+        pshufd	$0x4e, %xmm9, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm9, %xmm3
+        pclmulqdq	$0x00, %xmm9, %xmm0
+        pxor	%xmm9, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	80(%rsp), %xmm7
+        pshufd	$0x4e, %xmm10, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm10, %xmm3
+        pclmulqdq	$0x00, %xmm10, %xmm0
+        pxor	%xmm10, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	64(%rsp), %xmm7
+        pshufd	$0x4e, %xmm11, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm11, %xmm3
+        pclmulqdq	$0x00, %xmm11, %xmm0
+        pxor	%xmm11, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	48(%rsp), %xmm7
+        pshufd	$0x4e, %xmm12, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm12, %xmm3
+        pclmulqdq	$0x00, %xmm12, %xmm0
+        pxor	%xmm12, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	32(%rsp), %xmm7
+        pshufd	$0x4e, %xmm13, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm13, %xmm3
+        pclmulqdq	$0x00, %xmm13, %xmm0
+        pxor	%xmm13, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	16(%rsp), %xmm7
+        pshufd	$0x4e, %xmm14, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm14, %xmm3
+        pclmulqdq	$0x00, %xmm14, %xmm0
+        pxor	%xmm14, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	(%rsp), %xmm7
+        pshufd	$0x4e, %xmm15, %xmm1
+        pshufd	$0x4e, %xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        pclmulqdq	$0x11, %xmm15, %xmm3
+        pclmulqdq	$0x00, %xmm15, %xmm0
+        pxor	%xmm15, %xmm1
+        pxor	%xmm7, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        pxor	%xmm0, %xmm4
+        pxor	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm4
+        pxor	%xmm1, %xmm6
+        movdqa	%xmm4, %xmm0
+        movdqa	%xmm4, %xmm1
+        movdqa	%xmm4, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm4
+        movdqa	%xmm4, %xmm2
+        movdqa	%xmm4, %xmm3
+        movdqa	%xmm4, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm4, %xmm2
+        pxor	%xmm2, %xmm6
+        movdqa	(%rsp), %xmm5
+L_AES_GCM_encrypt_done_128:
+        movl	%r9d, %edx
+        cmpl	%edx, %ebx
+        jge	L_AES_GCM_encrypt_done_enc
+        movl	%r9d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_last_block_done
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        movdqa	128(%rsp), %xmm8
+        movdqa	%xmm8, %xmm9
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm8
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pxor	(%r15), %xmm8
+        movdqa	%xmm9, 128(%rsp)
+        aesenc	16(%r15), %xmm8
+        aesenc	32(%r15), %xmm8
+        aesenc	48(%r15), %xmm8
+        aesenc	64(%r15), %xmm8
+        aesenc	80(%r15), %xmm8
+        aesenc	96(%r15), %xmm8
+        aesenc	112(%r15), %xmm8
+        aesenc	128(%r15), %xmm8
+        aesenc	144(%r15), %xmm8
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_block_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	176(%r15), %xmm8
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_block_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	208(%r15), %xmm8
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_aesenc_block_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm8
+        movdqu	(%rcx), %xmm9
+        pxor	%xmm9, %xmm8
+        movdqu	%xmm8, (%rdx)
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_last_block_ghash
+L_AES_GCM_encrypt_last_block_start:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        movdqa	128(%rsp), %xmm8
+        movdqa	%xmm8, %xmm9
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm8
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pxor	(%r15), %xmm8
+        movdqa	%xmm9, 128(%rsp)
+        movdqa	%xmm6, %xmm10
+        pclmulqdq	$16, %xmm5, %xmm10
+        aesenc	16(%r15), %xmm8
+        aesenc	32(%r15), %xmm8
+        movdqa	%xmm6, %xmm11
+        pclmulqdq	$0x01, %xmm5, %xmm11
+        aesenc	48(%r15), %xmm8
+        aesenc	64(%r15), %xmm8
+        movdqa	%xmm6, %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm12
+        aesenc	80(%r15), %xmm8
+        movdqa	%xmm6, %xmm1
+        pclmulqdq	$0x11, %xmm5, %xmm1
+        aesenc	96(%r15), %xmm8
+        pxor	%xmm11, %xmm10
+        movdqa	%xmm10, %xmm2
+        psrldq	$8, %xmm10
+        pslldq	$8, %xmm2
+        aesenc	112(%r15), %xmm8
+        movdqa	%xmm1, %xmm3
+        pxor	%xmm12, %xmm2
+        pxor	%xmm10, %xmm3
+        movdqa	L_aes_gcm_mod2_128(%rip), %xmm0
+        movdqa	%xmm2, %xmm11
+        pclmulqdq	$16, %xmm0, %xmm11
+        aesenc	128(%r15), %xmm8
+        pshufd	$0x4e, %xmm2, %xmm10
+        pxor	%xmm11, %xmm10
+        movdqa	%xmm10, %xmm11
+        pclmulqdq	$16, %xmm0, %xmm11
+        aesenc	144(%r15), %xmm8
+        pshufd	$0x4e, %xmm10, %xmm6
+        pxor	%xmm11, %xmm6
+        pxor	%xmm3, %xmm6
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_gfmul_last
+        aesenc	%xmm9, %xmm8
+        aesenc	176(%r15), %xmm8
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_gfmul_last
+        aesenc	%xmm9, %xmm8
+        aesenc	208(%r15), %xmm8
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_aesenc_gfmul_last:
+        aesenclast	%xmm9, %xmm8
+        movdqu	(%rcx), %xmm9
+        pxor	%xmm9, %xmm8
+        movdqu	%xmm8, (%rdx)
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_last_block_start
+L_AES_GCM_encrypt_last_block_ghash:
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm6, %xmm10
+        movdqa	%xmm6, %xmm11
+        movdqa	%xmm6, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm6, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm6
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm6
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm6
+L_AES_GCM_encrypt_last_block_done:
+        movl	%r9d, %ecx
+        movl	%ecx, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_encrypt_aesenc_last15_enc_avx_done
+        movdqa	128(%rsp), %xmm4
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm4
+        pxor	(%r15), %xmm4
+        aesenc	16(%r15), %xmm4
+        aesenc	32(%r15), %xmm4
+        aesenc	48(%r15), %xmm4
+        aesenc	64(%r15), %xmm4
+        aesenc	80(%r15), %xmm4
+        aesenc	96(%r15), %xmm4
+        aesenc	112(%r15), %xmm4
+        aesenc	128(%r15), %xmm4
+        aesenc	144(%r15), %xmm4
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_last15_enc_avx_aesenc_avx_last
+        aesenc	%xmm9, %xmm4
+        aesenc	176(%r15), %xmm4
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_aesenc_last15_enc_avx_aesenc_avx_last
+        aesenc	%xmm9, %xmm4
+        aesenc	208(%r15), %xmm4
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_aesenc_last15_enc_avx_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm4
+        subq	$16, %rsp
+        xorl	%ecx, %ecx
+        movdqa	%xmm4, (%rsp)
+L_AES_GCM_encrypt_aesenc_last15_enc_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, (%rsi,%rbx,1)
+        movb	%r13b, (%rsp,%rcx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_encrypt_aesenc_last15_enc_avx_loop
+        xorq	%r13, %r13
+        cmpl	$16, %ecx
+        je	L_AES_GCM_encrypt_aesenc_last15_enc_avx_finish_enc
+L_AES_GCM_encrypt_aesenc_last15_enc_avx_byte_loop:
+        movb	%r13b, (%rsp,%rcx,1)
+        incl	%ecx
+        cmpl	$16, %ecx
+        jl	L_AES_GCM_encrypt_aesenc_last15_enc_avx_byte_loop
+L_AES_GCM_encrypt_aesenc_last15_enc_avx_finish_enc:
+        movdqa	(%rsp), %xmm4
+        addq	$16, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm4
+        pxor	%xmm4, %xmm6
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm6, %xmm10
+        movdqa	%xmm6, %xmm11
+        movdqa	%xmm6, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm6, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm6
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm6
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm6
+L_AES_GCM_encrypt_aesenc_last15_enc_avx_done:
+L_AES_GCM_encrypt_done_enc:
+        movl	%r9d, %edx
+        movl	%r11d, %ecx
+        shlq	$3, %rdx
+        shlq	$3, %rcx
+        pinsrq	$0x00, %rdx, %xmm0
+        pinsrq	$0x01, %rcx, %xmm0
+        pxor	%xmm0, %xmm6
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm6, %xmm10
+        movdqa	%xmm6, %xmm11
+        movdqa	%xmm6, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm6, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm6
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm6
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm6
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm6
+        movdqa	144(%rsp), %xmm0
+        pxor	%xmm6, %xmm0
+        cmpl	$16, %r14d
+        je	L_AES_GCM_encrypt_store_tag_16
+        xorq	%rcx, %rcx
+        movdqa	%xmm0, (%rsp)
+L_AES_GCM_encrypt_store_tag_loop:
+        movzbl	(%rsp,%rcx,1), %r13d
+        movb	%r13b, (%r8,%rcx,1)
+        incl	%ecx
+        cmpl	%r14d, %ecx
+        jne	L_AES_GCM_encrypt_store_tag_loop
+        jmp	L_AES_GCM_encrypt_store_tag_done
+L_AES_GCM_encrypt_store_tag_16:
+        movdqu	%xmm0, (%r8)
+L_AES_GCM_encrypt_store_tag_done:
+        addq	$0xa0, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%rbx
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_encrypt,.-AES_GCM_encrypt
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_decrypt
+.type	AES_GCM_decrypt,@function
+.align	4
+AES_GCM_decrypt:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_decrypt
+.p2align	2
+_AES_GCM_decrypt:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%rbx
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movl	56(%rsp), %r11d
+        movl	64(%rsp), %ebx
+        movl	72(%rsp), %r14d
+        movq	80(%rsp), %r15
+        movl	88(%rsp), %r10d
+        movq	96(%rsp), %rbp
+        subq	$0xa8, %rsp
+        pxor	%xmm4, %xmm4
+        pxor	%xmm6, %xmm6
+        cmpl	$12, %ebx
+        movl	%ebx, %edx
+        jne	L_AES_GCM_decrypt_iv_not_12
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        movl	$0x1000000, %ecx
+        pinsrq	$0x00, (%rax), %xmm4
+        pinsrd	$2, 8(%rax), %xmm4
+        pinsrd	$3, %ecx, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        movdqa	%xmm4, %xmm1
+        movdqa	(%r15), %xmm5
+        pxor	%xmm5, %xmm1
+        movdqa	16(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	32(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	48(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	64(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	80(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	96(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	112(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	128(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	144(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_calc_iv_12_last
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	176(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_calc_iv_12_last
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	208(%r15), %xmm7
+        aesenc	%xmm7, %xmm5
+        aesenc	%xmm7, %xmm1
+        movdqa	224(%r15), %xmm7
+L_AES_GCM_decrypt_calc_iv_12_last:
+        aesenclast	%xmm7, %xmm5
+        aesenclast	%xmm7, %xmm1
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm5
+        movdqa	%xmm1, 144(%rsp)
+        jmp	L_AES_GCM_decrypt_iv_done
+L_AES_GCM_decrypt_iv_not_12:
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        movdqa	(%r15), %xmm5
+        aesenc	16(%r15), %xmm5
+        aesenc	32(%r15), %xmm5
+        aesenc	48(%r15), %xmm5
+        aesenc	64(%r15), %xmm5
+        aesenc	80(%r15), %xmm5
+        aesenc	96(%r15), %xmm5
+        aesenc	112(%r15), %xmm5
+        aesenc	128(%r15), %xmm5
+        aesenc	144(%r15), %xmm5
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_calc_iv_1_aesenc_avx_last
+        aesenc	%xmm9, %xmm5
+        aesenc	176(%r15), %xmm5
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_calc_iv_1_aesenc_avx_last
+        aesenc	%xmm9, %xmm5
+        aesenc	208(%r15), %xmm5
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_calc_iv_1_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm5
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_decrypt_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_calc_iv_16_loop:
+        movdqu	(%rax,%rcx,1), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_calc_iv_done
+L_AES_GCM_decrypt_calc_iv_lt16:
+        subq	$16, %rsp
+        pxor	%xmm8, %xmm8
+        xorl	%ebx, %ebx
+        movdqa	%xmm8, (%rsp)
+L_AES_GCM_decrypt_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_calc_iv_loop
+        movdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+L_AES_GCM_decrypt_calc_iv_done:
+        # T = Encrypt counter
+        pxor	%xmm0, %xmm0
+        shll	$3, %edx
+        pinsrq	$0x00, %rdx, %xmm0
+        pxor	%xmm0, %xmm4
+        pshufd	$0x4e, %xmm4, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm4, %xmm3
+        pclmulqdq	$0x00, %xmm4, %xmm0
+        pxor	%xmm4, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm4
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm4, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm4
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm4
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm4
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm4
+        #   Encrypt counter
+        movdqa	(%r15), %xmm8
+        pxor	%xmm4, %xmm8
+        aesenc	16(%r15), %xmm8
+        aesenc	32(%r15), %xmm8
+        aesenc	48(%r15), %xmm8
+        aesenc	64(%r15), %xmm8
+        aesenc	80(%r15), %xmm8
+        aesenc	96(%r15), %xmm8
+        aesenc	112(%r15), %xmm8
+        aesenc	128(%r15), %xmm8
+        aesenc	144(%r15), %xmm8
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_calc_iv_2_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	176(%r15), %xmm8
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_calc_iv_2_aesenc_avx_last
+        aesenc	%xmm9, %xmm8
+        aesenc	208(%r15), %xmm8
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_calc_iv_2_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm8
+        movdqa	%xmm8, 144(%rsp)
+L_AES_GCM_decrypt_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_decrypt_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_calc_aad_16_loop:
+        movdqu	(%r12,%rcx,1), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        pshufd	$0x4e, %xmm6, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm6, %xmm3
+        pclmulqdq	$0x00, %xmm6, %xmm0
+        pxor	%xmm6, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm6, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm6
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm6
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_calc_aad_done
+L_AES_GCM_decrypt_calc_aad_lt16:
+        subq	$16, %rsp
+        pxor	%xmm8, %xmm8
+        xorl	%ebx, %ebx
+        movdqa	%xmm8, (%rsp)
+L_AES_GCM_decrypt_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_calc_aad_loop
+        movdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm8
+        pxor	%xmm8, %xmm6
+        pshufd	$0x4e, %xmm6, %xmm1
+        pshufd	$0x4e, %xmm5, %xmm2
+        movdqa	%xmm5, %xmm3
+        movdqa	%xmm5, %xmm0
+        pclmulqdq	$0x11, %xmm6, %xmm3
+        pclmulqdq	$0x00, %xmm6, %xmm0
+        pxor	%xmm6, %xmm1
+        pxor	%xmm5, %xmm2
+        pclmulqdq	$0x00, %xmm2, %xmm1
+        pxor	%xmm0, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	%xmm1, %xmm2
+        movdqa	%xmm0, %xmm7
+        movdqa	%xmm3, %xmm6
+        pslldq	$8, %xmm2
+        psrldq	$8, %xmm1
+        pxor	%xmm2, %xmm7
+        pxor	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm6, %xmm1
+        psrld	$31, %xmm0
+        psrld	$31, %xmm1
+        pslld	$0x01, %xmm7
+        pslld	$0x01, %xmm6
+        movdqa	%xmm0, %xmm2
+        pslldq	$4, %xmm0
+        psrldq	$12, %xmm2
+        pslldq	$4, %xmm1
+        por	%xmm2, %xmm6
+        por	%xmm0, %xmm7
+        por	%xmm1, %xmm6
+        movdqa	%xmm7, %xmm0
+        movdqa	%xmm7, %xmm1
+        movdqa	%xmm7, %xmm2
+        pslld	$31, %xmm0
+        pslld	$30, %xmm1
+        pslld	$25, %xmm2
+        pxor	%xmm1, %xmm0
+        pxor	%xmm2, %xmm0
+        movdqa	%xmm0, %xmm1
+        psrldq	$4, %xmm1
+        pslldq	$12, %xmm0
+        pxor	%xmm0, %xmm7
+        movdqa	%xmm7, %xmm2
+        movdqa	%xmm7, %xmm3
+        movdqa	%xmm7, %xmm0
+        psrld	$0x01, %xmm2
+        psrld	$2, %xmm3
+        psrld	$7, %xmm0
+        pxor	%xmm3, %xmm2
+        pxor	%xmm0, %xmm2
+        pxor	%xmm1, %xmm2
+        pxor	%xmm7, %xmm2
+        pxor	%xmm2, %xmm6
+L_AES_GCM_decrypt_calc_aad_done:
+        # Calculate counter and H
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm4
+        movdqa	%xmm5, %xmm9
+        paddd	L_aes_gcm_one(%rip), %xmm4
+        movdqa	%xmm5, %xmm8
+        movdqa	%xmm4, 128(%rsp)
+        psrlq	$63, %xmm9
+        psllq	$0x01, %xmm8
+        pslldq	$8, %xmm9
+        por	%xmm9, %xmm8
+        pshufd	$0xff, %xmm5, %xmm5
+        psrad	$31, %xmm5
+        pand	L_aes_gcm_mod2_128(%rip), %xmm5
+        pxor	%xmm8, %xmm5
+        xorl	%ebx, %ebx
+        cmpl	$0x80, %r9d
+        movl	%r9d, %r13d
+        jl	L_AES_GCM_decrypt_done_128
+        andl	$0xffffff80, %r13d
+        movdqa	%xmm6, %xmm2
+        # H ^ 1
+        movdqa	%xmm5, (%rsp)
+        # H ^ 2
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm5, %xmm10
+        movdqa	%xmm5, %xmm11
+        movdqa	%xmm5, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm5, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm0
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm0
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm0
+        movdqa	%xmm0, 16(%rsp)
+        # H ^ 3
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm0, %xmm10
+        movdqa	%xmm0, %xmm11
+        movdqa	%xmm0, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm0, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm1
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm1
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm1
+        movdqa	%xmm1, 32(%rsp)
+        # H ^ 4
+        pshufd	$0x4e, %xmm0, %xmm9
+        pshufd	$0x4e, %xmm0, %xmm10
+        movdqa	%xmm0, %xmm11
+        movdqa	%xmm0, %xmm8
+        pclmulqdq	$0x11, %xmm0, %xmm11
+        pclmulqdq	$0x00, %xmm0, %xmm8
+        pxor	%xmm0, %xmm9
+        pxor	%xmm0, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm3
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm3
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm3
+        movdqa	%xmm3, 48(%rsp)
+        # H ^ 5
+        pshufd	$0x4e, %xmm0, %xmm9
+        pshufd	$0x4e, %xmm1, %xmm10
+        movdqa	%xmm1, %xmm11
+        movdqa	%xmm1, %xmm8
+        pclmulqdq	$0x11, %xmm0, %xmm11
+        pclmulqdq	$0x00, %xmm0, %xmm8
+        pxor	%xmm0, %xmm9
+        pxor	%xmm1, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 64(%rsp)
+        # H ^ 6
+        pshufd	$0x4e, %xmm1, %xmm9
+        pshufd	$0x4e, %xmm1, %xmm10
+        movdqa	%xmm1, %xmm11
+        movdqa	%xmm1, %xmm8
+        pclmulqdq	$0x11, %xmm1, %xmm11
+        pclmulqdq	$0x00, %xmm1, %xmm8
+        pxor	%xmm1, %xmm9
+        pxor	%xmm1, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 80(%rsp)
+        # H ^ 7
+        pshufd	$0x4e, %xmm1, %xmm9
+        pshufd	$0x4e, %xmm3, %xmm10
+        movdqa	%xmm3, %xmm11
+        movdqa	%xmm3, %xmm8
+        pclmulqdq	$0x11, %xmm1, %xmm11
+        pclmulqdq	$0x00, %xmm1, %xmm8
+        pxor	%xmm1, %xmm9
+        pxor	%xmm3, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 96(%rsp)
+        # H ^ 8
+        pshufd	$0x4e, %xmm3, %xmm9
+        pshufd	$0x4e, %xmm3, %xmm10
+        movdqa	%xmm3, %xmm11
+        movdqa	%xmm3, %xmm8
+        pclmulqdq	$0x11, %xmm3, %xmm11
+        pclmulqdq	$0x00, %xmm3, %xmm8
+        pxor	%xmm3, %xmm9
+        pxor	%xmm3, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm7
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm7
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm7
+        movdqa	%xmm7, 112(%rsp)
+L_AES_GCM_decrypt_ghash_128:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        movdqa	128(%rsp), %xmm8
+        movdqa	L_aes_gcm_bswap_epi64(%rip), %xmm1
+        movdqa	%xmm8, %xmm0
+        pshufb	%xmm1, %xmm8
+        movdqa	%xmm0, %xmm9
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pshufb	%xmm1, %xmm9
+        movdqa	%xmm0, %xmm10
+        paddd	L_aes_gcm_two(%rip), %xmm10
+        pshufb	%xmm1, %xmm10
+        movdqa	%xmm0, %xmm11
+        paddd	L_aes_gcm_three(%rip), %xmm11
+        pshufb	%xmm1, %xmm11
+        movdqa	%xmm0, %xmm12
+        paddd	L_aes_gcm_four(%rip), %xmm12
+        pshufb	%xmm1, %xmm12
+        movdqa	%xmm0, %xmm13
+        paddd	L_aes_gcm_five(%rip), %xmm13
+        pshufb	%xmm1, %xmm13
+        movdqa	%xmm0, %xmm14
+        paddd	L_aes_gcm_six(%rip), %xmm14
+        pshufb	%xmm1, %xmm14
+        movdqa	%xmm0, %xmm15
+        paddd	L_aes_gcm_seven(%rip), %xmm15
+        pshufb	%xmm1, %xmm15
+        paddd	L_aes_gcm_eight(%rip), %xmm0
+        movdqa	(%r15), %xmm7
+        movdqa	%xmm0, 128(%rsp)
+        pxor	%xmm7, %xmm8
+        pxor	%xmm7, %xmm9
+        pxor	%xmm7, %xmm10
+        pxor	%xmm7, %xmm11
+        pxor	%xmm7, %xmm12
+        pxor	%xmm7, %xmm13
+        pxor	%xmm7, %xmm14
+        pxor	%xmm7, %xmm15
+        movdqa	112(%rsp), %xmm7
+        movdqu	(%rcx), %xmm0
+        aesenc	16(%r15), %xmm8
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        pxor	%xmm2, %xmm0
+        pshufd	$0x4e, %xmm7, %xmm1
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm7, %xmm1
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm3
+        pclmulqdq	$0x11, %xmm7, %xmm3
+        aesenc	16(%r15), %xmm9
+        aesenc	16(%r15), %xmm10
+        movdqa	%xmm0, %xmm2
+        pclmulqdq	$0x00, %xmm7, %xmm2
+        aesenc	16(%r15), %xmm11
+        aesenc	16(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm1
+        aesenc	16(%r15), %xmm13
+        aesenc	16(%r15), %xmm14
+        aesenc	16(%r15), %xmm15
+        pxor	%xmm2, %xmm1
+        pxor	%xmm3, %xmm1
+        movdqa	96(%rsp), %xmm7
+        movdqu	16(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	32(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	32(%r15), %xmm9
+        aesenc	32(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	32(%r15), %xmm11
+        aesenc	32(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	32(%r15), %xmm13
+        aesenc	32(%r15), %xmm14
+        aesenc	32(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	80(%rsp), %xmm7
+        movdqu	32(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	48(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	48(%r15), %xmm9
+        aesenc	48(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	48(%r15), %xmm11
+        aesenc	48(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	48(%r15), %xmm13
+        aesenc	48(%r15), %xmm14
+        aesenc	48(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	64(%rsp), %xmm7
+        movdqu	48(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	64(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	64(%r15), %xmm9
+        aesenc	64(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	64(%r15), %xmm11
+        aesenc	64(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	64(%r15), %xmm13
+        aesenc	64(%r15), %xmm14
+        aesenc	64(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	48(%rsp), %xmm7
+        movdqu	64(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	80(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	80(%r15), %xmm9
+        aesenc	80(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	80(%r15), %xmm11
+        aesenc	80(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	80(%r15), %xmm13
+        aesenc	80(%r15), %xmm14
+        aesenc	80(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	32(%rsp), %xmm7
+        movdqu	80(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	96(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	96(%r15), %xmm9
+        aesenc	96(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	96(%r15), %xmm11
+        aesenc	96(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	96(%r15), %xmm13
+        aesenc	96(%r15), %xmm14
+        aesenc	96(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	16(%rsp), %xmm7
+        movdqu	96(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	112(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	112(%r15), %xmm9
+        aesenc	112(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	112(%r15), %xmm11
+        aesenc	112(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	112(%r15), %xmm13
+        aesenc	112(%r15), %xmm14
+        aesenc	112(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	(%rsp), %xmm7
+        movdqu	112(%rcx), %xmm0
+        pshufd	$0x4e, %xmm7, %xmm4
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm0
+        aesenc	128(%r15), %xmm8
+        pxor	%xmm7, %xmm4
+        pshufd	$0x4e, %xmm0, %xmm5
+        pxor	%xmm0, %xmm5
+        movdqa	%xmm0, %xmm6
+        pclmulqdq	$0x11, %xmm7, %xmm6
+        aesenc	128(%r15), %xmm9
+        aesenc	128(%r15), %xmm10
+        pclmulqdq	$0x00, %xmm0, %xmm7
+        aesenc	128(%r15), %xmm11
+        aesenc	128(%r15), %xmm12
+        pclmulqdq	$0x00, %xmm5, %xmm4
+        aesenc	128(%r15), %xmm13
+        aesenc	128(%r15), %xmm14
+        aesenc	128(%r15), %xmm15
+        pxor	%xmm7, %xmm1
+        pxor	%xmm7, %xmm2
+        pxor	%xmm6, %xmm1
+        pxor	%xmm6, %xmm3
+        pxor	%xmm4, %xmm1
+        movdqa	%xmm1, %xmm5
+        psrldq	$8, %xmm1
+        pslldq	$8, %xmm5
+        aesenc	144(%r15), %xmm8
+        pxor	%xmm5, %xmm2
+        pxor	%xmm1, %xmm3
+        movdqa	%xmm2, %xmm7
+        movdqa	%xmm2, %xmm4
+        movdqa	%xmm2, %xmm5
+        aesenc	144(%r15), %xmm9
+        pslld	$31, %xmm7
+        pslld	$30, %xmm4
+        pslld	$25, %xmm5
+        aesenc	144(%r15), %xmm10
+        pxor	%xmm4, %xmm7
+        pxor	%xmm5, %xmm7
+        aesenc	144(%r15), %xmm11
+        movdqa	%xmm7, %xmm4
+        pslldq	$12, %xmm7
+        psrldq	$4, %xmm4
+        aesenc	144(%r15), %xmm12
+        pxor	%xmm7, %xmm2
+        movdqa	%xmm2, %xmm5
+        movdqa	%xmm2, %xmm1
+        movdqa	%xmm2, %xmm0
+        aesenc	144(%r15), %xmm13
+        psrld	$0x01, %xmm5
+        psrld	$2, %xmm1
+        psrld	$7, %xmm0
+        aesenc	144(%r15), %xmm14
+        pxor	%xmm1, %xmm5
+        pxor	%xmm0, %xmm5
+        aesenc	144(%r15), %xmm15
+        pxor	%xmm4, %xmm5
+        pxor	%xmm5, %xmm2
+        pxor	%xmm3, %xmm2
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_aesenc_128_ghash_avx_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	176(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_aesenc_128_ghash_avx_done
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	208(%r15), %xmm7
+        aesenc	%xmm7, %xmm8
+        aesenc	%xmm7, %xmm9
+        aesenc	%xmm7, %xmm10
+        aesenc	%xmm7, %xmm11
+        aesenc	%xmm7, %xmm12
+        aesenc	%xmm7, %xmm13
+        aesenc	%xmm7, %xmm14
+        aesenc	%xmm7, %xmm15
+        movdqa	224(%r15), %xmm7
+L_AES_GCM_decrypt_aesenc_128_ghash_avx_done:
+        aesenclast	%xmm7, %xmm8
+        aesenclast	%xmm7, %xmm9
+        movdqu	(%rcx), %xmm0
+        movdqu	16(%rcx), %xmm1
+        pxor	%xmm0, %xmm8
+        pxor	%xmm1, %xmm9
+        movdqu	%xmm8, (%rdx)
+        movdqu	%xmm9, 16(%rdx)
+        aesenclast	%xmm7, %xmm10
+        aesenclast	%xmm7, %xmm11
+        movdqu	32(%rcx), %xmm0
+        movdqu	48(%rcx), %xmm1
+        pxor	%xmm0, %xmm10
+        pxor	%xmm1, %xmm11
+        movdqu	%xmm10, 32(%rdx)
+        movdqu	%xmm11, 48(%rdx)
+        aesenclast	%xmm7, %xmm12
+        aesenclast	%xmm7, %xmm13
+        movdqu	64(%rcx), %xmm0
+        movdqu	80(%rcx), %xmm1
+        pxor	%xmm0, %xmm12
+        pxor	%xmm1, %xmm13
+        movdqu	%xmm12, 64(%rdx)
+        movdqu	%xmm13, 80(%rdx)
+        aesenclast	%xmm7, %xmm14
+        aesenclast	%xmm7, %xmm15
+        movdqu	96(%rcx), %xmm0
+        movdqu	112(%rcx), %xmm1
+        pxor	%xmm0, %xmm14
+        pxor	%xmm1, %xmm15
+        movdqu	%xmm14, 96(%rdx)
+        movdqu	%xmm15, 112(%rdx)
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_ghash_128
+        movdqa	%xmm2, %xmm6
+        movdqa	(%rsp), %xmm5
+L_AES_GCM_decrypt_done_128:
+        movl	%r9d, %edx
+        cmpl	%edx, %ebx
+        jge	L_AES_GCM_decrypt_done_dec
+        movl	%r9d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_decrypt_last_block_done
+L_AES_GCM_decrypt_last_block_start:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        movdqu	(%rcx), %xmm1
+        movdqa	%xmm5, %xmm0
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm1
+        pxor	%xmm6, %xmm1
+        movdqa	128(%rsp), %xmm8
+        movdqa	%xmm8, %xmm9
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm8
+        paddd	L_aes_gcm_one(%rip), %xmm9
+        pxor	(%r15), %xmm8
+        movdqa	%xmm9, 128(%rsp)
+        movdqa	%xmm1, %xmm10
+        pclmulqdq	$16, %xmm0, %xmm10
+        aesenc	16(%r15), %xmm8
+        aesenc	32(%r15), %xmm8
+        movdqa	%xmm1, %xmm11
+        pclmulqdq	$0x01, %xmm0, %xmm11
+        aesenc	48(%r15), %xmm8
+        aesenc	64(%r15), %xmm8
+        movdqa	%xmm1, %xmm12
+        pclmulqdq	$0x00, %xmm0, %xmm12
+        aesenc	80(%r15), %xmm8
+        movdqa	%xmm1, %xmm1
+        pclmulqdq	$0x11, %xmm0, %xmm1
+        aesenc	96(%r15), %xmm8
+        pxor	%xmm11, %xmm10
+        movdqa	%xmm10, %xmm2
+        psrldq	$8, %xmm10
+        pslldq	$8, %xmm2
+        aesenc	112(%r15), %xmm8
+        movdqa	%xmm1, %xmm3
+        pxor	%xmm12, %xmm2
+        pxor	%xmm10, %xmm3
+        movdqa	L_aes_gcm_mod2_128(%rip), %xmm0
+        movdqa	%xmm2, %xmm11
+        pclmulqdq	$16, %xmm0, %xmm11
+        aesenc	128(%r15), %xmm8
+        pshufd	$0x4e, %xmm2, %xmm10
+        pxor	%xmm11, %xmm10
+        movdqa	%xmm10, %xmm11
+        pclmulqdq	$16, %xmm0, %xmm11
+        aesenc	144(%r15), %xmm8
+        pshufd	$0x4e, %xmm10, %xmm6
+        pxor	%xmm11, %xmm6
+        pxor	%xmm3, %xmm6
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_aesenc_gfmul_last
+        aesenc	%xmm9, %xmm8
+        aesenc	176(%r15), %xmm8
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_aesenc_gfmul_last
+        aesenc	%xmm9, %xmm8
+        aesenc	208(%r15), %xmm8
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_aesenc_gfmul_last:
+        aesenclast	%xmm9, %xmm8
+        movdqu	(%rcx), %xmm9
+        pxor	%xmm9, %xmm8
+        movdqu	%xmm8, (%rdx)
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_last_block_start
+L_AES_GCM_decrypt_last_block_done:
+        movl	%r9d, %ecx
+        movl	%ecx, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_decrypt_aesenc_last15_dec_avx_done
+        movdqa	128(%rsp), %xmm4
+        pshufb	L_aes_gcm_bswap_epi64(%rip), %xmm4
+        pxor	(%r15), %xmm4
+        aesenc	16(%r15), %xmm4
+        aesenc	32(%r15), %xmm4
+        aesenc	48(%r15), %xmm4
+        aesenc	64(%r15), %xmm4
+        aesenc	80(%r15), %xmm4
+        aesenc	96(%r15), %xmm4
+        aesenc	112(%r15), %xmm4
+        aesenc	128(%r15), %xmm4
+        aesenc	144(%r15), %xmm4
+        cmpl	$11, %r10d
+        movdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_aesenc_last15_dec_avx_aesenc_avx_last
+        aesenc	%xmm9, %xmm4
+        aesenc	176(%r15), %xmm4
+        cmpl	$13, %r10d
+        movdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_aesenc_last15_dec_avx_aesenc_avx_last
+        aesenc	%xmm9, %xmm4
+        aesenc	208(%r15), %xmm4
+        movdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_aesenc_last15_dec_avx_aesenc_avx_last:
+        aesenclast	%xmm9, %xmm4
+        subq	$32, %rsp
+        xorl	%ecx, %ecx
+        movdqa	%xmm4, (%rsp)
+        pxor	%xmm0, %xmm0
+        movdqa	%xmm0, 16(%rsp)
+L_AES_GCM_decrypt_aesenc_last15_dec_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        movb	%r13b, 16(%rsp,%rcx,1)
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, (%rsi,%rbx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_decrypt_aesenc_last15_dec_avx_loop
+        movdqa	16(%rsp), %xmm4
+        addq	$32, %rsp
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm4
+        pxor	%xmm4, %xmm6
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm6, %xmm10
+        movdqa	%xmm6, %xmm11
+        movdqa	%xmm6, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm6, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm6
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm6
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm6
+L_AES_GCM_decrypt_aesenc_last15_dec_avx_done:
+L_AES_GCM_decrypt_done_dec:
+        movl	%r9d, %edx
+        movl	%r11d, %ecx
+        shlq	$3, %rdx
+        shlq	$3, %rcx
+        pinsrq	$0x00, %rdx, %xmm0
+        pinsrq	$0x01, %rcx, %xmm0
+        pxor	%xmm0, %xmm6
+        pshufd	$0x4e, %xmm5, %xmm9
+        pshufd	$0x4e, %xmm6, %xmm10
+        movdqa	%xmm6, %xmm11
+        movdqa	%xmm6, %xmm8
+        pclmulqdq	$0x11, %xmm5, %xmm11
+        pclmulqdq	$0x00, %xmm5, %xmm8
+        pxor	%xmm5, %xmm9
+        pxor	%xmm6, %xmm10
+        pclmulqdq	$0x00, %xmm10, %xmm9
+        pxor	%xmm8, %xmm9
+        pxor	%xmm11, %xmm9
+        movdqa	%xmm9, %xmm10
+        movdqa	%xmm11, %xmm6
+        pslldq	$8, %xmm10
+        psrldq	$8, %xmm9
+        pxor	%xmm10, %xmm8
+        pxor	%xmm9, %xmm6
+        movdqa	%xmm8, %xmm12
+        movdqa	%xmm8, %xmm13
+        movdqa	%xmm8, %xmm14
+        pslld	$31, %xmm12
+        pslld	$30, %xmm13
+        pslld	$25, %xmm14
+        pxor	%xmm13, %xmm12
+        pxor	%xmm14, %xmm12
+        movdqa	%xmm12, %xmm13
+        psrldq	$4, %xmm13
+        pslldq	$12, %xmm12
+        pxor	%xmm12, %xmm8
+        movdqa	%xmm8, %xmm14
+        movdqa	%xmm8, %xmm10
+        movdqa	%xmm8, %xmm9
+        psrld	$0x01, %xmm14
+        psrld	$2, %xmm10
+        psrld	$7, %xmm9
+        pxor	%xmm10, %xmm14
+        pxor	%xmm9, %xmm14
+        pxor	%xmm13, %xmm14
+        pxor	%xmm8, %xmm14
+        pxor	%xmm14, %xmm6
+        pshufb	L_aes_gcm_bswap_mask(%rip), %xmm6
+        movdqa	144(%rsp), %xmm0
+        pxor	%xmm6, %xmm0
+        cmpl	$16, %r14d
+        je	L_AES_GCM_decrypt_cmp_tag_16
+        subq	$16, %rsp
+        xorq	%rcx, %rcx
+        xorq	%rbx, %rbx
+        movdqa	%xmm0, (%rsp)
+L_AES_GCM_decrypt_cmp_tag_loop:
+        movzbl	(%rsp,%rcx,1), %r13d
+        xorb	(%r8,%rcx,1), %r13b
+        orb	%r13b, %bl
+        incl	%ecx
+        cmpl	%r14d, %ecx
+        jne	L_AES_GCM_decrypt_cmp_tag_loop
+        cmpb	$0x00, %bl
+        sete	%bl
+        addq	$16, %rsp
+        xorq	%rcx, %rcx
+        jmp	L_AES_GCM_decrypt_cmp_tag_done
+L_AES_GCM_decrypt_cmp_tag_16:
+        movdqu	(%r8), %xmm1
+        pcmpeqb	%xmm1, %xmm0
+        pmovmskb	%xmm0, %rdx
+        # %%edx == 0xFFFF then return 1 else => return 0
+        xorl	%ebx, %ebx
+        cmpl	$0xffff, %edx
+        sete	%bl
+L_AES_GCM_decrypt_cmp_tag_done:
+        movl	%ebx, (%rbp)
+        addq	$0xa8, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%rbx
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_decrypt,.-AES_GCM_decrypt
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_one:
+.quad	0x0, 0x1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_two:
+.quad	0x0, 0x2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_three:
+.quad	0x0, 0x3
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_four:
+.quad	0x0, 0x4
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_five:
+.quad	0x0, 0x5
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_six:
+.quad	0x0, 0x6
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_seven:
+.quad	0x0, 0x7
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_eight:
+.quad	0x0, 0x8
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_bswap_epi64:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_bswap_mask:
+.quad	0x8090a0b0c0d0e0f, 0x1020304050607
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_aes_gcm_mod2_128:
+.quad	0x1, 0xc200000000000000
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_encrypt_avx1
+.type	AES_GCM_encrypt_avx1,@function
+.align	4
+AES_GCM_encrypt_avx1:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_encrypt_avx1
+.p2align	2
+_AES_GCM_encrypt_avx1:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%rbx
+        pushq	%r14
+        pushq	%r15
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movl	48(%rsp), %r11d
+        movl	56(%rsp), %ebx
+        movl	64(%rsp), %r14d
+        movq	72(%rsp), %r15
+        movl	80(%rsp), %r10d
+        subq	$0xa0, %rsp
+        vpxor	%xmm4, %xmm4, %xmm4
+        vpxor	%xmm6, %xmm6, %xmm6
+        movl	%ebx, %edx
+        cmpl	$12, %edx
+        jne	L_AES_GCM_encrypt_avx1_iv_not_12
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        movl	$0x1000000, %ecx
+        vpinsrq	$0x00, (%rax), %xmm4, %xmm4
+        vpinsrd	$2, 8(%rax), %xmm4, %xmm4
+        vpinsrd	$3, %ecx, %xmm4, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        vmovdqa	(%r15), %xmm5
+        vpxor	%xmm5, %xmm4, %xmm1
+        vmovdqa	16(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	32(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	48(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	64(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	80(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	96(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	112(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	128(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	144(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_12_last
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	176(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_12_last
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	208(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_avx1_calc_iv_12_last:
+        vaesenclast	%xmm7, %xmm5, %xmm5
+        vaesenclast	%xmm7, %xmm1, %xmm1
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        vmovdqa	%xmm1, 144(%rsp)
+        jmp	L_AES_GCM_encrypt_avx1_iv_done
+L_AES_GCM_encrypt_avx1_iv_not_12:
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        vmovdqa	(%r15), %xmm5
+        vaesenc	16(%r15), %xmm5, %xmm5
+        vaesenc	32(%r15), %xmm5, %xmm5
+        vaesenc	48(%r15), %xmm5, %xmm5
+        vaesenc	64(%r15), %xmm5, %xmm5
+        vaesenc	80(%r15), %xmm5, %xmm5
+        vaesenc	96(%r15), %xmm5, %xmm5
+        vaesenc	112(%r15), %xmm5, %xmm5
+        vaesenc	128(%r15), %xmm5, %xmm5
+        vaesenc	144(%r15), %xmm5, %xmm5
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm9, %xmm5, %xmm5
+        vaesenc	176(%r15), %xmm5, %xmm5
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm9, %xmm5, %xmm5
+        vaesenc	208(%r15), %xmm5, %xmm5
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_avx1_calc_iv_1_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm5, %xmm5
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_encrypt_avx1_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_avx1_calc_iv_16_loop:
+        vmovdqu	(%rax,%rcx,1), %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_avx1_calc_iv_done
+L_AES_GCM_encrypt_avx1_calc_iv_lt16:
+        subq	$16, %rsp
+        vpxor	%xmm8, %xmm8, %xmm8
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm8, (%rsp)
+L_AES_GCM_encrypt_avx1_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_loop
+        vmovdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+L_AES_GCM_encrypt_avx1_calc_iv_done:
+        # T = Encrypt counter
+        vpxor	%xmm0, %xmm0, %xmm0
+        shll	$3, %edx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        #   Encrypt counter
+        vmovdqa	(%r15), %xmm8
+        vpxor	%xmm4, %xmm8, %xmm8
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vaesenc	144(%r15), %xmm8, %xmm8
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	176(%r15), %xmm8, %xmm8
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	208(%r15), %xmm8, %xmm8
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_avx1_calc_iv_2_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm8, %xmm8
+        vmovdqa	%xmm8, 144(%rsp)
+L_AES_GCM_encrypt_avx1_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_encrypt_avx1_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_avx1_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_avx1_calc_aad_16_loop:
+        vmovdqu	(%r12,%rcx,1), %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm6, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm6, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx1_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_avx1_calc_aad_done
+L_AES_GCM_encrypt_avx1_calc_aad_lt16:
+        subq	$16, %rsp
+        vpxor	%xmm8, %xmm8, %xmm8
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm8, (%rsp)
+L_AES_GCM_encrypt_avx1_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx1_calc_aad_loop
+        vmovdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm6, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx1_calc_aad_done:
+        # Calculate counter and H
+        vpsrlq	$63, %xmm5, %xmm9
+        vpsllq	$0x01, %xmm5, %xmm8
+        vpslldq	$8, %xmm9, %xmm9
+        vpor	%xmm9, %xmm8, %xmm8
+        vpshufd	$0xff, %xmm5, %xmm5
+        vpsrad	$31, %xmm5, %xmm5
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpand	L_avx1_aes_gcm_mod2_128(%rip), %xmm5, %xmm5
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm4, %xmm4
+        vpxor	%xmm8, %xmm5, %xmm5
+        vmovdqa	%xmm4, 128(%rsp)
+        xorl	%ebx, %ebx
+        cmpl	$0x80, %r9d
+        movl	%r9d, %r13d
+        jl	L_AES_GCM_encrypt_avx1_done_128
+        andl	$0xffffff80, %r13d
+        vmovdqa	%xmm6, %xmm2
+        # H ^ 1
+        vmovdqa	%xmm5, (%rsp)
+        # H ^ 2
+        vpclmulqdq	$0x00, %xmm5, %xmm5, %xmm8
+        vpclmulqdq	$0x11, %xmm5, %xmm5, %xmm0
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm0, %xmm0
+        vmovdqa	%xmm0, 16(%rsp)
+        # H ^ 3
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm0, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm0, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm1
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm1, %xmm1
+        vmovdqa	%xmm1, 32(%rsp)
+        # H ^ 4
+        vpclmulqdq	$0x00, %xmm0, %xmm0, %xmm8
+        vpclmulqdq	$0x11, %xmm0, %xmm0, %xmm3
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm3, %xmm3
+        vmovdqa	%xmm3, 48(%rsp)
+        # H ^ 5
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm0, %xmm9
+        vpshufd	$0x4e, %xmm1, %xmm10
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm11
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm8
+        vpxor	%xmm0, %xmm9, %xmm9
+        vpxor	%xmm1, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 64(%rsp)
+        # H ^ 6
+        vpclmulqdq	$0x00, %xmm1, %xmm1, %xmm8
+        vpclmulqdq	$0x11, %xmm1, %xmm1, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 80(%rsp)
+        # H ^ 7
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm1, %xmm9
+        vpshufd	$0x4e, %xmm3, %xmm10
+        vpclmulqdq	$0x11, %xmm1, %xmm3, %xmm11
+        vpclmulqdq	$0x00, %xmm1, %xmm3, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vpxor	%xmm3, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 96(%rsp)
+        # H ^ 8
+        vpclmulqdq	$0x00, %xmm3, %xmm3, %xmm8
+        vpclmulqdq	$0x11, %xmm3, %xmm3, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 112(%rsp)
+        # First 128 bytes of input
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx1_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx1_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx1_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx1_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx1_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx1_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm15, %xmm15
+        vpaddd	L_avx1_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vmovdqa	(%r15), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        vmovdqa	16(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	32(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	48(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	64(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	80(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	96(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	112(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	128(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	144(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_aesenc_128_enc_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_aesenc_128_enc_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_avx1_aesenc_128_enc_done:
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vmovdqu	(%rdi), %xmm0
+        vmovdqu	16(%rdi), %xmm1
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vmovdqu	%xmm8, (%rsi)
+        vmovdqu	%xmm9, 16(%rsi)
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	32(%rdi), %xmm0
+        vmovdqu	48(%rdi), %xmm1
+        vpxor	%xmm0, %xmm10, %xmm10
+        vpxor	%xmm1, %xmm11, %xmm11
+        vmovdqu	%xmm10, 32(%rsi)
+        vmovdqu	%xmm11, 48(%rsi)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vmovdqu	64(%rdi), %xmm0
+        vmovdqu	80(%rdi), %xmm1
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vmovdqu	%xmm12, 64(%rsi)
+        vmovdqu	%xmm13, 80(%rsi)
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	96(%rdi), %xmm0
+        vmovdqu	112(%rdi), %xmm1
+        vpxor	%xmm0, %xmm14, %xmm14
+        vpxor	%xmm1, %xmm15, %xmm15
+        vmovdqu	%xmm14, 96(%rsi)
+        vmovdqu	%xmm15, 112(%rsi)
+        cmpl	$0x80, %r13d
+        movl	$0x80, %ebx
+        jle	L_AES_GCM_encrypt_avx1_end_128
+        # More 128 bytes of input
+L_AES_GCM_encrypt_avx1_ghash_128:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx1_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx1_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx1_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx1_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx1_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx1_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm15, %xmm15
+        vpaddd	L_avx1_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vmovdqa	(%r15), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        vmovdqa	112(%rsp), %xmm7
+        vmovdqu	-128(%rdx), %xmm0
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm3
+        vaesenc	16(%r15), %xmm9, %xmm9
+        vaesenc	16(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm2
+        vaesenc	16(%r15), %xmm11, %xmm11
+        vaesenc	16(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm1, %xmm1
+        vaesenc	16(%r15), %xmm13, %xmm13
+        vaesenc	16(%r15), %xmm14, %xmm14
+        vaesenc	16(%r15), %xmm15, %xmm15
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	96(%rsp), %xmm7
+        vmovdqu	-112(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	32(%r15), %xmm9, %xmm9
+        vaesenc	32(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	32(%r15), %xmm11, %xmm11
+        vaesenc	32(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	32(%r15), %xmm13, %xmm13
+        vaesenc	32(%r15), %xmm14, %xmm14
+        vaesenc	32(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	80(%rsp), %xmm7
+        vmovdqu	-96(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	48(%r15), %xmm9, %xmm9
+        vaesenc	48(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	48(%r15), %xmm11, %xmm11
+        vaesenc	48(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	48(%r15), %xmm13, %xmm13
+        vaesenc	48(%r15), %xmm14, %xmm14
+        vaesenc	48(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	64(%rsp), %xmm7
+        vmovdqu	-80(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	64(%r15), %xmm9, %xmm9
+        vaesenc	64(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	64(%r15), %xmm11, %xmm11
+        vaesenc	64(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	64(%r15), %xmm13, %xmm13
+        vaesenc	64(%r15), %xmm14, %xmm14
+        vaesenc	64(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	48(%rsp), %xmm7
+        vmovdqu	-64(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	80(%r15), %xmm9, %xmm9
+        vaesenc	80(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	80(%r15), %xmm11, %xmm11
+        vaesenc	80(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	80(%r15), %xmm13, %xmm13
+        vaesenc	80(%r15), %xmm14, %xmm14
+        vaesenc	80(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	32(%rsp), %xmm7
+        vmovdqu	-48(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	96(%r15), %xmm9, %xmm9
+        vaesenc	96(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	96(%r15), %xmm11, %xmm11
+        vaesenc	96(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	96(%r15), %xmm13, %xmm13
+        vaesenc	96(%r15), %xmm14, %xmm14
+        vaesenc	96(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	16(%rsp), %xmm7
+        vmovdqu	-32(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	112(%r15), %xmm9, %xmm9
+        vaesenc	112(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	112(%r15), %xmm11, %xmm11
+        vaesenc	112(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	112(%r15), %xmm13, %xmm13
+        vaesenc	112(%r15), %xmm14, %xmm14
+        vaesenc	112(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	(%rsp), %xmm7
+        vmovdqu	-16(%rdx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	128(%r15), %xmm9, %xmm9
+        vaesenc	128(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	128(%r15), %xmm11, %xmm11
+        vaesenc	128(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	128(%r15), %xmm13, %xmm13
+        vaesenc	128(%r15), %xmm14, %xmm14
+        vaesenc	128(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpslldq	$8, %xmm1, %xmm5
+        vpsrldq	$8, %xmm1, %xmm1
+        vaesenc	144(%r15), %xmm8, %xmm8
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm3, %xmm3
+        vaesenc	144(%r15), %xmm9, %xmm9
+        vpslld	$31, %xmm2, %xmm7
+        vpslld	$30, %xmm2, %xmm4
+        vpslld	$25, %xmm2, %xmm5
+        vaesenc	144(%r15), %xmm10, %xmm10
+        vpxor	%xmm4, %xmm7, %xmm7
+        vpxor	%xmm5, %xmm7, %xmm7
+        vaesenc	144(%r15), %xmm11, %xmm11
+        vpsrldq	$4, %xmm7, %xmm4
+        vpslldq	$12, %xmm7, %xmm7
+        vaesenc	144(%r15), %xmm12, %xmm12
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpsrld	$0x01, %xmm2, %xmm5
+        vaesenc	144(%r15), %xmm13, %xmm13
+        vpsrld	$2, %xmm2, %xmm1
+        vpsrld	$7, %xmm2, %xmm0
+        vaesenc	144(%r15), %xmm14, %xmm14
+        vpxor	%xmm1, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vaesenc	144(%r15), %xmm15, %xmm15
+        vpxor	%xmm4, %xmm5, %xmm5
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm2, %xmm2
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_encrypt_avx1_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%r15), %xmm7
+L_AES_GCM_encrypt_avx1_aesenc_128_ghash_avx_done:
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vmovdqu	(%rcx), %xmm0
+        vmovdqu	16(%rcx), %xmm1
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vmovdqu	%xmm8, (%rdx)
+        vmovdqu	%xmm9, 16(%rdx)
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	32(%rcx), %xmm0
+        vmovdqu	48(%rcx), %xmm1
+        vpxor	%xmm0, %xmm10, %xmm10
+        vpxor	%xmm1, %xmm11, %xmm11
+        vmovdqu	%xmm10, 32(%rdx)
+        vmovdqu	%xmm11, 48(%rdx)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vmovdqu	64(%rcx), %xmm0
+        vmovdqu	80(%rcx), %xmm1
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vmovdqu	%xmm12, 64(%rdx)
+        vmovdqu	%xmm13, 80(%rdx)
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	96(%rcx), %xmm0
+        vmovdqu	112(%rcx), %xmm1
+        vpxor	%xmm0, %xmm14, %xmm14
+        vpxor	%xmm1, %xmm15, %xmm15
+        vmovdqu	%xmm14, 96(%rdx)
+        vmovdqu	%xmm15, 112(%rdx)
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_avx1_ghash_128
+L_AES_GCM_encrypt_avx1_end_128:
+        vmovdqa	L_avx1_aes_gcm_bswap_mask(%rip), %xmm4
+        vpshufb	%xmm4, %xmm8, %xmm8
+        vpshufb	%xmm4, %xmm9, %xmm9
+        vpshufb	%xmm4, %xmm10, %xmm10
+        vpshufb	%xmm4, %xmm11, %xmm11
+        vpxor	%xmm2, %xmm8, %xmm8
+        vpshufb	%xmm4, %xmm12, %xmm12
+        vpshufb	%xmm4, %xmm13, %xmm13
+        vpshufb	%xmm4, %xmm14, %xmm14
+        vpshufb	%xmm4, %xmm15, %xmm15
+        vmovdqa	(%rsp), %xmm7
+        vmovdqa	16(%rsp), %xmm5
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm15, %xmm1
+        vpshufd	$0x4e, %xmm7, %xmm2
+        vpclmulqdq	$0x11, %xmm15, %xmm7, %xmm3
+        vpclmulqdq	$0x00, %xmm15, %xmm7, %xmm0
+        vpxor	%xmm15, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm4
+        vmovdqa	%xmm3, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm14, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm14, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm14, %xmm5, %xmm0
+        vpxor	%xmm14, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        vmovdqa	32(%rsp), %xmm7
+        vmovdqa	48(%rsp), %xmm5
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm13, %xmm1
+        vpshufd	$0x4e, %xmm7, %xmm2
+        vpclmulqdq	$0x11, %xmm13, %xmm7, %xmm3
+        vpclmulqdq	$0x00, %xmm13, %xmm7, %xmm0
+        vpxor	%xmm13, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm12, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm12, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm12, %xmm5, %xmm0
+        vpxor	%xmm12, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        vmovdqa	64(%rsp), %xmm7
+        vmovdqa	80(%rsp), %xmm5
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm11, %xmm1
+        vpshufd	$0x4e, %xmm7, %xmm2
+        vpclmulqdq	$0x11, %xmm11, %xmm7, %xmm3
+        vpclmulqdq	$0x00, %xmm11, %xmm7, %xmm0
+        vpxor	%xmm11, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm10, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm10, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm10, %xmm5, %xmm0
+        vpxor	%xmm10, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        vmovdqa	96(%rsp), %xmm7
+        vmovdqa	112(%rsp), %xmm5
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm9, %xmm1
+        vpshufd	$0x4e, %xmm7, %xmm2
+        vpclmulqdq	$0x11, %xmm9, %xmm7, %xmm3
+        vpclmulqdq	$0x00, %xmm9, %xmm7, %xmm0
+        vpxor	%xmm9, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        # ghash_gfmul_xor_avx
+        vpshufd	$0x4e, %xmm8, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm8, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm8, %xmm5, %xmm0
+        vpxor	%xmm8, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpslld	$31, %xmm4, %xmm0
+        vpslld	$30, %xmm4, %xmm1
+        vpslld	$25, %xmm4, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpsrld	$0x01, %xmm4, %xmm2
+        vpsrld	$2, %xmm4, %xmm3
+        vpsrld	$7, %xmm4, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm4, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm6, %xmm6
+        vmovdqa	(%rsp), %xmm5
+L_AES_GCM_encrypt_avx1_done_128:
+        movl	%r9d, %edx
+        cmpl	%edx, %ebx
+        jge	L_AES_GCM_encrypt_avx1_done_enc
+        movl	%r9d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_avx1_last_block_done
+        vmovdqa	128(%rsp), %xmm9
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm9, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm9, %xmm9
+        vmovdqa	%xmm9, 128(%rsp)
+        vpxor	(%r15), %xmm8, %xmm8
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vaesenc	144(%r15), %xmm8, %xmm8
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_block_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	176(%r15), %xmm8, %xmm8
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_block_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	208(%r15), %xmm8, %xmm8
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_avx1_aesenc_block_last:
+        vaesenclast	%xmm9, %xmm8, %xmm8
+        vmovdqu	(%rdi,%rbx,1), %xmm9
+        vpxor	%xmm9, %xmm8, %xmm8
+        vmovdqu	%xmm8, (%rsi,%rbx,1)
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm6, %xmm6
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_avx1_last_block_ghash
+L_AES_GCM_encrypt_avx1_last_block_start:
+        vmovdqu	(%rdi,%rbx,1), %xmm13
+        vmovdqa	128(%rsp), %xmm9
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm9, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm9, %xmm9
+        vmovdqa	%xmm9, 128(%rsp)
+        vpxor	(%r15), %xmm8, %xmm8
+        vpclmulqdq	$16, %xmm5, %xmm6, %xmm10
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x01, %xmm5, %xmm6, %xmm11
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm12
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm1
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpslldq	$8, %xmm10, %xmm2
+        vpsrldq	$8, %xmm10, %xmm10
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vpxor	%xmm12, %xmm2, %xmm2
+        vpxor	%xmm10, %xmm1, %xmm3
+        vmovdqa	L_avx1_aes_gcm_mod2_128(%rip), %xmm0
+        vpclmulqdq	$16, %xmm0, %xmm2, %xmm11
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vpshufd	$0x4e, %xmm2, %xmm10
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm0, %xmm10, %xmm11
+        vaesenc	144(%r15), %xmm8, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpxor	%xmm3, %xmm10, %xmm6
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_gfmul_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	176(%r15), %xmm8, %xmm8
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_gfmul_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	208(%r15), %xmm8, %xmm8
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_avx1_aesenc_gfmul_last:
+        vaesenclast	%xmm9, %xmm8, %xmm8
+        vmovdqa	%xmm13, %xmm0
+        vpxor	%xmm0, %xmm8, %xmm8
+        vmovdqu	%xmm8, (%rsi,%rbx,1)
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        addl	$16, %ebx
+        vpxor	%xmm8, %xmm6, %xmm6
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_avx1_last_block_start
+L_AES_GCM_encrypt_avx1_last_block_ghash:
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm6, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm6, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm6
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx1_last_block_done:
+        movl	%r9d, %ecx
+        movl	%ecx, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_done
+        vmovdqa	128(%rsp), %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpxor	(%r15), %xmm4, %xmm4
+        vaesenc	16(%r15), %xmm4, %xmm4
+        vaesenc	32(%r15), %xmm4, %xmm4
+        vaesenc	48(%r15), %xmm4, %xmm4
+        vaesenc	64(%r15), %xmm4, %xmm4
+        vaesenc	80(%r15), %xmm4, %xmm4
+        vaesenc	96(%r15), %xmm4, %xmm4
+        vaesenc	112(%r15), %xmm4, %xmm4
+        vaesenc	128(%r15), %xmm4, %xmm4
+        vaesenc	144(%r15), %xmm4, %xmm4
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_aesenc_avx_last
+        vaesenc	%xmm9, %xmm4, %xmm4
+        vaesenc	176(%r15), %xmm4, %xmm4
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_aesenc_avx_last
+        vaesenc	%xmm9, %xmm4, %xmm4
+        vaesenc	208(%r15), %xmm4, %xmm4
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm4, %xmm4
+        subq	$16, %rsp
+        xorl	%ecx, %ecx
+        vmovdqa	%xmm4, (%rsp)
+L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, (%rsi,%rbx,1)
+        movb	%r13b, (%rsp,%rcx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_loop
+        xorq	%r13, %r13
+        cmpl	$16, %ecx
+        je	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_finish_enc
+L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_byte_loop:
+        movb	%r13b, (%rsp,%rcx,1)
+        incl	%ecx
+        cmpl	$16, %ecx
+        jl	L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_byte_loop
+L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_finish_enc:
+        vmovdqa	(%rsp), %xmm4
+        addq	$16, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        vpxor	%xmm4, %xmm6, %xmm6
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm6, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm6, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm6
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx1_aesenc_last15_enc_avx_done:
+L_AES_GCM_encrypt_avx1_done_enc:
+        movl	%r9d, %edx
+        movl	%r11d, %ecx
+        shlq	$3, %rdx
+        shlq	$3, %rcx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpinsrq	$0x01, %rcx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm6, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm6, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm6
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm6, %xmm6
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm6, %xmm6
+        vpxor	144(%rsp), %xmm6, %xmm0
+        cmpl	$16, %r14d
+        je	L_AES_GCM_encrypt_avx1_store_tag_16
+        xorq	%rcx, %rcx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_encrypt_avx1_store_tag_loop:
+        movzbl	(%rsp,%rcx,1), %r13d
+        movb	%r13b, (%r8,%rcx,1)
+        incl	%ecx
+        cmpl	%r14d, %ecx
+        jne	L_AES_GCM_encrypt_avx1_store_tag_loop
+        jmp	L_AES_GCM_encrypt_avx1_store_tag_done
+L_AES_GCM_encrypt_avx1_store_tag_16:
+        vmovdqu	%xmm0, (%r8)
+L_AES_GCM_encrypt_avx1_store_tag_done:
+        vzeroupper
+        addq	$0xa0, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%rbx
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_encrypt_avx1,.-AES_GCM_encrypt_avx1
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_decrypt_avx1
+.type	AES_GCM_decrypt_avx1,@function
+.align	4
+AES_GCM_decrypt_avx1:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_decrypt_avx1
+.p2align	2
+_AES_GCM_decrypt_avx1:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%rbx
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movl	56(%rsp), %r11d
+        movl	64(%rsp), %ebx
+        movl	72(%rsp), %r14d
+        movq	80(%rsp), %r15
+        movl	88(%rsp), %r10d
+        movq	96(%rsp), %rbp
+        subq	$0xa8, %rsp
+        vpxor	%xmm4, %xmm4, %xmm4
+        vpxor	%xmm6, %xmm6, %xmm6
+        cmpl	$12, %ebx
+        movl	%ebx, %edx
+        jne	L_AES_GCM_decrypt_avx1_iv_not_12
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        movl	$0x1000000, %ecx
+        vpinsrq	$0x00, (%rax), %xmm4, %xmm4
+        vpinsrd	$2, 8(%rax), %xmm4, %xmm4
+        vpinsrd	$3, %ecx, %xmm4, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        vmovdqa	(%r15), %xmm5
+        vpxor	%xmm5, %xmm4, %xmm1
+        vmovdqa	16(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	32(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	48(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	64(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	80(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	96(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	112(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	128(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	144(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_12_last
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	176(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_12_last
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	208(%r15), %xmm7
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm1, %xmm1
+        vmovdqa	224(%r15), %xmm7
+L_AES_GCM_decrypt_avx1_calc_iv_12_last:
+        vaesenclast	%xmm7, %xmm5, %xmm5
+        vaesenclast	%xmm7, %xmm1, %xmm1
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        vmovdqa	%xmm1, 144(%rsp)
+        jmp	L_AES_GCM_decrypt_avx1_iv_done
+L_AES_GCM_decrypt_avx1_iv_not_12:
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        vmovdqa	(%r15), %xmm5
+        vaesenc	16(%r15), %xmm5, %xmm5
+        vaesenc	32(%r15), %xmm5, %xmm5
+        vaesenc	48(%r15), %xmm5, %xmm5
+        vaesenc	64(%r15), %xmm5, %xmm5
+        vaesenc	80(%r15), %xmm5, %xmm5
+        vaesenc	96(%r15), %xmm5, %xmm5
+        vaesenc	112(%r15), %xmm5, %xmm5
+        vaesenc	128(%r15), %xmm5, %xmm5
+        vaesenc	144(%r15), %xmm5, %xmm5
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm9, %xmm5, %xmm5
+        vaesenc	176(%r15), %xmm5, %xmm5
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm9, %xmm5, %xmm5
+        vaesenc	208(%r15), %xmm5, %xmm5
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_avx1_calc_iv_1_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm5, %xmm5
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_decrypt_avx1_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_avx1_calc_iv_16_loop:
+        vmovdqu	(%rax,%rcx,1), %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_avx1_calc_iv_done
+L_AES_GCM_decrypt_avx1_calc_iv_lt16:
+        subq	$16, %rsp
+        vpxor	%xmm8, %xmm8, %xmm8
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm8, (%rsp)
+L_AES_GCM_decrypt_avx1_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_loop
+        vmovdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+L_AES_GCM_decrypt_avx1_calc_iv_done:
+        # T = Encrypt counter
+        vpxor	%xmm0, %xmm0, %xmm0
+        shll	$3, %edx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm4
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm4, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        #   Encrypt counter
+        vmovdqa	(%r15), %xmm8
+        vpxor	%xmm4, %xmm8, %xmm8
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vaesenc	144(%r15), %xmm8, %xmm8
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	176(%r15), %xmm8, %xmm8
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	208(%r15), %xmm8, %xmm8
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_avx1_calc_iv_2_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm8, %xmm8
+        vmovdqa	%xmm8, 144(%rsp)
+L_AES_GCM_decrypt_avx1_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_decrypt_avx1_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_avx1_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_avx1_calc_aad_16_loop:
+        vmovdqu	(%r12,%rcx,1), %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm6, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm6, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx1_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_avx1_calc_aad_done
+L_AES_GCM_decrypt_avx1_calc_aad_lt16:
+        subq	$16, %rsp
+        vpxor	%xmm8, %xmm8, %xmm8
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm8, (%rsp)
+L_AES_GCM_decrypt_avx1_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx1_calc_aad_loop
+        vmovdqa	(%rsp), %xmm8
+        addq	$16, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm8, %xmm8
+        vpxor	%xmm8, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpshufd	$0x4e, %xmm6, %xmm1
+        vpshufd	$0x4e, %xmm5, %xmm2
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	%xmm0, %xmm7
+        vmovdqa	%xmm3, %xmm6
+        vpslldq	$8, %xmm1, %xmm2
+        vpsrldq	$8, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm7, %xmm7
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        vpslld	$31, %xmm7, %xmm0
+        vpslld	$30, %xmm7, %xmm1
+        vpslld	$25, %xmm7, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm0, %xmm1
+        vpsrldq	$4, %xmm1, %xmm1
+        vpslldq	$12, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm7, %xmm7
+        vpsrld	$0x01, %xmm7, %xmm2
+        vpsrld	$2, %xmm7, %xmm3
+        vpsrld	$7, %xmm7, %xmm0
+        vpxor	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm6, %xmm6
+L_AES_GCM_decrypt_avx1_calc_aad_done:
+        # Calculate counter and H
+        vpsrlq	$63, %xmm5, %xmm9
+        vpsllq	$0x01, %xmm5, %xmm8
+        vpslldq	$8, %xmm9, %xmm9
+        vpor	%xmm9, %xmm8, %xmm8
+        vpshufd	$0xff, %xmm5, %xmm5
+        vpsrad	$31, %xmm5, %xmm5
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpand	L_avx1_aes_gcm_mod2_128(%rip), %xmm5, %xmm5
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm4, %xmm4
+        vpxor	%xmm8, %xmm5, %xmm5
+        vmovdqa	%xmm4, 128(%rsp)
+        xorl	%ebx, %ebx
+        cmpl	$0x80, %r9d
+        movl	%r9d, %r13d
+        jl	L_AES_GCM_decrypt_avx1_done_128
+        andl	$0xffffff80, %r13d
+        vmovdqa	%xmm6, %xmm2
+        # H ^ 1
+        vmovdqa	%xmm5, (%rsp)
+        # H ^ 2
+        vpclmulqdq	$0x00, %xmm5, %xmm5, %xmm8
+        vpclmulqdq	$0x11, %xmm5, %xmm5, %xmm0
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm0, %xmm0
+        vmovdqa	%xmm0, 16(%rsp)
+        # H ^ 3
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm0, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm0, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm1
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm1, %xmm1
+        vmovdqa	%xmm1, 32(%rsp)
+        # H ^ 4
+        vpclmulqdq	$0x00, %xmm0, %xmm0, %xmm8
+        vpclmulqdq	$0x11, %xmm0, %xmm0, %xmm3
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm3, %xmm3
+        vmovdqa	%xmm3, 48(%rsp)
+        # H ^ 5
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm0, %xmm9
+        vpshufd	$0x4e, %xmm1, %xmm10
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm11
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm8
+        vpxor	%xmm0, %xmm9, %xmm9
+        vpxor	%xmm1, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 64(%rsp)
+        # H ^ 6
+        vpclmulqdq	$0x00, %xmm1, %xmm1, %xmm8
+        vpclmulqdq	$0x11, %xmm1, %xmm1, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 80(%rsp)
+        # H ^ 7
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm1, %xmm9
+        vpshufd	$0x4e, %xmm3, %xmm10
+        vpclmulqdq	$0x11, %xmm1, %xmm3, %xmm11
+        vpclmulqdq	$0x00, %xmm1, %xmm3, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vpxor	%xmm3, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 96(%rsp)
+        # H ^ 8
+        vpclmulqdq	$0x00, %xmm3, %xmm3, %xmm8
+        vpclmulqdq	$0x11, %xmm3, %xmm3, %xmm7
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm7, %xmm7
+        vmovdqa	%xmm7, 112(%rsp)
+L_AES_GCM_decrypt_avx1_ghash_128:
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%rsi,%rbx,1), %rdx
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx1_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx1_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx1_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx1_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx1_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx1_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm15, %xmm15
+        vpaddd	L_avx1_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vmovdqa	(%r15), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        vmovdqa	112(%rsp), %xmm7
+        vmovdqu	(%rcx), %xmm0
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm3
+        vaesenc	16(%r15), %xmm9, %xmm9
+        vaesenc	16(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm2
+        vaesenc	16(%r15), %xmm11, %xmm11
+        vaesenc	16(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm1, %xmm1
+        vaesenc	16(%r15), %xmm13, %xmm13
+        vaesenc	16(%r15), %xmm14, %xmm14
+        vaesenc	16(%r15), %xmm15, %xmm15
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpxor	%xmm3, %xmm1, %xmm1
+        vmovdqa	96(%rsp), %xmm7
+        vmovdqu	16(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	32(%r15), %xmm9, %xmm9
+        vaesenc	32(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	32(%r15), %xmm11, %xmm11
+        vaesenc	32(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	32(%r15), %xmm13, %xmm13
+        vaesenc	32(%r15), %xmm14, %xmm14
+        vaesenc	32(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	80(%rsp), %xmm7
+        vmovdqu	32(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	48(%r15), %xmm9, %xmm9
+        vaesenc	48(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	48(%r15), %xmm11, %xmm11
+        vaesenc	48(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	48(%r15), %xmm13, %xmm13
+        vaesenc	48(%r15), %xmm14, %xmm14
+        vaesenc	48(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	64(%rsp), %xmm7
+        vmovdqu	48(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	64(%r15), %xmm9, %xmm9
+        vaesenc	64(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	64(%r15), %xmm11, %xmm11
+        vaesenc	64(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	64(%r15), %xmm13, %xmm13
+        vaesenc	64(%r15), %xmm14, %xmm14
+        vaesenc	64(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	48(%rsp), %xmm7
+        vmovdqu	64(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	80(%r15), %xmm9, %xmm9
+        vaesenc	80(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	80(%r15), %xmm11, %xmm11
+        vaesenc	80(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	80(%r15), %xmm13, %xmm13
+        vaesenc	80(%r15), %xmm14, %xmm14
+        vaesenc	80(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	32(%rsp), %xmm7
+        vmovdqu	80(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	96(%r15), %xmm9, %xmm9
+        vaesenc	96(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	96(%r15), %xmm11, %xmm11
+        vaesenc	96(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	96(%r15), %xmm13, %xmm13
+        vaesenc	96(%r15), %xmm14, %xmm14
+        vaesenc	96(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	16(%rsp), %xmm7
+        vmovdqu	96(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	112(%r15), %xmm9, %xmm9
+        vaesenc	112(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	112(%r15), %xmm11, %xmm11
+        vaesenc	112(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	112(%r15), %xmm13, %xmm13
+        vaesenc	112(%r15), %xmm14, %xmm14
+        vaesenc	112(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vmovdqa	(%rsp), %xmm7
+        vmovdqu	112(%rcx), %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpshufd	$0x4e, %xmm0, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vpclmulqdq	$0x11, %xmm7, %xmm0, %xmm6
+        vaesenc	128(%r15), %xmm9, %xmm9
+        vaesenc	128(%r15), %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm7, %xmm0, %xmm7
+        vaesenc	128(%r15), %xmm11, %xmm11
+        vaesenc	128(%r15), %xmm12, %xmm12
+        vpclmulqdq	$0x00, %xmm5, %xmm4, %xmm4
+        vaesenc	128(%r15), %xmm13, %xmm13
+        vaesenc	128(%r15), %xmm14, %xmm14
+        vaesenc	128(%r15), %xmm15, %xmm15
+        vpxor	%xmm7, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm6, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpslldq	$8, %xmm1, %xmm5
+        vpsrldq	$8, %xmm1, %xmm1
+        vaesenc	144(%r15), %xmm8, %xmm8
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm3, %xmm3
+        vaesenc	144(%r15), %xmm9, %xmm9
+        vpslld	$31, %xmm2, %xmm7
+        vpslld	$30, %xmm2, %xmm4
+        vpslld	$25, %xmm2, %xmm5
+        vaesenc	144(%r15), %xmm10, %xmm10
+        vpxor	%xmm4, %xmm7, %xmm7
+        vpxor	%xmm5, %xmm7, %xmm7
+        vaesenc	144(%r15), %xmm11, %xmm11
+        vpsrldq	$4, %xmm7, %xmm4
+        vpslldq	$12, %xmm7, %xmm7
+        vaesenc	144(%r15), %xmm12, %xmm12
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpsrld	$0x01, %xmm2, %xmm5
+        vaesenc	144(%r15), %xmm13, %xmm13
+        vpsrld	$2, %xmm2, %xmm1
+        vpsrld	$7, %xmm2, %xmm0
+        vaesenc	144(%r15), %xmm14, %xmm14
+        vpxor	%xmm1, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm5, %xmm5
+        vaesenc	144(%r15), %xmm15, %xmm15
+        vpxor	%xmm4, %xmm5, %xmm5
+        vpxor	%xmm5, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm2, %xmm2
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_avx1_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm7
+        jl	L_AES_GCM_decrypt_avx1_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%r15), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%r15), %xmm7
+L_AES_GCM_decrypt_avx1_aesenc_128_ghash_avx_done:
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vmovdqu	(%rcx), %xmm0
+        vmovdqu	16(%rcx), %xmm1
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vmovdqu	%xmm8, (%rdx)
+        vmovdqu	%xmm9, 16(%rdx)
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	32(%rcx), %xmm0
+        vmovdqu	48(%rcx), %xmm1
+        vpxor	%xmm0, %xmm10, %xmm10
+        vpxor	%xmm1, %xmm11, %xmm11
+        vmovdqu	%xmm10, 32(%rdx)
+        vmovdqu	%xmm11, 48(%rdx)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vmovdqu	64(%rcx), %xmm0
+        vmovdqu	80(%rcx), %xmm1
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vmovdqu	%xmm12, 64(%rdx)
+        vmovdqu	%xmm13, 80(%rdx)
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	96(%rcx), %xmm0
+        vmovdqu	112(%rcx), %xmm1
+        vpxor	%xmm0, %xmm14, %xmm14
+        vpxor	%xmm1, %xmm15, %xmm15
+        vmovdqu	%xmm14, 96(%rdx)
+        vmovdqu	%xmm15, 112(%rdx)
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_avx1_ghash_128
+        vmovdqa	%xmm2, %xmm6
+        vmovdqa	(%rsp), %xmm5
+L_AES_GCM_decrypt_avx1_done_128:
+        movl	%r9d, %edx
+        cmpl	%edx, %ebx
+        jge	L_AES_GCM_decrypt_avx1_done_dec
+        movl	%r9d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_decrypt_avx1_last_block_done
+L_AES_GCM_decrypt_avx1_last_block_start:
+        vmovdqu	(%rdi,%rbx,1), %xmm13
+        vmovdqa	%xmm5, %xmm0
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm13, %xmm1
+        vpxor	%xmm6, %xmm1, %xmm1
+        vmovdqa	128(%rsp), %xmm9
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm9, %xmm8
+        vpaddd	L_avx1_aes_gcm_one(%rip), %xmm9, %xmm9
+        vmovdqa	%xmm9, 128(%rsp)
+        vpxor	(%r15), %xmm8, %xmm8
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm10
+        vaesenc	16(%r15), %xmm8, %xmm8
+        vaesenc	32(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm11
+        vaesenc	48(%r15), %xmm8, %xmm8
+        vaesenc	64(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm12
+        vaesenc	80(%r15), %xmm8, %xmm8
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vaesenc	96(%r15), %xmm8, %xmm8
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpslldq	$8, %xmm10, %xmm2
+        vpsrldq	$8, %xmm10, %xmm10
+        vaesenc	112(%r15), %xmm8, %xmm8
+        vpxor	%xmm12, %xmm2, %xmm2
+        vpxor	%xmm10, %xmm1, %xmm3
+        vmovdqa	L_avx1_aes_gcm_mod2_128(%rip), %xmm0
+        vpclmulqdq	$16, %xmm0, %xmm2, %xmm11
+        vaesenc	128(%r15), %xmm8, %xmm8
+        vpshufd	$0x4e, %xmm2, %xmm10
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm0, %xmm10, %xmm11
+        vaesenc	144(%r15), %xmm8, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpxor	%xmm11, %xmm10, %xmm10
+        vpxor	%xmm3, %xmm10, %xmm6
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_aesenc_gfmul_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	176(%r15), %xmm8, %xmm8
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_aesenc_gfmul_last
+        vaesenc	%xmm9, %xmm8, %xmm8
+        vaesenc	208(%r15), %xmm8, %xmm8
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_avx1_aesenc_gfmul_last:
+        vaesenclast	%xmm9, %xmm8, %xmm8
+        vmovdqa	%xmm13, %xmm0
+        vpxor	%xmm0, %xmm8, %xmm8
+        vmovdqu	%xmm8, (%rsi,%rbx,1)
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_avx1_last_block_start
+L_AES_GCM_decrypt_avx1_last_block_done:
+        movl	%r9d, %ecx
+        movl	%ecx, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_done
+        vmovdqa	128(%rsp), %xmm4
+        vpshufb	L_avx1_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpxor	(%r15), %xmm4, %xmm4
+        vaesenc	16(%r15), %xmm4, %xmm4
+        vaesenc	32(%r15), %xmm4, %xmm4
+        vaesenc	48(%r15), %xmm4, %xmm4
+        vaesenc	64(%r15), %xmm4, %xmm4
+        vaesenc	80(%r15), %xmm4, %xmm4
+        vaesenc	96(%r15), %xmm4, %xmm4
+        vaesenc	112(%r15), %xmm4, %xmm4
+        vaesenc	128(%r15), %xmm4, %xmm4
+        vaesenc	144(%r15), %xmm4, %xmm4
+        cmpl	$11, %r10d
+        vmovdqa	160(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_aesenc_avx_last
+        vaesenc	%xmm9, %xmm4, %xmm4
+        vaesenc	176(%r15), %xmm4, %xmm4
+        cmpl	$13, %r10d
+        vmovdqa	192(%r15), %xmm9
+        jl	L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_aesenc_avx_last
+        vaesenc	%xmm9, %xmm4, %xmm4
+        vaesenc	208(%r15), %xmm4, %xmm4
+        vmovdqa	224(%r15), %xmm9
+L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_aesenc_avx_last:
+        vaesenclast	%xmm9, %xmm4, %xmm4
+        subq	$32, %rsp
+        xorl	%ecx, %ecx
+        vmovdqa	%xmm4, (%rsp)
+        vpxor	%xmm0, %xmm0, %xmm0
+        vmovdqa	%xmm0, 16(%rsp)
+L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        movb	%r13b, 16(%rsp,%rcx,1)
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, (%rsi,%rbx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_loop
+        vmovdqa	16(%rsp), %xmm4
+        addq	$32, %rsp
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        vpxor	%xmm4, %xmm6, %xmm6
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm6, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm6, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm6
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm6, %xmm6
+L_AES_GCM_decrypt_avx1_aesenc_last15_dec_avx_done:
+L_AES_GCM_decrypt_avx1_done_dec:
+        movl	%r9d, %edx
+        movl	%r11d, %ecx
+        shlq	$3, %rdx
+        shlq	$3, %rcx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpinsrq	$0x01, %rcx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_red_avx
+        vpshufd	$0x4e, %xmm5, %xmm9
+        vpshufd	$0x4e, %xmm6, %xmm10
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm11
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm5, %xmm9, %xmm9
+        vpxor	%xmm6, %xmm10, %xmm10
+        vpclmulqdq	$0x00, %xmm10, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm11, %xmm9, %xmm9
+        vpslldq	$8, %xmm9, %xmm10
+        vpsrldq	$8, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpxor	%xmm9, %xmm11, %xmm6
+        vpslld	$31, %xmm8, %xmm12
+        vpslld	$30, %xmm8, %xmm13
+        vpslld	$25, %xmm8, %xmm14
+        vpxor	%xmm13, %xmm12, %xmm12
+        vpxor	%xmm14, %xmm12, %xmm12
+        vpsrldq	$4, %xmm12, %xmm13
+        vpslldq	$12, %xmm12, %xmm12
+        vpxor	%xmm12, %xmm8, %xmm8
+        vpsrld	$0x01, %xmm8, %xmm14
+        vpsrld	$2, %xmm8, %xmm10
+        vpsrld	$7, %xmm8, %xmm9
+        vpxor	%xmm10, %xmm14, %xmm14
+        vpxor	%xmm9, %xmm14, %xmm14
+        vpxor	%xmm13, %xmm14, %xmm14
+        vpxor	%xmm8, %xmm14, %xmm14
+        vpxor	%xmm14, %xmm6, %xmm6
+        vpshufb	L_avx1_aes_gcm_bswap_mask(%rip), %xmm6, %xmm6
+        vpxor	144(%rsp), %xmm6, %xmm0
+        cmpl	$16, %r14d
+        je	L_AES_GCM_decrypt_avx1_cmp_tag_16
+        subq	$16, %rsp
+        xorq	%rcx, %rcx
+        xorq	%rbx, %rbx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_decrypt_avx1_cmp_tag_loop:
+        movzbl	(%rsp,%rcx,1), %r13d
+        xorb	(%r8,%rcx,1), %r13b
+        orb	%r13b, %bl
+        incl	%ecx
+        cmpl	%r14d, %ecx
+        jne	L_AES_GCM_decrypt_avx1_cmp_tag_loop
+        cmpb	$0x00, %bl
+        sete	%bl
+        addq	$16, %rsp
+        xorq	%rcx, %rcx
+        jmp	L_AES_GCM_decrypt_avx1_cmp_tag_done
+L_AES_GCM_decrypt_avx1_cmp_tag_16:
+        vmovdqu	(%r8), %xmm1
+        vpcmpeqb	%xmm1, %xmm0, %xmm0
+        vpmovmskb	%xmm0, %rdx
+        # %%edx == 0xFFFF then return 1 else => return 0
+        xorl	%ebx, %ebx
+        cmpl	$0xffff, %edx
+        sete	%bl
+L_AES_GCM_decrypt_avx1_cmp_tag_done:
+        movl	%ebx, (%rbp)
+        vzeroupper
+        addq	$0xa8, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%rbx
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_decrypt_avx1,.-AES_GCM_decrypt_avx1
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX1 */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_one:
+.quad	0x0, 0x1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_two:
+.quad	0x0, 0x2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_three:
+.quad	0x0, 0x3
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_four:
+.quad	0x0, 0x4
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_five:
+.quad	0x0, 0x5
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_six:
+.quad	0x0, 0x6
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_seven:
+.quad	0x0, 0x7
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_eight:
+.quad	0x0, 0x8
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_bswap_one:
+.quad	0x0, 0x100000000000000
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_bswap_epi64:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_bswap_mask:
+.quad	0x8090a0b0c0d0e0f, 0x1020304050607
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_aes_gcm_mod2_128:
+.quad	0x1, 0xc200000000000000
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_encrypt_avx2
+.type	AES_GCM_encrypt_avx2,@function
+.align	4
+AES_GCM_encrypt_avx2:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_encrypt_avx2
+.p2align	2
+_AES_GCM_encrypt_avx2:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%r15
+        pushq	%rbx
+        pushq	%r14
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movq	%r8, %r15
+        movq	%rsi, %r8
+        movl	%r9d, %r10d
+        movl	48(%rsp), %r11d
+        movl	56(%rsp), %ebx
+        movl	64(%rsp), %r14d
+        movq	72(%rsp), %rsi
+        movl	80(%rsp), %r9d
+        subq	$0xa0, %rsp
+        vpxor	%xmm4, %xmm4, %xmm4
+        vpxor	%xmm6, %xmm6, %xmm6
+        movl	%ebx, %edx
+        cmpl	$12, %edx
+        je	L_AES_GCM_encrypt_avx2_iv_12
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        vmovdqa	(%rsi), %xmm5
+        vaesenc	16(%rsi), %xmm5, %xmm5
+        vaesenc	32(%rsi), %xmm5, %xmm5
+        vaesenc	48(%rsi), %xmm5, %xmm5
+        vaesenc	64(%rsi), %xmm5, %xmm5
+        vaesenc	80(%rsi), %xmm5, %xmm5
+        vaesenc	96(%rsi), %xmm5, %xmm5
+        vaesenc	112(%rsi), %xmm5, %xmm5
+        vaesenc	128(%rsi), %xmm5, %xmm5
+        vaesenc	144(%rsi), %xmm5, %xmm5
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	176(%rsi), %xmm5, %xmm5
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	208(%rsi), %xmm5, %xmm5
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_encrypt_avx2_calc_iv_1_aesenc_avx_last:
+        vaesenclast	%xmm0, %xmm5, %xmm5
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_encrypt_avx2_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_avx2_calc_iv_16_loop:
+        vmovdqu	(%rax,%rcx,1), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_avx2_calc_iv_done
+L_AES_GCM_encrypt_avx2_calc_iv_lt16:
+        vpxor	%xmm0, %xmm0, %xmm0
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_encrypt_avx2_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_loop
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+L_AES_GCM_encrypt_avx2_calc_iv_done:
+        # T = Encrypt counter
+        vpxor	%xmm0, %xmm0, %xmm0
+        shll	$3, %edx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        #   Encrypt counter
+        vmovdqa	(%rsi), %xmm15
+        vpxor	%xmm4, %xmm15, %xmm15
+        vaesenc	16(%rsi), %xmm15, %xmm15
+        vaesenc	32(%rsi), %xmm15, %xmm15
+        vaesenc	48(%rsi), %xmm15, %xmm15
+        vaesenc	64(%rsi), %xmm15, %xmm15
+        vaesenc	80(%rsi), %xmm15, %xmm15
+        vaesenc	96(%rsi), %xmm15, %xmm15
+        vaesenc	112(%rsi), %xmm15, %xmm15
+        vaesenc	128(%rsi), %xmm15, %xmm15
+        vaesenc	144(%rsi), %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vaesenc	176(%rsi), %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vaesenc	208(%rsi), %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_encrypt_avx2_calc_iv_2_aesenc_avx_last:
+        vaesenclast	%xmm0, %xmm15, %xmm15
+        jmp	L_AES_GCM_encrypt_avx2_iv_done
+L_AES_GCM_encrypt_avx2_iv_12:
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        vmovdqa	L_avx2_aes_gcm_bswap_one(%rip), %xmm4
+        vmovdqa	(%rsi), %xmm5
+        vpblendd	$7, (%rax), %xmm4, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        vmovdqa	16(%rsi), %xmm7
+        vpxor	%xmm5, %xmm4, %xmm15
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	32(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	48(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	64(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	80(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	96(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	112(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	128(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	144(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_12_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	176(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_calc_iv_12_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	208(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_encrypt_avx2_calc_iv_12_last:
+        vaesenclast	%xmm0, %xmm5, %xmm5
+        vaesenclast	%xmm0, %xmm15, %xmm15
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+L_AES_GCM_encrypt_avx2_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_encrypt_avx2_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_encrypt_avx2_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_encrypt_avx2_calc_aad_16_loop:
+        vmovdqu	(%r12,%rcx,1), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm6, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm6, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm6
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm6, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx2_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_encrypt_avx2_calc_aad_done
+L_AES_GCM_encrypt_avx2_calc_aad_lt16:
+        vpxor	%xmm0, %xmm0, %xmm0
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_encrypt_avx2_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_encrypt_avx2_calc_aad_loop
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm6, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm6, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm6
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx2_calc_aad_done:
+        # Calculate counter and H
+        vpsrlq	$63, %xmm5, %xmm1
+        vpsllq	$0x01, %xmm5, %xmm0
+        vpslldq	$8, %xmm1, %xmm1
+        vpor	%xmm1, %xmm0, %xmm0
+        vpshufd	$0xff, %xmm5, %xmm5
+        vpsrad	$31, %xmm5, %xmm5
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpand	L_avx2_aes_gcm_mod2_128(%rip), %xmm5, %xmm5
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm4, %xmm4
+        vpxor	%xmm0, %xmm5, %xmm5
+        xorl	%ebx, %ebx
+        cmpl	$0x80, %r10d
+        movl	%r10d, %r13d
+        jl	L_AES_GCM_encrypt_avx2_done_128
+        andl	$0xffffff80, %r13d
+        vmovdqa	%xmm4, 128(%rsp)
+        vmovdqa	%xmm15, 144(%rsp)
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm3
+        # H ^ 1 and H ^ 2
+        vpclmulqdq	$0x00, %xmm5, %xmm5, %xmm9
+        vpclmulqdq	$0x11, %xmm5, %xmm5, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm10, %xmm0
+        vmovdqa	%xmm5, (%rsp)
+        vmovdqa	%xmm0, 16(%rsp)
+        # H ^ 3 and H ^ 4
+        vpclmulqdq	$16, %xmm5, %xmm0, %xmm11
+        vpclmulqdq	$0x01, %xmm5, %xmm0, %xmm10
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm9
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm12
+        vpclmulqdq	$0x00, %xmm0, %xmm0, %xmm13
+        vpclmulqdq	$0x11, %xmm0, %xmm0, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm2
+        vpxor	%xmm9, %xmm10, %xmm1
+        vmovdqa	%xmm1, 32(%rsp)
+        vmovdqa	%xmm2, 48(%rsp)
+        # H ^ 5 and H ^ 6
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm11
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm10
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm9
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm12
+        vpclmulqdq	$0x00, %xmm1, %xmm1, %xmm13
+        vpclmulqdq	$0x11, %xmm1, %xmm1, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm0
+        vpxor	%xmm9, %xmm10, %xmm7
+        vmovdqa	%xmm7, 64(%rsp)
+        vmovdqa	%xmm0, 80(%rsp)
+        # H ^ 7 and H ^ 8
+        vpclmulqdq	$16, %xmm1, %xmm2, %xmm11
+        vpclmulqdq	$0x01, %xmm1, %xmm2, %xmm10
+        vpclmulqdq	$0x00, %xmm1, %xmm2, %xmm9
+        vpclmulqdq	$0x11, %xmm1, %xmm2, %xmm12
+        vpclmulqdq	$0x00, %xmm2, %xmm2, %xmm13
+        vpclmulqdq	$0x11, %xmm2, %xmm2, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm0
+        vpxor	%xmm9, %xmm10, %xmm7
+        vmovdqa	%xmm7, 96(%rsp)
+        vmovdqa	%xmm0, 112(%rsp)
+        # First 128 bytes of input
+        # aesenc_128
+        # aesenc_ctr
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx2_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx2_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx2_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx2_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx2_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx2_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx2_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vpshufb	%xmm1, %xmm15, %xmm15
+        # aesenc_xor
+        vmovdqa	(%rsi), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        vmovdqa	16(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	32(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	48(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	64(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	80(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	96(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	112(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	128(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	144(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm7
+        jl	L_AES_GCM_encrypt_avx2_aesenc_128_enc_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm7
+        jl	L_AES_GCM_encrypt_avx2_aesenc_128_enc_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm7
+L_AES_GCM_encrypt_avx2_aesenc_128_enc_done:
+        # aesenc_last
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	(%rdi), %xmm0
+        vmovdqu	16(%rdi), %xmm1
+        vmovdqu	32(%rdi), %xmm2
+        vmovdqu	48(%rdi), %xmm3
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vpxor	%xmm2, %xmm10, %xmm10
+        vpxor	%xmm3, %xmm11, %xmm11
+        vmovdqu	%xmm8, (%r8)
+        vmovdqu	%xmm9, 16(%r8)
+        vmovdqu	%xmm10, 32(%r8)
+        vmovdqu	%xmm11, 48(%r8)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	64(%rdi), %xmm0
+        vmovdqu	80(%rdi), %xmm1
+        vmovdqu	96(%rdi), %xmm2
+        vmovdqu	112(%rdi), %xmm3
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vpxor	%xmm2, %xmm14, %xmm14
+        vpxor	%xmm3, %xmm15, %xmm15
+        vmovdqu	%xmm12, 64(%r8)
+        vmovdqu	%xmm13, 80(%r8)
+        vmovdqu	%xmm14, 96(%r8)
+        vmovdqu	%xmm15, 112(%r8)
+        cmpl	$0x80, %r13d
+        movl	$0x80, %ebx
+        jle	L_AES_GCM_encrypt_avx2_end_128
+        # More 128 bytes of input
+L_AES_GCM_encrypt_avx2_ghash_128:
+        # aesenc_128_ghash
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%r8,%rbx,1), %rdx
+        # aesenc_ctr
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx2_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx2_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx2_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx2_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx2_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx2_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx2_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vpshufb	%xmm1, %xmm15, %xmm15
+        # aesenc_xor
+        vmovdqa	(%rsi), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        # aesenc_pclmul_1
+        vmovdqu	-128(%rdx), %xmm1
+        vmovdqu	16(%rsi), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vmovdqa	112(%rsp), %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm5
+        vpclmulqdq	$0x01, %xmm2, %xmm1, %xmm3
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm6
+        vpclmulqdq	$0x11, %xmm2, %xmm1, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_2
+        vmovdqu	-112(%rdx), %xmm1
+        vmovdqa	96(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	32(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-96(%rdx), %xmm1
+        vmovdqa	80(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	48(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-80(%rdx), %xmm1
+        vmovdqa	64(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	64(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-64(%rdx), %xmm1
+        vmovdqa	48(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	80(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-48(%rdx), %xmm1
+        vmovdqa	32(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	96(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-32(%rdx), %xmm1
+        vmovdqa	16(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	112(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	-16(%rdx), %xmm1
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	128(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_l
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpslldq	$8, %xmm5, %xmm1
+        vpsrldq	$8, %xmm5, %xmm5
+        vmovdqa	144(%rsi), %xmm4
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm0
+        vaesenc	%xmm4, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpxor	%xmm5, %xmm7, %xmm7
+        vpclmulqdq	$16, %xmm0, %xmm6, %xmm3
+        vaesenc	%xmm4, %xmm9, %xmm9
+        vaesenc	%xmm4, %xmm10, %xmm10
+        vaesenc	%xmm4, %xmm11, %xmm11
+        vpshufd	$0x4e, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpclmulqdq	$16, %xmm0, %xmm6, %xmm3
+        vaesenc	%xmm4, %xmm12, %xmm12
+        vaesenc	%xmm4, %xmm13, %xmm13
+        vaesenc	%xmm4, %xmm14, %xmm14
+        vpshufd	$0x4e, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm7, %xmm6, %xmm6
+        vaesenc	%xmm4, %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm7
+        jl	L_AES_GCM_encrypt_avx2_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm7
+        jl	L_AES_GCM_encrypt_avx2_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm7
+L_AES_GCM_encrypt_avx2_aesenc_128_ghash_avx_done:
+        # aesenc_last
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	(%rcx), %xmm0
+        vmovdqu	16(%rcx), %xmm1
+        vmovdqu	32(%rcx), %xmm2
+        vmovdqu	48(%rcx), %xmm3
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vpxor	%xmm2, %xmm10, %xmm10
+        vpxor	%xmm3, %xmm11, %xmm11
+        vmovdqu	%xmm8, (%rdx)
+        vmovdqu	%xmm9, 16(%rdx)
+        vmovdqu	%xmm10, 32(%rdx)
+        vmovdqu	%xmm11, 48(%rdx)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	64(%rcx), %xmm0
+        vmovdqu	80(%rcx), %xmm1
+        vmovdqu	96(%rcx), %xmm2
+        vmovdqu	112(%rcx), %xmm3
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vpxor	%xmm2, %xmm14, %xmm14
+        vpxor	%xmm3, %xmm15, %xmm15
+        vmovdqu	%xmm12, 64(%rdx)
+        vmovdqu	%xmm13, 80(%rdx)
+        vmovdqu	%xmm14, 96(%rdx)
+        vmovdqu	%xmm15, 112(%rdx)
+        # aesenc_128_ghash - end
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_avx2_ghash_128
+L_AES_GCM_encrypt_avx2_end_128:
+        vmovdqa	L_avx2_aes_gcm_bswap_mask(%rip), %xmm4
+        vpshufb	%xmm4, %xmm8, %xmm8
+        vpshufb	%xmm4, %xmm9, %xmm9
+        vpshufb	%xmm4, %xmm10, %xmm10
+        vpshufb	%xmm4, %xmm11, %xmm11
+        vpshufb	%xmm4, %xmm12, %xmm12
+        vpshufb	%xmm4, %xmm13, %xmm13
+        vpshufb	%xmm4, %xmm14, %xmm14
+        vpshufb	%xmm4, %xmm15, %xmm15
+        vpxor	%xmm6, %xmm8, %xmm8
+        vmovdqu	(%rsp), %xmm7
+        vpclmulqdq	$16, %xmm15, %xmm7, %xmm5
+        vpclmulqdq	$0x01, %xmm15, %xmm7, %xmm1
+        vpclmulqdq	$0x00, %xmm15, %xmm7, %xmm4
+        vpclmulqdq	$0x11, %xmm15, %xmm7, %xmm6
+        vpxor	%xmm1, %xmm5, %xmm5
+        vmovdqu	16(%rsp), %xmm7
+        vpclmulqdq	$16, %xmm14, %xmm7, %xmm2
+        vpclmulqdq	$0x01, %xmm14, %xmm7, %xmm1
+        vpclmulqdq	$0x00, %xmm14, %xmm7, %xmm0
+        vpclmulqdq	$0x11, %xmm14, %xmm7, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vmovdqu	32(%rsp), %xmm15
+        vmovdqu	48(%rsp), %xmm7
+        vpclmulqdq	$16, %xmm13, %xmm15, %xmm2
+        vpclmulqdq	$0x01, %xmm13, %xmm15, %xmm1
+        vpclmulqdq	$0x00, %xmm13, %xmm15, %xmm0
+        vpclmulqdq	$0x11, %xmm13, %xmm15, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpclmulqdq	$16, %xmm12, %xmm7, %xmm2
+        vpclmulqdq	$0x01, %xmm12, %xmm7, %xmm1
+        vpclmulqdq	$0x00, %xmm12, %xmm7, %xmm0
+        vpclmulqdq	$0x11, %xmm12, %xmm7, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vmovdqu	64(%rsp), %xmm15
+        vmovdqu	80(%rsp), %xmm7
+        vpclmulqdq	$16, %xmm11, %xmm15, %xmm2
+        vpclmulqdq	$0x01, %xmm11, %xmm15, %xmm1
+        vpclmulqdq	$0x00, %xmm11, %xmm15, %xmm0
+        vpclmulqdq	$0x11, %xmm11, %xmm15, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpclmulqdq	$16, %xmm10, %xmm7, %xmm2
+        vpclmulqdq	$0x01, %xmm10, %xmm7, %xmm1
+        vpclmulqdq	$0x00, %xmm10, %xmm7, %xmm0
+        vpclmulqdq	$0x11, %xmm10, %xmm7, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vmovdqu	96(%rsp), %xmm15
+        vmovdqu	112(%rsp), %xmm7
+        vpclmulqdq	$16, %xmm9, %xmm15, %xmm2
+        vpclmulqdq	$0x01, %xmm9, %xmm15, %xmm1
+        vpclmulqdq	$0x00, %xmm9, %xmm15, %xmm0
+        vpclmulqdq	$0x11, %xmm9, %xmm15, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpclmulqdq	$16, %xmm8, %xmm7, %xmm2
+        vpclmulqdq	$0x01, %xmm8, %xmm7, %xmm1
+        vpclmulqdq	$0x00, %xmm8, %xmm7, %xmm0
+        vpclmulqdq	$0x11, %xmm8, %xmm7, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm0, %xmm4, %xmm4
+        vpslldq	$8, %xmm5, %xmm7
+        vpsrldq	$8, %xmm5, %xmm5
+        vpxor	%xmm7, %xmm4, %xmm4
+        vpxor	%xmm5, %xmm6, %xmm6
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm4, %xmm0
+        vpshufd	$0x4e, %xmm4, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm6, %xmm6
+        vmovdqa	(%rsp), %xmm5
+        vmovdqu	128(%rsp), %xmm4
+        vmovdqu	144(%rsp), %xmm15
+L_AES_GCM_encrypt_avx2_done_128:
+        cmpl	%r10d, %ebx
+        je	L_AES_GCM_encrypt_avx2_done_enc
+        movl	%r10d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_avx2_last_block_done
+        # aesenc_block
+        vmovdqa	%xmm4, %xmm1
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm1, %xmm0
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm1, %xmm1
+        vpxor	(%rsi), %xmm0, %xmm0
+        vmovdqa	16(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	32(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	48(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	64(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	80(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	96(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	112(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	128(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	144(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	%xmm1, %xmm4
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm1
+        jl	L_AES_GCM_encrypt_avx2_aesenc_block_last
+        vaesenc	%xmm1, %xmm0, %xmm0
+        vmovdqa	176(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm1
+        jl	L_AES_GCM_encrypt_avx2_aesenc_block_last
+        vaesenc	%xmm1, %xmm0, %xmm0
+        vmovdqa	208(%rsi), %xmm2
+        vaesenc	%xmm2, %xmm0, %xmm0
+        vmovdqa	224(%rsi), %xmm1
+L_AES_GCM_encrypt_avx2_aesenc_block_last:
+        vaesenclast	%xmm1, %xmm0, %xmm0
+        vmovdqu	(%rdi,%rbx,1), %xmm1
+        vpxor	%xmm1, %xmm0, %xmm0
+        vmovdqu	%xmm0, (%r8,%rbx,1)
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_encrypt_avx2_last_block_ghash
+L_AES_GCM_encrypt_avx2_last_block_start:
+        vmovdqu	(%rdi,%rbx,1), %xmm12
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm11
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm4, %xmm4
+        # aesenc_gfmul_sb
+        vpclmulqdq	$0x01, %xmm5, %xmm6, %xmm2
+        vpclmulqdq	$16, %xmm5, %xmm6, %xmm3
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm1
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm8
+        vpxor	(%rsi), %xmm11, %xmm11
+        vaesenc	16(%rsi), %xmm11, %xmm11
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpslldq	$8, %xmm3, %xmm2
+        vpsrldq	$8, %xmm3, %xmm3
+        vaesenc	32(%rsi), %xmm11, %xmm11
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm2, %xmm1
+        vaesenc	48(%rsi), %xmm11, %xmm11
+        vaesenc	64(%rsi), %xmm11, %xmm11
+        vaesenc	80(%rsi), %xmm11, %xmm11
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm2, %xmm1
+        vaesenc	96(%rsi), %xmm11, %xmm11
+        vaesenc	112(%rsi), %xmm11, %xmm11
+        vaesenc	128(%rsi), %xmm11, %xmm11
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vaesenc	144(%rsi), %xmm11, %xmm11
+        vpxor	%xmm3, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm2, %xmm2
+        vmovdqa	160(%rsi), %xmm0
+        cmpl	$11, %r9d
+        jl	L_AES_GCM_encrypt_avx2_aesenc_gfmul_sb_last
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	176(%rsi), %xmm11, %xmm11
+        vmovdqa	192(%rsi), %xmm0
+        cmpl	$13, %r9d
+        jl	L_AES_GCM_encrypt_avx2_aesenc_gfmul_sb_last
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	208(%rsi), %xmm11, %xmm11
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_encrypt_avx2_aesenc_gfmul_sb_last:
+        vaesenclast	%xmm0, %xmm11, %xmm11
+        vpxor	%xmm1, %xmm2, %xmm6
+        vpxor	%xmm12, %xmm11, %xmm11
+        vmovdqu	%xmm11, (%r8,%rbx,1)
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm11, %xmm11
+        vpxor	%xmm11, %xmm6, %xmm6
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_encrypt_avx2_last_block_start
+L_AES_GCM_encrypt_avx2_last_block_ghash:
+        # ghash_gfmul_red
+        vpclmulqdq	$16, %xmm5, %xmm6, %xmm10
+        vpclmulqdq	$0x01, %xmm5, %xmm6, %xmm9
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm8
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpslldq	$8, %xmm10, %xmm9
+        vpsrldq	$8, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm6
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm10, %xmm6, %xmm6
+        vpxor	%xmm9, %xmm6, %xmm6
+        vpxor	%xmm8, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx2_last_block_done:
+        movl	%r10d, %ecx
+        movl	%r10d, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_encrypt_avx2_done_enc
+        # aesenc_last15_enc
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpxor	(%rsi), %xmm4, %xmm4
+        vaesenc	16(%rsi), %xmm4, %xmm4
+        vaesenc	32(%rsi), %xmm4, %xmm4
+        vaesenc	48(%rsi), %xmm4, %xmm4
+        vaesenc	64(%rsi), %xmm4, %xmm4
+        vaesenc	80(%rsi), %xmm4, %xmm4
+        vaesenc	96(%rsi), %xmm4, %xmm4
+        vaesenc	112(%rsi), %xmm4, %xmm4
+        vaesenc	128(%rsi), %xmm4, %xmm4
+        vaesenc	144(%rsi), %xmm4, %xmm4
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_aesenc_avx_last
+        vaesenc	%xmm0, %xmm4, %xmm4
+        vaesenc	176(%rsi), %xmm4, %xmm4
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_aesenc_avx_last
+        vaesenc	%xmm0, %xmm4, %xmm4
+        vaesenc	208(%rsi), %xmm4, %xmm4
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_aesenc_avx_last:
+        vaesenclast	%xmm0, %xmm4, %xmm4
+        xorl	%ecx, %ecx
+        vpxor	%xmm0, %xmm0, %xmm0
+        vmovdqa	%xmm4, (%rsp)
+        vmovdqa	%xmm0, 16(%rsp)
+L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, 16(%rsp,%rcx,1)
+        movb	%r13b, (%r8,%rbx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_loop
+L_AES_GCM_encrypt_avx2_aesenc_last15_enc_avx_finish_enc:
+        vmovdqa	16(%rsp), %xmm4
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        vpxor	%xmm4, %xmm6, %xmm6
+        # ghash_gfmul_red
+        vpclmulqdq	$16, %xmm5, %xmm6, %xmm2
+        vpclmulqdq	$0x01, %xmm5, %xmm6, %xmm1
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm0
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm6
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm6, %xmm6
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpxor	%xmm0, %xmm6, %xmm6
+L_AES_GCM_encrypt_avx2_done_enc:
+        # calc_tag
+        shlq	$3, %r10
+        vpinsrq	$0x00, %r10, %xmm0, %xmm0
+        shlq	$3, %r11
+        vpinsrq	$0x01, %r11, %xmm1, %xmm1
+        vpblendd	$12, %xmm1, %xmm0, %xmm0
+        vpxor	%xmm6, %xmm0, %xmm0
+        # ghash_gfmul_red
+        vpclmulqdq	$16, %xmm5, %xmm0, %xmm4
+        vpclmulqdq	$0x01, %xmm5, %xmm0, %xmm3
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm2
+        vpxor	%xmm3, %xmm4, %xmm4
+        vpslldq	$8, %xmm4, %xmm3
+        vpsrldq	$8, %xmm4, %xmm4
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm0
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm3, %xmm2
+        vpshufd	$0x4e, %xmm3, %xmm3
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm3, %xmm2
+        vpshufd	$0x4e, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm0, %xmm0
+        vpxor	%xmm3, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm15, %xmm0, %xmm0
+        # store_tag
+        cmpl	$16, %r14d
+        je	L_AES_GCM_encrypt_avx2_store_tag_16
+        xorq	%rcx, %rcx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_encrypt_avx2_store_tag_loop:
+        movzbl	(%rsp,%rcx,1), %r13d
+        movb	%r13b, (%r15,%rcx,1)
+        incl	%ecx
+        cmpl	%r14d, %ecx
+        jne	L_AES_GCM_encrypt_avx2_store_tag_loop
+        jmp	L_AES_GCM_encrypt_avx2_store_tag_done
+L_AES_GCM_encrypt_avx2_store_tag_16:
+        vmovdqu	%xmm0, (%r15)
+L_AES_GCM_encrypt_avx2_store_tag_done:
+        vzeroupper
+        addq	$0xa0, %rsp
+        popq	%r14
+        popq	%rbx
+        popq	%r15
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_encrypt_avx2,.-AES_GCM_encrypt_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	AES_GCM_decrypt_avx2
+.type	AES_GCM_decrypt_avx2,@function
+.align	4
+AES_GCM_decrypt_avx2:
+#else
+.section	__TEXT,__text
+.globl	_AES_GCM_decrypt_avx2
+.p2align	2
+_AES_GCM_decrypt_avx2:
+#endif /* __APPLE__ */
+        pushq	%r13
+        pushq	%r12
+        pushq	%r14
+        pushq	%rbx
+        pushq	%r15
+        pushq	%rbp
+        movq	%rdx, %r12
+        movq	%rcx, %rax
+        movq	%r8, %r14
+        movq	%rsi, %r8
+        movl	%r9d, %r10d
+        movl	56(%rsp), %r11d
+        movl	64(%rsp), %ebx
+        movl	72(%rsp), %r15d
+        movq	80(%rsp), %rsi
+        movl	88(%rsp), %r9d
+        movq	96(%rsp), %rbp
+        subq	$0xa8, %rsp
+        vpxor	%xmm4, %xmm4, %xmm4
+        vpxor	%xmm6, %xmm6, %xmm6
+        movl	%ebx, %edx
+        cmpl	$12, %edx
+        je	L_AES_GCM_decrypt_avx2_iv_12
+        # Calculate values when IV is not 12 bytes
+        # H = Encrypt X(=0)
+        vmovdqa	(%rsi), %xmm5
+        vaesenc	16(%rsi), %xmm5, %xmm5
+        vaesenc	32(%rsi), %xmm5, %xmm5
+        vaesenc	48(%rsi), %xmm5, %xmm5
+        vaesenc	64(%rsi), %xmm5, %xmm5
+        vaesenc	80(%rsi), %xmm5, %xmm5
+        vaesenc	96(%rsi), %xmm5, %xmm5
+        vaesenc	112(%rsi), %xmm5, %xmm5
+        vaesenc	128(%rsi), %xmm5, %xmm5
+        vaesenc	144(%rsi), %xmm5, %xmm5
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	176(%rsi), %xmm5, %xmm5
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_1_aesenc_avx_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	208(%rsi), %xmm5, %xmm5
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_decrypt_avx2_calc_iv_1_aesenc_avx_last:
+        vaesenclast	%xmm0, %xmm5, %xmm5
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+        # Calc counter
+        # Initialization vector
+        cmpl	$0x00, %edx
+        movq	$0x00, %rcx
+        je	L_AES_GCM_decrypt_avx2_calc_iv_done
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_avx2_calc_iv_16_loop:
+        vmovdqu	(%rax,%rcx,1), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_16_loop
+        movl	%ebx, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_avx2_calc_iv_done
+L_AES_GCM_decrypt_avx2_calc_iv_lt16:
+        vpxor	%xmm0, %xmm0, %xmm0
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_decrypt_avx2_calc_iv_loop:
+        movzbl	(%rax,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_loop
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+L_AES_GCM_decrypt_avx2_calc_iv_done:
+        # T = Encrypt counter
+        vpxor	%xmm0, %xmm0, %xmm0
+        shll	$3, %edx
+        vpinsrq	$0x00, %rdx, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm4, %xmm4
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm4, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm4, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm4, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm4, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm4
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm4, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm4, %xmm4
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm4, %xmm4
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm4, %xmm4
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm4, %xmm4
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        #   Encrypt counter
+        vmovdqa	(%rsi), %xmm15
+        vpxor	%xmm4, %xmm15, %xmm15
+        vaesenc	16(%rsi), %xmm15, %xmm15
+        vaesenc	32(%rsi), %xmm15, %xmm15
+        vaesenc	48(%rsi), %xmm15, %xmm15
+        vaesenc	64(%rsi), %xmm15, %xmm15
+        vaesenc	80(%rsi), %xmm15, %xmm15
+        vaesenc	96(%rsi), %xmm15, %xmm15
+        vaesenc	112(%rsi), %xmm15, %xmm15
+        vaesenc	128(%rsi), %xmm15, %xmm15
+        vaesenc	144(%rsi), %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vaesenc	176(%rsi), %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_2_aesenc_avx_last
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vaesenc	208(%rsi), %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_decrypt_avx2_calc_iv_2_aesenc_avx_last:
+        vaesenclast	%xmm0, %xmm15, %xmm15
+        jmp	L_AES_GCM_decrypt_avx2_iv_done
+L_AES_GCM_decrypt_avx2_iv_12:
+        # # Calculate values when IV is 12 bytes
+        # Set counter based on IV
+        vmovdqa	L_avx2_aes_gcm_bswap_one(%rip), %xmm4
+        vmovdqa	(%rsi), %xmm5
+        vpblendd	$7, (%rax), %xmm4, %xmm4
+        # H = Encrypt X(=0) and T = Encrypt counter
+        vmovdqa	16(%rsi), %xmm7
+        vpxor	%xmm5, %xmm4, %xmm15
+        vaesenc	%xmm7, %xmm5, %xmm5
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	32(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	48(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	64(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	80(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	96(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	112(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	128(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	144(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_12_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	176(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm0
+        jl	L_AES_GCM_decrypt_avx2_calc_iv_12_last
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	208(%rsi), %xmm0
+        vaesenc	%xmm0, %xmm5, %xmm5
+        vaesenc	%xmm0, %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_decrypt_avx2_calc_iv_12_last:
+        vaesenclast	%xmm0, %xmm5, %xmm5
+        vaesenclast	%xmm0, %xmm15, %xmm15
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm5, %xmm5
+L_AES_GCM_decrypt_avx2_iv_done:
+        # Additional authentication data
+        movl	%r11d, %edx
+        cmpl	$0x00, %edx
+        je	L_AES_GCM_decrypt_avx2_calc_aad_done
+        xorl	%ecx, %ecx
+        cmpl	$16, %edx
+        jl	L_AES_GCM_decrypt_avx2_calc_aad_lt16
+        andl	$0xfffffff0, %edx
+L_AES_GCM_decrypt_avx2_calc_aad_16_loop:
+        vmovdqu	(%r12,%rcx,1), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm6, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm6, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm6
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm6, %xmm6
+        addl	$16, %ecx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx2_calc_aad_16_loop
+        movl	%r11d, %edx
+        cmpl	%edx, %ecx
+        je	L_AES_GCM_decrypt_avx2_calc_aad_done
+L_AES_GCM_decrypt_avx2_calc_aad_lt16:
+        vpxor	%xmm0, %xmm0, %xmm0
+        xorl	%ebx, %ebx
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_decrypt_avx2_calc_aad_loop:
+        movzbl	(%r12,%rcx,1), %r13d
+        movb	%r13b, (%rsp,%rbx,1)
+        incl	%ecx
+        incl	%ebx
+        cmpl	%edx, %ecx
+        jl	L_AES_GCM_decrypt_avx2_calc_aad_loop
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm0, %xmm6, %xmm6
+        # ghash_gfmul_avx
+        vpclmulqdq	$16, %xmm6, %xmm5, %xmm2
+        vpclmulqdq	$0x01, %xmm6, %xmm5, %xmm1
+        vpclmulqdq	$0x00, %xmm6, %xmm5, %xmm0
+        vpclmulqdq	$0x11, %xmm6, %xmm5, %xmm3
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm0, %xmm7
+        vpxor	%xmm2, %xmm3, %xmm6
+        # ghash_mid
+        vpsrld	$31, %xmm7, %xmm0
+        vpsrld	$31, %xmm6, %xmm1
+        vpslld	$0x01, %xmm7, %xmm7
+        vpslld	$0x01, %xmm6, %xmm6
+        vpsrldq	$12, %xmm0, %xmm2
+        vpslldq	$4, %xmm0, %xmm0
+        vpslldq	$4, %xmm1, %xmm1
+        vpor	%xmm2, %xmm6, %xmm6
+        vpor	%xmm0, %xmm7, %xmm7
+        vpor	%xmm1, %xmm6, %xmm6
+        # ghash_red
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm2
+        vpclmulqdq	$16, %xmm2, %xmm7, %xmm0
+        vpshufd	$0x4e, %xmm7, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm6, %xmm6
+L_AES_GCM_decrypt_avx2_calc_aad_done:
+        # Calculate counter and H
+        vpsrlq	$63, %xmm5, %xmm1
+        vpsllq	$0x01, %xmm5, %xmm0
+        vpslldq	$8, %xmm1, %xmm1
+        vpor	%xmm1, %xmm0, %xmm0
+        vpshufd	$0xff, %xmm5, %xmm5
+        vpsrad	$31, %xmm5, %xmm5
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpand	L_avx2_aes_gcm_mod2_128(%rip), %xmm5, %xmm5
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm4, %xmm4
+        vpxor	%xmm0, %xmm5, %xmm5
+        xorl	%ebx, %ebx
+        cmpl	$0x80, %r10d
+        movl	%r10d, %r13d
+        jl	L_AES_GCM_decrypt_avx2_done_128
+        andl	$0xffffff80, %r13d
+        vmovdqa	%xmm4, 128(%rsp)
+        vmovdqa	%xmm15, 144(%rsp)
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm3
+        # H ^ 1 and H ^ 2
+        vpclmulqdq	$0x00, %xmm5, %xmm5, %xmm9
+        vpclmulqdq	$0x11, %xmm5, %xmm5, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm9, %xmm8
+        vpshufd	$0x4e, %xmm9, %xmm9
+        vpxor	%xmm8, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm10, %xmm0
+        vmovdqa	%xmm5, (%rsp)
+        vmovdqa	%xmm0, 16(%rsp)
+        # H ^ 3 and H ^ 4
+        vpclmulqdq	$16, %xmm5, %xmm0, %xmm11
+        vpclmulqdq	$0x01, %xmm5, %xmm0, %xmm10
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm9
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm12
+        vpclmulqdq	$0x00, %xmm0, %xmm0, %xmm13
+        vpclmulqdq	$0x11, %xmm0, %xmm0, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm2
+        vpxor	%xmm9, %xmm10, %xmm1
+        vmovdqa	%xmm1, 32(%rsp)
+        vmovdqa	%xmm2, 48(%rsp)
+        # H ^ 5 and H ^ 6
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm11
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm10
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm9
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm12
+        vpclmulqdq	$0x00, %xmm1, %xmm1, %xmm13
+        vpclmulqdq	$0x11, %xmm1, %xmm1, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm0
+        vpxor	%xmm9, %xmm10, %xmm7
+        vmovdqa	%xmm7, 64(%rsp)
+        vmovdqa	%xmm0, 80(%rsp)
+        # H ^ 7 and H ^ 8
+        vpclmulqdq	$16, %xmm1, %xmm2, %xmm11
+        vpclmulqdq	$0x01, %xmm1, %xmm2, %xmm10
+        vpclmulqdq	$0x00, %xmm1, %xmm2, %xmm9
+        vpclmulqdq	$0x11, %xmm1, %xmm2, %xmm12
+        vpclmulqdq	$0x00, %xmm2, %xmm2, %xmm13
+        vpclmulqdq	$0x11, %xmm2, %xmm2, %xmm14
+        vpxor	%xmm10, %xmm11, %xmm11
+        vpslldq	$8, %xmm11, %xmm10
+        vpsrldq	$8, %xmm11, %xmm11
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm9, %xmm10, %xmm10
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpclmulqdq	$16, %xmm3, %xmm10, %xmm9
+        vpclmulqdq	$16, %xmm3, %xmm13, %xmm8
+        vpshufd	$0x4e, %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm13, %xmm13
+        vpxor	%xmm11, %xmm12, %xmm12
+        vpxor	%xmm8, %xmm13, %xmm13
+        vpxor	%xmm12, %xmm10, %xmm10
+        vpxor	%xmm14, %xmm13, %xmm0
+        vpxor	%xmm9, %xmm10, %xmm7
+        vmovdqa	%xmm7, 96(%rsp)
+        vmovdqa	%xmm0, 112(%rsp)
+L_AES_GCM_decrypt_avx2_ghash_128:
+        # aesenc_128_ghash
+        leaq	(%rdi,%rbx,1), %rcx
+        leaq	(%r8,%rbx,1), %rdx
+        # aesenc_ctr
+        vmovdqa	128(%rsp), %xmm0
+        vmovdqa	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm1
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm0, %xmm9
+        vpshufb	%xmm1, %xmm0, %xmm8
+        vpaddd	L_avx2_aes_gcm_two(%rip), %xmm0, %xmm10
+        vpshufb	%xmm1, %xmm9, %xmm9
+        vpaddd	L_avx2_aes_gcm_three(%rip), %xmm0, %xmm11
+        vpshufb	%xmm1, %xmm10, %xmm10
+        vpaddd	L_avx2_aes_gcm_four(%rip), %xmm0, %xmm12
+        vpshufb	%xmm1, %xmm11, %xmm11
+        vpaddd	L_avx2_aes_gcm_five(%rip), %xmm0, %xmm13
+        vpshufb	%xmm1, %xmm12, %xmm12
+        vpaddd	L_avx2_aes_gcm_six(%rip), %xmm0, %xmm14
+        vpshufb	%xmm1, %xmm13, %xmm13
+        vpaddd	L_avx2_aes_gcm_seven(%rip), %xmm0, %xmm15
+        vpshufb	%xmm1, %xmm14, %xmm14
+        vpaddd	L_avx2_aes_gcm_eight(%rip), %xmm0, %xmm0
+        vpshufb	%xmm1, %xmm15, %xmm15
+        # aesenc_xor
+        vmovdqa	(%rsi), %xmm7
+        vmovdqa	%xmm0, 128(%rsp)
+        vpxor	%xmm7, %xmm8, %xmm8
+        vpxor	%xmm7, %xmm9, %xmm9
+        vpxor	%xmm7, %xmm10, %xmm10
+        vpxor	%xmm7, %xmm11, %xmm11
+        vpxor	%xmm7, %xmm12, %xmm12
+        vpxor	%xmm7, %xmm13, %xmm13
+        vpxor	%xmm7, %xmm14, %xmm14
+        vpxor	%xmm7, %xmm15, %xmm15
+        # aesenc_pclmul_1
+        vmovdqu	(%rcx), %xmm1
+        vmovdqu	16(%rsi), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vmovdqa	112(%rsp), %xmm2
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpclmulqdq	$16, %xmm2, %xmm1, %xmm5
+        vpclmulqdq	$0x01, %xmm2, %xmm1, %xmm3
+        vpclmulqdq	$0x00, %xmm2, %xmm1, %xmm6
+        vpclmulqdq	$0x11, %xmm2, %xmm1, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_2
+        vmovdqu	16(%rcx), %xmm1
+        vmovdqa	96(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	32(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	32(%rcx), %xmm1
+        vmovdqa	80(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	48(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	48(%rcx), %xmm1
+        vmovdqa	64(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	64(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	64(%rcx), %xmm1
+        vmovdqa	48(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	80(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	80(%rcx), %xmm1
+        vmovdqa	32(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	96(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	96(%rcx), %xmm1
+        vmovdqa	16(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	112(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_n
+        vmovdqu	112(%rcx), %xmm1
+        vmovdqa	(%rsp), %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm1, %xmm1
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpclmulqdq	$16, %xmm0, %xmm1, %xmm2
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpclmulqdq	$0x01, %xmm0, %xmm1, %xmm3
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpclmulqdq	$0x00, %xmm0, %xmm1, %xmm4
+        vpclmulqdq	$0x11, %xmm0, %xmm1, %xmm1
+        vmovdqu	128(%rsi), %xmm0
+        vpxor	%xmm1, %xmm7, %xmm7
+        vaesenc	%xmm0, %xmm8, %xmm8
+        vaesenc	%xmm0, %xmm9, %xmm9
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	%xmm0, %xmm11, %xmm11
+        vaesenc	%xmm0, %xmm12, %xmm12
+        vaesenc	%xmm0, %xmm13, %xmm13
+        vaesenc	%xmm0, %xmm14, %xmm14
+        vaesenc	%xmm0, %xmm15, %xmm15
+        # aesenc_pclmul_l
+        vpxor	%xmm2, %xmm5, %xmm5
+        vpxor	%xmm4, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm5, %xmm5
+        vpslldq	$8, %xmm5, %xmm1
+        vpsrldq	$8, %xmm5, %xmm5
+        vmovdqa	144(%rsi), %xmm4
+        vmovdqa	L_avx2_aes_gcm_mod2_128(%rip), %xmm0
+        vaesenc	%xmm4, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpxor	%xmm5, %xmm7, %xmm7
+        vpclmulqdq	$16, %xmm0, %xmm6, %xmm3
+        vaesenc	%xmm4, %xmm9, %xmm9
+        vaesenc	%xmm4, %xmm10, %xmm10
+        vaesenc	%xmm4, %xmm11, %xmm11
+        vpshufd	$0x4e, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpclmulqdq	$16, %xmm0, %xmm6, %xmm3
+        vaesenc	%xmm4, %xmm12, %xmm12
+        vaesenc	%xmm4, %xmm13, %xmm13
+        vaesenc	%xmm4, %xmm14, %xmm14
+        vpshufd	$0x4e, %xmm6, %xmm6
+        vpxor	%xmm3, %xmm6, %xmm6
+        vpxor	%xmm7, %xmm6, %xmm6
+        vaesenc	%xmm4, %xmm15, %xmm15
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm7
+        jl	L_AES_GCM_decrypt_avx2_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	176(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm7
+        jl	L_AES_GCM_decrypt_avx2_aesenc_128_ghash_avx_done
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	208(%rsi), %xmm7
+        vaesenc	%xmm7, %xmm8, %xmm8
+        vaesenc	%xmm7, %xmm9, %xmm9
+        vaesenc	%xmm7, %xmm10, %xmm10
+        vaesenc	%xmm7, %xmm11, %xmm11
+        vaesenc	%xmm7, %xmm12, %xmm12
+        vaesenc	%xmm7, %xmm13, %xmm13
+        vaesenc	%xmm7, %xmm14, %xmm14
+        vaesenc	%xmm7, %xmm15, %xmm15
+        vmovdqa	224(%rsi), %xmm7
+L_AES_GCM_decrypt_avx2_aesenc_128_ghash_avx_done:
+        # aesenc_last
+        vaesenclast	%xmm7, %xmm8, %xmm8
+        vaesenclast	%xmm7, %xmm9, %xmm9
+        vaesenclast	%xmm7, %xmm10, %xmm10
+        vaesenclast	%xmm7, %xmm11, %xmm11
+        vmovdqu	(%rcx), %xmm0
+        vmovdqu	16(%rcx), %xmm1
+        vmovdqu	32(%rcx), %xmm2
+        vmovdqu	48(%rcx), %xmm3
+        vpxor	%xmm0, %xmm8, %xmm8
+        vpxor	%xmm1, %xmm9, %xmm9
+        vpxor	%xmm2, %xmm10, %xmm10
+        vpxor	%xmm3, %xmm11, %xmm11
+        vmovdqu	%xmm8, (%rdx)
+        vmovdqu	%xmm9, 16(%rdx)
+        vmovdqu	%xmm10, 32(%rdx)
+        vmovdqu	%xmm11, 48(%rdx)
+        vaesenclast	%xmm7, %xmm12, %xmm12
+        vaesenclast	%xmm7, %xmm13, %xmm13
+        vaesenclast	%xmm7, %xmm14, %xmm14
+        vaesenclast	%xmm7, %xmm15, %xmm15
+        vmovdqu	64(%rcx), %xmm0
+        vmovdqu	80(%rcx), %xmm1
+        vmovdqu	96(%rcx), %xmm2
+        vmovdqu	112(%rcx), %xmm3
+        vpxor	%xmm0, %xmm12, %xmm12
+        vpxor	%xmm1, %xmm13, %xmm13
+        vpxor	%xmm2, %xmm14, %xmm14
+        vpxor	%xmm3, %xmm15, %xmm15
+        vmovdqu	%xmm12, 64(%rdx)
+        vmovdqu	%xmm13, 80(%rdx)
+        vmovdqu	%xmm14, 96(%rdx)
+        vmovdqu	%xmm15, 112(%rdx)
+        # aesenc_128_ghash - end
+        addl	$0x80, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_avx2_ghash_128
+        vmovdqa	(%rsp), %xmm5
+        vmovdqa	128(%rsp), %xmm4
+        vmovdqa	144(%rsp), %xmm15
+L_AES_GCM_decrypt_avx2_done_128:
+        cmpl	%r10d, %ebx
+        jge	L_AES_GCM_decrypt_avx2_done_dec
+        movl	%r10d, %r13d
+        andl	$0xfffffff0, %r13d
+        cmpl	%r13d, %ebx
+        jge	L_AES_GCM_decrypt_avx2_last_block_done
+L_AES_GCM_decrypt_avx2_last_block_start:
+        vmovdqu	(%rdi,%rbx,1), %xmm11
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm10
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm11, %xmm12
+        vpaddd	L_avx2_aes_gcm_one(%rip), %xmm4, %xmm4
+        vpxor	%xmm6, %xmm12, %xmm12
+        # aesenc_gfmul_sb
+        vpclmulqdq	$0x01, %xmm5, %xmm12, %xmm2
+        vpclmulqdq	$16, %xmm5, %xmm12, %xmm3
+        vpclmulqdq	$0x00, %xmm5, %xmm12, %xmm1
+        vpclmulqdq	$0x11, %xmm5, %xmm12, %xmm8
+        vpxor	(%rsi), %xmm10, %xmm10
+        vaesenc	16(%rsi), %xmm10, %xmm10
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpslldq	$8, %xmm3, %xmm2
+        vpsrldq	$8, %xmm3, %xmm3
+        vaesenc	32(%rsi), %xmm10, %xmm10
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm2, %xmm1
+        vaesenc	48(%rsi), %xmm10, %xmm10
+        vaesenc	64(%rsi), %xmm10, %xmm10
+        vaesenc	80(%rsi), %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm2, %xmm1
+        vaesenc	96(%rsi), %xmm10, %xmm10
+        vaesenc	112(%rsi), %xmm10, %xmm10
+        vaesenc	128(%rsi), %xmm10, %xmm10
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vaesenc	144(%rsi), %xmm10, %xmm10
+        vpxor	%xmm3, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm2, %xmm2
+        vmovdqa	160(%rsi), %xmm0
+        cmpl	$11, %r9d
+        jl	L_AES_GCM_decrypt_avx2_aesenc_gfmul_sb_last
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	176(%rsi), %xmm10, %xmm10
+        vmovdqa	192(%rsi), %xmm0
+        cmpl	$13, %r9d
+        jl	L_AES_GCM_decrypt_avx2_aesenc_gfmul_sb_last
+        vaesenc	%xmm0, %xmm10, %xmm10
+        vaesenc	208(%rsi), %xmm10, %xmm10
+        vmovdqa	224(%rsi), %xmm0
+L_AES_GCM_decrypt_avx2_aesenc_gfmul_sb_last:
+        vaesenclast	%xmm0, %xmm10, %xmm10
+        vpxor	%xmm1, %xmm2, %xmm6
+        vpxor	%xmm11, %xmm10, %xmm10
+        vmovdqu	%xmm10, (%r8,%rbx,1)
+        addl	$16, %ebx
+        cmpl	%r13d, %ebx
+        jl	L_AES_GCM_decrypt_avx2_last_block_start
+L_AES_GCM_decrypt_avx2_last_block_done:
+        movl	%r10d, %ecx
+        movl	%r10d, %edx
+        andl	$15, %ecx
+        jz	L_AES_GCM_decrypt_avx2_done_dec
+        # aesenc_last15_dec
+        vpshufb	L_avx2_aes_gcm_bswap_epi64(%rip), %xmm4, %xmm4
+        vpxor	(%rsi), %xmm4, %xmm4
+        vaesenc	16(%rsi), %xmm4, %xmm4
+        vaesenc	32(%rsi), %xmm4, %xmm4
+        vaesenc	48(%rsi), %xmm4, %xmm4
+        vaesenc	64(%rsi), %xmm4, %xmm4
+        vaesenc	80(%rsi), %xmm4, %xmm4
+        vaesenc	96(%rsi), %xmm4, %xmm4
+        vaesenc	112(%rsi), %xmm4, %xmm4
+        vaesenc	128(%rsi), %xmm4, %xmm4
+        vaesenc	144(%rsi), %xmm4, %xmm4
+        cmpl	$11, %r9d
+        vmovdqa	160(%rsi), %xmm1
+        jl	L_AES_GCM_decrypt_avx2_aesenc_last15_dec_avx_aesenc_avx_last
+        vaesenc	%xmm1, %xmm4, %xmm4
+        vaesenc	176(%rsi), %xmm4, %xmm4
+        cmpl	$13, %r9d
+        vmovdqa	192(%rsi), %xmm1
+        jl	L_AES_GCM_decrypt_avx2_aesenc_last15_dec_avx_aesenc_avx_last
+        vaesenc	%xmm1, %xmm4, %xmm4
+        vaesenc	208(%rsi), %xmm4, %xmm4
+        vmovdqa	224(%rsi), %xmm1
+L_AES_GCM_decrypt_avx2_aesenc_last15_dec_avx_aesenc_avx_last:
+        vaesenclast	%xmm1, %xmm4, %xmm4
+        xorl	%ecx, %ecx
+        vpxor	%xmm0, %xmm0, %xmm0
+        vmovdqa	%xmm4, (%rsp)
+        vmovdqa	%xmm0, 16(%rsp)
+L_AES_GCM_decrypt_avx2_aesenc_last15_dec_avx_loop:
+        movzbl	(%rdi,%rbx,1), %r13d
+        movb	%r13b, 16(%rsp,%rcx,1)
+        xorb	(%rsp,%rcx,1), %r13b
+        movb	%r13b, (%r8,%rbx,1)
+        incl	%ebx
+        incl	%ecx
+        cmpl	%edx, %ebx
+        jl	L_AES_GCM_decrypt_avx2_aesenc_last15_dec_avx_loop
+        vmovdqa	16(%rsp), %xmm4
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm4, %xmm4
+        vpxor	%xmm4, %xmm6, %xmm6
+        # ghash_gfmul_red
+        vpclmulqdq	$16, %xmm5, %xmm6, %xmm2
+        vpclmulqdq	$0x01, %xmm5, %xmm6, %xmm1
+        vpclmulqdq	$0x00, %xmm5, %xmm6, %xmm0
+        vpxor	%xmm1, %xmm2, %xmm2
+        vpslldq	$8, %xmm2, %xmm1
+        vpsrldq	$8, %xmm2, %xmm2
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$0x11, %xmm5, %xmm6, %xmm6
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm0, %xmm1, %xmm1
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm1, %xmm0
+        vpshufd	$0x4e, %xmm1, %xmm1
+        vpxor	%xmm2, %xmm6, %xmm6
+        vpxor	%xmm1, %xmm6, %xmm6
+        vpxor	%xmm0, %xmm6, %xmm6
+L_AES_GCM_decrypt_avx2_done_dec:
+        # calc_tag
+        shlq	$3, %r10
+        vpinsrq	$0x00, %r10, %xmm0, %xmm0
+        shlq	$3, %r11
+        vpinsrq	$0x01, %r11, %xmm1, %xmm1
+        vpblendd	$12, %xmm1, %xmm0, %xmm0
+        vpxor	%xmm6, %xmm0, %xmm0
+        # ghash_gfmul_red
+        vpclmulqdq	$16, %xmm5, %xmm0, %xmm4
+        vpclmulqdq	$0x01, %xmm5, %xmm0, %xmm3
+        vpclmulqdq	$0x00, %xmm5, %xmm0, %xmm2
+        vpxor	%xmm3, %xmm4, %xmm4
+        vpslldq	$8, %xmm4, %xmm3
+        vpsrldq	$8, %xmm4, %xmm4
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpclmulqdq	$0x11, %xmm5, %xmm0, %xmm0
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm3, %xmm2
+        vpshufd	$0x4e, %xmm3, %xmm3
+        vpxor	%xmm2, %xmm3, %xmm3
+        vpclmulqdq	$16, L_avx2_aes_gcm_mod2_128(%rip), %xmm3, %xmm2
+        vpshufd	$0x4e, %xmm3, %xmm3
+        vpxor	%xmm4, %xmm0, %xmm0
+        vpxor	%xmm3, %xmm0, %xmm0
+        vpxor	%xmm2, %xmm0, %xmm0
+        vpshufb	L_avx2_aes_gcm_bswap_mask(%rip), %xmm0, %xmm0
+        vpxor	%xmm15, %xmm0, %xmm0
+        # cmp_tag
+        cmpl	$16, %r15d
+        je	L_AES_GCM_decrypt_avx2_cmp_tag_16
+        xorq	%rdx, %rdx
+        xorq	%rax, %rax
+        vmovdqa	%xmm0, (%rsp)
+L_AES_GCM_decrypt_avx2_cmp_tag_loop:
+        movzbl	(%rsp,%rdx,1), %r13d
+        xorb	(%r14,%rdx,1), %r13b
+        orb	%r13b, %al
+        incl	%edx
+        cmpl	%r15d, %edx
+        jne	L_AES_GCM_decrypt_avx2_cmp_tag_loop
+        cmpb	$0x00, %al
+        sete	%al
+        jmp	L_AES_GCM_decrypt_avx2_cmp_tag_done
+L_AES_GCM_decrypt_avx2_cmp_tag_16:
+        vmovdqu	(%r14), %xmm1
+        vpcmpeqb	%xmm1, %xmm0, %xmm0
+        vpmovmskb	%xmm0, %rdx
+        # %%edx == 0xFFFF then return 1 else => return 0
+        xorl	%eax, %eax
+        cmpl	$0xffff, %edx
+        sete	%al
+L_AES_GCM_decrypt_avx2_cmp_tag_done:
+        movl	%eax, (%rbp)
+        vzeroupper
+        addq	$0xa8, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%rbx
+        popq	%r14
+        popq	%r12
+        popq	%r13
+        repz retq
+#ifndef __APPLE__
+.size	AES_GCM_decrypt_avx2,.-AES_GCM_decrypt_avx2
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/arc4.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/arc4.c
index 21ed2e79d..7eb8268e3 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/arc4.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/arc4.c
@@ -1,8 +1,8 @@
 /* arc4.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,23 +28,25 @@
 
 #ifndef NO_RC4
 
+#include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/arc4.h>
 
-#ifdef HAVE_CAVIUM
-    static void wc_Arc4CaviumSetKey(Arc4* arc4, const byte* key, word32 length);
-    static void wc_Arc4CaviumProcess(Arc4* arc4, byte* out, const byte* in,
-                                  word32 length);
-#endif
-
 
-void wc_Arc4SetKey(Arc4* arc4, const byte* key, word32 length)
+int wc_Arc4SetKey(Arc4* arc4, const byte* key, word32 length)
 {
+    int ret = 0;
     word32 i;
     word32 keyIndex = 0, stateIndex = 0;
 
-#ifdef HAVE_CAVIUM
-    if (arc4->magic == WOLFSSL_ARC4_CAVIUM_MAGIC)
-        return wc_Arc4CaviumSetKey(arc4, key, length);
+    if (arc4 == NULL || key == NULL || length == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4) && \
+        defined(HAVE_CAVIUM) && !defined(HAVE_CAVIUM_V)
+    if (arc4->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ARC4) {
+        return NitroxArc4SetKey(arc4, key, length);
+    }
 #endif
 
     arc4->x = 1;
@@ -62,10 +65,12 @@ void wc_Arc4SetKey(Arc4* arc4, const byte* key, word32 length)
         if (++keyIndex >= length)
             keyIndex = 0;
     }
+
+    return ret;
 }
 
 
-static INLINE byte MakeByte(word32* x, word32* y, byte* s)
+static WC_INLINE byte MakeByte(word32* x, word32* y, byte* s)
 {
     word32 a = s[*x], b;
     *y = (*y+a) & 0xff;
@@ -79,14 +84,21 @@ static INLINE byte MakeByte(word32* x, word32* y, byte* s)
 }
 
 
-void wc_Arc4Process(Arc4* arc4, byte* out, const byte* in, word32 length)
+int wc_Arc4Process(Arc4* arc4, byte* out, const byte* in, word32 length)
 {
+    int ret = 0;
     word32 x;
     word32 y;
 
-#ifdef HAVE_CAVIUM
-    if (arc4->magic == WOLFSSL_ARC4_CAVIUM_MAGIC)
-        return wc_Arc4CaviumProcess(arc4, out, in, length);
+    if (arc4 == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4) && \
+        defined(HAVE_CAVIUM) && !defined(HAVE_CAVIUM_V)
+    if (arc4->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ARC4) {
+        return NitroxArc4Process(arc4, out, in, length);
+    }
 #endif
 
     x = arc4->x;
@@ -97,82 +109,41 @@ void wc_Arc4Process(Arc4* arc4, byte* out, const byte* in, word32 length)
 
     arc4->x = (byte)x;
     arc4->y = (byte)y;
-}
-
 
-#ifdef HAVE_CAVIUM
-
-#include <wolfssl/wolfcrypt/logging.h>
-#include "cavium_common.h"
+    return ret;
+}
 
-/* Initiliaze Arc4 for use with Nitrox device */
-int wc_Arc4InitCavium(Arc4* arc4, int devId)
+/* Initialize Arc4 for use with async device */
+int wc_Arc4Init(Arc4* arc4, void* heap, int devId)
 {
+    int ret = 0;
+
     if (arc4 == NULL)
-        return -1;
+        return BAD_FUNC_ARG;
 
-    if (CspAllocContext(CONTEXT_SSL, &arc4->contextHandle, devId) != 0)
-        return -1;
+    arc4->heap = heap;
 
-    arc4->devId = devId;
-    arc4->magic = WOLFSSL_ARC4_CAVIUM_MAGIC;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4)
+    ret = wolfAsync_DevCtxInit(&arc4->asyncDev, WOLFSSL_ASYNC_MARKER_ARC4,
+        arc4->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    return 0;
+    return ret;
 }
 
 
-/* Free Arc4 from use with Nitrox device */
-void wc_Arc4FreeCavium(Arc4* arc4)
+/* Free Arc4 from use with async device */
+void wc_Arc4Free(Arc4* arc4)
 {
     if (arc4 == NULL)
         return;
 
-    if (arc4->magic != WOLFSSL_ARC4_CAVIUM_MAGIC)
-        return;
-
-    CspFreeContext(CONTEXT_SSL, arc4->contextHandle, arc4->devId);
-    arc4->magic = 0;
-}
-
-
-static void wc_Arc4CaviumSetKey(Arc4* arc4, const byte* key, word32 length)
-{
-    word32 requestId;
-
-    if (CspInitializeRc4(CAVIUM_BLOCKING, arc4->contextHandle, length,
-                         (byte*)key, &requestId, arc4->devId) != 0) {
-        WOLFSSL_MSG("Bad Cavium Arc4 Init");
-    }
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ARC4)
+    wolfAsync_DevCtxFree(&arc4->asyncDev, WOLFSSL_ASYNC_MARKER_ARC4);
+#endif /* WOLFSSL_ASYNC_CRYPT */
 }
 
-
-static void wc_Arc4CaviumProcess(Arc4* arc4, byte* out, const byte* in,
-                              word32 length)
-{
-    wolfssl_word offset = 0;
-    word32 requestId;
-
-    while (length > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        if (CspEncryptRc4(CAVIUM_BLOCKING, arc4->contextHandle,CAVIUM_UPDATE,
-                          slen, (byte*)in + offset, out + offset, &requestId,
-                          arc4->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Arc4 Encrypt");
-        }
-        length -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-    }
-    if (length) {
-        word16 slen = (word16)length;
-        if (CspEncryptRc4(CAVIUM_BLOCKING, arc4->contextHandle,CAVIUM_UPDATE,
-                          slen, (byte*)in + offset, out + offset, &requestId,
-                          arc4->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium Arc4 Encrypt");
-        }
-    }
-}
-
-#endif /* HAVE_CAVIUM */
-
 #endif /* NO_RC4 */
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asm.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asm.c
index 9f8458588..0af4447c7 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asm.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asm.c
@@ -1,8 +1,8 @@
 /* asm.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -50,7 +51,7 @@
 #else
 
     #include <intrin.h>
-    #define cpuid(a,b) __cpuid((int*)a,b)
+    #define cpuid(a,b,c) __cpuidex((int*)a,b,c)
 
     #define XASM_LINK(f)
 
@@ -58,9 +59,9 @@
 
 #define EAX 0
 #define EBX 1
-#define ECX 2 
+#define ECX 2
 #define EDX 3
-    
+
 #define CPUID_AVX1   0x1
 #define CPUID_AVX2   0x2
 #define CPUID_RDRAND 0x4
@@ -74,30 +75,40 @@
 #define IS_INTEL_ADX        (cpuid_flags&CPUID_ADX)
 #define IS_INTEL_RDRAND     (cpuid_flags&CPUID_RDRAND)
 #define IS_INTEL_RDSEED     (cpuid_flags&CPUID_RDSEED)
-#define SET_FLAGS         
+#define SET_FLAGS
 
 static word32 cpuid_check = 0 ;
 static word32 cpuid_flags = 0 ;
 
 static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) {
-    int got_intel_cpu=0;
-    unsigned int reg[5]; 
-    
+    int got_intel_cpu = 0;
+    int got_amd_cpu = 0;
+    unsigned int reg[5];
+
     reg[4] = '\0' ;
-    cpuid(reg, 0, 0);  
-    if(memcmp((char *)&(reg[EBX]), "Genu", 4) == 0 &&  
-                memcmp((char *)&(reg[EDX]), "ineI", 4) == 0 &&  
-                memcmp((char *)&(reg[ECX]), "ntel", 4) == 0) {  
-        got_intel_cpu = 1;  
-    }    
-    if (got_intel_cpu) {
+    cpuid(reg, 0, 0);
+
+    /* check for intel cpu */
+    if( memcmp((char *)&(reg[EBX]), "Genu", 4) == 0 &&
+        memcmp((char *)&(reg[EDX]), "ineI", 4) == 0 &&
+        memcmp((char *)&(reg[ECX]), "ntel", 4) == 0) {
+        got_intel_cpu = 1;
+    }
+
+    /* check for AMD cpu */
+    if( memcmp((char *)&(reg[EBX]), "Auth", 4) == 0 &&
+        memcmp((char *)&(reg[EDX]), "enti", 4) == 0 &&
+        memcmp((char *)&(reg[ECX]), "cAMD", 4) == 0) {
+        got_amd_cpu = 1;
+    }
+    if (got_intel_cpu || got_amd_cpu) {
         cpuid(reg, leaf, sub);
         return((reg[num]>>bit)&0x1) ;
     }
     return 0 ;
 }
 
-INLINE static int set_cpuid_flags(void) {  
+WC_INLINE static int set_cpuid_flags(void) {
     if(cpuid_check == 0) {
         if(cpuid_flag(7, 0, EBX, 8)){  cpuid_flags |= CPUID_BMI2 ; }
         if(cpuid_flag(7, 0, EBX,19)){  cpuid_flags |= CPUID_ADX  ; }
@@ -116,17 +127,17 @@ INLINE static int set_cpuid_flags(void) {
     #define IF_HAVE_INTEL_MULX(func, ret)
 #endif
 
-#if defined(TFM_X86) && !defined(TFM_SSE2) 
+#if defined(TFM_X86) && !defined(TFM_SSE2)
 /* x86-32 code */
 
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
    mu = c[x] * mp
 
 #define INNERMUL                                          \
-__asm__(                                                      \
+__asm__(                                                  \
    "movl %5,%%eax \n\t"                                   \
    "mull %4       \n\t"                                   \
    "addl %1,%%eax \n\t"                                   \
@@ -135,11 +146,11 @@ __asm__(                                                      \
    "adcl $0,%%edx \n\t"                                   \
    "movl %%edx,%1 \n\t"                                   \
 :"=g"(_c[LO]), "=r"(cy)                                   \
-:"0"(_c[LO]), "1"(cy), "g"(mu), "g"(*tmpm++)              \
+:"0"(_c[LO]), "1"(cy), "r"(mu), "r"(*tmpm++)              \
 : "%eax", "%edx", "cc")
 
 #define PROPCARRY                           \
-__asm__(                                        \
+__asm__(                                    \
    "addl   %1,%0    \n\t"                   \
    "setb   %%al     \n\t"                   \
    "movzbl %%al,%1 \n\t"                    \
@@ -151,14 +162,14 @@ __asm__(                                        \
 #elif defined(TFM_X86_64)
 /* x86-64 code */
 
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
-   mu = c[x] * mp;
+   mu = c[x] * mp
 
 #define INNERMUL                                          \
-__asm__(                                                      \
+__asm__(                                                  \
    "movq %5,%%rax \n\t"                                   \
    "mulq %4       \n\t"                                   \
    "addq %1,%%rax \n\t"                                   \
@@ -171,70 +182,63 @@ __asm__(                                                      \
 : "%rax", "%rdx", "cc")
 
 #if defined(HAVE_INTEL_MULX)
-#define MULX_INIT(a0, c0, cy)\
-    __asm__ volatile(                                     \
-             "xorq  %%r10, %%r10\n\t"                     \
-             "movq  %1,%%rdx\n\t"                         \
-             "addq  %2, %0\n\t"       /* c0+=cy; Set CF, OF */ \
-             "adoxq %%r10, %%r10\n\t" /* Reset   OF */    \
-             :"+m"(c0):"r"(a0),"r"(cy):"%r8","%r9", "%r10","%r11","%r12","%rdx") ; \
-
-#define MULX_INNERMUL_R1(c0, c1, pre, rdx)\
-   {                                                      \
-    __asm__  volatile (                                   \
-         "movq  %3, %%rdx\n\t"                            \
-         "mulx  %%r11,%%r9, %%r8 \n\t"                    \
-         "movq  %2, %%r12\n\t"                            \
-         "adoxq  %%r9,%0     \n\t"                        \
-         "adcxq  %%r8,%1     \n\t"                        \
-         :"+r"(c0),"+r"(c1):"m"(pre),"r"(rdx):"%r8","%r9", "%r10", "%r11","%r12","%rdx"    \
-    ); }
-    
-
-#define MULX_INNERMUL_R2(c0, c1, pre, rdx)\
-   {                                                      \
-    __asm__  volatile (                                   \
-         "movq  %3, %%rdx\n\t"                            \
-         "mulx  %%r12,%%r9, %%r8 \n\t"                    \
-         "movq  %2, %%r11\n\t"                            \
-         "adoxq  %%r9,%0     \n\t"                        \
-         "adcxq  %%r8,%1     \n\t"                        \
-         :"+r"(c0),"+r"(c1):"m"(pre),"r"(rdx):"%r8","%r9", "%r10", "%r11","%r12","%rdx"    \
-    ); }
-
-#define MULX_LOAD_R1(val)\
-    __asm__  volatile (                                   \
-        "movq %0, %%r11\n\t"\
-        ::"m"(val):"%r8","%r9", "%r10", "%r11","%r12","%rdx"\
-) ;
-
-#define MULX_INNERMUL_LAST(c0, c1, rdx)\
-   {                                                      \
-    __asm__  volatile (                                   \
-         "movq   %2, %%rdx\n\t"                           \
-         "mulx   %%r12,%%r9, %%r8 \n\t"                   \
-         "movq   $0, %%r10      \n\t"                     \
-         "adoxq  %%r10, %%r9   \n\t"                      \
-         "adcq   $0,%%r8       \n\t"                      \
-         "addq   %%r9,%0       \n\t"                      \
-         "adcq   $0,%%r8       \n\t"                      \
-         "movq   %%r8,%1       \n\t"                      \
-         :"+m"(c0),"=m"(c1):"r"(rdx):"%r8","%r9","%r10", "%r11", "%r12","%rdx"\
-    ); }
-
-#define MULX_INNERMUL8(x,y,z,cy)\
-{       word64 rdx = y ;\
-        MULX_LOAD_R1(x[0]) ;\
-        MULX_INIT(y, _c0, cy) ; /* rdx=y; z0+=cy; */ \
-        MULX_INNERMUL_R1(_c0, _c1, x[1], rdx) ;\
-        MULX_INNERMUL_R2(_c1, _c2, x[2], rdx) ;\
-        MULX_INNERMUL_R1(_c2, _c3, x[3], rdx) ;\
-        MULX_INNERMUL_R2(_c3, _c4, x[4], rdx) ;\
-        MULX_INNERMUL_R1(_c4, _c5, x[5], rdx) ;\
-        MULX_INNERMUL_R2(_c5, _c6, x[6], rdx) ;\
-        MULX_INNERMUL_R1(_c6, _c7, x[7], rdx) ;\
-        MULX_INNERMUL_LAST(_c7, cy, rdx) ;\
-}
+#define MULX_INNERMUL8(x,y,z,cy)                                       \
+    __asm__  volatile (                                                \
+        "movq	%[yn], %%rdx\n\t"                                      \
+        "xorq	%%rcx, %%rcx\n\t"                                      \
+        "movq   0(%[c]), %%r8\n\t"                                     \
+        "movq   8(%[c]), %%r9\n\t"                                     \
+        "movq   16(%[c]), %%r10\n\t"                                   \
+        "movq   24(%[c]), %%r11\n\t"                                   \
+        "movq   32(%[c]), %%r12\n\t"                                   \
+        "movq   40(%[c]), %%r13\n\t"                                   \
+        "movq   48(%[c]), %%r14\n\t"                                   \
+        "movq   56(%[c]), %%r15\n\t"                                   \
+                                                                       \
+        "mulx	0(%[xp]), %%rax, %%rcx\n\t"                            \
+        "adcxq	%[cy], %%r8\n\t"                                       \
+        "adoxq	%%rax, %%r8\n\t"                                       \
+        "mulx	8(%[xp]), %%rax, %[cy]\n\t"                            \
+        "adcxq	%%rcx, %%r9\n\t"                                       \
+        "adoxq	%%rax, %%r9\n\t"                                       \
+        "mulx	16(%[xp]), %%rax, %%rcx\n\t"                           \
+        "adcxq	%[cy], %%r10\n\t"                                      \
+        "adoxq	%%rax, %%r10\n\t"                                      \
+        "mulx	24(%[xp]), %%rax, %[cy]\n\t"                           \
+        "adcxq	%%rcx, %%r11\n\t"                                      \
+        "adoxq	%%rax, %%r11\n\t"                                      \
+        "mulx	32(%[xp]), %%rax, %%rcx\n\t"                           \
+        "adcxq	%[cy], %%r12\n\t"                                      \
+        "adoxq	%%rax, %%r12\n\t"                                      \
+        "mulx	40(%[xp]), %%rax, %[cy]\n\t"                           \
+        "adcxq	%%rcx, %%r13\n\t"                                      \
+        "adoxq	%%rax, %%r13\n\t"                                      \
+        "mulx	48(%[xp]), %%rax, %%rcx\n\t"                           \
+        "adcxq	%[cy], %%r14\n\t"                                      \
+        "adoxq	%%rax, %%r14\n\t"                                      \
+        "adcxq	%%rcx, %%r15\n\t"                                      \
+        "mulx	56(%[xp]), %%rax, %[cy]\n\t"                           \
+        "movq	$0, %%rdx\n\t"                                         \
+        "adoxq	%%rdx, %%rax\n\t"                                      \
+        "adcxq	%%rdx, %[cy]\n\t"                                      \
+        "adoxq	%%rdx, %[cy]\n\t"                                      \
+        "addq   %%rax, %%r15\n\t"                                      \
+        "adcq   $0, %[cy]\n\t"                                         \
+                                                                       \
+        "movq   %%r8,   0(%[c])\n\t"                                   \
+        "movq   %%r9,   8(%[c])\n\t"                                   \
+        "movq   %%r10, 16(%[c])\n\t"                                   \
+        "movq   %%r11, 24(%[c])\n\t"                                   \
+        "movq   %%r12, 32(%[c])\n\t"                                   \
+        "movq   %%r13, 40(%[c])\n\t"                                   \
+        "movq   %%r14, 48(%[c])\n\t"                                   \
+        "movq   %%r15, 56(%[c])\n\t"                                   \
+        : [cy] "+r" (cy)                                               \
+        : [xp] "r" (x), [c] "r" (c_mulx), [yn] "rm" (y)                \
+        :"%r8", "%r9", "%r10", "%r11", "%r12", "%r13", "%r14", "%r15", \
+         "%rdx", "%rax", "%rcx" \
+    )
+
 #define INNERMUL8_MULX \
 {\
     MULX_INNERMUL8(tmpm, mu, _c, cy);\
@@ -242,7 +246,7 @@ __asm__(                                                      \
 #endif
 
 #define INNERMUL8 \
- __asm__(                  \
+ __asm__(                    \
  "movq 0(%5),%%rax    \n\t"  \
  "movq 0(%2),%%r10    \n\t"  \
  "movq 0x8(%5),%%r11  \n\t"  \
@@ -332,10 +336,10 @@ __asm__(                                                      \
  \
 :"=r"(_c), "=r"(cy)                    \
 : "0"(_c),  "1"(cy), "g"(mu), "r"(tmpm)\
-: "%rax", "%rdx", "%r10", "%r11", "cc")\
+: "%rax", "%rdx", "%r10", "%r11", "cc")
 
 #define PROPCARRY                           \
-__asm__(                                        \
+__asm__(                                    \
    "addq   %1,%0    \n\t"                   \
    "setb   %%al     \n\t"                   \
    "movzbq %%al,%1 \n\t"                    \
@@ -344,7 +348,7 @@ __asm__(                                        \
 : "%rax", "cc")
 
 /******************************************************************/
-#elif defined(TFM_SSE2)  
+#elif defined(TFM_SSE2)
 /* SSE2 code (assumes 32-bit fp_digits) */
 /* XMM register assignments:
  * xmm0  *tmpm++, then Mu * (*tmpm++)
@@ -361,7 +365,7 @@ __asm__(                                        \
    __asm__("emms")
 
 #define LOOP_START          \
-__asm__(                        \
+__asm__(                    \
 "movd %0,%%mm1        \n\t" \
 "pxor %%mm3,%%mm3     \n\t" \
 "pmuludq %%mm2,%%mm1  \n\t" \
@@ -369,7 +373,7 @@ __asm__(                        \
 
 /* pmuludq on mmx registers does a 32x32->64 multiply. */
 #define INNERMUL               \
-__asm__(                           \
+__asm__(                       \
    "movd %1,%%mm4        \n\t" \
    "movd %2,%%mm0        \n\t" \
    "paddq %%mm4,%%mm3    \n\t" \
@@ -380,7 +384,7 @@ __asm__(                           \
 :"=g"(_c[LO]) : "0"(_c[LO]), "g"(*tmpm++) );
 
 #define INNERMUL8 \
-__asm__(                           \
+__asm__(                       \
    "movd 0(%1),%%mm4     \n\t" \
    "movd 0(%2),%%mm0     \n\t" \
    "paddq %%mm4,%%mm3    \n\t" \
@@ -453,7 +457,7 @@ __asm__(                           \
 __asm__( "movd %%mm3,%0  \n" :"=r"(cy))
 
 #define PROPCARRY                           \
-__asm__(                                        \
+__asm__(                                    \
    "addl   %1,%0    \n\t"                   \
    "setb   %%al     \n\t"                   \
    "movzbl %%al,%1 \n\t"                    \
@@ -465,7 +469,7 @@ __asm__(                                        \
 #elif defined(TFM_ARM)
    /* ARMv4 code */
 
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
@@ -475,7 +479,7 @@ __asm__(                                        \
 #ifdef __thumb__
 
 #define INNERMUL                    \
-__asm__(                                \
+__asm__(                            \
     " LDR    r0,%1            \n\t" \
     " ADDS   r0,r0,%0         \n\t" \
     " ITE    CS               \n\t" \
@@ -486,7 +490,7 @@ __asm__(                                \
 :"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(*tmpm++),"m"(_c[0]):"r0","cc");
 
 #define PROPCARRY                  \
-__asm__(                               \
+__asm__(                           \
     " LDR   r0,%1            \n\t" \
     " ADDS  r0,r0,%0         \n\t" \
     " STR   r0,%1            \n\t" \
@@ -502,7 +506,7 @@ __asm__(                               \
 #else  /* __thumb__ */
 
 #define INNERMUL                    \
-__asm__(                                \
+__asm__(                            \
     " LDR    r0,%1            \n\t" \
     " ADDS   r0,r0,%0         \n\t" \
     " MOVCS  %0,#1            \n\t" \
@@ -512,7 +516,7 @@ __asm__(                                \
 :"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(*tmpm++),"1"(_c[0]):"r0","cc");
 
 #define PROPCARRY                  \
-__asm__(                               \
+__asm__(                           \
     " LDR   r0,%1            \n\t" \
     " ADDS  r0,r0,%0         \n\t" \
     " STR   r0,%1            \n\t" \
@@ -525,76 +529,72 @@ __asm__(                               \
 #elif defined(TFM_PPC32)
 
 /* PPC32 */
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
    mu = c[x] * mp
 
 #define INNERMUL                     \
-__asm__(                                 \
+__asm__(                             \
    " mullw    16,%3,%4       \n\t"   \
    " mulhwu   17,%3,%4       \n\t"   \
-   " addc     16,16,%0       \n\t"   \
+   " addc     16,16,%2       \n\t"   \
    " addze    17,17          \n\t"   \
-   " lwz      18,%1          \n\t"   \
-   " addc     16,16,18       \n\t"   \
+   " addc     %1,16,%5       \n\t"   \
    " addze    %0,17          \n\t"   \
-   " stw      16,%1          \n\t"   \
-:"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(tmpm[0]),"1"(_c[0]):"16", "17", "18","cc"); ++tmpm;
+:"=r"(cy),"=r"(_c[0]):"0"(cy),"r"(mu),"r"(tmpm[0]),"1"(_c[0]):"16", "17", "cc"); ++tmpm;
 
 #define PROPCARRY                    \
-__asm__(                                 \
-   " lwz      16,%1         \n\t"    \
-   " addc     16,16,%0      \n\t"    \
-   " stw      16,%1         \n\t"    \
-   " xor      %0,%0,%0      \n\t"    \
-   " addze    %0,%0         \n\t"    \
-:"=r"(cy),"=m"(_c[0]):"0"(cy),"1"(_c[0]):"16","cc");
+__asm__(                             \
+   " addc     %1,%3,%2      \n\t"    \
+   " xor      %0,%2,%2      \n\t"    \
+   " addze    %0,%2         \n\t"    \
+:"=r"(cy),"=r"(_c[0]):"0"(cy),"1"(_c[0]):"cc");
 
 #elif defined(TFM_PPC64)
 
 /* PPC64 */
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
    mu = c[x] * mp
 
-#define INNERMUL                     \
-__asm__(                                 \
-   " mulld    16,%3,%4       \n\t"   \
-   " mulhdu   17,%3,%4       \n\t"   \
-   " addc     16,16,%0       \n\t"   \
-   " addze    17,17          \n\t"   \
-   " ldx      18,0,%1        \n\t"   \
-   " addc     16,16,18       \n\t"   \
-   " addze    %0,17          \n\t"   \
-   " sdx      16,0,%1        \n\t"   \
-:"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(tmpm[0]),"1"(_c[0]):"16", "17", "18","cc"); ++tmpm;
-
-#define PROPCARRY                    \
-__asm__(                                 \
-   " ldx      16,0,%1       \n\t"    \
-   " addc     16,16,%0      \n\t"    \
-   " sdx      16,0,%1       \n\t"    \
-   " xor      %0,%0,%0      \n\t"    \
-   " addze    %0,%0         \n\t"    \
-:"=r"(cy),"=m"(_c[0]):"0"(cy),"1"(_c[0]):"16","cc");
+#define INNERMUL                      \
+__asm__(                              \
+   " mulld    r16,%3,%4       \n\t"   \
+   " mulhdu   r17,%3,%4       \n\t"   \
+   " addc     r16,16,%0       \n\t"   \
+   " addze    r17,r17         \n\t"   \
+   " ldx      r18,0,%1        \n\t"   \
+   " addc     r16,r16,r18     \n\t"   \
+   " addze    %0,r17          \n\t"   \
+   " sdx      r16,0,%1        \n\t"   \
+:"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(tmpm[0]),"1"(_c[0]):"r16", "r17", "r18","cc"); ++tmpm;
+
+#define PROPCARRY                     \
+__asm__(                              \
+   " ldx      r16,0,%1       \n\t"    \
+   " addc     r16,r16,%0     \n\t"    \
+   " sdx      r16,0,%1       \n\t"    \
+   " xor      %0,%0,%0       \n\t"    \
+   " addze    %0,%0          \n\t"    \
+:"=r"(cy),"=m"(_c[0]):"0"(cy),"1"(_c[0]):"r16","cc");
 
 /******************************************************************/
 
 #elif defined(TFM_AVR32)
 
 /* AVR32 */
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
    mu = c[x] * mp
 
 #define INNERMUL                    \
-__asm__(                                \
+__asm__(                            \
     " ld.w   r2,%1            \n\t" \
     " add    r2,%0            \n\t" \
     " eor    r3,r3            \n\t" \
@@ -605,7 +605,7 @@ __asm__(                                \
 :"=r"(cy),"=r"(_c):"0"(cy),"r"(mu),"r"(*tmpm++),"1"(_c):"r2","r3");
 
 #define PROPCARRY                    \
-__asm__(                                 \
+__asm__(                             \
    " ld.w     r2,%1         \n\t"    \
    " add      r2,%0         \n\t"    \
    " st.w     %1,r2         \n\t"    \
@@ -613,10 +613,44 @@ __asm__(                                 \
    " acr      %0            \n\t"    \
 :"=r"(cy),"=r"(&_c[0]):"0"(cy),"1"(&_c[0]):"r2","cc");
 
+/******************************************************************/
+#elif defined(TFM_MIPS)
+
+/* MIPS */
+#define MONT_START
+#define MONT_FINI
+#define LOOP_END
+#define LOOP_START \
+   mu = c[x] * mp
+
+#define INNERMUL                     \
+__asm__(                             \
+   " multu    %3,%4          \n\t"   \
+   " mflo     $12            \n\t"   \
+   " mfhi     $13            \n\t"   \
+   " addu     $12,$12,%0     \n\t"   \
+   " sltu     $10,$12,%0     \n\t"   \
+   " addu     $13,$13,$10    \n\t"   \
+   " lw       $10,%1         \n\t"   \
+   " addu     $12,$12,$10    \n\t"   \
+   " sltu     $10,$12,$10    \n\t"   \
+   " addu     %0,$13,$10     \n\t"   \
+   " sw       $12,%1         \n\t"   \
+:"+r"(cy),"+m"(_c[0]):""(cy),"r"(mu),"r"(tmpm[0]),""(_c[0]):"$10","$12","$13"); ++tmpm;
+
+#define PROPCARRY                    \
+__asm__(                             \
+   " lw       $10,%1        \n\t"    \
+   " addu     $10,$10,%0    \n\t"    \
+   " sw       $10,%1        \n\t"    \
+   " sltu     %0,$10,%0     \n\t"    \
+:"+r"(cy),"+m"(_c[0]):""(cy),""(_c[0]):"$10");
+
+/******************************************************************/
 #else
 
 /* ISO C code */
-#define MONT_START 
+#define MONT_START
 #define MONT_FINI
 #define LOOP_END
 #define LOOP_START \
@@ -663,7 +697,7 @@ __asm__(                                 \
 #define COMBA_FINI
 
 #define SQRADD(i, j)                                      \
-__asm__(                                            \
+__asm__(                                                  \
      "movl  %6,%%eax     \n\t"                            \
      "mull  %%eax        \n\t"                            \
      "addl  %%eax,%0     \n\t"                            \
@@ -672,7 +706,7 @@ __asm__(                                            \
      :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) :"%eax","%edx","cc");
 
 #define SQRADD2(i, j)                                     \
-__asm__(                                            \
+__asm__(                                                  \
      "movl  %6,%%eax     \n\t"                            \
      "mull  %7           \n\t"                            \
      "addl  %%eax,%0     \n\t"                            \
@@ -692,10 +726,8 @@ __asm__(                                                     \
      "xorl  %2,%2        \n\t"                            \
      :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%eax","%edx","cc");
 
-/* TAO removed sc0,1,2 as input to remove warning so %6,%7 become %3,%4 */
-
 #define SQRADDAC(i, j)                                    \
-__asm__(                                                     \
+__asm__(                                                  \
      "movl  %6,%%eax     \n\t"                            \
      "mull  %7           \n\t"                            \
      "addl  %%eax,%0     \n\t"                            \
@@ -704,7 +736,7 @@ __asm__(                                                     \
      :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%eax","%edx","cc");
 
 #define SQRADDDB                                          \
-__asm__(                                                     \
+__asm__(                                                  \
      "addl %6,%0         \n\t"                            \
      "adcl %7,%1         \n\t"                            \
      "adcl %8,%2         \n\t"                            \
@@ -733,16 +765,16 @@ __asm__(                                                     \
 #define COMBA_FINI
 
 #define SQRADD(i, j)                                      \
-__asm__(                                                     \
+__asm__(                                                  \
      "movq  %6,%%rax     \n\t"                            \
      "mulq  %%rax        \n\t"                            \
      "addq  %%rax,%0     \n\t"                            \
      "adcq  %%rdx,%1     \n\t"                            \
      "adcq  $0,%2        \n\t"                            \
-     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i) :"%rax","%rdx","cc");
+     :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "x"(i) :"%rax","%rdx","cc");
 
 #define SQRADD2(i, j)                                     \
-__asm__(                                                     \
+__asm__(                                                  \
      "movq  %6,%%rax     \n\t"                            \
      "mulq  %7           \n\t"                            \
      "addq  %%rax,%0     \n\t"                            \
@@ -754,7 +786,7 @@ __asm__(                                                     \
      :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "g"(i), "g"(j)  :"%rax","%rdx","cc");
 
 #define SQRADDSC(i, j)                                    \
-__asm__(                                                     \
+__asm__(                                                  \
      "movq  %3,%%rax     \n\t"                            \
      "mulq  %4           \n\t"                            \
      "movq  %%rax,%0     \n\t"                            \
@@ -762,10 +794,8 @@ __asm__(                                                     \
      "xorq  %2,%2        \n\t"                            \
      :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%rax","%rdx","cc");
 
-/* TAO removed sc0,1,2 as input to remove warning so %6,%7 become %3,%4 */
-
 #define SQRADDAC(i, j)                                                         \
-__asm__(                                                     \
+__asm__(                                                  \
      "movq  %6,%%rax     \n\t"                            \
      "mulq  %7           \n\t"                            \
      "addq  %%rax,%0     \n\t"                            \
@@ -774,7 +804,7 @@ __asm__(                                                     \
      :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%rax","%rdx","cc");
 
 #define SQRADDDB                                          \
-__asm__(                                                     \
+__asm__(                                                  \
      "addq %6,%0         \n\t"                            \
      "adcq %7,%1         \n\t"                            \
      "adcq %8,%2         \n\t"                            \
@@ -804,7 +834,7 @@ __asm__(                                                     \
    __asm__("emms");
 
 #define SQRADD(i, j)                                      \
-__asm__(                                            \
+__asm__(                                                  \
      "movd  %6,%%mm0     \n\t"                            \
      "pmuludq %%mm0,%%mm0\n\t"                            \
      "movd  %%mm0,%%eax  \n\t"                            \
@@ -816,7 +846,7 @@ __asm__(                                            \
      :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) :"%eax","cc");
 
 #define SQRADD2(i, j)                                     \
-__asm__(                                            \
+__asm__(                                                  \
      "movd  %6,%%mm0     \n\t"                            \
      "movd  %7,%%mm1     \n\t"                            \
      "pmuludq %%mm1,%%mm0\n\t"                            \
@@ -832,7 +862,7 @@ __asm__(                                            \
      :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i), "m"(j)  :"%eax","%edx","cc");
 
 #define SQRADDSC(i, j)                                                         \
-__asm__(                                            \
+__asm__(                                                  \
      "movd  %3,%%mm0     \n\t"                            \
      "movd  %4,%%mm1     \n\t"                            \
      "pmuludq %%mm1,%%mm0\n\t"                            \
@@ -845,7 +875,7 @@ __asm__(                                            \
 /* TAO removed sc0,1,2 as input to remove warning so %6,%7 become %3,%4 */
 
 #define SQRADDAC(i, j)                                                         \
-__asm__(                                            \
+__asm__(                                                  \
      "movd  %6,%%mm0     \n\t"                            \
      "movd  %7,%%mm1     \n\t"                            \
      "pmuludq %%mm1,%%mm0\n\t"                            \
@@ -858,7 +888,7 @@ __asm__(                                            \
      :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "m"(i), "m"(j)  :"%eax","%edx","cc");
 
 #define SQRADDDB                                          \
-__asm__(                                                     \
+__asm__(                                                  \
      "addl %6,%0         \n\t"                            \
      "adcl %7,%1         \n\t"                            \
      "adcl %8,%2         \n\t"                            \
@@ -889,16 +919,16 @@ __asm__(                                                     \
 
 /* multiplies point i and j, updates carry "c1" and digit c2 */
 #define SQRADD(i, j)                                             \
-__asm__(                                                             \
+__asm__(                                                         \
 "  UMULL  r0,r1,%6,%6              \n\t"                         \
 "  ADDS   %0,%0,r0                 \n\t"                         \
 "  ADCS   %1,%1,r1                 \n\t"                         \
 "  ADC    %2,%2,#0                 \n\t"                         \
 :"=r"(c0), "=r"(c1), "=r"(c2) : "0"(c0), "1"(c1), "2"(c2), "r"(i) : "r0", "r1", "cc");
-	
+
 /* for squaring some of the terms are doubled... */
 #define SQRADD2(i, j)                                            \
-__asm__(                                                             \
+__asm__(                                                         \
 "  UMULL  r0,r1,%6,%7              \n\t"                         \
 "  ADDS   %0,%0,r0                 \n\t"                         \
 "  ADCS   %1,%1,r1                 \n\t"                         \
@@ -909,7 +939,7 @@ __asm__(                                                             \
 :"=r"(c0), "=r"(c1), "=r"(c2) : "0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j) : "r0", "r1", "cc");
 
 #define SQRADDSC(i, j)                                           \
-__asm__(                                                             \
+__asm__(                                                         \
 "  UMULL  %0,%1,%3,%4              \n\t"                         \
 "  SUB    %2,%2,%2                 \n\t"                         \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2) : "r"(i), "r"(j) : "cc");
@@ -917,7 +947,7 @@ __asm__(                                                             \
 /* TAO removed sc0,1,2 as input to remove warning so %6,%7 become %3,%4 */
 
 #define SQRADDAC(i, j)                                           \
-__asm__(                                                             \
+__asm__(                                                         \
 "  UMULL  r0,r1,%6,%7              \n\t"                         \
 "  ADDS   %0,%0,r0                 \n\t"                         \
 "  ADCS   %1,%1,r1                 \n\t"                         \
@@ -925,7 +955,7 @@ __asm__(                                                             \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2) : "0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j) : "r0", "r1", "cc");
 
 #define SQRADDDB                                                 \
-__asm__(                                                             \
+__asm__(                                                         \
 "  ADDS  %0,%0,%3                     \n\t"                      \
 "  ADCS  %1,%1,%4                     \n\t"                      \
 "  ADC   %2,%2,%5                     \n\t"                      \
@@ -956,7 +986,7 @@ __asm__(                                                             \
 
 /* multiplies point i and j, updates carry "c1" and digit c2 */
 #define SQRADD(i, j)             \
-__asm__(                             \
+__asm__(                         \
    " mullw  16,%6,%6       \n\t" \
    " addc   %0,%0,16       \n\t" \
    " mulhwu 16,%6,%6       \n\t" \
@@ -966,7 +996,7 @@ __asm__(                             \
 
 /* for squaring some of the terms are doubled... */
 #define SQRADD2(i, j)            \
-__asm__(                             \
+__asm__(                         \
    " mullw  16,%6,%7       \n\t" \
    " mulhwu 17,%6,%7       \n\t" \
    " addc   %0,%0,16       \n\t" \
@@ -978,14 +1008,14 @@ __asm__(                             \
 :"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"16", "17","cc");
 
 #define SQRADDSC(i, j)            \
-__asm__(                              \
+__asm__(                          \
    " mullw  %0,%6,%7        \n\t" \
    " mulhwu %1,%6,%7        \n\t" \
    " xor    %2,%2,%2        \n\t" \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i),"r"(j) : "cc");
 
 #define SQRADDAC(i, j)           \
-__asm__(                             \
+__asm__(                         \
    " mullw  16,%6,%7       \n\t" \
    " addc   %0,%0,16       \n\t" \
    " mulhwu 16,%6,%7       \n\t" \
@@ -994,7 +1024,7 @@ __asm__(                             \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j):"16", "cc");
 
 #define SQRADDDB                  \
-__asm__(                              \
+__asm__(                          \
    " addc   %0,%0,%3        \n\t" \
    " adde   %1,%1,%4        \n\t" \
    " adde   %2,%2,%5        \n\t" \
@@ -1023,46 +1053,46 @@ __asm__(                              \
 #define COMBA_FINI
 
 /* multiplies point i and j, updates carry "c1" and digit c2 */
-#define SQRADD(i, j)             \
-__asm__(                             \
-   " mulld  16,%6,%6       \n\t" \
-   " addc   %0,%0,16       \n\t" \
-   " mulhdu 16,%6,%6       \n\t" \
-   " adde   %1,%1,16       \n\t" \
-   " addze  %2,%2          \n\t" \
-:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i):"16","cc");
+#define SQRADD(i, j)              \
+__asm__(                          \
+   " mulld  r16,%6,%6       \n\t" \
+   " addc   %0,%0,r16       \n\t" \
+   " mulhdu r16,%6,%6       \n\t" \
+   " adde   %1,%1,r16       \n\t" \
+   " addze  %2,%2           \n\t" \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i):"r16","cc");
 
 /* for squaring some of the terms are doubled... */
-#define SQRADD2(i, j)            \
-__asm__(                             \
-   " mulld  16,%6,%7       \n\t" \
-   " mulhdu 17,%6,%7       \n\t" \
-   " addc   %0,%0,16       \n\t" \
-   " adde   %1,%1,17       \n\t" \
-   " addze  %2,%2          \n\t" \
-   " addc   %0,%0,16       \n\t" \
-   " adde   %1,%1,17       \n\t" \
-   " addze  %2,%2          \n\t" \
-:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"16", "17","cc");
+#define SQRADD2(i, j)             \
+__asm__(                          \
+   " mulld  r16,%6,%7       \n\t" \
+   " mulhdu r17,%6,%7       \n\t" \
+   " addc   %0,%0,r16       \n\t" \
+   " adde   %1,%1,r17       \n\t" \
+   " addze  %2,%2           \n\t" \
+   " addc   %0,%0,r16       \n\t" \
+   " adde   %1,%1,r17       \n\t" \
+   " addze  %2,%2           \n\t" \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"r16", "r17","cc");
 
 #define SQRADDSC(i, j)            \
-__asm__(                              \
+__asm__(                          \
    " mulld  %0,%6,%7        \n\t" \
    " mulhdu %1,%6,%7        \n\t" \
    " xor    %2,%2,%2        \n\t" \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i),"r"(j) : "cc");
 
-#define SQRADDAC(i, j)           \
-__asm__(                             \
-   " mulld  16,%6,%7       \n\t" \
-   " addc   %0,%0,16       \n\t" \
-   " mulhdu 16,%6,%7       \n\t" \
-   " adde   %1,%1,16       \n\t" \
-   " addze  %2,%2          \n\t" \
-:"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j):"16", "cc");
+#define SQRADDAC(i, j)            \
+__asm__(                          \
+   " mulld  r16,%6,%7       \n\t" \
+   " addc   %0,%0,r16       \n\t" \
+   " mulhdu r16,%6,%7       \n\t" \
+   " adde   %1,%1,r16       \n\t" \
+   " addze  %2,%2           \n\t" \
+:"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j):"r16", "cc");
 
 #define SQRADDDB                  \
-__asm__(                              \
+__asm__(                          \
    " addc   %0,%0,%3        \n\t" \
    " adde   %1,%1,%4        \n\t" \
    " adde   %2,%2,%5        \n\t" \
@@ -1094,7 +1124,7 @@ __asm__(                              \
 
 /* multiplies point i and j, updates carry "c1" and digit c2 */
 #define SQRADD(i, j)             \
-__asm__(                             \
+__asm__(                         \
    " mulu.d r2,%6,%6       \n\t" \
    " add    %0,%0,r2       \n\t" \
    " adc    %1,%1,r3       \n\t" \
@@ -1103,7 +1133,7 @@ __asm__(                             \
 
 /* for squaring some of the terms are doubled... */
 #define SQRADD2(i, j)            \
-__asm__(                             \
+__asm__(                         \
    " mulu.d r2,%6,%7       \n\t" \
    " add    %0,%0,r2       \n\t" \
    " adc    %1,%1,r3       \n\t" \
@@ -1114,7 +1144,7 @@ __asm__(                             \
 :"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"r2", "r3");
 
 #define SQRADDSC(i, j)            \
-__asm__(                              \
+__asm__(                          \
    " mulu.d r2,%6,%7        \n\t" \
    " mov    %0,r2           \n\t" \
    " mov    %1,r3           \n\t" \
@@ -1122,7 +1152,7 @@ __asm__(                              \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i),"r"(j) : "r2", "r3");
 
 #define SQRADDAC(i, j)           \
-__asm__(                             \
+__asm__(                         \
    " mulu.d r2,%6,%7       \n\t" \
    " add    %0,%0,r2       \n\t" \
    " adc    %1,%1,r3       \n\t" \
@@ -1130,7 +1160,7 @@ __asm__(                             \
 :"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j):"r2", "r3");
 
 #define SQRADDDB                  \
-__asm__(                              \
+__asm__(                          \
    " add    %0,%0,%3        \n\t" \
    " adc    %1,%1,%4        \n\t" \
    " adc    %2,%2,%5        \n\t" \
@@ -1139,6 +1169,112 @@ __asm__(                              \
    " adc    %2,%2,%5        \n\t" \
 :"=r"(c0), "=r"(c1), "=r"(c2) : "r"(sc0), "r"(sc1), "r"(sc2), "0"(c0), "1"(c1), "2"(c2) : "cc");
 
+#elif defined(TFM_MIPS)
+
+/* MIPS */
+#define COMBA_START
+
+#define CLEAR_CARRY \
+   c0 = c1 = c2 = 0;
+
+#define COMBA_STORE(x) \
+   x = c0;
+
+#define COMBA_STORE2(x) \
+   x = c1;
+
+#define CARRY_FORWARD \
+   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
+
+#define COMBA_FINI
+
+/* multiplies point i and j, updates carry "c1" and digit c2 */
+#define SQRADD(i, j)              \
+__asm__(                          \
+   " multu  %6,%6          \n\t"  \
+   " mflo   $12            \n\t"  \
+   " mfhi   $13            \n\t"  \
+   " addu    %0,%0,$12     \n\t"  \
+   " sltu   $12,%0,$12     \n\t"  \
+   " addu    %1,%1,$13     \n\t"  \
+   " sltu   $13,%1,$13     \n\t"  \
+   " addu    %1,%1,$12     \n\t"  \
+   " sltu   $12,%1,$12     \n\t"  \
+   " addu    %2,%2,$13     \n\t"  \
+   " addu    %2,%2,$12     \n\t"  \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i):"$12","$13");
+
+/* for squaring some of the terms are doubled... */
+#define SQRADD2(i, j)            \
+__asm__(                         \
+   " multu  %6,%7          \n\t" \
+   " mflo   $12            \n\t" \
+   " mfhi   $13            \n\t" \
+                                 \
+   " addu    %0,%0,$12     \n\t" \
+   " sltu   $14,%0,$12     \n\t" \
+   " addu    %1,%1,$13     \n\t" \
+   " sltu   $15,%1,$13     \n\t" \
+   " addu    %1,%1,$14     \n\t" \
+   " sltu   $14,%1,$14     \n\t" \
+   " addu    %2,%2,$15     \n\t" \
+   " addu    %2,%2,$14     \n\t" \
+                                 \
+   " addu    %0,%0,$12     \n\t" \
+   " sltu   $14,%0,$12     \n\t" \
+   " addu    %1,%1,$13     \n\t" \
+   " sltu   $15,%1,$13     \n\t" \
+   " addu    %1,%1,$14     \n\t" \
+   " sltu   $14,%1,$14     \n\t" \
+   " addu    %2,%2,$15     \n\t" \
+   " addu    %2,%2,$14     \n\t" \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"$12", "$13", "$14", "$15");
+
+#define SQRADDSC(i, j)            \
+__asm__(                          \
+   " multu  %6,%7          \n\t"  \
+   " mflo   %0             \n\t"  \
+   " mfhi   %1             \n\t"  \
+   " xor    %2,%2,%2       \n\t"  \
+:"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i),"r"(j) : "cc");
+
+#define SQRADDAC(i, j)           \
+__asm__(                         \
+   " multu  %6,%7          \n\t" \
+   " mflo   $12            \n\t" \
+   " mfhi   $13            \n\t" \
+   " addu    %0,%0,$12     \n\t" \
+   " sltu   $12,%0,$12     \n\t" \
+   " addu    %1,%1,$13     \n\t" \
+   " sltu   $13,%1,$13     \n\t" \
+   " addu    %1,%1,$12     \n\t" \
+   " sltu   $12,%1,$12     \n\t" \
+   " addu    %2,%2,$13     \n\t" \
+   " addu    %2,%2,$12     \n\t" \
+:"=r"(sc0), "=r"(sc1), "=r"(sc2):"0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j):"$12", "$13", "$14");
+
+#define SQRADDDB                  \
+__asm__(                          \
+   " addu    %0,%0,%3       \n\t" \
+   " sltu   $10,%0,%3       \n\t" \
+   " addu    %1,%1,$10      \n\t" \
+   " sltu   $10,%1,$10      \n\t" \
+   " addu    %1,%1,%4       \n\t" \
+   " sltu   $11,%1,%4       \n\t" \
+   " addu    %2,%2,$10      \n\t" \
+   " addu    %2,%2,$11      \n\t" \
+   " addu    %2,%2,%5       \n\t" \
+                                  \
+   " addu    %0,%0,%3       \n\t" \
+   " sltu   $10,%0,%3       \n\t" \
+   " addu    %1,%1,$10      \n\t" \
+   " sltu   $10,%1,$10      \n\t" \
+   " addu    %1,%1,%4       \n\t" \
+   " sltu   $11,%1,%4       \n\t" \
+   " addu    %2,%2,$10      \n\t" \
+   " addu    %2,%2,$11      \n\t" \
+   " addu    %2,%2,%5       \n\t" \
+:"=r"(c0), "=r"(c1), "=r"(c2) : "r"(sc0), "r"(sc1), "r"(sc2), "0"(c0), "1"(c1), "2"(c2) : "$10", "$11");
 
 #else
 
@@ -1169,7 +1305,7 @@ __asm__(                              \
    t = c1 + (t >> DIGIT_BIT);             c1 = (fp_digit)t;    \
                                           c2 +=(fp_digit) (t >> DIGIT_BIT); \
    } while (0);
-  
+
 
 /* for squaring some of the terms are doubled... */
 #define SQRADD2(i, j)                                                 \
@@ -1177,10 +1313,10 @@ __asm__(                              \
    t  = ((fp_word)i) * ((fp_word)j);                                  \
    tt = (fp_word)c0 + t;                 c0 = (fp_digit)tt;           \
    tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = (fp_digit)tt;           \
-                                         c2 +=(fp_digit)( tt >> DIGIT_BIT);    \
+                                         c2 +=(fp_digit)(tt >> DIGIT_BIT);     \
    tt = (fp_word)c0 + t;                 c0 = (fp_digit)tt;                    \
    tt = (fp_word)c1 + (tt >> DIGIT_BIT); c1 = (fp_digit)tt;            \
-                                         c2 +=(fp_digit) (tt >> DIGIT_BIT);    \
+                                         c2 +=(fp_digit)(tt >> DIGIT_BIT);     \
    } while (0);
 
 #define SQRADDSC(i, j)                                                         \
@@ -1210,46 +1346,46 @@ __asm__(                              \
     #include "fp_sqr_comba_small_set.i"
 #endif
 
-#if defined(TFM_SQR3)
+#if defined(TFM_SQR3) && FP_SIZE >= 6
     #include "fp_sqr_comba_3.i"
 #endif
-#if defined(TFM_SQR4)
+#if defined(TFM_SQR4) && FP_SIZE >= 8
     #include "fp_sqr_comba_4.i"
 #endif
-#if defined(TFM_SQR6)
+#if defined(TFM_SQR6) && FP_SIZE >= 12
     #include "fp_sqr_comba_6.i"
 #endif
-#if defined(TFM_SQR7)
+#if defined(TFM_SQR7) && FP_SIZE >= 14
     #include "fp_sqr_comba_7.i"
 #endif
-#if defined(TFM_SQR8)
+#if defined(TFM_SQR8) && FP_SIZE >= 16
     #include "fp_sqr_comba_8.i"
 #endif
-#if defined(TFM_SQR9)
+#if defined(TFM_SQR9) && FP_SIZE >= 18
     #include "fp_sqr_comba_9.i"
 #endif
-#if defined(TFM_SQR12)
+#if defined(TFM_SQR12) && FP_SIZE >= 24
     #include "fp_sqr_comba_12.i"
 #endif
-#if defined(TFM_SQR17)
+#if defined(TFM_SQR17) && FP_SIZE >= 34
     #include "fp_sqr_comba_17.i"
 #endif
-#if defined(TFM_SQR20)
+#if defined(TFM_SQR20) && FP_SIZE >= 40
     #include "fp_sqr_comba_20.i"
 #endif
-#if defined(TFM_SQR24)
+#if defined(TFM_SQR24) && FP_SIZE >= 48
     #include "fp_sqr_comba_24.i"
 #endif
-#if defined(TFM_SQR28)
+#if defined(TFM_SQR28) && FP_SIZE >= 56
     #include "fp_sqr_comba_28.i"
 #endif
-#if defined(TFM_SQR32)
+#if defined(TFM_SQR32) && FP_SIZE >= 64
     #include "fp_sqr_comba_32.i"
 #endif
-#if defined(TFM_SQR48)
+#if defined(TFM_SQR48) && FP_SIZE >= 96
     #include "fp_sqr_comba_48.i"
 #endif
-#if defined(TFM_SQR64)
+#if defined(TFM_SQR64) && FP_SIZE >= 128
     #include "fp_sqr_comba_64.i"
 #endif
 /* end fp_sqr_comba.c asm */
@@ -1283,7 +1419,7 @@ __asm__(                              \
 
 /* this should multiply i and j  */
 #define MULADD(i, j)                                      \
-__asm__(                                                      \
+__asm__(                                                  \
      "movl  %6,%%eax     \n\t"                            \
      "mull  %7           \n\t"                            \
      "addl  %%eax,%0     \n\t"                            \
@@ -1318,7 +1454,7 @@ __asm__(                                                      \
 
 /* this should multiply i and j  */
 #define MULADD(i, j)                                      \
-__asm__  (                                                    \
+__asm__  (                                                \
      "movq  %6,%%rax     \n\t"                            \
      "mulq  %7           \n\t"                            \
      "addq  %%rax,%0     \n\t"                            \
@@ -1328,61 +1464,54 @@ __asm__  (                                                    \
 
 
 #if defined(HAVE_INTEL_MULX)
-#define MULADD_MULX(b0, c0, c1, rdx)\
-    __asm__  volatile (                                   \
-         "movq   %3, %%rdx\n\t"                           \
-         "mulx  %2,%%r9, %%r8 \n\t"                       \
-         "adoxq  %%r9,%0     \n\t"                        \
-         "adcxq  %%r8,%1     \n\t"                        \
-         :"+r"(c0),"+r"(c1):"r"(b0), "r"(rdx):"%r8","%r9","%r10","%rdx"\
+#define MULADD_BODY(a,b,c)                              \
+    __asm__ volatile(                                   \
+         "movq  %[a0],%%rdx\n\t"                        \
+         "xorq  %%rcx, %%rcx\n\t"                       \
+         "movq  0(%[cp]),%%r8\n\t"                      \
+         "movq  8(%[cp]),%%r9\n\t"                      \
+         "movq  16(%[cp]),%%r10\n\t"                    \
+         "movq  24(%[cp]),%%r11\n\t"                    \
+         "movq  32(%[cp]),%%r12\n\t"                    \
+         "movq  40(%[cp]),%%r13\n\t"                    \
+                                                        \
+         "mulx  (%[bp]),%%rax, %%rbx\n\t"               \
+         "adoxq  %%rax, %%r8\n\t"                       \
+         "mulx  8(%[bp]),%%rax, %%rcx\n\t"              \
+         "adcxq  %%rbx, %%r9\n\t"                       \
+         "adoxq  %%rax, %%r9\n\t"                       \
+         "mulx  16(%[bp]),%%rax, %%rbx\n\t"             \
+         "adcxq  %%rcx, %%r10\n\t"                      \
+         "adoxq  %%rax, %%r10\n\t"                      \
+         "mulx  24(%[bp]),%%rax, %%rcx\n\t"             \
+         "adcxq  %%rbx, %%r11\n\t"                      \
+         "adoxq  %%rax, %%r11\n\t"                      \
+         "adcxq  %%rcx, %%r12\n\t"                      \
+         "mov $0, %%rdx\n\t"                            \
+         "adox %%rdx, %%r12\n\t"                        \
+         "adcx %%rdx, %%r13\n\t"                        \
+                                                        \
+         "movq  %%r8, 0(%[cp])\n\t"                     \
+         "movq  %%r9, 8(%[cp])\n\t"                     \
+         "movq  %%r10, 16(%[cp])\n\t"                   \
+         "movq  %%r11, 24(%[cp])\n\t"                   \
+         "movq  %%r12, 32(%[cp])\n\t"                   \
+         "movq  %%r13, 40(%[cp])\n\t"                   \
+      :                                                 \
+      : [a0] "r" (a->dp[ix]), [bp] "r" (&(b->dp[iy])),  \
+        [cp] "r" (&(c->dp[iz]))                         \
+      : "%r8", "%r9", "%r10", "%r11", "%r12", "%r13",   \
+        "%rdx", "%rax", "%rcx", "%rbx"                  \
     )
 
-
-#define MULADD_MULX_ADD_CARRY(c0, c1)\
-    __asm__ volatile(\
-    "mov $0, %%r10\n\t"\
-    "movq %1, %%r8\n\t"\
-    "adox %%r10, %0\n\t"\
-    "adcx %%r10, %1\n\t"\
-    :"+r"(c0),"+r"(c1)::"%r8","%r9","%r10","%rdx") ;
-
-#define MULADD_SET_A(a0)\
-    __asm__ volatile("add $0, %%r8\n\t"                   \
-             "movq  %0,%%rdx\n\t"                         \
-             ::"r"(a0):"%r8","%r9","%r10","%rdx") ;
-
-#define MULADD_BODY(a,b,c)\
-    {   word64 rdx = a->dp[ix] ;      \
-        cp = &(c->dp[iz]) ;           \
-        c0 = cp[0] ; c1 = cp[1];      \
-        MULADD_SET_A(rdx) ;           \
-        MULADD_MULX(b0, c0, c1, rdx) ;\
-        cp[0]=c0; c0=cp[2];           \
-        MULADD_MULX(b1, c1, c0, rdx) ;\
-        cp[1]=c1; c1=cp[3];           \
-        MULADD_MULX(b2, c0, c1, rdx) ;\
-        cp[2]=c0; c0=cp[4];           \
-        MULADD_MULX(b3, c1, c0, rdx) ;\
-        cp[3]=c1; c1=cp[5];           \
-        MULADD_MULX_ADD_CARRY(c0, c1);\
-        cp[4]=c0; cp[5]=c1;           \
+#define TFM_INTEL_MUL_COMBA(a, b, c)       \
+    for (iz=0; iz<pa; iz++) c->dp[iz] = 0; \
+    for (ix=0; ix<a->used; ix++) {         \
+        for (iy=0; iy<b->used; iy+=4) {    \
+            iz = ix + iy;                  \
+            MULADD_BODY(a, b, c);          \
+        }                                  \
     }
-
-#define TFM_INTEL_MUL_COMBA(a, b, c)\
-  for(ix=0; ix<pa; ix++)c->dp[ix]=0 ; \
-  for(iy=0; (iy<b->used); iy+=4) {    \
-    fp_digit *bp ;                    \
-    bp = &(b->dp[iy+0]) ;             \
-    fp_digit b0 = bp[0] , b1= bp[1],  \
-             b2= bp[2], b3= bp[3];    \
-    ix=0, iz=iy;                      \
-    while(ix<a->used) {               \
-        fp_digit c0, c1;              \
-        fp_digit *cp ;                \
-        MULADD_BODY(a,b,c);           \
-        ix++ ; iz++ ;                 \
-    }                                 \
-};
 #endif
 
 #elif defined(TFM_SSE2)
@@ -1413,7 +1542,7 @@ __asm__  (                                                    \
 
 /* this should multiply i and j  */
 #define MULADD(i, j)                                     \
-__asm__(                                                     \
+__asm__(                                                 \
     "movd  %6,%%mm0     \n\t"                            \
     "movd  %7,%%mm1     \n\t"                            \
     "pmuludq %%mm1,%%mm0\n\t"                            \
@@ -1428,7 +1557,7 @@ __asm__(                                                     \
 #elif defined(TFM_ARM)
 /* ARM code */
 
-#define COMBA_START 
+#define COMBA_START
 
 #define COMBA_CLEAR \
    c0 = c1 = c2 = 0;
@@ -1445,7 +1574,7 @@ __asm__(                                                     \
 #define COMBA_FINI
 
 #define MULADD(i, j)                                          \
-__asm__(                                                          \
+__asm__(                                                      \
 "  UMULL  r0,r1,%6,%7           \n\t"                         \
 "  ADDS   %0,%0,r0              \n\t"                         \
 "  ADCS   %1,%1,r1              \n\t"                         \
@@ -1469,11 +1598,11 @@ __asm__(                                                          \
 #define COMBA_STORE2(x) \
    x = c1;
 
-#define COMBA_FINI 
-   
+#define COMBA_FINI
+
 /* untested: will mulhwu change the flags?  Docs say no */
-#define MULADD(i, j)              \
-__asm__(                              \
+#define MULADD(i, j)             \
+__asm__(                         \
    " mullw  16,%6,%7       \n\t" \
    " addc   %0,%0,16       \n\t" \
    " mulhwu 16,%6,%7       \n\t" \
@@ -1498,17 +1627,17 @@ __asm__(                              \
 #define COMBA_STORE2(x) \
    x = c1;
 
-#define COMBA_FINI 
-   
-/* untested: will mulhwu change the flags?  Docs say no */
+#define COMBA_FINI
+
+/* untested: will mulhdu change the flags?  Docs say no */
 #define MULADD(i, j)              \
-____asm__(                              \
-   " mulld  16,%6,%7       \n\t" \
-   " addc   %0,%0,16       \n\t" \
-   " mulhdu 16,%6,%7       \n\t" \
-   " adde   %1,%1,16       \n\t" \
-   " addze  %2,%2          \n\t" \
-:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"16");
+____asm__(                        \
+   " mulld  r16,%6,%7       \n\t" \
+   " addc   %0,%0,16        \n\t" \
+   " mulhdu r16,%6,%7       \n\t" \
+   " adde   %1,%1,16        \n\t" \
+   " addze  %2,%2           \n\t" \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"r16");
 
 #elif defined(TFM_AVR32)
 
@@ -1528,16 +1657,50 @@ ____asm__(                              \
 #define COMBA_STORE2(x) \
    x = c1;
 
-#define COMBA_FINI 
-   
+#define COMBA_FINI
+
 #define MULADD(i, j)             \
-____asm__(                             \
+____asm__(                       \
    " mulu.d r2,%6,%7        \n\t"\
    " add    %0,r2           \n\t"\
    " adc    %1,%1,r3        \n\t"\
    " acr    %2              \n\t"\
 :"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"r2","r3");
 
+#elif defined(TFM_MIPS)
+
+/* MIPS */
+#define COMBA_START
+
+#define COMBA_CLEAR \
+   c0 = c1 = c2 = 0;
+
+#define COMBA_FORWARD \
+   do { c0 = c1; c1 = c2; c2 = 0; } while (0);
+
+#define COMBA_STORE(x) \
+   x = c0;
+
+#define COMBA_STORE2(x) \
+   x = c1;
+
+#define COMBA_FINI
+
+#define MULADD(i, j)              \
+__asm__(                          \
+   " multu  %6,%7          \n\t"  \
+   " mflo   $12            \n\t"  \
+   " mfhi   $13            \n\t"  \
+   " addu    %0,%0,$12     \n\t"  \
+   " sltu   $12,%0,$12     \n\t"  \
+   " addu    %1,%1,$13     \n\t"  \
+   " sltu   $13,%1,$13     \n\t"  \
+   " addu    %1,%1,$12     \n\t"  \
+   " sltu   $12,%1,$12     \n\t"  \
+   " addu    %2,%2,$13     \n\t"  \
+   " addu    %2,%2,$12     \n\t"  \
+:"=r"(c0), "=r"(c1), "=r"(c2):"0"(c0), "1"(c1), "2"(c2), "r"(i), "r"(j):"$12","$13");
+
 #else
 /* ISO C code */
 
@@ -1555,13 +1718,15 @@ ____asm__(                             \
 #define COMBA_STORE2(x) \
    x = c1;
 
-#define COMBA_FINI 
-   
+#define COMBA_FINI
+
 #define MULADD(i, j)                                                                                                                                  \
-   do { fp_word t;                                                    \
-   t = (fp_word)c0 + ((fp_word)i) * ((fp_word)j); c0 = (fp_digit)t;   \
-   t = (fp_word)c1 + (t >> DIGIT_BIT);                                \
-   c1 = (fp_digit)t; c2 += (fp_digit)(t >> DIGIT_BIT);                \
+   do { fp_word t;                                      \
+   t = (fp_word)c0 + ((fp_word)i) * ((fp_word)j);       \
+   c0 = (fp_digit)t;                                    \
+   t = (fp_word)c1 + (t >> DIGIT_BIT);                  \
+   c1 = (fp_digit)t;                                    \
+   c2 += (fp_digit)(t >> DIGIT_BIT);                    \
    } while (0);
 
 #endif
@@ -1571,46 +1736,46 @@ ____asm__(                             \
     #include "fp_mul_comba_small_set.i"
 #endif
 
-#if defined(TFM_MUL3)
+#if defined(TFM_MUL3) && FP_SIZE >= 6
     #include "fp_mul_comba_3.i"
 #endif
-#if defined(TFM_MUL4)
+#if defined(TFM_MUL4) && FP_SIZE >= 8
     #include "fp_mul_comba_4.i"
 #endif
-#if defined(TFM_MUL6)
+#if defined(TFM_MUL6) && FP_SIZE >= 12
     #include "fp_mul_comba_6.i"
 #endif
-#if defined(TFM_MUL7)
+#if defined(TFM_MUL7) && FP_SIZE >= 14
     #include "fp_mul_comba_7.i"
 #endif
-#if defined(TFM_MUL8)
+#if defined(TFM_MUL8) && FP_SIZE >= 16
     #include "fp_mul_comba_8.i"
 #endif
-#if defined(TFM_MUL9)
+#if defined(TFM_MUL9) && FP_SIZE >= 18
     #include "fp_mul_comba_9.i"
 #endif
-#if defined(TFM_MUL12)
+#if defined(TFM_MUL12) && FP_SIZE >= 24
     #include "fp_mul_comba_12.i"
 #endif
-#if defined(TFM_MUL17)
+#if defined(TFM_MUL17) && FP_SIZE >= 34
     #include "fp_mul_comba_17.i"
 #endif
-#if defined(TFM_MUL20)
+#if defined(TFM_MUL20) && FP_SIZE >= 40
     #include "fp_mul_comba_20.i"
 #endif
-#if defined(TFM_MUL24)
+#if defined(TFM_MUL24) && FP_SIZE >= 48
     #include "fp_mul_comba_24.i"
 #endif
-#if defined(TFM_MUL28)
+#if defined(TFM_MUL28) && FP_SIZE >= 56
     #include "fp_mul_comba_28.i"
 #endif
-#if defined(TFM_MUL32)
+#if defined(TFM_MUL32) && FP_SIZE >= 64
     #include "fp_mul_comba_32.i"
 #endif
-#if defined(TFM_MUL48)
+#if defined(TFM_MUL48) && FP_SIZE >= 96
     #include "fp_mul_comba_48.i"
 #endif
-#if defined(TFM_MUL64)
+#if defined(TFM_MUL64) && FP_SIZE >= 128
     #include "fp_mul_comba_64.i"
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asn.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asn.c
index e3d9ff44b..c4e60043f 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asn.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/asn.c
@@ -1,8 +1,8 @@
 /* asn.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,21 +16,47 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#ifndef NO_ASN
+/*
+ASN Options:
+ * NO_ASN_TIME: Disables time parts of the ASN code for systems without an RTC
+    or wishing to save space.
+ * IGNORE_NAME_CONSTRAINTS: Skip ASN name checks.
+ * ASN_DUMP_OID: Allows dump of OID information for debugging.
+ * RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
+ * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
+ * WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to
+    restore 3.13.0 behavior.
+ * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
+    must still be trusted)
+ * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
+    chain is not loaded. This only matches on subject and public key and
+    does not perform a PKI validation, so it is not a secure solution.
+    Only enabled for OCSP.
+ * WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to
+    disable checking of OCSP subject hash with issuer hash.
+ * WOLFSSL_SMALL_CERT_VERIFY: Verify the certificate signature without using
+    DecodedCert. Doubles up on some code but allows smaller dynamic memory
+    usage.
+ * WOLFSSL_NO_OCSP_DATE_CHECK: Disable date checks for OCSP responses. This
+    may be required when the system's real-time clock is not very accurate.
+    It is recommended to enforce the nonce check instead if possible.
+ * WOLFSSL_FORCE_OCSP_NONCE_CHECK: Require nonces to be available in OCSP
+    responses. The nonces are optional and may not be supported by all
+    responders. If it can be ensured that the used responder sends nonces this
+    option may improve security.
+*/
 
-#ifdef HAVE_RTP_SYS
-    #include "os.h"           /* dc_rtc_api needs    */
-    #include "dc_rtc_api.h"   /* to get current time */
-#endif
+#ifndef NO_ASN
 
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/coding.h>
@@ -39,17 +65,25 @@
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/pwdbased.h>
 #include <wolfssl/wolfcrypt/des3.h>
+#include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/wc_encrypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
 
 #include <wolfssl/wolfcrypt/random.h>
-
+#include <wolfssl/wolfcrypt/hash.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
 
 #ifndef NO_RC4
     #include <wolfssl/wolfcrypt/arc4.h>
 #endif
 
 #ifdef HAVE_NTRU
-    #include "ntru_crypto.h"
+    #include "libntruencrypt/ntru_crypto.h"
 #endif
 
 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
@@ -64,478 +98,640 @@
     #include <wolfssl/wolfcrypt/ecc.h>
 #endif
 
-#ifdef WOLFSSL_DEBUG_ENCODING
-    #ifdef FREESCALE_MQX
-        #include <fio.h>
-    #else
-        #include <stdio.h>
-    #endif
+#ifdef HAVE_ED25519
+    #include <wolfssl/wolfcrypt/ed25519.h>
 #endif
 
-#ifdef _MSC_VER
-    /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
-    #pragma warning(disable: 4996)
+#ifdef HAVE_ED448
+    #include <wolfssl/wolfcrypt/ed448.h>
 #endif
 
-
-#ifndef TRUE
-    #define TRUE  1
+#ifndef NO_RSA
+    #include <wolfssl/wolfcrypt/rsa.h>
+#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
+extern int wc_InitRsaHw(RsaKey* key);
 #endif
-#ifndef FALSE
-    #define FALSE 0
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 
-#ifdef HAVE_RTP_SYS
-    /* uses parital <time.h> structures */
-    #define XTIME(tl)  (0)
-    #define XGMTIME(c, t) my_gmtime((c))
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
-#elif defined(MICRIUM)
-    #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-        #define XVALIDATE_DATE(d,f,t) NetSecure_ValidateDateHandler((d),(f),(t))
-    #else
-        #define XVALIDATE_DATE(d, f, t) (0)
-    #endif
-    #define NO_TIME_H
-    /* since Micrium not defining XTIME or XGMTIME, CERT_GEN not available */
-#elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
-    #include <time.h>
-    #define XTIME(t1) pic32_time((t1))
-    #define XGMTIME(c, t) gmtime((c))
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
-#elif defined(FREESCALE_MQX)
-    #define XTIME(t1)  mqx_time((t1))
-    #define XGMTIME(c, t) mqx_gmtime((c), (t))
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
-#elif defined(WOLFSSL_MDK_ARM)
-    #if defined(WOLFSSL_MDK5)
-        #include "cmsis_os.h"
-    #else
-        #include <rtl.h>
-    #endif
-    #undef RNG
-    #include "wolfssl_MDK_ARM.h"
-    #undef RNG
-    #define RNG wolfSSL_RNG /*for avoiding name conflict in "stm32f2xx.h" */
-    #define XTIME(tl)  (0)
-    #define XGMTIME(c, t) wolfssl_MDK_gmtime((c))
-    #define XVALIDATE_DATE(d, f, t)  ValidateDate((d), (f), (t))
-#elif defined(USER_TIME)
-    /* user time, and gmtime compatible functions, there is a gmtime 
-       implementation here that WINCE uses, so really just need some ticks
-       since the EPOCH 
-    */
-
-    struct tm {
-    int tm_sec;     /* seconds after the minute [0-60] */
-    int tm_min;     /* minutes after the hour [0-59] */
-    int tm_hour;    /* hours since midnight [0-23] */
-    int tm_mday;    /* day of the month [1-31] */
-    int tm_mon;     /* months since January [0-11] */
-    int tm_year;    /* years since 1900 */
-    int tm_wday;    /* days since Sunday [0-6] */
-    int tm_yday;    /* days since January 1 [0-365] */
-    int tm_isdst;   /* Daylight Savings Time flag */
-    long    tm_gmtoff;  /* offset from CUT in seconds */
-    char    *tm_zone;   /* timezone abbreviation */
-    };
-    typedef long time_t;
-
-    /* forward declaration */
-    struct tm* gmtime(const time_t* timer);
-    extern time_t XTIME(time_t * timer);
-
-    #define XGMTIME(c, t) gmtime((c))
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
-
-    #ifdef STACK_TRAP
-        /* for stack trap tracking, don't call os gmtime on OS X/linux,
-           uses a lot of stack spce */
-        extern time_t time(time_t * timer);
-        #define XTIME(tl)  time((tl))
-    #endif /* STACK_TRAP */
-
-#elif defined(TIME_OVERRIDES)
-    /* user would like to override time() and gmtime() functionality */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    #include <wolfssl/openssl/objects.h>
+#endif
 
-    #ifndef HAVE_TIME_T_TYPE
-        typedef long time_t;
-    #endif
-    extern time_t XTIME(time_t * timer);
-
-    #ifndef HAVE_TM_TYPE
-        struct tm {
-            int  tm_sec;     /* seconds after the minute [0-60] */
-            int  tm_min;     /* minutes after the hour [0-59] */
-            int  tm_hour;    /* hours since midnight [0-23] */
-            int  tm_mday;    /* day of the month [1-31] */
-            int  tm_mon;     /* months since January [0-11] */
-            int  tm_year;    /* years since 1900 */
-            int  tm_wday;    /* days since Sunday [0-6] */
-            int  tm_yday;    /* days since January 1 [0-365] */
-            int  tm_isdst;   /* Daylight Savings Time flag */
-            long tm_gmtoff;  /* offset from CUT in seconds */
-            char *tm_zone;   /* timezone abbreviation */
-        };
-    #endif
-    extern struct tm* XGMTIME(const time_t* timer, struct tm* tmp);
+#ifdef _MSC_VER
+    /* 4996 warning to use MS extensions e.g., strcpy_s instead of XSTRNCPY */
+    #pragma warning(disable: 4996)
+#endif
 
-    #ifndef HAVE_VALIDATE_DATE
-        #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
+#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
+
+#if defined(HAVE_SELFTEST) || ( !defined(NO_SKID) && \
+                                ( !defined(HAVE_FIPS) || \
+                                  !defined(HAVE_FIPS_VERSION) ))
+    #ifndef WOLFSSL_AES_KEY_SIZE_ENUM
+    #define WOLFSSL_AES_KEY_SIZE_ENUM
+    enum Asn_Misc {
+        AES_IV_SIZE         = 16,
+        AES_128_KEY_SIZE    = 16,
+        AES_192_KEY_SIZE    = 24,
+        AES_256_KEY_SIZE    = 32
+    };
     #endif
-#else
-    /* default */
-    /* uses complete <time.h> facility */
-    #include <time.h>
-    #define XTIME(tl)     time((tl))
-    #define XGMTIME(c, t) gmtime((c))
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
 #endif
-
-
-#ifdef _WIN32_WCE
-/* no time() or gmtime() even though in time.h header?? */
-
-#include <windows.h>
-
-
-time_t time(time_t* timer)
+#ifdef WOLFSSL_RENESAS_TSIP_TLS
+void tsip_inform_key_position(const word32 key_n_start,
+                const word32 key_n_len, const word32 key_e_start,
+                const word32 key_e_len);
+int tsip_tls_CertVerify(const byte *cert, word32 certSz,
+                        const byte *signature, word32 sigSz,
+                        word32 key_n_start, word32 key_n_len,
+                        word32 key_e_start, word32 key_e_len,
+                        byte *tsip_encRsaKeyIdx);
+#endif
+int GetLength(const byte* input, word32* inOutIdx, int* len,
+                           word32 maxIdx)
 {
-    SYSTEMTIME     sysTime;
-    FILETIME       fTime;
-    ULARGE_INTEGER intTime;
-    time_t         localTime;
-
-    if (timer == NULL)
-        timer = &localTime;
-
-    GetSystemTime(&sysTime);
-    SystemTimeToFileTime(&sysTime, &fTime);
-
-    XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
-    /* subtract EPOCH */
-    intTime.QuadPart -= 0x19db1ded53e8000;
-    /* to secs */
-    intTime.QuadPart /= 10000000;
-    *timer = (time_t)intTime.QuadPart;
-
-    return *timer;
+    return GetLength_ex(input, inOutIdx, len, maxIdx, 1);
 }
 
-#endif /*  _WIN32_WCE */
-#if defined( _WIN32_WCE ) || defined( USER_TIME )
 
-struct tm* gmtime(const time_t* timer)
+/* give option to check length value found against index. 1 to check 0 to not */
+int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
+                           word32 maxIdx, int check)
 {
-    #define YEAR0          1900
-    #define EPOCH_YEAR     1970
-    #define SECS_DAY       (24L * 60L * 60L)
-    #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400)))
-    #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
+    int     length = 0;
+    word32  idx = *inOutIdx;
+    byte    b;
 
-    static const int _ytab[2][12] =
-    {
-        {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
-        {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
-    };
+    *len = 0;    /* default length */
 
-    static struct tm st_time;
-    struct tm* ret = &st_time;
-    time_t secs = *timer;
-    unsigned long dayclock, dayno;
-    int year = EPOCH_YEAR;
+    if ((idx + 1) > maxIdx) {   /* for first read */
+        WOLFSSL_MSG("GetLength bad index on input");
+        return BUFFER_E;
+    }
 
-    dayclock = (unsigned long)secs % SECS_DAY;
-    dayno    = (unsigned long)secs / SECS_DAY;
+    b = input[idx++];
+    if (b >= ASN_LONG_LENGTH) {
+        word32 bytes = b & 0x7F;
 
-    ret->tm_sec  = (int) dayclock % 60;
-    ret->tm_min  = (int)(dayclock % 3600) / 60;
-    ret->tm_hour = (int) dayclock / 3600;
-    ret->tm_wday = (int) (dayno + 4) % 7;        /* day 0 a Thursday */
+        if ((idx + bytes) > maxIdx) {   /* for reading bytes */
+            WOLFSSL_MSG("GetLength bad long length");
+            return BUFFER_E;
+        }
 
-    while(dayno >= (unsigned long)YEARSIZE(year)) {
-        dayno -= YEARSIZE(year);
-        year++;
+        if (bytes > sizeof(length)) {
+            return ASN_PARSE_E;
+        }
+        while (bytes--) {
+            b = input[idx++];
+            length = (length << 8) | b;
+        }
+        if (length < 0) {
+            return ASN_PARSE_E;
+        }
     }
+    else
+        length = b;
 
-    ret->tm_year = year - YEAR0;
-    ret->tm_yday = (int)dayno;
-    ret->tm_mon  = 0;
-
-    while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
-        dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
-        ret->tm_mon++;
+    if (check && (idx + length) > maxIdx) {   /* for user of length */
+        WOLFSSL_MSG("GetLength value exceeds buffer length");
+        return BUFFER_E;
     }
 
-    ret->tm_mday  = (int)++dayno;
-    ret->tm_isdst = 0;
+    *inOutIdx = idx;
+    if (length > 0)
+        *len = length;
 
-    return ret;
+    return length;
 }
 
-#endif /* _WIN32_WCE  || USER_TIME */
 
+/* input : buffer to read from
+ * inOutIdx : index to start reading from, gets advanced by 1 if successful
+ * maxIdx : maximum index value
+ * tag : ASN tag value found
+ *
+ * returns 0 on success
+ */
+int GetASNTag(const byte* input, word32* inOutIdx, byte* tag, word32 maxIdx)
+{
+    word32 idx;
 
-#ifdef HAVE_RTP_SYS
+    if (tag == NULL || inOutIdx == NULL || input == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-#define YEAR0          1900
+    idx = *inOutIdx;
+    if (idx + ASN_TAG_SZ > maxIdx) {
+        WOLFSSL_MSG("Buffer too small for ASN tag");
+        return BUFFER_E;
+    }
 
-struct tm* my_gmtime(const time_t* timer)       /* has a gmtime() but hangs */
-{
-    static struct tm st_time;
-    struct tm* ret = &st_time;
+    *tag = input[idx];
+    *inOutIdx = idx + ASN_TAG_SZ;
+    return 0;
+}
 
-    DC_RTC_CALENDAR cal;
-    dc_rtc_time_get(&cal, TRUE);
 
-    ret->tm_year  = cal.year - YEAR0;       /* gm starts at 1900 */
-    ret->tm_mon   = cal.month - 1;          /* gm starts at 0 */
-    ret->tm_mday  = cal.day;
-    ret->tm_hour  = cal.hour;
-    ret->tm_min   = cal.minute;
-    ret->tm_sec   = cal.second;
+static int GetASNHeader_ex(const byte* input, byte tag, word32* inOutIdx, int* len,
+                        word32 maxIdx, int check)
+{
+    word32 idx = *inOutIdx;
+    byte   tagFound;
+    int    length;
 
-    return ret;
-}
+    if (GetASNTag(input, &idx, &tagFound, maxIdx) != 0)
+        return ASN_PARSE_E;
 
-#endif /* HAVE_RTP_SYS */
+    if (tagFound != tag)
+        return ASN_PARSE_E;
+
+    if (GetLength_ex(input, &idx, &length, maxIdx, check) < 0)
+        return ASN_PARSE_E;
 
+    *len      = length;
+    *inOutIdx = idx;
+    return length;
+}
 
-#if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
 
-/*
- * time() is just a stub in Microchip libraries. We need our own
- * implementation. Use SNTP client to get seconds since epoch.
+/* Get the DER/BER encoding of an ASN.1 header.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * tag       ASN.1 tag value expected in header.
+ * inOutIdx  Current index into buffer to parse.
+ * len       The number of bytes in the ASN.1 data.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_PARSE_E when the expected tag is not found or length is invalid.
+ *         Otherwise, the number of bytes in the ASN.1 data.
  */
-time_t pic32_time(time_t* timer)
+static int GetASNHeader(const byte* input, byte tag, word32* inOutIdx, int* len,
+                        word32 maxIdx)
 {
-#ifdef MICROCHIP_TCPIP_V5
-    DWORD sec = 0;
-#else
-    uint32_t sec = 0;
-#endif
-    time_t localTime;
-
-    if (timer == NULL)
-        timer = &localTime;
+    return GetASNHeader_ex(input, tag, inOutIdx, len, maxIdx, 1);
+}
 
-#ifdef MICROCHIP_MPLAB_HARMONY
-    sec = TCPIP_SNTP_UTCSecondsGet();
-#else
-    sec = SNTPGetUTCSeconds();
-#endif
-    *timer = (time_t) sec;
+static int GetHeader(const byte* input, byte* tag, word32* inOutIdx, int* len,
+                     word32 maxIdx, int check)
+{
+    word32 idx = *inOutIdx;
+    int    length;
 
-    return *timer;
-}
+    if ((idx + 1) > maxIdx)
+        return BUFFER_E;
 
-#endif /* MICROCHIP_TCPIP */
+    *tag = input[idx++];
 
+    if (GetLength_ex(input, &idx, &length, maxIdx, check) < 0)
+        return ASN_PARSE_E;
 
-#ifdef FREESCALE_MQX
+    *len      = length;
+    *inOutIdx = idx;
+    return length;
+}
 
-time_t mqx_time(time_t* timer)
+int GetSequence(const byte* input, word32* inOutIdx, int* len,
+                           word32 maxIdx)
 {
-    time_t localTime;
-    TIME_STRUCT time_s;
-
-    if (timer == NULL)
-        timer = &localTime;
+    return GetASNHeader(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len,
+                        maxIdx);
+}
 
-    _time_get(&time_s);
-    *timer = (time_t) time_s.SECONDS;
 
-    return *timer;
+int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
+                           word32 maxIdx, int check)
+{
+    return GetASNHeader_ex(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len,
+                        maxIdx, check);
 }
 
-/* CodeWarrior GCC toolchain only has gmtime_r(), no gmtime() */
-struct tm* mqx_gmtime(const time_t* clock, struct tm* tmpTime)
+
+int GetSet(const byte* input, word32* inOutIdx, int* len,
+                        word32 maxIdx)
 {
-    return gmtime_r(clock, tmpTime);
+    return GetASNHeader(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len,
+                        maxIdx);
 }
 
-#endif /* FREESCALE_MQX */
 
-#ifdef WOLFSSL_TIRTOS
+int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
+                        word32 maxIdx, int check)
+{
+    return GetASNHeader_ex(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len,
+                        maxIdx, check);
+}
 
-time_t XTIME(time_t * timer)
+/* Get the DER/BER encoded ASN.1 NULL element.
+ * Ensure that the all fields are as expected and move index past the element.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_TAG_NULL_E when the NULL tag is not found.
+ *         ASN_EXPECT_0_E when the length is not zero.
+ *         Otherwise, 0 to indicate success.
+ */
+static int GetASNNull(const byte* input, word32* inOutIdx, word32 maxIdx)
 {
-    time_t sec = 0;
+    word32 idx = *inOutIdx;
+    byte   b;
+
+    if ((idx + 2) > maxIdx)
+        return BUFFER_E;
 
-    sec = (time_t) Seconds_get();
+    b = input[idx++];
+    if (b != ASN_TAG_NULL)
+        return ASN_TAG_NULL_E;
 
-    if (timer != NULL)
-        *timer = sec;
+    if (input[idx++] != 0)
+        return ASN_EXPECT_0_E;
 
-    return sec;
+    *inOutIdx = idx;
+    return 0;
 }
 
-#endif /* WOLFSSL_TIRTOS */
-
-static INLINE word32 btoi(byte b)
+/* Set the DER/BER encoding of the ASN.1 NULL element.
+ *
+ * output  Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+static int SetASNNull(byte* output)
 {
-    return b - 0x30;
-}
+    output[0] = ASN_TAG_NULL;
+    output[1] = 0;
 
+    return 2;
+}
 
-/* two byte date/time, add to value */
-static INLINE void GetTime(int* value, const byte* date, int* idx)
+/* Get the DER/BER encoding of an ASN.1 BOOLEAN.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_PARSE_E when the BOOLEAN tag is not found or length is not 1.
+ *         Otherwise, 0 to indicate the value was false and 1 to indicate true.
+ */
+static int GetBoolean(const byte* input, word32* inOutIdx, word32 maxIdx)
 {
-    int i = *idx;
+    word32 idx = *inOutIdx;
+    byte   b;
 
-    *value += btoi(date[i++]) * 10;
-    *value += btoi(date[i++]);
+    if ((idx + 3) > maxIdx)
+        return BUFFER_E;
 
-    *idx = i;
+    b = input[idx++];
+    if (b != ASN_BOOLEAN)
+        return ASN_PARSE_E;
+
+    if (input[idx++] != 1)
+        return ASN_PARSE_E;
+
+    b = input[idx++] != 0;
+
+    *inOutIdx = idx;
+    return b;
 }
 
+#ifdef ASN1_SET_BOOLEAN
+/* Set the DER/BER encoding of the ASN.1 NULL element.
+ * Note: Function not required as yet.
+ *
+ * val     Boolean value to encode.
+ * output  Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+static int SetBoolean(int val, byte* output)
+{
+    output[0] = ASN_BOOLEAN;
+    output[1] = 1;
+    output[2] = val ? -1 : 0;
 
-#if defined(MICRIUM)
+    return 3;
+}
+#endif
 
-CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
-                                         CPU_INT08U dateType)
+/* Get the DER/BER encoding of an ASN.1 OCTET_STRING header.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * len       The number of bytes in the ASN.1 data.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_PARSE_E when the OCTET_STRING tag is not found or length is
+ *         invalid.
+ *         Otherwise, the number of bytes in the ASN.1 data.
+ */
+int GetOctetString(const byte* input, word32* inOutIdx, int* len,
+                          word32 maxIdx)
 {
-    CPU_BOOLEAN  rtn_code;
-    CPU_INT32S   i;
-    CPU_INT32S   val;    
-    CPU_INT16U   year;
-    CPU_INT08U   month;
-    CPU_INT16U   day;
-    CPU_INT08U   hour;
-    CPU_INT08U   min;
-    CPU_INT08U   sec;
+    return GetASNHeader(input, ASN_OCTET_STRING, inOutIdx, len, maxIdx);
+}
 
-    i    = 0;
-    year = 0u;
+/* Get the DER/BER encoding of an ASN.1 INTEGER header.
+ * Removes the leading zero byte when found.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * len       The number of bytes in the ASN.1 data (excluding any leading zero).
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_PARSE_E when the INTEGER tag is not found, length is invalid,
+ *         or invalid use of or missing leading zero.
+ *         Otherwise, 0 to indicate success.
+ */
+static int GetASNInt(const byte* input, word32* inOutIdx, int* len,
+                     word32 maxIdx)
+{
+    int    ret;
 
-    if (format == ASN_UTC_TIME) {
-        if (btoi(date[0]) >= 5)
-            year = 1900;
-        else
-            year = 2000;
-    }
-    else  { /* format == GENERALIZED_TIME */
-        year += btoi(date[i++]) * 1000;
-        year += btoi(date[i++]) * 100;
-    }    
+    ret = GetASNHeader(input, ASN_INTEGER, inOutIdx, len, maxIdx);
+    if (ret < 0)
+        return ret;
 
-    val = year;
-    GetTime(&val, date, &i);
-    year = (CPU_INT16U)val;
+    if (*len > 0) {
+        /* remove leading zero, unless there is only one 0x00 byte */
+        if ((input[*inOutIdx] == 0x00) && (*len > 1)) {
+            (*inOutIdx)++;
+            (*len)--;
 
-    val = 0;
-    GetTime(&val, date, &i);   
-    month = (CPU_INT08U)val;   
+            if (*len > 0 && (input[*inOutIdx] & 0x80) == 0)
+                return ASN_PARSE_E;
+        }
+    }
 
-    val = 0;
-    GetTime(&val, date, &i);  
-    day = (CPU_INT16U)val;
+    return 0;
+}
 
-    val = 0;
-    GetTime(&val, date, &i);  
-    hour = (CPU_INT08U)val;
+/* Get the DER/BER encoding of an ASN.1 INTEGER that has a value of no more than
+ * 7 bits.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_PARSE_E when the INTEGER tag is not found or length is invalid.
+ *         Otherwise, the 7-bit value.
+ */
+static int GetInteger7Bit(const byte* input, word32* inOutIdx, word32 maxIdx)
+{
+    word32 idx = *inOutIdx;
+    byte   b;
 
-    val = 0;
-    GetTime(&val, date, &i);  
-    min = (CPU_INT08U)val;
+    if ((idx + 3) > maxIdx)
+        return BUFFER_E;
 
-    val = 0;
-    GetTime(&val, date, &i);  
-    sec = (CPU_INT08U)val;
+    if (GetASNTag(input, &idx, &b, maxIdx) != 0)
+        return ASN_PARSE_E;
+    if (b != ASN_INTEGER)
+        return ASN_PARSE_E;
+    if (input[idx++] != 1)
+        return ASN_PARSE_E;
+    b = input[idx++];
 
-    return NetSecure_ValidateDate(year, month, day, hour, min, sec, dateType); 
+    *inOutIdx = idx;
+    return b;
 }
 
-#endif /* MICRIUM */
 
+#if !defined(NO_DSA) && !defined(NO_SHA)
+static const char sigSha1wDsaName[] = "SHAwDSA";
+#endif /* NO_DSA */
+#ifndef NO_RSA
+#ifdef WOLFSSL_MD2
+    static const char  sigMd2wRsaName[] = "md2WithRSAEncryption";
+#endif
+#ifndef NO_MD5
+    static const char  sigMd5wRsaName[] = "md5WithRSAEncryption";
+#endif
+#ifndef NO_SHA
+    static const char  sigSha1wRsaName[] = "sha1WithRSAEncryption";
+#endif
+#ifdef WOLFSSL_SHA224
+    static const char sigSha224wRsaName[] = "sha224WithRSAEncryption";
+#endif
+#ifndef NO_SHA256
+    static const char sigSha256wRsaName[] = "sha256WithRSAEncryption";
+#endif
+#ifdef WOLFSSL_SHA384
+    static const char sigSha384wRsaName[] = "sha384WithRSAEncryption";
+#endif
+#ifdef WOLFSSL_SHA512
+    static const char sigSha512wRsaName[] = "sha512WithRSAEncryption";
+#endif
+#endif /* NO_RSA */
+#ifdef HAVE_ECC
+#ifndef NO_SHA
+    static const char sigSha1wEcdsaName[] = "SHAwECDSA";
+#endif
+#ifdef WOLFSSL_SHA224
+    static const char sigSha224wEcdsaName[] = "SHA224wECDSA";
+#endif
+#ifndef NO_SHA256
+    static const char sigSha256wEcdsaName[] = "SHA256wECDSA";
+#endif
+#ifdef WOLFSSL_SHA384
+    static const char sigSha384wEcdsaName[] = "SHA384wECDSA";
+#endif
+#ifdef WOLFSSL_SHA512
+    static const char sigSha512wEcdsaName[] = "SHA512wECDSA";
+#endif
+#endif /* HAVE_ECC */
+static const char sigUnknownName[] = "Unknown";
 
-WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
-                           word32 maxIdx)
-{
-    int     length = 0;
-    word32  i = *inOutIdx;
-    byte    b;
-
-    *len = 0;    /* default length */
 
-    if ( (i+1) > maxIdx) {   /* for first read */
-        WOLFSSL_MSG("GetLength bad index on input");
-        return BUFFER_E;
+/* Get the human readable string for a signature type
+ *
+ * oid  Oid value for signature
+ */
+const char* GetSigName(int oid) {
+    switch (oid) {
+    #if !defined(NO_DSA) && !defined(NO_SHA)
+        case CTC_SHAwDSA:
+            return sigSha1wDsaName;
+    #endif /* NO_DSA && NO_SHA */
+    #ifndef NO_RSA
+        #ifdef WOLFSSL_MD2
+        case CTC_MD2wRSA:
+            return sigMd2wRsaName;
+        #endif
+        #ifndef NO_MD5
+        case CTC_MD5wRSA:
+            return sigMd5wRsaName;
+        #endif
+        #ifndef NO_SHA
+        case CTC_SHAwRSA:
+            return sigSha1wRsaName;
+        #endif
+        #ifdef WOLFSSL_SHA224
+        case CTC_SHA224wRSA:
+            return sigSha224wRsaName;
+        #endif
+        #ifndef NO_SHA256
+        case CTC_SHA256wRSA:
+            return sigSha256wRsaName;
+        #endif
+        #ifdef WOLFSSL_SHA384
+        case CTC_SHA384wRSA:
+            return sigSha384wRsaName;
+        #endif
+        #ifdef WOLFSSL_SHA512
+        case CTC_SHA512wRSA:
+            return sigSha512wRsaName;
+        #endif
+    #endif /* NO_RSA */
+    #ifdef HAVE_ECC
+        #ifndef NO_SHA
+        case CTC_SHAwECDSA:
+            return sigSha1wEcdsaName;
+        #endif
+        #ifdef WOLFSSL_SHA224
+        case CTC_SHA224wECDSA:
+            return sigSha224wEcdsaName;
+        #endif
+        #ifndef NO_SHA256
+        case CTC_SHA256wECDSA:
+            return sigSha256wEcdsaName;
+        #endif
+        #ifdef WOLFSSL_SHA384
+        case CTC_SHA384wECDSA:
+            return sigSha384wEcdsaName;
+        #endif
+        #ifdef WOLFSSL_SHA512
+        case CTC_SHA512wECDSA:
+            return sigSha512wEcdsaName;
+        #endif
+    #endif /* HAVE_ECC */
+        default:
+            return sigUnknownName;
     }
+}
 
-    b = input[i++];
-    if (b >= ASN_LONG_LENGTH) {        
-        word32 bytes = b & 0x7F;
 
-        if ( (i+bytes) > maxIdx) {   /* for reading bytes */
-            WOLFSSL_MSG("GetLength bad long length");
-            return BUFFER_E;
-        }
+#if !defined(NO_DSA) || defined(HAVE_ECC) || !defined(NO_CERTS) || \
+   (!defined(NO_RSA) && \
+        (defined(WOLFSSL_CERT_GEN) || \
+        ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(HAVE_USER_RSA))))
+/* Set the DER/BER encoding of the ASN.1 INTEGER header.
+ *
+ * len        Length of data to encode.
+ * firstByte  First byte of data, most significant byte of integer, to encode.
+ * output     Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+static int SetASNInt(int len, byte firstByte, byte* output)
+{
+    word32 idx = 0;
 
-        while (bytes--) {
-            b = input[i++];
-            length = (length << 8) | b;
-        }
-    }
-    else
-        length = b;
-    
-    if ( (i+length) > maxIdx) {   /* for user of length */
-        WOLFSSL_MSG("GetLength value exceeds buffer length");
-        return BUFFER_E;
+    if (output)
+        output[idx] = ASN_INTEGER;
+    idx++;
+    if (firstByte & 0x80)
+        len++;
+    idx += SetLength(len, output ? output + idx : NULL);
+    if (firstByte & 0x80) {
+        if (output)
+            output[idx] = 0x00;
+        idx++;
     }
 
-    *inOutIdx = i;
-    if (length > 0)
-        *len = length;
-
-    return length;
+    return idx;
 }
+#endif
 
-
-WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
-                           word32 maxIdx)
+#if !defined(NO_DSA) || defined(HAVE_ECC) || (defined(WOLFSSL_CERT_GEN) && \
+    !defined(NO_RSA)) || ((defined(WOLFSSL_KEY_GEN) || \
+    defined(OPENSSL_EXTRA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA))
+/* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int.
+ * The number is assumed to be positive.
+ *
+ * n       Multi-precision integer to encode.
+ * maxSz   Maximum size of the encoded integer.
+ *         A negative value indicates no check of length requested.
+ * output  Buffer to write into.
+ * returns BUFFER_E when the data is too long for the buffer.
+ *         MP_TO_E when encoding the integer fails.
+ *         Otherwise, the number of bytes added to the buffer.
+ */
+static int SetASNIntMP(mp_int* n, int maxSz, byte* output)
 {
-    int    length = -1;
-    word32 idx    = *inOutIdx;
+    int idx = 0;
+    int leadingBit;
+    int length;
+    int err;
 
-    if (input[idx++] != (ASN_SEQUENCE | ASN_CONSTRUCTED) ||
-            GetLength(input, &idx, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
+    leadingBit = mp_leading_bit(n);
+    length = mp_unsigned_bin_size(n);
+    idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output);
+    if (maxSz >= 0 && (idx + length) > maxSz)
+        return BUFFER_E;
 
-    *len      = length;
-    *inOutIdx = idx;
+    if (output) {
+        err = mp_to_unsigned_bin(n, output + idx);
+        if (err != MP_OKAY)
+            return MP_TO_E;
+    }
+    idx += length;
 
-    return length;
+    return idx;
 }
+#endif
 
-
-WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
-                        word32 maxIdx)
+#if !defined(NO_RSA) && defined(HAVE_USER_RSA) && \
+    (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA))
+/* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int from
+ * an RSA key.
+ * The number is assumed to be positive.
+ *
+ * n       Multi-precision integer to encode.
+ * output  Buffer to write into.
+ * returns BUFFER_E when the data is too long for the buffer.
+ *         MP_TO_E when encoding the integer fails.
+ *         Otherwise, the number of bytes added to the buffer.
+ */
+static int SetASNIntRSA(void* n, byte* output)
 {
-    int    length = -1;
-    word32 idx    = *inOutIdx;
+    int idx = 0;
+    int leadingBit;
+    int length;
+    int err;
 
-    if (input[idx++] != (ASN_SET | ASN_CONSTRUCTED) ||
-            GetLength(input, &idx, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
+    leadingBit = wc_Rsa_leading_bit(n);
+    length = wc_Rsa_unsigned_bin_size(n);
+    idx = SetASNInt(length, leadingBit ? 0x80 : 0x00, output);
+    if ((idx + length) > MAX_RSA_INT_SZ)
+        return BUFFER_E;
 
-    *len      = length;
-    *inOutIdx = idx;
+    if (output) {
+        err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
+        if (err != MP_OKAY)
+            return MP_TO_E;
+    }
+    idx += length;
 
-    return length;
+    return idx;
 }
+#endif /* !NO_RSA && HAVE_USER_RSA && WOLFSSL_CERT_GEN */
 
-
-/* winodws header clash for WinCE using GetVersion */
-WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
+/* Windows header clash for WinCE using GetVersion */
+int GetMyVersion(const byte* input, word32* inOutIdx,
+                               int* version, word32 maxIdx)
 {
     word32 idx = *inOutIdx;
+    byte   tag;
 
-    WOLFSSL_ENTER("GetMyVersion");
+    if ((idx + MIN_VERSION_SZ) > maxIdx)
+        return ASN_PARSE_E;
 
-    if (input[idx++] != ASN_INTEGER)
+    if (GetASNTag(input, &idx, &tag, maxIdx) != 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_INTEGER)
         return ASN_PARSE_E;
 
     if (input[idx++] != 0x01)
@@ -550,20 +746,31 @@ WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version
 
 #ifndef NO_PWDBASED
 /* Get small count integer, 32 bits or less */
-static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
+int GetShortInt(const byte* input, word32* inOutIdx, int* number, word32 maxIdx)
 {
     word32 idx = *inOutIdx;
     word32 len;
+    byte   tag;
 
     *number = 0;
 
-    if (input[idx++] != ASN_INTEGER)
+    /* check for type and length bytes */
+    if ((idx + 2) > maxIdx)
+        return BUFFER_E;
+
+    if (GetASNTag(input, &idx, &tag, maxIdx) != 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_INTEGER)
         return ASN_PARSE_E;
 
     len = input[idx++];
     if (len > 4)
         return ASN_PARSE_E;
 
+    if (len + idx > maxIdx)
+        return ASN_PARSE_E;
+
     while (len--) {
         *number  = *number << 8 | input[idx++];
     }
@@ -572,18 +779,68 @@ static int GetShortInt(const byte* input, word32* inOutIdx, int* number)
 
     return *number;
 }
-#endif /* !NO_PWDBASED */
 
 
+/* Set small integer, 32 bits or less. DER encoding with no leading 0s
+ * returns total amount written including ASN tag and length byte on success */
+int SetShortInt(byte* input, word32* inOutIdx, word32 number, word32 maxIdx)
+{
+    word32 idx = *inOutIdx;
+    word32 len = 0;
+    int    i;
+    byte ar[MAX_LENGTH_SZ];
+
+    /* check for room for type and length bytes */
+    if ((idx + 2) > maxIdx)
+        return BUFFER_E;
+
+    input[idx++] = ASN_INTEGER;
+    idx++; /* place holder for length byte */
+    if (MAX_LENGTH_SZ + idx > maxIdx)
+        return ASN_PARSE_E;
+
+    /* find first non zero byte */
+    XMEMSET(ar, 0, MAX_LENGTH_SZ);
+    c32toa(number, ar);
+    for (i = 0; i < MAX_LENGTH_SZ; i++) {
+        if (ar[i] != 0) {
+            break;
+        }
+    }
+
+    /* handle case of 0 */
+    if (i == MAX_LENGTH_SZ) {
+        input[idx++] = 0; len++;
+    }
+
+    for (; i < MAX_LENGTH_SZ && idx < maxIdx; i++) {
+        input[idx++] = ar[i]; len++;
+    }
+
+    /* jump back to beginning of input buffer using unaltered inOutIdx value
+     * and set number of bytes for integer, then update the index value */
+    input[*inOutIdx + 1] = (byte)len;
+    *inOutIdx = idx;
+
+    return len + 2; /* size of integer bytes plus ASN TAG and length byte */
+}
+#endif /* !NO_PWDBASED */
+
 /* May not have one, not an error */
-static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
+static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version,
+                              word32 maxIdx)
 {
     word32 idx = *inOutIdx;
+    byte tag;
 
     WOLFSSL_ENTER("GetExplicitVersion");
-    if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
-        *inOutIdx = ++idx;  /* eat header */
-        return GetMyVersion(input, inOutIdx, version);
+
+    if (GetASNTag(input, &idx, &tag, maxIdx) != 0)
+        return ASN_PARSE_E;
+
+    if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
+        *inOutIdx = ++idx;  /* skip header */
+        return GetMyVersion(input, inOutIdx, version, maxIdx);
     }
 
     /* go back as is */
@@ -592,257 +849,2267 @@ static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
     return 0;
 }
 
-
-WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
-                  word32 maxIdx)
+int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx)
 {
-    word32 i = *inOutIdx;
-    byte   b = input[i++];
+    word32 idx = *inOutIdx;
+    int    ret;
     int    length;
 
-    if (b != ASN_INTEGER)
-        return ASN_PARSE_E;
-
-    if (GetLength(input, &i, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
-
-    if ( (b = input[i++]) == 0x00)
-        length--;
-    else
-        i--;
+    ret = GetASNInt(input, &idx, &length, maxIdx);
+    if (ret != 0)
+        return ret;
 
     if (mp_init(mpi) != MP_OKAY)
         return MP_INIT_E;
 
-    if (mp_read_unsigned_bin(mpi, (byte*)input + i, length) != 0) {
+    if (mp_read_unsigned_bin(mpi, (byte*)input + idx, length) != 0) {
+        mp_clear(mpi);
+        return ASN_GETINT_E;
+    }
+
+#ifdef HAVE_WOLF_BIGINT
+    if (wc_bigint_from_unsigned_bin(&mpi->raw, input + idx, length) != 0) {
         mp_clear(mpi);
         return ASN_GETINT_E;
     }
+#endif /* HAVE_WOLF_BIGINT */
+
+    *inOutIdx = idx + length;
 
-    *inOutIdx = i + length;
     return 0;
 }
 
+#if (!defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)) \
+    || defined(WOLFSSL_RSA_PUBLIC_ONLY) || (!defined(NO_DSA) && defined(WOLFSSL_QT))
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+static int SkipInt(const byte* input, word32* inOutIdx, word32 maxIdx)
+{
+    word32 idx = *inOutIdx;
+    int    ret;
+    int    length;
 
-static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
-                     word32 maxIdx)
+    ret = GetASNInt(input, &idx, &length, maxIdx);
+    if (ret != 0)
+        return ret;
+
+    *inOutIdx = idx + length;
+
+    return 0;
+}
+#endif
+#endif
+
+static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
+                          word32 maxIdx, int zeroBits, byte* unusedBits)
 {
+    word32 idx = *inOutIdx;
     int    length;
-    word32 i = *inOutIdx;
     byte   b;
-    *oid = 0;
-    
-    b = input[i++];
-    if (b != ASN_OBJECT_ID) 
-        return ASN_OBJECT_ID_E;
-    
-    if (GetLength(input, &i, &length, maxIdx) < 0)
+
+    if (GetASNTag(input, &idx, &b, maxIdx) != 0) {
+        return ASN_BITSTR_E;
+    }
+
+    if (b != ASN_BIT_STRING) {
+        return ASN_BITSTR_E;
+    }
+
+    if (GetLength(input, &idx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
-    
-    while(length--)
-        *oid += input[i++];
-    /* just sum it up for now */
-    
-    *inOutIdx = i;
-    
+
+    /* extra sanity check that length is greater than 0 */
+    if (length <= 0) {
+        WOLFSSL_MSG("Error length was 0 in CheckBitString");
+        return BUFFER_E;
+    }
+
+    if (idx + 1 > maxIdx) {
+        WOLFSSL_MSG("Attempted buffer read larger than input buffer");
+        return BUFFER_E;
+    }
+
+    b = input[idx];
+    if (zeroBits && b != 0x00)
+        return ASN_EXPECT_0_E;
+    if (b >= 0x08)
+        return ASN_PARSE_E;
+    if (b != 0) {
+        if ((byte)(input[idx + length - 1] << (8 - b)) != 0)
+            return ASN_PARSE_E;
+    }
+    idx++;
+    length--; /* length has been checked for greater than 0 */
+
+    *inOutIdx = idx;
+    if (len != NULL)
+        *len = length;
+    if (unusedBits != NULL)
+        *unusedBits = b;
+
     return 0;
 }
 
+/* RSA (with CertGen or KeyGen) OR ECC OR ED25519 OR ED448 (with CertGen or
+ * KeyGen) */
+#if (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && \
+        (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA))) || \
+    (defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)) || \
+    ((defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
+        (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)))
 
-WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
-                     word32 maxIdx)
+/* Set the DER/BER encoding of the ASN.1 BIT_STRING header.
+ *
+ * len         Length of data to encode.
+ * unusedBits  The number of unused bits in the last byte of data.
+ *             That is, the number of least significant zero bits before a one.
+ *             The last byte is the most-significant non-zero byte of a number.
+ * output      Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+word32 SetBitString(word32 len, byte unusedBits, byte* output)
 {
-    int    length;
-    word32 i = *inOutIdx;
-    byte   b;
-    *oid = 0;
-   
-    WOLFSSL_ENTER("GetAlgoId");
+    word32 idx = 0;
 
-    if (GetSequence(input, &i, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
-    
-    b = input[i++];
-    if (b != ASN_OBJECT_ID) 
-        return ASN_OBJECT_ID_E;
-    
-    if (GetLength(input, &i, &length, maxIdx) < 0)
+    if (output)
+        output[idx] = ASN_BIT_STRING;
+    idx++;
+
+    idx += SetLength(len + 1, output ? output + idx : NULL);
+    if (output)
+        output[idx] = unusedBits;
+    idx++;
+
+    return idx;
+}
+#endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
+
+#ifdef ASN_BER_TO_DER
+/* Pull informtation from the ASN.1 BER encoded item header */
+static int GetBerHeader(const byte* data, word32* idx, word32 maxIdx,
+                        byte* pTag, word32* pLen, int* indef)
+{
+    int len = 0;
+    byte tag;
+    word32 i = *idx;
+
+    *indef = 0;
+
+    /* Check there is enough data for a minimal header */
+    if (i + 2 > maxIdx) {
         return ASN_PARSE_E;
-    
-    while(length--) {
-        /* odd HC08 compiler behavior here when input[i++] */
-        *oid += input[i];
+    }
+
+    /* Retrieve tag */
+    tag = data[i++];
+
+    /* Indefinite length handled specially */
+    if (data[i] == 0x80) {
+        /* Check valid tag for indefinite */
+        if (((tag & 0xc0) == 0) && ((tag & ASN_CONSTRUCTED) == 0x00)) {
+            return ASN_PARSE_E;
+        }
         i++;
+        *indef = 1;
     }
-    /* just sum it up for now */
-    
-    /* could have NULL tag and 0 terminator, but may not */
-    b = input[i++];
-    
-    if (b == ASN_TAG_NULL) {
-        b = input[i++];
-        if (b != 0)
-            return ASN_EXPECT_0_E;
+    else if (GetLength(data, &i, &len, maxIdx) < 0) {
+        return ASN_PARSE_E;
     }
-    else
-    /* go back, didn't have it */
-        i--;
-    
-    *inOutIdx = i;
-    
+
+    /* Return tag, length and index after BER item header */
+    *pTag = tag;
+    *pLen = len;
+    *idx = i;
     return 0;
 }
 
+#ifndef INDEF_ITEMS_MAX
+#define INDEF_ITEMS_MAX       20
+#endif
+
+/* Indef length item data */
+typedef struct Indef {
+    word32 start;
+    int depth;
+    int headerLen;
+    word32 len;
+} Indef;
+
+/* Indef length items */
+typedef struct IndefItems
+{
+    Indef len[INDEF_ITEMS_MAX];
+    int cnt;
+    int idx;
+    int depth;
+} IndefItems;
+
+
+/* Get header length of current item */
+static int IndefItems_HeaderLen(IndefItems* items)
+{
+    return items->len[items->idx].headerLen;
+}
+
+/* Get data length of current item */
+static word32 IndefItems_Len(IndefItems* items)
+{
+    return items->len[items->idx].len;
+}
+
+/* Add a indefinite length item */
+static int IndefItems_AddItem(IndefItems* items, word32 start)
+{
+    int ret = 0;
+    int i;
+
+    if (items->cnt == INDEF_ITEMS_MAX) {
+        ret = MEMORY_E;
+    }
+    else {
+        i = items->cnt++;
+        items->len[i].start = start;
+        items->len[i].depth = items->depth++;
+        items->len[i].headerLen = 1;
+        items->len[i].len = 0;
+        items->idx = i;
+    }
+
+    return ret;
+}
+
+/* Increase data length of current item */
+static void IndefItems_AddData(IndefItems* items, word32 length)
+{
+    items->len[items->idx].len += length;
+}
+
+/* Update header length of current item to reflect data length */
+static void IndefItems_UpdateHeaderLen(IndefItems* items)
+{
+    items->len[items->idx].headerLen +=
+                                    SetLength(items->len[items->idx].len, NULL);
+}
+
+/* Go to indefinite parent of current item */
+static void IndefItems_Up(IndefItems* items)
+{
+    int i;
+    int depth = items->len[items->idx].depth - 1;
+
+    for (i = items->cnt - 1; i >= 0; i--) {
+        if (items->len[i].depth == depth) {
+            break;
+        }
+    }
+    items->idx = i;
+    items->depth = depth + 1;
+}
+
+/* Calculate final length by adding length of indefinite child items */
+static void IndefItems_CalcLength(IndefItems* items)
+{
+    int i;
+    int idx = items->idx;
+
+    for (i = idx + 1; i < items->cnt; i++) {
+        if (items->len[i].depth == items->depth) {
+            items->len[idx].len += items->len[i].headerLen;
+            items->len[idx].len += items->len[i].len;
+        }
+    }
+    items->len[idx].headerLen += SetLength(items->len[idx].len, NULL);
+}
+
+/* Add more data to indefinite length item */
+static void IndefItems_MoreData(IndefItems* items, word32 length)
+{
+    if (items->cnt > 0 && items->idx >= 0) {
+        items->len[items->idx].len += length;
+    }
+}
+
+/* Convert a BER encoding with indefinite length items to DER.
+ *
+ * ber    BER encoded data.
+ * berSz  Length of BER encoded data.
+ * der    Buffer to hold DER encoded version of data.
+ *        NULL indicates only the length is required.
+ * derSz  The size of the buffer to hold the DER encoded data.
+ *        Will be set if der is NULL, otherwise the value is checked as der is
+ *        filled.
+ * returns ASN_PARSE_E if the BER data is invalid and BAD_FUNC_ARG if ber or
+ * derSz are NULL.
+ */
+int wc_BerToDer(const byte* ber, word32 berSz, byte* der, word32* derSz)
+{
+    int ret = 0;
+    word32 i, j;
+#ifdef WOLFSSL_SMALL_STACK
+    IndefItems* indefItems = NULL;
+#else
+    IndefItems indefItems[1];
+#endif
+    byte tag, basic;
+    word32 length;
+    int indef;
+
+    if (ber == NULL || derSz == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef WOLFSSL_SMALL_STACK
+    indefItems = XMALLOC(sizeof(IndefItems), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (indefItems == NULL) {
+        ret = MEMORY_E;
+        goto end;
+    }
+#endif
+
+    XMEMSET(indefItems, 0, sizeof(*indefItems));
+
+    /* Calculate indefinite item lengths */
+    for (i = 0; i < berSz; ) {
+        word32 start = i;
+
+        /* Get next BER item */
+        ret = GetBerHeader(ber, &i, berSz, &tag, &length, &indef);
+        if (ret != 0) {
+            goto end;
+        }
+
+        if (indef) {
+            /* Indefinite item - add to list */
+            ret = IndefItems_AddItem(indefItems, i);
+            if (ret != 0) {
+                goto end;
+            }
+
+            if ((tag & 0xC0) == 0 &&
+                tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) &&
+                tag != (ASN_SET      | ASN_CONSTRUCTED)) {
+                /* Constructed basic type - get repeating tag */
+                basic = tag & (~ASN_CONSTRUCTED);
+
+                /* Add up lengths of each item below */
+                for (; i < berSz; ) {
+                    /* Get next BER_item */
+                    ret = GetBerHeader(ber, &i, berSz, &tag, &length, &indef);
+                    if (ret != 0) {
+                        goto end;
+                    }
+
+                    /* End of content closes item */
+                    if (tag == ASN_EOC) {
+                        /* Must be zero length */
+                        if (length != 0) {
+                            ret = ASN_PARSE_E;
+                            goto end;
+                        }
+                        break;
+                    }
+
+                    /* Must not be indefinite and tag must match parent */
+                    if (indef || tag != basic) {
+                        ret = ASN_PARSE_E;
+                        goto end;
+                    }
+
+                    /* Add to length */
+                    IndefItems_AddData(indefItems, length);
+                    /* Skip data */
+                    i += length;
+                }
+
+                /* Ensure we got an EOC and not end of data */
+                if (tag != ASN_EOC) {
+                    ret = ASN_PARSE_E;
+                    goto end;
+                }
+
+                /* Set the header length to include the length field */
+                IndefItems_UpdateHeaderLen(indefItems);
+                /* Go to indefinte parent item */
+                IndefItems_Up(indefItems);
+            }
+        }
+        else if (tag == ASN_EOC) {
+            /* End-of-content must be 0 length */
+            if (length != 0) {
+                ret = ASN_PARSE_E;
+                goto end;
+            }
+            /* Check there is an item to close - missing EOC */
+            if (indefItems->depth == 0) {
+                ret = ASN_PARSE_E;
+                goto end;
+            }
+
+            /* Finish calculation of data length for indefinite item */
+            IndefItems_CalcLength(indefItems);
+            /* Go to indefinte parent item */
+            IndefItems_Up(indefItems);
+        }
+        else {
+            /* Known length item to add in - make sure enough data for it */
+            if (i + length > berSz) {
+                ret = ASN_PARSE_E;
+                goto end;
+            }
+
+            /* Include all data - can't have indefinite inside definite */
+            i += length;
+            /* Add entire item to current indefinite item */
+            IndefItems_MoreData(indefItems, i - start);
+        }
+    }
+    /* Check we had a EOC for each indefinite item */
+    if (indefItems->depth != 0) {
+        ret = ASN_PARSE_E;
+        goto end;
+    }
+
+    /* Write out DER */
+
+    j = 0;
+    /* Reset index */
+    indefItems->idx = 0;
+    for (i = 0; i < berSz; ) {
+        word32 start = i;
+
+        /* Get item - checked above */
+        (void)GetBerHeader(ber, &i, berSz, &tag, &length, &indef);
+        if (indef) {
+            if (der != NULL) {
+                /* Check enough space for header */
+                if (j + IndefItems_HeaderLen(indefItems) > *derSz) {
+                    ret = BUFFER_E;
+                    goto end;
+                }
+
+                if ((tag & 0xC0) == 0 &&
+                    tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) &&
+                    tag != (ASN_SET      | ASN_CONSTRUCTED)) {
+                    /* Remove constructed tag for basic types */
+                    tag &= ~ASN_CONSTRUCTED;
+                }
+                /* Add tag and length */
+                der[j] = tag;
+                (void)SetLength(IndefItems_Len(indefItems), der + j + 1);
+            }
+            /* Add header length of indefinite item */
+            j += IndefItems_HeaderLen(indefItems);
+
+            if ((tag & 0xC0) == 0 &&
+                tag != (ASN_SEQUENCE | ASN_CONSTRUCTED) &&
+                tag != (ASN_SET      | ASN_CONSTRUCTED)) {
+                /* For basic type - get each child item and add data */
+                for (; i < berSz; ) {
+                    (void)GetBerHeader(ber, &i, berSz, &tag, &length, &indef);
+                    if (tag == ASN_EOC) {
+                        break;
+                    }
+                    if (der != NULL) {
+                        if (j + length > *derSz) {
+                            ret = BUFFER_E;
+                            goto end;
+                        }
+                        XMEMCPY(der + j, ber + i, length);
+                    }
+                    j += length;
+                    i += length;
+                }
+            }
+
+            /* Move to next indef item in list */
+            indefItems->idx++;
+        }
+        else if (tag == ASN_EOC) {
+            /* End-Of-Content is not written out in DER */
+        }
+        else {
+            /* Write out definite length item as is. */
+            i += length;
+            if (der != NULL) {
+                /* Ensure space for item */
+                if (j + i - start > *derSz) {
+                    ret = BUFFER_E;
+                    goto end;
+                }
+                /* Copy item as is */
+                XMEMCPY(der + j, ber + start, i - start);
+            }
+            j += i - start;
+        }
+    }
+
+    /* Return the length of the DER encoded ASN.1 */
+    *derSz = j;
+    if (der == NULL) {
+        ret = LENGTH_ONLY_E;
+    }
+end:
+#ifdef WOLFSSL_SMALL_STACK
+    if (indefItems != NULL) {
+        XFREE(indefItems, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+    return ret;
+}
+#endif
+
+#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
+
+#if (!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || \
+    defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
+
+#ifdef WOLFSSL_CERT_EXT
+/* Set the DER/BER encoding of the ASN.1 BIT_STRING with a 16-bit value.
+ *
+ * val         16-bit value to encode.
+ * output      Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+static word32 SetBitString16Bit(word16 val, byte* output)
+{
+    word32 idx;
+    int    len;
+    byte   lastByte;
+    byte   unusedBits = 0;
+
+    if ((val >> 8) != 0) {
+        len = 2;
+        lastByte = (byte)(val >> 8);
+    }
+    else {
+        len = 1;
+        lastByte = (byte)val;
+    }
+
+    while (((lastByte >> unusedBits) & 0x01) == 0x00)
+        unusedBits++;
+
+    idx = SetBitString(len, unusedBits, output);
+    output[idx++] = (byte)val;
+    if (len > 1)
+        output[idx++] = (byte)(val >> 8);
+
+    return idx;
+}
+#endif /* WOLFSSL_CERT_EXT */
+#endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 || defined(HAVE_ED448) */
+#endif /* WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN */
+
+
+
+/* hashType */
+#ifdef WOLFSSL_MD2
+    static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2};
+#endif
+#ifndef NO_MD5
+    static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5};
+#endif
+#ifndef NO_SHA
+    static const byte hashSha1hOid[] = {43, 14, 3, 2, 26};
+#endif
+#ifdef WOLFSSL_SHA224
+    static const byte hashSha224hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 4};
+#endif
+#ifndef NO_SHA256
+    static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1};
+#endif
+#ifdef WOLFSSL_SHA384
+    static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2};
+#endif
+#ifdef WOLFSSL_SHA512
+    static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3};
+#endif
+
+/* hmacType */
+#ifndef NO_HMAC
+    #ifdef WOLFSSL_SHA224
+    static const byte hmacSha224Oid[] = {42, 134, 72, 134, 247, 13, 2, 8};
+    #endif
+    #ifndef NO_SHA256
+    static const byte hmacSha256Oid[] = {42, 134, 72, 134, 247, 13, 2, 9};
+    #endif
+    #ifdef WOLFSSL_SHA384
+    static const byte hmacSha384Oid[] = {42, 134, 72, 134, 247, 13, 2, 10};
+    #endif
+    #ifdef WOLFSSL_SHA512
+    static const byte hmacSha512Oid[] = {42, 134, 72, 134, 247, 13, 2, 11};
+    #endif
+#endif
+
+/* sigType */
+#if !defined(NO_DSA) && !defined(NO_SHA)
+    static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3};
+#endif /* NO_DSA */
 #ifndef NO_RSA
+    #ifdef WOLFSSL_MD2
+    static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2};
+    #endif
+    #ifndef NO_MD5
+    static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4};
+    #endif
+    #ifndef NO_SHA
+    static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5};
+    #endif
+    #ifdef WOLFSSL_SHA224
+    static const byte sigSha224wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,14};
+    #endif
+    #ifndef NO_SHA256
+    static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11};
+    #endif
+    #ifdef WOLFSSL_SHA384
+    static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12};
+    #endif
+    #ifdef WOLFSSL_SHA512
+    static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13};
+    #endif
+#endif /* NO_RSA */
+#ifdef HAVE_ECC
+    #ifndef NO_SHA
+    static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1};
+    #endif
+    #ifdef WOLFSSL_SHA224
+    static const byte sigSha224wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 1};
+    #endif
+    #ifndef NO_SHA256
+    static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2};
+    #endif
+    #ifdef WOLFSSL_SHA384
+    static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3};
+    #endif
+    #ifdef WOLFSSL_SHA512
+    static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4};
+    #endif
+#endif /* HAVE_ECC */
+#ifdef HAVE_ED25519
+    static const byte sigEd25519Oid[] = {43, 101, 112};
+#endif /* HAVE_ED25519 */
+#ifdef HAVE_ED448
+    static const byte sigEd448Oid[] = {43, 101, 113};
+#endif /* HAVE_ED448 */
+
+/* keyType */
+#ifndef NO_DSA
+    static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1};
+#endif /* NO_DSA */
+#ifndef NO_RSA
+    static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1};
+#endif /* NO_RSA */
+#ifdef HAVE_NTRU
+    static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1};
+#endif /* HAVE_NTRU */
+#ifdef HAVE_ECC
+    static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1};
+#endif /* HAVE_ECC */
+#ifdef HAVE_ED25519
+    static const byte keyEd25519Oid[] = {43, 101, 112};
+#endif /* HAVE_ED25519 */
+#ifdef HAVE_ED448
+    static const byte keyEd448Oid[] = {43, 101, 113};
+#endif /* HAVE_ED448 */
+#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+    static const byte keyDhOid[] = {42, 134, 72, 134, 247, 13, 1, 3, 1};
+#endif /* ! NO_DH ... */
+
+/* curveType */
+#ifdef HAVE_ECC
+    /* See "ecc_sets" table in ecc.c */
+#endif /* HAVE_ECC */
 
+#ifdef HAVE_AES_CBC
+/* blkType */
+    #ifdef WOLFSSL_AES_128
+    static const byte blkAes128CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 2};
+    #endif
+    #ifdef WOLFSSL_AES_192
+    static const byte blkAes192CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 22};
+    #endif
+    #ifdef WOLFSSL_AES_256
+    static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42};
+    #endif
+#endif /* HAVE_AES_CBC */
+#ifdef HAVE_AESGCM
+    #ifdef WOLFSSL_AES_128
+    static const byte blkAes128GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 6};
+    #endif
+    #ifdef WOLFSSL_AES_192
+    static const byte blkAes192GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 26};
+    #endif
+    #ifdef WOLFSSL_AES_256
+    static const byte blkAes256GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 46};
+    #endif
+#endif /* HAVE_AESGCM */
+#ifdef HAVE_AESCCM
+    #ifdef WOLFSSL_AES_128
+    static const byte blkAes128CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 7};
+    #endif
+    #ifdef WOLFSSL_AES_192
+    static const byte blkAes192CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 27};
+    #endif
+    #ifdef WOLFSSL_AES_256
+    static const byte blkAes256CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 47};
+    #endif
+#endif /* HAVE_AESCCM */
 
-#ifdef HAVE_CAVIUM
+#ifndef NO_DES3
+    static const byte blkDesCbcOid[]  = {43, 14, 3, 2, 7};
+    static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7};
+#endif
 
-static int GetCaviumInt(byte** buff, word16* buffSz, const byte* input,
-                        word32* inOutIdx, word32 maxIdx, void* heap)
+/* keyWrapType */
+#ifdef WOLFSSL_AES_128
+    static const byte wrapAes128Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 5};
+#endif
+#ifdef WOLFSSL_AES_192
+    static const byte wrapAes192Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 25};
+#endif
+#ifdef WOLFSSL_AES_256
+    static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45};
+#endif
+#ifdef HAVE_PKCS7
+/* From RFC 3211 */
+static const byte wrapPwriKekOid[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3,9};
+#endif
+
+/* cmsKeyAgreeType */
+#ifndef NO_SHA
+    static const byte dhSinglePass_stdDH_sha1kdf_Oid[]   =
+                                          {43, 129, 5, 16, 134, 72, 63, 0, 2};
+#endif
+#ifdef WOLFSSL_SHA224
+    static const byte dhSinglePass_stdDH_sha224kdf_Oid[] = {43, 129, 4, 1, 11, 0};
+#endif
+#ifndef NO_SHA256
+    static const byte dhSinglePass_stdDH_sha256kdf_Oid[] = {43, 129, 4, 1, 11, 1};
+#endif
+#ifdef WOLFSSL_SHA384
+    static const byte dhSinglePass_stdDH_sha384kdf_Oid[] = {43, 129, 4, 1, 11, 2};
+#endif
+#ifdef WOLFSSL_SHA512
+    static const byte dhSinglePass_stdDH_sha512kdf_Oid[] = {43, 129, 4, 1, 11, 3};
+#endif
+
+/* ocspType */
+#ifdef HAVE_OCSP
+    static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
+    static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
+#endif /* HAVE_OCSP */
+
+/* certExtType */
+static const byte extBasicCaOid[] = {85, 29, 19};
+static const byte extAltNamesOid[] = {85, 29, 17};
+static const byte extCrlDistOid[] = {85, 29, 31};
+static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1};
+static const byte extAuthKeyOid[] = {85, 29, 35};
+static const byte extSubjKeyOid[] = {85, 29, 14};
+static const byte extCertPolicyOid[] = {85, 29, 32};
+static const byte extKeyUsageOid[] = {85, 29, 15};
+static const byte extInhibitAnyOid[] = {85, 29, 54};
+static const byte extExtKeyUsageOid[] = {85, 29, 37};
+#ifndef IGNORE_NAME_CONSTRAINTS
+    static const byte extNameConsOid[] = {85, 29, 30};
+#endif
+
+/* certAuthInfoType */
+#ifdef HAVE_OCSP
+    static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
+#endif
+static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
+
+/* certPolicyType */
+static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
+
+/* certKeyUseType */
+static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
+
+/* certKeyUseType */
+static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0};
+static const byte extExtKeyUsageServerAuthOid[]   = {43, 6, 1, 5, 5, 7, 3, 1};
+static const byte extExtKeyUsageClientAuthOid[]   = {43, 6, 1, 5, 5, 7, 3, 2};
+static const byte extExtKeyUsageCodeSigningOid[]  = {43, 6, 1, 5, 5, 7, 3, 3};
+static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4};
+static const byte extExtKeyUsageTimestampOid[]    = {43, 6, 1, 5, 5, 7, 3, 8};
+static const byte extExtKeyUsageOcspSignOid[]     = {43, 6, 1, 5, 5, 7, 3, 9};
+
+/* kdfType */
+static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
+
+/* PKCS5 */
+#if !defined(NO_DES3) && !defined(NO_SHA)
+static const byte pbeSha1Des[] = {42, 134, 72, 134, 247, 13, 1, 5, 10};
+#endif
+static const byte pbes2[] = {42, 134, 72, 134, 247, 13, 1, 5, 13};
+
+/* PKCS12 */
+#if !defined(NO_RC4) && !defined(NO_SHA)
+static const byte pbeSha1RC4128[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 1};
+#endif
+#if !defined(NO_DES3) && !defined(NO_SHA)
+static const byte pbeSha1Des3[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 3};
+#endif
+
+#ifdef HAVE_LIBZ
+/* zlib compression */
+static const byte zlibCompress[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3, 8};
+#endif
+#ifdef WOLFSSL_APACHE_HTTPD
+/* tlsExtType */
+static const byte tlsFeatureOid[] = {43, 6, 1, 5, 5, 7, 1, 24};
+/* certNameType */
+static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7};
+#endif
+
+
+/* returns a pointer to the OID string on success and NULL on fail */
+const byte* OidFromId(word32 id, word32 type, word32* oidSz)
 {
-    word32 i = *inOutIdx;
-    byte   b = input[i++];
+    const byte* oid = NULL;
+
+    *oidSz = 0;
+
+    switch (type) {
+
+        case oidHashType:
+            switch (id) {
+            #ifdef WOLFSSL_MD2
+                case MD2h:
+                    oid = hashMd2hOid;
+                    *oidSz = sizeof(hashMd2hOid);
+                    break;
+            #endif
+            #ifndef NO_MD5
+                case MD5h:
+                    oid = hashMd5hOid;
+                    *oidSz = sizeof(hashMd5hOid);
+                    break;
+            #endif
+            #ifndef NO_SHA
+                case SHAh:
+                    oid = hashSha1hOid;
+                    *oidSz = sizeof(hashSha1hOid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA224
+                case SHA224h:
+                    oid = hashSha224hOid;
+                    *oidSz = sizeof(hashSha224hOid);
+                    break;
+            #endif
+            #ifndef NO_SHA256
+                case SHA256h:
+                    oid = hashSha256hOid;
+                    *oidSz = sizeof(hashSha256hOid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA384
+                case SHA384h:
+                    oid = hashSha384hOid;
+                    *oidSz = sizeof(hashSha384hOid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA512
+                case SHA512h:
+                    oid = hashSha512hOid;
+                    *oidSz = sizeof(hashSha512hOid);
+                    break;
+            #endif
+            }
+            break;
+
+        case oidSigType:
+            switch (id) {
+                #if !defined(NO_DSA) && !defined(NO_SHA)
+                case CTC_SHAwDSA:
+                    oid = sigSha1wDsaOid;
+                    *oidSz = sizeof(sigSha1wDsaOid);
+                    break;
+                #endif /* NO_DSA */
+                #ifndef NO_RSA
+                #ifdef WOLFSSL_MD2
+                case CTC_MD2wRSA:
+                    oid = sigMd2wRsaOid;
+                    *oidSz = sizeof(sigMd2wRsaOid);
+                    break;
+                #endif
+                #ifndef NO_MD5
+                case CTC_MD5wRSA:
+                    oid = sigMd5wRsaOid;
+                    *oidSz = sizeof(sigMd5wRsaOid);
+                    break;
+                #endif
+                #ifndef NO_SHA
+                case CTC_SHAwRSA:
+                    oid = sigSha1wRsaOid;
+                    *oidSz = sizeof(sigSha1wRsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA224
+                case CTC_SHA224wRSA:
+                    oid = sigSha224wRsaOid;
+                    *oidSz = sizeof(sigSha224wRsaOid);
+                    break;
+                #endif
+                #ifndef NO_SHA256
+                case CTC_SHA256wRSA:
+                    oid = sigSha256wRsaOid;
+                    *oidSz = sizeof(sigSha256wRsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA384
+                case CTC_SHA384wRSA:
+                    oid = sigSha384wRsaOid;
+                    *oidSz = sizeof(sigSha384wRsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA512
+                case CTC_SHA512wRSA:
+                    oid = sigSha512wRsaOid;
+                    *oidSz = sizeof(sigSha512wRsaOid);
+                    break;
+                #endif /* WOLFSSL_SHA512 */
+                #endif /* NO_RSA */
+                #ifdef HAVE_ECC
+                #ifndef NO_SHA
+                case CTC_SHAwECDSA:
+                    oid = sigSha1wEcdsaOid;
+                    *oidSz = sizeof(sigSha1wEcdsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA224
+                case CTC_SHA224wECDSA:
+                    oid = sigSha224wEcdsaOid;
+                    *oidSz = sizeof(sigSha224wEcdsaOid);
+                    break;
+                #endif
+                #ifndef NO_SHA256
+                case CTC_SHA256wECDSA:
+                    oid = sigSha256wEcdsaOid;
+                    *oidSz = sizeof(sigSha256wEcdsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA384
+                case CTC_SHA384wECDSA:
+                    oid = sigSha384wEcdsaOid;
+                    *oidSz = sizeof(sigSha384wEcdsaOid);
+                    break;
+                #endif
+                #ifdef WOLFSSL_SHA512
+                case CTC_SHA512wECDSA:
+                    oid = sigSha512wEcdsaOid;
+                    *oidSz = sizeof(sigSha512wEcdsaOid);
+                    break;
+                #endif
+                #endif /* HAVE_ECC */
+                #ifdef HAVE_ED25519
+                case CTC_ED25519:
+                    oid = sigEd25519Oid;
+                    *oidSz = sizeof(sigEd25519Oid);
+                    break;
+                #endif
+                #ifdef HAVE_ED448
+                case CTC_ED448:
+                    oid = sigEd448Oid;
+                    *oidSz = sizeof(sigEd448Oid);
+                    break;
+                #endif
+                default:
+                    break;
+            }
+            break;
+
+        case oidKeyType:
+            switch (id) {
+                #ifndef NO_DSA
+                case DSAk:
+                    oid = keyDsaOid;
+                    *oidSz = sizeof(keyDsaOid);
+                    break;
+                #endif /* NO_DSA */
+                #ifndef NO_RSA
+                case RSAk:
+                    oid = keyRsaOid;
+                    *oidSz = sizeof(keyRsaOid);
+                    break;
+                #endif /* NO_RSA */
+                #ifdef HAVE_NTRU
+                case NTRUk:
+                    oid = keyNtruOid;
+                    *oidSz = sizeof(keyNtruOid);
+                    break;
+                #endif /* HAVE_NTRU */
+                #ifdef HAVE_ECC
+                case ECDSAk:
+                    oid = keyEcdsaOid;
+                    *oidSz = sizeof(keyEcdsaOid);
+                    break;
+                #endif /* HAVE_ECC */
+                #ifdef HAVE_ED25519
+                case ED25519k:
+                    oid = keyEd25519Oid;
+                    *oidSz = sizeof(keyEd25519Oid);
+                    break;
+                #endif /* HAVE_ED25519 */
+                #ifdef HAVE_ED448
+                case ED448k:
+                    oid = keyEd448Oid;
+                    *oidSz = sizeof(keyEd448Oid);
+                    break;
+                #endif /* HAVE_ED448 */
+                #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+                case DHk:
+                    oid = keyDhOid;
+                    *oidSz = sizeof(keyDhOid);
+                    break;
+                #endif /* ! NO_DH && (WOLFSSL_QT || OPENSSL_ALL */
+                default:
+                    break;
+            }
+            break;
+
+        #ifdef HAVE_ECC
+        case oidCurveType:
+            if (wc_ecc_get_oid(id, &oid, oidSz) < 0) {
+                WOLFSSL_MSG("ECC OID not found");
+            }
+            break;
+        #endif /* HAVE_ECC */
+
+        case oidBlkType:
+            switch (id) {
+    #ifdef HAVE_AES_CBC
+        #ifdef WOLFSSL_AES_128
+                case AES128CBCb:
+                    oid = blkAes128CbcOid;
+                    *oidSz = sizeof(blkAes128CbcOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+                case AES192CBCb:
+                    oid = blkAes192CbcOid;
+                    *oidSz = sizeof(blkAes192CbcOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+                case AES256CBCb:
+                    oid = blkAes256CbcOid;
+                    *oidSz = sizeof(blkAes256CbcOid);
+                    break;
+        #endif
+    #endif /* HAVE_AES_CBC */
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+                case AES128GCMb:
+                    oid = blkAes128GcmOid;
+                    *oidSz = sizeof(blkAes128GcmOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+                case AES192GCMb:
+                    oid = blkAes192GcmOid;
+                    *oidSz = sizeof(blkAes192GcmOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+                case AES256GCMb:
+                    oid = blkAes256GcmOid;
+                    *oidSz = sizeof(blkAes256GcmOid);
+                    break;
+        #endif
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AESCCM
+        #ifdef WOLFSSL_AES_128
+                case AES128CCMb:
+                    oid = blkAes128CcmOid;
+                    *oidSz = sizeof(blkAes128CcmOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+                case AES192CCMb:
+                    oid = blkAes192CcmOid;
+                    *oidSz = sizeof(blkAes192CcmOid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+                case AES256CCMb:
+                    oid = blkAes256CcmOid;
+                    *oidSz = sizeof(blkAes256CcmOid);
+                    break;
+        #endif
+    #endif /* HAVE_AESCCM */
+    #ifndef NO_DES3
+                case DESb:
+                    oid = blkDesCbcOid;
+                    *oidSz = sizeof(blkDesCbcOid);
+                    break;
+                case DES3b:
+                    oid = blkDes3CbcOid;
+                    *oidSz = sizeof(blkDes3CbcOid);
+                    break;
+    #endif /* !NO_DES3 */
+            }
+            break;
+
+        #ifdef HAVE_OCSP
+        case oidOcspType:
+            switch (id) {
+                case OCSP_BASIC_OID:
+                    oid = ocspBasicOid;
+                    *oidSz = sizeof(ocspBasicOid);
+                    break;
+                case OCSP_NONCE_OID:
+                    oid = ocspNonceOid;
+                    *oidSz = sizeof(ocspNonceOid);
+                    break;
+            }
+            break;
+        #endif /* HAVE_OCSP */
+
+        case oidCertExtType:
+            switch (id) {
+                case BASIC_CA_OID:
+                    oid = extBasicCaOid;
+                    *oidSz = sizeof(extBasicCaOid);
+                    break;
+                case ALT_NAMES_OID:
+                    oid = extAltNamesOid;
+                    *oidSz = sizeof(extAltNamesOid);
+                    break;
+                case CRL_DIST_OID:
+                    oid = extCrlDistOid;
+                    *oidSz = sizeof(extCrlDistOid);
+                    break;
+                case AUTH_INFO_OID:
+                    oid = extAuthInfoOid;
+                    *oidSz = sizeof(extAuthInfoOid);
+                    break;
+                case AUTH_KEY_OID:
+                    oid = extAuthKeyOid;
+                    *oidSz = sizeof(extAuthKeyOid);
+                    break;
+                case SUBJ_KEY_OID:
+                    oid = extSubjKeyOid;
+                    *oidSz = sizeof(extSubjKeyOid);
+                    break;
+                case CERT_POLICY_OID:
+                    oid = extCertPolicyOid;
+                    *oidSz = sizeof(extCertPolicyOid);
+                    break;
+                case KEY_USAGE_OID:
+                    oid = extKeyUsageOid;
+                    *oidSz = sizeof(extKeyUsageOid);
+                    break;
+                case INHIBIT_ANY_OID:
+                    oid = extInhibitAnyOid;
+                    *oidSz = sizeof(extInhibitAnyOid);
+                    break;
+                case EXT_KEY_USAGE_OID:
+                    oid = extExtKeyUsageOid;
+                    *oidSz = sizeof(extExtKeyUsageOid);
+                    break;
+            #ifndef IGNORE_NAME_CONSTRAINTS
+                case NAME_CONS_OID:
+                    oid = extNameConsOid;
+                    *oidSz = sizeof(extNameConsOid);
+                    break;
+            #endif
+            }
+            break;
+
+        case oidCrlExtType:
+            #ifdef HAVE_CRL
+            switch (id) {
+                case AUTH_KEY_OID:
+                    oid = extAuthKeyOid;
+                    *oidSz = sizeof(extAuthKeyOid);
+                    break;
+            }
+            #endif
+            break;
+
+        case oidCertAuthInfoType:
+            switch (id) {
+            #ifdef HAVE_OCSP
+                case AIA_OCSP_OID:
+                    oid = extAuthInfoOcspOid;
+                    *oidSz = sizeof(extAuthInfoOcspOid);
+                    break;
+            #endif
+                case AIA_CA_ISSUER_OID:
+                    oid = extAuthInfoCaIssuerOid;
+                    *oidSz = sizeof(extAuthInfoCaIssuerOid);
+                    break;
+            }
+            break;
+
+        case oidCertPolicyType:
+            switch (id) {
+                case CP_ANY_OID:
+                    oid = extCertPolicyAnyOid;
+                    *oidSz = sizeof(extCertPolicyAnyOid);
+                    break;
+            }
+            break;
+
+        case oidCertAltNameType:
+            switch (id) {
+                case HW_NAME_OID:
+                    oid = extAltNamesHwNameOid;
+                    *oidSz = sizeof(extAltNamesHwNameOid);
+                    break;
+            }
+            break;
+
+        case oidCertKeyUseType:
+            switch (id) {
+                case EKU_ANY_OID:
+                    oid = extExtKeyUsageAnyOid;
+                    *oidSz = sizeof(extExtKeyUsageAnyOid);
+                    break;
+                case EKU_SERVER_AUTH_OID:
+                    oid = extExtKeyUsageServerAuthOid;
+                    *oidSz = sizeof(extExtKeyUsageServerAuthOid);
+                    break;
+                case EKU_CLIENT_AUTH_OID:
+                    oid = extExtKeyUsageClientAuthOid;
+                    *oidSz = sizeof(extExtKeyUsageClientAuthOid);
+                    break;
+                case EKU_CODESIGNING_OID:
+                    oid = extExtKeyUsageCodeSigningOid;
+                    *oidSz = sizeof(extExtKeyUsageCodeSigningOid);
+                    break;
+                case EKU_EMAILPROTECT_OID:
+                    oid = extExtKeyUsageEmailProtectOid;
+                    *oidSz = sizeof(extExtKeyUsageEmailProtectOid);
+                    break;
+                case EKU_TIMESTAMP_OID:
+                    oid = extExtKeyUsageTimestampOid;
+                    *oidSz = sizeof(extExtKeyUsageTimestampOid);
+                    break;
+                case EKU_OCSP_SIGN_OID:
+                    oid = extExtKeyUsageOcspSignOid;
+                    *oidSz = sizeof(extExtKeyUsageOcspSignOid);
+                    break;
+            }
+            break;
+
+        case oidKdfType:
+            switch (id) {
+                case PBKDF2_OID:
+                    oid = pbkdf2Oid;
+                    *oidSz = sizeof(pbkdf2Oid);
+                    break;
+            }
+            break;
+
+        case oidPBEType:
+            switch (id) {
+        #if !defined(NO_SHA) && !defined(NO_RC4)
+                case PBE_SHA1_RC4_128:
+                    oid = pbeSha1RC4128;
+                    *oidSz = sizeof(pbeSha1RC4128);
+                    break;
+        #endif
+        #if !defined(NO_SHA) && !defined(NO_DES3)
+                case PBE_SHA1_DES:
+                    oid = pbeSha1Des;
+                    *oidSz = sizeof(pbeSha1Des);
+                    break;
+
+        #endif
+        #if !defined(NO_SHA) && !defined(NO_DES3)
+                case PBE_SHA1_DES3:
+                    oid = pbeSha1Des3;
+                    *oidSz = sizeof(pbeSha1Des3);
+                    break;
+        #endif
+                case PBES2:
+                    oid = pbes2;
+                    *oidSz = sizeof(pbes2);
+                    break;
+            }
+            break;
+
+        case oidKeyWrapType:
+            switch (id) {
+            #ifdef WOLFSSL_AES_128
+                case AES128_WRAP:
+                    oid = wrapAes128Oid;
+                    *oidSz = sizeof(wrapAes128Oid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_AES_192
+                case AES192_WRAP:
+                    oid = wrapAes192Oid;
+                    *oidSz = sizeof(wrapAes192Oid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_AES_256
+                case AES256_WRAP:
+                    oid = wrapAes256Oid;
+                    *oidSz = sizeof(wrapAes256Oid);
+                    break;
+            #endif
+            #ifdef HAVE_PKCS7
+                case PWRI_KEK_WRAP:
+                    oid = wrapPwriKekOid;
+                    *oidSz = sizeof(wrapPwriKekOid);
+                    break;
+            #endif
+            }
+            break;
+
+        case oidCmsKeyAgreeType:
+            switch (id) {
+            #ifndef NO_SHA
+                case dhSinglePass_stdDH_sha1kdf_scheme:
+                    oid = dhSinglePass_stdDH_sha1kdf_Oid;
+                    *oidSz = sizeof(dhSinglePass_stdDH_sha1kdf_Oid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA224
+                case dhSinglePass_stdDH_sha224kdf_scheme:
+                    oid = dhSinglePass_stdDH_sha224kdf_Oid;
+                    *oidSz = sizeof(dhSinglePass_stdDH_sha224kdf_Oid);
+                    break;
+            #endif
+            #ifndef NO_SHA256
+                case dhSinglePass_stdDH_sha256kdf_scheme:
+                    oid = dhSinglePass_stdDH_sha256kdf_Oid;
+                    *oidSz = sizeof(dhSinglePass_stdDH_sha256kdf_Oid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA384
+                case dhSinglePass_stdDH_sha384kdf_scheme:
+                    oid = dhSinglePass_stdDH_sha384kdf_Oid;
+                    *oidSz = sizeof(dhSinglePass_stdDH_sha384kdf_Oid);
+                    break;
+            #endif
+            #ifdef WOLFSSL_SHA512
+                case dhSinglePass_stdDH_sha512kdf_scheme:
+                    oid = dhSinglePass_stdDH_sha512kdf_Oid;
+                    *oidSz = sizeof(dhSinglePass_stdDH_sha512kdf_Oid);
+                    break;
+            #endif
+            }
+            break;
+
+#ifndef NO_HMAC
+        case oidHmacType:
+            switch (id) {
+        #ifdef WOLFSSL_SHA224
+                case HMAC_SHA224_OID:
+                    oid = hmacSha224Oid;
+                    *oidSz = sizeof(hmacSha224Oid);
+                    break;
+        #endif
+        #ifndef NO_SHA256
+                case HMAC_SHA256_OID:
+                    oid = hmacSha256Oid;
+                    *oidSz = sizeof(hmacSha256Oid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_SHA384
+                case HMAC_SHA384_OID:
+                    oid = hmacSha384Oid;
+                    *oidSz = sizeof(hmacSha384Oid);
+                    break;
+        #endif
+        #ifdef WOLFSSL_SHA512
+                case HMAC_SHA512_OID:
+                    oid = hmacSha512Oid;
+                    *oidSz = sizeof(hmacSha512Oid);
+                    break;
+        #endif
+            }
+            break;
+#endif /* !NO_HMAC */
+
+#ifdef HAVE_LIBZ
+        case oidCompressType:
+            switch (id) {
+                case ZLIBc:
+                    oid = zlibCompress;
+                    *oidSz = sizeof(zlibCompress);
+                    break;
+            }
+            break;
+#endif /* HAVE_LIBZ */
+#ifdef WOLFSSL_APACHE_HTTPD
+        case oidCertNameType:
+            switch (id) {
+                 case NID_id_on_dnsSRV:
+                    oid = dnsSRVOid;
+                    *oidSz = sizeof(dnsSRVOid);
+                    break;
+            }
+            break;
+        case oidTlsExtType:
+            switch (id) {
+                case TLS_FEATURE_OID:
+                    oid = tlsFeatureOid;
+                    *oidSz = sizeof(tlsFeatureOid);
+                    break;
+            }
+            break;
+#endif /* WOLFSSL_APACHE_HTTPD */
+        case oidIgnoreType:
+        default:
+            break;
+    }
+
+    return oid;
+}
+
+#ifdef HAVE_OID_ENCODING
+int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
+{
+    int i, x, len;
+    word32 d, t;
+
+    /* check args */
+    if (in == NULL || outSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* compute length of encoded OID */
+    d = (in[0] * 40) + in[1];
+    len = 0;
+    for (i = 1; i < (int)inSz; i++) {
+        x = 0;
+        t = d;
+        while (t) {
+            x++;
+            t >>= 1;
+        }
+        len += (x / 7) + ((x % 7) ? 1 : 0) + (d == 0 ? 1 : 0);
+
+        if (i < (int)inSz - 1) {
+            d = in[i + 1];
+        }
+    }
+
+    if (out) {
+        /* verify length */
+        if ((int)*outSz < len) {
+            return BUFFER_E; /* buffer provided is not large enough */
+        }
+
+        /* calc first byte */
+        d = (in[0] * 40) + in[1];
+
+        /* encode bytes */
+        x = 0;
+        for (i = 1; i < (int)inSz; i++) {
+            if (d) {
+                int y = x, z;
+                byte mask = 0;
+                while (d) {
+                    out[x++] = (byte)((d & 0x7F) | mask);
+                    d     >>= 7;
+                    mask  |= 0x80;  /* upper bit is set on all but the last byte */
+                }
+                /* now swap bytes y...x-1 */
+                z = x - 1;
+                while (y < z) {
+                    mask = out[y];
+                    out[y] = out[z];
+                    out[z] = mask;
+                    ++y;
+                    --z;
+                }
+            }
+            else {
+              out[x++] = 0x00; /* zero value */
+            }
+
+            /* next word */
+            if (i < (int)inSz - 1) {
+                d = in[i + 1];
+            }
+        }
+    }
+
+    /* return length */
+    *outSz = len;
+
+    return 0;
+}
+#endif /* HAVE_OID_ENCODING */
+
+#ifdef HAVE_OID_DECODING
+int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
+{
+    int x = 0, y = 0;
+    word32 t = 0;
+
+    /* check args */
+    if (in == NULL || outSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* decode bytes */
+    while (inSz--) {
+        t = (t << 7) | (in[x] & 0x7F);
+        if (!(in[x] & 0x80)) {
+            if (y >= (int)*outSz) {
+                return BUFFER_E;
+            }
+            if (y == 0) {
+                out[0] = (t / 40);
+                out[1] = (t % 40);
+                y = 2;
+            }
+            else {
+                out[y++] = t;
+            }
+            t = 0; /* reset tmp */
+        }
+        x++;
+    }
+
+    /* return length */
+    *outSz = y;
+
+    return 0;
+}
+#endif /* HAVE_OID_DECODING */
+
+/* Get the DER/BER encoding of an ASN.1 OBJECT_ID header.
+ *
+ * input     Buffer holding DER/BER encoded data.
+ * inOutIdx  Current index into buffer to parse.
+ * len       The number of bytes in the ASN.1 data.
+ * maxIdx    Length of data in buffer.
+ * returns BUFFER_E when there is not enough data to parse.
+ *         ASN_OBJECt_ID_E when the OBJECT_ID tag is not found.
+ *         ASN_PARSE_E when length is invalid.
+ *         Otherwise, 0 to indicate success.
+ */
+int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
+                          word32 maxIdx)
+{
+    word32 idx = *inOutIdx;
     int    length;
+    byte   tag;
 
-    if (b != ASN_INTEGER)
+    if ((idx + 1) > maxIdx)
+        return BUFFER_E;
+
+    if (GetASNTag(input, &idx, &tag, maxIdx) != 0)
         return ASN_PARSE_E;
 
-    if (GetLength(input, &i, &length, maxIdx) < 0)
+    if (tag != ASN_OBJECT_ID)
+        return ASN_OBJECT_ID_E;
+
+    if (GetLength(input, &idx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
 
-    if ( (b = input[i++]) == 0x00)
-        length--;
-    else
-        i--;
+    *len = length;
+    *inOutIdx = idx;
+    return 0;
+}
 
-    *buffSz = (word16)length;
-    *buff   = XMALLOC(*buffSz, heap, DYNAMIC_TYPE_CAVIUM_RSA);
-    if (*buff == NULL)
-        return MEMORY_E;
+/* Set the DER/BER encoding of the ASN.1 OBJECT_ID header.
+ *
+ * len         Length of the OBJECT_ID data.
+ * output      Buffer to write into.
+ * returns the number of bytes added to the buffer.
+ */
+int SetObjectId(int len, byte* output)
+{
+    int idx = 0;
+
+    output[idx++] = ASN_OBJECT_ID;
+    idx += SetLength(len, output + idx);
 
-    XMEMCPY(*buff, input + i, *buffSz);
+    return idx;
+}
+
+int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
+                                  word32 oidType, word32 maxIdx)
+{
+    int    ret = 0, length;
+    word32 idx = *inOutIdx;
+#ifndef NO_VERIFY_OID
+    word32 actualOidSz = 0;
+    const byte* actualOid;
+#endif /* NO_VERIFY_OID */
+
+    (void)oidType;
+    WOLFSSL_ENTER("GetObjectId()");
+    *oid = 0;
+
+    ret = GetASNObjectId(input, &idx, &length, maxIdx);
+    if (ret != 0)
+        return ret;
+
+#ifndef NO_VERIFY_OID
+    actualOid = &input[idx];
+    if (length > 0)
+        actualOidSz = (word32)length;
+#endif /* NO_VERIFY_OID */
+
+    while (length--) {
+        /* odd HC08 compiler behavior here when input[idx++] */
+        *oid += (word32)input[idx];
+        idx++;
+    }
+    /* just sum it up for now */
+
+    *inOutIdx = idx;
+
+#ifndef NO_VERIFY_OID
+    {
+        const byte* checkOid = NULL;
+        word32 checkOidSz;
+    #ifdef ASN_DUMP_OID
+        word32 i;
+    #endif
+
+        if (oidType != oidIgnoreType) {
+            checkOid = OidFromId(*oid, oidType, &checkOidSz);
+
+        #ifdef ASN_DUMP_OID
+            /* support for dumping OID information */
+            printf("OID (Type %d, Sz %d, Sum %d): ", oidType, actualOidSz, *oid);
+            for (i=0; i<actualOidSz; i++) {
+                printf("%d, ", actualOid[i]);
+            }
+            printf("\n");
+            #ifdef HAVE_OID_DECODING
+            {
+                word16 decOid[16];
+                word32 decOidSz = sizeof(decOid);
+                ret = DecodeObjectId(actualOid, actualOidSz, decOid, &decOidSz);
+                if (ret == 0) {
+                    printf("  Decoded (Sz %d): ", decOidSz);
+                    for (i=0; i<decOidSz; i++) {
+                        printf("%d.", decOid[i]);
+                    }
+                    printf("\n");
+                }
+                else {
+                    printf("DecodeObjectId failed: %d\n", ret);
+                }
+            }
+            #endif /* HAVE_OID_DECODING */
+        #endif /* ASN_DUMP_OID */
+
+            if (checkOid != NULL &&
+                (checkOidSz != actualOidSz ||
+                    XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) {
+                WOLFSSL_MSG("OID Check Failed");
+                return ASN_UNKNOWN_OID_E;
+            }
+        }
+    }
+#endif /* NO_VERIFY_OID */
+
+    return ret;
+}
+
+static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
+{
+    word32 idx = *inOutIdx;
+    int    length;
+    int ret;
+
+    ret = GetASNObjectId(input, &idx, &length, maxIdx);
+    if (ret != 0)
+        return ret;
+
+    idx += length;
+    *inOutIdx = idx;
 
-    *inOutIdx = i + length;
     return 0;
 }
 
-static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx,
-                                     RsaKey* key, word32 inSz)
+int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
+                     word32 oidType, word32 maxIdx)
 {
-    int   version, length;
-    void* h = key->heap;
+    int    length;
+    word32 idx = *inOutIdx;
+    int    ret;
+    *oid = 0;
 
-    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
-        return ASN_PARSE_E;
+    WOLFSSL_ENTER("GetAlgoId");
 
-    if (GetMyVersion(input, inOutIdx, &version) < 0)
+    if (GetSequence(input, &idx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
 
-    key->type = RSA_PRIVATE;
+    if (GetObjectId(input, &idx, oid, oidType, maxIdx) < 0)
+        return ASN_OBJECT_ID_E;
 
-    if (GetCaviumInt(&key->c_n,  &key->c_nSz,   input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_e,  &key->c_eSz,   input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_d,  &key->c_dSz,   input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_p,  &key->c_pSz,   input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_q,  &key->c_qSz,   input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_dP, &key->c_dP_Sz, input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_dQ, &key->c_dQ_Sz, input, inOutIdx, inSz, h) < 0 ||
-        GetCaviumInt(&key->c_u,  &key->c_uSz,   input, inOutIdx, inSz, h) < 0 )
-            return ASN_RSA_KEY_E;
+    /* could have NULL tag and 0 terminator, but may not */
+    if (idx < maxIdx) {
+        word32 localIdx = idx; /*use localIdx to not advance when checking tag*/
+        byte   tag;
+
+        if (GetASNTag(input, &localIdx, &tag, maxIdx) == 0) {
+            if (tag == ASN_TAG_NULL) {
+                ret = GetASNNull(input, &idx, maxIdx);
+                if (ret != 0)
+                    return ret;
+            }
+        }
+    }
+
+    *inOutIdx = idx;
 
     return 0;
 }
 
+#ifndef NO_RSA
 
-#endif /* HAVE_CAVIUM */
-
+#ifndef HAVE_USER_RSA
 int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
                         word32 inSz)
 {
-    int    version, length;
-
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return CaviumRsaPrivateKeyDecode(input, inOutIdx, key, inSz);
-#endif
+    int version, length;
 
+    if (inOutIdx == NULL) {
+        return BAD_FUNC_ARG;
+    }
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
-    if (GetMyVersion(input, inOutIdx, &version) < 0)
+    if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
         return ASN_PARSE_E;
 
     key->type = RSA_PRIVATE;
 
     if (GetInt(&key->n,  input, inOutIdx, inSz) < 0 ||
         GetInt(&key->e,  input, inOutIdx, inSz) < 0 ||
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
         GetInt(&key->d,  input, inOutIdx, inSz) < 0 ||
         GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->q,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->dP, input, inOutIdx, inSz) < 0 ||
+        GetInt(&key->q,  input, inOutIdx, inSz) < 0)
+#else
+        SkipInt(input, inOutIdx, inSz) < 0 ||
+        SkipInt(input, inOutIdx, inSz) < 0 ||
+        SkipInt(input, inOutIdx, inSz) < 0 )
+
+#endif
+            return ASN_RSA_KEY_E;
+#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)) \
+    && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    if (GetInt(&key->dP, input, inOutIdx, inSz) < 0 ||
         GetInt(&key->dQ, input, inOutIdx, inSz) < 0 ||
         GetInt(&key->u,  input, inOutIdx, inSz) < 0 )  return ASN_RSA_KEY_E;
+#else
+    if (SkipInt(input, inOutIdx, inSz) < 0 ||
+        SkipInt(input, inOutIdx, inSz) < 0 ||
+        SkipInt(input, inOutIdx, inSz) < 0 )  return ASN_RSA_KEY_E;
+#endif
+
+#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
+    if (wc_InitRsaHw(key) != 0) {
+        return BAD_STATE_E;
+    }
+#endif
 
     return 0;
 }
-
+#endif /* HAVE_USER_RSA */
 #endif /* NO_RSA */
 
-/* Remove PKCS8 header, move beginning of traditional to beginning of input */
-int ToTraditional(byte* input, word32 sz)
+#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
+
+/* Remove PKCS8 header, place inOutIdx at beginning of traditional,
+ * return traditional length on success, negative on error */
+int ToTraditionalInline_ex(const byte* input, word32* inOutIdx, word32 sz,
+                           word32* algId)
 {
-    word32 inOutIdx = 0, oid;
+    word32 idx;
     int    version, length;
+    int    ret;
+    byte   tag;
+
+    if (input == NULL || inOutIdx == NULL)
+        return BAD_FUNC_ARG;
+
+    idx = *inOutIdx;
 
-    if (GetSequence(input, &inOutIdx, &length, sz) < 0)
+    if (GetSequence(input, &idx, &length, sz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetMyVersion(input, &idx, &version, sz) < 0)
         return ASN_PARSE_E;
 
-    if (GetMyVersion(input, &inOutIdx, &version) < 0)
+    if (GetAlgoId(input, &idx, algId, oidKeyType, sz) < 0)
         return ASN_PARSE_E;
 
-    if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
+    if (GetASNTag(input, &idx, &tag, sz) < 0)
         return ASN_PARSE_E;
+    idx = idx - 1; /* reset idx after finding tag */
 
-    if (input[inOutIdx] == ASN_OBJECT_ID) {
-        /* pkcs8 ecc uses slightly different format */
-        inOutIdx++;  /* past id */
-        if (GetLength(input, &inOutIdx, &length, sz) < 0)
+    if (tag == ASN_OBJECT_ID) {
+        if (SkipObjectId(input, &idx, sz) < 0)
             return ASN_PARSE_E;
-        inOutIdx += length;  /* over sub id, key input will verify */
     }
 
-    if (input[inOutIdx++] != ASN_OCTET_STRING)
-        return ASN_PARSE_E;
+    ret = GetOctetString(input, &idx, &length, sz);
+    if (ret < 0) {
+        if (ret == BUFFER_E)
+            return ASN_PARSE_E;
+        /* Some private keys don't expect an octet string */
+        WOLFSSL_MSG("Couldn't find Octet string");
+    }
 
-    if (GetLength(input, &inOutIdx, &length, sz) < 0)
-        return ASN_PARSE_E;
+    *inOutIdx = idx;
+
+    return length;
+}
+
+int ToTraditionalInline(const byte* input, word32* inOutIdx, word32 sz)
+{
+    word32 oid;
+
+    return ToTraditionalInline_ex(input, inOutIdx, sz, &oid);
+}
+
+/* Remove PKCS8 header, move beginning of traditional to beginning of input */
+int ToTraditional_ex(byte* input, word32 sz, word32* algId)
+{
+    word32 inOutIdx = 0;
+    int    length;
+
+    if (input == NULL)
+        return BAD_FUNC_ARG;
+
+    length = ToTraditionalInline_ex(input, &inOutIdx, sz, algId);
+    if (length < 0)
+        return length;
 
     XMEMMOVE(input, input + inOutIdx, length);
 
     return length;
 }
 
+int ToTraditional(byte* input, word32 sz)
+{
+    word32 oid;
+
+    return ToTraditional_ex(input, sz, &oid);
+}
+
+#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
+
+#ifdef HAVE_PKCS8
+
+/* find beginning of traditional key inside PKCS#8 unencrypted buffer
+ * return traditional length on success, with inOutIdx at beginning of
+ * traditional
+ * return negative on failure/error */
+int wc_GetPkcs8TraditionalOffset(byte* input, word32* inOutIdx, word32 sz)
+{
+    int length;
+    word32 algId;
+
+    if (input == NULL || inOutIdx == NULL || (*inOutIdx > sz))
+        return BAD_FUNC_ARG;
+
+    length = ToTraditionalInline_ex(input, inOutIdx, sz, &algId);
+
+    return length;
+}
+
+
+/* PKCS#8 from RFC 5208
+ * This function takes in a DER key and converts it to PKCS#8 format. Used
+ * in creating PKCS#12 shrouded key bags.
+ * Reverse of ToTraditional
+ *
+ * PrivateKeyInfo ::= SEQUENCE {
+ *  version Version,
+ *  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+ *  privateKey          PrivateKey,
+ *  attributes          optional
+ *  }
+ *  Version ::= INTEGER
+ *  PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+ *  PrivateKey ::= OCTET STRING
+ *
+ * out      buffer to place result in
+ * outSz    size of out buffer
+ * key      buffer with DER key
+ * keySz    size of key buffer
+ * algoID   algorithm ID i.e. RSAk
+ * curveOID ECC curve oid if used. Should be NULL for RSA keys.
+ * oidSz    size of curve oid. Is set to 0 if curveOID is NULL.
+ *
+ * Returns the size of PKCS#8 placed into out. In error cases returns negative
+ * values.
+ */
+int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz,
+        int algoID, const byte* curveOID, word32 oidSz)
+{
+        word32 keyIdx = 0;
+        word32 tmpSz  = 0;
+        word32 sz;
+
+
+        /* If out is NULL then return the max size needed
+         * + 2 for ASN_OBJECT_ID and ASN_OCTET_STRING tags */
+        if (out == NULL && outSz != NULL) {
+            *outSz = keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
+                     + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2;
+
+            if (curveOID != NULL)
+                *outSz += oidSz + MAX_LENGTH_SZ + 1;
+
+            WOLFSSL_MSG("Checking size of PKCS8");
+
+            return LENGTH_ONLY_E;
+        }
+
+        WOLFSSL_ENTER("wc_CreatePKCS8Key()");
+
+        if (key == NULL || out == NULL || outSz == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        /* check the buffer has enough room for largest possible size */
+        if (curveOID != NULL) {
+            if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
+                   + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 3 + oidSz + MAX_LENGTH_SZ))
+                return BUFFER_E;
+        }
+        else {
+            oidSz = 0; /* with no curveOID oid size must be 0 */
+            if (*outSz < (keySz + MAX_SEQ_SZ + MAX_VERSION_SZ + MAX_ALGO_SZ
+                      + MAX_LENGTH_SZ + MAX_LENGTH_SZ + 2))
+                return BUFFER_E;
+        }
+
+        /* PrivateKeyInfo ::= SEQUENCE */
+        keyIdx += MAX_SEQ_SZ; /* save room for sequence */
+
+        /*  version Version
+         *  no header information just INTEGER */
+        sz = SetMyVersion(PKCS8v0, out + keyIdx, 0);
+        tmpSz += sz; keyIdx += sz;
+
+        /*  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier */
+        sz = 0; /* set sz to 0 and get privateKey oid buffer size needed */
+        if (curveOID != NULL && oidSz > 0) {
+            byte buf[MAX_LENGTH_SZ];
+            sz = SetLength(oidSz, buf);
+            sz += 1; /* plus one for ASN object id */
+        }
+        sz = SetAlgoID(algoID, out + keyIdx, oidKeyType, oidSz + sz);
+        tmpSz += sz; keyIdx += sz;
+
+        /*  privateKey          PrivateKey *
+         * pkcs8 ecc uses slightly different format. Places curve oid in
+         * buffer */
+        if (curveOID != NULL && oidSz > 0) {
+            sz = SetObjectId(oidSz, out + keyIdx);
+            keyIdx += sz; tmpSz += sz;
+            XMEMCPY(out + keyIdx, curveOID, oidSz);
+            keyIdx += oidSz; tmpSz += oidSz;
+        }
+
+        sz = SetOctetString(keySz, out + keyIdx);
+        keyIdx += sz; tmpSz += sz;
+        XMEMCPY(out + keyIdx, key, keySz);
+        tmpSz += keySz;
+
+        /*  attributes          optional
+         * No attributes currently added */
+
+        /* rewind and add sequence */
+        sz = SetSequence(tmpSz, out);
+        XMEMMOVE(out + sz, out + MAX_SEQ_SZ, tmpSz);
+
+        return tmpSz + sz;
+}
+
+#endif /* HAVE_PKCS8 */
+
+#if defined(HAVE_PKCS12) || !defined(NO_CHECK_PRIVATE_KEY)
+/* check that the private key is a pair for the public key in certificate
+ * return 1 (true) on match
+ * return 0 or negative value on failure/error
+ *
+ * key   : buffer holding DER format key
+ * keySz : size of key buffer
+ * der   : a initialized and parsed DecodedCert holding a certificate */
+int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
+{
+    int ret;
+    (void)keySz;
+
+    if (key == NULL || der == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT)
+    /* test if RSA key */
+    if (der->keyOID == RSAk) {
+    #ifdef WOLFSSL_SMALL_STACK
+        RsaKey* a;
+        RsaKey* b = NULL;
+    #else
+        RsaKey a[1], b[1];
+    #endif
+        word32 keyIdx = 0;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        a = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
+        if (a == NULL)
+            return MEMORY_E;
+        b = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA);
+        if (b == NULL) {
+            XFREE(a, NULL, DYNAMIC_TYPE_RSA);
+            return MEMORY_E;
+        }
+    #endif
+
+        if ((ret = wc_InitRsaKey(a, NULL)) < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(b, NULL, DYNAMIC_TYPE_RSA);
+            XFREE(a, NULL, DYNAMIC_TYPE_RSA);
+    #endif
+            return ret;
+        }
+        if ((ret = wc_InitRsaKey(b, NULL)) < 0) {
+            wc_FreeRsaKey(a);
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(b, NULL, DYNAMIC_TYPE_RSA);
+            XFREE(a, NULL, DYNAMIC_TYPE_RSA);
+    #endif
+            return ret;
+        }
+        if ((ret = wc_RsaPrivateKeyDecode(key, &keyIdx, a, keySz)) == 0) {
+            WOLFSSL_MSG("Checking RSA key pair");
+            keyIdx = 0; /* reset to 0 for parsing public key */
+
+            if ((ret = wc_RsaPublicKeyDecode(der->publicKey, &keyIdx, b,
+                                                       der->pubKeySize)) == 0) {
+                /* limit for user RSA crypto because of RsaKey
+                 * dereference. */
+            #if defined(HAVE_USER_RSA)
+                WOLFSSL_MSG("Cannot verify RSA pair with user RSA");
+                ret = 1; /* return first RSA cert as match */
+            #else
+                /* both keys extracted successfully now check n and e
+                 * values are the same. This is dereferencing RsaKey */
+                if (mp_cmp(&(a->n), &(b->n)) != MP_EQ ||
+                    mp_cmp(&(a->e), &(b->e)) != MP_EQ) {
+                    ret = MP_CMP_E;
+                }
+                else
+                    ret = 1;
+            #endif
+            }
+        }
+        wc_FreeRsaKey(b);
+        wc_FreeRsaKey(a);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(b, NULL, DYNAMIC_TYPE_RSA);
+        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
+    #endif
+    }
+    else
+    #endif /* !NO_RSA && !NO_ASN_CRYPT */
+
+    #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT)
+    if (der->keyOID == ECDSAk) {
+    #ifdef WOLFSSL_SMALL_STACK
+        ecc_key* key_pair;
+        byte*    privDer;
+    #else
+        ecc_key  key_pair[1];
+        byte     privDer[MAX_ECC_BYTES];
+    #endif
+        word32   privSz = MAX_ECC_BYTES;
+        word32   keyIdx = 0;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        key_pair = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC);
+        if (key_pair == NULL)
+            return MEMORY_E;
+        privDer = (byte*)XMALLOC(MAX_ECC_BYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (privDer == NULL) {
+            XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC);
+            return MEMORY_E;
+        }
+    #endif
+
+        if ((ret = wc_ecc_init(key_pair)) < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(privDer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+            return ret;
+        }
+
+        if ((ret = wc_EccPrivateKeyDecode(key, &keyIdx, key_pair,
+                                                                 keySz)) == 0) {
+            WOLFSSL_MSG("Checking ECC key pair");
+
+            if ((ret = wc_ecc_export_private_only(key_pair, privDer, &privSz))
+                                                                         == 0) {
+                wc_ecc_free(key_pair);
+                ret = wc_ecc_init(key_pair);
+                if (ret == 0) {
+                    ret = wc_ecc_import_private_key((const byte*)privDer,
+                                            privSz, (const byte*)der->publicKey,
+                                            der->pubKeySize, key_pair);
+                }
+
+                /* public and private extracted successfully now check if is
+                 * a pair and also do sanity checks on key. wc_ecc_check_key
+                 * checks that private * base generator equals pubkey */
+                if (ret == 0) {
+                    if ((ret = wc_ecc_check_key(key_pair)) == 0) {
+                        ret = 1;
+                    }
+                }
+                ForceZero(privDer, privSz);
+            }
+        }
+        wc_ecc_free(key_pair);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(privDer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+    }
+    else
+    #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */
+
+    #if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT)
+    if (der->keyOID == ED25519k) {
+    #ifdef WOLFSSL_SMALL_STACK
+        ed25519_key* key_pair;
+    #else
+        ed25519_key  key_pair[1];
+    #endif
+        word32       keyIdx = 0;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        key_pair = (ed25519_key*)XMALLOC(sizeof(ed25519_key), NULL,
+                                                          DYNAMIC_TYPE_ED25519);
+        if (key_pair == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_ed25519_init(key_pair)) < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(key_pair, NULL, DYNAMIC_TYPE_ED25519);
+    #endif
+            return ret;
+        }
+        if ((ret = wc_Ed25519PrivateKeyDecode(key, &keyIdx, key_pair,
+                                                                 keySz)) == 0) {
+            WOLFSSL_MSG("Checking ED25519 key pair");
+            keyIdx = 0;
+            if ((ret = wc_ed25519_import_public(der->publicKey, der->pubKeySize,
+                                                              key_pair)) == 0) {
+                /* public and private extracted successfully no check if is
+                 * a pair and also do sanity checks on key. wc_ecc_check_key
+                 * checks that private * base generator equals pubkey */
+                if ((ret = wc_ed25519_check_key(key_pair)) == 0)
+                    ret = 1;
+            }
+        }
+        wc_ed25519_free(key_pair);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(key_pair, NULL, DYNAMIC_TYPE_ED25519);
+    #endif
+    }
+    else
+    #endif /* HAVE_ED25519 && !NO_ASN_CRYPT */
+
+    #if defined(HAVE_ED448) && !defined(NO_ASN_CRYPT)
+    if (der->keyOID == ED448k) {
+    #ifdef WOLFSSL_SMALL_STACK
+        ed448_key* key_pair = NULL;
+    #else
+        ed448_key  key_pair[1];
+    #endif
+        word32     keyIdx = 0;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        key_pair = (ed448_key*)XMALLOC(sizeof(ed448_key), NULL,
+                                                            DYNAMIC_TYPE_ED448);
+        if (key_pair == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_ed448_init(key_pair)) < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(key_pair, NULL, DYNAMIC_TYPE_ED448);
+    #endif
+            return ret;
+        }
+        if ((ret = wc_Ed448PrivateKeyDecode(key, &keyIdx, key_pair,
+                                                                 keySz)) == 0) {
+            WOLFSSL_MSG("Checking ED448 key pair");
+            keyIdx = 0;
+            if ((ret = wc_ed448_import_public(der->publicKey, der->pubKeySize,
+                                                              key_pair)) == 0) {
+                /* public and private extracted successfully no check if is
+                 * a pair and also do sanity checks on key. wc_ecc_check_key
+                 * checks that private * base generator equals pubkey */
+                if ((ret = wc_ed448_check_key(key_pair)) == 0)
+                    ret = 1;
+            }
+        }
+        wc_ed448_free(key_pair);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(key_pair, NULL, DYNAMIC_TYPE_ED448);
+    #endif
+    }
+    else
+    #endif /* HAVE_ED448 && !NO_ASN_CRYPT */
+    {
+        ret = 0;
+    }
+
+    (void)keySz;
+
+    return ret;
+}
+
+#endif /* HAVE_PKCS12 || !NO_CHECK_PRIVATE_KEY */
 
 #ifndef NO_PWDBASED
 
+#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
 /* Check To see if PKCS version algo is supported, set id if it is return 0
    < 0 on error */
-static int CheckAlgo(int first, int second, int* id, int* version)
+static int CheckAlgo(int first, int second, int* id, int* version, int* blockSz)
 {
     *id      = ALGO_ID_E;
     *version = PKCS5;   /* default */
+    if (blockSz) *blockSz = 8; /* default */
 
     if (first == 1) {
         switch (second) {
-        case 1:
+#if !defined(NO_SHA)
+    #ifndef NO_RC4
+        case PBE_SHA1_RC4_128:
             *id = PBE_SHA1_RC4_128;
-            *version = PKCS12;
+            *version = PKCS12v1;
             return 0;
-        case 3:
+    #endif
+    #ifndef NO_DES3
+        case PBE_SHA1_DES3:
             *id = PBE_SHA1_DES3;
-            *version = PKCS12;
+            *version = PKCS12v1;
+            if (blockSz) *blockSz = DES_BLOCK_SIZE;
             return 0;
+        case PBE_SHA1_DES:
+            *id = PBE_SHA1_DES;
+            *version = PKCS12v1;
+            if (blockSz) *blockSz = DES_BLOCK_SIZE;
+            return 0;
+    #endif
+#endif /* !NO_SHA */
         default:
             return ALGO_ID_E;
         }
@@ -857,213 +3124,655 @@ static int CheckAlgo(int first, int second, int* id, int* version)
     }
 
     switch (second) {
+#ifndef NO_DES3
+    #ifndef NO_MD5
     case 3:                   /* see RFC 2898 for ids */
         *id = PBE_MD5_DES;
+        if (blockSz) *blockSz = DES_BLOCK_SIZE;
         return 0;
+    #endif
+    #ifndef NO_SHA
     case 10:
         *id = PBE_SHA1_DES;
+        if (blockSz) *blockSz = DES_BLOCK_SIZE;
         return 0;
+    #endif
+#endif /* !NO_DES3 */
     default:
         return ALGO_ID_E;
 
     }
 }
 
-
 /* Check To see if PKCS v2 algo is supported, set id if it is return 0
    < 0 on error */
-static int CheckAlgoV2(int oid, int* id)
+static int CheckAlgoV2(int oid, int* id, int* blockSz)
 {
+    if (blockSz) *blockSz = 8; /* default */
+    (void)id; /* not used if AES and DES3 disabled */
     switch (oid) {
-    case 69:
+#if !defined(NO_DES3) && !defined(NO_SHA)
+    case DESb:
         *id = PBE_SHA1_DES;
+        if (blockSz) *blockSz = DES_BLOCK_SIZE;
         return 0;
-    case 652:
+    case DES3b:
         *id = PBE_SHA1_DES3;
+        if (blockSz) *blockSz = DES_BLOCK_SIZE;
         return 0;
+#endif
+#ifdef WOLFSSL_AES_256
+    case AES256CBCb:
+        *id = PBE_AES256_CBC;
+        if (blockSz) *blockSz = AES_BLOCK_SIZE;
+        return 0;
+#endif
+#ifdef WOLFSSL_AES_128
+    case AES128CBCb:
+        *id = PBE_AES128_CBC;
+        if (blockSz) *blockSz = AES_BLOCK_SIZE;
+        return 0;
+#endif
     default:
+        WOLFSSL_MSG("No PKCS v2 algo found");
         return ALGO_ID_E;
 
     }
 }
 
+#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
+
+#ifdef HAVE_PKCS8
 
-/* Decrypt intput in place from parameters based on id */
-static int DecryptKey(const char* password, int passwordSz, byte* salt,
-                      int saltSz, int iterations, int id, byte* input,
-                      int length, int version, byte* cbcIv)
+int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
+        int* algoID, void* heap)
 {
-    int typeH;
-    int derivedLen;
-    int decryptionType;
-    int ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* key;
-#else
-    byte key[MAX_KEY_SIZE];
-#endif
+    word32 tmpIdx = 0;
 
-    switch (id) {
-        case PBE_MD5_DES:
-            typeH = MD5;
-            derivedLen = 16;           /* may need iv for v1.5 */
-            decryptionType = DES_TYPE;
-            break;
+    if (key == NULL || algoID == NULL)
+        return BAD_FUNC_ARG;
 
-        case PBE_SHA1_DES:
-            typeH = SHA;
-            derivedLen = 16;           /* may need iv for v1.5 */
-            decryptionType = DES_TYPE;
-            break;
+    *algoID = 0;
 
-        case PBE_SHA1_DES3:
-            typeH = SHA;
-            derivedLen = 32;           /* may need iv for v1.5 */
-            decryptionType = DES3_TYPE;
-            break;
+    #if !defined(NO_RSA) && !defined(NO_ASN_CRYPT)
+    {
+        RsaKey rsa;
 
-        case PBE_SHA1_RC4_128:
-            typeH = SHA;
-            derivedLen = 16;
-            decryptionType = RC4_TYPE;
-            break;
+        wc_InitRsaKey(&rsa, heap);
+        if (wc_RsaPrivateKeyDecode(key, &tmpIdx, &rsa, keySz) == 0) {
+            *algoID = RSAk;
+        }
+        else {
+            WOLFSSL_MSG("Not RSA DER key");
+        }
+        wc_FreeRsaKey(&rsa);
+    }
+    #endif /* !NO_RSA && !NO_ASN_CRYPT */
+    #if defined(HAVE_ECC) && !defined(NO_ASN_CRYPT)
+    if (*algoID == 0) {
+        ecc_key ecc;
+
+        tmpIdx = 0;
+        wc_ecc_init_ex(&ecc, heap, INVALID_DEVID);
+        if (wc_EccPrivateKeyDecode(key, &tmpIdx, &ecc, keySz) == 0) {
+            *algoID = ECDSAk;
+
+            /* now find oid */
+            if (wc_ecc_get_oid(ecc.dp->oidSum, curveOID, oidSz) < 0) {
+                WOLFSSL_MSG("Error getting ECC curve OID");
+                wc_ecc_free(&ecc);
+                return BAD_FUNC_ARG;
+            }
+        }
+        else {
+            WOLFSSL_MSG("Not ECC DER key either");
+        }
+        wc_ecc_free(&ecc);
+    }
+#endif /* HAVE_ECC && !NO_ASN_CRYPT */
+#if defined(HAVE_ED25519) && !defined(NO_ASN_CRYPT)
+    if (*algoID != RSAk && *algoID != ECDSAk) {
+        ed25519_key ed25519;
+
+        tmpIdx = 0;
+        if (wc_ed25519_init(&ed25519) == 0) {
+            if (wc_Ed25519PrivateKeyDecode(key, &tmpIdx, &ed25519, keySz)
+                                                                         == 0) {
+                *algoID = ED25519k;
+            }
+            else {
+                WOLFSSL_MSG("Not ED25519 DER key");
+            }
+            wc_ed25519_free(&ed25519);
+        }
+        else {
+            WOLFSSL_MSG("GetKeyOID wc_ed25519_init failed");
+        }
+    }
+#endif /* HAVE_ED25519 && !NO_ASN_CRYPT */
+#if defined(HAVE_ED448) && !defined(NO_ASN_CRYPT)
+    if (*algoID != RSAk && *algoID != ECDSAk && *algoID != ED25519k) {
+        ed448_key ed448;
+
+        tmpIdx = 0;
+        if (wc_ed448_init(&ed448) == 0) {
+            if (wc_Ed448PrivateKeyDecode(key, &tmpIdx, &ed448, keySz) == 0) {
+                *algoID = ED448k;
+            }
+            else {
+                WOLFSSL_MSG("Not ED448 DER key");
+            }
+            wc_ed448_free(&ed448);
+        }
+        else {
+            WOLFSSL_MSG("GetKeyOID wc_ed448_init failed");
+        }
+    }
+#endif /* HAVE_ED448 && !NO_ASN_CRYPT */
 
-        default:
-            return ALGO_ID_E;
+    /* if flag is not set then is neither RSA or ECC key that could be
+     * found */
+    if (*algoID == 0) {
+        WOLFSSL_MSG("Bad key DER or compile options");
+        return BAD_FUNC_ARG;
     }
 
-#ifdef WOLFSSL_SMALL_STACK
-    key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (key == NULL)
-        return MEMORY_E;
-#endif
+    (void)tmpIdx;
+    (void)curveOID;
+    (void)oidSz;
+    (void)keySz;
+    (void)heap;
 
-    if (version == PKCS5v2)
-        ret = wc_PBKDF2(key, (byte*)password, passwordSz, salt, saltSz, iterations,
-               derivedLen, typeH);
-#ifndef NO_SHA
-    else if (version == PKCS5)
-        ret = wc_PBKDF1(key, (byte*)password, passwordSz, salt, saltSz, iterations,
-               derivedLen, typeH);
-#endif
-    else if (version == PKCS12) {
-        int  i, idx = 0;
-        byte unicodePasswd[MAX_UNICODE_SZ];
+    return 1;
+}
+
+#endif /* HAVE_PKCS8 */
+
+#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
+
+#define PKCS8_MIN_BLOCK_SIZE 8
+static int Pkcs8Pad(byte* buf, int sz, int blockSz)
+{
+    int i, padSz;
+
+    /* calculate pad size */
+    padSz = blockSz - (sz & (blockSz - 1));
+
+    /* pad with padSz value */
+    if (buf) {
+        for (i = 0; i < padSz; i++) {
+            buf[sz+i] = (byte)(padSz & 0xFF);
+        }
+    }
+
+    /* return adjusted length */
+    return sz + padSz;
+}
+
+#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
+
+#ifdef HAVE_PKCS8
+
+/*
+ * Used when creating PKCS12 shrouded key bags
+ * vPKCS is the version of PKCS to use
+ * vAlgo is the algorithm version to use
+ *
+ * if salt is NULL a random number is generated
+ *
+ * returns the size of encrypted data on success
+ */
+int UnTraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz,
+        const char* password, int passwordSz, int vPKCS, int vAlgo,
+        byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap)
+{
+    int algoID = 0;
+    byte*  tmp;
+    word32 tmpSz = 0;
+    word32 sz;
+    word32 seqSz;
+    word32 inOutIdx = 0;
+    word32 totalSz = 0;
+    int    version, id;
+    int    ret;
+    int    blockSz = 0;
+
+    const byte* curveOID = NULL;
+    word32 oidSz   = 0;
 
-        if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    byte*  saltTmp = NULL;
+    byte*  cbcIv   = NULL;
+#else
+    byte   saltTmp[MAX_IV_SIZE];
+    byte   cbcIv[MAX_IV_SIZE];
 #endif
-            return UNICODE_SIZE_E; 
+
+    WOLFSSL_ENTER("UnTraditionalEnc()");
+
+    if (saltSz > MAX_SALT_SIZE)
+        return ASN_PARSE_E;
+
+
+    inOutIdx += MAX_SEQ_SZ; /* leave room for size of finished shroud */
+    if (CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz) < 0) {
+        WOLFSSL_MSG("Bad/Unsupported algorithm ID");
+        return ASN_INPUT_E;  /* Algo ID error */
+    }
+
+    if (out != NULL) {
+        if (*outSz < inOutIdx + MAX_ALGO_SZ + MAX_SALT_SIZE + MAX_SEQ_SZ + 1 +
+                MAX_LENGTH_SZ + MAX_SHORT_SZ + 1)
+                return BUFFER_E;
+
+        if (version == PKCS5v2) {
+            WOLFSSL_MSG("PKCS5v2 Not supported yet\n");
+            return ASN_VERSION_E;
         }
 
-        for (i = 0; i < passwordSz; i++) {
-            unicodePasswd[idx++] = 0x00;
-            unicodePasswd[idx++] = (byte)password[i];
+        if (salt == NULL || saltSz == 0) {
+            saltSz = 8;
+        #ifdef WOLFSSL_SMALL_STACK
+            saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (saltTmp == NULL)
+                return MEMORY_E;
+        #endif
+            salt = saltTmp;
+
+            if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) {
+                WOLFSSL_MSG("Error generating random salt");
+            #ifdef WOLFSSL_SMALL_STACK
+                if (saltTmp != NULL)
+                    XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return ret;
+            }
         }
-        /* add trailing NULL */
-        unicodePasswd[idx++] = 0x00;
-        unicodePasswd[idx++] = 0x00;
 
-        ret =  wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
-                            iterations, derivedLen, typeH, 1);
-        if (decryptionType != RC4_TYPE)
-            ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
-                                iterations, 8, typeH, 2);
+
+        /* leave room for a sequence (contains salt and iterations int) */
+        inOutIdx += MAX_SEQ_SZ; sz = 0;
+        inOutIdx += MAX_ALGO_SZ;
+
+        /* place salt in buffer */
+        out[inOutIdx++] = ASN_OCTET_STRING; sz++;
+        tmpSz = SetLength(saltSz, out + inOutIdx);
+        inOutIdx += tmpSz; sz += tmpSz;
+        XMEMCPY(out + inOutIdx, salt, saltSz);
+        inOutIdx += saltSz; sz += saltSz;
+
+        /* place iteration count in buffer */
+        ret = SetShortInt(out, &inOutIdx, itt, *outSz);
+        if (ret < 0) {
+            return ret;
+        }
+        sz += (word32)ret;
+
+        /* wind back index and set sequence then clean up buffer */
+        inOutIdx -= (sz + MAX_SEQ_SZ);
+        tmpSz = SetSequence(sz, out + inOutIdx);
+        XMEMMOVE(out + inOutIdx + tmpSz, out + inOutIdx + MAX_SEQ_SZ, sz);
+        totalSz += tmpSz + sz; sz += tmpSz;
+
+        /* add in algo ID */
+        inOutIdx -= MAX_ALGO_SZ;
+        tmpSz =  SetAlgoID(id, out + inOutIdx, oidPBEType, sz);
+        XMEMMOVE(out + inOutIdx + tmpSz, out + inOutIdx + MAX_ALGO_SZ, sz);
+        totalSz += tmpSz; inOutIdx += tmpSz + sz;
+
+        /* octet string containing encrypted key */
+        out[inOutIdx++] = ASN_OCTET_STRING; totalSz++;
     }
-    else {
+
+    /* check key type and get OID if ECC */
+    if ((ret = wc_GetKeyOID(key, keySz, &curveOID, &oidSz, &algoID, heap))< 0) {
+        WOLFSSL_MSG("Error getting key OID");
+        return ret;
+    }
+
+    /* PKCS#8 wrapping around key */
+    if (wc_CreatePKCS8Key(NULL, &tmpSz, key, keySz, algoID, curveOID, oidSz)
+            != LENGTH_ONLY_E) {
+    #ifdef WOLFSSL_SMALL_STACK
+        if (saltTmp != NULL)
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return MEMORY_E;
+    }
+
+    /* check if should return max size */
+    if (out == NULL) {
+        /* account for salt size */
+        if (salt == NULL || saltSz == 0) {
+            tmpSz += MAX_SALT_SIZE;
+        }
+        else {
+            tmpSz += saltSz;
+        }
+
+        /* plus 3 for tags */
+        *outSz = tmpSz + MAX_ALGO_SZ + MAX_LENGTH_SZ +MAX_LENGTH_SZ + MAX_SEQ_SZ
+            + MAX_LENGTH_SZ + MAX_SEQ_SZ + 3;
+        return LENGTH_ONLY_E;
+    }
+
+    /* reserve buffer for crypto and make sure it supports full blocks */
+    tmp = (byte*)XMALLOC(tmpSz + (blockSz-1), heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+    #ifdef WOLFSSL_SMALL_STACK
+        if (saltTmp != NULL)
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return MEMORY_E;
+    }
+
+    if ((ret = wc_CreatePKCS8Key(tmp, &tmpSz, key, keySz, algoID, curveOID,
+                    oidSz)) < 0) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Error wrapping key with PKCS#8");
+    #ifdef WOLFSSL_SMALL_STACK
+        if (saltTmp != NULL)
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return ret;
+    }
+    tmpSz = ret;
+
+    /* adjust size to pad */
+    tmpSz = Pkcs8Pad(tmp, tmpSz, blockSz);
+
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cbcIv == NULL) {
+        if (saltTmp != NULL)
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(salt, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
 #endif
-        return ALGO_ID_E;
+
+    /* encrypt PKCS#8 wrapped key */
+    if ((ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id,
+               tmp, tmpSz, version, cbcIv, 1, 0)) < 0) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Error encrypting key");
+    #ifdef WOLFSSL_SMALL_STACK
+        if (saltTmp != NULL)
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (cbcIv != NULL)
+            XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return ret;  /* encryption failure */
     }
+    totalSz += tmpSz;
 
-    if (ret != 0) {
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (saltTmp != NULL)
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cbcIv != NULL)
+        XFREE(cbcIv, heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return ret;
+
+    if (*outSz < inOutIdx + tmpSz + MAX_LENGTH_SZ) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BUFFER_E;
     }
 
-    switch (decryptionType) {
-#ifndef NO_DES3
-        case DES_TYPE:
-        {
-            Des    dec;
-            byte*  desIv = key + 8;
+    /* set length of key and copy over encrypted key */
+    seqSz = SetLength(tmpSz, out + inOutIdx);
+    inOutIdx += seqSz; totalSz += seqSz;
+    XMEMCPY(out + inOutIdx, tmp, tmpSz);
+    XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
 
-            if (version == PKCS5v2 || version == PKCS12)
-                desIv = cbcIv;
+    /* set total size at beginning */
+    sz = SetSequence(totalSz, out);
+    XMEMMOVE(out + sz, out + MAX_SEQ_SZ, totalSz);
 
-            ret = wc_Des_SetKey(&dec, key, desIv, DES_DECRYPTION);
-            if (ret != 0) {
-#ifdef WOLFSSL_SMALL_STACK
-                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-                return ret;
-            }
+    (void)rng;
 
-            wc_Des_CbcDecrypt(&dec, input, input, length);
-            break;
-        }
+    return totalSz + sz;
+}
 
-        case DES3_TYPE:
-        {
-            Des3   dec;
-            byte*  desIv = key + 24;
+static int GetAlgoV2(int encAlgId, const byte** oid, int *len, int* id,
+                     int *blkSz)
+{
+    int ret = 0;
 
-            if (version == PKCS5v2 || version == PKCS12)
-                desIv = cbcIv;
-            ret = wc_Des3_SetKey(&dec, key, desIv, DES_DECRYPTION);
-            if (ret != 0) {
-#ifdef WOLFSSL_SMALL_STACK
-                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    switch (encAlgId) {
+#if !defined(NO_DES3) && !defined(NO_SHA)
+    case DESb:
+        *len = sizeof(blkDesCbcOid);
+        *oid = blkDesCbcOid;
+        *id = PBE_SHA1_DES;
+        *blkSz = 8;
+        break;
+    case DES3b:
+        *len = sizeof(blkDes3CbcOid);
+        *oid = blkDes3CbcOid;
+        *id = PBE_SHA1_DES3;
+        *blkSz = 8;
+        break;
 #endif
-                return ret;
-            }
-            ret = wc_Des3_CbcDecrypt(&dec, input, input, length);
-            if (ret != 0) {
+#if defined(WOLFSSL_AES_256) && defined(HAVE_AES_CBC)
+    case AES256CBCb:
+        *len = sizeof(blkAes256CbcOid);
+        *oid = blkAes256CbcOid;
+        *id = PBE_AES256_CBC;
+        *blkSz = 16;
+        break;
+#endif
+    default:
+        (void)len;
+        (void)oid;
+        (void)id;
+        (void)blkSz;
+        ret = ALGO_ID_E;
+    }
+
+    return ret;
+}
+
+/* Converts Encrypted PKCS#8 to 'traditional' (i.e. PKCS#8 removed from
+ * decrypted key.)
+ */
+int TraditionalEnc(byte* key, word32 keySz, byte* out, word32* outSz,
+        const char* password, int passwordSz, int vPKCS, int vAlgo,
+        int encAlgId, byte* salt, word32 saltSz, int itt, WC_RNG* rng,
+        void* heap)
+{
+    int ret = 0;
+    int version, blockSz, id;
+    word32 idx = 0, encIdx;
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    byte* saltTmp = NULL;
+#else
+    byte saltTmp[MAX_SALT_SIZE];
 #endif
-                return ret;
-            }
-            break;
+    byte cbcIv[MAX_IV_SIZE];
+    byte *pkcs8Key = NULL;
+    word32 pkcs8KeySz = 0, padSz = 0;
+    int algId = 0;
+    const byte* curveOid = NULL;
+    word32 curveOidSz = 0;
+    const byte* pbeOid = NULL;
+    word32 pbeOidSz = 0;
+    const byte* encOid = NULL;
+    int encOidSz = 0;
+    word32 pbeLen = 0, kdfLen = 0, encLen = 0;
+    word32 innerLen = 0, outerLen;
+
+    ret = CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz);
+    /* create random salt if one not provided */
+    if (ret == 0 && (salt == NULL || saltSz == 0)) {
+        saltSz = 8;
+    #ifdef WOLFSSL_SMALL_STACK
+        saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (saltTmp == NULL)
+            return MEMORY_E;
+    #endif
+        salt = saltTmp;
+
+        if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) {
+            WOLFSSL_MSG("Error generating random salt");
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+            return ret;
         }
-#endif
-#ifndef NO_RC4
-        case RC4_TYPE:
-        {
-            Arc4    dec;
+    }
 
-            wc_Arc4SetKey(&dec, key, derivedLen);
-            wc_Arc4Process(&dec, input, input, length);
-            break;
+    if (ret == 0) {
+        /* check key type and get OID if ECC */
+        ret = wc_GetKeyOID(key, keySz, &curveOid, &curveOidSz, &algId, heap);
+        if (ret == 1)
+            ret = 0;
+    }
+    if (ret == 0) {
+        ret = wc_CreatePKCS8Key(NULL, &pkcs8KeySz, key, keySz, algId, curveOid,
+                                                                    curveOidSz);
+        if (ret == LENGTH_ONLY_E)
+            ret = 0;
+    }
+    if (ret == 0) {
+        pkcs8Key = (byte*)XMALLOC(pkcs8KeySz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (pkcs8Key == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        ret = wc_CreatePKCS8Key(pkcs8Key, &pkcs8KeySz, key, keySz, algId,
+                                                          curveOid, curveOidSz);
+        if (ret >= 0) {
+            pkcs8KeySz = ret;
+            ret = 0;
         }
-#endif
+    }
 
-        default:
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ALGO_ID_E; 
+    if (ret == 0 && version == PKCS5v2)
+        ret = GetAlgoV2(encAlgId, &encOid, &encOidSz, &id, &blockSz);
+
+    if (ret == 0) {
+        padSz = (blockSz - (pkcs8KeySz & (blockSz - 1))) & (blockSz - 1);
+        /* inner = OCT salt INT itt */
+        innerLen = 2 + saltSz + 2 + (itt < 256 ? 1 : 2);
+
+        if (version != PKCS5v2) {
+            pbeOid = OidFromId(id, oidPBEType, &pbeOidSz);
+            /* pbe = OBJ pbse1 SEQ [ inner ] */
+            pbeLen = 2 + pbeOidSz + 2 + innerLen;
+        }
+        else {
+            pbeOid = pbes2;
+            pbeOidSz = sizeof(pbes2);
+            /* kdf = OBJ pbkdf2 [ SEQ innerLen ] */
+            kdfLen = 2 + sizeof(pbkdf2Oid) + 2 + innerLen;
+            /* enc = OBJ enc_alg OCT iv */
+            encLen = 2 + encOidSz + 2 + blockSz;
+            /* pbe = OBJ pbse2 SEQ [ SEQ [ kdf ] SEQ [ enc ] ] */
+            pbeLen = 2 + sizeof(pbes2) + 2 + 2 + kdfLen + 2 + encLen;
+
+            ret = wc_RNG_GenerateBlock(rng, cbcIv, blockSz);
+        }
+    }
+    if (ret == 0) {
+        /* outer = SEQ [ pbe ] OCT encrypted_PKCS#8_key */
+        outerLen = 2 + pbeLen;
+        outerLen += SetOctetString(pkcs8KeySz + padSz, out);
+        outerLen += pkcs8KeySz + padSz;
+
+        idx += SetSequence(outerLen, out + idx);
+
+        encIdx = idx + outerLen - pkcs8KeySz - padSz;
+        /* Put Encrypted content in place. */
+        XMEMCPY(out + encIdx, pkcs8Key, pkcs8KeySz);
+        if (padSz > 0) {
+            XMEMSET(out + encIdx + pkcs8KeySz, padSz, padSz);
+            pkcs8KeySz += padSz;
+        }
+        ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id,
+                                out + encIdx, pkcs8KeySz, version, cbcIv, 1, 0);
+    }
+    if (ret == 0) {
+        if (version != PKCS5v2) {
+            /* PBE algorithm */
+            idx += SetSequence(pbeLen, out + idx);
+            idx += SetObjectId(pbeOidSz, out + idx);
+            XMEMCPY(out + idx, pbeOid, pbeOidSz);
+            idx += pbeOidSz;
+        }
+        else {
+            /* PBES2 algorithm identifier */
+            idx += SetSequence(pbeLen, out + idx);
+            idx += SetObjectId(pbeOidSz, out + idx);
+            XMEMCPY(out + idx, pbeOid, pbeOidSz);
+            idx += pbeOidSz;
+            /* PBES2 Parameters: SEQ [ kdf ] SEQ [ enc ] */
+            idx += SetSequence(2 + kdfLen + 2 + encLen, out + idx);
+            /* KDF Algorithm Identifier */
+            idx += SetSequence(kdfLen, out + idx);
+            idx += SetObjectId(sizeof(pbkdf2Oid), out + idx);
+            XMEMCPY(out + idx, pbkdf2Oid, sizeof(pbkdf2Oid));
+            idx += sizeof(pbkdf2Oid);
+        }
+        idx += SetSequence(innerLen, out + idx);
+        idx += SetOctetString(saltSz, out + idx);
+        XMEMCPY(out + idx, salt, saltSz); idx += saltSz;
+        ret = SetShortInt(out, &idx, itt, *outSz);
+        if (ret > 0)
+            ret = 0;
+    }
+    if (ret == 0) {
+        if (version == PKCS5v2) {
+            /* Encryption Algorithm Identifier */
+            idx += SetSequence(encLen, out + idx);
+            idx += SetObjectId(encOidSz, out + idx);
+            XMEMCPY(out + idx, encOid, encOidSz);
+            idx += encOidSz;
+            /* Encryption Algorithm Parameter: CBC IV */
+            idx += SetOctetString(blockSz, out + idx);
+            XMEMCPY(out + idx, cbcIv, blockSz);
+            idx += blockSz;
+        }
+        idx += SetOctetString(pkcs8KeySz, out + idx);
+        /* Default PRF - no need to write out OID */
+        idx += pkcs8KeySz;
+
+        ret = idx;
     }
 
+    if (pkcs8Key != NULL) {
+        ForceZero(pkcs8Key, pkcs8KeySz);
+        XFREE(pkcs8Key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (saltTmp != NULL) {
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 #endif
 
-    return 0;
+    (void)rng;
+
+    return ret;
 }
 
+#endif /* HAVE_PKCS8 */
 
-/* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
-   of input */
-int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
+#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
+/* decrypt PKCS
+ *
+ * NOTE: input buffer is overwritten with decrypted data!
+ *
+ * input[in/out] data to decrypt and results are written to
+ * sz            size of input buffer
+ * password      password if used. Can be NULL for no password
+ * passwordSz    size of password buffer
+ *
+ * returns the total size of decrypted content on success.
+ */
+int DecryptContent(byte* input, word32 sz, const char* password, int passwordSz)
 {
-    word32 inOutIdx = 0, oid;
-    int    first, second, length, version, saltSz, id;
-    int    iterations = 0;
+    word32 inOutIdx = 0, seqEnd, oid, shaOid = 0;
+    int    ret = 0, first, second, length = 0, version, saltSz, id;
+    int    iterations = 0, keySz = 0;
 #ifdef WOLFSSL_SMALL_STACK
     byte*  salt = NULL;
     byte*  cbcIv = NULL;
@@ -1071,205 +3780,560 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
     byte   salt[MAX_SALT_SIZE];
     byte   cbcIv[MAX_IV_SIZE];
 #endif
-    
-    if (GetSequence(input, &inOutIdx, &length, sz) < 0)
-        return ASN_PARSE_E;
+    byte   tag;
 
-    if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
-        return ASN_PARSE_E;
-    
-    first  = input[inOutIdx - 2];   /* PKCS version alwyas 2nd to last byte */
+    if (passwordSz < 0) {
+        WOLFSSL_MSG("Bad password size");
+        return BAD_FUNC_ARG;
+    }
+
+    if (GetAlgoId(input, &inOutIdx, &oid, oidIgnoreType, sz) < 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
+
+    first  = input[inOutIdx - 2];   /* PKCS version always 2nd to last byte */
     second = input[inOutIdx - 1];   /* version.algo, algo id last byte */
 
-    if (CheckAlgo(first, second, &id, &version) < 0)
-        return ASN_INPUT_E;  /* Algo ID error */
+    if (CheckAlgo(first, second, &id, &version, NULL) < 0) {
+        ERROR_OUT(ASN_INPUT_E, exit_dc); /* Algo ID error */
+    }
 
     if (version == PKCS5v2) {
+        if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
 
-        if (GetSequence(input, &inOutIdx, &length, sz) < 0)
-            return ASN_PARSE_E;
+        if (GetAlgoId(input, &inOutIdx, &oid, oidKdfType, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
 
-        if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
-            return ASN_PARSE_E;
+        if (oid != PBKDF2_OID) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
+    }
 
-        if (oid != PBKDF2_OID)
-            return ASN_PARSE_E;
+    if (GetSequence(input, &inOutIdx, &length, sz) <= 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
     }
+    /* Find the end of this SEQUENCE so we can check for the OPTIONAL and
+     * DEFAULT items. */
+    seqEnd = inOutIdx + length;
 
-    if (GetSequence(input, &inOutIdx, &length, sz) < 0)
-        return ASN_PARSE_E;
+    ret = GetOctetString(input, &inOutIdx, &saltSz, sz);
+    if (ret < 0)
+        goto exit_dc;
 
-    if (input[inOutIdx++] != ASN_OCTET_STRING)
-        return ASN_PARSE_E;
-    
-    if (GetLength(input, &inOutIdx, &saltSz, sz) < 0)
-        return ASN_PARSE_E;
+    if (saltSz > MAX_SALT_SIZE) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
 
-    if (saltSz > MAX_SALT_SIZE)
-        return ASN_PARSE_E;
-     
 #ifdef WOLFSSL_SMALL_STACK
     salt = (byte*)XMALLOC(MAX_SALT_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (salt == NULL)
-        return MEMORY_E;
+    if (salt == NULL) {
+        ERROR_OUT(MEMORY_E, exit_dc);
+    }
 #endif
 
     XMEMCPY(salt, &input[inOutIdx], saltSz);
     inOutIdx += saltSz;
 
-    if (GetShortInt(input, &inOutIdx, &iterations) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        return ASN_PARSE_E;
+    if (GetShortInt(input, &inOutIdx, &iterations, sz) < 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
+
+    /* OPTIONAL key length */
+    if (seqEnd > inOutIdx) {
+        word32 localIdx = inOutIdx;
+
+        if (GetASNTag(input, &localIdx, &tag, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
+
+        if (tag == ASN_INTEGER &&
+                GetShortInt(input, &inOutIdx, &keySz, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
+    }
+
+    /* DEFAULT HMAC is SHA-1 */
+    if (seqEnd > inOutIdx) {
+        if (GetAlgoId(input, &inOutIdx, &oid, oidHmacType, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
+        }
+
+        shaOid = oid;
     }
 
 #ifdef WOLFSSL_SMALL_STACK
     cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (cbcIv == NULL) {
-        XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
+        ERROR_OUT(MEMORY_E, exit_dc);
     }
 #endif
 
     if (version == PKCS5v2) {
         /* get encryption algo */
-        if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;
+        if (GetAlgoId(input, &inOutIdx, &oid, oidBlkType, sz) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
         }
 
-        if (CheckAlgoV2(oid, &id) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;  /* PKCS v2 algo id error */
+        if (CheckAlgoV2(oid, &id, NULL) < 0) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc); /* PKCS v2 algo id error */
         }
 
-        if (input[inOutIdx++] != ASN_OCTET_STRING) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;
-        }
-    
-        if (GetLength(input, &inOutIdx, &length, sz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;
+        if (shaOid == 0)
+            shaOid = oid;
+
+        ret = GetOctetString(input, &inOutIdx, &length, sz);
+        if (ret < 0)
+            goto exit_dc;
+
+        if (length > MAX_IV_SIZE) {
+            ERROR_OUT(ASN_PARSE_E, exit_dc);
         }
 
         XMEMCPY(cbcIv, &input[inOutIdx], length);
         inOutIdx += length;
     }
 
-    if (input[inOutIdx++] != ASN_OCTET_STRING) {
+    if (GetASNTag(input, &inOutIdx, &tag, sz) < 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
+
+    if (tag != (ASN_CONTEXT_SPECIFIC | 0) && tag != ASN_OCTET_STRING) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
+
+    if (GetLength(input, &inOutIdx, &length, sz) < 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_dc);
+    }
+
+    ret = wc_CryptKey(password, passwordSz, salt, saltSz, iterations, id,
+                   input + inOutIdx, length, version, cbcIv, 0, shaOid);
+
+exit_dc:
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return ASN_PARSE_E;
+
+    if (ret == 0) {
+        XMEMMOVE(input, input + inOutIdx, length);
+        ret = length;
     }
 
-    if (GetLength(input, &inOutIdx, &length, sz) < 0) {
+    return ret;
+}
+
+
+/* Remove Encrypted PKCS8 header, move beginning of traditional to beginning
+   of input */
+int ToTraditionalEnc(byte* input, word32 sz,const char* password,
+                     int passwordSz, word32* algId)
+{
+    int ret, length;
+    word32 inOutIdx = 0;
+
+    if (GetSequence(input, &inOutIdx, &length, sz) < 0) {
+        ret = ASN_PARSE_E;
+    }
+    else {
+        ret = DecryptContent(input + inOutIdx, sz - inOutIdx, password,
+                passwordSz);
+        if (ret > 0) {
+            XMEMMOVE(input, input + inOutIdx, ret);
+            ret = ToTraditional_ex(input, ret, algId);
+        }
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
+
+#ifdef HAVE_PKCS12
+
+/* encrypt PKCS 12 content
+ *
+ * NOTE: if out is NULL then outSz is set with the total buffer size needed and
+ *       the error value LENGTH_ONLY_E is returned.
+ *
+ * input      data to encrypt
+ * inputSz    size of input buffer
+ * out        buffer to hold the result
+ * outSz      size of out buffer
+ * password   password if used. Can be NULL for no password
+ * passwordSz size of password buffer
+ * vPKCS      version of PKCS i.e. PKCS5v2
+ * vAlgo      algorithm version
+ * salt       buffer holding salt if used. If NULL then a random salt is created
+ * saltSz     size of salt buffer if it is not NULL
+ * itt        number of iterations used
+ * rng        random number generator to use
+ * heap       possible heap hint for mallocs/frees
+ *
+ * returns the total size of encrypted content on success.
+ *
+ * data returned is :
+ * [ seq - obj [ seq -salt,itt]] , construct with encrypted data
+ */
+int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
+        const char* password, int passwordSz, int vPKCS, int vAlgo,
+        byte* salt, word32 saltSz, int itt, WC_RNG* rng, void* heap)
+{
+    word32 sz;
+    word32 inOutIdx = 0;
+    word32 tmpIdx   = 0;
+    word32 totalSz  = 0;
+    word32 seqSz;
+    word32 innerSz;
+    int    ret;
+    int    version, id, blockSz = 0;
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    byte*  saltTmp = NULL;
+    byte*  cbcIv   = NULL;
+#else
+    byte   saltTmp[MAX_SALT_SIZE];
+    byte   cbcIv[MAX_IV_SIZE];
 #endif
+    byte   seq[MAX_SEQ_SZ];
+    byte   shr[MAX_SHORT_SZ];
+    word32 maxShr = MAX_SHORT_SZ;
+    word32 algoSz;
+    const  byte* algoName;
+
+    (void)heap;
+
+    WOLFSSL_ENTER("EncryptContent()");
+
+    if (CheckAlgo(vPKCS, vAlgo, &id, &version, &blockSz) < 0)
+        return ASN_INPUT_E;  /* Algo ID error */
+
+    if (version == PKCS5v2) {
+        WOLFSSL_MSG("PKCS#5 version 2 not supported yet");
+        return BAD_FUNC_ARG;
+    }
+
+    if (saltSz > MAX_SALT_SIZE)
         return ASN_PARSE_E;
+
+    if (outSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* calculate size */
+    /* size of constructed string at end */
+    sz = Pkcs8Pad(NULL, inputSz, blockSz);
+    totalSz  = ASN_TAG_SZ;
+    totalSz += SetLength(sz, seq);
+    totalSz += sz;
+
+    /* size of sequence holding object id and sub sequence of salt and itt */
+    algoName = OidFromId(id, oidPBEType, &algoSz);
+    if (algoName == NULL) {
+        WOLFSSL_MSG("Unknown Algorithm");
+        return 0;
+    }
+    innerSz = SetObjectId(algoSz, seq);
+    innerSz += algoSz;
+
+    /* get subsequence of salt and itt */
+    if (salt == NULL || saltSz == 0) {
+        sz = 8;
+    }
+    else {
+        sz = saltSz;
+    }
+    seqSz  = SetOctetString(sz, seq);
+    seqSz += sz;
+
+    tmpIdx = 0;
+    seqSz += SetShortInt(shr, &tmpIdx, itt, maxShr);
+    innerSz += seqSz + SetSequence(seqSz, seq);
+    totalSz += innerSz + SetSequence(innerSz, seq);
+
+    if (out == NULL) {
+        *outSz = totalSz;
+        return LENGTH_ONLY_E;
+    }
+
+    inOutIdx = 0;
+    if (totalSz > *outSz)
+        return BUFFER_E;
+
+    inOutIdx += SetSequence(innerSz, out + inOutIdx);
+    inOutIdx += SetObjectId(algoSz, out + inOutIdx);
+    XMEMCPY(out + inOutIdx, algoName, algoSz);
+    inOutIdx += algoSz;
+    inOutIdx += SetSequence(seqSz, out + inOutIdx);
+
+    /* create random salt if one not provided */
+    if (salt == NULL || saltSz == 0) {
+        saltSz = 8;
+    #ifdef WOLFSSL_SMALL_STACK
+        saltTmp = (byte*)XMALLOC(saltSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (saltTmp == NULL)
+            return MEMORY_E;
+    #endif
+        salt = saltTmp;
+
+        if ((ret = wc_RNG_GenerateBlock(rng, saltTmp, saltSz)) != 0) {
+            WOLFSSL_MSG("Error generating random salt");
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+            return ret;
+        }
+    }
+    inOutIdx += SetOctetString(saltSz, out + inOutIdx);
+    if (saltSz + inOutIdx > *outSz) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return BUFFER_E;
     }
+    XMEMCPY(out + inOutIdx, salt, saltSz);
+    inOutIdx += saltSz;
 
-    if (DecryptKey(password, passwordSz, salt, saltSz, iterations, id,
-                   input + inOutIdx, length, version, cbcIv) < 0) {
+    /* place iteration setting in buffer */
+    ret = SetShortInt(out, &inOutIdx, itt, *outSz);
+    if (ret < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return ret;
+    }
+
+    if (inOutIdx + 1 > *outSz) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return BUFFER_E;
+    }
+    out[inOutIdx++] = ASN_CONTEXT_SPECIFIC | 0;
+
+    /* get pad size and verify buffer room */
+    sz = Pkcs8Pad(NULL, inputSz, blockSz);
+    if (sz + inOutIdx > *outSz) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return BUFFER_E;
+    }
+    inOutIdx += SetLength(sz, out + inOutIdx);
+
+    /* copy input to output buffer and pad end */
+    XMEMCPY(out + inOutIdx, input, inputSz);
+    sz = Pkcs8Pad(out + inOutIdx, inputSz, blockSz);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    cbcIv = (byte*)XMALLOC(MAX_IV_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cbcIv == NULL) {
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
 #endif
-        return ASN_INPUT_E;  /* decrypt failure */
+
+    /* encrypt */
+    if ((ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id,
+                   out + inOutIdx, sz, version, cbcIv, 1, 0)) < 0) {
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(cbcIv,   heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return ret;  /* encrypt failure */
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(cbcIv,   heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-    XMEMMOVE(input, input + inOutIdx, length);
-    return ToTraditional(input, length);
+    (void)rng;
+
+    return inOutIdx + sz;
 }
 
+
+#endif /* HAVE_PKCS12 */
 #endif /* NO_PWDBASED */
 
 #ifndef NO_RSA
 
-int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
-                       word32 inSz)
+#ifndef HAVE_USER_RSA
+#ifdef WOLFSSL_RENESAS_TSIP
+/* This function is to retrieve key position information in a cert.*
+ * The information will be used to call TSIP TLS-linked API for    *
+ * certificate verification.                                       */
+static int RsaPublicKeyDecodeRawIndex(const byte* input, word32* inOutIdx,
+                                      word32 inSz, word32* key_n,
+                                      word32* key_n_len, word32* key_e,
+                                      word32* key_e_len)
 {
-    int    length;
+
+    int ret = 0;
+    int length = 0;
+#if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
+    byte b;
+#endif
+
+    if (input == NULL || inOutIdx == NULL)
+        return BAD_FUNC_ARG;
 
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
-    key->type = RSA_PUBLIC;
-
 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
-    {
-    byte b = input[*inOutIdx];
+    if ((*inOutIdx + 1) > inSz)
+        return BUFFER_E;
+
+    b = input[*inOutIdx];
     if (b != ASN_INTEGER) {
         /* not from decoded cert, will have algo id, skip past */
         if (GetSequence(input, inOutIdx, &length, inSz) < 0)
             return ASN_PARSE_E;
-        
-        b = input[(*inOutIdx)++];
-        if (b != ASN_OBJECT_ID) 
-            return ASN_OBJECT_ID_E;
-        
-        if (GetLength(input, inOutIdx, &length, inSz) < 0)
+
+        if (SkipObjectId(input, inOutIdx, inSz) < 0)
             return ASN_PARSE_E;
-        
-        *inOutIdx += length;   /* skip past */
-        
-        /* could have NULL tag and 0 terminator, but may not */
-        b = input[(*inOutIdx)++];
-        
-        if (b == ASN_TAG_NULL) {
-            b = input[(*inOutIdx)++];
-            if (b != 0) 
-                return ASN_EXPECT_0_E;
+
+        /* Option NULL ASN.1 tag */
+        if (*inOutIdx  >= inSz) {
+            return BUFFER_E;
         }
-        else
-        /* go back, didn't have it */
-            (*inOutIdx)--;
-        
+        if (input[*inOutIdx] == ASN_TAG_NULL) {
+            ret = GetASNNull(input, inOutIdx, inSz);
+            if (ret != 0)
+                return ret;
+        }
+
         /* should have bit tag length and seq next */
-        b = input[(*inOutIdx)++];
-        if (b != ASN_BIT_STRING)
-            return ASN_BITSTR_E;
-        
-        if (GetLength(input, inOutIdx, &length, inSz) < 0)
+        ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
+        if (ret != 0)
+            return ret;
+
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
             return ASN_PARSE_E;
-        
-        /* could have 0 */
-        b = input[(*inOutIdx)++];
-        if (b != 0)
-            (*inOutIdx)--;
-        
+    }
+#endif /* OPENSSL_EXTRA */
+
+    /* Get modulus */
+    ret = GetASNInt(input, inOutIdx, &length, inSz);
+    *key_n += *inOutIdx;
+    if (ret < 0) {
+        return ASN_RSA_KEY_E;
+    }
+    if (key_n_len)
+        *key_n_len = length;
+    *inOutIdx += length;
+
+    /* Get exponent */
+    ret = GetASNInt(input, inOutIdx, &length, inSz);
+    *key_e += *inOutIdx;
+    if (ret < 0) {
+        return ASN_RSA_KEY_E;
+    }
+    if (key_e_len)
+        *key_e_len = length;
+
+    return ret;
+}
+#endif /* WOLFSSL_RENESAS_TSIP */
+
+int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz,
+    const byte** n, word32* nSz, const byte** e, word32* eSz)
+{
+    int ret = 0;
+    int length = 0;
+#if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
+    word32 localIdx;
+    byte   tag;
+#endif
+
+    if (input == NULL || inOutIdx == NULL)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+#if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
+    localIdx = *inOutIdx;
+    if (GetASNTag(input, &localIdx, &tag, inSz) < 0)
+        return BUFFER_E;
+
+    if (tag != ASN_INTEGER) {
+        /* not from decoded cert, will have algo id, skip past */
         if (GetSequence(input, inOutIdx, &length, inSz) < 0)
             return ASN_PARSE_E;
-    }  /* end if */
-    }  /* openssl var block */
+
+        if (SkipObjectId(input, inOutIdx, inSz) < 0)
+            return ASN_PARSE_E;
+
+        /* Option NULL ASN.1 tag */
+        if (*inOutIdx  >= inSz) {
+            return BUFFER_E;
+        }
+
+        localIdx = *inOutIdx;
+        if (GetASNTag(input, &localIdx, &tag, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (tag == ASN_TAG_NULL) {
+            ret = GetASNNull(input, inOutIdx, inSz);
+            if (ret != 0)
+                return ret;
+        }
+
+        /* should have bit tag length and seq next */
+        ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
+        if (ret != 0)
+            return ret;
+
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+    }
 #endif /* OPENSSL_EXTRA */
 
-    if (GetInt(&key->n,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->e,  input, inOutIdx, inSz) < 0 )  return ASN_RSA_KEY_E;
+    /* Get modulus */
+    ret = GetASNInt(input, inOutIdx, &length, inSz);
+    if (ret < 0) {
+        return ASN_RSA_KEY_E;
+    }
+    if (nSz)
+        *nSz = length;
+    if (n)
+        *n = &input[*inOutIdx];
+    *inOutIdx += length;
 
-    return 0;
+    /* Get exponent */
+    ret = GetASNInt(input, inOutIdx, &length, inSz);
+    if (ret < 0) {
+        return ASN_RSA_KEY_E;
+    }
+    if (eSz)
+        *eSz = length;
+    if (e)
+        *e = &input[*inOutIdx];
+    *inOutIdx += length;
+
+    return ret;
+}
+
+int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
+                       word32 inSz)
+{
+    int ret;
+    const byte *n = NULL, *e = NULL;
+    word32 nSz = 0, eSz = 0;
+
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    ret = wc_RsaPublicKeyDecode_ex(input, inOutIdx, inSz, &n, &nSz, &e, &eSz);
+    if (ret == 0) {
+        ret = wc_RsaPublicKeyDecodeRaw(n, nSz, e, eSz, key);
+    }
+
+    return ret;
 }
 
 /* import RSA public key elements (n, e) into RsaKey structure (key) */
@@ -1288,6 +4352,12 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
         mp_clear(&key->n);
         return ASN_GETINT_E;
     }
+#ifdef HAVE_WOLF_BIGINT
+    if ((int)nSz > 0 && wc_bigint_from_unsigned_bin(&key->n.raw, n, nSz) != 0) {
+        mp_clear(&key->n);
+        return ASN_GETINT_E;
+    }
+#endif /* HAVE_WOLF_BIGINT */
 
     if (mp_init(&key->e) != MP_OKAY) {
         mp_clear(&key->n);
@@ -1299,76 +4369,143 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
         mp_clear(&key->e);
         return ASN_GETINT_E;
     }
+#ifdef HAVE_WOLF_BIGINT
+    if ((int)eSz > 0 && wc_bigint_from_unsigned_bin(&key->e.raw, e, eSz) != 0) {
+        mp_clear(&key->n);
+        mp_clear(&key->e);
+        return ASN_GETINT_E;
+    }
+#endif /* HAVE_WOLF_BIGINT */
+
+#ifdef WOLFSSL_XILINX_CRYPT
+    if (wc_InitRsaHw(key) != 0) {
+        return BAD_STATE_E;
+    }
+#endif
 
     return 0;
 }
-
-#endif
+#endif /* HAVE_USER_RSA */
+#endif /* !NO_RSA */
 
 #ifndef NO_DH
 
 int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz)
 {
-    int    length;
+    int ret = 0;
+    int length;
+    #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+    word32 oid = 0, temp = 0;
+    #endif
+
+    WOLFSSL_ENTER("wc_DhKeyDecode");
+
+    if (inOutIdx == NULL)
+        return BAD_FUNC_ARG;
 
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
+    #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+    temp = *inOutIdx;
+    #endif
+
+    /* Assume input started after 1.2.840.113549.1.3.1 dhKeyAgreement */
     if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->g,  input, inOutIdx, inSz) < 0 )  return ASN_DH_KEY_E;
+        GetInt(&key->g,  input, inOutIdx, inSz) < 0) {
+        ret = ASN_DH_KEY_E;
+    }
 
-    return 0;
+    #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+    /* If ASN_DH_KEY_E: Check if input started at beginning of key */
+    if (ret == ASN_DH_KEY_E) {
+        /* rewind back to after the first sequence */
+        *inOutIdx = temp;
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        /* Check for dhKeyAgreement */
+        ret = GetObjectId(input, inOutIdx, &oid, oidKeyType, inSz);
+        if (oid != DHk || ret < 0)
+            return ASN_DH_KEY_E;
+
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->g,  input, inOutIdx, inSz) < 0) {
+            return ASN_DH_KEY_E;
+        }
+    }
+
+    temp = *inOutIdx;
+    ret = (CheckBitString(input, inOutIdx, &length, inSz, 0, NULL) == 0);
+    if (ret > 0) {
+        /* Found Bit String */
+        if (GetInt(&key->pub, input, inOutIdx, inSz) == 0) {
+            WOLFSSL_MSG("Found Public Key");
+            ret = 0;
+        }
+    } else {
+        *inOutIdx = temp;
+        ret = (GetOctetString(input, inOutIdx, &length, inSz) >= 0);
+        if (ret > 0) {
+            /* Found Octet String */
+            if (GetInt(&key->priv, input, inOutIdx, inSz) == 0) {
+                WOLFSSL_MSG("Found Private Key");
+                ret = 0;
+            }
+        } else {
+            /* Don't use length from failed CheckBitString/GetOctetString */
+            *inOutIdx = temp;
+            ret = 0;
+        }
+    }
+    #endif /* WOLFSSL_QT || OPENSSL_ALL */
+
+    WOLFSSL_MSG("wc_DhKeyDecode Success");
+
+    return ret;
 }
 
 
 int wc_DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
                  byte* g, word32* gInOutSz)
 {
-    word32 i = 0;
-    byte   b;
+    word32 idx = 0;
+    int    ret;
     int    length;
 
-    if (GetSequence(input, &i, &length, inSz) < 0)
-        return ASN_PARSE_E;
-
-    b = input[i++];
-    if (b != ASN_INTEGER)
-        return ASN_PARSE_E;
-
-    if (GetLength(input, &i, &length, inSz) < 0)
+    if (GetSequence(input, &idx, &length, inSz) <= 0)
         return ASN_PARSE_E;
 
-    if ( (b = input[i++]) == 0x00)
-        length--;
-    else
-        i--;
+    ret = GetASNInt(input, &idx, &length, inSz);
+    if (ret != 0)
+        return ret;
 
     if (length <= (int)*pInOutSz) {
-        XMEMCPY(p, &input[i], length);
+        XMEMCPY(p, &input[idx], length);
         *pInOutSz = length;
     }
-    else
+    else {
         return BUFFER_E;
+    }
+    idx += length;
 
-    i += length;
-
-    b = input[i++];
-    if (b != ASN_INTEGER)
-        return ASN_PARSE_E;
-
-    if (GetLength(input, &i, &length, inSz) < 0)
-        return ASN_PARSE_E;
+    ret = GetASNInt(input, &idx, &length, inSz);
+    if (ret != 0)
+        return ret;
 
     if (length <= (int)*gInOutSz) {
-        XMEMCPY(g, &input[i], length);
+        XMEMCPY(g, &input[idx], length);
         *gInOutSz = length;
     }
-    else
+    else {
         return BUFFER_E;
+    }
 
     return 0;
 }
-
 #endif /* NO_DH */
 
 
@@ -1378,6 +4515,11 @@ int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
                         word32 inSz)
 {
     int    length;
+    int    ret = 0;
+    word32 oid;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL)
+        return BAD_FUNC_ARG;
 
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
@@ -1385,148 +4527,431 @@ int DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
         GetInt(&key->q,  input, inOutIdx, inSz) < 0 ||
         GetInt(&key->g,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->y,  input, inOutIdx, inSz) < 0 )  return ASN_DH_KEY_E;
+        GetInt(&key->y,  input, inOutIdx, inSz) < 0 )
+        ret = ASN_DH_KEY_E;
+
+    if (ret != 0) {
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        ret = GetObjectId(input, inOutIdx, &oid, oidIgnoreType, inSz);
+        if (ret != 0)
+            return ret;
+
+        if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->q,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->g,  input, inOutIdx, inSz) < 0)
+            return ASN_DH_KEY_E;
+
+        if (CheckBitString(input, inOutIdx, &length, inSz, 0, NULL) < 0)
+            return ASN_PARSE_E;
+
+        if (GetInt(&key->y,  input, inOutIdx, inSz) < 0 )
+            return ASN_DH_KEY_E;
+
+        ret = 0;
+    }
 
     key->type = DSA_PUBLIC;
-    return 0;
+    return ret;
 }
 
 
 int DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
                         word32 inSz)
 {
-    int    length, version;
+    int    length, version, ret = 0, temp = 0;
+
+    /* Sanity checks on input */
+    if (input == NULL || inOutIdx == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
-    if (GetMyVersion(input, inOutIdx, &version) < 0)
-        return ASN_PARSE_E;
+    temp = (int)*inOutIdx;
 
-    if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->q,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->g,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->y,  input, inOutIdx, inSz) < 0 ||
-        GetInt(&key->x,  input, inOutIdx, inSz) < 0 )  return ASN_DH_KEY_E;
+    /* Default case expects a certificate with OctetString but no version ID */
+    ret = GetInt(&key->p, input, inOutIdx, inSz);
+    if (ret < 0) {
+        mp_clear(&key->p);
+        ret = ASN_PARSE_E;
+    }
+    else {
+        ret = GetInt(&key->q, input, inOutIdx, inSz);
+        if (ret < 0) {
+            mp_clear(&key->p);
+            mp_clear(&key->q);
+            ret = ASN_PARSE_E;
+        }
+        else {
+            ret = GetInt(&key->g, input, inOutIdx, inSz);
+            if (ret < 0) {
+                mp_clear(&key->p);
+                mp_clear(&key->q);
+                mp_clear(&key->g);
+                ret = ASN_PARSE_E;
+            }
+            else {
+                ret = GetOctetString(input, inOutIdx, &length, inSz);
+                if (ret < 0) {
+                    mp_clear(&key->p);
+                    mp_clear(&key->q);
+                    mp_clear(&key->g);
+                    ret = ASN_PARSE_E;
+                }
+                else {
+                    ret = GetInt(&key->y, input, inOutIdx, inSz);
+                    if (ret < 0) {
+                        mp_clear(&key->p);
+                        mp_clear(&key->q);
+                        mp_clear(&key->g);
+                        mp_clear(&key->y);
+                        ret = ASN_PARSE_E;
+                    }
+                }
+            }
+        }
+    }
+    /* An alternate pass if default certificate fails parsing */
+    if (ret == ASN_PARSE_E) {
+        *inOutIdx = temp;
+        if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (GetInt(&key->p,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->q,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->g,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->y,  input, inOutIdx, inSz) < 0 ||
+            GetInt(&key->x,  input, inOutIdx, inSz) < 0 )
+            return ASN_DH_KEY_E;
+    }
 
     key->type = DSA_PRIVATE;
     return 0;
 }
 
-#endif /* NO_DSA */
+static mp_int* GetDsaInt(DsaKey* key, int idx)
+{
+    if (idx == 0)
+        return &key->p;
+    if (idx == 1)
+        return &key->q;
+    if (idx == 2)
+        return &key->g;
+    if (idx == 3)
+        return &key->y;
+    if (idx == 4)
+        return &key->x;
+
+    return NULL;
+}
+
+/* Release Tmp DSA resources */
+static WC_INLINE void FreeTmpDsas(byte** tmps, void* heap)
+{
+    int i;
+
+    for (i = 0; i < DSA_INTS; i++)
+        XFREE(tmps[i], heap, DYNAMIC_TYPE_DSA);
 
+    (void)heap;
+}
 
-void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
+#if !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)
+/* Write a public DSA key to output */
+int wc_SetDsaPublicKey(byte* output, DsaKey* key,
+                           int outLen, int with_header)
 {
-    cert->publicKey       = 0;
-    cert->pubKeySize      = 0;
-    cert->pubKeyStored    = 0;
-    cert->version         = 0;
-    cert->signature       = 0;
-    cert->subjectCN       = 0;
-    cert->subjectCNLen    = 0;
-    cert->subjectCNEnc    = CTC_UTF8;
-    cert->subjectCNStored = 0;
-    cert->weOwnAltNames   = 0;
-    cert->altNames        = NULL;
-#ifndef IGNORE_NAME_CONSTRAINTS
-    cert->altEmailNames   = NULL;
-    cert->permittedNames  = NULL;
-    cert->excludedNames   = NULL;
-#endif /* IGNORE_NAME_CONSTRAINTS */
-    cert->issuer[0]       = '\0';
-    cert->subject[0]      = '\0';
-    cert->source          = source;  /* don't own */
-    cert->srcIdx          = 0;
-    cert->maxIdx          = inSz;    /* can't go over this index */
-    cert->heap            = heap;
-    XMEMSET(cert->serial, 0, EXTERNAL_SERIAL_SIZE);
-    cert->serialSz        = 0;
-    cert->extensions      = 0;
-    cert->extensionsSz    = 0;
-    cert->extensionsIdx   = 0;
-    cert->extAuthInfo     = NULL;
-    cert->extAuthInfoSz   = 0;
-    cert->extCrlInfo      = NULL;
-    cert->extCrlInfoSz    = 0;
-    XMEMSET(cert->extSubjKeyId, 0, KEYID_SIZE);
-    cert->extSubjKeyIdSet = 0;
-    XMEMSET(cert->extAuthKeyId, 0, KEYID_SIZE);
-    cert->extAuthKeyIdSet = 0;
-    cert->extKeyUsageSet  = 0;
-    cert->extKeyUsage     = 0;
-    cert->extExtKeyUsageSet = 0;
-    cert->extExtKeyUsage    = 0;
-    cert->isCA            = 0;
-#ifdef HAVE_PKCS7
-    cert->issuerRaw       = NULL;
-    cert->issuerRawLen    = 0;
+    /* p, g, q = DSA params, y = public exponent */
+#ifdef WOLFSSL_SMALL_STACK
+    byte* p = NULL;
+    byte* g = NULL;
+    byte* q = NULL;
+    byte* y = NULL;
+#else
+    byte p[MAX_DSA_INT_SZ];
+    byte g[MAX_DSA_INT_SZ];
+    byte q[MAX_DSA_INT_SZ];
+    byte y[MAX_DSA_INT_SZ];
 #endif
-#ifdef WOLFSSL_CERT_GEN
-    cert->subjectSN       = 0;
-    cert->subjectSNLen    = 0;
-    cert->subjectSNEnc    = CTC_UTF8;
-    cert->subjectC        = 0;
-    cert->subjectCLen     = 0;
-    cert->subjectCEnc     = CTC_PRINTABLE;
-    cert->subjectL        = 0;
-    cert->subjectLLen     = 0;
-    cert->subjectLEnc     = CTC_UTF8;
-    cert->subjectST       = 0;
-    cert->subjectSTLen    = 0;
-    cert->subjectSTEnc    = CTC_UTF8;
-    cert->subjectO        = 0;
-    cert->subjectOLen     = 0;
-    cert->subjectOEnc     = CTC_UTF8;
-    cert->subjectOU       = 0;
-    cert->subjectOULen    = 0;
-    cert->subjectOUEnc    = CTC_UTF8;
-    cert->subjectEmail    = 0;
-    cert->subjectEmailLen = 0;
-#endif /* WOLFSSL_CERT_GEN */
-    cert->beforeDate      = NULL;
-    cert->beforeDateLen   = 0;
-    cert->afterDate       = NULL;
-    cert->afterDateLen    = 0;
-#ifdef OPENSSL_EXTRA
-    XMEMSET(&cert->issuerName, 0, sizeof(DecodedName));
-    XMEMSET(&cert->subjectName, 0, sizeof(DecodedName));
-    cert->extBasicConstSet = 0;
-    cert->extBasicConstCrit = 0;
-    cert->extBasicConstPlSet = 0;
-    cert->pathLength = 0;
-    cert->extSubjAltNameSet = 0;
-    cert->extSubjAltNameCrit = 0;
-    cert->extAuthKeyIdCrit = 0;
-    cert->extSubjKeyIdCrit = 0;
-    cert->extKeyUsageCrit = 0;
-    cert->extExtKeyUsageCrit = 0;
-    cert->extExtKeyUsageSrc = NULL;
-    cert->extExtKeyUsageSz = 0;
-    cert->extExtKeyUsageCount = 0;
-    cert->extAuthKeyIdSrc = NULL;
-    cert->extAuthKeyIdSz = 0;
-    cert->extSubjKeyIdSrc = NULL;
-    cert->extSubjKeyIdSz = 0;
-#endif /* OPENSSL_EXTRA */
-#if defined(OPENSSL_EXTRA) || !defined(IGNORE_NAME_CONSTRAINTS)
-    cert->extNameConstraintSet = 0;
-#endif /* OPENSSL_EXTRA || !IGNORE_NAME_CONSTRAINTS */
-#ifdef HAVE_ECC
-    cert->pkCurveOID = 0;
-#endif /* HAVE_ECC */
-#ifdef WOLFSSL_SEP
-    cert->deviceTypeSz = 0;
-    cert->deviceType = NULL;
-    cert->hwTypeSz = 0;
-    cert->hwType = NULL;
-    cert->hwSerialNumSz = 0;
-    cert->hwSerialNum = NULL;
-    #ifdef OPENSSL_EXTRA
-        cert->extCertPolicySet = 0;
-        cert->extCertPolicyCrit = 0;
-    #endif /* OPENSSL_EXTRA */
-#endif /* WOLFSSL_SEP */
+    byte innerSeq[MAX_SEQ_SZ];
+    byte outerSeq[MAX_SEQ_SZ];
+    byte bitString[1 + MAX_LENGTH_SZ + 1];
+    int  idx, pSz, gSz, qSz, ySz, innerSeqSz, outerSeqSz, bitStringSz = 0;
+
+    WOLFSSL_ENTER("wc_SetDsaPublicKey");
+
+    if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* p */
+#ifdef WOLFSSL_SMALL_STACK
+    p = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (p == NULL)
+        return MEMORY_E;
+#endif
+    if ((pSz = SetASNIntMP(&key->p, MAX_DSA_INT_SZ, p)) < 0) {
+        WOLFSSL_MSG("SetASNIntMP Error with p");
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return pSz;
+    }
+
+    /* q */
+#ifdef WOLFSSL_SMALL_STACK
+    q = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (q == NULL)
+        return MEMORY_E;
+#endif
+    if ((qSz = SetASNIntMP(&key->q, MAX_DSA_INT_SZ, q)) < 0) {
+        WOLFSSL_MSG("SetASNIntMP Error with q");
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return qSz;
+    }
+
+    /* g */
+#ifdef WOLFSSL_SMALL_STACK
+    g = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (g == NULL)
+        return MEMORY_E;
+#endif
+    if ((gSz = SetASNIntMP(&key->g, MAX_DSA_INT_SZ, g)) < 0) {
+        WOLFSSL_MSG("SetASNIntMP Error with g");
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return gSz;
+    }
+
+    /* y */
+#ifdef WOLFSSL_SMALL_STACK
+    y = (byte*)XMALLOC(MAX_DSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (y == NULL)
+        return MEMORY_E;
+#endif
+    if ((ySz = SetASNIntMP(&key->y, MAX_DSA_INT_SZ, y)) < 0) {
+        WOLFSSL_MSG("SetASNIntMP Error with y");
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(p, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(q, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(g, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(y, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return ySz;
+    }
+
+    innerSeqSz  = SetSequence(pSz + qSz + gSz, innerSeq);
+
+    /* check output size */
+    if ((innerSeqSz + pSz + qSz + gSz) > outLen) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        WOLFSSL_MSG("Error, output size smaller than outlen");
+        return BUFFER_E;
+    }
+
+    if (with_header) {
+        int algoSz;
+#ifdef WOLFSSL_SMALL_STACK
+        byte* algo = NULL;
+
+        algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (algo == NULL) {
+            XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
+#else
+        byte algo[MAX_ALGO_SZ];
+#endif
+        algoSz = SetAlgoID(DSAk, algo, oidKeyType, 0);
+        bitStringSz  = SetBitString(ySz, 0, bitString);
+        outerSeqSz = SetSequence(algoSz + innerSeqSz + pSz + qSz + gSz,
+                                                                      outerSeq);
+
+        idx = SetSequence(algoSz + innerSeqSz + pSz + qSz + gSz + bitStringSz +
+                                                      ySz + outerSeqSz, output);
+
+        /* check output size */
+        if ((idx + algoSz + bitStringSz + innerSeqSz + pSz + qSz + gSz + ySz) >
+                                                                       outLen) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+            WOLFSSL_MSG("Error, output size smaller than outlen");
+            return BUFFER_E;
+        }
+
+        /* outerSeq */
+        XMEMCPY(output + idx, outerSeq, outerSeqSz);
+        idx += outerSeqSz;
+        /* algo */
+        XMEMCPY(output + idx, algo, algoSz);
+        idx += algoSz;
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    } else {
+        idx = 0;
+    }
+
+    /* innerSeq */
+    XMEMCPY(output + idx, innerSeq, innerSeqSz);
+    idx += innerSeqSz;
+    /* p */
+    XMEMCPY(output + idx, p, pSz);
+    idx += pSz;
+    /* q */
+    XMEMCPY(output + idx, q, qSz);
+    idx += qSz;
+    /* g */
+    XMEMCPY(output + idx, g, gSz);
+    idx += gSz;
+    /* bit string */
+    XMEMCPY(output + idx, bitString, bitStringSz);
+    idx += bitStringSz;
+    /* y */
+    XMEMCPY(output + idx, y, ySz);
+    idx += ySz;
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(p,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(q,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(g,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(y,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    return idx;
+}
+
+/* Convert DSA Public key to DER format, write to output (inLen), return bytes
+   written */
+int wc_DsaKeyToPublicDer(DsaKey* key, byte* output, word32 inLen)
+{
+    return wc_SetDsaPublicKey(output, key, inLen, 1);
+}
+#endif /* !HAVE_SELFTEST && WOLFSSL_KEY_GEN */
+
+/* Convert private DsaKey key to DER format, write to output (inLen),
+   return bytes written */
+int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
+{
+    word32 seqSz, verSz, rawLen, intTotalLen = 0;
+    word32 sizes[DSA_INTS];
+    int    i, j, outLen, ret = 0, mpSz;
+
+    byte  seq[MAX_SEQ_SZ];
+    byte  ver[MAX_VERSION_SZ];
+    byte* tmps[DSA_INTS];
+
+    if (!key || !output)
+        return BAD_FUNC_ARG;
+
+    if (key->type != DSA_PRIVATE)
+        return BAD_FUNC_ARG;
+
+    for (i = 0; i < DSA_INTS; i++)
+        tmps[i] = NULL;
+
+    /* write all big ints from key to DER tmps */
+    for (i = 0; i < DSA_INTS; i++) {
+        mp_int* keyInt = GetDsaInt(key, i);
+
+        rawLen = mp_unsigned_bin_size(keyInt) + 1;
+        tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
+                                                              DYNAMIC_TYPE_DSA);
+        if (tmps[i] == NULL) {
+            ret = MEMORY_E;
+            break;
+        }
+
+        mpSz = SetASNIntMP(keyInt, -1, tmps[i]);
+        if (mpSz < 0) {
+            ret = mpSz;
+            break;
+        }
+        intTotalLen += (sizes[i] = mpSz);
+    }
+
+    if (ret != 0) {
+        FreeTmpDsas(tmps, key->heap);
+        return ret;
+    }
+
+    /* make headers */
+    verSz = SetMyVersion(0, ver, FALSE);
+    seqSz = SetSequence(verSz + intTotalLen, seq);
+
+    outLen = seqSz + verSz + intTotalLen;
+    if (outLen > (int)inLen) {
+        FreeTmpDsas(tmps, key->heap);
+        return BAD_FUNC_ARG;
+    }
+
+    /* write to output */
+    XMEMCPY(output, seq, seqSz);
+    j = seqSz;
+    XMEMCPY(output + j, ver, verSz);
+    j += verSz;
+
+    for (i = 0; i < DSA_INTS; i++) {
+        XMEMCPY(output + j, tmps[i], sizes[i]);
+        j += sizes[i];
+    }
+    FreeTmpDsas(tmps, key->heap);
+
+    return outLen;
+}
+
+#endif /* NO_DSA */
+
+void InitDecodedCert(DecodedCert* cert,
+                     const byte* source, word32 inSz, void* heap)
+{
+    if (cert != NULL) {
+        XMEMSET(cert, 0, sizeof(DecodedCert));
+
+        cert->subjectCNEnc    = CTC_UTF8;
+        cert->issuer[0]       = '\0';
+        cert->subject[0]      = '\0';
+        cert->source          = source;  /* don't own */
+        cert->maxIdx          = inSz;    /* can't go over this index */
+        cert->heap            = heap;
+        cert->maxPathLen      = WOLFSSL_MAX_PATH_LEN;
+    #ifdef WOLFSSL_CERT_GEN
+        cert->subjectSNEnc    = CTC_UTF8;
+        cert->subjectCEnc     = CTC_PRINTABLE;
+        cert->subjectLEnc     = CTC_UTF8;
+        cert->subjectSTEnc    = CTC_UTF8;
+        cert->subjectOEnc     = CTC_UTF8;
+        cert->subjectOUEnc    = CTC_UTF8;
+    #endif /* WOLFSSL_CERT_GEN */
+
+    #ifndef NO_CERTS
+        InitSignatureCtx(&cert->sigCtx, heap, INVALID_DEVID);
+    #endif
+    }
 }
 
 
@@ -1562,10 +4987,12 @@ void FreeNameSubtrees(Base_entry* names, void* heap)
 
 void FreeDecodedCert(DecodedCert* cert)
 {
+    if (cert == NULL)
+        return;
     if (cert->subjectCNStored == 1)
         XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
     if (cert->pubKeyStored == 1)
-        XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+        XFREE((void*)cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
     if (cert->weOwnAltNames && cert->altNames)
         FreeAltNames(cert->altNames, cert->heap);
 #ifndef IGNORE_NAME_CONSTRAINTS
@@ -1577,126 +5004,92 @@ void FreeDecodedCert(DecodedCert* cert)
         FreeNameSubtrees(cert->excludedNames, cert->heap);
 #endif /* IGNORE_NAME_CONSTRAINTS */
 #ifdef WOLFSSL_SEP
-    XFREE(cert->deviceType, cert->heap, 0);
-    XFREE(cert->hwType, cert->heap, 0);
-    XFREE(cert->hwSerialNum, cert->heap, 0);
+    XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT);
+    XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT);
+    XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT);
 #endif /* WOLFSSL_SEP */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     if (cert->issuerName.fullName != NULL)
-        XFREE(cert->issuerName.fullName, NULL, DYNAMIC_TYPE_X509);
+        XFREE(cert->issuerName.fullName, cert->heap, DYNAMIC_TYPE_X509);
     if (cert->subjectName.fullName != NULL)
-        XFREE(cert->subjectName.fullName, NULL, DYNAMIC_TYPE_X509);
+        XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
 #endif /* OPENSSL_EXTRA */
+#ifdef WOLFSSL_RENESAS_TSIP_TLS
+    if (cert->tsip_encRsaKeyIdx != NULL)
+        XFREE(cert->tsip_encRsaKeyIdx, cert->heap, DYNAMIC_TYPE_RSA);
+#endif
+#ifndef NO_CERTS
+    FreeSignatureCtx(&cert->sigCtx);
+#endif
 }
 
-
 static int GetCertHeader(DecodedCert* cert)
 {
     int ret = 0, len;
-    byte serialTmp[EXTERNAL_SERIAL_SIZE];
-#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
-    mp_int* mpi = NULL;
-#else
-    mp_int stack_mpi;
-    mp_int* mpi = &stack_mpi;
-#endif
 
     if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
         return ASN_PARSE_E;
 
+    /* Reset the max index for the size indicated in the outer wrapper. */
+    cert->maxIdx = len + cert->srcIdx;
     cert->certBegin = cert->srcIdx;
 
     if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
         return ASN_PARSE_E;
-    cert->sigIndex = len + cert->srcIdx;
 
-    if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version) < 0)
+    cert->sigIndex = len + cert->srcIdx;
+    if (cert->sigIndex > cert->maxIdx)
         return ASN_PARSE_E;
 
-#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
-    mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (mpi == NULL)
-        return MEMORY_E;
-#endif
-
-    if (GetInt(mpi, cert->source, &cert->srcIdx, cert->maxIdx) < 0) {
-#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
-        XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version,
+                                                            cert->sigIndex) < 0)
         return ASN_PARSE_E;
-    }
 
-    len = mp_unsigned_bin_size(mpi);
-    if (len < (int)sizeof(serialTmp)) {
-        if ( (ret = mp_to_unsigned_bin(mpi, serialTmp)) == MP_OKAY) {
-            XMEMCPY(cert->serial, serialTmp, len);
-            cert->serialSz = len;
-        }
-    }
-    mp_clear(mpi);
-
-#if defined(WOLFSSL_SMALL_STACK) && defined(USE_FAST_MATH)
-    XFREE(mpi, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    if (GetSerialNumber(cert->source, &cert->srcIdx, cert->serial,
+                                           &cert->serialSz, cert->sigIndex) < 0)
+        return ASN_PARSE_E;
 
     return ret;
 }
 
 #if !defined(NO_RSA)
 /* Store Rsa Key, may save later, Dsa could use in future */
-static int StoreRsaKey(DecodedCert* cert)
+static int StoreRsaKey(DecodedCert* cert, word32 bitStringEnd)
 {
     int    length;
     word32 recvd = cert->srcIdx;
 
-    if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
+    if (GetSequence(cert->source, &cert->srcIdx, &length, bitStringEnd) < 0)
         return ASN_PARSE_E;
-   
+
     recvd = cert->srcIdx - recvd;
     length += recvd;
 
     while (recvd--)
        cert->srcIdx--;
-
+#if defined(WOLFSSL_RENESAS_TSIP)
+    cert->sigCtx.pubkey_n_start = cert->sigCtx.pubkey_e_start = cert->srcIdx;
+#endif
     cert->pubKeySize = length;
     cert->publicKey = cert->source + cert->srcIdx;
     cert->srcIdx += length;
 
     return 0;
 }
-#endif
-
+#endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
 
-    /* return 0 on sucess if the ECC curve oid sum is supported */
+    /* return 0 on success if the ECC curve oid sum is supported */
     static int CheckCurve(word32 oid)
     {
         int ret = 0;
+        word32 oidSz = 0;
 
-        switch (oid) {
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
-            case ECC_160R1:
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
-            case ECC_192R1:
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
-            case ECC_224R1:
-#endif
-#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
-            case ECC_256R1:
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
-            case ECC_384R1:
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
-            case ECC_521R1:
-#endif
-                break;
-
-            default:
-                ret = ALGO_ID_E;
+        ret = wc_ecc_get_oid(oid, NULL, &oidSz);
+        if (ret < 0 || oidSz == 0) {
+            WOLFSSL_MSG("CheckCurve not found");
+            ret = ALGO_ID_E;
         }
 
         return ret;
@@ -1704,35 +5097,46 @@ static int StoreRsaKey(DecodedCert* cert)
 
 #endif /* HAVE_ECC */
 
-
 static int GetKey(DecodedCert* cert)
 {
     int length;
-#ifdef HAVE_NTRU
+#if !defined(NO_DSA) && defined(WOLFSSL_QT)
+    int tmpLen;
+#endif
+#if defined(HAVE_ECC) || defined(HAVE_NTRU)
     int tmpIdx = cert->srcIdx;
 #endif
 
     if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
         return ASN_PARSE_E;
-   
-    if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0)
+
+#if !defined(NO_DSA) && defined(WOLFSSL_QT)
+    tmpLen = length + 4;
+#endif
+
+    if (GetAlgoId(cert->source, &cert->srcIdx,
+                  &cert->keyOID, oidKeyType, cert->maxIdx) < 0)
         return ASN_PARSE_E;
 
     switch (cert->keyOID) {
    #ifndef NO_RSA
         case RSAk:
         {
-            byte b = cert->source[cert->srcIdx++];
-            if (b != ASN_BIT_STRING)
-                return ASN_BITSTR_E;
+            int ret;
 
-            if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
-                return ASN_PARSE_E;
-            b = cert->source[cert->srcIdx++];
-            if (b != 0x00)
-                return ASN_EXPECT_0_E;
-    
-            return StoreRsaKey(cert);
+            ret = CheckBitString(cert->source, &cert->srcIdx, &length,
+                                 cert->maxIdx, 1, NULL);
+            if (ret != 0)
+                return ret;
+
+            #ifdef HAVE_OCSP
+                ret = CalcHashId(cert->source + cert->srcIdx, length,
+                        cert->subjectKeyHash);
+                if (ret != 0)
+                    return ret;
+            #endif
+
+            return StoreRsaKey(cert, cert->srcIdx + length);
         }
 
     #endif /* NO_RSA */
@@ -1744,6 +5148,7 @@ static int GetKey(DecodedCert* cert)
             word16      keyLen;
             word32      rc;
             word32      remaining = cert->maxIdx - cert->srcIdx;
+            byte*       publicKey;
 #ifdef WOLFSSL_SMALL_STACK
             byte*       keyBlob = NULL;
 #else
@@ -1757,8 +5162,8 @@ static int GetKey(DecodedCert* cert)
                 return ASN_NTRU_KEY_E;
 
 #ifdef WOLFSSL_SMALL_STACK
-            keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
+            keyBlob = (byte*)XMALLOC(MAX_NTRU_KEY_SZ, cert->heap,
+                                     DYNAMIC_TYPE_TMP_BUFFER);
             if (keyBlob == NULL)
                 return MEMORY_E;
 #endif
@@ -1767,34 +5172,35 @@ static int GetKey(DecodedCert* cert)
                                 &keyLen, keyBlob, &next, &remaining);
             if (rc != NTRU_OK) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
                 return ASN_NTRU_KEY_E;
             }
 
             if ( (next - key) < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
                 return ASN_NTRU_KEY_E;
             }
 
             cert->srcIdx = tmpIdx + (int)(next - key);
 
-            cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap,
-                                              DYNAMIC_TYPE_PUBLIC_KEY);
-            if (cert->publicKey == NULL) {
+            publicKey = (byte*)XMALLOC(keyLen, cert->heap,
+                                       DYNAMIC_TYPE_PUBLIC_KEY);
+            if (publicKey == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
                 return MEMORY_E;
             }
-            XMEMCPY(cert->publicKey, keyBlob, keyLen);
+            XMEMCPY(publicKey, keyBlob, keyLen);
+            cert->publicKey = publicKey;
             cert->pubKeyStored = 1;
             cert->pubKeySize   = keyLen;
 
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(keyBlob, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
             return 0;
@@ -1803,40 +5209,78 @@ static int GetKey(DecodedCert* cert)
     #ifdef HAVE_ECC
         case ECDSAk:
         {
-            int    oidSz = 0;
-            byte   b = cert->source[cert->srcIdx++];
-        
-            if (b != ASN_OBJECT_ID) 
-                return ASN_OBJECT_ID_E;
-
-            if (GetLength(cert->source,&cert->srcIdx,&oidSz,cert->maxIdx) < 0)
+            int ret;
+            byte seq[5];
+            int pubLen = length + 1 + SetLength(length, seq);
+            word32 localIdx;
+            byte* publicKey;
+            byte  tag;
+
+            localIdx = cert->srcIdx;
+            if (GetASNTag(cert->source, &localIdx, &tag, cert->maxIdx) < 0)
                 return ASN_PARSE_E;
 
-            while(oidSz--)
-                cert->pkCurveOID += cert->source[cert->srcIdx++];
+            if (tag != (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
+                if (GetObjectId(cert->source, &cert->srcIdx,
+                            &cert->pkCurveOID, oidCurveType, cert->maxIdx) < 0)
+                    return ASN_PARSE_E;
 
-            if (CheckCurve(cert->pkCurveOID) < 0)
-                return ECC_CURVE_OID_E;
+                if (CheckCurve(cert->pkCurveOID) < 0)
+                    return ECC_CURVE_OID_E;
+
+                /* key header */
+                ret = CheckBitString(cert->source, &cert->srcIdx, &length,
+                                                         cert->maxIdx, 1, NULL);
+                if (ret != 0)
+                    return ret;
+            #ifdef HAVE_OCSP
+                ret = CalcHashId(cert->source + cert->srcIdx, length,
+                        cert->subjectKeyHash);
+                if (ret != 0)
+                    return ret;
+            #endif
+            }
 
-            /* key header */
-            b = cert->source[cert->srcIdx++];
-            if (b != ASN_BIT_STRING)
-                return ASN_BITSTR_E;
+            publicKey = (byte*)XMALLOC(pubLen, cert->heap,
+                                       DYNAMIC_TYPE_PUBLIC_KEY);
+            if (publicKey == NULL)
+                return MEMORY_E;
+            XMEMCPY(publicKey, &cert->source[tmpIdx], pubLen);
+            cert->publicKey = publicKey;
+            cert->pubKeyStored = 1;
+            cert->pubKeySize   = pubLen;
 
-            if (GetLength(cert->source,&cert->srcIdx,&length,cert->maxIdx) < 0)
-                return ASN_PARSE_E;
-            b = cert->source[cert->srcIdx++];
-            if (b != 0x00)
-                return ASN_EXPECT_0_E;
+            cert->srcIdx = tmpIdx + pubLen;
 
-            /* actual key, use length - 1 since ate preceding 0 */
-            length -= 1;
+            return 0;
+        }
+    #endif /* HAVE_ECC */
+    #ifdef HAVE_ED25519
+        case ED25519k:
+        {
+            byte* publicKey;
+            int ret;
+
+            cert->pkCurveOID = ED25519k;
 
-            cert->publicKey = (byte*) XMALLOC(length, cert->heap,
-                                              DYNAMIC_TYPE_PUBLIC_KEY);
-            if (cert->publicKey == NULL)
+            ret = CheckBitString(cert->source, &cert->srcIdx, &length,
+                                 cert->maxIdx, 1, NULL);
+            if (ret != 0)
+                return ret;
+
+            #ifdef HAVE_OCSP
+                ret = CalcHashId(cert->source + cert->srcIdx, length,
+                        cert->subjectKeyHash);
+                if (ret != 0)
+                    return ret;
+            #endif
+
+            publicKey = (byte*) XMALLOC(length, cert->heap,
+                                        DYNAMIC_TYPE_PUBLIC_KEY);
+            if (publicKey == NULL)
                 return MEMORY_E;
-            XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
+            XMEMCPY(publicKey, &cert->source[cert->srcIdx], length);
+            cert->publicKey = publicKey;
             cert->pubKeyStored = 1;
             cert->pubKeySize   = length;
 
@@ -1844,25 +5288,238 @@ static int GetKey(DecodedCert* cert)
 
             return 0;
         }
-    #endif /* HAVE_ECC */
+    #endif /* HAVE_ED25519 */
+    #ifdef HAVE_ED448
+        case ED448k:
+        {
+            byte* publicKey;
+            int ret;
+
+            cert->pkCurveOID = ED448k;
+
+            ret = CheckBitString(cert->source, &cert->srcIdx, &length,
+                                 cert->maxIdx, 1, NULL);
+            if (ret != 0)
+                return ret;
+
+            #ifdef HAVE_OCSP
+                ret = CalcHashId(cert->source + cert->srcIdx, length,
+                                 cert->subjectKeyHash);
+                if (ret != 0)
+                    return ret;
+            #endif
+
+            publicKey = (byte*) XMALLOC(length, cert->heap,
+                                        DYNAMIC_TYPE_PUBLIC_KEY);
+            if (publicKey == NULL)
+                return MEMORY_E;
+            XMEMCPY(publicKey, &cert->source[cert->srcIdx], length);
+            cert->publicKey = publicKey;
+            cert->pubKeyStored = 1;
+            cert->pubKeySize   = length;
+
+            cert->srcIdx += length;
+
+            return 0;
+        }
+    #endif /* HAVE_ED448 */
+    #if !defined(NO_DSA) && defined(WOLFSSL_QT)
+        case DSAk:
+        {
+            int ret;
+            ret = GetSequence(cert->source, &cert->srcIdx, &length,
+                           cert->maxIdx);
+            if (ret < 0)
+                return ret;
+
+            ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx);
+            if (ret != 0)
+                return ret;
+            ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx);
+            if (ret != 0)
+                return ret;
+            ret = SkipInt(cert->source, &cert->srcIdx, cert->maxIdx);
+            if (ret != 0)
+                return ret;
+
+            ret = CheckBitString(cert->source, &cert->srcIdx, &length,
+                                                         cert->maxIdx, 1, NULL);
+            if (ret != 0)
+                return ret;
+
+            ret = GetASNInt(cert->source, &cert->srcIdx, &length, cert->maxIdx);
+            if (ret !=0)
+                return ASN_PARSE_E;
+
+            cert->publicKey = cert->source + tmpIdx;
+            cert->pubKeySize = tmpLen;
+            cert->srcIdx += length;
+            return 0;
+        }
+    #endif /* NO_DSA && QT */
         default:
             return ASN_UNKNOWN_OID_E;
     }
 }
 
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+#if defined(HAVE_ECC)
+/* Converts ECC curve enum values in ecc_curve_id to the associated OpenSSL NID
+    value */
+WOLFSSL_API int EccEnumToNID(int n)
+{
+    WOLFSSL_ENTER("EccEnumToNID()");
+
+    switch(n) {
+        case ECC_SECP192R1:
+            return NID_X9_62_prime192v1;
+        case ECC_PRIME192V2:
+            return NID_X9_62_prime192v2;
+        case ECC_PRIME192V3:
+            return NID_X9_62_prime192v3;
+        case ECC_PRIME239V1:
+            return NID_X9_62_prime239v1;
+        case ECC_PRIME239V2:
+            return NID_X9_62_prime239v2;
+        case ECC_PRIME239V3:
+            return NID_X9_62_prime239v3;
+        case ECC_SECP256R1:
+            return NID_X9_62_prime256v1;
+        case ECC_SECP112R1:
+            return NID_secp112r1;
+        case ECC_SECP112R2:
+            return NID_secp112r2;
+        case ECC_SECP128R1:
+            return NID_secp128r1;
+        case ECC_SECP128R2:
+            return NID_secp128r2;
+        case ECC_SECP160R1:
+            return NID_secp160r1;
+        case ECC_SECP160R2:
+            return NID_secp160r2;
+        case ECC_SECP224R1:
+            return NID_secp224r1;
+        case ECC_SECP384R1:
+            return NID_secp384r1;
+        case ECC_SECP521R1:
+            return NID_secp521r1;
+        case ECC_SECP160K1:
+            return NID_secp160k1;
+        case ECC_SECP192K1:
+            return NID_secp192k1;
+        case ECC_SECP224K1:
+            return NID_secp224k1;
+        case ECC_SECP256K1:
+            return NID_secp256k1;
+        case ECC_BRAINPOOLP160R1:
+            return NID_brainpoolP160r1;
+        case ECC_BRAINPOOLP192R1:
+            return NID_brainpoolP192r1;
+        case ECC_BRAINPOOLP224R1:
+            return NID_brainpoolP224r1;
+        case ECC_BRAINPOOLP256R1:
+            return NID_brainpoolP256r1;
+        case ECC_BRAINPOOLP320R1:
+            return NID_brainpoolP320r1;
+        case ECC_BRAINPOOLP384R1:
+            return NID_brainpoolP384r1;
+        case ECC_BRAINPOOLP512R1:
+            return NID_brainpoolP512r1;
+        default:
+            WOLFSSL_MSG("NID not found");
+            return -1;
+    }
+}
+#endif /* HAVE_ECC */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+int wc_OBJ_sn2nid(const char *sn)
+{
+    const struct {
+        const char *sn;
+        int  nid;
+    } sn2nid[] = {
+        {WOLFSSL_COMMON_NAME, NID_commonName},
+        {WOLFSSL_COUNTRY_NAME, NID_countryName},
+        {WOLFSSL_LOCALITY_NAME, NID_localityName},
+        {WOLFSSL_STATE_NAME, NID_stateOrProvinceName},
+        {WOLFSSL_ORG_NAME, NID_organizationName},
+        {WOLFSSL_ORGUNIT_NAME, NID_organizationalUnitName},
+        {WOLFSSL_EMAIL_ADDR, NID_emailAddress},
+        {NULL, -1}};
+
+    int i;
+    #ifdef HAVE_ECC
+    int eccEnum;
+    #endif
+    WOLFSSL_ENTER("OBJ_sn2nid");
+    for(i=0; sn2nid[i].sn != NULL; i++) {
+        if(XSTRNCMP(sn, sn2nid[i].sn, XSTRLEN(sn2nid[i].sn)) == 0) {
+            return sn2nid[i].nid;
+        }
+    }
+    #ifdef HAVE_ECC
+    /* Nginx uses this OpenSSL string. */
+    if (XSTRNCMP(sn, "prime256v1", 10) == 0)
+        sn = "SECP256R1";
+    if (XSTRNCMP(sn, "secp384r1", 10) == 0)
+        sn = "SECP384R1";
+    /* find based on name and return NID */
+    for (i = 0; ecc_sets[i].size != 0 && ecc_sets[i].name != NULL; i++) {
+        if (XSTRNCMP(sn, ecc_sets[i].name, ECC_MAXNAME) == 0) {
+            eccEnum = ecc_sets[i].id;
+            /* Convert enum value in ecc_curve_id to OpenSSL NID */
+            return EccEnumToNID(eccEnum);
+        }
+    }
+    #endif
+
+    return NID_undef;
+}
+#endif
+
+/* Routine for calculating hashId */
+int CalcHashId(const byte* data, word32 len, byte* hash)
+{
+    int ret;
+
+#ifdef WOLF_CRYPTO_CB
+    /* try to use a registered crypto callback */
+    ret = wc_CryptoCb_Sha256Hash(NULL, data, len, hash);
+    if (ret != CRYPTOCB_UNAVAILABLE)
+        return ret;
+    /* fall-through when unavailable */
+#endif
+
+#if defined(NO_SHA) && !defined(NO_SHA256)
+    ret = wc_Sha256Hash(data, len, hash);
+#elif !defined(NO_SHA)
+    ret = wc_ShaHash(data, len, hash);
+#else
+    ret = NOT_COMPILED_IN;
+#endif
+
+    return ret;
+}
 
 /* process NAME, either issuer or subject */
-static int GetName(DecodedCert* cert, int nameType)
+static int GetName(DecodedCert* cert, int nameType, int maxIdx)
 {
     int    length;  /* length of all distinguished names */
     int    dummy;
     int    ret;
     char*  full;
     byte*  hash;
-    word32 idx;
-    #ifdef OPENSSL_EXTRA
+    word32 idx, localIdx = 0;
+    byte   tag;
+    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
         DecodedName* dName =
                   (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName;
+        int dcnum = 0;
+        #ifdef OPENSSL_EXTRA
+        int count = 0;
+        #endif
     #endif /* OPENSSL_EXTRA */
 
     WOLFSSL_MSG("Getting Cert Name");
@@ -1876,13 +5533,20 @@ static int GetName(DecodedCert* cert, int nameType)
         hash = cert->subjectHash;
     }
 
-    if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
+    if (cert->srcIdx >= (word32)maxIdx) {
+        return BUFFER_E;
+    }
+
+    localIdx = cert->srcIdx;
+    if (GetASNTag(cert->source, &localIdx, &tag, maxIdx) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (tag == ASN_OBJECT_ID) {
         WOLFSSL_MSG("Trying optional prefix...");
 
-        if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
+        if (SkipObjectId(cert->source, &cert->srcIdx, maxIdx) < 0)
             return ASN_PARSE_E;
-
-        cert->srcIdx += length;
         WOLFSSL_MSG("Got optional prefix");
     }
 
@@ -1890,21 +5554,17 @@ static int GetName(DecodedCert* cert, int nameType)
      * calculated over the entire DER encoding of the Name field, including
      * the tag and length. */
     idx = cert->srcIdx;
-    if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
+    if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
 
-#ifdef NO_SHA
-    ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
-#else
-    ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
-#endif
+    ret = CalcHashId(&cert->source[idx], length + cert->srcIdx - idx, hash);
     if (ret != 0)
         return ret;
 
     length += cert->srcIdx;
     idx = 0;
 
-#ifdef HAVE_PKCS7
+#if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
     /* store pointer to raw issuer */
     if (nameType == ISSUER) {
         cert->issuerRaw = &cert->source[cert->srcIdx];
@@ -1919,45 +5579,39 @@ static int GetName(DecodedCert* cert, int nameType)
 #endif
 
     while (cert->srcIdx < (word32)length) {
-        byte   b;
-        byte   joint[2];
-        byte   tooBig = FALSE;
-        int    oidSz;
-
-        if (GetSet(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0) {
+        byte        b       = 0;
+        byte        joint[3];
+        byte        tooBig  = FALSE;
+        int         oidSz;
+        const char* copy    = NULL;
+        int         copyLen = 0;
+        int         strLen  = 0;
+        byte        id      = 0;
+
+        if (GetSet(cert->source, &cert->srcIdx, &dummy, maxIdx) < 0) {
             WOLFSSL_MSG("Cert name lacks set header, trying sequence");
         }
 
-        if (GetSequence(cert->source, &cert->srcIdx, &dummy, cert->maxIdx) < 0)
+        if (GetSequence(cert->source, &cert->srcIdx, &dummy, maxIdx) <= 0)
             return ASN_PARSE_E;
 
-        b = cert->source[cert->srcIdx++];
-        if (b != ASN_OBJECT_ID) 
-            return ASN_OBJECT_ID_E;
+        ret = GetASNObjectId(cert->source, &cert->srcIdx, &oidSz, maxIdx);
+        if (ret != 0)
+            return ret;
 
-        if (GetLength(cert->source, &cert->srcIdx, &oidSz, cert->maxIdx) < 0)
+        /* make sure there is room for joint */
+        if ((cert->srcIdx + sizeof(joint)) > (word32)maxIdx)
             return ASN_PARSE_E;
 
         XMEMCPY(joint, &cert->source[cert->srcIdx], sizeof(joint));
 
         /* v1 name types */
         if (joint[0] == 0x55 && joint[1] == 0x04) {
-            byte   id;
-            byte   copy = FALSE;
-            int    strLen;
-
-            cert->srcIdx += 2;
-            id = cert->source[cert->srcIdx++]; 
-            b  = cert->source[cert->srcIdx++]; /* encoding */
-
-            if (GetLength(cert->source, &cert->srcIdx, &strLen,
-                          cert->maxIdx) < 0)
+            cert->srcIdx += 3;
+            id = joint[2];
+            if (GetHeader(cert->source, &b, &cert->srcIdx, &strLen,
+                          maxIdx, 1) < 0) {
                 return ASN_PARSE_E;
-
-            if ( (strLen + 14) > (int)(ASN_NAME_MAX - idx)) {
-                /* include biggest pre fix header too 4 = "/serialNumber=" */
-                WOLFSSL_MSG("ASN Name too big, skipping");
-                tooBig = TRUE;
             }
 
             if (id == ASN_COMMON_NAME) {
@@ -1967,22 +5621,16 @@ static int GetName(DecodedCert* cert, int nameType)
                     cert->subjectCNEnc = b;
                 }
 
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/CN=", 4);
-                    idx += 4;
-                    copy = TRUE;
-                }
-                #ifdef OPENSSL_EXTRA
+                copy = WOLFSSL_COMMON_NAME;
+                copyLen = sizeof(WOLFSSL_COMMON_NAME) - 1;
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->cnIdx = cert->srcIdx;
                     dName->cnLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_SUR_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/SN=", 4);
-                    idx += 4;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_SUR_NAME;
+                copyLen = sizeof(WOLFSSL_SUR_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectSN = (char*)&cert->source[cert->srcIdx];
@@ -1990,17 +5638,14 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectSNEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->snIdx = cert->srcIdx;
                     dName->snLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_COUNTRY_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/C=", 3);
-                    idx += 3;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_COUNTRY_NAME;
+                copyLen = sizeof(WOLFSSL_COUNTRY_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectC = (char*)&cert->source[cert->srcIdx];
@@ -2008,17 +5653,14 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectCEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->cIdx = cert->srcIdx;
                     dName->cLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_LOCALITY_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/L=", 3);
-                    idx += 3;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_LOCALITY_NAME;
+                copyLen = sizeof(WOLFSSL_LOCALITY_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectL = (char*)&cert->source[cert->srcIdx];
@@ -2026,17 +5668,14 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectLEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->lIdx = cert->srcIdx;
                     dName->lLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_STATE_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/ST=", 4);
-                    idx += 4;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_STATE_NAME;
+                copyLen = sizeof(WOLFSSL_STATE_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectST = (char*)&cert->source[cert->srcIdx];
@@ -2044,17 +5683,14 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectSTEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->stIdx = cert->srcIdx;
                     dName->stLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_ORG_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/O=", 3);
-                    idx += 3;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_ORG_NAME;
+                copyLen = sizeof(WOLFSSL_ORG_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectO = (char*)&cert->source[cert->srcIdx];
@@ -2062,17 +5698,14 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectOEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->oIdx = cert->srcIdx;
                     dName->oLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_ORGUNIT_NAME) {
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/OU=", 4);
-                    idx += 4;
-                    copy = TRUE;
-                }
+                copy = WOLFSSL_ORGUNIT_NAME;
+                copyLen = sizeof(WOLFSSL_ORGUNIT_NAME) - 1;
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectOU = (char*)&cert->source[cert->srcIdx];
@@ -2080,75 +5713,148 @@ static int GetName(DecodedCert* cert, int nameType)
                         cert->subjectOUEnc = b;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->ouIdx = cert->srcIdx;
                     dName->ouLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
             else if (id == ASN_SERIAL_NUMBER) {
-                if (!tooBig) {
-                   XMEMCPY(&full[idx], "/serialNumber=", 14);
-                   idx += 14;
-                   copy = TRUE;
-                }
-                #ifdef OPENSSL_EXTRA
+                copy = WOLFSSL_SERIAL_NUMBER;
+                copyLen = sizeof(WOLFSSL_SERIAL_NUMBER) - 1;
+                #ifdef WOLFSSL_CERT_GEN
+                    if (nameType == SUBJECT) {
+                        cert->subjectSND = (char*)&cert->source[cert->srcIdx];
+                        cert->subjectSNDLen = strLen;
+                        cert->subjectSNDEnc = b;
+                    }
+                #endif /* WOLFSSL_CERT_GEN */
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->snIdx = cert->srcIdx;
                     dName->snLen = strLen;
                 #endif /* OPENSSL_EXTRA */
             }
+        #ifdef WOLFSSL_CERT_EXT
+            else if (id == ASN_BUS_CAT) {
+                copy = WOLFSSL_BUS_CAT;
+                copyLen = sizeof(WOLFSSL_BUS_CAT) - 1;
+            #ifdef WOLFSSL_CERT_GEN
+                if (nameType == SUBJECT) {
+                    cert->subjectBC = (char*)&cert->source[cert->srcIdx];
+                    cert->subjectBCLen = strLen;
+                    cert->subjectBCEnc = b;
+                }
+            #endif /* WOLFSSL_CERT_GEN */
+            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                dName->bcIdx = cert->srcIdx;
+                dName->bcLen = strLen;
+            #endif /* OPENSSL_EXTRA */
+            }
+        #endif /* WOLFSSL_CERT_EXT */
+        }
+    #ifdef WOLFSSL_CERT_EXT
+        else if ((cert->srcIdx + ASN_JOI_PREFIX_SZ + 2 <= (word32)maxIdx) &&
+                 (0 == XMEMCMP(&cert->source[cert->srcIdx], ASN_JOI_PREFIX,
+                               ASN_JOI_PREFIX_SZ)) &&
+                 ((cert->source[cert->srcIdx+ASN_JOI_PREFIX_SZ] == ASN_JOI_C) ||
+                  (cert->source[cert->srcIdx+ASN_JOI_PREFIX_SZ] == ASN_JOI_ST)))
+        {
+            cert->srcIdx += ASN_JOI_PREFIX_SZ;
+            id = cert->source[cert->srcIdx++];
+            b = cert->source[cert->srcIdx++]; /* encoding */
 
-            if (copy && !tooBig) {
-                XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
-                idx += strLen;
+            if (GetLength(cert->source, &cert->srcIdx, &strLen,
+                          maxIdx) < 0)
+                return ASN_PARSE_E;
+
+            /* Check for jurisdiction of incorporation country name */
+            if (id == ASN_JOI_C) {
+                copy = WOLFSSL_JOI_C;
+                copyLen = sizeof(WOLFSSL_JOI_C) - 1;
+                #ifdef WOLFSSL_CERT_GEN
+                    if (nameType == SUBJECT) {
+                        cert->subjectJC = (char*)&cert->source[cert->srcIdx];
+                        cert->subjectJCLen = strLen;
+                        cert->subjectJCEnc = b;
+                    }
+                #endif /* WOLFSSL_CERT_GEN */
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                    dName->jcIdx = cert->srcIdx;
+                    dName->jcLen = strLen;
+                #endif /* OPENSSL_EXTRA */
+            }
+
+            /* Check for jurisdiction of incorporation state name */
+            else if (id == ASN_JOI_ST) {
+                copy = WOLFSSL_JOI_ST;
+                copyLen = sizeof(WOLFSSL_JOI_ST) - 1;
+                #ifdef WOLFSSL_CERT_GEN
+                    if (nameType == SUBJECT) {
+                        cert->subjectJS = (char*)&cert->source[cert->srcIdx];
+                        cert->subjectJSLen = strLen;
+                        cert->subjectJSEnc = b;
+                    }
+                #endif /* WOLFSSL_CERT_GEN */
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                    dName->jsIdx = cert->srcIdx;
+                    dName->jsLen = strLen;
+                #endif /* OPENSSL_EXTRA */
             }
 
-            cert->srcIdx += strLen;
+            if ((strLen + copyLen) > (int)(ASN_NAME_MAX - idx)) {
+                WOLFSSL_MSG("ASN Name too big, skipping");
+                tooBig = TRUE;
+            }
         }
+    #endif /* WOLFSSL_CERT_EXT */
         else {
             /* skip */
             byte email = FALSE;
-            byte uid   = FALSE;
-            int  adv;
+            byte pilot = FALSE;
 
-            if (joint[0] == 0x2a && joint[1] == 0x86)  /* email id hdr */
+            if (joint[0] == 0x2a && joint[1] == 0x86) {  /* email id hdr */
+                id = ASN_EMAIL_NAME;
                 email = TRUE;
+            }
 
-            if (joint[0] == 0x9  && joint[1] == 0x92)  /* uid id hdr */
-                uid = TRUE;
+            if (joint[0] == 0x9  && joint[1] == 0x92) { /* uid id hdr */
+                /* last value of OID is the type of pilot attribute */
+                id    = cert->source[cert->srcIdx + oidSz - 1];
+                pilot = TRUE;
+            }
 
             cert->srcIdx += oidSz + 1;
 
-            if (GetLength(cert->source, &cert->srcIdx, &adv, cert->maxIdx) < 0)
+            if (GetLength(cert->source, &cert->srcIdx, &strLen, maxIdx) < 0)
                 return ASN_PARSE_E;
 
-            if (adv > (int)(ASN_NAME_MAX - idx)) {
+            if (strLen > (int)(ASN_NAME_MAX - idx)) {
                 WOLFSSL_MSG("ASN name too big, skipping");
                 tooBig = TRUE;
             }
 
             if (email) {
-                if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) {
+                copyLen = sizeof(WOLFSSL_EMAIL_ADDR) - 1;
+                if ((copyLen + strLen) > (int)(ASN_NAME_MAX - idx)) {
                     WOLFSSL_MSG("ASN name too big, skipping");
                     tooBig = TRUE;
                 }
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/emailAddress=", 14);
-                    idx += 14;
+                else {
+                    copy = WOLFSSL_EMAIL_ADDR;
                 }
 
                 #ifdef WOLFSSL_CERT_GEN
                     if (nameType == SUBJECT) {
                         cert->subjectEmail = (char*)&cert->source[cert->srcIdx];
-                        cert->subjectEmailLen = adv;
+                        cert->subjectEmailLen = strLen;
                     }
                 #endif /* WOLFSSL_CERT_GEN */
-                #ifdef OPENSSL_EXTRA
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     dName->emailIdx = cert->srcIdx;
-                    dName->emailLen = adv;
+                    dName->emailLen = strLen;
                 #endif /* OPENSSL_EXTRA */
                 #ifndef IGNORE_NAME_CONSTRAINTS
                     {
-                        DNS_entry* emailName = NULL;
+                        DNS_entry* emailName;
 
                         emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry),
                                               cert->heap, DYNAMIC_TYPE_ALTNAME);
@@ -2156,52 +5862,85 @@ static int GetName(DecodedCert* cert, int nameType)
                             WOLFSSL_MSG("\tOut of Memory");
                             return MEMORY_E;
                         }
-                        emailName->name = (char*)XMALLOC(adv + 1,
+                        emailName->type = 0;
+                        emailName->name = (char*)XMALLOC(strLen + 1,
                                               cert->heap, DYNAMIC_TYPE_ALTNAME);
                         if (emailName->name == NULL) {
                             WOLFSSL_MSG("\tOut of Memory");
+                            XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
                             return MEMORY_E;
                         }
-                        XMEMCPY(emailName->name,
-                                              &cert->source[cert->srcIdx], adv);
-                        emailName->name[adv] = 0;
+                        emailName->len = strLen;
+                        XMEMCPY(emailName->name, &cert->source[cert->srcIdx],
+                                                                        strLen);
+                        emailName->name[strLen] = '\0';
 
                         emailName->next = cert->altEmailNames;
                         cert->altEmailNames = emailName;
                     }
                 #endif /* IGNORE_NAME_CONSTRAINTS */
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
-                    idx += adv;
-                }
             }
 
-            if (uid) {
-                if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) {
-                    WOLFSSL_MSG("ASN name too big, skipping");
-                    tooBig = TRUE;
-                }
-                if (!tooBig) {
-                    XMEMCPY(&full[idx], "/UID=", 5);
-                    idx += 5;
+            if (pilot) {
+                switch (id) {
+                    case ASN_USER_ID:
+                        copy = WOLFSSL_USER_ID;
+                        copyLen = sizeof(WOLFSSL_USER_ID) - 1;
+                    #if defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)
+                        dName->uidIdx = cert->srcIdx;
+                        dName->uidLen = strLen;
+                    #endif /* OPENSSL_EXTRA */
+                        break;
 
-                    XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv);
-                    idx += adv;
+                    case ASN_DOMAIN_COMPONENT:
+                        copy = WOLFSSL_DOMAIN_COMPONENT;
+                        copyLen = sizeof(WOLFSSL_DOMAIN_COMPONENT) - 1;
+                    #if defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)
+                        dName->dcIdx[dcnum] = cert->srcIdx;
+                        dName->dcLen[dcnum] = strLen;
+                        dName->dcNum = dcnum + 1;
+                        dcnum++;
+                    #endif /* OPENSSL_EXTRA */
+                        break;
+
+                    default:
+                        WOLFSSL_MSG("Unknown pilot attribute type");
+                        return ASN_PARSE_E;
                 }
-                #ifdef OPENSSL_EXTRA
-                    dName->uidIdx = cert->srcIdx;
-                    dName->uidLen = adv;
-                #endif /* OPENSSL_EXTRA */
             }
+        }
+        if ((copyLen + strLen) > (int)(ASN_NAME_MAX - idx))
+        {
+            WOLFSSL_MSG("ASN Name too big, skipping");
+            tooBig = TRUE;
+        }
+        if ((copy != NULL) && !tooBig) {
+            XMEMCPY(&full[idx], copy, copyLen);
+            idx += copyLen;
+            XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen);
+            idx += strLen;
 
-            cert->srcIdx += adv;
+        #ifdef OPENSSL_EXTRA
+            if (count < DOMAIN_COMPONENT_MAX) {
+                /* store order that DN was parsed */
+                dName->loc[count++] = id;
+            }
+        #endif
         }
+        cert->srcIdx += strLen;
     }
     full[idx++] = 0;
+#if defined(OPENSSL_EXTRA)
+    /* store order that DN was parsed */
+    dName->locSz = count;
+#endif
 
-    #ifdef OPENSSL_EXTRA
+    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     {
         int totalLen = 0;
+        int i = 0;
 
         if (dName->cnLen != 0)
             totalLen += dName->cnLen + 4;
@@ -2223,14 +5962,20 @@ static int GetName(DecodedCert* cert, int nameType)
             totalLen += dName->uidLen + 5;
         if (dName->serialLen != 0)
             totalLen += dName->serialLen + 14;
+        if (dName->dcNum != 0){
+            for (i = 0;i < dName->dcNum;i++)
+                totalLen += dName->dcLen[i] + 4;
+        }
 
-        dName->fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509);
+        dName->fullName = (char*)XMALLOC(totalLen + 1, cert->heap,
+                                                             DYNAMIC_TYPE_X509);
         if (dName->fullName != NULL) {
             idx = 0;
 
             if (dName->cnLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/CN=", 4);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_COMMON_NAME, 4);
+                dName->cnNid = wc_OBJ_sn2nid((const char *)WOLFSSL_COMMON_NAME);
                 idx += 4;
                 XMEMCPY(&dName->fullName[idx],
                                      &cert->source[dName->cnIdx], dName->cnLen);
@@ -2239,7 +5984,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->snLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/SN=", 4);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_SUR_NAME, 4);
+                dName->snNid = wc_OBJ_sn2nid((const char *)WOLFSSL_SUR_NAME);
                 idx += 4;
                 XMEMCPY(&dName->fullName[idx],
                                      &cert->source[dName->snIdx], dName->snLen);
@@ -2248,7 +5994,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->cLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/C=", 3);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_COUNTRY_NAME, 3);
+                dName->cNid = wc_OBJ_sn2nid((const char *)WOLFSSL_COUNTRY_NAME);
                 idx += 3;
                 XMEMCPY(&dName->fullName[idx],
                                        &cert->source[dName->cIdx], dName->cLen);
@@ -2257,7 +6004,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->lLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/L=", 3);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_LOCALITY_NAME, 3);
+                dName->lNid = wc_OBJ_sn2nid((const char *)WOLFSSL_LOCALITY_NAME);
                 idx += 3;
                 XMEMCPY(&dName->fullName[idx],
                                        &cert->source[dName->lIdx], dName->lLen);
@@ -2266,7 +6014,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->stLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/ST=", 4);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_STATE_NAME, 4);
+                dName->stNid = wc_OBJ_sn2nid((const char *)WOLFSSL_STATE_NAME);
                 idx += 4;
                 XMEMCPY(&dName->fullName[idx],
                                      &cert->source[dName->stIdx], dName->stLen);
@@ -2275,7 +6024,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->oLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/O=", 3);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_ORG_NAME, 3);
+                dName->oNid = wc_OBJ_sn2nid((const char *)WOLFSSL_ORG_NAME);
                 idx += 3;
                 XMEMCPY(&dName->fullName[idx],
                                        &cert->source[dName->oIdx], dName->oLen);
@@ -2284,7 +6034,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->ouLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/OU=", 4);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_ORGUNIT_NAME, 4);
+                dName->ouNid = wc_OBJ_sn2nid((const char *)WOLFSSL_ORGUNIT_NAME);
                 idx += 4;
                 XMEMCPY(&dName->fullName[idx],
                                      &cert->source[dName->ouIdx], dName->ouLen);
@@ -2294,15 +6045,28 @@ static int GetName(DecodedCert* cert, int nameType)
             if (dName->emailLen != 0) {
                 dName->entryCount++;
                 XMEMCPY(&dName->fullName[idx], "/emailAddress=", 14);
+                dName->emailNid = wc_OBJ_sn2nid((const char *)"/emailAddress=");
                 idx += 14;
                 XMEMCPY(&dName->fullName[idx],
                                &cert->source[dName->emailIdx], dName->emailLen);
                 dName->emailIdx = idx;
                 idx += dName->emailLen;
             }
+            for (i = 0;i < dName->dcNum;i++){
+                if (dName->dcLen[i] != 0) {
+                    dName->entryCount++;
+                    XMEMCPY(&dName->fullName[idx], WOLFSSL_DOMAIN_COMPONENT, 4);
+                    idx += 4;
+                    XMEMCPY(&dName->fullName[idx],
+                                    &cert->source[dName->dcIdx[i]], dName->dcLen[i]);
+                    dName->dcIdx[i] = idx;
+                    idx += dName->dcLen[i];
+                }
+            }
             if (dName->uidLen != 0) {
                 dName->entryCount++;
                 XMEMCPY(&dName->fullName[idx], "/UID=", 5);
+                dName->uidNid = wc_OBJ_sn2nid((const char *)"/UID=");
                 idx += 5;
                 XMEMCPY(&dName->fullName[idx],
                                    &cert->source[dName->uidIdx], dName->uidLen);
@@ -2311,7 +6075,8 @@ static int GetName(DecodedCert* cert, int nameType)
             }
             if (dName->serialLen != 0) {
                 dName->entryCount++;
-                XMEMCPY(&dName->fullName[idx], "/serialNumber=", 14);
+                XMEMCPY(&dName->fullName[idx], WOLFSSL_SERIAL_NUMBER, 14);
+                dName->serialNid = wc_OBJ_sn2nid((const char *)WOLFSSL_SERIAL_NUMBER);
                 idx += 14;
                 XMEMCPY(&dName->fullName[idx],
                              &cert->source[dName->serialIdx], dName->serialLen);
@@ -2328,17 +6093,203 @@ static int GetName(DecodedCert* cert, int nameType)
 }
 
 
-#ifndef NO_TIME_H
+#ifndef NO_ASN_TIME
+
+/* two byte date/time, add to value */
+static WC_INLINE int GetTime(int* value, const byte* date, int* idx)
+{
+    int i = *idx;
+
+    if (date[i] < 0x30 || date[i] > 0x39 || date[i+1] < 0x30 ||
+                                                             date[i+1] > 0x39) {
+        return ASN_PARSE_E;
+    }
+
+    *value += btoi(date[i++]) * 10;
+    *value += btoi(date[i++]);
+
+    *idx = i;
+
+    return 0;
+}
+
+int ExtractDate(const unsigned char* date, unsigned char format,
+                                                  struct tm* certTime, int* idx)
+{
+    XMEMSET(certTime, 0, sizeof(struct tm));
+
+    if (format == ASN_UTC_TIME) {
+        if (btoi(date[*idx]) >= 5)
+            certTime->tm_year = 1900;
+        else
+            certTime->tm_year = 2000;
+    }
+    else  { /* format == GENERALIZED_TIME */
+        if (GetTime(&certTime->tm_year, date, idx) != 0) return 0;
+        certTime->tm_year *= 100;
+    }
+
+    /* adjust tm_year, tm_mon */
+    if (GetTime(&certTime->tm_year, date, idx) != 0) return 0;
+    certTime->tm_year -= 1900;
+    if (GetTime(&certTime->tm_mon , date, idx) != 0) return 0;
+    certTime->tm_mon  -= 1;
+    if (GetTime(&certTime->tm_mday, date, idx) != 0) return 0;
+    if (GetTime(&certTime->tm_hour, date, idx) != 0) return 0;
+    if (GetTime(&certTime->tm_min , date, idx) != 0) return 0;
+    if (GetTime(&certTime->tm_sec , date, idx) != 0) return 0;
+
+    return 1;
+}
+
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
+    defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+int GetTimeString(byte* date, int format, char* buf, int len)
+{
+    struct tm t;
+    int idx = 0;
+
+    if (!ExtractDate(date, (unsigned char)format, &t, &idx)) {
+        return 0;
+    }
+
+    if (date[idx] != 'Z') {
+        WOLFSSL_MSG("UTCtime, not Zulu") ;
+        return 0;
+    }
+
+    /* place month in buffer */
+    buf[0] = '\0';
+    switch(t.tm_mon) {
+        case 0:  XSTRNCAT(buf, "Jan ", 5); break;
+        case 1:  XSTRNCAT(buf, "Feb ", 5); break;
+        case 2:  XSTRNCAT(buf, "Mar ", 5); break;
+        case 3:  XSTRNCAT(buf, "Apr ", 5); break;
+        case 4:  XSTRNCAT(buf, "May ", 5); break;
+        case 5:  XSTRNCAT(buf, "Jun ", 5); break;
+        case 6:  XSTRNCAT(buf, "Jul ", 5); break;
+        case 7:  XSTRNCAT(buf, "Aug ", 5); break;
+        case 8:  XSTRNCAT(buf, "Sep ", 5); break;
+        case 9:  XSTRNCAT(buf, "Oct ", 5); break;
+        case 10: XSTRNCAT(buf, "Nov ", 5); break;
+        case 11: XSTRNCAT(buf, "Dec ", 5); break;
+        default:
+            return 0;
+
+    }
+    idx = 4; /* use idx now for char buffer */
+
+    XSNPRINTF(buf + idx, len - idx, "%2d %02d:%02d:%02d %d GMT",
+              t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec, t.tm_year + 1900);
+
+    return 1;
+}
+#endif /* OPENSSL_ALL || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
+
+
+#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
+
+/* Set current time string, either UTC or GeneralizedTime.
+ * (void*) tm should be a pointer to time_t, output is placed in buf.
+ *
+ * Return time string length placed in buf on success, negative on error */
+int GetAsnTimeString(void* currTime, byte* buf, word32 len)
+{
+    struct tm* ts      = NULL;
+    struct tm* tmpTime = NULL;
+#if defined(NEED_TMP_TIME)
+    struct tm tmpTimeStorage;
+    tmpTime = &tmpTimeStorage;
+#else
+    (void)tmpTime;
+#endif
+    byte* data_ptr  = buf;
+    word32 data_len = 0;
+    int year, mon, day, hour, mini, sec;
+
+    WOLFSSL_ENTER("SetAsnTimeString");
+
+    if (buf == NULL || len == 0)
+        return BAD_FUNC_ARG;
+
+    ts = (struct tm *)XGMTIME((time_t*)currTime, tmpTime);
+    if (ts == NULL){
+        WOLFSSL_MSG("failed to get time data.");
+        return ASN_TIME_E;
+    }
+
+    /* Note ASN_UTC_TIME_SIZE and ASN_GENERALIZED_TIME_SIZE include space for
+     * the null terminator. ASN encoded values leave off the terminator. */
+
+    if (ts->tm_year >= 50 && ts->tm_year < 150) {
+        /* UTC Time */
+        char utc_str[ASN_UTC_TIME_SIZE];
+        data_len = ASN_UTC_TIME_SIZE - 1 + 2;
+
+        if (len < data_len)
+            return BUFFER_E;
+
+        if (ts->tm_year >= 50 && ts->tm_year < 100) {
+            year = ts->tm_year;
+        } else if (ts->tm_year >= 100 && ts->tm_year < 150) {
+            year = ts->tm_year - 100;
+        }
+        else {
+            WOLFSSL_MSG("unsupported year range");
+            return BAD_FUNC_ARG;
+        }
+        mon  = ts->tm_mon + 1;
+        day  = ts->tm_mday;
+        hour = ts->tm_hour;
+        mini = ts->tm_min;
+        sec  = ts->tm_sec;
+        XSNPRINTF((char *)utc_str, ASN_UTC_TIME_SIZE,
+                  "%02d%02d%02d%02d%02d%02dZ", year, mon, day, hour, mini, sec);
+        *data_ptr = (byte) ASN_UTC_TIME; data_ptr++;
+        /* -1 below excludes null terminator */
+        *data_ptr = (byte) ASN_UTC_TIME_SIZE - 1; data_ptr++;
+        XMEMCPY(data_ptr,(byte *)utc_str, ASN_UTC_TIME_SIZE - 1);
+
+    } else {
+        /* GeneralizedTime */
+        char gt_str[ASN_GENERALIZED_TIME_SIZE];
+        data_len = ASN_GENERALIZED_TIME_SIZE - 1 + 2;
+
+        if (len < data_len)
+            return BUFFER_E;
+
+        year = ts->tm_year + 1900;
+        mon  = ts->tm_mon + 1;
+        day  = ts->tm_mday;
+        hour = ts->tm_hour;
+        mini = ts->tm_min;
+        sec  = ts->tm_sec;
+        XSNPRINTF((char *)gt_str, ASN_GENERALIZED_TIME_SIZE,
+                  "%4d%02d%02d%02d%02d%02dZ", year, mon, day, hour, mini, sec);
+        *data_ptr = (byte) ASN_GENERALIZED_TIME; data_ptr++;
+        /* -1 below excludes null terminator */
+        *data_ptr = (byte) ASN_GENERALIZED_TIME_SIZE - 1; data_ptr++;
+        XMEMCPY(data_ptr,(byte *)gt_str, ASN_GENERALIZED_TIME_SIZE - 1);
+    }
+
+    return data_len;
+}
+
+#endif /* !NO_ASN_TIME && HAVE_PKCS7 */
+
+
+#if defined(USE_WOLF_VALIDDATE)
 
 /* to the second */
-static int DateGreaterThan(const struct tm* a, const struct tm* b)
+int DateGreaterThan(const struct tm* a, const struct tm* b)
 {
     if (a->tm_year > b->tm_year)
         return 1;
 
     if (a->tm_year == b->tm_year && a->tm_mon > b->tm_mon)
         return 1;
-    
+
     if (a->tm_year == b->tm_year && a->tm_mon == b->tm_mon &&
            a->tm_mday > b->tm_mday)
         return 1;
@@ -2361,12 +6312,11 @@ static int DateGreaterThan(const struct tm* a, const struct tm* b)
 }
 
 
-static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
+static WC_INLINE int DateLessThan(const struct tm* a, const struct tm* b)
 {
     return DateGreaterThan(b,a);
 }
 
-
 /* like atoi but only use first byte */
 /* Make sure before and after dates are valid */
 int ValidateDate(const byte* date, byte format, int dateType)
@@ -2374,64 +6324,142 @@ int ValidateDate(const byte* date, byte format, int dateType)
     time_t ltime;
     struct tm  certTime;
     struct tm* localTime;
-    struct tm* tmpTime = NULL;
+    struct tm* tmpTime;
     int    i = 0;
+    int    timeDiff = 0 ;
+    int    diffHH = 0 ; int diffMM = 0 ;
+    int    diffSign = 0 ;
 
-#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES)
+#if defined(NEED_TMP_TIME)
     struct tm tmpTimeStorage;
     tmpTime = &tmpTimeStorage;
 #else
-    (void)tmpTime;
+    tmpTime = NULL;
 #endif
+    (void)tmpTime;
 
     ltime = XTIME(0);
-    XMEMSET(&certTime, 0, sizeof(certTime));
 
-    if (format == ASN_UTC_TIME) {
-        if (btoi(date[0]) >= 5)
-            certTime.tm_year = 1900;
-        else
-            certTime.tm_year = 2000;
+#ifdef WOLFSSL_BEFORE_DATE_CLOCK_SKEW
+    if (dateType == BEFORE) {
+        WOLFSSL_MSG("Skewing local time for before date check");
+        ltime += WOLFSSL_BEFORE_DATE_CLOCK_SKEW;
     }
-    else  { /* format == GENERALIZED_TIME */
-        certTime.tm_year += btoi(date[i++]) * 1000;
-        certTime.tm_year += btoi(date[i++]) * 100;
+#endif
+
+#ifdef WOLFSSL_AFTER_DATE_CLOCK_SKEW
+    if (dateType == AFTER) {
+        WOLFSSL_MSG("Skewing local time for after date check");
+        ltime -= WOLFSSL_AFTER_DATE_CLOCK_SKEW;
     }
+#endif
 
-    /* adjust tm_year, tm_mon */
-    GetTime((int*)&certTime.tm_year, date, &i); certTime.tm_year -= 1900;
-    GetTime((int*)&certTime.tm_mon,  date, &i); certTime.tm_mon  -= 1;
-    GetTime((int*)&certTime.tm_mday, date, &i);
-    GetTime((int*)&certTime.tm_hour, date, &i);
-    GetTime((int*)&certTime.tm_min,  date, &i);
-    GetTime((int*)&certTime.tm_sec,  date, &i);
-
-        if (date[i] != 'Z') {     /* only Zulu supported for this profile */
-        WOLFSSL_MSG("Only Zulu time supported for this profile");
+    if (!ExtractDate(date, format, &certTime, &i)) {
+        WOLFSSL_MSG("Error extracting the date");
         return 0;
     }
 
+    if ((date[i] == '+') || (date[i] == '-')) {
+        WOLFSSL_MSG("Using time differential, not Zulu") ;
+        diffSign = date[i++] == '+' ? 1 : -1 ;
+        if (GetTime(&diffHH, date, &i) != 0)
+            return 0;
+        if (GetTime(&diffMM, date, &i) != 0)
+            return 0;
+        timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ;
+    } else if (date[i] != 'Z') {
+        WOLFSSL_MSG("UTCtime, neither Zulu or time differential") ;
+        return 0;
+    }
+
+    ltime -= (time_t)timeDiff ;
     localTime = XGMTIME(&ltime, tmpTime);
 
+    if (localTime == NULL) {
+        WOLFSSL_MSG("XGMTIME failed");
+        return 0;
+    }
+
     if (dateType == BEFORE) {
-        if (DateLessThan(localTime, &certTime))
+        if (DateLessThan(localTime, &certTime)) {
+            WOLFSSL_MSG("Date BEFORE check failed");
             return 0;
+        }
     }
-    else
-        if (DateGreaterThan(localTime, &certTime))
+    else {  /* dateType == AFTER */
+        if (DateGreaterThan(localTime, &certTime)) {
+            WOLFSSL_MSG("Date AFTER check failed");
             return 0;
+        }
+    }
 
     return 1;
 }
+#endif /* USE_WOLF_VALIDDATE */
+
+int wc_GetTime(void* timePtr, word32 timeSize)
+{
+    time_t* ltime = (time_t*)timePtr;
+
+    if (timePtr == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if ((word32)sizeof(time_t) > timeSize) {
+        return BUFFER_E;
+    }
+
+    *ltime = XTIME(0);
+
+    return 0;
+}
 
-#endif /* NO_TIME_H */
+#endif /* !NO_ASN_TIME */
 
 
-static int GetDate(DecodedCert* cert, int dateType)
+/* Get date buffer, format and length. Returns 0=success or error */
+static int GetDateInfo(const byte* source, word32* idx, const byte** pDate,
+                        byte* pFormat, int* pLength, word32 maxIdx)
 {
-    int    length;
+    int length;
+    byte format;
+
+    if (source == NULL || idx == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get ASN format header */
+    if (*idx+1 > maxIdx)
+        return BUFFER_E;
+    format = source[*idx];
+    *idx += 1;
+    if (format != ASN_UTC_TIME && format != ASN_GENERALIZED_TIME)
+        return ASN_TIME_E;
+
+    /* get length */
+    if (GetLength(source, idx, &length, maxIdx) < 0)
+        return ASN_PARSE_E;
+    if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
+        return ASN_DATE_SZ_E;
+
+    /* return format, date and length */
+    if (pFormat)
+        *pFormat = format;
+    if (pDate)
+        *pDate = &source[*idx];
+    if (pLength)
+        *pLength = length;
+
+    *idx += length;
+
+    return 0;
+}
+
+static int GetDate(DecodedCert* cert, int dateType, int verify, int maxIdx)
+{
+    int    ret, length;
+    const byte *datePtr = NULL;
     byte   date[MAX_DATE_SIZE];
-    byte   b;
+    byte   format;
     word32 startIdx = 0;
 
     if (dateType == BEFORE)
@@ -2440,49 +6468,50 @@ static int GetDate(DecodedCert* cert, int dateType)
         cert->afterDate = &cert->source[cert->srcIdx];
     startIdx = cert->srcIdx;
 
-    b = cert->source[cert->srcIdx++];
-    if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
-        return ASN_TIME_E;
-
-    if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
-        return ASN_PARSE_E;
-
-    if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
-        return ASN_DATE_SZ_E;
+    ret = GetDateInfo(cert->source, &cert->srcIdx, &datePtr, &format,
+                      &length, maxIdx);
+    if (ret < 0)
+        return ret;
 
-    XMEMCPY(date, &cert->source[cert->srcIdx], length);
-    cert->srcIdx += length;
+    XMEMSET(date, 0, MAX_DATE_SIZE);
+    XMEMCPY(date, datePtr, length);
 
     if (dateType == BEFORE)
         cert->beforeDateLen = cert->srcIdx - startIdx;
     else
         cert->afterDateLen  = cert->srcIdx - startIdx;
 
-    if (!XVALIDATE_DATE(date, b, dateType)) {
+#ifndef NO_ASN_TIME
+    if (verify != NO_VERIFY && verify != VERIFY_SKIP_DATE &&
+            !XVALIDATE_DATE(date, format, dateType)) {
         if (dateType == BEFORE)
             return ASN_BEFORE_DATE_E;
         else
             return ASN_AFTER_DATE_E;
     }
+#else
+    (void)verify;
+#endif
 
     return 0;
 }
 
-
-static int GetValidity(DecodedCert* cert, int verify)
+static int GetValidity(DecodedCert* cert, int verify, int maxIdx)
 {
     int length;
     int badDate = 0;
 
-    if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
+    if (GetSequence(cert->source, &cert->srcIdx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
 
-    if (GetDate(cert, BEFORE) < 0 && verify)
-        badDate = ASN_BEFORE_DATE_E;           /* continue parsing */
-    
-    if (GetDate(cert, AFTER) < 0 && verify)
+    maxIdx = cert->srcIdx + length;
+
+    if (GetDate(cert, BEFORE, verify, maxIdx) < 0)
+        badDate = ASN_BEFORE_DATE_E; /* continue parsing */
+
+    if (GetDate(cert, AFTER, verify, maxIdx) < 0)
         return ASN_AFTER_DATE_E;
-   
+
     if (badDate != 0)
         return badDate;
 
@@ -2490,32 +6519,111 @@ static int GetValidity(DecodedCert* cert, int verify)
 }
 
 
-int DecodeToKey(DecodedCert* cert, int verify)
+int wc_GetDateInfo(const byte* certDate, int certDateSz, const byte** date,
+    byte* format, int* length)
 {
-    int badDate = 0;
     int ret;
+    word32 idx = 0;
+
+    ret = GetDateInfo(certDate, &idx, date, format, length, certDateSz);
+    if (ret < 0)
+        return ret;
+
+    return 0;
+}
+
+#ifndef NO_ASN_TIME
+int wc_GetDateAsCalendarTime(const byte* date, int length, byte format,
+    struct tm* timearg)
+{
+    int idx = 0;
+    (void)length;
+    if (!ExtractDate(date, format, timearg, &idx))
+        return ASN_TIME_E;
+    return 0;
+}
+
+#if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES)
+int wc_GetCertDates(Cert* cert, struct tm* before, struct tm* after)
+{
+    int ret = 0;
+    const byte* date;
+    byte format;
+    int length;
 
+    if (cert == NULL)
+        return BAD_FUNC_ARG;
+
+    if (before && cert->beforeDateSz > 0) {
+        ret = wc_GetDateInfo(cert->beforeDate, cert->beforeDateSz, &date,
+                             &format, &length);
+        if (ret == 0)
+            ret = wc_GetDateAsCalendarTime(date, length, format, before);
+    }
+    if (after && cert->afterDateSz > 0) {
+        ret = wc_GetDateInfo(cert->afterDate, cert->afterDateSz, &date,
+                             &format, &length);
+        if (ret == 0)
+            ret = wc_GetDateAsCalendarTime(date, length, format, after);
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_CERT_GEN && WOLFSSL_ALT_NAMES */
+#endif /* !NO_ASN_TIME */
+
+/* parses certificate up to point of X.509 public key
+ *
+ * if cert date is invalid then badDate gets set to error value, otherwise is 0
+ *
+ * returns a negative value on fail case
+ */
+int wc_GetPubX509(DecodedCert* cert, int verify, int* badDate)
+{
+    int ret;
+
+    if (cert == NULL || badDate == NULL)
+        return BAD_FUNC_ARG;
+
+    *badDate = 0;
     if ( (ret = GetCertHeader(cert)) < 0)
         return ret;
 
     WOLFSSL_MSG("Got Cert Header");
 
+    /* Using the sigIndex as the upper bound because that's where the
+     * actual certificate data ends. */
     if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
-                          cert->maxIdx)) < 0)
+                          oidSigType, cert->sigIndex)) < 0)
         return ret;
 
     WOLFSSL_MSG("Got Algo ID");
 
-    if ( (ret = GetName(cert, ISSUER)) < 0)
+    if ( (ret = GetName(cert, ISSUER, cert->sigIndex)) < 0)
         return ret;
 
-    if ( (ret = GetValidity(cert, verify)) < 0)
-        badDate = ret;
+    if ( (ret = GetValidity(cert, verify, cert->sigIndex)) < 0)
+        *badDate = ret;
 
-    if ( (ret = GetName(cert, SUBJECT)) < 0)
+    if ( (ret = GetName(cert, SUBJECT, cert->sigIndex)) < 0)
         return ret;
 
     WOLFSSL_MSG("Got Subject Name");
+    return ret;
+}
+
+int DecodeToKey(DecodedCert* cert, int verify)
+{
+    int badDate = 0;
+    int ret;
+
+    if ( (ret = wc_GetPubX509(cert, verify, &badDate)) < 0)
+        return ret;
+
+    /* Determine if self signed */
+    cert->selfSigned = XMEMCMP(cert->issuerHash,
+                               cert->subjectHash,
+                               KEYID_SIZE) == 0 ? 1 : 0;
 
     if ( (ret = GetKey(cert)) < 0)
         return ret;
@@ -2528,40 +6636,36 @@ int DecodeToKey(DecodedCert* cert, int verify)
     return ret;
 }
 
-
 static int GetSignature(DecodedCert* cert)
 {
-    int    length;
-    byte   b = cert->source[cert->srcIdx++];
-
-    if (b != ASN_BIT_STRING)
-        return ASN_BITSTR_E;
-
-    if (GetLength(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
-        return ASN_PARSE_E;
+    int length;
+    int ret;
+    ret = CheckBitString(cert->source, &cert->srcIdx, &length, cert->maxIdx, 1,
+                         NULL);
+    if (ret != 0)
+        return ret;
 
     cert->sigLength = length;
-
-    b = cert->source[cert->srcIdx++];
-    if (b != 0x00)
-        return ASN_EXPECT_0_E;
-
-    cert->sigLength--;
     cert->signature = &cert->source[cert->srcIdx];
     cert->srcIdx += cert->sigLength;
 
     return 0;
 }
 
+static word32 SetOctetString8Bit(word32 len, byte* output)
+{
+    output[0] = ASN_OCTET_STRING;
+    output[1] = (byte)len;
+    return 2;
+}
 
 static word32 SetDigest(const byte* digest, word32 digSz, byte* output)
 {
-    output[0] = ASN_OCTET_STRING;
-    output[1] = (byte)digSz;
-    XMEMCPY(&output[2], digest, digSz);
+    word32 idx = SetOctetString8Bit(digSz, output);
+    XMEMCPY(&output[idx], digest, digSz);
 
-    return digSz + 2;
-} 
+    return idx + digSz;
+}
 
 
 static word32 BytePrecision(word32 value)
@@ -2575,17 +6679,23 @@ static word32 BytePrecision(word32 value)
 }
 
 
-WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
+word32 SetLength(word32 length, byte* output)
 {
     word32 i = 0, j;
 
-    if (length < ASN_LONG_LENGTH)
-        output[i++] = (byte)length;
+    if (length < ASN_LONG_LENGTH) {
+        if (output)
+            output[i] = (byte)length;
+        i++;
+    }
     else {
-        output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
-      
+        if (output)
+            output[i] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
+        i++;
+
         for (j = BytePrecision(length); j; --j) {
-            output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
+            if (output)
+                output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
             i++;
         }
     }
@@ -2593,27 +6703,27 @@ WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
     return i;
 }
 
-
-WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
+word32 SetSequence(word32 len, byte* output)
 {
-    output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
-    return SetLength(len, output + 1) + 1;
+    if (output)
+        output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
+    return SetLength(len, output ? output + 1 : NULL) + 1;
 }
 
-WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
+word32 SetOctetString(word32 len, byte* output)
 {
     output[0] = ASN_OCTET_STRING;
     return SetLength(len, output + 1) + 1;
 }
 
 /* Write a set header to output */
-WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output)
+word32 SetSet(word32 len, byte* output)
 {
     output[0] = ASN_SET | ASN_CONSTRUCTED;
     return SetLength(len, output + 1) + 1;
 }
 
-WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
+word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
 {
 
     output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
@@ -2621,323 +6731,121 @@ WOLFSSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output
     return SetLength(len, output + 1) + 1;
 }
 
-WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
+word32 SetExplicit(byte number, word32 len, byte* output)
 {
     output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number;
     return SetLength(len, output + 1) + 1;
 }
 
 
-#if defined(HAVE_ECC) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN))
+#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
 
-static word32 SetCurve(ecc_key* key, byte* output)
+static int SetCurve(ecc_key* key, byte* output)
 {
-
-    /* curve types */
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
-    static const byte ECC_192v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
-                                             0x03, 0x01, 0x01};
-#endif
-#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
-    static const byte ECC_256v1_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
-                                            0x03, 0x01, 0x07};
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
-    static const byte ECC_160r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
-                                             0x02};
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
-    static const byte ECC_224r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
-                                             0x21};
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
-    static const byte ECC_384r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
-                                             0x22};
-#endif
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
-    static const byte ECC_521r1_AlgoID[] = { 0x2b, 0x81, 0x04, 0x00,
-                                             0x23};
-#endif
-
-    int    oidSz = 0;
-    int    idx = 0;
-    int    lenSz = 0;
-    const  byte* oid = 0;
-
-    output[0] = ASN_OBJECT_ID;
-    idx++;
-
-    switch (key->dp->size) {
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
-        case 20:
-            oidSz = sizeof(ECC_160r1_AlgoID);
-            oid   =        ECC_160r1_AlgoID;
-            break;
-#endif
-
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
-        case 24:
-            oidSz = sizeof(ECC_192v1_AlgoID);
-            oid   =        ECC_192v1_AlgoID;
-            break;
-#endif
-
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
-        case 28:
-            oidSz = sizeof(ECC_224r1_AlgoID);
-            oid   =        ECC_224r1_AlgoID;
-            break;
+#ifdef HAVE_OID_ENCODING
+    int ret;
 #endif
+    int idx = 0;
+    word32 oidSz = 0;
 
-#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
-        case 32:
-            oidSz = sizeof(ECC_256v1_AlgoID);
-            oid   =        ECC_256v1_AlgoID;
-            break;
-#endif
+    /* validate key */
+    if (key == NULL || key->dp == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
-        case 48:
-            oidSz = sizeof(ECC_384r1_AlgoID);
-            oid   =        ECC_384r1_AlgoID;
-            break;
+#ifdef HAVE_OID_ENCODING
+    ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, NULL, &oidSz);
+    if (ret != 0) {
+        return ret;
+    }
+#else
+    oidSz = key->dp->oidSz;
 #endif
 
-#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
-        case 66:
-            oidSz = sizeof(ECC_521r1_AlgoID);
-            oid   =        ECC_521r1_AlgoID;
-            break;
-#endif
+    idx += SetObjectId(oidSz, output);
 
-        default:
-            return ASN_UNKNOWN_OID_E;
+#ifdef HAVE_OID_ENCODING
+    ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
+    if (ret != 0) {
+        return ret;
     }
-    lenSz = SetLength(oidSz, output+idx);
-    idx += lenSz;
-
-    XMEMCPY(output+idx, oid, oidSz);
+#else
+    XMEMCPY(output+idx, key->dp->oid, oidSz);
+#endif
     idx += oidSz;
 
     return idx;
 }
 
-#endif /* HAVE_ECC && WOLFSSL_CERT_GEN */
+#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */
 
 
-WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
+#ifdef HAVE_ECC
+static WC_INLINE int IsSigAlgoECDSA(int algoOID)
 {
-    /* adding TAG_NULL and 0 to end */
-    
-    /* hashTypes */
-    static const byte shaAlgoID[]    = { 0x2b, 0x0e, 0x03, 0x02, 0x1a,
-                                         0x05, 0x00 };
-    static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-                                         0x04, 0x02, 0x01, 0x05, 0x00 };
-    static const byte sha384AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-                                         0x04, 0x02, 0x02, 0x05, 0x00 };
-    static const byte sha512AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-                                         0x04, 0x02, 0x03, 0x05, 0x00 };
-    static const byte md5AlgoID[]    = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                         0x02, 0x05, 0x05, 0x00  };
-    static const byte md2AlgoID[]    = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                         0x02, 0x02, 0x05, 0x00};
-
-    /* blkTypes, no NULL tags because IV is there instead */
-    static const byte desCbcAlgoID[]  = { 0x2B, 0x0E, 0x03, 0x02, 0x07 };
-    static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
-                                          0x0D, 0x03, 0x07 };
-
-    /* RSA sigTypes */
-    #ifndef NO_RSA
-        static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x04, 0x05, 0x00};
-        static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x05, 0x05, 0x00};
-        static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00};
-        static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00};
-        static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00};
-    #endif /* NO_RSA */
- 
-    /* ECDSA sigTypes */
-    #ifdef HAVE_ECC 
-        static const byte shawECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
-                                                 0x04, 0x01, 0x05, 0x00};
-        static const byte sha256wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
-                                                 0x04, 0x03, 0x02, 0x05, 0x00};
-        static const byte sha384wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
-                                                 0x04, 0x03, 0x03, 0x05, 0x00};
-        static const byte sha512wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
-                                                 0x04, 0x03, 0x04, 0x05, 0x00};
-    #endif /* HAVE_ECC */
- 
-    /* RSA keyType */
-    #ifndef NO_RSA
-        static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                            0x01, 0x01, 0x01, 0x05, 0x00};
-    #endif /* NO_RSA */
+    /* ECDSA sigAlgo must not have ASN1 NULL parameters */
+    if (algoOID == CTC_SHAwECDSA || algoOID == CTC_SHA256wECDSA ||
+        algoOID == CTC_SHA384wECDSA || algoOID == CTC_SHA512wECDSA) {
+        return 1;
+    }
 
-    #ifdef HAVE_ECC 
-        /* ECC keyType */
-        /* no tags, so set tagSz smaller later */
-        static const byte ECC_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
-                                           0x02, 0x01};
-    #endif /* HAVE_ECC */
+    return 0;
+}
+#endif
 
-    int    algoSz = 0;
-    int    tagSz  = 2;   /* tag null and terminator */
-    word32 idSz, seqSz;
+word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
+{
+    word32 tagSz, idSz, seqSz, algoSz = 0;
     const  byte* algoName = 0;
-    byte ID_Length[MAX_LENGTH_SZ];
-    byte seqArray[MAX_SEQ_SZ + 1];  /* add object_id to end */
-
-    if (type == hashType) {
-        switch (algoOID) {
-        case SHAh:
-            algoSz = sizeof(shaAlgoID);
-            algoName = shaAlgoID;
-            break;
-
-        case SHA256h:
-            algoSz = sizeof(sha256AlgoID);
-            algoName = sha256AlgoID;
-            break;
-
-        case SHA384h:
-            algoSz = sizeof(sha384AlgoID);
-            algoName = sha384AlgoID;
-            break;
-
-        case SHA512h:
-            algoSz = sizeof(sha512AlgoID);
-            algoName = sha512AlgoID;
-            break;
+    byte   ID_Length[1 + MAX_LENGTH_SZ];
+    byte   seqArray[MAX_SEQ_SZ + 1];  /* add object_id to end */
+    int    length = 0;
+
+    tagSz = (type == oidHashType ||
+             (type == oidSigType
+        #ifdef HAVE_ECC
+              && !IsSigAlgoECDSA(algoOID)
+        #endif
+        #ifdef HAVE_ED25519
+              && algoOID != ED25519k
+        #endif
+        #ifdef HAVE_ED448
+              && algoOID != ED448k
+        #endif
+              ) ||
+             (type == oidKeyType && algoOID == RSAk)) ? 2 : 0;
 
-        case MD2h:
-            algoSz = sizeof(md2AlgoID);
-            algoName = md2AlgoID;
-            break;
+    algoName = OidFromId(algoOID, type, &algoSz);
 
-        case MD5h:
-            algoSz = sizeof(md5AlgoID);
-            algoName = md5AlgoID;
-            break;
-
-        default:
-            WOLFSSL_MSG("Unknown Hash Algo");
-            return 0;  /* UNKOWN_HASH_E; */
-        }
-    }
-    else if (type == blkType) {
-        switch (algoOID) {
-        case DESb:
-            algoSz = sizeof(desCbcAlgoID);
-            algoName = desCbcAlgoID;
-            tagSz = 0;
-            break;
-        case DES3b:
-            algoSz = sizeof(des3CbcAlgoID);
-            algoName = des3CbcAlgoID;
-            tagSz = 0;
-            break;
-        default:
-            WOLFSSL_MSG("Unknown Block Algo");
-            return 0;
-        }
+    if (algoName == NULL) {
+        WOLFSSL_MSG("Unknown Algorithm");
+        return 0;
     }
-    else if (type == sigType) {    /* sigType */
-        switch (algoOID) {
-        #ifndef NO_RSA
-            case CTC_MD5wRSA:
-                algoSz = sizeof(md5wRSA_AlgoID);
-                algoName = md5wRSA_AlgoID;
-                break;
 
-            case CTC_SHAwRSA:
-                algoSz = sizeof(shawRSA_AlgoID);
-                algoName = shawRSA_AlgoID;
-                break;
-
-            case CTC_SHA256wRSA:
-                algoSz = sizeof(sha256wRSA_AlgoID);
-                algoName = sha256wRSA_AlgoID;
-                break;
-
-            case CTC_SHA384wRSA:
-                algoSz = sizeof(sha384wRSA_AlgoID);
-                algoName = sha384wRSA_AlgoID;
-                break;
-
-            case CTC_SHA512wRSA:
-                algoSz = sizeof(sha512wRSA_AlgoID);
-                algoName = sha512wRSA_AlgoID;
-                break;
-        #endif /* NO_RSA */
-        #ifdef HAVE_ECC 
-            case CTC_SHAwECDSA:
-                algoSz = sizeof(shawECDSA_AlgoID);
-                algoName = shawECDSA_AlgoID;
-                break;
-
-            case CTC_SHA256wECDSA:
-                algoSz = sizeof(sha256wECDSA_AlgoID);
-                algoName = sha256wECDSA_AlgoID;
-                break;
-
-            case CTC_SHA384wECDSA:
-                algoSz = sizeof(sha384wECDSA_AlgoID);
-                algoName = sha384wECDSA_AlgoID;
-                break;
+    idSz  = SetObjectId(algoSz, ID_Length);
+    seqSz = SetSequence(idSz + algoSz + tagSz + curveSz, seqArray);
 
-            case CTC_SHA512wECDSA:
-                algoSz = sizeof(sha512wECDSA_AlgoID);
-                algoName = sha512wECDSA_AlgoID;
-                break;
-        #endif /* HAVE_ECC */
-        default:
-            WOLFSSL_MSG("Unknown Signature Algo");
-            return 0;
-        }
-    }
-    else if (type == keyType) {    /* keyType */
-        switch (algoOID) {
-        #ifndef NO_RSA
-            case RSAk:
-                algoSz = sizeof(RSA_AlgoID);
-                algoName = RSA_AlgoID;
-                break;
-        #endif /* NO_RSA */
-        #ifdef HAVE_ECC 
-            case ECDSAk:
-                algoSz = sizeof(ECC_AlgoID);
-                algoName = ECC_AlgoID;
-                tagSz = 0;
-                break;
-        #endif /* HAVE_ECC */
-        default:
-            WOLFSSL_MSG("Unknown Key Algo");
-            return 0;
-        }
+    /* Copy only algo to output for DSA keys */
+    if (algoOID == DSAk && output) {
+        XMEMCPY(output, ID_Length, idSz);
+        XMEMCPY(output + idSz, algoName, algoSz);
+        if (tagSz == 2)
+            SetASNNull(&output[seqSz + idSz + algoSz]);
     }
-    else {
-        WOLFSSL_MSG("Unknown Algo type");
-        return 0;
+    else if (output) {
+        XMEMCPY(output, seqArray, seqSz);
+        XMEMCPY(output + seqSz, ID_Length, idSz);
+        XMEMCPY(output + seqSz + idSz, algoName, algoSz);
+        if (tagSz == 2)
+            SetASNNull(&output[seqSz + idSz + algoSz]);
     }
 
-    idSz  = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */
-    seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray); 
-                 /* +1 for object id, curveID of curveSz follows for ecc */
-    seqArray[seqSz++] = ASN_OBJECT_ID;
-
-    XMEMCPY(output, seqArray, seqSz);
-    XMEMCPY(output + seqSz, ID_Length, idSz);
-    XMEMCPY(output + seqSz + idSz, algoName, algoSz);
-
-    return seqSz + idSz + algoSz;
+    if (algoOID == DSAk)
+        length = idSz + algoSz + tagSz;
+    else
+        length = seqSz + idSz + algoSz + tagSz;
 
+    return length;
 }
 
 
@@ -2950,7 +6858,7 @@ word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
     word32 encDigSz, algoSz, seqSz;
 
     encDigSz = SetDigest(digest, digSz, digArray);
-    algoSz   = SetAlgoID(hashOID, algoArray, hashType, 0);
+    algoSz   = SetAlgoID(hashOID, algoArray, oidHashType, 0);
     seqSz    = SetSequence(encDigSz + algoSz, seqArray);
 
     XMEMCPY(out, seqArray, seqSz);
@@ -2961,288 +6869,569 @@ word32 wc_EncodeSignature(byte* out, const byte* digest, word32 digSz,
 }
 
 
+#ifndef NO_CERTS
+
 int wc_GetCTC_HashOID(int type)
 {
-    switch (type) {
-#ifdef WOLFSSL_MD2
-        case MD2:
-            return MD2h;
-#endif
-#ifndef NO_MD5
-        case MD5:
-            return MD5h;
-#endif
-#ifndef NO_SHA
-        case SHA:
-            return SHAh;
-#endif
-#ifndef NO_SHA256
-        case SHA256:
-            return SHA256h;
-#endif
-#ifdef WOLFSSL_SHA384
-        case SHA384:
-            return SHA384h;
-#endif
-#ifdef WOLFSSL_SHA512
-        case SHA512:
-            return SHA512h;
-#endif
-        default:
-            return 0;
-    };
+    int ret;
+    enum wc_HashType hType;
+
+    hType = wc_HashTypeConvert(type);
+    ret = wc_HashGetOID(hType);
+    if (ret < 0)
+        ret = 0; /* backwards compatibility */
+
+    return ret;
 }
 
+void InitSignatureCtx(SignatureCtx* sigCtx, void* heap, int devId)
+{
+    if (sigCtx) {
+        XMEMSET(sigCtx, 0, sizeof(SignatureCtx));
+        sigCtx->devId = devId;
+        sigCtx->heap = heap;
+    }
+}
 
-/* return true (1) or false (0) for Confirmation */
-static int ConfirmSignature(const byte* buf, word32 bufSz,
-    const byte* key, word32 keySz, word32 keyOID,
-    const byte* sig, word32 sigSz, word32 sigOID,
-    void* heap)
+void FreeSignatureCtx(SignatureCtx* sigCtx)
 {
-    int  typeH = 0, digestSz = 0, ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* digest;
-#else
-    byte digest[MAX_DIGEST_SIZE];
-#endif
+    if (sigCtx == NULL)
+        return;
 
-#ifdef WOLFSSL_SMALL_STACK
-    digest = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (digest == NULL)
-        return 0; /* not confirmed */
+    if (sigCtx->digest) {
+        XFREE(sigCtx->digest, sigCtx->heap, DYNAMIC_TYPE_DIGEST);
+        sigCtx->digest = NULL;
+    }
+#ifndef NO_RSA
+    if (sigCtx->plain) {
+        XFREE(sigCtx->plain, sigCtx->heap, DYNAMIC_TYPE_SIGNATURE);
+        sigCtx->plain = NULL;
+    }
+#endif
+#ifndef NO_ASN_CRYPT
+    if (sigCtx->key.ptr) {
+        switch (sigCtx->keyOID) {
+        #ifndef NO_RSA
+            case RSAk:
+                wc_FreeRsaKey(sigCtx->key.rsa);
+                XFREE(sigCtx->key.ptr, sigCtx->heap, DYNAMIC_TYPE_RSA);
+                break;
+        #endif /* !NO_RSA */
+        #ifdef HAVE_ECC
+            case ECDSAk:
+                wc_ecc_free(sigCtx->key.ecc);
+                XFREE(sigCtx->key.ecc, sigCtx->heap, DYNAMIC_TYPE_ECC);
+                break;
+        #endif /* HAVE_ECC */
+        #ifdef HAVE_ED25519
+            case ED25519k:
+                wc_ed25519_free(sigCtx->key.ed25519);
+                XFREE(sigCtx->key.ed25519, sigCtx->heap, DYNAMIC_TYPE_ED25519);
+                break;
+        #endif /* HAVE_ED25519 */
+        #ifdef HAVE_ED448
+            case ED448k:
+                wc_ed448_free(sigCtx->key.ed448);
+                XFREE(sigCtx->key.ed448, sigCtx->heap, DYNAMIC_TYPE_ED448);
+                break;
+        #endif /* HAVE_ED448 */
+            default:
+                break;
+        } /* switch (keyOID) */
+        sigCtx->key.ptr = NULL;
+    }
 #endif
 
-    (void)key;
-    (void)keySz;
-    (void)sig;
-    (void)sigSz;
-    (void)heap;
+    /* reset state, we are done */
+    sigCtx->state = SIG_STATE_BEGIN;
+}
+
+#ifndef NO_ASN_CRYPT
+static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
+                            byte* digest, int* typeH, int* digestSz, int verify)
+{
+    int ret = 0;
+
+    (void)verify;
 
     switch (sigOID) {
-    #ifndef NO_MD5
-        case CTC_MD5wRSA:
-        if (wc_Md5Hash(buf, bufSz, digest) == 0) {
-            typeH    = MD5h;
-            digestSz = MD5_DIGEST_SIZE;
-        }
-        break;
-    #endif
     #if defined(WOLFSSL_MD2)
         case CTC_MD2wRSA:
-        if (wc_Md2Hash(buf, bufSz, digest) == 0) {
-            typeH    = MD2h;
-            digestSz = MD2_DIGEST_SIZE;
-        }
+            if (!verify) {
+                ret = HASH_TYPE_E;
+                WOLFSSL_MSG("MD2 not supported for signing");
+            }
+            else if ((ret = wc_Md2Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = MD2h;
+                *digestSz = MD2_DIGEST_SIZE;
+            }
         break;
     #endif
+    #ifndef NO_MD5
+        case CTC_MD5wRSA:
+            if ((ret = wc_Md5Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = MD5h;
+                *digestSz = WC_MD5_DIGEST_SIZE;
+            }
+            break;
+    #endif
     #ifndef NO_SHA
         case CTC_SHAwRSA:
         case CTC_SHAwDSA:
         case CTC_SHAwECDSA:
-        if (wc_ShaHash(buf, bufSz, digest) == 0) {    
-            typeH    = SHAh;
-            digestSz = SHA_DIGEST_SIZE;                
-        }
-        break;
+            if ((ret = wc_ShaHash(buf, bufSz, digest)) == 0) {
+                *typeH    = SHAh;
+                *digestSz = WC_SHA_DIGEST_SIZE;
+            }
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA224
+        case CTC_SHA224wRSA:
+        case CTC_SHA224wECDSA:
+            if ((ret = wc_Sha224Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = SHA224h;
+                *digestSz = WC_SHA224_DIGEST_SIZE;
+            }
+            break;
     #endif
     #ifndef NO_SHA256
         case CTC_SHA256wRSA:
         case CTC_SHA256wECDSA:
-        if (wc_Sha256Hash(buf, bufSz, digest) == 0) {    
-            typeH    = SHA256h;
-            digestSz = SHA256_DIGEST_SIZE;
-        }
-        break;
+            if ((ret = wc_Sha256Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = SHA256h;
+                *digestSz = WC_SHA256_DIGEST_SIZE;
+            }
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA384
+        case CTC_SHA384wRSA:
+        case CTC_SHA384wECDSA:
+            if ((ret = wc_Sha384Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = SHA384h;
+                *digestSz = WC_SHA384_DIGEST_SIZE;
+            }
+            break;
     #endif
     #ifdef WOLFSSL_SHA512
         case CTC_SHA512wRSA:
         case CTC_SHA512wECDSA:
-        if (wc_Sha512Hash(buf, bufSz, digest) == 0) {    
-            typeH    = SHA512h;
-            digestSz = SHA512_DIGEST_SIZE;
-        }
-        break;
+            if ((ret = wc_Sha512Hash(buf, bufSz, digest)) == 0) {
+                *typeH    = SHA512h;
+                *digestSz = WC_SHA512_DIGEST_SIZE;
+            }
+            break;
     #endif
-    #ifdef WOLFSSL_SHA384
-        case CTC_SHA384wRSA:
-        case CTC_SHA384wECDSA:
-        if (wc_Sha384Hash(buf, bufSz, digest) == 0) {    
-            typeH    = SHA384h;
-            digestSz = SHA384_DIGEST_SIZE;
-        }            
-        break;
+    #ifdef HAVE_ED25519
+        case CTC_ED25519:
+            /* Hashes done in signing operation.
+             * Two dependent hashes with prefixes performed.
+             */
+            break;
+    #endif
+    #ifdef HAVE_ED448
+        case CTC_ED448:
+            /* Hashes done in signing operation.
+             * Two dependent hashes with prefixes performed.
+             */
+            break;
     #endif
         default:
-            WOLFSSL_MSG("Verify Signautre has unsupported type");
+            ret = HASH_TYPE_E;
+            WOLFSSL_MSG("Hash for Signature has unsupported type");
     }
-    
-    if (typeH == 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif /* !NO_ASN_CRYPT */
+
+/* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
+static int ConfirmSignature(SignatureCtx* sigCtx,
+    const byte* buf, word32 bufSz,
+    const byte* key, word32 keySz, word32 keyOID,
+    const byte* sig, word32 sigSz, word32 sigOID, byte* rsaKeyIdx)
+{
+    int ret = 0;
+#ifndef WOLFSSL_RENESAS_TSIP_TLS
+    (void)rsaKeyIdx;
 #endif
-        return 0; /* not confirmed */
+    if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL ||
+        keySz == 0 || sig == NULL || sigSz == 0) {
+        return BAD_FUNC_ARG;
     }
 
-    switch (keyOID) {
-    #ifndef NO_RSA
-        case RSAk:
+    (void)key;
+    (void)keySz;
+    (void)sig;
+    (void)sigSz;
+
+    WOLFSSL_ENTER("ConfirmSignature");
+
+#ifndef NO_ASN_CRYPT
+    switch (sigCtx->state) {
+        case SIG_STATE_BEGIN:
         {
-            word32 idx = 0;
-            int    encodedSigSz, verifySz;
-            byte*  out;
-#ifdef WOLFSSL_SMALL_STACK
-            RsaKey* pubKey;
-            byte* plain;
-            byte* encodedSig;
-#else
-            RsaKey pubKey[1];
-            byte plain[MAX_ENCODED_SIG_SZ];
-            byte encodedSig[MAX_ENCODED_SIG_SZ];
-#endif
+            sigCtx->keyOID = keyOID; /* must set early for cleanup */
 
-#ifdef WOLFSSL_SMALL_STACK
-            pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-            plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-            encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-            
-            if (pubKey == NULL || plain == NULL || encodedSig == NULL) {
-                WOLFSSL_MSG("Failed to allocate memory at ConfirmSignature");
-                
-                if (pubKey)
-                    XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                if (plain)
-                    XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                if (encodedSig)
-                    XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                
-                break; /* not confirmed */
+            sigCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, sigCtx->heap,
+                                                    DYNAMIC_TYPE_DIGEST);
+            if (sigCtx->digest == NULL) {
+                ERROR_OUT(MEMORY_E, exit_cs);
             }
-#endif
 
-            if (sigSz > MAX_ENCODED_SIG_SZ) {
-                WOLFSSL_MSG("Verify Signautre is too big");
+            sigCtx->state = SIG_STATE_HASH;
+        } /* SIG_STATE_BEGIN */
+        FALL_THROUGH;
+
+        case SIG_STATE_HASH:
+        {
+            ret = HashForSignature(buf, bufSz, sigOID, sigCtx->digest,
+                                   &sigCtx->typeH, &sigCtx->digestSz, 1);
+            if (ret != 0) {
+                goto exit_cs;
             }
-            else if (wc_InitRsaKey(pubKey, heap) != 0) {
-                WOLFSSL_MSG("InitRsaKey failed");
+
+            sigCtx->state = SIG_STATE_KEY;
+        } /* SIG_STATE_HASH */
+        FALL_THROUGH;
+
+        case SIG_STATE_KEY:
+        {
+            switch (keyOID) {
+            #ifndef NO_RSA
+                case RSAk:
+                {
+                    word32 idx = 0;
+
+                    sigCtx->key.rsa = (RsaKey*)XMALLOC(sizeof(RsaKey),
+                                                sigCtx->heap, DYNAMIC_TYPE_RSA);
+                    sigCtx->plain = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
+                                         sigCtx->heap, DYNAMIC_TYPE_SIGNATURE);
+                    if (sigCtx->key.rsa == NULL || sigCtx->plain == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_cs);
+                    }
+                    if ((ret = wc_InitRsaKey_ex(sigCtx->key.rsa, sigCtx->heap,
+                                                        sigCtx->devId)) != 0) {
+                        goto exit_cs;
+                    }
+                    if (sigSz > MAX_ENCODED_SIG_SZ) {
+                        WOLFSSL_MSG("Verify Signature is too big");
+                        ERROR_OUT(BUFFER_E, exit_cs);
+                    }
+                    if ((ret = wc_RsaPublicKeyDecode(key, &idx, sigCtx->key.rsa,
+                                                                 keySz)) != 0) {
+                        WOLFSSL_MSG("ASN Key decode error RSA");
+                        goto exit_cs;
+                    }
+                    XMEMCPY(sigCtx->plain, sig, sigSz);
+                    sigCtx->out = NULL;
+
+                #ifdef WOLFSSL_ASYNC_CRYPT
+                    sigCtx->asyncDev = &sigCtx->key.rsa->asyncDev;
+                #endif
+                    break;
+                }
+            #endif /* !NO_RSA */
+            #ifdef HAVE_ECC
+                case ECDSAk:
+                {
+                    word32 idx = 0;
+
+                    sigCtx->verify = 0;
+                    sigCtx->key.ecc = (ecc_key*)XMALLOC(sizeof(ecc_key),
+                                                sigCtx->heap, DYNAMIC_TYPE_ECC);
+                    if (sigCtx->key.ecc == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_cs);
+                    }
+                    if ((ret = wc_ecc_init_ex(sigCtx->key.ecc, sigCtx->heap,
+                                                          sigCtx->devId)) < 0) {
+                        goto exit_cs;
+                    }
+                    ret = wc_EccPublicKeyDecode(key, &idx, sigCtx->key.ecc,
+                                                                         keySz);
+                    if (ret < 0) {
+                        WOLFSSL_MSG("ASN Key import error ECC");
+                        goto exit_cs;
+                    }
+                #ifdef WOLFSSL_ASYNC_CRYPT
+                    sigCtx->asyncDev = &sigCtx->key.ecc->asyncDev;
+                #endif
+                    break;
+                }
+            #endif /* HAVE_ECC */
+            #ifdef HAVE_ED25519
+                case ED25519k:
+                {
+                    sigCtx->verify = 0;
+                    sigCtx->key.ed25519 = (ed25519_key*)XMALLOC(
+                                              sizeof(ed25519_key), sigCtx->heap,
+                                              DYNAMIC_TYPE_ED25519);
+                    if (sigCtx->key.ed25519 == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_cs);
+                    }
+                    if ((ret = wc_ed25519_init(sigCtx->key.ed25519)) < 0) {
+                        goto exit_cs;
+                    }
+                    if ((ret = wc_ed25519_import_public(key, keySz,
+                                                    sigCtx->key.ed25519)) < 0) {
+                        WOLFSSL_MSG("ASN Key import error ED25519");
+                        goto exit_cs;
+                    }
+                #ifdef WOLFSSL_ASYNC_CRYPT
+                    sigCtx->asyncDev = &sigCtx->key.ed25519->asyncDev;
+                #endif
+                    break;
+                }
+            #endif
+            #ifdef HAVE_ED448
+                case ED448k:
+                {
+                    sigCtx->verify = 0;
+                    sigCtx->key.ed448 = (ed448_key*)XMALLOC(
+                                                sizeof(ed448_key), sigCtx->heap,
+                                                DYNAMIC_TYPE_ED448);
+                    if (sigCtx->key.ed448 == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_cs);
+                    }
+                    if ((ret = wc_ed448_init(sigCtx->key.ed448)) < 0) {
+                        goto exit_cs;
+                    }
+                    if ((ret = wc_ed448_import_public(key, keySz,
+                                                      sigCtx->key.ed448)) < 0) {
+                        WOLFSSL_MSG("ASN Key import error ED448");
+                        goto exit_cs;
+                    }
+                #ifdef WOLFSSL_ASYNC_CRYPT
+                    sigCtx->asyncDev = &sigCtx->key.ed448->asyncDev;
+                #endif
+                    break;
+                }
+            #endif
+                default:
+                    WOLFSSL_MSG("Verify Key type unknown");
+                    ret = ASN_UNKNOWN_OID_E;
+                    break;
+            } /* switch (keyOID) */
+
+            if (ret != 0) {
+                goto exit_cs;
             }
-            else if (wc_RsaPublicKeyDecode(key, &idx, pubKey, keySz) < 0) {
-                WOLFSSL_MSG("ASN Key decode error RSA");
+
+            sigCtx->state = SIG_STATE_DO;
+
+        #ifdef WOLFSSL_ASYNC_CRYPT
+            if (sigCtx->devId != INVALID_DEVID && sigCtx->asyncDev && sigCtx->asyncCtx) {
+                /* make sure event is initialized */
+                WOLF_EVENT* event = &sigCtx->asyncDev->event;
+                ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL,
+                    sigCtx->asyncCtx, WC_ASYNC_FLAG_CALL_AGAIN);
             }
-            else {
-                XMEMCPY(plain, sig, sigSz);
+        #endif
+        } /* SIG_STATE_KEY */
+        FALL_THROUGH;
 
-                if ((verifySz = wc_RsaSSL_VerifyInline(plain, sigSz, &out,
-                                                                 pubKey)) < 0) {
-                    WOLFSSL_MSG("Rsa SSL verify error");
+        case SIG_STATE_DO:
+        {
+            switch (keyOID) {
+            #ifndef NO_RSA
+                case RSAk:
+                {
+                #ifdef HAVE_PK_CALLBACKS
+                    if (sigCtx->pkCbRsa) {
+                        ret = sigCtx->pkCbRsa(
+                                sigCtx->plain, sigSz, &sigCtx->out,
+                                key, keySz,
+                                sigCtx->pkCtxRsa);
+                    }
+                    else
+                #endif /* HAVE_PK_CALLBACKS */
+                    {
+                     #ifdef WOLFSSL_RENESAS_TSIP_TLS
+                        if (rsaKeyIdx != NULL)
+                        {
+                            ret = tsip_tls_CertVerify(buf, bufSz, sigCtx->plain,
+                                sigSz,
+                                sigCtx->pubkey_n_start - sigCtx->certBegin,
+                                sigCtx->pubkey_n_len - 1,
+                                sigCtx->pubkey_e_start - sigCtx->certBegin,
+                                sigCtx->pubkey_e_len - 1,
+                                rsaKeyIdx);
+
+                            if (ret == 0){
+                                sigCtx->verifyByTSIP = 1;
+                                ret = 0;
+                            } else {
+                                WOLFSSL_MSG("RSA Verify by tsip didn't match");
+                                ret = ASN_SIG_CONFIRM_E;
+                            }
+                        } else
+                    #endif
+                        ret = wc_RsaSSL_VerifyInline(sigCtx->plain, sigSz,
+                                                 &sigCtx->out, sigCtx->key.rsa);
+                    }
+                    break;
                 }
-                else {
-                    /* make sure we're right justified */
-                    encodedSigSz =
-                        wc_EncodeSignature(encodedSig, digest, digestSz, typeH);
-                    if (encodedSigSz != verifySz ||
-                                XMEMCMP(out, encodedSig, encodedSigSz) != 0) {
-                        WOLFSSL_MSG("Rsa SSL verify match encode error");
+            #endif /* !NO_RSA */
+            #if defined(HAVE_ECC)
+                case ECDSAk:
+                {
+                #ifdef HAVE_PK_CALLBACKS
+                    if (sigCtx->pkCbEcc) {
+                        ret = sigCtx->pkCbEcc(
+                                sig, sigSz,
+                                sigCtx->digest, sigCtx->digestSz,
+                                key, keySz, &sigCtx->verify,
+                                sigCtx->pkCtxEcc);
                     }
                     else
-                        ret = 1; /* match */
-
-                    #ifdef WOLFSSL_DEBUG_ENCODING
+                #endif /* HAVE_PK_CALLBACKS */
                     {
-                        int x;
-
-                        printf("wolfssl encodedSig:\n");
+                        ret = wc_ecc_verify_hash(sig, sigSz, sigCtx->digest,
+                                            sigCtx->digestSz, &sigCtx->verify,
+                                            sigCtx->key.ecc);
+                    }
+                    break;
+                }
+            #endif /* HAVE_ECC */
+            #ifdef HAVE_ED25519
+                case ED25519k:
+                {
+                    ret = wc_ed25519_verify_msg(sig, sigSz, buf, bufSz,
+                                          &sigCtx->verify, sigCtx->key.ed25519);
+                    break;
+                }
+            #endif
+            #ifdef HAVE_ED448
+                case ED448k:
+                {
+                    ret = wc_ed448_verify_msg(sig, sigSz, buf, bufSz,
+                                             &sigCtx->verify, sigCtx->key.ed448,
+                                             NULL, 0);
+                    break;
+                }
+            #endif
+                default:
+                    break;
+            }  /* switch (keyOID) */
 
-                        for (x = 0; x < encodedSigSz; x++) {
-                            printf("%02x ", encodedSig[x]);
-                            if ( (x % 16) == 15)
-                                printf("\n");
-                        }
+        #ifdef WOLFSSL_ASYNC_CRYPT
+            if (ret == WC_PENDING_E) {
+                goto exit_cs;
+            }
+        #endif
 
-                        printf("\n");
-                        printf("actual digest:\n");
+            if (ret < 0) {
+                /* treat all RSA errors as ASN_SIG_CONFIRM_E */
+                ret = ASN_SIG_CONFIRM_E;
+                goto exit_cs;
+            }
 
-                        for (x = 0; x < verifySz; x++) {
-                            printf("%02x ", out[x]);
-                            if ( (x % 16) == 15)
-                                printf("\n");
-                        }
+            sigCtx->state = SIG_STATE_CHECK;
+        } /* SIG_STATE_DO */
+        FALL_THROUGH;
 
-                        printf("\n");
+        case SIG_STATE_CHECK:
+        {
+            switch (keyOID) {
+            #ifndef NO_RSA
+                case RSAk:
+                {
+                    int encodedSigSz, verifySz;
+                #ifdef WOLFSSL_RENESAS_TSIP
+                    if (sigCtx->verifyByTSIP == 1) break;
+                #endif
+                #ifdef WOLFSSL_SMALL_STACK
+                    byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
+                                        sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    if (encodedSig == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_cs);
                     }
-                    #endif /* WOLFSSL_DEBUG_ENCODING */
+                #else
+                    byte encodedSig[MAX_ENCODED_SIG_SZ];
+                #endif
 
-                }
+                    verifySz = ret;
 
-            }
+                    /* make sure we're right justified */
+                    encodedSigSz = wc_EncodeSignature(encodedSig,
+                            sigCtx->digest, sigCtx->digestSz, sigCtx->typeH);
+                    if (encodedSigSz == verifySz && sigCtx->out != NULL &&
+                        XMEMCMP(sigCtx->out, encodedSig, encodedSigSz) == 0) {
+                        ret = 0;
+                    }
+                    else {
+                        WOLFSSL_MSG("RSA SSL verify match encode error");
+                        ret = ASN_SIG_CONFIRM_E;
+                    }
 
-            wc_FreeRsaKey(pubKey);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encodedSig, sigCtx->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                #endif
+                    break;
+                }
+            #endif /* NO_RSA */
+            #ifdef HAVE_ECC
+                case ECDSAk:
+                {
+                    if (sigCtx->verify == 1) {
+                        ret = 0;
+                    }
+                    else {
+                        WOLFSSL_MSG("ECC Verify didn't match");
+                        ret = ASN_SIG_CONFIRM_E;
+                    }
+                    break;
+                }
+            #endif /* HAVE_ECC */
+            #ifdef HAVE_ED25519
+                case ED25519k:
+                {
+                    if (sigCtx->verify == 1) {
+                        ret = 0;
+                    }
+                    else {
+                        WOLFSSL_MSG("ED25519 Verify didn't match");
+                        ret = ASN_SIG_CONFIRM_E;
+                    }
+                    break;
+                }
+            #endif /* HAVE_ED25519 */
+            #ifdef HAVE_ED448
+                case ED448k:
+                {
+                    if (sigCtx->verify == 1) {
+                        ret = 0;
+                    }
+                    else {
+                        WOLFSSL_MSG("ED448 Verify didn't match");
+                        ret = ASN_SIG_CONFIRM_E;
+                    }
+                    break;
+                }
+            #endif /* HAVE_ED448 */
+                default:
+                    break;
+            }  /* switch (keyOID) */
 
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(pubKey,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(plain,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
             break;
-        }
+        } /* SIG_STATE_CHECK */
+    } /* switch (sigCtx->state) */
 
-    #endif /* NO_RSA */
-    #ifdef HAVE_ECC
-        case ECDSAk:
-        {
-            int verify = 0;
-#ifdef WOLFSSL_SMALL_STACK
-            ecc_key* pubKey;
-#else
-            ecc_key pubKey[1];
-#endif
+exit_cs:
 
-#ifdef WOLFSSL_SMALL_STACK
-            pubKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-            if (pubKey == NULL) {
-                WOLFSSL_MSG("Failed to allocate pubKey");
-                break; /* not confirmed */
-            }
-#endif
+#endif /* !NO_ASN_CRYPT */
 
-            if (wc_ecc_init(pubKey) < 0) {
-                WOLFSSL_MSG("Failed to initialize key");
-                break; /* not confirmed */
-            }
-            if (wc_ecc_import_x963(key, keySz, pubKey) < 0) {
-                WOLFSSL_MSG("ASN Key import error ECC");
-            }
-            else {   
-                if (wc_ecc_verify_hash(sig, sigSz, digest, digestSz, &verify,
-                                                                pubKey) != 0) {
-                    WOLFSSL_MSG("ECC verify hash error");
-                }
-                else if (1 != verify) {
-                    WOLFSSL_MSG("ECC Verify didn't match");
-                } else
-                    ret = 1; /* match */
+    (void)keyOID;
+    (void)sigOID;
 
-            }
-            wc_ecc_free(pubKey);
+    WOLFSSL_LEAVE("ConfirmSignature", ret);
 
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            break;
-        }
-    #endif /* HAVE_ECC */
-        default:
-            WOLFSSL_MSG("Verify Key type unknown");
-    }
-    
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (ret == WC_PENDING_E)
+        return ret;
 #endif
 
+    FreeSignatureCtx(sigCtx);
+
     return ret;
 }
 
@@ -3250,7 +7439,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
 #ifndef IGNORE_NAME_CONSTRAINTS
 
 static int MatchBaseName(int type, const char* name, int nameSz,
-                                                   const char* base, int baseSz)
+                         const char* base, int baseSz)
 {
     if (base == NULL || baseSz <= 0 || name == NULL || nameSz <= 0 ||
             name[0] == '.' || nameSz < baseSz ||
@@ -3302,7 +7491,7 @@ static int MatchBaseName(int type, const char* name, int nameSz,
     }
 
     while (nameSz > 0) {
-        if (XTOLOWER((unsigned char)*name++) != 
+        if (XTOLOWER((unsigned char)*name++) !=
                                                XTOLOWER((unsigned char)*base++))
             return 0;
         nameSz--;
@@ -3322,34 +7511,44 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
         Base_entry* base = signer->excludedNames;
 
         while (base != NULL) {
-            if (base->type == ASN_DNS_TYPE) {
-                DNS_entry* name = cert->altNames;
-                while (name != NULL) {
-                    if (MatchBaseName(ASN_DNS_TYPE,
-                                          name->name, (int)XSTRLEN(name->name),
-                                          base->name, base->nameSz))
-                        return 0;
-                    name = name->next;
+            switch (base->type) {
+                case ASN_DNS_TYPE:
+                {
+                    DNS_entry* name = cert->altNames;
+                    while (name != NULL) {
+                        if (MatchBaseName(ASN_DNS_TYPE,
+                                          name->name, name->len,
+                                          base->name, base->nameSz)) {
+                            return 0;
+                        }
+                        name = name->next;
+                    }
+                    break;
                 }
-            }
-            else if (base->type == ASN_RFC822_TYPE) {
-                DNS_entry* name = cert->altEmailNames;
-                while (name != NULL) {
-                    if (MatchBaseName(ASN_RFC822_TYPE,
-                                          name->name, (int)XSTRLEN(name->name),
-                                          base->name, base->nameSz))
-                        return 0;
-
-                    name = name->next;
+                case ASN_RFC822_TYPE:
+                {
+                    DNS_entry* name = cert->altEmailNames;
+                    while (name != NULL) {
+                        if (MatchBaseName(ASN_RFC822_TYPE,
+                                          name->name, name->len,
+                                          base->name, base->nameSz)) {
+                            return 0;
+                        }
+                        name = name->next;
+                    }
+                    break;
                 }
-            }
-            else if (base->type == ASN_DIR_TYPE) {
-                if (cert->subjectRawLen == base->nameSz &&
-                    XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
-
-                    return 0;
+                case ASN_DIR_TYPE:
+                {
+                    /* allow permitted dirName smaller than actual subject */
+                    if (cert->subjectRawLen >= base->nameSz &&
+                        XMEMCMP(cert->subjectRaw, base->name,
+                                                        base->nameSz) == 0) {
+                        return 0;
+                    }
+                    break;
                 }
-            }
+            }; /* switch */
             base = base->next;
         }
     }
@@ -3365,47 +7564,56 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
         Base_entry* base = signer->permittedNames;
 
         while (base != NULL) {
-            if (base->type == ASN_DNS_TYPE) {
-                DNS_entry* name = cert->altNames;
+            switch (base->type) {
+                case ASN_DNS_TYPE:
+                {
+                    DNS_entry* name = cert->altNames;
 
-                if (name != NULL)
-                    needDns = 1;
+                    if (name != NULL)
+                        needDns = 1;
 
-                while (name != NULL) {
-                    matchDns = MatchBaseName(ASN_DNS_TYPE,
-                                          name->name, (int)XSTRLEN(name->name),
+                    while (name != NULL) {
+                        matchDns = MatchBaseName(ASN_DNS_TYPE,
+                                          name->name, name->len,
                                           base->name, base->nameSz);
-                    name = name->next;
+                        name = name->next;
+                    }
+                    break;
                 }
-            }
-            else if (base->type == ASN_RFC822_TYPE) {
-                DNS_entry* name = cert->altEmailNames;
+                case ASN_RFC822_TYPE:
+                {
+                    DNS_entry* name = cert->altEmailNames;
 
-                if (name != NULL)
-                    needEmail = 1;
+                    if (name != NULL)
+                        needEmail = 1;
 
-                while (name != NULL) {
-                    matchEmail = MatchBaseName(ASN_DNS_TYPE,
-                                          name->name, (int)XSTRLEN(name->name),
+                    while (name != NULL) {
+                        matchEmail = MatchBaseName(ASN_DNS_TYPE,
+                                          name->name, name->len,
                                           base->name, base->nameSz);
-                    name = name->next;
+                        name = name->next;
+                    }
+                    break;
                 }
-            }
-            else if (base->type == ASN_DIR_TYPE) {
-                needDir = 1;
-                if (cert->subjectRaw != NULL &&
-                    cert->subjectRawLen == base->nameSz &&
-                    XMEMCMP(cert->subjectRaw, base->name, base->nameSz) == 0) {
-
-                    matchDir = 1;
+                case ASN_DIR_TYPE:
+                {
+                    /* allow permitted dirName smaller than actual subject */
+                    needDir = 1;
+                    if (cert->subjectRaw != NULL &&
+                        cert->subjectRawLen >= base->nameSz &&
+                        XMEMCMP(cert->subjectRaw, base->name,
+                                                        base->nameSz) == 0) {
+                        matchDir = 1;
+                    }
+                    break;
                 }
-            }
+            } /* switch */
             base = base->next;
         }
 
-        if ((needDns && !matchDns) || (needEmail && !matchEmail) ||
-            (needDir && !matchDir)) {
-
+        if ((needDns   && !matchDns) ||
+            (needEmail && !matchEmail) ||
+            (needDir   && !matchDir)) {
             return 0;
         }
     }
@@ -3415,8 +7623,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 
 #endif /* IGNORE_NAME_CONSTRAINTS */
 
-
-static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
+static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length = 0;
@@ -3428,10 +7635,17 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
         return ASN_PARSE_E;
     }
 
+    if (length == 0) {
+        /* RFC 5280 4.2.1.6.  Subject Alternative Name
+           If the subjectAltName extension is present, the sequence MUST
+           contain at least one entry. */
+        return ASN_PARSE_E;
+    }
+
     cert->weOwnAltNames = 1;
 
     while (length > 0) {
-        byte       b = input[idx++];
+        byte b = input[idx++];
 
         length--;
 
@@ -3452,17 +7666,18 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
                                         DYNAMIC_TYPE_ALTNAME);
             if (dnsEntry == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
-                return ASN_PARSE_E;
+                return MEMORY_E;
             }
 
+            dnsEntry->type = ASN_DNS_TYPE;
             dnsEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
                                          DYNAMIC_TYPE_ALTNAME);
             if (dnsEntry->name == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
                 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
-                return ASN_PARSE_E;
+                return MEMORY_E;
             }
-
+            dnsEntry->len = strLen;
             XMEMCPY(dnsEntry->name, &input[idx], strLen);
             dnsEntry->name[strLen] = '\0';
 
@@ -3472,7 +7687,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             length -= strLen;
             idx    += strLen;
         }
-#ifndef IGNORE_NAME_CONSTRAINTS
+    #ifndef IGNORE_NAME_CONSTRAINTS
         else if (b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
             DNS_entry* emailEntry;
             int strLen;
@@ -3488,17 +7703,18 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
                                         DYNAMIC_TYPE_ALTNAME);
             if (emailEntry == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
-                return ASN_PARSE_E;
+                return MEMORY_E;
             }
 
+            emailEntry->type = ASN_RFC822_TYPE;
             emailEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
                                          DYNAMIC_TYPE_ALTNAME);
             if (emailEntry->name == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
                 XFREE(emailEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
-                return ASN_PARSE_E;
+                return MEMORY_E;
             }
-
+            emailEntry->len = strLen;
             XMEMCPY(emailEntry->name, &input[idx], strLen);
             emailEntry->name[strLen] = '\0';
 
@@ -3508,6 +7724,120 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             length -= strLen;
             idx    += strLen;
         }
+        else if (b == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
+            DNS_entry* uriEntry;
+            int strLen;
+            word32 lenStartIdx = idx;
+
+            WOLFSSL_MSG("\tPutting URI into list but not using");
+            if (GetLength(input, &idx, &strLen, sz) < 0) {
+                WOLFSSL_MSG("\tfail: str length");
+                return ASN_PARSE_E;
+            }
+            length -= (idx - lenStartIdx);
+
+            /* check that strLen at index is not past input buffer */
+            if (strLen + (int)idx > sz) {
+                return BUFFER_E;
+            }
+
+        #ifndef WOLFSSL_NO_ASN_STRICT
+            /* Verify RFC 5280 Sec 4.2.1.6 rule:
+                "The name MUST NOT be a relative URI" */
+
+            {
+                int i;
+
+                /* skip past scheme (i.e http,ftp,...) finding first ':' char */
+                for (i = 0; i < strLen; i++) {
+                    if (input[idx + i] == ':') {
+                        break;
+                    }
+                    if (input[idx + i] == '/') {
+                        i = strLen; /* error, found relative path since '/' was
+                                     * encountered before ':'. Returning error
+                                     * value in next if statement. */
+                    }
+                }
+
+                /* test if no ':' char was found and test that the next two
+                 * chars are // to match the pattern "://" */
+                if (i >= strLen - 2 || (input[idx + i + 1] != '/' ||
+                                        input[idx + i + 2] != '/')) {
+                    WOLFSSL_MSG("\tAlt Name must be absolute URI");
+                    return ASN_ALT_NAME_E;
+                }
+            }
+        #endif
+
+            uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
+                                        DYNAMIC_TYPE_ALTNAME);
+            if (uriEntry == NULL) {
+                WOLFSSL_MSG("\tOut of Memory");
+                return MEMORY_E;
+            }
+
+            uriEntry->type = ASN_URI_TYPE;
+            uriEntry->name = (char*)XMALLOC(strLen + 1, cert->heap,
+                                         DYNAMIC_TYPE_ALTNAME);
+            if (uriEntry->name == NULL) {
+                WOLFSSL_MSG("\tOut of Memory");
+                XFREE(uriEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
+                return MEMORY_E;
+            }
+            uriEntry->len = strLen;
+            XMEMCPY(uriEntry->name, &input[idx], strLen);
+            uriEntry->name[strLen] = '\0';
+
+            uriEntry->next = cert->altNames;
+            cert->altNames = uriEntry;
+
+            length -= strLen;
+            idx    += strLen;
+        }
+#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+        else if (b == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
+            DNS_entry* ipAddr;
+            int strLen;
+            word32 lenStartIdx = idx;
+            WOLFSSL_MSG("Decoding Subject Alt. Name: IP Address");
+
+            if (GetLength(input, &idx, &strLen, sz) < 0) {
+                WOLFSSL_MSG("\tfail: str length");
+                return ASN_PARSE_E;
+            }
+            length -= (idx - lenStartIdx);
+            /* check that strLen at index is not past input buffer */
+            if (strLen + (int)idx > sz) {
+                return BUFFER_E;
+            }
+
+            ipAddr = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap,
+                                        DYNAMIC_TYPE_ALTNAME);
+            if (ipAddr == NULL) {
+                WOLFSSL_MSG("\tOut of Memory");
+                return MEMORY_E;
+            }
+
+            ipAddr->type = ASN_IP_TYPE;
+            ipAddr->name = (char*)XMALLOC(strLen + 1, cert->heap,
+                                         DYNAMIC_TYPE_ALTNAME);
+            if (ipAddr->name == NULL) {
+                WOLFSSL_MSG("\tOut of Memory");
+                XFREE(ipAddr, cert->heap, DYNAMIC_TYPE_ALTNAME);
+                return MEMORY_E;
+            }
+            ipAddr->len = strLen;
+            XMEMCPY(ipAddr->name, &input[idx], strLen);
+            ipAddr->name[strLen] = '\0';
+
+            ipAddr->next   = cert->altNames;
+            cert->altNames = ipAddr;
+
+            length -= strLen;
+            idx    += strLen;
+        }
+#endif /* WOLFSSL_QT || OPENSSL_ALL */
 #endif /* IGNORE_NAME_CONSTRAINTS */
 #ifdef WOLFSSL_SEP
         else if (b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE))
@@ -3515,6 +7845,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             int strLen;
             word32 lenStartIdx = idx;
             word32 oid = 0;
+            int    ret;
+            byte   tag;
 
             if (GetLength(input, &idx, &strLen, sz) < 0) {
                 WOLFSSL_MSG("\tfail: other name length");
@@ -3523,7 +7855,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             /* Consume the rest of this sequence. */
             length -= (strLen + idx - lenStartIdx);
 
-            if (GetObjectId(input, &idx, &oid, sz) < 0) {
+            if (GetObjectId(input, &idx, &oid, oidCertAltNameType, sz) < 0) {
                 WOLFSSL_MSG("\tbad OID");
                 return ASN_PARSE_E;
             }
@@ -3533,7 +7865,11 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
                 return ASN_PARSE_E;
             }
 
-            if (input[idx++] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
+            if (GetASNTag(input, &idx, &tag, sz) < 0) {
+                return ASN_PARSE_E;
+            }
+
+            if (tag != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
                 WOLFSSL_MSG("\twrong type");
                 return ASN_PARSE_E;
             }
@@ -3548,17 +7884,14 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
                 return ASN_PARSE_E;
             }
 
-            if (input[idx++] != ASN_OBJECT_ID) {
-                WOLFSSL_MSG("\texpected OID");
-                return ASN_PARSE_E;
-            }
-
-            if (GetLength(input, &idx, &strLen, sz) < 0) {
-                WOLFSSL_MSG("\tfailed: str len");
-                return ASN_PARSE_E;
+            ret = GetASNObjectId(input, &idx, &strLen, sz);
+            if (ret != 0) {
+                WOLFSSL_MSG("\tbad OID");
+                return ret;
             }
 
-            cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
+            cert->hwType = (byte*)XMALLOC(strLen, cert->heap,
+                                          DYNAMIC_TYPE_X509_EXT);
             if (cert->hwType == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
                 return MEMORY_E;
@@ -3568,17 +7901,12 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             cert->hwTypeSz = strLen;
             idx += strLen;
 
-            if (input[idx++] != ASN_OCTET_STRING) {
-                WOLFSSL_MSG("\texpected Octet String");
-                return ASN_PARSE_E;
-            }
-
-            if (GetLength(input, &idx, &strLen, sz) < 0) {
-                WOLFSSL_MSG("\tfailed: str len");
-                return ASN_PARSE_E;
-            }
+            ret = GetOctetString(input, &idx, &strLen, sz);
+            if (ret < 0)
+                return ret;
 
-            cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0);
+            cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap,
+                                               DYNAMIC_TYPE_X509_EXT);
             if (cert->hwSerialNum == NULL) {
                 WOLFSSL_MSG("\tOut of Memory");
                 return MEMORY_E;
@@ -3589,7 +7917,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
             cert->hwSerialNumSz = strLen;
             idx += strLen;
         }
-#endif /* WOLFSSL_SEP */
+    #endif /* WOLFSSL_SEP */
         else {
             int strLen;
             word32 lenStartIdx = idx;
@@ -3607,13 +7935,14 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
     return 0;
 }
 
-
-static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
+static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length = 0;
+    int ret;
 
     WOLFSSL_ENTER("DecodeBasicCaConstraint");
+
     if (GetSequence(input, &idx, &length, sz) < 0) {
         WOLFSSL_MSG("\tfail: bad SEQUENCE");
         return ASN_PARSE_E;
@@ -3625,40 +7954,35 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
     /* If the basic ca constraint is false, this extension may be named, but
      * left empty. So, if the length is 0, just return. */
 
-    if (input[idx++] != ASN_BOOLEAN)
-    {
-        WOLFSSL_MSG("\tfail: constraint not BOOLEAN");
-        return ASN_PARSE_E;
-    }
+    ret = GetBoolean(input, &idx, sz);
 
-    if (GetLength(input, &idx, &length, sz) < 0)
-    {
-        WOLFSSL_MSG("\tfail: length");
-        return ASN_PARSE_E;
+#ifndef WOLFSSL_X509_BASICCONS_INT
+    if (ret < 0) {
+        WOLFSSL_MSG("\tfail: constraint not valid BOOLEAN");
+        return ret;
     }
 
-    if (input[idx++])
-        cert->isCA = 1;
-
-    #ifdef OPENSSL_EXTRA
-        /* If there isn't any more data, return. */
-        if (idx >= (word32)sz)
-            return 0;
-
-        /* Anything left should be the optional pathlength */
-        if (input[idx++] != ASN_INTEGER) {
-            WOLFSSL_MSG("\tfail: pathlen not INTEGER");
-            return ASN_PARSE_E;
-        }
+    cert->isCA = (byte)ret;
+#else
+    if (ret < 0) {
+        if(input[idx] == ASN_INTEGER) {
+            /* For OpenSSL compatibility, if ASN_INTEGER it is valid format */
+            cert->isCA = FALSE;
+        } else return ret;
+    } else
+        cert->isCA = (byte)ret;
+#endif
 
-        if (input[idx++] != 1) {
-            WOLFSSL_MSG("\tfail: pathlen too long");
-            return ASN_PARSE_E;
-        }
+    /* If there isn't any more data, return. */
+    if (idx >= (word32)sz) {
+        return 0;
+    }
 
-        cert->pathLength = input[idx];
-        cert->extBasicConstPlSet = 1;
-    #endif /* OPENSSL_EXTRA */
+    ret = GetInteger7Bit(input, &idx, sz);
+    if (ret < 0)
+        return ret;
+    cert->pathLength = (byte)ret;
+    cert->pathLengthSet = 1;
 
     return 0;
 }
@@ -3669,10 +7993,11 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
 #define GENERALNAME_URI 6
     /* From RFC3280 SS4.2.1.7, GeneralName */
 
-static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
+static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
 {
-    word32 idx = 0;
+    word32 idx = 0, localIdx;
     int length = 0;
+    byte tag   = 0;
 
     WOLFSSL_ENTER("DecodeCrlDist");
 
@@ -3687,20 +8012,26 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
     /* The Distribution Point has three explicit optional members
      *  First check for a DistributionPointName
      */
-    if (input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+    localIdx = idx;
+    if (GetASNTag(input, &localIdx, &tag, sz) == 0 &&
+            tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
     {
         idx++;
         if (GetLength(input, &idx, &length, sz) < 0)
             return ASN_PARSE_E;
 
-        if (input[idx] == 
-                    (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | CRLDP_FULL_NAME))
+        localIdx = idx;
+        if (GetASNTag(input, &localIdx, &tag, sz) == 0 &&
+                tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED |
+                    CRLDP_FULL_NAME))
         {
             idx++;
             if (GetLength(input, &idx, &length, sz) < 0)
                 return ASN_PARSE_E;
 
-            if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
+            localIdx = idx;
+            if (GetASNTag(input, &localIdx, &tag, sz) == 0 &&
+                    tag == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
             {
                 idx++;
                 if (GetLength(input, &idx, &length, sz) < 0)
@@ -3714,14 +8045,17 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
                 /* This isn't a URI, skip it. */
                 idx += length;
         }
-        else
+        else {
             /* This isn't a FULLNAME, skip it. */
             idx += length;
+        }
     }
 
     /* Check for reasonFlags */
+    localIdx = idx;
     if (idx < (word32)sz &&
-        input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
+        GetASNTag(input, &localIdx, &tag, sz) == 0 &&
+        tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
     {
         idx++;
         if (GetLength(input, &idx, &length, sz) < 0)
@@ -3730,8 +8064,10 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
     }
 
     /* Check for cRLIssuer */
+    localIdx = idx;
     if (idx < (word32)sz &&
-        input[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2))
+        GetASNTag(input, &localIdx, &tag, sz) == 0 &&
+        tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2))
     {
         idx++;
         if (GetLength(input, &idx, &length, sz) < 0)
@@ -3749,15 +8085,16 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
 }
 
 
-static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
+static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
 /*
- *  Read the first of the Authority Information Access records. If there are
+ *  Read Authority Information Access records. If there are
  *  any issues, return without saving the record.
  */
 {
     word32 idx = 0;
     int length = 0;
-    byte b;
+    int count  = 0;
+    byte b = 0;
     word32 oid;
 
     WOLFSSL_ENTER("DecodeAuthInfo");
@@ -3766,27 +8103,43 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
     if (GetSequence(input, &idx, &length, sz) < 0)
         return ASN_PARSE_E;
 
-    while (idx < (word32)sz) {
+    while ((idx < (word32)sz) && (count < MAX_AIA_SZ)) {
         /* Unwrap a single AIA */
         if (GetSequence(input, &idx, &length, sz) < 0)
             return ASN_PARSE_E;
 
         oid = 0;
-        if (GetObjectId(input, &idx, &oid, sz) < 0)
+        if (GetObjectId(input, &idx, &oid, oidCertAuthInfoType, sz) < 0)
             return ASN_PARSE_E;
 
         /* Only supporting URIs right now. */
-        b = input[idx++];
+        if (GetASNTag(input, &idx, &b, sz) < 0)
+            return ASN_PARSE_E;
+
         if (GetLength(input, &idx, &length, sz) < 0)
             return ASN_PARSE_E;
 
+        /* Set ocsp entry */
         if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
             oid == AIA_OCSP_OID)
         {
             cert->extAuthInfoSz = length;
             cert->extAuthInfo = input + idx;
+            count++;
+        #if !defined(OPENSSL_ALL) || !defined(WOLFSSL_QT)
             break;
+        #endif
+        }
+        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+        /* Set CaIssuers entry */
+        else if ((b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) &&
+            oid == AIA_CA_ISSUER_OID)
+        {
+            cert->extAuthInfoCaIssuerSz = length;
+            cert->extAuthInfoCaIssuer = input + idx;
+            count++;
         }
+        #endif
         idx += length;
     }
 
@@ -3794,10 +8147,11 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
 }
 
 
-static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
+static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length = 0, ret = 0;
+    byte tag;
 
     WOLFSSL_ENTER("DecodeAuthKeyId");
 
@@ -3806,124 +8160,107 @@ static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
         return ASN_PARSE_E;
     }
 
-    if (input[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
+    if (GetASNTag(input, &idx, &tag, sz) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (tag != (ASN_CONTEXT_SPECIFIC | 0)) {
         WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
+        cert->extAuthKeyIdSet = 0;
         return 0;
     }
 
-    if (GetLength(input, &idx, &length, sz) < 0) {
+    if (GetLength(input, &idx, &length, sz) <= 0) {
         WOLFSSL_MSG("\tfail: extension data length");
         return ASN_PARSE_E;
     }
 
-    #ifdef OPENSSL_EXTRA
-        cert->extAuthKeyIdSrc = &input[idx];
-        cert->extAuthKeyIdSz = length;
-    #endif /* OPENSSL_EXTRA */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    cert->extAuthKeyIdSrc = &input[idx];
+    cert->extAuthKeyIdSz = length;
+#endif /* OPENSSL_EXTRA */
 
     if (length == KEYID_SIZE) {
         XMEMCPY(cert->extAuthKeyId, input + idx, length);
     }
-    else {
-    #ifdef NO_SHA
-        ret = wc_Sha256Hash(input + idx, length, cert->extAuthKeyId);
-    #else
-        ret = wc_ShaHash(input + idx, length, cert->extAuthKeyId);
-    #endif
-    }
+    else
+        ret = CalcHashId(input + idx, length, cert->extAuthKeyId);
 
     return ret;
 }
 
 
-static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
+static int DecodeSubjKeyId(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length = 0, ret = 0;
 
     WOLFSSL_ENTER("DecodeSubjKeyId");
 
-    if (input[idx++] != ASN_OCTET_STRING) {
-        WOLFSSL_MSG("\tfail: should be an OCTET STRING");
+    if (sz <= 0)
         return ASN_PARSE_E;
-    }
 
-    if (GetLength(input, &idx, &length, sz) < 0) {
-        WOLFSSL_MSG("\tfail: extension data length");
-        return ASN_PARSE_E;
-    }
+    ret = GetOctetString(input, &idx, &length, sz);
+    if (ret < 0)
+        return ret;
 
-    #ifdef OPENSSL_EXTRA
+    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
         cert->extSubjKeyIdSrc = &input[idx];
         cert->extSubjKeyIdSz = length;
     #endif /* OPENSSL_EXTRA */
 
-    if (length == SIGNER_DIGEST_SIZE) {
+    if (length == KEYID_SIZE) {
         XMEMCPY(cert->extSubjKeyId, input + idx, length);
     }
-    else {
-    #ifdef NO_SHA
-        ret = wc_Sha256Hash(input + idx, length, cert->extSubjKeyId);
-    #else
-        ret = wc_ShaHash(input + idx, length, cert->extSubjKeyId);
-    #endif
-    }
+    else
+        ret = CalcHashId(input + idx, length, cert->extSubjKeyId);
 
     return ret;
 }
 
 
-static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
+static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length;
-    byte unusedBits;
+    int ret;
     WOLFSSL_ENTER("DecodeKeyUsage");
 
-    if (input[idx++] != ASN_BIT_STRING) {
-        WOLFSSL_MSG("\tfail: key usage expected bit string");
-        return ASN_PARSE_E;
-    }
-
-    if (GetLength(input, &idx, &length, sz) < 0) {
-        WOLFSSL_MSG("\tfail: key usage bad length");
-        return ASN_PARSE_E;
-    }
-
-    unusedBits = input[idx++];
-    length--;
+    ret = CheckBitString(input, &idx, &length, sz, 0, NULL);
+    if (ret != 0)
+        return ret;
 
-    if (length == 2) {
-        cert->extKeyUsage = (word16)((input[idx] << 8) | input[idx+1]);
-        cert->extKeyUsage >>= unusedBits;
-    }
-    else if (length == 1)
-        cert->extKeyUsage = (word16)(input[idx] << 1);
+    cert->extKeyUsage = (word16)(input[idx]);
+    if (length == 2)
+        cert->extKeyUsage |= (word16)(input[idx+1] << 8);
 
     return 0;
 }
 
 
-static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
+static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0, oid;
-    int length;
+    int length, ret;
 
-    WOLFSSL_ENTER("DecodeExtKeyUsage");
+    WOLFSSL_MSG("DecodeExtKeyUsage");
 
     if (GetSequence(input, &idx, &length, sz) < 0) {
         WOLFSSL_MSG("\tfail: should be a SEQUENCE");
         return ASN_PARSE_E;
     }
 
-    #ifdef OPENSSL_EXTRA
-        cert->extExtKeyUsageSrc = input + idx;
-        cert->extExtKeyUsageSz = length;
-    #endif
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    cert->extExtKeyUsageSrc = input + idx;
+    cert->extExtKeyUsageSz = length;
+#endif
 
     while (idx < (word32)sz) {
-        if (GetObjectId(input, &idx, &oid, sz) < 0)
-            return ASN_PARSE_E;
+        ret = GetObjectId(input, &idx, &oid, oidCertKeyUseType, sz);
+        if (ret == ASN_UNKNOWN_OID_E)
+            continue;
+        else if (ret < 0)
+            return ret;
 
         switch (oid) {
             case EKU_ANY_OID:
@@ -3935,14 +8272,23 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
             case EKU_CLIENT_AUTH_OID:
                 cert->extExtKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
                 break;
+            case EKU_CODESIGNING_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_CODESIGN;
+                break;
+            case EKU_EMAILPROTECT_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_EMAILPROT;
+                break;
+            case EKU_TIMESTAMP_OID:
+                cert->extExtKeyUsage |= EXTKEYUSE_TIMESTAMP;
+                break;
             case EKU_OCSP_SIGN_OID:
                 cert->extExtKeyUsage |= EXTKEYUSE_OCSP_SIGN;
                 break;
         }
 
-        #ifdef OPENSSL_EXTRA
-            cert->extExtKeyUsageCount++;
-        #endif
+    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+        cert->extExtKeyUsageCount++;
+    #endif
     }
 
     return 0;
@@ -3950,7 +8296,9 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
 
 
 #ifndef IGNORE_NAME_CONSTRAINTS
-static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
+#define ASN_TYPE_MASK 0xF
+static int DecodeSubtree(const byte* input, int sz,
+                         Base_entry** head, void* heap)
 {
     word32 idx = 0;
 
@@ -3959,27 +8307,37 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
     while (idx < (word32)sz) {
         int seqLength, strLength;
         word32 nameIdx;
-        byte b;
+        byte b, bType;
 
         if (GetSequence(input, &idx, &seqLength, sz) < 0) {
             WOLFSSL_MSG("\tfail: should be a SEQUENCE");
             return ASN_PARSE_E;
         }
-
         nameIdx = idx;
         b = input[nameIdx++];
+
         if (GetLength(input, &nameIdx, &strLength, sz) <= 0) {
             WOLFSSL_MSG("\tinvalid length");
             return ASN_PARSE_E;
         }
 
-        if (b == (ASN_CONTEXT_SPECIFIC | ASN_DNS_TYPE) ||
-            b == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE) ||
-            b == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
+        /* Get type, LSB 4-bits */
+        bType = (b & ASN_TYPE_MASK);
+
+        if (bType == ASN_DNS_TYPE || bType == ASN_RFC822_TYPE ||
+                                                        bType == ASN_DIR_TYPE) {
+            Base_entry* entry;
 
-            Base_entry* entry = (Base_entry*)XMALLOC(sizeof(Base_entry),
-                                                    heap, DYNAMIC_TYPE_ALTNAME);
+            /* if constructed has leading sequence */
+            if (b & ASN_CONSTRUCTED) {
+                if (GetSequence(input, &nameIdx, &strLength, sz) < 0) {
+                    WOLFSSL_MSG("\tfail: constructed be a SEQUENCE");
+                    return ASN_PARSE_E;
+                }
+            }
 
+            entry = (Base_entry*)XMALLOC(sizeof(Base_entry), heap,
+                                                          DYNAMIC_TYPE_ALTNAME);
             if (entry == NULL) {
                 WOLFSSL_MSG("allocate error");
                 return MEMORY_E;
@@ -3988,12 +8346,13 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
             entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
             if (entry->name == NULL) {
                 WOLFSSL_MSG("allocate error");
+                XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
                 return MEMORY_E;
             }
 
             XMEMCPY(entry->name, &input[nameIdx], strLength);
             entry->nameSz = strLength;
-            entry->type = b & 0x0F;
+            entry->type = bType;
 
             entry->next = *head;
             *head = entry;
@@ -4006,7 +8365,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
 }
 
 
-static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
+static int DecodeNameConstraints(const byte* input, int sz, DecodedCert* cert)
 {
     word32 idx = 0;
     int length = 0;
@@ -4045,51 +8404,176 @@ static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
 }
 #endif /* IGNORE_NAME_CONSTRAINTS */
 
+#if (defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)) || defined(OPENSSL_EXTRA)
 
-#ifdef WOLFSSL_SEP
-    static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
+/* Decode ITU-T X.690 OID format to a string representation
+ * return string length */
+int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz)
+{
+    word32 val, inIdx = 0, outIdx = 0;
+    int w = 0;
+
+    if (out == NULL || in == NULL || outSz < 4 || inSz < 2)
+        return BAD_FUNC_ARG;
+
+    /* The first byte expands into b/40 dot b%40. */
+    val = in[inIdx++];
+
+    w = XSNPRINTF(out, outSz, "%u.%u", val / 40, val % 40);
+    if (w < 0)
+        goto exit;
+    outIdx += w;
+    val = 0;
+
+    while (inIdx < inSz && outIdx < outSz) {
+        /* extract the next OID digit from in to val */
+        /* first bit is used to set if value is coded on 1 or multiple bytes */
+        if (in[inIdx] & 0x80) {
+            val += in[inIdx] & 0x7F;
+            val *= 128;
+        }
+        else {
+            /* write val as text into out */
+            val += in[inIdx];
+            w = XSNPRINTF(out + outIdx, outSz - outIdx, ".%u", val);
+            if (w < 0)
+                goto exit;
+            outIdx += w;
+            val = 0;
+        }
+        inIdx++;
+    }
+    if (outIdx == outSz)
+        outIdx--;
+    out[outIdx] = 0;
+
+    w = (int)outIdx;
+
+exit:
+    return w;
+}
+#endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
+
+#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_QT)
+    /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
+    static int DecodeCertPolicy(const byte* input, int sz, DecodedCert* cert)
     {
         word32 idx = 0;
-        int length = 0;
+        word32 oldIdx;
+        int ret;
+        int total_length = 0, policy_length = 0, length = 0;
+    #if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \
+        !defined(WOLFSSL_DUP_CERTPOL)
+        int i;
+    #endif
 
         WOLFSSL_ENTER("DecodeCertPolicy");
+        #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
+        /* Check if cert is null before dereferencing below */
+        if (cert == NULL)
+            return BAD_FUNC_ARG;
+        #endif
 
-        /* Unwrap certificatePolicies */
-        if (GetSequence(input, &idx, &length, sz) < 0) {
-            WOLFSSL_MSG("\tdeviceType isn't OID");
-            return ASN_PARSE_E;
-        }
+    #if defined(WOLFSSL_CERT_EXT)
+         cert->extCertPoliciesNb = 0;
+    #endif
 
-        if (GetSequence(input, &idx, &length, sz) < 0) {
-            WOLFSSL_MSG("\tdeviceType isn't OID");
+        if (GetSequence(input, &idx, &total_length, sz) < 0) {
+            WOLFSSL_MSG("\tGet CertPolicy total seq failed");
             return ASN_PARSE_E;
         }
 
-        if (input[idx++] != ASN_OBJECT_ID) {
-            WOLFSSL_MSG("\tdeviceType isn't OID");
+        /* Validate total length */
+        if (total_length > (sz - (int)idx)) {
+            WOLFSSL_MSG("\tCertPolicy length mismatch");
             return ASN_PARSE_E;
         }
 
-        if (GetLength(input, &idx, &length, sz) < 0) {
-            WOLFSSL_MSG("\tCouldn't read length of deviceType");
-            return ASN_PARSE_E;
-        }
+        /* Unwrap certificatePolicies */
+        do {
+            if (GetSequence(input, &idx, &policy_length, sz) < 0) {
+                WOLFSSL_MSG("\tGet CertPolicy seq failed");
+                return ASN_PARSE_E;
+            }
 
-        if (length > 0) {
-            cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0);
-            if (cert->deviceType == NULL) {
-                WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
-                return MEMORY_E;
+            oldIdx = idx;
+            ret = GetASNObjectId(input, &idx, &length, sz);
+            if (ret != 0)
+                return ret;
+            policy_length -= idx - oldIdx;
+
+            if (length > 0) {
+                /* Verify length won't overrun buffer */
+                if (length > (sz - (int)idx)) {
+                    WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
+                    return ASN_PARSE_E;
+                }
+
+        #if defined(WOLFSSL_SEP)
+                cert->deviceType = (byte*)XMALLOC(length, cert->heap,
+                                                         DYNAMIC_TYPE_X509_EXT);
+                if (cert->deviceType == NULL) {
+                    WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
+                    return MEMORY_E;
+                }
+                cert->deviceTypeSz = length;
+                XMEMCPY(cert->deviceType, input + idx, length);
+                break;
+        #elif defined(WOLFSSL_CERT_EXT)
+                /* decode cert policy */
+                if (DecodePolicyOID(cert->extCertPolicies[
+                                       cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
+                                       input + idx, length) <= 0) {
+                    WOLFSSL_MSG("\tCouldn't decode CertPolicy");
+                    return ASN_PARSE_E;
+                }
+            #ifndef WOLFSSL_DUP_CERTPOL
+                /* From RFC 5280 section 4.2.1.3 "A certificate policy OID MUST
+                 * NOT appear more than once in a certificate policies
+                 * extension". This is a sanity check for duplicates.
+                 * extCertPolicies should only have OID values, additional
+                 * qualifiers need to be stored in a separate array. */
+                for (i = 0; i < cert->extCertPoliciesNb; i++) {
+                    if (XMEMCMP(cert->extCertPolicies[i],
+                            cert->extCertPolicies[cert->extCertPoliciesNb],
+                            MAX_CERTPOL_SZ) == 0) {
+                            WOLFSSL_MSG("Duplicate policy OIDs not allowed");
+                            WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted");
+                            return CERTPOLICIES_E;
+                    }
+                }
+            #endif /* !WOLFSSL_DUP_CERTPOL */
+                cert->extCertPoliciesNb++;
+        #else
+                WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
+                return 0;
+        #endif
             }
-            cert->deviceTypeSz = length;
-            XMEMCPY(cert->deviceType, input + idx, length);
-        }
+            idx += policy_length;
+        } while((int)idx < total_length
+    #if defined(WOLFSSL_CERT_EXT)
+            && cert->extCertPoliciesNb < MAX_CERTPOL_NB
+    #endif
+        );
 
         WOLFSSL_LEAVE("DecodeCertPolicy", 0);
         return 0;
     }
 #endif /* WOLFSSL_SEP */
 
+/* Macro to check if bit is set, if not sets and return success.
+    Otherwise returns failure */
+/* Macro required here because bit-field operation */
+#ifndef WOLFSSL_NO_ASN_STRICT
+    #define VERIFY_AND_SET_OID(bit) \
+        if (bit == 0) \
+            bit = 1; \
+        else \
+            return ASN_OBJECT_ID_E;
+#else
+    /* With no strict defined, the verify is skipped */
+#define VERIFY_AND_SET_OID(bit) bit = 1;
+#endif
 
 static int DecodeCertExtensions(DecodedCert* cert)
 /*
@@ -4097,68 +8581,85 @@ static int DecodeCertExtensions(DecodedCert* cert)
  *  index. It is works starting with the recorded extensions pointer.
  */
 {
+    int ret = 0;
     word32 idx = 0;
     int sz = cert->extensionsSz;
-    byte* input = cert->extensions;
+    const byte* input = cert->extensions;
     int length;
     word32 oid;
     byte critical = 0;
     byte criticalFail = 0;
+    byte tag = 0;
 
     WOLFSSL_ENTER("DecodeCertExtensions");
 
     if (input == NULL || sz == 0)
         return BAD_FUNC_ARG;
 
-    if (input[idx++] != ASN_EXTENSIONS)
+    if (GetASNTag(input, &idx, &tag, sz) < 0) {
         return ASN_PARSE_E;
+    }
 
-    if (GetLength(input, &idx, &length, sz) < 0)
+    if (tag != ASN_EXTENSIONS) {
+        WOLFSSL_MSG("\tfail: should be an EXTENSIONS");
         return ASN_PARSE_E;
+    }
 
-    if (GetSequence(input, &idx, &length, sz) < 0)
+    if (GetLength(input, &idx, &length, sz) < 0) {
+        WOLFSSL_MSG("\tfail: invalid length");
         return ASN_PARSE_E;
-    
+    }
+
+    if (GetSequence(input, &idx, &length, sz) < 0) {
+        WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)");
+        return ASN_PARSE_E;
+    }
+
     while (idx < (word32)sz) {
+        word32 localIdx;
+
         if (GetSequence(input, &idx, &length, sz) < 0) {
             WOLFSSL_MSG("\tfail: should be a SEQUENCE");
             return ASN_PARSE_E;
         }
 
         oid = 0;
-        if (GetObjectId(input, &idx, &oid, sz) < 0) {
+        if ((ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz)) < 0) {
             WOLFSSL_MSG("\tfail: OBJECT ID");
-            return ASN_PARSE_E;
+            return ret;
         }
 
         /* check for critical flag */
         critical = 0;
-        if (input[idx] == ASN_BOOLEAN) {
-            int boolLength = 0;
-            idx++;
-            if (GetLength(input, &idx, &boolLength, sz) < 0) {
-                WOLFSSL_MSG("\tfail: critical boolean length");
-                return ASN_PARSE_E;
-            }
-            if (input[idx++])
-                critical = 1;
+        if ((idx + 1) > (word32)sz) {
+            WOLFSSL_MSG("\tfail: malformed buffer");
+            return BUFFER_E;
         }
 
-        /* process the extension based on the OID */
-        if (input[idx++] != ASN_OCTET_STRING) {
-            WOLFSSL_MSG("\tfail: should be an OCTET STRING");
-            return ASN_PARSE_E;
+        localIdx = idx;
+        if (GetASNTag(input, &localIdx, &tag, sz) == 0) {
+            if (tag == ASN_BOOLEAN) {
+                ret = GetBoolean(input, &idx, sz);
+                if (ret < 0) {
+                    WOLFSSL_MSG("\tfail: critical boolean");
+                    return ret;
+                }
+
+                critical = (byte)ret;
+            }
         }
 
-        if (GetLength(input, &idx, &length, sz) < 0) {
-            WOLFSSL_MSG("\tfail: extension data length");
-            return ASN_PARSE_E;
+        /* process the extension based on the OID */
+        ret = GetOctetString(input, &idx, &length, sz);
+        if (ret < 0) {
+            WOLFSSL_MSG("\tfail: bad OCTET STRING");
+            return ret;
         }
 
         switch (oid) {
             case BASIC_CA_OID:
-                #ifdef OPENSSL_EXTRA
-                    cert->extBasicConstSet = 1;
+                VERIFY_AND_SET_OID(cert->extBasicConstSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extBasicConstCrit = critical;
                 #endif
                 if (DecodeBasicCaConstraint(&input[idx], length, cert) < 0)
@@ -4166,57 +8667,95 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 break;
 
             case CRL_DIST_OID:
+                VERIFY_AND_SET_OID(cert->extCRLdistSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                    cert->extCRLdistCrit = critical;
+                #endif
                 if (DecodeCrlDist(&input[idx], length, cert) < 0)
                     return ASN_PARSE_E;
                 break;
 
             case AUTH_INFO_OID:
+                VERIFY_AND_SET_OID(cert->extAuthInfoSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+                    cert->extAuthInfoCrit = critical;
+                #endif
                 if (DecodeAuthInfo(&input[idx], length, cert) < 0)
                     return ASN_PARSE_E;
                 break;
 
             case ALT_NAMES_OID:
-                #ifdef OPENSSL_EXTRA
-                    cert->extSubjAltNameSet = 1;
+                VERIFY_AND_SET_OID(cert->extSubjAltNameSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extSubjAltNameCrit = critical;
                 #endif
-                if (DecodeAltNames(&input[idx], length, cert) < 0)
-                    return ASN_PARSE_E;
+                ret = DecodeAltNames(&input[idx], length, cert);
+                if (ret < 0)
+                    return ret;
                 break;
 
             case AUTH_KEY_OID:
-                cert->extAuthKeyIdSet = 1;
-                #ifdef OPENSSL_EXTRA
+                VERIFY_AND_SET_OID(cert->extAuthKeyIdSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extAuthKeyIdCrit = critical;
                 #endif
+                #ifndef WOLFSSL_ALLOW_CRIT_SKID
+                    /* This check is added due to RFC 5280 section 4.2.1.1
+                     * stating that conforming CA's must mark this extension
+                     * as non-critical. When parsing extensions check that
+                     * certificate was made in compliance with this. */
+                    if (critical) {
+                        WOLFSSL_MSG("Critical Auth Key ID is not allowed");
+                        WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
+                        return ASN_CRIT_EXT_E;
+                    }
+                #endif
                 if (DecodeAuthKeyId(&input[idx], length, cert) < 0)
                     return ASN_PARSE_E;
                 break;
 
             case SUBJ_KEY_OID:
-                cert->extSubjKeyIdSet = 1;
-                #ifdef OPENSSL_EXTRA
+                VERIFY_AND_SET_OID(cert->extSubjKeyIdSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extSubjKeyIdCrit = critical;
                 #endif
+                #ifndef WOLFSSL_ALLOW_CRIT_SKID
+                    /* This check is added due to RFC 5280 section 4.2.1.2
+                     * stating that conforming CA's must mark this extension
+                     * as non-critical. When parsing extensions check that
+                     * certificate was made in compliance with this. */
+                    if (critical) {
+                        WOLFSSL_MSG("Critical Subject Key ID is not allowed");
+                        WOLFSSL_MSG("Use macro WOLFSSL_ALLOW_CRIT_SKID if wanted");
+                        return ASN_CRIT_EXT_E;
+                    }
+                #endif
+
                 if (DecodeSubjKeyId(&input[idx], length, cert) < 0)
                     return ASN_PARSE_E;
                 break;
 
             case CERT_POLICY_OID:
-                WOLFSSL_MSG("Certificate Policy extension not supported yet.");
-                #ifdef WOLFSSL_SEP
-                    #ifdef OPENSSL_EXTRA
-                        cert->extCertPolicySet = 1;
+                #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
+                    VERIFY_AND_SET_OID(cert->extCertPolicySet);
+                    #if defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)
                         cert->extCertPolicyCrit = critical;
                     #endif
-                    if (DecodeCertPolicy(&input[idx], length, cert) < 0)
+                #endif
+                #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || \
+                    defined(WOLFSSL_QT)
+                    if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
                         return ASN_PARSE_E;
+                    }
+                #else
+                    WOLFSSL_MSG("Certificate Policy extension not supported yet.");
                 #endif
                 break;
 
             case KEY_USAGE_OID:
-                cert->extKeyUsageSet = 1;
-                #ifdef OPENSSL_EXTRA
+                VERIFY_AND_SET_OID(cert->extKeyUsageSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extKeyUsageCrit = critical;
                 #endif
                 if (DecodeKeyUsage(&input[idx], length, cert) < 0)
@@ -4224,8 +8763,8 @@ static int DecodeCertExtensions(DecodedCert* cert)
                 break;
 
             case EXT_KEY_USAGE_OID:
-                cert->extExtKeyUsageSet = 1;
-                #ifdef OPENSSL_EXTRA
+                VERIFY_AND_SET_OID(cert->extExtKeyUsageSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extExtKeyUsageCrit = critical;
                 #endif
                 if (DecodeExtKeyUsage(&input[idx], length, cert) < 0)
@@ -4234,8 +8773,17 @@ static int DecodeCertExtensions(DecodedCert* cert)
 
             #ifndef IGNORE_NAME_CONSTRAINTS
             case NAME_CONS_OID:
-                cert->extNameConstraintSet = 1;
-                #ifdef OPENSSL_EXTRA
+            #ifndef WOLFSSL_NO_ASN_STRICT
+                /* Verify RFC 5280 Sec 4.2.1.10 rule:
+                    "The name constraints extension,
+                    which MUST be used only in a CA certificate" */
+                if (!cert->isCA) {
+                    WOLFSSL_MSG("Name constraints allowed only for CA certs");
+                    return ASN_NAME_INVALID_E;
+                }
+            #endif
+                VERIFY_AND_SET_OID(cert->extNameConstraintSet);
+                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
                     cert->extNameConstraintCrit = critical;
                 #endif
                 if (DecodeNameConstraints(&input[idx], length, cert) < 0)
@@ -4244,17 +8792,31 @@ static int DecodeCertExtensions(DecodedCert* cert)
             #endif /* IGNORE_NAME_CONSTRAINTS */
 
             case INHIBIT_ANY_OID:
+                VERIFY_AND_SET_OID(cert->inhibitAnyOidSet);
                 WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet.");
                 break;
 
+       #ifndef IGNORE_NETSCAPE_CERT_TYPE
+            case NETSCAPE_CT_OID:
+                WOLFSSL_MSG("Netscape certificate type extension not supported "
+                            "yet.");
+                if (CheckBitString(input, &idx, &length, idx + length, 0,
+                                                                    NULL) < 0) {
+                    return ASN_PARSE_E;
+                }
+                break;
+        #endif
+
             default:
+            #ifndef WOLFSSL_NO_ASN_STRICT
                 /* While it is a failure to not support critical extensions,
                  * still parse the certificate ignoring the unsupported
-                 * extention to allow caller to accept it with the verify
+                 * extension to allow caller to accept it with the verify
                  * callback. */
                 if (critical)
                     criticalFail = 1;
-                break;
+            #endif
+            break;
         }
         idx += length;
     }
@@ -4262,7 +8824,6 @@ static int DecodeCertExtensions(DecodedCert* cert)
     return criticalFail ? ASN_CRIT_EXT_E : 0;
 }
 
-
 int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
 {
     int   ret;
@@ -4297,126 +8858,662 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
     return ret;
 }
 
-
 /* from SSL proper, for locking can't do find here anymore */
 #ifdef __cplusplus
     extern "C" {
 #endif
-    WOLFSSL_LOCAL Signer* GetCA(void* signers, byte* hash);
+    Signer* GetCA(void* signers, byte* hash);
     #ifndef NO_SKID
-        WOLFSSL_LOCAL Signer* GetCAByName(void* signers, byte* hash);
+        Signer* GetCAByName(void* signers, byte* hash);
     #endif
 #ifdef __cplusplus
-    } 
+    }
 #endif
 
+#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
+
+/* dummy functions, not using wolfSSL so don't need actual ones */
+Signer* GetCA(void* signers, byte* hash)
+{
+    (void)hash;
+
+    return (Signer*)signers;
+}
+
+#ifndef NO_SKID
+Signer* GetCAByName(void* signers, byte* hash)
+{
+    (void)hash;
+
+    return (Signer*)signers;
+}
+#endif /* NO_SKID */
+
+#endif /* WOLFCRYPT_ONLY || NO_CERTS */
+
+#if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID)
+static Signer* GetCABySubjectAndPubKey(DecodedCert* cert, void* cm)
+{
+    Signer* ca = NULL;
+    if (cert->extSubjKeyIdSet)
+        ca = GetCA(cm, cert->extSubjKeyId);
+    if (ca == NULL)
+        ca = GetCAByName(cm, cert->subjectHash);
+    if (ca) {
+        if ((ca->pubKeySize == cert->pubKeySize) &&
+               (XMEMCMP(ca->publicKey, cert->publicKey, ca->pubKeySize) == 0)) {
+            return ca;
+        }
+    }
+    return NULL;
+}
+#endif
+
+#if defined(WOLFSSL_SMALL_CERT_VERIFY) || defined(OPENSSL_EXTRA)
+/* Only quick step through the certificate to find fields that are then used
+ * in certificate signature verification.
+ * Must use the signature OID from the signed part of the certificate.
+ *
+ * This is only for minimizing dynamic memory usage during TLS certificate
+ * chain processing.
+ * Doesn't support:
+ *   OCSP Only: alt lookup using subject and pub key w/o sig check
+ */
+static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
+        void* cm, const byte* pubKey, word32 pubKeySz, int pubKeyOID)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    SignatureCtx  sigCtx[1];
+#else
+    SignatureCtx* sigCtx;
+#endif
+    byte          hash[KEYID_SIZE];
+    Signer*       ca = NULL;
+    word32        idx = 0;
+    int           len;
+    word32        tbsCertIdx = 0;
+    word32        sigIndex   = 0;
+    word32        signatureOID = 0;
+    word32        oid = 0;
+    word32        issuerIdx = 0;
+    word32        issuerSz  = 0;
+#ifndef NO_SKID
+    int           extLen = 0;
+    word32        extIdx = 0;
+    word32        extEndIdx = 0;
+    int           extAuthKeyIdSet = 0;
+#endif
+    int           ret = 0;
+    word32        localIdx;
+    byte          tag;
+
+
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    sigCtx = (SignatureCtx*)XMALLOC(sizeof(*sigCtx), heap, DYNAMIC_TYPE_SIGNATURE);
+    if (sigCtx == NULL)
+        return MEMORY_E;
+#endif
+    InitSignatureCtx(sigCtx, heap, INVALID_DEVID);
+
+    /* Certificate SEQUENCE */
+    if (GetSequence(cert, &idx, &len, certSz) < 0)
+        ret = ASN_PARSE_E;
+    if (ret == 0) {
+        tbsCertIdx = idx;
+
+        /* TBSCertificate SEQUENCE */
+        if (GetSequence(cert, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        sigIndex = len + idx;
+
+        if ((idx + 1) > certSz)
+            ret = BUFFER_E;
+    }
+    if (ret == 0) {
+        /* version - optional */
+        localIdx = idx;
+        if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) {
+            if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
+                idx++;
+                if (GetLength(cert, &idx, &len, certSz) < 0)
+                    ret = ASN_PARSE_E;
+                idx += len;
+            }
+        }
+    }
+
+    if (ret == 0) {
+        /* serialNumber */
+        if (GetASNHeader(cert, ASN_INTEGER, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        idx += len;
+
+        /* signature */
+        if (GetAlgoId(cert, &idx, &signatureOID, oidSigType, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+
+    if (ret == 0) {
+        issuerIdx = idx;
+        /* issuer */
+        if (GetSequence(cert, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        issuerSz = len + idx - issuerIdx;
+    }
+#ifndef NO_SKID
+    if (ret == 0) {
+        idx += len;
+
+        /* validity */
+        if (GetSequence(cert, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        idx += len;
+
+        /* subject */
+        if (GetSequence(cert, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        idx += len;
+
+        /* subjectPublicKeyInfo */
+        if (GetSequence(cert, &idx, &len, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        idx += len;
+
+        if ((idx + 1) > certSz)
+            ret = BUFFER_E;
+    }
+    if (ret == 0) {
+        /* issuerUniqueID - optional */
+        localIdx = idx;
+        if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) {
+            if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) {
+                idx++;
+                if (GetLength(cert, &idx, &len, certSz) < 0)
+                    ret = ASN_PARSE_E;
+                idx += len;
+            }
+        }
+    }
+    if (ret == 0) {
+        if ((idx + 1) > certSz)
+            ret = BUFFER_E;
+    }
+    if (ret == 0) {
+        /* subjectUniqueID - optional */
+        localIdx = idx;
+        if (GetASNTag(cert, &localIdx, &tag, certSz) == 0) {
+            if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)) {
+                idx++;
+                if (GetLength(cert, &idx, &len, certSz) < 0)
+                    ret = ASN_PARSE_E;
+                idx += len;
+            }
+        }
+    }
+
+    if (ret == 0) {
+        if ((idx + 1) > certSz)
+            ret = BUFFER_E;
+    }
+    /* extensions - optional */
+    localIdx = idx;
+    if (ret == 0 && GetASNTag(cert, &localIdx, &tag, certSz) == 0 &&
+            tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 3)) {
+        idx++;
+        if (GetLength(cert, &idx, &extLen, certSz) < 0)
+            ret = ASN_PARSE_E;
+        if (ret == 0) {
+            if (GetSequence(cert, &idx, &extLen, certSz) < 0)
+                ret = ASN_PARSE_E;
+        }
+        if (ret == 0) {
+            extEndIdx = idx + extLen;
+
+            /* Check each extension for the ones we want. */
+            while (ret == 0 && idx < extEndIdx) {
+                if (GetSequence(cert, &idx, &len, certSz) < 0)
+                    ret = ASN_PARSE_E;
+                if (ret == 0) {
+                    extIdx = idx;
+                    if (GetObjectId(cert, &extIdx, &oid, oidCertExtType,
+                                                                  certSz) < 0) {
+                        ret = ASN_PARSE_E;
+                    }
+
+                    if (ret == 0) {
+                        if ((extIdx + 1) > certSz)
+                            ret = BUFFER_E;
+                    }
+                }
+
+                if (ret == 0) {
+                    localIdx = extIdx;
+                    if (GetASNTag(cert, &localIdx, &tag, certSz) == 0 &&
+                            tag == ASN_BOOLEAN) {
+                        if (GetBoolean(cert, &extIdx, certSz) < 0)
+                            ret = ASN_PARSE_E;
+                    }
+                }
+                if (ret == 0) {
+                    if (GetOctetString(cert, &extIdx, &extLen, certSz) < 0)
+                        ret = ASN_PARSE_E;
+                }
+
+                if (ret == 0) {
+                    switch (oid) {
+                    case AUTH_KEY_OID:
+                        if (GetSequence(cert, &extIdx, &extLen, certSz) < 0)
+                            ret = ASN_PARSE_E;
+
+                        if (ret == 0 && (extIdx + 1) >= certSz)
+                            ret = BUFFER_E;
+
+                        if (ret == 0 &&
+                                GetASNTag(cert, &extIdx, &tag, certSz) == 0 &&
+                                tag == (ASN_CONTEXT_SPECIFIC | 0)) {
+                            if (GetLength(cert, &extIdx, &extLen, certSz) <= 0)
+                                ret = ASN_PARSE_E;
+                            if (ret == 0) {
+                                extAuthKeyIdSet = 1;
+                                if (extLen == KEYID_SIZE)
+                                    XMEMCPY(hash, cert + extIdx, extLen);
+                                else {
+                                    ret = CalcHashId(cert + extIdx, extLen,
+                                                                          hash);
+                                }
+                            }
+                        }
+                        break;
+
+                    default:
+                        break;
+                    }
+                }
+                idx += len;
+            }
+        }
+    }
+
+    if (ret == 0 && pubKey == NULL) {
+        if (extAuthKeyIdSet)
+            ca = GetCA(cm, hash);
+        if (ca == NULL) {
+            ret = CalcHashId(cert + issuerIdx, issuerSz, hash);
+            if (ret == 0)
+                ca = GetCAByName(cm, hash);
+        }
+    }
+#else
+    if (ret == 0 && pubKey == NULL) {
+        ret = CalcHashId(cert + issuerIdx, issuerSz, hash);
+        if (ret == 0)
+            ca = GetCA(cm, hash);
+    }
+#endif /* !NO_SKID */
+    if (ca == NULL && pubKey == NULL)
+        ret = ASN_NO_SIGNER_E;
+
+    if (ret == 0) {
+        idx = sigIndex;
+        /* signatureAlgorithm */
+        if (GetAlgoId(cert, &idx, &oid, oidSigType, certSz) < 0)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0) {
+        if (oid != signatureOID)
+            ret = ASN_SIG_OID_E;
+    }
+    if (ret == 0) {
+        /* signatureValue */
+        if (CheckBitString(cert, &idx, &len, certSz, 1, NULL) < 0)
+            ret = ASN_PARSE_E;
+    }
+
+    if (ret == 0) {
+        if (pubKey != NULL) {
+            ret = ConfirmSignature(sigCtx, cert + tbsCertIdx,
+                               sigIndex - tbsCertIdx,
+                               pubKey, pubKeySz, pubKeyOID,
+                               cert + idx, len, signatureOID, NULL);
+        }
+        else {
+            ret = ConfirmSignature(sigCtx, cert + tbsCertIdx,
+                               sigIndex - tbsCertIdx,
+                               ca->publicKey, ca->pubKeySize, ca->keyOID,
+                               cert + idx, len, signatureOID, NULL);
+        }
+        if (ret != 0) {
+            WOLFSSL_MSG("Confirm signature failed");
+        }
+    }
+
+    FreeSignatureCtx(sigCtx);
+#ifdef WOLFSSL_SMALL_STACK
+    if (sigCtx != NULL)
+        XFREE(sigCtx, heap, DYNAMIC_TYPE_SIGNATURE);
+#endif
+    return ret;
+}
+
+#ifdef OPENSSL_EXTRA
+/* Call CheckCertSignature_ex using a public key buffer for verification
+ */
+int CheckCertSignaturePubKey(const byte* cert, word32 certSz, void* heap,
+        const byte* pubKey, word32 pubKeySz, int pubKeyOID)
+{
+    return CheckCertSignature_ex(cert, certSz, heap, NULL,
+            pubKey, pubKeySz, pubKeyOID);
+}
+#endif /* OPENSSL_EXTRA */
+#ifdef WOLFSSL_SMALL_CERT_VERIFY
+/* Call CheckCertSignature_ex using a certificate manager (cm)
+ */
+int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm)
+{
+    return CheckCertSignature_ex(cert, certSz, heap, cm, NULL, 0, 0);
+}
+#endif /* WOLFSSL_SMALL_CERT_VERIFY */
+#endif /* WOLFSSL_SMALL_CERT_VERIFY || OPENSSL_EXTRA */
 
 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 {
+    int    ret = 0;
+    int    checkPathLen = 0;
+    int    decrementMaxPathLen = 0;
     word32 confirmOID;
-    int    ret;
-    int    badDate     = 0;
-    int    criticalExt = 0;
+#if defined(WOLFSSL_RENESAS_TSIP)
+    int    idx = 0;
+#endif
+    byte*  tsip_encRsaKeyIdx;
 
-    if ((ret = DecodeToKey(cert, verify)) < 0) {
-        if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)
-            badDate = ret;
-        else
-            return ret;
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-    WOLFSSL_MSG("Parsed Past Key");
+    if (cert->sigCtx.state == SIG_STATE_BEGIN) {
+        cert->badDate = 0;
+        cert->criticalExt = 0;
+        if ((ret = DecodeToKey(cert, verify)) < 0) {
+            if (ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E)
+                cert->badDate = ret;
+            else
+                return ret;
+        }
+
+        WOLFSSL_MSG("Parsed Past Key");
 
-    if (cert->srcIdx < cert->sigIndex) {
+        if (cert->srcIdx < cert->sigIndex) {
         #ifndef ALLOW_V1_EXTENSIONS
             if (cert->version < 2) {
-                WOLFSSL_MSG("    v1 and v2 certs not allowed extensions");
+                WOLFSSL_MSG("\tv1 and v2 certs not allowed extensions");
                 return ASN_VERSION_E;
             }
         #endif
-        /* save extensions */
-        cert->extensions    = &cert->source[cert->srcIdx];
-        cert->extensionsSz  =  cert->sigIndex - cert->srcIdx;
-        cert->extensionsIdx = cert->srcIdx;   /* for potential later use */
-
-        if ((ret = DecodeCertExtensions(cert)) < 0) {
-            if (ret == ASN_CRIT_EXT_E)
-                criticalExt = ret;
-            else
-                return ret;
-        }
 
-        /* advance past extensions */
-        cert->srcIdx =  cert->sigIndex;
-    }
+            /* save extensions */
+            cert->extensions    = &cert->source[cert->srcIdx];
+            cert->extensionsSz  = cert->sigIndex - cert->srcIdx;
+            cert->extensionsIdx = cert->srcIdx;   /* for potential later use */
 
-    if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
-                         cert->maxIdx)) < 0)
-        return ret;
+            if ((ret = DecodeCertExtensions(cert)) < 0) {
+                if (ret == ASN_CRIT_EXT_E)
+                    cert->criticalExt = ret;
+                else
+                    return ret;
+            }
 
-    if ((ret = GetSignature(cert)) < 0)
-        return ret;
+            /* advance past extensions */
+            cert->srcIdx = cert->sigIndex;
+        }
+
+        if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
+                             oidSigType, cert->maxIdx)) < 0)
+            return ret;
+
+        if ((ret = GetSignature(cert)) < 0)
+            return ret;
 
-    if (confirmOID != cert->signatureOID)
-        return ASN_SIG_OID_E;
+        if (confirmOID != cert->signatureOID)
+            return ASN_SIG_OID_E;
 
     #ifndef NO_SKID
-        if (cert->extSubjKeyIdSet == 0
-                          && cert->publicKey != NULL && cert->pubKeySize > 0) {
-        #ifdef NO_SHA
-            ret = wc_Sha256Hash(cert->publicKey, cert->pubKeySize,
+        if (cert->extSubjKeyIdSet == 0 && cert->publicKey != NULL &&
+                                                         cert->pubKeySize > 0) {
+            ret = CalcHashId(cert->publicKey, cert->pubKeySize,
                                                             cert->extSubjKeyId);
-        #else
-            ret = wc_ShaHash(cert->publicKey, cert->pubKeySize,
-                                                            cert->extSubjKeyId);
-        #endif
             if (ret != 0)
                 return ret;
         }
-    #endif
+    #endif /* !NO_SKID */
 
-    if (verify && type != CA_TYPE) {
-        Signer* ca = NULL;
-        #ifndef NO_SKID
-            if (cert->extAuthKeyIdSet)
-                ca = GetCA(cm, cert->extAuthKeyId);
-            if (ca == NULL)
-                ca = GetCAByName(cm, cert->issuerHash);
-        #else /* NO_SKID */
-            ca = GetCA(cm, cert->issuerHash);
-        #endif /* NO SKID */
-        WOLFSSL_MSG("About to verify certificate signature");
- 
-        if (ca) {
-#ifdef HAVE_OCSP
-            /* Need the ca's public key hash for OCSP */
-    #ifdef NO_SHA
-            ret = wc_Sha256Hash(ca->publicKey, ca->pubKeySize,
-                                cert->issuerKeyHash);
-    #else /* NO_SHA */
-            ret = wc_ShaHash(ca->publicKey, ca->pubKeySize,
-                                cert->issuerKeyHash);
-    #endif /* NO_SHA */
-            if (ret != 0)
-                return ret;
-#endif /* HAVE_OCSP */
-            /* try to confirm/verify signature */
-            if (!ConfirmSignature(cert->source + cert->certBegin,
+        if (!cert->selfSigned || (verify != NO_VERIFY && type != CA_TYPE &&
+                                                   type != TRUSTED_PEER_TYPE)) {
+            cert->ca = NULL;
+    #ifndef NO_SKID
+            if (cert->extAuthKeyIdSet) {
+                cert->ca = GetCA(cm, cert->extAuthKeyId);
+            }
+            if (cert->ca == NULL && cert->extSubjKeyIdSet
+                                 && verify != VERIFY_OCSP) {
+                cert->ca = GetCA(cm, cert->extSubjKeyId);
+            }
+            if (cert->ca != NULL && XMEMCMP(cert->issuerHash,
+                                  cert->ca->subjectNameHash, KEYID_SIZE) != 0) {
+                cert->ca = NULL;
+            }
+            if (cert->ca == NULL) {
+                cert->ca = GetCAByName(cm, cert->issuerHash);
+                /* If AKID is available then this CA doesn't have the public
+                 * key required */
+                if (cert->ca && cert->extAuthKeyIdSet) {
+                    WOLFSSL_MSG("CA SKID doesn't match AKID");
+                    cert->ca = NULL;
+                }
+            }
+
+            /* OCSP Only: alt lookup using subject and pub key w/o sig check */
+        #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY
+            if (cert->ca == NULL && verify == VERIFY_OCSP) {
+                cert->ca = GetCABySubjectAndPubKey(cert, cm);
+                if (cert->ca) {
+                    ret = 0; /* success */
+                    goto exit_pcr;
+                }
+            }
+        #endif /* WOLFSSL_NO_TRUSTED_CERTS_VERIFY */
+    #else
+            cert->ca = GetCA(cm, cert->issuerHash);
+    #endif /* !NO_SKID */
+        }
+
+        if (cert->selfSigned) {
+            cert->maxPathLen = WOLFSSL_MAX_PATH_LEN;
+        } else {
+            /* RFC 5280 Section 4.2.1.9:
+             *
+             * load/receive check
+             *
+             * 1) Is CA boolean set?
+             *      No  - SKIP CHECK
+             *      Yes - Check key usage
+             * 2) Is Key usage extension present?
+             *      No  - goto 3
+             *      Yes - check keyCertSign assertion
+             *     2.a) Is keyCertSign asserted?
+             *          No  - goto 4
+             *          Yes - goto 3
+             * 3) Is pathLen set?
+             *      No  - goto 4
+             *      Yes - check pathLen against maxPathLen.
+             *      3.a) Is pathLen less than maxPathLen?
+             *           No - goto 4
+             *           Yes - set maxPathLen to pathLen and EXIT
+             * 4) Is maxPathLen > 0?
+             *      Yes - Reduce by 1
+             *      No  - ERROR
+             */
+
+            if (cert->ca && cert->pathLengthSet) {
+                cert->maxPathLen = cert->pathLength;
+                if (cert->isCA) {
+                    WOLFSSL_MSG("\tCA boolean set");
+                    if (cert->extKeyUsageSet) {
+                         WOLFSSL_MSG("\tExtension Key Usage Set");
+                         if ((cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) != 0) {
+                            checkPathLen = 1;
+                         } else {
+                            decrementMaxPathLen = 1;
+                         }
+                    } else {
+                        checkPathLen = 1;
+                    } /* !cert->ca check */
+                } /* cert is not a CA (assuming entity cert) */
+
+                if (checkPathLen && cert->pathLengthSet) {
+                    if (cert->pathLength < cert->ca->maxPathLen) {
+                        WOLFSSL_MSG("\tmaxPathLen status: set to pathLength");
+                        cert->maxPathLen = cert->pathLength;
+                    } else {
+                        decrementMaxPathLen = 1;
+                    }
+                }
+
+                if (decrementMaxPathLen && cert->ca->maxPathLen > 0) {
+                    WOLFSSL_MSG("\tmaxPathLen status: reduce by 1");
+                    cert->maxPathLen = cert->ca->maxPathLen - 1;
+                    if (verify != NO_VERIFY && type != CA_TYPE &&
+                                                    type != TRUSTED_PEER_TYPE) {
+                        WOLFSSL_MSG("\tmaxPathLen status: OK");
+                    }
+                } else if (decrementMaxPathLen && cert->ca->maxPathLen == 0) {
+                    cert->maxPathLen = 0;
+                    if (verify != NO_VERIFY && type != CA_TYPE &&
+                                                    type != TRUSTED_PEER_TYPE) {
+                        WOLFSSL_MSG("\tNon-entity cert, maxPathLen is 0");
+                        WOLFSSL_MSG("\tmaxPathLen status: ERROR");
+                        return ASN_PATHLEN_INV_E;
+                    }
+                }
+            } else if (cert->ca && cert->isCA) {
+                /* case where cert->pathLength extension is not set */
+                if (cert->ca->maxPathLen > 0) {
+                    cert->maxPathLen = cert->ca->maxPathLen - 1;
+                } else {
+                    cert->maxPathLen = 0;
+                    if (verify != NO_VERIFY && type != CA_TYPE &&
+                                                    type != TRUSTED_PEER_TYPE) {
+                        WOLFSSL_MSG("\tNon-entity cert, maxPathLen is 0");
+                        WOLFSSL_MSG("\tmaxPathLen status: ERROR");
+                        return ASN_PATHLEN_INV_E;
+                    }
+                }
+            }
+            #ifdef HAVE_OCSP
+            if (verify != NO_VERIFY && type != CA_TYPE &&
+                                                    type != TRUSTED_PEER_TYPE) {
+                if (cert->ca) {
+                    /* Need the CA's public key hash for OCSP */
+                    XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
+                                                                    KEYID_SIZE);
+                }
+
+            }
+            #endif /* HAVE_OCSP */
+        }
+    }
+#if defined(WOLFSSL_RENESAS_TSIP)
+    /* prepare for TSIP TLS cert verification API use */
+    if (cert->keyOID == RSAk) {
+        /* to call TSIP API, it needs keys position info in bytes */
+        if ((ret = RsaPublicKeyDecodeRawIndex(cert->publicKey, (word32*)&idx,
+                                   cert->pubKeySize,
+                                   &cert->sigCtx.pubkey_n_start,
+                                   &cert->sigCtx.pubkey_n_len,
+                                   &cert->sigCtx.pubkey_e_start,
+                                   &cert->sigCtx.pubkey_e_len)) != 0) {
+            WOLFSSL_MSG("Decoding index from cert failed.");
+            return ret;
+        }
+        cert->sigCtx.certBegin = cert->certBegin;
+    }
+    /* check if we can use TSIP for cert verification */
+    /* if the ca is verified as tsip root ca.         */
+    /* TSIP can only handle 2048 bits(256 byte) key.  */
+    if (cert->ca && tsip_checkCA(cert->ca->cm_idx) != 0 &&
+        cert->sigCtx.pubkey_n_len == 256) {
+
+        /* assign memory to encrypted tsip Rsa key index */
+        if (!cert->tsip_encRsaKeyIdx)
+            cert->tsip_encRsaKeyIdx =
+                            (byte*)XMALLOC(TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY,
+                             cert->heap, DYNAMIC_TYPE_RSA);
+        if (cert->tsip_encRsaKeyIdx == NULL)
+                return MEMORY_E;
+    } else {
+        if (cert->ca) {
+            /* TSIP isn't usable */
+            if (tsip_checkCA(cert->ca->cm_idx) == 0)
+                WOLFSSL_MSG("TSIP isn't usable because the ca isn't verified "
+                            "by TSIP.");
+            else if (cert->sigCtx.pubkey_n_len != 256)
+                WOLFSSL_MSG("TSIP isn't usable because the ca isn't signed by "
+                            "RSA 2048.");
+            else
+                WOLFSSL_MSG("TSIP isn't usable");
+        }
+        cert->tsip_encRsaKeyIdx = NULL;
+    }
+
+    tsip_encRsaKeyIdx = cert->tsip_encRsaKeyIdx;
+#else
+    tsip_encRsaKeyIdx = NULL;
+#endif
+
+    if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
+        if (cert->ca) {
+            if (verify == VERIFY || verify == VERIFY_OCSP ||
+                                                 verify == VERIFY_SKIP_DATE) {
+                /* try to confirm/verify signature */
+                if ((ret = ConfirmSignature(&cert->sigCtx,
+                        cert->source + cert->certBegin,
                         cert->sigIndex - cert->certBegin,
-                    ca->publicKey, ca->pubKeySize, ca->keyOID,
-                    cert->signature, cert->sigLength, cert->signatureOID,
-                    cert->heap)) {
-                WOLFSSL_MSG("Confirm signature failed");
-                return ASN_SIG_CONFIRM_E;
+                        cert->ca->publicKey, cert->ca->pubKeySize,
+                        cert->ca->keyOID, cert->signature,
+                        cert->sigLength, cert->signatureOID,
+                        tsip_encRsaKeyIdx)) != 0) {
+                    if (ret != 0 && ret != WC_PENDING_E) {
+                        WOLFSSL_MSG("Confirm signature failed");
+                    }
+                    return ret;
+                }
             }
-#ifndef IGNORE_NAME_CONSTRAINTS
-            /* check that this cert's name is permitted by the signer's
-             * name constraints */
-            if (!ConfirmNameConstraints(ca, cert)) {
-                WOLFSSL_MSG("Confirm name constraint failed");
-                return ASN_NAME_INVALID_E;
+        #ifndef IGNORE_NAME_CONSTRAINTS
+            if (verify == VERIFY || verify == VERIFY_OCSP ||
+                        verify == VERIFY_NAME || verify == VERIFY_SKIP_DATE) {
+                /* check that this cert's name is permitted by the signer's
+                 * name constraints */
+                if (!ConfirmNameConstraints(cert->ca, cert)) {
+                    WOLFSSL_MSG("Confirm name constraint failed");
+                    return ASN_NAME_INVALID_E;
+                }
             }
-#endif /* IGNORE_NAME_CONSTRAINTS */
+        #endif /* IGNORE_NAME_CONSTRAINTS */
         }
         else {
             /* no signer */
@@ -4425,15 +9522,22 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
         }
     }
 
-    if (badDate != 0)
-        return badDate;
+#if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID)
+exit_pcr:
+#endif
 
-    if (criticalExt != 0)
-        return criticalExt;
+    if (cert->badDate != 0) {
+        if (verify != VERIFY_SKIP_DATE) {
+            return cert->badDate;
+        }
+        WOLFSSL_MSG("Date error: Verify option is skipping");
+    }
 
-    return 0;
-}
+    if (cert->criticalExt != 0)
+        return cert->criticalExt;
 
+    return ret;
+}
 
 /* Create and init an new signer */
 Signer* MakeSigner(void* heap)
@@ -4441,16 +9545,7 @@ Signer* MakeSigner(void* heap)
     Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap,
                                        DYNAMIC_TYPE_SIGNER);
     if (signer) {
-        signer->pubKeySize = 0;
-        signer->keyOID     = 0;
-        signer->publicKey  = NULL;
-        signer->nameLen    = 0;
-        signer->name       = NULL;
-        #ifndef IGNORE_NAME_CONSTRAINTS
-            signer->permittedNames = NULL;
-            signer->excludedNames = NULL;
-        #endif /* IGNORE_NAME_CONSTRAINTS */
-        signer->next       = NULL;
+        XMEMSET(signer, 0, sizeof(Signer));
     }
     (void)heap;
 
@@ -4462,13 +9557,16 @@ Signer* MakeSigner(void* heap)
 void FreeSigner(Signer* signer, void* heap)
 {
     XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
-    XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
-    #ifndef IGNORE_NAME_CONSTRAINTS
-        if (signer->permittedNames)
-            FreeNameSubtrees(signer->permittedNames, heap);
-        if (signer->excludedNames)
-            FreeNameSubtrees(signer->excludedNames, heap);
-    #endif
+    XFREE((void*)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
+#ifndef IGNORE_NAME_CONSTRAINTS
+    if (signer->permittedNames)
+        FreeNameSubtrees(signer->permittedNames, heap);
+    if (signer->excludedNames)
+        FreeNameSubtrees(signer->excludedNames, heap);
+#endif
+#ifdef WOLFSSL_SIGNER_DER_CERT
+    FreeDer(&signer->derCert);
+#endif
     XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
 
     (void)heap;
@@ -4491,14 +9589,59 @@ void FreeSignerTable(Signer** table, int rows, void* heap)
     }
 }
 
+#ifdef WOLFSSL_TRUST_PEER_CERT
+/* Free an individual trusted peer cert */
+void FreeTrustedPeer(TrustedPeerCert* tp, void* heap)
+{
+    if (tp == NULL) {
+        return;
+    }
+
+    if (tp->name) {
+        XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
+    }
+
+    if (tp->sig) {
+        XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE);
+    }
+#ifndef IGNORE_NAME_CONSTRAINTS
+    if (tp->permittedNames)
+        FreeNameSubtrees(tp->permittedNames, heap);
+    if (tp->excludedNames)
+        FreeNameSubtrees(tp->excludedNames, heap);
+#endif
+    XFREE(tp, heap, DYNAMIC_TYPE_CERT);
+
+    (void)heap;
+}
+
+/* Free the whole Trusted Peer linked list */
+void FreeTrustedPeerTable(TrustedPeerCert** table, int rows, void* heap)
+{
+    int i;
+
+    for (i = 0; i < rows; i++) {
+        TrustedPeerCert* tp = table[i];
+        while (tp) {
+            TrustedPeerCert* next = tp->next;
+            FreeTrustedPeer(tp, heap);
+            tp = next;
+        }
+        table[i] = NULL;
+    }
+}
+#endif /* WOLFSSL_TRUST_PEER_CERT */
 
-WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
+int SetMyVersion(word32 version, byte* output, int header)
 {
     int i = 0;
 
+    if (output == NULL)
+        return BAD_FUNC_ARG;
+
     if (header) {
         output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED;
-        output[i++] = ASN_BIT_STRING;
+        output[i++] = 3;
     }
     output[i++] = ASN_INTEGER;
     output[i++] = 0x01;
@@ -4507,65 +9650,558 @@ WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
     return i;
 }
 
+int SetSerialNumber(const byte* sn, word32 snSz, byte* output,
+    word32 outputSz, int maxSnSz)
+{
+    int i;
+    int snSzInt = (int)snSz;
+
+    if (sn == NULL || output == NULL || snSzInt < 0)
+        return BAD_FUNC_ARG;
+
+    /* remove leading zeros */
+    while (snSzInt > 0 && sn[0] == 0) {
+        snSzInt--;
+        sn++;
+    }
+    /* RFC 5280 - 4.1.2.2:
+     *   Serial numbers must be a positive value (and not zero) */
+    if (snSzInt == 0)
+        return BAD_FUNC_ARG;
+
+    if (sn[0] & 0x80)
+        maxSnSz--;
+    /* truncate if input is too long */
+    if (snSzInt > maxSnSz)
+        snSzInt = maxSnSz;
+
+    i = SetASNInt(snSzInt, sn[0], NULL);
+    /* truncate if input is too long */
+    if (snSzInt > (int)outputSz - i)
+        snSzInt = (int)outputSz - i;
+    /* sanity check number of bytes to copy */
+    if (snSzInt <= 0) {
+        return BUFFER_E;
+    }
+
+    /* write out ASN.1 Integer */
+    (void)SetASNInt(snSzInt, sn[0], output);
+    XMEMCPY(output + i, sn, snSzInt);
 
-WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
+    /* compute final length */
+    i += snSzInt;
+
+    return i;
+}
+
+#endif /* !NO_CERTS */
+
+int GetSerialNumber(const byte* input, word32* inOutIdx,
+    byte* serial, int* serialSz, word32 maxIdx)
 {
     int result = 0;
+    int ret;
+
+    WOLFSSL_ENTER("GetSerialNumber");
+
+    if (serial == NULL || input == NULL || serialSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* First byte is ASN type */
+    if ((*inOutIdx+1) > maxIdx) {
+        WOLFSSL_MSG("Bad idx first");
+        return BUFFER_E;
+    }
+
+    ret = GetASNInt(input, inOutIdx, serialSz, maxIdx);
+    if (ret != 0)
+        return ret;
+
+    if (*serialSz > EXTERNAL_SERIAL_SIZE) {
+        WOLFSSL_MSG("Serial size bad");
+        return ASN_PARSE_E;
+    }
+
+    /* return serial */
+    XMEMCPY(serial, &input[*inOutIdx], *serialSz);
+    *inOutIdx += *serialSz;
+
+    return result;
+}
 
-    WOLFSSL_ENTER("SetSerialNumber");
+#ifndef NO_CERTS
 
-    if (snSz <= EXTERNAL_SERIAL_SIZE) {
-        output[0] = ASN_INTEGER;
-        /* The serial number is always positive. When encoding the
-         * INTEGER, if the MSB is 1, add a padding zero to keep the
-         * number positive. */
-        if (sn[0] & 0x80) {
-            output[1] = (byte)snSz + 1;
-            output[2] = 0;
-            XMEMCPY(&output[3], sn, snSz);
-            result = snSz + 3;
+int AllocDer(DerBuffer** pDer, word32 length, int type, void* heap)
+{
+    int ret = BAD_FUNC_ARG;
+    if (pDer) {
+        int dynType = 0;
+        DerBuffer* der;
+
+        /* Determine dynamic type */
+        switch (type) {
+            case CA_TYPE:   dynType = DYNAMIC_TYPE_CA;   break;
+            case CERT_TYPE: dynType = DYNAMIC_TYPE_CERT; break;
+            case CRL_TYPE:  dynType = DYNAMIC_TYPE_CRL;  break;
+            case DSA_TYPE:  dynType = DYNAMIC_TYPE_DSA;  break;
+            case ECC_TYPE:  dynType = DYNAMIC_TYPE_ECC;  break;
+            case RSA_TYPE:  dynType = DYNAMIC_TYPE_RSA;  break;
+            default:        dynType = DYNAMIC_TYPE_KEY;  break;
         }
-        else {
-            output[1] = (byte)snSz;
-            XMEMCPY(&output[2], sn, snSz);
-            result = snSz + 2;
+
+        /* Setup new buffer */
+        *pDer = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + length, heap, dynType);
+        if (*pDer == NULL) {
+            return MEMORY_E;
         }
+        XMEMSET(*pDer, 0, sizeof(DerBuffer) + length);
+
+        der = *pDer;
+        der->type = type;
+        der->dynType = dynType; /* Cache this for FreeDer */
+        der->heap = heap;
+        der->buffer = (byte*)der + sizeof(DerBuffer);
+        der->length = length;
+        ret = 0; /* Success */
     }
-    return result;
+    return ret;
 }
 
+void FreeDer(DerBuffer** pDer)
+{
+    if (pDer && *pDer)
+    {
+        DerBuffer* der = (DerBuffer*)*pDer;
 
+        /* ForceZero private keys */
+        if (der->type == PRIVATEKEY_TYPE) {
+            ForceZero(der->buffer, der->length);
+        }
+        der->buffer = NULL;
+        der->length = 0;
+        XFREE(der, der->heap, der->dynType);
 
+        *pDer = NULL;
+    }
+}
 
-#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)
+int wc_AllocDer(DerBuffer** pDer, word32 length, int type, void* heap)
+{
+    return AllocDer(pDer, length, type, heap);
+}
+void wc_FreeDer(DerBuffer** pDer)
+{
+    FreeDer(pDer);
+}
+
+
+#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
+
+/* Max X509 header length indicates the max length + 2 ('\n', '\0') */
+#define MAX_X509_HEADER_SZ  (37 + 2)
+
+wcchar BEGIN_CERT           = "-----BEGIN CERTIFICATE-----";
+wcchar END_CERT             = "-----END CERTIFICATE-----";
+#ifdef WOLFSSL_CERT_REQ
+    wcchar BEGIN_CERT_REQ   = "-----BEGIN CERTIFICATE REQUEST-----";
+    wcchar END_CERT_REQ     = "-----END CERTIFICATE REQUEST-----";
+#endif
+#ifndef NO_DH
+    wcchar BEGIN_DH_PARAM   = "-----BEGIN DH PARAMETERS-----";
+    wcchar END_DH_PARAM     = "-----END DH PARAMETERS-----";
+#endif
+#ifndef NO_DSA
+    wcchar BEGIN_DSA_PARAM  = "-----BEGIN DSA PARAMETERS-----";
+    wcchar END_DSA_PARAM    = "-----END DSA PARAMETERS-----";
+#endif
+wcchar BEGIN_X509_CRL       = "-----BEGIN X509 CRL-----";
+wcchar END_X509_CRL         = "-----END X509 CRL-----";
+wcchar BEGIN_RSA_PRIV       = "-----BEGIN RSA PRIVATE KEY-----";
+wcchar END_RSA_PRIV         = "-----END RSA PRIVATE KEY-----";
+wcchar BEGIN_PRIV_KEY       = "-----BEGIN PRIVATE KEY-----";
+wcchar END_PRIV_KEY         = "-----END PRIVATE KEY-----";
+wcchar BEGIN_ENC_PRIV_KEY   = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
+wcchar END_ENC_PRIV_KEY     = "-----END ENCRYPTED PRIVATE KEY-----";
+#ifdef HAVE_ECC
+    wcchar BEGIN_EC_PRIV    = "-----BEGIN EC PRIVATE KEY-----";
+    wcchar END_EC_PRIV      = "-----END EC PRIVATE KEY-----";
+#endif
+#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
+                                                                !defined(NO_DSA)
+    wcchar BEGIN_DSA_PRIV   = "-----BEGIN DSA PRIVATE KEY-----";
+    wcchar END_DSA_PRIV     = "-----END DSA PRIVATE KEY-----";
+#endif
+#ifdef OPENSSL_EXTRA
+    const char BEGIN_PRIV_KEY_PREFIX[] = "-----BEGIN";
+    const char PRIV_KEY_SUFFIX[] = "PRIVATE KEY-----";
+    const char END_PRIV_KEY_PREFIX[]   = "-----END";
+#endif
+wcchar BEGIN_PUB_KEY        = "-----BEGIN PUBLIC KEY-----";
+wcchar END_PUB_KEY          = "-----END PUBLIC KEY-----";
+#if defined(HAVE_ED25519) || defined(HAVE_ED448)
+    wcchar BEGIN_EDDSA_PRIV = "-----BEGIN EDDSA PRIVATE KEY-----";
+    wcchar END_EDDSA_PRIV   = "-----END EDDSA PRIVATE KEY-----";
+#endif
+#ifdef HAVE_CRL
+    const char *const BEGIN_CRL = "-----BEGIN X509 CRL-----";
+    wcchar END_CRL   = "-----END X509 CRL-----";
+#endif
+
+
+static WC_INLINE char* SkipEndOfLineChars(char* line, const char* endOfLine)
+{
+    /* eat end of line characters */
+    while (line < endOfLine &&
+              (line[0] == '\r' || line[0] == '\n')) {
+        line++;
+    }
+    return line;
+}
+
+int wc_PemGetHeaderFooter(int type, const char** header, const char** footer)
+{
+    int ret = BAD_FUNC_ARG;
+
+    switch (type) {
+        case CA_TYPE:       /* same as below */
+        case TRUSTED_PEER_TYPE:
+        case CERT_TYPE:
+            if (header) *header = BEGIN_CERT;
+            if (footer) *footer = END_CERT;
+            ret = 0;
+            break;
+
+        case CRL_TYPE:
+            if (header) *header = BEGIN_X509_CRL;
+            if (footer) *footer = END_X509_CRL;
+            ret = 0;
+            break;
+    #ifndef NO_DH
+        case DH_PARAM_TYPE:
+            if (header) *header = BEGIN_DH_PARAM;
+            if (footer) *footer = END_DH_PARAM;
+            ret = 0;
+            break;
+    #endif
+    #ifndef NO_DSA
+        case DSA_PARAM_TYPE:
+            if (header) *header = BEGIN_DSA_PARAM;
+            if (footer) *footer = END_DSA_PARAM;
+            ret = 0;
+            break;
+    #endif
+    #ifdef WOLFSSL_CERT_REQ
+        case CERTREQ_TYPE:
+            if (header) *header = BEGIN_CERT_REQ;
+            if (footer) *footer = END_CERT_REQ;
+            ret = 0;
+            break;
+    #endif
+    #ifndef NO_DSA
+        case DSA_TYPE:
+        case DSA_PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_DSA_PRIV;
+            if (footer) *footer = END_DSA_PRIV;
+            ret = 0;
+            break;
+    #endif
+    #ifdef HAVE_ECC
+        case ECC_TYPE:
+        case ECC_PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_EC_PRIV;
+            if (footer) *footer = END_EC_PRIV;
+            ret = 0;
+            break;
+    #endif
+        case RSA_TYPE:
+        case PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_RSA_PRIV;
+            if (footer) *footer = END_RSA_PRIV;
+            ret = 0;
+            break;
+    #ifdef HAVE_ED25519
+        case ED25519_TYPE:
+    #endif
+    #ifdef HAVE_ED448
+        case ED448_TYPE:
+    #endif
+    #if defined(HAVE_ED25519) || defined(HAVE_ED448)
+        case EDDSA_PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_EDDSA_PRIV;
+            if (footer) *footer = END_EDDSA_PRIV;
+            ret = 0;
+            break;
+    #endif
+        case PUBLICKEY_TYPE:
+        case ECC_PUBLICKEY_TYPE:
+            if (header) *header = BEGIN_PUB_KEY;
+            if (footer) *footer = END_PUB_KEY;
+            ret = 0;
+            break;
+    #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+        case DH_PRIVATEKEY_TYPE:
+    #endif
+        case PKCS8_PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_PRIV_KEY;
+            if (footer) *footer = END_PRIV_KEY;
+            ret = 0;
+            break;
+        case PKCS8_ENC_PRIVATEKEY_TYPE:
+            if (header) *header = BEGIN_ENC_PRIV_KEY;
+            if (footer) *footer = END_ENC_PRIV_KEY;
+            ret = 0;
+            break;
+        default:
+            break;
+    }
+    return ret;
+}
+
+#ifdef WOLFSSL_ENCRYPTED_KEYS
+
+static wcchar kProcTypeHeader = "Proc-Type";
+static wcchar kDecInfoHeader = "DEK-Info";
+
+#ifdef WOLFSSL_PEM_TO_DER
+#ifndef NO_DES3
+    static wcchar kEncTypeDes = "DES-CBC";
+    static wcchar kEncTypeDes3 = "DES-EDE3-CBC";
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
+    static wcchar kEncTypeAesCbc128 = "AES-128-CBC";
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_192)
+    static wcchar kEncTypeAesCbc192 = "AES-192-CBC";
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
+    static wcchar kEncTypeAesCbc256 = "AES-256-CBC";
+#endif
+
+int wc_EncryptedInfoGet(EncryptedInfo* info, const char* cipherInfo)
+{
+    int ret = 0;
+
+    if (info == NULL || cipherInfo == NULL)
+        return BAD_FUNC_ARG;
+
+    /* determine cipher information */
+#ifndef NO_DES3
+    if (XSTRNCMP(cipherInfo, kEncTypeDes, XSTRLEN(kEncTypeDes)) == 0) {
+        info->cipherType = WC_CIPHER_DES;
+        info->keySz = DES_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = DES_IV_SIZE;
+    }
+    else if (XSTRNCMP(cipherInfo, kEncTypeDes3, XSTRLEN(kEncTypeDes3)) == 0) {
+        info->cipherType = WC_CIPHER_DES3;
+        info->keySz = DES3_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = DES_IV_SIZE;
+    }
+    else
+#endif /* !NO_DES3 */
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
+    if (XSTRNCMP(cipherInfo, kEncTypeAesCbc128, XSTRLEN(kEncTypeAesCbc128)) == 0) {
+        info->cipherType = WC_CIPHER_AES_CBC;
+        info->keySz = AES_128_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_192)
+    if (XSTRNCMP(cipherInfo, kEncTypeAesCbc192, XSTRLEN(kEncTypeAesCbc192)) == 0) {
+        info->cipherType = WC_CIPHER_AES_CBC;
+        info->keySz = AES_192_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_256)
+    if (XSTRNCMP(cipherInfo, kEncTypeAesCbc256, XSTRLEN(kEncTypeAesCbc256)) == 0) {
+        info->cipherType = WC_CIPHER_AES_CBC;
+        info->keySz = AES_256_KEY_SIZE;
+        if (info->ivSz == 0) info->ivSz  = AES_IV_SIZE;
+    }
+    else
+#endif
+    {
+        ret = NOT_COMPILED_IN;
+    }
+    return ret;
+}
+
+int wc_EncryptedInfoParse(EncryptedInfo* info, char** pBuffer, size_t bufSz)
+{
+    int err = 0;
+    char*  bufferStart;
+    char*  bufferEnd;
+    char*  line;
+    word32 lineSz;
+    char*  finish;
+    word32 finishSz;
+    char*  start = NULL;
+    word32 startSz;
+    char*  newline = NULL;
+
+    if (info == NULL || pBuffer == NULL || bufSz == 0)
+        return BAD_FUNC_ARG;
+
+    bufferStart = *pBuffer;
+    bufferEnd = bufferStart + bufSz;
+
+    /* find encrypted info marker */
+    line = XSTRNSTR(bufferStart, kProcTypeHeader,
+                    min((word32)bufSz, PEM_LINE_LEN));
+    if (line != NULL) {
+        if (line >= bufferEnd) {
+            return BUFFER_E;
+        }
+
+        lineSz = (word32)(bufferEnd - line);
+
+        /* find DEC-Info marker */
+        start = XSTRNSTR(line, kDecInfoHeader, min(lineSz, PEM_LINE_LEN));
+
+        if (start == NULL)
+            return BUFFER_E;
+
+        /* skip dec-info and ": " */
+        start += XSTRLEN(kDecInfoHeader);
+        if (start >= bufferEnd)
+            return BUFFER_E;
+
+        if (start[0] == ':') {
+            start++;
+            if (start >= bufferEnd)
+                return BUFFER_E;
+        }
+        if (start[0] == ' ')
+            start++;
+
+        startSz = (word32)(bufferEnd - start);
+        finish = XSTRNSTR(start, ",", min(startSz, PEM_LINE_LEN));
+
+        if ((start != NULL) && (finish != NULL) && (start < finish)) {
+            if (finish >= bufferEnd) {
+                return BUFFER_E;
+            }
+
+            finishSz = (word32)(bufferEnd - finish);
+            newline = XSTRNSTR(finish, "\r", min(finishSz, PEM_LINE_LEN));
+
+            /* get cipher name */
+            if (NAME_SZ < (finish - start)) /* buffer size of info->name */
+                return BUFFER_E;
+            if (XMEMCPY(info->name, start, finish - start) == NULL)
+                return BUFFER_E;
+            info->name[finish - start] = '\0'; /* null term */
+
+            /* populate info */
+            err = wc_EncryptedInfoGet(info, info->name);
+            if (err != 0)
+                return err;
+
+            /* get IV */
+            if (finishSz < info->ivSz + 1)
+                return BUFFER_E;
+
+            if (newline == NULL) {
+                newline = XSTRNSTR(finish, "\n", min(finishSz,
+                                                     PEM_LINE_LEN));
+            }
+            if ((newline != NULL) && (newline > finish)) {
+                finish++;
+                info->ivSz = (word32)(newline - finish);
+                if (info->ivSz > IV_SZ)
+                    return BUFFER_E;
+                if (XMEMCPY(info->iv, finish, info->ivSz) == NULL)
+                    return BUFFER_E;
+                info->set = 1;
+            }
+            else
+                return BUFFER_E;
+        }
+        else
+            return BUFFER_E;
+
+        /* eat end of line characters */
+        newline = SkipEndOfLineChars(newline, bufferEnd);
+
+        /* return new headerEnd */
+
+        *pBuffer = newline;
+    }
+
+    return err;
+}
+#endif /* WOLFSSL_PEM_TO_DER */
+
+#ifdef WOLFSSL_DER_TO_PEM
+static int wc_EncryptedInfoAppend(char* dest, int destSz, char* cipherInfo)
+{
+    if (cipherInfo != NULL) {
+        int cipherInfoStrLen = (int)XSTRLEN((char*)cipherInfo);
+
+        if (cipherInfoStrLen > HEADER_ENCRYPTED_KEY_SIZE - (9+14+10+3))
+            cipherInfoStrLen = HEADER_ENCRYPTED_KEY_SIZE - (9+14+10+3);
+
+        if (destSz - (int)XSTRLEN(dest) >= cipherInfoStrLen + (9+14+8+2+2+1)) {
+            /* strncat's src length needs to include the NULL */
+            XSTRNCAT(dest, kProcTypeHeader, 10);
+            XSTRNCAT(dest, ": 4,ENCRYPTED\n", 15);
+            XSTRNCAT(dest, kDecInfoHeader, 9);
+            XSTRNCAT(dest, ": ", 3);
+            XSTRNCAT(dest, cipherInfo, destSz - (int)XSTRLEN(dest) - 1);
+            XSTRNCAT(dest, "\n\n", 4);
+        }
+    }
+    return 0;
+}
+#endif /* WOLFSSL_DER_TO_PEM */
+#endif /* WOLFSSL_ENCRYPTED_KEYS */
+
+#ifdef WOLFSSL_DER_TO_PEM
+
+/* Used for compatibility API */
+int wc_DerToPem(const byte* der, word32 derSz,
+                byte* output, word32 outSz, int type)
+{
+    return wc_DerToPemEx(der, derSz, output, outSz, NULL, type);
+}
 
 /* convert der buffer to pem into output, can't do inplace, der and output
    need to be different */
-int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
-             int type)
+int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz,
+             byte *cipher_info, int type)
 {
+    const char* headerStr = NULL;
+    const char* footerStr = NULL;
 #ifdef WOLFSSL_SMALL_STACK
     char* header = NULL;
     char* footer = NULL;
 #else
-    char header[80];
-    char footer[80];
+    char header[MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE];
+    char footer[MAX_X509_HEADER_SZ];
 #endif
-
-    int headerLen = 80;
-    int footerLen = 80;
+    int headerLen = MAX_X509_HEADER_SZ + HEADER_ENCRYPTED_KEY_SIZE;
+    int footerLen = MAX_X509_HEADER_SZ;
     int i;
     int err;
     int outLen;   /* return length or error */
 
+    (void)cipher_info;
+
     if (der == output)      /* no in place conversion */
         return BAD_FUNC_ARG;
 
+    err = wc_PemGetHeaderFooter(type, &headerStr, &footerStr);
+    if (err != 0)
+        return err;
+
 #ifdef WOLFSSL_SMALL_STACK
     header = (char*)XMALLOC(headerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (header == NULL)
         return MEMORY_E;
-    
+
     footer = (char*)XMALLOC(footerLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (footer == NULL) {
         XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -4573,39 +10209,44 @@ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
     }
 #endif
 
-    if (type == CERT_TYPE) {
-        XSTRNCPY(header, "-----BEGIN CERTIFICATE-----\n", headerLen);
-        XSTRNCPY(footer, "-----END CERTIFICATE-----\n",   footerLen);
-    }
-    else if (type == PRIVATEKEY_TYPE) {
-        XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----\n", headerLen);
-        XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----\n",   footerLen);
-    }
-    #ifdef HAVE_ECC
-    else if (type == ECC_PRIVATEKEY_TYPE) {
-        XSTRNCPY(header, "-----BEGIN EC PRIVATE KEY-----\n", headerLen);
-        XSTRNCPY(footer, "-----END EC PRIVATE KEY-----\n",   footerLen);
-    }
+    /* build header and footer based on type */
+    XSTRNCPY(header, headerStr, headerLen - 1);
+    header[headerLen - 2] = 0;
+    XSTRNCPY(footer, footerStr, footerLen - 1);
+    footer[footerLen - 2] = 0;
+
+    /* add new line to end */
+    XSTRNCAT(header, "\n", 2);
+    XSTRNCAT(footer, "\n", 2);
+
+#ifdef WOLFSSL_ENCRYPTED_KEYS
+    err = wc_EncryptedInfoAppend(header, headerLen, (char*)cipher_info);
+    if (err != 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     #endif
-    #ifdef WOLFSSL_CERT_REQ
-    else if (type == CERTREQ_TYPE)
-    {
-        XSTRNCPY(header,
-                       "-----BEGIN CERTIFICATE REQUEST-----\n", headerLen);
-        XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----\n", footerLen);
+        return err;
     }
-    #endif
-    else {
+#endif
+
+    headerLen = (int)XSTRLEN(header);
+    footerLen = (int)XSTRLEN(footer);
+
+    /* if null output and 0 size passed in then return size needed */
+    if (!output && outSz == 0) {
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         XFREE(footer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return BAD_FUNC_ARG;
+        outLen = 0;
+        if ((err = Base64_Encode(der, derSz, NULL, (word32*)&outLen))
+                != LENGTH_ONLY_E) {
+            return err;
+        }
+        return headerLen + footerLen + outLen;
     }
 
-    headerLen = (int)XSTRLEN(header);
-    footerLen = (int)XSTRLEN(footer);
-
     if (!der || !output) {
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(header, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -4657,12 +10298,846 @@ int wc_DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
     return outLen + headerLen + footerLen;
 }
 
+#endif /* WOLFSSL_DER_TO_PEM */
+
+#ifdef WOLFSSL_PEM_TO_DER
+
+/* Remove PEM header/footer, convert to ASN1, store any encrypted data
+   info->consumed tracks of PEM bytes consumed in case multiple parts */
+int PemToDer(const unsigned char* buff, long longSz, int type,
+              DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
+{
+    const char* header      = NULL;
+    const char* footer      = NULL;
+    char*       headerEnd;
+    char*       footerEnd;
+    char*       consumedEnd;
+    char*       bufferEnd   = (char*)(buff + longSz);
+    long        neededSz;
+    int         ret         = 0;
+    int         sz          = (int)longSz;
+    int         encrypted_key = 0;
+    DerBuffer*  der;
+#if defined(HAVE_PKCS8) || defined(WOLFSSL_ENCRYPTED_KEYS)
+    word32      algId = 0;
+    #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3) && !defined(NO_WOLFSSL_SKIP_TRAILING_PAD)
+        int     padVal = 0;
+    #endif
+#endif
+#ifdef OPENSSL_EXTRA
+    char        beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */
+    char        endBuf[PEM_LINE_LEN + 1];   /* add 1 for null terminator */
+#endif
+
+    WOLFSSL_ENTER("PemToDer");
+
+    /* get PEM header and footer based on type */
+    ret = wc_PemGetHeaderFooter(type, &header, &footer);
+    if (ret != 0)
+        return ret;
+
+    /* map header if not found for type */
+    for (;;) {
+        headerEnd = XSTRNSTR((char*)buff, header, sz);
+
+        if (headerEnd) {
+            break;
+        } else
+        if (type == PRIVATEKEY_TYPE) {
+            if (header == BEGIN_RSA_PRIV) {
+                header =  BEGIN_PRIV_KEY;       footer = END_PRIV_KEY;
+            } else
+            if (header == BEGIN_PRIV_KEY) {
+                header =  BEGIN_ENC_PRIV_KEY;   footer = END_ENC_PRIV_KEY;
+            } else
+    #ifdef HAVE_ECC
+            if (header == BEGIN_ENC_PRIV_KEY) {
+                header =  BEGIN_EC_PRIV;        footer = END_EC_PRIV;
+            } else
+            if (header == BEGIN_EC_PRIV) {
+                header =  BEGIN_DSA_PRIV;       footer = END_DSA_PRIV;
+            } else
+    #endif
+    #if defined(HAVE_ED25519) || defined(HAVE_ED448)
+        #ifdef HAVE_ECC
+            if (header == BEGIN_DSA_PRIV)
+        #else
+            if (header == BEGIN_ENC_PRIV_KEY)
+        #endif
+            {
+                header =  BEGIN_EDDSA_PRIV;     footer = END_EDDSA_PRIV;
+            } else
+    #endif
+            {
+                break;
+            }
+        } else
+#ifdef HAVE_CRL
+        if ((type == CRL_TYPE) && (header != BEGIN_CRL)) {
+            header =  BEGIN_CRL;                footer = END_CRL;
+        } else
+#endif
+        {
+            break;
+        }
+    }
+
+    if (!headerEnd) {
+#ifdef OPENSSL_EXTRA
+        char* beginEnd;
+        int endLen;
+        /* see if there is a -----BEGIN * PRIVATE KEY----- header */
+        headerEnd = XSTRNSTR((char*)buff, PRIV_KEY_SUFFIX, sz);
+        if (headerEnd) {
+            beginEnd = headerEnd + XSTR_SIZEOF(PRIV_KEY_SUFFIX);
+            /* back up to BEGIN_PRIV_KEY_PREFIX */
+            headerEnd -= XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX);
+            while (headerEnd > (char*)buff &&
+                    XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX,
+                            XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0) {
+                headerEnd--;
+            }
+            if (headerEnd <= (char*)buff ||
+                    XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX,
+                    XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
+                    beginEnd - headerEnd > PEM_LINE_LEN) {
+                WOLFSSL_MSG("Couldn't find PEM header");
+                return ASN_NO_PEM_HEADER;
+            }
+            /* headerEnd now points to beginning of header */
+            XMEMCPY(beginBuf, headerEnd, beginEnd - headerEnd);
+            beginBuf[beginEnd - headerEnd] = '\0';
+            /* look for matching footer */
+            footer = XSTRNSTR(beginEnd,
+                            beginBuf + XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX),
+                            (unsigned int)((char*)buff + sz - beginEnd));
+            if (!footer) {
+                WOLFSSL_MSG("Couldn't find PEM footer");
+                return ASN_NO_PEM_HEADER;
+            }
+            footer -= XSTR_SIZEOF(END_PRIV_KEY_PREFIX);
+            endLen = (unsigned int)(beginEnd - headerEnd -
+                        (XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX) -
+                                XSTR_SIZEOF(END_PRIV_KEY_PREFIX)));
+            XMEMCPY(endBuf, footer, endLen);
+            endBuf[endLen] = '\0';
+
+            header = beginBuf;
+            footer = endBuf;
+            headerEnd = beginEnd;
+        } else {
+            WOLFSSL_MSG("Couldn't find PEM header");
+            return ASN_NO_PEM_HEADER;
+        }
+#else
+        WOLFSSL_MSG("Couldn't find PEM header");
+        return ASN_NO_PEM_HEADER;
+#endif
+    } else {
+        headerEnd += XSTRLEN(header);
+    }
+
+    /* eat end of line characters */
+    headerEnd = SkipEndOfLineChars(headerEnd, bufferEnd);
+
+    if (type == PRIVATEKEY_TYPE) {
+        /* keyFormat is Key_Sum enum */
+        if (keyFormat) {
+        #ifdef HAVE_ECC
+            if (header == BEGIN_EC_PRIV)
+                *keyFormat = ECDSAk;
+        #endif
+        #if !defined(NO_DSA)
+            if (header == BEGIN_DSA_PRIV)
+                *keyFormat = DSAk;
+        #endif
+        }
+    }
+
+#ifdef WOLFSSL_ENCRYPTED_KEYS
+    if (info) {
+        ret = wc_EncryptedInfoParse(info, &headerEnd, bufferEnd - headerEnd);
+        if (ret < 0)
+            return ret;
+        if (info->set)
+            encrypted_key = 1;
+    }
+#endif /* WOLFSSL_ENCRYPTED_KEYS */
+
+    /* find footer */
+    footerEnd = XSTRNSTR(headerEnd, footer, (unsigned int)((char*)buff + sz - headerEnd));
+    if (!footerEnd) {
+        if (info)
+            info->consumed = longSz; /* No more certs if no footer */
+        return BUFFER_E;
+    }
+
+    consumedEnd = footerEnd + XSTRLEN(footer);
+
+    if (consumedEnd < bufferEnd) { /* handle no end of line on last line */
+        /* eat end of line characters */
+        consumedEnd = SkipEndOfLineChars(consumedEnd, bufferEnd);
+        /* skip possible null term */
+        if (consumedEnd < bufferEnd && consumedEnd[0] == '\0')
+            consumedEnd++;
+    }
+
+    if (info)
+        info->consumed = (long)(consumedEnd - (char*)buff);
+
+    /* set up der buffer */
+    neededSz = (long)(footerEnd - headerEnd);
+    if (neededSz > sz || neededSz <= 0)
+        return BUFFER_E;
+
+    ret = AllocDer(pDer, (word32)neededSz, type, heap);
+    if (ret < 0) {
+        return ret;
+    }
+    der = *pDer;
+
+    if (Base64_Decode((byte*)headerEnd, (word32)neededSz,
+                      der->buffer, &der->length) < 0)
+        return BUFFER_E;
+
+    if ((header == BEGIN_PRIV_KEY
+#ifdef OPENSSL_EXTRA
+         || header == beginBuf
+#endif
+#ifdef HAVE_ECC
+         || header == BEGIN_EC_PRIV
+#endif
+        ) && !encrypted_key)
+    {
+    #ifdef HAVE_PKCS8
+        /* pkcs8 key, convert and adjust length */
+        if ((ret = ToTraditional_ex(der->buffer, der->length, &algId)) > 0) {
+            der->length = ret;
+            if (keyFormat) {
+                *keyFormat = algId;
+            }
+        }
+        else {
+            /* ignore failure here and assume key is not pkcs8 wrapped */
+        }
+    #endif
+
+        return 0;
+    }
+
+#ifdef WOLFSSL_ENCRYPTED_KEYS
+    if (encrypted_key || header == BEGIN_ENC_PRIV_KEY) {
+        int   passwordSz = NAME_SZ;
+    #ifdef WOLFSSL_SMALL_STACK
+        char* password = NULL;
+    #else
+        char  password[NAME_SZ];
+    #endif
+
+        if (!info || !info->passwd_cb) {
+            WOLFSSL_MSG("No password callback set");
+            return NO_PASSWORD;
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING);
+        if (password == NULL)
+            return MEMORY_E;
+    #endif
+
+        /* get password */
+        ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
+            info->passwd_userdata);
+        if (ret >= 0) {
+            passwordSz = ret;
+
+            /* convert and adjust length */
+            if (header == BEGIN_ENC_PRIV_KEY) {
+            #ifndef NO_PWDBASED
+                ret = ToTraditionalEnc(der->buffer, der->length,
+                                       password, passwordSz, &algId);
+
+                if (ret >= 0) {
+                    der->length = ret;
+                    if (keyFormat) {
+                        *keyFormat = algId;
+                    }
+                    ret = 0;
+                }
+            #else
+                ret = NOT_COMPILED_IN;
+            #endif
+            }
+            /* decrypt the key */
+            else {
+                if (passwordSz == 0) {
+                    /* The key is encrypted but does not have a password */
+                    WOLFSSL_MSG("No password for encrypted key");
+                    ret = NO_PASSWORD;
+                }
+                else {
+                    ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
+                        (byte*)password, passwordSz, WC_MD5);
+
+#ifndef NO_WOLFSSL_SKIP_TRAILING_PAD
+                #ifndef NO_DES3
+                    if (info->cipherType == WC_CIPHER_DES3) {
+                        padVal = der->buffer[der->length-1];
+                        if (padVal <= DES_BLOCK_SIZE) {
+                            der->length -= padVal;
+                        }
+                    }
+                #endif /* !NO_DES3 */
+#endif /* !NO_WOLFSSL_SKIP_TRAILING_PAD */
+                }
+            }
+#ifdef OPENSSL_EXTRA
+            if (ret) {
+                PEMerr(0, PEM_R_BAD_DECRYPT);
+            }
+#endif
+            ForceZero(password, passwordSz);
+        }
+#ifdef OPENSSL_EXTRA
+        else {
+            PEMerr(0, PEM_R_BAD_PASSWORD_READ);
+        }
+#endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(password, heap, DYNAMIC_TYPE_STRING);
+    #endif
+    }
+#endif /* WOLFSSL_ENCRYPTED_KEYS */
+
+    return ret;
+}
+
+int wc_PemToDer(const unsigned char* buff, long longSz, int type,
+              DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey)
+{
+    return PemToDer(buff, longSz, type, pDer, heap, info, eccKey);
+}
+
+
+/* our KeyPemToDer password callback, password in userData */
+static WC_INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata)
+{
+    (void)rw;
+
+    if (userdata == NULL)
+        return 0;
+
+    XSTRNCPY(passwd, (char*)userdata, sz);
+    return min((word32)sz, (word32)XSTRLEN((char*)userdata));
+}
+
+/* Return bytes written to buff or < 0 for error */
+int wc_KeyPemToDer(const unsigned char* pem, int pemSz,
+                        unsigned char* buff, int buffSz, const char* pass)
+{
+    int            eccKey = 0;
+    int            ret;
+    DerBuffer*     der = NULL;
+#ifdef WOLFSSL_SMALL_STACK
+    EncryptedInfo* info = NULL;
+#else
+    EncryptedInfo  info[1];
+#endif
+
+    WOLFSSL_ENTER("wc_KeyPemToDer");
+
+    if (pem == NULL || buff == NULL || buffSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
+                                   DYNAMIC_TYPE_ENCRYPTEDINFO);
+    if (info == NULL)
+        return MEMORY_E;
+#endif
+
+    XMEMSET(info, 0, sizeof(EncryptedInfo));
+    info->passwd_cb = OurPasswordCb;
+    info->passwd_userdata = (void*)pass;
+
+    ret = PemToDer(pem, pemSz, PRIVATEKEY_TYPE, &der, NULL, info, &eccKey);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO);
+#endif
+
+    if (ret < 0 || der == NULL) {
+        WOLFSSL_MSG("Bad Pem To Der");
+    }
+    else {
+        if (der->length <= (word32)buffSz) {
+            XMEMCPY(buff, der->buffer, der->length);
+            ret = der->length;
+        }
+        else {
+            WOLFSSL_MSG("Bad der length");
+            ret = BAD_FUNC_ARG;
+        }
+    }
+
+    FreeDer(&der);
+    return ret;
+}
+
+
+/* Return bytes written to buff or < 0 for error */
+int wc_CertPemToDer(const unsigned char* pem, int pemSz,
+                        unsigned char* buff, int buffSz, int type)
+{
+    int            eccKey = 0;
+    int            ret;
+    DerBuffer*     der = NULL;
+
+    WOLFSSL_ENTER("wc_CertPemToDer");
+
+    if (pem == NULL || buff == NULL || buffSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+    if (type != CERT_TYPE && type != CA_TYPE && type != CERTREQ_TYPE) {
+        WOLFSSL_MSG("Bad cert type");
+        return BAD_FUNC_ARG;
+    }
+
+
+    ret = PemToDer(pem, pemSz, type, &der, NULL, NULL, &eccKey);
+    if (ret < 0 || der == NULL) {
+        WOLFSSL_MSG("Bad Pem To Der");
+    }
+    else {
+        if (der->length <= (word32)buffSz) {
+            XMEMCPY(buff, der->buffer, der->length);
+            ret = der->length;
+        }
+        else {
+            WOLFSSL_MSG("Bad der length");
+            ret = BAD_FUNC_ARG;
+        }
+    }
+
+    FreeDer(&der);
+    return ret;
+}
+
+#endif /* WOLFSSL_PEM_TO_DER */
+#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */
+
+
+#ifdef WOLFSSL_PEM_TO_DER
+#if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)
+/* Return bytes written to buff or < 0 for error */
+int wc_PubKeyPemToDer(const unsigned char* pem, int pemSz,
+                           unsigned char* buff, int buffSz)
+{
+    int ret;
+    DerBuffer* der = NULL;
+
+    WOLFSSL_ENTER("wc_PubKeyPemToDer");
+
+    if (pem == NULL || buff == NULL || buffSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+    ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL);
+    if (ret < 0 || der == NULL) {
+        WOLFSSL_MSG("Bad Pem To Der");
+    }
+    else {
+        if (der->length <= (word32)buffSz) {
+            XMEMCPY(buff, der->buffer, der->length);
+            ret = der->length;
+        }
+        else {
+            WOLFSSL_MSG("Bad der length");
+            ret = BAD_FUNC_ARG;
+        }
+    }
+
+    FreeDer(&der);
+    return ret;
+}
+#endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */
+#endif /* WOLFSSL_PEM_TO_DER */
+
+#ifndef NO_FILESYSTEM
+
+#ifdef WOLFSSL_CERT_GEN
+/* load pem cert from file into der buffer, return der size or error */
+int wc_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz)
+{
+#ifdef WOLFSSL_SMALL_STACK
+    byte   staticBuffer[1]; /* force XMALLOC */
+#else
+    byte   staticBuffer[FILE_BUFFER_SIZE];
+#endif
+    byte*  fileBuf = staticBuffer;
+    int    dynamic = 0;
+    int    ret     = 0;
+    long   sz      = 0;
+    XFILE  file;
+    DerBuffer* converted = NULL;
+
+    WOLFSSL_ENTER("wc_PemCertToDer");
+
+    if (fileName == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        file = XFOPEN(fileName, "rb");
+        if (file == XBADFILE) {
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        if(XFSEEK(file, 0, XSEEK_END) != 0)
+            ret = BUFFER_E;
+        sz = XFTELL(file);
+        XREWIND(file);
+
+        if (sz <= 0) {
+            ret = BUFFER_E;
+        }
+        else if (sz > (long)sizeof(staticBuffer)) {
+        #ifdef WOLFSSL_STATIC_MEMORY
+            WOLFSSL_MSG("File was larger then static buffer");
+            return MEMORY_E;
+        #endif
+            fileBuf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE);
+            if (fileBuf == NULL)
+                ret = MEMORY_E;
+            else
+                dynamic = 1;
+        }
+
+        if (ret == 0) {
+            if ( (ret = (int)XFREAD(fileBuf, 1, sz, file)) != sz) {
+                ret = BUFFER_E;
+            }
+        #ifdef WOLFSSL_PEM_TO_DER
+            else {
+                ret = PemToDer(fileBuf, sz, CA_TYPE, &converted,  0, NULL,NULL);
+            }
+        #endif
+
+            if (ret == 0) {
+                if (converted->length < (word32)derSz) {
+                    XMEMCPY(derBuf, converted->buffer, converted->length);
+                    ret = converted->length;
+                }
+                else
+                    ret = BUFFER_E;
+            }
+
+            FreeDer(&converted);
+        }
+
+        XFCLOSE(file);
+        if (dynamic)
+            XFREE(fileBuf, NULL, DYNAMIC_TYPE_FILE);
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_CERT_GEN */
+
+#if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)
+/* load pem public key from file into der buffer, return der size or error */
+int wc_PemPubKeyToDer(const char* fileName,
+                           unsigned char* derBuf, int derSz)
+{
+#ifdef WOLFSSL_SMALL_STACK
+    byte   staticBuffer[1]; /* force XMALLOC */
+#else
+    byte   staticBuffer[FILE_BUFFER_SIZE];
+#endif
+    byte*  fileBuf = staticBuffer;
+    int    dynamic = 0;
+    int    ret     = 0;
+    long   sz      = 0;
+    XFILE  file;
+    DerBuffer* converted = NULL;
+
+    WOLFSSL_ENTER("wc_PemPubKeyToDer");
+
+    if (fileName == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        file = XFOPEN(fileName, "rb");
+        if (file == XBADFILE) {
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        if(XFSEEK(file, 0, XSEEK_END) != 0)
+            ret = BUFFER_E;
+        sz = XFTELL(file);
+        XREWIND(file);
+
+        if (sz <= 0) {
+            ret = BUFFER_E;
+        }
+        else if (sz > (long)sizeof(staticBuffer)) {
+        #ifdef WOLFSSL_STATIC_MEMORY
+            WOLFSSL_MSG("File was larger then static buffer");
+            return MEMORY_E;
+        #endif
+            fileBuf = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE);
+            if (fileBuf == NULL)
+                ret = MEMORY_E;
+            else
+                dynamic = 1;
+        }
+        if (ret == 0) {
+            if ( (ret = (int)XFREAD(fileBuf, 1, sz, file)) != sz) {
+                ret = BUFFER_E;
+            }
+        #ifdef WOLFSSL_PEM_TO_DER
+            else {
+                ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted,
+                               0, NULL, NULL);
+            }
+        #endif
+
+            if (ret == 0) {
+                if (converted->length < (word32)derSz) {
+                    XMEMCPY(derBuf, converted->buffer, converted->length);
+                    ret = converted->length;
+                }
+                else
+                    ret = BUFFER_E;
+            }
+
+            FreeDer(&converted);
+        }
+
+        XFCLOSE(file);
+        if (dynamic)
+            XFREE(fileBuf, NULL, DYNAMIC_TYPE_FILE);
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */
+
+#endif /* !NO_FILESYSTEM */
+
+
+#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || \
+    ((defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(HAVE_USER_RSA)))
+/* USER RSA ifdef portions used instead of refactor in consideration for
+   possible fips build */
+/* Write a public RSA key to output */
+static int SetRsaPublicKey(byte* output, RsaKey* key,
+                           int outLen, int with_header)
+{
+#ifdef WOLFSSL_SMALL_STACK
+    byte* n = NULL;
+    byte* e = NULL;
+#else
+    byte n[MAX_RSA_INT_SZ];
+    byte e[MAX_RSA_E_SZ];
+#endif
+    byte seq[MAX_SEQ_SZ];
+    byte bitString[1 + MAX_LENGTH_SZ + 1];
+    int  nSz;
+    int  eSz;
+    int  seqSz;
+    int  bitStringSz;
+    int  idx;
+
+    if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ)
+        return BAD_FUNC_ARG;
+
+    /* n */
+#ifdef WOLFSSL_SMALL_STACK
+    n = (byte*)XMALLOC(MAX_RSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (n == NULL)
+        return MEMORY_E;
+#endif
+
+#ifdef HAVE_USER_RSA
+    nSz = SetASNIntRSA(key->n, n);
+#else
+    nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, n);
+#endif
+    if (nSz < 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return nSz;
+    }
+
+    /* e */
+#ifdef WOLFSSL_SMALL_STACK
+    e = (byte*)XMALLOC(MAX_RSA_E_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (e == NULL) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return MEMORY_E;
+    }
+#endif
+
+#ifdef HAVE_USER_RSA
+    eSz = SetASNIntRSA(key->e, e);
+#else
+    eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, e);
+#endif
+    if (eSz < 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return eSz;
+    }
+
+    seqSz  = SetSequence(nSz + eSz, seq);
+
+    /* check output size */
+    if ( (seqSz + nSz + eSz) > outLen) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(n,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(e,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return BUFFER_E;
+    }
+
+    /* headers */
+    if (with_header) {
+        int  algoSz;
+#ifdef WOLFSSL_SMALL_STACK
+        byte* algo;
+
+        algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (algo == NULL) {
+            XFREE(n, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(e, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
+#else
+        byte algo[MAX_ALGO_SZ];
+#endif
+        algoSz = SetAlgoID(RSAk, algo, oidKeyType, 0);
+        bitStringSz  = SetBitString(seqSz + nSz + eSz, 0, bitString);
+
+        idx = SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, output);
+
+        /* check output size */
+        if ( (idx + algoSz + bitStringSz + seqSz + nSz + eSz) > outLen) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(n,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(e,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+
+            return BUFFER_E;
+        }
+
+        /* algo */
+        XMEMCPY(output + idx, algo, algoSz);
+        idx += algoSz;
+        /* bit string */
+        XMEMCPY(output + idx, bitString, bitStringSz);
+        idx += bitStringSz;
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(algo, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    }
+    else
+        idx = 0;
+
+    /* seq */
+    XMEMCPY(output + idx, seq, seqSz);
+    idx += seqSz;
+    /* n */
+    XMEMCPY(output + idx, n, nSz);
+    idx += nSz;
+    /* e */
+    XMEMCPY(output + idx, e, eSz);
+    idx += eSz;
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(n,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(e,    key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return idx;
+}
+
+#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
+                                           !HAVE_USER_RSA))) */
+
+#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA))
+int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header)
+{
+    int  idx = 0;
+    int  nSz, eSz, seqSz, bitStringSz, algoSz;
+
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    /* n */
+#ifdef HAVE_USER_RSA
+    nSz = SetASNIntRSA(key->n, NULL);
+#else
+    nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, NULL);
+#endif
+    if (nSz < 0) {
+        return nSz;
+    }
+
+    /* e */
+#ifdef HAVE_USER_RSA
+    eSz = SetASNIntRSA(key->e, NULL);
+#else
+    eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, NULL);
+#endif
+    if (eSz < 0) {
+        return eSz;
+    }
 
-#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
+    seqSz  = SetSequence(nSz + eSz, NULL);
 
+    /* headers */
+    if (with_header) {
+        algoSz = SetAlgoID(RSAk, NULL, oidKeyType, 0);
+        bitStringSz = SetBitString(seqSz + nSz + eSz, 0, NULL);
 
-#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
+        idx += SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, NULL);
 
+        /* algo */
+        idx += algoSz;
+        /* bit string */
+        idx += bitStringSz;
+    }
+
+    /* seq */
+    idx += seqSz;
+    /* n */
+    idx += nSz;
+    /* e */
+    idx += eSz;
+
+    return idx;
+}
+
+#endif /* !NO_RSA && WOLFSSL_CERT_GEN */
+
+
+#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
 
 static mp_int* GetRsaInt(RsaKey* key, int idx)
 {
@@ -4688,13 +11163,13 @@ static mp_int* GetRsaInt(RsaKey* key, int idx)
 
 
 /* Release Tmp RSA resources */
-static INLINE void FreeTmpRsas(byte** tmps, void* heap)
+static WC_INLINE void FreeTmpRsas(byte** tmps, void* heap)
 {
     int i;
 
     (void)heap;
 
-    for (i = 0; i < RSA_INTS; i++) 
+    for (i = 0; i < RSA_INTS; i++)
         XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA);
 }
 
@@ -4705,13 +11180,13 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
 {
     word32 seqSz, verSz, rawLen, intTotalLen = 0;
     word32 sizes[RSA_INTS];
-    int    i, j, outLen, ret = 0;
+    int    i, j, outLen, ret = 0, mpSz;
 
     byte  seq[MAX_SEQ_SZ];
     byte  ver[MAX_VERSION_SZ];
     byte* tmps[RSA_INTS];
 
-    if (!key || !output)
+    if (!key)
         return BAD_FUNC_ARG;
 
     if (key->type != RSA_PRIVATE)
@@ -4723,7 +11198,8 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
     /* write all big ints from key to DER tmps */
     for (i = 0; i < RSA_INTS; i++) {
         mp_int* keyInt = GetRsaInt(key, i);
-        rawLen = mp_unsigned_bin_size(keyInt);
+
+        rawLen = mp_unsigned_bin_size(keyInt) + 1;
         tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
                                  DYNAMIC_TYPE_RSA);
         if (tmps[i] == NULL) {
@@ -4731,24 +11207,12 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
             break;
         }
 
-        tmps[i][0] = ASN_INTEGER;
-        sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1;  /* int tag */
-
-        if (sizes[i] <= MAX_SEQ_SZ) {
-            int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]);
-            if (err == MP_OKAY) {
-                sizes[i] += rawLen;
-                intTotalLen += sizes[i];
-            }
-            else {
-                ret = err;
-                break;
-            }
-        }
-        else {
-            ret = ASN_INPUT_E;
+        mpSz = SetASNIntMP(keyInt, MAX_RSA_INT_SZ, tmps[i]);
+        if (mpSz < 0) {
+            ret = mpSz;
             break;
         }
+        intTotalLen += (sizes[i] = mpSz);
     }
 
     if (ret != 0) {
@@ -4761,42 +11225,43 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
     seqSz = SetSequence(verSz + intTotalLen, seq);
 
     outLen = seqSz + verSz + intTotalLen;
-    if (outLen > (int)inLen)
-        return BAD_FUNC_ARG;
+    if (output) {
+        if (outLen > (int)inLen) {
+            FreeTmpRsas(tmps, key->heap);
+            return BAD_FUNC_ARG;
+        }
 
-    /* write to output */
-    XMEMCPY(output, seq, seqSz);
-    j = seqSz;
-    XMEMCPY(output + j, ver, verSz);
-    j += verSz;
+        /* write to output */
+        XMEMCPY(output, seq, seqSz);
+        j = seqSz;
+        XMEMCPY(output + j, ver, verSz);
+        j += verSz;
 
-    for (i = 0; i < RSA_INTS; i++) {
-        XMEMCPY(output + j, tmps[i], sizes[i]);
-        j += sizes[i];
+        for (i = 0; i < RSA_INTS; i++) {
+            XMEMCPY(output + j, tmps[i], sizes[i]);
+            j += sizes[i];
+        }
     }
     FreeTmpRsas(tmps, key->heap);
 
     return outLen;
 }
+#endif
 
-#endif /* WOLFSSL_KEY_GEN && !NO_RSA */
-
-
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
-
-
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+#if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+/* Convert Rsa Public key to DER format, write to output (inLen), return bytes
+   written */
+int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
+{
+    return SetRsaPublicKey(output, key, inLen, 1);
+}
 
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
+#endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA && !HAVE_USER_RSA */
 
-#endif /* WOLFSSL_HAVE_MIN */
 
+#ifdef WOLFSSL_CERT_GEN
 
-/* Initialize and Set Certficate defaults:
+/* Initialize and Set Certificate defaults:
    version    = 3 (0x2)
    serial     = 0
    sigType    = SHA_WITH_RSA
@@ -4805,57 +11270,57 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
    selfSigned = 1 (true) use subject as issuer
    subject    = blank
 */
-void wc_InitCert(Cert* cert)
+int wc_InitCert(Cert* cert)
 {
+#ifdef WOLFSSL_MULTI_ATTRIB
+    int i = 0;
+#endif
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(cert, 0, sizeof(Cert));
+
     cert->version    = 2;   /* version 3 is hex 2 */
+#ifndef NO_SHA
     cert->sigType    = CTC_SHAwRSA;
+#elif !defined(NO_SHA256)
+    cert->sigType    = CTC_SHA256wRSA;
+#else
+    cert->sigType    = 0;
+#endif
     cert->daysValid  = 500;
     cert->selfSigned = 1;
-    cert->isCA       = 0;
-    cert->bodySz     = 0;
-#ifdef WOLFSSL_ALT_NAMES
-    cert->altNamesSz   = 0;
-    cert->beforeDateSz = 0;
-    cert->afterDateSz  = 0;
-#endif
     cert->keyType    = RSA_KEY;
-    XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE);
 
-    cert->issuer.country[0] = '\0';
     cert->issuer.countryEnc = CTC_PRINTABLE;
-    cert->issuer.state[0] = '\0';
     cert->issuer.stateEnc = CTC_UTF8;
-    cert->issuer.locality[0] = '\0';
     cert->issuer.localityEnc = CTC_UTF8;
-    cert->issuer.sur[0] = '\0';
     cert->issuer.surEnc = CTC_UTF8;
-    cert->issuer.org[0] = '\0';
     cert->issuer.orgEnc = CTC_UTF8;
-    cert->issuer.unit[0] = '\0';
     cert->issuer.unitEnc = CTC_UTF8;
-    cert->issuer.commonName[0] = '\0';
     cert->issuer.commonNameEnc = CTC_UTF8;
-    cert->issuer.email[0] = '\0';
 
-    cert->subject.country[0] = '\0';
     cert->subject.countryEnc = CTC_PRINTABLE;
-    cert->subject.state[0] = '\0';
     cert->subject.stateEnc = CTC_UTF8;
-    cert->subject.locality[0] = '\0';
     cert->subject.localityEnc = CTC_UTF8;
-    cert->subject.sur[0] = '\0';
     cert->subject.surEnc = CTC_UTF8;
-    cert->subject.org[0] = '\0';
     cert->subject.orgEnc = CTC_UTF8;
-    cert->subject.unit[0] = '\0';
     cert->subject.unitEnc = CTC_UTF8;
-    cert->subject.commonName[0] = '\0';
     cert->subject.commonNameEnc = CTC_UTF8;
-    cert->subject.email[0] = '\0';
 
-#ifdef WOLFSSL_CERT_REQ
-    cert->challengePw[0] ='\0';
+#ifdef WOLFSSL_MULTI_ATTRIB
+    for (i = 0; i < CTC_MAX_ATTRIB; i++) {
+        cert->issuer.name[i].type   = CTC_UTF8;
+        cert->subject.name[i].type  = CTC_UTF8;
+    }
+#endif /* WOLFSSL_MULTI_ATTRIB */
+
+#ifdef WOLFSSL_HEAP_TEST
+    cert->heap = (void*)WOLFSSL_HEAP_TEST;
 #endif
+
+    return 0;
 }
 
 
@@ -4863,26 +11328,46 @@ void wc_InitCert(Cert* cert)
 typedef struct DerCert {
     byte size[MAX_LENGTH_SZ];          /* length encoded */
     byte version[MAX_VERSION_SZ];      /* version encoded */
-    byte serial[CTC_SERIAL_SIZE + MAX_LENGTH_SZ]; /* serial number encoded */
+    byte serial[(int)CTC_SERIAL_SIZE + (int)MAX_LENGTH_SZ]; /* serial number encoded */
     byte sigAlgo[MAX_ALGO_SZ];         /* signature algo encoded */
     byte issuer[ASN_NAME_MAX];         /* issuer  encoded */
     byte subject[ASN_NAME_MAX];        /* subject encoded */
     byte validity[MAX_DATE_SIZE*2 + MAX_SEQ_SZ*2];  /* before and after dates */
     byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
     byte ca[MAX_CA_SZ];                /* basic constraint CA true size */
-    byte extensions[MAX_EXTENSIONS_SZ];  /* all extensions */
+    byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
+#ifdef WOLFSSL_CERT_EXT
+    byte skid[MAX_KID_SZ];             /* Subject Key Identifier extension */
+    byte akid[MAX_KID_SZ];             /* Authority Key Identifier extension */
+    byte keyUsage[MAX_KEYUSAGE_SZ];    /* Key Usage extension */
+    byte extKeyUsage[MAX_EXTKEYUSAGE_SZ]; /* Extended Key Usage extension */
+    byte certPolicies[MAX_CERTPOL_NB*MAX_CERTPOL_SZ]; /* Certificate Policies */
+#endif
 #ifdef WOLFSSL_CERT_REQ
     byte attrib[MAX_ATTRIB_SZ];        /* Cert req attributes encoded */
 #endif
+#ifdef WOLFSSL_ALT_NAMES
+    byte altNames[CTC_MAX_ALT_SIZE];   /* Alternative Names encoded */
+#endif
     int  sizeSz;                       /* encoded size length */
     int  versionSz;                    /* encoded version length */
     int  serialSz;                     /* encoded serial length */
-    int  sigAlgoSz;                    /* enocded sig alog length */
+    int  sigAlgoSz;                    /* encoded sig algo length */
     int  issuerSz;                     /* encoded issuer length */
     int  subjectSz;                    /* encoded subject length */
     int  validitySz;                   /* encoded validity length */
     int  publicKeySz;                  /* encoded public key length */
     int  caSz;                         /* encoded CA extension length */
+#ifdef WOLFSSL_CERT_EXT
+    int  skidSz;                       /* encoded SKID extension length */
+    int  akidSz;                       /* encoded SKID extension length */
+    int  keyUsageSz;                   /* encoded KeyUsage extension length */
+    int  extKeyUsageSz;                /* encoded ExtendedKeyUsage extension length */
+    int  certPoliciesSz;               /* encoded CertPolicies extension length*/
+#endif
+#ifdef WOLFSSL_ALT_NAMES
+    int  altNamesSz;                   /* encoded AltNames extension length */
+#endif
     int  extensionsSz;                 /* encoded extensions total length */
     int  total;                        /* total encoded lengths */
 #ifdef WOLFSSL_CERT_REQ
@@ -4894,6 +11379,12 @@ typedef struct DerCert {
 #ifdef WOLFSSL_CERT_REQ
 
 /* Write a set header to output */
+static word32 SetPrintableString(word32 len, byte* output)
+{
+    output[0] = ASN_PRINTABLE_STRING;
+    return SetLength(len, output + 1) + 1;
+}
+
 static word32 SetUTF8String(word32 len, byte* output)
 {
     output[0] = ASN_UTF8STRING;
@@ -4903,258 +11394,444 @@ static word32 SetUTF8String(word32 len, byte* output)
 #endif /* WOLFSSL_CERT_REQ */
 
 
-/* Write a serial number to output */
-static int SetSerial(const byte* serial, byte* output)
+#ifndef WOLFSSL_CERT_GEN_CACHE
+/* wc_SetCert_Free is only public when WOLFSSL_CERT_GEN_CACHE is not defined */
+static
+#endif
+void wc_SetCert_Free(Cert* cert)
 {
-    int length = 0;
+    if (cert != NULL) {
+        cert->der = NULL;
+        if (cert->decodedCert) {
+            FreeDecodedCert((DecodedCert*)cert->decodedCert);
+
+            XFREE(cert->decodedCert, cert->heap, DYNAMIC_TYPE_DCERT);
+            cert->decodedCert = NULL;
+        }
+    }
+}
+
+static int wc_SetCert_LoadDer(Cert* cert, const byte* der, word32 derSz)
+{
+    int ret;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Allocate DecodedCert struct and Zero */
+        cert->decodedCert = (void*)XMALLOC(sizeof(DecodedCert), cert->heap,
+            DYNAMIC_TYPE_DCERT);
 
-    output[length++] = ASN_INTEGER;
-    length += SetLength(CTC_SERIAL_SIZE, &output[length]);
-    XMEMCPY(&output[length], serial, CTC_SERIAL_SIZE);
+        if (cert->decodedCert == NULL) {
+            ret = MEMORY_E;
+        }
+        else {
+            XMEMSET(cert->decodedCert, 0, sizeof(DecodedCert));
+
+            InitDecodedCert((DecodedCert*)cert->decodedCert, der, derSz,
+                    cert->heap);
+            ret = ParseCertRelative((DecodedCert*)cert->decodedCert,
+                    CERT_TYPE, 0, NULL);
+            if (ret >= 0) {
+                cert->der = (byte*)der;
+            }
+            else {
+                wc_SetCert_Free(cert);
+            }
+        }
+    }
 
-    return length + CTC_SERIAL_SIZE;
+    return ret;
 }
 
+#endif /* WOLFSSL_CERT_GEN */
 
-#ifdef HAVE_ECC 
 
+#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
 
 /* Write a public ECC key to output */
-static int SetEccPublicKey(byte* output, ecc_key* key)
+static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)
 {
-    byte len[MAX_LENGTH_SZ + 1];  /* trailing 0 */
+    byte bitString[1 + MAX_LENGTH_SZ + 1];
     int  algoSz;
     int  curveSz;
-    int  lenSz;
+    int  bitStringSz;
     int  idx;
     word32 pubSz = ECC_BUFSIZE;
 #ifdef WOLFSSL_SMALL_STACK
     byte* algo = NULL;
     byte* curve = NULL;
-    byte* pub = NULL;
+    byte* pub;
 #else
     byte algo[MAX_ALGO_SZ];
     byte curve[MAX_ALGO_SZ];
     byte pub[ECC_BUFSIZE];
 #endif
+    int ret;
 
 #ifdef WOLFSSL_SMALL_STACK
-    pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    pub = (byte*)XMALLOC(ECC_BUFSIZE, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (pub == NULL)
         return MEMORY_E;
 #endif
 
-    int ret = wc_ecc_export_x963(key, pub, &pubSz);
+#ifdef HAVE_SELFTEST
+    /* older version of ecc.c can not handle dp being NULL */
+    if (key != NULL && key->dp == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        ret = wc_ecc_export_x963(key, pub, &pubSz);
+    }
+#else
+    ret = wc_ecc_export_x963(key, pub, &pubSz);
+#endif
     if (ret != 0) {
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
         return ret;
     }
 
+    /* headers */
+    if (with_header) {
 #ifdef WOLFSSL_SMALL_STACK
-    curve = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (curve == NULL) {
-        XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
-    }
+        curve = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (curve == NULL) {
+            XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
 #endif
-
-    /* headers */
-    curveSz = SetCurve(key, curve);
-    if (curveSz <= 0) {
+        curveSz = SetCurve(key, curve);
+        if (curveSz <= 0) {
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pub,   NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(pub,   key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return curveSz;
-    }
+            return curveSz;
+        }
 
 #ifdef WOLFSSL_SMALL_STACK
-    algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (algo == NULL) {
-        XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(pub,   NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
-    }
+        algo = (byte*)XMALLOC(MAX_ALGO_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (algo == NULL) {
+            XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(pub,   key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
 #endif
+        algoSz  = SetAlgoID(ECDSAk, algo, oidKeyType, curveSz);
+
+        bitStringSz = SetBitString(pubSz, 0, bitString);
+
+        idx = SetSequence(pubSz + curveSz + bitStringSz + algoSz, output);
+        /* algo */
+        if (output)
+            XMEMCPY(output + idx, algo, algoSz);
+        idx += algoSz;
+        /* curve */
+        if (output)
+            XMEMCPY(output + idx, curve, curveSz);
+        idx += curveSz;
+        /* bit string */
+        if (output)
+            XMEMCPY(output + idx, bitString, bitStringSz);
+        idx += bitStringSz;
+    }
+    else
+        idx = 0;
 
-    algoSz  = SetAlgoID(ECDSAk, algo, keyType, curveSz);
-    lenSz   = SetLength(pubSz + 1, len);
-    len[lenSz++] = 0;   /* trailing 0 */
-
-    /* write */
-    idx = SetSequence(pubSz + curveSz + lenSz + 1 + algoSz, output);
-        /* 1 is for ASN_BIT_STRING */
-    /* algo */
-    XMEMCPY(output + idx, algo, algoSz);
-    idx += algoSz;
-    /* curve */
-    XMEMCPY(output + idx, curve, curveSz);
-    idx += curveSz;
-    /* bit string */
-    output[idx++] = ASN_BIT_STRING;
-    /* length */
-    XMEMCPY(output + idx, len, lenSz);
-    idx += lenSz;
     /* pub */
-    XMEMCPY(output + idx, pub, pubSz);
+    if (output)
+        XMEMCPY(output + idx, pub, pubSz);
     idx += pubSz;
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(algo,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(curve, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(pub,   NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (with_header) {
+        XFREE(algo,  key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(curve, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    XFREE(pub,   key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return idx;
 }
 
 
-#endif /* HAVE_ECC */
+/* returns the size of buffer used, the public ECC key in DER format is stored
+   in output buffer
+   with_AlgCurve is a flag for when to include a header that has the Algorithm
+   and Curve information */
+int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
+                                                              int with_AlgCurve)
+{
+    word32 infoSz = 0;
+    word32 keySz  = 0;
+    int ret;
 
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-/* Write a public RSA key to output */
-static int SetRsaPublicKey(byte* output, RsaKey* key)
+    if (with_AlgCurve) {
+        /* buffer space for algorithm/curve */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += 2 * MAX_ALGO_SZ;
+
+        /* buffer space for public key sequence */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += TRAILING_ZERO;
+    }
+
+#ifdef HAVE_SELFTEST
+    /* older version of ecc.c can not handle dp being NULL */
+    if (key != NULL && key->dp == NULL) {
+        keySz = 1 + 2 * MAX_ECC_BYTES;
+        ret = LENGTH_ONLY_E;
+    }
+    else {
+        ret = wc_ecc_export_x963(key, NULL, &keySz);
+    }
+#else
+    ret = wc_ecc_export_x963(key, NULL, &keySz);
+#endif
+    if (ret != LENGTH_ONLY_E) {
+        WOLFSSL_MSG("Error in getting ECC public key size");
+        return ret;
+    }
+
+    /* if output null then just return size */
+    if (output == NULL) {
+        return keySz + infoSz;
+    }
+
+    if (inLen < keySz + infoSz) {
+        return BUFFER_E;
+    }
+
+    return SetEccPublicKey(output, key, with_AlgCurve);
+}
+
+int wc_EccPublicKeyDerSize(ecc_key* key, int with_AlgCurve)
+{
+    return wc_EccPublicKeyToDer(key, NULL, 0, with_AlgCurve);
+}
+
+#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */
+
+#if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \
+                              defined(WOLFSSL_KEY_GEN))
+
+/* Write a public ECC key to output */
+static int SetEd25519PublicKey(byte* output, ed25519_key* key, int with_header)
 {
+    byte bitString[1 + MAX_LENGTH_SZ + 1];
+    int  algoSz;
+    int  bitStringSz;
+    int  idx;
+    word32 pubSz = ED25519_PUB_KEY_SIZE;
 #ifdef WOLFSSL_SMALL_STACK
-    byte* n = NULL;
-    byte* e = NULL;
     byte* algo = NULL;
+    byte* pub;
 #else
-    byte n[MAX_RSA_INT_SZ];
-    byte e[MAX_RSA_E_SZ];
     byte algo[MAX_ALGO_SZ];
+    byte pub[ED25519_PUB_KEY_SIZE];
 #endif
-    byte seq[MAX_SEQ_SZ];
-    byte len[MAX_LENGTH_SZ + 1];  /* trailing 0 */
-    int  nSz;
-    int  eSz;
-    int  algoSz;
-    int  seqSz;
-    int  lenSz;
-    int  idx;
-    int  rawLen;
-    int  leadingBit;
-    int  err;
 
-    /* n */
 #ifdef WOLFSSL_SMALL_STACK
-    n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (n == NULL)
+    pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pub == NULL)
         return MEMORY_E;
 #endif
 
-    leadingBit = mp_leading_bit(&key->n);
-    rawLen = mp_unsigned_bin_size(&key->n) + leadingBit;
-    n[0] = ASN_INTEGER;
-    nSz  = SetLength(rawLen, n + 1) + 1;  /* int tag */
-
-    if ( (nSz + rawLen) < MAX_RSA_INT_SZ) {
-        if (leadingBit)
-            n[nSz] = 0;
-        err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit);
-        if (err == MP_OKAY)
-            nSz += rawLen;
-        else {
+    idx = wc_ed25519_export_public(key, pub, &pubSz);
+    if (idx != 0) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-            return MP_TO_E;
+        return idx;
+    }
+
+    /* headers */
+    if (with_header) {
+#ifdef WOLFSSL_SMALL_STACK
+        algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (algo == NULL) {
+            XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
         }
+#endif
+        algoSz  = SetAlgoID(ED25519k, algo, oidKeyType, 0);
+
+        bitStringSz = SetBitString(pubSz, 0, bitString);
+
+        idx = SetSequence(pubSz + bitStringSz + algoSz, output);
+        /* algo */
+        XMEMCPY(output + idx, algo, algoSz);
+        idx += algoSz;
+        /* bit string */
+        XMEMCPY(output + idx, bitString, bitStringSz);
+        idx += bitStringSz;
     }
-    else {
+    else
+        idx = 0;
+
+    /* pub */
+    XMEMCPY(output + idx, pub, pubSz);
+    idx += pubSz;
+
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (with_header) {
+        XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+
+    return idx;
+}
+
+int wc_Ed25519PublicKeyToDer(ed25519_key* key, byte* output, word32 inLen,
+                                                                    int withAlg)
+{
+    word32 infoSz = 0;
+    word32 keySz  = 0;
+    int ret;
+
+    if (output == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (withAlg) {
+        /* buffer space for algorithm */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += MAX_ALGO_SZ;
+
+        /* buffer space for public key sequence */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += TRAILING_ZERO;
+    }
+
+    if ((ret = wc_ed25519_export_public(key, output, &keySz)) != BUFFER_E) {
+        WOLFSSL_MSG("Error in getting ECC public key size");
+        return ret;
+    }
+
+    if (inLen < keySz + infoSz) {
         return BUFFER_E;
     }
 
-    /* e */
-#ifdef WOLFSSL_SMALL_STACK
-    e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (e == NULL) {
+    return SetEd25519PublicKey(output, key, withAlg);
+}
+#endif /* HAVE_ED25519 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
+#if defined(HAVE_ED448) && (defined(WOLFSSL_CERT_GEN) || \
+                                                       defined(WOLFSSL_KEY_GEN))
+
+/* Write a public ECC key to output */
+static int SetEd448PublicKey(byte* output, ed448_key* key, int with_header)
+{
+    byte bitString[1 + MAX_LENGTH_SZ + 1];
+    int  algoSz;
+    int  bitStringSz;
+    int  idx;
+    word32 pubSz = ED448_PUB_KEY_SIZE;
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    byte* algo = NULL;
+    byte* pub = NULL;
+#else
+    byte algo[MAX_ALGO_SZ];
+    byte pub[ED448_PUB_KEY_SIZE];
 #endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    pub = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pub == NULL)
         return MEMORY_E;
-    }
 #endif
 
-    leadingBit = mp_leading_bit(&key->e);
-    rawLen = mp_unsigned_bin_size(&key->e) + leadingBit;
-    e[0] = ASN_INTEGER;
-    eSz  = SetLength(rawLen, e + 1) + 1;  /* int tag */
-
-    if ( (eSz + rawLen) < MAX_RSA_E_SZ) {
-        if (leadingBit)
-            e[eSz] = 0;
-        err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit);
-        if (err == MP_OKAY)
-            eSz += rawLen;
-        else {
+    idx = wc_ed448_export_public(key, pub, &pubSz);
+    if (idx != 0) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-            return MP_TO_E;
-        }
+        return idx;
     }
-    else {
+
+    /* headers */
+    if (with_header) {
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (algo == NULL) {
+            XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
 #endif
-        return BUFFER_E;
+        algoSz  = SetAlgoID(ED448k, algo, oidKeyType, 0);
+
+        bitStringSz = SetBitString(pubSz, 0, bitString);
+
+        idx = SetSequence(pubSz + bitStringSz + algoSz, output);
+        /* algo */
+        XMEMCPY(output + idx, algo, algoSz);
+        idx += algoSz;
+        /* bit string */
+        XMEMCPY(output + idx, bitString, bitStringSz);
+        idx += bitStringSz;
     }
+    else
+        idx = 0;
+
+    /* pub */
+    XMEMCPY(output + idx, pub, pubSz);
+    idx += pubSz;
 
 #ifdef WOLFSSL_SMALL_STACK
-    algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (algo == NULL) {
-        XFREE(n, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(e, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
+    if (with_header) {
+        XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
+    XFREE(pub, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-    /* headers */
-    algoSz = SetAlgoID(RSAk, algo, keyType, 0);
-    seqSz  = SetSequence(nSz + eSz, seq);
-    lenSz  = SetLength(seqSz + nSz + eSz + 1, len);
-    len[lenSz++] = 0;   /* trailing 0 */
+    return idx;
+}
 
-    /* write */
-    idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output);
-        /* 1 is for ASN_BIT_STRING */
-    /* algo */
-    XMEMCPY(output + idx, algo, algoSz);
-    idx += algoSz;
-    /* bit string */
-    output[idx++] = ASN_BIT_STRING;
-    /* length */
-    XMEMCPY(output + idx, len, lenSz);
-    idx += lenSz;
-    /* seq */
-    XMEMCPY(output + idx, seq, seqSz);
-    idx += seqSz;
-    /* n */
-    XMEMCPY(output + idx, n, nSz);
-    idx += nSz;
-    /* e */
-    XMEMCPY(output + idx, e, eSz);
-    idx += eSz;
+int wc_Ed448PublicKeyToDer(ed448_key* key, byte* output, word32 inLen,
+                                                                    int withAlg)
+{
+    word32 infoSz = 0;
+    word32 keySz  = 0;
+    int ret;
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(n,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(e,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(algo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    if (output == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    return idx;
+    if (withAlg) {
+        /* buffer space for algorithm */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += MAX_ALGO_SZ;
+
+        /* buffer space for public key sequence */
+        infoSz += MAX_SEQ_SZ;
+        infoSz += TRAILING_ZERO;
+    }
+
+    if ((ret = wc_ed448_export_public(key, output, &keySz)) != BUFFER_E) {
+        WOLFSSL_MSG("Error in getting ECC public key size");
+        return ret;
+    }
+
+    if (inLen < keySz + infoSz) {
+        return BUFFER_E;
+    }
+
+    return SetEd448PublicKey(output, key, withAlg);
 }
+#endif /* HAVE_ED448 && (WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN) */
+
 
+#ifdef WOLFSSL_CERT_GEN
 
-static INLINE byte itob(int number)
+static WC_INLINE byte itob(int number)
 {
     return (byte)number + 0x30;
 }
@@ -5184,7 +11861,7 @@ static void SetTime(struct tm* date, byte* output)
 
     output[i++] = itob(date->tm_sec / 10);
     output[i++] = itob(date->tm_sec % 10);
-    
+
     output[i] = 'Z';  /* Zulu profile */
 }
 
@@ -5200,28 +11877,19 @@ static int CopyValidity(byte* output, Cert* cert)
 
     /* headers and output */
     seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
-    XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
-    XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
-                                                 cert->afterDateSz);
+    if (output) {
+        XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
+        XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
+                                                     cert->afterDateSz);
+    }
     return seqSz + cert->beforeDateSz + cert->afterDateSz;
 }
 
 #endif
 
 
-/* for systems where mktime() doesn't normalize fully */
-static void RebuildTime(time_t* in, struct tm* out)
-{
-    #ifdef FREESCALE_MQX
-        out = localtime_r(in, out);
-    #else
-        (void)in;
-        (void)out;
-    #endif
-}
-
-
-/* Set Date validity from now until now + daysValid */
+/* Set Date validity from now until now + daysValid
+ * return size in bytes written to output, 0 on error */
 static int SetValidity(byte* output, int daysValid)
 {
     byte before[MAX_DATE_SIZE];
@@ -5231,55 +11899,60 @@ static int SetValidity(byte* output, int daysValid)
     int afterSz;
     int seqSz;
 
-    time_t     ticks;
-    time_t     normalTime;
-    struct tm* now;
-    struct tm* tmpTime = NULL;
-    struct tm  local;
+    time_t now;
+    time_t then;
+    struct tm* tmpTime;
+    struct tm* expandedTime;
+    struct tm localTime;
 
-#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES)
+#if defined(NEED_TMP_TIME)
     /* for use with gmtime_r */
     struct tm tmpTimeStorage;
     tmpTime = &tmpTimeStorage;
 #else
-    (void)tmpTime;
+    tmpTime = NULL;
 #endif
+    (void)tmpTime;
 
-    ticks = XTIME(0);
-    now   = XGMTIME(&ticks, tmpTime);
+    now = XTIME(0);
 
     /* before now */
-    local = *now;
     before[0] = ASN_GENERALIZED_TIME;
-    beforeSz  = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1;  /* gen tag */
-
-    /* subtract 1 day for more compliance */
-    local.tm_mday -= 1;
-    normalTime = mktime(&local);
-    RebuildTime(&normalTime, &local);
+    beforeSz = SetLength(ASN_GEN_TIME_SZ, before + 1) + 1;  /* gen tag */
+
+    /* subtract 1 day of seconds for more compliance */
+    then = now - 86400;
+    expandedTime = XGMTIME(&then, tmpTime);
+    if (expandedTime == NULL) {
+        WOLFSSL_MSG("XGMTIME failed");
+        return 0;   /* error */
+    }
+    localTime = *expandedTime;
 
     /* adjust */
-    local.tm_year += 1900;
-    local.tm_mon  +=    1;
+    localTime.tm_year += 1900;
+    localTime.tm_mon +=    1;
 
-    SetTime(&local, before + beforeSz);
+    SetTime(&localTime, before + beforeSz);
     beforeSz += ASN_GEN_TIME_SZ;
 
-    /* after now + daysValid */
-    local = *now;
     after[0] = ASN_GENERALIZED_TIME;
     afterSz  = SetLength(ASN_GEN_TIME_SZ, after + 1) + 1;  /* gen tag */
 
-    /* add daysValid */
-    local.tm_mday += daysValid;
-    normalTime = mktime(&local);
-    RebuildTime(&normalTime, &local);
+    /* add daysValid of seconds */
+    then = now + (daysValid * (time_t)86400);
+    expandedTime = XGMTIME(&then, tmpTime);
+    if (expandedTime == NULL) {
+        WOLFSSL_MSG("XGMTIME failed");
+        return 0;   /* error */
+    }
+    localTime = *expandedTime;
 
     /* adjust */
-    local.tm_year += 1900;
-    local.tm_mon  +=    1;
+    localTime.tm_year += 1900;
+    localTime.tm_mon  +=    1;
 
-    SetTime(&local, after + afterSz);
+    SetTime(&localTime, after + afterSz);
     afterSz += ASN_GEN_TIME_SZ;
 
     /* headers and output */
@@ -5327,6 +12000,16 @@ static const char* GetOneName(CertName* name, int idx)
        return name->commonName;
 
     case 7:
+       return name->serialDev;
+
+#ifdef WOLFSSL_CERT_EXT
+    case 8:
+       return name->busCat;
+
+    case 9:
+#else
+    case 8:
+#endif
        return name->email;
 
     default:
@@ -5360,6 +12043,20 @@ static char GetNameType(CertName* name, int idx)
     case 6:
        return name->commonNameEnc;
 
+    case 7:
+       return name->serialDevEnc;
+
+#ifdef WOLFSSL_CERT_EXT
+    case 8:
+       return name->busCatEnc;
+
+    case 9:
+#else
+    case 8:
+#endif
+        /* FALL THROUGH */
+        /* The last index, email name, does not have encoding type.
+           The empty case here is to keep track of it for future reference. */
     default:
        return 0;
     }
@@ -5392,54 +12089,589 @@ static byte GetNameId(int idx)
        return ASN_COMMON_NAME;
 
     case 7:
-       /* email uses different id type */
-       return 0;
+       return ASN_SERIAL_NUMBER;
+
+#ifdef WOLFSSL_CERT_EXT
+    case 8:
+        return ASN_BUS_CAT;
+
+    case 9:
+#else
+    case 8:
+#endif
+        return ASN_EMAIL_NAME;
 
     default:
        return 0;
     }
 }
 
+/*
+ Extensions ::= SEQUENCE OF Extension
+
+ Extension ::= SEQUENCE {
+ extnId     OBJECT IDENTIFIER,
+ critical   BOOLEAN DEFAULT FALSE,
+ extnValue  OCTET STRING }
+ */
 
 /* encode all extensions, return total bytes written */
-static int SetExtensions(byte* output, const byte* ext, int extSz, int header)
+static int SetExtensions(byte* out, word32 outSz, int *IdxInOut,
+                         const byte* ext, int extSz)
+{
+    if (out == NULL || IdxInOut == NULL || ext == NULL)
+        return BAD_FUNC_ARG;
+
+    if (outSz < (word32)(*IdxInOut+extSz))
+        return BUFFER_E;
+
+    XMEMCPY(&out[*IdxInOut], ext, extSz);  /* extensions */
+    *IdxInOut += extSz;
+
+    return *IdxInOut;
+}
+
+/* encode extensions header, return total bytes written */
+static int SetExtensionsHeader(byte* out, word32 outSz, int extSz)
 {
     byte sequence[MAX_SEQ_SZ];
     byte len[MAX_LENGTH_SZ];
+    int seqSz, lenSz, idx = 0;
 
-    int sz = 0;
-    int seqSz = SetSequence(extSz, sequence);
+    if (out == NULL)
+        return BAD_FUNC_ARG;
 
-    if (header) {
-        int lenSz = SetLength(seqSz + extSz, len);
-        output[0] = ASN_EXTENSIONS; /* extensions id */
-        sz++;
-        XMEMCPY(&output[sz], len, lenSz);  /* length */
-        sz += lenSz;
-    }
-    XMEMCPY(&output[sz], sequence, seqSz);  /* sequence */
-    sz += seqSz;
-    XMEMCPY(&output[sz], ext, extSz);  /* extensions */
-    sz += extSz;
+    if (outSz < 3)
+        return BUFFER_E;
 
-    return sz;
+    seqSz = SetSequence(extSz, sequence);
+
+    /* encode extensions length provided */
+    lenSz = SetLength(extSz+seqSz, len);
+
+    if (outSz < (word32)(lenSz+seqSz+1))
+        return BUFFER_E;
+
+    out[idx++] = ASN_EXTENSIONS; /* extensions id */
+    XMEMCPY(&out[idx], len, lenSz);  /* length */
+    idx += lenSz;
+
+    XMEMCPY(&out[idx], sequence, seqSz);  /* sequence */
+    idx += seqSz;
+
+    return idx;
 }
 
 
 /* encode CA basic constraint true, return total bytes written */
-static int SetCa(byte* output)
+static int SetCa(byte* out, word32 outSz)
 {
-    static const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+    const byte ca[] = { 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
                                0x05, 0x30, 0x03, 0x01, 0x01, 0xff };
-    
-    XMEMCPY(output, ca, sizeof(ca));
+
+    if (out == NULL)
+        return BAD_FUNC_ARG;
+
+    if (outSz < sizeof(ca))
+        return BUFFER_E;
+
+    XMEMCPY(out, ca, sizeof(ca));
 
     return (int)sizeof(ca);
 }
 
 
+#ifdef WOLFSSL_CERT_EXT
+/* encode OID and associated value, return total bytes written */
+static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz,
+                       byte *in, word32 inSz)
+{
+    int idx = 0;
+
+    if (out == NULL || oid == NULL || in == NULL)
+        return BAD_FUNC_ARG;
+
+    if (outSz < 3)
+        return BUFFER_E;
+
+    /* sequence,  + 1 => byte to put value size */
+    idx = SetSequence(inSz + oidSz + 1, out);
+
+    if ((idx + inSz + oidSz + 1) > outSz)
+        return BUFFER_E;
+
+    XMEMCPY(out+idx, oid, oidSz);
+    idx += oidSz;
+    out[idx++] = (byte)inSz;
+    XMEMCPY(out+idx, in, inSz);
+
+    return (idx+inSz);
+}
+
+/* encode Subject Key Identifier, return total bytes written
+ * RFC5280 : non-critical */
+static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length)
+{
+    byte skid_len[1 + MAX_LENGTH_SZ];
+    byte skid_enc_len[MAX_LENGTH_SZ];
+    int idx = 0, skid_lenSz, skid_enc_lenSz;
+    const byte skid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04 };
+
+    if (output == NULL || input == NULL)
+        return BAD_FUNC_ARG;
+
+    /* Octet String header */
+    skid_lenSz = SetOctetString(length, skid_len);
+
+    /* length of encoded value */
+    skid_enc_lenSz = SetLength(length + skid_lenSz, skid_enc_len);
+
+    if (outSz < 3)
+        return BUFFER_E;
+
+    idx = SetSequence(length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz,
+                      output);
+
+    if ((length + sizeof(skid_oid) + skid_lenSz + skid_enc_lenSz) > outSz)
+        return BUFFER_E;
+
+    /* put oid */
+    XMEMCPY(output+idx, skid_oid, sizeof(skid_oid));
+    idx += sizeof(skid_oid);
+
+    /* put encoded len */
+    XMEMCPY(output+idx, skid_enc_len, skid_enc_lenSz);
+    idx += skid_enc_lenSz;
+
+    /* put octet header */
+    XMEMCPY(output+idx, skid_len, skid_lenSz);
+    idx += skid_lenSz;
+
+    /* put value */
+    XMEMCPY(output+idx, input, length);
+    idx += length;
+
+    return idx;
+}
+
+/* encode Authority Key Identifier, return total bytes written
+ * RFC5280 : non-critical */
+static int SetAKID(byte* output, word32 outSz,
+                                         byte *input, word32 length, void* heap)
+{
+    byte    *enc_val;
+    int     ret, enc_valSz;
+    const byte akid_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04 };
+    const byte akid_cs[] = { 0x80 };
+
+    (void)heap;
+
+    if (output == NULL || input == NULL)
+        return BAD_FUNC_ARG;
+
+    enc_valSz = length + 3 + sizeof(akid_cs);
+    enc_val = (byte *)XMALLOC(enc_valSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (enc_val == NULL)
+        return MEMORY_E;
+
+    /* sequence for ContentSpec & value */
+    ret = SetOidValue(enc_val, enc_valSz, akid_cs, sizeof(akid_cs),
+                      input, length);
+    if (ret > 0) {
+        enc_valSz = ret;
+
+        ret = SetOidValue(output, outSz, akid_oid, sizeof(akid_oid),
+                          enc_val, enc_valSz);
+    }
+
+    XFREE(enc_val, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+
+/* encode Key Usage, return total bytes written
+ * RFC5280 : critical */
+static int SetKeyUsage(byte* output, word32 outSz, word16 input)
+{
+    byte ku[5];
+    int  idx;
+    const byte keyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f,
+                                         0x01, 0x01, 0xff, 0x04};
+    if (output == NULL)
+        return BAD_FUNC_ARG;
+
+    idx = SetBitString16Bit(input, ku);
+    return SetOidValue(output, outSz, keyusage_oid, sizeof(keyusage_oid),
+                       ku, idx);
+}
+
+static int SetOjectIdValue(byte* output, word32 outSz, int* idx,
+    const byte* oid, word32 oidSz)
+{
+    /* verify room */
+    if (*idx + 2 + oidSz >= outSz)
+        return ASN_PARSE_E;
+
+    *idx += SetObjectId(oidSz, &output[*idx]);
+    XMEMCPY(&output[*idx], oid, oidSz);
+    *idx += oidSz;
+
+    return 0;
+}
+
+/* encode Extended Key Usage (RFC 5280 4.2.1.12), return total bytes written */
+static int SetExtKeyUsage(Cert* cert, byte* output, word32 outSz, byte input)
+{
+    int idx = 0, oidListSz = 0, totalSz, ret = 0;
+    const byte extkeyusage_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 };
+
+    if (output == NULL)
+        return BAD_FUNC_ARG;
+
+    /* Skip to OID List */
+    totalSz = 2 + sizeof(extkeyusage_oid) + 4;
+    idx = totalSz;
+
+    /* Build OID List */
+    /* If any set, then just use it */
+    if (input & EXTKEYUSE_ANY) {
+        ret |= SetOjectIdValue(output, outSz, &idx,
+            extExtKeyUsageAnyOid, sizeof(extExtKeyUsageAnyOid));
+    }
+    else {
+        if (input & EXTKEYUSE_SERVER_AUTH)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageServerAuthOid, sizeof(extExtKeyUsageServerAuthOid));
+        if (input & EXTKEYUSE_CLIENT_AUTH)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageClientAuthOid, sizeof(extExtKeyUsageClientAuthOid));
+        if (input & EXTKEYUSE_CODESIGN)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageCodeSigningOid, sizeof(extExtKeyUsageCodeSigningOid));
+        if (input & EXTKEYUSE_EMAILPROT)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageEmailProtectOid, sizeof(extExtKeyUsageEmailProtectOid));
+        if (input & EXTKEYUSE_TIMESTAMP)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageTimestampOid, sizeof(extExtKeyUsageTimestampOid));
+        if (input & EXTKEYUSE_OCSP_SIGN)
+            ret |= SetOjectIdValue(output, outSz, &idx,
+                extExtKeyUsageOcspSignOid, sizeof(extExtKeyUsageOcspSignOid));
+    #ifdef WOLFSSL_EKU_OID
+        /* iterate through OID values */
+        if (input & EXTKEYUSE_USER) {
+            int i, sz;
+            for (i = 0; i < CTC_MAX_EKU_NB; i++) {
+                sz = cert->extKeyUsageOIDSz[i];
+                if (sz > 0) {
+                    ret |= SetOjectIdValue(output, outSz, &idx,
+                        cert->extKeyUsageOID[i], sz);
+                }
+            }
+        }
+    #endif /* WOLFSSL_EKU_OID */
+    }
+    if (ret != 0)
+        return ASN_PARSE_E;
+
+    /* Calculate Sizes */
+    oidListSz = idx - totalSz;
+    totalSz = idx - 2; /* exclude first seq/len (2) */
+
+    /* 1. Seq + Total Len (2) */
+    idx = SetSequence(totalSz, output);
+
+    /* 2. Object ID (2) */
+    XMEMCPY(&output[idx], extkeyusage_oid, sizeof(extkeyusage_oid));
+    idx += sizeof(extkeyusage_oid);
+
+    /* 3. Octet String (2) */
+    idx += SetOctetString(totalSz - idx, &output[idx]);
+
+    /* 4. Seq + OidListLen (2) */
+    idx += SetSequence(oidListSz, &output[idx]);
+
+    /* 5. Oid List (already set in-place above) */
+    idx += oidListSz;
+
+    (void)cert;
+    return idx;
+}
+
+/* encode Certificate Policies, return total bytes written
+ * each input value must be ITU-T X.690 formatted : a.b.c...
+ * input must be an array of values with a NULL terminated for the latest
+ * RFC5280 : non-critical */
+static int SetCertificatePolicies(byte *output,
+                                  word32 outputSz,
+                                  char input[MAX_CERTPOL_NB][MAX_CERTPOL_SZ],
+                                  word16 nb_certpol,
+                                  void* heap)
+{
+    byte    oid[MAX_OID_SZ],
+            der_oid[MAX_CERTPOL_NB][MAX_OID_SZ],
+            out[MAX_CERTPOL_SZ];
+    word32  oidSz;
+    word32  outSz, i = 0, der_oidSz[MAX_CERTPOL_NB];
+    int     ret;
+
+    const byte certpol_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04 };
+    const byte oid_oid[] = { 0x06 };
+
+    if (output == NULL || input == NULL || nb_certpol > MAX_CERTPOL_NB)
+        return BAD_FUNC_ARG;
+
+    for (i = 0; i < nb_certpol; i++) {
+        oidSz = sizeof(oid);
+        XMEMSET(oid, 0, oidSz);
+
+        ret = EncodePolicyOID(oid, &oidSz, input[i], heap);
+        if (ret != 0)
+            return ret;
+
+        /* compute sequence value for the oid */
+        ret = SetOidValue(der_oid[i], MAX_OID_SZ, oid_oid,
+                          sizeof(oid_oid), oid, oidSz);
+        if (ret <= 0)
+            return ret;
+        else
+            der_oidSz[i] = (word32)ret;
+    }
+
+    /* concatenate oid, keep two byte for sequence/size of the created value */
+    for (i = 0, outSz = 2; i < nb_certpol; i++) {
+        XMEMCPY(out+outSz, der_oid[i], der_oidSz[i]);
+        outSz += der_oidSz[i];
+    }
+
+    /* add sequence */
+    ret = SetSequence(outSz-2, out);
+    if (ret <= 0)
+        return ret;
+
+    /* add Policy OID to compute final value */
+    return SetOidValue(output, outputSz, certpol_oid, sizeof(certpol_oid),
+                      out, outSz);
+}
+#endif /* WOLFSSL_CERT_EXT */
+
+
+#ifdef WOLFSSL_ALT_NAMES
+
+/* encode Alternative Names, return total bytes written */
+static int SetAltNames(byte *output, word32 outSz,
+        const byte *input, word32 length)
+{
+    byte san_len[1 + MAX_LENGTH_SZ];
+    int idx = 0, san_lenSz;
+    const byte san_oid[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 };
+
+    if (output == NULL || input == NULL)
+        return BAD_FUNC_ARG;
+
+    if (outSz < length)
+        return BUFFER_E;
+
+    /* Octet String header */
+    san_lenSz = SetOctetString(length, san_len);
+
+    if (outSz < MAX_SEQ_SZ)
+        return BUFFER_E;
+
+    idx = SetSequence(length + sizeof(san_oid) + san_lenSz, output);
+
+    if ((length + sizeof(san_oid) + san_lenSz) > outSz)
+        return BUFFER_E;
+
+    /* put oid */
+    XMEMCPY(output+idx, san_oid, sizeof(san_oid));
+    idx += sizeof(san_oid);
+
+    /* put octet header */
+    XMEMCPY(output+idx, san_len, san_lenSz);
+    idx += san_lenSz;
+
+    /* put value */
+    XMEMCPY(output+idx, input, length);
+    idx += length;
+
+    return idx;
+}
+
+
+#ifdef WOLFSSL_CERT_GEN
+
+int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
+{
+    word32 idx;
+    const DNS_entry* curName;
+    word32 namesSz = 0;
+
+    if (output == NULL)
+        return BAD_FUNC_ARG;
+
+    if (names == NULL)
+        return 0;
+
+    curName = names;
+    do {
+        namesSz += curName->len + 2 +
+            ((curName->len < ASN_LONG_LENGTH) ? 0
+             : BytePrecision(curName->len));
+        curName = curName->next;
+    } while (curName != NULL);
+
+    if (outputSz < MAX_SEQ_SZ + namesSz)
+        return BUFFER_E;
+
+    idx = SetSequence(namesSz, output);
+
+    curName = names;
+    do {
+        output[idx++] = ASN_CONTEXT_SPECIFIC | curName->type;
+        idx += SetLength(curName->len, output + idx);
+        XMEMCPY(output + idx, curName->name, curName->len);
+        idx += curName->len;
+        curName = curName->next;
+    } while (curName != NULL);
+
+    return idx;
+}
+
+#endif /* WOLFSSL_CERT_GEN */
+
+#endif /* WOLFSSL_ALT_NAMES */
+
+/* Encodes one attribute of the name (issuer/subject)
+ *
+ * name     structure to hold result of encoding
+ * nameStr  value to be encoded
+ * nameType type of encoding i.e CTC_UTF8
+ * type     id of attribute i.e ASN_COMMON_NAME
+ *
+ * returns length on success
+ */
+static int wc_EncodeName(EncodedName* name, const char* nameStr, char nameType,
+        byte type)
+{
+    word32 idx = 0;
+
+    if (nameStr) {
+        /* bottom up */
+        byte firstLen[1 + MAX_LENGTH_SZ];
+        byte secondLen[MAX_LENGTH_SZ];
+        byte sequence[MAX_SEQ_SZ];
+        byte set[MAX_SET_SZ];
+
+        int strLen  = (int)XSTRLEN(nameStr);
+        int thisLen = strLen;
+        int firstSz, secondSz, seqSz, setSz;
+
+        if (strLen == 0) { /* no user data for this item */
+            name->used = 0;
+            return 0;
+        }
+
+        /* Restrict country code size */
+        if (ASN_COUNTRY_NAME == type && strLen != CTC_COUNTRY_SIZE) {
+            return ASN_COUNTRY_SIZE_E;
+        }
+
+        secondSz = SetLength(strLen, secondLen);
+        thisLen += secondSz;
+        switch (type) {
+            case ASN_EMAIL_NAME: /* email */
+                thisLen += EMAIL_JOINT_LEN;
+                firstSz  = EMAIL_JOINT_LEN;
+                break;
+
+            case ASN_DOMAIN_COMPONENT:
+                thisLen += PILOT_JOINT_LEN;
+                firstSz  = PILOT_JOINT_LEN;
+                break;
+
+            default:
+                thisLen++;                                 /* str type */
+                thisLen += JOINT_LEN;
+                firstSz  = JOINT_LEN + 1;
+        }
+        thisLen++; /* id  type */
+        firstSz  = SetObjectId(firstSz, firstLen);
+        thisLen += firstSz;
+
+        seqSz = SetSequence(thisLen, sequence);
+        thisLen += seqSz;
+        setSz = SetSet(thisLen, set);
+        thisLen += setSz;
+
+        if (thisLen > (int)sizeof(name->encoded)) {
+            return BUFFER_E;
+        }
+
+        /* store it */
+        idx = 0;
+        /* set */
+        XMEMCPY(name->encoded, set, setSz);
+        idx += setSz;
+        /* seq */
+        XMEMCPY(name->encoded + idx, sequence, seqSz);
+        idx += seqSz;
+        /* asn object id */
+        XMEMCPY(name->encoded + idx, firstLen, firstSz);
+        idx += firstSz;
+        switch (type) {
+            case ASN_EMAIL_NAME:
+                {
+                    const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                       0x01, 0x09, 0x01, 0x16 };
+                    /* email joint id */
+                    XMEMCPY(name->encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
+                    idx += (int)sizeof(EMAIL_OID);
+                }
+                break;
+
+            case ASN_DOMAIN_COMPONENT:
+                {
+                    const byte PILOT_OID[] = { 0x09, 0x92, 0x26, 0x89,
+                                    0x93, 0xF2, 0x2C, 0x64, 0x01
+                    };
+
+                    XMEMCPY(name->encoded + idx, PILOT_OID,
+                                                     sizeof(PILOT_OID));
+                    idx += (int)sizeof(PILOT_OID);
+                    /* id type */
+                    name->encoded[idx++] = type;
+                    /* str type */
+                    name->encoded[idx++] = nameType;
+                }
+                break;
+
+            default:
+                name->encoded[idx++] = 0x55;
+                name->encoded[idx++] = 0x04;
+                /* id type */
+                name->encoded[idx++] = type;
+                /* str type */
+                name->encoded[idx++] = nameType;
+        }
+        /* second length */
+        XMEMCPY(name->encoded + idx, secondLen, secondSz);
+        idx += secondSz;
+        /* str value */
+        XMEMCPY(name->encoded + idx, nameStr, strLen);
+        idx += strLen;
+
+        name->type = type;
+        name->totalLen = idx;
+        name->used = 1;
+    }
+    else
+        name->used = 0;
+
+    return idx;
+}
+
 /* encode CertName into output, return total bytes written */
-static int SetName(byte* output, CertName* name)
+int SetName(byte* output, word32 outputSz, CertName* name)
 {
     int          totalBytes = 0, i, idx;
 #ifdef WOLFSSL_SMALL_STACK
@@ -5447,6 +12679,16 @@ static int SetName(byte* output, CertName* name)
 #else
     EncodedName  names[NAME_ENTRIES];
 #endif
+#ifdef WOLFSSL_MULTI_ATTRIB
+    EncodedName addNames[CTC_MAX_ATTRIB];
+    int j, type;
+#endif
+
+    if (output == NULL || name == NULL)
+        return BAD_FUNC_ARG;
+
+    if (outputSz < 3)
+        return BUFFER_E;
 
 #ifdef WOLFSSL_SMALL_STACK
     names = (EncodedName*)XMALLOC(sizeof(EncodedName) * NAME_ENTRIES, NULL,
@@ -5456,96 +12698,38 @@ static int SetName(byte* output, CertName* name)
 #endif
 
     for (i = 0; i < NAME_ENTRIES; i++) {
+        int ret;
         const char* nameStr = GetOneName(name, i);
-        if (nameStr) {
-            /* bottom up */
-            byte firstLen[MAX_LENGTH_SZ];
-            byte secondLen[MAX_LENGTH_SZ];
-            byte sequence[MAX_SEQ_SZ];
-            byte set[MAX_SET_SZ];
-
-            int email = i == (NAME_ENTRIES - 1) ? 1 : 0;
-            int strLen  = (int)XSTRLEN(nameStr);
-            int thisLen = strLen;
-            int firstSz, secondSz, seqSz, setSz;
-
-            if (strLen == 0) { /* no user data for this item */
-                names[i].used = 0;
-                continue;
-            }
-
-            secondSz = SetLength(strLen, secondLen);
-            thisLen += secondSz;
-            if (email) {
-                thisLen += EMAIL_JOINT_LEN;
-                thisLen ++;                               /* id type */
-                firstSz  = SetLength(EMAIL_JOINT_LEN, firstLen);
-            }
-            else {
-                thisLen++;                                 /* str type */
-                thisLen++;                                 /* id  type */
-                thisLen += JOINT_LEN;    
-                firstSz = SetLength(JOINT_LEN + 1, firstLen);
-            }
-            thisLen += firstSz;
-            thisLen++;                                /* object id */
-
-            seqSz = SetSequence(thisLen, sequence);
-            thisLen += seqSz;
-            setSz = SetSet(thisLen, set);
-            thisLen += setSz;
 
-            if (thisLen > (int)sizeof(names[i].encoded)) {
-#ifdef WOLFSSL_SMALL_STACK
+        ret = wc_EncodeName(&names[i], nameStr, GetNameType(name, i),
+                          GetNameId(i));
+        if (ret < 0) {
+        #ifdef WOLFSSL_SMALL_STACK
                 XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+        #endif
+                return BUFFER_E;
+        }
+        totalBytes += ret;
+    }
+#ifdef WOLFSSL_MULTI_ATTRIB
+    for (i = 0; i < CTC_MAX_ATTRIB; i++) {
+        if (name->name[i].sz > 0) {
+            int ret;
+            ret = wc_EncodeName(&addNames[i], name->name[i].value,
+                        name->name[i].type, name->name[i].id);
+            if (ret < 0) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
                 return BUFFER_E;
             }
-
-            /* store it */
-            idx = 0;
-            /* set */
-            XMEMCPY(names[i].encoded, set, setSz);
-            idx += setSz;
-            /* seq */
-            XMEMCPY(names[i].encoded + idx, sequence, seqSz);
-            idx += seqSz;
-            /* asn object id */
-            names[i].encoded[idx++] = ASN_OBJECT_ID;
-            /* first length */
-            XMEMCPY(names[i].encoded + idx, firstLen, firstSz);
-            idx += firstSz;
-            if (email) {
-                const byte EMAIL_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                           0x01, 0x09, 0x01, 0x16 };
-                /* email joint id */
-                XMEMCPY(names[i].encoded + idx, EMAIL_OID, sizeof(EMAIL_OID));
-                idx += (int)sizeof(EMAIL_OID);
-            }
-            else {
-                /* joint id */
-                byte bType = GetNameId(i);
-                names[i].encoded[idx++] = 0x55;
-                names[i].encoded[idx++] = 0x04;
-                /* id type */
-                names[i].encoded[idx++] = bType; 
-                /* str type */
-                names[i].encoded[idx++] = GetNameType(name, i);
-            }
-            /* second length */
-            XMEMCPY(names[i].encoded + idx, secondLen, secondSz);
-            idx += secondSz;
-            /* str value */
-            XMEMCPY(names[i].encoded + idx, nameStr, strLen);
-            idx += strLen;
-
-            totalBytes += idx;
-            names[i].totalLen = idx;
-            names[i].used = 1;
+            totalBytes += ret;
+        }
+        else {
+            addNames[i].used = 0;
         }
-        else
-            names[i].used = 0;
     }
+#endif /* WOLFSSL_MULTI_ATTRIB */
 
     /* header */
     idx = SetSequence(totalBytes, output);
@@ -5558,7 +12742,54 @@ static int SetName(byte* output, CertName* name)
     }
 
     for (i = 0; i < NAME_ENTRIES; i++) {
+    #ifdef WOLFSSL_MULTI_ATTRIB
+        type = GetNameId(i);
+
+        /* list all DC values before OUs */
+        if (type == ASN_ORGUNIT_NAME) {
+            type = ASN_DOMAIN_COMPONENT;
+            for (j = 0; j < CTC_MAX_ATTRIB; j++) {
+                if (name->name[j].sz > 0 && type == name->name[j].id) {
+                    if (outputSz < (word32)(idx+addNames[j].totalLen)) {
+                    #ifdef WOLFSSL_SMALL_STACK
+                        XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                    #endif
+                        return BUFFER_E;
+                    }
+
+                    XMEMCPY(output + idx, addNames[j].encoded,
+                            addNames[j].totalLen);
+                    idx += addNames[j].totalLen;
+                }
+            }
+            type = ASN_ORGUNIT_NAME;
+        }
+
+        /* write all similar types to the buffer */
+        for (j = 0; j < CTC_MAX_ATTRIB; j++) {
+            if (name->name[j].sz > 0 && type == name->name[j].id) {
+                if (outputSz < (word32)(idx+addNames[j].totalLen)) {
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                #endif
+                    return BUFFER_E;
+                }
+
+                XMEMCPY(output + idx, addNames[j].encoded,
+                        addNames[j].totalLen);
+                idx += addNames[j].totalLen;
+            }
+        }
+    #endif /* WOLFSSL_MULTI_ATTRIB */
+
         if (names[i].used) {
+            if (outputSz < (word32)(idx+names[i].totalLen)) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(names, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return BUFFER_E;
+            }
+
             XMEMCPY(output + idx, names[i].encoded, names[i].totalLen);
             idx += names[i].totalLen;
         }
@@ -5573,13 +12804,19 @@ static int SetName(byte* output, CertName* name)
 
 /* encode info from cert into DER encoded format */
 static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
-                      RNG* rng, const byte* ntruKey, word16 ntruSz)
+                      WC_RNG* rng, const byte* ntruKey, word16 ntruSz,
+                      ed25519_key* ed25519Key, ed448_key* ed448Key)
 {
     int ret;
 
-    (void)eccKey;
-    (void)ntruKey;
-    (void)ntruSz;
+    if (cert == NULL || der == NULL || rng == NULL)
+        return BAD_FUNC_ARG;
+
+    /* make sure at least one key type is provided */
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL &&
+                                          ed448Key == NULL && ntruKey == NULL) {
+        return PUBLIC_KEY_E;
+    }
 
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
@@ -5587,65 +12824,95 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     /* version */
     der->versionSz = SetMyVersion(cert->version, der->version, TRUE);
 
-    /* serial number */
-    ret = wc_RNG_GenerateBlock(rng, cert->serial, CTC_SERIAL_SIZE);
-    if (ret != 0)
-        return ret;
-
-    cert->serial[0] = 0x01;   /* ensure positive */
-    der->serialSz  = SetSerial(cert->serial, der->serial);
+    /* serial number (must be positive) */
+    if (cert->serialSz == 0) {
+        /* generate random serial */
+        cert->serialSz = CTC_GEN_SERIAL_SZ;
+        ret = wc_RNG_GenerateBlock(rng, cert->serial, cert->serialSz);
+        if (ret != 0)
+            return ret;
+        /* Clear the top bit to avoid a negative value */
+        cert->serial[0] &= 0x7f;
+    }
+    der->serialSz = SetSerialNumber(cert->serial, cert->serialSz, der->serial,
+        sizeof(der->serial), CTC_SERIAL_SIZE);
+    if (der->serialSz < 0)
+        return der->serialSz;
 
     /* signature algo */
-    der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, sigType, 0);
-    if (der->sigAlgoSz == 0)
+    der->sigAlgoSz = SetAlgoID(cert->sigType, der->sigAlgo, oidSigType, 0);
+    if (der->sigAlgoSz <= 0)
         return ALGO_ID_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
-        der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
+        der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
+                                           sizeof(der->publicKey), 1);
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
         if (eccKey == NULL)
             return PUBLIC_KEY_E;
-        der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey);
-        if (der->publicKeySz <= 0)
+        der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
+    }
+#endif
+
+#ifdef HAVE_ED25519
+    if (cert->keyType == ED25519_KEY) {
+        if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
+        der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
     }
-#endif /* HAVE_ECC */
+#endif
+
+#ifdef HAVE_ED448
+    if (cert->keyType == ED448_KEY) {
+        if (ed448Key == NULL)
+            return PUBLIC_KEY_E;
+        der->publicKeySz = SetEd448PublicKey(der->publicKey, ed448Key, 1);
+    }
+#endif
 
 #ifdef HAVE_NTRU
     if (cert->keyType == NTRU_KEY) {
         word32 rc;
         word16 encodedSz;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        if (ntruKey == NULL)
+            return PUBLIC_KEY_E;
+
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                                    ntruKey, &encodedSz, NULL);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
         if (encodedSz > MAX_PUBLIC_KEY_SZ)
             return PUBLIC_KEY_E;
 
-        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo( ntruSz,
+        rc  = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(ntruSz,
                                          ntruKey, &encodedSz, der->publicKey);
         if (rc != NTRU_OK)
             return PUBLIC_KEY_E;
 
         der->publicKeySz = encodedSz;
     }
+#else
+    (void)ntruSz;
 #endif /* HAVE_NTRU */
 
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
+
     der->validitySz = 0;
 #ifdef WOLFSSL_ALT_NAMES
     /* date validity copy ? */
     if (cert->beforeDateSz && cert->afterDateSz) {
         der->validitySz = CopyValidity(der->validity, cert);
-        if (der->validitySz == 0)
+        if (der->validitySz <= 0)
             return DATE_E;
     }
 #endif
@@ -5653,49 +12920,247 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
     /* date validity */
     if (der->validitySz == 0) {
         der->validitySz = SetValidity(der->validity, cert->daysValid);
-        if (der->validitySz == 0)
+        if (der->validitySz <= 0)
             return DATE_E;
     }
 
     /* subject name */
-    der->subjectSz = SetName(der->subject, &cert->subject);
-    if (der->subjectSz == 0)
+#ifdef WOLFSSL_CERT_EXT
+    if (XSTRLEN((const char*)cert->sbjRaw) > 0) {
+        /* Use the raw subject */
+        int idx;
+
+        der->subjectSz = min(sizeof(der->subject),
+                (word32)XSTRLEN((const char*)cert->sbjRaw));
+        /* header */
+        idx = SetSequence(der->subjectSz, der->subject);
+        if (der->subjectSz + idx > (int)sizeof(der->subject)) {
+            return SUBJECT_E;
+        }
+
+        XMEMCPY((char*)der->subject + idx, (const char*)cert->sbjRaw,
+                der->subjectSz);
+        der->subjectSz += idx;
+    }
+    else
+#endif
+    {
+        /* Use the name structure */
+        der->subjectSz = SetName(der->subject, sizeof(der->subject),
+                &cert->subject);
+    }
+    if (der->subjectSz <= 0)
         return SUBJECT_E;
 
     /* issuer name */
-    der->issuerSz = SetName(der->issuer, cert->selfSigned ?
-             &cert->subject : &cert->issuer);
-    if (der->issuerSz == 0)
+#ifdef WOLFSSL_CERT_EXT
+    if (XSTRLEN((const char*)cert->issRaw) > 0) {
+        /* Use the raw issuer */
+        int idx;
+
+        der->issuerSz = min(sizeof(der->issuer),
+                (word32)XSTRLEN((const char*)cert->issRaw));
+        /* header */
+        idx = SetSequence(der->issuerSz, der->issuer);
+        if (der->issuerSz + idx > (int)sizeof(der->issuer)) {
+            return ISSUER_E;
+        }
+
+        XMEMCPY((char*)der->issuer + idx, (const char*)cert->issRaw,
+                der->issuerSz);
+        der->issuerSz += idx;
+    }
+    else
+#endif
+    {
+        /* Use the name structure */
+        der->issuerSz = SetName(der->issuer, sizeof(der->issuer),
+                cert->selfSigned ? &cert->subject : &cert->issuer);
+    }
+    if (der->issuerSz <= 0)
         return ISSUER_E;
 
+    /* set the extensions */
+    der->extensionsSz = 0;
+
     /* CA */
     if (cert->isCA) {
-        der->caSz = SetCa(der->ca);
-        if (der->caSz == 0)
+        der->caSz = SetCa(der->ca, sizeof(der->ca));
+        if (der->caSz <= 0)
             return CA_TRUE_E;
+
+        der->extensionsSz += der->caSz;
     }
     else
         der->caSz = 0;
 
-    /* extensions, just CA now */
-    if (cert->isCA) {
-        der->extensionsSz = SetExtensions(der->extensions,
-                                          der->ca, der->caSz, TRUE);
-        if (der->extensionsSz == 0)
-            return EXTENSIONS_E;
+#ifdef WOLFSSL_ALT_NAMES
+    /* Alternative Name */
+    if (cert->altNamesSz) {
+        der->altNamesSz = SetAltNames(der->altNames, sizeof(der->altNames),
+                                      cert->altNames, cert->altNamesSz);
+        if (der->altNamesSz <= 0)
+            return ALT_NAME_E;
+
+        der->extensionsSz += der->altNamesSz;
     }
     else
-        der->extensionsSz = 0;
+        der->altNamesSz = 0;
+#endif
 
-#ifdef WOLFSSL_ALT_NAMES
-    if (der->extensionsSz == 0 && cert->altNamesSz) {
-        der->extensionsSz = SetExtensions(der->extensions, cert->altNames,
-                                          cert->altNamesSz, TRUE);
-        if (der->extensionsSz == 0)
-            return EXTENSIONS_E;
+#ifdef WOLFSSL_CERT_EXT
+    /* SKID */
+    if (cert->skidSz) {
+        /* check the provided SKID size */
+        if (cert->skidSz > (int)min(CTC_MAX_SKID_SIZE, sizeof(der->skid)))
+            return SKID_E;
+
+        /* Note: different skid buffers sizes for der (MAX_KID_SZ) and
+            cert (CTC_MAX_SKID_SIZE). */
+        der->skidSz = SetSKID(der->skid, sizeof(der->skid),
+                              cert->skid, cert->skidSz);
+        if (der->skidSz <= 0)
+            return SKID_E;
+
+        der->extensionsSz += der->skidSz;
+    }
+    else
+        der->skidSz = 0;
+
+    /* AKID */
+    if (cert->akidSz) {
+        /* check the provided AKID size */
+        if (cert->akidSz > (int)min(CTC_MAX_AKID_SIZE, sizeof(der->akid)))
+            return AKID_E;
+
+        der->akidSz = SetAKID(der->akid, sizeof(der->akid),
+                              cert->akid, cert->akidSz, cert->heap);
+        if (der->akidSz <= 0)
+            return AKID_E;
+
+        der->extensionsSz += der->akidSz;
+    }
+    else
+        der->akidSz = 0;
+
+    /* Key Usage */
+    if (cert->keyUsage != 0){
+        der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
+                                      cert->keyUsage);
+        if (der->keyUsageSz <= 0)
+            return KEYUSAGE_E;
+
+        der->extensionsSz += der->keyUsageSz;
+    }
+    else
+        der->keyUsageSz = 0;
+
+    /* Extended Key Usage */
+    if (cert->extKeyUsage != 0){
+        der->extKeyUsageSz = SetExtKeyUsage(cert, der->extKeyUsage,
+                                sizeof(der->extKeyUsage), cert->extKeyUsage);
+        if (der->extKeyUsageSz <= 0)
+            return EXTKEYUSAGE_E;
+
+        der->extensionsSz += der->extKeyUsageSz;
+    }
+    else
+        der->extKeyUsageSz = 0;
+
+    /* Certificate Policies */
+    if (cert->certPoliciesNb != 0) {
+        der->certPoliciesSz = SetCertificatePolicies(der->certPolicies,
+                                                     sizeof(der->certPolicies),
+                                                     cert->certPolicies,
+                                                     cert->certPoliciesNb,
+                                                     cert->heap);
+        if (der->certPoliciesSz <= 0)
+            return CERTPOLICIES_E;
+
+        der->extensionsSz += der->certPoliciesSz;
     }
+    else
+        der->certPoliciesSz = 0;
+#endif /* WOLFSSL_CERT_EXT */
+
+    /* put extensions */
+    if (der->extensionsSz > 0) {
+
+        /* put the start of extensions sequence (ID, Size) */
+        der->extensionsSz = SetExtensionsHeader(der->extensions,
+                                                sizeof(der->extensions),
+                                                der->extensionsSz);
+        if (der->extensionsSz <= 0)
+            return EXTENSIONS_E;
+
+        /* put CA */
+        if (der->caSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->ca, der->caSz);
+            if (ret == 0)
+                return EXTENSIONS_E;
+        }
+
+#ifdef WOLFSSL_ALT_NAMES
+        /* put Alternative Names */
+        if (der->altNamesSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->altNames, der->altNamesSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
 #endif
 
+#ifdef WOLFSSL_CERT_EXT
+        /* put SKID */
+        if (der->skidSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->skid, der->skidSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put AKID */
+        if (der->akidSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->akid, der->akidSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put KeyUsage */
+        if (der->keyUsageSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->keyUsage, der->keyUsageSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put ExtendedKeyUsage */
+        if (der->extKeyUsageSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->extKeyUsage, der->extKeyUsageSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put Certificate Policies */
+        if (der->certPoliciesSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->certPolicies, der->certPoliciesSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+#endif /* WOLFSSL_CERT_EXT */
+    }
+
     der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
         der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz +
         der->extensionsSz;
@@ -5705,37 +13170,37 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
 
 
 /* write DER encoded cert to buffer, size already checked */
-static int WriteCertBody(DerCert* der, byte* buffer)
+static int WriteCertBody(DerCert* der, byte* buf)
 {
     int idx;
 
     /* signed part header */
-    idx = SetSequence(der->total, buffer);
+    idx = SetSequence(der->total, buf);
     /* version */
-    XMEMCPY(buffer + idx, der->version, der->versionSz);
+    XMEMCPY(buf + idx, der->version, der->versionSz);
     idx += der->versionSz;
     /* serial */
-    XMEMCPY(buffer + idx, der->serial, der->serialSz);
+    XMEMCPY(buf + idx, der->serial, der->serialSz);
     idx += der->serialSz;
     /* sig algo */
-    XMEMCPY(buffer + idx, der->sigAlgo, der->sigAlgoSz);
+    XMEMCPY(buf + idx, der->sigAlgo, der->sigAlgoSz);
     idx += der->sigAlgoSz;
     /* issuer */
-    XMEMCPY(buffer + idx, der->issuer, der->issuerSz);
+    XMEMCPY(buf + idx, der->issuer, der->issuerSz);
     idx += der->issuerSz;
     /* validity */
-    XMEMCPY(buffer + idx, der->validity, der->validitySz);
+    XMEMCPY(buf + idx, der->validity, der->validitySz);
     idx += der->validitySz;
     /* subject */
-    XMEMCPY(buffer + idx, der->subject, der->subjectSz);
+    XMEMCPY(buf + idx, der->subject, der->subjectSz);
     idx += der->subjectSz;
     /* public key */
-    XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
+    XMEMCPY(buf + idx, der->publicKey, der->publicKeySz);
     idx += der->publicKeySz;
     if (der->extensionsSz) {
         /* extensions */
-        XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
-                                                   sizeof(der->extensions)));
+        XMEMCPY(buf + idx, der->extensions, min(der->extensionsSz,
+                                                   (int)sizeof(der->extensions)));
         idx += der->extensionsSz;
     }
 
@@ -5744,97 +13209,126 @@ static int WriteCertBody(DerCert* der, byte* buffer)
 
 
 /* Make RSA signature from buffer (sz), write to sig (sigSz) */
-static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz,
-                         RsaKey* rsaKey, ecc_key* eccKey, RNG* rng,
-                         int sigAlgoType)
+static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz,
+    byte* sig, int sigSz, RsaKey* rsaKey, ecc_key* eccKey,
+    ed25519_key* ed25519Key, ed448_key* ed448Key, WC_RNG* rng, int sigAlgoType,
+    void* heap)
 {
-    int encSigSz, digestSz, typeH = 0, ret = 0;
-    byte digest[SHA256_DIGEST_SIZE]; /* max size */
-#ifdef WOLFSSL_SMALL_STACK
-    byte* encSig;
-#else
-    byte encSig[MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ];
-#endif
+    int digestSz = 0, typeH = 0, ret = 0;
 
-    (void)digest;
     (void)digestSz;
-    (void)encSig;
-    (void)encSigSz;
     (void)typeH;
-
-    (void)buffer;
+    (void)buf;
     (void)sz;
     (void)sig;
     (void)sigSz;
     (void)rsaKey;
     (void)eccKey;
+    (void)ed25519Key;
+    (void)ed448Key;
     (void)rng;
+    (void)heap;
 
-    switch (sigAlgoType) {
-    #ifndef NO_MD5
-        case CTC_MD5wRSA:
-        if ((ret = wc_Md5Hash(buffer, sz, digest)) == 0) {
-            typeH    = MD5h;
-            digestSz = MD5_DIGEST_SIZE;
+    switch (certSignCtx->state) {
+    case CERTSIGN_STATE_BEGIN:
+    case CERTSIGN_STATE_DIGEST:
+
+        certSignCtx->state = CERTSIGN_STATE_DIGEST;
+        certSignCtx->digest = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (certSignCtx->digest == NULL) {
+            ret = MEMORY_E; goto exit_ms;
         }
-        break;
-    #endif
-    #ifndef NO_SHA
-        case CTC_SHAwRSA:
-        case CTC_SHAwECDSA:
-        if ((ret = wc_ShaHash(buffer, sz, digest)) == 0) {
-            typeH    = SHAh;
-            digestSz = SHA_DIGEST_SIZE;          
+
+        ret = HashForSignature(buf, sz, sigAlgoType, certSignCtx->digest,
+                               &typeH, &digestSz, 0);
+        /* set next state, since WC_PENDING_E rentry for these are not "call again" */
+        certSignCtx->state = CERTSIGN_STATE_ENCODE;
+        if (ret != 0) {
+            goto exit_ms;
         }
-        break;
-    #endif
-    #ifndef NO_SHA256
-        case CTC_SHA256wRSA:
-        case CTC_SHA256wECDSA:
-        if ((ret = wc_Sha256Hash(buffer, sz, digest)) == 0) {
-            typeH    = SHA256h;
-            digestSz = SHA256_DIGEST_SIZE;
+        FALL_THROUGH;
+
+    case CERTSIGN_STATE_ENCODE:
+    #ifndef NO_RSA
+        if (rsaKey) {
+            certSignCtx->encSig = (byte*)XMALLOC(MAX_DER_DIGEST_SZ, heap,
+                DYNAMIC_TYPE_TMP_BUFFER);
+            if (certSignCtx->encSig == NULL) {
+                ret = MEMORY_E; goto exit_ms;
+            }
+
+            /* signature */
+            certSignCtx->encSigSz = wc_EncodeSignature(certSignCtx->encSig,
+                                          certSignCtx->digest, digestSz, typeH);
         }
+    #endif /* !NO_RSA */
+        FALL_THROUGH;
+
+    case CERTSIGN_STATE_DO:
+        certSignCtx->state = CERTSIGN_STATE_DO;
+        ret = ALGO_ID_E; /* default to error */
+
+    #ifndef NO_RSA
+        if (rsaKey) {
+            /* signature */
+            ret = wc_RsaSSL_Sign(certSignCtx->encSig, certSignCtx->encSigSz,
+                                 sig, sigSz, rsaKey, rng);
+        }
+    #endif /* !NO_RSA */
+
+    #ifdef HAVE_ECC
+        if (!rsaKey && eccKey) {
+            word32 outSz = sigSz;
+
+            ret = wc_ecc_sign_hash(certSignCtx->digest, digestSz,
+                                   sig, &outSz, rng, eccKey);
+            if (ret == 0)
+                ret = outSz;
+        }
+    #endif /* HAVE_ECC */
+
+    #ifdef HAVE_ED25519
+        if (!rsaKey && !eccKey && ed25519Key) {
+            word32 outSz = sigSz;
+
+            ret = wc_ed25519_sign_msg(buf, sz, sig, &outSz, ed25519Key);
+            if (ret == 0)
+                ret = outSz;
+        }
+    #endif /* HAVE_ECC */
+
+    #ifdef HAVE_ED448
+        if (!rsaKey && !eccKey && !ed25519Key && ed448Key) {
+            word32 outSz = sigSz;
+
+            ret = wc_ed448_sign_msg(buf, sz, sig, &outSz, ed448Key, NULL, 0);
+            if (ret == 0)
+                ret = outSz;
+        }
+    #endif /* HAVE_ECC */
         break;
-    #endif
-        default:
-            WOLFSSL_MSG("MakeSignautre called with unsupported type");
-            ret = ALGO_ID_E;
     }
-    
-    if (ret != 0)
+
+exit_ms:
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (ret == WC_PENDING_E) {
         return ret;
-    
-#ifdef WOLFSSL_SMALL_STACK
-    encSig = (byte*)XMALLOC(MAX_ENCODED_DIG_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ,
-                                                 NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (encSig == NULL)
-        return MEMORY_E;
+    }
 #endif
-    
-    ret = ALGO_ID_E;
-    
+
 #ifndef NO_RSA
     if (rsaKey) {
-        /* signature */
-        encSigSz = wc_EncodeSignature(encSig, digest, digestSz, typeH);
-        ret = wc_RsaSSL_Sign(encSig, encSigSz, sig, sigSz, rsaKey, rng);
+        XFREE(certSignCtx->encSig, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
-#endif
-    
-#ifdef HAVE_ECC
-    if (!rsaKey && eccKey) {
-        word32 outSz = sigSz;
-        ret = wc_ecc_sign_hash(digest, digestSz, sig, &outSz, rng, eccKey);
+#endif /* !NO_RSA */
 
-        if (ret == 0)
-            ret = outSz;
-    }
-#endif
+    XFREE(certSignCtx->digest, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    certSignCtx->digest = NULL;
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(encSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    /* reset state */
+    certSignCtx->state = CERTSIGN_STATE_BEGIN;
 
     return ret;
 }
@@ -5842,27 +13336,27 @@ static int MakeSignature(const byte* buffer, int sz, byte* sig, int sigSz,
 
 /* add signature to end of buffer, size of buffer assumed checked, return
    new length */
-static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
+static int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz,
                         int sigAlgoType)
 {
     byte seq[MAX_SEQ_SZ];
     int  idx = bodySz, seqSz;
 
     /* algo */
-    idx += SetAlgoID(sigAlgoType, buffer + idx, sigType, 0);
+    idx += SetAlgoID(sigAlgoType, buf ? buf + idx : NULL, oidSigType, 0);
     /* bit string */
-    buffer[idx++] = ASN_BIT_STRING;
-    /* length */
-    idx += SetLength(sigSz + 1, buffer + idx);
-    buffer[idx++] = 0;   /* trailing 0 */
+    idx += SetBitString(sigSz, 0, buf ? buf + idx : NULL);
     /* signature */
-    XMEMCPY(buffer + idx, sig, sigSz);
+    if (buf)
+        XMEMCPY(buf + idx, sig, sigSz);
     idx += sigSz;
 
     /* make room for overall header */
     seqSz = SetSequence(idx, seq);
-    XMEMMOVE(buffer + seqSz, buffer, idx);
-    XMEMCPY(buffer, seq, seqSz);
+    if (buf) {
+        XMEMMOVE(buf + seqSz, buf, idx);
+        XMEMCPY(buf, seq, seqSz);
+    }
 
     return idx + seqSz;
 }
@@ -5870,8 +13364,9 @@ static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
 
 /* Make an x509 Certificate v3 any key type from cert input, write to buffer */
 static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
-                       RsaKey* rsaKey, ecc_key* eccKey, RNG* rng,
-                       const byte* ntruKey, word16 ntruSz)
+                       RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
+                       const byte* ntruKey, word16 ntruSz,
+                       ed25519_key* ed25519Key, ed448_key* ed448Key)
 {
     int ret;
 #ifdef WOLFSSL_SMALL_STACK
@@ -5880,16 +13375,21 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
     DerCert der[1];
 #endif
 
-    cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY : NTRU_KEY);
+    if (derBuffer == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY :
+            (ed25519Key ? ED25519_KEY : (ed448Key ? ED448_KEY : NTRU_KEY)));
 
 #ifdef WOLFSSL_SMALL_STACK
-    der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    der = (DerCert*)XMALLOC(sizeof(DerCert), cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (der == NULL)
         return MEMORY_E;
 #endif
 
-    ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz);
-
+    ret = EncodeCert(cert, der, rsaKey, eccKey, rng, ntruKey, ntruSz,
+                     ed25519Key, ed448Key);
     if (ret == 0) {
         if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
             ret = BUFFER_E;
@@ -5898,7 +13398,7 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return ret;
@@ -5906,19 +13406,41 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
 
 
 /* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
+int wc_MakeCert_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType,
+                   void* key, WC_RNG* rng)
+{
+    RsaKey*      rsaKey = NULL;
+    ecc_key*     eccKey = NULL;
+    ed25519_key* ed25519Key = NULL;
+    ed448_key*   ed448Key = NULL;
+
+    if (keyType == RSA_TYPE)
+        rsaKey = (RsaKey*)key;
+    else if (keyType == ECC_TYPE)
+        eccKey = (ecc_key*)key;
+    else if (keyType == ED25519_TYPE)
+        ed25519Key = (ed25519_key*)key;
+    else if (keyType == ED448_TYPE)
+        ed448Key = (ed448_key*)key;
+
+    return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0,
+                       ed25519Key, ed448Key);
+}
+/* Make an x509 Certificate v3 RSA or ECC from cert input, write to buffer */
 int wc_MakeCert(Cert* cert, byte* derBuffer, word32 derSz, RsaKey* rsaKey,
-             ecc_key* eccKey, RNG* rng)
+             ecc_key* eccKey, WC_RNG* rng)
 {
-    return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0);
+    return MakeAnyCert(cert, derBuffer, derSz, rsaKey, eccKey, rng, NULL, 0,
+                       NULL, NULL);
 }
 
 
 #ifdef HAVE_NTRU
 
 int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
-                  const byte* ntruKey, word16 keySz, RNG* rng)
+                  const byte* ntruKey, word16 keySz, WC_RNG* rng)
 {
-    return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz);
+    return MakeAnyCert(cert, derBuffer, derSz, NULL, NULL, rng, ntruKey, keySz, NULL);
 }
 
 #endif /* HAVE_NTRU */
@@ -5926,12 +13448,13 @@ int wc_MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
 
 #ifdef WOLFSSL_CERT_REQ
 
-static int SetReqAttrib(byte* output, char* pw, int extSz)
+static int SetReqAttrib(byte* output, char* pw, int pwPrintableString,
+                        int extSz)
 {
-    static const byte cpOid[] =
+    const byte cpOid[] =
         { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
                          0x09, 0x07 };
-    static const byte erOid[] =
+    const byte erOid[] =
         { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
                          0x09, 0x0e };
 
@@ -5955,7 +13478,11 @@ static int SetReqAttrib(byte* output, char* pw, int extSz)
 
     if (pw && pw[0]) {
         pwSz = (int)XSTRLEN(pw);
-        cpStrSz = SetUTF8String(pwSz, cpStr);
+        if (pwPrintableString) {
+            cpStrSz = SetPrintableString(pwSz, cpStr);
+        } else {
+            cpStrSz = SetUTF8String(pwSz, cpStr);
+        }
         cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
         cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
         cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
@@ -5998,10 +13525,21 @@ static int SetReqAttrib(byte* output, char* pw, int extSz)
 
 
 /* encode info from cert into DER encoded format */
-static int EncodeCertReq(Cert* cert, DerCert* der,
-                         RsaKey* rsaKey, ecc_key* eccKey)
+static int EncodeCertReq(Cert* cert, DerCert* der, RsaKey* rsaKey,
+                         ecc_key* eccKey, ed25519_key* ed25519Key,
+                         ed448_key* ed448Key)
 {
     (void)eccKey;
+    (void)ed25519Key;
+    (void)ed448Key;
+
+    if (cert == NULL || der == NULL)
+        return BAD_FUNC_ARG;
+
+    if (rsaKey == NULL && eccKey == NULL && ed25519Key == NULL &&
+                                                             ed448Key == NULL) {
+            return PUBLIC_KEY_E;
+    }
 
     /* init */
     XMEMSET(der, 0, sizeof(DerCert));
@@ -6010,51 +13548,163 @@ static int EncodeCertReq(Cert* cert, DerCert* der,
     der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
 
     /* subject name */
-    der->subjectSz = SetName(der->subject, &cert->subject);
-    if (der->subjectSz == 0)
+    der->subjectSz = SetName(der->subject, sizeof(der->subject), &cert->subject);
+    if (der->subjectSz <= 0)
         return SUBJECT_E;
 
     /* public key */
+#ifndef NO_RSA
     if (cert->keyType == RSA_KEY) {
         if (rsaKey == NULL)
             return PUBLIC_KEY_E;
-        der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey);
-        if (der->publicKeySz <= 0)
-            return PUBLIC_KEY_E;
+        der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey,
+                                           sizeof(der->publicKey), 1);
     }
+#endif
 
 #ifdef HAVE_ECC
     if (cert->keyType == ECC_KEY) {
-        if (eccKey == NULL)
+        der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey, 1);
+    }
+#endif
+
+#ifdef HAVE_ED25519
+    if (cert->keyType == ED25519_KEY) {
+        if (ed25519Key == NULL)
             return PUBLIC_KEY_E;
-        der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey);
-        if (der->publicKeySz <= 0)
+        der->publicKeySz = SetEd25519PublicKey(der->publicKey, ed25519Key, 1);
+    }
+#endif
+
+#ifdef HAVE_ED448
+    if (cert->keyType == ED448_KEY) {
+        if (ed448Key == NULL)
             return PUBLIC_KEY_E;
+        der->publicKeySz = SetEd448PublicKey(der->publicKey, ed448Key, 1);
     }
-#endif /* HAVE_ECC */
+#endif
+    if (der->publicKeySz <= 0)
+        return PUBLIC_KEY_E;
+
+    /* set the extensions */
+    der->extensionsSz = 0;
 
     /* CA */
     if (cert->isCA) {
-        der->caSz = SetCa(der->ca);
-        if (der->caSz == 0)
+        der->caSz = SetCa(der->ca, sizeof(der->ca));
+        if (der->caSz <= 0)
             return CA_TRUE_E;
+
+        der->extensionsSz += der->caSz;
     }
     else
         der->caSz = 0;
 
-    /* extensions, just CA now */
-    if (cert->isCA) {
-        der->extensionsSz = SetExtensions(der->extensions,
-                                          der->ca, der->caSz, FALSE);
-        if (der->extensionsSz == 0)
-            return EXTENSIONS_E;
+#ifdef WOLFSSL_CERT_EXT
+    /* SKID */
+    if (cert->skidSz) {
+        /* check the provided SKID size */
+        if (cert->skidSz > (int)min(CTC_MAX_SKID_SIZE, sizeof(der->skid)))
+            return SKID_E;
+
+        der->skidSz = SetSKID(der->skid, sizeof(der->skid),
+                              cert->skid, cert->skidSz);
+        if (der->skidSz <= 0)
+            return SKID_E;
+
+        der->extensionsSz += der->skidSz;
+    }
+    else
+        der->skidSz = 0;
+
+    /* Key Usage */
+    if (cert->keyUsage != 0){
+        der->keyUsageSz = SetKeyUsage(der->keyUsage, sizeof(der->keyUsage),
+                                      cert->keyUsage);
+        if (der->keyUsageSz <= 0)
+            return KEYUSAGE_E;
+
+        der->extensionsSz += der->keyUsageSz;
     }
     else
-        der->extensionsSz = 0;
+        der->keyUsageSz = 0;
 
-    der->attribSz = SetReqAttrib(der->attrib,
-                                 cert->challengePw, der->extensionsSz);
-    if (der->attribSz == 0)
+    /* Extended Key Usage */
+    if (cert->extKeyUsage != 0){
+        der->extKeyUsageSz = SetExtKeyUsage(cert, der->extKeyUsage,
+                                sizeof(der->extKeyUsage), cert->extKeyUsage);
+        if (der->extKeyUsageSz <= 0)
+            return EXTKEYUSAGE_E;
+
+        der->extensionsSz += der->extKeyUsageSz;
+    }
+    else
+        der->extKeyUsageSz = 0;
+
+#endif /* WOLFSSL_CERT_EXT */
+
+    /* put extensions */
+    if (der->extensionsSz > 0) {
+        int ret;
+
+        /* put the start of sequence (ID, Size) */
+        der->extensionsSz = SetSequence(der->extensionsSz, der->extensions);
+        if (der->extensionsSz <= 0)
+            return EXTENSIONS_E;
+
+        /* put CA */
+        if (der->caSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->ca, der->caSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+#ifdef WOLFSSL_CERT_EXT
+        /* put SKID */
+        if (der->skidSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->skid, der->skidSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put AKID */
+        if (der->akidSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->akid, der->akidSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put KeyUsage */
+        if (der->keyUsageSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->keyUsage, der->keyUsageSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+        /* put ExtendedKeyUsage */
+        if (der->extKeyUsageSz) {
+            ret = SetExtensions(der->extensions, sizeof(der->extensions),
+                                &der->extensionsSz,
+                                der->extKeyUsage, der->extKeyUsageSz);
+            if (ret <= 0)
+                return EXTENSIONS_E;
+        }
+
+#endif /* WOLFSSL_CERT_EXT */
+    }
+
+    der->attribSz = SetReqAttrib(der->attrib, cert->challengePw,
+                                 cert->challengePwPrintableString,
+                                 der->extensionsSz);
+    if (der->attribSz <= 0)
         return REQ_ATTRIBUTE_E;
 
     der->total = der->versionSz + der->subjectSz + der->publicKeySz +
@@ -6065,28 +13715,33 @@ static int EncodeCertReq(Cert* cert, DerCert* der,
 
 
 /* write DER encoded cert req to buffer, size already checked */
-static int WriteCertReqBody(DerCert* der, byte* buffer)
+static int WriteCertReqBody(DerCert* der, byte* buf)
 {
     int idx;
 
     /* signed part header */
-    idx = SetSequence(der->total, buffer);
+    idx = SetSequence(der->total, buf);
     /* version */
-    XMEMCPY(buffer + idx, der->version, der->versionSz);
+    if (buf)
+        XMEMCPY(buf + idx, der->version, der->versionSz);
     idx += der->versionSz;
     /* subject */
-    XMEMCPY(buffer + idx, der->subject, der->subjectSz);
+    if (buf)
+        XMEMCPY(buf + idx, der->subject, der->subjectSz);
     idx += der->subjectSz;
     /* public key */
-    XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
+    if (buf)
+        XMEMCPY(buf + idx, der->publicKey, der->publicKeySz);
     idx += der->publicKeySz;
     /* attributes */
-    XMEMCPY(buffer + idx, der->attrib, der->attribSz);
+    if (buf)
+        XMEMCPY(buf + idx, der->attrib, der->attribSz);
     idx += der->attribSz;
     /* extensions */
     if (der->extensionsSz) {
-        XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
-                                                   sizeof(der->extensions)));
+        if (buf)
+            XMEMCPY(buf + idx, der->extensions, min(der->extensionsSz,
+                                               (int)sizeof(der->extensions)));
         idx += der->extensionsSz;
     }
 
@@ -6094,8 +13749,9 @@ static int WriteCertReqBody(DerCert* der, byte* buffer)
 }
 
 
-int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
-                RsaKey* rsaKey, ecc_key* eccKey)
+static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
+                   RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key,
+                   ed448_key* ed448Key)
 {
     int ret;
 #ifdef WOLFSSL_SMALL_STACK
@@ -6104,15 +13760,17 @@ int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     DerCert der[1];
 #endif
 
-    cert->keyType = eccKey ? ECC_KEY : RSA_KEY;
+    cert->keyType = eccKey ? ECC_KEY : (ed25519Key ? ED25519_KEY :
+                                       (ed448Key ? ED448_KEY: RSA_KEY));
 
 #ifdef WOLFSSL_SMALL_STACK
-    der = (DerCert*)XMALLOC(sizeof(DerCert), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    der = (DerCert*)XMALLOC(sizeof(DerCert), cert->heap,
+                                                    DYNAMIC_TYPE_TMP_BUFFER);
     if (der == NULL)
         return MEMORY_E;
 #endif
 
-    ret = EncodeCertReq(cert, der, rsaKey, eccKey);
+    ret = EncodeCertReq(cert, der, rsaKey, eccKey, ed25519Key, ed448Key);
 
     if (ret == 0) {
         if (der->total + MAX_SEQ_SZ * 2 > (int)derSz)
@@ -6122,100 +13780,669 @@ int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return ret;
 }
 
+int wc_MakeCertReq_ex(Cert* cert, byte* derBuffer, word32 derSz, int keyType,
+                      void* key)
+{
+    RsaKey*      rsaKey = NULL;
+    ecc_key*     eccKey = NULL;
+    ed25519_key* ed25519Key = NULL;
+    ed448_key*   ed448Key = NULL;
+
+    if (keyType == RSA_TYPE)
+        rsaKey = (RsaKey*)key;
+    else if (keyType == ECC_TYPE)
+        eccKey = (ecc_key*)key;
+    else if (keyType == ED25519_TYPE)
+        ed25519Key = (ed25519_key*)key;
+    else if (keyType == ED448_TYPE)
+        ed448Key = (ed448_key*)key;
+
+    return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, ed25519Key,
+                       ed448Key);
+}
+
+int wc_MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
+                   RsaKey* rsaKey, ecc_key* eccKey)
+{
+    return MakeCertReq(cert, derBuffer, derSz, rsaKey, eccKey, NULL, NULL);
+}
 #endif /* WOLFSSL_CERT_REQ */
 
 
-int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
-             RsaKey* rsaKey, ecc_key* eccKey, RNG* rng)
+static int SignCert(int requestSz, int sType, byte* buf, word32 buffSz,
+                    RsaKey* rsaKey, ecc_key* eccKey, ed25519_key* ed25519Key,
+                    ed448_key* ed448Key, WC_RNG* rng)
 {
-    int sigSz;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* sig;
+    int sigSz = 0;
+    void* heap = NULL;
+    CertSignCtx* certSignCtx;
+#ifndef WOLFSSL_ASYNC_CRYPT
+    CertSignCtx  certSignCtx_lcl;
+
+    certSignCtx = &certSignCtx_lcl;
+    XMEMSET(certSignCtx, 0, sizeof(CertSignCtx));
 #else
-    byte sig[MAX_ENCODED_SIG_SZ];
+    certSignCtx = NULL;
 #endif
 
     if (requestSz < 0)
         return requestSz;
 
-#ifdef WOLFSSL_SMALL_STACK
-    sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (sig == NULL)
-        return MEMORY_E;
+    /* locate ctx */
+    if (rsaKey) {
+    #ifndef NO_RSA
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        certSignCtx = &rsaKey->certSignCtx;
+    #endif
+        heap = rsaKey->heap;
+    #else
+        return NOT_COMPILED_IN;
+    #endif /* NO_RSA */
+    }
+    else if (eccKey) {
+    #ifdef HAVE_ECC
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        certSignCtx = &eccKey->certSignCtx;
+    #endif
+        heap = eccKey->heap;
+    #else
+        return NOT_COMPILED_IN;
+    #endif /* HAVE_ECC */
+    }
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (certSignCtx == NULL) {
+        return BAD_FUNC_ARG;
+    }
 #endif
 
-    sigSz = MakeSignature(buffer, requestSz, sig, MAX_ENCODED_SIG_SZ, rsaKey,
-                          eccKey, rng, sType);
+    if (certSignCtx->sig == NULL) {
+        certSignCtx->sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, heap,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (certSignCtx->sig == NULL)
+            return MEMORY_E;
+    }
+
+    sigSz = MakeSignature(certSignCtx, buf, requestSz, certSignCtx->sig,
+        MAX_ENCODED_SIG_SZ, rsaKey, eccKey, ed25519Key, ed448Key, rng, sType,
+        heap);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (sigSz == WC_PENDING_E) {
+        /* Not free'ing certSignCtx->sig here because it could still be in use
+         * with async operations. */
+        return sigSz;
+    }
+#endif
 
     if (sigSz >= 0) {
         if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
             sigSz = BUFFER_E;
         else
-            sigSz = AddSignature(buffer, requestSz, sig, sigSz, sType);
+            sigSz = AddSignature(buf, requestSz, certSignCtx->sig, sigSz,
+                                 sType);
     }
-    
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+
+    XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    certSignCtx->sig = NULL;
 
     return sigSz;
 }
 
+int wc_SignCert_ex(int requestSz, int sType, byte* buf, word32 buffSz,
+                   int keyType, void* key, WC_RNG* rng)
+{
+    RsaKey*      rsaKey = NULL;
+    ecc_key*     eccKey = NULL;
+    ed25519_key* ed25519Key = NULL;
+    ed448_key*   ed448Key = NULL;
+
+    if (keyType == RSA_TYPE)
+        rsaKey = (RsaKey*)key;
+    else if (keyType == ECC_TYPE)
+        eccKey = (ecc_key*)key;
+    else if (keyType == ED25519_TYPE)
+        ed25519Key = (ed25519_key*)key;
+    else if (keyType == ED448_TYPE)
+        ed448Key = (ed448_key*)key;
+
+    return SignCert(requestSz, sType, buf, buffSz, rsaKey, eccKey, ed25519Key,
+                    ed448Key, rng);
+}
+
+int wc_SignCert(int requestSz, int sType, byte* buf, word32 buffSz,
+                RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng)
+{
+    return SignCert(requestSz, sType, buf, buffSz, rsaKey, eccKey, NULL, NULL,
+                    rng);
+}
 
-int wc_MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, RsaKey* key, RNG* rng)
+int wc_MakeSelfCert(Cert* cert, byte* buf, word32 buffSz,
+                    RsaKey* key, WC_RNG* rng)
 {
-    int ret = wc_MakeCert(cert, buffer, buffSz, key, NULL, rng);
+    int ret;
 
+    ret = wc_MakeCert(cert, buf, buffSz, key, NULL, rng);
     if (ret < 0)
         return ret;
 
-    return wc_SignCert(cert->bodySz, cert->sigType, buffer, buffSz, key, NULL,rng);
+    return wc_SignCert(cert->bodySz, cert->sigType,
+                       buf, buffSz, key, NULL, rng);
 }
 
 
-#ifdef WOLFSSL_ALT_NAMES 
+#ifdef WOLFSSL_CERT_EXT
 
-/* Set Alt Names from der cert, return 0 on success */
-static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
+/* Get raw subject from cert, which may contain OIDs not parsed by Decode.
+   The raw subject pointer will only be valid while "cert" is valid. */
+int wc_GetSubjectRaw(byte **subjectRaw, Cert *cert)
 {
-    int ret;
-#ifdef WOLFSSL_SMALL_STACK
-    DecodedCert* decoded;
+    int rc = BAD_FUNC_ARG;
+    if ((subjectRaw != NULL) && (cert != NULL)) {
+        *subjectRaw = cert->sbjRaw;
+        rc = 0;
+    }
+    return rc;
+}
+
+/* Set KID from public key */
+static int SetKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey,
+                                 byte *ntruKey, word16 ntruKeySz,
+                                 ed25519_key* ed25519Key, ed448_key* ed448Key,
+                                 int kid_type)
+{
+    byte *buf;
+    int   bufferSz, ret;
+
+    if (cert == NULL ||
+        (rsakey == NULL && eckey == NULL && ntruKey == NULL &&
+                                      ed25519Key == NULL && ed448Key == NULL) ||
+        (kid_type != SKID_TYPE && kid_type != AKID_TYPE))
+        return BAD_FUNC_ARG;
+
+    buf = (byte *)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (buf == NULL)
+        return MEMORY_E;
+
+    /* Public Key */
+    bufferSz = -1;
+#ifndef NO_RSA
+    /* RSA public key */
+    if (rsakey != NULL)
+        bufferSz = SetRsaPublicKey(buf, rsakey, MAX_PUBLIC_KEY_SZ, 0);
+#endif
+#ifdef HAVE_ECC
+    /* ECC public key */
+    if (eckey != NULL)
+        bufferSz = SetEccPublicKey(buf, eckey, 0);
+#endif
+#ifdef HAVE_NTRU
+    /* NTRU public key */
+    if (ntruKey != NULL) {
+        bufferSz = MAX_PUBLIC_KEY_SZ;
+        ret = ntru_crypto_ntru_encrypt_publicKey2SubjectPublicKeyInfo(
+                        ntruKeySz, ntruKey, (word16 *)(&bufferSz), buf);
+        if (ret != NTRU_OK)
+            bufferSz = -1;
+    }
 #else
-    DecodedCert decoded[1];
+    (void)ntruKeySz;
+#endif
+#ifdef HAVE_ED25519
+    /* ED25519 public key */
+    if (ed25519Key != NULL)
+        bufferSz = SetEd25519PublicKey(buf, ed25519Key, 0);
+#endif
+#ifdef HAVE_ED448
+    /* ED448 public key */
+    if (ed448Key != NULL)
+        bufferSz = SetEd448PublicKey(buffer, ed448Key, 0);
 #endif
 
-    if (derSz < 0)
+    if (bufferSz <= 0) {
+        XFREE(buf, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return PUBLIC_KEY_E;
+    }
+
+    /* Compute SKID by hashing public key */
+    if (kid_type == SKID_TYPE) {
+        ret = CalcHashId(buf, bufferSz, cert->skid);
+        cert->skidSz = KEYID_SIZE;
+    }
+    else if (kid_type == AKID_TYPE) {
+        ret = CalcHashId(buf, bufferSz, cert->akid);
+        cert->akidSz = KEYID_SIZE;
+    }
+    else
+        ret = BAD_FUNC_ARG;
+
+    XFREE(buf, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+
+int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key)
+{
+    RsaKey*      rsaKey = NULL;
+    ecc_key*     eccKey = NULL;
+    ed25519_key* ed25519Key = NULL;
+    ed448_key*   ed448Key = NULL;
+
+    if (keyType == RSA_TYPE)
+        rsaKey = (RsaKey*)key;
+    else if (keyType == ECC_TYPE)
+        eccKey = (ecc_key*)key;
+    else if (keyType == ED25519_TYPE)
+        ed25519Key = (ed25519_key*)key;
+    else if (keyType == ED448_TYPE)
+        ed448Key = (ed448_key*)key;
+
+    return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key,
+                                 ed448Key, SKID_TYPE);
+}
+
+/* Set SKID from RSA or ECC public key */
+int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
+{
+    return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL,
+                                 SKID_TYPE);
+}
+
+#ifdef HAVE_NTRU
+/* Set SKID from NTRU public key */
+int wc_SetSubjectKeyIdFromNtruPublicKey(Cert *cert,
+                                        byte *ntruKey, word16 ntruKeySz)
+{
+    return SetKeyIdFromPublicKey(cert, NULL,NULL,ntruKey, ntruKeySz, NULL, NULL,
+                                 SKID_TYPE);
+}
+#endif
+
+int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType, void* key)
+{
+    RsaKey*      rsaKey = NULL;
+    ecc_key*     eccKey = NULL;
+    ed25519_key* ed25519Key = NULL;
+    ed448_key*   ed448Key = NULL;
+
+    if (keyType == RSA_TYPE)
+        rsaKey = (RsaKey*)key;
+    else if (keyType == ECC_TYPE)
+        eccKey = (ecc_key*)key;
+    else if (keyType == ED25519_TYPE)
+        ed25519Key = (ed25519_key*)key;
+    else if (keyType == ED448_TYPE)
+        ed448Key = (ed448_key*)key;
+
+    return SetKeyIdFromPublicKey(cert, rsaKey, eccKey, NULL, 0, ed25519Key,
+                                 ed448Key, AKID_TYPE);
+}
+
+/* Set SKID from RSA or ECC public key */
+int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey, ecc_key *eckey)
+{
+    return SetKeyIdFromPublicKey(cert, rsakey, eckey, NULL, 0, NULL, NULL,
+                                 AKID_TYPE);
+}
+
+
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN_CRYPT)
+
+/* Set SKID from public key file in PEM */
+int wc_SetSubjectKeyId(Cert *cert, const char* file)
+{
+    int     ret, derSz;
+    byte*   der;
+    word32  idx;
+    RsaKey  *rsakey = NULL;
+    ecc_key *eckey = NULL;
+
+    if (cert == NULL || file == NULL)
+        return BAD_FUNC_ARG;
+
+    der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, cert->heap, DYNAMIC_TYPE_CERT);
+    if (der == NULL) {
+        WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem");
+        return MEMORY_E;
+    }
+    derSz = MAX_PUBLIC_KEY_SZ;
+
+    XMEMSET(der, 0, derSz);
+    derSz = wc_PemPubKeyToDer(file, der, derSz);
+    if (derSz <= 0) {
+        XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
         return derSz;
+    }
 
-#ifdef WOLFSSL_SMALL_STACK
-    decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-    if (decoded == NULL)
+    /* Load PubKey in internal structure */
+#ifndef NO_RSA
+    rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), cert->heap, DYNAMIC_TYPE_RSA);
+    if (rsakey == NULL) {
+        XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+        return MEMORY_E;
+    }
+
+    if (wc_InitRsaKey(rsakey, cert->heap) != 0) {
+        WOLFSSL_MSG("wc_InitRsaKey failure");
+        XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
+        XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
         return MEMORY_E;
+    }
+
+    idx = 0;
+    ret = wc_RsaPublicKeyDecode(der, &idx, rsakey, derSz);
+    if (ret != 0)
 #endif
-    
-    InitDecodedCert(decoded, (byte*)der, derSz, 0);
-    ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
+    {
+#ifndef NO_RSA
+        WOLFSSL_MSG("wc_RsaPublicKeyDecode failed");
+        wc_FreeRsaKey(rsakey);
+        XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
+        rsakey = NULL;
+#endif
+#ifdef HAVE_ECC
+        /* Check to load ecc public key */
+        eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), cert->heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (eckey == NULL) {
+            XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+            return MEMORY_E;
+        }
 
-    if (ret < 0) {
-        WOLFSSL_MSG("ParseCertRelative error");
+        if (wc_ecc_init(eckey) != 0) {
+            WOLFSSL_MSG("wc_ecc_init failure");
+            wc_ecc_free(eckey);
+            XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
+            XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+            return MEMORY_E;
+        }
+
+        idx = 0;
+        ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz);
+        if (ret != 0) {
+            WOLFSSL_MSG("wc_EccPublicKeyDecode failed");
+            XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+            wc_ecc_free(eckey);
+            XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
+            return PUBLIC_KEY_E;
+        }
+#else
+        XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+        return PUBLIC_KEY_E;
+#endif /* HAVE_ECC */
+    }
+
+    XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+
+    ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey);
+
+#ifndef NO_RSA
+    wc_FreeRsaKey(rsakey);
+    XFREE(rsakey, cert->heap, DYNAMIC_TYPE_RSA);
+#endif
+#ifdef HAVE_ECC
+    wc_ecc_free(eckey);
+    XFREE(eckey, cert->heap, DYNAMIC_TYPE_ECC);
+#endif
+    return ret;
+}
+
+#endif /* !NO_FILESYSTEM && !NO_ASN_CRYPT */
+
+static int SetAuthKeyIdFromDcert(Cert* cert, DecodedCert* decoded)
+{
+    int ret = 0;
+
+    /* Subject Key Id not found !! */
+    if (decoded->extSubjKeyIdSet == 0) {
+        ret = ASN_NO_SKID;
+    }
+
+    /* SKID invalid size */
+    else if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) {
+        ret = MEMORY_E;
+    }
+
+    else {
+        /* Put the SKID of CA to AKID of certificate */
+        XMEMCPY(cert->akid, decoded->extSubjKeyId, KEYID_SIZE);
+        cert->akidSz = KEYID_SIZE;
+    }
+
+    return ret;
+}
+
+/* Set AKID from certificate contains in buffer (DER encoded) */
+int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
+{
+    int ret = 0;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            ret = SetAuthKeyIdFromDcert(cert, (DecodedCert*)cert->decodedCert);
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+
+    return ret;
+}
+
+
+#ifndef NO_FILESYSTEM
+
+/* Set AKID from certificate file in PEM */
+int wc_SetAuthKeyId(Cert *cert, const char* file)
+{
+    int         ret;
+    int         derSz;
+    byte*       der;
+
+    if (cert == NULL || file == NULL)
+        return BAD_FUNC_ARG;
+
+    der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
+    if (der == NULL) {
+        WOLFSSL_MSG("wc_SetAuthKeyId OOF Problem");
+        return MEMORY_E;
+    }
+
+    derSz = wc_PemCertToDer(file, der, EIGHTK_BUF);
+    if (derSz <= 0)
+    {
+        XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+        return derSz;
     }
-    else if (decoded->extensions) {
-        byte   b;
+
+    ret = wc_SetAuthKeyIdFromCert(cert, der, derSz);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
+
+    return ret;
+}
+
+#endif /* !NO_FILESYSTEM */
+
+/* Set KeyUsage from human readable string */
+int wc_SetKeyUsage(Cert *cert, const char *value)
+{
+    int ret = 0;
+    char *token, *str, *ptr;
+    word32 len;
+
+    if (cert == NULL || value == NULL)
+        return BAD_FUNC_ARG;
+
+    cert->keyUsage = 0;
+
+    /* duplicate string (including terminator) */
+    len = (word32)XSTRLEN(value);
+    str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (str == NULL)
+        return MEMORY_E;
+    XMEMCPY(str, value, len+1);
+
+    /* parse value, and set corresponding Key Usage value */
+    if ((token = XSTRTOK(str, ",", &ptr)) == NULL) {
+        XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return KEYUSAGE_E;
+    }
+    while (token != NULL)
+    {
+        len = (word32)XSTRLEN(token);
+
+        if (!XSTRNCASECMP(token, "digitalSignature", len))
+            cert->keyUsage |= KEYUSE_DIGITAL_SIG;
+        else if (!XSTRNCASECMP(token, "nonRepudiation", len) ||
+                 !XSTRNCASECMP(token, "contentCommitment", len))
+            cert->keyUsage |= KEYUSE_CONTENT_COMMIT;
+        else if (!XSTRNCASECMP(token, "keyEncipherment", len))
+            cert->keyUsage |= KEYUSE_KEY_ENCIPHER;
+        else if (!XSTRNCASECMP(token, "dataEncipherment", len))
+            cert->keyUsage |= KEYUSE_DATA_ENCIPHER;
+        else if (!XSTRNCASECMP(token, "keyAgreement", len))
+            cert->keyUsage |= KEYUSE_KEY_AGREE;
+        else if (!XSTRNCASECMP(token, "keyCertSign", len))
+            cert->keyUsage |= KEYUSE_KEY_CERT_SIGN;
+        else if (!XSTRNCASECMP(token, "cRLSign", len))
+            cert->keyUsage |= KEYUSE_CRL_SIGN;
+        else if (!XSTRNCASECMP(token, "encipherOnly", len))
+            cert->keyUsage |= KEYUSE_ENCIPHER_ONLY;
+        else if (!XSTRNCASECMP(token, "decipherOnly", len))
+            cert->keyUsage |= KEYUSE_DECIPHER_ONLY;
+        else {
+            ret = KEYUSAGE_E;
+            break;
+        }
+
+        token = XSTRTOK(NULL, ",", &ptr);
+    }
+
+    XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+
+/* Set ExtendedKeyUsage from human readable string */
+int wc_SetExtKeyUsage(Cert *cert, const char *value)
+{
+    int ret = 0;
+    char *token, *str, *ptr;
+    word32 len;
+
+    if (cert == NULL || value == NULL)
+        return BAD_FUNC_ARG;
+
+    cert->extKeyUsage = 0;
+
+    /* duplicate string (including terminator) */
+    len = (word32)XSTRLEN(value);
+    str = (char*)XMALLOC(len+1, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (str == NULL)
+        return MEMORY_E;
+    XMEMCPY(str, value, len+1);
+
+    /* parse value, and set corresponding Key Usage value */
+    if ((token = XSTRTOK(str, ",", &ptr)) == NULL) {
+        XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return EXTKEYUSAGE_E;
+    }
+
+    while (token != NULL)
+    {
+        len = (word32)XSTRLEN(token);
+
+        if (!XSTRNCASECMP(token, "any", len))
+            cert->extKeyUsage |= EXTKEYUSE_ANY;
+        else if (!XSTRNCASECMP(token, "serverAuth", len))
+            cert->extKeyUsage |= EXTKEYUSE_SERVER_AUTH;
+        else if (!XSTRNCASECMP(token, "clientAuth", len))
+            cert->extKeyUsage |= EXTKEYUSE_CLIENT_AUTH;
+        else if (!XSTRNCASECMP(token, "codeSigning", len))
+            cert->extKeyUsage |= EXTKEYUSE_CODESIGN;
+        else if (!XSTRNCASECMP(token, "emailProtection", len))
+            cert->extKeyUsage |= EXTKEYUSE_EMAILPROT;
+        else if (!XSTRNCASECMP(token, "timeStamping", len))
+            cert->extKeyUsage |= EXTKEYUSE_TIMESTAMP;
+        else if (!XSTRNCASECMP(token, "OCSPSigning", len))
+            cert->extKeyUsage |= EXTKEYUSE_OCSP_SIGN;
+        else {
+            ret = EXTKEYUSAGE_E;
+            break;
+        }
+
+        token = XSTRTOK(NULL, ",", &ptr);
+    }
+
+    XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+
+#ifdef WOLFSSL_EKU_OID
+/*
+ * cert structure to set EKU oid in
+ * oid  the oid in byte representation
+ * sz   size of oid buffer
+ * idx  index of array to place oid
+ *
+ * returns 0 on success
+ */
+int wc_SetExtKeyUsageOID(Cert *cert, const char *in, word32 sz, byte idx,
+        void* heap)
+{
+    byte oid[MAX_OID_SZ];
+    word32 oidSz = MAX_OID_SZ;
+
+    if (idx >= CTC_MAX_EKU_NB || sz >= CTC_MAX_EKU_OID_SZ) {
+        WOLFSSL_MSG("Either idx or sz was too large");
+        return BAD_FUNC_ARG;
+    }
+
+    if (EncodePolicyOID(oid, &oidSz, in, heap) != 0) {
+        return BUFFER_E;
+    }
+
+    XMEMCPY(cert->extKeyUsageOID[idx], oid, oidSz);
+    cert->extKeyUsageOIDSz[idx] = oidSz;
+    cert->extKeyUsage |= EXTKEYUSE_USER;
+
+    return 0;
+}
+#endif /* WOLFSSL_EKU_OID */
+#endif /* WOLFSSL_CERT_EXT */
+
+
+#ifdef WOLFSSL_ALT_NAMES
+
+static int SetAltNamesFromDcert(Cert* cert, DecodedCert* decoded)
+{
+    int ret = 0;
+    byte tag;
+
+    if (decoded->extensions) {
         int    length;
         word32 maxExtensionsIdx;
 
         decoded->srcIdx = decoded->extensionsIdx;
-        b = decoded->source[decoded->srcIdx++];
-        
-        if (b != ASN_EXTENSIONS) {
+        if (GetASNTag(decoded->source, &decoded->srcIdx, &tag, decoded->maxIdx)
+                != 0) {
+            return ASN_PARSE_E;
+        }
+
+        if (tag != ASN_EXTENSIONS) {
             ret = ASN_PARSE_E;
         }
         else if (GetLength(decoded->source, &decoded->srcIdx, &length,
@@ -6244,7 +14471,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
                 decoded->srcIdx = startIdx;
 
                 if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
-                              decoded->maxIdx) < 0) {
+                              oidCertExtType, decoded->maxIdx) < 0) {
                     ret = ASN_PARSE_E;
                     break;
                 }
@@ -6267,17 +14494,13 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
         }
     }
 
-    FreeDecodedCert(decoded);
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
-    return ret < 0 ? ret : 0;
+    return ret;
 }
 
+#ifndef NO_FILESYSTEM
 
-/* Set Dates from der cert, return 0 on success */
-static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
+/* Set Alt Names from der cert, return 0 on success */
+static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
 {
     int ret;
 #ifdef WOLFSSL_SMALL_STACK
@@ -6286,28 +14509,45 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
     DecodedCert decoded[1];
 #endif
 
-    WOLFSSL_ENTER("SetDatesFromCert");
     if (derSz < 0)
         return derSz;
-    
+
 #ifdef WOLFSSL_SMALL_STACK
-    decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+    decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cert->heap,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
     if (decoded == NULL)
         return MEMORY_E;
 #endif
 
-    InitDecodedCert(decoded, (byte*)der, derSz, 0);
+    InitDecodedCert(decoded, der, derSz, NULL);
     ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 
     if (ret < 0) {
         WOLFSSL_MSG("ParseCertRelative error");
     }
-    else if (decoded->beforeDate == NULL || decoded->afterDate == NULL) {
+    else {
+        ret = SetAltNamesFromDcert(cert, decoded);
+    }
+
+    FreeDecodedCert(decoded);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(decoded, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret < 0 ? ret : 0;
+}
+
+#endif
+
+static int SetDatesFromDcert(Cert* cert, DecodedCert* decoded)
+{
+    int ret = 0;
+
+    if (decoded->beforeDate == NULL || decoded->afterDate == NULL) {
         WOLFSSL_MSG("Couldn't extract dates");
         ret = -1;
     }
-    else if (decoded->beforeDateLen > MAX_DATE_SIZE || 
+    else if (decoded->beforeDateLen > MAX_DATE_SIZE ||
                                         decoded->afterDateLen > MAX_DATE_SIZE) {
         WOLFSSL_MSG("Bad date size");
         ret = -1;
@@ -6320,23 +14560,108 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
         cert->afterDateSz  = decoded->afterDateLen;
     }
 
-    FreeDecodedCert(decoded);
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
-    return ret < 0 ? ret : 0;
+    return ret;
 }
 
+#endif /* WOLFSSL_ALT_NAMES */
 
-#endif /* WOLFSSL_ALT_NAMES && !NO_RSA */
+static void SetNameFromDcert(CertName* cn, DecodedCert* decoded)
+{
+    int sz;
+
+    if (decoded->subjectCN) {
+        sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->commonName, decoded->subjectCN, sz);
+        cn->commonName[sz] = '\0';
+        cn->commonNameEnc = decoded->subjectCNEnc;
+    }
+    if (decoded->subjectC) {
+        sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
+                                                    : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->country, decoded->subjectC, sz);
+        cn->country[sz] = '\0';
+        cn->countryEnc = decoded->subjectCEnc;
+    }
+    if (decoded->subjectST) {
+        sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->state, decoded->subjectST, sz);
+        cn->state[sz] = '\0';
+        cn->stateEnc = decoded->subjectSTEnc;
+    }
+    if (decoded->subjectL) {
+        sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
+                                                    : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->locality, decoded->subjectL, sz);
+        cn->locality[sz] = '\0';
+        cn->localityEnc = decoded->subjectLEnc;
+    }
+    if (decoded->subjectO) {
+        sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
+                                                    : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->org, decoded->subjectO, sz);
+        cn->org[sz] = '\0';
+        cn->orgEnc = decoded->subjectOEnc;
+    }
+    if (decoded->subjectOU) {
+        sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->unit, decoded->subjectOU, sz);
+        cn->unit[sz] = '\0';
+        cn->unitEnc = decoded->subjectOUEnc;
+    }
+    if (decoded->subjectSN) {
+        sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->sur, decoded->subjectSN, sz);
+        cn->sur[sz] = '\0';
+        cn->surEnc = decoded->subjectSNEnc;
+    }
+    if (decoded->subjectSND) {
+        sz = (decoded->subjectSNDLen < CTC_NAME_SIZE) ? decoded->subjectSNDLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->serialDev, decoded->subjectSND, sz);
+        cn->serialDev[sz] = '\0';
+        cn->serialDevEnc = decoded->subjectSNDEnc;
+    }
+#ifdef WOLFSSL_CERT_EXT
+    if (decoded->subjectBC) {
+        sz = (decoded->subjectBCLen < CTC_NAME_SIZE) ? decoded->subjectBCLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->busCat, decoded->subjectBC, sz);
+        cn->busCat[sz] = '\0';
+        cn->busCatEnc = decoded->subjectBCEnc;
+    }
+    if (decoded->subjectJC) {
+        sz = (decoded->subjectJCLen < CTC_NAME_SIZE) ? decoded->subjectJCLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->joiC, decoded->subjectJC, sz);
+        cn->joiC[sz] = '\0';
+        cn->joiCEnc = decoded->subjectJCEnc;
+    }
+    if (decoded->subjectJS) {
+        sz = (decoded->subjectJSLen < CTC_NAME_SIZE) ? decoded->subjectJSLen
+                                                     : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->joiSt, decoded->subjectJS, sz);
+        cn->joiSt[sz] = '\0';
+        cn->joiStEnc = decoded->subjectJSEnc;
+    }
+#endif
+    if (decoded->subjectEmail) {
+        sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
+           ?  decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
+        XSTRNCPY(cn->email, decoded->subjectEmail, sz);
+        cn->email[sz] = '\0';
+    }
+}
 
+#ifndef NO_FILESYSTEM
 
 /* Set cn name from der buffer, return 0 on success */
 static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
 {
-    int ret, sz;
+    int ret;
 #ifdef WOLFSSL_SMALL_STACK
     DecodedCert* decoded;
 #else
@@ -6353,68 +14678,14 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
         return MEMORY_E;
 #endif
 
-    InitDecodedCert(decoded, (byte*)der, derSz, 0);
+    InitDecodedCert(decoded, der, derSz, NULL);
     ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 
     if (ret < 0) {
         WOLFSSL_MSG("ParseCertRelative error");
     }
     else {
-        if (decoded->subjectCN) {
-            sz = (decoded->subjectCNLen < CTC_NAME_SIZE) ? decoded->subjectCNLen
-                                                         : CTC_NAME_SIZE - 1;
-            strncpy(cn->commonName, decoded->subjectCN, CTC_NAME_SIZE);
-            cn->commonName[sz] = 0;
-            cn->commonNameEnc = decoded->subjectCNEnc;
-        }
-        if (decoded->subjectC) {
-            sz = (decoded->subjectCLen < CTC_NAME_SIZE) ? decoded->subjectCLen
-                                                        : CTC_NAME_SIZE - 1;
-            strncpy(cn->country, decoded->subjectC, CTC_NAME_SIZE);
-            cn->country[sz] = 0;
-            cn->countryEnc = decoded->subjectCEnc;
-        }
-        if (decoded->subjectST) {
-            sz = (decoded->subjectSTLen < CTC_NAME_SIZE) ? decoded->subjectSTLen
-                                                         : CTC_NAME_SIZE - 1;
-            strncpy(cn->state, decoded->subjectST, CTC_NAME_SIZE);
-            cn->state[sz] = 0;
-            cn->stateEnc = decoded->subjectSTEnc;
-        }
-        if (decoded->subjectL) {
-            sz = (decoded->subjectLLen < CTC_NAME_SIZE) ? decoded->subjectLLen
-                                                        : CTC_NAME_SIZE - 1;
-            strncpy(cn->locality, decoded->subjectL, CTC_NAME_SIZE);
-            cn->locality[sz] = 0;
-            cn->localityEnc = decoded->subjectLEnc;
-        }
-        if (decoded->subjectO) {
-            sz = (decoded->subjectOLen < CTC_NAME_SIZE) ? decoded->subjectOLen
-                                                        : CTC_NAME_SIZE - 1;
-            strncpy(cn->org, decoded->subjectO, CTC_NAME_SIZE);
-            cn->org[sz] = 0;
-            cn->orgEnc = decoded->subjectOEnc;
-        }
-        if (decoded->subjectOU) {
-            sz = (decoded->subjectOULen < CTC_NAME_SIZE) ? decoded->subjectOULen
-                                                         : CTC_NAME_SIZE - 1;
-            strncpy(cn->unit, decoded->subjectOU, CTC_NAME_SIZE);
-            cn->unit[sz] = 0;
-            cn->unitEnc = decoded->subjectOUEnc;
-        }
-        if (decoded->subjectSN) {
-            sz = (decoded->subjectSNLen < CTC_NAME_SIZE) ? decoded->subjectSNLen
-                                                         : CTC_NAME_SIZE - 1;
-            strncpy(cn->sur, decoded->subjectSN, CTC_NAME_SIZE);
-            cn->sur[sz] = 0;
-            cn->surEnc = decoded->subjectSNEnc;
-        }
-        if (decoded->subjectEmail) {
-            sz = (decoded->subjectEmailLen < CTC_NAME_SIZE)
-               ?  decoded->subjectEmailLen : CTC_NAME_SIZE - 1;
-            strncpy(cn->email, decoded->subjectEmail, CTC_NAME_SIZE);
-            cn->email[sz] = 0;
-        }
+        SetNameFromDcert(cn, decoded);
     }
 
     FreeDecodedCert(decoded);
@@ -6426,24 +14697,26 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
     return ret < 0 ? ret : 0;
 }
 
-
-#ifndef NO_FILESYSTEM
-
 /* Set cert issuer from issuerFile in PEM */
 int wc_SetIssuer(Cert* cert, const char* issuerFile)
 {
     int         ret;
     int         derSz;
-    byte*       der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
+    byte*       der;
 
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
     if (der == NULL) {
         WOLFSSL_MSG("wc_SetIssuer OOF Problem");
         return MEMORY_E;
     }
-    derSz = wolfSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF);
+    derSz = wc_PemCertToDer(issuerFile, der, EIGHTK_BUF);
     cert->selfSigned = 0;
     ret = SetNameFromCert(&cert->issuer, der, derSz);
-    XFREE(der, NULL, DYNAMIC_TYPE_CERT);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
 
     return ret;
 }
@@ -6454,77 +14727,367 @@ int wc_SetSubject(Cert* cert, const char* subjectFile)
 {
     int         ret;
     int         derSz;
-    byte*       der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
+    byte*       der;
+
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
+    der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
     if (der == NULL) {
         WOLFSSL_MSG("wc_SetSubject OOF Problem");
         return MEMORY_E;
     }
-    derSz = wolfSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF);
+
+    derSz = wc_PemCertToDer(subjectFile, der, EIGHTK_BUF);
     ret = SetNameFromCert(&cert->subject, der, derSz);
-    XFREE(der, NULL, DYNAMIC_TYPE_CERT);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
 
     return ret;
 }
 
-
 #ifdef WOLFSSL_ALT_NAMES
 
-/* Set atl names from file in PEM */
+/* Set alt names from file in PEM */
 int wc_SetAltNames(Cert* cert, const char* file)
 {
     int         ret;
     int         derSz;
-    byte*       der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT);
+    byte*       der;
+
+    if (cert == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
+    der = (byte*)XMALLOC(EIGHTK_BUF, cert->heap, DYNAMIC_TYPE_CERT);
     if (der == NULL) {
         WOLFSSL_MSG("wc_SetAltNames OOF Problem");
         return MEMORY_E;
     }
-    derSz = wolfSSL_PemCertToDer(file, der, EIGHTK_BUF);
+    derSz = wc_PemCertToDer(file, der, EIGHTK_BUF);
     ret = SetAltNamesFromCert(cert, der, derSz);
-    XFREE(der, NULL, DYNAMIC_TYPE_CERT);
+    XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
 
     return ret;
 }
 
 #endif /* WOLFSSL_ALT_NAMES */
 
-#endif /* NO_FILESYSTEM */
+#endif /* !NO_FILESYSTEM */
 
 /* Set cert issuer from DER buffer */
 int wc_SetIssuerBuffer(Cert* cert, const byte* der, int derSz)
 {
-    cert->selfSigned = 0;
-    return SetNameFromCert(&cert->issuer, der, derSz);
-}
+    int ret = 0;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        cert->selfSigned = 0;
+
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
 
+        if (ret >= 0) {
+            SetNameFromDcert(&cert->issuer, (DecodedCert*)cert->decodedCert);
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+
+    return ret;
+}
 
 /* Set cert subject from DER buffer */
 int wc_SetSubjectBuffer(Cert* cert, const byte* der, int derSz)
 {
-    return SetNameFromCert(&cert->subject, der, derSz);
+    int ret = 0;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            SetNameFromDcert(&cert->subject, (DecodedCert*)cert->decodedCert);
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+
+    return ret;
+}
+#ifdef WOLFSSL_CERT_EXT
+/* Set cert raw subject from DER buffer */
+int wc_SetSubjectRaw(Cert* cert, const byte* der, int derSz)
+{
+    int ret = 0;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            if ((((DecodedCert*)cert->decodedCert)->subjectRaw) &&
+                (((DecodedCert*)cert->decodedCert)->subjectRawLen <=
+                        (int)sizeof(CertName))) {
+                XMEMCPY(cert->sbjRaw,
+                        ((DecodedCert*)cert->decodedCert)->subjectRaw,
+                        ((DecodedCert*)cert->decodedCert)->subjectRawLen);
+            }
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+
+    return ret;
 }
 
+/* Set cert raw issuer from DER buffer */
+int wc_SetIssuerRaw(Cert* cert, const byte* der, int derSz)
+{
+    int ret = 0;
+
+    if (cert == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            if ((((DecodedCert*)cert->decodedCert)->issuerRaw) &&
+                (((DecodedCert*)cert->decodedCert)->issuerRawLen <=
+                        (int)sizeof(CertName))) {
+                XMEMCPY(cert->issRaw,
+                        ((DecodedCert*)cert->decodedCert)->issuerRaw,
+                        ((DecodedCert*)cert->decodedCert)->issuerRawLen);
+            }
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+    return ret;
+}
+#endif
 
 #ifdef WOLFSSL_ALT_NAMES
 
 /* Set cert alt names from DER buffer */
 int wc_SetAltNamesBuffer(Cert* cert, const byte* der, int derSz)
 {
-    return SetAltNamesFromCert(cert, der, derSz);
+    int ret = 0;
+
+    if (cert == NULL) {
+     ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            ret = SetAltNamesFromDcert(cert, (DecodedCert*)cert->decodedCert);
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+       }
+    }
+
+    return(ret);
 }
 
 /* Set cert dates from DER buffer */
 int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
 {
-    return SetDatesFromCert(cert, der, derSz);
+    int ret = 0;
+
+    if (cert == NULL) {
+     ret = BAD_FUNC_ARG;
+    }
+    else {
+        /* Check if decodedCert is cached */
+        if (cert->der != der) {
+            /* Allocate cache for the decoded cert */
+            ret = wc_SetCert_LoadDer(cert, der, derSz);
+        }
+
+        if (ret >= 0) {
+            ret = SetDatesFromDcert(cert, (DecodedCert*)cert->decodedCert);
+#ifndef WOLFSSL_CERT_GEN_CACHE
+            wc_SetCert_Free(cert);
+#endif
+        }
+    }
+
+    return(ret);
 }
 
 #endif /* WOLFSSL_ALT_NAMES */
 
 #endif /* WOLFSSL_CERT_GEN */
 
+#if (defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)) \
+        || defined(OPENSSL_EXTRA)
+/* Encode OID string representation to ITU-T X.690 format */
+int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
+{
+    word32 val, idx = 0, nb_val;
+    char *token, *str, *ptr;
+    word32 len;
+
+    (void)heap;
+
+    if (out == NULL || outSz == NULL || *outSz < 2 || in == NULL)
+        return BAD_FUNC_ARG;
+
+    /* duplicate string (including terminator) */
+    len = (word32)XSTRLEN(in);
+    str = (char *)XMALLOC(len+1, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (str == NULL)
+        return MEMORY_E;
+    XMEMCPY(str, in, len+1);
+
+    nb_val = 0;
+
+    /* parse value, and set corresponding Policy OID value */
+    token = XSTRTOK(str, ".", &ptr);
+    while (token != NULL)
+    {
+        val = (word32)XATOI(token);
+
+        if (nb_val == 0) {
+            if (val > 2) {
+                XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return ASN_OBJECT_ID_E;
+            }
+
+            out[idx] = (byte)(40 * val);
+        }
+        else if (nb_val == 1) {
+            if (val > 127) {
+                XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return ASN_OBJECT_ID_E;
+            }
+
+            if (idx > *outSz) {
+                XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return BUFFER_E;
+            }
+
+            out[idx++] += (byte)val;
+        }
+        else {
+            word32  tb = 0, x;
+            int     i = 0;
+            byte    oid[MAX_OID_SZ];
+
+            while (val >= 128) {
+                x = val % 128;
+                val /= 128;
+                oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x);
+            }
+
+            if ((idx+(word32)i) > *outSz) {
+                XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return BUFFER_E;
+            }
+
+            oid[i] = (byte) (((tb++) ? 0x80 : 0) | val);
+
+            /* push value in the right order */
+            while (i >= 0)
+                out[idx++] = oid[i--];
+        }
+
+        token = XSTRTOK(NULL, ".", &ptr);
+        nb_val++;
+    }
+
+    *outSz = idx;
+
+    XFREE(str, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    return 0;
+}
+#endif /* WOLFSSL_CERT_EXT || OPENSSL_EXTRA */
+
+#endif /* !NO_CERTS */
+
+#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+/* Helper function for wolfSSL_i2d_DHparams */
+int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g)
+{
+    word32 idx = 0;
+    int pSz;
+    int gSz;
+    unsigned int tmp;
+    word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */
+
+    /* If the leading bit on the INTEGER is a 1, add a leading zero */
+    int pLeadingZero = mp_leading_bit(p);
+    int gLeadingZero = mp_leading_bit(g);
+    int pLen = mp_unsigned_bin_size(p);
+    int gLen = mp_unsigned_bin_size(g);
+
+    WOLFSSL_ENTER("StoreDHparams");
+    if (out == NULL) {
+        WOLFSSL_MSG("Null buffer error");
+        return BUFFER_E;
+    }
+
+    tmp = pLeadingZero + gLeadingZero + pLen + gLen;
+    if (*outLen < (tmp + headerSz)) {
+        return BUFFER_E;
+    }
+
+    /* Set sequence */
+    idx = SetSequence(tmp + headerSz + 2, out);
+
+    /* Encode p */
+    pSz = SetASNIntMP(p, -1, &out[idx]);
+    if (pSz < 0) {
+        WOLFSSL_MSG("SetASNIntMP failed");
+        return pSz;
+    }
+    idx += pSz;
+
+    /* Encode g */
+    gSz = SetASNIntMP(g, -1, &out[idx]);
+    if (gSz < 0) {
+        WOLFSSL_MSG("SetASNIntMP failed");
+        return gSz;
+    }
+    idx += gSz;
+
+    *outLen = idx;
+
+    return 0;
+}
+#endif /* !NO_DH && WOLFSSL_QT || OPENSSL_ALL */
 
 #ifdef HAVE_ECC
 
@@ -6532,8 +15095,8 @@ int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
 int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
 {
     word32 idx = 0;
-    word32 rSz;                           /* encoding size */
-    word32 sSz;
+    int    rSz;                           /* encoding size */
+    int    sSz;
     word32 headerSz = 4;   /* 2*ASN_TAG + 2*LEN(ENUM) */
 
     /* If the leading bit on the INTEGER is a 1, add a leading zero */
@@ -6541,33 +15104,24 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
     int sLeadingZero = mp_leading_bit(s);
     int rLen = mp_unsigned_bin_size(r);   /* big int size */
     int sLen = mp_unsigned_bin_size(s);
-    int err;
 
     if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
                    headerSz + 2))  /* SEQ_TAG + LEN(ENUM) */
-        return BAD_FUNC_ARG;
+        return BUFFER_E;
 
-    idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out);
+    idx = SetSequence(rLen + rLeadingZero + sLen+sLeadingZero + headerSz, out);
 
     /* store r */
-    out[idx++] = ASN_INTEGER;
-    rSz = SetLength(rLen + rLeadingZero, &out[idx]);
+    rSz = SetASNIntMP(r, -1, &out[idx]);
+    if (rSz < 0)
+        return rSz;
     idx += rSz;
-    if (rLeadingZero)
-        out[idx++] = 0;
-    err = mp_to_unsigned_bin(r, &out[idx]);
-    if (err != MP_OKAY) return err;
-    idx += rLen;
 
     /* store s */
-    out[idx++] = ASN_INTEGER;
-    sSz = SetLength(sLen + sLeadingZero, &out[idx]);
+    sSz = SetASNIntMP(s, -1, &out[idx]);
+    if (sSz < 0)
+        return sSz;
     idx += sSz;
-    if (sLeadingZero)
-        out[idx++] = 0;
-    err = mp_to_unsigned_bin(s, &out[idx]);
-    if (err != MP_OKAY) return err;
-    idx += sLen;
 
     *outLen = idx;
 
@@ -6575,23 +15129,35 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
 }
 
 
-/* Der Decode ECC-DSA Signautre, r & s stored as big ints */
+/* Der Decode ECC-DSA Signature, r & s stored as big ints */
 int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
 {
     word32 idx = 0;
     int    len = 0;
 
-    if (GetSequence(sig, &idx, &len, sigLen) < 0)
+    if (GetSequence(sig, &idx, &len, sigLen) < 0) {
         return ASN_ECC_KEY_E;
+    }
 
-    if ((word32)len > (sigLen - idx))
+#ifndef NO_STRICT_ECDSA_LEN
+    /* enable strict length checking for signature */
+    if (sigLen != idx + (word32)len) {
+        return ASN_ECC_KEY_E;
+    }
+#else
+    /* allow extra signature bytes at end */
+    if ((word32)len > (sigLen - idx)) {
         return ASN_ECC_KEY_E;
+    }
+#endif
 
-    if (GetInt(r, sig, &idx, sigLen) < 0)
+    if (GetInt(r, sig, &idx, sigLen) < 0) {
         return ASN_ECC_KEY_E;
+    }
 
-    if (GetInt(s, sig, &idx, sigLen) < 0)
+    if (GetInt(s, sig, &idx, sigLen) < 0) {
         return ASN_ECC_KEY_E;
+    }
 
     return 0;
 }
@@ -6600,18 +15166,20 @@ int DecodeECC_DSA_Sig(const byte* sig, word32 sigLen, mp_int* r, mp_int* s)
 int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
                         word32 inSz)
 {
-    word32 oid = 0;
+    word32 oidSum;
     int    version, length;
-    int    privSz, pubSz;
+    int    privSz, pubSz = 0;
     byte   b;
     int    ret = 0;
+    int    curve_id = ECC_CURVE_DEF;
 #ifdef WOLFSSL_SMALL_STACK
     byte* priv;
     byte* pub;
 #else
-    byte priv[ECC_MAXSIZE];
-    byte pub[ECC_MAXSIZE * 2 + 1]; /* public key has two parts plus header */
+    byte priv[ECC_MAXSIZE+1];
+    byte pub[2*(ECC_MAXSIZE+1)]; /* public key has two parts plus header */
 #endif
+    byte* pubData = NULL;
 
     if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
         return BAD_FUNC_ARG;
@@ -6619,14 +15187,17 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
     if (GetSequence(input, inOutIdx, &length, inSz) < 0)
         return ASN_PARSE_E;
 
-    if (GetMyVersion(input, inOutIdx, &version) < 0)
+    if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
+        return ASN_PARSE_E;
+
+    if (*inOutIdx >= inSz)
         return ASN_PARSE_E;
 
     b = input[*inOutIdx];
     *inOutIdx += 1;
 
     /* priv type */
-    if (b != 4 && b != 6 && b != 7) 
+    if (b != 4 && b != 6 && b != 7)
         return ASN_PARSE_E;
 
     if (GetLength(input, inOutIdx, &length, inSz) < 0)
@@ -6636,13 +15207,13 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
         return BUFFER_E;
 
 #ifdef WOLFSSL_SMALL_STACK
-    priv = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    priv = (byte*)XMALLOC(ECC_MAXSIZE+1, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (priv == NULL)
         return MEMORY_E;
-    
-    pub = (byte*)XMALLOC(ECC_MAXSIZE * 2 + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    pub = (byte*)XMALLOC(2*(ECC_MAXSIZE+1), key->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (pub == NULL) {
-        XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
         return MEMORY_E;
     }
 #endif
@@ -6652,36 +15223,30 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
     XMEMCPY(priv, &input[*inOutIdx], privSz);
     *inOutIdx += length;
 
-    /* prefix 0, may have */
-    b = input[*inOutIdx];
-    if (b == ECC_PREFIX_0) {
-        *inOutIdx += 1;
-
-        if (GetLength(input, inOutIdx, &length, inSz) < 0)
-            ret = ASN_PARSE_E;
-        else {
-            /* object id */
-            b = input[*inOutIdx];
+    if ((*inOutIdx + 1) < inSz) {
+        /* prefix 0, may have */
+        b = input[*inOutIdx];
+        if (b == ECC_PREFIX_0) {
             *inOutIdx += 1;
 
-            if (b != ASN_OBJECT_ID) {
-                ret = ASN_OBJECT_ID_E;
-            }
-            else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
+            if (GetLength(input, inOutIdx, &length, inSz) <= 0)
                 ret = ASN_PARSE_E;
-            }
             else {
-                while(length--) {
-                    oid += input[*inOutIdx];
-                    *inOutIdx += 1;
+                ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType,
+                                  inSz);
+                if (ret == 0) {
+                    if ((ret = CheckCurve(oidSum)) < 0)
+                        ret = ECC_CURVE_OID_E;
+                    else {
+                        curve_id = ret;
+                        ret = 0;
+                    }
                 }
-                if (CheckCurve(oid) < 0)
-                    ret = ECC_CURVE_OID_E;
             }
         }
     }
 
-    if (ret == 0) {
+    if (ret == 0 && (*inOutIdx + 1) < inSz) {
         /* prefix 1 */
         b = input[*inOutIdx];
         *inOutIdx += 1;
@@ -6689,142 +15254,879 @@ int wc_EccPrivateKeyDecode(const byte* input, word32* inOutIdx, ecc_key* key,
         if (b != ECC_PREFIX_1) {
             ret = ASN_ECC_KEY_E;
         }
-        else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
+        else if (GetLength(input, inOutIdx, &length, inSz) <= 0) {
             ret = ASN_PARSE_E;
         }
         else {
             /* key header */
-            b = input[*inOutIdx];
-            *inOutIdx += 1;
-            
-            if (b != ASN_BIT_STRING) {
-                ret = ASN_BITSTR_E;
-            }
-            else if (GetLength(input, inOutIdx, &length, inSz) < 0) {
-                ret = ASN_PARSE_E;
-            }
-            else {
-                b = input[*inOutIdx];
-                *inOutIdx += 1;
-
-                if (b != 0x00) {
-                    ret = ASN_EXPECT_0_E;
-                }
-                else {
-                    /* pub key */
-                    pubSz = length - 1;  /* null prefix */
-                    if (pubSz < (ECC_MAXSIZE*2 + 1)) {
-                        XMEMCPY(pub, &input[*inOutIdx], pubSz);
-                        *inOutIdx += length;
-                        ret = wc_ecc_import_private_key(priv, privSz, pub, pubSz,
-                                                     key);
-                    } else
-                        ret = BUFFER_E;
+            ret = CheckBitString(input, inOutIdx, &length, inSz, 0, NULL);
+            if (ret == 0) {
+                /* pub key */
+                pubSz = length;
+                if (pubSz < 2*(ECC_MAXSIZE+1)) {
+                    XMEMCPY(pub, &input[*inOutIdx], pubSz);
+                    *inOutIdx += length;
+                    pubData = pub;
                 }
+                else
+                    ret = BUFFER_E;
             }
         }
     }
 
+    if (ret == 0) {
+        ret = wc_ecc_import_private_key_ex(priv, privSz, pubData, pubSz, key,
+                                                                      curve_id);
+    }
+
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(priv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(pub,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(priv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(pub,  key->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return ret;
 }
 
 
-#ifdef WOLFSSL_KEY_GEN
+#ifdef WOLFSSL_CUSTOM_CURVES
+static void ByteToHex(byte n, char* str)
+{
+    const char hexChar[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+                                    '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
 
-/* Write a Private ecc key to DER format, length on success else < 0 */
-int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
+    str[0] = hexChar[n >> 4];
+    str[1] = hexChar[n & 0xf];
+}
+
+/* returns 0 on success */
+static int ASNToHexString(const byte* input, word32* inOutIdx, char** out,
+                          word32 inSz, void* heap, int heapType)
+{
+    int len;
+    int i;
+    char* str;
+    word32 localIdx;
+    byte   tag;
+
+    if (*inOutIdx >= inSz) {
+        return BUFFER_E;
+    }
+
+    localIdx = *inOutIdx;
+    if (GetASNTag(input, &localIdx, &tag, inSz) == 0 && tag == ASN_INTEGER) {
+        if (GetASNInt(input, inOutIdx, &len, inSz) < 0)
+            return ASN_PARSE_E;
+    }
+    else {
+        if (GetOctetString(input, inOutIdx, &len, inSz) < 0)
+            return ASN_PARSE_E;
+    }
+
+    str = (char*)XMALLOC(len * 2 + 1, heap, heapType);
+    for (i=0; i<len; i++)
+        ByteToHex(input[*inOutIdx + i], str + i*2);
+    str[len*2] = '\0';
+
+    *inOutIdx += len;
+    *out = str;
+
+    (void)heap;
+    (void)heapType;
+
+    return 0;
+}
+#endif /* WOLFSSL_CUSTOM_CURVES */
+
+#ifdef WOLFSSL_CUSTOM_CURVES
+static int EccKeyParamCopy(char** dst, char* src)
+{
+    int ret = 0;
+#ifdef WOLFSSL_ECC_CURVE_STATIC
+    word32 length;
+#endif
+
+    if (dst == NULL || src == NULL)
+        return BAD_FUNC_ARG;
+
+#ifndef WOLFSSL_ECC_CURVE_STATIC
+    *dst = src;
+#else
+    length = (int)XSTRLEN(src) + 1;
+    if (length > MAX_ECC_STRING) {
+        WOLFSSL_MSG("ECC Param too large for buffer");
+        ret = BUFFER_E;
+    }
+    else {
+        XSTRNCPY(*dst, src, length);
+    }
+    XFREE(src, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+#endif
+
+    return ret;
+}
+#endif /* WOLFSSL_CUSTOM_CURVES */
+
+int wc_EccPublicKeyDecode(const byte* input, word32* inOutIdx,
+                          ecc_key* key, word32 inSz)
+{
+    int    length;
+    int    ret;
+    int    curve_id = ECC_CURVE_DEF;
+    word32 oidSum, localIdx;
+    byte   tag;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    ret = SkipObjectId(input, inOutIdx, inSz);
+    if (ret != 0)
+        return ret;
+
+    if (*inOutIdx >= inSz) {
+        return BUFFER_E;
+    }
+
+    localIdx = *inOutIdx;
+    if (GetASNTag(input, &localIdx, &tag, inSz) == 0 &&
+            tag == (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
+#ifdef WOLFSSL_CUSTOM_CURVES
+        ecc_set_type* curve;
+        int len;
+        char* point = NULL;
+
+        ret = 0;
+
+        curve = (ecc_set_type*)XMALLOC(sizeof(*curve), key->heap,
+                                                       DYNAMIC_TYPE_ECC_BUFFER);
+        if (curve == NULL)
+            ret = MEMORY_E;
+
+        if (ret == 0) {
+            static const char customName[] = "Custom";
+            XMEMSET(curve, 0, sizeof(*curve));
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            curve->name = customName;
+        #else
+            XMEMCPY((void*)curve->name, customName, sizeof(customName));
+        #endif
+            curve->id = ECC_CURVE_CUSTOM;
+
+            if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+                ret = ASN_PARSE_E;
+        }
+
+        if (ret == 0) {
+            GetInteger7Bit(input, inOutIdx, inSz);
+            if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+                ret = ASN_PARSE_E;
+        }
+        if (ret == 0) {
+            char* p = NULL;
+            SkipObjectId(input, inOutIdx, inSz);
+            ret = ASNToHexString(input, inOutIdx, &p, inSz,
+                                            key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+            if (ret == 0)
+                ret = EccKeyParamCopy((char**)&curve->prime, p);
+        }
+        if (ret == 0) {
+            curve->size = (int)XSTRLEN(curve->prime) / 2;
+
+            if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+                ret = ASN_PARSE_E;
+        }
+        if (ret == 0) {
+            char* af = NULL;
+            ret = ASNToHexString(input, inOutIdx, &af, inSz,
+                                            key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+            if (ret == 0)
+                ret = EccKeyParamCopy((char**)&curve->Af, af);
+        }
+        if (ret == 0) {
+            char* bf = NULL;
+            ret = ASNToHexString(input, inOutIdx, &bf, inSz,
+                                            key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+            if (ret == 0)
+                ret = EccKeyParamCopy((char**)&curve->Bf, bf);
+        }
+        if (ret == 0) {
+            localIdx = *inOutIdx;
+            if (*inOutIdx < inSz && GetASNTag(input, &localIdx, &tag, inSz)
+                    == 0 && tag == ASN_BIT_STRING) {
+                len = 0;
+                ret = GetASNHeader(input, ASN_BIT_STRING, inOutIdx, &len, inSz);
+                *inOutIdx += len;
+            }
+        }
+        if (ret == 0) {
+            ret = ASNToHexString(input, inOutIdx, (char**)&point, inSz,
+                                            key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+
+            /* sanity check that point buffer is not smaller than the expected
+             * size to hold ( 0 4 || Gx || Gy )
+             * where Gx and Gy are each the size of curve->size * 2 */
+            if (ret == 0 && (int)XSTRLEN(point) < (curve->size * 4) + 2) {
+                XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+                ret = BUFFER_E;
+            }
+        }
+        if (ret == 0) {
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            curve->Gx = (const char*)XMALLOC(curve->size * 2 + 2, key->heap,
+                                                       DYNAMIC_TYPE_ECC_BUFFER);
+            curve->Gy = (const char*)XMALLOC(curve->size * 2 + 2, key->heap,
+                                                       DYNAMIC_TYPE_ECC_BUFFER);
+            if (curve->Gx == NULL || curve->Gy == NULL) {
+                XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+                ret = MEMORY_E;
+            }
+        #else
+            if (curve->size * 2 + 2 > MAX_ECC_STRING) {
+                WOLFSSL_MSG("curve size is too large to fit in buffer");
+                ret = BUFFER_E;
+            }
+        #endif
+        }
+        if (ret == 0) {
+            char* o = NULL;
+
+            XMEMCPY((char*)curve->Gx, point + 2, curve->size * 2);
+            XMEMCPY((char*)curve->Gy, point + curve->size * 2 + 2,
+                                                               curve->size * 2);
+            ((char*)curve->Gx)[curve->size * 2] = '\0';
+            ((char*)curve->Gy)[curve->size * 2] = '\0';
+            XFREE(point, key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+            ret = ASNToHexString(input, inOutIdx, &o, inSz,
+                                            key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+            if (ret == 0)
+                ret = EccKeyParamCopy((char**)&curve->order, o);
+        }
+        if (ret == 0) {
+            curve->cofactor = GetInteger7Bit(input, inOutIdx, inSz);
+
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            curve->oid = NULL;
+        #else
+            XMEMSET((void*)curve->oid, 0, sizeof(curve->oid));
+        #endif
+            curve->oidSz = 0;
+            curve->oidSum = 0;
+
+            if (wc_ecc_set_custom_curve(key, curve) < 0) {
+                ret = ASN_PARSE_E;
+            }
+        #ifdef WOLFSSL_CUSTOM_CURVES
+            key->deallocSet = 1;
+        #endif
+            curve = NULL;
+        }
+        if (curve != NULL)
+            wc_ecc_free_curve(curve, key->heap);
+
+        if (ret < 0)
+            return ret;
+#else
+        return ASN_PARSE_E;
+#endif /* WOLFSSL_CUSTOM_CURVES */
+    }
+    else {
+        /* ecc params information */
+        ret = GetObjectId(input, inOutIdx, &oidSum, oidIgnoreType, inSz);
+        if (ret != 0)
+            return ret;
+
+        /* get curve id */
+        curve_id = wc_ecc_get_oid(oidSum, NULL, 0);
+        if (curve_id < 0)
+            return ECC_CURVE_OID_E;
+    }
+
+    /* key header */
+    ret = CheckBitString(input, inOutIdx, &length, inSz, 1, NULL);
+    if (ret != 0)
+        return ret;
+
+    /* This is the raw point data compressed or uncompressed. */
+    if (wc_ecc_import_x963_ex(input + *inOutIdx, length, key,
+                                                            curve_id) != 0) {
+        return ASN_ECC_KEY_E;
+    }
+
+    *inOutIdx += length;
+
+    return 0;
+}
+
+#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT)
+/* build DER formatted ECC key, include optional public key if requested,
+ * return length on success, negative on error */
+static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 inLen,
+                             int pubIn)
 {
-    byte   curve[MAX_ALGO_SZ];
+    byte   curve[MAX_ALGO_SZ+2];
     byte   ver[MAX_VERSION_SZ];
     byte   seq[MAX_SEQ_SZ];
-    int    ret;
-    int    curveSz;
-    int    verSz;
+    byte   *prv = NULL, *pub = NULL;
+    int    ret, totalSz, curveSz, verSz;
     int    privHdrSz  = ASN_ECC_HEADER_SZ;
     int    pubHdrSz   = ASN_ECC_CONTEXT_SZ + ASN_ECC_HEADER_SZ;
-    int    curveHdrSz = ASN_ECC_CONTEXT_SZ;
-    word32 seqSz;
-    word32 idx = 0;
-    word32 pubSz = ECC_BUFSIZE;
-    word32 privSz;
-    word32 totalSz;
+
+    word32 idx = 0, prvidx = 0, pubidx = 0, curveidx = 0;
+    word32 seqSz, privSz, pubSz = ECC_BUFSIZE;
 
     if (key == NULL || output == NULL || inLen == 0)
         return BAD_FUNC_ARG;
 
-    ret = wc_ecc_export_x963(key, NULL, &pubSz);
-    if (ret != LENGTH_ONLY_E) {
-        return ret;
-    }
-    curveSz = SetCurve(key, curve);
-    if (curveSz < 0) {
+    /* curve */
+    curve[curveidx++] = ECC_PREFIX_0;
+    curveidx++ /* to put the size after computation */;
+    curveSz = SetCurve(key, curve+curveidx);
+    if (curveSz < 0)
         return curveSz;
-    }
+    /* set computed size */
+    curve[1] = (byte)curveSz;
+    curveidx += curveSz;
 
+    /* private */
     privSz = key->dp->size;
+    prv = (byte*)XMALLOC(privSz + privHdrSz + MAX_SEQ_SZ,
+                         key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (prv == NULL) {
+        return MEMORY_E;
+    }
+    prvidx += SetOctetString8Bit(key->dp->size, &prv[prvidx]);
+    ret = wc_ecc_export_private_only(key, prv + prvidx, &privSz);
+    if (ret < 0) {
+        XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+    prvidx += privSz;
 
-    verSz = SetMyVersion(1, ver, FALSE);
-    if (verSz < 0) {
-        return verSz;
+    /* pubIn */
+    if (pubIn) {
+        ret = wc_ecc_export_x963(key, NULL, &pubSz);
+        if (ret != LENGTH_ONLY_E) {
+            XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return ret;
+        }
+
+        pub = (byte*)XMALLOC(pubSz + pubHdrSz + MAX_SEQ_SZ,
+                             key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (pub == NULL) {
+            XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return MEMORY_E;
+        }
+
+        pub[pubidx++] = ECC_PREFIX_1;
+        if (pubSz > 128) /* leading zero + extra size byte */
+            pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 2, pub+pubidx);
+        else /* leading zero */
+            pubidx += SetLength(pubSz + ASN_ECC_CONTEXT_SZ + 1, pub+pubidx);
+
+        /* SetBitString adds leading zero */
+        pubidx += SetBitString(pubSz, 0, pub + pubidx);
+        ret = wc_ecc_export_x963(key, pub + pubidx, &pubSz);
+        if (ret != 0) {
+            XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return ret;
+        }
+        pubidx += pubSz;
     }
 
-    totalSz = verSz + privSz + privHdrSz + curveSz + curveHdrSz +
-              pubSz + pubHdrSz + 1;  /* plus null byte b4 public */
-    seqSz = SetSequence(totalSz, seq);
-    totalSz += seqSz;
+    /* make headers */
+    verSz = SetMyVersion(1, ver, FALSE);
+    seqSz = SetSequence(verSz + prvidx + pubidx + curveidx, seq);
 
-    if (totalSz > inLen) {
-        return BUFFER_E;
+    totalSz = prvidx + pubidx + curveidx + verSz + seqSz;
+    if (totalSz > (int)inLen) {
+        XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (pubIn) {
+            XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+        return BAD_FUNC_ARG;
     }
 
-    /* write it out */
+    /* write out */
     /* seq */
     XMEMCPY(output + idx, seq, seqSz);
-    idx += seqSz;
+    idx = seqSz;
 
-   /* ver */
+    /* ver */
     XMEMCPY(output + idx, ver, verSz);
     idx += verSz;
 
     /* private */
-    output[idx++] = ASN_OCTET_STRING;
-    output[idx++] = (byte)privSz;
-    ret = wc_ecc_export_private_only(key, output + idx, &privSz);
+    XMEMCPY(output + idx, prv, prvidx);
+    idx += prvidx;
+    XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    /* curve */
+    XMEMCPY(output + idx, curve, curveidx);
+    idx += curveidx;
+
+    /* pubIn */
+    if (pubIn) {
+        XMEMCPY(output + idx, pub, pubidx);
+        /* idx += pubidx;  not used after write, if more data remove comment */
+        XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return totalSz;
+}
+
+/* Write a Private ecc key, including public to DER format,
+ * length on success else < 0 */
+int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEccKeyDer(key, output, inLen, 1);
+}
+
+
+/* Write only private ecc key to DER format,
+ * length on success else < 0 */
+int wc_EccPrivateKeyToDer(ecc_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEccKeyDer(key, output, inLen, 0);
+}
+
+#ifdef HAVE_PKCS8
+/* Write only private ecc key to unencrypted PKCS#8 format.
+ *
+ * If output is NULL, places required PKCS#8 buffer size in outLen and
+ * returns LENGTH_ONLY_E.
+ *
+ * return length on success else < 0 */
+int wc_EccPrivateKeyToPKCS8(ecc_key* key, byte* output, word32* outLen)
+{
+    int ret, tmpDerSz;
+    int algoID = 0;
+    word32 oidSz = 0;
+    word32 pkcs8Sz = 0;
+    const byte* curveOID = NULL;
+    byte* tmpDer = NULL;
+
+    if (key == NULL || outLen == NULL)
+        return BAD_FUNC_ARG;
+
+    /* set algoID, get curve OID */
+    algoID = ECDSAk;
+    ret = wc_ecc_get_oid(key->dp->oidSum, &curveOID, &oidSz);
+    if (ret < 0)
+        return ret;
+
+    /* temp buffer for plain DER key */
+    tmpDer = (byte*)XMALLOC(ECC_BUFSIZE, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmpDer == NULL)
+        return MEMORY_E;
+
+    XMEMSET(tmpDer, 0, ECC_BUFSIZE);
+
+    tmpDerSz = wc_BuildEccKeyDer(key, tmpDer, ECC_BUFSIZE, 0);
+    if (tmpDerSz < 0) {
+        XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return tmpDerSz;
+    }
+
+    /* get pkcs8 expected output size */
+    ret = wc_CreatePKCS8Key(NULL, &pkcs8Sz, tmpDer, tmpDerSz, algoID,
+                            curveOID, oidSz);
+    if (ret != LENGTH_ONLY_E) {
+        XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+
+    if (output == NULL) {
+        XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        *outLen = pkcs8Sz;
+        return LENGTH_ONLY_E;
+
+    } else if (*outLen < pkcs8Sz) {
+        XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Input buffer too small for ECC PKCS#8 key");
+        return BUFFER_E;
+    }
+
+    ret = wc_CreatePKCS8Key(output, &pkcs8Sz, tmpDer, tmpDerSz,
+                            algoID, curveOID, oidSz);
     if (ret < 0) {
+        XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
         return ret;
     }
-    idx += privSz;
 
-    /* curve */
-    output[idx++] = ECC_PREFIX_0;
-    output[idx++] = (byte)curveSz;
-    XMEMCPY(output + idx, curve, curveSz);
-    idx += curveSz;
-
-    /* public */
-    output[idx++] = ECC_PREFIX_1;
-    output[idx++] = (byte)pubSz + ASN_ECC_CONTEXT_SZ + 1;  /* plus null byte */
-    output[idx++] = ASN_BIT_STRING;
-    output[idx++] = (byte)pubSz + 1;  /* plus null byte */
-    output[idx++] = (byte)0;          /* null byte */
-    ret = wc_ecc_export_x963(key, output + idx, &pubSz);
-    if (ret != 0) {
+    XFREE(tmpDer, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    *outLen = ret;
+    return ret;
+}
+#endif /* HAVE_PKCS8 */
+#endif /* HAVE_ECC_KEY_EXPORT && !NO_ASN_CRYPT */
+#endif /* HAVE_ECC */
+
+
+#ifdef HAVE_ED25519
+
+int wc_Ed25519PrivateKeyDecode(const byte* input, word32* inOutIdx,
+                               ed25519_key* key, word32 inSz)
+{
+    word32      oid;
+    int         ret, version, length, endKeyIdx, privSz, pubSz;
+    const byte* priv;
+    const byte* pub;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) >= 0) {
+        endKeyIdx = *inOutIdx + length;
+
+        if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
+            return ASN_PARSE_E;
+        if (version != 0) {
+            WOLFSSL_MSG("Unrecognized version of ED25519 private key");
+            return ASN_PARSE_E;
+        }
+
+        if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0)
+            return ASN_PARSE_E;
+        if (oid != ED25519k)
+            return ASN_PARSE_E;
+
+        if (GetOctetString(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0)
+            return ASN_PARSE_E;
+
+        priv = input + *inOutIdx;
+        *inOutIdx += privSz;
+    }
+    else {
+        if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (privSz != 32)
+            return ASN_PARSE_E;
+
+        priv = input + *inOutIdx;
+        *inOutIdx += privSz;
+        endKeyIdx = *inOutIdx;
+    }
+
+    if (endKeyIdx == (int)*inOutIdx) {
+        ret = wc_ed25519_import_private_only(priv, privSz, key);
+    }
+    else {
+        if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1,
+                         inOutIdx, &length, inSz) < 0) {
+            return ASN_PARSE_E;
+        }
+        if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0)
+            return ASN_PARSE_E;
+        pub = input + *inOutIdx;
+        *inOutIdx += pubSz;
+
+        ret = wc_ed25519_import_private_key(priv, privSz, pub, pubSz, key);
+    }
+    if (ret == 0 && endKeyIdx != (int)*inOutIdx)
+        return ASN_PARSE_E;
+
+    return ret;
+}
+
+
+int wc_Ed25519PublicKeyDecode(const byte* input, word32* inOutIdx,
+                              ed25519_key* key, word32 inSz)
+{
+    int    length;
+    int    ret;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    ret = SkipObjectId(input, inOutIdx, inSz);
+    if (ret != 0)
+        return ret;
+
+    /* key header */
+    ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
+    if (ret != 0)
         return ret;
+
+    /* This is the raw point data compressed or uncompressed. */
+    if (wc_ed25519_import_public(input + *inOutIdx, inSz - *inOutIdx, key) != 0)
+        return ASN_ECC_KEY_E;
+
+    return 0;
+}
+
+
+#ifdef WOLFSSL_KEY_GEN
+
+/* build DER formatted ED25519 key,
+ * return length on success, negative on error */
+static int wc_BuildEd25519KeyDer(ed25519_key* key, byte* output, word32 inLen,
+                                 int pubOut)
+{
+    byte   algoArray[MAX_ALGO_SZ];
+    byte   ver[MAX_VERSION_SZ];
+    byte   seq[MAX_SEQ_SZ];
+    int    ret;
+    word32 idx = 0, seqSz, verSz, algoSz, privSz, pubSz = 0;
+
+    if (key == NULL || output == NULL || inLen == 0)
+        return BAD_FUNC_ARG;
+
+    if (pubOut)
+        pubSz = 2 + 2 + ED25519_PUB_KEY_SIZE;
+    privSz = 2 + 2 + ED25519_KEY_SIZE;
+    algoSz = SetAlgoID(ED25519k, algoArray, oidKeyType, 0);
+    verSz  = SetMyVersion(0, ver, FALSE);
+    seqSz  = SetSequence(verSz + algoSz + privSz + pubSz, seq);
+
+    if (seqSz + verSz + algoSz + privSz + pubSz > inLen)
+        return BAD_FUNC_ARG;
+
+    /* write out */
+    /* seq */
+    XMEMCPY(output + idx, seq, seqSz);
+    idx = seqSz;
+    /* ver */
+    XMEMCPY(output + idx, ver, verSz);
+    idx += verSz;
+    /* algo */
+    XMEMCPY(output + idx, algoArray, algoSz);
+    idx += algoSz;
+    /* privKey */
+    idx += SetOctetString(2 + ED25519_KEY_SIZE, output + idx);
+    idx += SetOctetString(ED25519_KEY_SIZE, output + idx);
+    ret = wc_ed25519_export_private_only(key, output + idx, &privSz);
+    if (ret != 0)
+        return ret;
+    idx += privSz;
+    /* pubKey */
+    if (pubOut) {
+        idx += SetExplicit(1, 2 + ED25519_PUB_KEY_SIZE, output + idx);
+        idx += SetOctetString(ED25519_KEY_SIZE, output + idx);
+        ret = wc_ed25519_export_public(key, output + idx, &pubSz);
+        if (ret != 0)
+            return ret;
+        idx += pubSz;
     }
-    /* idx += pubSz if do more later */
 
-    return totalSz;
+    return idx;
+}
+
+/* Write a Private ecc key, including public to DER format,
+ * length on success else < 0 */
+int wc_Ed25519KeyToDer(ed25519_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEd25519KeyDer(key, output, inLen, 1);
+}
+
+
+
+/* Write only private ecc key to DER format,
+ * length on success else < 0 */
+int wc_Ed25519PrivateKeyToDer(ed25519_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEd25519KeyDer(key, output, inLen, 0);
 }
 
 #endif /* WOLFSSL_KEY_GEN */
 
-#endif  /* HAVE_ECC */
+#endif /* HAVE_ED25519 */
 
+#ifdef HAVE_ED448
+
+int wc_Ed448PrivateKeyDecode(const byte* input, word32* inOutIdx,
+                             ed448_key* key, word32 inSz)
+{
+    word32      oid;
+    int         ret, version, length, endKeyIdx, privSz, pubSz;
+    const byte* priv;
+    const byte* pub;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) >= 0) {
+        endKeyIdx = *inOutIdx + length;
+
+        if (GetMyVersion(input, inOutIdx, &version, inSz) < 0)
+            return ASN_PARSE_E;
+        if (version != 0) {
+            WOLFSSL_MSG("Unrecognized version of ED448 private key");
+            return ASN_PARSE_E;
+        }
+
+        if (GetAlgoId(input, inOutIdx, &oid, oidKeyType, inSz) < 0)
+            return ASN_PARSE_E;
+        if (oid != ED448k)
+            return ASN_PARSE_E;
+
+        if (GetOctetString(input, inOutIdx, &length, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0)
+            return ASN_PARSE_E;
+
+        priv = input + *inOutIdx;
+        *inOutIdx += privSz;
+    }
+    else {
+        if (GetOctetString(input, inOutIdx, &privSz, inSz) < 0)
+            return ASN_PARSE_E;
+
+        if (privSz != 57)
+            return ASN_PARSE_E;
+
+        priv = input + *inOutIdx;
+        *inOutIdx += privSz;
+        endKeyIdx = *inOutIdx;
+    }
+
+    if (endKeyIdx == (int)*inOutIdx) {
+        ret = wc_ed448_import_private_only(priv, privSz, key);
+    }
+    else {
+        if (GetASNHeader(input, ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1,
+                         inOutIdx, &length, inSz) < 0) {
+            return ASN_PARSE_E;
+        }
+        if (GetOctetString(input, inOutIdx, &pubSz, inSz) < 0)
+            return ASN_PARSE_E;
+        pub = input + *inOutIdx;
+        *inOutIdx += pubSz;
+
+        ret = wc_ed448_import_private_key(priv, privSz, pub, pubSz, key);
+    }
+    if (ret == 0 && endKeyIdx != (int)*inOutIdx)
+        return ASN_PARSE_E;
+
+    return ret;
+}
+
+
+int wc_Ed448PublicKeyDecode(const byte* input, word32* inOutIdx,
+                            ed448_key* key, word32 inSz)
+{
+    int    length;
+    int    ret;
+
+    if (input == NULL || inOutIdx == NULL || key == NULL || inSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetSequence(input, inOutIdx, &length, inSz) < 0)
+        return ASN_PARSE_E;
+
+    ret = SkipObjectId(input, inOutIdx, inSz);
+    if (ret != 0)
+        return ret;
+
+    /* key header */
+    ret = CheckBitString(input, inOutIdx, NULL, inSz, 1, NULL);
+    if (ret != 0)
+        return ret;
+
+    /* This is the raw point data compressed or uncompressed. */
+    if (wc_ed448_import_public(input + *inOutIdx, inSz - *inOutIdx, key) != 0)
+        return ASN_ECC_KEY_E;
+
+    return 0;
+}
+
+
+#ifdef WOLFSSL_KEY_GEN
+
+/* build DER formatted ED448 key,
+ * return length on success, negative on error */
+static int wc_BuildEd448KeyDer(ed448_key* key, byte* output, word32 inLen,
+                               int pubOut)
+{
+    byte   algoArray[MAX_ALGO_SZ];
+    byte   ver[MAX_VERSION_SZ];
+    byte   seq[MAX_SEQ_SZ];
+    int    ret;
+    word32 idx = 0, seqSz, verSz, algoSz, privSz, pubSz = 0;
+
+    if (key == NULL || output == NULL || inLen == 0)
+        return BAD_FUNC_ARG;
+
+    if (pubOut) {
+        pubSz = 2 + 2 + ED448_PUB_KEY_SIZE;
+    }
+    privSz = 2 + 2 + ED448_KEY_SIZE;
+    algoSz = SetAlgoID(ED448k, algoArray, oidKeyType, 0);
+    verSz  = SetMyVersion(0, ver, FALSE);
+    seqSz  = SetSequence(verSz + algoSz + privSz + pubSz, seq);
+
+    if (seqSz + verSz + algoSz + privSz + pubSz > inLen)
+        return BAD_FUNC_ARG;
+
+    /* write out */
+    /* seq */
+    XMEMCPY(output + idx, seq, seqSz);
+    idx = seqSz;
+    /* ver */
+    XMEMCPY(output + idx, ver, verSz);
+    idx += verSz;
+    /* algo */
+    XMEMCPY(output + idx, algoArray, algoSz);
+    idx += algoSz;
+    /* privKey */
+    idx += SetOctetString(2 + ED448_KEY_SIZE, output + idx);
+    idx += SetOctetString(ED448_KEY_SIZE, output + idx);
+    ret = wc_ed448_export_private_only(key, output + idx, &privSz);
+    if (ret != 0)
+        return ret;
+    idx += privSz;
+    /* pubKey */
+    if (pubOut) {
+        idx += SetExplicit(1, 2 + ED448_PUB_KEY_SIZE, output + idx);
+        idx += SetOctetString(ED448_KEY_SIZE, output + idx);
+        ret = wc_ed448_export_public(key, output + idx, &pubSz);
+        if (ret != 0)
+            return ret;
+        idx += pubSz;
+    }
+
+    return idx;
+}
+
+/* Write a Private ecc key, including public to DER format,
+ * length on success else < 0 */
+int wc_Ed448KeyToDer(ed448_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEd448KeyDer(key, output, inLen, 1);
+}
+
+
+
+/* Write only private ecc key to DER format,
+ * length on success else < 0 */
+int wc_Ed448PrivateKeyToDer(ed448_key* key, byte* output, word32 inLen)
+{
+    return wc_BuildEd448KeyDer(key, output, inLen, 0);
+}
+
+#endif /* WOLFSSL_KEY_GEN */
+
+#endif /* HAVE_ED448 */
 
 #if defined(HAVE_OCSP) || defined(HAVE_CRL)
 
@@ -6832,46 +16134,47 @@ int wc_EccKeyToDer(ecc_key* key, byte* output, word32 inLen)
 static int GetBasicDate(const byte* source, word32* idx, byte* date,
                         byte* format, int maxIdx)
 {
-    int    length;
+    int    ret, length;
+    const byte *datePtr = NULL;
 
     WOLFSSL_ENTER("GetBasicDate");
 
-    *format = source[*idx];
-    *idx += 1;
-    if (*format != ASN_UTC_TIME && *format != ASN_GENERALIZED_TIME)
-        return ASN_TIME_E;
-
-    if (GetLength(source, idx, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
-
-    if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
-        return ASN_DATE_SZ_E;
+    ret = GetDateInfo(source, idx, &datePtr, format, &length, maxIdx);
+    if (ret < 0)
+        return ret;
 
-    XMEMCPY(date, &source[*idx], length);
-    *idx += length;
+    XMEMCPY(date, datePtr, length);
 
     return 0;
 }
 
-#endif
+#endif /* HAVE_OCSP || HAVE_CRL */
 
 
 #ifdef HAVE_OCSP
 
-static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
+static int GetEnumerated(const byte* input, word32* inOutIdx, int *value,
+        int sz)
 {
     word32 idx = *inOutIdx;
     word32 len;
+    byte   tag;
 
     WOLFSSL_ENTER("GetEnumerated");
 
     *value = 0;
 
-    if (input[idx++] != ASN_ENUMERATED)
+    if (GetASNTag(input, &idx, &tag, sz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_ENUMERATED)
         return ASN_PARSE_E;
 
+    if ((int)idx >= sz)
+        return BUFFER_E;
+
     len = input[idx++];
-    if (len > 4)
+    if (len > 4 || (int)(len + idx) > sz)
         return ASN_PARSE_E;
 
     while (len--) {
@@ -6887,9 +16190,11 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value)
 static int DecodeSingleResponse(byte* source,
                             word32* ioIndex, OcspResponse* resp, word32 size)
 {
-    word32 idx = *ioIndex, prevIndex, oid;
+    word32 idx = *ioIndex, prevIndex, oid, localIdx;
     int length, wrapperSz;
     CertStatus* cs = resp->status;
+    int ret;
+    byte tag;
 
     WOLFSSL_ENTER("DecodeSingleResponse");
 
@@ -6910,45 +16215,27 @@ static int DecodeSingleResponse(byte* source,
     if (GetSequence(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
     /* Skip the hash algorithm */
-    if (GetAlgoId(source, &idx, &oid, size) < 0)
+    if (GetAlgoId(source, &idx, &oid, oidIgnoreType, size) < 0)
         return ASN_PARSE_E;
     /* Save reference to the hash of CN */
-    if (source[idx++] != ASN_OCTET_STRING)
-        return ASN_PARSE_E;
-    if (GetLength(source, &idx, &length, size) < 0)
-        return ASN_PARSE_E;
+    ret = GetOctetString(source, &idx, &length, size);
+    if (ret < 0)
+        return ret;
     resp->issuerHash = source + idx;
     idx += length;
     /* Save reference to the hash of the issuer public key */
-    if (source[idx++] != ASN_OCTET_STRING)
-        return ASN_PARSE_E;
-    if (GetLength(source, &idx, &length, size) < 0)
-        return ASN_PARSE_E;
+    ret = GetOctetString(source, &idx, &length, size);
+    if (ret < 0)
+        return ret;
     resp->issuerKeyHash = source + idx;
     idx += length;
 
-    /* Read the serial number, it is handled as a string, not as a 
-     * proper number. Just XMEMCPY the data over, rather than load it
-     * as an mp_int. */
-    if (source[idx++] != ASN_INTEGER)
-        return ASN_PARSE_E;
-    if (GetLength(source, &idx, &length, size) < 0)
+    /* Get serial number */
+    if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0)
         return ASN_PARSE_E;
-    if (length <= EXTERNAL_SERIAL_SIZE)
-    {
-        if (source[idx] == 0)
-        {
-            idx++;
-            length--;
-        }
-        XMEMCPY(cs->serial, source + idx, length);
-        cs->serialSz = length;
-    }
-    else
-    {
-        return ASN_GETINT_E;
-    }
-    idx += length;
+
+    if ( idx >= size )
+        return BUFFER_E;
 
     /* CertStatus */
     switch (source[idx++])
@@ -6971,27 +16258,66 @@ static int DecodeSingleResponse(byte* source,
             return ASN_PARSE_E;
     }
 
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+    cs->thisDateAsn = source + idx;
+    localIdx = 0;
+    if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL,
+                    (byte*)&cs->thisDateParsed.type,
+                    &cs->thisDateParsed.length, size) < 0)
+        return ASN_PARSE_E;
+    XMEMCPY(cs->thisDateParsed.data,
+            cs->thisDateAsn + localIdx - cs->thisDateParsed.length,
+            cs->thisDateParsed.length);
+#endif
     if (GetBasicDate(source, &idx, cs->thisDate,
                                                 &cs->thisDateFormat, size) < 0)
         return ASN_PARSE_E;
+
+#ifndef NO_ASN_TIME
+#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
     if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
         return ASN_BEFORE_DATE_E;
-    
+#endif
+#endif
+
     /* The following items are optional. Only check for them if there is more
      * unprocessed data in the singleResponse wrapper. */
-    
+
+    localIdx = idx;
     if (((int)(idx - prevIndex) < wrapperSz) &&
-        (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)))
+        GetASNTag(source, &localIdx, &tag, size) == 0 &&
+        tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
     {
         idx++;
         if (GetLength(source, &idx, &length, size) < 0)
             return ASN_PARSE_E;
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+        cs->nextDateAsn = source + idx;
+        localIdx = 0;
+        if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL,
+                        (byte*)&cs->nextDateParsed.type,
+                        &cs->nextDateParsed.length, size) < 0)
+            return ASN_PARSE_E;
+        XMEMCPY(cs->nextDateParsed.data,
+                cs->nextDateAsn + localIdx - cs->nextDateParsed.length,
+                cs->nextDateParsed.length);
+#endif
         if (GetBasicDate(source, &idx, cs->nextDate,
                                                 &cs->nextDateFormat, size) < 0)
             return ASN_PARSE_E;
+
+#ifndef NO_ASN_TIME
+#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
+        if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
+            return ASN_AFTER_DATE_E;
+#endif
+#endif
     }
+
+    localIdx = idx;
     if (((int)(idx - prevIndex) < wrapperSz) &&
-        (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
+        GetASNTag(source, &localIdx, &tag, size) == 0 &&
+        tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
     {
         idx++;
         if (GetLength(source, &idx, &length, size) < 0)
@@ -7011,48 +16337,66 @@ static int DecodeOcspRespExtensions(byte* source,
     int length;
     int ext_bound; /* boundary index for the sequence of extensions */
     word32 oid;
+    int ret;
+    byte tag;
 
     WOLFSSL_ENTER("DecodeOcspRespExtensions");
 
-    if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
+    if ((idx + 1) > sz)
+        return BUFFER_E;
+
+    if (GetASNTag(source, &idx, &tag, sz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
         return ASN_PARSE_E;
 
-    if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
+    if (GetLength(source, &idx, &length, sz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetSequence(source, &idx, &length, sz) < 0)
+        return ASN_PARSE_E;
 
-    if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
-   
     ext_bound = idx + length;
 
     while (idx < (word32)ext_bound) {
+        word32 localIdx;
+
         if (GetSequence(source, &idx, &length, sz) < 0) {
             WOLFSSL_MSG("\tfail: should be a SEQUENCE");
             return ASN_PARSE_E;
         }
 
         oid = 0;
-        if (GetObjectId(source, &idx, &oid, sz) < 0) {
+        if (GetObjectId(source, &idx, &oid, oidOcspType, sz) < 0) {
             WOLFSSL_MSG("\tfail: OBJECT ID");
             return ASN_PARSE_E;
         }
 
         /* check for critical flag */
-        if (source[idx] == ASN_BOOLEAN) {
-            WOLFSSL_MSG("\tfound optional critical flag, moving past");
-            idx += (ASN_BOOL_SIZE + 1);
+        if ((idx + 1) > (word32)sz) {
+            WOLFSSL_MSG("\tfail: malformed buffer");
+            return BUFFER_E;
         }
 
-        /* process the extension based on the OID */
-        if (source[idx++] != ASN_OCTET_STRING) {
-            WOLFSSL_MSG("\tfail: should be an OCTET STRING");
-            return ASN_PARSE_E;
+        localIdx = idx;
+        if (GetASNTag(source, &localIdx, &tag, sz) == 0 && tag == ASN_BOOLEAN) {
+            WOLFSSL_MSG("\tfound optional critical flag, moving past");
+            ret = GetBoolean(source, &idx, sz);
+            if (ret < 0)
+                return ret;
         }
 
-        if (GetLength(source, &idx, &length, sz) < 0) {
-            WOLFSSL_MSG("\tfail: extension data length");
-            return ASN_PARSE_E;
-        }
+        ret = GetOctetString(source, &idx, &length, sz);
+        if (ret < 0)
+            return ret;
 
         if (oid == OCSP_NONCE_OID) {
+            /* get data inside extra OCTET_STRING */
+            ret = GetOctetString(source, &idx, &length, sz);
+            if (ret < 0)
+                return ret;
+
             resp->nonce = source + idx;
             resp->nonceSz = length;
         }
@@ -7068,10 +16412,11 @@ static int DecodeOcspRespExtensions(byte* source,
 static int DecodeResponseData(byte* source,
                             word32* ioIndex, OcspResponse* resp, word32 size)
 {
-    word32 idx = *ioIndex, prev_idx;
+    word32 idx = *ioIndex, prev_idx, localIdx;
     int length;
     int version;
-    word32 responderId = 0;
+    int ret;
+    byte tag;
 
     WOLFSSL_ENTER("DecodeResponseData");
 
@@ -7085,49 +16430,64 @@ static int DecodeResponseData(byte* source,
      * item isn't an EXPLICIT[0], then set version to zero and move
      * onto the next item.
      */
-    if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
-    {    
+    localIdx = idx;
+    if (GetASNTag(source, &localIdx, &tag, size) == 0 &&
+            tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
+    {
         idx += 2; /* Eat the value and length */
-        if (GetMyVersion(source, &idx, &version) < 0)
+        if (GetMyVersion(source, &idx, &version, size) < 0)
             return ASN_PARSE_E;
     } else
         version = 0;
 
-    responderId = source[idx++];
-    if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
-        (responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
+    localIdx = idx;
+    if (GetASNTag(source, &localIdx, &tag, size) == 0 &&
+        ( tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1) ||
+          tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2) ))
     {
+        idx++; /* advance past ASN tag */
         if (GetLength(source, &idx, &length, size) < 0)
             return ASN_PARSE_E;
         idx += length;
     }
     else
         return ASN_PARSE_E;
-    
+
     /* save pointer to the producedAt time */
     if (GetBasicDate(source, &idx, resp->producedDate,
                                         &resp->producedDateFormat, size) < 0)
         return ASN_PARSE_E;
 
-    if (DecodeSingleResponse(source, &idx, resp, size) < 0)
-        return ASN_PARSE_E;
+    if ((ret = DecodeSingleResponse(source, &idx, resp, size)) < 0)
+        return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */
 
-    if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
-        return ASN_PARSE_E;
+    /*
+     * Check the length of the ResponseData against the current index to
+     * see if there are extensions, they are optional.
+     */
+    if (idx - prev_idx < resp->responseSz)
+        if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
+            return ASN_PARSE_E;
 
     *ioIndex = idx;
     return 0;
 }
 
 
+#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
+
 static int DecodeCerts(byte* source,
                             word32* ioIndex, OcspResponse* resp, word32 size)
 {
     word32 idx = *ioIndex;
+    byte tag;
 
     WOLFSSL_ENTER("DecodeCerts");
 
-    if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
+    if (GetASNTag(source, &idx, &tag, size) < 0)
+        return ASN_PARSE_E;
+
+    if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
     {
         int length;
 
@@ -7146,14 +16506,20 @@ static int DecodeCerts(byte* source,
     return 0;
 }
 
-static int DecodeBasicOcspResponse(byte* source,
-                            word32* ioIndex, OcspResponse* resp, word32 size)
+#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
+
+
+static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
+            OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify)
 {
-    int length;
+    int    length;
     word32 idx = *ioIndex;
     word32 end_index;
+    int    ret;
+    int    sigLength;
 
     WOLFSSL_ENTER("DecodeBasicOcspResponse");
+    (void)heap;
 
     if (GetSequence(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
@@ -7162,51 +16528,102 @@ static int DecodeBasicOcspResponse(byte* source,
         return ASN_INPUT_E;
     end_index = idx + length;
 
-    if (DecodeResponseData(source, &idx, resp, size) < 0)
-        return ASN_PARSE_E;
-    
+    if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0)
+        return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */
+
     /* Get the signature algorithm */
-    if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0)
+    if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0)
         return ASN_PARSE_E;
 
-    /* Obtain pointer to the start of the signature, and save the size */
-    if (source[idx++] == ASN_BIT_STRING)
-    {
-        int sigLength = 0;
-        if (GetLength(source, &idx, &sigLength, size) < 0)
-            return ASN_PARSE_E;
-        resp->sigSz = sigLength;
-        resp->sig = source + idx;
-        idx += sigLength;
-    }
+    ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL);
+    if (ret != 0)
+        return ret;
+
+    resp->sigSz = sigLength;
+    resp->sig = source + idx;
+    idx += sigLength;
 
     /*
      * Check the length of the BasicOcspResponse against the current index to
      * see if there are certificates, they are optional.
      */
+#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
     if (idx < end_index)
     {
         DecodedCert cert;
-        int ret;
 
         if (DecodeCerts(source, &idx, resp, size) < 0)
             return ASN_PARSE_E;
 
-        InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
-        ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0);
-        if (ret < 0)
+        InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
+
+        /* Don't verify if we don't have access to Cert Manager. */
+        ret = ParseCertRelative(&cert, CERT_TYPE,
+                                noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
+        if (ret < 0) {
+            WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+            FreeDecodedCert(&cert);
             return ret;
+        }
+
+#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
+        if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
+            if (XMEMCMP(cert.subjectHash,
+                        resp->issuerHash, KEYID_SIZE) == 0) {
+                WOLFSSL_MSG("\tOCSP Response signed by issuer");
+            }
+            else {
+                WOLFSSL_MSG("\tOCSP Responder key usage check failed");
+    #ifdef OPENSSL_EXTRA
+                resp->verifyError = OCSP_BAD_ISSUER;
+    #else
+                FreeDecodedCert(&cert);
+                return BAD_OCSP_RESPONDER;
+    #endif
+            }
+        }
+#endif
+
+        /* ConfirmSignature is blocking here */
+        ret = ConfirmSignature(&cert.sigCtx,
+            resp->response, resp->responseSz,
+            cert.publicKey, cert.pubKeySize, cert.keyOID,
+            resp->sig, resp->sigSz, resp->sigOID, NULL);
 
-        ret = ConfirmSignature(resp->response, resp->responseSz,
-                            cert.publicKey, cert.pubKeySize, cert.keyOID,
-                            resp->sig, resp->sigSz, resp->sigOID, NULL);
         FreeDecodedCert(&cert);
 
-        if (ret == 0)
-        {
+        if (ret != 0) {
+            WOLFSSL_MSG("\tOCSP Confirm signature failed");
+            return ASN_OCSP_CONFIRM_E;
+        }
+    }
+    else
+#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
+    {
+        Signer* ca;
+        int sigValid = -1;
+
+        #ifndef NO_SKID
+            ca = GetCA(cm, resp->issuerKeyHash);
+        #else
+            ca = GetCA(cm, resp->issuerHash);
+        #endif
+
+        if (ca) {
+            SignatureCtx sigCtx;
+            InitSignatureCtx(&sigCtx, heap, INVALID_DEVID);
+
+            /* ConfirmSignature is blocking here */
+            sigValid = ConfirmSignature(&sigCtx, resp->response,
+                resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID,
+                                resp->sig, resp->sigSz, resp->sigOID, NULL);
+        }
+        if (ca == NULL || sigValid != 0) {
             WOLFSSL_MSG("\tOCSP Confirm signature failed");
             return ASN_OCSP_CONFIRM_E;
         }
+
+        (void)noVerify;
     }
 
     *ioIndex = idx;
@@ -7219,39 +16636,34 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
 {
     WOLFSSL_ENTER("InitOcspResponse");
 
+    XMEMSET(status, 0, sizeof(CertStatus));
+    XMEMSET(resp,   0, sizeof(OcspResponse));
+
     resp->responseStatus = -1;
-    resp->response = NULL;
-    resp->responseSz = 0;
-    resp->producedDateFormat = 0;
-    resp->issuerHash = NULL;
-    resp->issuerKeyHash = NULL;
-    resp->sig = NULL;
-    resp->sigSz = 0;
-    resp->sigOID = 0;
-    resp->status = status;
-    resp->nonce = NULL;
-    resp->nonceSz = 0;
-    resp->source = source;
-    resp->maxIdx = inSz;
+    resp->status         = status;
+    resp->source         = source;
+    resp->maxIdx         = inSz;
 }
 
 
-int OcspResponseDecode(OcspResponse* resp)
+int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
 {
+    int ret;
     int length = 0;
     word32 idx = 0;
     byte* source = resp->source;
     word32 size = resp->maxIdx;
     word32 oid;
+    byte   tag;
 
     WOLFSSL_ENTER("OcspResponseDecode");
 
     /* peel the outer SEQUENCE wrapper */
     if (GetSequence(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
-    
+
     /* First get the responseStatus, an ENUMERATED */
-    if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
+    if (GetEnumerated(source, &idx, &resp->responseStatus, size) < 0)
         return ASN_PARSE_E;
 
     if (resp->responseStatus != OCSP_SUCCESSFUL)
@@ -7260,7 +16672,9 @@ int OcspResponseDecode(OcspResponse* resp)
     /* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
     if (idx >= size)
         return ASN_INPUT_E;
-    if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
+    if (GetASNTag(source, &idx, &tag, size) < 0)
+        return ASN_PARSE_E;
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
         return ASN_PARSE_E;
     if (GetLength(source, &idx, &length, size) < 0)
         return ASN_PARSE_E;
@@ -7270,77 +16684,72 @@ int OcspResponseDecode(OcspResponse* resp)
         return ASN_PARSE_E;
 
     /* Check ObjectID for the resposeBytes */
-    if (GetObjectId(source, &idx, &oid, size) < 0)
+    if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0)
         return ASN_PARSE_E;
     if (oid != OCSP_BASIC_OID)
         return ASN_PARSE_E;
-    if (source[idx++] != ASN_OCTET_STRING)
-        return ASN_PARSE_E;
+    ret = GetOctetString(source, &idx, &length, size);
+    if (ret < 0)
+        return ret;
 
-    if (GetLength(source, &idx, &length, size) < 0)
-        return ASN_PARSE_E;
+    ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify);
+    if (ret < 0)
+        return ret;
 
-    if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
-        return ASN_PARSE_E;
-    
     return 0;
 }
 
 
-static word32 SetOcspReqExtensions(word32 extSz, byte* output,
-                                            const byte* nonce, word32 nonceSz)
+word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
 {
-    static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+    const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
                                        0x30, 0x01, 0x02 };
     byte seqArray[5][MAX_SEQ_SZ];
-    word32 seqSz[5], totalSz;
+    word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId);
 
     WOLFSSL_ENTER("SetOcspReqExtensions");
 
-    if (nonce == NULL || nonceSz == 0) return 0;
-    
-    seqArray[0][0] = ASN_OCTET_STRING;
-    seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]);
+    if (!req || !output || !req->nonceSz)
+        return 0;
+
+    totalSz += req->nonceSz;
+    totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]);
+    totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]);
+    totalSz += seqSz[2] = SetObjectId(sizeof(NonceObjId), seqArray[2]);
+    totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
+    totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
 
-    seqArray[1][0] = ASN_OBJECT_ID;
-    seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]);
+    if (totalSz > size)
+        return 0;
 
-    totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId);
+    totalSz = 0;
 
-    seqSz[2] = SetSequence(totalSz, seqArray[2]);
-    totalSz += seqSz[2];
+    XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
+    totalSz += seqSz[4];
 
-    seqSz[3] = SetSequence(totalSz, seqArray[3]);
+    XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
     totalSz += seqSz[3];
 
-    seqArray[4][0] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2);
-    seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]);
-    totalSz += seqSz[4];
+    XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
+    totalSz += seqSz[2];
 
-    if (totalSz < extSz)
-    {
-        totalSz = 0;
-        XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
-        totalSz += seqSz[4];
-        XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
-        totalSz += seqSz[3];
-        XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
-        totalSz += seqSz[2];
-        XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
-        totalSz += seqSz[1];
-        XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
-        totalSz += (word32)sizeof(NonceObjId);
-        XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
-        totalSz += seqSz[0];
-        XMEMCPY(output + totalSz, nonce, nonceSz);
-        totalSz += nonceSz;
-    }
+    XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
+    totalSz += (word32)sizeof(NonceObjId);
+
+    XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
+    totalSz += seqSz[1];
+
+    XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
+    totalSz += seqSz[0];
+
+    XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
+    totalSz += req->nonceSz;
 
     return totalSz;
 }
 
 
-int EncodeOcspRequest(OcspRequest* req)
+int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
 {
     byte seqArray[5][MAX_SEQ_SZ];
     /* The ASN.1 of the OCSP Request is an onion of sequences */
@@ -7349,66 +16758,65 @@ int EncodeOcspRequest(OcspRequest* req)
     byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
     byte snArray[MAX_SN_SZ];
     byte extArray[MAX_OCSP_EXT_SZ];
-    byte* output = req->dest;
-    word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
-    int i;
+    word32 seqSz[5], algoSz, issuerSz, issuerKeySz, extSz, totalSz;
+    int i, snSz;
 
     WOLFSSL_ENTER("EncodeOcspRequest");
 
 #ifdef NO_SHA
-    algoSz = SetAlgoID(SHA256h, algoArray, hashType, 0);
+    algoSz = SetAlgoID(SHA256h, algoArray, oidHashType, 0);
 #else
-    algoSz = SetAlgoID(SHAh, algoArray, hashType, 0);
+    algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0);
 #endif
 
-    req->issuerHash = req->cert->issuerHash;
-    issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray);
-
-    req->issuerKeyHash = req->cert->issuerKeyHash;
-    issuerKeySz = SetDigest(req->cert->issuerKeyHash,
-                                                    KEYID_SIZE, issuerKeyArray);
-
-    req->serial = req->cert->serial;
-    req->serialSz = req->cert->serialSz;
-    snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray);
-
-    extSz = 0;
-    if (req->useNonce) {
-        RNG rng;
-        if (wc_InitRng(&rng) != 0) {
-            WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
-        } else {
-            if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
-                WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
-            else {
-                req->nonceSz = MAX_OCSP_NONCE_SZ;
-                extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray,
-                                                      req->nonce, req->nonceSz);
-            }
-            wc_FreeRng(&rng);
-        }
+    issuerSz    = SetDigest(req->issuerHash,    KEYID_SIZE,    issuerArray);
+    issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE,    issuerKeyArray);
+    snSz        = SetSerialNumber(req->serial,  req->serialSz, snArray,
+                                                          MAX_SN_SZ, MAX_SN_SZ);
+    extSz       = 0;
+
+    if (snSz < 0)
+        return snSz;
+
+    if (req->nonceSz) {
+        /* TLS Extensions use this function too - put extensions after
+         * ASN.1: Context Specific [2].
+         */
+        extSz = EncodeOcspRequestExtensions(req, extArray + 2,
+                                            OCSP_NONCE_EXT_SZ);
+        extSz += SetExplicit(2, extSz, extArray);
     }
 
     totalSz = algoSz + issuerSz + issuerKeySz + snSz;
-
     for (i = 4; i >= 0; i--) {
         seqSz[i] = SetSequence(totalSz, seqArray[i]);
         totalSz += seqSz[i];
         if (i == 2) totalSz += extSz;
     }
+
+    if (output == NULL)
+        return totalSz;
+    if (totalSz > size)
+        return BUFFER_E;
+
     totalSz = 0;
     for (i = 0; i < 5; i++) {
         XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
         totalSz += seqSz[i];
     }
+
     XMEMCPY(output + totalSz, algoArray, algoSz);
     totalSz += algoSz;
+
     XMEMCPY(output + totalSz, issuerArray, issuerSz);
     totalSz += issuerSz;
+
     XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
     totalSz += issuerKeySz;
+
     XMEMCPY(output + totalSz, snArray, snSz);
     totalSz += snSz;
+
     if (extSz != 0) {
         XMEMCPY(output + totalSz, extArray, extSz);
         totalSz += extSz;
@@ -7418,19 +16826,91 @@ int EncodeOcspRequest(OcspRequest* req)
 }
 
 
-void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
-                                                    byte* dest, word32 destSz)
+int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
+                                                                     void* heap)
 {
+    int ret;
+
     WOLFSSL_ENTER("InitOcspRequest");
 
-    req->cert = cert;
-    req->useNonce = useNonce;
-    req->nonceSz = 0;
-    req->issuerHash = NULL;
-    req->issuerKeyHash = NULL;
-    req->serial = NULL;
-    req->dest = dest;
-    req->destSz = destSz;
+    if (req == NULL)
+        return BAD_FUNC_ARG;
+
+    ForceZero(req, sizeof(OcspRequest));
+    req->heap = heap;
+
+    if (cert) {
+        XMEMCPY(req->issuerHash,    cert->issuerHash,    KEYID_SIZE);
+        XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
+
+        req->serial = (byte*)XMALLOC(cert->serialSz, req->heap,
+                                                     DYNAMIC_TYPE_OCSP_REQUEST);
+        if (req->serial == NULL)
+            return MEMORY_E;
+
+        XMEMCPY(req->serial, cert->serial, cert->serialSz);
+        req->serialSz = cert->serialSz;
+
+        if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
+            req->url = (byte*)XMALLOC(cert->extAuthInfoSz + 1, req->heap,
+                                                     DYNAMIC_TYPE_OCSP_REQUEST);
+            if (req->url == NULL) {
+                XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
+                return MEMORY_E;
+            }
+
+            XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
+            req->urlSz = cert->extAuthInfoSz;
+            req->url[req->urlSz] = 0;
+        }
+    }
+
+    if (useNonce) {
+        WC_RNG rng;
+
+    #ifndef HAVE_FIPS
+        ret = wc_InitRng_ex(&rng, req->heap, INVALID_DEVID);
+    #else
+        ret = wc_InitRng(&rng);
+    #endif
+        if (ret != 0) {
+            WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
+        } else {
+            if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
+                WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
+            else
+                req->nonceSz = MAX_OCSP_NONCE_SZ;
+
+            wc_FreeRng(&rng);
+        }
+    }
+
+    return 0;
+}
+
+void FreeOcspRequest(OcspRequest* req)
+{
+    WOLFSSL_ENTER("FreeOcspRequest");
+
+    if (req) {
+        if (req->serial)
+            XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
+        req->serial = NULL;
+
+#ifdef OPENSSL_EXTRA
+        if (req->serialInt) {
+            if (req->serialInt->isDynamic) {
+                XFREE(req->serialInt->data, NULL, DYNAMIC_TYPE_OPENSSL);
+            }
+            XFREE(req->serialInt, NULL, DYNAMIC_TYPE_OPENSSL);
+        }
+        req->serialInt = NULL;
+#endif
+
+        if (req->url)
+            XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
+        req->url = NULL;
+    }
 }
 
 
@@ -7454,14 +16934,18 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 
     /* Nonces are not critical. The responder may not necessarily add
      * the nonce to the response. */
-    if (req->useNonce && resp->nonceSz != 0) {
+    if (req->nonceSz
+#ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK
+            && resp->nonceSz != 0
+#endif
+    ) {
         cmp = req->nonceSz - resp->nonceSz;
         if (cmp != 0)
         {
             WOLFSSL_MSG("\tnonceSz mismatch");
             return cmp;
         }
-    
+
         cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
         if (cmp != 0)
         {
@@ -7501,20 +16985,22 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
     return 0;
 }
 
-#endif
+#endif /* HAVE_OCSP */
 
 
-/* store SHA hash of NAME */
-WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
+/* store WC_SHA hash of NAME */
+int GetNameHash(const byte* source, word32* idx, byte* hash,
                              int maxIdx)
 {
     int    length;  /* length of all distinguished names */
     int    ret;
     word32 dummy;
+    byte   tag;
 
     WOLFSSL_ENTER("GetNameHash");
 
-    if (source[*idx] == ASN_OBJECT_ID) {
+    dummy = *idx;
+    if (GetASNTag(source, &dummy, &tag, maxIdx) == 0 && tag == ASN_OBJECT_ID) {
         WOLFSSL_MSG("Trying optional prefix...");
 
         if (GetLength(source, idx, &length, maxIdx) < 0)
@@ -7531,11 +17017,7 @@ WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
     if (GetSequence(source, idx, &length, maxIdx) < 0)
         return ASN_PARSE_E;
 
-#ifdef NO_SHA
-    ret = wc_Sha256Hash(source + dummy, length + *idx - dummy, hash);
-#else
-    ret = wc_ShaHash(source + dummy, length + *idx - dummy, hash);
-#endif
+    ret = CalcHashId(source + dummy, length + *idx - dummy, hash);
 
     *idx += length;
 
@@ -7546,16 +17028,15 @@ WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
 #ifdef HAVE_CRL
 
 /* initialize decoded CRL */
-void InitDecodedCRL(DecodedCRL* dcrl)
+void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
 {
     WOLFSSL_MSG("InitDecodedCRL");
 
-    dcrl->certBegin    = 0;
-    dcrl->sigIndex     = 0;
-    dcrl->sigLength    = 0;
-    dcrl->signatureOID = 0;
-    dcrl->certs        = NULL;
-    dcrl->totalCerts   = 0;
+    XMEMSET(dcrl, 0, sizeof(DecodedCRL));
+    dcrl->heap = heap;
+    #ifdef WOLFSSL_HEAP_TEST
+        dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
+    #endif
 }
 
 
@@ -7568,7 +17049,7 @@ void FreeDecodedCRL(DecodedCRL* dcrl)
 
     while(tmp) {
         RevokedCert* next = tmp->next;
-        XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
+        XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED);
         tmp = next;
     }
 }
@@ -7578,7 +17059,7 @@ void FreeDecodedCRL(DecodedCRL* dcrl)
 static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
                       int maxIdx)
 {
-    int    len;
+    int    ret, len;
     word32 end;
     byte   b;
     RevokedCert* rc;
@@ -7590,56 +17071,33 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
 
     end = *idx + len;
 
-    /* get serial number */
-    b = buff[*idx];
-    *idx += 1;
-
-    if (b != ASN_INTEGER) {
-        WOLFSSL_MSG("Expecting Integer");
-        return ASN_PARSE_E;
-    }
-
-    if (GetLength(buff, idx, &len, maxIdx) < 0)
-        return ASN_PARSE_E;
-
-    if (len > EXTERNAL_SERIAL_SIZE) {
-        WOLFSSL_MSG("Serial Size too big");
-        return ASN_PARSE_E;
-    }
-
-    rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
+    rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap,
+                                                          DYNAMIC_TYPE_REVOKED);
     if (rc == NULL) {
         WOLFSSL_MSG("Alloc Revoked Cert failed");
         return MEMORY_E;
     }
 
-    XMEMCPY(rc->serialNumber, &buff[*idx], len);
-    rc->serialSz = len;
+    if (GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,
+                                                                maxIdx) < 0) {
+        XFREE(rc, dcrl->heap, DYNAMIC_TYPE_REVOKED);
+        return ASN_PARSE_E;
+    }
 
     /* add to list */
     rc->next = dcrl->certs;
     dcrl->certs = rc;
     dcrl->totalCerts++;
 
-    *idx += len;
-
     /* get date */
-    b = buff[*idx];
-    *idx += 1;
-
-    if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
+    ret = GetDateInfo(buff, idx, NULL, &b, NULL, maxIdx);
+    if (ret < 0) {
         WOLFSSL_MSG("Expecting Date");
-        return ASN_PARSE_E;
+        return ret;
     }
 
-    if (GetLength(buff, idx, &len, maxIdx) < 0)
-        return ASN_PARSE_E;
-
-    /* skip for now */
-    *idx += len;
-
-    if (*idx != end)  /* skip extensions */
-        *idx = end;
+    /* skip extensions */
+    *idx = end;
 
     return 0;
 }
@@ -7650,29 +17108,244 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
                             int maxIdx)
 {
     int    length;
-    byte   b;
+    int    ret;
 
     WOLFSSL_ENTER("GetCRL_Signature");
 
-    b = source[*idx];
-    *idx += 1;
-    if (b != ASN_BIT_STRING)
-        return ASN_BITSTR_E;
+    ret = CheckBitString(source, idx, &length, maxIdx, 1, NULL);
+    if (ret != 0)
+        return ret;
+    dcrl->sigLength = length;
 
-    if (GetLength(source, idx, &length, maxIdx) < 0)
+    dcrl->signature = (byte*)&source[*idx];
+    *idx += dcrl->sigLength;
+
+    return 0;
+}
+
+int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned,
+                        word32 tbsSz, const byte* signature, word32 sigSz,
+                        word32 signatureOID, Signer *ca, void* heap)
+{
+    /* try to confirm/verify signature */
+#ifndef IGNORE_KEY_EXTENSIONS
+    if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
+        WOLFSSL_MSG("CA cannot sign CRLs");
+        return ASN_CRL_NO_SIGNER_E;
+    }
+#endif /* IGNORE_KEY_EXTENSIONS */
+
+    InitSignatureCtx(sigCtx, heap, INVALID_DEVID);
+    if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey,
+                         ca->pubKeySize, ca->keyOID, signature, sigSz,
+                         signatureOID, NULL) != 0) {
+        WOLFSSL_MSG("CRL Confirm signature failed");
+        return ASN_CRL_CONFIRM_E;
+    }
+
+    return 0;
+}
+
+
+static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
+        word32* inOutIdx, int sz)
+{
+    word32 oid, dateIdx, idx, checkIdx;
+    int version, doNextDate = 1;
+    byte tag;
+
+    if (dcrl == NULL || inOutIdx == NULL || buf == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* may have version */
+    idx = *inOutIdx;
+
+    checkIdx = idx;
+    if (GetASNTag(buf, &checkIdx, &tag, sz) == 0 && tag == ASN_INTEGER) {
+        if (GetMyVersion(buf, &idx, &version, sz) < 0)
+            return ASN_PARSE_E;
+    }
+
+    if (GetAlgoId(buf, &idx, &oid, oidIgnoreType, sz) < 0)
         return ASN_PARSE_E;
 
-    dcrl->sigLength = length;
+    if (GetNameHash(buf, &idx, dcrl->issuerHash, sz) < 0)
+        return ASN_PARSE_E;
 
-    b = source[*idx];
-    *idx += 1;
-    if (b != 0x00)
-        return ASN_EXPECT_0_E;
+    if (GetBasicDate(buf, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
+        return ASN_PARSE_E;
 
-    dcrl->sigLength--;
-    dcrl->signature = (byte*)&source[*idx];
+    dateIdx = idx;
 
-    *idx += dcrl->sigLength;
+    if (GetBasicDate(buf, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
+    {
+#ifndef WOLFSSL_NO_CRL_NEXT_DATE
+        (void)dateIdx;
+        return ASN_PARSE_E;
+#else
+        dcrl->nextDateFormat = ASN_OTHER_TYPE;  /* skip flag */
+        doNextDate = 0;
+        idx = dateIdx;
+#endif
+    }
+
+    if (doNextDate) {
+#ifndef NO_ASN_TIME
+        if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
+            WOLFSSL_MSG("CRL after date is no longer valid");
+            return ASN_AFTER_DATE_E;
+        }
+#endif
+    }
+
+    checkIdx = idx;
+    if (idx != dcrl->sigIndex &&
+           GetASNTag(buf, &checkIdx, &tag, sz) == 0 && tag != CRL_EXTENSIONS) {
+
+        int len;
+
+        if (GetSequence(buf, &idx, &len, sz) < 0)
+            return ASN_PARSE_E;
+        len += idx;
+
+        while (idx < (word32)len) {
+            if (GetRevoked(buf, &idx, dcrl, len) < 0)
+                return ASN_PARSE_E;
+        }
+    }
+
+    *inOutIdx = idx;
+
+    return 0;
+}
+
+
+#ifndef NO_SKID
+static int ParseCRL_AuthKeyIdExt(const byte* input, int sz, DecodedCRL* dcrl)
+{
+    word32 idx = 0;
+    int length = 0, ret = 0;
+    byte tag;
+
+    WOLFSSL_ENTER("ParseCRL_AuthKeyIdExt");
+
+    if (GetSequence(input, &idx, &length, sz) < 0) {
+        WOLFSSL_MSG("\tfail: should be a SEQUENCE\n");
+        return ASN_PARSE_E;
+    }
+
+    if (GetASNTag(input, &idx, &tag, sz) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (tag != (ASN_CONTEXT_SPECIFIC | 0)) {
+        WOLFSSL_MSG("\tinfo: OPTIONAL item 0, not available\n");
+        return 0;
+    }
+
+    if (GetLength(input, &idx, &length, sz) <= 0) {
+        WOLFSSL_MSG("\tfail: extension data length");
+        return ASN_PARSE_E;
+    }
+
+    dcrl->extAuthKeyIdSet = 1;
+    if (length == KEYID_SIZE) {
+        XMEMCPY(dcrl->extAuthKeyId, input + idx, length);
+    }
+    else {
+        ret = CalcHashId(input + idx, length, dcrl->extAuthKeyId);
+    }
+
+    return ret;
+}
+#endif
+
+
+static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
+        word32* inOutIdx, word32 sz)
+{
+    int length;
+    word32 idx;
+    word32 ext_bound; /* boundary index for the sequence of extensions */
+    word32 oid;
+    byte tag;
+
+    WOLFSSL_ENTER("ParseCRL_Extensions");
+    (void)dcrl;
+
+    if (inOutIdx == NULL)
+        return BAD_FUNC_ARG;
+
+    idx = *inOutIdx;
+
+    /* CRL Extensions are optional */
+    if ((idx + 1) > sz)
+        return 0;
+
+    /* CRL Extensions are optional */
+    if (GetASNTag(buf, &idx, &tag, sz) < 0)
+        return 0;
+
+    /* CRL Extensions are optional */
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+        return 0;
+
+    if (GetLength(buf, &idx, &length, sz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetSequence(buf, &idx, &length, sz) < 0)
+        return ASN_PARSE_E;
+
+    ext_bound = idx + length;
+
+    while (idx < (word32)ext_bound) {
+        word32 localIdx;
+        int ret;
+
+        if (GetSequence(buf, &idx, &length, sz) < 0) {
+            WOLFSSL_MSG("\tfail: should be a SEQUENCE");
+            return ASN_PARSE_E;
+        }
+
+        oid = 0;
+        if (GetObjectId(buf, &idx, &oid, oidCrlExtType, sz) < 0) {
+            WOLFSSL_MSG("\tfail: OBJECT ID");
+            return ASN_PARSE_E;
+        }
+
+        /* check for critical flag */
+        if ((idx + 1) > (word32)sz) {
+            WOLFSSL_MSG("\tfail: malformed buffer");
+            return BUFFER_E;
+        }
+
+        localIdx = idx;
+        if (GetASNTag(buf, &localIdx, &tag, sz) == 0 && tag == ASN_BOOLEAN) {
+            WOLFSSL_MSG("\tfound optional critical flag, moving past");
+            ret = GetBoolean(buf, &idx, sz);
+            if (ret < 0)
+                return ret;
+        }
+
+        ret = GetOctetString(buf, &idx, &length, sz);
+        if (ret < 0)
+            return ret;
+
+        if (oid == AUTH_KEY_OID) {
+        #ifndef NO_SKID
+            ret = ParseCRL_AuthKeyIdExt(buf + idx, length, dcrl);
+            if (ret < 0) {
+                WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension");
+                return ret;
+            }
+        #endif
+        }
+
+        idx += length;
+    }
+
+    *inOutIdx = idx;
 
     return 0;
 }
@@ -7681,15 +17354,16 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
 /* prase crl buffer into decoded state, 0 on success */
 int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
 {
-    int     version, len;
-    word32  oid, idx = 0;
-    Signer* ca = NULL;
+    int          len;
+    word32       idx = 0;
+    Signer*      ca = NULL;
+    SignatureCtx sigCtx;
 
     WOLFSSL_MSG("ParseCRL");
 
     /* raw crl hash */
     /* hash here if needed for optimized comparisons
-     * Sha     sha;
+     * wc_Sha sha;
      * wc_InitSha(&sha);
      * wc_ShaUpdate(&sha, buff, sz);
      * wc_ShaFinal(&sha, dcrl->crlHash); */
@@ -7698,98 +17372,154 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
         return ASN_PARSE_E;
 
     dcrl->certBegin = idx;
+    /* Normalize sz for the length inside the outer sequence. */
+    sz = len + idx;
 
     if (GetSequence(buff, &idx, &len, sz) < 0)
         return ASN_PARSE_E;
     dcrl->sigIndex = len + idx;
 
-    /* may have version */
-    if (buff[idx] == ASN_INTEGER) {
-        if (GetMyVersion(buff, &idx, &version) < 0)
-            return ASN_PARSE_E;
-    }
-
-    if (GetAlgoId(buff, &idx, &oid, sz) < 0)
+    if (ParseCRL_CertList(dcrl, buff, &idx, idx + len) < 0)
         return ASN_PARSE_E;
 
-    if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
+    if (ParseCRL_Extensions(dcrl, buff, &idx, idx + len) < 0)
         return ASN_PARSE_E;
 
-    if (GetBasicDate(buff, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0)
+    idx = dcrl->sigIndex;
+
+    if (GetAlgoId(buff, &idx, &dcrl->signatureOID, oidSigType, sz) < 0)
         return ASN_PARSE_E;
 
-    if (GetBasicDate(buff, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0)
+    if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
         return ASN_PARSE_E;
 
-    if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
-        WOLFSSL_MSG("CRL after date is no longer valid");
-        return ASN_AFTER_DATE_E;
+    /* openssl doesn't add skid by default for CRLs cause firefox chokes
+       if experiencing issues uncomment NO_SKID define in CRL section of
+       wolfssl/wolfcrypt/settings.h */
+#ifndef NO_SKID
+    if (dcrl->extAuthKeyIdSet) {
+        ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
+    }
+    if (ca != NULL && XMEMCMP(dcrl->issuerHash, ca->subjectNameHash,
+                KEYID_SIZE) != 0) {
+        ca = NULL;
+    }
+    if (ca == NULL) {
+        ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
+        /* If AKID is available then this CA doesn't have the public
+         * key required */
+        if (ca && dcrl->extAuthKeyIdSet) {
+            WOLFSSL_MSG("CA SKID doesn't match AKID");
+            ca = NULL;
+        }
     }
+#else
+    ca = GetCA(cm, dcrl->issuerHash);
+#endif /* !NO_SKID */
+    WOLFSSL_MSG("About to verify CRL signature");
 
-    if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) {
-        if (GetSequence(buff, &idx, &len, sz) < 0)
-            return ASN_PARSE_E;
+    if (ca == NULL) {
+        WOLFSSL_MSG("Did NOT find CRL issuer CA");
+        return ASN_CRL_NO_SIGNER_E;
+    }
 
-        len += idx;
+    WOLFSSL_MSG("Found CRL issuer CA");
+    return VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin,
+           dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength,
+           dcrl->signatureOID, ca, dcrl->heap);
+}
 
-        while (idx < (word32)len) {
-            if (GetRevoked(buff, &idx, dcrl, sz) < 0)
-                return ASN_PARSE_E;
+#endif /* HAVE_CRL */
+
+
+
+#ifdef WOLFSSL_CERT_PIV
+
+int wc_ParseCertPIV(wc_CertPIV* piv, const byte* buf, word32 totalSz)
+{
+    int length = 0;
+    word32 idx = 0;
+
+    WOLFSSL_ENTER("wc_ParseCertPIV");
+
+    if (piv == NULL || buf == NULL || totalSz == 0)
+        return BAD_FUNC_ARG;
+
+    XMEMSET(piv, 0, sizeof(wc_CertPIV));
+
+    /* Detect Identiv PIV (with 0x0A, 0x0B and 0x0C sections) */
+    /* Certificate (0A 82 05FA) */
+    if (GetASNHeader(buf, ASN_PIV_CERT, &idx, &length, totalSz) >= 0) {
+        /* Identiv Type PIV card */
+        piv->isIdentiv = 1;
+
+        piv->cert =   &buf[idx];
+        piv->certSz = length;
+        idx += length;
+
+        /* Nonce (0B 14) */
+        if (GetASNHeader(buf, ASN_PIV_NONCE, &idx, &length, totalSz) >= 0) {
+            piv->nonce =   &buf[idx];
+            piv->nonceSz = length;
+            idx += length;
         }
-    }
 
-    if (idx != dcrl->sigIndex)
-        idx = dcrl->sigIndex;   /* skip extensions */
+        /* Signed Nonce (0C 82 0100) */
+        if (GetASNHeader(buf, ASN_PIV_SIGNED_NONCE, &idx, &length, totalSz) >= 0) {
+            piv->signedNonce =   &buf[idx];
+            piv->signedNonceSz = length;
+        }
 
-    if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0)
-        return ASN_PARSE_E;
+        idx = 0;
+        buf = piv->cert;
+        totalSz = piv->certSz;
+    }
 
-    if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
+    /* Certificate Buffer Total Size (53 82 05F6) */
+    if (GetASNHeader(buf, ASN_APPLICATION | ASN_PRINTABLE_STRING, &idx,
+                                                   &length, totalSz) < 0) {
         return ASN_PARSE_E;
+    }
+    /* PIV Certificate (70 82 05ED) */
+    if (GetASNHeader(buf, ASN_PIV_TAG_CERT, &idx, &length,
+                                                         totalSz) < 0) {
+        return ASN_PARSE_E;
+    }
 
-    /* openssl doesn't add skid by default for CRLs cause firefox chokes
-       we're not assuming it's available yet */
-    #if !defined(NO_SKID) && defined(CRL_SKID_READY)
-        if (dcrl->extAuthKeyIdSet)
-            ca = GetCA(cm, dcrl->extAuthKeyId);
-        if (ca == NULL)
-            ca = GetCAByName(cm, dcrl->issuerHash);
-    #else /* NO_SKID */
-        ca = GetCA(cm, dcrl->issuerHash);
-    #endif /* NO_SKID */
-    WOLFSSL_MSG("About to verify CRL signature");
+    /* Capture certificate buffer pointer and length */
+    piv->cert =   &buf[idx];
+    piv->certSz = length;
+    idx += length;
 
-    if (ca) {
-        WOLFSSL_MSG("Found CRL issuer CA");
-        /* try to confirm/verify signature */
-        #ifndef IGNORE_KEY_EXTENSIONS
-            if ((ca->keyUsage & KEYUSE_CRL_SIGN) == 0) {
-                WOLFSSL_MSG("CA cannot sign CRLs");
-                return ASN_CRL_NO_SIGNER_E;
-            }
-        #endif /* IGNORE_KEY_EXTENSIONS */
-        if (!ConfirmSignature(buff + dcrl->certBegin,
-                dcrl->sigIndex - dcrl->certBegin,
-                ca->publicKey, ca->pubKeySize, ca->keyOID,
-                dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
-            WOLFSSL_MSG("CRL Confirm signature failed");
-            return ASN_CRL_CONFIRM_E;
+    /* PIV Certificate Info (71 01 00) */
+    if (GetASNHeader(buf, ASN_PIV_TAG_CERT_INFO, &idx, &length,
+                                                        totalSz) >= 0) {
+        if (length >= 1) {
+            piv->compression = (buf[idx] & ASN_PIV_CERT_INFO_COMPRESSED);
+            piv->isX509 =      (buf[idx] & ASN_PIV_CERT_INFO_ISX509);
         }
+        idx += length;
     }
-    else {
-        WOLFSSL_MSG("Did NOT find CRL issuer CA");
-        return ASN_CRL_NO_SIGNER_E;
+
+    /* PIV Error Detection (FE 00) */
+    if (GetASNHeader(buf, ASN_PIV_TAG_ERR_DET, &idx, &length,
+                                                        totalSz) >= 0) {
+        piv->certErrDet =   &buf[idx];
+        piv->certErrDetSz = length;
+        idx += length;
     }
 
     return 0;
 }
 
-#endif /* HAVE_CRL */
-#endif
+#endif /* WOLFSSL_CERT_PIV */
 
-#ifdef WOLFSSL_SEP
 
+#undef ERROR_OUT
 
+#endif /* !NO_ASN */
 
-#endif /* WOLFSSL_SEP */
+#ifdef WOLFSSL_SEP
 
+
+#endif /* WOLFSSL_SEP */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/async.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/async.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/async.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2b.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2b.c
index 6ae5afd23..1541947dd 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2b.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2b.c
@@ -12,9 +12,9 @@
 */
 /* blake2b.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -28,10 +28,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -69,14 +70,14 @@ static const byte blake2b_sigma[12][16] =
 };
 
 
-static INLINE int blake2b_set_lastnode( blake2b_state *S )
+static WC_INLINE int blake2b_set_lastnode( blake2b_state *S )
 {
   S->f[1] = ~0ULL;
   return 0;
 }
 
 /* Some helper functions, not necessarily useful */
-static INLINE int blake2b_set_lastblock( blake2b_state *S )
+static WC_INLINE int blake2b_set_lastblock( blake2b_state *S )
 {
   if( S->last_node ) blake2b_set_lastnode( S );
 
@@ -84,7 +85,7 @@ static INLINE int blake2b_set_lastblock( blake2b_state *S )
   return 0;
 }
 
-static INLINE int blake2b_increment_counter( blake2b_state *S, const word64
+static WC_INLINE int blake2b_increment_counter( blake2b_state *S, const word64
                                              inc )
 {
   S->t[0] += inc;
@@ -92,7 +93,7 @@ static INLINE int blake2b_increment_counter( blake2b_state *S, const word64
   return 0;
 }
 
-static INLINE int blake2b_init0( blake2b_state *S )
+static WC_INLINE int blake2b_init0( blake2b_state *S )
 {
   int i;
   XMEMSET( S, 0, sizeof( blake2b_state ) );
@@ -106,8 +107,9 @@ static INLINE int blake2b_init0( blake2b_state *S )
 int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
 {
   word32 i;
+  byte *p ;
   blake2b_init0( S );
-  byte *p = ( byte * )( P );
+  p =  ( byte * )( P );
 
   /* IV XOR ParamBlock */
   for( i = 0; i < 8; ++i )
@@ -124,6 +126,7 @@ int blake2b_init( blake2b_state *S, const byte outlen )
 
   if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
 
+#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
   P->digest_length = outlen;
   P->key_length    = 0;
   P->fanout        = 1;
@@ -135,6 +138,12 @@ int blake2b_init( blake2b_state *S, const byte outlen )
   XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
+#else
+  XMEMSET( P, 0, sizeof( *P ) );
+  P->digest_length = outlen;
+  P->fanout        = 1;
+  P->depth         = 1;
+#endif
   return blake2b_init_param( S, P );
 }
 
@@ -148,6 +157,7 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
 
   if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
 
+#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
   P->digest_length = outlen;
   P->key_length    = keylen;
   P->fanout        = 1;
@@ -159,6 +169,13 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
   XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
+#else
+  XMEMSET( P, 0, sizeof( *P ) );
+  P->digest_length = outlen;
+  P->key_length    = keylen;
+  P->fanout        = 1;
+  P->depth         = 1;
+#endif
 
   if( blake2b_init_param( S, P ) < 0 ) return -1;
 
@@ -300,8 +317,7 @@ int blake2b_update( blake2b_state *S, const byte *in, word64 inlen )
     {
       XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
       S->buflen += inlen; /* Be lazy, do not compress */
-      in += inlen;
-      inlen -= inlen;
+      inlen = 0;
     }
   }
 
@@ -387,7 +403,7 @@ int main( int argc, char **argv )
       return -1;
     }
 
-    if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
+    if( 0 != XMEMCMP( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
     {
       puts( "error" );
       return -1;
@@ -402,9 +418,12 @@ int main( int argc, char **argv )
 
 /* wolfCrypt API */
 
-/* Init Blake2b digest, track size incase final doesn't want to "remember" */
+/* Init Blake2b digest, track size in case final doesn't want to "remember" */
 int wc_InitBlake2b(Blake2b* b2b, word32 digestSz)
 {
+    if (b2b == NULL){
+        return -1;
+    }
     b2b->digestSz = digestSz;
 
     return blake2b_init(b2b->S, (byte)digestSz);
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2s.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2s.c
new file mode 100644
index 000000000..651a1d18d
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/blake2s.c
@@ -0,0 +1,446 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
+
+   To the extent possible under law, the author(s) have dedicated all copyright
+   and related and neighboring rights to this software to the public domain
+   worldwide. This software is distributed without any warranty.
+
+   You should have received a copy of the CC0 Public Domain Dedication along with
+   this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
+*/
+/* blake2s.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_BLAKE2S
+
+#include <wolfssl/wolfcrypt/blake2.h>
+#include <wolfssl/wolfcrypt/blake2-impl.h>
+
+
+static const word32 blake2s_IV[8] =
+{
+  0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+  0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
+};
+
+static const byte blake2s_sigma[10][16] =
+{
+  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
+  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
+  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
+  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
+  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
+  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
+  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
+  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
+  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
+  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 }
+};
+
+
+static WC_INLINE int blake2s_set_lastnode( blake2s_state *S )
+{
+  S->f[1] = ~0;
+  return 0;
+}
+
+/* Some helper functions, not necessarily useful */
+static WC_INLINE int blake2s_set_lastblock( blake2s_state *S )
+{
+  if( S->last_node ) blake2s_set_lastnode( S );
+
+  S->f[0] = ~0;
+  return 0;
+}
+
+static WC_INLINE int blake2s_increment_counter( blake2s_state *S, const word32
+                                             inc )
+{
+  S->t[0] += inc;
+  S->t[1] += ( S->t[0] < inc );
+  return 0;
+}
+
+static WC_INLINE int blake2s_init0( blake2s_state *S )
+{
+  int i;
+  XMEMSET( S, 0, sizeof( blake2s_state ) );
+
+  for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i];
+
+  return 0;
+}
+
+/* init xors IV with input parameter block */
+int blake2s_init_param( blake2s_state *S, const blake2s_param *P )
+{
+  word32 i;
+  byte *p ;
+  blake2s_init0( S );
+  p =  ( byte * )( P );
+
+  /* IV XOR ParamBlock */
+  for( i = 0; i < 8; ++i )
+    S->h[i] ^= load32( p + sizeof( S->h[i] ) * i );
+
+  return 0;
+}
+
+
+
+int blake2s_init( blake2s_state *S, const byte outlen )
+{
+  blake2s_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
+
+#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
+  P->digest_length = outlen;
+  P->key_length    = 0;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store32( &P->node_offset, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
+  XMEMSET( P->salt,     0, sizeof( P->salt ) );
+  XMEMSET( P->personal, 0, sizeof( P->personal ) );
+#else
+  XMEMSET( P, 0, sizeof( *P ) );
+  P->digest_length = outlen;
+  P->fanout        = 1;
+  P->depth         = 1;
+#endif
+  return blake2s_init_param( S, P );
+}
+
+
+int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key,
+                      const byte keylen )
+{
+  blake2s_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
+
+  if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return -1;
+
+#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
+  P->digest_length = outlen;
+  P->key_length    = keylen;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store64( &P->node_offset, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
+  XMEMSET( P->salt,     0, sizeof( P->salt ) );
+  XMEMSET( P->personal, 0, sizeof( P->personal ) );
+#else
+  XMEMSET( P, 0, sizeof( *P ) );
+  P->digest_length = outlen;
+  P->key_length    = keylen;
+  P->fanout        = 1;
+  P->depth         = 1;
+#endif
+
+  if( blake2s_init_param( S, P ) < 0 ) return -1;
+
+  {
+#ifdef WOLFSSL_SMALL_STACK
+    byte* block;
+
+    block = (byte*)XMALLOC(BLAKE2S_BLOCKBYTES, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    if ( block == NULL ) return -1;
+#else
+    byte block[BLAKE2S_BLOCKBYTES];
+#endif
+
+    XMEMSET( block, 0, BLAKE2S_BLOCKBYTES );
+    XMEMCPY( block, key, keylen );
+    blake2s_update( S, block, BLAKE2S_BLOCKBYTES );
+    secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from */
+                                                     /* memory */
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(block, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+  }
+  return 0;
+}
+
+static int blake2s_compress( blake2s_state *S,
+                             const byte block[BLAKE2S_BLOCKBYTES] )
+{
+  int i;
+
+#ifdef WOLFSSL_SMALL_STACK
+  word32* m;
+  word32* v;
+
+  m = (word32*)XMALLOC(sizeof(word32) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+  if ( m == NULL ) return -1;
+
+  v = (word32*)XMALLOC(sizeof(word32) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+  if ( v == NULL )
+  {
+    XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    return -1;
+  }
+#else
+  word32 m[16];
+  word32 v[16];
+#endif
+
+  for( i = 0; i < 16; ++i )
+    m[i] = load32( block + i * sizeof( m[i] ) );
+
+  for( i = 0; i < 8; ++i )
+    v[i] = S->h[i];
+
+  v[ 8] = blake2s_IV[0];
+  v[ 9] = blake2s_IV[1];
+  v[10] = blake2s_IV[2];
+  v[11] = blake2s_IV[3];
+  v[12] = S->t[0] ^ blake2s_IV[4];
+  v[13] = S->t[1] ^ blake2s_IV[5];
+  v[14] = S->f[0] ^ blake2s_IV[6];
+  v[15] = S->f[1] ^ blake2s_IV[7];
+#define G(r,i,a,b,c,d) \
+  do { \
+    a = a + b + m[blake2s_sigma[r][2*i+0]]; \
+    d = rotr32(d ^ a, 16); \
+    c = c + d; \
+    b = rotr32(b ^ c, 12); \
+    a = a + b + m[blake2s_sigma[r][2*i+1]]; \
+    d = rotr32(d ^ a, 8); \
+    c = c + d; \
+    b = rotr32(b ^ c, 7); \
+  } while(0)
+#define ROUND(r)  \
+  do { \
+    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
+    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
+    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
+    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
+    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
+    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
+    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
+    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
+  } while(0)
+  ROUND( 0 );
+  ROUND( 1 );
+  ROUND( 2 );
+  ROUND( 3 );
+  ROUND( 4 );
+  ROUND( 5 );
+  ROUND( 6 );
+  ROUND( 7 );
+  ROUND( 8 );
+  ROUND( 9 );
+
+  for( i = 0; i < 8; ++i )
+    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+
+#undef G
+#undef ROUND
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+  return 0;
+}
+
+/* inlen now in bytes */
+int blake2s_update( blake2s_state *S, const byte *in, word32 inlen )
+{
+  while( inlen > 0 )
+  {
+    word32 left = S->buflen;
+    word32 fill = 2 * BLAKE2S_BLOCKBYTES - left;
+
+    if( inlen > fill )
+    {
+      XMEMCPY( S->buf + left, in, (wolfssl_word)fill ); /* Fill buffer */
+      S->buflen += fill;
+      blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
+
+      if ( blake2s_compress( S, S->buf ) < 0 ) return -1; /* Compress */
+
+      XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );
+              /* Shift buffer left */
+      S->buflen -= BLAKE2S_BLOCKBYTES;
+      in += fill;
+      inlen -= fill;
+    }
+    else /* inlen <= fill */
+    {
+      XMEMCPY( S->buf + left, in, (wolfssl_word)inlen );
+      S->buflen += inlen; /* Be lazy, do not compress */
+      inlen = 0;
+    }
+  }
+
+  return 0;
+}
+
+/* Is this correct? */
+int blake2s_final( blake2s_state *S, byte *out, byte outlen )
+{
+  int     i;
+  byte buffer[BLAKE2S_BLOCKBYTES];
+
+  if( S->buflen > BLAKE2S_BLOCKBYTES )
+  {
+    blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
+
+    if ( blake2s_compress( S, S->buf ) < 0 ) return -1;
+
+    S->buflen -= BLAKE2S_BLOCKBYTES;
+    XMEMCPY( S->buf, S->buf + BLAKE2S_BLOCKBYTES, (wolfssl_word)S->buflen );
+  }
+
+  blake2s_increment_counter( S, S->buflen );
+  blake2s_set_lastblock( S );
+  XMEMSET( S->buf + S->buflen, 0, (wolfssl_word)(2 * BLAKE2S_BLOCKBYTES - S->buflen) );
+         /* Padding */
+  if ( blake2s_compress( S, S->buf ) < 0 ) return -1;
+
+  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
+    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
+
+  XMEMCPY( out, buffer, outlen );
+  return 0;
+}
+
+/* inlen, at least, should be word32. Others can be size_t. */
+int blake2s( byte *out, const void *in, const void *key, const byte outlen,
+             const word32 inlen, byte keylen )
+{
+  blake2s_state S[1];
+
+  /* Verify parameters */
+  if ( NULL == in ) return -1;
+
+  if ( NULL == out ) return -1;
+
+  if( NULL == key ) keylen = 0;
+
+  if( keylen > 0 )
+  {
+    if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;
+  }
+  else
+  {
+    if( blake2s_init( S, outlen ) < 0 ) return -1;
+  }
+
+  if ( blake2s_update( S, ( byte * )in, inlen ) < 0) return -1;
+
+  return blake2s_final( S, out, outlen );
+}
+
+#if defined(BLAKE2S_SELFTEST)
+#include <string.h>
+#include "blake2-kat.h"
+int main( int argc, char **argv )
+{
+  byte key[BLAKE2S_KEYBYTES];
+  byte buf[KAT_LENGTH];
+
+  for( word32 i = 0; i < BLAKE2S_KEYBYTES; ++i )
+    key[i] = ( byte )i;
+
+  for( word32 i = 0; i < KAT_LENGTH; ++i )
+    buf[i] = ( byte )i;
+
+  for( word32 i = 0; i < KAT_LENGTH; ++i )
+  {
+    byte hash[BLAKE2S_OUTBYTES];
+    if ( blake2s( hash, buf, key, BLAKE2S_OUTBYTES, i, BLAKE2S_KEYBYTES ) < 0 )
+    {
+      puts( "error" );
+      return -1;
+    }
+
+    if( 0 != XMEMCMP( hash, blake2s_keyed_kat[i], BLAKE2S_OUTBYTES ) )
+    {
+      puts( "error" );
+      return -1;
+    }
+  }
+
+  puts( "ok" );
+  return 0;
+}
+#endif
+
+
+/* wolfCrypt API */
+
+/* Init Blake2s digest, track size in case final doesn't want to "remember" */
+int wc_InitBlake2s(Blake2s* b2s, word32 digestSz)
+{
+    if (b2s == NULL){
+        return -1;
+    }
+    b2s->digestSz = digestSz;
+
+    return blake2s_init(b2s->S, (byte)digestSz);
+}
+
+
+/* Blake2s Update */
+int wc_Blake2sUpdate(Blake2s* b2s, const byte* data, word32 sz)
+{
+    return blake2s_update(b2s->S, data, sz);
+}
+
+
+/* Blake2s Final, if pass in zero size we use init digestSz */
+int wc_Blake2sFinal(Blake2s* b2s, byte* final, word32 requestSz)
+{
+    word32 sz = requestSz ? requestSz : b2s->digestSz;
+
+    return blake2s_final(b2s->S, final, (byte)sz);
+}
+
+
+/* end CTaoCrypt API */
+
+#endif  /* HAVE_BLAKE2S */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/camellia.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/camellia.c
index 071019c6c..89ee6617a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/camellia.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/camellia.c
@@ -27,9 +27,9 @@
 
 /* camellia.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -43,11 +43,12 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 /*
- * Algorithm Specification 
+ * Algorithm Specification
  *  http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
  */
 
@@ -66,6 +67,7 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -510,7 +512,7 @@ static int camellia_setup128(const unsigned char *key, u32 *subkey)
 #endif
 
     /**
-     *  k == kll || klr || krl || krr (|| is concatination)
+     *  k == kll || klr || krl || krr (|| is concatenation)
      */
     kll = GETU32(key     );
     klr = GETU32(key +  4);
@@ -744,7 +746,7 @@ static int camellia_setup256(const unsigned char *key, u32 *subkey)
 
     /**
      *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
-     *  (|| is concatination)
+     *  (|| is concatenation)
      */
 
     kll  = GETU32(key     );
@@ -1015,7 +1017,7 @@ static int camellia_setup256(const unsigned char *key, u32 *subkey)
     CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
     dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
     CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
-    
+
 #ifdef WOLFSSL_SMALL_STACK
     XFREE(subL, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(subR, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1029,13 +1031,13 @@ static int camellia_setup192(const unsigned char *key, u32 *subkey)
     unsigned char kk[32];
     u32 krll, krlr, krrl,krrr;
 
-    memcpy(kk, key, 24);
-    memcpy((unsigned char *)&krll, key+16,4);
-    memcpy((unsigned char *)&krlr, key+20,4);
+    XMEMCPY(kk, key, 24);
+    XMEMCPY((unsigned char *)&krll, key+16,4);
+    XMEMCPY((unsigned char *)&krlr, key+20,4);
     krrl = ~krll;
     krrr = ~krlr;
-    memcpy(kk+24, (unsigned char *)&krrl, 4);
-    memcpy(kk+28, (unsigned char *)&krrr, 4);
+    XMEMCPY(kk+24, (unsigned char *)&krrl, 4);
+    XMEMCPY(kk+28, (unsigned char *)&krrr, 4);
 
     return camellia_setup256(kk, subkey);
 }
@@ -1132,14 +1134,14 @@ static void camellia_encrypt128(const u32 *subkey, u32 *io)
     io[1] = io[3];
     io[2] = t0;
     io[3] = t1;
-	
+
     return;
 }
 
 static void camellia_decrypt128(const u32 *subkey, u32 *io)
 {
-    u32 il,ir,t0,t1;               /* temporary valiables */
-    
+    u32 il,ir,t0,t1;               /* temporary variables */
+
     /* pre whitening but absorb kw2*/
     io[0] ^= CamelliaSubkeyL(24);
     io[1] ^= CamelliaSubkeyR(24);
@@ -1231,7 +1233,7 @@ static void camellia_decrypt128(const u32 *subkey, u32 *io)
  */
 static void camellia_encrypt256(const u32 *subkey, u32 *io)
 {
-    u32 il,ir,t0,t1;           /* temporary valiables */
+    u32 il,ir,t0,t1;           /* temporary variables */
 
     /* pre whitening but absorb kw2*/
     io[0] ^= CamelliaSubkeyL(0);
@@ -1345,12 +1347,12 @@ static void camellia_encrypt256(const u32 *subkey, u32 *io)
 
 static void camellia_decrypt256(const u32 *subkey, u32 *io)
 {
-    u32 il,ir,t0,t1;           /* temporary valiables */
+    u32 il,ir,t0,t1;           /* temporary variables */
 
     /* pre whitening but absorb kw2*/
     io[0] ^= CamelliaSubkeyL(32);
     io[1] ^= CamelliaSubkeyR(32);
-	
+
     /* main iteration */
     CAMELLIA_ROUNDSM(io[0],io[1],
 		     CamelliaSubkeyL(31),CamelliaSubkeyR(31),
@@ -1462,9 +1464,9 @@ static void camellia_decrypt256(const u32 *subkey, u32 *io)
  * API for compatibility
  */
 
-static void Camellia_EncryptBlock(const int keyBitLength, 
-			   const unsigned char *plaintext, 
-			   const KEY_TABLE_TYPE keyTable, 
+static void Camellia_EncryptBlock(const int keyBitLength,
+			   const unsigned char *plaintext,
+			   const KEY_TABLE_TYPE keyTable,
 			   unsigned char *ciphertext)
 {
     u32 tmp[4];
@@ -1493,9 +1495,9 @@ static void Camellia_EncryptBlock(const int keyBitLength,
     PUTU32(ciphertext + 12, tmp[3]);
 }
 
-static void Camellia_DecryptBlock(const int keyBitLength, 
-			   const unsigned char *ciphertext, 
-			   const KEY_TABLE_TYPE keyTable, 
+static void Camellia_DecryptBlock(const int keyBitLength,
+			   const unsigned char *ciphertext,
+			   const KEY_TABLE_TYPE keyTable,
 			   unsigned char *plaintext)
 {
     u32 tmp[4];
@@ -1572,21 +1574,35 @@ int wc_CamelliaSetIV(Camellia* cam, const byte* iv)
 }
 
 
-void wc_CamelliaEncryptDirect(Camellia* cam, byte* out, const byte* in)
+int wc_CamelliaEncryptDirect(Camellia* cam, byte* out, const byte* in)
 {
+    if (cam == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
     Camellia_EncryptBlock(cam->keySz, in, cam->key, out);
+
+    return 0;
 }
 
 
-void wc_CamelliaDecryptDirect(Camellia* cam, byte* out, const byte* in)
+int wc_CamelliaDecryptDirect(Camellia* cam, byte* out, const byte* in)
 {
+    if (cam == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
     Camellia_DecryptBlock(cam->keySz, in, cam->key, out);
+
+    return 0;
 }
 
 
-void wc_CamelliaCbcEncrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
+int wc_CamelliaCbcEncrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
 {
-    word32 blocks = sz / CAMELLIA_BLOCK_SIZE;
+    word32 blocks;
+    if (cam == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    blocks = sz / CAMELLIA_BLOCK_SIZE;
 
     while (blocks--) {
         xorbuf((byte*)cam->reg, in, CAMELLIA_BLOCK_SIZE);
@@ -1597,12 +1613,18 @@ void wc_CamelliaCbcEncrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
         out += CAMELLIA_BLOCK_SIZE;
         in  += CAMELLIA_BLOCK_SIZE;
     }
+
+    return 0;
 }
 
 
-void wc_CamelliaCbcDecrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
+int wc_CamelliaCbcDecrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
 {
-    word32 blocks = sz / CAMELLIA_BLOCK_SIZE;
+    word32 blocks;
+    if (cam == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    blocks = sz / CAMELLIA_BLOCK_SIZE;
 
     while (blocks--) {
         XMEMCPY(cam->tmp, in, CAMELLIA_BLOCK_SIZE);
@@ -1613,6 +1635,8 @@ void wc_CamelliaCbcDecrypt(Camellia* cam, byte* out, const byte* in, word32 sz)
         out += CAMELLIA_BLOCK_SIZE;
         in  += CAMELLIA_BLOCK_SIZE;
     }
+
+    return 0;
 }
 
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha.c
index 4e95bdbd0..38a1ede7d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha.c
@@ -1,8 +1,8 @@
 /* chacha.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,8 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- *
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/*
  *  based from
  *  chacha-ref.c version 20080118
  *  D. J. Bernstein
@@ -25,20 +27,26 @@
  */
 
 
+#ifdef WOLFSSL_ARMASM
+    /* implementation is located in wolfcrypt/src/port/arm/armv8-chacha.c */
+
+#else
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#ifdef HAVE_CHACHA
+#if defined(HAVE_CHACHA) && !defined(WOLFSSL_ARMASM)
 
 #include <wolfssl/wolfcrypt/chacha.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -46,6 +54,31 @@
     #include <stdio.h>
 #endif
 
+#ifdef USE_INTEL_CHACHA_SPEEDUP
+    #include <emmintrin.h>
+    #include <immintrin.h>
+
+    #if defined(__GNUC__) && ((__GNUC__ < 4) || \
+                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
+        #undef  NO_AVX2_SUPPORT
+        #define NO_AVX2_SUPPORT
+    #endif
+    #if defined(__clang__) && ((__clang_major__ < 3) || \
+                               (__clang_major__ == 3 && __clang_minor__ <= 5))
+        #undef  NO_AVX2_SUPPORT
+        #define NO_AVX2_SUPPORT
+    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
+        #undef NO_AVX2_SUPPORT
+    #endif
+
+    #ifndef NO_AVX2_SUPPORT
+        #define HAVE_INTEL_AVX2
+    #endif
+
+    static int cpuidFlagsSet = 0;
+    static int cpuidFlags = 0;
+#endif
+
 #ifdef BIG_ENDIAN_ORDER
     #define LITTLE32(x) ByteReverseWord32(x)
 #else
@@ -77,12 +110,12 @@
   */
 int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter)
 {
-    word32 temp[3];       /* used for alignment of memory */
+    word32 temp[CHACHA_IV_WORDS];/* used for alignment of memory */
 
 #ifdef CHACHA_AEAD_TEST
     word32 i;
     printf("NONCE : ");
-    for (i = 0; i < 12; i++) {
+    for (i = 0; i < CHACHA_IV_BYTES; i++) {
         printf("%02x", inIv[i]);
     }
     printf("\n\n");
@@ -91,12 +124,13 @@ int wc_Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter)
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
-    XMEMCPY(temp, inIv, 12);
+    XMEMCPY(temp, inIv, CHACHA_IV_BYTES);
 
-    ctx->X[12] = LITTLE32(counter); /* block counter */
-    ctx->X[13] = LITTLE32(temp[0]); /* fixed variable from nonce */
-    ctx->X[14] = LITTLE32(temp[1]); /* counter from nonce */
-    ctx->X[15] = LITTLE32(temp[2]); /* counter from nonce */
+    ctx->left = 0; /* resets state */
+    ctx->X[CHACHA_IV_BYTES+0] = counter;           /* block counter */
+    ctx->X[CHACHA_IV_BYTES+1] = LITTLE32(temp[0]); /* fixed variable from nonce */
+    ctx->X[CHACHA_IV_BYTES+2] = LITTLE32(temp[1]); /* counter from nonce */
+    ctx->X[CHACHA_IV_BYTES+3] = LITTLE32(temp[2]); /* counter from nonce */
 
     return 0;
 }
@@ -121,7 +155,7 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz)
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
-    if (keySz != 16 && keySz != 32)
+    if (keySz != (CHACHA_MAX_KEY_SZ/2) && keySz != CHACHA_MAX_KEY_SZ)
         return BAD_FUNC_ARG;
 
 #ifdef XSTREAM_ALIGN
@@ -152,7 +186,7 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz)
     ctx->X[5] = U8TO32_LITTLE(k +  4);
     ctx->X[6] = U8TO32_LITTLE(k +  8);
     ctx->X[7] = U8TO32_LITTLE(k + 12);
-    if (keySz == 32) {
+    if (keySz == CHACHA_MAX_KEY_SZ) {
         k += 16;
         constants = sigma;
     }
@@ -167,6 +201,7 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz)
     ctx->X[ 1] = constants[1];
     ctx->X[ 2] = constants[2];
     ctx->X[ 3] = constants[3];
+    ctx->left = 0; /* resets state */
 
     return 0;
 }
@@ -174,12 +209,13 @@ int wc_Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz)
 /**
   * Converts word into bytes with rotations having been done.
   */
-static INLINE void wc_Chacha_wordtobyte(word32 output[16], const word32 input[16])
+static WC_INLINE void wc_Chacha_wordtobyte(word32 output[CHACHA_CHUNK_WORDS],
+    const word32 input[CHACHA_CHUNK_WORDS])
 {
-    word32 x[16];
+    word32 x[CHACHA_CHUNK_WORDS];
     word32 i;
 
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < CHACHA_CHUNK_WORDS; i++) {
         x[i] = input[i];
     }
 
@@ -194,54 +230,114 @@ static INLINE void wc_Chacha_wordtobyte(word32 output[16], const word32 input[16
         QUARTERROUND(3, 4,  9, 14)
     }
 
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < CHACHA_CHUNK_WORDS; i++) {
         x[i] = PLUS(x[i], input[i]);
     }
 
-    for (i = 0; i < 16; i++) {
+    for (i = 0; i < CHACHA_CHUNK_WORDS; i++) {
         output[i] = LITTLE32(x[i]);
     }
 }
 
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+extern void chacha_encrypt_x64(ChaCha* ctx, const byte* m, byte* c,
+                               word32 bytes);
+extern void chacha_encrypt_avx1(ChaCha* ctx, const byte* m, byte* c,
+                                word32 bytes);
+extern void chacha_encrypt_avx2(ChaCha* ctx, const byte* m, byte* c,
+                                word32 bytes);
+
+#ifdef __cplusplus
+    }  /* extern "C" */
+#endif
+
+
 /**
   * Encrypt a stream of bytes
   */
 static void wc_Chacha_encrypt_bytes(ChaCha* ctx, const byte* m, byte* c,
-                                 word32 bytes)
+                                    word32 bytes)
 {
     byte*  output;
-    word32 temp[16]; /* used to make sure aligned */
+    word32 temp[CHACHA_CHUNK_WORDS]; /* used to make sure aligned */
     word32 i;
 
-    output = (byte*)temp;
+    /* handle left overs */
+    if (bytes > 0 && ctx->left > 0) {
+        wc_Chacha_wordtobyte(temp, ctx->X); /* recreate the stream */
+        output = (byte*)temp + CHACHA_CHUNK_BYTES - ctx->left;
+        for (i = 0; i < bytes && i < ctx->left; i++) {
+            c[i] = m[i] ^ output[i];
+        }
+        ctx->left = ctx->left - i;
 
-    if (!bytes) return;
-    for (;;) {
+        /* Used up all of the stream that was left, increment the counter */
+        if (ctx->left == 0) {
+            ctx->X[CHACHA_IV_BYTES] = PLUSONE(ctx->X[CHACHA_IV_BYTES]);
+        }
+        bytes = bytes - i;
+        c += i;
+        m += i;
+    }
+
+    output = (byte*)temp;
+    while (bytes >= CHACHA_CHUNK_BYTES) {
         wc_Chacha_wordtobyte(temp, ctx->X);
-        ctx->X[12] = PLUSONE(ctx->X[12]);
-        if (bytes <= 64) {
-            for (i = 0; i < bytes; ++i) {
-                c[i] = m[i] ^ output[i];
-            }
-            return;
+        ctx->X[CHACHA_IV_BYTES] = PLUSONE(ctx->X[CHACHA_IV_BYTES]);
+        for (i = 0; i < CHACHA_CHUNK_BYTES; ++i) {
+            c[i] = m[i] ^ output[i];
         }
-        for (i = 0; i < 64; ++i) {
+        bytes -= CHACHA_CHUNK_BYTES;
+        c += CHACHA_CHUNK_BYTES;
+        m += CHACHA_CHUNK_BYTES;
+    }
+
+    if (bytes) {
+        /* in this case there will always be some left over since bytes is less
+         * than CHACHA_CHUNK_BYTES, so do not increment counter after getting
+         * stream in order for the stream to be recreated on next call */
+        wc_Chacha_wordtobyte(temp, ctx->X);
+        for (i = 0; i < bytes; ++i) {
             c[i] = m[i] ^ output[i];
         }
-        bytes -= 64;
-        c += 64;
-        m += 64;
+        ctx->left = CHACHA_CHUNK_BYTES - i;
     }
 }
 
+
 /**
   * API to encrypt/decrypt a message of any size.
   */
-int wc_Chacha_Process(ChaCha* ctx, byte* output, const byte* input, word32 msglen)
+int wc_Chacha_Process(ChaCha* ctx, byte* output, const byte* input,
+                      word32 msglen)
 {
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
+#ifdef USE_INTEL_CHACHA_SPEEDUP
+    if (!cpuidFlagsSet) {
+        cpuidFlags = cpuid_get_flags();
+        cpuidFlagsSet = 1;
+    }
+
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(cpuidFlags)) {
+        chacha_encrypt_avx2(ctx, input, output, msglen);
+        return 0;
+    }
+    #endif
+    if (IS_INTEL_AVX1(cpuidFlags)) {
+        chacha_encrypt_avx1(ctx, input, output, msglen);
+        return 0;
+    }
+    else {
+        chacha_encrypt_x64(ctx, input, output, msglen);
+        return 0;
+    }
+#endif
     wc_Chacha_encrypt_bytes(ctx, input, output, msglen);
 
     return 0;
@@ -249,3 +345,4 @@ int wc_Chacha_Process(ChaCha* ctx, byte* output, const byte* input, word32 msgle
 
 #endif /* HAVE_CHACHA*/
 
+#endif /* WOLFSSL_ARMASM */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha20_poly1305.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha20_poly1305.c
index 4a2b1be22..64bc4c199 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha20_poly1305.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha20_poly1305.c
@@ -1,8 +1,8 @@
 /* chacha.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -31,29 +32,15 @@
 #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
-#include <wolfssl/wolfcrypt/chacha.h>
-#include <wolfssl/wolfcrypt/poly1305.h>
 
 #ifdef NO_INLINE
 #include <wolfssl/wolfcrypt/misc.h>
 #else
+#define WOLFSSL_MISC_INCLUDED
 #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifdef CHACHA_AEAD_TEST
-#include <stdio.h>
-#endif
-
 #define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER  0
-#define CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT 16
-
-static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8]);
-static int calculateAuthTag(
-                  const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
-                  const byte* inAAD, const word32 inAADLen,
-                  const byte *inCiphertext, const word32 inCiphertextLen,
-                  byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]);
-
 int wc_ChaCha20Poly1305_Encrypt(
                 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
                 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
@@ -62,12 +49,10 @@ int wc_ChaCha20Poly1305_Encrypt(
                 byte* outCiphertext,
                 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
 {
-    int err;
-    byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
-    ChaCha chaChaCtx;
+    int ret;
+    ChaChaPoly_Aead aead;
 
     /* Validate function arguments */
-
     if (!inKey || !inIV ||
         !inPlaintext || !inPlaintextLen ||
         !outCiphertext ||
@@ -76,35 +61,18 @@ int wc_ChaCha20Poly1305_Encrypt(
         return BAD_FUNC_ARG;
     }
 
-    XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
-
-    /* Create the Poly1305 key */
-    err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
-    if (err != 0) return err;
-
-    err = wc_Chacha_SetIV(&chaChaCtx, inIV,
-                           CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
-    if (err != 0) return err;
-
-    err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
-                             CHACHA20_POLY1305_AEAD_KEYSIZE);
-    if (err != 0) return err;
-
-    /* Encrypt the plaintext using ChaCha20 */
-    err = wc_Chacha_Process(&chaChaCtx, outCiphertext, inPlaintext,
-                            inPlaintextLen);
-    /* Calculate the Poly1305 auth tag */
-    if (err == 0)
-        err = calculateAuthTag(poly1305Key,
-                               inAAD, inAADLen,
-                               outCiphertext, inPlaintextLen,
-                               outAuthTag);
-    ForceZero(poly1305Key, sizeof(poly1305Key));
-
-    return err;
+    ret = wc_ChaCha20Poly1305_Init(&aead, inKey, inIV,
+        CHACHA20_POLY1305_AEAD_ENCRYPT);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_UpdateAad(&aead, inAAD, inAADLen);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_UpdateData(&aead, inPlaintext, outCiphertext,
+            inPlaintextLen);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_Final(&aead, outAuthTag);
+    return ret;
 }
 
-
 int wc_ChaCha20Poly1305_Decrypt(
                 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
                 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
@@ -113,13 +81,11 @@ int wc_ChaCha20Poly1305_Decrypt(
                 const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE],
                 byte* outPlaintext)
 {
-    int err;
-    byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
-    ChaCha chaChaCtx;
+    int ret;
+    ChaChaPoly_Aead aead;
     byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
 
     /* Validate function arguments */
-
     if (!inKey || !inIV ||
         !inCiphertext || !inCiphertextLen ||
         !inAuthTag ||
@@ -129,146 +95,192 @@ int wc_ChaCha20Poly1305_Decrypt(
     }
 
     XMEMSET(calculatedAuthTag, 0, sizeof(calculatedAuthTag));
-    XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
-
-    /* Create the Poly1305 key */
-    err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
-    if (err != 0) return err;
-
-    err = wc_Chacha_SetIV(&chaChaCtx, inIV,
-                           CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
-    if (err != 0) return err;
-
-    err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
-                             CHACHA20_POLY1305_AEAD_KEYSIZE);
-    if (err != 0) return err;
-
-    /* Calculate the Poly1305 auth tag */
-    err = calculateAuthTag(poly1305Key,
-                           inAAD, inAADLen,
-                           inCiphertext, inCiphertextLen,
-                           calculatedAuthTag);
-
-    /* Compare the calculated auth tag with the received one */
-    if (err == 0 && ConstantCompare(inAuthTag, calculatedAuthTag,
-                                    CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0)
-    {
-        err = MAC_CMP_FAILED_E;
-    }
 
-    /* Decrypt the received ciphertext */
-    if (err == 0)
-        err = wc_Chacha_Process(&chaChaCtx, outPlaintext, inCiphertext,
-                                inCiphertextLen);
-    ForceZero(poly1305Key, sizeof(poly1305Key));
-
-    return err;
+    ret = wc_ChaCha20Poly1305_Init(&aead, inKey, inIV,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_UpdateAad(&aead, inAAD, inAADLen);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_UpdateData(&aead, inCiphertext, outPlaintext,
+            inCiphertextLen);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_Final(&aead, calculatedAuthTag);
+    if (ret == 0)
+        ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag);
+    return ret;
 }
 
+int wc_ChaCha20Poly1305_CheckTag(
+    const byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE],
+    const byte authTagChk[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
+{
+    int ret = 0;
+    if (authTag == NULL || authTagChk == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (ConstantCompare(authTag, authTagChk,
+            CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0) {
+        ret = MAC_CMP_FAILED_E;
+    }
+    return ret;
+}
 
-static int calculateAuthTag(
-                const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
-                const byte *inAAD, const word32 inAADLen,
-                const byte *inCiphertext, const word32 inCiphertextLen,
-                 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
+int wc_ChaCha20Poly1305_Init(ChaChaPoly_Aead* aead,
+    const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
+    const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
+    int isEncrypt)
 {
-    int err;
-    Poly1305 poly1305Ctx;
-    byte padding[CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1];
-    word32 paddingLen;
-    byte little64[8];
+    int ret;
+    byte authKey[CHACHA20_POLY1305_AEAD_KEYSIZE];
 
-    XMEMSET(padding, 0, sizeof(padding));
+    /* check arguments */
+    if (aead == NULL || inKey == NULL || inIV == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    /* Initialize Poly1305 */
+    /* setup aead context */
+    XMEMSET(aead, 0, sizeof(ChaChaPoly_Aead));
+    XMEMSET(authKey, 0, sizeof(authKey));
+    aead->isEncrypt = isEncrypt;
+
+    /* Initialize the ChaCha20 context (key and iv) */
+    ret = wc_Chacha_SetKey(&aead->chacha, inKey,
+        CHACHA20_POLY1305_AEAD_KEYSIZE);
+    if (ret == 0) {
+        ret = wc_Chacha_SetIV(&aead->chacha, inIV,
+            CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
+    }
 
-    err = wc_Poly1305SetKey(&poly1305Ctx, inAuthKey,
-                            CHACHA20_POLY1305_AEAD_KEYSIZE);
-    if (err)
-    {
-        return err;
+    /* Create the Poly1305 key */
+    if (ret == 0) {
+        ret = wc_Chacha_Process(&aead->chacha, authKey, authKey,
+            CHACHA20_POLY1305_AEAD_KEYSIZE);
     }
 
-    /* Create the authTag by MAC'ing the following items: */
+    /* Initialize Poly1305 context */
+    if (ret == 0) {
+        ret = wc_Poly1305SetKey(&aead->poly, authKey,
+            CHACHA20_POLY1305_AEAD_KEYSIZE);
+    }
 
-    /* -- AAD */
+    /* advance counter by 1 after creating Poly1305 key */
+    if (ret == 0) {
+        ret = wc_Chacha_SetIV(&aead->chacha, inIV,
+            CHACHA20_POLY1305_AEAD_INITIAL_COUNTER + 1);
+    }
 
-    if (inAAD && inAADLen)
-    {
-        err = wc_Poly1305Update(&poly1305Ctx, inAAD, inAADLen);
+    if (ret == 0) {
+        aead->state = CHACHA20_POLY1305_STATE_READY;
+    }
 
-        /* -- padding1: pad the AAD to 16 bytes */
+    return ret;
+}
 
-        paddingLen = -inAADLen & (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
-        if (paddingLen)
-        {
-            err += wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
-        }
+/* optional additional authentication data */
+int wc_ChaCha20Poly1305_UpdateAad(ChaChaPoly_Aead* aead,
+    const byte* inAAD, word32 inAADLen)
+{
+    int ret = 0;
 
-        if (err)
-        {
-            return err;
+    if (aead == NULL || (inAAD == NULL && inAADLen > 0)) {
+        return BAD_FUNC_ARG;
+    }
+    if (aead->state != CHACHA20_POLY1305_STATE_READY &&
+        aead->state != CHACHA20_POLY1305_STATE_AAD) {
+        return BAD_STATE_E;
+    }
+
+    if (inAAD && inAADLen > 0) {
+        ret = wc_Poly1305Update(&aead->poly, inAAD, inAADLen);
+        if (ret == 0) {
+            aead->aadLen += inAADLen;
+            aead->state = CHACHA20_POLY1305_STATE_AAD;
         }
     }
 
-    /* -- Ciphertext */
+    return ret;
+}
 
-    err = wc_Poly1305Update(&poly1305Ctx, inCiphertext, inCiphertextLen);
-    if (err)
-    {
-        return err;
+/* inData and outData can be same pointer (inline) */
+int wc_ChaCha20Poly1305_UpdateData(ChaChaPoly_Aead* aead,
+    const byte* inData, byte* outData, word32 dataLen)
+{
+    int ret = 0;
+
+    if (aead == NULL || inData == NULL || outData == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (aead->state != CHACHA20_POLY1305_STATE_READY &&
+        aead->state != CHACHA20_POLY1305_STATE_AAD &&
+        aead->state != CHACHA20_POLY1305_STATE_DATA) {
+        return BAD_STATE_E;
     }
 
-    /* -- padding2: pad the ciphertext to 16 bytes */
+    /* Pad the AAD */
+    if (aead->state == CHACHA20_POLY1305_STATE_AAD) {
+        ret = wc_Poly1305_Pad(&aead->poly, aead->aadLen);
+    }
 
-    paddingLen = -inCiphertextLen &
-                                  (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
-    if (paddingLen)
-    {
-        err = wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
-        if (err)
-        {
-            return err;
+    /* advance state */
+    aead->state = CHACHA20_POLY1305_STATE_DATA;
+
+    /* Perform ChaCha20 encrypt/decrypt and Poly1305 auth calc */
+    if (ret == 0) {
+        if (aead->isEncrypt) {
+            ret = wc_Chacha_Process(&aead->chacha, outData, inData, dataLen);
+            if (ret == 0)
+                ret = wc_Poly1305Update(&aead->poly, outData, dataLen);
+        }
+        else {
+            ret = wc_Poly1305Update(&aead->poly, inData, dataLen);
+            if (ret == 0)
+                ret = wc_Chacha_Process(&aead->chacha, outData, inData, dataLen);
         }
     }
+    if (ret == 0) {
+        aead->dataLen += dataLen;
+    }
+    return ret;
+}
 
-    /* -- AAD length as a 64-bit little endian integer */
-
-    word32ToLittle64(inAADLen, little64);
+int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead,
+    byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
+{
+    int ret = 0;
 
-    err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64));
-    if (err)
-    {
-        return err;
+    if (aead == NULL || outAuthTag == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (aead->state != CHACHA20_POLY1305_STATE_AAD &&
+        aead->state != CHACHA20_POLY1305_STATE_DATA) {
+        return BAD_STATE_E;
     }
 
-    /* -- Ciphertext length as a 64-bit little endian integer */
+    /* Pad the AAD - Make sure it is done */
+    if (aead->state == CHACHA20_POLY1305_STATE_AAD) {
+        ret = wc_Poly1305_Pad(&aead->poly, aead->aadLen);
+    }
 
-    word32ToLittle64(inCiphertextLen, little64);
+    /* Pad the ciphertext to 16 bytes */
+    if (ret == 0) {
+        ret = wc_Poly1305_Pad(&aead->poly, aead->dataLen);
+    }
 
-    err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64));
-    if (err)
-    {
-        return err;
+    /* Add the aad length and plaintext/ciphertext length */
+    if (ret == 0) {
+        ret = wc_Poly1305_EncodeSizes(&aead->poly, aead->aadLen,
+            aead->dataLen);
     }
 
     /* Finalize the auth tag */
+    if (ret == 0) {
+        ret = wc_Poly1305Final(&aead->poly, outAuthTag);
+    }
 
-    err = wc_Poly1305Final(&poly1305Ctx, outAuthTag);
-
-    return err;
-}
-
-
-static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8])
-{
-    XMEMSET(outLittle64, 0, 8);
+    /* reset and cleanup sensitive context */
+    ForceZero(aead, sizeof(ChaChaPoly_Aead));
 
-    outLittle64[0] = (inLittle32 & 0x000000FF);
-    outLittle64[1] = (inLittle32 & 0x0000FF00) >> 8;
-    outLittle64[2] = (inLittle32 & 0x00FF0000) >> 16;
-    outLittle64[3] = (inLittle32 & 0xFF000000) >> 24;
+    return ret;
 }
 
-
 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha_asm.S
new file mode 100644
index 000000000..f9d5fff81
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/chacha_asm.S
@@ -0,0 +1,1420 @@
+/* chacha_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifndef __APPLE__
+.text
+.globl	chacha_encrypt_x64
+.type	chacha_encrypt_x64,@function
+.align	4
+chacha_encrypt_x64:
+#else
+.section	__TEXT,__text
+.globl	_chacha_encrypt_x64
+.p2align	2
+_chacha_encrypt_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%rbp
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x40, %rsp
+        cmpl	$0x40, %ecx
+        jl	L_chacha_x64_small
+L_chacha_x64_start:
+        subq	$48, %rsp
+        movq	%rdx, 24(%rsp)
+        movq	%rsi, 32(%rsp)
+        movq	%rcx, 40(%rsp)
+        movq	32(%rdi), %rax
+        movq	40(%rdi), %rbx
+        movq	%rax, 8(%rsp)
+        movq	%rbx, 16(%rsp)
+        movl	(%rdi), %eax
+        movl	4(%rdi), %ebx
+        movl	8(%rdi), %ecx
+        movl	12(%rdi), %edx
+        movl	16(%rdi), %r8d
+        movl	20(%rdi), %r9d
+        movl	24(%rdi), %r10d
+        movl	28(%rdi), %r11d
+        movl	48(%rdi), %r12d
+        movl	52(%rdi), %r13d
+        movl	56(%rdi), %r14d
+        movl	60(%rdi), %r15d
+        movb	$10, (%rsp)
+        movl	8(%rsp), %esi
+        movl	12(%rsp), %ebp
+L_chacha_x64_block_crypt_start:
+        addl	%r8d, %eax
+        addl	%r9d, %ebx
+        xorl	%eax, %r12d
+        xorl	%ebx, %r13d
+        roll	$16, %r12d
+        roll	$16, %r13d
+        addl	%r12d, %esi
+        addl	%r13d, %ebp
+        xorl	%esi, %r8d
+        xorl	%ebp, %r9d
+        roll	$12, %r8d
+        roll	$12, %r9d
+        addl	%r8d, %eax
+        addl	%r9d, %ebx
+        xorl	%eax, %r12d
+        xorl	%ebx, %r13d
+        roll	$8, %r12d
+        roll	$8, %r13d
+        addl	%r12d, %esi
+        addl	%r13d, %ebp
+        xorl	%esi, %r8d
+        xorl	%ebp, %r9d
+        roll	$7, %r8d
+        roll	$7, %r9d
+        movl	%esi, 8(%rsp)
+        movl	%ebp, 12(%rsp)
+        movl	16(%rsp), %esi
+        movl	20(%rsp), %ebp
+        addl	%r10d, %ecx
+        addl	%r11d, %edx
+        xorl	%ecx, %r14d
+        xorl	%edx, %r15d
+        roll	$16, %r14d
+        roll	$16, %r15d
+        addl	%r14d, %esi
+        addl	%r15d, %ebp
+        xorl	%esi, %r10d
+        xorl	%ebp, %r11d
+        roll	$12, %r10d
+        roll	$12, %r11d
+        addl	%r10d, %ecx
+        addl	%r11d, %edx
+        xorl	%ecx, %r14d
+        xorl	%edx, %r15d
+        roll	$8, %r14d
+        roll	$8, %r15d
+        addl	%r14d, %esi
+        addl	%r15d, %ebp
+        xorl	%esi, %r10d
+        xorl	%ebp, %r11d
+        roll	$7, %r10d
+        roll	$7, %r11d
+        addl	%r9d, %eax
+        addl	%r10d, %ebx
+        xorl	%eax, %r15d
+        xorl	%ebx, %r12d
+        roll	$16, %r15d
+        roll	$16, %r12d
+        addl	%r15d, %esi
+        addl	%r12d, %ebp
+        xorl	%esi, %r9d
+        xorl	%ebp, %r10d
+        roll	$12, %r9d
+        roll	$12, %r10d
+        addl	%r9d, %eax
+        addl	%r10d, %ebx
+        xorl	%eax, %r15d
+        xorl	%ebx, %r12d
+        roll	$8, %r15d
+        roll	$8, %r12d
+        addl	%r15d, %esi
+        addl	%r12d, %ebp
+        xorl	%esi, %r9d
+        xorl	%ebp, %r10d
+        roll	$7, %r9d
+        roll	$7, %r10d
+        movl	%esi, 16(%rsp)
+        movl	%ebp, 20(%rsp)
+        movl	8(%rsp), %esi
+        movl	12(%rsp), %ebp
+        addl	%r11d, %ecx
+        addl	%r8d, %edx
+        xorl	%ecx, %r13d
+        xorl	%edx, %r14d
+        roll	$16, %r13d
+        roll	$16, %r14d
+        addl	%r13d, %esi
+        addl	%r14d, %ebp
+        xorl	%esi, %r11d
+        xorl	%ebp, %r8d
+        roll	$12, %r11d
+        roll	$12, %r8d
+        addl	%r11d, %ecx
+        addl	%r8d, %edx
+        xorl	%ecx, %r13d
+        xorl	%edx, %r14d
+        roll	$8, %r13d
+        roll	$8, %r14d
+        addl	%r13d, %esi
+        addl	%r14d, %ebp
+        xorl	%esi, %r11d
+        xorl	%ebp, %r8d
+        roll	$7, %r11d
+        roll	$7, %r8d
+        decb	(%rsp)
+        jnz	L_chacha_x64_block_crypt_start
+        movl	%esi, 8(%rsp)
+        movl	%ebp, 12(%rsp)
+        movq	32(%rsp), %rsi
+        movq	24(%rsp), %rbp
+        addl	(%rdi), %eax
+        addl	4(%rdi), %ebx
+        addl	8(%rdi), %ecx
+        addl	12(%rdi), %edx
+        addl	16(%rdi), %r8d
+        addl	20(%rdi), %r9d
+        addl	24(%rdi), %r10d
+        addl	28(%rdi), %r11d
+        addl	48(%rdi), %r12d
+        addl	52(%rdi), %r13d
+        addl	56(%rdi), %r14d
+        addl	60(%rdi), %r15d
+        xorl	(%rsi), %eax
+        xorl	4(%rsi), %ebx
+        xorl	8(%rsi), %ecx
+        xorl	12(%rsi), %edx
+        xorl	16(%rsi), %r8d
+        xorl	20(%rsi), %r9d
+        xorl	24(%rsi), %r10d
+        xorl	28(%rsi), %r11d
+        xorl	48(%rsi), %r12d
+        xorl	52(%rsi), %r13d
+        xorl	56(%rsi), %r14d
+        xorl	60(%rsi), %r15d
+        movl	%eax, (%rbp)
+        movl	%ebx, 4(%rbp)
+        movl	%ecx, 8(%rbp)
+        movl	%edx, 12(%rbp)
+        movl	%r8d, 16(%rbp)
+        movl	%r9d, 20(%rbp)
+        movl	%r10d, 24(%rbp)
+        movl	%r11d, 28(%rbp)
+        movl	%r12d, 48(%rbp)
+        movl	%r13d, 52(%rbp)
+        movl	%r14d, 56(%rbp)
+        movl	%r15d, 60(%rbp)
+        movl	8(%rsp), %eax
+        movl	12(%rsp), %ebx
+        movl	16(%rsp), %ecx
+        movl	20(%rsp), %edx
+        addl	32(%rdi), %eax
+        addl	36(%rdi), %ebx
+        addl	40(%rdi), %ecx
+        addl	44(%rdi), %edx
+        xorl	32(%rsi), %eax
+        xorl	36(%rsi), %ebx
+        xorl	40(%rsi), %ecx
+        xorl	44(%rsi), %edx
+        movl	%eax, 32(%rbp)
+        movl	%ebx, 36(%rbp)
+        movl	%ecx, 40(%rbp)
+        movl	%edx, 44(%rbp)
+        movq	24(%rsp), %rdx
+        movq	40(%rsp), %rcx
+        addl	$0x01, 48(%rdi)
+        addq	$48, %rsp
+        subl	$0x40, %ecx
+        addq	$0x40, %rsi
+        addq	$0x40, %rdx
+        cmpl	$0x40, %ecx
+        jge	L_chacha_x64_start
+L_chacha_x64_small:
+        cmpl	$0x00, %ecx
+        je	L_chacha_x64_done
+        subq	$48, %rsp
+        movq	%rdx, 24(%rsp)
+        movq	%rsi, 32(%rsp)
+        movq	%rcx, 40(%rsp)
+        movq	32(%rdi), %rax
+        movq	40(%rdi), %rbx
+        movq	%rax, 8(%rsp)
+        movq	%rbx, 16(%rsp)
+        movl	(%rdi), %eax
+        movl	4(%rdi), %ebx
+        movl	8(%rdi), %ecx
+        movl	12(%rdi), %edx
+        movl	16(%rdi), %r8d
+        movl	20(%rdi), %r9d
+        movl	24(%rdi), %r10d
+        movl	28(%rdi), %r11d
+        movl	48(%rdi), %r12d
+        movl	52(%rdi), %r13d
+        movl	56(%rdi), %r14d
+        movl	60(%rdi), %r15d
+        movb	$10, (%rsp)
+        movl	8(%rsp), %esi
+        movl	12(%rsp), %ebp
+L_chacha_x64_partial_crypt_start:
+        addl	%r8d, %eax
+        addl	%r9d, %ebx
+        xorl	%eax, %r12d
+        xorl	%ebx, %r13d
+        roll	$16, %r12d
+        roll	$16, %r13d
+        addl	%r12d, %esi
+        addl	%r13d, %ebp
+        xorl	%esi, %r8d
+        xorl	%ebp, %r9d
+        roll	$12, %r8d
+        roll	$12, %r9d
+        addl	%r8d, %eax
+        addl	%r9d, %ebx
+        xorl	%eax, %r12d
+        xorl	%ebx, %r13d
+        roll	$8, %r12d
+        roll	$8, %r13d
+        addl	%r12d, %esi
+        addl	%r13d, %ebp
+        xorl	%esi, %r8d
+        xorl	%ebp, %r9d
+        roll	$7, %r8d
+        roll	$7, %r9d
+        movl	%esi, 8(%rsp)
+        movl	%ebp, 12(%rsp)
+        movl	16(%rsp), %esi
+        movl	20(%rsp), %ebp
+        addl	%r10d, %ecx
+        addl	%r11d, %edx
+        xorl	%ecx, %r14d
+        xorl	%edx, %r15d
+        roll	$16, %r14d
+        roll	$16, %r15d
+        addl	%r14d, %esi
+        addl	%r15d, %ebp
+        xorl	%esi, %r10d
+        xorl	%ebp, %r11d
+        roll	$12, %r10d
+        roll	$12, %r11d
+        addl	%r10d, %ecx
+        addl	%r11d, %edx
+        xorl	%ecx, %r14d
+        xorl	%edx, %r15d
+        roll	$8, %r14d
+        roll	$8, %r15d
+        addl	%r14d, %esi
+        addl	%r15d, %ebp
+        xorl	%esi, %r10d
+        xorl	%ebp, %r11d
+        roll	$7, %r10d
+        roll	$7, %r11d
+        addl	%r9d, %eax
+        addl	%r10d, %ebx
+        xorl	%eax, %r15d
+        xorl	%ebx, %r12d
+        roll	$16, %r15d
+        roll	$16, %r12d
+        addl	%r15d, %esi
+        addl	%r12d, %ebp
+        xorl	%esi, %r9d
+        xorl	%ebp, %r10d
+        roll	$12, %r9d
+        roll	$12, %r10d
+        addl	%r9d, %eax
+        addl	%r10d, %ebx
+        xorl	%eax, %r15d
+        xorl	%ebx, %r12d
+        roll	$8, %r15d
+        roll	$8, %r12d
+        addl	%r15d, %esi
+        addl	%r12d, %ebp
+        xorl	%esi, %r9d
+        xorl	%ebp, %r10d
+        roll	$7, %r9d
+        roll	$7, %r10d
+        movl	%esi, 16(%rsp)
+        movl	%ebp, 20(%rsp)
+        movl	8(%rsp), %esi
+        movl	12(%rsp), %ebp
+        addl	%r11d, %ecx
+        addl	%r8d, %edx
+        xorl	%ecx, %r13d
+        xorl	%edx, %r14d
+        roll	$16, %r13d
+        roll	$16, %r14d
+        addl	%r13d, %esi
+        addl	%r14d, %ebp
+        xorl	%esi, %r11d
+        xorl	%ebp, %r8d
+        roll	$12, %r11d
+        roll	$12, %r8d
+        addl	%r11d, %ecx
+        addl	%r8d, %edx
+        xorl	%ecx, %r13d
+        xorl	%edx, %r14d
+        roll	$8, %r13d
+        roll	$8, %r14d
+        addl	%r13d, %esi
+        addl	%r14d, %ebp
+        xorl	%esi, %r11d
+        xorl	%ebp, %r8d
+        roll	$7, %r11d
+        roll	$7, %r8d
+        decb	(%rsp)
+        jnz	L_chacha_x64_partial_crypt_start
+        movl	%esi, 8(%rsp)
+        movl	%ebp, 12(%rsp)
+        movq	32(%rsp), %rsi
+        addl	(%rdi), %eax
+        addl	4(%rdi), %ebx
+        addl	8(%rdi), %ecx
+        addl	12(%rdi), %edx
+        addl	16(%rdi), %r8d
+        addl	20(%rdi), %r9d
+        addl	24(%rdi), %r10d
+        addl	28(%rdi), %r11d
+        addl	48(%rdi), %r12d
+        addl	52(%rdi), %r13d
+        addl	56(%rdi), %r14d
+        addl	60(%rdi), %r15d
+        movl	%eax, 48(%rsp)
+        movl	%ebx, 52(%rsp)
+        movl	%ecx, 56(%rsp)
+        movl	%edx, 60(%rsp)
+        movl	%r8d, 64(%rsp)
+        movl	%r9d, 68(%rsp)
+        movl	%r10d, 72(%rsp)
+        movl	%r11d, 76(%rsp)
+        movl	%r12d, 96(%rsp)
+        movl	%r13d, 100(%rsp)
+        movl	%r14d, 104(%rsp)
+        movl	%r15d, 108(%rsp)
+        movl	8(%rsp), %eax
+        movl	12(%rsp), %ebx
+        movl	16(%rsp), %ecx
+        movl	20(%rsp), %edx
+        addl	32(%rdi), %eax
+        addl	36(%rdi), %ebx
+        addl	40(%rdi), %ecx
+        addl	44(%rdi), %edx
+        movl	%eax, 80(%rsp)
+        movl	%ebx, 84(%rsp)
+        movl	%ecx, 88(%rsp)
+        movl	%edx, 92(%rsp)
+        movq	24(%rsp), %rdx
+        movq	40(%rsp), %rcx
+        addl	$0x01, 48(%rdi)
+        addq	$48, %rsp
+        movl	%ecx, %r8d
+        xorq	%rbx, %rbx
+        andl	$7, %r8d
+        jz	L_chacha_x64_partial_start64
+L_chacha_x64_partial_start8:
+        movzbl	(%rsp,%rbx,1), %eax
+        xorb	(%rsi,%rbx,1), %al
+        movb	%al, (%rdx,%rbx,1)
+        incl	%ebx
+        cmpl	%r8d, %ebx
+        jne	L_chacha_x64_partial_start8
+        je	L_chacha_x64_partial_end64
+L_chacha_x64_partial_start64:
+        movq	(%rsp,%rbx,1), %rax
+        xorq	(%rsi,%rbx,1), %rax
+        movq	%rax, (%rdx,%rbx,1)
+        addl	$8, %ebx
+L_chacha_x64_partial_end64:
+        cmpl	%ecx, %ebx
+        jne	L_chacha_x64_partial_start64
+L_chacha_x64_done:
+        addq	$0x40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbp
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	chacha_encrypt_x64,.-chacha_encrypt_x64
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_chacha20_avx1_rotl8:
+.quad	0x605040702010003, 0xe0d0c0f0a09080b
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_chacha20_avx1_rotl16:
+.quad	0x504070601000302, 0xd0c0f0e09080b0a
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_chacha20_avx1_add:
+.quad	0x100000000, 0x300000002
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_chacha20_avx1_four:
+.quad	0x400000004, 0x400000004
+#ifndef __APPLE__
+.text
+.globl	chacha_encrypt_avx1
+.type	chacha_encrypt_avx1,@function
+.align	4
+chacha_encrypt_avx1:
+#else
+.section	__TEXT,__text
+.globl	_chacha_encrypt_avx1
+.p2align	2
+_chacha_encrypt_avx1:
+#endif /* __APPLE__ */
+        subq	$0x190, %rsp
+        movq	%rsp, %r9
+        leaq	256(%rsp), %r10
+        andq	$-16, %r9
+        andq	$-16, %r10
+        movl	%ecx, %eax
+        shrl	$8, %eax
+        jz	L_chacha20_avx1_end128
+        vpshufd	$0x00, (%rdi), %xmm0
+        vpshufd	$0x00, 4(%rdi), %xmm1
+        vpshufd	$0x00, 8(%rdi), %xmm2
+        vpshufd	$0x00, 12(%rdi), %xmm3
+        vpshufd	$0x00, 16(%rdi), %xmm4
+        vpshufd	$0x00, 20(%rdi), %xmm5
+        vpshufd	$0x00, 24(%rdi), %xmm6
+        vpshufd	$0x00, 28(%rdi), %xmm7
+        vpshufd	$0x00, 32(%rdi), %xmm8
+        vpshufd	$0x00, 36(%rdi), %xmm9
+        vpshufd	$0x00, 40(%rdi), %xmm10
+        vpshufd	$0x00, 44(%rdi), %xmm11
+        vpshufd	$0x00, 48(%rdi), %xmm12
+        vpshufd	$0x00, 52(%rdi), %xmm13
+        vpshufd	$0x00, 56(%rdi), %xmm14
+        vpshufd	$0x00, 60(%rdi), %xmm15
+        vpaddd	L_chacha20_avx1_add(%rip), %xmm12, %xmm12
+        vmovdqa	%xmm0, (%r9)
+        vmovdqa	%xmm1, 16(%r9)
+        vmovdqa	%xmm2, 32(%r9)
+        vmovdqa	%xmm3, 48(%r9)
+        vmovdqa	%xmm4, 64(%r9)
+        vmovdqa	%xmm5, 80(%r9)
+        vmovdqa	%xmm6, 96(%r9)
+        vmovdqa	%xmm7, 112(%r9)
+        vmovdqa	%xmm8, 128(%r9)
+        vmovdqa	%xmm9, 144(%r9)
+        vmovdqa	%xmm10, 160(%r9)
+        vmovdqa	%xmm11, 176(%r9)
+        vmovdqa	%xmm12, 192(%r9)
+        vmovdqa	%xmm13, 208(%r9)
+        vmovdqa	%xmm14, 224(%r9)
+        vmovdqa	%xmm15, 240(%r9)
+L_chacha20_avx1_start128:
+        vmovdqa	%xmm11, 48(%r10)
+        movb	$10, %r8b
+L_chacha20_avx1_loop128:
+        vpaddd	%xmm4, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm12, %xmm12
+        vmovdqa	48(%r10), %xmm11
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm12, %xmm12
+        vpaddd	%xmm12, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        vpaddd	%xmm5, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm13, %xmm13
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm13, %xmm13
+        vpaddd	%xmm13, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm5, %xmm5
+        vpaddd	%xmm6, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm14, %xmm14
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm14, %xmm14
+        vpaddd	%xmm14, %xmm10, %xmm10
+        vpxor	%xmm10, %xmm6, %xmm6
+        vpaddd	%xmm7, %xmm3, %xmm3
+        vpxor	%xmm3, %xmm15, %xmm15
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm15, %xmm15
+        vpaddd	%xmm15, %xmm11, %xmm11
+        vpxor	%xmm11, %xmm7, %xmm7
+        vmovdqa	%xmm11, 48(%r10)
+        vpsrld	$20, %xmm4, %xmm11
+        vpslld	$12, %xmm4, %xmm4
+        vpxor	%xmm11, %xmm4, %xmm4
+        vpsrld	$20, %xmm5, %xmm11
+        vpslld	$12, %xmm5, %xmm5
+        vpxor	%xmm11, %xmm5, %xmm5
+        vpsrld	$20, %xmm6, %xmm11
+        vpslld	$12, %xmm6, %xmm6
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpsrld	$20, %xmm7, %xmm11
+        vpslld	$12, %xmm7, %xmm7
+        vpxor	%xmm11, %xmm7, %xmm7
+        vpaddd	%xmm4, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm12, %xmm12
+        vmovdqa	48(%r10), %xmm11
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm12, %xmm12
+        vpaddd	%xmm12, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm4, %xmm4
+        vpaddd	%xmm5, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm13, %xmm13
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm13, %xmm13
+        vpaddd	%xmm13, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm5, %xmm5
+        vpaddd	%xmm6, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm14, %xmm14
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm14, %xmm14
+        vpaddd	%xmm14, %xmm10, %xmm10
+        vpxor	%xmm10, %xmm6, %xmm6
+        vpaddd	%xmm7, %xmm3, %xmm3
+        vpxor	%xmm3, %xmm15, %xmm15
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm15, %xmm15
+        vpaddd	%xmm15, %xmm11, %xmm11
+        vpxor	%xmm11, %xmm7, %xmm7
+        vmovdqa	%xmm11, 48(%r10)
+        vpsrld	$25, %xmm4, %xmm11
+        vpslld	$7, %xmm4, %xmm4
+        vpxor	%xmm11, %xmm4, %xmm4
+        vpsrld	$25, %xmm5, %xmm11
+        vpslld	$7, %xmm5, %xmm5
+        vpxor	%xmm11, %xmm5, %xmm5
+        vpsrld	$25, %xmm6, %xmm11
+        vpslld	$7, %xmm6, %xmm6
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpsrld	$25, %xmm7, %xmm11
+        vpslld	$7, %xmm7, %xmm7
+        vpxor	%xmm11, %xmm7, %xmm7
+        vpaddd	%xmm5, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm15, %xmm15
+        vmovdqa	48(%r10), %xmm11
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm15, %xmm15
+        vpaddd	%xmm15, %xmm10, %xmm10
+        vpxor	%xmm10, %xmm5, %xmm5
+        vpaddd	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm12, %xmm12
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm12, %xmm12
+        vpaddd	%xmm12, %xmm11, %xmm11
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpaddd	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm13, %xmm13
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm13, %xmm13
+        vpaddd	%xmm13, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm7, %xmm7
+        vpaddd	%xmm4, %xmm3, %xmm3
+        vpxor	%xmm3, %xmm14, %xmm14
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm14, %xmm14
+        vpaddd	%xmm14, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm4, %xmm4
+        vmovdqa	%xmm11, 48(%r10)
+        vpsrld	$20, %xmm5, %xmm11
+        vpslld	$12, %xmm5, %xmm5
+        vpxor	%xmm11, %xmm5, %xmm5
+        vpsrld	$20, %xmm6, %xmm11
+        vpslld	$12, %xmm6, %xmm6
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpsrld	$20, %xmm7, %xmm11
+        vpslld	$12, %xmm7, %xmm7
+        vpxor	%xmm11, %xmm7, %xmm7
+        vpsrld	$20, %xmm4, %xmm11
+        vpslld	$12, %xmm4, %xmm4
+        vpxor	%xmm11, %xmm4, %xmm4
+        vpaddd	%xmm5, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm15, %xmm15
+        vmovdqa	48(%r10), %xmm11
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm15, %xmm15
+        vpaddd	%xmm15, %xmm10, %xmm10
+        vpxor	%xmm10, %xmm5, %xmm5
+        vpaddd	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm1, %xmm12, %xmm12
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm12, %xmm12
+        vpaddd	%xmm12, %xmm11, %xmm11
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpaddd	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm13, %xmm13
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm13, %xmm13
+        vpaddd	%xmm13, %xmm8, %xmm8
+        vpxor	%xmm8, %xmm7, %xmm7
+        vpaddd	%xmm4, %xmm3, %xmm3
+        vpxor	%xmm3, %xmm14, %xmm14
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm14, %xmm14
+        vpaddd	%xmm14, %xmm9, %xmm9
+        vpxor	%xmm9, %xmm4, %xmm4
+        vmovdqa	%xmm11, 48(%r10)
+        vpsrld	$25, %xmm5, %xmm11
+        vpslld	$7, %xmm5, %xmm5
+        vpxor	%xmm11, %xmm5, %xmm5
+        vpsrld	$25, %xmm6, %xmm11
+        vpslld	$7, %xmm6, %xmm6
+        vpxor	%xmm11, %xmm6, %xmm6
+        vpsrld	$25, %xmm7, %xmm11
+        vpslld	$7, %xmm7, %xmm7
+        vpxor	%xmm11, %xmm7, %xmm7
+        vpsrld	$25, %xmm4, %xmm11
+        vpslld	$7, %xmm4, %xmm4
+        vpxor	%xmm11, %xmm4, %xmm4
+        decb	%r8b
+        jnz	L_chacha20_avx1_loop128
+        vmovdqa	48(%r10), %xmm11
+        vpaddd	(%r9), %xmm0, %xmm0
+        vpaddd	16(%r9), %xmm1, %xmm1
+        vpaddd	32(%r9), %xmm2, %xmm2
+        vpaddd	48(%r9), %xmm3, %xmm3
+        vpaddd	64(%r9), %xmm4, %xmm4
+        vpaddd	80(%r9), %xmm5, %xmm5
+        vpaddd	96(%r9), %xmm6, %xmm6
+        vpaddd	112(%r9), %xmm7, %xmm7
+        vpaddd	128(%r9), %xmm8, %xmm8
+        vpaddd	144(%r9), %xmm9, %xmm9
+        vpaddd	160(%r9), %xmm10, %xmm10
+        vpaddd	176(%r9), %xmm11, %xmm11
+        vpaddd	192(%r9), %xmm12, %xmm12
+        vpaddd	208(%r9), %xmm13, %xmm13
+        vpaddd	224(%r9), %xmm14, %xmm14
+        vpaddd	240(%r9), %xmm15, %xmm15
+        vmovdqa	%xmm8, (%r10)
+        vmovdqa	%xmm9, 16(%r10)
+        vmovdqa	%xmm10, 32(%r10)
+        vmovdqa	%xmm11, 48(%r10)
+        vmovdqa	%xmm12, 64(%r10)
+        vmovdqa	%xmm13, 80(%r10)
+        vmovdqa	%xmm14, 96(%r10)
+        vmovdqa	%xmm15, 112(%r10)
+        vpunpckldq	%xmm1, %xmm0, %xmm8
+        vpunpckldq	%xmm3, %xmm2, %xmm9
+        vpunpckhdq	%xmm1, %xmm0, %xmm12
+        vpunpckhdq	%xmm3, %xmm2, %xmm13
+        vpunpckldq	%xmm5, %xmm4, %xmm10
+        vpunpckldq	%xmm7, %xmm6, %xmm11
+        vpunpckhdq	%xmm5, %xmm4, %xmm14
+        vpunpckhdq	%xmm7, %xmm6, %xmm15
+        vpunpcklqdq	%xmm9, %xmm8, %xmm0
+        vpunpcklqdq	%xmm11, %xmm10, %xmm1
+        vpunpckhqdq	%xmm9, %xmm8, %xmm2
+        vpunpckhqdq	%xmm11, %xmm10, %xmm3
+        vpunpcklqdq	%xmm13, %xmm12, %xmm4
+        vpunpcklqdq	%xmm15, %xmm14, %xmm5
+        vpunpckhqdq	%xmm13, %xmm12, %xmm6
+        vpunpckhqdq	%xmm15, %xmm14, %xmm7
+        vmovdqu	(%rsi), %xmm8
+        vmovdqu	16(%rsi), %xmm9
+        vmovdqu	64(%rsi), %xmm10
+        vmovdqu	80(%rsi), %xmm11
+        vmovdqu	128(%rsi), %xmm12
+        vmovdqu	144(%rsi), %xmm13
+        vmovdqu	192(%rsi), %xmm14
+        vmovdqu	208(%rsi), %xmm15
+        vpxor	%xmm8, %xmm0, %xmm0
+        vpxor	%xmm9, %xmm1, %xmm1
+        vpxor	%xmm10, %xmm2, %xmm2
+        vpxor	%xmm11, %xmm3, %xmm3
+        vpxor	%xmm12, %xmm4, %xmm4
+        vpxor	%xmm13, %xmm5, %xmm5
+        vpxor	%xmm14, %xmm6, %xmm6
+        vpxor	%xmm15, %xmm7, %xmm7
+        vmovdqu	%xmm0, (%rdx)
+        vmovdqu	%xmm1, 16(%rdx)
+        vmovdqu	%xmm2, 64(%rdx)
+        vmovdqu	%xmm3, 80(%rdx)
+        vmovdqu	%xmm4, 128(%rdx)
+        vmovdqu	%xmm5, 144(%rdx)
+        vmovdqu	%xmm6, 192(%rdx)
+        vmovdqu	%xmm7, 208(%rdx)
+        vmovdqa	(%r10), %xmm0
+        vmovdqa	16(%r10), %xmm1
+        vmovdqa	32(%r10), %xmm2
+        vmovdqa	48(%r10), %xmm3
+        vmovdqa	64(%r10), %xmm4
+        vmovdqa	80(%r10), %xmm5
+        vmovdqa	96(%r10), %xmm6
+        vmovdqa	112(%r10), %xmm7
+        vpunpckldq	%xmm1, %xmm0, %xmm8
+        vpunpckldq	%xmm3, %xmm2, %xmm9
+        vpunpckhdq	%xmm1, %xmm0, %xmm12
+        vpunpckhdq	%xmm3, %xmm2, %xmm13
+        vpunpckldq	%xmm5, %xmm4, %xmm10
+        vpunpckldq	%xmm7, %xmm6, %xmm11
+        vpunpckhdq	%xmm5, %xmm4, %xmm14
+        vpunpckhdq	%xmm7, %xmm6, %xmm15
+        vpunpcklqdq	%xmm9, %xmm8, %xmm0
+        vpunpcklqdq	%xmm11, %xmm10, %xmm1
+        vpunpckhqdq	%xmm9, %xmm8, %xmm2
+        vpunpckhqdq	%xmm11, %xmm10, %xmm3
+        vpunpcklqdq	%xmm13, %xmm12, %xmm4
+        vpunpcklqdq	%xmm15, %xmm14, %xmm5
+        vpunpckhqdq	%xmm13, %xmm12, %xmm6
+        vpunpckhqdq	%xmm15, %xmm14, %xmm7
+        vmovdqu	32(%rsi), %xmm8
+        vmovdqu	48(%rsi), %xmm9
+        vmovdqu	96(%rsi), %xmm10
+        vmovdqu	112(%rsi), %xmm11
+        vmovdqu	160(%rsi), %xmm12
+        vmovdqu	176(%rsi), %xmm13
+        vmovdqu	224(%rsi), %xmm14
+        vmovdqu	240(%rsi), %xmm15
+        vpxor	%xmm8, %xmm0, %xmm0
+        vpxor	%xmm9, %xmm1, %xmm1
+        vpxor	%xmm10, %xmm2, %xmm2
+        vpxor	%xmm11, %xmm3, %xmm3
+        vpxor	%xmm12, %xmm4, %xmm4
+        vpxor	%xmm13, %xmm5, %xmm5
+        vpxor	%xmm14, %xmm6, %xmm6
+        vpxor	%xmm15, %xmm7, %xmm7
+        vmovdqu	%xmm0, 32(%rdx)
+        vmovdqu	%xmm1, 48(%rdx)
+        vmovdqu	%xmm2, 96(%rdx)
+        vmovdqu	%xmm3, 112(%rdx)
+        vmovdqu	%xmm4, 160(%rdx)
+        vmovdqu	%xmm5, 176(%rdx)
+        vmovdqu	%xmm6, 224(%rdx)
+        vmovdqu	%xmm7, 240(%rdx)
+        vmovdqa	192(%r9), %xmm12
+        addq	$0x100, %rsi
+        addq	$0x100, %rdx
+        vpaddd	L_chacha20_avx1_four(%rip), %xmm12, %xmm12
+        subl	$0x100, %ecx
+        vmovdqa	%xmm12, 192(%r9)
+        cmpl	$0x100, %ecx
+        jl	L_chacha20_avx1_done128
+        vmovdqa	(%r9), %xmm0
+        vmovdqa	16(%r9), %xmm1
+        vmovdqa	32(%r9), %xmm2
+        vmovdqa	48(%r9), %xmm3
+        vmovdqa	64(%r9), %xmm4
+        vmovdqa	80(%r9), %xmm5
+        vmovdqa	96(%r9), %xmm6
+        vmovdqa	112(%r9), %xmm7
+        vmovdqa	128(%r9), %xmm8
+        vmovdqa	144(%r9), %xmm9
+        vmovdqa	160(%r9), %xmm10
+        vmovdqa	176(%r9), %xmm11
+        vmovdqa	192(%r9), %xmm12
+        vmovdqa	208(%r9), %xmm13
+        vmovdqa	224(%r9), %xmm14
+        vmovdqa	240(%r9), %xmm15
+        jmp	L_chacha20_avx1_start128
+L_chacha20_avx1_done128:
+        shl	$2, %eax
+        addl	%eax, 48(%rdi)
+L_chacha20_avx1_end128:
+        cmpl	$0x40, %ecx
+        jl	L_chacha20_avx1_block_done
+L_chacha20_avx1_block_start:
+        vmovdqu	(%rdi), %xmm0
+        vmovdqu	16(%rdi), %xmm1
+        vmovdqu	32(%rdi), %xmm2
+        vmovdqu	48(%rdi), %xmm3
+        vmovdqa	%xmm0, %xmm5
+        vmovdqa	%xmm1, %xmm6
+        vmovdqa	%xmm2, %xmm7
+        vmovdqa	%xmm3, %xmm8
+        movb	$10, %al
+L_chacha20_avx1_block_crypt_start:
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$20, %xmm1, %xmm4
+        vpslld	$12, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$25, %xmm1, %xmm4
+        vpslld	$7, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpshufd	$57, %xmm1, %xmm1
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpshufd	$0x93, %xmm3, %xmm3
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$20, %xmm1, %xmm4
+        vpslld	$12, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$25, %xmm1, %xmm4
+        vpslld	$7, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpshufd	$0x93, %xmm1, %xmm1
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpshufd	$57, %xmm3, %xmm3
+        decb	%al
+        jnz	L_chacha20_avx1_block_crypt_start
+        vpaddd	%xmm5, %xmm0, %xmm0
+        vpaddd	%xmm6, %xmm1, %xmm1
+        vpaddd	%xmm7, %xmm2, %xmm2
+        vpaddd	%xmm8, %xmm3, %xmm3
+        vmovdqu	(%rsi), %xmm5
+        vmovdqu	16(%rsi), %xmm6
+        vmovdqu	32(%rsi), %xmm7
+        vmovdqu	48(%rsi), %xmm8
+        vpxor	%xmm5, %xmm0, %xmm0
+        vpxor	%xmm6, %xmm1, %xmm1
+        vpxor	%xmm7, %xmm2, %xmm2
+        vpxor	%xmm8, %xmm3, %xmm3
+        vmovdqu	%xmm0, (%rdx)
+        vmovdqu	%xmm1, 16(%rdx)
+        vmovdqu	%xmm2, 32(%rdx)
+        vmovdqu	%xmm3, 48(%rdx)
+        addl	$0x01, 48(%rdi)
+        subl	$0x40, %ecx
+        addq	$0x40, %rsi
+        addq	$0x40, %rdx
+        cmpl	$0x40, %ecx
+        jge	L_chacha20_avx1_block_start
+L_chacha20_avx1_block_done:
+        cmpl	$0x00, %ecx
+        je	L_chacha20_avx1_partial_done
+        vmovdqu	(%rdi), %xmm0
+        vmovdqu	16(%rdi), %xmm1
+        vmovdqu	32(%rdi), %xmm2
+        vmovdqu	48(%rdi), %xmm3
+        vmovdqa	%xmm0, %xmm5
+        vmovdqa	%xmm1, %xmm6
+        vmovdqa	%xmm2, %xmm7
+        vmovdqa	%xmm3, %xmm8
+        movb	$10, %al
+L_chacha20_avx1_partial_crypt_start:
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$20, %xmm1, %xmm4
+        vpslld	$12, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$25, %xmm1, %xmm4
+        vpslld	$7, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpshufd	$57, %xmm1, %xmm1
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpshufd	$0x93, %xmm3, %xmm3
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl16(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$20, %xmm1, %xmm4
+        vpslld	$12, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpaddd	%xmm1, %xmm0, %xmm0
+        vpxor	%xmm0, %xmm3, %xmm3
+        vpshufb	L_chacha20_avx1_rotl8(%rip), %xmm3, %xmm3
+        vpaddd	%xmm3, %xmm2, %xmm2
+        vpxor	%xmm2, %xmm1, %xmm1
+        vpsrld	$25, %xmm1, %xmm4
+        vpslld	$7, %xmm1, %xmm1
+        vpxor	%xmm4, %xmm1, %xmm1
+        vpshufd	$0x93, %xmm1, %xmm1
+        vpshufd	$0x4e, %xmm2, %xmm2
+        vpshufd	$57, %xmm3, %xmm3
+        decb	%al
+        jnz	L_chacha20_avx1_partial_crypt_start
+        vpaddd	%xmm5, %xmm0, %xmm0
+        vpaddd	%xmm6, %xmm1, %xmm1
+        vpaddd	%xmm7, %xmm2, %xmm2
+        vpaddd	%xmm8, %xmm3, %xmm3
+        vmovdqu	%xmm0, (%r10)
+        vmovdqu	%xmm1, 16(%r10)
+        vmovdqu	%xmm2, 32(%r10)
+        vmovdqu	%xmm3, 48(%r10)
+        addl	$0x01, 48(%rdi)
+        movl	%ecx, %r8d
+        xorq	%r11, %r11
+        andl	$7, %r8d
+        jz	L_chacha20_avx1_partial_start64
+L_chacha20_avx1_partial_start8:
+        movzbl	(%r10,%r11,1), %eax
+        xorb	(%rsi,%r11,1), %al
+        movb	%al, (%rdx,%r11,1)
+        incl	%r11d
+        cmpl	%r8d, %r11d
+        jne	L_chacha20_avx1_partial_start8
+        je	L_chacha20_avx1_partial_end64
+L_chacha20_avx1_partial_start64:
+        movq	(%r10,%r11,1), %rax
+        xorq	(%rsi,%r11,1), %rax
+        movq	%rax, (%rdx,%r11,1)
+        addl	$8, %r11d
+L_chacha20_avx1_partial_end64:
+        cmpl	%ecx, %r11d
+        jne	L_chacha20_avx1_partial_start64
+L_chacha20_avx1_partial_done:
+        addq	$0x190, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	chacha_encrypt_avx1,.-chacha_encrypt_avx1
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX1 */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_chacha20_avx2_rotl8:
+.quad	0x605040702010003, 0xe0d0c0f0a09080b
+.quad	0x605040702010003, 0xe0d0c0f0a09080b
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_chacha20_avx2_rotl16:
+.quad	0x504070601000302, 0xd0c0f0e09080b0a
+.quad	0x504070601000302, 0xd0c0f0e09080b0a
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_chacha20_avx2_add:
+.quad	0x100000000, 0x300000002
+.quad	0x500000004, 0x700000006
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_chacha20_avx2_eight:
+.quad	0x800000008, 0x800000008
+.quad	0x800000008, 0x800000008
+#ifndef __APPLE__
+.text
+.globl	chacha_encrypt_avx2
+.type	chacha_encrypt_avx2,@function
+.align	4
+chacha_encrypt_avx2:
+#else
+.section	__TEXT,__text
+.globl	_chacha_encrypt_avx2
+.p2align	2
+_chacha_encrypt_avx2:
+#endif /* __APPLE__ */
+        subq	$0x310, %rsp
+        movq	%rsp, %r9
+        leaq	512(%rsp), %r10
+        andq	$-32, %r9
+        andq	$-32, %r10
+        movl	%ecx, %eax
+        shrl	$9, %eax
+        jz	L_chacha20_avx2_end256
+        vpbroadcastd	(%rdi), %ymm0
+        vpbroadcastd	4(%rdi), %ymm1
+        vpbroadcastd	8(%rdi), %ymm2
+        vpbroadcastd	12(%rdi), %ymm3
+        vpbroadcastd	16(%rdi), %ymm4
+        vpbroadcastd	20(%rdi), %ymm5
+        vpbroadcastd	24(%rdi), %ymm6
+        vpbroadcastd	28(%rdi), %ymm7
+        vpbroadcastd	32(%rdi), %ymm8
+        vpbroadcastd	36(%rdi), %ymm9
+        vpbroadcastd	40(%rdi), %ymm10
+        vpbroadcastd	44(%rdi), %ymm11
+        vpbroadcastd	48(%rdi), %ymm12
+        vpbroadcastd	52(%rdi), %ymm13
+        vpbroadcastd	56(%rdi), %ymm14
+        vpbroadcastd	60(%rdi), %ymm15
+        vpaddd	L_chacha20_avx2_add(%rip), %ymm12, %ymm12
+        vmovdqa	%ymm0, (%r9)
+        vmovdqa	%ymm1, 32(%r9)
+        vmovdqa	%ymm2, 64(%r9)
+        vmovdqa	%ymm3, 96(%r9)
+        vmovdqa	%ymm4, 128(%r9)
+        vmovdqa	%ymm5, 160(%r9)
+        vmovdqa	%ymm6, 192(%r9)
+        vmovdqa	%ymm7, 224(%r9)
+        vmovdqa	%ymm8, 256(%r9)
+        vmovdqa	%ymm9, 288(%r9)
+        vmovdqa	%ymm10, 320(%r9)
+        vmovdqa	%ymm11, 352(%r9)
+        vmovdqa	%ymm12, 384(%r9)
+        vmovdqa	%ymm13, 416(%r9)
+        vmovdqa	%ymm14, 448(%r9)
+        vmovdqa	%ymm15, 480(%r9)
+L_chacha20_avx2_start256:
+        movb	$10, %r8b
+        vmovdqa	%ymm11, 96(%r10)
+L_chacha20_avx2_loop256:
+        vpaddd	%ymm4, %ymm0, %ymm0
+        vpxor	%ymm0, %ymm12, %ymm12
+        vmovdqa	96(%r10), %ymm11
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm12, %ymm12
+        vpaddd	%ymm12, %ymm8, %ymm8
+        vpxor	%ymm8, %ymm4, %ymm4
+        vpaddd	%ymm5, %ymm1, %ymm1
+        vpxor	%ymm1, %ymm13, %ymm13
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm13, %ymm13
+        vpaddd	%ymm13, %ymm9, %ymm9
+        vpxor	%ymm9, %ymm5, %ymm5
+        vpaddd	%ymm6, %ymm2, %ymm2
+        vpxor	%ymm2, %ymm14, %ymm14
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm14, %ymm14
+        vpaddd	%ymm14, %ymm10, %ymm10
+        vpxor	%ymm10, %ymm6, %ymm6
+        vpaddd	%ymm7, %ymm3, %ymm3
+        vpxor	%ymm3, %ymm15, %ymm15
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm15, %ymm15
+        vpaddd	%ymm15, %ymm11, %ymm11
+        vpxor	%ymm11, %ymm7, %ymm7
+        vmovdqa	%ymm11, 96(%r10)
+        vpsrld	$20, %ymm4, %ymm11
+        vpslld	$12, %ymm4, %ymm4
+        vpxor	%ymm11, %ymm4, %ymm4
+        vpsrld	$20, %ymm5, %ymm11
+        vpslld	$12, %ymm5, %ymm5
+        vpxor	%ymm11, %ymm5, %ymm5
+        vpsrld	$20, %ymm6, %ymm11
+        vpslld	$12, %ymm6, %ymm6
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpsrld	$20, %ymm7, %ymm11
+        vpslld	$12, %ymm7, %ymm7
+        vpxor	%ymm11, %ymm7, %ymm7
+        vpaddd	%ymm4, %ymm0, %ymm0
+        vpxor	%ymm0, %ymm12, %ymm12
+        vmovdqa	96(%r10), %ymm11
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm12, %ymm12
+        vpaddd	%ymm12, %ymm8, %ymm8
+        vpxor	%ymm8, %ymm4, %ymm4
+        vpaddd	%ymm5, %ymm1, %ymm1
+        vpxor	%ymm1, %ymm13, %ymm13
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm13, %ymm13
+        vpaddd	%ymm13, %ymm9, %ymm9
+        vpxor	%ymm9, %ymm5, %ymm5
+        vpaddd	%ymm6, %ymm2, %ymm2
+        vpxor	%ymm2, %ymm14, %ymm14
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm14, %ymm14
+        vpaddd	%ymm14, %ymm10, %ymm10
+        vpxor	%ymm10, %ymm6, %ymm6
+        vpaddd	%ymm7, %ymm3, %ymm3
+        vpxor	%ymm3, %ymm15, %ymm15
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm15, %ymm15
+        vpaddd	%ymm15, %ymm11, %ymm11
+        vpxor	%ymm11, %ymm7, %ymm7
+        vmovdqa	%ymm11, 96(%r10)
+        vpsrld	$25, %ymm4, %ymm11
+        vpslld	$7, %ymm4, %ymm4
+        vpxor	%ymm11, %ymm4, %ymm4
+        vpsrld	$25, %ymm5, %ymm11
+        vpslld	$7, %ymm5, %ymm5
+        vpxor	%ymm11, %ymm5, %ymm5
+        vpsrld	$25, %ymm6, %ymm11
+        vpslld	$7, %ymm6, %ymm6
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpsrld	$25, %ymm7, %ymm11
+        vpslld	$7, %ymm7, %ymm7
+        vpxor	%ymm11, %ymm7, %ymm7
+        vpaddd	%ymm5, %ymm0, %ymm0
+        vpxor	%ymm0, %ymm15, %ymm15
+        vmovdqa	96(%r10), %ymm11
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm15, %ymm15
+        vpaddd	%ymm15, %ymm10, %ymm10
+        vpxor	%ymm10, %ymm5, %ymm5
+        vpaddd	%ymm6, %ymm1, %ymm1
+        vpxor	%ymm1, %ymm12, %ymm12
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm12, %ymm12
+        vpaddd	%ymm12, %ymm11, %ymm11
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpaddd	%ymm7, %ymm2, %ymm2
+        vpxor	%ymm2, %ymm13, %ymm13
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm13, %ymm13
+        vpaddd	%ymm13, %ymm8, %ymm8
+        vpxor	%ymm8, %ymm7, %ymm7
+        vpaddd	%ymm4, %ymm3, %ymm3
+        vpxor	%ymm3, %ymm14, %ymm14
+        vpshufb	L_chacha20_avx2_rotl16(%rip), %ymm14, %ymm14
+        vpaddd	%ymm14, %ymm9, %ymm9
+        vpxor	%ymm9, %ymm4, %ymm4
+        vmovdqa	%ymm11, 96(%r10)
+        vpsrld	$20, %ymm5, %ymm11
+        vpslld	$12, %ymm5, %ymm5
+        vpxor	%ymm11, %ymm5, %ymm5
+        vpsrld	$20, %ymm6, %ymm11
+        vpslld	$12, %ymm6, %ymm6
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpsrld	$20, %ymm7, %ymm11
+        vpslld	$12, %ymm7, %ymm7
+        vpxor	%ymm11, %ymm7, %ymm7
+        vpsrld	$20, %ymm4, %ymm11
+        vpslld	$12, %ymm4, %ymm4
+        vpxor	%ymm11, %ymm4, %ymm4
+        vpaddd	%ymm5, %ymm0, %ymm0
+        vpxor	%ymm0, %ymm15, %ymm15
+        vmovdqa	96(%r10), %ymm11
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm15, %ymm15
+        vpaddd	%ymm15, %ymm10, %ymm10
+        vpxor	%ymm10, %ymm5, %ymm5
+        vpaddd	%ymm6, %ymm1, %ymm1
+        vpxor	%ymm1, %ymm12, %ymm12
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm12, %ymm12
+        vpaddd	%ymm12, %ymm11, %ymm11
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpaddd	%ymm7, %ymm2, %ymm2
+        vpxor	%ymm2, %ymm13, %ymm13
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm13, %ymm13
+        vpaddd	%ymm13, %ymm8, %ymm8
+        vpxor	%ymm8, %ymm7, %ymm7
+        vpaddd	%ymm4, %ymm3, %ymm3
+        vpxor	%ymm3, %ymm14, %ymm14
+        vpshufb	L_chacha20_avx2_rotl8(%rip), %ymm14, %ymm14
+        vpaddd	%ymm14, %ymm9, %ymm9
+        vpxor	%ymm9, %ymm4, %ymm4
+        vmovdqa	%ymm11, 96(%r10)
+        vpsrld	$25, %ymm5, %ymm11
+        vpslld	$7, %ymm5, %ymm5
+        vpxor	%ymm11, %ymm5, %ymm5
+        vpsrld	$25, %ymm6, %ymm11
+        vpslld	$7, %ymm6, %ymm6
+        vpxor	%ymm11, %ymm6, %ymm6
+        vpsrld	$25, %ymm7, %ymm11
+        vpslld	$7, %ymm7, %ymm7
+        vpxor	%ymm11, %ymm7, %ymm7
+        vpsrld	$25, %ymm4, %ymm11
+        vpslld	$7, %ymm4, %ymm4
+        vpxor	%ymm11, %ymm4, %ymm4
+        decb	%r8b
+        jnz	L_chacha20_avx2_loop256
+        vmovdqa	96(%r10), %ymm11
+        vpaddd	(%r9), %ymm0, %ymm0
+        vpaddd	32(%r9), %ymm1, %ymm1
+        vpaddd	64(%r9), %ymm2, %ymm2
+        vpaddd	96(%r9), %ymm3, %ymm3
+        vpaddd	128(%r9), %ymm4, %ymm4
+        vpaddd	160(%r9), %ymm5, %ymm5
+        vpaddd	192(%r9), %ymm6, %ymm6
+        vpaddd	224(%r9), %ymm7, %ymm7
+        vpaddd	256(%r9), %ymm8, %ymm8
+        vpaddd	288(%r9), %ymm9, %ymm9
+        vpaddd	320(%r9), %ymm10, %ymm10
+        vpaddd	352(%r9), %ymm11, %ymm11
+        vpaddd	384(%r9), %ymm12, %ymm12
+        vpaddd	416(%r9), %ymm13, %ymm13
+        vpaddd	448(%r9), %ymm14, %ymm14
+        vpaddd	480(%r9), %ymm15, %ymm15
+        vmovdqa	%ymm8, (%r10)
+        vmovdqa	%ymm9, 32(%r10)
+        vmovdqa	%ymm10, 64(%r10)
+        vmovdqa	%ymm11, 96(%r10)
+        vmovdqa	%ymm12, 128(%r10)
+        vmovdqa	%ymm13, 160(%r10)
+        vmovdqa	%ymm14, 192(%r10)
+        vmovdqa	%ymm15, 224(%r10)
+        vpunpckldq	%ymm1, %ymm0, %ymm8
+        vpunpckldq	%ymm3, %ymm2, %ymm9
+        vpunpckhdq	%ymm1, %ymm0, %ymm12
+        vpunpckhdq	%ymm3, %ymm2, %ymm13
+        vpunpckldq	%ymm5, %ymm4, %ymm10
+        vpunpckldq	%ymm7, %ymm6, %ymm11
+        vpunpckhdq	%ymm5, %ymm4, %ymm14
+        vpunpckhdq	%ymm7, %ymm6, %ymm15
+        vpunpcklqdq	%ymm9, %ymm8, %ymm0
+        vpunpcklqdq	%ymm11, %ymm10, %ymm1
+        vpunpckhqdq	%ymm9, %ymm8, %ymm2
+        vpunpckhqdq	%ymm11, %ymm10, %ymm3
+        vpunpcklqdq	%ymm13, %ymm12, %ymm4
+        vpunpcklqdq	%ymm15, %ymm14, %ymm5
+        vpunpckhqdq	%ymm13, %ymm12, %ymm6
+        vpunpckhqdq	%ymm15, %ymm14, %ymm7
+        vperm2i128	$32, %ymm1, %ymm0, %ymm8
+        vperm2i128	$32, %ymm3, %ymm2, %ymm9
+        vperm2i128	$49, %ymm1, %ymm0, %ymm12
+        vperm2i128	$49, %ymm3, %ymm2, %ymm13
+        vperm2i128	$32, %ymm5, %ymm4, %ymm10
+        vperm2i128	$32, %ymm7, %ymm6, %ymm11
+        vperm2i128	$49, %ymm5, %ymm4, %ymm14
+        vperm2i128	$49, %ymm7, %ymm6, %ymm15
+        vmovdqu	(%rsi), %ymm0
+        vmovdqu	64(%rsi), %ymm1
+        vmovdqu	128(%rsi), %ymm2
+        vmovdqu	192(%rsi), %ymm3
+        vmovdqu	256(%rsi), %ymm4
+        vmovdqu	320(%rsi), %ymm5
+        vmovdqu	384(%rsi), %ymm6
+        vmovdqu	448(%rsi), %ymm7
+        vpxor	%ymm0, %ymm8, %ymm8
+        vpxor	%ymm1, %ymm9, %ymm9
+        vpxor	%ymm2, %ymm10, %ymm10
+        vpxor	%ymm3, %ymm11, %ymm11
+        vpxor	%ymm4, %ymm12, %ymm12
+        vpxor	%ymm5, %ymm13, %ymm13
+        vpxor	%ymm6, %ymm14, %ymm14
+        vpxor	%ymm7, %ymm15, %ymm15
+        vmovdqu	%ymm8, (%rdx)
+        vmovdqu	%ymm9, 64(%rdx)
+        vmovdqu	%ymm10, 128(%rdx)
+        vmovdqu	%ymm11, 192(%rdx)
+        vmovdqu	%ymm12, 256(%rdx)
+        vmovdqu	%ymm13, 320(%rdx)
+        vmovdqu	%ymm14, 384(%rdx)
+        vmovdqu	%ymm15, 448(%rdx)
+        vmovdqa	(%r10), %ymm0
+        vmovdqa	32(%r10), %ymm1
+        vmovdqa	64(%r10), %ymm2
+        vmovdqa	96(%r10), %ymm3
+        vmovdqa	128(%r10), %ymm4
+        vmovdqa	160(%r10), %ymm5
+        vmovdqa	192(%r10), %ymm6
+        vmovdqa	224(%r10), %ymm7
+        vpunpckldq	%ymm1, %ymm0, %ymm8
+        vpunpckldq	%ymm3, %ymm2, %ymm9
+        vpunpckhdq	%ymm1, %ymm0, %ymm12
+        vpunpckhdq	%ymm3, %ymm2, %ymm13
+        vpunpckldq	%ymm5, %ymm4, %ymm10
+        vpunpckldq	%ymm7, %ymm6, %ymm11
+        vpunpckhdq	%ymm5, %ymm4, %ymm14
+        vpunpckhdq	%ymm7, %ymm6, %ymm15
+        vpunpcklqdq	%ymm9, %ymm8, %ymm0
+        vpunpcklqdq	%ymm11, %ymm10, %ymm1
+        vpunpckhqdq	%ymm9, %ymm8, %ymm2
+        vpunpckhqdq	%ymm11, %ymm10, %ymm3
+        vpunpcklqdq	%ymm13, %ymm12, %ymm4
+        vpunpcklqdq	%ymm15, %ymm14, %ymm5
+        vpunpckhqdq	%ymm13, %ymm12, %ymm6
+        vpunpckhqdq	%ymm15, %ymm14, %ymm7
+        vperm2i128	$32, %ymm1, %ymm0, %ymm8
+        vperm2i128	$32, %ymm3, %ymm2, %ymm9
+        vperm2i128	$49, %ymm1, %ymm0, %ymm12
+        vperm2i128	$49, %ymm3, %ymm2, %ymm13
+        vperm2i128	$32, %ymm5, %ymm4, %ymm10
+        vperm2i128	$32, %ymm7, %ymm6, %ymm11
+        vperm2i128	$49, %ymm5, %ymm4, %ymm14
+        vperm2i128	$49, %ymm7, %ymm6, %ymm15
+        vmovdqu	32(%rsi), %ymm0
+        vmovdqu	96(%rsi), %ymm1
+        vmovdqu	160(%rsi), %ymm2
+        vmovdqu	224(%rsi), %ymm3
+        vmovdqu	288(%rsi), %ymm4
+        vmovdqu	352(%rsi), %ymm5
+        vmovdqu	416(%rsi), %ymm6
+        vmovdqu	480(%rsi), %ymm7
+        vpxor	%ymm0, %ymm8, %ymm8
+        vpxor	%ymm1, %ymm9, %ymm9
+        vpxor	%ymm2, %ymm10, %ymm10
+        vpxor	%ymm3, %ymm11, %ymm11
+        vpxor	%ymm4, %ymm12, %ymm12
+        vpxor	%ymm5, %ymm13, %ymm13
+        vpxor	%ymm6, %ymm14, %ymm14
+        vpxor	%ymm7, %ymm15, %ymm15
+        vmovdqu	%ymm8, 32(%rdx)
+        vmovdqu	%ymm9, 96(%rdx)
+        vmovdqu	%ymm10, 160(%rdx)
+        vmovdqu	%ymm11, 224(%rdx)
+        vmovdqu	%ymm12, 288(%rdx)
+        vmovdqu	%ymm13, 352(%rdx)
+        vmovdqu	%ymm14, 416(%rdx)
+        vmovdqu	%ymm15, 480(%rdx)
+        vmovdqa	384(%r9), %ymm12
+        addq	$0x200, %rsi
+        addq	$0x200, %rdx
+        vpaddd	L_chacha20_avx2_eight(%rip), %ymm12, %ymm12
+        subl	$0x200, %ecx
+        vmovdqa	%ymm12, 384(%r9)
+        cmpl	$0x200, %ecx
+        jl	L_chacha20_avx2_done256
+        vmovdqa	(%r9), %ymm0
+        vmovdqa	32(%r9), %ymm1
+        vmovdqa	64(%r9), %ymm2
+        vmovdqa	96(%r9), %ymm3
+        vmovdqa	128(%r9), %ymm4
+        vmovdqa	160(%r9), %ymm5
+        vmovdqa	192(%r9), %ymm6
+        vmovdqa	224(%r9), %ymm7
+        vmovdqa	256(%r9), %ymm8
+        vmovdqa	288(%r9), %ymm9
+        vmovdqa	320(%r9), %ymm10
+        vmovdqa	352(%r9), %ymm11
+        vmovdqa	384(%r9), %ymm12
+        vmovdqa	416(%r9), %ymm13
+        vmovdqa	448(%r9), %ymm14
+        vmovdqa	480(%r9), %ymm15
+        jmp	L_chacha20_avx2_start256
+L_chacha20_avx2_done256:
+        shl	$3, %eax
+        addl	%eax, 48(%rdi)
+L_chacha20_avx2_end256:
+#ifndef __APPLE__
+        callq	chacha_encrypt_avx1@plt
+#else
+        callq	_chacha_encrypt_avx1
+#endif /* __APPLE__ */
+        addq	$0x310, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	chacha_encrypt_avx2,.-chacha_encrypt_avx2
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cmac.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cmac.c
new file mode 100644
index 000000000..9d30bb5f3
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cmac.c
@@ -0,0 +1,215 @@
+/* cmac.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
+
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$n")
+        #pragma const_seg(".fipsB$n")
+    #endif
+#endif
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/cmac.h>
+
+
+static void ShiftAndXorRb(byte* out, byte* in)
+{
+    int i, j, xorRb;
+    int mask = 0, last = 0;
+    byte Rb = 0x87;
+
+    xorRb = (in[0] & 0x80) != 0;
+
+    for (i = 1, j = AES_BLOCK_SIZE - 1; i <= AES_BLOCK_SIZE; i++, j--) {
+        last = (in[j] & 0x80) ? 1 : 0;
+        out[j] = (byte)((in[j] << 1) | mask);
+        mask = last;
+        if (xorRb) {
+            out[j] ^= Rb;
+            Rb = 0;
+        }
+    }
+}
+
+
+int wc_InitCmac(Cmac* cmac, const byte* key, word32 keySz,
+                int type, void* unused)
+{
+    int ret;
+
+    (void)unused;
+
+    if (cmac == NULL || key == NULL || keySz == 0 || type != WC_CMAC_AES)
+        return BAD_FUNC_ARG;
+
+    XMEMSET(cmac, 0, sizeof(Cmac));
+    ret = wc_AesSetKey(&cmac->aes, key, keySz, NULL, AES_ENCRYPTION);
+    if (ret == 0) {
+        byte l[AES_BLOCK_SIZE];
+
+        XMEMSET(l, 0, AES_BLOCK_SIZE);
+        wc_AesEncryptDirect(&cmac->aes, l, l);
+        ShiftAndXorRb(cmac->k1, l);
+        ShiftAndXorRb(cmac->k2, cmac->k1);
+        ForceZero(l, AES_BLOCK_SIZE);
+    }
+    return ret;
+}
+
+
+int wc_CmacUpdate(Cmac* cmac, const byte* in, word32 inSz)
+{
+    if ((cmac == NULL) || (in == NULL && inSz != 0))
+        return BAD_FUNC_ARG;
+
+    while (inSz != 0) {
+        word32 add = min(inSz, AES_BLOCK_SIZE - cmac->bufferSz);
+        XMEMCPY(&cmac->buffer[cmac->bufferSz], in, add);
+
+        cmac->bufferSz += add;
+        in += add;
+        inSz -= add;
+
+        if (cmac->bufferSz == AES_BLOCK_SIZE && inSz != 0) {
+            if (cmac->totalSz != 0)
+                xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
+            wc_AesEncryptDirect(&cmac->aes,
+                                cmac->digest,
+                                cmac->buffer);
+            cmac->totalSz += AES_BLOCK_SIZE;
+            cmac->bufferSz = 0;
+        }
+    }
+
+    return 0;
+}
+
+
+int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
+{
+    const byte* subKey;
+
+    if (cmac == NULL || out == NULL || outSz == NULL)
+        return BAD_FUNC_ARG;
+
+    if (*outSz < WC_CMAC_TAG_MIN_SZ || *outSz > WC_CMAC_TAG_MAX_SZ)
+        return BUFFER_E;
+
+    if (cmac->bufferSz == AES_BLOCK_SIZE) {
+        subKey = cmac->k1;
+    }
+    else {
+        word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz;
+
+        if (remainder == 0)
+            remainder = AES_BLOCK_SIZE;
+
+        if (remainder > 1)
+            XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder);
+        cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80;
+        subKey = cmac->k2;
+    }
+    xorbuf(cmac->buffer, cmac->digest, AES_BLOCK_SIZE);
+    xorbuf(cmac->buffer, subKey, AES_BLOCK_SIZE);
+    wc_AesEncryptDirect(&cmac->aes, cmac->digest, cmac->buffer);
+
+    XMEMCPY(out, cmac->digest, *outSz);
+
+    ForceZero(cmac, sizeof(Cmac));
+
+    return 0;
+}
+
+
+int wc_AesCmacGenerate(byte* out, word32* outSz,
+                       const byte* in, word32 inSz,
+                       const byte* key, word32 keySz)
+{
+    Cmac cmac;
+    int ret;
+
+    if (out == NULL || (in == NULL && inSz > 0) || key == NULL || keySz == 0)
+        return BAD_FUNC_ARG;
+
+    ret = wc_InitCmac(&cmac, key, keySz, WC_CMAC_AES, NULL);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_CmacUpdate(&cmac, in, inSz);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_CmacFinal(&cmac, out, outSz);
+    if (ret != 0)
+        return ret;
+
+    return 0;
+}
+
+
+int wc_AesCmacVerify(const byte* check, word32 checkSz,
+                     const byte* in, word32 inSz,
+                     const byte* key, word32 keySz)
+{
+    byte a[AES_BLOCK_SIZE];
+    word32 aSz = sizeof(a);
+    int result;
+    int compareRet;
+
+    if (check == NULL || checkSz == 0 || (in == NULL && inSz != 0) ||
+        key == NULL || keySz == 0)
+
+        return BAD_FUNC_ARG;
+
+    XMEMSET(a, 0, aSz);
+    result = wc_AesCmacGenerate(a, &aSz, in, inSz, key, keySz);
+    compareRet = ConstantCompare(check, a, min(checkSz, aSz));
+
+    if (result == 0)
+        result = compareRet ? 1 : 0;
+
+    return result;
+}
+
+
+#endif /* WOLFSSL_CMAC && NO_AES && WOLFSSL_AES_DIRECT */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/coding.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/coding.c
index 6ead79caf..f6c814e01 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/coding.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/coding.c
@@ -1,8 +1,8 @@
 /* coding.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -35,10 +36,14 @@
 enum {
     BAD         = 0xFF,  /* invalid encoding */
     PAD         = '=',
-    PEM_LINE_SZ = 64
+    PEM_LINE_SZ = 64,
+    BASE64_MIN  = 0x2B,
+    BASE16_MIN  = 0x30,
 };
 
 
+#ifdef WOLFSSL_BASE64_DECODE
+
 static
 const byte base64Decode[] = { 62, BAD, BAD, BAD, 63,   /* + starts at 0x2B */
                               52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
@@ -52,27 +57,81 @@ const byte base64Decode[] = { 62, BAD, BAD, BAD, 63,   /* + starts at 0x2B */
                               46, 47, 48, 49, 50, 51
                             };
 
+static WC_INLINE int Base64_SkipNewline(const byte* in, word32 *inLen, word32 *outJ)
+{
+    word32 len = *inLen;
+    word32 j = *outJ;
+    if (len && (in[j] == ' ' || in[j] == '\r' || in[j] == '\n')) {
+        byte endLine = in[j++];
+        len--;
+        while (len && endLine == ' ') {   /* allow trailing whitespace */
+            endLine = in[j++];
+            len--;
+        }
+        if (endLine == '\r') {
+            if (len) {
+                endLine = in[j++];
+                len--;
+            }
+        }
+        if (endLine != '\n') {
+            WOLFSSL_MSG("Bad end of line in Base64 Decode");
+            return ASN_INPUT_E;
+        }
+    }
+    if (!len) {
+        return BUFFER_E;
+    }
+    *inLen = len;
+    *outJ = j;
+    return 0;
+}
 
 int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
 {
     word32 i = 0;
     word32 j = 0;
     word32 plainSz = inLen - ((inLen + (PEM_LINE_SZ - 1)) / PEM_LINE_SZ );
-    const byte maxIdx = (byte)sizeof(base64Decode) + 0x2B - 1;
+    int ret;
+    const byte maxIdx = (byte)sizeof(base64Decode) + BASE64_MIN - 1;
 
     plainSz = (plainSz * 3 + 3) / 4;
     if (plainSz > *outLen) return BAD_FUNC_ARG;
 
     while (inLen > 3) {
-        byte b1, b2, b3;
-        byte e1 = in[j++];
-        byte e2 = in[j++];
-        byte e3 = in[j++];
-        byte e4 = in[j++];
-
         int pad3 = 0;
         int pad4 = 0;
 
+        byte b1, b2, b3;
+        byte e1, e2, e3, e4;
+        if ((ret = Base64_SkipNewline(in, &inLen, &j)) != 0) {
+            if (ret == BUFFER_E) {
+                /* Running out of buffer here is not an error */
+                break;
+            }
+            return ret;
+        }
+        e1 = in[j++];
+        if (e1 == '\0') {
+            break;
+        }
+        inLen--;
+        if ((ret = Base64_SkipNewline(in, &inLen, &j)) != 0) {
+            return ret;
+        }
+        e2 = in[j++];
+        inLen--;
+        if ((ret = Base64_SkipNewline(in, &inLen, &j)) != 0) {
+            return ret;
+        }
+        e3 = in[j++];
+        inLen--;
+        if ((ret = Base64_SkipNewline(in, &inLen, &j)) != 0) {
+            return ret;
+        }
+        e4 = in[j++];
+        inLen--;
+
         if (e1 == 0)            /* end file 0's */
             break;
         if (e3 == PAD)
@@ -80,7 +139,7 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
         if (e4 == PAD)
             pad4 = 1;
 
-        if (e1 < 0x2B || e2 < 0x2B || e3 < 0x2B || e4 < 0x2B) {
+        if (e1 < BASE64_MIN || e2 < BASE64_MIN || e3 < BASE64_MIN || e4 < BASE64_MIN) {
             WOLFSSL_MSG("Bad Base64 Decode data, too small");
             return ASN_INPUT_E;
         }
@@ -90,10 +149,15 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
             return ASN_INPUT_E;
         }
 
-        e1 = base64Decode[e1 - 0x2B];
-        e2 = base64Decode[e2 - 0x2B];
-        e3 = (e3 == PAD) ? 0 : base64Decode[e3 - 0x2B];
-        e4 = (e4 == PAD) ? 0 : base64Decode[e4 - 0x2B];
+        if (i + 1 + !pad3 + !pad4 > *outLen) {
+            WOLFSSL_MSG("Bad Base64 Decode out buffer, too small");
+            return BAD_FUNC_ARG;
+        }
+
+        e1 = base64Decode[e1 - BASE64_MIN];
+        e2 = base64Decode[e2 - BASE64_MIN];
+        e3 = (e3 == PAD) ? 0 : base64Decode[e3 - BASE64_MIN];
+        e4 = (e4 == PAD) ? 0 : base64Decode[e4 - BASE64_MIN];
 
         b1 = (byte)((e1 << 2) | (e2 >> 4));
         b2 = (byte)(((e2 & 0xF) << 4) | (e3 >> 2));
@@ -106,32 +170,17 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
             out[i++] = b3;
         else
             break;
-
-        inLen -= 4;
-        if (inLen && (in[j] == ' ' || in[j] == '\r' || in[j] == '\n')) {
-            byte endLine = in[j++];
-            inLen--;
-            while (inLen && endLine == ' ') {   /* allow trailing whitespace */
-                endLine = in[j++];
-                inLen--;
-            }
-            if (endLine == '\r') {
-                if (inLen) {
-                    endLine = in[j++];
-                    inLen--;
-                }
-            }
-            if (endLine != '\n') {
-                WOLFSSL_MSG("Bad end of line in Base64 Decode");
-                return ASN_INPUT_E;
-            }
-        }
     }
+/* If the output buffer has a room for an extra byte, add a null terminator */
+    if (out && *outLen > i)
+        out[i]= '\0';
+
     *outLen = i;
 
     return 0;
 }
 
+#endif /* WOLFSSL_BASE64_DECODE */
 
 #if defined(WOLFSSL_BASE64_ENCODE)
 
@@ -150,7 +199,7 @@ const byte base64Encode[] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
 /* make sure *i (idx) won't exceed max, store and possibly escape to out,
  * raw means use e w/o decode,  0 on success */
 static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max,
-                  int raw)
+                  int raw, int getSzOnly)
 {
     int    doEscape = 0;
     word32 needed = 1;
@@ -166,8 +215,8 @@ static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max,
     else
         basic = base64Encode[e];
 
-    /* check whether to escape */
-    if (escaped) {
+    /* check whether to escape. Only escape for EncodeEsc */
+    if (escaped == WC_ESC_NL_ENC) {
         switch ((char)basic) {
             case '+' :
                 plus     = 1;
@@ -191,31 +240,37 @@ static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max,
     }
 
     /* check size */
-    if ( (idx+needed) > max) {
+    if ( (idx+needed) > max && !getSzOnly) {
         WOLFSSL_MSG("Escape buffer max too small");
         return BUFFER_E;
     }
 
     /* store it */
     if (doEscape == 0) {
-        out[idx++] = basic;
+        if(getSzOnly)
+            idx++;
+        else
+            out[idx++] = basic;
     }
     else {
-        out[idx++] = '%';  /* start escape */
-
-        if (plus) {
-            out[idx++] = '2';
-            out[idx++] = 'B';
-        }
-        else if (equals) {
-            out[idx++] = '3';
-            out[idx++] = 'D';
-        }
-        else if (newline) {
-            out[idx++] = '0';
-            out[idx++] = 'A';
+        if(getSzOnly)
+            idx+=3;
+        else {
+            out[idx++] = '%';  /* start escape */
+
+            if (plus) {
+                out[idx++] = '2';
+                out[idx++] = 'B';
+            }
+            else if (equals) {
+                out[idx++] = '3';
+                out[idx++] = 'D';
+            }
+            else if (newline) {
+                out[idx++] = '0';
+                out[idx++] = 'A';
+            }
         }
-
     }
     *i = idx;
 
@@ -223,7 +278,8 @@ static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max,
 }
 
 
-/* internal worker, handles both escaped and normal line endings */
+/* internal worker, handles both escaped and normal line endings.
+   If out buffer is NULL, will return sz needed in outLen */
 static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
                            word32* outLen, int escaped)
 {
@@ -232,18 +288,23 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
            j = 0,
            n = 0;   /* new line counter */
 
+    int    getSzOnly = (out == NULL);
+
     word32 outSz = (inLen + 3 - 1) / 3 * 4;
     word32 addSz = (outSz + PEM_LINE_SZ - 1) / PEM_LINE_SZ;  /* new lines */
 
-    if (escaped)
+    if (escaped == WC_ESC_NL_ENC)
         addSz *= 3;   /* instead of just \n, we're doing %0A triplet */
+    else if (escaped == WC_NO_NL_ENC)
+        addSz = 0;    /* encode without \n */
 
     outSz += addSz;
 
     /* if escaped we can't predetermine size for one pass encoding, but
-     * make sure we have enough if no escapes are in input */
-    if (outSz > *outLen) return BAD_FUNC_ARG;
-    
+     * make sure we have enough if no escapes are in input
+     * Also need to ensure outLen valid before dereference */
+    if (!outLen || (outSz > *outLen && !getSzOnly)) return BAD_FUNC_ARG;
+
     while (inLen > 2) {
         byte b1 = in[j++];
         byte b2 = in[j++];
@@ -256,19 +317,20 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
         byte e4 = b3 & 0x3F;
 
         /* store */
-        ret = CEscape(escaped, e1, out, &i, *outLen, 0);
+        ret = CEscape(escaped, e1, out, &i, *outLen, 0, getSzOnly);
         if (ret != 0) break;
-        ret = CEscape(escaped, e2, out, &i, *outLen, 0);
+        ret = CEscape(escaped, e2, out, &i, *outLen, 0, getSzOnly);
         if (ret != 0) break;
-        ret = CEscape(escaped, e3, out, &i, *outLen, 0);
+        ret = CEscape(escaped, e3, out, &i, *outLen, 0, getSzOnly);
         if (ret != 0) break;
-        ret = CEscape(escaped, e4, out, &i, *outLen, 0);
+        ret = CEscape(escaped, e4, out, &i, *outLen, 0, getSzOnly);
         if (ret != 0) break;
 
         inLen -= 3;
 
-        if ((++n % (PEM_LINE_SZ / 4)) == 0 && inLen) {
-            ret = CEscape(escaped, '\n', out, &i, *outLen, 1);
+        /* Insert newline after PEM_LINE_SZ, unless no \n requested */
+        if (escaped != WC_NO_NL_ENC && (++n % (PEM_LINE_SZ/4)) == 0 && inLen) {
+            ret = CEscape(escaped, '\n', out, &i, *outLen, 1, getSzOnly);
             if (ret != 0) break;
         }
     }
@@ -284,50 +346,61 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
         byte e2 = (byte)(((b1 & 0x3) << 4) | (b2 >> 4));
         byte e3 = (byte)((b2 & 0xF) << 2);
 
-        ret = CEscape(escaped, e1, out, &i, *outLen, 0);
-        if (ret == 0) 
-            ret = CEscape(escaped, e2, out, &i, *outLen, 0);
+        ret = CEscape(escaped, e1, out, &i, *outLen, 0, getSzOnly);
+        if (ret == 0)
+            ret = CEscape(escaped, e2, out, &i, *outLen, 0, getSzOnly);
         if (ret == 0) {
             /* third */
             if (twoBytes)
-                ret = CEscape(escaped, e3, out, &i, *outLen, 0);
-            else 
-                ret = CEscape(escaped, '=', out, &i, *outLen, 1);
+                ret = CEscape(escaped, e3, out, &i, *outLen, 0, getSzOnly);
+            else
+                ret = CEscape(escaped, '=', out, &i, *outLen, 1, getSzOnly);
         }
         /* fourth always pad */
         if (ret == 0)
-            ret = CEscape(escaped, '=', out, &i, *outLen, 1);
-    } 
+            ret = CEscape(escaped, '=', out, &i, *outLen, 1, getSzOnly);
+    }
 
-    if (ret == 0) 
-        ret = CEscape(escaped, '\n', out, &i, *outLen, 1);
+    if (ret == 0 && escaped != WC_NO_NL_ENC)
+        ret = CEscape(escaped, '\n', out, &i, *outLen, 1, getSzOnly);
 
-    if (i != outSz && escaped == 0 && ret == 0)
-        return ASN_INPUT_E; 
+    if (i != outSz && escaped != 1 && ret == 0)
+        return ASN_INPUT_E;
+/* If the output buffer has a room for an extra byte, add a null terminator */
+    if (out && *outLen > i)
+        out[i]= '\0';
 
     *outLen = i;
-    return ret; 
+
+    if (ret == 0)
+        return getSzOnly ? LENGTH_ONLY_E : 0;
+
+    return ret;
 }
 
 
 /* Base64 Encode, PEM style, with \n line endings */
 int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
 {
-    return DoBase64_Encode(in, inLen, out, outLen, 0);
+    return DoBase64_Encode(in, inLen, out, outLen, WC_STD_ENC);
 }
 
 
-/* Base64 Encode, with %0A esacped line endings instead of \n */
+/* Base64 Encode, with %0A escaped line endings instead of \n */
 int Base64_EncodeEsc(const byte* in, word32 inLen, byte* out, word32* outLen)
 {
-    return DoBase64_Encode(in, inLen, out, outLen, 1);
+    return DoBase64_Encode(in, inLen, out, outLen, WC_ESC_NL_ENC);
 }
 
+int Base64_Encode_NoNl(const byte* in, word32 inLen, byte* out, word32* outLen)
+{
+    return DoBase64_Encode(in, inLen, out, outLen, WC_NO_NL_ENC);
+}
 
-#endif  /* defined(WOLFSSL_BASE64_ENCODE) */
+#endif /* WOLFSSL_BASE64_ENCODE */
 
 
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(HAVE_FIPS)
+#ifdef WOLFSSL_BASE16
 
 static
 const byte hexDecode[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
@@ -345,8 +418,11 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
     word32 inIdx  = 0;
     word32 outIdx = 0;
 
+    if (in == NULL || out == NULL || outLen == NULL)
+        return BAD_FUNC_ARG;
+
     if (inLen == 1 && *outLen && in) {
-        byte b = in[inIdx++] - 0x30;  /* 0 starts at 0x30 */
+        byte b = in[inIdx++] - BASE16_MIN;  /* 0 starts at 0x30 */
 
         /* sanity check */
         if (b >=  sizeof(hexDecode)/sizeof(hexDecode[0]))
@@ -356,7 +432,7 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
 
         if (b == BAD)
             return ASN_INPUT_E;
-        
+
         out[outIdx++] = b;
 
         *outLen = outIdx;
@@ -370,8 +446,8 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
         return BAD_FUNC_ARG;
 
     while (inLen) {
-        byte b  = in[inIdx++] - 0x30;  /* 0 starts at 0x30 */
-        byte b2 = in[inIdx++] - 0x30;
+        byte b  = in[inIdx++] - BASE16_MIN;  /* 0 starts at 0x30 */
+        byte b2 = in[inIdx++] - BASE16_MIN;
 
         /* sanity checks */
         if (b >=  sizeof(hexDecode)/sizeof(hexDecode[0]))
@@ -384,7 +460,7 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
 
         if (b == BAD || b2 == BAD)
             return ASN_INPUT_E;
-        
+
         out[outIdx++] = (byte)((b << 4) | b2);
         inLen -= 2;
     }
@@ -393,7 +469,43 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
     return 0;
 }
 
+int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
+{
+    word32 outIdx = 0;
+    word32 i;
+    byte   hb, lb;
+
+    if (in == NULL || out == NULL || outLen == NULL)
+        return BAD_FUNC_ARG;
+
+    if (*outLen < (2 * inLen + 1))
+        return BAD_FUNC_ARG;
+
+    for (i = 0; i < inLen; i++) {
+        hb = in[i] >> 4;
+        lb = in[i] & 0x0f;
+
+        /* ASCII value */
+        hb += '0';
+        if (hb > '9')
+            hb += 7;
+
+        /* ASCII value */
+        lb += '0';
+        if (lb>'9')
+            lb += 7;
+
+        out[outIdx++] = hb;
+        out[outIdx++] = lb;
+    }
+
+    /* force 0 at this end */
+    out[outIdx++] = 0;
+
+    *outLen = outIdx;
+    return 0;
+}
 
-#endif /* (OPENSSL_EXTRA) || (HAVE_WEBSERVER) || (HAVE_FIPS) */
+#endif /* WOLFSSL_BASE16 */
 
-#endif /* NO_CODING */
+#endif /* !NO_CODING */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/compress.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/compress.c
index a01c071dc..28d04f02d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/compress.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/compress.c
@@ -1,9 +1,9 @@
 /* compress.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
- wc_*
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -35,6 +36,7 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -65,23 +67,24 @@ static void myFree(void* opaque, void* memory)
 #endif
 
 
-int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 flags)
 /*
  * out - pointer to destination buffer
  * outSz - size of destination buffer
  * in - pointer to source buffer to compress
  * inSz - size of source to compress
- * flags - flags to control how compress operates 
+ * flags - flags to control how compress operates
  *
  * return:
  *    negative - error code
  *    positive - bytes stored in out buffer
- * 
+ *
  * Note, the output buffer still needs to be larger than the input buffer.
  * The right chunk of data won't compress at all, and the lookup table will
  * add to the size of the output. The libz code says the compressed
  * buffer should be srcSz + 0.1% + 12.
  */
+int wc_Compress_ex(byte* out, word32 outSz, const byte* in, word32 inSz,
+    word32 flags, word32 windowBits)
 {
     z_stream stream;
     int result = 0;
@@ -101,7 +104,8 @@ int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 fla
     stream.opaque = (voidpf)0;
 
     if (deflateInit2(&stream, Z_DEFAULT_COMPRESSION, Z_DEFLATED,
-                     DEFLATE_DEFAULT_WINDOWBITS, DEFLATE_DEFAULT_MEMLEVEL,
+                     DEFLATE_DEFAULT_WINDOWBITS | windowBits,
+                     DEFLATE_DEFAULT_MEMLEVEL,
                      flags ? Z_FIXED : Z_DEFAULT_STRATEGY) != Z_OK)
         return COMPRESS_INIT_E;
 
@@ -118,19 +122,37 @@ int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 fla
     return result;
 }
 
+int wc_Compress(byte* out, word32 outSz, const byte* in, word32 inSz, word32 flags)
+{
+    return wc_Compress_ex(out, outSz, in, inSz, flags, 0);
+}
 
-int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
+
+/* windowBits:
+* deflateInit() and inflateInit(), as well as deflateInit2() and inflateInit2()
+    with windowBits in 0..15 all process zlib-wrapped deflate data.
+    (See RFC 1950 and RFC 1951.)
+* deflateInit2() and inflateInit2() with negative windowBits in -1..-15 process
+    raw deflate data with no header or trailer.
+* deflateInit2() and inflateInit2() with windowBits in 16..31, i.e. 16
+    added to 0..15, process gzip-wrapped deflate data (RFC 1952).
+* inflateInit2() with windowBits in 32..47 (32 added to 0..15) will
+    automatically detect either a gzip or zlib header (but not raw deflate
+    data), and decompress accordingly.
+*/
+int wc_DeCompress_ex(byte* out, word32 outSz, const byte* in, word32 inSz,
+    int windowBits)
 /*
  * out - pointer to destination buffer
  * outSz - size of destination buffer
  * in - pointer to source buffer to compress
  * inSz - size of source to compress
- * flags - flags to control how compress operates 
+ * windowBits - flags to control how decompress operates
  *
  * return:
  *    negative - error code
  *    positive - bytes stored in out buffer
- */ 
+ */
 {
     z_stream stream;
     int result = 0;
@@ -148,14 +170,15 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
     stream.zfree = (free_func)myFree;
     stream.opaque = (voidpf)0;
 
-    if (inflateInit2(&stream, DEFLATE_DEFAULT_WINDOWBITS) != Z_OK)
+    if (inflateInit2(&stream, DEFLATE_DEFAULT_WINDOWBITS | windowBits) != Z_OK)
         return DECOMPRESS_INIT_E;
 
-    if (inflate(&stream, Z_FINISH) != Z_STREAM_END) {
+    result = inflate(&stream, Z_FINISH);
+    if (result != Z_STREAM_END) {
         inflateEnd(&stream);
         return DECOMPRESS_E;
     }
-    
+
     result = (int)stream.total_out;
 
     if (inflateEnd(&stream) != Z_OK)
@@ -165,5 +188,11 @@ int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
 }
 
 
+int wc_DeCompress(byte* out, word32 outSz, const byte* in, word32 inSz)
+{
+    return wc_DeCompress_ex(out, outSz, in, inSz, 0);
+}
+
+
 #endif /* HAVE_LIBZ */
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cpuid.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cpuid.c
new file mode 100644
index 000000000..85c4bf2d6
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cpuid.c
@@ -0,0 +1,110 @@
+/* cpuid.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#include <wolfssl/wolfcrypt/cpuid.h>
+
+#if (defined(WOLFSSL_X86_64_BUILD) || defined(USE_INTEL_SPEEDUP) || \
+     defined(WOLFSSL_AESNI)) && !defined(WOLFSSL_NO_ASM)
+    /* Each platform needs to query info type 1 from cpuid to see if aesni is
+     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
+     */
+
+    #ifndef _MSC_VER
+        #define cpuid(reg, leaf, sub)\
+            __asm__ __volatile__ ("cpuid":\
+                "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
+                "a" (leaf), "c"(sub));
+
+        #define XASM_LINK(f) asm(f)
+    #else
+        #include <intrin.h>
+
+        #define cpuid(a,b,c) __cpuidex((int*)a,b,c)
+
+        #define XASM_LINK(f)
+    #endif /* _MSC_VER */
+
+    #define EAX 0
+    #define EBX 1
+    #define ECX 2
+    #define EDX 3
+
+    static word32 cpuid_check = 0;
+    static word32 cpuid_flags = 0;
+
+    static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit)
+    {
+        int got_intel_cpu = 0;
+        int got_amd_cpu = 0;
+        unsigned int reg[5];
+        reg[4] = '\0';
+        cpuid(reg, 0, 0);
+
+        /* check for Intel cpu */
+        if (XMEMCMP((char *)&(reg[EBX]), "Genu", 4) == 0 &&
+            XMEMCMP((char *)&(reg[EDX]), "ineI", 4) == 0 &&
+            XMEMCMP((char *)&(reg[ECX]), "ntel", 4) == 0) {
+            got_intel_cpu = 1;
+        }
+
+        /* check for AMD cpu */
+        if (XMEMCMP((char *)&(reg[EBX]), "Auth", 4) == 0 &&
+            XMEMCMP((char *)&(reg[EDX]), "enti", 4) == 0 &&
+            XMEMCMP((char *)&(reg[ECX]), "cAMD", 4) == 0) {
+            got_amd_cpu = 1;
+        }
+
+        if (got_intel_cpu || got_amd_cpu) {
+            cpuid(reg, leaf, sub);
+            return ((reg[num] >> bit) & 0x1);
+        }
+        return 0;
+    }
+
+
+    void cpuid_set_flags(void)
+    {
+        if (!cpuid_check) {
+            if (cpuid_flag(1, 0, ECX, 28)) { cpuid_flags |= CPUID_AVX1  ; }
+            if (cpuid_flag(7, 0, EBX,  5)) { cpuid_flags |= CPUID_AVX2  ; }
+            if (cpuid_flag(7, 0, EBX,  8)) { cpuid_flags |= CPUID_BMI2  ; }
+            if (cpuid_flag(1, 0, ECX, 30)) { cpuid_flags |= CPUID_RDRAND; }
+            if (cpuid_flag(7, 0, EBX, 18)) { cpuid_flags |= CPUID_RDSEED; }
+            if (cpuid_flag(1, 0, ECX, 25)) { cpuid_flags |= CPUID_AESNI ; }
+            if (cpuid_flag(7, 0, EBX, 19)) { cpuid_flags |= CPUID_ADX   ; }
+            cpuid_check = 1;
+        }
+    }
+
+    word32 cpuid_get_flags(void)
+    {
+        if (!cpuid_check)
+            cpuid_set_flags();
+        return cpuid_flags;
+    }
+#endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cryptocb.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cryptocb.c
new file mode 100644
index 000000000..79f89dbb1
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/cryptocb.c
@@ -0,0 +1,648 @@
+/* cryptocb.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* This framework provides a central place for crypto hardware integration
+   using the devId scheme. If not supported return `CRYPTOCB_UNAVAILABLE`. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef WOLF_CRYPTO_CB
+
+#include <wolfssl/wolfcrypt/cryptocb.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+
+/* TODO: Consider linked list with mutex */
+#ifndef MAX_CRYPTO_DEVID_CALLBACKS
+#define MAX_CRYPTO_DEVID_CALLBACKS 8
+#endif
+
+typedef struct CryptoCb {
+    int devId;
+    CryptoDevCallbackFunc cb;
+    void* ctx;
+} CryptoCb;
+static WOLFSSL_GLOBAL CryptoCb gCryptoDev[MAX_CRYPTO_DEVID_CALLBACKS];
+
+static CryptoCb* wc_CryptoCb_FindDevice(int devId)
+{
+    int i;
+    for (i=0; i<MAX_CRYPTO_DEVID_CALLBACKS; i++) {
+        if (gCryptoDev[i].devId == devId)
+            return &gCryptoDev[i];
+    }
+    return NULL;
+}
+static CryptoCb* wc_CryptoCb_FindDeviceByIndex(int startIdx)
+{
+    int i;
+    for (i=startIdx; i<MAX_CRYPTO_DEVID_CALLBACKS; i++) {
+        if (gCryptoDev[i].devId != INVALID_DEVID)
+            return &gCryptoDev[i];
+    }
+    return NULL;
+}
+
+static WC_INLINE int wc_CryptoCb_TranslateErrorCode(int ret)
+{
+    if (ret == NOT_COMPILED_IN) {
+        /* backwards compatibility for older NOT_COMPILED_IN syntax */
+        ret = CRYPTOCB_UNAVAILABLE;
+    }
+    return ret;
+}
+
+void wc_CryptoCb_Init(void)
+{
+    int i;
+    for (i=0; i<MAX_CRYPTO_DEVID_CALLBACKS; i++) {
+        gCryptoDev[i].devId = INVALID_DEVID;
+    }
+}
+
+int wc_CryptoCb_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx)
+{
+    /* find existing or new */
+    CryptoCb* dev = wc_CryptoCb_FindDevice(devId);
+    if (dev == NULL)
+        dev = wc_CryptoCb_FindDevice(INVALID_DEVID);
+
+    if (dev == NULL)
+        return BUFFER_E; /* out of devices */
+
+    dev->devId = devId;
+    dev->cb = cb;
+    dev->ctx = ctx;
+
+    return 0;
+}
+
+void wc_CryptoCb_UnRegisterDevice(int devId)
+{
+    CryptoCb* dev = wc_CryptoCb_FindDevice(devId);
+    if (dev) {
+        XMEMSET(dev, 0, sizeof(*dev));
+        dev->devId = INVALID_DEVID;
+    }
+}
+
+#ifndef NO_RSA
+int wc_CryptoCb_Rsa(const byte* in, word32 inLen, byte* out,
+    word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_RSA;
+        cryptoInfo.pk.rsa.in = in;
+        cryptoInfo.pk.rsa.inLen = inLen;
+        cryptoInfo.pk.rsa.out = out;
+        cryptoInfo.pk.rsa.outLen = outLen;
+        cryptoInfo.pk.rsa.type = type;
+        cryptoInfo.pk.rsa.key = key;
+        cryptoInfo.pk.rsa.rng = rng;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+#ifdef WOLFSSL_KEY_GEN
+int wc_CryptoCb_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_RSA_KEYGEN;
+        cryptoInfo.pk.rsakg.key = key;
+        cryptoInfo.pk.rsakg.size = size;
+        cryptoInfo.pk.rsakg.e = e;
+        cryptoInfo.pk.rsakg.rng = rng;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif
+#endif /* !NO_RSA */
+
+#ifdef HAVE_ECC
+int wc_CryptoCb_MakeEccKey(WC_RNG* rng, int keySize, ecc_key* key, int curveId)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_EC_KEYGEN;
+        cryptoInfo.pk.eckg.rng = rng;
+        cryptoInfo.pk.eckg.size = keySize;
+        cryptoInfo.pk.eckg.key = key;
+        cryptoInfo.pk.eckg.curveId = curveId;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_Ecdh(ecc_key* private_key, ecc_key* public_key,
+    byte* out, word32* outlen)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (private_key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(private_key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_ECDH;
+        cryptoInfo.pk.ecdh.private_key = private_key;
+        cryptoInfo.pk.ecdh.public_key = public_key;
+        cryptoInfo.pk.ecdh.out = out;
+        cryptoInfo.pk.ecdh.outlen = outlen;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_EccSign(const byte* in, word32 inlen, byte* out,
+    word32 *outlen, WC_RNG* rng, ecc_key* key)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_ECDSA_SIGN;
+        cryptoInfo.pk.eccsign.in = in;
+        cryptoInfo.pk.eccsign.inlen = inlen;
+        cryptoInfo.pk.eccsign.out = out;
+        cryptoInfo.pk.eccsign.outlen = outlen;
+        cryptoInfo.pk.eccsign.rng = rng;
+        cryptoInfo.pk.eccsign.key = key;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_EccVerify(const byte* sig, word32 siglen,
+    const byte* hash, word32 hashlen, int* res, ecc_key* key)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (key == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(key->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_PK;
+        cryptoInfo.pk.type = WC_PK_TYPE_ECDSA_VERIFY;
+        cryptoInfo.pk.eccverify.sig = sig;
+        cryptoInfo.pk.eccverify.siglen = siglen;
+        cryptoInfo.pk.eccverify.hash = hash;
+        cryptoInfo.pk.eccverify.hashlen = hashlen;
+        cryptoInfo.pk.eccverify.res = res;
+        cryptoInfo.pk.eccverify.key = key;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* HAVE_ECC */
+
+#ifndef NO_AES
+#ifdef HAVE_AESGCM
+int wc_CryptoCb_AesGcmEncrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz,
+                               const byte* iv, word32 ivSz,
+                               byte* authTag, word32 authTagSz,
+                               const byte* authIn, word32 authInSz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (aes) {
+        dev = wc_CryptoCb_FindDevice(aes->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_AES_GCM;
+        cryptoInfo.cipher.enc = 1;
+        cryptoInfo.cipher.aesgcm_enc.aes       = aes;
+        cryptoInfo.cipher.aesgcm_enc.out       = out;
+        cryptoInfo.cipher.aesgcm_enc.in        = in;
+        cryptoInfo.cipher.aesgcm_enc.sz        = sz;
+        cryptoInfo.cipher.aesgcm_enc.iv        = iv;
+        cryptoInfo.cipher.aesgcm_enc.ivSz      = ivSz;
+        cryptoInfo.cipher.aesgcm_enc.authTag   = authTag;
+        cryptoInfo.cipher.aesgcm_enc.authTagSz = authTagSz;
+        cryptoInfo.cipher.aesgcm_enc.authIn    = authIn;
+        cryptoInfo.cipher.aesgcm_enc.authInSz  = authInSz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_AesGcmDecrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz,
+                               const byte* iv, word32 ivSz,
+                               const byte* authTag, word32 authTagSz,
+                               const byte* authIn, word32 authInSz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (aes) {
+        dev = wc_CryptoCb_FindDevice(aes->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_AES_GCM;
+        cryptoInfo.cipher.enc = 0;
+        cryptoInfo.cipher.aesgcm_dec.aes       = aes;
+        cryptoInfo.cipher.aesgcm_dec.out       = out;
+        cryptoInfo.cipher.aesgcm_dec.in        = in;
+        cryptoInfo.cipher.aesgcm_dec.sz        = sz;
+        cryptoInfo.cipher.aesgcm_dec.iv        = iv;
+        cryptoInfo.cipher.aesgcm_dec.ivSz      = ivSz;
+        cryptoInfo.cipher.aesgcm_dec.authTag   = authTag;
+        cryptoInfo.cipher.aesgcm_dec.authTagSz = authTagSz;
+        cryptoInfo.cipher.aesgcm_dec.authIn    = authIn;
+        cryptoInfo.cipher.aesgcm_dec.authInSz  = authInSz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* HAVE_AESGCM */
+
+#ifdef HAVE_AES_CBC
+int wc_CryptoCb_AesCbcEncrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (aes) {
+        dev = wc_CryptoCb_FindDevice(aes->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_AES_CBC;
+        cryptoInfo.cipher.enc = 1;
+        cryptoInfo.cipher.aescbc.aes = aes;
+        cryptoInfo.cipher.aescbc.out = out;
+        cryptoInfo.cipher.aescbc.in = in;
+        cryptoInfo.cipher.aescbc.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_AesCbcDecrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (aes) {
+        dev = wc_CryptoCb_FindDevice(aes->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_AES_CBC;
+        cryptoInfo.cipher.enc = 0;
+        cryptoInfo.cipher.aescbc.aes = aes;
+        cryptoInfo.cipher.aescbc.out = out;
+        cryptoInfo.cipher.aescbc.in = in;
+        cryptoInfo.cipher.aescbc.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* HAVE_AES_CBC */
+#endif /* !NO_AES */
+
+#ifndef NO_DES3
+int wc_CryptoCb_Des3Encrypt(Des3* des3, byte* out,
+                               const byte* in, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (des3) {
+        dev = wc_CryptoCb_FindDevice(des3->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_DES3;
+        cryptoInfo.cipher.enc = 1;
+        cryptoInfo.cipher.des3.des = des3;
+        cryptoInfo.cipher.des3.out = out;
+        cryptoInfo.cipher.des3.in = in;
+        cryptoInfo.cipher.des3.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_Des3Decrypt(Des3* des3, byte* out,
+                               const byte* in, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (des3) {
+        dev = wc_CryptoCb_FindDevice(des3->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+        cryptoInfo.cipher.type = WC_CIPHER_DES3;
+        cryptoInfo.cipher.enc = 0;
+        cryptoInfo.cipher.des3.des = des3;
+        cryptoInfo.cipher.des3.out = out;
+        cryptoInfo.cipher.des3.in = in;
+        cryptoInfo.cipher.des3.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* !NO_DES3 */
+
+#ifndef NO_SHA
+int wc_CryptoCb_ShaHash(wc_Sha* sha, const byte* in,
+    word32 inSz, byte* digest)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (sha) {
+        dev = wc_CryptoCb_FindDevice(sha->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_HASH;
+        cryptoInfo.hash.type = WC_HASH_TYPE_SHA;
+        cryptoInfo.hash.sha1 = sha;
+        cryptoInfo.hash.in = in;
+        cryptoInfo.hash.inSz = inSz;
+        cryptoInfo.hash.digest = digest;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* !NO_SHA */
+
+#ifndef NO_SHA256
+int wc_CryptoCb_Sha256Hash(wc_Sha256* sha256, const byte* in,
+    word32 inSz, byte* digest)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (sha256) {
+        dev = wc_CryptoCb_FindDevice(sha256->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_HASH;
+        cryptoInfo.hash.type = WC_HASH_TYPE_SHA256;
+        cryptoInfo.hash.sha256 = sha256;
+        cryptoInfo.hash.in = in;
+        cryptoInfo.hash.inSz = inSz;
+        cryptoInfo.hash.digest = digest;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* !NO_SHA256 */
+
+#ifndef NO_HMAC
+int wc_CryptoCb_Hmac(Hmac* hmac, int macType, const byte* in, word32 inSz,
+    byte* digest)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    if (hmac == NULL)
+        return ret;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(hmac->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_HMAC;
+        cryptoInfo.hmac.macType = macType;
+        cryptoInfo.hmac.in = in;
+        cryptoInfo.hmac.inSz = inSz;
+        cryptoInfo.hmac.digest = digest;
+        cryptoInfo.hmac.hmac = hmac;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* !NO_HMAC */
+
+#ifndef WC_NO_RNG
+int wc_CryptoCb_RandomBlock(WC_RNG* rng, byte* out, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    if (rng) {
+        dev = wc_CryptoCb_FindDevice(rng->devId);
+    }
+    else {
+        /* locate first callback and try using it */
+        dev = wc_CryptoCb_FindDeviceByIndex(0);
+    }
+
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_RNG;
+        cryptoInfo.rng.rng = rng;
+        cryptoInfo.rng.out = out;
+        cryptoInfo.rng.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+
+int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz)
+{
+    int ret = CRYPTOCB_UNAVAILABLE;
+    CryptoCb* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoCb_FindDevice(os->devId);
+    if (dev && dev->cb) {
+        wc_CryptoInfo cryptoInfo;
+        XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+        cryptoInfo.algo_type = WC_ALGO_TYPE_SEED;
+        cryptoInfo.seed.os = os;
+        cryptoInfo.seed.seed = seed;
+        cryptoInfo.seed.sz = sz;
+
+        ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx);
+    }
+
+    return wc_CryptoCb_TranslateErrorCode(ret);
+}
+#endif /* !WC_NO_RNG */
+
+#endif /* WOLF_CRYPTO_CB */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve25519.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve25519.c
index b745a046c..39e1216a0 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve25519.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve25519.c
@@ -1,8 +1,8 @@
 /* curve25519.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
  /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
 
 
@@ -35,202 +36,449 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#if defined(FREESCALE_LTC_ECC)
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
+
 const curve25519_set_type curve25519_sets[] = {
-{
-        32,
+    {
+        CURVE25519_KEYSIZE,
         "CURVE25519",
-}
+    }
 };
 
+int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
+{
+#ifdef FREESCALE_LTC_ECC
+    const ECPoint* basepoint = wc_curve25519_GetBasePoint();
+#else
+    unsigned char basepoint[CURVE25519_KEYSIZE] = {9};
+#endif
+    int  ret;
+
+    if (key == NULL || rng == NULL)
+        return BAD_FUNC_ARG;
 
+    /* currently only a key size of 32 bytes is used */
+    if (keysize != CURVE25519_KEYSIZE)
+        return ECC_BAD_ARG_E;
 
-int wc_curve25519_make_key(RNG* rng, int keysize, curve25519_key* key)
-{
-  unsigned char basepoint[CURVE25519_KEYSIZE] = {9};
-  unsigned char n[CURVE25519_KEYSIZE];
-  unsigned char p[CURVE25519_KEYSIZE];
-  int  i;
-  int  ret;
-
-  if (key == NULL || rng == NULL)
-      return ECC_BAD_ARG_E;
-
-  /* currently only a key size of 32 bytes is used */
-  if (keysize != CURVE25519_KEYSIZE)
-      return ECC_BAD_ARG_E;
-
-  /* get random number from RNG */
-  ret = wc_RNG_GenerateBlock(rng, n, keysize);
-  if (ret != 0)
-      return ret;
-
-  for (i = 0; i < keysize; ++i) key->k.point[i] = n[i];
-  key->k.point[ 0] &= 248;
-  key->k.point[31] &= 127;
-  key->k.point[31] |= 64;
-
-  /* compute public key */
-  ret = curve25519(p, key->k.point, basepoint);
-
-  /* store keys in big endian format */
-  for (i = 0; i < keysize; ++i) n[i] = key->k.point[i];
-  for (i = 0; i < keysize; ++i) {
-      key->p.point[keysize - i - 1] = p[i];
-      key->k.point[keysize - i - 1] = n[i];
-  }
-
-  ForceZero(n, keysize);
-  ForceZero(p, keysize);
-
-  return ret;
+#ifndef FREESCALE_LTC_ECC
+    fe_init();
+#endif
+
+    /* random number for private key */
+    ret = wc_RNG_GenerateBlock(rng, key->k.point, keysize);
+    if (ret != 0)
+        return ret;
+
+    /* Clamp the private key */
+    key->k.point[0] &= 248;
+    key->k.point[CURVE25519_KEYSIZE-1] &= 63; /* same &=127 because |=64 after */
+    key->k.point[CURVE25519_KEYSIZE-1] |= 64;
+
+    /* compute public key */
+    #ifdef FREESCALE_LTC_ECC
+        ret = wc_curve25519(&key->p, key->k.point, basepoint, kLTC_Weierstrass); /* input basepoint on Weierstrass curve */
+    #else
+        ret = curve25519(key->p.point, key->k.point, basepoint);
+    #endif
+    if (ret != 0) {
+        ForceZero(key->k.point, keysize);
+        ForceZero(key->p.point, keysize);
+        return ret;
+    }
+
+    return ret;
 }
 
+#ifdef HAVE_CURVE25519_SHARED_SECRET
 
 int wc_curve25519_shared_secret(curve25519_key* private_key,
                                 curve25519_key* public_key,
                                 byte* out, word32* outlen)
 {
-    unsigned char k[CURVE25519_KEYSIZE];
-    unsigned char p[CURVE25519_KEYSIZE];
-    unsigned char o[CURVE25519_KEYSIZE];
+    return wc_curve25519_shared_secret_ex(private_key, public_key,
+                                          out, outlen, EC25519_BIG_ENDIAN);
+}
+
+int wc_curve25519_shared_secret_ex(curve25519_key* private_key,
+                                   curve25519_key* public_key,
+                                   byte* out, word32* outlen, int endian)
+{
+    #ifdef FREESCALE_LTC_ECC
+        ECPoint o = {{0}};
+    #else
+        unsigned char o[CURVE25519_KEYSIZE];
+    #endif
     int ret = 0;
-    int i;
 
     /* sanity check */
-    if (private_key == NULL || public_key == NULL || out == NULL ||
-            outlen == NULL)
+    if (private_key == NULL || public_key == NULL ||
+        out == NULL || outlen == NULL || *outlen < CURVE25519_KEYSIZE)
         return BAD_FUNC_ARG;
 
     /* avoid implementation fingerprinting */
-    if (public_key->p.point[0] > 0x7F)
+    if (public_key->p.point[CURVE25519_KEYSIZE-1] > 0x7F)
         return ECC_BAD_ARG_E;
 
-    XMEMSET(p,   0, sizeof(p));
-    XMEMSET(k,   0, sizeof(k));
-    XMEMSET(out, 0, CURVE25519_KEYSIZE);
+    #ifdef FREESCALE_LTC_ECC
+        ret = wc_curve25519(&o, private_key->k.point, &public_key->p, kLTC_Curve25519 /* input point P on Curve25519 */);
+    #else
+        ret = curve25519(o, private_key->k.point, public_key->p.point);
+    #endif
+    if (ret != 0) {
+        #ifdef FREESCALE_LTC_ECC
+            ForceZero(o.point, CURVE25519_KEYSIZE);
+            ForceZero(o.pointY, CURVE25519_KEYSIZE);
+        #else
+            ForceZero(o, CURVE25519_KEYSIZE);
+        #endif
+        return ret;
+    }
 
-    for (i = 0; i < CURVE25519_KEYSIZE; ++i) {
-        p[i] = public_key->p.point [CURVE25519_KEYSIZE - i - 1];
-        k[i] = private_key->k.point[CURVE25519_KEYSIZE - i - 1];
+    if (endian == EC25519_BIG_ENDIAN) {
+        int i;
+        /* put shared secret key in Big Endian format */
+        for (i = 0; i < CURVE25519_KEYSIZE; i++)
+            #ifdef FREESCALE_LTC_ECC
+                out[i] = o.point[CURVE25519_KEYSIZE - i -1];
+            #else
+                out[i] = o[CURVE25519_KEYSIZE - i -1];
+            #endif
     }
+    else /* put shared secret key in Little Endian format */
+        #ifdef FREESCALE_LTC_ECC
+            XMEMCPY(out, o.point, CURVE25519_KEYSIZE);
+        #else
+            XMEMCPY(out, o, CURVE25519_KEYSIZE);
+        #endif
 
-    ret     = curve25519(o , k, p);
     *outlen = CURVE25519_KEYSIZE;
 
-    for (i = 0; i < CURVE25519_KEYSIZE; ++i) {
-        out[i] = o[CURVE25519_KEYSIZE - i -1];
-    }
-
-    ForceZero(p, sizeof(p));
-    ForceZero(k, sizeof(k));
-    ForceZero(o, sizeof(o));
+    #ifdef FREESCALE_LTC_ECC
+        ForceZero(o.point, CURVE25519_KEYSIZE);
+        ForceZero(o.pointY, CURVE25519_KEYSIZE);
+    #else
+        ForceZero(o, CURVE25519_KEYSIZE);
+    #endif
 
     return ret;
 }
 
+#endif /* HAVE_CURVE25519_SHARED_SECRET */
+
+#ifdef HAVE_CURVE25519_KEY_EXPORT
 
-/* curve25519 uses a serialized string for key representation */
+/* export curve25519 public key (Big endian)
+ * return 0 on success */
 int wc_curve25519_export_public(curve25519_key* key, byte* out, word32* outLen)
 {
-    word32 keySz;
+    return wc_curve25519_export_public_ex(key, out, outLen, EC25519_BIG_ENDIAN);
+}
 
+/* export curve25519 public key (Big or Little endian)
+ * return 0 on success */
+int wc_curve25519_export_public_ex(curve25519_key* key, byte* out,
+                                   word32* outLen, int endian)
+{
     if (key == NULL || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
 
-    /* check size of outgoing key */
-    keySz  = wc_curve25519_size(key);
+    /* check and set outgoing key size */
+    if (*outLen < CURVE25519_KEYSIZE) {
+        *outLen = CURVE25519_KEYSIZE;
+        return ECC_BAD_ARG_E;
+    }
+    *outLen = CURVE25519_KEYSIZE;
 
-    /* copy in public key */
-    XMEMCPY(out, key->p.point, keySz);
-    *outLen = keySz;
+    if (endian == EC25519_BIG_ENDIAN) {
+        int i;
+
+        /* read keys in Big Endian format */
+        for (i = 0; i < CURVE25519_KEYSIZE; i++)
+            out[i] = key->p.point[CURVE25519_KEYSIZE - i - 1];
+    }
+    else
+        XMEMCPY(out, key->p.point, CURVE25519_KEYSIZE);
 
     return 0;
 }
 
-/* import curve25519 public key
-   return 0 on success */
+#endif /* HAVE_CURVE25519_KEY_EXPORT */
+
+#ifdef HAVE_CURVE25519_KEY_IMPORT
+
+/* import curve25519 public key (Big endian)
+ *  return 0 on success */
 int wc_curve25519_import_public(const byte* in, word32 inLen,
                                 curve25519_key* key)
 {
-    word32 keySz;
+    return wc_curve25519_import_public_ex(in, inLen, key, EC25519_BIG_ENDIAN);
+}
 
+/* import curve25519 public key (Big or Little endian)
+ * return 0 on success */
+int wc_curve25519_import_public_ex(const byte* in, word32 inLen,
+                                curve25519_key* key, int endian)
+{
     /* sanity check */
     if (key == NULL || in == NULL)
-        return ECC_BAD_ARG_E;
+        return BAD_FUNC_ARG;
 
     /* check size of incoming keys */
-    keySz = wc_curve25519_size(key);
-    if (inLen != keySz)
+    if (inLen != CURVE25519_KEYSIZE)
        return ECC_BAD_ARG_E;
 
-    XMEMCPY(key->p.point, in, inLen);
+    if (endian == EC25519_BIG_ENDIAN) {
+        int i;
+
+        /* read keys in Big Endian format */
+        for (i = 0; i < CURVE25519_KEYSIZE; i++)
+            key->p.point[i] = in[CURVE25519_KEYSIZE - i - 1];
+    }
+    else
+        XMEMCPY(key->p.point, in, inLen);
 
     key->dp = &curve25519_sets[0];
 
+    /* LTC needs also Y coordinate - let's compute it */
+    #ifdef FREESCALE_LTC_ECC
+        ltc_pkha_ecc_point_t ltcPoint;
+        ltcPoint.X = &key->p.point[0];
+        ltcPoint.Y = &key->p.pointY[0];
+        LTC_PKHA_Curve25519ComputeY(&ltcPoint);
+    #endif
+
     return 0;
 }
 
+/* Check the public key value (big or little endian)
+ *
+ * pub     Public key bytes.
+ * pubSz   Size of public key in bytes.
+ * endian  Public key bytes passed in as big-endian or little-endian.
+ * returns BAD_FUNC_ARGS when pub is NULL,
+ *         BUFFER_E when size of public key is zero;
+ *         ECC_OUT_OF_RANGE_E if the high bit is set;
+ *         ECC_BAD_ARG_E if key length is not 32 bytes, public key value is
+ *         zero or one; and
+ *         0 otherwise.
+ */
+int wc_curve25519_check_public(const byte* pub, word32 pubSz, int endian)
+{
+    word32 i;
+
+    if (pub == NULL)
+        return BAD_FUNC_ARG;
+
+    /* Check for empty key data */
+    if (pubSz == 0)
+        return BUFFER_E;
 
-/* export curve25519 private key only raw, outLen is in/out size
-   return 0 on success */
+    /* Check key length */
+    if (pubSz != CURVE25519_KEYSIZE)
+        return ECC_BAD_ARG_E;
+
+
+    if (endian == EC25519_LITTLE_ENDIAN) {
+        /* Check for value of zero or one */
+        for (i = pubSz - 1; i > 0; i--) {
+            if (pub[i] != 0)
+                break;
+        }
+        if (i == 0 && (pub[0] == 0 || pub[0] == 1))
+            return ECC_BAD_ARG_E;
+
+        /* Check high bit set */
+        if (pub[CURVE25519_KEYSIZE-1] & 0x80)
+            return ECC_OUT_OF_RANGE_E;
+    }
+    else {
+        /* Check for value of zero or one */
+        for (i = 0; i < pubSz-1; i++) {
+            if (pub[i] != 0)
+                break;
+        }
+        if (i == pubSz - 1 && (pub[i] == 0 || pub[i] == 1))
+            return ECC_BAD_ARG_E;
+
+        /* Check high bit set */
+        if (pub[0] & 0x80)
+            return ECC_OUT_OF_RANGE_E;
+    }
+
+    return 0;
+}
+
+#endif /* HAVE_CURVE25519_KEY_IMPORT */
+
+
+#ifdef HAVE_CURVE25519_KEY_EXPORT
+
+/* export curve25519 private key only raw (Big endian)
+ * outLen is in/out size
+ * return 0 on success */
 int wc_curve25519_export_private_raw(curve25519_key* key, byte* out,
                                      word32* outLen)
 {
-    word32 keySz;
+    return wc_curve25519_export_private_raw_ex(key, out, outLen,
+                                               EC25519_BIG_ENDIAN);
+}
 
+/* export curve25519 private key only raw (Big or Little endian)
+ * outLen is in/out size
+ * return 0 on success */
+int wc_curve25519_export_private_raw_ex(curve25519_key* key, byte* out,
+                                        word32* outLen, int endian)
+{
     /* sanity check */
     if (key == NULL || out == NULL || outLen == NULL)
+        return BAD_FUNC_ARG;
+
+    /* check size of outgoing buffer */
+    if (*outLen < CURVE25519_KEYSIZE) {
+        *outLen = CURVE25519_KEYSIZE;
         return ECC_BAD_ARG_E;
+    }
+    *outLen = CURVE25519_KEYSIZE;
+
+    if (endian == EC25519_BIG_ENDIAN) {
+        int i;
 
-    keySz = wc_curve25519_size(key);
-    *outLen = keySz;
-    XMEMSET(out, 0, keySz);
-    XMEMCPY(out, key->k.point, keySz);
+        /* put the key in Big Endian format */
+        for (i = 0; i < CURVE25519_KEYSIZE; i++)
+            out[i] = key->k.point[CURVE25519_KEYSIZE - i - 1];
+    }
+    else
+        XMEMCPY(out, key->k.point, CURVE25519_KEYSIZE);
 
     return 0;
 }
 
+/* curve25519 key pair export (Big or Little endian)
+ * return 0 on success */
+int wc_curve25519_export_key_raw(curve25519_key* key,
+                                 byte* priv, word32 *privSz,
+                                 byte* pub, word32 *pubSz)
+{
+    return wc_curve25519_export_key_raw_ex(key, priv, privSz,
+                                           pub, pubSz, EC25519_BIG_ENDIAN);
+}
 
-/* curve25519 private key import.
-   Public key to match private key needs to be imported too */
+/* curve25519 key pair export (Big or Little endian)
+ * return 0 on success */
+int wc_curve25519_export_key_raw_ex(curve25519_key* key,
+                                    byte* priv, word32 *privSz,
+                                    byte* pub, word32 *pubSz,
+                                    int endian)
+{
+    int ret;
+
+    /* export private part */
+    ret = wc_curve25519_export_private_raw_ex(key, priv, privSz, endian);
+    if (ret != 0)
+        return ret;
+
+    /* export public part */
+    return wc_curve25519_export_public_ex(key, pub, pubSz, endian);
+}
+
+#endif /* HAVE_CURVE25519_KEY_EXPORT */
+
+#ifdef HAVE_CURVE25519_KEY_IMPORT
+
+/* curve25519 private key import (Big endian)
+ * Public key to match private key needs to be imported too
+ * return 0 on success */
 int wc_curve25519_import_private_raw(const byte* priv, word32 privSz,
-                             const byte* pub, word32 pubSz, curve25519_key* key)
+                                     const byte* pub, word32 pubSz,
+                                     curve25519_key* key)
 {
-    int ret = 0;
-    word32 keySz;
+    return wc_curve25519_import_private_raw_ex(priv, privSz, pub, pubSz,
+                                               key, EC25519_BIG_ENDIAN);
+}
 
+/* curve25519 private key import (Big or Little endian)
+ * Public key to match private key needs to be imported too
+ * return 0 on success */
+int wc_curve25519_import_private_raw_ex(const byte* priv, word32 privSz,
+                                        const byte* pub, word32 pubSz,
+                                        curve25519_key* key, int endian)
+{
+    int ret;
+
+    /* import private part */
+    ret = wc_curve25519_import_private_ex(priv, privSz, key, endian);
+    if (ret != 0)
+        return ret;
+
+    /* import public part */
+    return wc_curve25519_import_public_ex(pub, pubSz, key, endian);
+}
+
+/* curve25519 private key import only. (Big endian)
+ * return 0 on success */
+int wc_curve25519_import_private(const byte* priv, word32 privSz,
+                                 curve25519_key* key)
+{
+    return wc_curve25519_import_private_ex(priv, privSz,
+                                           key, EC25519_BIG_ENDIAN);
+}
+
+/* curve25519 private key import only. (Big or Little endian)
+ * return 0 on success */
+int wc_curve25519_import_private_ex(const byte* priv, word32 privSz,
+                                    curve25519_key* key, int endian)
+{
     /* sanity check */
-    if (key == NULL || priv == NULL || pub == NULL)
-        return ECC_BAD_ARG_E;
+    if (key == NULL || priv == NULL)
+        return BAD_FUNC_ARG;
 
     /* check size of incoming keys */
-    keySz = wc_curve25519_size(key);
-    if (privSz != keySz || pubSz != keySz)
-       return ECC_BAD_ARG_E;
+    if ((int)privSz != CURVE25519_KEYSIZE)
+        return ECC_BAD_ARG_E;
 
-    XMEMCPY(key->k.point, priv, privSz);
-    XMEMCPY(key->p.point, pub, pubSz);
+    if (endian == EC25519_BIG_ENDIAN) {
+        int i;
 
-    return ret;
+        /* read the key in Big Endian format */
+        for (i = 0; i < CURVE25519_KEYSIZE; i++)
+            key->k.point[i] = priv[CURVE25519_KEYSIZE - i - 1];
+    }
+    else
+        XMEMCPY(key->k.point, priv, CURVE25519_KEYSIZE);
+
+    key->dp = &curve25519_sets[0];
+
+    /* Clamp the key */
+    key->k.point[0] &= 248;
+    key->k.point[privSz-1] &= 63; /* same &=127 because |=64 after */
+    key->k.point[privSz-1] |= 64;
+
+    return 0;
 }
 
+#endif /* HAVE_CURVE25519_KEY_IMPORT */
+
 
 int wc_curve25519_init(curve25519_key* key)
 {
-    word32 keySz;
-
     if (key == NULL)
-       return ECC_BAD_ARG_E;
+       return BAD_FUNC_ARG;
+
+    XMEMSET(key, 0, sizeof(*key));
 
     /* currently the format for curve25519 */
     key->dp = &curve25519_sets[0];
-    keySz   = key->dp->size;
 
-    XMEMSET(key->k.point, 0, keySz);
-    XMEMSET(key->p.point, 0, keySz);
+#ifndef FREESCALE_LTC_ECC
+    fe_init();
+#endif
 
     return 0;
 }
@@ -245,13 +493,18 @@ void wc_curve25519_free(curve25519_key* key)
    key->dp = NULL;
    ForceZero(key->p.point, sizeof(key->p.point));
    ForceZero(key->k.point, sizeof(key->k.point));
+   #ifdef FREESCALE_LTC_ECC
+       ForceZero(key->p.point, sizeof(key->p.pointY));
+       ForceZero(key->k.point, sizeof(key->k.pointY));
+   #endif
 }
 
 
 /* get key size */
 int wc_curve25519_size(curve25519_key* key)
 {
-    if (key == NULL) return 0;
+    if (key == NULL)
+        return 0;
 
     return key->dp->size;
 }
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve448.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve448.c
new file mode 100644
index 000000000..135f2380e
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/curve448.c
@@ -0,0 +1,635 @@
+/* curve448.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implemented to: RFC 7748 */
+
+/* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work.
+ * Reworked for curve448 by Sean Parkinson.
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_CURVE448
+
+#include <wolfssl/wolfcrypt/curve448.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+
+/* Make a new curve448 private/public key.
+ *
+ * rng      [in]  Random number generator.
+ * keysize  [in]  Size of the key to generate.
+ * key      [in]  Curve448 key object.
+ * returns BAD_FUNC_ARG when rng or key are NULL,
+ *         ECC_BAD_ARG_E when keysize is not CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_make_key(WC_RNG* rng, int keysize, curve448_key* key)
+{
+    unsigned char basepoint[CURVE448_KEY_SIZE] = {5};
+    int  ret = 0;
+
+    if ((key == NULL) || (rng == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* currently only a key size of 56 bytes is used */
+    if ((ret == 0) && (keysize != CURVE448_KEY_SIZE)) {
+        ret = ECC_BAD_ARG_E;
+    }
+
+    if (ret == 0) {
+        fe448_init();
+
+        /* random number for private key */
+        ret = wc_RNG_GenerateBlock(rng, key->k, keysize);
+    }
+    if (ret == 0) {
+        /* Clamp the private key */
+        key->k[0] &= 0xfc;
+        key->k[CURVE448_KEY_SIZE-1] |= 0x80;
+
+        /* compute public key */
+        ret = curve448(key->p, key->k, basepoint);
+        if (ret != 0) {
+            ForceZero(key->k, keysize);
+            ForceZero(key->p, keysize);
+        }
+    }
+
+    return ret;
+}
+
+#ifdef HAVE_CURVE448_SHARED_SECRET
+
+/* Calculate the shared secret from the private key and peer's public key.
+ * Calculation over curve448.
+ * Secret encoded big-endian.
+ *
+ * private_key  [in]      Curve448 private key.
+ * public_key   [in]      Curve448 public key.
+ * out          [in]      Array to hold shared secret.
+ * outLen       [in/out]  On in, the number of bytes in array.
+ *                        On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL or outLen is less than
+ *         CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_shared_secret(curve448_key* private_key,
+                              curve448_key* public_key,
+                              byte* out, word32* outLen)
+{
+    return wc_curve448_shared_secret_ex(private_key, public_key, out, outLen,
+                                        EC448_BIG_ENDIAN);
+}
+
+/* Calculate the shared secret from the private key and peer's public key.
+ * Calculation over curve448.
+ *
+ * private_key  [in]      Curve448 private key.
+ * public_key   [in]      Curve448 public key.
+ * out          [in]      Array to hold shared secret.
+ * outLen       [in/out]  On in, the number of bytes in array.
+ *                        On out, the number bytes put into array.
+ * endian       [in]      Endianness to use when encoding number in array.
+ * returns BAD_FUNC_ARG when a parameter is NULL or outLen is less than
+ *         CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_shared_secret_ex(curve448_key* private_key,
+                                 curve448_key* public_key,
+                                 byte* out, word32* outLen, int endian)
+{
+    unsigned char o[CURVE448_PUB_KEY_SIZE];
+    int ret = 0;
+    int i;
+
+    /* sanity check */
+    if ((private_key == NULL) || (public_key == NULL) || (out == NULL) ||
+                        (outLen == NULL) || (*outLen < CURVE448_PUB_KEY_SIZE)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        ret = curve448(o, private_key->k, public_key->p);
+    }
+    if (ret == 0) {
+        if (endian == EC448_BIG_ENDIAN) {
+            /* put shared secret key in Big Endian format */
+            for (i = 0; i < CURVE448_PUB_KEY_SIZE; i++) {
+                 out[i] = o[CURVE448_PUB_KEY_SIZE - i -1];
+            }
+        }
+        else {
+            /* put shared secret key in Little Endian format */
+            XMEMCPY(out, o, CURVE448_PUB_KEY_SIZE);
+        }
+
+        *outLen = CURVE448_PUB_KEY_SIZE;
+    }
+
+    ForceZero(o, CURVE448_PUB_KEY_SIZE);
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448_SHARED_SECRET */
+
+#ifdef HAVE_CURVE448_KEY_EXPORT
+
+/* Export the curve448 public key.
+ * Public key encoded big-endian.
+ *
+ * key     [in]      Curve448 public key.
+ * out     [in]      Array to hold public key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_public(curve448_key* key, byte* out, word32* outLen)
+{
+    return wc_curve448_export_public_ex(key, out, outLen, EC448_BIG_ENDIAN);
+}
+
+/* Export the curve448 public key.
+ *
+ * key     [in]      Curve448 public key.
+ * out     [in]      Array to hold public key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * endian  [in]      Endianness to use when encoding number in array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_public_ex(curve448_key* key, byte* out, word32* outLen,
+                                 int endian)
+{
+    int ret = 0;
+    int i;
+
+    if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* check and set outgoing key size */
+    if ((ret == 0) && (*outLen < CURVE448_PUB_KEY_SIZE)) {
+        *outLen = CURVE448_PUB_KEY_SIZE;
+        ret = ECC_BAD_ARG_E;
+    }
+    if (ret == 0) {
+        *outLen = CURVE448_PUB_KEY_SIZE;
+
+        if (endian == EC448_BIG_ENDIAN) {
+            /* read keys in Big Endian format */
+            for (i = 0; i < CURVE448_PUB_KEY_SIZE; i++) {
+                out[i] = key->p[CURVE448_PUB_KEY_SIZE - i - 1];
+            }
+        }
+        else {
+            XMEMCPY(out, key->p, CURVE448_PUB_KEY_SIZE);
+        }
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448_KEY_EXPORT */
+
+#ifdef HAVE_CURVE448_KEY_IMPORT
+
+/* Import a curve448 public key from a byte array.
+ * Public key encoded in big-endian.
+ *
+ * in      [in]  Array holding public key.
+ * inLen   [in]  Number of bytes of data in array.
+ * key     [in]  Curve448 public key.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when inLen is less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_public(const byte* in, word32 inLen, curve448_key* key)
+{
+    return wc_curve448_import_public_ex(in, inLen, key, EC448_BIG_ENDIAN);
+}
+
+/* Import a curve448 public key from a byte array.
+ *
+ * in      [in]  Array holding public key.
+ * inLen   [in]  Number of bytes of data in array.
+ * key     [in]  Curve448 public key.
+ * endian  [in]  Endianness of encoded number in byte array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when inLen is less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_public_ex(const byte* in, word32 inLen,
+                                 curve448_key* key, int endian)
+{
+    int ret = 0;
+    int i;
+
+    /* sanity check */
+    if ((key == NULL) || (in == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* check size of incoming keys */
+    if ((ret == 0) && (inLen != CURVE448_PUB_KEY_SIZE)) {
+       ret = ECC_BAD_ARG_E;
+    }
+
+    if (ret == 0) {
+        if (endian == EC448_BIG_ENDIAN) {
+            /* read keys in Big Endian format */
+            for (i = 0; i < CURVE448_PUB_KEY_SIZE; i++) {
+                key->p[i] = in[CURVE448_PUB_KEY_SIZE - i - 1];
+            }
+        }
+        else
+            XMEMCPY(key->p, in, inLen);
+    }
+
+    return ret;
+}
+
+/* Check the public key value (big or little endian)
+ *
+ * pub     [in]  Public key bytes.
+ * pubSz   [in]  Size of public key in bytes.
+ * endian  [in]  Public key bytes passed in as big-endian or little-endian.
+ * returns BAD_FUNC_ARGS when pub is NULL,
+ *         ECC_BAD_ARG_E when key length is not 56 bytes, public key value is
+ *         zero or one;
+ *         BUFFER_E when size of public key is zero;
+ *         0 otherwise.
+ */
+int wc_curve448_check_public(const byte* pub, word32 pubSz, int endian)
+{
+    int ret = 0;
+    word32 i;
+
+    if (pub == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* Check for empty key data */
+    if ((ret == 0) && (pubSz == 0)) {
+        ret = BUFFER_E;
+    }
+
+    /* Check key length */
+    if ((ret == 0) && (pubSz != CURVE448_PUB_KEY_SIZE)) {
+        ret = ECC_BAD_ARG_E;
+    }
+
+    if (ret == 0) {
+        if (endian == EC448_LITTLE_ENDIAN) {
+            /* Check for value of zero or one */
+            for (i = pubSz - 1; i > 0; i--) {
+                if (pub[i] != 0) {
+                    break;
+                }
+            }
+            if ((i == 0) && (pub[0] == 0 || pub[0] == 1)) {
+                return ECC_BAD_ARG_E;
+            }
+        }
+        else {
+            /* Check for value of zero or one */
+            for (i = 0; i < pubSz-1; i++) {
+                if (pub[i] != 0) {
+                    break;
+                }
+            }
+            if ((i == pubSz - 1) && (pub[i] == 0 || pub[i] == 1)) {
+                ret = ECC_BAD_ARG_E;
+            }
+        }
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448_KEY_IMPORT */
+
+
+#ifdef HAVE_CURVE448_KEY_EXPORT
+
+/* Export the curve448 private key raw form.
+ * Private key encoded big-endian.
+ *
+ * key     [in]      Curve448 private key.
+ * out     [in]      Array to hold private key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_private_raw(curve448_key* key, byte* out, word32* outLen)
+{
+    return wc_curve448_export_private_raw_ex(key, out, outLen,
+                                             EC448_BIG_ENDIAN);
+}
+
+/* Export the curve448 private key raw form.
+ *
+ * key     [in]      Curve448 private key.
+ * out     [in]      Array to hold private key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * endian  [in]      Endianness to use when encoding number in array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_private_raw_ex(curve448_key* key, byte* out,
+                                      word32* outLen, int endian)
+{
+    int ret = 0;
+    int i;
+
+    /* sanity check */
+    if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* check size of outgoing buffer */
+    if ((ret == 0) && (*outLen < CURVE448_KEY_SIZE)) {
+        *outLen = CURVE448_KEY_SIZE;
+        ret = ECC_BAD_ARG_E;
+    }
+    if (ret == 0) {
+        *outLen = CURVE448_KEY_SIZE;
+
+        if (endian == EC448_BIG_ENDIAN) {
+            /* put the key in Big Endian format */
+            for (i = 0; i < CURVE448_KEY_SIZE; i++) {
+                out[i] = key->k[CURVE448_KEY_SIZE - i - 1];
+            }
+        }
+        else {
+            XMEMCPY(out, key->k, CURVE448_KEY_SIZE);
+        }
+    }
+
+    return ret;
+}
+
+/* Export the curve448 private and public keys in raw form.
+ * Private and public key encoded big-endian.
+ *
+ * key     [in]      Curve448 private key.
+ * priv    [in]      Array to hold private key.
+ * privSz  [in/out]  On in, the number of bytes in private key array.
+ *                   On out, the number bytes put into private key array.
+ * pub     [in]      Array to hold public key.
+ * pubSz   [in/out]  On in, the number of bytes in public key array.
+ *                   On out, the number bytes put into public key array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE or pubSz is
+ *         less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_key_raw(curve448_key* key, byte* priv, word32 *privSz,
+                               byte* pub, word32 *pubSz)
+{
+    return wc_curve448_export_key_raw_ex(key, priv, privSz, pub, pubSz,
+                                         EC448_BIG_ENDIAN);
+}
+
+/* Export the curve448 private and public keys in raw form.
+ *
+ * key     [in]      Curve448 private key.
+ * priv    [in]      Array to hold private key.
+ * privSz  [in/out]  On in, the number of bytes in private key array.
+ *                   On out, the number bytes put into private key array.
+ * pub     [in]      Array to hold public key.
+ * pubSz   [in/out]  On in, the number of bytes in public key array.
+ *                   On out, the number bytes put into public key array.
+ * endian  [in]      Endianness to use when encoding number in array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE or pubSz is
+ *         less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_export_key_raw_ex(curve448_key* key, byte* priv, word32 *privSz,
+                                  byte* pub, word32 *pubSz, int endian)
+{
+    int ret;
+
+    /* export private part */
+    ret = wc_curve448_export_private_raw_ex(key, priv, privSz, endian);
+    if (ret == 0) {
+        /* export public part */
+        ret = wc_curve448_export_public_ex(key, pub, pubSz, endian);
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448_KEY_EXPORT */
+
+#ifdef HAVE_CURVE448_KEY_IMPORT
+
+/* Import curve448 private and public keys from a byte arrays.
+ * Private and public keys encoded in big-endian.
+ *
+ * piv     [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in private key array.
+ * pub     [in]  Array holding public key.
+ * pubSz   [in]  Number of bytes of data in public key array.
+ * key     [in]  Curve448 private/public key.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE or pubSz is
+ *         less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_private_raw(const byte* priv, word32 privSz,
+                                   const byte* pub, word32 pubSz,
+                                   curve448_key* key)
+{
+    return wc_curve448_import_private_raw_ex(priv, privSz, pub, pubSz, key,
+                                             EC448_BIG_ENDIAN);
+}
+
+/* Import curve448 private and public keys from a byte arrays.
+ *
+ * piv     [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in private key array.
+ * pub     [in]  Array holding public key.
+ * pubSz   [in]  Number of bytes of data in public key array.
+ * key     [in]  Curve448 private/public key.
+ * endian  [in]  Endianness of encoded numbers in byte arrays.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE or pubSz is
+ *         less than CURVE448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_private_raw_ex(const byte* priv, word32 privSz,
+                                      const byte* pub, word32 pubSz,
+                                      curve448_key* key, int endian)
+{
+    int ret;
+
+    /* import private part */
+    ret = wc_curve448_import_private_ex(priv, privSz, key, endian);
+    if (ret == 0) {
+        /* import public part */
+        return wc_curve448_import_public_ex(pub, pubSz, key, endian);
+    }
+
+    return ret;
+}
+
+/* Import curve448 private key from a byte array.
+ * Private key encoded in big-endian.
+ *
+ * piv     [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in private key array.
+ * key     [in]  Curve448 private/public key.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_private(const byte* priv, word32 privSz,
+                               curve448_key* key)
+{
+    return wc_curve448_import_private_ex(priv, privSz, key, EC448_BIG_ENDIAN);
+}
+
+/* Import curve448 private key from a byte array.
+ *
+ * piv     [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in private key array.
+ * key     [in]  Curve448 private/public key.
+ * endian  [in]  Endianness of encoded number in byte array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when privSz is less than CURVE448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_curve448_import_private_ex(const byte* priv, word32 privSz,
+                                  curve448_key* key, int endian)
+{
+    int ret = 0;
+    int i;
+
+    /* sanity check */
+    if ((key == NULL) || (priv == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* check size of incoming keys */
+    if ((ret == 0) && ((int)privSz != CURVE448_KEY_SIZE)) {
+        ret = ECC_BAD_ARG_E;
+    }
+
+    if (ret == 0) {
+        if (endian == EC448_BIG_ENDIAN) {
+            /* read the key in Big Endian format */
+            for (i = 0; i < CURVE448_KEY_SIZE; i++) {
+                key->k[i] = priv[CURVE448_KEY_SIZE - i - 1];
+            }
+        }
+        else {
+            XMEMCPY(key->k, priv, CURVE448_KEY_SIZE);
+        }
+
+        /* Clamp the key */
+        key->k[0] &= 0xfc;
+        key->k[CURVE448_KEY_SIZE-1] |= 0x80;
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448_KEY_IMPORT */
+
+
+/* Initialize the curve448 key.
+ *
+ * key  [in]  Curve448 key object.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         0 otherwise.
+ */
+int wc_curve448_init(curve448_key* key)
+{
+    int ret = 0;
+
+    if (key == NULL) {
+       ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        XMEMSET(key, 0, sizeof(*key));
+
+        fe448_init();
+    }
+
+    return ret;
+}
+
+
+/* Clears the curve448 key data.
+ *
+ * key  [in]  Curve448 key object.
+ */
+void wc_curve448_free(curve448_key* key)
+{
+   if (key != NULL) {
+       ForceZero(key->p, sizeof(key->p));
+       ForceZero(key->k, sizeof(key->k));
+   }
+}
+
+
+/* Get the curve448 key's size.
+ *
+ * key  [in]  Curve448 key object.
+ * returns 0 if key is NULL,
+ *         CURVE448_KEY_SIZE otherwise.
+ */
+int wc_curve448_size(curve448_key* key)
+{
+    int ret = 0;
+
+    if (key != NULL) {
+        ret = CURVE448_KEY_SIZE;
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_CURVE448 */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/des3.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/des3.c
index f886ecdc7..b4b0187cd 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/des3.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/des3.c
@@ -1,8 +1,8 @@
 /* des3.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,160 +16,149 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
-
-#ifndef NO_DES3
-
-#include <wolfssl/wolfcrypt/des3.h>
-
-#ifdef HAVE_FIPS
-#ifdef HAVE_CAVIUM
-    static int wc_Des3_CaviumSetKey(Des3* des3, const byte* key, const byte* iv);
-    static int wc_Des3_CaviumCbcEncrypt(Des3* des3, byte* out, const byte* in,
-                                      word32 length);
-    static int wc_Des3_CaviumCbcDecrypt(Des3* des3, byte* out, const byte* in,
-                                      word32 length);
-#endif
-
-int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
-{
-    return Des_SetKey(des, key, iv, dir);
-}
-
-
-int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
-{
-    return Des3_SetKey_fips(des, key, iv, dir);
-}
-
-
-int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    return Des_CbcEncrypt(des, out, in, sz);
-}
-
-
-int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    return Des_CbcDecrypt(des, out, in, sz);
-}
-
-
-int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{
-    return Des3_CbcEncrypt_fips(des, out, in, sz);
-}
-
-
-int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{
-    return Des3_CbcDecrypt_fips(des, out, in, sz);
-}
-
-
-#ifdef WOLFSSL_DES_ECB
-
-/* One block, compatibility only */
-int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    return Des_EcbEncrypt(des, out, in, sz);
-}
-
-#endif /* WOLFSSL_DES_ECB */
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
 
 
-void wc_Des_SetIV(Des* des, const byte* iv)
-{
-    Des_SetIV(des, iv);
-}
+#ifndef NO_DES3
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 
-int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
-                                                const byte* key, const byte* iv)
-{
-    return Des_CbcDecryptWithKey(out, in, sz, key, iv);
-}
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
 
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$i")
+        #pragma const_seg(".fipsB$i")
+    #endif
+#endif
 
-int wc_Des3_SetIV(Des3* des, const byte* iv)
-{
-    return Des3_SetIV_fips(des, iv);
-}
+#include <wolfssl/wolfcrypt/des3.h>
 
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 
-int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
-                                                const byte* key, const byte* iv)
-{
-    return Des3_CbcDecryptWithKey(out, in, sz, key, iv);
-}
+/* fips wrapper calls, user can call direct */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
+    int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
+    {
+        return Des_SetKey(des, key, iv, dir);
+    }
+    int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
+    {
+        if (des == NULL || key == NULL || dir < 0) {
+            return BAD_FUNC_ARG;
+        }
 
-#ifdef HAVE_CAVIUM
+        return Des3_SetKey_fips(des, key, iv, dir);
+    }
+    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        return Des_CbcEncrypt(des, out, in, sz);
+    }
+    int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        return Des_CbcDecrypt(des, out, in, sz);
+    }
+    int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        if (des == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return Des3_CbcEncrypt_fips(des, out, in, sz);
+    }
+    int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        if (des == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return Des3_CbcDecrypt_fips(des, out, in, sz);
+    }
 
-/* Initiliaze Des3 for use with Nitrox device */
-int wc_Des3_InitCavium(Des3* des3, int devId)
-{
-    return Des3_InitCavium(des3, devId);
-}
+    #ifdef WOLFSSL_DES_ECB
+        /* One block, compatibility only */
+        int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+        {
+            return Des_EcbEncrypt(des, out, in, sz);
+        }
+        int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+        {
+            return Des3_EcbEncrypt(des, out, in, sz);
+        }
+    #endif /* WOLFSSL_DES_ECB */
 
+    void wc_Des_SetIV(Des* des, const byte* iv)
+    {
+        Des_SetIV(des, iv);
+    }
+    int wc_Des3_SetIV(Des3* des, const byte* iv)
+    {
+        return Des3_SetIV_fips(des, iv);
+    }
 
-/* Free Des3 from use with Nitrox device */
-void wc_Des3_FreeCavium(Des3* des3)
-{
-    Des3_FreeCavium(des3);
-}
+    int wc_Des3Init(Des3* des3, void* heap, int devId)
+    {
+        (void)des3;
+        (void)heap;
+        (void)devId;
+        /* FIPS doesn't support:
+            return Des3Init(des3, heap, devId); */
+        return 0;
+    }
+    void wc_Des3Free(Des3* des3)
+    {
+        (void)des3;
+        /* FIPS doesn't support:
+            Des3Free(des3); */
+    }
 
+#else /* else build without fips, or for FIPS v2 */
 
-#endif /* HAVE_CAVIUM */
-#else /* build without fips */
 
 #if defined(WOLFSSL_TI_CRYPT)
     #include <wolfcrypt/src/port/ti/ti-des3.c>
 #else
 
-#include <wolfssl/wolfcrypt/error-crypt.h>
-#include <wolfssl/wolfcrypt/logging.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
 
-#ifdef HAVE_CAVIUM
-    static int wc_Des3_CaviumSetKey(Des3* des3, const byte* key, const byte* iv);
-    static int wc_Des3_CaviumCbcEncrypt(Des3* des3, byte* out, const byte* in,
-                                      word32 length);
-    static int wc_Des3_CaviumCbcDecrypt(Des3* des3, byte* out, const byte* in,
-                                      word32 length);
-#endif
-
+/* Hardware Acceleration */
+#if defined(STM32_CRYPTO)
 
-
-
-#ifdef STM32F2_CRYPTO
     /*
-     * STM32F2 hardware DES/3DES support through the STM32F2 standard
-     * peripheral library. Documentation located in STM32F2xx Standard
-     * Peripheral Library document (See note in README).
+     * STM32F2/F4 hardware DES/3DES support through the standard
+     * peripheral library. (See note in README).
      */
-    #include "stm32f2xx.h"
-		#include "stm32f2xx_cryp.h"
 
     int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
     {
         word32 *dkey = des->key;
 
+        (void)dir;
+
         XMEMCPY(dkey, key, 8);
+    #ifndef WOLFSSL_STM32_CUBEMX
         ByteReverseWords(dkey, dkey, 8);
+    #endif
 
         wc_Des_SetIV(des, iv);
 
@@ -178,29 +167,95 @@ void wc_Des3_FreeCavium(Des3* des3)
 
     int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
     {
-        word32 *dkey1 = des->key[0];
-        word32 *dkey2 = des->key[1];
-        word32 *dkey3 = des->key[2];
+        if (des == NULL || key == NULL)
+            return BAD_FUNC_ARG;
 
-        XMEMCPY(dkey1, key, 8);         /* set key 1 */
-        XMEMCPY(dkey2, key + 8, 8);     /* set key 2 */
-        XMEMCPY(dkey3, key + 16, 8);    /* set key 3 */
+        (void)dir;
+
+    #ifndef WOLFSSL_STM32_CUBEMX
+        {
+            word32 *dkey1 = des->key[0];
+            word32 *dkey2 = des->key[1];
+            word32 *dkey3 = des->key[2];
 
-        ByteReverseWords(dkey1, dkey1, 8);
-        ByteReverseWords(dkey2, dkey2, 8);
-        ByteReverseWords(dkey3, dkey3, 8);
+            XMEMCPY(dkey1, key, 8);         /* set key 1 */
+            XMEMCPY(dkey2, key + 8, 8);     /* set key 2 */
+            XMEMCPY(dkey3, key + 16, 8);    /* set key 3 */
+
+            ByteReverseWords(dkey1, dkey1, 8);
+            ByteReverseWords(dkey2, dkey2, 8);
+            ByteReverseWords(dkey3, dkey3, 8);
+        }
+    #else
+        XMEMCPY(des->key[0], key, DES3_KEYLEN); /* CUBEMX wants keys in sequential memory */
+    #endif
 
         return wc_Des3_SetIV(des, iv);
     }
 
-    void DesCrypt(Des* des, byte* out, const byte* in, word32 sz,
+    static void DesCrypt(Des* des, byte* out, const byte* in, word32 sz,
                   int dir, int mode)
     {
+        int ret;
+    #ifdef WOLFSSL_STM32_CUBEMX
+        CRYP_HandleTypeDef hcryp;
+    #else
         word32 *dkey, *iv;
         CRYP_InitTypeDef DES_CRYP_InitStructure;
         CRYP_KeyInitTypeDef DES_CRYP_KeyInitStructure;
         CRYP_IVInitTypeDef DES_CRYP_IVInitStructure;
+    #endif
 
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return;
+        }
+
+    #ifdef WOLFSSL_STM32_CUBEMX
+        XMEMSET(&hcryp, 0, sizeof(CRYP_HandleTypeDef));
+        hcryp.Instance = CRYP;
+        hcryp.Init.KeySize  = CRYP_KEYSIZE_128B;
+        hcryp.Init.DataType = CRYP_DATATYPE_8B;
+        hcryp.Init.pKey = (uint8_t*)des->key;
+        hcryp.Init.pInitVect = (uint8_t*)des->reg;
+
+        HAL_CRYP_Init(&hcryp);
+
+        while (sz > 0) {
+            /* if input and output same will overwrite input iv */
+            XMEMCPY(des->tmp, in + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
+
+            if (mode == DES_CBC) {
+                if (dir == DES_ENCRYPTION) {
+                    HAL_CRYP_DESCBC_Encrypt(&hcryp, (uint8_t*)in,
+                                    DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
+                else {
+                    HAL_CRYP_DESCBC_Decrypt(&hcryp, (uint8_t*)in,
+                                    DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
+            }
+            else {
+                if (dir == DES_ENCRYPTION) {
+                    HAL_CRYP_DESECB_Encrypt(&hcryp, (uint8_t*)in,
+                                    DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
+                else {
+                    HAL_CRYP_DESECB_Decrypt(&hcryp, (uint8_t*)in,
+                                    DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
+            }
+
+            /* store iv for next call */
+            XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
+
+            sz  -= DES_BLOCK_SIZE;
+            in  += DES_BLOCK_SIZE;
+            out += DES_BLOCK_SIZE;
+        }
+
+        HAL_CRYP_DeInit(&hcryp);
+    #else
         dkey = des->key;
         iv = des->reg;
 
@@ -242,8 +297,7 @@ void wc_Des3_FreeCavium(Des3* des3)
         /* enable crypto processor */
         CRYP_Cmd(ENABLE);
 
-        while (sz > 0)
-        {
+        while (sz > 0) {
             /* flush IN/OUT FIFOs */
             CRYP_FIFOFlush();
 
@@ -269,6 +323,8 @@ void wc_Des3_FreeCavium(Des3* des3)
 
         /* disable crypto processor */
         CRYP_Cmd(DISABLE);
+    #endif /* WOLFSSL_STM32_CUBEMX */
+        wolfSSL_CryptHwMutexUnLock();
     }
 
     int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
@@ -289,81 +345,121 @@ void wc_Des3_FreeCavium(Des3* des3)
         return 0;
     }
 
-    void Des3Crypt(Des3* des, byte* out, const byte* in, word32 sz,
+    static void Des3Crypt(Des3* des, byte* out, const byte* in, word32 sz,
                    int dir)
     {
-        word32 *dkey1, *dkey2, *dkey3, *iv;
-        CRYP_InitTypeDef DES3_CRYP_InitStructure;
-        CRYP_KeyInitTypeDef DES3_CRYP_KeyInitStructure;
-        CRYP_IVInitTypeDef DES3_CRYP_IVInitStructure;
-
-        dkey1 = des->key[0];
-        dkey2 = des->key[1];
-        dkey3 = des->key[2];
-        iv = des->reg;
+        if (des == NULL || out == NULL || in == NULL)
+            return BAD_FUNC_ARG;
 
-        /* crypto structure initialization */
-        CRYP_KeyStructInit(&DES3_CRYP_KeyInitStructure);
-        CRYP_StructInit(&DES3_CRYP_InitStructure);
-        CRYP_IVStructInit(&DES3_CRYP_IVInitStructure);
+    #ifdef WOLFSSL_STM32_CUBEMX
+        {
+            CRYP_HandleTypeDef hcryp;
+
+            XMEMSET(&hcryp, 0, sizeof(CRYP_HandleTypeDef));
+            hcryp.Instance = CRYP;
+            hcryp.Init.KeySize  = CRYP_KEYSIZE_128B;
+            hcryp.Init.DataType = CRYP_DATATYPE_8B;
+            hcryp.Init.pKey = (uint8_t*)des->key;
+            hcryp.Init.pInitVect = (uint8_t*)des->reg;
+
+            HAL_CRYP_Init(&hcryp);
+
+            while (sz > 0)
+            {
+                if (dir == DES_ENCRYPTION) {
+                    HAL_CRYP_TDESCBC_Encrypt(&hcryp, (byte*)in,
+                                       DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
+                else {
+                    HAL_CRYP_TDESCBC_Decrypt(&hcryp, (byte*)in,
+                                       DES_BLOCK_SIZE, out, STM32_HAL_TIMEOUT);
+                }
 
-        /* reset registers to their default values */
-        CRYP_DeInit();
+                /* store iv for next call */
+                XMEMCPY(des->reg, out + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
 
-        /* set direction, mode, and datatype */
-        if (dir == DES_ENCRYPTION) {
-            DES3_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
-        } else {
-            DES3_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
-        }
+                sz  -= DES_BLOCK_SIZE;
+                in  += DES_BLOCK_SIZE;
+                out += DES_BLOCK_SIZE;
+            }
 
-        DES3_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_TDES_CBC;
-        DES3_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
-        CRYP_Init(&DES3_CRYP_InitStructure);
+            HAL_CRYP_DeInit(&hcryp);
+        }
+    #else
+        {
+            word32 *dkey1, *dkey2, *dkey3, *iv;
+            CRYP_InitTypeDef DES3_CRYP_InitStructure;
+            CRYP_KeyInitTypeDef DES3_CRYP_KeyInitStructure;
+            CRYP_IVInitTypeDef DES3_CRYP_IVInitStructure;
+
+            dkey1 = des->key[0];
+            dkey2 = des->key[1];
+            dkey3 = des->key[2];
+            iv = des->reg;
+
+            /* crypto structure initialization */
+            CRYP_KeyStructInit(&DES3_CRYP_KeyInitStructure);
+            CRYP_StructInit(&DES3_CRYP_InitStructure);
+            CRYP_IVStructInit(&DES3_CRYP_IVInitStructure);
+
+            /* reset registers to their default values */
+            CRYP_DeInit();
+
+            /* set direction, mode, and datatype */
+            if (dir == DES_ENCRYPTION) {
+                DES3_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
+            } else {
+                DES3_CRYP_InitStructure.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
+            }
 
-        /* load key into correct registers */
-        DES3_CRYP_KeyInitStructure.CRYP_Key1Left  = dkey1[0];
-        DES3_CRYP_KeyInitStructure.CRYP_Key1Right = dkey1[1];
-        DES3_CRYP_KeyInitStructure.CRYP_Key2Left  = dkey2[0];
-        DES3_CRYP_KeyInitStructure.CRYP_Key2Right = dkey2[1];
-        DES3_CRYP_KeyInitStructure.CRYP_Key3Left  = dkey3[0];
-        DES3_CRYP_KeyInitStructure.CRYP_Key3Right = dkey3[1];
-        CRYP_KeyInit(&DES3_CRYP_KeyInitStructure);
+            DES3_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_TDES_CBC;
+            DES3_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
+            CRYP_Init(&DES3_CRYP_InitStructure);
 
-        /* set iv */
-        ByteReverseWords(iv, iv, DES_BLOCK_SIZE);
-        DES3_CRYP_IVInitStructure.CRYP_IV0Left  = iv[0];
-        DES3_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
-        CRYP_IVInit(&DES3_CRYP_IVInitStructure);
+            /* load key into correct registers */
+            DES3_CRYP_KeyInitStructure.CRYP_Key1Left  = dkey1[0];
+            DES3_CRYP_KeyInitStructure.CRYP_Key1Right = dkey1[1];
+            DES3_CRYP_KeyInitStructure.CRYP_Key2Left  = dkey2[0];
+            DES3_CRYP_KeyInitStructure.CRYP_Key2Right = dkey2[1];
+            DES3_CRYP_KeyInitStructure.CRYP_Key3Left  = dkey3[0];
+            DES3_CRYP_KeyInitStructure.CRYP_Key3Right = dkey3[1];
+            CRYP_KeyInit(&DES3_CRYP_KeyInitStructure);
 
-        /* enable crypto processor */
-        CRYP_Cmd(ENABLE);
+            /* set iv */
+            ByteReverseWords(iv, iv, DES_BLOCK_SIZE);
+            DES3_CRYP_IVInitStructure.CRYP_IV0Left  = iv[0];
+            DES3_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
+            CRYP_IVInit(&DES3_CRYP_IVInitStructure);
 
-        while (sz > 0)
-        {
-            /* flush IN/OUT FIFOs */
-            CRYP_FIFOFlush();
+            /* enable crypto processor */
+            CRYP_Cmd(ENABLE);
 
-            CRYP_DataIn(*(uint32_t*)&in[0]);
-            CRYP_DataIn(*(uint32_t*)&in[4]);
+            while (sz > 0)
+            {
+                /* flush IN/OUT FIFOs */
+                CRYP_FIFOFlush();
 
-            /* wait until the complete message has been processed */
-            while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
+                CRYP_DataIn(*(uint32_t*)&in[0]);
+                CRYP_DataIn(*(uint32_t*)&in[4]);
 
-            *(uint32_t*)&out[0]  = CRYP_DataOut();
-            *(uint32_t*)&out[4]  = CRYP_DataOut();
+                /* wait until the complete message has been processed */
+                while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
 
-            /* store iv for next call */
-            XMEMCPY(des->reg, out + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
+                *(uint32_t*)&out[0]  = CRYP_DataOut();
+                *(uint32_t*)&out[4]  = CRYP_DataOut();
 
-            sz  -= DES_BLOCK_SIZE;
-            in  += DES_BLOCK_SIZE;
-            out += DES_BLOCK_SIZE;
-        }
+                /* store iv for next call */
+                XMEMCPY(des->reg, out + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
 
-        /* disable crypto processor */
-        CRYP_Cmd(DISABLE);
+                sz  -= DES_BLOCK_SIZE;
+                in  += DES_BLOCK_SIZE;
+                out += DES_BLOCK_SIZE;
+            }
 
+            /* disable crypto processor */
+            CRYP_Cmd(DISABLE);
+        }
+    #endif /* WOLFSSL_STM32_CUBEMX */
     }
 
     int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
@@ -380,238 +476,333 @@ void wc_Des3_FreeCavium(Des3* des3)
 
 #elif defined(HAVE_COLDFIRE_SEC)
 
-#include <wolfssl/ctaocrypt/types.h>
+    #include <wolfssl/ctaocrypt/types.h>
 
-#include "sec.h"
-#include "mcf5475_sec.h"
-#include "mcf5475_siu.h"
+    #include "sec.h"
+    #include "mcf5475_sec.h"
+    #include "mcf5475_siu.h"
 
-#if defined (HAVE_THREADX)
-#include "memory_pools.h"
-extern TX_BYTE_POOL mp_ncached;  /* Non Cached memory pool */
-#endif
+    #if defined (HAVE_THREADX)
+    #include "memory_pools.h"
+    extern TX_BYTE_POOL mp_ncached;  /* Non Cached memory pool */
+    #endif
 
-#define DES_BUFFER_SIZE (DES_BLOCK_SIZE * 64)
-static unsigned char *desBuffIn = NULL ;
-static unsigned char *desBuffOut = NULL ;
-static byte *secIV ; 
-static byte *secKey ; 
-static volatile SECdescriptorType *secDesc ;
+    #define DES_BUFFER_SIZE (DES_BLOCK_SIZE * 64)
+    static unsigned char *desBuffIn = NULL;
+    static unsigned char *desBuffOut = NULL;
+    static byte *secIV;
+    static byte *secKey;
+    static volatile SECdescriptorType *secDesc;
 
-static wolfSSL_Mutex Mutex_DesSEC ;
+    static wolfSSL_Mutex Mutex_DesSEC;
 
-#define SEC_DESC_DES_CBC_ENCRYPT  0x20500010
-#define SEC_DESC_DES_CBC_DECRYPT  0x20400010
-#define SEC_DESC_DES3_CBC_ENCRYPT 0x20700010
-#define SEC_DESC_DES3_CBC_DECRYPT 0x20600010
+    #define SEC_DESC_DES_CBC_ENCRYPT  0x20500010
+    #define SEC_DESC_DES_CBC_DECRYPT  0x20400010
+    #define SEC_DESC_DES3_CBC_ENCRYPT 0x20700010
+    #define SEC_DESC_DES3_CBC_DECRYPT 0x20600010
 
-#define DES_IVLEN 8
-#define DES_KEYLEN 8
-#define DES3_IVLEN 8
-#define DES3_KEYLEN 24
+    #define DES_IVLEN 8
+    #define DES_KEYLEN 8
+    #define DES3_IVLEN 8
+    #define DES3_KEYLEN 24
 
-extern volatile unsigned char __MBAR[];
+    extern volatile unsigned char __MBAR[];
 
-static void wc_Des_Cbc(byte* out, const byte* in, word32 sz, 
-                    byte *key, byte *iv, word32 desc)
-{
-    #ifdef DEBUG_WOLFSSL
-    int ret ;  int stat1,stat2 ; 
-	  #endif
-    int size ;
-    volatile int v ;
- 
-    LockMutex(&Mutex_DesSEC) ;
-    
-    secDesc->length1 = 0x0;
-    secDesc->pointer1 = NULL;
-    if((desc==SEC_DESC_DES_CBC_ENCRYPT)||(desc==SEC_DESC_DES_CBC_DECRYPT)){
-        secDesc->length2 = DES_IVLEN ;  
-        secDesc->length3 = DES_KEYLEN ;
-    } else {
-        secDesc->length2 = DES3_IVLEN ; 
-        secDesc->length3 = DES3_KEYLEN ;
-    }
-    secDesc->pointer2 = secIV ;
-    secDesc->pointer3 = secKey;
-    secDesc->pointer4 = desBuffIn ;
-    secDesc->pointer5 = desBuffOut ;
-    secDesc->length6 = 0; 
-    secDesc->pointer6 = NULL; 
-    secDesc->length7 = 0x0;
-    secDesc->pointer7 = NULL;
-    secDesc->nextDescriptorPtr = NULL ; 
-    
-    while(sz) {
-        XMEMCPY(secIV, iv, secDesc->length2) ;
-        if((sz%DES_BUFFER_SIZE) == sz) {
-            size = sz ;
-            sz = 0 ;
+    static void wc_Des_Cbc(byte* out, const byte* in, word32 sz,
+                        byte *key, byte *iv, word32 desc)
+    {
+        #ifdef DEBUG_WOLFSSL
+        int ret;  int stat1,stat2;
+    	  #endif
+        int size;
+        volatile int v;
+
+        wc_LockMutex(&Mutex_DesSEC) ;
+
+        secDesc->length1 = 0x0;
+        secDesc->pointer1 = NULL;
+        if((desc==SEC_DESC_DES_CBC_ENCRYPT)||(desc==SEC_DESC_DES_CBC_DECRYPT)){
+            secDesc->length2 = DES_IVLEN;
+            secDesc->length3 = DES_KEYLEN;
         } else {
-            size = DES_BUFFER_SIZE ;
-            sz -= DES_BUFFER_SIZE ;
-        }
-        
-        XMEMCPY(desBuffIn, in, size) ;
-        XMEMCPY(secKey, key, secDesc->length3) ;
-        
-        secDesc->header = desc ;
-        secDesc->length4 = size;
-        secDesc->length5 = size;
-        /* Point SEC to the location of the descriptor */
-        MCF_SEC_FR0 = (uint32)secDesc;
-        /* Initialize SEC and wait for encryption to complete */
-        MCF_SEC_CCCR0 = 0x0000001a;
-        /* poll SISR to determine when channel is complete */
-        v=0 ;
-        while((secDesc->header>> 24) != 0xff) {
-            if(v++ > 1000)break ;
-        }
-				
-#ifdef DEBUG_WOLFSSL
-        ret = MCF_SEC_SISRH;
-        stat1 = MCF_SEC_DSR ; 
-        stat2 = MCF_SEC_DISR ; 
-        if(ret & 0xe0000000) {
-            /* db_printf("Des_Cbc(%x):ISRH=%08x, DSR=%08x, DISR=%08x\n", desc, ret, stat1, stat2) ; */
+            secDesc->length2 = DES3_IVLEN;
+            secDesc->length3 = DES3_KEYLEN;
         }
-#endif
-				
-        XMEMCPY(out, desBuffOut, size) ;
+        secDesc->pointer2 = secIV;
+        secDesc->pointer3 = secKey;
+        secDesc->pointer4 = desBuffIn;
+        secDesc->pointer5 = desBuffOut;
+        secDesc->length6 = 0;
+        secDesc->pointer6 = NULL;
+        secDesc->length7 = 0x0;
+        secDesc->pointer7 = NULL;
+        secDesc->nextDescriptorPtr = NULL;
+
+        while(sz) {
+            XMEMCPY(secIV, iv, secDesc->length2);
+            if((sz%DES_BUFFER_SIZE) == sz) {
+                size = sz;
+                sz = 0;
+            } else {
+                size = DES_BUFFER_SIZE;
+                sz -= DES_BUFFER_SIZE;
+            }
+
+            XMEMCPY(desBuffIn, in, size);
+            XMEMCPY(secKey, key, secDesc->length3);
+
+            secDesc->header = desc;
+            secDesc->length4 = size;
+            secDesc->length5 = size;
+            /* Point SEC to the location of the descriptor */
+            MCF_SEC_FR0 = (uint32)secDesc;
+            /* Initialize SEC and wait for encryption to complete */
+            MCF_SEC_CCCR0 = 0x0000001a;
+            /* poll SISR to determine when channel is complete */
+            v=0;
+            while((secDesc->header>> 24) != 0xff) {
+                if(v++ > 1000)break;
+            }
+
+        #ifdef DEBUG_WOLFSSL
+            ret = MCF_SEC_SISRH;
+            stat1 = MCF_SEC_DSR;
+            stat2 = MCF_SEC_DISR;
+            if(ret & 0xe0000000) {
+                /* db_printf("Des_Cbc(%x):ISRH=%08x, DSR=%08x, DISR=%08x\n", desc, ret, stat1, stat2); */
+            }
+        #endif
+
+            XMEMCPY(out, desBuffOut, size);
+
+            if ((desc==SEC_DESC_DES3_CBC_ENCRYPT)||(desc==SEC_DESC_DES_CBC_ENCRYPT)) {
+                XMEMCPY((void*)iv, (void*)&(out[size-secDesc->length2]), secDesc->length2);
+            } else {
+                XMEMCPY((void*)iv, (void*)&(in[size-secDesc->length2]), secDesc->length2);
+            }
+
+            in  += size;
+            out += size;
 
-        if((desc==SEC_DESC_DES3_CBC_ENCRYPT)||(desc==SEC_DESC_DES_CBC_ENCRYPT)) {
-            XMEMCPY((void*)iv, (void*)&(out[size-secDesc->length2]), secDesc->length2) ;
-        } else {
-            XMEMCPY((void*)iv, (void*)&(in[size-secDesc->length2]), secDesc->length2) ;
         }
-        
-        in  += size ;   
-        out += size ;
-                
-    }
-    UnLockMutex(&Mutex_DesSEC) ;
-    
-}
+        wc_UnLockMutex(&Mutex_DesSEC) ;
 
+    }
 
-int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    wc_Des_Cbc(out, in, sz,  (byte *)des->key,  (byte *)des->reg, SEC_DESC_DES_CBC_ENCRYPT) ;
-    return 0;
-}
 
-int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    wc_Des_Cbc(out, in, sz,   (byte *)des->key,  (byte *)des->reg, SEC_DESC_DES_CBC_DECRYPT) ;
-    return 0;
-}
+    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        wc_Des_Cbc(out, in, sz,  (byte *)des->key,  (byte *)des->reg, SEC_DESC_DES_CBC_ENCRYPT);
+        return 0;
+    }
 
-int wc_Des3_CbcEncrypt(Des3* des3, byte* out, const byte* in, word32 sz)
-{
-    wc_Des_Cbc(out, in, sz,  (byte *)des3->key,  (byte *)des3->reg, SEC_DESC_DES3_CBC_ENCRYPT) ;
-	  return 0;
-}
+    int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        wc_Des_Cbc(out, in, sz,   (byte *)des->key,  (byte *)des->reg, SEC_DESC_DES_CBC_DECRYPT);
+        return 0;
+    }
 
+    int wc_Des3_CbcEncrypt(Des3* des3, byte* out, const byte* in, word32 sz)
+    {
+        wc_Des_Cbc(out, in, sz,  (byte *)des3->key,  (byte *)des3->reg, SEC_DESC_DES3_CBC_ENCRYPT);
+    	  return 0;
+    }
 
-int wc_Des3_CbcDecrypt(Des3* des3, byte* out, const byte* in, word32 sz)
-{
-    wc_Des_Cbc(out, in, sz,   (byte *)des3->key,  (byte *)des3->reg, SEC_DESC_DES3_CBC_DECRYPT) ;
-	  return 0;
-}
 
-static void setParity(byte *buf, int len) 
-{
-    int i, j ;
-    byte v ;
-    int bits ;
+    int wc_Des3_CbcDecrypt(Des3* des3, byte* out, const byte* in, word32 sz)
+    {
+        wc_Des_Cbc(out, in, sz,   (byte *)des3->key,  (byte *)des3->reg, SEC_DESC_DES3_CBC_DECRYPT);
+    	  return 0;
+    }
 
-    for(i=0; i<len; i++) 
+    static void setParity(byte *buf, int len)
     {
-        v = buf[i] >> 1 ;
-        buf[i] = v << 1 ;
-        bits = 0 ;
-        for(j=0; j<7; j++)
-        {
-            bits += (v&0x1) ;
-            v = v >> 1 ;
+        int i, j;
+        byte v;
+        int bits;
+
+        for (i=0; i<len; i++) {
+            v = buf[i] >> 1;
+            buf[i] = v << 1;
+            bits = 0;
+            for (j=0; j<7; j++) {
+                bits += (v&0x1);
+                v = v >> 1;
+            }
+            buf[i] |= (1 - (bits&0x1));
         }
-        buf[i] |= (1 - (bits&0x1)) ;
-    }
-    
-}
 
+    }
 
-int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
-{
-    if(desBuffIn == NULL) {
+    int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
+    {
+        if(desBuffIn == NULL) {
         #if defined (HAVE_THREADX)
-			  int s1, s2, s3, s4, s5 ;
-        s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc, 
-                                                     sizeof(SECdescriptorType), TX_NO_WAIT);
-        s1 = tx_byte_allocate(&mp_ncached,(void *)&desBuffIn,  DES_BUFFER_SIZE, TX_NO_WAIT);
-        s2 = tx_byte_allocate(&mp_ncached,(void *)&desBuffOut, DES_BUFFER_SIZE, TX_NO_WAIT);
-        /* Don't know des or des3 to be used. Allocate larger buffers */
-        s3 = tx_byte_allocate(&mp_ncached,(void *)&secKey,     DES3_KEYLEN,TX_NO_WAIT);
-        s4 = tx_byte_allocate(&mp_ncached,(void *)&secIV,      DES3_IVLEN,  TX_NO_WAIT);              
+    			  int s1, s2, s3, s4, s5;
+            s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
+                                                         sizeof(SECdescriptorType), TX_NO_WAIT);
+            s1 = tx_byte_allocate(&mp_ncached,(void *)&desBuffIn,  DES_BUFFER_SIZE, TX_NO_WAIT);
+            s2 = tx_byte_allocate(&mp_ncached,(void *)&desBuffOut, DES_BUFFER_SIZE, TX_NO_WAIT);
+            /* Don't know des or des3 to be used. Allocate larger buffers */
+            s3 = tx_byte_allocate(&mp_ncached,(void *)&secKey,     DES3_KEYLEN,TX_NO_WAIT);
+            s4 = tx_byte_allocate(&mp_ncached,(void *)&secIV,      DES3_IVLEN,  TX_NO_WAIT);
         #else
-        #warning "Allocate non-Cache buffers"
+            #warning "Allocate non-Cache buffers"
         #endif
-        
-        InitMutex(&Mutex_DesSEC) ;
-    }
-     
-    XMEMCPY(des->key, key, DES_KEYLEN);  
-    setParity((byte *)des->key, DES_KEYLEN) ;  
-		
-    if (iv) {
-        XMEMCPY(des->reg, iv, DES_IVLEN);
-    }   else {
-        XMEMSET(des->reg, 0x0, DES_IVLEN) ;
+
+            InitMutex(&Mutex_DesSEC);
+        }
+
+        XMEMCPY(des->key, key, DES_KEYLEN);
+        setParity((byte *)des->key, DES_KEYLEN);
+
+        if (iv) {
+            XMEMCPY(des->reg, iv, DES_IVLEN);
+        }   else {
+            XMEMSET(des->reg, 0x0, DES_IVLEN);
+        }
+    		return 0;
     }
-		return 0;
-}
 
-int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
-{
-    
-    if(desBuffIn == NULL) {
+    int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
+    {
+        if (des3 == NULL || key == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (desBuffIn == NULL) {
         #if defined (HAVE_THREADX)
-			  int s1, s2, s3, s4, s5 ;
-        s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc, 
-                                                     sizeof(SECdescriptorType), TX_NO_WAIT);
-        s1 = tx_byte_allocate(&mp_ncached,(void *)&desBuffIn,  DES_BUFFER_SIZE, TX_NO_WAIT);
-        s2 = tx_byte_allocate(&mp_ncached,(void *)&desBuffOut, DES_BUFFER_SIZE, TX_NO_WAIT);
-        s3 = tx_byte_allocate(&mp_ncached,(void *)&secKey,     DES3_KEYLEN,TX_NO_WAIT);
-        s4 = tx_byte_allocate(&mp_ncached,(void *)&secIV,      DES3_IVLEN,  TX_NO_WAIT);              
+            int s1, s2, s3, s4, s5;
+            s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
+                                                         sizeof(SECdescriptorType), TX_NO_WAIT);
+            s1 = tx_byte_allocate(&mp_ncached,(void *)&desBuffIn,  DES_BUFFER_SIZE, TX_NO_WAIT);
+            s2 = tx_byte_allocate(&mp_ncached,(void *)&desBuffOut, DES_BUFFER_SIZE, TX_NO_WAIT);
+            s3 = tx_byte_allocate(&mp_ncached,(void *)&secKey,     DES3_KEYLEN,TX_NO_WAIT);
+            s4 = tx_byte_allocate(&mp_ncached,(void *)&secIV,      DES3_IVLEN,  TX_NO_WAIT);
         #else
-        #warning "Allocate non-Cache buffers"
+            #warning "Allocate non-Cache buffers"
         #endif
-        
-        InitMutex(&Mutex_DesSEC) ;
+
+            InitMutex(&Mutex_DesSEC);
+        }
+
+        XMEMCPY(des3->key[0], key, DES3_KEYLEN);
+        setParity((byte *)des3->key[0], DES3_KEYLEN);
+
+        if (iv) {
+            XMEMCPY(des3->reg, iv, DES3_IVLEN);
+        }   else {
+            XMEMSET(des3->reg, 0x0, DES3_IVLEN);
+        }
+        return 0;
+
+    }
+#elif defined(FREESCALE_LTC_DES)
+
+    #include "fsl_ltc.h"
+    int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
+    {
+        byte* dkey;
+
+        if (des == NULL || key == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        dkey = (byte*)des->key;
+
+        XMEMCPY(dkey, key, 8);
+
+        wc_Des_SetIV(des, iv);
+
+        return 0;
+    }
+
+    int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
+    {
+        int ret = 0;
+        byte* dkey1 = (byte*)des->key[0];
+        byte* dkey2 = (byte*)des->key[1];
+        byte* dkey3 = (byte*)des->key[2];
+
+        XMEMCPY(dkey1, key, 8);         /* set key 1 */
+        XMEMCPY(dkey2, key + 8, 8);     /* set key 2 */
+        XMEMCPY(dkey3, key + 16, 8);    /* set key 3 */
+
+        ret = wc_Des3_SetIV(des, iv);
+        if (ret != 0)
+            return ret;
+
+        return ret;
     }
-    
-    XMEMCPY(des3->key[0], key, DES3_KEYLEN); 
-    setParity((byte *)des3->key[0], DES3_KEYLEN) ;  
-		
-    if (iv) {
-        XMEMCPY(des3->reg, iv, DES3_IVLEN);
-    }   else {
-        XMEMSET(des3->reg, 0x0, DES3_IVLEN) ;
+
+    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        status_t status;
+        status = LTC_DES_EncryptCbc(LTC_BASE, in, out, sz, (byte*)des->reg, (byte*)des->key);
+        if (status == kStatus_Success)
+            return 0;
+        else
+            return -1;
     }
-    return 0;
 
-}
+    int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        status_t status;
+        status = LTC_DES_DecryptCbc(LTC_BASE, in, out, sz, (byte*)des->reg, (byte*)des->key);
+        if (status == kStatus_Success)
+            return 0;
+        else
+            return -1;
+    }
+
+    int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        status_t status;
+        status = LTC_DES3_EncryptCbc(LTC_BASE,
+                                 in,
+                                 out,
+                                 sz,
+                                 (byte*)des->reg,
+                                 (byte*)des->key[0],
+                                 (byte*)des->key[1],
+                                 (byte*)des->key[2]);
+        if (status == kStatus_Success)
+            return 0;
+        else
+            return -1;
+    }
+
+    int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        status_t status;
+        status = LTC_DES3_DecryptCbc(LTC_BASE,
+                                 in,
+                                 out,
+                                 sz,
+                                 (byte*)des->reg,
+                                 (byte*)des->key[0],
+                                 (byte*)des->key[1],
+                                 (byte*)des->key[2]);
+        if (status == kStatus_Success)
+            return 0;
+        else
+            return -1;
 
-#elif defined FREESCALE_MMCAU
+    }
+
+#elif defined(FREESCALE_MMCAU)
     /*
      * Freescale mmCAU hardware DES/3DES support through the CAU/mmCAU library.
      * Documentation located in ColdFire/ColdFire+ CAU and Kinetis mmCAU
      * Software Library User Guide (See note in README).
      */
-    #include "cau_api.h"
+    #ifdef FREESCALE_MMCAU_CLASSIC
+        #include "cau_api.h"
+    #else
+        #include "fsl_mmcau.h"
+    #endif
 
-    const unsigned char parityLookup[128] =
-    {
+    const unsigned char parityLookup[128] = {
         1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,
         0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,
         0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,
@@ -621,7 +812,14 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
     int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
     {
         int i = 0;
-        byte* dkey = (byte*)des->key;
+        byte* dkey;
+
+
+        if (des == NULL || key == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        dkey = (byte*)des->key;
 
         XMEMCPY(dkey, key, 8);
 
@@ -668,15 +866,18 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
         int i;
         int offset = 0;
         int len = sz;
+        int ret = 0;
         byte *iv;
         byte temp_block[DES_BLOCK_SIZE];
 
         iv = (byte*)des->reg;
 
+    #ifdef FREESCALE_MMCAU_CLASSIC
         if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad cau_des_encrypt alignment"); 
+            WOLFSSL_MSG("Bad cau_des_encrypt alignment");
             return BAD_ALIGN_E;
         }
+    #endif
 
         while (len > 0)
         {
@@ -686,7 +887,16 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             for (i = 0; i < DES_BLOCK_SIZE; i++)
                 temp_block[i] ^= iv[i];
 
+            ret = wolfSSL_CryptHwMutexLock();
+            if(ret != 0) {
+                return ret;
+            }
+        #ifdef FREESCALE_MMCAU_CLASSIC
             cau_des_encrypt(temp_block, (byte*)des->key, out + offset);
+        #else
+            MMCAU_DES_EncryptEcb(temp_block, (byte*)des->key, out + offset);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
 
             len    -= DES_BLOCK_SIZE;
             offset += DES_BLOCK_SIZE;
@@ -695,7 +905,7 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             XMEMCPY(iv, out + offset - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
         }
 
-        return 0;
+        return ret;
     }
 
     int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
@@ -703,21 +913,34 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
         int i;
         int offset = 0;
         int len = sz;
+        int ret = 0;
         byte* iv;
         byte temp_block[DES_BLOCK_SIZE];
 
         iv = (byte*)des->reg;
 
+    #ifdef FREESCALE_MMCAU_CLASSIC
         if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad cau_des_decrypt alignment"); 
+            WOLFSSL_MSG("Bad cau_des_decrypt alignment");
             return BAD_ALIGN_E;
         }
+    #endif
 
         while (len > 0)
         {
             XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
 
+            ret = wolfSSL_CryptHwMutexLock();
+            if(ret != 0) {
+                return ret;
+            }
+
+        #ifdef FREESCALE_MMCAU_CLASSIC
             cau_des_decrypt(in + offset, (byte*)des->key, out + offset);
+        #else
+            MMCAU_DES_DecryptEcb(in + offset, (byte*)des->key, out + offset);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
 
             /* XOR block with IV for CBC */
             for (i = 0; i < DES_BLOCK_SIZE; i++)
@@ -730,7 +953,7 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             offset += DES_BLOCK_SIZE;
         }
 
-        return 0;
+        return ret;
     }
 
     int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
@@ -738,16 +961,19 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
         int i;
         int offset = 0;
         int len = sz;
+        int ret = 0;
 
         byte *iv;
         byte temp_block[DES_BLOCK_SIZE];
 
         iv = (byte*)des->reg;
 
+    #ifdef FREESCALE_MMCAU_CLASSIC
         if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad 3ede cau_des_encrypt alignment"); 
+            WOLFSSL_MSG("Bad 3ede cau_des_encrypt alignment");
             return BAD_ALIGN_E;
         }
+    #endif
 
         while (len > 0)
         {
@@ -757,9 +983,20 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             for (i = 0; i < DES_BLOCK_SIZE; i++)
                 temp_block[i] ^= iv[i];
 
-            cau_des_encrypt(temp_block  , (byte*)des->key[0], out + offset);
+            ret = wolfSSL_CryptHwMutexLock();
+            if(ret != 0) {
+                return ret;
+            }
+    #ifdef FREESCALE_MMCAU_CLASSIC
+            cau_des_encrypt(temp_block,   (byte*)des->key[0], out + offset);
             cau_des_decrypt(out + offset, (byte*)des->key[1], out + offset);
             cau_des_encrypt(out + offset, (byte*)des->key[2], out + offset);
+    #else
+            MMCAU_DES_EncryptEcb(temp_block  , (byte*)des->key[0], out + offset);
+            MMCAU_DES_DecryptEcb(out + offset, (byte*)des->key[1], out + offset);
+            MMCAU_DES_EncryptEcb(out + offset, (byte*)des->key[2], out + offset);
+    #endif
+            wolfSSL_CryptHwMutexUnLock();
 
             len    -= DES_BLOCK_SIZE;
             offset += DES_BLOCK_SIZE;
@@ -768,7 +1005,7 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             XMEMCPY(iv, out + offset - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
         }
 
-        return 0;
+        return ret;
     }
 
     int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
@@ -776,24 +1013,38 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
         int i;
         int offset = 0;
         int len = sz;
+        int ret = 0;
 
         byte* iv;
         byte temp_block[DES_BLOCK_SIZE];
 
         iv = (byte*)des->reg;
 
+    #ifdef FREESCALE_MMCAU_CLASSIC
         if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
-            WOLFSSL_MSG("Bad 3ede cau_des_decrypt alignment"); 
+            WOLFSSL_MSG("Bad 3ede cau_des_decrypt alignment");
             return BAD_ALIGN_E;
         }
+    #endif
 
         while (len > 0)
         {
             XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
 
-            cau_des_decrypt(in + offset , (byte*)des->key[2], out + offset);
+            ret = wolfSSL_CryptHwMutexLock();
+            if(ret != 0) {
+                return ret;
+            }
+        #ifdef FREESCALE_MMCAU_CLASSIC
+            cau_des_decrypt(in + offset,  (byte*)des->key[2], out + offset);
             cau_des_encrypt(out + offset, (byte*)des->key[1], out + offset);
             cau_des_decrypt(out + offset, (byte*)des->key[0], out + offset);
+        #else
+            MMCAU_DES_DecryptEcb(in + offset , (byte*)des->key[2], out + offset);
+            MMCAU_DES_EncryptEcb(out + offset, (byte*)des->key[1], out + offset);
+            MMCAU_DES_DecryptEcb(out + offset, (byte*)des->key[0], out + offset);
+        #endif
+            wolfSSL_CryptHwMutexUnLock();
 
             /* XOR block with IV for CBC */
             for (i = 0; i < DES_BLOCK_SIZE; i++)
@@ -806,680 +1057,707 @@ int wc_Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
             offset += DES_BLOCK_SIZE;
         }
 
-        return 0;
+        return ret;
     }
 
 
 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
 
-    #include "wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h"
-
-void wc_Des_SetIV(Des* des, const byte* iv);
-int  wc_Des3_SetIV(Des3* des, const byte* iv);
+    /* PIC32MZ DES hardware requires size multiple of block size */
+    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
 
     int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
     {
-        word32 *dkey = des->key ;
-        word32 *dreg = des->reg ;
+        if (des == NULL || key == NULL || iv == NULL)
+            return BAD_FUNC_ARG;
 
-        XMEMCPY((byte *)dkey, (byte *)key, 8);
-        ByteReverseWords(dkey, dkey, 8);
-        XMEMCPY((byte *)dreg, (byte *)iv, 8);
-        ByteReverseWords(dreg, dreg, 8);
+        XMEMCPY(des->key, key, DES_KEYLEN);
+        XMEMCPY(des->reg, iv, DES_IVLEN);
 
         return 0;
     }
 
     int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
     {
-        word32 *dkey1 = des->key[0];
-        word32 *dreg = des->reg ;
+        if (des == NULL || key == NULL || iv == NULL)
+            return BAD_FUNC_ARG;
 
-        XMEMCPY(dkey1, key, 24);
-        ByteReverseWords(dkey1, dkey1, 24);
-        XMEMCPY(dreg, iv, 8);
-        ByteReverseWords(dreg, dreg, 8) ;
+        XMEMCPY(des->key[0], key, DES3_KEYLEN);
+        XMEMCPY(des->reg, iv, DES3_IVLEN);
 
         return 0;
     }
 
-    void DesCrypt(word32 *key, word32 *iv, byte* out, const byte* in, word32 sz,
-                  int dir, int algo, int cryptoalgo)
+    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
     {
-        securityAssociation *sa_p ;
-        bufferDescriptor *bd_p ;
-        const byte *in_p, *in_l ;
-        byte *out_p, *out_l ;
-        volatile securityAssociation sa __attribute__((aligned (8)));
-        volatile bufferDescriptor bd __attribute__((aligned (8)));
-        volatile int k ;
-        
-        /* get uncached address */
-
-        in_l = in;
-        out_l = out ;
-        sa_p = KVA0_TO_KVA1(&sa) ; 
-        bd_p = KVA0_TO_KVA1(&bd) ;
-        in_p = KVA0_TO_KVA1(in_l) ;
-        out_p= KVA0_TO_KVA1(out_l);
-        
-        if(PIC32MZ_IF_RAM(in_p))
-            XMEMCPY((void *)in_p, (void *)in, sz);
-        XMEMSET((void *)out_p, 0, sz);
-
-        /* Set up the Security Association */
-        XMEMSET((byte *)KVA0_TO_KVA1(&sa), 0, sizeof(sa));
-        sa_p->SA_CTRL.ALGO = algo ; 
-        sa_p->SA_CTRL.LNC = 1;
-        sa_p->SA_CTRL.LOADIV = 1;
-        sa_p->SA_CTRL.FB = 1;
-        sa_p->SA_CTRL.ENCTYPE = dir ; /* Encryption/Decryption */
-        sa_p->SA_CTRL.CRYPTOALGO = cryptoalgo;
-        sa_p->SA_CTRL.KEYSIZE = 1 ; /* KEY is 192 bits */
-        XMEMCPY((byte *)KVA0_TO_KVA1(&sa.SA_ENCKEY[algo==PIC32_ALGO_TDES ? 2 : 6]),
-                (byte *)key, algo==PIC32_ALGO_TDES ? 24 : 8);
-        XMEMCPY((byte *)KVA0_TO_KVA1(&sa.SA_ENCIV[2]), (byte *)iv, 8);
-
-        XMEMSET((byte *)KVA0_TO_KVA1(&bd), 0, sizeof(bd));
-        /* Set up the Buffer Descriptor */
-        bd_p->BD_CTRL.BUFLEN = sz;
-        bd_p->BD_CTRL.LIFM = 1;
-        bd_p->BD_CTRL.SA_FETCH_EN = 1;
-        bd_p->BD_CTRL.LAST_BD = 1;
-        bd_p->BD_CTRL.DESC_EN = 1;
-    
-        bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa) ; /* (unsigned int)sa_p; */
-        bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in) ; /* (unsigned int)in_p; */
-        bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out); /* (unsigned int)out_p; */
-        bd_p->NXTPTR = (unsigned int)KVA_TO_PA(&bd);
-        bd_p->MSGLEN = sz ;
-        
-        /* Fire in the hole! */
-        CECON = 1 << 6;
-        while (CECON);
-        
-        /* Run the engine */
-        CEBDPADDR = (unsigned int)KVA_TO_PA(&bd) ; /* (unsigned int)bd_p ; */
-        CEINTEN = 0x07;
-        CECON = 0x27;
-
-        WAIT_ENGINE ;
-
-        if((cryptoalgo == PIC32_CRYPTOALGO_CBC) ||
-           (cryptoalgo == PIC32_CRYPTOALGO_TCBC)||
-           (cryptoalgo == PIC32_CRYPTOALGO_RCBC)) {
-            /* set iv for the next call */
-            if(dir == PIC32_ENCRYPTION) {
-	        XMEMCPY((void *)iv, (void*)&(out_p[sz-DES_IVLEN]), DES_IVLEN) ;
-	        } else {
-                ByteReverseWords((word32*)iv, (word32 *)&(in_p[sz-DES_IVLEN]),
-                                 DES_IVLEN);
-	        }
+        word32 blocks = sz / DES_BLOCK_SIZE;
 
-        }
+        if (des == NULL || out == NULL || in == NULL)
+            return BAD_FUNC_ARG;
 
-        ByteReverseWords((word32*)out, (word32 *)KVA0_TO_KVA1(out), sz);
-    }
-
-    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-    {
-        DesCrypt(des->key, des->reg, out, in, sz, 
-                PIC32_ENCRYPTION, PIC32_ALGO_DES, PIC32_CRYPTOALGO_CBC );
-        return 0;
+        return wc_Pic32DesCrypt(des->key, DES_KEYLEN, des->reg, DES_IVLEN,
+            out, in, (blocks * DES_BLOCK_SIZE),
+            PIC32_ENCRYPTION, PIC32_ALGO_DES, PIC32_CRYPTOALGO_CBC);
     }
 
     int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
     {
-        DesCrypt(des->key, des->reg, out, in, sz, 
-                PIC32_DECRYPTION, PIC32_ALGO_DES, PIC32_CRYPTOALGO_CBC);
-        return 0;
+        word32 blocks = sz / DES_BLOCK_SIZE;
+
+        if (des == NULL || out == NULL || in == NULL)
+            return BAD_FUNC_ARG;
+
+        return wc_Pic32DesCrypt(des->key, DES_KEYLEN, des->reg, DES_IVLEN,
+            out, in, (blocks * DES_BLOCK_SIZE),
+            PIC32_DECRYPTION, PIC32_ALGO_DES, PIC32_CRYPTOALGO_CBC);
     }
 
     int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
     {
-        DesCrypt(des->key[0], des->reg, out, in, sz, 
-                PIC32_ENCRYPTION, PIC32_ALGO_TDES, PIC32_CRYPTOALGO_TCBC);
-        return 0;
+        word32 blocks = sz / DES_BLOCK_SIZE;
+
+        if (des == NULL || out == NULL || in == NULL)
+            return BAD_FUNC_ARG;
+
+        return wc_Pic32DesCrypt(des->key[0], DES3_KEYLEN, des->reg, DES3_IVLEN,
+            out, in, (blocks * DES_BLOCK_SIZE),
+            PIC32_ENCRYPTION, PIC32_ALGO_TDES, PIC32_CRYPTOALGO_TCBC);
     }
 
     int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
     {
-        DesCrypt(des->key[0], des->reg, out, in, sz, 
-                PIC32_DECRYPTION, PIC32_ALGO_TDES, PIC32_CRYPTOALGO_TCBC);
-        return 0;
+        word32 blocks = sz / DES_BLOCK_SIZE;
+
+        if (des == NULL || out == NULL || in == NULL)
+            return BAD_FUNC_ARG;
+
+        return wc_Pic32DesCrypt(des->key[0], DES3_KEYLEN, des->reg, DES3_IVLEN,
+            out, in, (blocks * DES_BLOCK_SIZE),
+            PIC32_DECRYPTION, PIC32_ALGO_TDES, PIC32_CRYPTOALGO_TCBC);
     }
-    
-#else /* CTaoCrypt software implementation */
-
-/* permuted choice table (key) */
-static const byte pc1[] = {
-       57, 49, 41, 33, 25, 17,  9,
-        1, 58, 50, 42, 34, 26, 18,
-       10,  2, 59, 51, 43, 35, 27,
-       19, 11,  3, 60, 52, 44, 36,
-
-       63, 55, 47, 39, 31, 23, 15,
-        7, 62, 54, 46, 38, 30, 22,
-       14,  6, 61, 53, 45, 37, 29,
-       21, 13,  5, 28, 20, 12,  4
-};
-
-/* number left rotations of pc1 */
-static const byte totrot[] = {
-       1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28
-};
-
-/* permuted choice key (table) */
-static const byte pc2[] = {
-       14, 17, 11, 24,  1,  5,
-        3, 28, 15,  6, 21, 10,
-       23, 19, 12,  4, 26,  8,
-       16,  7, 27, 20, 13,  2,
-       41, 52, 31, 37, 47, 55,
-       30, 40, 51, 45, 33, 48,
-       44, 49, 39, 56, 34, 53,
-       46, 42, 50, 36, 29, 32
-};
-
-/* End of DES-defined tables */
-
-/* bit 0 is left-most in byte */
-static const int bytebit[] = {
-       0200,0100,040,020,010,04,02,01
-};
-
-static const word32 Spbox[8][64] = {
-{
-0x01010400,0x00000000,0x00010000,0x01010404,
-0x01010004,0x00010404,0x00000004,0x00010000,
-0x00000400,0x01010400,0x01010404,0x00000400,
-0x01000404,0x01010004,0x01000000,0x00000004,
-0x00000404,0x01000400,0x01000400,0x00010400,
-0x00010400,0x01010000,0x01010000,0x01000404,
-0x00010004,0x01000004,0x01000004,0x00010004,
-0x00000000,0x00000404,0x00010404,0x01000000,
-0x00010000,0x01010404,0x00000004,0x01010000,
-0x01010400,0x01000000,0x01000000,0x00000400,
-0x01010004,0x00010000,0x00010400,0x01000004,
-0x00000400,0x00000004,0x01000404,0x00010404,
-0x01010404,0x00010004,0x01010000,0x01000404,
-0x01000004,0x00000404,0x00010404,0x01010400,
-0x00000404,0x01000400,0x01000400,0x00000000,
-0x00010004,0x00010400,0x00000000,0x01010004},
-{
-0x80108020,0x80008000,0x00008000,0x00108020,
-0x00100000,0x00000020,0x80100020,0x80008020,
-0x80000020,0x80108020,0x80108000,0x80000000,
-0x80008000,0x00100000,0x00000020,0x80100020,
-0x00108000,0x00100020,0x80008020,0x00000000,
-0x80000000,0x00008000,0x00108020,0x80100000,
-0x00100020,0x80000020,0x00000000,0x00108000,
-0x00008020,0x80108000,0x80100000,0x00008020,
-0x00000000,0x00108020,0x80100020,0x00100000,
-0x80008020,0x80100000,0x80108000,0x00008000,
-0x80100000,0x80008000,0x00000020,0x80108020,
-0x00108020,0x00000020,0x00008000,0x80000000,
-0x00008020,0x80108000,0x00100000,0x80000020,
-0x00100020,0x80008020,0x80000020,0x00100020,
-0x00108000,0x00000000,0x80008000,0x00008020,
-0x80000000,0x80100020,0x80108020,0x00108000},
-{
-0x00000208,0x08020200,0x00000000,0x08020008,
-0x08000200,0x00000000,0x00020208,0x08000200,
-0x00020008,0x08000008,0x08000008,0x00020000,
-0x08020208,0x00020008,0x08020000,0x00000208,
-0x08000000,0x00000008,0x08020200,0x00000200,
-0x00020200,0x08020000,0x08020008,0x00020208,
-0x08000208,0x00020200,0x00020000,0x08000208,
-0x00000008,0x08020208,0x00000200,0x08000000,
-0x08020200,0x08000000,0x00020008,0x00000208,
-0x00020000,0x08020200,0x08000200,0x00000000,
-0x00000200,0x00020008,0x08020208,0x08000200,
-0x08000008,0x00000200,0x00000000,0x08020008,
-0x08000208,0x00020000,0x08000000,0x08020208,
-0x00000008,0x00020208,0x00020200,0x08000008,
-0x08020000,0x08000208,0x00000208,0x08020000,
-0x00020208,0x00000008,0x08020008,0x00020200},
-{
-0x00802001,0x00002081,0x00002081,0x00000080,
-0x00802080,0x00800081,0x00800001,0x00002001,
-0x00000000,0x00802000,0x00802000,0x00802081,
-0x00000081,0x00000000,0x00800080,0x00800001,
-0x00000001,0x00002000,0x00800000,0x00802001,
-0x00000080,0x00800000,0x00002001,0x00002080,
-0x00800081,0x00000001,0x00002080,0x00800080,
-0x00002000,0x00802080,0x00802081,0x00000081,
-0x00800080,0x00800001,0x00802000,0x00802081,
-0x00000081,0x00000000,0x00000000,0x00802000,
-0x00002080,0x00800080,0x00800081,0x00000001,
-0x00802001,0x00002081,0x00002081,0x00000080,
-0x00802081,0x00000081,0x00000001,0x00002000,
-0x00800001,0x00002001,0x00802080,0x00800081,
-0x00002001,0x00002080,0x00800000,0x00802001,
-0x00000080,0x00800000,0x00002000,0x00802080},
-{
-0x00000100,0x02080100,0x02080000,0x42000100,
-0x00080000,0x00000100,0x40000000,0x02080000,
-0x40080100,0x00080000,0x02000100,0x40080100,
-0x42000100,0x42080000,0x00080100,0x40000000,
-0x02000000,0x40080000,0x40080000,0x00000000,
-0x40000100,0x42080100,0x42080100,0x02000100,
-0x42080000,0x40000100,0x00000000,0x42000000,
-0x02080100,0x02000000,0x42000000,0x00080100,
-0x00080000,0x42000100,0x00000100,0x02000000,
-0x40000000,0x02080000,0x42000100,0x40080100,
-0x02000100,0x40000000,0x42080000,0x02080100,
-0x40080100,0x00000100,0x02000000,0x42080000,
-0x42080100,0x00080100,0x42000000,0x42080100,
-0x02080000,0x00000000,0x40080000,0x42000000,
-0x00080100,0x02000100,0x40000100,0x00080000,
-0x00000000,0x40080000,0x02080100,0x40000100},
-{
-0x20000010,0x20400000,0x00004000,0x20404010,
-0x20400000,0x00000010,0x20404010,0x00400000,
-0x20004000,0x00404010,0x00400000,0x20000010,
-0x00400010,0x20004000,0x20000000,0x00004010,
-0x00000000,0x00400010,0x20004010,0x00004000,
-0x00404000,0x20004010,0x00000010,0x20400010,
-0x20400010,0x00000000,0x00404010,0x20404000,
-0x00004010,0x00404000,0x20404000,0x20000000,
-0x20004000,0x00000010,0x20400010,0x00404000,
-0x20404010,0x00400000,0x00004010,0x20000010,
-0x00400000,0x20004000,0x20000000,0x00004010,
-0x20000010,0x20404010,0x00404000,0x20400000,
-0x00404010,0x20404000,0x00000000,0x20400010,
-0x00000010,0x00004000,0x20400000,0x00404010,
-0x00004000,0x00400010,0x20004010,0x00000000,
-0x20404000,0x20000000,0x00400010,0x20004010},
-{
-0x00200000,0x04200002,0x04000802,0x00000000,
-0x00000800,0x04000802,0x00200802,0x04200800,
-0x04200802,0x00200000,0x00000000,0x04000002,
-0x00000002,0x04000000,0x04200002,0x00000802,
-0x04000800,0x00200802,0x00200002,0x04000800,
-0x04000002,0x04200000,0x04200800,0x00200002,
-0x04200000,0x00000800,0x00000802,0x04200802,
-0x00200800,0x00000002,0x04000000,0x00200800,
-0x04000000,0x00200800,0x00200000,0x04000802,
-0x04000802,0x04200002,0x04200002,0x00000002,
-0x00200002,0x04000000,0x04000800,0x00200000,
-0x04200800,0x00000802,0x00200802,0x04200800,
-0x00000802,0x04000002,0x04200802,0x04200000,
-0x00200800,0x00000000,0x00000002,0x04200802,
-0x00000000,0x00200802,0x04200000,0x00000800,
-0x04000002,0x04000800,0x00000800,0x00200002},
-{
-0x10001040,0x00001000,0x00040000,0x10041040,
-0x10000000,0x10001040,0x00000040,0x10000000,
-0x00040040,0x10040000,0x10041040,0x00041000,
-0x10041000,0x00041040,0x00001000,0x00000040,
-0x10040000,0x10000040,0x10001000,0x00001040,
-0x00041000,0x00040040,0x10040040,0x10041000,
-0x00001040,0x00000000,0x00000000,0x10040040,
-0x10000040,0x10001000,0x00041040,0x00040000,
-0x00041040,0x00040000,0x10041000,0x00001000,
-0x00000040,0x10040040,0x00001000,0x00041040,
-0x10001000,0x00000040,0x10000040,0x10040000,
-0x10040040,0x10000000,0x00040000,0x10001040,
-0x00000000,0x10041040,0x00040040,0x10000040,
-0x10040000,0x10001000,0x10001040,0x00000000,
-0x10041040,0x00041000,0x00041000,0x00001040,
-0x00001040,0x00040040,0x10000000,0x10041000}
-};
-
-
-static INLINE void IPERM(word32* left, word32* right)
-{
-    word32 work;
 
-    *right = rotlFixed(*right, 4U);
-    work = (*left ^ *right) & 0xf0f0f0f0;
-    *left ^= work;
+    #ifdef WOLFSSL_DES_ECB
+        int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+        {
+            word32 blocks = sz / DES_BLOCK_SIZE;
 
-    *right = rotrFixed(*right^work, 20U);
-    work = (*left ^ *right) & 0xffff0000;
-    *left ^= work;
+            if (des == NULL || out == NULL || in == NULL)
+                return BAD_FUNC_ARG;
 
-    *right = rotrFixed(*right^work, 18U);
-    work = (*left ^ *right) & 0x33333333;
-    *left ^= work;
+            return wc_Pic32DesCrypt(des->key, DES_KEYLEN, des->reg, DES_IVLEN,
+                out, in, (blocks * DES_BLOCK_SIZE),
+                    PIC32_ENCRYPTION, PIC32_ALGO_DES, PIC32_CRYPTOALGO_ECB);
+        }
 
-    *right = rotrFixed(*right^work, 6U);
-    work = (*left ^ *right) & 0x00ff00ff;
-    *left ^= work;
+        int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+        {
+            word32 blocks = sz / DES_BLOCK_SIZE;
 
-    *right = rotlFixed(*right^work, 9U);
-    work = (*left ^ *right) & 0xaaaaaaaa;
-    *left = rotlFixed(*left^work, 1U);
-    *right ^= work;
-}
+            if (des == NULL || out == NULL || in == NULL)
+                return BAD_FUNC_ARG;
 
+            return wc_Pic32DesCrypt(des->key[0], DES3_KEYLEN, des->reg, DES3_IVLEN,
+                out, in, (blocks * DES_BLOCK_SIZE),
+                PIC32_ENCRYPTION, PIC32_ALGO_TDES, PIC32_CRYPTOALGO_TECB);
+        }
+    #endif /* WOLFSSL_DES_ECB */
 
-static INLINE void FPERM(word32* left, word32* right)
-{
-    word32 work;
+#else
+    #define NEED_SOFT_DES
 
-    *right = rotrFixed(*right, 1U);
-    work = (*left ^ *right) & 0xaaaaaaaa;
-    *right ^= work;
+#endif
 
-    *left = rotrFixed(*left^work, 9U);
-    work = (*left ^ *right) & 0x00ff00ff;
-    *right ^= work;
 
-    *left = rotlFixed(*left^work, 6U);
-    work = (*left ^ *right) & 0x33333333;
-    *right ^= work;
+#ifdef NEED_SOFT_DES
+
+    /* permuted choice table (key) */
+    static const byte pc1[] = {
+           57, 49, 41, 33, 25, 17,  9,
+            1, 58, 50, 42, 34, 26, 18,
+           10,  2, 59, 51, 43, 35, 27,
+           19, 11,  3, 60, 52, 44, 36,
+
+           63, 55, 47, 39, 31, 23, 15,
+            7, 62, 54, 46, 38, 30, 22,
+           14,  6, 61, 53, 45, 37, 29,
+           21, 13,  5, 28, 20, 12,  4
+    };
+
+    /* number left rotations of pc1 */
+    static const byte totrot[] = {
+           1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28
+    };
+
+    /* permuted choice key (table) */
+    static const byte pc2[] = {
+           14, 17, 11, 24,  1,  5,
+            3, 28, 15,  6, 21, 10,
+           23, 19, 12,  4, 26,  8,
+           16,  7, 27, 20, 13,  2,
+           41, 52, 31, 37, 47, 55,
+           30, 40, 51, 45, 33, 48,
+           44, 49, 39, 56, 34, 53,
+           46, 42, 50, 36, 29, 32
+    };
+
+    /* End of DES-defined tables */
+
+    /* bit 0 is left-most in byte */
+    static const int bytebit[] = {
+        0200,0100,040,020,010,04,02,01
+    };
+
+    static const word32 Spbox[8][64] = {
+    {   0x01010400,0x00000000,0x00010000,0x01010404,
+        0x01010004,0x00010404,0x00000004,0x00010000,
+        0x00000400,0x01010400,0x01010404,0x00000400,
+        0x01000404,0x01010004,0x01000000,0x00000004,
+        0x00000404,0x01000400,0x01000400,0x00010400,
+        0x00010400,0x01010000,0x01010000,0x01000404,
+        0x00010004,0x01000004,0x01000004,0x00010004,
+        0x00000000,0x00000404,0x00010404,0x01000000,
+        0x00010000,0x01010404,0x00000004,0x01010000,
+        0x01010400,0x01000000,0x01000000,0x00000400,
+        0x01010004,0x00010000,0x00010400,0x01000004,
+        0x00000400,0x00000004,0x01000404,0x00010404,
+        0x01010404,0x00010004,0x01010000,0x01000404,
+        0x01000004,0x00000404,0x00010404,0x01010400,
+        0x00000404,0x01000400,0x01000400,0x00000000,
+        0x00010004,0x00010400,0x00000000,0x01010004},
+    {   0x80108020,0x80008000,0x00008000,0x00108020,
+        0x00100000,0x00000020,0x80100020,0x80008020,
+        0x80000020,0x80108020,0x80108000,0x80000000,
+        0x80008000,0x00100000,0x00000020,0x80100020,
+        0x00108000,0x00100020,0x80008020,0x00000000,
+        0x80000000,0x00008000,0x00108020,0x80100000,
+        0x00100020,0x80000020,0x00000000,0x00108000,
+        0x00008020,0x80108000,0x80100000,0x00008020,
+        0x00000000,0x00108020,0x80100020,0x00100000,
+        0x80008020,0x80100000,0x80108000,0x00008000,
+        0x80100000,0x80008000,0x00000020,0x80108020,
+        0x00108020,0x00000020,0x00008000,0x80000000,
+        0x00008020,0x80108000,0x00100000,0x80000020,
+        0x00100020,0x80008020,0x80000020,0x00100020,
+        0x00108000,0x00000000,0x80008000,0x00008020,
+        0x80000000,0x80100020,0x80108020,0x00108000},
+    {   0x00000208,0x08020200,0x00000000,0x08020008,
+        0x08000200,0x00000000,0x00020208,0x08000200,
+        0x00020008,0x08000008,0x08000008,0x00020000,
+        0x08020208,0x00020008,0x08020000,0x00000208,
+        0x08000000,0x00000008,0x08020200,0x00000200,
+        0x00020200,0x08020000,0x08020008,0x00020208,
+        0x08000208,0x00020200,0x00020000,0x08000208,
+        0x00000008,0x08020208,0x00000200,0x08000000,
+        0x08020200,0x08000000,0x00020008,0x00000208,
+        0x00020000,0x08020200,0x08000200,0x00000000,
+        0x00000200,0x00020008,0x08020208,0x08000200,
+        0x08000008,0x00000200,0x00000000,0x08020008,
+        0x08000208,0x00020000,0x08000000,0x08020208,
+        0x00000008,0x00020208,0x00020200,0x08000008,
+        0x08020000,0x08000208,0x00000208,0x08020000,
+        0x00020208,0x00000008,0x08020008,0x00020200},
+    {   0x00802001,0x00002081,0x00002081,0x00000080,
+        0x00802080,0x00800081,0x00800001,0x00002001,
+        0x00000000,0x00802000,0x00802000,0x00802081,
+        0x00000081,0x00000000,0x00800080,0x00800001,
+        0x00000001,0x00002000,0x00800000,0x00802001,
+        0x00000080,0x00800000,0x00002001,0x00002080,
+        0x00800081,0x00000001,0x00002080,0x00800080,
+        0x00002000,0x00802080,0x00802081,0x00000081,
+        0x00800080,0x00800001,0x00802000,0x00802081,
+        0x00000081,0x00000000,0x00000000,0x00802000,
+        0x00002080,0x00800080,0x00800081,0x00000001,
+        0x00802001,0x00002081,0x00002081,0x00000080,
+        0x00802081,0x00000081,0x00000001,0x00002000,
+        0x00800001,0x00002001,0x00802080,0x00800081,
+        0x00002001,0x00002080,0x00800000,0x00802001,
+        0x00000080,0x00800000,0x00002000,0x00802080},
+    {   0x00000100,0x02080100,0x02080000,0x42000100,
+        0x00080000,0x00000100,0x40000000,0x02080000,
+        0x40080100,0x00080000,0x02000100,0x40080100,
+        0x42000100,0x42080000,0x00080100,0x40000000,
+        0x02000000,0x40080000,0x40080000,0x00000000,
+        0x40000100,0x42080100,0x42080100,0x02000100,
+        0x42080000,0x40000100,0x00000000,0x42000000,
+        0x02080100,0x02000000,0x42000000,0x00080100,
+        0x00080000,0x42000100,0x00000100,0x02000000,
+        0x40000000,0x02080000,0x42000100,0x40080100,
+        0x02000100,0x40000000,0x42080000,0x02080100,
+        0x40080100,0x00000100,0x02000000,0x42080000,
+        0x42080100,0x00080100,0x42000000,0x42080100,
+        0x02080000,0x00000000,0x40080000,0x42000000,
+        0x00080100,0x02000100,0x40000100,0x00080000,
+        0x00000000,0x40080000,0x02080100,0x40000100},
+    {   0x20000010,0x20400000,0x00004000,0x20404010,
+        0x20400000,0x00000010,0x20404010,0x00400000,
+        0x20004000,0x00404010,0x00400000,0x20000010,
+        0x00400010,0x20004000,0x20000000,0x00004010,
+        0x00000000,0x00400010,0x20004010,0x00004000,
+        0x00404000,0x20004010,0x00000010,0x20400010,
+        0x20400010,0x00000000,0x00404010,0x20404000,
+        0x00004010,0x00404000,0x20404000,0x20000000,
+        0x20004000,0x00000010,0x20400010,0x00404000,
+        0x20404010,0x00400000,0x00004010,0x20000010,
+        0x00400000,0x20004000,0x20000000,0x00004010,
+        0x20000010,0x20404010,0x00404000,0x20400000,
+        0x00404010,0x20404000,0x00000000,0x20400010,
+        0x00000010,0x00004000,0x20400000,0x00404010,
+        0x00004000,0x00400010,0x20004010,0x00000000,
+        0x20404000,0x20000000,0x00400010,0x20004010},
+    {   0x00200000,0x04200002,0x04000802,0x00000000,
+        0x00000800,0x04000802,0x00200802,0x04200800,
+        0x04200802,0x00200000,0x00000000,0x04000002,
+        0x00000002,0x04000000,0x04200002,0x00000802,
+        0x04000800,0x00200802,0x00200002,0x04000800,
+        0x04000002,0x04200000,0x04200800,0x00200002,
+        0x04200000,0x00000800,0x00000802,0x04200802,
+        0x00200800,0x00000002,0x04000000,0x00200800,
+        0x04000000,0x00200800,0x00200000,0x04000802,
+        0x04000802,0x04200002,0x04200002,0x00000002,
+        0x00200002,0x04000000,0x04000800,0x00200000,
+        0x04200800,0x00000802,0x00200802,0x04200800,
+        0x00000802,0x04000002,0x04200802,0x04200000,
+        0x00200800,0x00000000,0x00000002,0x04200802,
+        0x00000000,0x00200802,0x04200000,0x00000800,
+        0x04000002,0x04000800,0x00000800,0x00200002},
+    {   0x10001040,0x00001000,0x00040000,0x10041040,
+        0x10000000,0x10001040,0x00000040,0x10000000,
+        0x00040040,0x10040000,0x10041040,0x00041000,
+        0x10041000,0x00041040,0x00001000,0x00000040,
+        0x10040000,0x10000040,0x10001000,0x00001040,
+        0x00041000,0x00040040,0x10040040,0x10041000,
+        0x00001040,0x00000000,0x00000000,0x10040040,
+        0x10000040,0x10001000,0x00041040,0x00040000,
+        0x00041040,0x00040000,0x10041000,0x00001000,
+        0x00000040,0x10040040,0x00001000,0x00041040,
+        0x10001000,0x00000040,0x10000040,0x10040000,
+        0x10040040,0x10000000,0x00040000,0x10001040,
+        0x00000000,0x10041040,0x00040040,0x10000040,
+        0x10040000,0x10001000,0x10001040,0x00000000,
+        0x10041040,0x00041000,0x00041000,0x00001040,
+        0x00001040,0x00040040,0x10000000,0x10041000}
+    };
+
+    static WC_INLINE void IPERM(word32* left, word32* right)
+    {
+        word32 work;
 
-    *left = rotlFixed(*left^work, 18U);
-    work = (*left ^ *right) & 0xffff0000;
-    *right ^= work;
+        *right = rotlFixed(*right, 4U);
+        work = (*left ^ *right) & 0xf0f0f0f0;
+        *left ^= work;
 
-    *left = rotlFixed(*left^work, 20U);
-    work = (*left ^ *right) & 0xf0f0f0f0;
-    *right ^= work;
+        *right = rotrFixed(*right^work, 20U);
+        work = (*left ^ *right) & 0xffff0000;
+        *left ^= work;
 
-    *left = rotrFixed(*left^work, 4U);
-}
+        *right = rotrFixed(*right^work, 18U);
+        work = (*left ^ *right) & 0x33333333;
+        *left ^= work;
 
+        *right = rotrFixed(*right^work, 6U);
+        work = (*left ^ *right) & 0x00ff00ff;
+        *left ^= work;
 
-static int DesSetKey(const byte* key, int dir, word32* out)
-{
-#ifdef WOLFSSL_SMALL_STACK
-    byte* buffer = (byte*)XMALLOC(56+56+8, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        *right = rotlFixed(*right^work, 9U);
+        work = (*left ^ *right) & 0xaaaaaaaa;
+        *left = rotlFixed(*left^work, 1U);
+        *right ^= work;
+    }
 
-    if (buffer == NULL)
-        return MEMORY_E;
-#else
-    byte buffer[56+56+8];
-#endif
+    static WC_INLINE void FPERM(word32* left, word32* right)
+    {
+        word32 work;
+
+        *right = rotrFixed(*right, 1U);
+        work = (*left ^ *right) & 0xaaaaaaaa;
+        *right ^= work;
+
+        *left = rotrFixed(*left^work, 9U);
+        work = (*left ^ *right) & 0x00ff00ff;
+        *right ^= work;
+
+        *left = rotlFixed(*left^work, 6U);
+        work = (*left ^ *right) & 0x33333333;
+        *right ^= work;
+
+        *left = rotlFixed(*left^work, 18U);
+        work = (*left ^ *right) & 0xffff0000;
+        *right ^= work;
 
+        *left = rotlFixed(*left^work, 20U);
+        work = (*left ^ *right) & 0xf0f0f0f0;
+        *right ^= work;
+
+        *left = rotrFixed(*left^work, 4U);
+    }
+
+    static int DesSetKey(const byte* key, int dir, word32* out)
     {
-        byte* const  pc1m = buffer;               /* place to modify pc1 into */
-        byte* const  pcr  = pc1m + 56;            /* place to rotate pc1 into */
-        byte* const  ks   = pcr  + 56;
-        register int i, j, l;
-        int          m;
-
-        for (j = 0; j < 56; j++) {             /* convert pc1 to bits of key  */
-            l = pc1[j] - 1;                    /* integer bit location        */
-            m = l & 07;                        /* find bit                    */
-            pc1m[j] = (key[l >> 3] &           /* find which key byte l is in */
-                bytebit[m])                    /* and which bit of that byte  */
-                ? 1 : 0;                       /* and store 1-bit result      */
-        }
+        #define DES_KEY_BUFFER_SIZE (56+56+8)
+    #ifdef WOLFSSL_SMALL_STACK
+        byte* buffer = (byte*)XMALLOC(DES_KEY_BUFFER_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+        if (buffer == NULL)
+            return MEMORY_E;
+    #else
+        byte buffer[DES_KEY_BUFFER_SIZE];
+    #endif
 
-        for (i = 0; i < 16; i++) {            /* key chunk for each iteration */
-            XMEMSET(ks, 0, 8);                /* Clear key schedule */
+        {
+            byte* const  pc1m = buffer;            /* place to modify pc1 into */
+            byte* const  pcr  = pc1m + 56;         /* place to rotate pc1 into */
+            byte* const  ks   = pcr  + 56;
+            register int i, j, l;
+            int          m;
+
+            for (j = 0; j < 56; j++) {             /* convert pc1 to bits of key  */
+                l = pc1[j] - 1;                    /* integer bit location        */
+                m = l & 07;                        /* find bit                    */
+                pc1m[j] = (key[l >> 3] &           /* find which key byte l is in */
+                    bytebit[m])                    /* and which bit of that byte  */
+                    ? 1 : 0;                       /* and store 1-bit result      */
+            }
 
-            for (j = 0; j < 56; j++)          /* rotate pc1 the right amount  */
-                pcr[j] =
-                      pc1m[(l = j + totrot[i]) < (j < 28 ? 28 : 56) ? l : l-28];
+            for (i = 0; i < 16; i++) {            /* key chunk for each iteration */
+                XMEMSET(ks, 0, 8);                /* Clear key schedule */
 
-            /* rotate left and right halves independently */
-            for (j = 0; j < 48; j++) {        /* select bits individually     */
-                if (pcr[pc2[j] - 1]) {        /* check bit that goes to ks[j] */
-                    l= j % 6;                 /* mask it in if it's there     */
-                    ks[j/6] |= bytebit[l] >> 2;
+                for (j = 0; j < 56; j++)          /* rotate pc1 the right amount  */
+                    pcr[j] =
+                          pc1m[(l = j + totrot[i]) < (j < 28 ? 28 : 56) ? l : l-28];
+
+                /* rotate left and right halves independently */
+                for (j = 0; j < 48; j++) {        /* select bits individually     */
+                    if (pcr[pc2[j] - 1]) {        /* check bit that goes to ks[j] */
+                        l= j % 6;                 /* mask it in if it's there     */
+                        ks[j/6] |= bytebit[l] >> 2;
+                    }
                 }
-            }
 
-            /* Now convert to odd/even interleaved form for use in F */
-            out[2*i] = ((word32) ks[0] << 24)
-                     | ((word32) ks[2] << 16)
-                     | ((word32) ks[4] << 8)
-                     | ((word32) ks[6]);
+                /* Now convert to odd/even interleaved form for use in F */
+                out[2*i] = ((word32) ks[0] << 24)
+                         | ((word32) ks[2] << 16)
+                         | ((word32) ks[4] << 8)
+                         | ((word32) ks[6]);
 
-            out[2*i + 1] = ((word32) ks[1] << 24)
-                         | ((word32) ks[3] << 16)
-                         | ((word32) ks[5] << 8)
-                         | ((word32) ks[7]);
-        }
+                out[2*i + 1] = ((word32) ks[1] << 24)
+                             | ((word32) ks[3] << 16)
+                             | ((word32) ks[5] << 8)
+                             | ((word32) ks[7]);
+            }
+
+            /* reverse key schedule order */
+            if (dir == DES_DECRYPTION) {
+                for (i = 0; i < 16; i += 2) {
+                    word32 swap = out[i];
+                    out[i] = out[DES_KS_SIZE - 2 - i];
+                    out[DES_KS_SIZE - 2 - i] = swap;
 
-        /* reverse key schedule order */
-        if (dir == DES_DECRYPTION) {
-            for (i = 0; i < 16; i += 2) {
-                word32 swap = out[i];
-                out[i] = out[DES_KS_SIZE - 2 - i];
-                out[DES_KS_SIZE - 2 - i] = swap;
-    
-                swap = out[i + 1];
-                out[i + 1] = out[DES_KS_SIZE - 1 - i];
-                out[DES_KS_SIZE - 1 - i] = swap;
+                    swap = out[i + 1];
+                    out[i + 1] = out[DES_KS_SIZE - 1 - i];
+                    out[DES_KS_SIZE - 1 - i] = swap;
+                }
             }
+
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
         }
 
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+        return 0;
     }
 
-    return 0;
-}
+    int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
+    {
+        wc_Des_SetIV(des, iv);
 
+        return DesSetKey(key, dir, des->key);
+    }
 
-static INLINE int Reverse(int dir)
-{
-    return !dir;
-}
+    int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
+    {
+        int ret;
 
+        if (des == NULL || key == NULL || dir < 0) {
+            return BAD_FUNC_ARG;
+        }
 
-int wc_Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
-{
-    wc_Des_SetIV(des, iv);
+    #if defined(WOLF_CRYPTO_CB) || \
+        (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES))
+        #ifdef WOLF_CRYPTO_CB
+        if (des->devId != INVALID_DEVID)
+        #endif
+        {
+            XMEMCPY(des->devKey, key, DES3_KEYLEN);
+        }
+    #endif
 
-    return DesSetKey(key, dir, des->key);
-}
+        ret = DesSetKey(key + (dir == DES_ENCRYPTION ? 0:16), dir, des->key[0]);
+        if (ret != 0)
+            return ret;
 
+        ret = DesSetKey(key + 8, !dir, des->key[1]);
+        if (ret != 0)
+            return ret;
 
-int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
-{
-    int ret;
+        ret = DesSetKey(key + (dir == DES_DECRYPTION ? 0:16), dir, des->key[2]);
+        if (ret != 0)
+            return ret;
 
-#ifdef HAVE_CAVIUM
-    if (des->magic == WOLFSSL_3DES_CAVIUM_MAGIC)
-        return wc_Des3_CaviumSetKey(des, key, iv);
-#endif
+        return wc_Des3_SetIV(des, iv);
+    }
 
-    ret = DesSetKey(key + (dir == DES_ENCRYPTION ? 0:16), dir, des->key[0]);
-    if (ret != 0)
-        return ret;
+    static void DesRawProcessBlock(word32* lIn, word32* rIn, const word32* kptr)
+    {
+        word32 l = *lIn, r = *rIn, i;
 
-    ret = DesSetKey(key + 8, Reverse(dir), des->key[1]);
-    if (ret != 0)
-        return ret;
+        for (i=0; i<8; i++)
+        {
+            word32 work = rotrFixed(r, 4U) ^ kptr[4*i+0];
+            l ^= Spbox[6][(work) & 0x3f]
+              ^  Spbox[4][(work >> 8) & 0x3f]
+              ^  Spbox[2][(work >> 16) & 0x3f]
+              ^  Spbox[0][(work >> 24) & 0x3f];
+            work = r ^ kptr[4*i+1];
+            l ^= Spbox[7][(work) & 0x3f]
+              ^  Spbox[5][(work >> 8) & 0x3f]
+              ^  Spbox[3][(work >> 16) & 0x3f]
+              ^  Spbox[1][(work >> 24) & 0x3f];
+
+            work = rotrFixed(l, 4U) ^ kptr[4*i+2];
+            r ^= Spbox[6][(work) & 0x3f]
+              ^  Spbox[4][(work >> 8) & 0x3f]
+              ^  Spbox[2][(work >> 16) & 0x3f]
+              ^  Spbox[0][(work >> 24) & 0x3f];
+            work = l ^ kptr[4*i+3];
+            r ^= Spbox[7][(work) & 0x3f]
+              ^  Spbox[5][(work >> 8) & 0x3f]
+              ^  Spbox[3][(work >> 16) & 0x3f]
+              ^  Spbox[1][(work >> 24) & 0x3f];
+        }
 
-    ret = DesSetKey(key + (dir == DES_DECRYPTION ? 0:16), dir, des->key[2]);
-    if (ret != 0)
-        return ret;
+        *lIn = l; *rIn = r;
+    }
 
-    return wc_Des3_SetIV(des, iv);
-}
+    static void DesProcessBlock(Des* des, const byte* in, byte* out)
+    {
+        word32 l, r;
 
+        XMEMCPY(&l, in, sizeof(l));
+        XMEMCPY(&r, in + sizeof(l), sizeof(r));
+        #ifdef LITTLE_ENDIAN_ORDER
+            l = ByteReverseWord32(l);
+            r = ByteReverseWord32(r);
+        #endif
+        IPERM(&l,&r);
 
-static void DesRawProcessBlock(word32* lIn, word32* rIn, const word32* kptr)
-{
-    word32 l = *lIn, r = *rIn, i;
+        DesRawProcessBlock(&l, &r, des->key);
 
-    for (i=0; i<8; i++)
-    {
-        word32 work = rotrFixed(r, 4U) ^ kptr[4*i+0];
-        l ^= Spbox[6][(work) & 0x3f]
-          ^  Spbox[4][(work >> 8) & 0x3f]
-          ^  Spbox[2][(work >> 16) & 0x3f]
-          ^  Spbox[0][(work >> 24) & 0x3f];
-        work = r ^ kptr[4*i+1];
-        l ^= Spbox[7][(work) & 0x3f]
-          ^  Spbox[5][(work >> 8) & 0x3f]
-          ^  Spbox[3][(work >> 16) & 0x3f]
-          ^  Spbox[1][(work >> 24) & 0x3f];
-
-        work = rotrFixed(l, 4U) ^ kptr[4*i+2];
-        r ^= Spbox[6][(work) & 0x3f]
-          ^  Spbox[4][(work >> 8) & 0x3f]
-          ^  Spbox[2][(work >> 16) & 0x3f]
-          ^  Spbox[0][(work >> 24) & 0x3f];
-        work = l ^ kptr[4*i+3];
-        r ^= Spbox[7][(work) & 0x3f]
-          ^  Spbox[5][(work >> 8) & 0x3f]
-          ^  Spbox[3][(work >> 16) & 0x3f]
-          ^  Spbox[1][(work >> 24) & 0x3f];
+        FPERM(&l,&r);
+        #ifdef LITTLE_ENDIAN_ORDER
+            l = ByteReverseWord32(l);
+            r = ByteReverseWord32(r);
+        #endif
+        XMEMCPY(out, &r, sizeof(r));
+        XMEMCPY(out + sizeof(r), &l, sizeof(l));
     }
 
-    *lIn = l; *rIn = r;
-}
-
+    static void Des3ProcessBlock(Des3* des, const byte* in, byte* out)
+    {
+        word32 l, r;
 
-static void DesProcessBlock(Des* des, const byte* in, byte* out)
-{
-    word32 l, r;
+        XMEMCPY(&l, in, sizeof(l));
+        XMEMCPY(&r, in + sizeof(l), sizeof(r));
+        #ifdef LITTLE_ENDIAN_ORDER
+            l = ByteReverseWord32(l);
+            r = ByteReverseWord32(r);
+        #endif
+        IPERM(&l,&r);
 
-    XMEMCPY(&l, in, sizeof(l));
-    XMEMCPY(&r, in + sizeof(l), sizeof(r));
-    #ifdef LITTLE_ENDIAN_ORDER
-        l = ByteReverseWord32(l);
-        r = ByteReverseWord32(r);
-    #endif
-    IPERM(&l,&r);
-    
-    DesRawProcessBlock(&l, &r, des->key);   
-
-    FPERM(&l,&r);
-    #ifdef LITTLE_ENDIAN_ORDER
-        l = ByteReverseWord32(l);
-        r = ByteReverseWord32(r);
-    #endif
-    XMEMCPY(out, &r, sizeof(r));
-    XMEMCPY(out + sizeof(r), &l, sizeof(l));
-}
+        DesRawProcessBlock(&l, &r, des->key[0]);
+        DesRawProcessBlock(&r, &l, des->key[1]);
+        DesRawProcessBlock(&l, &r, des->key[2]);
 
+        FPERM(&l,&r);
+        #ifdef LITTLE_ENDIAN_ORDER
+            l = ByteReverseWord32(l);
+            r = ByteReverseWord32(r);
+        #endif
+        XMEMCPY(out, &r, sizeof(r));
+        XMEMCPY(out + sizeof(r), &l, sizeof(l));
+    }
 
-static void Des3ProcessBlock(Des3* des, const byte* in, byte* out)
-{
-    word32 l, r;
+    int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        word32 blocks = sz / DES_BLOCK_SIZE;
 
-    XMEMCPY(&l, in, sizeof(l));
-    XMEMCPY(&r, in + sizeof(l), sizeof(r));
-    #ifdef LITTLE_ENDIAN_ORDER
-        l = ByteReverseWord32(l);
-        r = ByteReverseWord32(r);
-    #endif
-    IPERM(&l,&r);
-    
-    DesRawProcessBlock(&l, &r, des->key[0]);   
-    DesRawProcessBlock(&r, &l, des->key[1]);   
-    DesRawProcessBlock(&l, &r, des->key[2]);   
-
-    FPERM(&l,&r);
-    #ifdef LITTLE_ENDIAN_ORDER
-        l = ByteReverseWord32(l);
-        r = ByteReverseWord32(r);
-    #endif
-    XMEMCPY(out, &r, sizeof(r));
-    XMEMCPY(out + sizeof(r), &l, sizeof(l));
-}
+        while (blocks--) {
+            xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
+            DesProcessBlock(des, (byte*)des->reg, (byte*)des->reg);
+            XMEMCPY(out, des->reg, DES_BLOCK_SIZE);
 
+            out += DES_BLOCK_SIZE;
+            in  += DES_BLOCK_SIZE;
+        }
+        return 0;
+    }
 
-int wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    word32 blocks = sz / DES_BLOCK_SIZE;
+    int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
+    {
+        word32 blocks = sz / DES_BLOCK_SIZE;
 
-    while (blocks--) {
-        xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
-        DesProcessBlock(des, (byte*)des->reg, (byte*)des->reg);
-        XMEMCPY(out, des->reg, DES_BLOCK_SIZE);
+        while (blocks--) {
+            XMEMCPY(des->tmp, in, DES_BLOCK_SIZE);
+            DesProcessBlock(des, (byte*)des->tmp, out);
+            xorbuf(out, (byte*)des->reg, DES_BLOCK_SIZE);
+            XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
 
-        out += DES_BLOCK_SIZE;
-        in  += DES_BLOCK_SIZE; 
+            out += DES_BLOCK_SIZE;
+            in  += DES_BLOCK_SIZE;
+        }
+        return 0;
     }
-    return 0;
-}
 
+    int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        word32 blocks;
+
+        if (des == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-int wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    word32 blocks = sz / DES_BLOCK_SIZE;
-    byte   hold[DES_BLOCK_SIZE];
+    #ifdef WOLF_CRYPTO_CB
+        if (des->devId != INVALID_DEVID) {
+            int ret = wc_CryptoCb_Des3Encrypt(des, out, in, sz);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
 
-    while (blocks--) {
-        XMEMCPY(des->tmp, in, DES_BLOCK_SIZE);
-        DesProcessBlock(des, (byte*)des->tmp, out);
-        xorbuf(out, (byte*)des->reg, DES_BLOCK_SIZE);
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)
+        if (des->asyncDev.marker == WOLFSSL_ASYNC_MARKER_3DES &&
+                                            sz >= WC_ASYNC_THRESH_DES3_CBC) {
+        #if defined(HAVE_CAVIUM)
+            return NitroxDes3CbcEncrypt(des, out, in, sz);
+        #elif defined(HAVE_INTEL_QA)
+            return IntelQaSymDes3CbcEncrypt(&des->asyncDev, out, in, sz,
+                (const byte*)des->devKey, DES3_KEYLEN, (byte*)des->reg, DES3_IVLEN);
+        #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+            if (wc_AsyncTestInit(&des->asyncDev, ASYNC_TEST_DES3_CBC_ENCRYPT)) {
+                WC_ASYNC_TEST* testDev = &des->asyncDev.test;
+                testDev->des.des = des;
+                testDev->des.out = out;
+                testDev->des.in = in;
+                testDev->des.sz = sz;
+                return WC_PENDING_E;
+            }
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
-        XMEMCPY(hold, des->reg, DES_BLOCK_SIZE);
-        XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
-        XMEMCPY(des->tmp, hold, DES_BLOCK_SIZE);
+        blocks = sz / DES_BLOCK_SIZE;
+        while (blocks--) {
+            xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
+            Des3ProcessBlock(des, (byte*)des->reg, (byte*)des->reg);
+            XMEMCPY(out, des->reg, DES_BLOCK_SIZE);
 
-        out += DES_BLOCK_SIZE;
-        in  += DES_BLOCK_SIZE; 
+            out += DES_BLOCK_SIZE;
+            in  += DES_BLOCK_SIZE;
+        }
+        return 0;
     }
-    return 0;
-}
 
 
-int wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{
-    word32 blocks;
+    int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
+    {
+        word32 blocks;
 
-#ifdef HAVE_CAVIUM
-    if (des->magic == WOLFSSL_3DES_CAVIUM_MAGIC)
-        return wc_Des3_CaviumCbcEncrypt(des, out, in, sz);
-#endif
+        if (des == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    blocks = sz / DES_BLOCK_SIZE;
-    while (blocks--) {
-        xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
-        Des3ProcessBlock(des, (byte*)des->reg, (byte*)des->reg);
-        XMEMCPY(out, des->reg, DES_BLOCK_SIZE);
+    #ifdef WOLF_CRYPTO_CB
+        if (des->devId != INVALID_DEVID) {
+            int ret = wc_CryptoCb_Des3Decrypt(des, out, in, sz);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
 
-        out += DES_BLOCK_SIZE;
-        in  += DES_BLOCK_SIZE; 
-    }
-    return 0;
-}
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)
+        if (des->asyncDev.marker == WOLFSSL_ASYNC_MARKER_3DES &&
+                                            sz >= WC_ASYNC_THRESH_DES3_CBC) {
+        #if defined(HAVE_CAVIUM)
+            return NitroxDes3CbcDecrypt(des, out, in, sz);
+        #elif defined(HAVE_INTEL_QA)
+            return IntelQaSymDes3CbcDecrypt(&des->asyncDev, out, in, sz,
+                (const byte*)des->devKey, DES3_KEYLEN, (byte*)des->reg, DES3_IVLEN);
+        #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+            if (wc_AsyncTestInit(&des->asyncDev, ASYNC_TEST_DES3_CBC_DECRYPT)) {
+                WC_ASYNC_TEST* testDev = &des->asyncDev.test;
+                testDev->des.des = des;
+                testDev->des.out = out;
+                testDev->des.in = in;
+                testDev->des.sz = sz;
+                return WC_PENDING_E;
+            }
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
+        blocks = sz / DES_BLOCK_SIZE;
+        while (blocks--) {
+            XMEMCPY(des->tmp, in, DES_BLOCK_SIZE);
+            Des3ProcessBlock(des, (byte*)des->tmp, out);
+            xorbuf(out, (byte*)des->reg, DES_BLOCK_SIZE);
+            XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
 
-int wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{
-    word32 blocks;
+            out += DES_BLOCK_SIZE;
+            in  += DES_BLOCK_SIZE;
+        }
+        return 0;
+    }
 
-#ifdef HAVE_CAVIUM
-    if (des->magic == WOLFSSL_3DES_CAVIUM_MAGIC)
-        return wc_Des3_CaviumCbcDecrypt(des, out, in, sz);
-#endif
+    #ifdef WOLFSSL_DES_ECB
+        /* One block, compatibility only */
+        int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz)
+        {
+            word32 blocks = sz / DES_BLOCK_SIZE;
 
-    blocks = sz / DES_BLOCK_SIZE;
-    while (blocks--) {
-        XMEMCPY(des->tmp, in, DES_BLOCK_SIZE);
-        Des3ProcessBlock(des, (byte*)des->tmp, out);
-        xorbuf(out, (byte*)des->reg, DES_BLOCK_SIZE);
-        XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
+            if (des == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
-        out += DES_BLOCK_SIZE;
-        in  += DES_BLOCK_SIZE; 
-    }
-    return 0;
-}
+            while (blocks--) {
+                DesProcessBlock(des, in, out);
 
-#ifdef WOLFSSL_DES_ECB
+                out += DES_BLOCK_SIZE;
+                in  += DES_BLOCK_SIZE;
+            }
+            return 0;
+        }
 
-/* One block, compatibility only */
-int wc_Des_EcbEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{
-    word32 blocks = sz / DES_BLOCK_SIZE;
+        int wc_Des3_EcbEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
+        {
+            word32 blocks = sz / DES_BLOCK_SIZE;
+
+            if (des == NULL || out == NULL || in == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
-    while (blocks--) {
-        DesProcessBlock(des, in, out);
+            while (blocks--) {
+                Des3ProcessBlock(des, in, out);
 
-        out += DES_BLOCK_SIZE;
-        in  += DES_BLOCK_SIZE; 
-    }
-    return 0;
-}
+                out += DES_BLOCK_SIZE;
+                in  += DES_BLOCK_SIZE;
+            }
+            return 0;
+        }
+    #endif /* WOLFSSL_DES_ECB */
 
-#endif /* WOLFSSL_DES_ECB */
+#endif /* NEED_SOFT_DES */
 
-#endif /* STM32F2_CRYPTO */
 
 void wc_Des_SetIV(Des* des, const byte* iv)
 {
@@ -1489,37 +1767,11 @@ void wc_Des_SetIV(Des* des, const byte* iv)
         XMEMSET(des->reg,  0, DES_BLOCK_SIZE);
 }
 
-
-int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
-                                                const byte* key, const byte* iv)
-{
-    int ret  = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Des* des = NULL;
-#else
-    Des  des[1];
-#endif
-
-#ifdef WOLFSSL_SMALL_STACK
-    des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (des == NULL)
-        return MEMORY_E;
-#endif
-
-    ret = wc_Des_SetKey(des, key, iv, DES_DECRYPTION);
-    if (ret == 0)
-        ret = wc_Des_CbcDecrypt(des, out, in, sz); 
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(des, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
-    return ret;
-}
-
-
 int wc_Des3_SetIV(Des3* des, const byte* iv)
 {
+    if (des == NULL) {
+        return BAD_FUNC_ARG;
+    }
     if (des && iv)
         XMEMCPY(des->reg, iv, DES_BLOCK_SIZE);
     else if (des)
@@ -1529,150 +1781,45 @@ int wc_Des3_SetIV(Des3* des, const byte* iv)
 }
 
 
-int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
-                                                const byte* key, const byte* iv)
+/* Initialize Des3 for use with async device */
+int wc_Des3Init(Des3* des3, void* heap, int devId)
 {
-    int ret    = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Des3* des3 = NULL;
-#else
-    Des3  des3[1];
-#endif
-
-#ifdef WOLFSSL_SMALL_STACK
-    des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    int ret = 0;
     if (des3 == NULL)
-        return MEMORY_E;
-#endif
+        return BAD_FUNC_ARG;
 
-    ret = wc_Des3_SetKey(des3, key, iv, DES_DECRYPTION);
-    if (ret == 0)
-        ret = wc_Des3_CbcDecrypt(des3, out, in, sz); 
+    des3->heap = heap;
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(des3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef WOLF_CRYPTO_CB
+    des3->devId = devId;
+    des3->devCtx = NULL;
+#else
+    (void)devId;
 #endif
 
-    return ret;
-}
-
-
-#ifdef HAVE_CAVIUM
-
-#include "cavium_common.h"
-
-/* Initiliaze Des3 for use with Nitrox device */
-int wc_Des3_InitCavium(Des3* des3, int devId)
-{
-    if (des3 == NULL)
-        return -1;
-
-    if (CspAllocContext(CONTEXT_SSL, &des3->contextHandle, devId) != 0)
-        return -1;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)
+    ret = wolfAsync_DevCtxInit(&des3->asyncDev, WOLFSSL_ASYNC_MARKER_3DES,
+                                                        des3->heap, devId);
+#endif
 
-    des3->devId = devId;
-    des3->magic = WOLFSSL_3DES_CAVIUM_MAGIC;
-   
-    return 0;
+    return ret;
 }
 
-
-/* Free Des3 from use with Nitrox device */
-void wc_Des3_FreeCavium(Des3* des3)
+/* Free Des3 from use with async device */
+void wc_Des3Free(Des3* des3)
 {
     if (des3 == NULL)
         return;
 
-    if (des3->magic != WOLFSSL_3DES_CAVIUM_MAGIC)
-        return;
-
-    CspFreeContext(CONTEXT_SSL, des3->contextHandle, des3->devId);
-    des3->magic = 0;
-}
-
-
-static int wc_Des3_CaviumSetKey(Des3* des3, const byte* key, const byte* iv)
-{
-    if (des3 == NULL)
-        return -1;
-
-    /* key[0] holds key, iv in reg */
-    XMEMCPY(des3->key[0], key, DES_BLOCK_SIZE*3);
-
-    return wc_Des3_SetIV(des3, iv);
-}
-
-
-static int wc_Des3_CaviumCbcEncrypt(Des3* des3, byte* out, const byte* in,
-                                  word32 length)
-{
-    wolfssl_word offset = 0;
-    word32 requestId;
-   
-    while (length > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        if (CspEncrypt3Des(CAVIUM_BLOCKING, des3->contextHandle,
-                           CAVIUM_NO_UPDATE, slen, (byte*)in + offset,
-                           out + offset, (byte*)des3->reg, (byte*)des3->key[0],
-                           &requestId, des3->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium 3DES Cbc Encrypt");
-            return -1;
-        }
-        length -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-        XMEMCPY(des3->reg, out + offset - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
-    }
-    if (length) {
-        word16 slen = (word16)length;
-
-        if (CspEncrypt3Des(CAVIUM_BLOCKING, des3->contextHandle,
-                           CAVIUM_NO_UPDATE, slen, (byte*)in + offset,
-                           out + offset, (byte*)des3->reg, (byte*)des3->key[0],
-                           &requestId, des3->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium 3DES Cbc Encrypt");
-            return -1;
-        }
-        XMEMCPY(des3->reg, out+offset+length - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
-    }
-    return 0;
-}
-
-static int wc_Des3_CaviumCbcDecrypt(Des3* des3, byte* out, const byte* in,
-                                 word32 length)
-{
-    word32 requestId;
-    wolfssl_word offset = 0;
-
-    while (length > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        XMEMCPY(des3->tmp, in + offset + slen - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
-        if (CspDecrypt3Des(CAVIUM_BLOCKING, des3->contextHandle,
-                           CAVIUM_NO_UPDATE, slen, (byte*)in+offset, out+offset,
-                           (byte*)des3->reg, (byte*)des3->key[0], &requestId,
-                           des3->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium 3Des Decrypt");
-            return -1;
-        }
-        length -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-        XMEMCPY(des3->reg, des3->tmp, DES_BLOCK_SIZE);
-    }
-    if (length) {
-        word16 slen = (word16)length;
-        XMEMCPY(des3->tmp, in + offset + slen - DES_BLOCK_SIZE,DES_BLOCK_SIZE);
-        if (CspDecrypt3Des(CAVIUM_BLOCKING, des3->contextHandle,
-                           CAVIUM_NO_UPDATE, slen, (byte*)in+offset, out+offset,
-                           (byte*)des3->reg, (byte*)des3->key[0], &requestId,
-                           des3->devId) != 0) {
-            WOLFSSL_MSG("Bad Cavium 3Des Decrypt");
-            return -1;
-        }
-        XMEMCPY(des3->reg, des3->tmp, DES_BLOCK_SIZE);
-    }
-    return 0;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)
+    wolfAsync_DevCtxFree(&des3->asyncDev, WOLFSSL_ASYNC_MARKER_3DES);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+#if defined(WOLF_CRYPTO_CB) || \
+        (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES))
+    ForceZero(des3->devKey, sizeof(des3->devKey));
+#endif
 }
 
-#endif /* HAVE_CAVIUM */
 #endif /* WOLFSSL_TI_CRYPT */
 #endif /* HAVE_FIPS */
 #endif /* NO_DES3 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dh.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dh.c
index bc4ce11d3..6c53be8f3 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dh.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dh.c
@@ -1,8 +1,8 @@
 /* dh.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,10 +28,46 @@
 
 #ifndef NO_DH
 
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$m")
+        #pragma const_seg(".fipsB$m")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/dh.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
 
-#ifndef USER_MATH_LIB
+#ifdef WOLFSSL_HAVE_SP_DH
+#include <wolfssl/wolfcrypt/sp.h>
+#endif
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+
+/*
+Possible DH enable options:
+ * NO_RSA:              Overall control of DH                 default: on (not defined)
+ * WOLFSSL_OLD_PRIME_CHECK: Disables the new prime number check. It does not
+                        directly effect this file, but it does speed up DH
+                        removing the testing. It is not recommended to
+                        disable the prime checking.           default: off
+
+*/
+
+
+#if !defined(USER_MATH_LIB) && !defined(WOLFSSL_DH_CONST)
     #include <math.h>
     #define XPOW(x,y) pow((x),(y))
     #define XLOG(x)   log((x))
@@ -38,179 +75,2417 @@
     /* user's own math lib */
 #endif
 
+#ifdef HAVE_FFDHE_2048
+static const byte dh_ffdhe2048_p[] = {
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+    0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+static const byte dh_ffdhe2048_g[] = { 0x02 };
+#ifdef HAVE_FFDHE_Q
+static const byte dh_ffdhe2048_q[] = {
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
+    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
+    0xEC, 0x5C, 0xE2, 0xC1, 0xE7, 0x16, 0x9B, 0x4A,
+    0xD4, 0xF0, 0x9B, 0x20, 0x8A, 0x32, 0x19, 0xFD,
+    0xE6, 0x49, 0xCE, 0xE7, 0x12, 0x4D, 0x9F, 0x7C,
+    0xBE, 0x97, 0xF1, 0xB1, 0xB1, 0x86, 0x3A, 0xEC,
+    0x7B, 0x40, 0xD9, 0x01, 0x57, 0x62, 0x30, 0xBD,
+    0x69, 0xEF, 0x8F, 0x6A, 0xEA, 0xFE, 0xB2, 0xB0,
+    0x92, 0x19, 0xFA, 0x8F, 0xAF, 0x83, 0x37, 0x68,
+    0x42, 0xB1, 0xB2, 0xAA, 0x9E, 0xF6, 0x8D, 0x79,
+    0xDA, 0xAB, 0x89, 0xAF, 0x3F, 0xAB, 0xE4, 0x9A,
+    0xCC, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xBB,
+    0xF1, 0x53, 0x44, 0xED, 0x79, 0xF7, 0xF4, 0x39,
+    0x0E, 0xF8, 0xAC, 0x50, 0x9B, 0x56, 0xF3, 0x9A,
+    0x98, 0x56, 0x65, 0x27, 0xA4, 0x1D, 0x3C, 0xBD,
+    0x5E, 0x05, 0x58, 0xC1, 0x59, 0x92, 0x7D, 0xB0,
+    0xE8, 0x84, 0x54, 0xA5, 0xD9, 0x64, 0x71, 0xFD,
+    0xDC, 0xB5, 0x6D, 0x5B, 0xB0, 0x6B, 0xFA, 0x34,
+    0x0E, 0xA7, 0xA1, 0x51, 0xEF, 0x1C, 0xA6, 0xFA,
+    0x57, 0x2B, 0x76, 0xF3, 0xB1, 0xB9, 0x5D, 0x8C,
+    0x85, 0x83, 0xD3, 0xE4, 0x77, 0x05, 0x36, 0xB8,
+    0x4F, 0x01, 0x7E, 0x70, 0xE6, 0xFB, 0xF1, 0x76,
+    0x60, 0x1A, 0x02, 0x66, 0x94, 0x1A, 0x17, 0xB0,
+    0xC8, 0xB9, 0x7F, 0x4E, 0x74, 0xC2, 0xC1, 0xFF,
+    0xC7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xC1,
+    0xE1, 0xFF, 0x1D, 0x8D, 0xA6, 0x37, 0xD6, 0xB9,
+    0x9D, 0xDA, 0xFE, 0x5E, 0x17, 0x61, 0x10, 0x02,
+    0xE2, 0xC7, 0x78, 0xC1, 0xBE, 0x8B, 0x41, 0xD9,
+    0x63, 0x79, 0xA5, 0x13, 0x60, 0xD9, 0x77, 0xFD,
+    0x44, 0x35, 0xA1, 0x1C, 0x30, 0x94, 0x2E, 0x4B,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+#endif /* HAVE_FFDHE_Q */
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+const DhParams* wc_Dh_ffdhe2048_Get(void)
+{
+    static const DhParams ffdhe2048 = {
+        #ifdef HAVE_FFDHE_Q
+            dh_ffdhe2048_q, sizeof(dh_ffdhe2048_q),
+        #endif /* HAVE_FFDHE_Q */
+        dh_ffdhe2048_p, sizeof(dh_ffdhe2048_p),
+        dh_ffdhe2048_g, sizeof(dh_ffdhe2048_g)
+    };
+    return &ffdhe2048;
+}
+#endif
 
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
+#ifdef HAVE_FFDHE_3072
+static const byte dh_ffdhe3072_p[] = {
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+    0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
+    0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
+    0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+    0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
+    0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
+    0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+    0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
+    0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
+    0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+    0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
+    0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
+    0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+    0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
+    0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
+    0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+    0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
+    0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+static const byte dh_ffdhe3072_g[] = { 0x02 };
+#ifdef HAVE_FFDHE_Q
+static const byte dh_ffdhe3072_q[] = {
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
+    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
+    0xEC, 0x5C, 0xE2, 0xC1, 0xE7, 0x16, 0x9B, 0x4A,
+    0xD4, 0xF0, 0x9B, 0x20, 0x8A, 0x32, 0x19, 0xFD,
+    0xE6, 0x49, 0xCE, 0xE7, 0x12, 0x4D, 0x9F, 0x7C,
+    0xBE, 0x97, 0xF1, 0xB1, 0xB1, 0x86, 0x3A, 0xEC,
+    0x7B, 0x40, 0xD9, 0x01, 0x57, 0x62, 0x30, 0xBD,
+    0x69, 0xEF, 0x8F, 0x6A, 0xEA, 0xFE, 0xB2, 0xB0,
+    0x92, 0x19, 0xFA, 0x8F, 0xAF, 0x83, 0x37, 0x68,
+    0x42, 0xB1, 0xB2, 0xAA, 0x9E, 0xF6, 0x8D, 0x79,
+    0xDA, 0xAB, 0x89, 0xAF, 0x3F, 0xAB, 0xE4, 0x9A,
+    0xCC, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xBB,
+    0xF1, 0x53, 0x44, 0xED, 0x79, 0xF7, 0xF4, 0x39,
+    0x0E, 0xF8, 0xAC, 0x50, 0x9B, 0x56, 0xF3, 0x9A,
+    0x98, 0x56, 0x65, 0x27, 0xA4, 0x1D, 0x3C, 0xBD,
+    0x5E, 0x05, 0x58, 0xC1, 0x59, 0x92, 0x7D, 0xB0,
+    0xE8, 0x84, 0x54, 0xA5, 0xD9, 0x64, 0x71, 0xFD,
+    0xDC, 0xB5, 0x6D, 0x5B, 0xB0, 0x6B, 0xFA, 0x34,
+    0x0E, 0xA7, 0xA1, 0x51, 0xEF, 0x1C, 0xA6, 0xFA,
+    0x57, 0x2B, 0x76, 0xF3, 0xB1, 0xB9, 0x5D, 0x8C,
+    0x85, 0x83, 0xD3, 0xE4, 0x77, 0x05, 0x36, 0xB8,
+    0x4F, 0x01, 0x7E, 0x70, 0xE6, 0xFB, 0xF1, 0x76,
+    0x60, 0x1A, 0x02, 0x66, 0x94, 0x1A, 0x17, 0xB0,
+    0xC8, 0xB9, 0x7F, 0x4E, 0x74, 0xC2, 0xC1, 0xFF,
+    0xC7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xC1,
+    0xE1, 0xFF, 0x1D, 0x8D, 0xA6, 0x37, 0xD6, 0xB9,
+    0x9D, 0xDA, 0xFE, 0x5E, 0x17, 0x61, 0x10, 0x02,
+    0xE2, 0xC7, 0x78, 0xC1, 0xBE, 0x8B, 0x41, 0xD9,
+    0x63, 0x79, 0xA5, 0x13, 0x60, 0xD9, 0x77, 0xFD,
+    0x44, 0x35, 0xA1, 0x1C, 0x30, 0x8F, 0xE7, 0xEE,
+    0x6F, 0x1A, 0xAD, 0x9D, 0xB2, 0x8C, 0x81, 0xAD,
+    0xDE, 0x1A, 0x7A, 0x6F, 0x7C, 0xCE, 0x01, 0x1C,
+    0x30, 0xDA, 0x37, 0xE4, 0xEB, 0x73, 0x64, 0x83,
+    0xBD, 0x6C, 0x8E, 0x93, 0x48, 0xFB, 0xFB, 0xF7,
+    0x2C, 0xC6, 0x58, 0x7D, 0x60, 0xC3, 0x6C, 0x8E,
+    0x57, 0x7F, 0x09, 0x84, 0xC2, 0x89, 0xC9, 0x38,
+    0x5A, 0x09, 0x86, 0x49, 0xDE, 0x21, 0xBC, 0xA2,
+    0x7A, 0x7E, 0xA2, 0x29, 0x71, 0x6B, 0xA6, 0xE9,
+    0xB2, 0x79, 0x71, 0x0F, 0x38, 0xFA, 0xA5, 0xFF,
+    0xAE, 0x57, 0x41, 0x55, 0xCE, 0x4E, 0xFB, 0x4F,
+    0x74, 0x36, 0x95, 0xE2, 0x91, 0x1B, 0x1D, 0x06,
+    0xD5, 0xE2, 0x90, 0xCB, 0xCD, 0x86, 0xF5, 0x6D,
+    0x0E, 0xDF, 0xCD, 0x21, 0x6A, 0xE2, 0x24, 0x27,
+    0x05, 0x5E, 0x68, 0x35, 0xFD, 0x29, 0xEE, 0xF7,
+    0x9E, 0x0D, 0x90, 0x77, 0x1F, 0xEA, 0xCE, 0xBE,
+    0x12, 0xF2, 0x0E, 0x95, 0xB3, 0x63, 0x17, 0x1B,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+#endif /* HAVE_FFDHE_Q */
 
-#endif /* WOLFSSL_HAVE_MIN */
+const DhParams* wc_Dh_ffdhe3072_Get(void)
+{
+    static const DhParams ffdhe3072 = {
+        #ifdef HAVE_FFDHE_Q
+            dh_ffdhe3072_q, sizeof(dh_ffdhe3072_q),
+        #endif /* HAVE_FFDHE_Q */
+        dh_ffdhe3072_p, sizeof(dh_ffdhe3072_p),
+        dh_ffdhe3072_g, sizeof(dh_ffdhe3072_g)
+    };
+    return &ffdhe3072;
+}
+#endif
 
+#ifdef HAVE_FFDHE_4096
+static const byte dh_ffdhe4096_p[] = {
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+    0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
+    0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
+    0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+    0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
+    0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
+    0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+    0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
+    0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
+    0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+    0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
+    0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
+    0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+    0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
+    0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
+    0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+    0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
+    0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
+    0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+    0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
+    0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
+    0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+    0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
+    0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
+    0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+    0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
+    0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
+    0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+    0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
+    0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
+    0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+    0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
+    0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
+    0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+static const byte dh_ffdhe4096_g[] = { 0x02 };
+#ifdef HAVE_FFDHE_Q
+static const byte dh_ffdhe4096_q[] = {
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
+    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
+    0xEC, 0x5C, 0xE2, 0xC1, 0xE7, 0x16, 0x9B, 0x4A,
+    0xD4, 0xF0, 0x9B, 0x20, 0x8A, 0x32, 0x19, 0xFD,
+    0xE6, 0x49, 0xCE, 0xE7, 0x12, 0x4D, 0x9F, 0x7C,
+    0xBE, 0x97, 0xF1, 0xB1, 0xB1, 0x86, 0x3A, 0xEC,
+    0x7B, 0x40, 0xD9, 0x01, 0x57, 0x62, 0x30, 0xBD,
+    0x69, 0xEF, 0x8F, 0x6A, 0xEA, 0xFE, 0xB2, 0xB0,
+    0x92, 0x19, 0xFA, 0x8F, 0xAF, 0x83, 0x37, 0x68,
+    0x42, 0xB1, 0xB2, 0xAA, 0x9E, 0xF6, 0x8D, 0x79,
+    0xDA, 0xAB, 0x89, 0xAF, 0x3F, 0xAB, 0xE4, 0x9A,
+    0xCC, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xBB,
+    0xF1, 0x53, 0x44, 0xED, 0x79, 0xF7, 0xF4, 0x39,
+    0x0E, 0xF8, 0xAC, 0x50, 0x9B, 0x56, 0xF3, 0x9A,
+    0x98, 0x56, 0x65, 0x27, 0xA4, 0x1D, 0x3C, 0xBD,
+    0x5E, 0x05, 0x58, 0xC1, 0x59, 0x92, 0x7D, 0xB0,
+    0xE8, 0x84, 0x54, 0xA5, 0xD9, 0x64, 0x71, 0xFD,
+    0xDC, 0xB5, 0x6D, 0x5B, 0xB0, 0x6B, 0xFA, 0x34,
+    0x0E, 0xA7, 0xA1, 0x51, 0xEF, 0x1C, 0xA6, 0xFA,
+    0x57, 0x2B, 0x76, 0xF3, 0xB1, 0xB9, 0x5D, 0x8C,
+    0x85, 0x83, 0xD3, 0xE4, 0x77, 0x05, 0x36, 0xB8,
+    0x4F, 0x01, 0x7E, 0x70, 0xE6, 0xFB, 0xF1, 0x76,
+    0x60, 0x1A, 0x02, 0x66, 0x94, 0x1A, 0x17, 0xB0,
+    0xC8, 0xB9, 0x7F, 0x4E, 0x74, 0xC2, 0xC1, 0xFF,
+    0xC7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xC1,
+    0xE1, 0xFF, 0x1D, 0x8D, 0xA6, 0x37, 0xD6, 0xB9,
+    0x9D, 0xDA, 0xFE, 0x5E, 0x17, 0x61, 0x10, 0x02,
+    0xE2, 0xC7, 0x78, 0xC1, 0xBE, 0x8B, 0x41, 0xD9,
+    0x63, 0x79, 0xA5, 0x13, 0x60, 0xD9, 0x77, 0xFD,
+    0x44, 0x35, 0xA1, 0x1C, 0x30, 0x8F, 0xE7, 0xEE,
+    0x6F, 0x1A, 0xAD, 0x9D, 0xB2, 0x8C, 0x81, 0xAD,
+    0xDE, 0x1A, 0x7A, 0x6F, 0x7C, 0xCE, 0x01, 0x1C,
+    0x30, 0xDA, 0x37, 0xE4, 0xEB, 0x73, 0x64, 0x83,
+    0xBD, 0x6C, 0x8E, 0x93, 0x48, 0xFB, 0xFB, 0xF7,
+    0x2C, 0xC6, 0x58, 0x7D, 0x60, 0xC3, 0x6C, 0x8E,
+    0x57, 0x7F, 0x09, 0x84, 0xC2, 0x89, 0xC9, 0x38,
+    0x5A, 0x09, 0x86, 0x49, 0xDE, 0x21, 0xBC, 0xA2,
+    0x7A, 0x7E, 0xA2, 0x29, 0x71, 0x6B, 0xA6, 0xE9,
+    0xB2, 0x79, 0x71, 0x0F, 0x38, 0xFA, 0xA5, 0xFF,
+    0xAE, 0x57, 0x41, 0x55, 0xCE, 0x4E, 0xFB, 0x4F,
+    0x74, 0x36, 0x95, 0xE2, 0x91, 0x1B, 0x1D, 0x06,
+    0xD5, 0xE2, 0x90, 0xCB, 0xCD, 0x86, 0xF5, 0x6D,
+    0x0E, 0xDF, 0xCD, 0x21, 0x6A, 0xE2, 0x24, 0x27,
+    0x05, 0x5E, 0x68, 0x35, 0xFD, 0x29, 0xEE, 0xF7,
+    0x9E, 0x0D, 0x90, 0x77, 0x1F, 0xEA, 0xCE, 0xBE,
+    0x12, 0xF2, 0x0E, 0x95, 0xB3, 0x4F, 0x0F, 0x78,
+    0xB7, 0x37, 0xA9, 0x61, 0x8B, 0x26, 0xFA, 0x7D,
+    0xBC, 0x98, 0x74, 0xF2, 0x72, 0xC4, 0x2B, 0xDB,
+    0x56, 0x3E, 0xAF, 0xA1, 0x6B, 0x4F, 0xB6, 0x8C,
+    0x3B, 0xB1, 0xE7, 0x8E, 0xAA, 0x81, 0xA0, 0x02,
+    0x43, 0xFA, 0xAD, 0xD2, 0xBF, 0x18, 0xE6, 0x3D,
+    0x38, 0x9A, 0xE4, 0x43, 0x77, 0xDA, 0x18, 0xC5,
+    0x76, 0xB5, 0x0F, 0x00, 0x96, 0xCF, 0x34, 0x19,
+    0x54, 0x83, 0xB0, 0x05, 0x48, 0xC0, 0x98, 0x62,
+    0x36, 0xE3, 0xBC, 0x7C, 0xB8, 0xD6, 0x80, 0x1C,
+    0x04, 0x94, 0xCC, 0xD1, 0x99, 0xE5, 0xC5, 0xBD,
+    0x0D, 0x0E, 0xDC, 0x9E, 0xB8, 0xA0, 0x00, 0x1E,
+    0x15, 0x27, 0x67, 0x54, 0xFC, 0xC6, 0x85, 0x66,
+    0x05, 0x41, 0x48, 0xE6, 0xE7, 0x64, 0xBE, 0xE7,
+    0xC7, 0x64, 0xDA, 0xAD, 0x3F, 0xC4, 0x52, 0x35,
+    0xA6, 0xDA, 0xD4, 0x28, 0xFA, 0x20, 0xC1, 0x70,
+    0xE3, 0x45, 0x00, 0x3F, 0x2F, 0x32, 0xAF, 0xB5,
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+#endif /* HAVE_FFDHE_Q */
 
-void wc_InitDhKey(DhKey* key)
+const DhParams* wc_Dh_ffdhe4096_Get(void)
 {
-    (void)key;
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
-    key->p.dp = 0;
-    key->g.dp = 0;
+    static const DhParams ffdhe4096 = {
+        #ifdef HAVE_FFDHE_Q
+            dh_ffdhe4096_q, sizeof(dh_ffdhe4096_q),
+        #endif /* HAVE_FFDHE_Q */
+        dh_ffdhe4096_p, sizeof(dh_ffdhe4096_p),
+        dh_ffdhe4096_g, sizeof(dh_ffdhe4096_g)
+    };
+    return &ffdhe4096;
+}
 #endif
+
+#ifdef HAVE_FFDHE_6144
+static const byte dh_ffdhe6144_p[] = {
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+    0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
+    0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
+    0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+    0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
+    0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
+    0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+    0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
+    0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
+    0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+    0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
+    0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
+    0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+    0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
+    0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
+    0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+    0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
+    0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
+    0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+    0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
+    0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
+    0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+    0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
+    0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
+    0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+    0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
+    0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
+    0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+    0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
+    0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
+    0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+    0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
+    0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
+    0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
+    0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A,
+    0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A,
+    0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
+    0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8,
+    0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C,
+    0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
+    0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71,
+    0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F,
+    0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
+    0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10,
+    0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8,
+    0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
+    0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E,
+    0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3,
+    0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
+    0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1,
+    0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92,
+    0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
+    0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82,
+    0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE,
+    0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
+    0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E,
+    0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46,
+    0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
+    0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17,
+    0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03,
+    0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
+    0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6,
+    0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69,
+    0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
+    0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4,
+    0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+static const byte dh_ffdhe6144_g[] = { 0x02 };
+#ifdef HAVE_FFDHE_Q
+static const byte dh_ffdhe6144_q[] = {
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
+    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
+    0xEC, 0x5C, 0xE2, 0xC1, 0xE7, 0x16, 0x9B, 0x4A,
+    0xD4, 0xF0, 0x9B, 0x20, 0x8A, 0x32, 0x19, 0xFD,
+    0xE6, 0x49, 0xCE, 0xE7, 0x12, 0x4D, 0x9F, 0x7C,
+    0xBE, 0x97, 0xF1, 0xB1, 0xB1, 0x86, 0x3A, 0xEC,
+    0x7B, 0x40, 0xD9, 0x01, 0x57, 0x62, 0x30, 0xBD,
+    0x69, 0xEF, 0x8F, 0x6A, 0xEA, 0xFE, 0xB2, 0xB0,
+    0x92, 0x19, 0xFA, 0x8F, 0xAF, 0x83, 0x37, 0x68,
+    0x42, 0xB1, 0xB2, 0xAA, 0x9E, 0xF6, 0x8D, 0x79,
+    0xDA, 0xAB, 0x89, 0xAF, 0x3F, 0xAB, 0xE4, 0x9A,
+    0xCC, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xBB,
+    0xF1, 0x53, 0x44, 0xED, 0x79, 0xF7, 0xF4, 0x39,
+    0x0E, 0xF8, 0xAC, 0x50, 0x9B, 0x56, 0xF3, 0x9A,
+    0x98, 0x56, 0x65, 0x27, 0xA4, 0x1D, 0x3C, 0xBD,
+    0x5E, 0x05, 0x58, 0xC1, 0x59, 0x92, 0x7D, 0xB0,
+    0xE8, 0x84, 0x54, 0xA5, 0xD9, 0x64, 0x71, 0xFD,
+    0xDC, 0xB5, 0x6D, 0x5B, 0xB0, 0x6B, 0xFA, 0x34,
+    0x0E, 0xA7, 0xA1, 0x51, 0xEF, 0x1C, 0xA6, 0xFA,
+    0x57, 0x2B, 0x76, 0xF3, 0xB1, 0xB9, 0x5D, 0x8C,
+    0x85, 0x83, 0xD3, 0xE4, 0x77, 0x05, 0x36, 0xB8,
+    0x4F, 0x01, 0x7E, 0x70, 0xE6, 0xFB, 0xF1, 0x76,
+    0x60, 0x1A, 0x02, 0x66, 0x94, 0x1A, 0x17, 0xB0,
+    0xC8, 0xB9, 0x7F, 0x4E, 0x74, 0xC2, 0xC1, 0xFF,
+    0xC7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xC1,
+    0xE1, 0xFF, 0x1D, 0x8D, 0xA6, 0x37, 0xD6, 0xB9,
+    0x9D, 0xDA, 0xFE, 0x5E, 0x17, 0x61, 0x10, 0x02,
+    0xE2, 0xC7, 0x78, 0xC1, 0xBE, 0x8B, 0x41, 0xD9,
+    0x63, 0x79, 0xA5, 0x13, 0x60, 0xD9, 0x77, 0xFD,
+    0x44, 0x35, 0xA1, 0x1C, 0x30, 0x8F, 0xE7, 0xEE,
+    0x6F, 0x1A, 0xAD, 0x9D, 0xB2, 0x8C, 0x81, 0xAD,
+    0xDE, 0x1A, 0x7A, 0x6F, 0x7C, 0xCE, 0x01, 0x1C,
+    0x30, 0xDA, 0x37, 0xE4, 0xEB, 0x73, 0x64, 0x83,
+    0xBD, 0x6C, 0x8E, 0x93, 0x48, 0xFB, 0xFB, 0xF7,
+    0x2C, 0xC6, 0x58, 0x7D, 0x60, 0xC3, 0x6C, 0x8E,
+    0x57, 0x7F, 0x09, 0x84, 0xC2, 0x89, 0xC9, 0x38,
+    0x5A, 0x09, 0x86, 0x49, 0xDE, 0x21, 0xBC, 0xA2,
+    0x7A, 0x7E, 0xA2, 0x29, 0x71, 0x6B, 0xA6, 0xE9,
+    0xB2, 0x79, 0x71, 0x0F, 0x38, 0xFA, 0xA5, 0xFF,
+    0xAE, 0x57, 0x41, 0x55, 0xCE, 0x4E, 0xFB, 0x4F,
+    0x74, 0x36, 0x95, 0xE2, 0x91, 0x1B, 0x1D, 0x06,
+    0xD5, 0xE2, 0x90, 0xCB, 0xCD, 0x86, 0xF5, 0x6D,
+    0x0E, 0xDF, 0xCD, 0x21, 0x6A, 0xE2, 0x24, 0x27,
+    0x05, 0x5E, 0x68, 0x35, 0xFD, 0x29, 0xEE, 0xF7,
+    0x9E, 0x0D, 0x90, 0x77, 0x1F, 0xEA, 0xCE, 0xBE,
+    0x12, 0xF2, 0x0E, 0x95, 0xB3, 0x4F, 0x0F, 0x78,
+    0xB7, 0x37, 0xA9, 0x61, 0x8B, 0x26, 0xFA, 0x7D,
+    0xBC, 0x98, 0x74, 0xF2, 0x72, 0xC4, 0x2B, 0xDB,
+    0x56, 0x3E, 0xAF, 0xA1, 0x6B, 0x4F, 0xB6, 0x8C,
+    0x3B, 0xB1, 0xE7, 0x8E, 0xAA, 0x81, 0xA0, 0x02,
+    0x43, 0xFA, 0xAD, 0xD2, 0xBF, 0x18, 0xE6, 0x3D,
+    0x38, 0x9A, 0xE4, 0x43, 0x77, 0xDA, 0x18, 0xC5,
+    0x76, 0xB5, 0x0F, 0x00, 0x96, 0xCF, 0x34, 0x19,
+    0x54, 0x83, 0xB0, 0x05, 0x48, 0xC0, 0x98, 0x62,
+    0x36, 0xE3, 0xBC, 0x7C, 0xB8, 0xD6, 0x80, 0x1C,
+    0x04, 0x94, 0xCC, 0xD1, 0x99, 0xE5, 0xC5, 0xBD,
+    0x0D, 0x0E, 0xDC, 0x9E, 0xB8, 0xA0, 0x00, 0x1E,
+    0x15, 0x27, 0x67, 0x54, 0xFC, 0xC6, 0x85, 0x66,
+    0x05, 0x41, 0x48, 0xE6, 0xE7, 0x64, 0xBE, 0xE7,
+    0xC7, 0x64, 0xDA, 0xAD, 0x3F, 0xC4, 0x52, 0x35,
+    0xA6, 0xDA, 0xD4, 0x28, 0xFA, 0x20, 0xC1, 0x70,
+    0xE3, 0x45, 0x00, 0x3F, 0x2F, 0x06, 0xEC, 0x81,
+    0x05, 0xFE, 0xB2, 0x5B, 0x22, 0x81, 0xB6, 0x3D,
+    0x27, 0x33, 0xBE, 0x96, 0x1C, 0x29, 0x95, 0x1D,
+    0x11, 0xDD, 0x22, 0x21, 0x65, 0x7A, 0x9F, 0x53,
+    0x1D, 0xDA, 0x2A, 0x19, 0x4D, 0xBB, 0x12, 0x64,
+    0x48, 0xBD, 0xEE, 0xB2, 0x58, 0xE0, 0x7E, 0xA6,
+    0x59, 0xC7, 0x46, 0x19, 0xA6, 0x38, 0x0E, 0x1D,
+    0x66, 0xD6, 0x83, 0x2B, 0xFE, 0x67, 0xF6, 0x38,
+    0xCD, 0x8F, 0xAE, 0x1F, 0x27, 0x23, 0x02, 0x0F,
+    0x9C, 0x40, 0xA3, 0xFD, 0xA6, 0x7E, 0xDA, 0x3B,
+    0xD2, 0x92, 0x38, 0xFB, 0xD4, 0xD4, 0xB4, 0x88,
+    0x5C, 0x2A, 0x99, 0x17, 0x6D, 0xB1, 0xA0, 0x6C,
+    0x50, 0x07, 0x78, 0x49, 0x1A, 0x82, 0x88, 0xF1,
+    0x85, 0x5F, 0x60, 0xFF, 0xFC, 0xF1, 0xD1, 0x37,
+    0x3F, 0xD9, 0x4F, 0xC6, 0x0C, 0x18, 0x11, 0xE1,
+    0xAC, 0x3F, 0x1C, 0x6D, 0x00, 0x3B, 0xEC, 0xDA,
+    0x3B, 0x1F, 0x27, 0x25, 0xCA, 0x59, 0x5D, 0xE0,
+    0xCA, 0x63, 0x32, 0x8F, 0x3B, 0xE5, 0x7C, 0xC9,
+    0x77, 0x55, 0x60, 0x11, 0x95, 0x14, 0x0D, 0xFB,
+    0x59, 0xD3, 0x9C, 0xE0, 0x91, 0x30, 0x8B, 0x41,
+    0x05, 0x74, 0x6D, 0xAC, 0x23, 0xD3, 0x3E, 0x5F,
+    0x7C, 0xE4, 0x84, 0x8D, 0xA3, 0x16, 0xA9, 0xC6,
+    0x6B, 0x95, 0x81, 0xBA, 0x35, 0x73, 0xBF, 0xAF,
+    0x31, 0x14, 0x96, 0x18, 0x8A, 0xB1, 0x54, 0x23,
+    0x28, 0x2E, 0xE4, 0x16, 0xDC, 0x2A, 0x19, 0xC5,
+    0x72, 0x4F, 0xA9, 0x1A, 0xE4, 0xAD, 0xC8, 0x8B,
+    0xC6, 0x67, 0x96, 0xEA, 0xE5, 0x67, 0x7A, 0x01,
+    0xF6, 0x4E, 0x8C, 0x08, 0x63, 0x13, 0x95, 0x82,
+    0x2D, 0x9D, 0xB8, 0xFC, 0xEE, 0x35, 0xC0, 0x6B,
+    0x1F, 0xEE, 0xA5, 0x47, 0x4D, 0x6D, 0x8F, 0x34,
+    0xB1, 0x53, 0x4A, 0x93, 0x6A, 0x18, 0xB0, 0xE0,
+    0xD2, 0x0E, 0xAB, 0x86, 0xBC, 0x9C, 0x6D, 0x6A,
+    0x52, 0x07, 0x19, 0x4E, 0x68, 0x72, 0x07, 0x32,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+#endif /* HAVE_FFDHE_Q */
+
+const DhParams* wc_Dh_ffdhe6144_Get(void)
+{
+    static const DhParams ffdhe6144 = {
+        #ifdef HAVE_FFDHE_Q
+            dh_ffdhe6144_q, sizeof(dh_ffdhe6144_q),
+        #endif /* HAVE_FFDHE_Q */
+        dh_ffdhe6144_p, sizeof(dh_ffdhe6144_p),
+        dh_ffdhe6144_g, sizeof(dh_ffdhe6144_g)
+    };
+    return &ffdhe6144;
 }
+#endif
 
+#ifdef HAVE_FFDHE_8192
+static const byte dh_ffdhe8192_p[] = {
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+    0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+    0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+    0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+    0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+    0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+    0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+    0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+    0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+    0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+    0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+    0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+    0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+    0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+    0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+    0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+    0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+    0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+    0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+    0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+    0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+    0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+    0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+    0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+    0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+    0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+    0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+    0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+    0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+    0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC,
+    0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B,
+    0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+    0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07,
+    0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE,
+    0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+    0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70,
+    0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44,
+    0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+    0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF,
+    0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E,
+    0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+    0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA,
+    0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E,
+    0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+    0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C,
+    0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1,
+    0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+    0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6,
+    0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18,
+    0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+    0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A,
+    0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A,
+    0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+    0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4,
+    0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38,
+    0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+    0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C,
+    0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC,
+    0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+    0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B,
+    0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1,
+    0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
+    0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A,
+    0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A,
+    0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
+    0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8,
+    0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C,
+    0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
+    0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71,
+    0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F,
+    0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
+    0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10,
+    0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8,
+    0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
+    0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E,
+    0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3,
+    0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
+    0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1,
+    0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92,
+    0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
+    0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82,
+    0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE,
+    0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
+    0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E,
+    0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46,
+    0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
+    0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17,
+    0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03,
+    0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
+    0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6,
+    0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69,
+    0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
+    0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4,
+    0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA,
+    0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38,
+    0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64,
+    0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43,
+    0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E,
+    0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF,
+    0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29,
+    0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65,
+    0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02,
+    0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4,
+    0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82,
+    0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C,
+    0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51,
+    0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22,
+    0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74,
+    0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE,
+    0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C,
+    0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC,
+    0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B,
+    0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9,
+    0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0,
+    0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31,
+    0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57,
+    0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8,
+    0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E,
+    0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30,
+    0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E,
+    0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE,
+    0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D,
+    0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D,
+    0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E,
+    0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C,
+    0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C,
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+static const byte dh_ffdhe8192_g[] = { 0x02 };
+#ifdef HAVE_FFDHE_Q
+static const byte dh_ffdhe8192_q[] = {
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+    0xD6, 0xFC, 0x2A, 0x2C, 0x51, 0x5D, 0xA5, 0x4D,
+    0x57, 0xEE, 0x2B, 0x10, 0x13, 0x9E, 0x9E, 0x78,
+    0xEC, 0x5C, 0xE2, 0xC1, 0xE7, 0x16, 0x9B, 0x4A,
+    0xD4, 0xF0, 0x9B, 0x20, 0x8A, 0x32, 0x19, 0xFD,
+    0xE6, 0x49, 0xCE, 0xE7, 0x12, 0x4D, 0x9F, 0x7C,
+    0xBE, 0x97, 0xF1, 0xB1, 0xB1, 0x86, 0x3A, 0xEC,
+    0x7B, 0x40, 0xD9, 0x01, 0x57, 0x62, 0x30, 0xBD,
+    0x69, 0xEF, 0x8F, 0x6A, 0xEA, 0xFE, 0xB2, 0xB0,
+    0x92, 0x19, 0xFA, 0x8F, 0xAF, 0x83, 0x37, 0x68,
+    0x42, 0xB1, 0xB2, 0xAA, 0x9E, 0xF6, 0x8D, 0x79,
+    0xDA, 0xAB, 0x89, 0xAF, 0x3F, 0xAB, 0xE4, 0x9A,
+    0xCC, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xBB,
+    0xF1, 0x53, 0x44, 0xED, 0x79, 0xF7, 0xF4, 0x39,
+    0x0E, 0xF8, 0xAC, 0x50, 0x9B, 0x56, 0xF3, 0x9A,
+    0x98, 0x56, 0x65, 0x27, 0xA4, 0x1D, 0x3C, 0xBD,
+    0x5E, 0x05, 0x58, 0xC1, 0x59, 0x92, 0x7D, 0xB0,
+    0xE8, 0x84, 0x54, 0xA5, 0xD9, 0x64, 0x71, 0xFD,
+    0xDC, 0xB5, 0x6D, 0x5B, 0xB0, 0x6B, 0xFA, 0x34,
+    0x0E, 0xA7, 0xA1, 0x51, 0xEF, 0x1C, 0xA6, 0xFA,
+    0x57, 0x2B, 0x76, 0xF3, 0xB1, 0xB9, 0x5D, 0x8C,
+    0x85, 0x83, 0xD3, 0xE4, 0x77, 0x05, 0x36, 0xB8,
+    0x4F, 0x01, 0x7E, 0x70, 0xE6, 0xFB, 0xF1, 0x76,
+    0x60, 0x1A, 0x02, 0x66, 0x94, 0x1A, 0x17, 0xB0,
+    0xC8, 0xB9, 0x7F, 0x4E, 0x74, 0xC2, 0xC1, 0xFF,
+    0xC7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xC1,
+    0xE1, 0xFF, 0x1D, 0x8D, 0xA6, 0x37, 0xD6, 0xB9,
+    0x9D, 0xDA, 0xFE, 0x5E, 0x17, 0x61, 0x10, 0x02,
+    0xE2, 0xC7, 0x78, 0xC1, 0xBE, 0x8B, 0x41, 0xD9,
+    0x63, 0x79, 0xA5, 0x13, 0x60, 0xD9, 0x77, 0xFD,
+    0x44, 0x35, 0xA1, 0x1C, 0x30, 0x8F, 0xE7, 0xEE,
+    0x6F, 0x1A, 0xAD, 0x9D, 0xB2, 0x8C, 0x81, 0xAD,
+    0xDE, 0x1A, 0x7A, 0x6F, 0x7C, 0xCE, 0x01, 0x1C,
+    0x30, 0xDA, 0x37, 0xE4, 0xEB, 0x73, 0x64, 0x83,
+    0xBD, 0x6C, 0x8E, 0x93, 0x48, 0xFB, 0xFB, 0xF7,
+    0x2C, 0xC6, 0x58, 0x7D, 0x60, 0xC3, 0x6C, 0x8E,
+    0x57, 0x7F, 0x09, 0x84, 0xC2, 0x89, 0xC9, 0x38,
+    0x5A, 0x09, 0x86, 0x49, 0xDE, 0x21, 0xBC, 0xA2,
+    0x7A, 0x7E, 0xA2, 0x29, 0x71, 0x6B, 0xA6, 0xE9,
+    0xB2, 0x79, 0x71, 0x0F, 0x38, 0xFA, 0xA5, 0xFF,
+    0xAE, 0x57, 0x41, 0x55, 0xCE, 0x4E, 0xFB, 0x4F,
+    0x74, 0x36, 0x95, 0xE2, 0x91, 0x1B, 0x1D, 0x06,
+    0xD5, 0xE2, 0x90, 0xCB, 0xCD, 0x86, 0xF5, 0x6D,
+    0x0E, 0xDF, 0xCD, 0x21, 0x6A, 0xE2, 0x24, 0x27,
+    0x05, 0x5E, 0x68, 0x35, 0xFD, 0x29, 0xEE, 0xF7,
+    0x9E, 0x0D, 0x90, 0x77, 0x1F, 0xEA, 0xCE, 0xBE,
+    0x12, 0xF2, 0x0E, 0x95, 0xB3, 0x4F, 0x0F, 0x78,
+    0xB7, 0x37, 0xA9, 0x61, 0x8B, 0x26, 0xFA, 0x7D,
+    0xBC, 0x98, 0x74, 0xF2, 0x72, 0xC4, 0x2B, 0xDB,
+    0x56, 0x3E, 0xAF, 0xA1, 0x6B, 0x4F, 0xB6, 0x8C,
+    0x3B, 0xB1, 0xE7, 0x8E, 0xAA, 0x81, 0xA0, 0x02,
+    0x43, 0xFA, 0xAD, 0xD2, 0xBF, 0x18, 0xE6, 0x3D,
+    0x38, 0x9A, 0xE4, 0x43, 0x77, 0xDA, 0x18, 0xC5,
+    0x76, 0xB5, 0x0F, 0x00, 0x96, 0xCF, 0x34, 0x19,
+    0x54, 0x83, 0xB0, 0x05, 0x48, 0xC0, 0x98, 0x62,
+    0x36, 0xE3, 0xBC, 0x7C, 0xB8, 0xD6, 0x80, 0x1C,
+    0x04, 0x94, 0xCC, 0xD1, 0x99, 0xE5, 0xC5, 0xBD,
+    0x0D, 0x0E, 0xDC, 0x9E, 0xB8, 0xA0, 0x00, 0x1E,
+    0x15, 0x27, 0x67, 0x54, 0xFC, 0xC6, 0x85, 0x66,
+    0x05, 0x41, 0x48, 0xE6, 0xE7, 0x64, 0xBE, 0xE7,
+    0xC7, 0x64, 0xDA, 0xAD, 0x3F, 0xC4, 0x52, 0x35,
+    0xA6, 0xDA, 0xD4, 0x28, 0xFA, 0x20, 0xC1, 0x70,
+    0xE3, 0x45, 0x00, 0x3F, 0x2F, 0x06, 0xEC, 0x81,
+    0x05, 0xFE, 0xB2, 0x5B, 0x22, 0x81, 0xB6, 0x3D,
+    0x27, 0x33, 0xBE, 0x96, 0x1C, 0x29, 0x95, 0x1D,
+    0x11, 0xDD, 0x22, 0x21, 0x65, 0x7A, 0x9F, 0x53,
+    0x1D, 0xDA, 0x2A, 0x19, 0x4D, 0xBB, 0x12, 0x64,
+    0x48, 0xBD, 0xEE, 0xB2, 0x58, 0xE0, 0x7E, 0xA6,
+    0x59, 0xC7, 0x46, 0x19, 0xA6, 0x38, 0x0E, 0x1D,
+    0x66, 0xD6, 0x83, 0x2B, 0xFE, 0x67, 0xF6, 0x38,
+    0xCD, 0x8F, 0xAE, 0x1F, 0x27, 0x23, 0x02, 0x0F,
+    0x9C, 0x40, 0xA3, 0xFD, 0xA6, 0x7E, 0xDA, 0x3B,
+    0xD2, 0x92, 0x38, 0xFB, 0xD4, 0xD4, 0xB4, 0x88,
+    0x5C, 0x2A, 0x99, 0x17, 0x6D, 0xB1, 0xA0, 0x6C,
+    0x50, 0x07, 0x78, 0x49, 0x1A, 0x82, 0x88, 0xF1,
+    0x85, 0x5F, 0x60, 0xFF, 0xFC, 0xF1, 0xD1, 0x37,
+    0x3F, 0xD9, 0x4F, 0xC6, 0x0C, 0x18, 0x11, 0xE1,
+    0xAC, 0x3F, 0x1C, 0x6D, 0x00, 0x3B, 0xEC, 0xDA,
+    0x3B, 0x1F, 0x27, 0x25, 0xCA, 0x59, 0x5D, 0xE0,
+    0xCA, 0x63, 0x32, 0x8F, 0x3B, 0xE5, 0x7C, 0xC9,
+    0x77, 0x55, 0x60, 0x11, 0x95, 0x14, 0x0D, 0xFB,
+    0x59, 0xD3, 0x9C, 0xE0, 0x91, 0x30, 0x8B, 0x41,
+    0x05, 0x74, 0x6D, 0xAC, 0x23, 0xD3, 0x3E, 0x5F,
+    0x7C, 0xE4, 0x84, 0x8D, 0xA3, 0x16, 0xA9, 0xC6,
+    0x6B, 0x95, 0x81, 0xBA, 0x35, 0x73, 0xBF, 0xAF,
+    0x31, 0x14, 0x96, 0x18, 0x8A, 0xB1, 0x54, 0x23,
+    0x28, 0x2E, 0xE4, 0x16, 0xDC, 0x2A, 0x19, 0xC5,
+    0x72, 0x4F, 0xA9, 0x1A, 0xE4, 0xAD, 0xC8, 0x8B,
+    0xC6, 0x67, 0x96, 0xEA, 0xE5, 0x67, 0x7A, 0x01,
+    0xF6, 0x4E, 0x8C, 0x08, 0x63, 0x13, 0x95, 0x82,
+    0x2D, 0x9D, 0xB8, 0xFC, 0xEE, 0x35, 0xC0, 0x6B,
+    0x1F, 0xEE, 0xA5, 0x47, 0x4D, 0x6D, 0x8F, 0x34,
+    0xB1, 0x53, 0x4A, 0x93, 0x6A, 0x18, 0xB0, 0xE0,
+    0xD2, 0x0E, 0xAB, 0x86, 0xBC, 0x9C, 0x6D, 0x6A,
+    0x52, 0x07, 0x19, 0x4E, 0x67, 0xFA, 0x35, 0x55,
+    0x1B, 0x56, 0x80, 0x26, 0x7B, 0x00, 0x64, 0x1C,
+    0x0F, 0x21, 0x2D, 0x18, 0xEC, 0xA8, 0xD7, 0x32,
+    0x7E, 0xD9, 0x1F, 0xE7, 0x64, 0xA8, 0x4E, 0xA1,
+    0xB4, 0x3F, 0xF5, 0xB4, 0xF6, 0xE8, 0xE6, 0x2F,
+    0x05, 0xC6, 0x61, 0xDE, 0xFB, 0x25, 0x88, 0x77,
+    0xC3, 0x5B, 0x18, 0xA1, 0x51, 0xD5, 0xC4, 0x14,
+    0xAA, 0xAD, 0x97, 0xBA, 0x3E, 0x49, 0x93, 0x32,
+    0xE5, 0x96, 0x07, 0x8E, 0x60, 0x0D, 0xEB, 0x81,
+    0x14, 0x9C, 0x44, 0x1C, 0xE9, 0x57, 0x82, 0xF2,
+    0x2A, 0x28, 0x25, 0x63, 0xC5, 0xBA, 0xC1, 0x41,
+    0x14, 0x23, 0x60, 0x5D, 0x1A, 0xE1, 0xAF, 0xAE,
+    0x2C, 0x8B, 0x06, 0x60, 0x23, 0x7E, 0xC1, 0x28,
+    0xAA, 0x0F, 0xE3, 0x46, 0x4E, 0x43, 0x58, 0x11,
+    0x5D, 0xB8, 0x4C, 0xC3, 0xB5, 0x23, 0x07, 0x3A,
+    0x28, 0xD4, 0x54, 0x98, 0x84, 0xB8, 0x1F, 0xF7,
+    0x0E, 0x10, 0xBF, 0x36, 0x1C, 0x13, 0x72, 0x96,
+    0x28, 0xD5, 0x34, 0x8F, 0x07, 0x21, 0x1E, 0x7E,
+    0x4C, 0xF4, 0xF1, 0x8B, 0x28, 0x60, 0x90, 0xBD,
+    0xB1, 0x24, 0x0B, 0x66, 0xD6, 0xCD, 0x4A, 0xFC,
+    0xEA, 0xDC, 0x00, 0xCA, 0x44, 0x6C, 0xE0, 0x50,
+    0x50, 0xFF, 0x18, 0x3A, 0xD2, 0xBB, 0xF1, 0x18,
+    0xC1, 0xFC, 0x0E, 0xA5, 0x1F, 0x97, 0xD2, 0x2B,
+    0x8F, 0x7E, 0x46, 0x70, 0x5D, 0x45, 0x27, 0xF4,
+    0x5B, 0x42, 0xAE, 0xFF, 0x39, 0x58, 0x53, 0x37,
+    0x6F, 0x69, 0x7D, 0xD5, 0xFD, 0xF2, 0xC5, 0x18,
+    0x7D, 0x7D, 0x5F, 0x0E, 0x2E, 0xB8, 0xD4, 0x3F,
+    0x17, 0xBA, 0x0F, 0x7C, 0x60, 0xFF, 0x43, 0x7F,
+    0x53, 0x5D, 0xFE, 0xF2, 0x98, 0x33, 0xBF, 0x86,
+    0xCB, 0xE8, 0x8E, 0xA4, 0xFB, 0xD4, 0x22, 0x1E,
+    0x84, 0x11, 0x72, 0x83, 0x54, 0xFA, 0x30, 0xA7,
+    0x00, 0x8F, 0x15, 0x4A, 0x41, 0xC7, 0xFC, 0x46,
+    0x6B, 0x46, 0x45, 0xDB, 0xE2, 0xE3, 0x21, 0x26,
+    0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+#endif /* HAVE_FFDHE_Q */
 
-void wc_FreeDhKey(DhKey* key)
+const DhParams* wc_Dh_ffdhe8192_Get(void)
 {
-    (void)key;
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
-    mp_clear(&key->p);
-    mp_clear(&key->g);
+    static const DhParams ffdhe8192 = {
+        #ifdef HAVE_FFDHE_Q
+            dh_ffdhe8192_q, sizeof(dh_ffdhe8192_q),
+        #endif /* HAVE_FFDHE_Q */
+        dh_ffdhe8192_p, sizeof(dh_ffdhe8192_p),
+        dh_ffdhe8192_g, sizeof(dh_ffdhe8192_g)
+    };
+    return &ffdhe8192;
+}
 #endif
+
+int wc_InitDhKey_ex(DhKey* key, void* heap, int devId)
+{
+    int ret = 0;
+
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    key->heap = heap; /* for XMALLOC/XFREE in future */
+
+#if !defined(WOLFSSL_QT) && !defined(OPENSSL_ALL)
+    if (mp_init_multi(&key->p, &key->g, &key->q, NULL, NULL, NULL) != MP_OKAY)
+#else
+    if (mp_init_multi(&key->p,&key->g,&key->q,&key->pub,&key->priv,NULL) != MP_OKAY)
+#endif
+        return MEMORY_E;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+    /* handle as async */
+    ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH,
+        key->heap, devId);
+#else
+    (void)devId;
+#endif
+
+    return ret;
+}
+
+int wc_InitDhKey(DhKey* key)
+{
+    return wc_InitDhKey_ex(key, NULL, INVALID_DEVID);
 }
 
 
-static word32 DiscreteLogWorkFactor(word32 n)
+int wc_FreeDhKey(DhKey* key)
 {
-    /* assuming discrete log takes about the same time as factoring */
-    if (n<5)
-        return 0;
-    else
-        return (word32)(2.4 * XPOW((double)n, 1.0/3.0) *
-                XPOW(XLOG((double)n), 2.0/3.0) - 5);
+    if (key) {
+        mp_clear(&key->p);
+        mp_clear(&key->g);
+        mp_clear(&key->q);
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+        wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_DH);
+    #endif
+    }
+    return 0;
 }
 
 
-static int GeneratePrivate(DhKey* key, RNG* rng, byte* priv, word32* privSz)
+#ifndef WC_NO_RNG
+/* if defined to not use floating point values do not compile in */
+#ifndef WOLFSSL_DH_CONST
+    static word32 DiscreteLogWorkFactor(word32 n)
+    {
+        /* assuming discrete log takes about the same time as factoring */
+        if (n < 5)
+            return 0;
+        else
+            return (word32)(2.4 * XPOW((double)n, 1.0/3.0) *
+                    XPOW(XLOG((double)n), 2.0/3.0) - 5);
+    }
+#endif /* WOLFSSL_DH_CONST*/
+
+
+/* if not using fixed points use DiscreteLogWorkFactor function for unusual size
+   otherwise round up on size needed */
+#ifndef WOLFSSL_DH_CONST
+    #define WOLFSSL_DH_ROUND(x)
+#else
+    #define WOLFSSL_DH_ROUND(x) \
+        do {                    \
+            if (x % 128) {      \
+                x &= 0xffffff80;\
+                x += 128;       \
+            }                   \
+        }                       \
+        while (0)
+#endif
+
+
+#ifndef WOLFSSL_NO_DH186
+/* validate that (L,N) match allowed sizes from SP 800-56A, Section 5.5.1.1.
+ * modLen - represents L, the size of p in bits
+ * divLen - represents N, the size of q in bits
+ * return 0 on success, -1 on error */
+static int CheckDhLN(int modLen, int divLen)
 {
-    int ret;
-    word32 sz = mp_unsigned_bin_size(&key->p);
-    sz = min(sz, 2 * DiscreteLogWorkFactor(sz * WOLFSSL_BIT_SIZE) /
-                                           WOLFSSL_BIT_SIZE + 1);
+    int ret = -1;
 
-    ret = wc_RNG_GenerateBlock(rng, priv, sz);
-    if (ret != 0)
-        return ret;
+    switch (modLen) {
+        /* FA */
+        case 1024:
+            if (divLen == 160)
+                ret = 0;
+            break;
+        /* FB, FC */
+        case 2048:
+            if (divLen == 224 || divLen == 256)
+                ret = 0;
+            break;
+        default:
+            break;
+    }
 
-    priv[0] |= 0x0C;
+    return ret;
+}
 
-    *privSz = sz;
 
-    return 0;
+/* Create DH private key
+ *
+ * Based on NIST FIPS 186-4,
+ * "B.1.1 Key Pair Generation Using Extra Random Bits"
+ *
+ * dh     - pointer to initialized DhKey structure, needs to have dh->q
+ * rng    - pointer to initialized WC_RNG structure
+ * priv   - output location for generated private key
+ * privSz - IN/OUT, size of priv buffer, size of generated private key
+ *
+ * return 0 on success, negative on error */
+static int GeneratePrivateDh186(DhKey* key, WC_RNG* rng, byte* priv,
+                                word32* privSz)
+{
+    byte* cBuf;
+    int qSz, pSz, cSz, err;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* tmpQ = NULL;
+    mp_int* tmpX = NULL;
+#else
+    mp_int tmpQ[1], tmpX[1];
+#endif
+
+    /* Parameters validated in calling functions. */
+
+    if (mp_iszero(&key->q) == MP_YES) {
+        WOLFSSL_MSG("DH q parameter needed for FIPS 186-4 key generation");
+        return BAD_FUNC_ARG;
+    }
+
+    qSz = mp_unsigned_bin_size(&key->q);
+    pSz = mp_unsigned_bin_size(&key->p);
+
+    /* verify (L,N) pair bit lengths */
+    if (CheckDhLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
+        WOLFSSL_MSG("DH param sizes do not match SP 800-56A requirements");
+        return BAD_FUNC_ARG;
+    }
+
+    /* generate extra 64 bits so that bias from mod function is negligible */
+    cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
+    cBuf = (byte*)XMALLOC(cSz, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cBuf == NULL) {
+        return MEMORY_E;
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    tmpQ = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (tmpQ == NULL) {
+        XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+    tmpX = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (tmpX == NULL) {
+        XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(tmpQ, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
+
+
+    if ((err = mp_init_multi(tmpX, tmpQ, NULL, NULL, NULL, NULL))
+                   != MP_OKAY) {
+        XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(tmpQ, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(tmpX, key->heap, DYNAMIC_TYPE_DH);
+#endif
+        return err;
+    }
+
+    do {
+        /* generate N+64 bits (c) from RBG into tmpX, making sure positive.
+         * Hash_DRBG uses SHA-256 which matches maximum
+         * requested_security_strength of (L,N) */
+        err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
+        if (err == MP_OKAY)
+            err = mp_read_unsigned_bin(tmpX, cBuf, cSz);
+        if (err != MP_OKAY) {
+            mp_clear(tmpX);
+            mp_clear(tmpQ);
+            XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(tmpQ, key->heap, DYNAMIC_TYPE_DH);
+            XFREE(tmpX, key->heap, DYNAMIC_TYPE_DH);
+#endif
+            return err;
+        }
+    } while (mp_cmp_d(tmpX, 1) != MP_GT);
+
+    ForceZero(cBuf, cSz);
+    XFREE(cBuf, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    /* tmpQ = q - 1 */
+    if (err == MP_OKAY)
+        err = mp_copy(&key->q, tmpQ);
+
+    if (err == MP_OKAY)
+        err = mp_sub_d(tmpQ, 1, tmpQ);
+
+    /* x = c mod (q-1), tmpX holds c */
+    if (err == MP_OKAY)
+        err = mp_mod(tmpX, tmpQ, tmpX);
+
+    /* x = c mod (q-1) + 1 */
+    if (err == MP_OKAY)
+        err = mp_add_d(tmpX, 1, tmpX);
+
+    /* copy tmpX into priv */
+    if (err == MP_OKAY) {
+        pSz = mp_unsigned_bin_size(tmpX);
+        if (pSz > (int)*privSz) {
+            WOLFSSL_MSG("DH private key output buffer too small");
+            err = BAD_FUNC_ARG;
+        } else {
+            *privSz = pSz;
+            err = mp_to_unsigned_bin(tmpX, priv);
+        }
+    }
+
+    mp_forcezero(tmpX);
+    mp_clear(tmpX);
+    mp_clear(tmpQ);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(tmpQ, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(tmpX, key->heap, DYNAMIC_TYPE_DH);
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_NO_DH186 */
+#endif /* !WC_NO_RNG */
+
+static int GeneratePrivateDh(DhKey* key, WC_RNG* rng, byte* priv,
+                             word32* privSz)
+{
+#ifndef WC_NO_RNG
+    int ret = 0;
+    word32 sz = 0;
+
+#ifndef WOLFSSL_NO_DH186
+    if (mp_iszero(&key->q) == MP_NO) {
+
+        /* q param available, use NIST FIPS 186-4, "B.1.1 Key Pair
+         * Generation Using Extra Random Bits" */
+        ret = GeneratePrivateDh186(key, rng, priv, privSz);
+
+    } else
+#endif
+    {
+
+        sz = mp_unsigned_bin_size(&key->p);
+
+        /* Table of predetermined values from the operation
+           2 * DiscreteLogWorkFactor(sz * WOLFSSL_BIT_SIZE) /
+           WOLFSSL_BIT_SIZE + 1
+           Sizes in table checked against RFC 3526
+         */
+        WOLFSSL_DH_ROUND(sz); /* if using fixed points only, then round up */
+        switch (sz) {
+            case 128:  sz = 21; break;
+            case 256:  sz = 29; break;
+            case 384:  sz = 34; break;
+            case 512:  sz = 39; break;
+            case 640:  sz = 42; break;
+            case 768:  sz = 46; break;
+            case 896:  sz = 49; break;
+            case 1024: sz = 52; break;
+            default:
+            #ifndef WOLFSSL_DH_CONST
+                /* if using floating points and size of p is not in table */
+                sz = min(sz, 2 * DiscreteLogWorkFactor(sz * WOLFSSL_BIT_SIZE) /
+                                           WOLFSSL_BIT_SIZE + 1);
+                break;
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+        }
+
+        ret = wc_RNG_GenerateBlock(rng, priv, sz);
+
+        if (ret == 0) {
+            priv[0] |= 0x0C;
+            *privSz = sz;
+        }
+    }
+
+    return ret;
+#else
+    (void)key;
+    (void)rng;
+    (void)priv;
+    (void)privSz;
+    return NOT_COMPILED_IN;
+#endif /* WC_NO_RNG */
 }
 
 
-static int GeneratePublic(DhKey* key, const byte* priv, word32 privSz,
-                          byte* pub, word32* pubSz)
+static int GeneratePublicDh(DhKey* key, byte* priv, word32 privSz,
+    byte* pub, word32* pubSz)
 {
     int ret = 0;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* x;
+    mp_int* y;
+#else
+    mp_int x[1];
+    mp_int y[1];
+#endif
+#endif
 
-    mp_int x; 
-    mp_int y;
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifndef WOLFSSL_SP_NO_2048
+    if (mp_count_bits(&key->p) == 2048)
+        return sp_DhExp_2048(&key->g, priv, privSz, &key->p, pub, pubSz);
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+    if (mp_count_bits(&key->p) == 3072)
+        return sp_DhExp_3072(&key->g, priv, privSz, &key->p, pub, pubSz);
+#endif
+#ifdef WOLFSSL_SP_4096
+    if (mp_count_bits(&key->p) == 4096)
+        return sp_DhExp_4096(&key->g, priv, privSz, &key->p, pub, pubSz);
+#endif
+#endif
 
-    if (mp_init_multi(&x, &y, 0, 0, 0, 0) != MP_OKAY)
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+    x = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (x == NULL)
+        return MEMORY_E;
+    y = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (y == NULL) {
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
+    if (mp_init_multi(x, y, 0, 0, 0, 0) != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+    #endif
         return MP_INIT_E;
+    }
 
-    if (mp_read_unsigned_bin(&x, priv, privSz) != MP_OKAY)
+    if (mp_read_unsigned_bin(x, priv, privSz) != MP_OKAY)
         ret = MP_READ_E;
 
-    if (ret == 0 && mp_exptmod(&key->g, &x, &key->p, &y) != MP_OKAY)
+    if (ret == 0 && mp_exptmod(&key->g, x, &key->p, y) != MP_OKAY)
         ret = MP_EXPTMOD_E;
 
-    if (ret == 0 && mp_to_unsigned_bin(&y, pub) != MP_OKAY)
+    if (ret == 0 && mp_to_unsigned_bin(y, pub) != MP_OKAY)
         ret = MP_TO_E;
 
     if (ret == 0)
-        *pubSz = mp_unsigned_bin_size(&y);
+        *pubSz = mp_unsigned_bin_size(y);
 
-    mp_clear(&y);
-    mp_clear(&x);
+    mp_clear(y);
+    mp_clear(x);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+#endif
+#else
+    ret = WC_KEY_SIZE_E;
+#endif
 
     return ret;
 }
 
+static int wc_DhGenerateKeyPair_Sync(DhKey* key, WC_RNG* rng,
+    byte* priv, word32* privSz, byte* pub, word32* pubSz)
+{
+    int ret;
 
-int wc_DhGenerateKeyPair(DhKey* key, RNG* rng, byte* priv, word32* privSz,
-                      byte* pub, word32* pubSz)
+    if (key == NULL || rng == NULL || priv == NULL || privSz == NULL ||
+        pub == NULL || pubSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    ret = GeneratePrivateDh(key, rng, priv, privSz);
+
+    return (ret != 0) ? ret : GeneratePublicDh(key, priv, *privSz, pub, pubSz);
+}
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+static int wc_DhGenerateKeyPair_Async(DhKey* key, WC_RNG* rng,
+    byte* priv, word32* privSz, byte* pub, word32* pubSz)
 {
-    int ret = GeneratePrivate(key, rng, priv, privSz);
+    int ret;
+
+#if defined(HAVE_INTEL_QA)
+    word32 pBits;
+
+    /* QAT DH sizes: 768, 1024, 1536, 2048, 3072 and 4096 bits */
+    pBits = mp_unsigned_bin_size(&key->p) * 8;
+    if (pBits == 768 ||  pBits == 1024 || pBits == 1536 ||
+        pBits == 2048 || pBits == 3072 || pBits == 4096) {
+        mp_int x;
 
-    return (ret != 0) ? ret : GeneratePublic(key, priv, *privSz, pub, pubSz);
+        ret = mp_init(&x);
+        if (ret != MP_OKAY)
+            return ret;
+
+        ret = GeneratePrivateDh(key, rng, priv, privSz);
+        if (ret == 0)
+            ret = mp_read_unsigned_bin(&x, priv, *privSz);
+        if (ret == MP_OKAY)
+            ret = wc_mp_to_bigint(&x, &x.raw);
+        if (ret == MP_OKAY)
+            ret = wc_mp_to_bigint(&key->p, &key->p.raw);
+        if (ret == MP_OKAY)
+            ret = wc_mp_to_bigint(&key->g, &key->g.raw);
+        if (ret == MP_OKAY)
+            ret = IntelQaDhKeyGen(&key->asyncDev, &key->p.raw, &key->g.raw,
+                &x.raw, pub, pubSz);
+        mp_clear(&x);
+
+        return ret;
+    }
+
+#elif defined(HAVE_CAVIUM)
+    /* TODO: Not implemented - use software for now */
+
+#else /* WOLFSSL_ASYNC_CRYPT_TEST */
+    if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_DH_GEN)) {
+        WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+        testDev->dhGen.key = key;
+        testDev->dhGen.rng = rng;
+        testDev->dhGen.priv = priv;
+        testDev->dhGen.privSz = privSz;
+        testDev->dhGen.pub = pub;
+        testDev->dhGen.pubSz = pubSz;
+        return WC_PENDING_E;
+    }
+#endif
+
+    /* otherwise use software DH */
+    ret = wc_DhGenerateKeyPair_Sync(key, rng, priv, privSz, pub, pubSz);
+
+    return ret;
 }
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_DH */
 
-int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
-            word32 privSz, const byte* otherPub, word32 pubSz)
+
+/* Check DH Public Key for invalid numbers, optionally allowing
+ * the public key to be checked against the large prime (q).
+ * Check per process in SP 800-56Ar3, section 5.6.2.3.1.
+ *
+ * key     DH key group parameters.
+ * pub     Public Key.
+ * pubSz   Public Key size.
+ * prime   Large prime (q), optionally NULL to skip check
+ * primeSz Size of large prime
+ *
+ *  returns 0 on success or error code
+ */
+int wc_DhCheckPubKey_ex(DhKey* key, const byte* pub, word32 pubSz,
+                        const byte* prime, word32 primeSz)
 {
     int ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* y = NULL;
+    mp_int* p = NULL;
+    mp_int* q = NULL;
+#else
+    mp_int y[1];
+    mp_int p[1];
+    mp_int q[1];
+#endif
+
+    if (key == NULL || pub == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    mp_int x; 
-    mp_int y;
-    mp_int z;
+#ifdef WOLFSSL_SMALL_STACK
+    y = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (y == NULL)
+        return MEMORY_E;
+    p = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (p == NULL) {
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+    q = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (q == NULL) {
+        XFREE(p, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
 
-    if (mp_init_multi(&x, &y, &z, 0, 0, 0) != MP_OKAY)
+    if (mp_init_multi(y, p, q, NULL, NULL, NULL) != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(q, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(p, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    #endif
         return MP_INIT_E;
+    }
 
-    if (mp_read_unsigned_bin(&x, priv, privSz) != MP_OKAY)
+    if (mp_read_unsigned_bin(y, pub, pubSz) != MP_OKAY) {
         ret = MP_READ_E;
+    }
+
+    if (ret == 0 && prime != NULL) {
+        if (mp_read_unsigned_bin(q, prime, primeSz) != MP_OKAY)
+            ret = MP_READ_E;
+
+    } else if (mp_iszero(&key->q) == MP_NO) {
+        /* use q available in DhKey */
+        if (mp_copy(&key->q, q) != MP_OKAY)
+            ret = MP_INIT_E;
+    }
+
+    /* SP 800-56Ar3, section 5.6.2.3.1, process step 1 */
+    /* pub (y) should not be 0 or 1 */
+    if (ret == 0 && mp_cmp_d(y, 2) == MP_LT) {
+        ret = MP_CMP_E;
+    }
 
-    if (ret == 0 && mp_read_unsigned_bin(&y, otherPub, pubSz) != MP_OKAY)
+    /* pub (y) shouldn't be greater than or equal to p - 1 */
+    if (ret == 0 && mp_copy(&key->p, p) != MP_OKAY) {
+        ret = MP_INIT_E;
+    }
+    if (ret == 0 && mp_sub_d(p, 2, p) != MP_OKAY) {
+        ret = MP_SUB_E;
+    }
+    if (ret == 0 && mp_cmp(y, p) == MP_GT) {
+        ret = MP_CMP_E;
+    }
+
+    if (ret == 0 && (prime != NULL || (mp_iszero(&key->q) == MP_NO) )) {
+
+        /* restore key->p into p */
+        if (mp_copy(&key->p, p) != MP_OKAY)
+            ret = MP_INIT_E;
+    }
+
+    if (ret == 0 && prime != NULL) {
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifndef WOLFSSL_SP_NO_2048
+        if (mp_count_bits(&key->p) == 2048) {
+            ret = sp_ModExp_2048(y, q, p, y);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+        if (mp_count_bits(&key->p) == 3072) {
+            ret = sp_ModExp_3072(y, q, p, y);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#ifdef WOLFSSL_SP_NO_4096
+        if (mp_count_bits(&key->p) == 4096) {
+            ret = sp_ModExp_4096(y, q, p, y);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#endif
+
+        {
+    /* SP 800-56Ar3, section 5.6.2.3.1, process step 2 */
+#ifndef WOLFSSL_SP_MATH
+            /* calculate (y^q) mod(p), store back into y */
+            if (mp_exptmod(y, q, p, y) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+#else
+            ret = WC_KEY_SIZE_E;
+#endif
+        }
+
+        /* verify above == 1 */
+        if (ret == 0 && mp_cmp_d(y, 1) != MP_EQ)
+            ret = MP_CMP_E;
+    }
+
+    mp_clear(y);
+    mp_clear(p);
+    mp_clear(q);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(q, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(p, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+#endif
+
+    return ret;
+}
+
+
+/* Check DH Public Key for invalid numbers
+ *
+ * key   DH key group parameters.
+ * pub   Public Key.
+ * pubSz Public Key size.
+ *
+ *  returns 0 on success or error code
+ */
+int wc_DhCheckPubKey(DhKey* key, const byte* pub, word32 pubSz)
+{
+    return wc_DhCheckPubKey_ex(key, pub, pubSz, NULL, 0);
+}
+
+
+/**
+ * Quick validity check of public key value against prime.
+ * Checks are:
+ *   - Public key not 0 or 1
+ *   - Public key not equal to prime or prime - 1
+ *   - Public key not bigger than prime.
+ *
+ * prime    Big-endian encoding of prime in bytes.
+ * primeSz  Size of prime in bytes.
+ * pub      Big-endian encoding of public key in bytes.
+ * pubSz    Size of public key in bytes.
+ */
+int wc_DhCheckPubValue(const byte* prime, word32 primeSz, const byte* pub,
+                       word32 pubSz)
+{
+    int ret = 0;
+    word32 i;
+
+    for (i = 0; i < pubSz && pub[i] == 0; i++) {
+    }
+    pubSz -= i;
+    pub += i;
+
+    if (pubSz == 0 || (pubSz == 1 && pub[0] == 1))
+        ret = MP_VAL;
+    else if (pubSz == primeSz) {
+        for (i = 0; i < pubSz-1 && pub[i] == prime[i]; i++) {
+        }
+        if (i == pubSz-1 && (pub[i] == prime[i] || pub[i] == prime[i] - 1))
+            ret = MP_VAL;
+        else if (pub[i] > prime[i])
+            ret = MP_VAL;
+    }
+    else if (pubSz > primeSz)
+        ret = MP_VAL;
+
+    return ret;
+}
+
+
+/* Check DH Private Key for invalid numbers, optionally allowing
+ * the private key to be checked against the large prime (q).
+ * Check per process in SP 800-56Ar3, section 5.6.2.1.2.
+ *
+ * key     DH key group parameters.
+ * priv    Private Key.
+ * privSz  Private Key size.
+ * prime   Large prime (q), optionally NULL to skip check
+ * primeSz Size of large prime
+ *
+ *  returns 0 on success or error code
+ */
+int wc_DhCheckPrivKey_ex(DhKey* key, const byte* priv, word32 privSz,
+                         const byte* prime, word32 primeSz)
+{
+    int ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* x = NULL;
+    mp_int* q = NULL;
+#else
+    mp_int x[1];
+    mp_int q[1];
+#endif
+
+    if (key == NULL || priv == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    x = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (x == NULL)
+        return MEMORY_E;
+    q = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (q == NULL) {
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
+
+    if (mp_init_multi(x, q, NULL, NULL, NULL, NULL) != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(q, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return MP_INIT_E;
+    }
+
+    if (mp_read_unsigned_bin(x, priv, privSz) != MP_OKAY) {
         ret = MP_READ_E;
+    }
+
+    if (ret == 0) {
+        if (prime != NULL) {
+            if (mp_read_unsigned_bin(q, prime, primeSz) != MP_OKAY)
+                ret = MP_READ_E;
+        }
+        else if (mp_iszero(&key->q) == MP_NO) {
+            /* use q available in DhKey */
+            if (mp_copy(&key->q, q) != MP_OKAY)
+                ret = MP_INIT_E;
+        }
+    }
+
+    /* priv (x) should not be 0 */
+    if (ret == 0) {
+        if (mp_cmp_d(x, 0) == MP_EQ)
+            ret = MP_CMP_E;
+    }
+
+    if (ret == 0) {
+        if (mp_iszero(q) == MP_NO) {
+            /* priv (x) shouldn't be greater than q - 1 */
+            if (ret == 0) {
+                if (mp_copy(&key->q, q) != MP_OKAY)
+                    ret = MP_INIT_E;
+            }
+            if (ret == 0) {
+                if (mp_sub_d(q, 1, q) != MP_OKAY)
+                    ret = MP_SUB_E;
+            }
+            if (ret == 0) {
+                if (mp_cmp(x, q) == MP_GT)
+                    ret = DH_CHECK_PRIV_E;
+            }
+        }
+    }
+
+    mp_clear(x);
+    mp_clear(q);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(q, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+#endif
+
+    return ret;
+}
+
+
+/* Check DH Private Key for invalid numbers
+ *
+ * key    DH key group parameters.
+ * priv   Private Key.
+ * privSz Private Key size.
+ *
+ *  returns 0 on success or error code
+ */
+int wc_DhCheckPrivKey(DhKey* key, const byte* priv, word32 privSz)
+{
+    return wc_DhCheckPrivKey_ex(key, priv, privSz, NULL, 0);
+}
+
 
-    if (ret == 0 && mp_exptmod(&y, &x, &key->p, &z) != MP_OKAY)
+/* Check DH Keys for pair-wise consistency per process in
+ * SP 800-56Ar3, section 5.6.2.1.4, method (b) for FFC.
+ *
+ * key    DH key group parameters.
+ * pub    Public Key.
+ * pubSz  Public Key size.
+ * priv   Private Key.
+ * privSz Private Key size.
+ *
+ *  returns 0 on success or error code
+ */
+int wc_DhCheckKeyPair(DhKey* key, const byte* pub, word32 pubSz,
+                      const byte* priv, word32 privSz)
+{
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* publicKey = NULL;
+    mp_int* privateKey = NULL;
+    mp_int* checkKey = NULL;
+#else
+    mp_int publicKey[1];
+    mp_int privateKey[1];
+    mp_int checkKey[1];
+#endif
+    int ret = 0;
+
+    if (key == NULL || pub == NULL || priv == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef WOLFSSL_SMALL_STACK
+    publicKey = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (publicKey == NULL)
+        return MEMORY_E;
+    privateKey = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (privateKey == NULL) {
+        XFREE(publicKey, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+    checkKey = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (checkKey == NULL) {
+        XFREE(privateKey, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(publicKey, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
+
+    if (mp_init_multi(publicKey, privateKey, checkKey,
+                      NULL, NULL, NULL) != MP_OKAY) {
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(privateKey, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(publicKey, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(checkKey, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return MP_INIT_E;
+    }
+
+    /* Load the private and public keys into big integers. */
+    if (mp_read_unsigned_bin(publicKey, pub, pubSz) != MP_OKAY ||
+        mp_read_unsigned_bin(privateKey, priv, privSz) != MP_OKAY) {
+
+        ret = MP_READ_E;
+    }
+
+    /* Calculate checkKey = g^privateKey mod p */
+    if (ret == 0) {
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifndef WOLFSSL_SP_NO_2048
+        if (mp_count_bits(&key->p) == 2048) {
+            ret = sp_ModExp_2048(&key->g, privateKey, &key->p, checkKey);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+        if (mp_count_bits(&key->p) == 3072) {
+            ret = sp_ModExp_3072(&key->g, privateKey, &key->p, checkKey);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#ifdef WOLFSSL_SP_4096
+        if (mp_count_bits(&key->p) == 4096) {
+            ret = sp_ModExp_4096(&key->g, privateKey, &key->p, checkKey);
+            if (ret != 0)
+                ret = MP_EXPTMOD_E;
+        }
+        else
+#endif
+#endif
+        {
+#ifndef WOLFSSL_SP_MATH
+            if (mp_exptmod(&key->g, privateKey, &key->p, checkKey) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+#else
+            ret = WC_KEY_SIZE_E;
+#endif
+        }
+    }
+
+    /* Compare the calculated public key to the supplied check value. */
+    if (ret == 0) {
+        if (mp_cmp(checkKey, publicKey) != MP_EQ)
+            ret = MP_CMP_E;
+    }
+
+    mp_forcezero(privateKey);
+    mp_clear(privateKey);
+    mp_clear(publicKey);
+    mp_clear(checkKey);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(checkKey, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(privateKey, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(publicKey, key->heap, DYNAMIC_TYPE_DH);
+#endif
+
+    return ret;
+}
+
+
+int wc_DhGenerateKeyPair(DhKey* key, WC_RNG* rng,
+    byte* priv, word32* privSz, byte* pub, word32* pubSz)
+{
+    int ret;
+
+    if (key == NULL || rng == NULL || priv == NULL || privSz == NULL ||
+                                                pub == NULL || pubSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_DH) {
+        ret = wc_DhGenerateKeyPair_Async(key, rng, priv, privSz, pub, pubSz);
+    }
+    else
+#endif
+    {
+        ret = wc_DhGenerateKeyPair_Sync(key, rng, priv, privSz, pub, pubSz);
+    }
+
+    return ret;
+}
+
+
+static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
+    const byte* priv, word32 privSz, const byte* otherPub, word32 pubSz)
+{
+    int ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* y;
+#ifndef WOLFSSL_SP_MATH
+    mp_int* x;
+    mp_int* z;
+#endif
+#else
+    mp_int y[1];
+#ifndef WOLFSSL_SP_MATH
+    mp_int x[1];
+    mp_int z[1];
+#endif
+#endif
+
+#ifdef WOLFSSL_VALIDATE_FFC_IMPORT
+    if (wc_DhCheckPrivKey(key, priv, privSz) != 0) {
+        WOLFSSL_MSG("wc_DhAgree wc_DhCheckPrivKey failed");
+        return DH_CHECK_PRIV_E;
+    }
+
+    if (wc_DhCheckPubKey(key, otherPub, pubSz) != 0) {
+        WOLFSSL_MSG("wc_DhAgree wc_DhCheckPubKey failed");
+        return DH_CHECK_PUB_E;
+    }
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    y = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (y == NULL)
+        return MEMORY_E;
+#ifndef WOLFSSL_SP_MATH
+    x = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (x == NULL) {
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+    z = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_DH);
+    if (z == NULL) {
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+        return MEMORY_E;
+    }
+#endif
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifndef WOLFSSL_SP_NO_2048
+    if (mp_count_bits(&key->p) == 2048) {
+        if (mp_init(y) != MP_OKAY)
+            return MP_INIT_E;
+
+        if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
+            ret = MP_READ_E;
+
+        if (ret == 0)
+            ret = sp_DhExp_2048(y, priv, privSz, &key->p, agree, agreeSz);
+
+        mp_clear(y);
+    #ifdef WOLFSSL_SMALL_STACK
+    #ifndef WOLFSSL_SP_MATH
+        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return ret;
+    }
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+    if (mp_count_bits(&key->p) == 3072) {
+        if (mp_init(y) != MP_OKAY)
+            return MP_INIT_E;
+
+        if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
+            ret = MP_READ_E;
+
+        if (ret == 0)
+            ret = sp_DhExp_3072(y, priv, privSz, &key->p, agree, agreeSz);
+
+        mp_clear(y);
+    #ifdef WOLFSSL_SMALL_STACK
+    #ifndef WOLFSSL_SP_MATH
+        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return ret;
+    }
+#endif
+#ifdef WOLFSSL_SP_4096
+    if (mp_count_bits(&key->p) == 4096) {
+        if (mp_init(y) != MP_OKAY)
+            return MP_INIT_E;
+
+        if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
+            ret = MP_READ_E;
+
+        if (ret == 0)
+            ret = sp_DhExp_4096(y, priv, privSz, &key->p, agree, agreeSz);
+
+        mp_clear(y);
+    #ifdef WOLFSSL_SMALL_STACK
+    #ifndef WOLFSSL_SP_MATH
+        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return ret;
+    }
+#endif
+#endif
+
+#ifndef WOLFSSL_SP_MATH
+    if (mp_init_multi(x, y, z, 0, 0, 0) != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+    #endif
+        return MP_INIT_E;
+    }
+
+    if (mp_read_unsigned_bin(x, priv, privSz) != MP_OKAY)
+        ret = MP_READ_E;
+
+    if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
+        ret = MP_READ_E;
+
+    if (ret == 0 && mp_exptmod(y, x, &key->p, z) != MP_OKAY)
         ret = MP_EXPTMOD_E;
 
-    if (ret == 0 && mp_to_unsigned_bin(&z, agree) != MP_OKAY)
+    /* make sure z is not one (SP800-56A, 5.7.1.1) */
+    if (ret == 0 && (mp_cmp_d(z, 1) == MP_EQ))
+        ret = MP_VAL;
+
+    if (ret == 0 && mp_to_unsigned_bin(z, agree) != MP_OKAY)
         ret = MP_TO_E;
 
     if (ret == 0)
-        *agreeSz = mp_unsigned_bin_size(&z);
+        *agreeSz = mp_unsigned_bin_size(z);
+
+    mp_clear(z);
+    mp_clear(y);
+    mp_forcezero(x);
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+#ifndef WOLFSSL_SP_MATH
+    XFREE(z, key->heap, DYNAMIC_TYPE_DH);
+    XFREE(x, key->heap, DYNAMIC_TYPE_DH);
+#endif
+    XFREE(y, key->heap, DYNAMIC_TYPE_DH);
+#endif
+
+    return ret;
+}
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+static int wc_DhAgree_Async(DhKey* key, byte* agree, word32* agreeSz,
+    const byte* priv, word32 privSz, const byte* otherPub, word32 pubSz)
+{
+    int ret;
+
+#if defined(HAVE_INTEL_QA)
+    word32 pBits;
+
+    /* QAT DH sizes: 768, 1024, 1536, 2048, 3072 and 4096 bits */
+    pBits = mp_unsigned_bin_size(&key->p) * 8;
+    if (pBits == 768 ||  pBits == 1024 || pBits == 1536 ||
+        pBits == 2048 || pBits == 3072 || pBits == 4096) {
+        ret = wc_mp_to_bigint(&key->p, &key->p.raw);
+        if (ret == MP_OKAY)
+            ret = IntelQaDhAgree(&key->asyncDev, &key->p.raw,
+                agree, agreeSz, priv, privSz, otherPub, pubSz);
+        return ret;
+    }
+
+#elif defined(HAVE_CAVIUM)
+    /* TODO: Not implemented - use software for now */
+
+#else /* WOLFSSL_ASYNC_CRYPT_TEST */
+    if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_DH_AGREE)) {
+        WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+        testDev->dhAgree.key = key;
+        testDev->dhAgree.agree = agree;
+        testDev->dhAgree.agreeSz = agreeSz;
+        testDev->dhAgree.priv = priv;
+        testDev->dhAgree.privSz = privSz;
+        testDev->dhAgree.otherPub = otherPub;
+        testDev->dhAgree.pubSz = pubSz;
+        return WC_PENDING_E;
+    }
+#endif
 
-    mp_clear(&z);
-    mp_clear(&y);
-    mp_clear(&x);
+    /* otherwise use software DH */
+    ret = wc_DhAgree_Sync(key, agree, agreeSz, priv, privSz, otherPub, pubSz);
 
     return ret;
 }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
+            word32 privSz, const byte* otherPub, word32 pubSz)
+{
+    int ret = 0;
+
+    if (key == NULL || agree == NULL || agreeSz == NULL || priv == NULL ||
+                                                            otherPub == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_DH) {
+        ret = wc_DhAgree_Async(key, agree, agreeSz, priv, privSz, otherPub, pubSz);
+    }
+    else
+#endif
+    {
+        ret = wc_DhAgree_Sync(key, agree, agreeSz, priv, privSz, otherPub, pubSz);
+    }
+
+    return ret;
+}
+
+#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+/* Sets private and public key in DhKey if both are available, otherwise sets
+    either private or public key, depending on which is available.
+    Returns WOLFSSL_SUCCESS if at least one of the keys was set. */
+WOLFSSL_LOCAL int wc_DhSetFullKeys(DhKey* key,const byte* priv_key,word32 privSz,
+                                   const byte* pub_key, word32 pubSz)
+{
+    byte havePriv = 0;
+    byte havePub = 0;
+    mp_int* keyPriv = NULL;
+    mp_int* keyPub  = NULL;
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    havePriv = ( (priv_key != NULL) && (privSz > 0) );
+    havePub  = ( (pub_key  != NULL) && (pubSz  > 0) );
+
+    if (!havePub && !havePriv) {
+        WOLFSSL_MSG("No Public or Private Key to Set");
+        return BAD_FUNC_ARG;
+    }
+    /* Set Private Key */
+    if (havePriv == TRUE) {
+        /* may have leading 0 */
+        if (priv_key[0] == 0) {
+            privSz--; priv_key++;
+        }
+        if (mp_init(&key->priv) != MP_OKAY)
+            havePriv = FALSE;
+    }
+
+    if (havePriv == TRUE) {
+        if (mp_read_unsigned_bin(&key->priv, priv_key, privSz) != MP_OKAY) {
+            havePriv = FALSE;
+        } else {
+            keyPriv = &key->priv;
+            WOLFSSL_MSG("DH Private Key Set.");
+        }
+    }
+
+    /* Set Public Key */
+    if (havePub == TRUE) {
+        /* may have leading 0 */
+        if (pub_key[0] == 0) {
+            pubSz--; pub_key++;
+        }
+        if (mp_init(&key->pub) != MP_OKAY)
+            havePub = FALSE;
+    }
+
+    if (havePub == TRUE) {
+        if (mp_read_unsigned_bin(&key->pub, pub_key, pubSz) != MP_OKAY) {
+            havePub = FALSE;
+        } else {
+            keyPub = &key->pub;
+            WOLFSSL_MSG("DH Public Key Set.");
+        }
+    }
+    /* Free Memory if error occured */
+    if (havePriv == FALSE && keyPriv != NULL)
+        mp_clear(keyPriv);
+    if (havePub == FALSE && keyPub != NULL)
+        mp_clear(keyPub);
+
+    /* WOLFSSL_SUCCESS if private or public was set else WOLFSSL_FAILURE */
+    return havePriv || havePub;
+}
+#endif
+
+static int _DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
+                   word32 gSz, const byte* q, word32 qSz, int trusted,
+                   WC_RNG* rng)
+{
+    int ret = 0;
+    mp_int* keyP = NULL;
+    mp_int* keyG = NULL;
+
+    if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        /* may have leading 0 */
+        if (p[0] == 0) {
+            pSz--; p++;
+        }
+
+        if (g[0] == 0) {
+            gSz--; g++;
+        }
+
+        if (q != NULL) {
+            if (q[0] == 0) {
+                qSz--; q++;
+            }
+        }
+
+        if (mp_init(&key->p) != MP_OKAY)
+            ret = MP_INIT_E;
+    }
+
+    if (ret == 0) {
+        if (mp_read_unsigned_bin(&key->p, p, pSz) != MP_OKAY)
+            ret = ASN_DH_KEY_E;
+        else
+            keyP = &key->p;
+    }
+
+    if (ret == 0 && !trusted) {
+        int isPrime = 0;
+        if (rng != NULL)
+            ret = mp_prime_is_prime_ex(keyP, 8, &isPrime, rng);
+        else
+            ret = mp_prime_is_prime(keyP, 8, &isPrime);
+
+        if (ret == 0 && isPrime == 0)
+            ret = DH_CHECK_PUB_E;
+    }
+
+    if (ret == 0 && mp_init(&key->g) != MP_OKAY)
+        ret = MP_INIT_E;
+    if (ret == 0) {
+        if (mp_read_unsigned_bin(&key->g, g, gSz) != MP_OKAY)
+            ret = ASN_DH_KEY_E;
+        else
+            keyG = &key->g;
+    }
+
+    if (ret == 0 && q != NULL) {
+        if (mp_init(&key->q) != MP_OKAY)
+            ret = MP_INIT_E;
+    }
+    if (ret == 0 && q != NULL) {
+        if (mp_read_unsigned_bin(&key->q, q, qSz) != MP_OKAY)
+            ret = MP_INIT_E;
+    }
+
+    if (ret != 0 && key != NULL) {
+        if (keyG)
+            mp_clear(keyG);
+        if (keyP)
+            mp_clear(keyP);
+    }
+
+    return ret;
+}
+
+
+int wc_DhSetCheckKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
+                   word32 gSz, const byte* q, word32 qSz, int trusted,
+                   WC_RNG* rng)
+{
+    return _DhSetKey(key, p, pSz, g, gSz, q, qSz, trusted, rng);
+}
+
+
+int wc_DhSetKey_ex(DhKey* key, const byte* p, word32 pSz, const byte* g,
+                   word32 gSz, const byte* q, word32 qSz)
+{
+    return _DhSetKey(key, p, pSz, g, gSz, q, qSz, 1, NULL);
+}
 
 
 /* not in asn anymore since no actual asn types used */
 int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
                 word32 gSz)
 {
-    if (key == NULL || p == NULL || g == NULL || pSz == 0 || gSz == 0)
-        return BAD_FUNC_ARG;
+    return _DhSetKey(key, p, pSz, g, gSz, NULL, 0, 1, NULL);
+}
+
+
+#ifdef WOLFSSL_KEY_GEN
+
+/* modulus_size in bits */
+int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh)
+{
+    mp_int  tmp, tmp2;
+    int     groupSz = 0, bufSz = 0,
+            primeCheckCount = 0,
+            primeCheck = MP_NO,
+            ret = 0;
+    unsigned char *buf = NULL;
 
-    /* may have leading 0 */
-    if (p[0] == 0) {
-        pSz--; p++;
+    if (rng == NULL || dh == NULL)
+        ret = BAD_FUNC_ARG;
+
+    /* set group size in bytes from modulus size
+     * FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
+     */
+    if (ret == 0) {
+        switch (modSz) {
+            case 1024:
+                groupSz = 20;
+                break;
+            case 2048:
+            case 3072:
+                groupSz = 32;
+                break;
+            default:
+                ret = BAD_FUNC_ARG;
+                break;
+        }
     }
 
-    if (g[0] == 0) {
-        gSz--; g++;
+    if (ret == 0) {
+        /* modulus size in bytes */
+        modSz /= WOLFSSL_BIT_SIZE;
+        bufSz = modSz - groupSz;
+
+        /* allocate ram */
+        buf = (unsigned char *)XMALLOC(bufSz,
+                                       dh->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (buf == NULL)
+            ret = MEMORY_E;
     }
 
-    if (mp_init(&key->p) != MP_OKAY)
-        return MP_INIT_E;
-    if (mp_read_unsigned_bin(&key->p, p, pSz) != 0) {
-        mp_clear(&key->p);
-        return ASN_DH_KEY_E;
+    /* make a random string that will be multiplied against q */
+    if (ret == 0)
+        ret = wc_RNG_GenerateBlock(rng, buf, bufSz);
+
+    if (ret == 0) {
+        /* force magnitude */
+        buf[0] |= 0xC0;
+        /* force even */
+        buf[bufSz - 1] &= ~1;
+
+        if (mp_init_multi(&tmp, &tmp2, &dh->p, &dh->q, &dh->g, 0)
+                != MP_OKAY) {
+            ret = MP_INIT_E;
+        }
     }
 
-    if (mp_init(&key->g) != MP_OKAY) {
-        mp_clear(&key->p);
-        return MP_INIT_E;
+    if (ret == 0) {
+        if (mp_read_unsigned_bin(&tmp2, buf, bufSz) != MP_OKAY)
+            ret = MP_READ_E;
     }
-    if (mp_read_unsigned_bin(&key->g, g, gSz) != 0) {
-        mp_clear(&key->g);
-        mp_clear(&key->p);
-        return ASN_DH_KEY_E;
+
+    /* make our prime q */
+    if (ret == 0) {
+        if (mp_rand_prime(&dh->q, groupSz, rng, NULL) != MP_OKAY)
+            ret = PRIME_GEN_E;
     }
 
-    return 0;
+    /* p = random * q */
+    if (ret == 0) {
+        if (mp_mul(&dh->q, &tmp2, &dh->p) != MP_OKAY)
+            ret = MP_MUL_E;
+    }
+
+    /* p = random * q + 1, so q is a prime divisor of p-1 */
+    if (ret == 0) {
+        if (mp_add_d(&dh->p, 1, &dh->p) != MP_OKAY)
+            ret = MP_ADD_E;
+    }
+
+    /* tmp = 2q  */
+    if (ret == 0) {
+        if (mp_add(&dh->q, &dh->q, &tmp) != MP_OKAY)
+            ret = MP_ADD_E;
+    }
+
+    /* loop until p is prime */
+    if (ret == 0) {
+        do {
+            if (mp_prime_is_prime_ex(&dh->p, 8, &primeCheck, rng) != MP_OKAY)
+                ret = PRIME_GEN_E;
+
+            if (primeCheck != MP_YES) {
+                /* p += 2q */
+                if (mp_add(&tmp, &dh->p, &dh->p) != MP_OKAY)
+                    ret = MP_ADD_E;
+                else
+                    primeCheckCount++;
+            }
+        } while (ret == 0 && primeCheck == MP_NO);
+    }
+
+    /* tmp2 += (2*loop_check_prime)
+     * to have p = (q * tmp2) + 1 prime
+     */
+    if ((ret == 0) && (primeCheckCount)) {
+        if (mp_add_d(&tmp2, 2 * primeCheckCount, &tmp2) != MP_OKAY)
+            ret = MP_ADD_E;
+    }
+
+    /* find a value g for which g^tmp2 != 1 */
+    if ((ret == 0) && (mp_set(&dh->g, 1) != MP_OKAY))
+        ret = MP_ZERO_E;
+
+    if (ret == 0) {
+        do {
+            if (mp_add_d(&dh->g, 1, &dh->g) != MP_OKAY)
+                ret = MP_ADD_E;
+            else if (mp_exptmod(&dh->g, &tmp2, &dh->p, &tmp) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+        } while (ret == 0 && mp_cmp_d(&tmp, 1) == MP_EQ);
+    }
+
+    if (ret == 0) {
+        /* at this point tmp generates a group of order q mod p */
+        mp_exch(&tmp, &dh->g);
+    }
+
+    /* clear the parameters if there was an error */
+    if ((ret != 0) && (dh != NULL)) {
+        mp_clear(&dh->q);
+        mp_clear(&dh->p);
+        mp_clear(&dh->g);
+    }
+
+    if (buf != NULL) {
+        ForceZero(buf, bufSz);
+        if (dh != NULL) {
+            XFREE(buf, dh->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        }
+    }
+    mp_clear(&tmp);
+    mp_clear(&tmp2);
+
+    return ret;
 }
 
 
-#endif /* NO_DH */
+/* Export raw DH parameters from DhKey structure
+ *
+ * dh   - pointer to initialized DhKey structure
+ * p    - output location for DH (p) parameter
+ * pSz  - [IN/OUT] size of output buffer for p, size of p
+ * q    - output location for DH (q) parameter
+ * qSz  - [IN/OUT] size of output buffer for q, size of q
+ * g    - output location for DH (g) parameter
+ * gSz  - [IN/OUT] size of output buffer for g, size of g
+ *
+ * If p, q, and g pointers are all passed in as NULL, the function
+ * will set pSz, qSz, and gSz to the required output buffer sizes for p,
+ * q, and g. In this case, the function will return LENGTH_ONLY_E.
+ *
+ * returns 0 on success, negative upon failure
+ */
+int wc_DhExportParamsRaw(DhKey* dh, byte* p, word32* pSz,
+                         byte* q, word32* qSz, byte* g, word32* gSz)
+{
+    int ret = 0;
+    word32 pLen = 0, qLen = 0, gLen = 0;
+
+    if (dh == NULL || pSz == NULL || qSz == NULL || gSz == NULL)
+        ret = BAD_FUNC_ARG;
+
+    /* get required output buffer sizes */
+    if (ret == 0) {
+        pLen = mp_unsigned_bin_size(&dh->p);
+        qLen = mp_unsigned_bin_size(&dh->q);
+        gLen = mp_unsigned_bin_size(&dh->g);
+
+        /* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
+        if (p == NULL && q == NULL && g == NULL) {
+            *pSz = pLen;
+            *qSz = qLen;
+            *gSz = gLen;
+            ret = LENGTH_ONLY_E;
+        }
+    }
+
+    if (ret == 0) {
+        if (p == NULL || q == NULL || g == NULL)
+            ret = BAD_FUNC_ARG;
+    }
+
+    /* export p */
+    if (ret == 0) {
+        if (*pSz < pLen) {
+            WOLFSSL_MSG("Output buffer for DH p parameter too small, "
+                        "required size placed into pSz");
+            *pSz = pLen;
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        *pSz = pLen;
+        if (mp_to_unsigned_bin(&dh->p, p) != MP_OKAY)
+            ret = MP_TO_E;
+    }
+
+    /* export q */
+    if (ret == 0) {
+        if (*qSz < qLen) {
+            WOLFSSL_MSG("Output buffer for DH q parameter too small, "
+                        "required size placed into qSz");
+            *qSz = qLen;
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        *qSz = qLen;
+        if (mp_to_unsigned_bin(&dh->q, q) != MP_OKAY)
+            ret = MP_TO_E;
+    }
+
+    /* export g */
+    if (ret == 0) {
+        if (*gSz < gLen) {
+            WOLFSSL_MSG("Output buffer for DH g parameter too small, "
+                        "required size placed into gSz");
+            *gSz = gLen;
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        *gSz = gLen;
+        if (mp_to_unsigned_bin(&dh->g, g) != MP_OKAY)
+            ret = MP_TO_E;
+    }
+
+    return ret;
+}
 
+#endif /* WOLFSSL_KEY_GEN */
+
+#endif /* NO_DH */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dsa.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dsa.c
index f2124b197..4b83a571d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dsa.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/dsa.c
@@ -1,8 +1,8 @@
 /* dsa.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,97 +28,703 @@
 
 #ifndef NO_DSA
 
-#include <wolfssl/wolfcrypt/dsa.h>
-#include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/integer.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/sha.h>
+#include <wolfssl/wolfcrypt/dsa.h>
 
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
 
-enum {
-    DSA_HALF_SIZE = 20,   /* r and s size  */
-    DSA_SIG_SIZE  = 40    /* signature size */
-};
-
-
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
+int wc_InitDsaKey(DsaKey* key)
+{
+    if (key == NULL)
+        return BAD_FUNC_ARG;
 
-#endif /* WOLFSSL_HAVE_MIN */
+    key->type = -1;  /* haven't decided yet */
+    key->heap = NULL;
+
+    return mp_init_multi(
+        /* public  alloc parts */
+        &key->p,
+        &key->q,
+        &key->g,
+        &key->y,
+
+        /* private alloc parts */
+        &key->x,
+        NULL
+    );
+}
 
 
-void wc_InitDsaKey(DsaKey* key)
+int wc_InitDsaKey_h(DsaKey* key, void* h)
 {
-    key->type = -1;  /* haven't decided yet */
-
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
-    key->p.dp = 0;   /* public  alloc parts */
-    key->q.dp = 0;    
-    key->g.dp = 0;    
-    key->y.dp = 0;    
+    int ret = wc_InitDsaKey(key);
+    if (ret == 0)
+        key->heap = h;
 
-    key->x.dp = 0;   /* private alloc parts */
-#endif
+    return ret;
 }
 
 
 void wc_FreeDsaKey(DsaKey* key)
 {
-    (void)key;
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
+    if (key == NULL)
+        return;
+
     if (key->type == DSA_PRIVATE)
-        mp_clear(&key->x);
+        mp_forcezero(&key->x);
+
+    mp_clear(&key->x);
     mp_clear(&key->y);
     mp_clear(&key->g);
     mp_clear(&key->q);
     mp_clear(&key->p);
-#endif
 }
 
 
-int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, RNG* rng)
+/* validate that (L,N) match allowed sizes from FIPS 186-4, Section 4.2.
+ * modLen - represents L, the size of p (prime modulus) in bits
+ * divLen - represents N, the size of q (prime divisor) in bits
+ * return 0 on success, -1 on error */
+static int CheckDsaLN(int modLen, int divLen)
+{
+    int ret = -1;
+
+    switch (modLen) {
+        case 1024:
+            if (divLen == 160)
+                ret = 0;
+            break;
+        case 2048:
+            if (divLen == 224 || divLen == 256)
+                ret = 0;
+            break;
+        case 3072:
+            if (divLen == 256)
+                ret = 0;
+            break;
+        default:
+            break;
+    }
+
+    return ret;
+}
+
+
+#ifdef WOLFSSL_KEY_GEN
+
+/* Create DSA key pair (&dsa->x, &dsa->y)
+ *
+ * Based on NIST FIPS 186-4,
+ * "B.1.1 Key Pair Generation Using Extra Random Bits"
+ *
+ * rng - pointer to initialized WC_RNG structure
+ * dsa - pointer to initialized DsaKey structure, will hold generated key
+ *
+ * return 0 on success, negative on error */
+int wc_MakeDsaKey(WC_RNG *rng, DsaKey *dsa)
+{
+    byte* cBuf;
+    int qSz, pSz, cSz, err;
+    mp_int tmpQ;
+
+    if (rng == NULL || dsa == NULL)
+        return BAD_FUNC_ARG;
+
+    qSz = mp_unsigned_bin_size(&dsa->q);
+    pSz = mp_unsigned_bin_size(&dsa->p);
+
+    /* verify (L,N) pair bit lengths */
+    if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0)
+        return BAD_FUNC_ARG;
+
+    /* generate extra 64 bits so that bias from mod function is negligible */
+    cSz = qSz + (64 / WOLFSSL_BIT_SIZE);
+    cBuf = (byte*)XMALLOC(cSz, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cBuf == NULL) {
+        return MEMORY_E;
+    }
+
+    if ((err = mp_init_multi(&dsa->x, &dsa->y, &tmpQ, NULL, NULL, NULL))
+                   != MP_OKAY) {
+        XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return err;
+    }
+
+    do {
+        /* generate N+64 bits (c) from RBG into &dsa->x, making sure positive.
+         * Hash_DRBG uses SHA-256 which matches maximum
+         * requested_security_strength of (L,N) */
+        err = wc_RNG_GenerateBlock(rng, cBuf, cSz);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->x);
+            mp_clear(&dsa->y);
+            mp_clear(&tmpQ);
+            XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return err;
+        }
+
+        err = mp_read_unsigned_bin(&dsa->x, cBuf, cSz);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->x);
+            mp_clear(&dsa->y);
+            mp_clear(&tmpQ);
+            XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return err;
+        }
+    } while (mp_cmp_d(&dsa->x, 1) != MP_GT);
+
+    XFREE(cBuf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    /* tmpQ = q - 1 */
+    if (err == MP_OKAY)
+        err = mp_copy(&dsa->q, &tmpQ);
+
+    if (err == MP_OKAY)
+        err = mp_sub_d(&tmpQ, 1, &tmpQ);
+
+    /* x = c mod (q-1), &dsa->x holds c */
+    if (err == MP_OKAY)
+        err = mp_mod(&dsa->x, &tmpQ, &dsa->x);
+
+    /* x = c mod (q-1) + 1 */
+    if (err == MP_OKAY)
+        err = mp_add_d(&dsa->x, 1, &dsa->x);
+
+    /* public key : y = g^x mod p */
+    if (err == MP_OKAY)
+        err = mp_exptmod_ex(&dsa->g, &dsa->x, dsa->q.used, &dsa->p, &dsa->y);
+
+    if (err == MP_OKAY)
+        dsa->type = DSA_PRIVATE;
+
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->x);
+        mp_clear(&dsa->y);
+    }
+    mp_clear(&tmpQ);
+
+    return err;
+}
+
+
+/* modulus_size in bits */
+int wc_MakeDsaParameters(WC_RNG *rng, int modulus_size, DsaKey *dsa)
+{
+    mp_int  tmp, tmp2;
+    int     err, msize, qsize,
+            loop_check_prime = 0,
+            check_prime = MP_NO;
+    unsigned char   *buf;
+
+    if (rng == NULL || dsa == NULL)
+        return BAD_FUNC_ARG;
+
+    /* set group size in bytes from modulus size
+     * FIPS 186-4 defines valid values (1024, 160) (2048, 256) (3072, 256)
+     */
+    switch (modulus_size) {
+        case 1024:
+            qsize = 20;
+            break;
+        case 2048:
+        case 3072:
+            qsize = 32;
+            break;
+        default:
+            return BAD_FUNC_ARG;
+    }
+
+    /* modulus size in bytes */
+    msize = modulus_size / WOLFSSL_BIT_SIZE;
+
+    /* allocate ram */
+    buf = (unsigned char *)XMALLOC(msize - qsize,
+                                   dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (buf == NULL) {
+        return MEMORY_E;
+    }
+
+    /* make a random string that will be multiplied against q */
+    err = wc_RNG_GenerateBlock(rng, buf, msize - qsize);
+    if (err != MP_OKAY) {
+        XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return err;
+    }
+
+    /* force magnitude */
+    buf[0] |= 0xC0;
+
+    /* force even */
+    buf[msize - qsize - 1] &= ~1;
+
+    if (mp_init_multi(&tmp2, &dsa->p, &dsa->q, 0, 0, 0) != MP_OKAY) {
+        mp_clear(&dsa->q);
+        XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MP_INIT_E;
+    }
+
+    err = mp_read_unsigned_bin(&tmp2, buf, msize - qsize);
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp2);
+        XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return err;
+    }
+    XFREE(buf, dsa->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    /* make our prime q */
+    err = mp_rand_prime(&dsa->q, qsize, rng, NULL);
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp2);
+        return err;
+    }
+
+    /* p = random * q */
+    err = mp_mul(&dsa->q, &tmp2, &dsa->p);
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp2);
+        return err;
+    }
+
+    /* p = random * q + 1, so q is a prime divisor of p-1 */
+    err = mp_add_d(&dsa->p, 1, &dsa->p);
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp2);
+        return err;
+    }
+
+    if (mp_init(&tmp) != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp2);
+        return MP_INIT_E;
+    }
+
+    /* tmp = 2q  */
+    err = mp_add(&dsa->q, &dsa->q, &tmp);
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp);
+        mp_clear(&tmp2);
+        return err;
+    }
+
+    /* loop until p is prime */
+    while (check_prime == MP_NO) {
+        err = mp_prime_is_prime_ex(&dsa->p, 8, &check_prime, rng);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->q);
+            mp_clear(&dsa->p);
+            mp_clear(&tmp);
+            mp_clear(&tmp2);
+            return err;
+        }
+
+        if (check_prime != MP_YES) {
+            /* p += 2q */
+            err = mp_add(&tmp, &dsa->p, &dsa->p);
+            if (err != MP_OKAY) {
+                mp_clear(&dsa->q);
+                mp_clear(&dsa->p);
+                mp_clear(&tmp);
+                mp_clear(&tmp2);
+                return err;
+            }
+
+            loop_check_prime++;
+        }
+    }
+
+    /* tmp2 += (2*loop_check_prime)
+     * to have p = (q * tmp2) + 1 prime
+     */
+    if (loop_check_prime) {
+        err = mp_add_d(&tmp2, 2*loop_check_prime, &tmp2);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->q);
+            mp_clear(&dsa->p);
+            mp_clear(&tmp);
+            mp_clear(&tmp2);
+            return err;
+        }
+    }
+
+    if (mp_init(&dsa->g) != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp);
+        mp_clear(&tmp2);
+        return MP_INIT_E;
+    }
+
+    /* find a value g for which g^tmp2 != 1 */
+    if (mp_set(&dsa->g, 1) != MP_OKAY) {
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->p);
+        mp_clear(&tmp);
+        mp_clear(&tmp2);
+        return MP_INIT_E;
+    }
+
+    do {
+        err = mp_add_d(&dsa->g, 1, &dsa->g);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->q);
+            mp_clear(&dsa->p);
+            mp_clear(&dsa->g);
+            mp_clear(&tmp);
+            mp_clear(&tmp2);
+            return err;
+        }
+
+        err = mp_exptmod(&dsa->g, &tmp2, &dsa->p, &tmp);
+        if (err != MP_OKAY) {
+            mp_clear(&dsa->q);
+            mp_clear(&dsa->p);
+            mp_clear(&dsa->g);
+            mp_clear(&tmp);
+            mp_clear(&tmp2);
+            return err;
+        }
+
+    } while (mp_cmp_d(&tmp, 1) == MP_EQ);
+
+    /* at this point tmp generates a group of order q mod p */
+    mp_exch(&tmp, &dsa->g);
+
+    mp_clear(&tmp);
+    mp_clear(&tmp2);
+
+    return MP_OKAY;
+}
+#endif /* WOLFSSL_KEY_GEN */
+
+
+static int _DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
+                          const char* g, int trusted, WC_RNG* rng)
+{
+    int err;
+    word32 pSz, qSz;
+
+    if (dsa == NULL || p == NULL || q == NULL || g == NULL)
+        return BAD_FUNC_ARG;
+
+    /* read p */
+    err = mp_read_radix(&dsa->p, p, MP_RADIX_HEX);
+    if (err == MP_OKAY && !trusted) {
+        int isPrime = 1;
+        if (rng == NULL)
+            err = mp_prime_is_prime(&dsa->p, 8, &isPrime);
+        else
+            err = mp_prime_is_prime_ex(&dsa->p, 8, &isPrime, rng);
+
+        if (err == MP_OKAY) {
+            if (!isPrime)
+                err = DH_CHECK_PUB_E;
+        }
+    }
+
+    /* read q */
+    if (err == MP_OKAY)
+        err = mp_read_radix(&dsa->q, q, MP_RADIX_HEX);
+
+    /* read g */
+    if (err == MP_OKAY)
+        err = mp_read_radix(&dsa->g, g, MP_RADIX_HEX);
+
+    /* verify (L,N) pair bit lengths */
+    pSz = mp_unsigned_bin_size(&dsa->p);
+    qSz = mp_unsigned_bin_size(&dsa->q);
+
+    if (CheckDsaLN(pSz * WOLFSSL_BIT_SIZE, qSz * WOLFSSL_BIT_SIZE) != 0) {
+        WOLFSSL_MSG("Invalid DSA p or q parameter size");
+        err = BAD_FUNC_ARG;
+    }
+
+    if (err != MP_OKAY) {
+        mp_clear(&dsa->p);
+        mp_clear(&dsa->q);
+        mp_clear(&dsa->g);
+    }
+
+    return err;
+}
+
+
+/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
+ * input parameters (p,q,g) should be represented as ASCII hex values.
+ *
+ * dsa  - pointer to initialized DsaKey structure
+ * p    - DSA (p) parameter, ASCII hex string
+ * pSz  - length of p
+ * q    - DSA (q) parameter, ASCII hex string
+ * qSz  - length of q
+ * g    - DSA (g) parameter, ASCII hex string
+ * gSz  - length of g
+ *
+ * returns 0 on success, negative upon failure
+ */
+int wc_DsaImportParamsRaw(DsaKey* dsa, const char* p, const char* q,
+                          const char* g)
+{
+    return _DsaImportParamsRaw(dsa, p, q, g, 1, NULL);
+}
+
+
+/* Import raw DSA parameters into DsaKey structure for use with wc_MakeDsaKey(),
+ * input parameters (p,q,g) should be represented as ASCII hex values. Check
+ * that the p value is probably prime.
+ *
+ * dsa  - pointer to initialized DsaKey structure
+ * p    - DSA (p) parameter, ASCII hex string
+ * pSz  - length of p
+ * q    - DSA (q) parameter, ASCII hex string
+ * qSz  - length of q
+ * g    - DSA (g) parameter, ASCII hex string
+ * gSz  - length of g
+ * trusted - trust that p is OK
+ * rng  - random number generator for the prime test
+ *
+ * returns 0 on success, negative upon failure
+ */
+int wc_DsaImportParamsRawCheck(DsaKey* dsa, const char* p, const char* q,
+                          const char* g, int trusted, WC_RNG* rng)
+{
+    return _DsaImportParamsRaw(dsa, p, q, g, trusted, rng);
+}
+
+
+/* Export raw DSA parameters from DsaKey structure
+ *
+ * dsa  - pointer to initialized DsaKey structure
+ * p    - output location for DSA (p) parameter
+ * pSz  - [IN/OUT] size of output buffer for p, size of p
+ * q    - output location for DSA (q) parameter
+ * qSz  - [IN/OUT] size of output buffer for q, size of q
+ * g    - output location for DSA (g) parameter
+ * gSz  - [IN/OUT] size of output buffer for g, size of g
+ *
+ * If p, q, and g pointers are all passed in as NULL, the function
+ * will set pSz, qSz, and gSz to the required output buffer sizes for p,
+ * q, and g. In this case, the function will return LENGTH_ONLY_E.
+ *
+ * returns 0 on success, negative upon failure
+ */
+int wc_DsaExportParamsRaw(DsaKey* dsa, byte* p, word32* pSz,
+                          byte* q, word32* qSz, byte* g, word32* gSz)
+{
+    int err;
+    word32 pLen, qLen, gLen;
+
+    if (dsa == NULL || pSz == NULL || qSz == NULL || gSz == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get required output buffer sizes */
+    pLen = mp_unsigned_bin_size(&dsa->p);
+    qLen = mp_unsigned_bin_size(&dsa->q);
+    gLen = mp_unsigned_bin_size(&dsa->g);
+
+    /* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
+    if (p == NULL && q == NULL && g == NULL) {
+        *pSz = pLen;
+        *qSz = qLen;
+        *gSz = gLen;
+        return LENGTH_ONLY_E;
+    }
+
+    if (p == NULL || q == NULL || g == NULL)
+        return BAD_FUNC_ARG;
+
+    /* export p */
+    if (*pSz < pLen) {
+        WOLFSSL_MSG("Output buffer for DSA p parameter too small, "
+                    "required size placed into pSz");
+        *pSz = pLen;
+        return BUFFER_E;
+    }
+    *pSz = pLen;
+    err = mp_to_unsigned_bin(&dsa->p, p);
+
+    /* export q */
+    if (err == MP_OKAY) {
+        if (*qSz < qLen) {
+            WOLFSSL_MSG("Output buffer for DSA q parameter too small, "
+                        "required size placed into qSz");
+            *qSz = qLen;
+            return BUFFER_E;
+        }
+        *qSz = qLen;
+        err = mp_to_unsigned_bin(&dsa->q, q);
+    }
+
+    /* export g */
+    if (err == MP_OKAY) {
+        if (*gSz < gLen) {
+            WOLFSSL_MSG("Output buffer for DSA g parameter too small, "
+                        "required size placed into gSz");
+            *gSz = gLen;
+            return BUFFER_E;
+        }
+        *gSz = gLen;
+        err = mp_to_unsigned_bin(&dsa->g, g);
+    }
+
+    return err;
+}
+
+
+/* Export raw DSA key (x, y) from DsaKey structure
+ *
+ * dsa  - pointer to initialized DsaKey structure
+ * x    - output location for private key
+ * xSz  - [IN/OUT] size of output buffer for x, size of x
+ * y    - output location for public key
+ * ySz  - [IN/OUT] size of output buffer for y, size of y
+ *
+ * If x and y pointers are all passed in as NULL, the function
+ * will set xSz and ySz to the required output buffer sizes for x
+ * and y. In this case, the function will return LENGTH_ONLY_E.
+ *
+ * returns 0 on success, negative upon failure
+ */
+int wc_DsaExportKeyRaw(DsaKey* dsa, byte* x, word32* xSz, byte* y, word32* ySz)
+{
+    int err;
+    word32 xLen, yLen;
+
+    if (dsa == NULL || xSz == NULL || ySz == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get required output buffer sizes */
+    xLen = mp_unsigned_bin_size(&dsa->x);
+    yLen = mp_unsigned_bin_size(&dsa->y);
+
+    /* return buffer sizes and LENGTH_ONLY_E if buffers are NULL */
+    if (x == NULL && y == NULL) {
+        *xSz = xLen;
+        *ySz = yLen;
+        return LENGTH_ONLY_E;
+    }
+
+    if (x == NULL || y == NULL)
+        return BAD_FUNC_ARG;
+
+    /* export x */
+    if (*xSz < xLen) {
+        WOLFSSL_MSG("Output buffer for DSA private key (x) too small, "
+                    "required size placed into xSz");
+        *xSz = xLen;
+        return BUFFER_E;
+    }
+    *xSz = xLen;
+    err = mp_to_unsigned_bin(&dsa->x, x);
+
+    /* export y */
+    if (err == MP_OKAY) {
+        if (*ySz < yLen) {
+            WOLFSSL_MSG("Output buffer to DSA public key (y) too small, "
+                        "required size placed into ySz");
+            *ySz = yLen;
+            return BUFFER_E;
+        }
+        *ySz = yLen;
+        err = mp_to_unsigned_bin(&dsa->y, y);
+    }
+
+    return err;
+}
+
+
+int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
 {
-    mp_int k, kInv, r, s, H;
-    int    ret, sz;
-    byte   buffer[DSA_HALF_SIZE];
+    mp_int  k, kInv, r, s, H;
+#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
+    mp_int  b;
+#endif
+    mp_int* qMinus1;
+    int     ret = 0, sz;
+    byte    buffer[DSA_HALF_SIZE];
+    byte*   tmp;  /* initial output pointer */
 
-    sz = min(sizeof(buffer), mp_unsigned_bin_size(&key->q));
+    if (digest == NULL || out == NULL || key == NULL || rng == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    /* generate k */
-    ret = wc_RNG_GenerateBlock(rng, buffer, sz);
-    if (ret != 0)
-        return ret;
+    tmp = out;
 
-    buffer[0] |= 0x0C;
+    sz = min((int)sizeof(buffer), mp_unsigned_bin_size(&key->q));
 
+#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
     if (mp_init_multi(&k, &kInv, &r, &s, &H, 0) != MP_OKAY)
+#else
+    if (mp_init_multi(&k, &kInv, &r, &s, &H, &b) != MP_OKAY)
+#endif
+    {
         return MP_INIT_E;
+    }
+    qMinus1 = &kInv;
 
-    if (mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
-        ret = MP_READ_E;
+    /* NIST FIPS 186-4: B.2.2
+     * Per-Message Secret Number Generation by Testing Candidates
+     * Generate k in range [1, q-1].
+     *   Check that k is less than q-1: range [0, q-2].
+     *   Add 1 to k: range [1, q-1].
+     */
+    if (mp_sub_d(&key->q, 1, qMinus1))
+        ret = MP_SUB_E;
 
-    if (ret == 0 && mp_cmp_d(&k, 1) != MP_GT)
-        ret = MP_CMP_E;
+    if (ret == 0) {
+        do {
+            /* Step 4: generate k */
+            ret = wc_RNG_GenerateBlock(rng, buffer, sz);
+
+            /* Step 5 */
+            if (ret == 0 && mp_read_unsigned_bin(&k, buffer, sz) != MP_OKAY)
+                ret = MP_READ_E;
+
+            /* k is a random numnber and it should be less than q-1
+             * if k greater than repeat
+             */
+        /* Step 6 */
+        } while (ret == 0 && mp_cmp(&k, qMinus1) != MP_LT);
+    }
+    /* Step 7 */
+    if (ret == 0 && mp_add_d(&k, 1, &k) != MP_OKAY)
+        ret = MP_MOD_E;
 
+#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
     /* inverse k mod q */
     if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
         ret = MP_INVMOD_E;
 
     /* generate r, r = (g exp k mod p) mod q */
-    if (ret == 0 && mp_exptmod(&key->g, &k, &key->p, &r) != MP_OKAY)
+    if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
+                                                               &r) != MP_OKAY) {
         ret = MP_EXPTMOD_E;
+    }
 
     if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
         ret = MP_MOD_E;
 
     /* generate H from sha digest */
-    if (ret == 0 && mp_read_unsigned_bin(&H, digest,SHA_DIGEST_SIZE) != MP_OKAY)
+    if (ret == 0 && mp_read_unsigned_bin(&H, digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
         ret = MP_READ_E;
 
     /* generate s, s = (kInv * (H + x*r)) % q */
@@ -129,28 +736,105 @@ int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, RNG* rng)
 
     if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
         ret = MP_MULMOD_E;
+#else
+    /* Blinding value
+     * Generate b in range [1, q-1].
+     */
+    if (ret == 0) {
+        do {
+            ret = wc_RNG_GenerateBlock(rng, buffer, sz);
+            if (ret == 0 && mp_read_unsigned_bin(&b, buffer, sz) != MP_OKAY)
+                ret = MP_READ_E;
+        } while (ret == 0 && mp_cmp(&b, qMinus1) != MP_LT);
+    }
+    if (ret == 0 && mp_add_d(&b, 1, &b) != MP_OKAY)
+        ret = MP_MOD_E;
+
+    /* set H from sha digest */
+    if (ret == 0 && mp_read_unsigned_bin(&H, digest,
+                                               WC_SHA_DIGEST_SIZE) != MP_OKAY) {
+        ret = MP_READ_E;
+    }
+
+    /* generate r, r = (g exp k mod p) mod q */
+    if (ret == 0 && mp_exptmod_ex(&key->g, &k, key->q.used, &key->p,
+                                                               &r) != MP_OKAY) {
+        ret = MP_EXPTMOD_E;
+    }
+
+    /* calculate s = (H + xr)/k
+                   = b.(H/k.b + x.r/k.b) */
+
+    /* k = k.b */
+    if (ret == 0 && mp_mulmod(&k, &b, &key->q, &k) != MP_OKAY)
+        ret = MP_MULMOD_E;
+
+    /* kInv = 1/k.b mod q */
+    if (ret == 0 && mp_invmod(&k, &key->q, &kInv) != MP_OKAY)
+        ret = MP_INVMOD_E;
+
+    if (ret == 0 && mp_mod(&r, &key->q, &r) != MP_OKAY)
+        ret = MP_MOD_E;
+
+    /* s = x.r */
+    if (ret == 0 && mp_mul(&key->x, &r, &s) != MP_OKAY)
+        ret = MP_MUL_E;
+
+    /* s = x.r/k.b */
+    if (ret == 0 && mp_mulmod(&s, &kInv, &key->q, &s) != MP_OKAY)
+        ret = MP_MULMOD_E;
+
+    /* H = H/k.b */
+    if (ret == 0 && mp_mulmod(&H, &kInv, &key->q, &H) != MP_OKAY)
+        ret = MP_MULMOD_E;
+
+    /* s = H/k.b + x.r/k.b
+         = (H + x.r)/k.b */
+    if (ret == 0 && mp_add(&s, &H, &s) != MP_OKAY)
+        ret = MP_ADD_E;
+
+    /* s = b.(e + x.r)/k.b
+         = (e + x.r)/k */
+    if (ret == 0 && mp_mulmod(&s, &b, &key->q, &s) != MP_OKAY)
+        ret = MP_MULMOD_E;
+
+    /* s = (e + x.r)/k */
+    if (ret == 0 && mp_mod(&s, &key->q, &s) != MP_OKAY)
+        ret = MP_MOD_E;
+#endif
+
+    /* detect zero r or s */
+    if (ret == 0 && (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES))
+        ret = MP_ZERO_E;
 
     /* write out */
     if (ret == 0)  {
         int rSz = mp_unsigned_bin_size(&r);
         int sSz = mp_unsigned_bin_size(&s);
 
-        if (rSz == DSA_HALF_SIZE - 1) {
-            out[0] = 0;
-            out++;
+        while (rSz++ < DSA_HALF_SIZE) {
+            *out++ = 0x00;  /* pad front with zeros */
         }
 
         if (mp_to_unsigned_bin(&r, out) != MP_OKAY)
             ret = MP_TO_E;
         else {
-            if (sSz == DSA_HALF_SIZE - 1) {
-                out[rSz] = 0;
-                out++;
-            }    
-            ret = mp_to_unsigned_bin(&s, out + rSz);
+            out = tmp + DSA_HALF_SIZE;  /* advance to s in output */
+            while (sSz++ < DSA_HALF_SIZE) {
+                *out++ = 0x00;  /* pad front with zeros */
+            }
+            ret = mp_to_unsigned_bin(&s, out);
         }
     }
 
+    ForceZero(buffer, sz);
+    mp_forcezero(&kInv);
+    mp_forcezero(&k);
+#ifndef WOLFSSL_MP_INVMOD_CONSTANT_TIME
+    mp_forcezero(&b);
+
+    mp_clear(&b);
+#endif
     mp_clear(&H);
     mp_clear(&s);
     mp_clear(&r);
@@ -166,6 +850,10 @@ int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
     mp_int w, u1, u2, v, r, s;
     int    ret = 0;
 
+    if (digest == NULL || sig == NULL || key == NULL || answer == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     if (mp_init_multi(&w, &u1, &u2, &v, &r, &s) != MP_OKAY)
         return MP_INIT_E;
 
@@ -183,7 +871,7 @@ int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
     }
 
     /* put H into u1 from sha digest */
-    if (ret == 0 && mp_read_unsigned_bin(&u1,digest,SHA_DIGEST_SIZE) != MP_OKAY)
+    if (ret == 0 && mp_read_unsigned_bin(&u1,digest,WC_SHA_DIGEST_SIZE) != MP_OKAY)
         ret = MP_READ_E;
 
     /* w = s invmod q */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ecc.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ecc.c
index 897d46adf..22db7f167 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ecc.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ecc.c
@@ -1,8 +1,8 @@
 /* ecc.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,31 +28,149 @@
 /* in case user set HAVE_ECC there */
 #include <wolfssl/wolfcrypt/settings.h>
 
+/* public ASN interface */
+#include <wolfssl/wolfcrypt/asn_public.h>
+
+/*
+Possible ECC enable options:
+ * HAVE_ECC:            Overall control of ECC                  default: on
+ * HAVE_ECC_ENCRYPT:    ECC encrypt/decrypt w/AES and HKDF      default: off
+ * HAVE_ECC_SIGN:       ECC sign                                default: on
+ * HAVE_ECC_VERIFY:     ECC verify                              default: on
+ * HAVE_ECC_DHE:        ECC build shared secret                 default: on
+ * HAVE_ECC_CDH:        ECC cofactor DH shared secret           default: off
+ * HAVE_ECC_KEY_IMPORT: ECC Key import                          default: on
+ * HAVE_ECC_KEY_EXPORT: ECC Key export                          default: on
+ * ECC_SHAMIR:          Enables Shamir calc method              default: on
+ * HAVE_COMP_KEY:       Enables compressed key                  default: off
+ * WOLFSSL_VALIDATE_ECC_IMPORT: Validate ECC key on import      default: off
+ * WOLFSSL_VALIDATE_ECC_KEYGEN: Validate ECC key gen            default: off
+ * WOLFSSL_CUSTOM_CURVES: Allow non-standard curves.            default: off
+ *                        Includes the curve "a" variable in calculation
+ * ECC_DUMP_OID:        Enables dump of OID encoding and sum    default: off
+ * ECC_CACHE_CURVE:     Enables cache of curve info to improve perofrmance
+                                                                default: off
+ * FP_ECC:              ECC Fixed Point Cache                   default: off
+ * USE_ECC_B_PARAM:     Enable ECC curve B param                default: off
+                         (on for HAVE_COMP_KEY)
+ * WOLFSSL_ECC_CURVE_STATIC:                                    default off (on for windows)
+                        For the ECC curve paramaters `ecc_set_type` use fixed
+                        array for hex string
+ */
+
+/*
+ECC Curve Types:
+ * NO_ECC_SECP          Disables SECP curves                    default: off (not defined)
+ * HAVE_ECC_SECPR2      Enables SECP R2 curves                  default: off
+ * HAVE_ECC_SECPR3      Enables SECP R3 curves                  default: off
+ * HAVE_ECC_BRAINPOOL   Enables Brainpool curves                default: off
+ * HAVE_ECC_KOBLITZ     Enables Koblitz curves                  default: off
+ */
+
+/*
+ECC Curve Sizes:
+ * ECC_USER_CURVES: Allows custom combination of key sizes below
+ * HAVE_ALL_CURVES: Enable all key sizes (on unless ECC_USER_CURVES is defined)
+ * HAVE_ECC112: 112 bit key
+ * HAVE_ECC128: 128 bit key
+ * HAVE_ECC160: 160 bit key
+ * HAVE_ECC192: 192 bit key
+ * HAVE_ECC224: 224 bit key
+ * HAVE_ECC239: 239 bit key
+ * NO_ECC256: Disables 256 bit key (on by default)
+ * HAVE_ECC320: 320 bit key
+ * HAVE_ECC384: 384 bit key
+ * HAVE_ECC512: 512 bit key
+ * HAVE_ECC521: 521 bit key
+ */
+
+
 #ifdef HAVE_ECC
 
+/* Make sure custom curves is enabled for Brainpool or Koblitz curve types */
+#if (defined(HAVE_ECC_BRAINPOOL) || defined(HAVE_ECC_KOBLITZ)) &&\
+    !defined(WOLFSSL_CUSTOM_CURVES)
+    #error Brainpool and Koblitz curves requires WOLFSSL_CUSTOM_CURVES
+#endif
+
+#if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+	#ifdef USE_WINDOWS_API
+		#pragma code_seg(".fipsA$f")
+		#pragma const_seg(".fipsB$f")
+	#endif
+#endif
+
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/types.h>
+
+#ifdef WOLFSSL_HAVE_SP_ECC
+#include <wolfssl/wolfcrypt/sp.h>
+#endif
 
 #ifdef HAVE_ECC_ENCRYPT
     #include <wolfssl/wolfcrypt/hmac.h>
     #include <wolfssl/wolfcrypt/aes.h>
 #endif
 
+#ifdef HAVE_X963_KDF
+    #include <wolfssl/wolfcrypt/hash.h>
+#endif
+
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
+
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
-/* map
+#if defined(FREESCALE_LTC_ECC)
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
 
-   ptmul -> mulmod
+#if defined(WOLFSSL_STM32_PKA)
+    #include <wolfssl/wolfcrypt/port/st/stm32.h>
+#endif
 
-*/
+#ifdef WOLFSSL_SP_MATH
+    #define GEN_MEM_ERR MP_MEM
+#elif defined(USE_FAST_MATH)
+    #define GEN_MEM_ERR FP_MEM
+#else
+    #define GEN_MEM_ERR MP_MEM
+#endif
+
+
+/* internal ECC states */
+enum {
+    ECC_STATE_NONE = 0,
+
+    ECC_STATE_SHARED_SEC_GEN,
+    ECC_STATE_SHARED_SEC_RES,
+
+    ECC_STATE_SIGN_DO,
+    ECC_STATE_SIGN_ENCODE,
 
+    ECC_STATE_VERIFY_DECODE,
+    ECC_STATE_VERIFY_DO,
+    ECC_STATE_VERIFY_RES,
+};
+
+
+/* map
+   ptmul -> mulmod
+*/
 
-/* p256 curve on by default whether user curves or not */
+/* 256-bit curve on by default whether user curves or not */
 #if defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)
     #define ECC112
 #endif
@@ -67,939 +186,2334 @@
 #if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
     #define ECC224
 #endif
+#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
+    #define ECC239
+#endif
 #if !defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)
     #define ECC256
 #endif
+#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
+    #define ECC320
+#endif
 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
     #define ECC384
 #endif
+#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
+    #define ECC512
+#endif
 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
     #define ECC521
 #endif
 
-
-
-/* This holds the key settings.  ***MUST*** be organized by size from
-   smallest to largest. */
+/* The encoded OID's for ECC curves */
+#ifdef ECC112
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP112R1    {1,3,132,0,6}
+            #define CODED_SECP112R1_SZ 5
+        #else
+            #define CODED_SECP112R1    {0x2B,0x81,0x04,0x00,0x06}
+            #define CODED_SECP112R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp112r1[] = CODED_SECP112R1;
+        #else
+            #define ecc_oid_secp112r1 CODED_SECP112R1
+        #endif
+        #define ecc_oid_secp112r1_sz CODED_SECP112R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP112R2    {1,3,132,0,7}
+            #define CODED_SECP112R2_SZ 5
+        #else
+            #define CODED_SECP112R2    {0x2B,0x81,0x04,0x00,0x07}
+            #define CODED_SECP112R2_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp112r2[] = CODED_SECP112R2;
+        #else
+            #define ecc_oid_secp112r2 CODED_SECP112R2
+        #endif
+        #define ecc_oid_secp112r2_sz CODED_SECP112R2_SZ
+    #endif /* HAVE_ECC_SECPR2 */
+#endif /* ECC112 */
+#ifdef ECC128
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP128R1    {1,3,132,0,28}
+            #define CODED_SECP128R1_SZ 5
+        #else
+            #define CODED_SECP128R1    {0x2B,0x81,0x04,0x00,0x1C}
+            #define CODED_SECP128R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp128r1[] = CODED_SECP128R1;
+        #else
+            #define ecc_oid_secp128r1 CODED_SECP128R1
+        #endif
+        #define ecc_oid_secp128r1_sz CODED_SECP128R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP128R2    {1,3,132,0,29}
+            #define CODED_SECP128R2_SZ 5
+        #else
+            #define CODED_SECP128R2    {0x2B,0x81,0x04,0x00,0x1D}
+            #define CODED_SECP128R2_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp128r2[] = CODED_SECP128R2;
+        #else
+            #define ecc_oid_secp128r2 CODED_SECP128R2
+        #endif
+        #define ecc_oid_secp128r2_sz CODED_SECP128R2_SZ
+    #endif /* HAVE_ECC_SECPR2 */
+#endif /* ECC128 */
+#ifdef ECC160
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP160R1    {1,3,132,0,8}
+            #define CODED_SECP160R1_SZ 5
+        #else
+            #define CODED_SECP160R1    {0x2B,0x81,0x04,0x00,0x08}
+            #define CODED_SECP160R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp160r1[] = CODED_SECP160R1;
+        #else
+            #define ecc_oid_secp160r1 CODED_SECP160R1
+        #endif
+        #define ecc_oid_secp160r1_sz CODED_SECP160R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP160R2    {1,3,132,0,30}
+            #define CODED_SECP160R2_SZ 5
+        #else
+            #define CODED_SECP160R2    {0x2B,0x81,0x04,0x00,0x1E}
+            #define CODED_SECP160R2_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp160r2[] = CODED_SECP160R2;
+        #else
+            #define ecc_oid_secp160r2 CODED_SECP160R2
+        #endif
+        #define ecc_oid_secp160r2_sz CODED_SECP160R2_SZ
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_KOBLITZ
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP160K1    {1,3,132,0,9}
+            #define CODED_SECP160K1_SZ 5
+        #else
+            #define CODED_SECP160K1    {0x2B,0x81,0x04,0x00,0x09}
+            #define CODED_SECP160K1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp160k1[] = CODED_SECP160K1;
+        #else
+            #define ecc_oid_secp160k1 CODED_SECP160K1
+        #endif
+        #define ecc_oid_secp160k1_sz CODED_SECP160K1_SZ
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP160R1    {1,3,36,3,3,2,8,1,1,1}
+            #define CODED_BRAINPOOLP160R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP160R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01}
+            #define CODED_BRAINPOOLP160R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp160r1[] = CODED_BRAINPOOLP160R1;
+        #else
+            #define ecc_oid_brainpoolp160r1 CODED_BRAINPOOLP160R1
+        #endif
+        #define ecc_oid_brainpoolp160r1_sz CODED_BRAINPOOLP160R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC160 */
+#ifdef ECC192
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP192R1    {1,2,840,10045,3,1,1}
+            #define CODED_SECP192R1_SZ 7
+        #else
+            #define CODED_SECP192R1    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01}
+            #define CODED_SECP192R1_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp192r1[] = CODED_SECP192R1;
+        #else
+            #define ecc_oid_secp192r1 CODED_SECP192R1
+        #endif
+        #define ecc_oid_secp192r1_sz CODED_SECP192R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_PRIME192V2    {1,2,840,10045,3,1,2}
+            #define CODED_PRIME192V2_SZ 7
+        #else
+            #define CODED_PRIME192V2    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02}
+            #define CODED_PRIME192V2_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_prime192v2[] = CODED_PRIME192V2;
+        #else
+            #define ecc_oid_prime192v2 CODED_PRIME192V2
+        #endif
+        #define ecc_oid_prime192v2_sz CODED_PRIME192V2_SZ
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_SECPR3
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_PRIME192V3    {1,2,840,10045,3,1,3}
+            #define CODED_PRIME192V3_SZ 7
+        #else
+            #define CODED_PRIME192V3    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03}
+            #define CODED_PRIME192V3_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_prime192v3[] = CODED_PRIME192V3;
+        #else
+            #define ecc_oid_prime192v3 CODED_PRIME192V3
+        #endif
+        #define ecc_oid_prime192v3_sz CODED_PRIME192V3_SZ
+    #endif /* HAVE_ECC_SECPR3 */
+    #ifdef HAVE_ECC_KOBLITZ
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP192K1    {1,3,132,0,31}
+            #define CODED_SECP192K1_SZ 5
+        #else
+            #define CODED_SECP192K1    {0x2B,0x81,0x04,0x00,0x1F}
+            #define CODED_SECP192K1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp192k1[] = CODED_SECP192K1;
+        #else
+            #define ecc_oid_secp192k1 CODED_SECP192K1
+        #endif
+        #define ecc_oid_secp192k1_sz CODED_SECP192K1_SZ
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP192R1    {1,3,36,3,3,2,8,1,1,3}
+            #define CODED_BRAINPOOLP192R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP192R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03}
+            #define CODED_BRAINPOOLP192R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp192r1[] = CODED_BRAINPOOLP192R1;
+        #else
+            #define ecc_oid_brainpoolp192r1 CODED_BRAINPOOLP192R1
+        #endif
+        #define ecc_oid_brainpoolp192r1_sz CODED_BRAINPOOLP192R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC192 */
+#ifdef ECC224
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP224R1    {1,3,132,0,33}
+            #define CODED_SECP224R1_SZ 5
+        #else
+            #define CODED_SECP224R1    {0x2B,0x81,0x04,0x00,0x21}
+            #define CODED_SECP224R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp224r1[] = CODED_SECP224R1;
+        #else
+            #define ecc_oid_secp224r1 CODED_SECP224R1
+        #endif
+        #define ecc_oid_secp224r1_sz CODED_SECP224R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_KOBLITZ
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP224K1    {1,3,132,0,32}
+            #define CODED_SECP224K1_SZ 5
+        #else
+            #define CODED_SECP224K1    {0x2B,0x81,0x04,0x00,0x20}
+            #define CODED_SECP224K1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp224k1[] = CODED_SECP224K1;
+        #else
+            #define ecc_oid_secp224k1 CODED_SECP224K1
+        #endif
+        #define ecc_oid_secp224k1_sz CODED_SECP224K1_SZ
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP224R1    {1,3,36,3,3,2,8,1,1,5}
+            #define CODED_BRAINPOOLP224R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP224R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05}
+            #define CODED_BRAINPOOLP224R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp224r1[] = CODED_BRAINPOOLP224R1;
+        #else
+            #define ecc_oid_brainpoolp224r1 CODED_BRAINPOOLP224R1
+        #endif
+        #define ecc_oid_brainpoolp224r1_sz CODED_BRAINPOOLP224R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC224 */
+#ifdef ECC239
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_PRIME239V1    {1,2,840,10045,3,1,4}
+            #define CODED_PRIME239V1_SZ 7
+        #else
+            #define CODED_PRIME239V1    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04}
+            #define CODED_PRIME239V1_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_prime239v1[] = CODED_PRIME239V1;
+        #else
+            #define ecc_oid_prime239v1 CODED_PRIME239V1
+        #endif
+        #define ecc_oid_prime239v1_sz CODED_PRIME239V1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_PRIME239V2    {1,2,840,10045,3,1,5}
+            #define CODED_PRIME239V2_SZ 7
+        #else
+            #define CODED_PRIME239V2    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05}
+            #define CODED_PRIME239V2_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_prime239v2[] = CODED_PRIME239V2;
+        #else
+            #define ecc_oid_prime239v2 CODED_PRIME239V2
+        #endif
+        #define ecc_oid_prime239v2_sz CODED_PRIME239V2_SZ
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_SECPR3
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_PRIME239V3    {1,2,840,10045,3,1,6}
+            #define CODED_PRIME239V3_SZ 7
+        #else
+            #define CODED_PRIME239V3    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06}
+            #define CODED_PRIME239V3_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_prime239v3[] = CODED_PRIME239V3;
+        #else
+            #define ecc_oid_prime239v3 CODED_PRIME239V3
+        #endif
+        #define ecc_oid_prime239v3_sz CODED_PRIME239V3_SZ
+    #endif /* HAVE_ECC_SECPR3 */
+#endif /* ECC239 */
+#ifdef ECC256
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP256R1    {1,2,840,10045,3,1,7}
+            #define CODED_SECP256R1_SZ 7
+        #else
+            #define CODED_SECP256R1    {0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07}
+            #define CODED_SECP256R1_SZ 8
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp256r1[] = CODED_SECP256R1;
+        #else
+            #define ecc_oid_secp256r1 CODED_SECP256R1
+        #endif
+        #define ecc_oid_secp256r1_sz CODED_SECP256R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_KOBLITZ
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP256K1    {1,3,132,0,10}
+            #define CODED_SECP256K1_SZ 5
+        #else
+            #define CODED_SECP256K1    {0x2B,0x81,0x04,0x00,0x0A}
+            #define CODED_SECP256K1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp256k1[] = CODED_SECP256K1;
+        #else
+            #define ecc_oid_secp256k1 CODED_SECP256K1
+        #endif
+        #define ecc_oid_secp256k1_sz CODED_SECP256K1_SZ
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP256R1    {1,3,36,3,3,2,8,1,1,7}
+            #define CODED_BRAINPOOLP256R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP256R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07}
+            #define CODED_BRAINPOOLP256R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp256r1[] = CODED_BRAINPOOLP256R1;
+        #else
+            #define ecc_oid_brainpoolp256r1 CODED_BRAINPOOLP256R1
+        #endif
+        #define ecc_oid_brainpoolp256r1_sz CODED_BRAINPOOLP256R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC256 */
+#ifdef ECC320
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP320R1    {1,3,36,3,3,2,8,1,1,9}
+            #define CODED_BRAINPOOLP320R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP320R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09}
+            #define CODED_BRAINPOOLP320R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp320r1[] = CODED_BRAINPOOLP320R1;
+        #else
+            #define ecc_oid_brainpoolp320r1 CODED_BRAINPOOLP320R1
+        #endif
+        #define ecc_oid_brainpoolp320r1_sz CODED_BRAINPOOLP320R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC320 */
+#ifdef ECC384
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP384R1    {1,3,132,0,34}
+            #define CODED_SECP384R1_SZ 5
+        #else
+            #define CODED_SECP384R1    {0x2B,0x81,0x04,0x00,0x22}
+            #define CODED_SECP384R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp384r1[] = CODED_SECP384R1;
+            #define CODED_SECP384R1_OID ecc_oid_secp384r1
+        #else
+			#define ecc_oid_secp384r1 CODED_SECP384R1
+        #endif
+        #define ecc_oid_secp384r1_sz CODED_SECP384R1_SZ
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP384R1    {1,3,36,3,3,2,8,1,1,11}
+            #define CODED_BRAINPOOLP384R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP384R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B}
+            #define CODED_BRAINPOOLP384R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp384r1[] = CODED_BRAINPOOLP384R1;
+        #else
+            #define ecc_oid_brainpoolp384r1 CODED_BRAINPOOLP384R1
+        #endif
+        #define ecc_oid_brainpoolp384r1_sz CODED_BRAINPOOLP384R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC384 */
+#ifdef ECC512
+    #ifdef HAVE_ECC_BRAINPOOL
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_BRAINPOOLP512R1    {1,3,36,3,3,2,8,1,1,13}
+            #define CODED_BRAINPOOLP512R1_SZ 10
+        #else
+            #define CODED_BRAINPOOLP512R1    {0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D}
+            #define CODED_BRAINPOOLP512R1_SZ 9
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_brainpoolp512r1[] = CODED_BRAINPOOLP512R1;
+        #else
+            #define ecc_oid_brainpoolp512r1 CODED_BRAINPOOLP512R1
+        #endif
+        #define ecc_oid_brainpoolp512r1_sz CODED_BRAINPOOLP512R1_SZ
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC512 */
+#ifdef ECC521
+    #ifndef NO_ECC_SECP
+        #ifdef HAVE_OID_ENCODING
+            #define CODED_SECP521R1     {1,3,132,0,35}
+            #define CODED_SECP521R1_SZ 5
+        #else
+            #define CODED_SECP521R1     {0x2B,0x81,0x04,0x00,0x23}
+            #define CODED_SECP521R1_SZ 5
+        #endif
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            static const ecc_oid_t ecc_oid_secp521r1[] = CODED_SECP521R1;
+        #else
+            #define ecc_oid_secp521r1 CODED_SECP521R1
+        #endif
+        #define ecc_oid_secp521r1_sz CODED_SECP521R1_SZ
+    #endif /* !NO_ECC_SECP */
+#endif /* ECC521 */
+
+
+/* This holds the key settings.
+   ***MUST*** be organized by size from smallest to largest. */
 
 const ecc_set_type ecc_sets[] = {
 #ifdef ECC112
-{
-        14,
-        "SECP112R1",
-        "DB7C2ABF62E35E668076BEAD208B",
-        "DB7C2ABF62E35E668076BEAD2088",
-        "659EF8BA043916EEDE8911702B22",
-        "DB7C2ABF62E35E7628DFAC6561C5",
-        "09487239995A5EE76B55F9C2F098",
-        "A89CE5AF8724C0A23E0E0FF77500"
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        14,                             /* size/bytes */
+        ECC_SECP112R1,                  /* ID         */
+        "SECP112R1",                    /* curve name */
+        "DB7C2ABF62E35E668076BEAD208B", /* prime      */
+        "DB7C2ABF62E35E668076BEAD2088", /* A          */
+        "659EF8BA043916EEDE8911702B22", /* B          */
+        "DB7C2ABF62E35E7628DFAC6561C5", /* order      */
+        "9487239995A5EE76B55F9C2F098",  /* Gx         */
+        "A89CE5AF8724C0A23E0E0FF77500", /* Gy         */
+        ecc_oid_secp112r1,              /* oid/oidSz  */
+        ecc_oid_secp112r1_sz,
+        ECC_SECP112R1_OID,              /* oid sum    */
+        1,                              /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+    {
+        14,                             /* size/bytes */
+        ECC_SECP112R2,                  /* ID         */
+        "SECP112R2",                    /* curve name */
+        "DB7C2ABF62E35E668076BEAD208B", /* prime      */
+        "6127C24C05F38A0AAAF65C0EF02C", /* A          */
+        "51DEF1815DB5ED74FCC34C85D709", /* B          */
+        "36DF0AAFD8B8D7597CA10520D04B", /* order      */
+        "4BA30AB5E892B4E1649DD0928643", /* Gx         */
+        "ADCD46F5882E3747DEF36E956E97", /* Gy         */
+        ecc_oid_secp112r2,              /* oid/oidSz  */
+        ecc_oid_secp112r2_sz,
+        ECC_SECP112R2_OID,              /* oid sum    */
+        4,                              /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR2 */
+#endif /* ECC112 */
 #ifdef ECC128
-{
-        16,
-        "SECP128R1",
-        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
-        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC",
-        "E87579C11079F43DD824993C2CEE5ED3",
-        "FFFFFFFE0000000075A30D1B9038A115",
-        "161FF7528B899B2D0C28607CA52C5B86",
-        "CF5AC8395BAFEB13C02DA292DDED7A83",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        16,                                 /* size/bytes */
+        ECC_SECP128R1,                      /* ID         */
+        "SECP128R1",                        /* curve name */
+        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF", /* prime      */
+        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC", /* A          */
+        "E87579C11079F43DD824993C2CEE5ED3", /* B          */
+        "FFFFFFFE0000000075A30D1B9038A115", /* order      */
+        "161FF7528B899B2D0C28607CA52C5B86", /* Gx         */
+        "CF5AC8395BAFEB13C02DA292DDED7A83", /* Gy         */
+        ecc_oid_secp128r1,                  /* oid/oidSz  */
+        ecc_oid_secp128r1_sz,
+        ECC_SECP128R1_OID,                  /* oid sum    */
+        1,                                  /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+    {
+        16,                                 /* size/bytes */
+        ECC_SECP128R2,                      /* ID         */
+        "SECP128R2",                        /* curve name */
+        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF", /* prime      */
+        "D6031998D1B3BBFEBF59CC9BBFF9AEE1", /* A          */
+        "5EEEFCA380D02919DC2C6558BB6D8A5D", /* B          */
+        "3FFFFFFF7FFFFFFFBE0024720613B5A3", /* order      */
+        "7B6AA5D85E572983E6FB32A7CDEBC140", /* Gx         */
+        "27B6916A894D3AEE7106FE805FC34B44", /* Gy         */
+        ecc_oid_secp128r2,                  /* oid/oidSz  */
+        ecc_oid_secp128r2_sz,
+        ECC_SECP128R2_OID,                  /* oid sum    */
+        4,                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR2 */
+#endif /* ECC128 */
 #ifdef ECC160
-{
-        20,
-        "SECP160R1",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
-        "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
-        "0100000000000000000001F4C8F927AED3CA752257",
-        "4A96B5688EF573284664698968C38BB913CBFC82",
-        "23A628553168947D59DCC912042351377AC5FB32",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        20,                                         /* size/bytes */
+        ECC_SECP160R1,                              /* ID         */
+        "SECP160R1",                                /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC", /* A          */
+        "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45", /* B          */
+        "100000000000000000001F4C8F927AED3CA752257",/* order      */
+        "4A96B5688EF573284664698968C38BB913CBFC82", /* Gx         */
+        "23A628553168947D59DCC912042351377AC5FB32", /* Gy         */
+        ecc_oid_secp160r1,                          /* oid/oidSz  */
+        ecc_oid_secp160r1_sz,
+        ECC_SECP160R1_OID,                          /* oid sum    */
+        1,                                          /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+    {
+        20,                                         /* size/bytes */
+        ECC_SECP160R2,                              /* ID         */
+        "SECP160R2",                                /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70", /* A          */
+        "B4E134D3FB59EB8BAB57274904664D5AF50388BA", /* B          */
+        "100000000000000000000351EE786A818F3A1A16B",/* order      */
+        "52DCB034293A117E1F4FF11B30F7199D3144CE6D", /* Gx         */
+        "FEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E", /* Gy         */
+        ecc_oid_secp160r2,                          /* oid/oidSz  */
+        ecc_oid_secp160r2_sz,
+        ECC_SECP160R2_OID,                          /* oid sum    */
+        1,                                          /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_KOBLITZ
+    {
+        20,                                         /* size/bytes */
+        ECC_SECP160K1,                              /* ID         */
+        "SECP160K1",                                /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", /* prime      */
+        "0000000000000000000000000000000000000000", /* A          */
+        "0000000000000000000000000000000000000007", /* B          */
+        "100000000000000000001B8FA16DFAB9ACA16B6B3",/* order      */
+        "3B4C382CE37AA192A4019E763036F4F5DD4D7EBB", /* Gx         */
+        "938CF935318FDCED6BC28286531733C3F03C4FEE", /* Gy         */
+        ecc_oid_secp160k1,                          /* oid/oidSz  */
+        ecc_oid_secp160k1_sz,
+        ECC_SECP160K1_OID,                          /* oid sum    */
+        1,                                          /* cofactor   */
+    },
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        20,                                         /* size/bytes */
+        ECC_BRAINPOOLP160R1,                        /* ID         */
+        "BRAINPOOLP160R1",                          /* curve name */
+        "E95E4A5F737059DC60DFC7AD95B3D8139515620F", /* prime      */
+        "340E7BE2A280EB74E2BE61BADA745D97E8F7C300", /* A          */
+        "1E589A8595423412134FAA2DBDEC95C8D8675E58", /* B          */
+        "E95E4A5F737059DC60DF5991D45029409E60FC09", /* order      */
+        "BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3", /* Gx         */
+        "1667CB477A1A8EC338F94741669C976316DA6321", /* Gy         */
+        ecc_oid_brainpoolp160r1,                    /* oid/oidSz  */
+        ecc_oid_brainpoolp160r1_sz,
+        ECC_BRAINPOOLP160R1_OID,                    /* oid sum    */
+        1,                                          /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC160 */
 #ifdef ECC192
-{
-        24,
-        "ECC-192",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
-        "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
-        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
-        "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
-        "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        24,                                                 /* size/bytes */
+        ECC_SECP192R1,                                      /* ID         */
+        "SECP192R1",                                        /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", /* A          */
+        "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", /* order      */
+        "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", /* Gx         */
+        "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",  /* Gy         */
+        ecc_oid_secp192r1,                                  /* oid/oidSz  */
+        ecc_oid_secp192r1_sz,
+        ECC_SECP192R1_OID,                                  /* oid sum    */
+        1,                                                  /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+    {
+        24,                                                 /* size/bytes */
+        ECC_PRIME192V2,                                     /* ID         */
+        "PRIME192V2",                                       /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", /* A          */
+        "CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31", /* order      */
+        "EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A", /* Gx         */
+        "6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15", /* Gy         */
+        ecc_oid_prime192v2,                                 /* oid/oidSz  */
+        ecc_oid_prime192v2_sz,
+        ECC_PRIME192V2_OID,                                 /* oid sum    */
+        1,                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_SECPR3
+    {
+        24,                                                 /* size/bytes */
+        ECC_PRIME192V3,                                     /* ID         */
+        "PRIME192V3",                                       /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", /* A          */
+        "22123DC2395A05CAA7423DAECCC94760A7D462256BD56916", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13", /* order      */
+        "7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896", /* Gx         */
+        "38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0", /* Gy         */
+        ecc_oid_prime192v3,                                 /* oid/oidSz  */
+        ecc_oid_prime192v3_sz,
+        ECC_PRIME192V3_OID,                                 /* oid sum    */
+        1,                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR3 */
+    #ifdef HAVE_ECC_KOBLITZ
+    {
+        24,                                                 /* size/bytes */
+        ECC_SECP192K1,                                      /* ID         */
+        "SECP192K1",                                        /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", /* prime      */
+        "000000000000000000000000000000000000000000000000", /* A          */
+        "000000000000000000000000000000000000000000000003", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", /* order      */
+        "DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", /* Gx         */
+        "9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", /* Gy         */
+        ecc_oid_secp192k1,                                  /* oid/oidSz  */
+        ecc_oid_secp192k1_sz,
+        ECC_SECP192K1_OID,                                  /* oid sum    */
+        1,                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        24,                                                 /* size/bytes */
+        ECC_BRAINPOOLP192R1,                                /* ID         */
+        "BRAINPOOLP192R1",                                  /* curve name */
+        "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", /* prime      */
+        "6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF", /* A          */
+        "469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", /* B          */
+        "C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", /* order      */
+        "C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6", /* Gx         */
+        "14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F", /* Gy         */
+        ecc_oid_brainpoolp192r1,                            /* oid/oidSz  */
+        ecc_oid_brainpoolp192r1_sz,
+        ECC_BRAINPOOLP192R1_OID,                            /* oid sum    */
+        1,                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC192 */
 #ifdef ECC224
-{
-        28,
-        "ECC-224",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
-        "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
-        "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
-        "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        28,                                                         /* size/bytes */
+        ECC_SECP224R1,                                              /* ID         */
+        "SECP224R1",                                                /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", /* A          */
+        "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", /* order      */
+        "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", /* Gx         */
+        "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", /* Gy         */
+        ecc_oid_secp224r1,                                          /* oid/oidSz  */
+        ecc_oid_secp224r1_sz,
+        ECC_SECP224R1_OID,                                          /* oid sum    */
+        1,                                                          /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_KOBLITZ
+    {
+        28,                                                         /* size/bytes */
+        ECC_SECP224K1,                                              /* ID         */
+        "SECP224K1",                                                /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D", /* prime      */
+        "00000000000000000000000000000000000000000000000000000000", /* A          */
+        "00000000000000000000000000000000000000000000000000000005", /* B          */
+        "10000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",/* order      */
+        "A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C", /* Gx         */
+        "7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5", /* Gy         */
+        ecc_oid_secp224k1,                                          /* oid/oidSz  */
+        ecc_oid_secp224k1_sz,
+        ECC_SECP224K1_OID,                                          /* oid sum    */
+        1,                                                          /* cofactor   */
+    },
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        28,                                                         /* size/bytes */
+        ECC_BRAINPOOLP224R1,                                        /* ID         */
+        "BRAINPOOLP224R1",                                          /* curve name */
+        "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", /* prime      */
+        "68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", /* A          */
+        "2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", /* B          */
+        "D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", /* order      */
+        "0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D", /* Gx         */
+        "58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD", /* Gy         */
+        ecc_oid_brainpoolp224r1,                                    /* oid/oidSz  */
+        ecc_oid_brainpoolp224r1_sz,
+        ECC_BRAINPOOLP224R1_OID,                                    /* oid sum    */
+        1,                                                          /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC224 */
+#ifdef ECC239
+    #ifndef NO_ECC_SECP
+    {
+        30,                                                             /* size/bytes */
+        ECC_PRIME239V1,                                                 /* ID         */
+        "PRIME239V1",                                                   /* curve name */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", /* prime      */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", /* A          */
+        "6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A", /* B          */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B", /* order      */
+        "0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF", /* Gx         */
+        "7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE", /* Gy         */
+        ecc_oid_prime239v1,                                             /* oid/oidSz  */
+        ecc_oid_prime239v1_sz,
+        ECC_PRIME239V1_OID,                                             /* oid sum    */
+        1,                                                              /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_SECPR2
+    {
+        30,                                                             /* size/bytes */
+        ECC_PRIME239V2,                                                 /* ID         */
+        "PRIME239V2",                                                   /* curve name */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", /* prime      */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", /* A          */
+        "617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C", /* B          */
+        "7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063", /* order      */
+        "38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7", /* Gx         */
+        "5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA", /* Gy         */
+        ecc_oid_prime239v2,                                             /* oid/oidSz  */
+        ecc_oid_prime239v2_sz,
+        ECC_PRIME239V2_OID,                                             /* oid sum    */
+        1,                                                              /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR2 */
+    #ifdef HAVE_ECC_SECPR3
+    {
+        30,                                                             /* size/bytes */
+        ECC_PRIME239V3,                                                 /* ID         */
+        "PRIME239V3",                                                   /* curve name */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF", /* prime      */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC", /* A          */
+        "255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E", /* B          */
+        "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551", /* order      */
+        "6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A", /* Gx         */
+        "1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3", /* Gy         */
+        ecc_oid_prime239v3,                                             /* oid/oidSz  */
+        ecc_oid_prime239v3_sz,
+        ECC_PRIME239V3_OID,                                             /* oid sum    */
+        1,                                                              /* cofactor   */
+    },
+    #endif /* HAVE_ECC_SECPR3 */
+#endif /* ECC239 */
 #ifdef ECC256
-{
-        32,
-        "ECC-256",
-        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
-        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
-        "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
-        "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
-        "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
-        "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        32,                                                                 /* size/bytes */
+        ECC_SECP256R1,                                                      /* ID         */
+        "SECP256R1",                                                        /* curve name */
+        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", /* prime      */
+        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", /* A          */
+        "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", /* B          */
+        "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", /* order      */
+        "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", /* Gx         */
+        "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", /* Gy         */
+		ecc_oid_secp256r1,                                                  /* oid/oidSz  */
+        ecc_oid_secp256r1_sz,
+        ECC_SECP256R1_OID,                                                  /* oid sum    */
+        1,                                                                  /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_KOBLITZ
+    {
+        32,                                                                 /* size/bytes */
+        ECC_SECP256K1,                                                      /* ID         */
+        "SECP256K1",                                                        /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", /* prime      */
+        "0000000000000000000000000000000000000000000000000000000000000000", /* A          */
+        "0000000000000000000000000000000000000000000000000000000000000007", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", /* order      */
+        "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", /* Gx         */
+        "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", /* Gy         */
+        ecc_oid_secp256k1,                                                  /* oid/oidSz  */
+        ecc_oid_secp256k1_sz,
+        ECC_SECP256K1_OID,                                                  /* oid sum    */
+        1,                                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_KOBLITZ */
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        32,                                                                 /* size/bytes */
+        ECC_BRAINPOOLP256R1,                                                /* ID         */
+        "BRAINPOOLP256R1",                                                  /* curve name */
+        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", /* prime      */
+        "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", /* A          */
+        "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", /* B          */
+        "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", /* order      */
+        "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", /* Gx         */
+        "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", /* Gy         */
+        ecc_oid_brainpoolp256r1,                                            /* oid/oidSz  */
+        ecc_oid_brainpoolp256r1_sz,
+        ECC_BRAINPOOLP256R1_OID,                                            /* oid sum    */
+        1,                                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC256 */
+#ifdef ECC320
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        40,                                                                                 /* size/bytes */
+        ECC_BRAINPOOLP320R1,                                                                /* ID         */
+        "BRAINPOOLP320R1",                                                                  /* curve name */
+        "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", /* prime      */
+        "3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4", /* A          */
+        "520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", /* B          */
+        "D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", /* order      */
+        "43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611", /* Gx         */
+        "14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1", /* Gy         */
+        ecc_oid_brainpoolp320r1, ecc_oid_brainpoolp320r1_sz,                                /* oid/oidSz  */
+        ECC_BRAINPOOLP320R1_OID,                                                            /* oid sum    */
+        1,                                                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC320 */
 #ifdef ECC384
-{
-        48,
-        "ECC-384",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
-        "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
-        "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
-        "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
-},
-#endif
+    #ifndef NO_ECC_SECP
+    {
+        48,                                                                                                 /* size/bytes */
+        ECC_SECP384R1,                                                                                      /* ID         */
+        "SECP384R1",                                                                                        /* curve name */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", /* prime      */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", /* A          */
+        "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", /* B          */
+        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", /* order      */
+        "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", /* Gx         */
+        "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", /* Gy         */
+        ecc_oid_secp384r1, ecc_oid_secp384r1_sz,                                                            /* oid/oidSz  */
+        ECC_SECP384R1_OID,                                                                                  /* oid sum    */
+        1,                                                                                                  /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        48,                                                                                                 /* size/bytes */
+        ECC_BRAINPOOLP384R1,                                                                                /* ID         */
+        "BRAINPOOLP384R1",                                                                                  /* curve name */
+        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", /* prime      */
+        "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826", /* A          */
+        "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", /* B          */
+        "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", /* order      */
+        "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", /* Gx         */
+        "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", /* Gy         */
+        ecc_oid_brainpoolp384r1, ecc_oid_brainpoolp384r1_sz,                                                /* oid/oidSz  */
+        ECC_BRAINPOOLP384R1_OID,                                                                            /* oid sum    */
+        1,                                                                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC384 */
+#ifdef ECC512
+    #ifdef HAVE_ECC_BRAINPOOL
+    {
+        64,                                                                                                                                 /* size/bytes */
+        ECC_BRAINPOOLP512R1,                                                                                                                /* ID         */
+        "BRAINPOOLP512R1",                                                                                                                  /* curve name */
+        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", /* prime      */
+        "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA", /* A          */
+        "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", /* B          */
+        "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", /* order      */
+        "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", /* Gx         */
+        "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", /* Gy         */
+        ecc_oid_brainpoolp512r1, ecc_oid_brainpoolp512r1_sz,                                                                                /* oid/oidSz  */
+        ECC_BRAINPOOLP512R1_OID,                                                                                                            /* oid sum    */
+        1,                                                                                                                                  /* cofactor   */
+    },
+    #endif /* HAVE_ECC_BRAINPOOL */
+#endif /* ECC512 */
 #ifdef ECC521
-{
-        66,
-        "ECC-521",
-        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
-        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
-        "51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
-        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
-        "C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
-        "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
-},
+    #ifndef NO_ECC_SECP
+    {
+        66,                                                                                                                                    /* size/bytes */
+        ECC_SECP521R1,                                                                                                                         /* ID         */
+        "SECP521R1",                                                                                                                           /* curve name */
+        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* prime      */
+        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", /* A          */
+        "51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",  /* B          */
+        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", /* order      */
+        "C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",  /* Gx         */
+        "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", /* Gy         */
+        ecc_oid_secp521r1, ecc_oid_secp521r1_sz,                                                                                               /* oid/oidSz  */
+        ECC_SECP521R1_OID,                                                                                                                     /* oid sum    */
+        1,                                                                                                                                     /* cofactor   */
+    },
+    #endif /* !NO_ECC_SECP */
+#endif /* ECC521 */
+#if defined(WOLFSSL_CUSTOM_CURVES) && defined(ECC_CACHE_CURVE)
+    /* place holder for custom curve index for cache */
+    {
+        1, /* non-zero */
+        ECC_CURVE_CUSTOM,
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+        #else
+            {0},{0},{0},{0},{0},{0},{0},{0},
+        #endif
+        0, 0, 0
+    },
 #endif
-{
-   0,
-   NULL, NULL, NULL, NULL, NULL, NULL, NULL
-}
+    {
+        0,
+        ECC_CURVE_INVALID,
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+        #else
+            {0},{0},{0},{0},{0},{0},{0},{0},
+        #endif
+        0, 0, 0
+    }
 };
+#define ECC_SET_COUNT   (sizeof(ecc_sets)/sizeof(ecc_set_type))
+const size_t ecc_sets_count = ECC_SET_COUNT - 1;
 
 
-ecc_point* ecc_new_point(void);
-void ecc_del_point(ecc_point* p);
-int  ecc_map(ecc_point*, mp_int*, mp_digit*);
-int  ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R,
-                              mp_int* modulus, mp_digit* mp);
-int  ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* modulus,
-                              mp_digit* mp);
-static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
-                      int map);
-static int ecc_check_pubkey_order(ecc_key* key, mp_int* prime, mp_int* order);
-#ifdef ECC_SHAMIR
-static int ecc_mul2add(ecc_point* A, mp_int* kA, ecc_point* B, mp_int* kB,
-                       ecc_point* C, mp_int* modulus);
+#ifdef HAVE_OID_ENCODING
+    /* encoded OID cache */
+    typedef struct {
+        word32 oidSz;
+        byte oid[ECC_MAX_OID_LEN];
+    } oid_cache_t;
+    static oid_cache_t ecc_oid_cache[ECC_SET_COUNT];
 #endif
 
-int mp_jacobi(mp_int* a, mp_int* p, int* c);
-int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret);
-int mp_submod(mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 
 #ifdef HAVE_COMP_KEY
 static int wc_ecc_export_x963_compressed(ecc_key*, byte* out, word32* outLen);
 #endif
 
-/* helper for either lib */
-static int get_digit_count(mp_int* a)
+
+#if (defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)) && \
+    !defined(WOLFSSL_ATECC508A)
+static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
+        mp_int* prime, mp_int* order);
+#endif
+
+int mp_jacobi(mp_int* a, mp_int* n, int* c);
+int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret);
+
+
+/* Curve Specs */
+typedef struct ecc_curve_spec {
+    const ecc_set_type* dp;
+
+    mp_int* prime;
+    mp_int* Af;
+    #ifdef USE_ECC_B_PARAM
+        mp_int* Bf;
+    #endif
+    mp_int* order;
+    mp_int* Gx;
+    mp_int* Gy;
+
+#ifdef ECC_CACHE_CURVE
+    mp_int prime_lcl;
+    mp_int Af_lcl;
+    #ifdef USE_ECC_B_PARAM
+        mp_int Bf_lcl;
+    #endif
+    mp_int order_lcl;
+    mp_int Gx_lcl;
+    mp_int Gy_lcl;
+#else
+    mp_int* spec_ints;
+    word32 spec_count;
+    word32 spec_use;
+#endif
+
+    byte load_mask;
+} ecc_curve_spec;
+
+enum ecc_curve_load_mask {
+    ECC_CURVE_FIELD_NONE    = 0x00,
+    ECC_CURVE_FIELD_PRIME   = 0x01,
+    ECC_CURVE_FIELD_AF      = 0x02,
+#ifdef USE_ECC_B_PARAM
+    ECC_CURVE_FIELD_BF      = 0x04,
+#endif
+    ECC_CURVE_FIELD_ORDER   = 0x08,
+    ECC_CURVE_FIELD_GX      = 0x10,
+    ECC_CURVE_FIELD_GY      = 0x20,
+#ifdef USE_ECC_B_PARAM
+    ECC_CURVE_FIELD_ALL     = 0x3F,
+    ECC_CURVE_FIELD_COUNT   = 6,
+#else
+    ECC_CURVE_FIELD_ALL     = 0x3B,
+    ECC_CURVE_FIELD_COUNT   = 5,
+#endif
+};
+
+#ifdef ECC_CACHE_CURVE
+    /* cache (mp_int) of the curve parameters */
+    static ecc_curve_spec* ecc_curve_spec_cache[ECC_SET_COUNT];
+    #ifndef SINGLE_THREADED
+        static wolfSSL_Mutex ecc_curve_cache_mutex;
+    #endif
+
+    #define DECLARE_CURVE_SPECS(curve, intcount) ecc_curve_spec* curve = NULL
+    #define ALLOC_CURVE_SPECS(intcount)
+    #define FREE_CURVE_SPECS()
+#elif defined(WOLFSSL_SMALL_STACK)
+    #define DECLARE_CURVE_SPECS(curve, intcount)                        \
+        mp_int* spec_ints = NULL;                                       \
+        ecc_curve_spec curve_lcl;                                       \
+        ecc_curve_spec* curve = &curve_lcl;                             \
+        XMEMSET(curve, 0, sizeof(ecc_curve_spec));                      \
+        curve->spec_count = intcount
+
+    #define ALLOC_CURVE_SPECS(intcount)                                 \
+        spec_ints = (mp_int*)XMALLOC(sizeof(mp_int) * (intcount), NULL, \
+                            DYNAMIC_TYPE_ECC);                          \
+        if (spec_ints == NULL)                                          \
+            return MEMORY_E;                                            \
+        curve->spec_ints = spec_ints
+    #define FREE_CURVE_SPECS()                                          \
+        XFREE(spec_ints, NULL, DYNAMIC_TYPE_ECC)
+#else
+    #define DECLARE_CURVE_SPECS(curve, intcount) \
+        mp_int spec_ints[(intcount)]; \
+        ecc_curve_spec curve_lcl; \
+        ecc_curve_spec* curve = &curve_lcl; \
+        XMEMSET(curve, 0, sizeof(ecc_curve_spec)); \
+        curve->spec_ints = spec_ints; \
+        curve->spec_count = intcount
+    #define ALLOC_CURVE_SPECS(intcount)
+    #define FREE_CURVE_SPECS()
+#endif /* ECC_CACHE_CURVE */
+
+static void _wc_ecc_curve_free(ecc_curve_spec* curve)
 {
-    if (a == NULL)
-        return 0;
+    if (curve == NULL) {
+        return;
+    }
 
-    return a->used;
+    if (curve->load_mask & ECC_CURVE_FIELD_PRIME)
+        mp_clear(curve->prime);
+    if (curve->load_mask & ECC_CURVE_FIELD_AF)
+        mp_clear(curve->Af);
+#ifdef USE_ECC_B_PARAM
+    if (curve->load_mask & ECC_CURVE_FIELD_BF)
+        mp_clear(curve->Bf);
+#endif
+    if (curve->load_mask & ECC_CURVE_FIELD_ORDER)
+        mp_clear(curve->order);
+    if (curve->load_mask & ECC_CURVE_FIELD_GX)
+        mp_clear(curve->Gx);
+    if (curve->load_mask & ECC_CURVE_FIELD_GY)
+        mp_clear(curve->Gy);
+
+    curve->load_mask = 0;
 }
 
-/* helper for either lib */
-static mp_digit get_digit(mp_int* a, int n)
+static void wc_ecc_curve_free(ecc_curve_spec* curve)
 {
-    if (a == NULL)
-        return 0;
-
-    return (n >= a->used || n < 0) ? 0 : a->dp[n];
+    /* don't free cached curves */
+#ifndef ECC_CACHE_CURVE
+    _wc_ecc_curve_free(curve);
+#endif
+    (void)curve;
 }
 
+static int wc_ecc_curve_load_item(const char* src, mp_int** dst,
+    ecc_curve_spec* curve, byte mask)
+{
+    int err;
 
-#if defined(USE_FAST_MATH)
+#ifndef ECC_CACHE_CURVE
+    /* get mp_int from temp */
+    if (curve->spec_use >= curve->spec_count) {
+        WOLFSSL_MSG("Invalid DECLARE_CURVE_SPECS count");
+        return ECC_BAD_ARG_E;
+    }
+    *dst = &curve->spec_ints[curve->spec_use++];
+#endif
 
-/* fast math accelerated version, but not for fp ecc yet */
+    err = mp_init(*dst);
+    if (err == MP_OKAY) {
+        curve->load_mask |= mask;
 
-/**
-   Add two ECC points
-   P        The point to add
-   Q        The point to add
-   R        [out] The destination of the double
-   modulus  The modulus of the field the ECC curve is in
-   mp       The "b" value from montgomery_setup()
-   return   MP_OKAY on success
-*/
-int ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R,
-                             mp_int* modulus, mp_digit* mp)
-{
-   fp_int t1, t2, x, y, z;
-   int    err;
+        err = mp_read_radix(*dst, src, MP_RADIX_HEX);
 
-   if (P == NULL || Q == NULL || R == NULL || modulus == NULL || mp == NULL)
-       return ECC_BAD_ARG_E;
+    #ifdef HAVE_WOLF_BIGINT
+        if (err == MP_OKAY)
+            err = wc_mp_to_bigint(*dst, &(*dst)->raw);
+    #endif
+    }
+    return err;
+}
 
-   if ((err = mp_init_multi(&t1, &t2, &x, &y, &z, NULL)) != MP_OKAY) {
-      return err;
-   }
+static int wc_ecc_curve_load(const ecc_set_type* dp, ecc_curve_spec** pCurve,
+    byte load_mask)
+{
+    int ret = 0, x;
+    ecc_curve_spec* curve;
+    byte load_items = 0; /* mask of items to load */
 
-   /* should we dbl instead? */
-   fp_sub(modulus, Q->y, &t1);
-   if ( (fp_cmp(P->x, Q->x) == FP_EQ) && 
-        (get_digit_count(Q->z) && fp_cmp(P->z, Q->z) == FP_EQ) &&
-        (fp_cmp(P->y, Q->y) == FP_EQ || fp_cmp(P->y, &t1) == FP_EQ)) {
-        return ecc_projective_dbl_point(P, R, modulus, mp);
-   }
+    if (dp == NULL || pCurve == NULL)
+        return BAD_FUNC_ARG;
 
-   fp_copy(P->x, &x);
-   fp_copy(P->y, &y);
-   fp_copy(P->z, &z);
+#ifdef ECC_CACHE_CURVE
+    x = wc_ecc_get_curve_idx(dp->id);
+    if (x == ECC_CURVE_INVALID)
+        return ECC_BAD_ARG_E;
 
-   /* if Z is one then these are no-operations */
-   if (get_digit_count(Q->z)) {
-      /* T1 = Z' * Z' */
-      fp_sqr(Q->z, &t1);
-      fp_montgomery_reduce(&t1, modulus, *mp);
-      /* X = X * T1 */
-      fp_mul(&t1, &x, &x);
-      fp_montgomery_reduce(&x, modulus, *mp);
-      /* T1 = Z' * T1 */
-      fp_mul(Q->z, &t1, &t1);
-      fp_montgomery_reduce(&t1, modulus, *mp);
-      /* Y = Y * T1 */
-      fp_mul(&t1, &y, &y);
-      fp_montgomery_reduce(&y, modulus, *mp);
-   }
+#if !defined(SINGLE_THREADED)
+    ret = wc_LockMutex(&ecc_curve_cache_mutex);
+    if (ret != 0) {
+        return ret;
+    }
+#endif
 
-   /* T1 = Z*Z */
-   fp_sqr(&z, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
-   /* T2 = X' * T1 */
-   fp_mul(Q->x, &t1, &t2);
-   fp_montgomery_reduce(&t2, modulus, *mp);
-   /* T1 = Z * T1 */
-   fp_mul(&z, &t1, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
-   /* T1 = Y' * T1 */
-   fp_mul(Q->y, &t1, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
+    /* make sure cache has been allocated */
+    if (ecc_curve_spec_cache[x] == NULL) {
+        ecc_curve_spec_cache[x] = (ecc_curve_spec*)XMALLOC(
+            sizeof(ecc_curve_spec), NULL, DYNAMIC_TYPE_ECC);
+        if (ecc_curve_spec_cache[x] == NULL) {
+        #if defined(ECC_CACHE_CURVE) && !defined(SINGLE_THREADED)
+            wc_UnLockMutex(&ecc_curve_cache_mutex);
+        #endif
+            return MEMORY_E;
+        }
+        XMEMSET(ecc_curve_spec_cache[x], 0, sizeof(ecc_curve_spec));
+    }
 
-   /* Y = Y - T1 */
-   fp_sub(&y, &t1, &y);
-   if (fp_cmp_d(&y, 0) == FP_LT) {
-      fp_add(&y, modulus, &y);
-   }
-   /* T1 = 2T1 */
-   fp_add(&t1, &t1, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* T1 = Y + T1 */
-   fp_add(&t1, &y, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* X = X - T2 */
-   fp_sub(&x, &t2, &x);
-   if (fp_cmp_d(&x, 0) == FP_LT) {
-      fp_add(&x, modulus, &x);
-   }
-   /* T2 = 2T2 */
-   fp_add(&t2, &t2, &t2);
-   if (fp_cmp(&t2, modulus) != FP_LT) {
-      fp_sub(&t2, modulus, &t2);
-   }
-   /* T2 = X + T2 */
-   fp_add(&t2, &x, &t2);
-   if (fp_cmp(&t2, modulus) != FP_LT) {
-      fp_sub(&t2, modulus, &t2);
-   }
+    /* set curve pointer to cache */
+    *pCurve = ecc_curve_spec_cache[x];
+
+#endif /* ECC_CACHE_CURVE */
+    curve = *pCurve;
+
+    /* make sure the curve is initialized */
+    if (curve->dp != dp) {
+        curve->load_mask = 0;
+
+    #ifdef ECC_CACHE_CURVE
+        curve->prime = &curve->prime_lcl;
+        curve->Af = &curve->Af_lcl;
+        #ifdef USE_ECC_B_PARAM
+            curve->Bf = &curve->Bf_lcl;
+        #endif
+        curve->order = &curve->order_lcl;
+        curve->Gx = &curve->Gx_lcl;
+        curve->Gy = &curve->Gy_lcl;
+    #endif
+    }
+    curve->dp = dp; /* set dp info */
+
+    /* determine items to load */
+    load_items = (((byte)~(word32)curve->load_mask) & load_mask);
+    curve->load_mask |= load_items;
+
+    /* load items */
+    x = 0;
+    if (load_items & ECC_CURVE_FIELD_PRIME)
+        x += wc_ecc_curve_load_item(dp->prime, &curve->prime, curve,
+            ECC_CURVE_FIELD_PRIME);
+    if (load_items & ECC_CURVE_FIELD_AF)
+        x += wc_ecc_curve_load_item(dp->Af, &curve->Af, curve,
+            ECC_CURVE_FIELD_AF);
+#ifdef USE_ECC_B_PARAM
+    if (load_items & ECC_CURVE_FIELD_BF)
+        x += wc_ecc_curve_load_item(dp->Bf, &curve->Bf, curve,
+            ECC_CURVE_FIELD_BF);
+#endif
+    if (load_items & ECC_CURVE_FIELD_ORDER)
+        x += wc_ecc_curve_load_item(dp->order, &curve->order, curve,
+            ECC_CURVE_FIELD_ORDER);
+    if (load_items & ECC_CURVE_FIELD_GX)
+        x += wc_ecc_curve_load_item(dp->Gx, &curve->Gx, curve,
+            ECC_CURVE_FIELD_GX);
+    if (load_items & ECC_CURVE_FIELD_GY)
+        x += wc_ecc_curve_load_item(dp->Gy, &curve->Gy, curve,
+            ECC_CURVE_FIELD_GY);
+
+    /* check for error */
+    if (x != 0) {
+        wc_ecc_curve_free(curve);
+        ret = MP_READ_E;
+    }
 
-   /* if Z' != 1 */
-   if (get_digit_count(Q->z)) {
-      /* Z = Z * Z' */
-      fp_mul(&z, Q->z, &z);
-      fp_montgomery_reduce(&z, modulus, *mp);
-   }
+#if defined(ECC_CACHE_CURVE) && !defined(SINGLE_THREADED)
+    wc_UnLockMutex(&ecc_curve_cache_mutex);
+#endif
 
-   /* Z = Z * X */
-   fp_mul(&z, &x, &z);
-   fp_montgomery_reduce(&z, modulus, *mp);
+    return ret;
+}
 
-   /* T1 = T1 * X  */
-   fp_mul(&t1, &x, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
-   /* X = X * X */
-   fp_sqr(&x, &x);
-   fp_montgomery_reduce(&x, modulus, *mp);
-   /* T2 = T2 * x */
-   fp_mul(&t2, &x, &t2);
-   fp_montgomery_reduce(&t2, modulus, *mp);
-   /* T1 = T1 * X  */
-   fp_mul(&t1, &x, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
- 
-   /* X = Y*Y */
-   fp_sqr(&y, &x);
-   fp_montgomery_reduce(&x, modulus, *mp);
-   /* X = X - T2 */
-   fp_sub(&x, &t2, &x);
-   if (fp_cmp_d(&x, 0) == FP_LT) {
-      fp_add(&x, modulus, &x);
-   }
+#ifdef ECC_CACHE_CURVE
+int wc_ecc_curve_cache_init(void)
+{
+    int ret = 0;
+#if defined(ECC_CACHE_CURVE) && !defined(SINGLE_THREADED)
+    ret = wc_InitMutex(&ecc_curve_cache_mutex);
+#endif
+    return ret;
+}
 
-   /* T2 = T2 - X */
-   fp_sub(&t2, &x, &t2);
-   if (fp_cmp_d(&t2, 0) == FP_LT) {
-      fp_add(&t2, modulus, &t2);
-   } 
-   /* T2 = T2 - X */
-   fp_sub(&t2, &x, &t2);
-   if (fp_cmp_d(&t2, 0) == FP_LT) {
-      fp_add(&t2, modulus, &t2);
-   }
-   /* T2 = T2 * Y */
-   fp_mul(&t2, &y, &t2);
-   fp_montgomery_reduce(&t2, modulus, *mp);
-   /* Y = T2 - T1 */
-   fp_sub(&t2, &t1, &y);
-   if (fp_cmp_d(&y, 0) == FP_LT) {
-      fp_add(&y, modulus, &y);
-   }
-   /* Y = Y/2 */
-   if (fp_isodd(&y)) {
-      fp_add(&y, modulus, &y);
-   }
-   fp_div_2(&y, &y);
+void wc_ecc_curve_cache_free(void)
+{
+    int x;
+
+    /* free all ECC curve caches */
+    for (x = 0; x < (int)ECC_SET_COUNT; x++) {
+        if (ecc_curve_spec_cache[x]) {
+            _wc_ecc_curve_free(ecc_curve_spec_cache[x]);
+            XFREE(ecc_curve_spec_cache[x], NULL, DYNAMIC_TYPE_ECC);
+            ecc_curve_spec_cache[x] = NULL;
+        }
+    }
 
-   fp_copy(&x, R->x);
-   fp_copy(&y, R->y);
-   fp_copy(&z, R->z);
-   
-   return MP_OKAY;
+#if defined(ECC_CACHE_CURVE) && !defined(SINGLE_THREADED)
+    wc_FreeMutex(&ecc_curve_cache_mutex);
+#endif
 }
+#endif /* ECC_CACHE_CURVE */
 
 
-/**
-   Double an ECC point
-   P   The point to double
-   R   [out] The destination of the double
-   modulus  The modulus of the field the ECC curve is in
-   mp       The "b" value from montgomery_setup()
-   return   MP_OKAY on success
-*/
-int ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mp_int* modulus,
-                             mp_digit* mp)
+/* Retrieve the curve name for the ECC curve id.
+ *
+ * curve_id  The id of the curve.
+ * returns the name stored from the curve if available, otherwise NULL.
+ */
+const char* wc_ecc_get_name(int curve_id)
 {
-   fp_int   t1, t2;
-   int      err;
+    int curve_idx = wc_ecc_get_curve_idx(curve_id);
+    if (curve_idx == ECC_CURVE_INVALID)
+        return NULL;
+    return ecc_sets[curve_idx].name;
+}
 
-   if (P == NULL || R == NULL || modulus == NULL || mp == NULL)
-       return ECC_BAD_ARG_E;
+int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id)
+{
+    if (keysize <= 0 && curve_id < 0) {
+        return BAD_FUNC_ARG;
+    }
 
-   if (P != R) {
-      fp_copy(P->x, R->x);
-      fp_copy(P->y, R->y);
-      fp_copy(P->z, R->z);
-   }
+    if (keysize > ECC_MAXSIZE) {
+        return ECC_BAD_ARG_E;
+    }
 
-   if ((err = mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
-      return err;
-   }
+    /* handle custom case */
+    if (key->idx != ECC_CUSTOM_IDX) {
+        int x;
 
-   /* t1 = Z * Z */
-   fp_sqr(R->z, &t1);
-   fp_montgomery_reduce(&t1, modulus, *mp);
-   /* Z = Y * Z */
-   fp_mul(R->z, R->y, R->z);
-   fp_montgomery_reduce(R->z, modulus, *mp);
-   /* Z = 2Z */
-   fp_add(R->z, R->z, R->z);
-   if (fp_cmp(R->z, modulus) != FP_LT) {
-      fp_sub(R->z, modulus, R->z);
-   }
-   
-   /* &t2 = X - T1 */
-   fp_sub(R->x, &t1, &t2);
-   if (fp_cmp_d(&t2, 0) == FP_LT) {
-      fp_add(&t2, modulus, &t2);
-   }
-   /* T1 = X + T1 */
-   fp_add(&t1, R->x, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* T2 = T1 * T2 */
-   fp_mul(&t1, &t2, &t2);
-   fp_montgomery_reduce(&t2, modulus, *mp);
-   /* T1 = 2T2 */
-   fp_add(&t2, &t2, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* T1 = T1 + T2 */
-   fp_add(&t1, &t2, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
+        /* default values */
+        key->idx = 0;
+        key->dp = NULL;
 
-   /* Y = 2Y */
-   fp_add(R->y, R->y, R->y);
-   if (fp_cmp(R->y, modulus) != FP_LT) {
-      fp_sub(R->y, modulus, R->y);
-   }
-   /* Y = Y * Y */
-   fp_sqr(R->y, R->y);
-   fp_montgomery_reduce(R->y, modulus, *mp);
-   /* T2 = Y * Y */
-   fp_sqr(R->y, &t2);
-   fp_montgomery_reduce(&t2, modulus, *mp);
-   /* T2 = T2/2 */
-   if (fp_isodd(&t2)) {
-      fp_add(&t2, modulus, &t2);
-   }
-   fp_div_2(&t2, &t2);
-   /* Y = Y * X */
-   fp_mul(R->y, R->x, R->y);
-   fp_montgomery_reduce(R->y, modulus, *mp);
+        /* find ecc_set based on curve_id or key size */
+        for (x = 0; ecc_sets[x].size != 0; x++) {
+            if (curve_id > ECC_CURVE_DEF) {
+                if (curve_id == ecc_sets[x].id)
+                  break;
+            }
+            else if (keysize <= ecc_sets[x].size) {
+                break;
+            }
+        }
+        if (ecc_sets[x].size == 0) {
+            WOLFSSL_MSG("ECC Curve not found");
+            return ECC_CURVE_OID_E;
+        }
 
-   /* X  = T1 * T1 */
-   fp_sqr(&t1, R->x);
-   fp_montgomery_reduce(R->x, modulus, *mp);
-   /* X = X - Y */
-   fp_sub(R->x, R->y, R->x);
-   if (fp_cmp_d(R->x, 0) == FP_LT) {
-      fp_add(R->x, modulus, R->x);
-   }
-   /* X = X - Y */
-   fp_sub(R->x, R->y, R->x);
-   if (fp_cmp_d(R->x, 0) == FP_LT) {
-      fp_add(R->x, modulus, R->x);
-   }
+        key->idx = x;
+        key->dp  = &ecc_sets[x];
+    }
 
-   /* Y = Y - X */     
-   fp_sub(R->y, R->x, R->y);
-   if (fp_cmp_d(R->y, 0) == FP_LT) {
-      fp_add(R->y, modulus, R->y);
-   }
-   /* Y = Y * T1 */
-   fp_mul(R->y, &t1, R->y);
-   fp_montgomery_reduce(R->y, modulus, *mp);
-   /* Y = Y - T2 */
-   fp_sub(R->y, &t2, R->y);
-   if (fp_cmp_d(R->y, 0) == FP_LT) {
-      fp_add(R->y, modulus, R->y);
-   }
- 
-   return MP_OKAY;
+    return 0;
 }
 
-#else /* USE_FAST_MATH */
+
+#ifdef ALT_ECC_SIZE
+static void alt_fp_init(mp_int* a)
+{
+    a->size = FP_SIZE_ECC;
+    mp_zero(a);
+}
+#endif /* ALT_ECC_SIZE */
+
+
+#ifndef WOLFSSL_ATECC508A
+
+#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_PUBLIC_ECC_ADD_DBL)
 
 /**
    Add two ECC points
    P        The point to add
    Q        The point to add
    R        [out] The destination of the double
+   a        ECC curve parameter a
    modulus  The modulus of the field the ECC curve is in
    mp       The "b" value from montgomery_setup()
    return   MP_OKAY on success
 */
 int ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R,
-                             mp_int* modulus, mp_digit* mp)
+                             mp_int* a, mp_int* modulus, mp_digit mp)
 {
-   mp_int t1;
-   mp_int t2;
-   mp_int x;
-   mp_int y;
-   mp_int z;
-   int    err;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+   mp_int* t1 = NULL;
+   mp_int* t2 = NULL;
+#ifdef ALT_ECC_SIZE
+   mp_int* rx = NULL;
+   mp_int* ry = NULL;
+   mp_int* rz = NULL;
+#endif
+#else
+   mp_int  t1[1], t2[1];
+#ifdef ALT_ECC_SIZE
+   mp_int  rx[1], ry[1], rz[1];
+#endif
+#endif
+   mp_int  *x, *y, *z;
+   int     err;
 
-   if (P == NULL || Q == NULL || R == NULL || modulus == NULL || mp == NULL)
+   if (P == NULL || Q == NULL || R == NULL || modulus == NULL) {
        return ECC_BAD_ARG_E;
+   }
+
+   /* if Q == R then swap P and Q, so we don't require a local x,y,z */
+   if (Q == R) {
+      ecc_point* tPt  = P;
+      P = Q;
+      Q = tPt;
+   }
 
-   if ((err = mp_init_multi(&t1, &t2, &x, &y, &z, NULL)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (R->key != NULL) {
+       t1 = R->key->t1;
+       t2 = R->key->t2;
+#ifdef ALT_ECC_SIZE
+       rx = R->key->x;
+       ry = R->key->y;
+       rz = R->key->z;
+#endif
+   }
+   else
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+   {
+       t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (t1 == NULL || t2 == NULL) {
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+#ifdef ALT_ECC_SIZE
+       rx = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       ry = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       rz = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (rx == NULL || ry == NULL || rz == NULL) {
+           XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+#endif
+   }
+#endif /* WOLFSSL_SMALL_STACK */
+
+   if ((err = mp_init_multi(t1, t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+   #ifdef WOLFSSL_SMALL_STACK_CACHE
+       if (R->key == NULL)
+   #endif
+       {
+       #ifdef ALT_ECC_SIZE
+          XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+       #endif
+          XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+       }
+#endif
       return err;
    }
-   
-   /* should we dbl instead? */
-   err = mp_sub(modulus, Q->y, &t1);
 
+   /* should we dbl instead? */
+   if (err == MP_OKAY)
+       err = mp_sub(modulus, Q->y, t1);
    if (err == MP_OKAY) {
-       if ( (mp_cmp(P->x, Q->x) == MP_EQ) && 
+       if ( (mp_cmp(P->x, Q->x) == MP_EQ) &&
             (get_digit_count(Q->z) && mp_cmp(P->z, Q->z) == MP_EQ) &&
-            (mp_cmp(P->y, Q->y) == MP_EQ || mp_cmp(P->y, &t1) == MP_EQ)) {
-                mp_clear(&t1);
-                mp_clear(&t2);
-                mp_clear(&x);
-                mp_clear(&y);
-                mp_clear(&z);
-
-                return ecc_projective_dbl_point(P, R, modulus, mp);
+            (mp_cmp(P->y, Q->y) == MP_EQ || mp_cmp(P->y, t1) == MP_EQ)) {
+           mp_clear(t1);
+           mp_clear(t2);
+    #ifdef WOLFSSL_SMALL_STACK
+       #ifdef WOLFSSL_SMALL_STACK_CACHE
+           if (R->key == NULL)
+       #endif
+           {
+            #ifdef ALT_ECC_SIZE
+               XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+               XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+               XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+            #endif
+               XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+               XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           }
+        #endif
+          return ecc_projective_dbl_point(P, R, a, modulus, mp);
        }
    }
 
+   if (err != MP_OKAY) {
+      goto done;
+   }
+
+/* If use ALT_ECC_SIZE we need to use local stack variable since
+   ecc_point x,y,z is reduced size */
+#ifdef ALT_ECC_SIZE
+   /* Use local stack variable */
+   x = rx;
+   y = ry;
+   z = rz;
+
+   if ((err = mp_init_multi(x, y, z, NULL, NULL, NULL)) != MP_OKAY) {
+      goto done;
+   }
+#else
+   /* Use destination directly */
+   x = R->x;
+   y = R->y;
+   z = R->z;
+#endif
+
    if (err == MP_OKAY)
-       err = mp_copy(P->x, &x);
+       err = mp_copy(P->x, x);
    if (err == MP_OKAY)
-       err = mp_copy(P->y, &y);
+       err = mp_copy(P->y, y);
    if (err == MP_OKAY)
-       err = mp_copy(P->z, &z);
+       err = mp_copy(P->z, z);
 
    /* if Z is one then these are no-operations */
    if (err == MP_OKAY) {
-       if (get_digit_count(Q->z)) {
+       if (!mp_iszero(Q->z)) {
            /* T1 = Z' * Z' */
-           err = mp_sqr(Q->z, &t1);
+           err = mp_sqr(Q->z, t1);
            if (err == MP_OKAY)
-               err = mp_montgomery_reduce(&t1, modulus, *mp);
+               err = mp_montgomery_reduce(t1, modulus, mp);
 
            /* X = X * T1 */
            if (err == MP_OKAY)
-               err = mp_mul(&t1, &x, &x);
+               err = mp_mul(t1, x, x);
            if (err == MP_OKAY)
-               err = mp_montgomery_reduce(&x, modulus, *mp);
+               err = mp_montgomery_reduce(x, modulus, mp);
 
            /* T1 = Z' * T1 */
            if (err == MP_OKAY)
-               err = mp_mul(Q->z, &t1, &t1);
+               err = mp_mul(Q->z, t1, t1);
            if (err == MP_OKAY)
-               err = mp_montgomery_reduce(&t1, modulus, *mp);
+               err = mp_montgomery_reduce(t1, modulus, mp);
 
            /* Y = Y * T1 */
            if (err == MP_OKAY)
-               err = mp_mul(&t1, &y, &y);
+               err = mp_mul(t1, y, y);
            if (err == MP_OKAY)
-               err = mp_montgomery_reduce(&y, modulus, *mp);
+               err = mp_montgomery_reduce(y, modulus, mp);
        }
    }
 
    /* T1 = Z*Z */
    if (err == MP_OKAY)
-       err = mp_sqr(&z, &t1);
+       err = mp_sqr(z, t1);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
+       err = mp_montgomery_reduce(t1, modulus, mp);
 
    /* T2 = X' * T1 */
    if (err == MP_OKAY)
-       err = mp_mul(Q->x, &t1, &t2);
+       err = mp_mul(Q->x, t1, t2);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t2, modulus, *mp);
+       err = mp_montgomery_reduce(t2, modulus, mp);
 
    /* T1 = Z * T1 */
    if (err == MP_OKAY)
-       err = mp_mul(&z, &t1, &t1);
+       err = mp_mul(z, t1, t1);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
+       err = mp_montgomery_reduce(t1, modulus, mp);
 
    /* T1 = Y' * T1 */
    if (err == MP_OKAY)
-       err = mp_mul(Q->y, &t1, &t1);
+       err = mp_mul(Q->y, t1, t1);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
+       err = mp_montgomery_reduce(t1, modulus, mp);
 
    /* Y = Y - T1 */
    if (err == MP_OKAY)
-       err = mp_sub(&y, &t1, &y);
+       err = mp_sub(y, t1, y);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&y, 0) == MP_LT)
-           err = mp_add(&y, modulus, &y);
+       if (mp_isneg(y))
+           err = mp_add(y, modulus, y);
    }
    /* T1 = 2T1 */
    if (err == MP_OKAY)
-       err = mp_add(&t1, &t1, &t1);
+       err = mp_add(t1, t1, t1);
    if (err == MP_OKAY) {
-       if (mp_cmp(&t1, modulus) != MP_LT)
-           err = mp_sub(&t1, modulus, &t1);
+       if (mp_cmp(t1, modulus) != MP_LT)
+           err = mp_sub(t1, modulus, t1);
    }
    /* T1 = Y + T1 */
    if (err == MP_OKAY)
-       err = mp_add(&t1, &y, &t1);
+       err = mp_add(t1, y, t1);
    if (err == MP_OKAY) {
-       if (mp_cmp(&t1, modulus) != MP_LT)
-           err = mp_sub(&t1, modulus, &t1);
+       if (mp_cmp(t1, modulus) != MP_LT)
+           err = mp_sub(t1, modulus, t1);
    }
    /* X = X - T2 */
    if (err == MP_OKAY)
-       err = mp_sub(&x, &t2, &x);
+       err = mp_sub(x, t2, x);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&x, 0) == MP_LT)
-           err = mp_add(&x, modulus, &x);
+       if (mp_isneg(x))
+           err = mp_add(x, modulus, x);
    }
    /* T2 = 2T2 */
    if (err == MP_OKAY)
-       err = mp_add(&t2, &t2, &t2);
+       err = mp_add(t2, t2, t2);
    if (err == MP_OKAY) {
-       if (mp_cmp(&t2, modulus) != MP_LT)
-           err = mp_sub(&t2, modulus, &t2);
+       if (mp_cmp(t2, modulus) != MP_LT)
+           err = mp_sub(t2, modulus, t2);
    }
    /* T2 = X + T2 */
    if (err == MP_OKAY)
-       err = mp_add(&t2, &x, &t2);
+       err = mp_add(t2, x, t2);
    if (err == MP_OKAY) {
-       if (mp_cmp(&t2, modulus) != MP_LT)
-           err = mp_sub(&t2, modulus, &t2);
+       if (mp_cmp(t2, modulus) != MP_LT)
+           err = mp_sub(t2, modulus, t2);
    }
 
    if (err == MP_OKAY) {
-       if (get_digit_count(Q->z)) {
+       if (!mp_iszero(Q->z)) {
            /* Z = Z * Z' */
-           err = mp_mul(&z, Q->z, &z);
+           err = mp_mul(z, Q->z, z);
            if (err == MP_OKAY)
-               err = mp_montgomery_reduce(&z, modulus, *mp);
+               err = mp_montgomery_reduce(z, modulus, mp);
        }
    }
 
    /* Z = Z * X */
    if (err == MP_OKAY)
-       err = mp_mul(&z, &x, &z);
+       err = mp_mul(z, x, z);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&z, modulus, *mp);
+       err = mp_montgomery_reduce(z, modulus, mp);
 
    /* T1 = T1 * X  */
    if (err == MP_OKAY)
-       err = mp_mul(&t1, &x, &t1);
+       err = mp_mul(t1, x, t1);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
+       err = mp_montgomery_reduce(t1, modulus, mp);
 
    /* X = X * X */
    if (err == MP_OKAY)
-       err = mp_sqr(&x, &x);
+       err = mp_sqr(x, x);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&x, modulus, *mp);
-   
+       err = mp_montgomery_reduce(x, modulus, mp);
+
    /* T2 = T2 * x */
    if (err == MP_OKAY)
-       err = mp_mul(&t2, &x, &t2);
+       err = mp_mul(t2, x, t2);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t2, modulus, *mp);
+       err = mp_montgomery_reduce(t2, modulus, mp);
 
    /* T1 = T1 * X  */
    if (err == MP_OKAY)
-       err = mp_mul(&t1, &x, &t1);
+       err = mp_mul(t1, x, t1);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
- 
+       err = mp_montgomery_reduce(t1, modulus, mp);
+
    /* X = Y*Y */
    if (err == MP_OKAY)
-       err = mp_sqr(&y, &x);
+       err = mp_sqr(y, x);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&x, modulus, *mp);
+       err = mp_montgomery_reduce(x, modulus, mp);
 
    /* X = X - T2 */
    if (err == MP_OKAY)
-       err = mp_sub(&x, &t2, &x);
+       err = mp_sub(x, t2, x);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&x, 0) == MP_LT)
-           err = mp_add(&x, modulus, &x);
+       if (mp_isneg(x))
+           err = mp_add(x, modulus, x);
    }
    /* T2 = T2 - X */
    if (err == MP_OKAY)
-       err = mp_sub(&t2, &x, &t2);
+       err = mp_sub(t2, x, t2);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&t2, 0) == MP_LT)
-           err = mp_add(&t2, modulus, &t2);
-   } 
+       if (mp_isneg(t2))
+           err = mp_add(t2, modulus, t2);
+   }
    /* T2 = T2 - X */
    if (err == MP_OKAY)
-       err = mp_sub(&t2, &x, &t2);
+       err = mp_sub(t2, x, t2);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&t2, 0) == MP_LT)
-           err = mp_add(&t2, modulus, &t2);
+       if (mp_isneg(t2))
+           err = mp_add(t2, modulus, t2);
    }
    /* T2 = T2 * Y */
    if (err == MP_OKAY)
-       err = mp_mul(&t2, &y, &t2);
+       err = mp_mul(t2, y, t2);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t2, modulus, *mp);
+       err = mp_montgomery_reduce(t2, modulus, mp);
 
    /* Y = T2 - T1 */
    if (err == MP_OKAY)
-       err = mp_sub(&t2, &t1, &y);
+       err = mp_sub(t2, t1, y);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&y, 0) == MP_LT)
-           err = mp_add(&y, modulus, &y);
+       if (mp_isneg(y))
+           err = mp_add(y, modulus, y);
    }
    /* Y = Y/2 */
    if (err == MP_OKAY) {
-       if (mp_isodd(&y))
-           err = mp_add(&y, modulus, &y);
+       if (mp_isodd(y) == MP_YES)
+           err = mp_add(y, modulus, y);
    }
    if (err == MP_OKAY)
-       err = mp_div_2(&y, &y);
+       err = mp_div_2(y, y);
 
+#ifdef ALT_ECC_SIZE
    if (err == MP_OKAY)
-       err = mp_copy(&x, R->x);
+       err = mp_copy(x, R->x);
    if (err == MP_OKAY)
-       err = mp_copy(&y, R->y);
+       err = mp_copy(y, R->y);
    if (err == MP_OKAY)
-       err = mp_copy(&z, R->z);
+       err = mp_copy(z, R->z);
+#endif
+
+done:
 
    /* clean up */
-   mp_clear(&t1);
-   mp_clear(&t2);
-   mp_clear(&x);
-   mp_clear(&y);
-   mp_clear(&z);
+   mp_clear(t1);
+   mp_clear(t2);
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (R->key == NULL)
+#endif
+   {
+   #ifdef ALT_ECC_SIZE
+      XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+   #endif
+      XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+   }
+#endif
 
    return err;
+#else
+    if (P == NULL || Q == NULL || R == NULL || modulus == NULL) {
+        return ECC_BAD_ARG_E;
+    }
+
+    (void)a;
+    (void)mp;
+
+#ifndef WOLFSSL_SP_NO_256
+    if (mp_count_bits(modulus) == 256) {
+        return sp_ecc_proj_add_point_256(P->x, P->y, P->z, Q->x, Q->y, Q->z,
+                                         R->x, R->y, R->z);
+    }
+#endif
+#ifdef WOLFSSL_SP_384
+    if (mp_count_bits(modulus) == 384) {
+        return sp_ecc_proj_add_point_384(P->x, P->y, P->z, Q->x, Q->y, Q->z,
+                                         R->x, R->y, R->z);
+    }
+#endif
+    return ECC_BAD_ARG_E;
+#endif
 }
 
+/* ### Point doubling in Jacobian coordinate system ###
+ *
+ * let us have a curve:                 y^2 = x^3 + a*x + b
+ * in Jacobian coordinates it becomes:  y^2 = x^3 + a*x*z^4 + b*z^6
+ *
+ * The doubling of P = (Xp, Yp, Zp) is given by R = (Xr, Yr, Zr) where:
+ * Xr = M^2 - 2*S
+ * Yr = M * (S - Xr) - 8*T
+ * Zr = 2 * Yp * Zp
+ *
+ * M = 3 * Xp^2 + a*Zp^4
+ * T = Yp^4
+ * S = 4 * Xp * Yp^2
+ *
+ * SPECIAL CASE: when a == 3 we can compute M as
+ * M = 3 * (Xp^2 - Zp^4) = 3 * (Xp + Zp^2) * (Xp - Zp^2)
+ */
 
 /**
    Double an ECC point
    P   The point to double
    R   [out] The destination of the double
+   a   ECC curve parameter a
    modulus  The modulus of the field the ECC curve is in
    mp       The "b" value from montgomery_setup()
    return   MP_OKAY on success
 */
-int ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mp_int* modulus,
-                             mp_digit* mp)
+int ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mp_int* a,
+                                       mp_int* modulus, mp_digit mp)
 {
-   mp_int t1;
-   mp_int t2;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+   mp_int* t1 = NULL;
+   mp_int* t2 = NULL;
+#ifdef ALT_ECC_SIZE
+   mp_int* rx = NULL;
+   mp_int* ry = NULL;
+   mp_int* rz = NULL;
+#endif
+#else
+   mp_int  t1[1], t2[1];
+#ifdef ALT_ECC_SIZE
+   mp_int  rx[1], ry[1], rz[1];
+#endif
+#endif
+   mp_int *x, *y, *z;
    int    err;
 
-   if (P == NULL || R == NULL || modulus == NULL || mp == NULL)
+   if (P == NULL || R == NULL || modulus == NULL)
        return ECC_BAD_ARG_E;
 
-   if ((err = mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (R->key != NULL) {
+       t1 = R->key->t1;
+       t2 = R->key->t2;
+   #ifdef ALT_ECC_SIZE
+       rx = R->key->x;
+       ry = R->key->y;
+       rz = R->key->z;
+   #endif
+   }
+   else
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+   {
+       t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (t1 == NULL || t2 == NULL) {
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+    #ifdef ALT_ECC_SIZE
+       rx = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       ry = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       rz = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (rx == NULL || ry == NULL || rz == NULL) {
+           XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+    #endif
+    }
+#endif
+
+   if ((err = mp_init_multi(t1, t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    if (R->key == NULL)
+#endif
+    {
+    #ifdef ALT_ECC_SIZE
+       XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+       XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+     }
+#endif
       return err;
    }
 
-   if (P != R) {
-      err = mp_copy(P->x, R->x);
-      if (err == MP_OKAY)
-          err = mp_copy(P->y, R->y);
-      if (err == MP_OKAY)
-          err = mp_copy(P->z, R->z);
+/* If use ALT_ECC_SIZE we need to use local stack variable since
+   ecc_point x,y,z is reduced size */
+#ifdef ALT_ECC_SIZE
+   /* Use local stack variable */
+   x = rx;
+   y = ry;
+   z = rz;
+
+   if ((err = mp_init_multi(x, y, z, NULL, NULL, NULL)) != MP_OKAY) {
+       mp_clear(t1);
+       mp_clear(t2);
+    #ifdef WOLFSSL_SMALL_STACK
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+       if (R->key == NULL)
+    #endif
+       {
+       #ifdef ALT_ECC_SIZE
+          XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+       #endif
+          XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+          XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+       }
+    #endif
+       return err;
    }
+#else
+   /* Use destination directly */
+   x = R->x;
+   y = R->y;
+   z = R->z;
+#endif
 
-   /* t1 = Z * Z */
    if (err == MP_OKAY)
-       err = mp_sqr(R->z, &t1);
+       err = mp_copy(P->x, x);
+   if (err == MP_OKAY)
+       err = mp_copy(P->y, y);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t1, modulus, *mp);
+       err = mp_copy(P->z, z);
+
+   /* T1 = Z * Z */
+   if (err == MP_OKAY)
+       err = mp_sqr(z, t1);
+   if (err == MP_OKAY)
+       err = mp_montgomery_reduce(t1, modulus, mp);
 
    /* Z = Y * Z */
    if (err == MP_OKAY)
-       err = mp_mul(R->z, R->y, R->z);
+       err = mp_mul(z, y, z);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(R->z, modulus, *mp);
+       err = mp_montgomery_reduce(z, modulus, mp);
 
    /* Z = 2Z */
    if (err == MP_OKAY)
-       err = mp_add(R->z, R->z, R->z);
+       err = mp_add(z, z, z);
    if (err == MP_OKAY) {
-       if (mp_cmp(R->z, modulus) != MP_LT)
-           err = mp_sub(R->z, modulus, R->z);
+       if (mp_cmp(z, modulus) != MP_LT)
+           err = mp_sub(z, modulus, z);
    }
 
-   /* T2 = X - T1 */
-   if (err == MP_OKAY)
-       err = mp_sub(R->x, &t1, &t2);
-   if (err == MP_OKAY) {
-       if (mp_cmp_d(&t2, 0) == MP_LT)
-           err = mp_add(&t2, modulus, &t2);
-   }
-   /* T1 = X + T1 */
-   if (err == MP_OKAY)
-       err = mp_add(&t1, R->x, &t1);
+   /* Determine if curve "a" should be used in calc */
+#ifdef WOLFSSL_CUSTOM_CURVES
    if (err == MP_OKAY) {
-       if (mp_cmp(&t1, modulus) != MP_LT)
-           err = mp_sub(&t1, modulus, &t1);
+      /* Use a and prime to determine if a == 3 */
+      err = mp_submod(modulus, a, modulus, t2);
    }
-   /* T2 = T1 * T2 */
-   if (err == MP_OKAY)
-       err = mp_mul(&t1, &t2, &t2);
-   if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t2, modulus, *mp);
+   if (err == MP_OKAY && mp_cmp_d(t2, 3) != MP_EQ) {
+      /* use "a" in calc */
 
-   /* T1 = 2T2 */
-   if (err == MP_OKAY)
-       err = mp_add(&t2, &t2, &t1);
-   if (err == MP_OKAY) {
-       if (mp_cmp(&t1, modulus) != MP_LT)
-           err = mp_sub(&t1, modulus, &t1);
+      /* T2 = T1 * T1 */
+      if (err == MP_OKAY)
+          err = mp_sqr(t1, t2);
+      if (err == MP_OKAY)
+          err = mp_montgomery_reduce(t2, modulus, mp);
+      /* T1 = T2 * a */
+      if (err == MP_OKAY)
+          err = mp_mulmod(t2, a, modulus, t1);
+      /* T2 = X * X */
+      if (err == MP_OKAY)
+          err = mp_sqr(x, t2);
+      if (err == MP_OKAY)
+          err = mp_montgomery_reduce(t2, modulus, mp);
+      /* T1 = T2 + T1 */
+      if (err == MP_OKAY)
+          err = mp_add(t1, t2, t1);
+      if (err == MP_OKAY) {
+         if (mp_cmp(t1, modulus) != MP_LT)
+            err = mp_sub(t1, modulus, t1);
+      }
+      /* T1 = T2 + T1 */
+      if (err == MP_OKAY)
+          err = mp_add(t1, t2, t1);
+      if (err == MP_OKAY) {
+          if (mp_cmp(t1, modulus) != MP_LT)
+              err = mp_sub(t1, modulus, t1);
+      }
+      /* T1 = T2 + T1 */
+      if (err == MP_OKAY)
+          err = mp_add(t1, t2, t1);
+      if (err == MP_OKAY) {
+         if (mp_cmp(t1, modulus) != MP_LT)
+            err = mp_sub(t1, modulus, t1);
+      }
    }
-   /* T1 = T1 + T2 */
-   if (err == MP_OKAY)
-       err = mp_add(&t1, &t2, &t1);
-   if (err == MP_OKAY) {
-       if (mp_cmp(&t1, modulus) != MP_LT)
-           err = mp_sub(&t1, modulus, &t1);
+   else
+#endif /* WOLFSSL_CUSTOM_CURVES */
+   {
+      /* assumes "a" == 3 */
+      (void)a;
+
+      /* T2 = X - T1 */
+      if (err == MP_OKAY)
+          err = mp_sub(x, t1, t2);
+      if (err == MP_OKAY) {
+          if (mp_isneg(t2))
+              err = mp_add(t2, modulus, t2);
+      }
+      /* T1 = X + T1 */
+      if (err == MP_OKAY)
+          err = mp_add(t1, x, t1);
+      if (err == MP_OKAY) {
+          if (mp_cmp(t1, modulus) != MP_LT)
+              err = mp_sub(t1, modulus, t1);
+      }
+      /* T2 = T1 * T2 */
+      if (err == MP_OKAY)
+          err = mp_mul(t1, t2, t2);
+      if (err == MP_OKAY)
+          err = mp_montgomery_reduce(t2, modulus, mp);
+
+      /* T1 = 2T2 */
+      if (err == MP_OKAY)
+          err = mp_add(t2, t2, t1);
+      if (err == MP_OKAY) {
+          if (mp_cmp(t1, modulus) != MP_LT)
+              err = mp_sub(t1, modulus, t1);
+      }
+      /* T1 = T1 + T2 */
+      if (err == MP_OKAY)
+          err = mp_add(t1, t2, t1);
+      if (err == MP_OKAY) {
+          if (mp_cmp(t1, modulus) != MP_LT)
+              err = mp_sub(t1, modulus, t1);
+      }
    }
+
    /* Y = 2Y */
    if (err == MP_OKAY)
-       err = mp_add(R->y, R->y, R->y);
+       err = mp_add(y, y, y);
    if (err == MP_OKAY) {
-       if (mp_cmp(R->y, modulus) != MP_LT)
-           err = mp_sub(R->y, modulus, R->y);
+       if (mp_cmp(y, modulus) != MP_LT)
+           err = mp_sub(y, modulus, y);
    }
    /* Y = Y * Y */
    if (err == MP_OKAY)
-       err = mp_sqr(R->y, R->y);
+       err = mp_sqr(y, y);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(R->y, modulus, *mp);
-   
+       err = mp_montgomery_reduce(y, modulus, mp);
+
    /* T2 = Y * Y */
    if (err == MP_OKAY)
-       err = mp_sqr(R->y, &t2);
+       err = mp_sqr(y, t2);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(&t2, modulus, *mp);
+       err = mp_montgomery_reduce(t2, modulus, mp);
 
    /* T2 = T2/2 */
    if (err == MP_OKAY) {
-       if (mp_isodd(&t2))
-           err = mp_add(&t2, modulus, &t2);
+       if (mp_isodd(t2) == MP_YES)
+           err = mp_add(t2, modulus, t2);
    }
    if (err == MP_OKAY)
-       err = mp_div_2(&t2, &t2);
-   
+       err = mp_div_2(t2, t2);
+
    /* Y = Y * X */
    if (err == MP_OKAY)
-       err = mp_mul(R->y, R->x, R->y);
+       err = mp_mul(y, x, y);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(R->y, modulus, *mp);
+       err = mp_montgomery_reduce(y, modulus, mp);
 
-   /* X  = T1 * T1 */
+   /* X = T1 * T1 */
    if (err == MP_OKAY)
-       err = mp_sqr(&t1, R->x);
+       err = mp_sqr(t1, x);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(R->x, modulus, *mp);
+       err = mp_montgomery_reduce(x, modulus, mp);
 
    /* X = X - Y */
    if (err == MP_OKAY)
-       err = mp_sub(R->x, R->y, R->x);
+       err = mp_sub(x, y, x);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(R->x, 0) == MP_LT)
-           err = mp_add(R->x, modulus, R->x);
+       if (mp_isneg(x))
+           err = mp_add(x, modulus, x);
    }
    /* X = X - Y */
    if (err == MP_OKAY)
-       err = mp_sub(R->x, R->y, R->x);
+       err = mp_sub(x, y, x);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(R->x, 0) == MP_LT)
-           err = mp_add(R->x, modulus, R->x);
+       if (mp_isneg(x))
+           err = mp_add(x, modulus, x);
    }
-   /* Y = Y - X */     
+
+   /* Y = Y - X */
    if (err == MP_OKAY)
-       err = mp_sub(R->y, R->x, R->y);
+       err = mp_sub(y, x, y);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(R->y, 0) == MP_LT)
-           err = mp_add(R->y, modulus, R->y);
+       if (mp_isneg(y))
+           err = mp_add(y, modulus, y);
    }
    /* Y = Y * T1 */
    if (err == MP_OKAY)
-       err = mp_mul(R->y, &t1, R->y);
+       err = mp_mul(y, t1, y);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(R->y, modulus, *mp);
+       err = mp_montgomery_reduce(y, modulus, mp);
 
    /* Y = Y - T2 */
    if (err == MP_OKAY)
-       err = mp_sub(R->y, &t2, R->y);
+       err = mp_sub(y, t2, y);
    if (err == MP_OKAY) {
-       if (mp_cmp_d(R->y, 0) == MP_LT)
-           err = mp_add(R->y, modulus, R->y);
+       if (mp_isneg(y))
+           err = mp_add(y, modulus, y);
    }
 
-   /* clean up */ 
-   mp_clear(&t1);
-   mp_clear(&t2);
+#ifdef ALT_ECC_SIZE
+   if (err == MP_OKAY)
+       err = mp_copy(x, R->x);
+   if (err == MP_OKAY)
+       err = mp_copy(y, R->y);
+   if (err == MP_OKAY)
+       err = mp_copy(z, R->z);
+#endif
+
+   /* clean up */
+   mp_clear(t1);
+   mp_clear(t2);
+
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (R->key == NULL)
+#endif
+   {
+    #ifdef ALT_ECC_SIZE
+       XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+       XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+       XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
 
    return err;
+#else
+    if (P == NULL || R == NULL || modulus == NULL)
+        return ECC_BAD_ARG_E;
+
+    (void)a;
+    (void)mp;
+
+#ifndef WOLFSSL_SP_NO_256
+    if (mp_count_bits(modulus) == 256) {
+        return sp_ecc_proj_dbl_point_256(P->x, P->y, P->z, R->x, R->y, R->z);
+    }
+#endif
+#ifdef WOLFSSL_SP_384
+    if (mp_count_bits(modulus) == 384) {
+        return sp_ecc_proj_dbl_point_384(P->x, P->y, P->z, R->x, R->y, R->z);
+    }
+#endif
+    return ECC_BAD_ARG_E;
+#endif
 }
 
-#endif /* USE_FAST_MATH */
 
 /**
-  Map a projective jacbobian point back to affine space
+  Map a projective Jacobian point back to affine space
   P        [in/out] The point to map
   modulus  The modulus of the field the ECC curve is in
   mp       The "b" value from montgomery_setup()
+  ct       Operation should be constant time.
   return   MP_OKAY on success
 */
-int ecc_map(ecc_point* P, mp_int* modulus, mp_digit* mp)
+int ecc_map_ex(ecc_point* P, mp_int* modulus, mp_digit mp, int ct)
 {
-   mp_int t1;
-   mp_int t2;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+   mp_int* t1 = NULL;
+   mp_int* t2 = NULL;
+#ifdef ALT_ECC_SIZE
+   mp_int* rx = NULL;
+   mp_int* ry = NULL;
+   mp_int* rz = NULL;
+#endif
+#else
+   mp_int  t1[1], t2[1];
+#ifdef ALT_ECC_SIZE
+   mp_int  rx[1], ry[1], rz[1];
+#endif
+#endif /* WOLFSSL_SMALL_STACK */
+   mp_int *x, *y, *z;
    int    err;
 
-   if (P == NULL || mp == NULL || modulus == NULL)
+   (void)ct;
+
+   if (P == NULL || modulus == NULL)
        return ECC_BAD_ARG_E;
 
    /* special case for point at infinity */
    if (mp_cmp_d(P->z, 0) == MP_EQ) {
-       mp_set(P->x, 0);
-       mp_set(P->y, 0);
-       mp_set(P->z, 1);
-       return MP_OKAY;
+       err = mp_set(P->x, 0);
+       if (err == MP_OKAY)
+           err = mp_set(P->y, 0);
+       if (err == MP_OKAY)
+           err = mp_set(P->z, 1);
+       return err;
+   }
+
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (P->key != NULL) {
+       t1 = P->key->t1;
+       t2 = P->key->t2;
+   #ifdef ALT_ECC_SIZE
+       rx = P->key->x;
+       ry = P->key->y;
+       rz = P->key->z;
+   #endif
+   }
+   else
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+   {
+       t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (t1 == NULL || t2 == NULL) {
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+#ifdef ALT_ECC_SIZE
+       rx = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       ry = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       rz = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+       if (rx == NULL || ry == NULL || rz == NULL) {
+           XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+           XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+           return MEMORY_E;
+       }
+#endif
    }
+#endif /* WOLFSSL_SMALL_STACK */
 
-   if ((err = mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+   if ((err = mp_init_multi(t1, t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+      if (P->key == NULL)
+#endif
+      {
+      #ifdef ALT_ECC_SIZE
+         XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+         XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+         XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+      #endif
+         XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+         XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+      }
+#endif
       return MEMORY_E;
    }
 
-   /* first map z back to normal */
-   err = mp_montgomery_reduce(P->z, modulus, *mp);
+#ifdef ALT_ECC_SIZE
+   /* Use local stack variable */
+   x = rx;
+   y = ry;
+   z = rz;
 
-   /* get 1/z */
+   if ((err = mp_init_multi(x, y, z, NULL, NULL, NULL)) != MP_OKAY) {
+       goto done;
+   }
+
+   if (err == MP_OKAY)
+       err = mp_copy(P->x, x);
+   if (err == MP_OKAY)
+       err = mp_copy(P->y, y);
    if (err == MP_OKAY)
-       err = mp_invmod(P->z, modulus, &t1);
- 
+       err = mp_copy(P->z, z);
+
+   if (err != MP_OKAY) {
+      goto done;
+   }
+#else
+   /* Use destination directly */
+   x = P->x;
+   y = P->y;
+   z = P->z;
+#endif
+
+   /* get 1/z */
+   if (err == MP_OKAY) {
+#if defined(ECC_TIMING_RESISTANT) && defined(USE_FAST_MATH)
+       if (ct) {
+           err = mp_invmod_mont_ct(z, modulus, t1, mp);
+           if (err == MP_OKAY)
+               err = mp_montgomery_reduce(t1, modulus, mp);
+       }
+       else
+#endif
+       {
+           /* first map z back to normal */
+           err = mp_montgomery_reduce(z, modulus, mp);
+           if (err == MP_OKAY)
+               err = mp_invmod(z, modulus, t1);
+       }
+   }
+
    /* get 1/z^2 and 1/z^3 */
    if (err == MP_OKAY)
-       err = mp_sqr(&t1, &t2);
+       err = mp_sqr(t1, t2);
    if (err == MP_OKAY)
-       err = mp_mod(&t2, modulus, &t2);
+       err = mp_mod(t2, modulus, t2);
    if (err == MP_OKAY)
-       err = mp_mul(&t1, &t2, &t1);
+       err = mp_mul(t1, t2, t1);
    if (err == MP_OKAY)
-       err = mp_mod(&t1, modulus, &t1);
+       err = mp_mod(t1, modulus, t1);
 
    /* multiply against x/y */
    if (err == MP_OKAY)
-       err = mp_mul(P->x, &t2, P->x);
+       err = mp_mul(x, t2, x);
+   if (err == MP_OKAY)
+       err = mp_montgomery_reduce(x, modulus, mp);
+   if (err == MP_OKAY)
+       err = mp_mul(y, t1, y);
+   if (err == MP_OKAY)
+       err = mp_montgomery_reduce(y, modulus, mp);
+
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(P->x, modulus, *mp);
+       err = mp_set(z, 1);
+
+#ifdef ALT_ECC_SIZE
+   /* return result */
    if (err == MP_OKAY)
-       err = mp_mul(P->y, &t1, P->y);
+      err = mp_copy(x, P->x);
    if (err == MP_OKAY)
-       err = mp_montgomery_reduce(P->y, modulus, *mp);
-   
+      err = mp_copy(y, P->y);
    if (err == MP_OKAY)
-       mp_set(P->z, 1);
+      err = mp_copy(z, P->z);
+
+done:
+#endif
 
    /* clean up */
-   mp_clear(&t1);
-   mp_clear(&t2);
+   mp_clear(t1);
+   mp_clear(t2);
+
+#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   if (P->key == NULL)
+#endif
+   {
+   #ifdef ALT_ECC_SIZE
+      XFREE(rz, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(ry, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(rx, NULL, DYNAMIC_TYPE_ECC);
+   #endif
+      XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+   }
+#endif
 
    return err;
-}
+#else
+    if (P == NULL || modulus == NULL)
+        return ECC_BAD_ARG_E;
 
+    (void)mp;
 
-#ifndef ECC_TIMING_RESISTANT
+#ifndef WOLFSSL_SP_NO_256
+    if (mp_count_bits(modulus) == 256) {
+        return sp_ecc_map_256(P->x, P->y, P->z);
+    }
+#endif
+#ifdef WOLFSSL_SP_384
+    if (mp_count_bits(modulus) == 384) {
+        return sp_ecc_map_384(P->x, P->y, P->z);
+    }
+#endif
+    return ECC_BAD_ARG_E;
+#endif
+}
+
+int ecc_map(ecc_point* P, mp_int* modulus, mp_digit mp)
+{
+    return ecc_map_ex(P, modulus, mp, 0);
+}
+#endif /* !WOLFSSL_SP_MATH || WOLFSSL_PUBLIC_ECC_ADD_DBL */
 
-/* size of sliding window, don't change this! */
-#define WINSIZE 4
+#if !defined(FREESCALE_LTC_ECC) && !defined(WOLFSSL_STM32_PKA)
 
+#if !defined(FP_ECC) || !defined(WOLFSSL_SP_MATH)
 /**
-   Perform a point multiplication 
+   Perform a point multiplication
    k    The scalar to multiply by
    G    The base point
    R    [out] Destination for kG
+   a    ECC curve parameter a
    modulus  The modulus of the field the ECC curve is in
    map      Boolean whether to map back to affine or not
                 (1==map, 0 == leave in projective)
@@ -1007,83 +2521,182 @@ int ecc_map(ecc_point* P, mp_int* modulus, mp_digit* mp)
 */
 #ifdef FP_ECC
 static int normal_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R,
-                             mp_int* modulus, int map)
+                  mp_int* a, mp_int* modulus, int map,
+                  void* heap)
 #else
-static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
-                      int map)
+int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
+                  mp_int* a, mp_int* modulus, int map,
+                  void* heap)
 #endif
 {
-   ecc_point *tG, *M[8];
-   int           i, j, err;
-   mp_int        mu;
+#ifndef WOLFSSL_SP_MATH
+#ifndef ECC_TIMING_RESISTANT
+   /* size of sliding window, don't change this! */
+   #define WINSIZE  4
+   #define M_POINTS 8
+   int           first = 1, bitbuf = 0, bitcpy = 0, j;
+#elif defined(WC_NO_CACHE_RESISTANT)
+   #define M_POINTS 4
+#else
+   #define M_POINTS 5
+#endif
+
+   ecc_point     *tG, *M[M_POINTS];
+   int           i, err;
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   ecc_key       key;
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+   mp_int*       mu = NULL;
+#else
+   mp_int        mu[1];
+#endif
    mp_digit      mp;
    mp_digit      buf;
-   int           first = 1, bitbuf = 0, bitcpy = 0, bitcnt = 0, mode = 0,
-                 digidx = 0;
+   int           bitcnt = 0, mode = 0, digidx = 0;
 
-   if (k == NULL || G == NULL || R == NULL || modulus == NULL)
+   if (k == NULL || G == NULL || R == NULL || modulus == NULL) {
        return ECC_BAD_ARG_E;
+   }
+
+   /* init variables */
+   tG = NULL;
+   XMEMSET(M, 0, sizeof(M));
+#ifdef WOLFSSL_SMALL_STACK
+   mu = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+   if (mu == NULL)
+       return MEMORY_E;
+#endif
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   key.t1 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+   key.t2 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+#ifdef ALT_ECC_SIZE
+   key.x = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+   key.y = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+   key.z = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+#endif
+   if (key.t1 == NULL || key.t2 == NULL
+#ifdef ALT_ECC_SIZE
+      || key.x == NULL || key.y == NULL || key.z == NULL
+#endif
+   ) {
+#ifdef ALT_ECC_SIZE
+       XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+       XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+       XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+       return MEMORY_E;
+   }
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
 
    /* init montgomery reduction */
    if ((err = mp_montgomery_setup(modulus, &mp)) != MP_OKAY) {
-      return err;
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+#ifdef ALT_ECC_SIZE
+       XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+       XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+#ifdef WOLFSSL_SMALL_STACK
+       XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+#endif
+       return err;
    }
-   if ((err = mp_init(&mu)) != MP_OKAY) {
-      return err;
+
+   if ((err = mp_init(mu)) != MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+#ifdef ALT_ECC_SIZE
+       XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+       XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+#ifdef WOLFSSL_SMALL_STACK
+       XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+#endif
+       return err;
    }
-   if ((err = mp_montgomery_calc_normalization(&mu, modulus)) != MP_OKAY) {
-      mp_clear(&mu);
-      return err;
+   if ((err = mp_montgomery_calc_normalization(mu, modulus)) != MP_OKAY) {
+       mp_clear(mu);
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+#ifdef ALT_ECC_SIZE
+       XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+       XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+       XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+#ifdef WOLFSSL_SMALL_STACK
+       XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+#endif
+       return err;
    }
-  
+
   /* alloc ram for window temps */
-  for (i = 0; i < 8; i++) {
-      M[i] = ecc_new_point();
+  for (i = 0; i < M_POINTS; i++) {
+      M[i] = wc_ecc_new_point_h(heap);
       if (M[i] == NULL) {
-         for (j = 0; j < i; j++) {
-             ecc_del_point(M[j]);
-         }
-         mp_clear(&mu);
-         return MEMORY_E;
+         mp_clear(mu);
+         err = MEMORY_E; goto exit;
       }
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+      M[i]->key = &key;
+#endif
   }
 
-   /* make a copy of G incase R==G */
-   tG = ecc_new_point();
+   /* make a copy of G in case R==G */
+   tG = wc_ecc_new_point_h(heap);
    if (tG == NULL)
        err = MEMORY_E;
 
    /* tG = G  and convert to montgomery */
    if (err == MP_OKAY) {
-       if (mp_cmp_d(&mu, 1) == MP_EQ) {
+       if (mp_cmp_d(mu, 1) == MP_EQ) {
            err = mp_copy(G->x, tG->x);
            if (err == MP_OKAY)
                err = mp_copy(G->y, tG->y);
            if (err == MP_OKAY)
                err = mp_copy(G->z, tG->z);
        } else {
-           err = mp_mulmod(G->x, &mu, modulus, tG->x);
+           err = mp_mulmod(G->x, mu, modulus, tG->x);
            if (err == MP_OKAY)
-               err = mp_mulmod(G->y, &mu, modulus, tG->y);
+               err = mp_mulmod(G->y, mu, modulus, tG->y);
            if (err == MP_OKAY)
-               err = mp_mulmod(G->z, &mu, modulus, tG->z);
+               err = mp_mulmod(G->z, mu, modulus, tG->z);
        }
    }
-   mp_clear(&mu);
-   
+
+   /* done with mu */
+   mp_clear(mu);
+
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   R->key = &key;
+#endif
+#ifndef ECC_TIMING_RESISTANT
+
    /* calc the M tab, which holds kG for k==8..15 */
    /* M[0] == 8G */
    if (err == MP_OKAY)
-       err = ecc_projective_dbl_point(tG, M[0], modulus, &mp);
+       err = ecc_projective_dbl_point(tG, M[0], a, modulus, mp);
    if (err == MP_OKAY)
-       err = ecc_projective_dbl_point(M[0], M[0], modulus, &mp);
+       err = ecc_projective_dbl_point(M[0], M[0], a, modulus, mp);
    if (err == MP_OKAY)
-       err = ecc_projective_dbl_point(M[0], M[0], modulus, &mp);
+       err = ecc_projective_dbl_point(M[0], M[0], a, modulus, mp);
 
    /* now find (8+k)G for k=1..7 */
    if (err == MP_OKAY)
        for (j = 9; j < 16; j++) {
-           err = ecc_projective_add_point(M[j-9], tG, M[j-8], modulus, &mp);
+           err = ecc_projective_add_point(M[j-9], tG, M[j-M_POINTS], a, modulus,
+                                                                            mp);
            if (err != MP_OKAY) break;
        }
 
@@ -1104,7 +2717,7 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
                    break;
                }
                buf    = get_digit(k, digidx);
-               bitcnt = (int) DIGIT_BIT; 
+               bitcnt = (int) DIGIT_BIT;
                --digidx;
            }
 
@@ -1118,7 +2731,7 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
 
            /* if the bit is zero and mode == 1 then we double */
            if (mode == 1 && i == 0) {
-               err = ecc_projective_dbl_point(R, R, modulus, &mp);
+               err = ecc_projective_dbl_point(R, R, a, modulus, mp);
                if (err != MP_OKAY) break;
                continue;
            }
@@ -1131,26 +2744,27 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
                /* if this is the first window we do a simple copy */
                if (first == 1) {
                    /* R = kG [k = first window] */
-                   err = mp_copy(M[bitbuf-8]->x, R->x);
+                   err = mp_copy(M[bitbuf-M_POINTS]->x, R->x);
                    if (err != MP_OKAY) break;
 
-                   err = mp_copy(M[bitbuf-8]->y, R->y);
+                   err = mp_copy(M[bitbuf-M_POINTS]->y, R->y);
                    if (err != MP_OKAY) break;
 
-                   err = mp_copy(M[bitbuf-8]->z, R->z);
+                   err = mp_copy(M[bitbuf-M_POINTS]->z, R->z);
                    first = 0;
                } else {
                    /* normal window */
                    /* ok window is filled so double as required and add  */
                    /* double first */
                    for (j = 0; j < WINSIZE; j++) {
-                       err = ecc_projective_dbl_point(R, R, modulus, &mp);
+                       err = ecc_projective_dbl_point(R, R, a, modulus, mp);
                        if (err != MP_OKAY) break;
                    }
                    if (err != MP_OKAY) break;  /* out of first for(;;) */
 
-                   /* then add, bitbuf will be 8..15 [8..2^WINSIZE] guaranted */
-                   err = ecc_projective_add_point(R,M[bitbuf-8],R,modulus,&mp);
+                   /* then add, bitbuf will be 8..15 [8..2^WINSIZE] guaranteed */
+                   err = ecc_projective_add_point(R, M[bitbuf-M_POINTS], R, a,
+                                                                   modulus, mp);
                }
                if (err != MP_OKAY) break;
                /* empty window and reset */
@@ -1167,7 +2781,7 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
            for (j = 0; j < bitcpy; j++) {
                /* only double if we have had at least one add first */
                if (first == 0) {
-                   err = ecc_projective_dbl_point(R, R, modulus, &mp);
+                   err = ecc_projective_dbl_point(R, R, a, modulus, mp);
                    if (err != MP_OKAY) break;
                }
 
@@ -1186,7 +2800,7 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
                        first = 0;
                    } else {
                        /* then add */
-                       err = ecc_projective_add_point(R, tG, R, modulus, &mp);
+                       err = ecc_projective_add_point(R, tG, R, a, modulus, mp);
                        if (err != MP_OKAY) break;
                    }
                }
@@ -1194,89 +2808,10 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
        }
    }
 
-   /* map R back from projective space */
-   if (err == MP_OKAY && map)
-       err = ecc_map(R, modulus, &mp);
-
-   mp_clear(&mu);
-   ecc_del_point(tG);
-   for (i = 0; i < 8; i++) {
-       ecc_del_point(M[i]);
-   }
-   return err;
-}
-
-#undef WINSIZE
+   #undef WINSIZE
 
 #else /* ECC_TIMING_RESISTANT */
 
-/**
-   Perform a point multiplication  (timing resistant)
-   k    The scalar to multiply by
-   G    The base point
-   R    [out] Destination for kG
-   modulus  The modulus of the field the ECC curve is in
-   map      Boolean whether to map back to affine or not
-            (1==map, 0 == leave in projective)
-   return MP_OKAY on success
-*/
-#ifdef FP_ECC
-static int normal_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R,
-                             mp_int* modulus, int map)
-#else
-static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
-                      int map)
-#endif
-{
-   ecc_point    *tG, *M[3];
-   int           i, j, err;
-   mp_int        mu;
-   mp_digit      mp;
-   mp_digit      buf;
-   int           bitcnt = 0, mode = 0, digidx = 0;
-
-   if (k == NULL || G == NULL || R == NULL || modulus == NULL)
-       return ECC_BAD_ARG_E;
-
-   /* init montgomery reduction */
-   if ((err = mp_montgomery_setup(modulus, &mp)) != MP_OKAY) {
-      return err;
-   }
-   if ((err = mp_init(&mu)) != MP_OKAY) {
-      return err;
-   }
-   if ((err = mp_montgomery_calc_normalization(&mu, modulus)) != MP_OKAY) {
-      mp_clear(&mu);
-      return err;
-   }
-
-  /* alloc ram for window temps */
-  for (i = 0; i < 3; i++) {
-      M[i] = ecc_new_point();
-      if (M[i] == NULL) {
-         for (j = 0; j < i; j++) {
-             ecc_del_point(M[j]);
-         }
-         mp_clear(&mu);
-         return MEMORY_E;
-      }
-  }
-
-   /* make a copy of G incase R==G */
-   tG = ecc_new_point();
-   if (tG == NULL)
-       err = MEMORY_E;
-
-   /* tG = G  and convert to montgomery */
-   if (err == MP_OKAY) {
-       err = mp_mulmod(G->x, &mu, modulus, tG->x);
-       if (err == MP_OKAY)
-           err = mp_mulmod(G->y, &mu, modulus, tG->y);
-       if (err == MP_OKAY)
-           err = mp_mulmod(G->z, &mu, modulus, tG->z);
-   }
-   mp_clear(&mu);
-
    /* calc the M tab */
    /* M[0] == G */
    if (err == MP_OKAY)
@@ -1288,13 +2823,24 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
 
    /* M[1] == 2G */
    if (err == MP_OKAY)
-       err = ecc_projective_dbl_point(tG, M[1], modulus, &mp);
+       err = ecc_projective_dbl_point(tG, M[1], a, modulus, mp);
+#ifdef WC_NO_CACHE_RESISTANT
+   if (err == MP_OKAY)
+       err = wc_ecc_copy_point(M[0], M[2]);
+#else
+   if (err == MP_OKAY)
+       err = wc_ecc_copy_point(M[0], M[3]);
+   if (err == MP_OKAY)
+       err = wc_ecc_copy_point(M[1], M[4]);
+#endif
 
    /* setup sliding window */
    mode   = 0;
    bitcnt = 1;
    buf    = 0;
-   digidx = get_digit_count(k) - 1;
+   digidx = get_digit_count(modulus) - 1;
+   /* The order MAY be 1 bit longer than the modulus. */
+   digidx += (modulus->dp[digidx] >> (DIGIT_BIT-1));
 
    /* perform ops */
    if (err == MP_OKAY) {
@@ -1305,43 +2851,92 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
                    break;
                }
                buf = get_digit(k, digidx);
-               bitcnt = (int) DIGIT_BIT;
+               bitcnt = (int)DIGIT_BIT;
                --digidx;
            }
 
-           /* grab the next msb from the ltiplicand */
+           /* grab the next msb from the multiplicand */
            i = (buf >> (DIGIT_BIT - 1)) & 1;
            buf <<= 1;
 
-           if (mode == 0 && i == 0) {
-               /* dummy operations */
-               if (err == MP_OKAY)
-                   err = ecc_projective_add_point(M[0], M[1], M[2], modulus,
-                                                  &mp);
+#ifdef WC_NO_CACHE_RESISTANT
+           if (mode == 0) {
+               /* timing resistant - dummy operations */
                if (err == MP_OKAY)
-                   err = ecc_projective_dbl_point(M[1], M[2], modulus, &mp);
+                   err = ecc_projective_add_point(M[1], M[2], M[2], a, modulus,
+                                                  mp);
                if (err == MP_OKAY)
-                   continue;
+                   err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
            }
-
-           if (mode == 0 && i == 1) {
-               mode = 1;
-               /* dummy operations */
-               if (err == MP_OKAY)
-                   err = ecc_projective_add_point(M[0], M[1], M[2], modulus,
-                                                  &mp);
+           else {
                if (err == MP_OKAY)
-                   err = ecc_projective_dbl_point(M[1], M[2], modulus, &mp);
+                   err = ecc_projective_add_point(M[0], M[1], M[i^1], a,
+                                                  modulus, mp);
                if (err == MP_OKAY)
-                   continue;
+                   err = ecc_projective_dbl_point(M[i], M[i], a, modulus, mp);
            }
+#else
+           if (err == MP_OKAY)
+               err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus, mp);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->x, i, M[0]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->y, i, M[0]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->z, i, M[0]->z);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->x, i ^ 1, M[1]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->y, i ^ 1, M[1]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->z, i ^ 1, M[1]->z);
+
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[0]->x, i ^ 1, M[2]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[0]->y, i ^ 1, M[2]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[0]->z, i ^ 1, M[2]->z);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[1]->x, i, M[2]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[1]->y, i, M[2]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[1]->z, i, M[2]->z);
+
+           if (err == MP_OKAY)
+               err = ecc_projective_dbl_point(M[2], M[2], a, modulus, mp);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->x, i ^ 1, M[0]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->y, i ^ 1, M[0]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->z, i ^ 1, M[0]->z);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->x, i, M[1]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->y, i, M[1]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[2]->z, i, M[1]->z);
 
            if (err == MP_OKAY)
-               err = ecc_projective_add_point(M[0], M[1], M[i^1], modulus, &mp);
+               err = mp_cond_copy(M[3]->x, (mode ^ 1) & i, M[0]->x);
            if (err == MP_OKAY)
-               err = ecc_projective_dbl_point(M[i], M[i], modulus, &mp);
+               err = mp_cond_copy(M[3]->y, (mode ^ 1) & i, M[0]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[3]->z, (mode ^ 1) & i, M[0]->z);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[4]->x, (mode ^ 1) & i, M[1]->x);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[4]->y, (mode ^ 1) & i, M[1]->y);
+           if (err == MP_OKAY)
+               err = mp_cond_copy(M[4]->z, (mode ^ 1) & i, M[1]->z);
+#endif /* WC_NO_CACHE_RESISTANT */
+
            if (err != MP_OKAY)
                break;
+
+           mode |= i;
        } /* end for */
    }
 
@@ -1353,56 +2948,96 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
    if (err == MP_OKAY)
        err = mp_copy(M[0]->z, R->z);
 
+#endif /* ECC_TIMING_RESISTANT */
+
    /* map R back from projective space */
    if (err == MP_OKAY && map)
-      err = ecc_map(R, modulus, &mp);
+       err = ecc_map(R, modulus, mp);
+
+exit:
 
    /* done */
-   mp_clear(&mu);
-   ecc_del_point(tG);
-   for (i = 0; i < 3; i++) {
-       ecc_del_point(M[i]);
+   wc_ecc_del_point_h(tG, heap);
+   for (i = 0; i < M_POINTS; i++) {
+       wc_ecc_del_point_h(M[i], heap);
    }
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+   R->key = NULL;
+#ifdef ALT_ECC_SIZE
+   XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+   XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+   XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+   XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+   XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+#endif
+
    return err;
-}
+#else
+   if (k == NULL || G == NULL || R == NULL || modulus == NULL) {
+       return ECC_BAD_ARG_E;
+   }
 
-#endif /* ECC_TIMING_RESISTANT */
+   (void)a;
 
+#ifndef WOLFSSL_SP_NO_256
+   if (mp_count_bits(modulus) == 256) {
+       return sp_ecc_mulmod_256(k, G, R, map, heap);
+   }
+#endif
+#ifdef WOLFSSL_SP_384
+   if (mp_count_bits(modulus) == 384) {
+       return sp_ecc_mulmod_384(k, G, R, map, heap);
+   }
+#endif
+   return ECC_BAD_ARG_E;
+#endif
+}
 
-#ifdef ALT_ECC_SIZE
+#endif /* !FP_ECC || !WOLFSSL_SP_MATH */
+
+#endif /* !FREESCALE_LTC_ECC && !WOLFSSL_STM32_PKA */
 
-static void alt_fp_init(fp_int* a)
+/** ECC Fixed Point mulmod global
+    k        The multiplicand
+    G        Base point to multiply
+    R        [out] Destination of product
+    a        ECC curve parameter a
+    modulus  The modulus for the curve
+    map      [boolean] If non-zero maps the point back to affine coordinates,
+             otherwise it's left in jacobian-montgomery form
+    return MP_OKAY if successful
+*/
+int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
+                  mp_int* modulus, int map)
 {
-    a->size = FP_SIZE_ECC;
-    fp_zero(a);
+    return wc_ecc_mulmod_ex(k, G, R, a, modulus, map, NULL);
 }
 
-#endif /* ALT_ECC_SIZE */
-
+#endif /* !WOLFSSL_ATECC508A */
 
 /**
-   Allocate a new ECC point
-   return A newly allocated point or NULL on error 
-*/
-ecc_point* ecc_new_point(void)
+ * use a heap hint when creating new ecc_point
+ * return an allocated point on success or NULL on failure
+ */
+ecc_point* wc_ecc_new_point_h(void* heap)
 {
    ecc_point* p;
 
-   p = (ecc_point*)XMALLOC(sizeof(ecc_point), 0, DYNAMIC_TYPE_ECC);
+   (void)heap;
+
+   p = (ecc_point*)XMALLOC(sizeof(ecc_point), heap, DYNAMIC_TYPE_ECC);
    if (p == NULL) {
       return NULL;
    }
    XMEMSET(p, 0, sizeof(ecc_point));
 
-#ifndef USE_FAST_MATH
-   p->x->dp = NULL;
-   p->y->dp = NULL;
-   p->z->dp = NULL;
-#endif
-
 #ifndef ALT_ECC_SIZE
    if (mp_init_multi(p->x, p->y, p->z, NULL, NULL, NULL) != MP_OKAY) {
-      XFREE(p, 0, DYNAMIC_TYPE_ECC);
+      XFREE(p, heap, DYNAMIC_TYPE_ECC);
       return NULL;
    }
 #else
@@ -1417,26 +3052,97 @@ ecc_point* ecc_new_point(void)
    return p;
 }
 
-/** Free an ECC point from memory
-  p   The point to free
+
+/**
+   Allocate a new ECC point
+   return A newly allocated point or NULL on error
 */
-void ecc_del_point(ecc_point* p)
+ecc_point* wc_ecc_new_point(void)
+{
+  return wc_ecc_new_point_h(NULL);
+}
+
+
+void wc_ecc_del_point_h(ecc_point* p, void* heap)
 {
    /* prevents free'ing null arguments */
    if (p != NULL) {
       mp_clear(p->x);
       mp_clear(p->y);
       mp_clear(p->z);
-      XFREE(p, 0, DYNAMIC_TYPE_ECC);
+      XFREE(p, heap, DYNAMIC_TYPE_ECC);
    }
+   (void)heap;
+}
+
+
+/** Free an ECC point from memory
+  p   The point to free
+*/
+void wc_ecc_del_point(ecc_point* p)
+{
+    wc_ecc_del_point_h(p, NULL);
+}
+
+
+/** Copy the value of a point to an other one
+  p    The point to copy
+  r    The created point
+*/
+int wc_ecc_copy_point(ecc_point* p, ecc_point *r)
+{
+    int ret;
+
+    /* prevents null arguments */
+    if (p == NULL || r == NULL)
+        return ECC_BAD_ARG_E;
+
+    ret = mp_copy(p->x, r->x);
+    if (ret != MP_OKAY)
+        return ret;
+    ret = mp_copy(p->y, r->y);
+    if (ret != MP_OKAY)
+        return ret;
+    ret = mp_copy(p->z, r->z);
+    if (ret != MP_OKAY)
+        return ret;
+
+    return MP_OKAY;
+}
+
+/** Compare the value of a point with an other one
+ a    The point to compare
+ b    The other point to compare
+
+ return MP_EQ if equal, MP_LT/MP_GT if not, < 0 in case of error
+ */
+int wc_ecc_cmp_point(ecc_point* a, ecc_point *b)
+{
+    int ret;
+
+    /* prevents null arguments */
+    if (a == NULL || b == NULL)
+        return BAD_FUNC_ARG;
+
+    ret = mp_cmp(a->x, b->x);
+    if (ret != MP_EQ)
+        return ret;
+    ret = mp_cmp(a->y, b->y);
+    if (ret != MP_EQ)
+        return ret;
+    ret = mp_cmp(a->z, b->z);
+    if (ret != MP_EQ)
+        return ret;
+
+    return MP_EQ;
 }
 
 
 /** Returns whether an ECC idx is valid or not
   n      The idx number to check
   return 1 if valid, 0 if not
-*/  
-static int ecc_is_valid_idx(int n)
+*/
+int wc_ecc_is_valid_idx(int n)
 {
    int x;
 
@@ -1444,84 +3150,741 @@ static int ecc_is_valid_idx(int n)
        ;
    /* -1 is a valid index --- indicating that the domain params
       were supplied by the user */
-   if ((n >= -1) && (n < x)) {
+   if ((n >= ECC_CUSTOM_IDX) && (n < x)) {
       return 1;
    }
+
+   return 0;
+}
+
+int wc_ecc_get_curve_idx(int curve_id)
+{
+    int curve_idx;
+    for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) {
+        if (curve_id == ecc_sets[curve_idx].id)
+            break;
+    }
+    if (ecc_sets[curve_idx].size == 0) {
+        return ECC_CURVE_INVALID;
+    }
+    return curve_idx;
+}
+
+int wc_ecc_get_curve_id(int curve_idx)
+{
+    if (wc_ecc_is_valid_idx(curve_idx)) {
+        return ecc_sets[curve_idx].id;
+    }
+    return ECC_CURVE_INVALID;
+}
+
+/* Returns the curve size that corresponds to a given ecc_curve_id identifier
+ *
+ * id      curve id, from ecc_curve_id enum in ecc.h
+ * return  curve size, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_size_from_id(int curve_id)
+{
+    int curve_idx = wc_ecc_get_curve_idx(curve_id);
+    if (curve_idx == ECC_CURVE_INVALID)
+        return ECC_BAD_ARG_E;
+    return ecc_sets[curve_idx].size;
+}
+
+/* Returns the curve index that corresponds to a given curve name in
+ * ecc_sets[] of ecc.c
+ *
+ * name    curve name, from ecc_sets[].name in ecc.c
+ * return  curve index in ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_idx_from_name(const char* curveName)
+{
+    int curve_idx;
+    word32 len;
+
+    if (curveName == NULL)
+        return BAD_FUNC_ARG;
+
+    len = (word32)XSTRLEN(curveName);
+
+    for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) {
+        if (
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            ecc_sets[curve_idx].name &&
+        #endif
+                XSTRNCASECMP(ecc_sets[curve_idx].name, curveName, len) == 0) {
+            break;
+        }
+    }
+    if (ecc_sets[curve_idx].size == 0) {
+        WOLFSSL_MSG("ecc_set curve name not found");
+        return ECC_CURVE_INVALID;
+    }
+    return curve_idx;
+}
+
+/* Returns the curve size that corresponds to a given curve name,
+ * as listed in ecc_sets[] of ecc.c.
+ *
+ * name    curve name, from ecc_sets[].name in ecc.c
+ * return  curve size, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_size_from_name(const char* curveName)
+{
+    int curve_idx;
+
+    if (curveName == NULL)
+        return BAD_FUNC_ARG;
+
+    curve_idx = wc_ecc_get_curve_idx_from_name(curveName);
+    if (curve_idx < 0)
+        return curve_idx;
+
+    return ecc_sets[curve_idx].size;
+}
+
+/* Returns the curve id that corresponds to a given curve name,
+ * as listed in ecc_sets[] of ecc.c.
+ *
+ * name   curve name, from ecc_sets[].name in ecc.c
+ * return curve id, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_id_from_name(const char* curveName)
+{
+    int curve_idx;
+
+    if (curveName == NULL)
+        return BAD_FUNC_ARG;
+
+    curve_idx = wc_ecc_get_curve_idx_from_name(curveName);
+    if (curve_idx < 0)
+        return curve_idx;
+
+    return ecc_sets[curve_idx].id;
+}
+
+/* Compares a curve parameter (hex, from ecc_sets[]) to given input
+ * parameter for equality.
+ * encType is WC_TYPE_UNSIGNED_BIN or WC_TYPE_HEX_STR
+ * Returns MP_EQ on success, negative on error */
+static int wc_ecc_cmp_param(const char* curveParam,
+                            const byte* param, word32 paramSz, int encType)
+{
+    int err = MP_OKAY;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* a = NULL;
+    mp_int* b = NULL;
+#else
+    mp_int  a[1], b[1];
+#endif
+
+    if (param == NULL || curveParam == NULL)
+        return BAD_FUNC_ARG;
+
+    if (encType == WC_TYPE_HEX_STR)
+        return XSTRNCMP(curveParam, (char*) param, paramSz);
+
+#ifdef WOLFSSL_SMALL_STACK
+    a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (a == NULL)
+        return MEMORY_E;
+    b = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (b == NULL) {
+        XFREE(a, NULL, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+#endif
+
+    if ((err = mp_init_multi(a, b, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(a, NULL, DYNAMIC_TYPE_ECC);
+        XFREE(b, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+        return err;
+    }
+
+    if (err == MP_OKAY) {
+        err = mp_read_unsigned_bin(a, param, paramSz);
+    }
+    if (err == MP_OKAY)
+        err = mp_read_radix(b, curveParam, MP_RADIX_HEX);
+
+    if (err == MP_OKAY) {
+        if (mp_cmp(a, b) != MP_EQ) {
+            err = -1;
+        } else {
+            err = MP_EQ;
+        }
+    }
+
+    mp_clear(a);
+    mp_clear(b);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(b, NULL, DYNAMIC_TYPE_ECC);
+    XFREE(a, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Returns the curve id in ecc_sets[] that corresponds to a given set of
+ * curve parameters.
+ *
+ * fieldSize  the field size in bits
+ * prime      prime of the finite field
+ * primeSz    size of prime in octets
+ * Af         first coefficient a of the curve
+ * AfSz       size of Af in octets
+ * Bf         second coefficient b of the curve
+ * BfSz       size of Bf in octets
+ * order      curve order
+ * orderSz    size of curve in octets
+ * Gx         affine x coordinate of base point
+ * GxSz       size of Gx in octets
+ * Gy         affine y coordinate of base point
+ * GySz       size of Gy in octets
+ * cofactor   curve cofactor
+ *
+ * return curve id, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_id_from_params(int fieldSize,
+        const byte* prime, word32 primeSz, const byte* Af, word32 AfSz,
+        const byte* Bf, word32 BfSz, const byte* order, word32 orderSz,
+        const byte* Gx, word32 GxSz, const byte* Gy, word32 GySz, int cofactor)
+{
+    int idx;
+    int curveSz;
+
+    if (prime == NULL || Af == NULL || Bf == NULL || order == NULL ||
+        Gx == NULL || Gy == NULL)
+        return BAD_FUNC_ARG;
+
+    curveSz = (fieldSize + 1) / 8;    /* round up */
+
+    for (idx = 0; ecc_sets[idx].size != 0; idx++) {
+        if (curveSz == ecc_sets[idx].size) {
+            if ((wc_ecc_cmp_param(ecc_sets[idx].prime, prime,
+                            primeSz, WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Af, Af, AfSz,
+                                  WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Bf, Bf, BfSz,
+                                  WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].order, order,
+                                  orderSz, WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Gx, Gx, GxSz,
+                                  WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Gy, Gy, GySz,
+                                  WC_TYPE_UNSIGNED_BIN) == MP_EQ) &&
+                (cofactor == ecc_sets[idx].cofactor)) {
+                    break;
+            }
+        }
+    }
+
+    if (ecc_sets[idx].size == 0)
+        return ECC_CURVE_INVALID;
+
+    return ecc_sets[idx].id;
+}
+
+/* Returns the curve id in ecc_sets[] that corresponds
+ * to a given domain parameters pointer.
+ *
+ * dp   domain parameters pointer
+ *
+ * return curve id, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_id_from_dp_params(const ecc_set_type* dp)
+{
+    int idx;
+
+    if (dp == NULL
+    #ifndef WOLFSSL_ECC_CURVE_STATIC
+         || dp->prime == NULL ||  dp->Af == NULL ||
+        dp->Bf == NULL || dp->order == NULL || dp->Gx == NULL || dp->Gy == NULL
+    #endif
+    ) {
+        return BAD_FUNC_ARG;
+    }
+
+    for (idx = 0; ecc_sets[idx].size != 0; idx++) {
+        if (dp->size == ecc_sets[idx].size) {
+            if ((wc_ecc_cmp_param(ecc_sets[idx].prime, (const byte*)dp->prime,
+                    (word32)XSTRLEN(dp->prime), WC_TYPE_HEX_STR) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Af, (const byte*)dp->Af,
+                    (word32)XSTRLEN(dp->Af),WC_TYPE_HEX_STR) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Bf, (const byte*)dp->Bf,
+                    (word32)XSTRLEN(dp->Bf),WC_TYPE_HEX_STR) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].order, (const byte*)dp->order,
+                    (word32)XSTRLEN(dp->order),WC_TYPE_HEX_STR) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Gx, (const byte*)dp->Gx,
+                    (word32)XSTRLEN(dp->Gx),WC_TYPE_HEX_STR) == MP_EQ) &&
+                (wc_ecc_cmp_param(ecc_sets[idx].Gy, (const byte*)dp->Gy,
+                    (word32)XSTRLEN(dp->Gy),WC_TYPE_HEX_STR) == MP_EQ) &&
+                (dp->cofactor == ecc_sets[idx].cofactor)) {
+                    break;
+            }
+        }
+    }
+
+    if (ecc_sets[idx].size == 0)
+        return ECC_CURVE_INVALID;
+
+    return ecc_sets[idx].id;
+}
+
+/* Returns the curve id that corresponds to a given OID,
+ * as listed in ecc_sets[] of ecc.c.
+ *
+ * oid   OID, from ecc_sets[].name in ecc.c
+ * len   OID len, from ecc_sets[].name in ecc.c
+ * return curve id, from ecc_sets[] on success, negative on error
+ */
+int wc_ecc_get_curve_id_from_oid(const byte* oid, word32 len)
+{
+    int curve_idx;
+
+    if (oid == NULL)
+        return BAD_FUNC_ARG;
+
+    for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) {
+        if (
+        #ifndef WOLFSSL_ECC_CURVE_STATIC
+            ecc_sets[curve_idx].oid &&
+        #endif
+            ecc_sets[curve_idx].oidSz == len &&
+                              XMEMCMP(ecc_sets[curve_idx].oid, oid, len) == 0) {
+            break;
+        }
+    }
+    if (ecc_sets[curve_idx].size == 0) {
+        WOLFSSL_MSG("ecc_set curve name not found");
+        return ECC_CURVE_INVALID;
+    }
+
+    return ecc_sets[curve_idx].id;
+}
+
+/* Get curve parameters using curve index */
+const ecc_set_type* wc_ecc_get_curve_params(int curve_idx)
+{
+    const ecc_set_type* ecc_set = NULL;
+
+    if (curve_idx >= 0 && curve_idx < (int)ECC_SET_COUNT) {
+        ecc_set = &ecc_sets[curve_idx];
+    }
+    return ecc_set;
+}
+
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+static WC_INLINE int wc_ecc_alloc_mpint(ecc_key* key, mp_int** mp)
+{
+   if (key == NULL || mp == NULL)
+      return BAD_FUNC_ARG;
+   if (*mp == NULL) {
+      *mp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_BIGINT);
+      if (*mp == NULL) {
+         return MEMORY_E;
+      }
+      XMEMSET(*mp, 0, sizeof(mp_int));
+   }
    return 0;
 }
+static WC_INLINE void wc_ecc_free_mpint(ecc_key* key, mp_int** mp)
+{
+   if (key && mp && *mp) {
+      mp_clear(*mp);
+      XFREE(*mp, key->heap, DYNAMIC_TYPE_BIGINT);
+      *mp = NULL;
+   }
+}
+
+static int wc_ecc_alloc_async(ecc_key* key)
+{
+    int err = wc_ecc_alloc_mpint(key, &key->r);
+    if (err == 0)
+        err = wc_ecc_alloc_mpint(key, &key->s);
+    return err;
+}
+
+static void wc_ecc_free_async(ecc_key* key)
+{
+    wc_ecc_free_mpint(key, &key->r);
+    wc_ecc_free_mpint(key, &key->s);
+#ifdef HAVE_CAVIUM_V
+    wc_ecc_free_mpint(key, &key->e);
+    wc_ecc_free_mpint(key, &key->signK);
+#endif /* HAVE_CAVIUM_V */
+}
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
 
 
+#ifdef HAVE_ECC_DHE
 /**
   Create an ECC shared secret between two keys
-  private_key      The private ECC key
+  private_key      The private ECC key (heap hint based off of private key)
   public_key       The public key
   out              [out] Destination of the shared secret
-                   Conforms to EC-DH from ANSI X9.63
+                         Conforms to EC-DH from ANSI X9.63
   outlen           [in/out] The max size and resulting size of the shared secret
   return           MP_OKAY if successful
 */
 int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
                       word32* outlen)
 {
-   word32         x = 0;
-   ecc_point*     result;
-   mp_int         prime;
-   int            err;
-
+   int err;
+#if defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A)
+   CRYS_ECDH_TempData_t tempBuff;
+#endif
    if (private_key == NULL || public_key == NULL || out == NULL ||
-                                                    outlen == NULL)
+                                                            outlen == NULL) {
        return BAD_FUNC_ARG;
+   }
+
+#ifdef WOLF_CRYPTO_CB
+    if (private_key->devId != INVALID_DEVID) {
+        err = wc_CryptoCb_Ecdh(private_key, public_key, out, outlen);
+        if (err != CRYPTOCB_UNAVAILABLE)
+            return err;
+        /* fall-through when unavailable */
+    }
+#endif
 
    /* type valid? */
-   if (private_key->type != ECC_PRIVATEKEY) {
+   if (private_key->type != ECC_PRIVATEKEY &&
+           private_key->type != ECC_PRIVATEKEY_ONLY) {
       return ECC_BAD_ARG_E;
    }
 
-   if (ecc_is_valid_idx(private_key->idx) == 0 ||
-       ecc_is_valid_idx(public_key->idx)  == 0)
+   /* Verify domain params supplied */
+   if (wc_ecc_is_valid_idx(private_key->idx) == 0 ||
+       wc_ecc_is_valid_idx(public_key->idx)  == 0) {
       return ECC_BAD_ARG_E;
+   }
 
-   if (XSTRNCMP(private_key->dp->name, public_key->dp->name, ECC_MAXNAME) != 0)
+   /* Verify curve id matches */
+   if (private_key->dp->id != public_key->dp->id) {
       return ECC_BAD_ARG_E;
-
-   /* make new point */
-   result = ecc_new_point();
-   if (result == NULL) {
-      return MEMORY_E;
    }
 
-   if ((err = mp_init(&prime)) != MP_OKAY) {
-      ecc_del_point(result);
-      return err;
+#ifdef WOLFSSL_ATECC508A
+   /* For SECP256R1 use hardware */
+   if (private_key->dp->id == ECC_SECP256R1) {
+       err = atmel_ecc_create_pms(private_key->slot, public_key->pubkey_raw, out);
+       *outlen = private_key->dp->size;
+   }
+   else {
+      err = NOT_COMPILED_IN;
    }
+#elif defined(WOLFSSL_CRYPTOCELL)
 
-   err = mp_read_radix(&prime, (char *)private_key->dp->prime, 16);
+    /* generate a secret*/
+    err = CRYS_ECDH_SVDP_DH(&public_key->ctx.pubKey,
+                            &private_key->ctx.privKey,
+                            out,
+                            outlen,
+                            &tempBuff);
 
-   if (err == MP_OKAY)
-       err = ecc_mulmod(&private_key->k, &public_key->pubkey, result, &prime,1);
+    if (err != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_ECDH_SVDP_DH for secret failed");
+        return err;
+    }
 
-   if (err == MP_OKAY) {
-       x = mp_unsigned_bin_size(&prime);
-       if (*outlen < x)
-          err = BUFFER_E;
-   }
+#else
+   err = wc_ecc_shared_secret_ex(private_key, &public_key->pubkey, out, outlen);
+#endif /* WOLFSSL_ATECC508A */
 
-   if (err == MP_OKAY) {
-       XMEMSET(out, 0, x);
-       err = mp_to_unsigned_bin(result->x,out + (x -
-                                              mp_unsigned_bin_size(result->x)));
-       *outlen = x;
-   }
+   return err;
+}
 
-   mp_clear(&prime);
-   ecc_del_point(result);
 
-   return err;
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
+
+static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point,
+                               byte* out, word32* outlen, ecc_curve_spec* curve)
+{
+    int err;
+#ifndef WOLFSSL_SP_MATH
+    ecc_point* result = NULL;
+    word32 x = 0;
+#endif
+    mp_int* k = &private_key->k;
+#ifdef HAVE_ECC_CDH
+    mp_int k_lcl;
+
+    /* if cofactor flag has been set */
+    if (private_key->flags & WC_ECC_FLAG_COFACTOR) {
+        mp_digit cofactor = (mp_digit)private_key->dp->cofactor;
+        /* only perform cofactor calc if not equal to 1 */
+        if (cofactor != 1) {
+            k = &k_lcl;
+            if (mp_init(k) != MP_OKAY)
+                return MEMORY_E;
+            /* multiply cofactor times private key "k" */
+            err = mp_mul_d(&private_key->k, cofactor, k);
+            if (err != MP_OKAY) {
+                mp_clear(k);
+                return err;
+            }
+        }
+    }
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+    if (private_key->idx != ECC_CUSTOM_IDX &&
+                               ecc_sets[private_key->idx].id == ECC_SECP256R1) {
+        err = sp_ecc_secret_gen_256(k, point, out, outlen, private_key->heap);
+    }
+    else
+#endif
+#ifdef WOLFSSL_SP_384
+    if (private_key->idx != ECC_CUSTOM_IDX &&
+                               ecc_sets[private_key->idx].id == ECC_SECP384R1) {
+        err = sp_ecc_secret_gen_384(k, point, out, outlen, private_key->heap);
+    }
+    else
+#endif
+#endif
+#ifdef WOLFSSL_SP_MATH
+    {
+        err = WC_KEY_SIZE_E;
+
+        (void)curve;
+    }
+#else
+    {
+        mp_digit mp = 0;
+
+        /* make new point */
+        result = wc_ecc_new_point_h(private_key->heap);
+        if (result == NULL) {
+#ifdef HAVE_ECC_CDH
+            if (k == &k_lcl)
+                mp_clear(k);
+#endif
+            return MEMORY_E;
+        }
+
+        /* Map in a separate call as this should be constant time */
+        err = wc_ecc_mulmod_ex(k, point, result, curve->Af, curve->prime, 0,
+                                                             private_key->heap);
+        if (err == MP_OKAY) {
+            err = mp_montgomery_setup(curve->prime, &mp);
+        }
+        if (err == MP_OKAY) {
+            /* Use constant time map if compiled in */
+            err = ecc_map_ex(result, curve->prime, mp, 1);
+        }
+        if (err == MP_OKAY) {
+            x = mp_unsigned_bin_size(curve->prime);
+            if (*outlen < x || (int)x < mp_unsigned_bin_size(result->x)) {
+                err = BUFFER_E;
+            }
+        }
+
+        if (err == MP_OKAY) {
+            XMEMSET(out, 0, x);
+            err = mp_to_unsigned_bin(result->x,out +
+                                     (x - mp_unsigned_bin_size(result->x)));
+        }
+        *outlen = x;
+
+        wc_ecc_del_point_h(result, private_key->heap);
+    }
+#endif
+#ifdef HAVE_ECC_CDH
+    if (k == &k_lcl)
+        mp_clear(k);
+#endif
+
+    return err;
+}
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+static int wc_ecc_shared_secret_gen_async(ecc_key* private_key,
+            ecc_point* point, byte* out, word32 *outlen,
+            ecc_curve_spec* curve)
+{
+    int err;
+
+#if defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA)
+#ifdef HAVE_CAVIUM_V
+    /* verify the curve is supported by hardware */
+    if (NitroxEccIsCurveSupported(private_key))
+#endif
+    {
+        word32 keySz = private_key->dp->size;
+
+        /* sync public key x/y */
+        err = wc_mp_to_bigint_sz(&private_key->k, &private_key->k.raw, keySz);
+        if (err == MP_OKAY)
+            err = wc_mp_to_bigint_sz(point->x, &point->x->raw, keySz);
+        if (err == MP_OKAY)
+            err = wc_mp_to_bigint_sz(point->y, &point->y->raw, keySz);
+    #ifdef HAVE_CAVIUM_V
+        /* allocate buffer for output */
+        if (err == MP_OKAY)
+            err = wc_ecc_alloc_mpint(private_key, &private_key->e);
+        if (err == MP_OKAY)
+            err = wc_bigint_alloc(&private_key->e->raw,
+                NitroxEccGetSize(private_key)*2);
+        if (err == MP_OKAY)
+            err = NitroxEcdh(private_key,
+                &private_key->k.raw, &point->x->raw, &point->y->raw,
+                private_key->e->raw.buf, &private_key->e->raw.len,
+                &curve->prime->raw);
+    #else
+        if (err == MP_OKAY)
+            err = wc_ecc_curve_load(private_key->dp, &curve, ECC_CURVE_FIELD_BF);
+        if (err == MP_OKAY)
+            err = IntelQaEcdh(&private_key->asyncDev,
+                &private_key->k.raw, &point->x->raw, &point->y->raw,
+                out, outlen,
+                &curve->Af->raw, &curve->Bf->raw, &curve->prime->raw,
+                private_key->dp->cofactor);
+    #endif
+        return err;
+    }
+#elif defined(WOLFSSL_ASYNC_CRYPT_TEST)
+    if (wc_AsyncTestInit(&private_key->asyncDev, ASYNC_TEST_ECC_SHARED_SEC)) {
+        WC_ASYNC_TEST* testDev = &private_key->asyncDev.test;
+        testDev->eccSharedSec.private_key = private_key;
+        testDev->eccSharedSec.public_point = point;
+        testDev->eccSharedSec.out = out;
+        testDev->eccSharedSec.outLen = outlen;
+        return WC_PENDING_E;
+    }
+#endif
+
+    /* use sync in other cases */
+    err = wc_ecc_shared_secret_gen_sync(private_key, point, out, outlen, curve);
+
+    return err;
+}
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
+
+int wc_ecc_shared_secret_gen(ecc_key* private_key, ecc_point* point,
+                                                    byte* out, word32 *outlen)
+{
+    int err;
+    DECLARE_CURVE_SPECS(curve, 2);
+
+    if (private_key == NULL || point == NULL || out == NULL ||
+                                                            outlen == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* load curve info */
+    ALLOC_CURVE_SPECS(2);
+    err = wc_ecc_curve_load(private_key->dp, &curve,
+        (ECC_CURVE_FIELD_PRIME | ECC_CURVE_FIELD_AF));
+    if (err != MP_OKAY) {
+        FREE_CURVE_SPECS();
+        return err;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    if (private_key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+        err = wc_ecc_shared_secret_gen_async(private_key, point,
+            out, outlen, curve);
+    }
+    else
+#endif
+    {
+        err = wc_ecc_shared_secret_gen_sync(private_key, point,
+            out, outlen, curve);
+    }
+
+    wc_ecc_curve_free(curve);
+    FREE_CURVE_SPECS();
+
+    return err;
+}
+
+/**
+ Create an ECC shared secret between private key and public point
+ private_key      The private ECC key (heap hint based on private key)
+ point            The point to use (public key)
+ out              [out] Destination of the shared secret
+                        Conforms to EC-DH from ANSI X9.63
+ outlen           [in/out] The max size and resulting size of the shared secret
+ return           MP_OKAY if successful
+*/
+int wc_ecc_shared_secret_ex(ecc_key* private_key, ecc_point* point,
+                            byte* out, word32 *outlen)
+{
+    int err;
+
+    if (private_key == NULL || point == NULL || out == NULL ||
+                                                            outlen == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* type valid? */
+    if (private_key->type != ECC_PRIVATEKEY &&
+            private_key->type != ECC_PRIVATEKEY_ONLY) {
+        return ECC_BAD_ARG_E;
+    }
+
+    /* Verify domain params supplied */
+    if (wc_ecc_is_valid_idx(private_key->idx) == 0)
+        return ECC_BAD_ARG_E;
+
+    switch(private_key->state) {
+        case ECC_STATE_NONE:
+        case ECC_STATE_SHARED_SEC_GEN:
+            private_key->state = ECC_STATE_SHARED_SEC_GEN;
+
+            err = wc_ecc_shared_secret_gen(private_key, point, out, outlen);
+            if (err < 0) {
+                break;
+            }
+            FALL_THROUGH;
+
+        case ECC_STATE_SHARED_SEC_RES:
+            private_key->state = ECC_STATE_SHARED_SEC_RES;
+        #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+            if (private_key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+            #ifdef HAVE_CAVIUM_V
+                /* verify the curve is supported by hardware */
+                if (NitroxEccIsCurveSupported(private_key)) {
+                    /* copy output */
+                    *outlen = private_key->dp->size;
+                    XMEMCPY(out, private_key->e->raw.buf, *outlen);
+                }
+            #endif /* HAVE_CAVIUM_V */
+            }
+        #endif /* WOLFSSL_ASYNC_CRYPT */
+            err = 0;
+            break;
+
+        default:
+            err = BAD_STATE_E;
+    } /* switch */
+
+    /* if async pending then return and skip done cleanup below */
+    if (err == WC_PENDING_E) {
+        private_key->state++;
+        return err;
+    }
+
+    /* cleanup */
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    wc_ecc_free_async(private_key);
+#endif
+    private_key->state = ECC_STATE_NONE;
+
+    return err;
 }
+#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL */
+#endif /* HAVE_ECC_DHE */
 
 
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
 /* return 1 if point is at infinity, 0 if not, < 0 on error */
-static int ecc_point_is_at_infinity(ecc_point* p)
+int wc_ecc_point_is_at_infinity(ecc_point* p)
 {
     if (p == NULL)
         return BAD_FUNC_ARG;
@@ -1532,317 +3895,1461 @@ static int ecc_point_is_at_infinity(ecc_point* p)
     return 0;
 }
 
+/* generate random and ensure its greater than 0 and less than order */
+int wc_ecc_gen_k(WC_RNG* rng, int size, mp_int* k, mp_int* order)
+{
+#ifndef WC_NO_RNG
+    int err;
+    byte buf[ECC_MAXSIZE_GEN];
 
-int wc_ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp);
+    /*generate 8 extra bytes to mitigate bias from the modulo operation below*/
+    /*see section A.1.2 in 'Suite B Implementor's Guide to FIPS 186-3 (ECDSA)'*/
+    size += 8;
 
-/**
-  Make a new ECC key 
-  rng          An active RNG state
-  keysize      The keysize for the new key (in octets from 20 to 65 bytes)
-  key          [out] Destination of the newly created key
-  return       MP_OKAY if successful,
-                       upon error all allocated memory will be freed
-*/
-int wc_ecc_make_key(RNG* rng, int keysize, ecc_key* key)
-{
-   int x, err;
+    /* make up random string */
+    err = wc_RNG_GenerateBlock(rng, buf, size);
 
-   if (key == NULL || rng == NULL)
-       return ECC_BAD_ARG_E;
+    /* load random buffer data into k */
+    if (err == 0)
+        err = mp_read_unsigned_bin(k, (byte*)buf, size);
 
-   /* find key size */
-   for (x = 0; (keysize > ecc_sets[x].size) && (ecc_sets[x].size != 0); x++)
-       ;
-   keysize = ecc_sets[x].size;
+    /* the key should be smaller than the order of base point */
+    if (err == MP_OKAY) {
+        if (mp_cmp(k, order) != MP_LT) {
+            err = mp_mod(k, order, k);
+        }
+    }
 
-   if (keysize > ECC_MAXSIZE || ecc_sets[x].size == 0) {
-      return BAD_FUNC_ARG;
-   }
-   err = wc_ecc_make_key_ex(rng, key, &ecc_sets[x]);
-   key->idx = x;
+    /* quick sanity check to make sure we're not dealing with a 0 key */
+    if (err == MP_OKAY) {
+        if (mp_iszero(k) == MP_YES)
+          err = MP_ZERO_E;
+    }
 
-   return err;
+    ForceZero(buf, ECC_MAXSIZE);
+
+    return err;
+#else
+    (void)rng;
+    (void)size;
+    (void)k;
+    (void)order;
+    return NOT_COMPILED_IN;
+#endif /* !WC_NO_RNG */
 }
+#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL */
 
-int wc_ecc_make_key_ex(RNG* rng, ecc_key* key, const ecc_set_type* dp)
+static WC_INLINE void wc_ecc_reset(ecc_key* key)
 {
-   int            err;
-   ecc_point*     base;
-   mp_int         prime;
-   mp_int         order;
-#ifdef WOLFSSL_SMALL_STACK
-   byte*          buf;
-#else
-   byte           buf[ECC_MAXSIZE];
-#endif
-   int            keysize;
-   int            po_init = 0;  /* prime order Init flag for clear */
+    /* make sure required key variables are reset */
+    key->state = ECC_STATE_NONE;
+}
 
-   if (key == NULL || rng == NULL || dp == NULL)
-       return ECC_BAD_ARG_E;
 
-#ifdef WOLFSSL_SMALL_STACK
-   buf = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-   if (buf == NULL)
-       return MEMORY_E;
+/* create the public ECC key from a private key
+ *
+ * key     an initialized private key to generate public part from
+ * curveIn [in]curve for key, can be NULL
+ * pubOut  [out]ecc_point holding the public key, if NULL then public key part
+ *         is cached in key instead.
+ *
+ * Note this function is local to the file because of the argument type
+ *      ecc_curve_spec. Having this argument allows for not having to load the
+ *      curve type multiple times when generating a key with wc_ecc_make_key().
+ *
+ * returns MP_OKAY on success
+ */
+static int wc_ecc_make_pub_ex(ecc_key* key, ecc_curve_spec* curveIn,
+        ecc_point* pubOut)
+{
+    int err = MP_OKAY;
+#ifndef WOLFSSL_ATECC508A
+#ifndef WOLFSSL_SP_MATH
+    ecc_point* base = NULL;
 #endif
+    ecc_point* pub;
+    DECLARE_CURVE_SPECS(curve, ECC_CURVE_FIELD_COUNT);
+#endif /* !WOLFSSL_ATECC508A */
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifndef WOLFSSL_ATECC508A
+
+    /* if ecc_point passed in then use it as output for public key point */
+    if (pubOut != NULL) {
+        pub = pubOut;
+    }
+    else {
+        /* caching public key making it a ECC_PRIVATEKEY instead of
+           ECC_PRIVATEKEY_ONLY */
+        pub = &key->pubkey;
+        key->type = ECC_PRIVATEKEY_ONLY;
+    }
 
-   key->idx = -1;
-   key->dp  = dp;
-   keysize  = dp->size;
+    /* avoid loading the curve unless it is not passed in */
+    if (curveIn != NULL) {
+        curve = curveIn;
+    }
+    else {
+        /* load curve info */
+        if (err == MP_OKAY) {
+            ALLOC_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
+            err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
+        }
+    }
 
-   /* allocate ram */
-   base = NULL;
+    if (err == MP_OKAY) {
+    #ifndef ALT_ECC_SIZE
+        err = mp_init_multi(pub->x, pub->y, pub->z, NULL, NULL, NULL);
+    #else
+        pub->x = (mp_int*)&pub->xyz[0];
+        pub->y = (mp_int*)&pub->xyz[1];
+        pub->z = (mp_int*)&pub->xyz[2];
+        alt_fp_init(pub->x);
+        alt_fp_init(pub->y);
+        alt_fp_init(pub->z);
+    #endif
+    }
 
-   /* make up random string */
-   err = wc_RNG_GenerateBlock(rng, buf, keysize);
-   if (err == 0)
-       buf[0] |= 0x0c;
 
-   /* setup the key variables */
-   if (err == 0) {
-#ifndef ALT_ECC_SIZE
-       err = mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
-                            &key->k, &prime, &order);
-#else
-       key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
-       key->pubkey.y = (mp_int*)&key->pubkey.xyz[1];
-       key->pubkey.z = (mp_int*)&key->pubkey.xyz[2];
-       alt_fp_init(key->pubkey.x);
-       alt_fp_init(key->pubkey.y);
-       alt_fp_init(key->pubkey.z);
-       err = mp_init_multi(&key->k, &prime, &order, NULL, NULL, NULL);
+    if (err != MP_OKAY) {
+    }
+    else
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+        err = sp_ecc_mulmod_base_256(&key->k, pub, 1, key->heap);
+    }
+    else
 #endif
-       if (err != MP_OKAY)
-           err = MEMORY_E;
-       else
-           po_init = 1;
-   }
+#ifdef WOLFSSL_SP_384
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+        err = sp_ecc_mulmod_base_384(&key->k, pub, 1, key->heap);
+    }
+    else
+#endif
+#endif
+#ifdef WOLFSSL_SP_MATH
+        err = WC_KEY_SIZE_E;
+#else
+    {
+        mp_digit mp;
 
-   if (err == MP_OKAY) {
-       base = ecc_new_point();
-       if (base == NULL)
-           err = MEMORY_E;
-   }
+        base = wc_ecc_new_point_h(key->heap);
+        if (base == NULL)
+            err = MEMORY_E;
+        /* read in the x/y for this key */
+        if (err == MP_OKAY)
+            err = mp_copy(curve->Gx, base->x);
+        if (err == MP_OKAY)
+            err = mp_copy(curve->Gy, base->y);
+        if (err == MP_OKAY)
+            err = mp_set(base->z, 1);
 
-   /* read in the specs for this key */
-   if (err == MP_OKAY) 
-       err = mp_read_radix(&prime,   (char *)key->dp->prime, 16);
-   if (err == MP_OKAY) 
-       err = mp_read_radix(&order,   (char *)key->dp->order, 16);
-   if (err == MP_OKAY) 
-       err = mp_read_radix(base->x, (char *)key->dp->Gx, 16);
-   if (err == MP_OKAY) 
-       err = mp_read_radix(base->y, (char *)key->dp->Gy, 16);
-   
-   if (err == MP_OKAY) 
-       mp_set(base->z, 1);
-   if (err == MP_OKAY) 
-       err = mp_read_unsigned_bin(&key->k, (byte*)buf, keysize);
-
-   /* the key should be smaller than the order of base point */
-   if (err == MP_OKAY) { 
-       if (mp_cmp(&key->k, &order) != MP_LT)
-           err = mp_mod(&key->k, &order, &key->k);
-   }
-   /* make the public key */
-   if (err == MP_OKAY)
-       err = ecc_mulmod(&key->k, base, &key->pubkey, &prime, 1);
+        /* make the public key */
+        if (err == MP_OKAY) {
+            /* Map in a separate call as this should be constant time */
+            err = wc_ecc_mulmod_ex(&key->k, base, pub, curve->Af, curve->prime,
+                                                                  0, key->heap);
+            if (err == MP_MEM) {
+               err = MEMORY_E;
+            }
+        }
+        if (err == MP_OKAY) {
+            err = mp_montgomery_setup(curve->prime, &mp);
+        }
+        if (err == MP_OKAY) {
+            /* Use constant time map if compiled in */
+            err = ecc_map_ex(pub, curve->prime, mp, 1);
+        }
+
+        wc_ecc_del_point_h(base, key->heap);
+    }
+#endif
 
 #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
-   /* validate the public key, order * pubkey = point at infinity */
-   if (err == MP_OKAY)
-       err = ecc_check_pubkey_order(key, &prime, &order);
+    /* validate the public key, order * pubkey = point at infinity */
+    if (err == MP_OKAY)
+        err = ecc_check_pubkey_order(key, pub, curve->Af, curve->prime,
+                curve->order);
 #endif /* WOLFSSL_VALIDATE_KEYGEN */
 
-   if (err == MP_OKAY)
-       key->type = ECC_PRIVATEKEY;
+    if (err != MP_OKAY) {
+        /* clean up if failed */
+    #ifndef ALT_ECC_SIZE
+        mp_clear(pub->x);
+        mp_clear(pub->y);
+        mp_clear(pub->z);
+    #endif
+    }
 
-   if (err != MP_OKAY) {
-       /* clean up */
-       mp_clear(key->pubkey.x);
-       mp_clear(key->pubkey.y);
-       mp_clear(key->pubkey.z);
-       mp_clear(&key->k);
+    /* free up local curve */
+    if (curveIn == NULL) {
+        wc_ecc_curve_free(curve);
+        FREE_CURVE_SPECS();
+    }
+
+#else
+    (void)curveIn;
+    err = NOT_COMPILED_IN;
+#endif /* WOLFSSL_ATECC508A */
+
+    /* change key state if public part is cached */
+    if (key->type == ECC_PRIVATEKEY_ONLY && pubOut == NULL) {
+        key->type = ECC_PRIVATEKEY;
+    }
+
+    return err;
+}
+
+
+/* create the public ECC key from a private key
+ *
+ * key     an initialized private key to generate public part from
+ * pubOut  [out]ecc_point holding the public key, if NULL then public key part
+ *         is cached in key instead.
+ *
+ *
+ * returns MP_OKAY on success
+ */
+int wc_ecc_make_pub(ecc_key* key, ecc_point* pubOut)
+{
+    WOLFSSL_ENTER("wc_ecc_make_pub");
+
+    return wc_ecc_make_pub_ex(key, NULL, pubOut);
+}
+
+
+WOLFSSL_ABI
+int wc_ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key, int curve_id)
+{
+    int err;
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
+#ifndef WOLFSSL_SP_MATH
+    DECLARE_CURVE_SPECS(curve, ECC_CURVE_FIELD_COUNT);
+#endif
+#endif /* !WOLFSSL_ATECC508A */
+#if defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A)
+    const CRYS_ECPKI_Domain_t*  pDomain;
+    CRYS_ECPKI_KG_TempData_t    tempBuff;
+    CRYS_ECPKI_KG_FipsContext_t fipsCtx;
+    byte ucompressed_key[ECC_MAX_CRYPTO_HW_SIZE*2 + 1];
+    word32 raw_size = 0;
+#endif
+    if (key == NULL || rng == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* make sure required variables are reset */
+    wc_ecc_reset(key);
+
+    err = wc_ecc_set_curve(key, keysize, curve_id);
+    if (err != 0) {
+        return err;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (key->devId != INVALID_DEVID) {
+        err = wc_CryptoCb_MakeEccKey(rng, keysize, key, curve_id);
+        if (err != CRYPTOCB_UNAVAILABLE)
+            return err;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+    #ifdef HAVE_CAVIUM
+        /* TODO: Not implemented */
+    #elif defined(HAVE_INTEL_QA)
+        /* TODO: Not implemented */
+    #else
+        if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_ECC_MAKE)) {
+            WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+            testDev->eccMake.rng = rng;
+            testDev->eccMake.key = key;
+            testDev->eccMake.size = keysize;
+            testDev->eccMake.curve_id = curve_id;
+            return WC_PENDING_E;
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
+
+#ifdef WOLFSSL_ATECC508A
+   if (key->dp->id == ECC_SECP256R1) {
+       key->type = ECC_PRIVATEKEY;
+       key->slot = atmel_ecc_alloc(ATMEL_SLOT_ECDHE);
+       err = atmel_ecc_create_key(key->slot, key->pubkey_raw);
+
+       /* populate key->pubkey */
+       if (err == 0
+       #ifdef ALT_ECC_SIZE
+          && key->pubkey.x
+       #endif
+       ) {
+           err = mp_read_unsigned_bin(key->pubkey.x, key->pubkey_raw,
+                                      ECC_MAX_CRYPTO_HW_SIZE);
+       }
+       if (err == 0
+       #ifdef ALT_ECC_SIZE
+          && key->pubkey.y
+       #endif
+       ) {
+           err = mp_read_unsigned_bin(key->pubkey.y,
+                                      key->pubkey_raw + ECC_MAX_CRYPTO_HW_SIZE,
+                                      ECC_MAX_CRYPTO_HW_SIZE);
+       }
    }
-   ecc_del_point(base);
-   if (po_init) {
-       mp_clear(&prime);
-       mp_clear(&order);
+   else {
+      err = NOT_COMPILED_IN;
    }
+#elif defined(WOLFSSL_CRYPTOCELL)
 
-   ForceZero(buf, ECC_MAXSIZE);
-#ifdef WOLFSSL_SMALL_STACK
-   XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id));
+    raw_size = (word32)(key->dp->size)*2 + 1;
+
+    /* generate first key pair */
+    err = CRYS_ECPKI_GenKeyPair(&wc_rndState,
+                                wc_rndGenVectFunc,
+                                pDomain,
+                                &key->ctx.privKey,
+                                &key->ctx.pubKey,
+                                &tempBuff,
+                                &fipsCtx);
+
+    if (err != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_ECPKI_GenKeyPair for key pair failed");
+        return err;
+    }
+    key->type = ECC_PRIVATEKEY;
+
+    err = CRYS_ECPKI_ExportPublKey(&key->ctx.pubKey,
+                                   CRYS_EC_PointUncompressed,
+                                   &ucompressed_key[0],
+                                   &raw_size);
+
+    if (err == SA_SILIB_RET_OK && key->pubkey.x && key->pubkey.y) {
+        err = mp_read_unsigned_bin(key->pubkey.x,
+                                   &ucompressed_key[1], key->dp->size);
+        if (err == MP_OKAY) {
+            err = mp_read_unsigned_bin(key->pubkey.y,
+                            &ucompressed_key[1+key->dp->size],key->dp->size);
+        }
+    }
+    raw_size = key->dp->size;
+    if (err == MP_OKAY) {
+        err = CRYS_ECPKI_ExportPrivKey(&key->ctx.privKey,
+                                       ucompressed_key,
+                                       &raw_size);
+    }
+
+    if (err == SA_SILIB_RET_OK) {
+        err = mp_read_unsigned_bin(&key->k, ucompressed_key, raw_size);
+    }
+
+#else
+
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+        err = sp_ecc_make_key_256(rng, &key->k, &key->pubkey, key->heap);
+        if (err == MP_OKAY) {
+            key->type = ECC_PRIVATEKEY;
+        }
+    }
+    else
+#endif
+#ifdef WOLFSSL_SP_384
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+        err = sp_ecc_make_key_384(rng, &key->k, &key->pubkey, key->heap);
+        if (err == MP_OKAY) {
+            key->type = ECC_PRIVATEKEY;
+        }
+    }
+    else
 #endif
+#endif /* WOLFSSL_HAVE_SP_ECC */
 
-   return err;
+   { /* software key gen */
+#ifdef WOLFSSL_SP_MATH
+        err = WC_KEY_SIZE_E;
+#else
+
+        /* setup the key variables */
+        err = mp_init(&key->k);
+
+        /* load curve info */
+        if (err == MP_OKAY) {
+            ALLOC_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
+            err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
+        }
+
+        /* generate k */
+        if (err == MP_OKAY)
+            err = wc_ecc_gen_k(rng, key->dp->size, &key->k, curve->order);
+
+        /* generate public key from k */
+        if (err == MP_OKAY)
+            err = wc_ecc_make_pub_ex(key, curve, NULL);
+
+        if (err == MP_OKAY)
+            key->type = ECC_PRIVATEKEY;
+
+        /* cleanup these on failure case only */
+        if (err != MP_OKAY) {
+            /* clean up */
+            mp_forcezero(&key->k);
+        }
+
+        /* cleanup allocations */
+        wc_ecc_curve_free(curve);
+        FREE_CURVE_SPECS();
+#endif /* WOLFSSL_SP_MATH */
+    }
+
+#ifdef HAVE_WOLF_BIGINT
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->k, &key->k.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(key->pubkey.x, &key->pubkey.x->raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(key->pubkey.y, &key->pubkey.y->raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(key->pubkey.z, &key->pubkey.z->raw);
+#endif
+
+#endif /* WOLFSSL_ATECC508A */
+
+    return err;
 }
 
+#ifdef ECC_DUMP_OID
+/* Optional dump of encoded OID for adding new curves */
+static int mOidDumpDone;
+static void wc_ecc_dump_oids(void)
+{
+    int x;
 
-/* Setup dynamic pointers is using normal math for proper freeing */
-int wc_ecc_init(ecc_key* key)
+    if (mOidDumpDone) {
+        return;
+    }
+
+    /* find matching OID sum (based on encoded value) */
+    for (x = 0; ecc_sets[x].size != 0; x++) {
+        int i;
+        byte* oid;
+        word32 oidSz, sum = 0;
+
+        printf("ECC %s (%d):\n", ecc_sets[x].name, x);
+
+    #ifdef HAVE_OID_ENCODING
+        byte oidEnc[ECC_MAX_OID_LEN];
+
+        oid = oidEnc;
+        oidSz = ECC_MAX_OID_LEN;
+
+        printf("OID: ");
+        for (i = 0; i < (int)ecc_sets[x].oidSz; i++) {
+            printf("%d.", ecc_sets[x].oid[i]);
+        }
+        printf("\n");
+
+        EncodeObjectId(ecc_sets[x].oid, ecc_sets[x].oidSz, oidEnc, &oidSz);
+    #else
+        oid = (byte*)ecc_sets[x].oid;
+        oidSz = ecc_sets[x].oidSz;
+    #endif
+
+        printf("OID Encoded: ");
+        for (i = 0; i < (int)oidSz; i++) {
+            printf("0x%02X,", oid[i]);
+        }
+        printf("\n");
+
+        for (i = 0; i < (int)oidSz; i++) {
+            sum += oid[i];
+        }
+        printf("Sum: %d\n", sum);
+
+        /* validate sum */
+        if (ecc_sets[x].oidSum != sum) {
+            printf("  Sum %d Not Valid!\n", ecc_sets[x].oidSum);
+        }
+    }
+    mOidDumpDone = 1;
+}
+#endif /* ECC_DUMP_OID */
+
+
+WOLFSSL_ABI
+ecc_key* wc_ecc_key_new(void* heap)
+{
+    ecc_key* key;
+
+    key = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
+    if (key) {
+        if (wc_ecc_init_ex(key, heap, INVALID_DEVID) != 0) {
+            XFREE(key, heap, DYNAMIC_TYPE_ECC);
+            key = NULL;
+        }
+    }
+
+    return key;
+}
+
+
+WOLFSSL_ABI
+void wc_ecc_key_free(ecc_key* key)
+{
+    if (key) {
+        void* heap = key->heap;
+
+        wc_ecc_free(key);
+        ForceZero(key, sizeof(ecc_key));
+        XFREE(key, heap, DYNAMIC_TYPE_ECC);
+        (void)heap;
+    }
+}
+
+
+/**
+ Make a new ECC key
+ rng          An active RNG state
+ keysize      The keysize for the new key (in octets from 20 to 65 bytes)
+ key          [out] Destination of the newly created key
+ return       MP_OKAY if successful,
+ upon error all allocated memory will be freed
+ */
+int wc_ecc_make_key(WC_RNG* rng, int keysize, ecc_key* key)
+{
+    return wc_ecc_make_key_ex(rng, keysize, key, ECC_CURVE_DEF);
+}
+
+/* Setup dynamic pointers if using normal math for proper freeing */
+WOLFSSL_ABI
+int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
 {
-    (void)key;
+    int ret = 0;
 
-#ifndef USE_FAST_MATH
-    key->pubkey.x->dp = NULL;
-    key->pubkey.y->dp = NULL;
-    key->pubkey.z->dp = NULL;
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    key->k.dp = NULL;
+#ifdef ECC_DUMP_OID
+    wc_ecc_dump_oids();
 #endif
 
-#ifdef ALT_ECC_SIZE
-    if (mp_init(&key->k) != MP_OKAY)
-        return MEMORY_E;
+    XMEMSET(key, 0, sizeof(ecc_key));
+    key->state = ECC_STATE_NONE;
 
+#if defined(PLUTON_CRYPTO_ECC) || defined(WOLF_CRYPTO_CB)
+    key->devId = devId;
+#else
+    (void)devId;
+#endif
+
+#ifdef WOLFSSL_ATECC508A
+    key->slot = ATECC_INVALID_SLOT;
+#else
+#ifdef ALT_ECC_SIZE
     key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
     key->pubkey.y = (mp_int*)&key->pubkey.xyz[1];
     key->pubkey.z = (mp_int*)&key->pubkey.xyz[2];
     alt_fp_init(key->pubkey.x);
     alt_fp_init(key->pubkey.y);
     alt_fp_init(key->pubkey.z);
+    ret = mp_init(&key->k);
+    if (ret != MP_OKAY) {
+        return MEMORY_E;
+    }
+#else
+    ret = mp_init_multi(&key->k, key->pubkey.x, key->pubkey.y, key->pubkey.z,
+                                                                    NULL, NULL);
+    if (ret != MP_OKAY) {
+        return MEMORY_E;
+    }
+#endif /* ALT_ECC_SIZE */
+#endif /* WOLFSSL_ATECC508A */
+
+#ifdef WOLFSSL_HEAP_TEST
+    key->heap = (void*)WOLFSSL_HEAP_TEST;
+#else
+    key->heap = heap;
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    /* handle as async */
+    ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_ECC,
+                                                            key->heap, devId);
+#endif
+
+#if defined(WOLFSSL_DSP)
+    key->handle = -1;
+#endif
+    return ret;
+}
+
+int wc_ecc_init(ecc_key* key)
+{
+    return wc_ecc_init_ex(key, NULL, INVALID_DEVID);
+}
+
+#ifdef HAVE_PKCS11
+int wc_ecc_init_id(ecc_key* key, unsigned char* id, int len, void* heap,
+                   int devId)
+{
+    int ret = 0;
+
+    if (key == NULL)
+        ret = BAD_FUNC_ARG;
+    if (ret == 0 && (len < 0 || len > ECC_MAX_ID_LEN))
+        ret = BUFFER_E;
+
+    if (ret == 0)
+        ret = wc_ecc_init_ex(key, heap, devId);
+
+    if (ret == 0 && id != NULL && len != 0) {
+        XMEMCPY(key->id, id, len);
+        key->idLen = len;
+    }
+
+    return ret;
+}
 #endif
 
+int wc_ecc_set_flags(ecc_key* key, word32 flags)
+{
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    key->flags |= flags;
     return 0;
 }
 
 
+static int wc_ecc_get_curve_order_bit_count(const ecc_set_type* dp)
+{
+    int err;
+    word32 orderBits;
+    DECLARE_CURVE_SPECS(curve, 1);
+
+    ALLOC_CURVE_SPECS(1);
+    err = wc_ecc_curve_load(dp, &curve, ECC_CURVE_FIELD_ORDER);
+    if (err != 0) {
+       FREE_CURVE_SPECS();
+       return err;
+    }
+    orderBits = mp_count_bits(curve->order);
+
+    wc_ecc_curve_free(curve);
+    FREE_CURVE_SPECS();
+    return (int)orderBits;
+}
+
+#ifdef HAVE_ECC_SIGN
+
+#ifndef NO_ASN
+
+#if defined(WOLFSSL_ATECC508A) || defined(PLUTON_CRYPTO_ECC) || \
+    defined(WOLFSSL_CRYPTOCELL)
+static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
+    mp_int* r, mp_int* s, byte* out, word32 *outlen, WC_RNG* rng,
+    ecc_key* key)
+{
+    int err;
+#ifdef PLUTON_CRYPTO_ECC
+    if (key->devId != INVALID_DEVID) /* use hardware */
+#endif
+    {
+    #if defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A)
+        CRYS_ECDSA_SignUserContext_t sigCtxTemp;
+        word32 raw_sig_size = *outlen;
+        word32 msgLenInBytes = inlen;
+        CRYS_ECPKI_HASH_OpMode_t hash_mode;
+    #endif
+        word32 keysize = (word32)key->dp->size;
+        word32 orderBits = wc_ecc_get_curve_order_bit_count(key->dp);
+
+        /* Check args */
+        if (keysize > ECC_MAX_CRYPTO_HW_SIZE || *outlen < keysize*2) {
+            return ECC_BAD_ARG_E;
+        }
+
+    #if defined(WOLFSSL_ATECC508A)
+        key->slot = atmel_ecc_alloc(ATMEL_SLOT_DEVICE);
+        if (key->slot == ATECC_INVALID_SLOT) {
+            return ECC_BAD_ARG_E;
+        }
+
+        /* Sign: Result is 32-bytes of R then 32-bytes of S */
+        err = atmel_ecc_sign(key->slot, in, out);
+        if (err != 0) {
+           return err;
+        }
+    #elif defined(PLUTON_CRYPTO_ECC)
+        {
+            /* if the input is larger than curve order, we must truncate */
+            if ((inlen * WOLFSSL_BIT_SIZE) > orderBits) {
+               inlen = (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
+            }
+
+            /* perform ECC sign */
+            word32 raw_sig_size = *outlen;
+            err = Crypto_EccSign(in, inlen, out, &raw_sig_size);
+            if (err != CRYPTO_RES_SUCCESS || raw_sig_size != keysize*2){
+               return BAD_COND_E;
+            }
+        }
+    #elif defined(WOLFSSL_CRYPTOCELL)
+
+        hash_mode = cc310_hashModeECC(msgLenInBytes);
+        if (hash_mode == CRYS_ECPKI_HASH_OpModeLast) {
+            hash_mode = cc310_hashModeECC(keysize);
+            hash_mode = CRYS_ECPKI_HASH_SHA256_mode;
+        }
+
+        /* truncate if hash is longer than key size */
+        if (msgLenInBytes > keysize) {
+            msgLenInBytes = keysize;
+        }
+
+        /* create signature from an input buffer using a private key*/
+        err = CRYS_ECDSA_Sign(&wc_rndState,
+                               wc_rndGenVectFunc,
+                               &sigCtxTemp,
+                               &key->ctx.privKey,
+                               hash_mode,
+                               (byte*)in,
+                               msgLenInBytes,
+                               out,
+                               &raw_sig_size);
+
+        if (err != SA_SILIB_RET_OK){
+            WOLFSSL_MSG("CRYS_ECDSA_Sign failed");
+            return err;
+        }
+    #endif
+
+        /* Load R and S */
+        err = mp_read_unsigned_bin(r, &out[0], keysize);
+        if (err != MP_OKAY) {
+            return err;
+        }
+        err = mp_read_unsigned_bin(s, &out[keysize], keysize);
+        if (err != MP_OKAY) {
+            return err;
+        }
+
+        /* Check for zeros */
+        if (mp_iszero(r) || mp_iszero(s)) {
+            return MP_ZERO_E;
+        }
+    }
+#ifdef PLUTON_CRYPTO_ECC
+    else {
+        err = wc_ecc_sign_hash_ex(in, inlen, rng, key, r, s);
+    }
+#endif
+    (void)rng;
+
+    return err;
+}
+#endif /* WOLFSSL_ATECC508A || PLUTON_CRYPTO_ECC || WOLFSSL_CRYPTOCELL */
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+static int wc_ecc_sign_hash_async(const byte* in, word32 inlen, byte* out,
+    word32 *outlen, WC_RNG* rng, ecc_key* key)
+{
+    int err;
+    mp_int *r = NULL, *s = NULL;
+
+    if (in == NULL || out == NULL || outlen == NULL || key == NULL ||
+                                                                rng == NULL) {
+        return ECC_BAD_ARG_E;
+    }
+
+    err = wc_ecc_alloc_async(key);
+    if (err != 0) {
+        return err;
+    }
+    r = key->r;
+    s = key->s;
+
+    switch(key->state) {
+        case ECC_STATE_NONE:
+        case ECC_STATE_SIGN_DO:
+            key->state = ECC_STATE_SIGN_DO;
+
+            if ((err = mp_init_multi(r, s, NULL, NULL, NULL, NULL)) != MP_OKAY){
+                break;
+            }
+
+            err = wc_ecc_sign_hash_ex(in, inlen, rng, key, r, s);
+            if (err < 0) {
+                break;
+            }
+
+            FALL_THROUGH;
+
+        case ECC_STATE_SIGN_ENCODE:
+            key->state = ECC_STATE_SIGN_ENCODE;
+
+            if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+                #ifdef HAVE_CAVIUM_V
+                    /* Nitrox requires r and s in sep buffer, so split it */
+                    NitroxEccRsSplit(key, &r->raw, &s->raw);
+                #endif
+                #ifndef WOLFSSL_ASYNC_CRYPT_TEST
+                    /* only do this if not simulator, since it overwrites result */
+                    wc_bigint_to_mp(&r->raw, r);
+                    wc_bigint_to_mp(&s->raw, s);
+                #endif
+            }
+
+            /* encoded with DSA header */
+            err = StoreECC_DSA_Sig(out, outlen, r, s);
+
+            /* done with R/S */
+            mp_clear(r);
+            mp_clear(s);
+            break;
+
+        default:
+            err = BAD_STATE_E;
+            break;
+    }
+
+    /* if async pending then return and skip done cleanup below */
+    if (err == WC_PENDING_E) {
+        key->state++;
+        return err;
+    }
+
+    /* cleanup */
+    wc_ecc_free_async(key);
+    key->state = ECC_STATE_NONE;
+
+    return err;
+}
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
+
+/**
+ Sign a message digest
+ in        The message digest to sign
+ inlen     The length of the digest
+ out       [out] The destination for the signature
+ outlen    [in/out] The max size and resulting size of the signature
+ key       A private ECC key
+ return    MP_OKAY if successful
+ */
+WOLFSSL_ABI
+int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen,
+                     WC_RNG* rng, ecc_key* key)
+{
+    int err;
+#if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(WC_ASYNC_ENABLE_ECC)
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int *r = NULL, *s = NULL;
+#else
+    mp_int r[1], s[1];
+#endif
+#endif
+
+    if (in == NULL || out == NULL || outlen == NULL || key == NULL ||
+                                                                rng == NULL) {
+        return ECC_BAD_ARG_E;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (key->devId != INVALID_DEVID) {
+        err = wc_CryptoCb_EccSign(in, inlen, out, outlen, rng, key);
+        if (err != CRYPTOCB_UNAVAILABLE)
+            return err;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    /* handle async cases */
+    err = wc_ecc_sign_hash_async(in, inlen, out, outlen, rng, key);
+#else
+
+#ifdef WOLFSSL_SMALL_STACK
+    r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+    if (r == NULL)
+        return MEMORY_E;
+    s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+    if (s == NULL) {
+        XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+#endif
+    XMEMSET(r, 0, sizeof(mp_int));
+    XMEMSET(s, 0, sizeof(mp_int));
+
+    if ((err = mp_init_multi(r, s, NULL, NULL, NULL, NULL)) != MP_OKAY){
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(s, key->heap, DYNAMIC_TYPE_ECC);
+        XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+    #endif
+        return err;
+    }
+
+/* hardware crypto */
+#if defined(WOLFSSL_ATECC508A) || defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
+    err = wc_ecc_sign_hash_hw(in, inlen, r, s, out, outlen, rng, key);
+#else
+    err = wc_ecc_sign_hash_ex(in, inlen, rng, key, r, s);
+#endif
+    if (err < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(s, key->heap, DYNAMIC_TYPE_ECC);
+        XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+    #endif
+        return err;
+    }
+
+    /* encoded with DSA header */
+    err = StoreECC_DSA_Sig(out, outlen, r, s);
+
+    /* cleanup */
+    mp_clear(r);
+    mp_clear(s);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(s, key->heap, DYNAMIC_TYPE_ECC);
+    XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+#endif
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    return err;
+}
+#endif /* !NO_ASN */
+
+#if defined(WOLFSSL_STM32_PKA)
+int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
+                     ecc_key* key, mp_int *r, mp_int *s)
+{
+    return stm32_ecc_sign_hash_ex(in, inlen, rng, key, r, s);
+}
+#elif !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
 /**
   Sign a message digest
   in        The message digest to sign
   inlen     The length of the digest
-  out       [out] The destination for the signature
-  outlen    [in/out] The max size and resulting size of the signature
   key       A private ECC key
+  r         [out] The destination for r component of the signature
+  s         [out] The destination for s component of the signature
   return    MP_OKAY if successful
 */
-int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, 
-                  RNG* rng, ecc_key* key)
+int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
+                     ecc_key* key, mp_int *r, mp_int *s)
 {
-   mp_int        r;
-   mp_int        s;
-   mp_int        e;
-   mp_int        p;
-   int           err;
+   int    err = 0;
+#ifndef WOLFSSL_SP_MATH
+   mp_int* e;
+#if (!defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)) && \
+                                                   !defined(WOLFSSL_SMALL_STACK)
+   mp_int  e_lcl;
+#endif
 
-   if (in == NULL || out == NULL || outlen == NULL || key == NULL || rng ==NULL)
+#if defined(WOLFSSL_ECDSA_SET_K) || \
+    (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+    (defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA)))
+   DECLARE_CURVE_SPECS(curve, ECC_CURVE_FIELD_COUNT);
+#else
+   DECLARE_CURVE_SPECS(curve, 1);
+#endif
+#endif /* !WOLFSSL_SP_MATH */
+
+   if (in == NULL || r == NULL || s == NULL || key == NULL || rng == NULL) {
        return ECC_BAD_ARG_E;
+   }
 
    /* is this a private key? */
-   if (key->type != ECC_PRIVATEKEY) {
+   if (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY) {
       return ECC_BAD_ARG_E;
    }
-   
+
    /* is the IDX valid ?  */
-   if (ecc_is_valid_idx(key->idx) != 1) {
+   if (wc_ecc_is_valid_idx(key->idx) != 1) {
       return ECC_BAD_ARG_E;
    }
 
+#ifdef WOLFSSL_SP_MATH
+#ifndef WOLFSSL_SP_NO_256
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+    #ifndef WOLFSSL_ECDSA_SET_K
+        return sp_ecc_sign_256(in, inlen, rng, &key->k, r, s, NULL, key->heap);
+    #else
+        return sp_ecc_sign_256(in, inlen, rng, &key->k, r, s, key->sign_k,
+                                                                     key->heap);
+    #endif
+    }
+#endif
+#ifdef WOLFSSL_SP_384
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+    #ifndef WOLFSSL_ECDSA_SET_K
+        return sp_ecc_sign_384(in, inlen, rng, &key->k, r, s, NULL, key->heap);
+    #else
+        return sp_ecc_sign_384(in, inlen, rng, &key->k, r, s, key->sign_k,
+                                                                     key->heap);
+    #endif
+    }
+#endif
+    return WC_KEY_SIZE_E;
+#else
+#ifdef WOLFSSL_HAVE_SP_ECC
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    if (key->asyncDev.marker != WOLFSSL_ASYNC_MARKER_ECC)
+    #endif
+    {
+#ifndef WOLFSSL_SP_NO_256
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP256R1) {
+        #ifndef WOLFSSL_ECDSA_SET_K
+            return sp_ecc_sign_256(in, inlen, rng, &key->k, r, s, NULL,
+                                                                     key->heap);
+        #else
+            return sp_ecc_sign_256(in, inlen, rng, &key->k, r, s, key->sign_k,
+                                                                     key->heap);
+        #endif
+        }
+#endif
+#ifdef WOLFSSL_SP_384
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP384R1) {
+        #ifndef WOLFSSL_ECDSA_SET_K
+            return sp_ecc_sign_384(in, inlen, rng, &key->k, r, s, NULL,
+                                                                     key->heap);
+        #else
+            return sp_ecc_sign_384(in, inlen, rng, &key->k, r, s, key->sign_k,
+                                                                     key->heap);
+        #endif
+        }
+#endif
+    }
+#endif /* WOLFSSL_HAVE_SP_ECC */
+
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+       defined(WOLFSSL_ASYNC_CRYPT_TEST)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+        if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_ECC_SIGN)) {
+            WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+            testDev->eccSign.in = in;
+            testDev->eccSign.inSz = inlen;
+            testDev->eccSign.rng = rng;
+            testDev->eccSign.key = key;
+            testDev->eccSign.r = r;
+            testDev->eccSign.s = s;
+            return WC_PENDING_E;
+        }
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_CAVIUM_V)
+   err = wc_ecc_alloc_mpint(key, &key->e);
+   if (err != 0) {
+      return err;
+   }
+   e = key->e;
+#elif !defined(WOLFSSL_SMALL_STACK)
+   e = &e_lcl;
+#else
+   e = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+   if (e == NULL) {
+      return MEMORY_E;
+   }
+#endif
+
    /* get the hash and load it as a bignum into 'e' */
    /* init the bignums */
-   if ((err = mp_init_multi(&r, &s, &p, &e, NULL, NULL)) != MP_OKAY) { 
+   if ((err = mp_init(e)) != MP_OKAY) {
+   #ifdef WOLFSSL_SMALL_STACK
+      XFREE(e, key->heap, DYNAMIC_TYPE_ECC);
+   #endif
       return err;
    }
-   err = mp_read_radix(&p, (char *)key->dp->order, 16);
 
+   /* load curve info */
+#if defined(WOLFSSL_ECDSA_SET_K)
+   ALLOC_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
+   err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
+#else
+   #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+      (defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA))
+   if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+      ALLOC_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
+      err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
+   }
+   else
+   #endif
+   {
+      ALLOC_CURVE_SPECS(1);
+      err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ORDER);
+   }
+#endif
+
+   /* load digest into e */
    if (err == MP_OKAY) {
        /* we may need to truncate if hash is longer than key size */
-       word32 orderBits = mp_count_bits(&p);
+       word32 orderBits = mp_count_bits(curve->order);
 
        /* truncate down to byte size, may be all that's needed */
-       if ( (WOLFSSL_BIT_SIZE * inlen) > orderBits)
-           inlen = (orderBits + WOLFSSL_BIT_SIZE - 1)/WOLFSSL_BIT_SIZE;
-       err = mp_read_unsigned_bin(&e, (byte*)in, inlen);
+       if ((WOLFSSL_BIT_SIZE * inlen) > orderBits)
+           inlen = (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
+       err = mp_read_unsigned_bin(e, (byte*)in, inlen);
 
        /* may still need bit truncation too */
        if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * inlen) > orderBits)
-           mp_rshb(&e, WOLFSSL_BIT_SIZE - (orderBits & 0x7));
+           mp_rshb(e, WOLFSSL_BIT_SIZE - (orderBits & 0x7));
    }
 
    /* make up a key and export the public copy */
    if (err == MP_OKAY) {
-       int loop_check = 0;
-       ecc_key pubkey;
-       wc_ecc_init(&pubkey);
-       for (;;) {
-           if (++loop_check > 64) {
-                err = RNG_FAILURE_E;
-                break;
+       int      loop_check = 0;
+   #ifdef WOLFSSL_SMALL_STACK
+       ecc_key* pubkey;
+   #else
+       ecc_key  pubkey[1];
+   #endif
+
+   #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+        #if defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA)
+        #ifdef HAVE_CAVIUM_V
+            if (NitroxEccIsCurveSupported(key))
+        #endif
+            {
+               word32 keySz = key->dp->size;
+               mp_int* k;
+            #ifdef HAVE_CAVIUM_V
+               err = wc_ecc_alloc_mpint(key, &key->signK);
+               if (err != 0)
+                  return err;
+               k = key->signK;
+            #else
+               mp_int k_lcl;
+               k = &k_lcl;
+            #endif
+
+               err = mp_init(k);
+
+                /* make sure r and s are allocated */
+           #ifdef HAVE_CAVIUM_V
+               /* Nitrox V needs single buffer for R and S */
+               if (err == MP_OKAY)
+                   err = wc_bigint_alloc(&key->r->raw, NitroxEccGetSize(key)*2);
+               /* Nitrox V only needs Prime and Order */
+               if (err == MP_OKAY)
+                   err = wc_ecc_curve_load(key->dp, &curve,
+                        (ECC_CURVE_FIELD_PRIME | ECC_CURVE_FIELD_ORDER));
+           #else
+               if (err == MP_OKAY)
+                   err = wc_bigint_alloc(&key->r->raw, key->dp->size);
+               if (err == MP_OKAY)
+                   err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
+           #endif
+               if (err == MP_OKAY)
+                   err = wc_bigint_alloc(&key->s->raw, key->dp->size);
+
+               /* load e and k */
+               if (err == MP_OKAY)
+                   err = wc_mp_to_bigint_sz(e, &e->raw, keySz);
+               if (err == MP_OKAY)
+                   err = wc_mp_to_bigint_sz(&key->k, &key->k.raw, keySz);
+               if (err == MP_OKAY)
+                   err = wc_ecc_gen_k(rng, key->dp->size, k, curve->order);
+               if (err == MP_OKAY)
+                   err = wc_mp_to_bigint_sz(k, &k->raw, keySz);
+
+           #ifdef HAVE_CAVIUM_V
+               if (err == MP_OKAY)
+                   err = NitroxEcdsaSign(key, &e->raw, &key->k.raw, &k->raw,
+                    &r->raw, &s->raw, &curve->prime->raw, &curve->order->raw);
+           #else
+               if (err == MP_OKAY)
+                   err = IntelQaEcdsaSign(&key->asyncDev, &e->raw, &key->k.raw,
+                      &k->raw, &r->raw, &s->raw, &curve->Af->raw, &curve->Bf->raw,
+                      &curve->prime->raw, &curve->order->raw, &curve->Gx->raw,
+                      &curve->Gy->raw);
+           #endif
+
+           #ifndef HAVE_CAVIUM_V
+               mp_clear(e);
+               mp_clear(k);
+           #endif
+               wc_ecc_curve_free(curve);
+               FREE_CURVE_SPECS();
+
+               return err;
            }
-           err = wc_ecc_make_key_ex(rng, &pubkey, key->dp);
-           if (err != MP_OKAY) break;
+       #endif /* HAVE_CAVIUM_V || HAVE_INTEL_QA */
+       }
+   #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
 
-           /* find r = x1 mod n */
-           err = mp_mod(pubkey.pubkey.x, &p, &r);
-           if (err != MP_OKAY) break;
+   #ifdef WOLFSSL_SMALL_STACK
+       pubkey = (ecc_key*)XMALLOC(sizeof(ecc_key), key->heap, DYNAMIC_TYPE_ECC);
+       if (pubkey == NULL)
+           err = MEMORY_E;
+   #endif
+
+       /* don't use async for key, since we don't support async return here */
+       if (err == MP_OKAY && (err = wc_ecc_init_ex(pubkey, key->heap,
+                                                   INVALID_DEVID)) == MP_OKAY) {
+       #ifdef WOLFSSL_SMALL_STACK
+           mp_int* b = NULL;
+       #else
+           mp_int  b[1];
+       #endif
+
+       #ifdef WOLFSSL_SMALL_STACK
+           if (err == MP_OKAY) {
+               b = (mp_int*)XMALLOC(sizeof(mp_int), key->heap,
+                                                              DYNAMIC_TYPE_ECC);
+               if (b == NULL)
+                   err = MEMORY_E;
+           }
+       #endif
 
-           if (mp_iszero(&r) == MP_YES) {
-               mp_clear(pubkey.pubkey.x);
-               mp_clear(pubkey.pubkey.y);
-               mp_clear(pubkey.pubkey.z);
-               mp_clear(&pubkey.k);
+           if (err == MP_OKAY) {
+               err = mp_init(b);
            }
-           else { 
-               /* find s = (e + xr)/k */
-               err = mp_invmod(&pubkey.k, &p, &pubkey.k);
-               if (err != MP_OKAY) break;
 
-               err = mp_mulmod(&key->k, &r, &p, &s);   /* s = xr */
-               if (err != MP_OKAY) break;
-           
-               err = mp_add(&e, &s, &s);               /* s = e +  xr */
-               if (err != MP_OKAY) break;
+       #ifdef WOLFSSL_CUSTOM_CURVES
+           /* if custom curve, apply params to pubkey */
+           if (err == MP_OKAY && key->idx == ECC_CUSTOM_IDX) {
+               err = wc_ecc_set_custom_curve(pubkey, key->dp);
+           }
+       #endif
+
+           if (err == MP_OKAY) {
+               /* Generate blinding value - non-zero value. */
+               do {
+                   if (++loop_check > 64) {
+                        err = RNG_FAILURE_E;
+                        break;
+                   }
+
+                   err = wc_ecc_gen_k(rng, key->dp->size, b, curve->order);
+               }
+               while (err == MP_ZERO_E);
+               loop_check = 0;
+           }
+
+           for (; err == MP_OKAY;) {
+               if (++loop_check > 64) {
+                    err = RNG_FAILURE_E;
+                    break;
+               }
+       #ifdef WOLFSSL_ECDSA_SET_K
+               if (key->sign_k != NULL) {
+                   if (loop_check > 1) {
+                      err = RNG_FAILURE_E;
+                      break;
+                   }
+
+                   err = mp_copy(key->sign_k, &pubkey->k);
+                   if (err != MP_OKAY) break;
 
-               err = mp_mod(&s, &p, &s);               /* s = e +  xr */
+                   mp_forcezero(key->sign_k);
+                   mp_free(key->sign_k);
+                   XFREE(key->sign_k, key->heap, DYNAMIC_TYPE_ECC);
+                   key->sign_k = NULL;
+                   err = wc_ecc_make_pub_ex(pubkey, curve, NULL);
+               }
+               else
+       #endif
+               {
+                   err = wc_ecc_make_key_ex(rng, key->dp->size, pubkey,
+                                                                   key->dp->id);
+               }
                if (err != MP_OKAY) break;
 
-               err = mp_mulmod(&s, &pubkey.k, &p, &s); /* s = (e + xr)/k */
+               /* find r = x1 mod n */
+               err = mp_mod(pubkey->pubkey.x, curve->order, r);
                if (err != MP_OKAY) break;
 
-               if (mp_iszero(&s) == MP_NO)
-                   break;
-            }
+               if (mp_iszero(r) == MP_YES) {
+                #ifndef ALT_ECC_SIZE
+                   mp_clear(pubkey->pubkey.x);
+                   mp_clear(pubkey->pubkey.y);
+                   mp_clear(pubkey->pubkey.z);
+                #endif
+                   mp_forcezero(&pubkey->k);
+               }
+               else {
+                   /* find s = (e + xr)/k
+                             = b.(e/k.b + x.r/k.b) */
+
+                   /* k = k.b */
+                   err = mp_mulmod(&pubkey->k, b, curve->order, &pubkey->k);
+                   if (err != MP_OKAY) break;
+
+                   /* k = 1/k.b */
+                   err = mp_invmod(&pubkey->k, curve->order, &pubkey->k);
+                   if (err != MP_OKAY) break;
+
+                   /* s = x.r */
+                   err = mp_mulmod(&key->k, r, curve->order, s);
+                   if (err != MP_OKAY) break;
+
+                   /* s = x.r/k.b */
+                   err = mp_mulmod(&pubkey->k, s, curve->order, s);
+                   if (err != MP_OKAY) break;
+
+                   /* e = e/k.b */
+                   err = mp_mulmod(&pubkey->k, e, curve->order, e);
+                   if (err != MP_OKAY) break;
+
+                   /* s = e/k.b + x.r/k.b
+                        = (e + x.r)/k.b */
+                   err = mp_add(e, s, s);
+                   if (err != MP_OKAY) break;
+
+                   /* s = b.(e + x.r)/k.b
+                        = (e + x.r)/k */
+                   err = mp_mulmod(s, b, curve->order, s);
+                   if (err != MP_OKAY) break;
+
+                   /* s = (e + xr)/k */
+                   err = mp_mod(s, curve->order, s);
+                   if (err != MP_OKAY) break;
+
+                   if (mp_iszero(s) == MP_NO)
+                       break;
+                }
+           }
+           mp_clear(b);
+           mp_free(b);
+       #ifdef WOLFSSL_SMALL_STACK
+           XFREE(b, key->heap, DYNAMIC_TYPE_ECC);
+       #endif
+           wc_ecc_free(pubkey);
+       #ifdef WOLFSSL_SMALL_STACK
+           XFREE(pubkey, key->heap, DYNAMIC_TYPE_ECC);
+       #endif
        }
-       wc_ecc_free(&pubkey);
    }
 
-   /* store as SEQUENCE { r, s -- integer } */
-   if (err == MP_OKAY)
-       err = StoreECC_DSA_Sig(out, outlen, &r, &s);
-
-   mp_clear(&r);
-   mp_clear(&s);
-   mp_clear(&p);
-   mp_clear(&e);
+   mp_clear(e);
+   wc_ecc_curve_free(curve);
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(e, key->heap, DYNAMIC_TYPE_ECC);
+#endif
+   FREE_CURVE_SPECS();
+#endif /* WOLFSSL_SP_MATH */
 
    return err;
 }
 
+#ifdef WOLFSSL_ECDSA_SET_K
+int wc_ecc_sign_set_k(const byte* k, word32 klen, ecc_key* key)
+{
+    int ret = 0;
+
+    if (k == NULL || klen == 0 || key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        if (key->sign_k == NULL) {
+            key->sign_k = (mp_int*)XMALLOC(sizeof(mp_int), key->heap,
+                                                              DYNAMIC_TYPE_ECC);
+            if (key->sign_k == NULL) {
+                ret = MEMORY_E;
+            }
+        }
+    }
+
+    if (ret == 0) {
+        ret = mp_init(key->sign_k);
+    }
+    if (ret == 0) {
+        ret = mp_read_unsigned_bin(key->sign_k, k, klen);
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_ECDSA_SET_K */
+#endif /* WOLFSSL_ATECC508A && WOLFSSL_CRYPTOCELL*/
+
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef WOLFSSL_CUSTOM_CURVES
+void wc_ecc_free_curve(const ecc_set_type* curve, void* heap)
+{
+#ifndef WOLFSSL_ECC_CURVE_STATIC
+    if (curve->prime != NULL)
+        XFREE((void*)curve->prime, heap, DYNAMIC_TYPE_ECC_BUFFER);
+    if (curve->Af != NULL)
+        XFREE((void*)curve->Af, heap, DYNAMIC_TYPE_ECC_BUFFER);
+    if (curve->Bf != NULL)
+        XFREE((void*)curve->Bf, heap, DYNAMIC_TYPE_ECC_BUFFER);
+    if (curve->order != NULL)
+        XFREE((void*)curve->order, heap, DYNAMIC_TYPE_ECC_BUFFER);
+    if (curve->Gx != NULL)
+        XFREE((void*)curve->Gx, heap, DYNAMIC_TYPE_ECC_BUFFER);
+    if (curve->Gy != NULL)
+        XFREE((void*)curve->Gy, heap, DYNAMIC_TYPE_ECC_BUFFER);
+#endif
+
+    XFREE((void*)curve, heap, DYNAMIC_TYPE_ECC_BUFFER);
+
+    (void)heap;
+}
+#endif /* WOLFSSL_CUSTOM_CURVES */
 
 /**
   Free an ECC key from memory
   key   The key you wish to free
 */
-void wc_ecc_free(ecc_key* key)
+WOLFSSL_ABI
+int wc_ecc_free(ecc_key* key)
 {
-   if (key == NULL)
-       return;
+    if (key == NULL) {
+        return 0;
+    }
 
-   mp_clear(key->pubkey.x);
-   mp_clear(key->pubkey.y);
-   mp_clear(key->pubkey.z);
-   mp_clear(&key->k);
-}
+#ifdef WOLFSSL_ECDSA_SET_K
+    if (key->sign_k != NULL) {
+        mp_forcezero(key->sign_k);
+        mp_free(key->sign_k);
+        XFREE(key->sign_k, key->heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
 
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    #ifdef WC_ASYNC_ENABLE_ECC
+    wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_ECC);
+    #endif
+    wc_ecc_free_async(key);
+#endif
 
-#ifdef USE_FAST_MATH
-    #define GEN_MEM_ERR FP_MEM
-#else
-    #define GEN_MEM_ERR MP_MEM
+#ifdef WOLFSSL_ATECC508A
+    atmel_ecc_free(key->slot);
+    key->slot = ATECC_INVALID_SLOT;
+#endif /* WOLFSSL_ATECC508A */
+
+    mp_clear(key->pubkey.x);
+    mp_clear(key->pubkey.y);
+    mp_clear(key->pubkey.z);
+
+    mp_forcezero(&key->k);
+
+#ifdef WOLFSSL_CUSTOM_CURVES
+    if (key->deallocSet && key->dp != NULL)
+        wc_ecc_free_curve(key->dp, key->heap);
 #endif
 
+    return 0;
+}
+
+#if !defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
 #ifdef ECC_SHAMIR
 
 /** Computes kA*A + kB*B = C using Shamir's Trick
@@ -1851,47 +5358,97 @@ void wc_ecc_free(ecc_key* key)
   B        Second point to multiply
   kB       What to multiple B by
   C        [out] Destination point (can overlap with A or B)
-  modulus  Modulus for curve 
+  a        ECC curve parameter a
+  modulus  Modulus for curve
   return MP_OKAY on success
 */
 #ifdef FP_ECC
 static int normal_ecc_mul2add(ecc_point* A, mp_int* kA,
                              ecc_point* B, mp_int* kB,
-                             ecc_point* C, mp_int* modulus)
+                             ecc_point* C, mp_int* a, mp_int* modulus,
+                             void* heap)
 #else
-static int ecc_mul2add(ecc_point* A, mp_int* kA,
+int ecc_mul2add(ecc_point* A, mp_int* kA,
                     ecc_point* B, mp_int* kB,
-                    ecc_point* C, mp_int* modulus)
+                    ecc_point* C, mp_int* a, mp_int* modulus,
+                    void* heap)
 #endif
 {
-  ecc_point*     precomp[16];
-  unsigned       bitbufA, bitbufB, lenA, lenB, len, x, y, nA, nB, nibble;
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+  ecc_key        key;
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+  ecc_point**    precomp = NULL;
+#else
+  ecc_point*     precomp[SHAMIR_PRECOMP_SZ];
+#endif
+  unsigned       bitbufA, bitbufB, lenA, lenB, len, nA, nB, nibble;
   unsigned char* tA;
   unsigned char* tB;
-  int            err = MP_OKAY, first;
-  int            muInit    = 0;
-  int            tableInit = 0;
-  mp_digit mp;
-  mp_int   mu;
- 
-  /* argchks */
-  if (A == NULL || kA == NULL || B == NULL || kB == NULL || C == NULL || 
-                   modulus == NULL)
-    return ECC_BAD_ARG_E;
+  int            err = MP_OKAY, first, x, y;
+  mp_digit       mp = 0;
 
+  /* argchks */
+  if (A == NULL || kA == NULL || B == NULL || kB == NULL || C == NULL ||
+                                                         modulus == NULL) {
+     return ECC_BAD_ARG_E;
+  }
 
   /* allocate memory */
-  tA = (unsigned char*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  tA = (unsigned char*)XMALLOC(ECC_BUFSIZE, heap, DYNAMIC_TYPE_ECC_BUFFER);
   if (tA == NULL) {
      return GEN_MEM_ERR;
   }
-  tB = (unsigned char*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  tB = (unsigned char*)XMALLOC(ECC_BUFSIZE, heap, DYNAMIC_TYPE_ECC_BUFFER);
   if (tB == NULL) {
-     XFREE(tA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+     XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER);
+     return GEN_MEM_ERR;
+  }
+#ifdef WOLFSSL_SMALL_STACK
+  precomp = (ecc_point**)XMALLOC(sizeof(ecc_point*) * SHAMIR_PRECOMP_SZ, heap,
+                                                       DYNAMIC_TYPE_ECC_BUFFER);
+  if (precomp == NULL) {
+     XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER);
+     XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER);
      return GEN_MEM_ERR;
   }
+#endif
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+  key.t1 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+  key.t2 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+#ifdef ALT_ECC_SIZE
+  key.x = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+  key.y = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+  key.z = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+#endif
+  if (key.t1 == NULL || key.t2 == NULL
+#ifdef ALT_ECC_SIZE
+     || key.x == NULL || key.y == NULL || key.z == NULL
+#endif
+  ) {
+#ifdef ALT_ECC_SIZE
+      XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+      XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+      XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+      XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+      XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+      XFREE(precomp, heap, DYNAMIC_TYPE_ECC_BUFFER);
+      XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER);
+      XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER);
+      return MEMORY_E;
+  }
+  C->key = &key;
+#endif /* WOLFSSL_SMALL_STACK_CACHE */
+
+  /* init variables */
   XMEMSET(tA, 0, ECC_BUFSIZE);
   XMEMSET(tB, 0, ECC_BUFSIZE);
+#ifndef WOLFSSL_SMALL_STACK
+  XMEMSET(precomp, 0, sizeof(precomp));
+#else
+  XMEMSET(precomp, 0, sizeof(ecc_point*) * SHAMIR_PRECOMP_SZ);
+#endif
 
   /* get sizes */
   lenA = mp_unsigned_bin_size(kA);
@@ -1900,7 +5457,7 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
 
   /* sanity check */
   if ((lenA > ECC_BUFSIZE) || (lenB > ECC_BUFSIZE)) {
-     err = BAD_FUNC_ARG;
+    err = BAD_FUNC_ARG;
   }
 
   if (err == MP_OKAY) {
@@ -1913,75 +5470,92 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
 
     /* allocate the table */
     if (err == MP_OKAY) {
-        for (x = 0; x < 16; x++) {
-            precomp[x] = ecc_new_point();
+        for (x = 0; x < SHAMIR_PRECOMP_SZ; x++) {
+            precomp[x] = wc_ecc_new_point_h(heap);
             if (precomp[x] == NULL) {
-                for (y = 0; y < x; ++y) {
-                    ecc_del_point(precomp[y]);
-                }
                 err = GEN_MEM_ERR;
                 break;
             }
+        #ifdef WOLFSSL_SMALL_STACK_CACHE
+            precomp[x]->key = &key;
+        #endif
         }
     }
   }
 
   if (err == MP_OKAY)
-    tableInit = 1;
+    /* init montgomery reduction */
+    err = mp_montgomery_setup(modulus, &mp);
 
-  if (err == MP_OKAY)
-   /* init montgomery reduction */
-   err = mp_montgomery_setup(modulus, &mp);
-
-  if (err == MP_OKAY)
-    err = mp_init(&mu);
-  if (err == MP_OKAY)
-    muInit = 1;
+  if (err == MP_OKAY) {
+  #ifdef WOLFSSL_SMALL_STACK
+    mp_int* mu;
+  #else
+    mp_int  mu[1];
+  #endif
+  #ifdef WOLFSSL_SMALL_STACK
+    mu = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC);
+    if (mu == NULL)
+        err = MEMORY_E;
+  #endif
+    if (err == MP_OKAY) {
+        err = mp_init(mu);
+    }
+    if (err == MP_OKAY) {
+      err = mp_montgomery_calc_normalization(mu, modulus);
 
-  if (err == MP_OKAY)
-    err = mp_montgomery_calc_normalization(&mu, modulus);
+      if (err == MP_OKAY)
+        /* copy ones ... */
+        err = mp_mulmod(A->x, mu, modulus, precomp[1]->x);
 
-  if (err == MP_OKAY)
-    /* copy ones ... */
-    err = mp_mulmod(A->x, &mu, modulus, precomp[1]->x);
+      if (err == MP_OKAY)
+        err = mp_mulmod(A->y, mu, modulus, precomp[1]->y);
+      if (err == MP_OKAY)
+        err = mp_mulmod(A->z, mu, modulus, precomp[1]->z);
 
-  if (err == MP_OKAY)
-    err = mp_mulmod(A->y, &mu, modulus, precomp[1]->y);
-  if (err == MP_OKAY)
-    err = mp_mulmod(A->z, &mu, modulus, precomp[1]->z);
+      if (err == MP_OKAY)
+        err = mp_mulmod(B->x, mu, modulus, precomp[1<<2]->x);
+      if (err == MP_OKAY)
+        err = mp_mulmod(B->y, mu, modulus, precomp[1<<2]->y);
+      if (err == MP_OKAY)
+        err = mp_mulmod(B->z, mu, modulus, precomp[1<<2]->z);
 
-  if (err == MP_OKAY)
-    err = mp_mulmod(B->x, &mu, modulus, precomp[1<<2]->x);
-  if (err == MP_OKAY)
-    err = mp_mulmod(B->y, &mu, modulus, precomp[1<<2]->y);
-  if (err == MP_OKAY)
-    err = mp_mulmod(B->z, &mu, modulus, precomp[1<<2]->z);
+      /* done with mu */
+      mp_clear(mu);
+    }
+  #ifdef WOLFSSL_SMALL_STACK
+    if (mu != NULL) {
+      XFREE(mu, heap, DYNAMIC_TYPE_ECC);
+    }
+  #endif
+  }
 
   if (err == MP_OKAY)
     /* precomp [i,0](A + B) table */
-    err = ecc_projective_dbl_point(precomp[1], precomp[2], modulus, &mp);
+    err = ecc_projective_dbl_point(precomp[1], precomp[2], a, modulus, mp);
 
   if (err == MP_OKAY)
     err = ecc_projective_add_point(precomp[1], precomp[2], precomp[3],
-                                   modulus, &mp);
+                                   a, modulus, mp);
   if (err == MP_OKAY)
     /* precomp [0,i](A + B) table */
-    err = ecc_projective_dbl_point(precomp[1<<2], precomp[2<<2], modulus, &mp);
+    err = ecc_projective_dbl_point(precomp[1<<2], precomp[2<<2], a, modulus, mp);
 
   if (err == MP_OKAY)
     err = ecc_projective_add_point(precomp[1<<2], precomp[2<<2], precomp[3<<2],
-                                   modulus, &mp);
+                                   a, modulus, mp);
 
   if (err == MP_OKAY) {
     /* precomp [i,j](A + B) table (i != 0, j != 0) */
     for (x = 1; x < 4; x++) {
-        for (y = 1; y < 4; y++) {
-            if (err == MP_OKAY)
-                err = ecc_projective_add_point(precomp[x], precomp[(y<<2)],
-                                               precomp[x+(y<<2)], modulus, &mp);
+      for (y = 1; y < 4; y++) {
+        if (err == MP_OKAY) {
+          err = ecc_projective_add_point(precomp[x], precomp[(y<<2)],
+                                             precomp[x+(y<<2)], a, modulus, mp);
         }
-    } 
-  }  
+      }
+    }
+  }
 
   if (err == MP_OKAY) {
     nibble  = 3;
@@ -1990,20 +5564,21 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
     bitbufB = tB[0];
 
     /* for every byte of the multiplicands */
-    for (x = -1;; ) {
+    for (x = 0;; ) {
         /* grab a nibble */
         if (++nibble == 4) {
-            ++x; if (x == len) break;
+            if (x == (int)len) break;
             bitbufA = tA[x];
             bitbufB = tB[x];
             nibble  = 0;
+            x++;
         }
 
         /* extract two bits from both, shift/update */
         nA = (bitbufA >> 6) & 0x03;
         nB = (bitbufB >> 6) & 0x03;
-        bitbufA = (bitbufA << 2) & 0xFF;   
-        bitbufB = (bitbufB << 2) & 0xFF;   
+        bitbufA = (bitbufA << 2) & 0xFF;
+        bitbufB = (bitbufB << 2) & 0xFF;
 
         /* if both zero, if first, continue */
         if ((nA == 0) && (nB == 0) && (first == 1)) {
@@ -2014,9 +5589,9 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
         if (first == 0) {
             /* double twice */
             if (err == MP_OKAY)
-                err = ecc_projective_dbl_point(C, C, modulus, &mp);
+                err = ecc_projective_dbl_point(C, C, a, modulus, mp);
             if (err == MP_OKAY)
-                err = ecc_projective_dbl_point(C, C, modulus, &mp);
+                err = ecc_projective_dbl_point(C, C, a, modulus, mp);
             else
                 break;
         }
@@ -2040,44 +5615,76 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
                 /* if not first, add from table */
                 if (err == MP_OKAY)
                     err = ecc_projective_add_point(C, precomp[nA + (nB<<2)], C,
-                                                   modulus, &mp);
-                else
+                                                   a, modulus, mp);
+                if (err != MP_OKAY)
                     break;
+                if (mp_iszero(C->z)) {
+                    /* When all zero then should have done an add */
+                    if (mp_iszero(C->x) && mp_iszero(C->y)) {
+                        err = ecc_projective_dbl_point(precomp[nA + (nB<<2)], C,
+                                                       a, modulus, mp);
+                        if (err != MP_OKAY)
+                            break;
+                    }
+                    /* When only Z zero then result is infinity */
+                    else {
+                        err = mp_set(C->x, 0);
+                        if (err != MP_OKAY)
+                            break;
+                        err = mp_set(C->y, 0);
+                        if (err != MP_OKAY)
+                            break;
+                        err = mp_set(C->z, 1);
+                        if (err != MP_OKAY)
+                            break;
+                        first = 1;
+                    }
+                }
             }
         }
     }
   }
 
+  /* reduce to affine */
   if (err == MP_OKAY)
-    /* reduce to affine */
-    err = ecc_map(C, modulus, &mp);
+    err = ecc_map(C, modulus, mp);
 
   /* clean up */
-  if (muInit)
-    mp_clear(&mu);
-
-  if (tableInit) {
-    for (x = 0; x < 16; x++) {
-       ecc_del_point(precomp[x]);
-    }
+  for (x = 0; x < SHAMIR_PRECOMP_SZ; x++) {
+     wc_ecc_del_point_h(precomp[x], heap);
   }
-   ForceZero(tA, ECC_BUFSIZE);
-   ForceZero(tB, ECC_BUFSIZE);
-   XFREE(tA, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-   XFREE(tB, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
-   return err;
-}
+  ForceZero(tA, ECC_BUFSIZE);
+  ForceZero(tB, ECC_BUFSIZE);
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+#ifdef ALT_ECC_SIZE
+  XFREE(key.z, heap, DYNAMIC_TYPE_ECC);
+  XFREE(key.y, heap, DYNAMIC_TYPE_ECC);
+  XFREE(key.x, heap, DYNAMIC_TYPE_ECC);
+#endif
+  XFREE(key.t2, heap, DYNAMIC_TYPE_ECC);
+  XFREE(key.t1, heap, DYNAMIC_TYPE_ECC);
+  C->key = NULL;
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(precomp, heap, DYNAMIC_TYPE_ECC_BUFFER);
+#endif
+  XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER);
+  XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER);
 
+  return err;
+}
 
 #endif /* ECC_SHAMIR */
+#endif /* !WOLFSSL_SP_MATH && !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCEL*/
 
 
-
-/* verify 
+#ifdef HAVE_ECC_VERIFY
+#ifndef NO_ASN
+/* verify
  *
  * w  = s^-1 mod n
- * u1 = xw 
+ * u1 = xw
  * u2 = rw
  * X = u1*G + u2*Q
  * v = X_x1 mod n
@@ -2085,120 +5692,476 @@ static int ecc_mul2add(ecc_point* A, mp_int* kA,
  */
 
 /**
+ Verify an ECC signature
+ sig         The signature to verify
+ siglen      The length of the signature (octets)
+ hash        The hash (message digest) that was signed
+ hashlen     The length of the hash (octets)
+ res         Result of signature, 1==valid, 0==invalid
+ key         The corresponding public ECC key
+ return      MP_OKAY if successful (even if the signature is not valid)
+ */
+int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
+                       word32 hashlen, int* res, ecc_key* key)
+{
+    int err;
+    mp_int *r = NULL, *s = NULL;
+#if (!defined(WOLFSSL_ASYNC_CRYPT) || !defined(WC_ASYNC_ENABLE_ECC)) && \
+    !defined(WOLFSSL_SMALL_STACK)
+    mp_int r_lcl, s_lcl;
+#endif
+
+    if (sig == NULL || hash == NULL || res == NULL || key == NULL) {
+        return ECC_BAD_ARG_E;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (key->devId != INVALID_DEVID) {
+        err = wc_CryptoCb_EccVerify(sig, siglen, hash, hashlen, res, key);
+        if (err != CRYPTOCB_UNAVAILABLE)
+            return err;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    err = wc_ecc_alloc_async(key);
+    if (err != 0)
+        return err;
+    r = key->r;
+    s = key->s;
+#else
+    #ifndef WOLFSSL_SMALL_STACK
+    r = &r_lcl;
+    s = &s_lcl;
+    #else
+    r = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+    if (r == NULL)
+        return MEMORY_E;
+    s = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+    if (s == NULL) {
+        XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+    #endif
+    XMEMSET(r, 0, sizeof(mp_int));
+    XMEMSET(s, 0, sizeof(mp_int));
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    switch (key->state) {
+        case ECC_STATE_NONE:
+        case ECC_STATE_VERIFY_DECODE:
+            key->state = ECC_STATE_VERIFY_DECODE;
+
+            /* default to invalid signature */
+            *res = 0;
+
+            /* Note, DecodeECC_DSA_Sig() calls mp_init() on r and s.
+             * If either of those don't allocate correctly, none of
+             * the rest of this function will execute, and everything
+             * gets cleaned up at the end. */
+            /* decode DSA header */
+            err = DecodeECC_DSA_Sig(sig, siglen, r, s);
+            if (err < 0) {
+                break;
+            }
+            FALL_THROUGH;
+
+        case ECC_STATE_VERIFY_DO:
+            key->state = ECC_STATE_VERIFY_DO;
+
+            err = wc_ecc_verify_hash_ex(r, s, hash, hashlen, res, key);
+
+        #ifndef WOLFSSL_ASYNC_CRYPT
+            /* done with R/S */
+            mp_clear(r);
+            mp_clear(s);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(s, key->heap, DYNAMIC_TYPE_ECC);
+            XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+            r = NULL;
+            s = NULL;
+        #endif
+        #endif
+
+            if (err < 0) {
+                break;
+            }
+            FALL_THROUGH;
+
+        case ECC_STATE_VERIFY_RES:
+            key->state = ECC_STATE_VERIFY_RES;
+            err = 0;
+            break;
+
+        default:
+            err = BAD_STATE_E;
+    }
+
+    /* if async pending then return and skip done cleanup below */
+    if (err == WC_PENDING_E) {
+        key->state++;
+        return err;
+    }
+
+    /* cleanup */
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    wc_ecc_free_async(key);
+#elif defined(WOLFSSL_SMALL_STACK)
+    XFREE(s, key->heap, DYNAMIC_TYPE_ECC);
+    XFREE(r, key->heap, DYNAMIC_TYPE_ECC);
+    r = NULL;
+    s = NULL;
+#endif
+
+    key->state = ECC_STATE_NONE;
+
+    return err;
+}
+#endif /* !NO_ASN */
+
+
+/**
    Verify an ECC signature
-   sig         The signature to verify
-   siglen      The length of the signature (octets)
+   r           The signature R component to verify
+   s           The signature S component to verify
    hash        The hash (message digest) that was signed
    hashlen     The length of the hash (octets)
-   stat        Result of signature, 1==valid, 0==invalid
+   res         Result of signature, 1==valid, 0==invalid
    key         The corresponding public ECC key
    return      MP_OKAY if successful (even if the signature is not valid)
 */
-int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
-                    word32 hashlen, int* stat, ecc_key* key)
-{
-   ecc_point    *mG, *mQ;
-   mp_int        r;
-   mp_int        s;
-   mp_int        v;
-   mp_int        w;
-   mp_int        u1;
-   mp_int        u2;
-   mp_int        e;
-   mp_int        p;
-   mp_int        m;
+
+int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
+                    word32 hashlen, int* res, ecc_key* key)
+#if defined(WOLFSSL_STM32_PKA)
+{
+    return stm32_ecc_verify_hash_ex(r, s, hash, hashlen, res, key);
+}
+#else
+{
    int           err;
+   word32        keySz;
+#ifdef WOLFSSL_ATECC508A
+   byte sigRS[ATECC_KEY_SIZE*2];
+#elif defined(WOLFSSL_CRYPTOCELL)
+   byte sigRS[ECC_MAX_CRYPTO_HW_SIZE*2];
+   CRYS_ECDSA_VerifyUserContext_t sigCtxTemp;
+   word32 msgLenInBytes = hashlen;
+   CRYS_ECPKI_HASH_OpMode_t hash_mode;
+#elif !defined(WOLFSSL_SP_MATH) || defined(FREESCALE_LTC_ECC)
+   int          did_init = 0;
+   ecc_point    *mG = NULL, *mQ = NULL;
+   #ifdef WOLFSSL_SMALL_STACK
+   mp_int*       v = NULL;
+   mp_int*       w = NULL;
+   mp_int*       u1 = NULL;
+   mp_int*       u2 = NULL;
+      #if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)
+   mp_int*       e_lcl = NULL;
+      #endif
+   #else /* WOLFSSL_SMALL_STACK */
+   mp_int        v[1];
+   mp_int        w[1];
+   mp_int        u1[1];
+   mp_int        u2[1];
+      #if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)
+   mp_int        e_lcl[1];
+      #endif
+   #endif /* WOLFSSL_SMALL_STACK */
+   mp_int*       e;
+   DECLARE_CURVE_SPECS(curve, ECC_CURVE_FIELD_COUNT);
+#endif
 
-   if (sig == NULL || hash == NULL || stat == NULL || key == NULL)
-       return ECC_BAD_ARG_E; 
+   if (r == NULL || s == NULL || hash == NULL || res == NULL || key == NULL)
+       return ECC_BAD_ARG_E;
 
    /* default to invalid signature */
-   *stat = 0;
+   *res = 0;
 
    /* is the IDX valid ?  */
-   if (ecc_is_valid_idx(key->idx) != 1) {
+   if (wc_ecc_is_valid_idx(key->idx) != 1) {
       return ECC_BAD_ARG_E;
    }
 
-   /* allocate ints */
-   if ((err = mp_init_multi(&v, &w, &u1, &u2, &p, &e)) != MP_OKAY) {
-      return MEMORY_E;
+   keySz = key->dp->size;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC) && \
+       defined(WOLFSSL_ASYNC_CRYPT_TEST)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+        if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_ECC_VERIFY)) {
+            WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+            testDev->eccVerify.r = r;
+            testDev->eccVerify.s = s;
+            testDev->eccVerify.hash = hash;
+            testDev->eccVerify.hashlen = hashlen;
+            testDev->eccVerify.stat = res;
+            testDev->eccVerify.key = key;
+            return WC_PENDING_E;
+        }
+    }
+#endif
+
+#ifdef WOLFSSL_ATECC508A
+    /* Extract R and S */
+    err = mp_to_unsigned_bin(r, &sigRS[0]);
+    if (err != MP_OKAY) {
+        return err;
+    }
+    err = mp_to_unsigned_bin(s, &sigRS[keySz]);
+    if (err != MP_OKAY) {
+        return err;
+    }
+
+    err = atmel_ecc_verify(hash, sigRS, key->pubkey_raw, res);
+    if (err != 0) {
+       return err;
+    }
+    (void)hashlen;
+#elif defined(WOLFSSL_CRYPTOCELL)
+
+   /* Extract R and S */
+
+   err = mp_to_unsigned_bin(r, &sigRS[0]);
+   if (err != MP_OKAY) {
+       return err;
+   }
+   err = mp_to_unsigned_bin(s, &sigRS[keySz]);
+   if (err != MP_OKAY) {
+       return err;
    }
 
-   if ((err = mp_init(&m)) != MP_OKAY) {
-      mp_clear(&v);
-      mp_clear(&w);
-      mp_clear(&u1);
-      mp_clear(&u2);
-      mp_clear(&p);
-      mp_clear(&e);
-      return MEMORY_E;
+   hash_mode = cc310_hashModeECC(msgLenInBytes);
+   if (hash_mode == CRYS_ECPKI_HASH_OpModeLast) {
+       /* hash_mode = */ cc310_hashModeECC(keySz);
+       hash_mode = CRYS_ECPKI_HASH_SHA256_mode;
+   }
+   /* truncate if hash is longer than key size */
+   if (msgLenInBytes > keySz) {
+       msgLenInBytes = keySz;
    }
 
-   /* allocate points */
-   mG = ecc_new_point();
-   mQ = ecc_new_point();
-   if (mQ  == NULL || mG == NULL)
-      err = MEMORY_E;
-
-   /* Note, DecodeECC_DSA_Sig() calls mp_init() on r and s.
-    * If either of those don't allocate correctly, none of
-    * the rest of this function will execute, and everything
-    * gets cleaned up at the end. */
-   XMEMSET(&r, 0, sizeof(r));
-   XMEMSET(&s, 0, sizeof(s));
-   if (err == MP_OKAY)
-       err = DecodeECC_DSA_Sig(sig, siglen, &r, &s);
+   /* verify the signature using the public key */
+   err = CRYS_ECDSA_Verify(&sigCtxTemp,
+                           &key->ctx.pubKey,
+                           hash_mode,
+                           &sigRS[0],
+                           keySz*2,
+                           (byte*)hash,
+                           msgLenInBytes);
 
-   /* get the order */
-   if (err == MP_OKAY)
-       err = mp_read_radix(&p, (char *)key->dp->order, 16);
+   if (err != SA_SILIB_RET_OK) {
+       WOLFSSL_MSG("CRYS_ECDSA_Verify failed");
+       return err;
+   }
+   /* valid signature if we get to this point */
+   *res = 1;
+#else
+  /* checking if private key with no public part */
+  if (key->type == ECC_PRIVATEKEY_ONLY) {
+      WOLFSSL_MSG("Verify called with private key, generating public part");
+      err = wc_ecc_make_pub_ex(key, NULL, NULL);
+      if (err != MP_OKAY) {
+           WOLFSSL_MSG("Unable to extract public key");
+           return err;
+      }
+  }
 
-   /* get the modulus */
-   if (err == MP_OKAY)
-       err = mp_read_radix(&m, (char *)key->dp->prime, 16);
+#if defined(WOLFSSL_DSP) && !defined(FREESCALE_LTC_ECC)
+  if (key->handle != -1) {
+      return sp_dsp_ecc_verify_256(key->handle, hash, hashlen, key->pubkey.x, key->pubkey.y,
+                                           key->pubkey.z, r, s, res, key->heap);
+  }
+  if (wolfSSL_GetHandleCbSet() == 1) {
+      return sp_dsp_ecc_verify_256(0, hash, hashlen, key->pubkey.x, key->pubkey.y,
+                                           key->pubkey.z, r, s, res, key->heap);
+  }
+#endif
+#if defined(WOLFSSL_SP_MATH) && !defined(FREESCALE_LTC_ECC)
+#ifndef WOLFSSL_SP_NO_256
+  if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+      return sp_ecc_verify_256(hash, hashlen, key->pubkey.x, key->pubkey.y,
+                                           key->pubkey.z, r, s, res, key->heap);
+  }
+#endif
+#ifdef WOLFSSL_SP_384
+  if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+      return sp_ecc_verify_384(hash, hashlen, key->pubkey.x, key->pubkey.y,
+                                           key->pubkey.z, r, s, res, key->heap);
+  }
+#endif
+  return WC_KEY_SIZE_E;
+#else
+#if defined WOLFSSL_HAVE_SP_ECC && !defined(FREESCALE_LTC_ECC)
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+    if (key->asyncDev.marker != WOLFSSL_ASYNC_MARKER_ECC)
+    #endif
+    {
+#ifndef WOLFSSL_SP_NO_256
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP256R1) {
+            return sp_ecc_verify_256(hash, hashlen, key->pubkey.x,
+                                         key->pubkey.y, key->pubkey.z,r, s, res,
+                                         key->heap);
+        }
+#endif /* WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP384R1) {
+            return sp_ecc_verify_384(hash, hashlen, key->pubkey.x,
+                                         key->pubkey.y, key->pubkey.z,r, s, res,
+                                         key->heap);
+        }
+#endif /* WOLFSSL_SP_384 */
+    }
+#endif /* WOLFSSL_HAVE_SP_ECC */
+
+   ALLOC_CURVE_SPECS(ECC_CURVE_FIELD_COUNT);
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_CAVIUM_V)
+   err = wc_ecc_alloc_mpint(key, &key->e);
+   if (err != 0) {
+      FREE_CURVE_SPECS();
+      return err;
+   }
+   e = key->e;
+#else
+#ifdef WOLFSSL_SMALL_STACK
+   e_lcl = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+   if (e_lcl == NULL) {
+       FREE_CURVE_SPECS();
+       return MEMORY_E;
+   }
+#endif
+   e = e_lcl;
+#endif /* WOLFSSL_ASYNC_CRYPT && HAVE_CAVIUM_V */
+
+   err = mp_init(e);
+   if (err != MP_OKAY)
+      return MEMORY_E;
+
+   /* read in the specs for this curve */
+   err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ALL);
 
    /* check for zero */
    if (err == MP_OKAY) {
-       if (mp_iszero(&r) || mp_iszero(&s) || mp_cmp(&r, &p) != MP_LT ||
-                                             mp_cmp(&s, &p) != MP_LT)
-           err = MP_ZERO_E; 
+       if (mp_iszero(r) == MP_YES || mp_iszero(s) == MP_YES ||
+           mp_cmp(r, curve->order) != MP_LT ||
+           mp_cmp(s, curve->order) != MP_LT) {
+           err = MP_ZERO_E;
+       }
    }
+
    /* read hash */
    if (err == MP_OKAY) {
        /* we may need to truncate if hash is longer than key size */
-       unsigned int orderBits = mp_count_bits(&p);
+       unsigned int orderBits = mp_count_bits(curve->order);
 
        /* truncate down to byte size, may be all that's needed */
        if ( (WOLFSSL_BIT_SIZE * hashlen) > orderBits)
-           hashlen = (orderBits + WOLFSSL_BIT_SIZE - 1)/WOLFSSL_BIT_SIZE;
-       err = mp_read_unsigned_bin(&e, hash, hashlen);
+           hashlen = (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
+       err = mp_read_unsigned_bin(e, hash, hashlen);
 
        /* may still need bit truncation too */
        if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * hashlen) > orderBits)
-           mp_rshb(&e, WOLFSSL_BIT_SIZE - (orderBits & 0x7));
+           mp_rshb(e, WOLFSSL_BIT_SIZE - (orderBits & 0x7));
+   }
+
+   /* check for async hardware acceleration */
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+   if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+   #if defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA)
+   #ifdef HAVE_CAVIUM_V
+      if (NitroxEccIsCurveSupported(key))
+   #endif
+      {
+          err = wc_mp_to_bigint_sz(e, &e->raw, keySz);
+          if (err == MP_OKAY)
+              err = wc_mp_to_bigint_sz(key->pubkey.x, &key->pubkey.x->raw, keySz);
+          if (err == MP_OKAY)
+              err = wc_mp_to_bigint_sz(key->pubkey.y, &key->pubkey.y->raw, keySz);
+          if (err == MP_OKAY)
+          #ifdef HAVE_CAVIUM_V
+              err = NitroxEcdsaVerify(key, &e->raw, &key->pubkey.x->raw,
+                    &key->pubkey.y->raw, &r->raw, &s->raw,
+                    &curve->prime->raw, &curve->order->raw, res);
+          #else
+              err = IntelQaEcdsaVerify(&key->asyncDev, &e->raw, &key->pubkey.x->raw,
+                    &key->pubkey.y->raw, &r->raw, &s->raw, &curve->Af->raw,
+                    &curve->Bf->raw, &curve->prime->raw, &curve->order->raw,
+                    &curve->Gx->raw, &curve->Gy->raw, res);
+          #endif
+
+      #ifndef HAVE_CAVIUM_V
+          mp_clear(e);
+      #endif
+          wc_ecc_curve_free(curve);
+          FREE_CURVE_SPECS();
+
+          return err;
+      }
+   #endif /* HAVE_CAVIUM_V || HAVE_INTEL_QA */
+   }
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */
+
+#ifdef WOLFSSL_SMALL_STACK
+   if (err == MP_OKAY) {
+       v = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+       if (v == NULL)
+           err = MEMORY_E;
+   }
+   if (err == MP_OKAY) {
+       w = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+       if (w == NULL)
+           err = MEMORY_E;
+   }
+   if (err == MP_OKAY) {
+       u1 = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+       if (u1 == NULL)
+           err = MEMORY_E;
+   }
+   if (err == MP_OKAY) {
+       u2 = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+       if (u2 == NULL)
+           err = MEMORY_E;
+   }
+#endif
+
+   /* allocate ints */
+   if (err == MP_OKAY) {
+       if ((err = mp_init_multi(v, w, u1, u2, NULL, NULL)) != MP_OKAY) {
+          err = MEMORY_E;
+       }
+       did_init = 1;
+   }
+
+   /* allocate points */
+   if (err == MP_OKAY) {
+       mG = wc_ecc_new_point_h(key->heap);
+       mQ = wc_ecc_new_point_h(key->heap);
+       if (mQ  == NULL || mG == NULL)
+          err = MEMORY_E;
    }
 
    /*  w  = s^-1 mod n */
    if (err == MP_OKAY)
-       err = mp_invmod(&s, &p, &w);
+       err = mp_invmod(s, curve->order, w);
 
    /* u1 = ew */
    if (err == MP_OKAY)
-       err = mp_mulmod(&e, &w, &p, &u1);
+       err = mp_mulmod(e, w, curve->order, u1);
 
    /* u2 = rw */
    if (err == MP_OKAY)
-       err = mp_mulmod(&r, &w, &p, &u2);
+       err = mp_mulmod(r, w, curve->order, u2);
 
    /* find mG and mQ */
    if (err == MP_OKAY)
-       err = mp_read_radix(mG->x, (char *)key->dp->Gx, 16);
-
+       err = mp_copy(curve->Gx, mG->x);
    if (err == MP_OKAY)
-       err = mp_read_radix(mG->y, (char *)key->dp->Gy, 16);
+       err = mp_copy(curve->Gy, mG->y);
    if (err == MP_OKAY)
-       mp_set(mG->z, 1);
+       err = mp_set(mG->z, 1);
 
    if (err == MP_OKAY)
        err = mp_copy(key->pubkey.x, mQ->x);
@@ -2207,75 +6170,458 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
    if (err == MP_OKAY)
        err = mp_copy(key->pubkey.z, mQ->z);
 
+#if defined(FREESCALE_LTC_ECC)
+   /* use PKHA to compute u1*mG + u2*mQ */
+   if (err == MP_OKAY)
+       err = wc_ecc_mulmod_ex(u1, mG, mG, curve->Af, curve->prime, 0, key->heap);
+   if (err == MP_OKAY)
+       err = wc_ecc_mulmod_ex(u2, mQ, mQ, curve->Af, curve->prime, 0, key->heap);
+   if (err == MP_OKAY)
+       err = wc_ecc_point_add(mG, mQ, mG, curve->prime);
+#else
 #ifndef ECC_SHAMIR
+    if (err == MP_OKAY)
     {
-       mp_digit      mp;
+        mp_digit mp = 0;
 
-       /* compute u1*mG + u2*mQ = mG */
-       if (err == MP_OKAY)
-           err = ecc_mulmod(&u1, mG, mG, &m, 0);
-       if (err == MP_OKAY)
-           err = ecc_mulmod(&u2, mQ, mQ, &m, 0);
-  
-       /* find the montgomery mp */
-       if (err == MP_OKAY)
-           err = mp_montgomery_setup(&m, &mp);
+        if (!mp_iszero(u1)) {
+            /* compute u1*mG + u2*mQ = mG */
+            err = wc_ecc_mulmod_ex(u1, mG, mG, curve->Af, curve->prime, 0,
+                                                                     key->heap);
+            if (err == MP_OKAY) {
+                err = wc_ecc_mulmod_ex(u2, mQ, mQ, curve->Af, curve->prime, 0,
+                                                                     key->heap);
+            }
 
-       /* add them */
-       if (err == MP_OKAY)
-           err = ecc_projective_add_point(mQ, mG, mG, &m, &mp);
-   
-       /* reduce */
-       if (err == MP_OKAY)
-           err = ecc_map(mG, &m, &mp);
+            /* find the montgomery mp */
+            if (err == MP_OKAY)
+                err = mp_montgomery_setup(curve->prime, &mp);
+
+            /* add them */
+            if (err == MP_OKAY)
+                err = ecc_projective_add_point(mQ, mG, mG, curve->Af,
+                                                              curve->prime, mp);
+            if (err == MP_OKAY && mp_iszero(mG->z)) {
+                /* When all zero then should have done an add */
+                if (mp_iszero(mG->x) && mp_iszero(mG->y)) {
+                    err = ecc_projective_dbl_point(mQ, mG, curve->Af,
+                                                              curve->prime, mp);
+                }
+                /* When only Z zero then result is infinity */
+                else {
+                    err = mp_set(mG->x, 0);
+                    if (err == MP_OKAY)
+                        err = mp_set(mG->y, 0);
+                    if (err == MP_OKAY)
+                        err = mp_set(mG->z, 1);
+                }
+            }
+        }
+        else {
+            /* compute 0*mG + u2*mQ = mG */
+            err = wc_ecc_mulmod_ex(u2, mQ, mG, curve->Af, curve->prime, 0,
+                                                                     key->heap);
+            /* find the montgomery mp */
+            if (err == MP_OKAY)
+                err = mp_montgomery_setup(curve->prime, &mp);
+        }
+
+        /* reduce */
+        if (err == MP_OKAY)
+            err = ecc_map(mG, curve->prime, mp);
     }
 #else
-       /* use Shamir's trick to compute u1*mG + u2*mQ using half the doubles */
-       if (err == MP_OKAY)
-           err = ecc_mul2add(mG, &u1, mQ, &u2, mG, &m);
-#endif /* ECC_SHAMIR */ 
-
+    /* use Shamir's trick to compute u1*mG + u2*mQ using half the doubles */
+    if (err == MP_OKAY) {
+        err = ecc_mul2add(mG, u1, mQ, u2, mG, curve->Af, curve->prime,
+                                                                     key->heap);
+    }
+#endif /* ECC_SHAMIR */
+#endif /* FREESCALE_LTC_ECC */
    /* v = X_x1 mod n */
    if (err == MP_OKAY)
-       err = mp_mod(mG->x, &p, &v);
+       err = mp_mod(mG->x, curve->order, v);
 
    /* does v == r */
    if (err == MP_OKAY) {
-       if (mp_cmp(&v, &r) == MP_EQ)
-           *stat = 1;
+       if (mp_cmp(v, r) == MP_EQ)
+           *res = 1;
    }
 
-   ecc_del_point(mG);
-   ecc_del_point(mQ);
+   /* cleanup */
+   wc_ecc_del_point_h(mG, key->heap);
+   wc_ecc_del_point_h(mQ, key->heap);
+
+   mp_clear(e);
+   if (did_init) {
+       mp_clear(v);
+       mp_clear(w);
+       mp_clear(u1);
+       mp_clear(u2);
+   }
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(u2, key->heap, DYNAMIC_TYPE_ECC);
+   XFREE(u1, key->heap, DYNAMIC_TYPE_ECC);
+   XFREE(w, key->heap, DYNAMIC_TYPE_ECC);
+   XFREE(v, key->heap, DYNAMIC_TYPE_ECC);
+#if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)
+   XFREE(e_lcl, key->heap, DYNAMIC_TYPE_ECC);
+#endif
+#endif
+
+   wc_ecc_curve_free(curve);
+   FREE_CURVE_SPECS();
 
-   mp_clear(&r);
-   mp_clear(&s);
-   mp_clear(&v);
-   mp_clear(&w);
-   mp_clear(&u1);
-   mp_clear(&u2);
-   mp_clear(&p);
-   mp_clear(&e);
-   mp_clear(&m);
+#endif /* WOLFSSL_SP_MATH */
+#endif /* WOLFSSL_ATECC508A */
+
+   (void)keySz;
+   (void)hashlen;
 
    return err;
 }
+#endif /* WOLFSSL_STM32_PKA */
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_KEY_IMPORT
+/* import point from der
+ * if shortKeySize != 0 then keysize is always (inLen-1)>>1 */
+int wc_ecc_import_point_der_ex(byte* in, word32 inLen, const int curve_idx,
+                               ecc_point* point, int shortKeySize)
+{
+    int err = 0;
+#ifdef HAVE_COMP_KEY
+    int compressed = 0;
+#endif
+    int keysize;
+    byte pointType;
+
+#ifndef HAVE_COMP_KEY
+    (void)shortKeySize;
+#endif
+
+    if (in == NULL || point == NULL || (curve_idx < 0) ||
+        (wc_ecc_is_valid_idx(curve_idx) == 0))
+        return ECC_BAD_ARG_E;
+
+    /* must be odd */
+    if ((inLen & 1) == 0) {
+        return ECC_BAD_ARG_E;
+    }
+
+    /* init point */
+#ifdef ALT_ECC_SIZE
+    point->x = (mp_int*)&point->xyz[0];
+    point->y = (mp_int*)&point->xyz[1];
+    point->z = (mp_int*)&point->xyz[2];
+    alt_fp_init(point->x);
+    alt_fp_init(point->y);
+    alt_fp_init(point->z);
+#else
+    err = mp_init_multi(point->x, point->y, point->z, NULL, NULL, NULL);
+#endif
+    if (err != MP_OKAY)
+        return MEMORY_E;
+
+    /* check for point type (4, 2, or 3) */
+    pointType = in[0];
+    if (pointType != ECC_POINT_UNCOMP && pointType != ECC_POINT_COMP_EVEN &&
+                                         pointType != ECC_POINT_COMP_ODD) {
+        err = ASN_PARSE_E;
+    }
+
+    if (pointType == ECC_POINT_COMP_EVEN || pointType == ECC_POINT_COMP_ODD) {
+#ifdef HAVE_COMP_KEY
+        compressed = 1;
+#else
+        err = NOT_COMPILED_IN;
+#endif
+    }
+
+    /* adjust to skip first byte */
+    inLen -= 1;
+    in += 1;
+
+    /* calculate key size based on inLen / 2 if uncompressed or shortKeySize
+     * is true */
+#ifdef HAVE_COMP_KEY
+    keysize = compressed && !shortKeySize ? inLen : inLen>>1;
+#else
+    keysize = inLen>>1;
+#endif
+
+    /* read data */
+    if (err == MP_OKAY)
+        err = mp_read_unsigned_bin(point->x, (byte*)in, keysize);
+
+#ifdef HAVE_COMP_KEY
+    if (err == MP_OKAY && compressed == 1) {   /* build y */
+#ifndef WOLFSSL_SP_MATH
+        int did_init = 0;
+        mp_int t1, t2;
+        DECLARE_CURVE_SPECS(curve, 3);
+
+        ALLOC_CURVE_SPECS(3);
+
+        if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY)
+            err = MEMORY_E;
+        else
+            did_init = 1;
+
+        /* load curve info */
+        if (err == MP_OKAY)
+            err = wc_ecc_curve_load(&ecc_sets[curve_idx], &curve,
+                (ECC_CURVE_FIELD_PRIME | ECC_CURVE_FIELD_AF |
+                    ECC_CURVE_FIELD_BF));
+
+        /* compute x^3 */
+        if (err == MP_OKAY)
+            err = mp_sqr(point->x, &t1);
+        if (err == MP_OKAY)
+            err = mp_mulmod(&t1, point->x, curve->prime, &t1);
+
+        /* compute x^3 + a*x */
+        if (err == MP_OKAY)
+            err = mp_mulmod(curve->Af, point->x, curve->prime, &t2);
+        if (err == MP_OKAY)
+            err = mp_add(&t1, &t2, &t1);
+
+        /* compute x^3 + a*x + b */
+        if (err == MP_OKAY)
+            err = mp_add(&t1, curve->Bf, &t1);
+
+        /* compute sqrt(x^3 + a*x + b) */
+        if (err == MP_OKAY)
+            err = mp_sqrtmod_prime(&t1, curve->prime, &t2);
+
+        /* adjust y */
+        if (err == MP_OKAY) {
+            if ((mp_isodd(&t2) == MP_YES && pointType == ECC_POINT_COMP_ODD) ||
+                (mp_isodd(&t2) == MP_NO &&  pointType == ECC_POINT_COMP_EVEN)) {
+                err = mp_mod(&t2, curve->prime, point->y);
+            }
+            else {
+                err = mp_submod(curve->prime, &t2, curve->prime, point->y);
+            }
+        }
+
+        if (did_init) {
+            mp_clear(&t2);
+            mp_clear(&t1);
+        }
+
+        wc_ecc_curve_free(curve);
+        FREE_CURVE_SPECS();
+#else
+    #ifndef WOLFSSL_SP_NO_256
+        if (curve_idx != ECC_CUSTOM_IDX &&
+                                      ecc_sets[curve_idx].id == ECC_SECP256R1) {
+            sp_ecc_uncompress_256(point->x, pointType, point->y);
+        }
+        else
+    #endif
+    #ifdef WOLFSSL_SP_384
+        if (curve_idx != ECC_CUSTOM_IDX &&
+                                      ecc_sets[curve_idx].id == ECC_SECP384R1) {
+            sp_ecc_uncompress_384(point->x, pointType, point->y);
+        }
+        else
+    #endif
+        {
+            err = WC_KEY_SIZE_E;
+        }
+#endif
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_COMP_KEY
+        if (compressed == 0)
+#endif
+            err = mp_read_unsigned_bin(point->y, (byte*)in + keysize, keysize);
+     }
+    if (err == MP_OKAY)
+        err = mp_set(point->z, 1);
+
+    if (err != MP_OKAY) {
+        mp_clear(point->x);
+        mp_clear(point->y);
+        mp_clear(point->z);
+    }
+
+    return err;
+}
+
+/* function for backwards compatiblity with previous implementations */
+int wc_ecc_import_point_der(byte* in, word32 inLen, const int curve_idx,
+                            ecc_point* point)
+{
+    return wc_ecc_import_point_der_ex(in, inLen, curve_idx, point, 1);
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
+
+#ifdef HAVE_ECC_KEY_EXPORT
+/* export point to der */
+
+int wc_ecc_export_point_der_ex(const int curve_idx, ecc_point* point, byte* out,
+                               word32* outLen, int compressed)
+{
+    if (compressed == 0)
+        return wc_ecc_export_point_der(curve_idx, point, out, outLen);
+#ifdef HAVE_COMP_KEY
+    else
+        return wc_ecc_export_point_der_compressed(curve_idx, point, out, outLen);
+#else
+    return NOT_COMPILED_IN;
+#endif
+}
+
+int wc_ecc_export_point_der(const int curve_idx, ecc_point* point, byte* out,
+                            word32* outLen)
+{
+    int    ret = MP_OKAY;
+    word32 numlen;
+#ifdef WOLFSSL_SMALL_STACK
+    byte*  buf;
+#else
+    byte   buf[ECC_BUFSIZE];
+#endif
+
+    if ((curve_idx < 0) || (wc_ecc_is_valid_idx(curve_idx) == 0))
+        return ECC_BAD_ARG_E;
+
+    numlen = ecc_sets[curve_idx].size;
+
+    /* return length needed only */
+    if (point != NULL && out == NULL && outLen != NULL) {
+        *outLen = 1 + 2*numlen;
+        return LENGTH_ONLY_E;
+    }
+
+    if (point == NULL || out == NULL || outLen == NULL)
+        return ECC_BAD_ARG_E;
+
+    if (*outLen < (1 + 2*numlen)) {
+        *outLen = 1 + 2*numlen;
+        return BUFFER_E;
+    }
+
+    /* store byte point type */
+    out[0] = ECC_POINT_UNCOMP;
+
+#ifdef WOLFSSL_SMALL_STACK
+    buf = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+    if (buf == NULL)
+        return MEMORY_E;
+#endif
+
+    /* pad and store x */
+    XMEMSET(buf, 0, ECC_BUFSIZE);
+    ret = mp_to_unsigned_bin(point->x, buf +
+                                 (numlen - mp_unsigned_bin_size(point->x)));
+    if (ret != MP_OKAY)
+        goto done;
+    XMEMCPY(out+1, buf, numlen);
+
+    /* pad and store y */
+    XMEMSET(buf, 0, ECC_BUFSIZE);
+    ret = mp_to_unsigned_bin(point->y, buf +
+                                 (numlen - mp_unsigned_bin_size(point->y)));
+    if (ret != MP_OKAY)
+        goto done;
+    XMEMCPY(out+1+numlen, buf, numlen);
+
+    *outLen = 1 + 2*numlen;
+
+done:
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(buf, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+/* export point to der */
+#ifdef HAVE_COMP_KEY
+int wc_ecc_export_point_der_compressed(const int curve_idx, ecc_point* point,
+                                       byte* out, word32* outLen)
+{
+    int    ret = MP_OKAY;
+    word32 numlen;
+    word32 output_len;
+#ifdef WOLFSSL_SMALL_STACK
+    byte*  buf;
+#else
+    byte   buf[ECC_BUFSIZE];
+#endif
+
+    if ((curve_idx < 0) || (wc_ecc_is_valid_idx(curve_idx) == 0))
+        return ECC_BAD_ARG_E;
+
+    numlen = ecc_sets[curve_idx].size;
+    output_len = 1 + numlen; /* y point type + x */
+
+    /* return length needed only */
+    if (point != NULL && out == NULL && outLen != NULL) {
+        *outLen = output_len;
+        return LENGTH_ONLY_E;
+    }
+
+    if (point == NULL || out == NULL || outLen == NULL)
+        return ECC_BAD_ARG_E;
+
+
+    if (*outLen < output_len) {
+        *outLen = output_len;
+        return BUFFER_E;
+    }
+
+    /* store byte point type */
+    out[0] = mp_isodd(point->y) == MP_YES ? ECC_POINT_COMP_ODD :
+                                            ECC_POINT_COMP_EVEN;
+
+#ifdef WOLFSSL_SMALL_STACK
+    buf = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+    if (buf == NULL)
+        return MEMORY_E;
+#endif
 
+    /* pad and store x */
+    XMEMSET(buf, 0, ECC_BUFSIZE);
+    ret = mp_to_unsigned_bin(point->x, buf +
+                                 (numlen - mp_unsigned_bin_size(point->x)));
+    if (ret != MP_OKAY)
+        goto done;
+    XMEMCPY(out+1, buf, numlen);
+
+    *outLen = output_len;
+
+done:
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(buf, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+#endif
+
+    return ret;
+}
+#endif /* HAVE_COMP_KEY */
 
 /* export public ECC key in ANSI X9.63 format */
 int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
 {
+   int    ret = MP_OKAY;
+   word32 numlen;
 #ifdef WOLFSSL_SMALL_STACK
    byte*  buf;
 #else
    byte   buf[ECC_BUFSIZE];
 #endif
-   word32 numlen;
-   int    ret = MP_OKAY;
+   word32 pubxlen, pubylen;
 
    /* return length needed only */
    if (key != NULL && out == NULL && outLen != NULL) {
-      numlen = key->dp->size;
+      /* if key hasn't been setup assume max bytes for size estimation */
+      numlen = key->dp ? key->dp->size : MAX_ECC_BYTES;
       *outLen = 1 + 2*numlen;
       return LENGTH_ONLY_E;
    }
@@ -2283,47 +6629,56 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
    if (key == NULL || out == NULL || outLen == NULL)
       return ECC_BAD_ARG_E;
 
-   if (ecc_is_valid_idx(key->idx) == 0) {
+   if (key->type == ECC_PRIVATEKEY_ONLY)
+       return ECC_PRIVATEONLY_E;
+
+   if (wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL) {
       return ECC_BAD_ARG_E;
    }
    numlen = key->dp->size;
 
+    /* verify room in out buffer */
    if (*outLen < (1 + 2*numlen)) {
       *outLen = 1 + 2*numlen;
       return BUFFER_E;
    }
 
-   /* store byte 0x04 */
-   out[0] = 0x04;
+   /* verify public key length is less than key size */
+   pubxlen = mp_unsigned_bin_size(key->pubkey.x);
+   pubylen = mp_unsigned_bin_size(key->pubkey.y);
+   if ((pubxlen > numlen) || (pubylen > numlen)) {
+      WOLFSSL_MSG("Public key x/y invalid!");
+      return BUFFER_E;
+   }
+
+   /* store byte point type */
+   out[0] = ECC_POINT_UNCOMP;
 
 #ifdef WOLFSSL_SMALL_STACK
-   buf = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   buf = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
    if (buf == NULL)
       return MEMORY_E;
 #endif
 
-   do {
-      /* pad and store x */
-      XMEMSET(buf, 0, ECC_BUFSIZE);
-      ret = mp_to_unsigned_bin(key->pubkey.x,
-                         buf + (numlen - mp_unsigned_bin_size(key->pubkey.x)));
-      if (ret != MP_OKAY)
-         break;
-      XMEMCPY(out+1, buf, numlen);
-
-      /* pad and store y */
-      XMEMSET(buf, 0, ECC_BUFSIZE);
-      ret = mp_to_unsigned_bin(key->pubkey.y,
-                         buf + (numlen - mp_unsigned_bin_size(key->pubkey.y)));
-      if (ret != MP_OKAY)
-         break;
-      XMEMCPY(out+1+numlen, buf, numlen);
-
-      *outLen = 1 + 2*numlen;
-   } while (0);
-
+   /* pad and store x */
+   XMEMSET(buf, 0, ECC_BUFSIZE);
+   ret = mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - pubxlen));
+   if (ret != MP_OKAY)
+      goto done;
+   XMEMCPY(out+1, buf, numlen);
+
+   /* pad and store y */
+   XMEMSET(buf, 0, ECC_BUFSIZE);
+   ret = mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - pubylen));
+   if (ret != MP_OKAY)
+      goto done;
+   XMEMCPY(out+1+numlen, buf, numlen);
+
+   *outLen = 1 + 2*numlen;
+
+done:
 #ifdef WOLFSSL_SMALL_STACK
-   XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   XFREE(buf, NULL, DYNAMIC_TYPE_ECC_BUFFER);
 #endif
 
    return ret;
@@ -2332,158 +6687,264 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
 
 /* export public ECC key in ANSI X9.63 format, extended with
  * compression option */
-int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen, int compressed)
+int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen,
+                          int compressed)
 {
     if (compressed == 0)
         return wc_ecc_export_x963(key, out, outLen);
 #ifdef HAVE_COMP_KEY
     else
         return wc_ecc_export_x963_compressed(key, out, outLen);
-#endif
-
+#else
     return NOT_COMPILED_IN;
+#endif
 }
+#endif /* HAVE_ECC_KEY_EXPORT */
+
 
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
 
-/* is ec point on curve descriped by dp ? */
-static int ecc_is_point(const ecc_set_type* dp, ecc_point* ecp, mp_int* prime)
+/* is ecc point on curve described by dp ? */
+int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
 {
-   mp_int b, t1, t2;
+#ifndef WOLFSSL_SP_MATH
    int err;
+#ifdef WOLFSSL_SMALL_STACK
+   mp_int* t1;
+   mp_int* t2;
+#else
+   mp_int  t1[1], t2[1];
+#endif
 
-   if ((err = mp_init_multi(&b, &t1, &t2, NULL, NULL, NULL)) != MP_OKAY) {
-      return err;
+#ifdef WOLFSSL_SMALL_STACK
+   t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+   if (t1 == NULL)
+       return MEMORY_E;
+   t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+   if (t2 == NULL) {
+       XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+       return MEMORY_E;
    }
+#endif
 
-   /* load  b */
-   err = mp_read_radix(&b, dp->Bf, 16);
+   if ((err = mp_init_multi(t1, t2, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+   #ifdef WOLFSSL_SMALL_STACK
+      XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+      XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+   #endif
+      return err;
+   }
 
    /* compute y^2 */
    if (err == MP_OKAY)
-       err = mp_sqr(ecp->y, &t1);
+       err = mp_sqr(ecp->y, t1);
 
    /* compute x^3 */
    if (err == MP_OKAY)
-       err = mp_sqr(ecp->x, &t2);
+       err = mp_sqr(ecp->x, t2);
    if (err == MP_OKAY)
-       err = mp_mod(&t2, prime, &t2);
+       err = mp_mod(t2, prime, t2);
    if (err == MP_OKAY)
-       err = mp_mul(ecp->x, &t2, &t2);
+       err = mp_mul(ecp->x, t2, t2);
 
    /* compute y^2 - x^3 */
    if (err == MP_OKAY)
-       err = mp_sub(&t1, &t2, &t1);
+       err = mp_sub(t1, t2, t1);
 
-   /* compute y^2 - x^3 + 3x */
-   if (err == MP_OKAY)
-       err = mp_add(&t1, ecp->x, &t1);
-   if (err == MP_OKAY)
-       err = mp_add(&t1, ecp->x, &t1);
-   if (err == MP_OKAY)
-       err = mp_add(&t1, ecp->x, &t1);
-   if (err == MP_OKAY)
-       err = mp_mod(&t1, prime, &t1);
+   /* Determine if curve "a" should be used in calc */
+#ifdef WOLFSSL_CUSTOM_CURVES
+   if (err == MP_OKAY) {
+      /* Use a and prime to determine if a == 3 */
+      err = mp_set(t2, 0);
+      if (err == MP_OKAY)
+          err = mp_submod(prime, a, prime, t2);
+   }
+   if (err == MP_OKAY && mp_cmp_d(t2, 3) != MP_EQ) {
+      /* compute y^2 - x^3 + a*x */
+      if (err == MP_OKAY)
+          err = mp_mulmod(t2, ecp->x, prime, t2);
+      if (err == MP_OKAY)
+          err = mp_addmod(t1, t2, prime, t1);
+   }
+   else
+#endif /* WOLFSSL_CUSTOM_CURVES */
+   {
+      /* assumes "a" == 3 */
+      (void)a;
+
+      /* compute y^2 - x^3 + 3x */
+      if (err == MP_OKAY)
+          err = mp_add(t1, ecp->x, t1);
+      if (err == MP_OKAY)
+          err = mp_add(t1, ecp->x, t1);
+      if (err == MP_OKAY)
+          err = mp_add(t1, ecp->x, t1);
+      if (err == MP_OKAY)
+          err = mp_mod(t1, prime, t1);
+  }
 
-   while (err == MP_OKAY && mp_cmp_d(&t1, 0) == MP_LT) {
-      err = mp_add(&t1, prime, &t1);
+   /* adjust range (0, prime) */
+   while (err == MP_OKAY && mp_isneg(t1)) {
+      err = mp_add(t1, prime, t1);
    }
-   while (err == MP_OKAY && mp_cmp(&t1, prime) != MP_LT) {
-      err = mp_sub(&t1, prime, &t1);
+   while (err == MP_OKAY && mp_cmp(t1, prime) != MP_LT) {
+      err = mp_sub(t1, prime, t1);
    }
 
    /* compare to b */
    if (err == MP_OKAY) {
-       if (mp_cmp(&t1, &b) != MP_EQ) {
+       if (mp_cmp(t1, b) != MP_EQ) {
           err = MP_VAL;
        } else {
           err = MP_OKAY;
        }
    }
 
-   mp_clear(&b);
-   mp_clear(&t1);
-   mp_clear(&t2);
+   mp_clear(t1);
+   mp_clear(t2);
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(t2, NULL, DYNAMIC_TYPE_ECC);
+   XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
+#endif
 
    return err;
-}
+#else
+   (void)a;
+   (void)b;
 
+#ifndef WOLFSSL_SP_NO_256
+   if (mp_count_bits(prime) == 256) {
+       return sp_ecc_is_point_256(ecp->x, ecp->y);
+   }
+#endif
+#ifdef WOLFSSL_SP_384
+   if (mp_count_bits(prime) == 384) {
+       return sp_ecc_is_point_384(ecp->x, ecp->y);
+   }
+#endif
+   return WC_KEY_SIZE_E;
+#endif
+}
 
+#ifndef WOLFSSL_SP_MATH
 /* validate privkey * generator == pubkey, 0 on success */
-static int ecc_check_privkey_gen(ecc_key* key, mp_int* prime)
+static int ecc_check_privkey_gen(ecc_key* key, mp_int* a, mp_int* prime)
 {
+    int        err = MP_OKAY;
     ecc_point* base = NULL;
     ecc_point* res  = NULL;
-    int        err;
+    DECLARE_CURVE_SPECS(curve, 2);
 
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    base = ecc_new_point();
-    if (base == NULL)
-        return MEMORY_E;
+    ALLOC_CURVE_SPECS(2);
 
-    /* set up base generator */
-    err = mp_read_radix(base->x, (char*)key->dp->Gx, 16);
-    if (err == MP_OKAY)
-        err = mp_read_radix(base->y, (char*)key->dp->Gy, 16);
-    if (err == MP_OKAY)
-        mp_set(base->z, 1);
+    res = wc_ecc_new_point_h(key->heap);
+    if (res == NULL)
+        err = MEMORY_E;
 
-    if (err == MP_OKAY) {
-        res = ecc_new_point();
-        if (res == NULL)
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+        if (err == MP_OKAY) {
+            err = sp_ecc_mulmod_base_256(&key->k, res, 1, key->heap);
+        }
+    }
+    else
+#endif
+#ifdef WOLFSSL_SP_384
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+        if (err == MP_OKAY) {
+            err = sp_ecc_mulmod_base_384(&key->k, res, 1, key->heap);
+        }
+    }
+    else
+#endif
+#endif
+    {
+        base = wc_ecc_new_point_h(key->heap);
+        if (base == NULL)
             err = MEMORY_E;
-        else {
-            err = ecc_mulmod(&key->k, base, res, prime, 1);
-            if (err == MP_OKAY) {
-                /* compare result to public key */
-                if (mp_cmp(res->x, key->pubkey.x) != MP_EQ ||
-                    mp_cmp(res->y, key->pubkey.y) != MP_EQ ||
-                    mp_cmp(res->z, key->pubkey.z) != MP_EQ) {
-                    /* didn't match */
-                    err = ECC_PRIV_KEY_E;
-                }
-            }
+
+        if (err == MP_OKAY) {
+            /* load curve info */
+            err = wc_ecc_curve_load(key->dp, &curve,
+                                      (ECC_CURVE_FIELD_GX | ECC_CURVE_FIELD_GY));
+        }
+
+        /* set up base generator */
+        if (err == MP_OKAY)
+            err = mp_copy(curve->Gx, base->x);
+        if (err == MP_OKAY)
+            err = mp_copy(curve->Gy, base->y);
+        if (err == MP_OKAY)
+            err = mp_set(base->z, 1);
+
+        if (err == MP_OKAY)
+            err = wc_ecc_mulmod_ex(&key->k, base, res, a, prime, 1, key->heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* compare result to public key */
+        if (mp_cmp(res->x, key->pubkey.x) != MP_EQ ||
+            mp_cmp(res->y, key->pubkey.y) != MP_EQ ||
+            mp_cmp(res->z, key->pubkey.z) != MP_EQ) {
+            /* didn't match */
+            err = ECC_PRIV_KEY_E;
         }
     }
 
-    ecc_del_point(res);
-    ecc_del_point(base);
+    wc_ecc_curve_free(curve);
+    wc_ecc_del_point_h(res, key->heap);
+    wc_ecc_del_point_h(base, key->heap);
+    FREE_CURVE_SPECS();
 
     return err;
 }
-
+#endif
 
 #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
 
 /* check privkey generator helper, creates prime needed */
 static int ecc_check_privkey_gen_helper(ecc_key* key)
 {
-    mp_int prime;
     int    err;
+#ifndef WOLFSSL_ATECC508A
+    DECLARE_CURVE_SPECS(curve, 2);
+#endif
 
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    err = mp_init(&prime);
-    if (err != MP_OKAY)
-        return err;
+#ifdef WOLFSSL_ATECC508A
+    /* Hardware based private key, so this operation is not supported */
+    err = MP_OKAY; /* just report success */
+
+#else
+    ALLOC_CURVE_SPECS(2);
 
-    err = mp_read_radix(&prime, (char*)key->dp->prime, 16);
+    /* load curve info */
+    err = wc_ecc_curve_load(key->dp, &curve,
+        (ECC_CURVE_FIELD_PRIME | ECC_CURVE_FIELD_AF));
+
+    if (err == MP_OKAY)
+        err = ecc_check_privkey_gen(key, curve->Af, curve->prime);
 
-    if (err == MP_OKAY);
-        err = ecc_check_privkey_gen(key, &prime);
+    wc_ecc_curve_free(curve);
+    FREE_CURVE_SPECS();
 
-    mp_clear(&prime);
+#endif /* WOLFSSL_ATECC508A */
 
     return err;
 }
 
 #endif /* WOLFSSL_VALIDATE_ECC_IMPORT */
 
-
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || !defined(WOLFSSL_SP_MATH)
 /* validate order * pubkey = point at infinity, 0 on success */
-static int ecc_check_pubkey_order(ecc_key* key, mp_int* prime, mp_int* order)
+static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
+        mp_int* prime, mp_int* order)
 {
     ecc_point* inf = NULL;
     int        err;
@@ -2491,258 +6952,613 @@ static int ecc_check_pubkey_order(ecc_key* key, mp_int* prime, mp_int* order)
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    inf = ecc_new_point();
+    inf = wc_ecc_new_point_h(key->heap);
     if (inf == NULL)
         err = MEMORY_E;
     else {
-        err = ecc_mulmod(order, &key->pubkey, inf, prime, 1);
-        if (err == MP_OKAY && !ecc_point_is_at_infinity(inf))
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP256R1) {
+            err = sp_ecc_mulmod_256(order, pubkey, inf, 1, key->heap);
+        }
+        else
+#endif
+#ifdef WOLFSSL_SP_384
+        if (key->idx != ECC_CUSTOM_IDX &&
+                                       ecc_sets[key->idx].id == ECC_SECP384R1) {
+            err = sp_ecc_mulmod_384(order, pubkey, inf, 1, key->heap);
+        }
+        else
+#endif
+#endif
+#ifndef WOLFSSL_SP_MATH
+            err = wc_ecc_mulmod_ex(order, pubkey, inf, a, prime, 1, key->heap);
+        if (err == MP_OKAY && !wc_ecc_point_is_at_infinity(inf))
             err = ECC_INF_E;
+#else
+            (void)a;
+            (void)prime;
+
+            err = WC_KEY_SIZE_E;
+#endif
     }
 
-    ecc_del_point(inf);
+    wc_ecc_del_point_h(inf, key->heap);
 
     return err;
 }
+#endif
+#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL*/
+
+#ifdef OPENSSL_EXTRA
+int wc_ecc_get_generator(ecc_point* ecp, int curve_idx)
+{
+    int err = MP_OKAY;
+    DECLARE_CURVE_SPECS(curve, 2);
+
+    if (!ecp || curve_idx < 0 || curve_idx > (int)(ECC_SET_COUNT-1))
+        return BAD_FUNC_ARG;
 
+    ALLOC_CURVE_SPECS(2);
+
+    err = wc_ecc_curve_load(&ecc_sets[curve_idx], &curve,
+                            (ECC_CURVE_FIELD_GX | ECC_CURVE_FIELD_GY));
+    if (err == MP_OKAY)
+        err = mp_copy(curve->Gx, ecp->x);
+    if (err == MP_OKAY)
+        err = mp_copy(curve->Gy, ecp->y);
+    if (err == MP_OKAY)
+        err = mp_set(ecp->z, 1);
+
+    wc_ecc_curve_free(curve);
+    FREE_CURVE_SPECS();
+
+    return err;
+}
+#endif /* OPENSSLALL */
 
-/* perform sanity checks on ec key validity, 0 on success */
+/* perform sanity checks on ecc key validity, 0 on success */
 int wc_ecc_check_key(ecc_key* key)
 {
-    mp_int prime;  /* used by multiple calls so let's cache */
-    mp_int order;  /* other callers have, so let's gen here */
     int    err;
+#ifndef WOLFSSL_SP_MATH
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
+    mp_int* b = NULL;
+#ifdef USE_ECC_B_PARAM
+    DECLARE_CURVE_SPECS(curve, 4);
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    mp_int b_lcl;
+#endif
+    DECLARE_CURVE_SPECS(curve, 3);
+#endif /* USE_ECC_B_PARAM */
+#endif /* WOLFSSL_ATECC508A */
 
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    /* pubkey point cannot be at inifinity */
-    if (ecc_point_is_at_infinity(&key->pubkey))
-        return ECC_INF_E;
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_CRYPTOCELL)
 
-    err = mp_init_multi(&prime, &order, NULL, NULL, NULL, NULL);
-    if (err != MP_OKAY)
-        return err;
+    err = 0; /* consider key check success on ATECC508A */
 
-    err = mp_read_radix(&prime, (char*)key->dp->prime, 16);
+#else
+    #ifdef USE_ECC_B_PARAM
+        ALLOC_CURVE_SPECS(4);
+    #else
+        ALLOC_CURVE_SPECS(3);
+        #ifndef WOLFSSL_SMALL_STACK
+            b = &b_lcl;
+        #else
+            b = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
+            if (b == NULL) {
+                FREE_CURVE_SPECS();
+                return MEMORY_E;
+            }
+        #endif
+        XMEMSET(b, 0, sizeof(mp_int));
+    #endif
 
-    /* make sure point is actually on curve */
+    /* SP 800-56Ar3, section 5.6.2.3.3, process step 1 */
+    /* pubkey point cannot be at infinity */
+    if (wc_ecc_point_is_at_infinity(&key->pubkey)) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(b, key->heap, DYNAMIC_TYPE_ECC);
+    #endif
+        FREE_CURVE_SPECS();
+        return ECC_INF_E;
+    }
+
+    /* load curve info */
+    err = wc_ecc_curve_load(key->dp, &curve, (ECC_CURVE_FIELD_PRIME |
+            ECC_CURVE_FIELD_AF | ECC_CURVE_FIELD_ORDER
+#ifdef USE_ECC_B_PARAM
+            | ECC_CURVE_FIELD_BF
+#endif
+    ));
+
+#ifndef USE_ECC_B_PARAM
+    /* load curve b parameter */
+    if (err == MP_OKAY)
+        err = mp_init(b);
     if (err == MP_OKAY)
-        err = ecc_is_point(key->dp, &key->pubkey, &prime);
+        err = mp_read_radix(b, key->dp->Bf, MP_RADIX_HEX);
+#else
+    if (err == MP_OKAY)
+        b = curve->Bf;
+#endif
+
+    /* SP 800-56Ar3, section 5.6.2.3.3, process step 2 */
+    /* Qx must be in the range [0, p-1] */
+    if (err == MP_OKAY) {
+        if (mp_cmp(key->pubkey.x, curve->prime) != MP_LT)
+            err = ECC_OUT_OF_RANGE_E;
+    }
 
+    /* Qy must be in the range [0, p-1] */
+    if (err == MP_OKAY) {
+        if (mp_cmp(key->pubkey.y, curve->prime) != MP_LT)
+            err = ECC_OUT_OF_RANGE_E;
+    }
+
+    /* SP 800-56Ar3, section 5.6.2.3.3, process steps 3 */
+    /* make sure point is actually on curve */
     if (err == MP_OKAY)
-        err = mp_read_radix(&order, (char*)key->dp->order, 16);
+        err = wc_ecc_is_point(&key->pubkey, curve->Af, b, curve->prime);
 
+    /* SP 800-56Ar3, section 5.6.2.3.3, process steps 4 */
     /* pubkey * order must be at infinity */
     if (err == MP_OKAY)
-        err = ecc_check_pubkey_order(key, &prime, &order);
+        err = ecc_check_pubkey_order(key, &key->pubkey, curve->Af, curve->prime,
+                curve->order);
 
+    /* SP 800-56Ar3, section 5.6.2.1.4, method (b) for ECC */
     /* private * base generator must equal pubkey */
     if (err == MP_OKAY && key->type == ECC_PRIVATEKEY)
-        err = ecc_check_privkey_gen(key, &prime);
+        err = ecc_check_privkey_gen(key, curve->Af, curve->prime);
+
+    wc_ecc_curve_free(curve);
+
+#ifndef USE_ECC_B_PARAM
+    mp_clear(b);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(b, key->heap, DYNAMIC_TYPE_ECC);
+    #endif
+#endif
+
+    FREE_CURVE_SPECS();
+
+#endif /* WOLFSSL_ATECC508A */
+#else
+    if (key == NULL)
+        return BAD_FUNC_ARG;
 
-    mp_clear(&order);
-    mp_clear(&prime);
+    /* pubkey point cannot be at infinity */
+#ifndef WOLFSSL_SP_NO_256
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP256R1) {
+        err = sp_ecc_check_key_256(key->pubkey.x, key->pubkey.y, &key->k,
+                                                                     key->heap);
+    }
+    else
+#endif
+#ifdef WOLFSSL_SP_384
+    if (key->idx != ECC_CUSTOM_IDX && ecc_sets[key->idx].id == ECC_SECP384R1) {
+        err = sp_ecc_check_key_384(key->pubkey.x, key->pubkey.y, &key->k,
+                                                                     key->heap);
+    }
+    else
+#endif
+    {
+        err = WC_KEY_SIZE_E;
+    }
+#endif
 
     return err;
 }
 
-
+#ifdef HAVE_ECC_KEY_IMPORT
 /* import public ECC key in ANSI X9.63 format */
-int wc_ecc_import_x963(const byte* in, word32 inLen, ecc_key* key)
+int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key,
+                          int curve_id)
 {
-   int x, err;
-   int compressed = 0;
-   
-   if (in == NULL || key == NULL)
-       return ECC_BAD_ARG_E;
+    int err = MP_OKAY;
+#ifdef HAVE_COMP_KEY
+    int compressed = 0;
+#endif
+    int keysize = 0;
+    byte pointType;
 
-   /* must be odd */
-   if ((inLen & 1) == 0) {
-      return ECC_BAD_ARG_E;
-   }
+    if (in == NULL || key == NULL)
+        return BAD_FUNC_ARG;
 
-   /* init key */
-#ifdef ALT_ECC_SIZE
-   key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
-   key->pubkey.y = (mp_int*)&key->pubkey.xyz[1];
-   key->pubkey.z = (mp_int*)&key->pubkey.xyz[2];
-   alt_fp_init(key->pubkey.x);
-   alt_fp_init(key->pubkey.y);
-   alt_fp_init(key->pubkey.z);
-   err = mp_init(&key->k);
-#else
-   err = mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, &key->k,
-                     NULL, NULL);
-#endif
-   if (err != MP_OKAY)
-      return MEMORY_E;
+    /* must be odd */
+    if ((inLen & 1) == 0) {
+        return ECC_BAD_ARG_E;
+    }
 
-   /* check for 4, 2, or 3 */
-   if (in[0] != 0x04 && in[0] != 0x02 && in[0] != 0x03) {
-      err = ASN_PARSE_E;
-   }
+    /* make sure required variables are reset */
+    wc_ecc_reset(key);
 
-   if (in[0] == 0x02 || in[0] == 0x03) {
-#ifdef HAVE_COMP_KEY
-       compressed = 1;
-#else
-       err = NOT_COMPILED_IN;
-#endif
-   }
+    /* init key */
+    #ifdef ALT_ECC_SIZE
+        key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
+        key->pubkey.y = (mp_int*)&key->pubkey.xyz[1];
+        key->pubkey.z = (mp_int*)&key->pubkey.xyz[2];
+        alt_fp_init(key->pubkey.x);
+        alt_fp_init(key->pubkey.y);
+        alt_fp_init(key->pubkey.z);
+        err = mp_init(&key->k);
+    #else
+        err = mp_init_multi(&key->k,
+                    key->pubkey.x, key->pubkey.y, key->pubkey.z, NULL, NULL);
+    #endif
+    if (err != MP_OKAY)
+        return MEMORY_E;
 
-   if (err == MP_OKAY) {
-      /* determine the idx */
+    /* check for point type (4, 2, or 3) */
+    pointType = in[0];
+    if (pointType != ECC_POINT_UNCOMP && pointType != ECC_POINT_COMP_EVEN &&
+                                         pointType != ECC_POINT_COMP_ODD) {
+        err = ASN_PARSE_E;
+    }
 
-      if (compressed)
-          inLen = (inLen-1)*2 + 1;  /* used uncompressed len */
+    if (pointType == ECC_POINT_COMP_EVEN || pointType == ECC_POINT_COMP_ODD) {
+    #ifdef HAVE_COMP_KEY
+        compressed = 1;
+    #else
+        err = NOT_COMPILED_IN;
+    #endif
+    }
 
-      for (x = 0; ecc_sets[x].size != 0; x++) {
-         if ((unsigned)ecc_sets[x].size >= ((inLen-1)>>1)) {
-            break;
-         }
-      }
-      if (ecc_sets[x].size == 0) {
-         err = ASN_PARSE_E;
-      } else {
-          /* set the idx */
-          key->idx  = x;
-          key->dp = &ecc_sets[x];
-          key->type = ECC_PUBLICKEY;
-      }
-   }
+    /* adjust to skip first byte */
+    inLen -= 1;
+    in += 1;
 
-   /* read data */
-   if (err == MP_OKAY)
-       err = mp_read_unsigned_bin(key->pubkey.x, (byte*)in+1, (inLen-1)>>1);
+#ifdef WOLFSSL_ATECC508A
+    /* For SECP256R1 only save raw public key for hardware */
+    if (curve_id == ECC_SECP256R1 && inLen <= sizeof(key->pubkey_raw)) {
+    #ifdef HAVE_COMP_KEY
+        if (!compressed)
+    #endif
+            XMEMCPY(key->pubkey_raw, (byte*)in, inLen);
+    }
+#endif
 
-#ifdef HAVE_COMP_KEY
-   if (err == MP_OKAY && compressed == 1) {   /* build y */
-        mp_int t1, t2, prime, a, b;
+    if (err == MP_OKAY) {
+    #ifdef HAVE_COMP_KEY
+        /* adjust inLen if compressed */
+        if (compressed)
+            inLen = inLen*2 + 1;  /* used uncompressed len */
+    #endif
 
-        if (mp_init_multi(&t1, &t2, &prime, &a, &b, NULL) != MP_OKAY)
-            err = MEMORY_E;
+        /* determine key size */
+        keysize = (inLen>>1);
+        err = wc_ecc_set_curve(key, keysize, curve_id);
+        key->type = ECC_PUBLICKEY;
+    }
 
-        /* load prime */
-        if (err == MP_OKAY)
-            err = mp_read_radix(&prime, (char *)key->dp->prime, 16);
+    /* read data */
+    if (err == MP_OKAY)
+        err = mp_read_unsigned_bin(key->pubkey.x, (byte*)in, keysize);
 
-        /* load a */
-        if (err == MP_OKAY)
-            err = mp_read_radix(&a, (char *)key->dp->Af, 16);
+#ifdef HAVE_COMP_KEY
+    if (err == MP_OKAY && compressed == 1) {   /* build y */
+#ifndef WOLFSSL_SP_MATH
+        mp_int t1, t2;
+        int did_init = 0;
+
+        DECLARE_CURVE_SPECS(curve, 3);
+        ALLOC_CURVE_SPECS(3);
+
+        if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY)
+            err = MEMORY_E;
+        else
+            did_init = 1;
 
-        /* load b */
+        /* load curve info */
         if (err == MP_OKAY)
-            err = mp_read_radix(&b, (char *)key->dp->Bf, 16);
+            err = wc_ecc_curve_load(key->dp, &curve,
+                (ECC_CURVE_FIELD_PRIME | ECC_CURVE_FIELD_AF |
+                 ECC_CURVE_FIELD_BF));
 
         /* compute x^3 */
         if (err == MP_OKAY)
             err = mp_sqr(key->pubkey.x, &t1);
-
         if (err == MP_OKAY)
-            err = mp_mulmod(&t1, key->pubkey.x, &prime, &t1);
+            err = mp_mulmod(&t1, key->pubkey.x, curve->prime, &t1);
 
         /* compute x^3 + a*x */
         if (err == MP_OKAY)
-            err = mp_mulmod(&a, key->pubkey.x, &prime, &t2);
-
+            err = mp_mulmod(curve->Af, key->pubkey.x, curve->prime, &t2);
         if (err == MP_OKAY)
             err = mp_add(&t1, &t2, &t1);
 
         /* compute x^3 + a*x + b */
         if (err == MP_OKAY)
-            err = mp_add(&t1, &b, &t1);
+            err = mp_add(&t1, curve->Bf, &t1);
 
         /* compute sqrt(x^3 + a*x + b) */
         if (err == MP_OKAY)
-            err = mp_sqrtmod_prime(&t1, &prime, &t2);
+            err = mp_sqrtmod_prime(&t1, curve->prime, &t2);
 
         /* adjust y */
         if (err == MP_OKAY) {
-            if ((mp_isodd(&t2) && in[0] == 0x03) ||
-               (!mp_isodd(&t2) && in[0] == 0x02)) {
-                err = mp_mod(&t2, &prime, key->pubkey.y);
+            if ((mp_isodd(&t2) == MP_YES && pointType == ECC_POINT_COMP_ODD) ||
+                (mp_isodd(&t2) == MP_NO &&  pointType == ECC_POINT_COMP_EVEN)) {
+                err = mp_mod(&t2, curve->prime, &t2);
             }
             else {
-                err = mp_submod(&prime, &t2, &prime, key->pubkey.y);
+                err = mp_submod(curve->prime, &t2, curve->prime, &t2);
             }
+            if (err == MP_OKAY)
+                err = mp_copy(&t2, key->pubkey.y);
         }
 
-        mp_clear(&a);
-        mp_clear(&b);
-        mp_clear(&prime);
-        mp_clear(&t2);
-        mp_clear(&t1);
-   }
+        if (did_init) {
+            mp_clear(&t2);
+            mp_clear(&t1);
+        }
+
+        wc_ecc_curve_free(curve);
+        FREE_CURVE_SPECS();
+#else
+    #ifndef WOLFSSL_SP_NO_256
+        if (key->dp->id == ECC_SECP256R1) {
+            sp_ecc_uncompress_256(key->pubkey.x, pointType, key->pubkey.y);
+        }
+        else
+    #endif
+    #ifdef WOLFSSL_SP_384
+        if (key->dp->id == ECC_SECP384R1) {
+            sp_ecc_uncompress_384(key->pubkey.x, pointType, key->pubkey.y);
+        }
+        else
+    #endif
+        {
+            err = WC_KEY_SIZE_E;
+        }
 #endif
+    }
+#endif /* HAVE_COMP_KEY */
 
-   if (err == MP_OKAY && compressed == 0)
-       err = mp_read_unsigned_bin(key->pubkey.y, (byte*)in+1+((inLen-1)>>1),
-                                  (inLen-1)>>1);
-   if (err == MP_OKAY)
-       mp_set(key->pubkey.z, 1);
+    if (err == MP_OKAY) {
+    #ifdef HAVE_COMP_KEY
+        if (compressed == 0)
+    #endif
+        {
+            err = mp_read_unsigned_bin(key->pubkey.y, (byte*)in + keysize,
+                                                                      keysize);
+        }
+    }
+    if (err == MP_OKAY)
+        err = mp_set(key->pubkey.z, 1);
 
 #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
-   if (err == MP_OKAY)
-       err = wc_ecc_check_key(key);
+    if (err == MP_OKAY)
+        err = wc_ecc_check_key(key);
 #endif
 
-   if (err != MP_OKAY) {
-       mp_clear(key->pubkey.x);
-       mp_clear(key->pubkey.y);
-       mp_clear(key->pubkey.z);
-       mp_clear(&key->k);
-   }
+    if (err != MP_OKAY) {
+        mp_clear(key->pubkey.x);
+        mp_clear(key->pubkey.y);
+        mp_clear(key->pubkey.z);
+        mp_clear(&key->k);
+    }
 
-   return err;
+    return err;
+}
+
+WOLFSSL_ABI
+int wc_ecc_import_x963(const byte* in, word32 inLen, ecc_key* key)
+{
+    return wc_ecc_import_x963_ex(in, inLen, key, ECC_CURVE_DEF);
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
+
+#ifdef HAVE_ECC_KEY_EXPORT
+
+/* export ecc key to component form, d is optional if only exporting public
+ * encType is WC_TYPE_UNSIGNED_BIN or WC_TYPE_HEX_STR
+ * return MP_OKAY on success */
+int wc_ecc_export_ex(ecc_key* key, byte* qx, word32* qxLen,
+                 byte* qy, word32* qyLen, byte* d, word32* dLen, int encType)
+{
+    int err = 0;
+    word32 keySz;
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (wc_ecc_is_valid_idx(key->idx) == 0) {
+        return ECC_BAD_ARG_E;
+    }
+    keySz = key->dp->size;
+
+    /* private key, d */
+    if (d != NULL) {
+        if (dLen == NULL ||
+            (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY))
+            return BAD_FUNC_ARG;
+
+    #ifdef WOLFSSL_ATECC508A
+        /* Hardware cannot export private portion */
+        return NOT_COMPILED_IN;
+    #else
+        err = wc_export_int(&key->k, d, dLen, keySz, encType);
+        if (err != MP_OKAY)
+            return err;
+    #endif
+    }
+
+    /* public x component */
+    if (qx != NULL) {
+        if (qxLen == NULL || key->type == ECC_PRIVATEKEY_ONLY)
+            return BAD_FUNC_ARG;
+
+        err = wc_export_int(key->pubkey.x, qx, qxLen, keySz, encType);
+        if (err != MP_OKAY)
+            return err;
+    }
+
+    /* public y component */
+    if (qy != NULL) {
+        if (qyLen == NULL || key->type == ECC_PRIVATEKEY_ONLY)
+            return BAD_FUNC_ARG;
+
+        err = wc_export_int(key->pubkey.y, qy, qyLen, keySz, encType);
+        if (err != MP_OKAY)
+            return err;
+    }
+
+    return err;
 }
 
 
-/* export ecc private key only raw, outLen is in/out size 
+/* export ecc private key only raw, outLen is in/out size as unsigned bin
    return MP_OKAY on success */
 int wc_ecc_export_private_only(ecc_key* key, byte* out, word32* outLen)
 {
-   word32 numlen;
+    if (out == NULL || outLen == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-   if (key == NULL || out == NULL || outLen == NULL)
-       return ECC_BAD_ARG_E;
+    return wc_ecc_export_ex(key, NULL, NULL, NULL, NULL, out, outLen,
+        WC_TYPE_UNSIGNED_BIN);
+}
 
-   if (ecc_is_valid_idx(key->idx) == 0) {
-      return ECC_BAD_ARG_E;
-   }
-   numlen = key->dp->size;
+/* export public key to raw elements including public (Qx,Qy) as unsigned bin
+ * return MP_OKAY on success, negative on error */
+int wc_ecc_export_public_raw(ecc_key* key, byte* qx, word32* qxLen,
+                             byte* qy, word32* qyLen)
+{
+    if (qx == NULL || qxLen == NULL || qy == NULL || qyLen == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-   if (*outLen < numlen) {
-      *outLen = numlen;
-      return BUFFER_E;
-   }
-   *outLen = numlen; 
-   XMEMSET(out, 0, *outLen);
-   return mp_to_unsigned_bin(&key->k, out + (numlen -
-                                             mp_unsigned_bin_size(&key->k)));
+    return wc_ecc_export_ex(key, qx, qxLen, qy, qyLen, NULL, NULL,
+        WC_TYPE_UNSIGNED_BIN);
 }
 
+/* export ecc key to raw elements including public (Qx,Qy) and
+ *   private (d) as unsigned bin
+ * return MP_OKAY on success, negative on error */
+int wc_ecc_export_private_raw(ecc_key* key, byte* qx, word32* qxLen,
+                              byte* qy, word32* qyLen, byte* d, word32* dLen)
+{
+    return wc_ecc_export_ex(key, qx, qxLen, qy, qyLen, d, dLen,
+        WC_TYPE_UNSIGNED_BIN);
+}
 
-/* ecc private key import, public key in ANSI X9.63 format, private raw */
-int wc_ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
-                           word32 pubSz, ecc_key* key)
+#endif /* HAVE_ECC_KEY_EXPORT */
+
+#ifdef HAVE_ECC_KEY_IMPORT
+/* import private key, public part optional if (pub) passed as NULL */
+int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz,
+                                 const byte* pub, word32 pubSz, ecc_key* key,
+                                 int curve_id)
 {
-    int ret = wc_ecc_import_x963(pub, pubSz, key);
+    int ret;
+#if defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A)
+    const CRYS_ECPKI_Domain_t* pDomain;
+    CRYS_ECPKI_BUILD_TempData_t tempBuff;
+#endif
+    if (key == NULL || priv == NULL)
+        return BAD_FUNC_ARG;
+
+    /* public optional, NULL if only importing private */
+    if (pub != NULL) {
+    #ifndef NO_ASN
+        word32 idx = 0;
+        ret = wc_ecc_import_x963_ex(pub, pubSz, key, curve_id);
+        if (ret < 0)
+            ret = wc_EccPublicKeyDecode(pub, &idx, key, pubSz);
+        key->type = ECC_PRIVATEKEY;
+    #else
+        ret = NOT_COMPILED_IN;
+    #endif
+    }
+    else {
+        /* make sure required variables are reset */
+        wc_ecc_reset(key);
+
+        /* set key size */
+        ret = wc_ecc_set_curve(key, privSz, curve_id);
+        key->type = ECC_PRIVATEKEY_ONLY;
+    }
+
     if (ret != 0)
         return ret;
 
-    key->type = ECC_PRIVATEKEY;
+#ifdef WOLFSSL_ATECC508A
+    /* Hardware does not support loading private keys */
+    return NOT_COMPILED_IN;
+#elif defined(WOLFSSL_CRYPTOCELL)
+    pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id));
+
+    if (pub != NULL && pub[0] != '\0') {
+        /* create public key from external key buffer */
+        ret = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain,
+                                               (byte*)pub,
+                                               pubSz,
+                                               &key->ctx.pubKey,
+                                               &tempBuff);
+
+        if (ret != SA_SILIB_RET_OK){
+            WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed");
+            return ret;
+        }
+    }
+    /* import private key */
+    if (priv != NULL && priv[0] != '\0') {
+
+        /* Create private key from external key buffer*/
+        ret = CRYS_ECPKI_BuildPrivKey(pDomain,
+                                      priv,
+                                      privSz,
+                                      &key->ctx.privKey);
+
+        if (ret != SA_SILIB_RET_OK) {
+            WOLFSSL_MSG("CRYS_ECPKI_BuildPrivKey failed");
+            return ret;
+        }
+
+        ret = mp_read_unsigned_bin(&key->k, priv, privSz);
+    }
+
+#else
 
     ret = mp_read_unsigned_bin(&key->k, priv, privSz);
+#ifdef HAVE_WOLF_BIGINT
+    if (ret == 0 &&
+                  wc_bigint_from_unsigned_bin(&key->k.raw, priv, privSz) != 0) {
+        mp_clear(&key->k);
+        ret = ASN_GETINT_E;
+    }
+#endif /* HAVE_WOLF_BIGINT */
+
+
+#endif /* WOLFSSL_ATECC508A */
 
 #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
-    if (ret == MP_OKAY)
+    if ((pub != NULL) && (ret == MP_OKAY))
+        /* public key needed to perform key validation */
         ret = ecc_check_privkey_gen_helper(key);
 #endif
 
     return ret;
 }
 
+/* ecc private key import, public key in ANSI X9.63 format, private raw */
+int wc_ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
+                           word32 pubSz, ecc_key* key)
+{
+    return wc_ecc_import_private_key_ex(priv, privSz, pub, pubSz, key,
+                                                                ECC_CURVE_DEF);
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
+
+#ifndef NO_ASN
 /**
    Convert ECC R,S to signature
    r       R component of signature
@@ -2754,53 +7570,232 @@ int wc_ecc_import_private_key(const byte* priv, word32 privSz, const byte* pub,
 int wc_ecc_rs_to_sig(const char* r, const char* s, byte* out, word32* outlen)
 {
     int err;
-    mp_int rtmp;
-    mp_int stmp;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* rtmp = NULL;
+    mp_int* stmp = NULL;
+#else
+    mp_int  rtmp[1];
+    mp_int  stmp[1];
+#endif
 
     if (r == NULL || s == NULL || out == NULL || outlen == NULL)
         return ECC_BAD_ARG_E;
 
-    err = mp_init_multi(&rtmp, &stmp, NULL, NULL, NULL, NULL);
-    if (err != MP_OKAY)
+#ifdef WOLFSSL_SMALL_STACK
+    rtmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (rtmp == NULL)
+        return MEMORY_E;
+    stmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (stmp == NULL) {
+        XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+#endif
+
+    err = mp_init_multi(rtmp, stmp, NULL, NULL, NULL, NULL);
+    if (err != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(stmp, NULL, DYNAMIC_TYPE_ECC);
+        XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+    #endif
+        return err;
+    }
+
+    err = mp_read_radix(rtmp, r, MP_RADIX_HEX);
+    if (err == MP_OKAY)
+        err = mp_read_radix(stmp, s, MP_RADIX_HEX);
+
+    /* convert mp_ints to ECDSA sig, initializes rtmp and stmp internally */
+    if (err == MP_OKAY)
+        err = StoreECC_DSA_Sig(out, outlen, rtmp, stmp);
+
+    if (err == MP_OKAY) {
+        if (mp_iszero(rtmp) == MP_YES || mp_iszero(stmp) == MP_YES)
+            err = MP_ZERO_E;
+    }
+
+    mp_clear(rtmp);
+    mp_clear(stmp);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(stmp, NULL, DYNAMIC_TYPE_ECC);
+    XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/**
+   Convert ECC R,S raw unsigned bin to signature
+   r       R component of signature
+   rSz     R size
+   s       S component of signature
+   sSz     S size
+   out     DER-encoded ECDSA signature
+   outlen  [in/out] output buffer size, output signature size
+   return  MP_OKAY on success
+*/
+int wc_ecc_rs_raw_to_sig(const byte* r, word32 rSz, const byte* s, word32 sSz,
+    byte* out, word32* outlen)
+{
+    int err;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* rtmp = NULL;
+    mp_int* stmp = NULL;
+#else
+    mp_int  rtmp[1];
+    mp_int  stmp[1];
+#endif
+
+    if (r == NULL || s == NULL || out == NULL || outlen == NULL)
+        return ECC_BAD_ARG_E;
+
+#ifdef WOLFSSL_SMALL_STACK
+    rtmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (rtmp == NULL)
+        return MEMORY_E;
+    stmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (stmp == NULL) {
+        XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+#endif
+
+    err = mp_init_multi(rtmp, stmp, NULL, NULL, NULL, NULL);
+    if (err != MP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(stmp, NULL, DYNAMIC_TYPE_ECC);
+        XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+    #endif
         return err;
+    }
 
-    err = mp_read_radix(&rtmp, r, 16);
+    err = mp_read_unsigned_bin(rtmp, r, rSz);
     if (err == MP_OKAY)
-        err = mp_read_radix(&stmp, s, 16);
+        err = mp_read_unsigned_bin(stmp, s, sSz);
 
     /* convert mp_ints to ECDSA sig, initializes rtmp and stmp internally */
     if (err == MP_OKAY)
-        err = StoreECC_DSA_Sig(out, outlen, &rtmp, &stmp);
+        err = StoreECC_DSA_Sig(out, outlen, rtmp, stmp);
 
     if (err == MP_OKAY) {
-        if (mp_iszero(&rtmp) || mp_iszero(&stmp))
+        if (mp_iszero(rtmp) == MP_YES || mp_iszero(stmp) == MP_YES)
             err = MP_ZERO_E;
     }
 
-    mp_clear(&rtmp);
-    mp_clear(&stmp);
+    mp_clear(rtmp);
+    mp_clear(stmp);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(stmp, NULL, DYNAMIC_TYPE_ECC);
+    XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+#endif
 
     return err;
 }
 
 /**
-   Import raw ECC key
-   key       The destination ecc_key structure
-   qx        x component of base point, as ASCII hex string
-   qy        y component of base point, as ASCII hex string
-   d         private key, as ASCII hex string
-   curveName ECC curve name, from ecc_sets[]
-   return    MP_OKAY on success
+   Convert ECC signature to R,S
+   sig     DER-encoded ECDSA signature
+   sigLen  length of signature in octets
+   r       R component of signature
+   rLen    [in/out] output "r" buffer size, output "r" size
+   s       S component of signature
+   sLen    [in/out] output "s" buffer size, output "s" size
+   return  MP_OKAY on success, negative on error
 */
-int wc_ecc_import_raw(ecc_key* key, const char* qx, const char* qy,
-                   const char* d, const char* curveName)
+int wc_ecc_sig_to_rs(const byte* sig, word32 sigLen, byte* r, word32* rLen,
+                     byte* s, word32* sLen)
 {
-    int err, x;
+    int err;
+    int tmp_valid = 0;
+    word32 x = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* rtmp = NULL;
+    mp_int* stmp = NULL;
+#else
+    mp_int  rtmp[1];
+    mp_int  stmp[1];
+#endif
 
-    if (key == NULL || qx == NULL || qy == NULL || d == NULL ||
-        curveName == NULL)
+    if (sig == NULL || r == NULL || rLen == NULL || s == NULL || sLen == NULL)
         return ECC_BAD_ARG_E;
 
+#ifdef WOLFSSL_SMALL_STACK
+    rtmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (rtmp == NULL)
+        return MEMORY_E;
+    stmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_ECC);
+    if (stmp == NULL) {
+        XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+#endif
+
+    err = DecodeECC_DSA_Sig(sig, sigLen, rtmp, stmp);
+
+    /* rtmp and stmp are initialized */
+    if (err == MP_OKAY) {
+        tmp_valid = 1;
+
+        /* extract r */
+        x = mp_unsigned_bin_size(rtmp);
+        if (*rLen < x)
+            err = BUFFER_E;
+    }
+    if (err == MP_OKAY) {
+        *rLen = x;
+        err = mp_to_unsigned_bin(rtmp, r);
+    }
+
+    /* extract s */
+    if (err == MP_OKAY) {
+        x = mp_unsigned_bin_size(stmp);
+        if (*sLen < x)
+            err = BUFFER_E;
+
+        if (err == MP_OKAY) {
+            *sLen = x;
+            err = mp_to_unsigned_bin(stmp, s);
+        }
+    }
+
+    if (tmp_valid) {
+        mp_clear(rtmp);
+        mp_clear(stmp);
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(stmp, NULL, DYNAMIC_TYPE_ECC);
+    XFREE(rtmp, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+#endif /* !NO_ASN */
+
+#ifdef HAVE_ECC_KEY_IMPORT
+static int wc_ecc_import_raw_private(ecc_key* key, const char* qx,
+          const char* qy, const char* d, int curve_id, int encType)
+{
+    int err = MP_OKAY;
+#if defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A)
+    const CRYS_ECPKI_Domain_t* pDomain;
+    CRYS_ECPKI_BUILD_TempData_t tempBuff;
+    byte key_raw[ECC_MAX_CRYPTO_HW_SIZE*2 + 1];
+    word32 keySz = 0;
+#endif
+    /* if d is NULL, only import as public key using Qx,Qy */
+    if (key == NULL || qx == NULL || qy == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* make sure required variables are reset */
+    wc_ecc_reset(key);
+
+    /* set curve type and index */
+    err = wc_ecc_set_curve(key, 0, curve_id);
+    if (err != 0) {
+        return err;
+    }
+
     /* init key */
 #ifdef ALT_ECC_SIZE
     key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
@@ -2811,45 +7806,120 @@ int wc_ecc_import_raw(ecc_key* key, const char* qx, const char* qy,
     alt_fp_init(key->pubkey.z);
     err = mp_init(&key->k);
 #else
-    err = mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, &key->k,
-                      NULL, NULL);
+    err = mp_init_multi(&key->k, key->pubkey.x, key->pubkey.y, key->pubkey.z,
+                                                                  NULL, NULL);
 #endif
     if (err != MP_OKAY)
         return MEMORY_E;
 
     /* read Qx */
-    if (err == MP_OKAY)
-        err = mp_read_radix(key->pubkey.x, qx, 16);
+    if (err == MP_OKAY) {
+        if (encType == WC_TYPE_HEX_STR)
+            err = mp_read_radix(key->pubkey.x, qx, MP_RADIX_HEX);
+        else
+            err = mp_read_unsigned_bin(key->pubkey.x, (const byte*)qx,
+                key->dp->size);
+    }
 
     /* read Qy */
-    if (err == MP_OKAY)
-        err = mp_read_radix(key->pubkey.y, qy, 16);
+    if (err == MP_OKAY) {
+        if (encType == WC_TYPE_HEX_STR)
+            err = mp_read_radix(key->pubkey.y, qy, MP_RADIX_HEX);
+        else
+            err = mp_read_unsigned_bin(key->pubkey.y, (const byte*)qy,
+                key->dp->size);
 
-    if (err == MP_OKAY)
-        mp_set(key->pubkey.z, 1);
+    }
 
-    /* read and set the curve */
+    if (err == MP_OKAY)
+        err = mp_set(key->pubkey.z, 1);
+
+#ifdef WOLFSSL_ATECC508A
+    /* For SECP256R1 only save raw public key for hardware */
+    if (err == MP_OKAY && curve_id == ECC_SECP256R1) {
+        word32 keySz = key->dp->size;
+        err = wc_export_int(key->pubkey.x, key->pubkey_raw,
+            &keySz, keySz, WC_TYPE_UNSIGNED_BIN);
+        if (err == MP_OKAY)
+            err = wc_export_int(key->pubkey.y, &key->pubkey_raw[keySz],
+                &keySz, keySz, WC_TYPE_UNSIGNED_BIN);
+    }
+#elif defined(WOLFSSL_CRYPTOCELL)
     if (err == MP_OKAY) {
-        for (x = 0; ecc_sets[x].size != 0; x++) {
-            if (XSTRNCMP(ecc_sets[x].name, curveName,
-                         XSTRLEN(curveName)) == 0) {
-                break;
-            }
+        key_raw[0] = ECC_POINT_UNCOMP;
+        keySz = (word32)key->dp->size;
+        err = wc_export_int(key->pubkey.x, &key_raw[1], &keySz, keySz,
+            WC_TYPE_UNSIGNED_BIN);
+        if (err == MP_OKAY) {
+            err = wc_export_int(key->pubkey.y, &key_raw[1+keySz],
+                &keySz, keySz, WC_TYPE_UNSIGNED_BIN);
         }
-        if (ecc_sets[x].size == 0) {
-            err = ASN_PARSE_E;
-        } else {
-            /* set the curve */
-            key->idx = x;
-            key->dp = &ecc_sets[x];
-            key->type = ECC_PUBLICKEY;
+
+        if (err == MP_OKAY) {
+            pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(curve_id));
+
+            /* create public key from external key buffer */
+            err = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain,
+                                                   key_raw,
+                                                   keySz*2 + 1,
+                                                   &key->ctx.pubKey,
+                                                   &tempBuff);
+        }
+
+        if (err != SA_SILIB_RET_OK){
+            WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed");
+            return err;
         }
     }
 
+#endif
+
     /* import private key */
     if (err == MP_OKAY) {
-        key->type = ECC_PRIVATEKEY;
-        err = mp_read_radix(&key->k, d, 16);
+        if (d != NULL && d[0] != '\0') {
+        #ifdef WOLFSSL_ATECC508A
+            /* Hardware doesn't support loading private key */
+            err = NOT_COMPILED_IN;
+
+        #elif defined(WOLFSSL_CRYPTOCELL)
+
+            key->type = ECC_PRIVATEKEY;
+
+            if (encType == WC_TYPE_HEX_STR)
+                err = mp_read_radix(&key->k, d, MP_RADIX_HEX);
+            else
+                err = mp_read_unsigned_bin(&key->k, (const byte*)d,
+                    key->dp->size);
+            if (err == MP_OKAY) {
+                err = wc_export_int(&key->k, &key_raw[0], &keySz, keySz,
+                    WC_TYPE_UNSIGNED_BIN);
+            }
+
+            if (err == MP_OKAY) {
+                /* Create private key from external key buffer*/
+                err = CRYS_ECPKI_BuildPrivKey(pDomain,
+                                              key_raw,
+                                              keySz,
+                                              &key->ctx.privKey);
+
+                if (err != SA_SILIB_RET_OK){
+                    WOLFSSL_MSG("CRYS_ECPKI_BuildPrivKey failed");
+                    return err;
+                }
+            }
+
+        #else
+            key->type = ECC_PRIVATEKEY;
+
+            if (encType == WC_TYPE_HEX_STR)
+                err = mp_read_radix(&key->k, d, MP_RADIX_HEX);
+            else
+                err = mp_read_unsigned_bin(&key->k, (const byte*)d,
+                    key->dp->size);
+        #endif /* WOLFSSL_ATECC508A */
+        } else {
+            key->type = ECC_PUBLICKEY;
+        }
     }
 
 #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
@@ -2867,25 +7937,127 @@ int wc_ecc_import_raw(ecc_key* key, const char* qx, const char* qy,
     return err;
 }
 
+/**
+   Import raw ECC key
+   key       The destination ecc_key structure
+   qx        x component of the public key, as ASCII hex string
+   qy        y component of the public key, as ASCII hex string
+   d         private key, as ASCII hex string, optional if importing public
+             key only
+   dp        Custom ecc_set_type
+   return    MP_OKAY on success
+*/
+int wc_ecc_import_raw_ex(ecc_key* key, const char* qx, const char* qy,
+                   const char* d, int curve_id)
+{
+    return wc_ecc_import_raw_private(key, qx, qy, d, curve_id,
+        WC_TYPE_HEX_STR);
+
+}
+
+/* Import x, y and optional private (d) as unsigned binary */
+int wc_ecc_import_unsigned(ecc_key* key, byte* qx, byte* qy,
+                   byte* d, int curve_id)
+{
+    return wc_ecc_import_raw_private(key, (const char*)qx, (const char*)qy,
+        (const char*)d, curve_id, WC_TYPE_UNSIGNED_BIN);
+}
+
+/**
+   Import raw ECC key
+   key       The destination ecc_key structure
+   qx        x component of the public key, as ASCII hex string
+   qy        y component of the public key, as ASCII hex string
+   d         private key, as ASCII hex string, optional if importing public
+             key only
+   curveName ECC curve name, from ecc_sets[]
+   return    MP_OKAY on success
+*/
+int wc_ecc_import_raw(ecc_key* key, const char* qx, const char* qy,
+                   const char* d, const char* curveName)
+{
+    int err, x;
+
+    /* if d is NULL, only import as public key using Qx,Qy */
+    if (key == NULL || qx == NULL || qy == NULL || curveName == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* set curve type and index */
+    for (x = 0; ecc_sets[x].size != 0; x++) {
+        if (XSTRNCMP(ecc_sets[x].name, curveName,
+                     XSTRLEN(curveName)) == 0) {
+            break;
+        }
+    }
+
+    if (ecc_sets[x].size == 0) {
+        WOLFSSL_MSG("ecc_set curve name not found");
+        err = ASN_PARSE_E;
+    } else {
+        return wc_ecc_import_raw_private(key, qx, qy, d, ecc_sets[x].id,
+            WC_TYPE_HEX_STR);
+    }
+
+    return err;
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
 
 /* key size in octets */
 int wc_ecc_size(ecc_key* key)
 {
-    if (key == NULL) return 0;
+    if (key == NULL)
+        return 0;
 
     return key->dp->size;
 }
 
+/* maximum signature size based on key size */
+int wc_ecc_sig_size_calc(int sz)
+{
+    int maxSigSz = 0;
+
+    /* calculate based on key bits */
+    /* maximum possible signature header size is 7 bytes plus 2 bytes padding */
+    maxSigSz = (sz * 2) + SIG_HEADER_SZ + ECC_MAX_PAD_SZ;
 
-/* worst case estimate, check actual return from wc_ecc_sign_hash for actual value
-   of signature size in octets */
+    /* if total length is less than 128 + SEQ(1)+LEN(1) then subtract 1 */
+    if (maxSigSz < (128 + 2)) {
+        maxSigSz -= 1;
+    }
+
+    return maxSigSz;
+}
+
+/* maximum signature size based on actual key curve */
 int wc_ecc_sig_size(ecc_key* key)
 {
-    int sz = wc_ecc_size(key);
-    if (sz <= 0)
-        return sz;
+    int maxSigSz;
+    int orderBits, keySz;
+
+    if (key == NULL || key->dp == NULL)
+        return 0;
+
+    /* the signature r and s will always be less than order */
+    /* if the order MSB (top bit of byte) is set then ASN encoding needs
+        extra byte for r and s, so add 2 */
+    keySz = key->dp->size;
+    orderBits = wc_ecc_get_curve_order_bit_count(key->dp);
+    if (orderBits > keySz * 8) {
+        keySz = (orderBits + 7) / 8;
+    }
+    /* maximum possible signature header size is 7 bytes */
+    maxSigSz = (keySz * 2) + SIG_HEADER_SZ;
+    if ((orderBits % 8) == 0) {
+        /* MSB can be set, so add 2 */
+        maxSigSz += ECC_MAX_PAD_SZ;
+    }
+    /* if total length is less than 128 + SEQ(1)+LEN(1) then subtract 1 */
+    if (maxSigSz < (128 + 2)) {
+        maxSigSz -= 1;
+    }
 
-    return sz * 2 + SIG_HEADER_SZ + 4;  /* (4) worst case estimate */
+    return maxSigSz;
 }
 
 
@@ -2894,7 +8066,7 @@ int wc_ecc_sig_size(ecc_key* key)
 /* fixed point ECC cache */
 /* number of entries in the cache */
 #ifndef FP_ENTRIES
-    #define FP_ENTRIES 16
+    #define FP_ENTRIES 15
 #endif
 
 /* number of bits in LUT */
@@ -2914,10 +8086,12 @@ int wc_ecc_sig_size(ecc_key* key)
 #endif
 
 
+#ifndef WOLFSSL_SP_MATH
+
 /** Our FP cache */
 typedef struct {
    ecc_point* g;               /* cached COPY of base point */
-   ecc_point* LUT[1U<<FP_LUT]; /* fixed point lookup */ 
+   ecc_point* LUT[1U<<FP_LUT]; /* fixed point lookup */
    mp_int     mu;              /* copy of the montgomery constant */
    int        lru_count;       /* amount of times this entry has been used */
    int        lock;            /* flag to indicate cache eviction */
@@ -2936,524 +8110,524 @@ static THREAD_LS_T fp_cache_t fp_cache[FP_ENTRIES];
 static const struct {
    int ham, terma, termb;
 } lut_orders[] = {
-   { 0, 0, 0 }, { 1, 0, 0 }, { 1, 0, 0 }, { 2, 1, 2 }, { 1, 0, 0 }, { 2, 1, 4 }, { 2, 2, 4 }, { 3, 3, 4 }, 
-   { 1, 0, 0 }, { 2, 1, 8 }, { 2, 2, 8 }, { 3, 3, 8 }, { 2, 4, 8 }, { 3, 5, 8 }, { 3, 6, 8 }, { 4, 7, 8 }, 
-   { 1, 0, 0 }, { 2, 1, 16 }, { 2, 2, 16 }, { 3, 3, 16 }, { 2, 4, 16 }, { 3, 5, 16 }, { 3, 6, 16 }, { 4, 7, 16 }, 
-   { 2, 8, 16 }, { 3, 9, 16 }, { 3, 10, 16 }, { 4, 11, 16 }, { 3, 12, 16 }, { 4, 13, 16 }, { 4, 14, 16 }, { 5, 15, 16 }, 
-   { 1, 0, 0 }, { 2, 1, 32 }, { 2, 2, 32 }, { 3, 3, 32 }, { 2, 4, 32 }, { 3, 5, 32 }, { 3, 6, 32 }, { 4, 7, 32 }, 
-   { 2, 8, 32 }, { 3, 9, 32 }, { 3, 10, 32 }, { 4, 11, 32 }, { 3, 12, 32 }, { 4, 13, 32 }, { 4, 14, 32 }, { 5, 15, 32 }, 
-   { 2, 16, 32 }, { 3, 17, 32 }, { 3, 18, 32 }, { 4, 19, 32 }, { 3, 20, 32 }, { 4, 21, 32 }, { 4, 22, 32 }, { 5, 23, 32 }, 
-   { 3, 24, 32 }, { 4, 25, 32 }, { 4, 26, 32 }, { 5, 27, 32 }, { 4, 28, 32 }, { 5, 29, 32 }, { 5, 30, 32 }, { 6, 31, 32 }, 
+   { 0, 0, 0 }, { 1, 0, 0 }, { 1, 0, 0 }, { 2, 1, 2 }, { 1, 0, 0 }, { 2, 1, 4 }, { 2, 2, 4 }, { 3, 3, 4 },
+   { 1, 0, 0 }, { 2, 1, 8 }, { 2, 2, 8 }, { 3, 3, 8 }, { 2, 4, 8 }, { 3, 5, 8 }, { 3, 6, 8 }, { 4, 7, 8 },
+   { 1, 0, 0 }, { 2, 1, 16 }, { 2, 2, 16 }, { 3, 3, 16 }, { 2, 4, 16 }, { 3, 5, 16 }, { 3, 6, 16 }, { 4, 7, 16 },
+   { 2, 8, 16 }, { 3, 9, 16 }, { 3, 10, 16 }, { 4, 11, 16 }, { 3, 12, 16 }, { 4, 13, 16 }, { 4, 14, 16 }, { 5, 15, 16 },
+   { 1, 0, 0 }, { 2, 1, 32 }, { 2, 2, 32 }, { 3, 3, 32 }, { 2, 4, 32 }, { 3, 5, 32 }, { 3, 6, 32 }, { 4, 7, 32 },
+   { 2, 8, 32 }, { 3, 9, 32 }, { 3, 10, 32 }, { 4, 11, 32 }, { 3, 12, 32 }, { 4, 13, 32 }, { 4, 14, 32 }, { 5, 15, 32 },
+   { 2, 16, 32 }, { 3, 17, 32 }, { 3, 18, 32 }, { 4, 19, 32 }, { 3, 20, 32 }, { 4, 21, 32 }, { 4, 22, 32 }, { 5, 23, 32 },
+   { 3, 24, 32 }, { 4, 25, 32 }, { 4, 26, 32 }, { 5, 27, 32 }, { 4, 28, 32 }, { 5, 29, 32 }, { 5, 30, 32 }, { 6, 31, 32 },
 #if FP_LUT > 6
-   { 1, 0, 0 }, { 2, 1, 64 }, { 2, 2, 64 }, { 3, 3, 64 }, { 2, 4, 64 }, { 3, 5, 64 }, { 3, 6, 64 }, { 4, 7, 64 }, 
-   { 2, 8, 64 }, { 3, 9, 64 }, { 3, 10, 64 }, { 4, 11, 64 }, { 3, 12, 64 }, { 4, 13, 64 }, { 4, 14, 64 }, { 5, 15, 64 }, 
-   { 2, 16, 64 }, { 3, 17, 64 }, { 3, 18, 64 }, { 4, 19, 64 }, { 3, 20, 64 }, { 4, 21, 64 }, { 4, 22, 64 }, { 5, 23, 64 }, 
-   { 3, 24, 64 }, { 4, 25, 64 }, { 4, 26, 64 }, { 5, 27, 64 }, { 4, 28, 64 }, { 5, 29, 64 }, { 5, 30, 64 }, { 6, 31, 64 }, 
-   { 2, 32, 64 }, { 3, 33, 64 }, { 3, 34, 64 }, { 4, 35, 64 }, { 3, 36, 64 }, { 4, 37, 64 }, { 4, 38, 64 }, { 5, 39, 64 }, 
-   { 3, 40, 64 }, { 4, 41, 64 }, { 4, 42, 64 }, { 5, 43, 64 }, { 4, 44, 64 }, { 5, 45, 64 }, { 5, 46, 64 }, { 6, 47, 64 }, 
-   { 3, 48, 64 }, { 4, 49, 64 }, { 4, 50, 64 }, { 5, 51, 64 }, { 4, 52, 64 }, { 5, 53, 64 }, { 5, 54, 64 }, { 6, 55, 64 }, 
-   { 4, 56, 64 }, { 5, 57, 64 }, { 5, 58, 64 }, { 6, 59, 64 }, { 5, 60, 64 }, { 6, 61, 64 }, { 6, 62, 64 }, { 7, 63, 64 }, 
+   { 1, 0, 0 }, { 2, 1, 64 }, { 2, 2, 64 }, { 3, 3, 64 }, { 2, 4, 64 }, { 3, 5, 64 }, { 3, 6, 64 }, { 4, 7, 64 },
+   { 2, 8, 64 }, { 3, 9, 64 }, { 3, 10, 64 }, { 4, 11, 64 }, { 3, 12, 64 }, { 4, 13, 64 }, { 4, 14, 64 }, { 5, 15, 64 },
+   { 2, 16, 64 }, { 3, 17, 64 }, { 3, 18, 64 }, { 4, 19, 64 }, { 3, 20, 64 }, { 4, 21, 64 }, { 4, 22, 64 }, { 5, 23, 64 },
+   { 3, 24, 64 }, { 4, 25, 64 }, { 4, 26, 64 }, { 5, 27, 64 }, { 4, 28, 64 }, { 5, 29, 64 }, { 5, 30, 64 }, { 6, 31, 64 },
+   { 2, 32, 64 }, { 3, 33, 64 }, { 3, 34, 64 }, { 4, 35, 64 }, { 3, 36, 64 }, { 4, 37, 64 }, { 4, 38, 64 }, { 5, 39, 64 },
+   { 3, 40, 64 }, { 4, 41, 64 }, { 4, 42, 64 }, { 5, 43, 64 }, { 4, 44, 64 }, { 5, 45, 64 }, { 5, 46, 64 }, { 6, 47, 64 },
+   { 3, 48, 64 }, { 4, 49, 64 }, { 4, 50, 64 }, { 5, 51, 64 }, { 4, 52, 64 }, { 5, 53, 64 }, { 5, 54, 64 }, { 6, 55, 64 },
+   { 4, 56, 64 }, { 5, 57, 64 }, { 5, 58, 64 }, { 6, 59, 64 }, { 5, 60, 64 }, { 6, 61, 64 }, { 6, 62, 64 }, { 7, 63, 64 },
 #if FP_LUT > 7
-   { 1, 0, 0 }, { 2, 1, 128 }, { 2, 2, 128 }, { 3, 3, 128 }, { 2, 4, 128 }, { 3, 5, 128 }, { 3, 6, 128 }, { 4, 7, 128 }, 
-   { 2, 8, 128 }, { 3, 9, 128 }, { 3, 10, 128 }, { 4, 11, 128 }, { 3, 12, 128 }, { 4, 13, 128 }, { 4, 14, 128 }, { 5, 15, 128 }, 
-   { 2, 16, 128 }, { 3, 17, 128 }, { 3, 18, 128 }, { 4, 19, 128 }, { 3, 20, 128 }, { 4, 21, 128 }, { 4, 22, 128 }, { 5, 23, 128 }, 
-   { 3, 24, 128 }, { 4, 25, 128 }, { 4, 26, 128 }, { 5, 27, 128 }, { 4, 28, 128 }, { 5, 29, 128 }, { 5, 30, 128 }, { 6, 31, 128 }, 
-   { 2, 32, 128 }, { 3, 33, 128 }, { 3, 34, 128 }, { 4, 35, 128 }, { 3, 36, 128 }, { 4, 37, 128 }, { 4, 38, 128 }, { 5, 39, 128 }, 
-   { 3, 40, 128 }, { 4, 41, 128 }, { 4, 42, 128 }, { 5, 43, 128 }, { 4, 44, 128 }, { 5, 45, 128 }, { 5, 46, 128 }, { 6, 47, 128 }, 
-   { 3, 48, 128 }, { 4, 49, 128 }, { 4, 50, 128 }, { 5, 51, 128 }, { 4, 52, 128 }, { 5, 53, 128 }, { 5, 54, 128 }, { 6, 55, 128 }, 
-   { 4, 56, 128 }, { 5, 57, 128 }, { 5, 58, 128 }, { 6, 59, 128 }, { 5, 60, 128 }, { 6, 61, 128 }, { 6, 62, 128 }, { 7, 63, 128 }, 
-   { 2, 64, 128 }, { 3, 65, 128 }, { 3, 66, 128 }, { 4, 67, 128 }, { 3, 68, 128 }, { 4, 69, 128 }, { 4, 70, 128 }, { 5, 71, 128 }, 
-   { 3, 72, 128 }, { 4, 73, 128 }, { 4, 74, 128 }, { 5, 75, 128 }, { 4, 76, 128 }, { 5, 77, 128 }, { 5, 78, 128 }, { 6, 79, 128 }, 
-   { 3, 80, 128 }, { 4, 81, 128 }, { 4, 82, 128 }, { 5, 83, 128 }, { 4, 84, 128 }, { 5, 85, 128 }, { 5, 86, 128 }, { 6, 87, 128 }, 
-   { 4, 88, 128 }, { 5, 89, 128 }, { 5, 90, 128 }, { 6, 91, 128 }, { 5, 92, 128 }, { 6, 93, 128 }, { 6, 94, 128 }, { 7, 95, 128 }, 
-   { 3, 96, 128 }, { 4, 97, 128 }, { 4, 98, 128 }, { 5, 99, 128 }, { 4, 100, 128 }, { 5, 101, 128 }, { 5, 102, 128 }, { 6, 103, 128 }, 
-   { 4, 104, 128 }, { 5, 105, 128 }, { 5, 106, 128 }, { 6, 107, 128 }, { 5, 108, 128 }, { 6, 109, 128 }, { 6, 110, 128 }, { 7, 111, 128 }, 
-   { 4, 112, 128 }, { 5, 113, 128 }, { 5, 114, 128 }, { 6, 115, 128 }, { 5, 116, 128 }, { 6, 117, 128 }, { 6, 118, 128 }, { 7, 119, 128 }, 
-   { 5, 120, 128 }, { 6, 121, 128 }, { 6, 122, 128 }, { 7, 123, 128 }, { 6, 124, 128 }, { 7, 125, 128 }, { 7, 126, 128 }, { 8, 127, 128 }, 
+   { 1, 0, 0 }, { 2, 1, 128 }, { 2, 2, 128 }, { 3, 3, 128 }, { 2, 4, 128 }, { 3, 5, 128 }, { 3, 6, 128 }, { 4, 7, 128 },
+   { 2, 8, 128 }, { 3, 9, 128 }, { 3, 10, 128 }, { 4, 11, 128 }, { 3, 12, 128 }, { 4, 13, 128 }, { 4, 14, 128 }, { 5, 15, 128 },
+   { 2, 16, 128 }, { 3, 17, 128 }, { 3, 18, 128 }, { 4, 19, 128 }, { 3, 20, 128 }, { 4, 21, 128 }, { 4, 22, 128 }, { 5, 23, 128 },
+   { 3, 24, 128 }, { 4, 25, 128 }, { 4, 26, 128 }, { 5, 27, 128 }, { 4, 28, 128 }, { 5, 29, 128 }, { 5, 30, 128 }, { 6, 31, 128 },
+   { 2, 32, 128 }, { 3, 33, 128 }, { 3, 34, 128 }, { 4, 35, 128 }, { 3, 36, 128 }, { 4, 37, 128 }, { 4, 38, 128 }, { 5, 39, 128 },
+   { 3, 40, 128 }, { 4, 41, 128 }, { 4, 42, 128 }, { 5, 43, 128 }, { 4, 44, 128 }, { 5, 45, 128 }, { 5, 46, 128 }, { 6, 47, 128 },
+   { 3, 48, 128 }, { 4, 49, 128 }, { 4, 50, 128 }, { 5, 51, 128 }, { 4, 52, 128 }, { 5, 53, 128 }, { 5, 54, 128 }, { 6, 55, 128 },
+   { 4, 56, 128 }, { 5, 57, 128 }, { 5, 58, 128 }, { 6, 59, 128 }, { 5, 60, 128 }, { 6, 61, 128 }, { 6, 62, 128 }, { 7, 63, 128 },
+   { 2, 64, 128 }, { 3, 65, 128 }, { 3, 66, 128 }, { 4, 67, 128 }, { 3, 68, 128 }, { 4, 69, 128 }, { 4, 70, 128 }, { 5, 71, 128 },
+   { 3, 72, 128 }, { 4, 73, 128 }, { 4, 74, 128 }, { 5, 75, 128 }, { 4, 76, 128 }, { 5, 77, 128 }, { 5, 78, 128 }, { 6, 79, 128 },
+   { 3, 80, 128 }, { 4, 81, 128 }, { 4, 82, 128 }, { 5, 83, 128 }, { 4, 84, 128 }, { 5, 85, 128 }, { 5, 86, 128 }, { 6, 87, 128 },
+   { 4, 88, 128 }, { 5, 89, 128 }, { 5, 90, 128 }, { 6, 91, 128 }, { 5, 92, 128 }, { 6, 93, 128 }, { 6, 94, 128 }, { 7, 95, 128 },
+   { 3, 96, 128 }, { 4, 97, 128 }, { 4, 98, 128 }, { 5, 99, 128 }, { 4, 100, 128 }, { 5, 101, 128 }, { 5, 102, 128 }, { 6, 103, 128 },
+   { 4, 104, 128 }, { 5, 105, 128 }, { 5, 106, 128 }, { 6, 107, 128 }, { 5, 108, 128 }, { 6, 109, 128 }, { 6, 110, 128 }, { 7, 111, 128 },
+   { 4, 112, 128 }, { 5, 113, 128 }, { 5, 114, 128 }, { 6, 115, 128 }, { 5, 116, 128 }, { 6, 117, 128 }, { 6, 118, 128 }, { 7, 119, 128 },
+   { 5, 120, 128 }, { 6, 121, 128 }, { 6, 122, 128 }, { 7, 123, 128 }, { 6, 124, 128 }, { 7, 125, 128 }, { 7, 126, 128 }, { 8, 127, 128 },
 #if FP_LUT > 8
-   { 1, 0, 0 }, { 2, 1, 256 }, { 2, 2, 256 }, { 3, 3, 256 }, { 2, 4, 256 }, { 3, 5, 256 }, { 3, 6, 256 }, { 4, 7, 256 }, 
-   { 2, 8, 256 }, { 3, 9, 256 }, { 3, 10, 256 }, { 4, 11, 256 }, { 3, 12, 256 }, { 4, 13, 256 }, { 4, 14, 256 }, { 5, 15, 256 }, 
-   { 2, 16, 256 }, { 3, 17, 256 }, { 3, 18, 256 }, { 4, 19, 256 }, { 3, 20, 256 }, { 4, 21, 256 }, { 4, 22, 256 }, { 5, 23, 256 }, 
-   { 3, 24, 256 }, { 4, 25, 256 }, { 4, 26, 256 }, { 5, 27, 256 }, { 4, 28, 256 }, { 5, 29, 256 }, { 5, 30, 256 }, { 6, 31, 256 }, 
-   { 2, 32, 256 }, { 3, 33, 256 }, { 3, 34, 256 }, { 4, 35, 256 }, { 3, 36, 256 }, { 4, 37, 256 }, { 4, 38, 256 }, { 5, 39, 256 }, 
-   { 3, 40, 256 }, { 4, 41, 256 }, { 4, 42, 256 }, { 5, 43, 256 }, { 4, 44, 256 }, { 5, 45, 256 }, { 5, 46, 256 }, { 6, 47, 256 }, 
-   { 3, 48, 256 }, { 4, 49, 256 }, { 4, 50, 256 }, { 5, 51, 256 }, { 4, 52, 256 }, { 5, 53, 256 }, { 5, 54, 256 }, { 6, 55, 256 }, 
-   { 4, 56, 256 }, { 5, 57, 256 }, { 5, 58, 256 }, { 6, 59, 256 }, { 5, 60, 256 }, { 6, 61, 256 }, { 6, 62, 256 }, { 7, 63, 256 }, 
-   { 2, 64, 256 }, { 3, 65, 256 }, { 3, 66, 256 }, { 4, 67, 256 }, { 3, 68, 256 }, { 4, 69, 256 }, { 4, 70, 256 }, { 5, 71, 256 }, 
-   { 3, 72, 256 }, { 4, 73, 256 }, { 4, 74, 256 }, { 5, 75, 256 }, { 4, 76, 256 }, { 5, 77, 256 }, { 5, 78, 256 }, { 6, 79, 256 }, 
-   { 3, 80, 256 }, { 4, 81, 256 }, { 4, 82, 256 }, { 5, 83, 256 }, { 4, 84, 256 }, { 5, 85, 256 }, { 5, 86, 256 }, { 6, 87, 256 }, 
-   { 4, 88, 256 }, { 5, 89, 256 }, { 5, 90, 256 }, { 6, 91, 256 }, { 5, 92, 256 }, { 6, 93, 256 }, { 6, 94, 256 }, { 7, 95, 256 }, 
-   { 3, 96, 256 }, { 4, 97, 256 }, { 4, 98, 256 }, { 5, 99, 256 }, { 4, 100, 256 }, { 5, 101, 256 }, { 5, 102, 256 }, { 6, 103, 256 }, 
-   { 4, 104, 256 }, { 5, 105, 256 }, { 5, 106, 256 }, { 6, 107, 256 }, { 5, 108, 256 }, { 6, 109, 256 }, { 6, 110, 256 }, { 7, 111, 256 }, 
-   { 4, 112, 256 }, { 5, 113, 256 }, { 5, 114, 256 }, { 6, 115, 256 }, { 5, 116, 256 }, { 6, 117, 256 }, { 6, 118, 256 }, { 7, 119, 256 }, 
-   { 5, 120, 256 }, { 6, 121, 256 }, { 6, 122, 256 }, { 7, 123, 256 }, { 6, 124, 256 }, { 7, 125, 256 }, { 7, 126, 256 }, { 8, 127, 256 }, 
-   { 2, 128, 256 }, { 3, 129, 256 }, { 3, 130, 256 }, { 4, 131, 256 }, { 3, 132, 256 }, { 4, 133, 256 }, { 4, 134, 256 }, { 5, 135, 256 }, 
-   { 3, 136, 256 }, { 4, 137, 256 }, { 4, 138, 256 }, { 5, 139, 256 }, { 4, 140, 256 }, { 5, 141, 256 }, { 5, 142, 256 }, { 6, 143, 256 }, 
-   { 3, 144, 256 }, { 4, 145, 256 }, { 4, 146, 256 }, { 5, 147, 256 }, { 4, 148, 256 }, { 5, 149, 256 }, { 5, 150, 256 }, { 6, 151, 256 }, 
-   { 4, 152, 256 }, { 5, 153, 256 }, { 5, 154, 256 }, { 6, 155, 256 }, { 5, 156, 256 }, { 6, 157, 256 }, { 6, 158, 256 }, { 7, 159, 256 }, 
-   { 3, 160, 256 }, { 4, 161, 256 }, { 4, 162, 256 }, { 5, 163, 256 }, { 4, 164, 256 }, { 5, 165, 256 }, { 5, 166, 256 }, { 6, 167, 256 }, 
-   { 4, 168, 256 }, { 5, 169, 256 }, { 5, 170, 256 }, { 6, 171, 256 }, { 5, 172, 256 }, { 6, 173, 256 }, { 6, 174, 256 }, { 7, 175, 256 }, 
-   { 4, 176, 256 }, { 5, 177, 256 }, { 5, 178, 256 }, { 6, 179, 256 }, { 5, 180, 256 }, { 6, 181, 256 }, { 6, 182, 256 }, { 7, 183, 256 }, 
-   { 5, 184, 256 }, { 6, 185, 256 }, { 6, 186, 256 }, { 7, 187, 256 }, { 6, 188, 256 }, { 7, 189, 256 }, { 7, 190, 256 }, { 8, 191, 256 }, 
-   { 3, 192, 256 }, { 4, 193, 256 }, { 4, 194, 256 }, { 5, 195, 256 }, { 4, 196, 256 }, { 5, 197, 256 }, { 5, 198, 256 }, { 6, 199, 256 }, 
-   { 4, 200, 256 }, { 5, 201, 256 }, { 5, 202, 256 }, { 6, 203, 256 }, { 5, 204, 256 }, { 6, 205, 256 }, { 6, 206, 256 }, { 7, 207, 256 }, 
-   { 4, 208, 256 }, { 5, 209, 256 }, { 5, 210, 256 }, { 6, 211, 256 }, { 5, 212, 256 }, { 6, 213, 256 }, { 6, 214, 256 }, { 7, 215, 256 }, 
-   { 5, 216, 256 }, { 6, 217, 256 }, { 6, 218, 256 }, { 7, 219, 256 }, { 6, 220, 256 }, { 7, 221, 256 }, { 7, 222, 256 }, { 8, 223, 256 }, 
-   { 4, 224, 256 }, { 5, 225, 256 }, { 5, 226, 256 }, { 6, 227, 256 }, { 5, 228, 256 }, { 6, 229, 256 }, { 6, 230, 256 }, { 7, 231, 256 }, 
-   { 5, 232, 256 }, { 6, 233, 256 }, { 6, 234, 256 }, { 7, 235, 256 }, { 6, 236, 256 }, { 7, 237, 256 }, { 7, 238, 256 }, { 8, 239, 256 }, 
-   { 5, 240, 256 }, { 6, 241, 256 }, { 6, 242, 256 }, { 7, 243, 256 }, { 6, 244, 256 }, { 7, 245, 256 }, { 7, 246, 256 }, { 8, 247, 256 }, 
-   { 6, 248, 256 }, { 7, 249, 256 }, { 7, 250, 256 }, { 8, 251, 256 }, { 7, 252, 256 }, { 8, 253, 256 }, { 8, 254, 256 }, { 9, 255, 256 }, 
+   { 1, 0, 0 }, { 2, 1, 256 }, { 2, 2, 256 }, { 3, 3, 256 }, { 2, 4, 256 }, { 3, 5, 256 }, { 3, 6, 256 }, { 4, 7, 256 },
+   { 2, 8, 256 }, { 3, 9, 256 }, { 3, 10, 256 }, { 4, 11, 256 }, { 3, 12, 256 }, { 4, 13, 256 }, { 4, 14, 256 }, { 5, 15, 256 },
+   { 2, 16, 256 }, { 3, 17, 256 }, { 3, 18, 256 }, { 4, 19, 256 }, { 3, 20, 256 }, { 4, 21, 256 }, { 4, 22, 256 }, { 5, 23, 256 },
+   { 3, 24, 256 }, { 4, 25, 256 }, { 4, 26, 256 }, { 5, 27, 256 }, { 4, 28, 256 }, { 5, 29, 256 }, { 5, 30, 256 }, { 6, 31, 256 },
+   { 2, 32, 256 }, { 3, 33, 256 }, { 3, 34, 256 }, { 4, 35, 256 }, { 3, 36, 256 }, { 4, 37, 256 }, { 4, 38, 256 }, { 5, 39, 256 },
+   { 3, 40, 256 }, { 4, 41, 256 }, { 4, 42, 256 }, { 5, 43, 256 }, { 4, 44, 256 }, { 5, 45, 256 }, { 5, 46, 256 }, { 6, 47, 256 },
+   { 3, 48, 256 }, { 4, 49, 256 }, { 4, 50, 256 }, { 5, 51, 256 }, { 4, 52, 256 }, { 5, 53, 256 }, { 5, 54, 256 }, { 6, 55, 256 },
+   { 4, 56, 256 }, { 5, 57, 256 }, { 5, 58, 256 }, { 6, 59, 256 }, { 5, 60, 256 }, { 6, 61, 256 }, { 6, 62, 256 }, { 7, 63, 256 },
+   { 2, 64, 256 }, { 3, 65, 256 }, { 3, 66, 256 }, { 4, 67, 256 }, { 3, 68, 256 }, { 4, 69, 256 }, { 4, 70, 256 }, { 5, 71, 256 },
+   { 3, 72, 256 }, { 4, 73, 256 }, { 4, 74, 256 }, { 5, 75, 256 }, { 4, 76, 256 }, { 5, 77, 256 }, { 5, 78, 256 }, { 6, 79, 256 },
+   { 3, 80, 256 }, { 4, 81, 256 }, { 4, 82, 256 }, { 5, 83, 256 }, { 4, 84, 256 }, { 5, 85, 256 }, { 5, 86, 256 }, { 6, 87, 256 },
+   { 4, 88, 256 }, { 5, 89, 256 }, { 5, 90, 256 }, { 6, 91, 256 }, { 5, 92, 256 }, { 6, 93, 256 }, { 6, 94, 256 }, { 7, 95, 256 },
+   { 3, 96, 256 }, { 4, 97, 256 }, { 4, 98, 256 }, { 5, 99, 256 }, { 4, 100, 256 }, { 5, 101, 256 }, { 5, 102, 256 }, { 6, 103, 256 },
+   { 4, 104, 256 }, { 5, 105, 256 }, { 5, 106, 256 }, { 6, 107, 256 }, { 5, 108, 256 }, { 6, 109, 256 }, { 6, 110, 256 }, { 7, 111, 256 },
+   { 4, 112, 256 }, { 5, 113, 256 }, { 5, 114, 256 }, { 6, 115, 256 }, { 5, 116, 256 }, { 6, 117, 256 }, { 6, 118, 256 }, { 7, 119, 256 },
+   { 5, 120, 256 }, { 6, 121, 256 }, { 6, 122, 256 }, { 7, 123, 256 }, { 6, 124, 256 }, { 7, 125, 256 }, { 7, 126, 256 }, { 8, 127, 256 },
+   { 2, 128, 256 }, { 3, 129, 256 }, { 3, 130, 256 }, { 4, 131, 256 }, { 3, 132, 256 }, { 4, 133, 256 }, { 4, 134, 256 }, { 5, 135, 256 },
+   { 3, 136, 256 }, { 4, 137, 256 }, { 4, 138, 256 }, { 5, 139, 256 }, { 4, 140, 256 }, { 5, 141, 256 }, { 5, 142, 256 }, { 6, 143, 256 },
+   { 3, 144, 256 }, { 4, 145, 256 }, { 4, 146, 256 }, { 5, 147, 256 }, { 4, 148, 256 }, { 5, 149, 256 }, { 5, 150, 256 }, { 6, 151, 256 },
+   { 4, 152, 256 }, { 5, 153, 256 }, { 5, 154, 256 }, { 6, 155, 256 }, { 5, 156, 256 }, { 6, 157, 256 }, { 6, 158, 256 }, { 7, 159, 256 },
+   { 3, 160, 256 }, { 4, 161, 256 }, { 4, 162, 256 }, { 5, 163, 256 }, { 4, 164, 256 }, { 5, 165, 256 }, { 5, 166, 256 }, { 6, 167, 256 },
+   { 4, 168, 256 }, { 5, 169, 256 }, { 5, 170, 256 }, { 6, 171, 256 }, { 5, 172, 256 }, { 6, 173, 256 }, { 6, 174, 256 }, { 7, 175, 256 },
+   { 4, 176, 256 }, { 5, 177, 256 }, { 5, 178, 256 }, { 6, 179, 256 }, { 5, 180, 256 }, { 6, 181, 256 }, { 6, 182, 256 }, { 7, 183, 256 },
+   { 5, 184, 256 }, { 6, 185, 256 }, { 6, 186, 256 }, { 7, 187, 256 }, { 6, 188, 256 }, { 7, 189, 256 }, { 7, 190, 256 }, { 8, 191, 256 },
+   { 3, 192, 256 }, { 4, 193, 256 }, { 4, 194, 256 }, { 5, 195, 256 }, { 4, 196, 256 }, { 5, 197, 256 }, { 5, 198, 256 }, { 6, 199, 256 },
+   { 4, 200, 256 }, { 5, 201, 256 }, { 5, 202, 256 }, { 6, 203, 256 }, { 5, 204, 256 }, { 6, 205, 256 }, { 6, 206, 256 }, { 7, 207, 256 },
+   { 4, 208, 256 }, { 5, 209, 256 }, { 5, 210, 256 }, { 6, 211, 256 }, { 5, 212, 256 }, { 6, 213, 256 }, { 6, 214, 256 }, { 7, 215, 256 },
+   { 5, 216, 256 }, { 6, 217, 256 }, { 6, 218, 256 }, { 7, 219, 256 }, { 6, 220, 256 }, { 7, 221, 256 }, { 7, 222, 256 }, { 8, 223, 256 },
+   { 4, 224, 256 }, { 5, 225, 256 }, { 5, 226, 256 }, { 6, 227, 256 }, { 5, 228, 256 }, { 6, 229, 256 }, { 6, 230, 256 }, { 7, 231, 256 },
+   { 5, 232, 256 }, { 6, 233, 256 }, { 6, 234, 256 }, { 7, 235, 256 }, { 6, 236, 256 }, { 7, 237, 256 }, { 7, 238, 256 }, { 8, 239, 256 },
+   { 5, 240, 256 }, { 6, 241, 256 }, { 6, 242, 256 }, { 7, 243, 256 }, { 6, 244, 256 }, { 7, 245, 256 }, { 7, 246, 256 }, { 8, 247, 256 },
+   { 6, 248, 256 }, { 7, 249, 256 }, { 7, 250, 256 }, { 8, 251, 256 }, { 7, 252, 256 }, { 8, 253, 256 }, { 8, 254, 256 }, { 9, 255, 256 },
 #if FP_LUT > 9
-   { 1, 0, 0 }, { 2, 1, 512 }, { 2, 2, 512 }, { 3, 3, 512 }, { 2, 4, 512 }, { 3, 5, 512 }, { 3, 6, 512 }, { 4, 7, 512 }, 
-   { 2, 8, 512 }, { 3, 9, 512 }, { 3, 10, 512 }, { 4, 11, 512 }, { 3, 12, 512 }, { 4, 13, 512 }, { 4, 14, 512 }, { 5, 15, 512 }, 
-   { 2, 16, 512 }, { 3, 17, 512 }, { 3, 18, 512 }, { 4, 19, 512 }, { 3, 20, 512 }, { 4, 21, 512 }, { 4, 22, 512 }, { 5, 23, 512 }, 
-   { 3, 24, 512 }, { 4, 25, 512 }, { 4, 26, 512 }, { 5, 27, 512 }, { 4, 28, 512 }, { 5, 29, 512 }, { 5, 30, 512 }, { 6, 31, 512 }, 
-   { 2, 32, 512 }, { 3, 33, 512 }, { 3, 34, 512 }, { 4, 35, 512 }, { 3, 36, 512 }, { 4, 37, 512 }, { 4, 38, 512 }, { 5, 39, 512 }, 
-   { 3, 40, 512 }, { 4, 41, 512 }, { 4, 42, 512 }, { 5, 43, 512 }, { 4, 44, 512 }, { 5, 45, 512 }, { 5, 46, 512 }, { 6, 47, 512 }, 
-   { 3, 48, 512 }, { 4, 49, 512 }, { 4, 50, 512 }, { 5, 51, 512 }, { 4, 52, 512 }, { 5, 53, 512 }, { 5, 54, 512 }, { 6, 55, 512 }, 
-   { 4, 56, 512 }, { 5, 57, 512 }, { 5, 58, 512 }, { 6, 59, 512 }, { 5, 60, 512 }, { 6, 61, 512 }, { 6, 62, 512 }, { 7, 63, 512 }, 
-   { 2, 64, 512 }, { 3, 65, 512 }, { 3, 66, 512 }, { 4, 67, 512 }, { 3, 68, 512 }, { 4, 69, 512 }, { 4, 70, 512 }, { 5, 71, 512 }, 
-   { 3, 72, 512 }, { 4, 73, 512 }, { 4, 74, 512 }, { 5, 75, 512 }, { 4, 76, 512 }, { 5, 77, 512 }, { 5, 78, 512 }, { 6, 79, 512 }, 
-   { 3, 80, 512 }, { 4, 81, 512 }, { 4, 82, 512 }, { 5, 83, 512 }, { 4, 84, 512 }, { 5, 85, 512 }, { 5, 86, 512 }, { 6, 87, 512 }, 
-   { 4, 88, 512 }, { 5, 89, 512 }, { 5, 90, 512 }, { 6, 91, 512 }, { 5, 92, 512 }, { 6, 93, 512 }, { 6, 94, 512 }, { 7, 95, 512 }, 
-   { 3, 96, 512 }, { 4, 97, 512 }, { 4, 98, 512 }, { 5, 99, 512 }, { 4, 100, 512 }, { 5, 101, 512 }, { 5, 102, 512 }, { 6, 103, 512 }, 
-   { 4, 104, 512 }, { 5, 105, 512 }, { 5, 106, 512 }, { 6, 107, 512 }, { 5, 108, 512 }, { 6, 109, 512 }, { 6, 110, 512 }, { 7, 111, 512 }, 
-   { 4, 112, 512 }, { 5, 113, 512 }, { 5, 114, 512 }, { 6, 115, 512 }, { 5, 116, 512 }, { 6, 117, 512 }, { 6, 118, 512 }, { 7, 119, 512 }, 
-   { 5, 120, 512 }, { 6, 121, 512 }, { 6, 122, 512 }, { 7, 123, 512 }, { 6, 124, 512 }, { 7, 125, 512 }, { 7, 126, 512 }, { 8, 127, 512 }, 
-   { 2, 128, 512 }, { 3, 129, 512 }, { 3, 130, 512 }, { 4, 131, 512 }, { 3, 132, 512 }, { 4, 133, 512 }, { 4, 134, 512 }, { 5, 135, 512 }, 
-   { 3, 136, 512 }, { 4, 137, 512 }, { 4, 138, 512 }, { 5, 139, 512 }, { 4, 140, 512 }, { 5, 141, 512 }, { 5, 142, 512 }, { 6, 143, 512 }, 
-   { 3, 144, 512 }, { 4, 145, 512 }, { 4, 146, 512 }, { 5, 147, 512 }, { 4, 148, 512 }, { 5, 149, 512 }, { 5, 150, 512 }, { 6, 151, 512 }, 
-   { 4, 152, 512 }, { 5, 153, 512 }, { 5, 154, 512 }, { 6, 155, 512 }, { 5, 156, 512 }, { 6, 157, 512 }, { 6, 158, 512 }, { 7, 159, 512 }, 
-   { 3, 160, 512 }, { 4, 161, 512 }, { 4, 162, 512 }, { 5, 163, 512 }, { 4, 164, 512 }, { 5, 165, 512 }, { 5, 166, 512 }, { 6, 167, 512 }, 
-   { 4, 168, 512 }, { 5, 169, 512 }, { 5, 170, 512 }, { 6, 171, 512 }, { 5, 172, 512 }, { 6, 173, 512 }, { 6, 174, 512 }, { 7, 175, 512 }, 
-   { 4, 176, 512 }, { 5, 177, 512 }, { 5, 178, 512 }, { 6, 179, 512 }, { 5, 180, 512 }, { 6, 181, 512 }, { 6, 182, 512 }, { 7, 183, 512 }, 
-   { 5, 184, 512 }, { 6, 185, 512 }, { 6, 186, 512 }, { 7, 187, 512 }, { 6, 188, 512 }, { 7, 189, 512 }, { 7, 190, 512 }, { 8, 191, 512 }, 
-   { 3, 192, 512 }, { 4, 193, 512 }, { 4, 194, 512 }, { 5, 195, 512 }, { 4, 196, 512 }, { 5, 197, 512 }, { 5, 198, 512 }, { 6, 199, 512 }, 
-   { 4, 200, 512 }, { 5, 201, 512 }, { 5, 202, 512 }, { 6, 203, 512 }, { 5, 204, 512 }, { 6, 205, 512 }, { 6, 206, 512 }, { 7, 207, 512 }, 
-   { 4, 208, 512 }, { 5, 209, 512 }, { 5, 210, 512 }, { 6, 211, 512 }, { 5, 212, 512 }, { 6, 213, 512 }, { 6, 214, 512 }, { 7, 215, 512 }, 
-   { 5, 216, 512 }, { 6, 217, 512 }, { 6, 218, 512 }, { 7, 219, 512 }, { 6, 220, 512 }, { 7, 221, 512 }, { 7, 222, 512 }, { 8, 223, 512 }, 
-   { 4, 224, 512 }, { 5, 225, 512 }, { 5, 226, 512 }, { 6, 227, 512 }, { 5, 228, 512 }, { 6, 229, 512 }, { 6, 230, 512 }, { 7, 231, 512 }, 
-   { 5, 232, 512 }, { 6, 233, 512 }, { 6, 234, 512 }, { 7, 235, 512 }, { 6, 236, 512 }, { 7, 237, 512 }, { 7, 238, 512 }, { 8, 239, 512 }, 
-   { 5, 240, 512 }, { 6, 241, 512 }, { 6, 242, 512 }, { 7, 243, 512 }, { 6, 244, 512 }, { 7, 245, 512 }, { 7, 246, 512 }, { 8, 247, 512 }, 
-   { 6, 248, 512 }, { 7, 249, 512 }, { 7, 250, 512 }, { 8, 251, 512 }, { 7, 252, 512 }, { 8, 253, 512 }, { 8, 254, 512 }, { 9, 255, 512 }, 
-   { 2, 256, 512 }, { 3, 257, 512 }, { 3, 258, 512 }, { 4, 259, 512 }, { 3, 260, 512 }, { 4, 261, 512 }, { 4, 262, 512 }, { 5, 263, 512 }, 
-   { 3, 264, 512 }, { 4, 265, 512 }, { 4, 266, 512 }, { 5, 267, 512 }, { 4, 268, 512 }, { 5, 269, 512 }, { 5, 270, 512 }, { 6, 271, 512 }, 
-   { 3, 272, 512 }, { 4, 273, 512 }, { 4, 274, 512 }, { 5, 275, 512 }, { 4, 276, 512 }, { 5, 277, 512 }, { 5, 278, 512 }, { 6, 279, 512 }, 
-   { 4, 280, 512 }, { 5, 281, 512 }, { 5, 282, 512 }, { 6, 283, 512 }, { 5, 284, 512 }, { 6, 285, 512 }, { 6, 286, 512 }, { 7, 287, 512 }, 
-   { 3, 288, 512 }, { 4, 289, 512 }, { 4, 290, 512 }, { 5, 291, 512 }, { 4, 292, 512 }, { 5, 293, 512 }, { 5, 294, 512 }, { 6, 295, 512 }, 
-   { 4, 296, 512 }, { 5, 297, 512 }, { 5, 298, 512 }, { 6, 299, 512 }, { 5, 300, 512 }, { 6, 301, 512 }, { 6, 302, 512 }, { 7, 303, 512 }, 
-   { 4, 304, 512 }, { 5, 305, 512 }, { 5, 306, 512 }, { 6, 307, 512 }, { 5, 308, 512 }, { 6, 309, 512 }, { 6, 310, 512 }, { 7, 311, 512 }, 
-   { 5, 312, 512 }, { 6, 313, 512 }, { 6, 314, 512 }, { 7, 315, 512 }, { 6, 316, 512 }, { 7, 317, 512 }, { 7, 318, 512 }, { 8, 319, 512 }, 
-   { 3, 320, 512 }, { 4, 321, 512 }, { 4, 322, 512 }, { 5, 323, 512 }, { 4, 324, 512 }, { 5, 325, 512 }, { 5, 326, 512 }, { 6, 327, 512 }, 
-   { 4, 328, 512 }, { 5, 329, 512 }, { 5, 330, 512 }, { 6, 331, 512 }, { 5, 332, 512 }, { 6, 333, 512 }, { 6, 334, 512 }, { 7, 335, 512 }, 
-   { 4, 336, 512 }, { 5, 337, 512 }, { 5, 338, 512 }, { 6, 339, 512 }, { 5, 340, 512 }, { 6, 341, 512 }, { 6, 342, 512 }, { 7, 343, 512 }, 
-   { 5, 344, 512 }, { 6, 345, 512 }, { 6, 346, 512 }, { 7, 347, 512 }, { 6, 348, 512 }, { 7, 349, 512 }, { 7, 350, 512 }, { 8, 351, 512 }, 
-   { 4, 352, 512 }, { 5, 353, 512 }, { 5, 354, 512 }, { 6, 355, 512 }, { 5, 356, 512 }, { 6, 357, 512 }, { 6, 358, 512 }, { 7, 359, 512 }, 
-   { 5, 360, 512 }, { 6, 361, 512 }, { 6, 362, 512 }, { 7, 363, 512 }, { 6, 364, 512 }, { 7, 365, 512 }, { 7, 366, 512 }, { 8, 367, 512 }, 
-   { 5, 368, 512 }, { 6, 369, 512 }, { 6, 370, 512 }, { 7, 371, 512 }, { 6, 372, 512 }, { 7, 373, 512 }, { 7, 374, 512 }, { 8, 375, 512 }, 
-   { 6, 376, 512 }, { 7, 377, 512 }, { 7, 378, 512 }, { 8, 379, 512 }, { 7, 380, 512 }, { 8, 381, 512 }, { 8, 382, 512 }, { 9, 383, 512 }, 
-   { 3, 384, 512 }, { 4, 385, 512 }, { 4, 386, 512 }, { 5, 387, 512 }, { 4, 388, 512 }, { 5, 389, 512 }, { 5, 390, 512 }, { 6, 391, 512 }, 
-   { 4, 392, 512 }, { 5, 393, 512 }, { 5, 394, 512 }, { 6, 395, 512 }, { 5, 396, 512 }, { 6, 397, 512 }, { 6, 398, 512 }, { 7, 399, 512 }, 
-   { 4, 400, 512 }, { 5, 401, 512 }, { 5, 402, 512 }, { 6, 403, 512 }, { 5, 404, 512 }, { 6, 405, 512 }, { 6, 406, 512 }, { 7, 407, 512 }, 
-   { 5, 408, 512 }, { 6, 409, 512 }, { 6, 410, 512 }, { 7, 411, 512 }, { 6, 412, 512 }, { 7, 413, 512 }, { 7, 414, 512 }, { 8, 415, 512 }, 
-   { 4, 416, 512 }, { 5, 417, 512 }, { 5, 418, 512 }, { 6, 419, 512 }, { 5, 420, 512 }, { 6, 421, 512 }, { 6, 422, 512 }, { 7, 423, 512 }, 
-   { 5, 424, 512 }, { 6, 425, 512 }, { 6, 426, 512 }, { 7, 427, 512 }, { 6, 428, 512 }, { 7, 429, 512 }, { 7, 430, 512 }, { 8, 431, 512 }, 
-   { 5, 432, 512 }, { 6, 433, 512 }, { 6, 434, 512 }, { 7, 435, 512 }, { 6, 436, 512 }, { 7, 437, 512 }, { 7, 438, 512 }, { 8, 439, 512 }, 
-   { 6, 440, 512 }, { 7, 441, 512 }, { 7, 442, 512 }, { 8, 443, 512 }, { 7, 444, 512 }, { 8, 445, 512 }, { 8, 446, 512 }, { 9, 447, 512 }, 
-   { 4, 448, 512 }, { 5, 449, 512 }, { 5, 450, 512 }, { 6, 451, 512 }, { 5, 452, 512 }, { 6, 453, 512 }, { 6, 454, 512 }, { 7, 455, 512 }, 
-   { 5, 456, 512 }, { 6, 457, 512 }, { 6, 458, 512 }, { 7, 459, 512 }, { 6, 460, 512 }, { 7, 461, 512 }, { 7, 462, 512 }, { 8, 463, 512 }, 
-   { 5, 464, 512 }, { 6, 465, 512 }, { 6, 466, 512 }, { 7, 467, 512 }, { 6, 468, 512 }, { 7, 469, 512 }, { 7, 470, 512 }, { 8, 471, 512 }, 
-   { 6, 472, 512 }, { 7, 473, 512 }, { 7, 474, 512 }, { 8, 475, 512 }, { 7, 476, 512 }, { 8, 477, 512 }, { 8, 478, 512 }, { 9, 479, 512 }, 
-   { 5, 480, 512 }, { 6, 481, 512 }, { 6, 482, 512 }, { 7, 483, 512 }, { 6, 484, 512 }, { 7, 485, 512 }, { 7, 486, 512 }, { 8, 487, 512 }, 
-   { 6, 488, 512 }, { 7, 489, 512 }, { 7, 490, 512 }, { 8, 491, 512 }, { 7, 492, 512 }, { 8, 493, 512 }, { 8, 494, 512 }, { 9, 495, 512 }, 
-   { 6, 496, 512 }, { 7, 497, 512 }, { 7, 498, 512 }, { 8, 499, 512 }, { 7, 500, 512 }, { 8, 501, 512 }, { 8, 502, 512 }, { 9, 503, 512 }, 
-   { 7, 504, 512 }, { 8, 505, 512 }, { 8, 506, 512 }, { 9, 507, 512 }, { 8, 508, 512 }, { 9, 509, 512 }, { 9, 510, 512 }, { 10, 511, 512 }, 
+   { 1, 0, 0 }, { 2, 1, 512 }, { 2, 2, 512 }, { 3, 3, 512 }, { 2, 4, 512 }, { 3, 5, 512 }, { 3, 6, 512 }, { 4, 7, 512 },
+   { 2, 8, 512 }, { 3, 9, 512 }, { 3, 10, 512 }, { 4, 11, 512 }, { 3, 12, 512 }, { 4, 13, 512 }, { 4, 14, 512 }, { 5, 15, 512 },
+   { 2, 16, 512 }, { 3, 17, 512 }, { 3, 18, 512 }, { 4, 19, 512 }, { 3, 20, 512 }, { 4, 21, 512 }, { 4, 22, 512 }, { 5, 23, 512 },
+   { 3, 24, 512 }, { 4, 25, 512 }, { 4, 26, 512 }, { 5, 27, 512 }, { 4, 28, 512 }, { 5, 29, 512 }, { 5, 30, 512 }, { 6, 31, 512 },
+   { 2, 32, 512 }, { 3, 33, 512 }, { 3, 34, 512 }, { 4, 35, 512 }, { 3, 36, 512 }, { 4, 37, 512 }, { 4, 38, 512 }, { 5, 39, 512 },
+   { 3, 40, 512 }, { 4, 41, 512 }, { 4, 42, 512 }, { 5, 43, 512 }, { 4, 44, 512 }, { 5, 45, 512 }, { 5, 46, 512 }, { 6, 47, 512 },
+   { 3, 48, 512 }, { 4, 49, 512 }, { 4, 50, 512 }, { 5, 51, 512 }, { 4, 52, 512 }, { 5, 53, 512 }, { 5, 54, 512 }, { 6, 55, 512 },
+   { 4, 56, 512 }, { 5, 57, 512 }, { 5, 58, 512 }, { 6, 59, 512 }, { 5, 60, 512 }, { 6, 61, 512 }, { 6, 62, 512 }, { 7, 63, 512 },
+   { 2, 64, 512 }, { 3, 65, 512 }, { 3, 66, 512 }, { 4, 67, 512 }, { 3, 68, 512 }, { 4, 69, 512 }, { 4, 70, 512 }, { 5, 71, 512 },
+   { 3, 72, 512 }, { 4, 73, 512 }, { 4, 74, 512 }, { 5, 75, 512 }, { 4, 76, 512 }, { 5, 77, 512 }, { 5, 78, 512 }, { 6, 79, 512 },
+   { 3, 80, 512 }, { 4, 81, 512 }, { 4, 82, 512 }, { 5, 83, 512 }, { 4, 84, 512 }, { 5, 85, 512 }, { 5, 86, 512 }, { 6, 87, 512 },
+   { 4, 88, 512 }, { 5, 89, 512 }, { 5, 90, 512 }, { 6, 91, 512 }, { 5, 92, 512 }, { 6, 93, 512 }, { 6, 94, 512 }, { 7, 95, 512 },
+   { 3, 96, 512 }, { 4, 97, 512 }, { 4, 98, 512 }, { 5, 99, 512 }, { 4, 100, 512 }, { 5, 101, 512 }, { 5, 102, 512 }, { 6, 103, 512 },
+   { 4, 104, 512 }, { 5, 105, 512 }, { 5, 106, 512 }, { 6, 107, 512 }, { 5, 108, 512 }, { 6, 109, 512 }, { 6, 110, 512 }, { 7, 111, 512 },
+   { 4, 112, 512 }, { 5, 113, 512 }, { 5, 114, 512 }, { 6, 115, 512 }, { 5, 116, 512 }, { 6, 117, 512 }, { 6, 118, 512 }, { 7, 119, 512 },
+   { 5, 120, 512 }, { 6, 121, 512 }, { 6, 122, 512 }, { 7, 123, 512 }, { 6, 124, 512 }, { 7, 125, 512 }, { 7, 126, 512 }, { 8, 127, 512 },
+   { 2, 128, 512 }, { 3, 129, 512 }, { 3, 130, 512 }, { 4, 131, 512 }, { 3, 132, 512 }, { 4, 133, 512 }, { 4, 134, 512 }, { 5, 135, 512 },
+   { 3, 136, 512 }, { 4, 137, 512 }, { 4, 138, 512 }, { 5, 139, 512 }, { 4, 140, 512 }, { 5, 141, 512 }, { 5, 142, 512 }, { 6, 143, 512 },
+   { 3, 144, 512 }, { 4, 145, 512 }, { 4, 146, 512 }, { 5, 147, 512 }, { 4, 148, 512 }, { 5, 149, 512 }, { 5, 150, 512 }, { 6, 151, 512 },
+   { 4, 152, 512 }, { 5, 153, 512 }, { 5, 154, 512 }, { 6, 155, 512 }, { 5, 156, 512 }, { 6, 157, 512 }, { 6, 158, 512 }, { 7, 159, 512 },
+   { 3, 160, 512 }, { 4, 161, 512 }, { 4, 162, 512 }, { 5, 163, 512 }, { 4, 164, 512 }, { 5, 165, 512 }, { 5, 166, 512 }, { 6, 167, 512 },
+   { 4, 168, 512 }, { 5, 169, 512 }, { 5, 170, 512 }, { 6, 171, 512 }, { 5, 172, 512 }, { 6, 173, 512 }, { 6, 174, 512 }, { 7, 175, 512 },
+   { 4, 176, 512 }, { 5, 177, 512 }, { 5, 178, 512 }, { 6, 179, 512 }, { 5, 180, 512 }, { 6, 181, 512 }, { 6, 182, 512 }, { 7, 183, 512 },
+   { 5, 184, 512 }, { 6, 185, 512 }, { 6, 186, 512 }, { 7, 187, 512 }, { 6, 188, 512 }, { 7, 189, 512 }, { 7, 190, 512 }, { 8, 191, 512 },
+   { 3, 192, 512 }, { 4, 193, 512 }, { 4, 194, 512 }, { 5, 195, 512 }, { 4, 196, 512 }, { 5, 197, 512 }, { 5, 198, 512 }, { 6, 199, 512 },
+   { 4, 200, 512 }, { 5, 201, 512 }, { 5, 202, 512 }, { 6, 203, 512 }, { 5, 204, 512 }, { 6, 205, 512 }, { 6, 206, 512 }, { 7, 207, 512 },
+   { 4, 208, 512 }, { 5, 209, 512 }, { 5, 210, 512 }, { 6, 211, 512 }, { 5, 212, 512 }, { 6, 213, 512 }, { 6, 214, 512 }, { 7, 215, 512 },
+   { 5, 216, 512 }, { 6, 217, 512 }, { 6, 218, 512 }, { 7, 219, 512 }, { 6, 220, 512 }, { 7, 221, 512 }, { 7, 222, 512 }, { 8, 223, 512 },
+   { 4, 224, 512 }, { 5, 225, 512 }, { 5, 226, 512 }, { 6, 227, 512 }, { 5, 228, 512 }, { 6, 229, 512 }, { 6, 230, 512 }, { 7, 231, 512 },
+   { 5, 232, 512 }, { 6, 233, 512 }, { 6, 234, 512 }, { 7, 235, 512 }, { 6, 236, 512 }, { 7, 237, 512 }, { 7, 238, 512 }, { 8, 239, 512 },
+   { 5, 240, 512 }, { 6, 241, 512 }, { 6, 242, 512 }, { 7, 243, 512 }, { 6, 244, 512 }, { 7, 245, 512 }, { 7, 246, 512 }, { 8, 247, 512 },
+   { 6, 248, 512 }, { 7, 249, 512 }, { 7, 250, 512 }, { 8, 251, 512 }, { 7, 252, 512 }, { 8, 253, 512 }, { 8, 254, 512 }, { 9, 255, 512 },
+   { 2, 256, 512 }, { 3, 257, 512 }, { 3, 258, 512 }, { 4, 259, 512 }, { 3, 260, 512 }, { 4, 261, 512 }, { 4, 262, 512 }, { 5, 263, 512 },
+   { 3, 264, 512 }, { 4, 265, 512 }, { 4, 266, 512 }, { 5, 267, 512 }, { 4, 268, 512 }, { 5, 269, 512 }, { 5, 270, 512 }, { 6, 271, 512 },
+   { 3, 272, 512 }, { 4, 273, 512 }, { 4, 274, 512 }, { 5, 275, 512 }, { 4, 276, 512 }, { 5, 277, 512 }, { 5, 278, 512 }, { 6, 279, 512 },
+   { 4, 280, 512 }, { 5, 281, 512 }, { 5, 282, 512 }, { 6, 283, 512 }, { 5, 284, 512 }, { 6, 285, 512 }, { 6, 286, 512 }, { 7, 287, 512 },
+   { 3, 288, 512 }, { 4, 289, 512 }, { 4, 290, 512 }, { 5, 291, 512 }, { 4, 292, 512 }, { 5, 293, 512 }, { 5, 294, 512 }, { 6, 295, 512 },
+   { 4, 296, 512 }, { 5, 297, 512 }, { 5, 298, 512 }, { 6, 299, 512 }, { 5, 300, 512 }, { 6, 301, 512 }, { 6, 302, 512 }, { 7, 303, 512 },
+   { 4, 304, 512 }, { 5, 305, 512 }, { 5, 306, 512 }, { 6, 307, 512 }, { 5, 308, 512 }, { 6, 309, 512 }, { 6, 310, 512 }, { 7, 311, 512 },
+   { 5, 312, 512 }, { 6, 313, 512 }, { 6, 314, 512 }, { 7, 315, 512 }, { 6, 316, 512 }, { 7, 317, 512 }, { 7, 318, 512 }, { 8, 319, 512 },
+   { 3, 320, 512 }, { 4, 321, 512 }, { 4, 322, 512 }, { 5, 323, 512 }, { 4, 324, 512 }, { 5, 325, 512 }, { 5, 326, 512 }, { 6, 327, 512 },
+   { 4, 328, 512 }, { 5, 329, 512 }, { 5, 330, 512 }, { 6, 331, 512 }, { 5, 332, 512 }, { 6, 333, 512 }, { 6, 334, 512 }, { 7, 335, 512 },
+   { 4, 336, 512 }, { 5, 337, 512 }, { 5, 338, 512 }, { 6, 339, 512 }, { 5, 340, 512 }, { 6, 341, 512 }, { 6, 342, 512 }, { 7, 343, 512 },
+   { 5, 344, 512 }, { 6, 345, 512 }, { 6, 346, 512 }, { 7, 347, 512 }, { 6, 348, 512 }, { 7, 349, 512 }, { 7, 350, 512 }, { 8, 351, 512 },
+   { 4, 352, 512 }, { 5, 353, 512 }, { 5, 354, 512 }, { 6, 355, 512 }, { 5, 356, 512 }, { 6, 357, 512 }, { 6, 358, 512 }, { 7, 359, 512 },
+   { 5, 360, 512 }, { 6, 361, 512 }, { 6, 362, 512 }, { 7, 363, 512 }, { 6, 364, 512 }, { 7, 365, 512 }, { 7, 366, 512 }, { 8, 367, 512 },
+   { 5, 368, 512 }, { 6, 369, 512 }, { 6, 370, 512 }, { 7, 371, 512 }, { 6, 372, 512 }, { 7, 373, 512 }, { 7, 374, 512 }, { 8, 375, 512 },
+   { 6, 376, 512 }, { 7, 377, 512 }, { 7, 378, 512 }, { 8, 379, 512 }, { 7, 380, 512 }, { 8, 381, 512 }, { 8, 382, 512 }, { 9, 383, 512 },
+   { 3, 384, 512 }, { 4, 385, 512 }, { 4, 386, 512 }, { 5, 387, 512 }, { 4, 388, 512 }, { 5, 389, 512 }, { 5, 390, 512 }, { 6, 391, 512 },
+   { 4, 392, 512 }, { 5, 393, 512 }, { 5, 394, 512 }, { 6, 395, 512 }, { 5, 396, 512 }, { 6, 397, 512 }, { 6, 398, 512 }, { 7, 399, 512 },
+   { 4, 400, 512 }, { 5, 401, 512 }, { 5, 402, 512 }, { 6, 403, 512 }, { 5, 404, 512 }, { 6, 405, 512 }, { 6, 406, 512 }, { 7, 407, 512 },
+   { 5, 408, 512 }, { 6, 409, 512 }, { 6, 410, 512 }, { 7, 411, 512 }, { 6, 412, 512 }, { 7, 413, 512 }, { 7, 414, 512 }, { 8, 415, 512 },
+   { 4, 416, 512 }, { 5, 417, 512 }, { 5, 418, 512 }, { 6, 419, 512 }, { 5, 420, 512 }, { 6, 421, 512 }, { 6, 422, 512 }, { 7, 423, 512 },
+   { 5, 424, 512 }, { 6, 425, 512 }, { 6, 426, 512 }, { 7, 427, 512 }, { 6, 428, 512 }, { 7, 429, 512 }, { 7, 430, 512 }, { 8, 431, 512 },
+   { 5, 432, 512 }, { 6, 433, 512 }, { 6, 434, 512 }, { 7, 435, 512 }, { 6, 436, 512 }, { 7, 437, 512 }, { 7, 438, 512 }, { 8, 439, 512 },
+   { 6, 440, 512 }, { 7, 441, 512 }, { 7, 442, 512 }, { 8, 443, 512 }, { 7, 444, 512 }, { 8, 445, 512 }, { 8, 446, 512 }, { 9, 447, 512 },
+   { 4, 448, 512 }, { 5, 449, 512 }, { 5, 450, 512 }, { 6, 451, 512 }, { 5, 452, 512 }, { 6, 453, 512 }, { 6, 454, 512 }, { 7, 455, 512 },
+   { 5, 456, 512 }, { 6, 457, 512 }, { 6, 458, 512 }, { 7, 459, 512 }, { 6, 460, 512 }, { 7, 461, 512 }, { 7, 462, 512 }, { 8, 463, 512 },
+   { 5, 464, 512 }, { 6, 465, 512 }, { 6, 466, 512 }, { 7, 467, 512 }, { 6, 468, 512 }, { 7, 469, 512 }, { 7, 470, 512 }, { 8, 471, 512 },
+   { 6, 472, 512 }, { 7, 473, 512 }, { 7, 474, 512 }, { 8, 475, 512 }, { 7, 476, 512 }, { 8, 477, 512 }, { 8, 478, 512 }, { 9, 479, 512 },
+   { 5, 480, 512 }, { 6, 481, 512 }, { 6, 482, 512 }, { 7, 483, 512 }, { 6, 484, 512 }, { 7, 485, 512 }, { 7, 486, 512 }, { 8, 487, 512 },
+   { 6, 488, 512 }, { 7, 489, 512 }, { 7, 490, 512 }, { 8, 491, 512 }, { 7, 492, 512 }, { 8, 493, 512 }, { 8, 494, 512 }, { 9, 495, 512 },
+   { 6, 496, 512 }, { 7, 497, 512 }, { 7, 498, 512 }, { 8, 499, 512 }, { 7, 500, 512 }, { 8, 501, 512 }, { 8, 502, 512 }, { 9, 503, 512 },
+   { 7, 504, 512 }, { 8, 505, 512 }, { 8, 506, 512 }, { 9, 507, 512 }, { 8, 508, 512 }, { 9, 509, 512 }, { 9, 510, 512 }, { 10, 511, 512 },
 #if FP_LUT > 10
-   { 1, 0, 0 }, { 2, 1, 1024 }, { 2, 2, 1024 }, { 3, 3, 1024 }, { 2, 4, 1024 }, { 3, 5, 1024 }, { 3, 6, 1024 }, { 4, 7, 1024 }, 
-   { 2, 8, 1024 }, { 3, 9, 1024 }, { 3, 10, 1024 }, { 4, 11, 1024 }, { 3, 12, 1024 }, { 4, 13, 1024 }, { 4, 14, 1024 }, { 5, 15, 1024 }, 
-   { 2, 16, 1024 }, { 3, 17, 1024 }, { 3, 18, 1024 }, { 4, 19, 1024 }, { 3, 20, 1024 }, { 4, 21, 1024 }, { 4, 22, 1024 }, { 5, 23, 1024 }, 
-   { 3, 24, 1024 }, { 4, 25, 1024 }, { 4, 26, 1024 }, { 5, 27, 1024 }, { 4, 28, 1024 }, { 5, 29, 1024 }, { 5, 30, 1024 }, { 6, 31, 1024 }, 
-   { 2, 32, 1024 }, { 3, 33, 1024 }, { 3, 34, 1024 }, { 4, 35, 1024 }, { 3, 36, 1024 }, { 4, 37, 1024 }, { 4, 38, 1024 }, { 5, 39, 1024 }, 
-   { 3, 40, 1024 }, { 4, 41, 1024 }, { 4, 42, 1024 }, { 5, 43, 1024 }, { 4, 44, 1024 }, { 5, 45, 1024 }, { 5, 46, 1024 }, { 6, 47, 1024 }, 
-   { 3, 48, 1024 }, { 4, 49, 1024 }, { 4, 50, 1024 }, { 5, 51, 1024 }, { 4, 52, 1024 }, { 5, 53, 1024 }, { 5, 54, 1024 }, { 6, 55, 1024 }, 
-   { 4, 56, 1024 }, { 5, 57, 1024 }, { 5, 58, 1024 }, { 6, 59, 1024 }, { 5, 60, 1024 }, { 6, 61, 1024 }, { 6, 62, 1024 }, { 7, 63, 1024 }, 
-   { 2, 64, 1024 }, { 3, 65, 1024 }, { 3, 66, 1024 }, { 4, 67, 1024 }, { 3, 68, 1024 }, { 4, 69, 1024 }, { 4, 70, 1024 }, { 5, 71, 1024 }, 
-   { 3, 72, 1024 }, { 4, 73, 1024 }, { 4, 74, 1024 }, { 5, 75, 1024 }, { 4, 76, 1024 }, { 5, 77, 1024 }, { 5, 78, 1024 }, { 6, 79, 1024 }, 
-   { 3, 80, 1024 }, { 4, 81, 1024 }, { 4, 82, 1024 }, { 5, 83, 1024 }, { 4, 84, 1024 }, { 5, 85, 1024 }, { 5, 86, 1024 }, { 6, 87, 1024 }, 
-   { 4, 88, 1024 }, { 5, 89, 1024 }, { 5, 90, 1024 }, { 6, 91, 1024 }, { 5, 92, 1024 }, { 6, 93, 1024 }, { 6, 94, 1024 }, { 7, 95, 1024 }, 
-   { 3, 96, 1024 }, { 4, 97, 1024 }, { 4, 98, 1024 }, { 5, 99, 1024 }, { 4, 100, 1024 }, { 5, 101, 1024 }, { 5, 102, 1024 }, { 6, 103, 1024 }, 
-   { 4, 104, 1024 }, { 5, 105, 1024 }, { 5, 106, 1024 }, { 6, 107, 1024 }, { 5, 108, 1024 }, { 6, 109, 1024 }, { 6, 110, 1024 }, { 7, 111, 1024 }, 
-   { 4, 112, 1024 }, { 5, 113, 1024 }, { 5, 114, 1024 }, { 6, 115, 1024 }, { 5, 116, 1024 }, { 6, 117, 1024 }, { 6, 118, 1024 }, { 7, 119, 1024 }, 
-   { 5, 120, 1024 }, { 6, 121, 1024 }, { 6, 122, 1024 }, { 7, 123, 1024 }, { 6, 124, 1024 }, { 7, 125, 1024 }, { 7, 126, 1024 }, { 8, 127, 1024 }, 
-   { 2, 128, 1024 }, { 3, 129, 1024 }, { 3, 130, 1024 }, { 4, 131, 1024 }, { 3, 132, 1024 }, { 4, 133, 1024 }, { 4, 134, 1024 }, { 5, 135, 1024 }, 
-   { 3, 136, 1024 }, { 4, 137, 1024 }, { 4, 138, 1024 }, { 5, 139, 1024 }, { 4, 140, 1024 }, { 5, 141, 1024 }, { 5, 142, 1024 }, { 6, 143, 1024 }, 
-   { 3, 144, 1024 }, { 4, 145, 1024 }, { 4, 146, 1024 }, { 5, 147, 1024 }, { 4, 148, 1024 }, { 5, 149, 1024 }, { 5, 150, 1024 }, { 6, 151, 1024 }, 
-   { 4, 152, 1024 }, { 5, 153, 1024 }, { 5, 154, 1024 }, { 6, 155, 1024 }, { 5, 156, 1024 }, { 6, 157, 1024 }, { 6, 158, 1024 }, { 7, 159, 1024 }, 
-   { 3, 160, 1024 }, { 4, 161, 1024 }, { 4, 162, 1024 }, { 5, 163, 1024 }, { 4, 164, 1024 }, { 5, 165, 1024 }, { 5, 166, 1024 }, { 6, 167, 1024 }, 
-   { 4, 168, 1024 }, { 5, 169, 1024 }, { 5, 170, 1024 }, { 6, 171, 1024 }, { 5, 172, 1024 }, { 6, 173, 1024 }, { 6, 174, 1024 }, { 7, 175, 1024 }, 
-   { 4, 176, 1024 }, { 5, 177, 1024 }, { 5, 178, 1024 }, { 6, 179, 1024 }, { 5, 180, 1024 }, { 6, 181, 1024 }, { 6, 182, 1024 }, { 7, 183, 1024 }, 
-   { 5, 184, 1024 }, { 6, 185, 1024 }, { 6, 186, 1024 }, { 7, 187, 1024 }, { 6, 188, 1024 }, { 7, 189, 1024 }, { 7, 190, 1024 }, { 8, 191, 1024 }, 
-   { 3, 192, 1024 }, { 4, 193, 1024 }, { 4, 194, 1024 }, { 5, 195, 1024 }, { 4, 196, 1024 }, { 5, 197, 1024 }, { 5, 198, 1024 }, { 6, 199, 1024 }, 
-   { 4, 200, 1024 }, { 5, 201, 1024 }, { 5, 202, 1024 }, { 6, 203, 1024 }, { 5, 204, 1024 }, { 6, 205, 1024 }, { 6, 206, 1024 }, { 7, 207, 1024 }, 
-   { 4, 208, 1024 }, { 5, 209, 1024 }, { 5, 210, 1024 }, { 6, 211, 1024 }, { 5, 212, 1024 }, { 6, 213, 1024 }, { 6, 214, 1024 }, { 7, 215, 1024 }, 
-   { 5, 216, 1024 }, { 6, 217, 1024 }, { 6, 218, 1024 }, { 7, 219, 1024 }, { 6, 220, 1024 }, { 7, 221, 1024 }, { 7, 222, 1024 }, { 8, 223, 1024 }, 
-   { 4, 224, 1024 }, { 5, 225, 1024 }, { 5, 226, 1024 }, { 6, 227, 1024 }, { 5, 228, 1024 }, { 6, 229, 1024 }, { 6, 230, 1024 }, { 7, 231, 1024 }, 
-   { 5, 232, 1024 }, { 6, 233, 1024 }, { 6, 234, 1024 }, { 7, 235, 1024 }, { 6, 236, 1024 }, { 7, 237, 1024 }, { 7, 238, 1024 }, { 8, 239, 1024 }, 
-   { 5, 240, 1024 }, { 6, 241, 1024 }, { 6, 242, 1024 }, { 7, 243, 1024 }, { 6, 244, 1024 }, { 7, 245, 1024 }, { 7, 246, 1024 }, { 8, 247, 1024 }, 
-   { 6, 248, 1024 }, { 7, 249, 1024 }, { 7, 250, 1024 }, { 8, 251, 1024 }, { 7, 252, 1024 }, { 8, 253, 1024 }, { 8, 254, 1024 }, { 9, 255, 1024 }, 
-   { 2, 256, 1024 }, { 3, 257, 1024 }, { 3, 258, 1024 }, { 4, 259, 1024 }, { 3, 260, 1024 }, { 4, 261, 1024 }, { 4, 262, 1024 }, { 5, 263, 1024 }, 
-   { 3, 264, 1024 }, { 4, 265, 1024 }, { 4, 266, 1024 }, { 5, 267, 1024 }, { 4, 268, 1024 }, { 5, 269, 1024 }, { 5, 270, 1024 }, { 6, 271, 1024 }, 
-   { 3, 272, 1024 }, { 4, 273, 1024 }, { 4, 274, 1024 }, { 5, 275, 1024 }, { 4, 276, 1024 }, { 5, 277, 1024 }, { 5, 278, 1024 }, { 6, 279, 1024 }, 
-   { 4, 280, 1024 }, { 5, 281, 1024 }, { 5, 282, 1024 }, { 6, 283, 1024 }, { 5, 284, 1024 }, { 6, 285, 1024 }, { 6, 286, 1024 }, { 7, 287, 1024 }, 
-   { 3, 288, 1024 }, { 4, 289, 1024 }, { 4, 290, 1024 }, { 5, 291, 1024 }, { 4, 292, 1024 }, { 5, 293, 1024 }, { 5, 294, 1024 }, { 6, 295, 1024 }, 
-   { 4, 296, 1024 }, { 5, 297, 1024 }, { 5, 298, 1024 }, { 6, 299, 1024 }, { 5, 300, 1024 }, { 6, 301, 1024 }, { 6, 302, 1024 }, { 7, 303, 1024 }, 
-   { 4, 304, 1024 }, { 5, 305, 1024 }, { 5, 306, 1024 }, { 6, 307, 1024 }, { 5, 308, 1024 }, { 6, 309, 1024 }, { 6, 310, 1024 }, { 7, 311, 1024 }, 
-   { 5, 312, 1024 }, { 6, 313, 1024 }, { 6, 314, 1024 }, { 7, 315, 1024 }, { 6, 316, 1024 }, { 7, 317, 1024 }, { 7, 318, 1024 }, { 8, 319, 1024 }, 
-   { 3, 320, 1024 }, { 4, 321, 1024 }, { 4, 322, 1024 }, { 5, 323, 1024 }, { 4, 324, 1024 }, { 5, 325, 1024 }, { 5, 326, 1024 }, { 6, 327, 1024 }, 
-   { 4, 328, 1024 }, { 5, 329, 1024 }, { 5, 330, 1024 }, { 6, 331, 1024 }, { 5, 332, 1024 }, { 6, 333, 1024 }, { 6, 334, 1024 }, { 7, 335, 1024 }, 
-   { 4, 336, 1024 }, { 5, 337, 1024 }, { 5, 338, 1024 }, { 6, 339, 1024 }, { 5, 340, 1024 }, { 6, 341, 1024 }, { 6, 342, 1024 }, { 7, 343, 1024 }, 
-   { 5, 344, 1024 }, { 6, 345, 1024 }, { 6, 346, 1024 }, { 7, 347, 1024 }, { 6, 348, 1024 }, { 7, 349, 1024 }, { 7, 350, 1024 }, { 8, 351, 1024 }, 
-   { 4, 352, 1024 }, { 5, 353, 1024 }, { 5, 354, 1024 }, { 6, 355, 1024 }, { 5, 356, 1024 }, { 6, 357, 1024 }, { 6, 358, 1024 }, { 7, 359, 1024 }, 
-   { 5, 360, 1024 }, { 6, 361, 1024 }, { 6, 362, 1024 }, { 7, 363, 1024 }, { 6, 364, 1024 }, { 7, 365, 1024 }, { 7, 366, 1024 }, { 8, 367, 1024 }, 
-   { 5, 368, 1024 }, { 6, 369, 1024 }, { 6, 370, 1024 }, { 7, 371, 1024 }, { 6, 372, 1024 }, { 7, 373, 1024 }, { 7, 374, 1024 }, { 8, 375, 1024 }, 
-   { 6, 376, 1024 }, { 7, 377, 1024 }, { 7, 378, 1024 }, { 8, 379, 1024 }, { 7, 380, 1024 }, { 8, 381, 1024 }, { 8, 382, 1024 }, { 9, 383, 1024 }, 
-   { 3, 384, 1024 }, { 4, 385, 1024 }, { 4, 386, 1024 }, { 5, 387, 1024 }, { 4, 388, 1024 }, { 5, 389, 1024 }, { 5, 390, 1024 }, { 6, 391, 1024 }, 
-   { 4, 392, 1024 }, { 5, 393, 1024 }, { 5, 394, 1024 }, { 6, 395, 1024 }, { 5, 396, 1024 }, { 6, 397, 1024 }, { 6, 398, 1024 }, { 7, 399, 1024 }, 
-   { 4, 400, 1024 }, { 5, 401, 1024 }, { 5, 402, 1024 }, { 6, 403, 1024 }, { 5, 404, 1024 }, { 6, 405, 1024 }, { 6, 406, 1024 }, { 7, 407, 1024 }, 
-   { 5, 408, 1024 }, { 6, 409, 1024 }, { 6, 410, 1024 }, { 7, 411, 1024 }, { 6, 412, 1024 }, { 7, 413, 1024 }, { 7, 414, 1024 }, { 8, 415, 1024 }, 
-   { 4, 416, 1024 }, { 5, 417, 1024 }, { 5, 418, 1024 }, { 6, 419, 1024 }, { 5, 420, 1024 }, { 6, 421, 1024 }, { 6, 422, 1024 }, { 7, 423, 1024 }, 
-   { 5, 424, 1024 }, { 6, 425, 1024 }, { 6, 426, 1024 }, { 7, 427, 1024 }, { 6, 428, 1024 }, { 7, 429, 1024 }, { 7, 430, 1024 }, { 8, 431, 1024 }, 
-   { 5, 432, 1024 }, { 6, 433, 1024 }, { 6, 434, 1024 }, { 7, 435, 1024 }, { 6, 436, 1024 }, { 7, 437, 1024 }, { 7, 438, 1024 }, { 8, 439, 1024 }, 
-   { 6, 440, 1024 }, { 7, 441, 1024 }, { 7, 442, 1024 }, { 8, 443, 1024 }, { 7, 444, 1024 }, { 8, 445, 1024 }, { 8, 446, 1024 }, { 9, 447, 1024 }, 
-   { 4, 448, 1024 }, { 5, 449, 1024 }, { 5, 450, 1024 }, { 6, 451, 1024 }, { 5, 452, 1024 }, { 6, 453, 1024 }, { 6, 454, 1024 }, { 7, 455, 1024 }, 
-   { 5, 456, 1024 }, { 6, 457, 1024 }, { 6, 458, 1024 }, { 7, 459, 1024 }, { 6, 460, 1024 }, { 7, 461, 1024 }, { 7, 462, 1024 }, { 8, 463, 1024 }, 
-   { 5, 464, 1024 }, { 6, 465, 1024 }, { 6, 466, 1024 }, { 7, 467, 1024 }, { 6, 468, 1024 }, { 7, 469, 1024 }, { 7, 470, 1024 }, { 8, 471, 1024 }, 
-   { 6, 472, 1024 }, { 7, 473, 1024 }, { 7, 474, 1024 }, { 8, 475, 1024 }, { 7, 476, 1024 }, { 8, 477, 1024 }, { 8, 478, 1024 }, { 9, 479, 1024 }, 
-   { 5, 480, 1024 }, { 6, 481, 1024 }, { 6, 482, 1024 }, { 7, 483, 1024 }, { 6, 484, 1024 }, { 7, 485, 1024 }, { 7, 486, 1024 }, { 8, 487, 1024 }, 
-   { 6, 488, 1024 }, { 7, 489, 1024 }, { 7, 490, 1024 }, { 8, 491, 1024 }, { 7, 492, 1024 }, { 8, 493, 1024 }, { 8, 494, 1024 }, { 9, 495, 1024 }, 
-   { 6, 496, 1024 }, { 7, 497, 1024 }, { 7, 498, 1024 }, { 8, 499, 1024 }, { 7, 500, 1024 }, { 8, 501, 1024 }, { 8, 502, 1024 }, { 9, 503, 1024 }, 
-   { 7, 504, 1024 }, { 8, 505, 1024 }, { 8, 506, 1024 }, { 9, 507, 1024 }, { 8, 508, 1024 }, { 9, 509, 1024 }, { 9, 510, 1024 }, { 10, 511, 1024 }, 
-   { 2, 512, 1024 }, { 3, 513, 1024 }, { 3, 514, 1024 }, { 4, 515, 1024 }, { 3, 516, 1024 }, { 4, 517, 1024 }, { 4, 518, 1024 }, { 5, 519, 1024 }, 
-   { 3, 520, 1024 }, { 4, 521, 1024 }, { 4, 522, 1024 }, { 5, 523, 1024 }, { 4, 524, 1024 }, { 5, 525, 1024 }, { 5, 526, 1024 }, { 6, 527, 1024 }, 
-   { 3, 528, 1024 }, { 4, 529, 1024 }, { 4, 530, 1024 }, { 5, 531, 1024 }, { 4, 532, 1024 }, { 5, 533, 1024 }, { 5, 534, 1024 }, { 6, 535, 1024 }, 
-   { 4, 536, 1024 }, { 5, 537, 1024 }, { 5, 538, 1024 }, { 6, 539, 1024 }, { 5, 540, 1024 }, { 6, 541, 1024 }, { 6, 542, 1024 }, { 7, 543, 1024 }, 
-   { 3, 544, 1024 }, { 4, 545, 1024 }, { 4, 546, 1024 }, { 5, 547, 1024 }, { 4, 548, 1024 }, { 5, 549, 1024 }, { 5, 550, 1024 }, { 6, 551, 1024 }, 
-   { 4, 552, 1024 }, { 5, 553, 1024 }, { 5, 554, 1024 }, { 6, 555, 1024 }, { 5, 556, 1024 }, { 6, 557, 1024 }, { 6, 558, 1024 }, { 7, 559, 1024 }, 
-   { 4, 560, 1024 }, { 5, 561, 1024 }, { 5, 562, 1024 }, { 6, 563, 1024 }, { 5, 564, 1024 }, { 6, 565, 1024 }, { 6, 566, 1024 }, { 7, 567, 1024 }, 
-   { 5, 568, 1024 }, { 6, 569, 1024 }, { 6, 570, 1024 }, { 7, 571, 1024 }, { 6, 572, 1024 }, { 7, 573, 1024 }, { 7, 574, 1024 }, { 8, 575, 1024 }, 
-   { 3, 576, 1024 }, { 4, 577, 1024 }, { 4, 578, 1024 }, { 5, 579, 1024 }, { 4, 580, 1024 }, { 5, 581, 1024 }, { 5, 582, 1024 }, { 6, 583, 1024 }, 
-   { 4, 584, 1024 }, { 5, 585, 1024 }, { 5, 586, 1024 }, { 6, 587, 1024 }, { 5, 588, 1024 }, { 6, 589, 1024 }, { 6, 590, 1024 }, { 7, 591, 1024 }, 
-   { 4, 592, 1024 }, { 5, 593, 1024 }, { 5, 594, 1024 }, { 6, 595, 1024 }, { 5, 596, 1024 }, { 6, 597, 1024 }, { 6, 598, 1024 }, { 7, 599, 1024 }, 
-   { 5, 600, 1024 }, { 6, 601, 1024 }, { 6, 602, 1024 }, { 7, 603, 1024 }, { 6, 604, 1024 }, { 7, 605, 1024 }, { 7, 606, 1024 }, { 8, 607, 1024 }, 
-   { 4, 608, 1024 }, { 5, 609, 1024 }, { 5, 610, 1024 }, { 6, 611, 1024 }, { 5, 612, 1024 }, { 6, 613, 1024 }, { 6, 614, 1024 }, { 7, 615, 1024 }, 
-   { 5, 616, 1024 }, { 6, 617, 1024 }, { 6, 618, 1024 }, { 7, 619, 1024 }, { 6, 620, 1024 }, { 7, 621, 1024 }, { 7, 622, 1024 }, { 8, 623, 1024 }, 
-   { 5, 624, 1024 }, { 6, 625, 1024 }, { 6, 626, 1024 }, { 7, 627, 1024 }, { 6, 628, 1024 }, { 7, 629, 1024 }, { 7, 630, 1024 }, { 8, 631, 1024 }, 
-   { 6, 632, 1024 }, { 7, 633, 1024 }, { 7, 634, 1024 }, { 8, 635, 1024 }, { 7, 636, 1024 }, { 8, 637, 1024 }, { 8, 638, 1024 }, { 9, 639, 1024 }, 
-   { 3, 640, 1024 }, { 4, 641, 1024 }, { 4, 642, 1024 }, { 5, 643, 1024 }, { 4, 644, 1024 }, { 5, 645, 1024 }, { 5, 646, 1024 }, { 6, 647, 1024 }, 
-   { 4, 648, 1024 }, { 5, 649, 1024 }, { 5, 650, 1024 }, { 6, 651, 1024 }, { 5, 652, 1024 }, { 6, 653, 1024 }, { 6, 654, 1024 }, { 7, 655, 1024 }, 
-   { 4, 656, 1024 }, { 5, 657, 1024 }, { 5, 658, 1024 }, { 6, 659, 1024 }, { 5, 660, 1024 }, { 6, 661, 1024 }, { 6, 662, 1024 }, { 7, 663, 1024 }, 
-   { 5, 664, 1024 }, { 6, 665, 1024 }, { 6, 666, 1024 }, { 7, 667, 1024 }, { 6, 668, 1024 }, { 7, 669, 1024 }, { 7, 670, 1024 }, { 8, 671, 1024 }, 
-   { 4, 672, 1024 }, { 5, 673, 1024 }, { 5, 674, 1024 }, { 6, 675, 1024 }, { 5, 676, 1024 }, { 6, 677, 1024 }, { 6, 678, 1024 }, { 7, 679, 1024 }, 
-   { 5, 680, 1024 }, { 6, 681, 1024 }, { 6, 682, 1024 }, { 7, 683, 1024 }, { 6, 684, 1024 }, { 7, 685, 1024 }, { 7, 686, 1024 }, { 8, 687, 1024 }, 
-   { 5, 688, 1024 }, { 6, 689, 1024 }, { 6, 690, 1024 }, { 7, 691, 1024 }, { 6, 692, 1024 }, { 7, 693, 1024 }, { 7, 694, 1024 }, { 8, 695, 1024 }, 
-   { 6, 696, 1024 }, { 7, 697, 1024 }, { 7, 698, 1024 }, { 8, 699, 1024 }, { 7, 700, 1024 }, { 8, 701, 1024 }, { 8, 702, 1024 }, { 9, 703, 1024 }, 
-   { 4, 704, 1024 }, { 5, 705, 1024 }, { 5, 706, 1024 }, { 6, 707, 1024 }, { 5, 708, 1024 }, { 6, 709, 1024 }, { 6, 710, 1024 }, { 7, 711, 1024 }, 
-   { 5, 712, 1024 }, { 6, 713, 1024 }, { 6, 714, 1024 }, { 7, 715, 1024 }, { 6, 716, 1024 }, { 7, 717, 1024 }, { 7, 718, 1024 }, { 8, 719, 1024 }, 
-   { 5, 720, 1024 }, { 6, 721, 1024 }, { 6, 722, 1024 }, { 7, 723, 1024 }, { 6, 724, 1024 }, { 7, 725, 1024 }, { 7, 726, 1024 }, { 8, 727, 1024 }, 
-   { 6, 728, 1024 }, { 7, 729, 1024 }, { 7, 730, 1024 }, { 8, 731, 1024 }, { 7, 732, 1024 }, { 8, 733, 1024 }, { 8, 734, 1024 }, { 9, 735, 1024 }, 
-   { 5, 736, 1024 }, { 6, 737, 1024 }, { 6, 738, 1024 }, { 7, 739, 1024 }, { 6, 740, 1024 }, { 7, 741, 1024 }, { 7, 742, 1024 }, { 8, 743, 1024 }, 
-   { 6, 744, 1024 }, { 7, 745, 1024 }, { 7, 746, 1024 }, { 8, 747, 1024 }, { 7, 748, 1024 }, { 8, 749, 1024 }, { 8, 750, 1024 }, { 9, 751, 1024 }, 
-   { 6, 752, 1024 }, { 7, 753, 1024 }, { 7, 754, 1024 }, { 8, 755, 1024 }, { 7, 756, 1024 }, { 8, 757, 1024 }, { 8, 758, 1024 }, { 9, 759, 1024 }, 
-   { 7, 760, 1024 }, { 8, 761, 1024 }, { 8, 762, 1024 }, { 9, 763, 1024 }, { 8, 764, 1024 }, { 9, 765, 1024 }, { 9, 766, 1024 }, { 10, 767, 1024 }, 
-   { 3, 768, 1024 }, { 4, 769, 1024 }, { 4, 770, 1024 }, { 5, 771, 1024 }, { 4, 772, 1024 }, { 5, 773, 1024 }, { 5, 774, 1024 }, { 6, 775, 1024 }, 
-   { 4, 776, 1024 }, { 5, 777, 1024 }, { 5, 778, 1024 }, { 6, 779, 1024 }, { 5, 780, 1024 }, { 6, 781, 1024 }, { 6, 782, 1024 }, { 7, 783, 1024 }, 
-   { 4, 784, 1024 }, { 5, 785, 1024 }, { 5, 786, 1024 }, { 6, 787, 1024 }, { 5, 788, 1024 }, { 6, 789, 1024 }, { 6, 790, 1024 }, { 7, 791, 1024 }, 
-   { 5, 792, 1024 }, { 6, 793, 1024 }, { 6, 794, 1024 }, { 7, 795, 1024 }, { 6, 796, 1024 }, { 7, 797, 1024 }, { 7, 798, 1024 }, { 8, 799, 1024 }, 
-   { 4, 800, 1024 }, { 5, 801, 1024 }, { 5, 802, 1024 }, { 6, 803, 1024 }, { 5, 804, 1024 }, { 6, 805, 1024 }, { 6, 806, 1024 }, { 7, 807, 1024 }, 
-   { 5, 808, 1024 }, { 6, 809, 1024 }, { 6, 810, 1024 }, { 7, 811, 1024 }, { 6, 812, 1024 }, { 7, 813, 1024 }, { 7, 814, 1024 }, { 8, 815, 1024 }, 
-   { 5, 816, 1024 }, { 6, 817, 1024 }, { 6, 818, 1024 }, { 7, 819, 1024 }, { 6, 820, 1024 }, { 7, 821, 1024 }, { 7, 822, 1024 }, { 8, 823, 1024 }, 
-   { 6, 824, 1024 }, { 7, 825, 1024 }, { 7, 826, 1024 }, { 8, 827, 1024 }, { 7, 828, 1024 }, { 8, 829, 1024 }, { 8, 830, 1024 }, { 9, 831, 1024 }, 
-   { 4, 832, 1024 }, { 5, 833, 1024 }, { 5, 834, 1024 }, { 6, 835, 1024 }, { 5, 836, 1024 }, { 6, 837, 1024 }, { 6, 838, 1024 }, { 7, 839, 1024 }, 
-   { 5, 840, 1024 }, { 6, 841, 1024 }, { 6, 842, 1024 }, { 7, 843, 1024 }, { 6, 844, 1024 }, { 7, 845, 1024 }, { 7, 846, 1024 }, { 8, 847, 1024 }, 
-   { 5, 848, 1024 }, { 6, 849, 1024 }, { 6, 850, 1024 }, { 7, 851, 1024 }, { 6, 852, 1024 }, { 7, 853, 1024 }, { 7, 854, 1024 }, { 8, 855, 1024 }, 
-   { 6, 856, 1024 }, { 7, 857, 1024 }, { 7, 858, 1024 }, { 8, 859, 1024 }, { 7, 860, 1024 }, { 8, 861, 1024 }, { 8, 862, 1024 }, { 9, 863, 1024 }, 
-   { 5, 864, 1024 }, { 6, 865, 1024 }, { 6, 866, 1024 }, { 7, 867, 1024 }, { 6, 868, 1024 }, { 7, 869, 1024 }, { 7, 870, 1024 }, { 8, 871, 1024 }, 
-   { 6, 872, 1024 }, { 7, 873, 1024 }, { 7, 874, 1024 }, { 8, 875, 1024 }, { 7, 876, 1024 }, { 8, 877, 1024 }, { 8, 878, 1024 }, { 9, 879, 1024 }, 
-   { 6, 880, 1024 }, { 7, 881, 1024 }, { 7, 882, 1024 }, { 8, 883, 1024 }, { 7, 884, 1024 }, { 8, 885, 1024 }, { 8, 886, 1024 }, { 9, 887, 1024 }, 
-   { 7, 888, 1024 }, { 8, 889, 1024 }, { 8, 890, 1024 }, { 9, 891, 1024 }, { 8, 892, 1024 }, { 9, 893, 1024 }, { 9, 894, 1024 }, { 10, 895, 1024 }, 
-   { 4, 896, 1024 }, { 5, 897, 1024 }, { 5, 898, 1024 }, { 6, 899, 1024 }, { 5, 900, 1024 }, { 6, 901, 1024 }, { 6, 902, 1024 }, { 7, 903, 1024 }, 
-   { 5, 904, 1024 }, { 6, 905, 1024 }, { 6, 906, 1024 }, { 7, 907, 1024 }, { 6, 908, 1024 }, { 7, 909, 1024 }, { 7, 910, 1024 }, { 8, 911, 1024 }, 
-   { 5, 912, 1024 }, { 6, 913, 1024 }, { 6, 914, 1024 }, { 7, 915, 1024 }, { 6, 916, 1024 }, { 7, 917, 1024 }, { 7, 918, 1024 }, { 8, 919, 1024 }, 
-   { 6, 920, 1024 }, { 7, 921, 1024 }, { 7, 922, 1024 }, { 8, 923, 1024 }, { 7, 924, 1024 }, { 8, 925, 1024 }, { 8, 926, 1024 }, { 9, 927, 1024 }, 
-   { 5, 928, 1024 }, { 6, 929, 1024 }, { 6, 930, 1024 }, { 7, 931, 1024 }, { 6, 932, 1024 }, { 7, 933, 1024 }, { 7, 934, 1024 }, { 8, 935, 1024 }, 
-   { 6, 936, 1024 }, { 7, 937, 1024 }, { 7, 938, 1024 }, { 8, 939, 1024 }, { 7, 940, 1024 }, { 8, 941, 1024 }, { 8, 942, 1024 }, { 9, 943, 1024 }, 
-   { 6, 944, 1024 }, { 7, 945, 1024 }, { 7, 946, 1024 }, { 8, 947, 1024 }, { 7, 948, 1024 }, { 8, 949, 1024 }, { 8, 950, 1024 }, { 9, 951, 1024 }, 
-   { 7, 952, 1024 }, { 8, 953, 1024 }, { 8, 954, 1024 }, { 9, 955, 1024 }, { 8, 956, 1024 }, { 9, 957, 1024 }, { 9, 958, 1024 }, { 10, 959, 1024 }, 
-   { 5, 960, 1024 }, { 6, 961, 1024 }, { 6, 962, 1024 }, { 7, 963, 1024 }, { 6, 964, 1024 }, { 7, 965, 1024 }, { 7, 966, 1024 }, { 8, 967, 1024 }, 
-   { 6, 968, 1024 }, { 7, 969, 1024 }, { 7, 970, 1024 }, { 8, 971, 1024 }, { 7, 972, 1024 }, { 8, 973, 1024 }, { 8, 974, 1024 }, { 9, 975, 1024 }, 
-   { 6, 976, 1024 }, { 7, 977, 1024 }, { 7, 978, 1024 }, { 8, 979, 1024 }, { 7, 980, 1024 }, { 8, 981, 1024 }, { 8, 982, 1024 }, { 9, 983, 1024 }, 
-   { 7, 984, 1024 }, { 8, 985, 1024 }, { 8, 986, 1024 }, { 9, 987, 1024 }, { 8, 988, 1024 }, { 9, 989, 1024 }, { 9, 990, 1024 }, { 10, 991, 1024 }, 
-   { 6, 992, 1024 }, { 7, 993, 1024 }, { 7, 994, 1024 }, { 8, 995, 1024 }, { 7, 996, 1024 }, { 8, 997, 1024 }, { 8, 998, 1024 }, { 9, 999, 1024 }, 
-   { 7, 1000, 1024 }, { 8, 1001, 1024 }, { 8, 1002, 1024 }, { 9, 1003, 1024 }, { 8, 1004, 1024 }, { 9, 1005, 1024 }, { 9, 1006, 1024 }, { 10, 1007, 1024 }, 
-   { 7, 1008, 1024 }, { 8, 1009, 1024 }, { 8, 1010, 1024 }, { 9, 1011, 1024 }, { 8, 1012, 1024 }, { 9, 1013, 1024 }, { 9, 1014, 1024 }, { 10, 1015, 1024 }, 
-   { 8, 1016, 1024 }, { 9, 1017, 1024 }, { 9, 1018, 1024 }, { 10, 1019, 1024 }, { 9, 1020, 1024 }, { 10, 1021, 1024 }, { 10, 1022, 1024 }, { 11, 1023, 1024 }, 
+   { 1, 0, 0 }, { 2, 1, 1024 }, { 2, 2, 1024 }, { 3, 3, 1024 }, { 2, 4, 1024 }, { 3, 5, 1024 }, { 3, 6, 1024 }, { 4, 7, 1024 },
+   { 2, 8, 1024 }, { 3, 9, 1024 }, { 3, 10, 1024 }, { 4, 11, 1024 }, { 3, 12, 1024 }, { 4, 13, 1024 }, { 4, 14, 1024 }, { 5, 15, 1024 },
+   { 2, 16, 1024 }, { 3, 17, 1024 }, { 3, 18, 1024 }, { 4, 19, 1024 }, { 3, 20, 1024 }, { 4, 21, 1024 }, { 4, 22, 1024 }, { 5, 23, 1024 },
+   { 3, 24, 1024 }, { 4, 25, 1024 }, { 4, 26, 1024 }, { 5, 27, 1024 }, { 4, 28, 1024 }, { 5, 29, 1024 }, { 5, 30, 1024 }, { 6, 31, 1024 },
+   { 2, 32, 1024 }, { 3, 33, 1024 }, { 3, 34, 1024 }, { 4, 35, 1024 }, { 3, 36, 1024 }, { 4, 37, 1024 }, { 4, 38, 1024 }, { 5, 39, 1024 },
+   { 3, 40, 1024 }, { 4, 41, 1024 }, { 4, 42, 1024 }, { 5, 43, 1024 }, { 4, 44, 1024 }, { 5, 45, 1024 }, { 5, 46, 1024 }, { 6, 47, 1024 },
+   { 3, 48, 1024 }, { 4, 49, 1024 }, { 4, 50, 1024 }, { 5, 51, 1024 }, { 4, 52, 1024 }, { 5, 53, 1024 }, { 5, 54, 1024 }, { 6, 55, 1024 },
+   { 4, 56, 1024 }, { 5, 57, 1024 }, { 5, 58, 1024 }, { 6, 59, 1024 }, { 5, 60, 1024 }, { 6, 61, 1024 }, { 6, 62, 1024 }, { 7, 63, 1024 },
+   { 2, 64, 1024 }, { 3, 65, 1024 }, { 3, 66, 1024 }, { 4, 67, 1024 }, { 3, 68, 1024 }, { 4, 69, 1024 }, { 4, 70, 1024 }, { 5, 71, 1024 },
+   { 3, 72, 1024 }, { 4, 73, 1024 }, { 4, 74, 1024 }, { 5, 75, 1024 }, { 4, 76, 1024 }, { 5, 77, 1024 }, { 5, 78, 1024 }, { 6, 79, 1024 },
+   { 3, 80, 1024 }, { 4, 81, 1024 }, { 4, 82, 1024 }, { 5, 83, 1024 }, { 4, 84, 1024 }, { 5, 85, 1024 }, { 5, 86, 1024 }, { 6, 87, 1024 },
+   { 4, 88, 1024 }, { 5, 89, 1024 }, { 5, 90, 1024 }, { 6, 91, 1024 }, { 5, 92, 1024 }, { 6, 93, 1024 }, { 6, 94, 1024 }, { 7, 95, 1024 },
+   { 3, 96, 1024 }, { 4, 97, 1024 }, { 4, 98, 1024 }, { 5, 99, 1024 }, { 4, 100, 1024 }, { 5, 101, 1024 }, { 5, 102, 1024 }, { 6, 103, 1024 },
+   { 4, 104, 1024 }, { 5, 105, 1024 }, { 5, 106, 1024 }, { 6, 107, 1024 }, { 5, 108, 1024 }, { 6, 109, 1024 }, { 6, 110, 1024 }, { 7, 111, 1024 },
+   { 4, 112, 1024 }, { 5, 113, 1024 }, { 5, 114, 1024 }, { 6, 115, 1024 }, { 5, 116, 1024 }, { 6, 117, 1024 }, { 6, 118, 1024 }, { 7, 119, 1024 },
+   { 5, 120, 1024 }, { 6, 121, 1024 }, { 6, 122, 1024 }, { 7, 123, 1024 }, { 6, 124, 1024 }, { 7, 125, 1024 }, { 7, 126, 1024 }, { 8, 127, 1024 },
+   { 2, 128, 1024 }, { 3, 129, 1024 }, { 3, 130, 1024 }, { 4, 131, 1024 }, { 3, 132, 1024 }, { 4, 133, 1024 }, { 4, 134, 1024 }, { 5, 135, 1024 },
+   { 3, 136, 1024 }, { 4, 137, 1024 }, { 4, 138, 1024 }, { 5, 139, 1024 }, { 4, 140, 1024 }, { 5, 141, 1024 }, { 5, 142, 1024 }, { 6, 143, 1024 },
+   { 3, 144, 1024 }, { 4, 145, 1024 }, { 4, 146, 1024 }, { 5, 147, 1024 }, { 4, 148, 1024 }, { 5, 149, 1024 }, { 5, 150, 1024 }, { 6, 151, 1024 },
+   { 4, 152, 1024 }, { 5, 153, 1024 }, { 5, 154, 1024 }, { 6, 155, 1024 }, { 5, 156, 1024 }, { 6, 157, 1024 }, { 6, 158, 1024 }, { 7, 159, 1024 },
+   { 3, 160, 1024 }, { 4, 161, 1024 }, { 4, 162, 1024 }, { 5, 163, 1024 }, { 4, 164, 1024 }, { 5, 165, 1024 }, { 5, 166, 1024 }, { 6, 167, 1024 },
+   { 4, 168, 1024 }, { 5, 169, 1024 }, { 5, 170, 1024 }, { 6, 171, 1024 }, { 5, 172, 1024 }, { 6, 173, 1024 }, { 6, 174, 1024 }, { 7, 175, 1024 },
+   { 4, 176, 1024 }, { 5, 177, 1024 }, { 5, 178, 1024 }, { 6, 179, 1024 }, { 5, 180, 1024 }, { 6, 181, 1024 }, { 6, 182, 1024 }, { 7, 183, 1024 },
+   { 5, 184, 1024 }, { 6, 185, 1024 }, { 6, 186, 1024 }, { 7, 187, 1024 }, { 6, 188, 1024 }, { 7, 189, 1024 }, { 7, 190, 1024 }, { 8, 191, 1024 },
+   { 3, 192, 1024 }, { 4, 193, 1024 }, { 4, 194, 1024 }, { 5, 195, 1024 }, { 4, 196, 1024 }, { 5, 197, 1024 }, { 5, 198, 1024 }, { 6, 199, 1024 },
+   { 4, 200, 1024 }, { 5, 201, 1024 }, { 5, 202, 1024 }, { 6, 203, 1024 }, { 5, 204, 1024 }, { 6, 205, 1024 }, { 6, 206, 1024 }, { 7, 207, 1024 },
+   { 4, 208, 1024 }, { 5, 209, 1024 }, { 5, 210, 1024 }, { 6, 211, 1024 }, { 5, 212, 1024 }, { 6, 213, 1024 }, { 6, 214, 1024 }, { 7, 215, 1024 },
+   { 5, 216, 1024 }, { 6, 217, 1024 }, { 6, 218, 1024 }, { 7, 219, 1024 }, { 6, 220, 1024 }, { 7, 221, 1024 }, { 7, 222, 1024 }, { 8, 223, 1024 },
+   { 4, 224, 1024 }, { 5, 225, 1024 }, { 5, 226, 1024 }, { 6, 227, 1024 }, { 5, 228, 1024 }, { 6, 229, 1024 }, { 6, 230, 1024 }, { 7, 231, 1024 },
+   { 5, 232, 1024 }, { 6, 233, 1024 }, { 6, 234, 1024 }, { 7, 235, 1024 }, { 6, 236, 1024 }, { 7, 237, 1024 }, { 7, 238, 1024 }, { 8, 239, 1024 },
+   { 5, 240, 1024 }, { 6, 241, 1024 }, { 6, 242, 1024 }, { 7, 243, 1024 }, { 6, 244, 1024 }, { 7, 245, 1024 }, { 7, 246, 1024 }, { 8, 247, 1024 },
+   { 6, 248, 1024 }, { 7, 249, 1024 }, { 7, 250, 1024 }, { 8, 251, 1024 }, { 7, 252, 1024 }, { 8, 253, 1024 }, { 8, 254, 1024 }, { 9, 255, 1024 },
+   { 2, 256, 1024 }, { 3, 257, 1024 }, { 3, 258, 1024 }, { 4, 259, 1024 }, { 3, 260, 1024 }, { 4, 261, 1024 }, { 4, 262, 1024 }, { 5, 263, 1024 },
+   { 3, 264, 1024 }, { 4, 265, 1024 }, { 4, 266, 1024 }, { 5, 267, 1024 }, { 4, 268, 1024 }, { 5, 269, 1024 }, { 5, 270, 1024 }, { 6, 271, 1024 },
+   { 3, 272, 1024 }, { 4, 273, 1024 }, { 4, 274, 1024 }, { 5, 275, 1024 }, { 4, 276, 1024 }, { 5, 277, 1024 }, { 5, 278, 1024 }, { 6, 279, 1024 },
+   { 4, 280, 1024 }, { 5, 281, 1024 }, { 5, 282, 1024 }, { 6, 283, 1024 }, { 5, 284, 1024 }, { 6, 285, 1024 }, { 6, 286, 1024 }, { 7, 287, 1024 },
+   { 3, 288, 1024 }, { 4, 289, 1024 }, { 4, 290, 1024 }, { 5, 291, 1024 }, { 4, 292, 1024 }, { 5, 293, 1024 }, { 5, 294, 1024 }, { 6, 295, 1024 },
+   { 4, 296, 1024 }, { 5, 297, 1024 }, { 5, 298, 1024 }, { 6, 299, 1024 }, { 5, 300, 1024 }, { 6, 301, 1024 }, { 6, 302, 1024 }, { 7, 303, 1024 },
+   { 4, 304, 1024 }, { 5, 305, 1024 }, { 5, 306, 1024 }, { 6, 307, 1024 }, { 5, 308, 1024 }, { 6, 309, 1024 }, { 6, 310, 1024 }, { 7, 311, 1024 },
+   { 5, 312, 1024 }, { 6, 313, 1024 }, { 6, 314, 1024 }, { 7, 315, 1024 }, { 6, 316, 1024 }, { 7, 317, 1024 }, { 7, 318, 1024 }, { 8, 319, 1024 },
+   { 3, 320, 1024 }, { 4, 321, 1024 }, { 4, 322, 1024 }, { 5, 323, 1024 }, { 4, 324, 1024 }, { 5, 325, 1024 }, { 5, 326, 1024 }, { 6, 327, 1024 },
+   { 4, 328, 1024 }, { 5, 329, 1024 }, { 5, 330, 1024 }, { 6, 331, 1024 }, { 5, 332, 1024 }, { 6, 333, 1024 }, { 6, 334, 1024 }, { 7, 335, 1024 },
+   { 4, 336, 1024 }, { 5, 337, 1024 }, { 5, 338, 1024 }, { 6, 339, 1024 }, { 5, 340, 1024 }, { 6, 341, 1024 }, { 6, 342, 1024 }, { 7, 343, 1024 },
+   { 5, 344, 1024 }, { 6, 345, 1024 }, { 6, 346, 1024 }, { 7, 347, 1024 }, { 6, 348, 1024 }, { 7, 349, 1024 }, { 7, 350, 1024 }, { 8, 351, 1024 },
+   { 4, 352, 1024 }, { 5, 353, 1024 }, { 5, 354, 1024 }, { 6, 355, 1024 }, { 5, 356, 1024 }, { 6, 357, 1024 }, { 6, 358, 1024 }, { 7, 359, 1024 },
+   { 5, 360, 1024 }, { 6, 361, 1024 }, { 6, 362, 1024 }, { 7, 363, 1024 }, { 6, 364, 1024 }, { 7, 365, 1024 }, { 7, 366, 1024 }, { 8, 367, 1024 },
+   { 5, 368, 1024 }, { 6, 369, 1024 }, { 6, 370, 1024 }, { 7, 371, 1024 }, { 6, 372, 1024 }, { 7, 373, 1024 }, { 7, 374, 1024 }, { 8, 375, 1024 },
+   { 6, 376, 1024 }, { 7, 377, 1024 }, { 7, 378, 1024 }, { 8, 379, 1024 }, { 7, 380, 1024 }, { 8, 381, 1024 }, { 8, 382, 1024 }, { 9, 383, 1024 },
+   { 3, 384, 1024 }, { 4, 385, 1024 }, { 4, 386, 1024 }, { 5, 387, 1024 }, { 4, 388, 1024 }, { 5, 389, 1024 }, { 5, 390, 1024 }, { 6, 391, 1024 },
+   { 4, 392, 1024 }, { 5, 393, 1024 }, { 5, 394, 1024 }, { 6, 395, 1024 }, { 5, 396, 1024 }, { 6, 397, 1024 }, { 6, 398, 1024 }, { 7, 399, 1024 },
+   { 4, 400, 1024 }, { 5, 401, 1024 }, { 5, 402, 1024 }, { 6, 403, 1024 }, { 5, 404, 1024 }, { 6, 405, 1024 }, { 6, 406, 1024 }, { 7, 407, 1024 },
+   { 5, 408, 1024 }, { 6, 409, 1024 }, { 6, 410, 1024 }, { 7, 411, 1024 }, { 6, 412, 1024 }, { 7, 413, 1024 }, { 7, 414, 1024 }, { 8, 415, 1024 },
+   { 4, 416, 1024 }, { 5, 417, 1024 }, { 5, 418, 1024 }, { 6, 419, 1024 }, { 5, 420, 1024 }, { 6, 421, 1024 }, { 6, 422, 1024 }, { 7, 423, 1024 },
+   { 5, 424, 1024 }, { 6, 425, 1024 }, { 6, 426, 1024 }, { 7, 427, 1024 }, { 6, 428, 1024 }, { 7, 429, 1024 }, { 7, 430, 1024 }, { 8, 431, 1024 },
+   { 5, 432, 1024 }, { 6, 433, 1024 }, { 6, 434, 1024 }, { 7, 435, 1024 }, { 6, 436, 1024 }, { 7, 437, 1024 }, { 7, 438, 1024 }, { 8, 439, 1024 },
+   { 6, 440, 1024 }, { 7, 441, 1024 }, { 7, 442, 1024 }, { 8, 443, 1024 }, { 7, 444, 1024 }, { 8, 445, 1024 }, { 8, 446, 1024 }, { 9, 447, 1024 },
+   { 4, 448, 1024 }, { 5, 449, 1024 }, { 5, 450, 1024 }, { 6, 451, 1024 }, { 5, 452, 1024 }, { 6, 453, 1024 }, { 6, 454, 1024 }, { 7, 455, 1024 },
+   { 5, 456, 1024 }, { 6, 457, 1024 }, { 6, 458, 1024 }, { 7, 459, 1024 }, { 6, 460, 1024 }, { 7, 461, 1024 }, { 7, 462, 1024 }, { 8, 463, 1024 },
+   { 5, 464, 1024 }, { 6, 465, 1024 }, { 6, 466, 1024 }, { 7, 467, 1024 }, { 6, 468, 1024 }, { 7, 469, 1024 }, { 7, 470, 1024 }, { 8, 471, 1024 },
+   { 6, 472, 1024 }, { 7, 473, 1024 }, { 7, 474, 1024 }, { 8, 475, 1024 }, { 7, 476, 1024 }, { 8, 477, 1024 }, { 8, 478, 1024 }, { 9, 479, 1024 },
+   { 5, 480, 1024 }, { 6, 481, 1024 }, { 6, 482, 1024 }, { 7, 483, 1024 }, { 6, 484, 1024 }, { 7, 485, 1024 }, { 7, 486, 1024 }, { 8, 487, 1024 },
+   { 6, 488, 1024 }, { 7, 489, 1024 }, { 7, 490, 1024 }, { 8, 491, 1024 }, { 7, 492, 1024 }, { 8, 493, 1024 }, { 8, 494, 1024 }, { 9, 495, 1024 },
+   { 6, 496, 1024 }, { 7, 497, 1024 }, { 7, 498, 1024 }, { 8, 499, 1024 }, { 7, 500, 1024 }, { 8, 501, 1024 }, { 8, 502, 1024 }, { 9, 503, 1024 },
+   { 7, 504, 1024 }, { 8, 505, 1024 }, { 8, 506, 1024 }, { 9, 507, 1024 }, { 8, 508, 1024 }, { 9, 509, 1024 }, { 9, 510, 1024 }, { 10, 511, 1024 },
+   { 2, 512, 1024 }, { 3, 513, 1024 }, { 3, 514, 1024 }, { 4, 515, 1024 }, { 3, 516, 1024 }, { 4, 517, 1024 }, { 4, 518, 1024 }, { 5, 519, 1024 },
+   { 3, 520, 1024 }, { 4, 521, 1024 }, { 4, 522, 1024 }, { 5, 523, 1024 }, { 4, 524, 1024 }, { 5, 525, 1024 }, { 5, 526, 1024 }, { 6, 527, 1024 },
+   { 3, 528, 1024 }, { 4, 529, 1024 }, { 4, 530, 1024 }, { 5, 531, 1024 }, { 4, 532, 1024 }, { 5, 533, 1024 }, { 5, 534, 1024 }, { 6, 535, 1024 },
+   { 4, 536, 1024 }, { 5, 537, 1024 }, { 5, 538, 1024 }, { 6, 539, 1024 }, { 5, 540, 1024 }, { 6, 541, 1024 }, { 6, 542, 1024 }, { 7, 543, 1024 },
+   { 3, 544, 1024 }, { 4, 545, 1024 }, { 4, 546, 1024 }, { 5, 547, 1024 }, { 4, 548, 1024 }, { 5, 549, 1024 }, { 5, 550, 1024 }, { 6, 551, 1024 },
+   { 4, 552, 1024 }, { 5, 553, 1024 }, { 5, 554, 1024 }, { 6, 555, 1024 }, { 5, 556, 1024 }, { 6, 557, 1024 }, { 6, 558, 1024 }, { 7, 559, 1024 },
+   { 4, 560, 1024 }, { 5, 561, 1024 }, { 5, 562, 1024 }, { 6, 563, 1024 }, { 5, 564, 1024 }, { 6, 565, 1024 }, { 6, 566, 1024 }, { 7, 567, 1024 },
+   { 5, 568, 1024 }, { 6, 569, 1024 }, { 6, 570, 1024 }, { 7, 571, 1024 }, { 6, 572, 1024 }, { 7, 573, 1024 }, { 7, 574, 1024 }, { 8, 575, 1024 },
+   { 3, 576, 1024 }, { 4, 577, 1024 }, { 4, 578, 1024 }, { 5, 579, 1024 }, { 4, 580, 1024 }, { 5, 581, 1024 }, { 5, 582, 1024 }, { 6, 583, 1024 },
+   { 4, 584, 1024 }, { 5, 585, 1024 }, { 5, 586, 1024 }, { 6, 587, 1024 }, { 5, 588, 1024 }, { 6, 589, 1024 }, { 6, 590, 1024 }, { 7, 591, 1024 },
+   { 4, 592, 1024 }, { 5, 593, 1024 }, { 5, 594, 1024 }, { 6, 595, 1024 }, { 5, 596, 1024 }, { 6, 597, 1024 }, { 6, 598, 1024 }, { 7, 599, 1024 },
+   { 5, 600, 1024 }, { 6, 601, 1024 }, { 6, 602, 1024 }, { 7, 603, 1024 }, { 6, 604, 1024 }, { 7, 605, 1024 }, { 7, 606, 1024 }, { 8, 607, 1024 },
+   { 4, 608, 1024 }, { 5, 609, 1024 }, { 5, 610, 1024 }, { 6, 611, 1024 }, { 5, 612, 1024 }, { 6, 613, 1024 }, { 6, 614, 1024 }, { 7, 615, 1024 },
+   { 5, 616, 1024 }, { 6, 617, 1024 }, { 6, 618, 1024 }, { 7, 619, 1024 }, { 6, 620, 1024 }, { 7, 621, 1024 }, { 7, 622, 1024 }, { 8, 623, 1024 },
+   { 5, 624, 1024 }, { 6, 625, 1024 }, { 6, 626, 1024 }, { 7, 627, 1024 }, { 6, 628, 1024 }, { 7, 629, 1024 }, { 7, 630, 1024 }, { 8, 631, 1024 },
+   { 6, 632, 1024 }, { 7, 633, 1024 }, { 7, 634, 1024 }, { 8, 635, 1024 }, { 7, 636, 1024 }, { 8, 637, 1024 }, { 8, 638, 1024 }, { 9, 639, 1024 },
+   { 3, 640, 1024 }, { 4, 641, 1024 }, { 4, 642, 1024 }, { 5, 643, 1024 }, { 4, 644, 1024 }, { 5, 645, 1024 }, { 5, 646, 1024 }, { 6, 647, 1024 },
+   { 4, 648, 1024 }, { 5, 649, 1024 }, { 5, 650, 1024 }, { 6, 651, 1024 }, { 5, 652, 1024 }, { 6, 653, 1024 }, { 6, 654, 1024 }, { 7, 655, 1024 },
+   { 4, 656, 1024 }, { 5, 657, 1024 }, { 5, 658, 1024 }, { 6, 659, 1024 }, { 5, 660, 1024 }, { 6, 661, 1024 }, { 6, 662, 1024 }, { 7, 663, 1024 },
+   { 5, 664, 1024 }, { 6, 665, 1024 }, { 6, 666, 1024 }, { 7, 667, 1024 }, { 6, 668, 1024 }, { 7, 669, 1024 }, { 7, 670, 1024 }, { 8, 671, 1024 },
+   { 4, 672, 1024 }, { 5, 673, 1024 }, { 5, 674, 1024 }, { 6, 675, 1024 }, { 5, 676, 1024 }, { 6, 677, 1024 }, { 6, 678, 1024 }, { 7, 679, 1024 },
+   { 5, 680, 1024 }, { 6, 681, 1024 }, { 6, 682, 1024 }, { 7, 683, 1024 }, { 6, 684, 1024 }, { 7, 685, 1024 }, { 7, 686, 1024 }, { 8, 687, 1024 },
+   { 5, 688, 1024 }, { 6, 689, 1024 }, { 6, 690, 1024 }, { 7, 691, 1024 }, { 6, 692, 1024 }, { 7, 693, 1024 }, { 7, 694, 1024 }, { 8, 695, 1024 },
+   { 6, 696, 1024 }, { 7, 697, 1024 }, { 7, 698, 1024 }, { 8, 699, 1024 }, { 7, 700, 1024 }, { 8, 701, 1024 }, { 8, 702, 1024 }, { 9, 703, 1024 },
+   { 4, 704, 1024 }, { 5, 705, 1024 }, { 5, 706, 1024 }, { 6, 707, 1024 }, { 5, 708, 1024 }, { 6, 709, 1024 }, { 6, 710, 1024 }, { 7, 711, 1024 },
+   { 5, 712, 1024 }, { 6, 713, 1024 }, { 6, 714, 1024 }, { 7, 715, 1024 }, { 6, 716, 1024 }, { 7, 717, 1024 }, { 7, 718, 1024 }, { 8, 719, 1024 },
+   { 5, 720, 1024 }, { 6, 721, 1024 }, { 6, 722, 1024 }, { 7, 723, 1024 }, { 6, 724, 1024 }, { 7, 725, 1024 }, { 7, 726, 1024 }, { 8, 727, 1024 },
+   { 6, 728, 1024 }, { 7, 729, 1024 }, { 7, 730, 1024 }, { 8, 731, 1024 }, { 7, 732, 1024 }, { 8, 733, 1024 }, { 8, 734, 1024 }, { 9, 735, 1024 },
+   { 5, 736, 1024 }, { 6, 737, 1024 }, { 6, 738, 1024 }, { 7, 739, 1024 }, { 6, 740, 1024 }, { 7, 741, 1024 }, { 7, 742, 1024 }, { 8, 743, 1024 },
+   { 6, 744, 1024 }, { 7, 745, 1024 }, { 7, 746, 1024 }, { 8, 747, 1024 }, { 7, 748, 1024 }, { 8, 749, 1024 }, { 8, 750, 1024 }, { 9, 751, 1024 },
+   { 6, 752, 1024 }, { 7, 753, 1024 }, { 7, 754, 1024 }, { 8, 755, 1024 }, { 7, 756, 1024 }, { 8, 757, 1024 }, { 8, 758, 1024 }, { 9, 759, 1024 },
+   { 7, 760, 1024 }, { 8, 761, 1024 }, { 8, 762, 1024 }, { 9, 763, 1024 }, { 8, 764, 1024 }, { 9, 765, 1024 }, { 9, 766, 1024 }, { 10, 767, 1024 },
+   { 3, 768, 1024 }, { 4, 769, 1024 }, { 4, 770, 1024 }, { 5, 771, 1024 }, { 4, 772, 1024 }, { 5, 773, 1024 }, { 5, 774, 1024 }, { 6, 775, 1024 },
+   { 4, 776, 1024 }, { 5, 777, 1024 }, { 5, 778, 1024 }, { 6, 779, 1024 }, { 5, 780, 1024 }, { 6, 781, 1024 }, { 6, 782, 1024 }, { 7, 783, 1024 },
+   { 4, 784, 1024 }, { 5, 785, 1024 }, { 5, 786, 1024 }, { 6, 787, 1024 }, { 5, 788, 1024 }, { 6, 789, 1024 }, { 6, 790, 1024 }, { 7, 791, 1024 },
+   { 5, 792, 1024 }, { 6, 793, 1024 }, { 6, 794, 1024 }, { 7, 795, 1024 }, { 6, 796, 1024 }, { 7, 797, 1024 }, { 7, 798, 1024 }, { 8, 799, 1024 },
+   { 4, 800, 1024 }, { 5, 801, 1024 }, { 5, 802, 1024 }, { 6, 803, 1024 }, { 5, 804, 1024 }, { 6, 805, 1024 }, { 6, 806, 1024 }, { 7, 807, 1024 },
+   { 5, 808, 1024 }, { 6, 809, 1024 }, { 6, 810, 1024 }, { 7, 811, 1024 }, { 6, 812, 1024 }, { 7, 813, 1024 }, { 7, 814, 1024 }, { 8, 815, 1024 },
+   { 5, 816, 1024 }, { 6, 817, 1024 }, { 6, 818, 1024 }, { 7, 819, 1024 }, { 6, 820, 1024 }, { 7, 821, 1024 }, { 7, 822, 1024 }, { 8, 823, 1024 },
+   { 6, 824, 1024 }, { 7, 825, 1024 }, { 7, 826, 1024 }, { 8, 827, 1024 }, { 7, 828, 1024 }, { 8, 829, 1024 }, { 8, 830, 1024 }, { 9, 831, 1024 },
+   { 4, 832, 1024 }, { 5, 833, 1024 }, { 5, 834, 1024 }, { 6, 835, 1024 }, { 5, 836, 1024 }, { 6, 837, 1024 }, { 6, 838, 1024 }, { 7, 839, 1024 },
+   { 5, 840, 1024 }, { 6, 841, 1024 }, { 6, 842, 1024 }, { 7, 843, 1024 }, { 6, 844, 1024 }, { 7, 845, 1024 }, { 7, 846, 1024 }, { 8, 847, 1024 },
+   { 5, 848, 1024 }, { 6, 849, 1024 }, { 6, 850, 1024 }, { 7, 851, 1024 }, { 6, 852, 1024 }, { 7, 853, 1024 }, { 7, 854, 1024 }, { 8, 855, 1024 },
+   { 6, 856, 1024 }, { 7, 857, 1024 }, { 7, 858, 1024 }, { 8, 859, 1024 }, { 7, 860, 1024 }, { 8, 861, 1024 }, { 8, 862, 1024 }, { 9, 863, 1024 },
+   { 5, 864, 1024 }, { 6, 865, 1024 }, { 6, 866, 1024 }, { 7, 867, 1024 }, { 6, 868, 1024 }, { 7, 869, 1024 }, { 7, 870, 1024 }, { 8, 871, 1024 },
+   { 6, 872, 1024 }, { 7, 873, 1024 }, { 7, 874, 1024 }, { 8, 875, 1024 }, { 7, 876, 1024 }, { 8, 877, 1024 }, { 8, 878, 1024 }, { 9, 879, 1024 },
+   { 6, 880, 1024 }, { 7, 881, 1024 }, { 7, 882, 1024 }, { 8, 883, 1024 }, { 7, 884, 1024 }, { 8, 885, 1024 }, { 8, 886, 1024 }, { 9, 887, 1024 },
+   { 7, 888, 1024 }, { 8, 889, 1024 }, { 8, 890, 1024 }, { 9, 891, 1024 }, { 8, 892, 1024 }, { 9, 893, 1024 }, { 9, 894, 1024 }, { 10, 895, 1024 },
+   { 4, 896, 1024 }, { 5, 897, 1024 }, { 5, 898, 1024 }, { 6, 899, 1024 }, { 5, 900, 1024 }, { 6, 901, 1024 }, { 6, 902, 1024 }, { 7, 903, 1024 },
+   { 5, 904, 1024 }, { 6, 905, 1024 }, { 6, 906, 1024 }, { 7, 907, 1024 }, { 6, 908, 1024 }, { 7, 909, 1024 }, { 7, 910, 1024 }, { 8, 911, 1024 },
+   { 5, 912, 1024 }, { 6, 913, 1024 }, { 6, 914, 1024 }, { 7, 915, 1024 }, { 6, 916, 1024 }, { 7, 917, 1024 }, { 7, 918, 1024 }, { 8, 919, 1024 },
+   { 6, 920, 1024 }, { 7, 921, 1024 }, { 7, 922, 1024 }, { 8, 923, 1024 }, { 7, 924, 1024 }, { 8, 925, 1024 }, { 8, 926, 1024 }, { 9, 927, 1024 },
+   { 5, 928, 1024 }, { 6, 929, 1024 }, { 6, 930, 1024 }, { 7, 931, 1024 }, { 6, 932, 1024 }, { 7, 933, 1024 }, { 7, 934, 1024 }, { 8, 935, 1024 },
+   { 6, 936, 1024 }, { 7, 937, 1024 }, { 7, 938, 1024 }, { 8, 939, 1024 }, { 7, 940, 1024 }, { 8, 941, 1024 }, { 8, 942, 1024 }, { 9, 943, 1024 },
+   { 6, 944, 1024 }, { 7, 945, 1024 }, { 7, 946, 1024 }, { 8, 947, 1024 }, { 7, 948, 1024 }, { 8, 949, 1024 }, { 8, 950, 1024 }, { 9, 951, 1024 },
+   { 7, 952, 1024 }, { 8, 953, 1024 }, { 8, 954, 1024 }, { 9, 955, 1024 }, { 8, 956, 1024 }, { 9, 957, 1024 }, { 9, 958, 1024 }, { 10, 959, 1024 },
+   { 5, 960, 1024 }, { 6, 961, 1024 }, { 6, 962, 1024 }, { 7, 963, 1024 }, { 6, 964, 1024 }, { 7, 965, 1024 }, { 7, 966, 1024 }, { 8, 967, 1024 },
+   { 6, 968, 1024 }, { 7, 969, 1024 }, { 7, 970, 1024 }, { 8, 971, 1024 }, { 7, 972, 1024 }, { 8, 973, 1024 }, { 8, 974, 1024 }, { 9, 975, 1024 },
+   { 6, 976, 1024 }, { 7, 977, 1024 }, { 7, 978, 1024 }, { 8, 979, 1024 }, { 7, 980, 1024 }, { 8, 981, 1024 }, { 8, 982, 1024 }, { 9, 983, 1024 },
+   { 7, 984, 1024 }, { 8, 985, 1024 }, { 8, 986, 1024 }, { 9, 987, 1024 }, { 8, 988, 1024 }, { 9, 989, 1024 }, { 9, 990, 1024 }, { 10, 991, 1024 },
+   { 6, 992, 1024 }, { 7, 993, 1024 }, { 7, 994, 1024 }, { 8, 995, 1024 }, { 7, 996, 1024 }, { 8, 997, 1024 }, { 8, 998, 1024 }, { 9, 999, 1024 },
+   { 7, 1000, 1024 }, { 8, 1001, 1024 }, { 8, 1002, 1024 }, { 9, 1003, 1024 }, { 8, 1004, 1024 }, { 9, 1005, 1024 }, { 9, 1006, 1024 }, { 10, 1007, 1024 },
+   { 7, 1008, 1024 }, { 8, 1009, 1024 }, { 8, 1010, 1024 }, { 9, 1011, 1024 }, { 8, 1012, 1024 }, { 9, 1013, 1024 }, { 9, 1014, 1024 }, { 10, 1015, 1024 },
+   { 8, 1016, 1024 }, { 9, 1017, 1024 }, { 9, 1018, 1024 }, { 10, 1019, 1024 }, { 9, 1020, 1024 }, { 10, 1021, 1024 }, { 10, 1022, 1024 }, { 11, 1023, 1024 },
 #if FP_LUT > 11
-   { 1, 0, 0 }, { 2, 1, 2048 }, { 2, 2, 2048 }, { 3, 3, 2048 }, { 2, 4, 2048 }, { 3, 5, 2048 }, { 3, 6, 2048 }, { 4, 7, 2048 }, 
-   { 2, 8, 2048 }, { 3, 9, 2048 }, { 3, 10, 2048 }, { 4, 11, 2048 }, { 3, 12, 2048 }, { 4, 13, 2048 }, { 4, 14, 2048 }, { 5, 15, 2048 }, 
-   { 2, 16, 2048 }, { 3, 17, 2048 }, { 3, 18, 2048 }, { 4, 19, 2048 }, { 3, 20, 2048 }, { 4, 21, 2048 }, { 4, 22, 2048 }, { 5, 23, 2048 }, 
-   { 3, 24, 2048 }, { 4, 25, 2048 }, { 4, 26, 2048 }, { 5, 27, 2048 }, { 4, 28, 2048 }, { 5, 29, 2048 }, { 5, 30, 2048 }, { 6, 31, 2048 }, 
-   { 2, 32, 2048 }, { 3, 33, 2048 }, { 3, 34, 2048 }, { 4, 35, 2048 }, { 3, 36, 2048 }, { 4, 37, 2048 }, { 4, 38, 2048 }, { 5, 39, 2048 }, 
-   { 3, 40, 2048 }, { 4, 41, 2048 }, { 4, 42, 2048 }, { 5, 43, 2048 }, { 4, 44, 2048 }, { 5, 45, 2048 }, { 5, 46, 2048 }, { 6, 47, 2048 }, 
-   { 3, 48, 2048 }, { 4, 49, 2048 }, { 4, 50, 2048 }, { 5, 51, 2048 }, { 4, 52, 2048 }, { 5, 53, 2048 }, { 5, 54, 2048 }, { 6, 55, 2048 }, 
-   { 4, 56, 2048 }, { 5, 57, 2048 }, { 5, 58, 2048 }, { 6, 59, 2048 }, { 5, 60, 2048 }, { 6, 61, 2048 }, { 6, 62, 2048 }, { 7, 63, 2048 }, 
-   { 2, 64, 2048 }, { 3, 65, 2048 }, { 3, 66, 2048 }, { 4, 67, 2048 }, { 3, 68, 2048 }, { 4, 69, 2048 }, { 4, 70, 2048 }, { 5, 71, 2048 }, 
-   { 3, 72, 2048 }, { 4, 73, 2048 }, { 4, 74, 2048 }, { 5, 75, 2048 }, { 4, 76, 2048 }, { 5, 77, 2048 }, { 5, 78, 2048 }, { 6, 79, 2048 }, 
-   { 3, 80, 2048 }, { 4, 81, 2048 }, { 4, 82, 2048 }, { 5, 83, 2048 }, { 4, 84, 2048 }, { 5, 85, 2048 }, { 5, 86, 2048 }, { 6, 87, 2048 }, 
-   { 4, 88, 2048 }, { 5, 89, 2048 }, { 5, 90, 2048 }, { 6, 91, 2048 }, { 5, 92, 2048 }, { 6, 93, 2048 }, { 6, 94, 2048 }, { 7, 95, 2048 }, 
-   { 3, 96, 2048 }, { 4, 97, 2048 }, { 4, 98, 2048 }, { 5, 99, 2048 }, { 4, 100, 2048 }, { 5, 101, 2048 }, { 5, 102, 2048 }, { 6, 103, 2048 }, 
-   { 4, 104, 2048 }, { 5, 105, 2048 }, { 5, 106, 2048 }, { 6, 107, 2048 }, { 5, 108, 2048 }, { 6, 109, 2048 }, { 6, 110, 2048 }, { 7, 111, 2048 }, 
-   { 4, 112, 2048 }, { 5, 113, 2048 }, { 5, 114, 2048 }, { 6, 115, 2048 }, { 5, 116, 2048 }, { 6, 117, 2048 }, { 6, 118, 2048 }, { 7, 119, 2048 }, 
-   { 5, 120, 2048 }, { 6, 121, 2048 }, { 6, 122, 2048 }, { 7, 123, 2048 }, { 6, 124, 2048 }, { 7, 125, 2048 }, { 7, 126, 2048 }, { 8, 127, 2048 }, 
-   { 2, 128, 2048 }, { 3, 129, 2048 }, { 3, 130, 2048 }, { 4, 131, 2048 }, { 3, 132, 2048 }, { 4, 133, 2048 }, { 4, 134, 2048 }, { 5, 135, 2048 }, 
-   { 3, 136, 2048 }, { 4, 137, 2048 }, { 4, 138, 2048 }, { 5, 139, 2048 }, { 4, 140, 2048 }, { 5, 141, 2048 }, { 5, 142, 2048 }, { 6, 143, 2048 }, 
-   { 3, 144, 2048 }, { 4, 145, 2048 }, { 4, 146, 2048 }, { 5, 147, 2048 }, { 4, 148, 2048 }, { 5, 149, 2048 }, { 5, 150, 2048 }, { 6, 151, 2048 }, 
-   { 4, 152, 2048 }, { 5, 153, 2048 }, { 5, 154, 2048 }, { 6, 155, 2048 }, { 5, 156, 2048 }, { 6, 157, 2048 }, { 6, 158, 2048 }, { 7, 159, 2048 }, 
-   { 3, 160, 2048 }, { 4, 161, 2048 }, { 4, 162, 2048 }, { 5, 163, 2048 }, { 4, 164, 2048 }, { 5, 165, 2048 }, { 5, 166, 2048 }, { 6, 167, 2048 }, 
-   { 4, 168, 2048 }, { 5, 169, 2048 }, { 5, 170, 2048 }, { 6, 171, 2048 }, { 5, 172, 2048 }, { 6, 173, 2048 }, { 6, 174, 2048 }, { 7, 175, 2048 }, 
-   { 4, 176, 2048 }, { 5, 177, 2048 }, { 5, 178, 2048 }, { 6, 179, 2048 }, { 5, 180, 2048 }, { 6, 181, 2048 }, { 6, 182, 2048 }, { 7, 183, 2048 }, 
-   { 5, 184, 2048 }, { 6, 185, 2048 }, { 6, 186, 2048 }, { 7, 187, 2048 }, { 6, 188, 2048 }, { 7, 189, 2048 }, { 7, 190, 2048 }, { 8, 191, 2048 }, 
-   { 3, 192, 2048 }, { 4, 193, 2048 }, { 4, 194, 2048 }, { 5, 195, 2048 }, { 4, 196, 2048 }, { 5, 197, 2048 }, { 5, 198, 2048 }, { 6, 199, 2048 }, 
-   { 4, 200, 2048 }, { 5, 201, 2048 }, { 5, 202, 2048 }, { 6, 203, 2048 }, { 5, 204, 2048 }, { 6, 205, 2048 }, { 6, 206, 2048 }, { 7, 207, 2048 }, 
-   { 4, 208, 2048 }, { 5, 209, 2048 }, { 5, 210, 2048 }, { 6, 211, 2048 }, { 5, 212, 2048 }, { 6, 213, 2048 }, { 6, 214, 2048 }, { 7, 215, 2048 }, 
-   { 5, 216, 2048 }, { 6, 217, 2048 }, { 6, 218, 2048 }, { 7, 219, 2048 }, { 6, 220, 2048 }, { 7, 221, 2048 }, { 7, 222, 2048 }, { 8, 223, 2048 }, 
-   { 4, 224, 2048 }, { 5, 225, 2048 }, { 5, 226, 2048 }, { 6, 227, 2048 }, { 5, 228, 2048 }, { 6, 229, 2048 }, { 6, 230, 2048 }, { 7, 231, 2048 }, 
-   { 5, 232, 2048 }, { 6, 233, 2048 }, { 6, 234, 2048 }, { 7, 235, 2048 }, { 6, 236, 2048 }, { 7, 237, 2048 }, { 7, 238, 2048 }, { 8, 239, 2048 }, 
-   { 5, 240, 2048 }, { 6, 241, 2048 }, { 6, 242, 2048 }, { 7, 243, 2048 }, { 6, 244, 2048 }, { 7, 245, 2048 }, { 7, 246, 2048 }, { 8, 247, 2048 }, 
-   { 6, 248, 2048 }, { 7, 249, 2048 }, { 7, 250, 2048 }, { 8, 251, 2048 }, { 7, 252, 2048 }, { 8, 253, 2048 }, { 8, 254, 2048 }, { 9, 255, 2048 }, 
-   { 2, 256, 2048 }, { 3, 257, 2048 }, { 3, 258, 2048 }, { 4, 259, 2048 }, { 3, 260, 2048 }, { 4, 261, 2048 }, { 4, 262, 2048 }, { 5, 263, 2048 }, 
-   { 3, 264, 2048 }, { 4, 265, 2048 }, { 4, 266, 2048 }, { 5, 267, 2048 }, { 4, 268, 2048 }, { 5, 269, 2048 }, { 5, 270, 2048 }, { 6, 271, 2048 }, 
-   { 3, 272, 2048 }, { 4, 273, 2048 }, { 4, 274, 2048 }, { 5, 275, 2048 }, { 4, 276, 2048 }, { 5, 277, 2048 }, { 5, 278, 2048 }, { 6, 279, 2048 }, 
-   { 4, 280, 2048 }, { 5, 281, 2048 }, { 5, 282, 2048 }, { 6, 283, 2048 }, { 5, 284, 2048 }, { 6, 285, 2048 }, { 6, 286, 2048 }, { 7, 287, 2048 }, 
-   { 3, 288, 2048 }, { 4, 289, 2048 }, { 4, 290, 2048 }, { 5, 291, 2048 }, { 4, 292, 2048 }, { 5, 293, 2048 }, { 5, 294, 2048 }, { 6, 295, 2048 }, 
-   { 4, 296, 2048 }, { 5, 297, 2048 }, { 5, 298, 2048 }, { 6, 299, 2048 }, { 5, 300, 2048 }, { 6, 301, 2048 }, { 6, 302, 2048 }, { 7, 303, 2048 }, 
-   { 4, 304, 2048 }, { 5, 305, 2048 }, { 5, 306, 2048 }, { 6, 307, 2048 }, { 5, 308, 2048 }, { 6, 309, 2048 }, { 6, 310, 2048 }, { 7, 311, 2048 }, 
-   { 5, 312, 2048 }, { 6, 313, 2048 }, { 6, 314, 2048 }, { 7, 315, 2048 }, { 6, 316, 2048 }, { 7, 317, 2048 }, { 7, 318, 2048 }, { 8, 319, 2048 }, 
-   { 3, 320, 2048 }, { 4, 321, 2048 }, { 4, 322, 2048 }, { 5, 323, 2048 }, { 4, 324, 2048 }, { 5, 325, 2048 }, { 5, 326, 2048 }, { 6, 327, 2048 }, 
-   { 4, 328, 2048 }, { 5, 329, 2048 }, { 5, 330, 2048 }, { 6, 331, 2048 }, { 5, 332, 2048 }, { 6, 333, 2048 }, { 6, 334, 2048 }, { 7, 335, 2048 }, 
-   { 4, 336, 2048 }, { 5, 337, 2048 }, { 5, 338, 2048 }, { 6, 339, 2048 }, { 5, 340, 2048 }, { 6, 341, 2048 }, { 6, 342, 2048 }, { 7, 343, 2048 }, 
-   { 5, 344, 2048 }, { 6, 345, 2048 }, { 6, 346, 2048 }, { 7, 347, 2048 }, { 6, 348, 2048 }, { 7, 349, 2048 }, { 7, 350, 2048 }, { 8, 351, 2048 }, 
-   { 4, 352, 2048 }, { 5, 353, 2048 }, { 5, 354, 2048 }, { 6, 355, 2048 }, { 5, 356, 2048 }, { 6, 357, 2048 }, { 6, 358, 2048 }, { 7, 359, 2048 }, 
-   { 5, 360, 2048 }, { 6, 361, 2048 }, { 6, 362, 2048 }, { 7, 363, 2048 }, { 6, 364, 2048 }, { 7, 365, 2048 }, { 7, 366, 2048 }, { 8, 367, 2048 }, 
-   { 5, 368, 2048 }, { 6, 369, 2048 }, { 6, 370, 2048 }, { 7, 371, 2048 }, { 6, 372, 2048 }, { 7, 373, 2048 }, { 7, 374, 2048 }, { 8, 375, 2048 }, 
-   { 6, 376, 2048 }, { 7, 377, 2048 }, { 7, 378, 2048 }, { 8, 379, 2048 }, { 7, 380, 2048 }, { 8, 381, 2048 }, { 8, 382, 2048 }, { 9, 383, 2048 }, 
-   { 3, 384, 2048 }, { 4, 385, 2048 }, { 4, 386, 2048 }, { 5, 387, 2048 }, { 4, 388, 2048 }, { 5, 389, 2048 }, { 5, 390, 2048 }, { 6, 391, 2048 }, 
-   { 4, 392, 2048 }, { 5, 393, 2048 }, { 5, 394, 2048 }, { 6, 395, 2048 }, { 5, 396, 2048 }, { 6, 397, 2048 }, { 6, 398, 2048 }, { 7, 399, 2048 }, 
-   { 4, 400, 2048 }, { 5, 401, 2048 }, { 5, 402, 2048 }, { 6, 403, 2048 }, { 5, 404, 2048 }, { 6, 405, 2048 }, { 6, 406, 2048 }, { 7, 407, 2048 }, 
-   { 5, 408, 2048 }, { 6, 409, 2048 }, { 6, 410, 2048 }, { 7, 411, 2048 }, { 6, 412, 2048 }, { 7, 413, 2048 }, { 7, 414, 2048 }, { 8, 415, 2048 }, 
-   { 4, 416, 2048 }, { 5, 417, 2048 }, { 5, 418, 2048 }, { 6, 419, 2048 }, { 5, 420, 2048 }, { 6, 421, 2048 }, { 6, 422, 2048 }, { 7, 423, 2048 }, 
-   { 5, 424, 2048 }, { 6, 425, 2048 }, { 6, 426, 2048 }, { 7, 427, 2048 }, { 6, 428, 2048 }, { 7, 429, 2048 }, { 7, 430, 2048 }, { 8, 431, 2048 }, 
-   { 5, 432, 2048 }, { 6, 433, 2048 }, { 6, 434, 2048 }, { 7, 435, 2048 }, { 6, 436, 2048 }, { 7, 437, 2048 }, { 7, 438, 2048 }, { 8, 439, 2048 }, 
-   { 6, 440, 2048 }, { 7, 441, 2048 }, { 7, 442, 2048 }, { 8, 443, 2048 }, { 7, 444, 2048 }, { 8, 445, 2048 }, { 8, 446, 2048 }, { 9, 447, 2048 }, 
-   { 4, 448, 2048 }, { 5, 449, 2048 }, { 5, 450, 2048 }, { 6, 451, 2048 }, { 5, 452, 2048 }, { 6, 453, 2048 }, { 6, 454, 2048 }, { 7, 455, 2048 }, 
-   { 5, 456, 2048 }, { 6, 457, 2048 }, { 6, 458, 2048 }, { 7, 459, 2048 }, { 6, 460, 2048 }, { 7, 461, 2048 }, { 7, 462, 2048 }, { 8, 463, 2048 }, 
-   { 5, 464, 2048 }, { 6, 465, 2048 }, { 6, 466, 2048 }, { 7, 467, 2048 }, { 6, 468, 2048 }, { 7, 469, 2048 }, { 7, 470, 2048 }, { 8, 471, 2048 }, 
-   { 6, 472, 2048 }, { 7, 473, 2048 }, { 7, 474, 2048 }, { 8, 475, 2048 }, { 7, 476, 2048 }, { 8, 477, 2048 }, { 8, 478, 2048 }, { 9, 479, 2048 }, 
-   { 5, 480, 2048 }, { 6, 481, 2048 }, { 6, 482, 2048 }, { 7, 483, 2048 }, { 6, 484, 2048 }, { 7, 485, 2048 }, { 7, 486, 2048 }, { 8, 487, 2048 }, 
-   { 6, 488, 2048 }, { 7, 489, 2048 }, { 7, 490, 2048 }, { 8, 491, 2048 }, { 7, 492, 2048 }, { 8, 493, 2048 }, { 8, 494, 2048 }, { 9, 495, 2048 }, 
-   { 6, 496, 2048 }, { 7, 497, 2048 }, { 7, 498, 2048 }, { 8, 499, 2048 }, { 7, 500, 2048 }, { 8, 501, 2048 }, { 8, 502, 2048 }, { 9, 503, 2048 }, 
-   { 7, 504, 2048 }, { 8, 505, 2048 }, { 8, 506, 2048 }, { 9, 507, 2048 }, { 8, 508, 2048 }, { 9, 509, 2048 }, { 9, 510, 2048 }, { 10, 511, 2048 }, 
-   { 2, 512, 2048 }, { 3, 513, 2048 }, { 3, 514, 2048 }, { 4, 515, 2048 }, { 3, 516, 2048 }, { 4, 517, 2048 }, { 4, 518, 2048 }, { 5, 519, 2048 }, 
-   { 3, 520, 2048 }, { 4, 521, 2048 }, { 4, 522, 2048 }, { 5, 523, 2048 }, { 4, 524, 2048 }, { 5, 525, 2048 }, { 5, 526, 2048 }, { 6, 527, 2048 }, 
-   { 3, 528, 2048 }, { 4, 529, 2048 }, { 4, 530, 2048 }, { 5, 531, 2048 }, { 4, 532, 2048 }, { 5, 533, 2048 }, { 5, 534, 2048 }, { 6, 535, 2048 }, 
-   { 4, 536, 2048 }, { 5, 537, 2048 }, { 5, 538, 2048 }, { 6, 539, 2048 }, { 5, 540, 2048 }, { 6, 541, 2048 }, { 6, 542, 2048 }, { 7, 543, 2048 }, 
-   { 3, 544, 2048 }, { 4, 545, 2048 }, { 4, 546, 2048 }, { 5, 547, 2048 }, { 4, 548, 2048 }, { 5, 549, 2048 }, { 5, 550, 2048 }, { 6, 551, 2048 }, 
-   { 4, 552, 2048 }, { 5, 553, 2048 }, { 5, 554, 2048 }, { 6, 555, 2048 }, { 5, 556, 2048 }, { 6, 557, 2048 }, { 6, 558, 2048 }, { 7, 559, 2048 }, 
-   { 4, 560, 2048 }, { 5, 561, 2048 }, { 5, 562, 2048 }, { 6, 563, 2048 }, { 5, 564, 2048 }, { 6, 565, 2048 }, { 6, 566, 2048 }, { 7, 567, 2048 }, 
-   { 5, 568, 2048 }, { 6, 569, 2048 }, { 6, 570, 2048 }, { 7, 571, 2048 }, { 6, 572, 2048 }, { 7, 573, 2048 }, { 7, 574, 2048 }, { 8, 575, 2048 }, 
-   { 3, 576, 2048 }, { 4, 577, 2048 }, { 4, 578, 2048 }, { 5, 579, 2048 }, { 4, 580, 2048 }, { 5, 581, 2048 }, { 5, 582, 2048 }, { 6, 583, 2048 }, 
-   { 4, 584, 2048 }, { 5, 585, 2048 }, { 5, 586, 2048 }, { 6, 587, 2048 }, { 5, 588, 2048 }, { 6, 589, 2048 }, { 6, 590, 2048 }, { 7, 591, 2048 }, 
-   { 4, 592, 2048 }, { 5, 593, 2048 }, { 5, 594, 2048 }, { 6, 595, 2048 }, { 5, 596, 2048 }, { 6, 597, 2048 }, { 6, 598, 2048 }, { 7, 599, 2048 }, 
-   { 5, 600, 2048 }, { 6, 601, 2048 }, { 6, 602, 2048 }, { 7, 603, 2048 }, { 6, 604, 2048 }, { 7, 605, 2048 }, { 7, 606, 2048 }, { 8, 607, 2048 }, 
-   { 4, 608, 2048 }, { 5, 609, 2048 }, { 5, 610, 2048 }, { 6, 611, 2048 }, { 5, 612, 2048 }, { 6, 613, 2048 }, { 6, 614, 2048 }, { 7, 615, 2048 }, 
-   { 5, 616, 2048 }, { 6, 617, 2048 }, { 6, 618, 2048 }, { 7, 619, 2048 }, { 6, 620, 2048 }, { 7, 621, 2048 }, { 7, 622, 2048 }, { 8, 623, 2048 }, 
-   { 5, 624, 2048 }, { 6, 625, 2048 }, { 6, 626, 2048 }, { 7, 627, 2048 }, { 6, 628, 2048 }, { 7, 629, 2048 }, { 7, 630, 2048 }, { 8, 631, 2048 }, 
-   { 6, 632, 2048 }, { 7, 633, 2048 }, { 7, 634, 2048 }, { 8, 635, 2048 }, { 7, 636, 2048 }, { 8, 637, 2048 }, { 8, 638, 2048 }, { 9, 639, 2048 }, 
-   { 3, 640, 2048 }, { 4, 641, 2048 }, { 4, 642, 2048 }, { 5, 643, 2048 }, { 4, 644, 2048 }, { 5, 645, 2048 }, { 5, 646, 2048 }, { 6, 647, 2048 }, 
-   { 4, 648, 2048 }, { 5, 649, 2048 }, { 5, 650, 2048 }, { 6, 651, 2048 }, { 5, 652, 2048 }, { 6, 653, 2048 }, { 6, 654, 2048 }, { 7, 655, 2048 }, 
-   { 4, 656, 2048 }, { 5, 657, 2048 }, { 5, 658, 2048 }, { 6, 659, 2048 }, { 5, 660, 2048 }, { 6, 661, 2048 }, { 6, 662, 2048 }, { 7, 663, 2048 }, 
-   { 5, 664, 2048 }, { 6, 665, 2048 }, { 6, 666, 2048 }, { 7, 667, 2048 }, { 6, 668, 2048 }, { 7, 669, 2048 }, { 7, 670, 2048 }, { 8, 671, 2048 }, 
-   { 4, 672, 2048 }, { 5, 673, 2048 }, { 5, 674, 2048 }, { 6, 675, 2048 }, { 5, 676, 2048 }, { 6, 677, 2048 }, { 6, 678, 2048 }, { 7, 679, 2048 }, 
-   { 5, 680, 2048 }, { 6, 681, 2048 }, { 6, 682, 2048 }, { 7, 683, 2048 }, { 6, 684, 2048 }, { 7, 685, 2048 }, { 7, 686, 2048 }, { 8, 687, 2048 }, 
-   { 5, 688, 2048 }, { 6, 689, 2048 }, { 6, 690, 2048 }, { 7, 691, 2048 }, { 6, 692, 2048 }, { 7, 693, 2048 }, { 7, 694, 2048 }, { 8, 695, 2048 }, 
-   { 6, 696, 2048 }, { 7, 697, 2048 }, { 7, 698, 2048 }, { 8, 699, 2048 }, { 7, 700, 2048 }, { 8, 701, 2048 }, { 8, 702, 2048 }, { 9, 703, 2048 }, 
-   { 4, 704, 2048 }, { 5, 705, 2048 }, { 5, 706, 2048 }, { 6, 707, 2048 }, { 5, 708, 2048 }, { 6, 709, 2048 }, { 6, 710, 2048 }, { 7, 711, 2048 }, 
-   { 5, 712, 2048 }, { 6, 713, 2048 }, { 6, 714, 2048 }, { 7, 715, 2048 }, { 6, 716, 2048 }, { 7, 717, 2048 }, { 7, 718, 2048 }, { 8, 719, 2048 }, 
-   { 5, 720, 2048 }, { 6, 721, 2048 }, { 6, 722, 2048 }, { 7, 723, 2048 }, { 6, 724, 2048 }, { 7, 725, 2048 }, { 7, 726, 2048 }, { 8, 727, 2048 }, 
-   { 6, 728, 2048 }, { 7, 729, 2048 }, { 7, 730, 2048 }, { 8, 731, 2048 }, { 7, 732, 2048 }, { 8, 733, 2048 }, { 8, 734, 2048 }, { 9, 735, 2048 }, 
-   { 5, 736, 2048 }, { 6, 737, 2048 }, { 6, 738, 2048 }, { 7, 739, 2048 }, { 6, 740, 2048 }, { 7, 741, 2048 }, { 7, 742, 2048 }, { 8, 743, 2048 }, 
-   { 6, 744, 2048 }, { 7, 745, 2048 }, { 7, 746, 2048 }, { 8, 747, 2048 }, { 7, 748, 2048 }, { 8, 749, 2048 }, { 8, 750, 2048 }, { 9, 751, 2048 }, 
-   { 6, 752, 2048 }, { 7, 753, 2048 }, { 7, 754, 2048 }, { 8, 755, 2048 }, { 7, 756, 2048 }, { 8, 757, 2048 }, { 8, 758, 2048 }, { 9, 759, 2048 }, 
-   { 7, 760, 2048 }, { 8, 761, 2048 }, { 8, 762, 2048 }, { 9, 763, 2048 }, { 8, 764, 2048 }, { 9, 765, 2048 }, { 9, 766, 2048 }, { 10, 767, 2048 }, 
-   { 3, 768, 2048 }, { 4, 769, 2048 }, { 4, 770, 2048 }, { 5, 771, 2048 }, { 4, 772, 2048 }, { 5, 773, 2048 }, { 5, 774, 2048 }, { 6, 775, 2048 }, 
-   { 4, 776, 2048 }, { 5, 777, 2048 }, { 5, 778, 2048 }, { 6, 779, 2048 }, { 5, 780, 2048 }, { 6, 781, 2048 }, { 6, 782, 2048 }, { 7, 783, 2048 }, 
-   { 4, 784, 2048 }, { 5, 785, 2048 }, { 5, 786, 2048 }, { 6, 787, 2048 }, { 5, 788, 2048 }, { 6, 789, 2048 }, { 6, 790, 2048 }, { 7, 791, 2048 }, 
-   { 5, 792, 2048 }, { 6, 793, 2048 }, { 6, 794, 2048 }, { 7, 795, 2048 }, { 6, 796, 2048 }, { 7, 797, 2048 }, { 7, 798, 2048 }, { 8, 799, 2048 }, 
-   { 4, 800, 2048 }, { 5, 801, 2048 }, { 5, 802, 2048 }, { 6, 803, 2048 }, { 5, 804, 2048 }, { 6, 805, 2048 }, { 6, 806, 2048 }, { 7, 807, 2048 }, 
-   { 5, 808, 2048 }, { 6, 809, 2048 }, { 6, 810, 2048 }, { 7, 811, 2048 }, { 6, 812, 2048 }, { 7, 813, 2048 }, { 7, 814, 2048 }, { 8, 815, 2048 }, 
-   { 5, 816, 2048 }, { 6, 817, 2048 }, { 6, 818, 2048 }, { 7, 819, 2048 }, { 6, 820, 2048 }, { 7, 821, 2048 }, { 7, 822, 2048 }, { 8, 823, 2048 }, 
-   { 6, 824, 2048 }, { 7, 825, 2048 }, { 7, 826, 2048 }, { 8, 827, 2048 }, { 7, 828, 2048 }, { 8, 829, 2048 }, { 8, 830, 2048 }, { 9, 831, 2048 }, 
-   { 4, 832, 2048 }, { 5, 833, 2048 }, { 5, 834, 2048 }, { 6, 835, 2048 }, { 5, 836, 2048 }, { 6, 837, 2048 }, { 6, 838, 2048 }, { 7, 839, 2048 }, 
-   { 5, 840, 2048 }, { 6, 841, 2048 }, { 6, 842, 2048 }, { 7, 843, 2048 }, { 6, 844, 2048 }, { 7, 845, 2048 }, { 7, 846, 2048 }, { 8, 847, 2048 }, 
-   { 5, 848, 2048 }, { 6, 849, 2048 }, { 6, 850, 2048 }, { 7, 851, 2048 }, { 6, 852, 2048 }, { 7, 853, 2048 }, { 7, 854, 2048 }, { 8, 855, 2048 }, 
-   { 6, 856, 2048 }, { 7, 857, 2048 }, { 7, 858, 2048 }, { 8, 859, 2048 }, { 7, 860, 2048 }, { 8, 861, 2048 }, { 8, 862, 2048 }, { 9, 863, 2048 }, 
-   { 5, 864, 2048 }, { 6, 865, 2048 }, { 6, 866, 2048 }, { 7, 867, 2048 }, { 6, 868, 2048 }, { 7, 869, 2048 }, { 7, 870, 2048 }, { 8, 871, 2048 }, 
-   { 6, 872, 2048 }, { 7, 873, 2048 }, { 7, 874, 2048 }, { 8, 875, 2048 }, { 7, 876, 2048 }, { 8, 877, 2048 }, { 8, 878, 2048 }, { 9, 879, 2048 }, 
-   { 6, 880, 2048 }, { 7, 881, 2048 }, { 7, 882, 2048 }, { 8, 883, 2048 }, { 7, 884, 2048 }, { 8, 885, 2048 }, { 8, 886, 2048 }, { 9, 887, 2048 }, 
-   { 7, 888, 2048 }, { 8, 889, 2048 }, { 8, 890, 2048 }, { 9, 891, 2048 }, { 8, 892, 2048 }, { 9, 893, 2048 }, { 9, 894, 2048 }, { 10, 895, 2048 }, 
-   { 4, 896, 2048 }, { 5, 897, 2048 }, { 5, 898, 2048 }, { 6, 899, 2048 }, { 5, 900, 2048 }, { 6, 901, 2048 }, { 6, 902, 2048 }, { 7, 903, 2048 }, 
-   { 5, 904, 2048 }, { 6, 905, 2048 }, { 6, 906, 2048 }, { 7, 907, 2048 }, { 6, 908, 2048 }, { 7, 909, 2048 }, { 7, 910, 2048 }, { 8, 911, 2048 }, 
-   { 5, 912, 2048 }, { 6, 913, 2048 }, { 6, 914, 2048 }, { 7, 915, 2048 }, { 6, 916, 2048 }, { 7, 917, 2048 }, { 7, 918, 2048 }, { 8, 919, 2048 }, 
-   { 6, 920, 2048 }, { 7, 921, 2048 }, { 7, 922, 2048 }, { 8, 923, 2048 }, { 7, 924, 2048 }, { 8, 925, 2048 }, { 8, 926, 2048 }, { 9, 927, 2048 }, 
-   { 5, 928, 2048 }, { 6, 929, 2048 }, { 6, 930, 2048 }, { 7, 931, 2048 }, { 6, 932, 2048 }, { 7, 933, 2048 }, { 7, 934, 2048 }, { 8, 935, 2048 }, 
-   { 6, 936, 2048 }, { 7, 937, 2048 }, { 7, 938, 2048 }, { 8, 939, 2048 }, { 7, 940, 2048 }, { 8, 941, 2048 }, { 8, 942, 2048 }, { 9, 943, 2048 }, 
-   { 6, 944, 2048 }, { 7, 945, 2048 }, { 7, 946, 2048 }, { 8, 947, 2048 }, { 7, 948, 2048 }, { 8, 949, 2048 }, { 8, 950, 2048 }, { 9, 951, 2048 }, 
-   { 7, 952, 2048 }, { 8, 953, 2048 }, { 8, 954, 2048 }, { 9, 955, 2048 }, { 8, 956, 2048 }, { 9, 957, 2048 }, { 9, 958, 2048 }, { 10, 959, 2048 }, 
-   { 5, 960, 2048 }, { 6, 961, 2048 }, { 6, 962, 2048 }, { 7, 963, 2048 }, { 6, 964, 2048 }, { 7, 965, 2048 }, { 7, 966, 2048 }, { 8, 967, 2048 }, 
-   { 6, 968, 2048 }, { 7, 969, 2048 }, { 7, 970, 2048 }, { 8, 971, 2048 }, { 7, 972, 2048 }, { 8, 973, 2048 }, { 8, 974, 2048 }, { 9, 975, 2048 }, 
-   { 6, 976, 2048 }, { 7, 977, 2048 }, { 7, 978, 2048 }, { 8, 979, 2048 }, { 7, 980, 2048 }, { 8, 981, 2048 }, { 8, 982, 2048 }, { 9, 983, 2048 }, 
-   { 7, 984, 2048 }, { 8, 985, 2048 }, { 8, 986, 2048 }, { 9, 987, 2048 }, { 8, 988, 2048 }, { 9, 989, 2048 }, { 9, 990, 2048 }, { 10, 991, 2048 }, 
-   { 6, 992, 2048 }, { 7, 993, 2048 }, { 7, 994, 2048 }, { 8, 995, 2048 }, { 7, 996, 2048 }, { 8, 997, 2048 }, { 8, 998, 2048 }, { 9, 999, 2048 }, 
-   { 7, 1000, 2048 }, { 8, 1001, 2048 }, { 8, 1002, 2048 }, { 9, 1003, 2048 }, { 8, 1004, 2048 }, { 9, 1005, 2048 }, { 9, 1006, 2048 }, { 10, 1007, 2048 }, 
-   { 7, 1008, 2048 }, { 8, 1009, 2048 }, { 8, 1010, 2048 }, { 9, 1011, 2048 }, { 8, 1012, 2048 }, { 9, 1013, 2048 }, { 9, 1014, 2048 }, { 10, 1015, 2048 }, 
-   { 8, 1016, 2048 }, { 9, 1017, 2048 }, { 9, 1018, 2048 }, { 10, 1019, 2048 }, { 9, 1020, 2048 }, { 10, 1021, 2048 }, { 10, 1022, 2048 }, { 11, 1023, 2048 }, 
-   { 2, 1024, 2048 }, { 3, 1025, 2048 }, { 3, 1026, 2048 }, { 4, 1027, 2048 }, { 3, 1028, 2048 }, { 4, 1029, 2048 }, { 4, 1030, 2048 }, { 5, 1031, 2048 }, 
-   { 3, 1032, 2048 }, { 4, 1033, 2048 }, { 4, 1034, 2048 }, { 5, 1035, 2048 }, { 4, 1036, 2048 }, { 5, 1037, 2048 }, { 5, 1038, 2048 }, { 6, 1039, 2048 }, 
-   { 3, 1040, 2048 }, { 4, 1041, 2048 }, { 4, 1042, 2048 }, { 5, 1043, 2048 }, { 4, 1044, 2048 }, { 5, 1045, 2048 }, { 5, 1046, 2048 }, { 6, 1047, 2048 }, 
-   { 4, 1048, 2048 }, { 5, 1049, 2048 }, { 5, 1050, 2048 }, { 6, 1051, 2048 }, { 5, 1052, 2048 }, { 6, 1053, 2048 }, { 6, 1054, 2048 }, { 7, 1055, 2048 }, 
-   { 3, 1056, 2048 }, { 4, 1057, 2048 }, { 4, 1058, 2048 }, { 5, 1059, 2048 }, { 4, 1060, 2048 }, { 5, 1061, 2048 }, { 5, 1062, 2048 }, { 6, 1063, 2048 }, 
-   { 4, 1064, 2048 }, { 5, 1065, 2048 }, { 5, 1066, 2048 }, { 6, 1067, 2048 }, { 5, 1068, 2048 }, { 6, 1069, 2048 }, { 6, 1070, 2048 }, { 7, 1071, 2048 }, 
-   { 4, 1072, 2048 }, { 5, 1073, 2048 }, { 5, 1074, 2048 }, { 6, 1075, 2048 }, { 5, 1076, 2048 }, { 6, 1077, 2048 }, { 6, 1078, 2048 }, { 7, 1079, 2048 }, 
-   { 5, 1080, 2048 }, { 6, 1081, 2048 }, { 6, 1082, 2048 }, { 7, 1083, 2048 }, { 6, 1084, 2048 }, { 7, 1085, 2048 }, { 7, 1086, 2048 }, { 8, 1087, 2048 }, 
-   { 3, 1088, 2048 }, { 4, 1089, 2048 }, { 4, 1090, 2048 }, { 5, 1091, 2048 }, { 4, 1092, 2048 }, { 5, 1093, 2048 }, { 5, 1094, 2048 }, { 6, 1095, 2048 }, 
-   { 4, 1096, 2048 }, { 5, 1097, 2048 }, { 5, 1098, 2048 }, { 6, 1099, 2048 }, { 5, 1100, 2048 }, { 6, 1101, 2048 }, { 6, 1102, 2048 }, { 7, 1103, 2048 }, 
-   { 4, 1104, 2048 }, { 5, 1105, 2048 }, { 5, 1106, 2048 }, { 6, 1107, 2048 }, { 5, 1108, 2048 }, { 6, 1109, 2048 }, { 6, 1110, 2048 }, { 7, 1111, 2048 }, 
-   { 5, 1112, 2048 }, { 6, 1113, 2048 }, { 6, 1114, 2048 }, { 7, 1115, 2048 }, { 6, 1116, 2048 }, { 7, 1117, 2048 }, { 7, 1118, 2048 }, { 8, 1119, 2048 }, 
-   { 4, 1120, 2048 }, { 5, 1121, 2048 }, { 5, 1122, 2048 }, { 6, 1123, 2048 }, { 5, 1124, 2048 }, { 6, 1125, 2048 }, { 6, 1126, 2048 }, { 7, 1127, 2048 }, 
-   { 5, 1128, 2048 }, { 6, 1129, 2048 }, { 6, 1130, 2048 }, { 7, 1131, 2048 }, { 6, 1132, 2048 }, { 7, 1133, 2048 }, { 7, 1134, 2048 }, { 8, 1135, 2048 }, 
-   { 5, 1136, 2048 }, { 6, 1137, 2048 }, { 6, 1138, 2048 }, { 7, 1139, 2048 }, { 6, 1140, 2048 }, { 7, 1141, 2048 }, { 7, 1142, 2048 }, { 8, 1143, 2048 }, 
-   { 6, 1144, 2048 }, { 7, 1145, 2048 }, { 7, 1146, 2048 }, { 8, 1147, 2048 }, { 7, 1148, 2048 }, { 8, 1149, 2048 }, { 8, 1150, 2048 }, { 9, 1151, 2048 }, 
-   { 3, 1152, 2048 }, { 4, 1153, 2048 }, { 4, 1154, 2048 }, { 5, 1155, 2048 }, { 4, 1156, 2048 }, { 5, 1157, 2048 }, { 5, 1158, 2048 }, { 6, 1159, 2048 }, 
-   { 4, 1160, 2048 }, { 5, 1161, 2048 }, { 5, 1162, 2048 }, { 6, 1163, 2048 }, { 5, 1164, 2048 }, { 6, 1165, 2048 }, { 6, 1166, 2048 }, { 7, 1167, 2048 }, 
-   { 4, 1168, 2048 }, { 5, 1169, 2048 }, { 5, 1170, 2048 }, { 6, 1171, 2048 }, { 5, 1172, 2048 }, { 6, 1173, 2048 }, { 6, 1174, 2048 }, { 7, 1175, 2048 }, 
-   { 5, 1176, 2048 }, { 6, 1177, 2048 }, { 6, 1178, 2048 }, { 7, 1179, 2048 }, { 6, 1180, 2048 }, { 7, 1181, 2048 }, { 7, 1182, 2048 }, { 8, 1183, 2048 }, 
-   { 4, 1184, 2048 }, { 5, 1185, 2048 }, { 5, 1186, 2048 }, { 6, 1187, 2048 }, { 5, 1188, 2048 }, { 6, 1189, 2048 }, { 6, 1190, 2048 }, { 7, 1191, 2048 }, 
-   { 5, 1192, 2048 }, { 6, 1193, 2048 }, { 6, 1194, 2048 }, { 7, 1195, 2048 }, { 6, 1196, 2048 }, { 7, 1197, 2048 }, { 7, 1198, 2048 }, { 8, 1199, 2048 }, 
-   { 5, 1200, 2048 }, { 6, 1201, 2048 }, { 6, 1202, 2048 }, { 7, 1203, 2048 }, { 6, 1204, 2048 }, { 7, 1205, 2048 }, { 7, 1206, 2048 }, { 8, 1207, 2048 }, 
-   { 6, 1208, 2048 }, { 7, 1209, 2048 }, { 7, 1210, 2048 }, { 8, 1211, 2048 }, { 7, 1212, 2048 }, { 8, 1213, 2048 }, { 8, 1214, 2048 }, { 9, 1215, 2048 }, 
-   { 4, 1216, 2048 }, { 5, 1217, 2048 }, { 5, 1218, 2048 }, { 6, 1219, 2048 }, { 5, 1220, 2048 }, { 6, 1221, 2048 }, { 6, 1222, 2048 }, { 7, 1223, 2048 }, 
-   { 5, 1224, 2048 }, { 6, 1225, 2048 }, { 6, 1226, 2048 }, { 7, 1227, 2048 }, { 6, 1228, 2048 }, { 7, 1229, 2048 }, { 7, 1230, 2048 }, { 8, 1231, 2048 }, 
-   { 5, 1232, 2048 }, { 6, 1233, 2048 }, { 6, 1234, 2048 }, { 7, 1235, 2048 }, { 6, 1236, 2048 }, { 7, 1237, 2048 }, { 7, 1238, 2048 }, { 8, 1239, 2048 }, 
-   { 6, 1240, 2048 }, { 7, 1241, 2048 }, { 7, 1242, 2048 }, { 8, 1243, 2048 }, { 7, 1244, 2048 }, { 8, 1245, 2048 }, { 8, 1246, 2048 }, { 9, 1247, 2048 }, 
-   { 5, 1248, 2048 }, { 6, 1249, 2048 }, { 6, 1250, 2048 }, { 7, 1251, 2048 }, { 6, 1252, 2048 }, { 7, 1253, 2048 }, { 7, 1254, 2048 }, { 8, 1255, 2048 }, 
-   { 6, 1256, 2048 }, { 7, 1257, 2048 }, { 7, 1258, 2048 }, { 8, 1259, 2048 }, { 7, 1260, 2048 }, { 8, 1261, 2048 }, { 8, 1262, 2048 }, { 9, 1263, 2048 }, 
-   { 6, 1264, 2048 }, { 7, 1265, 2048 }, { 7, 1266, 2048 }, { 8, 1267, 2048 }, { 7, 1268, 2048 }, { 8, 1269, 2048 }, { 8, 1270, 2048 }, { 9, 1271, 2048 }, 
-   { 7, 1272, 2048 }, { 8, 1273, 2048 }, { 8, 1274, 2048 }, { 9, 1275, 2048 }, { 8, 1276, 2048 }, { 9, 1277, 2048 }, { 9, 1278, 2048 }, { 10, 1279, 2048 }, 
-   { 3, 1280, 2048 }, { 4, 1281, 2048 }, { 4, 1282, 2048 }, { 5, 1283, 2048 }, { 4, 1284, 2048 }, { 5, 1285, 2048 }, { 5, 1286, 2048 }, { 6, 1287, 2048 }, 
-   { 4, 1288, 2048 }, { 5, 1289, 2048 }, { 5, 1290, 2048 }, { 6, 1291, 2048 }, { 5, 1292, 2048 }, { 6, 1293, 2048 }, { 6, 1294, 2048 }, { 7, 1295, 2048 }, 
-   { 4, 1296, 2048 }, { 5, 1297, 2048 }, { 5, 1298, 2048 }, { 6, 1299, 2048 }, { 5, 1300, 2048 }, { 6, 1301, 2048 }, { 6, 1302, 2048 }, { 7, 1303, 2048 }, 
-   { 5, 1304, 2048 }, { 6, 1305, 2048 }, { 6, 1306, 2048 }, { 7, 1307, 2048 }, { 6, 1308, 2048 }, { 7, 1309, 2048 }, { 7, 1310, 2048 }, { 8, 1311, 2048 }, 
-   { 4, 1312, 2048 }, { 5, 1313, 2048 }, { 5, 1314, 2048 }, { 6, 1315, 2048 }, { 5, 1316, 2048 }, { 6, 1317, 2048 }, { 6, 1318, 2048 }, { 7, 1319, 2048 }, 
-   { 5, 1320, 2048 }, { 6, 1321, 2048 }, { 6, 1322, 2048 }, { 7, 1323, 2048 }, { 6, 1324, 2048 }, { 7, 1325, 2048 }, { 7, 1326, 2048 }, { 8, 1327, 2048 }, 
-   { 5, 1328, 2048 }, { 6, 1329, 2048 }, { 6, 1330, 2048 }, { 7, 1331, 2048 }, { 6, 1332, 2048 }, { 7, 1333, 2048 }, { 7, 1334, 2048 }, { 8, 1335, 2048 }, 
-   { 6, 1336, 2048 }, { 7, 1337, 2048 }, { 7, 1338, 2048 }, { 8, 1339, 2048 }, { 7, 1340, 2048 }, { 8, 1341, 2048 }, { 8, 1342, 2048 }, { 9, 1343, 2048 }, 
-   { 4, 1344, 2048 }, { 5, 1345, 2048 }, { 5, 1346, 2048 }, { 6, 1347, 2048 }, { 5, 1348, 2048 }, { 6, 1349, 2048 }, { 6, 1350, 2048 }, { 7, 1351, 2048 }, 
-   { 5, 1352, 2048 }, { 6, 1353, 2048 }, { 6, 1354, 2048 }, { 7, 1355, 2048 }, { 6, 1356, 2048 }, { 7, 1357, 2048 }, { 7, 1358, 2048 }, { 8, 1359, 2048 }, 
-   { 5, 1360, 2048 }, { 6, 1361, 2048 }, { 6, 1362, 2048 }, { 7, 1363, 2048 }, { 6, 1364, 2048 }, { 7, 1365, 2048 }, { 7, 1366, 2048 }, { 8, 1367, 2048 }, 
-   { 6, 1368, 2048 }, { 7, 1369, 2048 }, { 7, 1370, 2048 }, { 8, 1371, 2048 }, { 7, 1372, 2048 }, { 8, 1373, 2048 }, { 8, 1374, 2048 }, { 9, 1375, 2048 }, 
-   { 5, 1376, 2048 }, { 6, 1377, 2048 }, { 6, 1378, 2048 }, { 7, 1379, 2048 }, { 6, 1380, 2048 }, { 7, 1381, 2048 }, { 7, 1382, 2048 }, { 8, 1383, 2048 }, 
-   { 6, 1384, 2048 }, { 7, 1385, 2048 }, { 7, 1386, 2048 }, { 8, 1387, 2048 }, { 7, 1388, 2048 }, { 8, 1389, 2048 }, { 8, 1390, 2048 }, { 9, 1391, 2048 }, 
-   { 6, 1392, 2048 }, { 7, 1393, 2048 }, { 7, 1394, 2048 }, { 8, 1395, 2048 }, { 7, 1396, 2048 }, { 8, 1397, 2048 }, { 8, 1398, 2048 }, { 9, 1399, 2048 }, 
-   { 7, 1400, 2048 }, { 8, 1401, 2048 }, { 8, 1402, 2048 }, { 9, 1403, 2048 }, { 8, 1404, 2048 }, { 9, 1405, 2048 }, { 9, 1406, 2048 }, { 10, 1407, 2048 }, 
-   { 4, 1408, 2048 }, { 5, 1409, 2048 }, { 5, 1410, 2048 }, { 6, 1411, 2048 }, { 5, 1412, 2048 }, { 6, 1413, 2048 }, { 6, 1414, 2048 }, { 7, 1415, 2048 }, 
-   { 5, 1416, 2048 }, { 6, 1417, 2048 }, { 6, 1418, 2048 }, { 7, 1419, 2048 }, { 6, 1420, 2048 }, { 7, 1421, 2048 }, { 7, 1422, 2048 }, { 8, 1423, 2048 }, 
-   { 5, 1424, 2048 }, { 6, 1425, 2048 }, { 6, 1426, 2048 }, { 7, 1427, 2048 }, { 6, 1428, 2048 }, { 7, 1429, 2048 }, { 7, 1430, 2048 }, { 8, 1431, 2048 }, 
-   { 6, 1432, 2048 }, { 7, 1433, 2048 }, { 7, 1434, 2048 }, { 8, 1435, 2048 }, { 7, 1436, 2048 }, { 8, 1437, 2048 }, { 8, 1438, 2048 }, { 9, 1439, 2048 }, 
-   { 5, 1440, 2048 }, { 6, 1441, 2048 }, { 6, 1442, 2048 }, { 7, 1443, 2048 }, { 6, 1444, 2048 }, { 7, 1445, 2048 }, { 7, 1446, 2048 }, { 8, 1447, 2048 }, 
-   { 6, 1448, 2048 }, { 7, 1449, 2048 }, { 7, 1450, 2048 }, { 8, 1451, 2048 }, { 7, 1452, 2048 }, { 8, 1453, 2048 }, { 8, 1454, 2048 }, { 9, 1455, 2048 }, 
-   { 6, 1456, 2048 }, { 7, 1457, 2048 }, { 7, 1458, 2048 }, { 8, 1459, 2048 }, { 7, 1460, 2048 }, { 8, 1461, 2048 }, { 8, 1462, 2048 }, { 9, 1463, 2048 }, 
-   { 7, 1464, 2048 }, { 8, 1465, 2048 }, { 8, 1466, 2048 }, { 9, 1467, 2048 }, { 8, 1468, 2048 }, { 9, 1469, 2048 }, { 9, 1470, 2048 }, { 10, 1471, 2048 }, 
-   { 5, 1472, 2048 }, { 6, 1473, 2048 }, { 6, 1474, 2048 }, { 7, 1475, 2048 }, { 6, 1476, 2048 }, { 7, 1477, 2048 }, { 7, 1478, 2048 }, { 8, 1479, 2048 }, 
-   { 6, 1480, 2048 }, { 7, 1481, 2048 }, { 7, 1482, 2048 }, { 8, 1483, 2048 }, { 7, 1484, 2048 }, { 8, 1485, 2048 }, { 8, 1486, 2048 }, { 9, 1487, 2048 }, 
-   { 6, 1488, 2048 }, { 7, 1489, 2048 }, { 7, 1490, 2048 }, { 8, 1491, 2048 }, { 7, 1492, 2048 }, { 8, 1493, 2048 }, { 8, 1494, 2048 }, { 9, 1495, 2048 }, 
-   { 7, 1496, 2048 }, { 8, 1497, 2048 }, { 8, 1498, 2048 }, { 9, 1499, 2048 }, { 8, 1500, 2048 }, { 9, 1501, 2048 }, { 9, 1502, 2048 }, { 10, 1503, 2048 }, 
-   { 6, 1504, 2048 }, { 7, 1505, 2048 }, { 7, 1506, 2048 }, { 8, 1507, 2048 }, { 7, 1508, 2048 }, { 8, 1509, 2048 }, { 8, 1510, 2048 }, { 9, 1511, 2048 }, 
-   { 7, 1512, 2048 }, { 8, 1513, 2048 }, { 8, 1514, 2048 }, { 9, 1515, 2048 }, { 8, 1516, 2048 }, { 9, 1517, 2048 }, { 9, 1518, 2048 }, { 10, 1519, 2048 }, 
-   { 7, 1520, 2048 }, { 8, 1521, 2048 }, { 8, 1522, 2048 }, { 9, 1523, 2048 }, { 8, 1524, 2048 }, { 9, 1525, 2048 }, { 9, 1526, 2048 }, { 10, 1527, 2048 }, 
-   { 8, 1528, 2048 }, { 9, 1529, 2048 }, { 9, 1530, 2048 }, { 10, 1531, 2048 }, { 9, 1532, 2048 }, { 10, 1533, 2048 }, { 10, 1534, 2048 }, { 11, 1535, 2048 }, 
-   { 3, 1536, 2048 }, { 4, 1537, 2048 }, { 4, 1538, 2048 }, { 5, 1539, 2048 }, { 4, 1540, 2048 }, { 5, 1541, 2048 }, { 5, 1542, 2048 }, { 6, 1543, 2048 }, 
-   { 4, 1544, 2048 }, { 5, 1545, 2048 }, { 5, 1546, 2048 }, { 6, 1547, 2048 }, { 5, 1548, 2048 }, { 6, 1549, 2048 }, { 6, 1550, 2048 }, { 7, 1551, 2048 }, 
-   { 4, 1552, 2048 }, { 5, 1553, 2048 }, { 5, 1554, 2048 }, { 6, 1555, 2048 }, { 5, 1556, 2048 }, { 6, 1557, 2048 }, { 6, 1558, 2048 }, { 7, 1559, 2048 }, 
-   { 5, 1560, 2048 }, { 6, 1561, 2048 }, { 6, 1562, 2048 }, { 7, 1563, 2048 }, { 6, 1564, 2048 }, { 7, 1565, 2048 }, { 7, 1566, 2048 }, { 8, 1567, 2048 }, 
-   { 4, 1568, 2048 }, { 5, 1569, 2048 }, { 5, 1570, 2048 }, { 6, 1571, 2048 }, { 5, 1572, 2048 }, { 6, 1573, 2048 }, { 6, 1574, 2048 }, { 7, 1575, 2048 }, 
-   { 5, 1576, 2048 }, { 6, 1577, 2048 }, { 6, 1578, 2048 }, { 7, 1579, 2048 }, { 6, 1580, 2048 }, { 7, 1581, 2048 }, { 7, 1582, 2048 }, { 8, 1583, 2048 }, 
-   { 5, 1584, 2048 }, { 6, 1585, 2048 }, { 6, 1586, 2048 }, { 7, 1587, 2048 }, { 6, 1588, 2048 }, { 7, 1589, 2048 }, { 7, 1590, 2048 }, { 8, 1591, 2048 }, 
-   { 6, 1592, 2048 }, { 7, 1593, 2048 }, { 7, 1594, 2048 }, { 8, 1595, 2048 }, { 7, 1596, 2048 }, { 8, 1597, 2048 }, { 8, 1598, 2048 }, { 9, 1599, 2048 }, 
-   { 4, 1600, 2048 }, { 5, 1601, 2048 }, { 5, 1602, 2048 }, { 6, 1603, 2048 }, { 5, 1604, 2048 }, { 6, 1605, 2048 }, { 6, 1606, 2048 }, { 7, 1607, 2048 }, 
-   { 5, 1608, 2048 }, { 6, 1609, 2048 }, { 6, 1610, 2048 }, { 7, 1611, 2048 }, { 6, 1612, 2048 }, { 7, 1613, 2048 }, { 7, 1614, 2048 }, { 8, 1615, 2048 }, 
-   { 5, 1616, 2048 }, { 6, 1617, 2048 }, { 6, 1618, 2048 }, { 7, 1619, 2048 }, { 6, 1620, 2048 }, { 7, 1621, 2048 }, { 7, 1622, 2048 }, { 8, 1623, 2048 }, 
-   { 6, 1624, 2048 }, { 7, 1625, 2048 }, { 7, 1626, 2048 }, { 8, 1627, 2048 }, { 7, 1628, 2048 }, { 8, 1629, 2048 }, { 8, 1630, 2048 }, { 9, 1631, 2048 }, 
-   { 5, 1632, 2048 }, { 6, 1633, 2048 }, { 6, 1634, 2048 }, { 7, 1635, 2048 }, { 6, 1636, 2048 }, { 7, 1637, 2048 }, { 7, 1638, 2048 }, { 8, 1639, 2048 }, 
-   { 6, 1640, 2048 }, { 7, 1641, 2048 }, { 7, 1642, 2048 }, { 8, 1643, 2048 }, { 7, 1644, 2048 }, { 8, 1645, 2048 }, { 8, 1646, 2048 }, { 9, 1647, 2048 }, 
-   { 6, 1648, 2048 }, { 7, 1649, 2048 }, { 7, 1650, 2048 }, { 8, 1651, 2048 }, { 7, 1652, 2048 }, { 8, 1653, 2048 }, { 8, 1654, 2048 }, { 9, 1655, 2048 }, 
-   { 7, 1656, 2048 }, { 8, 1657, 2048 }, { 8, 1658, 2048 }, { 9, 1659, 2048 }, { 8, 1660, 2048 }, { 9, 1661, 2048 }, { 9, 1662, 2048 }, { 10, 1663, 2048 }, 
-   { 4, 1664, 2048 }, { 5, 1665, 2048 }, { 5, 1666, 2048 }, { 6, 1667, 2048 }, { 5, 1668, 2048 }, { 6, 1669, 2048 }, { 6, 1670, 2048 }, { 7, 1671, 2048 }, 
-   { 5, 1672, 2048 }, { 6, 1673, 2048 }, { 6, 1674, 2048 }, { 7, 1675, 2048 }, { 6, 1676, 2048 }, { 7, 1677, 2048 }, { 7, 1678, 2048 }, { 8, 1679, 2048 }, 
-   { 5, 1680, 2048 }, { 6, 1681, 2048 }, { 6, 1682, 2048 }, { 7, 1683, 2048 }, { 6, 1684, 2048 }, { 7, 1685, 2048 }, { 7, 1686, 2048 }, { 8, 1687, 2048 }, 
-   { 6, 1688, 2048 }, { 7, 1689, 2048 }, { 7, 1690, 2048 }, { 8, 1691, 2048 }, { 7, 1692, 2048 }, { 8, 1693, 2048 }, { 8, 1694, 2048 }, { 9, 1695, 2048 }, 
-   { 5, 1696, 2048 }, { 6, 1697, 2048 }, { 6, 1698, 2048 }, { 7, 1699, 2048 }, { 6, 1700, 2048 }, { 7, 1701, 2048 }, { 7, 1702, 2048 }, { 8, 1703, 2048 }, 
-   { 6, 1704, 2048 }, { 7, 1705, 2048 }, { 7, 1706, 2048 }, { 8, 1707, 2048 }, { 7, 1708, 2048 }, { 8, 1709, 2048 }, { 8, 1710, 2048 }, { 9, 1711, 2048 }, 
-   { 6, 1712, 2048 }, { 7, 1713, 2048 }, { 7, 1714, 2048 }, { 8, 1715, 2048 }, { 7, 1716, 2048 }, { 8, 1717, 2048 }, { 8, 1718, 2048 }, { 9, 1719, 2048 }, 
-   { 7, 1720, 2048 }, { 8, 1721, 2048 }, { 8, 1722, 2048 }, { 9, 1723, 2048 }, { 8, 1724, 2048 }, { 9, 1725, 2048 }, { 9, 1726, 2048 }, { 10, 1727, 2048 }, 
-   { 5, 1728, 2048 }, { 6, 1729, 2048 }, { 6, 1730, 2048 }, { 7, 1731, 2048 }, { 6, 1732, 2048 }, { 7, 1733, 2048 }, { 7, 1734, 2048 }, { 8, 1735, 2048 }, 
-   { 6, 1736, 2048 }, { 7, 1737, 2048 }, { 7, 1738, 2048 }, { 8, 1739, 2048 }, { 7, 1740, 2048 }, { 8, 1741, 2048 }, { 8, 1742, 2048 }, { 9, 1743, 2048 }, 
-   { 6, 1744, 2048 }, { 7, 1745, 2048 }, { 7, 1746, 2048 }, { 8, 1747, 2048 }, { 7, 1748, 2048 }, { 8, 1749, 2048 }, { 8, 1750, 2048 }, { 9, 1751, 2048 }, 
-   { 7, 1752, 2048 }, { 8, 1753, 2048 }, { 8, 1754, 2048 }, { 9, 1755, 2048 }, { 8, 1756, 2048 }, { 9, 1757, 2048 }, { 9, 1758, 2048 }, { 10, 1759, 2048 }, 
-   { 6, 1760, 2048 }, { 7, 1761, 2048 }, { 7, 1762, 2048 }, { 8, 1763, 2048 }, { 7, 1764, 2048 }, { 8, 1765, 2048 }, { 8, 1766, 2048 }, { 9, 1767, 2048 }, 
-   { 7, 1768, 2048 }, { 8, 1769, 2048 }, { 8, 1770, 2048 }, { 9, 1771, 2048 }, { 8, 1772, 2048 }, { 9, 1773, 2048 }, { 9, 1774, 2048 }, { 10, 1775, 2048 }, 
-   { 7, 1776, 2048 }, { 8, 1777, 2048 }, { 8, 1778, 2048 }, { 9, 1779, 2048 }, { 8, 1780, 2048 }, { 9, 1781, 2048 }, { 9, 1782, 2048 }, { 10, 1783, 2048 }, 
-   { 8, 1784, 2048 }, { 9, 1785, 2048 }, { 9, 1786, 2048 }, { 10, 1787, 2048 }, { 9, 1788, 2048 }, { 10, 1789, 2048 }, { 10, 1790, 2048 }, { 11, 1791, 2048 }, 
-   { 4, 1792, 2048 }, { 5, 1793, 2048 }, { 5, 1794, 2048 }, { 6, 1795, 2048 }, { 5, 1796, 2048 }, { 6, 1797, 2048 }, { 6, 1798, 2048 }, { 7, 1799, 2048 }, 
-   { 5, 1800, 2048 }, { 6, 1801, 2048 }, { 6, 1802, 2048 }, { 7, 1803, 2048 }, { 6, 1804, 2048 }, { 7, 1805, 2048 }, { 7, 1806, 2048 }, { 8, 1807, 2048 }, 
-   { 5, 1808, 2048 }, { 6, 1809, 2048 }, { 6, 1810, 2048 }, { 7, 1811, 2048 }, { 6, 1812, 2048 }, { 7, 1813, 2048 }, { 7, 1814, 2048 }, { 8, 1815, 2048 }, 
-   { 6, 1816, 2048 }, { 7, 1817, 2048 }, { 7, 1818, 2048 }, { 8, 1819, 2048 }, { 7, 1820, 2048 }, { 8, 1821, 2048 }, { 8, 1822, 2048 }, { 9, 1823, 2048 }, 
-   { 5, 1824, 2048 }, { 6, 1825, 2048 }, { 6, 1826, 2048 }, { 7, 1827, 2048 }, { 6, 1828, 2048 }, { 7, 1829, 2048 }, { 7, 1830, 2048 }, { 8, 1831, 2048 }, 
-   { 6, 1832, 2048 }, { 7, 1833, 2048 }, { 7, 1834, 2048 }, { 8, 1835, 2048 }, { 7, 1836, 2048 }, { 8, 1837, 2048 }, { 8, 1838, 2048 }, { 9, 1839, 2048 }, 
-   { 6, 1840, 2048 }, { 7, 1841, 2048 }, { 7, 1842, 2048 }, { 8, 1843, 2048 }, { 7, 1844, 2048 }, { 8, 1845, 2048 }, { 8, 1846, 2048 }, { 9, 1847, 2048 }, 
-   { 7, 1848, 2048 }, { 8, 1849, 2048 }, { 8, 1850, 2048 }, { 9, 1851, 2048 }, { 8, 1852, 2048 }, { 9, 1853, 2048 }, { 9, 1854, 2048 }, { 10, 1855, 2048 }, 
-   { 5, 1856, 2048 }, { 6, 1857, 2048 }, { 6, 1858, 2048 }, { 7, 1859, 2048 }, { 6, 1860, 2048 }, { 7, 1861, 2048 }, { 7, 1862, 2048 }, { 8, 1863, 2048 }, 
-   { 6, 1864, 2048 }, { 7, 1865, 2048 }, { 7, 1866, 2048 }, { 8, 1867, 2048 }, { 7, 1868, 2048 }, { 8, 1869, 2048 }, { 8, 1870, 2048 }, { 9, 1871, 2048 }, 
-   { 6, 1872, 2048 }, { 7, 1873, 2048 }, { 7, 1874, 2048 }, { 8, 1875, 2048 }, { 7, 1876, 2048 }, { 8, 1877, 2048 }, { 8, 1878, 2048 }, { 9, 1879, 2048 }, 
-   { 7, 1880, 2048 }, { 8, 1881, 2048 }, { 8, 1882, 2048 }, { 9, 1883, 2048 }, { 8, 1884, 2048 }, { 9, 1885, 2048 }, { 9, 1886, 2048 }, { 10, 1887, 2048 }, 
-   { 6, 1888, 2048 }, { 7, 1889, 2048 }, { 7, 1890, 2048 }, { 8, 1891, 2048 }, { 7, 1892, 2048 }, { 8, 1893, 2048 }, { 8, 1894, 2048 }, { 9, 1895, 2048 }, 
-   { 7, 1896, 2048 }, { 8, 1897, 2048 }, { 8, 1898, 2048 }, { 9, 1899, 2048 }, { 8, 1900, 2048 }, { 9, 1901, 2048 }, { 9, 1902, 2048 }, { 10, 1903, 2048 }, 
-   { 7, 1904, 2048 }, { 8, 1905, 2048 }, { 8, 1906, 2048 }, { 9, 1907, 2048 }, { 8, 1908, 2048 }, { 9, 1909, 2048 }, { 9, 1910, 2048 }, { 10, 1911, 2048 }, 
-   { 8, 1912, 2048 }, { 9, 1913, 2048 }, { 9, 1914, 2048 }, { 10, 1915, 2048 }, { 9, 1916, 2048 }, { 10, 1917, 2048 }, { 10, 1918, 2048 }, { 11, 1919, 2048 }, 
-   { 5, 1920, 2048 }, { 6, 1921, 2048 }, { 6, 1922, 2048 }, { 7, 1923, 2048 }, { 6, 1924, 2048 }, { 7, 1925, 2048 }, { 7, 1926, 2048 }, { 8, 1927, 2048 }, 
-   { 6, 1928, 2048 }, { 7, 1929, 2048 }, { 7, 1930, 2048 }, { 8, 1931, 2048 }, { 7, 1932, 2048 }, { 8, 1933, 2048 }, { 8, 1934, 2048 }, { 9, 1935, 2048 }, 
-   { 6, 1936, 2048 }, { 7, 1937, 2048 }, { 7, 1938, 2048 }, { 8, 1939, 2048 }, { 7, 1940, 2048 }, { 8, 1941, 2048 }, { 8, 1942, 2048 }, { 9, 1943, 2048 }, 
-   { 7, 1944, 2048 }, { 8, 1945, 2048 }, { 8, 1946, 2048 }, { 9, 1947, 2048 }, { 8, 1948, 2048 }, { 9, 1949, 2048 }, { 9, 1950, 2048 }, { 10, 1951, 2048 }, 
-   { 6, 1952, 2048 }, { 7, 1953, 2048 }, { 7, 1954, 2048 }, { 8, 1955, 2048 }, { 7, 1956, 2048 }, { 8, 1957, 2048 }, { 8, 1958, 2048 }, { 9, 1959, 2048 }, 
-   { 7, 1960, 2048 }, { 8, 1961, 2048 }, { 8, 1962, 2048 }, { 9, 1963, 2048 }, { 8, 1964, 2048 }, { 9, 1965, 2048 }, { 9, 1966, 2048 }, { 10, 1967, 2048 }, 
-   { 7, 1968, 2048 }, { 8, 1969, 2048 }, { 8, 1970, 2048 }, { 9, 1971, 2048 }, { 8, 1972, 2048 }, { 9, 1973, 2048 }, { 9, 1974, 2048 }, { 10, 1975, 2048 }, 
-   { 8, 1976, 2048 }, { 9, 1977, 2048 }, { 9, 1978, 2048 }, { 10, 1979, 2048 }, { 9, 1980, 2048 }, { 10, 1981, 2048 }, { 10, 1982, 2048 }, { 11, 1983, 2048 }, 
-   { 6, 1984, 2048 }, { 7, 1985, 2048 }, { 7, 1986, 2048 }, { 8, 1987, 2048 }, { 7, 1988, 2048 }, { 8, 1989, 2048 }, { 8, 1990, 2048 }, { 9, 1991, 2048 }, 
-   { 7, 1992, 2048 }, { 8, 1993, 2048 }, { 8, 1994, 2048 }, { 9, 1995, 2048 }, { 8, 1996, 2048 }, { 9, 1997, 2048 }, { 9, 1998, 2048 }, { 10, 1999, 2048 }, 
-   { 7, 2000, 2048 }, { 8, 2001, 2048 }, { 8, 2002, 2048 }, { 9, 2003, 2048 }, { 8, 2004, 2048 }, { 9, 2005, 2048 }, { 9, 2006, 2048 }, { 10, 2007, 2048 }, 
-   { 8, 2008, 2048 }, { 9, 2009, 2048 }, { 9, 2010, 2048 }, { 10, 2011, 2048 }, { 9, 2012, 2048 }, { 10, 2013, 2048 }, { 10, 2014, 2048 }, { 11, 2015, 2048 }, 
-   { 7, 2016, 2048 }, { 8, 2017, 2048 }, { 8, 2018, 2048 }, { 9, 2019, 2048 }, { 8, 2020, 2048 }, { 9, 2021, 2048 }, { 9, 2022, 2048 }, { 10, 2023, 2048 }, 
-   { 8, 2024, 2048 }, { 9, 2025, 2048 }, { 9, 2026, 2048 }, { 10, 2027, 2048 }, { 9, 2028, 2048 }, { 10, 2029, 2048 }, { 10, 2030, 2048 }, { 11, 2031, 2048 }, 
-   { 8, 2032, 2048 }, { 9, 2033, 2048 }, { 9, 2034, 2048 }, { 10, 2035, 2048 }, { 9, 2036, 2048 }, { 10, 2037, 2048 }, { 10, 2038, 2048 }, { 11, 2039, 2048 }, 
-   { 9, 2040, 2048 }, { 10, 2041, 2048 }, { 10, 2042, 2048 }, { 11, 2043, 2048 }, { 10, 2044, 2048 }, { 11, 2045, 2048 }, { 11, 2046, 2048 }, { 12, 2047, 2048 }, 
+   { 1, 0, 0 }, { 2, 1, 2048 }, { 2, 2, 2048 }, { 3, 3, 2048 }, { 2, 4, 2048 }, { 3, 5, 2048 }, { 3, 6, 2048 }, { 4, 7, 2048 },
+   { 2, 8, 2048 }, { 3, 9, 2048 }, { 3, 10, 2048 }, { 4, 11, 2048 }, { 3, 12, 2048 }, { 4, 13, 2048 }, { 4, 14, 2048 }, { 5, 15, 2048 },
+   { 2, 16, 2048 }, { 3, 17, 2048 }, { 3, 18, 2048 }, { 4, 19, 2048 }, { 3, 20, 2048 }, { 4, 21, 2048 }, { 4, 22, 2048 }, { 5, 23, 2048 },
+   { 3, 24, 2048 }, { 4, 25, 2048 }, { 4, 26, 2048 }, { 5, 27, 2048 }, { 4, 28, 2048 }, { 5, 29, 2048 }, { 5, 30, 2048 }, { 6, 31, 2048 },
+   { 2, 32, 2048 }, { 3, 33, 2048 }, { 3, 34, 2048 }, { 4, 35, 2048 }, { 3, 36, 2048 }, { 4, 37, 2048 }, { 4, 38, 2048 }, { 5, 39, 2048 },
+   { 3, 40, 2048 }, { 4, 41, 2048 }, { 4, 42, 2048 }, { 5, 43, 2048 }, { 4, 44, 2048 }, { 5, 45, 2048 }, { 5, 46, 2048 }, { 6, 47, 2048 },
+   { 3, 48, 2048 }, { 4, 49, 2048 }, { 4, 50, 2048 }, { 5, 51, 2048 }, { 4, 52, 2048 }, { 5, 53, 2048 }, { 5, 54, 2048 }, { 6, 55, 2048 },
+   { 4, 56, 2048 }, { 5, 57, 2048 }, { 5, 58, 2048 }, { 6, 59, 2048 }, { 5, 60, 2048 }, { 6, 61, 2048 }, { 6, 62, 2048 }, { 7, 63, 2048 },
+   { 2, 64, 2048 }, { 3, 65, 2048 }, { 3, 66, 2048 }, { 4, 67, 2048 }, { 3, 68, 2048 }, { 4, 69, 2048 }, { 4, 70, 2048 }, { 5, 71, 2048 },
+   { 3, 72, 2048 }, { 4, 73, 2048 }, { 4, 74, 2048 }, { 5, 75, 2048 }, { 4, 76, 2048 }, { 5, 77, 2048 }, { 5, 78, 2048 }, { 6, 79, 2048 },
+   { 3, 80, 2048 }, { 4, 81, 2048 }, { 4, 82, 2048 }, { 5, 83, 2048 }, { 4, 84, 2048 }, { 5, 85, 2048 }, { 5, 86, 2048 }, { 6, 87, 2048 },
+   { 4, 88, 2048 }, { 5, 89, 2048 }, { 5, 90, 2048 }, { 6, 91, 2048 }, { 5, 92, 2048 }, { 6, 93, 2048 }, { 6, 94, 2048 }, { 7, 95, 2048 },
+   { 3, 96, 2048 }, { 4, 97, 2048 }, { 4, 98, 2048 }, { 5, 99, 2048 }, { 4, 100, 2048 }, { 5, 101, 2048 }, { 5, 102, 2048 }, { 6, 103, 2048 },
+   { 4, 104, 2048 }, { 5, 105, 2048 }, { 5, 106, 2048 }, { 6, 107, 2048 }, { 5, 108, 2048 }, { 6, 109, 2048 }, { 6, 110, 2048 }, { 7, 111, 2048 },
+   { 4, 112, 2048 }, { 5, 113, 2048 }, { 5, 114, 2048 }, { 6, 115, 2048 }, { 5, 116, 2048 }, { 6, 117, 2048 }, { 6, 118, 2048 }, { 7, 119, 2048 },
+   { 5, 120, 2048 }, { 6, 121, 2048 }, { 6, 122, 2048 }, { 7, 123, 2048 }, { 6, 124, 2048 }, { 7, 125, 2048 }, { 7, 126, 2048 }, { 8, 127, 2048 },
+   { 2, 128, 2048 }, { 3, 129, 2048 }, { 3, 130, 2048 }, { 4, 131, 2048 }, { 3, 132, 2048 }, { 4, 133, 2048 }, { 4, 134, 2048 }, { 5, 135, 2048 },
+   { 3, 136, 2048 }, { 4, 137, 2048 }, { 4, 138, 2048 }, { 5, 139, 2048 }, { 4, 140, 2048 }, { 5, 141, 2048 }, { 5, 142, 2048 }, { 6, 143, 2048 },
+   { 3, 144, 2048 }, { 4, 145, 2048 }, { 4, 146, 2048 }, { 5, 147, 2048 }, { 4, 148, 2048 }, { 5, 149, 2048 }, { 5, 150, 2048 }, { 6, 151, 2048 },
+   { 4, 152, 2048 }, { 5, 153, 2048 }, { 5, 154, 2048 }, { 6, 155, 2048 }, { 5, 156, 2048 }, { 6, 157, 2048 }, { 6, 158, 2048 }, { 7, 159, 2048 },
+   { 3, 160, 2048 }, { 4, 161, 2048 }, { 4, 162, 2048 }, { 5, 163, 2048 }, { 4, 164, 2048 }, { 5, 165, 2048 }, { 5, 166, 2048 }, { 6, 167, 2048 },
+   { 4, 168, 2048 }, { 5, 169, 2048 }, { 5, 170, 2048 }, { 6, 171, 2048 }, { 5, 172, 2048 }, { 6, 173, 2048 }, { 6, 174, 2048 }, { 7, 175, 2048 },
+   { 4, 176, 2048 }, { 5, 177, 2048 }, { 5, 178, 2048 }, { 6, 179, 2048 }, { 5, 180, 2048 }, { 6, 181, 2048 }, { 6, 182, 2048 }, { 7, 183, 2048 },
+   { 5, 184, 2048 }, { 6, 185, 2048 }, { 6, 186, 2048 }, { 7, 187, 2048 }, { 6, 188, 2048 }, { 7, 189, 2048 }, { 7, 190, 2048 }, { 8, 191, 2048 },
+   { 3, 192, 2048 }, { 4, 193, 2048 }, { 4, 194, 2048 }, { 5, 195, 2048 }, { 4, 196, 2048 }, { 5, 197, 2048 }, { 5, 198, 2048 }, { 6, 199, 2048 },
+   { 4, 200, 2048 }, { 5, 201, 2048 }, { 5, 202, 2048 }, { 6, 203, 2048 }, { 5, 204, 2048 }, { 6, 205, 2048 }, { 6, 206, 2048 }, { 7, 207, 2048 },
+   { 4, 208, 2048 }, { 5, 209, 2048 }, { 5, 210, 2048 }, { 6, 211, 2048 }, { 5, 212, 2048 }, { 6, 213, 2048 }, { 6, 214, 2048 }, { 7, 215, 2048 },
+   { 5, 216, 2048 }, { 6, 217, 2048 }, { 6, 218, 2048 }, { 7, 219, 2048 }, { 6, 220, 2048 }, { 7, 221, 2048 }, { 7, 222, 2048 }, { 8, 223, 2048 },
+   { 4, 224, 2048 }, { 5, 225, 2048 }, { 5, 226, 2048 }, { 6, 227, 2048 }, { 5, 228, 2048 }, { 6, 229, 2048 }, { 6, 230, 2048 }, { 7, 231, 2048 },
+   { 5, 232, 2048 }, { 6, 233, 2048 }, { 6, 234, 2048 }, { 7, 235, 2048 }, { 6, 236, 2048 }, { 7, 237, 2048 }, { 7, 238, 2048 }, { 8, 239, 2048 },
+   { 5, 240, 2048 }, { 6, 241, 2048 }, { 6, 242, 2048 }, { 7, 243, 2048 }, { 6, 244, 2048 }, { 7, 245, 2048 }, { 7, 246, 2048 }, { 8, 247, 2048 },
+   { 6, 248, 2048 }, { 7, 249, 2048 }, { 7, 250, 2048 }, { 8, 251, 2048 }, { 7, 252, 2048 }, { 8, 253, 2048 }, { 8, 254, 2048 }, { 9, 255, 2048 },
+   { 2, 256, 2048 }, { 3, 257, 2048 }, { 3, 258, 2048 }, { 4, 259, 2048 }, { 3, 260, 2048 }, { 4, 261, 2048 }, { 4, 262, 2048 }, { 5, 263, 2048 },
+   { 3, 264, 2048 }, { 4, 265, 2048 }, { 4, 266, 2048 }, { 5, 267, 2048 }, { 4, 268, 2048 }, { 5, 269, 2048 }, { 5, 270, 2048 }, { 6, 271, 2048 },
+   { 3, 272, 2048 }, { 4, 273, 2048 }, { 4, 274, 2048 }, { 5, 275, 2048 }, { 4, 276, 2048 }, { 5, 277, 2048 }, { 5, 278, 2048 }, { 6, 279, 2048 },
+   { 4, 280, 2048 }, { 5, 281, 2048 }, { 5, 282, 2048 }, { 6, 283, 2048 }, { 5, 284, 2048 }, { 6, 285, 2048 }, { 6, 286, 2048 }, { 7, 287, 2048 },
+   { 3, 288, 2048 }, { 4, 289, 2048 }, { 4, 290, 2048 }, { 5, 291, 2048 }, { 4, 292, 2048 }, { 5, 293, 2048 }, { 5, 294, 2048 }, { 6, 295, 2048 },
+   { 4, 296, 2048 }, { 5, 297, 2048 }, { 5, 298, 2048 }, { 6, 299, 2048 }, { 5, 300, 2048 }, { 6, 301, 2048 }, { 6, 302, 2048 }, { 7, 303, 2048 },
+   { 4, 304, 2048 }, { 5, 305, 2048 }, { 5, 306, 2048 }, { 6, 307, 2048 }, { 5, 308, 2048 }, { 6, 309, 2048 }, { 6, 310, 2048 }, { 7, 311, 2048 },
+   { 5, 312, 2048 }, { 6, 313, 2048 }, { 6, 314, 2048 }, { 7, 315, 2048 }, { 6, 316, 2048 }, { 7, 317, 2048 }, { 7, 318, 2048 }, { 8, 319, 2048 },
+   { 3, 320, 2048 }, { 4, 321, 2048 }, { 4, 322, 2048 }, { 5, 323, 2048 }, { 4, 324, 2048 }, { 5, 325, 2048 }, { 5, 326, 2048 }, { 6, 327, 2048 },
+   { 4, 328, 2048 }, { 5, 329, 2048 }, { 5, 330, 2048 }, { 6, 331, 2048 }, { 5, 332, 2048 }, { 6, 333, 2048 }, { 6, 334, 2048 }, { 7, 335, 2048 },
+   { 4, 336, 2048 }, { 5, 337, 2048 }, { 5, 338, 2048 }, { 6, 339, 2048 }, { 5, 340, 2048 }, { 6, 341, 2048 }, { 6, 342, 2048 }, { 7, 343, 2048 },
+   { 5, 344, 2048 }, { 6, 345, 2048 }, { 6, 346, 2048 }, { 7, 347, 2048 }, { 6, 348, 2048 }, { 7, 349, 2048 }, { 7, 350, 2048 }, { 8, 351, 2048 },
+   { 4, 352, 2048 }, { 5, 353, 2048 }, { 5, 354, 2048 }, { 6, 355, 2048 }, { 5, 356, 2048 }, { 6, 357, 2048 }, { 6, 358, 2048 }, { 7, 359, 2048 },
+   { 5, 360, 2048 }, { 6, 361, 2048 }, { 6, 362, 2048 }, { 7, 363, 2048 }, { 6, 364, 2048 }, { 7, 365, 2048 }, { 7, 366, 2048 }, { 8, 367, 2048 },
+   { 5, 368, 2048 }, { 6, 369, 2048 }, { 6, 370, 2048 }, { 7, 371, 2048 }, { 6, 372, 2048 }, { 7, 373, 2048 }, { 7, 374, 2048 }, { 8, 375, 2048 },
+   { 6, 376, 2048 }, { 7, 377, 2048 }, { 7, 378, 2048 }, { 8, 379, 2048 }, { 7, 380, 2048 }, { 8, 381, 2048 }, { 8, 382, 2048 }, { 9, 383, 2048 },
+   { 3, 384, 2048 }, { 4, 385, 2048 }, { 4, 386, 2048 }, { 5, 387, 2048 }, { 4, 388, 2048 }, { 5, 389, 2048 }, { 5, 390, 2048 }, { 6, 391, 2048 },
+   { 4, 392, 2048 }, { 5, 393, 2048 }, { 5, 394, 2048 }, { 6, 395, 2048 }, { 5, 396, 2048 }, { 6, 397, 2048 }, { 6, 398, 2048 }, { 7, 399, 2048 },
+   { 4, 400, 2048 }, { 5, 401, 2048 }, { 5, 402, 2048 }, { 6, 403, 2048 }, { 5, 404, 2048 }, { 6, 405, 2048 }, { 6, 406, 2048 }, { 7, 407, 2048 },
+   { 5, 408, 2048 }, { 6, 409, 2048 }, { 6, 410, 2048 }, { 7, 411, 2048 }, { 6, 412, 2048 }, { 7, 413, 2048 }, { 7, 414, 2048 }, { 8, 415, 2048 },
+   { 4, 416, 2048 }, { 5, 417, 2048 }, { 5, 418, 2048 }, { 6, 419, 2048 }, { 5, 420, 2048 }, { 6, 421, 2048 }, { 6, 422, 2048 }, { 7, 423, 2048 },
+   { 5, 424, 2048 }, { 6, 425, 2048 }, { 6, 426, 2048 }, { 7, 427, 2048 }, { 6, 428, 2048 }, { 7, 429, 2048 }, { 7, 430, 2048 }, { 8, 431, 2048 },
+   { 5, 432, 2048 }, { 6, 433, 2048 }, { 6, 434, 2048 }, { 7, 435, 2048 }, { 6, 436, 2048 }, { 7, 437, 2048 }, { 7, 438, 2048 }, { 8, 439, 2048 },
+   { 6, 440, 2048 }, { 7, 441, 2048 }, { 7, 442, 2048 }, { 8, 443, 2048 }, { 7, 444, 2048 }, { 8, 445, 2048 }, { 8, 446, 2048 }, { 9, 447, 2048 },
+   { 4, 448, 2048 }, { 5, 449, 2048 }, { 5, 450, 2048 }, { 6, 451, 2048 }, { 5, 452, 2048 }, { 6, 453, 2048 }, { 6, 454, 2048 }, { 7, 455, 2048 },
+   { 5, 456, 2048 }, { 6, 457, 2048 }, { 6, 458, 2048 }, { 7, 459, 2048 }, { 6, 460, 2048 }, { 7, 461, 2048 }, { 7, 462, 2048 }, { 8, 463, 2048 },
+   { 5, 464, 2048 }, { 6, 465, 2048 }, { 6, 466, 2048 }, { 7, 467, 2048 }, { 6, 468, 2048 }, { 7, 469, 2048 }, { 7, 470, 2048 }, { 8, 471, 2048 },
+   { 6, 472, 2048 }, { 7, 473, 2048 }, { 7, 474, 2048 }, { 8, 475, 2048 }, { 7, 476, 2048 }, { 8, 477, 2048 }, { 8, 478, 2048 }, { 9, 479, 2048 },
+   { 5, 480, 2048 }, { 6, 481, 2048 }, { 6, 482, 2048 }, { 7, 483, 2048 }, { 6, 484, 2048 }, { 7, 485, 2048 }, { 7, 486, 2048 }, { 8, 487, 2048 },
+   { 6, 488, 2048 }, { 7, 489, 2048 }, { 7, 490, 2048 }, { 8, 491, 2048 }, { 7, 492, 2048 }, { 8, 493, 2048 }, { 8, 494, 2048 }, { 9, 495, 2048 },
+   { 6, 496, 2048 }, { 7, 497, 2048 }, { 7, 498, 2048 }, { 8, 499, 2048 }, { 7, 500, 2048 }, { 8, 501, 2048 }, { 8, 502, 2048 }, { 9, 503, 2048 },
+   { 7, 504, 2048 }, { 8, 505, 2048 }, { 8, 506, 2048 }, { 9, 507, 2048 }, { 8, 508, 2048 }, { 9, 509, 2048 }, { 9, 510, 2048 }, { 10, 511, 2048 },
+   { 2, 512, 2048 }, { 3, 513, 2048 }, { 3, 514, 2048 }, { 4, 515, 2048 }, { 3, 516, 2048 }, { 4, 517, 2048 }, { 4, 518, 2048 }, { 5, 519, 2048 },
+   { 3, 520, 2048 }, { 4, 521, 2048 }, { 4, 522, 2048 }, { 5, 523, 2048 }, { 4, 524, 2048 }, { 5, 525, 2048 }, { 5, 526, 2048 }, { 6, 527, 2048 },
+   { 3, 528, 2048 }, { 4, 529, 2048 }, { 4, 530, 2048 }, { 5, 531, 2048 }, { 4, 532, 2048 }, { 5, 533, 2048 }, { 5, 534, 2048 }, { 6, 535, 2048 },
+   { 4, 536, 2048 }, { 5, 537, 2048 }, { 5, 538, 2048 }, { 6, 539, 2048 }, { 5, 540, 2048 }, { 6, 541, 2048 }, { 6, 542, 2048 }, { 7, 543, 2048 },
+   { 3, 544, 2048 }, { 4, 545, 2048 }, { 4, 546, 2048 }, { 5, 547, 2048 }, { 4, 548, 2048 }, { 5, 549, 2048 }, { 5, 550, 2048 }, { 6, 551, 2048 },
+   { 4, 552, 2048 }, { 5, 553, 2048 }, { 5, 554, 2048 }, { 6, 555, 2048 }, { 5, 556, 2048 }, { 6, 557, 2048 }, { 6, 558, 2048 }, { 7, 559, 2048 },
+   { 4, 560, 2048 }, { 5, 561, 2048 }, { 5, 562, 2048 }, { 6, 563, 2048 }, { 5, 564, 2048 }, { 6, 565, 2048 }, { 6, 566, 2048 }, { 7, 567, 2048 },
+   { 5, 568, 2048 }, { 6, 569, 2048 }, { 6, 570, 2048 }, { 7, 571, 2048 }, { 6, 572, 2048 }, { 7, 573, 2048 }, { 7, 574, 2048 }, { 8, 575, 2048 },
+   { 3, 576, 2048 }, { 4, 577, 2048 }, { 4, 578, 2048 }, { 5, 579, 2048 }, { 4, 580, 2048 }, { 5, 581, 2048 }, { 5, 582, 2048 }, { 6, 583, 2048 },
+   { 4, 584, 2048 }, { 5, 585, 2048 }, { 5, 586, 2048 }, { 6, 587, 2048 }, { 5, 588, 2048 }, { 6, 589, 2048 }, { 6, 590, 2048 }, { 7, 591, 2048 },
+   { 4, 592, 2048 }, { 5, 593, 2048 }, { 5, 594, 2048 }, { 6, 595, 2048 }, { 5, 596, 2048 }, { 6, 597, 2048 }, { 6, 598, 2048 }, { 7, 599, 2048 },
+   { 5, 600, 2048 }, { 6, 601, 2048 }, { 6, 602, 2048 }, { 7, 603, 2048 }, { 6, 604, 2048 }, { 7, 605, 2048 }, { 7, 606, 2048 }, { 8, 607, 2048 },
+   { 4, 608, 2048 }, { 5, 609, 2048 }, { 5, 610, 2048 }, { 6, 611, 2048 }, { 5, 612, 2048 }, { 6, 613, 2048 }, { 6, 614, 2048 }, { 7, 615, 2048 },
+   { 5, 616, 2048 }, { 6, 617, 2048 }, { 6, 618, 2048 }, { 7, 619, 2048 }, { 6, 620, 2048 }, { 7, 621, 2048 }, { 7, 622, 2048 }, { 8, 623, 2048 },
+   { 5, 624, 2048 }, { 6, 625, 2048 }, { 6, 626, 2048 }, { 7, 627, 2048 }, { 6, 628, 2048 }, { 7, 629, 2048 }, { 7, 630, 2048 }, { 8, 631, 2048 },
+   { 6, 632, 2048 }, { 7, 633, 2048 }, { 7, 634, 2048 }, { 8, 635, 2048 }, { 7, 636, 2048 }, { 8, 637, 2048 }, { 8, 638, 2048 }, { 9, 639, 2048 },
+   { 3, 640, 2048 }, { 4, 641, 2048 }, { 4, 642, 2048 }, { 5, 643, 2048 }, { 4, 644, 2048 }, { 5, 645, 2048 }, { 5, 646, 2048 }, { 6, 647, 2048 },
+   { 4, 648, 2048 }, { 5, 649, 2048 }, { 5, 650, 2048 }, { 6, 651, 2048 }, { 5, 652, 2048 }, { 6, 653, 2048 }, { 6, 654, 2048 }, { 7, 655, 2048 },
+   { 4, 656, 2048 }, { 5, 657, 2048 }, { 5, 658, 2048 }, { 6, 659, 2048 }, { 5, 660, 2048 }, { 6, 661, 2048 }, { 6, 662, 2048 }, { 7, 663, 2048 },
+   { 5, 664, 2048 }, { 6, 665, 2048 }, { 6, 666, 2048 }, { 7, 667, 2048 }, { 6, 668, 2048 }, { 7, 669, 2048 }, { 7, 670, 2048 }, { 8, 671, 2048 },
+   { 4, 672, 2048 }, { 5, 673, 2048 }, { 5, 674, 2048 }, { 6, 675, 2048 }, { 5, 676, 2048 }, { 6, 677, 2048 }, { 6, 678, 2048 }, { 7, 679, 2048 },
+   { 5, 680, 2048 }, { 6, 681, 2048 }, { 6, 682, 2048 }, { 7, 683, 2048 }, { 6, 684, 2048 }, { 7, 685, 2048 }, { 7, 686, 2048 }, { 8, 687, 2048 },
+   { 5, 688, 2048 }, { 6, 689, 2048 }, { 6, 690, 2048 }, { 7, 691, 2048 }, { 6, 692, 2048 }, { 7, 693, 2048 }, { 7, 694, 2048 }, { 8, 695, 2048 },
+   { 6, 696, 2048 }, { 7, 697, 2048 }, { 7, 698, 2048 }, { 8, 699, 2048 }, { 7, 700, 2048 }, { 8, 701, 2048 }, { 8, 702, 2048 }, { 9, 703, 2048 },
+   { 4, 704, 2048 }, { 5, 705, 2048 }, { 5, 706, 2048 }, { 6, 707, 2048 }, { 5, 708, 2048 }, { 6, 709, 2048 }, { 6, 710, 2048 }, { 7, 711, 2048 },
+   { 5, 712, 2048 }, { 6, 713, 2048 }, { 6, 714, 2048 }, { 7, 715, 2048 }, { 6, 716, 2048 }, { 7, 717, 2048 }, { 7, 718, 2048 }, { 8, 719, 2048 },
+   { 5, 720, 2048 }, { 6, 721, 2048 }, { 6, 722, 2048 }, { 7, 723, 2048 }, { 6, 724, 2048 }, { 7, 725, 2048 }, { 7, 726, 2048 }, { 8, 727, 2048 },
+   { 6, 728, 2048 }, { 7, 729, 2048 }, { 7, 730, 2048 }, { 8, 731, 2048 }, { 7, 732, 2048 }, { 8, 733, 2048 }, { 8, 734, 2048 }, { 9, 735, 2048 },
+   { 5, 736, 2048 }, { 6, 737, 2048 }, { 6, 738, 2048 }, { 7, 739, 2048 }, { 6, 740, 2048 }, { 7, 741, 2048 }, { 7, 742, 2048 }, { 8, 743, 2048 },
+   { 6, 744, 2048 }, { 7, 745, 2048 }, { 7, 746, 2048 }, { 8, 747, 2048 }, { 7, 748, 2048 }, { 8, 749, 2048 }, { 8, 750, 2048 }, { 9, 751, 2048 },
+   { 6, 752, 2048 }, { 7, 753, 2048 }, { 7, 754, 2048 }, { 8, 755, 2048 }, { 7, 756, 2048 }, { 8, 757, 2048 }, { 8, 758, 2048 }, { 9, 759, 2048 },
+   { 7, 760, 2048 }, { 8, 761, 2048 }, { 8, 762, 2048 }, { 9, 763, 2048 }, { 8, 764, 2048 }, { 9, 765, 2048 }, { 9, 766, 2048 }, { 10, 767, 2048 },
+   { 3, 768, 2048 }, { 4, 769, 2048 }, { 4, 770, 2048 }, { 5, 771, 2048 }, { 4, 772, 2048 }, { 5, 773, 2048 }, { 5, 774, 2048 }, { 6, 775, 2048 },
+   { 4, 776, 2048 }, { 5, 777, 2048 }, { 5, 778, 2048 }, { 6, 779, 2048 }, { 5, 780, 2048 }, { 6, 781, 2048 }, { 6, 782, 2048 }, { 7, 783, 2048 },
+   { 4, 784, 2048 }, { 5, 785, 2048 }, { 5, 786, 2048 }, { 6, 787, 2048 }, { 5, 788, 2048 }, { 6, 789, 2048 }, { 6, 790, 2048 }, { 7, 791, 2048 },
+   { 5, 792, 2048 }, { 6, 793, 2048 }, { 6, 794, 2048 }, { 7, 795, 2048 }, { 6, 796, 2048 }, { 7, 797, 2048 }, { 7, 798, 2048 }, { 8, 799, 2048 },
+   { 4, 800, 2048 }, { 5, 801, 2048 }, { 5, 802, 2048 }, { 6, 803, 2048 }, { 5, 804, 2048 }, { 6, 805, 2048 }, { 6, 806, 2048 }, { 7, 807, 2048 },
+   { 5, 808, 2048 }, { 6, 809, 2048 }, { 6, 810, 2048 }, { 7, 811, 2048 }, { 6, 812, 2048 }, { 7, 813, 2048 }, { 7, 814, 2048 }, { 8, 815, 2048 },
+   { 5, 816, 2048 }, { 6, 817, 2048 }, { 6, 818, 2048 }, { 7, 819, 2048 }, { 6, 820, 2048 }, { 7, 821, 2048 }, { 7, 822, 2048 }, { 8, 823, 2048 },
+   { 6, 824, 2048 }, { 7, 825, 2048 }, { 7, 826, 2048 }, { 8, 827, 2048 }, { 7, 828, 2048 }, { 8, 829, 2048 }, { 8, 830, 2048 }, { 9, 831, 2048 },
+   { 4, 832, 2048 }, { 5, 833, 2048 }, { 5, 834, 2048 }, { 6, 835, 2048 }, { 5, 836, 2048 }, { 6, 837, 2048 }, { 6, 838, 2048 }, { 7, 839, 2048 },
+   { 5, 840, 2048 }, { 6, 841, 2048 }, { 6, 842, 2048 }, { 7, 843, 2048 }, { 6, 844, 2048 }, { 7, 845, 2048 }, { 7, 846, 2048 }, { 8, 847, 2048 },
+   { 5, 848, 2048 }, { 6, 849, 2048 }, { 6, 850, 2048 }, { 7, 851, 2048 }, { 6, 852, 2048 }, { 7, 853, 2048 }, { 7, 854, 2048 }, { 8, 855, 2048 },
+   { 6, 856, 2048 }, { 7, 857, 2048 }, { 7, 858, 2048 }, { 8, 859, 2048 }, { 7, 860, 2048 }, { 8, 861, 2048 }, { 8, 862, 2048 }, { 9, 863, 2048 },
+   { 5, 864, 2048 }, { 6, 865, 2048 }, { 6, 866, 2048 }, { 7, 867, 2048 }, { 6, 868, 2048 }, { 7, 869, 2048 }, { 7, 870, 2048 }, { 8, 871, 2048 },
+   { 6, 872, 2048 }, { 7, 873, 2048 }, { 7, 874, 2048 }, { 8, 875, 2048 }, { 7, 876, 2048 }, { 8, 877, 2048 }, { 8, 878, 2048 }, { 9, 879, 2048 },
+   { 6, 880, 2048 }, { 7, 881, 2048 }, { 7, 882, 2048 }, { 8, 883, 2048 }, { 7, 884, 2048 }, { 8, 885, 2048 }, { 8, 886, 2048 }, { 9, 887, 2048 },
+   { 7, 888, 2048 }, { 8, 889, 2048 }, { 8, 890, 2048 }, { 9, 891, 2048 }, { 8, 892, 2048 }, { 9, 893, 2048 }, { 9, 894, 2048 }, { 10, 895, 2048 },
+   { 4, 896, 2048 }, { 5, 897, 2048 }, { 5, 898, 2048 }, { 6, 899, 2048 }, { 5, 900, 2048 }, { 6, 901, 2048 }, { 6, 902, 2048 }, { 7, 903, 2048 },
+   { 5, 904, 2048 }, { 6, 905, 2048 }, { 6, 906, 2048 }, { 7, 907, 2048 }, { 6, 908, 2048 }, { 7, 909, 2048 }, { 7, 910, 2048 }, { 8, 911, 2048 },
+   { 5, 912, 2048 }, { 6, 913, 2048 }, { 6, 914, 2048 }, { 7, 915, 2048 }, { 6, 916, 2048 }, { 7, 917, 2048 }, { 7, 918, 2048 }, { 8, 919, 2048 },
+   { 6, 920, 2048 }, { 7, 921, 2048 }, { 7, 922, 2048 }, { 8, 923, 2048 }, { 7, 924, 2048 }, { 8, 925, 2048 }, { 8, 926, 2048 }, { 9, 927, 2048 },
+   { 5, 928, 2048 }, { 6, 929, 2048 }, { 6, 930, 2048 }, { 7, 931, 2048 }, { 6, 932, 2048 }, { 7, 933, 2048 }, { 7, 934, 2048 }, { 8, 935, 2048 },
+   { 6, 936, 2048 }, { 7, 937, 2048 }, { 7, 938, 2048 }, { 8, 939, 2048 }, { 7, 940, 2048 }, { 8, 941, 2048 }, { 8, 942, 2048 }, { 9, 943, 2048 },
+   { 6, 944, 2048 }, { 7, 945, 2048 }, { 7, 946, 2048 }, { 8, 947, 2048 }, { 7, 948, 2048 }, { 8, 949, 2048 }, { 8, 950, 2048 }, { 9, 951, 2048 },
+   { 7, 952, 2048 }, { 8, 953, 2048 }, { 8, 954, 2048 }, { 9, 955, 2048 }, { 8, 956, 2048 }, { 9, 957, 2048 }, { 9, 958, 2048 }, { 10, 959, 2048 },
+   { 5, 960, 2048 }, { 6, 961, 2048 }, { 6, 962, 2048 }, { 7, 963, 2048 }, { 6, 964, 2048 }, { 7, 965, 2048 }, { 7, 966, 2048 }, { 8, 967, 2048 },
+   { 6, 968, 2048 }, { 7, 969, 2048 }, { 7, 970, 2048 }, { 8, 971, 2048 }, { 7, 972, 2048 }, { 8, 973, 2048 }, { 8, 974, 2048 }, { 9, 975, 2048 },
+   { 6, 976, 2048 }, { 7, 977, 2048 }, { 7, 978, 2048 }, { 8, 979, 2048 }, { 7, 980, 2048 }, { 8, 981, 2048 }, { 8, 982, 2048 }, { 9, 983, 2048 },
+   { 7, 984, 2048 }, { 8, 985, 2048 }, { 8, 986, 2048 }, { 9, 987, 2048 }, { 8, 988, 2048 }, { 9, 989, 2048 }, { 9, 990, 2048 }, { 10, 991, 2048 },
+   { 6, 992, 2048 }, { 7, 993, 2048 }, { 7, 994, 2048 }, { 8, 995, 2048 }, { 7, 996, 2048 }, { 8, 997, 2048 }, { 8, 998, 2048 }, { 9, 999, 2048 },
+   { 7, 1000, 2048 }, { 8, 1001, 2048 }, { 8, 1002, 2048 }, { 9, 1003, 2048 }, { 8, 1004, 2048 }, { 9, 1005, 2048 }, { 9, 1006, 2048 }, { 10, 1007, 2048 },
+   { 7, 1008, 2048 }, { 8, 1009, 2048 }, { 8, 1010, 2048 }, { 9, 1011, 2048 }, { 8, 1012, 2048 }, { 9, 1013, 2048 }, { 9, 1014, 2048 }, { 10, 1015, 2048 },
+   { 8, 1016, 2048 }, { 9, 1017, 2048 }, { 9, 1018, 2048 }, { 10, 1019, 2048 }, { 9, 1020, 2048 }, { 10, 1021, 2048 }, { 10, 1022, 2048 }, { 11, 1023, 2048 },
+   { 2, 1024, 2048 }, { 3, 1025, 2048 }, { 3, 1026, 2048 }, { 4, 1027, 2048 }, { 3, 1028, 2048 }, { 4, 1029, 2048 }, { 4, 1030, 2048 }, { 5, 1031, 2048 },
+   { 3, 1032, 2048 }, { 4, 1033, 2048 }, { 4, 1034, 2048 }, { 5, 1035, 2048 }, { 4, 1036, 2048 }, { 5, 1037, 2048 }, { 5, 1038, 2048 }, { 6, 1039, 2048 },
+   { 3, 1040, 2048 }, { 4, 1041, 2048 }, { 4, 1042, 2048 }, { 5, 1043, 2048 }, { 4, 1044, 2048 }, { 5, 1045, 2048 }, { 5, 1046, 2048 }, { 6, 1047, 2048 },
+   { 4, 1048, 2048 }, { 5, 1049, 2048 }, { 5, 1050, 2048 }, { 6, 1051, 2048 }, { 5, 1052, 2048 }, { 6, 1053, 2048 }, { 6, 1054, 2048 }, { 7, 1055, 2048 },
+   { 3, 1056, 2048 }, { 4, 1057, 2048 }, { 4, 1058, 2048 }, { 5, 1059, 2048 }, { 4, 1060, 2048 }, { 5, 1061, 2048 }, { 5, 1062, 2048 }, { 6, 1063, 2048 },
+   { 4, 1064, 2048 }, { 5, 1065, 2048 }, { 5, 1066, 2048 }, { 6, 1067, 2048 }, { 5, 1068, 2048 }, { 6, 1069, 2048 }, { 6, 1070, 2048 }, { 7, 1071, 2048 },
+   { 4, 1072, 2048 }, { 5, 1073, 2048 }, { 5, 1074, 2048 }, { 6, 1075, 2048 }, { 5, 1076, 2048 }, { 6, 1077, 2048 }, { 6, 1078, 2048 }, { 7, 1079, 2048 },
+   { 5, 1080, 2048 }, { 6, 1081, 2048 }, { 6, 1082, 2048 }, { 7, 1083, 2048 }, { 6, 1084, 2048 }, { 7, 1085, 2048 }, { 7, 1086, 2048 }, { 8, 1087, 2048 },
+   { 3, 1088, 2048 }, { 4, 1089, 2048 }, { 4, 1090, 2048 }, { 5, 1091, 2048 }, { 4, 1092, 2048 }, { 5, 1093, 2048 }, { 5, 1094, 2048 }, { 6, 1095, 2048 },
+   { 4, 1096, 2048 }, { 5, 1097, 2048 }, { 5, 1098, 2048 }, { 6, 1099, 2048 }, { 5, 1100, 2048 }, { 6, 1101, 2048 }, { 6, 1102, 2048 }, { 7, 1103, 2048 },
+   { 4, 1104, 2048 }, { 5, 1105, 2048 }, { 5, 1106, 2048 }, { 6, 1107, 2048 }, { 5, 1108, 2048 }, { 6, 1109, 2048 }, { 6, 1110, 2048 }, { 7, 1111, 2048 },
+   { 5, 1112, 2048 }, { 6, 1113, 2048 }, { 6, 1114, 2048 }, { 7, 1115, 2048 }, { 6, 1116, 2048 }, { 7, 1117, 2048 }, { 7, 1118, 2048 }, { 8, 1119, 2048 },
+   { 4, 1120, 2048 }, { 5, 1121, 2048 }, { 5, 1122, 2048 }, { 6, 1123, 2048 }, { 5, 1124, 2048 }, { 6, 1125, 2048 }, { 6, 1126, 2048 }, { 7, 1127, 2048 },
+   { 5, 1128, 2048 }, { 6, 1129, 2048 }, { 6, 1130, 2048 }, { 7, 1131, 2048 }, { 6, 1132, 2048 }, { 7, 1133, 2048 }, { 7, 1134, 2048 }, { 8, 1135, 2048 },
+   { 5, 1136, 2048 }, { 6, 1137, 2048 }, { 6, 1138, 2048 }, { 7, 1139, 2048 }, { 6, 1140, 2048 }, { 7, 1141, 2048 }, { 7, 1142, 2048 }, { 8, 1143, 2048 },
+   { 6, 1144, 2048 }, { 7, 1145, 2048 }, { 7, 1146, 2048 }, { 8, 1147, 2048 }, { 7, 1148, 2048 }, { 8, 1149, 2048 }, { 8, 1150, 2048 }, { 9, 1151, 2048 },
+   { 3, 1152, 2048 }, { 4, 1153, 2048 }, { 4, 1154, 2048 }, { 5, 1155, 2048 }, { 4, 1156, 2048 }, { 5, 1157, 2048 }, { 5, 1158, 2048 }, { 6, 1159, 2048 },
+   { 4, 1160, 2048 }, { 5, 1161, 2048 }, { 5, 1162, 2048 }, { 6, 1163, 2048 }, { 5, 1164, 2048 }, { 6, 1165, 2048 }, { 6, 1166, 2048 }, { 7, 1167, 2048 },
+   { 4, 1168, 2048 }, { 5, 1169, 2048 }, { 5, 1170, 2048 }, { 6, 1171, 2048 }, { 5, 1172, 2048 }, { 6, 1173, 2048 }, { 6, 1174, 2048 }, { 7, 1175, 2048 },
+   { 5, 1176, 2048 }, { 6, 1177, 2048 }, { 6, 1178, 2048 }, { 7, 1179, 2048 }, { 6, 1180, 2048 }, { 7, 1181, 2048 }, { 7, 1182, 2048 }, { 8, 1183, 2048 },
+   { 4, 1184, 2048 }, { 5, 1185, 2048 }, { 5, 1186, 2048 }, { 6, 1187, 2048 }, { 5, 1188, 2048 }, { 6, 1189, 2048 }, { 6, 1190, 2048 }, { 7, 1191, 2048 },
+   { 5, 1192, 2048 }, { 6, 1193, 2048 }, { 6, 1194, 2048 }, { 7, 1195, 2048 }, { 6, 1196, 2048 }, { 7, 1197, 2048 }, { 7, 1198, 2048 }, { 8, 1199, 2048 },
+   { 5, 1200, 2048 }, { 6, 1201, 2048 }, { 6, 1202, 2048 }, { 7, 1203, 2048 }, { 6, 1204, 2048 }, { 7, 1205, 2048 }, { 7, 1206, 2048 }, { 8, 1207, 2048 },
+   { 6, 1208, 2048 }, { 7, 1209, 2048 }, { 7, 1210, 2048 }, { 8, 1211, 2048 }, { 7, 1212, 2048 }, { 8, 1213, 2048 }, { 8, 1214, 2048 }, { 9, 1215, 2048 },
+   { 4, 1216, 2048 }, { 5, 1217, 2048 }, { 5, 1218, 2048 }, { 6, 1219, 2048 }, { 5, 1220, 2048 }, { 6, 1221, 2048 }, { 6, 1222, 2048 }, { 7, 1223, 2048 },
+   { 5, 1224, 2048 }, { 6, 1225, 2048 }, { 6, 1226, 2048 }, { 7, 1227, 2048 }, { 6, 1228, 2048 }, { 7, 1229, 2048 }, { 7, 1230, 2048 }, { 8, 1231, 2048 },
+   { 5, 1232, 2048 }, { 6, 1233, 2048 }, { 6, 1234, 2048 }, { 7, 1235, 2048 }, { 6, 1236, 2048 }, { 7, 1237, 2048 }, { 7, 1238, 2048 }, { 8, 1239, 2048 },
+   { 6, 1240, 2048 }, { 7, 1241, 2048 }, { 7, 1242, 2048 }, { 8, 1243, 2048 }, { 7, 1244, 2048 }, { 8, 1245, 2048 }, { 8, 1246, 2048 }, { 9, 1247, 2048 },
+   { 5, 1248, 2048 }, { 6, 1249, 2048 }, { 6, 1250, 2048 }, { 7, 1251, 2048 }, { 6, 1252, 2048 }, { 7, 1253, 2048 }, { 7, 1254, 2048 }, { 8, 1255, 2048 },
+   { 6, 1256, 2048 }, { 7, 1257, 2048 }, { 7, 1258, 2048 }, { 8, 1259, 2048 }, { 7, 1260, 2048 }, { 8, 1261, 2048 }, { 8, 1262, 2048 }, { 9, 1263, 2048 },
+   { 6, 1264, 2048 }, { 7, 1265, 2048 }, { 7, 1266, 2048 }, { 8, 1267, 2048 }, { 7, 1268, 2048 }, { 8, 1269, 2048 }, { 8, 1270, 2048 }, { 9, 1271, 2048 },
+   { 7, 1272, 2048 }, { 8, 1273, 2048 }, { 8, 1274, 2048 }, { 9, 1275, 2048 }, { 8, 1276, 2048 }, { 9, 1277, 2048 }, { 9, 1278, 2048 }, { 10, 1279, 2048 },
+   { 3, 1280, 2048 }, { 4, 1281, 2048 }, { 4, 1282, 2048 }, { 5, 1283, 2048 }, { 4, 1284, 2048 }, { 5, 1285, 2048 }, { 5, 1286, 2048 }, { 6, 1287, 2048 },
+   { 4, 1288, 2048 }, { 5, 1289, 2048 }, { 5, 1290, 2048 }, { 6, 1291, 2048 }, { 5, 1292, 2048 }, { 6, 1293, 2048 }, { 6, 1294, 2048 }, { 7, 1295, 2048 },
+   { 4, 1296, 2048 }, { 5, 1297, 2048 }, { 5, 1298, 2048 }, { 6, 1299, 2048 }, { 5, 1300, 2048 }, { 6, 1301, 2048 }, { 6, 1302, 2048 }, { 7, 1303, 2048 },
+   { 5, 1304, 2048 }, { 6, 1305, 2048 }, { 6, 1306, 2048 }, { 7, 1307, 2048 }, { 6, 1308, 2048 }, { 7, 1309, 2048 }, { 7, 1310, 2048 }, { 8, 1311, 2048 },
+   { 4, 1312, 2048 }, { 5, 1313, 2048 }, { 5, 1314, 2048 }, { 6, 1315, 2048 }, { 5, 1316, 2048 }, { 6, 1317, 2048 }, { 6, 1318, 2048 }, { 7, 1319, 2048 },
+   { 5, 1320, 2048 }, { 6, 1321, 2048 }, { 6, 1322, 2048 }, { 7, 1323, 2048 }, { 6, 1324, 2048 }, { 7, 1325, 2048 }, { 7, 1326, 2048 }, { 8, 1327, 2048 },
+   { 5, 1328, 2048 }, { 6, 1329, 2048 }, { 6, 1330, 2048 }, { 7, 1331, 2048 }, { 6, 1332, 2048 }, { 7, 1333, 2048 }, { 7, 1334, 2048 }, { 8, 1335, 2048 },
+   { 6, 1336, 2048 }, { 7, 1337, 2048 }, { 7, 1338, 2048 }, { 8, 1339, 2048 }, { 7, 1340, 2048 }, { 8, 1341, 2048 }, { 8, 1342, 2048 }, { 9, 1343, 2048 },
+   { 4, 1344, 2048 }, { 5, 1345, 2048 }, { 5, 1346, 2048 }, { 6, 1347, 2048 }, { 5, 1348, 2048 }, { 6, 1349, 2048 }, { 6, 1350, 2048 }, { 7, 1351, 2048 },
+   { 5, 1352, 2048 }, { 6, 1353, 2048 }, { 6, 1354, 2048 }, { 7, 1355, 2048 }, { 6, 1356, 2048 }, { 7, 1357, 2048 }, { 7, 1358, 2048 }, { 8, 1359, 2048 },
+   { 5, 1360, 2048 }, { 6, 1361, 2048 }, { 6, 1362, 2048 }, { 7, 1363, 2048 }, { 6, 1364, 2048 }, { 7, 1365, 2048 }, { 7, 1366, 2048 }, { 8, 1367, 2048 },
+   { 6, 1368, 2048 }, { 7, 1369, 2048 }, { 7, 1370, 2048 }, { 8, 1371, 2048 }, { 7, 1372, 2048 }, { 8, 1373, 2048 }, { 8, 1374, 2048 }, { 9, 1375, 2048 },
+   { 5, 1376, 2048 }, { 6, 1377, 2048 }, { 6, 1378, 2048 }, { 7, 1379, 2048 }, { 6, 1380, 2048 }, { 7, 1381, 2048 }, { 7, 1382, 2048 }, { 8, 1383, 2048 },
+   { 6, 1384, 2048 }, { 7, 1385, 2048 }, { 7, 1386, 2048 }, { 8, 1387, 2048 }, { 7, 1388, 2048 }, { 8, 1389, 2048 }, { 8, 1390, 2048 }, { 9, 1391, 2048 },
+   { 6, 1392, 2048 }, { 7, 1393, 2048 }, { 7, 1394, 2048 }, { 8, 1395, 2048 }, { 7, 1396, 2048 }, { 8, 1397, 2048 }, { 8, 1398, 2048 }, { 9, 1399, 2048 },
+   { 7, 1400, 2048 }, { 8, 1401, 2048 }, { 8, 1402, 2048 }, { 9, 1403, 2048 }, { 8, 1404, 2048 }, { 9, 1405, 2048 }, { 9, 1406, 2048 }, { 10, 1407, 2048 },
+   { 4, 1408, 2048 }, { 5, 1409, 2048 }, { 5, 1410, 2048 }, { 6, 1411, 2048 }, { 5, 1412, 2048 }, { 6, 1413, 2048 }, { 6, 1414, 2048 }, { 7, 1415, 2048 },
+   { 5, 1416, 2048 }, { 6, 1417, 2048 }, { 6, 1418, 2048 }, { 7, 1419, 2048 }, { 6, 1420, 2048 }, { 7, 1421, 2048 }, { 7, 1422, 2048 }, { 8, 1423, 2048 },
+   { 5, 1424, 2048 }, { 6, 1425, 2048 }, { 6, 1426, 2048 }, { 7, 1427, 2048 }, { 6, 1428, 2048 }, { 7, 1429, 2048 }, { 7, 1430, 2048 }, { 8, 1431, 2048 },
+   { 6, 1432, 2048 }, { 7, 1433, 2048 }, { 7, 1434, 2048 }, { 8, 1435, 2048 }, { 7, 1436, 2048 }, { 8, 1437, 2048 }, { 8, 1438, 2048 }, { 9, 1439, 2048 },
+   { 5, 1440, 2048 }, { 6, 1441, 2048 }, { 6, 1442, 2048 }, { 7, 1443, 2048 }, { 6, 1444, 2048 }, { 7, 1445, 2048 }, { 7, 1446, 2048 }, { 8, 1447, 2048 },
+   { 6, 1448, 2048 }, { 7, 1449, 2048 }, { 7, 1450, 2048 }, { 8, 1451, 2048 }, { 7, 1452, 2048 }, { 8, 1453, 2048 }, { 8, 1454, 2048 }, { 9, 1455, 2048 },
+   { 6, 1456, 2048 }, { 7, 1457, 2048 }, { 7, 1458, 2048 }, { 8, 1459, 2048 }, { 7, 1460, 2048 }, { 8, 1461, 2048 }, { 8, 1462, 2048 }, { 9, 1463, 2048 },
+   { 7, 1464, 2048 }, { 8, 1465, 2048 }, { 8, 1466, 2048 }, { 9, 1467, 2048 }, { 8, 1468, 2048 }, { 9, 1469, 2048 }, { 9, 1470, 2048 }, { 10, 1471, 2048 },
+   { 5, 1472, 2048 }, { 6, 1473, 2048 }, { 6, 1474, 2048 }, { 7, 1475, 2048 }, { 6, 1476, 2048 }, { 7, 1477, 2048 }, { 7, 1478, 2048 }, { 8, 1479, 2048 },
+   { 6, 1480, 2048 }, { 7, 1481, 2048 }, { 7, 1482, 2048 }, { 8, 1483, 2048 }, { 7, 1484, 2048 }, { 8, 1485, 2048 }, { 8, 1486, 2048 }, { 9, 1487, 2048 },
+   { 6, 1488, 2048 }, { 7, 1489, 2048 }, { 7, 1490, 2048 }, { 8, 1491, 2048 }, { 7, 1492, 2048 }, { 8, 1493, 2048 }, { 8, 1494, 2048 }, { 9, 1495, 2048 },
+   { 7, 1496, 2048 }, { 8, 1497, 2048 }, { 8, 1498, 2048 }, { 9, 1499, 2048 }, { 8, 1500, 2048 }, { 9, 1501, 2048 }, { 9, 1502, 2048 }, { 10, 1503, 2048 },
+   { 6, 1504, 2048 }, { 7, 1505, 2048 }, { 7, 1506, 2048 }, { 8, 1507, 2048 }, { 7, 1508, 2048 }, { 8, 1509, 2048 }, { 8, 1510, 2048 }, { 9, 1511, 2048 },
+   { 7, 1512, 2048 }, { 8, 1513, 2048 }, { 8, 1514, 2048 }, { 9, 1515, 2048 }, { 8, 1516, 2048 }, { 9, 1517, 2048 }, { 9, 1518, 2048 }, { 10, 1519, 2048 },
+   { 7, 1520, 2048 }, { 8, 1521, 2048 }, { 8, 1522, 2048 }, { 9, 1523, 2048 }, { 8, 1524, 2048 }, { 9, 1525, 2048 }, { 9, 1526, 2048 }, { 10, 1527, 2048 },
+   { 8, 1528, 2048 }, { 9, 1529, 2048 }, { 9, 1530, 2048 }, { 10, 1531, 2048 }, { 9, 1532, 2048 }, { 10, 1533, 2048 }, { 10, 1534, 2048 }, { 11, 1535, 2048 },
+   { 3, 1536, 2048 }, { 4, 1537, 2048 }, { 4, 1538, 2048 }, { 5, 1539, 2048 }, { 4, 1540, 2048 }, { 5, 1541, 2048 }, { 5, 1542, 2048 }, { 6, 1543, 2048 },
+   { 4, 1544, 2048 }, { 5, 1545, 2048 }, { 5, 1546, 2048 }, { 6, 1547, 2048 }, { 5, 1548, 2048 }, { 6, 1549, 2048 }, { 6, 1550, 2048 }, { 7, 1551, 2048 },
+   { 4, 1552, 2048 }, { 5, 1553, 2048 }, { 5, 1554, 2048 }, { 6, 1555, 2048 }, { 5, 1556, 2048 }, { 6, 1557, 2048 }, { 6, 1558, 2048 }, { 7, 1559, 2048 },
+   { 5, 1560, 2048 }, { 6, 1561, 2048 }, { 6, 1562, 2048 }, { 7, 1563, 2048 }, { 6, 1564, 2048 }, { 7, 1565, 2048 }, { 7, 1566, 2048 }, { 8, 1567, 2048 },
+   { 4, 1568, 2048 }, { 5, 1569, 2048 }, { 5, 1570, 2048 }, { 6, 1571, 2048 }, { 5, 1572, 2048 }, { 6, 1573, 2048 }, { 6, 1574, 2048 }, { 7, 1575, 2048 },
+   { 5, 1576, 2048 }, { 6, 1577, 2048 }, { 6, 1578, 2048 }, { 7, 1579, 2048 }, { 6, 1580, 2048 }, { 7, 1581, 2048 }, { 7, 1582, 2048 }, { 8, 1583, 2048 },
+   { 5, 1584, 2048 }, { 6, 1585, 2048 }, { 6, 1586, 2048 }, { 7, 1587, 2048 }, { 6, 1588, 2048 }, { 7, 1589, 2048 }, { 7, 1590, 2048 }, { 8, 1591, 2048 },
+   { 6, 1592, 2048 }, { 7, 1593, 2048 }, { 7, 1594, 2048 }, { 8, 1595, 2048 }, { 7, 1596, 2048 }, { 8, 1597, 2048 }, { 8, 1598, 2048 }, { 9, 1599, 2048 },
+   { 4, 1600, 2048 }, { 5, 1601, 2048 }, { 5, 1602, 2048 }, { 6, 1603, 2048 }, { 5, 1604, 2048 }, { 6, 1605, 2048 }, { 6, 1606, 2048 }, { 7, 1607, 2048 },
+   { 5, 1608, 2048 }, { 6, 1609, 2048 }, { 6, 1610, 2048 }, { 7, 1611, 2048 }, { 6, 1612, 2048 }, { 7, 1613, 2048 }, { 7, 1614, 2048 }, { 8, 1615, 2048 },
+   { 5, 1616, 2048 }, { 6, 1617, 2048 }, { 6, 1618, 2048 }, { 7, 1619, 2048 }, { 6, 1620, 2048 }, { 7, 1621, 2048 }, { 7, 1622, 2048 }, { 8, 1623, 2048 },
+   { 6, 1624, 2048 }, { 7, 1625, 2048 }, { 7, 1626, 2048 }, { 8, 1627, 2048 }, { 7, 1628, 2048 }, { 8, 1629, 2048 }, { 8, 1630, 2048 }, { 9, 1631, 2048 },
+   { 5, 1632, 2048 }, { 6, 1633, 2048 }, { 6, 1634, 2048 }, { 7, 1635, 2048 }, { 6, 1636, 2048 }, { 7, 1637, 2048 }, { 7, 1638, 2048 }, { 8, 1639, 2048 },
+   { 6, 1640, 2048 }, { 7, 1641, 2048 }, { 7, 1642, 2048 }, { 8, 1643, 2048 }, { 7, 1644, 2048 }, { 8, 1645, 2048 }, { 8, 1646, 2048 }, { 9, 1647, 2048 },
+   { 6, 1648, 2048 }, { 7, 1649, 2048 }, { 7, 1650, 2048 }, { 8, 1651, 2048 }, { 7, 1652, 2048 }, { 8, 1653, 2048 }, { 8, 1654, 2048 }, { 9, 1655, 2048 },
+   { 7, 1656, 2048 }, { 8, 1657, 2048 }, { 8, 1658, 2048 }, { 9, 1659, 2048 }, { 8, 1660, 2048 }, { 9, 1661, 2048 }, { 9, 1662, 2048 }, { 10, 1663, 2048 },
+   { 4, 1664, 2048 }, { 5, 1665, 2048 }, { 5, 1666, 2048 }, { 6, 1667, 2048 }, { 5, 1668, 2048 }, { 6, 1669, 2048 }, { 6, 1670, 2048 }, { 7, 1671, 2048 },
+   { 5, 1672, 2048 }, { 6, 1673, 2048 }, { 6, 1674, 2048 }, { 7, 1675, 2048 }, { 6, 1676, 2048 }, { 7, 1677, 2048 }, { 7, 1678, 2048 }, { 8, 1679, 2048 },
+   { 5, 1680, 2048 }, { 6, 1681, 2048 }, { 6, 1682, 2048 }, { 7, 1683, 2048 }, { 6, 1684, 2048 }, { 7, 1685, 2048 }, { 7, 1686, 2048 }, { 8, 1687, 2048 },
+   { 6, 1688, 2048 }, { 7, 1689, 2048 }, { 7, 1690, 2048 }, { 8, 1691, 2048 }, { 7, 1692, 2048 }, { 8, 1693, 2048 }, { 8, 1694, 2048 }, { 9, 1695, 2048 },
+   { 5, 1696, 2048 }, { 6, 1697, 2048 }, { 6, 1698, 2048 }, { 7, 1699, 2048 }, { 6, 1700, 2048 }, { 7, 1701, 2048 }, { 7, 1702, 2048 }, { 8, 1703, 2048 },
+   { 6, 1704, 2048 }, { 7, 1705, 2048 }, { 7, 1706, 2048 }, { 8, 1707, 2048 }, { 7, 1708, 2048 }, { 8, 1709, 2048 }, { 8, 1710, 2048 }, { 9, 1711, 2048 },
+   { 6, 1712, 2048 }, { 7, 1713, 2048 }, { 7, 1714, 2048 }, { 8, 1715, 2048 }, { 7, 1716, 2048 }, { 8, 1717, 2048 }, { 8, 1718, 2048 }, { 9, 1719, 2048 },
+   { 7, 1720, 2048 }, { 8, 1721, 2048 }, { 8, 1722, 2048 }, { 9, 1723, 2048 }, { 8, 1724, 2048 }, { 9, 1725, 2048 }, { 9, 1726, 2048 }, { 10, 1727, 2048 },
+   { 5, 1728, 2048 }, { 6, 1729, 2048 }, { 6, 1730, 2048 }, { 7, 1731, 2048 }, { 6, 1732, 2048 }, { 7, 1733, 2048 }, { 7, 1734, 2048 }, { 8, 1735, 2048 },
+   { 6, 1736, 2048 }, { 7, 1737, 2048 }, { 7, 1738, 2048 }, { 8, 1739, 2048 }, { 7, 1740, 2048 }, { 8, 1741, 2048 }, { 8, 1742, 2048 }, { 9, 1743, 2048 },
+   { 6, 1744, 2048 }, { 7, 1745, 2048 }, { 7, 1746, 2048 }, { 8, 1747, 2048 }, { 7, 1748, 2048 }, { 8, 1749, 2048 }, { 8, 1750, 2048 }, { 9, 1751, 2048 },
+   { 7, 1752, 2048 }, { 8, 1753, 2048 }, { 8, 1754, 2048 }, { 9, 1755, 2048 }, { 8, 1756, 2048 }, { 9, 1757, 2048 }, { 9, 1758, 2048 }, { 10, 1759, 2048 },
+   { 6, 1760, 2048 }, { 7, 1761, 2048 }, { 7, 1762, 2048 }, { 8, 1763, 2048 }, { 7, 1764, 2048 }, { 8, 1765, 2048 }, { 8, 1766, 2048 }, { 9, 1767, 2048 },
+   { 7, 1768, 2048 }, { 8, 1769, 2048 }, { 8, 1770, 2048 }, { 9, 1771, 2048 }, { 8, 1772, 2048 }, { 9, 1773, 2048 }, { 9, 1774, 2048 }, { 10, 1775, 2048 },
+   { 7, 1776, 2048 }, { 8, 1777, 2048 }, { 8, 1778, 2048 }, { 9, 1779, 2048 }, { 8, 1780, 2048 }, { 9, 1781, 2048 }, { 9, 1782, 2048 }, { 10, 1783, 2048 },
+   { 8, 1784, 2048 }, { 9, 1785, 2048 }, { 9, 1786, 2048 }, { 10, 1787, 2048 }, { 9, 1788, 2048 }, { 10, 1789, 2048 }, { 10, 1790, 2048 }, { 11, 1791, 2048 },
+   { 4, 1792, 2048 }, { 5, 1793, 2048 }, { 5, 1794, 2048 }, { 6, 1795, 2048 }, { 5, 1796, 2048 }, { 6, 1797, 2048 }, { 6, 1798, 2048 }, { 7, 1799, 2048 },
+   { 5, 1800, 2048 }, { 6, 1801, 2048 }, { 6, 1802, 2048 }, { 7, 1803, 2048 }, { 6, 1804, 2048 }, { 7, 1805, 2048 }, { 7, 1806, 2048 }, { 8, 1807, 2048 },
+   { 5, 1808, 2048 }, { 6, 1809, 2048 }, { 6, 1810, 2048 }, { 7, 1811, 2048 }, { 6, 1812, 2048 }, { 7, 1813, 2048 }, { 7, 1814, 2048 }, { 8, 1815, 2048 },
+   { 6, 1816, 2048 }, { 7, 1817, 2048 }, { 7, 1818, 2048 }, { 8, 1819, 2048 }, { 7, 1820, 2048 }, { 8, 1821, 2048 }, { 8, 1822, 2048 }, { 9, 1823, 2048 },
+   { 5, 1824, 2048 }, { 6, 1825, 2048 }, { 6, 1826, 2048 }, { 7, 1827, 2048 }, { 6, 1828, 2048 }, { 7, 1829, 2048 }, { 7, 1830, 2048 }, { 8, 1831, 2048 },
+   { 6, 1832, 2048 }, { 7, 1833, 2048 }, { 7, 1834, 2048 }, { 8, 1835, 2048 }, { 7, 1836, 2048 }, { 8, 1837, 2048 }, { 8, 1838, 2048 }, { 9, 1839, 2048 },
+   { 6, 1840, 2048 }, { 7, 1841, 2048 }, { 7, 1842, 2048 }, { 8, 1843, 2048 }, { 7, 1844, 2048 }, { 8, 1845, 2048 }, { 8, 1846, 2048 }, { 9, 1847, 2048 },
+   { 7, 1848, 2048 }, { 8, 1849, 2048 }, { 8, 1850, 2048 }, { 9, 1851, 2048 }, { 8, 1852, 2048 }, { 9, 1853, 2048 }, { 9, 1854, 2048 }, { 10, 1855, 2048 },
+   { 5, 1856, 2048 }, { 6, 1857, 2048 }, { 6, 1858, 2048 }, { 7, 1859, 2048 }, { 6, 1860, 2048 }, { 7, 1861, 2048 }, { 7, 1862, 2048 }, { 8, 1863, 2048 },
+   { 6, 1864, 2048 }, { 7, 1865, 2048 }, { 7, 1866, 2048 }, { 8, 1867, 2048 }, { 7, 1868, 2048 }, { 8, 1869, 2048 }, { 8, 1870, 2048 }, { 9, 1871, 2048 },
+   { 6, 1872, 2048 }, { 7, 1873, 2048 }, { 7, 1874, 2048 }, { 8, 1875, 2048 }, { 7, 1876, 2048 }, { 8, 1877, 2048 }, { 8, 1878, 2048 }, { 9, 1879, 2048 },
+   { 7, 1880, 2048 }, { 8, 1881, 2048 }, { 8, 1882, 2048 }, { 9, 1883, 2048 }, { 8, 1884, 2048 }, { 9, 1885, 2048 }, { 9, 1886, 2048 }, { 10, 1887, 2048 },
+   { 6, 1888, 2048 }, { 7, 1889, 2048 }, { 7, 1890, 2048 }, { 8, 1891, 2048 }, { 7, 1892, 2048 }, { 8, 1893, 2048 }, { 8, 1894, 2048 }, { 9, 1895, 2048 },
+   { 7, 1896, 2048 }, { 8, 1897, 2048 }, { 8, 1898, 2048 }, { 9, 1899, 2048 }, { 8, 1900, 2048 }, { 9, 1901, 2048 }, { 9, 1902, 2048 }, { 10, 1903, 2048 },
+   { 7, 1904, 2048 }, { 8, 1905, 2048 }, { 8, 1906, 2048 }, { 9, 1907, 2048 }, { 8, 1908, 2048 }, { 9, 1909, 2048 }, { 9, 1910, 2048 }, { 10, 1911, 2048 },
+   { 8, 1912, 2048 }, { 9, 1913, 2048 }, { 9, 1914, 2048 }, { 10, 1915, 2048 }, { 9, 1916, 2048 }, { 10, 1917, 2048 }, { 10, 1918, 2048 }, { 11, 1919, 2048 },
+   { 5, 1920, 2048 }, { 6, 1921, 2048 }, { 6, 1922, 2048 }, { 7, 1923, 2048 }, { 6, 1924, 2048 }, { 7, 1925, 2048 }, { 7, 1926, 2048 }, { 8, 1927, 2048 },
+   { 6, 1928, 2048 }, { 7, 1929, 2048 }, { 7, 1930, 2048 }, { 8, 1931, 2048 }, { 7, 1932, 2048 }, { 8, 1933, 2048 }, { 8, 1934, 2048 }, { 9, 1935, 2048 },
+   { 6, 1936, 2048 }, { 7, 1937, 2048 }, { 7, 1938, 2048 }, { 8, 1939, 2048 }, { 7, 1940, 2048 }, { 8, 1941, 2048 }, { 8, 1942, 2048 }, { 9, 1943, 2048 },
+   { 7, 1944, 2048 }, { 8, 1945, 2048 }, { 8, 1946, 2048 }, { 9, 1947, 2048 }, { 8, 1948, 2048 }, { 9, 1949, 2048 }, { 9, 1950, 2048 }, { 10, 1951, 2048 },
+   { 6, 1952, 2048 }, { 7, 1953, 2048 }, { 7, 1954, 2048 }, { 8, 1955, 2048 }, { 7, 1956, 2048 }, { 8, 1957, 2048 }, { 8, 1958, 2048 }, { 9, 1959, 2048 },
+   { 7, 1960, 2048 }, { 8, 1961, 2048 }, { 8, 1962, 2048 }, { 9, 1963, 2048 }, { 8, 1964, 2048 }, { 9, 1965, 2048 }, { 9, 1966, 2048 }, { 10, 1967, 2048 },
+   { 7, 1968, 2048 }, { 8, 1969, 2048 }, { 8, 1970, 2048 }, { 9, 1971, 2048 }, { 8, 1972, 2048 }, { 9, 1973, 2048 }, { 9, 1974, 2048 }, { 10, 1975, 2048 },
+   { 8, 1976, 2048 }, { 9, 1977, 2048 }, { 9, 1978, 2048 }, { 10, 1979, 2048 }, { 9, 1980, 2048 }, { 10, 1981, 2048 }, { 10, 1982, 2048 }, { 11, 1983, 2048 },
+   { 6, 1984, 2048 }, { 7, 1985, 2048 }, { 7, 1986, 2048 }, { 8, 1987, 2048 }, { 7, 1988, 2048 }, { 8, 1989, 2048 }, { 8, 1990, 2048 }, { 9, 1991, 2048 },
+   { 7, 1992, 2048 }, { 8, 1993, 2048 }, { 8, 1994, 2048 }, { 9, 1995, 2048 }, { 8, 1996, 2048 }, { 9, 1997, 2048 }, { 9, 1998, 2048 }, { 10, 1999, 2048 },
+   { 7, 2000, 2048 }, { 8, 2001, 2048 }, { 8, 2002, 2048 }, { 9, 2003, 2048 }, { 8, 2004, 2048 }, { 9, 2005, 2048 }, { 9, 2006, 2048 }, { 10, 2007, 2048 },
+   { 8, 2008, 2048 }, { 9, 2009, 2048 }, { 9, 2010, 2048 }, { 10, 2011, 2048 }, { 9, 2012, 2048 }, { 10, 2013, 2048 }, { 10, 2014, 2048 }, { 11, 2015, 2048 },
+   { 7, 2016, 2048 }, { 8, 2017, 2048 }, { 8, 2018, 2048 }, { 9, 2019, 2048 }, { 8, 2020, 2048 }, { 9, 2021, 2048 }, { 9, 2022, 2048 }, { 10, 2023, 2048 },
+   { 8, 2024, 2048 }, { 9, 2025, 2048 }, { 9, 2026, 2048 }, { 10, 2027, 2048 }, { 9, 2028, 2048 }, { 10, 2029, 2048 }, { 10, 2030, 2048 }, { 11, 2031, 2048 },
+   { 8, 2032, 2048 }, { 9, 2033, 2048 }, { 9, 2034, 2048 }, { 10, 2035, 2048 }, { 9, 2036, 2048 }, { 10, 2037, 2048 }, { 10, 2038, 2048 }, { 11, 2039, 2048 },
+   { 9, 2040, 2048 }, { 10, 2041, 2048 }, { 10, 2042, 2048 }, { 11, 2043, 2048 }, { 10, 2044, 2048 }, { 11, 2045, 2048 }, { 11, 2046, 2048 }, { 12, 2047, 2048 },
 #endif
 #endif
 #endif
@@ -3462,6 +8636,7 @@ static const struct {
 #endif
 };
 
+
 /* find a hole and free as required, return -1 if no hole found */
 static int find_hole(void)
 {
@@ -3484,10 +8659,10 @@ static int find_hole(void)
    /* free entry z */
    if (z >= 0 && fp_cache[z].g) {
       mp_clear(&fp_cache[z].mu);
-      ecc_del_point(fp_cache[z].g);
+      wc_ecc_del_point(fp_cache[z].g);
       fp_cache[z].g  = NULL;
       for (x = 0; x < (1U<<FP_LUT); x++) {
-         ecc_del_point(fp_cache[z].LUT[x]);
+         wc_ecc_del_point(fp_cache[z].LUT[x]);
          fp_cache[z].LUT[x] = NULL;
       }
       fp_cache[z].lru_count = 0;
@@ -3500,9 +8675,9 @@ static int find_base(ecc_point* g)
 {
    int x;
    for (x = 0; x < FP_ENTRIES; x++) {
-      if (fp_cache[x].g != NULL && 
-          mp_cmp(fp_cache[x].g->x, g->x) == MP_EQ && 
-          mp_cmp(fp_cache[x].g->y, g->y) == MP_EQ && 
+      if (fp_cache[x].g != NULL &&
+          mp_cmp(fp_cache[x].g->x, g->x) == MP_EQ &&
+          mp_cmp(fp_cache[x].g->y, g->y) == MP_EQ &&
           mp_cmp(fp_cache[x].g->z, g->z) == MP_EQ) {
          break;
       }
@@ -3519,7 +8694,7 @@ static int add_entry(int idx, ecc_point *g)
    unsigned x, y;
 
    /* allocate base and LUT */
-   fp_cache[idx].g = ecc_new_point();
+   fp_cache[idx].g = wc_ecc_new_point();
    if (fp_cache[idx].g == NULL) {
       return GEN_MEM_ERR;
    }
@@ -3528,38 +8703,42 @@ static int add_entry(int idx, ecc_point *g)
    if ((mp_copy(g->x, fp_cache[idx].g->x) != MP_OKAY) ||
        (mp_copy(g->y, fp_cache[idx].g->y) != MP_OKAY) ||
        (mp_copy(g->z, fp_cache[idx].g->z) != MP_OKAY)) {
-      ecc_del_point(fp_cache[idx].g);
+      wc_ecc_del_point(fp_cache[idx].g);
       fp_cache[idx].g = NULL;
       return GEN_MEM_ERR;
-   }              
+   }
 
    for (x = 0; x < (1U<<FP_LUT); x++) {
-      fp_cache[idx].LUT[x] = ecc_new_point();
+      fp_cache[idx].LUT[x] = wc_ecc_new_point();
       if (fp_cache[idx].LUT[x] == NULL) {
          for (y = 0; y < x; y++) {
-            ecc_del_point(fp_cache[idx].LUT[y]);
+            wc_ecc_del_point(fp_cache[idx].LUT[y]);
             fp_cache[idx].LUT[y] = NULL;
          }
-         ecc_del_point(fp_cache[idx].g);
+         wc_ecc_del_point(fp_cache[idx].g);
          fp_cache[idx].g         = NULL;
          fp_cache[idx].lru_count = 0;
          return GEN_MEM_ERR;
       }
    }
-   
+
    fp_cache[idx].lru_count = 0;
 
    return MP_OKAY;
 }
+#endif
 
-/* build the LUT by spacing the bits of the input by #modulus/FP_LUT bits apart 
- * 
- * The algorithm builds patterns in increasing bit order by first making all 
+#ifndef WOLFSSL_SP_MATH
+/* build the LUT by spacing the bits of the input by #modulus/FP_LUT bits apart
+ *
+ * The algorithm builds patterns in increasing bit order by first making all
  * single bit input patterns, then all two bit input patterns and so on
  */
-static int build_lut(int idx, mp_int* modulus, mp_digit* mp, mp_int* mu)
-{ 
-   unsigned x, y, err, bitlen, lut_gap;
+static int build_lut(int idx, mp_int* a, mp_int* modulus, mp_digit mp,
+    mp_int* mu)
+{
+   int err;
+   unsigned x, y, bitlen, lut_gap;
    mp_int tmp;
 
    if (mp_init(&tmp) != MP_OKAY)
@@ -3570,82 +8749,80 @@ static int build_lut(int idx, mp_int* modulus, mp_digit* mp, mp_int* mu)
    if ((sizeof(lut_orders) / sizeof(lut_orders[0])) < (1U<<FP_LUT)) {
        err = BAD_FUNC_ARG;
    }
-   else {   
+   else {
     /* get bitlen and round up to next multiple of FP_LUT */
     bitlen  = mp_unsigned_bin_size(modulus) << 3;
     x       = bitlen % FP_LUT;
     if (x) {
       bitlen += FP_LUT - x;
-    }  
+    }
     lut_gap = bitlen / FP_LUT;
 
     /* init the mu */
     err = mp_init_copy(&fp_cache[idx].mu, mu);
    }
-   
+
    /* copy base */
    if (err == MP_OKAY) {
      if ((mp_mulmod(fp_cache[idx].g->x, mu, modulus,
-                  fp_cache[idx].LUT[1]->x) != MP_OKAY) || 
+                  fp_cache[idx].LUT[1]->x) != MP_OKAY) ||
          (mp_mulmod(fp_cache[idx].g->y, mu, modulus,
-                  fp_cache[idx].LUT[1]->y) != MP_OKAY) || 
+                  fp_cache[idx].LUT[1]->y) != MP_OKAY) ||
          (mp_mulmod(fp_cache[idx].g->z, mu, modulus,
                   fp_cache[idx].LUT[1]->z) != MP_OKAY)) {
-       err = MP_MULMOD_E; 
+       err = MP_MULMOD_E;
      }
    }
-       
+
    /* make all single bit entries */
    for (x = 1; x < FP_LUT; x++) {
       if (err != MP_OKAY)
           break;
       if ((mp_copy(fp_cache[idx].LUT[1<<(x-1)]->x,
-                   fp_cache[idx].LUT[1<<x]->x) != MP_OKAY) || 
+                   fp_cache[idx].LUT[1<<x]->x) != MP_OKAY) ||
           (mp_copy(fp_cache[idx].LUT[1<<(x-1)]->y,
-                   fp_cache[idx].LUT[1<<x]->y) != MP_OKAY) || 
+                   fp_cache[idx].LUT[1<<x]->y) != MP_OKAY) ||
           (mp_copy(fp_cache[idx].LUT[1<<(x-1)]->z,
                    fp_cache[idx].LUT[1<<x]->z) != MP_OKAY)){
           err = MP_INIT_E;
           break;
       } else {
-          
+
          /* now double it bitlen/FP_LUT times */
          for (y = 0; y < lut_gap; y++) {
              if ((err = ecc_projective_dbl_point(fp_cache[idx].LUT[1<<x],
-                            fp_cache[idx].LUT[1<<x], modulus, mp)) != MP_OKAY) {
+                            fp_cache[idx].LUT[1<<x], a, modulus, mp)) != MP_OKAY) {
                  break;
              }
          }
      }
   }
-      
+
    /* now make all entries in increase order of hamming weight */
    for (x = 2; x <= FP_LUT; x++) {
        if (err != MP_OKAY)
            break;
        for (y = 0; y < (1UL<<FP_LUT); y++) {
-           if (err != MP_OKAY)
-             break;
            if (lut_orders[y].ham != (int)x) continue;
-                     
+
            /* perform the add */
            if ((err = ecc_projective_add_point(
                            fp_cache[idx].LUT[lut_orders[y].terma],
                            fp_cache[idx].LUT[lut_orders[y].termb],
-                           fp_cache[idx].LUT[y], modulus, mp)) != MP_OKAY) {
+                           fp_cache[idx].LUT[y], a, modulus, mp)) != MP_OKAY) {
               break;
            }
        }
    }
-      
+
    /* now map all entries back to affine space to make point addition faster */
    for (x = 1; x < (1UL<<FP_LUT); x++) {
        if (err != MP_OKAY)
            break;
 
        /* convert z to normal from montgomery */
-       err = mp_montgomery_reduce(fp_cache[idx].LUT[x]->z, modulus, *mp);
- 
+       err = mp_montgomery_reduce(fp_cache[idx].LUT[x]->z, modulus, mp);
+
        /* invert it */
        if (err == MP_OKAY)
          err = mp_invmod(fp_cache[idx].LUT[x]->z, modulus,
@@ -3654,7 +8831,7 @@ static int build_lut(int idx, mp_int* modulus, mp_digit* mp, mp_int* mu)
        if (err == MP_OKAY)
          /* now square it */
          err = mp_sqrmod(fp_cache[idx].LUT[x]->z, modulus, &tmp);
-       
+
        if (err == MP_OKAY)
          /* fix x */
          err = mp_mulmod(fp_cache[idx].LUT[x]->x, &tmp, modulus,
@@ -3673,6 +8850,7 @@ static int build_lut(int idx, mp_int* modulus, mp_digit* mp, mp_int* mu)
          /* free z */
          mp_clear(fp_cache[idx].LUT[x]->z);
    }
+
    mp_clear(&tmp);
 
    if (err == MP_OKAY)
@@ -3680,107 +8858,99 @@ static int build_lut(int idx, mp_int* modulus, mp_digit* mp, mp_int* mu)
 
    /* err cleanup */
    for (y = 0; y < (1U<<FP_LUT); y++) {
-      ecc_del_point(fp_cache[idx].LUT[y]);
+      wc_ecc_del_point(fp_cache[idx].LUT[y]);
       fp_cache[idx].LUT[y] = NULL;
    }
-   ecc_del_point(fp_cache[idx].g);
+   wc_ecc_del_point(fp_cache[idx].g);
    fp_cache[idx].g         = NULL;
    fp_cache[idx].lru_count = 0;
    mp_clear(&fp_cache[idx].mu);
-   mp_clear(&tmp);
 
    return err;
 }
 
 /* perform a fixed point ECC mulmod */
-static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
-                        mp_digit* mp, int map)
+static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* a,
+                        mp_int* modulus, mp_digit mp, int map)
 {
 #define KB_SIZE 128
 
 #ifdef WOLFSSL_SMALL_STACK
-   unsigned char* kb;
+   unsigned char* kb = NULL;
 #else
-   unsigned char kb[128];
+   unsigned char kb[KB_SIZE];
 #endif
-   int      x;
-   unsigned y, z, err, bitlen, bitpos, lut_gap, first;
-   mp_int   tk;
+   int      x, err;
+   unsigned y, z = 0, bitlen, bitpos, lut_gap, first;
+   mp_int   tk, order;
 
-   if (mp_init(&tk) != MP_OKAY)
+   if (mp_init_multi(&tk, &order, NULL, NULL, NULL, NULL) != MP_OKAY)
        return MP_INIT_E;
 
    /* if it's smaller than modulus we fine */
    if (mp_unsigned_bin_size(k) > mp_unsigned_bin_size(modulus)) {
-      mp_int order;
-      if (mp_init(&order) != MP_OKAY) {
-        mp_clear(&tk);
-        return MP_INIT_E;
-      }
-
       /* find order */
       y = mp_unsigned_bin_size(modulus);
       for (x = 0; ecc_sets[x].size; x++) {
          if (y <= (unsigned)ecc_sets[x].size) break;
       }
-   
+
       /* back off if we are on the 521 bit curve */
       if (y == 66) --x;
-      
-      if ((err = mp_read_radix(&order, ecc_sets[x].order, 16)) != MP_OKAY) {
-         mp_clear(&order);
-         mp_clear(&tk);
-         return err;
+
+      if ((err = mp_read_radix(&order, ecc_sets[x].order,
+                                                MP_RADIX_HEX)) != MP_OKAY) {
+         goto done;
       }
 
       /* k must be less than modulus */
       if (mp_cmp(k, &order) != MP_LT) {
          if ((err = mp_mod(k, &order, &tk)) != MP_OKAY) {
-            mp_clear(&tk);
-            mp_clear(&order);
-            return err;
+            goto done;
          }
       } else {
-         mp_copy(k, &tk);
+         if ((err = mp_copy(k, &tk)) != MP_OKAY) {
+            goto done;
+         }
       }
-      mp_clear(&order);
    } else {
-      mp_copy(k, &tk);
-   }       
-   
+      if ((err = mp_copy(k, &tk)) != MP_OKAY) {
+         goto done;
+      }
+   }
+
    /* get bitlen and round up to next multiple of FP_LUT */
    bitlen  = mp_unsigned_bin_size(modulus) << 3;
    x       = bitlen % FP_LUT;
    if (x) {
       bitlen += FP_LUT - x;
-   }  
+   }
    lut_gap = bitlen / FP_LUT;
-        
+
    /* get the k value */
    if (mp_unsigned_bin_size(&tk) > (int)(KB_SIZE - 2)) {
-      mp_clear(&tk);
-      return BUFFER_E;
+      err = BUFFER_E; goto done;
    }
-   
+
    /* store k */
 #ifdef WOLFSSL_SMALL_STACK
-   kb = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-   if (kb == NULL)
-      return MEMORY_E;
+   kb = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+   if (kb == NULL) {
+      err = MEMORY_E; goto done;
+   }
 #endif
 
    XMEMSET(kb, 0, KB_SIZE);
-   if ((err = mp_to_unsigned_bin(&tk, kb)) != MP_OKAY) {
-      mp_clear(&tk);
-   }
-   else {
+   if ((err = mp_to_unsigned_bin(&tk, kb)) == MP_OKAY) {
       /* let's reverse kb so it's little endian */
       x = 0;
-      y = mp_unsigned_bin_size(&tk) - 1;
-      mp_clear(&tk);
+      y = mp_unsigned_bin_size(&tk);
+      if (y > 0) {
+          y -= 1;
+      }
 
       while ((unsigned)x < y) {
-         z = kb[x]; kb[x] = kb[y]; kb[y] = z;
+         z = kb[x]; kb[x] = kb[y]; kb[y] = (byte)z;
          ++x; --y;
       }
 
@@ -3798,7 +8968,7 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
 
           /* double if not first */
           if (!first) {
-             if ((err = ecc_projective_dbl_point(R, R, modulus,
+             if ((err = ecc_projective_dbl_point(R, R, a, modulus,
                                                               mp)) != MP_OKAY) {
                 break;
              }
@@ -3806,10 +8976,35 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
 
           /* add if not first, otherwise copy */
           if (!first && z) {
-             if ((err = ecc_projective_add_point(R, fp_cache[idx].LUT[z], R,
+             if ((err = ecc_projective_add_point(R, fp_cache[idx].LUT[z], R, a,
                                                      modulus, mp)) != MP_OKAY) {
                 break;
              }
+             if (mp_iszero(R->z)) {
+                 /* When all zero then should have done an add */
+                 if (mp_iszero(R->x) && mp_iszero(R->y)) {
+                     if ((err = ecc_projective_dbl_point(fp_cache[idx].LUT[z],
+                                               R, a, modulus, mp)) != MP_OKAY) {
+                         break;
+                     }
+                 }
+                 /* When only Z zero then result is infinity */
+                 else {
+                    err = mp_set(R->x, 0);
+                    if (err != MP_OKAY) {
+                       break;
+                    }
+                    err = mp_set(R->y, 0);
+                    if (err != MP_OKAY) {
+                       break;
+                    }
+                    err = mp_copy(&fp_cache[idx].mu, R->z);
+                    if (err != MP_OKAY) {
+                       break;
+                    }
+                    first = 1;
+                 }
+             }
           } else if (z) {
              if ((mp_copy(fp_cache[idx].LUT[z]->x, R->x) != MP_OKAY) ||
                  (mp_copy(fp_cache[idx].LUT[z]->y, R->y) != MP_OKAY) ||
@@ -3817,14 +9012,15 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
                  err = GEN_MEM_ERR;
                  break;
              }
-                 first = 0;
+             first = 0;
           }
       }
    }
 
    if (err == MP_OKAY) {
-      z = 0;
+      (void) z; /* Acknowledge the unused assignment */
       ForceZero(kb, KB_SIZE);
+
       /* map R back from projective space */
       if (map) {
          err = ecc_map(R, modulus, mp);
@@ -3833,35 +9029,41 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
       }
    }
 
+done:
+   /* cleanup */
+   mp_clear(&order);
+   mp_clear(&tk);
+
 #ifdef WOLFSSL_SMALL_STACK
-   XFREE(kb, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   XFREE(kb, NULL, DYNAMIC_TYPE_ECC_BUFFER);
 #endif
 
 #undef KB_SIZE
 
    return err;
 }
+#endif
 
 #ifdef ECC_SHAMIR
+#ifndef WOLFSSL_SP_MATH
 /* perform a fixed point ECC mulmod */
-static int accel_fp_mul2add(int idx1, int idx2, 
+static int accel_fp_mul2add(int idx1, int idx2,
                             mp_int* kA, mp_int* kB,
-                            ecc_point *R, mp_int* modulus, mp_digit* mp)
+                            ecc_point *R, mp_int* a,
+                            mp_int* modulus, mp_digit mp)
 {
 #define KB_SIZE 128
 
 #ifdef WOLFSSL_SMALL_STACK
-   unsigned char* kb[2];
+   unsigned char* kb[2] = {NULL, NULL};
 #else
-   unsigned char kb[2][128];
+   unsigned char kb[2][KB_SIZE];
 #endif
-   int      x;
-   unsigned y, z, err, bitlen, bitpos, lut_gap, first, zA, zB;
-   mp_int tka;
-   mp_int tkb;
-   mp_int order;
+   int      x, err;
+   unsigned y, z, bitlen, bitpos, lut_gap, first, zA, zB;
+   mp_int tka, tkb, order;
 
-   if (mp_init_multi(&tka, &tkb, 0, 0, 0, 0) != MP_OKAY)
+   if (mp_init_multi(&tka, &tkb, &order, NULL, NULL, NULL) != MP_OKAY)
        return MP_INIT_E;
 
    /* if it's smaller than modulus we fine */
@@ -3871,37 +9073,30 @@ static int accel_fp_mul2add(int idx1, int idx2,
       for (x = 0; ecc_sets[x].size; x++) {
          if (y <= (unsigned)ecc_sets[x].size) break;
       }
-   
+
       /* back off if we are on the 521 bit curve */
       if (y == 66) --x;
-      
-      if ((err = mp_init(&order)) != MP_OKAY) {
-         mp_clear(&tkb);
-         mp_clear(&tka);
-         return err;
-      }      
-      if ((err = mp_read_radix(&order, ecc_sets[x].order, 16)) != MP_OKAY) {
-         mp_clear(&tkb);
-         mp_clear(&tka);
-         mp_clear(&order);
-         return err;
+
+      if ((err = mp_read_radix(&order, ecc_sets[x].order,
+                                                MP_RADIX_HEX)) != MP_OKAY) {
+         goto done;
       }
 
       /* kA must be less than modulus */
       if (mp_cmp(kA, &order) != MP_LT) {
          if ((err = mp_mod(kA, &order, &tka)) != MP_OKAY) {
-            mp_clear(&tkb);
-            mp_clear(&tka);
-            mp_clear(&order);
-            return err;
+            goto done;
          }
       } else {
-         mp_copy(kA, &tka);
+         if ((err = mp_copy(kA, &tka)) != MP_OKAY) {
+            goto done;
+         }
       }
-      mp_clear(&order);
    } else {
-      mp_copy(kA, &tka);
-   }       
+      if ((err = mp_copy(kA, &tka)) != MP_OKAY) {
+         goto done;
+      }
+   }
 
    /* if it's smaller than modulus we fine */
    if (mp_unsigned_bin_size(kB) > mp_unsigned_bin_size(modulus)) {
@@ -3910,97 +9105,88 @@ static int accel_fp_mul2add(int idx1, int idx2,
       for (x = 0; ecc_sets[x].size; x++) {
          if (y <= (unsigned)ecc_sets[x].size) break;
       }
-   
+
       /* back off if we are on the 521 bit curve */
       if (y == 66) --x;
-      
-      if ((err = mp_init(&order)) != MP_OKAY) {
-         mp_clear(&tkb);
-         mp_clear(&tka);
-         return err;
-      }      
-      if ((err = mp_read_radix(&order, ecc_sets[x].order, 16)) != MP_OKAY) {
-         mp_clear(&tkb);
-         mp_clear(&tka);
-         mp_clear(&order);
-         return err;
+
+      if ((err = mp_read_radix(&order, ecc_sets[x].order,
+                                                MP_RADIX_HEX)) != MP_OKAY) {
+         goto done;
       }
 
       /* kB must be less than modulus */
       if (mp_cmp(kB, &order) != MP_LT) {
          if ((err = mp_mod(kB, &order, &tkb)) != MP_OKAY) {
-            mp_clear(&tkb);
-            mp_clear(&tka);
-            mp_clear(&order);
-            return err;
+            goto done;
          }
       } else {
-         mp_copy(kB, &tkb);
+         if ((err = mp_copy(kB, &tkb)) != MP_OKAY) {
+            goto done;
+         }
       }
-      mp_clear(&order);
    } else {
-      mp_copy(kB, &tkb);
-   }     
+      if ((err = mp_copy(kB, &tkb)) != MP_OKAY) {
+         goto done;
+      }
+   }
 
    /* get bitlen and round up to next multiple of FP_LUT */
    bitlen  = mp_unsigned_bin_size(modulus) << 3;
    x       = bitlen % FP_LUT;
    if (x) {
       bitlen += FP_LUT - x;
-   }  
+   }
    lut_gap = bitlen / FP_LUT;
-        
+
    /* get the k value */
    if ((mp_unsigned_bin_size(&tka) > (int)(KB_SIZE - 2)) ||
        (mp_unsigned_bin_size(&tkb) > (int)(KB_SIZE - 2))  ) {
-      mp_clear(&tka);
-      mp_clear(&tkb);
-      return BUFFER_E;
+      err = BUFFER_E; goto done;
    }
-   
+
    /* store k */
 #ifdef WOLFSSL_SMALL_STACK
-   kb[0] = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-   if (kb[0] == NULL)
-      return MEMORY_E;
+   kb[0] = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+   if (kb[0] == NULL) {
+      err = MEMORY_E; goto done;
+   }
 #endif
 
    XMEMSET(kb[0], 0, KB_SIZE);
    if ((err = mp_to_unsigned_bin(&tka, kb[0])) != MP_OKAY) {
-      mp_clear(&tka);
-      mp_clear(&tkb);
-      XFREE(kb[0], NULL, DYNAMIC_TYPE_TMP_BUFFER);
-      return err;
+      goto done;
    }
-   
+
    /* let's reverse kb so it's little endian */
    x = 0;
-   y = mp_unsigned_bin_size(&tka) - 1;
+   y = mp_unsigned_bin_size(&tka);
+   if (y > 0) {
+       y -= 1;
+   }
    mp_clear(&tka);
    while ((unsigned)x < y) {
-      z = kb[0][x]; kb[0][x] = kb[0][y]; kb[0][y] = z;
+      z = kb[0][x]; kb[0][x] = kb[0][y]; kb[0][y] = (byte)z;
       ++x; --y;
-   }      
-   
+   }
+
    /* store b */
 #ifdef WOLFSSL_SMALL_STACK
-   kb[1] = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   kb[1] = (unsigned char*)XMALLOC(KB_SIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
    if (kb[1] == NULL) {
-      XFREE(kb[0], NULL, DYNAMIC_TYPE_TMP_BUFFER);
-      return MEMORY_E;
+      err = MEMORY_E; goto done;
    }
 #endif
 
    XMEMSET(kb[1], 0, KB_SIZE);
-   if ((err = mp_to_unsigned_bin(&tkb, kb[1])) != MP_OKAY) {
-      mp_clear(&tkb);
-   }
-   else {
+   if ((err = mp_to_unsigned_bin(&tkb, kb[1])) == MP_OKAY) {
       x = 0;
-      y = mp_unsigned_bin_size(&tkb) - 1;
-      mp_clear(&tkb);
+      y = mp_unsigned_bin_size(&tkb);
+      if (y > 0) {
+          y -= 1;
+      }
+
       while ((unsigned)x < y) {
-         z = kb[1][x]; kb[1][x] = kb[1][y]; kb[1][y] = z;
+         z = kb[1][x]; kb[1][x] = kb[1][y]; kb[1][y] = (byte)z;
          ++x; --y;
       }
 
@@ -4019,31 +9205,82 @@ static int accel_fp_mul2add(int idx1, int idx2,
 
           /* double if not first */
           if (!first) {
-             if ((err = ecc_projective_dbl_point(R, R, modulus,
+             if ((err = ecc_projective_dbl_point(R, R, a, modulus,
                                                               mp)) != MP_OKAY) {
                 break;
              }
-          }
 
-          /* add if not first, otherwise copy */
-          if (!first) {
+             /* add if not first, otherwise copy */
              if (zA) {
                 if ((err = ecc_projective_add_point(R, fp_cache[idx1].LUT[zA],
-                                                  R, modulus, mp)) != MP_OKAY) {
+                                               R, a, modulus, mp)) != MP_OKAY) {
                    break;
                 }
+                if (mp_iszero(R->z)) {
+                    /* When all zero then should have done an add */
+                    if (mp_iszero(R->x) && mp_iszero(R->y)) {
+                        if ((err = ecc_projective_dbl_point(
+                                                  fp_cache[idx1].LUT[zA], R,
+                                                  a, modulus, mp)) != MP_OKAY) {
+                            break;
+                        }
+                    }
+                    /* When only Z zero then result is infinity */
+                    else {
+                       err = mp_set(R->x, 0);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       err = mp_set(R->y, 0);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       err = mp_copy(&fp_cache[idx1].mu, R->z);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       first = 1;
+                    }
+                }
              }
+
              if (zB) {
                 if ((err = ecc_projective_add_point(R, fp_cache[idx2].LUT[zB],
-                                                  R, modulus, mp)) != MP_OKAY) {
+                                               R, a, modulus, mp)) != MP_OKAY) {
                    break;
                 }
+                if (mp_iszero(R->z)) {
+                    /* When all zero then should have done an add */
+                    if (mp_iszero(R->x) && mp_iszero(R->y)) {
+                        if ((err = ecc_projective_dbl_point(
+                                                  fp_cache[idx2].LUT[zB], R,
+                                                  a, modulus, mp)) != MP_OKAY) {
+                            break;
+                        }
+                    }
+                    /* When only Z zero then result is infinity */
+                    else {
+                       err = mp_set(R->x, 0);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       err = mp_set(R->y, 0);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       err = mp_copy(&fp_cache[idx2].mu, R->z);
+                       if (err != MP_OKAY) {
+                          break;
+                       }
+                       first = 1;
+                    }
+                }
              }
           } else {
              if (zA) {
                  if ((mp_copy(fp_cache[idx1].LUT[zA]->x, R->x) != MP_OKAY) ||
-                    (mp_copy(fp_cache[idx1].LUT[zA]->y,  R->y) != MP_OKAY) ||
-                    (mp_copy(&fp_cache[idx1].mu,         R->z) != MP_OKAY)) {
+                     (mp_copy(fp_cache[idx1].LUT[zA]->y, R->y) != MP_OKAY) ||
+                     (mp_copy(&fp_cache[idx1].mu,        R->z) != MP_OKAY)) {
                      err = GEN_MEM_ERR;
                      break;
                  }
@@ -4052,14 +9289,40 @@ static int accel_fp_mul2add(int idx1, int idx2,
              if (zB && first == 0) {
                 if (zB) {
                    if ((err = ecc_projective_add_point(R,
-                           fp_cache[idx2].LUT[zB], R, modulus, mp)) != MP_OKAY){
+                        fp_cache[idx2].LUT[zB], R, a, modulus, mp)) != MP_OKAY){
                       break;
                    }
+                   if (mp_iszero(R->z)) {
+                       /* When all zero then should have done an add */
+                       if (mp_iszero(R->x) && mp_iszero(R->y)) {
+                           if ((err = ecc_projective_dbl_point(
+                                                  fp_cache[idx2].LUT[zB], R,
+                                                  a, modulus, mp)) != MP_OKAY) {
+                               break;
+                           }
+                       }
+                       /* When only Z zero then result is infinity */
+                       else {
+                          err = mp_set(R->x, 0);
+                          if (err != MP_OKAY) {
+                             break;
+                          }
+                          err = mp_set(R->y, 0);
+                          if (err != MP_OKAY) {
+                             break;
+                          }
+                          err = mp_copy(&fp_cache[idx2].mu, R->z);
+                          if (err != MP_OKAY) {
+                             break;
+                          }
+                          first = 1;
+                       }
+                   }
                 }
              } else if (zB && first == 1) {
                  if ((mp_copy(fp_cache[idx2].LUT[zB]->x, R->x) != MP_OKAY) ||
-                    (mp_copy(fp_cache[idx2].LUT[zB]->y, R->y) != MP_OKAY) ||
-                    (mp_copy(&fp_cache[idx2].mu,        R->z) != MP_OKAY)) {
+                     (mp_copy(fp_cache[idx2].LUT[zB]->y, R->y) != MP_OKAY) ||
+                     (mp_copy(&fp_cache[idx2].mu,        R->z) != MP_OKAY)) {
                      err = GEN_MEM_ERR;
                      break;
                  }
@@ -4069,47 +9332,64 @@ static int accel_fp_mul2add(int idx1, int idx2,
       }
    }
 
-   ForceZero(kb[0], KB_SIZE);
-   ForceZero(kb[1], KB_SIZE);
+done:
+   /* cleanup */
+   mp_clear(&tkb);
+   mp_clear(&tka);
+   mp_clear(&order);
+
+#ifdef WOLFSSL_SMALL_STACK
+   if (kb[0])
+#endif
+      ForceZero(kb[0], KB_SIZE);
+#ifdef WOLFSSL_SMALL_STACK
+   if (kb[1])
+#endif
+      ForceZero(kb[1], KB_SIZE);
 
 #ifdef WOLFSSL_SMALL_STACK
-   XFREE(kb[0], NULL, DYNAMIC_TYPE_TMP_BUFFER);
-   XFREE(kb[1], NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   XFREE(kb[0], NULL, DYNAMIC_TYPE_ECC_BUFFER);
+   XFREE(kb[1], NULL, DYNAMIC_TYPE_ECC_BUFFER);
 #endif
 
 #undef KB_SIZE
 
+    if (err != MP_OKAY)
+        return err;
+
    return ecc_map(R, modulus, mp);
 }
 
-/** ECC Fixed Point mulmod global
+
+/** ECC Fixed Point mulmod global with heap hint used
   Computes kA*A + kB*B = C using Shamir's Trick
   A        First point to multiply
   kA       What to multiple A by
   B        Second point to multiply
   kB       What to multiple B by
   C        [out] Destination point (can overlap with A or B)
-  modulus  Modulus for curve 
+  a        ECC curve parameter a
+  modulus  Modulus for curve
   return MP_OKAY on success
-*/ 
+*/
 int ecc_mul2add(ecc_point* A, mp_int* kA,
                 ecc_point* B, mp_int* kB,
-                ecc_point* C, mp_int* modulus)
+                ecc_point* C, mp_int* a, mp_int* modulus, void* heap)
 {
-   int  idx1 = -1, idx2 = -1, err = MP_OKAY, mpInit = 0;
+   int  idx1 = -1, idx2 = -1, err, mpInit = 0;
    mp_digit mp;
    mp_int   mu;
-  
+
    err = mp_init(&mu);
    if (err != MP_OKAY)
        return err;
 
 #ifndef HAVE_THREAD_LS
    if (initMutex == 0) {
-        InitMutex(&ecc_fp_lock);
+        wc_InitMutex(&ecc_fp_lock);
         initMutex = 1;
    }
-   if (LockMutex(&ecc_fp_lock) != 0)
+   if (wc_LockMutex(&ecc_fp_lock) != 0)
       return BAD_MUTEX_E;
 #endif /* HAVE_THREAD_LS */
 
@@ -4128,11 +9408,10 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
          ++(fp_cache[idx1].lru_count);
       }
 
-      if (err == MP_OKAY)
+      if (err == MP_OKAY) {
         /* find point */
         idx2 = find_base(B);
 
-      if (err == MP_OKAY) {
         /* no entry? */
         if (idx2 == -1) {
            /* find hole and add it */
@@ -4156,10 +9435,10 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
              mpInit = 1;
              err = mp_montgomery_calc_normalization(&mu, modulus);
            }
-                 
+
            if (err == MP_OKAY)
              /* build the LUT */
-               err = build_lut(idx1, modulus, &mp, &mu);
+               err = build_lut(idx1, a, modulus, mp, &mu);
         }
       }
 
@@ -4174,10 +9453,10 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
                     err = mp_montgomery_calc_normalization(&mu, modulus);
                 }
             }
-                 
-            if (err == MP_OKAY) 
+
+            if (err == MP_OKAY)
             /* build the LUT */
-              err = build_lut(idx2, modulus, &mp, &mu);
+              err = build_lut(idx2, a, modulus, mp, &mu);
         }
       }
 
@@ -4190,48 +9469,55 @@ int ecc_mul2add(ecc_point* A, mp_int* kA,
               err = mp_montgomery_setup(modulus, &mp);
            }
            if (err == MP_OKAY)
-             err = accel_fp_mul2add(idx1, idx2, kA, kB, C, modulus, &mp);
+             err = accel_fp_mul2add(idx1, idx2, kA, kB, C, a, modulus, mp);
         } else {
-           err = normal_ecc_mul2add(A, kA, B, kB, C, modulus);
+           err = normal_ecc_mul2add(A, kA, B, kB, C, a, modulus, heap);
         }
     }
 
 #ifndef HAVE_THREAD_LS
-    UnLockMutex(&ecc_fp_lock);
+    wc_UnLockMutex(&ecc_fp_lock);
 #endif /* HAVE_THREAD_LS */
     mp_clear(&mu);
 
     return err;
 }
 #endif
+#endif /* ECC_SHAMIR */
 
 /** ECC Fixed Point mulmod global
     k        The multiplicand
     G        Base point to multiply
     R        [out] Destination of product
+    a        ECC curve parameter a
     modulus  The modulus for the curve
-    map      [boolean] If non-zero maps the point back to affine co-ordinates,
+    map      [boolean] If non-zero maps the point back to affine coordinates,
              otherwise it's left in jacobian-montgomery form
     return MP_OKAY if successful
-*/   
-int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
-               int map)
+*/
+int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
+    mp_int* modulus, int map, void* heap)
 {
+#ifndef WOLFSSL_SP_MATH
    int   idx, err = MP_OKAY;
    mp_digit mp;
    mp_int   mu;
    int      mpSetup = 0;
 
+   if (k == NULL || G == NULL || R == NULL || a == NULL || modulus == NULL) {
+       return ECC_BAD_ARG_E;
+   }
+
    if (mp_init(&mu) != MP_OKAY)
        return MP_INIT_E;
-   
+
 #ifndef HAVE_THREAD_LS
    if (initMutex == 0) {
-        InitMutex(&ecc_fp_lock);
+        wc_InitMutex(&ecc_fp_lock);
         initMutex = 1;
    }
-   
-   if (LockMutex(&ecc_fp_lock) != 0)
+
+   if (wc_LockMutex(&ecc_fp_lock) != 0)
       return BAD_MUTEX_E;
 #endif /* HAVE_THREAD_LS */
 
@@ -4252,7 +9538,7 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
       }
 
 
-      if (err == MP_OKAY) { 
+      if (err == MP_OKAY) {
         /* if it's 2 build the LUT, if it's higher just use the LUT */
         if (idx >= 0 && fp_cache[idx].lru_count == 2) {
            /* compute mp */
@@ -4263,34 +9549,52 @@ int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus,
              mpSetup = 1;
              err = mp_montgomery_calc_normalization(&mu, modulus);
            }
-                 
-           if (err == MP_OKAY) 
+
+           if (err == MP_OKAY)
              /* build the LUT */
-             err = build_lut(idx, modulus, &mp, &mu);
+             err = build_lut(idx, a, modulus, mp, &mu);
         }
       }
 
-      if (err == MP_OKAY) { 
+      if (err == MP_OKAY) {
         if (idx >= 0 && fp_cache[idx].lru_count >= 2) {
            if (mpSetup == 0) {
               /* compute mp */
               err = mp_montgomery_setup(modulus, &mp);
            }
            if (err == MP_OKAY)
-             err = accel_fp_mul(idx, k, R, modulus, &mp, map);
+             err = accel_fp_mul(idx, k, R, a, modulus, mp, map);
         } else {
-           err = normal_ecc_mulmod(k, G, R, modulus, map);
+           err = normal_ecc_mulmod(k, G, R, a, modulus, map, heap);
         }
      }
 
 #ifndef HAVE_THREAD_LS
-    UnLockMutex(&ecc_fp_lock);
+    wc_UnLockMutex(&ecc_fp_lock);
 #endif /* HAVE_THREAD_LS */
     mp_clear(&mu);
 
     return err;
+#else
+    if (k == NULL || G == NULL || R == NULL || a == NULL || modulus == NULL) {
+        return ECC_BAD_ARG_E;
+    }
+
+#ifndef WOLFSSL_SP_NO_256
+    if (mp_count_bits(modulus) == 256) {
+        return sp_ecc_mulmod_256(k, G, R, map, heap);
+    }
+#endif
+#ifdef WOLFSSL_SP_384
+    if (mp_count_bits(modulus) == 384) {
+        return sp_ecc_mulmod_384(k, G, R, map, heap);
+    }
+#endif
+    return WC_KEY_SIZE_E;
+#endif
 }
 
+#ifndef WOLFSSL_SP_MATH
 /* helper function for freeing the cache ...
    must be called with the cache mutex locked */
 static void wc_ecc_fp_free_cache(void)
@@ -4299,38 +9603,41 @@ static void wc_ecc_fp_free_cache(void)
    for (x = 0; x < FP_ENTRIES; x++) {
       if (fp_cache[x].g != NULL) {
          for (y = 0; y < (1U<<FP_LUT); y++) {
-            ecc_del_point(fp_cache[x].LUT[y]);
+            wc_ecc_del_point(fp_cache[x].LUT[y]);
             fp_cache[x].LUT[y] = NULL;
          }
-         ecc_del_point(fp_cache[x].g);
+         wc_ecc_del_point(fp_cache[x].g);
          fp_cache[x].g         = NULL;
          mp_clear(&fp_cache[x].mu);
          fp_cache[x].lru_count = 0;
          fp_cache[x].lock = 0;
-      }         
+      }
    }
-}         
+}
+#endif
 
 /** Free the Fixed Point cache */
 void wc_ecc_fp_free(void)
 {
+#ifndef WOLFSSL_SP_MATH
 #ifndef HAVE_THREAD_LS
    if (initMutex == 0) {
-        InitMutex(&ecc_fp_lock);
+        wc_InitMutex(&ecc_fp_lock);
         initMutex = 1;
    }
-   
-   if (LockMutex(&ecc_fp_lock) == 0) {
+
+   if (wc_LockMutex(&ecc_fp_lock) == 0) {
 #endif /* HAVE_THREAD_LS */
 
        wc_ecc_fp_free_cache();
 
 #ifndef HAVE_THREAD_LS
-       UnLockMutex(&ecc_fp_lock);
-       FreeMutex(&ecc_fp_lock);
+       wc_UnLockMutex(&ecc_fp_lock);
+       wc_FreeMutex(&ecc_fp_lock);
        initMutex = 0;
    }
 #endif /* HAVE_THREAD_LS */
+#endif
 }
 
 
@@ -4340,21 +9647,21 @@ void wc_ecc_fp_free(void)
 
 
 enum ecCliState {
-    ecCLI_INIT      = 1,    
-    ecCLI_SALT_GET  = 2,    
-    ecCLI_SALT_SET  = 3,    
-    ecCLI_SENT_REQ  = 4,    
-    ecCLI_RECV_RESP = 5,    
-    ecCLI_BAD_STATE = 99    
+    ecCLI_INIT      = 1,
+    ecCLI_SALT_GET  = 2,
+    ecCLI_SALT_SET  = 3,
+    ecCLI_SENT_REQ  = 4,
+    ecCLI_RECV_RESP = 5,
+    ecCLI_BAD_STATE = 99
 };
 
 enum ecSrvState {
-    ecSRV_INIT      = 1,    
-    ecSRV_SALT_GET  = 2,    
-    ecSRV_SALT_SET  = 3,    
-    ecSRV_RECV_REQ  = 4,    
-    ecSRV_SENT_RESP = 5,    
-    ecSRV_BAD_STATE = 99    
+    ecSRV_INIT      = 1,
+    ecSRV_SALT_GET  = 2,
+    ecSRV_SALT_SET  = 3,
+    ecSRV_RECV_REQ  = 4,
+    ecSRV_SENT_RESP = 5,
+    ecSRV_BAD_STATE = 99
 };
 
 
@@ -4365,6 +9672,7 @@ struct ecEncCtx {
     word32    kdfSaltSz;   /* size of kdfSalt */
     word32    kdfInfoSz;   /* size of kdfInfo */
     word32    macSaltSz;   /* size of macSalt */
+    void*     heap;        /* heap hint for memory used */
     byte      clientSalt[EXCHANGE_SALT_SZ];  /* for msg exchange */
     byte      serverSalt[EXCHANGE_SALT_SZ];  /* for msg exchange */
     byte      encAlgo;     /* which encryption type */
@@ -4435,7 +9743,7 @@ int wc_ecc_ctx_set_peer_salt(ecEncCtx* ctx, const byte* salt)
             ctx->cliSt =  ecCLI_SALT_SET;
         else {
             ctx->cliSt =  ecCLI_BAD_STATE;
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
         }
     }
     else {
@@ -4444,7 +9752,7 @@ int wc_ecc_ctx_set_peer_salt(ecEncCtx* ctx, const byte* salt)
             ctx->srvSt =  ecSRV_SALT_SET;
         else {
             ctx->srvSt =  ecSRV_BAD_STATE;
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
         }
     }
 
@@ -4470,11 +9778,11 @@ int wc_ecc_ctx_set_peer_salt(ecEncCtx* ctx, const byte* salt)
 }
 
 
-static int ecc_ctx_set_salt(ecEncCtx* ctx, int flags, RNG* rng)
+static int ecc_ctx_set_salt(ecEncCtx* ctx, int flags, WC_RNG* rng)
 {
     byte* saltBuffer = NULL;
 
-    if (ctx == NULL || rng == NULL || flags == 0) 
+    if (ctx == NULL || rng == NULL || flags == 0)
         return BAD_FUNC_ARG;
 
     saltBuffer = (flags == REQ_RESP_CLIENT) ? ctx->clientSalt : ctx->serverSalt;
@@ -4501,8 +9809,8 @@ static void ecc_ctx_init(ecEncCtx* ctx, int flags)
 }
 
 
-/* allow ecc context reset so user doesn't have to init/free for resue */
-int wc_ecc_ctx_reset(ecEncCtx* ctx, RNG* rng)
+/* allow ecc context reset so user doesn't have to init/free for reuse */
+int wc_ecc_ctx_reset(ecEncCtx* ctx, WC_RNG* rng)
 {
     if (ctx == NULL || rng == NULL)
         return BAD_FUNC_ARG;
@@ -4512,14 +9820,16 @@ int wc_ecc_ctx_reset(ecEncCtx* ctx, RNG* rng)
 }
 
 
-/* alloc/init and set defaults, return new Context  */
-ecEncCtx* wc_ecc_ctx_new(int flags, RNG* rng)
+ecEncCtx* wc_ecc_ctx_new_ex(int flags, WC_RNG* rng, void* heap)
 {
     int       ret = 0;
-    ecEncCtx* ctx = (ecEncCtx*)XMALLOC(sizeof(ecEncCtx), 0, DYNAMIC_TYPE_ECC);
+    ecEncCtx* ctx = (ecEncCtx*)XMALLOC(sizeof(ecEncCtx), heap,
+                                                              DYNAMIC_TYPE_ECC);
 
-    if (ctx)
+    if (ctx) {
         ctx->protocol = (byte)flags;
+        ctx->heap     = heap;
+    }
 
     ret = wc_ecc_ctx_reset(ctx, rng);
     if (ret != 0) {
@@ -4531,12 +9841,19 @@ ecEncCtx* wc_ecc_ctx_new(int flags, RNG* rng)
 }
 
 
+/* alloc/init and set defaults, return new Context  */
+ecEncCtx* wc_ecc_ctx_new(int flags, WC_RNG* rng)
+{
+    return wc_ecc_ctx_new_ex(flags, rng, NULL);
+}
+
+
 /* free any resources, clear any keys */
 void wc_ecc_ctx_free(ecEncCtx* ctx)
 {
     if (ctx) {
         ForceZero(ctx, sizeof(ecEncCtx));
-        XFREE(ctx, 0, DYNAMIC_TYPE_ECC);
+        XFREE(ctx, ctx->heap, DYNAMIC_TYPE_ECC);
     }
 }
 
@@ -4548,7 +9865,7 @@ static int ecc_get_key_sizes(ecEncCtx* ctx, int* encKeySz, int* ivSz,
         switch (ctx->encAlgo) {
             case ecAES_128_CBC:
                 *encKeySz = KEY_SIZE_128;
-                *ivSz     = IV_SIZE_64;
+                *ivSz     = IV_SIZE_128;
                 *blockSz  = AES_BLOCK_SIZE;
                 break;
             default:
@@ -4557,7 +9874,7 @@ static int ecc_get_key_sizes(ecEncCtx* ctx, int* encKeySz, int* ivSz,
 
         switch (ctx->macAlgo) {
             case ecHMAC_SHA256:
-                *digestSz = SHA256_DIGEST_SIZE;
+                *digestSz = WC_SHA256_DIGEST_SIZE;
                 break;
             default:
                 return BAD_FUNC_ARG;
@@ -4573,12 +9890,12 @@ static int ecc_get_key_sizes(ecEncCtx* ctx, int* encKeySz, int* ivSz,
 
 /* ecc encrypt with shared secret run through kdf
    ctx holds non default algos and inputs
-   msgSz should be the right size for encAlgo, i.e., already padded 
+   msgSz should be the right size for encAlgo, i.e., already padded
    return 0 on success */
 int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
                 word32 msgSz, byte* out, word32* outSz, ecEncCtx* ctx)
 {
-    int          ret;
+    int          ret = 0;
     word32       blockSz;
     word32       digestSz;
     ecEncCtx     localCtx;
@@ -4604,9 +9921,9 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
     if (ctx == NULL) {  /* use defaults */
         ecc_ctx_init(&localCtx, 0);
-        ctx = &localCtx;  
+        ctx = &localCtx;
     }
-        
+
     ret = ecc_get_key_sizes(ctx, &encKeySz, &ivSz, &keysLen, &digestSz,
                             &blockSz);
     if (ret != 0)
@@ -4617,20 +9934,20 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
         keysLen *= 2;
 
         if (ctx->srvSt != ecSRV_RECV_REQ)
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
 
         ctx->srvSt = ecSRV_BAD_STATE; /* we're done no more ops allowed */
     }
     else if (ctx->protocol == REQ_RESP_CLIENT) {
         if (ctx->cliSt != ecCLI_SALT_SET)
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
 
         ctx->cliSt = ecCLI_SENT_REQ; /* only do this once */
     }
-        
+
     if (keysLen > ECC_BUFSIZE) /* keys size */
         return BUFFER_E;
-        
+
     if ( (msgSz%blockSz) != 0)
         return BAD_PADDING_E;
 
@@ -4638,23 +9955,29 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
         return BUFFER_E;
 
 #ifdef WOLFSSL_SMALL_STACK
-    sharedSecret = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    sharedSecret = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
     if (sharedSecret == NULL)
         return MEMORY_E;
 
-    keys = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    keys = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
     if (keys == NULL) {
-        XFREE(sharedSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(sharedSecret, NULL, DYNAMIC_TYPE_ECC_BUFFER);
         return MEMORY_E;
     }
 #endif
 
-    ret = wc_ecc_shared_secret(privKey, pubKey, sharedSecret, &sharedSz);
-
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+        ret = wc_AsyncWait(ret, &privKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        if (ret != 0)
+            break;
+    #endif
+        ret = wc_ecc_shared_secret(privKey, pubKey, sharedSecret, &sharedSz);
+    } while (ret == WC_PENDING_E);
     if (ret == 0) {
        switch (ctx->kdfAlgo) {
            case ecHKDF_SHA256 :
-               ret = wc_HKDF(SHA256, sharedSecret, sharedSz, ctx->kdfSalt,
+               ret = wc_HKDF(WC_SHA256, sharedSecret, sharedSz, ctx->kdfSalt,
                           ctx->kdfSaltSz, ctx->kdfInfo, ctx->kdfInfoSz,
                           keys, keysLen);
                break;
@@ -4674,11 +9997,21 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
            case ecAES_128_CBC:
                {
                    Aes aes;
-                   ret = wc_AesSetKey(&aes, encKey, KEY_SIZE_128, encIv,
+                   ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+                   if (ret == 0) {
+                       ret = wc_AesSetKey(&aes, encKey, KEY_SIZE_128, encIv,
                                                                 AES_ENCRYPTION);
+                       if (ret == 0) {
+                           ret = wc_AesCbcEncrypt(&aes, out, msg, msgSz);
+                       #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+                           ret = wc_AsyncWait(ret, &aes.asyncDev,
+                                              WC_ASYNC_FLAG_NONE);
+                       #endif
+                       }
+                       wc_AesFree(&aes);
+                   }
                    if (ret != 0)
-                       break;
-                   ret = wc_AesCbcEncrypt(&aes, out, msg, msgSz);
+                      break;
                }
                break;
 
@@ -4693,16 +10026,17 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
            case ecHMAC_SHA256:
                {
                    Hmac hmac;
-                   ret = wc_HmacSetKey(&hmac, SHA256, macKey, SHA256_DIGEST_SIZE);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacUpdate(&hmac, out, msgSz);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacUpdate(&hmac, ctx->macSalt, ctx->macSaltSz);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacFinal(&hmac, out+msgSz);
+                   ret = wc_HmacInit(&hmac, NULL, INVALID_DEVID);
+                   if (ret == 0) {
+                       ret = wc_HmacSetKey(&hmac, WC_SHA256, macKey, WC_SHA256_DIGEST_SIZE);
+                       if (ret == 0)
+                           ret = wc_HmacUpdate(&hmac, out, msgSz);
+                       if (ret == 0)
+                           ret = wc_HmacUpdate(&hmac, ctx->macSalt, ctx->macSaltSz);
+                       if (ret == 0)
+                           ret = wc_HmacFinal(&hmac, out+msgSz);
+                       wc_HmacFree(&hmac);
+                   }
                }
                break;
 
@@ -4716,8 +10050,8 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
        *outSz = msgSz + digestSz;
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(sharedSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(keys, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(sharedSecret, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+    XFREE(keys, NULL, DYNAMIC_TYPE_ECC_BUFFER);
 #endif
 
     return ret;
@@ -4730,7 +10064,7 @@ int wc_ecc_encrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
                 word32 msgSz, byte* out, word32* outSz, ecEncCtx* ctx)
 {
-    int          ret;
+    int          ret = 0;
     word32       blockSz;
     word32       digestSz;
     ecEncCtx     localCtx;
@@ -4756,33 +10090,33 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
     if (ctx == NULL) {  /* use defaults */
         ecc_ctx_init(&localCtx, 0);
-        ctx = &localCtx;  
+        ctx = &localCtx;
     }
-        
+
     ret = ecc_get_key_sizes(ctx, &encKeySz, &ivSz, &keysLen, &digestSz,
                             &blockSz);
     if (ret != 0)
         return ret;
-        
+
     if (ctx->protocol == REQ_RESP_CLIENT) {
         offset = keysLen;
         keysLen *= 2;
 
         if (ctx->cliSt != ecCLI_SENT_REQ)
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
 
         ctx->cliSt = ecSRV_BAD_STATE; /* we're done no more ops allowed */
     }
     else if (ctx->protocol == REQ_RESP_SERVER) {
         if (ctx->srvSt != ecSRV_SALT_SET)
-            return BAD_ENC_STATE_E;
+            return BAD_STATE_E;
 
         ctx->srvSt = ecSRV_RECV_REQ; /* only do this once */
     }
-        
+
     if (keysLen > ECC_BUFSIZE) /* keys size */
         return BUFFER_E;
-        
+
     if ( ((msgSz-digestSz) % blockSz) != 0)
         return BAD_PADDING_E;
 
@@ -4790,23 +10124,29 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
         return BUFFER_E;
 
 #ifdef WOLFSSL_SMALL_STACK
-    sharedSecret = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    sharedSecret = (byte*)XMALLOC(ECC_MAXSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
     if (sharedSecret == NULL)
         return MEMORY_E;
 
-    keys = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    keys = (byte*)XMALLOC(ECC_BUFSIZE, NULL, DYNAMIC_TYPE_ECC_BUFFER);
     if (keys == NULL) {
-        XFREE(sharedSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(sharedSecret, NULL, DYNAMIC_TYPE_ECC_BUFFER);
         return MEMORY_E;
     }
 #endif
 
-    ret = wc_ecc_shared_secret(privKey, pubKey, sharedSecret, &sharedSz);
-
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
+        ret = wc_AsyncWait(ret, &privKey->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        if (ret != 0)
+            break;
+    #endif
+        ret = wc_ecc_shared_secret(privKey, pubKey, sharedSecret, &sharedSz);
+    } while (ret == WC_PENDING_E);
     if (ret == 0) {
        switch (ctx->kdfAlgo) {
            case ecHKDF_SHA256 :
-               ret = wc_HKDF(SHA256, sharedSecret, sharedSz, ctx->kdfSalt,
+               ret = wc_HKDF(WC_SHA256, sharedSecret, sharedSz, ctx->kdfSalt,
                           ctx->kdfSaltSz, ctx->kdfInfo, ctx->kdfInfoSz,
                           keys, keysLen);
                break;
@@ -4824,25 +10164,28 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
        switch (ctx->macAlgo) {
            case ecHMAC_SHA256:
-               {
-                   byte verify[SHA256_DIGEST_SIZE];
-                   Hmac hmac;
-                   ret = wc_HmacSetKey(&hmac, SHA256, macKey, SHA256_DIGEST_SIZE);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacUpdate(&hmac, msg, msgSz-digestSz);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacUpdate(&hmac, ctx->macSalt, ctx->macSaltSz);
-                   if (ret != 0)
-                       break;
-                   ret = wc_HmacFinal(&hmac, verify);
-                   if (ret != 0)
-                       break;
-                   if (memcmp(verify, msg + msgSz - digestSz, digestSz) != 0)
-                       ret = -1;
+           {
+               byte verify[WC_SHA256_DIGEST_SIZE];
+               Hmac hmac;
+
+               ret = wc_HmacInit(&hmac, NULL, INVALID_DEVID);
+               if (ret == 0) {
+                   ret = wc_HmacSetKey(&hmac, WC_SHA256, macKey, WC_SHA256_DIGEST_SIZE);
+                   if (ret == 0)
+                       ret = wc_HmacUpdate(&hmac, msg, msgSz-digestSz);
+                   if (ret == 0)
+                       ret = wc_HmacUpdate(&hmac, ctx->macSalt, ctx->macSaltSz);
+                   if (ret == 0)
+                       ret = wc_HmacFinal(&hmac, verify);
+                   if (ret == 0) {
+                      if (XMEMCMP(verify, msg + msgSz - digestSz, digestSz) != 0)
+                          ret = -1;
+                   }
+
+                   wc_HmacFree(&hmac);
                }
                break;
+           }
 
            default:
                ret = BAD_FUNC_ARG;
@@ -4852,6 +10195,7 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
     if (ret == 0) {
        switch (ctx->encAlgo) {
+    #ifdef HAVE_AES_CBC
            case ecAES_128_CBC:
                {
                    Aes aes;
@@ -4860,9 +10204,12 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
                    if (ret != 0)
                        break;
                    ret = wc_AesCbcDecrypt(&aes, out, msg, msgSz-digestSz);
+                #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
+                   ret = wc_AsyncWait(ret, &aes.asyncDev, WC_ASYNC_FLAG_NONE);
+                #endif
                }
                break;
-
+    #endif
            default:
                ret = BAD_FUNC_ARG;
                break;
@@ -4873,8 +10220,8 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
        *outSz = msgSz - digestSz;
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(sharedSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(keys, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(sharedSecret, NULL, DYNAMIC_TYPE_ECC_BUFFER);
+    XFREE(keys, NULL, DYNAMIC_TYPE_ECC_BUFFER);
 #endif
 
     return ret;
@@ -4885,25 +10232,36 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
 
 
 #ifdef HAVE_COMP_KEY
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
 
-/* computes the jacobi c = (a | n) (or Legendre if n is prime)
- * HAC pp. 73 Algorithm 2.149
- */
-int mp_jacobi(mp_int* a, mp_int* p, int* c)
+#ifndef WOLFSSL_SP_MATH
+int do_mp_jacobi(mp_int* a, mp_int* n, int* c);
+
+int do_mp_jacobi(mp_int* a, mp_int* n, int* c)
 {
-  mp_int   a1, p1;
-  int      k, s, r, res;
+  int      k, s, res;
+  int      r = 0; /* initialize to help static analysis out */
   mp_digit residue;
 
-  /* if p <= 0 return MP_VAL */
-  if (mp_cmp_d(p, 0) != MP_GT) {
+  /* if a < 0 return MP_VAL */
+  if (mp_isneg(a) == MP_YES) {
      return MP_VAL;
   }
 
-  /* step 1.  if a == 0, return 0 */
-  if (mp_iszero (a) == 1) {
-    *c = 0;
-    return MP_OKAY;
+  /* if n <= 0 return MP_VAL */
+  if (mp_cmp_d(n, 0) != MP_GT) {
+     return MP_VAL;
+  }
+
+  /* step 1. handle case of a == 0 */
+  if (mp_iszero (a) == MP_YES) {
+     /* special case of a == 0 and n == 1 */
+     if (mp_cmp_d (n, 1) == MP_EQ) {
+       *c = 1;
+     } else {
+       *c = 0;
+     }
+     return MP_OKAY;
   }
 
   /* step 2.  if a == 1, return 1 */
@@ -4915,19 +10273,9 @@ int mp_jacobi(mp_int* a, mp_int* p, int* c)
   /* default */
   s = 0;
 
-  /* step 3.  write a = a1 * 2**k  */
-  if ((res = mp_init_copy (&a1, a)) != MP_OKAY) {
-    return res;
-  }
-
-  if ((res = mp_init (&p1)) != MP_OKAY) {
-    mp_clear(&a1);
-    return res;
-  }
-
   /* divide out larger power of two */
-  k = mp_cnt_lsb(&a1);
-  res = mp_div_2d(&a1, k, &a1, NULL);
+  k = mp_cnt_lsb(a);
+  res = mp_div_2d(a, k, a, NULL);
 
   if (res == MP_OKAY) {
     /* step 4.  if e is even set s=1 */
@@ -4935,7 +10283,7 @@ int mp_jacobi(mp_int* a, mp_int* p, int* c)
       s = 1;
     } else {
       /* else set s=1 if p = 1/7 (mod 8) or s=-1 if p = 3/5 (mod 8) */
-      residue = p->dp[0] & 7;
+      residue = n->dp[0] & 7;
 
       if (residue == 1 || residue == 7) {
         s = 1;
@@ -4944,50 +10292,114 @@ int mp_jacobi(mp_int* a, mp_int* p, int* c)
       }
     }
 
-    /* step 5.  if p == 3 (mod 4) *and* a1 == 3 (mod 4) then s = -s */
-    if ( ((p->dp[0] & 3) == 3) && ((a1.dp[0] & 3) == 3)) {
+    /* step 5.  if p == 3 (mod 4) *and* a == 3 (mod 4) then s = -s */
+    if ( ((n->dp[0] & 3) == 3) && ((a->dp[0] & 3) == 3)) {
       s = -s;
     }
   }
 
   if (res == MP_OKAY) {
-    /* if a1 == 1 we're done */
-    if (mp_cmp_d (&a1, 1) == MP_EQ) {
+    /* if a == 1 we're done */
+    if (mp_cmp_d(a, 1) == MP_EQ) {
       *c = s;
     } else {
-      /* n1 = n mod a1 */
-      res = mp_mod (p, &a1, &p1);
+      /* n1 = n mod a */
+      res = mp_mod (n, a, n);
       if (res == MP_OKAY)
-        res = mp_jacobi (&p1, &a1, &r);
+        res = do_mp_jacobi(n, a, &r);
 
       if (res == MP_OKAY)
-      *c = s * r;
+        *c = s * r;
     }
   }
 
-  /* done */
-  mp_clear (&p1);
-  mp_clear (&a1);
+  return res;
+}
+
+
+/* computes the jacobi c = (a | n) (or Legendre if n is prime)
+ * HAC pp. 73 Algorithm 2.149
+ * HAC is wrong here, as the special case of (0 | 1) is not
+ * handled correctly.
+ */
+int mp_jacobi(mp_int* a, mp_int* n, int* c)
+{
+    mp_int   a1, n1;
+    int      res;
+
+    /* step 3.  write a = a1 * 2**k  */
+    if ((res = mp_init_multi(&a1, &n1, NULL, NULL, NULL, NULL)) != MP_OKAY) {
+        return res;
+    }
+
+    if ((res = mp_copy(a, &a1)) != MP_OKAY) {
+        goto done;
+    }
+
+    if ((res = mp_copy(n, &n1)) != MP_OKAY) {
+        goto done;
+    }
+
+    res = do_mp_jacobi(&a1, &n1, c);
+
+done:
+  /* cleanup */
+  mp_clear(&n1);
+  mp_clear(&a1);
 
   return res;
 }
 
 
+/* Solves the modular equation x^2 = n (mod p)
+ * where prime number is greater than 2 (odd prime).
+ * The result is returned in the third argument x
+ * the function returns MP_OKAY on success, MP_VAL or another error on failure
+ */
 int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
 {
+#ifdef SQRTMOD_USE_MOD_EXP
+  int res;
+
+  mp_int e;
+
+  res = mp_init(&e);
+  if (res == MP_OKAY)
+      res = mp_add_d(prime, 1, &e);
+  if (res == MP_OKAY)
+      res = mp_div_2d(&e, 2, &e, NULL);
+  if (res == MP_OKAY)
+      res = mp_exptmod(n, &e, prime, ret);
+
+  mp_clear(&e);
+
+  return res;
+#else
   int res, legendre, done = 0;
   mp_int t1, C, Q, S, Z, M, T, R, two;
   mp_digit i;
 
-  /* first handle the simple cases */
+  /* first handle the simple cases n = 0 or n = 1 */
   if (mp_cmp_d(n, 0) == MP_EQ) {
     mp_zero(ret);
     return MP_OKAY;
   }
-  if (mp_cmp_d(prime, 2) == MP_EQ)       return MP_VAL; /* prime must be odd */
-  /* TAO removed
-  if ((res = mp_jacobi(n, prime, &legendre)) != MP_OKAY)      return res;
-  if (legendre == -1)  return MP_VAL; */ /* quadratic non-residue mod prime */
+  if (mp_cmp_d(n, 1) == MP_EQ) {
+    return mp_set(ret, 1);
+  }
+
+  /* prime must be odd */
+  if (mp_cmp_d(prime, 2) == MP_EQ) {
+    return MP_VAL;
+  }
+
+  /* is quadratic non-residue mod prime */
+  if ((res = mp_jacobi(n, prime, &legendre)) != MP_OKAY) {
+    return res;
+  }
+  if (legendre == -1) {
+    return MP_VAL;
+  }
 
   if ((res = mp_init_multi(&t1, &C, &Q, &S, &Z, &M)) != MP_OKAY)
     return res;
@@ -5018,61 +10430,72 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
   }
 
   /* NOW: TonelliShanks algorithm */
+  if (res == MP_OKAY && done == 0) {
 
- if (res == MP_OKAY && done == 0) {
-
-   /* factor out powers of 2 from prime-1, defining Q and S
+    /* factor out powers of 2 from prime-1, defining Q and S
     *                                      as: prime-1 = Q*2^S */
+    /* Q = prime - 1 */
     res = mp_copy(prime, &Q);
     if (res == MP_OKAY)
       res = mp_sub_d(&Q, 1, &Q);
-    /* Q = prime - 1 */
+
+    /* S = 0 */
     if (res == MP_OKAY)
       mp_zero(&S);
-    /* S = 0 */
-    while (res == MP_OKAY && mp_iseven(&Q)) {
-      res = mp_div_2(&Q, &Q);
+
+    while (res == MP_OKAY && mp_iseven(&Q) == MP_YES) {
       /* Q = Q / 2 */
+      res = mp_div_2(&Q, &Q);
+
+      /* S = S + 1 */
       if (res == MP_OKAY)
         res = mp_add_d(&S, 1, &S);
-        /* S = S + 1 */
     }
 
     /* find a Z such that the Legendre symbol (Z|prime) == -1 */
+    /* Z = 2 */
     if (res == MP_OKAY)
       res = mp_set_int(&Z, 2);
-    /* Z = 2 */
+
     while (res == MP_OKAY) {
       res = mp_jacobi(&Z, prime, &legendre);
       if (res == MP_OKAY && legendre == -1)
         break;
+
+      /* Z = Z + 1 */
       if (res == MP_OKAY)
         res = mp_add_d(&Z, 1, &Z);
-        /* Z = Z + 1 */
     }
 
+    /* C = Z ^ Q mod prime */
     if (res == MP_OKAY)
       res = mp_exptmod(&Z, &Q, prime, &C);
-      /* C = Z ^ Q mod prime */
+
+    /* t1 = (Q + 1) / 2 */
     if (res == MP_OKAY)
       res = mp_add_d(&Q, 1, &t1);
     if (res == MP_OKAY)
       res = mp_div_2(&t1, &t1);
-      /* t1 = (Q + 1) / 2 */
+
+    /* R = n ^ ((Q + 1) / 2) mod prime */
     if (res == MP_OKAY)
       res = mp_exptmod(n, &t1, prime, &R);
-    /* R = n ^ ((Q + 1) / 2) mod prime */
+
+    /* T = n ^ Q mod prime */
     if (res == MP_OKAY)
       res = mp_exptmod(n, &Q, prime, &T);
-    /* T = n ^ Q mod prime */
+
+    /* M = S */
     if (res == MP_OKAY)
       res = mp_copy(&S, &M);
-    /* M = S */
+
     if (res == MP_OKAY)
       res = mp_set_int(&two, 2);
 
     while (res == MP_OKAY && done == 0) {
       res = mp_copy(&T, &t1);
+
+      /* reduce to 1 and count */
       i = 0;
       while (res == MP_OKAY) {
         if (mp_cmp_d(&t1, 1) == MP_EQ)
@@ -5082,34 +10505,38 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
           i++;
       }
       if (res == MP_OKAY && i == 0) {
-        mp_copy(&R, ret);
-        res = MP_OKAY;
+        res = mp_copy(&R, ret);
         done = 1;
       }
 
       if (done == 0) {
+        /* t1 = 2 ^ (M - i - 1) */
         if (res == MP_OKAY)
           res = mp_sub_d(&M, i, &t1);
         if (res == MP_OKAY)
           res = mp_sub_d(&t1, 1, &t1);
         if (res == MP_OKAY)
           res = mp_exptmod(&two, &t1, prime, &t1);
-        /* t1 = 2 ^ (M - i - 1) */
-        if (res == MP_OKAY)
-          res = mp_exptmod(&C, &t1, prime, &t1);
+
         /* t1 = C ^ (2 ^ (M - i - 1)) mod prime */
         if (res == MP_OKAY)
-          res = mp_sqrmod(&t1, prime, &C);
+          res = mp_exptmod(&C, &t1, prime, &t1);
+
         /* C = (t1 * t1) mod prime */
         if (res == MP_OKAY)
-          res = mp_mulmod(&R, &t1, prime, &R);
+          res = mp_sqrmod(&t1, prime, &C);
+
         /* R = (R * t1) mod prime */
         if (res == MP_OKAY)
-          res = mp_mulmod(&T, &C, prime, &T);
+          res = mp_mulmod(&R, &t1, prime, &R);
+
         /* T = (T * C) mod prime */
         if (res == MP_OKAY)
-          mp_set(&M, i);
+          res = mp_mulmod(&T, &C, prime, &T);
+
         /* M = i */
+        if (res == MP_OKAY)
+          res = mp_set(&M, i);
       }
     }
   }
@@ -5126,19 +10553,22 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
   mp_clear(&two);
 
   return res;
+#endif
 }
+#endif
+#endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL */
 
 
 /* export public ECC key in ANSI X9.63 format compressed */
-int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen)
+static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen)
 {
    word32 numlen;
    int    ret = MP_OKAY;
 
    if (key == NULL || out == NULL || outLen == NULL)
-       return ECC_BAD_ARG_E;
+       return BAD_FUNC_ARG;
 
-   if (ecc_is_valid_idx(key->idx) == 0) {
+   if (wc_ecc_is_valid_idx(key->idx) == 0) {
       return ECC_BAD_ARG_E;
    }
    numlen = key->dp->size;
@@ -5149,38 +10579,183 @@ int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen)
    }
 
    /* store first byte */
-   out[0] = mp_isodd(key->pubkey.y) ? 0x03 : 0x02;
+   out[0] = mp_isodd(key->pubkey.y) == MP_YES ? ECC_POINT_COMP_ODD : ECC_POINT_COMP_EVEN;
 
    /* pad and store x */
    XMEMSET(out+1, 0, numlen);
    ret = mp_to_unsigned_bin(key->pubkey.x,
                        out+1 + (numlen - mp_unsigned_bin_size(key->pubkey.x)));
    *outLen = 1 + numlen;
+
    return ret;
 }
 
+#endif /* HAVE_COMP_KEY */
+
 
-/* d = a - b (mod c) */
-int mp_submod(mp_int* a, mp_int* b, mp_int* c, mp_int* d)
+int wc_ecc_get_oid(word32 oidSum, const byte** oid, word32* oidSz)
 {
-  int     res;
-  mp_int  t;
+    int x;
 
-  if ((res = mp_init (&t)) != MP_OKAY) {
-    return res;
-  }
+    if (oidSum == 0) {
+        return BAD_FUNC_ARG;
+    }
 
-  if ((res = mp_sub (a, b, &t)) != MP_OKAY) {
-    mp_clear (&t);
-    return res;
-  }
-  res = mp_mod (&t, c, d);
-  mp_clear (&t);
+    /* find matching OID sum (based on encoded value) */
+    for (x = 0; ecc_sets[x].size != 0; x++) {
+        if (ecc_sets[x].oidSum == oidSum) {
+            int ret;
+        #ifdef HAVE_OID_ENCODING
+            ret = 0;
+            /* check cache */
+            oid_cache_t* o = &ecc_oid_cache[x];
+            if (o->oidSz == 0) {
+                o->oidSz = sizeof(o->oid);
+                ret = EncodeObjectId(ecc_sets[x].oid, ecc_sets[x].oidSz,
+                                                            o->oid, &o->oidSz);
+            }
+            if (oidSz) {
+                *oidSz = o->oidSz;
+            }
+            if (oid) {
+                *oid = o->oid;
+            }
+            /* on success return curve id */
+            if (ret == 0) {
+                ret = ecc_sets[x].id;
+            }
+        #else
+            if (oidSz) {
+                *oidSz = ecc_sets[x].oidSz;
+            }
+            if (oid) {
+                *oid = ecc_sets[x].oid;
+            }
+            ret = ecc_sets[x].id;
+        #endif
+            return ret;
+        }
+    }
 
-  return res;
+    return NOT_COMPILED_IN;
 }
 
+#ifdef WOLFSSL_CUSTOM_CURVES
+int wc_ecc_set_custom_curve(ecc_key* key, const ecc_set_type* dp)
+{
+    if (key == NULL || dp == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-#endif /* HAVE_COMP_KEY */
+    key->idx = ECC_CUSTOM_IDX;
+    key->dp = dp;
+
+    return 0;
+}
+#endif /* WOLFSSL_CUSTOM_CURVES */
+
+#ifdef HAVE_X963_KDF
+
+static WC_INLINE void IncrementX963KdfCounter(byte* inOutCtr)
+{
+    int i;
+
+    /* in network byte order so start at end and work back */
+    for (i = 3; i >= 0; i--) {
+        if (++inOutCtr[i])  /* we're done unless we overflow */
+            return;
+    }
+}
+
+/* ASN X9.63 Key Derivation Function (SEC1) */
+int wc_X963_KDF(enum wc_HashType type, const byte* secret, word32 secretSz,
+                const byte* sinfo, word32 sinfoSz, byte* out, word32 outSz)
+{
+    int ret, i;
+    int digestSz, copySz;
+    int remaining = outSz;
+    byte* outIdx;
+    byte  counter[4];
+    byte  tmp[WC_MAX_DIGEST_SIZE];
+
+#ifdef WOLFSSL_SMALL_STACK
+    wc_HashAlg* hash;
+#else
+    wc_HashAlg hash[1];
+#endif
+
+    if (secret == NULL || secretSz == 0 || out == NULL)
+        return BAD_FUNC_ARG;
+
+    /* X9.63 allowed algos only */
+    if (type != WC_HASH_TYPE_SHA    && type != WC_HASH_TYPE_SHA224 &&
+        type != WC_HASH_TYPE_SHA256 && type != WC_HASH_TYPE_SHA384 &&
+        type != WC_HASH_TYPE_SHA512)
+        return BAD_FUNC_ARG;
+
+    digestSz = wc_HashGetDigestSize(type);
+    if (digestSz < 0)
+        return digestSz;
+
+#ifdef WOLFSSL_SMALL_STACK
+    hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), NULL,
+                                DYNAMIC_TYPE_HASHES);
+    if (hash == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_HashInit(hash, type);
+    if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(hash, NULL, DYNAMIC_TYPE_HASHES);
+#endif
+        return ret;
+    }
+
+    outIdx = out;
+    XMEMSET(counter, 0, sizeof(counter));
+
+    for (i = 1; remaining > 0; i++) {
+
+        IncrementX963KdfCounter(counter);
+
+        ret = wc_HashUpdate(hash, type, secret, secretSz);
+        if (ret != 0) {
+            break;
+        }
+
+        ret = wc_HashUpdate(hash, type, counter, sizeof(counter));
+        if (ret != 0) {
+            break;
+        }
+
+        if (sinfo) {
+            ret = wc_HashUpdate(hash, type, sinfo, sinfoSz);
+            if (ret != 0) {
+                break;
+            }
+        }
+
+        ret = wc_HashFinal(hash, type, tmp);
+        if (ret != 0) {
+            break;
+        }
+
+        copySz = min(remaining, digestSz);
+        XMEMCPY(outIdx, tmp, copySz);
+
+        remaining -= copySz;
+        outIdx += copySz;
+    }
+
+    wc_HashFree(hash, type);
+
+#ifdef WOLFSSL_SMALL_STACK
+     XFREE(hash, NULL, DYNAMIC_TYPE_HASHES);
+#endif
+
+    return ret;
+}
+#endif /* HAVE_X963_KDF */
 
 #endif /* HAVE_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c
index ba0dcbe53..8057caa7c 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c
@@ -1,8 +1,8 @@
 /* ed25519.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
  /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
 
 #ifdef HAVE_CONFIG_H
@@ -32,22 +33,67 @@
 
 #include <wolfssl/wolfcrypt/ed25519.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#ifdef FREESCALE_LTC_ECC
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
 
-/*
-    generate an ed25519 key pair.
-    returns 0 on success
- */
-int wc_ed25519_make_key(RNG* rng, int keySz, ed25519_key* key)
+#if defined(HAVE_ED25519_SIGN) || defined(HAVE_ED25519_VERIFY)
+#define ED25519CTX_SIZE    32
+
+static const byte ed25519Ctx[ED25519CTX_SIZE+1] =
+                                             "SigEd25519 no Ed25519 collisions";
+#endif
+
+int wc_ed25519_make_public(ed25519_key* key, unsigned char* pubKey,
+                           word32 pubKeySz)
 {
-    byte  az[64];
-    int   ret;
+    int   ret = 0;
+    byte  az[ED25519_PRV_KEY_SIZE];
+#if !defined(FREESCALE_LTC_ECC)
     ge_p3 A;
+#endif
+
+    if (key == NULL || pubKeySz != ED25519_PUB_KEY_SIZE)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0)
+        ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
+    if (ret == 0) {
+        /* apply clamp */
+        az[0]  &= 248;
+        az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
+        az[31] |= 64;
+
+    #ifdef FREESCALE_LTC_ECC
+        ltc_pkha_ecc_point_t publicKey = {0};
+        publicKey.X = key->pointX;
+        publicKey.Y = key->pointY;
+        LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), az,
+            ED25519_KEY_SIZE, &publicKey, kLTC_Ed25519 /* result on Ed25519 */);
+        LTC_PKHA_Ed25519_Compress(&publicKey, pubKey);
+    #else
+        ge_scalarmult_base(&A, az);
+        ge_p3_tobytes(pubKey, &A);
+    #endif
+    }
+
+    return ret;
+}
+
+/* generate an ed25519 key pair.
+ * returns 0 on success
+ */
+int wc_ed25519_make_key(WC_RNG* rng, int keySz, ed25519_key* key)
+{
+    int ret;
 
     if (rng == NULL || key == NULL)
         return BAD_FUNC_ARG;
@@ -56,142 +102,412 @@ int wc_ed25519_make_key(RNG* rng, int keySz, ed25519_key* key)
     if (keySz != ED25519_KEY_SIZE)
         return BAD_FUNC_ARG;
 
-    ret = 0;
-    ret |= wc_RNG_GenerateBlock(rng, key->k, 32);
-    ret |= wc_Sha512Hash(key->k, 32, az);
-    az[0] &= 248;
-    az[31] &= 63;
-    az[31] |= 64;
+    ret  = wc_RNG_GenerateBlock(rng, key->k, ED25519_KEY_SIZE);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_ed25519_make_public(key, key->p, ED25519_PUB_KEY_SIZE);
+    if (ret != 0) {
+        ForceZero(key->k, ED25519_KEY_SIZE);
+        return ret;
+    }
+
+    /* put public key after private key, on the same buffer */
+    XMEMMOVE(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
 
-    ge_scalarmult_base(&A, az);
-    ge_p3_tobytes(key->p, &A);
-    XMEMMOVE(key->k + 32, key->p, 32);
+    key->pubKeySet = 1;
 
     return ret;
 }
 
 
+#ifdef HAVE_ED25519_SIGN
 /*
-    in     contains the message to sign
-    inlen  is the length of the message to sign
-    out    is the buffer to write the signature
-    outlen [in/out] input size of out buf
-                    output gets set as the final length of out
-    key    is the ed25519 key to use when signing
+    in          contains the message to sign
+    inLen       is the length of the message to sign
+    out         is the buffer to write the signature
+    outLen      [in/out] input size of out buf
+                          output gets set as the final length of out
+    key         is the ed25519 key to use when signing
+    type        one of Ed25519, Ed25519ctx or Ed25519ph
+    context     extra signing data
+    contextLen  length of extra signing data
     return 0 on success
  */
-int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
-                        word32 *outlen, ed25519_key* key)
+static int ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
+                            word32 *outLen, ed25519_key* key, byte type,
+                            const byte* context, byte contextLen)
 {
+#ifdef FREESCALE_LTC_ECC
+    byte   tempBuf[ED25519_PRV_KEY_SIZE];
+#else
     ge_p3  R;
-    byte   nonce[SHA512_DIGEST_SIZE];
-    byte   hram[SHA512_DIGEST_SIZE];
-    byte   az[64];
-    word32 sigSz;
-    Sha512 sha;
-    int    ret = 0;
+#endif
+    byte   nonce[WC_SHA512_DIGEST_SIZE];
+    byte   hram[WC_SHA512_DIGEST_SIZE];
+    byte   az[ED25519_PRV_KEY_SIZE];
+    wc_Sha512 sha;
+    int    ret;
 
     /* sanity check on arguments */
-    if (in == NULL || out == NULL || outlen == NULL || key == NULL)
+    if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
+                                         (context == NULL && contextLen != 0)) {
+        return BAD_FUNC_ARG;
+    }
+    if (!key->pubKeySet)
         return BAD_FUNC_ARG;
 
     /* check and set up out length */
-    ret   = 0;
-    sigSz = wc_ed25519_sig_size(key);
-    if (*outlen < sigSz)
-        return BAD_FUNC_ARG;
-    *outlen = sigSz;
+    if (*outLen < ED25519_SIG_SIZE) {
+        *outLen = ED25519_SIG_SIZE;
+        return BUFFER_E;
+    }
+    *outLen = ED25519_SIG_SIZE;
 
     /* step 1: create nonce to use where nonce is r in
        r = H(h_b, ... ,h_2b-1,M) */
-    ret |= wc_Sha512Hash(key->k,32,az);
+    ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
+    if (ret != 0)
+        return ret;
+
+    /* apply clamp */
     az[0]  &= 248;
-    az[31] &= 63;
+    az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
     az[31] |= 64;
-    ret |= wc_InitSha512(&sha);
-    ret |= wc_Sha512Update(&sha, az + 32, 32);
-    ret |= wc_Sha512Update(&sha, in, inlen);
-    ret |= wc_Sha512Final(&sha, nonce);
+
+    ret = wc_InitSha512(&sha);
+    if (ret != 0)
+        return ret;
+    if (type == Ed25519ctx || type == Ed25519ph) {
+        ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE);
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &type, sizeof(type));
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen));
+        if (ret == 0 && context != NULL)
+            ret = wc_Sha512Update(&sha, context, contextLen);
+    }
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE);
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, in, inLen);
+    if (ret == 0)
+        ret = wc_Sha512Final(&sha, nonce);
+    wc_Sha512Free(&sha);
+    if (ret != 0)
+        return ret;
+
+#ifdef FREESCALE_LTC_ECC
+    ltc_pkha_ecc_point_t ltcPoint = {0};
+    ltcPoint.X = &tempBuf[0];
+    ltcPoint.Y = &tempBuf[32];
+    LTC_PKHA_sc_reduce(nonce);
+    LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce,
+           ED25519_KEY_SIZE, &ltcPoint, kLTC_Ed25519 /* result on Ed25519 */);
+    LTC_PKHA_Ed25519_Compress(&ltcPoint, out);
+#else
     sc_reduce(nonce);
 
     /* step 2: computing R = rB where rB is the scalar multiplication of
        r and B */
     ge_scalarmult_base(&R,nonce);
     ge_p3_tobytes(out,&R);
+#endif
 
     /* step 3: hash R + public key + message getting H(R,A,M) then
        creating S = (r + H(R,A,M)a) mod l */
-    ret |= wc_InitSha512(&sha);
-    ret |= wc_Sha512Update(&sha, out, 32);
-    ret |= wc_Sha512Update(&sha, key->p, 32);
-    ret |= wc_Sha512Update(&sha, in, inlen);
-    ret |= wc_Sha512Final(&sha, hram);
+    ret = wc_InitSha512(&sha);
+    if (ret != 0)
+        return ret;
+    if (type == Ed25519ctx || type == Ed25519ph) {
+        ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE);
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &type, sizeof(type));
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen));
+        if (ret == 0 && context != NULL)
+            ret = wc_Sha512Update(&sha, context, contextLen);
+    }
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2);
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, in, inLen);
+    if (ret == 0)
+        ret = wc_Sha512Final(&sha, hram);
+    wc_Sha512Free(&sha);
+    if (ret != 0)
+        return ret;
+
+#ifdef FREESCALE_LTC_ECC
+    LTC_PKHA_sc_reduce(hram);
+    LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+#else
     sc_reduce(hram);
-    sc_muladd(out + 32, hram, az, nonce);
+    sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+#endif
 
     return ret;
 }
 
+/*
+    in     contains the message to sign
+    inLen  is the length of the message to sign
+    out    is the buffer to write the signature
+    outLen [in/out] input size of out buf
+                     output gets set as the final length of out
+    key    is the ed25519 key to use when signing
+    return 0 on success
+ */
+int wc_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
+                        word32 *outLen, ed25519_key* key)
+{
+    return ed25519_sign_msg(in, inLen, out, outLen, key, (byte)Ed25519, NULL, 0);
+}
+
+/*
+    in          contains the message to sign
+    inLen       is the length of the message to sign
+    out         is the buffer to write the signature
+    outLen      [in/out] input size of out buf
+                          output gets set as the final length of out
+    key         is the ed25519 key to use when signing
+    context     extra signing data
+    contextLen  length of extra signing data
+    return 0 on success
+ */
+int wc_ed25519ctx_sign_msg(const byte* in, word32 inLen, byte* out,
+                           word32 *outLen, ed25519_key* key,
+                           const byte* context, byte contextLen)
+{
+    return ed25519_sign_msg(in, inLen, out, outLen, key, Ed25519ctx, context,
+                                                                    contextLen);
+}
+
+/*
+    hash        contains the SHA-512 hash of the message to sign
+    hashLen     is the length of the SHA-512 hash of the message to sign
+    out         is the buffer to write the signature
+    outLen      [in/out] input size of out buf
+                          output gets set as the final length of out
+    key         is the ed25519 key to use when signing
+    context     extra signing data
+    contextLen  length of extra signing data
+    return 0 on success
+ */
+int wc_ed25519ph_sign_hash(const byte* hash, word32 hashLen, byte* out,
+                           word32 *outLen, ed25519_key* key,
+                           const byte* context, byte contextLen)
+{
+    return ed25519_sign_msg(hash, hashLen, out, outLen, key, Ed25519ph, context,
+                                                                    contextLen);
+}
+
+/*
+    in          contains the message to sign
+    inLen       is the length of the message to sign
+    out         is the buffer to write the signature
+    outLen      [in/out] input size of out buf
+                          output gets set as the final length of out
+    key         is the ed25519 key to use when signing
+    context     extra signing data
+    contextLen  length of extra signing data
+    return 0 on success
+ */
+int wc_ed25519ph_sign_msg(const byte* in, word32 inLen, byte* out,
+                          word32 *outLen, ed25519_key* key,
+                          const byte* context, byte contextLen)
+{
+    int  ret;
+    byte hash[WC_SHA512_DIGEST_SIZE];
+
+    ret = wc_Sha512Hash(in, inLen, hash);
+    if (ret != 0)
+        return ret;
+
+    return wc_ed25519ph_sign_hash(hash, sizeof(hash), out, outLen, key, context,
+                                                                    contextLen);
+}
+#endif /* HAVE_ED25519_SIGN */
+
+#ifdef HAVE_ED25519_VERIFY
 
 /*
    sig     is array of bytes containing the signature
-   siglen  is the length of sig byte array
+   sigLen  is the length of sig byte array
    msg     the array of bytes containing the message
-   msglen  length of msg array
-   stat    will be 1 on successful verify and 0 on unsuccessful
+   msgLen  length of msg array
+   res     will be 1 on successful verify and 0 on unsuccessful
+   key     Ed25519 public key
+   return  0 and res of 1 on success
 */
-int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
-                          word32 msglen, int* stat, ed25519_key* key)
+static int ed25519_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                              word32 msgLen, int* res, ed25519_key* key,
+                              byte type, const byte* context, byte contextLen)
 {
-    byte   rcheck[32];
-    byte   h[SHA512_DIGEST_SIZE];
+    byte   rcheck[ED25519_KEY_SIZE];
+    byte   h[WC_SHA512_DIGEST_SIZE];
+#ifndef FREESCALE_LTC_ECC
     ge_p3  A;
     ge_p2  R;
-    word32 sigSz;
+#endif
     int    ret;
-    Sha512 sha;
+    wc_Sha512 sha;
 
     /* sanity check on arguments */
-    if (sig == NULL || msg == NULL || stat == NULL || key == NULL)
+    if (sig == NULL || msg == NULL || res == NULL || key == NULL ||
+                                         (context == NULL && contextLen != 0)) {
         return BAD_FUNC_ARG;
+    }
 
-    ret   = 0;
-    *stat = 0;
-    sigSz = wc_ed25519_size(key);
+    /* set verification failed by default */
+    *res = 0;
 
     /* check on basics needed to verify signature */
-    if (siglen < sigSz)
-        return BAD_FUNC_ARG;
-    if (sig[63] & 224)
+    if (sigLen < ED25519_SIG_SIZE || (sig[ED25519_SIG_SIZE-1] & 224))
         return BAD_FUNC_ARG;
 
     /* uncompress A (public key), test if valid, and negate it */
+#ifndef FREESCALE_LTC_ECC
     if (ge_frombytes_negate_vartime(&A, key->p) != 0)
         return BAD_FUNC_ARG;
+#endif
 
     /* find H(R,A,M) and store it as h */
-    ret |= wc_InitSha512(&sha);
-    ret |= wc_Sha512Update(&sha, sig,    32);
-    ret |= wc_Sha512Update(&sha, key->p, 32);
-    ret |= wc_Sha512Update(&sha, msg,    msglen);
-    ret |= wc_Sha512Final(&sha,  h);
+    ret  = wc_InitSha512(&sha);
+    if (ret != 0)
+        return ret;
+    if (type == Ed25519ctx || type == Ed25519ph) {
+        ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE);
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &type, sizeof(type));
+        if (ret == 0)
+            ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen));
+        if (ret == 0 && context != NULL)
+            ret = wc_Sha512Update(&sha, context, contextLen);
+    }
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2);
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
+    if (ret == 0)
+        ret = wc_Sha512Update(&sha, msg, msgLen);
+    if (ret == 0)
+        ret = wc_Sha512Final(&sha,  h);
+    wc_Sha512Free(&sha);
+    if (ret != 0)
+        return ret;
+
+#ifdef FREESCALE_LTC_ECC
+    LTC_PKHA_sc_reduce(h);
+    LTC_PKHA_SignatureForVerify(rcheck, h, sig + (ED25519_SIG_SIZE/2), key);
+#else
     sc_reduce(h);
 
     /*
        Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
        SB - H(R,A,M)A saving decompression of R
     */
-    ret |= ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
+    ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2));
+    if (ret != 0)
+        return ret;
+
     ge_tobytes(rcheck, &R);
+#endif /* FREESCALE_LTC_ECC */
 
     /* comparison of R created to R in sig */
-    ret  |= ConstantCompare(rcheck, sig, 32);
+    ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
+    if (ret != 0)
+        return SIG_VERIFY_E;
 
-    *stat = (ret == 0)? 1: 0;
+    /* set the verification status */
+    *res = 1;
 
     return ret;
 }
 
+/*
+   sig     is array of bytes containing the signature
+   sigLen  is the length of sig byte array
+   msg     the array of bytes containing the message
+   msgLen  length of msg array
+   res     will be 1 on successful verify and 0 on unsuccessful
+   key     Ed25519 public key
+   return  0 and res of 1 on success
+*/
+int wc_ed25519_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                          word32 msgLen, int* res, ed25519_key* key)
+{
+    return ed25519_verify_msg(sig, sigLen, msg, msgLen, res, key, (byte)Ed25519,
+                                                                       NULL, 0);
+}
+
+/*
+   sig         is array of bytes containing the signature
+   sigLen      is the length of sig byte array
+   msg         the array of bytes containing the message
+   msgLen      length of msg array
+   res         will be 1 on successful verify and 0 on unsuccessful
+   key         Ed25519 public key
+   context     extra sigining data
+   contextLen  length of extra sigining data
+   return  0 and res of 1 on success
+*/
+int wc_ed25519ctx_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                             word32 msgLen, int* res, ed25519_key* key,
+                             const byte* context, byte contextLen)
+{
+    return ed25519_verify_msg(sig, sigLen, msg, msgLen, res, key, Ed25519ctx,
+                                                           context, contextLen);
+}
+
+/*
+   sig         is array of bytes containing the signature
+   sigLen      is the length of sig byte array
+   hash        the array of bytes containing the SHA-512 hash of the message
+   hashLen     length of hash array
+   res         will be 1 on successful verify and 0 on unsuccessful
+   key         Ed25519 public key
+   context     extra sigining data
+   contextLen  length of extra sigining data
+   return  0 and res of 1 on success
+*/
+int wc_ed25519ph_verify_hash(const byte* sig, word32 sigLen, const byte* hash,
+                             word32 hashLen, int* res, ed25519_key* key,
+                             const byte* context, byte contextLen)
+{
+    return ed25519_verify_msg(sig, sigLen, hash, hashLen, res, key, Ed25519ph,
+                                                           context, contextLen);
+}
+
+/*
+   sig         is array of bytes containing the signature
+   sigLen      is the length of sig byte array
+   msg         the array of bytes containing the message
+   msgLen      length of msg array
+   res         will be 1 on successful verify and 0 on unsuccessful
+   key         Ed25519 public key
+   context     extra sigining data
+   contextLen  length of extra sigining data
+   return  0 and res of 1 on success
+*/
+int wc_ed25519ph_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                            word32 msgLen, int* res, ed25519_key* key,
+                            const byte* context, byte contextLen)
+{
+    int  ret;
+    byte hash[WC_SHA512_DIGEST_SIZE];
+
+    ret = wc_Sha512Hash(msg, msgLen, hash);
+    if (ret != 0)
+        return ret;
+
+    return wc_ed25519ph_verify_hash(sig, sigLen, hash, sizeof(hash), res, key,
+                                                           context, contextLen);
+}
+#endif /* HAVE_ED25519_VERIFY */
+
 
 /* initialize information and memory for key */
 int wc_ed25519_init(ed25519_key* key)
@@ -201,6 +517,10 @@ int wc_ed25519_init(ed25519_key* key)
 
     XMEMSET(key, 0, sizeof(ed25519_key));
 
+#ifndef FREESCALE_LTC_ECC
+    fe_init();
+#endif
+
     return 0;
 }
 
@@ -215,6 +535,8 @@ void wc_ed25519_free(ed25519_key* key)
 }
 
 
+#ifdef HAVE_ED25519_KEY_EXPORT
+
 /*
     outLen should contain the size of out buffer when input. outLen is than set
     to the final output length.
@@ -222,24 +544,25 @@ void wc_ed25519_free(ed25519_key* key)
  */
 int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen)
 {
-    word32 keySz;
-
     /* sanity check on arguments */
     if (key == NULL || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
 
-    keySz = wc_ed25519_size(key);
-    if (*outLen < keySz) {
-        *outLen = keySz;
+    if (*outLen < ED25519_PUB_KEY_SIZE) {
+        *outLen = ED25519_PUB_KEY_SIZE;
         return BUFFER_E;
     }
-    *outLen = keySz;
-    XMEMCPY(out, key->p, keySz);
+
+    *outLen = ED25519_PUB_KEY_SIZE;
+    XMEMCPY(out, key->p, ED25519_PUB_KEY_SIZE);
 
     return 0;
 }
 
+#endif /* HAVE_ED25519_KEY_EXPORT */
+
 
+#ifdef HAVE_ED25519_KEY_IMPORT
 /*
     Imports a compressed/uncompressed public key.
     in    the byte array containing the public key
@@ -248,37 +571,65 @@ int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen)
  */
 int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key)
 {
-    word32 keySz;
     int    ret;
 
     /* sanity check on arguments */
     if (in == NULL || key == NULL)
         return BAD_FUNC_ARG;
 
-    keySz = wc_ed25519_size(key);
-
-    if (inLen < keySz)
+    if (inLen < ED25519_PUB_KEY_SIZE)
         return BAD_FUNC_ARG;
 
     /* compressed prefix according to draft
        http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */
-    if (in[0] == 0x40) {
+    if (in[0] == 0x40 && inLen > ED25519_PUB_KEY_SIZE) {
         /* key is stored in compressed format so just copy in */
-        XMEMCPY(key->p, (in + 1), keySz);
+        XMEMCPY(key->p, (in + 1), ED25519_PUB_KEY_SIZE);
+#ifdef FREESCALE_LTC_ECC
+        /* recover X coordinate */
+        ltc_pkha_ecc_point_t pubKey;
+        pubKey.X = key->pointX;
+        pubKey.Y = key->pointY;
+        LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
+#endif
+        key->pubKeySet = 1;
         return 0;
     }
 
     /* importing uncompressed public key */
-    if (in[0] == 0x04) {
+    if (in[0] == 0x04 && inLen > 2*ED25519_PUB_KEY_SIZE) {
+#ifdef FREESCALE_LTC_ECC
+        /* reverse bytes for little endian byte order */
+        for (int i = 0; i < ED25519_KEY_SIZE; i++)
+        {
+            key->pointX[i] = *(in + ED25519_KEY_SIZE - i);
+            key->pointY[i] = *(in + 2*ED25519_KEY_SIZE - i);
+        }
+        XMEMCPY(key->p, key->pointY, ED25519_KEY_SIZE);
+        key->pubKeySet = 1;
+        ret = 0;
+#else
         /* pass in (x,y) and store compressed key */
-        ret = ge_compress_key(key->p, (in+1), (in+1+keySz), keySz);
+        ret = ge_compress_key(key->p, in+1,
+                              in+1+ED25519_PUB_KEY_SIZE, ED25519_PUB_KEY_SIZE);
+        if (ret == 0)
+            key->pubKeySet = 1;
+#endif /* FREESCALE_LTC_ECC */
         return ret;
     }
 
     /* if not specified compressed or uncompressed check key size
        if key size is equal to compressed key size copy in key */
-    if (inLen == keySz) {
-        XMEMCPY(key->p, in, keySz);
+    if (inLen == ED25519_PUB_KEY_SIZE) {
+        XMEMCPY(key->p, in, ED25519_PUB_KEY_SIZE);
+#ifdef FREESCALE_LTC_ECC
+        /* recover X coordinate */
+        ltc_pkha_ecc_point_t pubKey;
+        pubKey.X = key->pointX;
+        pubKey.Y = key->pointY;
+        LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
+#endif
+        key->pubKeySet = 1;
         return 0;
     }
 
@@ -288,82 +639,175 @@ int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key)
 
 
 /*
+    For importing a private key.
+ */
+int wc_ed25519_import_private_only(const byte* priv, word32 privSz,
+                                                               ed25519_key* key)
+{
+    /* sanity check on arguments */
+    if (priv == NULL || key == NULL)
+        return BAD_FUNC_ARG;
+
+    /* key size check */
+    if (privSz < ED25519_KEY_SIZE)
+        return BAD_FUNC_ARG;
+
+    XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
+
+    return 0;
+}
+
+/*
     For importing a private key and its associated public key.
  */
 int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
                                 const byte* pub, word32 pubSz, ed25519_key* key)
 {
-    word32 keySz;
     int    ret;
 
     /* sanity check on arguments */
     if (priv == NULL || pub == NULL || key == NULL)
         return BAD_FUNC_ARG;
 
-    keySz = wc_ed25519_size(key);
-
     /* key size check */
-    if (privSz < keySz || pubSz < keySz)
+    if (privSz < ED25519_KEY_SIZE || pubSz < ED25519_PUB_KEY_SIZE)
         return BAD_FUNC_ARG;
 
-    XMEMCPY(key->k, priv, keySz);
+    /* import public key */
     ret = wc_ed25519_import_public(pub, pubSz, key);
-    XMEMCPY((key->k + keySz), key->p, keySz);
+    if (ret != 0)
+        return ret;
+
+    /* make the private key (priv + pub) */
+    XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
+    XMEMCPY(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
 
     return ret;
 }
 
+#endif /* HAVE_ED25519_KEY_IMPORT */
+
+
+#ifdef HAVE_ED25519_KEY_EXPORT
 
 /*
-    outLen should contain the size of out buffer when input. outLen is than set
-    to the final output length.
-    returns 0 on success
+ export private key only (secret part so 32 bytes)
+ outLen should contain the size of out buffer when input. outLen is than set
+ to the final output length.
+ returns 0 on success
  */
 int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen)
 {
-    word32 keySz;
+    /* sanity checks on arguments */
+    if (key == NULL || out == NULL || outLen == NULL)
+        return BAD_FUNC_ARG;
+
+    if (*outLen < ED25519_KEY_SIZE) {
+        *outLen = ED25519_KEY_SIZE;
+        return BUFFER_E;
+    }
+
+    *outLen = ED25519_KEY_SIZE;
+    XMEMCPY(out, key->k, ED25519_KEY_SIZE);
 
+    return 0;
+}
+
+/*
+ export private key, including public part
+ outLen should contain the size of out buffer when input. outLen is than set
+ to the final output length.
+ returns 0 on success
+ */
+int wc_ed25519_export_private(ed25519_key* key, byte* out, word32* outLen)
+{
     /* sanity checks on arguments */
     if (key == NULL || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
 
-    keySz = wc_ed25519_size(key);
-    if (*outLen < keySz) {
-        *outLen = keySz;
+    if (*outLen < ED25519_PRV_KEY_SIZE) {
+        *outLen = ED25519_PRV_KEY_SIZE;
         return BUFFER_E;
     }
-    *outLen = keySz;
-    XMEMCPY(out, key->k, keySz);
+
+    *outLen = ED25519_PRV_KEY_SIZE;
+    XMEMCPY(out, key->k, ED25519_PRV_KEY_SIZE);
 
     return 0;
 }
 
+/* export full private key and public key
+   return 0 on success
+ */
+int wc_ed25519_export_key(ed25519_key* key,
+                          byte* priv, word32 *privSz,
+                          byte* pub, word32 *pubSz)
+{
+    int ret;
+
+    /* export 'full' private part */
+    ret = wc_ed25519_export_private(key, priv, privSz);
+    if (ret != 0)
+        return ret;
 
-/* is the compressed key size in bytes */
-int wc_ed25519_size(ed25519_key* key)
+    /* export public part */
+    ret = wc_ed25519_export_public(key, pub, pubSz);
+
+    return ret;
+}
+
+#endif /* HAVE_ED25519_KEY_EXPORT */
+
+/* check the private and public keys match */
+int wc_ed25519_check_key(ed25519_key* key)
 {
-    word32 keySz;
+    int ret = 0;
+    unsigned char pubKey[ED25519_PUB_KEY_SIZE];
+
+    if (!key->pubKeySet)
+        ret = PUBLIC_KEY_E;
+    if (ret == 0)
+        ret = wc_ed25519_make_public(key, pubKey, sizeof(pubKey));
+    if (ret == 0 && XMEMCMP(pubKey, key->p, ED25519_PUB_KEY_SIZE) != 0)
+        ret = PUBLIC_KEY_E;
 
+    return ret;
+}
+
+/* returns the private key size (secret only) in bytes */
+int wc_ed25519_size(ed25519_key* key)
+{
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    keySz = ED25519_KEY_SIZE;
+    return ED25519_KEY_SIZE;
+}
 
-    return keySz;
+/* returns the private key size (secret + public) in bytes */
+int wc_ed25519_priv_size(ed25519_key* key)
+{
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    return ED25519_PRV_KEY_SIZE;
 }
 
+/* returns the compressed key size in bytes (public key) */
+int wc_ed25519_pub_size(ed25519_key* key)
+{
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    return ED25519_PUB_KEY_SIZE;
+}
 
 /* returns the size of signature in bytes */
 int wc_ed25519_sig_size(ed25519_key* key)
 {
-    word32 sigSz;
-
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    sigSz = ED25519_SIG_SIZE;
-
-    return sigSz;
+    return ED25519_SIG_SIZE;
 }
 
 #endif /* HAVE_ED25519 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed448.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed448.c
new file mode 100644
index 000000000..125ee3852
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed448.c
@@ -0,0 +1,917 @@
+/* ed448.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implemented to: RFC 8032 */
+
+/* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work.
+ * Reworked for curve448 by Sean Parkinson.
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+/* in case user set HAVE_ED448 there */
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_ED448
+
+#include <wolfssl/wolfcrypt/ed448.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hash.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(HAVE_ED448_SIGN) || defined(HAVE_ED448_VERIFY)
+/* Size of context bytes to use with hash when signing and verifying. */
+#define ED448CTX_SIZE    8
+/* Context to pass to hash when signing and verifying. */
+static const byte ed448Ctx[ED448CTX_SIZE+1] = "SigEd448";
+#endif
+
+/* Derive the public key for the private key.
+ *
+ * key       [in]  Ed448 key object.
+ * pubKey    [in]  Byte array to hold te public key.
+ * pubKeySz  [in]  Size of the array in bytes.
+ * returns BAD_FUNC_ARG when key is NULL or pubKeySz is not equal to
+ *         ED448_PUB_KEY_SIZE,
+ *         other -ve value on hash failure,
+ *         0 otherwise.
+ */
+int wc_ed448_make_public(ed448_key* key, unsigned char* pubKey, word32 pubKeySz)
+{
+    int   ret = 0;
+    byte  az[ED448_PRV_KEY_SIZE];
+    ge448_p2 A;
+
+    if ((key == NULL) || (pubKeySz != ED448_PUB_KEY_SIZE)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        ret = wc_Shake256Hash(key->k, ED448_KEY_SIZE, az, sizeof(az));
+    }
+    if (ret == 0) {
+        /* apply clamp */
+        az[0]  &= 0xfc;
+        az[55] |= 0x80;
+        az[56]  = 0x00;
+
+        ge448_scalarmult_base(&A, az);
+        ge448_to_bytes(pubKey, &A);
+    }
+
+    return ret;
+}
+
+/* Make a new ed448 private/public key.
+ *
+ * rng      [in]  Random number generator.
+ * keysize  [in]  Size of the key to generate.
+ * key      [in]  Ed448 key object.
+ * returns BAD_FUNC_ARG when rng or key is NULL or keySz is not equal to
+ *         ED448_KEY_SIZE,
+ *         other -ve value on random number or hash failure,
+ *         0 otherwise.
+ */
+int wc_ed448_make_key(WC_RNG* rng, int keySz, ed448_key* key)
+{
+    int ret = 0;
+
+    if ((rng == NULL) || (key == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* ed448 has 57 byte key sizes */
+    if ((ret == 0) && (keySz != ED448_KEY_SIZE)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        ret = wc_RNG_GenerateBlock(rng, key->k, ED448_KEY_SIZE);
+    }
+    if (ret == 0) {
+        ret = wc_ed448_make_public(key, key->p, ED448_PUB_KEY_SIZE);
+        if (ret != 0) {
+            ForceZero(key->k, ED448_KEY_SIZE);
+        }
+    }
+    if (ret == 0) {
+        /* put public key after private key, on the same buffer */
+        XMEMMOVE(key->k + ED448_KEY_SIZE, key->p, ED448_PUB_KEY_SIZE);
+
+        key->pubKeySet = 1;
+    }
+
+    return ret;
+}
+
+
+#ifdef HAVE_ED448_SIGN
+/* Sign the message using the ed448 private key.
+ *
+ *  in          [in]      Message to sign.
+ *  inLen       [in]      Length of the message in bytes.
+ *  out         [in]      Buffer to write signature into.
+ *  outLen      [in/out]  On in, size of buffer.
+ *                        On out, the length of the signature in bytes.
+ *  key         [in]      Ed448 key to use when signing
+ *  type        [in]      Type of signature to perform: Ed448 or Ed448ph
+ *  context     [in]      Context of signing.
+ *  contextLen  [in]      Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when outLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+static int ed448_sign_msg(const byte* in, word32 inLen, byte* out,
+                          word32 *outLen, ed448_key* key, byte type,
+                          const byte* context, byte contextLen)
+{
+    ge448_p2 R;
+    byte     nonce[ED448_SIG_SIZE];
+    byte     hram[ED448_SIG_SIZE];
+    byte     az[ED448_PRV_KEY_SIZE];
+    wc_Shake sha;
+    int      ret = 0;
+
+    /* sanity check on arguments */
+    if ((in == NULL) || (out == NULL) || (outLen == NULL) || (key == NULL) ||
+                                     ((context == NULL) && (contextLen != 0))) {
+        ret = BAD_FUNC_ARG;
+    }
+    if ((ret == 0) && (!key->pubKeySet)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* check and set up out length */
+    if ((ret == 0) && (*outLen < ED448_SIG_SIZE)) {
+        *outLen = ED448_SIG_SIZE;
+        ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        *outLen = ED448_SIG_SIZE;
+
+        /* step 1: create nonce to use where nonce is r in
+           r = H(h_b, ... ,h_2b-1,M) */
+        ret = wc_Shake256Hash(key->k, ED448_KEY_SIZE, az, sizeof(az));
+    }
+    if (ret == 0) {
+        /* apply clamp */
+        az[0]  &= 0xfc;
+        az[55] |= 0x80;
+        az[56]  = 0x00;
+
+        ret = wc_InitShake256(&sha, NULL, INVALID_DEVID);
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, ed448Ctx, ED448CTX_SIZE);
+        }
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, &type, sizeof(type));
+        }
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, &contextLen, sizeof(contextLen));
+        }
+        if (ret == 0 && context != NULL) {
+            ret = wc_Shake256_Update(&sha, context, contextLen);
+        }
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, az + ED448_KEY_SIZE, ED448_KEY_SIZE);
+        }
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, in, inLen);
+        }
+        if (ret == 0) {
+            ret = wc_Shake256_Final(&sha, nonce, sizeof(nonce));
+        }
+        wc_Shake256_Free(&sha);
+    }
+    if (ret == 0) {
+        sc448_reduce(nonce);
+
+        /* step 2: computing R = rB where rB is the scalar multiplication of
+           r and B */
+        ge448_scalarmult_base(&R,nonce);
+        ge448_to_bytes(out,&R);
+
+        /* step 3: hash R + public key + message getting H(R,A,M) then
+           creating S = (r + H(R,A,M)a) mod l */
+        ret = wc_InitShake256(&sha, NULL, INVALID_DEVID);
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, ed448Ctx, ED448CTX_SIZE);
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, &type, sizeof(type));
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, &contextLen, sizeof(contextLen));
+            }
+            if (ret == 0 && context != NULL) {
+                ret = wc_Shake256_Update(&sha, context, contextLen);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, out, ED448_SIG_SIZE/2);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, key->p, ED448_PUB_KEY_SIZE);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, in, inLen);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Final(&sha, hram, sizeof(hram));
+            }
+            wc_Shake256_Free(&sha);
+        }
+    }
+
+    if (ret == 0) {
+        sc448_reduce(hram);
+        sc448_muladd(out + (ED448_SIG_SIZE/2), hram, az, nonce);
+    }
+
+    return ret;
+}
+
+/* Sign the message using the ed448 private key.
+ * Signature type is Ed448.
+ *
+ *  in          [in]      Message to sign.
+ *  inLen       [in]      Length of the message in bytes.
+ *  out         [in]      Buffer to write signature into.
+ *  outLen      [in/out]  On in, size of buffer.
+ *                        On out, the length of the signature in bytes.
+ *  key         [in]      Ed448 key to use when signing
+ *  context     [in]      Context of signing.
+ *  contextLen  [in]      Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when outLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen,
+                      ed448_key* key, const byte* context, byte contextLen)
+{
+    return ed448_sign_msg(in, inLen, out, outLen, key, Ed448, context,
+                                                                    contextLen);
+}
+
+/* Sign the hash using the ed448 private key.
+ * Signature type is Ed448ph.
+ *
+ *  hash        [in]      Hash of message to sign.
+ *  hashLen     [in]      Length of hash of message in bytes.
+ *  out         [in]      Buffer to write signature into.
+ *  outLen      [in/out]  On in, size of buffer.
+ *                        On out, the length of the signature in bytes.
+ *  key         [in]      Ed448 key to use when signing
+ *  context     [in]      Context of signing.
+ *  contextLen  [in]      Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when outLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448ph_sign_hash(const byte* hash, word32 hashLen, byte* out,
+                         word32 *outLen, ed448_key* key,
+                         const byte* context, byte contextLen)
+{
+    return ed448_sign_msg(hash, hashLen, out, outLen, key, Ed448ph, context,
+                                                                    contextLen);
+}
+
+/* Sign the message using the ed448 private key.
+ * Signature type is Ed448ph.
+ *
+ *  in          [in]      Message to sign.
+ *  inLen       [in]      Length of the message to sign in bytes.
+ *  out         [in]      Buffer to write signature into.
+ *  outLen      [in/out]  On in, size of buffer.
+ *                        On out, the length of the signature in bytes.
+ *  key         [in]      Ed448 key to use when signing
+ *  context     [in]      Context of signing.
+ *  contextLen  [in]      Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when outLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448ph_sign_msg(const byte* in, word32 inLen, byte* out, word32 *outLen,
+                        ed448_key* key, const byte* context, byte contextLen)
+{
+    int  ret = 0;
+    byte hash[64];
+
+    ret = wc_Shake256Hash(in, inLen, hash, sizeof(hash));
+    if (ret == 0) {
+        ret = wc_ed448ph_sign_hash(hash, sizeof(hash), out, outLen, key,
+                                                           context, contextLen);
+    }
+
+    return ret;
+}
+#endif /* HAVE_ED448_SIGN */
+
+#ifdef HAVE_ED448_VERIFY
+
+/* Verify the message using the ed448 public key.
+ *
+ *  sig         [in]  Signature to verify.
+ *  sigLen      [in]  Size of signature in bytes.
+ *  msg         [in]  Message to verify.
+ *  msgLen      [in]  Length of the message in bytes.
+ *  key         [in]  Ed448 key to use to verify.
+ *  type        [in]  Type of signature to verify: Ed448 or Ed448ph
+ *  context     [in]  Context of verification.
+ *  contextLen  [in]  Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when sigLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+static int ed448_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                            word32 msgLen, int* res, ed448_key* key,
+                            byte type, const byte* context, byte contextLen)
+{
+    byte     rcheck[ED448_KEY_SIZE];
+    byte     h[ED448_SIG_SIZE];
+    ge448_p2 A;
+    ge448_p2 R;
+    int      ret = 0;
+    wc_Shake sha;
+
+    /* sanity check on arguments */
+    if ((sig == NULL) || (msg == NULL) || (res == NULL) || (key == NULL) ||
+                                     ((context == NULL) && (contextLen != 0))) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        /* set verification failed by default */
+        *res = 0;
+
+        /* check on basics needed to verify signature */
+        if (sigLen < ED448_SIG_SIZE) {
+            ret = BAD_FUNC_ARG;
+        }
+    }
+
+    /* uncompress A (public key), test if valid, and negate it */
+    if ((ret == 0) && (ge448_from_bytes_negate_vartime(&A, key->p) != 0)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        /* find H(R,A,M) and store it as h */
+        ret  = wc_InitShake256(&sha, NULL, INVALID_DEVID);
+        if (ret == 0) {
+            ret = wc_Shake256_Update(&sha, ed448Ctx, ED448CTX_SIZE);
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, &type, sizeof(type));
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, &contextLen, sizeof(contextLen));
+            }
+            if (ret == 0 && context != NULL) {
+                ret = wc_Shake256_Update(&sha, context, contextLen);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, sig, ED448_SIG_SIZE/2);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, key->p, ED448_PUB_KEY_SIZE);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Update(&sha, msg, msgLen);
+            }
+            if (ret == 0) {
+                ret = wc_Shake256_Final(&sha,  h, sizeof(h));
+            }
+            wc_Shake256_Free(&sha);
+        }
+    }
+    if (ret == 0) {
+        sc448_reduce(h);
+
+        /* Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
+         * SB - H(R,A,M)A saving decompression of R
+         */
+        ret = ge448_double_scalarmult_vartime(&R, h, &A,
+                                                      sig + (ED448_SIG_SIZE/2));
+    }
+
+    if (ret == 0) {
+        ge448_to_bytes(rcheck, &R);
+
+        /* comparison of R created to R in sig */
+        if (ConstantCompare(rcheck, sig, ED448_SIG_SIZE/2) != 0) {
+            ret = SIG_VERIFY_E;
+        }
+        else {
+            /* set the verification status */
+            *res = 1;
+        }
+    }
+
+    return ret;
+}
+
+/* Verify the message using the ed448 public key.
+ * Signature type is Ed448.
+ *
+ *  sig         [in]  Signature to verify.
+ *  sigLen      [in]  Size of signature in bytes.
+ *  msg         [in]  Message to verify.
+ *  msgLen      [in]  Length of the message in bytes.
+ *  key         [in]  Ed448 key to use to verify.
+ *  context     [in]  Context of verification.
+ *  contextLen  [in]  Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when sigLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                        word32 msgLen, int* res, ed448_key* key,
+                        const byte* context, byte contextLen)
+{
+    return ed448_verify_msg(sig, sigLen, msg, msgLen, res, key, Ed448,
+                                                           context, contextLen);
+}
+
+/* Verify the hash using the ed448 public key.
+ * Signature type is Ed448ph.
+ *
+ *  sig         [in]  Signature to verify.
+ *  sigLen      [in]  Size of signature in bytes.
+ *  hash        [in]  Hash of message to verify.
+ *  hashLen     [in]  Length of the hash in bytes.
+ *  key         [in]  Ed448 key to use to verify.
+ *  context     [in]  Context of verification.
+ *  contextLen  [in]  Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when sigLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448ph_verify_hash(const byte* sig, word32 sigLen, const byte* hash,
+                           word32 hashLen, int* res, ed448_key* key,
+                           const byte* context, byte contextLen)
+{
+    return ed448_verify_msg(sig, sigLen, hash, hashLen, res, key, Ed448ph,
+                                                           context, contextLen);
+}
+
+/* Verify the message using the ed448 public key.
+ * Signature type is Ed448ph.
+ *
+ *  sig         [in]  Signature to verify.
+ *  sigLen      [in]  Size of signature in bytes.
+ *  msg         [in]  Message to verify.
+ *  msgLen      [in]  Length of the message in bytes.
+ *  key         [in]  Ed448 key to use to verify.
+ *  context     [in]  Context of verification.
+ *  contextLen  [in]  Length of context in bytes.
+ *  returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and
+ *          context is not NULL or public key not set,
+ *          BUFFER_E when sigLen is less than ED448_SIG_SIZE,
+ *          other -ve values when hash fails,
+ *          0 otherwise.
+ */
+int wc_ed448ph_verify_msg(const byte* sig, word32 sigLen, const byte* msg,
+                          word32 msgLen, int* res, ed448_key* key,
+                          const byte* context, byte contextLen)
+{
+    int  ret = 0;
+    byte hash[64];
+
+    ret = wc_Shake256Hash(msg, msgLen, hash, sizeof(hash));
+    if (ret == 0) {
+        ret = wc_ed448ph_verify_hash(sig, sigLen, hash, sizeof(hash), res, key,
+                                                           context, contextLen);
+    }
+
+    return ret;
+}
+#endif /* HAVE_ED448_VERIFY */
+
+/* Initialize the ed448 private/public key.
+ *
+ * key  [in]  Ed448 key.
+ * returns BAD_FUNC_ARG when key is NULL
+ */
+int wc_ed448_init(ed448_key* key)
+{
+    int ret = 0;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        XMEMSET(key, 0, sizeof(ed448_key));
+
+        fe448_init();
+    }
+
+    return ret;
+}
+
+
+/* Clears the ed448 key data
+ *
+ * key  [in]  Ed448 key.
+ */
+void wc_ed448_free(ed448_key* key)
+{
+    if (key != NULL) {
+        ForceZero(key, sizeof(ed448_key));
+    }
+}
+
+
+#ifdef HAVE_ED448_KEY_EXPORT
+
+/* Export the ed448 public key.
+ *
+ * key     [in]      Ed448 public key.
+ * out     [in]      Array to hold public key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than ED448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_export_public(ed448_key* key, byte* out, word32* outLen)
+{
+    int ret = 0;
+
+    /* sanity check on arguments */
+    if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if ((ret == 0) && (*outLen < ED448_PUB_KEY_SIZE)) {
+        *outLen = ED448_PUB_KEY_SIZE;
+        ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        *outLen = ED448_PUB_KEY_SIZE;
+        XMEMCPY(out, key->p, ED448_PUB_KEY_SIZE);
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_ED448_KEY_EXPORT */
+
+
+#ifdef HAVE_ED448_KEY_IMPORT
+/* Import a compressed or uncompressed ed448 public key from a byte array.
+ * Public key encoded in big-endian.
+ *
+ * in      [in]  Array holding public key.
+ * inLen   [in]  Number of bytes of data in array.
+ * key     [in]  Ed448 public key.
+ * returns BAD_FUNC_ARG when a parameter is NULL or key format is not supported,
+ *         0 otherwise.
+ */
+int wc_ed448_import_public(const byte* in, word32 inLen, ed448_key* key)
+{
+    int ret = 0;
+
+    /* sanity check on arguments */
+    if ((in == NULL) || (key == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        /* compressed prefix according to draft
+         * https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-06 */
+        if (in[0] == 0x40 && inLen > ED448_PUB_KEY_SIZE) {
+            /* key is stored in compressed format so just copy in */
+            XMEMCPY(key->p, (in + 1), ED448_PUB_KEY_SIZE);
+            key->pubKeySet = 1;
+        }
+        /* importing uncompressed public key */
+        else if (in[0] == 0x04 && inLen > 2*ED448_PUB_KEY_SIZE) {
+            /* pass in (x,y) and store compressed key */
+            ret = ge448_compress_key(key->p, in+1, in+1+ED448_PUB_KEY_SIZE);
+            if (ret == 0)
+                key->pubKeySet = 1;
+        }
+        else if (inLen == ED448_PUB_KEY_SIZE) {
+            /* if not specified compressed or uncompressed check key size
+             * if key size is equal to compressed key size copy in key */
+            XMEMCPY(key->p, in, ED448_PUB_KEY_SIZE);
+            key->pubKeySet = 1;
+        }
+        else {
+            /* bad public key format */
+            ret = BAD_FUNC_ARG;
+        }
+    }
+
+    return ret;
+}
+
+
+/* Import an ed448 private key from a byte array.
+ *
+ * priv    [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in array.
+ * key     [in]  Ed448 private key.
+ * returns BAD_FUNC_ARG when a parameter is NULL or privSz is less than
+ *         ED448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_import_private_only(const byte* priv, word32 privSz,
+                                 ed448_key* key)
+{
+    int ret = 0;
+
+    /* sanity check on arguments */
+    if ((priv == NULL) || (key == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* key size check */
+    if ((ret == 0) && (privSz < ED448_KEY_SIZE)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        XMEMCPY(key->k, priv, ED448_KEY_SIZE);
+    }
+
+    return ret;
+}
+
+/* Import an ed448 private and public keys from a byte arrays.
+ *
+ * priv    [in]  Array holding private key.
+ * privSz  [in]  Number of bytes of data in private key array.
+ * pub     [in]  Array holding private key.
+ * pubSz   [in]  Number of bytes of data in public key array.
+ * key     [in]  Ed448 private/public key.
+ * returns BAD_FUNC_ARG when a parameter is NULL or privSz is less than
+ *         ED448_KEY_SIZE or pubSz is less than ED448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_import_private_key(const byte* priv, word32 privSz,
+                                const byte* pub, word32 pubSz, ed448_key* key)
+{
+    int ret = 0;
+
+    /* sanity check on arguments */
+    if ((priv == NULL) || (pub == NULL) || (key == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    /* key size check */
+    if ((ret == 0) && (privSz < ED448_KEY_SIZE || pubSz < ED448_PUB_KEY_SIZE)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        /* import public key */
+        ret = wc_ed448_import_public(pub, pubSz, key);
+    }
+    if (ret == 0) {
+        /* make the private key (priv + pub) */
+        XMEMCPY(key->k, priv, ED448_KEY_SIZE);
+        XMEMCPY(key->k + ED448_KEY_SIZE, key->p, ED448_PUB_KEY_SIZE);
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_ED448_KEY_IMPORT */
+
+
+#ifdef HAVE_ED448_KEY_EXPORT
+
+/* Export the ed448 private key.
+ *
+ * key     [in]      Ed448 private key.
+ * out     [in]      Array to hold private key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         ECC_BAD_ARG_E when outLen is less than ED448_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_export_private_only(ed448_key* key, byte* out, word32* outLen)
+{
+    int ret = 0;
+
+    /* sanity checks on arguments */
+    if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if ((ret == 0) && (*outLen < ED448_KEY_SIZE)) {
+        *outLen = ED448_KEY_SIZE;
+        ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        *outLen = ED448_KEY_SIZE;
+        XMEMCPY(out, key->k, ED448_KEY_SIZE);
+    }
+
+    return ret;
+}
+
+/* Export the ed448 private and public key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * out     [in]      Array to hold private and public key.
+ * outLen  [in/out]  On in, the number of bytes in array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         BUFFER_E when outLen is less than ED448_PRV_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_export_private(ed448_key* key, byte* out, word32* outLen)
+{
+    int ret = 0;
+
+    /* sanity checks on arguments */
+    if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if ((ret == 0) && (*outLen < ED448_PRV_KEY_SIZE)) {
+        *outLen = ED448_PRV_KEY_SIZE;
+        ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        *outLen = ED448_PRV_KEY_SIZE;
+        XMEMCPY(out, key->k, ED448_PRV_KEY_SIZE);
+     }
+
+    return ret;
+}
+
+/* Export the ed448 private and public key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * priv    [in]      Array to hold private key.
+ * privSz  [in/out]  On in, the number of bytes in private key array.
+ * pub     [in]      Array to hold  public key.
+ * pubSz   [in/out]  On in, the number of bytes in public key array.
+ *                   On out, the number bytes put into array.
+ * returns BAD_FUNC_ARG when a parameter is NULL,
+ *         BUFFER_E when privSz is less than ED448_PRV_KEY_SIZE or pubSz is less
+ *         than ED448_PUB_KEY_SIZE,
+ *         0 otherwise.
+ */
+int wc_ed448_export_key(ed448_key* key, byte* priv, word32 *privSz,
+                        byte* pub, word32 *pubSz)
+{
+    int ret = 0;
+
+    /* export 'full' private part */
+    ret = wc_ed448_export_private(key, priv, privSz);
+    if (ret == 0) {
+        /* export public part */
+        ret = wc_ed448_export_public(key, pub, pubSz);
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_ED448_KEY_EXPORT */
+
+/* Check the public key of the ed448 key matches the private key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         PUBLIC_KEY_E when the public key is not set or doesn't match,
+ *         other -ve value on hash failure,
+ *         0 otherwise.
+ */
+int wc_ed448_check_key(ed448_key* key)
+{
+    int ret = 0;
+    unsigned char pubKey[ED448_PUB_KEY_SIZE];
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (!key->pubKeySet) {
+        ret = PUBLIC_KEY_E;
+    }
+    if (ret == 0) {
+        ret = wc_ed448_make_public(key, pubKey, sizeof(pubKey));
+    }
+    if ((ret == 0) && (XMEMCMP(pubKey, key->p, ED448_PUB_KEY_SIZE) != 0)) {
+        ret = PUBLIC_KEY_E;
+    }
+
+    return ret;
+}
+
+/* Returns the size of an ed448 private key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         ED448_KEY_SIZE otherwise.
+ */
+int wc_ed448_size(ed448_key* key)
+{
+    int ret = ED448_KEY_SIZE;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+/* Returns the size of an ed448 private plus public key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         ED448_PRV_KEY_SIZE otherwise.
+ */
+int wc_ed448_priv_size(ed448_key* key)
+{
+    int ret = ED448_PRV_KEY_SIZE;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+/* Returns the size of an ed448 public key.
+ *
+ * key     [in]      Ed448 private/public key.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         ED448_PUB_KEY_SIZE otherwise.
+ */
+int wc_ed448_pub_size(ed448_key* key)
+{
+    int ret = ED448_PUB_KEY_SIZE;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+/* Returns the size of an ed448 signature.
+ *
+ * key     [in]      Ed448 private/public key.
+ * returns BAD_FUNC_ARG when key is NULL,
+ *         ED448_SIG_SIZE otherwise.
+ */
+int wc_ed448_sig_size(ed448_key* key)
+{
+    int ret = ED448_SIG_SIZE;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_ED448 */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/error.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/error.c
index 7d1d5ebe7..87ded35d6 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/error.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/error.c
@@ -1,8 +1,8 @@
 /* error.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -32,15 +33,9 @@
     #pragma warning(disable: 4996)
 #endif
 
+#ifndef NO_ERROR_STRINGS
 const char* wc_GetErrorString(int error)
 {
-#ifdef NO_ERROR_STRINGS
-
-    (void)error;
-    return "no support for error strings built in";
-
-#else
-
     switch (error) {
 
     case OPEN_RAN_E :
@@ -61,6 +56,15 @@ const char* wc_GetErrorString(int error)
     case BAD_MUTEX_E :
         return "Bad mutex, operation failed";
 
+    case WC_TIMEOUT_E:
+        return "Timeout error";
+
+    case WC_PENDING_E:
+        return "wolfCrypt Operation Pending (would block / eagain) error";
+
+    case WC_NOT_PENDING_E:
+        return "wolfCrypt operation not pending error";
+
     case MP_INIT_E :
         return "mp_init error state";
 
@@ -100,6 +104,9 @@ const char* wc_GetErrorString(int error)
     case MEMORY_E :
         return "out of memory error";
 
+    case VAR_STATE_CHANGE_E :
+        return "Variable state modified by different thread";
+
     case RSA_WRONG_TYPE_E :
         return "RSA wrong block type for RSA function";
 
@@ -110,7 +117,7 @@ const char* wc_GetErrorString(int error)
         return "Buffer error, output too small or input too big";
 
     case ALGO_ID_E :
-        return "Setting Cert AlogID error";
+        return "Setting Cert AlgoID error";
 
     case PUBLIC_KEY_E :
         return "Setting Cert Public Key error";
@@ -170,7 +177,7 @@ const char* wc_GetErrorString(int error)
         return "ASN signature error, mismatched oid";
 
     case ASN_TIME_E :
-        return "ASN time error, unkown time type";
+        return "ASN time error, unknown time type";
 
     case ASN_INPUT_E :
         return "ASN input error, not enough data";
@@ -191,7 +198,10 @@ const char* wc_GetErrorString(int error)
         return "ASN NTRU key decode error, invalid input";
 
     case ASN_CRIT_EXT_E:
-        return "X.509 Critical extension ignored";
+        return "X.509 Critical extension ignored or invalid";
+
+    case ASN_ALT_NAME_E:
+        return "ASN alternate name error";
 
     case ECC_BAD_ARG_E :
         return "ECC input argument wrong type, invalid input";
@@ -223,8 +233,8 @@ const char* wc_GetErrorString(int error)
     case AES_CCM_AUTH_E:
         return "AES-CCM Authentication check fail";
 
-    case CAVIUM_INIT_E:
-        return "Cavium Init type error";
+    case ASYNC_INIT_E:
+        return "Async Init error";
 
     case COMPRESS_INIT_E:
         return "Compress Init error";
@@ -253,8 +263,11 @@ const char* wc_GetErrorString(int error)
     case ASN_OCSP_CONFIRM_E :
         return "ASN OCSP sig error, confirm failure";
 
-    case BAD_ENC_STATE_E:
-        return "Bad ecc encrypt state operation";
+    case ASN_NO_PEM_HEADER:
+        return "ASN no PEM Header Error";
+
+    case BAD_STATE_E:
+        return "Bad state operation";
 
     case BAD_PADDING_E:
         return "Bad padding, message wrong length";
@@ -268,6 +281,9 @@ const char* wc_GetErrorString(int error)
     case PKCS7_RECIP_E:
         return "PKCS#7 error: no matching recipient found";
 
+    case WC_PKCS7_WANT_READ_E:
+        return "PKCS#7 operations wants more input, call again";
+
     case FIPS_NOT_ALLOWED_E:
         return "FIPS mode not allowed error";
 
@@ -325,19 +341,190 @@ const char* wc_GetErrorString(int error)
     case ECC_INF_E:
         return " ECC point at infinity error";
 
+    case ECC_OUT_OF_RANGE_E:
+        return " ECC Qx or Qy out of range error";
+
     case ECC_PRIV_KEY_E:
         return " ECC private key is not valid error";
 
+    case SRP_CALL_ORDER_E:
+        return "SRP function called in the wrong order error";
+
+    case SRP_VERIFY_E:
+        return "SRP proof verification error";
+
+    case SRP_BAD_KEY_E:
+        return "SRP bad key values error";
+
+    case ASN_NO_SKID:
+        return "ASN no Subject Key Identifier found error";
+
+    case ASN_NO_AKID:
+        return "ASN no Authority Key Identifier found error";
+
+    case ASN_NO_KEYUSAGE:
+        return "ASN no Key Usage found error";
+
+    case SKID_E:
+        return "Setting Subject Key Identifier error";
+
+    case AKID_E:
+        return "Setting Authority Key Identifier error";
+
+    case KEYUSAGE_E:
+        return "Key Usage value error";
+
+    case EXTKEYUSAGE_E:
+        return "Extended Key Usage value error";
+
+    case CERTPOLICIES_E:
+        return "Setting Certificate Policies error";
+
+    case WC_INIT_E:
+        return "wolfCrypt Initialize Failure error";
+
+    case SIG_VERIFY_E:
+        return "Signature verify error";
+
+    case BAD_COND_E:
+        return "Bad condition variable operation error";
+
+    case SIG_TYPE_E:
+        return "Signature type not enabled/available";
+
+    case HASH_TYPE_E:
+        return "Hash type not enabled/available";
+
+    case WC_KEY_SIZE_E:
+        return "Key size error, either too small or large";
+
+    case ASN_COUNTRY_SIZE_E:
+        return "Country code size error, either too small or large";
+
+    case MISSING_RNG_E:
+        return "RNG required but not provided";
+
+    case ASN_PATHLEN_SIZE_E:
+        return "ASN CA path length value too large error";
+
+    case ASN_PATHLEN_INV_E:
+        return "ASN CA path length larger than signer error";
+
+    case BAD_KEYWRAP_ALG_E:
+        return "Unsupported key wrap algorithm error";
+
+    case BAD_KEYWRAP_IV_E:
+        return "Decrypted AES key wrap IV does not match expected";
+
+    case WC_CLEANUP_E:
+        return "wolfcrypt cleanup failed";
+
+    case ECC_CDH_KAT_FIPS_E:
+        return "wolfcrypt FIPS ECC CDH Known Answer Test Failure";
+
+    case DH_CHECK_PUB_E:
+        return "DH Check Public Key failure";
+
+    case BAD_PATH_ERROR:
+        return "Bad path for opendir error";
+
+    case ASYNC_OP_E:
+        return "Async operation error";
+
+    case BAD_OCSP_RESPONDER:
+        return "Invalid OCSP Responder, missing specific key usage extensions";
+
+    case ECC_PRIVATEONLY_E:
+        return "Invalid use of private only ECC key";
+
+    case WC_HW_E:
+        return "Error with hardware crypto use";
+
+    case WC_HW_WAIT_E:
+        return "Hardware waiting on resource";
+
+    case PSS_SALTLEN_E:
+        return "PSS - Length of salt is too big for hash algorithm";
+
+    case PRIME_GEN_E:
+        return "Unable to find a prime for RSA key";
+
+    case BER_INDEF_E:
+        return "Unable to decode an indefinite length encoded message";
+
+    case RSA_OUT_OF_RANGE_E:
+        return "Ciphertext to decrypt is out of range";
+
+    case RSAPSS_PAT_FIPS_E:
+        return "wolfcrypt FIPS RSA-PSS Pairwise Agreement Test Failure";
+
+    case ECDSA_PAT_FIPS_E:
+        return "wolfcrypt FIPS ECDSA Pairwise Agreement Test Failure";
+
+    case DH_KAT_FIPS_E:
+        return "wolfcrypt FIPS DH Known Answer Test Failure";
+
+    case AESCCM_KAT_FIPS_E:
+        return "AESCCM Known Answer Test check FIPS error";
+
+    case SHA3_KAT_FIPS_E:
+        return "SHA-3 Known Answer Test check FIPS error";
+
+    case ECDHE_KAT_FIPS_E:
+        return "wolfcrypt FIPS ECDHE Known Answer Test Failure";
+
+    case AES_GCM_OVERFLOW_E:
+        return "AES-GCM invocation counter overflow";
+
+    case AES_CCM_OVERFLOW_E:
+        return "AES-CCM invocation counter overflow";
+
+    case RSA_KEY_PAIR_E:
+        return "RSA Key Pair-Wise Consistency check fail";
+
+    case DH_CHECK_PRIV_E:
+        return "DH Check Private Key failure";
+
+    case WC_AFALG_SOCK_E:
+        return "AF_ALG socket error";
+
+    case WC_DEVCRYPTO_E:
+        return "Error with /dev/crypto";
+
+    case ZLIB_INIT_ERROR:
+        return "zlib init error";
+
+    case ZLIB_COMPRESS_ERROR:
+        return "zlib compress error";
+
+    case ZLIB_DECOMPRESS_ERROR:
+        return "zlib decompress error";
+
+    case PKCS7_NO_SIGNER_E:
+        return "No signer in PKCS#7 signed data";
+
+    case CRYPTOCB_UNAVAILABLE:
+        return "Crypto callback unavailable";
+
+    case PKCS7_SIGNEEDS_CHECK:
+        return "Signature found but no certificate to verify";
+
+    case PSS_SALTLEN_RECOVER_E:
+        return "PSS - Salt length unable to be recovered";
+
+    case ASN_SELF_SIGNED_E:
+        return "ASN self-signed certificate error";
+
     default:
         return "unknown error number";
 
     }
-
-#endif /* NO_ERROR_STRINGS */
-
 }
 
 void wc_ErrorString(int error, char* buffer)
 {
     XSTRNCPY(buffer, wc_GetErrorString(error), WOLFSSL_MAX_ERROR_SZ);
+    buffer[WOLFSSL_MAX_ERROR_SZ-1] = 0;
 }
+#endif /* !NO_ERROR_STRINGS */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/evp.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/evp.c
new file mode 100644
index 000000000..d9207900c
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/evp.c
@@ -0,0 +1,6595 @@
+/* evp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#if !defined(WOLFSSL_EVP_INCLUDED)
+    #ifndef WOLFSSL_IGNORE_FILE_WARN
+        #warning evp.c does not need to be compiled separately from ssl.c
+    #endif
+#elif defined(WOLFCRYPT_ONLY)
+#else
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#include <wolfssl/openssl/ecdsa.h>
+#include <wolfssl/openssl/evp.h>
+
+#if defined(OPENSSL_EXTRA)
+
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_CBC = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_CBC = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_CBC = NULL;
+    #endif
+    #endif /* HAVE_AES_CBC */
+
+    #ifdef WOLFSSL_AES_OFB
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_OFB = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_OFB = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_OFB = NULL;
+    #endif
+    #endif /* WOLFSSL_AES_OFB */
+
+    #ifdef WOLFSSL_AES_XTS
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_XTS = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_XTS = NULL;
+    #endif
+    #endif /* WOLFSSL_AES_XTS */
+
+    #ifdef WOLFSSL_AES_CFB
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_CFB1 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_CFB1 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_CFB1 = NULL;
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_CFB8 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_CFB8 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_CFB8 = NULL;
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_CFB128 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_CFB128 = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_CFB128 = NULL;
+    #endif
+    #endif /* WOLFSSL_AES_CFB */
+
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+            static char *EVP_AES_128_GCM = NULL;
+        #endif
+        #ifdef WOLFSSL_AES_192
+            static char *EVP_AES_192_GCM = NULL;
+        #endif
+        #ifdef WOLFSSL_AES_256
+            static char *EVP_AES_256_GCM = NULL;
+        #endif
+    #endif /* HAVE_AESGCM */
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_CTR = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_CTR = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_CTR = NULL;
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+        static char *EVP_AES_128_ECB = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        static char *EVP_AES_192_ECB = NULL;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        static char *EVP_AES_256_ECB = NULL;
+    #endif
+        #define      EVP_AES_SIZE 11
+    #ifdef WOLFSSL_AES_CFB
+        #define      EVP_AESCFB_SIZE 14
+    #endif
+#endif
+
+#ifndef NO_DES3
+    static char *EVP_DES_CBC = NULL;
+    static char *EVP_DES_ECB = NULL;
+
+    static char *EVP_DES_EDE3_CBC = NULL;
+    static char *EVP_DES_EDE3_ECB = NULL;
+
+    #define EVP_DES_SIZE 7
+    #define EVP_DES_EDE3_SIZE 12
+#endif
+
+#ifdef HAVE_IDEA
+    static char *EVP_IDEA_CBC;
+    #define EVP_IDEA_SIZE 8
+#endif
+
+static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher);
+
+
+/* Getter function for cipher key length
+ *
+ * c  WOLFSSL_EVP_CIPHER structure to get key length from
+ *
+ * NOTE: OpenSSL_add_all_ciphers() should be called first before using this
+ *       function
+ *
+ * Returns size of key in bytes
+ */
+int wolfSSL_EVP_Cipher_key_length(const WOLFSSL_EVP_CIPHER* c)
+{
+    WOLFSSL_ENTER("wolfSSL_EVP_Cipher_key_length");
+
+    if (c == NULL) {
+        return 0;
+    }
+
+    switch (cipherType(c)) {
+#if !defined(NO_AES)
+  #if defined(HAVE_AES_CBC)
+      case AES_128_CBC_TYPE: return 16;
+      case AES_192_CBC_TYPE: return 24;
+      case AES_256_CBC_TYPE: return 32;
+  #endif
+  #if defined(WOLFSSL_AES_CFB)
+      case AES_128_CFB1_TYPE: return 16;
+      case AES_192_CFB1_TYPE: return 24;
+      case AES_256_CFB1_TYPE: return 32;
+      case AES_128_CFB8_TYPE: return 16;
+      case AES_192_CFB8_TYPE: return 24;
+      case AES_256_CFB8_TYPE: return 32;
+      case AES_128_CFB128_TYPE: return 16;
+      case AES_192_CFB128_TYPE: return 24;
+      case AES_256_CFB128_TYPE: return 32;
+  #endif
+  #if defined(WOLFSSL_AES_OFB)
+      case AES_128_OFB_TYPE: return 16;
+      case AES_192_OFB_TYPE: return 24;
+      case AES_256_OFB_TYPE: return 32;
+  #endif
+  #if defined(WOLFSSL_AES_XTS)
+      case AES_128_XTS_TYPE: return 16;
+      case AES_256_XTS_TYPE: return 32;
+  #endif
+  #if defined(HAVE_AESGCM)
+      case AES_128_GCM_TYPE: return 16;
+      case AES_192_GCM_TYPE: return 24;
+      case AES_256_GCM_TYPE: return 32;
+  #endif
+  #if defined(WOLFSSL_AES_COUNTER)
+      case AES_128_CTR_TYPE: return 16;
+      case AES_192_CTR_TYPE: return 24;
+      case AES_256_CTR_TYPE: return 32;
+  #endif
+  #if defined(HAVE_AES_ECB)
+      case AES_128_ECB_TYPE: return 16;
+      case AES_192_ECB_TYPE: return 24;
+      case AES_256_ECB_TYPE: return 32;
+  #endif
+#endif /* !NO_AES */
+  #ifndef NO_DES3
+      case DES_CBC_TYPE:      return 8;
+      case DES_EDE3_CBC_TYPE: return 24;
+      case DES_ECB_TYPE:      return 8;
+      case DES_EDE3_ECB_TYPE: return 24;
+  #endif
+      default:
+          return 0;
+      }
+}
+
+
+int  wolfSSL_EVP_EncryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                        const WOLFSSL_EVP_CIPHER* type,
+                                        const unsigned char* key,
+                                        const unsigned char* iv)
+{
+    return wolfSSL_EVP_CipherInit(ctx, type, (byte*)key, (byte*)iv, 1);
+}
+
+int  wolfSSL_EVP_EncryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                        const WOLFSSL_EVP_CIPHER* type,
+                                        WOLFSSL_ENGINE *impl,
+                                        const unsigned char* key,
+                                        const unsigned char* iv)
+{
+    (void) impl;
+    return wolfSSL_EVP_CipherInit(ctx, type, (byte*)key, (byte*)iv, 1);
+}
+
+int  wolfSSL_EVP_DecryptInit(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                        const WOLFSSL_EVP_CIPHER* type,
+                                        const unsigned char* key,
+                                        const unsigned char* iv)
+{
+    WOLFSSL_ENTER("wolfSSL_EVP_CipherInit");
+    return wolfSSL_EVP_CipherInit(ctx, type, (byte*)key, (byte*)iv, 0);
+}
+
+int  wolfSSL_EVP_DecryptInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                        const WOLFSSL_EVP_CIPHER* type,
+                                        WOLFSSL_ENGINE *impl,
+                                        const unsigned char* key,
+                                        const unsigned char* iv)
+{
+    (void) impl;
+    WOLFSSL_ENTER("wolfSSL_EVP_DecryptInit");
+    return wolfSSL_EVP_CipherInit(ctx, type, (byte*)key, (byte*)iv, 0);
+}
+
+
+WOLFSSL_EVP_CIPHER_CTX *wolfSSL_EVP_CIPHER_CTX_new(void)
+{
+    WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX*)XMALLOC(sizeof *ctx,
+                                                 NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ctx) {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_new");
+        wolfSSL_EVP_CIPHER_CTX_init(ctx);
+    }
+    return ctx;
+}
+
+void wolfSSL_EVP_CIPHER_CTX_free(WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+    if (ctx) {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_free");
+        wolfSSL_EVP_CIPHER_CTX_cleanup(ctx);
+        XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+}
+
+int wolfSSL_EVP_CIPHER_CTX_reset(WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+    int ret = WOLFSSL_FAILURE;
+
+    if (ctx != NULL) {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_reset");
+        wolfSSL_EVP_CIPHER_CTX_cleanup(ctx);
+        ret = WOLFSSL_SUCCESS;
+    }
+
+    return ret;
+}
+
+unsigned long wolfSSL_EVP_CIPHER_CTX_mode(const WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+  if (ctx == NULL) return 0;
+  return ctx->flags & WOLFSSL_EVP_CIPH_MODE;
+}
+
+int  wolfSSL_EVP_EncryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl)
+{
+    if (ctx && ctx->enc) {
+        WOLFSSL_ENTER("wolfSSL_EVP_EncryptFinal");
+        return wolfSSL_EVP_CipherFinal(ctx, out, outl);
+    }
+    else
+        return WOLFSSL_FAILURE;
+}
+
+
+int  wolfSSL_EVP_CipherInit_ex(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                    const WOLFSSL_EVP_CIPHER* type,
+                                    WOLFSSL_ENGINE *impl,
+                                    const unsigned char* key,
+                                    const unsigned char* iv,
+                                    int enc)
+{
+    (void)impl;
+    return wolfSSL_EVP_CipherInit(ctx, type, key, iv, enc);
+}
+
+int  wolfSSL_EVP_EncryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl)
+{
+    if (ctx && ctx->enc) {
+        WOLFSSL_ENTER("wolfSSL_EVP_EncryptFinal_ex");
+        return wolfSSL_EVP_CipherFinal(ctx, out, outl);
+    }
+    else
+        return WOLFSSL_FAILURE;
+}
+
+int  wolfSSL_EVP_DecryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl)
+{
+    if (ctx && !ctx->enc) {
+        WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal");
+        return wolfSSL_EVP_CipherFinal(ctx, out, outl);
+    }
+    else {
+        return WOLFSSL_FAILURE;
+    }
+}
+
+int  wolfSSL_EVP_DecryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl)
+{
+    if (ctx && !ctx->enc) {
+        WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal_ex");
+        return wolfSSL_EVP_CipherFinal(ctx, out, outl);
+    }
+    else {
+        return WOLFSSL_FAILURE;
+    }
+}
+
+
+int wolfSSL_EVP_DigestInit_ex(WOLFSSL_EVP_MD_CTX* ctx,
+                                     const WOLFSSL_EVP_MD* type,
+                                     WOLFSSL_ENGINE *impl)
+{
+    (void) impl;
+    WOLFSSL_ENTER("wolfSSL_EVP_DigestInit_ex");
+    return wolfSSL_EVP_DigestInit(ctx, type);
+}
+
+#ifdef DEBUG_WOLFSSL_EVP
+#define PRINT_BUF(b, sz) { int _i; for(_i=0; _i<(sz); _i++) { \
+  printf("%02x(%c),", (b)[_i], (b)[_i]); if ((_i+1)%8==0)printf("\n");}}
+#else
+#define PRINT_BUF(b, sz)
+#endif
+
+static int fillBuff(WOLFSSL_EVP_CIPHER_CTX *ctx, const unsigned char *in, int sz)
+{
+    int fill;
+
+    if (sz > 0) {
+        if ((sz+ctx->bufUsed) > ctx->block_size) {
+            fill = ctx->block_size - ctx->bufUsed;
+        } else {
+            fill = sz;
+        }
+        XMEMCPY(&(ctx->buf[ctx->bufUsed]), in, fill);
+        ctx->bufUsed += fill;
+        return fill;
+    } else return 0;
+}
+
+static int evpCipherBlock(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out,
+                                   const unsigned char *in, int inl)
+{
+    int ret = 0;
+
+    switch (ctx->cipherType) {
+#if !defined(NO_AES)
+    #if defined(HAVE_AES_CBC)
+        case AES_128_CBC_TYPE:
+        case AES_192_CBC_TYPE:
+        case AES_256_CBC_TYPE:
+            if (ctx->enc)
+                ret = wc_AesCbcEncrypt(&ctx->cipher.aes, out, in, inl);
+            else
+                ret = wc_AesCbcDecrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif
+    #if defined(HAVE_AESGCM)
+        case AES_128_GCM_TYPE:
+        case AES_192_GCM_TYPE:
+        case AES_256_GCM_TYPE:
+            if (ctx->enc) {
+                if (out){
+                    /* encrypt confidential data*/
+                    ret = wc_AesGcmEncrypt(&ctx->cipher.aes, out, in, inl,
+                              ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                              NULL, 0);
+                }
+                else {
+                    /* authenticated, non-confidential data */
+                    ret = wc_AesGcmEncrypt(&ctx->cipher.aes, NULL, NULL, 0,
+                              ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                              in, inl);
+                    /* Reset partial authTag error for AAD*/
+                    if (ret == AES_GCM_AUTH_E)
+                        ret = 0;
+                }
+            }
+            else {
+                if (out){
+                    /* decrypt confidential data*/
+                    ret = wc_AesGcmDecrypt(&ctx->cipher.aes, out, in, inl,
+                              ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                              NULL, 0);
+                }
+                else {
+                    /* authenticated, non-confidential data*/
+                    ret = wc_AesGcmDecrypt(&ctx->cipher.aes, NULL, NULL, 0,
+                              ctx->iv, ctx->ivSz,
+                              ctx->authTag, ctx->authTagSz,
+                              in, inl);
+                    /* Reset partial authTag error for AAD*/
+                    if (ret == AES_GCM_AUTH_E)
+                        ret = 0;
+                }
+            }
+            break;
+    #endif
+    #if defined(WOLFSSL_AES_COUNTER)
+        case AES_128_CTR_TYPE:
+        case AES_192_CTR_TYPE:
+        case AES_256_CTR_TYPE:
+            ret = wc_AesCtrEncrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif
+    #if defined(HAVE_AES_ECB)
+        case AES_128_ECB_TYPE:
+        case AES_192_ECB_TYPE:
+        case AES_256_ECB_TYPE:
+            if (ctx->enc)
+                ret = wc_AesEcbEncrypt(&ctx->cipher.aes, out, in, inl);
+            else
+                ret = wc_AesEcbDecrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif
+    #if defined(WOLFSSL_AES_OFB)
+        case AES_128_OFB_TYPE:
+        case AES_192_OFB_TYPE:
+        case AES_256_OFB_TYPE:
+            if (ctx->enc)
+                ret = wc_AesOfbEncrypt(&ctx->cipher.aes, out, in, inl);
+            else
+                ret = wc_AesOfbDecrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif
+    #if defined(WOLFSSL_AES_CFB)
+    #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+        case AES_128_CFB1_TYPE:
+        case AES_192_CFB1_TYPE:
+        case AES_256_CFB1_TYPE:
+            if (ctx->enc)
+                ret = wc_AesCfb1Encrypt(&ctx->cipher.aes, out, in,
+                        inl * WOLFSSL_BIT_SIZE);
+            else
+                ret = wc_AesCfb1Decrypt(&ctx->cipher.aes, out, in,
+                        inl * WOLFSSL_BIT_SIZE);
+            break;
+
+        case AES_128_CFB8_TYPE:
+        case AES_192_CFB8_TYPE:
+        case AES_256_CFB8_TYPE:
+            if (ctx->enc)
+                ret = wc_AesCfb8Encrypt(&ctx->cipher.aes, out, in, inl);
+            else
+                ret = wc_AesCfb8Decrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif /* !HAVE_SELFTEST && !HAVE_FIPS */
+
+        case AES_128_CFB128_TYPE:
+        case AES_192_CFB128_TYPE:
+        case AES_256_CFB128_TYPE:
+            if (ctx->enc)
+                ret = wc_AesCfbEncrypt(&ctx->cipher.aes, out, in, inl);
+            else
+                ret = wc_AesCfbDecrypt(&ctx->cipher.aes, out, in, inl);
+            break;
+    #endif
+#if defined(WOLFSSL_AES_XTS)
+    case AES_128_XTS_TYPE:
+    case AES_256_XTS_TYPE:
+        if (ctx->enc)
+            ret = wc_AesXtsEncrypt(&ctx->cipher.xts, out, in, inl,
+                    ctx->iv, ctx->ivSz);
+        else
+            ret = wc_AesXtsDecrypt(&ctx->cipher.xts, out, in, inl,
+                    ctx->iv, ctx->ivSz);
+        break;
+#endif
+#endif /* !NO_AES */
+    #ifndef NO_DES3
+        case DES_CBC_TYPE:
+            if (ctx->enc)
+                ret = wc_Des_CbcEncrypt(&ctx->cipher.des, out, in, inl);
+            else
+                ret = wc_Des_CbcDecrypt(&ctx->cipher.des, out, in, inl);
+            break;
+        case DES_EDE3_CBC_TYPE:
+            if (ctx->enc)
+                ret = wc_Des3_CbcEncrypt(&ctx->cipher.des3, out, in, inl);
+            else
+                ret = wc_Des3_CbcDecrypt(&ctx->cipher.des3, out, in, inl);
+            break;
+        #if defined(WOLFSSL_DES_ECB)
+        case DES_ECB_TYPE:
+            ret = wc_Des_EcbEncrypt(&ctx->cipher.des, out, in, inl);
+            break;
+        case DES_EDE3_ECB_TYPE:
+            ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl);
+            break;
+        #endif
+    #endif
+    #ifndef NO_RC4
+        case ARC4_TYPE:
+            wc_Arc4Process(&ctx->cipher.arc4, out, in, inl);
+        break;
+    #endif
+        default:
+            return WOLFSSL_FAILURE;
+    }
+
+    if (ret != 0)
+        return WOLFSSL_FAILURE; /* failure */
+
+    (void)in;
+    (void)inl;
+    (void)out;
+
+    return WOLFSSL_SUCCESS; /* success */
+}
+
+#if defined(HAVE_AESGCM)
+static int wolfSSL_EVP_CipherUpdate_GCM(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl,
+                                   const unsigned char *in, int inl)
+{
+    /* process blocks */
+    if (evpCipherBlock(ctx, out, in, inl) == 0)
+        return WOLFSSL_FAILURE;
+    *outl = inl;
+    return WOLFSSL_SUCCESS;
+}
+#endif
+
+/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
+WOLFSSL_API int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl,
+                                   const unsigned char *in, int inl)
+{
+    int blocks;
+    int fill;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_CipherUpdate");
+    if ((ctx == NULL) || (inl < 0) || (outl == NULL)|| (in == NULL)) {
+        WOLFSSL_MSG("Bad argument");
+        return WOLFSSL_FAILURE;
+    }
+
+    *outl = 0;
+    if (inl == 0) {
+        return WOLFSSL_SUCCESS;
+    }
+
+#if !defined(NO_AES) && defined(HAVE_AESGCM)
+        switch (ctx->cipherType) {
+            case AES_128_GCM_TYPE:
+            case AES_192_GCM_TYPE:
+            case AES_256_GCM_TYPE:
+/* if out == NULL, in/inl contains the additional authenticated data for GCM */
+                return wolfSSL_EVP_CipherUpdate_GCM(ctx, out, outl, in, inl);
+            default:
+                /* fall-through */
+                break;
+        }
+#endif /* !defined(NO_AES) && defined(HAVE_AESGCM) */
+
+    if (out == NULL) {
+        return WOLFSSL_FAILURE;
+    }
+
+
+    if (ctx->bufUsed > 0) { /* concatenate them if there is anything */
+        fill = fillBuff(ctx, in, inl);
+        inl -= fill;
+        in  += fill;
+    }
+
+    /* check if the buff is full, and if so flash it out */
+    if (ctx->bufUsed == ctx->block_size) {
+        byte* output = out;
+
+        /* During decryption we save the last block to check padding on Final.
+         * Update the last block stored if one has already been stored */
+        if (ctx->enc == 0) {
+            if (ctx->lastUsed == 1) {
+                XMEMCPY(out, ctx->lastBlock, ctx->block_size);
+                *outl+= ctx->block_size;
+                out  += ctx->block_size;
+            }
+            output = ctx->lastBlock; /* redirect output to last block buffer */
+            ctx->lastUsed = 1;
+        }
+
+        PRINT_BUF(ctx->buf, ctx->block_size);
+        if (evpCipherBlock(ctx, output, ctx->buf, ctx->block_size) == 0) {
+            return WOLFSSL_FAILURE;
+        }
+        PRINT_BUF(out, ctx->block_size);
+        ctx->bufUsed = 0;
+
+        /* if doing encryption update the new output block, decryption will
+         * always have the last block saved for when Final is called */
+        if ((ctx->enc != 0)) {
+            *outl+= ctx->block_size;
+            out  += ctx->block_size;
+        }
+    }
+
+    blocks = inl / ctx->block_size;
+    if (blocks > 0) {
+        /* During decryption we save the last block to check padding on Final.
+         * Update the last block stored if one has already been stored */
+        if ((ctx->enc == 0) && (ctx->lastUsed == 1)) {
+            PRINT_BUF(ctx->lastBlock, ctx->block_size);
+            XMEMCPY(out, ctx->lastBlock, ctx->block_size);
+            *outl += ctx->block_size;
+            out += ctx->block_size;
+            ctx->lastUsed = 0;
+        }
+
+        /* process blocks */
+        if (evpCipherBlock(ctx, out, in, blocks * ctx->block_size) == 0) {
+            return WOLFSSL_FAILURE;
+        }
+        PRINT_BUF(in, ctx->block_size*blocks);
+        PRINT_BUF(out,ctx->block_size*blocks);
+        inl  -= ctx->block_size * blocks;
+        in   += ctx->block_size * blocks;
+        if (ctx->enc == 0) {
+            if ((ctx->flags & WOLFSSL_EVP_CIPH_NO_PADDING) ||
+                    (ctx->block_size == 1)) {
+                ctx->lastUsed = 0;
+                *outl += ctx->block_size * blocks;
+            } else {
+                /* in the case of decryption and padding, store the last block
+                 * here in order to verify the padding when Final is called */
+                if (inl == 0) { /* if not 0 then we know leftovers are checked*/
+                    ctx->lastUsed = 1;
+                    blocks = blocks - 1; /* save last block to check padding in
+                                          * EVP_CipherFinal call */
+                    XMEMCPY(ctx->lastBlock, &out[ctx->block_size * blocks],
+                            ctx->block_size);
+                }
+                *outl += ctx->block_size * blocks;
+            }
+        } else {
+            *outl += ctx->block_size * blocks;
+        }
+    }
+
+
+    if (inl > 0) {
+        /* put fraction into buff */
+        fillBuff(ctx, in, inl);
+        /* no increase of outl */
+    }
+    (void)out; /* silence warning in case not read */
+
+    return WOLFSSL_SUCCESS;
+}
+
+static void padBlock(WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+    int i;
+    for (i = ctx->bufUsed; i < ctx->block_size; i++)
+        ctx->buf[i] = (byte)(ctx->block_size - ctx->bufUsed);
+}
+
+static int checkPad(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *buff)
+{
+    int i;
+    int n;
+    n = buff[ctx->block_size-1];
+    if (n > ctx->block_size) return -1;
+    for (i = 0; i < n; i++) {
+        if (buff[ctx->block_size-i-1] != n)
+            return -1;
+    }
+    return ctx->block_size - n;
+}
+
+int  wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx,
+                                   unsigned char *out, int *outl)
+{
+    int fl;
+    int ret = WOLFSSL_SUCCESS;
+    if (!ctx || !outl)
+        return WOLFSSL_FAILURE;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_CipherFinal");
+
+#if !defined(NO_AES) && defined(HAVE_AESGCM)
+        switch (ctx->cipherType) {
+            case AES_128_GCM_TYPE:
+            case AES_192_GCM_TYPE:
+            case AES_256_GCM_TYPE:
+                *outl = 0;
+                /* Clear IV, since IV reuse is not recommended for AES GCM. */
+                XMEMSET(ctx->iv, 0, AES_BLOCK_SIZE);
+                return WOLFSSL_SUCCESS;
+            default:
+                /* fall-through */
+                break;
+        }
+#endif /* !NO_AES && HAVE_AESGCM */
+
+    if (!out)
+        return WOLFSSL_FAILURE;
+
+    if (ctx->flags & WOLFSSL_EVP_CIPH_NO_PADDING) {
+        if (ctx->bufUsed != 0) return WOLFSSL_FAILURE;
+        *outl = 0;
+    }
+    else if (ctx->enc) {
+        if (ctx->block_size == 1) {
+            *outl = 0;
+        }
+        else if ((ctx->bufUsed >= 0) && (ctx->block_size != 1)) {
+            padBlock(ctx);
+            PRINT_BUF(ctx->buf, ctx->block_size);
+            if (evpCipherBlock(ctx, out, ctx->buf, ctx->block_size) == 0) {
+                WOLFSSL_MSG("Final Cipher Block failed");
+                ret = WOLFSSL_FAILURE;
+            }
+            else {
+                PRINT_BUF(out, ctx->block_size);
+                *outl = ctx->block_size;
+            }
+        }
+    }
+    else {
+        if (ctx->block_size == 1) {
+            *outl = 0;
+        }
+        else if ((ctx->bufUsed % ctx->block_size) != 0) {
+            *outl = 0;
+            /* not enough padding for decrypt */
+            WOLFSSL_MSG("Final Cipher Block not enough padding");
+            ret = WOLFSSL_FAILURE;
+        }
+        else if (ctx->lastUsed) {
+            PRINT_BUF(ctx->lastBlock, ctx->block_size);
+            if ((fl = checkPad(ctx, ctx->lastBlock)) >= 0) {
+                XMEMCPY(out, ctx->lastBlock, fl);
+                *outl = fl;
+                if (ctx->lastUsed == 0 && ctx->bufUsed == 0) {
+                    /* return error in cases where the block length is incorrect */
+                    WOLFSSL_MSG("Final Cipher Block bad length");
+                    ret = WOLFSSL_FAILURE;
+                }
+            }
+            else {
+                ret = WOLFSSL_FAILURE;
+            }
+        }
+        else if (ctx->lastUsed == 0 && ctx->bufUsed == 0) {
+            /* return error in cases where the block length is incorrect */
+            ret = WOLFSSL_FAILURE;
+        }
+    }
+    if (ret == WOLFSSL_SUCCESS) {
+        /* reset cipher state after final */
+        wolfSSL_EVP_CipherInit(ctx, NULL, NULL, NULL, -1);
+    }
+    return ret;
+}
+
+
+#ifdef WOLFSSL_EVP_DECRYPT_LEGACY
+/* This is a version of DecryptFinal to work with data encrypted with
+ * wolfSSL_EVP_EncryptFinal() with the broken padding. (pre-v3.12.0)
+ * Only call this after wolfSSL_EVP_CipherFinal() fails on a decrypt.
+ * Note, you don't know if the padding is good or bad with the old
+ * encrypt, but it is likely to be or bad. It will update the output
+ * length with the block_size so the last block is still captured. */
+WOLFSSL_API int  wolfSSL_EVP_DecryptFinal_legacy(WOLFSSL_EVP_CIPHER_CTX *ctx,
+        unsigned char *out, int *outl)
+{
+    int fl;
+    if (ctx == NULL || out == NULL || outl == NULL)
+        return BAD_FUNC_ARG;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal_legacy");
+    if (ctx->block_size == 1) {
+        *outl = 0;
+        return WOLFSSL_SUCCESS;
+    }
+    if ((ctx->bufUsed % ctx->block_size) != 0) {
+        *outl = 0;
+        /* not enough padding for decrypt */
+        return WOLFSSL_FAILURE;
+    }
+    /* The original behavior of CipherFinal() was like it is now,
+     * but checkPad would return 0 in case of a bad pad. It would
+     * treat the pad as 0, and leave the data in the output buffer,
+     * and not try to copy anything. This converts checkPad's -1 error
+     * code to block_size.
+     */
+    if (ctx->lastUsed) {
+        PRINT_BUF(ctx->lastBlock, ctx->block_size);
+        if ((fl = checkPad(ctx, ctx->lastBlock)) < 0) {
+            fl = ctx->block_size;
+        }
+        else {
+            XMEMCPY(out, ctx->lastBlock, fl);
+        }
+        *outl = fl;
+    }
+    /* return error in cases where the block length is incorrect */
+    if (ctx->lastUsed == 0 && ctx->bufUsed == 0) {
+        return WOLFSSL_FAILURE;
+    }
+
+    return WOLFSSL_SUCCESS;
+}
+#endif
+
+
+int wolfSSL_EVP_CIPHER_CTX_block_size(const WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+    if (ctx == NULL) return BAD_FUNC_ARG;
+    switch (ctx->cipherType) {
+#if !defined(NO_AES) || !defined(NO_DES3)
+#if !defined(NO_AES)
+#if defined(HAVE_AES_CBC)
+    case AES_128_CBC_TYPE:
+    case AES_192_CBC_TYPE:
+    case AES_256_CBC_TYPE:
+#endif
+#if defined(HAVE_AESGCM)
+    case AES_128_GCM_TYPE:
+    case AES_192_GCM_TYPE:
+    case AES_256_GCM_TYPE:
+#endif
+#if defined(WOLFSSL_AES_COUNTER)
+    case AES_128_CTR_TYPE:
+    case AES_192_CTR_TYPE:
+    case AES_256_CTR_TYPE:
+#endif
+#if defined(WOLFSSL_AES_CFB)
+    case AES_128_CFB1_TYPE:
+    case AES_192_CFB1_TYPE:
+    case AES_256_CFB1_TYPE:
+    case AES_128_CFB8_TYPE:
+    case AES_192_CFB8_TYPE:
+    case AES_256_CFB8_TYPE:
+    case AES_128_CFB128_TYPE:
+    case AES_192_CFB128_TYPE:
+    case AES_256_CFB128_TYPE:
+#endif
+#if defined(WOLFSSL_AES_OFB)
+    case AES_128_OFB_TYPE:
+    case AES_192_OFB_TYPE:
+    case AES_256_OFB_TYPE:
+#endif
+#if defined(WOLFSSL_AES_XTS)
+    case AES_128_XTS_TYPE:
+    case AES_256_XTS_TYPE:
+#endif
+
+    case AES_128_ECB_TYPE:
+    case AES_192_ECB_TYPE:
+    case AES_256_ECB_TYPE:
+#endif /* !NO_AES */
+#ifndef NO_DES3
+    case DES_CBC_TYPE:
+    case DES_ECB_TYPE:
+    case DES_EDE3_CBC_TYPE:
+    case DES_EDE3_ECB_TYPE:
+#endif
+        return ctx->block_size;
+#endif /* !NO_AES || !NO_DES3 */
+    default:
+        return 0;
+    }
+}
+
+static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher)
+{
+    if (cipher == NULL) return 0; /* dummy for #ifdef */
+#ifndef NO_DES3
+    else if (EVP_DES_CBC && XSTRNCMP(cipher, EVP_DES_CBC, EVP_DES_SIZE) == 0)
+        return DES_CBC_TYPE;
+    else if (EVP_DES_EDE3_CBC && XSTRNCMP(cipher, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0)
+        return DES_EDE3_CBC_TYPE;
+#if !defined(NO_DES3)
+    else if (EVP_DES_ECB && XSTRNCMP(cipher, EVP_DES_ECB, EVP_DES_SIZE) == 0)
+        return DES_ECB_TYPE;
+    else if (EVP_DES_EDE3_ECB && XSTRNCMP(cipher, EVP_DES_EDE3_ECB, EVP_DES_EDE3_SIZE) == 0)
+        return DES_EDE3_ECB_TYPE;
+#endif /* NO_DES3 && HAVE_AES_ECB */
+#endif
+#if !defined(NO_AES)
+#if defined(HAVE_AES_CBC)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_CBC && XSTRNCMP(cipher, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)
+        return AES_128_CBC_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_CBC && XSTRNCMP(cipher, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)
+        return AES_192_CBC_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_CBC && XSTRNCMP(cipher, EVP_AES_256_CBC, EVP_AES_SIZE) == 0)
+        return AES_256_CBC_TYPE;
+    #endif
+#endif /* HAVE_AES_CBC */
+#if defined(HAVE_AESGCM)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_GCM && XSTRNCMP(cipher, EVP_AES_128_GCM, EVP_AES_SIZE) == 0)
+        return AES_128_GCM_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_GCM && XSTRNCMP(cipher, EVP_AES_192_GCM, EVP_AES_SIZE) == 0)
+        return AES_192_GCM_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_GCM && XSTRNCMP(cipher, EVP_AES_256_GCM, EVP_AES_SIZE) == 0)
+        return AES_256_GCM_TYPE;
+    #endif
+#endif /* HAVE_AESGCM */
+#if defined(WOLFSSL_AES_COUNTER)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_CTR && XSTRNCMP(cipher, EVP_AES_128_CTR, EVP_AES_SIZE) == 0)
+        return AES_128_CTR_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_CTR && XSTRNCMP(cipher, EVP_AES_192_CTR, EVP_AES_SIZE) == 0)
+        return AES_192_CTR_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_CTR && XSTRNCMP(cipher, EVP_AES_256_CTR, EVP_AES_SIZE) == 0)
+        return AES_256_CTR_TYPE;
+    #endif
+#endif /* HAVE_AES_CBC */
+#if defined(HAVE_AES_ECB)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_ECB && XSTRNCMP(cipher, EVP_AES_128_ECB, EVP_AES_SIZE) == 0)
+        return AES_128_ECB_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_ECB && XSTRNCMP(cipher, EVP_AES_192_ECB, EVP_AES_SIZE) == 0)
+        return AES_192_ECB_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_ECB && XSTRNCMP(cipher, EVP_AES_256_ECB, EVP_AES_SIZE) == 0)
+        return AES_256_ECB_TYPE;
+    #endif
+#endif /*HAVE_AES_CBC */
+#if defined(WOLFSSL_AES_XTS)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_XTS && XSTRNCMP(cipher, EVP_AES_128_XTS, EVP_AES_SIZE) == 0)
+        return AES_128_XTS_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_XTS && XSTRNCMP(cipher, EVP_AES_256_XTS, EVP_AES_SIZE) == 0)
+        return AES_256_XTS_TYPE;
+    #endif
+#endif /* WOLFSSL_AES_XTS */
+#if defined(WOLFSSL_AES_CFB)
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_CFB1 && XSTRNCMP(cipher, EVP_AES_128_CFB1, EVP_AESCFB_SIZE) == 0)
+        return AES_128_CFB1_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_CFB1 && XSTRNCMP(cipher, EVP_AES_192_CFB1, EVP_AESCFB_SIZE) == 0)
+        return AES_192_CFB1_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_CFB1 && XSTRNCMP(cipher, EVP_AES_256_CFB1, EVP_AESCFB_SIZE) == 0)
+        return AES_256_CFB1_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_CFB8 && XSTRNCMP(cipher, EVP_AES_128_CFB8, EVP_AESCFB_SIZE) == 0)
+        return AES_128_CFB8_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_CFB8 && XSTRNCMP(cipher, EVP_AES_192_CFB8, EVP_AESCFB_SIZE) == 0)
+        return AES_192_CFB8_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_CFB8 && XSTRNCMP(cipher, EVP_AES_256_CFB8, EVP_AESCFB_SIZE) == 0)
+        return AES_256_CFB8_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_128
+    else if (EVP_AES_128_CFB128 && XSTRNCMP(cipher, EVP_AES_128_CFB128, EVP_AESCFB_SIZE) == 0)
+        return AES_128_CFB128_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    else if (EVP_AES_192_CFB128 && XSTRNCMP(cipher, EVP_AES_192_CFB128, EVP_AESCFB_SIZE) == 0)
+        return AES_192_CFB128_TYPE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    else if (EVP_AES_256_CFB128 && XSTRNCMP(cipher, EVP_AES_256_CFB128, EVP_AESCFB_SIZE) == 0)
+        return AES_256_CFB128_TYPE;
+    #endif
+#endif /*HAVE_AES_CBC */
+#endif /* !NO_AES */
+      else return 0;
+}
+
+int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher)
+{
+  if (cipher == NULL) return BAD_FUNC_ARG;
+  switch (cipherType(cipher)) {
+#if !defined(NO_AES)
+  #if defined(HAVE_AES_CBC)
+      case AES_128_CBC_TYPE:
+      case AES_192_CBC_TYPE:
+      case AES_256_CBC_TYPE:
+          return AES_BLOCK_SIZE;
+  #endif
+  #if defined(HAVE_AESGCM)
+      case AES_128_GCM_TYPE:
+      case AES_192_GCM_TYPE:
+      case AES_256_GCM_TYPE:
+          return AES_BLOCK_SIZE;
+  #endif
+  #if defined(WOLFSSL_AES_COUNTER)
+      case AES_128_CTR_TYPE:
+      case AES_192_CTR_TYPE:
+      case AES_256_CTR_TYPE:
+          return AES_BLOCK_SIZE;
+  #endif
+  #if defined(HAVE_AES_ECB)
+      case AES_128_ECB_TYPE:
+      case AES_192_ECB_TYPE:
+      case AES_256_ECB_TYPE:
+          return AES_BLOCK_SIZE;
+  #endif
+#endif /* NO_AES */
+  #ifndef NO_DES3
+      case DES_CBC_TYPE: return 8;
+      case DES_EDE3_CBC_TYPE: return 8;
+      case DES_ECB_TYPE: return 8;
+      case DES_EDE3_ECB_TYPE: return 8;
+  #endif
+      default:
+          return 0;
+      }
+}
+
+unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
+{
+    switch (cipherType(cipher)) {
+#if !defined(NO_AES)
+    #if defined(HAVE_AES_CBC)
+        case AES_128_CBC_TYPE:
+        case AES_192_CBC_TYPE:
+        case AES_256_CBC_TYPE:
+            return WOLFSSL_EVP_CIPH_CBC_MODE;
+    #endif
+    #if defined(HAVE_AESGCM)
+        case AES_128_GCM_TYPE:
+        case AES_192_GCM_TYPE:
+        case AES_256_GCM_TYPE:
+            return WOLFSSL_EVP_CIPH_GCM_MODE;
+    #endif
+    #if defined(WOLFSSL_AES_COUNTER)
+        case AES_128_CTR_TYPE:
+        case AES_192_CTR_TYPE:
+        case AES_256_CTR_TYPE:
+            return WOLFSSL_EVP_CIPH_CTR_MODE;
+    #endif
+        case AES_128_ECB_TYPE:
+        case AES_192_ECB_TYPE:
+        case AES_256_ECB_TYPE:
+            return WOLFSSL_EVP_CIPH_ECB_MODE;
+#endif /* NO_ASE */
+    #ifndef NO_DES3
+        case DES_CBC_TYPE:
+        case DES_EDE3_CBC_TYPE:
+            return WOLFSSL_EVP_CIPH_CBC_MODE;
+        case DES_ECB_TYPE:
+        case DES_EDE3_ECB_TYPE:
+            return WOLFSSL_EVP_CIPH_ECB_MODE;
+    #endif
+    #ifndef NO_RC4
+        case ARC4_TYPE:
+            return EVP_CIPH_STREAM_CIPHER;
+    #endif
+        default:
+            return 0;
+        }
+}
+
+unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
+{
+  if (cipher == NULL) return 0;
+  return WOLFSSL_CIPHER_mode(cipher);
+}
+
+void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
+{
+    if (ctx != NULL) {
+        ctx->flags |= flags;
+    }
+}
+
+void wolfSSL_EVP_CIPHER_CTX_clear_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
+{
+    if (ctx != NULL) {
+        ctx->flags &= ~flags;
+    }
+}
+
+unsigned long wolfSSL_EVP_CIPHER_flags(const WOLFSSL_EVP_CIPHER *cipher)
+{
+  if (cipher == NULL) return 0;
+  return WOLFSSL_CIPHER_mode(cipher);
+}
+
+int  wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *ctx, int padding)
+{
+  if (ctx == NULL) return BAD_FUNC_ARG;
+  if (padding) {
+      ctx->flags &= ~WOLFSSL_EVP_CIPH_NO_PADDING;
+  }
+  else {
+      ctx->flags |=  WOLFSSL_EVP_CIPH_NO_PADDING;
+  }
+  return 1;
+}
+
+int wolfSSL_EVP_add_digest(const WOLFSSL_EVP_MD *digest)
+{
+    (void)digest;
+    /* nothing to do */
+    return 0;
+}
+
+
+/* Frees the WOLFSSL_EVP_PKEY_CTX passed in.
+ *
+ * return WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_PKEY_CTX_free(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    if (ctx == NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_CTX_free");
+    if (ctx->pkey != NULL)
+        wolfSSL_EVP_PKEY_free(ctx->pkey);
+    if (ctx->peerKey != NULL)
+        wolfSSL_EVP_PKEY_free(ctx->peerKey);
+    XFREE(ctx, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
+    return WOLFSSL_SUCCESS;
+}
+
+
+/* Creates a new WOLFSSL_EVP_PKEY_CTX structure.
+ *
+ * pkey  key structure to use with new WOLFSSL_EVP_PEKY_CTX
+ * e     engine to use. It should be NULL at this time.
+ *
+ * return the new structure on success and NULL if failed.
+ */
+WOLFSSL_EVP_PKEY_CTX *wolfSSL_EVP_PKEY_CTX_new(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_ENGINE *e)
+{
+    WOLFSSL_EVP_PKEY_CTX* ctx;
+    int type = NID_undef;
+
+    if (pkey == NULL) return 0;
+    if (e != NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_CTX_new");
+
+    ctx = (WOLFSSL_EVP_PKEY_CTX*)XMALLOC(sizeof(WOLFSSL_EVP_PKEY_CTX), NULL,
+            DYNAMIC_TYPE_PUBLIC_KEY);
+    if (ctx == NULL) return NULL;
+    XMEMSET(ctx, 0, sizeof(WOLFSSL_EVP_PKEY_CTX));
+    ctx->pkey = pkey;
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    ctx->padding = RSA_PKCS1_PADDING;
+#endif
+    type = wolfSSL_EVP_PKEY_type(pkey->type);
+
+    if (type != NID_undef) {
+        if (wc_LockMutex(&pkey->refMutex) != 0) {
+            WOLFSSL_MSG("Couldn't lock pkey mutex");
+        }
+        pkey->references++;
+
+        wc_UnLockMutex(&pkey->refMutex);
+    }
+    return ctx;
+}
+
+
+/* Sets the type of RSA padding to use.
+ *
+ * ctx     structure to set padding in.
+ * padding RSA padding type
+ *
+ * returns WOLFSSL_SUCCESS on success.
+ */
+int wolfSSL_EVP_PKEY_CTX_set_rsa_padding(WOLFSSL_EVP_PKEY_CTX *ctx, int padding)
+{
+    if (ctx == NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_CTX_set_rsa_padding");
+    ctx->padding = padding;
+    return WOLFSSL_SUCCESS;
+}
+
+/* create a PKEY contxt and return it */
+WOLFSSL_EVP_PKEY_CTX *wolfSSL_EVP_PKEY_CTX_new_id(int id, WOLFSSL_ENGINE *e)
+{
+    WOLFSSL_EVP_PKEY* pkey;
+    WOLFSSL_EVP_PKEY_CTX* ctx = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_CTX_new_id");
+
+    pkey = wolfSSL_EVP_PKEY_new_ex(NULL);
+    if (pkey) {
+        pkey->type = id;
+        ctx = wolfSSL_EVP_PKEY_CTX_new(pkey, e);
+        if (ctx == NULL) {
+            wolfSSL_EVP_PKEY_free(pkey);
+        }
+    }
+    return ctx;
+}
+
+/* Returns WOLFSSL_SUCCESS or error */
+int wolfSSL_EVP_PKEY_CTX_set_rsa_keygen_bits(WOLFSSL_EVP_PKEY_CTX *ctx, int bits)
+{
+    if (ctx) {
+        ctx->nbits = bits;
+    }
+    return WOLFSSL_SUCCESS;
+}
+
+
+int wolfSSL_EVP_PKEY_derive_init(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_derive_init");
+
+    if (!ctx) {
+        return WOLFSSL_FAILURE;
+    }
+    wolfSSL_EVP_PKEY_free(ctx->peerKey);
+    ctx->op = EVP_PKEY_OP_DERIVE;
+    ctx->padding = 0;
+    ctx->nbits = 0;
+    return WOLFSSL_SUCCESS;
+}
+
+int wolfSSL_EVP_PKEY_derive_set_peer(WOLFSSL_EVP_PKEY_CTX *ctx, WOLFSSL_EVP_PKEY *peer)
+{
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_derive_set_peer");
+
+    if (!ctx || ctx->op != EVP_PKEY_OP_DERIVE) {
+        return WOLFSSL_FAILURE;
+    }
+    wolfSSL_EVP_PKEY_free(ctx->peerKey);
+    ctx->peerKey = peer;
+    if (!wolfSSL_EVP_PKEY_up_ref(peer)) {
+        ctx->peerKey = NULL;
+        return WOLFSSL_FAILURE;
+    }
+    return WOLFSSL_SUCCESS;
+}
+
+#if !defined(NO_DH) && defined(HAVE_ECC)
+int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
+{
+    int len;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_derive");
+
+    if (!ctx || ctx->op != EVP_PKEY_OP_DERIVE || !ctx->pkey || !ctx->peerKey || !keylen
+            || ctx->pkey->type != ctx->peerKey->type) {
+        return WOLFSSL_FAILURE;
+    }
+    switch (ctx->pkey->type) {
+#ifndef NO_DH
+    case EVP_PKEY_DH:
+        /* Use DH */
+        if (!ctx->pkey->dh || !ctx->peerKey->dh || !ctx->peerKey->dh->pub_key) {
+            return WOLFSSL_FAILURE;
+        }
+        if ((len = wolfSSL_DH_size(ctx->pkey->dh)) <= 0) {
+            return WOLFSSL_FAILURE;
+        }
+        if (key) {
+            if (*keylen < (size_t)len) {
+                return WOLFSSL_FAILURE;
+            }
+            if (wolfSSL_DH_compute_key(key, ctx->peerKey->dh->pub_key,
+                                       ctx->pkey->dh) != len) {
+                return WOLFSSL_FAILURE;
+            }
+        }
+        *keylen = (size_t)len;
+        break;
+#endif
+#ifdef HAVE_ECC
+    case EVP_PKEY_EC:
+        /* Use ECDH */
+        if (!ctx->pkey->ecc || !ctx->peerKey->ecc) {
+            return WOLFSSL_FAILURE;
+        }
+        /* set internal key if not done */
+        if (!ctx->pkey->ecc->inSet) {
+            if (SetECKeyInternal(ctx->pkey->ecc) != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("SetECKeyInternal failed");
+                return WOLFSSL_FAILURE;
+            }
+        }
+        if (!ctx->peerKey->ecc->exSet || !ctx->peerKey->ecc->pub_key->internal) {
+            if (SetECKeyExternal(ctx->peerKey->ecc) != WOLFSSL_SUCCESS) {
+                WOLFSSL_MSG("SetECKeyExternal failed");
+                return WOLFSSL_FAILURE;
+            }
+        }
+        if (!(len = wc_ecc_size((ecc_key*)ctx->pkey->ecc->internal))) {
+            return WOLFSSL_FAILURE;
+        }
+        if (key) {
+            word32 len32 = (word32)len;
+            if (*keylen < len32) {
+                WOLFSSL_MSG("buffer too short");
+                return WOLFSSL_FAILURE;
+            }
+            if (wc_ecc_shared_secret_ssh((ecc_key*)ctx->pkey->ecc->internal,
+                                         (ecc_point*)ctx->peerKey->ecc->pub_key->internal,
+                                         key, &len32) != MP_OKAY) {
+                WOLFSSL_MSG("wc_ecc_shared_secret failed");
+                return WOLFSSL_FAILURE;
+            }
+            len = (int)len32;
+        }
+        *keylen = (size_t)len;
+        break;
+#endif
+    default:
+        WOLFSSL_MSG("Unknown key type");
+        return WOLFSSL_FAILURE;
+    }
+    return WOLFSSL_SUCCESS;
+}
+#endif
+
+/* Uses the WOLFSSL_EVP_PKEY_CTX to decrypt a buffer.
+ *
+ * ctx    structure to decrypt with
+ * out    buffer to hold the results
+ * outlen initially holds size of out buffer and gets set to decrypt result size
+ * in     buffer decrypt
+ * inlen  length of in buffer
+ *
+ * returns WOLFSSL_SUCCESS on success.
+ */
+int wolfSSL_EVP_PKEY_decrypt(WOLFSSL_EVP_PKEY_CTX *ctx,
+                     unsigned char *out, size_t *outlen,
+                     const unsigned char *in, size_t inlen)
+{
+    int len = 0;
+
+    if (ctx == NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_decrypt");
+
+    (void)out;
+    (void)outlen;
+    (void)in;
+    (void)inlen;
+    (void)len;
+
+    switch (ctx->pkey->type) {
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    case EVP_PKEY_RSA:
+        len = wolfSSL_RSA_private_decrypt((int)inlen, (unsigned char*)in, out,
+              ctx->pkey->rsa, ctx->padding);
+        if (len < 0) break;
+        else {
+            *outlen = len;
+            return WOLFSSL_SUCCESS;
+        }
+#endif /* NO_RSA */
+
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+
+/* Initialize a WOLFSSL_EVP_PKEY_CTX structure for decryption
+ *
+ * ctx    WOLFSSL_EVP_PKEY_CTX structure to use with decryption
+ *
+ * Returns WOLFSSL_FAILURE on failure and WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_PKEY_decrypt_init(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_PKEY_decrypt_init");
+    switch (ctx->pkey->type) {
+    case EVP_PKEY_RSA:
+        ctx->op = EVP_PKEY_OP_DECRYPT;
+        return WOLFSSL_SUCCESS;
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+
+/* Use a WOLFSSL_EVP_PKEY_CTX structure to encrypt data
+ *
+ * ctx    WOLFSSL_EVP_PKEY_CTX structure to use with encryption
+ * out    buffer to hold encrypted data
+ * outlen length of out buffer
+ * in     data to be encrypted
+ * inlen  length of in buffer
+ *
+ * Returns WOLFSSL_FAILURE on failure and WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_PKEY_encrypt(WOLFSSL_EVP_PKEY_CTX *ctx,
+                     unsigned char *out, size_t *outlen,
+                     const unsigned char *in, size_t inlen)
+{
+    int len = 0;
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_PKEY_encrypt");
+    if (ctx->op != EVP_PKEY_OP_ENCRYPT) return WOLFSSL_FAILURE;
+
+    (void)out;
+    (void)outlen;
+    (void)in;
+    (void)inlen;
+    (void)len;
+    switch (ctx->pkey->type) {
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    case EVP_PKEY_RSA:
+        len = wolfSSL_RSA_public_encrypt((int)inlen, (unsigned char *)in, out,
+                  ctx->pkey->rsa, ctx->padding);
+        if (len < 0)
+            break;
+        else {
+            *outlen = len;
+            return WOLFSSL_SUCCESS;
+        }
+#endif /* NO_RSA */
+
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+
+/* Initialize a WOLFSSL_EVP_PKEY_CTX structure to encrypt data
+ *
+ * ctx    WOLFSSL_EVP_PKEY_CTX structure to use with encryption
+ *
+ * Returns WOLFSSL_FAILURE on failure and WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_PKEY_encrypt_init(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_PKEY_encrypt_init");
+
+    switch (ctx->pkey->type) {
+    case EVP_PKEY_RSA:
+        ctx->op = EVP_PKEY_OP_ENCRYPT;
+        return WOLFSSL_SUCCESS;
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+/******************************************************************************
+* wolfSSL_EVP_PKEY_sign_init -  initializes a public key algorithm context for
+* a signing operation.
+*
+* RETURNS:
+* returns WOLFSSL_SUCCESS on success, otherwise returns -2
+*/
+WOLFSSL_API int wolfSSL_EVP_PKEY_sign_init(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    int ret = -2;
+
+    WOLFSSL_MSG("wolfSSL_EVP_PKEY_sign_init");
+    if (!ctx  || !ctx->pkey)
+        return ret;
+
+    switch (ctx->pkey->type) {
+        case EVP_PKEY_RSA:
+            ctx->op = EVP_PKEY_OP_SIGN;
+            ret = WOLFSSL_SUCCESS;
+            break;
+        case EVP_PKEY_EC:
+            WOLFSSL_MSG("not implemented");
+            FALL_THROUGH;
+        default:
+            ret = -2;
+    }
+    return ret;
+}
+/******************************************************************************
+* wolfSSL_EVP_PKEY_sign - performs a public key signing operation using ctx
+* The data to be signed should be hashed since the function does not hash the data.
+*
+* RETURNS:
+* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE
+*/
+
+WOLFSSL_API int wolfSSL_EVP_PKEY_sign(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *sig,
+                        size_t *siglen, const unsigned char *tbs, size_t tbslen)
+{
+    int len = 0;
+
+    WOLFSSL_MSG("wolfSSL_EVP_PKEY_sign");
+
+    if (!ctx || ctx->op != EVP_PKEY_OP_SIGN || !ctx->pkey)
+        return WOLFSSL_FAILURE;
+
+    (void)sig;
+    (void)siglen;
+    (void)tbs;
+    (void)tbslen;
+    (void)len;
+
+    switch (ctx->pkey->type) {
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    case EVP_PKEY_RSA:
+        len = wolfSSL_RSA_private_encrypt((int)tbslen, (unsigned char*)tbs, sig,
+              ctx->pkey->rsa, ctx->padding);
+        if (len < 0)
+            break;
+        else {
+            *siglen = len;
+            return WOLFSSL_SUCCESS;
+        }
+#endif /* NO_RSA */
+
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+/* Get the size in bits for WOLFSSL_EVP_PKEY key
+ *
+ * pkey WOLFSSL_EVP_PKEY structure to get key size of
+ *
+ * returns the size in bits of key on success
+ */
+int wolfSSL_EVP_PKEY_bits(const WOLFSSL_EVP_PKEY *pkey)
+{
+    int bytes;
+
+    if (pkey == NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_bits");
+    if ((bytes = wolfSSL_EVP_PKEY_size((WOLFSSL_EVP_PKEY*)pkey)) ==0) return 0;
+    return bytes*8;
+}
+
+
+int wolfSSL_EVP_PKEY_keygen_init(WOLFSSL_EVP_PKEY_CTX *ctx)
+{
+    (void)ctx;
+    return WOLFSSL_SUCCESS;
+}
+
+int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
+  WOLFSSL_EVP_PKEY **ppkey)
+{
+    int ret = WOLFSSL_FAILURE;
+    int ownPkey = 0;
+    WOLFSSL_EVP_PKEY* pkey;
+
+    if (ctx == NULL || ppkey == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    pkey = *ppkey;
+    if (pkey == NULL) {
+        ownPkey = 1;
+        pkey = wolfSSL_EVP_PKEY_new();
+
+        if (pkey == NULL)
+            return ret;
+    }
+
+    switch (pkey->type) {
+#if !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) && \
+    !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+        case EVP_PKEY_RSA:
+            pkey->rsa = wolfSSL_RSA_generate_key(ctx->nbits, WC_RSA_EXPONENT,
+                NULL, NULL);
+            if (pkey->rsa) {
+                pkey->ownRsa = 1;
+                pkey->pkey_sz = wolfSSL_i2d_RSAPrivateKey(pkey->rsa,
+                        (unsigned char**)&pkey->pkey.ptr);
+                ret = WOLFSSL_SUCCESS;
+            }
+            break;
+#endif
+#ifdef HAVE_ECC
+        case EVP_PKEY_EC:
+            pkey->ecc = wolfSSL_EC_KEY_new();
+            if (pkey->ecc) {
+                ret = wolfSSL_EC_KEY_generate_key(pkey->ecc);
+                if (ret == WOLFSSL_SUCCESS) {
+                    pkey->ownEcc = 1;
+                }
+            }
+#endif
+        default:
+            break;
+    }
+
+    if (ret != WOLFSSL_SUCCESS && ownPkey) {
+        wolfSSL_EVP_PKEY_free(pkey);
+        pkey = NULL;
+    }
+
+    *ppkey = pkey;
+
+    return ret;
+}
+
+/* Get the size in bytes for WOLFSSL_EVP_PKEY key
+ *
+ * pkey WOLFSSL_EVP_PKEY structure to get key size of
+ *
+ * returns the size of a key on success which is the maximum size of a
+ *         signature
+ */
+int wolfSSL_EVP_PKEY_size(WOLFSSL_EVP_PKEY *pkey)
+{
+    if (pkey == NULL) return 0;
+    WOLFSSL_ENTER("EVP_PKEY_size");
+
+    switch (pkey->type) {
+#ifndef NO_RSA
+    case EVP_PKEY_RSA:
+        return (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(pkey->rsa));
+#endif /* !NO_RSA */
+
+#ifdef HAVE_ECC
+    case EVP_PKEY_EC:
+        if (pkey->ecc == NULL || pkey->ecc->internal == NULL) {
+            WOLFSSL_MSG("No ECC key has been set");
+            break;
+        }
+        return wc_ecc_size((ecc_key*)(pkey->ecc->internal));
+#endif /* HAVE_ECC */
+
+    default:
+        break;
+    }
+    return 0;
+}
+
+#ifndef NO_WOLFSSL_STUB
+WOLFSSL_API int wolfSSL_EVP_PKEY_missing_parameters(WOLFSSL_EVP_PKEY *pkey)
+{
+    (void)pkey;
+    /* not using missing params callback and returning zero to indicate success */
+    return 0;
+}
+#endif
+
+WOLFSSL_API int wolfSSL_EVP_PKEY_cmp(const WOLFSSL_EVP_PKEY *a, const WOLFSSL_EVP_PKEY *b)
+{
+    int ret = -1; /* failure */
+    int a_sz = 0, b_sz = 0;
+
+    if (a == NULL || b == NULL)
+        return ret;
+
+    /* check its the same type of key */
+    if (a->type != b->type)
+        return ret;
+
+    /* get size based on key type */
+    switch (a->type) {
+#ifndef NO_RSA
+    case EVP_PKEY_RSA:
+        a_sz = (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(a->rsa));
+        b_sz = (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(b->rsa));
+        break;
+#endif /* !NO_RSA */
+#ifdef HAVE_ECC
+    case EVP_PKEY_EC:
+        if (a->ecc == NULL || a->ecc->internal == NULL ||
+            b->ecc == NULL || b->ecc->internal == NULL) {
+            return ret;
+        }
+        a_sz = wc_ecc_size((ecc_key*)(a->ecc->internal));
+        b_sz = wc_ecc_size((ecc_key*)(b->ecc->internal));
+        break;
+#endif /* HAVE_ECC */
+    default:
+        break;
+    } /* switch (a->type) */
+
+    /* check size */
+    if (a_sz <= 0 || b_sz <= 0 || a_sz != b_sz) {
+        return ret;
+    }
+
+    /* check public key size */
+    if (a->pkey_sz > 0 && b->pkey_sz > 0 && a->pkey_sz != b->pkey_sz) {
+        return ret;
+    }
+
+    /* check public key */
+    if (a->pkey.ptr && b->pkey.ptr) {
+        if (XMEMCMP(a->pkey.ptr, b->pkey.ptr, a->pkey_sz) != 0) {
+            return ret;
+        }
+    }
+    ret = 0; /* success */
+
+    return ret;
+}
+
+/* Initialize structure for signing
+ *
+ * ctx  WOLFSSL_EVP_MD_CTX structure to initialize
+ * type is the type of message digest to use
+ *
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_SignInit(WOLFSSL_EVP_MD_CTX *ctx, const WOLFSSL_EVP_MD *type)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_SignInit");
+    return wolfSSL_EVP_DigestInit(ctx,type);
+}
+
+WOLFSSL_API int wolfSSL_EVP_SignInit_ex(WOLFSSL_EVP_MD_CTX* ctx,
+                                     const WOLFSSL_EVP_MD* type,
+                                     WOLFSSL_ENGINE *impl)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_SignInit");
+    return wolfSSL_EVP_DigestInit_ex(ctx,type,impl);
+}
+
+
+/* Update structure with data for signing
+ *
+ * ctx  WOLFSSL_EVP_MD_CTX structure to update
+ * data buffer holding data to update with for sign
+ * len  length of data buffer
+ *
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_SignUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *data, size_t len)
+{
+    if (ctx == NULL) return 0;
+    WOLFSSL_ENTER("EVP_SignUpdate(");
+    return wolfSSL_EVP_DigestUpdate(ctx, data, len);
+}
+
+static const struct s_ent {
+    const int macType;
+    const int nid;
+    const char *name;
+} md_tbl[] = {
+#ifndef NO_MD4
+    {WC_HASH_TYPE_MD4, NID_md4, "MD4"},
+#endif /* NO_MD4 */
+
+#ifndef NO_MD5
+    {WC_HASH_TYPE_MD5, NID_md5, "MD5"},
+#endif /* NO_MD5 */
+
+#ifndef NO_SHA
+    {WC_HASH_TYPE_SHA, NID_sha1, "SHA"},
+#endif /* NO_SHA */
+
+#ifdef WOLFSSL_SHA224
+    {WC_HASH_TYPE_SHA224, NID_sha224, "SHA224"},
+#endif /* WOLFSSL_SHA224 */
+#ifndef NO_SHA256
+    {WC_HASH_TYPE_SHA256, NID_sha256, "SHA256"},
+#endif
+
+#ifdef WOLFSSL_SHA384
+    {WC_HASH_TYPE_SHA384, NID_sha384, "SHA384"},
+#endif /* WOLFSSL_SHA384 */
+#ifdef WOLFSSL_SHA512
+    {WC_HASH_TYPE_SHA512, NID_sha512, "SHA512"},
+#endif /* WOLFSSL_SHA512 */
+#ifndef WOLFSSL_NOSHA3_224
+    {WC_HASH_TYPE_SHA3_224, NID_sha3_224, "SHA3_224"},
+#endif
+#ifndef WOLFSSL_NOSHA3_256
+    {WC_HASH_TYPE_SHA3_256, NID_sha3_256, "SHA3_256"},
+#endif
+    {WC_HASH_TYPE_SHA3_384, NID_sha3_384, "SHA3_384"},
+#ifndef WOLFSSL_NOSHA3_512
+    {WC_HASH_TYPE_SHA3_512, NID_sha3_512, "SHA3_512"},
+#endif
+    {0, 0, NULL}
+};
+
+static int wolfSSL_EVP_md2macType(const WOLFSSL_EVP_MD *md)
+{
+    const struct s_ent *ent ;
+
+    if (md != NULL) {
+        for( ent = md_tbl; ent->name != NULL; ent++) {
+            if(XSTRNCMP((const char *)md, ent->name, XSTRLEN(ent->name)+1) == 0) {
+                return ent->macType;
+            }
+        }
+    }
+    return WC_HASH_TYPE_NONE;
+}
+
+/* Finalize structure for signing
+ *
+ * ctx    WOLFSSL_EVP_MD_CTX structure to finalize
+ * sigret buffer to hold resulting signature
+ * siglen length of sigret buffer
+ * pkey   key to sign with
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_SignFinal(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sigret,
+                  unsigned int *siglen, WOLFSSL_EVP_PKEY *pkey)
+{
+    unsigned int mdsize;
+    unsigned char md[WC_MAX_DIGEST_SIZE];
+    int ret;
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_SignFinal");
+
+    ret = wolfSSL_EVP_DigestFinal(ctx, md, &mdsize);
+    if (ret <= 0) return ret;
+
+    (void)sigret;
+    (void)siglen;
+
+    switch (pkey->type) {
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    case EVP_PKEY_RSA: {
+        int nid = wolfSSL_EVP_MD_type(wolfSSL_EVP_MD_CTX_md(ctx));
+        if (nid < 0) break;
+        return wolfSSL_RSA_sign(nid, md, mdsize, sigret,
+                                siglen, pkey->rsa);
+    }
+#endif /* NO_RSA */
+
+    case EVP_PKEY_DSA:
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+
+/* Initialize structure for verifying signature
+ *
+ * ctx  WOLFSSL_EVP_MD_CTX structure to initialize
+ * type is the type of message digest to use
+ *
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_EVP_VerifyInit(WOLFSSL_EVP_MD_CTX *ctx, const WOLFSSL_EVP_MD *type)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_VerifyInit");
+    return wolfSSL_EVP_DigestInit(ctx,type);
+}
+
+
+/* Update structure for verifying signature
+ *
+ * ctx  WOLFSSL_EVP_MD_CTX structure to update
+ * data buffer holding data to update with for verify
+ * len  length of data buffer
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_VerifyUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *data, size_t len)
+{
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_VerifyUpdate");
+    return wolfSSL_EVP_DigestUpdate(ctx, data, len);
+}
+
+
+/* Finalize structure for verifying signature
+ *
+ * ctx    WOLFSSL_EVP_MD_CTX structure to finalize
+ * sig    buffer holding signature
+ * siglen length of sig buffer
+ * pkey   key to verify with
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_VerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
+        unsigned char*sig, unsigned int siglen, WOLFSSL_EVP_PKEY *pkey)
+{
+    int ret;
+    unsigned char md[WC_MAX_DIGEST_SIZE];
+    unsigned int mdsize;
+
+    if (ctx == NULL) return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("EVP_VerifyFinal");
+    ret = wolfSSL_EVP_DigestFinal(ctx, md, &mdsize);
+    if (ret <= 0) return ret;
+
+    (void)sig;
+    (void)siglen;
+
+    switch (pkey->type) {
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+    case EVP_PKEY_RSA: {
+        int nid = wolfSSL_EVP_MD_type(wolfSSL_EVP_MD_CTX_md(ctx));
+        if (nid < 0) break;
+        return wolfSSL_RSA_verify(nid, md, mdsize, sig,
+                (unsigned int)siglen, pkey->rsa);
+    }
+#endif /* NO_RSA */
+
+    case EVP_PKEY_DSA:
+    case EVP_PKEY_EC:
+        WOLFSSL_MSG("not implemented");
+        FALL_THROUGH;
+    default:
+        break;
+    }
+    return WOLFSSL_FAILURE;
+}
+
+int wolfSSL_EVP_add_cipher(const WOLFSSL_EVP_CIPHER *cipher)
+{
+    (void)cipher;
+    /* nothing to do */
+    return 0;
+}
+
+
+WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_mac_key(int type, ENGINE* e,
+                                          const unsigned char* key, int keylen)
+{
+    WOLFSSL_EVP_PKEY* pkey;
+
+    (void)e;
+
+    if (type != EVP_PKEY_HMAC || (key == NULL && keylen != 0))
+        return NULL;
+
+    pkey = wolfSSL_EVP_PKEY_new();
+    if (pkey != NULL) {
+        pkey->pkey.ptr = (char*)XMALLOC(keylen, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
+        if (pkey->pkey.ptr == NULL && keylen > 0) {
+            wolfSSL_EVP_PKEY_free(pkey);
+            pkey = NULL;
+        }
+        else {
+            XMEMCPY(pkey->pkey.ptr, key, keylen);
+            pkey->pkey_sz = keylen;
+            pkey->type = pkey->save_type = type;
+        }
+    }
+
+    return pkey;
+}
+
+
+const unsigned char* wolfSSL_EVP_PKEY_get0_hmac(const WOLFSSL_EVP_PKEY* pkey,
+                                                size_t* len)
+{
+    if (pkey == NULL || len == NULL)
+        return NULL;
+
+    *len = (size_t)pkey->pkey_sz;
+
+    return (const unsigned char*)pkey->pkey.ptr;
+}
+
+
+/* Initialize an EVP_DigestSign/Verify operation.
+ * Initialize a digest for RSA and ECC keys, or HMAC for HMAC key.
+ */
+static int wolfSSL_evp_digest_pk_init(WOLFSSL_EVP_MD_CTX *ctx,
+                                      WOLFSSL_EVP_PKEY_CTX **pctx,
+                                      const WOLFSSL_EVP_MD *type,
+                                      WOLFSSL_ENGINE *e,
+                                      WOLFSSL_EVP_PKEY *pkey)
+{
+    if (pkey->type == EVP_PKEY_HMAC) {
+        int                  hashType;
+        const unsigned char* key;
+        size_t               keySz;
+
+        if (XSTRNCMP(type, "SHA256", 6) == 0) {
+            hashType = WC_SHA256;
+        }
+    #ifdef WOLFSSL_SHA224
+        else if (XSTRNCMP(type, "SHA224", 6) == 0) {
+            hashType = WC_SHA224;
+        }
+    #endif
+    #ifdef WOLFSSL_SHA384
+        else if (XSTRNCMP(type, "SHA384", 6) == 0) {
+            hashType = WC_SHA384;
+        }
+    #endif
+    #ifdef WOLFSSL_SHA512
+        else if (XSTRNCMP(type, "SHA512", 6) == 0) {
+            hashType = WC_SHA512;
+        }
+    #endif
+    #ifndef NO_MD5
+        else if (XSTRNCMP(type, "MD5", 3) == 0) {
+            hashType = WC_MD5;
+        }
+    #endif
+    #ifndef NO_SHA
+        /* has to be last since would pick or 224, 256, 384, or 512 too */
+        else if (XSTRNCMP(type, "SHA", 3) == 0) {
+             hashType = WC_SHA;
+        }
+    #endif /* NO_SHA */
+        else
+             return BAD_FUNC_ARG;
+
+        key = wolfSSL_EVP_PKEY_get0_hmac(pkey, &keySz);
+
+        if (wc_HmacInit(&ctx->hash.hmac, NULL, INVALID_DEVID) != 0)
+            return WOLFSSL_FAILURE;
+
+        if (wc_HmacSetKey(&ctx->hash.hmac, hashType, key, (word32)keySz) != 0)
+            return WOLFSSL_FAILURE;
+
+        ctx->macType = NID_hmac;
+    }
+    else {
+        int ret;
+
+        if (ctx->pctx == NULL) {
+            ctx->pctx = wolfSSL_EVP_PKEY_CTX_new(pkey, e);
+            if (ctx->pctx == NULL)
+                return WOLFSSL_FAILURE;
+        }
+
+        ret = wolfSSL_EVP_DigestInit(ctx, type);
+        if (ret == WOLFSSL_SUCCESS && pctx != NULL)
+            *pctx = ctx->pctx;
+        return ret;
+    }
+
+    return WOLFSSL_SUCCESS;
+}
+
+/* Update an EVP_DigestSign/Verify operation.
+ * Update a digest for RSA and ECC keys, or HMAC for HMAC key.
+ */
+static int wolfssl_evp_digest_pk_update(WOLFSSL_EVP_MD_CTX *ctx,
+                                        const void *d, unsigned int cnt)
+{
+    if (ctx->pctx == NULL) {
+        if (ctx->macType != NID_hmac)
+            return WOLFSSL_FAILURE;
+
+        if (wc_HmacUpdate(&ctx->hash.hmac, (const byte *)d, cnt) != 0)
+            return WOLFSSL_FAILURE;
+
+        return WOLFSSL_SUCCESS;
+    }
+    else
+        return wolfSSL_EVP_DigestUpdate(ctx, d, cnt);
+}
+
+/* Finalize an EVP_DigestSign/Verify operation - common part only.
+ * Finalize a digest for RSA and ECC keys, or HMAC for HMAC key.
+ * Copies the digest so that you can keep updating.
+ */
+static int wolfssl_evp_digest_pk_final(WOLFSSL_EVP_MD_CTX *ctx,
+                                       unsigned char *md, unsigned int* mdlen)
+{
+    int  ret;
+
+    if (ctx->pctx == NULL) {
+        Hmac hmacCopy;
+
+        if (ctx->macType != NID_hmac)
+            return WOLFSSL_FAILURE;
+
+        if (wolfSSL_HmacCopy(&hmacCopy, &ctx->hash.hmac) != WOLFSSL_SUCCESS)
+            return WOLFSSL_FAILURE;
+        ret = wc_HmacFinal(&hmacCopy, md) == 0;
+        wc_HmacFree(&hmacCopy);
+        return ret;
+    }
+    else {
+        WOLFSSL_EVP_MD_CTX ctxCopy;
+
+        if (wolfSSL_EVP_MD_CTX_copy_ex(&ctxCopy, ctx) != WOLFSSL_SUCCESS)
+            return WOLFSSL_FAILURE;
+
+        ret = wolfSSL_EVP_DigestFinal(&ctxCopy, md, mdlen);
+        wolfSSL_EVP_MD_CTX_cleanup(&ctxCopy);
+        return ret;
+    }
+}
+
+/* Get the length of the mac based on the digest algorithm. */
+static int wolfssl_mac_len(unsigned char macType)
+{
+    int hashLen;
+
+    switch (macType) {
+    #ifndef NO_MD5
+        case WC_MD5:
+            hashLen = WC_MD5_DIGEST_SIZE;
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            hashLen = WC_SHA_DIGEST_SIZE;
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            hashLen = WC_SHA224_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA224 */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            hashLen = WC_SHA256_DIGEST_SIZE;
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            hashLen = WC_SHA384_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            hashLen = WC_SHA512_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef HAVE_BLAKE2
+        case BLAKE2B_ID:
+            hashLen = BLAKE2B_OUTBYTES;
+            break;
+    #endif /* HAVE_BLAKE2 */
+
+        default:
+            hashLen = 0;
+    }
+
+    return hashLen;
+}
+
+int wolfSSL_EVP_DigestSignInit(WOLFSSL_EVP_MD_CTX *ctx,
+                               WOLFSSL_EVP_PKEY_CTX **pctx,
+                               const WOLFSSL_EVP_MD *type,
+                               WOLFSSL_ENGINE *e,
+                               WOLFSSL_EVP_PKEY *pkey)
+{
+    WOLFSSL_ENTER("EVP_DigestSignInit");
+
+    if (ctx == NULL || type == NULL || pkey == NULL)
+        return BAD_FUNC_ARG;
+
+    return wolfSSL_evp_digest_pk_init(ctx, pctx, type, e, pkey);
+}
+
+
+int wolfSSL_EVP_DigestSignUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *d,
+                                 unsigned int cnt)
+{
+    WOLFSSL_ENTER("EVP_DigestSignUpdate");
+
+    if (ctx == NULL || d == NULL)
+        return BAD_FUNC_ARG;
+
+    return wolfssl_evp_digest_pk_update(ctx, d, cnt);
+}
+
+int wolfSSL_EVP_DigestSignFinal(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sig,
+                                size_t *siglen)
+{
+    unsigned char digest[WC_MAX_DIGEST_SIZE];
+    unsigned int  hashLen;
+    int           ret = WOLFSSL_FAILURE;
+
+    WOLFSSL_ENTER("EVP_DigestSignFinal");
+
+    if (ctx == NULL || siglen == NULL)
+        return WOLFSSL_FAILURE;
+
+    /* Return the maximum size of the signaure when sig is NULL. */
+    if (ctx->pctx == NULL) {
+        if (ctx->macType != NID_hmac)
+            return WOLFSSL_FAILURE;
+
+        hashLen = wolfssl_mac_len(ctx->hash.hmac.macType);
+
+        if (sig == NULL) {
+            *siglen = hashLen;
+            return WOLFSSL_SUCCESS;
+        }
+    }
+#ifndef NO_RSA
+    else if (ctx->pctx->pkey->type == EVP_PKEY_RSA) {
+        if (sig == NULL) {
+            *siglen = wolfSSL_RSA_size(ctx->pctx->pkey->rsa);
+            return WOLFSSL_SUCCESS;
+        }
+    }
+#endif /* !NO_RSA */
+#ifdef HAVE_ECC
+    else if (ctx->pctx->pkey->type == EVP_PKEY_EC) {
+        if (sig == NULL) {
+            /* SEQ + INT + INT */
+            *siglen = ecc_sets[ctx->pctx->pkey->ecc->group->curve_idx].size * 2
+                    + 8;
+            return WOLFSSL_SUCCESS;
+        }
+    }
+#endif
+
+    if (wolfssl_evp_digest_pk_final(ctx, digest, &hashLen) <= 0)
+        return WOLFSSL_FAILURE;
+
+    if (ctx->pctx == NULL) {
+        /* Copy the HMAC result as signature. */
+        if ((unsigned int)(*siglen) > hashLen)
+            *siglen = hashLen;
+        /* May be a truncated signature. */
+
+        XMEMCPY(sig, digest, *siglen);
+        ret = WOLFSSL_SUCCESS;
+    }
+    else {
+        /* Sign the digest. */
+        switch (ctx->pctx->pkey->type) {
+    #if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+        case EVP_PKEY_RSA: {
+            unsigned int sigSz;
+            int nid = wolfSSL_EVP_MD_type(wolfSSL_EVP_MD_CTX_md(ctx));
+            if (nid < 0)
+                break;
+            ret = wolfSSL_RSA_sign(nid, digest, hashLen, sig, &sigSz,
+                                   ctx->pctx->pkey->rsa);
+            if (ret >= 0)
+                *siglen = sigSz;
+            break;
+        }
+    #endif /* NO_RSA */
+
+    #ifdef HAVE_ECC
+        case EVP_PKEY_EC: {
+            WOLFSSL_ECDSA_SIG *ecdsaSig;
+            ecdsaSig = wolfSSL_ECDSA_do_sign(digest, hashLen,
+                                             ctx->pctx->pkey->ecc);
+            if (ecdsaSig == NULL)
+                break;
+            *siglen = wolfSSL_i2d_ECDSA_SIG(ecdsaSig, &sig);
+            wolfSSL_ECDSA_SIG_free(ecdsaSig);
+            ret = WOLFSSL_SUCCESS;
+            break;
+        }
+    #endif
+        default:
+            break;
+        }
+    }
+
+    ForceZero(digest, sizeof(digest));
+    return ret;
+}
+int wolfSSL_EVP_DigestVerifyInit(WOLFSSL_EVP_MD_CTX *ctx,
+                                 WOLFSSL_EVP_PKEY_CTX **pctx,
+                                 const WOLFSSL_EVP_MD *type,
+                                 WOLFSSL_ENGINE *e,
+                                 WOLFSSL_EVP_PKEY *pkey)
+{
+    WOLFSSL_ENTER("EVP_DigestVerifyInit");
+
+    if (ctx == NULL || type == NULL || pkey == NULL)
+        return BAD_FUNC_ARG;
+
+    return wolfSSL_evp_digest_pk_init(ctx, pctx, type, e, pkey);
+}
+
+
+int wolfSSL_EVP_DigestVerifyUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *d,
+                                   size_t cnt)
+{
+    WOLFSSL_ENTER("EVP_DigestVerifyUpdate");
+
+    if (ctx == NULL || d == NULL)
+        return BAD_FUNC_ARG;
+
+    return wolfssl_evp_digest_pk_update(ctx, d, (unsigned int)cnt);
+}
+
+
+int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
+                                  const unsigned char *sig, size_t siglen)
+{
+    unsigned char digest[WC_MAX_DIGEST_SIZE];
+    unsigned int  hashLen;
+
+    WOLFSSL_ENTER("EVP_DigestVerifyFinal");
+
+    if (ctx == NULL || sig == NULL)
+        return WOLFSSL_FAILURE;
+
+    if (ctx->pctx == NULL) {
+        if (ctx->macType != NID_hmac)
+            return WOLFSSL_FAILURE;
+
+        hashLen = wolfssl_mac_len(ctx->hash.hmac.macType);
+
+        if (siglen > hashLen)
+            return WOLFSSL_FAILURE;
+        /* May be a truncated signature. */
+    }
+
+    if (wolfssl_evp_digest_pk_final(ctx, digest, &hashLen) <= 0)
+        return WOLFSSL_FAILURE;
+
+    if (ctx->pctx == NULL) {
+        /* Check HMAC result matches the signature. */
+        if (XMEMCMP(sig, digest, siglen) == 0)
+            return WOLFSSL_SUCCESS;
+        return WOLFSSL_FAILURE;
+    }
+    else {
+        /* Verify the signature with the digest. */
+        switch (ctx->pctx->pkey->type) {
+    #if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+        case EVP_PKEY_RSA: {
+            int nid = wolfSSL_EVP_MD_type(wolfSSL_EVP_MD_CTX_md(ctx));
+            if (nid < 0)
+                return WOLFSSL_FAILURE;
+            return wolfSSL_RSA_verify(nid, digest, hashLen, sig,
+                                      (unsigned int)siglen,
+                                      ctx->pctx->pkey->rsa);
+        }
+    #endif /* NO_RSA */
+
+    #ifdef HAVE_ECC
+        case EVP_PKEY_EC: {
+            int ret;
+            WOLFSSL_ECDSA_SIG *ecdsaSig;
+            ecdsaSig = wolfSSL_d2i_ECDSA_SIG(NULL, &sig, (long)siglen);
+            if (ecdsaSig == NULL)
+                return WOLFSSL_FAILURE;
+            ret = wolfSSL_ECDSA_do_verify(digest, hashLen, ecdsaSig,
+                                          ctx->pctx->pkey->ecc);
+            wolfSSL_ECDSA_SIG_free(ecdsaSig);
+            return ret;
+        }
+    #endif
+        default:
+            break;
+        }
+    }
+
+    return WOLFSSL_FAILURE;
+}
+
+
+#ifdef WOLFSSL_APACHE_HTTPD
+#if !defined(USE_WINDOWS_API) && !defined(MICROCHIP_PIC32)
+    #include <termios.h>
+#endif
+
+#ifndef XGETPASSWD
+    static int XGETPASSWD(char* buf, int bufSz) {
+        int ret = WOLFSSL_SUCCESS;
+
+        /* turn off echo for passwords */
+    #ifdef USE_WINDOWS_API
+        DWORD originalTerm;
+        DWORD newTerm;
+        CONSOLE_SCREEN_BUFFER_INFO screenOrig;
+        HANDLE stdinHandle = GetStdHandle(STD_INPUT_HANDLE);
+        if (GetConsoleMode(stdinHandle, &originalTerm) == 0) {
+            WOLFSSL_MSG("Couldn't get the original terminal settings");
+            return WOLFSSL_FAILURE;
+        }
+        newTerm = originalTerm;
+        newTerm &= ~ENABLE_ECHO_INPUT;
+        if (SetConsoleMode(stdinHandle, newTerm) == 0) {
+            WOLFSSL_MSG("Couldn't turn off echo");
+            return WOLFSSL_FAILURE;
+        }
+    #else
+        struct termios originalTerm;
+        struct termios newTerm;
+        if (tcgetattr(STDIN_FILENO, &originalTerm) != 0) {
+            WOLFSSL_MSG("Couldn't get the original terminal settings");
+            return WOLFSSL_FAILURE;
+        }
+        XMEMCPY(&newTerm, &originalTerm, sizeof(struct termios));
+
+        newTerm.c_lflag &= ~ECHO;
+        newTerm.c_lflag |= (ICANON | ECHONL);
+        if (tcsetattr(STDIN_FILENO, TCSANOW, &newTerm) != 0) {
+            WOLFSSL_MSG("Couldn't turn off echo");
+            return WOLFSSL_FAILURE;
+        }
+    #endif
+
+        if (XFGETS(buf, bufSz, stdin) == NULL) {
+            ret = WOLFSSL_FAILURE;
+        }
+
+        /* restore default echo */
+    #ifdef USE_WINDOWS_API
+        if (SetConsoleMode(stdinHandle, originalTerm) == 0) {
+            WOLFSSL_MSG("Couldn't restore the terminal settings");
+            return WOLFSSL_FAILURE;
+        }
+    #else
+        if (tcsetattr(STDIN_FILENO, TCSANOW, &originalTerm) != 0) {
+            WOLFSSL_MSG("Couldn't restore the terminal settings");
+            return WOLFSSL_FAILURE;
+        }
+    #endif
+        return ret;
+    }
+#endif
+
+/* returns 0 on success and -2 or -1 on failure */
+int wolfSSL_EVP_read_pw_string(char* buf, int bufSz, const char* banner, int v)
+{
+    printf("%s", banner);
+    if (XGETPASSWD(buf, bufSz) == WOLFSSL_FAILURE) {
+        return -1;
+    }
+    (void)v; /* fgets always sanity checks size of input vs buffer */
+    return 0;
+}
+#endif /* WOLFSSL_APACHE_HTTPD */
+
+#if !defined(NO_PWDBASED) && !defined(NO_SHA)
+int wolfSSL_PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+                                               const unsigned char *salt,
+                                               int saltlen, int iter,
+                                               int keylen, unsigned char *out)
+{
+    const char *nostring = "";
+    int ret = 0;
+
+    if (pass == NULL) {
+        passlen = 0;
+        pass = nostring;
+    }
+    else if (passlen == -1) {
+        passlen = (int)XSTRLEN(pass);
+    }
+
+    ret = wc_PBKDF2((byte*)out, (byte*)pass, passlen, (byte*)salt, saltlen,
+                    iter, keylen, WC_SHA);
+    if (ret == 0)
+        return WOLFSSL_SUCCESS;
+    else
+        return WOLFSSL_FAILURE;
+}
+#endif /* !NO_PWDBASED !NO_SHA*/
+
+#if !defined(NO_PWDBASED)
+WOLFSSL_API int wolfSSL_PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
+                                           const unsigned char *salt,
+                                           int saltlen, int iter,
+                                           const WOLFSSL_EVP_MD *digest,
+                                           int keylen, unsigned char *out)
+{
+    const char *nostring = "";
+    int ret = 0;
+
+    if (pass == NULL) {
+        passlen = 0;
+        pass = nostring;
+    } else if (passlen == -1) {
+        passlen = (int)XSTRLEN(pass);
+    }
+
+    ret = wc_PBKDF2((byte*)out, (byte*)pass, passlen, (byte*)salt, saltlen,
+                    iter, keylen, wolfSSL_EVP_md2macType(digest));
+    if (ret == 0)
+        return WOLFSSL_SUCCESS;
+    else
+        return WOLFSSL_FAILURE;
+}
+#endif /* !NO_PWDBASED */
+
+static const struct cipher{
+        unsigned char type;
+        const char *name;
+        int nid;
+} cipher_tbl[] = {
+
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+    {AES_128_CBC_TYPE, "AES-128-CBC", NID_aes_128_cbc},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_CBC_TYPE, "AES-192-CBC", NID_aes_192_cbc},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_CBC_TYPE, "AES-256-CBC", NID_aes_256_cbc},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_CFB1_TYPE, "AES-128-CFB1", NID_aes_128_cfb1},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_CFB1_TYPE, "AES-192-CFB1", NID_aes_192_cfb1},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_CFB1_TYPE, "AES-256-CFB1", NID_aes_256_cfb1},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_CFB8_TYPE, "AES-128-CFB8", NID_aes_128_cfb8},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_CFB8_TYPE, "AES-192-CFB8", NID_aes_192_cfb8},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_CFB8_TYPE, "AES-256-CFB8", NID_aes_256_cfb8},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_CFB128_TYPE, "AES-128-CFB128", NID_aes_128_cfb128},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_CFB128_TYPE, "AES-192-CFB128", NID_aes_192_cfb128},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_CFB128_TYPE, "AES-256-CFB128", NID_aes_256_cfb128},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_OFB_TYPE, "AES-128-OFB", NID_aes_128_ofb},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_OFB_TYPE, "AES-192-OFB", NID_aes_192_ofb},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_OFB_TYPE, "AES-256-OFB", NID_aes_256_ofb},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_XTS_TYPE, "AES-128-XTS", NID_aes_128_xts},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_XTS_TYPE, "AES-256-XTS", NID_aes_256_xts},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+    {AES_128_GCM_TYPE, "AES-128-GCM", NID_aes_128_gcm},
+    #endif
+    #ifdef WOLFSSL_AES_192
+    {AES_192_GCM_TYPE, "AES-192-GCM", NID_aes_192_gcm},
+    #endif
+    #ifdef WOLFSSL_AES_256
+    {AES_256_GCM_TYPE, "AES-256-GCM", NID_aes_256_gcm},
+    #endif
+    #ifdef WOLFSSL_AES_128
+        {AES_128_CTR_TYPE, "AES-128-CTR", NID_aes_128_ctr},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {AES_192_CTR_TYPE, "AES-192-CTR", NID_aes_192_ctr},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {AES_256_CTR_TYPE, "AES-256-CTR", NID_aes_256_ctr},
+    #endif
+
+    #ifdef WOLFSSL_AES_128
+        {AES_128_ECB_TYPE, "AES-128-ECB", NID_aes_128_ecb},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {AES_192_ECB_TYPE, "AES-192-ECB", NID_aes_192_ecb},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {AES_256_ECB_TYPE, "AES-256-ECB", NID_aes_256_ecb},
+    #endif
+
+#endif
+
+#ifndef NO_DES3
+    {DES_CBC_TYPE, "DES-CBC", NID_des_cbc},
+    {DES_ECB_TYPE, "DES-ECB", NID_des_ecb},
+
+    {DES_EDE3_CBC_TYPE, "DES-EDE3-CBC", NID_des_ede3_cbc},
+    {DES_EDE3_ECB_TYPE, "DES-EDE3-ECB", NID_des_ede3_ecb},
+#endif
+
+#ifndef NO_RC4
+    {ARC4_TYPE, "ARC4", NID_undef},
+#endif
+
+#ifdef HAVE_IDEA
+    {IDEA_CBC_TYPE, "IDEA-CBC", NID_idea_cbc},
+#endif
+    { 0, NULL, 0}
+};
+
+/* returns cipher using provided ctx type */
+const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_CIPHER_CTX_cipher(
+    const WOLFSSL_EVP_CIPHER_CTX *ctx)
+{
+    const struct cipher* c;
+
+    if (!ctx || !ctx->cipherType) {
+        return NULL;
+    }
+
+    for (c = cipher_tbl; c->type != 0; c++) {
+        if (ctx->cipherType == c->type) {
+            return wolfSSL_EVP_get_cipherbyname(c->name);
+        }
+    }
+
+    return NULL;
+}
+
+int wolfSSL_EVP_CIPHER_nid(const WOLFSSL_EVP_CIPHER *cipher)
+{
+    const struct cipher* c;
+
+    if (!cipher) {
+        return 0;
+    }
+
+    for (c = cipher_tbl; c->type != 0; c++) {
+        if (XSTRNCMP(cipher, c->name, XSTRLEN(c->name)+1) == 0) {
+            return c->nid;
+        }
+    }
+
+    return 0;
+}
+
+const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbyname(const char *name)
+{
+
+    static const struct alias {
+        const char *name;
+        const char *alias;
+    } alias_tbl[] =
+    {
+#ifndef NO_DES3
+        {"DES-CBC", "DES"},
+        {"DES-CBC", "des"},
+        {"DES-ECB", "DES-ECB"},
+        {"DES-ECB", "des-ecb"},
+        {"DES-EDE3-CBC", "DES3"},
+        {"DES-EDE3-CBC", "des3"},
+        {"DES-EDE3-ECB", "DES-EDE3"},
+        {"DES-EDE3-ECB", "des-ede3"},
+        {"DES-EDE3-ECB", "des-ede3-ecb"},
+#endif
+#ifdef HAVE_IDEA
+        {"IDEA-CBC", "IDEA"},
+        {"IDEA-CBC", "idea"},
+#endif
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+        #ifdef WOLFSSL_AES_128
+        {"AES-128-CBC", "AES128-CBC"},
+        {"AES-128-CBC", "aes128-cbc"},
+        #endif
+        #ifdef WOLFSSL_AES_192
+        {"AES-192-CBC", "AES192-CBC"},
+        {"AES-192-CBC", "aes192-cbc"},
+        #endif
+        #ifdef WOLFSSL_AES_256
+        {"AES-256-CBC", "AES256-CBC"},
+        {"AES-256-CBC", "aes256-cbc"},
+        #endif
+    #endif
+    #ifdef WOLFSSL_AES_128
+        {"AES-128-ECB", "AES128-ECB"},
+        {"AES-128-ECB", "aes128-ecb"},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {"AES-192-ECB", "AES192-ECB"},
+        {"AES-192-ECB", "aes192-ecb"},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {"AES-256-ECB", "AES256-ECB"},
+    #endif
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        {"AES-128-GCM", "aes-128-gcm"},
+        {"AES-128-GCM", "id-aes128-GCM"},
+        #endif
+        #ifdef WOLFSSL_AES_192
+        {"AES-192-GCM", "aes-192-gcm"},
+        {"AES-192-GCM", "id-aes192-GCM"},
+        #endif
+        #ifdef WOLFSSL_AES_256
+        {"AES-256-GCM", "aes-256-gcm"},
+        {"AES-256-GCM", "id-aes256-GCM"},
+        #endif
+    #endif
+#endif
+#ifndef NO_RC4
+        {"ARC4", "RC4"},
+#endif
+        { NULL, NULL}
+    };
+
+    const struct cipher *ent;
+    const struct alias  *al;
+
+    WOLFSSL_ENTER("EVP_get_cipherbyname");
+
+    for( al = alias_tbl; al->name != NULL; al++)
+        if(XSTRNCMP(name, al->alias, XSTRLEN(al->alias)+1) == 0) {
+            name = al->name;
+            break;
+        }
+
+    for( ent = cipher_tbl; ent->name != NULL; ent++)
+        if(XSTRNCMP(name, ent->name, XSTRLEN(ent->name)+1) == 0) {
+            return (WOLFSSL_EVP_CIPHER *)ent->name;
+        }
+
+    return NULL;
+}
+
+/*
+ * return an EVP_CIPHER structure when cipher NID is passed.
+ *
+ * id  cipher NID
+ *
+ * return WOLFSSL_EVP_CIPHER
+*/
+const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbynid(int id)
+{
+    WOLFSSL_ENTER("EVP_get_cipherbynid");
+
+    switch(id) {
+
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+        #ifdef WOLFSSL_AES_128
+        case NID_aes_128_cbc:
+            return wolfSSL_EVP_aes_128_cbc();
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case NID_aes_192_cbc:
+            return wolfSSL_EVP_aes_192_cbc();
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case NID_aes_256_cbc:
+            return wolfSSL_EVP_aes_256_cbc();
+        #endif
+    #endif
+    #ifdef WOLFSSL_AES_COUNTER
+        #ifdef WOLFSSL_AES_128
+        case NID_aes_128_ctr:
+            return wolfSSL_EVP_aes_128_ctr();
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case NID_aes_192_ctr:
+            return wolfSSL_EVP_aes_192_ctr();
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case NID_aes_256_ctr:
+            return wolfSSL_EVP_aes_256_ctr();
+        #endif
+    #endif /* WOLFSSL_AES_COUNTER */
+    #ifdef HAVE_AES_ECB
+        #ifdef WOLFSSL_AES_128
+        case NID_aes_128_ecb:
+            return wolfSSL_EVP_aes_128_ecb();
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case NID_aes_192_ecb:
+            return wolfSSL_EVP_aes_192_ecb();
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case NID_aes_256_ecb:
+            return wolfSSL_EVP_aes_256_ecb();
+        #endif
+    #endif /* HAVE_AES_ECB */
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        case NID_aes_128_gcm:
+            return wolfSSL_EVP_aes_128_gcm();
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case NID_aes_192_gcm:
+            return wolfSSL_EVP_aes_192_gcm();
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case NID_aes_256_gcm:
+            return wolfSSL_EVP_aes_256_gcm();
+        #endif
+    #endif
+#endif
+
+#ifndef NO_DES3
+        case NID_des_cbc:
+            return wolfSSL_EVP_des_cbc();
+#ifdef WOLFSSL_DES_ECB
+        case NID_des_ecb:
+            return wolfSSL_EVP_des_ecb();
+#endif
+        case NID_des_ede3_cbc:
+            return wolfSSL_EVP_des_ede3_cbc();
+#ifdef WOLFSSL_DES_ECB
+        case NID_des_ede3_ecb:
+            return wolfSSL_EVP_des_ede3_ecb();
+#endif
+#endif /*NO_DES3*/
+
+#ifdef HAVE_IDEA
+        case NID_idea_cbc:
+            return wolfSSL_EVP_idea_cbc();
+#endif
+
+        default:
+            WOLFSSL_MSG("Bad cipher id value");
+    }
+
+    return NULL;
+}
+
+void wolfSSL_EVP_init(void)
+{
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_CBC = (char *)EVP_get_cipherbyname("AES-128-CBC");
+        #endif
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_CBC = (char *)EVP_get_cipherbyname("AES-192-CBC");
+        #endif
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_CBC = (char *)EVP_get_cipherbyname("AES-256-CBC");
+        #endif
+    #endif /* HAVE_AES_CBC */
+
+    #ifdef WOLFSSL_AES_CFB
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_CFB1 = (char *)EVP_get_cipherbyname("AES-128-CFB1");
+        #endif
+
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_CFB1 = (char *)EVP_get_cipherbyname("AES-192-CFB1");
+        #endif
+
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_CFB1 = (char *)EVP_get_cipherbyname("AES-256-CFB1");
+        #endif
+
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_CFB8 = (char *)EVP_get_cipherbyname("AES-128-CFB8");
+        #endif
+
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_CFB8 = (char *)EVP_get_cipherbyname("AES-192-CFB8");
+        #endif
+
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_CFB8 = (char *)EVP_get_cipherbyname("AES-256-CFB8");
+        #endif
+
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_CFB128 = (char *)EVP_get_cipherbyname("AES-128-CFB128");
+        #endif
+
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_CFB128 = (char *)EVP_get_cipherbyname("AES-192-CFB128");
+        #endif
+
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_CFB128 = (char *)EVP_get_cipherbyname("AES-256-CFB128");
+        #endif
+    #endif /* WOLFSSL_AES_CFB */
+
+    #ifdef WOLFSSL_AES_OFB
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_OFB = (char *)EVP_get_cipherbyname("AES-128-OFB");
+        #endif
+
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_OFB = (char *)EVP_get_cipherbyname("AES-192-OFB");
+        #endif
+
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_OFB = (char *)EVP_get_cipherbyname("AES-256-OFB");
+        #endif
+    #endif /* WOLFSSL_AES_OFB */
+
+    #ifdef WOLFSSL_AES_XTS
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_XTS = (char *)EVP_get_cipherbyname("AES-128-XTS");
+        #endif
+
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_XTS = (char *)EVP_get_cipherbyname("AES-256-XTS");
+        #endif
+    #endif /* WOLFSSL_AES_XTS */
+
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_GCM = (char *)EVP_get_cipherbyname("AES-128-GCM");
+        #endif
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_GCM = (char *)EVP_get_cipherbyname("AES-192-GCM");
+        #endif
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_GCM = (char *)EVP_get_cipherbyname("AES-256-GCM");
+        #endif
+    #endif /* HAVE_AESGCM*/
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_CTR = (char *)EVP_get_cipherbyname("AES-128-CTR");
+        #endif
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_CTR = (char *)EVP_get_cipherbyname("AES-192-CTR");
+        #endif
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_CTR = (char *)EVP_get_cipherbyname("AES-256-CTR");
+        #endif
+
+        #ifdef WOLFSSL_AES_128
+        EVP_AES_128_ECB = (char *)EVP_get_cipherbyname("AES-128-ECB");
+        #endif
+        #ifdef WOLFSSL_AES_192
+        EVP_AES_192_ECB = (char *)EVP_get_cipherbyname("AES-192-ECB");
+        #endif
+        #ifdef WOLFSSL_AES_256
+        EVP_AES_256_ECB = (char *)EVP_get_cipherbyname("AES-256-ECB");
+        #endif
+#endif /* ifndef NO_AES*/
+
+#ifndef NO_DES3
+    EVP_DES_CBC = (char *)EVP_get_cipherbyname("DES-CBC");
+    EVP_DES_ECB = (char *)EVP_get_cipherbyname("DES-ECB");
+
+    EVP_DES_EDE3_CBC = (char *)EVP_get_cipherbyname("DES-EDE3-CBC");
+    EVP_DES_EDE3_ECB = (char *)EVP_get_cipherbyname("DES-EDE3-ECB");
+#endif
+
+#ifdef HAVE_IDEA
+    EVP_IDEA_CBC = (char *)EVP_get_cipherbyname("IDEA-CBC");
+#endif
+}
+
+#if !defined(NO_PWDBASED)
+int wolfSSL_EVP_get_hashinfo(const WOLFSSL_EVP_MD* evp,
+    int* pHash, int* pHashSz)
+{
+    enum wc_HashType hash = WC_HASH_TYPE_NONE;
+    int hashSz;
+
+    if (XSTRLEN(evp) < 3) {
+        /* do not try comparing strings if size is too small */
+        return WOLFSSL_FAILURE;
+    }
+
+    if (XSTRNCMP("SHA", evp, 3) == 0) {
+        if (XSTRLEN(evp) > 3) {
+        #ifndef NO_SHA256
+            if (XSTRNCMP("SHA256", evp, 6) == 0) {
+                hash = WC_HASH_TYPE_SHA256;
+            }
+            else
+        #endif
+        #ifdef WOLFSSL_SHA384
+            if (XSTRNCMP("SHA384", evp, 6) == 0) {
+                hash = WC_HASH_TYPE_SHA384;
+            }
+            else
+        #endif
+        #ifdef WOLFSSL_SHA512
+            if (XSTRNCMP("SHA512", evp, 6) == 0) {
+                hash = WC_HASH_TYPE_SHA512;
+            }
+            else
+        #endif
+            {
+                WOLFSSL_MSG("Unknown SHA hash");
+            }
+        }
+        else {
+            hash = WC_HASH_TYPE_SHA;
+        }
+    }
+#ifdef WOLFSSL_MD2
+    else if (XSTRNCMP("MD2", evp, 3) == 0) {
+        hash = WC_HASH_TYPE_MD2;
+    }
+#endif
+#ifndef NO_MD4
+    else if (XSTRNCMP("MD4", evp, 3) == 0) {
+        hash = WC_HASH_TYPE_MD4;
+    }
+#endif
+#ifndef NO_MD5
+    else if (XSTRNCMP("MD5", evp, 3) == 0) {
+        hash = WC_HASH_TYPE_MD5;
+    }
+#endif
+
+    if (pHash)
+        *pHash = hash;
+
+    hashSz = wc_HashGetDigestSize(hash);
+    if (pHashSz)
+        *pHashSz = hashSz;
+
+    if (hashSz < 0) {
+        return WOLFSSL_FAILURE;
+    }
+
+    return WOLFSSL_SUCCESS;
+}
+
+/* this function makes the assumption that out buffer is big enough for digest*/
+int wolfSSL_EVP_Digest(const unsigned char* in, int inSz, unsigned char* out,
+                              unsigned int* outSz, const WOLFSSL_EVP_MD* evp,
+                              WOLFSSL_ENGINE* eng)
+{
+    int err;
+    int hashType = WC_HASH_TYPE_NONE;
+    int hashSz;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_Digest");
+    if (in == NULL || out == NULL || evp == NULL) {
+        WOLFSSL_MSG("Null argument passed in");
+        return WOLFSSL_FAILURE;
+    }
+
+    err = wolfSSL_EVP_get_hashinfo(evp, &hashType, &hashSz);
+    if (err != WOLFSSL_SUCCESS)
+        return err;
+
+    if (wc_Hash((enum wc_HashType)hashType, in, inSz, out, hashSz) != 0) {
+        return WOLFSSL_FAILURE;
+    }
+
+    if (outSz != NULL)
+        *outSz = hashSz;
+
+    (void)eng;
+    return WOLFSSL_SUCCESS;
+}
+#endif
+
+const WOLFSSL_EVP_MD *wolfSSL_EVP_get_digestbyname(const char *name)
+{
+    static const struct alias {
+        const char *name;
+        const char *alias;
+    } alias_tbl[] =
+    {
+        {"MD4", "ssl3-md4"},
+        {"MD5", "ssl3-md5"},
+        {"SHA", "ssl3-sha1"},
+        {"SHA", "SHA1"},
+        { NULL, NULL}
+    };
+
+    const struct alias  *al;
+    const struct s_ent *ent;
+
+
+    for (al = alias_tbl; al->name != NULL; al++)
+        if(XSTRNCMP(name, al->alias, XSTRLEN(al->alias)+1) == 0) {
+            name = al->name;
+            break;
+        }
+
+    for (ent = md_tbl; ent->name != NULL; ent++)
+        if(XSTRNCMP(name, ent->name, XSTRLEN(ent->name)+1) == 0) {
+            return (EVP_MD *)ent->name;
+        }
+    return NULL;
+}
+
+int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
+{
+    const struct s_ent *ent ;
+    WOLFSSL_ENTER("EVP_MD_type");
+    for( ent = md_tbl; ent->name != NULL; ent++){
+        if(XSTRNCMP((const char *)md, ent->name, XSTRLEN(ent->name)+1) == 0) {
+            return ent->nid;
+        }
+    }
+    return 0;
+}
+
+#ifndef NO_MD4
+
+    /* return a pointer to MD4 EVP type */
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_md4(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_md4");
+        return EVP_get_digestbyname("MD4");
+    }
+
+#endif /* !NO_MD4 */
+
+
+#ifndef NO_MD5
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_md5(void)
+    {
+        WOLFSSL_ENTER("EVP_md5");
+        return EVP_get_digestbyname("MD5");
+    }
+
+#endif /* !NO_MD5 */
+
+
+#ifndef NO_WOLFSSL_STUB
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_mdc2(void)
+    {
+        WOLFSSL_STUB("EVP_mdc2");
+        return NULL;
+    }
+#endif
+
+#ifndef NO_SHA
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha1(void)
+    {
+        WOLFSSL_ENTER("EVP_sha1");
+        return EVP_get_digestbyname("SHA");
+    }
+#endif /* NO_SHA */
+
+#ifdef WOLFSSL_SHA224
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha224(void)
+    {
+        WOLFSSL_ENTER("EVP_sha224");
+        return EVP_get_digestbyname("SHA224");
+    }
+
+#endif /* WOLFSSL_SHA224 */
+
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha256(void)
+    {
+        WOLFSSL_ENTER("EVP_sha256");
+        return EVP_get_digestbyname("SHA256");
+    }
+
+#ifdef WOLFSSL_SHA384
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha384(void)
+    {
+        WOLFSSL_ENTER("EVP_sha384");
+        return EVP_get_digestbyname("SHA384");
+    }
+
+#endif /* WOLFSSL_SHA384 */
+
+#ifdef WOLFSSL_SHA512
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha512(void)
+    {
+        WOLFSSL_ENTER("EVP_sha512");
+        return EVP_get_digestbyname("SHA512");
+    }
+
+#endif /* WOLFSSL_SHA512 */
+
+#ifdef WOLFSSL_SHA3
+#ifndef WOLFSSL_NOSHA3_224
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha3_224(void)
+    {
+        WOLFSSL_ENTER("EVP_sha3_224");
+        return EVP_get_digestbyname("SHA3_224");
+    }
+#endif /* WOLFSSL_NOSHA3_224 */
+
+
+#ifndef WOLFSSL_NOSHA3_256
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha3_256(void)
+    {
+        WOLFSSL_ENTER("EVP_sha3_256");
+        return EVP_get_digestbyname("SHA3_256");
+    }
+#endif /* WOLFSSL_NOSHA3_256 */
+
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha3_384(void)
+    {
+        WOLFSSL_ENTER("EVP_sha3_384");
+        return EVP_get_digestbyname("SHA3_384");
+    }
+
+#ifndef WOLFSSL_NOSHA3_512
+    const WOLFSSL_EVP_MD* wolfSSL_EVP_sha3_512(void)
+    {
+        WOLFSSL_ENTER("EVP_sha3_512");
+        return EVP_get_digestbyname("SHA3_512");
+    }
+#endif /* WOLFSSL_NOSHA3_512 */
+#endif /* WOLFSSL_SHA3 */
+
+    WOLFSSL_EVP_MD_CTX *wolfSSL_EVP_MD_CTX_new(void)
+    {
+        WOLFSSL_EVP_MD_CTX* ctx;
+        WOLFSSL_ENTER("EVP_MD_CTX_new");
+        ctx = (WOLFSSL_EVP_MD_CTX*)XMALLOC(sizeof *ctx, NULL,
+                                                       DYNAMIC_TYPE_OPENSSL);
+        if (ctx){
+            wolfSSL_EVP_MD_CTX_init(ctx);
+        }
+        return ctx;
+    }
+
+    WOLFSSL_API void wolfSSL_EVP_MD_CTX_free(WOLFSSL_EVP_MD_CTX *ctx)
+    {
+        if (ctx) {
+            WOLFSSL_ENTER("EVP_MD_CTX_free");
+                wolfSSL_EVP_MD_CTX_cleanup(ctx);
+                XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
+            }
+    }
+
+    /* returns the NID of message digest used by the ctx */
+    int wolfSSL_EVP_MD_CTX_type(const WOLFSSL_EVP_MD_CTX *ctx) {
+        const struct s_ent *ent;
+
+        WOLFSSL_ENTER("EVP_MD_CTX_type");
+
+        if (ctx) {
+            for(ent = md_tbl; ent->name != NULL; ent++) {
+                if (ctx->macType == ent->macType) {
+                    return ent->nid;
+                }
+            }
+            /* Return whatever we got */
+            return ctx->macType;
+        }
+        return 0;
+    }
+
+
+    /* returns WOLFSSL_SUCCESS on success */
+    int wolfSSL_EVP_MD_CTX_copy(WOLFSSL_EVP_MD_CTX *out, const WOLFSSL_EVP_MD_CTX *in)
+    {
+        return wolfSSL_EVP_MD_CTX_copy_ex(out, in);
+    }
+
+    /* returns digest size */
+    int wolfSSL_EVP_MD_CTX_size(const WOLFSSL_EVP_MD_CTX *ctx) {
+        return(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(ctx)));
+    }
+    /* returns block size */
+    int wolfSSL_EVP_MD_CTX_block_size(const WOLFSSL_EVP_MD_CTX *ctx) {
+        return(wolfSSL_EVP_MD_block_size(wolfSSL_EVP_MD_CTX_md(ctx)));
+    }
+
+    /* Deep copy of EVP_MD hasher
+     * return WOLFSSL_SUCCESS on success */
+    static int wolfSSL_EVP_MD_Copy_Hasher(WOLFSSL_EVP_MD_CTX* des,
+            const WOLFSSL_EVP_MD_CTX* src)
+    {
+        if (src->macType == NID_hmac) {
+            wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
+        }
+        else {
+            switch (src->macType) {
+            #ifndef NO_MD5
+                case WC_HASH_TYPE_MD5:
+                    wc_Md5Copy((wc_Md5*)&src->hash.digest,
+                            (wc_Md5*)&des->hash.digest);
+                    break;
+            #endif /* !NO_MD5 */
+
+            #ifndef NO_SHA
+                case WC_HASH_TYPE_SHA:
+                    wc_ShaCopy((wc_Sha*)&src->hash.digest,
+                            (wc_Sha*)&des->hash.digest);
+                    break;
+            #endif /* !NO_SHA */
+
+            #ifdef WOLFSSL_SHA224
+                case WC_HASH_TYPE_SHA224:
+                    wc_Sha224Copy((wc_Sha224*)&src->hash.digest,
+                            (wc_Sha224*)&des->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA224 */
+
+            #ifndef NO_SHA256
+                case WC_HASH_TYPE_SHA256:
+                    wc_Sha256Copy((wc_Sha256*)&src->hash.digest,
+                            (wc_Sha256*)&des->hash.digest);
+                    break;
+            #endif /* !NO_SHA256 */
+
+            #ifdef WOLFSSL_SHA384
+                case WC_HASH_TYPE_SHA384:
+                    wc_Sha384Copy((wc_Sha384*)&src->hash.digest,
+                            (wc_Sha384*)&des->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA384 */
+            #ifdef WOLFSSL_SHA512
+                case WC_HASH_TYPE_SHA512:
+                    wc_Sha512Copy((wc_Sha512*)&src->hash.digest,
+                        (wc_Sha512*)&des->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA512 */
+        #ifdef WOLFSSL_SHA3
+            #ifndef WOLFSSL_NOSHA3_224
+                case WC_HASH_TYPE_SHA3_224:
+                    wc_Sha3_224_Copy((wc_Sha3*)&src->hash.digest,
+                            (wc_Sha3*)&des->hash.digest);
+                    break;
+            #endif
+
+            #ifndef WOLFSSL_NOSHA3_256
+                case WC_HASH_TYPE_SHA3_256:
+                    wc_Sha3_256_Copy((wc_Sha3*)&src->hash.digest,
+                            (wc_Sha3*)&des->hash.digest);
+                    break;
+            #endif
+
+                case WC_HASH_TYPE_SHA3_384:
+                    wc_Sha3_384_Copy((wc_Sha3*)&src->hash.digest,
+                            (wc_Sha3*)&des->hash.digest);
+                    break;
+
+            #ifndef WOLFSSL_NOSHA3_512
+                case WC_HASH_TYPE_SHA3_512:
+                    wc_Sha3_512_Copy((wc_Sha3*)&src->hash.digest,
+                        (wc_Sha3*)&des->hash.digest);
+                    break;
+            #endif
+        #endif
+                default:
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* copies structure in to the structure out
+     *
+     * returns WOLFSSL_SUCCESS on success */
+    int wolfSSL_EVP_MD_CTX_copy_ex(WOLFSSL_EVP_MD_CTX *out, const WOLFSSL_EVP_MD_CTX *in)
+    {
+        if ((out == NULL) || (in == NULL)) return WOLFSSL_FAILURE;
+        WOLFSSL_ENTER("EVP_CIPHER_MD_CTX_copy_ex");
+        XMEMCPY(out, in, sizeof(WOLFSSL_EVP_MD_CTX));
+        if (in->pctx != NULL) {
+            out->pctx = wolfSSL_EVP_PKEY_CTX_new(in->pctx->pkey, NULL);
+            if (out->pctx == NULL)
+                return WOLFSSL_FAILURE;
+        }
+        return wolfSSL_EVP_MD_Copy_Hasher(out, (WOLFSSL_EVP_MD_CTX*)in);
+    }
+
+    void wolfSSL_EVP_MD_CTX_init(WOLFSSL_EVP_MD_CTX* ctx)
+    {
+        WOLFSSL_ENTER("EVP_CIPHER_MD_CTX_init");
+        XMEMSET(ctx, 0, sizeof(WOLFSSL_EVP_MD_CTX));
+    }
+
+    const WOLFSSL_EVP_MD *wolfSSL_EVP_MD_CTX_md(const WOLFSSL_EVP_MD_CTX *ctx)
+    {
+        const struct s_ent *ent;
+        if (ctx == NULL)
+            return NULL;
+        WOLFSSL_ENTER("EVP_MD_CTX_md");
+        for(ent = md_tbl; ent->name != NULL; ent++) {
+            if(ctx->macType == ent->macType) {
+                return (const WOLFSSL_EVP_MD *)ent->name;
+            }
+        }
+        return (WOLFSSL_EVP_MD *)NULL;
+    }
+
+    #ifndef NO_AES
+
+    #ifdef HAVE_AES_CBC
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_cbc");
+        if (EVP_AES_128_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_CBC;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_cbc");
+        if (EVP_AES_192_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_CBC;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_cbc");
+        if (EVP_AES_256_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_CBC;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AES_CBC */
+
+    #ifdef WOLFSSL_AES_CFB
+#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cfb1(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_cfb1");
+        if (EVP_AES_128_CFB1 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_CFB1;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cfb1(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_cfb1");
+        if (EVP_AES_192_CFB1 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_CFB1;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cfb1(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_cfb1");
+        if (EVP_AES_256_CFB1 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_CFB1;
+    }
+    #endif /* WOLFSSL_AES_256 */
+
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cfb8(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_cfb8");
+        if (EVP_AES_128_CFB8 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_CFB8;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cfb8(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_cfb8");
+        if (EVP_AES_192_CFB8 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_CFB8;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cfb8(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_cfb8");
+        if (EVP_AES_256_CFB8 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_CFB8;
+    }
+    #endif /* WOLFSSL_AES_256 */
+#endif /* !HAVE_SELFTEST && !HAVE_FIPS */
+
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_cfb128(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_cfb128");
+        if (EVP_AES_128_CFB128 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_CFB128;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_cfb128(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_cfb128");
+        if (EVP_AES_192_CFB128 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_CFB128;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_cfb128(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_cfb128");
+        if (EVP_AES_256_CFB128 == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_CFB128;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* WOLFSSL_AES_CFB */
+
+    #ifdef WOLFSSL_AES_OFB
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ofb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_ofb");
+        if (EVP_AES_128_OFB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_OFB;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ofb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_ofb");
+        if (EVP_AES_192_OFB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_OFB;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ofb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_ofb");
+        if (EVP_AES_256_OFB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_OFB;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* WOLFSSL_AES_OFB */
+
+    #ifdef WOLFSSL_AES_XTS
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_xts(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_xts");
+        if (EVP_AES_128_XTS == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_XTS;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_xts(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_xts");
+        if (EVP_AES_256_XTS == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_XTS;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* WOLFSSL_AES_XTS */
+
+    #ifdef HAVE_AESGCM
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_gcm(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_gcm");
+        if (EVP_AES_128_GCM == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_GCM;
+    }
+    #endif /* WOLFSSL_GCM_128 */
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_gcm(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_gcm");
+        if (EVP_AES_192_GCM == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_GCM;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_gcm(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_gcm");
+        if (EVP_AES_256_GCM == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_GCM;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AESGCM */
+
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ctr(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_ctr");
+        if (EVP_AES_128_CTR == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_CTR;
+    }
+    #endif /* WOLFSSL_AES_2128 */
+
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ctr(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_ctr");
+        if (EVP_AES_192_CTR == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_CTR;
+    }
+    #endif /* WOLFSSL_AES_192 */
+
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ctr(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_ctr");
+        if (EVP_AES_256_CTR == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_CTR;
+    }
+    #endif /* WOLFSSL_AES_256 */
+
+    #ifdef WOLFSSL_AES_128
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_128_ecb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_128_ecb");
+        if (EVP_AES_128_ECB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_128_ECB;
+    }
+    #endif /* WOLFSSL_AES_128 */
+
+
+    #ifdef WOLFSSL_AES_192
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_192_ecb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_192_ecb");
+        if (EVP_AES_192_ECB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_192_ECB;
+    }
+    #endif /* WOLFSSL_AES_192*/
+
+
+    #ifdef WOLFSSL_AES_256
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_aes_256_ecb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_aes_256_ecb");
+        if (EVP_AES_256_ECB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_AES_256_ECB;
+    }
+    #endif /* WOLFSSL_AES_256 */
+    #endif /* NO_AES */
+
+#ifndef NO_DES3
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_des_cbc");
+        if (EVP_DES_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_DES_CBC;
+    }
+#ifdef WOLFSSL_DES_ECB
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ecb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_des_ecb");
+        if (EVP_DES_ECB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_DES_ECB;
+    }
+#endif
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_des_ede3_cbc");
+        if (EVP_DES_EDE3_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_DES_EDE3_CBC;
+    }
+#ifdef WOLFSSL_DES_ECB
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_des_ede3_ecb(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_des_ede3_ecb");
+        if (EVP_DES_EDE3_ECB == NULL)
+            wolfSSL_EVP_init();
+        return EVP_DES_EDE3_ECB;
+    }
+#endif
+#endif /* NO_DES3 */
+
+#ifndef NO_RC4
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_rc4(void)
+    {
+        static const char* type = "ARC4";
+        WOLFSSL_ENTER("wolfSSL_EVP_rc4");
+        return type;
+    }
+#endif
+
+#ifdef HAVE_IDEA
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_idea_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_idea_cbc");
+        if (EVP_IDEA_CBC == NULL)
+            wolfSSL_EVP_init();
+        return EVP_IDEA_CBC;
+    }
+#endif
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_enc_null(void)
+    {
+        static const char* type = "NULL";
+        WOLFSSL_ENTER("wolfSSL_EVP_enc_null");
+        return type;
+    }
+
+    int wolfSSL_EVP_MD_CTX_cleanup(WOLFSSL_EVP_MD_CTX* ctx)
+    {
+        WOLFSSL_ENTER("EVP_MD_CTX_cleanup");
+        if (ctx->pctx != NULL)
+            wolfSSL_EVP_PKEY_CTX_free(ctx->pctx);
+
+        if (ctx->macType == NID_hmac) {
+            wc_HmacFree(&ctx->hash.hmac);
+        }
+        else {
+            switch (ctx->macType) {
+            #ifndef NO_MD5
+                case WC_HASH_TYPE_MD5:
+                    wc_Md5Free((wc_Md5*)&ctx->hash.digest);
+                    break;
+            #endif /* !NO_MD5 */
+
+            #ifndef NO_SHA
+                case WC_HASH_TYPE_SHA:
+                    wc_ShaFree((wc_Sha*)&ctx->hash.digest);
+                    break;
+            #endif /* !NO_SHA */
+
+            #ifdef WOLFSSL_SHA224
+                case WC_HASH_TYPE_SHA224:
+                    wc_Sha224Free((wc_Sha224*)&ctx->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA224 */
+
+            #ifndef NO_SHA256
+                case WC_HASH_TYPE_SHA256:
+                    wc_Sha256Free((wc_Sha256*)&ctx->hash.digest);
+                    break;
+            #endif /* !NO_SHA256 */
+
+            #ifdef WOLFSSL_SHA384
+                case WC_HASH_TYPE_SHA384:
+                    wc_Sha384Free((wc_Sha384*)&ctx->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA384 */
+            #ifdef WOLFSSL_SHA512
+                case WC_HASH_TYPE_SHA512:
+                    wc_Sha512Free((wc_Sha512*)&ctx->hash.digest);
+                    break;
+            #endif /* WOLFSSL_SHA512 */
+        #ifdef WOLFSSL_SHA3
+            #ifndef WOLFSSL_NOSHA3_224
+                case WC_HASH_TYPE_SHA3_224:
+                    wc_Sha3_224_Free((wc_Sha3*)&ctx->hash.digest);
+                    break;
+            #endif
+
+            #ifndef WOLFSSL_NOSHA3_256
+                case WC_HASH_TYPE_SHA3_256:
+                    wc_Sha3_256_Free((wc_Sha3*)&ctx->hash.digest);
+                    break;
+            #endif
+
+                case WC_HASH_TYPE_SHA3_384:
+                    wc_Sha3_384_Free((wc_Sha3*)&ctx->hash.digest);
+                    break;
+
+            #ifndef WOLFSSL_NOSHA3_512
+                case WC_HASH_TYPE_SHA3_512:
+                    wc_Sha3_512_Free((wc_Sha3*)&ctx->hash.digest);
+                    break;
+            #endif
+        #endif
+                default:
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        ForceZero(ctx, sizeof(*ctx));
+        ctx->macType = WC_HASH_TYPE_NONE;
+        return 1;
+    }
+
+    void wolfSSL_EVP_CIPHER_CTX_init(WOLFSSL_EVP_CIPHER_CTX* ctx)
+    {
+        WOLFSSL_ENTER("EVP_CIPHER_CTX_init");
+        if (ctx) {
+            XMEMSET(ctx, 0, sizeof(WOLFSSL_EVP_CIPHER_CTX));
+            ctx->cipherType = WOLFSSL_EVP_CIPH_TYPE_INIT;   /* not yet initialized */
+            ctx->keyLen     = 0;
+            ctx->enc        = 1;      /* start in encrypt mode */
+        }
+    }
+
+#if defined(HAVE_AESGCM) && !defined(HAVE_SELFTEST)
+    static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz)
+    {
+        int i;
+        for (i = ctrSz-1; i >= 0; i--) {
+            if (++ctr[i])
+                break;
+        }
+    }
+#endif
+
+    /* This function allows cipher specific parameters to be
+    determined and set. */
+    int wolfSSL_EVP_CIPHER_CTX_ctrl(WOLFSSL_EVP_CIPHER_CTX *ctx, int type, \
+                                    int arg, void *ptr)
+    {
+        int ret = WOLFSSL_FAILURE;
+#if defined(HAVE_AESGCM) && !defined(HAVE_SELFTEST) && !defined(WC_NO_RNG)
+        WC_RNG rng;
+#endif
+        if (ctx == NULL)
+            return WOLFSSL_FAILURE;
+
+        (void)arg;
+        (void)ptr;
+
+        WOLFSSL_ENTER("EVP_CIPHER_CTX_ctrl");
+
+        switch(type) {
+            case EVP_CTRL_INIT:
+                wolfSSL_EVP_CIPHER_CTX_init(ctx);
+                if(ctx)
+                    ret = WOLFSSL_SUCCESS;
+                break;
+            case EVP_CTRL_SET_KEY_LENGTH:
+                ret = wolfSSL_EVP_CIPHER_CTX_set_key_length(ctx, arg);
+                break;
+#if defined(HAVE_AESGCM) && !defined(HAVE_SELFTEST) && !defined(WC_NO_RNG)
+            case EVP_CTRL_GCM_SET_IVLEN:
+                if(arg <= 0 || arg > 16)
+                    return WOLFSSL_FAILURE;
+                ret = wolfSSL_EVP_CIPHER_CTX_set_iv_length(ctx, arg);
+                break;
+            case EVP_CTRL_AEAD_SET_IV_FIXED:
+                if (arg == -1) {
+                    /* arg == -1 copies ctx->ivSz from ptr */
+                    ret = wolfSSL_EVP_CIPHER_CTX_set_iv(ctx, (byte*)ptr, ctx->ivSz);
+                }
+                else {
+                    /*
+                     * Fixed field must be at least 4 bytes and invocation
+                     * field at least 8.
+                     */
+                    if ((arg < 4) || (ctx->ivSz - arg) < 8) {
+                        WOLFSSL_MSG("Fixed field or invocation field too short");
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (wc_InitRng(&rng) != 0) {
+                        WOLFSSL_MSG("wc_InitRng failed");
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (arg) {
+                        XMEMCPY(ctx->iv, ptr, arg);
+                    }
+                    if (wc_RNG_GenerateBlock(&rng, ctx->iv   + arg,
+                                                   ctx->ivSz - arg) != 0) {
+                        /* rng is freed immediately after if block so no need
+                         * to do it here
+                         */
+                        WOLFSSL_MSG("wc_RNG_GenerateBlock failed");
+                        ret = WOLFSSL_FAILURE;
+                    }
+
+                    if (wc_FreeRng(&rng) != 0) {
+                        WOLFSSL_MSG("wc_FreeRng failed");
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+                break;
+#if !defined(_WIN32) && !defined(HAVE_FIPS)
+            case EVP_CTRL_GCM_IV_GEN:
+                if (ctx->cipher.aes.keylen == 0 || ctx->ivSz == 0) {
+                    ret = WOLFSSL_FAILURE;
+                    WOLFSSL_MSG("Key or IV not set");
+                    break;
+                }
+                if ((ret = wc_AesGcmSetExtIV(&ctx->cipher.aes, ctx->iv, ctx->ivSz)) != 0) {
+                    WOLFSSL_MSG("wc_AesGcmSetIV failed");
+                    ret = WOLFSSL_FAILURE;
+                }
+                /* OpenSSL increments the IV. Not sure why */
+                IncCtr(ctx->iv, ctx->ivSz);
+                break;
+#endif
+            case EVP_CTRL_AEAD_SET_TAG:
+                if(arg <= 0 || arg > 16 || (ptr == NULL))
+                    return WOLFSSL_FAILURE;
+
+                XMEMCPY(ctx->authTag, ptr, arg);
+                ctx->authTagSz = arg;
+                ret = WOLFSSL_SUCCESS;
+
+                break;
+            case EVP_CTRL_AEAD_GET_TAG:
+                if(arg <= 0 || arg > 16)
+                    return WOLFSSL_FAILURE;
+
+                XMEMCPY(ptr, ctx->authTag, arg);
+                ret = WOLFSSL_SUCCESS;
+                break;
+#endif /* HAVE_AESGCM && !HAVE_SELFTEST && !WC_NO_RNG */
+            default:
+                WOLFSSL_MSG("EVP_CIPHER_CTX_ctrl operation not yet handled");
+                ret = WOLFSSL_FAILURE;
+        }
+        return ret;
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_CIPHER_CTX_cleanup(WOLFSSL_EVP_CIPHER_CTX* ctx)
+    {
+        WOLFSSL_ENTER("EVP_CIPHER_CTX_cleanup");
+        if (ctx) {
+            ctx->cipherType = WOLFSSL_EVP_CIPH_TYPE_INIT;  /* not yet initialized  */
+            ctx->keyLen     = 0;
+        }
+
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* Permanent stub for Qt compilation. */
+    #if defined(WOLFSSL_QT) && !defined(NO_WOLFSSL_STUB)
+    const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_rc2_cbc(void)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_rc2_cbc");
+        WOLFSSL_STUB("EVP_rc2_cbc");
+        return NULL;
+    }
+    #endif
+
+#if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
+
+    int wolfSSL_EVP_BytesToKey(const WOLFSSL_EVP_CIPHER* type,
+                       const WOLFSSL_EVP_MD* md, const byte* salt,
+                       const byte* data, int sz, int count, byte* key, byte* iv)
+    {
+        int ret;
+        int hashType = WC_HASH_TYPE_NONE;
+    #ifdef WOLFSSL_SMALL_STACK
+        EncryptedInfo* info;
+    #else
+        EncryptedInfo  info[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
+                                       DYNAMIC_TYPE_ENCRYPTEDINFO);
+        if (info == NULL) {
+            WOLFSSL_MSG("malloc failed");
+            return WOLFSSL_FAILURE;
+        }
+    #endif
+
+        XMEMSET(info, 0, sizeof(EncryptedInfo));
+
+        ret = wc_EncryptedInfoGet(info, type);
+        if (ret < 0)
+            goto end;
+
+        if (data == NULL) {
+            ret = info->keySz;
+            goto end;
+        }
+
+        ret = wolfSSL_EVP_get_hashinfo(md, &hashType, NULL);
+        if (ret == WOLFSSL_FAILURE)
+            goto end;
+
+        ret = wc_PBKDF1_ex(key, info->keySz, iv, info->ivSz, data, sz, salt,
+                           EVP_SALT_SIZE, count, hashType, NULL);
+        if (ret == 0)
+            ret = info->keySz;
+
+    end:
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO);
+    #endif
+        if (ret < 0)
+            return 0; /* failure - for compatibility */
+
+        return ret;
+    }
+
+#endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
+
+#ifndef NO_AES
+    static int   AesSetKey_ex(Aes* aes, const byte* key, word32 len,
+                              const byte* iv, int dir, int direct)
+    {
+        int ret;
+        /* wc_AesSetKey clear aes.reg if iv == NULL.
+           Keep IV for openSSL compatibility */
+        if (iv == NULL)
+            XMEMCPY((byte *)aes->tmp, (byte *)aes->reg, AES_BLOCK_SIZE);
+        if (direct) {
+        #if defined(WOLFSSL_AES_DIRECT)
+            ret = wc_AesSetKeyDirect(aes, key, len, iv, dir);
+        #else
+            ret = NOT_COMPILED_IN;
+        #endif
+        }
+        else {
+            ret = wc_AesSetKey(aes, key, len, iv, dir);
+        }
+        if (iv == NULL)
+            XMEMCPY((byte *)aes->reg, (byte *)aes->tmp, AES_BLOCK_SIZE);
+        return ret;
+    }
+#endif
+
+    /* return WOLFSSL_SUCCESS on ok, 0 on failure to match API compatibility */
+    int  wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                               const WOLFSSL_EVP_CIPHER* type, const byte* key,
+                               const byte* iv, int enc)
+    {
+        int ret = 0;
+        (void)key;
+        (void)iv;
+        (void)enc;
+
+        WOLFSSL_ENTER("wolfSSL_EVP_CipherInit");
+        if (ctx == NULL) {
+            WOLFSSL_MSG("no ctx");
+            return WOLFSSL_FAILURE;
+        }
+
+        if (type == NULL && ctx->cipherType == WOLFSSL_EVP_CIPH_TYPE_INIT) {
+            WOLFSSL_MSG("no type set");
+            return WOLFSSL_FAILURE;
+        }
+        if (ctx->cipherType == WOLFSSL_EVP_CIPH_TYPE_INIT){
+            /* only first EVP_CipherInit invoke. ctx->cipherType is set below */
+            XMEMSET(&ctx->cipher, 0, sizeof(ctx->cipher));
+            ctx->flags   = 0;
+        }
+        /* always clear buffer state */
+        ctx->bufUsed = 0;
+        ctx->lastUsed = 0;
+
+#ifdef HAVE_WOLFSSL_EVP_CIPHER_CTX_IV
+        if (!iv && ctx->ivSz) {
+            iv = ctx->iv;
+        }
+#endif
+
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_CBC_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_CBC");
+            ctx->cipherType = AES_128_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                                ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_CBC_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_CBC");
+            ctx->cipherType = AES_192_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                                ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_CBC_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_CBC, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_CBC");
+            ctx->cipherType = AES_256_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                                ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 0);
+                if (ret != 0){
+                    WOLFSSL_MSG("AesSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0){
+                    WOLFSSL_MSG("wc_AesSetIV() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AES_CBC */
+#if !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_GCM_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_GCM, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_GCM");
+            ctx->cipherType = AES_128_GCM_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_GCM_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->authTagSz  = AES_BLOCK_SIZE;
+            ctx->ivSz       = GCM_NONCE_MID_SZ;
+
+            XMEMSET(ctx->authTag, 0, ctx->authTagSz);
+            if (key && wc_AesGcmSetKey(&ctx->cipher.aes, key, ctx->keyLen)) {
+                WOLFSSL_MSG("wc_AesGcmSetKey() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (iv && wc_AesGcmSetExtIV(&ctx->cipher.aes, iv, GCM_NONCE_MID_SZ)) {
+                WOLFSSL_MSG("wc_AesGcmSetExtIV() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_GCM_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_GCM, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_GCM");
+            ctx->cipherType = AES_192_GCM_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_GCM_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->authTagSz  = AES_BLOCK_SIZE;
+            ctx->ivSz       = GCM_NONCE_MID_SZ;
+
+            XMEMSET(ctx->authTag, 0, ctx->authTagSz);
+            if (key && wc_AesGcmSetKey(&ctx->cipher.aes, key, ctx->keyLen)) {
+                WOLFSSL_MSG("wc_AesGcmSetKey() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (iv && wc_AesGcmSetExtIV(&ctx->cipher.aes, iv, GCM_NONCE_MID_SZ)) {
+                WOLFSSL_MSG("wc_AesGcmSetExtIV() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_GCM_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_GCM, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_GCM");
+            ctx->cipherType = AES_256_GCM_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_GCM_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = AES_BLOCK_SIZE;
+            ctx->authTagSz  = AES_BLOCK_SIZE;
+            ctx->ivSz       = GCM_NONCE_MID_SZ;
+
+            XMEMSET(ctx->authTag, 0, ctx->authTagSz);
+            if (key && wc_AesGcmSetKey(&ctx->cipher.aes, key, ctx->keyLen)) {
+                WOLFSSL_MSG("wc_AesGcmSetKey() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (iv && wc_AesGcmSetExtIV(&ctx->cipher.aes, iv, GCM_NONCE_MID_SZ)) {
+                WOLFSSL_MSG("wc_AesGcmSetExtIV() failed");
+                return WOLFSSL_FAILURE;
+            }
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AESGCM */
+#endif /* !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) */
+#ifdef WOLFSSL_AES_COUNTER
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_CTR_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_128_CTR, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_CTR");
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->cipherType = AES_128_CTR_TYPE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CTR_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = NO_PADDING_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+#if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB)
+            ctx->cipher.aes.left = 0;
+#endif
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                    AES_ENCRYPTION, 1);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_CTR_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_CTR, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_CTR");
+            ctx->cipherType = AES_192_CTR_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CTR_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = NO_PADDING_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+#if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB)
+            ctx->cipher.aes.left = 0;
+#endif
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                      AES_ENCRYPTION, 1);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_CTR_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_CTR, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_CTR");
+            ctx->cipherType = AES_256_CTR_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CTR_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = NO_PADDING_BLOCK_SIZE;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+#if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB)
+            ctx->cipher.aes.left = 0;
+#endif
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                      AES_ENCRYPTION, 1);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+#endif /* WOLFSSL_AES_COUNTER */
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_ECB_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_ECB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_ECB");
+            ctx->cipherType = AES_128_ECB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_ECB_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, NULL,
+                      ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 1);
+            }
+            if (ret != 0)
+                return WOLFSSL_FAILURE;
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_ECB_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_ECB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_ECB");
+            ctx->cipherType = AES_192_ECB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_ECB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, NULL,
+                      ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 1);
+            }
+            if (ret != 0)
+                return WOLFSSL_FAILURE;
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_ECB_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_ECB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_ECB");
+            ctx->cipherType = AES_256_ECB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_ECB_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = AES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret =  AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, NULL,
+                    ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, 1);
+            }
+            if (ret != 0)
+                return WOLFSSL_FAILURE;
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #ifdef WOLFSSL_AES_CFB
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_CFB1_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_CFB1, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_CFB1");
+            ctx->cipherType = AES_128_CFB1_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                        AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_CFB1_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_CFB1, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_CFB1");
+            ctx->cipherType = AES_192_CFB1_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_CFB1_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_CFB1, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_CFB1");
+            ctx->cipherType = AES_256_CFB1_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0){
+                    WOLFSSL_MSG("AesSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0){
+                    WOLFSSL_MSG("wc_AesSetIV() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_CFB8_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_CFB8, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_CFB8");
+            ctx->cipherType = AES_128_CFB8_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                        AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_CFB8_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_CFB8, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_CFB8");
+            ctx->cipherType = AES_192_CFB8_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_CFB8_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_CFB8, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_CFB8");
+            ctx->cipherType = AES_256_CFB8_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0){
+                    WOLFSSL_MSG("AesSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0){
+                    WOLFSSL_MSG("wc_AesSetIV() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_CFB128_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_CFB128, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_CFB128");
+            ctx->cipherType = AES_128_CFB128_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                        AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_CFB128_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_CFB128, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_CFB128");
+            ctx->cipherType = AES_192_CFB128_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_CFB128_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_CFB128, EVP_AESCFB_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_CFB128");
+            ctx->cipherType = AES_256_CFB128_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CFB_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0){
+                    WOLFSSL_MSG("AesSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0){
+                    WOLFSSL_MSG("wc_AesSetIV() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AES_CFB */
+    #ifdef WOLFSSL_AES_OFB
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_OFB_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_OFB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_OFB");
+            ctx->cipherType = AES_128_OFB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_OFB_MODE;
+            ctx->keyLen     = 16;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                        AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_192
+        if (ctx->cipherType == AES_192_OFB_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_192_OFB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_192_OFB");
+            ctx->cipherType = AES_192_OFB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_OFB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        #endif /* WOLFSSL_AES_192 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_OFB_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_OFB, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_OFB");
+            ctx->cipherType = AES_256_OFB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_OFB_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = 1;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = AesSetKey_ex(&ctx->cipher.aes, key, ctx->keyLen, iv,
+                            AES_ENCRYPTION, 0);
+                if (ret != 0){
+                    WOLFSSL_MSG("AesSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+            if (iv && key == NULL) {
+                ret = wc_AesSetIV(&ctx->cipher.aes, iv);
+                if (ret != 0){
+                    WOLFSSL_MSG("wc_AesSetIV() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AES_OFB */
+    #ifdef WOLFSSL_AES_XTS
+        #ifdef WOLFSSL_AES_128
+        if (ctx->cipherType == AES_128_XTS_TYPE ||
+            (type && XSTRNCMP(type, EVP_AES_128_XTS, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_128_XTS");
+            ctx->cipherType = AES_128_XTS_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_XTS_MODE;
+            ctx->keyLen     = 32;
+            ctx->block_size = 1;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+
+            if (iv != NULL) {
+                if (iv != ctx->iv) /* Valgrind error when src == dst */
+                    XMEMCPY(ctx->iv, iv, ctx->ivSz);
+            }
+            else
+                XMEMSET(ctx->iv, 0, AES_BLOCK_SIZE);
+
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_AesXtsSetKey(&ctx->cipher.xts, key, ctx->keyLen,
+                    ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, NULL, 0);
+                if (ret != 0) {
+                    WOLFSSL_MSG("wc_AesXtsSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_128 */
+        #ifdef WOLFSSL_AES_256
+        if (ctx->cipherType == AES_256_XTS_TYPE ||
+                 (type && XSTRNCMP(type, EVP_AES_256_XTS, EVP_AES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_AES_256_XTS");
+            ctx->cipherType = AES_256_XTS_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_XTS_MODE;
+            ctx->keyLen     = 64;
+            ctx->block_size = 1;
+            ctx->ivSz       = AES_BLOCK_SIZE;
+
+            if (iv != NULL) {
+                if (iv != ctx->iv) /* Valgrind error when src == dst */
+                    XMEMCPY(ctx->iv, iv, ctx->ivSz);
+            }
+            else
+                XMEMSET(ctx->iv, 0, AES_BLOCK_SIZE);
+
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_AesXtsSetKey(&ctx->cipher.xts, key, ctx->keyLen,
+                        ctx->enc ? AES_ENCRYPTION : AES_DECRYPTION, NULL, 0);
+                if (ret != 0) {
+                    WOLFSSL_MSG("wc_AesXtsSetKey() failed");
+                    return WOLFSSL_FAILURE;
+                }
+            }
+        }
+        #endif /* WOLFSSL_AES_256 */
+    #endif /* HAVE_AES_XTS */
+#endif /* NO_AES */
+
+#ifndef NO_DES3
+        if (ctx->cipherType == DES_CBC_TYPE ||
+                 (type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_DES_CBC");
+            ctx->cipherType = DES_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = 8;
+            ctx->block_size = DES_BLOCK_SIZE;
+            ctx->ivSz       = DES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_Des_SetKey(&ctx->cipher.des, key, iv,
+                          ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+
+            if (iv && key == NULL)
+                wc_Des_SetIV(&ctx->cipher.des, iv);
+        }
+#ifdef WOLFSSL_DES_ECB
+        else if (ctx->cipherType == DES_ECB_TYPE ||
+                 (type && XSTRNCMP(type, EVP_DES_ECB, EVP_DES_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_DES_ECB");
+            ctx->cipherType = DES_ECB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_ECB_MODE;
+            ctx->keyLen     = 8;
+            ctx->block_size = DES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                WOLFSSL_MSG("Des_SetKey");
+                ret = wc_Des_SetKey(&ctx->cipher.des, key, NULL,
+                          ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+#endif
+        else if (ctx->cipherType == DES_EDE3_CBC_TYPE ||
+                 (type &&
+                  XSTRNCMP(type, EVP_DES_EDE3_CBC, EVP_DES_EDE3_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_DES_EDE3_CBC");
+            ctx->cipherType = DES_EDE3_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = DES_BLOCK_SIZE;
+            ctx->ivSz       = DES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_Des3_SetKey(&ctx->cipher.des3, key, iv,
+                          ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+
+            if (iv && key == NULL) {
+                ret = wc_Des3_SetIV(&ctx->cipher.des3, iv);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+        else if (ctx->cipherType == DES_EDE3_ECB_TYPE ||
+                 (type &&
+                  XSTRNCMP(type, EVP_DES_EDE3_ECB, EVP_DES_EDE3_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_DES_EDE3_ECB");
+            ctx->cipherType = DES_EDE3_ECB_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_ECB_MODE;
+            ctx->keyLen     = 24;
+            ctx->block_size = DES_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_Des3_SetKey(&ctx->cipher.des3, key, NULL,
+                          ctx->enc ? DES_ENCRYPTION : DES_DECRYPTION);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+        }
+#endif /* NO_DES3 */
+#ifndef NO_RC4
+        if (ctx->cipherType == ARC4_TYPE || (type &&
+                                     XSTRNCMP(type, "ARC4", 4) == 0)) {
+            WOLFSSL_MSG("ARC4");
+            ctx->cipherType = ARC4_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_STREAM_CIPHER;
+            ctx->block_size = 1;
+            if (ctx->keyLen == 0)  /* user may have already set */
+                ctx->keyLen = 16;  /* default to 128 */
+            if (key)
+                wc_Arc4SetKey(&ctx->cipher.arc4, key, ctx->keyLen);
+        }
+#endif /* NO_RC4 */
+#ifdef HAVE_IDEA
+        if (ctx->cipherType == IDEA_CBC_TYPE ||
+                 (type && XSTRNCMP(type, EVP_IDEA_CBC, EVP_IDEA_SIZE) == 0)) {
+            WOLFSSL_MSG("EVP_IDEA_CBC");
+            ctx->cipherType = IDEA_CBC_TYPE;
+            ctx->flags     &= ~WOLFSSL_EVP_CIPH_MODE;
+            ctx->flags     |= WOLFSSL_EVP_CIPH_CBC_MODE;
+            ctx->keyLen     = IDEA_KEY_SIZE;
+            ctx->block_size = 8;
+            ctx->ivSz       = IDEA_BLOCK_SIZE;
+            if (enc == 0 || enc == 1)
+                ctx->enc = enc ? 1 : 0;
+            if (key) {
+                ret = wc_IdeaSetKey(&ctx->cipher.idea, key, (word16)ctx->keyLen,
+                                    iv, ctx->enc ? IDEA_ENCRYPTION :
+                                                   IDEA_DECRYPTION);
+                if (ret != 0)
+                    return WOLFSSL_FAILURE;
+            }
+
+            if (iv && key == NULL)
+                wc_IdeaSetIV(&ctx->cipher.idea, iv);
+        }
+#endif /* HAVE_IDEA */
+        if (ctx->cipherType == NULL_CIPHER_TYPE || (type &&
+                                     XSTRNCMP(type, "NULL", 4) == 0)) {
+            WOLFSSL_MSG("NULL cipher");
+            ctx->cipherType = NULL_CIPHER_TYPE;
+            ctx->keyLen = 0;
+            ctx->block_size = 16;
+        }
+#ifdef HAVE_WOLFSSL_EVP_CIPHER_CTX_IV
+        if (iv && iv != ctx->iv) {
+            if (wolfSSL_StoreExternalIV(ctx) != WOLFSSL_SUCCESS) {
+                return WOLFSSL_FAILURE;
+            }
+        }
+#endif
+        (void)ret; /* remove warning. If execution reaches this point, ret=0 */
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_CIPHER_CTX_key_length(WOLFSSL_EVP_CIPHER_CTX* ctx)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_key_length");
+        if (ctx)
+            return ctx->keyLen;
+
+        return 0;   /* failure */
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_CIPHER_CTX_set_key_length(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                             int keylen)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_set_key_length");
+        if (ctx)
+            ctx->keyLen = keylen;
+        else
+            return 0;  /* failure */
+
+        return WOLFSSL_SUCCESS;
+    }
+#if defined(HAVE_AESGCM)
+    /* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE */
+    int wolfSSL_EVP_CIPHER_CTX_set_iv_length(WOLFSSL_EVP_CIPHER_CTX* ctx,
+                                             int ivLen)
+    {
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_set_iv_length");
+        if (ctx)
+            ctx->ivSz= ivLen;
+        else
+            return WOLFSSL_FAILURE;
+
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE */
+    int wolfSSL_EVP_CIPHER_CTX_set_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* iv,
+                                             int ivLen)
+    {
+        int expectedIvLen;
+
+        WOLFSSL_ENTER("wolfSSL_EVP_CIPHER_CTX_set_iv_length");
+        if (!ctx || !iv || !ivLen) {
+            return WOLFSSL_FAILURE;
+        }
+
+        expectedIvLen = wolfSSL_EVP_CIPHER_CTX_iv_length(ctx);
+
+        if (expectedIvLen == 0 || expectedIvLen != ivLen) {
+            WOLFSSL_MSG("Wrong ivLen value");
+            return WOLFSSL_FAILURE;
+        }
+
+        return wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, -1);
+    }
+#endif
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, byte* src,
+                          word32 len)
+    {
+        int ret = 0;
+        WOLFSSL_ENTER("wolfSSL_EVP_Cipher");
+
+        if (ctx == NULL || src == NULL ||
+            (dst == NULL &&
+             ctx->cipherType != AES_128_GCM_TYPE &&
+             ctx->cipherType != AES_192_GCM_TYPE &&
+             ctx->cipherType != AES_256_GCM_TYPE)) {
+            WOLFSSL_MSG("Bad function argument");
+            return 0;  /* failure */
+        }
+
+        if (ctx->cipherType == 0xff) {
+            WOLFSSL_MSG("no init");
+            return 0;  /* failure */
+        }
+
+        switch (ctx->cipherType) {
+
+#ifndef NO_AES
+#ifdef HAVE_AES_CBC
+            case AES_128_CBC_TYPE :
+            case AES_192_CBC_TYPE :
+            case AES_256_CBC_TYPE :
+                WOLFSSL_MSG("AES CBC");
+                if (ctx->enc)
+                    ret = wc_AesCbcEncrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesCbcDecrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif /* HAVE_AES_CBC */
+
+#ifdef WOLFSSL_AES_CFB
+#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+            case AES_128_CFB1_TYPE:
+            case AES_192_CFB1_TYPE:
+            case AES_256_CFB1_TYPE:
+                WOLFSSL_MSG("AES CFB1");
+                if (ctx->enc)
+                    ret = wc_AesCfb1Encrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesCfb1Decrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+            case AES_128_CFB8_TYPE:
+            case AES_192_CFB8_TYPE:
+            case AES_256_CFB8_TYPE:
+                WOLFSSL_MSG("AES CFB8");
+                if (ctx->enc)
+                    ret = wc_AesCfb8Encrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesCfb8Decrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif /* !HAVE_SELFTEST && !HAVE_FIPS */
+            case AES_128_CFB128_TYPE:
+            case AES_192_CFB128_TYPE:
+            case AES_256_CFB128_TYPE:
+                WOLFSSL_MSG("AES CFB128");
+                if (ctx->enc)
+                    ret = wc_AesCfbEncrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesCfbDecrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif /* WOLFSSL_AES_CFB */
+#if defined(WOLFSSL_AES_OFB)
+            case AES_128_OFB_TYPE:
+            case AES_192_OFB_TYPE:
+            case AES_256_OFB_TYPE:
+                WOLFSSL_MSG("AES OFB");
+                if (ctx->enc)
+                    ret = wc_AesOfbEncrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesOfbDecrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif /* WOLFSSL_AES_OFB */
+#if defined(WOLFSSL_AES_XTS)
+            case AES_128_XTS_TYPE:
+            case AES_256_XTS_TYPE:
+                WOLFSSL_MSG("AES XTS");
+                if (ctx->enc)
+                    ret = wc_AesXtsEncrypt(&ctx->cipher.xts, dst, src, len,
+                            ctx->iv, ctx->ivSz);
+                else
+                    ret = wc_AesXtsDecrypt(&ctx->cipher.xts, dst, src, len,
+                            ctx->iv, ctx->ivSz);
+                break;
+#endif /* WOLFSSL_AES_XTS */
+
+#ifdef HAVE_AESGCM
+            case AES_128_GCM_TYPE :
+            case AES_192_GCM_TYPE :
+            case AES_256_GCM_TYPE :
+                WOLFSSL_MSG("AES GCM");
+                if (ctx->enc) {
+                    if (dst){
+                        /* encrypt confidential data*/
+                        ret = wc_AesGcmEncrypt(&ctx->cipher.aes, dst, src, len,
+                                  ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                                  NULL, 0);
+                    }
+                    else {
+                        /* authenticated, non-confidential data */
+                        ret = wc_AesGcmEncrypt(&ctx->cipher.aes, NULL, NULL, 0,
+                                  ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                                  src, len);
+                        /* Reset partial authTag error for AAD*/
+                        if (ret == AES_GCM_AUTH_E)
+                            ret = 0;
+                    }
+                }
+                else {
+                    if (dst){
+                        /* decrypt confidential data*/
+                        ret = wc_AesGcmDecrypt(&ctx->cipher.aes, dst, src, len,
+                                  ctx->iv, ctx->ivSz, ctx->authTag, ctx->authTagSz,
+                                  NULL, 0);
+                    }
+                    else {
+                        /* authenticated, non-confidential data*/
+                        ret = wc_AesGcmDecrypt(&ctx->cipher.aes, NULL, NULL, 0,
+                                  ctx->iv, ctx->ivSz,
+                                  ctx->authTag, ctx->authTagSz,
+                                  src, len);
+                        /* Reset partial authTag error for AAD*/
+                        if (ret == AES_GCM_AUTH_E)
+                            ret = 0;
+                    }
+                }
+                break;
+#endif /* HAVE_AESGCM */
+#ifdef HAVE_AES_ECB
+            case AES_128_ECB_TYPE :
+            case AES_192_ECB_TYPE :
+            case AES_256_ECB_TYPE :
+                WOLFSSL_MSG("AES ECB");
+                if (ctx->enc)
+                    ret = wc_AesEcbEncrypt(&ctx->cipher.aes, dst, src, len);
+                else
+                    ret = wc_AesEcbDecrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif
+#ifdef WOLFSSL_AES_COUNTER
+            case AES_128_CTR_TYPE :
+            case AES_192_CTR_TYPE :
+            case AES_256_CTR_TYPE :
+                    WOLFSSL_MSG("AES CTR");
+                    ret = wc_AesCtrEncrypt(&ctx->cipher.aes, dst, src, len);
+                break;
+#endif /* WOLFSSL_AES_COUNTER */
+#endif /* NO_AES */
+
+#ifndef NO_DES3
+            case DES_CBC_TYPE :
+                WOLFSSL_MSG("DES CBC");
+                if (ctx->enc)
+                    wc_Des_CbcEncrypt(&ctx->cipher.des, dst, src, len);
+                else
+                    wc_Des_CbcDecrypt(&ctx->cipher.des, dst, src, len);
+                break;
+            case DES_EDE3_CBC_TYPE :
+                WOLFSSL_MSG("DES3 CBC");
+                if (ctx->enc)
+                    ret = wc_Des3_CbcEncrypt(&ctx->cipher.des3, dst, src, len);
+                else
+                    ret = wc_Des3_CbcDecrypt(&ctx->cipher.des3, dst, src, len);
+                break;
+#ifdef WOLFSSL_DES_ECB
+            case DES_ECB_TYPE :
+                WOLFSSL_MSG("DES ECB");
+                ret = wc_Des_EcbEncrypt(&ctx->cipher.des, dst, src, len);
+                break;
+            case DES_EDE3_ECB_TYPE :
+                WOLFSSL_MSG("DES3 ECB");
+                ret = wc_Des3_EcbEncrypt(&ctx->cipher.des3, dst, src, len);
+                break;
+#endif
+#endif /* !NO_DES3 */
+
+#ifndef NO_RC4
+            case ARC4_TYPE :
+                WOLFSSL_MSG("ARC4");
+                wc_Arc4Process(&ctx->cipher.arc4, dst, src, len);
+                break;
+#endif
+
+#ifdef HAVE_IDEA
+            case IDEA_CBC_TYPE :
+                WOLFSSL_MSG("IDEA CBC");
+                if (ctx->enc)
+                    wc_IdeaCbcEncrypt(&ctx->cipher.idea, dst, src, len);
+                else
+                    wc_IdeaCbcDecrypt(&ctx->cipher.idea, dst, src, len);
+                break;
+#endif
+            case NULL_CIPHER_TYPE :
+                WOLFSSL_MSG("NULL CIPHER");
+                XMEMCPY(dst, src, len);
+                break;
+
+            default: {
+                WOLFSSL_MSG("bad type");
+                return 0;  /* failure */
+            }
+        }
+
+        if (ret != 0) {
+            WOLFSSL_MSG("wolfSSL_EVP_Cipher failure");
+            return 0;  /* failure */
+        }
+
+        if (wolfSSL_StoreExternalIV(ctx) != WOLFSSL_SUCCESS) {
+            return WOLFSSL_FAILURE;
+        }
+
+        WOLFSSL_MSG("wolfSSL_EVP_Cipher success");
+        return WOLFSSL_SUCCESS;  /* success */
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_DigestInit(WOLFSSL_EVP_MD_CTX* ctx,
+                               const WOLFSSL_EVP_MD* md)
+    {
+        int ret = WOLFSSL_SUCCESS;
+
+        WOLFSSL_ENTER("EVP_DigestInit");
+
+        if (ctx == NULL || md == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        /* compile-time validation of ASYNC_CTX_SIZE */
+        typedef char async_test[WC_ASYNC_DEV_SIZE >= sizeof(WC_ASYNC_DEV) ?
+                                                                        1 : -1];
+        (void)sizeof(async_test);
+    #endif
+
+        /* Set to 0 if no match */
+        ctx->macType = wolfSSL_EVP_md2macType(md);
+        if (XSTRNCMP(md, "SHA256", 6) == 0) {
+             ret = wolfSSL_SHA256_Init(&(ctx->hash.digest.sha256));
+        }
+    #ifdef WOLFSSL_SHA224
+        else if (XSTRNCMP(md, "SHA224", 6) == 0) {
+             ret = wolfSSL_SHA224_Init(&(ctx->hash.digest.sha224));
+        }
+    #endif
+    #ifdef WOLFSSL_SHA384
+        else if (XSTRNCMP(md, "SHA384", 6) == 0) {
+             ret = wolfSSL_SHA384_Init(&(ctx->hash.digest.sha384));
+        }
+    #endif
+    #ifdef WOLFSSL_SHA512
+        else if (XSTRNCMP(md, "SHA512", 6) == 0) {
+             ret = wolfSSL_SHA512_Init(&(ctx->hash.digest.sha512));
+        }
+    #endif
+    #ifndef NO_MD4
+        else if (XSTRNCMP(md, "MD4", 3) == 0) {
+            wolfSSL_MD4_Init(&(ctx->hash.digest.md4));
+        }
+    #endif
+    #ifndef NO_MD5
+        else if (XSTRNCMP(md, "MD5", 3) == 0) {
+            ret = wolfSSL_MD5_Init(&(ctx->hash.digest.md5));
+        }
+    #endif
+#ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        else if (XSTRNCMP(md, "SHA3_224", 8) == 0) {
+             ret = wolfSSL_SHA3_224_Init(&(ctx->hash.digest.sha3_224));
+        }
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        else if (XSTRNCMP(md, "SHA3_256", 8) == 0) {
+             ret = wolfSSL_SHA3_256_Init(&(ctx->hash.digest.sha3_256));
+        }
+    #endif
+        else if (XSTRNCMP(md, "SHA3_384", 8) == 0) {
+             ret = wolfSSL_SHA3_384_Init(&(ctx->hash.digest.sha3_384));
+        }
+    #ifndef WOLFSSL_NOSHA3_512
+        else if (XSTRNCMP(md, "SHA3_512", 8) == 0) {
+             ret = wolfSSL_SHA3_512_Init(&(ctx->hash.digest.sha3_512));
+        }
+    #endif
+#endif
+    #ifndef NO_SHA
+        /* has to be last since would pick or 224, 256, 384, or 512 too */
+        else if (XSTRNCMP(md, "SHA", 3) == 0) {
+             ret = wolfSSL_SHA_Init(&(ctx->hash.digest.sha));
+        }
+    #endif /* NO_SHA */
+        else {
+             ctx->macType = WC_HASH_TYPE_NONE;
+             return BAD_FUNC_ARG;
+        }
+
+        return ret;
+    }
+
+    /* WOLFSSL_SUCCESS on ok, WOLFSSL_FAILURE on failure */
+    int wolfSSL_EVP_DigestUpdate(WOLFSSL_EVP_MD_CTX* ctx, const void* data,
+                                size_t sz)
+    {
+        int macType;
+
+        WOLFSSL_ENTER("EVP_DigestUpdate");
+
+        macType = wolfSSL_EVP_md2macType(EVP_MD_CTX_md(ctx));
+        switch (macType) {
+#ifndef NO_MD4
+            case WC_HASH_TYPE_MD4:
+                wolfSSL_MD4_Update((MD4_CTX*)&ctx->hash, data,
+                                  (unsigned long)sz);
+                break;
+#endif
+#ifndef NO_MD5
+            case WC_HASH_TYPE_MD5:
+                wolfSSL_MD5_Update((MD5_CTX*)&ctx->hash, data,
+                                  (unsigned long)sz);
+                break;
+#endif
+#ifndef NO_SHA
+            case WC_HASH_TYPE_SHA:
+                wolfSSL_SHA_Update((SHA_CTX*)&ctx->hash, data,
+                                  (unsigned long)sz);
+                break;
+#endif
+#ifdef WOLFSSL_SHA224
+            case WC_HASH_TYPE_SHA224:
+                wolfSSL_SHA224_Update((SHA224_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+#endif
+#ifndef NO_SHA256
+            case WC_HASH_TYPE_SHA256:
+                wolfSSL_SHA256_Update((SHA256_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+#endif /* !NO_SHA256 */
+#ifdef WOLFSSL_SHA384
+            case WC_HASH_TYPE_SHA384:
+                wolfSSL_SHA384_Update((SHA384_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+#endif
+#ifdef WOLFSSL_SHA512
+            case WC_HASH_TYPE_SHA512:
+                wolfSSL_SHA512_Update((SHA512_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+#endif /* WOLFSSL_SHA512 */
+    #ifdef WOLFSSL_SHA3
+        #ifndef WOLFSSL_NOSHA3_224
+            case WC_HASH_TYPE_SHA3_224:
+                wolfSSL_SHA3_224_Update((SHA3_224_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+        #endif
+        #ifndef WOLFSSL_NOSHA3_256
+            case WC_HASH_TYPE_SHA3_256:
+                wolfSSL_SHA3_256_Update((SHA3_256_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+        #endif
+            case WC_HASH_TYPE_SHA3_384:
+                wolfSSL_SHA3_384_Update((SHA3_384_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+        #ifndef WOLFSSL_NOSHA3_512
+            case WC_HASH_TYPE_SHA3_512:
+                wolfSSL_SHA3_512_Update((SHA3_512_CTX*)&ctx->hash, data,
+                                     (unsigned long)sz);
+                break;
+        #endif
+    #endif
+            default:
+                return WOLFSSL_FAILURE;
+        }
+
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_DigestFinal(WOLFSSL_EVP_MD_CTX* ctx, unsigned char* md,
+                               unsigned int* s)
+    {
+        int macType;
+
+        WOLFSSL_ENTER("EVP_DigestFinal");
+        macType = wolfSSL_EVP_md2macType(EVP_MD_CTX_md(ctx));
+        switch (macType) {
+#ifndef NO_MD4
+            case WC_HASH_TYPE_MD4:
+                wolfSSL_MD4_Final(md, (MD4_CTX*)&ctx->hash);
+                if (s) *s = MD4_DIGEST_SIZE;
+                break;
+#endif
+#ifndef NO_MD5
+            case WC_HASH_TYPE_MD5:
+                wolfSSL_MD5_Final(md, (MD5_CTX*)&ctx->hash);
+                if (s) *s = WC_MD5_DIGEST_SIZE;
+                break;
+#endif
+#ifndef NO_SHA
+            case WC_HASH_TYPE_SHA:
+                wolfSSL_SHA_Final(md, (SHA_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA_DIGEST_SIZE;
+                break;
+#endif
+#ifdef WOLFSSL_SHA224
+            case WC_HASH_TYPE_SHA224:
+                wolfSSL_SHA224_Final(md, (SHA224_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA224_DIGEST_SIZE;
+                break;
+#endif
+#ifndef NO_SHA256
+            case WC_HASH_TYPE_SHA256:
+                wolfSSL_SHA256_Final(md, (SHA256_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA256_DIGEST_SIZE;
+                break;
+#endif /* !NO_SHA256 */
+#ifdef WOLFSSL_SHA384
+            case WC_HASH_TYPE_SHA384:
+                wolfSSL_SHA384_Final(md, (SHA384_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA384_DIGEST_SIZE;
+                break;
+#endif
+#ifdef WOLFSSL_SHA512
+            case WC_HASH_TYPE_SHA512:
+                wolfSSL_SHA512_Final(md, (SHA512_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA512_DIGEST_SIZE;
+                break;
+#endif /* WOLFSSL_SHA512 */
+    #ifdef WOLFSSL_SHA3
+        #ifndef WOLFSSL_NOSHA3_224
+            case WC_HASH_TYPE_SHA3_224:
+                wolfSSL_SHA3_224_Final(md, (SHA3_224_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA3_224_DIGEST_SIZE;
+                break;
+        #endif
+        #ifndef WOLFSSL_NOSHA3_256
+            case WC_HASH_TYPE_SHA3_256:
+                wolfSSL_SHA3_256_Final(md, (SHA3_256_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA3_256_DIGEST_SIZE;
+                break;
+        #endif
+            case WC_HASH_TYPE_SHA3_384:
+                wolfSSL_SHA3_384_Final(md, (SHA3_384_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA3_384_DIGEST_SIZE;
+                break;
+        #ifndef WOLFSSL_NOSHA3_512
+            case WC_HASH_TYPE_SHA3_512:
+                wolfSSL_SHA3_512_Final(md, (SHA3_512_CTX*)&ctx->hash);
+                if (s) *s = WC_SHA3_512_DIGEST_SIZE;
+                break;
+        #endif
+    #endif
+            default:
+                return WOLFSSL_FAILURE;
+        }
+
+        return WOLFSSL_SUCCESS;
+    }
+
+    /* WOLFSSL_SUCCESS on ok */
+    int wolfSSL_EVP_DigestFinal_ex(WOLFSSL_EVP_MD_CTX* ctx, unsigned char* md,
+                                   unsigned int* s)
+    {
+        WOLFSSL_ENTER("EVP_DigestFinal_ex");
+        return EVP_DigestFinal(ctx, md, s);
+    }
+
+    void wolfSSL_EVP_cleanup(void)
+    {
+        /* nothing to do here */
+    }
+
+const WOLFSSL_EVP_MD* wolfSSL_EVP_get_digestbynid(int id)
+{
+    WOLFSSL_MSG("wolfSSL_get_digestbynid");
+
+    switch(id) {
+#ifndef NO_MD5
+        case NID_md5:
+            return wolfSSL_EVP_md5();
+#endif
+#ifndef NO_SHA
+        case NID_sha1:
+            return wolfSSL_EVP_sha1();
+#endif
+        default:
+            WOLFSSL_MSG("Bad digest id value");
+    }
+
+    return NULL;
+}
+
+#ifndef NO_RSA
+WOLFSSL_RSA* wolfSSL_EVP_PKEY_get0_RSA(WOLFSSL_EVP_PKEY *pkey)
+{
+    if (!pkey) {
+        return NULL;
+    }
+    return pkey->rsa;
+}
+
+WOLFSSL_RSA* wolfSSL_EVP_PKEY_get1_RSA(WOLFSSL_EVP_PKEY* key)
+{
+    WOLFSSL_RSA* local;
+
+    WOLFSSL_MSG("wolfSSL_EVP_PKEY_get1_RSA");
+
+    if (key == NULL) {
+        return NULL;
+    }
+
+    local = wolfSSL_RSA_new();
+    if (local == NULL) {
+        WOLFSSL_MSG("Error creating a new WOLFSSL_RSA structure");
+        return NULL;
+    }
+
+    if (key->type == EVP_PKEY_RSA) {
+        if (wolfSSL_RSA_LoadDer(local, (const unsigned char*)key->pkey.ptr,
+                    key->pkey_sz) != SSL_SUCCESS) {
+            /* now try public key */
+            if (wolfSSL_RSA_LoadDer_ex(local,
+                        (const unsigned char*)key->pkey.ptr, key->pkey_sz,
+                        WOLFSSL_RSA_LOAD_PUBLIC) != SSL_SUCCESS) {
+                wolfSSL_RSA_free(local);
+                local = NULL;
+            }
+        }
+    }
+    else {
+        WOLFSSL_MSG("WOLFSSL_EVP_PKEY does not hold an RSA key");
+        wolfSSL_RSA_free(local);
+        local = NULL;
+    }
+    return local;
+}
+
+/* with set1 functions the pkey struct does not own the RSA structure
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_PKEY_set1_RSA(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_RSA *key)
+{
+#if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)
+    int derMax = 0;
+    int derSz  = 0;
+    byte* derBuf = NULL;
+    RsaKey* rsa  = NULL;
+#endif
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_set1_RSA");
+    if ((pkey == NULL) || (key == NULL))
+        return WOLFSSL_FAILURE;
+
+    if (pkey->rsa != NULL && pkey->ownRsa == 1) {
+        wolfSSL_RSA_free(pkey->rsa);
+    }
+    pkey->rsa    = key;
+    pkey->ownRsa = 0; /* pkey does not own RSA */
+    pkey->type   = EVP_PKEY_RSA;
+    if (key->inSet == 0) {
+        if (SetRsaInternal(key) != WOLFSSL_SUCCESS) {
+            WOLFSSL_MSG("SetRsaInternal failed");
+            return WOLFSSL_FAILURE;
+        }
+    }
+
+#if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)
+    rsa = (RsaKey*)key->internal;
+    /* 5 > size of n, d, p, q, d%(p-1), d(q-1), 1/q%p, e + ASN.1 additional
+     * information */
+    derMax = 5 * wolfSSL_RSA_size(key) + (2 * AES_BLOCK_SIZE);
+
+    derBuf = (byte*)XMALLOC(derMax, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (derBuf == NULL) {
+        WOLFSSL_MSG("malloc failed");
+        return WOLFSSL_FAILURE;
+    }
+
+    if (rsa->type == RSA_PRIVATE) {
+        /* Private key to DER */
+        derSz = wc_RsaKeyToDer(rsa, derBuf, derMax);
+    }
+    else {
+        /* Public key to DER */
+        derSz = wc_RsaKeyToPublicDer(rsa, derBuf, derMax);
+    }
+
+    if (derSz < 0) {
+        if (rsa->type == RSA_PRIVATE) {
+            WOLFSSL_MSG("wc_RsaKeyToDer failed");
+        }
+        else {
+            WOLFSSL_MSG("wc_RsaKeyToPublicDer failed");
+        }
+        XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+
+    pkey->pkey.ptr = (char*)XMALLOC(derSz, pkey->heap, DYNAMIC_TYPE_DER);
+    if (pkey->pkey.ptr == NULL) {
+        WOLFSSL_MSG("key malloc failed");
+        XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+    pkey->pkey_sz = derSz;
+    XMEMCPY(pkey->pkey.ptr, derBuf, derSz);
+    XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif /* WOLFSSL_KEY_GEN && !HAVE_USER_RSA */
+
+#ifdef WC_RSA_BLINDING
+    if (key->ownRng == 0) {
+        if (wc_RsaSetRNG((RsaKey*)(pkey->rsa->internal), &(pkey->rng)) != 0) {
+            WOLFSSL_MSG("Error setting RSA rng");
+            return WOLFSSL_FAILURE;
+        }
+    }
+#endif
+    return WOLFSSL_SUCCESS;
+}
+#endif /* !NO_RSA */
+
+#if !defined (NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)
+/* with set1 functions the pkey struct does not own the DSA structure
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_PKEY_set1_DSA(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_DSA *key)
+{
+    int derMax = 0;
+    int derSz  = 0;
+    DsaKey* dsa  = NULL;
+    byte* derBuf = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_set1_DSA");
+
+    if((pkey == NULL) || (key == NULL))return WOLFSSL_FAILURE;
+    if (pkey->dsa != NULL && pkey->ownDsa == 1) {
+        wolfSSL_DSA_free(pkey->dsa);
+    }
+    pkey->dsa    = key;
+    pkey->ownDsa = 0; /* pkey does not own DSA */
+    pkey->type   = EVP_PKEY_DSA;
+    if (key->inSet == 0) {
+        if (SetDsaInternal(key) != WOLFSSL_SUCCESS) {
+            WOLFSSL_MSG("SetDsaInternal failed");
+            return WOLFSSL_FAILURE;
+        }
+    }
+    dsa = (DsaKey*)key->internal;
+
+    /* 4 > size of pub, priv, p, q, g + ASN.1 additional information */
+    derMax = 4 * wolfSSL_BN_num_bytes(key->g) + AES_BLOCK_SIZE;
+
+    derBuf = (byte*)XMALLOC(derMax, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (derBuf == NULL) {
+        WOLFSSL_MSG("malloc failed");
+        return WOLFSSL_FAILURE;
+    }
+
+    if (dsa->type == DSA_PRIVATE) {
+        /* Private key to DER */
+        derSz = wc_DsaKeyToDer(dsa, derBuf, derMax);
+    }
+    else {
+        /* Public key to DER */
+        derSz = wc_DsaKeyToPublicDer(dsa, derBuf, derMax);
+    }
+
+    if (derSz < 0) {
+        if (dsa->type == DSA_PRIVATE) {
+            WOLFSSL_MSG("wc_DsaKeyToDer failed");
+        }
+        else {
+            WOLFSSL_MSG("wc_DsaKeyToPublicDer failed");
+        }
+        XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+
+    pkey->pkey.ptr = (char*)XMALLOC(derSz, pkey->heap, DYNAMIC_TYPE_DER);
+    if (pkey->pkey.ptr == NULL) {
+        WOLFSSL_MSG("key malloc failed");
+        XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+    pkey->pkey_sz = derSz;
+    XMEMCPY(pkey->pkey.ptr, derBuf, derSz);
+    XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return WOLFSSL_SUCCESS;
+}
+
+WOLFSSL_DSA* wolfSSL_EVP_PKEY_get1_DSA(WOLFSSL_EVP_PKEY* key)
+{
+    WOLFSSL_DSA* local;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_get1_DSA");
+
+    if (key == NULL) {
+        WOLFSSL_MSG("Bad function argument");
+        return NULL;
+    }
+
+    local = wolfSSL_DSA_new();
+    if (local == NULL) {
+        WOLFSSL_MSG("Error creating a new WOLFSSL_DSA structure");
+        return NULL;
+    }
+
+    if (key->type == EVP_PKEY_DSA) {
+        if (wolfSSL_DSA_LoadDer(local, (const unsigned char*)key->pkey.ptr,
+                    key->pkey_sz) != SSL_SUCCESS) {
+            /* now try public key */
+            if (wolfSSL_DSA_LoadDer_ex(local,
+                        (const unsigned char*)key->pkey.ptr, key->pkey_sz,
+                        WOLFSSL_DSA_LOAD_PUBLIC) != SSL_SUCCESS) {
+                wolfSSL_DSA_free(local);
+                local = NULL;
+            }
+        }
+    }
+    else {
+        WOLFSSL_MSG("WOLFSSL_EVP_PKEY does not hold a DSA key");
+        wolfSSL_DSA_free(local);
+        local = NULL;
+    }
+    return local;
+}
+#endif /* !NO_DSA && !HAVE_SELFTEST && WOLFSSL_KEY_GEN */
+
+#ifdef HAVE_ECC
+WOLFSSL_EC_KEY *wolfSSL_EVP_PKEY_get0_EC_KEY(WOLFSSL_EVP_PKEY *pkey)
+{
+    WOLFSSL_EC_KEY *eckey = NULL;
+    if (pkey) {
+#ifdef HAVE_ECC
+        eckey = pkey->ecc;
+#endif
+    }
+    return eckey;
+}
+
+WOLFSSL_EC_KEY* wolfSSL_EVP_PKEY_get1_EC_KEY(WOLFSSL_EVP_PKEY* key)
+{
+    WOLFSSL_EC_KEY* local;
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_get1_EC_KEY");
+
+    if (key == NULL) {
+        return NULL;
+    }
+
+    local = wolfSSL_EC_KEY_new();
+    if (local == NULL) {
+        WOLFSSL_MSG("Error creating a new WOLFSSL_EC_KEY structure");
+        return NULL;
+    }
+
+    if (key->type == EVP_PKEY_EC) {
+        if (wolfSSL_EC_KEY_LoadDer(local, (const unsigned char*)key->pkey.ptr,
+                    key->pkey_sz) != SSL_SUCCESS) {
+            /* now try public key */
+            if (wolfSSL_EC_KEY_LoadDer_ex(local,
+                    (const unsigned char*)key->pkey.ptr,
+                    key->pkey_sz, WOLFSSL_EC_KEY_LOAD_PUBLIC) != SSL_SUCCESS) {
+
+                wolfSSL_EC_KEY_free(local);
+                local = NULL;
+            }
+        }
+    }
+    else {
+        WOLFSSL_MSG("WOLFSSL_EVP_PKEY does not hold an EC key");
+        wolfSSL_EC_KEY_free(local);
+        local = NULL;
+    }
+#ifdef OPENSSL_ALL
+    if (!local && key->ecc) {
+        local = wolfSSL_EC_KEY_dup(key->ecc);
+    }
+#endif
+    return local;
+}
+#endif /* HAVE_ECC */
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+#if !defined(NO_DH) && !defined(NO_FILESYSTEM)
+/* with set1 functions the pkey struct does not own the DH structure
+ * Build the following DH Key format from the passed in WOLFSSL_DH
+ * then store in WOLFSSL_EVP_PKEY in DER format.
+ *
+ * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure
+ */
+int wolfSSL_EVP_PKEY_set1_DH(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_DH *key)
+{
+    byte havePublic = 0, havePrivate = 0;
+    int ret;
+    word32 derSz = 0;
+    byte* derBuf = NULL;
+    DhKey* dhkey = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_set1_DH");
+
+    if (pkey == NULL || key == NULL)
+        return WOLFSSL_FAILURE;
+
+    if (pkey->dh != NULL && pkey->ownDh == 1)
+        wolfSSL_DH_free(pkey->dh);
+
+    pkey->dh    = key;
+    pkey->ownDh = 0; /* pkey does not own DH */
+    pkey->type  = EVP_PKEY_DH;
+    if (key->inSet == 0) {
+        if (SetDhInternal(key) != WOLFSSL_SUCCESS) {
+            WOLFSSL_MSG("SetDhInternal failed");
+            return WOLFSSL_FAILURE;
+        }
+    }
+
+    dhkey = (DhKey*)key->internal;
+
+    havePublic  = mp_unsigned_bin_size(&dhkey->pub)  > 0;
+    havePrivate = mp_unsigned_bin_size(&dhkey->priv) > 0;
+
+    /* Get size of DER buffer only */
+    if (havePublic && !havePrivate) {
+        ret = wc_DhPubKeyToDer(dhkey, NULL, &derSz);
+    } else if (havePrivate && !havePublic) {
+        ret = wc_DhPrivKeyToDer(dhkey, NULL, &derSz);
+    } else {
+        ret = wc_DhParamsToDer(dhkey,NULL,&derSz);
+    }
+
+    if (derSz <= 0 || ret != LENGTH_ONLY_E) {
+       WOLFSSL_MSG("Failed to get size of DH Key");
+       return WOLFSSL_FAILURE;
+    }
+
+    derBuf = (byte*)XMALLOC(derSz, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (derBuf == NULL) {
+        WOLFSSL_MSG("malloc failed");
+        return WOLFSSL_FAILURE;
+    }
+
+    /* Fill DER buffer */
+    if (havePublic && !havePrivate) {
+        ret = wc_DhPubKeyToDer(dhkey, derBuf, &derSz);
+    } else if (havePrivate && !havePublic) {
+        ret = wc_DhPrivKeyToDer(dhkey, derBuf, &derSz);
+    } else {
+        ret = wc_DhParamsToDer(dhkey,derBuf,&derSz);
+    }
+
+    if (ret <= 0) {
+        WOLFSSL_MSG("Failed to export DH Key");
+        XFREE(derBuf, pkey->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+
+    /* Store DH key into pkey (DER format) */
+    pkey->pkey.ptr = (char*)derBuf;
+    pkey->pkey_sz = derSz;
+
+    return WOLFSSL_SUCCESS;
+}
+
+WOLFSSL_DH* wolfSSL_EVP_PKEY_get0_DH(WOLFSSL_EVP_PKEY* key)
+{
+    if (!key) {
+        return NULL;
+    }
+    return key->dh;
+}
+
+WOLFSSL_DH* wolfSSL_EVP_PKEY_get1_DH(WOLFSSL_EVP_PKEY* key)
+{
+    WOLFSSL_DH* local = NULL;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_get1_DH");
+
+    if (key == NULL || key->dh == NULL) {
+        WOLFSSL_MSG("Bad function argument");
+        return NULL;
+    }
+
+    if (key->type == EVP_PKEY_DH) {
+        local = wolfSSL_DH_new();
+        if (local == NULL) {
+            WOLFSSL_MSG("Error creating a new WOLFSSL_DH structure");
+            return NULL;
+        }
+
+        if (wolfSSL_DH_LoadDer(local, (const unsigned char*)key->pkey.ptr,
+                    key->pkey_sz) != SSL_SUCCESS) {
+            wolfSSL_DH_free(local);
+            WOLFSSL_MSG("Error wolfSSL_DH_LoadDer");
+            local = NULL;
+        }
+    }
+    else {
+        WOLFSSL_MSG("WOLFSSL_EVP_PKEY does not hold a DH key");
+        wolfSSL_DH_free(local);
+        return NULL;
+    }
+
+    return local;
+}
+#endif /* NO_DH && NO_FILESYSTEM */
+
+int wolfSSL_EVP_PKEY_assign(WOLFSSL_EVP_PKEY *pkey, int type, void *key)
+{
+    int ret;
+
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_assign");
+
+    /* pkey and key checked if NULL in subsequent assign functions */
+    switch(type) {
+    #ifndef NO_RSA
+        case EVP_PKEY_RSA:
+            ret = wolfSSL_EVP_PKEY_assign_RSA(pkey, (WOLFSSL_RSA*)key);
+            break;
+    #endif
+    #ifndef NO_DSA
+        case EVP_PKEY_DSA:
+            ret = wolfSSL_EVP_PKEY_assign_DSA(pkey, (WOLFSSL_DSA*)key);
+            break;
+    #endif
+    #ifdef HAVE_ECC
+        case EVP_PKEY_EC:
+            ret = wolfSSL_EVP_PKEY_assign_EC_KEY(pkey, (WOLFSSL_EC_KEY*)key);
+            break;
+    #endif
+    #ifdef NO_DH
+         case EVP_PKEY_DH:
+            ret = wolfSSL_EVP_PKEY_assign_DH(pkey, (WOLFSSL_DH*)key);
+            break;
+    #endif
+        default:
+            WOLFSSL_MSG("Unknown EVP_PKEY type in wolfSSL_EVP_PKEY_assign.");
+            ret = WOLFSSL_FAILURE;
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_QT || OPENSSL_ALL */
+
+#if defined(HAVE_ECC)
+/* try and populate public pkey_sz and pkey.ptr */
+static void ECC_populate_EVP_PKEY(EVP_PKEY* pkey, ecc_key* ecc)
+{
+    int ret;
+    if (!pkey || !ecc)
+        return;
+    if ((ret = wc_EccPublicKeyDerSize(ecc, 1)) > 0) {
+        int derSz = ret;
+        char* derBuf = (char*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (derBuf) {
+            ret = wc_EccPublicKeyToDer(ecc, (byte*)derBuf, derSz, 1);
+            if (ret >= 0) {
+                if (pkey->pkey.ptr) {
+                    XFREE(pkey->pkey.ptr, NULL, DYNAMIC_TYPE_OPENSSL);
+                }
+                pkey->pkey_sz = ret;
+                pkey->pkey.ptr = derBuf;
+            }
+            else { /* failure - okay to ignore */
+                XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                derBuf = NULL;
+            }
+        }
+    }
+}
+
+WOLFSSL_API int wolfSSL_EVP_PKEY_set1_EC_KEY(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_EC_KEY *key)
+{
+#ifdef HAVE_ECC
+    if((pkey == NULL) || (key ==NULL))return WOLFSSL_FAILURE;
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_set1_EC_KEY");
+#ifndef NO_RSA
+    if (pkey->rsa != NULL && pkey->ownRsa == 1) {
+        wolfSSL_RSA_free(pkey->rsa);
+    }
+    pkey->ownRsa = 0;
+#endif
+#ifndef NO_DSA
+    if (pkey->dsa != NULL && pkey->ownDsa == 1) {
+        wolfSSL_DSA_free(pkey->dsa);
+    }
+    pkey->ownDsa = 0;
+#endif
+#ifndef NO_DH
+    if (pkey->dh != NULL && pkey->ownDh == 1) {
+        wolfSSL_DH_free(pkey->dh);
+    }
+    pkey->ownDh = 0;
+#endif
+    if (pkey->ecc != NULL && pkey->ownEcc == 1) {
+        wolfSSL_EC_KEY_free(pkey->ecc);
+    }
+    pkey->ecc    = key;
+    pkey->ownEcc = 0; /* pkey does not own EC key */
+    pkey->type   = EVP_PKEY_EC;
+    ECC_populate_EVP_PKEY(pkey, (ecc_key*)key->internal);
+    return WOLFSSL_SUCCESS;
+#else
+    (void)pkey;
+    (void)key;
+    return WOLFSSL_FAILURE;
+#endif
+}
+
+void* wolfSSL_EVP_X_STATE(const WOLFSSL_EVP_CIPHER_CTX* ctx)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_X_STATE");
+
+    if (ctx) {
+        switch (ctx->cipherType) {
+            case ARC4_TYPE:
+                WOLFSSL_MSG("returning arc4 state");
+                return (void*)&ctx->cipher.arc4.x;
+
+            default:
+                WOLFSSL_MSG("bad x state type");
+                return 0;
+        }
+    }
+
+    return NULL;
+}
+int wolfSSL_EVP_PKEY_assign_EC_KEY(EVP_PKEY* pkey, WOLFSSL_EC_KEY* key)
+{
+    if (pkey == NULL || key == NULL)
+        return WOLFSSL_FAILURE;
+
+    pkey->type = EVP_PKEY_EC;
+    pkey->ecc = key;
+    pkey->ownEcc = 1;
+
+    /* try and populate public pkey_sz and pkey.ptr */
+    ECC_populate_EVP_PKEY(pkey, (ecc_key*)key->internal);
+
+    return WOLFSSL_SUCCESS;
+}
+#endif /* HAVE_ECC */
+
+#ifndef NO_WOLFSSL_STUB
+const WOLFSSL_EVP_MD* wolfSSL_EVP_ripemd160(void)
+{
+    WOLFSSL_MSG("wolfSSL_ripemd160");
+    WOLFSSL_STUB("EVP_ripemd160");
+    return NULL;
+}
+#endif
+
+
+int wolfSSL_EVP_MD_block_size(const WOLFSSL_EVP_MD* type)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_MD_block_size");
+
+    if (type == NULL) {
+        WOLFSSL_MSG("No md type arg");
+        return BAD_FUNC_ARG;
+    }
+
+    if (XSTRNCMP(type, "SHA256", 6) == 0) {
+        return WC_SHA256_BLOCK_SIZE;
+    }
+#ifndef NO_MD5
+    else if (XSTRNCMP(type, "MD5", 3) == 0) {
+        return WC_MD5_BLOCK_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA224
+    else if (XSTRNCMP(type, "SHA224", 6) == 0) {
+        return WC_SHA224_BLOCK_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA384
+    else if (XSTRNCMP(type, "SHA384", 6) == 0) {
+        return WC_SHA384_BLOCK_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA512
+    else if (XSTRNCMP(type, "SHA512", 6) == 0) {
+        return WC_SHA512_BLOCK_SIZE;
+    }
+#endif
+#ifndef NO_SHA
+    /* has to be last since would pick or 256, 384, or 512 too */
+    else if (XSTRNCMP(type, "SHA", 3) == 0) {
+        return WC_SHA_BLOCK_SIZE;
+    }
+#endif
+
+    return BAD_FUNC_ARG;
+}
+
+int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_MD_size");
+
+    if (type == NULL) {
+        WOLFSSL_MSG("No md type arg");
+        return BAD_FUNC_ARG;
+    }
+
+    if (XSTRNCMP(type, "SHA256", 6) == 0) {
+        return WC_SHA256_DIGEST_SIZE;
+    }
+#ifndef NO_MD5
+    else if (XSTRNCMP(type, "MD5", 3) == 0) {
+        return WC_MD5_DIGEST_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA224
+    else if (XSTRNCMP(type, "SHA224", 6) == 0) {
+        return WC_SHA224_DIGEST_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA384
+    else if (XSTRNCMP(type, "SHA384", 6) == 0) {
+        return WC_SHA384_DIGEST_SIZE;
+    }
+#endif
+#ifdef WOLFSSL_SHA512
+    else if (XSTRNCMP(type, "SHA512", 6) == 0) {
+        return WC_SHA512_DIGEST_SIZE;
+    }
+#endif
+#ifndef NO_SHA
+    /* has to be last since would pick or 256, 384, or 512 too */
+    else if (XSTRNCMP(type, "SHA", 3) == 0) {
+        return WC_SHA_DIGEST_SIZE;
+    }
+#endif
+
+    return BAD_FUNC_ARG;
+}
+
+
+int wolfSSL_EVP_CIPHER_CTX_iv_length(const WOLFSSL_EVP_CIPHER_CTX* ctx)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_CIPHER_CTX_iv_length");
+
+    switch (ctx->cipherType) {
+
+#ifdef HAVE_AES_CBC
+        case AES_128_CBC_TYPE :
+        case AES_192_CBC_TYPE :
+        case AES_256_CBC_TYPE :
+            WOLFSSL_MSG("AES CBC");
+            return AES_BLOCK_SIZE;
+#endif
+#ifdef HAVE_AESGCM
+        case AES_128_GCM_TYPE :
+        case AES_192_GCM_TYPE :
+        case AES_256_GCM_TYPE :
+            WOLFSSL_MSG("AES GCM");
+            return GCM_NONCE_MID_SZ;
+#endif
+#ifdef WOLFSSL_AES_COUNTER
+        case AES_128_CTR_TYPE :
+        case AES_192_CTR_TYPE :
+        case AES_256_CTR_TYPE :
+            WOLFSSL_MSG("AES CTR");
+            return AES_BLOCK_SIZE;
+#endif
+#ifndef NO_DES3
+        case DES_CBC_TYPE :
+            WOLFSSL_MSG("DES CBC");
+            return DES_BLOCK_SIZE;
+
+        case DES_EDE3_CBC_TYPE :
+            WOLFSSL_MSG("DES EDE3 CBC");
+            return DES_BLOCK_SIZE;
+#endif
+#ifdef HAVE_IDEA
+        case IDEA_CBC_TYPE :
+            WOLFSSL_MSG("IDEA CBC");
+            return IDEA_BLOCK_SIZE;
+#endif
+#ifndef NO_RC4
+        case ARC4_TYPE :
+            WOLFSSL_MSG("ARC4");
+            return 0;
+#endif
+#ifdef WOLFSSL_AES_CFB
+#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+        case AES_128_CFB1_TYPE:
+        case AES_192_CFB1_TYPE:
+        case AES_256_CFB1_TYPE:
+            WOLFSSL_MSG("AES CFB1");
+            return AES_BLOCK_SIZE;
+        case AES_128_CFB8_TYPE:
+        case AES_192_CFB8_TYPE:
+        case AES_256_CFB8_TYPE:
+            WOLFSSL_MSG("AES CFB8");
+            return AES_BLOCK_SIZE;
+#endif /* !HAVE_SELFTEST && !HAVE_FIPS */
+        case AES_128_CFB128_TYPE:
+        case AES_192_CFB128_TYPE:
+        case AES_256_CFB128_TYPE:
+            WOLFSSL_MSG("AES CFB128");
+            return AES_BLOCK_SIZE;
+#endif /* WOLFSSL_AES_CFB */
+#if defined(WOLFSSL_AES_OFB)
+        case AES_128_OFB_TYPE:
+        case AES_192_OFB_TYPE:
+        case AES_256_OFB_TYPE:
+            WOLFSSL_MSG("AES OFB");
+            return AES_BLOCK_SIZE;
+#endif /* WOLFSSL_AES_OFB */
+#ifdef WOLFSSL_AES_XTS
+        case AES_128_XTS_TYPE:
+        case AES_256_XTS_TYPE:
+            WOLFSSL_MSG("AES XTS");
+            return AES_BLOCK_SIZE;
+#endif /* WOLFSSL_AES_XTS */
+
+        case NULL_CIPHER_TYPE :
+            WOLFSSL_MSG("NULL");
+            return 0;
+
+        default: {
+            WOLFSSL_MSG("bad type");
+        }
+    }
+    return 0;
+}
+
+int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER* cipher)
+{
+    const char *name = (const char *)cipher;
+    WOLFSSL_MSG("wolfSSL_EVP_CIPHER_iv_length");
+
+#ifndef NO_AES
+#ifdef HAVE_AES_CBC
+    #ifdef WOLFSSL_AES_128
+    if (EVP_AES_128_CBC && XSTRNCMP(name, EVP_AES_128_CBC, XSTRLEN(EVP_AES_128_CBC)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    if (EVP_AES_192_CBC && XSTRNCMP(name, EVP_AES_192_CBC, XSTRLEN(EVP_AES_192_CBC)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    if (EVP_AES_256_CBC && XSTRNCMP(name, EVP_AES_256_CBC, XSTRLEN(EVP_AES_256_CBC)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+#endif /* HAVE_AES_CBC */
+#ifdef HAVE_AESGCM
+    #ifdef WOLFSSL_AES_128
+    if (EVP_AES_128_GCM && XSTRNCMP(name, EVP_AES_128_GCM, XSTRLEN(EVP_AES_128_GCM)) == 0)
+        return GCM_NONCE_MID_SZ;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    if (EVP_AES_192_GCM && XSTRNCMP(name, EVP_AES_192_GCM, XSTRLEN(EVP_AES_192_GCM)) == 0)
+        return GCM_NONCE_MID_SZ;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    if (EVP_AES_256_GCM && XSTRNCMP(name, EVP_AES_256_GCM, XSTRLEN(EVP_AES_256_GCM)) == 0)
+        return GCM_NONCE_MID_SZ;
+    #endif
+#endif /* HAVE_AESGCM */
+#ifdef WOLFSSL_AES_COUNTER
+    #ifdef WOLFSSL_AES_128
+    if (EVP_AES_128_CTR && XSTRNCMP(name, EVP_AES_128_CTR, XSTRLEN(EVP_AES_128_CTR)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+    #ifdef WOLFSSL_AES_192
+    if (EVP_AES_192_CTR && XSTRNCMP(name, EVP_AES_192_CTR, XSTRLEN(EVP_AES_192_CTR)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    if (EVP_AES_256_CTR && XSTRNCMP(name, EVP_AES_256_CTR, XSTRLEN(EVP_AES_256_CTR)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif
+#endif
+#ifdef WOLFSSL_AES_XTS
+    #ifdef WOLFSSL_AES_128
+    if (EVP_AES_128_XTS && XSTRNCMP(name, EVP_AES_128_XTS, XSTRLEN(EVP_AES_128_XTS)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif /* WOLFSSL_AES_128 */
+
+    #ifdef WOLFSSL_AES_256
+    if (EVP_AES_256_XTS && XSTRNCMP(name, EVP_AES_256_XTS, XSTRLEN(EVP_AES_256_XTS)) == 0)
+        return AES_BLOCK_SIZE;
+    #endif /* WOLFSSL_AES_256 */
+#endif /* WOLFSSL_AES_XTS */
+
+#endif
+
+#ifndef NO_DES3
+    if ((EVP_DES_CBC && XSTRNCMP(name, EVP_DES_CBC, XSTRLEN(EVP_DES_CBC)) == 0) ||
+           (EVP_DES_EDE3_CBC && XSTRNCMP(name, EVP_DES_EDE3_CBC, XSTRLEN(EVP_DES_EDE3_CBC)) == 0)) {
+        return DES_BLOCK_SIZE;
+    }
+#endif
+
+#ifdef HAVE_IDEA
+    if (EVP_IDEA_CBC && XSTRNCMP(name, EVP_IDEA_CBC, XSTRLEN(EVP_IDEA_CBC)) == 0)
+        return IDEA_BLOCK_SIZE;
+#endif
+
+    (void)name;
+
+    return 0;
+}
+
+
+int wolfSSL_EVP_X_STATE_LEN(const WOLFSSL_EVP_CIPHER_CTX* ctx)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_X_STATE_LEN");
+
+    if (ctx) {
+        switch (ctx->cipherType) {
+            case ARC4_TYPE:
+                WOLFSSL_MSG("returning arc4 state size");
+                return sizeof(Arc4);
+
+            default:
+                WOLFSSL_MSG("bad x state type");
+                return 0;
+        }
+    }
+
+    return 0;
+}
+
+
+/* return of pkey->type which will be EVP_PKEY_RSA for example.
+ *
+ * type  type of EVP_PKEY
+ *
+ * returns type or if type is not found then NID_undef
+ */
+int wolfSSL_EVP_PKEY_type(int type)
+{
+    WOLFSSL_MSG("wolfSSL_EVP_PKEY_type");
+
+    switch (type) {
+        case EVP_PKEY_RSA:
+            return EVP_PKEY_RSA;
+        case EVP_PKEY_DSA:
+            return EVP_PKEY_DSA;
+        case EVP_PKEY_EC:
+            return EVP_PKEY_EC;
+        case EVP_PKEY_DH:
+            return EVP_PKEY_DH;
+        default:
+            return NID_undef;
+    }
+}
+
+
+int wolfSSL_EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+    if (pkey != NULL)
+        return pkey->type;
+    return 0;
+}
+
+
+int wolfSSL_EVP_PKEY_base_id(const EVP_PKEY *pkey)
+{
+    if (pkey == NULL)
+        return NID_undef;
+    return wolfSSL_EVP_PKEY_type(pkey->type);
+}
+
+
+/* increments ref count of WOLFSSL_EVP_PKEY. Return 1 on success, 0 on error */
+int wolfSSL_EVP_PKEY_up_ref(WOLFSSL_EVP_PKEY* pkey)
+{
+    if (pkey) {
+        if (wc_LockMutex(&pkey->refMutex) != 0) {
+            WOLFSSL_MSG("Failed to lock pkey mutex");
+        }
+        pkey->references++;
+        wc_UnLockMutex(&pkey->refMutex);
+
+        return 1;
+    }
+
+    return 0;
+}
+
+#ifndef NO_RSA
+int wolfSSL_EVP_PKEY_assign_RSA(EVP_PKEY* pkey, WOLFSSL_RSA* key)
+{
+    if (pkey == NULL || key == NULL)
+        return WOLFSSL_FAILURE;
+
+    pkey->type = EVP_PKEY_RSA;
+    pkey->rsa = key;
+    pkey->ownRsa = 1;
+
+    /* try and populate public pkey_sz and pkey.ptr */
+    if (key->internal) {
+        RsaKey* rsa = (RsaKey*)key->internal;
+        int ret = wc_RsaPublicKeyDerSize(rsa, 1);
+        if (ret > 0) {
+            int derSz = ret;
+            char* derBuf = (char*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (derBuf) {
+                ret = wc_RsaKeyToPublicDer(rsa, (byte*)derBuf, derSz);
+                if (ret >= 0) {
+                    pkey->pkey_sz = ret;
+                    pkey->pkey.ptr = derBuf;
+                }
+                else { /* failure - okay to ignore */
+                    XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+                    derBuf = NULL;
+                }
+            }
+        }
+    }
+
+    return WOLFSSL_SUCCESS;
+}
+#endif /* !NO_RSA */
+
+#ifndef NO_DSA
+int wolfSSL_EVP_PKEY_assign_DSA(EVP_PKEY* pkey, WOLFSSL_DSA* key)
+{
+    if (pkey == NULL || key == NULL)
+        return WOLFSSL_FAILURE;
+
+    pkey->type = EVP_PKEY_DSA;
+    pkey->dsa = key;
+    pkey->ownDsa = 1;
+
+    return WOLFSSL_SUCCESS;
+}
+#endif /* !NO_DSA */
+
+#ifndef NO_DH
+int wolfSSL_EVP_PKEY_assign_DH(EVP_PKEY* pkey, WOLFSSL_DH* key)
+{
+    if (pkey == NULL || key == NULL)
+        return WOLFSSL_FAILURE;
+
+    pkey->type = EVP_PKEY_DH;
+    pkey->dh = key;
+    pkey->ownDh = 1;
+
+    return WOLFSSL_SUCCESS;
+}
+#endif /* !NO_DH */
+
+#endif /* OPENSSL_EXTRA */
+
+#if defined(OPENSSL_EXTRA_X509_SMALL)
+/* Subset of OPENSSL_EXTRA for PKEY operations PKEY free is needed by the
+ * subset of X509 API */
+
+WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new(void){
+    return wolfSSL_EVP_PKEY_new_ex(NULL);
+}
+
+WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_ex(void* heap)
+{
+    WOLFSSL_EVP_PKEY* pkey;
+    int ret;
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_new_ex");
+    pkey = (WOLFSSL_EVP_PKEY*)XMALLOC(sizeof(WOLFSSL_EVP_PKEY), heap,
+            DYNAMIC_TYPE_PUBLIC_KEY);
+    if (pkey != NULL) {
+        XMEMSET(pkey, 0, sizeof(WOLFSSL_EVP_PKEY));
+        pkey->heap = heap;
+        pkey->type = WOLFSSL_EVP_PKEY_DEFAULT;
+#ifndef HAVE_FIPS
+        ret = wc_InitRng_ex(&pkey->rng, heap, INVALID_DEVID);
+#else
+        ret = wc_InitRng(&pkey->rng);
+#endif
+        if (ret != 0){
+            wolfSSL_EVP_PKEY_free(pkey);
+            WOLFSSL_MSG("memory failure");
+            return NULL;
+        }
+        pkey->references = 1;
+        wc_InitMutex(&pkey->refMutex);
+    }
+    else {
+        WOLFSSL_MSG("memory failure");
+    }
+
+    return pkey;
+}
+
+void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key)
+{
+    int doFree = 0;
+    WOLFSSL_ENTER("wolfSSL_EVP_PKEY_free");
+    if (key != NULL) {
+        if (wc_LockMutex(&key->refMutex) != 0) {
+            WOLFSSL_MSG("Couldn't lock pkey mutex");
+        }
+
+        /* only free if all references to it are done */
+        key->references--;
+        if (key->references == 0) {
+            doFree = 1;
+        }
+        wc_UnLockMutex(&key->refMutex);
+
+        if (doFree) {
+            wc_FreeRng(&key->rng);
+
+            if (key->pkey.ptr != NULL) {
+                XFREE(key->pkey.ptr, key->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                key->pkey.ptr = NULL;
+            }
+            switch(key->type)
+            {
+                #ifndef NO_RSA
+                case EVP_PKEY_RSA:
+                    if (key->rsa != NULL && key->ownRsa == 1) {
+                        wolfSSL_RSA_free(key->rsa);
+                        key->rsa = NULL;
+                    }
+                    break;
+                #endif /* NO_RSA */
+
+                #if defined(HAVE_ECC) && defined(OPENSSL_EXTRA)
+                case EVP_PKEY_EC:
+                    if (key->ecc != NULL && key->ownEcc == 1) {
+                        wolfSSL_EC_KEY_free(key->ecc);
+                        key->ecc = NULL;
+                    }
+                    break;
+                #endif /* HAVE_ECC && OPENSSL_EXTRA */
+
+                #ifndef NO_DSA
+                case EVP_PKEY_DSA:
+                    if (key->dsa != NULL && key->ownDsa == 1) {
+                        wolfSSL_DSA_free(key->dsa);
+                        key->dsa = NULL;
+                    }
+                    break;
+                #endif /* NO_DSA */
+
+                #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL))
+                case EVP_PKEY_DH:
+                    if (key->dh != NULL && key->ownDh == 1) {
+                        wolfSSL_DH_free(key->dh);
+                        key->dh = NULL;
+                    }
+                    break;
+                #endif /* ! NO_DH ... */
+
+                default:
+                break;
+            }
+
+            if (wc_FreeMutex(&key->refMutex) != 0) {
+                WOLFSSL_MSG("Couldn't free pkey mutex");
+            }
+            XFREE(key, key->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+        }
+    }
+}
+
+#endif /* OPENSSL_EXTRA_X509_SMALL */
+
+#endif /* WOLFSSL_EVP_INCLUDED */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_448.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_448.c
new file mode 100644
index 000000000..bc38c112f
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_448.c
@@ -0,0 +1,2458 @@
+/* fe_448.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work.
+ * Small implementation based on Daniel Beer's curve25519 public domain work.
+ * Reworked for curve448 by Sean Parkinson.
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#if defined(HAVE_CURVE448) || defined(HAVE_ED448)
+
+#include <wolfssl/wolfcrypt/fe_448.h>
+#include <stdint.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(CURVE448_SMALL) || defined(ED448_SMALL)
+
+/* Initialize the field element operations.
+ */
+void fe448_init(void)
+{
+}
+
+/* Normalize the field element.
+ * Ensure result is in range: 0..2^448-2^224-2
+ *
+ * a  [in]  Field element in range 0..2^448-1.
+ */
+void fe448_norm(uint8_t* a)
+{
+    int i;
+    int16_t c = 0;
+    int16_t o = 0;
+
+    for (i = 0; i < 56; i++) {
+        c += a[i];
+        if ((i == 0) || (i == 28))
+            c += 1;
+        c >>= 8;
+    }
+
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) o += c;
+        o += a[i];
+        a[i] = (uint8_t)o;
+        o >>= 8;
+    }
+}
+
+/* Copy one field element into another: d = a.
+ *
+ * d  [in]  Destination field element.
+ * a  [in]  Source field element.
+ */
+void fe448_copy(uint8_t* d, const uint8_t* a)
+{
+    int i;
+    for (i = 0; i < 56; i++) {
+         d[i] = a[i];
+    }
+}
+
+/* Conditionally swap the elements.
+ * Constant time implementation.
+ *
+ * a  [in]  First field element.
+ * b  [in]  Second field element.
+ * c  [in]  Swap when 1. Valid values: 0, 1.
+ */
+static void fe448_cswap(uint8_t* a, uint8_t* b, int c)
+{
+    int i;
+    uint8_t mask = -(uint8_t)c;
+    uint8_t t[56];
+
+    for (i = 0; i < 56; i++)
+        t[i] = (a[i] ^ b[i]) & mask;
+    for (i = 0; i < 56; i++)
+        a[i] ^= t[i];
+    for (i = 0; i < 56; i++)
+        b[i] ^= t[i];
+}
+
+/* Add two field elements. r = (a + b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold sum.
+ * a  [in]  Field element to add.
+ * b  [in]  Field element to add.
+ */
+void fe448_add(uint8_t* r, const uint8_t* a, const uint8_t* b)
+{
+    int i;
+    int16_t c = 0;
+    int16_t o = 0;
+
+    for (i = 0; i < 56; i++) {
+        c += a[i];
+        c += b[i];
+        r[i] = (uint8_t)c;
+        c >>= 8;
+    }
+
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) o += c;
+        o += r[i];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+}
+
+/* Subtract a field element from another. r = (a - b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold difference.
+ * a  [in]  Field element to subtract from.
+ * b  [in]  Field element to subtract.
+ */
+void fe448_sub(uint8_t* r, const uint8_t* a, const uint8_t* b)
+{
+    int i;
+    int16_t c = 0;
+    int16_t o = 0;
+
+    for (i = 0; i < 56; i++) {
+        if (i == 28)
+            c += 0x1fc;
+        else
+            c += 0x1fe;
+        c += a[i];
+        c -= b[i];
+        r[i] = (uint8_t)c;
+        c >>= 8;
+    }
+
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) o += c;
+        o += r[i];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+}
+
+/* Mulitply a field element by 39081. r = (39081 * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ */
+void fe448_mul39081(uint8_t* r, const uint8_t* a)
+{
+    int i;
+    int32_t c = 0;
+    int32_t o = 0;
+
+    for (i = 0; i < 56; i++) {
+        c += a[i] * (int32_t)39081;
+        r[i] = (uint8_t)c;
+        c >>= 8;
+    }
+
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) o += c;
+        o += r[i];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+}
+
+/* Mulitply two field elements. r = (a * b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ * b  [in]  Field element to multiply.
+ */
+void fe448_mul(uint8_t* r, const uint8_t* a, const uint8_t* b)
+{
+    int i, k;
+    int32_t c = 0;
+    int16_t o = 0, cc = 0;
+    uint8_t t[112];
+
+    for (k = 0; k < 56; k++) {
+        i = 0;
+        for (; i <= k; i++) {
+            c += (int32_t)a[i] * b[k - i];
+        }
+        t[k] = (uint8_t)c;
+        c >>= 8;
+    }
+    for (; k < 111; k++) {
+        i = k - 55;
+        for (; i < 56; i++) {
+            c += (int32_t)a[i] * b[k - i];
+        }
+        t[k] = (uint8_t)c;
+        c >>= 8;
+    }
+    t[k] = (uint8_t)c;
+
+    for (i = 0; i < 28; i++) {
+        o += t[i];
+        o += t[i + 56];
+        o += t[i + 84];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+    for (i = 28; i < 56; i++) {
+        o += t[i];
+        o += t[i + 56];
+        o += t[i + 28];
+        o += t[i + 56];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) cc += o;
+        cc += r[i];
+        r[i] = (uint8_t)cc;
+        cc >>= 8;
+    }
+}
+
+/* Square a field element. r = (a * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to square.
+ */
+void fe448_sqr(uint8_t* r, const uint8_t* a)
+{
+    int i, k;
+    int32_t c = 0;
+    int32_t p;
+    int16_t o = 0, cc = 0;
+    uint8_t t[112];
+
+    for (k = 0; k < 56; k++) {
+        i = 0;
+        for (; i <= k; i++) {
+            if (k - i < i)
+                break;
+            p = (int32_t)a[i] * a[k - i];
+            if (k - i != i)
+                p *= 2;
+            c += p;
+        }
+        t[k] = (uint8_t)c;
+        c >>= 8;
+    }
+    for (; k < 111; k++) {
+         i = k - 55;
+        for (; i < 56; i++) {
+            if (k - i < i)
+                break;
+            p = (int32_t)a[i] * a[k - i];
+            if (k - i != i)
+                p *= 2;
+            c += p;
+        }
+        t[k] = (uint8_t)c;
+        c >>= 8;
+    }
+    t[k] = (uint8_t)c;
+
+    for (i = 0; i < 28; i++) {
+        o += t[i];
+        o += t[i + 56];
+        o += t[i + 84];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+    for (i = 28; i < 56; i++) {
+        o += t[i];
+        o += t[i + 56];
+        o += t[i + 28];
+        o += t[i + 56];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) cc += o;
+        cc += r[i];
+        r[i] = (uint8_t)cc;
+        cc >>= 8;
+    }
+    fe448_norm(r);
+}
+
+/* Invert the field element. (r * a) mod (2^448 - 2^224 - 1) = 1
+ * Constant time implementation - using Fermat's little theorem:
+ *   a^(p-1) mod p = 1 => a^(p-2) mod p = 1/a
+ * For curve448: p - 2 = 2^448 - 2^224 - 3
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to invert.
+ */
+void fe448_invert(uint8_t* r, const uint8_t* a)
+{
+    int i;
+    uint8_t t[56];
+
+    fe448_sqr(t, a);
+    fe448_mul(t, t, a);
+    for (i = 0; i < 221; i++) {
+        fe448_sqr(t, t);
+        fe448_mul(t, t, a);
+    }
+    fe448_sqr(t, t);
+    for (i = 0; i < 222; i++) {
+        fe448_sqr(t, t);
+        fe448_mul(t, t, a);
+    }
+    fe448_sqr(t, t);
+    fe448_sqr(t, t);
+    fe448_mul(r, t, a);
+}
+
+/* Scalar multiply the point by a number. r = n.a
+ * Uses Montogmery ladder and only requires the x-ordinate.
+ *
+ * r  [in]  Field element to hold result.
+ * n  [in]  Scalar as an array of bytes.
+ * a  [in]  Point to multiply - x-ordinate only.
+ */
+int curve448(byte* r, const byte* n, const byte* a)
+{
+    uint8_t x1[56];
+    uint8_t x2[56] = {1};
+    uint8_t z2[56] = {0};
+    uint8_t x3[56];
+    uint8_t z3[56] = {1};
+    uint8_t t0[56];
+    uint8_t t1[56];
+    int i;
+    unsigned int swap;
+    unsigned int b;
+
+    fe448_copy(x1, a);
+    fe448_copy(x3, a);
+
+    swap = 0;
+    for (i = 447; i >= 0; --i) {
+        b = (n[i >> 3] >> (i & 7)) & 1;
+        swap ^= b;
+        fe448_cswap(x2, x3, swap);
+        fe448_cswap(z2, z3, swap);
+        swap = b;
+
+        /* Montgomery Ladder - double and add */
+        fe448_add(t0, x2, z2);
+        fe448_add(t1, x3, z3);
+        fe448_sub(x2, x2, z2);
+        fe448_sub(x3, x3, z3);
+        fe448_mul(t1, t1, x2);
+        fe448_mul(z3, x3, t0);
+        fe448_sqr(t0, t0);
+        fe448_sqr(x2, x2);
+        fe448_add(x3, z3, t1);
+        fe448_sqr(x3, x3);
+        fe448_sub(z3, z3, t1);
+        fe448_sqr(z3, z3);
+        fe448_mul(z3, z3, x1);
+        fe448_sub(t1, t0, x2);
+        fe448_mul(x2, t0, x2);
+        fe448_mul39081(z2, t1);
+        fe448_add(z2, t0, z2);
+        fe448_mul(z2, z2, t1);
+    }
+    fe448_cswap(x2, x3, swap);
+    fe448_cswap(z2, z3, swap);
+
+    fe448_invert(z2, z2);
+    fe448_mul(r, x2, z2);
+    fe448_norm(r);
+
+    return 0;
+}
+
+#ifdef HAVE_ED448
+/* Check whether field element is not 0.
+ * Field element must have been normalized before call.
+ *
+ * a  [in]  Field element.
+ * returns 0 when zero, and any other value otherwise.
+ */
+int fe448_isnonzero(const uint8_t* a)
+{
+    int i;
+    uint8_t c = 0;
+    for (i = 0; i < 56; i++)
+        c |= a[i];
+    return c;
+}
+
+/* Negates the field element. r = -a mod (2^448 - 2^224 - 1)
+ * Add 0x200 to each element and subtract 2 from next.
+ * Top element overflow handled by subtracting 2 from index 0 and 28.
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element.
+ */
+void fe448_neg(uint8_t* r, const uint8_t* a)
+{
+    int i;
+    int16_t c = 0;
+    int16_t o = 0;
+
+    for (i = 0; i < 56; i++) {
+        if (i == 28)
+            c += 0x1fc;
+        else
+            c += 0x1fe;
+        c -= a[i];
+        r[i] = (uint8_t)c;
+        c >>= 8;
+    }
+
+    for (i = 0; i < 56; i++) {
+        if ((i == 0) || (i == 28)) o += c;
+        o += r[i];
+        r[i] = (uint8_t)o;
+        o >>= 8;
+    }
+}
+
+/* Raise field element to (p-3) / 4: 2^446 - 2^222 - 1
+ * Used for calcualting y-ordinate from x-ordinate for Ed448.
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to exponentiate.
+ */
+void fe448_pow_2_446_222_1(uint8_t* r, const uint8_t* a)
+{
+    int i;
+    uint8_t t[56];
+
+    fe448_sqr(t, a);
+    fe448_mul(t, t, a);
+    for (i = 0; i < 221; i++) {
+        fe448_sqr(t, t);
+        fe448_mul(t, t, a);
+    }
+    fe448_sqr(t, t);
+    for (i = 0; i < 221; i++) {
+        fe448_sqr(t, t);
+        fe448_mul(t, t, a);
+    }
+    fe448_sqr(t, t);
+    fe448_mul(r, t, a);
+}
+
+/* Constant time, conditional move of b into a.
+ * a is not changed if the condition is 0.
+ *
+ * a  A field element.
+ * b  A field element.
+ * c  If 1 then copy and if 0 then don't copy.
+ */
+void fe448_cmov(uint8_t* a, const uint8_t* b, int c)
+{
+    int i;
+    uint8_t m = -(uint8_t)c;
+    uint8_t t[56];
+
+    for (i = 0; i < 56; i++)
+        t[i] = m & (a[i] ^ b[i]);
+    for (i = 0; i < 56; i++)
+        a[i] ^= t[i];
+}
+
+#endif /* HAVE_ED448 */
+#elif defined(CURVED448_128BIT)
+
+/* Initialize the field element operations.
+ */
+void fe448_init(void)
+{
+}
+
+/* Convert the field element from a byte array to an array of 56-bits.
+ *
+ * r  [in]  Array to encode into.
+ * b  [in]  Byte array.
+ */
+void fe448_from_bytes(int64_t* r, const unsigned char* b)
+{
+    r[ 0] =  ((int64_t) (b[ 0]) <<  0)
+          |  ((int64_t) (b[ 1]) <<  8)
+          |  ((int64_t) (b[ 2]) << 16)
+          |  ((int64_t) (b[ 3]) << 24)
+          |  ((int64_t) (b[ 4]) << 32)
+          |  ((int64_t) (b[ 5]) << 40)
+          |  ((int64_t) (b[ 6]) << 48);
+    r[ 1] =  ((int64_t) (b[ 7]) <<  0)
+          |  ((int64_t) (b[ 8]) <<  8)
+          |  ((int64_t) (b[ 9]) << 16)
+          |  ((int64_t) (b[10]) << 24)
+          |  ((int64_t) (b[11]) << 32)
+          |  ((int64_t) (b[12]) << 40)
+          |  ((int64_t) (b[13]) << 48);
+    r[ 2] =  ((int64_t) (b[14]) <<  0)
+          |  ((int64_t) (b[15]) <<  8)
+          |  ((int64_t) (b[16]) << 16)
+          |  ((int64_t) (b[17]) << 24)
+          |  ((int64_t) (b[18]) << 32)
+          |  ((int64_t) (b[19]) << 40)
+          |  ((int64_t) (b[20]) << 48);
+    r[ 3] =  ((int64_t) (b[21]) <<  0)
+          |  ((int64_t) (b[22]) <<  8)
+          |  ((int64_t) (b[23]) << 16)
+          |  ((int64_t) (b[24]) << 24)
+          |  ((int64_t) (b[25]) << 32)
+          |  ((int64_t) (b[26]) << 40)
+          |  ((int64_t) (b[27]) << 48);
+    r[ 4] =  ((int64_t) (b[28]) <<  0)
+          |  ((int64_t) (b[29]) <<  8)
+          |  ((int64_t) (b[30]) << 16)
+          |  ((int64_t) (b[31]) << 24)
+          |  ((int64_t) (b[32]) << 32)
+          |  ((int64_t) (b[33]) << 40)
+          |  ((int64_t) (b[34]) << 48);
+    r[ 5] =  ((int64_t) (b[35]) <<  0)
+          |  ((int64_t) (b[36]) <<  8)
+          |  ((int64_t) (b[37]) << 16)
+          |  ((int64_t) (b[38]) << 24)
+          |  ((int64_t) (b[39]) << 32)
+          |  ((int64_t) (b[40]) << 40)
+          |  ((int64_t) (b[41]) << 48);
+    r[ 6] =  ((int64_t) (b[42]) <<  0)
+          |  ((int64_t) (b[43]) <<  8)
+          |  ((int64_t) (b[44]) << 16)
+          |  ((int64_t) (b[45]) << 24)
+          |  ((int64_t) (b[46]) << 32)
+          |  ((int64_t) (b[47]) << 40)
+          |  ((int64_t) (b[48]) << 48);
+    r[ 7] =  ((int64_t) (b[49]) <<  0)
+          |  ((int64_t) (b[50]) <<  8)
+          |  ((int64_t) (b[51]) << 16)
+          |  ((int64_t) (b[52]) << 24)
+          |  ((int64_t) (b[53]) << 32)
+          |  ((int64_t) (b[54]) << 40)
+          |  ((int64_t) (b[55]) << 48);
+}
+
+/* Convert the field element to a byte array from an array of 56-bits.
+ *
+ * b  [in]  Byte array.
+ * a  [in]  Array to encode into.
+ */
+void fe448_to_bytes(unsigned char* b, const int64_t* a)
+{
+    int128_t t;
+    /* Mod */
+    int64_t in0 = a[0];
+    int64_t in1 = a[1];
+    int64_t in2 = a[2];
+    int64_t in3 = a[3];
+    int64_t in4 = a[4];
+    int64_t in5 = a[5];
+    int64_t in6 = a[6];
+    int64_t in7 = a[7];
+    int64_t o = in7 >> 56;
+    in7 -= o << 56;
+    in0 += o;
+    in4 += o;
+    o = (in0 + 1) >> 56;
+    o = (o + in1) >> 56;
+    o = (o + in2) >> 56;
+    o = (o + in3) >> 56;
+    o = (o + in4 + 1) >> 56;
+    o = (o + in5) >> 56;
+    o = (o + in6) >> 56;
+    o = (o + in7) >> 56;
+    in0 += o;
+    in4 += o;
+    in7 -= o << 56;
+    o = in0  >> 56; in1  += o; t = o << 56; in0  -= t;
+    o = in1  >> 56; in2  += o; t = o << 56; in1  -= t;
+    o = in2  >> 56; in3  += o; t = o << 56; in2  -= t;
+    o = in3  >> 56; in4  += o; t = o << 56; in3  -= t;
+    o = in4  >> 56; in5  += o; t = o << 56; in4  -= t;
+    o = in5  >> 56; in6  += o; t = o << 56; in5  -= t;
+    o = in6  >> 56; in7  += o; t = o << 56; in6  -= t;
+    o = in7  >> 56; in0  += o;
+                    in4  += o; t = o << 56; in7  -= t;
+
+    /* Output as bytes */
+    b[ 0] = (in0  >>  0);
+    b[ 1] = (in0  >>  8);
+    b[ 2] = (in0  >> 16);
+    b[ 3] = (in0  >> 24);
+    b[ 4] = (in0  >> 32);
+    b[ 5] = (in0  >> 40);
+    b[ 6] = (in0  >> 48);
+    b[ 7] = (in1  >>  0);
+    b[ 8] = (in1  >>  8);
+    b[ 9] = (in1  >> 16);
+    b[10] = (in1  >> 24);
+    b[11] = (in1  >> 32);
+    b[12] = (in1  >> 40);
+    b[13] = (in1  >> 48);
+    b[14] = (in2  >>  0);
+    b[15] = (in2  >>  8);
+    b[16] = (in2  >> 16);
+    b[17] = (in2  >> 24);
+    b[18] = (in2  >> 32);
+    b[19] = (in2  >> 40);
+    b[20] = (in2  >> 48);
+    b[21] = (in3  >>  0);
+    b[22] = (in3  >>  8);
+    b[23] = (in3  >> 16);
+    b[24] = (in3  >> 24);
+    b[25] = (in3  >> 32);
+    b[26] = (in3  >> 40);
+    b[27] = (in3  >> 48);
+    b[28] = (in4  >>  0);
+    b[29] = (in4  >>  8);
+    b[30] = (in4  >> 16);
+    b[31] = (in4  >> 24);
+    b[32] = (in4  >> 32);
+    b[33] = (in4  >> 40);
+    b[34] = (in4  >> 48);
+    b[35] = (in5  >>  0);
+    b[36] = (in5  >>  8);
+    b[37] = (in5  >> 16);
+    b[38] = (in5  >> 24);
+    b[39] = (in5  >> 32);
+    b[40] = (in5  >> 40);
+    b[41] = (in5  >> 48);
+    b[42] = (in6  >>  0);
+    b[43] = (in6  >>  8);
+    b[44] = (in6  >> 16);
+    b[45] = (in6  >> 24);
+    b[46] = (in6  >> 32);
+    b[47] = (in6  >> 40);
+    b[48] = (in6  >> 48);
+    b[49] = (in7  >>  0);
+    b[50] = (in7  >>  8);
+    b[51] = (in7  >> 16);
+    b[52] = (in7  >> 24);
+    b[53] = (in7  >> 32);
+    b[54] = (in7  >> 40);
+    b[55] = (in7  >> 48);
+}
+
+/* Set the field element to 0.
+ *
+ * a  [in]  Field element.
+ */
+void fe448_1(int64_t* a)
+{
+    a[0] = 1;
+    a[1] = 0;
+    a[2] = 0;
+    a[3] = 0;
+    a[4] = 0;
+    a[5] = 0;
+    a[6] = 0;
+    a[7] = 0;
+}
+
+/* Set the field element to 0.
+ *
+ * a  [in]  Field element.
+ */
+void fe448_0(int64_t* a)
+{
+    a[0] = 0;
+    a[1] = 0;
+    a[2] = 0;
+    a[3] = 0;
+    a[4] = 0;
+    a[5] = 0;
+    a[6] = 0;
+    a[7] = 0;
+}
+
+/* Copy one field element into another: d = a.
+ *
+ * d  [in]  Destination field element.
+ * a  [in]  Source field element.
+ */
+void fe448_copy(int64_t* d, const int64_t* a)
+{
+    d[0] = a[0];
+    d[1] = a[1];
+    d[2] = a[2];
+    d[3] = a[3];
+    d[4] = a[4];
+    d[5] = a[5];
+    d[6] = a[6];
+    d[7] = a[7];
+}
+
+/* Conditionally swap the elements.
+ * Constant time implementation.
+ *
+ * a  [in]  First field element.
+ * b  [in]  Second field element.
+ * c  [in]  Swap when 1. Valid values: 0, 1.
+ */
+static void fe448_cswap(int64_t* a, int64_t* b, int c)
+{
+    int64_t mask = -(int64_t)c;
+    int64_t t0 = (a[0] ^ b[0]) & mask;
+    int64_t t1 = (a[1] ^ b[1]) & mask;
+    int64_t t2 = (a[2] ^ b[2]) & mask;
+    int64_t t3 = (a[3] ^ b[3]) & mask;
+    int64_t t4 = (a[4] ^ b[4]) & mask;
+    int64_t t5 = (a[5] ^ b[5]) & mask;
+    int64_t t6 = (a[6] ^ b[6]) & mask;
+    int64_t t7 = (a[7] ^ b[7]) & mask;
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+    a[5] ^= t5;
+    a[6] ^= t6;
+    a[7] ^= t7;
+    b[0] ^= t0;
+    b[1] ^= t1;
+    b[2] ^= t2;
+    b[3] ^= t3;
+    b[4] ^= t4;
+    b[5] ^= t5;
+    b[6] ^= t6;
+    b[7] ^= t7;
+}
+
+/* Add two field elements. r = (a + b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold sum.
+ * a  [in]  Field element to add.
+ * b  [in]  Field element to add.
+ */
+void fe448_add(int64_t* r, const int64_t* a, const int64_t* b)
+{
+    r[0] = a[0] + b[0];
+    r[1] = a[1] + b[1];
+    r[2] = a[2] + b[2];
+    r[3] = a[3] + b[3];
+    r[4] = a[4] + b[4];
+    r[5] = a[5] + b[5];
+    r[6] = a[6] + b[6];
+    r[7] = a[7] + b[7];
+}
+
+/* Subtract a field element from another. r = (a - b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold difference.
+ * a  [in]  Field element to subtract from.
+ * b  [in]  Field element to subtract.
+ */
+void fe448_sub(int64_t* r, const int64_t* a, const int64_t* b)
+{
+    r[0] = a[0] - b[0];
+    r[1] = a[1] - b[1];
+    r[2] = a[2] - b[2];
+    r[3] = a[3] - b[3];
+    r[4] = a[4] - b[4];
+    r[5] = a[5] - b[5];
+    r[6] = a[6] - b[6];
+    r[7] = a[7] - b[7];
+}
+
+/* Mulitply a field element by 39081. r = (39081 * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ */
+void fe448_mul39081(int64_t* r, const int64_t* a)
+{
+    int128_t t;
+    int64_t o;
+    int128_t t0 = a[0] * (int128_t)39081;
+    int128_t t1 = a[1] * (int128_t)39081;
+    int128_t t2 = a[2] * (int128_t)39081;
+    int128_t t3 = a[3] * (int128_t)39081;
+    int128_t t4 = a[4] * (int128_t)39081;
+    int128_t t5 = a[5] * (int128_t)39081;
+    int128_t t6 = a[6] * (int128_t)39081;
+    int128_t t7 = a[7] * (int128_t)39081;
+    o = t0  >> 56; t1  += o; t = (int128_t)o << 56; t0  -= t;
+    o = t1  >> 56; t2  += o; t = (int128_t)o << 56; t1  -= t;
+    o = t2  >> 56; t3  += o; t = (int128_t)o << 56; t2  -= t;
+    o = t3  >> 56; t4  += o; t = (int128_t)o << 56; t3  -= t;
+    o = t4  >> 56; t5  += o; t = (int128_t)o << 56; t4  -= t;
+    o = t5  >> 56; t6  += o; t = (int128_t)o << 56; t5  -= t;
+    o = t6  >> 56; t7  += o; t = (int128_t)o << 56; t6  -= t;
+    o = t7  >> 56; t0  += o;
+                   t4  += o; t = (int128_t)o << 56; t7  -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+}
+
+/* Mulitply two field elements. r = (a * b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ * b  [in]  Field element to multiply.
+ */
+void fe448_mul(int64_t* r, const int64_t* a, const int64_t* b)
+{
+    int128_t t;
+    int64_t o;
+    int128_t t0   = (int128_t)a[ 0] * b[ 0];
+    int128_t t1   = (int128_t)a[ 0] * b[ 1];
+    int128_t t101 = (int128_t)a[ 1] * b[ 0];
+    int128_t t2   = (int128_t)a[ 0] * b[ 2];
+    int128_t t102 = (int128_t)a[ 1] * b[ 1];
+    int128_t t202 = (int128_t)a[ 2] * b[ 0];
+    int128_t t3   = (int128_t)a[ 0] * b[ 3];
+    int128_t t103 = (int128_t)a[ 1] * b[ 2];
+    int128_t t203 = (int128_t)a[ 2] * b[ 1];
+    int128_t t303 = (int128_t)a[ 3] * b[ 0];
+    int128_t t4   = (int128_t)a[ 0] * b[ 4];
+    int128_t t104 = (int128_t)a[ 1] * b[ 3];
+    int128_t t204 = (int128_t)a[ 2] * b[ 2];
+    int128_t t304 = (int128_t)a[ 3] * b[ 1];
+    int128_t t404 = (int128_t)a[ 4] * b[ 0];
+    int128_t t5   = (int128_t)a[ 0] * b[ 5];
+    int128_t t105 = (int128_t)a[ 1] * b[ 4];
+    int128_t t205 = (int128_t)a[ 2] * b[ 3];
+    int128_t t305 = (int128_t)a[ 3] * b[ 2];
+    int128_t t405 = (int128_t)a[ 4] * b[ 1];
+    int128_t t505 = (int128_t)a[ 5] * b[ 0];
+    int128_t t6   = (int128_t)a[ 0] * b[ 6];
+    int128_t t106 = (int128_t)a[ 1] * b[ 5];
+    int128_t t206 = (int128_t)a[ 2] * b[ 4];
+    int128_t t306 = (int128_t)a[ 3] * b[ 3];
+    int128_t t406 = (int128_t)a[ 4] * b[ 2];
+    int128_t t506 = (int128_t)a[ 5] * b[ 1];
+    int128_t t606 = (int128_t)a[ 6] * b[ 0];
+    int128_t t7   = (int128_t)a[ 0] * b[ 7];
+    int128_t t107 = (int128_t)a[ 1] * b[ 6];
+    int128_t t207 = (int128_t)a[ 2] * b[ 5];
+    int128_t t307 = (int128_t)a[ 3] * b[ 4];
+    int128_t t407 = (int128_t)a[ 4] * b[ 3];
+    int128_t t507 = (int128_t)a[ 5] * b[ 2];
+    int128_t t607 = (int128_t)a[ 6] * b[ 1];
+    int128_t t707 = (int128_t)a[ 7] * b[ 0];
+    int128_t t8   = (int128_t)a[ 1] * b[ 7];
+    int128_t t108 = (int128_t)a[ 2] * b[ 6];
+    int128_t t208 = (int128_t)a[ 3] * b[ 5];
+    int128_t t308 = (int128_t)a[ 4] * b[ 4];
+    int128_t t408 = (int128_t)a[ 5] * b[ 3];
+    int128_t t508 = (int128_t)a[ 6] * b[ 2];
+    int128_t t608 = (int128_t)a[ 7] * b[ 1];
+    int128_t t9   = (int128_t)a[ 2] * b[ 7];
+    int128_t t109 = (int128_t)a[ 3] * b[ 6];
+    int128_t t209 = (int128_t)a[ 4] * b[ 5];
+    int128_t t309 = (int128_t)a[ 5] * b[ 4];
+    int128_t t409 = (int128_t)a[ 6] * b[ 3];
+    int128_t t509 = (int128_t)a[ 7] * b[ 2];
+    int128_t t10  = (int128_t)a[ 3] * b[ 7];
+    int128_t t110 = (int128_t)a[ 4] * b[ 6];
+    int128_t t210 = (int128_t)a[ 5] * b[ 5];
+    int128_t t310 = (int128_t)a[ 6] * b[ 4];
+    int128_t t410 = (int128_t)a[ 7] * b[ 3];
+    int128_t t11  = (int128_t)a[ 4] * b[ 7];
+    int128_t t111 = (int128_t)a[ 5] * b[ 6];
+    int128_t t211 = (int128_t)a[ 6] * b[ 5];
+    int128_t t311 = (int128_t)a[ 7] * b[ 4];
+    int128_t t12  = (int128_t)a[ 5] * b[ 7];
+    int128_t t112 = (int128_t)a[ 6] * b[ 6];
+    int128_t t212 = (int128_t)a[ 7] * b[ 5];
+    int128_t t13  = (int128_t)a[ 6] * b[ 7];
+    int128_t t113 = (int128_t)a[ 7] * b[ 6];
+    int128_t t14  = (int128_t)a[ 7] * b[ 7];
+    t1  += t101;
+    t2  += t102; t2  += t202;
+    t3  += t103; t3  += t203; t3  += t303;
+    t4  += t104; t4  += t204; t4  += t304; t4  += t404;
+    t5  += t105; t5  += t205; t5  += t305; t5  += t405; t5  += t505;
+    t6  += t106; t6  += t206; t6  += t306; t6  += t406; t6  += t506;
+    t6  += t606;
+    t7  += t107; t7  += t207; t7  += t307; t7  += t407; t7  += t507;
+    t7  += t607;
+    t7  += t707;
+    t8  += t108; t8  += t208; t8  += t308; t8  += t408; t8  += t508;
+    t8  += t608;
+    t9  += t109; t9  += t209; t9  += t309; t9  += t409; t9  += t509;
+    t10 += t110; t10 += t210; t10 += t310; t10 += t410;
+    t11 += t111; t11 += t211; t11 += t311;
+    t12 += t112; t12 += t212;
+    t13 += t113;
+
+    /* Reduce */
+    t0  += t8  + t12;
+    t1  += t9  + t13;
+    t2  += t10 + t14;
+    t3  += t11;
+    t4  += t12 + t8  + t12;
+    t5  += t13 + t9  + t13;
+    t6  += t14 + t10 + t14;
+    t7  +=       t11;
+    o = t7  >> 56; t0  += o;
+                   t4  += o; t = (int128_t)o << 56; t7  -= t;
+    o = t0  >> 56; t1  += o; t = (int128_t)o << 56; t0  -= t;
+    o = t1  >> 56; t2  += o; t = (int128_t)o << 56; t1  -= t;
+    o = t2  >> 56; t3  += o; t = (int128_t)o << 56; t2  -= t;
+    o = t3  >> 56; t4  += o; t = (int128_t)o << 56; t3  -= t;
+    o = t4  >> 56; t5  += o; t = (int128_t)o << 56; t4  -= t;
+    o = t5  >> 56; t6  += o; t = (int128_t)o << 56; t5  -= t;
+    o = t6  >> 56; t7  += o; t = (int128_t)o << 56; t6  -= t;
+    o = t7  >> 56; t0  += o;
+                   t4  += o; t = (int128_t)o << 56; t7  -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+}
+
+/* Square a field element. r = (a * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to square.
+ */
+void fe448_sqr(int64_t* r, const int64_t* a)
+{
+    int128_t t;
+    int64_t o;
+    int128_t t0   =     (int128_t)a[ 0] * a[ 0];
+    int128_t t1   = 2 * (int128_t)a[ 0] * a[ 1];
+    int128_t t2   = 2 * (int128_t)a[ 0] * a[ 2];
+    int128_t t102 =     (int128_t)a[ 1] * a[ 1];
+    int128_t t3   = 2 * (int128_t)a[ 0] * a[ 3];
+    int128_t t103 = 2 * (int128_t)a[ 1] * a[ 2];
+    int128_t t4   = 2 * (int128_t)a[ 0] * a[ 4];
+    int128_t t104 = 2 * (int128_t)a[ 1] * a[ 3];
+    int128_t t204 =     (int128_t)a[ 2] * a[ 2];
+    int128_t t5   = 2 * (int128_t)a[ 0] * a[ 5];
+    int128_t t105 = 2 * (int128_t)a[ 1] * a[ 4];
+    int128_t t205 = 2 * (int128_t)a[ 2] * a[ 3];
+    int128_t t6   = 2 * (int128_t)a[ 0] * a[ 6];
+    int128_t t106 = 2 * (int128_t)a[ 1] * a[ 5];
+    int128_t t206 = 2 * (int128_t)a[ 2] * a[ 4];
+    int128_t t306 =     (int128_t)a[ 3] * a[ 3];
+    int128_t t7   = 2 * (int128_t)a[ 0] * a[ 7];
+    int128_t t107 = 2 * (int128_t)a[ 1] * a[ 6];
+    int128_t t207 = 2 * (int128_t)a[ 2] * a[ 5];
+    int128_t t307 = 2 * (int128_t)a[ 3] * a[ 4];
+    int128_t t8   = 2 * (int128_t)a[ 1] * a[ 7];
+    int128_t t108 = 2 * (int128_t)a[ 2] * a[ 6];
+    int128_t t208 = 2 * (int128_t)a[ 3] * a[ 5];
+    int128_t t308 =     (int128_t)a[ 4] * a[ 4];
+    int128_t t9   = 2 * (int128_t)a[ 2] * a[ 7];
+    int128_t t109 = 2 * (int128_t)a[ 3] * a[ 6];
+    int128_t t209 = 2 * (int128_t)a[ 4] * a[ 5];
+    int128_t t10  = 2 * (int128_t)a[ 3] * a[ 7];
+    int128_t t110 = 2 * (int128_t)a[ 4] * a[ 6];
+    int128_t t210 =     (int128_t)a[ 5] * a[ 5];
+    int128_t t11  = 2 * (int128_t)a[ 4] * a[ 7];
+    int128_t t111 = 2 * (int128_t)a[ 5] * a[ 6];
+    int128_t t12  = 2 * (int128_t)a[ 5] * a[ 7];
+    int128_t t112 =     (int128_t)a[ 6] * a[ 6];
+    int128_t t13  = 2 * (int128_t)a[ 6] * a[ 7];
+    int128_t t14  =     (int128_t)a[ 7] * a[ 7];
+    t2  += t102;
+    t3  += t103;
+    t4  += t104; t4  += t204;
+    t5  += t105; t5  += t205;
+    t6  += t106; t6  += t206; t6  += t306;
+    t7  += t107; t7  += t207; t7  += t307;
+    t8  += t108; t8  += t208; t8  += t308;
+    t9  += t109; t9  += t209;
+    t10 += t110; t10 += t210;
+    t11 += t111;
+    t12 += t112;
+
+    /* Reduce */
+    t0  += t8  + t12;
+    t1  += t9  + t13;
+    t2  += t10 + t14;
+    t3  += t11;
+    t4  += t12 + t8  + t12;
+    t5  += t13 + t9  + t13;
+    t6  += t14 + t10 + t14;
+    t7  +=       t11;
+    o = t7  >> 56; t0  += o;
+                   t4  += o; t = (int128_t)o << 56; t7  -= t;
+    o = t0  >> 56; t1  += o; t = (int128_t)o << 56; t0  -= t;
+    o = t1  >> 56; t2  += o; t = (int128_t)o << 56; t1  -= t;
+    o = t2  >> 56; t3  += o; t = (int128_t)o << 56; t2  -= t;
+    o = t3  >> 56; t4  += o; t = (int128_t)o << 56; t3  -= t;
+    o = t4  >> 56; t5  += o; t = (int128_t)o << 56; t4  -= t;
+    o = t5  >> 56; t6  += o; t = (int128_t)o << 56; t5  -= t;
+    o = t6  >> 56; t7  += o; t = (int128_t)o << 56; t6  -= t;
+    o = t7  >> 56; t0  += o;
+                   t4  += o; t = (int128_t)o << 56; t7  -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+}
+
+/* Invert the field element. (r * a) mod (2^448 - 2^224 - 1) = 1
+ * Constant time implementation - using Fermat's little theorem:
+ *   a^(p-1) mod p = 1 => a^(p-2) mod p = 1/a
+ * For curve448: p - 2 = 2^448 - 2^224 - 3
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to invert.
+ */
+void fe448_invert(int64_t* r, const int64_t* a)
+{
+    int64_t t1[8];
+    int64_t t2[8];
+    int64_t t3[8];
+    int64_t t4[8];
+    int i;
+
+    fe448_sqr(t1, a);
+    /* t1 = 2 */
+    fe448_mul(t1, t1, a);
+    /* t1 = 3 */
+    fe448_sqr(t2, t1); for (i = 1; i < 2; ++i) fe448_sqr(t2, t2);
+    /* t2 = c */
+    fe448_mul(t3, t2, a);
+    /* t3 = d */
+    fe448_mul(t1, t2, t1);
+    /* t1 = f */
+    fe448_sqr(t2, t1);
+    /* t2 = 1e */
+    fe448_mul(t4, t2, a);
+    /* t4 = 1f */
+    fe448_sqr(t2, t4); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3e0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 3ff */
+    fe448_sqr(t2, t1); for (i = 1; i < 10; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffc00 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = fffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 1ffffe0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 1ffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 25; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fffffe000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = 3ffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 7fffffffffffe0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 7fffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 55; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fffffffffffff80000000000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = 3fffffffffffffffffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 110; ++i) fe448_sqr(t2, t2);
+    /* t2 = fffffffffffffffffffffffffffc000000000000000000000000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 4; ++i) fe448_sqr(t2, t2);
+    /* t2 = fffffffffffffffffffffffffffffffffffffffffffffffffffffff0 */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffd */
+    fe448_mul(t1, t3, a);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe */
+    fe448_sqr(t1, t1); for (i = 1; i < 224; ++i) fe448_sqr(t1, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000000000000000000000000000000000000000000000000000 */
+    fe448_mul(r, t3, t1);
+    /* r = fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffd */
+}
+
+/* Scalar multiply the point by a number. r = n.a
+ * Uses Montogmery ladder and only requires the x-ordinate.
+ *
+ * r  [in]  Field element to hold result.
+ * n  [in]  Scalar as an array of bytes.
+ * a  [in]  Point to multiply - x-ordinate only.
+ */
+int curve448(byte* r, const byte* n, const byte* a)
+{
+    int64_t x1[8];
+    int64_t x2[8];
+    int64_t z2[8];
+    int64_t x3[8];
+    int64_t z3[8];
+    int64_t t0[8];
+    int64_t t1[8];
+    int i;
+    unsigned int swap;
+    unsigned int b;
+
+    fe448_from_bytes(x1, a);
+    fe448_1(x2);
+    fe448_0(z2);
+    fe448_copy(x3, x1);
+    fe448_1(z3);
+
+    swap = 0;
+    for (i = 447; i >= 0; --i) {
+        b = (n[i >> 3] >> (i & 7)) & 1;
+        swap ^= b;
+        fe448_cswap(x2, x3, swap);
+        fe448_cswap(z2, z3, swap);
+        swap = b;
+
+        /* Montgomery Ladder - double and add */
+        fe448_add(t0, x2, z2);
+        fe448_reduce(t0);
+        fe448_add(t1, x3, z3);
+        fe448_reduce(t1);
+        fe448_sub(x2, x2, z2);
+        fe448_sub(x3, x3, z3);
+        fe448_mul(t1, t1, x2);
+        fe448_mul(z3, x3, t0);
+        fe448_sqr(t0, t0);
+        fe448_sqr(x2, x2);
+        fe448_add(x3, z3, t1);
+        fe448_reduce(x3);
+        fe448_sqr(x3, x3);
+        fe448_sub(z3, z3, t1);
+        fe448_sqr(z3, z3);
+        fe448_mul(z3, z3, x1);
+        fe448_sub(t1, t0, x2);
+        fe448_mul(x2, t0, x2);
+        fe448_mul39081(z2, t1);
+        fe448_add(z2, t0, z2);
+        fe448_mul(z2, z2, t1);
+    }
+    /* Last two bits are 0 - no final swap check required. */
+
+    fe448_invert(z2, z2);
+    fe448_mul(x2, x2, z2);
+    fe448_to_bytes(r, x2);
+
+    return 0;
+}
+
+#ifdef HAVE_ED448
+/* Check whether field element is not 0.
+ * Must convert to a normalized form before checking.
+ *
+ * a  [in]  Field element.
+ * returns 0 when zero, and any other value otherwise.
+ */
+int fe448_isnonzero(const int64_t* a)
+{
+    uint8_t b[56];
+    int i;
+    uint8_t c = 0;
+    fe448_to_bytes(b, a);
+    for (i = 0; i < 56; i++)
+        c |= b[i];
+    return c;
+}
+
+/* Check whether field element is negative.
+ * Must convert to a normalized form before checking.
+ *
+ * a  [in]  Field element.
+ * returns 1 when negative, and 0 otherwise.
+ */
+int fe448_isnegative(const int64_t* a)
+{
+    uint8_t b[56];
+    fe448_to_bytes(b, a);
+    return b[0] & 1;
+}
+
+/* Negates the field element. r = -a
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element.
+ */
+void fe448_neg(int64_t* r, const int64_t* a)
+{
+    r[0] = -a[0];
+    r[1] = -a[1];
+    r[2] = -a[2];
+    r[3] = -a[3];
+    r[4] = -a[4];
+    r[5] = -a[5];
+    r[6] = -a[6];
+    r[7] = -a[7];
+}
+
+/* Raise field element to (p-3) / 4: 2^446 - 2^222 - 1
+ * Used for calcualting y-ordinate from x-ordinate for Ed448.
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to exponentiate.
+ */
+void fe448_pow_2_446_222_1(int64_t* r, const int64_t* a)
+{
+    int64_t t1[8];
+    int64_t t2[8];
+    int64_t t3[8];
+    int64_t t4[8];
+    int64_t t5[8];
+    int i;
+
+    fe448_sqr(t3, a);
+    /* t3 = 2 */
+    fe448_mul(t1, t3, a);
+    /* t1 = 3 */
+    fe448_sqr(t5, t1);
+    /* t5 = 6 */
+    fe448_mul(t5, t5, a);
+    /* t5 = 7 */
+    fe448_sqr(t2, t1); for (i = 1; i < 2; ++i) fe448_sqr(t2, t2);
+    /* t2 = c */
+    fe448_mul(t3, t2, t3);
+    /* t3 = e */
+    fe448_mul(t1, t2, t1);
+    /* t1 = f */
+    fe448_sqr(t2, t1); for (i = 1; i < 3; ++i) fe448_sqr(t2, t2);
+    /* t2 = 78 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 7f */
+    fe448_sqr(t2, t1); for (i = 1; i < 4; ++i) fe448_sqr(t2, t2);
+    /* t2 = f0 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fe */
+    fe448_sqr(t2, t1); for (i = 1; i < 7; ++i) fe448_sqr(t2, t2);
+    /* t2 = 7f80 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 7fff */
+    fe448_sqr(t2, t1); for (i = 1; i < 8; ++i) fe448_sqr(t2, t2);
+    /* t2 = ff00 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ffff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffe */
+    fe448_sqr(t2, t5); for (i = 1; i < 15; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fff8000 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 3fffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 16; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffff0000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ffffffff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffe */
+    fe448_sqr(t2, t1); for (i = 1; i < 32; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffffffff00000000 */
+    fe448_mul(t2, t2, t1);
+    /* t2 = ffffffffffffffff */
+    fe448_sqr(t1, t2); for (i = 1; i < 64; ++i) fe448_sqr(t1, t1);
+    /* t1 = ffffffffffffffff0000000000000000 */
+    fe448_mul(t1, t1, t2);
+    /* t1 = ffffffffffffffffffffffffffffffff */
+    fe448_sqr(t1, t1); for (i = 1; i < 64; ++i) fe448_sqr(t1, t1);
+    /* t1 = ffffffffffffffffffffffffffffffff0000000000000000 */
+    fe448_mul(t4, t1, t2);
+    /* t4 = ffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t2, t4); for (i = 1; i < 32; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffffffffffffffffffffffffffffffffffffffffffffffff00000000 */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe */
+    fe448_sqr(t1, t3); for (i = 1; i < 192; ++i) fe448_sqr(t1, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe000000000000000000000000000000000000000000000000 */
+    fe448_mul(t1, t1, t4);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t1, t1); for (i = 1; i < 30; ++i) fe448_sqr(t1, t1);
+    /* t1 = 3fffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffffffffffffffffffc0000000 */
+    fe448_mul(r, t5, t1);
+    /* r = 3fffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+}
+
+/* Constant time, conditional move of b into a.
+ * a is not changed if the condition is 0.
+ *
+ * a  A field element.
+ * b  A field element.
+ * c  If 1 then copy and if 0 then don't copy.
+ */
+void fe448_cmov(int64_t* a, const int64_t* b, int c)
+{
+    int64_t m = -(int64_t)c;
+    int64_t t0 = m & (a[0] ^ b[0]);
+    int64_t t1 = m & (a[1] ^ b[1]);
+    int64_t t2 = m & (a[2] ^ b[2]);
+    int64_t t3 = m & (a[3] ^ b[3]);
+    int64_t t4 = m & (a[4] ^ b[4]);
+    int64_t t5 = m & (a[5] ^ b[5]);
+    int64_t t6 = m & (a[6] ^ b[6]);
+    int64_t t7 = m & (a[7] ^ b[7]);
+
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+    a[5] ^= t5;
+    a[6] ^= t6;
+    a[7] ^= t7;
+}
+
+#endif /* HAVE_ED448 */
+#else
+
+/* Initialize the field element operations.
+ */
+void fe448_init(void)
+{
+}
+
+/* Convert the field element from a byte array to an array of 28-bits.
+ *
+ * r  [in]  Array to encode into.
+ * b  [in]  Byte array.
+ */
+void fe448_from_bytes(int32_t* r, const unsigned char* b)
+{
+    r[ 0] =  (((int32_t)((b[ 0]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[ 1]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[ 2]        ) >>  0)) << 16)
+          | ((((int32_t)((b[ 3] & 0xf )) >>  0)) << 24);
+    r[ 1] =  (((int32_t)((b[ 3]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[ 4]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[ 5]        ) >>  0)) << 12)
+          |  (((int32_t)((b[ 6]        ) >>  0)) << 20);
+    r[ 2] =  (((int32_t)((b[ 7]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[ 8]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[ 9]        ) >>  0)) << 16)
+          | ((((int32_t)((b[10] & 0xf )) >>  0)) << 24);
+    r[ 3] =  (((int32_t)((b[10]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[11]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[12]        ) >>  0)) << 12)
+          |  (((int32_t)((b[13]        ) >>  0)) << 20);
+    r[ 4] =  (((int32_t)((b[14]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[15]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[16]        ) >>  0)) << 16)
+          | ((((int32_t)((b[17] & 0xf )) >>  0)) << 24);
+    r[ 5] =  (((int32_t)((b[17]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[18]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[19]        ) >>  0)) << 12)
+          |  (((int32_t)((b[20]        ) >>  0)) << 20);
+    r[ 6] =  (((int32_t)((b[21]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[22]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[23]        ) >>  0)) << 16)
+          | ((((int32_t)((b[24] & 0xf )) >>  0)) << 24);
+    r[ 7] =  (((int32_t)((b[24]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[25]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[26]        ) >>  0)) << 12)
+          |  (((int32_t)((b[27]        ) >>  0)) << 20);
+    r[ 8] =  (((int32_t)((b[28]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[29]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[30]        ) >>  0)) << 16)
+          | ((((int32_t)((b[31] & 0xf )) >>  0)) << 24);
+    r[ 9] =  (((int32_t)((b[31]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[32]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[33]        ) >>  0)) << 12)
+          |  (((int32_t)((b[34]        ) >>  0)) << 20);
+    r[10] =  (((int32_t)((b[35]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[36]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[37]        ) >>  0)) << 16)
+          | ((((int32_t)((b[38] & 0xf )) >>  0)) << 24);
+    r[11] =  (((int32_t)((b[38]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[39]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[40]        ) >>  0)) << 12)
+          |  (((int32_t)((b[41]        ) >>  0)) << 20);
+    r[12] =  (((int32_t)((b[42]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[43]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[44]        ) >>  0)) << 16)
+          | ((((int32_t)((b[45] & 0xf )) >>  0)) << 24);
+    r[13] =  (((int32_t)((b[45]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[46]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[47]        ) >>  0)) << 12)
+          |  (((int32_t)((b[48]        ) >>  0)) << 20);
+    r[14] =  (((int32_t)((b[49]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[50]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[51]        ) >>  0)) << 16)
+          | ((((int32_t)((b[52] & 0xf )) >>  0)) << 24);
+    r[15] =  (((int32_t)((b[52]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[53]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[54]        ) >>  0)) << 12)
+          |  (((int32_t)((b[55]        ) >>  0)) << 20);
+}
+
+/* Convert the field element to a byte array from an array of 28-bits.
+ *
+ * b  [in]  Byte array.
+ * a  [in]  Array to encode into.
+ */
+void fe448_to_bytes(unsigned char* b, const int32_t* a)
+{
+    int64_t t;
+    /* Mod */
+    int32_t in0 = a[0];
+    int32_t in1 = a[1];
+    int32_t in2 = a[2];
+    int32_t in3 = a[3];
+    int32_t in4 = a[4];
+    int32_t in5 = a[5];
+    int32_t in6 = a[6];
+    int32_t in7 = a[7];
+    int32_t in8 = a[8];
+    int32_t in9 = a[9];
+    int32_t in10 = a[10];
+    int32_t in11 = a[11];
+    int32_t in12 = a[12];
+    int32_t in13 = a[13];
+    int32_t in14 = a[14];
+    int32_t in15 = a[15];
+    int32_t o = in15 >> 28;
+    in15 -= o << 28;
+    in0 += o;
+    in8 += o;
+    o = (in0 + 1) >> 28;
+    o = (o + in1) >> 28;
+    o = (o + in2) >> 28;
+    o = (o + in3) >> 28;
+    o = (o + in4) >> 28;
+    o = (o + in5) >> 28;
+    o = (o + in6) >> 28;
+    o = (o + in7) >> 28;
+    o = (o + in8 + 1) >> 28;
+    o = (o + in9) >> 28;
+    o = (o + in10) >> 28;
+    o = (o + in11) >> 28;
+    o = (o + in12) >> 28;
+    o = (o + in13) >> 28;
+    o = (o + in14) >> 28;
+    o = (o + in15) >> 28;
+    in0 += o;
+    in8 += o;
+    in15 -= o << 28;
+    o = in0  >> 28; in1  += o; t = o << 28; in0  -= t;
+    o = in1  >> 28; in2  += o; t = o << 28; in1  -= t;
+    o = in2  >> 28; in3  += o; t = o << 28; in2  -= t;
+    o = in3  >> 28; in4  += o; t = o << 28; in3  -= t;
+    o = in4  >> 28; in5  += o; t = o << 28; in4  -= t;
+    o = in5  >> 28; in6  += o; t = o << 28; in5  -= t;
+    o = in6  >> 28; in7  += o; t = o << 28; in6  -= t;
+    o = in7  >> 28; in8  += o; t = o << 28; in7  -= t;
+    o = in8  >> 28; in9  += o; t = o << 28; in8  -= t;
+    o = in9  >> 28; in10 += o; t = o << 28; in9  -= t;
+    o = in10 >> 28; in11 += o; t = o << 28; in10 -= t;
+    o = in11 >> 28; in12 += o; t = o << 28; in11 -= t;
+    o = in12 >> 28; in13 += o; t = o << 28; in12 -= t;
+    o = in13 >> 28; in14 += o; t = o << 28; in13 -= t;
+    o = in14 >> 28; in15 += o; t = o << 28; in14 -= t;
+    o = in15 >> 28; in0  += o;
+                    in8  += o; t = o << 28; in15 -= t;
+
+    /* Output as bytes */
+    b[ 0] = (in0  >>  0);
+    b[ 1] = (in0  >>  8);
+    b[ 2] = (in0  >> 16);
+    b[ 3] = (in0  >> 24) + ((in1  >>  0) <<  4);
+    b[ 4] = (in1  >>  4);
+    b[ 5] = (in1  >> 12);
+    b[ 6] = (in1  >> 20);
+    b[ 7] = (in2  >>  0);
+    b[ 8] = (in2  >>  8);
+    b[ 9] = (in2  >> 16);
+    b[10] = (in2  >> 24) + ((in3  >>  0) <<  4);
+    b[11] = (in3  >>  4);
+    b[12] = (in3  >> 12);
+    b[13] = (in3  >> 20);
+    b[14] = (in4  >>  0);
+    b[15] = (in4  >>  8);
+    b[16] = (in4  >> 16);
+    b[17] = (in4  >> 24) + ((in5  >>  0) <<  4);
+    b[18] = (in5  >>  4);
+    b[19] = (in5  >> 12);
+    b[20] = (in5  >> 20);
+    b[21] = (in6  >>  0);
+    b[22] = (in6  >>  8);
+    b[23] = (in6  >> 16);
+    b[24] = (in6  >> 24) + ((in7  >>  0) <<  4);
+    b[25] = (in7  >>  4);
+    b[26] = (in7  >> 12);
+    b[27] = (in7  >> 20);
+    b[28] = (in8  >>  0);
+    b[29] = (in8  >>  8);
+    b[30] = (in8  >> 16);
+    b[31] = (in8  >> 24) + ((in9  >>  0) <<  4);
+    b[32] = (in9  >>  4);
+    b[33] = (in9  >> 12);
+    b[34] = (in9  >> 20);
+    b[35] = (in10 >>  0);
+    b[36] = (in10 >>  8);
+    b[37] = (in10 >> 16);
+    b[38] = (in10 >> 24) + ((in11 >>  0) <<  4);
+    b[39] = (in11 >>  4);
+    b[40] = (in11 >> 12);
+    b[41] = (in11 >> 20);
+    b[42] = (in12 >>  0);
+    b[43] = (in12 >>  8);
+    b[44] = (in12 >> 16);
+    b[45] = (in12 >> 24) + ((in13 >>  0) <<  4);
+    b[46] = (in13 >>  4);
+    b[47] = (in13 >> 12);
+    b[48] = (in13 >> 20);
+    b[49] = (in14 >>  0);
+    b[50] = (in14 >>  8);
+    b[51] = (in14 >> 16);
+    b[52] = (in14 >> 24) + ((in15 >>  0) <<  4);
+    b[53] = (in15 >>  4);
+    b[54] = (in15 >> 12);
+    b[55] = (in15 >> 20);
+}
+
+/* Set the field element to 0.
+ *
+ * a  [in]  Field element.
+ */
+void fe448_1(int32_t* a)
+{
+    a[0] = 1;
+    a[1] = 0;
+    a[2] = 0;
+    a[3] = 0;
+    a[4] = 0;
+    a[5] = 0;
+    a[6] = 0;
+    a[7] = 0;
+    a[8] = 0;
+    a[9] = 0;
+    a[10] = 0;
+    a[11] = 0;
+    a[12] = 0;
+    a[13] = 0;
+    a[14] = 0;
+    a[15] = 0;
+}
+
+/* Set the field element to 0.
+ *
+ * a  [in]  Field element.
+ */
+void fe448_0(int32_t* a)
+{
+    a[0] = 0;
+    a[1] = 0;
+    a[2] = 0;
+    a[3] = 0;
+    a[4] = 0;
+    a[5] = 0;
+    a[6] = 0;
+    a[7] = 0;
+    a[8] = 0;
+    a[9] = 0;
+    a[10] = 0;
+    a[11] = 0;
+    a[12] = 0;
+    a[13] = 0;
+    a[14] = 0;
+    a[15] = 0;
+}
+
+/* Copy one field element into another: d = a.
+ *
+ * d  [in]  Destination field element.
+ * a  [in]  Source field element.
+ */
+void fe448_copy(int32_t* d, const int32_t* a)
+{
+    d[0] = a[0];
+    d[1] = a[1];
+    d[2] = a[2];
+    d[3] = a[3];
+    d[4] = a[4];
+    d[5] = a[5];
+    d[6] = a[6];
+    d[7] = a[7];
+    d[8] = a[8];
+    d[9] = a[9];
+    d[10] = a[10];
+    d[11] = a[11];
+    d[12] = a[12];
+    d[13] = a[13];
+    d[14] = a[14];
+    d[15] = a[15];
+}
+
+/* Conditionally swap the elements.
+ * Constant time implementation.
+ *
+ * a  [in]  First field element.
+ * b  [in]  Second field element.
+ * c  [in]  Swap when 1. Valid values: 0, 1.
+ */
+static void fe448_cswap(int32_t* a, int32_t* b, int c)
+{
+    int32_t mask = -(int32_t)c;
+    int32_t t0 = (a[0] ^ b[0]) & mask;
+    int32_t t1 = (a[1] ^ b[1]) & mask;
+    int32_t t2 = (a[2] ^ b[2]) & mask;
+    int32_t t3 = (a[3] ^ b[3]) & mask;
+    int32_t t4 = (a[4] ^ b[4]) & mask;
+    int32_t t5 = (a[5] ^ b[5]) & mask;
+    int32_t t6 = (a[6] ^ b[6]) & mask;
+    int32_t t7 = (a[7] ^ b[7]) & mask;
+    int32_t t8 = (a[8] ^ b[8]) & mask;
+    int32_t t9 = (a[9] ^ b[9]) & mask;
+    int32_t t10 = (a[10] ^ b[10]) & mask;
+    int32_t t11 = (a[11] ^ b[11]) & mask;
+    int32_t t12 = (a[12] ^ b[12]) & mask;
+    int32_t t13 = (a[13] ^ b[13]) & mask;
+    int32_t t14 = (a[14] ^ b[14]) & mask;
+    int32_t t15 = (a[15] ^ b[15]) & mask;
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+    a[5] ^= t5;
+    a[6] ^= t6;
+    a[7] ^= t7;
+    a[8] ^= t8;
+    a[9] ^= t9;
+    a[10] ^= t10;
+    a[11] ^= t11;
+    a[12] ^= t12;
+    a[13] ^= t13;
+    a[14] ^= t14;
+    a[15] ^= t15;
+    b[0] ^= t0;
+    b[1] ^= t1;
+    b[2] ^= t2;
+    b[3] ^= t3;
+    b[4] ^= t4;
+    b[5] ^= t5;
+    b[6] ^= t6;
+    b[7] ^= t7;
+    b[8] ^= t8;
+    b[9] ^= t9;
+    b[10] ^= t10;
+    b[11] ^= t11;
+    b[12] ^= t12;
+    b[13] ^= t13;
+    b[14] ^= t14;
+    b[15] ^= t15;
+}
+
+/* Add two field elements. r = (a + b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold sum.
+ * a  [in]  Field element to add.
+ * b  [in]  Field element to add.
+ */
+void fe448_add(int32_t* r, const int32_t* a, const int32_t* b)
+{
+    r[0] = a[0] + b[0];
+    r[1] = a[1] + b[1];
+    r[2] = a[2] + b[2];
+    r[3] = a[3] + b[3];
+    r[4] = a[4] + b[4];
+    r[5] = a[5] + b[5];
+    r[6] = a[6] + b[6];
+    r[7] = a[7] + b[7];
+    r[8] = a[8] + b[8];
+    r[9] = a[9] + b[9];
+    r[10] = a[10] + b[10];
+    r[11] = a[11] + b[11];
+    r[12] = a[12] + b[12];
+    r[13] = a[13] + b[13];
+    r[14] = a[14] + b[14];
+    r[15] = a[15] + b[15];
+}
+
+/* Subtract a field element from another. r = (a - b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold difference.
+ * a  [in]  Field element to subtract from.
+ * b  [in]  Field element to subtract.
+ */
+void fe448_sub(int32_t* r, const int32_t* a, const int32_t* b)
+{
+    r[0] = a[0] - b[0];
+    r[1] = a[1] - b[1];
+    r[2] = a[2] - b[2];
+    r[3] = a[3] - b[3];
+    r[4] = a[4] - b[4];
+    r[5] = a[5] - b[5];
+    r[6] = a[6] - b[6];
+    r[7] = a[7] - b[7];
+    r[8] = a[8] - b[8];
+    r[9] = a[9] - b[9];
+    r[10] = a[10] - b[10];
+    r[11] = a[11] - b[11];
+    r[12] = a[12] - b[12];
+    r[13] = a[13] - b[13];
+    r[14] = a[14] - b[14];
+    r[15] = a[15] - b[15];
+}
+
+void fe448_reduce(int32_t* a)
+{
+    int64_t o;
+
+    o = a[0 ] >> 28; a[1 ] += o; a[0 ] -= o << 28;
+    o = a[1 ] >> 28; a[2 ] += o; a[1 ] -= o << 28;
+    o = a[2 ] >> 28; a[3 ] += o; a[2 ] -= o << 28;
+    o = a[3 ] >> 28; a[4 ] += o; a[3 ] -= o << 28;
+    o = a[4 ] >> 28; a[5 ] += o; a[4 ] -= o << 28;
+    o = a[5 ] >> 28; a[6 ] += o; a[5 ] -= o << 28;
+    o = a[6 ] >> 28; a[7 ] += o; a[6 ] -= o << 28;
+    o = a[7 ] >> 28; a[8 ] += o; a[7 ] -= o << 28;
+    o = a[8 ] >> 28; a[9 ] += o; a[8 ] -= o << 28;
+    o = a[9 ] >> 28; a[10] += o; a[9 ] -= o << 28;
+    o = a[10] >> 28; a[11] += o; a[10] -= o << 28;
+    o = a[11] >> 28; a[12] += o; a[11] -= o << 28;
+    o = a[12] >> 28; a[13] += o; a[12] -= o << 28;
+    o = a[13] >> 28; a[14] += o; a[13] -= o << 28;
+    o = a[14] >> 28; a[15] += o; a[14] -= o << 28;
+    o = a[15] >> 28; a[0]  += o;
+                     a[8]  += o; a[15] -= o << 28;
+}
+/* Mulitply a field element by 39081. r = (39081 * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ */
+void fe448_mul39081(int32_t* r, const int32_t* a)
+{
+    int64_t t;
+    int32_t o;
+    int64_t t0 = a[0] * (int64_t)39081;
+    int64_t t1 = a[1] * (int64_t)39081;
+    int64_t t2 = a[2] * (int64_t)39081;
+    int64_t t3 = a[3] * (int64_t)39081;
+    int64_t t4 = a[4] * (int64_t)39081;
+    int64_t t5 = a[5] * (int64_t)39081;
+    int64_t t6 = a[6] * (int64_t)39081;
+    int64_t t7 = a[7] * (int64_t)39081;
+    int64_t t8 = a[8] * (int64_t)39081;
+    int64_t t9 = a[9] * (int64_t)39081;
+    int64_t t10 = a[10] * (int64_t)39081;
+    int64_t t11 = a[11] * (int64_t)39081;
+    int64_t t12 = a[12] * (int64_t)39081;
+    int64_t t13 = a[13] * (int64_t)39081;
+    int64_t t14 = a[14] * (int64_t)39081;
+    int64_t t15 = a[15] * (int64_t)39081;
+    o = t0  >> 28; t1  += o; t = (int64_t)o << 28; t0  -= t;
+    o = t1  >> 28; t2  += o; t = (int64_t)o << 28; t1  -= t;
+    o = t2  >> 28; t3  += o; t = (int64_t)o << 28; t2  -= t;
+    o = t3  >> 28; t4  += o; t = (int64_t)o << 28; t3  -= t;
+    o = t4  >> 28; t5  += o; t = (int64_t)o << 28; t4  -= t;
+    o = t5  >> 28; t6  += o; t = (int64_t)o << 28; t5  -= t;
+    o = t6  >> 28; t7  += o; t = (int64_t)o << 28; t6  -= t;
+    o = t7  >> 28; t8  += o; t = (int64_t)o << 28; t7  -= t;
+    o = t8  >> 28; t9  += o; t = (int64_t)o << 28; t8  -= t;
+    o = t9  >> 28; t10 += o; t = (int64_t)o << 28; t9  -= t;
+    o = t10 >> 28; t11 += o; t = (int64_t)o << 28; t10 -= t;
+    o = t11 >> 28; t12 += o; t = (int64_t)o << 28; t11 -= t;
+    o = t12 >> 28; t13 += o; t = (int64_t)o << 28; t12 -= t;
+    o = t13 >> 28; t14 += o; t = (int64_t)o << 28; t13 -= t;
+    o = t14 >> 28; t15 += o; t = (int64_t)o << 28; t14 -= t;
+    o = t15 >> 28; t0  += o;
+                   t8  += o; t = (int64_t)o << 28; t15 -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+    r[8] = t8;
+    r[9] = t9;
+    r[10] = t10;
+    r[11] = t11;
+    r[12] = t12;
+    r[13] = t13;
+    r[14] = t14;
+    r[15] = t15;
+}
+
+/* Mulitply two field elements. r = a * b
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ * b  [in]  Field element to multiply.
+ */
+static WC_INLINE void fe448_mul_8(int32_t* r, const int32_t* a, const int32_t* b)
+{
+    int64_t t;
+    int64_t t0   = (int64_t)a[ 0] * b[ 0];
+    int64_t t1   = (int64_t)a[ 0] * b[ 1];
+    int64_t t101 = (int64_t)a[ 1] * b[ 0];
+    int64_t t2   = (int64_t)a[ 0] * b[ 2];
+    int64_t t102 = (int64_t)a[ 1] * b[ 1];
+    int64_t t202 = (int64_t)a[ 2] * b[ 0];
+    int64_t t3   = (int64_t)a[ 0] * b[ 3];
+    int64_t t103 = (int64_t)a[ 1] * b[ 2];
+    int64_t t203 = (int64_t)a[ 2] * b[ 1];
+    int64_t t303 = (int64_t)a[ 3] * b[ 0];
+    int64_t t4   = (int64_t)a[ 0] * b[ 4];
+    int64_t t104 = (int64_t)a[ 1] * b[ 3];
+    int64_t t204 = (int64_t)a[ 2] * b[ 2];
+    int64_t t304 = (int64_t)a[ 3] * b[ 1];
+    int64_t t404 = (int64_t)a[ 4] * b[ 0];
+    int64_t t5   = (int64_t)a[ 0] * b[ 5];
+    int64_t t105 = (int64_t)a[ 1] * b[ 4];
+    int64_t t205 = (int64_t)a[ 2] * b[ 3];
+    int64_t t305 = (int64_t)a[ 3] * b[ 2];
+    int64_t t405 = (int64_t)a[ 4] * b[ 1];
+    int64_t t505 = (int64_t)a[ 5] * b[ 0];
+    int64_t t6   = (int64_t)a[ 0] * b[ 6];
+    int64_t t106 = (int64_t)a[ 1] * b[ 5];
+    int64_t t206 = (int64_t)a[ 2] * b[ 4];
+    int64_t t306 = (int64_t)a[ 3] * b[ 3];
+    int64_t t406 = (int64_t)a[ 4] * b[ 2];
+    int64_t t506 = (int64_t)a[ 5] * b[ 1];
+    int64_t t606 = (int64_t)a[ 6] * b[ 0];
+    int64_t t7   = (int64_t)a[ 0] * b[ 7];
+    int64_t t107 = (int64_t)a[ 1] * b[ 6];
+    int64_t t207 = (int64_t)a[ 2] * b[ 5];
+    int64_t t307 = (int64_t)a[ 3] * b[ 4];
+    int64_t t407 = (int64_t)a[ 4] * b[ 3];
+    int64_t t507 = (int64_t)a[ 5] * b[ 2];
+    int64_t t607 = (int64_t)a[ 6] * b[ 1];
+    int64_t t707 = (int64_t)a[ 7] * b[ 0];
+    int64_t t8   = (int64_t)a[ 1] * b[ 7];
+    int64_t t108 = (int64_t)a[ 2] * b[ 6];
+    int64_t t208 = (int64_t)a[ 3] * b[ 5];
+    int64_t t308 = (int64_t)a[ 4] * b[ 4];
+    int64_t t408 = (int64_t)a[ 5] * b[ 3];
+    int64_t t508 = (int64_t)a[ 6] * b[ 2];
+    int64_t t608 = (int64_t)a[ 7] * b[ 1];
+    int64_t t9   = (int64_t)a[ 2] * b[ 7];
+    int64_t t109 = (int64_t)a[ 3] * b[ 6];
+    int64_t t209 = (int64_t)a[ 4] * b[ 5];
+    int64_t t309 = (int64_t)a[ 5] * b[ 4];
+    int64_t t409 = (int64_t)a[ 6] * b[ 3];
+    int64_t t509 = (int64_t)a[ 7] * b[ 2];
+    int64_t t10  = (int64_t)a[ 3] * b[ 7];
+    int64_t t110 = (int64_t)a[ 4] * b[ 6];
+    int64_t t210 = (int64_t)a[ 5] * b[ 5];
+    int64_t t310 = (int64_t)a[ 6] * b[ 4];
+    int64_t t410 = (int64_t)a[ 7] * b[ 3];
+    int64_t t11  = (int64_t)a[ 4] * b[ 7];
+    int64_t t111 = (int64_t)a[ 5] * b[ 6];
+    int64_t t211 = (int64_t)a[ 6] * b[ 5];
+    int64_t t311 = (int64_t)a[ 7] * b[ 4];
+    int64_t t12  = (int64_t)a[ 5] * b[ 7];
+    int64_t t112 = (int64_t)a[ 6] * b[ 6];
+    int64_t t212 = (int64_t)a[ 7] * b[ 5];
+    int64_t t13  = (int64_t)a[ 6] * b[ 7];
+    int64_t t113 = (int64_t)a[ 7] * b[ 6];
+    int64_t t14  = (int64_t)a[ 7] * b[ 7];
+    t1  += t101;
+    t2  += t102; t2  += t202;
+    t3  += t103; t3  += t203; t3  += t303;
+    t4  += t104; t4  += t204; t4  += t304; t4  += t404;
+    t5  += t105; t5  += t205; t5  += t305; t5  += t405; t5  += t505;
+    t6  += t106; t6  += t206; t6  += t306; t6  += t406; t6  += t506;
+    t6  += t606;
+    t7  += t107; t7  += t207; t7  += t307; t7  += t407; t7  += t507;
+    t7  += t607;
+    t7  += t707;
+    t8  += t108; t8  += t208; t8  += t308; t8  += t408; t8  += t508;
+    t8  += t608;
+    t9  += t109; t9  += t209; t9  += t309; t9  += t409; t9  += t509;
+    t10 += t110; t10 += t210; t10 += t310; t10 += t410;
+    t11 += t111; t11 += t211; t11 += t311;
+    t12 += t112; t12 += t212;
+    t13 += t113;
+    int64_t o = t14 >> 28;
+    int64_t t15 = o;
+    t14 -= o << 28;
+    o = t0  >> 28; t1  += o; t = (int64_t)o << 28; t0  -= t;
+    o = t1  >> 28; t2  += o; t = (int64_t)o << 28; t1  -= t;
+    o = t2  >> 28; t3  += o; t = (int64_t)o << 28; t2  -= t;
+    o = t3  >> 28; t4  += o; t = (int64_t)o << 28; t3  -= t;
+    o = t4  >> 28; t5  += o; t = (int64_t)o << 28; t4  -= t;
+    o = t5  >> 28; t6  += o; t = (int64_t)o << 28; t5  -= t;
+    o = t6  >> 28; t7  += o; t = (int64_t)o << 28; t6  -= t;
+    o = t7  >> 28; t8  += o; t = (int64_t)o << 28; t7  -= t;
+    o = t8  >> 28; t9  += o; t = (int64_t)o << 28; t8  -= t;
+    o = t9  >> 28; t10 += o; t = (int64_t)o << 28; t9  -= t;
+    o = t10 >> 28; t11 += o; t = (int64_t)o << 28; t10 -= t;
+    o = t11 >> 28; t12 += o; t = (int64_t)o << 28; t11 -= t;
+    o = t12 >> 28; t13 += o; t = (int64_t)o << 28; t12 -= t;
+    o = t13 >> 28; t14 += o; t = (int64_t)o << 28; t13 -= t;
+    o = t14 >> 28; t15 += o; t = (int64_t)o << 28; t14 -= t;
+    o = t15 >> 28; t0  += o;
+                   t8  += o; t = (int64_t)o << 28; t15 -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+    r[8] = t8;
+    r[9] = t9;
+    r[10] = t10;
+    r[11] = t11;
+    r[12] = t12;
+    r[13] = t13;
+    r[14] = t14;
+    r[15] = t15;
+}
+
+/* Mulitply two field elements. r = (a * b) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to multiply.
+ * b  [in]  Field element to multiply.
+ */
+void fe448_mul(int32_t* r, const int32_t* a, const int32_t* b)
+{
+    int32_t r0[16];
+    int32_t r1[16];
+    int32_t* a1 = r1;
+    int32_t b1[8];
+    int32_t r2[16];
+    a1[0] = a[0] + a[8];
+    a1[1] = a[1] + a[9];
+    a1[2] = a[2] + a[10];
+    a1[3] = a[3] + a[11];
+    a1[4] = a[4] + a[12];
+    a1[5] = a[5] + a[13];
+    a1[6] = a[6] + a[14];
+    a1[7] = a[7] + a[15];
+    b1[0] = b[0] + b[8];
+    b1[1] = b[1] + b[9];
+    b1[2] = b[2] + b[10];
+    b1[3] = b[3] + b[11];
+    b1[4] = b[4] + b[12];
+    b1[5] = b[5] + b[13];
+    b1[6] = b[6] + b[14];
+    b1[7] = b[7] + b[15];
+    fe448_mul_8(r2, a + 8, b + 8);
+    fe448_mul_8(r0, a, b);
+    fe448_mul_8(r1, a1, b1);
+    r[ 0] = r0[ 0] + r2[ 0] + r1[ 8] - r0[ 8];
+    r[ 1] = r0[ 1] + r2[ 1] + r1[ 9] - r0[ 9];
+    r[ 2] = r0[ 2] + r2[ 2] + r1[10] - r0[10];
+    r[ 3] = r0[ 3] + r2[ 3] + r1[11] - r0[11];
+    r[ 4] = r0[ 4] + r2[ 4] + r1[12] - r0[12];
+    r[ 5] = r0[ 5] + r2[ 5] + r1[13] - r0[13];
+    r[ 6] = r0[ 6] + r2[ 6] + r1[14] - r0[14];
+    r[ 7] = r0[ 7] + r2[ 7] + r1[15] - r0[15];
+    r[ 8] = r2[ 8]          + r1[ 0] - r0[ 0] + r1[ 8];
+    r[ 9] = r2[ 9]          + r1[ 1] - r0[ 1] + r1[ 9];
+    r[10] = r2[10]          + r1[ 2] - r0[ 2] + r1[10];
+    r[11] = r2[11]          + r1[ 3] - r0[ 3] + r1[11];
+    r[12] = r2[12]          + r1[ 4] - r0[ 4] + r1[12];
+    r[13] = r2[13]          + r1[ 5] - r0[ 5] + r1[13];
+    r[14] = r2[14]          + r1[ 6] - r0[ 6] + r1[14];
+    r[15] = r2[15]          + r1[ 7] - r0[ 7] + r1[15];
+}
+
+/* Square a field element. r = a * a
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to square.
+ */
+static WC_INLINE void fe448_sqr_8(int32_t* r, const int32_t* a)
+{
+    int64_t t;
+    int64_t t0   =     (int64_t)a[ 0] * a[ 0];
+    int64_t t1   = 2 * (int64_t)a[ 0] * a[ 1];
+    int64_t t2   = 2 * (int64_t)a[ 0] * a[ 2];
+    int64_t t102 =     (int64_t)a[ 1] * a[ 1];
+    int64_t t3   = 2 * (int64_t)a[ 0] * a[ 3];
+    int64_t t103 = 2 * (int64_t)a[ 1] * a[ 2];
+    int64_t t4   = 2 * (int64_t)a[ 0] * a[ 4];
+    int64_t t104 = 2 * (int64_t)a[ 1] * a[ 3];
+    int64_t t204 =     (int64_t)a[ 2] * a[ 2];
+    int64_t t5   = 2 * (int64_t)a[ 0] * a[ 5];
+    int64_t t105 = 2 * (int64_t)a[ 1] * a[ 4];
+    int64_t t205 = 2 * (int64_t)a[ 2] * a[ 3];
+    int64_t t6   = 2 * (int64_t)a[ 0] * a[ 6];
+    int64_t t106 = 2 * (int64_t)a[ 1] * a[ 5];
+    int64_t t206 = 2 * (int64_t)a[ 2] * a[ 4];
+    int64_t t306 =     (int64_t)a[ 3] * a[ 3];
+    int64_t t7   = 2 * (int64_t)a[ 0] * a[ 7];
+    int64_t t107 = 2 * (int64_t)a[ 1] * a[ 6];
+    int64_t t207 = 2 * (int64_t)a[ 2] * a[ 5];
+    int64_t t307 = 2 * (int64_t)a[ 3] * a[ 4];
+    int64_t t8   = 2 * (int64_t)a[ 1] * a[ 7];
+    int64_t t108 = 2 * (int64_t)a[ 2] * a[ 6];
+    int64_t t208 = 2 * (int64_t)a[ 3] * a[ 5];
+    int64_t t308 =     (int64_t)a[ 4] * a[ 4];
+    int64_t t9   = 2 * (int64_t)a[ 2] * a[ 7];
+    int64_t t109 = 2 * (int64_t)a[ 3] * a[ 6];
+    int64_t t209 = 2 * (int64_t)a[ 4] * a[ 5];
+    int64_t t10  = 2 * (int64_t)a[ 3] * a[ 7];
+    int64_t t110 = 2 * (int64_t)a[ 4] * a[ 6];
+    int64_t t210 =     (int64_t)a[ 5] * a[ 5];
+    int64_t t11  = 2 * (int64_t)a[ 4] * a[ 7];
+    int64_t t111 = 2 * (int64_t)a[ 5] * a[ 6];
+    int64_t t12  = 2 * (int64_t)a[ 5] * a[ 7];
+    int64_t t112 =     (int64_t)a[ 6] * a[ 6];
+    int64_t t13  = 2 * (int64_t)a[ 6] * a[ 7];
+    int64_t t14  =     (int64_t)a[ 7] * a[ 7];
+    t2  += t102;
+    t3  += t103;
+    t4  += t104; t4  += t204;
+    t5  += t105; t5  += t205;
+    t6  += t106; t6  += t206; t6  += t306;
+    t7  += t107; t7  += t207; t7  += t307;
+    t8  += t108; t8  += t208; t8  += t308;
+    t9  += t109; t9  += t209;
+    t10 += t110; t10 += t210;
+    t11 += t111;
+    t12 += t112;
+    int64_t o = t14 >> 28;
+    int64_t t15 = o;
+    t14 -= o << 28;
+    o = t0  >> 28; t1  += o; t = (int64_t)o << 28; t0  -= t;
+    o = t1  >> 28; t2  += o; t = (int64_t)o << 28; t1  -= t;
+    o = t2  >> 28; t3  += o; t = (int64_t)o << 28; t2  -= t;
+    o = t3  >> 28; t4  += o; t = (int64_t)o << 28; t3  -= t;
+    o = t4  >> 28; t5  += o; t = (int64_t)o << 28; t4  -= t;
+    o = t5  >> 28; t6  += o; t = (int64_t)o << 28; t5  -= t;
+    o = t6  >> 28; t7  += o; t = (int64_t)o << 28; t6  -= t;
+    o = t7  >> 28; t8  += o; t = (int64_t)o << 28; t7  -= t;
+    o = t8  >> 28; t9  += o; t = (int64_t)o << 28; t8  -= t;
+    o = t9  >> 28; t10 += o; t = (int64_t)o << 28; t9  -= t;
+    o = t10 >> 28; t11 += o; t = (int64_t)o << 28; t10 -= t;
+    o = t11 >> 28; t12 += o; t = (int64_t)o << 28; t11 -= t;
+    o = t12 >> 28; t13 += o; t = (int64_t)o << 28; t12 -= t;
+    o = t13 >> 28; t14 += o; t = (int64_t)o << 28; t13 -= t;
+    o = t14 >> 28; t15 += o; t = (int64_t)o << 28; t14 -= t;
+    o = t15 >> 28; t0  += o;
+                   t8  += o; t = (int64_t)o << 28; t15 -= t;
+
+    /* Store */
+    r[0] = t0;
+    r[1] = t1;
+    r[2] = t2;
+    r[3] = t3;
+    r[4] = t4;
+    r[5] = t5;
+    r[6] = t6;
+    r[7] = t7;
+    r[8] = t8;
+    r[9] = t9;
+    r[10] = t10;
+    r[11] = t11;
+    r[12] = t12;
+    r[13] = t13;
+    r[14] = t14;
+    r[15] = t15;
+}
+
+/* Square a field element. r = (a * a) mod (2^448 - 2^224 - 1)
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to square.
+ */
+void fe448_sqr(int32_t* r, const int32_t* a)
+{
+    int32_t r0[16];
+    int32_t r1[16];
+    int32_t* a1 = r1;
+    int32_t r2[16];
+    a1[0] = a[0] + a[8];
+    a1[1] = a[1] + a[9];
+    a1[2] = a[2] + a[10];
+    a1[3] = a[3] + a[11];
+    a1[4] = a[4] + a[12];
+    a1[5] = a[5] + a[13];
+    a1[6] = a[6] + a[14];
+    a1[7] = a[7] + a[15];
+    fe448_sqr_8(r2, a + 8);
+    fe448_sqr_8(r0, a);
+    fe448_sqr_8(r1, a1);
+    r[ 0] = r0[ 0] + r2[ 0] + r1[ 8] - r0[ 8];
+    r[ 1] = r0[ 1] + r2[ 1] + r1[ 9] - r0[ 9];
+    r[ 2] = r0[ 2] + r2[ 2] + r1[10] - r0[10];
+    r[ 3] = r0[ 3] + r2[ 3] + r1[11] - r0[11];
+    r[ 4] = r0[ 4] + r2[ 4] + r1[12] - r0[12];
+    r[ 5] = r0[ 5] + r2[ 5] + r1[13] - r0[13];
+    r[ 6] = r0[ 6] + r2[ 6] + r1[14] - r0[14];
+    r[ 7] = r0[ 7] + r2[ 7] + r1[15] - r0[15];
+    r[ 8] = r2[ 8]          + r1[ 0] - r0[ 0] + r1[ 8];
+    r[ 9] = r2[ 9]          + r1[ 1] - r0[ 1] + r1[ 9];
+    r[10] = r2[10]          + r1[ 2] - r0[ 2] + r1[10];
+    r[11] = r2[11]          + r1[ 3] - r0[ 3] + r1[11];
+    r[12] = r2[12]          + r1[ 4] - r0[ 4] + r1[12];
+    r[13] = r2[13]          + r1[ 5] - r0[ 5] + r1[13];
+    r[14] = r2[14]          + r1[ 6] - r0[ 6] + r1[14];
+    r[15] = r2[15]          + r1[ 7] - r0[ 7] + r1[15];
+}
+
+/* Invert the field element. (r * a) mod (2^448 - 2^224 - 1) = 1
+ * Constant time implementation - using Fermat's little theorem:
+ *   a^(p-1) mod p = 1 => a^(p-2) mod p = 1/a
+ * For curve448: p - 2 = 2^448 - 2^224 - 3
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to invert.
+ */
+void fe448_invert(int32_t* r, const int32_t* a)
+{
+    int32_t t1[16];
+    int32_t t2[16];
+    int32_t t3[16];
+    int32_t t4[16];
+    int i;
+
+    fe448_sqr(t1, a);
+    /* t1 = 2 */
+    fe448_mul(t1, t1, a);
+    /* t1 = 3 */
+    fe448_sqr(t2, t1); for (i = 1; i < 2; ++i) fe448_sqr(t2, t2);
+    /* t2 = c */
+    fe448_mul(t3, t2, a);
+    /* t3 = d */
+    fe448_mul(t1, t2, t1);
+    /* t1 = f */
+    fe448_sqr(t2, t1);
+    /* t2 = 1e */
+    fe448_mul(t4, t2, a);
+    /* t4 = 1f */
+    fe448_sqr(t2, t4); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3e0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 3ff */
+    fe448_sqr(t2, t1); for (i = 1; i < 10; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffc00 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = fffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 1ffffe0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 1ffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 25; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fffffe000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = 3ffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 5; ++i) fe448_sqr(t2, t2);
+    /* t2 = 7fffffffffffe0 */
+    fe448_mul(t1, t2, t4);
+    /* t1 = 7fffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 55; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fffffffffffff80000000000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = 3fffffffffffffffffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 110; ++i) fe448_sqr(t2, t2);
+    /* t2 = fffffffffffffffffffffffffffc000000000000000000000000000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 4; ++i) fe448_sqr(t2, t2);
+    /* t2 = fffffffffffffffffffffffffffffffffffffffffffffffffffffff0 */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffd */
+    fe448_mul(t1, t3, a);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe */
+    fe448_sqr(t1, t1); for (i = 1; i < 224; ++i) fe448_sqr(t1, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000000000000000000000000000000000000000000000000000 */
+    fe448_mul(r, t3, t1);
+    /* r = fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffffffffffffffffffffffffffffffffffffffffffffffffffffd */
+}
+
+/* Scalar multiply the point by a number. r = n.a
+ * Uses Montogmery ladder and only requires the x-ordinate.
+ *
+ * r  [in]  Field element to hold result.
+ * n  [in]  Scalar as an array of bytes.
+ * a  [in]  Point to multiply - x-ordinate only.
+ */
+int curve448(byte* r, const byte* n, const byte* a)
+{
+    int32_t x1[16];
+    int32_t x2[16];
+    int32_t z2[16];
+    int32_t x3[16];
+    int32_t z3[16];
+    int32_t t0[16];
+    int32_t t1[16];
+    int i;
+    unsigned int swap;
+    unsigned int b;
+
+    fe448_from_bytes(x1, a);
+    fe448_1(x2);
+    fe448_0(z2);
+    fe448_copy(x3, x1);
+    fe448_1(z3);
+
+    swap = 0;
+    for (i = 447; i >= 0; --i) {
+        b = (n[i >> 3] >> (i & 7)) & 1;
+        swap ^= b;
+        fe448_cswap(x2, x3, swap);
+        fe448_cswap(z2, z3, swap);
+        swap = b;
+
+        /* Montgomery Ladder - double and add */
+        fe448_add(t0, x2, z2);
+        fe448_reduce(t0);
+        fe448_add(t1, x3, z3);
+        fe448_reduce(t1);
+        fe448_sub(x2, x2, z2);
+        fe448_sub(x3, x3, z3);
+        fe448_mul(t1, t1, x2);
+        fe448_mul(z3, x3, t0);
+        fe448_sqr(t0, t0);
+        fe448_sqr(x2, x2);
+        fe448_add(x3, z3, t1);
+        fe448_reduce(x3);
+        fe448_sqr(x3, x3);
+        fe448_sub(z3, z3, t1);
+        fe448_sqr(z3, z3);
+        fe448_mul(z3, z3, x1);
+        fe448_sub(t1, t0, x2);
+        fe448_mul(x2, t0, x2);
+        fe448_mul39081(z2, t1);
+        fe448_add(z2, t0, z2);
+        fe448_mul(z2, z2, t1);
+    }
+    /* Last two bits are 0 - no final swap check required. */
+
+    fe448_invert(z2, z2);
+    fe448_mul(x2, x2, z2);
+    fe448_to_bytes(r, x2);
+
+    return 0;
+}
+
+#ifdef HAVE_ED448
+/* Check whether field element is not 0.
+ * Must convert to a normalized form before checking.
+ *
+ * a  [in]  Field element.
+ * returns 0 when zero, and any other value otherwise.
+ */
+int fe448_isnonzero(const int32_t* a)
+{
+    uint8_t b[56];
+    int i;
+    uint8_t c = 0;
+    fe448_to_bytes(b, a);
+    for (i = 0; i < 56; i++)
+        c |= b[i];
+    return c;
+}
+
+/* Check whether field element is negative.
+ * Must convert to a normalized form before checking.
+ *
+ * a  [in]  Field element.
+ * returns 1 when negative, and 0 otherwise.
+ */
+int fe448_isnegative(const int32_t* a)
+{
+    uint8_t b[56];
+    fe448_to_bytes(b, a);
+    return b[0] & 1;
+}
+
+/* Negates the field element. r = -a
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element.
+ */
+void fe448_neg(int32_t* r, const int32_t* a)
+{
+    r[0] = -a[0];
+    r[1] = -a[1];
+    r[2] = -a[2];
+    r[3] = -a[3];
+    r[4] = -a[4];
+    r[5] = -a[5];
+    r[6] = -a[6];
+    r[7] = -a[7];
+    r[8] = -a[8];
+    r[9] = -a[9];
+    r[10] = -a[10];
+    r[11] = -a[11];
+    r[12] = -a[12];
+    r[13] = -a[13];
+    r[14] = -a[14];
+    r[15] = -a[15];
+}
+
+/* Raise field element to (p-3) / 4: 2^446 - 2^222 - 1
+ * Used for calcualting y-ordinate from x-ordinate for Ed448.
+ *
+ * r  [in]  Field element to hold result.
+ * a  [in]  Field element to exponentiate.
+ */
+void fe448_pow_2_446_222_1(int32_t* r, const int32_t* a)
+{
+    int32_t t1[16];
+    int32_t t2[16];
+    int32_t t3[16];
+    int32_t t4[16];
+    int32_t t5[16];
+    int i;
+
+    fe448_sqr(t3, a);
+    /* t3 = 2 */
+    fe448_mul(t1, t3, a);
+    /* t1 = 3 */
+    fe448_sqr(t5, t1);
+    /* t5 = 6 */
+    fe448_mul(t5, t5, a);
+    /* t5 = 7 */
+    fe448_sqr(t2, t1); for (i = 1; i < 2; ++i) fe448_sqr(t2, t2);
+    /* t2 = c */
+    fe448_mul(t3, t2, t3);
+    /* t3 = e */
+    fe448_mul(t1, t2, t1);
+    /* t1 = f */
+    fe448_sqr(t2, t1); for (i = 1; i < 3; ++i) fe448_sqr(t2, t2);
+    /* t2 = 78 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 7f */
+    fe448_sqr(t2, t1); for (i = 1; i < 4; ++i) fe448_sqr(t2, t2);
+    /* t2 = f0 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fe */
+    fe448_sqr(t2, t1); for (i = 1; i < 7; ++i) fe448_sqr(t2, t2);
+    /* t2 = 7f80 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 7fff */
+    fe448_sqr(t2, t1); for (i = 1; i < 8; ++i) fe448_sqr(t2, t2);
+    /* t2 = ff00 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ffff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffe */
+    fe448_sqr(t2, t5); for (i = 1; i < 15; ++i) fe448_sqr(t2, t2);
+    /* t2 = 3fff8000 */
+    fe448_mul(t5, t2, t5);
+    /* t5 = 3fffffff */
+    fe448_sqr(t2, t1); for (i = 1; i < 16; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffff0000 */
+    fe448_mul(t1, t2, t1);
+    /* t1 = ffffffff */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffe */
+    fe448_sqr(t2, t1); for (i = 1; i < 32; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffffffff00000000 */
+    fe448_mul(t2, t2, t1);
+    /* t2 = ffffffffffffffff */
+    fe448_sqr(t1, t2); for (i = 1; i < 64; ++i) fe448_sqr(t1, t1);
+    /* t1 = ffffffffffffffff0000000000000000 */
+    fe448_mul(t1, t1, t2);
+    /* t1 = ffffffffffffffffffffffffffffffff */
+    fe448_sqr(t1, t1); for (i = 1; i < 64; ++i) fe448_sqr(t1, t1);
+    /* t1 = ffffffffffffffffffffffffffffffff0000000000000000 */
+    fe448_mul(t4, t1, t2);
+    /* t4 = ffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t2, t4); for (i = 1; i < 32; ++i) fe448_sqr(t2, t2);
+    /* t2 = ffffffffffffffffffffffffffffffffffffffffffffffff00000000 */
+    fe448_mul(t3, t3, t2);
+    /* t3 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe */
+    fe448_sqr(t1, t3); for (i = 1; i < 192; ++i) fe448_sqr(t1, t1);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffe000000000000000000000000000000000000000000000000 */
+    fe448_mul(t1, t1, t4);
+    /* t1 = fffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffff */
+    fe448_sqr(t1, t1); for (i = 1; i < 30; ++i) fe448_sqr(t1, t1);
+    /* t1 = 3fffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffffffffffffffffffc0000000 */
+    fe448_mul(r, t5, t1);
+    /* r = 3fffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+}
+
+/* Constant time, conditional move of b into a.
+ * a is not changed if the condition is 0.
+ *
+ * a  A field element.
+ * b  A field element.
+ * c  If 1 then copy and if 0 then don't copy.
+ */
+void fe448_cmov(int32_t* a, const int32_t* b, int c)
+{
+    int32_t m = -(int32_t)c;
+    int32_t t0 = m & (a[0] ^ b[0]);
+    int32_t t1 = m & (a[1] ^ b[1]);
+    int32_t t2 = m & (a[2] ^ b[2]);
+    int32_t t3 = m & (a[3] ^ b[3]);
+    int32_t t4 = m & (a[4] ^ b[4]);
+    int32_t t5 = m & (a[5] ^ b[5]);
+    int32_t t6 = m & (a[6] ^ b[6]);
+    int32_t t7 = m & (a[7] ^ b[7]);
+    int32_t t8 = m & (a[8] ^ b[8]);
+    int32_t t9 = m & (a[9] ^ b[9]);
+    int32_t t10 = m & (a[10] ^ b[10]);
+    int32_t t11 = m & (a[11] ^ b[11]);
+    int32_t t12 = m & (a[12] ^ b[12]);
+    int32_t t13 = m & (a[13] ^ b[13]);
+    int32_t t14 = m & (a[14] ^ b[14]);
+    int32_t t15 = m & (a[15] ^ b[15]);
+
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+    a[5] ^= t5;
+    a[6] ^= t6;
+    a[7] ^= t7;
+    a[8] ^= t8;
+    a[9] ^= t9;
+    a[10] ^= t10;
+    a[11] ^= t11;
+    a[12] ^= t12;
+    a[13] ^= t13;
+    a[14] ^= t14;
+    a[15] ^= t15;
+}
+
+#endif /* HAVE_ED448 */
+#endif
+
+#endif /* HAVE_CURVE448 || HAVE_ED448 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_low_mem.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_low_mem.c
index 80834f54c..13c88cbb4 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_low_mem.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_low_mem.c
@@ -1,8 +1,8 @@
 /* fe_low_mem.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* Based from Daniel Beer's public domain word. */
+
+/* Based from Daniel Beer's public domain work. */
 
 #ifdef HAVE_CONFIG_H
     #include <config.h>
@@ -27,17 +28,18 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519)
+#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
+#if defined(CURVE25519_SMALL) || defined(ED25519_SMALL) /* use slower code that takes less memory */
 
 #include <wolfssl/wolfcrypt/fe_operations.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
-
 void fprime_copy(byte *x, const byte *a)
 {
     int i;
@@ -46,13 +48,24 @@ void fprime_copy(byte *x, const byte *a)
 }
 
 
-void fe_copy(fe x, const fe a)
+void lm_copy(byte* x, const byte* a)
 {
     int i;
     for (i = 0; i < F25519_SIZE; i++)
         x[i] = a[i];
 }
 
+#if ((defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL)) || \
+    (defined(HAVE_ED25519) && !defined(ED25519_SMALL))) &&      \
+    !defined(FREESCALE_LTC_ECC)
+    /* to be Complementary to fe_low_mem.c */
+#else
+void fe_init(void)
+{
+}
+#endif
+
+#ifdef CURVE25519_SMALL
 
 /* Double an X-coordinate */
 static void xc_double(byte *x3, byte *z3,
@@ -74,12 +87,12 @@ static void xc_double(byte *x3, byte *z3,
 	fe_mul__distinct(z1sq, z1, z1);
 	fe_mul__distinct(x1z1, x1, z1);
 
-	fe_sub(a, x1sq, z1sq);
+	lm_sub(a, x1sq, z1sq);
 	fe_mul__distinct(x3, a, a);
 
 	fe_mul_c(a, x1z1, 486662);
-	fe_add(a, x1sq, a);
-	fe_add(a, z1sq, a);
+	lm_add(a, x1sq, a);
+	lm_add(a, z1sq, a);
 	fe_mul__distinct(x1sq, x1z1, a);
 	fe_mul_c(z3, x1sq, 4);
 }
@@ -110,24 +123,24 @@ static void xc_diffadd(byte *x5, byte *z5,
 	byte a[F25519_SIZE];
 	byte b[F25519_SIZE];
 
-	fe_add(a, x2, z2);
-	fe_sub(b, x3, z3); /* D */
+	lm_add(a, x2, z2);
+	lm_sub(b, x3, z3); /* D */
 	fe_mul__distinct(da, a, b);
 
-	fe_sub(b, x2, z2);
-	fe_add(a, x3, z3); /* C */
+	lm_sub(b, x2, z2);
+	lm_add(a, x3, z3); /* C */
 	fe_mul__distinct(cb, a, b);
 
-	fe_add(a, da, cb);
+	lm_add(a, da, cb);
 	fe_mul__distinct(b, a, a);
 	fe_mul__distinct(x5, z1, b);
 
-	fe_sub(a, da, cb);
+	lm_sub(a, da, cb);
 	fe_mul__distinct(b, a, a);
 	fe_mul__distinct(z5, x1, b);
 }
 
-
+#ifndef FREESCALE_LTC_ECC
 int curve25519(byte *result, byte *e, byte *q)
 {
 	/* Current point: P_m */
@@ -141,7 +154,7 @@ int curve25519(byte *result, byte *e, byte *q)
 	int i;
 
 	/* Note: bit 254 is assumed to be 1 */
-	fe_copy(xm, q);
+	lm_copy(xm, q);
 
 	for (i = 253; i >= 0; i--) {
 		const int bit = (e[i >> 3] >> (i & 7)) & 1;
@@ -171,6 +184,8 @@ int curve25519(byte *result, byte *e, byte *q)
 	fe_normalize(result);
     return 0;
 }
+#endif /* !FREESCALE_LTC_ECC */
+#endif /* CURVE25519_SMALL */
 
 
 static void raw_add(byte *x, const byte *p)
@@ -180,7 +195,7 @@ static void raw_add(byte *x, const byte *p)
 
 	for (i = 0; i < F25519_SIZE; i++) {
 		c += ((word16)x[i]) + ((word16)p[i]);
-		x[i] = c;
+		x[i] = (byte)c;
 		c >>= 8;
 	}
 }
@@ -194,11 +209,11 @@ static void raw_try_sub(byte *x, const byte *p)
 
 	for (i = 0; i < F25519_SIZE; i++) {
 		c = ((word16)x[i]) - ((word16)p[i]) - c;
-		minusp[i] = c;
+		minusp[i] = (byte)c;
 		c = (c >> 8) & 1;
 	}
 
-	fprime_select(x, minusp, x, c);
+	fprime_select(x, minusp, x, (byte)c);
 }
 
 
@@ -211,7 +226,7 @@ static int prime_msb(const byte *p)
 
    /*
        Test for any hot bits.
-       As soon as one instance is incountered set shift to 0.
+       As soon as one instance is encountered set shift to 0.
     */
 	for (i = F25519_SIZE - 1; i >= 0; i--) {
         shift &= ((shift ^ ((-p[i] | p[i]) >> 7)) & 1);
@@ -268,7 +283,7 @@ void fprime_mul(byte *r, const byte *a, const byte *b,
 
 	    for (j = 0; j < F25519_SIZE; j++) {
 		    c |= ((word16)r[j]) << 1;
-		    r[j] = c;
+		    r[j] = (byte)c;
 		    c >>= 8;
 	    }
 		raw_try_sub(r, modulus);
@@ -307,7 +322,7 @@ void fe_normalize(byte *x)
 
 	for (i = 0; i < F25519_SIZE; i++) {
 		c += x[i];
-		x[i] = c;
+		x[i] = (byte)c;
 		c >>= 8;
 	}
 
@@ -319,12 +334,12 @@ void fe_normalize(byte *x)
 
 	for (i = 0; i + 1 < F25519_SIZE; i++) {
 		c += x[i];
-		minusp[i] = c;
+		minusp[i] = (byte)c;
 		c >>= 8;
 	}
 
 	c += ((word16)x[i]) - 128;
-	minusp[31] = c;
+	minusp[31] = (byte)c;
 
 	/* Load x-p if no underflow */
 	fe_select(x, minusp, x, (c >> 15) & 1);
@@ -343,7 +358,7 @@ void fe_select(byte *dst,
 }
 
 
-void fe_add(fe r, const fe a, const fe b)
+void lm_add(byte* r, const byte* a, const byte* b)
 {
 	word16 c = 0;
 	int i;
@@ -352,7 +367,7 @@ void fe_add(fe r, const fe a, const fe b)
 	for (i = 0; i < F25519_SIZE; i++) {
 		c >>= 8;
 		c += ((word16)a[i]) + ((word16)b[i]);
-		r[i] = c;
+		r[i] = (byte)c;
 	}
 
 	/* Reduce with 2^255 = 19 mod p */
@@ -361,13 +376,13 @@ void fe_add(fe r, const fe a, const fe b)
 
 	for (i = 0; i < F25519_SIZE; i++) {
 		c += r[i];
-		r[i] = c;
+		r[i] = (byte)c;
 		c >>= 8;
 	}
 }
 
 
-void fe_sub(fe r, const fe a, const fe b)
+void lm_sub(byte* r, const byte* a, const byte* b)
 {
 	word32 c = 0;
 	int i;
@@ -392,7 +407,7 @@ void fe_sub(fe r, const fe a, const fe b)
 }
 
 
-void fe_neg(fe r, const fe a)
+void lm_neg(byte* r, const byte* a)
 {
 	word32 c = 0;
 	int i;
@@ -447,12 +462,12 @@ void fe_mul__distinct(byte *r, const byte *a, const byte *b)
 }
 
 
-void fe_mul(fe r, const fe a, const fe b)
+void lm_mul(byte *r, const byte* a, const byte *b)
 {
 	byte tmp[F25519_SIZE];
 
 	fe_mul__distinct(tmp, a, b);
-	fe_copy(r, tmp);
+	lm_copy(r, tmp);
 }
 
 
@@ -530,12 +545,12 @@ void fe_inv__distinct(byte *r, const byte *x)
 }
 
 
-void fe_invert(fe r, const fe x)
+void lm_invert(byte *r, const byte *x)
 {
 	byte tmp[F25519_SIZE];
 
 	fe_inv__distinct(tmp, x);
-	fe_copy(r, tmp);
+	lm_copy(r, tmp);
 }
 
 
@@ -585,12 +600,12 @@ void fe_sqrt(byte *r, const byte *a)
 	fe_mul__distinct(y, v, v);
 	fe_mul__distinct(i, x, y);
 	fe_load(y, 1);
-	fe_sub(i, i, y);
+	lm_sub(i, i, y);
 
 	/* r = avi */
 	fe_mul__distinct(x, v, a);
 	fe_mul__distinct(r, x, i);
 }
 
-#endif /* HAVE_CURVE25519 or HAVE_ED25519 */
-
+#endif /* CURVE25519_SMALL || ED25519_SMALL */
+#endif /* HAVE_CURVE25519 || HAVE_ED25519 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_operations.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_operations.c
index da07c951c..1e1c92bf2 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_operations.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_operations.c
@@ -1,8 +1,8 @@
 /* fe_operations.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
  /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
 
 #ifdef HAVE_CONFIG_H
@@ -27,7 +28,8 @@
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-#if defined(HAVE_ED25519) || defined(HAVE_CURVE25519)
+#if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
+#if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL) /* run when not defined to use small memory math */
 
 #include <wolfssl/wolfcrypt/fe_operations.h>
 #include <stdint.h>
@@ -35,9 +37,20 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#ifdef CURVED25519_X64
+/* Assembly code in fe_x25519_asm.* */
+#elif defined(WOLFSSL_ARMASM)
+/* Assembly code in fe_armv[78]_x25519.* */
+#elif defined(CURVED25519_128BIT)
+#include "fe_x25519_128.i"
+#else
+
+#if defined(HAVE_CURVE25519) || \
+    (defined(HAVE_ED25519) && !defined(ED25519_SMALL))
 /*
 fe means field element.
 Here the field is \Z/(2^255-19).
@@ -65,7 +78,7 @@ uint64_t load_4(const unsigned char *in)
   result |= ((uint64_t) in[3]) << 24;
   return result;
 }
-
+#endif
 
 /*
 h = 1
@@ -105,25 +118,43 @@ void fe_0(fe h)
 }
 
 
+#if ((defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL)) || \
+     (defined(HAVE_ED25519) && !defined(ED25519_SMALL))) && \
+    !defined(FREESCALE_LTC_ECC)
+/* to be Complementary to fe_low_mem.c */
+void fe_init(void)
+{
+}
+#endif
+
+#if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
+    !defined(FREESCALE_LTC_ECC)
 int curve25519(byte* q, byte* n, byte* p)
 {
+#if 0
   unsigned char e[32];
-  unsigned int i;
-  fe x1;
-  fe x2;
-  fe z2;
-  fe x3;
-  fe z3;
-  fe tmp0;
-  fe tmp1;
-  int pos;
-  unsigned int swap;
-  unsigned int b;
-
-  for (i = 0;i < 32;++i) e[i] = n[i];
-  e[0] &= 248;
-  e[31] &= 127;
-  e[31] |= 64;
+#endif
+  fe x1 = {0};
+  fe x2 = {0};
+  fe z2 = {0};
+  fe x3 = {0};
+  fe z3 = {0};
+  fe tmp0 = {0};
+  fe tmp1 = {0};
+  int pos = 0;
+  unsigned int swap = 0;
+  unsigned int b = 0;
+
+  /* Clamp already done during key generation and import */
+#if 0
+  {
+    unsigned int i;
+    for (i = 0;i < 32;++i) e[i] = n[i];
+    e[0] &= 248;
+    e[31] &= 127;
+    e[31] |= 64;
+  }
+#endif
 
   fe_frombytes(x1,p);
   fe_1(x2);
@@ -133,7 +164,11 @@ int curve25519(byte* q, byte* n, byte* p)
 
   swap = 0;
   for (pos = 254;pos >= 0;--pos) {
+#if 0
     b = e[pos / 8] >> (pos & 7);
+#else
+    b = n[pos / 8] >> (pos & 7);
+#endif
     b &= 1;
     swap ^= b;
     fe_cswap(x2,x3,swap);
@@ -169,6 +204,7 @@ int curve25519(byte* q, byte* n, byte* p)
 
   return 0;
 }
+#endif /* HAVE_CURVE25519 && !CURVE25519_SMALL && !FREESCALE_LTC_ECC */
 
 
 /*
@@ -287,24 +323,24 @@ void fe_sq(fe h,const fe f)
   int64_t carry8;
   int64_t carry9;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
 
-  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (int64_t) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry5 = (h5 + (int64_t) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
 
-  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (int64_t) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry6 = (h6 + (int64_t) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
 
-  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (int64_t) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry7 = (h7 + (int64_t) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
 
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry8 = (h8 + (int64_t) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
 
-  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (int64_t) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
 
   h[0] = (int32_t)h0;
   h[1] = (int32_t)h1;
@@ -460,38 +496,38 @@ void fe_tobytes(unsigned char *s,const fe h)
   Goal: Output h0+...+2^230 h9.
   */
 
-  s[0] = h0 >> 0;
-  s[1] = h0 >> 8;
-  s[2] = h0 >> 16;
-  s[3] = (h0 >> 24) | (h1 << 2);
-  s[4] = h1 >> 6;
-  s[5] = h1 >> 14;
-  s[6] = (h1 >> 22) | (h2 << 3);
-  s[7] = h2 >> 5;
-  s[8] = h2 >> 13;
-  s[9] = (h2 >> 21) | (h3 << 5);
-  s[10] = h3 >> 3;
-  s[11] = h3 >> 11;
-  s[12] = (h3 >> 19) | (h4 << 6);
-  s[13] = h4 >> 2;
-  s[14] = h4 >> 10;
-  s[15] = h4 >> 18;
-  s[16] = h5 >> 0;
-  s[17] = h5 >> 8;
-  s[18] = h5 >> 16;
-  s[19] = (h5 >> 24) | (h6 << 1);
-  s[20] = h6 >> 7;
-  s[21] = h6 >> 15;
-  s[22] = (h6 >> 23) | (h7 << 3);
-  s[23] = h7 >> 5;
-  s[24] = h7 >> 13;
-  s[25] = (h7 >> 21) | (h8 << 4);
-  s[26] = h8 >> 4;
-  s[27] = h8 >> 12;
-  s[28] = (h8 >> 20) | (h9 << 6);
-  s[29] = h9 >> 2;
-  s[30] = h9 >> 10;
-  s[31] = h9 >> 18;
+  s[0] = (byte)(h0 >> 0);
+  s[1] = (byte)(h0 >> 8);
+  s[2] = (byte)(h0 >> 16);
+  s[3] = (byte)((h0 >> 24) | (h1 << 2));
+  s[4] = (byte)(h1 >> 6);
+  s[5] = (byte)(h1 >> 14);
+  s[6] = (byte)((h1 >> 22) | (h2 << 3));
+  s[7] = (byte)(h2 >> 5);
+  s[8] = (byte)(h2 >> 13);
+  s[9] = (byte)((h2 >> 21) | (h3 << 5));
+  s[10] = (byte)(h3 >> 3);
+  s[11] = (byte)(h3 >> 11);
+  s[12] = (byte)((h3 >> 19) | (h4 << 6));
+  s[13] = (byte)(h4 >> 2);
+  s[14] = (byte)(h4 >> 10);
+  s[15] = (byte)(h4 >> 18);
+  s[16] = (byte)(h5 >> 0);
+  s[17] = (byte)(h5 >> 8);
+  s[18] = (byte)(h5 >> 16);
+  s[19] = (byte)((h5 >> 24) | (h6 << 1));
+  s[20] = (byte)(h6 >> 7);
+  s[21] = (byte)(h6 >> 15);
+  s[22] = (byte)((h6 >> 23) | (h7 << 3));
+  s[23] = (byte)(h7 >> 5);
+  s[24] = (byte)(h7 >> 13);
+  s[25] = (byte)((h7 >> 21) | (h8 << 4));
+  s[26] = (byte)(h8 >> 4);
+  s[27] = (byte)(h8 >> 12);
+  s[28] = (byte)((h8 >> 20) | (h9 << 6));
+  s[29] = (byte)(h9 >> 2);
+  s[30] = (byte)(h9 >> 10);
+  s[31] = (byte)(h9 >> 18);
 }
 
 
@@ -552,6 +588,8 @@ void fe_sub(fe h,const fe f,const fe g)
 }
 
 
+#if defined(HAVE_CURVE25519) || \
+    (defined(HAVE_ED25519) && !defined(ED25519_SMALL))
 /*
 Ignores top bit of h.
 */
@@ -579,17 +617,17 @@ void fe_frombytes(fe h,const unsigned char *s)
   int64_t carry8;
   int64_t carry9;
 
-  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry9 = (h9 + (int64_t) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry1 = (h1 + (int64_t) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry3 = (h3 + (int64_t) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry5 = (h5 + (int64_t) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry7 = (h7 + (int64_t) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry2 = (h2 + (int64_t) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry6 = (h6 + (int64_t) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry8 = (h8 + (int64_t) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
 
   h[0] = (int32_t)h0;
   h[1] = (int32_t)h1;
@@ -602,15 +640,16 @@ void fe_frombytes(fe h,const unsigned char *s)
   h[8] = (int32_t)h8;
   h[9] = (int32_t)h9;
 }
+#endif
 
 
 void fe_invert(fe out,const fe z)
 {
-  fe t0;
-  fe t1;
-  fe t2;
-  fe t3;
-  int i;
+  fe t0 = {0};
+  fe t1 = {0};
+  fe t2 = {0};
+  fe t3 = {0};
+  int i = 0;
 
   /* pow225521 */
   fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
@@ -865,46 +904,46 @@ void fe_mul(fe h,const fe f,const fe g)
     i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
   */
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
   /* |h0| <= 2^25 */
   /* |h4| <= 2^25 */
   /* |h1| <= 1.71*2^59 */
   /* |h5| <= 1.71*2^59 */
 
-  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (int64_t) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry5 = (h5 + (int64_t) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
   /* |h1| <= 2^24; from now on fits into int32 */
   /* |h5| <= 2^24; from now on fits into int32 */
   /* |h2| <= 1.41*2^60 */
   /* |h6| <= 1.41*2^60 */
 
-  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (int64_t) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry6 = (h6 + (int64_t) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
   /* |h2| <= 2^25; from now on fits into int32 unchanged */
   /* |h6| <= 2^25; from now on fits into int32 unchanged */
   /* |h3| <= 1.71*2^59 */
   /* |h7| <= 1.71*2^59 */
 
-  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (int64_t) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry7 = (h7 + (int64_t) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
   /* |h3| <= 2^24; from now on fits into int32 unchanged */
   /* |h7| <= 2^24; from now on fits into int32 unchanged */
   /* |h4| <= 1.72*2^34 */
   /* |h8| <= 1.41*2^60 */
 
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry8 = (h8 + (int64_t) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
   /* |h4| <= 2^25; from now on fits into int32 unchanged */
   /* |h8| <= 2^25; from now on fits into int32 unchanged */
   /* |h5| <= 1.01*2^24 */
   /* |h9| <= 1.71*2^59 */
 
-  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (int64_t) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
   /* |h9| <= 2^24; from now on fits into int32 unchanged */
   /* |h0| <= 1.1*2^39 */
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
   /* |h0| <= 2^25; from now on fits into int32 unchanged */
   /* |h1| <= 1.01*2^24 */
 
@@ -928,7 +967,7 @@ replace (f,g) with (f,g) if b == 0.
 Preconditions: b in {0,1}.
 */
 
-void fe_cswap(fe f,fe g,unsigned int b)
+void fe_cswap(fe f, fe g, int b)
 {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -1038,17 +1077,17 @@ void fe_mul121666(fe h,fe f)
   int64_t carry8;
   int64_t carry9;
 
-  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
-  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
-  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry9 = (h9 + (int64_t) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry1 = (h1 + (int64_t) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry3 = (h3 + (int64_t) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry5 = (h5 + (int64_t) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry7 = (h7 + (int64_t) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
-  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry2 = (h2 + (int64_t) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry6 = (h6 + (int64_t) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry8 = (h8 + (int64_t) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
 
   h[0] = (int32_t)h0;
   h[1] = (int32_t)h1;
@@ -1190,24 +1229,24 @@ void fe_sq2(fe h,const fe f)
   h8 += h8;
   h9 += h9;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
 
-  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
-  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry1 = (h1 + (int64_t) (1UL<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry5 = (h5 + (int64_t) (1UL<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
 
-  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
-  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry2 = (h2 + (int64_t) (1UL<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry6 = (h6 + (int64_t) (1UL<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
 
-  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
-  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+  carry3 = (h3 + (int64_t) (1UL<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry7 = (h7 + (int64_t) (1UL<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
 
-  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
-  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+  carry4 = (h4 + (int64_t) (1UL<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry8 = (h8 + (int64_t) (1UL<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
 
-  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry9 = (h9 + (int64_t) (1UL<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
 
-  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry0 = (h0 + (int64_t) (1UL<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
 
   h[0] = (int32_t)h0;
   h[1] = (int32_t)h1;
@@ -1224,10 +1263,10 @@ void fe_sq2(fe h,const fe f)
 
 void fe_pow22523(fe out,const fe z)
 {
-  fe t0;
-  fe t1;
-  fe t2;
-  int i;
+  fe t0 = {0};
+  fe t1 = {0};
+  fe t2 = {0};
+  int i = 0;
 
   fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
   fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1);
@@ -1306,7 +1345,7 @@ Preconditions:
    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 */
 
-static const unsigned char zero[32];
+static const unsigned char zero[32] = {0};
 
 int fe_isnonzero(const fe f)
 {
@@ -1339,7 +1378,7 @@ replace (f,g) with (f,g) if b == 0.
 Preconditions: b in {0,1}.
 */
 
-void fe_cmov(fe f,const fe g,unsigned int b)
+void fe_cmov(fe f, const fe g, int b)
 {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -1393,5 +1432,7 @@ void fe_cmov(fe f,const fe g,unsigned int b)
   f[8] = f8 ^ x8;
   f[9] = f9 ^ x9;
 }
-#endif /* HAVE ED25519 or CURVE25519 */
+#endif
 
+#endif /* !CURVE25519_SMALL || !ED25519_SMALL */
+#endif /* HAVE_CURVE25519 || HAVE_ED25519 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_128.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_128.i
new file mode 100644
index 000000000..10e43d9cd
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_128.i
@@ -0,0 +1,625 @@
+/* fe_x25519_128.i
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+void fe_init(void)
+{
+}
+
+/* Convert a number represented as an array of bytes to an array of words with
+ * 51-bits of data in each word.
+ *
+ * in   An array of bytes.
+ * out  An array of words.
+ */
+void fe_frombytes(fe out, const unsigned char *in)
+{
+    out[0] = (((int64_t)((in[ 0]      )       ))      )
+           | (((int64_t)((in[ 1]      )       )) <<  8)
+           | (((int64_t)((in[ 2]      )       )) << 16)
+           | (((int64_t)((in[ 3]      )       )) << 24)
+           | (((int64_t)((in[ 4]      )       )) << 32)
+           | (((int64_t)((in[ 5]      )       )) << 40)
+           | (((int64_t)((in[ 6]      ) & 0x07)) << 48);
+    out[1] = (((int64_t)((in[ 6] >>  3) & 0x1f))      )
+           | (((int64_t)((in[ 7]      )       )) <<  5)
+           | (((int64_t)((in[ 8]      )       )) << 13)
+           | (((int64_t)((in[ 9]      )       )) << 21)
+           | (((int64_t)((in[10]      )       )) << 29)
+           | (((int64_t)((in[11]      )       )) << 37)
+           | (((int64_t)((in[12]      ) & 0x3f)) << 45);
+    out[2] = (((int64_t)((in[12] >>  6) & 0x03))      )
+           | (((int64_t)((in[13]      )       )) <<  2)
+           | (((int64_t)((in[14]      )       )) << 10)
+           | (((int64_t)((in[15]      )       )) << 18)
+           | (((int64_t)((in[16]      )       )) << 26)
+           | (((int64_t)((in[17]      )       )) << 34)
+           | (((int64_t)((in[18]      )       )) << 42)
+           | (((int64_t)((in[19]      ) & 0x01)) << 50);
+    out[3] = (((int64_t)((in[19] >>  1) & 0x7f))      )
+           | (((int64_t)((in[20]      )       )) <<  7)
+           | (((int64_t)((in[21]      )       )) << 15)
+           | (((int64_t)((in[22]      )       )) << 23)
+           | (((int64_t)((in[23]      )       )) << 31)
+           | (((int64_t)((in[24]      )       )) << 39)
+           | (((int64_t)((in[25]      ) & 0x0f)) << 47);
+    out[4] = (((int64_t)((in[25] >>  4) & 0x0f))      )
+           | (((int64_t)((in[26]      )       )) <<  4)
+           | (((int64_t)((in[27]      )       )) << 12)
+           | (((int64_t)((in[28]      )       )) << 20)
+           | (((int64_t)((in[29]      )       )) << 28)
+           | (((int64_t)((in[30]      )       )) << 36)
+           | (((int64_t)((in[31]      ) & 0x7f)) << 44);
+}
+
+/* Convert a number represented as an array of words to an array of bytes.
+ * The array of words is normalized to an array of 51-bit data words and if
+ * greater than the mod, modulo reduced by the prime 2^255 - 1.
+ *
+ * n    An array of words.
+ * out  An array of bytes.
+ */
+void fe_tobytes(unsigned char *out, const fe n)
+{
+    fe      in;
+    int64_t c;
+
+    in[0] = n[0];
+    in[1] = n[1];
+    in[2] = n[2];
+    in[3] = n[3];
+    in[4] = n[4];
+
+    /* Normalize to 51-bits of data per word. */
+    in[0] += (in[4] >> 51) * 19; in[4] &= 0x7ffffffffffff;
+
+    in[1] += in[0] >> 51; in[0] &= 0x7ffffffffffff;
+    in[2] += in[1] >> 51; in[1] &= 0x7ffffffffffff;
+    in[3] += in[2] >> 51; in[2] &= 0x7ffffffffffff;
+    in[4] += in[3] >> 51; in[3] &= 0x7ffffffffffff;
+    in[0] += (in[4] >> 51) * 19;
+    in[4] &= 0x7ffffffffffff;
+
+    c = (in[0] + 19) >> 51;
+    c = (in[1] + c) >> 51;
+    c = (in[2] + c) >> 51;
+    c = (in[3] + c) >> 51;
+    c = (in[4] + c) >> 51;
+    in[0] += c * 19;
+    in[1] += in[0] >> 51; in[0] &= 0x7ffffffffffff;
+    in[2] += in[1] >> 51; in[1] &= 0x7ffffffffffff;
+    in[3] += in[2] >> 51; in[2] &= 0x7ffffffffffff;
+    in[4] += in[3] >> 51; in[3] &= 0x7ffffffffffff;
+    in[4] &= 0x7ffffffffffff;
+
+    out[ 0] = (((byte)((in[0]      )       ))      );
+    out[ 1] = (((byte)((in[0] >>  8)       ))      );
+    out[ 2] = (((byte)((in[0] >> 16)       ))      );
+    out[ 3] = (((byte)((in[0] >> 24)       ))      );
+    out[ 4] = (((byte)((in[0] >> 32)       ))      );
+    out[ 5] = (((byte)((in[0] >> 40)       ))      );
+    out[ 6] = (((byte)((in[0] >> 48) & 0x07))      )
+            | (((byte)((in[1]      ) & 0x1f)) <<  3);
+    out[ 7] = (((byte)((in[1] >>  5)       ))      );
+    out[ 8] = (((byte)((in[1] >> 13)       ))      );
+    out[ 9] = (((byte)((in[1] >> 21)       ))      );
+    out[10] = (((byte)((in[1] >> 29)       ))      );
+    out[11] = (((byte)((in[1] >> 37)       ))      );
+    out[12] = (((byte)((in[1] >> 45) & 0x3f))      )
+            | (((byte)((in[2]      ) & 0x03)) <<  6);
+    out[13] = (((byte)((in[2] >>  2)       ))      );
+    out[14] = (((byte)((in[2] >> 10)       ))      );
+    out[15] = (((byte)((in[2] >> 18)       ))      );
+    out[16] = (((byte)((in[2] >> 26)       ))      );
+    out[17] = (((byte)((in[2] >> 34)       ))      );
+    out[18] = (((byte)((in[2] >> 42)       ))      );
+    out[19] = (((byte)((in[2] >> 50) & 0x01))      )
+            | (((byte)((in[3]      ) & 0x7f)) <<  1);
+    out[20] = (((byte)((in[3] >>  7)       ))      );
+    out[21] = (((byte)((in[3] >> 15)       ))      );
+    out[22] = (((byte)((in[3] >> 23)       ))      );
+    out[23] = (((byte)((in[3] >> 31)       ))      );
+    out[24] = (((byte)((in[3] >> 39)       ))      );
+    out[25] = (((byte)((in[3] >> 47) & 0x0f))      )
+            | (((byte)((in[4]      ) & 0x0f)) <<  4);
+    out[26] = (((byte)((in[4] >>  4)       ))      );
+    out[27] = (((byte)((in[4] >> 12)       ))      );
+    out[28] = (((byte)((in[4] >> 20)       ))      );
+    out[29] = (((byte)((in[4] >> 28)       ))      );
+    out[30] = (((byte)((in[4] >> 36)       ))      );
+    out[31] = (((byte)((in[4] >> 44) & 0x7f))      );
+}
+
+/* Set the field element to 1.
+ *
+ * n  The field element number.
+ */
+void fe_1(fe n)
+{
+    n[0] = 0x0000000000001;
+    n[1] = 0x0000000000000;
+    n[2] = 0x0000000000000;
+    n[3] = 0x0000000000000;
+    n[4] = 0x0000000000000;
+}
+
+/* Set the field element to 0.
+ *
+ * n  The field element number.
+ */
+void fe_0(fe n)
+{
+    n[0] = 0x0000000000000;
+    n[1] = 0x0000000000000;
+    n[2] = 0x0000000000000;
+    n[3] = 0x0000000000000;
+    n[4] = 0x0000000000000;
+}
+
+/* Copy field element a into field element r.
+ *
+ * r  Field element to copy into.
+ * a  Field element to copy.
+ */
+void fe_copy(fe r, const fe a)
+{
+    r[0] = a[0];
+    r[1] = a[1];
+    r[2] = a[2];
+    r[3] = a[3];
+    r[4] = a[4];
+}
+
+/* Constant time, conditional swap of field elements a and b.
+ *
+ * a  A field element.
+ * b  A field element.
+ * c  If 1 then swap and if 0 then don't swap.
+ */
+void fe_cswap(fe a, fe b, int c)
+{
+    int64_t m = c;
+    int64_t t0, t1, t2, t3, t4;
+
+    /* Convert conditional into mask. */
+    m = -m;
+    t0 = m & (a[0] ^ b[0]);
+    t1 = m & (a[1] ^ b[1]);
+    t2 = m & (a[2] ^ b[2]);
+    t3 = m & (a[3] ^ b[3]);
+    t4 = m & (a[4] ^ b[4]);
+
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+
+    b[0] ^= t0;
+    b[1] ^= t1;
+    b[2] ^= t2;
+    b[3] ^= t3;
+    b[4] ^= t4;
+}
+
+/* Subtract b from a into r. (r = a - b)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_sub(fe r, const fe a, const fe b)
+{
+    r[0] = a[0] - b[0];
+    r[1] = a[1] - b[1];
+    r[2] = a[2] - b[2];
+    r[3] = a[3] - b[3];
+    r[4] = a[4] - b[4];
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_add(fe r, const fe a, const fe b)
+{
+    r[0] = a[0] + b[0];
+    r[1] = a[1] + b[1];
+    r[2] = a[2] + b[2];
+    r[3] = a[3] + b[3];
+    r[4] = a[4] + b[4];
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_mul(fe r, const fe a, const fe b)
+{
+    const __int128_t k19 = 19;
+    __int128_t t0 = ((__int128_t)a[0]) * b[0];
+    __int128_t t1 = ((__int128_t)a[0]) * b[1]
+                  + ((__int128_t)a[1]) * b[0];
+    __int128_t t2 = ((__int128_t)a[0]) * b[2]
+                  + ((__int128_t)a[1]) * b[1]
+                  + ((__int128_t)a[2]) * b[0];
+    __int128_t t3 = ((__int128_t)a[0]) * b[3]
+                  + ((__int128_t)a[1]) * b[2]
+                  + ((__int128_t)a[2]) * b[1]
+                  + ((__int128_t)a[3]) * b[0];
+    __int128_t t4 = ((__int128_t)a[0]) * b[4]
+                  + ((__int128_t)a[1]) * b[3]
+                  + ((__int128_t)a[2]) * b[2]
+                  + ((__int128_t)a[3]) * b[1]
+                  + ((__int128_t)a[4]) * b[0];
+    __int128_t t5 = ((__int128_t)a[1]) * b[4]
+                  + ((__int128_t)a[2]) * b[3]
+                  + ((__int128_t)a[3]) * b[2]
+                  + ((__int128_t)a[4]) * b[1];
+    __int128_t t6 = ((__int128_t)a[2]) * b[4]
+                  + ((__int128_t)a[3]) * b[3]
+                  + ((__int128_t)a[4]) * b[2];
+    __int128_t t7 = ((__int128_t)a[3]) * b[4]
+                  + ((__int128_t)a[4]) * b[3];
+    __int128_t t8 = ((__int128_t)a[4]) * b[4];
+
+    /* Modulo reduce double long word. */
+    t0 += t5 * k19;
+    t1 += t6 * k19;
+    t2 += t7 * k19;
+    t3 += t8 * k19;
+
+    /* Normalize to 51-bits of data per word. */
+    t0 += (t4 >> 51) * k19; t4 &= 0x7ffffffffffff;
+
+    t1 += t0 >> 51; r[0] = t0 & 0x7ffffffffffff;
+    t2 += t1 >> 51; r[1] = t1 & 0x7ffffffffffff;
+    t3 += t2 >> 51; r[2] = t2 & 0x7ffffffffffff;
+    t4 += t3 >> 51; r[3] = t3 & 0x7ffffffffffff;
+    r[0] += (t4 >> 51) * k19;
+    r[4] = t4 & 0x7ffffffffffff;
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_sq(fe r, const fe a)
+{
+    const __int128_t k19 = 19;
+    const __int128_t k2 = 2;
+    __int128_t t0 = ((__int128_t)a[0]) * a[0];
+    __int128_t t1 = ((__int128_t)a[0]) * a[1] * k2;
+    __int128_t t2 = ((__int128_t)a[0]) * a[2] * k2
+                  + ((__int128_t)a[1]) * a[1];
+    __int128_t t3 = ((__int128_t)a[0]) * a[3] * k2
+                  + ((__int128_t)a[1]) * a[2] * k2;
+    __int128_t t4 = ((__int128_t)a[0]) * a[4] * k2
+                  + ((__int128_t)a[1]) * a[3] * k2
+                  + ((__int128_t)a[2]) * a[2];
+    __int128_t t5 = ((__int128_t)a[1]) * a[4] * k2
+                  + ((__int128_t)a[2]) * a[3] * k2;
+    __int128_t t6 = ((__int128_t)a[2]) * a[4] * k2
+                  + ((__int128_t)a[3]) * a[3];
+    __int128_t t7 = ((__int128_t)a[3]) * a[4] * k2;
+    __int128_t t8 = ((__int128_t)a[4]) * a[4];
+
+    /* Modulo reduce double long word. */
+    t0 += t5 * k19;
+    t1 += t6 * k19;
+    t2 += t7 * k19;
+    t3 += t8 * k19;
+
+    /* Normalize to 51-bits of data per word. */
+    t0 += (t4 >> 51) * k19; t4 &= 0x7ffffffffffff;
+
+    t1 += t0 >> 51; r[0] = t0 & 0x7ffffffffffff;
+    t2 += t1 >> 51; r[1] = t1 & 0x7ffffffffffff;
+    t3 += t2 >> 51; r[2] = t2 & 0x7ffffffffffff;
+    t4 += t3 >> 51; r[3] = t3 & 0x7ffffffffffff;
+    r[0] += (t4 >> 51) * k19;
+    r[4] = t4 & 0x7ffffffffffff;
+}
+
+/* Multiply a by 121666 and put result in r. (r = 121666 * a)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_mul121666(fe r, fe a)
+{
+    const __int128_t k19 = 19;
+    const __int128_t k121666 = 121666;
+    __int128_t t0 = ((__int128_t)a[0]) * k121666;
+    __int128_t t1 = ((__int128_t)a[1]) * k121666;
+    __int128_t t2 = ((__int128_t)a[2]) * k121666;
+    __int128_t t3 = ((__int128_t)a[3]) * k121666;
+    __int128_t t4 = ((__int128_t)a[4]) * k121666;
+
+    /* Normalize to 51-bits of data per word. */
+    t0 += (t4 >> 51) * k19; t4 &= 0x7ffffffffffff;
+
+    t1 += t0 >> 51; r[0] = t0 & 0x7ffffffffffff;
+    t2 += t1 >> 51; r[1] = t1 & 0x7ffffffffffff;
+    t3 += t2 >> 51; r[2] = t2 & 0x7ffffffffffff;
+    t4 += t3 >> 51; r[3] = t3 & 0x7ffffffffffff;
+    r[0] += (t4 >> 51) * k19;
+    r[4] = t4 & 0x7ffffffffffff;
+}
+
+/* Find the inverse of a modulo 2^255 - 1 and put result in r.
+ * (r * a) mod (2^255 - 1) = 1
+ * Implementation is constant time.
+ *
+ * r  A field element.
+ * a  A field element.
+ */
+void fe_invert(fe r, const fe a)
+{
+    fe  t0, t1, t2, t3;
+    int i;
+
+    /* a ^ (2^255 - 21) */
+    fe_sq(t0,  a); for (i = 1; i <   1; ++i) fe_sq(t0, t0);
+    fe_sq(t1, t0); for (i = 1; i <   2; ++i) fe_sq(t1, t1); fe_mul(t1,  a, t1);
+    fe_mul(t0, t0, t1);
+    fe_sq(t2, t0); for (i = 1; i <   1; ++i) fe_sq(t2, t2); fe_mul(t1, t1, t2);
+    fe_sq(t2, t1); for (i = 1; i <   5; ++i) fe_sq(t2, t2); fe_mul(t1, t2, t1);
+    fe_sq(t2, t1); for (i = 1; i <  10; ++i) fe_sq(t2, t2); fe_mul(t2, t2, t1);
+    fe_sq(t3, t2); for (i = 1; i <  20; ++i) fe_sq(t3, t3); fe_mul(t2, t3, t2);
+    fe_sq(t2, t2); for (i = 1; i <  10; ++i) fe_sq(t2, t2); fe_mul(t1, t2, t1);
+    fe_sq(t2, t1); for (i = 1; i <  50; ++i) fe_sq(t2, t2); fe_mul(t2, t2, t1);
+    fe_sq(t3, t2); for (i = 1; i < 100; ++i) fe_sq(t3, t3); fe_mul(t2, t3, t2);
+    fe_sq(t2, t2); for (i = 1; i <  50; ++i) fe_sq(t2, t2); fe_mul(t1, t2, t1);
+    fe_sq(t1, t1); for (i = 1; i <   5; ++i) fe_sq(t1, t1); fe_mul( r, t1, t0);
+}
+
+#ifndef CURVE25519_SMALL
+/* Scalar multiply the field element a by n using Montgomery Ladder and places
+ * result in r.
+ *
+ * r  A field element as an array of bytes.
+ * n  The scalar as an array of bytes.
+ * a  A field element as an array of bytes.
+ */
+int curve25519(byte* r, byte* n, byte* a)
+{
+    fe           x1, x2, z2, x3, z3;
+    fe           t0, t1;
+    int          pos;
+    unsigned int swap;
+    unsigned int b;
+
+    fe_frombytes(x1, a);
+    fe_1(x2);
+    fe_0(z2);
+    fe_copy(x3, x1);
+    fe_1(z3);
+
+    swap = 0;
+    for (pos = 254;pos >= 0;--pos) {
+        b = n[pos / 8] >> (pos & 7);
+        b &= 1;
+        swap ^= b;
+        fe_cswap(x2, x3, swap);
+        fe_cswap(z2, z3, swap);
+        swap = b;
+
+        fe_sub(t0, x3, z3);
+        fe_sub(t1, x2, z2);
+        fe_add(x2, x2, z2);
+        fe_add(z2, x3, z3);
+        fe_mul(z3, t0, x2);
+        fe_mul(z2, z2, t1);
+        fe_sq(t0, t1);
+        fe_sq(t1, x2);
+        fe_add(x3, z3, z2);
+        fe_sub(z2, z3, z2);
+        fe_mul(x2, t1, t0);
+        fe_sub(t1, t1, t0);
+        fe_sq(z2, z2);
+        fe_mul121666(z3, t1);
+        fe_sq(x3, x3);
+        fe_add(t0, t0, z3);
+        fe_mul(z3, x1, z2);
+        fe_mul(z2, t1, t0);
+    }
+    fe_cswap(x2, x3, swap);
+    fe_cswap(z2, z3, swap);
+
+    fe_invert(z2, z2);
+    fe_mul(x2, x2, z2);
+    fe_tobytes(r, x2);
+
+    return 0;
+}
+#endif /* !CURVE25519_SMALL */
+
+/* The field element value 0 as an array of bytes. */
+static const unsigned char zero[32] = {0};
+
+/* Constant time check as to whether a is not 0.
+ *
+ * a  A field element.
+ */
+int fe_isnonzero(const fe a)
+{
+    unsigned char s[32];
+    fe_tobytes(s, a);
+    return ConstantCompare(s, zero, 32);
+}
+
+/* Checks whether a is negative.
+ *
+ * a  A field element.
+ */
+int fe_isnegative(const fe a)
+{
+    unsigned char s[32];
+    fe_tobytes(s, a);
+    return s[0] & 1;
+}
+
+/* Negates field element a and stores the result in r.
+ *
+ * r  A field element.
+ * a  A field element.
+ */
+void fe_neg(fe r, const fe a)
+{
+    r[0] = -a[0];
+    r[1] = -a[1];
+    r[2] = -a[2];
+    r[3] = -a[3];
+    r[4] = -a[4];
+}
+
+/* Constant time, conditional move of b into a.
+ * a is not changed if the condition is 0.
+ *
+ * a  A field element.
+ * b  A field element.
+ * c  If 1 then copy and if 0 then don't copy.
+ */
+void fe_cmov(fe a, const fe b, int c)
+{
+    int64_t m = c;
+    int64_t t0, t1, t2, t3, t4;
+
+    /* Convert conditional into mask. */
+    m = -m;
+    t0 = m & (a[0] ^ b[0]);
+    t1 = m & (a[1] ^ b[1]);
+    t2 = m & (a[2] ^ b[2]);
+    t3 = m & (a[3] ^ b[3]);
+    t4 = m & (a[4] ^ b[4]);
+
+    a[0] ^= t0;
+    a[1] ^= t1;
+    a[2] ^= t2;
+    a[3] ^= t3;
+    a[4] ^= t4;
+}
+
+void fe_pow22523(fe r, const fe a)
+{
+    fe t0, t1, t2;
+    int i;
+
+    /* a ^ (2^255 - 23) */
+    fe_sq(t0,  a); for (i = 1; i <   1; ++i) fe_sq(t0, t0);
+    fe_sq(t1, t0); for (i = 1; i <   2; ++i) fe_sq(t1, t1); fe_mul(t1,  a, t1);
+    fe_mul(t0, t0, t1);
+    fe_sq(t0, t0); for (i = 1; i <   1; ++i) fe_sq(t0, t0); fe_mul(t0, t1, t0);
+    fe_sq(t1, t0); for (i = 1; i <   5; ++i) fe_sq(t1, t1); fe_mul(t0, t1, t0);
+    fe_sq(t1, t0); for (i = 1; i <  10; ++i) fe_sq(t1, t1); fe_mul(t1, t1, t0);
+    fe_sq(t2, t1); for (i = 1; i <  20; ++i) fe_sq(t2, t2); fe_mul(t1, t2, t1);
+    fe_sq(t1, t1); for (i = 1; i <  10; ++i) fe_sq(t1, t1); fe_mul(t0, t1, t0);
+    fe_sq(t1, t0); for (i = 1; i <  50; ++i) fe_sq(t1, t1); fe_mul(t1, t1, t0);
+    fe_sq(t2, t1); for (i = 1; i < 100; ++i) fe_sq(t2, t2); fe_mul(t1, t2, t1);
+    fe_sq(t1, t1); for (i = 1; i <  50; ++i) fe_sq(t1, t1); fe_mul(t0, t1, t0);
+    fe_sq(t0, t0); for (i = 1; i <   2; ++i) fe_sq(t0, t0); fe_mul( r, t0, a);
+
+    return;
+}
+
+/* Double the square of a and put result in r. (r = 2 * a * a)
+ *
+ * r  A field element.
+ * a  A field element.
+ * b  A field element.
+ */
+void fe_sq2(fe r, const fe a)
+{
+    const __int128_t k2 = 2;
+    const __int128_t k19 = 19;
+    __int128_t t0 = k2 * (((__int128_t)a[0]) * a[0]);
+    __int128_t t1 = k2 * (((__int128_t)a[0]) * a[1] * k2);
+    __int128_t t2 = k2 * (((__int128_t)a[0]) * a[2] * k2
+                  + ((__int128_t)a[1]) * a[1]);
+    __int128_t t3 = k2 * (((__int128_t)a[0]) * a[3] * k2
+                  + ((__int128_t)a[1]) * a[2] * k2);
+    __int128_t t4 = k2 * (((__int128_t)a[0]) * a[4] * k2
+                  + ((__int128_t)a[1]) * a[3] * k2
+                  + ((__int128_t)a[2]) * a[2]);
+    __int128_t t5 = k2 * (((__int128_t)a[1]) * a[4] * k2
+                  + ((__int128_t)a[2]) * a[3] * k2);
+    __int128_t t6 = k2 * (((__int128_t)a[2]) * a[4] * k2
+                  + ((__int128_t)a[3]) * a[3]);
+    __int128_t t7 = k2 * (((__int128_t)a[3]) * a[4] * k2);
+    __int128_t t8 = k2 * (((__int128_t)a[4]) * a[4]);
+
+    /* Modulo reduce double long word. */
+    t0 += t5 * k19;
+    t1 += t6 * k19;
+    t2 += t7 * k19;
+    t3 += t8 * k19;
+
+    /* Normalize to 51-bits of data per word. */
+    t0 += (t4 >> 51) * k19; t4 &= 0x7ffffffffffff;
+
+    t1 += t0 >> 51; r[0] = t0 & 0x7ffffffffffff;
+    t2 += t1 >> 51; r[1] = t1 & 0x7ffffffffffff;
+    t3 += t2 >> 51; r[2] = t2 & 0x7ffffffffffff;
+    t4 += t3 >> 51; r[3] = t3 & 0x7ffffffffffff;
+    r[0] += (t4 >> 51) * k19;
+    r[4] = t4 & 0x7ffffffffffff;
+}
+
+/* Load 3 little endian bytes into a 64-bit word.
+ *
+ * in  An array of bytes.
+ * returns a 64-bit word.
+ */
+uint64_t load_3(const unsigned char *in)
+{
+    uint64_t result;
+
+    result = ((((uint64_t)in[0])      ) |
+              (((uint64_t)in[1]) <<  8) |
+              (((uint64_t)in[2]) << 16));
+
+    return result;
+}
+
+/* Load 4 little endian bytes into a 64-bit word.
+ *
+ * in  An array of bytes.
+ * returns a 64-bit word.
+ */
+uint64_t load_4(const unsigned char *in)
+{
+    uint64_t result;
+
+    result = ((((uint64_t)in[0])      ) |
+              (((uint64_t)in[1]) <<  8) |
+              (((uint64_t)in[2]) << 16) |
+              (((uint64_t)in[3]) << 24));
+
+    return result;
+}
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_asm.S
new file mode 100644
index 000000000..6d0f638b5
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fe_x25519_asm.S
@@ -0,0 +1,16542 @@
+/* fe_x25519_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifndef __APPLE__
+.text
+.globl	fe_init
+.type	fe_init,@function
+.align	4
+fe_init:
+#else
+.section	__TEXT,__text
+.globl	_fe_init
+.p2align	2
+_fe_init:
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+        movq	cpuFlagsSet@GOTPCREL(%rip), %rax
+        movl	(%rax), %eax
+#else
+        movl	_cpuFlagsSet(%rip), %eax
+#endif /* __APPLE__ */
+        testl	%eax, %eax
+        je	L_fe_init_get_flags
+        repz retq
+L_fe_init_get_flags:
+#ifndef __APPLE__
+        callq	cpuid_get_flags@plt
+#else
+        callq	_cpuid_get_flags
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	intelFlags@GOTPCREL(%rip), %rdx
+        movl	%eax, (%rdx)
+#else
+        movl	%eax, _intelFlags(%rip)
+#endif /* __APPLE__ */
+        andl	$0x50, %eax
+        cmpl	$0x50, %eax
+        jne	L_fe_init_flags_done
+#ifndef __APPLE__
+        movq	fe_mul_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_mul_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_mul_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_mul_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_sq_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_sq_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_sq_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_sq_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_mul121666_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_mul121666_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_mul121666_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_mul121666_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_sq2_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_sq2_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_sq2_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_sq2_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_invert_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_invert_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_invert_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_invert_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	curve25519_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_curve25519_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	curve25519_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _curve25519_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_pow22523_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_pow22523_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_pow22523_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_pow22523_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_to_p2_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_to_p2_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_to_p2_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_to_p2_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_to_p3_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_to_p3_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_to_p3_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_to_p3_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_dbl_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_dbl_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_dbl_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_dbl_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_madd_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_madd_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_madd_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_madd_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_msub_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_msub_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_msub_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_msub_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_add_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_add_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_add_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_add_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_sub_avx2@GOTPCREL(%rip), %rax
+#else
+        leaq	_fe_ge_sub_avx2(%rip), %rax
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        movq	fe_ge_sub_p@GOTPCREL(%rip), %rdx
+        movq	%rax, (%rdx)
+#else
+        movq	%rax, _fe_ge_sub_p(%rip)
+#endif /* __APPLE__ */
+L_fe_init_flags_done:
+#ifndef __APPLE__
+        movq	cpuFlagsSet@GOTPCREL(%rip), %rdx
+        movl	$0x1, (%rdx)
+#else
+        movl	$0x1, _cpuFlagsSet(%rip)
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+        repz retq
+#ifndef __APPLE__
+.size	fe_init,.-fe_init
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_frombytes
+.type	fe_frombytes,@function
+.align	4
+fe_frombytes:
+#else
+.section	__TEXT,__text
+.globl	_fe_frombytes
+.p2align	2
+_fe_frombytes:
+#endif /* __APPLE__ */
+        movq	$0x7fffffffffffffff, %r9
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        andq	%r9, %r8
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_frombytes,.-fe_frombytes
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_tobytes
+.type	fe_tobytes,@function
+.align	4
+fe_tobytes:
+#else
+.section	__TEXT,__text
+.globl	_fe_tobytes
+.p2align	2
+_fe_tobytes:
+#endif /* __APPLE__ */
+        movq	$0x7fffffffffffffff, %r10
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        addq	$19, %rdx
+        adcq	$0x00, %rax
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        shrq	$63, %r8
+        imulq	$19, %r8, %r9
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        addq	%r9, %rdx
+        adcq	$0x00, %rax
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        andq	%r10, %r8
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_tobytes,.-fe_tobytes
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_1
+.type	fe_1,@function
+.align	4
+fe_1:
+#else
+.section	__TEXT,__text
+.globl	_fe_1
+.p2align	2
+_fe_1:
+#endif /* __APPLE__ */
+        # Set one
+        movq	$0x01, (%rdi)
+        movq	$0x00, 8(%rdi)
+        movq	$0x00, 16(%rdi)
+        movq	$0x00, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_1,.-fe_1
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_0
+.type	fe_0,@function
+.align	4
+fe_0:
+#else
+.section	__TEXT,__text
+.globl	_fe_0
+.p2align	2
+_fe_0:
+#endif /* __APPLE__ */
+        # Set zero
+        movq	$0x00, (%rdi)
+        movq	$0x00, 8(%rdi)
+        movq	$0x00, 16(%rdi)
+        movq	$0x00, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_0,.-fe_0
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_copy
+.type	fe_copy,@function
+.align	4
+fe_copy:
+#else
+.section	__TEXT,__text
+.globl	_fe_copy
+.p2align	2
+_fe_copy:
+#endif /* __APPLE__ */
+        # Copy
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_copy,.-fe_copy
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sub
+.type	fe_sub,@function
+.align	4
+fe_sub:
+#else
+.section	__TEXT,__text
+.globl	_fe_sub
+.p2align	2
+_fe_sub:
+#endif /* __APPLE__ */
+        pushq	%r12
+        # Sub
+        movq	(%rsi), %rax
+        movq	8(%rsi), %rcx
+        movq	16(%rsi), %r8
+        movq	24(%rsi), %r9
+        subq	(%rdx), %rax
+        movq	$0x00, %r10
+        sbbq	8(%rdx), %rcx
+        movq	$-19, %r11
+        sbbq	16(%rdx), %r8
+        movq	$0x7fffffffffffffff, %r12
+        sbbq	24(%rdx), %r9
+        sbbq	$0x00, %r10
+        #   Mask the modulus
+        andq	%r10, %r11
+        andq	%r10, %r12
+        #   Add modulus (if underflow)
+        addq	%r11, %rax
+        adcq	%r10, %rcx
+        adcq	%r10, %r8
+        adcq	%r12, %r9
+        movq	%rax, (%rdi)
+        movq	%rcx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_sub,.-fe_sub
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_add
+.type	fe_add,@function
+.align	4
+fe_add:
+#else
+.section	__TEXT,__text
+.globl	_fe_add
+.p2align	2
+_fe_add:
+#endif /* __APPLE__ */
+        pushq	%r12
+        # Add
+        movq	(%rsi), %rax
+        movq	8(%rsi), %rcx
+        addq	(%rdx), %rax
+        movq	16(%rsi), %r8
+        adcq	8(%rdx), %rcx
+        movq	24(%rsi), %r10
+        adcq	16(%rdx), %r8
+        movq	$-19, %r11
+        adcq	24(%rdx), %r10
+        movq	$0x7fffffffffffffff, %r12
+        movq	%r10, %r9
+        sarq	$63, %r10
+        #   Mask the modulus
+        andq	%r10, %r11
+        andq	%r10, %r12
+        #   Sub modulus (if overflow)
+        subq	%r11, %rax
+        sbbq	%r10, %rcx
+        sbbq	%r10, %r8
+        sbbq	%r12, %r9
+        movq	%rax, (%rdi)
+        movq	%rcx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_add,.-fe_add
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_neg
+.type	fe_neg,@function
+.align	4
+fe_neg:
+#else
+.section	__TEXT,__text
+.globl	_fe_neg
+.p2align	2
+_fe_neg:
+#endif /* __APPLE__ */
+        movq	$-19, %rdx
+        movq	$-1, %rax
+        movq	$-1, %rcx
+        movq	$0x7fffffffffffffff, %r8
+        subq	(%rsi), %rdx
+        sbbq	8(%rsi), %rax
+        sbbq	16(%rsi), %rcx
+        sbbq	24(%rsi), %r8
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_neg,.-fe_neg
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_cmov
+.type	fe_cmov,@function
+.align	4
+fe_cmov:
+#else
+.section	__TEXT,__text
+.globl	_fe_cmov
+.p2align	2
+_fe_cmov:
+#endif /* __APPLE__ */
+        cmpl	$0x01, %edx
+        movq	(%rdi), %rcx
+        movq	8(%rdi), %r8
+        movq	16(%rdi), %r9
+        movq	24(%rdi), %r10
+        cmoveq	(%rsi), %rcx
+        cmoveq	8(%rsi), %r8
+        cmoveq	16(%rsi), %r9
+        cmoveq	24(%rsi), %r10
+        movq	%rcx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	fe_cmov,.-fe_cmov
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_isnonzero
+.type	fe_isnonzero,@function
+.align	4
+fe_isnonzero:
+#else
+.section	__TEXT,__text
+.globl	_fe_isnonzero
+.p2align	2
+_fe_isnonzero:
+#endif /* __APPLE__ */
+        movq	$0x7fffffffffffffff, %r10
+        movq	(%rdi), %rax
+        movq	8(%rdi), %rdx
+        movq	16(%rdi), %rcx
+        movq	24(%rdi), %r8
+        addq	$19, %rax
+        adcq	$0x00, %rdx
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        shrq	$63, %r8
+        imulq	$19, %r8, %r9
+        movq	(%rdi), %rax
+        movq	8(%rdi), %rdx
+        movq	16(%rdi), %rcx
+        movq	24(%rdi), %r8
+        addq	%r9, %rax
+        adcq	$0x00, %rdx
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        andq	%r10, %r8
+        orq	%rdx, %rax
+        orq	%rcx, %rax
+        orq	%r8, %rax
+        repz retq
+#ifndef __APPLE__
+.size	fe_isnonzero,.-fe_isnonzero
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_isnegative
+.type	fe_isnegative,@function
+.align	4
+fe_isnegative:
+#else
+.section	__TEXT,__text
+.globl	_fe_isnegative
+.p2align	2
+_fe_isnegative:
+#endif /* __APPLE__ */
+        movq	$0x7fffffffffffffff, %r11
+        movq	(%rdi), %rdx
+        movq	8(%rdi), %rcx
+        movq	16(%rdi), %r8
+        movq	24(%rdi), %r9
+        movq	%rdx, %rax
+        addq	$19, %rdx
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        shrq	$63, %r9
+        imulq	$19, %r9, %r10
+        addq	%r10, %rax
+        andq	$0x01, %rax
+        repz retq
+#ifndef __APPLE__
+.size	fe_isnegative,.-fe_isnegative
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_cmov_table
+.type	fe_cmov_table,@function
+.align	4
+fe_cmov_table:
+#else
+.section	__TEXT,__text
+.globl	_fe_cmov_table
+.p2align	2
+_fe_cmov_table:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        movq	%rdx, %rcx
+        movsbq	%cl, %rax
+        cdq
+        xorb	%dl, %al
+        subb	%dl, %al
+        movb	%al, %r15b
+        movq	$0x01, %rax
+        xorq	%rdx, %rdx
+        xorq	%r8, %r8
+        xorq	%r9, %r9
+        movq	$0x01, %r10
+        xorq	%r11, %r11
+        xorq	%r12, %r12
+        xorq	%r13, %r13
+        cmpb	$0x01, %r15b
+        movq	(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	8(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	16(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	24(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	32(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	40(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	48(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	56(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$2, %r15b
+        movq	96(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	104(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	112(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	120(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	128(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	136(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	144(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	152(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$3, %r15b
+        movq	192(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	200(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	208(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	216(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	224(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	232(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	240(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	248(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$4, %r15b
+        movq	288(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	296(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	304(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	312(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	320(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	328(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	336(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	344(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$5, %r15b
+        movq	384(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	392(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	400(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	408(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	416(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	424(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	432(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	440(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$6, %r15b
+        movq	480(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	488(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	496(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	504(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	512(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	520(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	528(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	536(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$7, %r15b
+        movq	576(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	584(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	592(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	600(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	608(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	616(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	624(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	632(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$8, %r15b
+        movq	672(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	680(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	688(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	696(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	704(%rsi), %r14
+        cmoveq	%r14, %r10
+        movq	712(%rsi), %r14
+        cmoveq	%r14, %r11
+        movq	720(%rsi), %r14
+        cmoveq	%r14, %r12
+        movq	728(%rsi), %r14
+        cmoveq	%r14, %r13
+        cmpb	$0x00, %cl
+        movq	%rax, %r14
+        cmovlq	%r10, %rax
+        cmovlq	%r14, %r10
+        movq	%rdx, %r14
+        cmovlq	%r11, %rdx
+        cmovlq	%r14, %r11
+        movq	%r8, %r14
+        cmovlq	%r12, %r8
+        cmovlq	%r14, %r12
+        movq	%r9, %r14
+        cmovlq	%r13, %r9
+        cmovlq	%r14, %r13
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        movq	%r10, 32(%rdi)
+        movq	%r11, 40(%rdi)
+        movq	%r12, 48(%rdi)
+        movq	%r13, 56(%rdi)
+        xorq	%rax, %rax
+        xorq	%rdx, %rdx
+        xorq	%r8, %r8
+        xorq	%r9, %r9
+        cmpb	$0x01, %r15b
+        movq	64(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	72(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	80(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	88(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$2, %r15b
+        movq	160(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	168(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	176(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	184(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$3, %r15b
+        movq	256(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	264(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	272(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	280(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$4, %r15b
+        movq	352(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	360(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	368(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	376(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$5, %r15b
+        movq	448(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	456(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	464(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	472(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$6, %r15b
+        movq	544(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	552(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	560(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	568(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$7, %r15b
+        movq	640(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	648(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	656(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	664(%rsi), %r14
+        cmoveq	%r14, %r9
+        cmpb	$8, %r15b
+        movq	736(%rsi), %r14
+        cmoveq	%r14, %rax
+        movq	744(%rsi), %r14
+        cmoveq	%r14, %rdx
+        movq	752(%rsi), %r14
+        cmoveq	%r14, %r8
+        movq	760(%rsi), %r14
+        cmoveq	%r14, %r9
+        movq	$-19, %r10
+        movq	$-1, %r11
+        movq	$-1, %r12
+        movq	$0x7fffffffffffffff, %r13
+        subq	%rax, %r10
+        sbbq	%rdx, %r11
+        sbbq	%r8, %r12
+        sbbq	%r9, %r13
+        cmpb	$0x00, %cl
+        cmovlq	%r10, %rax
+        cmovlq	%r11, %rdx
+        cmovlq	%r12, %r8
+        cmovlq	%r13, %r9
+        movq	%rax, 64(%rdi)
+        movq	%rdx, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r9, 88(%rdi)
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_cmov_table,.-fe_cmov_table
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_mul
+.type	fe_mul,@function
+.align	4
+fe_mul:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul
+.p2align	2
+_fe_mul:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_mul_p(%rip)
+#else
+        jmpq	*_fe_mul_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_mul,.-fe_mul
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq
+.type	fe_sq,@function
+.align	4
+fe_sq:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq
+.p2align	2
+_fe_sq:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_sq_p(%rip)
+#else
+        jmpq	*_fe_sq_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_sq,.-fe_sq
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_mul121666
+.type	fe_mul121666,@function
+.align	4
+fe_mul121666:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul121666
+.p2align	2
+_fe_mul121666:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_mul121666_p(%rip)
+#else
+        jmpq	*_fe_mul121666_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_mul121666,.-fe_mul121666
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq2
+.type	fe_sq2,@function
+.align	4
+fe_sq2:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq2
+.p2align	2
+_fe_sq2:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_sq2_p(%rip)
+#else
+        jmpq	*_fe_sq2_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_sq2,.-fe_sq2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_invert
+.type	fe_invert,@function
+.align	4
+fe_invert:
+#else
+.section	__TEXT,__text
+.globl	_fe_invert
+.p2align	2
+_fe_invert:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_invert_p(%rip)
+#else
+        jmpq	*_fe_invert_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_invert,.-fe_invert
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	curve25519
+.type	curve25519,@function
+.align	4
+curve25519:
+#else
+.section	__TEXT,__text
+.globl	_curve25519
+.p2align	2
+_curve25519:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*curve25519_p(%rip)
+#else
+        jmpq	*_curve25519_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	curve25519,.-curve25519
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_pow22523
+.type	fe_pow22523,@function
+.align	4
+fe_pow22523:
+#else
+.section	__TEXT,__text
+.globl	_fe_pow22523
+.p2align	2
+_fe_pow22523:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_pow22523_p(%rip)
+#else
+        jmpq	*_fe_pow22523_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_pow22523,.-fe_pow22523
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p2
+.type	fe_ge_to_p2,@function
+.align	4
+fe_ge_to_p2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p2
+.p2align	2
+_fe_ge_to_p2:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_to_p2_p(%rip)
+#else
+        jmpq	*_fe_ge_to_p2_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_to_p2,.-fe_ge_to_p2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p3
+.type	fe_ge_to_p3,@function
+.align	4
+fe_ge_to_p3:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p3
+.p2align	2
+_fe_ge_to_p3:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_to_p3_p(%rip)
+#else
+        jmpq	*_fe_ge_to_p3_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_to_p3,.-fe_ge_to_p3
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_dbl
+.type	fe_ge_dbl,@function
+.align	4
+fe_ge_dbl:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_dbl
+.p2align	2
+_fe_ge_dbl:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_dbl_p(%rip)
+#else
+        jmpq	*_fe_ge_dbl_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_dbl,.-fe_ge_dbl
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_madd
+.type	fe_ge_madd,@function
+.align	4
+fe_ge_madd:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_madd
+.p2align	2
+_fe_ge_madd:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_madd_p(%rip)
+#else
+        jmpq	*_fe_ge_madd_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_madd,.-fe_ge_madd
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_msub
+.type	fe_ge_msub,@function
+.align	4
+fe_ge_msub:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_msub
+.p2align	2
+_fe_ge_msub:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_msub_p(%rip)
+#else
+        jmpq	*_fe_ge_msub_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_msub,.-fe_ge_msub
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_add
+.type	fe_ge_add,@function
+.align	4
+fe_ge_add:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_add
+.p2align	2
+_fe_ge_add:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_add_p(%rip)
+#else
+        jmpq	*_fe_ge_add_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_add,.-fe_ge_add
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_sub
+.type	fe_ge_sub,@function
+.align	4
+fe_ge_sub:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_sub
+.p2align	2
+_fe_ge_sub:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        jmpq	*fe_ge_sub_p(%rip)
+#else
+        jmpq	*_fe_ge_sub_p(%rip)
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.size	fe_ge_sub,.-fe_ge_sub
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	cpuFlagsSet, @object
+.size	cpuFlagsSet,4
+cpuFlagsSet:
+	.long	0
+#else
+.section	__DATA,__data
+.p2align	2
+_cpuFlagsSet:
+	.long	0
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	intelFlags, @object
+.size	intelFlags,4
+intelFlags:
+	.long	0
+#else
+.section	__DATA,__data
+.p2align	2
+_intelFlags:
+	.long	0
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_mul_p, @object
+.size	fe_mul_p,8
+fe_mul_p:
+	.quad	fe_mul_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_mul_p:
+	.quad	_fe_mul_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_sq_p, @object
+.size	fe_sq_p,8
+fe_sq_p:
+	.quad	fe_sq_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_sq_p:
+	.quad	_fe_sq_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_mul121666_p, @object
+.size	fe_mul121666_p,8
+fe_mul121666_p:
+	.quad	fe_mul121666_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_mul121666_p:
+	.quad	_fe_mul121666_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_sq2_p, @object
+.size	fe_sq2_p,8
+fe_sq2_p:
+	.quad	fe_sq2_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_sq2_p:
+	.quad	_fe_sq2_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_invert_p, @object
+.size	fe_invert_p,8
+fe_invert_p:
+	.quad	fe_invert_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_invert_p:
+	.quad	_fe_invert_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	curve25519_p, @object
+.size	curve25519_p,8
+curve25519_p:
+	.quad	curve25519_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_curve25519_p:
+	.quad	_curve25519_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_pow22523_p, @object
+.size	fe_pow22523_p,8
+fe_pow22523_p:
+	.quad	fe_pow22523_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_pow22523_p:
+	.quad	_fe_pow22523_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_to_p2_p, @object
+.size	fe_ge_to_p2_p,8
+fe_ge_to_p2_p:
+	.quad	fe_ge_to_p2_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_to_p2_p:
+	.quad	_fe_ge_to_p2_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_to_p3_p, @object
+.size	fe_ge_to_p3_p,8
+fe_ge_to_p3_p:
+	.quad	fe_ge_to_p3_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_to_p3_p:
+	.quad	_fe_ge_to_p3_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_dbl_p, @object
+.size	fe_ge_dbl_p,8
+fe_ge_dbl_p:
+	.quad	fe_ge_dbl_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_dbl_p:
+	.quad	_fe_ge_dbl_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_madd_p, @object
+.size	fe_ge_madd_p,8
+fe_ge_madd_p:
+	.quad	fe_ge_madd_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_madd_p:
+	.quad	_fe_ge_madd_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_msub_p, @object
+.size	fe_ge_msub_p,8
+fe_ge_msub_p:
+	.quad	fe_ge_msub_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_msub_p:
+	.quad	_fe_ge_msub_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_add_p, @object
+.size	fe_ge_add_p,8
+fe_ge_add_p:
+	.quad	fe_ge_add_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_add_p:
+	.quad	_fe_ge_add_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+.type	fe_ge_sub_p, @object
+.size	fe_ge_sub_p,8
+fe_ge_sub_p:
+	.quad	fe_ge_sub_x64
+#else
+.section	__DATA,__data
+.p2align	2
+_fe_ge_sub_p:
+	.quad	_fe_ge_sub_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_mul_x64
+.type	fe_mul_x64,@function
+.align	4
+fe_mul_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul_x64
+.p2align	2
+_fe_mul_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        movq	%rdx, %rcx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rcx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rcx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rcx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_mul_x64,.-fe_mul_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq_x64
+.type	fe_sq_x64,@function
+.align	4
+fe_sq_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq_x64
+.p2align	2
+_fe_sq_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        # Double
+        xorq	%r14, %r14
+        addq	%r8, %r8
+        adcq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	$0x00, %r14
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %r15
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%r15, %r8
+        adcq	%rax, %r9
+        adcq	$0x00, %rdx
+        movq	%rdx, %r15
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%r15, %r10
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        movq	%rdx, %r15
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        addq	%r15, %r12
+        adcq	$0x00, %r13
+        adcq	$0x00, %r14
+        # Reduce
+        movq	$0x7fffffffffffffff, %r15
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        shldq	$0x01, %r10, %r11
+        andq	%r15, %r10
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r11
+        xorq	%r11, %r11
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r11
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        #  Add remaining product results in
+        addq	%r11, %r8
+        adcq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r10, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%r15, %r10
+        addq	%rax, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        # Reduce if top bit set
+        movq	%r10, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%r15, %r10
+        addq	%rax, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        # Store
+        movq	%rcx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq_x64,.-fe_sq_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq_n_x64
+.type	fe_sq_n_x64,@function
+.align	4
+fe_sq_n_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq_n_x64
+.p2align	2
+_fe_sq_n_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        movq	%rdx, %rcx
+L_fe_sq_n_x64:
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %r8
+        movq	%rdx, %rbx
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rbx, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbx
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rbx, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbx
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rbx, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        decb	%cl
+        jnz	L_fe_sq_n_x64
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq_n_x64,.-fe_sq_n_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_mul121666_x64
+.type	fe_mul121666_x64,@function
+.align	4
+fe_mul121666_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul121666_x64
+.p2align	2
+_fe_mul121666_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        # Multiply by 121666
+        movq	$0x1db42, %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	$0x1db42, %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        movq	$0x1db42, %rax
+        mulq	16(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        movq	$0x1db42, %rax
+        mulq	24(%rsi)
+        movq	$0x7fffffffffffffff, %rcx
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        movq	$19, %rax
+        mulq	%r12
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_mul121666_x64,.-fe_mul121666_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq2_x64
+.type	fe_sq2_x64,@function
+.align	4
+fe_sq2_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq2_x64
+.p2align	2
+_fe_sq2_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        # Square * 2
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        # Double
+        xorq	%r14, %r14
+        addq	%r8, %r8
+        adcq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	$0x00, %r14
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %r15
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%r15, %r8
+        adcq	%rax, %r9
+        adcq	$0x00, %rdx
+        movq	%rdx, %r15
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%r15, %r10
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        movq	%rdx, %r15
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        addq	%r15, %r12
+        adcq	$0x00, %r13
+        adcq	$0x00, %r14
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        xorq	%rax, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$3, %r14, %rax
+        shldq	$2, %r13, %r14
+        shldq	$2, %r12, %r13
+        shldq	$2, %r11, %r12
+        shldq	$2, %r10, %r11
+        shldq	$0x01, %r9, %r10
+        shldq	$0x01, %r8, %r9
+        shldq	$0x01, %rcx, %r8
+        shlq	$0x01, %rcx
+        andq	%rbx, %r10
+        #  Two out left, one in right
+        andq	%rbx, %r14
+        #  Multiply top bits by 19*19
+        imulq	$0x169, %rax, %r15
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r11
+        xorq	%r11, %r11
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r11
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        #  Add remaining produce results in
+        addq	%r15, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r10, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r10
+        addq	%rax, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        # Reduce if top bit set
+        movq	%r10, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r10
+        addq	%rax, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        # Store
+        movq	%rcx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq2_x64,.-fe_sq2_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_invert_x64
+.type	fe_invert_x64,@function
+.align	4
+fe_invert_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_invert_x64
+.p2align	2
+_fe_invert_x64:
+#endif /* __APPLE__ */
+        subq	$0x90, %rsp
+        # Invert
+        movq	%rdi, 128(%rsp)
+        movq	%rsi, 136(%rsp)
+        movq	%rsp, %rdi
+        movq	136(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	136(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$19, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$0x63, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        movq	128(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	136(%rsp), %rsi
+        movq	128(%rsp), %rdi
+        addq	$0x90, %rsp
+        repz retq
+#ifndef __APPLE__
+.text
+.globl	curve25519_x64
+.type	curve25519_x64,@function
+.align	4
+curve25519_x64:
+#else
+.section	__TEXT,__text
+.globl	_curve25519_x64
+.p2align	2
+_curve25519_x64:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        pushq	%rbp
+        movq	%rdx, %r8
+        subq	$0xb8, %rsp
+        xorq	%rbx, %rbx
+        movq	%rdi, 176(%rsp)
+        # Set one
+        movq	$0x01, (%rdi)
+        movq	$0x00, 8(%rdi)
+        movq	$0x00, 16(%rdi)
+        movq	$0x00, 24(%rdi)
+        # Set zero
+        movq	$0x00, (%rsp)
+        movq	$0x00, 8(%rsp)
+        movq	$0x00, 16(%rsp)
+        movq	$0x00, 24(%rsp)
+        # Set one
+        movq	$0x01, 32(%rsp)
+        movq	$0x00, 40(%rsp)
+        movq	$0x00, 48(%rsp)
+        movq	$0x00, 56(%rsp)
+        # Copy
+        movq	(%r8), %rcx
+        movq	8(%r8), %r9
+        movq	16(%r8), %r10
+        movq	24(%r8), %r11
+        movq	%rcx, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	%r10, 80(%rsp)
+        movq	%r11, 88(%rsp)
+        movb	$62, 168(%rsp)
+        movq	$3, 160(%rsp)
+L_curve25519_x64_words:
+L_curve25519_x64_bits:
+        movq	160(%rsp), %r9
+        movb	168(%rsp), %cl
+        movq	(%rsi,%r9,8), %rbp
+        shrq	%cl, %rbp
+        andq	$0x01, %rbp
+        xorq	%rbp, %rbx
+        negq	%rbx
+        # Conditional Swap
+        movq	(%rdi), %rcx
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        xorq	64(%rsp), %rcx
+        xorq	72(%rsp), %r9
+        xorq	80(%rsp), %r10
+        xorq	88(%rsp), %r11
+        andq	%rbx, %rcx
+        andq	%rbx, %r9
+        andq	%rbx, %r10
+        andq	%rbx, %r11
+        xorq	%rcx, (%rdi)
+        xorq	%r9, 8(%rdi)
+        xorq	%r10, 16(%rdi)
+        xorq	%r11, 24(%rdi)
+        xorq	%rcx, 64(%rsp)
+        xorq	%r9, 72(%rsp)
+        xorq	%r10, 80(%rsp)
+        xorq	%r11, 88(%rsp)
+        # Conditional Swap
+        movq	(%rsp), %rcx
+        movq	8(%rsp), %r9
+        movq	16(%rsp), %r10
+        movq	24(%rsp), %r11
+        xorq	32(%rsp), %rcx
+        xorq	40(%rsp), %r9
+        xorq	48(%rsp), %r10
+        xorq	56(%rsp), %r11
+        andq	%rbx, %rcx
+        andq	%rbx, %r9
+        andq	%rbx, %r10
+        andq	%rbx, %r11
+        xorq	%rcx, (%rsp)
+        xorq	%r9, 8(%rsp)
+        xorq	%r10, 16(%rsp)
+        xorq	%r11, 24(%rsp)
+        xorq	%rcx, 32(%rsp)
+        xorq	%r9, 40(%rsp)
+        xorq	%r10, 48(%rsp)
+        xorq	%r11, 56(%rsp)
+        movq	%rbp, %rbx
+        # Add
+        movq	(%rdi), %rcx
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %rbp
+        movq	%rcx, %r12
+        addq	(%rsp), %rcx
+        movq	%r9, %r13
+        adcq	8(%rsp), %r9
+        movq	%r10, %r14
+        adcq	16(%rsp), %r10
+        movq	%rbp, %r15
+        adcq	24(%rsp), %rbp
+        movq	$-19, %rax
+        movq	%rbp, %r11
+        movq	$0x7fffffffffffffff, %rdx
+        sarq	$63, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %rcx
+        sbbq	%rbp, %r9
+        sbbq	%rbp, %r10
+        sbbq	%rdx, %r11
+        # Sub
+        subq	(%rsp), %r12
+        movq	$0x00, %rbp
+        sbbq	8(%rsp), %r13
+        movq	$-19, %rax
+        sbbq	16(%rsp), %r14
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rsp), %r15
+        sbbq	$0x00, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r12
+        adcq	%rbp, %r13
+        adcq	%rbp, %r14
+        adcq	%rdx, %r15
+        movq	%rcx, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 128(%rsp)
+        movq	%r13, 136(%rsp)
+        movq	%r14, 144(%rsp)
+        movq	%r15, 152(%rsp)
+        # Add
+        movq	64(%rsp), %rcx
+        movq	72(%rsp), %r9
+        movq	80(%rsp), %r10
+        movq	88(%rsp), %rbp
+        movq	%rcx, %r12
+        addq	32(%rsp), %rcx
+        movq	%r9, %r13
+        adcq	40(%rsp), %r9
+        movq	%r10, %r14
+        adcq	48(%rsp), %r10
+        movq	%rbp, %r15
+        adcq	56(%rsp), %rbp
+        movq	$-19, %rax
+        movq	%rbp, %r11
+        movq	$0x7fffffffffffffff, %rdx
+        sarq	$63, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %rcx
+        sbbq	%rbp, %r9
+        sbbq	%rbp, %r10
+        sbbq	%rdx, %r11
+        # Sub
+        subq	32(%rsp), %r12
+        movq	$0x00, %rbp
+        sbbq	40(%rsp), %r13
+        movq	$-19, %rax
+        sbbq	48(%rsp), %r14
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	56(%rsp), %r15
+        sbbq	$0x00, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r12
+        adcq	%rbp, %r13
+        adcq	%rbp, %r14
+        adcq	%rdx, %r15
+        movq	%rcx, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	%r10, 16(%rsp)
+        movq	%r11, 24(%rsp)
+        movq	%r12, 96(%rsp)
+        movq	%r13, 104(%rsp)
+        movq	%r14, 112(%rsp)
+        movq	%r15, 120(%rsp)
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rdi), %rax
+        mulq	96(%rsp)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rdi), %rax
+        mulq	96(%rsp)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rdi), %rax
+        mulq	104(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rdi), %rax
+        mulq	96(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rdi), %rax
+        mulq	104(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rdi), %rax
+        mulq	112(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rdi), %rax
+        mulq	96(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rdi), %rax
+        mulq	104(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rdi), %rax
+        mulq	112(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rdi), %rax
+        mulq	120(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rdi), %rax
+        mulq	104(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rdi), %rax
+        mulq	112(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rdi), %rax
+        mulq	120(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rdi), %rax
+        mulq	112(%rsp)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rdi), %rax
+        mulq	120(%rsp)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rdi), %rax
+        mulq	120(%rsp)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	%r10, 48(%rsp)
+        movq	%r11, 56(%rsp)
+        # Multiply
+        #  A[0] * B[0]
+        movq	128(%rsp), %rax
+        mulq	(%rsp)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	136(%rsp), %rax
+        mulq	(%rsp)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	128(%rsp), %rax
+        mulq	8(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	144(%rsp), %rax
+        mulq	(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	136(%rsp), %rax
+        mulq	8(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	128(%rsp), %rax
+        mulq	16(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	152(%rsp), %rax
+        mulq	(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	144(%rsp), %rax
+        mulq	8(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	136(%rsp), %rax
+        mulq	16(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	128(%rsp), %rax
+        mulq	24(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	152(%rsp), %rax
+        mulq	8(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	144(%rsp), %rax
+        mulq	16(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	136(%rsp), %rax
+        mulq	24(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	152(%rsp), %rax
+        mulq	16(%rsp)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	144(%rsp), %rax
+        mulq	24(%rsp)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	152(%rsp), %rax
+        mulq	24(%rsp)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	%r10, 16(%rsp)
+        movq	%r11, 24(%rsp)
+        # Square
+        #  A[0] * A[1]
+        movq	128(%rsp), %rax
+        mulq	136(%rsp)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	128(%rsp), %rax
+        mulq	144(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	128(%rsp), %rax
+        mulq	152(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	136(%rsp), %rax
+        mulq	144(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	136(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	144(%rsp), %rax
+        mulq	152(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	128(%rsp), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %rbp
+        #  A[1] * A[1]
+        movq	136(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[2] * A[2]
+        movq	144(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[3] * A[3]
+        movq	152(%rsp), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rbp, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	%r10, 112(%rsp)
+        movq	%r11, 120(%rsp)
+        # Square
+        #  A[0] * A[1]
+        movq	(%rdi), %rax
+        mulq	8(%rdi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rdi), %rax
+        mulq	16(%rdi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rdi), %rax
+        mulq	24(%rdi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rdi), %rax
+        mulq	16(%rdi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rdi), %rax
+        mulq	24(%rdi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rdi), %rax
+        mulq	24(%rdi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rdi), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %rbp
+        #  A[1] * A[1]
+        movq	8(%rdi), %rax
+        mulq	%rax
+        addq	%rbp, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[2] * A[2]
+        movq	16(%rdi), %rax
+        mulq	%rax
+        addq	%rbp, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[3] * A[3]
+        movq	24(%rdi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rbp, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	%r10, 144(%rsp)
+        movq	%r11, 152(%rsp)
+        # Add
+        movq	32(%rsp), %rcx
+        movq	40(%rsp), %r9
+        movq	48(%rsp), %r10
+        movq	56(%rsp), %rbp
+        movq	%rcx, %r12
+        addq	(%rsp), %rcx
+        movq	%r9, %r13
+        adcq	8(%rsp), %r9
+        movq	%r10, %r14
+        adcq	16(%rsp), %r10
+        movq	%rbp, %r15
+        adcq	24(%rsp), %rbp
+        movq	$-19, %rax
+        movq	%rbp, %r11
+        movq	$0x7fffffffffffffff, %rdx
+        sarq	$63, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %rcx
+        sbbq	%rbp, %r9
+        sbbq	%rbp, %r10
+        sbbq	%rdx, %r11
+        # Sub
+        subq	(%rsp), %r12
+        movq	$0x00, %rbp
+        sbbq	8(%rsp), %r13
+        movq	$-19, %rax
+        sbbq	16(%rsp), %r14
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rsp), %r15
+        sbbq	$0x00, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r12
+        adcq	%rbp, %r13
+        adcq	%rbp, %r14
+        adcq	%rdx, %r15
+        movq	%rcx, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	%r10, 80(%rsp)
+        movq	%r11, 88(%rsp)
+        movq	%r12, (%rsp)
+        movq	%r13, 8(%rsp)
+        movq	%r14, 16(%rsp)
+        movq	%r15, 24(%rsp)
+        # Multiply
+        #  A[0] * B[0]
+        movq	96(%rsp), %rax
+        mulq	128(%rsp)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	104(%rsp), %rax
+        mulq	128(%rsp)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	96(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	112(%rsp), %rax
+        mulq	128(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	104(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	96(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	120(%rsp), %rax
+        mulq	128(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	112(%rsp), %rax
+        mulq	136(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	104(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	96(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	120(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	112(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	104(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	120(%rsp), %rax
+        mulq	144(%rsp)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	112(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	120(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        # Sub
+        movq	128(%rsp), %rcx
+        movq	136(%rsp), %r9
+        movq	144(%rsp), %r10
+        movq	152(%rsp), %r11
+        subq	96(%rsp), %rcx
+        movq	$0x00, %rbp
+        sbbq	104(%rsp), %r9
+        movq	$-19, %rax
+        sbbq	112(%rsp), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	120(%rsp), %r11
+        sbbq	$0x00, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %rcx
+        adcq	%rbp, %r9
+        adcq	%rbp, %r10
+        adcq	%rdx, %r11
+        movq	%rcx, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	%r10, 144(%rsp)
+        movq	%r11, 152(%rsp)
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsp), %rax
+        mulq	8(%rsp)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsp), %rax
+        mulq	16(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsp), %rax
+        mulq	24(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsp), %rax
+        mulq	16(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsp), %rax
+        mulq	24(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsp), %rax
+        mulq	24(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsp), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %rbp
+        #  A[1] * A[1]
+        movq	8(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[2] * A[2]
+        movq	16(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[3] * A[3]
+        movq	24(%rsp), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rbp, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	%r10, 16(%rsp)
+        movq	%r11, 24(%rsp)
+        # Multiply by 121666
+        movq	$0x1db42, %rax
+        mulq	128(%rsp)
+        xorq	%r10, %r10
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        movq	$0x1db42, %rax
+        mulq	136(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        movq	$0x1db42, %rax
+        mulq	144(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        movq	$0x1db42, %rax
+        mulq	152(%rsp)
+        movq	$0x7fffffffffffffff, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r13
+        shldq	$0x01, %r11, %r13
+        andq	%r12, %r11
+        movq	$19, %rax
+        mulq	%r13
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        movq	%rcx, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	%r10, 48(%rsp)
+        movq	%r11, 56(%rsp)
+        # Square
+        #  A[0] * A[1]
+        movq	64(%rsp), %rax
+        mulq	72(%rsp)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	64(%rsp), %rax
+        mulq	80(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	64(%rsp), %rax
+        mulq	88(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	72(%rsp), %rax
+        mulq	80(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	72(%rsp), %rax
+        mulq	88(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	80(%rsp), %rax
+        mulq	88(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	64(%rsp), %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %rbp
+        #  A[1] * A[1]
+        movq	72(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[2] * A[2]
+        movq	80(%rsp), %rax
+        mulq	%rax
+        addq	%rbp, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rbp
+        #  A[3] * A[3]
+        movq	88(%rsp), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rbp, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	%r10, 80(%rsp)
+        movq	%r11, 88(%rsp)
+        # Add
+        movq	96(%rsp), %rcx
+        movq	104(%rsp), %r9
+        addq	32(%rsp), %rcx
+        movq	112(%rsp), %r10
+        adcq	40(%rsp), %r9
+        movq	120(%rsp), %rbp
+        adcq	48(%rsp), %r10
+        movq	$-19, %rax
+        adcq	56(%rsp), %rbp
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rbp, %r11
+        sarq	$63, %rbp
+        #   Mask the modulus
+        andq	%rbp, %rax
+        andq	%rbp, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %rcx
+        sbbq	%rbp, %r9
+        sbbq	%rbp, %r10
+        sbbq	%rdx, %r11
+        movq	%rcx, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	%r10, 112(%rsp)
+        movq	%r11, 120(%rsp)
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rsp), %rax
+        mulq	(%r8)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rsp), %rax
+        mulq	(%r8)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rsp), %rax
+        mulq	8(%r8)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rsp), %rax
+        mulq	(%r8)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rsp), %rax
+        mulq	8(%r8)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rsp), %rax
+        mulq	16(%r8)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rsp), %rax
+        mulq	(%r8)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rsp), %rax
+        mulq	8(%r8)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rsp), %rax
+        mulq	16(%r8)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rsp), %rax
+        mulq	24(%r8)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rsp), %rax
+        mulq	8(%r8)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rsp), %rax
+        mulq	16(%r8)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rsp), %rax
+        mulq	24(%r8)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rsp), %rax
+        mulq	16(%r8)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rsp), %rax
+        mulq	24(%r8)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rsp), %rax
+        mulq	24(%r8)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	%r10, 48(%rsp)
+        movq	%r11, 56(%rsp)
+        # Multiply
+        #  A[0] * B[0]
+        movq	96(%rsp), %rax
+        mulq	128(%rsp)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	104(%rsp), %rax
+        mulq	128(%rsp)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	96(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	112(%rsp), %rax
+        mulq	128(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	104(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	96(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	120(%rsp), %rax
+        mulq	128(%rsp)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	112(%rsp), %rax
+        mulq	136(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	104(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	96(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	120(%rsp), %rax
+        mulq	136(%rsp)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	112(%rsp), %rax
+        mulq	144(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	104(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	120(%rsp), %rax
+        mulq	144(%rsp)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	112(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	120(%rsp), %rax
+        mulq	152(%rsp)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	%r10, 16(%rsp)
+        movq	%r11, 24(%rsp)
+        decb	168(%rsp)
+        jge	L_curve25519_x64_bits
+        movq	$63, 168(%rsp)
+        decb	160(%rsp)
+        jge	L_curve25519_x64_words
+        # Invert
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        movq	%rsp, %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        movq	$19, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        movq	$0x63, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	176(%rsp), %rdi
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rsp), %rax
+        mulq	(%rdi)
+        movq	%rax, %rcx
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rsp), %rax
+        mulq	(%rdi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rsp), %rax
+        mulq	8(%rdi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rsp), %rax
+        mulq	(%rdi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rsp), %rax
+        mulq	8(%rdi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rsp), %rax
+        mulq	16(%rdi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rsp), %rax
+        mulq	(%rdi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rsp), %rax
+        mulq	8(%rdi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rsp), %rax
+        mulq	16(%rdi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rsp), %rax
+        mulq	24(%rdi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rsp), %rax
+        mulq	8(%rdi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rsp), %rax
+        mulq	16(%rdi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rsp), %rax
+        mulq	24(%rdi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rsp), %rax
+        mulq	16(%rdi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rsp), %rax
+        mulq	24(%rdi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rsp), %rax
+        mulq	24(%rdi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rbp, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %rcx
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbp, %r11
+        addq	%rax, %rcx
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%rcx, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        xorq	%rax, %rax
+        addq	$0xb8, %rsp
+        popq	%rbp
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	curve25519_x64,.-curve25519_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_pow22523_x64
+.type	fe_pow22523_x64,@function
+.align	4
+fe_pow22523_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_pow22523_x64
+.p2align	2
+_fe_pow22523_x64:
+#endif /* __APPLE__ */
+        subq	$0x70, %rsp
+        # pow22523
+        movq	%rdi, 96(%rsp)
+        movq	%rsi, 104(%rsp)
+        movq	%rsp, %rdi
+        movq	104(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	104(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$19, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$0x63, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_x64@plt
+#else
+        callq	_fe_sq_n_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_x64@plt
+#else
+        callq	_fe_sq_x64
+#endif /* __APPLE__ */
+        movq	96(%rsp), %rdi
+        movq	%rsp, %rsi
+        movq	104(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_x64@plt
+#else
+        callq	_fe_mul_x64
+#endif /* __APPLE__ */
+        movq	104(%rsp), %rsi
+        movq	96(%rsp), %rdi
+        addq	$0x70, %rsp
+        repz retq
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p2_x64
+.type	fe_ge_to_p2_x64,@function
+.align	4
+fe_ge_to_p2_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p2_x64
+.p2align	2
+_fe_ge_to_p2_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$40, %rsp
+        movq	%rsi, (%rsp)
+        movq	%rdx, 8(%rsp)
+        movq	%rcx, 16(%rsp)
+        movq	%r8, 24(%rsp)
+        movq	%r9, 32(%rsp)
+        movq	16(%rsp), %rsi
+        movq	88(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	24(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	32(%rsp), %rsi
+        movq	88(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_to_p2_x64,.-fe_ge_to_p2_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p3_x64
+.type	fe_ge_to_p3_x64,@function
+.align	4
+fe_ge_to_p3_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p3_x64
+.p2align	2
+_fe_ge_to_p3_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$40, %rsp
+        movq	%rsi, (%rsp)
+        movq	%rdx, 8(%rsp)
+        movq	%rcx, 16(%rsp)
+        movq	%r8, 24(%rsp)
+        movq	%r9, 32(%rsp)
+        movq	24(%rsp), %rsi
+        movq	96(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	32(%rsp), %rsi
+        movq	88(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	88(%rsp), %rsi
+        movq	96(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	24(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_to_p3_x64,.-fe_ge_to_p3_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_dbl_x64
+.type	fe_ge_dbl_x64,@function
+.align	4
+fe_ge_dbl_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_dbl_x64
+.p2align	2
+_fe_ge_dbl_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsp), %rdi
+        movq	32(%rsp), %rsi
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %r8
+        movq	%rdx, %rcx
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rcx, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %r8
+        movq	%rdx, %rcx
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rcx, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	128(%rsp), %rsi
+        # Square * 2
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %r8
+        movq	%rdx, %rcx
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rcx, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        xorq	%rax, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$3, %r15, %rax
+        shldq	$2, %r14, %r15
+        shldq	$2, %r13, %r14
+        shldq	$2, %r12, %r13
+        shldq	$2, %r11, %r12
+        shldq	$0x01, %r10, %r11
+        shldq	$0x01, %r9, %r10
+        shldq	$0x01, %r8, %r9
+        shlq	$0x01, %r8
+        andq	%rbx, %r11
+        #  Two out left, one in right
+        andq	%rbx, %r15
+        #  Multiply top bits by 19*19
+        imulq	$0x169, %rax, %rcx
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining produce results in
+        addq	%rcx, %r8
+        adcq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	32(%rsp), %rsi
+        movq	40(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rdi
+        movq	8(%rsp), %rsi
+        # Square
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Double
+        xorq	%r15, %r15
+        addq	%r9, %r9
+        adcq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	$0x00, %r15
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %r8
+        movq	%rdx, %rcx
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r9
+        adcq	%rax, %r10
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rcx, %r11
+        adcq	%rax, %r12
+        adcq	$0x00, %rdx
+        movq	%rdx, %rcx
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        addq	%rcx, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	24(%rsp), %rsi
+        movq	16(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_dbl_x64,.-fe_ge_dbl_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_madd_x64
+.type	fe_ge_madd_x64,@function
+.align	4
+fe_ge_madd_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_madd_x64
+.p2align	2
+_fe_ge_madd_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	152(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	8(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	144(%rsp), %rsi
+        movq	136(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rdi
+        movq	128(%rsp), %rsi
+        movq	128(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_madd_x64,.-fe_ge_madd_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_msub_x64
+.type	fe_ge_msub_x64,@function
+.align	4
+fe_ge_msub_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_msub_x64
+.p2align	2
+_fe_ge_msub_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	8(%rsp), %rsi
+        movq	152(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	144(%rsp), %rsi
+        movq	136(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rdi
+        movq	128(%rsp), %rsi
+        movq	128(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_msub_x64,.-fe_ge_msub_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_add_x64
+.type	fe_ge_add_x64,@function
+.align	4
+fe_ge_add_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_add_x64
+.p2align	2
+_fe_ge_add_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	8(%rsp), %rsi
+        movq	168(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	152(%rsp), %rsi
+        movq	136(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	128(%rsp), %rsi
+        movq	144(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_add_x64,.-fe_ge_add_x64
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_sub_x64
+.type	fe_ge_sub_x64,@function
+.align	4
+fe_ge_sub_x64:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_sub_x64
+.p2align	2
+_fe_ge_sub_x64:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	40(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	168(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	8(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        movq	152(%rsp), %rsi
+        movq	136(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	128(%rsp), %rsi
+        movq	144(%rsp), %rbx
+        # Multiply
+        #  A[0] * B[0]
+        movq	(%rbx), %rax
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        #  A[0] * B[1]
+        movq	8(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        #  A[1] * B[0]
+        movq	(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0x00, %r11
+        #  A[0] * B[2]
+        movq	16(%rbx), %rax
+        mulq	(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[1]
+        movq	8(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[2] * B[0]
+        movq	(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        #  A[0] * B[3]
+        movq	24(%rbx), %rax
+        mulq	(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[2]
+        movq	16(%rbx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[2] * B[1]
+        movq	8(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[3] * B[0]
+        movq	(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        #  A[1] * B[3]
+        movq	24(%rbx), %rax
+        mulq	8(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[2]
+        movq	16(%rbx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[3] * B[1]
+        movq	8(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        #  A[2] * B[3]
+        movq	24(%rbx), %rax
+        mulq	16(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[2]
+        movq	16(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0x00, %r15
+        #  A[3] * B[3]
+        movq	24(%rbx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rax
+        mulq	%r12
+        xorq	%r12, %r12
+        addq	%rax, %r8
+        movq	$19, %rax
+        adcq	%rdx, %r12
+        mulq	%r13
+        xorq	%r13, %r13
+        addq	%rax, %r9
+        movq	$19, %rax
+        adcq	%rdx, %r13
+        mulq	%r14
+        xorq	%r14, %r14
+        addq	%rax, %r10
+        movq	$19, %rax
+        adcq	%rdx, %r14
+        mulq	%r15
+        #  Add remaining product results in
+        addq	%r12, %r9
+        adcq	%r13, %r10
+        adcq	%r14, %r11
+        adcq	%rax, %r11
+        adcq	$0x00, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rdi
+        movq	(%rsp), %rsi
+        movq	(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	16(%rsp), %rsi
+        movq	8(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rbx), %r8
+        movq	$0x00, %rcx
+        sbbq	8(%rbx), %r9
+        movq	$-19, %rax
+        sbbq	16(%rbx), %r10
+        movq	$0x7fffffffffffffff, %rdx
+        sbbq	24(%rbx), %r11
+        sbbq	$0x00, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Add modulus (if underflow)
+        addq	%rax, %r8
+        adcq	%rcx, %r9
+        adcq	%rcx, %r10
+        adcq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rdi
+        leaq	48(%rsp), %rsi
+        movq	24(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rcx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rax
+        adcq	24(%rbx), %rcx
+        movq	$0x7fffffffffffffff, %rdx
+        movq	%rcx, %r11
+        sarq	$63, %rcx
+        #   Mask the modulus
+        andq	%rcx, %rax
+        andq	%rcx, %rdx
+        #   Sub modulus (if overflow)
+        subq	%rax, %r8
+        sbbq	%rcx, %r9
+        sbbq	%rcx, %r10
+        sbbq	%rdx, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_sub_x64,.-fe_ge_sub_x64
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.text
+.globl	fe_mul_avx2
+.type	fe_mul_avx2,@function
+.align	4
+fe_mul_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul_avx2
+.p2align	2
+_fe_mul_avx2:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        movq	%rdx, %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rax, %rcx
+        xorq	%r15, %r15
+        adcxq	%rax, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rcx, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%rax, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rax, %r14
+        adoxq	%rcx, %r10
+        adcxq	%rax, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rax, %rcx
+        adcxq	%r14, %r12
+        adoxq	%rax, %r11
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rax, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rax
+        adcxq	%rcx, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rax, %r11
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rax
+        adcxq	%rcx, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rax, %r13
+        mulxq	24(%rsi), %rax, %rcx
+        adoxq	%r15, %r14
+        adcxq	%rax, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rax
+        adcxq	%rcx, %r15
+        xorq	%rcx, %rcx
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rax, %r12
+        mulxq	24(%rsi), %rdx, %rax
+        adoxq	%rdx, %r11
+        adoxq	%rax, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rax
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rax, %r14
+        mulxq	24(%rsi), %rax, %rdx
+        adcxq	%rcx, %r15
+        adoxq	%rax, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rcx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rax, %r12
+        adcxq	%rax, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_mul_avx2,.-fe_mul_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq_avx2
+.type	fe_sq_avx2,@function
+.align	4
+fe_sq_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq_avx2
+.p2align	2
+_fe_sq_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        # Square
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rsi), %rcx, %rbx
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        adoxq	%rbx, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rbx
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %r8
+        adcxq	%rbx, %r11
+        adcxq	%rax, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rax
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r10, %r10
+        adoxq	%rax, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rbx, %r11
+        adcxq	%r13, %r13
+        adoxq	%rax, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rax, %r14
+        adoxq	%rbx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rax, %r12
+        adcxq	%rax, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq_avx2,.-fe_sq_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq_n_avx2
+.type	fe_sq_n_avx2,@function
+.align	4
+fe_sq_n_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq_n_avx2
+.p2align	2
+_fe_sq_n_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rdx, %rbp
+L_fe_sq_n_avx2:
+        # Square
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rsi), %rcx, %rbx
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        adoxq	%rbx, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rbx
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %r8
+        adcxq	%rbx, %r11
+        adcxq	%rax, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rax
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r10, %r10
+        adoxq	%rax, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rbx, %r11
+        adcxq	%r13, %r13
+        adoxq	%rax, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rax, %r14
+        adoxq	%rbx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rax, %r12
+        adcxq	%rax, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        decb	%bpl
+        jnz	L_fe_sq_n_avx2
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq_n_avx2,.-fe_sq_n_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_mul121666_avx2
+.type	fe_mul121666_avx2,@function
+.align	4
+fe_mul121666_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_mul121666_avx2
+.p2align	2
+_fe_mul121666_avx2:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        movq	$0x1db42, %rdx
+        mulxq	(%rsi), %rax, %r13
+        mulxq	8(%rsi), %rcx, %r12
+        mulxq	16(%rsi), %r8, %r11
+        mulxq	24(%rsi), %r9, %r10
+        addq	%r13, %rcx
+        adcq	%r12, %r8
+        adcq	%r11, %r9
+        adcq	$0x00, %r10
+        movq	$0x7fffffffffffffff, %r13
+        shldq	$0x01, %r9, %r10
+        andq	%r13, %r9
+        imulq	$19, %r10, %r10
+        addq	%r10, %rax
+        adcq	$0x00, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        movq	%rax, (%rdi)
+        movq	%rcx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	fe_mul121666_avx2,.-fe_mul121666_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_sq2_avx2
+.type	fe_sq2_avx2,@function
+.align	4
+fe_sq2_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_sq2_avx2
+.p2align	2
+_fe_sq2_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        # Square * 2
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rsi), %rcx, %rbx
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        adoxq	%rbx, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rbx
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %r8
+        adcxq	%rbx, %r11
+        adcxq	%rax, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rax
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r10, %r10
+        adoxq	%rax, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rbx, %r11
+        adcxq	%r13, %r13
+        adoxq	%rax, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rax, %r14
+        adoxq	%rbx, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        xorq	%rax, %rax
+        #  Move top half into t4-t7 and remove top bit from t3 and double
+        shldq	$3, %r15, %rax
+        shldq	$2, %r14, %r15
+        shldq	$2, %r13, %r14
+        shldq	$2, %r12, %r13
+        shldq	$2, %r11, %r12
+        shldq	$0x01, %r10, %r11
+        shldq	$0x01, %r9, %r10
+        shldq	$0x01, %r8, %r9
+        shlq	$0x01, %r8
+        andq	%rbx, %r11
+        #  Two out left, one in right
+        andq	%rbx, %r15
+        #  Multiply top bits by 19*19
+        imulq	$0x169, %rax, %rcx
+        xorq	%rbx, %rbx
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        adoxq	%rcx, %r8
+        mulxq	%r12, %rax, %r12
+        adcxq	%rax, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rbx, %r11
+        addq	%rax, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_sq2_avx2,.-fe_sq2_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_invert_avx2
+.type	fe_invert_avx2,@function
+.align	4
+fe_invert_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_invert_avx2
+.p2align	2
+_fe_invert_avx2:
+#endif /* __APPLE__ */
+        subq	$0x90, %rsp
+        # Invert
+        movq	%rdi, 128(%rsp)
+        movq	%rsi, 136(%rsp)
+        movq	%rsp, %rdi
+        movq	136(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	136(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$19, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$0x63, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        movq	128(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	136(%rsp), %rsi
+        movq	128(%rsp), %rdi
+        addq	$0x90, %rsp
+        repz retq
+#ifndef __APPLE__
+.text
+.globl	curve25519_avx2
+.type	curve25519_avx2,@function
+.align	4
+curve25519_avx2:
+#else
+.section	__TEXT,__text
+.globl	_curve25519_avx2
+.p2align	2
+_curve25519_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rdx, %r8
+        subq	$0xc0, %rsp
+        movq	$0x00, 184(%rsp)
+        movq	%rdi, 176(%rsp)
+        # Set one
+        movq	$0x01, (%rdi)
+        movq	$0x00, 8(%rdi)
+        movq	$0x00, 16(%rdi)
+        movq	$0x00, 24(%rdi)
+        # Set zero
+        movq	$0x00, (%rsp)
+        movq	$0x00, 8(%rsp)
+        movq	$0x00, 16(%rsp)
+        movq	$0x00, 24(%rsp)
+        # Set one
+        movq	$0x01, 32(%rsp)
+        movq	$0x00, 40(%rsp)
+        movq	$0x00, 48(%rsp)
+        movq	$0x00, 56(%rsp)
+        # Copy
+        movq	(%r8), %r9
+        movq	8(%r8), %r10
+        movq	16(%r8), %r11
+        movq	24(%r8), %r12
+        movq	%r9, 64(%rsp)
+        movq	%r10, 72(%rsp)
+        movq	%r11, 80(%rsp)
+        movq	%r12, 88(%rsp)
+        movb	$62, 168(%rsp)
+        movq	$3, 160(%rsp)
+L_curve25519_avx2_words:
+L_curve25519_avx2_bits:
+        movq	184(%rsp), %rbx
+        movq	160(%rsp), %r9
+        movb	168(%rsp), %cl
+        movq	(%rsi,%r9,8), %rax
+        shrq	%cl, %rax
+        andq	$0x01, %rax
+        xorq	%rax, %rbx
+        negq	%rbx
+        # Conditional Swap
+        movq	(%rdi), %r9
+        movq	8(%rdi), %r10
+        movq	16(%rdi), %r11
+        movq	24(%rdi), %r12
+        xorq	64(%rsp), %r9
+        xorq	72(%rsp), %r10
+        xorq	80(%rsp), %r11
+        xorq	88(%rsp), %r12
+        andq	%rbx, %r9
+        andq	%rbx, %r10
+        andq	%rbx, %r11
+        andq	%rbx, %r12
+        xorq	%r9, (%rdi)
+        xorq	%r10, 8(%rdi)
+        xorq	%r11, 16(%rdi)
+        xorq	%r12, 24(%rdi)
+        xorq	%r9, 64(%rsp)
+        xorq	%r10, 72(%rsp)
+        xorq	%r11, 80(%rsp)
+        xorq	%r12, 88(%rsp)
+        # Conditional Swap
+        movq	(%rsp), %r9
+        movq	8(%rsp), %r10
+        movq	16(%rsp), %r11
+        movq	24(%rsp), %r12
+        xorq	32(%rsp), %r9
+        xorq	40(%rsp), %r10
+        xorq	48(%rsp), %r11
+        xorq	56(%rsp), %r12
+        andq	%rbx, %r9
+        andq	%rbx, %r10
+        andq	%rbx, %r11
+        andq	%rbx, %r12
+        xorq	%r9, (%rsp)
+        xorq	%r10, 8(%rsp)
+        xorq	%r11, 16(%rsp)
+        xorq	%r12, 24(%rsp)
+        xorq	%r9, 32(%rsp)
+        xorq	%r10, 40(%rsp)
+        xorq	%r11, 48(%rsp)
+        xorq	%r12, 56(%rsp)
+        movq	%rax, 184(%rsp)
+        # Add
+        movq	(%rdi), %r9
+        movq	8(%rdi), %r10
+        movq	16(%rdi), %r11
+        movq	24(%rdi), %rax
+        movq	%r9, %r13
+        addq	(%rsp), %r9
+        movq	%r10, %r14
+        adcq	8(%rsp), %r10
+        movq	%r11, %r15
+        adcq	16(%rsp), %r11
+        movq	%rax, %rbp
+        adcq	24(%rsp), %rax
+        movq	$-19, %rcx
+        movq	%rax, %r12
+        movq	$0x7fffffffffffffff, %rbx
+        sarq	$63, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r9
+        sbbq	%rax, %r10
+        sbbq	%rax, %r11
+        sbbq	%rbx, %r12
+        # Sub
+        subq	(%rsp), %r13
+        movq	$0x00, %rax
+        sbbq	8(%rsp), %r14
+        movq	$-19, %rcx
+        sbbq	16(%rsp), %r15
+        movq	$0x7fffffffffffffff, %rbx
+        sbbq	24(%rsp), %rbp
+        sbbq	$0x00, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Add modulus (if underflow)
+        addq	%rcx, %r13
+        adcq	%rax, %r14
+        adcq	%rax, %r15
+        adcq	%rbx, %rbp
+        movq	%r9, (%rdi)
+        movq	%r10, 8(%rdi)
+        movq	%r11, 16(%rdi)
+        movq	%r12, 24(%rdi)
+        movq	%r13, 128(%rsp)
+        movq	%r14, 136(%rsp)
+        movq	%r15, 144(%rsp)
+        movq	%rbp, 152(%rsp)
+        # Add
+        movq	64(%rsp), %r9
+        movq	72(%rsp), %r10
+        movq	80(%rsp), %r11
+        movq	88(%rsp), %rax
+        movq	%r9, %r13
+        addq	32(%rsp), %r9
+        movq	%r10, %r14
+        adcq	40(%rsp), %r10
+        movq	%r11, %r15
+        adcq	48(%rsp), %r11
+        movq	%rax, %rbp
+        adcq	56(%rsp), %rax
+        movq	$-19, %rcx
+        movq	%rax, %r12
+        movq	$0x7fffffffffffffff, %rbx
+        sarq	$63, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r9
+        sbbq	%rax, %r10
+        sbbq	%rax, %r11
+        sbbq	%rbx, %r12
+        # Sub
+        subq	32(%rsp), %r13
+        movq	$0x00, %rax
+        sbbq	40(%rsp), %r14
+        movq	$-19, %rcx
+        sbbq	48(%rsp), %r15
+        movq	$0x7fffffffffffffff, %rbx
+        sbbq	56(%rsp), %rbp
+        sbbq	$0x00, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Add modulus (if underflow)
+        addq	%rcx, %r13
+        adcq	%rax, %r14
+        adcq	%rax, %r15
+        adcq	%rbx, %rbp
+        movq	%r9, (%rsp)
+        movq	%r10, 8(%rsp)
+        movq	%r11, 16(%rsp)
+        movq	%r12, 24(%rsp)
+        movq	%r13, 96(%rsp)
+        movq	%r14, 104(%rsp)
+        movq	%r15, 112(%rsp)
+        movq	%rbp, 120(%rsp)
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rdi), %rdx
+        mulxq	96(%rsp), %r9, %r10
+        # A[2] * B[0]
+        mulxq	112(%rsp), %r11, %r12
+        # A[1] * B[0]
+        mulxq	104(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	104(%rsp), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	96(%rsp), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	112(%rsp), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	104(%rsp), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	96(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	104(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	8(%rdi), %rdx
+        adoxq	%rcx, %r12
+        mulxq	120(%rsp), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	112(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	24(%rdi), %rdx
+        adoxq	%rcx, %r14
+        mulxq	120(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	96(%rsp), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	(%rdi), %rdx
+        adcxq	%rcx, %r13
+        mulxq	120(%rsp), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	112(%rsp), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	16(%rdi), %rdx
+        adcxq	%rcx, %r15
+        mulxq	120(%rsp), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, 32(%rsp)
+        movq	%r10, 40(%rsp)
+        movq	%r11, 48(%rsp)
+        movq	%r12, 56(%rsp)
+        # Multiply
+        # A[0] * B[0]
+        movq	128(%rsp), %rdx
+        mulxq	(%rsp), %r9, %r10
+        # A[2] * B[0]
+        mulxq	16(%rsp), %r11, %r12
+        # A[1] * B[0]
+        mulxq	8(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	152(%rsp), %rdx
+        mulxq	8(%rsp), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	136(%rsp), %rdx
+        mulxq	(%rsp), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	16(%rsp), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	144(%rsp), %rdx
+        mulxq	8(%rsp), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	136(%rsp), %rdx
+        mulxq	8(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	136(%rsp), %rdx
+        adoxq	%rcx, %r12
+        mulxq	24(%rsp), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	144(%rsp), %rdx
+        mulxq	16(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	152(%rsp), %rdx
+        adoxq	%rcx, %r14
+        mulxq	24(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	(%rsp), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	128(%rsp), %rdx
+        adcxq	%rcx, %r13
+        mulxq	24(%rsp), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	152(%rsp), %rdx
+        mulxq	16(%rsp), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	144(%rsp), %rdx
+        adcxq	%rcx, %r15
+        mulxq	24(%rsp), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, (%rsp)
+        movq	%r10, 8(%rsp)
+        movq	%r11, 16(%rsp)
+        movq	%r12, 24(%rsp)
+        # Square
+        # A[0] * A[1]
+        movq	128(%rsp), %rdx
+        mulxq	136(%rsp), %r10, %r11
+        # A[0] * A[3]
+        mulxq	152(%rsp), %r12, %r13
+        # A[2] * A[1]
+        movq	144(%rsp), %rdx
+        mulxq	136(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adoxq	%rcx, %r12
+        # A[2] * A[3]
+        mulxq	152(%rsp), %r14, %r15
+        adoxq	%rbx, %r13
+        # A[2] * A[0]
+        mulxq	128(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        adcxq	%rcx, %r11
+        adoxq	%rbp, %r15
+        # A[1] * A[3]
+        movq	136(%rsp), %rdx
+        mulxq	152(%rsp), %rax, %r9
+        adcxq	%rbx, %r12
+        adcxq	%rax, %r13
+        adcxq	%r9, %r14
+        adcxq	%rbp, %r15
+        # Double with Carry Flag
+        xorq	%rbp, %rbp
+        # A[0] * A[0]
+        movq	128(%rsp), %rdx
+        mulxq	%rdx, %r9, %rax
+        adcxq	%r10, %r10
+        # A[1] * A[1]
+        movq	136(%rsp), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rax, %r10
+        adcxq	%r12, %r12
+        adoxq	%rcx, %r11
+        # A[2] * A[2]
+        movq	144(%rsp), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r13, %r13
+        adoxq	%rbx, %r12
+        adcxq	%r14, %r14
+        adoxq	%rax, %r13
+        # A[3] * A[3]
+        movq	152(%rsp), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r15, %r15
+        adoxq	%rcx, %r14
+        adcxq	%rbp, %rbp
+        adoxq	%rax, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rcx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rax, %r15
+        adcxq	%rax, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, 96(%rsp)
+        movq	%r10, 104(%rsp)
+        movq	%r11, 112(%rsp)
+        movq	%r12, 120(%rsp)
+        # Square
+        # A[0] * A[1]
+        movq	(%rdi), %rdx
+        mulxq	8(%rdi), %r10, %r11
+        # A[0] * A[3]
+        mulxq	24(%rdi), %r12, %r13
+        # A[2] * A[1]
+        movq	16(%rdi), %rdx
+        mulxq	8(%rdi), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adoxq	%rcx, %r12
+        # A[2] * A[3]
+        mulxq	24(%rdi), %r14, %r15
+        adoxq	%rbx, %r13
+        # A[2] * A[0]
+        mulxq	(%rdi), %rcx, %rbx
+        adoxq	%rbp, %r14
+        adcxq	%rcx, %r11
+        adoxq	%rbp, %r15
+        # A[1] * A[3]
+        movq	8(%rdi), %rdx
+        mulxq	24(%rdi), %rax, %r9
+        adcxq	%rbx, %r12
+        adcxq	%rax, %r13
+        adcxq	%r9, %r14
+        adcxq	%rbp, %r15
+        # Double with Carry Flag
+        xorq	%rbp, %rbp
+        # A[0] * A[0]
+        movq	(%rdi), %rdx
+        mulxq	%rdx, %r9, %rax
+        adcxq	%r10, %r10
+        # A[1] * A[1]
+        movq	8(%rdi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rax, %r10
+        adcxq	%r12, %r12
+        adoxq	%rcx, %r11
+        # A[2] * A[2]
+        movq	16(%rdi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r13, %r13
+        adoxq	%rbx, %r12
+        adcxq	%r14, %r14
+        adoxq	%rax, %r13
+        # A[3] * A[3]
+        movq	24(%rdi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r15, %r15
+        adoxq	%rcx, %r14
+        adcxq	%rbp, %rbp
+        adoxq	%rax, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rcx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rax, %r15
+        adcxq	%rax, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, 128(%rsp)
+        movq	%r10, 136(%rsp)
+        movq	%r11, 144(%rsp)
+        movq	%r12, 152(%rsp)
+        # Add
+        movq	32(%rsp), %r9
+        movq	40(%rsp), %r10
+        movq	48(%rsp), %r11
+        movq	56(%rsp), %rax
+        movq	%r9, %r13
+        addq	(%rsp), %r9
+        movq	%r10, %r14
+        adcq	8(%rsp), %r10
+        movq	%r11, %r15
+        adcq	16(%rsp), %r11
+        movq	%rax, %rbp
+        adcq	24(%rsp), %rax
+        movq	$-19, %rcx
+        movq	%rax, %r12
+        movq	$0x7fffffffffffffff, %rbx
+        sarq	$63, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r9
+        sbbq	%rax, %r10
+        sbbq	%rax, %r11
+        sbbq	%rbx, %r12
+        # Sub
+        subq	(%rsp), %r13
+        movq	$0x00, %rax
+        sbbq	8(%rsp), %r14
+        movq	$-19, %rcx
+        sbbq	16(%rsp), %r15
+        movq	$0x7fffffffffffffff, %rbx
+        sbbq	24(%rsp), %rbp
+        sbbq	$0x00, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Add modulus (if underflow)
+        addq	%rcx, %r13
+        adcq	%rax, %r14
+        adcq	%rax, %r15
+        adcq	%rbx, %rbp
+        movq	%r9, 64(%rsp)
+        movq	%r10, 72(%rsp)
+        movq	%r11, 80(%rsp)
+        movq	%r12, 88(%rsp)
+        movq	%r13, (%rsp)
+        movq	%r14, 8(%rsp)
+        movq	%r15, 16(%rsp)
+        movq	%rbp, 24(%rsp)
+        # Multiply
+        # A[0] * B[0]
+        movq	96(%rsp), %rdx
+        mulxq	128(%rsp), %r9, %r10
+        # A[2] * B[0]
+        mulxq	144(%rsp), %r11, %r12
+        # A[1] * B[0]
+        mulxq	136(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	120(%rsp), %rdx
+        mulxq	136(%rsp), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	104(%rsp), %rdx
+        mulxq	128(%rsp), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	144(%rsp), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	112(%rsp), %rdx
+        mulxq	136(%rsp), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	128(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	104(%rsp), %rdx
+        mulxq	136(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	104(%rsp), %rdx
+        adoxq	%rcx, %r12
+        mulxq	152(%rsp), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	112(%rsp), %rdx
+        mulxq	144(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	120(%rsp), %rdx
+        adoxq	%rcx, %r14
+        mulxq	152(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	128(%rsp), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	96(%rsp), %rdx
+        adcxq	%rcx, %r13
+        mulxq	152(%rsp), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	120(%rsp), %rdx
+        mulxq	144(%rsp), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	112(%rsp), %rdx
+        adcxq	%rcx, %r15
+        mulxq	152(%rsp), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, (%rdi)
+        movq	%r10, 8(%rdi)
+        movq	%r11, 16(%rdi)
+        movq	%r12, 24(%rdi)
+        # Sub
+        movq	128(%rsp), %r9
+        movq	136(%rsp), %r10
+        movq	144(%rsp), %r11
+        movq	152(%rsp), %r12
+        subq	96(%rsp), %r9
+        movq	$0x00, %rax
+        sbbq	104(%rsp), %r10
+        movq	$-19, %rcx
+        sbbq	112(%rsp), %r11
+        movq	$0x7fffffffffffffff, %rbx
+        sbbq	120(%rsp), %r12
+        sbbq	$0x00, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Add modulus (if underflow)
+        addq	%rcx, %r9
+        adcq	%rax, %r10
+        adcq	%rax, %r11
+        adcq	%rbx, %r12
+        movq	%r9, 128(%rsp)
+        movq	%r10, 136(%rsp)
+        movq	%r11, 144(%rsp)
+        movq	%r12, 152(%rsp)
+        # Square
+        # A[0] * A[1]
+        movq	(%rsp), %rdx
+        mulxq	8(%rsp), %r10, %r11
+        # A[0] * A[3]
+        mulxq	24(%rsp), %r12, %r13
+        # A[2] * A[1]
+        movq	16(%rsp), %rdx
+        mulxq	8(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adoxq	%rcx, %r12
+        # A[2] * A[3]
+        mulxq	24(%rsp), %r14, %r15
+        adoxq	%rbx, %r13
+        # A[2] * A[0]
+        mulxq	(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        adcxq	%rcx, %r11
+        adoxq	%rbp, %r15
+        # A[1] * A[3]
+        movq	8(%rsp), %rdx
+        mulxq	24(%rsp), %rax, %r9
+        adcxq	%rbx, %r12
+        adcxq	%rax, %r13
+        adcxq	%r9, %r14
+        adcxq	%rbp, %r15
+        # Double with Carry Flag
+        xorq	%rbp, %rbp
+        # A[0] * A[0]
+        movq	(%rsp), %rdx
+        mulxq	%rdx, %r9, %rax
+        adcxq	%r10, %r10
+        # A[1] * A[1]
+        movq	8(%rsp), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rax, %r10
+        adcxq	%r12, %r12
+        adoxq	%rcx, %r11
+        # A[2] * A[2]
+        movq	16(%rsp), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r13, %r13
+        adoxq	%rbx, %r12
+        adcxq	%r14, %r14
+        adoxq	%rax, %r13
+        # A[3] * A[3]
+        movq	24(%rsp), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r15, %r15
+        adoxq	%rcx, %r14
+        adcxq	%rbp, %rbp
+        adoxq	%rax, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rcx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rax, %r15
+        adcxq	%rax, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, (%rsp)
+        movq	%r10, 8(%rsp)
+        movq	%r11, 16(%rsp)
+        movq	%r12, 24(%rsp)
+        movq	$0x1db42, %rdx
+        mulxq	128(%rsp), %r9, %rbp
+        mulxq	136(%rsp), %r10, %r15
+        mulxq	144(%rsp), %r11, %r14
+        mulxq	152(%rsp), %r12, %r13
+        addq	%rbp, %r10
+        adcq	%r15, %r11
+        adcq	%r14, %r12
+        adcq	$0x00, %r13
+        movq	$0x7fffffffffffffff, %rbp
+        shldq	$0x01, %r12, %r13
+        andq	%rbp, %r12
+        imulq	$19, %r13, %r13
+        addq	%r13, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        movq	%r9, 32(%rsp)
+        movq	%r10, 40(%rsp)
+        movq	%r11, 48(%rsp)
+        movq	%r12, 56(%rsp)
+        # Square
+        # A[0] * A[1]
+        movq	64(%rsp), %rdx
+        mulxq	72(%rsp), %r10, %r11
+        # A[0] * A[3]
+        mulxq	88(%rsp), %r12, %r13
+        # A[2] * A[1]
+        movq	80(%rsp), %rdx
+        mulxq	72(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adoxq	%rcx, %r12
+        # A[2] * A[3]
+        mulxq	88(%rsp), %r14, %r15
+        adoxq	%rbx, %r13
+        # A[2] * A[0]
+        mulxq	64(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        adcxq	%rcx, %r11
+        adoxq	%rbp, %r15
+        # A[1] * A[3]
+        movq	72(%rsp), %rdx
+        mulxq	88(%rsp), %rax, %r9
+        adcxq	%rbx, %r12
+        adcxq	%rax, %r13
+        adcxq	%r9, %r14
+        adcxq	%rbp, %r15
+        # Double with Carry Flag
+        xorq	%rbp, %rbp
+        # A[0] * A[0]
+        movq	64(%rsp), %rdx
+        mulxq	%rdx, %r9, %rax
+        adcxq	%r10, %r10
+        # A[1] * A[1]
+        movq	72(%rsp), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rax, %r10
+        adcxq	%r12, %r12
+        adoxq	%rcx, %r11
+        # A[2] * A[2]
+        movq	80(%rsp), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r13, %r13
+        adoxq	%rbx, %r12
+        adcxq	%r14, %r14
+        adoxq	%rax, %r13
+        # A[3] * A[3]
+        movq	88(%rsp), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adcxq	%r15, %r15
+        adoxq	%rcx, %r14
+        adcxq	%rbp, %rbp
+        adoxq	%rax, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rcx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r13, %rax, %r13
+        adcxq	%rax, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rax, %r14
+        adcxq	%rax, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rax, %r15
+        adcxq	%rax, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rax
+        andq	%rcx, %r12
+        addq	%rax, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, 64(%rsp)
+        movq	%r10, 72(%rsp)
+        movq	%r11, 80(%rsp)
+        movq	%r12, 88(%rsp)
+        # Add
+        movq	96(%rsp), %r9
+        movq	104(%rsp), %r10
+        addq	32(%rsp), %r9
+        movq	112(%rsp), %r11
+        adcq	40(%rsp), %r10
+        movq	120(%rsp), %rax
+        adcq	48(%rsp), %r11
+        movq	$-19, %rcx
+        adcq	56(%rsp), %rax
+        movq	$0x7fffffffffffffff, %rbx
+        movq	%rax, %r12
+        sarq	$63, %rax
+        #   Mask the modulus
+        andq	%rax, %rcx
+        andq	%rax, %rbx
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r9
+        sbbq	%rax, %r10
+        sbbq	%rax, %r11
+        sbbq	%rbx, %r12
+        movq	%r9, 96(%rsp)
+        movq	%r10, 104(%rsp)
+        movq	%r11, 112(%rsp)
+        movq	%r12, 120(%rsp)
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rsp), %rdx
+        mulxq	(%r8), %r9, %r10
+        # A[2] * B[0]
+        mulxq	16(%r8), %r11, %r12
+        # A[1] * B[0]
+        mulxq	8(%r8), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	24(%rsp), %rdx
+        mulxq	8(%r8), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	8(%rsp), %rdx
+        mulxq	(%r8), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	16(%r8), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	16(%rsp), %rdx
+        mulxq	8(%r8), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	(%r8), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	8(%rsp), %rdx
+        mulxq	8(%r8), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	8(%rsp), %rdx
+        adoxq	%rcx, %r12
+        mulxq	24(%r8), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	16(%rsp), %rdx
+        mulxq	16(%r8), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	24(%rsp), %rdx
+        adoxq	%rcx, %r14
+        mulxq	24(%r8), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	(%r8), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	(%rsp), %rdx
+        adcxq	%rcx, %r13
+        mulxq	24(%r8), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	24(%rsp), %rdx
+        mulxq	16(%r8), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	16(%rsp), %rdx
+        adcxq	%rcx, %r15
+        mulxq	24(%r8), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, 32(%rsp)
+        movq	%r10, 40(%rsp)
+        movq	%r11, 48(%rsp)
+        movq	%r12, 56(%rsp)
+        # Multiply
+        # A[0] * B[0]
+        movq	96(%rsp), %rdx
+        mulxq	128(%rsp), %r9, %r10
+        # A[2] * B[0]
+        mulxq	144(%rsp), %r11, %r12
+        # A[1] * B[0]
+        mulxq	136(%rsp), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	120(%rsp), %rdx
+        mulxq	136(%rsp), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	104(%rsp), %rdx
+        mulxq	128(%rsp), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	144(%rsp), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	112(%rsp), %rdx
+        mulxq	136(%rsp), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	128(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	104(%rsp), %rdx
+        mulxq	136(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	104(%rsp), %rdx
+        adoxq	%rcx, %r12
+        mulxq	152(%rsp), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	112(%rsp), %rdx
+        mulxq	144(%rsp), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	120(%rsp), %rdx
+        adoxq	%rcx, %r14
+        mulxq	152(%rsp), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	128(%rsp), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	96(%rsp), %rdx
+        adcxq	%rcx, %r13
+        mulxq	152(%rsp), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	120(%rsp), %rdx
+        mulxq	144(%rsp), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	112(%rsp), %rdx
+        adcxq	%rcx, %r15
+        mulxq	152(%rsp), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, (%rsp)
+        movq	%r10, 8(%rsp)
+        movq	%r11, 16(%rsp)
+        movq	%r12, 24(%rsp)
+        decb	168(%rsp)
+        jge	L_curve25519_avx2_bits
+        movq	$63, 168(%rsp)
+        decb	160(%rsp)
+        jge	L_curve25519_avx2_words
+        # Invert
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        movq	%rsp, %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        movq	$19, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$9, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	128(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        movq	$0x63, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	128(%rsp), %rsi
+        leaq	96(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	96(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        movq	$49, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	96(%rsp), %rsi
+        leaq	64(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movq	$4, %rdx
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	176(%rsp), %rdi
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rsp), %rdx
+        mulxq	(%rdi), %r9, %r10
+        # A[2] * B[0]
+        mulxq	16(%rdi), %r11, %r12
+        # A[1] * B[0]
+        mulxq	8(%rdi), %rcx, %rbx
+        xorq	%rbp, %rbp
+        adcxq	%rcx, %r10
+        # A[1] * B[3]
+        movq	24(%rsp), %rdx
+        mulxq	8(%rdi), %r13, %r14
+        adcxq	%rbx, %r11
+        # A[0] * B[1]
+        movq	8(%rsp), %rdx
+        mulxq	(%rdi), %rcx, %rbx
+        adoxq	%rcx, %r10
+        # A[2] * B[1]
+        mulxq	16(%rdi), %rcx, %r15
+        adoxq	%rbx, %r11
+        adcxq	%rcx, %r12
+        # A[1] * B[2]
+        movq	16(%rsp), %rdx
+        mulxq	8(%rdi), %rcx, %rbx
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        adcxq	%rbp, %r14
+        adoxq	%rbx, %r13
+        # A[0] * B[2]
+        mulxq	(%rdi), %rcx, %rbx
+        adoxq	%rbp, %r14
+        xorq	%r15, %r15
+        adcxq	%rcx, %r11
+        # A[1] * B[1]
+        movq	8(%rsp), %rdx
+        mulxq	8(%rdi), %rdx, %rcx
+        adcxq	%rbx, %r12
+        adoxq	%rdx, %r11
+        # A[3] * B[1]
+        movq	8(%rsp), %rdx
+        adoxq	%rcx, %r12
+        mulxq	24(%rdi), %rcx, %rbx
+        adcxq	%rcx, %r13
+        # A[2] * B[2]
+        movq	16(%rsp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rbx, %r14
+        adoxq	%rdx, %r13
+        # A[3] * B[3]
+        movq	24(%rsp), %rdx
+        adoxq	%rcx, %r14
+        mulxq	24(%rdi), %rcx, %rbx
+        adoxq	%rbp, %r15
+        adcxq	%rcx, %r15
+        # A[0] * B[3]
+        mulxq	(%rdi), %rdx, %rcx
+        adcxq	%rbx, %rbp
+        xorq	%rbx, %rbx
+        adcxq	%rdx, %r12
+        # A[3] * B[0]
+        movq	(%rsp), %rdx
+        adcxq	%rcx, %r13
+        mulxq	24(%rdi), %rdx, %rcx
+        adoxq	%rdx, %r12
+        adoxq	%rcx, %r13
+        # A[2] * B[3]
+        movq	24(%rsp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rdx, %r14
+        # A[3] * B[2]
+        movq	16(%rsp), %rdx
+        adcxq	%rcx, %r15
+        mulxq	24(%rdi), %rcx, %rdx
+        adcxq	%rbx, %rbp
+        adoxq	%rcx, %r14
+        adoxq	%rdx, %r15
+        adoxq	%rbx, %rbp
+        # Reduce
+        movq	$0x7fffffffffffffff, %rbx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r15, %rbp
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        andq	%rbx, %r12
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rbx, %rbx
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %rcx, %r15
+        adcxq	%rcx, %r11
+        adoxq	%r15, %r12
+        mulxq	%rbp, %rbp, %rdx
+        adcxq	%rbp, %r12
+        adoxq	%rbx, %rdx
+        adcxq	%rbx, %rdx
+        #  Overflow
+        shldq	$0x01, %r12, %rdx
+        movq	$0x7fffffffffffffff, %rbx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Reduce if top bit set
+        movq	%r12, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rbx, %r12
+        addq	%rcx, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Store
+        movq	%r9, (%rdi)
+        movq	%r10, 8(%rdi)
+        movq	%r11, 16(%rdi)
+        movq	%r12, 24(%rdi)
+        xorq	%rax, %rax
+        addq	$0xc0, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	curve25519_avx2,.-curve25519_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_pow22523_avx2
+.type	fe_pow22523_avx2,@function
+.align	4
+fe_pow22523_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_pow22523_avx2
+.p2align	2
+_fe_pow22523_avx2:
+#endif /* __APPLE__ */
+        subq	$0x70, %rsp
+        # pow22523
+        movq	%rdi, 96(%rsp)
+        movq	%rsi, 104(%rsp)
+        movq	%rsp, %rdi
+        movq	104(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	104(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movb	$4, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movb	$9, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movb	$19, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movb	$9, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movb	$49, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	64(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        movb	$0x63, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	64(%rsp), %rsi
+        leaq	32(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        leaq	32(%rsp), %rdi
+        leaq	32(%rsp), %rsi
+        movb	$49, %dl
+#ifndef __APPLE__
+        callq	fe_sq_n_avx2@plt
+#else
+        callq	_fe_sq_n_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        leaq	32(%rsp), %rsi
+        movq	%rsp, %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        movq	%rsp, %rdi
+        movq	%rsp, %rsi
+#ifndef __APPLE__
+        callq	fe_sq_avx2@plt
+#else
+        callq	_fe_sq_avx2
+#endif /* __APPLE__ */
+        movq	96(%rsp), %rdi
+        movq	%rsp, %rsi
+        movq	104(%rsp), %rdx
+#ifndef __APPLE__
+        callq	fe_mul_avx2@plt
+#else
+        callq	_fe_mul_avx2
+#endif /* __APPLE__ */
+        movq	104(%rsp), %rsi
+        movq	96(%rsp), %rdi
+        addq	$0x70, %rsp
+        repz retq
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p2_avx2
+.type	fe_ge_to_p2_avx2,@function
+.align	4
+fe_ge_to_p2_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p2_avx2
+.p2align	2
+_fe_ge_to_p2_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$40, %rsp
+        movq	%rsi, (%rsp)
+        movq	%rdx, 8(%rsp)
+        movq	%rcx, 16(%rsp)
+        movq	%r8, 24(%rsp)
+        movq	%r9, 32(%rsp)
+        movq	16(%rsp), %rsi
+        movq	88(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	24(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	88(%rsp), %rsi
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rsi), %rdx
+        mulxq	(%rbx), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rbx), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rbx), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rsi), %rdx
+        mulxq	8(%rbx), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rsi), %rdx
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rbx), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rbx), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rsi), %rdx
+        mulxq	8(%rbx), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rsi), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rbx), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rsi), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rsi), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rbx), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rbx), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rsi), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rbx), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rsi), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rsi), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rbx), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_to_p2_avx2,.-fe_ge_to_p2_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_to_p3_avx2
+.type	fe_ge_to_p3_avx2,@function
+.align	4
+fe_ge_to_p3_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_to_p3_avx2
+.p2align	2
+_fe_ge_to_p3_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$40, %rsp
+        movq	%rsi, (%rsp)
+        movq	%rdx, 8(%rsp)
+        movq	%rcx, 16(%rsp)
+        movq	%r8, 24(%rsp)
+        movq	%r9, 32(%rsp)
+        movq	24(%rsp), %rsi
+        movq	96(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	(%rsp), %rdi
+        movq	32(%rsp), %rsi
+        movq	88(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	96(%rsp), %rsi
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rsi), %rdx
+        mulxq	(%rbx), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rbx), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rbx), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rsi), %rdx
+        mulxq	8(%rbx), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rsi), %rdx
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rbx), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rbx), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rsi), %rdx
+        mulxq	8(%rbx), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rsi), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rbx), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rsi), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rsi), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rbx), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rbx), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rsi), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rbx), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rsi), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rsi), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rbx), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	24(%rsp), %rsi
+        movq	32(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_to_p3_avx2,.-fe_ge_to_p3_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_dbl_avx2
+.type	fe_ge_dbl_avx2,@function
+.align	4
+fe_ge_dbl_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_dbl_avx2
+.p2align	2
+_fe_ge_dbl_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbp
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$48, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	32(%rsp), %rsi
+        # Square
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rsi), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        adoxq	%rax, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        mulxq	24(%rsi), %rbp, %r8
+        adcxq	%rax, %r11
+        adcxq	%rbp, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rbp
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rax
+        adcxq	%r10, %r10
+        adoxq	%rbp, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rbp, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rax, %r11
+        adcxq	%r13, %r13
+        adoxq	%rbp, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rbp, %rax
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rbp, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rbp, %r12
+        adcxq	%rbp, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rbp, %r13
+        adcxq	%rbp, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rbp, %r14
+        adcxq	%rbp, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	16(%rsp), %rdi
+        movq	40(%rsp), %rbx
+        # Square
+        # A[0] * A[1]
+        movq	(%rbx), %rdx
+        mulxq	8(%rbx), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rbx), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rbx), %rcx, %rax
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rbx), %r13, %r14
+        adoxq	%rax, %r12
+        # A[2] * A[0]
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rbx), %rdx
+        mulxq	24(%rbx), %rbp, %r8
+        adcxq	%rax, %r11
+        adcxq	%rbp, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rbx), %rdx
+        mulxq	%rdx, %r8, %rbp
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rbx), %rdx
+        mulxq	%rdx, %rcx, %rax
+        adcxq	%r10, %r10
+        adoxq	%rbp, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rbx), %rdx
+        mulxq	%rdx, %rbp, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rax, %r11
+        adcxq	%r13, %r13
+        adoxq	%rbp, %r12
+        # A[3] * A[3]
+        movq	24(%rbx), %rdx
+        mulxq	%rdx, %rbp, %rax
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rbp, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rbp, %r12
+        adcxq	%rbp, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rbp, %r13
+        adcxq	%rbp, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rbp, %r14
+        adcxq	%rbp, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	(%rbx), %r8
+        movq	16(%rsi), %r10
+        adcq	8(%rbx), %r9
+        movq	24(%rsi), %rdx
+        adcq	16(%rbx), %r10
+        movq	$-19, %rcx
+        adcq	24(%rbx), %rdx
+        movq	$0x7fffffffffffffff, %rax
+        movq	%rdx, %r11
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	24(%rsp), %rsi
+        # Square
+        # A[0] * A[1]
+        movq	(%rdi), %rdx
+        mulxq	8(%rdi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rdi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rdi), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rdi), %r13, %r14
+        adoxq	%rax, %r12
+        # A[2] * A[0]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rdi), %rdx
+        mulxq	24(%rdi), %rbp, %r8
+        adcxq	%rax, %r11
+        adcxq	%rbp, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rdi), %rdx
+        mulxq	%rdx, %r8, %rbp
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rdi), %rdx
+        mulxq	%rdx, %rcx, %rax
+        adcxq	%r10, %r10
+        adoxq	%rbp, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rdi), %rdx
+        mulxq	%rdx, %rbp, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rax, %r11
+        adcxq	%r13, %r13
+        adoxq	%rbp, %r12
+        # A[3] * A[3]
+        movq	24(%rdi), %rdx
+        mulxq	%rdx, %rbp, %rax
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rbp, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rcx
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rcx, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rcx, %rcx
+        mulxq	%r12, %rbp, %r12
+        adcxq	%rbp, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rbp, %r13
+        adcxq	%rbp, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rbp, %r14
+        adcxq	%rbp, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rcx, %rdx
+        adcxq	%rcx, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rcx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rbp
+        andq	%rcx, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	16(%rsp), %rsi
+        movq	(%rsp), %rbx
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %rdx
+        movq	%r8, %r12
+        addq	(%rbx), %r8
+        movq	%r9, %r13
+        adcq	8(%rbx), %r9
+        movq	%r10, %r14
+        adcq	16(%rbx), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbx), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbx), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbx), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbx), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbx), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	24(%rsp), %rsi
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rdi), %r8
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r9
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r10
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r11
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r8
+        adcq	%rdx, %r9
+        adcq	%rdx, %r10
+        adcq	%rax, %r11
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	104(%rsp), %rdi
+        # Square * 2
+        # A[0] * A[1]
+        movq	(%rdi), %rdx
+        mulxq	8(%rdi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rdi), %r11, %r12
+        # A[2] * A[1]
+        movq	16(%rdi), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        # A[2] * A[3]
+        mulxq	24(%rdi), %r13, %r14
+        adoxq	%rax, %r12
+        # A[2] * A[0]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        # A[1] * A[3]
+        movq	8(%rdi), %rdx
+        mulxq	24(%rdi), %rbp, %r8
+        adcxq	%rax, %r11
+        adcxq	%rbp, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rdi), %rdx
+        mulxq	%rdx, %r8, %rbp
+        adcxq	%r9, %r9
+        # A[1] * A[1]
+        movq	8(%rdi), %rdx
+        mulxq	%rdx, %rcx, %rax
+        adcxq	%r10, %r10
+        adoxq	%rbp, %r9
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rdi), %rdx
+        mulxq	%rdx, %rbp, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rax, %r11
+        adcxq	%r13, %r13
+        adoxq	%rbp, %r12
+        # A[3] * A[3]
+        movq	24(%rdi), %rdx
+        mulxq	%rdx, %rbp, %rax
+        adcxq	%r14, %r14
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rbp, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        xorq	%rbp, %rbp
+        #  Move top half into t4-t7 and remove top bit from t3 and double
+        shldq	$3, %r15, %rbp
+        shldq	$2, %r14, %r15
+        shldq	$2, %r13, %r14
+        shldq	$2, %r12, %r13
+        shldq	$2, %r11, %r12
+        shldq	$0x01, %r10, %r11
+        shldq	$0x01, %r9, %r10
+        shldq	$0x01, %r8, %r9
+        shlq	$0x01, %r8
+        andq	%rax, %r11
+        #  Two out left, one in right
+        andq	%rax, %r15
+        #  Multiply top bits by 19*19
+        imulq	$0x169, %rbp, %rcx
+        xorq	%rax, %rax
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        adoxq	%rcx, %r8
+        mulxq	%r12, %rbp, %r12
+        adcxq	%rbp, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rbp, %r13
+        adcxq	%rbp, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rbp, %r14
+        adcxq	%rbp, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rbp
+        andq	%rax, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rbp
+        andq	%rax, %r11
+        addq	%rbp, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	16(%rsp), %rdi
+        # Sub
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	(%rdi), %r8
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r9
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r10
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r11
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r8
+        adcq	%rdx, %r9
+        adcq	%rdx, %r10
+        adcq	%rax, %r11
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        addq	$48, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        popq	%rbp
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_dbl_avx2,.-fe_ge_dbl_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_madd_avx2
+.type	fe_ge_madd_avx2,@function
+.align	4
+fe_ge_madd_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_madd_avx2
+.p2align	2
+_fe_ge_madd_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbp
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$48, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	8(%rsp), %rsi
+        movq	40(%rsp), %rbx
+        movq	32(%rsp), %rbp
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rbp), %r8
+        movq	%r9, %r13
+        adcq	8(%rbp), %r9
+        movq	%r10, %r14
+        adcq	16(%rbp), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbp), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbp), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbp), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbp), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbp), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	16(%rsp), %rbx
+        movq	128(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rdi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rdi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rdi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rdi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rdi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rdi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rdi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rdi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rdi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rdi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	136(%rsp), %rdi
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rdi), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rdi), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rdi), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rdi), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rdi), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	24(%rsp), %rdi
+        movq	120(%rsp), %rsi
+        movq	112(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rdi
+        movq	(%rsp), %rsi
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rdi), %r8
+        movq	%r9, %r13
+        adcq	8(%rdi), %r9
+        movq	%r10, %r14
+        adcq	16(%rdi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rdi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rdi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	104(%rsp), %rdi
+        # Double
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        addq	%r8, %r8
+        movq	16(%rdi), %r10
+        adcq	%r9, %r9
+        movq	24(%rdi), %rdx
+        adcq	%r10, %r10
+        movq	$-19, %rcx
+        adcq	%rdx, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        movq	%rdx, %r11
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	24(%rsp), %rdi
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rdi), %r8
+        movq	%r9, %r13
+        adcq	8(%rdi), %r9
+        movq	%r10, %r14
+        adcq	16(%rdi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rdi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rdi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        addq	$48, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        popq	%rbp
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_madd_avx2,.-fe_ge_madd_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_msub_avx2
+.type	fe_ge_msub_avx2,@function
+.align	4
+fe_ge_msub_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_msub_avx2
+.p2align	2
+_fe_ge_msub_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbp
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$48, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	8(%rsp), %rsi
+        movq	40(%rsp), %rbx
+        movq	32(%rsp), %rbp
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rbp), %r8
+        movq	%r9, %r13
+        adcq	8(%rbp), %r9
+        movq	%r10, %r14
+        adcq	16(%rbp), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbp), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbp), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbp), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbp), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbp), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	16(%rsp), %rbx
+        movq	136(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rdi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rdi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rdi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rdi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rdi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rdi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rdi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rdi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rdi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rdi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	128(%rsp), %rdi
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rdi), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rdi), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rdi), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rdi), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rdi), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rdi), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rdi), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rdi), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	24(%rsp), %rdi
+        movq	120(%rsp), %rsi
+        movq	112(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	8(%rsp), %rsi
+        movq	(%rsp), %rbp
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rsi), %r8
+        movq	%r9, %r13
+        adcq	8(%rsi), %r9
+        movq	%r10, %r14
+        adcq	16(%rsi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rsi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rsi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rsi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rsi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rsi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	%r12, (%rbp)
+        movq	%r13, 8(%rbp)
+        movq	%r14, 16(%rbp)
+        movq	%r15, 24(%rbp)
+        movq	104(%rsp), %rsi
+        # Double
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        addq	%r8, %r8
+        movq	16(%rsi), %r10
+        adcq	%r9, %r9
+        movq	24(%rsi), %rdx
+        adcq	%r10, %r10
+        movq	$-19, %rcx
+        adcq	%rdx, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        movq	%rdx, %r11
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rdi), %r8
+        movq	%r9, %r13
+        adcq	8(%rdi), %r9
+        movq	%r10, %r14
+        adcq	16(%rdi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rdi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rdi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rbx)
+        movq	%r13, 8(%rbx)
+        movq	%r14, 16(%rbx)
+        movq	%r15, 24(%rbx)
+        addq	$48, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        popq	%rbp
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_msub_avx2,.-fe_ge_msub_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_add_avx2
+.type	fe_ge_add_avx2,@function
+.align	4
+fe_ge_add_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_add_avx2
+.p2align	2
+_fe_ge_add_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%rbp
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	8(%rsp), %rsi
+        movq	40(%rsp), %rbx
+        movq	32(%rsp), %rbp
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rbp), %r8
+        movq	%r9, %r13
+        adcq	8(%rbp), %r9
+        movq	%r10, %r14
+        adcq	16(%rbp), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbp), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbp), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbp), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbp), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbp), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	16(%rsp), %rbx
+        movq	168(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rdi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rdi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rdi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rdi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rdi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rdi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rdi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rdi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rdi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rdi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	176(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	24(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        movq	144(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rbx), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rbx), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rbx), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rbx), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rbx), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rbx), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rbx), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rbx), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rbx), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rbx), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rbx), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rbx), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	136(%rsp), %rsi
+        movq	152(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rsi
+        # Double
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        addq	%r8, %r8
+        movq	16(%rdi), %r10
+        adcq	%r9, %r9
+        movq	24(%rdi), %rdx
+        adcq	%r10, %r10
+        movq	$-19, %rcx
+        adcq	%rdx, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        movq	%rdx, %r11
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	8(%rsp), %rbx
+        movq	16(%rsp), %rbp
+        # Add
+        movq	(%rbp), %r8
+        movq	8(%rbp), %r9
+        movq	16(%rbp), %r10
+        movq	24(%rbp), %rdx
+        movq	%r8, %r12
+        addq	(%rbx), %r8
+        movq	%r9, %r13
+        adcq	8(%rbx), %r9
+        movq	%r10, %r14
+        adcq	16(%rbx), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbx), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbx), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbx), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbx), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbx), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        movq	24(%rsp), %rdi
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %rdx
+        movq	%r8, %r12
+        addq	(%rdi), %r8
+        movq	%r9, %r13
+        adcq	8(%rdi), %r9
+        movq	%r10, %r14
+        adcq	16(%rdi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rdi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rdi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rbp)
+        movq	%r9, 8(%rbp)
+        movq	%r10, 16(%rbp)
+        movq	%r11, 24(%rbp)
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbp
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_add_avx2,.-fe_ge_add_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	fe_ge_sub_avx2
+.type	fe_ge_sub_avx2,@function
+.align	4
+fe_ge_sub_avx2:
+#else
+.section	__TEXT,__text
+.globl	_fe_ge_sub_avx2
+.p2align	2
+_fe_ge_sub_avx2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%rbp
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x50, %rsp
+        movq	%rdi, (%rsp)
+        movq	%rsi, 8(%rsp)
+        movq	%rdx, 16(%rsp)
+        movq	%rcx, 24(%rsp)
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	8(%rsp), %rsi
+        movq	40(%rsp), %rbx
+        movq	32(%rsp), %rbp
+        # Add
+        movq	(%rbx), %r8
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %rdx
+        movq	%r8, %r12
+        addq	(%rbp), %r8
+        movq	%r9, %r13
+        adcq	8(%rbp), %r9
+        movq	%r10, %r14
+        adcq	16(%rbp), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbp), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbp), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbp), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbp), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbp), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rsi)
+        movq	%r13, 8(%rsi)
+        movq	%r14, 16(%rsi)
+        movq	%r15, 24(%rsi)
+        movq	16(%rsp), %rbx
+        movq	176(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rdi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rdi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rdi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rdi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rdi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rdi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rdi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rdi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rdi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rdi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rdi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rdi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rdi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rdi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	168(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	24(%rsp), %rsi
+        movq	160(%rsp), %rbx
+        movq	144(%rsp), %rbp
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rbx), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rbx), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rbx), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rbx), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rbx), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rbx), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rbx), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rbx), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rbx), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rbx), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rbx), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbp), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rbx), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	16(%rbx), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbp), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rbx), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	136(%rsp), %rsi
+        movq	152(%rsp), %rbx
+        # Multiply
+        # A[0] * B[0]
+        movq	(%rbx), %rdx
+        mulxq	(%rsi), %r8, %r9
+        # A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        # A[1] * B[0]
+        mulxq	8(%rsi), %rcx, %rax
+        xorq	%r15, %r15
+        adcxq	%rcx, %r9
+        # A[1] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rax, %r10
+        # A[0] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%rcx, %r9
+        # A[2] * B[1]
+        mulxq	16(%rsi), %rcx, %r14
+        adoxq	%rax, %r10
+        adcxq	%rcx, %r11
+        # A[1] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	8(%rsi), %rcx, %rax
+        adcxq	%r14, %r12
+        adoxq	%rcx, %r11
+        adcxq	%r15, %r13
+        adoxq	%rax, %r12
+        # A[0] * B[2]
+        mulxq	(%rsi), %rcx, %rax
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rcx, %r10
+        # A[1] * B[1]
+        movq	8(%rbx), %rdx
+        mulxq	8(%rsi), %rdx, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rdx, %r10
+        # A[3] * B[1]
+        movq	8(%rbx), %rdx
+        adoxq	%rcx, %r11
+        mulxq	24(%rsi), %rcx, %rax
+        adcxq	%rcx, %r12
+        # A[2] * B[2]
+        movq	16(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rdx, %r12
+        # A[3] * B[3]
+        movq	24(%rbx), %rdx
+        adoxq	%rcx, %r13
+        mulxq	24(%rsi), %rcx, %rax
+        adoxq	%r15, %r14
+        adcxq	%rcx, %r14
+        # A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rcx
+        adcxq	%rax, %r15
+        xorq	%rax, %rax
+        adcxq	%rdx, %r11
+        # A[3] * B[0]
+        movq	(%rbx), %rdx
+        adcxq	%rcx, %r12
+        mulxq	24(%rsi), %rdx, %rcx
+        adoxq	%rdx, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[3]
+        movq	24(%rbx), %rdx
+        mulxq	16(%rsi), %rdx, %rcx
+        adcxq	%rdx, %r13
+        # A[3] * B[2]
+        movq	16(%rbx), %rdx
+        adcxq	%rcx, %r14
+        mulxq	24(%rsi), %rcx, %rdx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rax, %r15
+        # Reduce
+        movq	$0x7fffffffffffffff, %rax
+        #  Move top half into t4-t7 and remove top bit from t3
+        shldq	$0x01, %r14, %r15
+        shldq	$0x01, %r13, %r14
+        shldq	$0x01, %r12, %r13
+        shldq	$0x01, %r11, %r12
+        andq	%rax, %r11
+        #  Multiply top half by 19
+        movq	$19, %rdx
+        xorq	%rax, %rax
+        mulxq	%r12, %rcx, %r12
+        adcxq	%rcx, %r8
+        adoxq	%r12, %r9
+        mulxq	%r13, %rcx, %r13
+        adcxq	%rcx, %r9
+        adoxq	%r13, %r10
+        mulxq	%r14, %rcx, %r14
+        adcxq	%rcx, %r10
+        adoxq	%r14, %r11
+        mulxq	%r15, %r15, %rdx
+        adcxq	%r15, %r11
+        adoxq	%rax, %rdx
+        adcxq	%rax, %rdx
+        #  Overflow
+        shldq	$0x01, %r11, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Reduce if top bit set
+        movq	%r11, %rdx
+        shrq	$63, %rdx
+        imulq	$19, %rdx, %rcx
+        andq	%rax, %r11
+        addq	%rcx, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        adcq	$0x00, %r11
+        # Store
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        leaq	48(%rsp), %rsi
+        # Double
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        addq	%r8, %r8
+        movq	16(%rdi), %r10
+        adcq	%r9, %r9
+        movq	24(%rdi), %rdx
+        adcq	%r10, %r10
+        movq	$-19, %rcx
+        adcq	%rdx, %rdx
+        movq	$0x7fffffffffffffff, %rax
+        movq	%rdx, %r11
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        movq	%r8, (%rsi)
+        movq	%r9, 8(%rsi)
+        movq	%r10, 16(%rsi)
+        movq	%r11, 24(%rsi)
+        movq	8(%rsp), %rbx
+        movq	16(%rsp), %rbp
+        # Add
+        movq	(%rbp), %r8
+        movq	8(%rbp), %r9
+        movq	16(%rbp), %r10
+        movq	24(%rbp), %rdx
+        movq	%r8, %r12
+        addq	(%rbx), %r8
+        movq	%r9, %r13
+        adcq	8(%rbx), %r9
+        movq	%r10, %r14
+        adcq	16(%rbx), %r10
+        movq	%rdx, %r15
+        adcq	24(%rbx), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rbx), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rbx), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rbx), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rbx), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rbx)
+        movq	%r9, 8(%rbx)
+        movq	%r10, 16(%rbx)
+        movq	%r11, 24(%rbx)
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        movq	24(%rsp), %rdi
+        # Add
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %rdx
+        movq	%r8, %r12
+        addq	(%rdi), %r8
+        movq	%r9, %r13
+        adcq	8(%rdi), %r9
+        movq	%r10, %r14
+        adcq	16(%rdi), %r10
+        movq	%rdx, %r15
+        adcq	24(%rdi), %rdx
+        movq	$-19, %rcx
+        movq	%rdx, %r11
+        movq	$0x7fffffffffffffff, %rax
+        sarq	$63, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Sub modulus (if overflow)
+        subq	%rcx, %r8
+        sbbq	%rdx, %r9
+        sbbq	%rdx, %r10
+        sbbq	%rax, %r11
+        # Sub
+        subq	(%rdi), %r12
+        movq	$0x00, %rdx
+        sbbq	8(%rdi), %r13
+        movq	$-19, %rcx
+        sbbq	16(%rdi), %r14
+        movq	$0x7fffffffffffffff, %rax
+        sbbq	24(%rdi), %r15
+        sbbq	$0x00, %rdx
+        #   Mask the modulus
+        andq	%rdx, %rcx
+        andq	%rdx, %rax
+        #   Add modulus (if underflow)
+        addq	%rcx, %r12
+        adcq	%rdx, %r13
+        adcq	%rdx, %r14
+        adcq	%rax, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, (%rbp)
+        movq	%r13, 8(%rbp)
+        movq	%r14, 16(%rbp)
+        movq	%r15, 24(%rbp)
+        addq	$0x50, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbp
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	fe_ge_sub_avx2,.-fe_ge_sub_avx2
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips_test.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips_test.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fips_test.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mont_small.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mont_small.i
index c4a339b9b..380b0a25b 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mont_small.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mont_small.i
@@ -1,8 +1,8 @@
 /* fp_mont_small.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,21 +16,34 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SMALL_MONT_SET
 /* computes x/R == x (mod N) via Montgomery Reduction */
-void fp_montgomery_reduce_small(fp_int *a, fp_int *m, fp_digit mp)
+int fp_montgomery_reduce_small(fp_int *a, fp_int *m, fp_digit mp)
 {
-   fp_digit c[FP_SIZE], *_c, *tmpm, mu, cy;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit c[FP_SIZE];
+#else
+   fp_digit *c;
+#endif
+   fp_digit *_c, *tmpm, mu, cy;
    int      oldused, x, y, pa;
 
-#if defined(USE_MEMSET)
-   /* now zero the buff */
-   memset(c, 0, sizeof c);
+#ifdef WOLFSSL_SMALL_STACK
+   /* only allocate space for what's needed for window plus res */
+   c = (fp_digit*)XMALLOC(sizeof(fp_digit)*FP_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (c == NULL) {
+      return FP_MEM;
+   }
 #endif
+
+   /* now zero the buff */
+   XMEMSET(c, 0, sizeof(fp_digit)*(FP_SIZE));
+
    pa = m->used;
 
    /* copy the input */
@@ -38,11 +51,7 @@ void fp_montgomery_reduce_small(fp_int *a, fp_int *m, fp_digit mp)
    for (x = 0; x < oldused; x++) {
        c[x] = a->dp[x];
    }
-#if !defined(USE_MEMSET)
-   for (; x < 2*pa+3; x++) {
-       c[x] = 0;
-   }
-#endif
+
    MONT_START;
 
    switch (pa) {
@@ -3855,6 +3864,11 @@ void fp_montgomery_reduce_small(fp_int *a, fp_int *m, fp_digit mp)
   if (fp_cmp_mag (a, m) != FP_LT) {
     s_fp_sub (a, m, a);
   }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(c, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+  return FP_OKAY;
 }
 
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_12.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_12.i
index b25ce5c4a..0f0683d74 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_12.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_12.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_12.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL12
-void fp_mul_comba12(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba12(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[24];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[24];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 24, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 12 * sizeof(fp_digit));
-   memcpy(at+12, B->dp, 12 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 12 * sizeof(fp_digit));
+   XMEMCPY(at+12, B->dp, 12 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -126,5 +138,10 @@ void fp_mul_comba12(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_17.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_17.i
index fe12f0602..fb3205515 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_17.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_17.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_17.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL17
-void fp_mul_comba17(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba17(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[34];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[34];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 34, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 17 * sizeof(fp_digit));
-   memcpy(at+17, B->dp, 17 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 17 * sizeof(fp_digit));
+   XMEMCPY(at+17, B->dp, 17 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -166,5 +178,10 @@ void fp_mul_comba17(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_20.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_20.i
index cd07e5dfd..372f51f41 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_20.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_20.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_20.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,16 +16,28 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef TFM_MUL20
-void fp_mul_comba20(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba20(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[40];
-   
-   memcpy(at, A->dp, 20 * sizeof(fp_digit));
-   memcpy(at+20, B->dp, 20 * sizeof(fp_digit));
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[40];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 40, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
+
+   XMEMCPY(at, A->dp, 20 * sizeof(fp_digit));
+   XMEMCPY(at+20, B->dp, 20 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -189,5 +201,10 @@ void fp_mul_comba20(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_24.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_24.i
index 2576d27aa..17705f7df 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_24.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_24.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_24.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL24
-void fp_mul_comba24(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba24(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[48];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[48];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 48, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 24 * sizeof(fp_digit));
-   memcpy(at+24, B->dp, 24 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 24 * sizeof(fp_digit));
+   XMEMCPY(at+24, B->dp, 24 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -222,5 +234,10 @@ void fp_mul_comba24(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_28.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_28.i
index 822dd14c7..594db74ef 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_28.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_28.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_28.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL28
-void fp_mul_comba28(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba28(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[56];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[56];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 56, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 28 * sizeof(fp_digit));
-   memcpy(at+28, B->dp, 28 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 28 * sizeof(fp_digit));
+   XMEMCPY(at+28, B->dp, 28 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -254,5 +266,10 @@ void fp_mul_comba28(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_3.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_3.i
index 440291e38..0befff860 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_3.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_3.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_3.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,18 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL3
-void fp_mul_comba3(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba3(fp_int *A, fp_int *B, fp_int *C)
 {
    fp_digit c0, c1, c2, at[6];
 
-   memcpy(at, A->dp, 3 * sizeof(fp_digit));
-   memcpy(at+3, B->dp, 3 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 3 * sizeof(fp_digit));
+   XMEMCPY(at+3, B->dp, 3 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -54,5 +55,7 @@ void fp_mul_comba3(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_32.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_32.i
index 905028d17..97dc076be 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_32.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_32.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_32.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,19 +16,31 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL32
-void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[64];
    int out_size;
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[64];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 64, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
    out_size = A->used + B->used;
-   memcpy(at, A->dp, 32 * sizeof(fp_digit));
-   memcpy(at+32, B->dp, 32 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 32 * sizeof(fp_digit));
+   XMEMCPY(at+32, B->dp, 32 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -189,7 +201,7 @@ void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
    COMBA_STORE(C->dp[38]);
 
    /* early out at 40 digits, 40*32==1280, or two 640 bit operands */
-   if (out_size <= 40) { COMBA_STORE2(C->dp[39]); C->used = 40; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return; }
+   if (out_size <= 40) { COMBA_STORE2(C->dp[39]); C->used = 40; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return FP_OKAY; }
 
    /* 39 */
    COMBA_FORWARD;
@@ -225,7 +237,7 @@ void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
    COMBA_STORE(C->dp[46]);
 
    /* early out at 48 digits, 48*32==1536, or two 768 bit operands */
-   if (out_size <= 48) { COMBA_STORE2(C->dp[47]); C->used = 48; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return; }
+   if (out_size <= 48) { COMBA_STORE2(C->dp[47]); C->used = 48; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return FP_OKAY; }
 
    /* 47 */
    COMBA_FORWARD;
@@ -261,7 +273,7 @@ void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
    COMBA_STORE(C->dp[54]);
 
    /* early out at 56 digits, 56*32==1792, or two 896 bit operands */
-   if (out_size <= 56) { COMBA_STORE2(C->dp[55]); C->used = 56; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return; }
+   if (out_size <= 56) { COMBA_STORE2(C->dp[55]); C->used = 56; C->sign = A->sign ^ B->sign; fp_clamp(C); COMBA_FINI; return FP_OKAY; }
 
    /* 55 */
    COMBA_FORWARD;
@@ -300,5 +312,10 @@ void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_4.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_4.i
index e981eb1f0..803c6151a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_4.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_4.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_4.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL4
-void fp_mul_comba4(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba4(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[8];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[8];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 8, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 4 * sizeof(fp_digit));
-   memcpy(at+4, B->dp, 4 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 4 * sizeof(fp_digit));
+   XMEMCPY(at+4, B->dp, 4 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -62,5 +74,10 @@ void fp_mul_comba4(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_48.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_48.i
index 79e43b8d0..0d1533458 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_48.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_48.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_48.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL48
-void fp_mul_comba48(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba48(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[96];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[96];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 96, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 48 * sizeof(fp_digit));
-   memcpy(at+48, B->dp, 48 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 48 * sizeof(fp_digit));
+   XMEMCPY(at+48, B->dp, 48 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -414,5 +426,10 @@ void fp_mul_comba48(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_6.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_6.i
index 165c270b7..815badcb8 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_6.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_6.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_6.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL6
-void fp_mul_comba6(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba6(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[12];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[12];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 12, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 6 * sizeof(fp_digit));
-   memcpy(at+6, B->dp, 6 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 6 * sizeof(fp_digit));
+   XMEMCPY(at+6, B->dp, 6 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -78,5 +90,10 @@ void fp_mul_comba6(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_64.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_64.i
index 76d7c2114..7080fa2a3 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_64.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_64.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_64.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL64
-void fp_mul_comba64(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba64(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[128];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[128];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 64 * sizeof(fp_digit));
-   memcpy(at+64, B->dp, 64 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 64 * sizeof(fp_digit));
+   XMEMCPY(at+64, B->dp, 64 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -542,5 +554,10 @@ void fp_mul_comba64(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_7.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_7.i
index eed886315..b969a9a3b 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_7.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_7.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_7.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL7
-void fp_mul_comba7(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba7(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[14];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[14];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 14, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 7 * sizeof(fp_digit));
-   memcpy(at+7, B->dp, 7 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 7 * sizeof(fp_digit));
+   XMEMCPY(at+7, B->dp, 7 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -86,5 +98,10 @@ void fp_mul_comba7(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_8.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_8.i
index fa578a839..1d61a7781 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_8.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_8.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_8.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL8
-void fp_mul_comba8(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba8(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[16];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[16];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 8 * sizeof(fp_digit));
-   memcpy(at+8, B->dp, 8 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 8 * sizeof(fp_digit));
+   XMEMCPY(at+8, B->dp, 8 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -94,5 +106,10 @@ void fp_mul_comba8(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_9.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_9.i
index 755067f86..0eedd7597 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_9.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_9.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_9.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_MUL9
-void fp_mul_comba9(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba9(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[18];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[18];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 18, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
 
-   memcpy(at, A->dp, 9 * sizeof(fp_digit));
-   memcpy(at+9, B->dp, 9 * sizeof(fp_digit));
+   XMEMCPY(at, A->dp, 9 * sizeof(fp_digit));
+   XMEMCPY(at+9, B->dp, 9 * sizeof(fp_digit));
    COMBA_START;
 
    COMBA_CLEAR;
@@ -102,5 +114,10 @@ void fp_mul_comba9(fp_int *A, fp_int *B, fp_int *C)
    C->sign = A->sign ^ B->sign;
    fp_clamp(C);
    COMBA_FINI;
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_small_set.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_small_set.i
index deea5932c..62ab909cf 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_small_set.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_mul_comba_small_set.i
@@ -1,8 +1,8 @@
 /* fp_mul_comba_small_set.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,19 +16,32 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #if defined(TFM_SMALL_SET)
-void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
 {
-   fp_digit c0, c1, c2, at[32];
+   fp_digit c0, c1, c2;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit at[32];
+#else
+   fp_digit *at;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   at = (fp_digit*)XMALLOC(sizeof(fp_digit) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (at == NULL)
+       return FP_MEM;
+#endif
+
    switch (MAX(A->used, B->used)) { 
 
    case 1:
-      memcpy(at, A->dp, 1 * sizeof(fp_digit));
-      memcpy(at+1, B->dp, 1 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 1 * sizeof(fp_digit));
+      XMEMCPY(at+1, B->dp, 1 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -43,8 +56,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 2:
-      memcpy(at, A->dp, 2 * sizeof(fp_digit));
-      memcpy(at+2, B->dp, 2 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 2 * sizeof(fp_digit));
+      XMEMCPY(at+2, B->dp, 2 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -67,8 +80,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 3:
-      memcpy(at, A->dp, 3 * sizeof(fp_digit));
-      memcpy(at+3, B->dp, 3 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 3 * sizeof(fp_digit));
+      XMEMCPY(at+3, B->dp, 3 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -99,8 +112,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 4:
-      memcpy(at, A->dp, 4 * sizeof(fp_digit));
-      memcpy(at+4, B->dp, 4 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 4 * sizeof(fp_digit));
+      XMEMCPY(at+4, B->dp, 4 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -139,8 +152,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 5:
-      memcpy(at, A->dp, 5 * sizeof(fp_digit));
-      memcpy(at+5, B->dp, 5 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 5 * sizeof(fp_digit));
+      XMEMCPY(at+5, B->dp, 5 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -187,8 +200,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 6:
-      memcpy(at, A->dp, 6 * sizeof(fp_digit));
-      memcpy(at+6, B->dp, 6 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 6 * sizeof(fp_digit));
+      XMEMCPY(at+6, B->dp, 6 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -243,8 +256,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 7:
-      memcpy(at, A->dp, 7 * sizeof(fp_digit));
-      memcpy(at+7, B->dp, 7 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 7 * sizeof(fp_digit));
+      XMEMCPY(at+7, B->dp, 7 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -307,8 +320,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 8:
-      memcpy(at, A->dp, 8 * sizeof(fp_digit));
-      memcpy(at+8, B->dp, 8 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 8 * sizeof(fp_digit));
+      XMEMCPY(at+8, B->dp, 8 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -379,8 +392,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 9:
-      memcpy(at, A->dp, 9 * sizeof(fp_digit));
-      memcpy(at+9, B->dp, 9 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 9 * sizeof(fp_digit));
+      XMEMCPY(at+9, B->dp, 9 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -459,8 +472,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 10:
-      memcpy(at, A->dp, 10 * sizeof(fp_digit));
-      memcpy(at+10, B->dp, 10 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 10 * sizeof(fp_digit));
+      XMEMCPY(at+10, B->dp, 10 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -547,8 +560,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 11:
-      memcpy(at, A->dp, 11 * sizeof(fp_digit));
-      memcpy(at+11, B->dp, 11 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 11 * sizeof(fp_digit));
+      XMEMCPY(at+11, B->dp, 11 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -643,8 +656,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 12:
-      memcpy(at, A->dp, 12 * sizeof(fp_digit));
-      memcpy(at+12, B->dp, 12 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 12 * sizeof(fp_digit));
+      XMEMCPY(at+12, B->dp, 12 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -747,8 +760,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 13:
-      memcpy(at, A->dp, 13 * sizeof(fp_digit));
-      memcpy(at+13, B->dp, 13 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 13 * sizeof(fp_digit));
+      XMEMCPY(at+13, B->dp, 13 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -859,8 +872,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 14:
-      memcpy(at, A->dp, 14 * sizeof(fp_digit));
-      memcpy(at+14, B->dp, 14 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 14 * sizeof(fp_digit));
+      XMEMCPY(at+14, B->dp, 14 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -979,8 +992,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 15:
-      memcpy(at, A->dp, 15 * sizeof(fp_digit));
-      memcpy(at+15, B->dp, 15 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 15 * sizeof(fp_digit));
+      XMEMCPY(at+15, B->dp, 15 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -1107,8 +1120,8 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
       break;
 
    case 16:
-      memcpy(at, A->dp, 16 * sizeof(fp_digit));
-      memcpy(at+16, B->dp, 16 * sizeof(fp_digit));
+      XMEMCPY(at, A->dp, 16 * sizeof(fp_digit));
+      XMEMCPY(at+16, B->dp, 16 * sizeof(fp_digit));
       COMBA_START;
 
       COMBA_CLEAR;
@@ -1245,6 +1258,11 @@ void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C)
    default:
       break;
    }
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(at, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_12.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_12.i
index 078b8986d..cded4b123 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_12.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_12.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_12.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,30 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR12
-void fp_sqr_comba12(fp_int *A, fp_int *B)
+int fp_sqr_comba12(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[24], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[24];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 24, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
+
    a = A->dp;
    COMBA_START; 
 
@@ -151,8 +164,13 @@ void fp_sqr_comba12(fp_int *A, fp_int *B)
 
    B->used = 24;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 24 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 24 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_17.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_17.i
index d5f4674fb..d2418d931 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_17.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_17.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_17.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR17
-void fp_sqr_comba17(fp_int *A, fp_int *B)
+int fp_sqr_comba17(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[34], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[34];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 34, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -202,8 +214,13 @@ void fp_sqr_comba17(fp_int *A, fp_int *B)
 
    B->used = 34;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 34 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 34 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_20.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_20.i
index dcd9f318f..78fd3fd96 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_20.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_20.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_20.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR20
-void fp_sqr_comba20(fp_int *A, fp_int *B)
+int fp_sqr_comba20(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[40], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[40];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 40, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -232,8 +244,13 @@ void fp_sqr_comba20(fp_int *A, fp_int *B)
 
    B->used = 40;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 40 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 40 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_24.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_24.i
index cf512e3c3..602b36c09 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_24.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_24.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_24.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR24
-void fp_sqr_comba24(fp_int *A, fp_int *B)
+int fp_sqr_comba24(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[48], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[48];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 48, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -272,8 +284,13 @@ void fp_sqr_comba24(fp_int *A, fp_int *B)
 
    B->used = 48;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 48 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 48 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_28.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_28.i
index 08e9bc4d5..57c1acc30 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_28.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_28.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_28.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR28
-void fp_sqr_comba28(fp_int *A, fp_int *B)
+int fp_sqr_comba28(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[56], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[56];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 56, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -312,8 +324,13 @@ void fp_sqr_comba28(fp_int *A, fp_int *B)
 
    B->used = 56;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 56 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 56 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_3.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_3.i
index b4754093d..51c3d7422 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_3.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_3.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_3.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,12 +16,13 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR3
-void fp_sqr_comba3(fp_int *A, fp_int *B)
+int fp_sqr_comba3(fp_int *A, fp_int *B)
 {
    fp_digit *a, b[6], c0, c1, c2;
 #ifdef TFM_ISO
@@ -62,8 +63,10 @@ void fp_sqr_comba3(fp_int *A, fp_int *B)
 
    B->used = 6;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 6 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 6 * sizeof(fp_digit));
    fp_clamp(B);
+
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_32.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_32.i
index 4a35d7477..4fcf3497b 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_32.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_32.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_32.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR32
-void fp_sqr_comba32(fp_int *A, fp_int *B)
+int fp_sqr_comba32(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[64], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[64];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 64, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -352,8 +364,13 @@ void fp_sqr_comba32(fp_int *A, fp_int *B)
 
    B->used = 64;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 64 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 64 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_4.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_4.i
index bb09dc891..b7f257288 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_4.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_4.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_4.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR4
-void fp_sqr_comba4(fp_int *A, fp_int *B)
+int fp_sqr_comba4(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[8], c0, c1, c2;
+   fp_digit *a, c0, c1, c2;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[8];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 8, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -72,8 +84,13 @@ void fp_sqr_comba4(fp_int *A, fp_int *B)
 
    B->used = 8;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 8 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 8 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_48.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_48.i
index cbaac02cc..0f24532b1 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_48.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_48.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_48.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR48
-void fp_sqr_comba48(fp_int *A, fp_int *B)
+int fp_sqr_comba48(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[96], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[96];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 96, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -512,8 +524,13 @@ void fp_sqr_comba48(fp_int *A, fp_int *B)
 
    B->used = 96;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 96 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 96 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_6.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_6.i
index bb2fd743e..b36416844 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_6.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_6.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_6.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR6
-void fp_sqr_comba6(fp_int *A, fp_int *B)
+int fp_sqr_comba6(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[12], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[12];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 12, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -92,8 +104,13 @@ void fp_sqr_comba6(fp_int *A, fp_int *B)
 
    B->used = 12;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 12 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 12 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_64.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_64.i
index b74367a7c..b9b2c8ab7 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_64.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_64.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_64.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR64
-void fp_sqr_comba64(fp_int *A, fp_int *B)
+int fp_sqr_comba64(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[128], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[128];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -672,8 +684,13 @@ void fp_sqr_comba64(fp_int *A, fp_int *B)
 
    B->used = 128;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 128 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 128 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_7.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_7.i
index 8ddef1a9b..09bf9954a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_7.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_7.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_7.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR7
-void fp_sqr_comba7(fp_int *A, fp_int *B)
+int fp_sqr_comba7(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[14], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[14];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 14, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -102,8 +114,13 @@ void fp_sqr_comba7(fp_int *A, fp_int *B)
 
    B->used = 14;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 14 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 14 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_8.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_8.i
index f9a72bcf6..23fd8e41d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_8.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_8.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_8.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR8
-void fp_sqr_comba8(fp_int *A, fp_int *B)
+int fp_sqr_comba8(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[16], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[16];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -112,8 +124,13 @@ void fp_sqr_comba8(fp_int *A, fp_int *B)
 
    B->used = 16;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 16 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 16 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_9.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_9.i
index 94a5d2e92..ed6451a77 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_9.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_9.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_9.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,29 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef TFM_SQR9
-void fp_sqr_comba9(fp_int *A, fp_int *B)
+int fp_sqr_comba9(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[18], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
    fp_word tt;
 #endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[18];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 18, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
 
    a = A->dp;
    COMBA_START; 
@@ -122,8 +134,13 @@ void fp_sqr_comba9(fp_int *A, fp_int *B)
 
    B->used = 18;
    B->sign = FP_ZPOS;
-   memcpy(B->dp, b, 18 * sizeof(fp_digit));
+   XMEMCPY(B->dp, b, 18 * sizeof(fp_digit));
    fp_clamp(B);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 #endif
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_small_set.i b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_small_set.i
index 9918b2ee8..a81ee10e2 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_small_set.i
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/fp_sqr_comba_small_set.i
@@ -1,8 +1,8 @@
 /* fp_sqr_comba_small_set.i
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,17 +16,30 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #if defined(TFM_SMALL_SET)
-void fp_sqr_comba_small(fp_int *A, fp_int *B)
+int fp_sqr_comba_small(fp_int *A, fp_int *B)
 {
-   fp_digit *a, b[32], c0, c1, c2, sc0, sc1, sc2;
+   fp_digit *a, c0, c1, c2, sc0 = 0, sc1 = 0, sc2 = 0;
 #ifdef TFM_ISO
-   fp_word   tt;   
-#endif   
+   fp_word tt;
+#endif
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit b[32];
+#else
+   fp_digit *b;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   b = (fp_digit*)XMALLOC(sizeof(fp_digit) * 32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   if (b == NULL)
+      return FP_MEM;
+#endif
+
    switch (A->used) { 
    case 1:
       a = A->dp;
@@ -43,7 +56,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 2;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 2 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 2 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -72,7 +85,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 4;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 4 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 4 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -111,7 +124,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 6;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 6 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 6 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -160,7 +173,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 8;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 8 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 8 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -219,7 +232,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 10;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 10 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 10 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -288,7 +301,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 12;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 12 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 12 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -367,7 +380,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 14;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 14 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 14 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -456,7 +469,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 16;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 16 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 16 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -555,7 +568,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 18;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 18 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 18 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -664,7 +677,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 20;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 20 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 20 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -783,7 +796,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 22;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 22 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 22 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -912,7 +925,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 24;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 24 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 24 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -1051,7 +1064,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 26;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 26 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 26 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -1200,7 +1213,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 28;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 28 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 28 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -1359,7 +1372,7 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 30;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 30 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 30 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
@@ -1528,13 +1541,18 @@ void fp_sqr_comba_small(fp_int *A, fp_int *B)
 
       B->used = 32;
       B->sign = FP_ZPOS;
-      memcpy(B->dp, b, 32 * sizeof(fp_digit));
+      XMEMCPY(B->dp, b, 32 * sizeof(fp_digit));
       fp_clamp(B);
       break;
 
    default:
       break;
-}
+   }
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+   return FP_OKAY;
 }
 
 #endif /* TFM_SMALL_SET */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_448.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_448.c
new file mode 100644
index 000000000..7795a962d
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_448.c
@@ -0,0 +1,10780 @@
+/* ge_448.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work.
+ * Small implementation based on Daniel Beer's ed25519 public domain work.
+ * Reworked for ed448 by Sean Parkinson.
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_ED448
+
+#include <wolfssl/wolfcrypt/ge_448.h>
+#include <wolfssl/wolfcrypt/ed448.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+/*
+sc means scalar.
+ge means group element.
+
+Here the group is the set of pairs (x,y) of field elements (see ge_448.h)
+satisfying -x^2 + y^2 = 1 + d x^2y^2
+where d = -39081
+
+Representations:
+  ge448_p2 (projective) :  (X:Y:Z) satisfying x=X/Z, y=Y/Z
+  ge448_precomp (affine):  (X:Y)
+*/
+
+
+#ifdef ED448_SMALL
+
+/* Base point of ed448 */
+static const ge448_p2 ed448_base = {
+    { 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
+      0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
+      0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
+      0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
+      0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f },
+    { 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
+      0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
+      0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
+      0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
+      0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69 },
+    { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+/* Part of order of ed448 that needs tp be multiplied when reducing */
+static const uint8_t ed448_order_mul[56] = {
+    0x0d, 0xbb, 0xa7, 0x54, 0x6d, 0x3d, 0x87, 0xdc, 0xaa, 0x70, 0x3a, 0x72,
+    0x8d, 0x3d, 0x93, 0xde, 0x6f, 0xc9, 0x29, 0x51, 0xb6, 0x24, 0xb1, 0x3b,
+    0x16, 0xdc, 0x35, 0x83,
+};
+
+/* Reduce scalar mod the order of the curve.
+ * Scalar Will be 114 bytes.
+ *
+ * b  [in]  Scalar to reduce.
+ */
+void sc448_reduce(uint8_t* b)
+{
+    int i, j;
+    uint32_t t[114];
+    uint8_t o;
+
+    for (i = 0; i < 86; i++) {
+        t[i] = b[i];
+    }
+    for (i = 0; i < 58; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += b[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 54; i < 87; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    for (i = 0; i < 31; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += t[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 54; i < 60; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    for (i = 0; i < 4; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += t[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 0; i < 55; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    o = t[55] >> 6;
+    t[55] &= 0x3f;
+    for (j = 0; j < 28; j++)
+        t[j] += o * (uint32_t)ed448_order_mul[j];
+    for (i = 0; i < 55; i++) {
+        t[i+1] += t[i] >> 8;
+        b[i] = t[i] & 0xff;
+    }
+    b[i] = t[i] & 0xff;
+    b[i+1] = 0;
+}
+
+/* Multiply a by b and add d. r = (a * b + d) mod order
+ *
+ * r  [in]  Scalar to hold result.
+ * a  [in]  Scalar to multiply.
+ * b  [in]  Scalar to multiply.
+ * d  [in]  Scalar to add to multiplicative result.
+ */
+void sc448_muladd(uint8_t* r, const uint8_t* a, const uint8_t* b,
+                  const uint8_t* d)
+{
+    int i, j;
+    uint32_t t[112];
+    uint8_t o;
+
+    /* a * b + d */
+    for (i = 0; i < 56; i++)
+        t[i] = d[i];
+    for (i = 0; i < 56; i++) {
+        for (j = 0; j < 56; j++)
+            t[i+j] += (int16_t)a[i] * b[j];
+        t[i+56] = 0;
+    }
+
+    for (i = 0; i < 111; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    for (i = 0; i < 56; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += t[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 54; i < 85; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    for (i = 0; i < 29; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += t[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 54; i < 58; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    for (i = 0; i < 2; i++) {
+        for (j = 0; j < 28; j++)
+            t[i+j] += t[i+56] * ((uint32_t)ed448_order_mul[j] << 2);
+        t[i+56] = 0;
+    }
+    for (i = 0; i < 55; i++) {
+        t[i+1] += t[i] >> 8;
+        t[i] &= 0xff;
+    }
+    o = t[55] >> 6;
+    t[55] &= 0x3f;
+    for (j = 0; j < 28; j++)
+        t[j] += o * (uint32_t)ed448_order_mul[j];
+    for (i = 0; i < 55; i++) {
+        t[i+1] += t[i] >> 8;
+        r[i] = t[i] & 0xff;
+    }
+    r[i] = t[i] & 0xff;
+    r[i+1] = 0;
+}
+
+/* Double the point on the Twisted Edwards curve. r = 2.p
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to double.
+ */
+static WC_INLINE void ge448_dbl(ge448_p2 *r,const ge448_p2 *p)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+
+    fe448_add(t0, p->X, p->Y);    /* t0 = B1 = X1+Y1     */
+    fe448_reduce(t0);
+    fe448_sqr(t0, t0);            /* t0 = B = (X1+Y1)^2  */
+    fe448_sqr(r->X, p->X);        /* r->X = C = X1^2     */
+    fe448_sqr(r->Y, p->Y);        /* r->Y = D = Y1^2     */
+    fe448_add(t1, r->X, r->Y);    /* t1 = E = C+D        */
+    fe448_reduce(t1);
+    fe448_sub(r->Y, r->X, r->Y);  /* r->Y = Y31 = C-D    */
+    fe448_sqr(r->Z, p->Z);        /* r->Z = H = Z1^2     */
+    fe448_add(r->Z, r->Z, r->Z);  /* r->Z = J1 = 2*H     */
+    fe448_sub(r->Z, t1, r->Z);    /* r->Z = J = E-2*H    */
+    fe448_reduce(r->Z);
+    fe448_sub(r->X, t0, t1);      /* r->X = X31 = B-E    */
+    fe448_mul(r->X, r->X, r->Z);  /* r->X = X3 = (B-E)*J */
+    fe448_mul(r->Y, r->Y, t1);    /* r->Y = Y3 = E*(C-D) */
+    fe448_mul(r->Z, t1, r->Z);    /* r->Z = Z3 = E*J     */
+}
+
+/* Add two point on the Twisted Edwards curve. r = p + q
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to add.
+ * q  [in]  Point to add.
+ */
+static WC_INLINE void ge448_add(ge448_p2* r, const ge448_p2* p,
+                                const ge448_p2* q)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+    ge448 t2[GE448_WORDS];
+    ge448 t3[GE448_WORDS];
+    ge448 t4[GE448_WORDS];
+
+    fe448_mul(t1, p->X, q->X);      /* t1 = C = X1*X2             */
+    fe448_mul(t2, p->Y, q->Y);      /* t2 = D = Y1*Y2             */
+    fe448_mul(t3, t1, t2);          /* t3 = E1 = C*D              */
+    fe448_mul39081(t3, t3);         /* t3 = E = d*C*D             */
+    fe448_mul(r->Z, p->Z, q->Z);    /* r->Z = A = Z1*Z2           */
+    fe448_sqr(t0, r->Z);            /* t0 = B = A^2               */
+    fe448_add(t4, t0, t3);          /* t4 = F = B-(-E)            */
+    fe448_sub(t0, t0, t3);          /* t0 = G = B+(-E)            */
+    fe448_reduce(t0);
+    fe448_add(r->X, p->X, p->Y);    /* r->X = H1 = X1+Y1          */
+    fe448_reduce(r->X);
+    fe448_add(r->Y, q->X, q->Y);    /* r->Y = H2 = X2+Y2          */
+    fe448_reduce(r->Y);
+    fe448_mul(r->X, r->X, r->Y);    /* r->X = H = (X1+Y1)*(X2+Y2) */
+    fe448_sub(r->X, r->X, t1);      /* r->X = X31 = H-C           */
+    fe448_sub(r->X, r->X, t2);      /* r->X = X32 = H-C-D         */
+    fe448_reduce(r->X);
+    fe448_mul(r->X, r->X, t4);      /* r->X = X33 = F*(H-C-D)     */
+    fe448_mul(r->X, r->X, r->Z);    /* r->X = X3 = A*F*(H-C-D)    */
+    fe448_sub(r->Y, t2, t1);        /* r->Y = Y31 = D-C           */
+    fe448_reduce(r->Y);
+    fe448_mul(r->Y, r->Y, t0);      /* r->Y = Y32 = G*(D-C)       */
+    fe448_mul(r->Y, r->Y, r->Z);    /* r->Y = Y3 = A*F*(D-C)      */
+    fe448_mul(r->Z, t4, t0);        /* r->Z = Z3 = F*G            */
+}
+
+/* Convert point to byte array assuming projective ordinates.
+ *
+ * b  [in]  Array of bytes to hold compressed point.
+ * p  [in]  Point to convert.
+ */
+void ge448_to_bytes(uint8_t *s, const ge448_p2 *h)
+{
+    ge448 recip[56];
+    ge448 x[56];
+
+    fe448_invert(recip, h->Z);
+    fe448_mul(x, h->X, recip);
+    fe448_mul(s, h->Y, recip);
+    fe448_norm(x);
+    fe448_norm(s);
+    s[56] = (x[0] & 1) << 7;
+}
+
+/* Compress the point to y-ordinate and negative bit.
+ *
+ * out    [in]  Array of bytes to hold compressed key.
+ * xIn    [in]  The x-ordinate.
+ * yIn    [in]  The y-ordinate.
+ */
+int ge448_compress_key(uint8_t* out, const uint8_t* xIn, const uint8_t* yIn)
+{
+    ge448 x[56];
+
+    fe448_copy(x, xIn);
+    fe448_copy(out, yIn);
+    fe448_norm(x);
+    fe448_norm(out);
+    out[56] = (x[0] & 1) << 7;
+
+    return 0;
+}
+
+/* Perform a scalar multiplication of the a point. r = p * base
+ *
+ * r  [in]  Point to hold result.
+ * a  [in]  Scalar to multiply by.
+ */
+static void ge448_scalarmult(ge448_p2* h, const ge448_p2* p, const uint8_t* a)
+{
+    ge448_p2 r;
+    ge448_p2 s;
+    int i;
+
+    XMEMSET(&r, 0, sizeof(r));
+    r.Y[0] = 1;
+    r.Z[0] = 1;
+
+    for (i = 447; i >= 0; i--) {
+        const byte bit = (a[i >> 3] >> (i & 7)) & 1;
+
+        ge448_dbl(&r, &r);
+        ge448_add(&s, &r, p);
+
+        fe448_cmov(r.X, s.X, bit);
+        fe448_cmov(r.Y, s.Y, bit);
+        fe448_cmov(r.Z, s.Z, bit);
+    }
+
+    XMEMCPY(h, &r, sizeof(r));
+}
+
+/* Perform a scalar multiplication of the base point. r = a * base
+ *
+ * r  [in]  Point to hold result.
+ * a  [in]  Scalar to multiply by.
+ */
+void ge448_scalarmult_base(ge448_p2* h, const uint8_t* a)
+{
+    ge448_scalarmult(h, &ed448_base, a);
+}
+
+/* Perform a scalar multplication of the base point and public point.
+ *   r = a * p + b * base
+ * Uses a sliding window of 5 bits.
+ * Not constant time.
+ *
+ * r  [in]  Point to hold result.
+ * a  [in]  Scalar to multiply by.
+ */
+int ge448_double_scalarmult_vartime(ge448_p2 *r, const uint8_t *a,
+                                    const ge448_p2 *A, const uint8_t *b)
+{
+    ge448_p2 t;
+
+    ge448_scalarmult(&t, &ed448_base, b);
+    ge448_scalarmult(r, A, a);
+    ge448_add(r, r, &t);
+
+    return 0;
+}
+
+/* Convert compressed point to negative of affine point.
+ * Calculates x from the y and the negative bit.
+ * Not constant time.
+ *
+ * r  [in]  Uncompressed point.
+ * b  [in]  Array of bytes representing point.
+ * returns 0 on success and -1 on failure.
+ */
+int ge448_from_bytes_negate_vartime(ge448_p2 *r, const uint8_t *b)
+{
+    int   ret = 0;
+    ge448 u[GE448_WORDS];
+    ge448 v[GE448_WORDS];
+    ge448 u3[GE448_WORDS];
+    ge448 vxx[GE448_WORDS];
+    ge448 check[GE448_WORDS];
+
+    fe448_copy(r->Y, b);
+    XMEMSET(r->Z, 0, sizeof(r->Z));
+    r->Z[0] = 1;
+    fe448_sqr(u, r->Y);                /* u = y^2                      */
+    fe448_mul39081(v, u);              /* v = 39081.y^2                */
+    fe448_sub(u, u, r->Z);             /* u = y^2-1                    */
+    fe448_add(v, v, r->Z);             /* v = 39081.y^2-1              */
+    fe448_neg(v, v);                   /* v = -39081.y^2-1 = d.y^2-1   */
+
+    fe448_sqr(r->X, v);                /* x = v^2                      */
+    fe448_mul(r->X, r->X, v);          /* x = v^3                      */
+    fe448_sqr(u3, u);                  /* x = u^2.v^3                  */
+    fe448_mul(r->X, r->X, u3);         /* x = u^2.v^3                  */
+    fe448_mul(u3, u3, u);              /* u3 = u^3                     */
+    fe448_mul(r->X, r->X, u3);         /* x = u^5.v^3                  */
+
+    fe448_pow_2_446_222_1(r->X, r->X); /* x = (u^5.v^3)^((q-3)/4)      */
+    fe448_mul(r->X, r->X, u3);         /* x = u^3(u^5.v^3)^((q-3)/4)   */
+    fe448_mul(r->X, r->X, v);          /* x = u^3.v(u^5.v^3)^((q-3)/4) */
+
+    fe448_sqr(vxx, r->X);
+    fe448_mul(vxx, vxx, v);
+    fe448_sub(check, vxx, u);          /* check = v.x^2-u              */
+    fe448_norm(check);
+    fe448_norm(r->X);
+    fe448_norm(r->Y);
+    /* Note; vx^2+u is NOT correct. */
+    if (fe448_isnonzero(check)) {
+        ret = -1;
+    }
+
+    /* Calculating negative of point in bytes - negate only if X is correct. */
+    if ((r->X[0] & 1) == (b[56] >> 7)) {
+        fe448_neg(r->X, r->X);
+    }
+
+    return ret;
+}
+
+#else /* !ED448_SMALL */
+
+#if defined(CURVED448_128BIT)
+
+/* Reduce scalar mod the order of the curve.
+ * Scalar Will be 114 bytes.
+ *
+ * b  [in]  Scalar to reduce.
+ */
+void sc448_reduce(uint8_t* b)
+{
+    uint64_t d[8];
+    uint128_t t[17];
+    uint128_t c;
+    uint64_t o;
+
+    /* Load from bytes */
+    t[ 0] =  ((int64_t) (b[ 0]) <<  0)
+          |  ((int64_t) (b[ 1]) <<  8)
+          |  ((int64_t) (b[ 2]) << 16)
+          |  ((int64_t) (b[ 3]) << 24)
+          |  ((int64_t) (b[ 4]) << 32)
+          |  ((int64_t) (b[ 5]) << 40)
+          |  ((int64_t) (b[ 6]) << 48);
+    t[ 1] =  ((int64_t) (b[ 7]) <<  0)
+          |  ((int64_t) (b[ 8]) <<  8)
+          |  ((int64_t) (b[ 9]) << 16)
+          |  ((int64_t) (b[10]) << 24)
+          |  ((int64_t) (b[11]) << 32)
+          |  ((int64_t) (b[12]) << 40)
+          |  ((int64_t) (b[13]) << 48);
+    t[ 2] =  ((int64_t) (b[14]) <<  0)
+          |  ((int64_t) (b[15]) <<  8)
+          |  ((int64_t) (b[16]) << 16)
+          |  ((int64_t) (b[17]) << 24)
+          |  ((int64_t) (b[18]) << 32)
+          |  ((int64_t) (b[19]) << 40)
+          |  ((int64_t) (b[20]) << 48);
+    t[ 3] =  ((int64_t) (b[21]) <<  0)
+          |  ((int64_t) (b[22]) <<  8)
+          |  ((int64_t) (b[23]) << 16)
+          |  ((int64_t) (b[24]) << 24)
+          |  ((int64_t) (b[25]) << 32)
+          |  ((int64_t) (b[26]) << 40)
+          |  ((int64_t) (b[27]) << 48);
+    t[ 4] =  ((int64_t) (b[28]) <<  0)
+          |  ((int64_t) (b[29]) <<  8)
+          |  ((int64_t) (b[30]) << 16)
+          |  ((int64_t) (b[31]) << 24)
+          |  ((int64_t) (b[32]) << 32)
+          |  ((int64_t) (b[33]) << 40)
+          |  ((int64_t) (b[34]) << 48);
+    t[ 5] =  ((int64_t) (b[35]) <<  0)
+          |  ((int64_t) (b[36]) <<  8)
+          |  ((int64_t) (b[37]) << 16)
+          |  ((int64_t) (b[38]) << 24)
+          |  ((int64_t) (b[39]) << 32)
+          |  ((int64_t) (b[40]) << 40)
+          |  ((int64_t) (b[41]) << 48);
+    t[ 6] =  ((int64_t) (b[42]) <<  0)
+          |  ((int64_t) (b[43]) <<  8)
+          |  ((int64_t) (b[44]) << 16)
+          |  ((int64_t) (b[45]) << 24)
+          |  ((int64_t) (b[46]) << 32)
+          |  ((int64_t) (b[47]) << 40)
+          |  ((int64_t) (b[48]) << 48);
+    t[ 7] =  ((int64_t) (b[49]) <<  0)
+          |  ((int64_t) (b[50]) <<  8)
+          |  ((int64_t) (b[51]) << 16)
+          |  ((int64_t) (b[52]) << 24)
+          |  ((int64_t) (b[53]) << 32)
+          |  ((int64_t) (b[54]) << 40)
+          |  ((int64_t) (b[55]) << 48);
+    t[ 8] =  ((int64_t) (b[56]) <<  0)
+          |  ((int64_t) (b[57]) <<  8)
+          |  ((int64_t) (b[58]) << 16)
+          |  ((int64_t) (b[59]) << 24)
+          |  ((int64_t) (b[60]) << 32)
+          |  ((int64_t) (b[61]) << 40)
+          |  ((int64_t) (b[62]) << 48);
+    t[ 9] =  ((int64_t) (b[63]) <<  0)
+          |  ((int64_t) (b[64]) <<  8)
+          |  ((int64_t) (b[65]) << 16)
+          |  ((int64_t) (b[66]) << 24)
+          |  ((int64_t) (b[67]) << 32)
+          |  ((int64_t) (b[68]) << 40)
+          |  ((int64_t) (b[69]) << 48);
+    t[10] =  ((int64_t) (b[70]) <<  0)
+          |  ((int64_t) (b[71]) <<  8)
+          |  ((int64_t) (b[72]) << 16)
+          |  ((int64_t) (b[73]) << 24)
+          |  ((int64_t) (b[74]) << 32)
+          |  ((int64_t) (b[75]) << 40)
+          |  ((int64_t) (b[76]) << 48);
+    t[11] =  ((int64_t) (b[77]) <<  0)
+          |  ((int64_t) (b[78]) <<  8)
+          |  ((int64_t) (b[79]) << 16)
+          |  ((int64_t) (b[80]) << 24)
+          |  ((int64_t) (b[81]) << 32)
+          |  ((int64_t) (b[82]) << 40)
+          |  ((int64_t) (b[83]) << 48);
+    t[12] =  ((int64_t) (b[84]) <<  0)
+          |  ((int64_t) (b[85]) <<  8)
+          |  ((int64_t) (b[86]) << 16)
+          |  ((int64_t) (b[87]) << 24)
+          |  ((int64_t) (b[88]) << 32)
+          |  ((int64_t) (b[89]) << 40)
+          |  ((int64_t) (b[90]) << 48);
+    t[13] =  ((int64_t) (b[91]) <<  0)
+          |  ((int64_t) (b[92]) <<  8)
+          |  ((int64_t) (b[93]) << 16)
+          |  ((int64_t) (b[94]) << 24)
+          |  ((int64_t) (b[95]) << 32)
+          |  ((int64_t) (b[96]) << 40)
+          |  ((int64_t) (b[97]) << 48);
+    t[14] =  ((int64_t) (b[98]) <<  0)
+          |  ((int64_t) (b[99]) <<  8)
+          |  ((int64_t) (b[100]) << 16)
+          |  ((int64_t) (b[101]) << 24)
+          |  ((int64_t) (b[102]) << 32)
+          |  ((int64_t) (b[103]) << 40)
+          |  ((int64_t) (b[104]) << 48);
+    t[15] =  ((int64_t) (b[105]) <<  0)
+          |  ((int64_t) (b[106]) <<  8)
+          |  ((int64_t) (b[107]) << 16)
+          |  ((int64_t) (b[108]) << 24)
+          |  ((int64_t) (b[109]) << 32)
+          |  ((int64_t) (b[110]) << 40)
+          |  ((int64_t) (b[111]) << 48);
+    t[16] =  ((int64_t) (b[112]) <<  0)
+          |  ((int64_t) (b[113]) <<  8);
+
+    /* Mod curve order */
+    /* 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d */
+    /* Mod top half of extra words */
+    t[ 4] += (int128_t)0x21cf5b5529eec34L * t[12];
+    t[ 5] += (int128_t)0x0f635c8e9c2ab70L * t[12];
+    t[ 6] += (int128_t)0x2d944a725bf7a4cL * t[12];
+    t[ 7] += (int128_t)0x20cd77058eec490L * t[12];
+    t[ 5] += (int128_t)0x21cf5b5529eec34L * t[13];
+    t[ 6] += (int128_t)0x0f635c8e9c2ab70L * t[13];
+    t[ 7] += (int128_t)0x2d944a725bf7a4cL * t[13];
+    t[ 8] += (int128_t)0x20cd77058eec490L * t[13];
+    t[ 6] += (int128_t)0x21cf5b5529eec34L * t[14];
+    t[ 7] += (int128_t)0x0f635c8e9c2ab70L * t[14];
+    t[ 8] += (int128_t)0x2d944a725bf7a4cL * t[14];
+    t[ 9] += (int128_t)0x20cd77058eec490L * t[14];
+    t[ 7] += (int128_t)0x21cf5b5529eec34L * t[15];
+    t[ 8] += (int128_t)0x0f635c8e9c2ab70L * t[15];
+    t[ 9] += (int128_t)0x2d944a725bf7a4cL * t[15];
+    t[10] += (int128_t)0x20cd77058eec490L * t[15];
+    t[ 8] += (int128_t)0x21cf5b5529eec34L * t[16];
+    t[ 9] += (int128_t)0x0f635c8e9c2ab70L * t[16];
+    t[10] += (int128_t)0x2d944a725bf7a4cL * t[16];
+    t[11] += (int128_t)0x20cd77058eec490L * t[16];
+    t[12]  = 0;
+    /* Propagate carries */
+    c = t[ 4] >> 56; t[ 5] += c; t[ 4] = t[ 4] & 0xffffffffffffff;
+    c = t[ 5] >> 56; t[ 6] += c; t[ 5] = t[ 5] & 0xffffffffffffff;
+    c = t[ 6] >> 56; t[ 7] += c; t[ 6] = t[ 6] & 0xffffffffffffff;
+    c = t[ 7] >> 56; t[ 8] += c; t[ 7] = t[ 7] & 0xffffffffffffff;
+    c = t[ 8] >> 56; t[ 9] += c; t[ 8] = t[ 8] & 0xffffffffffffff;
+    c = t[ 9] >> 56; t[10] += c; t[ 9] = t[ 9] & 0xffffffffffffff;
+    c = t[10] >> 56; t[11] += c; t[10] = t[10] & 0xffffffffffffff;
+    c = t[11] >> 56; t[12] += c; t[11] = t[11] & 0xffffffffffffff;
+    /* Mod bottom half of extra words */
+    t[ 0] += (int128_t)0x21cf5b5529eec34L * t[ 8];
+    t[ 1] += (int128_t)0x0f635c8e9c2ab70L * t[ 8];
+    t[ 2] += (int128_t)0x2d944a725bf7a4cL * t[ 8];
+    t[ 3] += (int128_t)0x20cd77058eec490L * t[ 8];
+    t[ 1] += (int128_t)0x21cf5b5529eec34L * t[ 9];
+    t[ 2] += (int128_t)0x0f635c8e9c2ab70L * t[ 9];
+    t[ 3] += (int128_t)0x2d944a725bf7a4cL * t[ 9];
+    t[ 4] += (int128_t)0x20cd77058eec490L * t[ 9];
+    t[ 2] += (int128_t)0x21cf5b5529eec34L * t[10];
+    t[ 3] += (int128_t)0x0f635c8e9c2ab70L * t[10];
+    t[ 4] += (int128_t)0x2d944a725bf7a4cL * t[10];
+    t[ 5] += (int128_t)0x20cd77058eec490L * t[10];
+    t[ 3] += (int128_t)0x21cf5b5529eec34L * t[11];
+    t[ 4] += (int128_t)0x0f635c8e9c2ab70L * t[11];
+    t[ 5] += (int128_t)0x2d944a725bf7a4cL * t[11];
+    t[ 6] += (int128_t)0x20cd77058eec490L * t[11];
+    t[ 4] += (int128_t)0x21cf5b5529eec34L * t[12];
+    t[ 5] += (int128_t)0x0f635c8e9c2ab70L * t[12];
+    t[ 6] += (int128_t)0x2d944a725bf7a4cL * t[12];
+    t[ 7] += (int128_t)0x20cd77058eec490L * t[12];
+    t[ 8]  = 0;
+    /* Propagate carries */
+    c = t[ 0] >> 56; t[ 1] += c; t[ 0] = t[ 0] & 0xffffffffffffff;
+    c = t[ 1] >> 56; t[ 2] += c; t[ 1] = t[ 1] & 0xffffffffffffff;
+    c = t[ 2] >> 56; t[ 3] += c; t[ 2] = t[ 2] & 0xffffffffffffff;
+    c = t[ 3] >> 56; t[ 4] += c; t[ 3] = t[ 3] & 0xffffffffffffff;
+    c = t[ 4] >> 56; t[ 5] += c; t[ 4] = t[ 4] & 0xffffffffffffff;
+    c = t[ 5] >> 56; t[ 6] += c; t[ 5] = t[ 5] & 0xffffffffffffff;
+    c = t[ 6] >> 56; t[ 7] += c; t[ 6] = t[ 6] & 0xffffffffffffff;
+    c = t[ 7] >> 56; t[ 8] += c; t[ 7] = t[ 7] & 0xffffffffffffff;
+    t[ 0] += (int128_t)0x21cf5b5529eec34L * t[ 8];
+    t[ 1] += (int128_t)0x0f635c8e9c2ab70L * t[ 8];
+    t[ 2] += (int128_t)0x2d944a725bf7a4cL * t[ 8];
+    t[ 3] += (int128_t)0x20cd77058eec490L * t[ 8];
+    /* Propagate carries */
+    c = t[ 0] >> 56; t[ 1] += c; d[ 0] = (int64_t)(t[ 0] & 0xffffffffffffff);
+    c = t[ 1] >> 56; t[ 2] += c; d[ 1] = (int64_t)(t[ 1] & 0xffffffffffffff);
+    c = t[ 2] >> 56; t[ 3] += c; d[ 2] = (int64_t)(t[ 2] & 0xffffffffffffff);
+    c = t[ 3] >> 56; t[ 4] += c; d[ 3] = (int64_t)(t[ 3] & 0xffffffffffffff);
+    c = t[ 4] >> 56; t[ 5] += c; d[ 4] = (int64_t)(t[ 4] & 0xffffffffffffff);
+    c = t[ 5] >> 56; t[ 6] += c; d[ 5] = (int64_t)(t[ 5] & 0xffffffffffffff);
+    c = t[ 6] >> 56; t[ 7] += c; d[ 6] = (int64_t)(t[ 6] & 0xffffffffffffff);
+    d[ 7] = t[7];
+    /* Mod bits over 56 in last word */
+    o = d[7] >> 54; d[ 7] &= 0x3fffffffffffff;
+    d[ 0] += 0x873d6d54a7bb0dL * o;
+    d[ 1] += 0x3d8d723a70aadcL * o;
+    d[ 2] += 0xb65129c96fde93L * o;
+    d[ 3] += 0x8335dc163bb124L * o;
+    /* Propagate carries */
+    o = d[ 0] >> 56; d[ 1] += o; d[ 0] = d[ 0] & 0xffffffffffffff;
+    o = d[ 1] >> 56; d[ 2] += o; d[ 1] = d[ 1] & 0xffffffffffffff;
+    o = d[ 2] >> 56; d[ 3] += o; d[ 2] = d[ 2] & 0xffffffffffffff;
+    o = d[ 3] >> 56; d[ 4] += o; d[ 3] = d[ 3] & 0xffffffffffffff;
+    o = d[ 4] >> 56; d[ 5] += o; d[ 4] = d[ 4] & 0xffffffffffffff;
+    o = d[ 5] >> 56; d[ 6] += o; d[ 5] = d[ 5] & 0xffffffffffffff;
+    o = d[ 6] >> 56; d[ 7] += o; d[ 6] = d[ 6] & 0xffffffffffffff;
+
+    /* Convert to bytes */
+    b[ 0] = (d[0 ] >>  0);
+    b[ 1] = (d[0 ] >>  8);
+    b[ 2] = (d[0 ] >> 16);
+    b[ 3] = (d[0 ] >> 24);
+    b[ 4] = (d[0 ] >> 32);
+    b[ 5] = (d[0 ] >> 40);
+    b[ 6] = (d[0 ] >> 48);
+    b[ 7] = (d[1 ] >>  0);
+    b[ 8] = (d[1 ] >>  8);
+    b[ 9] = (d[1 ] >> 16);
+    b[10] = (d[1 ] >> 24);
+    b[11] = (d[1 ] >> 32);
+    b[12] = (d[1 ] >> 40);
+    b[13] = (d[1 ] >> 48);
+    b[14] = (d[2 ] >>  0);
+    b[15] = (d[2 ] >>  8);
+    b[16] = (d[2 ] >> 16);
+    b[17] = (d[2 ] >> 24);
+    b[18] = (d[2 ] >> 32);
+    b[19] = (d[2 ] >> 40);
+    b[20] = (d[2 ] >> 48);
+    b[21] = (d[3 ] >>  0);
+    b[22] = (d[3 ] >>  8);
+    b[23] = (d[3 ] >> 16);
+    b[24] = (d[3 ] >> 24);
+    b[25] = (d[3 ] >> 32);
+    b[26] = (d[3 ] >> 40);
+    b[27] = (d[3 ] >> 48);
+    b[28] = (d[4 ] >>  0);
+    b[29] = (d[4 ] >>  8);
+    b[30] = (d[4 ] >> 16);
+    b[31] = (d[4 ] >> 24);
+    b[32] = (d[4 ] >> 32);
+    b[33] = (d[4 ] >> 40);
+    b[34] = (d[4 ] >> 48);
+    b[35] = (d[5 ] >>  0);
+    b[36] = (d[5 ] >>  8);
+    b[37] = (d[5 ] >> 16);
+    b[38] = (d[5 ] >> 24);
+    b[39] = (d[5 ] >> 32);
+    b[40] = (d[5 ] >> 40);
+    b[41] = (d[5 ] >> 48);
+    b[42] = (d[6 ] >>  0);
+    b[43] = (d[6 ] >>  8);
+    b[44] = (d[6 ] >> 16);
+    b[45] = (d[6 ] >> 24);
+    b[46] = (d[6 ] >> 32);
+    b[47] = (d[6 ] >> 40);
+    b[48] = (d[6 ] >> 48);
+    b[49] = (d[7 ] >>  0);
+    b[50] = (d[7 ] >>  8);
+    b[51] = (d[7 ] >> 16);
+    b[52] = (d[7 ] >> 24);
+    b[53] = (d[7 ] >> 32);
+    b[54] = (d[7 ] >> 40);
+    b[55] = (d[7 ] >> 48);
+    b[56] = 0;
+}
+
+/* Multiply a by b and add d. r = (a * b + d) mod order
+ *
+ * r  [in]  Scalar to hold result.
+ * a  [in]  Scalar to multiply.
+ * b  [in]  Scalar to multiply.
+ * d  [in]  Scalar to add to multiplicative result.
+ */
+void sc448_muladd(uint8_t* r, const uint8_t* a, const uint8_t* b,
+                  const uint8_t* d)
+{
+    uint64_t ad[8], bd[8], dd[8], rd[8];
+    uint128_t t[16];
+    uint128_t c;
+    uint64_t o;
+
+    /* Load from bytes */
+    ad[ 0] =  ((int64_t) (a[ 0]) <<  0)
+           |  ((int64_t) (a[ 1]) <<  8)
+           |  ((int64_t) (a[ 2]) << 16)
+           |  ((int64_t) (a[ 3]) << 24)
+           |  ((int64_t) (a[ 4]) << 32)
+           |  ((int64_t) (a[ 5]) << 40)
+           |  ((int64_t) (a[ 6]) << 48);
+    ad[ 1] =  ((int64_t) (a[ 7]) <<  0)
+           |  ((int64_t) (a[ 8]) <<  8)
+           |  ((int64_t) (a[ 9]) << 16)
+           |  ((int64_t) (a[10]) << 24)
+           |  ((int64_t) (a[11]) << 32)
+           |  ((int64_t) (a[12]) << 40)
+           |  ((int64_t) (a[13]) << 48);
+    ad[ 2] =  ((int64_t) (a[14]) <<  0)
+           |  ((int64_t) (a[15]) <<  8)
+           |  ((int64_t) (a[16]) << 16)
+           |  ((int64_t) (a[17]) << 24)
+           |  ((int64_t) (a[18]) << 32)
+           |  ((int64_t) (a[19]) << 40)
+           |  ((int64_t) (a[20]) << 48);
+    ad[ 3] =  ((int64_t) (a[21]) <<  0)
+           |  ((int64_t) (a[22]) <<  8)
+           |  ((int64_t) (a[23]) << 16)
+           |  ((int64_t) (a[24]) << 24)
+           |  ((int64_t) (a[25]) << 32)
+           |  ((int64_t) (a[26]) << 40)
+           |  ((int64_t) (a[27]) << 48);
+    ad[ 4] =  ((int64_t) (a[28]) <<  0)
+           |  ((int64_t) (a[29]) <<  8)
+           |  ((int64_t) (a[30]) << 16)
+           |  ((int64_t) (a[31]) << 24)
+           |  ((int64_t) (a[32]) << 32)
+           |  ((int64_t) (a[33]) << 40)
+           |  ((int64_t) (a[34]) << 48);
+    ad[ 5] =  ((int64_t) (a[35]) <<  0)
+           |  ((int64_t) (a[36]) <<  8)
+           |  ((int64_t) (a[37]) << 16)
+           |  ((int64_t) (a[38]) << 24)
+           |  ((int64_t) (a[39]) << 32)
+           |  ((int64_t) (a[40]) << 40)
+           |  ((int64_t) (a[41]) << 48);
+    ad[ 6] =  ((int64_t) (a[42]) <<  0)
+           |  ((int64_t) (a[43]) <<  8)
+           |  ((int64_t) (a[44]) << 16)
+           |  ((int64_t) (a[45]) << 24)
+           |  ((int64_t) (a[46]) << 32)
+           |  ((int64_t) (a[47]) << 40)
+           |  ((int64_t) (a[48]) << 48);
+    ad[ 7] =  ((int64_t) (a[49]) <<  0)
+           |  ((int64_t) (a[50]) <<  8)
+           |  ((int64_t) (a[51]) << 16)
+           |  ((int64_t) (a[52]) << 24)
+           |  ((int64_t) (a[53]) << 32)
+           |  ((int64_t) (a[54]) << 40)
+           |  ((int64_t) (a[55]) << 48);
+    /* Load from bytes */
+    bd[ 0] =  ((int64_t) (b[ 0]) <<  0)
+           |  ((int64_t) (b[ 1]) <<  8)
+           |  ((int64_t) (b[ 2]) << 16)
+           |  ((int64_t) (b[ 3]) << 24)
+           |  ((int64_t) (b[ 4]) << 32)
+           |  ((int64_t) (b[ 5]) << 40)
+           |  ((int64_t) (b[ 6]) << 48);
+    bd[ 1] =  ((int64_t) (b[ 7]) <<  0)
+           |  ((int64_t) (b[ 8]) <<  8)
+           |  ((int64_t) (b[ 9]) << 16)
+           |  ((int64_t) (b[10]) << 24)
+           |  ((int64_t) (b[11]) << 32)
+           |  ((int64_t) (b[12]) << 40)
+           |  ((int64_t) (b[13]) << 48);
+    bd[ 2] =  ((int64_t) (b[14]) <<  0)
+           |  ((int64_t) (b[15]) <<  8)
+           |  ((int64_t) (b[16]) << 16)
+           |  ((int64_t) (b[17]) << 24)
+           |  ((int64_t) (b[18]) << 32)
+           |  ((int64_t) (b[19]) << 40)
+           |  ((int64_t) (b[20]) << 48);
+    bd[ 3] =  ((int64_t) (b[21]) <<  0)
+           |  ((int64_t) (b[22]) <<  8)
+           |  ((int64_t) (b[23]) << 16)
+           |  ((int64_t) (b[24]) << 24)
+           |  ((int64_t) (b[25]) << 32)
+           |  ((int64_t) (b[26]) << 40)
+           |  ((int64_t) (b[27]) << 48);
+    bd[ 4] =  ((int64_t) (b[28]) <<  0)
+           |  ((int64_t) (b[29]) <<  8)
+           |  ((int64_t) (b[30]) << 16)
+           |  ((int64_t) (b[31]) << 24)
+           |  ((int64_t) (b[32]) << 32)
+           |  ((int64_t) (b[33]) << 40)
+           |  ((int64_t) (b[34]) << 48);
+    bd[ 5] =  ((int64_t) (b[35]) <<  0)
+           |  ((int64_t) (b[36]) <<  8)
+           |  ((int64_t) (b[37]) << 16)
+           |  ((int64_t) (b[38]) << 24)
+           |  ((int64_t) (b[39]) << 32)
+           |  ((int64_t) (b[40]) << 40)
+           |  ((int64_t) (b[41]) << 48);
+    bd[ 6] =  ((int64_t) (b[42]) <<  0)
+           |  ((int64_t) (b[43]) <<  8)
+           |  ((int64_t) (b[44]) << 16)
+           |  ((int64_t) (b[45]) << 24)
+           |  ((int64_t) (b[46]) << 32)
+           |  ((int64_t) (b[47]) << 40)
+           |  ((int64_t) (b[48]) << 48);
+    bd[ 7] =  ((int64_t) (b[49]) <<  0)
+           |  ((int64_t) (b[50]) <<  8)
+           |  ((int64_t) (b[51]) << 16)
+           |  ((int64_t) (b[52]) << 24)
+           |  ((int64_t) (b[53]) << 32)
+           |  ((int64_t) (b[54]) << 40)
+           |  ((int64_t) (b[55]) << 48);
+    /* Load from bytes */
+    dd[ 0] =  ((int64_t) (d[ 0]) <<  0)
+           |  ((int64_t) (d[ 1]) <<  8)
+           |  ((int64_t) (d[ 2]) << 16)
+           |  ((int64_t) (d[ 3]) << 24)
+           |  ((int64_t) (d[ 4]) << 32)
+           |  ((int64_t) (d[ 5]) << 40)
+           |  ((int64_t) (d[ 6]) << 48);
+    dd[ 1] =  ((int64_t) (d[ 7]) <<  0)
+           |  ((int64_t) (d[ 8]) <<  8)
+           |  ((int64_t) (d[ 9]) << 16)
+           |  ((int64_t) (d[10]) << 24)
+           |  ((int64_t) (d[11]) << 32)
+           |  ((int64_t) (d[12]) << 40)
+           |  ((int64_t) (d[13]) << 48);
+    dd[ 2] =  ((int64_t) (d[14]) <<  0)
+           |  ((int64_t) (d[15]) <<  8)
+           |  ((int64_t) (d[16]) << 16)
+           |  ((int64_t) (d[17]) << 24)
+           |  ((int64_t) (d[18]) << 32)
+           |  ((int64_t) (d[19]) << 40)
+           |  ((int64_t) (d[20]) << 48);
+    dd[ 3] =  ((int64_t) (d[21]) <<  0)
+           |  ((int64_t) (d[22]) <<  8)
+           |  ((int64_t) (d[23]) << 16)
+           |  ((int64_t) (d[24]) << 24)
+           |  ((int64_t) (d[25]) << 32)
+           |  ((int64_t) (d[26]) << 40)
+           |  ((int64_t) (d[27]) << 48);
+    dd[ 4] =  ((int64_t) (d[28]) <<  0)
+           |  ((int64_t) (d[29]) <<  8)
+           |  ((int64_t) (d[30]) << 16)
+           |  ((int64_t) (d[31]) << 24)
+           |  ((int64_t) (d[32]) << 32)
+           |  ((int64_t) (d[33]) << 40)
+           |  ((int64_t) (d[34]) << 48);
+    dd[ 5] =  ((int64_t) (d[35]) <<  0)
+           |  ((int64_t) (d[36]) <<  8)
+           |  ((int64_t) (d[37]) << 16)
+           |  ((int64_t) (d[38]) << 24)
+           |  ((int64_t) (d[39]) << 32)
+           |  ((int64_t) (d[40]) << 40)
+           |  ((int64_t) (d[41]) << 48);
+    dd[ 6] =  ((int64_t) (d[42]) <<  0)
+           |  ((int64_t) (d[43]) <<  8)
+           |  ((int64_t) (d[44]) << 16)
+           |  ((int64_t) (d[45]) << 24)
+           |  ((int64_t) (d[46]) << 32)
+           |  ((int64_t) (d[47]) << 40)
+           |  ((int64_t) (d[48]) << 48);
+    dd[ 7] =  ((int64_t) (d[49]) <<  0)
+           |  ((int64_t) (d[50]) <<  8)
+           |  ((int64_t) (d[51]) << 16)
+           |  ((int64_t) (d[52]) << 24)
+           |  ((int64_t) (d[53]) << 32)
+           |  ((int64_t) (d[54]) << 40)
+           |  ((int64_t) (d[55]) << 48);
+
+    /* a * b + d */
+    t[ 0] =  dd[ 0] + (int128_t)ad[ 0] * bd[ 0];
+    t[ 1] =  dd[ 1] + (int128_t)ad[ 0] * bd[ 1]
+                    + (int128_t)ad[ 1] * bd[ 0];
+    t[ 2] =  dd[ 2] + (int128_t)ad[ 0] * bd[ 2]
+                    + (int128_t)ad[ 1] * bd[ 1]
+                    + (int128_t)ad[ 2] * bd[ 0];
+    t[ 3] =  dd[ 3] + (int128_t)ad[ 0] * bd[ 3]
+                    + (int128_t)ad[ 1] * bd[ 2]
+                    + (int128_t)ad[ 2] * bd[ 1]
+                    + (int128_t)ad[ 3] * bd[ 0];
+    t[ 4] =  dd[ 4] + (int128_t)ad[ 0] * bd[ 4]
+                    + (int128_t)ad[ 1] * bd[ 3]
+                    + (int128_t)ad[ 2] * bd[ 2]
+                    + (int128_t)ad[ 3] * bd[ 1]
+                    + (int128_t)ad[ 4] * bd[ 0];
+    t[ 5] =  dd[ 5] + (int128_t)ad[ 0] * bd[ 5]
+                    + (int128_t)ad[ 1] * bd[ 4]
+                    + (int128_t)ad[ 2] * bd[ 3]
+                    + (int128_t)ad[ 3] * bd[ 2]
+                    + (int128_t)ad[ 4] * bd[ 1]
+                    + (int128_t)ad[ 5] * bd[ 0];
+    t[ 6] =  dd[ 6] + (int128_t)ad[ 0] * bd[ 6]
+                    + (int128_t)ad[ 1] * bd[ 5]
+                    + (int128_t)ad[ 2] * bd[ 4]
+                    + (int128_t)ad[ 3] * bd[ 3]
+                    + (int128_t)ad[ 4] * bd[ 2]
+                    + (int128_t)ad[ 5] * bd[ 1]
+                    + (int128_t)ad[ 6] * bd[ 0];
+    t[ 7] =  dd[ 7] + (int128_t)ad[ 0] * bd[ 7]
+                    + (int128_t)ad[ 1] * bd[ 6]
+                    + (int128_t)ad[ 2] * bd[ 5]
+                    + (int128_t)ad[ 3] * bd[ 4]
+                    + (int128_t)ad[ 4] * bd[ 3]
+                    + (int128_t)ad[ 5] * bd[ 2]
+                    + (int128_t)ad[ 6] * bd[ 1]
+                    + (int128_t)ad[ 7] * bd[ 0];
+    t[ 8] =           (int128_t)ad[ 1] * bd[ 7]
+                    + (int128_t)ad[ 2] * bd[ 6]
+                    + (int128_t)ad[ 3] * bd[ 5]
+                    + (int128_t)ad[ 4] * bd[ 4]
+                    + (int128_t)ad[ 5] * bd[ 3]
+                    + (int128_t)ad[ 6] * bd[ 2]
+                    + (int128_t)ad[ 7] * bd[ 1];
+    t[ 9] =           (int128_t)ad[ 2] * bd[ 7]
+                    + (int128_t)ad[ 3] * bd[ 6]
+                    + (int128_t)ad[ 4] * bd[ 5]
+                    + (int128_t)ad[ 5] * bd[ 4]
+                    + (int128_t)ad[ 6] * bd[ 3]
+                    + (int128_t)ad[ 7] * bd[ 2];
+    t[10] =           (int128_t)ad[ 3] * bd[ 7]
+                    + (int128_t)ad[ 4] * bd[ 6]
+                    + (int128_t)ad[ 5] * bd[ 5]
+                    + (int128_t)ad[ 6] * bd[ 4]
+                    + (int128_t)ad[ 7] * bd[ 3];
+    t[11] =           (int128_t)ad[ 4] * bd[ 7]
+                    + (int128_t)ad[ 5] * bd[ 6]
+                    + (int128_t)ad[ 6] * bd[ 5]
+                    + (int128_t)ad[ 7] * bd[ 4];
+    t[12] =           (int128_t)ad[ 5] * bd[ 7]
+                    + (int128_t)ad[ 6] * bd[ 6]
+                    + (int128_t)ad[ 7] * bd[ 5];
+    t[13] =           (int128_t)ad[ 6] * bd[ 7]
+                    + (int128_t)ad[ 7] * bd[ 6];
+    t[14] =           (int128_t)ad[ 7] * bd[ 7];
+    t[15] = 0;
+
+    /* Mod curve order */
+    /* 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d */
+    /* Propagate carries */
+    c = t[ 0] >> 56; t[ 1] += c; t[ 0] = t[ 0] & 0xffffffffffffff;
+    c = t[ 1] >> 56; t[ 2] += c; t[ 1] = t[ 1] & 0xffffffffffffff;
+    c = t[ 2] >> 56; t[ 3] += c; t[ 2] = t[ 2] & 0xffffffffffffff;
+    c = t[ 3] >> 56; t[ 4] += c; t[ 3] = t[ 3] & 0xffffffffffffff;
+    c = t[ 4] >> 56; t[ 5] += c; t[ 4] = t[ 4] & 0xffffffffffffff;
+    c = t[ 5] >> 56; t[ 6] += c; t[ 5] = t[ 5] & 0xffffffffffffff;
+    c = t[ 6] >> 56; t[ 7] += c; t[ 6] = t[ 6] & 0xffffffffffffff;
+    c = t[ 7] >> 56; t[ 8] += c; t[ 7] = t[ 7] & 0xffffffffffffff;
+    c = t[ 8] >> 56; t[ 9] += c; t[ 8] = t[ 8] & 0xffffffffffffff;
+    c = t[ 9] >> 56; t[10] += c; t[ 9] = t[ 9] & 0xffffffffffffff;
+    c = t[10] >> 56; t[11] += c; t[10] = t[10] & 0xffffffffffffff;
+    c = t[11] >> 56; t[12] += c; t[11] = t[11] & 0xffffffffffffff;
+    c = t[12] >> 56; t[13] += c; t[12] = t[12] & 0xffffffffffffff;
+    c = t[13] >> 56; t[14] += c; t[13] = t[13] & 0xffffffffffffff;
+    c = t[14] >> 56; t[15] += c; t[14] = t[14] & 0xffffffffffffff;
+    /* Mod top half of extra words */
+    t[ 4] += (int128_t)0x21cf5b5529eec34L * t[12];
+    t[ 5] += (int128_t)0x0f635c8e9c2ab70L * t[12];
+    t[ 6] += (int128_t)0x2d944a725bf7a4cL * t[12];
+    t[ 7] += (int128_t)0x20cd77058eec490L * t[12];
+    t[ 5] += (int128_t)0x21cf5b5529eec34L * t[13];
+    t[ 6] += (int128_t)0x0f635c8e9c2ab70L * t[13];
+    t[ 7] += (int128_t)0x2d944a725bf7a4cL * t[13];
+    t[ 8] += (int128_t)0x20cd77058eec490L * t[13];
+    t[ 6] += (int128_t)0x21cf5b5529eec34L * t[14];
+    t[ 7] += (int128_t)0x0f635c8e9c2ab70L * t[14];
+    t[ 8] += (int128_t)0x2d944a725bf7a4cL * t[14];
+    t[ 9] += (int128_t)0x20cd77058eec490L * t[14];
+    t[ 7] += (int128_t)0x21cf5b5529eec34L * t[15];
+    t[ 8] += (int128_t)0x0f635c8e9c2ab70L * t[15];
+    t[ 9] += (int128_t)0x2d944a725bf7a4cL * t[15];
+    t[10] += (int128_t)0x20cd77058eec490L * t[15];
+    /* Propagate carries */
+    c = t[ 4] >> 56; t[ 5] += c; t[ 4] = t[ 4] & 0xffffffffffffff;
+    c = t[ 5] >> 56; t[ 6] += c; t[ 5] = t[ 5] & 0xffffffffffffff;
+    c = t[ 6] >> 56; t[ 7] += c; t[ 6] = t[ 6] & 0xffffffffffffff;
+    c = t[ 7] >> 56; t[ 8] += c; t[ 7] = t[ 7] & 0xffffffffffffff;
+    c = t[ 8] >> 56; t[ 9] += c; t[ 8] = t[ 8] & 0xffffffffffffff;
+    c = t[ 9] >> 56; t[10] += c; t[ 9] = t[ 9] & 0xffffffffffffff;
+    c = t[10] >> 56; t[11] += c; t[10] = t[10] & 0xffffffffffffff;
+    /* Mod bottom half of extra words */
+    t[ 0] += (int128_t)0x21cf5b5529eec34L * t[ 8];
+    t[ 1] += (int128_t)0x0f635c8e9c2ab70L * t[ 8];
+    t[ 2] += (int128_t)0x2d944a725bf7a4cL * t[ 8];
+    t[ 3] += (int128_t)0x20cd77058eec490L * t[ 8];
+    t[ 1] += (int128_t)0x21cf5b5529eec34L * t[ 9];
+    t[ 2] += (int128_t)0x0f635c8e9c2ab70L * t[ 9];
+    t[ 3] += (int128_t)0x2d944a725bf7a4cL * t[ 9];
+    t[ 4] += (int128_t)0x20cd77058eec490L * t[ 9];
+    t[ 2] += (int128_t)0x21cf5b5529eec34L * t[10];
+    t[ 3] += (int128_t)0x0f635c8e9c2ab70L * t[10];
+    t[ 4] += (int128_t)0x2d944a725bf7a4cL * t[10];
+    t[ 5] += (int128_t)0x20cd77058eec490L * t[10];
+    t[ 3] += (int128_t)0x21cf5b5529eec34L * t[11];
+    t[ 4] += (int128_t)0x0f635c8e9c2ab70L * t[11];
+    t[ 5] += (int128_t)0x2d944a725bf7a4cL * t[11];
+    t[ 6] += (int128_t)0x20cd77058eec490L * t[11];
+    /* Propagate carries */
+    c = t[ 0] >> 56; t[ 1] += c; rd[ 0] = (int64_t)(t[ 0] & 0xffffffffffffff);
+    c = t[ 1] >> 56; t[ 2] += c; rd[ 1] = (int64_t)(t[ 1] & 0xffffffffffffff);
+    c = t[ 2] >> 56; t[ 3] += c; rd[ 2] = (int64_t)(t[ 2] & 0xffffffffffffff);
+    c = t[ 3] >> 56; t[ 4] += c; rd[ 3] = (int64_t)(t[ 3] & 0xffffffffffffff);
+    c = t[ 4] >> 56; t[ 5] += c; rd[ 4] = (int64_t)(t[ 4] & 0xffffffffffffff);
+    c = t[ 5] >> 56; t[ 6] += c; rd[ 5] = (int64_t)(t[ 5] & 0xffffffffffffff);
+    c = t[ 6] >> 56; t[ 7] += c; rd[ 6] = (int64_t)(t[ 6] & 0xffffffffffffff);
+    rd[ 7] = t[7];
+    /* Mod bits over 56 in last word */
+    o = rd[7] >> 54; rd[ 7] &= 0x3fffffffffffff;
+    rd[ 0] += 0x873d6d54a7bb0dL * o;
+    rd[ 1] += 0x3d8d723a70aadcL * o;
+    rd[ 2] += 0xb65129c96fde93L * o;
+    rd[ 3] += 0x8335dc163bb124L * o;
+    /* Propagate carries */
+    o = rd[ 0] >> 56; rd[ 1] += o; rd[ 0] = rd[ 0] & 0xffffffffffffff;
+    o = rd[ 1] >> 56; rd[ 2] += o; rd[ 1] = rd[ 1] & 0xffffffffffffff;
+    o = rd[ 2] >> 56; rd[ 3] += o; rd[ 2] = rd[ 2] & 0xffffffffffffff;
+    o = rd[ 3] >> 56; rd[ 4] += o; rd[ 3] = rd[ 3] & 0xffffffffffffff;
+    o = rd[ 4] >> 56; rd[ 5] += o; rd[ 4] = rd[ 4] & 0xffffffffffffff;
+    o = rd[ 5] >> 56; rd[ 6] += o; rd[ 5] = rd[ 5] & 0xffffffffffffff;
+    o = rd[ 6] >> 56; rd[ 7] += o; rd[ 6] = rd[ 6] & 0xffffffffffffff;
+
+    /* Convert to bytes */
+    r[ 0] = (rd[0 ] >>  0);
+    r[ 1] = (rd[0 ] >>  8);
+    r[ 2] = (rd[0 ] >> 16);
+    r[ 3] = (rd[0 ] >> 24);
+    r[ 4] = (rd[0 ] >> 32);
+    r[ 5] = (rd[0 ] >> 40);
+    r[ 6] = (rd[0 ] >> 48);
+    r[ 7] = (rd[1 ] >>  0);
+    r[ 8] = (rd[1 ] >>  8);
+    r[ 9] = (rd[1 ] >> 16);
+    r[10] = (rd[1 ] >> 24);
+    r[11] = (rd[1 ] >> 32);
+    r[12] = (rd[1 ] >> 40);
+    r[13] = (rd[1 ] >> 48);
+    r[14] = (rd[2 ] >>  0);
+    r[15] = (rd[2 ] >>  8);
+    r[16] = (rd[2 ] >> 16);
+    r[17] = (rd[2 ] >> 24);
+    r[18] = (rd[2 ] >> 32);
+    r[19] = (rd[2 ] >> 40);
+    r[20] = (rd[2 ] >> 48);
+    r[21] = (rd[3 ] >>  0);
+    r[22] = (rd[3 ] >>  8);
+    r[23] = (rd[3 ] >> 16);
+    r[24] = (rd[3 ] >> 24);
+    r[25] = (rd[3 ] >> 32);
+    r[26] = (rd[3 ] >> 40);
+    r[27] = (rd[3 ] >> 48);
+    r[28] = (rd[4 ] >>  0);
+    r[29] = (rd[4 ] >>  8);
+    r[30] = (rd[4 ] >> 16);
+    r[31] = (rd[4 ] >> 24);
+    r[32] = (rd[4 ] >> 32);
+    r[33] = (rd[4 ] >> 40);
+    r[34] = (rd[4 ] >> 48);
+    r[35] = (rd[5 ] >>  0);
+    r[36] = (rd[5 ] >>  8);
+    r[37] = (rd[5 ] >> 16);
+    r[38] = (rd[5 ] >> 24);
+    r[39] = (rd[5 ] >> 32);
+    r[40] = (rd[5 ] >> 40);
+    r[41] = (rd[5 ] >> 48);
+    r[42] = (rd[6 ] >>  0);
+    r[43] = (rd[6 ] >>  8);
+    r[44] = (rd[6 ] >> 16);
+    r[45] = (rd[6 ] >> 24);
+    r[46] = (rd[6 ] >> 32);
+    r[47] = (rd[6 ] >> 40);
+    r[48] = (rd[6 ] >> 48);
+    r[49] = (rd[7 ] >>  0);
+    r[50] = (rd[7 ] >>  8);
+    r[51] = (rd[7 ] >> 16);
+    r[52] = (rd[7 ] >> 24);
+    r[53] = (rd[7 ] >> 32);
+    r[54] = (rd[7 ] >> 40);
+    r[55] = (rd[7 ] >> 48);
+    r[56] = 0;
+}
+
+/* Precomputed multiples of the base point. */
+static const ge448_precomp base[58][8] = {
+{
+    {
+        { 0x26a82bc70cc05eL, 0x80e18b00938e26L, 0xf72ab66511433bL,
+          0xa3d3a46412ae1aL, 0x0f1767ea6de324L, 0x36da9e14657047L,
+          0xed221d15a622bfL, 0x4f1970c66bed0dL },
+        { 0x08795bf230fa14L, 0x132c4ed7c8ad98L, 0x1ce67c39c4fdbdL,
+          0x05a0c2d73ad3ffL, 0xa3984087789c1eL, 0xc7624bea73736cL,
+          0x248876203756c9L, 0x693f46716eb6bcL }
+    },
+    {
+        { 0x55555555555555L, 0x55555555555555L, 0x55555555555555L,
+          0x55555555555555L, 0xaaaaaaaaaaaaa9L, 0xaaaaaaaaaaaaaaL,
+          0xaaaaaaaaaaaaaaL, 0xaaaaaaaaaaaaaaL },
+        { 0xeafbcdea9386edL, 0xb2bed1cda06bdaL, 0x833a2a3098bbbcL,
+          0x8ad8c4b80d6565L, 0x884dd7b7e36d72L, 0xc2b0036ed7a035L,
+          0x8db359d6205086L, 0xae05e9634ad704L }
+    },
+    {
+        { 0x28173286ff2f8fL, 0xb769465da85757L, 0xf7f6271fd6e862L,
+          0x4a3fcfe8daa9cbL, 0xda82c7e2ba077aL, 0x943332241b8b8cL,
+          0x6455bd64316cb6L, 0x0865886b9108afL },
+        { 0x22ac13588ed6fcL, 0x9a68fed02dafb8L, 0x1bdb6767f0bffaL,
+          0xec4e1d58bb3a33L, 0x56c3b9fce43c82L, 0xa6449a4a8d9523L,
+          0xf706cbda7ad43aL, 0xe005a8dbd5125cL }
+    },
+    {
+        { 0xce42ac48ba7f30L, 0xe1798949e120e2L, 0xf1515dd8ba21aeL,
+          0x70c74cc301b7bdL, 0x0891c693fda4beL, 0x29ea255a09cf4eL,
+          0x2c1419a17226f9L, 0x49dcbc5c6c0cceL },
+        { 0xe236f86de51839L, 0x44285d0d4f5b32L, 0x7ea1ca9472b5d4L,
+          0x7b8a5bc1c0d8f9L, 0x57d845c90dc322L, 0x1b979cb7c02f04L,
+          0x27164b33a5de02L, 0xd49077e4accde5L }
+    },
+    {
+        { 0xa99d1092030034L, 0x2d8cefc6f950d0L, 0x7a920c3c96f07bL,
+          0x958812808bc0d5L, 0x62ada756d761e8L, 0x0def80cbcf7285L,
+          0x0e2ba7601eedb5L, 0x7a9f9335a48dcbL },
+        { 0xb4731472f435ebL, 0x5512881f225443L, 0xee59d2b33c5840L,
+          0xb698017127d7a4L, 0xb18fced86551f7L, 0x0ade260ca1823aL,
+          0xd3b9109ce4fd58L, 0xadfd751a2517edL }
+    },
+    {
+        { 0x7fd7652abef79cL, 0x6c20a07443a878L, 0x5c1840d12a7109L,
+          0x4a06e4a876451cL, 0x3bed0b4ad95f65L, 0x25d2e673fb0260L,
+          0x2e00349aebd971L, 0x54523e04498b72L },
+        { 0xea5d1da07c7bccL, 0xcce776938ea98cL, 0x80284e861d2b3eL,
+          0x48de76b6e1ff1bL, 0x7b121869c58522L, 0xbfd053a2765a1aL,
+          0x2d743ec056c667L, 0x3f99b9cd8ab61cL }
+    },
+    {
+        { 0xdf9567ceb5eaf7L, 0x110a6b478ac7d7L, 0x2d335014706e0bL,
+          0x0df9c7b0b5a209L, 0xba4223d568e684L, 0xd78af2d8c3719bL,
+          0x77467b9a5291b6L, 0x079748e5c89befL },
+        { 0xe20d3fadac377fL, 0x34e866972b5c09L, 0xd8687a3c40bbb7L,
+          0x7b3946fd2f84c9L, 0xd00e40ca78f50eL, 0xb87594417e7179L,
+          0x9c7373bcb23583L, 0x7ddeda3c90fd69L }
+    },
+    {
+        { 0x2538a67153bde0L, 0x223aca9406b696L, 0xf9080dc1ad713eL,
+          0x6c4cb47d816a64L, 0xbc285685dc8b97L, 0xd97b037c08e2d7L,
+          0x5b63fb45d0e66bL, 0xd1f1bc5520e8a3L },
+        { 0x4eb873ce69e09bL, 0x1663164bc8ee45L, 0x08f7003ba8d89fL,
+          0x4b98ead386ad82L, 0xa4b93b7bd94c7bL, 0x46ba408c6b38b3L,
+          0xdae87d1f3574ffL, 0xc7564f4e9bea9bL }
+    },
+},
+{
+    {
+        { 0x2e4fdb25bfac1cL, 0xf0d79aaf5f3bcaL, 0xe756b0d20fb7ccL,
+          0xe3696beb39609aL, 0xa019fc35a5ab58L, 0xa2b24853b281ddL,
+          0xe3e2be761ac0a2L, 0xf19c34feb56730L },
+        { 0x2d25ce8a30241eL, 0xf5661eab73d7a1L, 0x4611ed0daac9f4L,
+          0xd5442344ced72cL, 0xce78f52e92e985L, 0x6fe5dd44da4aadL,
+          0xfcaddc61d363ceL, 0x3beb69cc9111bfL }
+    },
+    {
+        { 0xd2e7660940ebc9L, 0xe032018b17bbe0L, 0xad4939175c0575L,
+          0xdd0b14721c7f34L, 0x52c2ba43e147e0L, 0x7dd03c60ee8973L,
+          0x5472e8decf2754L, 0x17a1cd1d6482bbL },
+        { 0xdd43b848128b3fL, 0xf0cae34ea7dd25L, 0x81ca99fff07df2L,
+          0x1c8959792ebbdcL, 0x45c7a6872155e6L, 0x907a50e39ddd08L,
+          0xbe398c2bb2d89bL, 0x38063f91b3b536L }
+    },
+    {
+        { 0x149fafbf843b23L, 0x00ab582ac7f22aL, 0xa3b981bf2f4d4cL,
+          0x2ce1a654341a22L, 0x68a40747c03b63L, 0x63206a212f2cf8L,
+          0xc9961d35149741L, 0xfb85430bc7099eL },
+        { 0x9c9107290a9e59L, 0x734e94a06de367L, 0x5cf3cbedb99214L,
+          0xc6bce3245b1fb9L, 0x1a82abedd7be0dL, 0xf74976aede7d1cL,
+          0x7025b7c21503bdL, 0xf7894910d096abL }
+    },
+    {
+        { 0x6bd48bb555a41bL, 0xfbdd0d067de206L, 0x98bc477dd6dfd1L,
+          0x1d0693b3e40b8aL, 0x6e15563da32ae4L, 0x0194a20fcebaa2L,
+          0xda116150980a93L, 0x8e119200109cecL },
+        { 0x8ea0552ffb9726L, 0xeba50a4047e44bL, 0xc050d2460ddf76L,
+          0xe009204ac690e0L, 0x47b86399b18edcL, 0x2f5b76ac77f23fL,
+          0x4296c240792905L, 0x73f6b4a06f6dc7L }
+    },
+    {
+        { 0xb6ef9ea3b10cadL, 0x312843df7c8fceL, 0x5bdcd528bedf86L,
+          0x2889059f6dd823L, 0x04578e908bfde0L, 0x3245df3123e2e5L,
+          0xbf461d57ee9e3aL, 0xddec2d46f94cebL },
+        { 0x21b43b9145768fL, 0xe79a8f9dae962aL, 0xff1972bcbb043fL,
+          0xe3dcf6d239649bL, 0xed592bdc533b85L, 0x14ff94fdbe22d0L,
+          0x6c4eb87f1d8e22L, 0xd8d4c71d18cf6dL }
+    },
+    {
+        { 0xcda666c8d96345L, 0x9ecaa25836cd21L, 0x6e885bd984606eL,
+          0x1dd5fef804f054L, 0x9dfff6b6959ae4L, 0x99b9cf8c9b55ccL,
+          0xb4716b062b9b80L, 0x13ec87c554b128L },
+        { 0xe696d1f75aacc2L, 0xf78c99387fc5ffL, 0x76c09473809d42L,
+          0x99ce62db618fa8L, 0x35e3e022f53341L, 0x62fc1ac0db6c5eL,
+          0xa1fb8e600d8b47L, 0x0bc107058f0d1eL }
+    },
+    {
+        { 0x1f4526916da513L, 0x1f2fc04f5cf341L, 0xae9208664d23e0L,
+          0x4e33082da8a113L, 0x2688ec61cfc085L, 0x6f2e8de6e5327fL,
+          0x2070db3b4e48a8L, 0xd6626973240adeL },
+        { 0xa6b317ffbd997bL, 0x9fa1b5649e26bdL, 0xcbf0d258cba0f3L,
+          0x4a7791b17b4745L, 0x25f555b5c9e190L, 0x7cd3940923ec4cL,
+          0x16f4c6ae98f1b6L, 0x7962116bcd4e0fL }
+    },
+    {
+        { 0x8d58fa302491e3L, 0x7cf76c67ab3898L, 0xbc2f657647ebc7L,
+          0x5f4bfe0d25f5a3L, 0x503f478d69505dL, 0x4a889fc3fb6645L,
+          0x33e1bc1fa86b18L, 0xabb234f5508dd8L },
+        { 0x5348e1b9a05b48L, 0x57ac5f164dc858L, 0x21f4d38ec8a2d3L,
+          0x5ec6d3ca3a3e9dL, 0xcd4062e560a0b8L, 0x49b74f73433f59L,
+          0xefd9d87cab14e3L, 0x858ce7feb964f5L }
+    },
+},
+{
+    {
+        { 0x7577254eb731b4L, 0x9fff1fb4e2397eL, 0x749b145c821715L,
+          0x40619fe2e65e67L, 0x57b82812e618d8L, 0x063186c707b83eL,
+          0xcfc80cb31b24a2L, 0xcca6185ac75169L },
+        { 0x6539f44b255818L, 0x5895da00368bceL, 0x841a30917c7482L,
+          0x85469e1b1a9c9eL, 0x05664c0e4f7d9dL, 0x8a063187b35cc0L,
+          0x214763aa0e9b0aL, 0x1bd872c4b26ac2L }
+    },
+    {
+        { 0x3578f97a93762bL, 0x434f69a72d52bcL, 0xddcca4022cb565L,
+          0xa7d1e41ff20544L, 0x823475d8a66588L, 0x9fc97c799d7bafL,
+          0x15542f1660e421L, 0xa7d1f60843faf6L },
+        { 0xbbfaab54063cccL, 0x3ad9bada49855aL, 0xffd5f1c5bddbfeL,
+          0x0e419c2ae87e59L, 0xdce6ed6f89956bL, 0xf047c21ccd8951L,
+          0x6ed4a1ba83c991L, 0x85af86e2d28e0aL }
+    },
+    {
+        { 0x04433c49ed48a8L, 0xeffa8580bc375dL, 0xfb0e1b2fa6e3b5L,
+          0x51483a2a1aaddaL, 0x733448df8b2ea8L, 0xaa0513cf639f0cL,
+          0x6bc61a3a23bf84L, 0x3e64f68dc2430dL },
+        { 0x51bf502c5876b1L, 0x6b833751c0dd2aL, 0xe597be1342914fL,
+          0x43d5ab0f8e632cL, 0x2696715d62587bL, 0xe87d20aed34f24L,
+          0x25b7e14e18baf7L, 0xf5eb753e22e084L }
+    },
+    {
+        { 0x51da71724d8295L, 0xd478e4318d1340L, 0xacf94f42cf7f66L,
+          0x230d7d13760711L, 0x078a66a5abc626L, 0xd78b0bd6b5f6daL,
+          0x23a971396d1d0bL, 0x87623d64bd960fL },
+        { 0x0841a9977db53fL, 0x23c1a53f4d03eeL, 0x2f62c2e1f95df1L,
+          0xd1e2ec1116f4e7L, 0x896d2fe34811a9L, 0xad65e2bec8096eL,
+          0x09d36f9b1744a6L, 0x564bac7ff5ddf7L }
+    },
+    {
+        { 0x48b41e2c3f77cbL, 0x52276730968938L, 0xff1b899fd9b452L,
+          0x67cf3bf2e03908L, 0x3731d90248a6fbL, 0xd800a05256598fL,
+          0x347d2f2bdc8530L, 0xc72a3007ad08a1L },
+        { 0x5e5be741d65f73L, 0x183d4ae4206eadL, 0xcb50c1cade4013L,
+          0x39db43d3102483L, 0x0eb49fa70d6325L, 0xa18f6a2c1f02b9L,
+          0x3e6fe30dbf5e66L, 0xac4eeb93a82aa5L }
+    },
+    {
+        { 0x295affd3613d47L, 0x7b7e68ab56f343L, 0x980629692b173bL,
+          0x937061ebad35fbL, 0x25019785c21eeaL, 0xe92721b787a746L,
+          0x463c46c3651631L, 0x6da4b5dc6f2d5aL },
+        { 0xcb67cc16e6d18cL, 0x1b30d520010588L, 0x1bb6ea6db1d1e8L,
+          0x9c6308aad11474L, 0xc3167413d19b1cL, 0xf2e84d7be4fb79L,
+          0xeccb873e050f77L, 0xf7c8d80cc2bf86L }
+    },
+    {
+        { 0x16fe2e17ab20e5L, 0x274deadecf3a92L, 0x9f434870972f67L,
+          0x9a65a454605751L, 0x9351f07b8980b2L, 0x412962b0eb08a5L,
+          0xb8c9bfd733f440L, 0xac2cd641ca250fL },
+        { 0x68cdd0f2ba7d26L, 0xd3d2a4a4e0beeaL, 0x50135c19f4a258L,
+          0xb475e53f0d02e4L, 0x432d8c6589283aL, 0x29141bfa0a2b6cL,
+          0xd7379ec13704bcL, 0x831562c52459bfL }
+    },
+    {
+        { 0x676b366eeec506L, 0xdd6cad545da557L, 0x9de39cb77057d2L,
+          0x388c5fedf05bf1L, 0x6e55650dfb1f03L, 0xdbceffa52126c9L,
+          0xe4d187b3a4a220L, 0xac914f9eb27020L },
+        { 0x3f4ab98d2e5f30L, 0x6ae97dadd94451L, 0x64af6950d80981L,
+          0x36b4b90f2aa2ceL, 0x6adcd7a18fcf59L, 0x3ddfe6dc116c81L,
+          0x661072b549b9e3L, 0xd9e3134ec4584dL }
+    },
+},
+{
+    {
+        { 0x6e46707a1e400cL, 0xcdc990b551e806L, 0xfa512513a07724L,
+          0x500553f1b3e4f5L, 0x67e8b58ef4dac3L, 0x958349f2cb4cc7L,
+          0x948b4ed7f9143cL, 0xe646d092b7822bL },
+        { 0xd185dd52bc3c26L, 0x34ba16ec837fc9L, 0x516d4ba5a788b7L,
+          0x72f2de756142b0L, 0x5846f61f445b3dL, 0xdaec5c9f4631a1L,
+          0xa10b18d169ea9bL, 0x85d2998af6751bL }
+    },
+    {
+        { 0xda0cac443ddf31L, 0x0966e171860911L, 0x9c3a7173cba600L,
+          0x5781880571f895L, 0x5e2a927737ac21L, 0x8a461486c253fbL,
+          0xe801cf595ee626L, 0x271166a5f84fc0L },
+        { 0x306937fba856bdL, 0x80cb179be80a43L, 0x70393b2ffb5980L,
+          0xa8e4a1c660fc64L, 0x5078abfc0d5c98L, 0x62ba530fbd31ffL,
+          0xda608449e51b88L, 0xdb6ecb0355ae15L }
+    },
+    {
+        { 0xbcbb6ea23c5d49L, 0x08906ba87959bcL, 0x61cc0880991665L,
+          0x21d6b41d90d13cL, 0x0c27ac1d03afe9L, 0x159995f5cfea52L,
+          0x4057e20bdfe220L, 0xdd1b349cbdf058L },
+        { 0x0cd66262e37159L, 0x8cea8e43eb0d17L, 0x553af085bce7f0L,
+          0xb94cb5f5b6511dL, 0x7b8d3a550e0330L, 0x415911057ab7e7L,
+          0x320820e6aa886fL, 0x130d4d6c5b6b81L }
+    },
+    {
+        { 0x2f98059c7bb2edL, 0x33ebf4ca49bdfbL, 0x04c72a1b0a675bL,
+          0x94f9ea4adb6c14L, 0x03376d8cf728c0L, 0x5c059d34c6eb6aL,
+          0x0178408eb8da48L, 0x8bf607b2956817L },
+        { 0x7ad2822ceb3d28L, 0xd07a40337ae653L, 0xbc68739c1e46b2L,
+          0x15d7cca9154ba9L, 0x6b97103a26617dL, 0xa610314b2e0d28L,
+          0x52a08bafd4d363L, 0x80c2638c7dc2afL }
+    },
+    {
+        { 0x0cde7ef3187140L, 0x93b92ca4b70acdL, 0x5696e507a79cdcL,
+          0x73cc9728eaab66L, 0x6b8c5b68f1b0c7L, 0xb39a3184f7e0b1L,
+          0x72cfb0d376108aL, 0x0c53efc98536a7L },
+        { 0x03b52a824c2f1eL, 0x717132e6399b78L, 0x31ebd25349a85dL,
+          0x265ee811a200d4L, 0x0b1aad2407d7adL, 0x9a9ebc894d2962L,
+          0x994e6cd41171d9L, 0x09178d86c8fa83L }
+    },
+    {
+        { 0x7d1d238a2593a1L, 0x863e93ab38fb19L, 0xd23a4cce7712a9L,
+          0x7477b1327efcd5L, 0x3ba69ff1392f6cL, 0x63e0c32f7bb5a5L,
+          0x20412c0026effdL, 0xd3ee8e4ef424abL },
+        { 0x14c0b2d64e5174L, 0x2a611f2e58c47bL, 0xaa58a06c1e8635L,
+          0x1870c3ecf17034L, 0xb0d5e3483f1bf3L, 0xb19905c16c7eb3L,
+          0xbf85d626efa4caL, 0xfd16b2f180f92bL }
+    },
+    {
+        { 0xc0431af3adcb48L, 0xc9a7a8dba90496L, 0xd765a163895294L,
+          0xb02a41a551de70L, 0xb71b261749b8a1L, 0x0dfa89ec6f3e47L,
+          0x392c0d80f5d9ceL, 0x43c59d831aee3cL },
+        { 0x94bfb6d4d76f49L, 0xe8f5b8227d68a5L, 0x78ae1d9630fd08L,
+          0x1379029ce1bdaeL, 0x9689da066715dcL, 0x5d4cb24d3278c7L,
+          0x77c98339e84fbcL, 0xc8478dcea1048cL }
+    },
+    {
+        { 0xe4b8f31770d2baL, 0x744f65242ea095L, 0xd06e090036f138L,
+          0xd3a3d5b3b078caL, 0xc7ae54178b8417L, 0xad6c5d4c738fd7L,
+          0x61789844676454L, 0xfbf34235d9a392L },
+        { 0x8e451a7fff772fL, 0x8605bb75ffbeadL, 0x6f75cc1930d59fL,
+          0xd4f47558f3f460L, 0xefd2d796700c8aL, 0xceb462a2406421L,
+          0x8ed0f979dfe8f1L, 0x0280bf1d1d7600L }
+    },
+},
+{
+    {
+        { 0x761c219dd9a54dL, 0x1127fcb86a39c0L, 0x7d0e4f04c9beddL,
+          0x27c017a4d976b6L, 0x800c973da042cfL, 0xe7419af2593f11L,
+          0xbd49448ae67960L, 0xd3b60b7744fd85L },
+        { 0x5e74ed961676feL, 0x7383ef339af627L, 0x34407e05e62df7L,
+          0xb0534618bf3196L, 0xd6b7184583b407L, 0xe3d068555011beL,
+          0x94083d02124b52L, 0xa908324f780aafL }
+    },
+    {
+        { 0xb27af1a73ec9c3L, 0xb66ad9f70fa725L, 0x07724f58cf73e4L,
+          0xc3fcd579949358L, 0x06efb79da0cc01L, 0x1e977d210597c9L,
+          0xcd732be703e8d6L, 0x6fd29bf6d0b69eL },
+        { 0xca658ac667128eL, 0xca0036ac7872b3L, 0xc9698585355837L,
+          0x59f3be8075cf1cL, 0x9f1b9b03809a11L, 0x6881ced9733871L,
+          0x8cda0fbe902a5fL, 0x4d8c69b4e3871eL }
+    },
+    {
+        { 0x5c3bd07ddee82fL, 0xe52dd312f9723bL, 0xcf8761174f1be8L,
+          0xd9ecbd835f8657L, 0x4f77393fbfea17L, 0xec9579fd78fe2cL,
+          0x320de920fb0450L, 0xbfc9b8d95d9c47L },
+        { 0x818bd425e1b4c3L, 0x0e0c41c40e2c78L, 0x0f7ce9abccb0d0L,
+          0xc7e9fa45ef81fbL, 0x2561d6f73574adL, 0xa2d8d99d2efb0bL,
+          0xcf8f316e96cd0aL, 0x088f0f14964807L }
+    },
+    {
+        { 0x0a8498945d5a19L, 0x47ab39c6c2131fL, 0x5c02824f3fc35dL,
+          0x3be77c89ee8127L, 0xa8491b7c90b80aL, 0x5397631a28aa93L,
+          0x54d6e816c0b344L, 0x22878be876d0e4L },
+        { 0xeecb8a46db3bf6L, 0x340f29554577a3L, 0xa7798689a00f85L,
+          0x98465d74bb9147L, 0x9532d7dda3c736L, 0x6d574f17504b20L,
+          0x6e356f4d86e435L, 0x70c2e8d4533887L }
+    },
+    {
+        { 0xdce5a0ad293980L, 0x32d7210069010eL, 0x64af59f06deaaaL,
+          0xd6b43c459239e4L, 0x74bf2559199c29L, 0x3efff4111e1e2bL,
+          0x1aa7b5ecb0f8d8L, 0x9baa22b989e395L },
+        { 0xf78db807b33ac1L, 0x05a3b4354ce80aL, 0x371defc7bc8e12L,
+          0x63305a01224610L, 0x028b1ae6d697efL, 0x7aba39c1cd8051L,
+          0x76ed7a928ee4b4L, 0x31bd02a7f99901L }
+    },
+    {
+        { 0xf9dab7af075566L, 0x84e29a5f56f18bL, 0x3a4c45af64e56dL,
+          0xcf3644a6a7302dL, 0xfb40808156b658L, 0xf33ef9cf96be52L,
+          0xfe92038caa2f08L, 0xcfaf2e3b261894L },
+        { 0xf2a0dbc224ce3fL, 0xed05009592eb27L, 0x501743f95889d0L,
+          0xa88a47877c95c2L, 0x86755fbdd63da9L, 0x9024acfc7ee828L,
+          0x634b020f38113bL, 0x3c5aacc6056e64L }
+    },
+    {
+        { 0xe03ff3aa2ef760L, 0x3b95767b1c3bacL, 0x51ce6aa940d754L,
+          0x7cbac3f47a9a3dL, 0xa864ac434f8d1aL, 0x1eff3f280dbd47L,
+          0xd8ab6607ebd5caL, 0xc4df5c405b07edL },
+        { 0x3dc92dfa4f095bL, 0x5ae36a57cdbd9aL, 0x7ff29737891e04L,
+          0x37c03130a5fe7bL, 0x210d7b0aa6e35eL, 0x6edfb53bf200d8L,
+          0x787b68d84afb85L, 0x9b5c49b72c6de3L }
+    },
+    {
+        { 0x51857164010f4eL, 0xe0b144b0536ebeL, 0xacabb14887d663L,
+          0xac1caededf584fL, 0xb43fb8faf175a3L, 0x310b6d5f992a3cL,
+          0xf2c4aa285178a4L, 0x69c99698bd56bfL },
+        { 0x73d6372a4d972eL, 0x3d5bb2e9583803L, 0x7bf7d18d891581L,
+          0xa5ce5d7568a34aL, 0x670b4331f45c81L, 0x97265a71f96910L,
+          0xdb14eb3b07c1eaL, 0xdf008eafed447cL }
+    },
+},
+{
+    {
+        { 0x0379f5a00c2f10L, 0xb320b4fd350285L, 0x74e560e8efdd7dL,
+          0xf2f017ef46a140L, 0x2ced1a60f34624L, 0x7c4b4e3ca08ec9L,
+          0xdffc2a15d8bc6bL, 0xcc8f3f3527b007L },
+        { 0x59f8ac4861fe83L, 0x8d48d2cd03144cL, 0xa8457d2bfa6dceL,
+          0xd7ed333677c136L, 0xcb8e219c228e18L, 0x5f70bc916ab1e4L,
+          0x2ae3a3d3780370L, 0x9f3365488f17adL }
+    },
+    {
+        { 0xeab0710960e4bbL, 0xc668a78ab9cfd3L, 0x2e85553b0ef946L,
+          0xa43c4b98df5df3L, 0x0ecd5593cb3646L, 0x6f543c418dbe71L,
+          0xee7edaaf59818bL, 0xc44e8d290911c1L },
+        { 0xafb38b1269b509L, 0x9e2737c52afe2cL, 0x5b2ef02ccfa664L,
+          0x1e0aeace1cc58bL, 0x37a57e95ea134eL, 0xc9c465a83b9fc2L,
+          0x4b9e8c76e3eccaL, 0xca07dbe9bdbab5L }
+    },
+    {
+        { 0xd297f3cb0d7807L, 0xee441a5f59ce61L, 0x728553bb2db844L,
+          0x90f87e5640e9e0L, 0xaa72cbfcb76dffL, 0x065c6864012d57L,
+          0xd5ee88f9678b44L, 0x3d74b852177603L },
+        { 0x3f9c947748b68eL, 0x03856d98f44d44L, 0xde34b84462426cL,
+          0xc16d1bb845ab29L, 0x9df6217d2e18deL, 0xec6d219b154643L,
+          0x22a8ec32ee0f8fL, 0x632ad3891c5175L }
+    },
+    {
+        { 0x19d9d236869267L, 0x628df94fe5532aL, 0x458d76c6dc9a01L,
+          0x405fe6c2cc39c8L, 0x7dddc67f3a04baL, 0xfee630312500c7L,
+          0x580b6f0a50e9deL, 0xfb5918a6090604L },
+        { 0xd7159253af6b2dL, 0x83d62d61c7d1ecL, 0x94398c185858c4L,
+          0x94643dc14bfb64L, 0x758fa38af7db80L, 0xe2d7d93a8a1557L,
+          0xa569e853562af1L, 0xd226bdd84346aaL }
+    },
+    {
+        { 0xc2d0a5ed0ccd20L, 0xeb9adb85dbc0cfL, 0xe0a29ee26d7e88L,
+          0x8bb39f884a8e98L, 0x511f1c137396eaL, 0xbc9ec5ac8b2fb3L,
+          0x299d81c090e5bcL, 0xe1dfe344cdd587L },
+        { 0x80f61f45e465b7L, 0x5699c531bad59eL, 0x85e92e4b79ff92L,
+          0x1e64fce9db244cL, 0x3748574a22097dL, 0xe2aa6b9efff24eL,
+          0xb951be70a10bc6L, 0x66853269067a1cL }
+    },
+    {
+        { 0xf716ddfa6114d3L, 0x9e515f5037ec1fL, 0x773454144944a6L,
+          0x1540c4caba97ccL, 0xe41e5488b54bb7L, 0x4363156cae37bcL,
+          0xc384eaff3d2ce8L, 0x72a4f454c58ba4L },
+        { 0x0ceb530dcaf3fcL, 0x72d536578dcdbbL, 0x9b44084c6320faL,
+          0x6262d34eb74c70L, 0x8abac85608e6dcL, 0x82a526410dd38dL,
+          0xbc39911a819b8dL, 0xbda15fe03ad0d9L }
+    },
+    {
+        { 0xadbf587f9dc60bL, 0xf9d814f7d846d2L, 0xccdd241b77bde0L,
+          0x89cb6d72242f50L, 0x95c0e3ee6360a8L, 0x7c7dd5adf49713L,
+          0x68e0e4957d5814L, 0x3aa097d0c16571L },
+        { 0xb56b672267d03aL, 0x4f557088c44af4L, 0x67c49e7f3252a5L,
+          0x871d6cfc94a469L, 0x57ae99801fbfaaL, 0x5c0e48f48a5d8eL,
+          0xe9bf9c85e240b9L, 0xa41018999d41caL }
+    },
+    {
+        { 0x6beb0c7b2889b4L, 0x78b7f899455370L, 0xd43421447ca364L,
+          0xdd9d2da9f21e5bL, 0xa0c7c180a7e4aaL, 0x022c0d4da1660cL,
+          0xe1f5c165a57002L, 0x51c7c9e518f68fL },
+        { 0x6d521b62586502L, 0xa0f2cb3183ec1bL, 0x578b4e0caa5e16L,
+          0x7bd4fbd764997fL, 0x7ec56c364b1804L, 0xb75a2540ee08e4L,
+          0x6bf74a6dc19080L, 0x6ec793d97d6e59L }
+    },
+},
+{
+    {
+        { 0x16789d60a4beb9L, 0x512b2cd9b9c801L, 0xf8b6d108c7bb9cL,
+          0xd85651e9ebdc8cL, 0xc9450829ba971aL, 0x852d9ea7e1cf78L,
+          0x6a45e350af01e2L, 0xe6cdadf6151dcfL },
+        { 0xc454bb42b8c01bL, 0x59e0c493d54cd2L, 0x8e1e686454d608L,
+          0x0dbae4bd8c6103L, 0xa5603a16c18b18L, 0x227a6b23369093L,
+          0xf1e89295f3de1cL, 0x42f0b588ab63c5L }
+    },
+    {
+        { 0xf1974cc5b596d8L, 0xee8093f44719f0L, 0x40ba933f6f5b54L,
+          0xd6e53652f3d654L, 0x9aeb83526d73b8L, 0x50ed5350776382L,
+          0x3be47d6ad43875L, 0x21d56dfc786e48L },
+        { 0x8a75e18b73bb39L, 0x9eba84cf265a78L, 0x7c02a4d2e772e7L,
+          0xf7df6d44c1ecd2L, 0xa8d9ea06cef71bL, 0x86e8f91cae3b68L,
+          0x2fd141199efefaL, 0x0b36ab2214e6f6L }
+    },
+    {
+        { 0xd79065cbdce61cL, 0xcb562ffdecb229L, 0xef5d3d14600849L,
+          0x348b31b1d23ac8L, 0xb2ea69915c36b8L, 0x268683d4822836L,
+          0x083edbec6f0b7dL, 0xaf4f39d1a7821cL },
+        { 0x23be6e84e64841L, 0xe9e246365bf791L, 0xa3208ac02bfd7cL,
+          0x231989cd01357dL, 0x79b8aad6422ab4L, 0x57d2b7e91b8564L,
+          0x28ebbcc8c04421L, 0xdc787d87d09c05L }
+    },
+    {
+        { 0xeb99f626c7bed5L, 0x326b15f39cd0e8L, 0xd9d53dcd860615L,
+          0xdf636e71bf4205L, 0x1eaa0bf0752209L, 0x17ce69a4744abbL,
+          0x474572df3ea2fbL, 0xc4f6f73224a7f3L },
+        { 0x7ed86ad63081b4L, 0xcd4cdc74a20afbL, 0x7563831b301b2eL,
+          0x5b4d2b1e038699L, 0xa15d1fa802a15fL, 0x6687aaf13e9172L,
+          0x3eccd36ba6da90L, 0x34e829d7474e83L }
+    },
+    {
+        { 0x4cea19b19c9b27L, 0xa14c37a5f52523L, 0x248b16d726625cL,
+          0x8c40f9f6cabc21L, 0x918470c32a5c65L, 0x314056b2a98d5bL,
+          0x6c974cf34a0714L, 0x0c8f8a94f6314aL },
+        { 0x484455770bccfdL, 0xf5835db740c9fdL, 0x12e59b5a21407cL,
+          0xbe338e0db1689dL, 0x5a50ce9dd5e915L, 0xb1780e9ef99f39L,
+          0x1262b55ee4d833L, 0x4be3f2289c5340L }
+    },
+    {
+        { 0xbb99b906c4b858L, 0xa7724d1550ca53L, 0x7d31f5a826962eL,
+          0xf239322a5804daL, 0x3e113200275048L, 0xcbb1bb83ee4cb6L,
+          0xdb865251331191L, 0xb7caf9e7d1d903L },
+        { 0x06e3b0577d7a9dL, 0x7a132b0b3bbbf5L, 0xd61fbc57c50575L,
+          0x393f712af4b646L, 0xef77972cb7efe9L, 0x20e6d5d5ea4995L,
+          0x0ac23d4fbbe4c6L, 0x8456617c807f2aL }
+    },
+    {
+        { 0x4995fb35396143L, 0xa8b4bd1b99dc46L, 0x2293e8e4150064L,
+          0x2f77d4922a3545L, 0xe866b03b2192c4L, 0x58b01f05e0aa38L,
+          0xe406b232ed246bL, 0x447edb3ed60974L },
+        { 0xf541b338869703L, 0x6959fe0383420aL, 0xd6b39db4be4e48L,
+          0x048f3b4b5714efL, 0x68b49685d9e4b8L, 0xbda8e6c2177963L,
+          0x5094e35c4211feL, 0xea591c32d46d1aL }
+    },
+    {
+        { 0x3a768ff2fef780L, 0x4218d2832970c6L, 0xce598e4ec6da17L,
+          0xf675645fbb126aL, 0xb04c23f0427617L, 0xc9f93fbe4fce74L,
+          0x44a414b3c91b00L, 0x4d982f31d3b3ccL },
+        { 0xb1d40e8b24cce0L, 0x5a21c07133e73dL, 0x6e9358e0bb589dL,
+          0x39cfb172399844L, 0x83f7647166080eL, 0xcfe7bf8450b468L,
+          0x2a288f71e8434fL, 0xd39f1e521a81e3L }
+    },
+},
+{
+    {
+        { 0x78c6f13528af6fL, 0x0001fe294b74d9L, 0xae7742501aab44L,
+          0x7cbe937ef0039cL, 0xaf3e4f00fa2a67L, 0xe28175fda1378eL,
+          0x72adeed8ccd90eL, 0x16a8ce100af22fL },
+        { 0x69fae17cbf63ddL, 0x67861729e39e26L, 0xe92b3d5f827a18L,
+          0x4d75e418403682L, 0x01a4fd99056a79L, 0x89efb2d20008f5L,
+          0xa2f6918b78ff15L, 0xf41c870a3437f5L }
+    },
+    {
+        { 0xc840ae57be353cL, 0x465a5eb3fb2691L, 0x34a89f07eba833L,
+          0xf620896013346eL, 0x563b5f0e875df2L, 0x5f7fc8bfbc44ceL,
+          0x22fcb5acfedf9dL, 0x7cf68d47dc691bL },
+        { 0x37f7c2d76a103fL, 0x728a128fd87b7dL, 0x7db2ad8ccf2132L,
+          0xa4c13feb100e63L, 0xcd28a517b511d5L, 0xb910280721ca5cL,
+          0xec1305fd84bd52L, 0xb9646422729791L }
+    },
+    {
+        { 0x83fccdf5bc7462L, 0x01f3ddad6f012fL, 0x57f11713a6a87cL,
+          0xedb47ceff403acL, 0x6c184e5baab073L, 0x5b17c7d6f0d6a1L,
+          0x45a4c4f3ef2c91L, 0x26c3f7e86a8f41L },
+        { 0x81a6db0b646514L, 0xf84059fca8b9aeL, 0xd73dab69f02305L,
+          0x0de3faec4b7c6cL, 0x18abb88696df2fL, 0x45dd1b975d7740L,
+          0x3aeccc69ee35bcL, 0x478252eb029f88L }
+    },
+    {
+        { 0x66bf85b8b2ce15L, 0x1175425335709dL, 0x00169ef8123874L,
+          0xfd3c18c9b89868L, 0xb3612f9775204eL, 0x4b8d09dc2cd510L,
+          0xafa12e614559adL, 0x1ddaa889657493L },
+        { 0x87d700b1e77a08L, 0xaf4cf2f14d2e71L, 0xe00835dbf90c94L,
+          0xb16a6ec6dc8429L, 0x02a7210f8a4d92L, 0x5a5ab403d0c48dL,
+          0x0052b3ab5b9beaL, 0x6242739e138f89L }
+    },
+    {
+        { 0x7c215d316b2819L, 0xdacb65efeb9d7aL, 0xc3c569ed833423L,
+          0xbc08435886a058L, 0x132c4db7e5cb61L, 0x6373a279422affL,
+          0x43b9d7efca9fc4L, 0xe3319a5dbe465fL },
+        { 0x51d36870b39da7L, 0xcb6d7984b75492L, 0x77eb272eadd87aL,
+          0xf2fb47de0d3f6cL, 0x807fd86f9f791cL, 0xf01086b975e885L,
+          0xf9314b5b6a3604L, 0x8cd453867be852L }
+    },
+    {
+        { 0x7c1e6b3858f79bL, 0xf0477c4938caf9L, 0xb311bbf3e88c44L,
+          0x9234c091e3a3c1L, 0x531af2b95a1d4dL, 0xf3cc969b8d1c64L,
+          0x6f3c328b51e78dL, 0x5a1bd6c34e8881L },
+        { 0x2e312393a9336fL, 0x020f0cc5ced897L, 0x4b45d7b5fab121L,
+          0x8068b1c1841210L, 0x1bd85fc8349170L, 0xfe816d80f97fe5L,
+          0x108981814b84fcL, 0x1d4fabbb93cd48L }
+    },
+    {
+        { 0x1f11d45aef599eL, 0x8d91243b09c58aL, 0xd2eec7bd08c3c3L,
+          0x5a6039b3b02793L, 0xb27fed58fb2c00L, 0xb5de44de8acf5eL,
+          0x2c3e0cd6e6c698L, 0x2f96ed4777180dL },
+        { 0x67de8bf96d0e36L, 0xd36a2b6c9b6d65L, 0x8df5d37637d59cL,
+          0x951899fc8d9878L, 0x0fa090db13fcf8L, 0xa5270811f5c7b4L,
+          0x56a6560513a37aL, 0xc6f553014dc1feL }
+    },
+    {
+        { 0x7f6def794945d6L, 0x2f52fe38cc8832L, 0x0228ad9a812ff5L,
+          0xcd282e5bb8478aL, 0xa0bc9afbe91b07L, 0x0360cdc11165e2L,
+          0xb5240fd7b857e4L, 0x67f1665fa36b08L },
+        { 0x84ce588ad2c93fL, 0x94db722e8ff4c0L, 0xad2edbb489c8a3L,
+          0x6b2d5b87e5f278L, 0x0265e58d1d0798L, 0xd2c9f264c5589eL,
+          0xde81f094e4074dL, 0xc539595303089fL }
+    },
+},
+{
+    {
+        { 0x183492f83e882cL, 0x4d58203b5e6c12L, 0x1ac96c3efec20bL,
+          0xabd5a5be1cd15eL, 0x7e1e242cbbb14bL, 0x9f03f45d0543b3L,
+          0xc94bc47d678158L, 0x7917be0a446cadL },
+        { 0x53f2be29b37394L, 0x0cb0a6c064cc76L, 0x3a857bcfba3da3L,
+          0xac86bc580fcb49L, 0x9d5336e30ab146L, 0xafb093d5bc1270L,
+          0x996689de5c3b6eL, 0x55189faea076baL }
+    },
+    {
+        { 0x99ef986646ce03L, 0xa155f8130e6100L, 0x75bef1729b6b07L,
+          0xc46f08e1de077bL, 0xf52fdc57ed0526L, 0xe09d98961a299aL,
+          0x95273297b8e93aL, 0x11255b50acd185L },
+        { 0x57919db4a6acddL, 0x708a5784451d74L, 0x5b0bd01283f7b3L,
+          0xe82f40cc3d9260L, 0x2ab96ec82bbdc2L, 0x921f680c164d87L,
+          0xf0f7883c17a6a9L, 0xc366478382a001L }
+    },
+    {
+        { 0x5c9aa072e40791L, 0xf0b72d6a0776bfL, 0x445f9b2eaa50dcL,
+          0xa929fa96bda47fL, 0x539dc713bbfc49L, 0x4f16dd0006a78bL,
+          0x331ba3deef39c7L, 0xbfa0a24c34157cL },
+        { 0x0220beb6a3b482L, 0x3164d4d6c43885L, 0xa03bb5dacdea23L,
+          0xd6b8b5a9d8f450L, 0xd218e65bd208feL, 0x43948ed35c476fL,
+          0x29a0dd80a2ed2bL, 0xa6ccf3325295b7L }
+    },
+    {
+        { 0xf68f15fac38939L, 0xb3dd5a2f8010c1L, 0xf7ac290a35f141L,
+          0xdc8f3b27388574L, 0x7ec3de1e95fed2L, 0xc625451257ac7dL,
+          0x66fc33e664e55aL, 0xd3968d34832ba5L },
+        { 0x980291bc026448L, 0xfcb212524da4a5L, 0xbca7df4827a360L,
+          0xfcc395c85ca63bL, 0xcf566ec8e9f733L, 0x835ee9bd465f70L,
+          0xe66d111372f916L, 0xc066cf904d9211L }
+    },
+    {
+        { 0xb9763a38b48818L, 0xa6d23cc4288f96L, 0xe27fcf5ed3a229L,
+          0x6aebf9cabaff00L, 0xf3375038131cd1L, 0x13ad41dffabd58L,
+          0x1bee6af861c83bL, 0x274fe969c142e7L },
+        { 0x70ebcc99b84b5bL, 0xe1a57d78191cfcL, 0x46ccd06cbf00b8L,
+          0xc233e8eefe402dL, 0xb4ab215beebeb3L, 0xb7424eabd14e7bL,
+          0x351259aa679578L, 0x6d6d01e471d684L }
+    },
+    {
+        { 0x755c465815ae38L, 0xadc3e85611db56L, 0x633999b188dd50L,
+          0xfdf7509c12d907L, 0x25bcfde238b6afL, 0x50d705d397f5e7L,
+          0xb65f60b944c974L, 0x8867fc327ac325L },
+        { 0x2edc4413763effL, 0x892c0b3341fb63L, 0xb34b83ab3a7f28L,
+          0x9aa106d15c2f18L, 0x720bbc61bb2277L, 0x637f72a5cfaefdL,
+          0xf57db6ef43e565L, 0xceb7c67b58e772L }
+    },
+    {
+        { 0x2793da56ecc1deL, 0x4e1097438f31b2L, 0x4229b4f8781267L,
+          0xe5d2272dec04a1L, 0x6abb463ec17cffL, 0x28aaa7e0cbb048L,
+          0x41dc081d22ef85L, 0xcbc361e5e63d0fL },
+        { 0xb78aafcad5dbaaL, 0x0111505fc1edc3L, 0x63ed66d92c7bfaL,
+          0x2982284e468919L, 0x30f1f21b8c0d8cL, 0xf0567472685093L,
+          0x0e085b6f03dd0fL, 0xa8c8db85581e66L }
+    },
+    {
+        { 0x42009a6264ad0cL, 0x13bf2b8593bef4L, 0x1d111905d4e8b1L,
+          0xfe3e940ef7bddcL, 0xa012275624e62cL, 0xcb659241d6d3ccL,
+          0xc7bcc70edb7ab6L, 0xff9fafbb750b1cL },
+        { 0xf65df297fea84bL, 0x17c84a890b0e02L, 0xa92a859301e821L,
+          0xbee8cb2fb480d1L, 0x7010b8c59c604eL, 0x47bf3f4e803c43L,
+          0xd64514247b3fffL, 0xc4c5dcb9f0da13L }
+    },
+},
+{
+    {
+        { 0x8af700cb5253b3L, 0x31ca605206957aL, 0x25744393eafdcdL,
+          0x2ba5ae1d3ae15eL, 0x710b7385b82579L, 0x145ab57112b95aL,
+          0x4b133a038c55c5L, 0xf7559c92a16fefL },
+        { 0x70c3e68d9ba896L, 0x475dd32c33d07aL, 0xe084e473a41e40L,
+          0xddc9382fd2e706L, 0x34b727579510bdL, 0x5e78a69a5f901eL,
+          0x429dfd7dcfb823L, 0x1d9dc18014f0a3L }
+    },
+    {
+        { 0x364fcdfaf403d7L, 0xd9ea4ffb7d7b34L, 0x21a3426cbb1dacL,
+          0xfa51052143b4f5L, 0x2bca0736df2409L, 0x7e6985a8ad7285L,
+          0x3a1a9d04aaa27fL, 0x1a815e19fc0c6cL },
+        { 0xfab6147bb65bb3L, 0xa36dc0d33ced0bL, 0x26a88592062d78L,
+          0x343861728a5fb7L, 0xe82da254ebb1adL, 0x70f5071d05aa11L,
+          0x0b7f847adaac48L, 0xeb812bc93cb269L }
+    },
+    {
+        { 0xcb317ccf7cacccL, 0xd3410d9cf85098L, 0xca68c8d7f078d7L,
+          0xfe9e812b782efcL, 0x32e7c0f5f544b5L, 0x44fe95a3a7b7f2L,
+          0xf4f1543e91327bL, 0x27d118d76645edL },
+        { 0x690547cd7abc2cL, 0xf64680fb53c8afL, 0xbe0cbe079ea989L,
+          0x6cf0ccea91af28L, 0xa3b85a29daa2f9L, 0xd4b663c91faed0L,
+          0x782c7b7a8b20baL, 0xf494fafb8d98ceL }
+    },
+    {
+        { 0x080c0d7002f55aL, 0xf4f8f142d6d9ddL, 0xb326229382f025L,
+          0x58fd0b5ad28c20L, 0x704b9928d06a15L, 0xf4545d97fbd8e4L,
+          0xc32fa63ed55581L, 0x3ab793601ac0fdL },
+        { 0x13ece526099fd1L, 0x776dba89c79178L, 0x8d28212ce26c45L,
+          0x09fddaf60d739cL, 0xf9931eda84826eL, 0x6e73d90b29439eL,
+          0x94cfefc9095e61L, 0x3050d16802f474L }
+    },
+    {
+        { 0x0898f8f9f6394bL, 0x48b8cea88b0e91L, 0x4bc99254c1b362L,
+          0xe3fccb4827d9ecL, 0x5d4cf9ad950d6aL, 0xa16f1ef39b5b38L,
+          0x3c76d1d620f288L, 0x9fdd059e119390L },
+        { 0x7b5de9efb5edf8L, 0x3e290b9769d14eL, 0x4df3a916bd10b5L,
+          0xae99bca82f8f7bL, 0x5481d5dc9524afL, 0xf112e4f69504f1L,
+          0xb048f0951931ecL, 0xbff876a18f51b1L }
+    },
+    {
+        { 0x932e2a746c1c37L, 0x903ad529aea4c1L, 0x717ac918f161f2L,
+          0xa57d197f425e2aL, 0xae89dac7f39e0eL, 0x91655c0baa2a58L,
+          0xe3dc28654836ddL, 0xb5f0baaa9ec9e6L },
+        { 0xf7c4662bdbda04L, 0xbe5393b51059c0L, 0xb16d552dd95b0fL,
+          0xde495b31b3bd96L, 0xb2a6e02c0206c5L, 0x045cc09014d3a9L,
+          0xf66a3152a2f490L, 0x208c108c5dea05L }
+    },
+    {
+        { 0x6e38b6865237eaL, 0x93a13039f27fc6L, 0x9a6d510a95068aL,
+          0x6fbf216e7c9e54L, 0x7824290571ac1dL, 0x8cb23ba91c2a0cL,
+          0x611202ec7e434dL, 0x8f901bf76058b4L },
+        { 0xef0ac050849588L, 0xe0d2ddedd31804L, 0xaf5417ceb2ca81L,
+          0x420ac065d1a509L, 0x46e345e9683bb6L, 0x6daf635f613f7fL,
+          0xc9e829148a9576L, 0x5f9f1d1176d147L }
+    },
+    {
+        { 0xd24ae1d77e9709L, 0x77751dc0047b8aL, 0xe325334c6a1593L,
+          0x9baf962671f86aL, 0x425af6ac29a15eL, 0x31086002796e33L,
+          0xb6ea78cfc253a5L, 0x4c733e0afae0eaL },
+        { 0x4b7443a97c99b9L, 0xc14e9e450203a6L, 0xd1bb51552680baL,
+          0xa56a3efd55533aL, 0xa66e38c169e1a0L, 0xb3e4df9eed7da0L,
+          0x022c937ddce3d9L, 0x8552089f6e36b4L }
+    },
+},
+{
+    {
+        { 0x8e4bf95f5cc82eL, 0x2ad80c3c3ed6c9L, 0xf2e5b2cc9045e1L,
+          0x42c906559b06d4L, 0xc1f73797b43b84L, 0x1710dbf72d7992L,
+          0xe98cf47767b41cL, 0xe713fce7bfb9e9L },
+        { 0x9f54ae99fa5134L, 0x3002fd8de40d0eL, 0xdc282b79311334L,
+          0x5519810bfeb360L, 0x31539c70f96ffeL, 0x04eacc0d27777bL,
+          0x59824108ff5053L, 0x598236632b67adL }
+    },
+    {
+        { 0x6eb45546bea5c2L, 0x82cfae0d509a33L, 0x6a69bd8394bb59L,
+          0x1880d8d5770ee1L, 0x63518447dacf9eL, 0x5b1ecc5f02b891L,
+          0xeb7d900b6c9a5aL, 0xdab8a768897da8L },
+        { 0x28c7be598851a6L, 0x0101d4f4d73c3bL, 0x3c2569c5084996L,
+          0xb9bc911280bde0L, 0x513a22acd0d4f9L, 0xdf2986d2a15f3bL,
+          0x231c28f2aa4943L, 0x29623ad0333870L }
+    },
+    {
+        { 0x2ceb1784084416L, 0x924cf1c49516cdL, 0x76536c04be856fL,
+          0x11b59cd47a265bL, 0x720dc844999494L, 0x910f794007b795L,
+          0x8434e142d3df83L, 0x8f53878bd478d3L },
+        { 0xd9b072eaeb9c2fL, 0x16f87eafd8a29fL, 0x8c42f9b2fd0de1L,
+          0x916721e0e816efL, 0x2ecb47018bde37L, 0xcde3b7a2375da2L,
+          0x30d0657ef94281L, 0x51054565cd7af8L }
+    },
+    {
+        { 0x7230b334bdced3L, 0x0c6a3e10838569L, 0xf19c9ece3493b8L,
+          0xf2759270d97c57L, 0xf14181e0c862ebL, 0xfd3bac132c72bcL,
+          0x620563ff3be362L, 0x672ccaf47283b7L },
+        { 0x191e3fa2b7bf16L, 0xf838633520dad7L, 0xd3dde553629d87L,
+          0x14d8836af86ebeL, 0x3db7dfb221b2ceL, 0x3872abb0aed72aL,
+          0xb60de528c665b7L, 0x89c259644982cbL }
+    },
+    {
+        { 0x799a2de4dbba25L, 0xd818aaea42715eL, 0xbc88f4df55c362L,
+          0x142a163713c9aeL, 0x411e8eefbfb33fL, 0x34b46296bb684aL,
+          0x4344becdc81817L, 0xcc9573d17f9d46L },
+        { 0xf85f8bcff38a7dL, 0xa14bf730caf117L, 0x126874f4ba6429L,
+          0xcc9bf22aa5db97L, 0x62b56df6aba827L, 0xfee1cb89c9772aL,
+          0xe36838f177e541L, 0x698815dadd438fL }
+    },
+    {
+        { 0xc9fd89438ed1adL, 0x73cd79d7b6a601L, 0x2210e6205e8d20L,
+          0x72384ac3592af5L, 0x5ccc079763d07eL, 0x2f31a4aa5f79ebL,
+          0x693f4ed2945a95L, 0xc7120178056fdcL },
+        { 0x361ecd2df4b09aL, 0xa5644eab7d929aL, 0x34abc0b3fabe9aL,
+          0x1a2473ce942a8cL, 0xe00c9246454bc3L, 0xab324bcdff7366L,
+          0xe1412f121b8f99L, 0x970b572e33551eL }
+    },
+    {
+        { 0x6ca4cacbd0a6b5L, 0x5584787921d654L, 0x18e5253c809bdaL,
+          0x01b32c3f0cbe5eL, 0xb9aa7540f987ddL, 0x628f4bb6dfa4dbL,
+          0x0255f0b891890bL, 0x25b7df4874e590L },
+        { 0xbded3188ed5f95L, 0x9dc428dca93023L, 0xc68f25abccf520L,
+          0xc4f3764e616e6cL, 0xd9a57f1a1d9993L, 0xd1964a5533431bL,
+          0x06cd77f02ab6d0L, 0xa66079103e52e0L }
+    },
+    {
+        { 0xab088645f72700L, 0xf77b2ff0a1a44eL, 0x43ebdd8c2a24b5L,
+          0xa6d67114f564d7L, 0x495df63f414160L, 0xf5bacd776f6de6L,
+          0x3011aff7c2b43dL, 0xbb1e64c3241928L },
+        { 0xf70c5725034073L, 0x891c62a68f1e97L, 0xed8eb2eb22e374L,
+          0xd3a53e97dbcc2fL, 0x1d06281dc8f220L, 0x9eef48face4393L,
+          0x96014f5d2abecdL, 0x1da7e092653cebL }
+    },
+},
+{
+    {
+        { 0x7593318d00bc94L, 0x586f3c6c7262a2L, 0xea68f52958ad31L,
+          0x6707fccd4e8bedL, 0xb7e35d6cb3f9ceL, 0x2cbb6f7f4b1be8L,
+          0xa5352687b41aeeL, 0x1d77845f7b39b8L },
+        { 0xb1f3995eaf9554L, 0x3250f70fe9e7d4L, 0x62e5d1ba00c23cL,
+          0x5e422f5c10e3bfL, 0x7a18039c25cec4L, 0xb4e66a17cc4d5bL,
+          0xad7c5f636d0e0cL, 0x9f40b12a4cf347L }
+    },
+    {
+        { 0x697f88251e3696L, 0xc89bc40ab0a648L, 0x8f261a59785804L,
+          0x4c7f900b51a2bdL, 0xd00e7af8a2dfcfL, 0xf9c534db642aebL,
+          0xea2a79fb63df0eL, 0x392a69af2f64a4L },
+        { 0x0c0f01cc331b6cL, 0x414bf2e6a5edb5L, 0xfe5ed815068391L,
+          0x0a8078d62fbc34L, 0x78a438254bca98L, 0xf7a49ae3d727c7L,
+          0x96c1de1ab4dffeL, 0x45901f73b9440aL }
+    },
+    {
+        { 0x3f1189facfe46eL, 0xdca6f464467443L, 0xac385422eb5bcfL,
+          0xb02dce9906bf72L, 0xdd8cdacfe1d454L, 0xc26f04c65f7218L,
+          0xb4748596ea145dL, 0xc53dc6b5bdb315L },
+        { 0xbe5be749ad7197L, 0x627e91918b5eccL, 0x57c889c9ea405dL,
+          0x2e5650c1a5360bL, 0x42290df1b30b27L, 0x4a071575242687L,
+          0x553ed1fd379133L, 0xb9d7a0701db019L }
+    },
+    {
+        { 0xcfe551c56597dcL, 0x81af92a925ebd6L, 0x83efe16f4e8d57L,
+          0x61bb4311f640d3L, 0xf80440f78b414aL, 0x72f3c636c9e3b4L,
+          0xb55f43a6a03c66L, 0x47a9dede417037L },
+        { 0x1a7e287dbb612bL, 0x895c3c7dbb9220L, 0xd50c86e6c04764L,
+          0xed5269853cf7caL, 0xc78d799f74af55L, 0xb2ba0f2b969ff2L,
+          0x06d48151c6530bL, 0x764a1fe165a575L }
+    },
+    {
+        { 0x4383a3bc1b5eceL, 0x0563c8854ff148L, 0x9a452795af796eL,
+          0xffba7c088e9953L, 0xfe9fb5eb6a3001L, 0x795098825b6b19L,
+          0x67c899ad81be5eL, 0xc89ac8d2f9d29bL },
+        { 0x7c76ba329ab8f7L, 0xb2a18c96e40f74L, 0x1b5056e3864d9bL,
+          0xdfa503d9b582b8L, 0xfb035197c9c68eL, 0xdc501316b3c22bL,
+          0x38ab231a6c96ffL, 0x4ea527c8cb1c10L }
+    },
+    {
+        { 0xd632f20c05b4edL, 0xe0199fab2a032dL, 0x373295626812d7L,
+          0x2aed855013df13L, 0x92ca24b39f96acL, 0x620273dbb9751aL,
+          0x5d0d21ef7437a1L, 0x9de2a43077de56L },
+        { 0x0569b1211a4674L, 0xfc3923e89c3989L, 0x3d127042c5c770L,
+          0x0072b9084e8c37L, 0x7178d4dac39f9aL, 0x5f8292f778d345L,
+          0x9e5bf0f77c7307L, 0x7691610c3a20f5L }
+    },
+    {
+        { 0x7c4ead5705fe96L, 0x377ec35c8e464cL, 0x3e5b9907689954L,
+          0xc0f6949a2d31eaL, 0x839d395c580671L, 0x2f347a6b215b09L,
+          0xfdcfa33683df83L, 0x6e12cc26af39a8L },
+        { 0xae46ec813a3bd2L, 0x03a7d3b59366f8L, 0xe2029d5b87aed4L,
+          0xbdc4e43fe1b83dL, 0x768437cdb8a1a8L, 0xe47acc3ea0dd7fL,
+          0x550e0cc62a0af4L, 0xcaf2cbc1a20962L }
+    },
+    {
+        { 0x5a784f7f28a78fL, 0x952a9b507e9724L, 0x8ac5e411bab7a3L,
+          0x1251e3fb7bc1e1L, 0xe360f82dc15e22L, 0x3ac72da95213f5L,
+          0x65ee9ba4dcd47bL, 0xdfeab7b3af5952L },
+        { 0x34c5c8026fd3c6L, 0xd977b08f3ac7eeL, 0x003bd017dba2f6L,
+          0xcfc5cf8ac98c8dL, 0x05eb6040e46922L, 0xc248b17faa9352L,
+          0xfa41c0f395c7a7L, 0x29931d4b71ee44L }
+    },
+},
+{
+    {
+        { 0xac087bb07861c5L, 0x3bd37db5ae8240L, 0x94c68ecf94518fL,
+          0xd32a378ff88a5bL, 0x42c8aaf9b441d1L, 0x089db70fc07f12L,
+          0x211c386d3d4455L, 0x1db9af7546b158L },
+        { 0xdfd1b6551bc927L, 0x69c04930733df4L, 0xdc72cd42aeb586L,
+          0xeebdace823aa13L, 0x51b3b3c56ad643L, 0xb983a99d4e0426L,
+          0xa1e5b6c69c4eccL, 0x37cd38245e6668L }
+    },
+    {
+        { 0x158ce6d9f73aeaL, 0x36a774914ff475L, 0x0d4e424dc0b018L,
+          0xc2c44483946f09L, 0x7a7de3ffacda62L, 0x49a19e6b486709L,
+          0x65094d8db61da7L, 0x09edfd98f5ee87L },
+        { 0xe460fcfb37226dL, 0x3b9d03969bf470L, 0x3d4d511247ca22L,
+          0xc7248d6c782cb1L, 0x91189a000ad293L, 0x1244942e8abe75L,
+          0x9f88d12bf52cdbL, 0x368463ebbbcadfL }
+    },
+    {
+        { 0x419e4b38074f45L, 0xd3f8e2e0771c83L, 0xd2743b42e68d34L,
+          0xc68b7dbb116a00L, 0xfad2cf7d84cc37L, 0xcfd27c0b7a0f4dL,
+          0x3b9e23f190e587L, 0x7bab499751ca9eL },
+        { 0x3270861a8f12eeL, 0xee1f38d31b36d5L, 0x748bb31e4c0eedL,
+          0x9be5c9b110ebadL, 0x728660bc8b6cb6L, 0x7bc9df793d914aL,
+          0x73a4f2cc88c859L, 0xbe4a2fdb4e7f0eL }
+    },
+    {
+        { 0xe566ff8a450e77L, 0xb0b40066a13abaL, 0x483a510cd7dc90L,
+          0xb1a20135fa9cccL, 0xeb0b631a80e67cL, 0x7c34e1f020801aL,
+          0x0257dc8f4e447cL, 0x7abe7d174c6f0fL },
+        { 0xf115a3ab19a576L, 0x8f0474a064ca0eL, 0x999bb6b351f99bL,
+          0x855254b773edc3L, 0x49f6c2f427d717L, 0x9f682532e0cef2L,
+          0x1fe126c2ee34f5L, 0x1ec2cae80150f7L }
+    },
+    {
+        { 0x862c5afc005b7aL, 0x61adea7ec4ef17L, 0xf885fd3007b446L,
+          0x25c129d9b0e30eL, 0xbc10f25feec7e0L, 0x3901ac4df79ee1L,
+          0xad49db7fe9e19fL, 0xc8624d9360d050L },
+        { 0xc74a576bf3260bL, 0xbde80248c010c2L, 0xf15532909b6977L,
+          0x6a5a82ed52dcf8L, 0x4fbf59d29b9dfcL, 0x337d049c7b730cL,
+          0xb3deac63a89cd4L, 0x1e07595ad2f2ebL }
+    },
+    {
+        { 0xa0b0a4d3b7c84eL, 0xf132c378cf2b00L, 0x192814beaaa8ecL,
+          0xe7929f97b4b5dfL, 0xf08a68e42d0ab7L, 0x814afb17b60cddL,
+          0x78c348c7d9c160L, 0xf8a948844db217L },
+        { 0xcdefd88eaa2578L, 0xf717f56bd0e260L, 0x7754e131694d02L,
+          0x1254c14181dbd8L, 0x0dacdd26e5f312L, 0xb8abdfbcef87bfL,
+          0xb985972e74e2eaL, 0x1717621002b424L }
+    },
+    {
+        { 0x92cc75e162df70L, 0x1e20c0618ee849L, 0xc036b4626aa590L,
+          0x31be67e4da5155L, 0x04911b5f7213b0L, 0x39261d7bb2e72eL,
+          0x9e844665c015a3L, 0x2f59fc0298ae67L },
+        { 0xa3ea7ba1701fccL, 0x87a5fa90ebd651L, 0xa607ed4301d7b1L,
+          0xbd4ec5f3b2e271L, 0x732a1a2dc4180fL, 0xbe15d82feaa8c1L,
+          0x103670266f2f3fL, 0xccfd3979e79ce8L }
+    },
+    {
+        { 0x82ab83570a54adL, 0x5c1dee8e3bec75L, 0xf583ff454b556bL,
+          0x9220199f461e60L, 0xdf61ca887fc4e7L, 0x6641fd20776dadL,
+          0x00c6edd8edd061L, 0xaf9b14255f7e87L },
+        { 0x73f15e49bbe3ecL, 0xdd3b788f8bc1faL, 0xb24cc071b8ff86L,
+          0x6c260d241be58bL, 0xec1c4e36b10adaL, 0xf6b42097fdb985L,
+          0x0d0ac85d47c212L, 0x967191c07d78d1L }
+    },
+},
+{
+    {
+        { 0x3b11638843d0f3L, 0x4b89297f27f10eL, 0x477236e863ba2aL,
+          0x1949622add280cL, 0x7cd523504da757L, 0xe0e99d279e4ff7L,
+          0xb4ef894537da41L, 0xc55dde45a24ff1L },
+        { 0x18d8e21b587521L, 0x8010b5d3777833L, 0x4af522dd3a54c8L,
+          0x7cd476b4c0ac13L, 0x4587e614099f67L, 0x494d0ed605ee64L,
+          0x3218ba2cc80903L, 0x5ff56aa0b2e169L }
+    },
+    {
+        { 0x51ec94e3a06c69L, 0xa26d7be5e65c52L, 0x156f113d44ee96L,
+          0x70f0968bf5b9b4L, 0x9b7e4695f5332dL, 0x36c295f6703829L,
+          0x1522690d04f492L, 0xcf35ca4728043bL },
+        { 0xf9ca3e1190a7c3L, 0x53d2413f971b07L, 0xae596529c48b49L,
+          0x74672b8fefff5cL, 0x0a3018ba7643b0L, 0x51919e83e9b0a8L,
+          0x89ad33dc932fb5L, 0x52a4419643e687L }
+    },
+    {
+        { 0x7778990d2d0acdL, 0x3bdbcce487fdf1L, 0xdc413ca2b03dd2L,
+          0x278755b9a2b7d0L, 0x4ebb8b535ddd7fL, 0x0465152bcbdb92L,
+          0x34f22d6671d051L, 0x1ba04c787192b9L },
+        { 0xb1693f483560c1L, 0xe08a5937d174e9L, 0x47ffdc464dc9afL,
+          0x1123596ce8126cL, 0x632d95f1124628L, 0x66287abfee7c76L,
+          0xb40fe60c552332L, 0x3f11729e304e1eL }
+    },
+    {
+        { 0x97a6ea05030a8cL, 0x692419809c27b2L, 0x3308501ac9dd5dL,
+          0x9fed7fabe73fdcL, 0xea555440535286L, 0xc7c07ab6c9b832L,
+          0x178c882c51b967L, 0x6fa0c6986ee075L },
+        { 0xbaa4a15b8b5c4aL, 0xf83c0ea3130c0aL, 0xcf8624b2800331L,
+          0xade85cd7ccbcb8L, 0x971d7f6f08445dL, 0xfd480b76a546dcL,
+          0xdc15a38c93761cL, 0xc4c495c9d04631L }
+    },
+    {
+        { 0x5f4cee89470efeL, 0x9fe896188d93adL, 0x24783b3f4e49ceL,
+          0x1bc7ed752ffb3eL, 0xa3abe6a6d81e17L, 0xd6bb8b47a333c3L,
+          0x3485c0b10a3527L, 0x7cddc9c31a9d10L },
+        { 0x0c78112c38ca37L, 0x10e249ddd2f8d8L, 0x72c88ccc511911L,
+          0x4d75b5a29a6c84L, 0xc74b267a227b1eL, 0x698390cf8e35adL,
+          0x8f27edfe98d230L, 0xec922f26bdc7f4L }
+    },
+    {
+        { 0xac34023fc32e11L, 0xe0ae2f547200d1L, 0xa7c7492bd98c82L,
+          0x3910b687b02154L, 0x6fdd06ce28ab6dL, 0xd3a7e49d98b012L,
+          0x4c1c82b9f54207L, 0xef5bbe645c176fL },
+        { 0x3d17960d3e71ebL, 0x90d7e84080e70cL, 0x83e6438bff5d9eL,
+          0x1877e1f535d85cL, 0x931ed6efbb69ccL, 0xcf962651247848L,
+          0x76d618b750da4eL, 0xc076708717fbf6L }
+    },
+    {
+        { 0x80a5ac5eec5126L, 0x6d05dd13379c80L, 0x514b0892336d32L,
+          0x586c0066725137L, 0xab2365a574f954L, 0x3c89ea0ac7d356L,
+          0xf1f2edd27460baL, 0xf200ddbab9870fL },
+        { 0xc8f1b2ca35e885L, 0x5d22f86e6e7550L, 0x24b9a409554615L,
+          0xcb41107616314fL, 0xca752f0c976a11L, 0x3e2f839a08291aL,
+          0x0cff22ff2c420eL, 0xafd603e82b9747L }
+    },
+    {
+        { 0xaddeddc810a3daL, 0x78b6c2dd3a87bfL, 0xbc7020bde3a04cL,
+          0x47ab9739b6d045L, 0x3b046d60959358L, 0x0f953e7509ee3eL,
+          0x803dc8669fc61bL, 0xcceaec0893c8d4L },
+        { 0x21f8c40b048a45L, 0xb535073fcaea8aL, 0xe712c3590e360bL,
+          0x5d0f3f48403338L, 0xe0ea26c7207f2dL, 0x20f6b57ffd9e05L,
+          0xb97d68e4788b00L, 0xb1215541889cceL }
+    },
+},
+{
+    {
+        { 0x0079817464238eL, 0x21103020d381caL, 0x1cc4c6ed9f01b5L,
+          0x5e35dc55a131b1L, 0xb61848d06944ebL, 0x83792a029631a3L,
+          0xbe1017fafca0ddL, 0x70aaa01782fcbbL },
+        { 0xc63b7a099945e7L, 0xe9164ecc4486c1L, 0xb133e35885f2c1L,
+          0x186f0d3c99ae02L, 0x2fca4922bf53e6L, 0xf922aa248a02bcL,
+          0x4fe64900dd3dcaL, 0xe8c313ff6a8207L }
+    },
+    {
+        { 0xc5b358397caf1eL, 0xa001922922a4b6L, 0x67e36bedf07c95L,
+          0xabaa0aeb2f4f34L, 0x66dc926dedc333L, 0x82021c438ec5b3L,
+          0x82b4f2600ab176L, 0x1b7c22e69c45afL },
+        { 0x07b0dbe0924ad9L, 0xe030936a407ddeL, 0x66e1ce926ccd06L,
+          0xb50c108e3505a9L, 0x8b921e1da98f51L, 0x449ca1a20cf7c7L,
+          0xadb80c7e67d079L, 0x205aa54834372dL }
+    },
+    {
+        { 0x1482b4819bf847L, 0xd6c16ab5906f0fL, 0x323fb1723ad060L,
+          0x0346389c832be7L, 0xe71b2d82ee45bfL, 0x761c37dfb22276L,
+          0xa9b33345d70be2L, 0x81a06565a0627aL },
+        { 0x337750399a6282L, 0xafc8d2ed0436f0L, 0x22f71d3c53342fL,
+          0x66ca56d8939ad3L, 0x15a919230e09baL, 0x261091ea6de890L,
+          0x609d700e78f2d5L, 0x8aa52ee8eaaf78L }
+    },
+    {
+        { 0xa398788ce76258L, 0x3031d07494b975L, 0x4a6d652043dfe2L,
+          0xdb1a849b4401ecL, 0xf81ebbbce8bbccL, 0x937dd4716efe9eL,
+          0x9c19350ef85eccL, 0x260d932214273bL },
+        { 0x1d7e21e77bf1a3L, 0x199d689a544eb7L, 0x9da594194ced50L,
+          0x71a60be8a0aeaaL, 0x183a0ae26d3b51L, 0x49f176a8df9728L,
+          0x744376e3230674L, 0xb2cb21ae25541cL }
+    },
+    {
+        { 0x7a721589a0071fL, 0xe19dd29e7d2a6bL, 0x3deb34e55113f0L,
+          0xef1f8ebede573bL, 0xa8f7ff95665e37L, 0xa2c21eaf2d7777L,
+          0x1387afa91e2e39L, 0x04057b97db68f6L },
+        { 0x8b9d5ae1c241f7L, 0x689588a8e75993L, 0x79585b45c0e2d4L,
+          0xba1ef167b64974L, 0x72685bc1c08a75L, 0xf0a5814d572eddL,
+          0x71464a35ab0e70L, 0xc93c92b339aea7L }
+    },
+    {
+        { 0x1917e2a5b8a87dL, 0xea5db763a82756L, 0x5bba2fb6420e2bL,
+          0x5cc0501019372aL, 0xb1ef8beccc5efdL, 0xaf06393f49c57dL,
+          0x3ab1adf87a0bc4L, 0x2ee4cca34fe6b6L },
+        { 0xd1606686b8ba9bL, 0xef137d97efec13L, 0x7b6046550abb76L,
+          0xb40ec2bf753a00L, 0x696ed22eaf8f1dL, 0x398c91fd8ba3d8L,
+          0x11f203437db313L, 0xe1ec33bfe5079eL }
+    },
+    {
+        { 0x8a10c00bdc81f0L, 0x5f392566fe8e05L, 0xa595dab14a368eL,
+          0x32b318138cec6bL, 0xd77afde1b00d00L, 0x3c979284d9923dL,
+          0x78f0e7a76e13ddL, 0x5ee8e59bf75675L },
+        { 0x49ec89391b130cL, 0x9416182a47a441L, 0x54555b576e2ce8L,
+          0xcbdd2fd349c40bL, 0x10ae7379392bbeL, 0x270b1112e2dab0L,
+          0x5cb7712af293f4L, 0xfc22a33d6095c6L }
+    },
+    {
+        { 0xdcb5bbd0f15878L, 0xbcf27adb6bba48L, 0x979913e7b70ebaL,
+          0x4c0f34b158578aL, 0x53f59a76ed6088L, 0x19b3b2c75b0fc2L,
+          0xad628dc0153f3cL, 0x5195a2bcec1607L },
+        { 0x95f8b84dfe0f7aL, 0x935c6b0152920bL, 0x25f9e314da1056L,
+          0x4910a94b28c229L, 0x54b03b48ee4d6eL, 0xc991fc3694e3edL,
+          0x68c4c26dbe5709L, 0xc9cfce463d7657L }
+    },
+},
+{
+    {
+        { 0x21c9227f52a44eL, 0x7f105a2e85bfbdL, 0x887781f6268fc2L,
+          0x56ee808a2d7e35L, 0x14f9de52d3930fL, 0x4a4e356dcb561aL,
+          0x87362267f95598L, 0x211c3425f34151L },
+        { 0x8fcb75b0eaf9cbL, 0xcc9edf93d60ce2L, 0x54412c9a5fe627L,
+          0x6036a72842dd09L, 0x71ce668a6c6099L, 0x02b30d75386764L,
+          0xb69bed36f18e23L, 0x124c9b1d1de9f4L }
+    },
+    {
+        { 0xe8f8d95e69b531L, 0xe1e115eaff1049L, 0x9087cd1eddea0cL,
+          0x8ed55a57449916L, 0x8009f547808404L, 0x990f21617fea55L,
+          0x68ba624fe8ecf9L, 0x8ac295056d1f47L },
+        { 0x3257887529dfb0L, 0xc4a613f244c080L, 0xabb1ac028672faL,
+          0xb2915c531eb291L, 0x6e368ca8fababaL, 0x6b8c2591fde498L,
+          0x67724a1f2a548cL, 0x6b3b7e8f90409bL }
+    },
+    {
+        { 0x5415003fae20aaL, 0x95858a985df5ceL, 0x42bc9870ac6beeL,
+          0x8d843c539ea1a9L, 0x5de200cb571043L, 0x084fcd51741a33L,
+          0xe1ca20c0009d1cL, 0x0271d28e957e6dL },
+        { 0x84cbf809e3be55L, 0xc804dda1c578c6L, 0xea85489409a93aL,
+          0x64a450a972021dL, 0xc6a2161e681312L, 0x280bff965bc111L,
+          0xd358a4b0f8526fL, 0xd967be8953a3abL }
+    },
+    {
+        { 0x4c5e6157dd066cL, 0x37afd33634c8d4L, 0xa3ac88a42d8b87L,
+          0x9681e9b938b607L, 0x7a286ab37fe4c8L, 0xdeee5742494245L,
+          0x184b9d36af75a8L, 0x20f696a3670c04L },
+        { 0x1340adfa39e8b9L, 0x03c19290850b2eL, 0x435ebd42c0e1efL,
+          0x49de18b142ee9bL, 0xb440b273f116f2L, 0xd94e9fa2214463L,
+          0x1b0ddd36311543L, 0x1ae042a991ba3cL }
+    },
+    {
+        { 0xbc322f85bb47aaL, 0x9e2562554a5845L, 0x96b65ae21115f3L,
+          0x46fbed4bb5757bL, 0x18aec4f4c42dceL, 0xc59caf68d801f0L,
+          0x91894631205521L, 0x66bd8e089feb7aL },
+        { 0x39ebe95c529ee7L, 0x28d89928eadb99L, 0x6058c786927544L,
+          0x877e7a5d3808ecL, 0x8f651111c52eafL, 0xfb59812ae221cdL,
+          0x22289c6f890391L, 0xa97695b4966e92L }
+    },
+    {
+        { 0xf0a91226ff10f0L, 0x49a931ba2a65c8L, 0x3fcebbcb1d3cb0L,
+          0x70eb79bca9685fL, 0x82520b5ab38cb6L, 0xccf991b76304c3L,
+          0x575aab1af8b07cL, 0xec8166a5ed5efbL },
+        { 0xddc5698c8689b1L, 0x227c949b2e78d7L, 0x61323218e07d91L,
+          0x658a11d22cfd62L, 0x908fb44004dd5fL, 0xe3d14f090d21b1L,
+          0x6f3db9da6a1639L, 0x09d86c0333a525L }
+    },
+    {
+        { 0xd83eaf06f043f7L, 0x88ab648b52d5f6L, 0x67c664d57144d7L,
+          0x55d7644eafc8b5L, 0x1c89f20cceb291L, 0x51aec7b831ac47L,
+          0x51172fa6148854L, 0x8fabf7ef6d7bfeL },
+        { 0x5910316477ee27L, 0x5f299dd20fe61eL, 0x48079a842826abL,
+          0xf4a83ba22591faL, 0x8fac66055482ecL, 0x48fd5f16b65b3bL,
+          0x4288a7c9fd9e19L, 0x27db8199377894L }
+    },
+    {
+        { 0x2936ee47fd9dd6L, 0xcce5f0e9ec87c6L, 0x15a50e3db6e3b4L,
+          0x61df105ad701c8L, 0x3601add1dff1f7L, 0xb761e06e8a16e1L,
+          0x4341e021af3f91L, 0x9156a4a933fa3fL },
+        { 0x9dc46ae54bc01dL, 0x605577a64eb910L, 0x22b99f85a59a99L,
+          0xab2dbaf0a229d8L, 0xa8bfb656599364L, 0x39ed4a5e94ebf0L,
+          0x7b46a1e0dbb23eL, 0x117b1958751422L }
+    },
+},
+{
+    {
+        { 0xd19e8fd423bddfL, 0x9d77042387ef59L, 0x315cbdd849590aL,
+          0xfdc637c7866c1eL, 0x72be83d03515a6L, 0xd44a4a00376780L,
+          0x3b9613119e0c2bL, 0x023aca37b1a689L },
+        { 0xf5f368782282eaL, 0x44710898a8b5c7L, 0xcd2f00a17a3066L,
+          0x754e11281ed681L, 0x9c6c70c0bfcefdL, 0xd6aced03b6f29bL,
+          0xe443d562817a2aL, 0xe590ef4e7c0012L }
+    },
+    {
+        { 0xc2f96763e62e2aL, 0x661816eb2daa26L, 0x3515fd2dd5f512L,
+          0xdc36e2756b6e75L, 0x0bdde4674cc658L, 0x102908600e7644L,
+          0xfdf00451694a09L, 0x454bcb6ceac169L },
+        { 0xf4c92ab6481eb6L, 0x8b77afa09750e7L, 0xe6f42316362d6dL,
+          0x0d45deef53a3aeL, 0xdac7aacd7dcf98L, 0x628cb7f125ec4aL,
+          0x41e8a20aec0320L, 0x7418c7eea2e35bL }
+    },
+    {
+        { 0x4d649abdf40519L, 0x8cb22d43525833L, 0x15f6d137a5333fL,
+          0x8c3991b72c23eeL, 0x248b9a50cd44a3L, 0x6b4c4e0ccc1a75L,
+          0x3221efb15c99a9L, 0x236d5040a9c504L },
+        { 0x401c7fbd559100L, 0xcf0e07507c524dL, 0x39647c034a9275L,
+          0x2355422f7e8683L, 0x3e0a16eb3ae670L, 0x1c83bcbad61b7fL,
+          0x491bcb19ca6cbeL, 0xe668dc45e29458L }
+    },
+    {
+        { 0xe44c65b219379eL, 0x211381bbb607eeL, 0xd4c7428b7bc6dbL,
+          0xba62a03b76a2e8L, 0xe1729c98bb0b31L, 0x3caeb50c6bbc10L,
+          0x6c66727b0187aaL, 0xbf9d2f0fb90dcfL },
+        { 0xec693501184dc6L, 0xd58d2a32698eb5L, 0xb366d8da316b07L,
+          0xe1e39bb251c017L, 0xbe44ba9adb157fL, 0xbaa9a9a8a8b06cL,
+          0xd0f46356e473e1L, 0xd25a8f61d681c6L }
+    },
+    {
+        { 0xba39d5fcb102c7L, 0x66eba21d8aa1ebL, 0xcc2591a697fbf4L,
+          0x5adb5792317f54L, 0xa01ae71f76c6f9L, 0x2c525de5042705L,
+          0xc8f42724f4479fL, 0x26ab54ae6d7a5bL },
+        { 0xda217b5dc28106L, 0xc7cadeaeb2ae6aL, 0x0b1609453ea3b2L,
+          0xcddcc1ccc6111bL, 0x5c47affa7a7bebL, 0xf9931bd0e52dabL,
+          0x5231835c6dcf96L, 0x7095bdef27ea4eL }
+    },
+    {
+        { 0xee8adaec33b4e2L, 0x300665163ceb44L, 0xf1476fb880b086L,
+          0x07033289569ce8L, 0x2cabf9a238b595L, 0x85017bc26c8158L,
+          0x420b5b568d5144L, 0xa9f5f1ef9c696fL },
+        { 0x1409c3ac8fec5aL, 0x541516f28e9579L, 0x06573f70e1f446L,
+          0x3e3c7062311b96L, 0x0033f1a3c2ffd8L, 0x8e808fcca6711cL,
+          0x716752d07aef98L, 0x5e53e9a92525b3L }
+    },
+    {
+        { 0xce98a425a1c29fL, 0xaa703483ca6dc9L, 0xe77d822edfa48bL,
+          0xd2e3455068abcaL, 0xb456e81482cfcaL, 0xc5aa9817fbfb08L,
+          0x8979f258243194L, 0x727f2172cd043dL },
+        { 0x7cca616aa53923L, 0x387c5aee9bcb72L, 0x0173fd437580bbL,
+          0xdd7795b75fc0d9L, 0x47d1c37345deaeL, 0x2eb5d7fb0d1c03L,
+          0xf7a1b92958f002L, 0x7365cf48f61b67L }
+    },
+    {
+        { 0x4b22c3b562a5edL, 0x711216f5c7cd07L, 0x51f72c49ba0648L,
+          0xc10d0930de9e6fL, 0xaca479bfda63baL, 0x4722a55af532b0L,
+          0x8d59eb77236f39L, 0x5cad8744465c34L },
+        { 0xa2119e5722b0c1L, 0xb670264f343ea4L, 0x6910f02c19f387L,
+          0xcfec5bc0381fbaL, 0x5f5de0d52c0a1dL, 0x4e474d56378cb6L,
+          0x2fc802727e2ba3L, 0xa215da3159b541L }
+    },
+},
+{
+    {
+        { 0xed535858499895L, 0xa0aefd565c998dL, 0x210d8502d5a561L,
+          0xc2cc23ca2cd9d6L, 0x2371d46c4d297eL, 0x88b2143d18d441L,
+          0xbebdad9043993dL, 0x6ba91e7ad5f28dL },
+        { 0xc2bb3f13a731f4L, 0xd35cfac5d0d5c3L, 0x995099835ac427L,
+          0x8938bb55458adbL, 0x0bd738cab26f3bL, 0x56db3d5a28cd8dL,
+          0x87eb95fa1d8b4bL, 0xd6700efe7f3b4bL }
+    },
+    {
+        { 0x962c920ea1e57bL, 0xd3be37e6dded6dL, 0xf499b622c96a73L,
+          0x3eaf7b46c99752L, 0xa310c89025590bL, 0x535aa4a721db23L,
+          0x56ab57819714a0L, 0xeecb4fad4048c1L },
+        { 0x7b79ec4470c466L, 0xc4e8f2e1383ceeL, 0x0f5d7765750c45L,
+          0xa3b3bc3725527dL, 0x2f5deb66d00cceL, 0x5d5a0f495a8d81L,
+          0x50a442ee02b824L, 0xafb04462a11628L }
+    },
+    {
+        { 0x72b67bc0c613deL, 0x0150d4be6f0b24L, 0x847854e8ed289dL,
+          0xe08292fa320f88L, 0xd5b6da329c6160L, 0x2a48e2d4fb9d06L,
+          0x55d9e412de087cL, 0x65683b54f02100L },
+        { 0x4dc8c2ea8886c6L, 0xe966dd220d6114L, 0x99745eba57af97L,
+          0x23a9a71b854725L, 0x8effe05621a047L, 0xf16d284049a4beL,
+          0x95828c25b0660fL, 0xd5b69ba56e96b0L }
+    },
+    {
+        { 0x0b5b4244ffa0b8L, 0x0585b45096cc5eL, 0x413e1aef505d37L,
+          0xe5652a30c7ab8dL, 0xab32fb72990120L, 0x6b8b16e3f09368L,
+          0xbf9fadbefe128eL, 0x85f366b14b7671L },
+        { 0xcb2f294090608dL, 0x25e2769ac3045fL, 0x069c4f06131904L,
+          0x1c57cf1329a779L, 0x72fe0d5b7cace7L, 0x04d9f430897a45L,
+          0xbaf32f6359a645L, 0x0fa854ffa7485aL }
+    },
+    {
+        { 0xae3533c5f56f60L, 0x9773bbb0ad9360L, 0x769b34a38fbe6bL,
+          0xb5ba8e9ffb0c00L, 0xa93931875472e4L, 0x12cac92ce5f30fL,
+          0x514fc06a9e7dbcL, 0xd7ca86558b4734L },
+        { 0xd101ff365a730bL, 0x92da451abe70e9L, 0xfb5f94aef7bf4bL,
+          0x8c3ef4c1d56c7bL, 0xb0857668435c10L, 0x7fbbbdae7ed4ccL,
+          0x1da6eaf24f372fL, 0x0ab2c1f59b8ae3L }
+    },
+    {
+        { 0x63a1a78f10a4b9L, 0xbb5278d0c7e510L, 0x97b224ef874142L,
+          0x0a9ff52b2517b1L, 0x1b5a485c5cd920L, 0x1a8e2eba1823b9L,
+          0x2b088c00e914a8L, 0xe5ec3adcf13432L },
+        { 0x0d6ab3e6e7e253L, 0x9f0f5cd6f18458L, 0x839a744f459a6dL,
+          0xb4b4f941eb15f7L, 0xe0313acc72cb14L, 0x58ee933b20472dL,
+          0x5f73d7a872543eL, 0xb1700c5501f067L }
+    },
+    {
+        { 0xb70428e085f67fL, 0x5441d5143cabe5L, 0x4d0e8c2e0a6055L,
+          0x8d39a080882e4fL, 0x615bb32c1cb39dL, 0x113f18df7a1642L,
+          0xbab8cf5250681fL, 0x3017ba2677b72aL },
+        { 0xcd2b6e95a3a876L, 0x04765012035a69L, 0x31d6440efa2ea0L,
+          0xde8f8d156874d5L, 0xcbc71cd0199d4aL, 0xc546b61e7f2170L,
+          0x4e57e4e112c4c3L, 0x58955a8d1622baL }
+    },
+    {
+        { 0x0064cd704e2f6fL, 0xe9d458de0edd38L, 0xeb1a5977e0a5c8L,
+          0xe322ece01fc0a8L, 0x8b9d1661032a19L, 0x3e7b539a89de94L,
+          0xfa30262001c754L, 0xe33de4ddb588f6L },
+        { 0x4dafbdb954eb94L, 0xbb436480584c1bL, 0x622c93e5dbe29bL,
+          0x968f9e3f57b931L, 0x98f03be0f6453bL, 0xb0ecc7f08f696cL,
+          0x5af55f4a505335L, 0x028533efb3fa9bL }
+    },
+},
+{
+    {
+        { 0x3bc8e6827e8d86L, 0x4e43b3063f105aL, 0x5301b7d4981250L,
+          0x8b0a75e9f72fa8L, 0x88f59db357348cL, 0x5f0ebb1ec4208eL,
+          0x4712561c043d3bL, 0x9e5ded0c806b97L },
+        { 0xf9bd0a62121d09L, 0x1759ecbe337cd1L, 0xd1acc0ee945542L,
+          0x3683febbd2f63aL, 0x44f1bccda5dfe9L, 0xa3606c9707f22fL,
+          0x45ef0642d96ca5L, 0xfc3107d9022df9L }
+    },
+    {
+        { 0xe81320b44be755L, 0xdf213d55c7c761L, 0xf43d2d5b4e5db9L,
+          0x3bcfd828dedcd2L, 0xdf368a6d37a9ecL, 0xfef20aef475a77L,
+          0x22f5894162c064L, 0x956bc660142a7dL },
+        { 0xaaa10e27daec78L, 0x3cb9b72b6e9a78L, 0xa740bade383f72L,
+          0xc31b4017759007L, 0xdada964a7afc50L, 0x6bf062cfd3d11fL,
+          0x9470d535db3679L, 0x339447303abf13L }
+    },
+    {
+        { 0x533f44046e5d7fL, 0xd1793e349048c8L, 0x59e11501929b94L,
+          0xcddbbcb8364134L, 0x795c794582774fL, 0x114dfc4e03081aL,
+          0x541ef68ef54042L, 0x159295b23f18cdL },
+        { 0xfb7e2ba48a2c8cL, 0xe2d4572bb6d116L, 0x7bb0b22d750b53L,
+          0xc58888cd142ee8L, 0xd11537a90c9e2dL, 0x77d5858d02eb9eL,
+          0x1fa4c75d444a79L, 0xf19b2d3d58a68dL }
+    },
+    {
+        { 0x37e5b73eb8b90fL, 0x3737f7a3f2a963L, 0x87913fa9de35e0L,
+          0xec7f9928731eddL, 0x6e6259e219491eL, 0xb2148a04de236cL,
+          0x89700e8fdd309bL, 0x9ce51e49f0bf80L },
+        { 0xe7ec421301f17bL, 0xa4b570a3bc5f4fL, 0xc2b1b2a1285ee2L,
+          0x5e86bc8c53db73L, 0xb65fceaf24fa90L, 0x9e74c5608ab024L,
+          0x5c8003df9ed877L, 0xa632e9e4a2cbbcL }
+    },
+    {
+        { 0x32a4546c91c8b5L, 0xc122b5ac969363L, 0xbbbec5e3648b3aL,
+          0xd5a365e25143b0L, 0xcf3e46454157ceL, 0x9712f04f9bab64L,
+          0xc12d43a04b4008L, 0x51932d72edf1c7L },
+        { 0xaef1655b2f8470L, 0xaa8e3f36c24aceL, 0x7da75da6b4e761L,
+          0xd371827b90bca2L, 0x84db4500afb45cL, 0xae12045ef46b5dL,
+          0x91639a5d962f98L, 0x669cbe672f2ac0L }
+    },
+    {
+        { 0x851bb3183a4356L, 0x7d436bf9a1bf15L, 0x46a3f0e120b378L,
+          0x9302abc3f5b357L, 0x1e0672693fef53L, 0xb12f4a95fd2ee9L,
+          0x94a884c7de9433L, 0x2645234a6f2874L },
+        { 0x6fb56f5cdb8dfaL, 0x4a17dfc9e0ee4eL, 0xe269d8383ab01eL,
+          0xda932dab77c10fL, 0x463af0c0321243L, 0xbe1d68216fc8a3L,
+          0x2eae3ea48b39e3L, 0x94230213b03e7bL }
+    },
+    {
+        { 0xaeb507cb22f28aL, 0xa77458b49a6b44L, 0x232ed5ac03dc17L,
+          0x79dfc169c61ac6L, 0x7c48be9cd71b93L, 0x983d68ac429cd9L,
+          0x7709c4798ae2c8L, 0xe4765c0a5df075L },
+        { 0x23c4deb3367f33L, 0xbdf2b7e37d72a7L, 0xbaab5c70af2d26L,
+          0xd609f7ffd026abL, 0x23b72b2541b039L, 0x8d06bac83be852L,
+          0x911d4a9cb23d1cL, 0xeae815cfb0dbd7L }
+    },
+    {
+        { 0x487c35c2c33481L, 0xffab636b6136dbL, 0xccd4daea3d3aa4L,
+          0x87149bbc3704e0L, 0x9de8119c0e8396L, 0xd49357a58e7ca6L,
+          0x68789181562d75L, 0xc7453815ab1fadL },
+        { 0x0f1579802c9b91L, 0x7ffc3f0b1ddde5L, 0xa01d5e06aae50dL,
+          0x6a97e65e279873L, 0x4bcf42fb5b1b41L, 0x1c6410f32f5982L,
+          0xd4f760050701c8L, 0xff02663873b90dL }
+    },
+},
+{
+    {
+        { 0xdc53ea2e5b2de2L, 0x94b352d38acecbL, 0x37d960b0d9d5e5L,
+          0xabd868f90bd997L, 0x781668f35a7376L, 0x043d59710118bfL,
+          0xd4da719f57928aL, 0x01942f6983e46cL },
+        { 0xab97fc8728bd76L, 0x825956b4b5c1c5L, 0x202809fc82a104L,
+          0xdb63e9cc8e3132L, 0xa41c701c2181afL, 0xd28018043e066aL,
+          0xc734e4124044ceL, 0x4d9ab23505193cL }
+    },
+    {
+        { 0x0bcd42af9f0c3fL, 0xda21a46b94a218L, 0xe55243c0ffc788L,
+          0x318aae647a5551L, 0x8c2938b79af9cbL, 0x5d15232ec1dce5L,
+          0x3d310ba8ad2e5cL, 0xd3d972494f792aL },
+        { 0xdeb4ca112a9553L, 0x2f1ed04eb54d9dL, 0xaa9c9cf69fb7a1L,
+          0xeb73c3a54dcd3aL, 0xee3eddcf5f201fL, 0x35f9e1cba7d234L,
+          0x1d1d04cd2e242fL, 0x48df9d80df7515L }
+    },
+    {
+        { 0x4ecc77da81dd9aL, 0xa6ac4bb03aa015L, 0x7645842bbc4fedL,
+          0x9ae34cd9d6cf52L, 0xf8ff0335917e0bL, 0x7c9da37c2cc175L,
+          0x1e74dccaaacfbeL, 0xa8f2df07999af8L },
+        { 0xd06c4ea102a466L, 0x2156e87ae190ddL, 0xc95db8aec4a863L,
+          0x49edffd244a6feL, 0x110fae6904f81eL, 0xbaa3e50a1cd104L,
+          0x5bd38a20478b65L, 0x2b57d05daefbccL }
+    },
+    {
+        { 0x1ce92ba86f4534L, 0xb2a8592414f5e3L, 0xdd7a4c69979436L,
+          0x7599aff3f0add7L, 0xe0ce4d3e2d4f64L, 0x74475cc401a29fL,
+          0xaef6541a2377d9L, 0x54048f53f917b6L },
+        { 0x1b86b2205312ecL, 0x779ba2231493cbL, 0xc718369aac9320L,
+          0xeab01a8617fce4L, 0x17b1f10f7187faL, 0xe68eda0a1aca46L,
+          0x61033fe2586342L, 0xfc14e790b6ca43L }
+    },
+    {
+        { 0x9f2231913d2491L, 0x66bdb537997202L, 0x0bafb0c4617f34L,
+          0x5917831f3bb7b3L, 0x6feb2a6b45bddbL, 0x08662b30202c19L,
+          0x0bc2b5705852f6L, 0x2c00fd491818c2L },
+        { 0xca7672cda37dacL, 0xfe4c04c5a30865L, 0x5f1399f322e92aL,
+          0xe7d67ea25b1bebL, 0xe08b014dce7f68L, 0x24df52af2f2b3cL,
+          0x2028b23750ecd1L, 0x9b25d4bc810a45L }
+    },
+    {
+        { 0xa35b7157a9d799L, 0x6da1eb301f9c99L, 0x33ef91ce363ba8L,
+          0x21c0e2ece140daL, 0xb0b11bf158cd84L, 0x6a8744293da438L,
+          0x924f10d3db585bL, 0xf5ddd7310c6159L },
+        { 0xb72dcb86a74c21L, 0x6d14198cc8f79fL, 0x99f4b6c9c5a8d6L,
+          0x063968890e135cL, 0x330edb883f6385L, 0xe1a5a6b9079675L,
+          0x6e37fa8b8f5fe0L, 0x60e2fd961dca1eL }
+    },
+    {
+        { 0xc6cb40366c395eL, 0x03b21a7b51d0f1L, 0xbc478a5e693181L,
+          0x0017c2fc6cff33L, 0x740a5b839d8d1eL, 0x3968d664d9ec6dL,
+          0xfd53738b0ef1b0L, 0x73ca8fd1ed0a04L },
+        { 0x4ace93875ab371L, 0xd602936ddad7e9L, 0x1f5424a750bcc2L,
+          0xfe09b3668c7a17L, 0x165f7de58341ecL, 0x95b825a6ce61e5L,
+          0x9d31e1966c83c4L, 0x65b3e08cc5887bL }
+    },
+    {
+        { 0xd37e93221482d1L, 0x9af659708b6380L, 0x279426a7d61e4bL,
+          0x80dd0ec80997adL, 0x7239b0dd5b76d4L, 0x92e6c73e76c098L,
+          0xeeb2321eab3e1dL, 0xa69c4a7eb1a910L },
+        { 0x46d6aa7833d9aeL, 0x3ee6957572b0feL, 0x44ccbedcdb3d97L,
+          0x342f29dcbea01bL, 0x0d518c58926876L, 0xaaabae75585d2cL,
+          0xc548c77e008f58L, 0x819e2fa21fab2cL }
+    },
+},
+{
+    {
+        { 0x468e149c16e981L, 0x286c7909ddbb7cL, 0x2a92d47db7a38aL,
+          0xde614e68a27cb2L, 0x8dc8822e5b0ab6L, 0x38441aecf48565L,
+          0x11ed5c9089435bL, 0x238928682d0d31L },
+        { 0xc6698d472f2f31L, 0x295242c56d76afL, 0x4099205eba563bL,
+          0xae7de5a3ab7384L, 0xccdf127d0ed86cL, 0xb9b6d5b965c3c3L,
+          0xe351a8f2c31ad7L, 0xa761dd8ac12f13L }
+    },
+    {
+        { 0xda115ddf171ab7L, 0x2de17b1401f93dL, 0x95019ca40964b4L,
+          0x169d1f465ba3c3L, 0x534a0070090d08L, 0x805c5e282bf410L,
+          0x15dfe1165f8d90L, 0x827a416ca72456L },
+        { 0x5af888433a36c4L, 0x8bfa54cd8ee604L, 0x08fd1419ce290fL,
+          0x2db5e8c287b3a6L, 0xe5be98103cdad2L, 0x155b874bf810b9L,
+          0x2ae42de670f473L, 0x22185847f74657L }
+    },
+    {
+        { 0x54b2a5023ffa43L, 0xcf87b16a24d919L, 0x1ff540263524e8L,
+          0x73c94e056d1e54L, 0x76515523899fb5L, 0x13a721418723bfL,
+          0x39afbdd3561517L, 0x49b790a9f2862eL },
+        { 0xc8c1f4f527d2ceL, 0x1997aec7609bb7L, 0x583ad8002a3400L,
+          0xac2374e4f79706L, 0xbf1f9a821b7183L, 0x06158ab6600fe0L,
+          0xfcc9b2ebd56751L, 0xe1de5acddaaec7L }
+    },
+    {
+        { 0x230baa1788fdabL, 0xf30860a7d04597L, 0xa2c7ece99f4caaL,
+          0xbd39f106ad065eL, 0xfd92f5d3bef7bdL, 0x6069fad96d2203L,
+          0xbff38cac4d9e0dL, 0x419a0171fda313L },
+        { 0x5d77fd8572f035L, 0x5af99f2b282b40L, 0x7257d3b23facffL,
+          0xf2ee22358c90afL, 0xcc2687d9b6a52aL, 0x140892c302430eL,
+          0xa934d5e3ec4f38L, 0xc087d7c3bd18beL }
+    },
+    {
+        { 0x7e94138a2c5ed7L, 0xbc8ceef53610bfL, 0xe89356bd86f803L,
+          0x9a3a3805a55330L, 0xe894aba11ad648L, 0x2e68fbaba95918L,
+          0x643e2bafcad344L, 0x0dd025661640aaL },
+        { 0xc02e479e25cbddL, 0xd78c4d813a1b3fL, 0xa6dae8fcca9692L,
+          0x3dd91e9e5de8a0L, 0x78ae0ce764ea36L, 0xb4ad99985dbc5eL,
+          0x967ff23e82a169L, 0xaeb26ecbaee1fcL }
+    },
+    {
+        { 0x8c502559a6f90cL, 0x56e7abe0ea374aL, 0x675c72256413b2L,
+          0xd3fc17e946753fL, 0x28c4e1fe235f7cL, 0xe209bcdb028eb0L,
+          0x7d0f93a489fe88L, 0xb966a2e063706aL },
+        { 0xb6c228c4a30319L, 0x6868efeca6d674L, 0x0610a70057311aL,
+          0x0808112bad7f89L, 0x2a2462c1dd6181L, 0x52ed9feb58e88aL,
+          0xbbff16f33821a2L, 0xda53e9617f882aL }
+    },
+    {
+        { 0xb6ffca38c30e5dL, 0xa90f9915c905f5L, 0x72fb200d753e88L,
+          0xe509d4c7256c6aL, 0x369e552d866500L, 0xee4b7e033cf8aeL,
+          0x280d954efcf6ebL, 0x5b275d3d557f0eL },
+        { 0xeb17211b5cecf8L, 0xd6ad50fbdb2f8dL, 0x2478c7b35e04b7L,
+          0x97e7143ac73bd3L, 0x09d6ede4817e24L, 0x68fea712c405e1L,
+          0x34adbc905f67a1L, 0xd20ab7073edf99L }
+    },
+    {
+        { 0xe116a96569f191L, 0xb3f0bce4d6e29aL, 0x30b9e1af51dbabL,
+          0x1dd36f3346d276L, 0x83151030749a27L, 0x242f148ab47f70L,
+          0xe8a5bcf5585681L, 0x8b801845ed79baL },
+        { 0xa4042fd3894ad1L, 0x82f781d2b88bc6L, 0x2d34cacbe4c397L,
+          0x8731aeadd99c9fL, 0x0f95498ef1d382L, 0xcaba2e1dd0bbc9L,
+          0x78889e954064e8L, 0x8cd9c9761a8ab9L }
+    },
+},
+{
+    {
+        { 0xf31f53ffa0459eL, 0xf8742a1315cd6bL, 0xabe2f50ae64e97L,
+          0xbd787419b9da48L, 0x4521a3351e526eL, 0xfa05935e10ba45L,
+          0x5c947e1e8f903cL, 0x0aa47d15a754eeL },
+        { 0xb2849efd814825L, 0x9c2a5d25c9968dL, 0x24dbb2604e634cL,
+          0x33f3a4cdb38194L, 0xe04f609c8a2b6bL, 0xcaefd8eabbbfdbL,
+          0x683119a404498bL, 0x24ab7a98b21cbdL }
+    },
+    {
+        { 0x6f1326921fa2ddL, 0xd79e61cc10a4bcL, 0xac4b3ce4bd6d46L,
+          0x52459b6bd3f37bL, 0xce0f0a3a396966L, 0x050d1d5a1ed488L,
+          0x1b9c403e0b17faL, 0xee1abd004a2e66L },
+        { 0x97065c35cf3e3bL, 0x6513d5fbe33441L, 0xcd3463479047aeL,
+          0x45cbb1cfd22df1L, 0x7a173ae967b17cL, 0x75f5ba72223cdaL,
+          0xe3d12dbefe0a73L, 0x3b7f94dfd7adcfL }
+    },
+    {
+        { 0xd596a13f1e9b7dL, 0x04f5bdd6734e0cL, 0x18b694f8be163aL,
+          0x15620c7d959fa3L, 0x65fc2c553d2a3bL, 0xd44a364c4d36f2L,
+          0xc8b421f268ceabL, 0x564139abfe2bd4L },
+        { 0xb52461019d4633L, 0x5ab3f886346934L, 0x96691fe9819422L,
+          0xdfdec898b39b82L, 0x84b1c7997cfb27L, 0xe59a98d4d6d004L,
+          0x5e5d0c612c350fL, 0xb431220d415774L }
+    },
+    {
+        { 0x3d0ca736aae0a2L, 0x7b1991f48c2d8cL, 0x00ae8565cdae72L,
+          0xdbb6ca0bd55128L, 0x3c2ab2a45c82bfL, 0xea5a55979545caL,
+          0xeba9a26d5927d0L, 0xb52e40183257fcL },
+        { 0x55ed517ca9650aL, 0xbdaa081e3ebff2L, 0x8cf7ce49f8831bL,
+          0x1d0b5bd6e3b8d3L, 0xa314a9fd8fc869L, 0x07f2079b892babL,
+          0xb700dbfa0cc9d9L, 0x7105a086dc0a39L }
+    },
+    {
+        { 0x0c7e05d8c7d901L, 0xa7ff681af3182bL, 0xb88e3caf9a0d06L,
+          0xfe20a12c343b7fL, 0x9f0257703251f9L, 0xf225dedc40c5ebL,
+          0x50e0cecb208ea7L, 0x5b250f0e6eeb65L },
+        { 0x807a1534806b6eL, 0xded120afa94139L, 0x237ddc749366fbL,
+          0xdd3674e5a34bcbL, 0xef6cdff9c4a61dL, 0x036194bb2fb896L,
+          0x38659539528cd9L, 0x0723c596936a52L }
+    },
+    {
+        { 0x1f84cd5e17719dL, 0x545939bc73b394L, 0xefbf3c583e84e7L,
+          0x6cc46f1f77fd66L, 0xa629f591383ab8L, 0x9177ffacd35cd2L,
+          0x039187f9dd411bL, 0xa9cf1cf7b7eea8L },
+        { 0xa3b105aac47e5dL, 0xa755bead0a9da4L, 0x50cfbae73da15eL,
+          0x9456cbc60b628cL, 0x7ffc3629b7a910L, 0x30b5924cd6d6a4L,
+          0x198629f0b04ab6L, 0xc74609c624dea9L }
+    },
+    {
+        { 0x27d4d77af12fa6L, 0xdd8a216690aeb2L, 0xe48fc02fe24417L,
+          0x1970403720e17eL, 0x95013fdce37b42L, 0x06817d2de4bd9bL,
+          0xc5863e763d0ba2L, 0xa1bafc0a556f5dL },
+        { 0xf28ec7b410a78aL, 0x0dcac420a01a63L, 0xfcd3fa4b5bce11L,
+          0x054d7e5d278b89L, 0x5195db85ce49e3L, 0x4c0b1672c73d96L,
+          0xd94307720a1bdbL, 0x66fa8b359c77a7L }
+    },
+    {
+        { 0xb9e93aed7462feL, 0xbfe54b218dde4fL, 0xaabb5283dbb08eL,
+          0x8c367020e5fc45L, 0x35028888e69be3L, 0x6d2efc1c12a11dL,
+          0xfce5cebf265e30L, 0x58c8bb35742c7eL },
+        { 0x32e89dcccf7fa0L, 0xa811f33dd020a4L, 0xa10d6205129fe5L,
+          0x3841c88e4ed29bL, 0xf3303a9d8b1ea6L, 0xa9a0cad1781f58L,
+          0x4502b388f3ef0bL, 0x2b7587e74c6d35L }
+    },
+},
+{
+    {
+        { 0xc6eaea123ae7cdL, 0xa1884d473c0caaL, 0x901e76fef1ea88L,
+          0xdb9935ca14269dL, 0xe8b2486947f1deL, 0x4ad56f4a657588L,
+          0xe7680542913fb1L, 0x2abff5d37600daL },
+        { 0xa814813a81a797L, 0x63e76a446acb69L, 0xb1038394ab8277L,
+          0x587de349d8e759L, 0xdfaeb8dddf62dfL, 0x24fe1cf9239d49L,
+          0x7de7409e130d1cL, 0x3ecfef9581d070L }
+    },
+    {
+        { 0x8d177a0f87c72dL, 0xae7e5818c6d1deL, 0x0077b5f8cece85L,
+          0x382483832d2187L, 0x49d8b156db2bd2L, 0xe9e5513c8d85b9L,
+          0x63c410ce05c53fL, 0xceaf2fbd86f752L },
+        { 0x0b432fe93806c5L, 0x18eb15d3d06c75L, 0xcaad82612cfc02L,
+          0x581e0401e2d045L, 0xd573cb595edcfdL, 0xce71948dbc66e3L,
+          0xcf68721acc14eaL, 0xf68bea26cac4dcL }
+    },
+    {
+        { 0xd8576afcb74da2L, 0x8771c29c433f46L, 0x7315af6e2f5b8eL,
+          0xc195481ba33928L, 0xb77dcc22fb1f94L, 0xcb3e57ca610f75L,
+          0xeb2a92753907dfL, 0x916f14923eff95L },
+        { 0xbb378e4b6cd291L, 0xa2a5e2b2f13ce1L, 0xa8a0e60bcd00b0L,
+          0x5902741682b75aL, 0xa0882c93f65a77L, 0x2069f75c93cfffL,
+          0x1ede40570c0cb9L, 0x13840c90d526c4L }
+    },
+    {
+        { 0xdc2caaa03ced48L, 0x2079219a0315beL, 0xca493563b1f642L,
+          0x0202dc7b0665f2L, 0xe5d6bbdb7a5238L, 0x36fbd5e26eab32L,
+          0xb3988f1f5819b4L, 0x5b15dc84aa4d69L },
+        { 0xa52feed54e5c24L, 0x927471be91a797L, 0xd119bfdd57f677L,
+          0xde38f7b78e4c4fL, 0xa7af516b150bc3L, 0x403b21e26b76c2L,
+          0x589067d92300dcL, 0x04e406a066802aL }
+    },
+    {
+        { 0x28e7d09a9ca9bbL, 0xaa84fd5fccf4a0L, 0xdbe9fb8635b7edL,
+          0x9ede3f5d56fc7cL, 0xa4b5031b01cb29L, 0x584299d7f93703L,
+          0xbd28868b6fe825L, 0x1d385d48b9c2d9L },
+        { 0x6606f4a822be80L, 0xb5a0165626d0fdL, 0x9920a2014568adL,
+          0x7d430f41c6d174L, 0xc243e16e02e9e9L, 0x367f1d2a6bd649L,
+          0x693910071b8c36L, 0x2ede1314de2984L }
+    },
+    {
+        { 0xdc781875beec32L, 0x1fff0cca525ff4L, 0x6e86425676df34L,
+          0x2b4e8a63f638e1L, 0xc4991d29b1e59fL, 0x399d0011589717L,
+          0x406464ebe041cdL, 0x901cb3d9e65bb0L },
+        { 0xf5f4572fb42307L, 0xf81b3b0f1b7307L, 0x8fb695cf2094d1L,
+          0x7db4792db56f7bL, 0x36836d55a794e0L, 0x2da477b09bc879L,
+          0x1cdfadb1887c40L, 0x65dc6c2f2699b6L }
+    },
+    {
+        { 0x36f9f214737972L, 0x48f0c8b7a387b0L, 0xa156ed339a1d24L,
+          0x375293a0fed268L, 0xf679f487ff75cbL, 0xd15a00f1cc9e62L,
+          0x92a7dc722c3877L, 0xe9870636fb0ed4L },
+        { 0xfd8e59c16f5f3cL, 0x375732eaeeb48eL, 0x2dd9213ca1ab42L,
+          0xcb062099ffcceaL, 0xfc611f6b23edfdL, 0x271634999b060eL,
+          0xb938b5d820de8aL, 0x138f6e7eb49a32L }
+    },
+    {
+        { 0x7feda63e485f70L, 0x646380aeb27b2cL, 0xcf8fe32c4511c7L,
+          0x2c68e1eff9406aL, 0xa9f2fd920b6020L, 0x1c98fc63b3e465L,
+          0xb8dac3593e53aaL, 0x2fb47b6a750e96L },
+        { 0xea373ef1950bb3L, 0x81566944ac7aecL, 0x8d6b3c2b55b931L,
+          0x5d13f2db62ef7dL, 0x4647f2aab9182bL, 0x8f56c5a33bf07cL,
+          0xc5ab284b35a221L, 0x0747ab75a46a6bL }
+    },
+},
+{
+    {
+        { 0x5b9236c86b85c5L, 0x5967a0dc482448L, 0x397c9557df6ae0L,
+          0xf83ee1c5378f2bL, 0xf82df656e05dd1L, 0x4c424f619d7c8bL,
+          0xa612550a6d5f2aL, 0xfe8482a63c3ebfL },
+        { 0xcb8d4030142c82L, 0x08b06623679e6cL, 0x3ea51463eca5eeL,
+          0x089eb3b1370500L, 0xcbfb19c5a0d306L, 0x2f6858842a65bbL,
+          0xe3e1db5e51e119L, 0x2c150e7110895eL }
+    },
+    {
+        { 0xf323488f6d4c4cL, 0x5fc931f63b87e2L, 0x8867da035c759fL,
+          0xb6f1eff9746d4cL, 0x8a8172d990be0aL, 0x1113eee5c407b4L,
+          0xd80dacf378ed8aL, 0x99b57cf3fa7fd1L },
+        { 0xf5bb6d95176405L, 0x6b8963a92e83b5L, 0xac55b6b8a7ef8dL,
+          0xe73fa126c1fbf0L, 0xdb3756060148dfL, 0x72f1a98f3f1fbaL,
+          0x1f71d0aea550f2L, 0xc3ea4f09544a87L }
+    },
+    {
+        { 0x5b09da24322bf3L, 0x2a573d561264e1L, 0x93cb2e1803acc4L,
+          0x397b4fbe502fc6L, 0xddfb21239e0ebcL, 0xeccd8f5bbcbc57L,
+          0x49d3bed4663788L, 0x37192aa1218df9L },
+        { 0x8a05bc92ffa3c6L, 0xc38c28123ebf4dL, 0xc80d547fe343a8L,
+          0xa8d5a5b6c63516L, 0xc5d8ce18d8fa6bL, 0xeb5e87224a87c0L,
+          0x9806e9e75bfa23L, 0x11f0889689469aL }
+    },
+    {
+        { 0x81005f68e75666L, 0xb84d861d349505L, 0xe0832829f321eaL,
+          0xb751d7acfa33a1L, 0x793cf6f067c550L, 0x073a6b21027e56L,
+          0x53f40ee66a6012L, 0x70bfaa8c210fa9L },
+        { 0x1518e39e4b5998L, 0x8f0b53024b8d9cL, 0xd91c281afdf923L,
+          0xc5cfb2824e3f69L, 0x63a529a870871fL, 0x3d3e8872128dadL,
+          0xed658dccb30cceL, 0xf9373b9afb7baeL }
+    },
+    {
+        { 0x22d4dbede58ed2L, 0x4fefc1d03f8789L, 0x6b0a1fe344817fL,
+          0x96bef40a56b0b2L, 0x32684eeda249faL, 0x8298864524a91bL,
+          0xa958baf0c736a1L, 0xd033a7def2f3e5L },
+        { 0x5be3edc43f4d6aL, 0x326a39d9c89abbL, 0x90c44f755d997aL,
+          0x20581066e966c2L, 0xdbae4906548038L, 0xac7bc97d473fc1L,
+          0xb34488b4b2603aL, 0x27aea275e9bb98L }
+    },
+    {
+        { 0xa59e7281b88773L, 0xe2f05d40c241f6L, 0xa56229e4e75749L,
+          0x8f00c0b1b10705L, 0x855994619394d3L, 0x0d7e352aaf5e32L,
+          0x526c462787b8eaL, 0x89297d9a179d48L },
+        { 0xeff17e6ef43892L, 0x17091eb221f841L, 0x82f5eb34a4b848L,
+          0x6bea4778eb7b76L, 0x21f227176c536cL, 0xd9ef2c896c81bbL,
+          0x7c2754654bf4d3L, 0x9dd4662d7c28c8L }
+    },
+    {
+        { 0xe7fff0020e1a6bL, 0x26a35c6a08d467L, 0xb3c773d3248c91L,
+          0xa646615ba7d935L, 0xa91f453b0d26faL, 0xdcf9c3460c6d32L,
+          0x63668619e3e3dcL, 0x3012813f30f3e2L },
+        { 0xac6623dc2fc61aL, 0x108dc252bfd2ffL, 0xd7f5c0d231d6eaL,
+          0xa904f9aad1107eL, 0x46941c20d1e9c8L, 0xe5b6451c810cf2L,
+          0xaba8e674f511d1L, 0x5b4b94f08373feL }
+    },
+    {
+        { 0x002d4e2849c230L, 0x9bed0efd8ba391L, 0x745e0c0828e319L,
+          0xcd40907ca58de2L, 0x2c87ab11abaa4aL, 0x3c17a97db64391L,
+          0x36b184e86c72d2L, 0xb03d202485f7aaL },
+        { 0x2b6b79bde24abaL, 0xdcb78542325fb2L, 0xf5d1db966ebae2L,
+          0x35a4d5b903840aL, 0x7afeb09190e9daL, 0x1818f6a35c1792L,
+          0x90091fa3faa269L, 0xc4ccff62570235L }
+    },
+},
+{
+    {
+        { 0xa177619ec85940L, 0xfca24db7ef7eeeL, 0xb2450f37a90c11L,
+          0x29d256ddbf4f85L, 0x920c8d051316c3L, 0x2f7f7ba04474daL,
+          0x308117f2ec9a0bL, 0xd0a231ad0d2085L },
+        { 0xf3288fc7ab641dL, 0xc68bade9f4fa32L, 0x768f014bbf8253L,
+          0x5eff260c0a33f0L, 0xc71b4536bb93ceL, 0xa71d045680697fL,
+          0xb62444cce72bc3L, 0x11f03e8d1379f3L }
+    },
+    {
+        { 0x1f54789c16df92L, 0x874c642e3ed142L, 0x6699f60fa2a9f1L,
+          0xbd1b8d33fecfc1L, 0x59682d58a3d953L, 0xf17c0214a36b81L,
+          0xeb9621d181a666L, 0x7c2c3ab3cf1ad8L },
+        { 0xe6888c3e529f7cL, 0x197b66ab355315L, 0x63b558a83e31acL,
+          0x4aa7bc5891c68eL, 0xc17d989592e360L, 0xc750a291363666L,
+          0x0d534704909ac0L, 0xd6d02724594a10L }
+    },
+    {
+        { 0x35c541b3fbb635L, 0x50016d05982afaL, 0x58ebce496b0ca0L,
+          0xb940027577ea56L, 0xf29d305e38480fL, 0x43705b0ebd6a2cL,
+          0x0e4acdae90c639L, 0xbe94a29f56e05eL },
+        { 0xc61f4a030659adL, 0x39074adc402211L, 0xfe0d8d551b621dL,
+          0x2d02e8dd1d5222L, 0x05ece3c46c2683L, 0xf70705ac689d41L,
+          0xe3caf444d837bfL, 0xfda058475ba6d0L }
+    },
+    {
+        { 0x1098163cb7d458L, 0x12b645ff5ba834L, 0x70a318128af72cL,
+          0x5f4727ef32e5ddL, 0x7cbae1510a21b4L, 0xa80bf806785389L,
+          0x9827402b8f93b7L, 0xe385f8208349daL },
+        { 0x2d054619589f6eL, 0x6aa5b26e7c0191L, 0xe79ae12bd5574dL,
+          0x5d13f914148e61L, 0x7b2be0f13716ffL, 0x82b0fe680bb81fL,
+          0x697633c3e2569cL, 0x6c1f083873f8b3L }
+    },
+    {
+        { 0x6e26d850be1674L, 0xe4e47f6ab8044fL, 0xfdf46e882fc434L,
+          0x639ae2cc89cadcL, 0x2244a524b85bdcL, 0xb1e4790b7cf4eaL,
+          0x51dce037e0bb8fL, 0xdd143352716ceeL },
+        { 0x1c049b48e8841dL, 0x6bf26dcb97c621L, 0x21d6255ba01178L,
+          0x477258a8e4f0e4L, 0xf5e437e68f8ef1L, 0xd118fbc8b03e1eL,
+          0x3d6bc51e1c91b3L, 0xa259486d5b6907L }
+    },
+    {
+        { 0x4159cfc7b6f5dcL, 0x05a52b3493694aL, 0xeeb511c83b8883L,
+          0x19d79e42b06400L, 0x8e503a2738f37eL, 0xa30e5795a94ad9L,
+          0x3981c75262618dL, 0x06b6c692dcba19L },
+        { 0xd7242ee4d1b051L, 0x6274ccb3b350c4L, 0x66df0bbf540019L,
+          0x4d66be65ae12d5L, 0xcea29601049cbaL, 0x40473398df84b3L,
+          0x7d6c96b75a31c8L, 0xbb80159874174cL }
+    },
+    {
+        { 0xf0f7be059f1aa4L, 0x798f39adcff451L, 0x96763ff8014e1eL,
+          0x03987a809cc5ecL, 0x4919656893650aL, 0x92e8eef75e24dfL,
+          0x54e97cde89d639L, 0x8081d067682cc0L },
+        { 0xb9ef41aa8ceb71L, 0xb8173a4a4d7aaaL, 0x93d81b1c54ee10L,
+          0xabe180570a445aL, 0xac0ff9764d569dL, 0x86946b23e570beL,
+          0x8e11dd24180641L, 0x3d0b33c99f67dcL }
+    },
+    {
+        { 0x2c9637e48bf5a4L, 0x9fdec19ccaf112L, 0xe5cde9d5c42023L,
+          0x9869620878f0ccL, 0xcf970a21fe6ebaL, 0x1df5ec854e678bL,
+          0x4667f0128d00ddL, 0xfa7260db0b3fa8L },
+        { 0x6bd2895b34239bL, 0x04c8bc52d2a50dL, 0x14e55ef6cb23e2L,
+          0x6440c273a278d5L, 0xf4b12e32193046L, 0x46adf645dd4c08L,
+          0x70e29984656e8cL, 0xe7b36eae4acd44L }
+    },
+},
+{
+    {
+        { 0xea64a5716cf664L, 0x8497ee426fd357L, 0x44d94b4814e851L,
+          0xf4aac225a6a2cfL, 0x947b30980c301fL, 0xf390ba17865383L,
+          0x16c4fc6d1773d3L, 0x61b98146227220L },
+        { 0x07dd03a1dd0270L, 0x290ca820f160dfL, 0x8f2205444ba955L,
+          0x4e85e450b6f1b3L, 0xfd73ce9ad78089L, 0x67c12702f2cb0eL,
+          0xa7de0d7ee33a61L, 0x6a811cc6553261L }
+    },
+    {
+        { 0x5ef05742d0a427L, 0xe8d2e95220a341L, 0xdd28cbf8044886L,
+          0xdad7b4ba1aa58bL, 0xb28f3738ec901bL, 0x1841a935bbe3dbL,
+          0x8fd7cd1a075feeL, 0x93b603fc0d3cddL },
+        { 0xca54fd55edd859L, 0xa4cb05f64ed687L, 0x3138668ed1a3d7L,
+          0x1224fdaee32be5L, 0xf1f532bc80aeb3L, 0xa4f65d0e8d4d69L,
+          0xc697a015905fe5L, 0x514da7a6690ce4L }
+    },
+    {
+        { 0xc7b9af83de4a55L, 0xc79bad7b318d93L, 0x1808071f5b1c83L,
+          0x92112efb965b16L, 0x655ab387bb740aL, 0x53dbc8b384ff87L,
+          0xd153c2872dc6f2L, 0x2ec20e199c7819L },
+        { 0x65e46ea3b854b5L, 0x272d5aec711db5L, 0xfd1bb5326e19e8L,
+          0x33280b83dc0665L, 0x95b986eb8f1c4aL, 0xa671fc4a685c4aL,
+          0xa03cbd583bdbbfL, 0xd329402ab77544L }
+    },
+    {
+        { 0x40fa6518e62b35L, 0x3913b11f9e55a6L, 0x4e8089b5270a41L,
+          0x565f52a80d1886L, 0x93b5f05512749bL, 0x35c869c141c547L,
+          0x9a44a1af86717fL, 0x2b9984b9c2b2cbL },
+        { 0x61fb6074952322L, 0x2d4072f7af1464L, 0x9b2fa8c600eb30L,
+          0x6071fb7f10668eL, 0x27cc24d90634caL, 0x3875bc2471d32bL,
+          0x678590ba11210cL, 0x352b447fcc5a9aL }
+    },
+    {
+        { 0x795d5415fa3200L, 0xadaa557a92949fL, 0x42fff063cc88c4L,
+          0x26d683171b68a5L, 0x3286549e67ad8cL, 0x5bf636386396b2L,
+          0x41229b6e12c8eaL, 0x05320c9748952eL },
+        { 0xae36b63900b460L, 0x9354ff2f2b6affL, 0x10b810b065ee0cL,
+          0x4d6925fcc8bb38L, 0x31c03fd7a22f14L, 0x76b7f4457544e8L,
+          0x3a9123cc0eed26L, 0x77acd67e0cd1ccL }
+    },
+    {
+        { 0x2e9053007ec527L, 0x32388ef62937cfL, 0xa445389e229188L,
+          0xa44b68e33bcebeL, 0x5a8722e4c4e701L, 0xfd066e8cf07e41L,
+          0xa3c1a4f95fab62L, 0xb4d6a1be542f24L },
+        { 0xe6a92e4af6c9b5L, 0x9452484c83d61dL, 0x422b55b0062276L,
+          0x261973a5279688L, 0xde8be263999fb2L, 0x64e96287b029caL,
+          0xd8edfaa06897d4L, 0x408319c6955511L }
+    },
+    {
+        { 0xff6baed50a5632L, 0x922b7d05c5885aL, 0xdf0f3b31b45864L,
+          0x27e49c0c04340eL, 0x618c566122c447L, 0x7863a38eafee7eL,
+          0x7143affb828cb0L, 0x51fcf4cf9d054eL },
+        { 0xc4a4b3127f5e09L, 0x021f47a90be2bdL, 0x1a060197ab956dL,
+          0xe77fa1586ea86bL, 0x9ccde87d550ef3L, 0x7dee53a6532654L,
+          0x8b4f060e826387L, 0xda38637ad077b5L }
+    },
+    {
+        { 0xbc901b30e9fac8L, 0xfa082046fb2a2aL, 0x92f68ab5e04efcL,
+          0x184a30a9ac12d0L, 0x1aa11aab25d479L, 0x8bc5f4c0f03161L,
+          0x7e3a083cfc8817L, 0x84d9355597f93fL },
+        { 0xc014478239abc6L, 0xb226b098d37b04L, 0xb056942f575789L,
+          0x816b95aba745ebL, 0x2a49d39b98ddb6L, 0xc41ca26291af81L,
+          0xb3afe99ab26347L, 0x59c31bc604b638L }
+    },
+},
+{
+    {
+        { 0xa16a8b9c42befdL, 0x731c9c92052f00L, 0x1ad49b41f5dfa0L,
+          0x7a289e3bffce36L, 0x868fac00c79cf1L, 0x6d6d28486721abL,
+          0x590f928e726c94L, 0x0e802cb51f3841L },
+        { 0x6a6a57a0b694bcL, 0xb9bb0cd8120fb8L, 0xad96ac79c05826L,
+          0x294da8c7768df0L, 0xfe32311b56c6c6L, 0x291c2c6ae8d050L,
+          0x1c765e7e7db4c9L, 0xe058298d65f9f7L }
+    },
+    {
+        { 0x4bfa85b7e8d345L, 0xa04ef95de1dfc8L, 0xb5f7f21324ace3L,
+          0x4b350a1574b14aL, 0x11436bff8e5c8dL, 0x1c789f97642369L,
+          0xeb5e335fb623ceL, 0x9deacd2442d562L },
+        { 0x4ff989f531ee71L, 0x43e2c49aacb52aL, 0xa76319885bfadcL,
+          0x08b6d5cd0161a0L, 0x010e3fa541f197L, 0x83a589e3279a16L,
+          0xf0991376309f9bL, 0x07c093bf1cea10L }
+    },
+    {
+        { 0x1ce3f0f33d2192L, 0x07b559ac37ce73L, 0xaa2ad38207be27L,
+          0x84f053b7ed93deL, 0xbc5c7973b98a4bL, 0xc92346163aa9b9L,
+          0x807cc16231a10cL, 0x8ffdf57a061209L },
+        { 0xa9ca741497070fL, 0xf608ec9d113b3aL, 0x51327268d0384dL,
+          0x96686acf5ec307L, 0x437bbbd71c4665L, 0xdef09d57c379caL,
+          0xf8be033621747cL, 0x2775b378ae8047L }
+    },
+    {
+        { 0x4009798b2c4fc2L, 0x148d7d1203772eL, 0x9d9392df8423fbL,
+          0xa5bd72eaf8cef4L, 0x579d58d4380b53L, 0x2ff88f18c39d24L,
+          0x9ca2fbc5706466L, 0xb42987d1e56af2L },
+        { 0xcc2556e5d94ea8L, 0x4e5c2b35369d76L, 0x5de35742a94f9cL,
+          0x8d068c95cb4145L, 0x4d553ff51bfcbfL, 0x3ab71648a23fceL,
+          0xc9cb3a9d0fa7f3L, 0xf81209bed9ced1L }
+    },
+    {
+        { 0xde7356ee5b66f5L, 0x7b2bf1ae8a25e0L, 0x09a444a2c9b725L,
+          0xfd8a2f44906c55L, 0x409cc8082514f3L, 0x47e009928999a9L,
+          0x0a582a66a312f4L, 0xf7946f8f6723deL },
+        { 0xa55f6ba92d8affL, 0xb62c3c8a544b1cL, 0xa1d14115c16a94L,
+          0xc3783192ad5e71L, 0x13d784706b1dd6L, 0x99005f8ee7ff55L,
+          0xfb5ea3f8a1e7d8L, 0xdc7f53cb4cac39L }
+    },
+    {
+        { 0x482abaf36e3794L, 0xc23e9e5c74684fL, 0x4544cf6f1629beL,
+          0xd8a8ee52f40374L, 0x2eea87ff433bdbL, 0x489a99cae9990eL,
+          0xefc131e54b23b6L, 0x25fe6998600270L },
+        { 0x03d2d9ec059a7eL, 0xa6445b56979c3cL, 0x491a10c9bfbceaL,
+          0x15b5974e937af1L, 0x4be8002797c7fcL, 0xbed8a49fedcfeeL,
+          0x35751cea9e0691L, 0xe9a9fa39ef5982L }
+    },
+    {
+        { 0xeffeaca3065de7L, 0x841d544ac4d4e2L, 0x8144679caf199fL,
+          0x98cf4f9443967aL, 0x8cd57f4f33183cL, 0x390832ac1b15ebL,
+          0xc4b1feaa53b500L, 0xd762a10dff24b5L },
+        { 0xccd3eedb0ee2a9L, 0xa6dd4a9362d485L, 0xeb4ff26f1d047aL,
+          0xc0771fd23860fcL, 0xdbb4e394b64114L, 0x2ff3f244d29b29L,
+          0x9cac005387b365L, 0x05b7aa6de5994aL }
+    },
+    {
+        { 0x5e71752c03dd63L, 0xad10fe9bc74687L, 0x51a5b0c54c76abL,
+          0x763fd501f586d4L, 0xc7bd5ce816048bL, 0x8fc83d23f744dcL,
+          0x0561802109df9aL, 0x18fb01fccf0e43L },
+        { 0xe4606fc038ab23L, 0x5878f1fa664c98L, 0x3aedbbd5da7356L,
+          0x3c578f5516746aL, 0x259477f1a17210L, 0xc7a869d028248fL,
+          0x6517a6148cbf95L, 0xbc5f91d3d04d47L }
+    },
+},
+{
+    {
+        { 0x15fd9a9083ca53L, 0x1161da02697ca6L, 0xf516af356b676cL,
+          0x8a420d575eec13L, 0x72d67421a9526bL, 0x8d8c29e76b463fL,
+          0x38a4f588815627L, 0xf7e528be0650f9L },
+        { 0x2cfa78e382edcaL, 0x638d183c4ad83cL, 0x96d3b9de4a0119L,
+          0x5769ccba7c1101L, 0xc3b3b792b8d04aL, 0x96212f64951bdeL,
+          0xad7905a481161eL, 0x8fd676241c5edfL }
+    },
+    {
+        { 0xf7b063539d6cdeL, 0x69d0549115a84aL, 0x4a976c6cbd9fe4L,
+          0xc92953f950ff96L, 0x1d7f0fe654d127L, 0x7293870da0f75dL,
+          0x7bb3652cf2277fL, 0x64798c9834484fL },
+        { 0xb94d8bfac3a76cL, 0xf5721a97ff776bL, 0x23a6e9f2722e31L,
+          0xe9da9969a5c034L, 0xb9bbf83456ebc3L, 0x239f58a96956a4L,
+          0x8b75beb18b7f00L, 0x6c2b5b8a51cb97L }
+    },
+    {
+        { 0x78b1c627eb41f3L, 0x0638fcf17c4352L, 0x939edd80c5709cL,
+          0x0a8dfc3edc906cL, 0x3942f47efb01edL, 0x4c8275749986feL,
+          0x792545c4dffa57L, 0xeee68836c3ff26L },
+        { 0x824d08e12b1218L, 0x515a478902457fL, 0xc70cc9cbae55b3L,
+          0x1240737bcef9d4L, 0xf22e6162f9db7fL, 0x98c4f0291f8da2L,
+          0xa89219cafaaa67L, 0xf35fd87e7d27e2L }
+    },
+    {
+        { 0x19b0cd701b80d0L, 0x3d7e29df9aebd1L, 0xd39c9ca0477cbcL,
+          0xac0f6155ff0d3dL, 0x8a51993520fd01L, 0x508ff54b22d6fbL,
+          0x8786c47318d3abL, 0x4312c464a683f8L },
+        { 0x73b1d3995359f6L, 0x0d94fa5963011eL, 0x5723af29bfe83eL,
+          0xafa90016841df3L, 0x791e92ab7c498aL, 0xbc931ad7ea4253L,
+          0x438e016b783c06L, 0x1347db22ca662bL }
+    },
+    {
+        { 0x41df37dfbaa861L, 0x98ecb23329e4deL, 0xdaf1560507e018L,
+          0xa902269b088e32L, 0xad898a5e4cab2fL, 0xd84e9ed02c1e1bL,
+          0xc20a5d58488af3L, 0xc7165af6cc77c6L },
+        { 0x8526f3adeb7461L, 0x03577b14a2d332L, 0x28e469de4760b5L,
+          0x442c7f9b276266L, 0x90d5c77f9c90faL, 0x7aa87163e211bdL,
+          0x56d8ff05decfd6L, 0xa204b56ee23e6eL }
+    },
+    {
+        { 0x2e4374e4aceafcL, 0x978743b6fcd5e5L, 0xa0f6345c4855caL,
+          0x9bc7e4fe98074bL, 0x3835d57c33d08aL, 0xeec7c8b6f00566L,
+          0x71628a21acf55cL, 0x5da375097fb19eL },
+        { 0x6904a8e01a7125L, 0xad33c85e6e3780L, 0x1702928c19f94aL,
+          0xb424ff27c04b3dL, 0xb212e3919e2ba3L, 0x4cca8e8c9af4c9L,
+          0x98ab7aefd9bf0eL, 0x21d245d9799db5L }
+    },
+    {
+        { 0x6b034dcec08806L, 0xfd763f2b40f2d9L, 0x5e16de029cb906L,
+          0x02b70148a0e16aL, 0x463c8eee071e12L, 0x644728125ad509L,
+          0x9ee6f2ddc0e07aL, 0x188895c68d4d97L },
+        { 0x092fff3b27f971L, 0xb3c159fc9b7722L, 0xe27d8ff3cae42dL,
+          0xf8a5ed6e87071dL, 0x318388f607ebd2L, 0x924967b53486f1L,
+          0x77304947c46e1fL, 0xf279c60f21d196L }
+    },
+    {
+        { 0xef2bc0384f3201L, 0xf8750c71f94c51L, 0xbaa4f5a986ec65L,
+          0x6f8a5de2732a33L, 0x0f13d80299e365L, 0x2709530e85261fL,
+          0x097d922f527d56L, 0x4969687be1f3f8L },
+        { 0x9f3f5043e1708dL, 0xac67b874aa4be4L, 0x75fb042320a87eL,
+          0xa361ad36e2cad6L, 0xcb01470203e9f6L, 0xe3807b7c9b76c6L,
+          0xf086833b907c09L, 0xe9bed3c7e85a01L }
+    },
+},
+{
+    {
+        { 0xa7ea98991780c7L, 0x04e4eccd2476b6L, 0x0af9f58c494b68L,
+          0xe0f269fdee64fdL, 0x85a61f6021bd26L, 0xc265c35b5d284bL,
+          0x58755ea3775afdL, 0x617f1742ecf2c6L },
+        { 0x50109e25ec556aL, 0x235366bfd57e39L, 0x7b3c97644b6b2eL,
+          0xf7f9e82b2b7b9cL, 0xb6196ab0ec6409L, 0x88f1d160a20d9eL,
+          0xe3be3b4586f761L, 0x9983c26e26395dL }
+    },
+    {
+        { 0x1d7605c6909ee2L, 0xfc4d970995ec8aL, 0x2d82e9dcf2b361L,
+          0x07f0ef61225f55L, 0xa240c13aee9c55L, 0xd449d1e5627b54L,
+          0x07164a73a44575L, 0x61a15fdbd4bd71L },
+        { 0x30696b9d3a9fe4L, 0x68308c77e7e326L, 0x3ac222bce0b8c8L,
+          0x83ee319304db8eL, 0xeca503b5e5db0bL, 0x78a8dceb1c6539L,
+          0x4a8b05e2d256bcL, 0xa1c3cb8bd9fd57L }
+    },
+    {
+        { 0x5685531d95aa96L, 0xc6f11746bd51ffL, 0xb38308ac9c2343L,
+          0x52ee64a2921841L, 0x60809c478f3b01L, 0xe297a99ae403acL,
+          0x7edc18fcb09a5bL, 0x4808bcb81ac92aL },
+        { 0x3ec1bb234dc89aL, 0x1e8b42e4e39da5L, 0xde67d5ee526486L,
+          0x237654876f0684L, 0x0a583bd285a3ddL, 0x3d8b87dfe9b009L,
+          0x45bd7360413979L, 0xb5d5f9038a727fL }
+    },
+    {
+        { 0x7b8820f4bde3eeL, 0xea712ef24d5170L, 0x517f88cdf6ec7bL,
+          0xb15cecf983ea9aL, 0x9eeee4431a4592L, 0x786c784ebb013eL,
+          0x2f06cb31f4e15dL, 0x5603fd84f4fda1L },
+        { 0xf6790e99e1321fL, 0x274c66a74a4c09L, 0xa4b70b49a41a4eL,
+          0x7700bddada5157L, 0xe54a60d51be8dcL, 0xfaf92761a477e0L,
+          0x6661c72b027eacL, 0x50e2340280b917L }
+    },
+    {
+        { 0x635f40f96ec123L, 0x4a331337a766a4L, 0x9ce4416b935587L,
+          0xbb6e1f595d97e4L, 0x26147239d4197dL, 0xabd4478490e896L,
+          0xf6a1b2a8bba895L, 0x401fa405e27a45L },
+        { 0x7354ba50620900L, 0xc443a29385678bL, 0x48aba1053cf5faL,
+          0xd67e723bbe152dL, 0x4b858e02a63d68L, 0x174e1ee72be4eeL,
+          0xad0fbb39ab8d46L, 0xa0fdffbce17dd7L }
+    },
+    {
+        { 0xa1ea3259c46fd8L, 0xeca122e9fb96efL, 0xf9074a26767acdL,
+          0x9b004a22787082L, 0x389f8077f3ba8eL, 0x6463de90d5aabeL,
+          0xf30ceaab090585L, 0x71b31e85634ab8L },
+        { 0x0dee65caf02aedL, 0x506886e20ac252L, 0x0665f7886b8a59L,
+          0xb9b784df2bb328L, 0x46e443adc6b089L, 0x3d5de1966c27fdL,
+          0x0419265f0fde70L, 0xed946122b5c034L }
+    },
+    {
+        { 0x5a52ad213b0056L, 0x9fbeb92b909ee3L, 0xb42ba18bdaab08L,
+          0xec127c4ffc8a77L, 0xc6d2985fda906aL, 0x5355547994bbe7L,
+          0xa7470c09cdfd62L, 0x31a3971d2e675aL },
+        { 0x8d8311ccc8b356L, 0xabb0bf801b4372L, 0x33c1cad0294566L,
+          0xe2e649ce07b672L, 0x9084d882ae3284L, 0x7a90d4c1835ce2L,
+          0xb4d1cd5809d44cL, 0x78227149f0528fL }
+    },
+    {
+        { 0xca884cfbf5844bL, 0x9dd05c48524cf9L, 0xdbffa1936ba889L,
+          0xef94fdd29e7666L, 0x358f81b3eaf48fL, 0x96734d51530d56L,
+          0x378b2d14adf9e5L, 0x2f850464731f61L },
+        { 0xd6ae90599dcb83L, 0xa4f89e06199239L, 0x64052498f0f958L,
+          0x2866d99cc27707L, 0x64681a2f551c0fL, 0x2c7b0d04c37080L,
+          0x218925b00ac301L, 0x8d57fb354df895L }
+    },
+},
+{
+    {
+        { 0xdaebde0809c8d7L, 0x58c761c0e95ea1L, 0xbd9965000ae5e2L,
+          0x6117a85cd51acdL, 0xc4424d87c55d56L, 0xe9b1ddedfbeeafL,
+          0xda98bb50db4791L, 0xff3a5a63fca108L },
+        { 0x172fb8e5ccbea1L, 0x9fe12a7a9f6cc9L, 0x1de4b0b8967ce2L,
+          0xc1ab60f671dbc6L, 0x338385a5dedcdaL, 0x647a4203a043feL,
+          0xe9abc6428ebc89L, 0xc357ff003ba3c8L }
+    },
+    {
+        { 0x37061e7de39ebdL, 0xebb91352be567aL, 0xa9a6f6bd6bb80aL,
+          0x039345d99f0ba2L, 0x215494e98bbf47L, 0xf2cb7a4a2a1ccbL,
+          0xf51aa1037f67c9L, 0xd29c85c17fff71L },
+        { 0x8d4e4f24d30b87L, 0x20fdf5593a8309L, 0x9b9f9cf757075cL,
+          0x09142adcd70101L, 0x901d0ee766ca55L, 0x6a5d86a32e418bL,
+          0x550ad92d7fcaecL, 0x64e8818d91b26eL }
+    },
+    {
+        { 0x5cea0f747e5ee5L, 0x8ca1d31be99699L, 0x52db8465c136c7L,
+          0x8cecb3890e0d74L, 0xb8efe9dede2ad8L, 0x18d6ff8f17ade8L,
+          0xd2227352d66c20L, 0xc46593ef2005fdL },
+        { 0xe5ebe6ff7141e1L, 0xc968315e0126f2L, 0x95adc731cb91b6L,
+          0x753b54c38a6003L, 0xa6141254230a61L, 0x23ac6eb559feceL,
+          0x9816b603865c23L, 0x567014e543a570L }
+    },
+    {
+        { 0xd46091ddd2b71fL, 0x3999a5d97d24ffL, 0xce2a4f11ecff3cL,
+          0xab2687c581c6f0L, 0xa9fb2ebcba70b4L, 0x6fde35642093e1L,
+          0x00253ecaee724aL, 0xa08ce3c2b81bddL },
+        { 0xa251238935a2b3L, 0x8cae1d4584f750L, 0x011469e988a219L,
+          0x61f7ed35a6a50eL, 0xe13ebaa01fcebdL, 0x794b97631d8867L,
+          0xf25755ccda32e7L, 0x368a97b4564cd1L }
+    },
+    {
+        { 0x0d22224aa3397bL, 0x1dbb3e638066dbL, 0xfe0b5ee0ce8e32L,
+          0x09c17c87bab4dcL, 0x5cc65ddf188b64L, 0x74c4abf211b5faL,
+          0xdcc17b7ab0ba86L, 0xfbdf46fa535501L },
+        { 0x4775087aca569eL, 0x6575f9006a1718L, 0xb5c45a9b94de93L,
+          0x0fc80068497171L, 0x775d965489f7abL, 0x8775b58f5c0c89L,
+          0x05d4e201a06254L, 0x8cab349b6d73a5L }
+    },
+    {
+        { 0xca7816339465b0L, 0x3ef914814498fdL, 0x9ca1f346255c11L,
+          0x389fd15b7f38f1L, 0xdac2089354b8f3L, 0x82d07fca840a70L,
+          0xf53fd731dd483aL, 0xa6e4eae1590578L },
+        { 0x7bf65af3c01b77L, 0x27542f3a75c982L, 0xc5bd947716cfceL,
+          0xba5fe76884b9e7L, 0x39bae14d55725dL, 0x982f64efae0eabL,
+          0xcfae6627a5293aL, 0x22a25a1d60f464L }
+    },
+    {
+        { 0x74caecc7dd5e16L, 0x23678a2ce7bca3L, 0x467393257f1ba1L,
+          0x4eb9948a4c1697L, 0x5d400e8eaba18dL, 0x128d1c89807871L,
+          0x78f9627bff38a6L, 0xf80b813a39d4ccL },
+        { 0x8aeefa031d3aadL, 0x504219927db664L, 0x244fc694cb6383L,
+          0x319047772192a3L, 0xcc86075bbfb57bL, 0xbae3a134451511L,
+          0x16cf416f6174f0L, 0xb343cc0d376813L }
+    },
+    {
+        { 0x31ac9b9d1824b7L, 0x6282260ec8f61aL, 0xbbeb9f8c781765L,
+          0x06ab5c02d110daL, 0xd583e2247146b8L, 0x79a16084100d05L,
+          0x16dbbb4f0a5c95L, 0xfe2af1de331667L },
+        { 0x26f0364af8710eL, 0x1cb8c91eec08feL, 0x436bce61d95e9fL,
+          0xfe9050c57944a0L, 0x5f45acf07b626bL, 0x48dc93f9cf1276L,
+          0x4491371a05bfb7L, 0x51063044bcf785L }
+    },
+},
+{
+    {
+        { 0xac2e294ed0b3b6L, 0x5c5ade6671637bL, 0x2f289ce1140677L,
+          0xaf446e2754eb53L, 0x70911b720421adL, 0x4b73836e0b7556L,
+          0xcadf1042a97827L, 0x4824e498005bc6L },
+        { 0xb0eeccd937c28aL, 0x1ce061d0c3ee97L, 0xcb076319f33faaL,
+          0x9980bf4aea66dcL, 0x2bd0755d111d98L, 0x43feaf67fe4de0L,
+          0xe76fb80b077b2fL, 0x227dc9f5793b04L }
+    },
+    {
+        { 0xea24ae514f49baL, 0xbc39ea611436e7L, 0x9d7fed278485d8L,
+          0xb6ef00cdf8b131L, 0x0237b4bfdbc7afL, 0x08745b564ccd27L,
+          0xaf8595dafc5a76L, 0x43657af29f5500L },
+        { 0x300718348470f8L, 0x51f91fd640fd53L, 0x859c807be15512L,
+          0x7d1a474ab3e9c5L, 0x5d714d981553e5L, 0x07573436f62310L,
+          0xedc5be06b02a62L, 0x5a4b9b7ea47832L }
+    },
+    {
+        { 0x03e0a24e93dbb3L, 0x25841dccadc884L, 0xabc1a818d10ad5L,
+          0x207e38a2042dddL, 0x7fffbdbfeba8d8L, 0x74efebba3ec9b5L,
+          0x0bc39ca0b40a9fL, 0x69ee9c90267febL },
+        { 0xd402facbc62919L, 0xe9f8fc11cf53c6L, 0xe76fa5a7cc7d81L,
+          0x4f2d87696bb19dL, 0xd4fb7f9adc67c7L, 0x40621d596702dcL,
+          0x5b6a98e438f6c5L, 0xa7c64def1a1036L }
+    },
+    {
+        { 0x84c5e809a092c7L, 0x9e40e0a11c22b7L, 0x820a091d06c99bL,
+          0x45fdc77eecca8fL, 0xfe1b8a35794f16L, 0x31f7e5b4ce3d6dL,
+          0xfd5e01082c74c8L, 0xfdabf30c1f6f7dL },
+        { 0xbfa6017b9248a0L, 0xe898d30546b941L, 0x878c492207ff65L,
+          0xbf22e8db874e64L, 0x43fdb1b53a547eL, 0xb66deda5fbd464L,
+          0x59127a6c7ae1b5L, 0xa4636466a7515aL }
+    },
+    {
+        { 0x22c4e66de9ab2eL, 0xfaf60c20203c58L, 0xed2d7bf0d5c5edL,
+          0xdbc16fe4ca0f19L, 0x54e8ef6465b979L, 0xe2d64b1a310ef9L,
+          0xa0f2c953778636L, 0xf3b4aa4281883bL },
+        { 0x4ac9af09be6629L, 0xba455e11ca90c5L, 0x0147538856f492L,
+          0xc80db7eabd7840L, 0xb3526d96beb9cdL, 0x37657fb9d81503L,
+          0x8729a16193cec3L, 0xd9a93fbd69952aL }
+    },
+    {
+        { 0xfce017594f47c6L, 0x228da21e366d05L, 0x27ce0b2dc8baf3L,
+          0x8cc660b6b4a951L, 0xf678947384bb01L, 0xc629d7d44d980cL,
+          0x47980e4e85e81fL, 0xa2e636a1cd723eL },
+        { 0x6b6ebae77fb207L, 0x70179614c92891L, 0x5569541b4d279cL,
+          0xbb6b36a41758cbL, 0xecaa22227a8e30L, 0x8b6746ab470ad9L,
+          0x4c4601763e2d3dL, 0xe19c4edd3edaecL }
+    },
+    {
+        { 0x0b43fec34718c8L, 0x553c407f33499fL, 0x8272efb970d1dbL,
+          0x008c62ca8e8d1cL, 0xe4b79d763eec45L, 0x1fd4230f2d71a3L,
+          0x090fdafa368c36L, 0xf62c101fca7baaL },
+        { 0x1c9e6c8d2395b3L, 0x671ed6304c5513L, 0x577d933299a465L,
+          0x286890e63f9986L, 0xd92a95dbfc979cL, 0xcebd79d2b51019L,
+          0xe74d88b3d07251L, 0x8b6db73906f9adL }
+    },
+    {
+        { 0xc0c43db7b3d90cL, 0x85d154e4304a06L, 0xe8aceefaf2f38eL,
+          0x5e0429383d9459L, 0x65e5e32431afd1L, 0x9e5f050a900a65L,
+          0xcbaa1718a26671L, 0x33d0b249c93de7L },
+        { 0x3dcbf92d5b6680L, 0xc47e5ec20006f9L, 0xc9711299a51924L,
+          0x665d9b8cd0ed46L, 0xed2d63fa5fcab6L, 0xa817eb6cfbfc5aL,
+          0xb38169fb76eb76L, 0x8b93544f11160bL }
+    },
+},
+{
+    {
+        { 0x02eca52693bdcdL, 0xbbf09232ae01d6L, 0x0b0a2de8b44b3eL,
+          0xdb82449b250dffL, 0x0c42b866e1c530L, 0xcd226dca64c2c4L,
+          0xcfb2bb1f046b5fL, 0x97e2fae3fccb0dL },
+        { 0xdf9290745ed156L, 0x224dcb9f641229L, 0x2126abc5f1f67eL,
+          0xa7eed5ae9c8a6bL, 0x40abedc9857d9bL, 0x3f9c7f6de941c6L,
+          0x2158d42d725ddfL, 0xbdd10158c69543L }
+    },
+    {
+        { 0xa7dd24e8df2fbcL, 0x3adbcfd13d1aeeL, 0xf6a32d113b2177L,
+          0x89a72327a9a14cL, 0xe3aef43dc65df9L, 0xeaec3e3a64d74cL,
+          0x4d387d84fec33bL, 0xaba2a0521a2128L },
+        { 0x2382c226b85e30L, 0x4352d85cd2aad3L, 0xb0c6001d9772c4L,
+          0x7ed82635f3653fL, 0x3626a6f0300f47L, 0x23909de6ca7e4eL,
+          0xb43dd81c154141L, 0x9a49fad7e4bc68L }
+    },
+    {
+        { 0xa3661df2428f88L, 0xbe48b0256e0db2L, 0x3cd1871ce79aa9L,
+          0x90ab87123dddacL, 0x9c58fb971871a6L, 0xf031f7fa34910eL,
+          0xb501eea81060e4L, 0xdb668ba791224eL },
+        { 0x240bbcb6a705bcL, 0x7e76fbd2d1865eL, 0x6e2cd022513641L,
+          0xe6c522546365c9L, 0xe46a8b8a5a01fbL, 0x696fa7bb67618bL,
+          0x418b3b90db6792L, 0x7204acd7108b9cL }
+    },
+    {
+        { 0xb5a143b8456b45L, 0x8a3ab25f53b4d9L, 0xb112a58e13a570L,
+          0x613ca3281487d2L, 0x837d8233b1e7c9L, 0x592baded41e9d5L,
+          0xdc1893a5cd02f2L, 0x08795028972e23L },
+        { 0x7003c08cb76261L, 0x14bde9e332a5e0L, 0x14b2872cbbd78eL,
+          0x5594061de238e8L, 0xad12645067466cL, 0xa8d0e64f5e4952L,
+          0x5b44b82c7f8d06L, 0xb51bea8fb1b828L }
+    },
+    {
+        { 0xebad6853f0daccL, 0x5c31b8b1cbebbcL, 0x6746975fa5a2dcL,
+          0x2d9596531d9faaL, 0x343797d00fc0e4L, 0x38d821c55fe01bL,
+          0x0bfdb247323aa0L, 0x42613c4f962a8eL },
+        { 0x599a211e134bc0L, 0x75fa4a147a7084L, 0x6e719487f734b5L,
+          0xd5ced2d6dfca2bL, 0x9fa0fdc8aeabd2L, 0x5e6b03f12361daL,
+          0xad23d315859fcfL, 0x3120ef125a5fc8L }
+    },
+    {
+        { 0x990ef628e9f638L, 0xfdaa240626a60cL, 0x4a3de202abddabL,
+          0xd5d10b7d8872b2L, 0xa01b7301ea5880L, 0x481697fa81b9d8L,
+          0x29841533471ed8L, 0xefd73f8292d37cL },
+        { 0xdda76269994bebL, 0xa0377036a4f865L, 0xda992ece5b47d5L,
+          0x912a427e53edbaL, 0x64675989264e45L, 0xd3b68c3af71222L,
+          0x9d3436c6dedc5fL, 0x1e027af076b2adL }
+    },
+    {
+        { 0xd56fca14382f4aL, 0x83712a48966b7bL, 0xd6b2cf5a4c9ddbL,
+          0xa66be29f602875L, 0x70e4266894f3d0L, 0x007d220b3195caL,
+          0xba38d8f82c74d4L, 0xdccc5fcd975cbdL },
+        { 0x03e1610c88b38bL, 0xeb9f9a152e0d8dL, 0x6a57ecab646eb7L,
+          0x161641fc76b6c1L, 0xf9025adbd2e12bL, 0x87c74db5c0e26dL,
+          0xed5cb51bfeca74L, 0x603dfb6e34a08cL }
+    },
+    {
+        { 0xc4be728cb03307L, 0xde34c0ec2741ccL, 0xe01db05a74eb17L,
+          0x1bfce0c8905e4bL, 0xb18830ad1b1826L, 0xcacbb41e87bbfbL,
+          0x8696842d2f1a79L, 0xa80e5fb08c83eaL },
+        { 0xe48f1633f1439cL, 0xc1d4108cd6987bL, 0x05705c4b751814L,
+          0xa9bffd0c1c622dL, 0x23de4af46cd053L, 0xf782f5e39457c3L,
+          0x815276b5e5d243L, 0x31320416161ae3L }
+    },
+},
+{
+    {
+        { 0x245966177f2542L, 0x203be7e8372b25L, 0xc7c9426ee2007bL,
+          0xc5641380621799L, 0xda56589c28c3ceL, 0x13e8a7c7afc1e3L,
+          0xdba81e9e352082L, 0xf43054904435c7L },
+        { 0x4d26533691de4aL, 0x364408cfb777abL, 0xccdfb43eae7f88L,
+          0xbc40f44a525b11L, 0x8e112a53c60627L, 0x7f7c581e17e696L,
+          0x0fd78781ea774aL, 0xd09e6320b1f582L }
+    },
+    {
+        { 0x44390bd70aab15L, 0x41112bc889c3f2L, 0x6b02894d685349L,
+          0x71030015584dfeL, 0x373cb1b1ba7887L, 0x53d286c2a017c7L,
+          0x2ed03883c81fdcL, 0x3bfc5e3fbcc6fcL },
+        { 0xd38ac6ffd6418dL, 0xc667e96bfad89eL, 0x46f4f77eab4d66L,
+          0x194c04f0911293L, 0x0fd09cf68c48d5L, 0x6f5b05563cf7f4L,
+          0x0c0a8c4acd562fL, 0x94c1d8336d965dL }
+    },
+    {
+        { 0x94fc8f0caa127aL, 0xc762d5dd803690L, 0x8bfdfd11ebf0d3L,
+          0xa98cdf248eac50L, 0x3d7365d8b5ff10L, 0x20dc29bc65b4deL,
+          0x62ac28e8ec7c68L, 0x7f5a13290372d2L },
+        { 0xf3d8a253246658L, 0xa4bebd39ac202aL, 0x078ede75cc1697L,
+          0x5525800c8fc022L, 0x302a8025fae77bL, 0x018013957917b6L,
+          0x7c8806d864bf55L, 0x4e2d87812f06f1L }
+    },
+    {
+        { 0x8d351183d66e88L, 0xfb861a1a91d02aL, 0x8c27c2a7850e5fL,
+          0x9fd6399a5496f6L, 0x52152ae8080049L, 0x600e2fffd1c2dcL,
+          0xc75902affe8b2eL, 0x5c4d2cce03b175L },
+        { 0x8ad7c424f57e78L, 0x77cf6061736f87L, 0x2876012f85038aL,
+          0xff328451b97b95L, 0x3cc6dd5392dfc8L, 0x72f1363a6f5075L,
+          0x028ec4471de894L, 0x7030f2f6f45a86L }
+    },
+    {
+        { 0x66400f59695817L, 0xeda0a7df20ea36L, 0x855be51d394992L,
+          0x2d082c18336f62L, 0x30944ddf28c868L, 0xfb5f8530dc86d0L,
+          0x9562ae5564a0bdL, 0x1f7ea12b6b9b51L },
+        { 0x5bd74e0d0a7148L, 0x6c8247fb91e572L, 0x699aba547da498L,
+          0xed825811f7c814L, 0x434674b62057b9L, 0x8b4df5e15c15b4L,
+          0x2a97da1b110081L, 0x2a96b0c4c417feL }
+    },
+    {
+        { 0x4f75dfc237639dL, 0xe5ad6bc1db7029L, 0xd43e06eb3d28f7L,
+          0x89f3bb5e447989L, 0xc426a2c01a1a6eL, 0x33ea71c315878fL,
+          0x8a7784ab1b5705L, 0xa59e86e77ca811L },
+        { 0xddb133c36ae155L, 0x49f1d4c0d51b42L, 0x55080829d05519L,
+          0x20e23be5291816L, 0x35047ec67181ecL, 0x6237dc47aad091L,
+          0xa1d3ce1e2e25a2L, 0x1de05220d3db4cL }
+    },
+    {
+        { 0xe9a5e19d9fd423L, 0x0c2c3d09801e43L, 0x043c2dd28df2daL,
+          0x4eecab4e1ad12aL, 0x97e17979615aa5L, 0xe57b879ca7bb5eL,
+          0xa2a903ccc92619L, 0x5cef370aa56e93L },
+        { 0xbef29fa7f3232cL, 0x1cf35ed2b7ad5cL, 0x35c48933b6077aL,
+          0xe0651487a1d47dL, 0xedb4673ce14572L, 0xdc9e98c0b17629L,
+          0xef98ebe9a02a5cL, 0x1f772e311d03c0L }
+    },
+    {
+        { 0xcbdbdcd4608f72L, 0xb4352235a13c6fL, 0xa6497f64bb3c21L,
+          0x3af238312c15c9L, 0xfbbf4b36322d11L, 0x520a5c6c641775L,
+          0x18cd967e81e0e1L, 0x980b2c63de3871L },
+        { 0xfa9db619ae44a2L, 0x0281dd2176bc56L, 0xfd037118a7f817L,
+          0x9c485454129b30L, 0xb439648039626dL, 0x355050ee4ada6bL,
+          0xc9c16d67f5d98cL, 0xf53ccc318c4d5eL }
+    },
+},
+{
+    {
+        { 0x50ae9423ffb20bL, 0xa6c0b426865eb4L, 0x4677f7d09930f1L,
+          0x742e0b64a16427L, 0x521d18ef976f9aL, 0x43ac9cfa454749L,
+          0xda3a91dc51f50dL, 0xf657029ad6f954L },
+        { 0xfe5f0646b4f99aL, 0xd92a5d963ad4ceL, 0xfcb55092e0e081L,
+          0xadc85ab8d8a858L, 0x8e9b9660632f0fL, 0xe7a4f168d7216dL,
+          0x00a4cc559c3b99L, 0xed6d0bdba09dc1L }
+    },
+    {
+        { 0x7236d141621bebL, 0x1751fd4bc7ca95L, 0xaa619d12f5319cL,
+          0xfc2b15b4e9316fL, 0x2d1a9069fd4d33L, 0x28c3bac8ced829L,
+          0xf2efab51dd998fL, 0x2c133303b149edL },
+        { 0x65237c9f601ac6L, 0xb54dd6507d6a45L, 0xa1ce391fb1a4cfL,
+          0x2957533115f67eL, 0x6456da8465279bL, 0x02890aaa993e02L,
+          0x6891853b7175e4L, 0x3fda2030f3e59bL }
+    },
+    {
+        { 0xe99fe12d8c6e0bL, 0x7cb07ff5341c56L, 0xc292c7bdf77b24L,
+          0xf52dfd0ca29906L, 0x4a6aa26772f02cL, 0x26f7684e1bbd09L,
+          0xec56b2bee7c2a8L, 0x67709e6ad4a312L },
+        { 0x99c57b2c570263L, 0xeb0100b2faafaeL, 0x980d5d1ff25ecaL,
+          0xace35e682cf936L, 0x5a82ce544679edL, 0x5c76a41074b81eL,
+          0xf36fa43a00abb1L, 0x064281904ffb2dL }
+    },
+    {
+        { 0x68f6bc804bdd28L, 0xc311d96b5dc7adL, 0xff0d646ed32e45L,
+          0xaf3cdc6e0f712dL, 0xd4508e9d483861L, 0xb624be50e1c277L,
+          0xc510275c5dd841L, 0x451c5c3298dc02L },
+        { 0xf87d479dd34d6bL, 0xda7f293dd06a38L, 0x575e129b699e9fL,
+          0x79e5fb2215b2ccL, 0xd280028657e690L, 0x7fecd09e702a71L,
+          0x85160abfa13677L, 0x5de3427ce65f64L }
+    },
+    {
+        { 0x84e4bf6e8fff38L, 0x16f3725b358b1cL, 0x360371c3b472a5L,
+          0xe64c06152f217aL, 0x8e673790501241L, 0x88e81d6ab2dd96L,
+          0xf3e218a1385604L, 0x9736cafe84184dL },
+        { 0xb55a043dbb93a3L, 0x335088f9301088L, 0xcea7a2db2a4959L,
+          0x48e5d4ab882c33L, 0x114f09bad46179L, 0x4416467b446576L,
+          0x01cb23e34c6c2fL, 0xddebf04a02db8aL }
+    },
+    {
+        { 0x36d60cc9bde8a1L, 0x20fd2f2676e4adL, 0xebdcfb78936581L,
+          0x245d0d5dbfc2c3L, 0x104c62ca9f82e5L, 0x7387457d654d9bL,
+          0xe966777ae7f10eL, 0xefeb16f1d8e582L },
+        { 0x4faf4f170364b5L, 0x0e1ab58d612472L, 0x11bbfe7fed6085L,
+          0xb360a14a59a09aL, 0x61d96e9722fdb6L, 0x16a12f194068bdL,
+          0x225bf07f73c2beL, 0x1e64665c8bd24eL }
+    },
+    {
+        { 0x27a478a3698c75L, 0x778ccd36202aa2L, 0x0149c638d87f1fL,
+          0xa660e5f784edaeL, 0xe0d4d2f82adfa8L, 0xf512dd61ba1f9dL,
+          0x90cfed96245c58L, 0x6c3a54818b53ddL },
+        { 0x833f70cbdc094fL, 0xa5f26f5b1514e7L, 0x93e7cf51c8cf13L,
+          0x1436601186ec43L, 0x81924ace78170aL, 0xcc880a08694368L,
+          0x2dfa9550b62cbbL, 0x0bc6aa496b4a2cL }
+    },
+    {
+        { 0x5157a7e3561aa2L, 0x525c5008645c1eL, 0x22feb4ece7cbb3L,
+          0x36d0d25c89a58bL, 0x43131f7c9bde9cL, 0x74afdda881f731L,
+          0x99ab87c7c8e36aL, 0xf07a476c1d4fb2L },
+        { 0x1b82056bebc606L, 0x95a1e5afcf089fL, 0xc5bccfa2b55d5cL,
+          0x8fbc18e00eb0b1L, 0x93a06fe9efb483L, 0xcafd7252d74c57L,
+          0xc7518f03de4350L, 0x9a719bfc6fd762L }
+    },
+},
+{
+    {
+        { 0x5ee0d832362087L, 0x7f2c0d70b167e8L, 0xb7327895e0e865L,
+          0xef5b2e898c4e65L, 0x222797d8fe9cc1L, 0xfe6d73e82d1e15L,
+          0xc7c0e9cf62dc4bL, 0x962acfe937cedaL },
+        { 0xd763711c1e85c7L, 0x8f2dbbc2836978L, 0xbadc0558c44e98L,
+          0xed63eaba3e93f8L, 0x807e85741b55c7L, 0xd51ae5e6d1207bL,
+          0xa0ef9a639d541bL, 0x58855f9a0c56a5L }
+    },
+    {
+        { 0x7d88eaa213091dL, 0xcbdfee745b6a0dL, 0x826a0124f5e077L,
+          0xb04fc1390f1e4cL, 0x1961ac3aea69aaL, 0x3afb719d5bb63eL,
+          0x2a378374ac7e5cL, 0x78efcc1c50ca45L },
+        { 0x346e8f0b8abdefL, 0x27e3dbd88095d0L, 0x56d3379ffc6c22L,
+          0x67d416cfa4b291L, 0xc3baaf63b1b373L, 0x0184e1fdf73baeL,
+          0x38ae8f79167528L, 0x7329d4c35d6297L }
+    },
+    {
+        { 0x45d2ac9f568c52L, 0x51348149808593L, 0x0c92d8331b7ed8L,
+          0x921327a0876ecdL, 0xf752d75052736aL, 0x7b56487bc6b837L,
+          0x6b1a320a23b4ccL, 0x1983937ec0d665L },
+        { 0x2c3017c08554abL, 0x40ad955366e87fL, 0x88c4edf8ed7f02L,
+          0x64a7db13cc5e6dL, 0x5ac91fa2dc978bL, 0x016a20d925d2a2L,
+          0x3604dfeabb57b4L, 0xc3683ecd7e2e85L }
+    },
+    {
+        { 0xc47150a4c0c6d0L, 0x30af45ee22adcfL, 0x39b5acb022ea4bL,
+          0xfbe318577203b5L, 0xe5aaa346fd9b59L, 0x0062c90dd1c8dcL,
+          0xcf113f354049acL, 0xd8fba4d63a31b5L },
+        { 0x73b54881056a69L, 0x3be6cbcd780bdaL, 0x5776ec230ba2b9L,
+          0xbe883cf8e8d6f7L, 0x64efe945c2be6fL, 0x064f704f1ade8dL,
+          0x41cfd17743110eL, 0xaac94114c20abeL }
+    },
+    {
+        { 0x91f9192f1c1468L, 0x8176e744563e13L, 0xa48b5f90bda15dL,
+          0x2a085aeda42af6L, 0xfd38ab2425c018L, 0x2884ba408abafbL,
+          0x356f318cbd091dL, 0x454e450817871bL },
+        { 0xe080e818ada531L, 0xa40f1eb3152ba8L, 0x051049f0c38eb1L,
+          0x37e4bb3bd45003L, 0x6d0980454a01e5L, 0x6de932feeb824aL,
+          0xccdef37dc93481L, 0x8633e0793a05e8L }
+    },
+    {
+        { 0xbe94256034675cL, 0x376c01d08db789L, 0x8707ee79af1b6bL,
+          0x633b3ef11bfbacL, 0x694f33fd06db60L, 0x2a68bfcbb13407L,
+          0x1c860c9da27c3aL, 0xbca16ded701ac3L },
+        { 0x2b76cfac59ffd0L, 0xf9a116554d718dL, 0xf86a1db67f0878L,
+          0xe313e05af34e85L, 0xa1888113343159L, 0xdbe4c3f0bb7ed1L,
+          0x73b67e80c732bcL, 0xa4e1c87e74110eL }
+    },
+    {
+        { 0xce1106b5c6770cL, 0x422c70b5c0bcb7L, 0x32a39908195e7fL,
+          0xa24968d1ccd4aaL, 0x8f08ecf720e557L, 0x5da10a454bcc81L,
+          0x9d3c73b6cd846eL, 0xaeb12c7368d065L },
+        { 0x2110859cf9fd1bL, 0xd2a4801ee2bd6dL, 0x376e556e9466acL,
+          0x767803b3b5aa35L, 0x343f842b8a89baL, 0x3263cc16726bbfL,
+          0x26caf1725871b0L, 0xef66ad641b8578L }
+    },
+    {
+        { 0xc9f2249638068cL, 0x96d282c1ccf9afL, 0x71df30c69b435aL,
+          0x88c943acb9d5c9L, 0xbf98ef12a8f378L, 0xffc1824114c6ffL,
+          0xda3ad2cd52e8c7L, 0xf1222bc1afcb59L },
+        { 0x459e94b0ee334aL, 0xd4477b8421933aL, 0x60fb7b0a1e401eL,
+          0xfde6e820d1e330L, 0xcecfe9b3233fdeL, 0x09ec4662e93523L,
+          0xa5ba64930775b9L, 0xcc397e5adf80f2L }
+    },
+},
+{
+    {
+        { 0x2fe182d4ddc8a8L, 0x88d6e79ac056bfL, 0xc3ff2d10e41e4eL,
+          0x32ec7f92c3679fL, 0x3561f094e61051L, 0x4553f5a6c6250aL,
+          0x2b765efdd25c5bL, 0xe3a40a26a1cd7fL },
+        { 0xb27309b5d821ddL, 0x950fb8dc2c17caL, 0xfeed0158fb0d4cL,
+          0x762c479f550179L, 0x306cf44e095840L, 0x84b413ad379e66L,
+          0xd6e5d5abb2e4f1L, 0x8bc12b794b085dL }
+    },
+    {
+        { 0xc0d4cb804b5532L, 0x7a31525b9940a6L, 0x010e7dd68c69d1L,
+          0xd81f29d2a18c35L, 0x08ae7703f11e73L, 0x5358f876e55106L,
+          0x299e8cac960ef5L, 0x89a6fb4acfc8dcL },
+        { 0x5996a406dc7d4aL, 0x21e5112e51b96eL, 0x95b8c3d09a202bL,
+          0x306ab0fd441f1fL, 0x2834fed98d4245L, 0xc29c387d0abbdeL,
+          0xf6a9bf1b805c15L, 0x602f4f8c4e458dL }
+    },
+    {
+        { 0xf041486e5a893aL, 0x53b891d8934327L, 0x11e000d4000758L,
+          0xa4ccde8662bad9L, 0xe34d3edb9a1b64L, 0x72d967584e7a6dL,
+          0x773da2f6627be4L, 0xa11c946e835ae3L },
+        { 0x02e8203650bc15L, 0x2d35936e58b78dL, 0xe9cfbe8f21a3ccL,
+          0x55ad8311049222L, 0xbf99de438fff47L, 0xebbfd803831db5L,
+          0xe990636af2af42L, 0xc26ae52b7f5a0eL }
+    },
+    {
+        { 0xb5d85b1fa8f846L, 0x4166489b3b1455L, 0x768260dd36a305L,
+          0xc6a82354ff5645L, 0xd241cd8d6e93e5L, 0xeed9aa1a406e74L,
+          0x9e96ab05f600d9L, 0xa26b8b56eca2a1L },
+        { 0x78321cfd705aefL, 0xc4fb6b3c0161ecL, 0xdc324415199cf1L,
+          0x33627d0d0a5067L, 0x13490cb15143eeL, 0x77e0ede85b4f44L,
+          0x904f12e394b165L, 0x90f50f5efab32dL }
+    },
+    {
+        { 0x4aa0a16bc2de96L, 0x172596aaa9c12bL, 0xd512e1e60e8a29L,
+          0x77d35c1f637e83L, 0xbb0d141d2aae0bL, 0x8a878a58c03738L,
+          0x6d24c01ab0e525L, 0xb7d3136f760887L },
+        { 0xdbc3f8f3f91b7cL, 0xe7b4bcaa8722c0L, 0x3286a91da0ae65L,
+          0x8372274225b084L, 0x5884cd5ae1886cL, 0xb4e63ef3a23cf7L,
+          0xfe5f202f2dd0daL, 0x951fac9653916cL }
+    },
+    {
+        { 0x05e2e8f854fa4eL, 0xf411f941edaf10L, 0x26cc562a0a928dL,
+          0x78fd34e4abce65L, 0x1d8760998a32e2L, 0x85dc76f4c37518L,
+          0xdcaeef500e8021L, 0x7fcb2f84e9b2a5L },
+        { 0x9eba91ef382c06L, 0x2052e8524cae53L, 0x617336ef5c1519L,
+          0xf1546d5b4e632bL, 0xa9edc81d7b8ffdL, 0xdb2914f29ab68cL,
+          0xe805070debbabaL, 0x775e53bc3b719eL }
+    },
+    {
+        { 0xa40e294065256aL, 0x9f113868fb031aL, 0xac03af8059667cL,
+          0x432eb3a0475f58L, 0x22332bf01faad0L, 0xc8132e9bc57a11L,
+          0x27d5a173bc3f8bL, 0x5471fc6930bf3eL },
+        { 0xba28bc0e6bff40L, 0x198d57e555e564L, 0x13ce8319c65b8fL,
+          0xb0a5c9d5681b51L, 0x467588bdeb9e11L, 0xf1891a7bb4250bL,
+          0x10b938bd12b433L, 0x0b8c80224dcda4L }
+    },
+    {
+        { 0xc428703cf332d3L, 0x9d0053cf2a5b98L, 0x4e4c6207838a15L,
+          0x2e92919fbf8a43L, 0x39ad52421cd9a5L, 0x584ed6c1561588L,
+          0x20af30517a95c8L, 0xa223077b70e1c8L },
+        { 0x679cfea2fa4871L, 0x54f2a46ac633c7L, 0x60306514cdc5f1L,
+          0xc4facda75a1dc7L, 0x710a2882d07d19L, 0xd55864e6b44992L,
+          0x44d4b6c454c5b2L, 0x2855d2872f9981L }
+    },
+},
+{
+    {
+        { 0x4071b3ec7b0674L, 0x800eb14f8794d5L, 0x70573afbe6783eL,
+          0xafaa4407785901L, 0x112d2a1405f32cL, 0x3761a52169b3e2L,
+          0xe168b31842a366L, 0x5bc322f9bf4734L },
+        { 0x36ef240976c4a0L, 0x066f3d6fea4e64L, 0x0e954bda989e57L,
+          0xe36ef5ef9466e4L, 0x6bb615abeb9226L, 0x5571e5f3d5a2caL,
+          0xa86efe24897a86L, 0xed7e9cf28a9f77L }
+    },
+    {
+        { 0xdf10c971f82c68L, 0x796ba1e3b597e6L, 0x1ac77ece718cbfL,
+          0xc8175bb410eac8L, 0x0cdf9a1bc555efL, 0x6b889f17524e05L,
+          0x6bf1e61ae26d82L, 0xb3f6ad5d2e97d9L },
+        { 0x94dcff9f226487L, 0x60e6356be03ddeL, 0xda1f93b6a3dd7dL,
+          0xf1be72179ca90cL, 0x05ed3131e6bce5L, 0xcf50908d48af3eL,
+          0x3b0e85c61e554fL, 0xfe7e35ba2778d3L }
+    },
+    {
+        { 0x42c503275ac5a9L, 0xa66a66dda062c2L, 0xa4f4f82caa7023L,
+          0x489d47664b4f86L, 0x10b108897311adL, 0x55dd637177b2ecL,
+          0xa5ccff09a267b1L, 0xf07690bff327b0L },
+        { 0x39162ed2250cd2L, 0x1426de08b255f1L, 0xf227afd1bdd731L,
+          0x78f8a36fa4c844L, 0x267a211157379cL, 0x3f05f92cc04acbL,
+          0x374496cfc69caeL, 0xbf2c5d016ebfecL }
+    },
+    {
+        { 0x605418bd0518d1L, 0x3237f809e1cbc6L, 0x37a7005286c019L,
+          0xf1fb0e0b15af0bL, 0xfc3b97caa853c0L, 0x1f48bd0e6beba2L,
+          0x8e5d7c5e6a72f1L, 0x575e66d26ebf0cL },
+        { 0x099477662eae3dL, 0x53f074f96c9c65L, 0x6cfbfdbb81badeL,
+          0x98b4efe3fed7d1L, 0xdaa112338c3382L, 0xdf88b7347b8ec6L,
+          0x9b0fe4b9504a4fL, 0x2e7df4cf30c1c3L }
+    },
+    {
+        { 0x25380cb2fc1833L, 0xb8e248c18d62deL, 0x91c8f59d82f9dbL,
+          0x5ec2b202444750L, 0x3f3a1f766b6f74L, 0x0180aa9dd7d14dL,
+          0xd0a342d2956b9cL, 0x26e910e7139873L },
+        { 0x2261dc4139e23dL, 0x7edb181b8343ddL, 0xfcf1073b4038ddL,
+          0x88870efa3bfea3L, 0x4e98ba964a263eL, 0x3c6e5dc70811f5L,
+          0x17d28f5f86055dL, 0xca9c27666e4199L }
+    },
+    {
+        { 0x0b2d8bd964ef8cL, 0x5a99b8588e2ba6L, 0x9e927b204498ceL,
+          0x9ff20c5756eb25L, 0x97cc27b3f27736L, 0xf32dd6d4729583L,
+          0xbdc26580381a94L, 0x70fef15ef2c06fL },
+        { 0x50a619149252ccL, 0x9eb4a14236b4b9L, 0x9b1b2158e00f78L,
+          0x27add366ea9c23L, 0xef61763c3a8e79L, 0xed4542fd82ce56L,
+          0xa8737e70caed75L, 0xeca0ac2d452d76L }
+    },
+    {
+        { 0x20c07793d082d0L, 0x6e3ce64c9e9f3bL, 0xb3a4dce75a195fL,
+          0x3a3c305bdd9f24L, 0xe2545c88688942L, 0xa463c82080f32bL,
+          0x442974842686b8L, 0xf50e20d7213866L },
+        { 0x265ac523826e74L, 0x26fba57228e8ecL, 0x8a1e1dbe6b3ed8L,
+          0x7c7b278f0fe65aL, 0x9a6df23c395234L, 0x99562060b0f114L,
+          0x440c8c4ef90837L, 0x21ad22a3645f65L }
+    },
+    {
+        { 0x1e023a6edd31b2L, 0xf76d1459ff8668L, 0x970705617b45c8L,
+          0x06120781e88e37L, 0x85c51c8922faacL, 0x4df392e22756d9L,
+          0x8907fd0a03c98eL, 0x626f46a52ea51cL },
+        { 0xf8f766a486c8a2L, 0x8c499a288ed18cL, 0x44d2dc63c4f0deL,
+          0x47dde686f2a0b6L, 0x9a655f84a973fdL, 0x3e7124e786ac80L,
+          0x699e61ce8a0574L, 0xdf0ba9a31cdd0dL }
+    },
+},
+{
+    {
+        { 0x76270add73e69bL, 0x991120fc67d38aL, 0x7be58309469f0cL,
+          0x93aba597db40acL, 0x2b707bc822fc08L, 0x4199fc069551cdL,
+          0x38deed4f367324L, 0xca518e12228787L },
+        { 0x72f1befd9a9277L, 0x57d4aabe49ae90L, 0x13810d5db23478L,
+          0x2a8b7809b4b77fL, 0xb542f4e1b4e004L, 0x4080fd03ec77f0L,
+          0xb49e9fecec6596L, 0x20338d33f16037L }
+    },
+    {
+        { 0x4adcdae53554b0L, 0xfea4906e04c4dbL, 0x0808bec7748233L,
+          0xde7477c47148d7L, 0xdd9124c03da38cL, 0x6b2503125ee8e9L,
+          0xae67399b0d6161L, 0x70c4acd82203b6L },
+        { 0x9683916d31dae8L, 0x34775031ac7f69L, 0x9553153988e4adL,
+          0xb58f41153a15e1L, 0xb65a2d492ba2ddL, 0x7c3efb1a90169cL,
+          0x210f45e6b1747dL, 0x16e8d1bcff488dL }
+    },
+    {
+        { 0x252adf89d703dbL, 0x259ac1dfdfeb39L, 0x7faf6af115e806L,
+          0x7aaefd6c1aff21L, 0x80542107c0113dL, 0x481f1a5e19b4b1L,
+          0x7c17d43fcc8c61L, 0x8b04452bb0bbbeL },
+        { 0xe51e5f54cebae1L, 0x05341ba56a414cL, 0x0083a2c7fb8a30L,
+          0xb4663f277f4952L, 0xce72eec4bb0074L, 0x74fdd66a3584d1L,
+          0x6b9e58eb02e076L, 0x5be45d53b961f4L }
+    },
+    {
+        { 0xc7474f31ab2e0bL, 0x2838ccbf4bf454L, 0x634392ef3c3eacL,
+          0x440e40a137602bL, 0xeea67e9d1ae8e3L, 0xafdf93a77e221eL,
+          0x3c9f3da2719a10L, 0x466ecef32c8256L },
+        { 0x1061c19f9c432fL, 0xa1332d9b1c7d98L, 0xbc735f2a425c2cL,
+          0x1429cdf4b1bccbL, 0x77b42a16bbb5f9L, 0x30078e35955ae4L,
+          0x8acd77721cc315L, 0xaa90d5fe86fa99L }
+    },
+    {
+        { 0xfcfd460721115aL, 0x6a7de3e08269b8L, 0xe5964a696dd47eL,
+          0x6717cd58dca975L, 0x7ea4ebe98b149eL, 0x6f894d5b7b8057L,
+          0xbd6f9607f30e31L, 0x61ca45323df092L },
+        { 0x32241f99d782f3L, 0x55173b02abfae2L, 0x0abe0edd15bbbdL,
+          0xb6d3c0ab438abbL, 0x62fb4679ffa20bL, 0x30926b5d31560aL,
+          0x44bf27c2a0aa6dL, 0xf7473131a4cb97L }
+    },
+    {
+        { 0xa2f6c0db0535deL, 0xcb02ae1c855166L, 0xc699e6bb3422f0L,
+          0x774febe281ba8aL, 0x1d9d24fffabcc7L, 0x0b31ba1fe12ba5L,
+          0x4c8680313d0af7L, 0x90640d32f47160L },
+        { 0xa0c4bf45876603L, 0x717f6fa950ab08L, 0xf12bb53a710de8L,
+          0xc500c616a88f50L, 0x0070f992645351L, 0x57aab5d2446893L,
+          0xd553fa8b68f657L, 0xe8537c1693c55dL }
+    },
+    {
+        { 0x58e86eb7fc7684L, 0xdf330f7bfc73a9L, 0x41e337dcc11936L,
+          0x36d92006e35759L, 0x01327033500d8bL, 0xfa684059483354L,
+          0xc8f2980667851bL, 0x538ec8918296b0L },
+        { 0xa2a2c4fcff55f9L, 0xb260d4d60d20bdL, 0x3ed576fd9cc59fL,
+          0x4ed8c64d514fccL, 0x37ebfb2c22b315L, 0xca67a3694c212cL,
+          0x4f8e08c3a1795eL, 0x498f9264e7261fL }
+    },
+    {
+        { 0xfea7382c59b3d4L, 0xb9942ed3f2925fL, 0xe4b00dc8ea77e8L,
+          0x74a18ec3cab02eL, 0xbbbb752ef16d0bL, 0x639da4fffab032L,
+          0xc371a4a3aa30f0L, 0x8e26b22caa175bL },
+        { 0x94e41567e2b62eL, 0x7cceea625a794cL, 0x931d2f4479f015L,
+          0x946183d90b25b2L, 0x1504e9768a2807L, 0xa7577d3fa49dddL,
+          0x24fc87edd48699L, 0x9edefd63d7d99cL }
+    },
+},
+{
+    {
+        { 0x0508b340f0b450L, 0xe0069a5c36f7f4L, 0x26556642a5a761L,
+          0x0193fd8848e04dL, 0xc108cf573fe2e7L, 0x05eb0ecfd787d4L,
+          0x1555ccbff28985L, 0xb5af09f651b995L },
+        { 0x167d72ce1134beL, 0xd6d98bf57c669aL, 0x40fb7166dd76faL,
+          0xeabbf202a41b31L, 0x300ff0e09b75b0L, 0x32b6fadd9a0c1eL,
+          0x805188365a80e0L, 0x8bef69332110feL }
+    },
+    {
+        { 0x637802fbef47d4L, 0xfac114b2d16eaaL, 0x7b3f3ab0415644L,
+          0x17ab8d12dd895bL, 0x271b7fe87195f3L, 0xa3f867ea71f65fL,
+          0x39ba40cc80583aL, 0x6db067256e1fccL },
+        { 0x4feab4e06662a8L, 0xc857415c74bd46L, 0x18032ed732b126L,
+          0x87c8aea7a099eaL, 0xb4a753536fe0a8L, 0x33a98da27673f6L,
+          0x3e40c022b8e549L, 0x2def1af9a4c587L }
+    },
+    {
+        { 0x9618b68a8c9ad9L, 0xd70b4aa49defdaL, 0xae8b1385f788efL,
+          0x87c3542dd523f4L, 0xe42c7055c5b004L, 0x6303360fa7df57L,
+          0x33e27a75f6d068L, 0x9b3268e8ff331aL },
+        { 0x845cc9623ee0c3L, 0x003af70ac80084L, 0x6a9f931530c41dL,
+          0xa1d7051bb127f0L, 0x642ce05ca36245L, 0xc34205b0323ee9L,
+          0x7cc8912b7b3513L, 0x6252cc8076cbdbL }
+    },
+    {
+        { 0x10e68a07089522L, 0x36c136158fc658L, 0x490397d74723a4L,
+          0x42692c0519d56cL, 0x69d251bf1ff235L, 0xe689d03c2cbf37L,
+          0xf04ceba825b7f4L, 0xd6b9bee2281c2eL },
+        { 0xc52ef3fe0043abL, 0x351bf28d1d1be8L, 0x277615f0f18a5aL,
+          0x31f717f5d6800fL, 0xf5fb82dab922e2L, 0x99aee2f2d6ae43L,
+          0x42477fec63b982L, 0x904aeb1a594a01L }
+    },
+    {
+        { 0xaa82174eb39974L, 0xbc38e6195e6aa0L, 0x6a3df8a25c0675L,
+          0xf324203ffbe739L, 0xfa5a0b4a3f0649L, 0x79c87327a7a6b8L,
+          0xeb65ecd40ad3f5L, 0x718d416e4e45c5L },
+        { 0x029dbf4e2326fdL, 0x0c63416e7942f0L, 0x6d0c7286f4e678L,
+          0x59f0b10a138601L, 0x8a1d9788d92ea9L, 0x9f8d712c22eca5L,
+          0x73970447b6b96bL, 0xa2d49eee6fb955L }
+    },
+    {
+        { 0x249f900bf14a19L, 0xd3522da63a8cd2L, 0x28a32f386964d2L,
+          0xacf712bc1fa743L, 0x98a9bfc0bb94d3L, 0x318ece1bc06824L,
+          0xfc476754fce7f0L, 0x19caec9e4135b7L },
+        { 0x6de68a8c6817bbL, 0x7121960f3b6d89L, 0xa7d4261f5a818eL,
+          0x0c0ba519157455L, 0x78b6acf450d5ffL, 0x198b4934e8649aL,
+          0x0941a3cfd05da3L, 0x264ea4adb55951L }
+    },
+    {
+        { 0xcfee91c46e5a31L, 0x47b6806fff7366L, 0xdb14be45df849dL,
+          0x3c5e22bac66cc7L, 0x7f3f284a5f4769L, 0x4e00815383be36L,
+          0x39a9f0b8072b0bL, 0x9887cd5c7eadd6L },
+        { 0x7dd8f05b659511L, 0x15c796dd2e1cb9L, 0xe5edb0c0d31345L,
+          0x2025df06939c60L, 0x6314c08bf15de1L, 0x03c154804c7fb5L,
+          0x413337fbb5d3edL, 0xfc20b40477e983L }
+    },
+    {
+        { 0x7f968805db0ef9L, 0x05562dee9c2a70L, 0x071e5bc7dae133L,
+          0xa8cdd12237fc4aL, 0x6d565e74ea492bL, 0xa17cf94381ee52L,
+          0x6ab8a4e9f5c546L, 0xbb642f340288efL },
+        { 0x64e59215df5c2dL, 0x43696e3bb906f4L, 0x73a841a74ae46cL,
+          0xe264883c506b8aL, 0x9542e1aa1be548L, 0x89385395e81b4aL,
+          0x5642cfaeaca6ceL, 0xed8077b806e0f9L }
+    },
+},
+{
+    {
+        { 0x1c776c47e13597L, 0x0ec8b289e584fdL, 0x0bb6043b8b61e8L,
+          0xdcc17489cd835bL, 0x493e6ac39fef9aL, 0xb44eb34d133e17L,
+          0xfebcd0071cb6f9L, 0xe6cf543d20eff2L },
+        { 0xf265cad0a004c7L, 0x9b06c9dd35cc12L, 0x769f985cb4ea53L,
+          0x29160a20993434L, 0xdf8dd108d939c4L, 0xefa177c6711e2fL,
+          0x1695790cd7a2cdL, 0x38da3d777f6642L }
+    },
+    {
+        { 0x9bfcfd96307b74L, 0xc26a36dbfdabc3L, 0x9341be04abe28eL,
+          0xdb20b5273d1387L, 0xf8d229c3d1949cL, 0xf1e0afeb8b3a41L,
+          0x29c60dfed565d0L, 0x6930bb58b43b2cL },
+        { 0x1d76527fc0718fL, 0xdb981431f67189L, 0x0c62f6451f32ccL,
+          0x70a66268bd35e5L, 0x1725641c1cece7L, 0x7f130a8f96f4a4L,
+          0x72319e9f06ee98L, 0x215b73867bf9b2L }
+    },
+    {
+        { 0x8d1bec20aaddd7L, 0xfb8b95bb8be4f9L, 0xeac193efde1026L,
+          0xa5edea79d5860cL, 0x4adbaea44280d3L, 0xce8b67038f4798L,
+          0x914c107ec30deaL, 0xbdc5cf7000776bL },
+        { 0xb6fd7d1a206a13L, 0x9941ebadae986eL, 0x76c27a81f1caaaL,
+          0x6967c123f108b4L, 0x6f115284aea2d0L, 0x9bb4319144ddacL,
+          0x1a4d3eac8ec6fcL, 0xfe4b0b8bf37420L }
+    },
+    {
+        { 0x5d9a4a1ec0ac6fL, 0x84b79f2fc7c80dL, 0x64222f7c14fac3L,
+          0xdd9e039c23b3f2L, 0x4a84abdea956bbL, 0x370dcbaebe09dcL,
+          0x79a9ea8e0eaf82L, 0x4cfb60aaee375fL },
+        { 0x6a10dbf9106827L, 0xa3ba5cf43f305bL, 0x481b885c1bb083L,
+          0x2f52380b3117b1L, 0x0066122ddd6791L, 0x4f8923e63bace3L,
+          0x5c5f499ecb88d4L, 0xfdc780a3bac146L }
+    },
+    {
+        { 0x34b70ae7ba1f71L, 0x909182945bd184L, 0x3b39778e707313L,
+          0xdeefc5e6164e91L, 0xbb55bed4971f39L, 0x7d523398dafc8bL,
+          0x82391bfa6adf0fL, 0xfd6f90ae319522L },
+        { 0x60fdf77f29bbc9L, 0xeff9ed8aaa4030L, 0x978e045f8c0d3fL,
+          0xe0502c3eed65cdL, 0x3104d8f3cfd4c8L, 0xab1be44a639005L,
+          0xe83f4319eeab3fL, 0x01970e8451d797L }
+    },
+    {
+        { 0xbc972f83180f4bL, 0xac053c0617779dL, 0x89392c57fa149fL,
+          0xdc4699bbcb6263L, 0x0ae8b28ce12882L, 0xdca19a7af1a4dcL,
+          0xd3d719f64e1a74L, 0xbb50201affdd5dL },
+        { 0x56f73107ac30e9L, 0x65cc9c71878900L, 0x83f586627338a3L,
+          0x122adefac5bb13L, 0x97de2001bcd4d5L, 0x6ed3985b8aa3a0L,
+          0x8680f1d6821f9bL, 0xcb42028dda9f98L }
+    },
+    {
+        { 0xcdb07080ec2db3L, 0xe28c8333dad1a1L, 0x2093e32de2da07L,
+          0x731707383b8987L, 0xad17871f552b8dL, 0x846da9851cf70aL,
+          0xf94a16e5c4f5e1L, 0x84299960f8348aL },
+        { 0x4bf3f6898db78aL, 0xad77fa83d19b52L, 0x69767728b972dcL,
+          0x7dfa35a5321be0L, 0x9881846dd344a6L, 0xe550292ad4e2a8L,
+          0x8075217bc68bf1L, 0xdd837c4893be15L }
+    },
+    {
+        { 0x09c931ed4fab5bL, 0xb2dcf08b77a0f1L, 0x7dac5c0e0d38a6L,
+          0xa5570b00ae73afL, 0xc7c19d3f5aed28L, 0x575fa6f5251e92L,
+          0xb843cd6cdf7275L, 0xd9d3d8e9a01287L },
+        { 0xf94e356b3c370bL, 0xc62b99ffe464b0L, 0x7792650a986057L,
+          0xeaa67d5c4b1874L, 0xba1ba4d0b07078L, 0xdbf636d7a03699L,
+          0x1a16c34edd32a3L, 0x6ce2495a45cb5dL }
+    },
+},
+{
+    {
+        { 0xd7c4d9aa684441L, 0xce62af630cd42aL, 0xcd2669b43014c4L,
+          0xce7e7116f65b24L, 0x1847ce9576fa19L, 0x82585ac9dd8ca6L,
+          0x3009096b42e1dbL, 0x2b2c83e384ab8bL },
+        { 0xe171ffcb4e9a6eL, 0x9de42187374b40L, 0x5701f9fdb1d616L,
+          0x211e122a3e8cbcL, 0x04e8c1a1e400bfL, 0x02974700f37159L,
+          0x41775d13df8c28L, 0xcfaad4a61ac2dbL }
+    },
+    {
+        { 0x6341b4d7dc0f49L, 0xaff6c2df471a53L, 0x20ec795fb8e91eL,
+          0x4c7a4dfc3b7b62L, 0x9f33ff2d374938L, 0x38f8c653a60f2eL,
+          0xc1168ac2efef73L, 0x046146fce408eeL },
+        { 0x9b39ac0308b0c3L, 0xe032d6136b8570L, 0xee07d8dfc4aacfL,
+          0x0a82acbd5a41ddL, 0xbe0ded27c3d726L, 0xce51d60b926ce9L,
+          0xfa2f7f45806c1eL, 0xe367c6d1dec59cL }
+    },
+    {
+        { 0x64511b6da2547bL, 0x76a349c0761405L, 0x37d662601223abL,
+          0x0e243c1f4d7c48L, 0xdc9c8b4da756a0L, 0xc7430dfd72e7e9L,
+          0x0eb130827b4210L, 0x7a9c044cf11cbdL },
+        { 0x2c08ff6e8dd150L, 0x18b738c2932fc6L, 0x07d565104513e8L,
+          0x0ca5cffaa40a17L, 0xd48634101baa8fL, 0xfb20fafb72b79eL,
+          0x1a051e5654020fL, 0xe3b33174e17f23L }
+    },
+    {
+        { 0x05910484de9428L, 0x620542a5abdf97L, 0xaa0ededa16a4d1L,
+          0xa93f71c6d65bb9L, 0x88be135b8dfaf9L, 0x1d9f4e557ca8eeL,
+          0x4c896aa26781adL, 0xd3fbe316c6c49fL },
+        { 0x088d8522c34c3dL, 0xbb6d645badff1eL, 0xe3080b8385450dL,
+          0x5ccc54c50ab1f3L, 0x4e07e6eac0657dL, 0xa7ba596b7ef2c0L,
+          0xcceca8a73a81e9L, 0xa0b804c8284c35L }
+    },
+    {
+        { 0x7c55956f17a6a2L, 0xb451d81789cfa8L, 0xdf414e82506eaaL,
+          0x6ef40fbae96562L, 0x63ea2830e0297eL, 0xf5df26e73c46faL,
+          0xe00641caac8bceL, 0xc89ed8f64371f3L },
+        { 0xd22b08e793202eL, 0x39a9033875cb50L, 0xe64eec0f85ddb4L,
+          0xdce45a77acf7b5L, 0x39d1e71b9b802dL, 0xafdfe7cbd559acL,
+          0x17ec1f8809eeb5L, 0x8c0e38a4889b8cL }
+    },
+    {
+        { 0x47eabfe17089daL, 0x2d18466ec90c50L, 0xa511aa45861531L,
+          0xebb3d348c39b39L, 0xa0ac4daf1b5282L, 0xea26be7a9dadbaL,
+          0x8992ba8554d86eL, 0x7fcbdb6d5f2ef5L },
+        { 0x320e79b56863e7L, 0xeb9d0c0a7dce2dL, 0xb9f4031784cbc6L,
+          0x68823ee7ac1f81L, 0xa6b6f4f9d87497L, 0x83c67b657f9b6eL,
+          0x37357470fef2a7L, 0xf38028f59596e2L }
+    },
+    {
+        { 0x9ea57ab7e82886L, 0x18221c548c44d5L, 0xbf8e6cf314a24fL,
+          0x70ff18efd025e5L, 0x08d03de5334468L, 0x2b206d57404fb7L,
+          0xb92327155e36b0L, 0xcc7604ab88ddd9L },
+        { 0x3df51524a746f0L, 0x8fdebd8168e3fcL, 0xffc550c7f8c32cL,
+          0x1dbbc17148743eL, 0xd48af29b88e18bL, 0x8dca11c750027cL,
+          0x717f9db1832be3L, 0x22923e02b06019L }
+    },
+    {
+        { 0xd4e06f5c1cc4d3L, 0x0fa32e32b4f03aL, 0x956b9afc4628d0L,
+          0x95c39ce939dad1L, 0x39d41e08a00416L, 0xfd7ff266fb01aaL,
+          0xc6033d545af340L, 0x2f655428e36584L },
+        { 0x14cfb1f8dff960L, 0x7236ffcda81474L, 0xc6a6788d452d0fL,
+          0x2ad4a5277f6094L, 0x369d65a07eea74L, 0x27c6c38d6229aaL,
+          0xe590e098863976L, 0x361ca6eb38b142L }
+    },
+},
+{
+    {
+        { 0x6803413dfeb7efL, 0xb669d71d3f4fadL, 0x5df402ac941606L,
+          0xe5d17768e6c5b7L, 0x131bcb392ab236L, 0x7f1fb31ce2e0e0L,
+          0xa2c020d9e98c35L, 0x33b23c0f28657bL },
+        { 0xed14e739cf7879L, 0x10d4867b4357b3L, 0x127cea331e4e04L,
+          0xc60d25faa5f8a7L, 0xfef840a025b987L, 0x78081d666f2a0aL,
+          0x0fa0b97ac36198L, 0xe0bb919134dc9fL }
+    },
+    {
+        { 0xc1d2461cc32eaeL, 0x0fdbfdf0f79a37L, 0x70f2bc21c95f02L,
+          0x7d68bec372cddfL, 0x44f78178439342L, 0xa3d56784843a6cL,
+          0xbadf77a07f8959L, 0xf45819873db4caL },
+        { 0xe8eaaf3d54f805L, 0x2f529d1b84c1e7L, 0x404e32e21e535cL,
+          0xabac85c159b5f5L, 0x4e8e594b00466fL, 0x40fcaabc941873L,
+          0x3b4e370be407c6L, 0xccd57885b2e58dL }
+    },
+    {
+        { 0x3ee615e88b74a8L, 0xd7d6608eab4e69L, 0x27cf9f1e4ace36L,
+          0x282359e7aebabbL, 0x96e509bf6d162fL, 0xad906f3f1a290aL,
+          0xe7d6c4f1314a58L, 0xeecffe4218431dL },
+        { 0xa66e0e9e2cfed9L, 0xb0887ec71f0544L, 0xd34e36ba04c5d7L,
+          0x094daa5ed4392dL, 0xcda83adc8aa925L, 0x1adef91b979786L,
+          0x3124dcbfddc5d6L, 0x5cc27ed0b70c14L }
+    },
+    {
+        { 0x386dbc00eac2d8L, 0xa716ecbc50ca30L, 0x9e3fc0580d9f04L,
+          0x37dde44cfeacebL, 0xd88d74da3522d5L, 0x6bb9e9f2cf239aL,
+          0x9e7fb49a7cbfecL, 0xe1a75f00a5c0efL },
+        { 0x6e434e7fb9229dL, 0x0ec6df5c8a79b3L, 0x7046380d3fb311L,
+          0xe957ef052e20faL, 0x0f4fe9a9ef4614L, 0x1b37d9c54d8f2bL,
+          0x23b2dc139d84a2L, 0xf62c4f6724e713L }
+    },
+    {
+        { 0xbd6922c747e219L, 0x34d14383869b7bL, 0x8c875a596f2272L,
+          0xd9602c03fe361eL, 0x081348f744839fL, 0x61bd16c61ac1f1L,
+          0x993b727d8da4e1L, 0xbb40ba87741271L },
+        { 0xe6dcc9881dcfffL, 0x9f513f593ce616L, 0xdc09683618cd8fL,
+          0xc3b1d1026639beL, 0xe8f149fc762ee2L, 0x59f26efb244aaeL,
+          0x3f2de27693dd96L, 0xd8b68f79c3a7deL }
+    },
+    {
+        { 0x6fa20b9970bd5bL, 0x87242d775f6179L, 0xa95a6c672d9308L,
+          0x6eb251837a8a58L, 0xfdea12ac59562cL, 0x4419c1e20f1fc3L,
+          0x0c1bd999d66788L, 0x4b7428832c0547L },
+        { 0x4f38accdf479abL, 0x01f6271c52a942L, 0xe3298f402ca9a7L,
+          0x533dacab718fc8L, 0x133602ab093ca8L, 0xc04da808f98104L,
+          0xd0f2e23af08620L, 0x882c817178b164L }
+    },
+    {
+        { 0x28e6678ec30a71L, 0xe646879f78aca1L, 0x868a64b88fa078L,
+          0x671030afee3433L, 0xb2a06bb87c0211L, 0x202eca946c406aL,
+          0x64d6284e4f0f59L, 0x56ae4a23c9f907L },
+        { 0x5abbb561dcc100L, 0x6fef6cf07c7784L, 0xb6e25cddb7302dL,
+          0xa26785b42980e8L, 0xe7d4043fb96801L, 0x46df55d8e4282bL,
+          0x9c0a5f5c602d6eL, 0xf06560475dfe29L }
+    },
+    {
+        { 0x0e82a1a3dcbc90L, 0xb1ee285656feacL, 0xfa4353b0d3d3b2L,
+          0xc2e7a6edd5c5dfL, 0x13707e1416ce53L, 0xc84ce0787ebc07L,
+          0xdd273ce8a9a834L, 0x432a6175e8e1e7L },
+        { 0xa359670bd0064aL, 0xc899dd56534516L, 0x666560edb27169L,
+          0x1537b22a19a068L, 0x3420507eac7527L, 0x479f25e6fc13a7L,
+          0xc847acc1bc19b3L, 0xecdecf00b20d45L }
+    },
+},
+{
+    {
+        { 0x6f241004acea57L, 0xdace1c6da68597L, 0xea7dd4150ce77fL,
+          0x1aecb841585884L, 0x92ff208ea4a85cL, 0xde9433c88eebd2L,
+          0x53cd3183f4d289L, 0x397085826539afL },
+        { 0x4b57599b827d87L, 0xdc82ac03d77638L, 0x694336652f6e61L,
+          0xb8fc4b0ad5e8a6L, 0x1b6f7dcf388642L, 0x6f24533a74dd57L,
+          0xc66937841750cfL, 0x06757eb28a37afL }
+    },
+    {
+        { 0x0e70d53c133995L, 0x88a5e0c7c8c97dL, 0x4e59dbf85f3be3L,
+          0x0f364ac0e92698L, 0x3a1e79bef6940fL, 0xc8a3941d85d23aL,
+          0x143bb999a00e58L, 0x61cf7d6c6f2f10L },
+        { 0x979c99485150feL, 0xcfd0df259d773fL, 0xce97b9daab7bcdL,
+          0xc9fff8e6afd8fcL, 0x246befd89a4628L, 0xf6302821567090L,
+          0x15393426749c58L, 0xff47d0ea0f3fd3L }
+    },
+    {
+        { 0x09b0bfd35f6706L, 0x74645812c82e69L, 0xb60729f50d5fe9L,
+          0xf13324595c74f1L, 0x33647e3bb76c89L, 0x01264045a9afccL,
+          0x46d57ee0f154abL, 0x2efa55525680a4L },
+        { 0x12ebfc65329d90L, 0xcb37ae579800afL, 0x5bb53496f8e310L,
+          0x9b59c63f1bb936L, 0x5b49baaf4610e9L, 0x2bbeeef4f2d6acL,
+          0x87ee21e0badc67L, 0x12e2aadf1ddfa0L }
+    },
+    {
+        { 0x5b4668fa9109eeL, 0xfa951338a6cea2L, 0xe45e6fc4068e16L,
+          0x8ae9a0c0205ed8L, 0x2993b96679b79bL, 0xc6b878fed604d3L,
+          0x01d020832c77f3L, 0xd45d890495a1abL },
+        { 0x99348fa29d2030L, 0x961f9a661f8f7aL, 0xfd53212674f74bL,
+          0x45cee23b3e72bcL, 0x3fccb86b77e2d5L, 0xdff03104219cb7L,
+          0x233771dc056871L, 0x1214e327d2c521L }
+    },
+    {
+        { 0x9f51e15ff2a8e1L, 0x86571c5138bc70L, 0xbfc4caf0c09d46L,
+          0x65e33fec2a0c18L, 0x8214392426867dL, 0x51ce6c080ae4edL,
+          0x6cbe8d7b110de6L, 0x7f6e947fd22ea4L },
+        { 0x7373a75cadefc4L, 0x6fca1d2b0c682fL, 0xcd2140df3c7c1eL,
+          0x8653a37558b7a5L, 0x653e74e55eb321L, 0xbe0c6b3c31af73L,
+          0x3376379f4fc365L, 0x3570b3771add4dL }
+    },
+    {
+        { 0x9061ec183c3494L, 0xaf2f28d677bc95L, 0x6fe72793bf8768L,
+          0xc5f50e30fa86d8L, 0x6c03060a3293ceL, 0x4d53357e2355a6L,
+          0x43a59eae4df931L, 0x6f48f5d13b79c6L },
+        { 0xa4d073dddc5192L, 0x6d0e318a65773fL, 0x1008792765de9eL,
+          0xa724ed239a0375L, 0x510ff1497d7c9eL, 0x251f6225baa863L,
+          0x86464fe648a351L, 0xf85e98fd50fd91L }
+    },
+    {
+        { 0x29c963486ee987L, 0x93e8e5210dcc9fL, 0xa1fc4d1c910b1fL,
+          0x015acacfeb603eL, 0xc9f25f80844a5fL, 0x50de93c73f4dacL,
+          0x1758783310a4aaL, 0x544d570358f106L },
+        { 0x4eeec7b1dc68caL, 0x6238e6fe00fbcbL, 0x34d394cb4e83c9L,
+          0x764ffa22292656L, 0x5614cd1f641f2eL, 0x4252eb69e07234L,
+          0xcbaef4568d2ba4L, 0x8c9c5508a98b17L }
+    },
+    {
+        { 0xf235d9d4106140L, 0x1bf2fc39eb601eL, 0x6fb6ca9375e0c3L,
+          0x4bf5492c0024d2L, 0x3d97093eb54cc6L, 0xc60931f5c90cb5L,
+          0xfa88808fbe0f1aL, 0xc22b83dd33e7d4L },
+        { 0x9cfec53c0abbf5L, 0x52c3f0a93723dfL, 0x0622b7e39b96b6L,
+          0x300de281667270L, 0x50b66c79ef426aL, 0x8849189c6eb295L,
+          0xeaec3a98914a7eL, 0x7ed56b0c4c99e0L }
+    },
+},
+{
+    {
+        { 0x7926403687e557L, 0xa3498165310017L, 0x1b06e91d43a8fdL,
+          0xf201db46ac23cbL, 0x6f172ad4f48750L, 0x5ed8c8ce74bd3eL,
+          0x492a654daba648L, 0x123010ba9b64ffL },
+        { 0xa83125b6e89f93L, 0x3a3b0b0398378aL, 0x9622e0b0aebe7cL,
+          0xb9cbfdc49512a4L, 0x13edffd6aaf12aL, 0x555dff59f5eafdL,
+          0x3cba6fe1212efaL, 0xd07b744d9bb0f8L }
+    },
+    {
+        { 0x45732b09a48920L, 0xf3080fc13ff36dL, 0x9347395de8f950L,
+          0x14d025a382b897L, 0x60c5a7404d72adL, 0x30be7e511a9c71L,
+          0x43ffabd31ac33aL, 0x97b06f335cbb14L },
+        { 0xe4ff5c57740de9L, 0x5fed090aacf81eL, 0x97196eee8b7c9dL,
+          0x316dcd1045910bL, 0x7a2b2f55ad8c63L, 0x674fffdc5b03bbL,
+          0xc1cd133e65953cL, 0x3c060520a83556L }
+    },
+    {
+        { 0x797c3f6091c23dL, 0x2ea2de339c9c05L, 0x5d958b4a31f67cL,
+          0xf97afe5d5f088cL, 0xbcfbd2a0b37243L, 0xc43ad3eeca630cL,
+          0xb92a33742845e0L, 0x970bff7a9a0f16L },
+        { 0x86355115970a79L, 0xcee332ef205928L, 0x2c58d70c04c208L,
+          0xdbfe19a3f5e5bfL, 0x8f8f2c88e51c56L, 0xb61f58e8e2da75L,
+          0x4046a19624d93fL, 0x7de64dbe1f9538L }
+    },
+    {
+        { 0xd018e1cc2d850eL, 0x8cdb64363a723cL, 0x9a65abe90a42afL,
+          0xfeece9616f20ccL, 0xc906800d5cff56L, 0x0acf23a3f0deedL,
+          0x2143061728dd3aL, 0x66276e2b8ce34cL },
+        { 0x23700dc73cc9c7L, 0xdb448515b1778bL, 0x330f41e4aab669L,
+          0x2f5aabcf5282a4L, 0xff837a930f9e01L, 0x1a1eb2f901cc98L,
+          0xd3f4ed9e69bd7fL, 0xa6b11418a72a7dL }
+    },
+    {
+        { 0x34bde809ea3b43L, 0x5ddcb705ced6aeL, 0x8257f5b95a6cb8L,
+          0xaac205dc77dcb8L, 0x77d740d035b397L, 0xca7847fcf7e0a6L,
+          0x9404dd6085601bL, 0x0a5046c457e4f9L },
+        { 0xcaee868bc11470L, 0xb118796005c5f6L, 0xcc04976ec79173L,
+          0x7f51ba721f6827L, 0xa8e3f0c486ff7eL, 0x327163af87838cL,
+          0xcf2883e6d039fdL, 0x6fb7ab6db8b0e2L }
+    },
+    {
+        { 0x8ca5bac620d669L, 0xff707c8ed7caa9L, 0xdaefa2b927909bL,
+          0x1d2f9557029da3L, 0x52a3ba46d131a0L, 0xe5a94fd3ab1041L,
+          0x508917799bc0aeL, 0xf750354fa1bd16L },
+        { 0xdd4e83a6cd31fdL, 0xd33505392fac84L, 0xf914cbc1691382L,
+          0x669683fda6ade6L, 0x69446438878513L, 0x429d3cc4b1a72dL,
+          0x655c46a61eec36L, 0x881eded4bc4970L }
+    },
+    {
+        { 0x5b39d377ca647fL, 0x41533c1e917b34L, 0xea2aeb57daf734L,
+          0xf1ef1eb1286560L, 0x582f2e008e0473L, 0x5913d7d5edc74aL,
+          0x588c7ec3c1e754L, 0xbd6db057146fe1L },
+        { 0x3b0d49e7634907L, 0x4c65ce4e43b9ccL, 0xb87e9582d92d5bL,
+          0x05135727ab1519L, 0x03ec0848c3aed0L, 0x4d7aa21561a641L,
+          0xe5f821199e92adL, 0x379b55f48a457cL }
+    },
+    {
+        { 0x8317c34d6a8442L, 0xb0ab4a5ae499daL, 0xebcb16e720e8ebL,
+          0xfd5c5639a96908L, 0xcab4d67ad23acfL, 0xa600a79bcdf748L,
+          0x18a6340a2a6a51L, 0xf2f415c3aabd69L },
+        { 0xdb38a4f747258aL, 0xb6ea5602e24415L, 0xfad1ea9f1f7655L,
+          0x4e27eb5c957684L, 0xf8283e1b2e1cfcL, 0x8f83bd6aa6291cL,
+          0x28d23b55619e84L, 0xb9f34e893770a4L }
+    },
+},
+{
+    {
+        { 0x1bb84377515fb1L, 0xac73f2a7b860a6L, 0x78afdfa22b390fL,
+          0x815502b66048aaL, 0xf513b9785bf620L, 0x2524e653fc5d7cL,
+          0xa10adc0178c969L, 0xa1d53965391c8dL },
+        { 0x09fccc5a8bcc45L, 0xa1f97d67710e1eL, 0xd694442897d0a1L,
+          0x7030beb5f42400L, 0xdebe08c7127908L, 0x96b715c2187637L,
+          0xc598250b528129L, 0x0f62f45a1ccb07L }
+    },
+    {
+        { 0x8404941b765479L, 0xfdecff45837dc4L, 0x1796372adbd465L,
+          0x5f84c793159806L, 0x6d2e46b6aaad34L, 0xd303b4a384b375L,
+          0x440acd5b392002L, 0x4f2a4a7c475e87L },
+        { 0x038e1da5606fc2L, 0x2d821c29c2f050L, 0xc074cb3f139db4L,
+          0xde2fee74ec59beL, 0x5a819eea84ed59L, 0xd65c62c3e98711L,
+          0x72eb440b9723c1L, 0xb92775401be611L }
+    },
+    {
+        { 0x929fe64ab9e9fcL, 0x04379fd0bf1e85L, 0xb322093bc28ee3L,
+          0x78ac4e2e4555e1L, 0xdb42b58abc5588L, 0x1c1b5e177c8b12L,
+          0xf6d78dd40366c4L, 0xc21ff75bdae22eL },
+        { 0x1e3d28ea211df2L, 0xc5a65a13617c0aL, 0x3fa02c058140d5L,
+          0x155c346b62d10cL, 0xc9cf142e48268fL, 0xdc140831993bc3L,
+          0x07c44d40ee69dcL, 0x61699505e2ac46L }
+    },
+    {
+        { 0x44e4a51d0fb585L, 0x00846bef1f3ce8L, 0xedef39a8e2de1eL,
+          0x430afe333b3934L, 0xac78b054337188L, 0x0f39de4c9a3f24L,
+          0x039edddc9ae6a4L, 0xf4701578eacd51L },
+        { 0x1e396949a2f31aL, 0xc8a40f4b19a8b1L, 0xdddd10c9d239d8L,
+          0xf974245887e066L, 0xfdb51113ea28c6L, 0xb5af0fbe1122a9L,
+          0xd30c89f36e0267L, 0x7b1c0f774f024cL }
+    },
+    {
+        { 0x1ec995607a39bfL, 0x1c3ecf23a68d15L, 0xd8a5c4e4f59fe9L,
+          0xacb2032271abc3L, 0xbc6bdf071ef239L, 0x660d7abb39b391L,
+          0x2e73bb2b627a0eL, 0x3464d7e248fc7eL },
+        { 0xaa492491666760L, 0xa257b6a8582659L, 0xf572cef5593089L,
+          0x2f51bde73ca6bfL, 0x234b63f764cff5L, 0x29f48ead411a35L,
+          0xd837840afe1db1L, 0x58ec0b1d9f4c4bL }
+    },
+    {
+        { 0x8e1deba5e6f3dcL, 0xc636cf406a5ff7L, 0xe172b06c80ca0fL,
+          0x56dc0985ffb90aL, 0x895c2189a05e83L, 0x6ddfaec7561ac2L,
+          0xaa3574996283a0L, 0x6dfb2627e7cd43L },
+        { 0x6576de52c8ca27L, 0x6a4a87249018ebL, 0x00c275c5c34342L,
+          0xe34805ad2d90c4L, 0x651b161d8743c4L, 0xb3b9d9b7312bf3L,
+          0x5d4b8e20bf7e00L, 0x8899bdf78d3d7eL }
+    },
+    {
+        { 0x9644ad8faa9cd1L, 0x34c98bf6e0e58eL, 0x6022aad404c637L,
+          0x2a11a737ac013bL, 0x5bdd1035540899L, 0x2e675721e022a4L,
+          0xe32045db834c33L, 0x74a260c2f2d01cL },
+        { 0x20d59e9c48841cL, 0x05045dde560359L, 0xeba779cac998acL,
+          0x5bed10c00a6218L, 0x25d4f8e5327ef4L, 0xa2784744597794L,
+          0xefd68ca831d11eL, 0x9ad370d934446aL }
+    },
+    {
+        { 0x3089b3e73c92acL, 0x0ff3f27957a75cL, 0x843d3d9d676f50L,
+          0xe547a19d496d43L, 0x68911c98e924a4L, 0xfab38f885b5522L,
+          0x104881183e0ac5L, 0xcaccea9dc788c4L },
+        { 0xfbe2e95e3c6aadL, 0xa7b3992b3a6cf1L, 0x5302ec587d78b1L,
+          0xf589a0e1826100L, 0x2acdb978610632L, 0x1e4ea8f9232b26L,
+          0xb21194e9c09a15L, 0xab13645849b909L }
+    },
+},
+{
+    {
+        { 0x92e5d6df3a71c1L, 0x349ed29297d661L, 0xe58bd521713fc9L,
+          0xad999a7b9ddfb5L, 0x271c30f3c28ce0L, 0xf6cd7dc2a9d460L,
+          0xaf728e9207dec7L, 0x9c2a532fcb8bf0L },
+        { 0xd70218468bf486L, 0x73b45be7ab8ea8L, 0xddfc6581795c93L,
+          0x79416606bb8da2L, 0x658f19788e07a2L, 0xa9d5b0826d3d12L,
+          0x4d7c95f9535b52L, 0xad55e25268ef8aL }
+    },
+    {
+        { 0x94a9b0ba2bc326L, 0x485ecc5167e5f3L, 0x8340bc7c97fc74L,
+          0x06f882b07aaa5cL, 0x4b57455849698aL, 0xd9281ebb36a0baL,
+          0x8918c6c8b8108fL, 0xedd1eea5b50d1dL },
+        { 0x94d737d2a25f50L, 0x0e5a8232446ad0L, 0x02a54357ced3e2L,
+          0xb09a92a4af8cedL, 0x85fc498eeecef2L, 0x06a02b9e71e3d4L,
+          0x00ad30784bb49aL, 0xf61585e64a5b4aL }
+    },
+    {
+        { 0x915f6d8b86a4c9L, 0x944bc6ba861e1fL, 0x3091ca754465efL,
+          0x11df859eb53a38L, 0xd44dde50144679L, 0x6c8da9a0994eddL,
+          0xeebcebf91241efL, 0xc419354c2f6859L },
+        { 0x1f4969349581b6L, 0x5712b10bb26cb4L, 0x8fcaa41b09fd59L,
+          0xbd39aad72e22e3L, 0xf70e794b1199b0L, 0xdf63c0cc6f863dL,
+          0xd58166fee9df4fL, 0xb9224eac45e70bL }
+    },
+    {
+        { 0x80072face525f4L, 0x8597bd666a5502L, 0xf65e203dbc9725L,
+          0xeccfbe3f2222a4L, 0x490aa422339834L, 0x134889162489e8L,
+          0xaff3f80a735084L, 0x69d53d2f3f1bd6L },
+        { 0xb123ffc813341aL, 0x359084c1173848L, 0x751425ed29b08dL,
+          0x1edda523890ad4L, 0xb64974c607cf20L, 0xa8c8cb8b42ac7cL,
+          0xd5cb305edd42e5L, 0xf3034dc44c090aL }
+    },
+    {
+        { 0x428921dbb18e19L, 0x4cfd680fed2127L, 0x671144d92ac8c3L,
+          0x2121901132c894L, 0x25d0e567604cd9L, 0xa372223afbc2a0L,
+          0xcf98a5256c16f7L, 0x71f129ab5459e1L },
+        { 0xf4afdc5b668b2eL, 0xc5d937a0c2d410L, 0xe2cc4af285d54aL,
+          0x1c827778c53e18L, 0x270f2c369a92f6L, 0x799f9ac616327aL,
+          0xce658d9d4246f2L, 0x0fb681ffb12e36L }
+    },
+    {
+        { 0xc5ab11ee0690feL, 0x80261e33f74249L, 0x8eb4b4758c1cf2L,
+          0x4895a80184ae9bL, 0x4a4bdb6d3e27ebL, 0xa7a1638bfd251cL,
+          0x29ec144417a7e3L, 0xd0736093f1b960L },
+        { 0xcb1ed8349c73d1L, 0x33fc84a8d1945aL, 0x9f668dbe965118L,
+          0x3331743a82811fL, 0xf394dec28ba540L, 0x44ce601654a454L,
+          0x240dbb63623645L, 0xf07e7f22e61048L }
+    },
+    {
+        { 0x7c9f1763d45213L, 0x3eefa709c1f77fL, 0xde3c3c51b48350L,
+          0x4a2bc649d481a7L, 0xfd4a58a7874f3dL, 0x96655d4037b302L,
+          0x945252868bf5abL, 0x1b6d46a75177f6L },
+        { 0x7de6763efb8d00L, 0xb2c1ba7a741b7bL, 0xcca6af47bae6edL,
+          0xe4378ca5b68b3fL, 0xfb757deaf71948L, 0x7f07b5ebc6ac99L,
+          0x752a56827d636dL, 0xc8b7d1d4b8a34fL }
+    },
+    {
+        { 0x76cb78e325331bL, 0x41f41c9add2eedL, 0x03db2385c5f623L,
+          0xbbc1d177102fa2L, 0x80f137a60182ecL, 0xfdd856955adf15L,
+          0x4f53f5ee3373dcL, 0xec6faf021b669bL },
+        { 0x7d4e9830b86081L, 0x10d3cd9f2d979cL, 0x0f48f5824a22c8L,
+          0x86c540c02f99eeL, 0xf4c66545e6c5fcL, 0xaf0c588bc404c8L,
+          0x2e6edbd423118aL, 0x86e32e90690eabL }
+    },
+},
+{
+    {
+        { 0x1d12656dfbfa6fL, 0xa4980957646018L, 0x2f1071bc3597d0L,
+          0x3df83f91dda80aL, 0x5853e28f3ae449L, 0xb853d319e19aadL,
+          0x863f01ba0d8a46L, 0xa84fca62fef108L },
+        { 0xbe4c0b7fb84de9L, 0x40a03dcc0727bfL, 0x781f841b18575cL,
+          0x6a63045466cddbL, 0x6be758205dc7a2L, 0x420f87f07ae811L,
+          0x28082423bf96c8L, 0x723998c51c6821L }
+    },
+    {
+        { 0x38ab64181f5863L, 0xd82ecbd05ff9e1L, 0x339c94ea065856L,
+          0x143054aa45156dL, 0xe6d64bf065628cL, 0xe530086a938589L,
+          0x22d3a49385d79bL, 0x0b107900ab8245L },
+        { 0xb0d80fbca387b5L, 0x698206e35551d7L, 0x199685da10bb73L,
+          0xa8e5fa89107378L, 0x36e5724d99dbbfL, 0xd67f476d581b03L,
+          0x7a15be788dd1e6L, 0x8dac8e4e5baa31L }
+    },
+    {
+        { 0x4d5d88fe170ef8L, 0xb6ba5de1e9e600L, 0x4a89d41edeabc5L,
+          0x737c66b8fac936L, 0x8d05b2365c3125L, 0x85a5cbcb61b68eL,
+          0x8fea62620a6af9L, 0x85115ded8b50ecL },
+        { 0x5430c8d6a6f30bL, 0x8bef9cf8474295L, 0x0648f5bbe77f38L,
+          0xfe2b72f9e47bd7L, 0xad6c5da93106e2L, 0x4fa6f3dfa7a6c3L,
+          0xdcd2ed8b396650L, 0x7de1cce1157ef9L }
+    },
+    {
+        { 0x70a5f6c1f241d1L, 0x6c354d8798cd5cL, 0x23c78381a729fbL,
+          0xcff8f15523cbdaL, 0x5683ff43493697L, 0xef7dbab7534f53L,
+          0xd7bd08e2243d53L, 0x6f644cbf8072a9L },
+        { 0xac960f9b22db63L, 0xa97f41723af04dL, 0x692b652d9798afL,
+          0x0e35967fedb156L, 0x14b5e50dfe6ee8L, 0x7597edeb411070L,
+          0x116f3ce442b3f9L, 0xe9b5ae81b2b6dbL }
+    },
+    {
+        { 0xf4385ee2315930L, 0xc8d029827a8740L, 0x7907a8dd934a43L,
+          0x20bc946c582191L, 0xa4acb3e6a405e7L, 0x8c1d6c843df2f5L,
+          0x9df1593991f0b5L, 0xbb9df984d9be9dL },
+        { 0x63620088e4b190L, 0xee1421eada3a88L, 0xb84f0ccf93b027L,
+          0x7a5d6678e95091L, 0x3974462f3e3704L, 0xfa6fb5ec593e98L,
+          0x44b6cf7a6477d2L, 0xe885b57b09a562L }
+    },
+    {
+        { 0x6e339e909a0c02L, 0x57afff00e75f29L, 0x797d8d6fb7db03L,
+          0xc6e11a3d25a236L, 0x643ce1c0107260L, 0xe644ec462eae1cL,
+          0x821d5b83f5a3f5L, 0xa8ad453c0579d6L },
+        { 0x6518ed417d43a4L, 0x46e76a53f87ccdL, 0xd6cbaabf9bef95L,
+          0x25688324f7cbcfL, 0x367159a08476b4L, 0x1d1b401be6d324L,
+          0x348cb98a605026L, 0x144f3fe43b6b1eL }
+    },
+    {
+        { 0xbabbd787b1822cL, 0xd34ba7e2aa51f8L, 0x086f1cc41fbea4L,
+          0x96f7eac746f3d9L, 0xad97f26281ecafL, 0x751a905a14ee2cL,
+          0xb4e7fe90d7335fL, 0x0d97b8f4892ff0L },
+        { 0xdb8a3155a5c40eL, 0x64e5de77ba567bL, 0x4f155f71eefe88L,
+          0xe2297e9fb6fbf4L, 0xfe24bf96c16be5L, 0x2251847cdd83e2L,
+          0x13ac2c85eda444L, 0x49d1b85283275fL }
+    },
+    {
+        { 0xca08731423e08fL, 0x7046bb087d2f14L, 0x876f10c3bc846cL,
+          0x2202b76358fbe3L, 0x0d4fc1c0e26ac6L, 0x1fc748bb986881L,
+          0x609e61c8384a18L, 0x28a72d60d88e00L },
+        { 0x1332a3178c6e2fL, 0x0367919b3526a4L, 0x53989e4698fe3eL,
+          0x14b1145b16a99bL, 0xef9ec80ddbb75fL, 0x76256240e53955L,
+          0x54e087a8744ae1L, 0xce50e8a672b875L }
+    },
+},
+{
+    {
+        { 0x4c88b2ba29629cL, 0x946559c7b2642fL, 0x933d432f7ebe4cL,
+          0x97109b663632c9L, 0x799b3fbe53184dL, 0xd4628710f069a6L,
+          0x0c182a13a68351L, 0x974a8399a2437aL },
+        { 0x29f19972a70278L, 0x01b98b6d9c424bL, 0xd85a60b08f4c37L,
+          0xcc3523f2b1da15L, 0xf922115ddffb0fL, 0xee0fe4dde84ae2L,
+          0x810440c55365beL, 0xd2f66391a457e8L }
+    },
+    {
+        { 0x5e6879fe2ddd05L, 0x92a7545abdfc61L, 0x7dedd63a5cede8L,
+          0x8a03b3f70df4bdL, 0xa5d1f6591f6cbbL, 0x372fde610f3fb2L,
+          0x4537f9ea9dee05L, 0x7eb85bbdf7aa50L },
+        { 0x963edf8e8c504dL, 0x53c8dcae7bdb6bL, 0xa246e4c6fedf2dL,
+          0x75533400c55bdeL, 0x2aa748d0270a54L, 0xadb6cf005860ddL,
+          0x8d314509b84763L, 0x626720deb405efL }
+    },
+    {
+        { 0xa3709ae6601328L, 0x68e94fd2ac2478L, 0x38793439d5d247L,
+          0xfa467af392c198L, 0x49e7b0d15df607L, 0x8c5812261792a8L,
+          0x79f76581d3762fL, 0xaa38895244a39dL },
+        { 0xef60af9c5cd0bcL, 0x2b0db53a33b3bbL, 0xe3e0b1f251015dL,
+          0xc608afce64489eL, 0xe52b05703651aaL, 0x1dda8b91c6f7b9L,
+          0x833f022ff41893L, 0x58eb0a0192818cL }
+    },
+    {
+        { 0x6c1300cfc7b5a7L, 0x6d2ffe1a83ab33L, 0x7b3cd019c02eefL,
+          0x6c64559ba60d55L, 0x2e9c16c19e2f73L, 0x11b24aedbe47b1L,
+          0xc10a2ee1b8153bL, 0x35c0e081e02e1aL },
+        { 0xa9f470c1dd6f16L, 0x4ea93b6f41a290L, 0xac240f825ee03fL,
+          0x6cd88adb85aabdL, 0x378a64a1be2f8fL, 0xbf254da417bac1L,
+          0x7e4e5a59231142L, 0x057aadc3b8c057L }
+    },
+    {
+        { 0x607c77a80af479L, 0xd3e01ff5ccdf74L, 0x9680aaf101b4c7L,
+          0xd2a7be12fc50a6L, 0x92a788db72d782L, 0x35daf2e4640b52L,
+          0xc170d6939e601cL, 0x16e05f57b25c2fL },
+        { 0x47a42a66fe37f8L, 0xeb74271beca298L, 0x401e11e179da16L,
+          0xfb8da82aa53873L, 0xd657d635bb4783L, 0x6847758fcea0b1L,
+          0x2f261fb0993154L, 0x868abe3592853aL }
+    },
+    {
+        { 0x1a4c54335766abL, 0xa1c84d66f4e4eaL, 0x5d737a660ba199L,
+          0x4a7b1e298b15a2L, 0x207877ffd967d3L, 0xcaec82dc262b4dL,
+          0x0b278494f2a37dL, 0x34781416ac1711L },
+        { 0x28e3df18fc6856L, 0xbec03f816d003fL, 0x2bd705bff39ebdL,
+          0x1dcb53b2d776d3L, 0xabafa7d5c0e7ceL, 0x5b9c8c24a53332L,
+          0xe9f90d99d90214L, 0x789747ec129690L }
+    },
+    {
+        { 0x94d3c3954e2dfaL, 0x919f406afb2a8fL, 0x159ef0534e3927L,
+          0xcdb4d14a165c37L, 0xa23e5e8288f337L, 0x95867c00f90242L,
+          0x2528150e34e781L, 0x104e5016657b95L },
+        { 0x695a6c9bcdda24L, 0x609b99523eb5faL, 0xcbce4f516a60f8L,
+          0xec63f7df084a29L, 0x3075ada20c811fL, 0x129a1928c716a1L,
+          0xd65f4d4cd4cd4aL, 0xe18fa9c62188beL }
+    },
+    {
+        { 0x1672757bac60e3L, 0x525b3b9577144bL, 0x38fc997887055bL,
+          0x7a7712631e4408L, 0x884f173cba2fcfL, 0x783cbdc5962ac0L,
+          0x4f3ed0a22287dcL, 0x8a73e3450e20e6L },
+        { 0xe7a1cd0d764583L, 0x8997d8d0d58ee6L, 0x0ea08e9aa13ed6L,
+          0xed478d0cf363cbL, 0x068523d5b37bf4L, 0x8b5a9e8783f13cL,
+          0xde47bbd87528a9L, 0xd6499cccaec313L }
+    },
+},
+{
+    {
+        { 0x54781bbe09859dL, 0x89b6e067f5e648L, 0xb006dfe7075824L,
+          0x17316600717f68L, 0x9c865540b4efe2L, 0xdbdb2575e30d8eL,
+          0xa6a5db13b4d50fL, 0x3b5662cfa47bebL },
+        { 0x9d4091f89d4a59L, 0x790517b550a7dcL, 0x19eae96c52965eL,
+          0x1a7b3c5b5ed7a4L, 0x19e9ac6eb16541L, 0x5f6262fef66852L,
+          0x1b83091c4cda27L, 0xa4adf6f3bf742bL }
+    },
+    {
+        { 0x8cc2365a5100e7L, 0x3026f508592422L, 0xa4de79a3d714d0L,
+          0xefa0d3f90fcb30L, 0x126d559474ada0L, 0xd68fa77c94350aL,
+          0xfa80e570c7cb45L, 0xe042bb83985fbfL },
+        { 0x51c80f1fe13dbaL, 0xeace234cf055d7L, 0x6b8197b73f95f7L,
+          0x9ca5a89dcdbe89L, 0x2124d5fdfd9896L, 0x7c695569e7ca37L,
+          0x58e806a8babb37L, 0x91b4cc7baf99ceL }
+    },
+    {
+        { 0x874e253197e968L, 0x36277f53160668L, 0x0b65dda8b95dbeL,
+          0x477a792f0872a1L, 0x03a7e3a314268dL, 0xa96c8420c805c7L,
+          0xb941968b7bc4a8L, 0x79dce3075db390L },
+        { 0x577d4ef6f4cc14L, 0x5b0d205b5d1107L, 0x64ff20f9f93624L,
+          0x0b15e315034a2fL, 0x3a0f6bb8b6f35cL, 0x0399a84e0d0ec5L,
+          0xd0e58230d5d521L, 0xdeb3da1cb1dd54L }
+    },
+    {
+        { 0x24684ae182401aL, 0x0b79c1c21a706fL, 0xe1d81f8d8998afL,
+          0xadf870f4bb069fL, 0xd57f85cf3dd7aaL, 0x62d8e06e4a40f8L,
+          0x0c5228c8b55aa1L, 0xc34244aa9c0a1aL },
+        { 0xb5c6cf968f544eL, 0xa560533de23ab7L, 0xaa5512047c690cL,
+          0x20eda5b12aaaa6L, 0xea0a49a751a6a0L, 0x6d6cfff2baa272L,
+          0x95b756ebf4c28aL, 0xd747074e6178a4L }
+    },
+    {
+        { 0xa27b453221a94bL, 0xd56ad13e635f20L, 0x03574b08c95117L,
+          0xf0ee953ed30b70L, 0xb48d733957796fL, 0xf5d958358c336bL,
+          0x6170cd882db529L, 0xcd3ef00ec9d1eaL },
+        { 0xd1bea0de4d105fL, 0xd2d670fad6a559L, 0x652d01252f9690L,
+          0x5f51fb2c2529b0L, 0x5e88bf0e89df2aL, 0x9a90684cd686e4L,
+          0xf519ccd882c7a1L, 0x933a0dfc2f4d37L }
+    },
+    {
+        { 0x0720a9f3f66938L, 0x99356b6d8149dfL, 0xb89c419a3d7f61L,
+          0xe6581344ba6e31L, 0xd130561ab936c8L, 0x0625f6c40dbef1L,
+          0x7b2d6a2b6bb847L, 0x3ca8b2984d506bL },
+        { 0x6bf729afb011b0L, 0x01c307833448c9L, 0x6ae95080837420L,
+          0xf781a8da207fb8L, 0xcc54d5857562a9L, 0xc9b7364858c5abL,
+          0xdfb5035359908fL, 0x8bf77fd9631138L }
+    },
+    {
+        { 0xf523365c13fbb1L, 0x88532ea9993ed5L, 0x5318b025a73492L,
+          0x94bff5ce5a8f3cL, 0x73f9e61306c2a0L, 0x00abbacf2668a3L,
+          0x23ce332076237dL, 0xc867f1734c0f9bL },
+        { 0x1e50995cfd2136L, 0x0026a6eb2b70f8L, 0x66cb1845077a7dL,
+          0xc31b2b8a3b498eL, 0xc12035b260ec86L, 0x1cbee81e1b3df0L,
+          0xfd7b8048d55a42L, 0x912a41cf47a8c8L }
+    },
+    {
+        { 0xab9ffe79e157e3L, 0x9cfe46d44dc158L, 0x435551c8a4a3efL,
+          0x638acc03b7e3a8L, 0x08a4ebd49954a7L, 0x295390c13194f7L,
+          0x3a2b68b253892aL, 0xc1662c225d5b11L },
+        { 0xcfba0723a5d2bbL, 0xffaf6d3cc327c9L, 0x6c6314bc67e254L,
+          0x66616312f32208L, 0xf780f97bea72e1L, 0x495af40002122fL,
+          0x3562f247578a99L, 0x5f479a377ce51eL }
+    },
+},
+{
+    {
+        { 0x91a58841a82a12L, 0xa75417580f3a62L, 0x399009ff73417aL,
+          0x2db1fb90a8c5cdL, 0x82c8912c046d51L, 0x0a3f5778f18274L,
+          0x2ad0ede26ccae2L, 0x7d6bd8b8a4e9c2L },
+        { 0xaa0d7974b3de44L, 0xf8658b996ac9bbL, 0x31e7be25f6c334L,
+          0x23836ce4df12c9L, 0x029027b59eb5c9L, 0x2f225315b8649dL,
+          0xa0fdf03d907162L, 0x101d9df9e80226L }
+    },
+    {
+        { 0xf12037a9a90835L, 0xd2d0882f0222a7L, 0xeaf8d40c3814e2L,
+          0xa986dc68b8146bL, 0x147a3318504653L, 0x734e0032feaf67L,
+          0x6f27bbf602bec5L, 0xa1e21f16a688f3L },
+        { 0x5a8eeab73c4ae5L, 0x4dbaddbe70b412L, 0x871cebacfd2af1L,
+          0x18603827d7a286L, 0x024059db5bb401L, 0x2557c093c39b73L,
+          0xfc5a7116681697L, 0xf881c0f891b57cL }
+    },
+    {
+        { 0x3c443f18ea191aL, 0x76faa58d700ad0L, 0x6fe6cfabe7fcbfL,
+          0xaefc5288990ef7L, 0x44e30fa80004ccL, 0xc744adc6d8ef85L,
+          0xafcd931912df70L, 0xf62a9d1572a6d8L },
+        { 0x47158a03219f27L, 0x76fb27ead73136L, 0x41bb2adcc2d614L,
+          0x8858cb9de1ec21L, 0xab402c45f15866L, 0x6675d5bbc82bbfL,
+          0x4ee9dd6f1b28d3L, 0x875884fe373c17L }
+    },
+    {
+        { 0x17806dd2a67d36L, 0xaa23a8632c9ec1L, 0xd914126fc1ee55L,
+          0xbf8f7bd653701bL, 0x9b0111aea71367L, 0x61fd4aba98e417L,
+          0xeb45298561c5a5L, 0x2187b0ae7af394L },
+        { 0x71f12db1616ddeL, 0x061760907da7b4L, 0x414d37602ddb04L,
+          0x1100be7286fb58L, 0xd7cf88d6f0d95bL, 0x8539d23746d703L,
+          0xdccc9d64e23d73L, 0xaeef1d2ec89680L }
+    },
+    {
+        { 0x82ccf1a336508dL, 0xa128c1f5bad150L, 0x551d8c029a188dL,
+          0xef13dd4771404fL, 0xdd67696c37b993L, 0x428c0e20dddad2L,
+          0x222278d038c94cL, 0x1a24a51078e3f2L },
+        { 0xd297fe6edb0db9L, 0x00988d28251a87L, 0xbb946f8bfaa0d7L,
+          0x380f7b9df45ea0L, 0x8526415afccf5eL, 0x909bfbfe9ec7bcL,
+          0x2ed7093124755cL, 0x436802889404e2L }
+    },
+    {
+        { 0x21b9fa036d9ef1L, 0xfd64b7ce433526L, 0xd9d7eb76544849L,
+          0x201620cd5b54b3L, 0x25fab3dbb61159L, 0x90d4eb0c53e0d3L,
+          0xba098319e74772L, 0x8749658ec1681cL },
+        { 0xa354349fec316bL, 0x639a9b1a743ea2L, 0x2e514ca37c50e6L,
+          0x9f4a4fddbaf6c5L, 0x0df87ef6f511c9L, 0xadd4cef0c00d95L,
+          0x401c0ebaa1433fL, 0x3c3a59ebb38af9L }
+    },
+    {
+        { 0x8706245f0e7dcaL, 0xad238cd3fb29caL, 0x03304439b7d8f0L,
+          0xfdcd6e6154f495L, 0xc67e24a7d4ad09L, 0x1b209e85438390L,
+          0xf893b81b0c211eL, 0x1aa86f07e11e36L },
+        { 0x2cca3ffedea8b1L, 0x7eedd073b306cdL, 0x78e37bc12ee222L,
+          0x257870bbc42a1dL, 0x5fb2bb91fbd397L, 0x470247009d6c60L,
+          0x11748a320bdc36L, 0x3ff24dc04280e8L }
+    },
+    {
+        { 0x0eb1c679839b52L, 0x5bcca27acfbd32L, 0xb506c1674898e3L,
+          0x37d662e2489e5eL, 0x8dc0731f694887L, 0x571149ef43f1dcL,
+          0x6430a3766d63dcL, 0x0d2640eb50dd70L },
+        { 0x2b561493b2675bL, 0x1b4806588c604fL, 0x55c86a8aafbabcL,
+          0xa7b9447608aabaL, 0xa42f63504cad8cL, 0x0f72b1dcee7788L,
+          0x1d68374755d99aL, 0xd7cdd8f5be2531L }
+    },
+},
+{
+    {
+        { 0x67873bdbcdfee1L, 0xa5a0c0afcd0a3fL, 0x59389f93cfa3d4L,
+          0x14e945ce1c865cL, 0x62d2f8e1d588ccL, 0xfd02f8a8e228b4L,
+          0x208f791b42b649L, 0x0e0dff1ab397adL },
+        { 0x30ac3d90bc6eb1L, 0xf14f16a5f313bbL, 0x70fa447e2a0ad2L,
+          0x6e406855a0db84L, 0xd52282be32e1e7L, 0x315a02a15ca330L,
+          0x9a57a70867c2feL, 0x55f07650054923L }
+    },
+    {
+        { 0x2d729f6c0cf08fL, 0x6b80138ebaf57fL, 0x6285bcc0200c25L,
+          0xee845192cd2ac7L, 0x28fce4d922778aL, 0x761325ccd1011cL,
+          0xd01f2475100e47L, 0xc7a1665c60d8e1L },
+        { 0x950966d7ceb064L, 0x0a88e8578420dbL, 0x44f2cfce096f29L,
+          0x9d9325f640f1d2L, 0x6a4a81fd2426f1L, 0x3ed6b189c905acL,
+          0xba3c0e2008854dL, 0x1df0bd6a0d321bL }
+    },
+    {
+        { 0x0117ad63feb1e7L, 0xa058ba2f1ae02fL, 0x5eee5aa31b3f06L,
+          0x540d9d4afacd4dL, 0x38992f41571d91L, 0xef2738ebf2c7deL,
+          0x28bfcab92a798dL, 0x37c7c5d2286733L },
+        { 0xb99936e6470df0L, 0x3d762d58af6a42L, 0xa8c357ac74eec5L,
+          0x9917bebf13afbcL, 0x28f0941f2dc073L, 0x306abf36ce7df7L,
+          0xa3c5f6fd6973c8L, 0x640209b3677632L }
+    },
+    {
+        { 0xee872a2e23aef7L, 0xb497b6feb9b08eL, 0xfb94d973f33c63L,
+          0x9ea1ff42b32315L, 0x537b49249a4166L, 0x89c7fe6ab4f8beL,
+          0xf68007fdad8f0fL, 0xe56ef0b71b8474L },
+        { 0x478b2e83f333f9L, 0x144e718b2607f5L, 0x13aa605a4c7ab5L,
+          0xfc1fc991d0730dL, 0xe7a04375ab3ea1L, 0xc59986a306d8d3L,
+          0x24f6111702a8b1L, 0x7741394e040ad2L }
+    },
+    {
+        { 0x34c6a2560723a7L, 0x8aabd0df4ea691L, 0x9d676a55d7497fL,
+          0x12c09577d91fa4L, 0x581c7a86479284L, 0xa54f3daf4fd449L,
+          0x2f89f3c4ef44cfL, 0xfc266b5c9ec97cL },
+        { 0xfcd3fbe88b142aL, 0x9f3109f4bd69c1L, 0x08839c0b5f5a6aL,
+          0x63ca8502e68303L, 0x2f0628dbba0a74L, 0x743cccf5d56b54L,
+          0xbd4b06613e09fdL, 0x7a8415bde2ba3eL }
+    },
+    {
+        { 0x2234a3bc076ab2L, 0xd6953e54977a98L, 0xc12215831ebe2eL,
+          0x632145fbad78e2L, 0xd7ba78aa5c4b08L, 0x6f4ea71998e32aL,
+          0x25900d23485a63L, 0x97ac6286a5176fL },
+        { 0x5df91181093f7bL, 0x2bf9829c844563L, 0x525d99d6272449L,
+          0x4281cb5b5c8a18L, 0x35df2780544a08L, 0xf4c3d2dbaeb8f4L,
+          0xc7ff3175230447L, 0x6b4d7645d2fbffL }
+    },
+    {
+        { 0x4837f802b0c9cbL, 0xb65f8168ce8418L, 0xdf66ea99fc1428L,
+          0x9788ee804ea7e8L, 0x9eae9008334e3cL, 0xbc91058d6ba1b6L,
+          0x634aba1d7064b6L, 0x12d9bb3397b368L },
+        { 0x0645c85c413aa8L, 0xb09dea6ac6b5e3L, 0x29a620d289a50bL,
+          0x104db3bbbcceb1L, 0x42e479287b3309L, 0xdfc373eec97f01L,
+          0xe953f94b93f84eL, 0x3274b7f052dfbfL }
+    },
+    {
+        { 0x9d5670a1bd6fa9L, 0xec42fc9db6c4d4L, 0xaecd4ed1b42845L,
+          0x4eed90e1b03549L, 0xeb3225cbbab1faL, 0x5345e1d28a2816L,
+          0x3741cfa0b77d2aL, 0x712b19f7ea8caaL },
+        { 0x42e6844661853eL, 0x4cf4126e4a6e5dL, 0x196a9cfc3649f6L,
+          0x06621bcf21b6b1L, 0x887021c32e29eaL, 0x5703aeb8c5680fL,
+          0x974be24660f6d7L, 0xaf09badc71864eL }
+    },
+},
+{
+    {
+        { 0x3483535a81b6d3L, 0x19e7301ca037dcL, 0x748cab763ddfebL,
+          0xe5d87f66f01a38L, 0xbba4a5c2795cd6L, 0x411c5d4615c36cL,
+          0xff48efc706f412L, 0x205bafc4b519dfL },
+        { 0xfcaa5be5227110L, 0x7832f463ad0af0L, 0x34ef2c42642b1bL,
+          0x7bbef7b072f822L, 0x93cb0a8923a616L, 0x5df02366d91ba7L,
+          0x5da94f142f7d21L, 0x3478298a14e891L }
+    },
+    {
+        { 0xad79a0fc831d39L, 0x24d19484803c44L, 0x4f8a86486aeeb2L,
+          0x0ca284b926f6b9L, 0x501829c1acd7cdL, 0x9f6038b3d12c52L,
+          0x77223abf371ef5L, 0x2e0351613bf4deL },
+        { 0x7a5a4f2b4468ccL, 0xdcea921470ae46L, 0xf23b7e811be696L,
+          0xe59ad0d720d6fbL, 0x9eacac22983469L, 0x4dd4110c4397eeL,
+          0x4ef85bdcbe2675L, 0xe4999f7aa7c74bL }
+    },
+    {
+        { 0x031838c8ea1e98L, 0x539b38304d96a2L, 0x5fbdef0163956eL,
+          0x6bd4d35ce3f52aL, 0xe538c2355e897fL, 0x6078d3a472dd3fL,
+          0x590241eca9f452L, 0x2bc8495fd7fc07L },
+        { 0x23d0c89ead4c8cL, 0x1ea55a9601c66eL, 0x41493c94f5b833L,
+          0xc49a300aa5a978L, 0xc98bdc90c69594L, 0x4e44cedccbdc8cL,
+          0xb0d4e916adccbfL, 0xd56e36b32c37aeL }
+    },
+    {
+        { 0x052bd405b93152L, 0x688b1d44f1dbfaL, 0xe77ba1abe5cc5fL,
+          0x11f8a38a6ac543L, 0x3355fd6e4bb988L, 0xdf29c5af8dffb4L,
+          0x751f58981f20eeL, 0x22a0f74da9b7fbL },
+        { 0xec8f2bc6397b49L, 0xff59fc93639201L, 0xb7f130aa048264L,
+          0xe156a63afdc4ccL, 0x0fd7c34b13acafL, 0x87698d40cb4999L,
+          0x6d6ecae7f26f24L, 0xae51fad0f296e2L }
+    },
+    {
+        { 0xd0ad5ebdd0f58dL, 0x6ec6a2c5c67880L, 0xe1ce0349af1e0fL,
+          0x08014853996d32L, 0x59af51e5e69d20L, 0x0ef743aaa48ecfL,
+          0x8d3d2ea7dafcb0L, 0x4ac4fad89189b6L },
+        { 0x92d91c2eae97f1L, 0xef5eca262b4662L, 0x440b213b38b10aL,
+          0xec90187fc661daL, 0x85f3f25f64cf8dL, 0xcee53ca457ad1bL,
+          0x8deed4bf517672L, 0x7706fb34761828L }
+    },
+    {
+        { 0x1577d9117494feL, 0x52d29be2fd7239L, 0x9a0eef00186d37L,
+          0x241d0f527fe108L, 0x42824bae6fb59fL, 0xb8d33df0d48c25L,
+          0xfffdb0a47af4b0L, 0x534c601073b0b6L },
+        { 0xe6df35951c033bL, 0x3e1002b86c0f94L, 0xa7cb55548fb9b6L,
+          0x999818ba7bbff8L, 0xe4ba3d684d8bf2L, 0x53dbb326358f0aL,
+          0xeebc1e2f2568e8L, 0xc6917ebb3e0f68L }
+    },
+    {
+        { 0xbe1bbfc19f8d13L, 0xc3951b62d4795cL, 0x9371c49ed535a9L,
+          0x77c389f68cebeaL, 0xfc1a947a141d0eL, 0x4b48d7ade44f8bL,
+          0x3db1f058580a26L, 0xeed1466258b5fcL },
+        { 0x5daa4a19854b21L, 0x5bfa46f1ab1eadL, 0xc152e3559957ebL,
+          0xdc84277ea48adaL, 0x68709cffc169b5L, 0xde50ce3720e617L,
+          0xe42f262dd9a832L, 0xddffd4d2d6ce29L }
+    },
+    {
+        { 0xd5ba5578fa0a56L, 0x0d7d0f1fafaf4cL, 0x7666e4138b63edL,
+          0x04e65135d87f02L, 0xdca8866c958f32L, 0xaa8486d3ce2686L,
+          0xe3785caf1cbcd3L, 0x8a9b11403c8335L },
+        { 0x5c1dca22e0ef60L, 0x775af5b7d3fb20L, 0xe690ffc2b373a8L,
+          0x30fe15d28330e6L, 0x8a1022bdd0f393L, 0x6bd7364966a828L,
+          0x8d4b154949208aL, 0xfb38c6bb9d9828L }
+    },
+},
+{
+    {
+        { 0x6d197640340ac2L, 0x969f473ecab5ffL, 0xead46f7c458e42L,
+          0x168646a1d00eedL, 0xf70c878e0ce0cfL, 0xa7291d38d8d15aL,
+          0x92cf916fdd10ccL, 0x6d3613424f86d5L },
+        { 0xba50d172d5c4b4L, 0xe0af5024626f15L, 0x76f3809d76098aL,
+          0x433dc27d6caaa8L, 0x72dc67a70d97a7L, 0x935b360f5c7355L,
+          0xdbaac93179bb31L, 0x76738487ed1a33L }
+    },
+    {
+        { 0x8d1ca668f9fa0dL, 0x4ed95d8a02f2bfL, 0xd19fc79f630d7bL,
+          0x0448ec4f46fa51L, 0xb371dd8623bf3fL, 0xe94fabcd650e94L,
+          0x3af3fcacd90a70L, 0x0f720c403ce3b7L },
+        { 0x590814cd636c3bL, 0xcf6928d4469945L, 0x5843aaf484a4c6L,
+          0xb5a4c1af9b4722L, 0x25116b36cfb2f9L, 0xf248cf032c2640L,
+          0x8cd059e27412a1L, 0x866d536862fc5dL }
+    },
+    {
+        { 0x156e62f6de4a2eL, 0x0365af7aafcc78L, 0x65c861819e925eL,
+          0x4db5c01f8b2191L, 0x1fd26d1ad564faL, 0x16bbc5319c8610L,
+          0x0718eef815f262L, 0x8684f4727f83d1L },
+        { 0xa30fd28b0f48dbL, 0x6fef5066ab8278L, 0xd164e771a652dfL,
+          0x5a486f3c6ebc8cL, 0xb68b498dc3132bL, 0x264b6efd73323fL,
+          0xc261eb669b2262L, 0xd17015f2a35748L }
+    },
+    {
+        { 0x4241f657c4bb1dL, 0x5671702f5187c4L, 0x8a9449f3973753L,
+          0x272f772cc0c0cdL, 0x1b7efee58e280cL, 0x7b323494b5ee9cL,
+          0xf23af4731142a5L, 0x80c0e1dd62cc9eL },
+        { 0xcbc05bf675ffe3L, 0x66215cf258ce3cL, 0xc5d223928c9110L,
+          0x30e12a32a69bc2L, 0x5ef5e8076a9f48L, 0x77964ed2329d5fL,
+          0xdf81ba58a72cf2L, 0x38ea70d6e1b365L }
+    },
+    {
+        { 0x1b186802f75c80L, 0x0c153a0698665aL, 0x6f5a7fe522e8ddL,
+          0x96738668ddfc27L, 0x7e421d50d3bdceL, 0x2d737cf25001b2L,
+          0x568840f0e8490cL, 0xea2610be30c8daL },
+        { 0xe7b1bc09561fd4L, 0xeda786c26decb0L, 0x22369906a76160L,
+          0x371c71478a3da3L, 0x1db8fce2a2d9bfL, 0x59d7b843292f92L,
+          0x8097af95a665f9L, 0x7cb4662542b7a9L }
+    },
+    {
+        { 0xa5c53aec6b0c2fL, 0xc4b87327312d84L, 0xfc374cbc732736L,
+          0xa8d78fe9310cc0L, 0xd980e8665d1752L, 0xa62692d6004727L,
+          0x5d079280146220L, 0xbd1fedb860fea5L },
+        { 0xcbc4f8ab35d111L, 0x5ba8cdf3e32f77L, 0xd5b71adb614b93L,
+          0x7b3a2df2f8808dL, 0x09b89c26ef2721L, 0x55a505447c3030L,
+          0x21044312986ae6L, 0x427a0112367d4cL }
+    },
+    {
+        { 0xe9fe256c1942d8L, 0x9e7377d96e3546L, 0x43e734cb0c1744L,
+          0x5f46821211fbcaL, 0x44f83dc32b6203L, 0x84513086ad1d96L,
+          0x54dd5192fbb455L, 0xc2a18222f10089L },
+        { 0x01055a21855bfaL, 0x9e6d7b477078b4L, 0x3f8df6d30cea0eL,
+          0x81c215032973f7L, 0x17dd761c0b3d40L, 0x040424c50d0abeL,
+          0x5599413783deabL, 0xde9271e8f3146fL }
+    },
+    {
+        { 0x5edfd25af4a11dL, 0x3a3c5307846783L, 0xb20086873edd31L,
+          0x74e00ecfe0eef8L, 0xba65d2f3dd78c7L, 0xab1364371999f1L,
+          0xfa9be5dde9a7e8L, 0xeb146ce87a8609L },
+        { 0x76afd6565353e9L, 0xfa7023dd51ba1cL, 0x7a09f2237ede4fL,
+          0xca085760ba7a1bL, 0xd973882b99950aL, 0xe894266ea5057aL,
+          0xd01c4217f55e49L, 0x69cfb9c5555679L }
+    },
+},
+{
+    {
+        { 0x67867e7c5d631aL, 0x1de88c55bcf47bL, 0x8366d06afd1352L,
+          0xd7dbdef6e20337L, 0xb0f9e2f1253ec7L, 0x1be984510ad240L,
+          0x63ec533f4a6118L, 0xd5e4c5b96ce633L },
+        { 0x1d0b6c34df4a25L, 0xef9486a5a1b554L, 0x2f0e59e47b6ef3L,
+          0x4d8042f2ff84d7L, 0x3e74aa3da359c9L, 0x1baa16fd21c160L,
+          0xb4cff210191cbaL, 0x50032d8ebc6472L }
+    },
+    {
+        { 0xb6833e01fc1b13L, 0x8a8b7ba1a5ad8fL, 0xc0cafa2622b820L,
+          0xc6663af738ed20L, 0xd8944868b18f97L, 0xcf0c1f9774fbe4L,
+          0xeedd4355be814fL, 0xd81c02db57e543L },
+        { 0x5e32afc310bad8L, 0x065bc819b813d1L, 0x8efc5fc3142795L,
+          0x5006514732d59cL, 0x91e39df2b5a3ceL, 0x2ad4477faf4204L,
+          0x1a96b184d9bd4fL, 0xc3fee95a4d9c07L }
+    },
+    {
+        { 0xfac7df06b4ba61L, 0xa6ed551061aaefL, 0x35aa2d6133f609L,
+          0x420cfba20ed13dL, 0x861c63eea03d0cL, 0x75f0c56f936d6eL,
+          0xa25f68f3d9a3d5L, 0xba0b7fecd9f66eL },
+        { 0x292e1354680772L, 0x6f6a2dba73f405L, 0xca6add924ea9e4L,
+          0x81cfd61268daaaL, 0x7a4cb6ce6f147aL, 0x8ec3454bded8f5L,
+          0xc8a893b11d61cbL, 0x2256ffc7656022L }
+    },
+    {
+        { 0x6b33271575cb78L, 0x560d305adcd23eL, 0xeedbd3ad6d834bL,
+          0x614a64a5a31e27L, 0xe40b47647ee0c8L, 0x8ef4ff68bd7c2cL,
+          0xa5297fc0b77727L, 0x8759208baf88adL },
+        { 0x86cfe64918df68L, 0x9d60a73cdd882eL, 0x546b642b953014L,
+          0xbaceae38bbef55L, 0xdf58e43f1c3467L, 0x99a83fee9f9babL,
+          0xcd52cbf57a4a8bL, 0xf744e968ae36ecL }
+    },
+    {
+        { 0xb945869a607124L, 0x810dbe9440e6f6L, 0x9911e60738e381L,
+          0x51df68c343b80bL, 0xe424336f7a3f39L, 0x2d32acb989015cL,
+          0xa69b14931019e8L, 0x8a31a38ec12f93L },
+        { 0x0d0d36997c916aL, 0xdc95f3b8885372L, 0xcf1a2613549040L,
+          0x60f6f5eabe95a2L, 0xa909e9fe141325L, 0x7d598f2355c865L,
+          0x70c6442931a9c9L, 0x2354a85b423850L }
+    },
+    {
+        { 0x4cdd22497f9619L, 0x4776fffc22162eL, 0xee5ec330cd31c2L,
+          0x7c04c10f209bb8L, 0x35bbfde579e211L, 0x0e3832515cdfc2L,
+          0x657e6d3e26ffa7L, 0xc66a7c3c65c604L },
+        { 0x322acd7b45e567L, 0x1589cf0296db9bL, 0x1fd0bd3ba1db73L,
+          0xe8826109337a40L, 0xf505a50b3035c7L, 0x4d5af066ed08d7L,
+          0xb3c376b5eda400L, 0x9c7b7001944748L }
+    },
+    {
+        { 0xd76832570c3716L, 0xda62af0dd540e0L, 0x76b155d6580feaL,
+          0x4f42acc32b5464L, 0x881bb603f5b72bL, 0x09c130ee68b9baL,
+          0x37ede3b5c50342L, 0xce61a9cfd15e7dL },
+        { 0xfff1d8572605d0L, 0x62ac2d3062abc2L, 0xa85e02efbe43ddL,
+          0x859d2baa947020L, 0x2ebc8a9111c20bL, 0x7f590a7a656f66L,
+          0x0e1384316b21a6L, 0x29b30c500c7db6L }
+    },
+    {
+        { 0x61e55e2906b8deL, 0x6a97e96949974dL, 0x24b52b526eef67L,
+          0x512f5361aa595aL, 0x81cc7b83c48fcbL, 0xa64af2328115adL,
+          0x9edf6f93d44b8eL, 0x68d7f7c1fe22e3L },
+        { 0x2b2116a520d151L, 0x66a0b7d6aa3efbL, 0x48ae70a9b0f791L,
+          0xcf12174037db88L, 0x36868cd317d9f3L, 0xb57305922fc344L,
+          0xbaa852646a5d23L, 0xad6569137fc10dL }
+    },
+},
+{
+    {
+        { 0xcf8e5f512c78d5L, 0xeb94d98805cdbdL, 0xad1dcdf2ab50b5L,
+          0xf33c136f33cd31L, 0x0d6226b10aeff5L, 0xf7ff493f2f8fc5L,
+          0x7e520d4df57165L, 0x41fbae505271a7L },
+        { 0x72c898776480baL, 0x260835925f4523L, 0xed36b8d49f5f01L,
+          0x3bc1dcef3d49ebL, 0x30c1c1a4940322L, 0x78c1cda7e0f731L,
+          0x51f2dc86d05a31L, 0x57b0aa807f3522L }
+    },
+    {
+        { 0x7ab628e71f88bcL, 0xcf585f38018f21L, 0xdbbe3a413d64f6L,
+          0x0f86df1ec493a5L, 0x8355e6c7725de9L, 0x3954ffee00fe1eL,
+          0xbb8978f9924e32L, 0x1c192987812714L },
+        { 0x7c4ce3eaabca8bL, 0xf861eb59bf7019L, 0x31a84fc682e541L,
+          0x2307ca9acd1b92L, 0x6f8b6ce4bf2842L, 0xde252accb9f9a9L,
+          0x7f0611d93c46d1L, 0x8e2bd80751dc98L }
+    },
+    {
+        { 0xf2fd8fbe27d54bL, 0x2a1e37ec248071L, 0x2fcc888ab8f49aL,
+          0x42c62a3c18a9e5L, 0xe30290870b2446L, 0x90277fac5ac55dL,
+          0x8d97d56d6dde41L, 0xf4cf8a95db04feL },
+        { 0x3e280f5d30d077L, 0x2c903073cb3293L, 0xe0be2ac24eb0ddL,
+          0xa2d1a498bcb4f0L, 0x16db466cd0cd45L, 0x3b28aa79a80232L,
+          0xdd7e52f17b008eL, 0x20685f2868e4daL }
+    },
+    {
+        { 0x0a68c147c7a486L, 0xd8ef234c429633L, 0x470667bffe7506L,
+          0x55a13c88828d51L, 0x5f327412e44befL, 0x537d92a5929f92L,
+          0x0a01d5b31c5cd5L, 0xb77aa7867eb3d7L },
+        { 0x36ec45f8b82e4dL, 0x6821da0b37b199L, 0x8af37aad7fa94eL,
+          0xf0206421085010L, 0x9b886787e56851L, 0x35f394452948ceL,
+          0x125c2baafc1361L, 0x8a57d0e453e332L }
+    },
+    {
+        { 0xefe99488043664L, 0xb8b8509db1aa55L, 0x1a2e5a9332523fL,
+          0x5e255dd1045c0fL, 0xe68dd8a7ae7180L, 0x55f1cf345bf532L,
+          0xe00722ee63a716L, 0xd1c21386116bacL },
+        { 0x626221f1c6d1f4L, 0x240b8303773278L, 0xe393a0d88def16L,
+          0x229266eca0495cL, 0x7b5c6c9d3e4608L, 0xdc559cb7927190L,
+          0x06afe42c7b3c57L, 0x8a2ad0bb439c9bL }
+    },
+    {
+        { 0xd7360fbffc3e2fL, 0xf721317fbd2e95L, 0x8cacbab5748e69L,
+          0x7c89f279054bb9L, 0xcbe50faaa86881L, 0x7aa05d375206e4L,
+          0x1ea01bcc752c66L, 0x5968cde1f2c2bcL },
+        { 0x487c55f09a853eL, 0x82cbef1e09204bL, 0xad5c492abd8670L,
+          0x7175963f12dcb3L, 0x7a85762bf6aa06L, 0x02e5697f8d5237L,
+          0xccf7d1937c6157L, 0x3b14ca6c2fd59cL }
+    },
+    {
+        { 0x5e610d81b9f77fL, 0x85876d0051b02fL, 0x5d81c63b8020ddL,
+          0xd0b4116d6ce614L, 0x91810e5aa8bf0cL, 0xf27f91fcbf8c66L,
+          0x2e5dc5f38480aeL, 0x0a13ffebec7633L },
+        { 0x61ff6492bf6af8L, 0xe6aef2d641f827L, 0xad5708a5de5f04L,
+          0xe5c3a80cdfee20L, 0x88466e268fcfa2L, 0x8e5bb3ad6e1d7bL,
+          0xa514f06ed236b8L, 0x51c9c7ba5f5274L }
+    },
+    {
+        { 0xa19d228f9bc3d8L, 0xf89c3f03381069L, 0xfee890e5c3f379L,
+          0x3d3ef3d32fb857L, 0x39988495b418ddL, 0x6786f73c46e89aL,
+          0x79691a59e0f12fL, 0x76916bf3bc022bL },
+        { 0xea073b62cd8a0aL, 0x1fbedd4102fdbcL, 0x1888b14cb9d015L,
+          0x98f2cfd76655f7L, 0xb9b591059f0494L, 0xa3dbbe1e6986a3L,
+          0xef016a5eaf2b04L, 0xf671ba7cd2d876L }
+    },
+},
+{
+    {
+        { 0x1dae3bf1ae05e9L, 0x6a029961f21fefL, 0x95df2b97aec3c6L,
+          0x9abbc5ad83189bL, 0xaf994af2d13140L, 0xc3f884686aa406L,
+          0xcd77e5075284c5L, 0x1c1e13d2a9a4d7L },
+        { 0x7f8815d744b89dL, 0xb1891332ba673eL, 0x55ea93cd594570L,
+          0x19c8a18d61b041L, 0x938ebaa8d2c580L, 0x9b4344d05ba078L,
+          0x622da438eaf9b7L, 0x809b8079fea368L }
+    },
+    {
+        { 0x3780e51c33b7a2L, 0xd7a205c387b1c8L, 0x79515f84be60e4L,
+          0xde02a8b1e18277L, 0x4645c96f0d9150L, 0x45f8acbe0b3fd1L,
+          0x5d532ba9b53ac3L, 0x7984dcdb0557c9L },
+        { 0x5ae5ca68a92f01L, 0xd2fbb3c9d569caL, 0x668cc570c297c1L,
+          0xa4829436295e89L, 0xf646bc1a33ad40L, 0x066aaa4c3f425dL,
+          0x23434cdd005de2L, 0x5aca9e9db35af4L }
+    },
+    {
+        { 0x2bca35c6877c56L, 0xab864b4f0ddd7dL, 0x5f6aa74404f46cL,
+          0x72be164539c279L, 0x1b1d73ee0283cfL, 0xe550f46ad583d9L,
+          0x4ac6518e739ad1L, 0x6b6def78d42100L },
+        { 0x4d36b8cfa8468dL, 0x2cb37735a3d7b8L, 0x577f86f5016281L,
+          0xdb6fe5f9124733L, 0xacb6d2ae29e039L, 0x2ab8330580b8a1L,
+          0x130a4ac643b2d0L, 0xa7996e35e6884eL }
+    },
+    {
+        { 0x6fb627760a0aa8L, 0xe046843cbe04f0L, 0xc01d120e6ad443L,
+          0xa42a05cabef2fcL, 0x6b793f112ff09cL, 0x5734ea8a3e5854L,
+          0xe482b36775f0adL, 0x2f4f60df864a34L },
+        { 0xf521c5884f2449L, 0x58734a99186a71L, 0x157f5d5ac5eaccL,
+          0x858d9a4248ee61L, 0x0727e6d48149c3L, 0xd5c3eaaac9ec50L,
+          0xa63a64a20ee9b5L, 0x3f0dfc487be9deL }
+    },
+    {
+        { 0x836349db13e3f4L, 0xebdd0263e9316dL, 0x3fd61e8324fd6cL,
+          0x85dddfa0964f41L, 0x06e72de52add1bL, 0xb752cff8c4a9e2L,
+          0x53b0894fdf09f7L, 0xd5220ab0bc24fdL },
+        { 0x8442b35fb1981aL, 0xa733a373edd701L, 0x42b60c3d0ef089L,
+          0xa1b16ec46e7bcaL, 0xc0df179a09aaf4L, 0xcd4f187638f3a1L,
+          0x9af64f79eab1c2L, 0x86fed79d1d78e3L }
+    },
+    {
+        { 0x42c8d86fe29980L, 0x6657b816575660L, 0x82d52c680f92caL,
+          0x8587af102d42beL, 0xb5151316e8bdf0L, 0x706e2d9c333495L,
+          0xd53601a9673064L, 0x27b1fbb8219099L },
+        { 0x3f0929d705f7c8L, 0xff40b10f3d6e6fL, 0x673c703026af5cL,
+          0x2c1dce4e25a422L, 0x5348bd73dad8b6L, 0xc39b6b6be2c329L,
+          0x47854ffb921084L, 0xb347b8bb391f20L }
+    },
+    {
+        { 0x79fc841eb9b774L, 0xf32da25b4b6c1dL, 0xcbba76bfe492cbL,
+          0x76c51fcd623903L, 0x114cf6fcf0705aL, 0x6b720497815dafL,
+          0x630b362473382eL, 0xbf40c3a9704db5L },
+        { 0xa8a9ddcc5456ebL, 0x2b4472a72f2dc1L, 0x9874444d6d6ef3L,
+          0x27e8d85a0ba5edL, 0x5d225b4194849fL, 0xe852cd6ebaa40dL,
+          0xb669c248d4bf3fL, 0xa8601eb2343991L }
+    },
+    {
+        { 0x8a0485459502d3L, 0xcab27eee269a7bL, 0x41793074875adaL,
+          0x179e685e2405f9L, 0x0d7b6987b28963L, 0x80c9db8422a43eL,
+          0xf5ff318a0f43eeL, 0x7a928054ba7aa7L },
+        { 0xa5c79fe0c0834eL, 0x837ca0d1f849ecL, 0xfe0d7fa628ab7bL,
+          0x94bcb956edd19aL, 0xa18bc932226fbfL, 0x2795379aad54a3L,
+          0xceeacf8371129eL, 0x65ca57fa588be5L }
+    },
+},
+{
+    {
+        { 0x7a578b52caa330L, 0x7c21944d8ca34aL, 0x6c0fbbb6447282L,
+          0xa8a9957f90b2e5L, 0xbbe10666586b71L, 0x716a90249138a2L,
+          0x2fa6034e7ed66dL, 0x56f77ed2b9916aL },
+        { 0x69f1e26bddefb3L, 0xa4978098c08420L, 0xc3377eb09bc184L,
+          0x796ce0cbe6dadeL, 0x3be0625d103bbbL, 0x01be27c992685cL,
+          0xc0e25597755f9fL, 0x165c40d1c0dbfaL }
+    },
+    {
+        { 0xc63a397659c761L, 0x10a0e5b630fbadL, 0xf21e8a6655ac56L,
+          0xe8580fac1181e2L, 0xbfc2d9c0a84b5cL, 0x2cdbaff7afd5d1L,
+          0x95f1182f61e85aL, 0x1173e96719eaf4L },
+        { 0xc06d55ec6de8b9L, 0x1b4c8ebafcbcaaL, 0x52af5cbbc2bbcdL,
+          0x564fab877bcd10L, 0xfd53a18ae85a6eL, 0x225785994c712fL,
+          0x29b11d71352121L, 0xab1cb76c40491aL }
+    },
+    {
+        { 0xb4e8ca8ce32eb4L, 0x7e484acb250b49L, 0x062c6f7a3e31a2L,
+          0x497fd83625d1fcL, 0x98f821c362dda7L, 0xcae1f8f6be3111L,
+          0x9077e955d4fa42L, 0xa589971a65855aL },
+        { 0xda6321d28832a9L, 0xf9ef5dc3936e9eL, 0xa37f117c9797efL,
+          0x0eb3c80db581beL, 0x207c5c4baa0002L, 0xc0401b5f38faa0L,
+          0xceee523d0f1e6eL, 0x8d27a5fd1f0045L }
+    },
+    {
+        { 0x9411063cf0af29L, 0x304385789a6693L, 0x9a9fb8f640145eL,
+          0x7d82fe954832ebL, 0xf2789e1898c520L, 0x448b402f948dc0L,
+          0xeca8fdf68996ddL, 0x22227e9a149b2fL },
+        { 0x63509ff8e62d6aL, 0xe98d81c8c9c57fL, 0xd3874071fe3bedL,
+          0xf1db013539538fL, 0xb04092e48418ceL, 0xbbf8e76d6d9d4dL,
+          0x2ea9cda2cec5aeL, 0x8414b3e5078fa9L }
+    },
+    {
+        { 0x5ad1cdbd68a073L, 0xd4cedafc18b591L, 0x78267078e4c1c9L,
+          0x9b8d9209ca302aL, 0x3101bd2326115bL, 0x6f154b54c2717aL,
+          0x618c31b263e84bL, 0x12c4138bbd6942L },
+        { 0xf9ead2580da426L, 0xe748e9947d9680L, 0x9b396a38a4210eL,
+          0xfaf03ddf4b8f72L, 0xbd94a5266159e7L, 0x5e730491d4c7cbL,
+          0x31d1f9a7910f38L, 0x4fd10ca08d6dd1L }
+    },
+    {
+        { 0x4f510ac9f2331eL, 0xee872dc7e3dcc2L, 0x4a11a32a0a0c73L,
+          0x27e5803aa5a630L, 0xe5ae5037af4a8aL, 0x2dcdeba9fffeb0L,
+          0x8c27748719d91fL, 0xd3b5b62b9cc61cL },
+        { 0x998ac90cca7939L, 0xc22b59864514e5L, 0x950aaa1b35738aL,
+          0x4b208bbdab0264L, 0x6677931a557d2eL, 0x2c696d8f7c17d3L,
+          0x1672d4a3e15c51L, 0x95fab663db0e82L }
+    },
+    {
+        { 0x3d427346ff205eL, 0x7f187d90ea9fbeL, 0xbd9367f466b2afL,
+          0x188e53203daf2fL, 0xefe132927b54d8L, 0x14faf85ef70435L,
+          0xa5061281ec95c4L, 0xad01705c22cba7L },
+        { 0x7d2dfa66197333L, 0xedd7f078b4f6edL, 0xe0cb68575df105L,
+          0x47c9ddb80f76bcL, 0x49ab5319073c54L, 0x845255ae607f44L,
+          0x0b4ed9fcc74b7cL, 0xcfb52d50f5c3a6L }
+    },
+    {
+        { 0x545c7c6c278776L, 0x92a39ae98c30f0L, 0x8aa8c01d2f4680L,
+          0xa5409ed6b7f840L, 0x0c450acdcb24e7L, 0x5da6fb2c5770d9L,
+          0x5b8e8be8658333L, 0xb26bf4a67ea4adL },
+        { 0x2e30c81c7d91faL, 0x6e50a490eeb69fL, 0x9458c2bee4bc26L,
+          0x419acf233be250L, 0x79d6f8187881abL, 0x694565d403b1beL,
+          0x34b3990234fe1dL, 0x60997d72132b38L }
+    },
+},
+{
+    {
+        { 0x00a974126975dcL, 0x42161c46cf94e7L, 0xcc9fe4bc64ed99L,
+          0x020019a4680570L, 0x885595a698da0dL, 0x008444b77dd962L,
+          0xbf3c22da4fea0eL, 0xc4630482c81245L },
+        { 0xcb248c5793ab18L, 0x4dc7a20eb4320bL, 0x9a0906f1572b7dL,
+          0xd5b3019f9ac20fL, 0x79b1bf534520a3L, 0x788dfe869b5322L,
+          0x9a05298455b7e2L, 0x2f4aecb016bca9L }
+    },
+    {
+        { 0x414d3798745618L, 0x64ba22eb7c983cL, 0x9a5d19f9f9d532L,
+          0x81a00d844a80c8L, 0xb9e24f5cae98d6L, 0x6c3769caca965aL,
+          0x50d6081f6e4e6dL, 0x0d9698054422a6L },
+        { 0xbd7e7925cdd790L, 0xcff65da6a35219L, 0x40dc3638b60ebeL,
+          0x84bee7492a50dcL, 0x57d4be415ad65eL, 0xc54256b1a6d1d3L,
+          0x141c64945717ccL, 0x05eb609cd1c736L }
+    },
+    {
+        { 0xfd52eab1e3c7ecL, 0xa4a5eca9f24895L, 0xaaa2a8d79fdb83L,
+          0xd105e6072bdfdaL, 0x59e6ae2681d97eL, 0xfedf8e08e8077fL,
+          0xb06d0ad629e462L, 0x8c7c2d096fa863L },
+        { 0x5eecc4cee8fc91L, 0x5e83ab29e61174L, 0x1fd8925b28c02dL,
+          0x93be5382072864L, 0xda0c88624c984eL, 0xdcf9f0ca008286L,
+          0x1ecb5a6a58ba75L, 0x1d9b890c2e3c83L }
+    },
+    {
+        { 0x19e866eeeee062L, 0x31c1c7f4f7b387L, 0x9be60181c06652L,
+          0xc00a93a2b68bbbL, 0x54c65d69d52b2bL, 0x4591416e8b744aL,
+          0x641bcca9a64ab6L, 0xf22bcb1ab08098L },
+        { 0x3c0db8ff1f726cL, 0x4f5739e9d2e6a6L, 0x5cb669b45c9530L,
+          0x861b04e7b472d0L, 0x3e30515894da77L, 0x3344685c9ac39bL,
+          0x9e1730573bdd29L, 0x9cac12c808dc85L }
+    },
+    {
+        { 0xf152b865e27087L, 0x267bd8590a580eL, 0xba79cec8baafc1L,
+          0x6140ab19442686L, 0xa67090c5b31693L, 0x50a103a28b4117L,
+          0x7722e610ddc08fL, 0x5d19d43e6569b2L },
+        { 0x70e0c525962bf6L, 0x808e316fb5fb02L, 0x3fb80da5b667beL,
+          0x8aa366efcfacecL, 0xcb0b3e7134280eL, 0x0bf1de4cd7d944L,
+          0x0cd23bed092df5L, 0xc9a6a79a153a0cL }
+    },
+    {
+        { 0x1c69ad02d5a4b7L, 0x4bb28d0d9e6f4aL, 0x815308ca984fc6L,
+          0x40929c79037ca5L, 0x0ea2b491bd0357L, 0xec17e5b42aad4eL,
+          0x1f32ade18e7235L, 0xbc60b05a96a9d3L },
+        { 0x3b0229ae20f707L, 0xd63505056bdfadL, 0xac2d922d8b2e1eL,
+          0x92b2998235c748L, 0x6002c3ad766f97L, 0x99198001a2a862L,
+          0x2af7567b58b684L, 0xd8fe707aaafce5L }
+    },
+    {
+        { 0x54487ab5df7a4bL, 0x51cccdec57ccc2L, 0x23943277510b53L,
+          0x3a09f02f555de3L, 0xa696aec1be484dL, 0x56f459f37817a2L,
+          0x8d8f61c623dcb4L, 0xc52223c5335656L },
+        { 0xf634111b49914aL, 0xbf8e1ab8e4f9bbL, 0x2f59578f4dba02L,
+          0x2a94199e004319L, 0x87931f0654d005L, 0x7df57d96fa0814L,
+          0xc8da316a154031L, 0x2a44ac041f658bL }
+    },
+    {
+        { 0xfb5f4f89e34ac6L, 0x0a1b10b97790f2L, 0x58fe4e74b8a06cL,
+          0x10c1710955f27cL, 0x77b798ad5ebe19L, 0xaf1c35b1f1c2dcL,
+          0xc25b8e6a1f8d69L, 0x49cf751f76bf23L },
+        { 0x15cb2db436f7b7L, 0x186d7c27e74d1aL, 0x60731dec00a415L,
+          0xea1e15615f0772L, 0xf02d591714463fL, 0x26a0c6451adeb1L,
+          0x20174cdcc5229eL, 0xb817e50efd512aL }
+    },
+},
+};
+
+static const ge448_precomp base_i[16] = {
+    {
+        { 0x26a82bc70cc05eL, 0x80e18b00938e26L, 0xf72ab66511433bL,
+          0xa3d3a46412ae1aL, 0x0f1767ea6de324L, 0x36da9e14657047L,
+          0xed221d15a622bfL, 0x4f1970c66bed0dL },
+        { 0x08795bf230fa14L, 0x132c4ed7c8ad98L, 0x1ce67c39c4fdbdL,
+          0x05a0c2d73ad3ffL, 0xa3984087789c1eL, 0xc7624bea73736cL,
+          0x248876203756c9L, 0x693f46716eb6bcL }
+    },
+    {
+        { 0x28173286ff2f8fL, 0xb769465da85757L, 0xf7f6271fd6e862L,
+          0x4a3fcfe8daa9cbL, 0xda82c7e2ba077aL, 0x943332241b8b8cL,
+          0x6455bd64316cb6L, 0x0865886b9108afL },
+        { 0x22ac13588ed6fcL, 0x9a68fed02dafb8L, 0x1bdb6767f0bffaL,
+          0xec4e1d58bb3a33L, 0x56c3b9fce43c82L, 0xa6449a4a8d9523L,
+          0xf706cbda7ad43aL, 0xe005a8dbd5125cL }
+    },
+    {
+        { 0xa99d1092030034L, 0x2d8cefc6f950d0L, 0x7a920c3c96f07bL,
+          0x958812808bc0d5L, 0x62ada756d761e8L, 0x0def80cbcf7285L,
+          0x0e2ba7601eedb5L, 0x7a9f9335a48dcbL },
+        { 0xb4731472f435ebL, 0x5512881f225443L, 0xee59d2b33c5840L,
+          0xb698017127d7a4L, 0xb18fced86551f7L, 0x0ade260ca1823aL,
+          0xd3b9109ce4fd58L, 0xadfd751a2517edL }
+    },
+    {
+        { 0xdf9567ceb5eaf7L, 0x110a6b478ac7d7L, 0x2d335014706e0bL,
+          0x0df9c7b0b5a209L, 0xba4223d568e684L, 0xd78af2d8c3719bL,
+          0x77467b9a5291b6L, 0x079748e5c89befL },
+        { 0xe20d3fadac377fL, 0x34e866972b5c09L, 0xd8687a3c40bbb7L,
+          0x7b3946fd2f84c9L, 0xd00e40ca78f50eL, 0xb87594417e7179L,
+          0x9c7373bcb23583L, 0x7ddeda3c90fd69L }
+    },
+    {
+        { 0x3d0def76ab686bL, 0x1a467ec49f7c79L, 0x3e53f4fc8989edL,
+          0x101e344430a0d9L, 0xa3ae7318ad44eeL, 0xaefa6cdae1d134L,
+          0xaa8cd7d824ad4dL, 0xef1650ced584fcL },
+        { 0xa74df674f4754fL, 0xf52cea8ef3fb8bL, 0x47c32d42971140L,
+          0x391c15da256fbbL, 0xc165faba605671L, 0xf2518c687993b9L,
+          0x2daf7acbd5a84dL, 0x1560b6298f12aeL }
+    },
+    {
+        { 0xef4da0254dc10aL, 0x63118655940db8L, 0xe20b14982f2948L,
+          0x67b93775581dbaL, 0x422ee7104f5029L, 0x5d440db5122d34L,
+          0xb1e56d71a4c640L, 0xbf12abbc2408eeL },
+        { 0x0cc9f86016af01L, 0x88366abf3d8cabL, 0x85dda13a2efe12L,
+          0x390df605d00674L, 0xf18f5806d187f7L, 0x28c900ff0c5d20L,
+          0xad308123e01733L, 0x42d35b554bf2fdL }
+    },
+    {
+        { 0x009135f2ffb1f1L, 0x099fc7e8f9c605L, 0xcc67da626bfa5aL,
+          0xc186d12344552bL, 0xb5232501b339e1L, 0x70a544fc9708c5L,
+          0x06baaec1e928e7L, 0x0baedd2ef0f50fL },
+        { 0x535d6d8bf479e5L, 0x156e536e4ec3e9L, 0x3165741ddb9be2L,
+          0x988af7159fd736L, 0x13d8a782e33dddL, 0x54604214e69002L,
+          0x34d56e0804a268L, 0xc59b84f0e52a4cL }
+    },
+    {
+        { 0x525d45f24729d9L, 0x5768aba8712327L, 0xa25e43b43035dbL,
+          0x15a1ee8927ef21L, 0xa785d216056112L, 0x45e2fbfd508af9L,
+          0xb6f721a37ba969L, 0x30d6d8c216d8d3L },
+        { 0x3065e0852074c3L, 0xfa40b4a2a0684eL, 0x851325a763f955L,
+          0xd4ef19c9f25900L, 0x799c869f665756L, 0x7b052223312990L,
+          0xc986c2b28db802L, 0xf48fb8f28ade0aL }
+    },
+    {
+        { 0x1e461731649b68L, 0xa96e5d65beb9dcL, 0x765ddff481935dL,
+          0x6cf132c9f3bf2aL, 0x9f6c5c97c35658L, 0x99cd1394696e60L,
+          0x99fa9249c0d5e4L, 0x1acd0638845a95L },
+        { 0x0b065413636087L, 0xea20e78ea17b7fL, 0x20afc5f6161967L,
+          0xfd6c8a2dc81028L, 0x4ef1357e32c8fdL, 0x8aa400400e4a88L,
+          0xd6fcaef48cb82fL, 0x7ba7c6db3cd4faL }
+    },
+    {
+        { 0xf843473d19c7abL, 0x968e76dc655c4dL, 0x52c87d9c4b9c2fL,
+          0x65f641ae4aa082L, 0x491a39733c3603L, 0xa606ffe5810098L,
+          0x09920e68bf8ad4L, 0x691a0c86db7882L },
+        { 0x5205883a4d3ef5L, 0xee839b7acf2efeL, 0x4b78e2ac00ca66L,
+          0xbe3f071f9fcb91L, 0x61e66c9bf6943aL, 0xe9b4e57061b79dL,
+          0x8d1b01b56c06bdL, 0x0dfa315df76ae5L }
+    },
+    {
+        { 0x803df65f1fd093L, 0x1cd6523489b77eL, 0x2cd2e15c20e295L,
+          0xcd490be9b912d1L, 0xdd9a2ff2e886d2L, 0xa3c836dfe9d72aL,
+          0xfcad5f2298e0c1L, 0xed126e24bcf067L },
+        { 0x1e339533dc81bcL, 0xbea4d76ece6a08L, 0x1d15de3991b252L,
+          0x74cc5cfe6daf97L, 0x5ad343f0826493L, 0x2d38a471064049L,
+          0xf7f47b9ffcfa4dL, 0xef14490418066cL }
+    },
+    {
+        { 0x4e7f86b9bb55abL, 0x310d7853f496a3L, 0xbd682fc0dec42cL,
+          0xbde047a411d32aL, 0xea639b4c5a5ea2L, 0x5052078ba08fa1L,
+          0xc968b2307729f2L, 0x567b5a623d3e28L },
+        { 0x171e825977fbf7L, 0x0319c70be990aaL, 0x8f65023e12cd69L,
+          0x1fb9b19f5015e6L, 0x0083f603568a7cL, 0xba3d30b1f3c5acL,
+          0xe7b509d3d7a988L, 0x2318b99cd0f6b6L }
+    },
+    {
+        { 0x54d3b8793ab2cfL, 0x366abead2d8306L, 0x66e8eb6d7a4977L,
+          0xa61888cae0072eL, 0x9eeeef5dbc3315L, 0x93f09db163e7f5L,
+          0xee9095959ade9aL, 0xaf7f578ce59be0L },
+        { 0x24bfd8d5ece59eL, 0x8aa698b3689523L, 0xa9a65de2de92cfL,
+          0xec11dbca6ad300L, 0x217f3fa09f88caL, 0xf6c33e3b4d6af7L,
+          0xcd3bfa21d86d2dL, 0x1497f835f13f25L }
+    },
+    {
+        { 0xa579568cd03d1dL, 0xd717cdae158af6L, 0x59eda97389a19fL,
+          0xb32c370099e99cL, 0xa2dba91dabb591L, 0x6d697d577c2c97L,
+          0x5423fc2d43fa6dL, 0x56ea8a50b382bfL },
+        { 0x4a987bad80c11aL, 0xe4cde217d590a5L, 0x3dd8860f97e559L,
+          0xff45e2543b593cL, 0x00eb4535343cb5L, 0x06b9b997bbfbddL,
+          0x4da36b716aea24L, 0x247651757a624eL }
+    },
+    {
+        { 0x32207d03474e0dL, 0x3ffbf04b41cc73L, 0x5c4dc45319eb39L,
+          0xfee29be758b463L, 0xcc8a381c30c7a7L, 0x147f4e49fe0e53L,
+          0x05b2e26e35a2deL, 0x4362f0292f3666L },
+        { 0x0476d0c8474b85L, 0x9d8c65fccaf108L, 0xf58d4041d54b6aL,
+          0x3ee6862f38e4b0L, 0x7c7c9d53b44f54L, 0x36a3fd80fb0db5L,
+          0xfcd94ba18a8ac8L, 0xc1b1d568f35c05L }
+    },
+    {
+        { 0x16539fc1bdd30dL, 0x1356e538df4afbL, 0xc0545d85a1aedbL,
+          0xeb2037a489396bL, 0x897fcbd5660894L, 0x02a58a9b7d104aL,
+          0x57fa24cc96b980L, 0xf6448e35bd8946L },
+        { 0xee727418805c83L, 0x10fa274992cfc6L, 0x95141939e66b21L,
+          0xe0ffa44bd08009L, 0x174332220da22bL, 0x4891ff359e6831L,
+          0x407ed73a7d687bL, 0x2fb4e0751d99cfL }
+    },
+};
+#else
+
+/* Reduce scalar mod the order of the curve.
+ * Scalar Will be 114 bytes.
+ *
+ * b  [in]  Scalar to reduce.
+ */
+void sc448_reduce(uint8_t* b)
+{
+    uint32_t d[16];
+    uint64_t t[33];
+    uint64_t c;
+    uint32_t o;
+
+    /* Load from bytes */
+    t[ 0] =  (((int32_t)((b[ 0]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[ 1]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[ 2]        ) >>  0)) << 16)
+          | ((((int32_t)((b[ 3] & 0xf )) >>  0)) << 24);
+    t[ 1] =  (((int32_t)((b[ 3]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[ 4]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[ 5]        ) >>  0)) << 12)
+          |  (((int32_t)((b[ 6]        ) >>  0)) << 20);
+    t[ 2] =  (((int32_t)((b[ 7]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[ 8]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[ 9]        ) >>  0)) << 16)
+          | ((((int32_t)((b[10] & 0xf )) >>  0)) << 24);
+    t[ 3] =  (((int32_t)((b[10]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[11]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[12]        ) >>  0)) << 12)
+          |  (((int32_t)((b[13]        ) >>  0)) << 20);
+    t[ 4] =  (((int32_t)((b[14]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[15]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[16]        ) >>  0)) << 16)
+          | ((((int32_t)((b[17] & 0xf )) >>  0)) << 24);
+    t[ 5] =  (((int32_t)((b[17]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[18]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[19]        ) >>  0)) << 12)
+          |  (((int32_t)((b[20]        ) >>  0)) << 20);
+    t[ 6] =  (((int32_t)((b[21]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[22]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[23]        ) >>  0)) << 16)
+          | ((((int32_t)((b[24] & 0xf )) >>  0)) << 24);
+    t[ 7] =  (((int32_t)((b[24]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[25]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[26]        ) >>  0)) << 12)
+          |  (((int32_t)((b[27]        ) >>  0)) << 20);
+    t[ 8] =  (((int32_t)((b[28]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[29]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[30]        ) >>  0)) << 16)
+          | ((((int32_t)((b[31] & 0xf )) >>  0)) << 24);
+    t[ 9] =  (((int32_t)((b[31]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[32]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[33]        ) >>  0)) << 12)
+          |  (((int32_t)((b[34]        ) >>  0)) << 20);
+    t[10] =  (((int32_t)((b[35]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[36]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[37]        ) >>  0)) << 16)
+          | ((((int32_t)((b[38] & 0xf )) >>  0)) << 24);
+    t[11] =  (((int32_t)((b[38]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[39]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[40]        ) >>  0)) << 12)
+          |  (((int32_t)((b[41]        ) >>  0)) << 20);
+    t[12] =  (((int32_t)((b[42]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[43]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[44]        ) >>  0)) << 16)
+          | ((((int32_t)((b[45] & 0xf )) >>  0)) << 24);
+    t[13] =  (((int32_t)((b[45]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[46]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[47]        ) >>  0)) << 12)
+          |  (((int32_t)((b[48]        ) >>  0)) << 20);
+    t[14] =  (((int32_t)((b[49]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[50]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[51]        ) >>  0)) << 16)
+          | ((((int32_t)((b[52] & 0xf )) >>  0)) << 24);
+    t[15] =  (((int32_t)((b[52]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[53]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[54]        ) >>  0)) << 12)
+          |  (((int32_t)((b[55]        ) >>  0)) << 20);
+    t[16] =  (((int32_t)((b[56]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[57]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[58]        ) >>  0)) << 16)
+          | ((((int32_t)((b[59] & 0xf )) >>  0)) << 24);
+    t[17] =  (((int32_t)((b[59]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[60]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[61]        ) >>  0)) << 12)
+          |  (((int32_t)((b[62]        ) >>  0)) << 20);
+    t[18] =  (((int32_t)((b[63]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[64]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[65]        ) >>  0)) << 16)
+          | ((((int32_t)((b[66] & 0xf )) >>  0)) << 24);
+    t[19] =  (((int32_t)((b[66]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[67]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[68]        ) >>  0)) << 12)
+          |  (((int32_t)((b[69]        ) >>  0)) << 20);
+    t[20] =  (((int32_t)((b[70]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[71]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[72]        ) >>  0)) << 16)
+          | ((((int32_t)((b[73] & 0xf )) >>  0)) << 24);
+    t[21] =  (((int32_t)((b[73]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[74]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[75]        ) >>  0)) << 12)
+          |  (((int32_t)((b[76]        ) >>  0)) << 20);
+    t[22] =  (((int32_t)((b[77]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[78]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[79]        ) >>  0)) << 16)
+          | ((((int32_t)((b[80] & 0xf )) >>  0)) << 24);
+    t[23] =  (((int32_t)((b[80]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[81]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[82]        ) >>  0)) << 12)
+          |  (((int32_t)((b[83]        ) >>  0)) << 20);
+    t[24] =  (((int32_t)((b[84]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[85]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[86]        ) >>  0)) << 16)
+          | ((((int32_t)((b[87] & 0xf )) >>  0)) << 24);
+    t[25] =  (((int32_t)((b[87]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[88]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[89]        ) >>  0)) << 12)
+          |  (((int32_t)((b[90]        ) >>  0)) << 20);
+    t[26] =  (((int32_t)((b[91]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[92]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[93]        ) >>  0)) << 16)
+          | ((((int32_t)((b[94] & 0xf )) >>  0)) << 24);
+    t[27] =  (((int32_t)((b[94]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[95]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[96]        ) >>  0)) << 12)
+          |  (((int32_t)((b[97]        ) >>  0)) << 20);
+    t[28] =  (((int32_t)((b[98]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[99]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[100]        ) >>  0)) << 16)
+          | ((((int32_t)((b[101] & 0xf )) >>  0)) << 24);
+    t[29] =  (((int32_t)((b[101]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[102]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[103]        ) >>  0)) << 12)
+          |  (((int32_t)((b[104]        ) >>  0)) << 20);
+    t[30] =  (((int32_t)((b[105]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[106]        ) >>  0)) <<  8)
+          |  (((int32_t)((b[107]        ) >>  0)) << 16)
+          | ((((int32_t)((b[108] & 0xf )) >>  0)) << 24);
+    t[31] =  (((int32_t)((b[108]        ) >>  4)) <<  0)
+          |  (((int32_t)((b[109]        ) >>  0)) <<  4)
+          |  (((int32_t)((b[110]        ) >>  0)) << 12)
+          |  (((int32_t)((b[111]        ) >>  0)) << 20);
+    t[32] =  (((int32_t)((b[112]        ) >>  0)) <<  0)
+          |  (((int32_t)((b[113]        ) >>  0)) <<  8);
+
+    /* Mod curve order */
+    /* 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d */
+    /* Mod top half of extra words */
+    t[ 8] += (int64_t)0x129eec34 * t[24];
+    t[ 9] += (int64_t)0x21cf5b54 * t[24];
+    t[10] += (int64_t)0x29c2ab70 * t[24];
+    t[11] += (int64_t)0x0f635c8c * t[24];
+    t[12] += (int64_t)0x25bf7a4c * t[24];
+    t[13] += (int64_t)0x2d944a70 * t[24];
+    t[14] += (int64_t)0x18eec490 * t[24];
+    t[15] += (int64_t)0x20cd7704 * t[24];
+    t[ 9] += (int64_t)0x129eec34 * t[25];
+    t[10] += (int64_t)0x21cf5b54 * t[25];
+    t[11] += (int64_t)0x29c2ab70 * t[25];
+    t[12] += (int64_t)0x0f635c8c * t[25];
+    t[13] += (int64_t)0x25bf7a4c * t[25];
+    t[14] += (int64_t)0x2d944a70 * t[25];
+    t[15] += (int64_t)0x18eec490 * t[25];
+    t[16] += (int64_t)0x20cd7704 * t[25];
+    t[10] += (int64_t)0x129eec34 * t[26];
+    t[11] += (int64_t)0x21cf5b54 * t[26];
+    t[12] += (int64_t)0x29c2ab70 * t[26];
+    t[13] += (int64_t)0x0f635c8c * t[26];
+    t[14] += (int64_t)0x25bf7a4c * t[26];
+    t[15] += (int64_t)0x2d944a70 * t[26];
+    t[16] += (int64_t)0x18eec490 * t[26];
+    t[17] += (int64_t)0x20cd7704 * t[26];
+    t[11] += (int64_t)0x129eec34 * t[27];
+    t[12] += (int64_t)0x21cf5b54 * t[27];
+    t[13] += (int64_t)0x29c2ab70 * t[27];
+    t[14] += (int64_t)0x0f635c8c * t[27];
+    t[15] += (int64_t)0x25bf7a4c * t[27];
+    t[16] += (int64_t)0x2d944a70 * t[27];
+    t[17] += (int64_t)0x18eec490 * t[27];
+    t[18] += (int64_t)0x20cd7704 * t[27];
+    t[12] += (int64_t)0x129eec34 * t[28];
+    t[13] += (int64_t)0x21cf5b54 * t[28];
+    t[14] += (int64_t)0x29c2ab70 * t[28];
+    t[15] += (int64_t)0x0f635c8c * t[28];
+    t[16] += (int64_t)0x25bf7a4c * t[28];
+    t[17] += (int64_t)0x2d944a70 * t[28];
+    t[18] += (int64_t)0x18eec490 * t[28];
+    t[19] += (int64_t)0x20cd7704 * t[28];
+    t[13] += (int64_t)0x129eec34 * t[29];
+    t[14] += (int64_t)0x21cf5b54 * t[29];
+    t[15] += (int64_t)0x29c2ab70 * t[29];
+    t[16] += (int64_t)0x0f635c8c * t[29];
+    t[17] += (int64_t)0x25bf7a4c * t[29];
+    t[18] += (int64_t)0x2d944a70 * t[29];
+    t[19] += (int64_t)0x18eec490 * t[29];
+    t[20] += (int64_t)0x20cd7704 * t[29];
+    t[14] += (int64_t)0x129eec34 * t[30];
+    t[15] += (int64_t)0x21cf5b54 * t[30];
+    t[16] += (int64_t)0x29c2ab70 * t[30];
+    t[17] += (int64_t)0x0f635c8c * t[30];
+    t[18] += (int64_t)0x25bf7a4c * t[30];
+    t[19] += (int64_t)0x2d944a70 * t[30];
+    t[20] += (int64_t)0x18eec490 * t[30];
+    t[21] += (int64_t)0x20cd7704 * t[30];
+    t[15] += (int64_t)0x129eec34 * t[31];
+    t[16] += (int64_t)0x21cf5b54 * t[31];
+    t[17] += (int64_t)0x29c2ab70 * t[31];
+    t[18] += (int64_t)0x0f635c8c * t[31];
+    t[19] += (int64_t)0x25bf7a4c * t[31];
+    t[20] += (int64_t)0x2d944a70 * t[31];
+    t[21] += (int64_t)0x18eec490 * t[31];
+    t[22] += (int64_t)0x20cd7704 * t[31];
+    t[16] += (int64_t)0x129eec34 * t[32];
+    t[17] += (int64_t)0x21cf5b54 * t[32];
+    t[18] += (int64_t)0x29c2ab70 * t[32];
+    t[19] += (int64_t)0x0f635c8c * t[32];
+    t[20] += (int64_t)0x25bf7a4c * t[32];
+    t[21] += (int64_t)0x2d944a70 * t[32];
+    t[22] += (int64_t)0x18eec490 * t[32];
+    t[23] += (int64_t)0x20cd7704 * t[32];
+    t[24]  = 0;
+    /* Propagate carries */
+    c = t[ 8] >> 28; t[ 9] += c; t[ 8] = t[ 8] & 0xfffffff;
+    c = t[ 9] >> 28; t[10] += c; t[ 9] = t[ 9] & 0xfffffff;
+    c = t[10] >> 28; t[11] += c; t[10] = t[10] & 0xfffffff;
+    c = t[11] >> 28; t[12] += c; t[11] = t[11] & 0xfffffff;
+    c = t[12] >> 28; t[13] += c; t[12] = t[12] & 0xfffffff;
+    c = t[13] >> 28; t[14] += c; t[13] = t[13] & 0xfffffff;
+    c = t[14] >> 28; t[15] += c; t[14] = t[14] & 0xfffffff;
+    c = t[15] >> 28; t[16] += c; t[15] = t[15] & 0xfffffff;
+    c = t[16] >> 28; t[17] += c; t[16] = t[16] & 0xfffffff;
+    c = t[17] >> 28; t[18] += c; t[17] = t[17] & 0xfffffff;
+    c = t[18] >> 28; t[19] += c; t[18] = t[18] & 0xfffffff;
+    c = t[19] >> 28; t[20] += c; t[19] = t[19] & 0xfffffff;
+    c = t[20] >> 28; t[21] += c; t[20] = t[20] & 0xfffffff;
+    c = t[21] >> 28; t[22] += c; t[21] = t[21] & 0xfffffff;
+    c = t[22] >> 28; t[23] += c; t[22] = t[22] & 0xfffffff;
+    c = t[23] >> 28; t[24] += c; t[23] = t[23] & 0xfffffff;
+    /* Mod bottom half of extra words */
+    t[ 0] += (int64_t)0x129eec34 * t[16];
+    t[ 1] += (int64_t)0x21cf5b54 * t[16];
+    t[ 2] += (int64_t)0x29c2ab70 * t[16];
+    t[ 3] += (int64_t)0x0f635c8c * t[16];
+    t[ 4] += (int64_t)0x25bf7a4c * t[16];
+    t[ 5] += (int64_t)0x2d944a70 * t[16];
+    t[ 6] += (int64_t)0x18eec490 * t[16];
+    t[ 7] += (int64_t)0x20cd7704 * t[16];
+    t[ 1] += (int64_t)0x129eec34 * t[17];
+    t[ 2] += (int64_t)0x21cf5b54 * t[17];
+    t[ 3] += (int64_t)0x29c2ab70 * t[17];
+    t[ 4] += (int64_t)0x0f635c8c * t[17];
+    t[ 5] += (int64_t)0x25bf7a4c * t[17];
+    t[ 6] += (int64_t)0x2d944a70 * t[17];
+    t[ 7] += (int64_t)0x18eec490 * t[17];
+    t[ 8] += (int64_t)0x20cd7704 * t[17];
+    t[ 2] += (int64_t)0x129eec34 * t[18];
+    t[ 3] += (int64_t)0x21cf5b54 * t[18];
+    t[ 4] += (int64_t)0x29c2ab70 * t[18];
+    t[ 5] += (int64_t)0x0f635c8c * t[18];
+    t[ 6] += (int64_t)0x25bf7a4c * t[18];
+    t[ 7] += (int64_t)0x2d944a70 * t[18];
+    t[ 8] += (int64_t)0x18eec490 * t[18];
+    t[ 9] += (int64_t)0x20cd7704 * t[18];
+    t[ 3] += (int64_t)0x129eec34 * t[19];
+    t[ 4] += (int64_t)0x21cf5b54 * t[19];
+    t[ 5] += (int64_t)0x29c2ab70 * t[19];
+    t[ 6] += (int64_t)0x0f635c8c * t[19];
+    t[ 7] += (int64_t)0x25bf7a4c * t[19];
+    t[ 8] += (int64_t)0x2d944a70 * t[19];
+    t[ 9] += (int64_t)0x18eec490 * t[19];
+    t[10] += (int64_t)0x20cd7704 * t[19];
+    t[ 4] += (int64_t)0x129eec34 * t[20];
+    t[ 5] += (int64_t)0x21cf5b54 * t[20];
+    t[ 6] += (int64_t)0x29c2ab70 * t[20];
+    t[ 7] += (int64_t)0x0f635c8c * t[20];
+    t[ 8] += (int64_t)0x25bf7a4c * t[20];
+    t[ 9] += (int64_t)0x2d944a70 * t[20];
+    t[10] += (int64_t)0x18eec490 * t[20];
+    t[11] += (int64_t)0x20cd7704 * t[20];
+    t[ 5] += (int64_t)0x129eec34 * t[21];
+    t[ 6] += (int64_t)0x21cf5b54 * t[21];
+    t[ 7] += (int64_t)0x29c2ab70 * t[21];
+    t[ 8] += (int64_t)0x0f635c8c * t[21];
+    t[ 9] += (int64_t)0x25bf7a4c * t[21];
+    t[10] += (int64_t)0x2d944a70 * t[21];
+    t[11] += (int64_t)0x18eec490 * t[21];
+    t[12] += (int64_t)0x20cd7704 * t[21];
+    t[ 6] += (int64_t)0x129eec34 * t[22];
+    t[ 7] += (int64_t)0x21cf5b54 * t[22];
+    t[ 8] += (int64_t)0x29c2ab70 * t[22];
+    t[ 9] += (int64_t)0x0f635c8c * t[22];
+    t[10] += (int64_t)0x25bf7a4c * t[22];
+    t[11] += (int64_t)0x2d944a70 * t[22];
+    t[12] += (int64_t)0x18eec490 * t[22];
+    t[13] += (int64_t)0x20cd7704 * t[22];
+    t[ 7] += (int64_t)0x129eec34 * t[23];
+    t[ 8] += (int64_t)0x21cf5b54 * t[23];
+    t[ 9] += (int64_t)0x29c2ab70 * t[23];
+    t[10] += (int64_t)0x0f635c8c * t[23];
+    t[11] += (int64_t)0x25bf7a4c * t[23];
+    t[12] += (int64_t)0x2d944a70 * t[23];
+    t[13] += (int64_t)0x18eec490 * t[23];
+    t[14] += (int64_t)0x20cd7704 * t[23];
+    t[ 8] += (int64_t)0x129eec34 * t[24];
+    t[ 9] += (int64_t)0x21cf5b54 * t[24];
+    t[10] += (int64_t)0x29c2ab70 * t[24];
+    t[11] += (int64_t)0x0f635c8c * t[24];
+    t[12] += (int64_t)0x25bf7a4c * t[24];
+    t[13] += (int64_t)0x2d944a70 * t[24];
+    t[14] += (int64_t)0x18eec490 * t[24];
+    t[15] += (int64_t)0x20cd7704 * t[24];
+    t[16]  = 0;
+    /* Propagate carries */
+    c = t[ 0] >> 28; t[ 1] += c; t[ 0] = t[ 0] & 0xfffffff;
+    c = t[ 1] >> 28; t[ 2] += c; t[ 1] = t[ 1] & 0xfffffff;
+    c = t[ 2] >> 28; t[ 3] += c; t[ 2] = t[ 2] & 0xfffffff;
+    c = t[ 3] >> 28; t[ 4] += c; t[ 3] = t[ 3] & 0xfffffff;
+    c = t[ 4] >> 28; t[ 5] += c; t[ 4] = t[ 4] & 0xfffffff;
+    c = t[ 5] >> 28; t[ 6] += c; t[ 5] = t[ 5] & 0xfffffff;
+    c = t[ 6] >> 28; t[ 7] += c; t[ 6] = t[ 6] & 0xfffffff;
+    c = t[ 7] >> 28; t[ 8] += c; t[ 7] = t[ 7] & 0xfffffff;
+    c = t[ 8] >> 28; t[ 9] += c; t[ 8] = t[ 8] & 0xfffffff;
+    c = t[ 9] >> 28; t[10] += c; t[ 9] = t[ 9] & 0xfffffff;
+    c = t[10] >> 28; t[11] += c; t[10] = t[10] & 0xfffffff;
+    c = t[11] >> 28; t[12] += c; t[11] = t[11] & 0xfffffff;
+    c = t[12] >> 28; t[13] += c; t[12] = t[12] & 0xfffffff;
+    c = t[13] >> 28; t[14] += c; t[13] = t[13] & 0xfffffff;
+    c = t[14] >> 28; t[15] += c; t[14] = t[14] & 0xfffffff;
+    c = t[15] >> 28; t[16] += c; t[15] = t[15] & 0xfffffff;
+    t[ 0] += (int64_t)0x129eec34 * t[16];
+    t[ 1] += (int64_t)0x21cf5b54 * t[16];
+    t[ 2] += (int64_t)0x29c2ab70 * t[16];
+    t[ 3] += (int64_t)0x0f635c8c * t[16];
+    t[ 4] += (int64_t)0x25bf7a4c * t[16];
+    t[ 5] += (int64_t)0x2d944a70 * t[16];
+    t[ 6] += (int64_t)0x18eec490 * t[16];
+    t[ 7] += (int64_t)0x20cd7704 * t[16];
+    /* Propagate carries */
+    c = t[ 0] >> 28; t[ 1] += c; d[ 0] = (int32_t)(t[ 0] & 0xfffffff);
+    c = t[ 1] >> 28; t[ 2] += c; d[ 1] = (int32_t)(t[ 1] & 0xfffffff);
+    c = t[ 2] >> 28; t[ 3] += c; d[ 2] = (int32_t)(t[ 2] & 0xfffffff);
+    c = t[ 3] >> 28; t[ 4] += c; d[ 3] = (int32_t)(t[ 3] & 0xfffffff);
+    c = t[ 4] >> 28; t[ 5] += c; d[ 4] = (int32_t)(t[ 4] & 0xfffffff);
+    c = t[ 5] >> 28; t[ 6] += c; d[ 5] = (int32_t)(t[ 5] & 0xfffffff);
+    c = t[ 6] >> 28; t[ 7] += c; d[ 6] = (int32_t)(t[ 6] & 0xfffffff);
+    c = t[ 7] >> 28; t[ 8] += c; d[ 7] = (int32_t)(t[ 7] & 0xfffffff);
+    c = t[ 8] >> 28; t[ 9] += c; d[ 8] = (int32_t)(t[ 8] & 0xfffffff);
+    c = t[ 9] >> 28; t[10] += c; d[ 9] = (int32_t)(t[ 9] & 0xfffffff);
+    c = t[10] >> 28; t[11] += c; d[10] = (int32_t)(t[10] & 0xfffffff);
+    c = t[11] >> 28; t[12] += c; d[11] = (int32_t)(t[11] & 0xfffffff);
+    c = t[12] >> 28; t[13] += c; d[12] = (int32_t)(t[12] & 0xfffffff);
+    c = t[13] >> 28; t[14] += c; d[13] = (int32_t)(t[13] & 0xfffffff);
+    c = t[14] >> 28; t[15] += c; d[14] = (int32_t)(t[14] & 0xfffffff);
+    d[15] = t[15];
+    /* Mod bits over 28 in last word */
+    o = d[15] >> 26; d[15] &= 0x3ffffff;
+    d[ 0] += 0x4a7bb0d * o;
+    d[ 1] += 0x873d6d5 * o;
+    d[ 2] += 0xa70aadc * o;
+    d[ 3] += 0x3d8d723 * o;
+    d[ 4] += 0x96fde93 * o;
+    d[ 5] += 0xb65129c * o;
+    d[ 6] += 0x63bb124 * o;
+    d[ 7] += 0x8335dc1 * o;
+    /* Propagate carries */
+    o = d[ 0] >> 28; d[ 1] += o; d[ 0] = d[ 0] & 0xfffffff;
+    o = d[ 1] >> 28; d[ 2] += o; d[ 1] = d[ 1] & 0xfffffff;
+    o = d[ 2] >> 28; d[ 3] += o; d[ 2] = d[ 2] & 0xfffffff;
+    o = d[ 3] >> 28; d[ 4] += o; d[ 3] = d[ 3] & 0xfffffff;
+    o = d[ 4] >> 28; d[ 5] += o; d[ 4] = d[ 4] & 0xfffffff;
+    o = d[ 5] >> 28; d[ 6] += o; d[ 5] = d[ 5] & 0xfffffff;
+    o = d[ 6] >> 28; d[ 7] += o; d[ 6] = d[ 6] & 0xfffffff;
+    o = d[ 7] >> 28; d[ 8] += o; d[ 7] = d[ 7] & 0xfffffff;
+    o = d[ 8] >> 28; d[ 9] += o; d[ 8] = d[ 8] & 0xfffffff;
+    o = d[ 9] >> 28; d[10] += o; d[ 9] = d[ 9] & 0xfffffff;
+    o = d[10] >> 28; d[11] += o; d[10] = d[10] & 0xfffffff;
+    o = d[11] >> 28; d[12] += o; d[11] = d[11] & 0xfffffff;
+    o = d[12] >> 28; d[13] += o; d[12] = d[12] & 0xfffffff;
+    o = d[13] >> 28; d[14] += o; d[13] = d[13] & 0xfffffff;
+    o = d[14] >> 28; d[15] += o; d[14] = d[14] & 0xfffffff;
+
+    /* Convert to bytes */
+    b[ 0] = (d[0 ] >>  0);
+    b[ 1] = (d[0 ] >>  8);
+    b[ 2] = (d[0 ] >> 16);
+    b[ 3] = (d[0 ] >> 24) + ((d[1 ] >>  0) <<  4);
+    b[ 4] = (d[1 ] >>  4);
+    b[ 5] = (d[1 ] >> 12);
+    b[ 6] = (d[1 ] >> 20);
+    b[ 7] = (d[2 ] >>  0);
+    b[ 8] = (d[2 ] >>  8);
+    b[ 9] = (d[2 ] >> 16);
+    b[10] = (d[2 ] >> 24) + ((d[3 ] >>  0) <<  4);
+    b[11] = (d[3 ] >>  4);
+    b[12] = (d[3 ] >> 12);
+    b[13] = (d[3 ] >> 20);
+    b[14] = (d[4 ] >>  0);
+    b[15] = (d[4 ] >>  8);
+    b[16] = (d[4 ] >> 16);
+    b[17] = (d[4 ] >> 24) + ((d[5 ] >>  0) <<  4);
+    b[18] = (d[5 ] >>  4);
+    b[19] = (d[5 ] >> 12);
+    b[20] = (d[5 ] >> 20);
+    b[21] = (d[6 ] >>  0);
+    b[22] = (d[6 ] >>  8);
+    b[23] = (d[6 ] >> 16);
+    b[24] = (d[6 ] >> 24) + ((d[7 ] >>  0) <<  4);
+    b[25] = (d[7 ] >>  4);
+    b[26] = (d[7 ] >> 12);
+    b[27] = (d[7 ] >> 20);
+    b[28] = (d[8 ] >>  0);
+    b[29] = (d[8 ] >>  8);
+    b[30] = (d[8 ] >> 16);
+    b[31] = (d[8 ] >> 24) + ((d[9 ] >>  0) <<  4);
+    b[32] = (d[9 ] >>  4);
+    b[33] = (d[9 ] >> 12);
+    b[34] = (d[9 ] >> 20);
+    b[35] = (d[10] >>  0);
+    b[36] = (d[10] >>  8);
+    b[37] = (d[10] >> 16);
+    b[38] = (d[10] >> 24) + ((d[11] >>  0) <<  4);
+    b[39] = (d[11] >>  4);
+    b[40] = (d[11] >> 12);
+    b[41] = (d[11] >> 20);
+    b[42] = (d[12] >>  0);
+    b[43] = (d[12] >>  8);
+    b[44] = (d[12] >> 16);
+    b[45] = (d[12] >> 24) + ((d[13] >>  0) <<  4);
+    b[46] = (d[13] >>  4);
+    b[47] = (d[13] >> 12);
+    b[48] = (d[13] >> 20);
+    b[49] = (d[14] >>  0);
+    b[50] = (d[14] >>  8);
+    b[51] = (d[14] >> 16);
+    b[52] = (d[14] >> 24) + ((d[15] >>  0) <<  4);
+    b[53] = (d[15] >>  4);
+    b[54] = (d[15] >> 12);
+    b[55] = (d[15] >> 20);
+    b[56] = 0;
+}
+
+/* Multiply a by b and add d. r = (a * b + d) mod order
+ *
+ * r  [in]  Scalar to hold result.
+ * a  [in]  Scalar to multiply.
+ * b  [in]  Scalar to multiply.
+ * d  [in]  Scalar to add to multiplicative result.
+ */
+void sc448_muladd(uint8_t* r, const uint8_t* a, const uint8_t* b,
+                  const uint8_t* d)
+{
+    uint32_t ad[16], bd[16], dd[16], rd[16];
+    uint64_t t[32];
+    uint64_t c;
+    uint32_t o;
+
+    /* Load from bytes */
+    ad[ 0] =  (((int32_t)((a[ 0]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[ 1]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[ 2]        ) >>  0)) << 16)
+           | ((((int32_t)((a[ 3] & 0xf )) >>  0)) << 24);
+    ad[ 1] =  (((int32_t)((a[ 3]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[ 4]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[ 5]        ) >>  0)) << 12)
+           |  (((int32_t)((a[ 6]        ) >>  0)) << 20);
+    ad[ 2] =  (((int32_t)((a[ 7]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[ 8]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[ 9]        ) >>  0)) << 16)
+           | ((((int32_t)((a[10] & 0xf )) >>  0)) << 24);
+    ad[ 3] =  (((int32_t)((a[10]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[11]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[12]        ) >>  0)) << 12)
+           |  (((int32_t)((a[13]        ) >>  0)) << 20);
+    ad[ 4] =  (((int32_t)((a[14]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[15]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[16]        ) >>  0)) << 16)
+           | ((((int32_t)((a[17] & 0xf )) >>  0)) << 24);
+    ad[ 5] =  (((int32_t)((a[17]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[18]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[19]        ) >>  0)) << 12)
+           |  (((int32_t)((a[20]        ) >>  0)) << 20);
+    ad[ 6] =  (((int32_t)((a[21]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[22]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[23]        ) >>  0)) << 16)
+           | ((((int32_t)((a[24] & 0xf )) >>  0)) << 24);
+    ad[ 7] =  (((int32_t)((a[24]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[25]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[26]        ) >>  0)) << 12)
+           |  (((int32_t)((a[27]        ) >>  0)) << 20);
+    ad[ 8] =  (((int32_t)((a[28]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[29]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[30]        ) >>  0)) << 16)
+           | ((((int32_t)((a[31] & 0xf )) >>  0)) << 24);
+    ad[ 9] =  (((int32_t)((a[31]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[32]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[33]        ) >>  0)) << 12)
+           |  (((int32_t)((a[34]        ) >>  0)) << 20);
+    ad[10] =  (((int32_t)((a[35]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[36]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[37]        ) >>  0)) << 16)
+           | ((((int32_t)((a[38] & 0xf )) >>  0)) << 24);
+    ad[11] =  (((int32_t)((a[38]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[39]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[40]        ) >>  0)) << 12)
+           |  (((int32_t)((a[41]        ) >>  0)) << 20);
+    ad[12] =  (((int32_t)((a[42]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[43]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[44]        ) >>  0)) << 16)
+           | ((((int32_t)((a[45] & 0xf )) >>  0)) << 24);
+    ad[13] =  (((int32_t)((a[45]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[46]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[47]        ) >>  0)) << 12)
+           |  (((int32_t)((a[48]        ) >>  0)) << 20);
+    ad[14] =  (((int32_t)((a[49]        ) >>  0)) <<  0)
+           |  (((int32_t)((a[50]        ) >>  0)) <<  8)
+           |  (((int32_t)((a[51]        ) >>  0)) << 16)
+           | ((((int32_t)((a[52] & 0xf )) >>  0)) << 24);
+    ad[15] =  (((int32_t)((a[52]        ) >>  4)) <<  0)
+           |  (((int32_t)((a[53]        ) >>  0)) <<  4)
+           |  (((int32_t)((a[54]        ) >>  0)) << 12)
+           |  (((int32_t)((a[55]        ) >>  0)) << 20);
+    /* Load from bytes */
+    bd[ 0] =  (((int32_t)((b[ 0]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[ 1]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[ 2]        ) >>  0)) << 16)
+           | ((((int32_t)((b[ 3] & 0xf )) >>  0)) << 24);
+    bd[ 1] =  (((int32_t)((b[ 3]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[ 4]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[ 5]        ) >>  0)) << 12)
+           |  (((int32_t)((b[ 6]        ) >>  0)) << 20);
+    bd[ 2] =  (((int32_t)((b[ 7]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[ 8]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[ 9]        ) >>  0)) << 16)
+           | ((((int32_t)((b[10] & 0xf )) >>  0)) << 24);
+    bd[ 3] =  (((int32_t)((b[10]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[11]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[12]        ) >>  0)) << 12)
+           |  (((int32_t)((b[13]        ) >>  0)) << 20);
+    bd[ 4] =  (((int32_t)((b[14]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[15]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[16]        ) >>  0)) << 16)
+           | ((((int32_t)((b[17] & 0xf )) >>  0)) << 24);
+    bd[ 5] =  (((int32_t)((b[17]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[18]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[19]        ) >>  0)) << 12)
+           |  (((int32_t)((b[20]        ) >>  0)) << 20);
+    bd[ 6] =  (((int32_t)((b[21]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[22]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[23]        ) >>  0)) << 16)
+           | ((((int32_t)((b[24] & 0xf )) >>  0)) << 24);
+    bd[ 7] =  (((int32_t)((b[24]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[25]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[26]        ) >>  0)) << 12)
+           |  (((int32_t)((b[27]        ) >>  0)) << 20);
+    bd[ 8] =  (((int32_t)((b[28]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[29]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[30]        ) >>  0)) << 16)
+           | ((((int32_t)((b[31] & 0xf )) >>  0)) << 24);
+    bd[ 9] =  (((int32_t)((b[31]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[32]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[33]        ) >>  0)) << 12)
+           |  (((int32_t)((b[34]        ) >>  0)) << 20);
+    bd[10] =  (((int32_t)((b[35]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[36]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[37]        ) >>  0)) << 16)
+           | ((((int32_t)((b[38] & 0xf )) >>  0)) << 24);
+    bd[11] =  (((int32_t)((b[38]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[39]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[40]        ) >>  0)) << 12)
+           |  (((int32_t)((b[41]        ) >>  0)) << 20);
+    bd[12] =  (((int32_t)((b[42]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[43]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[44]        ) >>  0)) << 16)
+           | ((((int32_t)((b[45] & 0xf )) >>  0)) << 24);
+    bd[13] =  (((int32_t)((b[45]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[46]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[47]        ) >>  0)) << 12)
+           |  (((int32_t)((b[48]        ) >>  0)) << 20);
+    bd[14] =  (((int32_t)((b[49]        ) >>  0)) <<  0)
+           |  (((int32_t)((b[50]        ) >>  0)) <<  8)
+           |  (((int32_t)((b[51]        ) >>  0)) << 16)
+           | ((((int32_t)((b[52] & 0xf )) >>  0)) << 24);
+    bd[15] =  (((int32_t)((b[52]        ) >>  4)) <<  0)
+           |  (((int32_t)((b[53]        ) >>  0)) <<  4)
+           |  (((int32_t)((b[54]        ) >>  0)) << 12)
+           |  (((int32_t)((b[55]        ) >>  0)) << 20);
+    /* Load from bytes */
+    dd[ 0] =  (((int32_t)((d[ 0]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[ 1]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[ 2]        ) >>  0)) << 16)
+           | ((((int32_t)((d[ 3] & 0xf )) >>  0)) << 24);
+    dd[ 1] =  (((int32_t)((d[ 3]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[ 4]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[ 5]        ) >>  0)) << 12)
+           |  (((int32_t)((d[ 6]        ) >>  0)) << 20);
+    dd[ 2] =  (((int32_t)((d[ 7]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[ 8]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[ 9]        ) >>  0)) << 16)
+           | ((((int32_t)((d[10] & 0xf )) >>  0)) << 24);
+    dd[ 3] =  (((int32_t)((d[10]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[11]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[12]        ) >>  0)) << 12)
+           |  (((int32_t)((d[13]        ) >>  0)) << 20);
+    dd[ 4] =  (((int32_t)((d[14]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[15]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[16]        ) >>  0)) << 16)
+           | ((((int32_t)((d[17] & 0xf )) >>  0)) << 24);
+    dd[ 5] =  (((int32_t)((d[17]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[18]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[19]        ) >>  0)) << 12)
+           |  (((int32_t)((d[20]        ) >>  0)) << 20);
+    dd[ 6] =  (((int32_t)((d[21]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[22]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[23]        ) >>  0)) << 16)
+           | ((((int32_t)((d[24] & 0xf )) >>  0)) << 24);
+    dd[ 7] =  (((int32_t)((d[24]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[25]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[26]        ) >>  0)) << 12)
+           |  (((int32_t)((d[27]        ) >>  0)) << 20);
+    dd[ 8] =  (((int32_t)((d[28]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[29]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[30]        ) >>  0)) << 16)
+           | ((((int32_t)((d[31] & 0xf )) >>  0)) << 24);
+    dd[ 9] =  (((int32_t)((d[31]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[32]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[33]        ) >>  0)) << 12)
+           |  (((int32_t)((d[34]        ) >>  0)) << 20);
+    dd[10] =  (((int32_t)((d[35]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[36]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[37]        ) >>  0)) << 16)
+           | ((((int32_t)((d[38] & 0xf )) >>  0)) << 24);
+    dd[11] =  (((int32_t)((d[38]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[39]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[40]        ) >>  0)) << 12)
+           |  (((int32_t)((d[41]        ) >>  0)) << 20);
+    dd[12] =  (((int32_t)((d[42]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[43]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[44]        ) >>  0)) << 16)
+           | ((((int32_t)((d[45] & 0xf )) >>  0)) << 24);
+    dd[13] =  (((int32_t)((d[45]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[46]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[47]        ) >>  0)) << 12)
+           |  (((int32_t)((d[48]        ) >>  0)) << 20);
+    dd[14] =  (((int32_t)((d[49]        ) >>  0)) <<  0)
+           |  (((int32_t)((d[50]        ) >>  0)) <<  8)
+           |  (((int32_t)((d[51]        ) >>  0)) << 16)
+           | ((((int32_t)((d[52] & 0xf )) >>  0)) << 24);
+    dd[15] =  (((int32_t)((d[52]        ) >>  4)) <<  0)
+           |  (((int32_t)((d[53]        ) >>  0)) <<  4)
+           |  (((int32_t)((d[54]        ) >>  0)) << 12)
+           |  (((int32_t)((d[55]        ) >>  0)) << 20);
+
+    /* a * b + d */
+    t[ 0] =  dd[ 0] + (int64_t)ad[ 0] * bd[ 0];
+    t[ 1] =  dd[ 1] + (int64_t)ad[ 0] * bd[ 1]
+                    + (int64_t)ad[ 1] * bd[ 0];
+    t[ 2] =  dd[ 2] + (int64_t)ad[ 0] * bd[ 2]
+                    + (int64_t)ad[ 1] * bd[ 1]
+                    + (int64_t)ad[ 2] * bd[ 0];
+    t[ 3] =  dd[ 3] + (int64_t)ad[ 0] * bd[ 3]
+                    + (int64_t)ad[ 1] * bd[ 2]
+                    + (int64_t)ad[ 2] * bd[ 1]
+                    + (int64_t)ad[ 3] * bd[ 0];
+    t[ 4] =  dd[ 4] + (int64_t)ad[ 0] * bd[ 4]
+                    + (int64_t)ad[ 1] * bd[ 3]
+                    + (int64_t)ad[ 2] * bd[ 2]
+                    + (int64_t)ad[ 3] * bd[ 1]
+                    + (int64_t)ad[ 4] * bd[ 0];
+    t[ 5] =  dd[ 5] + (int64_t)ad[ 0] * bd[ 5]
+                    + (int64_t)ad[ 1] * bd[ 4]
+                    + (int64_t)ad[ 2] * bd[ 3]
+                    + (int64_t)ad[ 3] * bd[ 2]
+                    + (int64_t)ad[ 4] * bd[ 1]
+                    + (int64_t)ad[ 5] * bd[ 0];
+    t[ 6] =  dd[ 6] + (int64_t)ad[ 0] * bd[ 6]
+                    + (int64_t)ad[ 1] * bd[ 5]
+                    + (int64_t)ad[ 2] * bd[ 4]
+                    + (int64_t)ad[ 3] * bd[ 3]
+                    + (int64_t)ad[ 4] * bd[ 2]
+                    + (int64_t)ad[ 5] * bd[ 1]
+                    + (int64_t)ad[ 6] * bd[ 0];
+    t[ 7] =  dd[ 7] + (int64_t)ad[ 0] * bd[ 7]
+                    + (int64_t)ad[ 1] * bd[ 6]
+                    + (int64_t)ad[ 2] * bd[ 5]
+                    + (int64_t)ad[ 3] * bd[ 4]
+                    + (int64_t)ad[ 4] * bd[ 3]
+                    + (int64_t)ad[ 5] * bd[ 2]
+                    + (int64_t)ad[ 6] * bd[ 1]
+                    + (int64_t)ad[ 7] * bd[ 0];
+    t[ 8] =  dd[ 8] + (int64_t)ad[ 0] * bd[ 8]
+                    + (int64_t)ad[ 1] * bd[ 7]
+                    + (int64_t)ad[ 2] * bd[ 6]
+                    + (int64_t)ad[ 3] * bd[ 5]
+                    + (int64_t)ad[ 4] * bd[ 4]
+                    + (int64_t)ad[ 5] * bd[ 3]
+                    + (int64_t)ad[ 6] * bd[ 2]
+                    + (int64_t)ad[ 7] * bd[ 1]
+                    + (int64_t)ad[ 8] * bd[ 0];
+    t[ 9] =  dd[ 9] + (int64_t)ad[ 0] * bd[ 9]
+                    + (int64_t)ad[ 1] * bd[ 8]
+                    + (int64_t)ad[ 2] * bd[ 7]
+                    + (int64_t)ad[ 3] * bd[ 6]
+                    + (int64_t)ad[ 4] * bd[ 5]
+                    + (int64_t)ad[ 5] * bd[ 4]
+                    + (int64_t)ad[ 6] * bd[ 3]
+                    + (int64_t)ad[ 7] * bd[ 2]
+                    + (int64_t)ad[ 8] * bd[ 1]
+                    + (int64_t)ad[ 9] * bd[ 0];
+    t[10] =  dd[10] + (int64_t)ad[ 0] * bd[10]
+                    + (int64_t)ad[ 1] * bd[ 9]
+                    + (int64_t)ad[ 2] * bd[ 8]
+                    + (int64_t)ad[ 3] * bd[ 7]
+                    + (int64_t)ad[ 4] * bd[ 6]
+                    + (int64_t)ad[ 5] * bd[ 5]
+                    + (int64_t)ad[ 6] * bd[ 4]
+                    + (int64_t)ad[ 7] * bd[ 3]
+                    + (int64_t)ad[ 8] * bd[ 2]
+                    + (int64_t)ad[ 9] * bd[ 1]
+                    + (int64_t)ad[10] * bd[ 0];
+    t[11] =  dd[11] + (int64_t)ad[ 0] * bd[11]
+                    + (int64_t)ad[ 1] * bd[10]
+                    + (int64_t)ad[ 2] * bd[ 9]
+                    + (int64_t)ad[ 3] * bd[ 8]
+                    + (int64_t)ad[ 4] * bd[ 7]
+                    + (int64_t)ad[ 5] * bd[ 6]
+                    + (int64_t)ad[ 6] * bd[ 5]
+                    + (int64_t)ad[ 7] * bd[ 4]
+                    + (int64_t)ad[ 8] * bd[ 3]
+                    + (int64_t)ad[ 9] * bd[ 2]
+                    + (int64_t)ad[10] * bd[ 1]
+                    + (int64_t)ad[11] * bd[ 0];
+    t[12] =  dd[12] + (int64_t)ad[ 0] * bd[12]
+                    + (int64_t)ad[ 1] * bd[11]
+                    + (int64_t)ad[ 2] * bd[10]
+                    + (int64_t)ad[ 3] * bd[ 9]
+                    + (int64_t)ad[ 4] * bd[ 8]
+                    + (int64_t)ad[ 5] * bd[ 7]
+                    + (int64_t)ad[ 6] * bd[ 6]
+                    + (int64_t)ad[ 7] * bd[ 5]
+                    + (int64_t)ad[ 8] * bd[ 4]
+                    + (int64_t)ad[ 9] * bd[ 3]
+                    + (int64_t)ad[10] * bd[ 2]
+                    + (int64_t)ad[11] * bd[ 1]
+                    + (int64_t)ad[12] * bd[ 0];
+    t[13] =  dd[13] + (int64_t)ad[ 0] * bd[13]
+                    + (int64_t)ad[ 1] * bd[12]
+                    + (int64_t)ad[ 2] * bd[11]
+                    + (int64_t)ad[ 3] * bd[10]
+                    + (int64_t)ad[ 4] * bd[ 9]
+                    + (int64_t)ad[ 5] * bd[ 8]
+                    + (int64_t)ad[ 6] * bd[ 7]
+                    + (int64_t)ad[ 7] * bd[ 6]
+                    + (int64_t)ad[ 8] * bd[ 5]
+                    + (int64_t)ad[ 9] * bd[ 4]
+                    + (int64_t)ad[10] * bd[ 3]
+                    + (int64_t)ad[11] * bd[ 2]
+                    + (int64_t)ad[12] * bd[ 1]
+                    + (int64_t)ad[13] * bd[ 0];
+    t[14] =  dd[14] + (int64_t)ad[ 0] * bd[14]
+                    + (int64_t)ad[ 1] * bd[13]
+                    + (int64_t)ad[ 2] * bd[12]
+                    + (int64_t)ad[ 3] * bd[11]
+                    + (int64_t)ad[ 4] * bd[10]
+                    + (int64_t)ad[ 5] * bd[ 9]
+                    + (int64_t)ad[ 6] * bd[ 8]
+                    + (int64_t)ad[ 7] * bd[ 7]
+                    + (int64_t)ad[ 8] * bd[ 6]
+                    + (int64_t)ad[ 9] * bd[ 5]
+                    + (int64_t)ad[10] * bd[ 4]
+                    + (int64_t)ad[11] * bd[ 3]
+                    + (int64_t)ad[12] * bd[ 2]
+                    + (int64_t)ad[13] * bd[ 1]
+                    + (int64_t)ad[14] * bd[ 0];
+    t[15] =  dd[15] + (int64_t)ad[ 0] * bd[15]
+                    + (int64_t)ad[ 1] * bd[14]
+                    + (int64_t)ad[ 2] * bd[13]
+                    + (int64_t)ad[ 3] * bd[12]
+                    + (int64_t)ad[ 4] * bd[11]
+                    + (int64_t)ad[ 5] * bd[10]
+                    + (int64_t)ad[ 6] * bd[ 9]
+                    + (int64_t)ad[ 7] * bd[ 8]
+                    + (int64_t)ad[ 8] * bd[ 7]
+                    + (int64_t)ad[ 9] * bd[ 6]
+                    + (int64_t)ad[10] * bd[ 5]
+                    + (int64_t)ad[11] * bd[ 4]
+                    + (int64_t)ad[12] * bd[ 3]
+                    + (int64_t)ad[13] * bd[ 2]
+                    + (int64_t)ad[14] * bd[ 1]
+                    + (int64_t)ad[15] * bd[ 0];
+    t[16] =           (int64_t)ad[ 1] * bd[15]
+                    + (int64_t)ad[ 2] * bd[14]
+                    + (int64_t)ad[ 3] * bd[13]
+                    + (int64_t)ad[ 4] * bd[12]
+                    + (int64_t)ad[ 5] * bd[11]
+                    + (int64_t)ad[ 6] * bd[10]
+                    + (int64_t)ad[ 7] * bd[ 9]
+                    + (int64_t)ad[ 8] * bd[ 8]
+                    + (int64_t)ad[ 9] * bd[ 7]
+                    + (int64_t)ad[10] * bd[ 6]
+                    + (int64_t)ad[11] * bd[ 5]
+                    + (int64_t)ad[12] * bd[ 4]
+                    + (int64_t)ad[13] * bd[ 3]
+                    + (int64_t)ad[14] * bd[ 2]
+                    + (int64_t)ad[15] * bd[ 1];
+    t[17] =           (int64_t)ad[ 2] * bd[15]
+                    + (int64_t)ad[ 3] * bd[14]
+                    + (int64_t)ad[ 4] * bd[13]
+                    + (int64_t)ad[ 5] * bd[12]
+                    + (int64_t)ad[ 6] * bd[11]
+                    + (int64_t)ad[ 7] * bd[10]
+                    + (int64_t)ad[ 8] * bd[ 9]
+                    + (int64_t)ad[ 9] * bd[ 8]
+                    + (int64_t)ad[10] * bd[ 7]
+                    + (int64_t)ad[11] * bd[ 6]
+                    + (int64_t)ad[12] * bd[ 5]
+                    + (int64_t)ad[13] * bd[ 4]
+                    + (int64_t)ad[14] * bd[ 3]
+                    + (int64_t)ad[15] * bd[ 2];
+    t[18] =           (int64_t)ad[ 3] * bd[15]
+                    + (int64_t)ad[ 4] * bd[14]
+                    + (int64_t)ad[ 5] * bd[13]
+                    + (int64_t)ad[ 6] * bd[12]
+                    + (int64_t)ad[ 7] * bd[11]
+                    + (int64_t)ad[ 8] * bd[10]
+                    + (int64_t)ad[ 9] * bd[ 9]
+                    + (int64_t)ad[10] * bd[ 8]
+                    + (int64_t)ad[11] * bd[ 7]
+                    + (int64_t)ad[12] * bd[ 6]
+                    + (int64_t)ad[13] * bd[ 5]
+                    + (int64_t)ad[14] * bd[ 4]
+                    + (int64_t)ad[15] * bd[ 3];
+    t[19] =           (int64_t)ad[ 4] * bd[15]
+                    + (int64_t)ad[ 5] * bd[14]
+                    + (int64_t)ad[ 6] * bd[13]
+                    + (int64_t)ad[ 7] * bd[12]
+                    + (int64_t)ad[ 8] * bd[11]
+                    + (int64_t)ad[ 9] * bd[10]
+                    + (int64_t)ad[10] * bd[ 9]
+                    + (int64_t)ad[11] * bd[ 8]
+                    + (int64_t)ad[12] * bd[ 7]
+                    + (int64_t)ad[13] * bd[ 6]
+                    + (int64_t)ad[14] * bd[ 5]
+                    + (int64_t)ad[15] * bd[ 4];
+    t[20] =           (int64_t)ad[ 5] * bd[15]
+                    + (int64_t)ad[ 6] * bd[14]
+                    + (int64_t)ad[ 7] * bd[13]
+                    + (int64_t)ad[ 8] * bd[12]
+                    + (int64_t)ad[ 9] * bd[11]
+                    + (int64_t)ad[10] * bd[10]
+                    + (int64_t)ad[11] * bd[ 9]
+                    + (int64_t)ad[12] * bd[ 8]
+                    + (int64_t)ad[13] * bd[ 7]
+                    + (int64_t)ad[14] * bd[ 6]
+                    + (int64_t)ad[15] * bd[ 5];
+    t[21] =           (int64_t)ad[ 6] * bd[15]
+                    + (int64_t)ad[ 7] * bd[14]
+                    + (int64_t)ad[ 8] * bd[13]
+                    + (int64_t)ad[ 9] * bd[12]
+                    + (int64_t)ad[10] * bd[11]
+                    + (int64_t)ad[11] * bd[10]
+                    + (int64_t)ad[12] * bd[ 9]
+                    + (int64_t)ad[13] * bd[ 8]
+                    + (int64_t)ad[14] * bd[ 7]
+                    + (int64_t)ad[15] * bd[ 6];
+    t[22] =           (int64_t)ad[ 7] * bd[15]
+                    + (int64_t)ad[ 8] * bd[14]
+                    + (int64_t)ad[ 9] * bd[13]
+                    + (int64_t)ad[10] * bd[12]
+                    + (int64_t)ad[11] * bd[11]
+                    + (int64_t)ad[12] * bd[10]
+                    + (int64_t)ad[13] * bd[ 9]
+                    + (int64_t)ad[14] * bd[ 8]
+                    + (int64_t)ad[15] * bd[ 7];
+    t[23] =           (int64_t)ad[ 8] * bd[15]
+                    + (int64_t)ad[ 9] * bd[14]
+                    + (int64_t)ad[10] * bd[13]
+                    + (int64_t)ad[11] * bd[12]
+                    + (int64_t)ad[12] * bd[11]
+                    + (int64_t)ad[13] * bd[10]
+                    + (int64_t)ad[14] * bd[ 9]
+                    + (int64_t)ad[15] * bd[ 8];
+    t[24] =           (int64_t)ad[ 9] * bd[15]
+                    + (int64_t)ad[10] * bd[14]
+                    + (int64_t)ad[11] * bd[13]
+                    + (int64_t)ad[12] * bd[12]
+                    + (int64_t)ad[13] * bd[11]
+                    + (int64_t)ad[14] * bd[10]
+                    + (int64_t)ad[15] * bd[ 9];
+    t[25] =           (int64_t)ad[10] * bd[15]
+                    + (int64_t)ad[11] * bd[14]
+                    + (int64_t)ad[12] * bd[13]
+                    + (int64_t)ad[13] * bd[12]
+                    + (int64_t)ad[14] * bd[11]
+                    + (int64_t)ad[15] * bd[10];
+    t[26] =           (int64_t)ad[11] * bd[15]
+                    + (int64_t)ad[12] * bd[14]
+                    + (int64_t)ad[13] * bd[13]
+                    + (int64_t)ad[14] * bd[12]
+                    + (int64_t)ad[15] * bd[11];
+    t[27] =           (int64_t)ad[12] * bd[15]
+                    + (int64_t)ad[13] * bd[14]
+                    + (int64_t)ad[14] * bd[13]
+                    + (int64_t)ad[15] * bd[12];
+    t[28] =           (int64_t)ad[13] * bd[15]
+                    + (int64_t)ad[14] * bd[14]
+                    + (int64_t)ad[15] * bd[13];
+    t[29] =           (int64_t)ad[14] * bd[15]
+                    + (int64_t)ad[15] * bd[14];
+    t[30] =           (int64_t)ad[15] * bd[15];
+    t[31] = 0;
+
+    /* Mod curve order */
+    /* 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d */
+    /* Propagate carries */
+    c = t[ 0] >> 28; t[ 1] += c; t[ 0] = t[ 0] & 0xfffffff;
+    c = t[ 1] >> 28; t[ 2] += c; t[ 1] = t[ 1] & 0xfffffff;
+    c = t[ 2] >> 28; t[ 3] += c; t[ 2] = t[ 2] & 0xfffffff;
+    c = t[ 3] >> 28; t[ 4] += c; t[ 3] = t[ 3] & 0xfffffff;
+    c = t[ 4] >> 28; t[ 5] += c; t[ 4] = t[ 4] & 0xfffffff;
+    c = t[ 5] >> 28; t[ 6] += c; t[ 5] = t[ 5] & 0xfffffff;
+    c = t[ 6] >> 28; t[ 7] += c; t[ 6] = t[ 6] & 0xfffffff;
+    c = t[ 7] >> 28; t[ 8] += c; t[ 7] = t[ 7] & 0xfffffff;
+    c = t[ 8] >> 28; t[ 9] += c; t[ 8] = t[ 8] & 0xfffffff;
+    c = t[ 9] >> 28; t[10] += c; t[ 9] = t[ 9] & 0xfffffff;
+    c = t[10] >> 28; t[11] += c; t[10] = t[10] & 0xfffffff;
+    c = t[11] >> 28; t[12] += c; t[11] = t[11] & 0xfffffff;
+    c = t[12] >> 28; t[13] += c; t[12] = t[12] & 0xfffffff;
+    c = t[13] >> 28; t[14] += c; t[13] = t[13] & 0xfffffff;
+    c = t[14] >> 28; t[15] += c; t[14] = t[14] & 0xfffffff;
+    c = t[15] >> 28; t[16] += c; t[15] = t[15] & 0xfffffff;
+    c = t[16] >> 28; t[17] += c; t[16] = t[16] & 0xfffffff;
+    c = t[17] >> 28; t[18] += c; t[17] = t[17] & 0xfffffff;
+    c = t[18] >> 28; t[19] += c; t[18] = t[18] & 0xfffffff;
+    c = t[19] >> 28; t[20] += c; t[19] = t[19] & 0xfffffff;
+    c = t[20] >> 28; t[21] += c; t[20] = t[20] & 0xfffffff;
+    c = t[21] >> 28; t[22] += c; t[21] = t[21] & 0xfffffff;
+    c = t[22] >> 28; t[23] += c; t[22] = t[22] & 0xfffffff;
+    c = t[23] >> 28; t[24] += c; t[23] = t[23] & 0xfffffff;
+    c = t[24] >> 28; t[25] += c; t[24] = t[24] & 0xfffffff;
+    c = t[25] >> 28; t[26] += c; t[25] = t[25] & 0xfffffff;
+    c = t[26] >> 28; t[27] += c; t[26] = t[26] & 0xfffffff;
+    c = t[27] >> 28; t[28] += c; t[27] = t[27] & 0xfffffff;
+    c = t[28] >> 28; t[29] += c; t[28] = t[28] & 0xfffffff;
+    c = t[29] >> 28; t[30] += c; t[29] = t[29] & 0xfffffff;
+    c = t[30] >> 28; t[31] += c; t[30] = t[30] & 0xfffffff;
+    /* Mod top half of extra words */
+    t[ 8] += (int64_t)0x129eec34 * t[24];
+    t[ 9] += (int64_t)0x21cf5b54 * t[24];
+    t[10] += (int64_t)0x29c2ab70 * t[24];
+    t[11] += (int64_t)0x0f635c8c * t[24];
+    t[12] += (int64_t)0x25bf7a4c * t[24];
+    t[13] += (int64_t)0x2d944a70 * t[24];
+    t[14] += (int64_t)0x18eec490 * t[24];
+    t[15] += (int64_t)0x20cd7704 * t[24];
+    t[ 9] += (int64_t)0x129eec34 * t[25];
+    t[10] += (int64_t)0x21cf5b54 * t[25];
+    t[11] += (int64_t)0x29c2ab70 * t[25];
+    t[12] += (int64_t)0x0f635c8c * t[25];
+    t[13] += (int64_t)0x25bf7a4c * t[25];
+    t[14] += (int64_t)0x2d944a70 * t[25];
+    t[15] += (int64_t)0x18eec490 * t[25];
+    t[16] += (int64_t)0x20cd7704 * t[25];
+    t[10] += (int64_t)0x129eec34 * t[26];
+    t[11] += (int64_t)0x21cf5b54 * t[26];
+    t[12] += (int64_t)0x29c2ab70 * t[26];
+    t[13] += (int64_t)0x0f635c8c * t[26];
+    t[14] += (int64_t)0x25bf7a4c * t[26];
+    t[15] += (int64_t)0x2d944a70 * t[26];
+    t[16] += (int64_t)0x18eec490 * t[26];
+    t[17] += (int64_t)0x20cd7704 * t[26];
+    t[11] += (int64_t)0x129eec34 * t[27];
+    t[12] += (int64_t)0x21cf5b54 * t[27];
+    t[13] += (int64_t)0x29c2ab70 * t[27];
+    t[14] += (int64_t)0x0f635c8c * t[27];
+    t[15] += (int64_t)0x25bf7a4c * t[27];
+    t[16] += (int64_t)0x2d944a70 * t[27];
+    t[17] += (int64_t)0x18eec490 * t[27];
+    t[18] += (int64_t)0x20cd7704 * t[27];
+    t[12] += (int64_t)0x129eec34 * t[28];
+    t[13] += (int64_t)0x21cf5b54 * t[28];
+    t[14] += (int64_t)0x29c2ab70 * t[28];
+    t[15] += (int64_t)0x0f635c8c * t[28];
+    t[16] += (int64_t)0x25bf7a4c * t[28];
+    t[17] += (int64_t)0x2d944a70 * t[28];
+    t[18] += (int64_t)0x18eec490 * t[28];
+    t[19] += (int64_t)0x20cd7704 * t[28];
+    t[13] += (int64_t)0x129eec34 * t[29];
+    t[14] += (int64_t)0x21cf5b54 * t[29];
+    t[15] += (int64_t)0x29c2ab70 * t[29];
+    t[16] += (int64_t)0x0f635c8c * t[29];
+    t[17] += (int64_t)0x25bf7a4c * t[29];
+    t[18] += (int64_t)0x2d944a70 * t[29];
+    t[19] += (int64_t)0x18eec490 * t[29];
+    t[20] += (int64_t)0x20cd7704 * t[29];
+    t[14] += (int64_t)0x129eec34 * t[30];
+    t[15] += (int64_t)0x21cf5b54 * t[30];
+    t[16] += (int64_t)0x29c2ab70 * t[30];
+    t[17] += (int64_t)0x0f635c8c * t[30];
+    t[18] += (int64_t)0x25bf7a4c * t[30];
+    t[19] += (int64_t)0x2d944a70 * t[30];
+    t[20] += (int64_t)0x18eec490 * t[30];
+    t[21] += (int64_t)0x20cd7704 * t[30];
+    t[15] += (int64_t)0x129eec34 * t[31];
+    t[16] += (int64_t)0x21cf5b54 * t[31];
+    t[17] += (int64_t)0x29c2ab70 * t[31];
+    t[18] += (int64_t)0x0f635c8c * t[31];
+    t[19] += (int64_t)0x25bf7a4c * t[31];
+    t[20] += (int64_t)0x2d944a70 * t[31];
+    t[21] += (int64_t)0x18eec490 * t[31];
+    t[22] += (int64_t)0x20cd7704 * t[31];
+    /* Propagate carries */
+    c = t[ 8] >> 28; t[ 9] += c; t[ 8] = t[ 8] & 0xfffffff;
+    c = t[ 9] >> 28; t[10] += c; t[ 9] = t[ 9] & 0xfffffff;
+    c = t[10] >> 28; t[11] += c; t[10] = t[10] & 0xfffffff;
+    c = t[11] >> 28; t[12] += c; t[11] = t[11] & 0xfffffff;
+    c = t[12] >> 28; t[13] += c; t[12] = t[12] & 0xfffffff;
+    c = t[13] >> 28; t[14] += c; t[13] = t[13] & 0xfffffff;
+    c = t[14] >> 28; t[15] += c; t[14] = t[14] & 0xfffffff;
+    c = t[15] >> 28; t[16] += c; t[15] = t[15] & 0xfffffff;
+    c = t[16] >> 28; t[17] += c; t[16] = t[16] & 0xfffffff;
+    c = t[17] >> 28; t[18] += c; t[17] = t[17] & 0xfffffff;
+    c = t[18] >> 28; t[19] += c; t[18] = t[18] & 0xfffffff;
+    c = t[19] >> 28; t[20] += c; t[19] = t[19] & 0xfffffff;
+    c = t[20] >> 28; t[21] += c; t[20] = t[20] & 0xfffffff;
+    c = t[21] >> 28; t[22] += c; t[21] = t[21] & 0xfffffff;
+    c = t[22] >> 28; t[23] += c; t[22] = t[22] & 0xfffffff;
+    /* Mod bottom half of extra words */
+    t[ 0] += (int64_t)0x129eec34 * t[16];
+    t[ 1] += (int64_t)0x21cf5b54 * t[16];
+    t[ 2] += (int64_t)0x29c2ab70 * t[16];
+    t[ 3] += (int64_t)0x0f635c8c * t[16];
+    t[ 4] += (int64_t)0x25bf7a4c * t[16];
+    t[ 5] += (int64_t)0x2d944a70 * t[16];
+    t[ 6] += (int64_t)0x18eec490 * t[16];
+    t[ 7] += (int64_t)0x20cd7704 * t[16];
+    t[ 1] += (int64_t)0x129eec34 * t[17];
+    t[ 2] += (int64_t)0x21cf5b54 * t[17];
+    t[ 3] += (int64_t)0x29c2ab70 * t[17];
+    t[ 4] += (int64_t)0x0f635c8c * t[17];
+    t[ 5] += (int64_t)0x25bf7a4c * t[17];
+    t[ 6] += (int64_t)0x2d944a70 * t[17];
+    t[ 7] += (int64_t)0x18eec490 * t[17];
+    t[ 8] += (int64_t)0x20cd7704 * t[17];
+    t[ 2] += (int64_t)0x129eec34 * t[18];
+    t[ 3] += (int64_t)0x21cf5b54 * t[18];
+    t[ 4] += (int64_t)0x29c2ab70 * t[18];
+    t[ 5] += (int64_t)0x0f635c8c * t[18];
+    t[ 6] += (int64_t)0x25bf7a4c * t[18];
+    t[ 7] += (int64_t)0x2d944a70 * t[18];
+    t[ 8] += (int64_t)0x18eec490 * t[18];
+    t[ 9] += (int64_t)0x20cd7704 * t[18];
+    t[ 3] += (int64_t)0x129eec34 * t[19];
+    t[ 4] += (int64_t)0x21cf5b54 * t[19];
+    t[ 5] += (int64_t)0x29c2ab70 * t[19];
+    t[ 6] += (int64_t)0x0f635c8c * t[19];
+    t[ 7] += (int64_t)0x25bf7a4c * t[19];
+    t[ 8] += (int64_t)0x2d944a70 * t[19];
+    t[ 9] += (int64_t)0x18eec490 * t[19];
+    t[10] += (int64_t)0x20cd7704 * t[19];
+    t[ 4] += (int64_t)0x129eec34 * t[20];
+    t[ 5] += (int64_t)0x21cf5b54 * t[20];
+    t[ 6] += (int64_t)0x29c2ab70 * t[20];
+    t[ 7] += (int64_t)0x0f635c8c * t[20];
+    t[ 8] += (int64_t)0x25bf7a4c * t[20];
+    t[ 9] += (int64_t)0x2d944a70 * t[20];
+    t[10] += (int64_t)0x18eec490 * t[20];
+    t[11] += (int64_t)0x20cd7704 * t[20];
+    t[ 5] += (int64_t)0x129eec34 * t[21];
+    t[ 6] += (int64_t)0x21cf5b54 * t[21];
+    t[ 7] += (int64_t)0x29c2ab70 * t[21];
+    t[ 8] += (int64_t)0x0f635c8c * t[21];
+    t[ 9] += (int64_t)0x25bf7a4c * t[21];
+    t[10] += (int64_t)0x2d944a70 * t[21];
+    t[11] += (int64_t)0x18eec490 * t[21];
+    t[12] += (int64_t)0x20cd7704 * t[21];
+    t[ 6] += (int64_t)0x129eec34 * t[22];
+    t[ 7] += (int64_t)0x21cf5b54 * t[22];
+    t[ 8] += (int64_t)0x29c2ab70 * t[22];
+    t[ 9] += (int64_t)0x0f635c8c * t[22];
+    t[10] += (int64_t)0x25bf7a4c * t[22];
+    t[11] += (int64_t)0x2d944a70 * t[22];
+    t[12] += (int64_t)0x18eec490 * t[22];
+    t[13] += (int64_t)0x20cd7704 * t[22];
+    t[ 7] += (int64_t)0x129eec34 * t[23];
+    t[ 8] += (int64_t)0x21cf5b54 * t[23];
+    t[ 9] += (int64_t)0x29c2ab70 * t[23];
+    t[10] += (int64_t)0x0f635c8c * t[23];
+    t[11] += (int64_t)0x25bf7a4c * t[23];
+    t[12] += (int64_t)0x2d944a70 * t[23];
+    t[13] += (int64_t)0x18eec490 * t[23];
+    t[14] += (int64_t)0x20cd7704 * t[23];
+    /* Propagate carries */
+    c = t[ 0] >> 28; t[ 1] += c; rd[ 0] = (int32_t)(t[ 0] & 0xfffffff);
+    c = t[ 1] >> 28; t[ 2] += c; rd[ 1] = (int32_t)(t[ 1] & 0xfffffff);
+    c = t[ 2] >> 28; t[ 3] += c; rd[ 2] = (int32_t)(t[ 2] & 0xfffffff);
+    c = t[ 3] >> 28; t[ 4] += c; rd[ 3] = (int32_t)(t[ 3] & 0xfffffff);
+    c = t[ 4] >> 28; t[ 5] += c; rd[ 4] = (int32_t)(t[ 4] & 0xfffffff);
+    c = t[ 5] >> 28; t[ 6] += c; rd[ 5] = (int32_t)(t[ 5] & 0xfffffff);
+    c = t[ 6] >> 28; t[ 7] += c; rd[ 6] = (int32_t)(t[ 6] & 0xfffffff);
+    c = t[ 7] >> 28; t[ 8] += c; rd[ 7] = (int32_t)(t[ 7] & 0xfffffff);
+    c = t[ 8] >> 28; t[ 9] += c; rd[ 8] = (int32_t)(t[ 8] & 0xfffffff);
+    c = t[ 9] >> 28; t[10] += c; rd[ 9] = (int32_t)(t[ 9] & 0xfffffff);
+    c = t[10] >> 28; t[11] += c; rd[10] = (int32_t)(t[10] & 0xfffffff);
+    c = t[11] >> 28; t[12] += c; rd[11] = (int32_t)(t[11] & 0xfffffff);
+    c = t[12] >> 28; t[13] += c; rd[12] = (int32_t)(t[12] & 0xfffffff);
+    c = t[13] >> 28; t[14] += c; rd[13] = (int32_t)(t[13] & 0xfffffff);
+    c = t[14] >> 28; t[15] += c; rd[14] = (int32_t)(t[14] & 0xfffffff);
+    rd[15] = t[15];
+    /* Mod bits over 28 in last word */
+    o = rd[15] >> 26; rd[15] &= 0x3ffffff;
+    rd[ 0] += 0x4a7bb0d * o;
+    rd[ 1] += 0x873d6d5 * o;
+    rd[ 2] += 0xa70aadc * o;
+    rd[ 3] += 0x3d8d723 * o;
+    rd[ 4] += 0x96fde93 * o;
+    rd[ 5] += 0xb65129c * o;
+    rd[ 6] += 0x63bb124 * o;
+    rd[ 7] += 0x8335dc1 * o;
+    /* Propagate carries */
+    o = rd[ 0] >> 28; rd[ 1] += o; rd[ 0] = rd[ 0] & 0xfffffff;
+    o = rd[ 1] >> 28; rd[ 2] += o; rd[ 1] = rd[ 1] & 0xfffffff;
+    o = rd[ 2] >> 28; rd[ 3] += o; rd[ 2] = rd[ 2] & 0xfffffff;
+    o = rd[ 3] >> 28; rd[ 4] += o; rd[ 3] = rd[ 3] & 0xfffffff;
+    o = rd[ 4] >> 28; rd[ 5] += o; rd[ 4] = rd[ 4] & 0xfffffff;
+    o = rd[ 5] >> 28; rd[ 6] += o; rd[ 5] = rd[ 5] & 0xfffffff;
+    o = rd[ 6] >> 28; rd[ 7] += o; rd[ 6] = rd[ 6] & 0xfffffff;
+    o = rd[ 7] >> 28; rd[ 8] += o; rd[ 7] = rd[ 7] & 0xfffffff;
+    o = rd[ 8] >> 28; rd[ 9] += o; rd[ 8] = rd[ 8] & 0xfffffff;
+    o = rd[ 9] >> 28; rd[10] += o; rd[ 9] = rd[ 9] & 0xfffffff;
+    o = rd[10] >> 28; rd[11] += o; rd[10] = rd[10] & 0xfffffff;
+    o = rd[11] >> 28; rd[12] += o; rd[11] = rd[11] & 0xfffffff;
+    o = rd[12] >> 28; rd[13] += o; rd[12] = rd[12] & 0xfffffff;
+    o = rd[13] >> 28; rd[14] += o; rd[13] = rd[13] & 0xfffffff;
+    o = rd[14] >> 28; rd[15] += o; rd[14] = rd[14] & 0xfffffff;
+
+    /* Convert to bytes */
+    r[ 0] = (rd[0 ] >>  0);
+    r[ 1] = (rd[0 ] >>  8);
+    r[ 2] = (rd[0 ] >> 16);
+    r[ 3] = (rd[0 ] >> 24) + ((rd[1 ] >>  0) <<  4);
+    r[ 4] = (rd[1 ] >>  4);
+    r[ 5] = (rd[1 ] >> 12);
+    r[ 6] = (rd[1 ] >> 20);
+    r[ 7] = (rd[2 ] >>  0);
+    r[ 8] = (rd[2 ] >>  8);
+    r[ 9] = (rd[2 ] >> 16);
+    r[10] = (rd[2 ] >> 24) + ((rd[3 ] >>  0) <<  4);
+    r[11] = (rd[3 ] >>  4);
+    r[12] = (rd[3 ] >> 12);
+    r[13] = (rd[3 ] >> 20);
+    r[14] = (rd[4 ] >>  0);
+    r[15] = (rd[4 ] >>  8);
+    r[16] = (rd[4 ] >> 16);
+    r[17] = (rd[4 ] >> 24) + ((rd[5 ] >>  0) <<  4);
+    r[18] = (rd[5 ] >>  4);
+    r[19] = (rd[5 ] >> 12);
+    r[20] = (rd[5 ] >> 20);
+    r[21] = (rd[6 ] >>  0);
+    r[22] = (rd[6 ] >>  8);
+    r[23] = (rd[6 ] >> 16);
+    r[24] = (rd[6 ] >> 24) + ((rd[7 ] >>  0) <<  4);
+    r[25] = (rd[7 ] >>  4);
+    r[26] = (rd[7 ] >> 12);
+    r[27] = (rd[7 ] >> 20);
+    r[28] = (rd[8 ] >>  0);
+    r[29] = (rd[8 ] >>  8);
+    r[30] = (rd[8 ] >> 16);
+    r[31] = (rd[8 ] >> 24) + ((rd[9 ] >>  0) <<  4);
+    r[32] = (rd[9 ] >>  4);
+    r[33] = (rd[9 ] >> 12);
+    r[34] = (rd[9 ] >> 20);
+    r[35] = (rd[10] >>  0);
+    r[36] = (rd[10] >>  8);
+    r[37] = (rd[10] >> 16);
+    r[38] = (rd[10] >> 24) + ((rd[11] >>  0) <<  4);
+    r[39] = (rd[11] >>  4);
+    r[40] = (rd[11] >> 12);
+    r[41] = (rd[11] >> 20);
+    r[42] = (rd[12] >>  0);
+    r[43] = (rd[12] >>  8);
+    r[44] = (rd[12] >> 16);
+    r[45] = (rd[12] >> 24) + ((rd[13] >>  0) <<  4);
+    r[46] = (rd[13] >>  4);
+    r[47] = (rd[13] >> 12);
+    r[48] = (rd[13] >> 20);
+    r[49] = (rd[14] >>  0);
+    r[50] = (rd[14] >>  8);
+    r[51] = (rd[14] >> 16);
+    r[52] = (rd[14] >> 24) + ((rd[15] >>  0) <<  4);
+    r[53] = (rd[15] >>  4);
+    r[54] = (rd[15] >> 12);
+    r[55] = (rd[15] >> 20);
+    r[56] = 0;
+}
+
+/* Precomputed multiples of the base point. */
+static const ge448_precomp base[58][8] = {
+{
+    {
+        { 0x70cc05e, 0x26a82bc, 0x0938e26, 0x80e18b0, 0x511433b, 0xf72ab66,
+          0x412ae1a, 0xa3d3a46, 0xa6de324, 0x0f1767e, 0x4657047, 0x36da9e1,
+          0x5a622bf, 0xed221d1, 0x66bed0d, 0x4f1970c },
+        { 0x230fa14, 0x08795bf, 0x7c8ad98, 0x132c4ed, 0x9c4fdbd, 0x1ce67c3,
+          0x73ad3ff, 0x05a0c2d, 0x7789c1e, 0xa398408, 0xa73736c, 0xc7624be,
+          0x03756c9, 0x2488762, 0x16eb6bc, 0x693f467 }
+    },
+    {
+        { 0x5555555, 0x5555555, 0x5555555, 0x5555555, 0x5555555, 0x5555555,
+          0x5555555, 0x5555555, 0xaaaaaa9, 0xaaaaaaa, 0xaaaaaaa, 0xaaaaaaa,
+          0xaaaaaaa, 0xaaaaaaa, 0xaaaaaaa, 0xaaaaaaa },
+        { 0xa9386ed, 0xeafbcde, 0xda06bda, 0xb2bed1c, 0x098bbbc, 0x833a2a3,
+          0x80d6565, 0x8ad8c4b, 0x7e36d72, 0x884dd7b, 0xed7a035, 0xc2b0036,
+          0x6205086, 0x8db359d, 0x34ad704, 0xae05e96 }
+    },
+    {
+        { 0x6ff2f8f, 0x2817328, 0xda85757, 0xb769465, 0xfd6e862, 0xf7f6271,
+          0x8daa9cb, 0x4a3fcfe, 0x2ba077a, 0xda82c7e, 0x41b8b8c, 0x9433322,
+          0x4316cb6, 0x6455bd6, 0xb9108af, 0x0865886 },
+        { 0x88ed6fc, 0x22ac135, 0x02dafb8, 0x9a68fed, 0x7f0bffa, 0x1bdb676,
+          0x8bb3a33, 0xec4e1d5, 0xce43c82, 0x56c3b9f, 0xa8d9523, 0xa6449a4,
+          0xa7ad43a, 0xf706cbd, 0xbd5125c, 0xe005a8d }
+    },
+    {
+        { 0x8ba7f30, 0xce42ac4, 0x9e120e2, 0xe179894, 0x8ba21ae, 0xf1515dd,
+          0x301b7bd, 0x70c74cc, 0x3fda4be, 0x0891c69, 0xa09cf4e, 0x29ea255,
+          0x17226f9, 0x2c1419a, 0xc6c0cce, 0x49dcbc5 },
+        { 0xde51839, 0xe236f86, 0xd4f5b32, 0x44285d0, 0x472b5d4, 0x7ea1ca9,
+          0x1c0d8f9, 0x7b8a5bc, 0x90dc322, 0x57d845c, 0x7c02f04, 0x1b979cb,
+          0x3a5de02, 0x27164b3, 0x4accde5, 0xd49077e }
+    },
+    {
+        { 0x2030034, 0xa99d109, 0x6f950d0, 0x2d8cefc, 0xc96f07b, 0x7a920c3,
+          0x08bc0d5, 0x9588128, 0x6d761e8, 0x62ada75, 0xbcf7285, 0x0def80c,
+          0x01eedb5, 0x0e2ba76, 0x5a48dcb, 0x7a9f933 },
+        { 0x2f435eb, 0xb473147, 0xf225443, 0x5512881, 0x33c5840, 0xee59d2b,
+          0x127d7a4, 0xb698017, 0x86551f7, 0xb18fced, 0xca1823a, 0x0ade260,
+          0xce4fd58, 0xd3b9109, 0xa2517ed, 0xadfd751 }
+    },
+    {
+        { 0xabef79c, 0x7fd7652, 0x443a878, 0x6c20a07, 0x12a7109, 0x5c1840d,
+          0x876451c, 0x4a06e4a, 0xad95f65, 0x3bed0b4, 0x3fb0260, 0x25d2e67,
+          0xaebd971, 0x2e00349, 0x4498b72, 0x54523e0 },
+        { 0x07c7bcc, 0xea5d1da, 0x38ea98c, 0xcce7769, 0x61d2b3e, 0x80284e8,
+          0x6e1ff1b, 0x48de76b, 0x9c58522, 0x7b12186, 0x2765a1a, 0xbfd053a,
+          0x056c667, 0x2d743ec, 0xd8ab61c, 0x3f99b9c }
+    },
+    {
+        { 0xeb5eaf7, 0xdf9567c, 0x78ac7d7, 0x110a6b4, 0x4706e0b, 0x2d33501,
+          0x0b5a209, 0x0df9c7b, 0x568e684, 0xba4223d, 0x8c3719b, 0xd78af2d,
+          0xa5291b6, 0x77467b9, 0x5c89bef, 0x079748e },
+        { 0xdac377f, 0xe20d3fa, 0x72b5c09, 0x34e8669, 0xc40bbb7, 0xd8687a3,
+          0xd2f84c9, 0x7b3946f, 0xa78f50e, 0xd00e40c, 0x17e7179, 0xb875944,
+          0xcb23583, 0x9c7373b, 0xc90fd69, 0x7ddeda3 }
+    },
+    {
+        { 0x153bde0, 0x2538a67, 0x406b696, 0x223aca9, 0x1ad713e, 0xf9080dc,
+          0xd816a64, 0x6c4cb47, 0x5dc8b97, 0xbc28568, 0xc08e2d7, 0xd97b037,
+          0x5d0e66b, 0x5b63fb4, 0x520e8a3, 0xd1f1bc5 },
+        { 0xe69e09b, 0x4eb873c, 0xbc8ee45, 0x1663164, 0xba8d89f, 0x08f7003,
+          0x386ad82, 0x4b98ead, 0xbd94c7b, 0xa4b93b7, 0xc6b38b3, 0x46ba408,
+          0xf3574ff, 0xdae87d1, 0xe9bea9b, 0xc7564f4 }
+    },
+},
+{
+    {
+        { 0x5bfac1c, 0x2e4fdb2, 0xf5f3bca, 0xf0d79aa, 0x20fb7cc, 0xe756b0d,
+          0xb39609a, 0xe3696be, 0x5a5ab58, 0xa019fc3, 0x3b281dd, 0xa2b2485,
+          0x61ac0a2, 0xe3e2be7, 0xeb56730, 0xf19c34f },
+        { 0xa30241e, 0x2d25ce8, 0xb73d7a1, 0xf5661ea, 0xdaac9f4, 0x4611ed0,
+          0x4ced72c, 0xd544234, 0xe92e985, 0xce78f52, 0x4da4aad, 0x6fe5dd4,
+          0x1d363ce, 0xfcaddc6, 0xc9111bf, 0x3beb69c }
+    },
+    {
+        { 0x940ebc9, 0xd2e7660, 0xb17bbe0, 0xe032018, 0x75c0575, 0xad49391,
+          0x21c7f34, 0xdd0b147, 0x3e147e0, 0x52c2ba4, 0x0ee8973, 0x7dd03c6,
+          0xecf2754, 0x5472e8d, 0xd6482bb, 0x17a1cd1 },
+        { 0x8128b3f, 0xdd43b84, 0xea7dd25, 0xf0cae34, 0xff07df2, 0x81ca99f,
+          0x92ebbdc, 0x1c89597, 0x72155e6, 0x45c7a68, 0x39ddd08, 0x907a50e,
+          0xbb2d89b, 0xbe398c2, 0x1b3b536, 0x38063f9 }
+    },
+    {
+        { 0xf843b23, 0x149fafb, 0xac7f22a, 0x00ab582, 0xf2f4d4c, 0xa3b981b,
+          0x4341a22, 0x2ce1a65, 0x7c03b63, 0x68a4074, 0x12f2cf8, 0x63206a2,
+          0x5149741, 0xc9961d3, 0xbc7099e, 0xfb85430 },
+        { 0x90a9e59, 0x9c91072, 0x06de367, 0x734e94a, 0xdb99214, 0x5cf3cbe,
+          0x45b1fb9, 0xc6bce32, 0xdd7be0d, 0x1a82abe, 0xede7d1c, 0xf74976a,
+          0x21503bd, 0x7025b7c, 0x0d096ab, 0xf789491 }
+    },
+    {
+        { 0x555a41b, 0x6bd48bb, 0x67de206, 0xfbdd0d0, 0xdd6dfd1, 0x98bc477,
+          0x3e40b8a, 0x1d0693b, 0xda32ae4, 0x6e15563, 0xfcebaa2, 0x0194a20,
+          0x0980a93, 0xda11615, 0x0109cec, 0x8e11920 },
+        { 0xffb9726, 0x8ea0552, 0x047e44b, 0xeba50a4, 0x60ddf76, 0xc050d24,
+          0xac690e0, 0xe009204, 0x9b18edc, 0x47b8639, 0xc77f23f, 0x2f5b76a,
+          0x0792905, 0x4296c24, 0x06f6dc7, 0x73f6b4a }
+    },
+    {
+        { 0x3b10cad, 0xb6ef9ea, 0xf7c8fce, 0x312843d, 0x8bedf86, 0x5bdcd52,
+          0xf6dd823, 0x2889059, 0x08bfde0, 0x04578e9, 0x123e2e5, 0x3245df3,
+          0x7ee9e3a, 0xbf461d5, 0x6f94ceb, 0xddec2d4 },
+        { 0x145768f, 0x21b43b9, 0xdae962a, 0xe79a8f9, 0xcbb043f, 0xff1972b,
+          0x239649b, 0xe3dcf6d, 0xc533b85, 0xed592bd, 0xdbe22d0, 0x14ff94f,
+          0xf1d8e22, 0x6c4eb87, 0xd18cf6d, 0xd8d4c71 }
+    },
+    {
+        { 0x8d96345, 0xcda666c, 0x836cd21, 0x9ecaa25, 0x984606e, 0x6e885bd,
+          0x804f054, 0x1dd5fef, 0x6959ae4, 0x9dfff6b, 0xc9b55cc, 0x99b9cf8,
+          0x62b9b80, 0xb4716b0, 0x554b128, 0x13ec87c },
+        { 0x75aacc2, 0xe696d1f, 0x87fc5ff, 0xf78c993, 0x3809d42, 0x76c0947,
+          0xb618fa8, 0x99ce62d, 0x2f53341, 0x35e3e02, 0x0db6c5e, 0x62fc1ac,
+          0x00d8b47, 0xa1fb8e6, 0x58f0d1e, 0x0bc1070 }
+    },
+    {
+        { 0x16da513, 0x1f45269, 0xf5cf341, 0x1f2fc04, 0x64d23e0, 0xae92086,
+          0xda8a113, 0x4e33082, 0x1cfc085, 0x2688ec6, 0x6e5327f, 0x6f2e8de,
+          0xb4e48a8, 0x2070db3, 0x3240ade, 0xd662697 },
+        { 0xfbd997b, 0xa6b317f, 0x49e26bd, 0x9fa1b56, 0x8cba0f3, 0xcbf0d25,
+          0x17b4745, 0x4a7791b, 0x5c9e190, 0x25f555b, 0x923ec4c, 0x7cd3940,
+          0xe98f1b6, 0x16f4c6a, 0xbcd4e0f, 0x7962116 }
+    },
+    {
+        { 0x02491e3, 0x8d58fa3, 0x7ab3898, 0x7cf76c6, 0x647ebc7, 0xbc2f657,
+          0xd25f5a3, 0x5f4bfe0, 0xd69505d, 0x503f478, 0x3fb6645, 0x4a889fc,
+          0xfa86b18, 0x33e1bc1, 0x5508dd8, 0xabb234f },
+        { 0x9a05b48, 0x5348e1b, 0x64dc858, 0x57ac5f1, 0xec8a2d3, 0x21f4d38,
+          0xa3a3e9d, 0x5ec6d3c, 0x560a0b8, 0xcd4062e, 0x3433f59, 0x49b74f7,
+          0xcab14e3, 0xefd9d87, 0xeb964f5, 0x858ce7f }
+    },
+},
+{
+    {
+        { 0xeb731b4, 0x7577254, 0x4e2397e, 0x9fff1fb, 0xc821715, 0x749b145,
+          0x2e65e67, 0x40619fe, 0x2e618d8, 0x57b8281, 0x707b83e, 0x063186c,
+          0x31b24a2, 0xcfc80cb, 0xac75169, 0xcca6185 },
+        { 0xb255818, 0x6539f44, 0x0368bce, 0x5895da0, 0x17c7482, 0x841a309,
+          0xb1a9c9e, 0x85469e1, 0xe4f7d9d, 0x05664c0, 0x7b35cc0, 0x8a06318,
+          0xa0e9b0a, 0x214763a, 0x4b26ac2, 0x1bd872c }
+    },
+    {
+        { 0xa93762b, 0x3578f97, 0x72d52bc, 0x434f69a, 0x22cb565, 0xddcca40,
+          0xff20544, 0xa7d1e41, 0x8a66588, 0x823475d, 0x99d7baf, 0x9fc97c7,
+          0x660e421, 0x15542f1, 0x843faf6, 0xa7d1f60 },
+        { 0x4063ccc, 0xbbfaab5, 0xa49855a, 0x3ad9bad, 0x5bddbfe, 0xffd5f1c,
+          0xae87e59, 0x0e419c2, 0xf89956b, 0xdce6ed6, 0xccd8951, 0xf047c21,
+          0xa83c991, 0x6ed4a1b, 0x2d28e0a, 0x85af86e }
+    },
+    {
+        { 0x9ed48a8, 0x04433c4, 0x0bc375d, 0xeffa858, 0xfa6e3b5, 0xfb0e1b2,
+          0xa1aadda, 0x51483a2, 0xf8b2ea8, 0x733448d, 0xf639f0c, 0xaa0513c,
+          0xa23bf84, 0x6bc61a3, 0xdc2430d, 0x3e64f68 },
+        { 0xc5876b1, 0x51bf502, 0x1c0dd2a, 0x6b83375, 0x342914f, 0xe597be1,
+          0xf8e632c, 0x43d5ab0, 0xd62587b, 0x2696715, 0xed34f24, 0xe87d20a,
+          0xe18baf7, 0x25b7e14, 0xe22e084, 0xf5eb753 }
+    },
+    {
+        { 0x24d8295, 0x51da717, 0x18d1340, 0xd478e43, 0x2cf7f66, 0xacf94f4,
+          0x3760711, 0x230d7d1, 0x5abc626, 0x078a66a, 0x6b5f6da, 0xd78b0bd,
+          0x96d1d0b, 0x23a9713, 0x4bd960f, 0x87623d6 },
+        { 0x77db53f, 0x0841a99, 0xf4d03ee, 0x23c1a53, 0x1f95df1, 0x2f62c2e,
+          0x116f4e7, 0xd1e2ec1, 0x34811a9, 0x896d2fe, 0xec8096e, 0xad65e2b,
+          0xb1744a6, 0x09d36f9, 0xff5ddf7, 0x564bac7 }
+    },
+    {
+        { 0xc3f77cb, 0x48b41e2, 0x0968938, 0x5227673, 0xfd9b452, 0xff1b899,
+          0x2e03908, 0x67cf3bf, 0x248a6fb, 0x3731d90, 0x256598f, 0xd800a05,
+          0xbdc8530, 0x347d2f2, 0x7ad08a1, 0xc72a300 },
+        { 0x1d65f73, 0x5e5be74, 0x4206ead, 0x183d4ae, 0xade4013, 0xcb50c1c,
+          0x3102483, 0x39db43d, 0x70d6325, 0x0eb49fa, 0xc1f02b9, 0xa18f6a2,
+          0xdbf5e66, 0x3e6fe30, 0x3a82aa5, 0xac4eeb9 }
+    },
+    {
+        { 0x3613d47, 0x295affd, 0xb56f343, 0x7b7e68a, 0x92b173b, 0x9806296,
+          0xbad35fb, 0x937061e, 0x5c21eea, 0x2501978, 0x787a746, 0xe92721b,
+          0x3651631, 0x463c46c, 0xc6f2d5a, 0x6da4b5d },
+        { 0x6e6d18c, 0xcb67cc1, 0x0010588, 0x1b30d52, 0xdb1d1e8, 0x1bb6ea6,
+          0xad11474, 0x9c6308a, 0x3d19b1c, 0xc316741, 0xbe4fb79, 0xf2e84d7,
+          0xe050f77, 0xeccb873, 0xcc2bf86, 0xf7c8d80 }
+    },
+    {
+        { 0x7ab20e5, 0x16fe2e1, 0xecf3a92, 0x274dead, 0x0972f67, 0x9f43487,
+          0x4605751, 0x9a65a45, 0xb8980b2, 0x9351f07, 0x0eb08a5, 0x412962b,
+          0x733f440, 0xb8c9bfd, 0x1ca250f, 0xac2cd64 },
+        { 0x2ba7d26, 0x68cdd0f, 0x4e0beea, 0xd3d2a4a, 0x9f4a258, 0x50135c1,
+          0xf0d02e4, 0xb475e53, 0x589283a, 0x432d8c6, 0xa0a2b6c, 0x29141bf,
+          0x13704bc, 0xd7379ec, 0x52459bf, 0x831562c }
+    },
+    {
+        { 0xeeec506, 0x676b366, 0x45da557, 0xdd6cad5, 0x77057d2, 0x9de39cb,
+          0xdf05bf1, 0x388c5fe, 0xdfb1f03, 0x6e55650, 0x52126c9, 0xdbceffa,
+          0x3a4a220, 0xe4d187b, 0xeb27020, 0xac914f9 },
+        { 0xd2e5f30, 0x3f4ab98, 0xdd94451, 0x6ae97da, 0x0d80981, 0x64af695,
+          0xf2aa2ce, 0x36b4b90, 0x18fcf59, 0x6adcd7a, 0xc116c81, 0x3ddfe6d,
+          0x549b9e3, 0x661072b, 0xec4584d, 0xd9e3134 }
+    },
+},
+{
+    {
+        { 0xa1e400c, 0x6e46707, 0x551e806, 0xcdc990b, 0x3a07724, 0xfa51251,
+          0x1b3e4f5, 0x500553f, 0xef4dac3, 0x67e8b58, 0x2cb4cc7, 0x958349f,
+          0x7f9143c, 0x948b4ed, 0x2b7822b, 0xe646d09 },
+        { 0x2bc3c26, 0xd185dd5, 0xc837fc9, 0x34ba16e, 0x5a788b7, 0x516d4ba,
+          0x56142b0, 0x72f2de7, 0xf445b3d, 0x5846f61, 0xf4631a1, 0xdaec5c9,
+          0x169ea9b, 0xa10b18d, 0xaf6751b, 0x85d2998 }
+    },
+    {
+        { 0x43ddf31, 0xda0cac4, 0x1860911, 0x0966e17, 0x3cba600, 0x9c3a717,
+          0x571f895, 0x5781880, 0x737ac21, 0x5e2a927, 0x6c253fb, 0x8a46148,
+          0x95ee626, 0xe801cf5, 0x5f84fc0, 0x271166a },
+        { 0xba856bd, 0x306937f, 0xbe80a43, 0x80cb179, 0xffb5980, 0x70393b2,
+          0x660fc64, 0xa8e4a1c, 0xc0d5c98, 0x5078abf, 0xfbd31ff, 0x62ba530,
+          0x9e51b88, 0xda60844, 0x355ae15, 0xdb6ecb0 }
+    },
+    {
+        { 0x23c5d49, 0xbcbb6ea, 0x87959bc, 0x08906ba, 0x0991665, 0x61cc088,
+          0xd90d13c, 0x21d6b41, 0xd03afe9, 0x0c27ac1, 0x5cfea52, 0x159995f,
+          0xbdfe220, 0x4057e20, 0xcbdf058, 0xdd1b349 },
+        { 0x2e37159, 0x0cd6626, 0x3eb0d17, 0x8cea8e4, 0x5bce7f0, 0x553af08,
+          0x5b6511d, 0xb94cb5f, 0x50e0330, 0x7b8d3a5, 0x57ab7e7, 0x4159110,
+          0x6aa886f, 0x320820e, 0xc5b6b81, 0x130d4d6 }
+    },
+    {
+        { 0xc7bb2ed, 0x2f98059, 0xa49bdfb, 0x33ebf4c, 0xb0a675b, 0x04c72a1,
+          0xadb6c14, 0x94f9ea4, 0xcf728c0, 0x03376d8, 0x4c6eb6a, 0x5c059d3,
+          0xeb8da48, 0x0178408, 0x2956817, 0x8bf607b },
+        { 0xceb3d28, 0x7ad2822, 0x37ae653, 0xd07a403, 0xc1e46b2, 0xbc68739,
+          0x9154ba9, 0x15d7cca, 0xa26617d, 0x6b97103, 0xb2e0d28, 0xa610314,
+          0xfd4d363, 0x52a08ba, 0xc7dc2af, 0x80c2638 }
+    },
+    {
+        { 0x3187140, 0x0cde7ef, 0x4b70acd, 0x93b92ca, 0x7a79cdc, 0x5696e50,
+          0x8eaab66, 0x73cc972, 0x8f1b0c7, 0x6b8c5b6, 0x4f7e0b1, 0xb39a318,
+          0x376108a, 0x72cfb0d, 0x98536a7, 0x0c53efc },
+        { 0x24c2f1e, 0x03b52a8, 0x6399b78, 0x717132e, 0x349a85d, 0x31ebd25,
+          0x1a200d4, 0x265ee81, 0x407d7ad, 0x0b1aad2, 0x94d2962, 0x9a9ebc8,
+          0x41171d9, 0x994e6cd, 0x6c8fa83, 0x09178d8 }
+    },
+    {
+        { 0xa2593a1, 0x7d1d238, 0xb38fb19, 0x863e93a, 0xe7712a9, 0xd23a4cc,
+          0x27efcd5, 0x7477b13, 0x1392f6c, 0x3ba69ff, 0xf7bb5a5, 0x63e0c32,
+          0x026effd, 0x20412c0, 0xef424ab, 0xd3ee8e4 },
+        { 0x64e5174, 0x14c0b2d, 0xe58c47b, 0x2a611f2, 0xc1e8635, 0xaa58a06,
+          0xcf17034, 0x1870c3e, 0x83f1bf3, 0xb0d5e34, 0x16c7eb3, 0xb19905c,
+          0x6efa4ca, 0xbf85d62, 0x180f92b, 0xfd16b2f }
+    },
+    {
+        { 0x3adcb48, 0xc0431af, 0xba90496, 0xc9a7a8d, 0x3895294, 0xd765a16,
+          0x551de70, 0xb02a41a, 0x749b8a1, 0xb71b261, 0xc6f3e47, 0x0dfa89e,
+          0x0f5d9ce, 0x392c0d8, 0x31aee3c, 0x43c59d8 },
+        { 0x4d76f49, 0x94bfb6d, 0x27d68a5, 0xe8f5b82, 0x630fd08, 0x78ae1d9,
+          0xce1bdae, 0x1379029, 0x66715dc, 0x9689da0, 0xd3278c7, 0x5d4cb24,
+          0x9e84fbc, 0x77c9833, 0xea1048c, 0xc8478dc }
+    },
+    {
+        { 0x770d2ba, 0xe4b8f31, 0x42ea095, 0x744f652, 0x036f138, 0xd06e090,
+          0x3b078ca, 0xd3a3d5b, 0x78b8417, 0xc7ae541, 0xc738fd7, 0xad6c5d4,
+          0x4676454, 0x6178984, 0x5d9a392, 0xfbf3423 },
+        { 0xfff772f, 0x8e451a7, 0x5ffbead, 0x8605bb7, 0x930d59f, 0x6f75cc1,
+          0x8f3f460, 0xd4f4755, 0x6700c8a, 0xefd2d79, 0x2406421, 0xceb462a,
+          0x9dfe8f1, 0x8ed0f97, 0xd1d7600, 0x0280bf1 }
+    },
+},
+{
+    {
+        { 0xdd9a54d, 0x761c219, 0x86a39c0, 0x1127fcb, 0x4c9bedd, 0x7d0e4f0,
+          0x4d976b6, 0x27c017a, 0xda042cf, 0x800c973, 0x2593f11, 0xe7419af,
+          0xae67960, 0xbd49448, 0x744fd85, 0xd3b60b7 },
+        { 0x61676fe, 0x5e74ed9, 0x39af627, 0x7383ef3, 0x5e62df7, 0x34407e0,
+          0x8bf3196, 0xb053461, 0x583b407, 0xd6b7184, 0x55011be, 0xe3d0685,
+          0x2124b52, 0x94083d0, 0xf780aaf, 0xa908324 }
+    },
+    {
+        { 0x73ec9c3, 0xb27af1a, 0x70fa725, 0xb66ad9f, 0x8cf73e4, 0x07724f5,
+          0x9949358, 0xc3fcd57, 0xda0cc01, 0x06efb79, 0x10597c9, 0x1e977d2,
+          0x703e8d6, 0xcd732be, 0x6d0b69e, 0x6fd29bf },
+        { 0x667128e, 0xca658ac, 0xc7872b3, 0xca0036a, 0x5355837, 0xc969858,
+          0x075cf1c, 0x59f3be8, 0x3809a11, 0x9f1b9b0, 0x9733871, 0x6881ced,
+          0xe902a5f, 0x8cda0fb, 0x4e3871e, 0x4d8c69b }
+    },
+    {
+        { 0xddee82f, 0x5c3bd07, 0x2f9723b, 0xe52dd31, 0x74f1be8, 0xcf87611,
+          0x35f8657, 0xd9ecbd8, 0xfbfea17, 0x4f77393, 0xd78fe2c, 0xec9579f,
+          0x0fb0450, 0x320de92, 0x95d9c47, 0xbfc9b8d },
+        { 0x5e1b4c3, 0x818bd42, 0x40e2c78, 0x0e0c41c, 0xbccb0d0, 0x0f7ce9a,
+          0x5ef81fb, 0xc7e9fa4, 0x73574ad, 0x2561d6f, 0xd2efb0b, 0xa2d8d99,
+          0xe96cd0a, 0xcf8f316, 0x4964807, 0x088f0f1 }
+    },
+    {
+        { 0x45d5a19, 0x0a84989, 0x6c2131f, 0x47ab39c, 0xf3fc35d, 0x5c02824,
+          0x9ee8127, 0x3be77c8, 0xc90b80a, 0xa8491b7, 0xa28aa93, 0x5397631,
+          0x6c0b344, 0x54d6e81, 0x876d0e4, 0x22878be },
+        { 0x6db3bf6, 0xeecb8a4, 0x54577a3, 0x340f295, 0x9a00f85, 0xa779868,
+          0x4bb9147, 0x98465d7, 0xda3c736, 0x9532d7d, 0x7504b20, 0x6d574f1,
+          0xd86e435, 0x6e356f4, 0x4533887, 0x70c2e8d }
+    },
+    {
+        { 0xd293980, 0xdce5a0a, 0x069010e, 0x32d7210, 0x06deaaa, 0x64af59f,
+          0x59239e4, 0xd6b43c4, 0x9199c29, 0x74bf255, 0x11e1e2b, 0x3efff41,
+          0xcb0f8d8, 0x1aa7b5e, 0x989e395, 0x9baa22b },
+        { 0x7b33ac1, 0xf78db80, 0x54ce80a, 0x05a3b43, 0x7bc8e12, 0x371defc,
+          0x1224610, 0x63305a0, 0x6d697ef, 0x028b1ae, 0x1cd8051, 0x7aba39c,
+          0x28ee4b4, 0x76ed7a9, 0x7f99901, 0x31bd02a }
+    },
+    {
+        { 0xf075566, 0xf9dab7a, 0xf56f18b, 0x84e29a5, 0xf64e56d, 0x3a4c45a,
+          0x6a7302d, 0xcf3644a, 0x156b658, 0xfb40808, 0xf96be52, 0xf33ef9c,
+          0xcaa2f08, 0xfe92038, 0xb261894, 0xcfaf2e3 },
+        { 0x224ce3f, 0xf2a0dbc, 0x592eb27, 0xed05009, 0x95889d0, 0x501743f,
+          0x77c95c2, 0xa88a478, 0xdd63da9, 0x86755fb, 0xc7ee828, 0x9024acf,
+          0xf38113b, 0x634b020, 0x6056e64, 0x3c5aacc }
+    },
+    {
+        { 0xa2ef760, 0xe03ff3a, 0xb1c3bac, 0x3b95767, 0x940d754, 0x51ce6aa,
+          0x47a9a3d, 0x7cbac3f, 0x34f8d1a, 0xa864ac4, 0x80dbd47, 0x1eff3f2,
+          0x7ebd5ca, 0xd8ab660, 0x05b07ed, 0xc4df5c4 },
+        { 0xa4f095b, 0x3dc92df, 0x7cdbd9a, 0x5ae36a5, 0x7891e04, 0x7ff2973,
+          0x0a5fe7b, 0x37c0313, 0xaa6e35e, 0x210d7b0, 0xbf200d8, 0x6edfb53,
+          0x84afb85, 0x787b68d, 0x72c6de3, 0x9b5c49b }
+    },
+    {
+        { 0x4010f4e, 0x5185716, 0x0536ebe, 0xe0b144b, 0x887d663, 0xacabb14,
+          0xedf584f, 0xac1caed, 0xaf175a3, 0xb43fb8f, 0xf992a3c, 0x310b6d5,
+          0x85178a4, 0xf2c4aa2, 0x8bd56bf, 0x69c9969 },
+        { 0xa4d972e, 0x73d6372, 0x9583803, 0x3d5bb2e, 0xd891581, 0x7bf7d18,
+          0x568a34a, 0xa5ce5d7, 0x1f45c81, 0x670b433, 0x1f96910, 0x97265a7,
+          0xb07c1ea, 0xdb14eb3, 0xfed447c, 0xdf008ea }
+    },
+},
+{
+    {
+        { 0x00c2f10, 0x0379f5a, 0xd350285, 0xb320b4f, 0x8efdd7d, 0x74e560e,
+          0xf46a140, 0xf2f017e, 0x0f34624, 0x2ced1a6, 0xca08ec9, 0x7c4b4e3,
+          0x5d8bc6b, 0xdffc2a1, 0x527b007, 0xcc8f3f3 },
+        { 0x861fe83, 0x59f8ac4, 0xd03144c, 0x8d48d2c, 0xbfa6dce, 0xa8457d2,
+          0x677c136, 0xd7ed333, 0xc228e18, 0xcb8e219, 0x16ab1e4, 0x5f70bc9,
+          0x3780370, 0x2ae3a3d, 0x88f17ad, 0x9f33654 }
+    },
+    {
+        { 0x960e4bb, 0xeab0710, 0xab9cfd3, 0xc668a78, 0xb0ef946, 0x2e85553,
+          0x8df5df3, 0xa43c4b9, 0x3cb3646, 0x0ecd559, 0x18dbe71, 0x6f543c4,
+          0xf59818b, 0xee7edaa, 0x90911c1, 0xc44e8d2 },
+        { 0x269b509, 0xafb38b1, 0x52afe2c, 0x9e2737c, 0xccfa664, 0x5b2ef02,
+          0xe1cc58b, 0x1e0aeac, 0x5ea134e, 0x37a57e9, 0x83b9fc2, 0xc9c465a,
+          0x6e3ecca, 0x4b9e8c7, 0x9bdbab5, 0xca07dbe }
+    },
+    {
+        { 0xb0d7807, 0xd297f3c, 0xf59ce61, 0xee441a5, 0xb2db844, 0x728553b,
+          0x640e9e0, 0x90f87e5, 0xcb76dff, 0xaa72cbf, 0x4012d57, 0x065c686,
+          0x9678b44, 0xd5ee88f, 0x2177603, 0x3d74b85 },
+        { 0x748b68e, 0x3f9c947, 0x8f44d44, 0x03856d9, 0x462426c, 0xde34b84,
+          0x845ab29, 0xc16d1bb, 0xd2e18de, 0x9df6217, 0xb154643, 0xec6d219,
+          0x2ee0f8f, 0x22a8ec3, 0x91c5175, 0x632ad38 }
+    },
+    {
+        { 0x6869267, 0x19d9d23, 0xfe5532a, 0x628df94, 0x6dc9a01, 0x458d76c,
+          0x2cc39c8, 0x405fe6c, 0xf3a04ba, 0x7dddc67, 0x12500c7, 0xfee6303,
+          0xa50e9de, 0x580b6f0, 0x6090604, 0xfb5918a },
+        { 0x3af6b2d, 0xd715925, 0x1c7d1ec, 0x83d62d6, 0x85858c4, 0x94398c1,
+          0x14bfb64, 0x94643dc, 0xaf7db80, 0x758fa38, 0xa8a1557, 0xe2d7d93,
+          0x3562af1, 0xa569e85, 0x84346aa, 0xd226bdd }
+    },
+    {
+        { 0xd0ccd20, 0xc2d0a5e, 0x5dbc0cf, 0xeb9adb8, 0x26d7e88, 0xe0a29ee,
+          0x84a8e98, 0x8bb39f8, 0x37396ea, 0x511f1c1, 0xc8b2fb3, 0xbc9ec5a,
+          0x090e5bc, 0x299d81c, 0x4cdd587, 0xe1dfe34 },
+        { 0x5e465b7, 0x80f61f4, 0x1bad59e, 0x5699c53, 0xb79ff92, 0x85e92e4,
+          0x9db244c, 0x1e64fce, 0xa22097d, 0x3748574, 0xefff24e, 0xe2aa6b9,
+          0x0a10bc6, 0xb951be7, 0x9067a1c, 0x6685326 }
+    },
+    {
+        { 0xa6114d3, 0xf716ddf, 0x037ec1f, 0x9e515f5, 0x44944a6, 0x7734541,
+          0xaba97cc, 0x1540c4c, 0x8b54bb7, 0xe41e548, 0xcae37bc, 0x4363156,
+          0xf3d2ce8, 0xc384eaf, 0x4c58ba4, 0x72a4f45 },
+        { 0xdcaf3fc, 0x0ceb530, 0x78dcdbb, 0x72d5365, 0xc6320fa, 0x9b44084,
+          0xeb74c70, 0x6262d34, 0x608e6dc, 0x8abac85, 0x10dd38d, 0x82a5264,
+          0xa819b8d, 0xbc39911, 0x03ad0d9, 0xbda15fe }
+    },
+    {
+        { 0xf9dc60b, 0xadbf587, 0x7d846d2, 0xf9d814f, 0xb77bde0, 0xccdd241,
+          0x2242f50, 0x89cb6d7, 0xe6360a8, 0x95c0e3e, 0xdf49713, 0x7c7dd5a,
+          0x57d5814, 0x68e0e49, 0x0c16571, 0x3aa097d },
+        { 0x267d03a, 0xb56b672, 0x8c44af4, 0x4f55708, 0xf3252a5, 0x67c49e7,
+          0xc94a469, 0x871d6cf, 0x01fbfaa, 0x57ae998, 0x48a5d8e, 0x5c0e48f,
+          0x5e240b9, 0xe9bf9c8, 0x99d41ca, 0xa410189 }
+    },
+    {
+        { 0xb2889b4, 0x6beb0c7, 0x9455370, 0x78b7f89, 0x47ca364, 0xd434214,
+          0x9f21e5b, 0xdd9d2da, 0x0a7e4aa, 0xa0c7c18, 0xda1660c, 0x022c0d4,
+          0x5a57002, 0xe1f5c16, 0x518f68f, 0x51c7c9e },
+        { 0x2586502, 0x6d521b6, 0x183ec1b, 0xa0f2cb3, 0xcaa5e16, 0x578b4e0,
+          0x764997f, 0x7bd4fbd, 0x64b1804, 0x7ec56c3, 0x0ee08e4, 0xb75a254,
+          0xdc19080, 0x6bf74a6, 0x97d6e59, 0x6ec793d }
+    },
+},
+{
+    {
+        { 0x0a4beb9, 0x16789d6, 0x9b9c801, 0x512b2cd, 0x8c7bb9c, 0xf8b6d10,
+          0x9ebdc8c, 0xd85651e, 0x9ba971a, 0xc945082, 0x7e1cf78, 0x852d9ea,
+          0x0af01e2, 0x6a45e35, 0x6151dcf, 0xe6cdadf },
+        { 0x2b8c01b, 0xc454bb4, 0x3d54cd2, 0x59e0c49, 0x454d608, 0x8e1e686,
+          0xd8c6103, 0x0dbae4b, 0x6c18b18, 0xa5603a1, 0x3369093, 0x227a6b2,
+          0x5f3de1c, 0xf1e8929, 0x8ab63c5, 0x42f0b58 }
+    },
+    {
+        { 0x5b596d8, 0xf1974cc, 0x44719f0, 0xee8093f, 0xf6f5b54, 0x40ba933,
+          0x2f3d654, 0xd6e5365, 0x26d73b8, 0x9aeb835, 0x0776382, 0x50ed535,
+          0xad43875, 0x3be47d6, 0xc786e48, 0x21d56df },
+        { 0xb73bb39, 0x8a75e18, 0xf265a78, 0x9eba84c, 0x2e772e7, 0x7c02a4d,
+          0x4c1ecd2, 0xf7df6d4, 0x6cef71b, 0xa8d9ea0, 0xcae3b68, 0x86e8f91,
+          0x99efefa, 0x2fd1411, 0x214e6f6, 0x0b36ab2 }
+    },
+    {
+        { 0xbdce61c, 0xd79065c, 0xdecb229, 0xcb562ff, 0x4600849, 0xef5d3d1,
+          0x1d23ac8, 0x348b31b, 0x15c36b8, 0xb2ea699, 0x4822836, 0x268683d,
+          0xc6f0b7d, 0x083edbe, 0x1a7821c, 0xaf4f39d },
+        { 0x4e64841, 0x23be6e8, 0x65bf791, 0xe9e2463, 0x02bfd7c, 0xa3208ac,
+          0xd01357d, 0x231989c, 0x6422ab4, 0x79b8aad, 0x91b8564, 0x57d2b7e,
+          0x8c04421, 0x28ebbcc, 0x7d09c05, 0xdc787d8 }
+    },
+    {
+        { 0x6c7bed5, 0xeb99f62, 0x39cd0e8, 0x326b15f, 0xd860615, 0xd9d53dc,
+          0x1bf4205, 0xdf636e7, 0x0752209, 0x1eaa0bf, 0x4744abb, 0x17ce69a,
+          0xf3ea2fb, 0x474572d, 0x224a7f3, 0xc4f6f73 },
+        { 0x63081b4, 0x7ed86ad, 0x4a20afb, 0xcd4cdc7, 0xb301b2e, 0x7563831,
+          0xe038699, 0x5b4d2b1, 0x802a15f, 0xa15d1fa, 0x13e9172, 0x6687aaf,
+          0xba6da90, 0x3eccd36, 0x7474e83, 0x34e829d }
+    },
+    {
+        { 0x19c9b27, 0x4cea19b, 0x5f52523, 0xa14c37a, 0x726625c, 0x248b16d,
+          0x6cabc21, 0x8c40f9f, 0x32a5c65, 0x918470c, 0x2a98d5b, 0x314056b,
+          0x34a0714, 0x6c974cf, 0x4f6314a, 0x0c8f8a9 },
+        { 0x70bccfd, 0x4844557, 0x740c9fd, 0xf5835db, 0xa21407c, 0x12e59b5,
+          0xdb1689d, 0xbe338e0, 0xdd5e915, 0x5a50ce9, 0xef99f39, 0xb1780e9,
+          0xee4d833, 0x1262b55, 0x89c5340, 0x4be3f22 }
+    },
+    {
+        { 0x6c4b858, 0xbb99b90, 0x550ca53, 0xa7724d1, 0x826962e, 0x7d31f5a,
+          0xa5804da, 0xf239322, 0x0275048, 0x3e11320, 0x3ee4cb6, 0xcbb1bb8,
+          0x1331191, 0xdb86525, 0x7d1d903, 0xb7caf9e },
+        { 0x77d7a9d, 0x06e3b05, 0xb3bbbf5, 0x7a132b0, 0x7c50575, 0xd61fbc5,
+          0xaf4b646, 0x393f712, 0xcb7efe9, 0xef77972, 0x5ea4995, 0x20e6d5d,
+          0xfbbe4c6, 0x0ac23d4, 0xc807f2a, 0x8456617 }
+    },
+    {
+        { 0x5396143, 0x4995fb3, 0xb99dc46, 0xa8b4bd1, 0x4150064, 0x2293e8e,
+          0x22a3545, 0x2f77d49, 0xb2192c4, 0xe866b03, 0x5e0aa38, 0x58b01f0,
+          0x2ed246b, 0xe406b23, 0xed60974, 0x447edb3 },
+        { 0x8869703, 0xf541b33, 0x383420a, 0x6959fe0, 0x4be4e48, 0xd6b39db,
+          0xb5714ef, 0x048f3b4, 0x5d9e4b8, 0x68b4968, 0x2177963, 0xbda8e6c,
+          0xc4211fe, 0x5094e35, 0x2d46d1a, 0xea591c3 }
+    },
+    {
+        { 0x2fef780, 0x3a768ff, 0x32970c6, 0x4218d28, 0xec6da17, 0xce598e4,
+          0xfbb126a, 0xf675645, 0x0427617, 0xb04c23f, 0xe4fce74, 0xc9f93fb,
+          0x3c91b00, 0x44a414b, 0x1d3b3cc, 0x4d982f3 },
+        { 0xb24cce0, 0xb1d40e8, 0x133e73d, 0x5a21c07, 0x0bb589d, 0x6e9358e,
+          0x2399844, 0x39cfb17, 0x166080e, 0x83f7647, 0x450b468, 0xcfe7bf8,
+          0x1e8434f, 0x2a288f7, 0x21a81e3, 0xd39f1e5 }
+    },
+},
+{
+    {
+        { 0x528af6f, 0x78c6f13, 0x94b74d9, 0x0001fe2, 0x01aab44, 0xae77425,
+          0xef0039c, 0x7cbe937, 0x0fa2a67, 0xaf3e4f0, 0xda1378e, 0xe28175f,
+          0x8ccd90e, 0x72adeed, 0x00af22f, 0x16a8ce1 },
+        { 0xcbf63dd, 0x69fae17, 0x9e39e26, 0x6786172, 0xf827a18, 0xe92b3d5,
+          0x8403682, 0x4d75e41, 0x9056a79, 0x01a4fd9, 0x20008f5, 0x89efb2d,
+          0xb78ff15, 0xa2f6918, 0xa3437f5, 0xf41c870 }
+    },
+    {
+        { 0x7be353c, 0xc840ae5, 0x3fb2691, 0x465a5eb, 0x7eba833, 0x34a89f0,
+          0x013346e, 0xf620896, 0xe875df2, 0x563b5f0, 0xfbc44ce, 0x5f7fc8b,
+          0xcfedf9d, 0x22fcb5a, 0x7dc691b, 0x7cf68d4 },
+        { 0x76a103f, 0x37f7c2d, 0xfd87b7d, 0x728a128, 0xccf2132, 0x7db2ad8,
+          0xb100e63, 0xa4c13fe, 0x7b511d5, 0xcd28a51, 0x721ca5c, 0xb910280,
+          0xd84bd52, 0xec1305f, 0x2729791, 0xb964642 }
+    },
+    {
+        { 0x5bc7462, 0x83fccdf, 0xd6f012f, 0x01f3dda, 0x3a6a87c, 0x57f1171,
+          0xff403ac, 0xedb47ce, 0xbaab073, 0x6c184e5, 0x6f0d6a1, 0x5b17c7d,
+          0x3ef2c91, 0x45a4c4f, 0x86a8f41, 0x26c3f7e },
+        { 0xb646514, 0x81a6db0, 0xca8b9ae, 0xf84059f, 0x9f02305, 0xd73dab6,
+          0xc4b7c6c, 0x0de3fae, 0x696df2f, 0x18abb88, 0x75d7740, 0x45dd1b9,
+          0x9ee35bc, 0x3aeccc6, 0xb029f88, 0x478252e }
+    },
+    {
+        { 0x8b2ce15, 0x66bf85b, 0x335709d, 0x1175425, 0x8123874, 0x00169ef,
+          0x9b89868, 0xfd3c18c, 0x775204e, 0xb3612f9, 0xc2cd510, 0x4b8d09d,
+          0x14559ad, 0xafa12e6, 0x9657493, 0x1ddaa88 },
+        { 0x1e77a08, 0x87d700b, 0x14d2e71, 0xaf4cf2f, 0xbf90c94, 0xe00835d,
+          0x6dc8429, 0xb16a6ec, 0xf8a4d92, 0x02a7210, 0x3d0c48d, 0x5a5ab40,
+          0xb5b9bea, 0x0052b3a, 0xe138f89, 0x6242739 }
+    },
+    {
+        { 0x16b2819, 0x7c215d3, 0xfeb9d7a, 0xdacb65e, 0xd833423, 0xc3c569e,
+          0x886a058, 0xbc08435, 0x7e5cb61, 0x132c4db, 0x9422aff, 0x6373a27,
+          0xfca9fc4, 0x43b9d7e, 0xdbe465f, 0xe3319a5 },
+        { 0x0b39da7, 0x51d3687, 0x4b75492, 0xcb6d798, 0xeadd87a, 0x77eb272,
+          0xe0d3f6c, 0xf2fb47d, 0xf9f791c, 0x807fd86, 0x975e885, 0xf01086b,
+          0xb6a3604, 0xf9314b5, 0x67be852, 0x8cd4538 }
+    },
+    {
+        { 0x858f79b, 0x7c1e6b3, 0x938caf9, 0xf0477c4, 0x3e88c44, 0xb311bbf,
+          0x1e3a3c1, 0x9234c09, 0x95a1d4d, 0x531af2b, 0xb8d1c64, 0xf3cc969,
+          0xb51e78d, 0x6f3c328, 0x34e8881, 0x5a1bd6c },
+        { 0x3a9336f, 0x2e31239, 0x5ced897, 0x020f0cc, 0x5fab121, 0x4b45d7b,
+          0x1841210, 0x8068b1c, 0x8349170, 0x1bd85fc, 0x0f97fe5, 0xfe816d8,
+          0x14b84fc, 0x1089818, 0xb93cd48, 0x1d4fabb }
+    },
+    {
+        { 0xaef599e, 0x1f11d45, 0xb09c58a, 0x8d91243, 0xd08c3c3, 0xd2eec7b,
+          0x3b02793, 0x5a6039b, 0x8fb2c00, 0xb27fed5, 0xe8acf5e, 0xb5de44d,
+          0x6e6c698, 0x2c3e0cd, 0x777180d, 0x2f96ed4 },
+        { 0x96d0e36, 0x67de8bf, 0xc9b6d65, 0xd36a2b6, 0x637d59c, 0x8df5d37,
+          0xc8d9878, 0x951899f, 0xb13fcf8, 0x0fa090d, 0x1f5c7b4, 0xa527081,
+          0x513a37a, 0x56a6560, 0x14dc1fe, 0xc6f5530 }
+    },
+    {
+        { 0x94945d6, 0x7f6def7, 0x8cc8832, 0x2f52fe3, 0xa812ff5, 0x0228ad9,
+          0xbb8478a, 0xcd282e5, 0xbe91b07, 0xa0bc9af, 0x11165e2, 0x0360cdc,
+          0x7b857e4, 0xb5240fd, 0xfa36b08, 0x67f1665 },
+        { 0xad2c93f, 0x84ce588, 0xe8ff4c0, 0x94db722, 0x489c8a3, 0xad2edbb,
+          0x7e5f278, 0x6b2d5b8, 0xd1d0798, 0x0265e58, 0x4c5589e, 0xd2c9f26,
+          0x4e4074d, 0xde81f09, 0x303089f, 0xc539595 }
+    },
+},
+{
+    {
+        { 0x83e882c, 0x183492f, 0xb5e6c12, 0x4d58203, 0xefec20b, 0x1ac96c3,
+          0xe1cd15e, 0xabd5a5b, 0xcbbb14b, 0x7e1e242, 0xd0543b3, 0x9f03f45,
+          0xd678158, 0xc94bc47, 0xa446cad, 0x7917be0 },
+        { 0x9b37394, 0x53f2be2, 0x064cc76, 0x0cb0a6c, 0xfba3da3, 0x3a857bc,
+          0x80fcb49, 0xac86bc5, 0x30ab146, 0x9d5336e, 0x5bc1270, 0xafb093d,
+          0xe5c3b6e, 0x996689d, 0xea076ba, 0x55189fa }
+    },
+    {
+        { 0x646ce03, 0x99ef986, 0x30e6100, 0xa155f81, 0x29b6b07, 0x75bef17,
+          0x1de077b, 0xc46f08e, 0x7ed0526, 0xf52fdc5, 0x61a299a, 0xe09d989,
+          0x7b8e93a, 0x9527329, 0x0acd185, 0x11255b5 },
+        { 0x4a6acdd, 0x57919db, 0x4451d74, 0x708a578, 0x283f7b3, 0x5b0bd01,
+          0xc3d9260, 0xe82f40c, 0x82bbdc2, 0x2ab96ec, 0xc164d87, 0x921f680,
+          0xc17a6a9, 0xf0f7883, 0x382a001, 0xc366478 }
+    },
+    {
+        { 0x2e40791, 0x5c9aa07, 0xa0776bf, 0xf0b72d6, 0xeaa50dc, 0x445f9b2,
+          0x6bda47f, 0xa929fa9, 0x3bbfc49, 0x539dc71, 0x006a78b, 0x4f16dd0,
+          0xeef39c7, 0x331ba3d, 0xc34157c, 0xbfa0a24 },
+        { 0x6a3b482, 0x0220beb, 0x6c43885, 0x3164d4d, 0xacdea23, 0xa03bb5d,
+          0x9d8f450, 0xd6b8b5a, 0xbd208fe, 0xd218e65, 0x35c476f, 0x43948ed,
+          0x0a2ed2b, 0x29a0dd8, 0x25295b7, 0xa6ccf33 }
+    },
+    {
+        { 0xac38939, 0xf68f15f, 0xf8010c1, 0xb3dd5a2, 0xa35f141, 0xf7ac290,
+          0x7388574, 0xdc8f3b2, 0xe95fed2, 0x7ec3de1, 0x257ac7d, 0xc625451,
+          0x664e55a, 0x66fc33e, 0x4832ba5, 0xd3968d3 },
+        { 0xc026448, 0x980291b, 0x24da4a5, 0xfcb2125, 0x827a360, 0xbca7df4,
+          0x85ca63b, 0xfcc395c, 0x8e9f733, 0xcf566ec, 0xd465f70, 0x835ee9b,
+          0x372f916, 0xe66d111, 0x04d9211, 0xc066cf9 }
+    },
+    {
+        { 0x8b48818, 0xb9763a3, 0x4288f96, 0xa6d23cc, 0xed3a229, 0xe27fcf5,
+          0xabaff00, 0x6aebf9c, 0x8131cd1, 0xf337503, 0xffabd58, 0x13ad41d,
+          0x861c83b, 0x1bee6af, 0x9c142e7, 0x274fe96 },
+        { 0x9b84b5b, 0x70ebcc9, 0x8191cfc, 0xe1a57d7, 0xcbf00b8, 0x46ccd06,
+          0xefe402d, 0xc233e8e, 0xbeebeb3, 0xb4ab215, 0xbd14e7b, 0xb7424ea,
+          0xa679578, 0x351259a, 0x471d684, 0x6d6d01e }
+    },
+    {
+        { 0x815ae38, 0x755c465, 0x611db56, 0xadc3e85, 0x188dd50, 0x633999b,
+          0xc12d907, 0xfdf7509, 0x238b6af, 0x25bcfde, 0x397f5e7, 0x50d705d,
+          0x944c974, 0xb65f60b, 0x27ac325, 0x8867fc3 },
+        { 0x3763eff, 0x2edc441, 0x341fb63, 0x892c0b3, 0xb3a7f28, 0xb34b83a,
+          0x15c2f18, 0x9aa106d, 0x1bb2277, 0x720bbc6, 0x5cfaefd, 0x637f72a,
+          0xf43e565, 0xf57db6e, 0xb58e772, 0xceb7c67 }
+    },
+    {
+        { 0x6ecc1de, 0x2793da5, 0x38f31b2, 0x4e10974, 0x8781267, 0x4229b4f,
+          0xdec04a1, 0xe5d2272, 0xec17cff, 0x6abb463, 0x0cbb048, 0x28aaa7e,
+          0xd22ef85, 0x41dc081, 0x5e63d0f, 0xcbc361e },
+        { 0xad5dbaa, 0xb78aafc, 0xfc1edc3, 0x0111505, 0x92c7bfa, 0x63ed66d,
+          0xe468919, 0x2982284, 0xb8c0d8c, 0x30f1f21, 0x2685093, 0xf056747,
+          0xf03dd0f, 0x0e085b6, 0x5581e66, 0xa8c8db8 }
+    },
+    {
+        { 0x264ad0c, 0x42009a6, 0x593bef4, 0x13bf2b8, 0x5d4e8b1, 0x1d11190,
+          0xef7bddc, 0xfe3e940, 0x624e62c, 0xa012275, 0x1d6d3cc, 0xcb65924,
+          0xedb7ab6, 0xc7bcc70, 0xb750b1c, 0xff9fafb },
+        { 0x7fea84b, 0xf65df29, 0x90b0e02, 0x17c84a8, 0x301e821, 0xa92a859,
+          0xfb480d1, 0xbee8cb2, 0x59c604e, 0x7010b8c, 0xe803c43, 0x47bf3f4,
+          0x47b3fff, 0xd645142, 0x9f0da13, 0xc4c5dcb }
+    },
+},
+{
+    {
+        { 0xb5253b3, 0x8af700c, 0x206957a, 0x31ca605, 0x3eafdcd, 0x2574439,
+          0xd3ae15e, 0x2ba5ae1, 0x5b82579, 0x710b738, 0x112b95a, 0x145ab57,
+          0x38c55c5, 0x4b133a0, 0x2a16fef, 0xf7559c9 },
+        { 0xd9ba896, 0x70c3e68, 0xc33d07a, 0x475dd32, 0x3a41e40, 0xe084e47,
+          0xfd2e706, 0xddc9382, 0x79510bd, 0x34b7275, 0xa5f901e, 0x5e78a69,
+          0xdcfb823, 0x429dfd7, 0x014f0a3, 0x1d9dc18 }
+    },
+    {
+        { 0xaf403d7, 0x364fcdf, 0xb7d7b34, 0xd9ea4ff, 0xcbb1dac, 0x21a3426,
+          0x143b4f5, 0xfa51052, 0x6df2409, 0x2bca073, 0x8ad7285, 0x7e6985a,
+          0x4aaa27f, 0x3a1a9d0, 0x9fc0c6c, 0x1a815e1 },
+        { 0xbb65bb3, 0xfab6147, 0x33ced0b, 0xa36dc0d, 0x2062d78, 0x26a8859,
+          0x28a5fb7, 0x3438617, 0x4ebb1ad, 0xe82da25, 0xd05aa11, 0x70f5071,
+          0xadaac48, 0x0b7f847, 0x93cb269, 0xeb812bc }
+    },
+    {
+        { 0xf7caccc, 0xcb317cc, 0xcf85098, 0xd3410d9, 0x7f078d7, 0xca68c8d,
+          0xb782efc, 0xfe9e812, 0x5f544b5, 0x32e7c0f, 0x3a7b7f2, 0x44fe95a,
+          0xe91327b, 0xf4f1543, 0x76645ed, 0x27d118d },
+        { 0xd7abc2c, 0x690547c, 0xb53c8af, 0xf64680f, 0x79ea989, 0xbe0cbe0,
+          0xa91af28, 0x6cf0cce, 0x9daa2f9, 0xa3b85a2, 0x91faed0, 0xd4b663c,
+          0xa8b20ba, 0x782c7b7, 0xb8d98ce, 0xf494faf }
+    },
+    {
+        { 0x002f55a, 0x080c0d7, 0x2d6d9dd, 0xf4f8f14, 0x382f025, 0xb326229,
+          0xad28c20, 0x58fd0b5, 0x8d06a15, 0x704b992, 0x7fbd8e4, 0xf4545d9,
+          0xed55581, 0xc32fa63, 0x01ac0fd, 0x3ab7936 },
+        { 0x6099fd1, 0x13ece52, 0x9c79178, 0x776dba8, 0xce26c45, 0x8d28212,
+          0x60d739c, 0x09fddaf, 0xa84826e, 0xf9931ed, 0xb29439e, 0x6e73d90,
+          0x9095e61, 0x94cfefc, 0x802f474, 0x3050d16 }
+    },
+    {
+        { 0x9f6394b, 0x0898f8f, 0x88b0e91, 0x48b8cea, 0x4c1b362, 0x4bc9925,
+          0x827d9ec, 0xe3fccb4, 0xd950d6a, 0x5d4cf9a, 0x39b5b38, 0xa16f1ef,
+          0x620f288, 0x3c76d1d, 0xe119390, 0x9fdd059 },
+        { 0xfb5edf8, 0x7b5de9e, 0x769d14e, 0x3e290b9, 0x6bd10b5, 0x4df3a91,
+          0x82f8f7b, 0xae99bca, 0xc9524af, 0x5481d5d, 0x69504f1, 0xf112e4f,
+          0x51931ec, 0xb048f09, 0x18f51b1, 0xbff876a }
+    },
+    {
+        { 0x46c1c37, 0x932e2a7, 0x9aea4c1, 0x903ad52, 0x8f161f2, 0x717ac91,
+          0xf425e2a, 0xa57d197, 0x7f39e0e, 0xae89dac, 0xbaa2a58, 0x91655c0,
+          0x54836dd, 0xe3dc286, 0xa9ec9e6, 0xb5f0baa },
+        { 0xbdbda04, 0xf7c4662, 0x51059c0, 0xbe5393b, 0xdd95b0f, 0xb16d552,
+          0x1b3bd96, 0xde495b3, 0xc0206c5, 0xb2a6e02, 0x014d3a9, 0x045cc09,
+          0x2a2f490, 0xf66a315, 0xc5dea05, 0x208c108 }
+    },
+    {
+        { 0x65237ea, 0x6e38b68, 0x9f27fc6, 0x93a1303, 0xa95068a, 0x9a6d510,
+          0xe7c9e54, 0x6fbf216, 0x571ac1d, 0x7824290, 0x91c2a0c, 0x8cb23ba,
+          0xc7e434d, 0x611202e, 0x76058b4, 0x8f901bf },
+        { 0x0849588, 0xef0ac05, 0xdd31804, 0xe0d2dde, 0xeb2ca81, 0xaf5417c,
+          0x5d1a509, 0x420ac06, 0x9683bb6, 0x46e345e, 0xf613f7f, 0x6daf635,
+          0x48a9576, 0xc9e8291, 0x176d147, 0x5f9f1d1 }
+    },
+    {
+        { 0x77e9709, 0xd24ae1d, 0x0047b8a, 0x77751dc, 0xc6a1593, 0xe325334,
+          0x671f86a, 0x9baf962, 0xc29a15e, 0x425af6a, 0x2796e33, 0x3108600,
+          0xfc253a5, 0xb6ea78c, 0xafae0ea, 0x4c733e0 },
+        { 0x97c99b9, 0x4b7443a, 0x50203a6, 0xc14e9e4, 0x52680ba, 0xd1bb515,
+          0xd55533a, 0xa56a3ef, 0x169e1a0, 0xa66e38c, 0xeed7da0, 0xb3e4df9,
+          0xddce3d9, 0x022c937, 0xf6e36b4, 0x8552089 }
+    },
+},
+{
+    {
+        { 0xf5cc82e, 0x8e4bf95, 0xc3ed6c9, 0x2ad80c3, 0xc9045e1, 0xf2e5b2c,
+          0x59b06d4, 0x42c9065, 0x7b43b84, 0xc1f7379, 0x72d7992, 0x1710dbf,
+          0x767b41c, 0xe98cf47, 0x7bfb9e9, 0xe713fce },
+        { 0x9fa5134, 0x9f54ae9, 0xde40d0e, 0x3002fd8, 0x9311334, 0xdc282b7,
+          0xbfeb360, 0x5519810, 0x0f96ffe, 0x31539c7, 0xd27777b, 0x04eacc0,
+          0x8ff5053, 0x5982410, 0x32b67ad, 0x5982366 }
+    },
+    {
+        { 0x6bea5c2, 0x6eb4554, 0xd509a33, 0x82cfae0, 0x394bb59, 0x6a69bd8,
+          0x5770ee1, 0x1880d8d, 0x7dacf9e, 0x6351844, 0xf02b891, 0x5b1ecc5,
+          0xb6c9a5a, 0xeb7d900, 0x8897da8, 0xdab8a76 },
+        { 0x98851a6, 0x28c7be5, 0x4d73c3b, 0x0101d4f, 0x5084996, 0x3c2569c,
+          0x280bde0, 0xb9bc911, 0xcd0d4f9, 0x513a22a, 0x2a15f3b, 0xdf2986d,
+          0x2aa4943, 0x231c28f, 0x0333870, 0x29623ad }
+    },
+    {
+        { 0x4084416, 0x2ceb178, 0x49516cd, 0x924cf1c, 0x4be856f, 0x76536c0,
+          0x47a265b, 0x11b59cd, 0x4999494, 0x720dc84, 0x007b795, 0x910f794,
+          0x2d3df83, 0x8434e14, 0xbd478d3, 0x8f53878 },
+        { 0xaeb9c2f, 0xd9b072e, 0xfd8a29f, 0x16f87ea, 0x2fd0de1, 0x8c42f9b,
+          0x0e816ef, 0x916721e, 0x18bde37, 0x2ecb470, 0x2375da2, 0xcde3b7a,
+          0xef94281, 0x30d0657, 0x5cd7af8, 0x5105456 }
+    },
+    {
+        { 0x4bdced3, 0x7230b33, 0x0838569, 0x0c6a3e1, 0xe3493b8, 0xf19c9ec,
+          0x0d97c57, 0xf275927, 0x0c862eb, 0xf14181e, 0x32c72bc, 0xfd3bac1,
+          0xf3be362, 0x620563f, 0x47283b7, 0x672ccaf },
+        { 0x2b7bf16, 0x191e3fa, 0x520dad7, 0xf838633, 0x3629d87, 0xd3dde55,
+          0xaf86ebe, 0x14d8836, 0x221b2ce, 0x3db7dfb, 0x0aed72a, 0x3872abb,
+          0x8c665b7, 0xb60de52, 0x44982cb, 0x89c2596 }
+    },
+    {
+        { 0x4dbba25, 0x799a2de, 0xa42715e, 0xd818aae, 0xf55c362, 0xbc88f4d,
+          0x713c9ae, 0x142a163, 0xfbfb33f, 0x411e8ee, 0x6bb684a, 0x34b4629,
+          0xdc81817, 0x4344bec, 0x17f9d46, 0xcc9573d },
+        { 0xff38a7d, 0xf85f8bc, 0x0caf117, 0xa14bf73, 0x4ba6429, 0x126874f,
+          0xaa5db97, 0xcc9bf22, 0x6aba827, 0x62b56df, 0x9c9772a, 0xfee1cb8,
+          0x177e541, 0xe36838f, 0xadd438f, 0x698815d }
+    },
+    {
+        { 0x38ed1ad, 0xc9fd894, 0x7b6a601, 0x73cd79d, 0x05e8d20, 0x2210e62,
+          0x3592af5, 0x72384ac, 0x763d07e, 0x5ccc079, 0xa5f79eb, 0x2f31a4a,
+          0x2945a95, 0x693f4ed, 0x8056fdc, 0xc712017 },
+        { 0xdf4b09a, 0x361ecd2, 0xb7d929a, 0xa5644ea, 0x3fabe9a, 0x34abc0b,
+          0xe942a8c, 0x1a2473c, 0x6454bc3, 0xe00c924, 0xdff7366, 0xab324bc,
+          0x21b8f99, 0xe1412f1, 0xe33551e, 0x970b572 }
+    },
+    {
+        { 0xbd0a6b5, 0x6ca4cac, 0x921d654, 0x5584787, 0xc809bda, 0x18e5253,
+          0xf0cbe5e, 0x01b32c3, 0x0f987dd, 0xb9aa754, 0x6dfa4db, 0x628f4bb,
+          0x891890b, 0x0255f0b, 0x874e590, 0x25b7df4 },
+        { 0x8ed5f95, 0xbded318, 0xca93023, 0x9dc428d, 0xbccf520, 0xc68f25a,
+          0xe616e6c, 0xc4f3764, 0xa1d9993, 0xd9a57f1, 0x533431b, 0xd1964a5,
+          0x02ab6d0, 0x06cd77f, 0x03e52e0, 0xa660791 }
+    },
+    {
+        { 0x5f72700, 0xab08864, 0x0a1a44e, 0xf77b2ff, 0xc2a24b5, 0x43ebdd8,
+          0x4f564d7, 0xa6d6711, 0xf414160, 0x495df63, 0x76f6de6, 0xf5bacd7,
+          0x7c2b43d, 0x3011aff, 0x3241928, 0xbb1e64c },
+        { 0x5034073, 0xf70c572, 0x68f1e97, 0x891c62a, 0xb22e374, 0xed8eb2e,
+          0x7dbcc2f, 0xd3a53e9, 0xdc8f220, 0x1d06281, 0xace4393, 0x9eef48f,
+          0xd2abecd, 0x96014f5, 0x2653ceb, 0x1da7e09 }
+    },
+},
+{
+    {
+        { 0xd00bc94, 0x7593318, 0xc7262a2, 0x586f3c6, 0x958ad31, 0xea68f52,
+          0xd4e8bed, 0x6707fcc, 0xcb3f9ce, 0xb7e35d6, 0xf4b1be8, 0x2cbb6f7,
+          0x7b41aee, 0xa535268, 0xf7b39b8, 0x1d77845 },
+        { 0xeaf9554, 0xb1f3995, 0xfe9e7d4, 0x3250f70, 0xa00c23c, 0x62e5d1b,
+          0xc10e3bf, 0x5e422f5, 0xc25cec4, 0x7a18039, 0x7cc4d5b, 0xb4e66a1,
+          0x36d0e0c, 0xad7c5f6, 0xa4cf347, 0x9f40b12 }
+    },
+    {
+        { 0x51e3696, 0x697f882, 0xab0a648, 0xc89bc40, 0x9785804, 0x8f261a5,
+          0xb51a2bd, 0x4c7f900, 0x8a2dfcf, 0xd00e7af, 0xb642aeb, 0xf9c534d,
+          0xb63df0e, 0xea2a79f, 0xf2f64a4, 0x392a69a },
+        { 0xc331b6c, 0x0c0f01c, 0x6a5edb5, 0x414bf2e, 0x5068391, 0xfe5ed81,
+          0x62fbc34, 0x0a8078d, 0x54bca98, 0x78a4382, 0x3d727c7, 0xf7a49ae,
+          0xab4dffe, 0x96c1de1, 0x3b9440a, 0x45901f7 }
+    },
+    {
+        { 0xacfe46e, 0x3f1189f, 0x4467443, 0xdca6f46, 0x2eb5bcf, 0xac38542,
+          0x906bf72, 0xb02dce9, 0xfe1d454, 0xdd8cdac, 0x65f7218, 0xc26f04c,
+          0x6ea145d, 0xb474859, 0x5bdb315, 0xc53dc6b },
+        { 0x9ad7197, 0xbe5be74, 0x18b5ecc, 0x627e919, 0x9ea405d, 0x57c889c,
+          0x1a5360b, 0x2e5650c, 0x1b30b27, 0x42290df, 0x5242687, 0x4a07157,
+          0xd379133, 0x553ed1f, 0x01db019, 0xb9d7a07 }
+    },
+    {
+        { 0x56597dc, 0xcfe551c, 0x925ebd6, 0x81af92a, 0xf4e8d57, 0x83efe16,
+          0x1f640d3, 0x61bb431, 0x78b414a, 0xf80440f, 0x6c9e3b4, 0x72f3c63,
+          0x6a03c66, 0xb55f43a, 0xe417037, 0x47a9ded },
+        { 0xdbb612b, 0x1a7e287, 0xdbb9220, 0x895c3c7, 0x6c04764, 0xd50c86e,
+          0x53cf7ca, 0xed52698, 0xf74af55, 0xc78d799, 0xb969ff2, 0xb2ba0f2,
+          0x1c6530b, 0x06d4815, 0x165a575, 0x764a1fe }
+    },
+    {
+        { 0xc1b5ece, 0x4383a3b, 0x54ff148, 0x0563c88, 0x5af796e, 0x9a45279,
+          0x88e9953, 0xffba7c0, 0xb6a3001, 0xfe9fb5e, 0x25b6b19, 0x7950988,
+          0xd81be5e, 0x67c899a, 0x2f9d29b, 0xc89ac8d },
+        { 0x29ab8f7, 0x7c76ba3, 0x6e40f74, 0xb2a18c9, 0x3864d9b, 0x1b5056e,
+          0x9b582b8, 0xdfa503d, 0x7c9c68e, 0xfb03519, 0x6b3c22b, 0xdc50131,
+          0xa6c96ff, 0x38ab231, 0x8cb1c10, 0x4ea527c }
+    },
+    {
+        { 0xc05b4ed, 0xd632f20, 0xb2a032d, 0xe0199fa, 0x26812d7, 0x3732956,
+          0x013df13, 0x2aed855, 0x39f96ac, 0x92ca24b, 0xbb9751a, 0x620273d,
+          0xf7437a1, 0x5d0d21e, 0x077de56, 0x9de2a43 },
+        { 0x11a4674, 0x0569b12, 0x89c3989, 0xfc3923e, 0x2c5c770, 0x3d12704,
+          0x84e8c37, 0x0072b90, 0xac39f9a, 0x7178d4d, 0x778d345, 0x5f8292f,
+          0x77c7307, 0x9e5bf0f, 0xc3a20f5, 0x7691610 }
+    },
+    {
+        { 0x705fe96, 0x7c4ead5, 0xc8e464c, 0x377ec35, 0x7689954, 0x3e5b990,
+          0xa2d31ea, 0xc0f6949, 0xc580671, 0x839d395, 0xb215b09, 0x2f347a6,
+          0x683df83, 0xfdcfa33, 0x6af39a8, 0x6e12cc2 },
+        { 0x13a3bd2, 0xae46ec8, 0x59366f8, 0x03a7d3b, 0xb87aed4, 0xe2029d5,
+          0xfe1b83d, 0xbdc4e43, 0xdb8a1a8, 0x768437c, 0xea0dd7f, 0xe47acc3,
+          0x62a0af4, 0x550e0cc, 0x1a20962, 0xcaf2cbc }
+    },
+    {
+        { 0xf28a78f, 0x5a784f7, 0x07e9724, 0x952a9b5, 0x1bab7a3, 0x8ac5e41,
+          0xb7bc1e1, 0x1251e3f, 0xdc15e22, 0xe360f82, 0x95213f5, 0x3ac72da,
+          0x4dcd47b, 0x65ee9ba, 0x3af5952, 0xdfeab7b },
+        { 0x26fd3c6, 0x34c5c80, 0xf3ac7ee, 0xd977b08, 0x7dba2f6, 0x003bd01,
+          0xac98c8d, 0xcfc5cf8, 0x0e46922, 0x05eb604, 0xfaa9352, 0xc248b17,
+          0x395c7a7, 0xfa41c0f, 0xb71ee44, 0x29931d4 }
+    },
+},
+{
+    {
+        { 0x07861c5, 0xac087bb, 0x5ae8240, 0x3bd37db, 0xf94518f, 0x94c68ec,
+          0xff88a5b, 0xd32a378, 0x9b441d1, 0x42c8aaf, 0xfc07f12, 0x089db70,
+          0xd3d4455, 0x211c386, 0x546b158, 0x1db9af7 },
+        { 0x51bc927, 0xdfd1b65, 0x0733df4, 0x69c0493, 0x2aeb586, 0xdc72cd4,
+          0x823aa13, 0xeebdace, 0x56ad643, 0x51b3b3c, 0xd4e0426, 0xb983a99,
+          0x69c4ecc, 0xa1e5b6c, 0x45e6668, 0x37cd382 }
+    },
+    {
+        { 0x9f73aea, 0x158ce6d, 0x14ff475, 0x36a7749, 0xdc0b018, 0x0d4e424,
+          0x3946f09, 0xc2c4448, 0xfacda62, 0x7a7de3f, 0xb486709, 0x49a19e6,
+          0xdb61da7, 0x65094d8, 0x8f5ee87, 0x09edfd9 },
+        { 0xb37226d, 0xe460fcf, 0x69bf470, 0x3b9d039, 0x247ca22, 0x3d4d511,
+          0xc782cb1, 0xc7248d6, 0x00ad293, 0x91189a0, 0xe8abe75, 0x1244942,
+          0xbf52cdb, 0x9f88d12, 0xbbbcadf, 0x368463e }
+    },
+    {
+        { 0x8074f45, 0x419e4b3, 0x0771c83, 0xd3f8e2e, 0x2e68d34, 0xd2743b4,
+          0xb116a00, 0xc68b7db, 0xd84cc37, 0xfad2cf7, 0xb7a0f4d, 0xcfd27c0,
+          0x190e587, 0x3b9e23f, 0x751ca9e, 0x7bab499 },
+        { 0xa8f12ee, 0x3270861, 0x31b36d5, 0xee1f38d, 0xe4c0eed, 0x748bb31,
+          0x110ebad, 0x9be5c9b, 0xc8b6cb6, 0x728660b, 0x93d914a, 0x7bc9df7,
+          0xc88c859, 0x73a4f2c, 0xb4e7f0e, 0xbe4a2fd }
+    },
+    {
+        { 0xa450e77, 0xe566ff8, 0x6a13aba, 0xb0b4006, 0xcd7dc90, 0x483a510,
+          0x5fa9ccc, 0xb1a2013, 0xa80e67c, 0xeb0b631, 0x020801a, 0x7c34e1f,
+          0xf4e447c, 0x0257dc8, 0x74c6f0f, 0x7abe7d1 },
+        { 0xb19a576, 0xf115a3a, 0x064ca0e, 0x8f0474a, 0x351f99b, 0x999bb6b,
+          0x773edc3, 0x855254b, 0x427d717, 0x49f6c2f, 0x2e0cef2, 0x9f68253,
+          0x2ee34f5, 0x1fe126c, 0x80150f7, 0x1ec2cae }
+    },
+    {
+        { 0xc005b7a, 0x862c5af, 0xec4ef17, 0x61adea7, 0x007b446, 0xf885fd3,
+          0x9b0e30e, 0x25c129d, 0xfeec7e0, 0xbc10f25, 0xdf79ee1, 0x3901ac4,
+          0xfe9e19f, 0xad49db7, 0x360d050, 0xc8624d9 },
+        { 0xbf3260b, 0xc74a576, 0x8c010c2, 0xbde8024, 0x09b6977, 0xf155329,
+          0xd52dcf8, 0x6a5a82e, 0x29b9dfc, 0x4fbf59d, 0xc7b730c, 0x337d049,
+          0x3a89cd4, 0xb3deac6, 0xad2f2eb, 0x1e07595 }
+    },
+    {
+        { 0x3b7c84e, 0xa0b0a4d, 0x8cf2b00, 0xf132c37, 0xeaaa8ec, 0x192814b,
+          0x7b4b5df, 0xe7929f9, 0x42d0ab7, 0xf08a68e, 0x7b60cdd, 0x814afb1,
+          0x7d9c160, 0x78c348c, 0x44db217, 0xf8a9488 },
+        { 0xeaa2578, 0xcdefd88, 0xbd0e260, 0xf717f56, 0x1694d02, 0x7754e13,
+          0x181dbd8, 0x1254c14, 0x6e5f312, 0x0dacdd2, 0xcef87bf, 0xb8abdfb,
+          0xe74e2ea, 0xb985972, 0x002b424, 0x1717621 }
+    },
+    {
+        { 0x162df70, 0x92cc75e, 0x18ee849, 0x1e20c06, 0x26aa590, 0xc036b46,
+          0x4da5155, 0x31be67e, 0xf7213b0, 0x04911b5, 0xbb2e72e, 0x39261d7,
+          0x5c015a3, 0x9e84466, 0x298ae67, 0x2f59fc0 },
+        { 0x1701fcc, 0xa3ea7ba, 0x0ebd651, 0x87a5fa9, 0x301d7b1, 0xa607ed4,
+          0x3b2e271, 0xbd4ec5f, 0xdc4180f, 0x732a1a2, 0xfeaa8c1, 0xbe15d82,
+          0x66f2f3f, 0x1036702, 0x9e79ce8, 0xccfd397 }
+    },
+    {
+        { 0x70a54ad, 0x82ab835, 0xe3bec75, 0x5c1dee8, 0x54b556b, 0xf583ff4,
+          0xf461e60, 0x9220199, 0x87fc4e7, 0xdf61ca8, 0x0776dad, 0x6641fd2,
+          0x8edd061, 0x00c6edd, 0x55f7e87, 0xaf9b142 },
+        { 0x9bbe3ec, 0x73f15e4, 0xf8bc1fa, 0xdd3b788, 0x1b8ff86, 0xb24cc07,
+          0x41be58b, 0x6c260d2, 0x6b10ada, 0xec1c4e3, 0x7fdb985, 0xf6b4209,
+          0xd47c212, 0x0d0ac85, 0x07d78d1, 0x967191c }
+    },
+},
+{
+    {
+        { 0x843d0f3, 0x3b11638, 0xf27f10e, 0x4b89297, 0x863ba2a, 0x477236e,
+          0xadd280c, 0x1949622, 0x04da757, 0x7cd5235, 0x79e4ff7, 0xe0e99d2,
+          0x537da41, 0xb4ef894, 0x5a24ff1, 0xc55dde4 },
+        { 0xb587521, 0x18d8e21, 0x3777833, 0x8010b5d, 0xd3a54c8, 0x4af522d,
+          0x4c0ac13, 0x7cd476b, 0x4099f67, 0x4587e61, 0x605ee64, 0x494d0ed,
+          0xcc80903, 0x3218ba2, 0x0b2e169, 0x5ff56aa }
+    },
+    {
+        { 0x3a06c69, 0x51ec94e, 0x5e65c52, 0xa26d7be, 0xd44ee96, 0x156f113,
+          0xbf5b9b4, 0x70f0968, 0x5f5332d, 0x9b7e469, 0x6703829, 0x36c295f,
+          0xd04f492, 0x1522690, 0x728043b, 0xcf35ca4 },
+        { 0x190a7c3, 0xf9ca3e1, 0xf971b07, 0x53d2413, 0x9c48b49, 0xae59652,
+          0xfefff5c, 0x74672b8, 0xa7643b0, 0x0a3018b, 0x3e9b0a8, 0x51919e8,
+          0xc932fb5, 0x89ad33d, 0x643e687, 0x52a4419 }
+    },
+    {
+        { 0xd2d0acd, 0x7778990, 0x487fdf1, 0x3bdbcce, 0x2b03dd2, 0xdc413ca,
+          0x9a2b7d0, 0x278755b, 0x35ddd7f, 0x4ebb8b5, 0xbcbdb92, 0x0465152,
+          0x671d051, 0x34f22d6, 0x87192b9, 0x1ba04c7 },
+        { 0x83560c1, 0xb1693f4, 0x7d174e9, 0xe08a593, 0x64dc9af, 0x47ffdc4,
+          0xce8126c, 0x1123596, 0x1124628, 0x632d95f, 0xfee7c76, 0x66287ab,
+          0xc552332, 0xb40fe60, 0xe304e1e, 0x3f11729 }
+    },
+    {
+        { 0x5030a8c, 0x97a6ea0, 0x09c27b2, 0x6924198, 0xac9dd5d, 0x3308501,
+          0xbe73fdc, 0x9fed7fa, 0x0535286, 0xea55544, 0x6c9b832, 0xc7c07ab,
+          0xc51b967, 0x178c882, 0x86ee075, 0x6fa0c69 },
+        { 0xb8b5c4a, 0xbaa4a15, 0x3130c0a, 0xf83c0ea, 0x2800331, 0xcf8624b,
+          0x7ccbcb8, 0xade85cd, 0xf08445d, 0x971d7f6, 0x6a546dc, 0xfd480b7,
+          0xc93761c, 0xdc15a38, 0x9d04631, 0xc4c495c }
+    },
+    {
+        { 0x9470efe, 0x5f4cee8, 0x88d93ad, 0x9fe8961, 0xf4e49ce, 0x24783b3,
+          0x52ffb3e, 0x1bc7ed7, 0x6d81e17, 0xa3abe6a, 0x7a333c3, 0xd6bb8b4,
+          0x10a3527, 0x3485c0b, 0x31a9d10, 0x7cddc9c },
+        { 0xc38ca37, 0x0c78112, 0xdd2f8d8, 0x10e249d, 0xc511911, 0x72c88cc,
+          0x29a6c84, 0x4d75b5a, 0xa227b1e, 0xc74b267, 0xf8e35ad, 0x698390c,
+          0xe98d230, 0x8f27edf, 0x6bdc7f4, 0xec922f2 }
+    },
+    {
+        { 0xfc32e11, 0xac34023, 0x47200d1, 0xe0ae2f5, 0xbd98c82, 0xa7c7492,
+          0x7b02154, 0x3910b68, 0xe28ab6d, 0x6fdd06c, 0xd98b012, 0xd3a7e49,
+          0x9f54207, 0x4c1c82b, 0x45c176f, 0xef5bbe6 },
+        { 0xd3e71eb, 0x3d17960, 0x080e70c, 0x90d7e84, 0xbff5d9e, 0x83e6438,
+          0x535d85c, 0x1877e1f, 0xfbb69cc, 0x931ed6e, 0x1247848, 0xcf96265,
+          0x750da4e, 0x76d618b, 0x717fbf6, 0xc076708 }
+    },
+    {
+        { 0xeec5126, 0x80a5ac5, 0x3379c80, 0x6d05dd1, 0x2336d32, 0x514b089,
+          0x6725137, 0x586c006, 0x574f954, 0xab2365a, 0xac7d356, 0x3c89ea0,
+          0x27460ba, 0xf1f2edd, 0xab9870f, 0xf200ddb },
+        { 0xa35e885, 0xc8f1b2c, 0xe6e7550, 0x5d22f86, 0x9554615, 0x24b9a40,
+          0x616314f, 0xcb41107, 0xc976a11, 0xca752f0, 0xa08291a, 0x3e2f839,
+          0xf2c420e, 0x0cff22f, 0x82b9747, 0xafd603e }
+    },
+    {
+        { 0x810a3da, 0xaddeddc, 0xd3a87bf, 0x78b6c2d, 0xde3a04c, 0xbc7020b,
+          0x9b6d045, 0x47ab973, 0x0959358, 0x3b046d6, 0x509ee3e, 0x0f953e7,
+          0x69fc61b, 0x803dc86, 0x893c8d4, 0xcceaec0 },
+        { 0xb048a45, 0x21f8c40, 0xfcaea8a, 0xb535073, 0x90e360b, 0xe712c35,
+          0x8403338, 0x5d0f3f4, 0x7207f2d, 0xe0ea26c, 0xffd9e05, 0x20f6b57,
+          0x4788b00, 0xb97d68e, 0x1889cce, 0xb121554 }
+    },
+},
+{
+    {
+        { 0x464238e, 0x0079817, 0x0d381ca, 0x2110302, 0xd9f01b5, 0x1cc4c6e,
+          0x5a131b1, 0x5e35dc5, 0x06944eb, 0xb61848d, 0x29631a3, 0x83792a0,
+          0xafca0dd, 0xbe1017f, 0x782fcbb, 0x70aaa01 },
+        { 0x99945e7, 0xc63b7a0, 0xc4486c1, 0xe9164ec, 0x885f2c1, 0xb133e35,
+          0xc99ae02, 0x186f0d3, 0x2bf53e6, 0x2fca492, 0x48a02bc, 0xf922aa2,
+          0x0dd3dca, 0x4fe6490, 0xf6a8207, 0xe8c313f }
+    },
+    {
+        { 0x97caf1e, 0xc5b3583, 0x922a4b6, 0xa001922, 0xdf07c95, 0x67e36be,
+          0xb2f4f34, 0xabaa0ae, 0xdedc333, 0x66dc926, 0x38ec5b3, 0x82021c4,
+          0x00ab176, 0x82b4f26, 0x69c45af, 0x1b7c22e },
+        { 0x0924ad9, 0x07b0dbe, 0xa407dde, 0xe030936, 0x26ccd06, 0x66e1ce9,
+          0xe3505a9, 0xb50c108, 0xda98f51, 0x8b921e1, 0x20cf7c7, 0x449ca1a,
+          0xe67d079, 0xadb80c7, 0x834372d, 0x205aa54 }
+    },
+    {
+        { 0x19bf847, 0x1482b48, 0x5906f0f, 0xd6c16ab, 0x23ad060, 0x323fb17,
+          0xc832be7, 0x0346389, 0x2ee45bf, 0xe71b2d8, 0xfb22276, 0x761c37d,
+          0x5d70be2, 0xa9b3334, 0x5a0627a, 0x81a0656 },
+        { 0x99a6282, 0x3377503, 0xd0436f0, 0xafc8d2e, 0xc53342f, 0x22f71d3,
+          0x8939ad3, 0x66ca56d, 0x30e09ba, 0x15a9192, 0xa6de890, 0x261091e,
+          0xe78f2d5, 0x609d700, 0x8eaaf78, 0x8aa52ee }
+    },
+    {
+        { 0xce76258, 0xa398788, 0x494b975, 0x3031d07, 0x043dfe2, 0x4a6d652,
+          0xb4401ec, 0xdb1a849, 0xce8bbcc, 0xf81ebbb, 0x16efe9e, 0x937dd47,
+          0xef85ecc, 0x9c19350, 0x214273b, 0x260d932 },
+        { 0x77bf1a3, 0x1d7e21e, 0xa544eb7, 0x199d689, 0x94ced50, 0x9da5941,
+          0x8a0aeaa, 0x71a60be, 0x26d3b51, 0x183a0ae, 0x8df9728, 0x49f176a,
+          0x3230674, 0x744376e, 0xe25541c, 0xb2cb21a }
+    },
+    {
+        { 0x9a0071f, 0x7a72158, 0xe7d2a6b, 0xe19dd29, 0x55113f0, 0x3deb34e,
+          0xede573b, 0xef1f8eb, 0x5665e37, 0xa8f7ff9, 0xf2d7777, 0xa2c21ea,
+          0x91e2e39, 0x1387afa, 0x7db68f6, 0x04057b9 },
+        { 0x1c241f7, 0x8b9d5ae, 0x8e75993, 0x689588a, 0x5c0e2d4, 0x79585b4,
+          0x7b64974, 0xba1ef16, 0x1c08a75, 0x72685bc, 0xd572edd, 0xf0a5814,
+          0x5ab0e70, 0x71464a3, 0x339aea7, 0xc93c92b }
+    },
+    {
+        { 0x5b8a87d, 0x1917e2a, 0x3a82756, 0xea5db76, 0x6420e2b, 0x5bba2fb,
+          0x019372a, 0x5cc0501, 0xccc5efd, 0xb1ef8be, 0xf49c57d, 0xaf06393,
+          0x87a0bc4, 0x3ab1adf, 0x34fe6b6, 0x2ee4cca },
+        { 0x6b8ba9b, 0xd160668, 0x7efec13, 0xef137d9, 0x50abb76, 0x7b60465,
+          0xf753a00, 0xb40ec2b, 0xeaf8f1d, 0x696ed22, 0xd8ba3d8, 0x398c91f,
+          0x37db313, 0x11f2034, 0xfe5079e, 0xe1ec33b }
+    },
+    {
+        { 0xbdc81f0, 0x8a10c00, 0x6fe8e05, 0x5f39256, 0x14a368e, 0xa595dab,
+          0x38cec6b, 0x32b3181, 0x1b00d00, 0xd77afde, 0x4d9923d, 0x3c97928,
+          0x76e13dd, 0x78f0e7a, 0xbf75675, 0x5ee8e59 },
+        { 0x91b130c, 0x49ec893, 0xa47a441, 0x9416182, 0x76e2ce8, 0x54555b5,
+          0x349c40b, 0xcbdd2fd, 0x9392bbe, 0x10ae737, 0x2e2dab0, 0x270b111,
+          0xaf293f4, 0x5cb7712, 0xd6095c6, 0xfc22a33 }
+    },
+    {
+        { 0x0f15878, 0xdcb5bbd, 0xb6bba48, 0xbcf27ad, 0x7b70eba, 0x979913e,
+          0x158578a, 0x4c0f34b, 0x6ed6088, 0x53f59a7, 0x75b0fc2, 0x19b3b2c,
+          0x0153f3c, 0xad628dc, 0xcec1607, 0x5195a2b },
+        { 0xdfe0f7a, 0x95f8b84, 0x152920b, 0x935c6b0, 0x4da1056, 0x25f9e31,
+          0xb28c229, 0x4910a94, 0x8ee4d6e, 0x54b03b4, 0x694e3ed, 0xc991fc3,
+          0xdbe5709, 0x68c4c26, 0x63d7657, 0xc9cfce4 }
+    },
+},
+{
+    {
+        { 0xf52a44e, 0x21c9227, 0xe85bfbd, 0x7f105a2, 0x6268fc2, 0x887781f,
+          0xa2d7e35, 0x56ee808, 0x2d3930f, 0x14f9de5, 0xdcb561a, 0x4a4e356,
+          0x7f95598, 0x8736226, 0x5f34151, 0x211c342 },
+        { 0x0eaf9cb, 0x8fcb75b, 0x3d60ce2, 0xcc9edf9, 0xa5fe627, 0x54412c9,
+          0x842dd09, 0x6036a72, 0xa6c6099, 0x71ce668, 0x5386764, 0x02b30d7,
+          0x6f18e23, 0xb69bed3, 0xd1de9f4, 0x124c9b1 }
+    },
+    {
+        { 0xe69b531, 0xe8f8d95, 0xaff1049, 0xe1e115e, 0xeddea0c, 0x9087cd1,
+          0x7449916, 0x8ed55a5, 0x7808404, 0x8009f54, 0x17fea55, 0x990f216,
+          0xfe8ecf9, 0x68ba624, 0x56d1f47, 0x8ac2950 },
+        { 0x529dfb0, 0x3257887, 0x244c080, 0xc4a613f, 0x28672fa, 0xabb1ac0,
+          0x31eb291, 0xb2915c5, 0x8fababa, 0x6e368ca, 0x1fde498, 0x6b8c259,
+          0xf2a548c, 0x67724a1, 0xf90409b, 0x6b3b7e8 }
+    },
+    {
+        { 0xfae20aa, 0x5415003, 0x85df5ce, 0x95858a9, 0x0ac6bee, 0x42bc987,
+          0x39ea1a9, 0x8d843c5, 0xb571043, 0x5de200c, 0x1741a33, 0x084fcd5,
+          0x0009d1c, 0xe1ca20c, 0xe957e6d, 0x0271d28 },
+        { 0x9e3be55, 0x84cbf80, 0x1c578c6, 0xc804dda, 0x409a93a, 0xea85489,
+          0x972021d, 0x64a450a, 0xe681312, 0xc6a2161, 0x65bc111, 0x280bff9,
+          0x0f8526f, 0xd358a4b, 0x953a3ab, 0xd967be8 }
+    },
+    {
+        { 0x7dd066c, 0x4c5e615, 0x634c8d4, 0x37afd33, 0x42d8b87, 0xa3ac88a,
+          0x938b607, 0x9681e9b, 0x37fe4c8, 0x7a286ab, 0x2494245, 0xdeee574,
+          0x6af75a8, 0x184b9d3, 0x3670c04, 0x20f696a },
+        { 0xa39e8b9, 0x1340adf, 0x0850b2e, 0x03c1929, 0x2c0e1ef, 0x435ebd4,
+          0x142ee9b, 0x49de18b, 0x3f116f2, 0xb440b27, 0x2214463, 0xd94e9fa,
+          0x6311543, 0x1b0ddd3, 0x991ba3c, 0x1ae042a }
+    },
+    {
+        { 0x5bb47aa, 0xbc322f8, 0x54a5845, 0x9e25625, 0x21115f3, 0x96b65ae,
+          0xbb5757b, 0x46fbed4, 0x4c42dce, 0x18aec4f, 0x8d801f0, 0xc59caf6,
+          0x1205521, 0x9189463, 0x89feb7a, 0x66bd8e0 },
+        { 0xc529ee7, 0x39ebe95, 0x8eadb99, 0x28d8992, 0x6927544, 0x6058c78,
+          0xd3808ec, 0x877e7a5, 0x1c52eaf, 0x8f65111, 0xae221cd, 0xfb59812,
+          0xf890391, 0x22289c6, 0x4966e92, 0xa97695b }
+    },
+    {
+        { 0x6ff10f0, 0xf0a9122, 0xa2a65c8, 0x49a931b, 0xb1d3cb0, 0x3fcebbc,
+          0xca9685f, 0x70eb79b, 0xab38cb6, 0x82520b5, 0x76304c3, 0xccf991b,
+          0xaf8b07c, 0x575aab1, 0x5ed5efb, 0xec8166a },
+        { 0xc8689b1, 0xddc5698, 0xb2e78d7, 0x227c949, 0x8e07d91, 0x6132321,
+          0x22cfd62, 0x658a11d, 0x004dd5f, 0x908fb44, 0x90d21b1, 0xe3d14f0,
+          0xa6a1639, 0x6f3db9d, 0x333a525, 0x09d86c0 }
+    },
+    {
+        { 0x6f043f7, 0xd83eaf0, 0xb52d5f6, 0x88ab648, 0x57144d7, 0x67c664d,
+          0xeafc8b5, 0x55d7644, 0xcceb291, 0x1c89f20, 0x831ac47, 0x51aec7b,
+          0x6148854, 0x51172fa, 0xf6d7bfe, 0x8fabf7e },
+        { 0x477ee27, 0x5910316, 0x20fe61e, 0x5f299dd, 0x42826ab, 0x48079a8,
+          0x22591fa, 0xf4a83ba, 0x55482ec, 0x8fac660, 0x6b65b3b, 0x48fd5f1,
+          0x9fd9e19, 0x4288a7c, 0x9377894, 0x27db819 }
+    },
+    {
+        { 0x7fd9dd6, 0x2936ee4, 0x9ec87c6, 0xcce5f0e, 0xdb6e3b4, 0x15a50e3,
+          0xad701c8, 0x61df105, 0x1dff1f7, 0x3601add, 0xe8a16e1, 0xb761e06,
+          0x1af3f91, 0x4341e02, 0x933fa3f, 0x9156a4a },
+        { 0x54bc01d, 0x9dc46ae, 0x64eb910, 0x605577a, 0x5a59a99, 0x22b99f8,
+          0x0a229d8, 0xab2dbaf, 0x6599364, 0xa8bfb65, 0xe94ebf0, 0x39ed4a5,
+          0x0dbb23e, 0x7b46a1e, 0x8751422, 0x117b195 }
+    },
+},
+{
+    {
+        { 0x423bddf, 0xd19e8fd, 0x387ef59, 0x9d77042, 0x849590a, 0x315cbdd,
+          0x7866c1e, 0xfdc637c, 0x03515a6, 0x72be83d, 0x0376780, 0xd44a4a0,
+          0x19e0c2b, 0x3b96131, 0x7b1a689, 0x023aca3 },
+        { 0x82282ea, 0xf5f3687, 0x8a8b5c7, 0x4471089, 0x17a3066, 0xcd2f00a,
+          0x81ed681, 0x754e112, 0x0bfcefd, 0x9c6c70c, 0x3b6f29b, 0xd6aced0,
+          0x2817a2a, 0xe443d56, 0xe7c0012, 0xe590ef4 }
+    },
+    {
+        { 0x3e62e2a, 0xc2f9676, 0xb2daa26, 0x661816e, 0xdd5f512, 0x3515fd2,
+          0x56b6e75, 0xdc36e27, 0x74cc658, 0x0bdde46, 0x00e7644, 0x1029086,
+          0x1694a09, 0xfdf0045, 0xceac169, 0x454bcb6 },
+        { 0x6481eb6, 0xf4c92ab, 0x09750e7, 0x8b77afa, 0x6362d6d, 0xe6f4231,
+          0xf53a3ae, 0x0d45dee, 0xd7dcf98, 0xdac7aac, 0x125ec4a, 0x628cb7f,
+          0xaec0320, 0x41e8a20, 0xea2e35b, 0x7418c7e }
+    },
+    {
+        { 0xdf40519, 0x4d649ab, 0x3525833, 0x8cb22d4, 0x7a5333f, 0x15f6d13,
+          0x72c23ee, 0x8c3991b, 0x0cd44a3, 0x248b9a5, 0xccc1a75, 0x6b4c4e0,
+          0x15c99a9, 0x3221efb, 0x0a9c504, 0x236d504 },
+        { 0xd559100, 0x401c7fb, 0x07c524d, 0xcf0e075, 0x34a9275, 0x39647c0,
+          0xf7e8683, 0x2355422, 0xb3ae670, 0x3e0a16e, 0xad61b7f, 0x1c83bcb,
+          0x9ca6cbe, 0x491bcb1, 0x5e29458, 0xe668dc4 }
+    },
+    {
+        { 0x219379e, 0xe44c65b, 0xbb607ee, 0x211381b, 0xb7bc6db, 0xd4c7428,
+          0xb76a2e8, 0xba62a03, 0x8bb0b31, 0xe1729c9, 0xc6bbc10, 0x3caeb50,
+          0xb0187aa, 0x6c66727, 0xfb90dcf, 0xbf9d2f0 },
+        { 0x1184dc6, 0xec69350, 0x2698eb5, 0xd58d2a3, 0xa316b07, 0xb366d8d,
+          0x251c017, 0xe1e39bb, 0xadb157f, 0xbe44ba9, 0x8a8b06c, 0xbaa9a9a,
+          0x6e473e1, 0xd0f4635, 0x1d681c6, 0xd25a8f6 }
+    },
+    {
+        { 0xcb102c7, 0xba39d5f, 0xd8aa1eb, 0x66eba21, 0x697fbf4, 0xcc2591a,
+          0x2317f54, 0x5adb579, 0xf76c6f9, 0xa01ae71, 0x5042705, 0x2c525de,
+          0x4f4479f, 0xc8f4272, 0xe6d7a5b, 0x26ab54a },
+        { 0xdc28106, 0xda217b5, 0xeb2ae6a, 0xc7cadea, 0x53ea3b2, 0x0b16094,
+          0xcc6111b, 0xcddcc1c, 0xa7a7beb, 0x5c47aff, 0x0e52dab, 0xf9931bd,
+          0xc6dcf96, 0x5231835, 0xf27ea4e, 0x7095bde }
+    },
+    {
+        { 0xc33b4e2, 0xee8adae, 0x63ceb44, 0x3006651, 0x880b086, 0xf1476fb,
+          0x9569ce8, 0x0703328, 0x238b595, 0x2cabf9a, 0x26c8158, 0x85017bc,
+          0x68d5144, 0x420b5b5, 0xf9c696f, 0xa9f5f1e },
+        { 0xc8fec5a, 0x1409c3a, 0x28e9579, 0x541516f, 0x0e1f446, 0x06573f7,
+          0x2311b96, 0x3e3c706, 0x3c2ffd8, 0x0033f1a, 0xca6711c, 0x8e808fc,
+          0x07aef98, 0x716752d, 0x92525b3, 0x5e53e9a }
+    },
+    {
+        { 0x5a1c29f, 0xce98a42, 0x3ca6dc9, 0xaa70348, 0xedfa48b, 0xe77d822,
+          0x068abca, 0xd2e3455, 0x482cfca, 0xb456e81, 0x7fbfb08, 0xc5aa981,
+          0x8243194, 0x8979f25, 0x2cd043d, 0x727f217 },
+        { 0xaa53923, 0x7cca616, 0xe9bcb72, 0x387c5ae, 0x37580bb, 0x0173fd4,
+          0x75fc0d9, 0xdd7795b, 0x345deae, 0x47d1c37, 0xb0d1c03, 0x2eb5d7f,
+          0x958f002, 0xf7a1b92, 0x8f61b67, 0x7365cf4 }
+    },
+    {
+        { 0x562a5ed, 0x4b22c3b, 0x5c7cd07, 0x711216f, 0x9ba0648, 0x51f72c4,
+          0x0de9e6f, 0xc10d093, 0xfda63ba, 0xaca479b, 0xaf532b0, 0x4722a55,
+          0x7236f39, 0x8d59eb7, 0x4465c34, 0x5cad874 },
+        { 0x722b0c1, 0xa2119e5, 0xf343ea4, 0xb670264, 0xc19f387, 0x6910f02,
+          0x0381fba, 0xcfec5bc, 0x52c0a1d, 0x5f5de0d, 0x6378cb6, 0x4e474d5,
+          0x27e2ba3, 0x2fc8027, 0x159b541, 0xa215da3 }
+    },
+},
+{
+    {
+        { 0x8499895, 0xed53585, 0x65c998d, 0xa0aefd5, 0x2d5a561, 0x210d850,
+          0xa2cd9d6, 0xc2cc23c, 0xc4d297e, 0x2371d46, 0xd18d441, 0x88b2143,
+          0x043993d, 0xbebdad9, 0xad5f28d, 0x6ba91e7 },
+        { 0x3a731f4, 0xc2bb3f1, 0x5d0d5c3, 0xd35cfac, 0x35ac427, 0x9950998,
+          0x5458adb, 0x8938bb5, 0xab26f3b, 0x0bd738c, 0xa28cd8d, 0x56db3d5,
+          0xa1d8b4b, 0x87eb95f, 0xe7f3b4b, 0xd6700ef }
+    },
+    {
+        { 0xea1e57b, 0x962c920, 0x6dded6d, 0xd3be37e, 0x2c96a73, 0xf499b62,
+          0x6c99752, 0x3eaf7b4, 0x025590b, 0xa310c89, 0x721db23, 0x535aa4a,
+          0x19714a0, 0x56ab578, 0xd4048c1, 0xeecb4fa },
+        { 0x470c466, 0x7b79ec4, 0x1383cee, 0xc4e8f2e, 0x5750c45, 0x0f5d776,
+          0x725527d, 0xa3b3bc3, 0x6d00cce, 0x2f5deb6, 0x95a8d81, 0x5d5a0f4,
+          0xe02b824, 0x50a442e, 0x2a11628, 0xafb0446 }
+    },
+    {
+        { 0x0c613de, 0x72b67bc, 0xe6f0b24, 0x0150d4b, 0x8ed289d, 0x847854e,
+          0xa320f88, 0xe08292f, 0x29c6160, 0xd5b6da3, 0x4fb9d06, 0x2a48e2d,
+          0x2de087c, 0x55d9e41, 0x4f02100, 0x65683b5 },
+        { 0xa8886c6, 0x4dc8c2e, 0x20d6114, 0xe966dd2, 0xa57af97, 0x99745eb,
+          0xb854725, 0x23a9a71, 0x621a047, 0x8effe05, 0x049a4be, 0xf16d284,
+          0x5b0660f, 0x95828c2, 0x56e96b0, 0xd5b69ba }
+    },
+    {
+        { 0x4ffa0b8, 0x0b5b424, 0x096cc5e, 0x0585b45, 0xf505d37, 0x413e1ae,
+          0x0c7ab8d, 0xe5652a3, 0x2990120, 0xab32fb7, 0x3f09368, 0x6b8b16e,
+          0xefe128e, 0xbf9fadb, 0x14b7671, 0x85f366b },
+        { 0x090608d, 0xcb2f294, 0xac3045f, 0x25e2769, 0x6131904, 0x069c4f0,
+          0x329a779, 0x1c57cf1, 0xb7cace7, 0x72fe0d5, 0x0897a45, 0x04d9f43,
+          0x359a645, 0xbaf32f6, 0xfa7485a, 0x0fa854f }
+    },
+    {
+        { 0x5f56f60, 0xae3533c, 0x0ad9360, 0x9773bbb, 0x38fbe6b, 0x769b34a,
+          0xffb0c00, 0xb5ba8e9, 0x75472e4, 0xa939318, 0xce5f30f, 0x12cac92,
+          0xa9e7dbc, 0x514fc06, 0x58b4734, 0xd7ca865 },
+        { 0x65a730b, 0xd101ff3, 0xabe70e9, 0x92da451, 0xef7bf4b, 0xfb5f94a,
+          0x1d56c7b, 0x8c3ef4c, 0x8435c10, 0xb085766, 0xe7ed4cc, 0x7fbbbda,
+          0x24f372f, 0x1da6eaf, 0x59b8ae3, 0x0ab2c1f }
+    },
+    {
+        { 0xf10a4b9, 0x63a1a78, 0x0c7e510, 0xbb5278d, 0xf874142, 0x97b224e,
+          0xb2517b1, 0x0a9ff52, 0xc5cd920, 0x1b5a485, 0xa1823b9, 0x1a8e2eb,
+          0x0e914a8, 0x2b088c0, 0xcf13432, 0xe5ec3ad },
+        { 0x6e7e253, 0x0d6ab3e, 0x6f18458, 0x9f0f5cd, 0xf459a6d, 0x839a744,
+          0x1eb15f7, 0xb4b4f94, 0xc72cb14, 0xe0313ac, 0xb20472d, 0x58ee933,
+          0x872543e, 0x5f73d7a, 0x501f067, 0xb1700c5 }
+    },
+    {
+        { 0x085f67f, 0xb70428e, 0x43cabe5, 0x5441d51, 0xe0a6055, 0x4d0e8c2,
+          0x0882e4f, 0x8d39a08, 0xc1cb39d, 0x615bb32, 0xf7a1642, 0x113f18d,
+          0x250681f, 0xbab8cf5, 0x677b72a, 0x3017ba2 },
+        { 0x5a3a876, 0xcd2b6e9, 0x2035a69, 0x0476501, 0xefa2ea0, 0x31d6440,
+          0x56874d5, 0xde8f8d1, 0x0199d4a, 0xcbc71cd, 0xe7f2170, 0xc546b61,
+          0x112c4c3, 0x4e57e4e, 0xd1622ba, 0x58955a8 }
+    },
+    {
+        { 0x04e2f6f, 0x0064cd7, 0xe0edd38, 0xe9d458d, 0x7e0a5c8, 0xeb1a597,
+          0x01fc0a8, 0xe322ece, 0x1032a19, 0x8b9d166, 0xa89de94, 0x3e7b539,
+          0x001c754, 0xfa30262, 0xdb588f6, 0xe33de4d },
+        { 0x954eb94, 0x4dafbdb, 0x0584c1b, 0xbb43648, 0x5dbe29b, 0x622c93e,
+          0xf57b931, 0x968f9e3, 0x0f6453b, 0x98f03be, 0x08f696c, 0xb0ecc7f,
+          0xa505335, 0x5af55f4, 0xfb3fa9b, 0x028533e }
+    },
+},
+{
+    {
+        { 0x27e8d86, 0x3bc8e68, 0x63f105a, 0x4e43b30, 0x4981250, 0x5301b7d,
+          0x9f72fa8, 0x8b0a75e, 0x357348c, 0x88f59db, 0xec4208e, 0x5f0ebb1,
+          0xc043d3b, 0x4712561, 0xc806b97, 0x9e5ded0 },
+        { 0x2121d09, 0xf9bd0a6, 0xe337cd1, 0x1759ecb, 0xe945542, 0xd1acc0e,
+          0xbd2f63a, 0x3683feb, 0xda5dfe9, 0x44f1bcc, 0x707f22f, 0xa3606c9,
+          0x2d96ca5, 0x45ef064, 0x9022df9, 0xfc3107d }
+    },
+    {
+        { 0x44be755, 0xe81320b, 0x5c7c761, 0xdf213d5, 0xb4e5db9, 0xf43d2d5,
+          0x8dedcd2, 0x3bcfd82, 0xd37a9ec, 0xdf368a6, 0xf475a77, 0xfef20ae,
+          0x162c064, 0x22f5894, 0x0142a7d, 0x956bc66 },
+        { 0x7daec78, 0xaaa10e2, 0xb6e9a78, 0x3cb9b72, 0xe383f72, 0xa740bad,
+          0x7759007, 0xc31b401, 0xa7afc50, 0xdada964, 0xfd3d11f, 0x6bf062c,
+          0x5db3679, 0x9470d53, 0x03abf13, 0x3394473 }
+    },
+    {
+        { 0x46e5d7f, 0x533f440, 0x49048c8, 0xd1793e3, 0x1929b94, 0x59e1150,
+          0x8364134, 0xcddbbcb, 0x582774f, 0x795c794, 0xe03081a, 0x114dfc4,
+          0xef54042, 0x541ef68, 0x23f18cd, 0x159295b },
+        { 0x48a2c8c, 0xfb7e2ba, 0xbb6d116, 0xe2d4572, 0xd750b53, 0x7bb0b22,
+          0xd142ee8, 0xc58888c, 0x90c9e2d, 0xd11537a, 0xd02eb9e, 0x77d5858,
+          0xd444a79, 0x1fa4c75, 0xd58a68d, 0xf19b2d3 }
+    },
+    {
+        { 0xeb8b90f, 0x37e5b73, 0x3f2a963, 0x3737f7a, 0x9de35e0, 0x87913fa,
+          0x8731edd, 0xec7f992, 0x219491e, 0x6e6259e, 0x4de236c, 0xb2148a0,
+          0xfdd309b, 0x89700e8, 0x9f0bf80, 0x9ce51e4 },
+        { 0x301f17b, 0xe7ec421, 0x3bc5f4f, 0xa4b570a, 0x1285ee2, 0xc2b1b2a,
+          0xc53db73, 0x5e86bc8, 0xf24fa90, 0xb65fcea, 0x08ab024, 0x9e74c56,
+          0xf9ed877, 0x5c8003d, 0x4a2cbbc, 0xa632e9e }
+    },
+    {
+        { 0xc91c8b5, 0x32a4546, 0xc969363, 0xc122b5a, 0x3648b3a, 0xbbbec5e,
+          0x25143b0, 0xd5a365e, 0x54157ce, 0xcf3e464, 0xf9bab64, 0x9712f04,
+          0x04b4008, 0xc12d43a, 0x2edf1c7, 0x51932d7 },
+        { 0xb2f8470, 0xaef1655, 0x6c24ace, 0xaa8e3f3, 0x6b4e761, 0x7da75da,
+          0xb90bca2, 0xd371827, 0x0afb45c, 0x84db450, 0xef46b5d, 0xae12045,
+          0xd962f98, 0x91639a5, 0x72f2ac0, 0x669cbe6 }
+    },
+    {
+        { 0x83a4356, 0x851bb31, 0x9a1bf15, 0x7d436bf, 0x120b378, 0x46a3f0e,
+          0x3f5b357, 0x9302abc, 0x93fef53, 0x1e06726, 0x5fd2ee9, 0xb12f4a9,
+          0x7de9433, 0x94a884c, 0xa6f2874, 0x2645234 },
+        { 0xcdb8dfa, 0x6fb56f5, 0x9e0ee4e, 0x4a17dfc, 0x83ab01e, 0xe269d83,
+          0xb77c10f, 0xda932da, 0x0321243, 0x463af0c, 0x16fc8a3, 0xbe1d682,
+          0x48b39e3, 0x2eae3ea, 0x3b03e7b, 0x9423021 }
+    },
+    {
+        { 0xb22f28a, 0xaeb507c, 0x49a6b44, 0xa77458b, 0xc03dc17, 0x232ed5a,
+          0x9c61ac6, 0x79dfc16, 0xcd71b93, 0x7c48be9, 0xc429cd9, 0x983d68a,
+          0x98ae2c8, 0x7709c47, 0xa5df075, 0xe4765c0 },
+        { 0x3367f33, 0x23c4deb, 0x37d72a7, 0xbdf2b7e, 0x0af2d26, 0xbaab5c7,
+          0xfd026ab, 0xd609f7f, 0x541b039, 0x23b72b2, 0x83be852, 0x8d06bac,
+          0xcb23d1c, 0x911d4a9, 0xfb0dbd7, 0xeae815c }
+    },
+    {
+        { 0x2c33481, 0x487c35c, 0xb6136db, 0xffab636, 0xa3d3aa4, 0xccd4dae,
+          0xc3704e0, 0x87149bb, 0xc0e8396, 0x9de8119, 0x58e7ca6, 0xd49357a,
+          0x1562d75, 0x6878918, 0x5ab1fad, 0xc745381 },
+        { 0x02c9b91, 0x0f15798, 0xb1ddde5, 0x7ffc3f0, 0x6aae50d, 0xa01d5e0,
+          0xe279873, 0x6a97e65, 0xb5b1b41, 0x4bcf42f, 0x32f5982, 0x1c6410f,
+          0x50701c8, 0xd4f7600, 0x873b90d, 0xff02663 }
+    },
+},
+{
+    {
+        { 0xe5b2de2, 0xdc53ea2, 0x38acecb, 0x94b352d, 0x0d9d5e5, 0x37d960b,
+          0x90bd997, 0xabd868f, 0x35a7376, 0x781668f, 0x10118bf, 0x043d597,
+          0xf57928a, 0xd4da719, 0x983e46c, 0x01942f6 },
+        { 0x728bd76, 0xab97fc8, 0x4b5c1c5, 0x825956b, 0xc82a104, 0x202809f,
+          0xc8e3132, 0xdb63e9c, 0xc2181af, 0xa41c701, 0x43e066a, 0xd280180,
+          0x24044ce, 0xc734e41, 0x505193c, 0x4d9ab23 }
+    },
+    {
+        { 0xf9f0c3f, 0x0bcd42a, 0xb94a218, 0xda21a46, 0x0ffc788, 0xe55243c,
+          0x47a5551, 0x318aae6, 0x79af9cb, 0x8c2938b, 0xec1dce5, 0x5d15232,
+          0x8ad2e5c, 0x3d310ba, 0x94f792a, 0xd3d9724 },
+        { 0x12a9553, 0xdeb4ca1, 0xeb54d9d, 0x2f1ed04, 0x69fb7a1, 0xaa9c9cf,
+          0x54dcd3a, 0xeb73c3a, 0xf5f201f, 0xee3eddc, 0xba7d234, 0x35f9e1c,
+          0xd2e242f, 0x1d1d04c, 0x0df7515, 0x48df9d8 }
+    },
+    {
+        { 0xa81dd9a, 0x4ecc77d, 0x03aa015, 0xa6ac4bb, 0xbbc4fed, 0x7645842,
+          0x9d6cf52, 0x9ae34cd, 0x5917e0b, 0xf8ff033, 0xc2cc175, 0x7c9da37,
+          0xaaacfbe, 0x1e74dcc, 0x7999af8, 0xa8f2df0 },
+        { 0x102a466, 0xd06c4ea, 0xae190dd, 0x2156e87, 0xec4a863, 0xc95db8a,
+          0x244a6fe, 0x49edffd, 0x904f81e, 0x110fae6, 0xa1cd104, 0xbaa3e50,
+          0x0478b65, 0x5bd38a2, 0xdaefbcc, 0x2b57d05 }
+    },
+    {
+        { 0x86f4534, 0x1ce92ba, 0x414f5e3, 0xb2a8592, 0x9979436, 0xdd7a4c6,
+          0x3f0add7, 0x7599aff, 0xe2d4f64, 0xe0ce4d3, 0x401a29f, 0x74475cc,
+          0xa2377d9, 0xaef6541, 0x3f917b6, 0x54048f5 },
+        { 0x05312ec, 0x1b86b22, 0x31493cb, 0x779ba22, 0xaac9320, 0xc718369,
+          0x617fce4, 0xeab01a8, 0xf7187fa, 0x17b1f10, 0xa1aca46, 0xe68eda0,
+          0x2586342, 0x61033fe, 0x0b6ca43, 0xfc14e79 }
+    },
+    {
+        { 0x13d2491, 0x9f22319, 0x7997202, 0x66bdb53, 0x4617f34, 0x0bafb0c,
+          0xf3bb7b3, 0x5917831, 0xb45bddb, 0x6feb2a6, 0x0202c19, 0x08662b3,
+          0x05852f6, 0x0bc2b57, 0x91818c2, 0x2c00fd4 },
+        { 0xda37dac, 0xca7672c, 0x5a30865, 0xfe4c04c, 0x322e92a, 0x5f1399f,
+          0x25b1beb, 0xe7d67ea, 0xdce7f68, 0xe08b014, 0xf2f2b3c, 0x24df52a,
+          0x750ecd1, 0x2028b23, 0xc810a45, 0x9b25d4b }
+    },
+    {
+        { 0x7a9d799, 0xa35b715, 0x01f9c99, 0x6da1eb3, 0xe363ba8, 0x33ef91c,
+          0xce140da, 0x21c0e2e, 0x158cd84, 0xb0b11bf, 0x93da438, 0x6a87442,
+          0x3db585b, 0x924f10d, 0x10c6159, 0xf5ddd73 },
+        { 0x6a74c21, 0xb72dcb8, 0xcc8f79f, 0x6d14198, 0x9c5a8d6, 0x99f4b6c,
+          0x90e135c, 0x0639688, 0x83f6385, 0x330edb8, 0x9079675, 0xe1a5a6b,
+          0xb8f5fe0, 0x6e37fa8, 0x61dca1e, 0x60e2fd9 }
+    },
+    {
+        { 0x66c395e, 0xc6cb403, 0xb51d0f1, 0x03b21a7, 0xe693181, 0xbc478a5,
+          0xc6cff33, 0x0017c2f, 0x39d8d1e, 0x740a5b8, 0x4d9ec6d, 0x3968d66,
+          0xb0ef1b0, 0xfd53738, 0x1ed0a04, 0x73ca8fd },
+        { 0x75ab371, 0x4ace938, 0xddad7e9, 0xd602936, 0x750bcc2, 0x1f5424a,
+          0x68c7a17, 0xfe09b36, 0x58341ec, 0x165f7de, 0x6ce61e5, 0x95b825a,
+          0x66c83c4, 0x9d31e19, 0xcc5887b, 0x65b3e08 }
+    },
+    {
+        { 0x21482d1, 0xd37e932, 0x08b6380, 0x9af6597, 0x7d61e4b, 0x279426a,
+          0x80997ad, 0x80dd0ec, 0xd5b76d4, 0x7239b0d, 0xe76c098, 0x92e6c73,
+          0xeab3e1d, 0xeeb2321, 0xeb1a910, 0xa69c4a7 },
+        { 0x833d9ae, 0x46d6aa7, 0x572b0fe, 0x3ee6957, 0xcdb3d97, 0x44ccbed,
+          0xcbea01b, 0x342f29d, 0x8926876, 0x0d518c5, 0x5585d2c, 0xaaabae7,
+          0xe008f58, 0xc548c77, 0x21fab2c, 0x819e2fa }
+    },
+},
+{
+    {
+        { 0xc16e981, 0x468e149, 0x9ddbb7c, 0x286c790, 0xdb7a38a, 0x2a92d47,
+          0x8a27cb2, 0xde614e6, 0xe5b0ab6, 0x8dc8822, 0xcf48565, 0x38441ae,
+          0x089435b, 0x11ed5c9, 0x82d0d31, 0x2389286 },
+        { 0x72f2f31, 0xc6698d4, 0x56d76af, 0x295242c, 0xeba563b, 0x4099205,
+          0x3ab7384, 0xae7de5a, 0xd0ed86c, 0xccdf127, 0x965c3c3, 0xb9b6d5b,
+          0x2c31ad7, 0xe351a8f, 0xac12f13, 0xa761dd8 }
+    },
+    {
+        { 0xf171ab7, 0xda115dd, 0x401f93d, 0x2de17b1, 0x40964b4, 0x95019ca,
+          0x65ba3c3, 0x169d1f4, 0x0090d08, 0x534a007, 0x82bf410, 0x805c5e2,
+          0x65f8d90, 0x15dfe11, 0xca72456, 0x827a416 },
+        { 0x33a36c4, 0x5af8884, 0xd8ee604, 0x8bfa54c, 0x9ce290f, 0x08fd141,
+          0x287b3a6, 0x2db5e8c, 0x03cdad2, 0xe5be981, 0xbf810b9, 0x155b874,
+          0x670f473, 0x2ae42de, 0x7f74657, 0x2218584 }
+    },
+    {
+        { 0x23ffa43, 0x54b2a50, 0xa24d919, 0xcf87b16, 0x63524e8, 0x1ff5402,
+          0x56d1e54, 0x73c94e0, 0x3899fb5, 0x7651552, 0x18723bf, 0x13a7214,
+          0x3561517, 0x39afbdd, 0x9f2862e, 0x49b790a },
+        { 0x527d2ce, 0xc8c1f4f, 0x7609bb7, 0x1997aec, 0x02a3400, 0x583ad80,
+          0x4f79706, 0xac2374e, 0x21b7183, 0xbf1f9a8, 0x6600fe0, 0x06158ab,
+          0xbd56751, 0xfcc9b2e, 0xddaaec7, 0xe1de5ac }
+    },
+    {
+        { 0x788fdab, 0x230baa1, 0x7d04597, 0xf30860a, 0x99f4caa, 0xa2c7ece,
+          0x6ad065e, 0xbd39f10, 0x3bef7bd, 0xfd92f5d, 0x96d2203, 0x6069fad,
+          0xc4d9e0d, 0xbff38ca, 0x1fda313, 0x419a017 },
+        { 0x572f035, 0x5d77fd8, 0xb282b40, 0x5af99f2, 0x23facff, 0x7257d3b,
+          0x58c90af, 0xf2ee223, 0x9b6a52a, 0xcc2687d, 0x302430e, 0x140892c,
+          0x3ec4f38, 0xa934d5e, 0x3bd18be, 0xc087d7c }
+    },
+    {
+        { 0xa2c5ed7, 0x7e94138, 0x53610bf, 0xbc8ceef, 0xd86f803, 0xe89356b,
+          0x5a55330, 0x9a3a380, 0x11ad648, 0xe894aba, 0xba95918, 0x2e68fba,
+          0xfcad344, 0x643e2ba, 0x61640aa, 0x0dd0256 },
+        { 0xe25cbdd, 0xc02e479, 0x13a1b3f, 0xd78c4d8, 0xcca9692, 0xa6dae8f,
+          0xe5de8a0, 0x3dd91e9, 0x764ea36, 0x78ae0ce, 0x85dbc5e, 0xb4ad999,
+          0xe82a169, 0x967ff23, 0xbaee1fc, 0xaeb26ec }
+    },
+    {
+        { 0x9a6f90c, 0x8c50255, 0x0ea374a, 0x56e7abe, 0x56413b2, 0x675c722,
+          0x946753f, 0xd3fc17e, 0xe235f7c, 0x28c4e1f, 0xb028eb0, 0xe209bcd,
+          0x489fe88, 0x7d0f93a, 0x063706a, 0xb966a2e },
+        { 0x4a30319, 0xb6c228c, 0xca6d674, 0x6868efe, 0x057311a, 0x0610a70,
+          0xbad7f89, 0x0808112, 0x1dd6181, 0x2a2462c, 0xb58e88a, 0x52ed9fe,
+          0x33821a2, 0xbbff16f, 0x17f882a, 0xda53e96 }
+    },
+    {
+        { 0x8c30e5d, 0xb6ffca3, 0x5c905f5, 0xa90f991, 0xd753e88, 0x72fb200,
+          0x7256c6a, 0xe509d4c, 0xd866500, 0x369e552, 0x33cf8ae, 0xee4b7e0,
+          0xefcf6eb, 0x280d954, 0xd557f0e, 0x5b275d3 },
+        { 0xb5cecf8, 0xeb17211, 0xbdb2f8d, 0xd6ad50f, 0x35e04b7, 0x2478c7b,
+          0xac73bd3, 0x97e7143, 0x4817e24, 0x09d6ede, 0x2c405e1, 0x68fea71,
+          0x05f67a1, 0x34adbc9, 0x73edf99, 0xd20ab70 }
+    },
+    {
+        { 0x569f191, 0xe116a96, 0x4d6e29a, 0xb3f0bce, 0xf51dbab, 0x30b9e1a,
+          0x346d276, 0x1dd36f3, 0x0749a27, 0x8315103, 0xab47f70, 0x242f148,
+          0x5585681, 0xe8a5bcf, 0x5ed79ba, 0x8b80184 },
+        { 0x3894ad1, 0xa4042fd, 0x2b88bc6, 0x82f781d, 0xbe4c397, 0x2d34cac,
+          0xdd99c9f, 0x8731aea, 0xef1d382, 0x0f95498, 0xdd0bbc9, 0xcaba2e1,
+          0x54064e8, 0x78889e9, 0x61a8ab9, 0x8cd9c97 }
+    },
+},
+{
+    {
+        { 0xfa0459e, 0xf31f53f, 0x315cd6b, 0xf8742a1, 0xae64e97, 0xabe2f50,
+          0x9b9da48, 0xbd78741, 0x51e526e, 0x4521a33, 0xe10ba45, 0xfa05935,
+          0xe8f903c, 0x5c947e1, 0x5a754ee, 0x0aa47d1 },
+        { 0xd814825, 0xb2849ef, 0x5c9968d, 0x9c2a5d2, 0x04e634c, 0x24dbb26,
+          0xdb38194, 0x33f3a4c, 0xc8a2b6b, 0xe04f609, 0xabbbfdb, 0xcaefd8e,
+          0x404498b, 0x683119a, 0x8b21cbd, 0x24ab7a9 }
+    },
+    {
+        { 0x21fa2dd, 0x6f13269, 0xc10a4bc, 0xd79e61c, 0x4bd6d46, 0xac4b3ce,
+          0xbd3f37b, 0x52459b6, 0xa396966, 0xce0f0a3, 0xa1ed488, 0x050d1d5,
+          0xe0b17fa, 0x1b9c403, 0x04a2e66, 0xee1abd0 },
+        { 0x5cf3e3b, 0x97065c3, 0xbe33441, 0x6513d5f, 0x79047ae, 0xcd34634,
+          0xfd22df1, 0x45cbb1c, 0x967b17c, 0x7a173ae, 0x2223cda, 0x75f5ba7,
+          0xefe0a73, 0xe3d12db, 0xfd7adcf, 0x3b7f94d }
+    },
+    {
+        { 0xf1e9b7d, 0xd596a13, 0x6734e0c, 0x04f5bdd, 0x8be163a, 0x18b694f,
+          0xd959fa3, 0x15620c7, 0x53d2a3b, 0x65fc2c5, 0xc4d36f2, 0xd44a364,
+          0x268ceab, 0xc8b421f, 0xbfe2bd4, 0x564139a },
+        { 0x19d4633, 0xb524610, 0x6346934, 0x5ab3f88, 0x9819422, 0x96691fe,
+          0x8b39b82, 0xdfdec89, 0x97cfb27, 0x84b1c79, 0x4d6d004, 0xe59a98d,
+          0x12c350f, 0x5e5d0c6, 0xd415774, 0xb431220 }
+    },
+    {
+        { 0x6aae0a2, 0x3d0ca73, 0x48c2d8c, 0x7b1991f, 0x5cdae72, 0x00ae856,
+          0xbd55128, 0xdbb6ca0, 0x45c82bf, 0x3c2ab2a, 0x79545ca, 0xea5a559,
+          0xd5927d0, 0xeba9a26, 0x83257fc, 0xb52e401 },
+        { 0xca9650a, 0x55ed517, 0xe3ebff2, 0xbdaa081, 0x9f8831b, 0x8cf7ce4,
+          0x6e3b8d3, 0x1d0b5bd, 0xd8fc869, 0xa314a9f, 0xb892bab, 0x07f2079,
+          0xa0cc9d9, 0xb700dbf, 0x6dc0a39, 0x7105a08 }
+    },
+    {
+        { 0x8c7d901, 0x0c7e05d, 0xaf3182b, 0xa7ff681, 0xf9a0d06, 0xb88e3ca,
+          0xc343b7f, 0xfe20a12, 0x03251f9, 0x9f02577, 0xc40c5eb, 0xf225ded,
+          0xb208ea7, 0x50e0cec, 0xe6eeb65, 0x5b250f0 },
+        { 0x4806b6e, 0x807a153, 0xfa94139, 0xded120a, 0x49366fb, 0x237ddc7,
+          0x5a34bcb, 0xdd3674e, 0x9c4a61d, 0xef6cdff, 0xb2fb896, 0x036194b,
+          0x9528cd9, 0x3865953, 0x6936a52, 0x0723c59 }
+    },
+    {
+        { 0xe17719d, 0x1f84cd5, 0xc73b394, 0x545939b, 0x83e84e7, 0xefbf3c5,
+          0xf77fd66, 0x6cc46f1, 0x1383ab8, 0xa629f59, 0xcd35cd2, 0x9177ffa,
+          0x9dd411b, 0x039187f, 0x7b7eea8, 0xa9cf1cf },
+        { 0xac47e5d, 0xa3b105a, 0xd0a9da4, 0xa755bea, 0x73da15e, 0x50cfbae,
+          0x60b628c, 0x9456cbc, 0x9b7a910, 0x7ffc362, 0xcd6d6a4, 0x30b5924,
+          0x0b04ab6, 0x198629f, 0x624dea9, 0xc74609c }
+    },
+    {
+        { 0xaf12fa6, 0x27d4d77, 0x690aeb2, 0xdd8a216, 0xfe24417, 0xe48fc02,
+          0x720e17e, 0x1970403, 0xce37b42, 0x95013fd, 0xde4bd9b, 0x06817d2,
+          0x63d0ba2, 0xc5863e7, 0xa556f5d, 0xa1bafc0 },
+        { 0x410a78a, 0xf28ec7b, 0x0a01a63, 0x0dcac42, 0xb5bce11, 0xfcd3fa4,
+          0xd278b89, 0x054d7e5, 0x5ce49e3, 0x5195db8, 0x2c73d96, 0x4c0b167,
+          0x20a1bdb, 0xd943077, 0x59c77a7, 0x66fa8b3 }
+    },
+    {
+        { 0xd7462fe, 0xb9e93ae, 0x18dde4f, 0xbfe54b2, 0x3dbb08e, 0xaabb528,
+          0x0e5fc45, 0x8c36702, 0x8e69be3, 0x3502888, 0xc12a11d, 0x6d2efc1,
+          0xf265e30, 0xfce5ceb, 0x5742c7e, 0x58c8bb3 },
+        { 0xccf7fa0, 0x32e89dc, 0xdd020a4, 0xa811f33, 0x5129fe5, 0xa10d620,
+          0xe4ed29b, 0x3841c88, 0xd8b1ea6, 0xf3303a9, 0x1781f58, 0xa9a0cad,
+          0x8f3ef0b, 0x4502b38, 0x74c6d35, 0x2b7587e }
+    },
+},
+{
+    {
+        { 0x23ae7cd, 0xc6eaea1, 0x73c0caa, 0xa1884d4, 0xef1ea88, 0x901e76f,
+          0xa14269d, 0xdb9935c, 0x947f1de, 0xe8b2486, 0xa657588, 0x4ad56f4,
+          0x2913fb1, 0xe768054, 0x37600da, 0x2abff5d },
+        { 0xa81a797, 0xa814813, 0x46acb69, 0x63e76a4, 0x4ab8277, 0xb103839,
+          0x9d8e759, 0x587de34, 0xddf62df, 0xdfaeb8d, 0x9239d49, 0x24fe1cf,
+          0xe130d1c, 0x7de7409, 0x581d070, 0x3ecfef9 }
+    },
+    {
+        { 0xf87c72d, 0x8d177a0, 0x8c6d1de, 0xae7e581, 0x8cece85, 0x0077b5f,
+          0x32d2187, 0x3824838, 0x6db2bd2, 0x49d8b15, 0xc8d85b9, 0xe9e5513,
+          0xe05c53f, 0x63c410c, 0xd86f752, 0xceaf2fb },
+        { 0x93806c5, 0x0b432fe, 0x3d06c75, 0x18eb15d, 0x12cfc02, 0xcaad826,
+          0x1e2d045, 0x581e040, 0x95edcfd, 0xd573cb5, 0xdbc66e3, 0xce71948,
+          0xacc14ea, 0xcf68721, 0x6cac4dc, 0xf68bea2 }
+    },
+    {
+        { 0xcb74da2, 0xd8576af, 0xc433f46, 0x8771c29, 0xe2f5b8e, 0x7315af6,
+          0xba33928, 0xc195481, 0x2fb1f94, 0xb77dcc2, 0xa610f75, 0xcb3e57c,
+          0x53907df, 0xeb2a927, 0x23eff95, 0x916f149 },
+        { 0xb6cd291, 0xbb378e4, 0x2f13ce1, 0xa2a5e2b, 0xbcd00b0, 0xa8a0e60,
+          0x682b75a, 0x5902741, 0x3f65a77, 0xa0882c9, 0xc93cfff, 0x2069f75,
+          0x70c0cb9, 0x1ede405, 0x0d526c4, 0x13840c9 }
+    },
+    {
+        { 0x03ced48, 0xdc2caaa, 0xa0315be, 0x2079219, 0x3b1f642, 0xca49356,
+          0xb0665f2, 0x0202dc7, 0xb7a5238, 0xe5d6bbd, 0x26eab32, 0x36fbd5e,
+          0xf5819b4, 0xb3988f1, 0x4aa4d69, 0x5b15dc8 },
+        { 0x54e5c24, 0xa52feed, 0xe91a797, 0x927471b, 0xd57f677, 0xd119bfd,
+          0x78e4c4f, 0xde38f7b, 0xb150bc3, 0xa7af516, 0x26b76c2, 0x403b21e,
+          0x92300dc, 0x589067d, 0x066802a, 0x04e406a }
+    },
+    {
+        { 0xa9ca9bb, 0x28e7d09, 0xfccf4a0, 0xaa84fd5, 0x635b7ed, 0xdbe9fb8,
+          0xd56fc7c, 0x9ede3f5, 0xb01cb29, 0xa4b5031, 0x7f93703, 0x584299d,
+          0xb6fe825, 0xbd28868, 0x8b9c2d9, 0x1d385d4 },
+        { 0x822be80, 0x6606f4a, 0x626d0fd, 0xb5a0165, 0x14568ad, 0x9920a20,
+          0x1c6d174, 0x7d430f4, 0xe02e9e9, 0xc243e16, 0xa6bd649, 0x367f1d2,
+          0x71b8c36, 0x6939100, 0x4de2984, 0x2ede131 }
+    },
+    {
+        { 0x5beec32, 0xdc78187, 0xa525ff4, 0x1fff0cc, 0x676df34, 0x6e86425,
+          0x3f638e1, 0x2b4e8a6, 0x9b1e59f, 0xc4991d2, 0x1589717, 0x399d001,
+          0xbe041cd, 0x406464e, 0x9e65bb0, 0x901cb3d },
+        { 0xfb42307, 0xf5f4572, 0xf1b7307, 0xf81b3b0, 0xf2094d1, 0x8fb695c,
+          0xdb56f7b, 0x7db4792, 0x5a794e0, 0x36836d5, 0x09bc879, 0x2da477b,
+          0x1887c40, 0x1cdfadb, 0xf2699b6, 0x65dc6c2 }
+    },
+    {
+        { 0x4737972, 0x36f9f21, 0x7a387b0, 0x48f0c8b, 0x39a1d24, 0xa156ed3,
+          0x0fed268, 0x375293a, 0x7ff75cb, 0xf679f48, 0x1cc9e62, 0xd15a00f,
+          0x22c3877, 0x92a7dc7, 0x6fb0ed4, 0xe987063 },
+        { 0x16f5f3c, 0xfd8e59c, 0xaeeb48e, 0x375732e, 0xca1ab42, 0x2dd9213,
+          0x9ffccea, 0xcb06209, 0xb23edfd, 0xfc611f6, 0x99b060e, 0x2716349,
+          0x820de8a, 0xb938b5d, 0xeb49a32, 0x138f6e7 }
+    },
+    {
+        { 0xe485f70, 0x7feda63, 0xeb27b2c, 0x646380a, 0xc4511c7, 0xcf8fe32,
+          0xff9406a, 0x2c68e1e, 0x20b6020, 0xa9f2fd9, 0x3b3e465, 0x1c98fc6,
+          0x93e53aa, 0xb8dac35, 0xa750e96, 0x2fb47b6 },
+        { 0x1950bb3, 0xea373ef, 0x4ac7aec, 0x8156694, 0xb55b931, 0x8d6b3c2,
+          0xb62ef7d, 0x5d13f2d, 0xab9182b, 0x4647f2a, 0x33bf07c, 0x8f56c5a,
+          0xb35a221, 0xc5ab284, 0x5a46a6b, 0x0747ab7 }
+    },
+},
+{
+    {
+        { 0x86b85c5, 0x5b9236c, 0xc482448, 0x5967a0d, 0x7df6ae0, 0x397c955,
+          0x5378f2b, 0xf83ee1c, 0x6e05dd1, 0xf82df65, 0x19d7c8b, 0x4c424f6,
+          0xa6d5f2a, 0xa612550, 0x63c3ebf, 0xfe8482a },
+        { 0x0142c82, 0xcb8d403, 0x3679e6c, 0x08b0662, 0x3eca5ee, 0x3ea5146,
+          0x1370500, 0x089eb3b, 0x5a0d306, 0xcbfb19c, 0x42a65bb, 0x2f68588,
+          0xe51e119, 0xe3e1db5, 0x110895e, 0x2c150e7 }
+    },
+    {
+        { 0xf6d4c4c, 0xf323488, 0x63b87e2, 0x5fc931f, 0x35c759f, 0x8867da0,
+          0x9746d4c, 0xb6f1eff, 0x990be0a, 0x8a8172d, 0x5c407b4, 0x1113eee,
+          0x378ed8a, 0xd80dacf, 0x3fa7fd1, 0x99b57cf },
+        { 0x5176405, 0xf5bb6d9, 0x92e83b5, 0x6b8963a, 0x8a7ef8d, 0xac55b6b,
+          0x6c1fbf0, 0xe73fa12, 0x60148df, 0xdb37560, 0xf3f1fba, 0x72f1a98,
+          0xea550f2, 0x1f71d0a, 0x9544a87, 0xc3ea4f0 }
+    },
+    {
+        { 0x4322bf3, 0x5b09da2, 0x61264e1, 0x2a573d5, 0x803acc4, 0x93cb2e1,
+          0xe502fc6, 0x397b4fb, 0x39e0ebc, 0xddfb212, 0xbbcbc57, 0xeccd8f5,
+          0x4663788, 0x49d3bed, 0x1218df9, 0x37192aa },
+        { 0x2ffa3c6, 0x8a05bc9, 0x23ebf4d, 0xc38c281, 0xfe343a8, 0xc80d547,
+          0x6c63516, 0xa8d5a5b, 0x8d8fa6b, 0xc5d8ce1, 0x24a87c0, 0xeb5e872,
+          0x75bfa23, 0x9806e9e, 0x689469a, 0x11f0889 }
+    },
+    {
+        { 0x8e75666, 0x81005f6, 0xd349505, 0xb84d861, 0x9f321ea, 0xe083282,
+          0xcfa33a1, 0xb751d7a, 0x067c550, 0x793cf6f, 0x1027e56, 0x073a6b2,
+          0x66a6012, 0x53f40ee, 0xc210fa9, 0x70bfaa8 },
+        { 0xe4b5998, 0x1518e39, 0x24b8d9c, 0x8f0b530, 0xafdf923, 0xd91c281,
+          0x24e3f69, 0xc5cfb28, 0x870871f, 0x63a529a, 0x2128dad, 0x3d3e887,
+          0xcb30cce, 0xed658dc, 0xafb7bae, 0xf9373b9 }
+    },
+    {
+        { 0xde58ed2, 0x22d4dbe, 0x03f8789, 0x4fefc1d, 0x344817f, 0x6b0a1fe,
+          0xa56b0b2, 0x96bef40, 0xda249fa, 0x32684ee, 0x524a91b, 0x8298864,
+          0x0c736a1, 0xa958baf, 0xef2f3e5, 0xd033a7d },
+        { 0x43f4d6a, 0x5be3edc, 0x9c89abb, 0x326a39d, 0x55d997a, 0x90c44f7,
+          0x6e966c2, 0x2058106, 0x6548038, 0xdbae490, 0xd473fc1, 0xac7bc97,
+          0x4b2603a, 0xb34488b, 0x5e9bb98, 0x27aea27 }
+    },
+    {
+        { 0x1b88773, 0xa59e728, 0x0c241f6, 0xe2f05d4, 0x4e75749, 0xa56229e,
+          0x1b10705, 0x8f00c0b, 0x19394d3, 0x8559946, 0xaaf5e32, 0x0d7e352,
+          0x787b8ea, 0x526c462, 0xa179d48, 0x89297d9 },
+        { 0xef43892, 0xeff17e6, 0x221f841, 0x17091eb, 0x4a4b848, 0x82f5eb3,
+          0x8eb7b76, 0x6bea477, 0x76c536c, 0x21f2271, 0x96c81bb, 0xd9ef2c8,
+          0x54bf4d3, 0x7c27546, 0xd7c28c8, 0x9dd4662 }
+    },
+    {
+        { 0x20e1a6b, 0xe7fff00, 0xa08d467, 0x26a35c6, 0x3248c91, 0xb3c773d,
+          0xba7d935, 0xa646615, 0xb0d26fa, 0xa91f453, 0x60c6d32, 0xdcf9c34,
+          0x9e3e3dc, 0x6366861, 0xf30f3e2, 0x3012813 },
+        { 0xc2fc61a, 0xac6623d, 0x2bfd2ff, 0x108dc25, 0x231d6ea, 0xd7f5c0d,
+          0xad1107e, 0xa904f9a, 0x0d1e9c8, 0x46941c2, 0xc810cf2, 0xe5b6451,
+          0x4f511d1, 0xaba8e67, 0x08373fe, 0x5b4b94f }
+    },
+    {
+        { 0x849c230, 0x002d4e2, 0xd8ba391, 0x9bed0ef, 0x828e319, 0x745e0c0,
+          0xca58de2, 0xcd40907, 0x1abaa4a, 0x2c87ab1, 0xdb64391, 0x3c17a97,
+          0x86c72d2, 0x36b184e, 0x485f7aa, 0xb03d202 },
+        { 0xde24aba, 0x2b6b79b, 0x2325fb2, 0xdcb7854, 0x66ebae2, 0xf5d1db9,
+          0x903840a, 0x35a4d5b, 0x190e9da, 0x7afeb09, 0x35c1792, 0x1818f6a,
+          0x3faa269, 0x90091fa, 0x2570235, 0xc4ccff6 }
+    },
+},
+{
+    {
+        { 0xec85940, 0xa177619, 0x7ef7eee, 0xfca24db, 0x7a90c11, 0xb2450f3,
+          0xdbf4f85, 0x29d256d, 0x51316c3, 0x920c8d0, 0x04474da, 0x2f7f7ba,
+          0x2ec9a0b, 0x308117f, 0xd0d2085, 0xd0a231a },
+        { 0x7ab641d, 0xf3288fc, 0x9f4fa32, 0xc68bade, 0xbbf8253, 0x768f014,
+          0xc0a33f0, 0x5eff260, 0x6bb93ce, 0xc71b453, 0x680697f, 0xa71d045,
+          0xce72bc3, 0xb62444c, 0xd1379f3, 0x11f03e8 }
+    },
+    {
+        { 0xc16df92, 0x1f54789, 0xe3ed142, 0x874c642, 0xfa2a9f1, 0x6699f60,
+          0x3fecfc1, 0xbd1b8d3, 0x8a3d953, 0x59682d5, 0x4a36b81, 0xf17c021,
+          0x181a666, 0xeb9621d, 0x3cf1ad8, 0x7c2c3ab },
+        { 0xe529f7c, 0xe6888c3, 0xb355315, 0x197b66a, 0x83e31ac, 0x63b558a,
+          0x891c68e, 0x4aa7bc5, 0x592e360, 0xc17d989, 0x1363666, 0xc750a29,
+          0x4909ac0, 0x0d53470, 0x4594a10, 0xd6d0272 }
+    },
+    {
+        { 0x3fbb635, 0x35c541b, 0x5982afa, 0x50016d0, 0x96b0ca0, 0x58ebce4,
+          0x577ea56, 0xb940027, 0xe38480f, 0xf29d305, 0xebd6a2c, 0x43705b0,
+          0xe90c639, 0x0e4acda, 0xf56e05e, 0xbe94a29 },
+        { 0x30659ad, 0xc61f4a0, 0xc402211, 0x39074ad, 0x51b621d, 0xfe0d8d5,
+          0xd1d5222, 0x2d02e8d, 0x46c2683, 0x05ece3c, 0xc689d41, 0xf70705a,
+          0x4d837bf, 0xe3caf44, 0x75ba6d0, 0xfda0584 }
+    },
+    {
+        { 0xcb7d458, 0x1098163, 0xf5ba834, 0x12b645f, 0x28af72c, 0x70a3181,
+          0xf32e5dd, 0x5f4727e, 0x10a21b4, 0x7cbae15, 0x6785389, 0xa80bf80,
+          0xb8f93b7, 0x9827402, 0x08349da, 0xe385f82 },
+        { 0x9589f6e, 0x2d05461, 0xe7c0191, 0x6aa5b26, 0xbd5574d, 0xe79ae12,
+          0x4148e61, 0x5d13f91, 0x13716ff, 0x7b2be0f, 0x80bb81f, 0x82b0fe6,
+          0x3e2569c, 0x697633c, 0x873f8b3, 0x6c1f083 }
+    },
+    {
+        { 0x0be1674, 0x6e26d85, 0xab8044f, 0xe4e47f6, 0x82fc434, 0xfdf46e8,
+          0xc89cadc, 0x639ae2c, 0x4b85bdc, 0x2244a52, 0xb7cf4ea, 0xb1e4790,
+          0x7e0bb8f, 0x51dce03, 0x2716cee, 0xdd14335 },
+        { 0x8e8841d, 0x1c049b4, 0xb97c621, 0x6bf26dc, 0xba01178, 0x21d6255,
+          0x8e4f0e4, 0x477258a, 0x68f8ef1, 0xf5e437e, 0x8b03e1e, 0xd118fbc,
+          0xe1c91b3, 0x3d6bc51, 0xd5b6907, 0xa259486 }
+    },
+    {
+        { 0x7b6f5dc, 0x4159cfc, 0x493694a, 0x05a52b3, 0x83b8883, 0xeeb511c,
+          0x2b06400, 0x19d79e4, 0x738f37e, 0x8e503a2, 0x5a94ad9, 0xa30e579,
+          0x262618d, 0x3981c75, 0x2dcba19, 0x06b6c69 },
+        { 0x4d1b051, 0xd7242ee, 0x3b350c4, 0x6274ccb, 0xf540019, 0x66df0bb,
+          0x5ae12d5, 0x4d66be6, 0x1049cba, 0xcea2960, 0x8df84b3, 0x4047339,
+          0x75a31c8, 0x7d6c96b, 0x874174c, 0xbb80159 }
+    },
+    {
+        { 0x59f1aa4, 0xf0f7be0, 0xdcff451, 0x798f39a, 0x8014e1e, 0x96763ff,
+          0x09cc5ec, 0x03987a8, 0x893650a, 0x4919656, 0x75e24df, 0x92e8eef,
+          0xe89d639, 0x54e97cd, 0x7682cc0, 0x8081d06 },
+        { 0xa8ceb71, 0xb9ef41a, 0xa4d7aaa, 0xb8173a4, 0xc54ee10, 0x93d81b1,
+          0x70a445a, 0xabe1805, 0x64d569d, 0xac0ff97, 0x3e570be, 0x86946b2,
+          0x4180641, 0x8e11dd2, 0x99f67dc, 0x3d0b33c }
+    },
+    {
+        { 0x48bf5a4, 0x2c9637e, 0xccaf112, 0x9fdec19, 0x5c42023, 0xe5cde9d,
+          0x878f0cc, 0x9869620, 0x1fe6eba, 0xcf970a2, 0x54e678b, 0x1df5ec8,
+          0x28d00dd, 0x4667f01, 0xb0b3fa8, 0xfa7260d },
+        { 0xb34239b, 0x6bd2895, 0x2d2a50d, 0x04c8bc5, 0x6cb23e2, 0x14e55ef,
+          0x3a278d5, 0x6440c27, 0x2193046, 0xf4b12e3, 0x5dd4c08, 0x46adf64,
+          0x4656e8c, 0x70e2998, 0xe4acd44, 0xe7b36ea }
+    },
+},
+{
+    {
+        { 0x16cf664, 0xea64a57, 0x26fd357, 0x8497ee4, 0x814e851, 0x44d94b4,
+          0x5a6a2cf, 0xf4aac22, 0x80c301f, 0x947b309, 0x7865383, 0xf390ba1,
+          0xd1773d3, 0x16c4fc6, 0x6227220, 0x61b9814 },
+        { 0x1dd0270, 0x07dd03a, 0x0f160df, 0x290ca82, 0x44ba955, 0x8f22054,
+          0x0b6f1b3, 0x4e85e45, 0xad78089, 0xfd73ce9, 0x2f2cb0e, 0x67c1270,
+          0xee33a61, 0xa7de0d7, 0x6553261, 0x6a811cc }
+    },
+    {
+        { 0x2d0a427, 0x5ef0574, 0x220a341, 0xe8d2e95, 0x8044886, 0xdd28cbf,
+          0xa1aa58b, 0xdad7b4b, 0x8ec901b, 0xb28f373, 0x5bbe3db, 0x1841a93,
+          0xa075fee, 0x8fd7cd1, 0xc0d3cdd, 0x93b603f },
+        { 0x5edd859, 0xca54fd5, 0x64ed687, 0xa4cb05f, 0xed1a3d7, 0x3138668,
+          0xee32be5, 0x1224fda, 0xc80aeb3, 0xf1f532b, 0xe8d4d69, 0xa4f65d0,
+          0x5905fe5, 0xc697a01, 0x6690ce4, 0x514da7a }
+    },
+    {
+        { 0x3de4a55, 0xc7b9af8, 0xb318d93, 0xc79bad7, 0xf5b1c83, 0x1808071,
+          0xb965b16, 0x92112ef, 0x7bb740a, 0x655ab38, 0x384ff87, 0x53dbc8b,
+          0x72dc6f2, 0xd153c28, 0x99c7819, 0x2ec20e1 },
+        { 0x3b854b5, 0x65e46ea, 0xc711db5, 0x272d5ae, 0x26e19e8, 0xfd1bb53,
+          0x3dc0665, 0x33280b8, 0xb8f1c4a, 0x95b986e, 0xa685c4a, 0xa671fc4,
+          0x83bdbbf, 0xa03cbd5, 0xab77544, 0xd329402 }
+    },
+    {
+        { 0x8e62b35, 0x40fa651, 0xf9e55a6, 0x3913b11, 0x5270a41, 0x4e8089b,
+          0x80d1886, 0x565f52a, 0x512749b, 0x93b5f05, 0x141c547, 0x35c869c,
+          0xf86717f, 0x9a44a1a, 0x9c2b2cb, 0x2b9984b },
+        { 0x4952322, 0x61fb607, 0x7af1464, 0x2d4072f, 0x600eb30, 0x9b2fa8c,
+          0xf10668e, 0x6071fb7, 0x90634ca, 0x27cc24d, 0x471d32b, 0x3875bc2,
+          0xa11210c, 0x678590b, 0xfcc5a9a, 0x352b447 }
+    },
+    {
+        { 0x5fa3200, 0x795d541, 0xa92949f, 0xadaa557, 0x3cc88c4, 0x42fff06,
+          0x71b68a5, 0x26d6831, 0xe67ad8c, 0x3286549, 0x86396b2, 0x5bf6363,
+          0xe12c8ea, 0x41229b6, 0x748952e, 0x05320c9 },
+        { 0x900b460, 0xae36b63, 0xf2b6aff, 0x9354ff2, 0x065ee0c, 0x10b810b,
+          0xcc8bb38, 0x4d6925f, 0x7a22f14, 0x31c03fd, 0x57544e8, 0x76b7f44,
+          0xc0eed26, 0x3a9123c, 0xe0cd1cc, 0x77acd67 }
+    },
+    {
+        { 0x07ec527, 0x2e90530, 0x62937cf, 0x32388ef, 0xe229188, 0xa445389,
+          0x33bcebe, 0xa44b68e, 0x4c4e701, 0x5a8722e, 0xcf07e41, 0xfd066e8,
+          0x95fab62, 0xa3c1a4f, 0xe542f24, 0xb4d6a1b },
+        { 0xaf6c9b5, 0xe6a92e4, 0xc83d61d, 0x9452484, 0x0062276, 0x422b55b,
+          0x5279688, 0x261973a, 0x3999fb2, 0xde8be26, 0x7b029ca, 0x64e9628,
+          0x06897d4, 0xd8edfaa, 0x6955511, 0x408319c }
+    },
+    {
+        { 0x50a5632, 0xff6baed, 0x5c5885a, 0x922b7d0, 0x1b45864, 0xdf0f3b3,
+          0xc04340e, 0x27e49c0, 0x122c447, 0x618c566, 0xeafee7e, 0x7863a38,
+          0xb828cb0, 0x7143aff, 0xf9d054e, 0x51fcf4c },
+        { 0x27f5e09, 0xc4a4b31, 0x90be2bd, 0x021f47a, 0x7ab956d, 0x1a06019,
+          0x86ea86b, 0xe77fa15, 0xd550ef3, 0x9ccde87, 0x6532654, 0x7dee53a,
+          0xe826387, 0x8b4f060, 0xad077b5, 0xda38637 }
+    },
+    {
+        { 0x0e9fac8, 0xbc901b3, 0x6fb2a2a, 0xfa08204, 0x5e04efc, 0x92f68ab,
+          0x9ac12d0, 0x184a30a, 0xb25d479, 0x1aa11aa, 0x0f03161, 0x8bc5f4c,
+          0xcfc8817, 0x7e3a083, 0x597f93f, 0x84d9355 },
+        { 0x239abc6, 0xc014478, 0x8d37b04, 0xb226b09, 0xf575789, 0xb056942,
+          0xba745eb, 0x816b95a, 0xb98ddb6, 0x2a49d39, 0x291af81, 0xc41ca26,
+          0xab26347, 0xb3afe99, 0x604b638, 0x59c31bc }
+    },
+},
+{
+    {
+        { 0xc42befd, 0xa16a8b9, 0x2052f00, 0x731c9c9, 0x1f5dfa0, 0x1ad49b4,
+          0xbffce36, 0x7a289e3, 0x0c79cf1, 0x868fac0, 0x86721ab, 0x6d6d284,
+          0xe726c94, 0x590f928, 0x51f3841, 0x0e802cb },
+        { 0x0b694bc, 0x6a6a57a, 0x8120fb8, 0xb9bb0cd, 0x9c05826, 0xad96ac7,
+          0x7768df0, 0x294da8c, 0xb56c6c6, 0xfe32311, 0xae8d050, 0x291c2c6,
+          0xe7db4c9, 0x1c765e7, 0xd65f9f7, 0xe058298 }
+    },
+    {
+        { 0x7e8d345, 0x4bfa85b, 0xde1dfc8, 0xa04ef95, 0x324ace3, 0xb5f7f21,
+          0x574b14a, 0x4b350a1, 0xf8e5c8d, 0x11436bf, 0x7642369, 0x1c789f9,
+          0xfb623ce, 0xeb5e335, 0x442d562, 0x9deacd2 },
+        { 0x531ee71, 0x4ff989f, 0xaacb52a, 0x43e2c49, 0x85bfadc, 0xa763198,
+          0xd0161a0, 0x08b6d5c, 0x541f197, 0x010e3fa, 0x3279a16, 0x83a589e,
+          0x6309f9b, 0xf099137, 0xf1cea10, 0x07c093b }
+    },
+    {
+        { 0x33d2192, 0x1ce3f0f, 0xc37ce73, 0x07b559a, 0x207be27, 0xaa2ad38,
+          0x7ed93de, 0x84f053b, 0x3b98a4b, 0xbc5c797, 0x63aa9b9, 0xc923461,
+          0x231a10c, 0x807cc16, 0xa061209, 0x8ffdf57 },
+        { 0x497070f, 0xa9ca741, 0xd113b3a, 0xf608ec9, 0x8d0384d, 0x5132726,
+          0xf5ec307, 0x96686ac, 0x71c4665, 0x437bbbd, 0x7c379ca, 0xdef09d5,
+          0x621747c, 0xf8be033, 0x8ae8047, 0x2775b37 }
+    },
+    {
+        { 0xb2c4fc2, 0x4009798, 0x203772e, 0x148d7d1, 0xf8423fb, 0x9d9392d,
+          0xaf8cef4, 0xa5bd72e, 0x4380b53, 0x579d58d, 0x8c39d24, 0x2ff88f1,
+          0x5706466, 0x9ca2fbc, 0x1e56af2, 0xb42987d },
+        { 0x5d94ea8, 0xcc2556e, 0x5369d76, 0x4e5c2b3, 0x2a94f9c, 0x5de3574,
+          0x5cb4145, 0x8d068c9, 0x51bfcbf, 0x4d553ff, 0x8a23fce, 0x3ab7164,
+          0xd0fa7f3, 0xc9cb3a9, 0xed9ced1, 0xf81209b }
+    },
+    {
+        { 0xe5b66f5, 0xde7356e, 0xe8a25e0, 0x7b2bf1a, 0x2c9b725, 0x09a444a,
+          0x4906c55, 0xfd8a2f4, 0x82514f3, 0x409cc80, 0x28999a9, 0x47e0099,
+          0x6a312f4, 0x0a582a6, 0xf6723de, 0xf7946f8 },
+        { 0x92d8aff, 0xa55f6ba, 0xa544b1c, 0xb62c3c8, 0x5c16a94, 0xa1d1411,
+          0x2ad5e71, 0xc378319, 0x06b1dd6, 0x13d7847, 0xee7ff55, 0x99005f8,
+          0x8a1e7d8, 0xfb5ea3f, 0xb4cac39, 0xdc7f53c }
+    },
+    {
+        { 0x36e3794, 0x482abaf, 0xc74684f, 0xc23e9e5, 0xf1629be, 0x4544cf6,
+          0x2f40374, 0xd8a8ee5, 0xf433bdb, 0x2eea87f, 0xae9990e, 0x489a99c,
+          0x54b23b6, 0xefc131e, 0x8600270, 0x25fe699 },
+        { 0xc059a7e, 0x03d2d9e, 0x6979c3c, 0xa6445b5, 0x9bfbcea, 0x491a10c,
+          0xe937af1, 0x15b5974, 0x797c7fc, 0x4be8002, 0xfedcfee, 0xbed8a49,
+          0xa9e0691, 0x35751ce, 0x9ef5982, 0xe9a9fa3 }
+    },
+    {
+        { 0x3065de7, 0xeffeaca, 0xac4d4e2, 0x841d544, 0xcaf199f, 0x8144679,
+          0x443967a, 0x98cf4f9, 0xf33183c, 0x8cd57f4, 0xc1b15eb, 0x390832a,
+          0xa53b500, 0xc4b1fea, 0xdff24b5, 0xd762a10 },
+        { 0xb0ee2a9, 0xccd3eed, 0x362d485, 0xa6dd4a9, 0xf1d047a, 0xeb4ff26,
+          0x23860fc, 0xc0771fd, 0x4b64114, 0xdbb4e39, 0x4d29b29, 0x2ff3f24,
+          0x387b365, 0x9cac005, 0xde5994a, 0x05b7aa6 }
+    },
+    {
+        { 0xc03dd63, 0x5e71752, 0xbc74687, 0xad10fe9, 0x54c76ab, 0x51a5b0c,
+          0x1f586d4, 0x763fd50, 0x816048b, 0xc7bd5ce, 0x3f744dc, 0x8fc83d2,
+          0x109df9a, 0x0561802, 0xccf0e43, 0x18fb01f },
+        { 0x038ab23, 0xe4606fc, 0xa664c98, 0x5878f1f, 0x5da7356, 0x3aedbbd,
+          0x516746a, 0x3c578f5, 0x1a17210, 0x259477f, 0x028248f, 0xc7a869d,
+          0x48cbf95, 0x6517a61, 0x3d04d47, 0xbc5f91d }
+    },
+},
+{
+    {
+        { 0x083ca53, 0x15fd9a9, 0x2697ca6, 0x1161da0, 0x56b676c, 0xf516af3,
+          0x75eec13, 0x8a420d5, 0x1a9526b, 0x72d6742, 0x76b463f, 0x8d8c29e,
+          0x8815627, 0x38a4f58, 0xe0650f9, 0xf7e528b },
+        { 0x382edca, 0x2cfa78e, 0xc4ad83c, 0x638d183, 0xe4a0119, 0x96d3b9d,
+          0xa7c1101, 0x5769ccb, 0x2b8d04a, 0xc3b3b79, 0x4951bde, 0x96212f6,
+          0x481161e, 0xad7905a, 0x41c5edf, 0x8fd6762 }
+    },
+    {
+        { 0x39d6cde, 0xf7b0635, 0x115a84a, 0x69d0549, 0xcbd9fe4, 0x4a976c6,
+          0x950ff96, 0xc92953f, 0x654d127, 0x1d7f0fe, 0xda0f75d, 0x7293870,
+          0xcf2277f, 0x7bb3652, 0x834484f, 0x64798c9 },
+        { 0xac3a76c, 0xb94d8bf, 0x7ff776b, 0xf5721a9, 0x2722e31, 0x23a6e9f,
+          0x9a5c034, 0xe9da996, 0x456ebc3, 0xb9bbf83, 0x96956a4, 0x239f58a,
+          0x18b7f00, 0x8b75beb, 0xa51cb97, 0x6c2b5b8 }
+    },
+    {
+        { 0x7eb41f3, 0x78b1c62, 0x17c4352, 0x0638fcf, 0x0c5709c, 0x939edd8,
+          0xedc906c, 0x0a8dfc3, 0xefb01ed, 0x3942f47, 0x49986fe, 0x4c82757,
+          0x4dffa57, 0x792545c, 0x6c3ff26, 0xeee6883 },
+        { 0x12b1218, 0x824d08e, 0x902457f, 0x515a478, 0xbae55b3, 0xc70cc9c,
+          0xbcef9d4, 0x1240737, 0x2f9db7f, 0xf22e616, 0x91f8da2, 0x98c4f02,
+          0xafaaa67, 0xa89219c, 0xe7d27e2, 0xf35fd87 }
+    },
+    {
+        { 0x01b80d0, 0x19b0cd7, 0xf9aebd1, 0x3d7e29d, 0x0477cbc, 0xd39c9ca,
+          0x5ff0d3d, 0xac0f615, 0x520fd01, 0x8a51993, 0xb22d6fb, 0x508ff54,
+          0x318d3ab, 0x8786c47, 0x4a683f8, 0x4312c46 },
+        { 0x95359f6, 0x73b1d39, 0x963011e, 0x0d94fa5, 0x9bfe83e, 0x5723af2,
+          0x6841df3, 0xafa9001, 0xb7c498a, 0x791e92a, 0x7ea4253, 0xbc931ad,
+          0xb783c06, 0x438e016, 0x2ca662b, 0x1347db2 }
+    },
+    {
+        { 0xfbaa861, 0x41df37d, 0x329e4de, 0x98ecb23, 0x507e018, 0xdaf1560,
+          0xb088e32, 0xa902269, 0xe4cab2f, 0xad898a5, 0x02c1e1b, 0xd84e9ed,
+          0x8488af3, 0xc20a5d5, 0x6cc77c6, 0xc7165af },
+        { 0xdeb7461, 0x8526f3a, 0x4a2d332, 0x03577b1, 0xe4760b5, 0x28e469d,
+          0xb276266, 0x442c7f9, 0xf9c90fa, 0x90d5c77, 0x3e211bd, 0x7aa8716,
+          0x5decfd6, 0x56d8ff0, 0xee23e6e, 0xa204b56 }
+    },
+    {
+        { 0x4aceafc, 0x2e4374e, 0x6fcd5e5, 0x978743b, 0xc4855ca, 0xa0f6345,
+          0xe98074b, 0x9bc7e4f, 0xc33d08a, 0x3835d57, 0x6f00566, 0xeec7c8b,
+          0x1acf55c, 0x71628a2, 0x97fb19e, 0x5da3750 },
+        { 0x01a7125, 0x6904a8e, 0xe6e3780, 0xad33c85, 0xc19f94a, 0x1702928,
+          0x7c04b3d, 0xb424ff2, 0x19e2ba3, 0xb212e39, 0xc9af4c9, 0x4cca8e8,
+          0xfd9bf0e, 0x98ab7ae, 0x9799db5, 0x21d245d }
+    },
+    {
+        { 0xec08806, 0x6b034dc, 0xb40f2d9, 0xfd763f2, 0x29cb906, 0x5e16de0,
+          0x8a0e16a, 0x02b7014, 0xe071e12, 0x463c8ee, 0x25ad509, 0x6447281,
+          0xdc0e07a, 0x9ee6f2d, 0x68d4d97, 0x188895c },
+        { 0xb27f971, 0x092fff3, 0xc9b7722, 0xb3c159f, 0x3cae42d, 0xe27d8ff,
+          0xe87071d, 0xf8a5ed6, 0x607ebd2, 0x318388f, 0x53486f1, 0x924967b,
+          0x7c46e1f, 0x7730494, 0xf21d196, 0xf279c60 }
+    },
+    {
+        { 0x84f3201, 0xef2bc03, 0x1f94c51, 0xf8750c7, 0x986ec65, 0xbaa4f5a,
+          0x2732a33, 0x6f8a5de, 0x299e365, 0x0f13d80, 0xe85261f, 0x2709530,
+          0xf527d56, 0x097d922, 0xbe1f3f8, 0x4969687 },
+        { 0x3e1708d, 0x9f3f504, 0x4aa4be4, 0xac67b87, 0x320a87e, 0x75fb042,
+          0x6e2cad6, 0xa361ad3, 0x203e9f6, 0xcb01470, 0xc9b76c6, 0xe3807b7,
+          0xb907c09, 0xf086833, 0x7e85a01, 0xe9bed3c }
+    },
+},
+{
+    {
+        { 0x91780c7, 0xa7ea989, 0xd2476b6, 0x04e4ecc, 0xc494b68, 0x0af9f58,
+          0xdee64fd, 0xe0f269f, 0x021bd26, 0x85a61f6, 0xb5d284b, 0xc265c35,
+          0x3775afd, 0x58755ea, 0x2ecf2c6, 0x617f174 },
+        { 0x5ec556a, 0x50109e2, 0xfd57e39, 0x235366b, 0x44b6b2e, 0x7b3c976,
+          0xb2b7b9c, 0xf7f9e82, 0x0ec6409, 0xb6196ab, 0x0a20d9e, 0x88f1d16,
+          0x586f761, 0xe3be3b4, 0xe26395d, 0x9983c26 }
+    },
+    {
+        { 0x6909ee2, 0x1d7605c, 0x995ec8a, 0xfc4d970, 0xcf2b361, 0x2d82e9d,
+          0x1225f55, 0x07f0ef6, 0xaee9c55, 0xa240c13, 0x5627b54, 0xd449d1e,
+          0x3a44575, 0x07164a7, 0xbd4bd71, 0x61a15fd },
+        { 0xd3a9fe4, 0x30696b9, 0x7e7e326, 0x68308c7, 0xce0b8c8, 0x3ac222b,
+          0x304db8e, 0x83ee319, 0x5e5db0b, 0xeca503b, 0xb1c6539, 0x78a8dce,
+          0x2d256bc, 0x4a8b05e, 0xbd9fd57, 0xa1c3cb8 }
+    },
+    {
+        { 0xd95aa96, 0x5685531, 0x6bd51ff, 0xc6f1174, 0xc9c2343, 0xb38308a,
+          0x2921841, 0x52ee64a, 0x78f3b01, 0x60809c4, 0xae403ac, 0xe297a99,
+          0xcb09a5b, 0x7edc18f, 0x81ac92a, 0x4808bcb },
+        { 0x34dc89a, 0x3ec1bb2, 0x4e39da5, 0x1e8b42e, 0xe526486, 0xde67d5e,
+          0x76f0684, 0x2376548, 0x285a3dd, 0x0a583bd, 0xfe9b009, 0x3d8b87d,
+          0x0413979, 0x45bd736, 0x38a727f, 0xb5d5f90 }
+    },
+    {
+        { 0x4bde3ee, 0x7b8820f, 0x24d5170, 0xea712ef, 0xdf6ec7b, 0x517f88c,
+          0x983ea9a, 0xb15cecf, 0x31a4592, 0x9eeee44, 0xebb013e, 0x786c784,
+          0x1f4e15d, 0x2f06cb3, 0x4f4fda1, 0x5603fd8 },
+        { 0x9e1321f, 0xf6790e9, 0x74a4c09, 0x274c66a, 0x9a41a4e, 0xa4b70b4,
+          0xada5157, 0x7700bdd, 0x51be8dc, 0xe54a60d, 0x1a477e0, 0xfaf9276,
+          0xb027eac, 0x6661c72, 0x280b917, 0x50e2340 }
+    },
+    {
+        { 0x96ec123, 0x635f40f, 0x7a766a4, 0x4a33133, 0xb935587, 0x9ce4416,
+          0x95d97e4, 0xbb6e1f5, 0x9d4197d, 0x2614723, 0x490e896, 0xabd4478,
+          0x8bba895, 0xf6a1b2a, 0x5e27a45, 0x401fa40 },
+        { 0x0620900, 0x7354ba5, 0x385678b, 0xc443a29, 0x53cf5fa, 0x48aba10,
+          0xbbe152d, 0xd67e723, 0x2a63d68, 0x4b858e0, 0x72be4ee, 0x174e1ee,
+          0x9ab8d46, 0xad0fbb3, 0xce17dd7, 0xa0fdffb }
+    },
+    {
+        { 0x9c46fd8, 0xa1ea325, 0x9fb96ef, 0xeca122e, 0x6767acd, 0xf9074a2,
+          0x2787082, 0x9b004a2, 0x7f3ba8e, 0x389f807, 0x0d5aabe, 0x6463de9,
+          0xb090585, 0xf30ceaa, 0x5634ab8, 0x71b31e8 },
+        { 0xaf02aed, 0x0dee65c, 0x20ac252, 0x506886e, 0x86b8a59, 0x0665f78,
+          0xf2bb328, 0xb9b784d, 0xdc6b089, 0x46e443a, 0x66c27fd, 0x3d5de19,
+          0xf0fde70, 0x0419265, 0x2b5c034, 0xed94612 }
+    },
+    {
+        { 0x13b0056, 0x5a52ad2, 0xb909ee3, 0x9fbeb92, 0xbdaab08, 0xb42ba18,
+          0xffc8a77, 0xec127c4, 0xfda906a, 0xc6d2985, 0x994bbe7, 0x5355547,
+          0x9cdfd62, 0xa7470c0, 0xd2e675a, 0x31a3971 },
+        { 0xcc8b356, 0x8d8311c, 0x01b4372, 0xabb0bf8, 0x0294566, 0x33c1cad,
+          0xe07b672, 0xe2e649c, 0x2ae3284, 0x9084d88, 0x1835ce2, 0x7a90d4c,
+          0x809d44c, 0xb4d1cd5, 0x9f0528f, 0x7822714 }
+    },
+    {
+        { 0xbf5844b, 0xca884cf, 0x8524cf9, 0x9dd05c4, 0x36ba889, 0xdbffa19,
+          0x29e7666, 0xef94fdd, 0x3eaf48f, 0x358f81b, 0x1530d56, 0x96734d5,
+          0x4adf9e5, 0x378b2d1, 0x4731f61, 0x2f85046 },
+        { 0x99dcb83, 0xd6ae905, 0x6199239, 0xa4f89e0, 0x8f0f958, 0x6405249,
+          0xcc27707, 0x2866d99, 0xf551c0f, 0x64681a2, 0x4c37080, 0x2c7b0d0,
+          0x00ac301, 0x218925b, 0x54df895, 0x8d57fb3 }
+    },
+},
+{
+    {
+        { 0x809c8d7, 0xdaebde0, 0x0e95ea1, 0x58c761c, 0x00ae5e2, 0xbd99650,
+          0xcd51acd, 0x6117a85, 0x7c55d56, 0xc4424d8, 0xdfbeeaf, 0xe9b1dde,
+          0x0db4791, 0xda98bb5, 0x3fca108, 0xff3a5a6 },
+        { 0x5ccbea1, 0x172fb8e, 0xa9f6cc9, 0x9fe12a7, 0x8967ce2, 0x1de4b0b,
+          0x671dbc6, 0xc1ab60f, 0x5dedcda, 0x338385a, 0x3a043fe, 0x647a420,
+          0x28ebc89, 0xe9abc64, 0x03ba3c8, 0xc357ff0 }
+    },
+    {
+        { 0xde39ebd, 0x37061e7, 0x2be567a, 0xebb9135, 0xd6bb80a, 0xa9a6f6b,
+          0x99f0ba2, 0x039345d, 0x98bbf47, 0x215494e, 0xa2a1ccb, 0xf2cb7a4,
+          0x37f67c9, 0xf51aa10, 0x17fff71, 0xd29c85c },
+        { 0x4d30b87, 0x8d4e4f2, 0x93a8309, 0x20fdf55, 0x757075c, 0x9b9f9cf,
+          0xcd70101, 0x09142ad, 0x766ca55, 0x901d0ee, 0x32e418b, 0x6a5d86a,
+          0xd7fcaec, 0x550ad92, 0xd91b26e, 0x64e8818 }
+    },
+    {
+        { 0x47e5ee5, 0x5cea0f7, 0xbe99699, 0x8ca1d31, 0x5c136c7, 0x52db846,
+          0x90e0d74, 0x8cecb38, 0xede2ad8, 0xb8efe9d, 0xf17ade8, 0x18d6ff8,
+          0x2d66c20, 0xd222735, 0xf2005fd, 0xc46593e },
+        { 0xf7141e1, 0xe5ebe6f, 0xe0126f2, 0xc968315, 0x1cb91b6, 0x95adc73,
+          0x38a6003, 0x753b54c, 0x4230a61, 0xa614125, 0x559fece, 0x23ac6eb,
+          0x3865c23, 0x9816b60, 0x543a570, 0x567014e }
+    },
+    {
+        { 0xdd2b71f, 0xd46091d, 0x97d24ff, 0x3999a5d, 0x1ecff3c, 0xce2a4f1,
+          0x581c6f0, 0xab2687c, 0xcba70b4, 0xa9fb2eb, 0x42093e1, 0x6fde356,
+          0xaee724a, 0x00253ec, 0x2b81bdd, 0xa08ce3c },
+        { 0x935a2b3, 0xa251238, 0x584f750, 0x8cae1d4, 0x988a219, 0x011469e,
+          0x5a6a50e, 0x61f7ed3, 0x01fcebd, 0xe13ebaa, 0x31d8867, 0x794b976,
+          0xcda32e7, 0xf25755c, 0x4564cd1, 0x368a97b }
+    },
+    {
+        { 0xaa3397b, 0x0d22224, 0x38066db, 0x1dbb3e6, 0x0ce8e32, 0xfe0b5ee,
+          0x7bab4dc, 0x09c17c8, 0xf188b64, 0x5cc65dd, 0x211b5fa, 0x74c4abf,
+          0xab0ba86, 0xdcc17b7, 0xa535501, 0xfbdf46f },
+        { 0xaca569e, 0x4775087, 0x06a1718, 0x6575f90, 0xb94de93, 0xb5c45a9,
+          0x8497171, 0x0fc8006, 0x489f7ab, 0x775d965, 0xf5c0c89, 0x8775b58,
+          0x1a06254, 0x05d4e20, 0xb6d73a5, 0x8cab349 }
+    },
+    {
+        { 0x39465b0, 0xca78163, 0x14498fd, 0x3ef9148, 0x6255c11, 0x9ca1f34,
+          0xb7f38f1, 0x389fd15, 0x354b8f3, 0xdac2089, 0xa840a70, 0x82d07fc,
+          0x1dd483a, 0xf53fd73, 0x1590578, 0xa6e4eae },
+        { 0x3c01b77, 0x7bf65af, 0xa75c982, 0x27542f3, 0x716cfce, 0xc5bd947,
+          0x884b9e7, 0xba5fe76, 0xd55725d, 0x39bae14, 0xfae0eab, 0x982f64e,
+          0x7a5293a, 0xcfae662, 0xd60f464, 0x22a25a1 }
+    },
+    {
+        { 0x7dd5e16, 0x74caecc, 0xce7bca3, 0x23678a2, 0x57f1ba1, 0x4673932,
+          0xa4c1697, 0x4eb9948, 0xeaba18d, 0x5d400e8, 0x9807871, 0x128d1c8,
+          0xbff38a6, 0x78f9627, 0xa39d4cc, 0xf80b813 },
+        { 0x31d3aad, 0x8aeefa0, 0x27db664, 0x5042199, 0x4cb6383, 0x244fc69,
+          0x72192a3, 0x3190477, 0xbbfb57b, 0xcc86075, 0x4451511, 0xbae3a13,
+          0xf6174f0, 0x16cf416, 0xd376813, 0xb343cc0 }
+    },
+    {
+        { 0xd1824b7, 0x31ac9b9, 0xec8f61a, 0x6282260, 0xc781765, 0xbbeb9f8,
+          0x2d110da, 0x06ab5c0, 0x47146b8, 0xd583e22, 0x4100d05, 0x79a1608,
+          0xf0a5c95, 0x16dbbb4, 0xe331667, 0xfe2af1d },
+        { 0xaf8710e, 0x26f0364, 0xeec08fe, 0x1cb8c91, 0x1d95e9f, 0x436bce6,
+          0x57944a0, 0xfe9050c, 0x07b626b, 0x5f45acf, 0x9cf1276, 0x48dc93f,
+          0xa05bfb7, 0x4491371, 0x4bcf785, 0x5106304 }
+    },
+},
+{
+    {
+        { 0xed0b3b6, 0xac2e294, 0x671637b, 0x5c5ade6, 0x1140677, 0x2f289ce,
+          0x754eb53, 0xaf446e2, 0x20421ad, 0x70911b7, 0xe0b7556, 0x4b73836,
+          0x2a97827, 0xcadf104, 0x8005bc6, 0x4824e49 },
+        { 0x937c28a, 0xb0eeccd, 0x0c3ee97, 0x1ce061d, 0x9f33faa, 0xcb07631,
+          0xaea66dc, 0x9980bf4, 0xd111d98, 0x2bd0755, 0x7fe4de0, 0x43feaf6,
+          0xb077b2f, 0xe76fb80, 0x5793b04, 0x227dc9f }
+    },
+    {
+        { 0x14f49ba, 0xea24ae5, 0x11436e7, 0xbc39ea6, 0x78485d8, 0x9d7fed2,
+          0xdf8b131, 0xb6ef00c, 0xfdbc7af, 0x0237b4b, 0x64ccd27, 0x08745b5,
+          0xafc5a76, 0xaf8595d, 0x29f5500, 0x43657af },
+        { 0x48470f8, 0x3007183, 0x640fd53, 0x51f91fd, 0xbe15512, 0x859c807,
+          0xab3e9c5, 0x7d1a474, 0x81553e5, 0x5d714d9, 0x6f62310, 0x0757343,
+          0x6b02a62, 0xedc5be0, 0xea47832, 0x5a4b9b7 }
+    },
+    {
+        { 0xe93dbb3, 0x03e0a24, 0xcadc884, 0x25841dc, 0x8d10ad5, 0xabc1a81,
+          0x2042ddd, 0x207e38a, 0xfeba8d8, 0x7fffbdb, 0xa3ec9b5, 0x74efebb,
+          0x0b40a9f, 0x0bc39ca, 0x0267feb, 0x69ee9c9 },
+        { 0xbc62919, 0xd402fac, 0x1cf53c6, 0xe9f8fc1, 0x7cc7d81, 0xe76fa5a,
+          0x96bb19d, 0x4f2d876, 0xadc67c7, 0xd4fb7f9, 0x96702dc, 0x40621d5,
+          0x438f6c5, 0x5b6a98e, 0xf1a1036, 0xa7c64de }
+    },
+    {
+        { 0x9a092c7, 0x84c5e80, 0x11c22b7, 0x9e40e0a, 0xd06c99b, 0x820a091,
+          0xeecca8f, 0x45fdc77, 0x5794f16, 0xfe1b8a3, 0x4ce3d6d, 0x31f7e5b,
+          0x82c74c8, 0xfd5e010, 0xc1f6f7d, 0xfdabf30 },
+        { 0xb9248a0, 0xbfa6017, 0x546b941, 0xe898d30, 0x207ff65, 0x878c492,
+          0xb874e64, 0xbf22e8d, 0x53a547e, 0x43fdb1b, 0x5fbd464, 0xb66deda,
+          0xc7ae1b5, 0x59127a6, 0x6a7515a, 0xa463646 }
+    },
+    {
+        { 0xde9ab2e, 0x22c4e66, 0x0203c58, 0xfaf60c2, 0x0d5c5ed, 0xed2d7bf,
+          0x4ca0f19, 0xdbc16fe, 0x465b979, 0x54e8ef6, 0xa310ef9, 0xe2d64b1,
+          0x3778636, 0xa0f2c95, 0x281883b, 0xf3b4aa4 },
+        { 0x9be6629, 0x4ac9af0, 0x1ca90c5, 0xba455e1, 0x856f492, 0x0147538,
+          0xabd7840, 0xc80db7e, 0x6beb9cd, 0xb3526d9, 0x9d81503, 0x37657fb,
+          0x193cec3, 0x8729a16, 0xd69952a, 0xd9a93fb }
+    },
+    {
+        { 0x94f47c6, 0xfce0175, 0xe366d05, 0x228da21, 0xdc8baf3, 0x27ce0b2,
+          0x6b4a951, 0x8cc660b, 0x384bb01, 0xf678947, 0x44d980c, 0xc629d7d,
+          0xe85e81f, 0x47980e4, 0x1cd723e, 0xa2e636a },
+        { 0x77fb207, 0x6b6ebae, 0x4c92891, 0x7017961, 0xb4d279c, 0x5569541,
+          0x41758cb, 0xbb6b36a, 0x27a8e30, 0xecaa222, 0xb470ad9, 0x8b6746a,
+          0x63e2d3d, 0x4c46017, 0xd3edaec, 0xe19c4ed }
+    },
+    {
+        { 0x34718c8, 0x0b43fec, 0xf33499f, 0x553c407, 0x970d1db, 0x8272efb,
+          0xa8e8d1c, 0x008c62c, 0x63eec45, 0xe4b79d7, 0xf2d71a3, 0x1fd4230,
+          0xa368c36, 0x090fdaf, 0xfca7baa, 0xf62c101 },
+        { 0xd2395b3, 0x1c9e6c8, 0x04c5513, 0x671ed63, 0x299a465, 0x577d933,
+          0x63f9986, 0x286890e, 0xbfc979c, 0xd92a95d, 0x2b51019, 0xcebd79d,
+          0x3d07251, 0xe74d88b, 0x906f9ad, 0x8b6db73 }
+    },
+    {
+        { 0x7b3d90c, 0xc0c43db, 0x4304a06, 0x85d154e, 0xaf2f38e, 0xe8aceef,
+          0x83d9459, 0x5e04293, 0x431afd1, 0x65e5e32, 0xa900a65, 0x9e5f050,
+          0x8a26671, 0xcbaa171, 0x9c93de7, 0x33d0b24 },
+        { 0xd5b6680, 0x3dcbf92, 0x20006f9, 0xc47e5ec, 0x9a51924, 0xc971129,
+          0xcd0ed46, 0x665d9b8, 0xa5fcab6, 0xed2d63f, 0xcfbfc5a, 0xa817eb6,
+          0xb76eb76, 0xb38169f, 0xf11160b, 0x8b93544 }
+    },
+},
+{
+    {
+        { 0x693bdcd, 0x02eca52, 0x2ae01d6, 0xbbf0923, 0x8b44b3e, 0x0b0a2de,
+          0xb250dff, 0xdb82449, 0x6e1c530, 0x0c42b86, 0xa64c2c4, 0xcd226dc,
+          0xf046b5f, 0xcfb2bb1, 0x3fccb0d, 0x97e2fae },
+        { 0x45ed156, 0xdf92907, 0xf641229, 0x224dcb9, 0x5f1f67e, 0x2126abc,
+          0xe9c8a6b, 0xa7eed5a, 0x9857d9b, 0x40abedc, 0xde941c6, 0x3f9c7f6,
+          0xd725ddf, 0x2158d42, 0x8c69543, 0xbdd1015 }
+    },
+    {
+        { 0x8df2fbc, 0xa7dd24e, 0x13d1aee, 0x3adbcfd, 0x13b2177, 0xf6a32d1,
+          0x7a9a14c, 0x89a7232, 0xdc65df9, 0xe3aef43, 0xa64d74c, 0xeaec3e3,
+          0x4fec33b, 0x4d387d8, 0x21a2128, 0xaba2a05 },
+        { 0x6b85e30, 0x2382c22, 0xcd2aad3, 0x4352d85, 0xd9772c4, 0xb0c6001,
+          0x5f3653f, 0x7ed8263, 0x0300f47, 0x3626a6f, 0x6ca7e4e, 0x23909de,
+          0xc154141, 0xb43dd81, 0x7e4bc68, 0x9a49fad }
+    },
+    {
+        { 0x2428f88, 0xa3661df, 0x56e0db2, 0xbe48b02, 0xce79aa9, 0x3cd1871,
+          0x23dddac, 0x90ab871, 0x71871a6, 0x9c58fb9, 0xa34910e, 0xf031f7f,
+          0x81060e4, 0xb501eea, 0x791224e, 0xdb668ba },
+        { 0x6a705bc, 0x240bbcb, 0x2d1865e, 0x7e76fbd, 0x2513641, 0x6e2cd02,
+          0x46365c9, 0xe6c5225, 0xa5a01fb, 0xe46a8b8, 0xb67618b, 0x696fa7b,
+          0x0db6792, 0x418b3b9, 0x7108b9c, 0x7204acd }
+    },
+    {
+        { 0x8456b45, 0xb5a143b, 0xf53b4d9, 0x8a3ab25, 0xe13a570, 0xb112a58,
+          0x81487d2, 0x613ca32, 0x3b1e7c9, 0x837d823, 0xd41e9d5, 0x592bade,
+          0x5cd02f2, 0xdc1893a, 0x8972e23, 0x0879502 },
+        { 0xcb76261, 0x7003c08, 0x332a5e0, 0x14bde9e, 0xcbbd78e, 0x14b2872,
+          0xde238e8, 0x5594061, 0x067466c, 0xad12645, 0xf5e4952, 0xa8d0e64,
+          0xc7f8d06, 0x5b44b82, 0xfb1b828, 0xb51bea8 }
+    },
+    {
+        { 0x3f0dacc, 0xebad685, 0x1cbebbc, 0x5c31b8b, 0xfa5a2dc, 0x6746975,
+          0x31d9faa, 0x2d95965, 0x00fc0e4, 0x343797d, 0x55fe01b, 0x38d821c,
+          0x7323aa0, 0x0bfdb24, 0xf962a8e, 0x42613c4 },
+        { 0xe134bc0, 0x599a211, 0x47a7084, 0x75fa4a1, 0x7f734b5, 0x6e71948,
+          0x6dfca2b, 0xd5ced2d, 0x8aeabd2, 0x9fa0fdc, 0x12361da, 0x5e6b03f,
+          0x5859fcf, 0xad23d31, 0x25a5fc8, 0x3120ef1 }
+    },
+    {
+        { 0x8e9f638, 0x990ef62, 0x626a60c, 0xfdaa240, 0x2abddab, 0x4a3de20,
+          0xd8872b2, 0xd5d10b7, 0x1ea5880, 0xa01b730, 0xa81b9d8, 0x481697f,
+          0x3471ed8, 0x2984153, 0x292d37c, 0xefd73f8 },
+        { 0x9994beb, 0xdda7626, 0x6a4f865, 0xa037703, 0xe5b47d5, 0xda992ec,
+          0xe53edba, 0x912a427, 0x9264e45, 0x6467598, 0xaf71222, 0xd3b68c3,
+          0x6dedc5f, 0x9d3436c, 0x076b2ad, 0x1e027af }
+    },
+    {
+        { 0x4382f4a, 0xd56fca1, 0x8966b7b, 0x83712a4, 0xa4c9ddb, 0xd6b2cf5,
+          0xf602875, 0xa66be29, 0x894f3d0, 0x70e4266, 0xb3195ca, 0x007d220,
+          0x82c74d4, 0xba38d8f, 0xd975cbd, 0xdccc5fc },
+        { 0xc88b38b, 0x03e1610, 0x52e0d8d, 0xeb9f9a1, 0xb646eb7, 0x6a57eca,
+          0xc76b6c1, 0x161641f, 0xbd2e12b, 0xf9025ad, 0x5c0e26d, 0x87c74db,
+          0xbfeca74, 0xed5cb51, 0xe34a08c, 0x603dfb6 }
+    },
+    {
+        { 0xcb03307, 0xc4be728, 0xc2741cc, 0xde34c0e, 0xa74eb17, 0xe01db05,
+          0x8905e4b, 0x1bfce0c, 0xd1b1826, 0xb18830a, 0xe87bbfb, 0xcacbb41,
+          0xd2f1a79, 0x8696842, 0x08c83ea, 0xa80e5fb },
+        { 0x3f1439c, 0xe48f163, 0xcd6987b, 0xc1d4108, 0xb751814, 0x05705c4,
+          0xc1c622d, 0xa9bffd0, 0x46cd053, 0x23de4af, 0x39457c3, 0xf782f5e,
+          0x5e5d243, 0x815276b, 0x6161ae3, 0x3132041 }
+    },
+},
+{
+    {
+        { 0x77f2542, 0x2459661, 0x8372b25, 0x203be7e, 0xee2007b, 0xc7c9426,
+          0x0621799, 0xc564138, 0xc28c3ce, 0xda56589, 0x7afc1e3, 0x13e8a7c,
+          0xe352082, 0xdba81e9, 0x04435c7, 0xf430549 },
+        { 0x691de4a, 0x4d26533, 0xfb777ab, 0x364408c, 0xeae7f88, 0xccdfb43,
+          0xa525b11, 0xbc40f44, 0x3c60627, 0x8e112a5, 0xe17e696, 0x7f7c581,
+          0x1ea774a, 0x0fd7878, 0x0b1f582, 0xd09e632 }
+    },
+    {
+        { 0x70aab15, 0x44390bd, 0x889c3f2, 0x41112bc, 0xd685349, 0x6b02894,
+          0x5584dfe, 0x7103001, 0x1ba7887, 0x373cb1b, 0x2a017c7, 0x53d286c,
+          0x3c81fdc, 0x2ed0388, 0xfbcc6fc, 0x3bfc5e3 },
+        { 0xfd6418d, 0xd38ac6f, 0xbfad89e, 0xc667e96, 0xeab4d66, 0x46f4f77,
+          0x0911293, 0x194c04f, 0x68c48d5, 0x0fd09cf, 0x63cf7f4, 0x6f5b055,
+          0xacd562f, 0x0c0a8c4, 0x36d965d, 0x94c1d83 }
+    },
+    {
+        { 0xcaa127a, 0x94fc8f0, 0xd803690, 0xc762d5d, 0x1ebf0d3, 0x8bfdfd1,
+          0x48eac50, 0xa98cdf2, 0x8b5ff10, 0x3d7365d, 0xc65b4de, 0x20dc29b,
+          0x8ec7c68, 0x62ac28e, 0x90372d2, 0x7f5a132 },
+        { 0x3246658, 0xf3d8a25, 0x9ac202a, 0xa4bebd3, 0x5cc1697, 0x078ede7,
+          0xc8fc022, 0x5525800, 0x5fae77b, 0x302a802, 0x57917b6, 0x0180139,
+          0x864bf55, 0x7c8806d, 0x12f06f1, 0x4e2d878 }
+    },
+    {
+        { 0x3d66e88, 0x8d35118, 0xa91d02a, 0xfb861a1, 0x7850e5f, 0x8c27c2a,
+          0xa5496f6, 0x9fd6399, 0x8080049, 0x52152ae, 0xfd1c2dc, 0x600e2ff,
+          0xffe8b2e, 0xc75902a, 0xe03b175, 0x5c4d2cc },
+        { 0x4f57e78, 0x8ad7c42, 0x1736f87, 0x77cf606, 0xf85038a, 0x2876012,
+          0x1b97b95, 0xff32845, 0x392dfc8, 0x3cc6dd5, 0xa6f5075, 0x72f1363,
+          0x71de894, 0x028ec44, 0x6f45a86, 0x7030f2f }
+    },
+    {
+        { 0x9695817, 0x66400f5, 0xf20ea36, 0xeda0a7d, 0xd394992, 0x855be51,
+          0x8336f62, 0x2d082c1, 0xf28c868, 0x30944dd, 0x0dc86d0, 0xfb5f853,
+          0x564a0bd, 0x9562ae5, 0xb6b9b51, 0x1f7ea12 },
+        { 0xd0a7148, 0x5bd74e0, 0xb91e572, 0x6c8247f, 0x47da498, 0x699aba5,
+          0x1f7c814, 0xed82581, 0x62057b9, 0x434674b, 0x15c15b4, 0x8b4df5e,
+          0xb110081, 0x2a97da1, 0x4c417fe, 0x2a96b0c }
+    },
+    {
+        { 0x237639d, 0x4f75dfc, 0x1db7029, 0xe5ad6bc, 0xb3d28f7, 0xd43e06e,
+          0xe447989, 0x89f3bb5, 0x01a1a6e, 0xc426a2c, 0x315878f, 0x33ea71c,
+          0xb1b5705, 0x8a7784a, 0x77ca811, 0xa59e86e },
+        { 0x36ae155, 0xddb133c, 0x0d51b42, 0x49f1d4c, 0x9d05519, 0x5508082,
+          0x5291816, 0x20e23be, 0x67181ec, 0x35047ec, 0x7aad091, 0x6237dc4,
+          0xe2e25a2, 0xa1d3ce1, 0x0d3db4c, 0x1de0522 }
+    },
+    {
+        { 0xd9fd423, 0xe9a5e19, 0x9801e43, 0x0c2c3d0, 0x28df2da, 0x043c2dd,
+          0xe1ad12a, 0x4eecab4, 0x9615aa5, 0x97e1797, 0xca7bb5e, 0xe57b879,
+          0xcc92619, 0xa2a903c, 0xaa56e93, 0x5cef370 },
+        { 0x7f3232c, 0xbef29fa, 0x2b7ad5c, 0x1cf35ed, 0x3b6077a, 0x35c4893,
+          0x7a1d47d, 0xe065148, 0xce14572, 0xedb4673, 0x0b17629, 0xdc9e98c,
+          0x9a02a5c, 0xef98ebe, 0x11d03c0, 0x1f772e3 }
+    },
+    {
+        { 0x4608f72, 0xcbdbdcd, 0x5a13c6f, 0xb435223, 0x4bb3c21, 0xa6497f6,
+          0x12c15c9, 0x3af2383, 0x6322d11, 0xfbbf4b3, 0xc641775, 0x520a5c6,
+          0xe81e0e1, 0x18cd967, 0x3de3871, 0x980b2c6 },
+        { 0x9ae44a2, 0xfa9db61, 0x176bc56, 0x0281dd2, 0x8a7f817, 0xfd03711,
+          0x4129b30, 0x9c48545, 0x039626d, 0xb439648, 0xe4ada6b, 0x355050e,
+          0x7f5d98c, 0xc9c16d6, 0x18c4d5e, 0xf53ccc3 }
+    },
+},
+{
+    {
+        { 0x3ffb20b, 0x50ae942, 0x6865eb4, 0xa6c0b42, 0x09930f1, 0x4677f7d,
+          0x4a16427, 0x742e0b6, 0xf976f9a, 0x521d18e, 0xa454749, 0x43ac9cf,
+          0xc51f50d, 0xda3a91d, 0xad6f954, 0xf657029 },
+        { 0x6b4f99a, 0xfe5f064, 0x63ad4ce, 0xd92a5d9, 0x2e0e081, 0xfcb5509,
+          0x8d8a858, 0xadc85ab, 0x0632f0f, 0x8e9b966, 0x8d7216d, 0xe7a4f16,
+          0x59c3b99, 0x00a4cc5, 0xba09dc1, 0xed6d0bd }
+    },
+    {
+        { 0x1621beb, 0x7236d14, 0xbc7ca95, 0x1751fd4, 0x2f5319c, 0xaa619d1,
+          0x4e9316f, 0xfc2b15b, 0x9fd4d33, 0x2d1a906, 0x8ced829, 0x28c3bac,
+          0x1dd998f, 0xf2efab5, 0x3b149ed, 0x2c13330 },
+        { 0xf601ac6, 0x65237c9, 0x07d6a45, 0xb54dd65, 0xfb1a4cf, 0xa1ce391,
+          0x115f67e, 0x2957533, 0x465279b, 0x6456da8, 0xa993e02, 0x02890aa,
+          0xb7175e4, 0x6891853, 0x0f3e59b, 0x3fda203 }
+    },
+    {
+        { 0xd8c6e0b, 0xe99fe12, 0x5341c56, 0x7cb07ff, 0xdf77b24, 0xc292c7b,
+          0xca29906, 0xf52dfd0, 0x772f02c, 0x4a6aa26, 0xe1bbd09, 0x26f7684,
+          0xee7c2a8, 0xec56b2b, 0xad4a312, 0x67709e6 },
+        { 0xc570263, 0x99c57b2, 0x2faafae, 0xeb0100b, 0xff25eca, 0x980d5d1,
+          0x82cf936, 0xace35e6, 0x44679ed, 0x5a82ce5, 0x074b81e, 0x5c76a41,
+          0xa00abb1, 0xf36fa43, 0x04ffb2d, 0x0642819 }
+    },
+    {
+        { 0x04bdd28, 0x68f6bc8, 0xb5dc7ad, 0xc311d96, 0xed32e45, 0xff0d646,
+          0xe0f712d, 0xaf3cdc6, 0xd483861, 0xd4508e9, 0x0e1c277, 0xb624be5,
+          0xc5dd841, 0xc510275, 0x298dc02, 0x451c5c3 },
+        { 0xdd34d6b, 0xf87d479, 0xdd06a38, 0xda7f293, 0xb699e9f, 0x575e129,
+          0x215b2cc, 0x79e5fb2, 0x657e690, 0xd280028, 0xe702a71, 0x7fecd09,
+          0xfa13677, 0x85160ab, 0xce65f64, 0x5de3427 }
+    },
+    {
+        { 0xe8fff38, 0x84e4bf6, 0xb358b1c, 0x16f3725, 0x3b472a5, 0x360371c,
+          0x52f217a, 0xe64c061, 0x0501241, 0x8e67379, 0xab2dd96, 0x88e81d6,
+          0x1385604, 0xf3e218a, 0xe84184d, 0x9736caf },
+        { 0xdbb93a3, 0xb55a043, 0x9301088, 0x335088f, 0xb2a4959, 0xcea7a2d,
+          0xb882c33, 0x48e5d4a, 0xad46179, 0x114f09b, 0xb446576, 0x4416467,
+          0x34c6c2f, 0x01cb23e, 0xa02db8a, 0xddebf04 }
+    },
+    {
+        { 0x9bde8a1, 0x36d60cc, 0x676e4ad, 0x20fd2f2, 0x8936581, 0xebdcfb7,
+          0xdbfc2c3, 0x245d0d5, 0xa9f82e5, 0x104c62c, 0xd654d9b, 0x7387457,
+          0xae7f10e, 0xe966777, 0x1d8e582, 0xefeb16f },
+        { 0x70364b5, 0x4faf4f1, 0xd612472, 0x0e1ab58, 0xfed6085, 0x11bbfe7,
+          0xa59a09a, 0xb360a14, 0x722fdb6, 0x61d96e9, 0x94068bd, 0x16a12f1,
+          0xf73c2be, 0x225bf07, 0xc8bd24e, 0x1e64665 }
+    },
+    {
+        { 0x3698c75, 0x27a478a, 0x6202aa2, 0x778ccd3, 0x8d87f1f, 0x0149c63,
+          0x784edae, 0xa660e5f, 0x82adfa8, 0xe0d4d2f, 0x1ba1f9d, 0xf512dd6,
+          0x6245c58, 0x90cfed9, 0x18b53dd, 0x6c3a548 },
+        { 0xbdc094f, 0x833f70c, 0xb1514e7, 0xa5f26f5, 0x1c8cf13, 0x93e7cf5,
+          0x186ec43, 0x1436601, 0xe78170a, 0x81924ac, 0x8694368, 0xcc880a0,
+          0x0b62cbb, 0x2dfa955, 0x96b4a2c, 0x0bc6aa4 }
+    },
+    {
+        { 0x3561aa2, 0x5157a7e, 0x8645c1e, 0x525c500, 0xce7cbb3, 0x22feb4e,
+          0xc89a58b, 0x36d0d25, 0xc9bde9c, 0x43131f7, 0x881f731, 0x74afdda,
+          0x7c8e36a, 0x99ab87c, 0xc1d4fb2, 0xf07a476 },
+        { 0xbebc606, 0x1b82056, 0xfcf089f, 0x95a1e5a, 0x2b55d5c, 0xc5bccfa,
+          0x00eb0b1, 0x8fbc18e, 0x9efb483, 0x93a06fe, 0x2d74c57, 0xcafd725,
+          0x3de4350, 0xc7518f0, 0xc6fd762, 0x9a719bf }
+    },
+},
+{
+    {
+        { 0x2362087, 0x5ee0d83, 0x0b167e8, 0x7f2c0d7, 0x5e0e865, 0xb732789,
+          0x98c4e65, 0xef5b2e8, 0x8fe9cc1, 0x222797d, 0x82d1e15, 0xfe6d73e,
+          0xf62dc4b, 0xc7c0e9c, 0x937ceda, 0x962acfe },
+        { 0xc1e85c7, 0xd763711, 0x2836978, 0x8f2dbbc, 0x8c44e98, 0xbadc055,
+          0xa3e93f8, 0xed63eab, 0x41b55c7, 0x807e857, 0x6d1207b, 0xd51ae5e,
+          0x39d541b, 0xa0ef9a6, 0xa0c56a5, 0x58855f9 }
+    },
+    {
+        { 0x213091d, 0x7d88eaa, 0x45b6a0d, 0xcbdfee7, 0x4f5e077, 0x826a012,
+          0x90f1e4c, 0xb04fc13, 0xaea69aa, 0x1961ac3, 0xd5bb63e, 0x3afb719,
+          0x4ac7e5c, 0x2a37837, 0xc50ca45, 0x78efcc1 },
+        { 0xb8abdef, 0x346e8f0, 0x88095d0, 0x27e3dbd, 0xffc6c22, 0x56d3379,
+          0xfa4b291, 0x67d416c, 0x3b1b373, 0xc3baaf6, 0xdf73bae, 0x0184e1f,
+          0x9167528, 0x38ae8f7, 0x35d6297, 0x7329d4c }
+    },
+    {
+        { 0xf568c52, 0x45d2ac9, 0x9808593, 0x5134814, 0x31b7ed8, 0x0c92d83,
+          0x0876ecd, 0x921327a, 0x052736a, 0xf752d75, 0xbc6b837, 0x7b56487,
+          0xa23b4cc, 0x6b1a320, 0xec0d665, 0x1983937 },
+        { 0x08554ab, 0x2c3017c, 0x366e87f, 0x40ad955, 0x8ed7f02, 0x88c4edf,
+          0x3cc5e6d, 0x64a7db1, 0x2dc978b, 0x5ac91fa, 0x925d2a2, 0x016a20d,
+          0xabb57b4, 0x3604dfe, 0xd7e2e85, 0xc3683ec }
+    },
+    {
+        { 0x4c0c6d0, 0xc47150a, 0xe22adcf, 0x30af45e, 0x022ea4b, 0x39b5acb,
+          0x77203b5, 0xfbe3185, 0x6fd9b59, 0xe5aaa34, 0xdd1c8dc, 0x0062c90,
+          0x54049ac, 0xcf113f3, 0x63a31b5, 0xd8fba4d },
+        { 0x1056a69, 0x73b5488, 0xd780bda, 0x3be6cbc, 0x30ba2b9, 0x5776ec2,
+          0x8e8d6f7, 0xbe883cf, 0x5c2be6f, 0x64efe94, 0xf1ade8d, 0x064f704,
+          0x743110e, 0x41cfd17, 0x4c20abe, 0xaac9411 }
+    },
+    {
+        { 0xf1c1468, 0x91f9192, 0x4563e13, 0x8176e74, 0x0bda15d, 0xa48b5f9,
+          0xda42af6, 0x2a085ae, 0x425c018, 0xfd38ab2, 0x08abafb, 0x2884ba4,
+          0xcbd091d, 0x356f318, 0x817871b, 0x454e450 },
+        { 0x8ada531, 0xe080e81, 0x3152ba8, 0xa40f1eb, 0x0c38eb1, 0x051049f,
+          0xbd45003, 0x37e4bb3, 0x54a01e5, 0x6d09804, 0xeeb824a, 0x6de932f,
+          0xdc93481, 0xccdef37, 0x93a05e8, 0x8633e07 }
+    },
+    {
+        { 0x034675c, 0xbe94256, 0x08db789, 0x376c01d, 0x9af1b6b, 0x8707ee7,
+          0x11bfbac, 0x633b3ef, 0xd06db60, 0x694f33f, 0xbb13407, 0x2a68bfc,
+          0xda27c3a, 0x1c860c9, 0xd701ac3, 0xbca16de },
+        { 0xc59ffd0, 0x2b76cfa, 0x54d718d, 0xf9a1165, 0x67f0878, 0xf86a1db,
+          0xaf34e85, 0xe313e05, 0x3343159, 0xa188811, 0x0bb7ed1, 0xdbe4c3f,
+          0x0c732bc, 0x73b67e8, 0xe74110e, 0xa4e1c87 }
+    },
+    {
+        { 0x5c6770c, 0xce1106b, 0x5c0bcb7, 0x422c70b, 0x8195e7f, 0x32a3990,
+          0x1ccd4aa, 0xa24968d, 0x720e557, 0x8f08ecf, 0x54bcc81, 0x5da10a4,
+          0x6cd846e, 0x9d3c73b, 0x368d065, 0xaeb12c7 },
+        { 0xcf9fd1b, 0x2110859, 0xee2bd6d, 0xd2a4801, 0xe9466ac, 0x376e556,
+          0x3b5aa35, 0x767803b, 0xb8a89ba, 0x343f842, 0x6726bbf, 0x3263cc1,
+          0x25871b0, 0x26caf17, 0x41b8578, 0xef66ad6 }
+    },
+    {
+        { 0x638068c, 0xc9f2249, 0x1ccf9af, 0x96d282c, 0x69b435a, 0x71df30c,
+          0xcb9d5c9, 0x88c943a, 0x2a8f378, 0xbf98ef1, 0x114c6ff, 0xffc1824,
+          0xd52e8c7, 0xda3ad2c, 0x1afcb59, 0xf1222bc },
+        { 0x0ee334a, 0x459e94b, 0x421933a, 0xd4477b8, 0xa1e401e, 0x60fb7b0,
+          0x0d1e330, 0xfde6e82, 0x3233fde, 0xcecfe9b, 0x2e93523, 0x09ec466,
+          0x30775b9, 0xa5ba649, 0xadf80f2, 0xcc397e5 }
+    },
+},
+{
+    {
+        { 0x4ddc8a8, 0x2fe182d, 0xac056bf, 0x88d6e79, 0x0e41e4e, 0xc3ff2d1,
+          0x2c3679f, 0x32ec7f9, 0x4e61051, 0x3561f09, 0x6c6250a, 0x4553f5a,
+          0xdd25c5b, 0x2b765ef, 0x6a1cd7f, 0xe3a40a2 },
+        { 0x5d821dd, 0xb27309b, 0xc2c17ca, 0x950fb8d, 0x8fb0d4c, 0xfeed015,
+          0xf550179, 0x762c479, 0xe095840, 0x306cf44, 0xd379e66, 0x84b413a,
+          0xbb2e4f1, 0xd6e5d5a, 0x94b085d, 0x8bc12b7 }
+    },
+    {
+        { 0x04b5532, 0xc0d4cb8, 0xb9940a6, 0x7a31525, 0x68c69d1, 0x010e7dd,
+          0x2a18c35, 0xd81f29d, 0x3f11e73, 0x08ae770, 0x6e55106, 0x5358f87,
+          0xc960ef5, 0x299e8ca, 0xacfc8dc, 0x89a6fb4 },
+        { 0x6dc7d4a, 0x5996a40, 0xe51b96e, 0x21e5112, 0x09a202b, 0x95b8c3d,
+          0xd441f1f, 0x306ab0f, 0x98d4245, 0x2834fed, 0xd0abbde, 0xc29c387,
+          0xb805c15, 0xf6a9bf1, 0xc4e458d, 0x602f4f8 }
+    },
+    {
+        { 0xe5a893a, 0xf041486, 0x8934327, 0x53b891d, 0x4000758, 0x11e000d,
+          0x662bad9, 0xa4ccde8, 0xb9a1b64, 0xe34d3ed, 0x84e7a6d, 0x72d9675,
+          0x6627be4, 0x773da2f, 0xe835ae3, 0xa11c946 },
+        { 0x650bc15, 0x02e8203, 0xe58b78d, 0x2d35936, 0xf21a3cc, 0xe9cfbe8,
+          0x1049222, 0x55ad831, 0x38fff47, 0xbf99de4, 0x3831db5, 0xebbfd80,
+          0xaf2af42, 0xe990636, 0xb7f5a0e, 0xc26ae52 }
+    },
+    {
+        { 0xfa8f846, 0xb5d85b1, 0xb3b1455, 0x4166489, 0xd36a305, 0x768260d,
+          0x4ff5645, 0xc6a8235, 0xd6e93e5, 0xd241cd8, 0xa406e74, 0xeed9aa1,
+          0x5f600d9, 0x9e96ab0, 0x6eca2a1, 0xa26b8b5 },
+        { 0xd705aef, 0x78321cf, 0xc0161ec, 0xc4fb6b3, 0x5199cf1, 0xdc32441,
+          0xd0a5067, 0x33627d0, 0x15143ee, 0x13490cb, 0x85b4f44, 0x77e0ede,
+          0x394b165, 0x904f12e, 0xefab32d, 0x90f50f5 }
+    },
+    {
+        { 0xbc2de96, 0x4aa0a16, 0xaa9c12b, 0x172596a, 0x60e8a29, 0xd512e1e,
+          0xf637e83, 0x77d35c1, 0xd2aae0b, 0xbb0d141, 0x8c03738, 0x8a878a5,
+          0xab0e525, 0x6d24c01, 0xf760887, 0xb7d3136 },
+        { 0x3f91b7c, 0xdbc3f8f, 0xa8722c0, 0xe7b4bca, 0xda0ae65, 0x3286a91,
+          0x225b084, 0x8372274, 0xae1886c, 0x5884cd5, 0x3a23cf7, 0xb4e63ef,
+          0xf2dd0da, 0xfe5f202, 0x653916c, 0x951fac9 }
+    },
+    {
+        { 0x854fa4e, 0x05e2e8f, 0x1edaf10, 0xf411f94, 0xa0a928d, 0x26cc562,
+          0x4abce65, 0x78fd34e, 0x98a32e2, 0x1d87609, 0x4c37518, 0x85dc76f,
+          0x00e8021, 0xdcaeef5, 0x4e9b2a5, 0x7fcb2f8 },
+        { 0xf382c06, 0x9eba91e, 0x24cae53, 0x2052e85, 0xf5c1519, 0x617336e,
+          0xb4e632b, 0xf1546d5, 0xd7b8ffd, 0xa9edc81, 0x29ab68c, 0xdb2914f,
+          0xdebbaba, 0xe805070, 0xc3b719e, 0x775e53b }
+    },
+    {
+        { 0x065256a, 0xa40e294, 0x8fb031a, 0x9f11386, 0x059667c, 0xac03af8,
+          0x0475f58, 0x432eb3a, 0x01faad0, 0x22332bf, 0xbc57a11, 0xc8132e9,
+          0x3bc3f8b, 0x27d5a17, 0x930bf3e, 0x5471fc6 },
+        { 0xe6bff40, 0xba28bc0, 0x555e564, 0x198d57e, 0x9c65b8f, 0x13ce831,
+          0x5681b51, 0xb0a5c9d, 0xdeb9e11, 0x467588b, 0xbb4250b, 0xf1891a7,
+          0xd12b433, 0x10b938b, 0x24dcda4, 0x0b8c802 }
+    },
+    {
+        { 0xcf332d3, 0xc428703, 0xf2a5b98, 0x9d0053c, 0x7838a15, 0x4e4c620,
+          0xfbf8a43, 0x2e92919, 0x21cd9a5, 0x39ad524, 0x1561588, 0x584ed6c,
+          0x17a95c8, 0x20af305, 0xb70e1c8, 0xa223077 },
+        { 0x2fa4871, 0x679cfea, 0xac633c7, 0x54f2a46, 0x4cdc5f1, 0x6030651,
+          0x75a1dc7, 0xc4facda, 0x2d07d19, 0x710a288, 0x6b44992, 0xd55864e,
+          0x454c5b2, 0x44d4b6c, 0x72f9981, 0x2855d28 }
+    },
+},
+{
+    {
+        { 0xc7b0674, 0x4071b3e, 0xf8794d5, 0x800eb14, 0xbe6783e, 0x70573af,
+          0x7785901, 0xafaa440, 0x405f32c, 0x112d2a1, 0x169b3e2, 0x3761a52,
+          0x842a366, 0xe168b31, 0x9bf4734, 0x5bc322f },
+        { 0x976c4a0, 0x36ef240, 0xfea4e64, 0x066f3d6, 0xa989e57, 0x0e954bd,
+          0xf9466e4, 0xe36ef5e, 0xbeb9226, 0x6bb615a, 0x3d5a2ca, 0x5571e5f,
+          0x4897a86, 0xa86efe2, 0x28a9f77, 0xed7e9cf }
+    },
+    {
+        { 0x1f82c68, 0xdf10c97, 0x3b597e6, 0x796ba1e, 0xe718cbf, 0x1ac77ec,
+          0x410eac8, 0xc8175bb, 0xbc555ef, 0x0cdf9a1, 0x7524e05, 0x6b889f1,
+          0xae26d82, 0x6bf1e61, 0xd2e97d9, 0xb3f6ad5 },
+        { 0xf226487, 0x94dcff9, 0xbe03dde, 0x60e6356, 0x6a3dd7d, 0xda1f93b,
+          0x79ca90c, 0xf1be721, 0x1e6bce5, 0x05ed313, 0xd48af3e, 0xcf50908,
+          0x61e554f, 0x3b0e85c, 0xa2778d3, 0xfe7e35b }
+    },
+    {
+        { 0x75ac5a9, 0x42c5032, 0xda062c2, 0xa66a66d, 0xcaa7023, 0xa4f4f82,
+          0x64b4f86, 0x489d476, 0x97311ad, 0x10b1088, 0x177b2ec, 0x55dd637,
+          0x9a267b1, 0xa5ccff0, 0xff327b0, 0xf07690b },
+        { 0x2250cd2, 0x39162ed, 0x8b255f1, 0x1426de0, 0x1bdd731, 0xf227afd,
+          0xfa4c844, 0x78f8a36, 0x157379c, 0x267a211, 0xcc04acb, 0x3f05f92,
+          0xfc69cae, 0x374496c, 0x16ebfec, 0xbf2c5d0 }
+    },
+    {
+        { 0xd0518d1, 0x605418b, 0x9e1cbc6, 0x3237f80, 0x286c019, 0x37a7005,
+          0xb15af0b, 0xf1fb0e0, 0xaa853c0, 0xfc3b97c, 0xe6beba2, 0x1f48bd0,
+          0xe6a72f1, 0x8e5d7c5, 0x26ebf0c, 0x575e66d },
+        { 0x62eae3d, 0x0994776, 0x96c9c65, 0x53f074f, 0xb81bade, 0x6cfbfdb,
+          0x3fed7d1, 0x98b4efe, 0x38c3382, 0xdaa1123, 0x47b8ec6, 0xdf88b73,
+          0x9504a4f, 0x9b0fe4b, 0xf30c1c3, 0x2e7df4c }
+    },
+    {
+        { 0x2fc1833, 0x25380cb, 0x18d62de, 0xb8e248c, 0xd82f9db, 0x91c8f59,
+          0x2444750, 0x5ec2b20, 0x66b6f74, 0x3f3a1f7, 0xdd7d14d, 0x0180aa9,
+          0x2956b9c, 0xd0a342d, 0x7139873, 0x26e910e },
+        { 0x139e23d, 0x2261dc4, 0xb8343dd, 0x7edb181, 0xb4038dd, 0xfcf1073,
+          0xa3bfea3, 0x88870ef, 0x64a263e, 0x4e98ba9, 0x70811f5, 0x3c6e5dc,
+          0xf86055d, 0x17d28f5, 0x66e4199, 0xca9c276 }
+    },
+    {
+        { 0x964ef8c, 0x0b2d8bd, 0x88e2ba6, 0x5a99b85, 0x04498ce, 0x9e927b2,
+          0x756eb25, 0x9ff20c5, 0x3f27736, 0x97cc27b, 0x4729583, 0xf32dd6d,
+          0x0381a94, 0xbdc2658, 0xef2c06f, 0x70fef15 },
+        { 0x49252cc, 0x50a6191, 0x236b4b9, 0x9eb4a14, 0x8e00f78, 0x9b1b215,
+          0x6ea9c23, 0x27add36, 0xc3a8e79, 0xef61763, 0xd82ce56, 0xed4542f,
+          0x0caed75, 0xa8737e7, 0xd452d76, 0xeca0ac2 }
+    },
+    {
+        { 0x3d082d0, 0x20c0779, 0xc9e9f3b, 0x6e3ce64, 0x75a195f, 0xb3a4dce,
+          0xbdd9f24, 0x3a3c305, 0x8688942, 0xe2545c8, 0x080f32b, 0xa463c82,
+          0x42686b8, 0x4429748, 0x7213866, 0xf50e20d },
+        { 0x3826e74, 0x265ac52, 0x228e8ec, 0x26fba57, 0xe6b3ed8, 0x8a1e1db,
+          0xf0fe65a, 0x7c7b278, 0xc395234, 0x9a6df23, 0x0b0f114, 0x9956206,
+          0xef90837, 0x440c8c4, 0x3645f65, 0x21ad22a }
+    },
+    {
+        { 0xedd31b2, 0x1e023a6, 0x9ff8668, 0xf76d145, 0x17b45c8, 0x9707056,
+          0x1e88e37, 0x0612078, 0x922faac, 0x85c51c8, 0x22756d9, 0x4df392e,
+          0xa03c98e, 0x8907fd0, 0x52ea51c, 0x626f46a },
+        { 0x486c8a2, 0xf8f766a, 0x88ed18c, 0x8c499a2, 0x3c4f0de, 0x44d2dc6,
+          0x6f2a0b6, 0x47dde68, 0x4a973fd, 0x9a655f8, 0x786ac80, 0x3e7124e,
+          0xe8a0574, 0x699e61c, 0x31cdd0d, 0xdf0ba9a }
+    },
+},
+{
+    {
+        { 0xd73e69b, 0x76270ad, 0xc67d38a, 0x991120f, 0x9469f0c, 0x7be5830,
+          0x7db40ac, 0x93aba59, 0x822fc08, 0x2b707bc, 0x69551cd, 0x4199fc0,
+          0xf367324, 0x38deed4, 0x2228787, 0xca518e1 },
+        { 0xd9a9277, 0x72f1bef, 0xe49ae90, 0x57d4aab, 0xdb23478, 0x13810d5,
+          0x9b4b77f, 0x2a8b780, 0x1b4e004, 0xb542f4e, 0x3ec77f0, 0x4080fd0,
+          0xcec6596, 0xb49e9fe, 0x3f16037, 0x20338d3 }
+    },
+    {
+        { 0x53554b0, 0x4adcdae, 0xe04c4db, 0xfea4906, 0x7748233, 0x0808bec,
+          0x47148d7, 0xde7477c, 0x03da38c, 0xdd9124c, 0x25ee8e9, 0x6b25031,
+          0xb0d6161, 0xae67399, 0x82203b6, 0x70c4acd },
+        { 0xd31dae8, 0x9683916, 0x1ac7f69, 0x3477503, 0x988e4ad, 0x9553153,
+          0x53a15e1, 0xb58f411, 0x92ba2dd, 0xb65a2d4, 0xa90169c, 0x7c3efb1,
+          0x6b1747d, 0x210f45e, 0xcff488d, 0x16e8d1b }
+    },
+    {
+        { 0x9d703db, 0x252adf8, 0xfdfeb39, 0x259ac1d, 0x115e806, 0x7faf6af,
+          0xc1aff21, 0x7aaefd6, 0x7c0113d, 0x8054210, 0xe19b4b1, 0x481f1a5,
+          0xfcc8c61, 0x7c17d43, 0xbb0bbbe, 0x8b04452 },
+        { 0x4cebae1, 0xe51e5f5, 0x56a414c, 0x05341ba, 0x7fb8a30, 0x0083a2c,
+          0x77f4952, 0xb4663f2, 0x4bb0074, 0xce72eec, 0xa3584d1, 0x74fdd66,
+          0xb02e076, 0x6b9e58e, 0x3b961f4, 0x5be45d5 }
+    },
+    {
+        { 0x1ab2e0b, 0xc7474f3, 0xf4bf454, 0x2838ccb, 0xf3c3eac, 0x634392e,
+          0x137602b, 0x440e40a, 0xd1ae8e3, 0xeea67e9, 0x77e221e, 0xafdf93a,
+          0x2719a10, 0x3c9f3da, 0x32c8256, 0x466ecef },
+        { 0xf9c432f, 0x1061c19, 0xb1c7d98, 0xa1332d9, 0xa425c2c, 0xbc735f2,
+          0x4b1bccb, 0x1429cdf, 0x6bbb5f9, 0x77b42a1, 0x5955ae4, 0x30078e3,
+          0x21cc315, 0x8acd777, 0xe86fa99, 0xaa90d5f }
+    },
+    {
+        { 0x721115a, 0xfcfd460, 0x08269b8, 0x6a7de3e, 0x96dd47e, 0xe5964a6,
+          0x8dca975, 0x6717cd5, 0x98b149e, 0x7ea4ebe, 0xb7b8057, 0x6f894d5,
+          0x7f30e31, 0xbd6f960, 0x23df092, 0x61ca453 },
+        { 0x9d782f3, 0x32241f9, 0x2abfae2, 0x55173b0, 0xd15bbbd, 0x0abe0ed,
+          0xb438abb, 0xb6d3c0a, 0x9ffa20b, 0x62fb467, 0xd31560a, 0x30926b5,
+          0x2a0aa6d, 0x44bf27c, 0x1a4cb97, 0xf747313 }
+    },
+    {
+        { 0xb0535de, 0xa2f6c0d, 0xc855166, 0xcb02ae1, 0xb3422f0, 0xc699e6b,
+          0x281ba8a, 0x774febe, 0xffabcc7, 0x1d9d24f, 0xfe12ba5, 0x0b31ba1,
+          0x13d0af7, 0x4c86803, 0x2f47160, 0x90640d3 },
+        { 0x5876603, 0xa0c4bf4, 0x950ab08, 0x717f6fa, 0xa710de8, 0xf12bb53,
+          0x6a88f50, 0xc500c61, 0x2645351, 0x0070f99, 0x2446893, 0x57aab5d,
+          0xb68f657, 0xd553fa8, 0x693c55d, 0xe8537c1 }
+    },
+    {
+        { 0x7fc7684, 0x58e86eb, 0xbfc73a9, 0xdf330f7, 0xcc11936, 0x41e337d,
+          0x6e35759, 0x36d9200, 0x3500d8b, 0x0132703, 0x9483354, 0xfa68405,
+          0x667851b, 0xc8f2980, 0x18296b0, 0x538ec89 },
+        { 0xcff55f9, 0xa2a2c4f, 0x60d20bd, 0xb260d4d, 0xd9cc59f, 0x3ed576f,
+          0xd514fcc, 0x4ed8c64, 0xc22b315, 0x37ebfb2, 0x94c212c, 0xca67a36,
+          0x3a1795e, 0x4f8e08c, 0x4e7261f, 0x498f926 }
+    },
+    {
+        { 0xc59b3d4, 0xfea7382, 0x3f2925f, 0xb9942ed, 0x8ea77e8, 0xe4b00dc,
+          0x3cab02e, 0x74a18ec, 0xef16d0b, 0xbbbb752, 0xffab032, 0x639da4f,
+          0x3aa30f0, 0xc371a4a, 0xcaa175b, 0x8e26b22 },
+        { 0x7e2b62e, 0x94e4156, 0x25a794c, 0x7cceea6, 0x479f015, 0x931d2f4,
+          0x90b25b2, 0x946183d, 0x68a2807, 0x1504e97, 0xfa49ddd, 0xa7577d3,
+          0xdd48699, 0x24fc87e, 0x3d7d99c, 0x9edefd6 }
+    },
+},
+{
+    {
+        { 0x0f0b450, 0x0508b34, 0xc36f7f4, 0xe0069a5, 0x2a5a761, 0x2655664,
+          0x848e04d, 0x0193fd8, 0x73fe2e7, 0xc108cf5, 0xfd787d4, 0x05eb0ec,
+          0xff28985, 0x1555ccb, 0x651b995, 0xb5af09f },
+        { 0xe1134be, 0x167d72c, 0x57c669a, 0xd6d98bf, 0x6dd76fa, 0x40fb716,
+          0x2a41b31, 0xeabbf20, 0x09b75b0, 0x300ff0e, 0xd9a0c1e, 0x32b6fad,
+          0x65a80e0, 0x8051883, 0x32110fe, 0x8bef693 }
+    },
+    {
+        { 0xbef47d4, 0x637802f, 0x2d16eaa, 0xfac114b, 0x0415644, 0x7b3f3ab,
+          0x2dd895b, 0x17ab8d1, 0x87195f3, 0x271b7fe, 0xa71f65f, 0xa3f867e,
+          0xc80583a, 0x39ba40c, 0x56e1fcc, 0x6db0672 },
+        { 0x06662a8, 0x4feab4e, 0xc74bd46, 0xc857415, 0x732b126, 0x18032ed,
+          0x7a099ea, 0x87c8aea, 0x36fe0a8, 0xb4a7535, 0x27673f6, 0x33a98da,
+          0x2b8e549, 0x3e40c02, 0x9a4c587, 0x2def1af }
+    },
+    {
+        { 0xa8c9ad9, 0x9618b68, 0x49defda, 0xd70b4aa, 0x5f788ef, 0xae8b138,
+          0xdd523f4, 0x87c3542, 0x5c5b004, 0xe42c705, 0xfa7df57, 0x6303360,
+          0x5f6d068, 0x33e27a7, 0x8ff331a, 0x9b3268e },
+        { 0x23ee0c3, 0x845cc96, 0xac80084, 0x003af70, 0x530c41d, 0x6a9f931,
+          0xbb127f0, 0xa1d7051, 0xca36245, 0x642ce05, 0x0323ee9, 0xc34205b,
+          0xb7b3513, 0x7cc8912, 0x076cbdb, 0x6252cc8 }
+    },
+    {
+        { 0x7089522, 0x10e68a0, 0x58fc658, 0x36c1361, 0x74723a4, 0x490397d,
+          0x519d56c, 0x42692c0, 0xf1ff235, 0x69d251b, 0xc2cbf37, 0xe689d03,
+          0x825b7f4, 0xf04ceba, 0x2281c2e, 0xd6b9bee },
+        { 0xe0043ab, 0xc52ef3f, 0xd1d1be8, 0x351bf28, 0x0f18a5a, 0x277615f,
+          0x5d6800f, 0x31f717f, 0xab922e2, 0xf5fb82d, 0x2d6ae43, 0x99aee2f,
+          0xc63b982, 0x42477fe, 0xa594a01, 0x904aeb1 }
+    },
+    {
+        { 0xeb39974, 0xaa82174, 0x95e6aa0, 0xbc38e61, 0x25c0675, 0x6a3df8a,
+          0xffbe739, 0xf324203, 0xa3f0649, 0xfa5a0b4, 0x7a7a6b8, 0x79c8732,
+          0x40ad3f5, 0xeb65ecd, 0xe4e45c5, 0x718d416 },
+        { 0xe2326fd, 0x029dbf4, 0xe7942f0, 0x0c63416, 0x6f4e678, 0x6d0c728,
+          0xa138601, 0x59f0b10, 0x8d92ea9, 0x8a1d978, 0xc22eca5, 0x9f8d712,
+          0x7b6b96b, 0x7397044, 0xe6fb955, 0xa2d49ee }
+    },
+    {
+        { 0xbf14a19, 0x249f900, 0x63a8cd2, 0xd3522da, 0x86964d2, 0x28a32f3,
+          0xc1fa743, 0xacf712b, 0x0bb94d3, 0x98a9bfc, 0xbc06824, 0x318ece1,
+          0x4fce7f0, 0xfc47675, 0xe4135b7, 0x19caec9 },
+        { 0xc6817bb, 0x6de68a8, 0xf3b6d89, 0x7121960, 0xf5a818e, 0xa7d4261,
+          0x9157455, 0x0c0ba51, 0x450d5ff, 0x78b6acf, 0x4e8649a, 0x198b493,
+          0xfd05da3, 0x0941a3c, 0xdb55951, 0x264ea4a }
+    },
+    {
+        { 0x46e5a31, 0xcfee91c, 0xfff7366, 0x47b6806, 0x5df849d, 0xdb14be4,
+          0xac66cc7, 0x3c5e22b, 0xa5f4769, 0x7f3f284, 0x383be36, 0x4e00815,
+          0x8072b0b, 0x39a9f0b, 0xc7eadd6, 0x9887cd5 },
+        { 0xb659511, 0x7dd8f05, 0xd2e1cb9, 0x15c796d, 0x0d31345, 0xe5edb0c,
+          0x6939c60, 0x2025df0, 0xbf15de1, 0x6314c08, 0x04c7fb5, 0x03c1548,
+          0xbb5d3ed, 0x413337f, 0x477e983, 0xfc20b40 }
+    },
+    {
+        { 0x5db0ef9, 0x7f96880, 0xe9c2a70, 0x05562de, 0x7dae133, 0x071e5bc,
+          0x237fc4a, 0xa8cdd12, 0x4ea492b, 0x6d565e7, 0x381ee52, 0xa17cf94,
+          0x9f5c546, 0x6ab8a4e, 0x40288ef, 0xbb642f3 },
+        { 0x5df5c2d, 0x64e5921, 0xbb906f4, 0x43696e3, 0x74ae46c, 0x73a841a,
+          0xc506b8a, 0xe264883, 0xa1be548, 0x9542e1a, 0x5e81b4a, 0x8938539,
+          0xeaca6ce, 0x5642cfa, 0x806e0f9, 0xed8077b }
+    },
+},
+{
+    {
+        { 0x7e13597, 0x1c776c4, 0x9e584fd, 0x0ec8b28, 0xb8b61e8, 0x0bb6043,
+          0x9cd835b, 0xdcc1748, 0x39fef9a, 0x493e6ac, 0xd133e17, 0xb44eb34,
+          0x71cb6f9, 0xfebcd00, 0xd20eff2, 0xe6cf543 },
+        { 0x0a004c7, 0xf265cad, 0xd35cc12, 0x9b06c9d, 0xcb4ea53, 0x769f985,
+          0x0993434, 0x29160a2, 0x8d939c4, 0xdf8dd10, 0x6711e2f, 0xefa177c,
+          0xcd7a2cd, 0x1695790, 0x77f6642, 0x38da3d7 }
+    },
+    {
+        { 0x6307b74, 0x9bfcfd9, 0xbfdabc3, 0xc26a36d, 0x4abe28e, 0x9341be0,
+          0x73d1387, 0xdb20b52, 0x3d1949c, 0xf8d229c, 0xb8b3a41, 0xf1e0afe,
+          0xed565d0, 0x29c60df, 0x8b43b2c, 0x6930bb5 },
+        { 0xfc0718f, 0x1d76527, 0x1f67189, 0xdb98143, 0x51f32cc, 0x0c62f64,
+          0x8bd35e5, 0x70a6626, 0xc1cece7, 0x1725641, 0xf96f4a4, 0x7f130a8,
+          0xf06ee98, 0x72319e9, 0x67bf9b2, 0x215b738 }
+    },
+    {
+        { 0x0aaddd7, 0x8d1bec2, 0xb8be4f9, 0xfb8b95b, 0xfde1026, 0xeac193e,
+          0x9d5860c, 0xa5edea7, 0x44280d3, 0x4adbaea, 0x38f4798, 0xce8b670,
+          0xec30dea, 0x914c107, 0x000776b, 0xbdc5cf7 },
+        { 0xa206a13, 0xb6fd7d1, 0xdae986e, 0x9941eba, 0x1f1caaa, 0x76c27a8,
+          0x3f108b4, 0x6967c12, 0x4aea2d0, 0x6f11528, 0x144ddac, 0x9bb4319,
+          0xc8ec6fc, 0x1a4d3ea, 0xbf37420, 0xfe4b0b8 }
+    },
+    {
+        { 0xec0ac6f, 0x5d9a4a1, 0xfc7c80d, 0x84b79f2, 0xc14fac3, 0x64222f7,
+          0xc23b3f2, 0xdd9e039, 0xea956bb, 0x4a84abd, 0xebe09dc, 0x370dcba,
+          0xe0eaf82, 0x79a9ea8, 0xaee375f, 0x4cfb60a },
+        { 0x9106827, 0x6a10dbf, 0x43f305b, 0xa3ba5cf, 0xc1bb083, 0x481b885,
+          0xb3117b1, 0x2f52380, 0xddd6791, 0x0066122, 0x63bace3, 0x4f8923e,
+          0xecb88d4, 0x5c5f499, 0x3bac146, 0xfdc780a }
+    },
+    {
+        { 0x7ba1f71, 0x34b70ae, 0x45bd184, 0x9091829, 0xe707313, 0x3b39778,
+          0x6164e91, 0xdeefc5e, 0x4971f39, 0xbb55bed, 0x8dafc8b, 0x7d52339,
+          0xa6adf0f, 0x82391bf, 0xe319522, 0xfd6f90a },
+        { 0xf29bbc9, 0x60fdf77, 0xaaa4030, 0xeff9ed8, 0xf8c0d3f, 0x978e045,
+          0xeed65cd, 0xe0502c3, 0x3cfd4c8, 0x3104d8f, 0xa639005, 0xab1be44,
+          0x9eeab3f, 0xe83f431, 0x451d797, 0x01970e8 }
+    },
+    {
+        { 0x3180f4b, 0xbc972f8, 0x617779d, 0xac053c0, 0x7fa149f, 0x89392c5,
+          0xbcb6263, 0xdc4699b, 0xce12882, 0x0ae8b28, 0xaf1a4dc, 0xdca19a7,
+          0x64e1a74, 0xd3d719f, 0xaffdd5d, 0xbb50201 },
+        { 0x7ac30e9, 0x56f7310, 0x1878900, 0x65cc9c7, 0x27338a3, 0x83f5866,
+          0xac5bb13, 0x122adef, 0x1bcd4d5, 0x97de200, 0xb8aa3a0, 0x6ed3985,
+          0x6821f9b, 0x8680f1d, 0xdda9f98, 0xcb42028 }
+    },
+    {
+        { 0x0ec2db3, 0xcdb0708, 0x3dad1a1, 0xe28c833, 0xde2da07, 0x2093e32,
+          0x83b8987, 0x7317073, 0xf552b8d, 0xad17871, 0x51cf70a, 0x846da98,
+          0x5c4f5e1, 0xf94a16e, 0x0f8348a, 0x8429996 },
+        { 0x98db78a, 0x4bf3f68, 0x3d19b52, 0xad77fa8, 0x8b972dc, 0x6976772,
+          0x5321be0, 0x7dfa35a, 0xdd344a6, 0x9881846, 0xad4e2a8, 0xe550292,
+          0xbc68bf1, 0x8075217, 0x893be15, 0xdd837c4 }
+    },
+    {
+        { 0xd4fab5b, 0x09c931e, 0xb77a0f1, 0xb2dcf08, 0xe0d38a6, 0x7dac5c0,
+          0x0ae73af, 0xa5570b0, 0xf5aed28, 0xc7c19d3, 0x5251e92, 0x575fa6f,
+          0xcdf7275, 0xb843cd6, 0x9a01287, 0xd9d3d8e },
+        { 0xb3c370b, 0xf94e356, 0xfe464b0, 0xc62b99f, 0xa986057, 0x7792650,
+          0xc4b1874, 0xeaa67d5, 0x0b07078, 0xba1ba4d, 0x7a03699, 0xdbf636d,
+          0xedd32a3, 0x1a16c34, 0xa45cb5d, 0x6ce2495 }
+    },
+},
+{
+    {
+        { 0xa684441, 0xd7c4d9a, 0x30cd42a, 0xce62af6, 0x43014c4, 0xcd2669b,
+          0x6f65b24, 0xce7e711, 0x576fa19, 0x1847ce9, 0x9dd8ca6, 0x82585ac,
+          0xb42e1db, 0x3009096, 0x384ab8b, 0x2b2c83e },
+        { 0xb4e9a6e, 0xe171ffc, 0x7374b40, 0x9de4218, 0xdb1d616, 0x5701f9f,
+          0xa3e8cbc, 0x211e122, 0x1e400bf, 0x04e8c1a, 0x0f37159, 0x0297470,
+          0x3df8c28, 0x41775d1, 0x61ac2db, 0xcfaad4a }
+    },
+    {
+        { 0x7dc0f49, 0x6341b4d, 0xf471a53, 0xaff6c2d, 0xfb8e91e, 0x20ec795,
+          0xc3b7b62, 0x4c7a4df, 0xd374938, 0x9f33ff2, 0x3a60f2e, 0x38f8c65,
+          0x2efef73, 0xc1168ac, 0xce408ee, 0x046146f },
+        { 0x308b0c3, 0x9b39ac0, 0x36b8570, 0xe032d61, 0xfc4aacf, 0xee07d8d,
+          0xd5a41dd, 0x0a82acb, 0x7c3d726, 0xbe0ded2, 0xb926ce9, 0xce51d60,
+          0x5806c1e, 0xfa2f7f4, 0x1dec59c, 0xe367c6d }
+    },
+    {
+        { 0xda2547b, 0x64511b6, 0x0761405, 0x76a349c, 0x01223ab, 0x37d6626,
+          0xf4d7c48, 0x0e243c1, 0xda756a0, 0xdc9c8b4, 0xd72e7e9, 0xc7430df,
+          0x27b4210, 0x0eb1308, 0xcf11cbd, 0x7a9c044 },
+        { 0xe8dd150, 0x2c08ff6, 0x2932fc6, 0x18b738c, 0x04513e8, 0x07d5651,
+          0xaa40a17, 0x0ca5cff, 0x01baa8f, 0xd486341, 0xb72b79e, 0xfb20faf,
+          0x654020f, 0x1a051e5, 0x4e17f23, 0xe3b3317 }
+    },
+    {
+        { 0x4de9428, 0x0591048, 0x5abdf97, 0x620542a, 0xa16a4d1, 0xaa0eded,
+          0x6d65bb9, 0xa93f71c, 0xb8dfaf9, 0x88be135, 0x57ca8ee, 0x1d9f4e5,
+          0x26781ad, 0x4c896aa, 0x6c6c49f, 0xd3fbe31 },
+        { 0x2c34c3d, 0x088d852, 0xbadff1e, 0xbb6d645, 0x385450d, 0xe3080b8,
+          0x50ab1f3, 0x5ccc54c, 0xac0657d, 0x4e07e6e, 0xb7ef2c0, 0xa7ba596,
+          0x73a81e9, 0xcceca8a, 0x8284c35, 0xa0b804c }
+    },
+    {
+        { 0xf17a6a2, 0x7c55956, 0x789cfa8, 0xb451d81, 0x2506eaa, 0xdf414e8,
+          0xae96562, 0x6ef40fb, 0x0e0297e, 0x63ea283, 0x73c46fa, 0xf5df26e,
+          0xaac8bce, 0xe00641c, 0x64371f3, 0xc89ed8f },
+        { 0x793202e, 0xd22b08e, 0x875cb50, 0x39a9033, 0xf85ddb4, 0xe64eec0,
+          0x7acf7b5, 0xdce45a7, 0xb9b802d, 0x39d1e71, 0xbd559ac, 0xafdfe7c,
+          0x809eeb5, 0x17ec1f8, 0x4889b8c, 0x8c0e38a }
+    },
+    {
+        { 0x17089da, 0x47eabfe, 0xec90c50, 0x2d18466, 0x5861531, 0xa511aa4,
+          0x8c39b39, 0xebb3d34, 0xf1b5282, 0xa0ac4da, 0xa9dadba, 0xea26be7,
+          0x554d86e, 0x8992ba8, 0xd5f2ef5, 0x7fcbdb6 },
+        { 0x56863e7, 0x320e79b, 0xa7dce2d, 0xeb9d0c0, 0x784cbc6, 0xb9f4031,
+          0x7ac1f81, 0x68823ee, 0x9d87497, 0xa6b6f4f, 0x57f9b6e, 0x83c67b6,
+          0x0fef2a7, 0x3735747, 0x59596e2, 0xf38028f }
+    },
+    {
+        { 0x7e82886, 0x9ea57ab, 0x48c44d5, 0x18221c5, 0x314a24f, 0xbf8e6cf,
+          0xfd025e5, 0x70ff18e, 0x5334468, 0x08d03de, 0x7404fb7, 0x2b206d5,
+          0x55e36b0, 0xb923271, 0xb88ddd9, 0xcc7604a },
+        { 0x4a746f0, 0x3df5152, 0x168e3fc, 0x8fdebd8, 0x7f8c32c, 0xffc550c,
+          0x148743e, 0x1dbbc17, 0xb88e18b, 0xd48af29, 0x750027c, 0x8dca11c,
+          0x1832be3, 0x717f9db, 0x2b06019, 0x22923e0 }
+    },
+    {
+        { 0xc1cc4d3, 0xd4e06f5, 0x2b4f03a, 0x0fa32e3, 0xc4628d0, 0x956b9af,
+          0x939dad1, 0x95c39ce, 0x8a00416, 0x39d41e0, 0x6fb01aa, 0xfd7ff26,
+          0x45af340, 0xc6033d5, 0x8e36584, 0x2f65542 },
+        { 0x8dff960, 0x14cfb1f, 0xda81474, 0x7236ffc, 0xd452d0f, 0xc6a6788,
+          0x77f6094, 0x2ad4a52, 0x07eea74, 0x369d65a, 0xd6229aa, 0x27c6c38,
+          0x8863976, 0xe590e09, 0xb38b142, 0x361ca6e }
+    },
+},
+{
+    {
+        { 0xdfeb7ef, 0x6803413, 0xd3f4fad, 0xb669d71, 0xc941606, 0x5df402a,
+          0x8e6c5b7, 0xe5d1776, 0x92ab236, 0x131bcb3, 0xce2e0e0, 0x7f1fb31,
+          0x9e98c35, 0xa2c020d, 0xf28657b, 0x33b23c0 },
+        { 0x9cf7879, 0xed14e73, 0xb4357b3, 0x10d4867, 0x31e4e04, 0x127cea3,
+          0xaa5f8a7, 0xc60d25f, 0x025b987, 0xfef840a, 0x66f2a0a, 0x78081d6,
+          0xac36198, 0x0fa0b97, 0x134dc9f, 0xe0bb919 }
+    },
+    {
+        { 0xcc32eae, 0xc1d2461, 0x0f79a37, 0x0fdbfdf, 0x1c95f02, 0x70f2bc2,
+          0x372cddf, 0x7d68bec, 0x8439342, 0x44f7817, 0x4843a6c, 0xa3d5678,
+          0x07f8959, 0xbadf77a, 0x73db4ca, 0xf458198 },
+        { 0xd54f805, 0xe8eaaf3, 0xb84c1e7, 0x2f529d1, 0x21e535c, 0x404e32e,
+          0x159b5f5, 0xabac85c, 0xb00466f, 0x4e8e594, 0xc941873, 0x40fcaab,
+          0xbe407c6, 0x3b4e370, 0x5b2e58d, 0xccd5788 }
+    },
+    {
+        { 0x88b74a8, 0x3ee615e, 0xeab4e69, 0xd7d6608, 0xe4ace36, 0x27cf9f1,
+          0x7aebabb, 0x282359e, 0xf6d162f, 0x96e509b, 0xf1a290a, 0xad906f3,
+          0x1314a58, 0xe7d6c4f, 0x218431d, 0xeecffe4 },
+        { 0xe2cfed9, 0xa66e0e9, 0x71f0544, 0xb0887ec, 0xa04c5d7, 0xd34e36b,
+          0xed4392d, 0x094daa5, 0xc8aa925, 0xcda83ad, 0xb979786, 0x1adef91,
+          0xfddc5d6, 0x3124dcb, 0x0b70c14, 0x5cc27ed }
+    },
+    {
+        { 0x0eac2d8, 0x386dbc0, 0xc50ca30, 0xa716ecb, 0x80d9f04, 0x9e3fc05,
+          0xcfeaceb, 0x37dde44, 0xa3522d5, 0xd88d74d, 0x2cf239a, 0x6bb9e9f,
+          0xa7cbfec, 0x9e7fb49, 0x0a5c0ef, 0xe1a75f0 },
+        { 0xfb9229d, 0x6e434e7, 0xc8a79b3, 0x0ec6df5, 0xd3fb311, 0x7046380,
+          0x52e20fa, 0xe957ef0, 0x9ef4614, 0x0f4fe9a, 0x54d8f2b, 0x1b37d9c,
+          0x39d84a2, 0x23b2dc1, 0x724e713, 0xf62c4f6 }
+    },
+    {
+        { 0x747e219, 0xbd6922c, 0x3869b7b, 0x34d1438, 0x96f2272, 0x8c875a5,
+          0x3fe361e, 0xd9602c0, 0x744839f, 0x081348f, 0x61ac1f1, 0x61bd16c,
+          0xd8da4e1, 0x993b727, 0x7741271, 0xbb40ba8 },
+        { 0x81dcfff, 0xe6dcc98, 0x93ce616, 0x9f513f5, 0x618cd8f, 0xdc09683,
+          0x26639be, 0xc3b1d10, 0xc762ee2, 0xe8f149f, 0xb244aae, 0x59f26ef,
+          0x693dd96, 0x3f2de27, 0x9c3a7de, 0xd8b68f7 }
+    },
+    {
+        { 0x970bd5b, 0x6fa20b9, 0x75f6179, 0x87242d7, 0x72d9308, 0xa95a6c6,
+          0x37a8a58, 0x6eb2518, 0xc59562c, 0xfdea12a, 0x20f1fc3, 0x4419c1e,
+          0x9d66788, 0x0c1bd99, 0x32c0547, 0x4b74288 },
+        { 0xdf479ab, 0x4f38acc, 0xc52a942, 0x01f6271, 0x02ca9a7, 0xe3298f4,
+          0xb718fc8, 0x533daca, 0xb093ca8, 0x133602a, 0x8f98104, 0xc04da80,
+          0xaf08620, 0xd0f2e23, 0x178b164, 0x882c817 }
+    },
+    {
+        { 0xec30a71, 0x28e6678, 0xf78aca1, 0xe646879, 0x88fa078, 0x868a64b,
+          0xfee3433, 0x671030a, 0x87c0211, 0xb2a06bb, 0x46c406a, 0x202eca9,
+          0xe4f0f59, 0x64d6284, 0x3c9f907, 0x56ae4a2 },
+        { 0x1dcc100, 0x5abbb56, 0x07c7784, 0x6fef6cf, 0xdb7302d, 0xb6e25cd,
+          0x42980e8, 0xa26785b, 0xfb96801, 0xe7d4043, 0x8e4282b, 0x46df55d,
+          0xc602d6e, 0x9c0a5f5, 0x75dfe29, 0xf065604 }
+    },
+    {
+        { 0x3dcbc90, 0x0e82a1a, 0x656feac, 0xb1ee285, 0x0d3d3b2, 0xfa4353b,
+          0xdd5c5df, 0xc2e7a6e, 0x416ce53, 0x13707e1, 0x87ebc07, 0xc84ce07,
+          0x8a9a834, 0xdd273ce, 0x5e8e1e7, 0x432a617 },
+        { 0xbd0064a, 0xa359670, 0x6534516, 0xc899dd5, 0xdb27169, 0x666560e,
+          0xa19a068, 0x1537b22, 0xeac7527, 0x3420507, 0x6fc13a7, 0x479f25e,
+          0x1bc19b3, 0xc847acc, 0x0b20d45, 0xecdecf0 }
+    },
+},
+{
+    {
+        { 0x4acea57, 0x6f24100, 0xda68597, 0xdace1c6, 0x50ce77f, 0xea7dd41,
+          0x1585884, 0x1aecb84, 0xea4a85c, 0x92ff208, 0x88eebd2, 0xde9433c,
+          0x3f4d289, 0x53cd318, 0x26539af, 0x3970858 },
+        { 0xb827d87, 0x4b57599, 0x3d77638, 0xdc82ac0, 0x52f6e61, 0x6943366,
+          0xad5e8a6, 0xb8fc4b0, 0xf388642, 0x1b6f7dc, 0xa74dd57, 0x6f24533,
+          0x41750cf, 0xc669378, 0x28a37af, 0x06757eb }
+    },
+    {
+        { 0xc133995, 0x0e70d53, 0x7c8c97d, 0x88a5e0c, 0x85f3be3, 0x4e59dbf,
+          0x0e92698, 0x0f364ac, 0xef6940f, 0x3a1e79b, 0xd85d23a, 0xc8a3941,
+          0x9a00e58, 0x143bb99, 0xc6f2f10, 0x61cf7d6 },
+        { 0x85150fe, 0x979c994, 0x59d773f, 0xcfd0df2, 0xaab7bcd, 0xce97b9d,
+          0x6afd8fc, 0xc9fff8e, 0x89a4628, 0x246befd, 0x1567090, 0xf630282,
+          0x6749c58, 0x1539342, 0xa0f3fd3, 0xff47d0e }
+    },
+    {
+        { 0x35f6706, 0x09b0bfd, 0x2c82e69, 0x7464581, 0x50d5fe9, 0xb60729f,
+          0x95c74f1, 0xf133245, 0xbb76c89, 0x33647e3, 0x5a9afcc, 0x0126404,
+          0x0f154ab, 0x46d57ee, 0x25680a4, 0x2efa555 },
+        { 0x5329d90, 0x12ebfc6, 0x79800af, 0xcb37ae5, 0x6f8e310, 0x5bb5349,
+          0xf1bb936, 0x9b59c63, 0xf4610e9, 0x5b49baa, 0x4f2d6ac, 0x2bbeeef,
+          0x0badc67, 0x87ee21e, 0xf1ddfa0, 0x12e2aad }
+    },
+    {
+        { 0xa9109ee, 0x5b4668f, 0x8a6cea2, 0xfa95133, 0x4068e16, 0xe45e6fc,
+          0x0205ed8, 0x8ae9a0c, 0x679b79b, 0x2993b96, 0xed604d3, 0xc6b878f,
+          0x32c77f3, 0x01d0208, 0x495a1ab, 0xd45d890 },
+        { 0x29d2030, 0x99348fa, 0x61f8f7a, 0x961f9a6, 0x674f74b, 0xfd53212,
+          0xb3e72bc, 0x45cee23, 0xb77e2d5, 0x3fccb86, 0x4219cb7, 0xdff0310,
+          0xc056871, 0x233771d, 0x7d2c521, 0x1214e32 }
+    },
+    {
+        { 0xff2a8e1, 0x9f51e15, 0x138bc70, 0x86571c5, 0x0c09d46, 0xbfc4caf,
+          0xc2a0c18, 0x65e33fe, 0x426867d, 0x8214392, 0x80ae4ed, 0x51ce6c0,
+          0xb110de6, 0x6cbe8d7, 0xfd22ea4, 0x7f6e947 },
+        { 0xcadefc4, 0x7373a75, 0xb0c682f, 0x6fca1d2, 0xf3c7c1e, 0xcd2140d,
+          0x558b7a5, 0x8653a37, 0x55eb321, 0x653e74e, 0xc31af73, 0xbe0c6b3,
+          0xf4fc365, 0x3376379, 0x71add4d, 0x3570b37 }
+    },
+    {
+        { 0x83c3494, 0x9061ec1, 0x677bc95, 0xaf2f28d, 0x3bf8768, 0x6fe7279,
+          0x0fa86d8, 0xc5f50e3, 0xa3293ce, 0x6c03060, 0xe2355a6, 0x4d53357,
+          0xe4df931, 0x43a59ea, 0x13b79c6, 0x6f48f5d },
+        { 0xddc5192, 0xa4d073d, 0xa65773f, 0x6d0e318, 0x765de9e, 0x1008792,
+          0x39a0375, 0xa724ed2, 0x97d7c9e, 0x510ff14, 0x5baa863, 0x251f622,
+          0x648a351, 0x86464fe, 0xd50fd91, 0xf85e98f }
+    },
+    {
+        { 0x86ee987, 0x29c9634, 0x10dcc9f, 0x93e8e52, 0xc910b1f, 0xa1fc4d1,
+          0xfeb603e, 0x015acac, 0x0844a5f, 0xc9f25f8, 0x73f4dac, 0x50de93c,
+          0x310a4aa, 0x1758783, 0x358f106, 0x544d570 },
+        { 0x1dc68ca, 0x4eeec7b, 0xe00fbcb, 0x6238e6f, 0xb4e83c9, 0x34d394c,
+          0x2292656, 0x764ffa2, 0xf641f2e, 0x5614cd1, 0x9e07234, 0x4252eb6,
+          0x68d2ba4, 0xcbaef45, 0x8a98b17, 0x8c9c550 }
+    },
+    {
+        { 0x4106140, 0xf235d9d, 0x9eb601e, 0x1bf2fc3, 0x375e0c3, 0x6fb6ca9,
+          0xc0024d2, 0x4bf5492, 0xeb54cc6, 0x3d97093, 0x5c90cb5, 0xc60931f,
+          0xfbe0f1a, 0xfa88808, 0xd33e7d4, 0xc22b83d },
+        { 0xc0abbf5, 0x9cfec53, 0x93723df, 0x52c3f0a, 0x39b96b6, 0x0622b7e,
+          0x1667270, 0x300de28, 0x9ef426a, 0x50b66c7, 0xc6eb295, 0x8849189,
+          0x8914a7e, 0xeaec3a9, 0xc4c99e0, 0x7ed56b0 }
+    },
+},
+{
+    {
+        { 0x687e557, 0x7926403, 0x5310017, 0xa349816, 0xd43a8fd, 0x1b06e91,
+          0x6ac23cb, 0xf201db4, 0x4f48750, 0x6f172ad, 0xe74bd3e, 0x5ed8c8c,
+          0xdaba648, 0x492a654, 0xa9b64ff, 0x123010b },
+        { 0x6e89f93, 0xa83125b, 0x398378a, 0x3a3b0b0, 0x0aebe7c, 0x9622e0b,
+          0x49512a4, 0xb9cbfdc, 0x6aaf12a, 0x13edffd, 0x9f5eafd, 0x555dff5,
+          0x1212efa, 0x3cba6fe, 0xd9bb0f8, 0xd07b744 }
+    },
+    {
+        { 0x9a48920, 0x45732b0, 0x13ff36d, 0xf3080fc, 0xde8f950, 0x9347395,
+          0x382b897, 0x14d025a, 0x04d72ad, 0x60c5a74, 0x11a9c71, 0x30be7e5,
+          0x31ac33a, 0x43ffabd, 0x35cbb14, 0x97b06f3 },
+        { 0x7740de9, 0xe4ff5c5, 0xaacf81e, 0x5fed090, 0xe8b7c9d, 0x97196ee,
+          0x045910b, 0x316dcd1, 0x5ad8c63, 0x7a2b2f5, 0xc5b03bb, 0x674fffd,
+          0xe65953c, 0xc1cd133, 0x0a83556, 0x3c06052 }
+    },
+    {
+        { 0x091c23d, 0x797c3f6, 0x39c9c05, 0x2ea2de3, 0xa31f67c, 0x5d958b4,
+          0xd5f088c, 0xf97afe5, 0x0b37243, 0xbcfbd2a, 0xeca630c, 0xc43ad3e,
+          0x42845e0, 0xb92a337, 0xa9a0f16, 0x970bff7 },
+        { 0x5970a79, 0x8635511, 0xf205928, 0xcee332e, 0xc04c208, 0x2c58d70,
+          0x3f5e5bf, 0xdbfe19a, 0x8e51c56, 0x8f8f2c8, 0x8e2da75, 0xb61f58e,
+          0x624d93f, 0x4046a19, 0xe1f9538, 0x7de64db }
+    },
+    {
+        { 0xc2d850e, 0xd018e1c, 0x63a723c, 0x8cdb643, 0x90a42af, 0x9a65abe,
+          0x16f20cc, 0xfeece96, 0xd5cff56, 0xc906800, 0x3f0deed, 0x0acf23a,
+          0x728dd3a, 0x2143061, 0xb8ce34c, 0x66276e2 },
+        { 0x73cc9c7, 0x23700dc, 0x5b1778b, 0xdb44851, 0x4aab669, 0x330f41e,
+          0xf5282a4, 0x2f5aabc, 0x30f9e01, 0xff837a9, 0x901cc98, 0x1a1eb2f,
+          0xe69bd7f, 0xd3f4ed9, 0x8a72a7d, 0xa6b1141 }
+    },
+    {
+        { 0x9ea3b43, 0x34bde80, 0x5ced6ae, 0x5ddcb70, 0x95a6cb8, 0x8257f5b,
+          0xc77dcb8, 0xaac205d, 0x035b397, 0x77d740d, 0xcf7e0a6, 0xca7847f,
+          0x085601b, 0x9404dd6, 0x457e4f9, 0x0a5046c },
+        { 0xbc11470, 0xcaee868, 0x005c5f6, 0xb118796, 0xec79173, 0xcc04976,
+          0x21f6827, 0x7f51ba7, 0x486ff7e, 0xa8e3f0c, 0xf87838c, 0x327163a,
+          0x6d039fd, 0xcf2883e, 0xdb8b0e2, 0x6fb7ab6 }
+    },
+    {
+        { 0x620d669, 0x8ca5bac, 0xed7caa9, 0xff707c8, 0x927909b, 0xdaefa2b,
+          0x7029da3, 0x1d2f955, 0x6d131a0, 0x52a3ba4, 0x3ab1041, 0xe5a94fd,
+          0x99bc0ae, 0x5089177, 0xfa1bd16, 0xf750354 },
+        { 0x6cd31fd, 0xdd4e83a, 0x92fac84, 0xd335053, 0x1691382, 0xf914cbc,
+          0xda6ade6, 0x669683f, 0x8878513, 0x6944643, 0x4b1a72d, 0x429d3cc,
+          0x61eec36, 0x655c46a, 0x4bc4970, 0x881eded }
+    },
+    {
+        { 0x7ca647f, 0x5b39d37, 0xe917b34, 0x41533c1, 0x7daf734, 0xea2aeb5,
+          0x1286560, 0xf1ef1eb, 0x08e0473, 0x582f2e0, 0x5edc74a, 0x5913d7d,
+          0x3c1e754, 0x588c7ec, 0x7146fe1, 0xbd6db05 },
+        { 0x7634907, 0x3b0d49e, 0xe43b9cc, 0x4c65ce4, 0x2d92d5b, 0xb87e958,
+          0x7ab1519, 0x0513572, 0x8c3aed0, 0x03ec084, 0x561a641, 0x4d7aa21,
+          0x99e92ad, 0xe5f8211, 0x48a457c, 0x379b55f }
+    },
+    {
+        { 0xd6a8442, 0x8317c34, 0xae499da, 0xb0ab4a5, 0x720e8eb, 0xebcb16e,
+          0x9a96908, 0xfd5c563, 0xad23acf, 0xcab4d67, 0xbcdf748, 0xa600a79,
+          0xa2a6a51, 0x18a6340, 0x3aabd69, 0xf2f415c },
+        { 0x747258a, 0xdb38a4f, 0x2e24415, 0xb6ea560, 0xf1f7655, 0xfad1ea9,
+          0xc957684, 0x4e27eb5, 0xb2e1cfc, 0xf8283e1, 0xaa6291c, 0x8f83bd6,
+          0x5619e84, 0x28d23b5, 0x93770a4, 0xb9f34e8 }
+    },
+},
+{
+    {
+        { 0x7515fb1, 0x1bb8437, 0x7b860a6, 0xac73f2a, 0x22b390f, 0x78afdfa,
+          0x66048aa, 0x815502b, 0x85bf620, 0xf513b97, 0x3fc5d7c, 0x2524e65,
+          0x178c969, 0xa10adc0, 0x5391c8d, 0xa1d5396 },
+        { 0xa8bcc45, 0x09fccc5, 0x7710e1e, 0xa1f97d6, 0x897d0a1, 0xd694442,
+          0x5f42400, 0x7030beb, 0x7127908, 0xdebe08c, 0x2187637, 0x96b715c,
+          0xb528129, 0xc598250, 0xa1ccb07, 0x0f62f45 }
+    },
+    {
+        { 0xb765479, 0x8404941, 0x5837dc4, 0xfdecff4, 0xadbd465, 0x1796372,
+          0x3159806, 0x5f84c79, 0x6aaad34, 0x6d2e46b, 0x384b375, 0xd303b4a,
+          0xb392002, 0x440acd5, 0xc475e87, 0x4f2a4a7 },
+        { 0x5606fc2, 0x038e1da, 0x9c2f050, 0x2d821c2, 0xf139db4, 0xc074cb3,
+          0x4ec59be, 0xde2fee7, 0xa84ed59, 0x5a819ee, 0x3e98711, 0xd65c62c,
+          0xb9723c1, 0x72eb440, 0x01be611, 0xb927754 }
+    },
+    {
+        { 0xab9e9fc, 0x929fe64, 0x0bf1e85, 0x04379fd, 0xbc28ee3, 0xb322093,
+          0xe4555e1, 0x78ac4e2, 0xabc5588, 0xdb42b58, 0x77c8b12, 0x1c1b5e1,
+          0x40366c4, 0xf6d78dd, 0xbdae22e, 0xc21ff75 },
+        { 0xa211df2, 0x1e3d28e, 0x3617c0a, 0xc5a65a1, 0x58140d5, 0x3fa02c0,
+          0xb62d10c, 0x155c346, 0xe48268f, 0xc9cf142, 0x1993bc3, 0xdc14083,
+          0x0ee69dc, 0x07c44d4, 0x5e2ac46, 0x6169950 }
+    },
+    {
+        { 0xd0fb585, 0x44e4a51, 0xf1f3ce8, 0x00846be, 0x8e2de1e, 0xedef39a,
+          0x33b3934, 0x430afe3, 0x4337188, 0xac78b05, 0xc9a3f24, 0x0f39de4,
+          0xc9ae6a4, 0x039eddd, 0x8eacd51, 0xf470157 },
+        { 0x9a2f31a, 0x1e39694, 0xb19a8b1, 0xc8a40f4, 0x9d239d8, 0xdddd10c,
+          0x887e066, 0xf974245, 0x3ea28c6, 0xfdb5111, 0xe1122a9, 0xb5af0fb,
+          0x36e0267, 0xd30c89f, 0x74f024c, 0x7b1c0f7 }
+    },
+    {
+        { 0x07a39bf, 0x1ec9956, 0x3a68d15, 0x1c3ecf2, 0x4f59fe9, 0xd8a5c4e,
+          0x271abc3, 0xacb2032, 0x71ef239, 0xbc6bdf0, 0xb39b391, 0x660d7ab,
+          0xb627a0e, 0x2e73bb2, 0x248fc7e, 0x3464d7e },
+        { 0x1666760, 0xaa49249, 0x8582659, 0xa257b6a, 0x5593089, 0xf572cef,
+          0x73ca6bf, 0x2f51bde, 0x764cff5, 0x234b63f, 0xd411a35, 0x29f48ea,
+          0xafe1db1, 0xd837840, 0xd9f4c4b, 0x58ec0b1 }
+    },
+    {
+        { 0x5e6f3dc, 0x8e1deba, 0x06a5ff7, 0xc636cf4, 0xc80ca0f, 0xe172b06,
+          0x5ffb90a, 0x56dc098, 0x9a05e83, 0x895c218, 0x7561ac2, 0x6ddfaec,
+          0x96283a0, 0xaa35749, 0x7e7cd43, 0x6dfb262 },
+        { 0x2c8ca27, 0x6576de5, 0x49018eb, 0x6a4a872, 0x5c34342, 0x00c275c,
+          0xd2d90c4, 0xe34805a, 0xd8743c4, 0x651b161, 0x7312bf3, 0xb3b9d9b,
+          0x0bf7e00, 0x5d4b8e2, 0x78d3d7e, 0x8899bdf }
+    },
+    {
+        { 0xfaa9cd1, 0x9644ad8, 0x6e0e58e, 0x34c98bf, 0x404c637, 0x6022aad,
+          0x7ac013b, 0x2a11a73, 0x5540899, 0x5bdd103, 0x1e022a4, 0x2e67572,
+          0xb834c33, 0xe32045d, 0x2f2d01c, 0x74a260c },
+        { 0xc48841c, 0x20d59e9, 0xe560359, 0x05045dd, 0xac998ac, 0xeba779c,
+          0x00a6218, 0x5bed10c, 0x5327ef4, 0x25d4f8e, 0x4597794, 0xa278474,
+          0x831d11e, 0xefd68ca, 0x934446a, 0x9ad370d }
+    },
+    {
+        { 0x73c92ac, 0x3089b3e, 0x957a75c, 0x0ff3f27, 0xd676f50, 0x843d3d9,
+          0xd496d43, 0xe547a19, 0x8e924a4, 0x68911c9, 0x85b5522, 0xfab38f8,
+          0x83e0ac5, 0x1048811, 0xdc788c4, 0xcaccea9 },
+        { 0xe3c6aad, 0xfbe2e95, 0xb3a6cf1, 0xa7b3992, 0x87d78b1, 0x5302ec5,
+          0x1826100, 0xf589a0e, 0x8610632, 0x2acdb97, 0x9232b26, 0x1e4ea8f,
+          0x9c09a15, 0xb21194e, 0x849b909, 0xab13645 }
+    },
+},
+{
+    {
+        { 0xf3a71c1, 0x92e5d6d, 0x297d661, 0x349ed29, 0x1713fc9, 0xe58bd52,
+          0xb9ddfb5, 0xad999a7, 0x3c28ce0, 0x271c30f, 0x2a9d460, 0xf6cd7dc,
+          0x207dec7, 0xaf728e9, 0xfcb8bf0, 0x9c2a532 },
+        { 0x68bf486, 0xd702184, 0x7ab8ea8, 0x73b45be, 0x1795c93, 0xddfc658,
+          0x6bb8da2, 0x7941660, 0x88e07a2, 0x658f197, 0x26d3d12, 0xa9d5b08,
+          0x9535b52, 0x4d7c95f, 0x268ef8a, 0xad55e25 }
+    },
+    {
+        { 0xa2bc326, 0x94a9b0b, 0x167e5f3, 0x485ecc5, 0xc97fc74, 0x8340bc7,
+          0x07aaa5c, 0x06f882b, 0x849698a, 0x4b57455, 0xb36a0ba, 0xd9281eb,
+          0x8b8108f, 0x8918c6c, 0x5b50d1d, 0xedd1eea },
+        { 0x2a25f50, 0x94d737d, 0x2446ad0, 0x0e5a823, 0x7ced3e2, 0x02a5435,
+          0x4af8ced, 0xb09a92a, 0xeeecef2, 0x85fc498, 0xe71e3d4, 0x06a02b9,
+          0x84bb49a, 0x00ad307, 0x64a5b4a, 0xf61585e }
+    },
+    {
+        { 0xb86a4c9, 0x915f6d8, 0xa861e1f, 0x944bc6b, 0x54465ef, 0x3091ca7,
+          0xeb53a38, 0x11df859, 0x0144679, 0xd44dde5, 0x0994edd, 0x6c8da9a,
+          0x91241ef, 0xeebcebf, 0xc2f6859, 0xc419354 },
+        { 0x49581b6, 0x1f49693, 0xbb26cb4, 0x5712b10, 0xb09fd59, 0x8fcaa41,
+          0x72e22e3, 0xbd39aad, 0xb1199b0, 0xf70e794, 0xc6f863d, 0xdf63c0c,
+          0xee9df4f, 0xd58166f, 0xc45e70b, 0xb9224ea }
+    },
+    {
+        { 0xce525f4, 0x80072fa, 0x66a5502, 0x8597bd6, 0xdbc9725, 0xf65e203,
+          0xf2222a4, 0xeccfbe3, 0x2339834, 0x490aa42, 0x62489e8, 0x1348891,
+          0xa735084, 0xaff3f80, 0xf3f1bd6, 0x69d53d2 },
+        { 0x813341a, 0xb123ffc, 0x1173848, 0x359084c, 0xd29b08d, 0x751425e,
+          0x3890ad4, 0x1edda52, 0x607cf20, 0xb64974c, 0xb42ac7c, 0xa8c8cb8,
+          0xedd42e5, 0xd5cb305, 0x44c090a, 0xf3034dc }
+    },
+    {
+        { 0xbb18e19, 0x428921d, 0xfed2127, 0x4cfd680, 0x92ac8c3, 0x671144d,
+          0x132c894, 0x2121901, 0x7604cd9, 0x25d0e56, 0xafbc2a0, 0xa372223,
+          0x56c16f7, 0xcf98a52, 0xb5459e1, 0x71f129a },
+        { 0xb668b2e, 0xf4afdc5, 0x0c2d410, 0xc5d937a, 0x285d54a, 0xe2cc4af,
+          0x8c53e18, 0x1c82777, 0x69a92f6, 0x270f2c3, 0x616327a, 0x799f9ac,
+          0xd4246f2, 0xce658d9, 0xfb12e36, 0x0fb681f }
+    },
+    {
+        { 0xe0690fe, 0xc5ab11e, 0x3f74249, 0x80261e3, 0x58c1cf2, 0x8eb4b47,
+          0x184ae9b, 0x4895a80, 0xd3e27eb, 0x4a4bdb6, 0xbfd251c, 0xa7a1638,
+          0x417a7e3, 0x29ec144, 0x3f1b960, 0xd073609 },
+        { 0x49c73d1, 0xcb1ed83, 0x8d1945a, 0x33fc84a, 0xe965118, 0x9f668db,
+          0xa82811f, 0x3331743, 0x28ba540, 0xf394dec, 0x654a454, 0x44ce601,
+          0x3623645, 0x240dbb6, 0x2e61048, 0xf07e7f2 }
+    },
+    {
+        { 0x3d45213, 0x7c9f176, 0x9c1f77f, 0x3eefa70, 0x1b48350, 0xde3c3c5,
+          0x9d481a7, 0x4a2bc64, 0x7874f3d, 0xfd4a58a, 0x037b302, 0x96655d4,
+          0x68bf5ab, 0x9452528, 0x75177f6, 0x1b6d46a },
+        { 0xefb8d00, 0x7de6763, 0xa741b7b, 0xb2c1ba7, 0x7bae6ed, 0xcca6af4,
+          0x5b68b3f, 0xe4378ca, 0xaf71948, 0xfb757de, 0xbc6ac99, 0x7f07b5e,
+          0x27d636d, 0x752a568, 0x4b8a34f, 0xc8b7d1d }
+    },
+    {
+        { 0x325331b, 0x76cb78e, 0xadd2eed, 0x41f41c9, 0x5c5f623, 0x03db238,
+          0x7102fa2, 0xbbc1d17, 0x60182ec, 0x80f137a, 0x55adf15, 0xfdd8569,
+          0xe3373dc, 0x4f53f5e, 0x21b669b, 0xec6faf0 },
+        { 0x0b86081, 0x7d4e983, 0xf2d979c, 0x10d3cd9, 0x24a22c8, 0x0f48f58,
+          0x02f99ee, 0x86c540c, 0x5e6c5fc, 0xf4c6654, 0xbc404c8, 0xaf0c588,
+          0x423118a, 0x2e6edbd, 0x0690eab, 0x86e32e9 }
+    },
+},
+{
+    {
+        { 0xdfbfa6f, 0x1d12656, 0x7646018, 0xa498095, 0xc3597d0, 0x2f1071b,
+          0x1dda80a, 0x3df83f9, 0xf3ae449, 0x5853e28, 0x9e19aad, 0xb853d31,
+          0xa0d8a46, 0x863f01b, 0x2fef108, 0xa84fca6 },
+        { 0xfb84de9, 0xbe4c0b7, 0xc0727bf, 0x40a03dc, 0xb18575c, 0x781f841,
+          0x466cddb, 0x6a63045, 0x05dc7a2, 0x6be7582, 0x07ae811, 0x420f87f,
+          0x3bf96c8, 0x2808242, 0x51c6821, 0x723998c }
+    },
+    {
+        { 0x81f5863, 0x38ab641, 0x05ff9e1, 0xd82ecbd, 0xa065856, 0x339c94e,
+          0xa45156d, 0x143054a, 0x065628c, 0xe6d64bf, 0xa938589, 0xe530086,
+          0x385d79b, 0x22d3a49, 0x0ab8245, 0x0b10790 },
+        { 0xca387b5, 0xb0d80fb, 0x35551d7, 0x698206e, 0xa10bb73, 0x199685d,
+          0x9107378, 0xa8e5fa8, 0xd99dbbf, 0x36e5724, 0xd581b03, 0xd67f476,
+          0x88dd1e6, 0x7a15be7, 0xe5baa31, 0x8dac8e4 }
+    },
+    {
+        { 0xe170ef8, 0x4d5d88f, 0x1e9e600, 0xb6ba5de, 0xedeabc5, 0x4a89d41,
+          0x8fac936, 0x737c66b, 0x65c3125, 0x8d05b23, 0xb61b68e, 0x85a5cbc,
+          0x20a6af9, 0x8fea626, 0xd8b50ec, 0x85115de },
+        { 0x6a6f30b, 0x5430c8d, 0x8474295, 0x8bef9cf, 0xbe77f38, 0x0648f5b,
+          0x9e47bd7, 0xfe2b72f, 0x93106e2, 0xad6c5da, 0xfa7a6c3, 0x4fa6f3d,
+          0xb396650, 0xdcd2ed8, 0x1157ef9, 0x7de1cce }
+    },
+    {
+        { 0x1f241d1, 0x70a5f6c, 0x798cd5c, 0x6c354d8, 0x1a729fb, 0x23c7838,
+          0x523cbda, 0xcff8f15, 0x3493697, 0x5683ff4, 0x7534f53, 0xef7dbab,
+          0x2243d53, 0xd7bd08e, 0xf8072a9, 0x6f644cb },
+        { 0xb22db63, 0xac960f9, 0x23af04d, 0xa97f417, 0xd9798af, 0x692b652,
+          0xfedb156, 0x0e35967, 0xdfe6ee8, 0x14b5e50, 0xb411070, 0x7597ede,
+          0x442b3f9, 0x116f3ce, 0x1b2b6db, 0xe9b5ae8 }
+    },
+    {
+        { 0x2315930, 0xf4385ee, 0x27a8740, 0xc8d0298, 0xd934a43, 0x7907a8d,
+          0xc582191, 0x20bc946, 0x6a405e7, 0xa4acb3e, 0x43df2f5, 0x8c1d6c8,
+          0x991f0b5, 0x9df1593, 0x4d9be9d, 0xbb9df98 },
+        { 0x8e4b190, 0x6362008, 0xada3a88, 0xee1421e, 0xf93b027, 0xb84f0cc,
+          0x8e95091, 0x7a5d667, 0xf3e3704, 0x3974462, 0xc593e98, 0xfa6fb5e,
+          0xa6477d2, 0x44b6cf7, 0xb09a562, 0xe885b57 }
+    },
+    {
+        { 0x09a0c02, 0x6e339e9, 0x0e75f29, 0x57afff0, 0xfb7db03, 0x797d8d6,
+          0xd25a236, 0xc6e11a3, 0x0107260, 0x643ce1c, 0x62eae1c, 0xe644ec4,
+          0x3f5a3f5, 0x821d5b8, 0xc0579d6, 0xa8ad453 },
+        { 0x17d43a4, 0x6518ed4, 0x3f87ccd, 0x46e76a5, 0xf9bef95, 0xd6cbaab,
+          0x4f7cbcf, 0x2568832, 0x08476b4, 0x367159a, 0xbe6d324, 0x1d1b401,
+          0xa605026, 0x348cb98, 0x43b6b1e, 0x144f3fe }
+    },
+    {
+        { 0x7b1822c, 0xbabbd78, 0x2aa51f8, 0xd34ba7e, 0x41fbea4, 0x086f1cc,
+          0x746f3d9, 0x96f7eac, 0x281ecaf, 0xad97f26, 0xa14ee2c, 0x751a905,
+          0x0d7335f, 0xb4e7fe9, 0x4892ff0, 0x0d97b8f },
+        { 0x5a5c40e, 0xdb8a315, 0x7ba567b, 0x64e5de7, 0x1eefe88, 0x4f155f7,
+          0xfb6fbf4, 0xe2297e9, 0x6c16be5, 0xfe24bf9, 0xcdd83e2, 0x2251847,
+          0x5eda444, 0x13ac2c8, 0x283275f, 0x49d1b85 }
+    },
+    {
+        { 0x423e08f, 0xca08731, 0x87d2f14, 0x7046bb0, 0x3bc846c, 0x876f10c,
+          0x358fbe3, 0x2202b76, 0x0e26ac6, 0x0d4fc1c, 0xb986881, 0x1fc748b,
+          0x8384a18, 0x609e61c, 0x0d88e00, 0x28a72d6 },
+        { 0x78c6e2f, 0x1332a31, 0xb3526a4, 0x0367919, 0x698fe3e, 0x53989e4,
+          0xb16a99b, 0x14b1145, 0xddbb75f, 0xef9ec80, 0x0e53955, 0x7625624,
+          0x8744ae1, 0x54e087a, 0x672b875, 0xce50e8a }
+    },
+},
+{
+    {
+        { 0xa29629c, 0x4c88b2b, 0x7b2642f, 0x946559c, 0xf7ebe4c, 0x933d432,
+          0x63632c9, 0x97109b6, 0xe53184d, 0x799b3fb, 0x0f069a6, 0xd462871,
+          0x3a68351, 0x0c182a1, 0x9a2437a, 0x974a839 },
+        { 0x2a70278, 0x29f1997, 0xd9c424b, 0x01b98b6, 0x08f4c37, 0xd85a60b,
+          0x2b1da15, 0xcc3523f, 0xddffb0f, 0xf922115, 0xde84ae2, 0xee0fe4d,
+          0x55365be, 0x810440c, 0x1a457e8, 0xd2f6639 }
+    },
+    {
+        { 0xe2ddd05, 0x5e6879f, 0xabdfc61, 0x92a7545, 0xa5cede8, 0x7dedd63,
+          0x70df4bd, 0x8a03b3f, 0x91f6cbb, 0xa5d1f65, 0x10f3fb2, 0x372fde6,
+          0xa9dee05, 0x4537f9e, 0xdf7aa50, 0x7eb85bb },
+        { 0xe8c504d, 0x963edf8, 0xe7bdb6b, 0x53c8dca, 0x6fedf2d, 0xa246e4c,
+          0x0c55bde, 0x7553340, 0x0270a54, 0x2aa748d, 0x05860dd, 0xadb6cf0,
+          0x9b84763, 0x8d31450, 0xeb405ef, 0x626720d }
+    },
+    {
+        { 0x6601328, 0xa3709ae, 0x2ac2478, 0x68e94fd, 0x9d5d247, 0x3879343,
+          0x392c198, 0xfa467af, 0x15df607, 0x49e7b0d, 0x61792a8, 0x8c58122,
+          0x1d3762f, 0x79f7658, 0x244a39d, 0xaa38895 },
+        { 0xc5cd0bc, 0xef60af9, 0xa33b3bb, 0x2b0db53, 0x251015d, 0xe3e0b1f,
+          0xe64489e, 0xc608afc, 0x03651aa, 0xe52b057, 0x1c6f7b9, 0x1dda8b9,
+          0xff41893, 0x833f022, 0x192818c, 0x58eb0a0 }
+    },
+    {
+        { 0xfc7b5a7, 0x6c1300c, 0xa83ab33, 0x6d2ffe1, 0x9c02eef, 0x7b3cd01,
+          0xba60d55, 0x6c64559, 0x19e2f73, 0x2e9c16c, 0xdbe47b1, 0x11b24ae,
+          0x1b8153b, 0xc10a2ee, 0x1e02e1a, 0x35c0e08 },
+        { 0x1dd6f16, 0xa9f470c, 0xf41a290, 0x4ea93b6, 0x25ee03f, 0xac240f8,
+          0xb85aabd, 0x6cd88ad, 0x1be2f8f, 0x378a64a, 0x417bac1, 0xbf254da,
+          0x9231142, 0x7e4e5a5, 0x3b8c057, 0x057aadc }
+    },
+    {
+        { 0x80af479, 0x607c77a, 0x5ccdf74, 0xd3e01ff, 0x101b4c7, 0x9680aaf,
+          0x2fc50a6, 0xd2a7be1, 0xb72d782, 0x92a788d, 0x4640b52, 0x35daf2e,
+          0x39e601c, 0xc170d69, 0x7b25c2f, 0x16e05f5 },
+        { 0x6fe37f8, 0x47a42a6, 0xbeca298, 0xeb74271, 0x179da16, 0x401e11e,
+          0xaa53873, 0xfb8da82, 0x5bb4783, 0xd657d63, 0xfcea0b1, 0x6847758,
+          0x0993154, 0x2f261fb, 0x592853a, 0x868abe3 }
+    },
+    {
+        { 0x35766ab, 0x1a4c543, 0x6f4e4ea, 0xa1c84d6, 0x60ba199, 0x5d737a6,
+          0x98b15a2, 0x4a7b1e2, 0xfd967d3, 0x207877f, 0xc262b4d, 0xcaec82d,
+          0x4f2a37d, 0x0b27849, 0x6ac1711, 0x3478141 },
+        { 0x8fc6856, 0x28e3df1, 0x16d003f, 0xbec03f8, 0xff39ebd, 0x2bd705b,
+          0x2d776d3, 0x1dcb53b, 0x5c0e7ce, 0xabafa7d, 0x4a53332, 0x5b9c8c2,
+          0x9d90214, 0xe9f90d9, 0xc129690, 0x789747e }
+    },
+    {
+        { 0x54e2dfa, 0x94d3c39, 0xafb2a8f, 0x919f406, 0x34e3927, 0x159ef05,
+          0xa165c37, 0xcdb4d14, 0x288f337, 0xa23e5e8, 0x0f90242, 0x95867c0,
+          0xe34e781, 0x2528150, 0x6657b95, 0x104e501 },
+        { 0xbcdda24, 0x695a6c9, 0x23eb5fa, 0x609b995, 0x16a60f8, 0xcbce4f5,
+          0xf084a29, 0xec63f7d, 0x20c811f, 0x3075ada, 0x8c716a1, 0x129a192,
+          0xcd4cd4a, 0xd65f4d4, 0x62188be, 0xe18fa9c }
+    },
+    {
+        { 0xbac60e3, 0x1672757, 0x577144b, 0x525b3b9, 0x887055b, 0x38fc997,
+          0x31e4408, 0x7a77126, 0xcba2fcf, 0x884f173, 0x5962ac0, 0x783cbdc,
+          0x22287dc, 0x4f3ed0a, 0x50e20e6, 0x8a73e34 },
+        { 0xd764583, 0xe7a1cd0, 0x0d58ee6, 0x8997d8d, 0xaa13ed6, 0x0ea08e9,
+          0xcf363cb, 0xed478d0, 0x5b37bf4, 0x068523d, 0x783f13c, 0x8b5a9e8,
+          0x87528a9, 0xde47bbd, 0xcaec313, 0xd6499cc }
+    },
+},
+{
+    {
+        { 0xe09859d, 0x54781bb, 0x7f5e648, 0x89b6e06, 0x7075824, 0xb006dfe,
+          0x0717f68, 0x1731660, 0x0b4efe2, 0x9c86554, 0x5e30d8e, 0xdbdb257,
+          0x3b4d50f, 0xa6a5db1, 0xfa47beb, 0x3b5662c },
+        { 0x89d4a59, 0x9d4091f, 0x550a7dc, 0x790517b, 0xc52965e, 0x19eae96,
+          0xb5ed7a4, 0x1a7b3c5, 0xeb16541, 0x19e9ac6, 0xef66852, 0x5f6262f,
+          0xc4cda27, 0x1b83091, 0x3bf742b, 0xa4adf6f }
+    },
+    {
+        { 0xa5100e7, 0x8cc2365, 0x8592422, 0x3026f50, 0x3d714d0, 0xa4de79a,
+          0x90fcb30, 0xefa0d3f, 0x474ada0, 0x126d559, 0xc94350a, 0xd68fa77,
+          0x0c7cb45, 0xfa80e57, 0x3985fbf, 0xe042bb8 },
+        { 0xfe13dba, 0x51c80f1, 0xcf055d7, 0xeace234, 0x73f95f7, 0x6b8197b,
+          0xdcdbe89, 0x9ca5a89, 0xdfd9896, 0x2124d5f, 0x9e7ca37, 0x7c69556,
+          0x8babb37, 0x58e806a, 0xbaf99ce, 0x91b4cc7 }
+    },
+    {
+        { 0x197e968, 0x874e253, 0x3160668, 0x36277f5, 0x8b95dbe, 0x0b65dda,
+          0xf0872a1, 0x477a792, 0x314268d, 0x03a7e3a, 0x0c805c7, 0xa96c842,
+          0xb7bc4a8, 0xb941968, 0x75db390, 0x79dce30 },
+        { 0x6f4cc14, 0x577d4ef, 0xb5d1107, 0x5b0d205, 0x9f93624, 0x64ff20f,
+          0x5034a2f, 0x0b15e31, 0x8b6f35c, 0x3a0f6bb, 0xe0d0ec5, 0x0399a84,
+          0x0d5d521, 0xd0e5823, 0xcb1dd54, 0xdeb3da1 }
+    },
+    {
+        { 0x182401a, 0x24684ae, 0x21a706f, 0x0b79c1c, 0xd8998af, 0xe1d81f8,
+          0x4bb069f, 0xadf870f, 0xf3dd7aa, 0xd57f85c, 0xe4a40f8, 0x62d8e06,
+          0x8b55aa1, 0x0c5228c, 0xa9c0a1a, 0xc34244a },
+        { 0x68f544e, 0xb5c6cf9, 0xde23ab7, 0xa560533, 0x47c690c, 0xaa55120,
+          0x12aaaa6, 0x20eda5b, 0x751a6a0, 0xea0a49a, 0x2baa272, 0x6d6cfff,
+          0xbf4c28a, 0x95b756e, 0xe6178a4, 0xd747074 }
+    },
+    {
+        { 0x221a94b, 0xa27b453, 0xe635f20, 0xd56ad13, 0x8c95117, 0x03574b0,
+          0xed30b70, 0xf0ee953, 0x957796f, 0xb48d733, 0x58c336b, 0xf5d9583,
+          0x82db529, 0x6170cd8, 0xec9d1ea, 0xcd3ef00 },
+        { 0xe4d105f, 0xd1bea0d, 0xad6a559, 0xd2d670f, 0x52f9690, 0x652d012,
+          0xc2529b0, 0x5f51fb2, 0xe89df2a, 0x5e88bf0, 0xcd686e4, 0x9a90684,
+          0x882c7a1, 0xf519ccd, 0xc2f4d37, 0x933a0df }
+    },
+    {
+        { 0x3f66938, 0x0720a9f, 0xd8149df, 0x99356b6, 0xa3d7f61, 0xb89c419,
+          0x4ba6e31, 0xe658134, 0xab936c8, 0xd130561, 0x40dbef1, 0x0625f6c,
+          0xb6bb847, 0x7b2d6a2, 0x84d506b, 0x3ca8b29 },
+        { 0xfb011b0, 0x6bf729a, 0x33448c9, 0x01c3078, 0x0837420, 0x6ae9508,
+          0xa207fb8, 0xf781a8d, 0x57562a9, 0xcc54d58, 0x858c5ab, 0xc9b7364,
+          0x359908f, 0xdfb5035, 0x9631138, 0x8bf77fd }
+    },
+    {
+        { 0xc13fbb1, 0xf523365, 0x9993ed5, 0x88532ea, 0x5a73492, 0x5318b02,
+          0xe5a8f3c, 0x94bff5c, 0x306c2a0, 0x73f9e61, 0xf2668a3, 0x00abbac,
+          0x076237d, 0x23ce332, 0x34c0f9b, 0xc867f17 },
+        { 0xcfd2136, 0x1e50995, 0xb2b70f8, 0x0026a6e, 0x5077a7d, 0x66cb184,
+          0xa3b498e, 0xc31b2b8, 0x260ec86, 0xc12035b, 0xe1b3df0, 0x1cbee81,
+          0x8d55a42, 0xfd7b804, 0xf47a8c8, 0x912a41c }
+    },
+    {
+        { 0x9e157e3, 0xab9ffe7, 0x44dc158, 0x9cfe46d, 0x8a4a3ef, 0x435551c,
+          0x3b7e3a8, 0x638acc0, 0x49954a7, 0x08a4ebd, 0x13194f7, 0x295390c,
+          0x253892a, 0x3a2b68b, 0x25d5b11, 0xc1662c2 },
+        { 0x3a5d2bb, 0xcfba072, 0xcc327c9, 0xffaf6d3, 0xc67e254, 0x6c6314b,
+          0x2f32208, 0x6661631, 0xbea72e1, 0xf780f97, 0x002122f, 0x495af40,
+          0x7578a99, 0x3562f24, 0x77ce51e, 0x5f479a3 }
+    },
+},
+{
+    {
+        { 0x1a82a12, 0x91a5884, 0x80f3a62, 0xa754175, 0xf73417a, 0x399009f,
+          0x0a8c5cd, 0x2db1fb9, 0xc046d51, 0x82c8912, 0x8f18274, 0x0a3f577,
+          0x26ccae2, 0x2ad0ede, 0x8a4e9c2, 0x7d6bd8b },
+        { 0x4b3de44, 0xaa0d797, 0x96ac9bb, 0xf8658b9, 0x5f6c334, 0x31e7be2,
+          0x4df12c9, 0x23836ce, 0x59eb5c9, 0x029027b, 0x5b8649d, 0x2f22531,
+          0xd907162, 0xa0fdf03, 0x9e80226, 0x101d9df }
+    },
+    {
+        { 0x9a90835, 0xf12037a, 0xf0222a7, 0xd2d0882, 0xc3814e2, 0xeaf8d40,
+          0x8b8146b, 0xa986dc6, 0x8504653, 0x147a331, 0x2feaf67, 0x734e003,
+          0x602bec5, 0x6f27bbf, 0x6a688f3, 0xa1e21f1 },
+        { 0x73c4ae5, 0x5a8eeab, 0xe70b412, 0x4dbaddb, 0xcfd2af1, 0x871ceba,
+          0x7d7a286, 0x1860382, 0xb5bb401, 0x024059d, 0x3c39b73, 0x2557c09,
+          0x6681697, 0xfc5a711, 0x891b57c, 0xf881c0f }
+    },
+    {
+        { 0x8ea191a, 0x3c443f1, 0xd700ad0, 0x76faa58, 0xbe7fcbf, 0x6fe6cfa,
+          0x8990ef7, 0xaefc528, 0x80004cc, 0x44e30fa, 0x6d8ef85, 0xc744adc,
+          0x912df70, 0xafcd931, 0x572a6d8, 0xf62a9d1 },
+        { 0x3219f27, 0x47158a0, 0xad73136, 0x76fb27e, 0xcc2d614, 0x41bb2ad,
+          0xde1ec21, 0x8858cb9, 0x5f15866, 0xab402c4, 0xbc82bbf, 0x6675d5b,
+          0xf1b28d3, 0x4ee9dd6, 0xe373c17, 0x875884f }
+    },
+    {
+        { 0x2a67d36, 0x17806dd, 0x32c9ec1, 0xaa23a86, 0xfc1ee55, 0xd914126,
+          0x653701b, 0xbf8f7bd, 0xea71367, 0x9b0111a, 0xa98e417, 0x61fd4ab,
+          0x561c5a5, 0xeb45298, 0xe7af394, 0x2187b0a },
+        { 0x1616dde, 0x71f12db, 0x07da7b4, 0x0617609, 0x02ddb04, 0x414d376,
+          0x286fb58, 0x1100be7, 0x6f0d95b, 0xd7cf88d, 0x746d703, 0x8539d23,
+          0x4e23d73, 0xdccc9d6, 0xec89680, 0xaeef1d2 }
+    },
+    {
+        { 0x336508d, 0x82ccf1a, 0x5bad150, 0xa128c1f, 0x29a188d, 0x551d8c0,
+          0x771404f, 0xef13dd4, 0xc37b993, 0xdd67696, 0x0dddad2, 0x428c0e2,
+          0x038c94c, 0x222278d, 0x078e3f2, 0x1a24a51 },
+        { 0xedb0db9, 0xd297fe6, 0x8251a87, 0x00988d2, 0xbfaa0d7, 0xbb946f8,
+          0xdf45ea0, 0x380f7b9, 0xafccf5e, 0x8526415, 0xe9ec7bc, 0x909bfbf,
+          0x124755c, 0x2ed7093, 0x89404e2, 0x4368028 }
+    },
+    {
+        { 0x36d9ef1, 0x21b9fa0, 0xe433526, 0xfd64b7c, 0x6544849, 0xd9d7eb7,
+          0xd5b54b3, 0x201620c, 0xbb61159, 0x25fab3d, 0xc53e0d3, 0x90d4eb0,
+          0x9e74772, 0xba09831, 0xec1681c, 0x8749658 },
+        { 0xfec316b, 0xa354349, 0xa743ea2, 0x639a9b1, 0x37c50e6, 0x2e514ca,
+          0xdbaf6c5, 0x9f4a4fd, 0x6f511c9, 0x0df87ef, 0x0c00d95, 0xadd4cef,
+          0xaa1433f, 0x401c0eb, 0xbb38af9, 0x3c3a59e }
+    },
+    {
+        { 0xf0e7dca, 0x8706245, 0x3fb29ca, 0xad238cd, 0x9b7d8f0, 0x0330443,
+          0x154f495, 0xfdcd6e6, 0x7d4ad09, 0xc67e24a, 0x5438390, 0x1b209e8,
+          0xb0c211e, 0xf893b81, 0x7e11e36, 0x1aa86f0 },
+        { 0xedea8b1, 0x2cca3ff, 0x3b306cd, 0x7eedd07, 0x12ee222, 0x78e37bc,
+          0xbc42a1d, 0x257870b, 0x1fbd397, 0x5fb2bb9, 0x09d6c60, 0x4702470,
+          0x20bdc36, 0x11748a3, 0x04280e8, 0x3ff24dc }
+    },
+    {
+        { 0x9839b52, 0x0eb1c67, 0xacfbd32, 0x5bcca27, 0x74898e3, 0xb506c16,
+          0x2489e5e, 0x37d662e, 0xf694887, 0x8dc0731, 0xf43f1dc, 0x571149e,
+          0x66d63dc, 0x6430a37, 0xb50dd70, 0x0d2640e },
+        { 0x3b2675b, 0x2b56149, 0x88c604f, 0x1b48065, 0xaafbabc, 0x55c86a8,
+          0x608aaba, 0xa7b9447, 0x04cad8c, 0xa42f635, 0xcee7788, 0x0f72b1d,
+          0x755d99a, 0x1d68374, 0x5be2531, 0xd7cdd8f }
+    },
+},
+{
+    {
+        { 0xbcdfee1, 0x67873bd, 0xfcd0a3f, 0xa5a0c0a, 0x3cfa3d4, 0x59389f9,
+          0xe1c865c, 0x14e945c, 0x1d588cc, 0x62d2f8e, 0x8e228b4, 0xfd02f8a,
+          0xb42b649, 0x208f791, 0xab397ad, 0x0e0dff1 },
+        { 0x0bc6eb1, 0x30ac3d9, 0x5f313bb, 0xf14f16a, 0xe2a0ad2, 0x70fa447,
+          0x5a0db84, 0x6e40685, 0xe32e1e7, 0xd52282b, 0x15ca330, 0x315a02a,
+          0x867c2fe, 0x9a57a70, 0x0054923, 0x55f0765 }
+    },
+    {
+        { 0xc0cf08f, 0x2d729f6, 0xebaf57f, 0x6b80138, 0x0200c25, 0x6285bcc,
+          0x2cd2ac7, 0xee84519, 0x922778a, 0x28fce4d, 0xcd1011c, 0x761325c,
+          0x5100e47, 0xd01f247, 0xc60d8e1, 0xc7a1665 },
+        { 0x7ceb064, 0x950966d, 0x78420db, 0x0a88e85, 0xe096f29, 0x44f2cfc,
+          0x640f1d2, 0x9d9325f, 0xd2426f1, 0x6a4a81f, 0x9c905ac, 0x3ed6b18,
+          0x008854d, 0xba3c0e2, 0xa0d321b, 0x1df0bd6 }
+    },
+    {
+        { 0x3feb1e7, 0x0117ad6, 0xf1ae02f, 0xa058ba2, 0x31b3f06, 0x5eee5aa,
+          0xafacd4d, 0x540d9d4, 0x1571d91, 0x38992f4, 0xbf2c7de, 0xef2738e,
+          0x92a798d, 0x28bfcab, 0x2286733, 0x37c7c5d },
+        { 0x6470df0, 0xb99936e, 0x8af6a42, 0x3d762d5, 0xc74eec5, 0xa8c357a,
+          0xf13afbc, 0x9917beb, 0xf2dc073, 0x28f0941, 0x6ce7df7, 0x306abf3,
+          0xd6973c8, 0xa3c5f6f, 0x3677632, 0x640209b }
+    },
+    {
+        { 0xe23aef7, 0xee872a2, 0xeb9b08e, 0xb497b6f, 0x3f33c63, 0xfb94d97,
+          0x2b32315, 0x9ea1ff4, 0x49a4166, 0x537b492, 0xab4f8be, 0x89c7fe6,
+          0xdad8f0f, 0xf68007f, 0x71b8474, 0xe56ef0b },
+        { 0x3f333f9, 0x478b2e8, 0xb2607f5, 0x144e718, 0xa4c7ab5, 0x13aa605,
+          0x1d0730d, 0xfc1fc99, 0x5ab3ea1, 0xe7a0437, 0x306d8d3, 0xc59986a,
+          0x702a8b1, 0x24f6111, 0xe040ad2, 0x7741394 }
+    },
+    {
+        { 0x60723a7, 0x34c6a25, 0xf4ea691, 0x8aabd0d, 0x5d7497f, 0x9d676a5,
+          0x7d91fa4, 0x12c0957, 0x6479284, 0x581c7a8, 0xf4fd449, 0xa54f3da,
+          0x4ef44cf, 0x2f89f3c, 0xc9ec97c, 0xfc266b5 },
+        { 0x88b142a, 0xfcd3fbe, 0x4bd69c1, 0x9f3109f, 0xb5f5a6a, 0x08839c0,
+          0x2e68303, 0x63ca850, 0xbba0a74, 0x2f0628d, 0x5d56b54, 0x743cccf,
+          0x13e09fd, 0xbd4b066, 0xde2ba3e, 0x7a8415b }
+    },
+    {
+        { 0xc076ab2, 0x2234a3b, 0x4977a98, 0xd6953e5, 0x31ebe2e, 0xc122158,
+          0xbad78e2, 0x632145f, 0xa5c4b08, 0xd7ba78a, 0x998e32a, 0x6f4ea71,
+          0x3485a63, 0x25900d2, 0x6a5176f, 0x97ac628 },
+        { 0x1093f7b, 0x5df9118, 0xc844563, 0x2bf9829, 0x6272449, 0x525d99d,
+          0xb5c8a18, 0x4281cb5, 0x0544a08, 0x35df278, 0xbaeb8f4, 0xf4c3d2d,
+          0x5230447, 0xc7ff317, 0x5d2fbff, 0x6b4d764 }
+    },
+    {
+        { 0x2b0c9cb, 0x4837f80, 0x8ce8418, 0xb65f816, 0x9fc1428, 0xdf66ea9,
+          0x04ea7e8, 0x9788ee8, 0x8334e3c, 0x9eae900, 0xd6ba1b6, 0xbc91058,
+          0xd7064b6, 0x634aba1, 0x397b368, 0x12d9bb3 },
+        { 0xc413aa8, 0x0645c85, 0xac6b5e3, 0xb09dea6, 0x289a50b, 0x29a620d,
+          0xbbcceb1, 0x104db3b, 0x87b3309, 0x42e4792, 0xec97f01, 0xdfc373e,
+          0xb93f84e, 0xe953f94, 0x052dfbf, 0x3274b7f }
+    },
+    {
+        { 0x1bd6fa9, 0x9d5670a, 0xdb6c4d4, 0xec42fc9, 0x1b42845, 0xaecd4ed,
+          0x1b03549, 0x4eed90e, 0xbbab1fa, 0xeb3225c, 0x28a2816, 0x5345e1d,
+          0x0b77d2a, 0x3741cfa, 0x7ea8caa, 0x712b19f },
+        { 0x661853e, 0x42e6844, 0xe4a6e5d, 0x4cf4126, 0xc3649f6, 0x196a9cf,
+          0xf21b6b1, 0x06621bc, 0x32e29ea, 0x887021c, 0x8c5680f, 0x5703aeb,
+          0x660f6d7, 0x974be24, 0xc71864e, 0xaf09bad }
+    },
+},
+{
+    {
+        { 0xa81b6d3, 0x3483535, 0xca037dc, 0x19e7301, 0x63ddfeb, 0x748cab7,
+          0x6f01a38, 0xe5d87f6, 0x2795cd6, 0xbba4a5c, 0x615c36c, 0x411c5d4,
+          0x706f412, 0xff48efc, 0x4b519df, 0x205bafc },
+        { 0x5227110, 0xfcaa5be, 0x3ad0af0, 0x7832f46, 0x2642b1b, 0x34ef2c4,
+          0x072f822, 0x7bbef7b, 0x923a616, 0x93cb0a8, 0x6d91ba7, 0x5df0236,
+          0x42f7d21, 0x5da94f1, 0xa14e891, 0x3478298 }
+    },
+    {
+        { 0xc831d39, 0xad79a0f, 0x4803c44, 0x24d1948, 0x86aeeb2, 0x4f8a864,
+          0x926f6b9, 0x0ca284b, 0x1acd7cd, 0x501829c, 0x3d12c52, 0x9f6038b,
+          0xf371ef5, 0x77223ab, 0x13bf4de, 0x2e03516 },
+        { 0xb4468cc, 0x7a5a4f2, 0x470ae46, 0xdcea921, 0x11be696, 0xf23b7e8,
+          0x720d6fb, 0xe59ad0d, 0x2983469, 0x9eacac2, 0xc4397ee, 0x4dd4110,
+          0xcbe2675, 0x4ef85bd, 0xaa7c74b, 0xe4999f7 }
+    },
+    {
+        { 0x8ea1e98, 0x031838c, 0x04d96a2, 0x539b383, 0x163956e, 0x5fbdef0,
+          0xce3f52a, 0x6bd4d35, 0x55e897f, 0xe538c23, 0x472dd3f, 0x6078d3a,
+          0xca9f452, 0x590241e, 0xfd7fc07, 0x2bc8495 },
+        { 0xead4c8c, 0x23d0c89, 0x601c66e, 0x1ea55a9, 0x4f5b833, 0x41493c9,
+          0xaa5a978, 0xc49a300, 0x0c69594, 0xc98bdc9, 0xccbdc8c, 0x4e44ced,
+          0x6adccbf, 0xb0d4e91, 0x32c37ae, 0xd56e36b }
+    },
+    {
+        { 0x5b93152, 0x052bd40, 0x4f1dbfa, 0x688b1d4, 0xbe5cc5f, 0xe77ba1a,
+          0xa6ac543, 0x11f8a38, 0xe4bb988, 0x3355fd6, 0xf8dffb4, 0xdf29c5a,
+          0x81f20ee, 0x751f589, 0xda9b7fb, 0x22a0f74 },
+        { 0x6397b49, 0xec8f2bc, 0x3639201, 0xff59fc9, 0xa048264, 0xb7f130a,
+          0xafdc4cc, 0xe156a63, 0xb13acaf, 0x0fd7c34, 0x0cb4999, 0x87698d4,
+          0x7f26f24, 0x6d6ecae, 0x0f296e2, 0xae51fad }
+    },
+    {
+        { 0xdd0f58d, 0xd0ad5eb, 0x5c67880, 0x6ec6a2c, 0x9af1e0f, 0xe1ce034,
+          0x3996d32, 0x0801485, 0x5e69d20, 0x59af51e, 0xaa48ecf, 0x0ef743a,
+          0x7dafcb0, 0x8d3d2ea, 0x89189b6, 0x4ac4fad },
+        { 0xeae97f1, 0x92d91c2, 0x62b4662, 0xef5eca2, 0xb38b10a, 0x440b213,
+          0xfc661da, 0xec90187, 0xf64cf8d, 0x85f3f25, 0x457ad1b, 0xcee53ca,
+          0xf517672, 0x8deed4b, 0x4761828, 0x7706fb3 }
+    },
+    {
+        { 0x17494fe, 0x1577d91, 0x2fd7239, 0x52d29be, 0x0186d37, 0x9a0eef0,
+          0x27fe108, 0x241d0f5, 0xe6fb59f, 0x42824ba, 0x0d48c25, 0xb8d33df,
+          0x47af4b0, 0xfffdb0a, 0x073b0b6, 0x534c601 },
+        { 0x51c033b, 0xe6df359, 0x86c0f94, 0x3e1002b, 0x48fb9b6, 0xa7cb555,
+          0xa7bbff8, 0x999818b, 0x84d8bf2, 0xe4ba3d6, 0x6358f0a, 0x53dbb32,
+          0xf2568e8, 0xeebc1e2, 0xb3e0f68, 0xc6917eb }
+    },
+    {
+        { 0x19f8d13, 0xbe1bbfc, 0x2d4795c, 0xc3951b6, 0xed535a9, 0x9371c49,
+          0x68cebea, 0x77c389f, 0xa141d0e, 0xfc1a947, 0xde44f8b, 0x4b48d7a,
+          0x8580a26, 0x3db1f05, 0x258b5fc, 0xeed1466 },
+        { 0x9854b21, 0x5daa4a1, 0x1ab1ead, 0x5bfa46f, 0x59957eb, 0xc152e35,
+          0xea48ada, 0xdc84277, 0xfc169b5, 0x68709cf, 0x720e617, 0xde50ce3,
+          0xdd9a832, 0xe42f262, 0x2d6ce29, 0xddffd4d }
+    },
+    {
+        { 0x8fa0a56, 0xd5ba557, 0xfafaf4c, 0x0d7d0f1, 0x38b63ed, 0x7666e41,
+          0x5d87f02, 0x04e6513, 0xc958f32, 0xdca8866, 0x3ce2686, 0xaa8486d,
+          0xf1cbcd3, 0xe3785ca, 0x03c8335, 0x8a9b114 },
+        { 0x2e0ef60, 0x5c1dca2, 0x7d3fb20, 0x775af5b, 0x2b373a8, 0xe690ffc,
+          0x28330e6, 0x30fe15d, 0xdd0f393, 0x8a1022b, 0x966a828, 0x6bd7364,
+          0x949208a, 0x8d4b154, 0xb9d9828, 0xfb38c6b }
+    },
+},
+{
+    {
+        { 0x0340ac2, 0x6d19764, 0xecab5ff, 0x969f473, 0xc458e42, 0xead46f7,
+          0x1d00eed, 0x168646a, 0xe0ce0cf, 0xf70c878, 0x8d8d15a, 0xa7291d3,
+          0xfdd10cc, 0x92cf916, 0x24f86d5, 0x6d36134 },
+        { 0x2d5c4b4, 0xba50d17, 0x4626f15, 0xe0af502, 0xd76098a, 0x76f3809,
+          0xd6caaa8, 0x433dc27, 0x70d97a7, 0x72dc67a, 0xf5c7355, 0x935b360,
+          0x179bb31, 0xdbaac93, 0x7ed1a33, 0x7673848 }
+    },
+    {
+        { 0x8f9fa0d, 0x8d1ca66, 0xa02f2bf, 0x4ed95d8, 0xf630d7b, 0xd19fc79,
+          0xf46fa51, 0x0448ec4, 0x623bf3f, 0xb371dd8, 0xd650e94, 0xe94fabc,
+          0xcd90a70, 0x3af3fca, 0x03ce3b7, 0x0f720c4 },
+        { 0xd636c3b, 0x590814c, 0x4469945, 0xcf6928d, 0x484a4c6, 0x5843aaf,
+          0xf9b4722, 0xb5a4c1a, 0x6cfb2f9, 0x25116b3, 0x32c2640, 0xf248cf0,
+          0x27412a1, 0x8cd059e, 0x862fc5d, 0x866d536 }
+    },
+    {
+        { 0x6de4a2e, 0x156e62f, 0xaafcc78, 0x0365af7, 0x19e925e, 0x65c8618,
+          0xf8b2191, 0x4db5c01, 0xad564fa, 0x1fd26d1, 0x19c8610, 0x16bbc53,
+          0x815f262, 0x0718eef, 0x27f83d1, 0x8684f47 },
+        { 0xb0f48db, 0xa30fd28, 0x6ab8278, 0x6fef506, 0x1a652df, 0xd164e77,
+          0xc6ebc8c, 0x5a486f3, 0xdc3132b, 0xb68b498, 0xd73323f, 0x264b6ef,
+          0x69b2262, 0xc261eb6, 0x2a35748, 0xd17015f }
+    },
+    {
+        { 0x7c4bb1d, 0x4241f65, 0xf5187c4, 0x5671702, 0x3973753, 0x8a9449f,
+          0xcc0c0cd, 0x272f772, 0x58e280c, 0x1b7efee, 0x4b5ee9c, 0x7b32349,
+          0x31142a5, 0xf23af47, 0xd62cc9e, 0x80c0e1d },
+        { 0x675ffe3, 0xcbc05bf, 0x258ce3c, 0x66215cf, 0x28c9110, 0xc5d2239,
+          0x2a69bc2, 0x30e12a3, 0x76a9f48, 0x5ef5e80, 0x2329d5f, 0x77964ed,
+          0x8a72cf2, 0xdf81ba5, 0x6e1b365, 0x38ea70d }
+    },
+    {
+        { 0x2f75c80, 0x1b18680, 0x698665a, 0x0c153a0, 0x522e8dd, 0x6f5a7fe,
+          0x8ddfc27, 0x9673866, 0x0d3bdce, 0x7e421d5, 0x25001b2, 0x2d737cf,
+          0x0e8490c, 0x568840f, 0xe30c8da, 0xea2610b },
+        { 0x9561fd4, 0xe7b1bc0, 0x26decb0, 0xeda786c, 0x6a76160, 0x2236990,
+          0x78a3da3, 0x371c714, 0x2a2d9bf, 0x1db8fce, 0x3292f92, 0x59d7b84,
+          0x5a665f9, 0x8097af9, 0x542b7a9, 0x7cb4662 }
+    },
+    {
+        { 0xc6b0c2f, 0xa5c53ae, 0x7312d84, 0xc4b8732, 0xc732736, 0xfc374cb,
+          0x9310cc0, 0xa8d78fe, 0x65d1752, 0xd980e86, 0x6004727, 0xa62692d,
+          0x0146220, 0x5d07928, 0x860fea5, 0xbd1fedb },
+        { 0xb35d111, 0xcbc4f8a, 0x3e32f77, 0x5ba8cdf, 0xb614b93, 0xd5b71ad,
+          0x2f8808d, 0x7b3a2df, 0x6ef2721, 0x09b89c2, 0x47c3030, 0x55a5054,
+          0x2986ae6, 0x2104431, 0x2367d4c, 0x427a011 }
+    },
+    {
+        { 0xc1942d8, 0xe9fe256, 0x96e3546, 0x9e7377d, 0xb0c1744, 0x43e734c,
+          0x211fbca, 0x5f46821, 0x32b6203, 0x44f83dc, 0x6ad1d96, 0x8451308,
+          0x2fbb455, 0x54dd519, 0x2f10089, 0xc2a1822 },
+        { 0x1855bfa, 0x01055a2, 0x77078b4, 0x9e6d7b4, 0x30cea0e, 0x3f8df6d,
+          0x32973f7, 0x81c2150, 0xc0b3d40, 0x17dd761, 0x50d0abe, 0x040424c,
+          0x783deab, 0x5599413, 0x8f3146f, 0xde9271e }
+    },
+    {
+        { 0xaf4a11d, 0x5edfd25, 0x7846783, 0x3a3c530, 0x73edd31, 0xb200868,
+          0xfe0eef8, 0x74e00ec, 0x3dd78c7, 0xba65d2f, 0x71999f1, 0xab13643,
+          0xde9a7e8, 0xfa9be5d, 0x87a8609, 0xeb146ce },
+        { 0x65353e9, 0x76afd65, 0xd51ba1c, 0xfa7023d, 0x37ede4f, 0x7a09f22,
+          0x0ba7a1b, 0xca08576, 0xb99950a, 0xd973882, 0xea5057a, 0xe894266,
+          0x7f55e49, 0xd01c421, 0x5555679, 0x69cfb9c }
+    },
+},
+{
+    {
+        { 0xc5d631a, 0x67867e7, 0x5bcf47b, 0x1de88c5, 0xafd1352, 0x8366d06,
+          0x6e20337, 0xd7dbdef, 0x1253ec7, 0xb0f9e2f, 0x10ad240, 0x1be9845,
+          0xf4a6118, 0x63ec533, 0x96ce633, 0xd5e4c5b },
+        { 0x4df4a25, 0x1d0b6c3, 0x5a1b554, 0xef9486a, 0x47b6ef3, 0x2f0e59e,
+          0x2ff84d7, 0x4d8042f, 0xda359c9, 0x3e74aa3, 0xd21c160, 0x1baa16f,
+          0x0191cba, 0xb4cff21, 0xebc6472, 0x50032d8 }
+    },
+    {
+        { 0x1fc1b13, 0xb6833e0, 0x1a5ad8f, 0x8a8b7ba, 0x622b820, 0xc0cafa2,
+          0x738ed20, 0xc6663af, 0x8b18f97, 0xd894486, 0x774fbe4, 0xcf0c1f9,
+          0x5be814f, 0xeedd435, 0xb57e543, 0xd81c02d },
+        { 0x310bad8, 0x5e32afc, 0x9b813d1, 0x065bc81, 0x3142795, 0x8efc5fc,
+          0x732d59c, 0x5006514, 0x2b5a3ce, 0x91e39df, 0xfaf4204, 0x2ad4477,
+          0x4d9bd4f, 0x1a96b18, 0xa4d9c07, 0xc3fee95 }
+    },
+    {
+        { 0x6b4ba61, 0xfac7df0, 0x061aaef, 0xa6ed551, 0x133f609, 0x35aa2d6,
+          0x20ed13d, 0x420cfba, 0xea03d0c, 0x861c63e, 0xf936d6e, 0x75f0c56,
+          0x3d9a3d5, 0xa25f68f, 0xcd9f66e, 0xba0b7fe },
+        { 0x4680772, 0x292e135, 0xa73f405, 0x6f6a2db, 0x24ea9e4, 0xca6add9,
+          0x268daaa, 0x81cfd61, 0xe6f147a, 0x7a4cb6c, 0xbded8f5, 0x8ec3454,
+          0x11d61cb, 0xc8a893b, 0x7656022, 0x2256ffc }
+    },
+    {
+        { 0x575cb78, 0x6b33271, 0xadcd23e, 0x560d305, 0xd6d834b, 0xeedbd3a,
+          0x5a31e27, 0x614a64a, 0x47ee0c8, 0xe40b476, 0x8bd7c2c, 0x8ef4ff6,
+          0x0b77727, 0xa5297fc, 0xbaf88ad, 0x8759208 },
+        { 0x918df68, 0x86cfe64, 0xcdd882e, 0x9d60a73, 0xb953014, 0x546b642,
+          0x8bbef55, 0xbaceae3, 0xf1c3467, 0xdf58e43, 0xe9f9bab, 0x99a83fe,
+          0x57a4a8b, 0xcd52cbf, 0x8ae36ec, 0xf744e96 }
+    },
+    {
+        { 0xa607124, 0xb945869, 0x440e6f6, 0x810dbe9, 0x738e381, 0x9911e60,
+          0x343b80b, 0x51df68c, 0xf7a3f39, 0xe424336, 0x989015c, 0x2d32acb,
+          0x31019e8, 0xa69b149, 0xec12f93, 0x8a31a38 },
+        { 0x97c916a, 0x0d0d369, 0x8885372, 0xdc95f3b, 0x3549040, 0xcf1a261,
+          0xabe95a2, 0x60f6f5e, 0xe141325, 0xa909e9f, 0x355c865, 0x7d598f2,
+          0x931a9c9, 0x70c6442, 0xb423850, 0x2354a85 }
+    },
+    {
+        { 0x97f9619, 0x4cdd224, 0xc22162e, 0x4776fff, 0x0cd31c2, 0xee5ec33,
+          0xf209bb8, 0x7c04c10, 0x579e211, 0x35bbfde, 0x15cdfc2, 0x0e38325,
+          0xe26ffa7, 0x657e6d3, 0xc65c604, 0xc66a7c3 },
+        { 0xb45e567, 0x322acd7, 0x296db9b, 0x1589cf0, 0xba1db73, 0x1fd0bd3,
+          0x9337a40, 0xe882610, 0xb3035c7, 0xf505a50, 0x6ed08d7, 0x4d5af06,
+          0x5eda400, 0xb3c376b, 0x1944748, 0x9c7b700 }
+    },
+    {
+        { 0x70c3716, 0xd768325, 0xdd540e0, 0xda62af0, 0x6580fea, 0x76b155d,
+          0x32b5464, 0x4f42acc, 0x3f5b72b, 0x881bb60, 0xe68b9ba, 0x09c130e,
+          0x5c50342, 0x37ede3b, 0xfd15e7d, 0xce61a9c },
+        { 0x72605d0, 0xfff1d85, 0x062abc2, 0x62ac2d3, 0xfbe43dd, 0xa85e02e,
+          0xa947020, 0x859d2ba, 0x111c20b, 0x2ebc8a9, 0xa656f66, 0x7f590a7,
+          0x16b21a6, 0x0e13843, 0x00c7db6, 0x29b30c5 }
+    },
+    {
+        { 0x906b8de, 0x61e55e2, 0x949974d, 0x6a97e96, 0x26eef67, 0x24b52b5,
+          0x1aa595a, 0x512f536, 0x3c48fcb, 0x81cc7b8, 0x28115ad, 0xa64af23,
+          0x3d44b8e, 0x9edf6f9, 0x1fe22e3, 0x68d7f7c },
+        { 0x520d151, 0x2b2116a, 0x6aa3efb, 0x66a0b7d, 0x9b0f791, 0x48ae70a,
+          0x037db88, 0xcf12174, 0x317d9f3, 0x36868cd, 0x22fc344, 0xb573059,
+          0x46a5d23, 0xbaa8526, 0x37fc10d, 0xad65691 }
+    },
+},
+{
+    {
+        { 0x12c78d5, 0xcf8e5f5, 0x805cdbd, 0xeb94d98, 0x2ab50b5, 0xad1dcdf,
+          0xf33cd31, 0xf33c136, 0x10aeff5, 0x0d6226b, 0xf2f8fc5, 0xf7ff493,
+          0xdf57165, 0x7e520d4, 0x05271a7, 0x41fbae5 },
+        { 0x76480ba, 0x72c8987, 0x25f4523, 0x2608359, 0x49f5f01, 0xed36b8d,
+          0xf3d49eb, 0x3bc1dce, 0x4940322, 0x30c1c1a, 0x7e0f731, 0x78c1cda,
+          0x6d05a31, 0x51f2dc8, 0x07f3522, 0x57b0aa8 }
+    },
+    {
+        { 0x71f88bc, 0x7ab628e, 0x8018f21, 0xcf585f3, 0x13d64f6, 0xdbbe3a4,
+          0xec493a5, 0x0f86df1, 0x7725de9, 0x8355e6c, 0xe00fe1e, 0x3954ffe,
+          0x9924e32, 0xbb8978f, 0x7812714, 0x1c19298 },
+        { 0xaabca8b, 0x7c4ce3e, 0x9bf7019, 0xf861eb5, 0x682e541, 0x31a84fc,
+          0xacd1b92, 0x2307ca9, 0x4bf2842, 0x6f8b6ce, 0xcb9f9a9, 0xde252ac,
+          0x93c46d1, 0x7f0611d, 0x751dc98, 0x8e2bd80 }
+    },
+    {
+        { 0xe27d54b, 0xf2fd8fb, 0xc248071, 0x2a1e37e, 0xab8f49a, 0x2fcc888,
+          0xc18a9e5, 0x42c62a3, 0x70b2446, 0xe302908, 0xc5ac55d, 0x90277fa,
+          0xd6dde41, 0x8d97d56, 0x5db04fe, 0xf4cf8a9 },
+        { 0xd30d077, 0x3e280f5, 0x3cb3293, 0x2c90307, 0x24eb0dd, 0xe0be2ac,
+          0x8bcb4f0, 0xa2d1a49, 0xcd0cd45, 0x16db466, 0x9a80232, 0x3b28aa7,
+          0x17b008e, 0xdd7e52f, 0x868e4da, 0x20685f2 }
+    },
+    {
+        { 0x7c7a486, 0x0a68c14, 0xc429633, 0xd8ef234, 0xffe7506, 0x470667b,
+          0x8828d51, 0x55a13c8, 0x2e44bef, 0x5f32741, 0x5929f92, 0x537d92a,
+          0x31c5cd5, 0x0a01d5b, 0x67eb3d7, 0xb77aa78 },
+        { 0x8b82e4d, 0x36ec45f, 0xb37b199, 0x6821da0, 0xd7fa94e, 0x8af37aa,
+          0x1085010, 0xf020642, 0x7e56851, 0x9b88678, 0x52948ce, 0x35f3944,
+          0xafc1361, 0x125c2ba, 0x453e332, 0x8a57d0e }
+    },
+    {
+        { 0x8043664, 0xefe9948, 0xdb1aa55, 0xb8b8509, 0x332523f, 0x1a2e5a9,
+          0x1045c0f, 0x5e255dd, 0x7ae7180, 0xe68dd8a, 0x45bf532, 0x55f1cf3,
+          0xe63a716, 0xe00722e, 0x6116bac, 0xd1c2138 },
+        { 0x1c6d1f4, 0x626221f, 0x3773278, 0x240b830, 0x88def16, 0xe393a0d,
+          0xca0495c, 0x229266e, 0xd3e4608, 0x7b5c6c9, 0x7927190, 0xdc559cb,
+          0xc7b3c57, 0x06afe42, 0xb439c9b, 0x8a2ad0b }
+    },
+    {
+        { 0xffc3e2f, 0xd7360fb, 0xfbd2e95, 0xf721317, 0x5748e69, 0x8cacbab,
+          0x9054bb9, 0x7c89f27, 0xaa86881, 0xcbe50fa, 0x75206e4, 0x7aa05d3,
+          0xc752c66, 0x1ea01bc, 0x1f2c2bc, 0x5968cde },
+        { 0x09a853e, 0x487c55f, 0xe09204b, 0x82cbef1, 0xabd8670, 0xad5c492,
+          0xf12dcb3, 0x7175963, 0xbf6aa06, 0x7a85762, 0xf8d5237, 0x02e5697,
+          0x37c6157, 0xccf7d19, 0xc2fd59c, 0x3b14ca6 }
+    },
+    {
+        { 0x1b9f77f, 0x5e610d8, 0x051b02f, 0x85876d0, 0xb8020dd, 0x5d81c63,
+          0xd6ce614, 0xd0b4116, 0xaa8bf0c, 0x91810e5, 0xcbf8c66, 0xf27f91f,
+          0x38480ae, 0x2e5dc5f, 0xbec7633, 0x0a13ffe },
+        { 0x2bf6af8, 0x61ff649, 0x641f827, 0xe6aef2d, 0x5de5f04, 0xad5708a,
+          0xcdfee20, 0xe5c3a80, 0x68fcfa2, 0x88466e2, 0xd6e1d7b, 0x8e5bb3a,
+          0xed236b8, 0xa514f06, 0xa5f5274, 0x51c9c7b }
+    },
+    {
+        { 0xf9bc3d8, 0xa19d228, 0x3381069, 0xf89c3f0, 0x5c3f379, 0xfee890e,
+          0x32fb857, 0x3d3ef3d, 0x5b418dd, 0x3998849, 0xc46e89a, 0x6786f73,
+          0x9e0f12f, 0x79691a5, 0x3bc022b, 0x76916bf },
+        { 0x2cd8a0a, 0xea073b6, 0x102fdbc, 0x1fbedd4, 0xcb9d015, 0x1888b14,
+          0x76655f7, 0x98f2cfd, 0x59f0494, 0xb9b5910, 0xe6986a3, 0xa3dbbe1,
+          0xeaf2b04, 0xef016a5, 0xcd2d876, 0xf671ba7 }
+    },
+},
+{
+    {
+        { 0x1ae05e9, 0x1dae3bf, 0x1f21fef, 0x6a02996, 0x7aec3c6, 0x95df2b9,
+          0xd83189b, 0x9abbc5a, 0x2d13140, 0xaf994af, 0x86aa406, 0xc3f8846,
+          0x75284c5, 0xcd77e50, 0x2a9a4d7, 0x1c1e13d },
+        { 0x744b89d, 0x7f8815d, 0x2ba673e, 0xb189133, 0xd594570, 0x55ea93c,
+          0xd61b041, 0x19c8a18, 0x8d2c580, 0x938ebaa, 0x05ba078, 0x9b4344d,
+          0x8eaf9b7, 0x622da43, 0x9fea368, 0x809b807 }
+    },
+    {
+        { 0xc33b7a2, 0x3780e51, 0x387b1c8, 0xd7a205c, 0x4be60e4, 0x79515f8,
+          0x1e18277, 0xde02a8b, 0xf0d9150, 0x4645c96, 0xe0b3fd1, 0x45f8acb,
+          0x9b53ac3, 0x5d532ba, 0xb0557c9, 0x7984dcd },
+        { 0x8a92f01, 0x5ae5ca6, 0x9d569ca, 0xd2fbb3c, 0x0c297c1, 0x668cc57,
+          0x6295e89, 0xa482943, 0xa33ad40, 0xf646bc1, 0xc3f425d, 0x066aaa4,
+          0xd005de2, 0x23434cd, 0xdb35af4, 0x5aca9e9 }
+    },
+    {
+        { 0x6877c56, 0x2bca35c, 0xf0ddd7d, 0xab864b4, 0x404f46c, 0x5f6aa74,
+          0x539c279, 0x72be164, 0xe0283cf, 0x1b1d73e, 0xad583d9, 0xe550f46,
+          0xe739ad1, 0x4ac6518, 0x8d42100, 0x6b6def7 },
+        { 0xfa8468d, 0x4d36b8c, 0x5a3d7b8, 0x2cb3773, 0x5016281, 0x577f86f,
+          0x9124733, 0xdb6fe5f, 0xe29e039, 0xacb6d2a, 0x580b8a1, 0x2ab8330,
+          0x643b2d0, 0x130a4ac, 0x5e6884e, 0xa7996e3 }
+    },
+    {
+        { 0x60a0aa8, 0x6fb6277, 0xcbe04f0, 0xe046843, 0xe6ad443, 0xc01d120,
+          0xabef2fc, 0xa42a05c, 0x12ff09c, 0x6b793f1, 0xa3e5854, 0x5734ea8,
+          0x775f0ad, 0xe482b36, 0xf864a34, 0x2f4f60d },
+        { 0x84f2449, 0xf521c58, 0x9186a71, 0x58734a9, 0xac5eacc, 0x157f5d5,
+          0x248ee61, 0x858d9a4, 0x48149c3, 0x0727e6d, 0xac9ec50, 0xd5c3eaa,
+          0x20ee9b5, 0xa63a64a, 0x87be9de, 0x3f0dfc4 }
+    },
+    {
+        { 0xb13e3f4, 0x836349d, 0x3e9316d, 0xebdd026, 0x324fd6c, 0x3fd61e8,
+          0x0964f41, 0x85dddfa, 0x52add1b, 0x06e72de, 0x8c4a9e2, 0xb752cff,
+          0xfdf09f7, 0x53b0894, 0x0bc24fd, 0xd5220ab },
+        { 0xfb1981a, 0x8442b35, 0x3edd701, 0xa733a37, 0xd0ef089, 0x42b60c3,
+          0x46e7bca, 0xa1b16ec, 0xa09aaf4, 0xc0df179, 0x638f3a1, 0xcd4f187,
+          0x9eab1c2, 0x9af64f7, 0xd1d78e3, 0x86fed79 }
+    },
+    {
+        { 0xfe29980, 0x42c8d86, 0x6575660, 0x6657b81, 0x80f92ca, 0x82d52c6,
+          0x02d42be, 0x8587af1, 0x6e8bdf0, 0xb515131, 0xc333495, 0x706e2d9,
+          0x9673064, 0xd53601a, 0x8219099, 0x27b1fbb },
+        { 0x705f7c8, 0x3f0929d, 0xf3d6e6f, 0xff40b10, 0x026af5c, 0x673c703,
+          0xe25a422, 0x2c1dce4, 0x3dad8b6, 0x5348bd7, 0xbe2c329, 0xc39b6b6,
+          0xb921084, 0x47854ff, 0xb391f20, 0xb347b8b }
+    },
+    {
+        { 0xeb9b774, 0x79fc841, 0xb4b6c1d, 0xf32da25, 0xfe492cb, 0xcbba76b,
+          0xd623903, 0x76c51fc, 0xcf0705a, 0x114cf6f, 0x7815daf, 0x6b72049,
+          0x473382e, 0x630b362, 0x9704db5, 0xbf40c3a },
+        { 0xc5456eb, 0xa8a9ddc, 0x72f2dc1, 0x2b4472a, 0xd6d6ef3, 0x9874444,
+          0xa0ba5ed, 0x27e8d85, 0x194849f, 0x5d225b4, 0xebaa40d, 0xe852cd6,
+          0x8d4bf3f, 0xb669c24, 0x2343991, 0xa8601eb }
+    },
+    {
+        { 0x59502d3, 0x8a04854, 0xe269a7b, 0xcab27ee, 0x4875ada, 0x4179307,
+          0xe2405f9, 0x179e685, 0x7b28963, 0x0d7b698, 0x422a43e, 0x80c9db8,
+          0xa0f43ee, 0xf5ff318, 0x4ba7aa7, 0x7a92805 },
+        { 0x0c0834e, 0xa5c79fe, 0x1f849ec, 0x837ca0d, 0x628ab7b, 0xfe0d7fa,
+          0x6edd19a, 0x94bcb95, 0x2226fbf, 0xa18bc93, 0xaad54a3, 0x2795379,
+          0x371129e, 0xceeacf8, 0xa588be5, 0x65ca57f }
+    },
+},
+{
+    {
+        { 0x2caa330, 0x7a578b5, 0xd8ca34a, 0x7c21944, 0x6447282, 0x6c0fbbb,
+          0xf90b2e5, 0xa8a9957, 0x6586b71, 0xbbe1066, 0x49138a2, 0x716a902,
+          0xe7ed66d, 0x2fa6034, 0x2b9916a, 0x56f77ed },
+        { 0xbddefb3, 0x69f1e26, 0x8c08420, 0xa497809, 0x09bc184, 0xc3377eb,
+          0xbe6dade, 0x796ce0c, 0xd103bbb, 0x3be0625, 0x992685c, 0x01be27c,
+          0x7755f9f, 0xc0e2559, 0x1c0dbfa, 0x165c40d }
+    },
+    {
+        { 0x659c761, 0xc63a397, 0x630fbad, 0x10a0e5b, 0x655ac56, 0xf21e8a6,
+          0xc1181e2, 0xe8580fa, 0x0a84b5c, 0xbfc2d9c, 0x7afd5d1, 0x2cdbaff,
+          0xf61e85a, 0x95f1182, 0x719eaf4, 0x1173e96 },
+        { 0xc6de8b9, 0xc06d55e, 0xafcbcaa, 0x1b4c8eb, 0xbc2bbcd, 0x52af5cb,
+          0x77bcd10, 0x564fab8, 0xae85a6e, 0xfd53a18, 0x94c712f, 0x2257859,
+          0x1352121, 0x29b11d7, 0xc40491a, 0xab1cb76 }
+    },
+    {
+        { 0xce32eb4, 0xb4e8ca8, 0xb250b49, 0x7e484ac, 0xa3e31a2, 0x062c6f7,
+          0x625d1fc, 0x497fd83, 0x362dda7, 0x98f821c, 0x6be3111, 0xcae1f8f,
+          0x5d4fa42, 0x9077e95, 0xa65855a, 0xa589971 },
+        { 0x28832a9, 0xda6321d, 0x3936e9e, 0xf9ef5dc, 0xc9797ef, 0xa37f117,
+          0xdb581be, 0x0eb3c80, 0xbaa0002, 0x207c5c4, 0xf38faa0, 0xc0401b5,
+          0xd0f1e6e, 0xceee523, 0xd1f0045, 0x8d27a5f }
+    },
+    {
+        { 0xcf0af29, 0x9411063, 0x89a6693, 0x3043857, 0x640145e, 0x9a9fb8f,
+          0x54832eb, 0x7d82fe9, 0x898c520, 0xf2789e1, 0xf948dc0, 0x448b402,
+          0x68996dd, 0xeca8fdf, 0xa149b2f, 0x22227e9 },
+        { 0x8e62d6a, 0x63509ff, 0x8c9c57f, 0xe98d81c, 0x1fe3bed, 0xd387407,
+          0x539538f, 0xf1db013, 0x48418ce, 0xb04092e, 0xd6d9d4d, 0xbbf8e76,
+          0x2cec5ae, 0x2ea9cda, 0x5078fa9, 0x8414b3e }
+    },
+    {
+        { 0xd68a073, 0x5ad1cdb, 0xc18b591, 0xd4cedaf, 0x8e4c1c9, 0x7826707,
+          0x9ca302a, 0x9b8d920, 0x326115b, 0x3101bd2, 0x4c2717a, 0x6f154b5,
+          0x263e84b, 0x618c31b, 0xbbd6942, 0x12c4138 },
+        { 0x80da426, 0xf9ead25, 0x47d9680, 0xe748e99, 0x8a4210e, 0x9b396a3,
+          0xf4b8f72, 0xfaf03dd, 0x66159e7, 0xbd94a52, 0x1d4c7cb, 0x5e73049,
+          0x7910f38, 0x31d1f9a, 0x08d6dd1, 0x4fd10ca }
+    },
+    {
+        { 0x9f2331e, 0x4f510ac, 0x7e3dcc2, 0xee872dc, 0xa0a0c73, 0x4a11a32,
+          0xaa5a630, 0x27e5803, 0x7af4a8a, 0xe5ae503, 0x9fffeb0, 0x2dcdeba,
+          0x719d91f, 0x8c27748, 0xb9cc61c, 0xd3b5b62 },
+        { 0xcca7939, 0x998ac90, 0x64514e5, 0xc22b598, 0xb35738a, 0x950aaa1,
+          0xdab0264, 0x4b208bb, 0xa557d2e, 0x6677931, 0xf7c17d3, 0x2c696d8,
+          0x3e15c51, 0x1672d4a, 0x3db0e82, 0x95fab66 }
+    },
+    {
+        { 0x6ff205e, 0x3d42734, 0x0ea9fbe, 0x7f187d9, 0x466b2af, 0xbd9367f,
+          0x03daf2f, 0x188e532, 0x27b54d8, 0xefe1329, 0xef70435, 0x14faf85,
+          0x1ec95c4, 0xa506128, 0xc22cba7, 0xad01705 },
+        { 0x6197333, 0x7d2dfa6, 0x8b4f6ed, 0xedd7f07, 0x75df105, 0xe0cb685,
+          0x80f76bc, 0x47c9ddb, 0x9073c54, 0x49ab531, 0xe607f44, 0x845255a,
+          0xcc74b7c, 0x0b4ed9f, 0x0f5c3a6, 0xcfb52d5 }
+    },
+    {
+        { 0xc278776, 0x545c7c6, 0x98c30f0, 0x92a39ae, 0xd2f4680, 0x8aa8c01,
+          0x6b7f840, 0xa5409ed, 0xdcb24e7, 0x0c450ac, 0xc5770d9, 0x5da6fb2,
+          0x8658333, 0x5b8e8be, 0x67ea4ad, 0xb26bf4a },
+        { 0xc7d91fa, 0x2e30c81, 0x0eeb69f, 0x6e50a49, 0xee4bc26, 0x9458c2b,
+          0x33be250, 0x419acf2, 0x87881ab, 0x79d6f81, 0x403b1be, 0x694565d,
+          0x234fe1d, 0x34b3990, 0x2132b38, 0x60997d7 }
+    },
+},
+{
+    {
+        { 0x26975dc, 0x00a9741, 0x6cf94e7, 0x42161c4, 0xc64ed99, 0xcc9fe4b,
+          0x4680570, 0x020019a, 0x698da0d, 0x885595a, 0x77dd962, 0x008444b,
+          0xa4fea0e, 0xbf3c22d, 0x2c81245, 0xc463048 },
+        { 0x793ab18, 0xcb248c5, 0xeb4320b, 0x4dc7a20, 0x1572b7d, 0x9a0906f,
+          0xf9ac20f, 0xd5b3019, 0x34520a3, 0x79b1bf5, 0x69b5322, 0x788dfe8,
+          0x455b7e2, 0x9a05298, 0x016bca9, 0x2f4aecb }
+    },
+    {
+        { 0x8745618, 0x414d379, 0xb7c983c, 0x64ba22e, 0x9f9d532, 0x9a5d19f,
+          0x44a80c8, 0x81a00d8, 0xcae98d6, 0xb9e24f5, 0xaca965a, 0x6c3769c,
+          0xf6e4e6d, 0x50d6081, 0x54422a6, 0x0d96980 },
+        { 0x5cdd790, 0xbd7e792, 0x6a35219, 0xcff65da, 0x8b60ebe, 0x40dc363,
+          0x92a50dc, 0x84bee74, 0x15ad65e, 0x57d4be4, 0x1a6d1d3, 0xc54256b,
+          0x45717cc, 0x141c649, 0xcd1c736, 0x05eb609 }
+    },
+    {
+        { 0x1e3c7ec, 0xfd52eab, 0x9f24895, 0xa4a5eca, 0x79fdb83, 0xaaa2a8d,
+          0x72bdfda, 0xd105e60, 0x681d97e, 0x59e6ae2, 0x8e8077f, 0xfedf8e0,
+          0x629e462, 0xb06d0ad, 0x96fa863, 0x8c7c2d0 },
+        { 0xee8fc91, 0x5eecc4c, 0x9e61174, 0x5e83ab2, 0xb28c02d, 0x1fd8925,
+          0x2072864, 0x93be538, 0x24c984e, 0xda0c886, 0xa008286, 0xdcf9f0c,
+          0xa58ba75, 0x1ecb5a6, 0xc2e3c83, 0x1d9b890 }
+    },
+    {
+        { 0xeeee062, 0x19e866e, 0x4f7b387, 0x31c1c7f, 0x1c06652, 0x9be6018,
+          0x2b68bbb, 0xc00a93a, 0x9d52b2b, 0x54c65d6, 0xe8b744a, 0x4591416,
+          0x9a64ab6, 0x641bcca, 0xab08098, 0xf22bcb1 },
+        { 0xf1f726c, 0x3c0db8f, 0x9d2e6a6, 0x4f5739e, 0x45c9530, 0x5cb669b,
+          0x7b472d0, 0x861b04e, 0x894da77, 0x3e30515, 0xc9ac39b, 0x3344685,
+          0x73bdd29, 0x9e17305, 0x808dc85, 0x9cac12c }
+    },
+    {
+        { 0x5e27087, 0xf152b86, 0x90a580e, 0x267bd85, 0x8baafc1, 0xba79cec,
+          0x9442686, 0x6140ab1, 0x5b31693, 0xa67090c, 0x28b4117, 0x50a103a,
+          0x0ddc08f, 0x7722e61, 0xe6569b2, 0x5d19d43 },
+        { 0x5962bf6, 0x70e0c52, 0xfb5fb02, 0x808e316, 0x5b667be, 0x3fb80da,
+          0xfcfacec, 0x8aa366e, 0x134280e, 0xcb0b3e7, 0xcd7d944, 0x0bf1de4,
+          0xd092df5, 0x0cd23be, 0xa153a0c, 0xc9a6a79 }
+    },
+    {
+        { 0x2d5a4b7, 0x1c69ad0, 0xd9e6f4a, 0x4bb28d0, 0xa984fc6, 0x815308c,
+          0x9037ca5, 0x40929c7, 0x1bd0357, 0x0ea2b49, 0x42aad4e, 0xec17e5b,
+          0x18e7235, 0x1f32ade, 0xa96a9d3, 0xbc60b05 },
+        { 0xe20f707, 0x3b0229a, 0x56bdfad, 0xd635050, 0xd8b2e1e, 0xac2d922,
+          0x235c748, 0x92b2998, 0xd766f97, 0x6002c3a, 0x1a2a862, 0x9919800,
+          0xb58b684, 0x2af7567, 0xaaafce5, 0xd8fe707 }
+    },
+    {
+        { 0x5df7a4b, 0x54487ab, 0xc57ccc2, 0x51cccde, 0x7510b53, 0x2394327,
+          0xf555de3, 0x3a09f02, 0x1be484d, 0xa696aec, 0x37817a2, 0x56f459f,
+          0x623dcb4, 0x8d8f61c, 0x5335656, 0xc52223c },
+        { 0xb49914a, 0xf634111, 0x8e4f9bb, 0xbf8e1ab, 0xf4dba02, 0x2f59578,
+          0xe004319, 0x2a94199, 0x654d005, 0x87931f0, 0x6fa0814, 0x7df57d9,
+          0xa154031, 0xc8da316, 0x41f658b, 0x2a44ac0 }
+    },
+    {
+        { 0x9e34ac6, 0xfb5f4f8, 0x97790f2, 0x0a1b10b, 0x4b8a06c, 0x58fe4e7,
+          0x955f27c, 0x10c1710, 0xd5ebe19, 0x77b798a, 0x1f1c2dc, 0xaf1c35b,
+          0xa1f8d69, 0xc25b8e6, 0xf76bf23, 0x49cf751 },
+        { 0x436f7b7, 0x15cb2db, 0x7e74d1a, 0x186d7c2, 0xc00a415, 0x60731de,
+          0x15f0772, 0xea1e156, 0x714463f, 0xf02d591, 0x51adeb1, 0x26a0c64,
+          0xcc5229e, 0x20174cd, 0xefd512a, 0xb817e50 }
+    },
+},
+};
+
+static const ge448_precomp base_i[16] = {
+    {
+        { 0x70cc05e, 0x26a82bc, 0x0938e26, 0x80e18b0, 0x511433b, 0xf72ab66,
+          0x412ae1a, 0xa3d3a46, 0xa6de324, 0x0f1767e, 0x4657047, 0x36da9e1,
+          0x5a622bf, 0xed221d1, 0x66bed0d, 0x4f1970c },
+        { 0x230fa14, 0x08795bf, 0x7c8ad98, 0x132c4ed, 0x9c4fdbd, 0x1ce67c3,
+          0x73ad3ff, 0x05a0c2d, 0x7789c1e, 0xa398408, 0xa73736c, 0xc7624be,
+          0x03756c9, 0x2488762, 0x16eb6bc, 0x693f467 }
+    },
+    {
+        { 0x6ff2f8f, 0x2817328, 0xda85757, 0xb769465, 0xfd6e862, 0xf7f6271,
+          0x8daa9cb, 0x4a3fcfe, 0x2ba077a, 0xda82c7e, 0x41b8b8c, 0x9433322,
+          0x4316cb6, 0x6455bd6, 0xb9108af, 0x0865886 },
+        { 0x88ed6fc, 0x22ac135, 0x02dafb8, 0x9a68fed, 0x7f0bffa, 0x1bdb676,
+          0x8bb3a33, 0xec4e1d5, 0xce43c82, 0x56c3b9f, 0xa8d9523, 0xa6449a4,
+          0xa7ad43a, 0xf706cbd, 0xbd5125c, 0xe005a8d }
+    },
+    {
+        { 0x2030034, 0xa99d109, 0x6f950d0, 0x2d8cefc, 0xc96f07b, 0x7a920c3,
+          0x08bc0d5, 0x9588128, 0x6d761e8, 0x62ada75, 0xbcf7285, 0x0def80c,
+          0x01eedb5, 0x0e2ba76, 0x5a48dcb, 0x7a9f933 },
+        { 0x2f435eb, 0xb473147, 0xf225443, 0x5512881, 0x33c5840, 0xee59d2b,
+          0x127d7a4, 0xb698017, 0x86551f7, 0xb18fced, 0xca1823a, 0x0ade260,
+          0xce4fd58, 0xd3b9109, 0xa2517ed, 0xadfd751 }
+    },
+    {
+        { 0xeb5eaf7, 0xdf9567c, 0x78ac7d7, 0x110a6b4, 0x4706e0b, 0x2d33501,
+          0x0b5a209, 0x0df9c7b, 0x568e684, 0xba4223d, 0x8c3719b, 0xd78af2d,
+          0xa5291b6, 0x77467b9, 0x5c89bef, 0x079748e },
+        { 0xdac377f, 0xe20d3fa, 0x72b5c09, 0x34e8669, 0xc40bbb7, 0xd8687a3,
+          0xd2f84c9, 0x7b3946f, 0xa78f50e, 0xd00e40c, 0x17e7179, 0xb875944,
+          0xcb23583, 0x9c7373b, 0xc90fd69, 0x7ddeda3 }
+    },
+    {
+        { 0x6ab686b, 0x3d0def7, 0x49f7c79, 0x1a467ec, 0xc8989ed, 0x3e53f4f,
+          0x430a0d9, 0x101e344, 0x8ad44ee, 0xa3ae731, 0xae1d134, 0xaefa6cd,
+          0x824ad4d, 0xaa8cd7d, 0xed584fc, 0xef1650c },
+        { 0x4f4754f, 0xa74df67, 0xef3fb8b, 0xf52cea8, 0x2971140, 0x47c32d4,
+          0xa256fbb, 0x391c15d, 0xa605671, 0xc165fab, 0x87993b9, 0xf2518c6,
+          0xbd5a84d, 0x2daf7ac, 0x98f12ae, 0x1560b62 }
+    },
+    {
+        { 0x54dc10a, 0xef4da02, 0x5940db8, 0x6311865, 0x82f2948, 0xe20b149,
+          0x5581dba, 0x67b9377, 0x04f5029, 0x422ee71, 0x5122d34, 0x5d440db,
+          0x1a4c640, 0xb1e56d7, 0xc2408ee, 0xbf12abb },
+        { 0x016af01, 0x0cc9f86, 0xf3d8cab, 0x88366ab, 0xa2efe12, 0x85dda13,
+          0x5d00674, 0x390df60, 0x6d187f7, 0xf18f580, 0xf0c5d20, 0x28c900f,
+          0x3e01733, 0xad30812, 0x54bf2fd, 0x42d35b5 }
+    },
+    {
+        { 0x2ffb1f1, 0x009135f, 0x8f9c605, 0x099fc7e, 0x26bfa5a, 0xcc67da6,
+          0x344552b, 0xc186d12, 0x1b339e1, 0xb523250, 0xc9708c5, 0x70a544f,
+          0x1e928e7, 0x06baaec, 0xef0f50f, 0x0baedd2 },
+        { 0xbf479e5, 0x535d6d8, 0xe4ec3e9, 0x156e536, 0xddb9be2, 0x3165741,
+          0x59fd736, 0x988af71, 0x2e33ddd, 0x13d8a78, 0x4e69002, 0x5460421,
+          0x804a268, 0x34d56e0, 0x0e52a4c, 0xc59b84f }
+    },
+    {
+        { 0x24729d9, 0x525d45f, 0x8712327, 0x5768aba, 0x43035db, 0xa25e43b,
+          0x927ef21, 0x15a1ee8, 0x6056112, 0xa785d21, 0xd508af9, 0x45e2fbf,
+          0x37ba969, 0xb6f721a, 0x216d8d3, 0x30d6d8c },
+        { 0x52074c3, 0x3065e08, 0x2a0684e, 0xfa40b4a, 0x763f955, 0x851325a,
+          0x9f25900, 0xd4ef19c, 0xf665756, 0x799c869, 0x3312990, 0x7b05222,
+          0x28db802, 0xc986c2b, 0x28ade0a, 0xf48fb8f }
+    },
+    {
+        { 0x1649b68, 0x1e46173, 0x5beb9dc, 0xa96e5d6, 0x481935d, 0x765ddff,
+          0x9f3bf2a, 0x6cf132c, 0x7c35658, 0x9f6c5c9, 0x4696e60, 0x99cd139,
+          0x9c0d5e4, 0x99fa924, 0x8845a95, 0x1acd063 },
+        { 0x3636087, 0x0b06541, 0xea17b7f, 0xea20e78, 0x6161967, 0x20afc5f,
+          0xdc81028, 0xfd6c8a2, 0xe32c8fd, 0x4ef1357, 0x00e4a88, 0x8aa4004,
+          0x48cb82f, 0xd6fcaef, 0xb3cd4fa, 0x7ba7c6d }
+    },
+    {
+        { 0xd19c7ab, 0xf843473, 0xc655c4d, 0x968e76d, 0xc4b9c2f, 0x52c87d9,
+          0xe4aa082, 0x65f641a, 0x33c3603, 0x491a397, 0x5810098, 0xa606ffe,
+          0x8bf8ad4, 0x09920e6, 0x6db7882, 0x691a0c8 },
+        { 0xa4d3ef5, 0x5205883, 0xacf2efe, 0xee839b7, 0xc00ca66, 0x4b78e2a,
+          0xf9fcb91, 0xbe3f071, 0xbf6943a, 0x61e66c9, 0x061b79d, 0xe9b4e57,
+          0x56c06bd, 0x8d1b01b, 0xdf76ae5, 0x0dfa315 }
+    },
+    {
+        { 0xf1fd093, 0x803df65, 0x489b77e, 0x1cd6523, 0xc20e295, 0x2cd2e15,
+          0x9b912d1, 0xcd490be, 0x2e886d2, 0xdd9a2ff, 0xfe9d72a, 0xa3c836d,
+          0x298e0c1, 0xfcad5f2, 0x4bcf067, 0xed126e2 },
+        { 0x3dc81bc, 0x1e33953, 0xece6a08, 0xbea4d76, 0x991b252, 0x1d15de3,
+          0xe6daf97, 0x74cc5cf, 0x0826493, 0x5ad343f, 0x1064049, 0x2d38a47,
+          0xffcfa4d, 0xf7f47b9, 0x418066c, 0xef14490 }
+    },
+    {
+        { 0x9bb55ab, 0x4e7f86b, 0x3f496a3, 0x310d785, 0x0dec42c, 0xbd682fc,
+          0x411d32a, 0xbde047a, 0xc5a5ea2, 0xea639b4, 0xba08fa1, 0x5052078,
+          0x07729f2, 0xc968b23, 0x23d3e28, 0x567b5a6 },
+        { 0x977fbf7, 0x171e825, 0xbe990aa, 0x0319c70, 0xe12cd69, 0x8f65023,
+          0xf5015e6, 0x1fb9b19, 0x3568a7c, 0x0083f60, 0x1f3c5ac, 0xba3d30b,
+          0x3d7a988, 0xe7b509d, 0xcd0f6b6, 0x2318b99 }
+    },
+    {
+        { 0x93ab2cf, 0x54d3b87, 0xd2d8306, 0x366abea, 0xd7a4977, 0x66e8eb6,
+          0xae0072e, 0xa61888c, 0xdbc3315, 0x9eeeef5, 0x163e7f5, 0x93f09db,
+          0x59ade9a, 0xee90959, 0xce59be0, 0xaf7f578 },
+        { 0x5ece59e, 0x24bfd8d, 0x3689523, 0x8aa698b, 0x2de92cf, 0xa9a65de,
+          0xa6ad300, 0xec11dbc, 0x09f88ca, 0x217f3fa, 0xb4d6af7, 0xf6c33e3,
+          0x1d86d2d, 0xcd3bfa2, 0x5f13f25, 0x1497f83 }
+    },
+    {
+        { 0xcd03d1d, 0xa579568, 0xe158af6, 0xd717cda, 0x389a19f, 0x59eda97,
+          0x099e99c, 0xb32c370, 0xdabb591, 0xa2dba91, 0x77c2c97, 0x6d697d5,
+          0xd43fa6d, 0x5423fc2, 0x0b382bf, 0x56ea8a5 },
+        { 0xd80c11a, 0x4a987ba, 0x7d590a5, 0xe4cde21, 0xf97e559, 0x3dd8860,
+          0x43b593c, 0xff45e25, 0x5343cb5, 0x00eb453, 0x7bbfbdd, 0x06b9b99,
+          0x16aea24, 0x4da36b7, 0x57a624e, 0x2476517 }
+    },
+    {
+        { 0x3474e0d, 0x32207d0, 0xb41cc73, 0x3ffbf04, 0x319eb39, 0x5c4dc45,
+          0x758b463, 0xfee29be, 0xc30c7a7, 0xcc8a381, 0x9fe0e53, 0x147f4e4,
+          0xe35a2de, 0x05b2e26, 0x92f3666, 0x4362f02 },
+        { 0x8474b85, 0x0476d0c, 0xccaf108, 0x9d8c65f, 0x1d54b6a, 0xf58d404,
+          0xf38e4b0, 0x3ee6862, 0x3b44f54, 0x7c7c9d5, 0x0fb0db5, 0x36a3fd8,
+          0x18a8ac8, 0xfcd94ba, 0x8f35c05, 0xc1b1d56 }
+    },
+    {
+        { 0x1bdd30d, 0x16539fc, 0x8df4afb, 0x1356e53, 0x5a1aedb, 0xc0545d8,
+          0x489396b, 0xeb2037a, 0x5660894, 0x897fcbd, 0xb7d104a, 0x02a58a9,
+          0xc96b980, 0x57fa24c, 0x5bd8946, 0xf6448e3 },
+        { 0x8805c83, 0xee72741, 0x992cfc6, 0x10fa274, 0x9e66b21, 0x9514193,
+          0xbd08009, 0xe0ffa44, 0x20da22b, 0x1743322, 0x59e6831, 0x4891ff3,
+          0xa7d687b, 0x407ed73, 0x51d99cf, 0x2fb4e07 }
+    },
+};
+#endif
+
+/* Set the 0 point.
+ *
+ * p  [in]  Point to set to 0.
+ */
+static WC_INLINE void ge448_0(ge448_p2 *p)
+{
+    fe448_0(p->X);
+    fe448_1(p->Y);
+    fe448_1(p->Z);
+}
+
+/* Set the precompute point to 0.
+ *
+ * p  [in]  Precompute point to set.
+ */
+static void ge448_precomp_0(ge448_precomp *p)
+{
+    fe448_0(p->x);
+    fe448_1(p->y);
+}
+
+/* Double the point on the Twisted Edwards curve. r = 2.p
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to double.
+ */
+static WC_INLINE void ge448_dbl(ge448_p2 *r,const ge448_p2 *p)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+
+    fe448_add(t0, p->X, p->Y);    /* t0 = B1 = X1+Y1     */
+    fe448_reduce(t0);
+    fe448_sqr(t0, t0);            /* t0 = B = (X1+Y1)^2  */
+    fe448_sqr(r->X, p->X);        /* r->X = C = X1^2     */
+    fe448_sqr(r->Y, p->Y);        /* r->Y = D = Y1^2     */
+    fe448_add(t1, r->X, r->Y);    /* t1 = E = C+D        */
+    fe448_reduce(t1);
+    fe448_sub(r->Y, r->X, r->Y);  /* r->Y = Y31 = C-D    */
+    fe448_sqr(r->Z, p->Z);        /* r->Z = H = Z1^2     */
+    fe448_add(r->Z, r->Z, r->Z);  /* r->Z = J1 = 2*H     */
+    fe448_sub(r->Z, t1, r->Z);    /* r->Z = J = E-2*H    */
+    fe448_reduce(r->Z);
+    fe448_sub(r->X, t0, t1);      /* r->X = X31 = B-E    */
+    fe448_mul(r->X, r->X, r->Z);  /* r->X = X3 = (B-E)*J */
+    fe448_mul(r->Y, r->Y, t1);    /* r->Y = Y3 = E*(C-D) */
+    fe448_mul(r->Z, t1, r->Z);    /* r->Z = Z3 = E*J     */
+}
+
+/* Add two point on the Twisted Edwards curve. r = p + q
+ * Second point has z-ordinate of 1.
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to add.
+ * q  [in]  Point to add.
+ */
+static WC_INLINE void ge448_madd(ge448_p2 *r, const ge448_p2 *p,
+                                 const ge448_precomp *q)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+    ge448 t2[GE448_WORDS];
+    ge448 t3[GE448_WORDS];
+    ge448 t4[GE448_WORDS];
+
+                                    /* p->Z = A                   */
+    fe448_mul(t1, p->X, q->x);      /* t1 = C = X1*X2             */
+    fe448_mul(t2, p->Y, q->y);      /* t2 = D = Y1*Y2             */
+    fe448_mul(t3, t1, t2);          /* t3 = E1 = C*D              */
+    fe448_mul39081(t3, t3);         /* t3 = E = d*C*D             */
+    fe448_sqr(t0, p->Z);            /* t0 = B = A^2               */
+    fe448_add(t4, t0, t3);          /* t4 = F = B-(-E)            */
+    fe448_sub(t0, t0, t3);          /* t0 = G = B+(-E)            */
+    fe448_reduce(t0);
+    fe448_add(r->X, p->X, p->Y);    /* r->X = H1 = X1+Y1          */
+    fe448_reduce(r->X);
+    fe448_add(r->Y, q->x, q->y);    /* r->Y = H2 = X2+Y2          */
+    fe448_reduce(r->Y);
+    fe448_mul(r->X, r->X, r->Y);    /* r->X = H = (X1+Y1)*(X2+Y2) */
+    fe448_sub(r->X, r->X, t1);      /* r->X = X31 = H-C           */
+    fe448_sub(r->X, r->X, t2);      /* r->X = X32 = H-C-D         */
+    fe448_reduce(r->X);
+    fe448_mul(r->X, r->X, t4);      /* r->X = X33 = F*(H-C-D)     */
+    fe448_mul(r->X, r->X, p->Z);    /* r->X = X3 = A*F*(H-C-D)    */
+    fe448_sub(r->Y, t2, t1);        /* r->Y = Y31 = D-C           */
+    fe448_reduce(r->Y);
+    fe448_mul(r->Y, r->Y, t0);      /* r->Y = Y32 = G*(D-C)       */
+    fe448_mul(r->Y, r->Y, p->Z);    /* r->Y = Y3 = A*F*(D-C)      */
+    fe448_mul(r->Z, t4, t0);        /* r->Z = Z3 = F*G            */
+}
+
+/* Subtract one point from another on the Twisted Edwards curve. r = p - q
+ * Second point has z-ordinate of 1.
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to subtract from.
+ * q  [in]  Point to subtract.
+ */
+static WC_INLINE void ge448_msub(ge448_p2 *r, const ge448_p2 *p,
+                                 const ge448_precomp *q)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+    ge448 t2[GE448_WORDS];
+    ge448 t3[GE448_WORDS];
+    ge448 t4[GE448_WORDS];
+
+                                    /* p->Z = A                   */
+    fe448_sqr(t0, p->Z);            /* t0 = B = A^2               */
+    fe448_mul(t1, p->X, q->x);      /* t1 = C = X1*X2             */
+    fe448_mul(t2, p->Y, q->y);      /* t2 = D = Y1*Y2             */
+    fe448_mul(t3, t1, t2);          /* t3 = E1 = C*D              */
+    fe448_mul39081(t3, t3);         /* t3 = E = d*C*D             */
+    fe448_sub(t4, t0, t3);          /* t4 = F = B-(--E)           */
+    fe448_add(t0, t0, t3);          /* t0 = G = B+(--E)           */
+    fe448_reduce(t0);
+    fe448_add(r->X, p->X, p->Y);    /* r->X = H1 = X1+Y1          */
+    fe448_reduce(r->X);
+    fe448_sub(r->Y, q->y, q->x);    /* r->Y = H2 = Y2+(-X2)       */
+    fe448_reduce(r->Y);
+    fe448_mul(r->X, r->X, r->Y);    /* r->X = H = (X1+Y1)*(X2+Y2) */
+    fe448_add(r->X, r->X, t1);      /* r->X = X31 = H-(-C)        */
+    fe448_sub(r->X, r->X, t2);      /* r->X = X32 = H-(-C)-D      */
+    fe448_reduce(r->X);
+    fe448_mul(r->X, r->X, t4);      /* r->X = X33 = F*(H-C-D)     */
+    fe448_mul(r->X, r->X, p->Z);    /* r->X = X3 = A*F*(H-C-D)    */
+    fe448_add(r->Y, t2, t1);        /* r->Y = Y31 = D-C           */
+    fe448_reduce(r->Y);
+    fe448_mul(r->Y, r->Y, t0);      /* r->Y = Y32 = G*(D-C)       */
+    fe448_mul(r->Y, r->Y, p->Z);    /* r->Y = Y3 = A*F*(D-C)      */
+    fe448_mul(r->Z, t4, t0);        /* r->Z = Z3 = F*G            */
+}
+
+/* Add two point on the Twisted Edwards curve. r = p + q
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to add.
+ * q  [in]  Point to add.
+ */
+static WC_INLINE void ge448_add(ge448_p2* r, const ge448_p2* p,
+                                const ge448_p2* q)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+    ge448 t2[GE448_WORDS];
+    ge448 t3[GE448_WORDS];
+    ge448 t4[GE448_WORDS];
+
+    fe448_mul(t1, p->X, q->X);      /* t1 = C = X1*X2             */
+    fe448_mul(t2, p->Y, q->Y);      /* t2 = D = Y1*Y2             */
+    fe448_mul(t3, t1, t2);          /* t3 = E1 = C*D              */
+    fe448_mul39081(t3, t3);         /* t3 = E = d*C*D             */
+    fe448_mul(r->Z, p->Z, q->Z);    /* r->Z = A = Z1*Z2           */
+    fe448_sqr(t0, r->Z);            /* t0 = B = A^2               */
+    fe448_add(t4, t0, t3);          /* t4 = F = B-(-E)            */
+    fe448_sub(t0, t0, t3);          /* t0 = G = B+(-E)            */
+    fe448_reduce(t0);
+    fe448_add(r->X, p->X, p->Y);    /* r->X = H1 = X1+Y1          */
+    fe448_reduce(r->X);
+    fe448_add(r->Y, q->X, q->Y);    /* r->Y = H2 = X2+Y2          */
+    fe448_reduce(r->Y);
+    fe448_mul(r->X, r->X, r->Y);    /* r->X = H = (X1+Y1)*(X2+Y2) */
+    fe448_sub(r->X, r->X, t1);      /* r->X = X31 = H-C           */
+    fe448_sub(r->X, r->X, t2);      /* r->X = X32 = H-C-D         */
+    fe448_reduce(r->X);
+    fe448_mul(r->X, r->X, t4);      /* r->X = X33 = F*(H-C-D)     */
+    fe448_mul(r->X, r->X, r->Z);    /* r->X = X3 = A*F*(H-C-D)    */
+    fe448_sub(r->Y, t2, t1);        /* r->Y = Y31 = D-C           */
+    fe448_reduce(r->Y);
+    fe448_mul(r->Y, r->Y, t0);      /* r->Y = Y32 = G*(D-C)       */
+    fe448_mul(r->Y, r->Y, r->Z);    /* r->Y = Y3 = A*F*(D-C)      */
+    fe448_mul(r->Z, t4, t0);        /* r->Z = Z3 = F*G            */
+}
+
+/* Subtract one point from another on the Twisted Edwards curve. r = p - q
+ *
+ * r  [in]  Point to hold result.
+ * p  [in]  Point to subtract from.
+ * q  [in]  Point to subtract.
+ */
+static WC_INLINE void ge448_sub(ge448_p2 *r, const ge448_p2 *p,
+                                const ge448_p2 *q)
+{
+    ge448 t0[GE448_WORDS];
+    ge448 t1[GE448_WORDS];
+    ge448 t2[GE448_WORDS];
+    ge448 t3[GE448_WORDS];
+    ge448 t4[GE448_WORDS];
+
+    fe448_mul(t1, p->X, q->X);      /* t1 = C = X1*X2             */
+    fe448_mul(t2, p->Y, q->Y);      /* t2 = D = Y1*Y2             */
+    fe448_mul(t3, t1, t2);          /* t3 = E1 = C*D              */
+    fe448_mul39081(t3, t3);         /* t3 = E = d*C*D             */
+    fe448_mul(r->Z, p->Z, q->Z);    /* r->Z = A = Z1*Z2           */
+    fe448_sqr(t0, p->Z);            /* t0 = B = A^2               */
+    fe448_sub(t4, t0, t3);          /* t4 = F = B-(--E)           */
+    fe448_add(t0, t0, t3);          /* t0 = G = B+(--E)           */
+    fe448_reduce(t0);
+    fe448_add(r->X, p->X, p->Y);    /* r->X = H1 = X1+Y1          */
+    fe448_reduce(r->X);
+    fe448_sub(r->Y, q->Y, q->X);    /* r->Y = H2 = Y2+(-X2)       */
+    fe448_reduce(r->Y);
+    fe448_mul(r->X, r->X, r->Y);    /* r->X = H = (X1+Y1)*(X2+Y2) */
+    fe448_add(r->X, r->X, t1);      /* r->X = X31 = H-(-C)        */
+    fe448_sub(r->X, r->X, t2);      /* r->X = X32 = H-(-C)-D      */
+    fe448_reduce(r->X);
+    fe448_mul(r->X, r->X, t4);      /* r->X = X33 = F*(H-C-D)     */
+    fe448_mul(r->X, r->X, r->Z);    /* r->X = X3 = A*F*(H-C-D)    */
+    fe448_add(r->Y, t2, t1);        /* r->Y = Y31 = D-C           */
+    fe448_reduce(r->Y);
+    fe448_mul(r->Y, r->Y, t0);      /* r->Y = Y32 = G*(D-C)       */
+    fe448_mul(r->Y, r->Y, r->Z);    /* r->Y = Y3 = A*F*(D-C)      */
+    fe448_mul(r->Z, t4, t0);        /* r->Z = Z3 = F*G            */
+}
+
+/* Convert point to byte array assuming projective ordinates.
+ *
+ * b  [in]  Array of bytes to hold compressed point.
+ * p  [in]  Point to convert.
+ */
+void ge448_to_bytes(uint8_t *b, const ge448_p2 *p)
+{
+    ge448 recip[GE448_WORDS];
+    ge448 x[GE448_WORDS];
+    ge448 y[GE448_WORDS];
+
+    fe448_invert(recip, p->Z);
+    fe448_mul(x, p->X, recip);
+    fe448_mul(y, p->Y, recip);
+    fe448_to_bytes(b, y);
+    b[56] = fe448_isnegative(x) << 7;
+}
+
+/* Convert point to byte array assuming z is 1.
+ *
+ * b  [in]  Array of bytes to hold compressed point.
+ * p  [in]  Point to convert.
+ */
+static void ge448_p2z1_to_bytes(uint8_t *b, const ge448_p2 *p)
+{
+    fe448_to_bytes(b, p->Y);
+    b[56] = fe448_isnegative(p->X) << 7;
+}
+
+/* Compress the point to y-ordinate and negative bit.
+ *
+ * out    [in]  Array of bytes to hold compressed key.
+ * xIn    [in]  The x-ordinate.
+ * yIn    [in]  The y-ordinate.
+ */
+int ge448_compress_key(uint8_t* out, const uint8_t* xIn, const uint8_t* yIn)
+{
+    ge448_p2  g;
+    uint8_t   bArray[ED448_KEY_SIZE];
+    uint32_t  i;
+
+    fe448_from_bytes(g.X, xIn);
+    fe448_from_bytes(g.Y, yIn);
+    fe448_1(g.Z);
+
+    ge448_p2z1_to_bytes(bArray, &g);
+
+    for (i = 0; i < 57; i++) {
+        out[57 - 1 - i] = bArray[i];
+    }
+
+    return 0;
+}
+
+/* Determine whether the value is negative.
+ *
+ * b  [in]  An 8-bit signed value.
+ * returns 1 when negative and 0 otherwise.
+ */
+static uint8_t negative(int8_t b)
+{
+    return ((uint8_t)b) >> 7;
+}
+
+/* Determine whether two values are equal. a == b
+ * Constant time implementation.
+ *
+ * a  [in]  An 8-bit unsigned value.
+ * b  [in]  An 8-bit unsigned value.
+ * returns 1 when equal and 0 otherwise.
+ */
+static uint8_t equal(uint8_t a, uint8_t b)
+{
+    return (uint8_t)(((uint32_t)(a ^ b) - 1) >> 31);
+}
+
+/* Conditional move the point into result point if two values are equal.
+ * Constant time implementation.
+ *
+ * f  [in]  Point to conditionally overwrite.
+ * p  [in]  Point to conditionally copy.
+ * b  [in]  An 8-bit unsigned value.
+ * n  [in]  An 8-bit unsigned value.
+ */
+static WC_INLINE void cmov(ge448_precomp* r, const ge448_precomp* p, uint8_t b,
+                           uint8_t n)
+{
+    b = equal(b, n);
+    fe448_cmov(r->x, p->x, b);
+    fe448_cmov(r->y, p->y, b);
+}
+
+/* Select one of the entries from the precomputed table and negate if required.
+ * Constant time implementation.
+ *
+ * r    [in]  Point to hold chosen point.
+ * pos  [in]  Position of array of entries to choose from.
+ * b    [in]  Index of point to select. -ve value means negate the point.
+ */
+static void ge448_select(ge448_precomp* r, int pos, int8_t b)
+{
+    ge448 minusx[16];
+    uint8_t bnegative = negative(b);
+    uint8_t babs = b - (((-bnegative) & b) << 1);
+
+    ge448_precomp_0(r);
+    cmov(r, &base[pos][0], babs, 1);
+    cmov(r, &base[pos][1], babs, 2);
+    cmov(r, &base[pos][2], babs, 3);
+    cmov(r, &base[pos][3], babs, 4);
+    cmov(r, &base[pos][4], babs, 5);
+    cmov(r, &base[pos][5], babs, 6);
+    cmov(r, &base[pos][6], babs, 7);
+    cmov(r, &base[pos][7], babs, 8);
+    fe448_neg(minusx, r->x);
+    fe448_cmov(r->x, minusx, bnegative);
+}
+
+/* Perform a scalar multiplication of the base point. r = a * base
+ *
+ * r  [in]  Point to hold result.
+ * a  [in]  Scalar to multiply by.
+ */
+void ge448_scalarmult_base(ge448_p2* r, const uint8_t* a)
+{
+    int8_t        carry;
+    ge448_precomp t;
+    int           i;
+    int8_t        e[113];
+
+    carry = 0;
+    for (i = 0; i < 56; ++i) {
+        e[2 * i + 0] = ((a[i] >> 0) & 0xf) + carry;
+        carry = e[2 * i + 0] + 8;
+        carry >>= 4;
+        e[2 * i + 0] -= carry << 4;
+
+        e[2 * i + 1] = ((a[i] >> 4) & 0xf) + carry;
+        carry = e[2 * i + 1] + 8;
+        carry >>= 4;
+        e[2 * i + 1] -= carry << 4;
+    }
+    e[112] = carry;
+    /* each e[i] is between -8 and 8 */
+
+    /* Odd indeces first - sum based on even index so multiply by 16 */
+    ge448_select(&t, 0, e[1]);
+    fe448_copy(r->X, t.x);
+    fe448_copy(r->Y, t.y);
+    fe448_1(r->Z);
+    for (i = 3; i < 112; i += 2) {
+        ge448_select(&t, i / 2, e[i]);
+        ge448_madd(r, r, &t);
+    }
+
+    ge448_dbl(r, r);
+    ge448_dbl(r, r);
+    ge448_dbl(r, r);
+    ge448_dbl(r, r);
+
+    /* Add even indeces */
+    for (i = 0; i <= 112; i += 2) {
+        ge448_select(&t, i / 2, e[i]);
+        ge448_madd(r, r, &t);
+    }
+}
+
+/* Create to a sliding window for the scalar multiplicaton.
+ *
+ * r  [in]  Array of indeces.
+ * a  [in]  Scalar to break up.
+ */
+static void slide(int8_t *r, const uint8_t *a)
+{
+    int i;
+    int b;
+    int k;
+
+    for (i = 0; i < 448; ++i) {
+        r[i] = (a[i >> 3] >> (i & 7)) & 1;
+    }
+
+    for (i = 0; i < 448; ++i) {
+        if (r[i] == 0) {
+            continue;
+        }
+
+        for (b = 1; b <= 7 && i + b < 448; ++b) {
+            if (r[i + b] == 0) {
+                continue;
+            }
+
+            if (r[i] + (r[i + b] << b) <= 31) {
+                r[i] += r[i + b] << b; r[i + b] = 0;
+            }
+            else if (r[i] - (r[i + b] << b) >= -31) {
+                r[i] -= r[i + b] << b;
+                for (k = i + b; k < 448; ++k) {
+                    if (!r[k]) {
+                        r[k] = 1;
+                        break;
+                    }
+                    r[k] = 0;
+                }
+            }
+            else {
+                break;
+            }
+        }
+    }
+}
+
+/* Perform a scalar multplication of the base point and public point.
+ *   r = a * p + b * base
+ * Uses a sliding window of 5 bits.
+ * Not constant time.
+ *
+ * r  [in]  Point to hold result.
+ * a  [in]  Scalar to multiply by.
+ */
+int ge448_double_scalarmult_vartime(ge448_p2 *r, const uint8_t *a,
+                                    const ge448_p2 *p, const uint8_t *b)
+{
+    int8_t       aslide[448];
+    int8_t       bslide[448];
+    ge448_p2     pi[16]; /* p,3p,..,31p */
+    ge448_p2     p2;
+    int          i;
+
+    slide(aslide, a);
+    slide(bslide, b);
+
+    fe448_copy(pi[0].X, p->X);
+    fe448_copy(pi[0].Y, p->Y);
+    fe448_copy(pi[0].Z, p->Z);
+    ge448_dbl(&p2, p);
+    ge448_add(&pi[1], &p2, &pi[0]);
+    ge448_add(&pi[2], &p2, &pi[1]);
+    ge448_add(&pi[3], &p2, &pi[2]);
+    ge448_add(&pi[4], &p2, &pi[3]);
+    ge448_add(&pi[5], &p2, &pi[4]);
+    ge448_add(&pi[6], &p2, &pi[5]);
+    ge448_add(&pi[7], &p2, &pi[6]);
+    ge448_add(&pi[8], &p2, &pi[7]);
+    ge448_add(&pi[9], &p2, &pi[8]);
+    ge448_add(&pi[10], &p2, &pi[9]);
+    ge448_add(&pi[11], &p2, &pi[10]);
+    ge448_add(&pi[12], &p2, &pi[11]);
+    ge448_add(&pi[13], &p2, &pi[12]);
+    ge448_add(&pi[14], &p2, &pi[13]);
+    ge448_add(&pi[15], &p2, &pi[14]);
+
+    ge448_0(r);
+
+    /* Find first index that is not 0. */
+    for (i = 447; i >= 0; --i) {
+        if (aslide[i] || bslide[i]) {
+            break;
+        }
+    }
+
+    for (; i >= 0; --i) {
+        ge448_dbl(r, r);
+
+        if (aslide[i] > 0)
+            ge448_add(r, r, &pi[aslide[i]/2]);
+        else if (aslide[i] < 0)
+            ge448_sub(r, r ,&pi[(-aslide[i])/2]);
+
+        if (bslide[i] > 0)
+            ge448_madd(r, r, &base_i[bslide[i]/2]);
+        else if (bslide[i] < 0)
+            ge448_msub(r, r, &base_i[(-bslide[i])/2]);
+    }
+
+    return 0;
+}
+
+/* Convert compressed point to negative of affine point.
+ * Calculates x from the y and the negative bit.
+ * Not constant time.
+ *
+ * r  [in]  Uncompressed point.
+ * b  [in]  Array of bytes representing point.
+ * returns 0 on success and -1 on failure.
+ */
+int ge448_from_bytes_negate_vartime(ge448_p2 *r, const uint8_t *b)
+{
+    int   ret = 0;
+    ge448 u[GE448_WORDS];
+    ge448 v[GE448_WORDS];
+    ge448 u3[GE448_WORDS];
+    ge448 vxx[GE448_WORDS];
+    ge448 check[GE448_WORDS];
+
+    fe448_from_bytes(r->Y, b);
+    fe448_1(r->Z);
+    fe448_sqr(u, r->Y);                /* u = y^2                      */
+    fe448_mul39081(v, u);              /* v = 39081.y^2                */
+    fe448_sub(u, u, r->Z);             /* u = y^2-1                    */
+    fe448_reduce(u);
+    fe448_add(v, v, r->Z);             /* v = 39081.y^2-1              */
+    fe448_reduce(v);
+    fe448_neg(v, v);                   /* v = -39081.y^2-1 = d.y^2-1   */
+
+    fe448_sqr(r->X, v);                /* x = v^2                      */
+    fe448_mul(r->X, r->X, v);          /* x = v^3                      */
+    fe448_sqr(u3, u);                  /* x = u^2.v^3                  */
+    fe448_mul(r->X, r->X, u3);         /* x = u^2.v^3                  */
+    fe448_mul(u3, u3, u);              /* u3 = u^3                     */
+    fe448_mul(r->X, r->X, u3);         /* x = u^5.v^3                  */
+
+    fe448_pow_2_446_222_1(r->X, r->X); /* x = (u^5.v^3)^((q-3)/4)      */
+    fe448_mul(r->X, r->X, u3);         /* x = u^3(u^5.v^3)^((q-3)/4)   */
+    fe448_mul(r->X, r->X, v);          /* x = u^3.v(u^5.v^3)^((q-3)/4) */
+
+    fe448_sqr(vxx, r->X);
+    fe448_mul(vxx, vxx, v);
+    fe448_sub(check, vxx, u);          /* check = v.x^2-u              */
+    fe448_reduce(check);
+    /* Note; vx^2+u is NOT correct. */
+    if (fe448_isnonzero(check)) {
+        ret = -1;
+    }
+
+    /* Calculating negative of point in bytes - negate only if X is correct. */
+    if (fe448_isnegative(r->X) == (b[56] >> 7)) {
+        fe448_neg(r->X, r->X);
+    }
+
+    return ret;
+}
+
+#endif /* ED448_SMALL */
+#endif /* HAVE_CURVE448 || HAVE_ED448 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_low_mem.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_low_mem.c
index 43c533c69..3b72b96cc 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_low_mem.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_low_mem.c
@@ -1,8 +1,8 @@
 /* ge_low_mem.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
  /* Based from Daniel Beer's public domain work. */
 
 #ifdef HAVE_CONFIG_H
@@ -28,12 +29,14 @@
 #include <wolfssl/wolfcrypt/settings.h>
 
 #ifdef HAVE_ED25519
+#ifdef ED25519_SMALL /* use slower code that takes less memory */
 
 #include <wolfssl/wolfcrypt/ge_operations.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -43,10 +46,10 @@ void ed25519_double(ge_p3 *r, const ge_p3 *a);
 
 
 static const byte ed25519_order[F25519_SIZE] = {
-	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
-	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
 };
 
 /*Arithmetic modulo the group order m = 2^252 +
@@ -69,16 +72,16 @@ static const word32 mu[33] = {
 int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
                         word32 keySz)
 {
-	byte tmp[F25519_SIZE];
-	byte parity;
+    byte tmp[F25519_SIZE];
+    byte parity;
+    byte pt[32];
     int     i;
 
-	fe_copy(tmp, xIn);
-	parity = (tmp[0] & 1) << 7;
+    lm_copy(tmp, xIn);
+    parity = (tmp[0] & 1) << 7;
 
-    byte pt[32];
-	fe_copy(pt, yIn);
-	pt[31] |= parity;
+    lm_copy(pt, yIn);
+    pt[31] |= parity;
 
     for(i = 0; i < 32; i++) {
         out[32-i-1] = pt[i];
@@ -90,7 +93,7 @@ int ge_compress_key(byte* out, const byte* xIn, const byte* yIn,
 
 static word32 lt(word32 a,word32 b) /* 16-bit inputs */
 {
-  unsigned int x = a;
+  word32 x = a;
   x -= (unsigned int) b; /* 0..65535: no; 4294901761..4294967295: yes */
   x >>= 31; /* 0: no; 1: yes */
   return x;
@@ -187,20 +190,20 @@ void sc_reduce(unsigned char x[64])
 void sc_muladd(byte* out, const byte* a, const byte* b, const byte* c)
 {
 
-	byte s[32];
+    byte s[32];
     byte e[64];
 
     XMEMSET(e, 0, sizeof(e));
     XMEMCPY(e, b, 32);
 
-	/* Obtain e */
-	sc_reduce(e);
+    /* Obtain e */
+    sc_reduce(e);
 
-	/* Compute s = ze + k */
-	fprime_mul(s, a, e, ed25519_order);
-	fprime_add(s, c, ed25519_order);
+    /* Compute s = ze + k */
+    fprime_mul(s, a, e, ed25519_order);
+    fprime_add(s, c, ed25519_order);
 
-	XMEMCPY(out, s, 32);
+    XMEMCPY(out, s, 32);
 }
 
 
@@ -216,315 +219,317 @@ void sc_muladd(byte* out, const byte* a, const byte* b, const byte* c)
  * t is x*y.
  */
 const ge_p3 ed25519_base = {
-	.X = {
-		0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
-		0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
-		0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
-		0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
-	},
-	.Y = {
-		0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-		0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-		0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-		0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66
-	},
-	.T = {
-		0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
-		0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
-		0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
-		0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67
-	},
-	.Z = {1, 0}
+    {
+        0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9,
+        0xb2, 0xa7, 0x25, 0x95, 0x60, 0xc7, 0x2c, 0x69,
+        0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
+        0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
+    },
+    {
+        0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66
+    },
+    {1, 0},
+    {
+        0xa3, 0xdd, 0xb7, 0xa5, 0xb3, 0x8a, 0xde, 0x6d,
+        0xf5, 0x52, 0x51, 0x77, 0x80, 0x9f, 0xf0, 0x20,
+        0x7d, 0xe3, 0xab, 0x64, 0x8e, 0x4e, 0xea, 0x66,
+        0x65, 0x76, 0x8b, 0xd7, 0x0f, 0x5f, 0x87, 0x67
+    },
+
 };
 
 
 const ge_p3 ed25519_neutral = {
-	.X = {0},
-	.Y = {1, 0},
-	.T = {0},
-	.Z = {1, 0}
+    {0},
+    {1, 0},
+    {1, 0},
+    {0},
+
 };
 
 
 static const byte ed25519_d[F25519_SIZE] = {
-	0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
-	0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
-	0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
-	0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
+    0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
+    0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
+    0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
+    0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
 };
 
 
 /* k = 2d */
 static const byte ed25519_k[F25519_SIZE] = {
-	0x59, 0xf1, 0xb2, 0x26, 0x94, 0x9b, 0xd6, 0xeb,
-	0x56, 0xb1, 0x83, 0x82, 0x9a, 0x14, 0xe0, 0x00,
-	0x30, 0xd1, 0xf3, 0xee, 0xf2, 0x80, 0x8e, 0x19,
-	0xe7, 0xfc, 0xdf, 0x56, 0xdc, 0xd9, 0x06, 0x24
+    0x59, 0xf1, 0xb2, 0x26, 0x94, 0x9b, 0xd6, 0xeb,
+    0x56, 0xb1, 0x83, 0x82, 0x9a, 0x14, 0xe0, 0x00,
+    0x30, 0xd1, 0xf3, 0xee, 0xf2, 0x80, 0x8e, 0x19,
+    0xe7, 0xfc, 0xdf, 0x56, 0xdc, 0xd9, 0x06, 0x24
 };
 
 
 void ed25519_add(ge_p3 *r,
-		 const ge_p3 *p1, const ge_p3 *p2)
+         const ge_p3 *p1, const ge_p3 *p2)
 {
-	/* Explicit formulas database: add-2008-hwcd-3
-	 *
-	 * source 2008 Hisil--Wong--Carter--Dawson,
-	 *     http://eprint.iacr.org/2008/522, Section 3.1
-	 * appliesto extended-1
-	 * parameter k
-	 * assume k = 2 d
-	 * compute A = (Y1-X1)(Y2-X2)
-	 * compute B = (Y1+X1)(Y2+X2)
-	 * compute C = T1 k T2
-	 * compute D = Z1 2 Z2
-	 * compute E = B - A
-	 * compute F = D - C
-	 * compute G = D + C
-	 * compute H = B + A
-	 * compute X3 = E F
-	 * compute Y3 = G H
-	 * compute T3 = E H
-	 * compute Z3 = F G
-	 */
-	byte a[F25519_SIZE];
-	byte b[F25519_SIZE];
-	byte c[F25519_SIZE];
-	byte d[F25519_SIZE];
-	byte e[F25519_SIZE];
-	byte f[F25519_SIZE];
-	byte g[F25519_SIZE];
-	byte h[F25519_SIZE];
-
-	/* A = (Y1-X1)(Y2-X2) */
-	fe_sub(c, p1->Y, p1->X);
-	fe_sub(d, p2->Y, p2->X);
-	fe_mul__distinct(a, c, d);
-
-	/* B = (Y1+X1)(Y2+X2) */
-	fe_add(c, p1->Y, p1->X);
-	fe_add(d, p2->Y, p2->X);
-	fe_mul__distinct(b, c, d);
-
-	/* C = T1 k T2 */
-	fe_mul__distinct(d, p1->T, p2->T);
-	fe_mul__distinct(c, d, ed25519_k);
-
-	/* D = Z1 2 Z2 */
-	fe_mul__distinct(d, p1->Z, p2->Z);
-	fe_add(d, d, d);
-
-	/* E = B - A */
-	fe_sub(e, b, a);
-
-	/* F = D - C */
-	fe_sub(f, d, c);
-
-	/* G = D + C */
-	fe_add(g, d, c);
-
-	/* H = B + A */
-	fe_add(h, b, a);
-
-	/* X3 = E F */
-	fe_mul__distinct(r->X, e, f);
-
-	/* Y3 = G H */
-	fe_mul__distinct(r->Y, g, h);
-
-	/* T3 = E H */
-	fe_mul__distinct(r->T, e, h);
-
-	/* Z3 = F G */
-	fe_mul__distinct(r->Z, f, g);
+    /* Explicit formulas database: add-2008-hwcd-3
+     *
+     * source 2008 Hisil--Wong--Carter--Dawson,
+     *     http://eprint.iacr.org/2008/522, Section 3.1
+     * appliesto extended-1
+     * parameter k
+     * assume k = 2 d
+     * compute A = (Y1-X1)(Y2-X2)
+     * compute B = (Y1+X1)(Y2+X2)
+     * compute C = T1 k T2
+     * compute D = Z1 2 Z2
+     * compute E = B - A
+     * compute F = D - C
+     * compute G = D + C
+     * compute H = B + A
+     * compute X3 = E F
+     * compute Y3 = G H
+     * compute T3 = E H
+     * compute Z3 = F G
+     */
+    byte a[F25519_SIZE];
+    byte b[F25519_SIZE];
+    byte c[F25519_SIZE];
+    byte d[F25519_SIZE];
+    byte e[F25519_SIZE];
+    byte f[F25519_SIZE];
+    byte g[F25519_SIZE];
+    byte h[F25519_SIZE];
+
+    /* A = (Y1-X1)(Y2-X2) */
+    lm_sub(c, p1->Y, p1->X);
+    lm_sub(d, p2->Y, p2->X);
+    fe_mul__distinct(a, c, d);
+
+    /* B = (Y1+X1)(Y2+X2) */
+    lm_add(c, p1->Y, p1->X);
+    lm_add(d, p2->Y, p2->X);
+    fe_mul__distinct(b, c, d);
+
+    /* C = T1 k T2 */
+    fe_mul__distinct(d, p1->T, p2->T);
+    fe_mul__distinct(c, d, ed25519_k);
+
+    /* D = Z1 2 Z2 */
+    fe_mul__distinct(d, p1->Z, p2->Z);
+    lm_add(d, d, d);
+
+    /* E = B - A */
+    lm_sub(e, b, a);
+
+    /* F = D - C */
+    lm_sub(f, d, c);
+
+    /* G = D + C */
+    lm_add(g, d, c);
+
+    /* H = B + A */
+    lm_add(h, b, a);
+
+    /* X3 = E F */
+    fe_mul__distinct(r->X, e, f);
+
+    /* Y3 = G H */
+    fe_mul__distinct(r->Y, g, h);
+
+    /* T3 = E H */
+    fe_mul__distinct(r->T, e, h);
+
+    /* Z3 = F G */
+    fe_mul__distinct(r->Z, f, g);
 }
 
 
 void ed25519_double(ge_p3 *r, const ge_p3 *p)
 {
-	/* Explicit formulas database: dbl-2008-hwcd
-	 *
-	 * source 2008 Hisil--Wong--Carter--Dawson,
-	 *     http://eprint.iacr.org/2008/522, Section 3.3
-	 * compute A = X1^2
-	 * compute B = Y1^2
-	 * compute C = 2 Z1^2
-	 * compute D = a A
-	 * compute E = (X1+Y1)^2-A-B
-	 * compute G = D + B
-	 * compute F = G - C
-	 * compute H = D - B
-	 * compute X3 = E F
-	 * compute Y3 = G H
-	 * compute T3 = E H
-	 * compute Z3 = F G
-	 */
-	byte a[F25519_SIZE];
-	byte b[F25519_SIZE];
-	byte c[F25519_SIZE];
-	byte e[F25519_SIZE];
-	byte f[F25519_SIZE];
-	byte g[F25519_SIZE];
-	byte h[F25519_SIZE];
-
-	/* A = X1^2 */
-	fe_mul__distinct(a, p->X, p->X);
-
-	/* B = Y1^2 */
-	fe_mul__distinct(b, p->Y, p->Y);
-
-	/* C = 2 Z1^2 */
-	fe_mul__distinct(c, p->Z, p->Z);
-	fe_add(c, c, c);
-
-	/* D = a A (alter sign) */
-	/* E = (X1+Y1)^2-A-B */
-	fe_add(f, p->X, p->Y);
-	fe_mul__distinct(e, f, f);
-	fe_sub(e, e, a);
-	fe_sub(e, e, b);
-
-	/* G = D + B */
-	fe_sub(g, b, a);
-
-	/* F = G - C */
-	fe_sub(f, g, c);
-
-	/* H = D - B */
-	fe_neg(h, b);
-	fe_sub(h, h, a);
-
-	/* X3 = E F */
-	fe_mul__distinct(r->X, e, f);
-
-	/* Y3 = G H */
-	fe_mul__distinct(r->Y, g, h);
-
-	/* T3 = E H */
-	fe_mul__distinct(r->T, e, h);
-
-	/* Z3 = F G */
-	fe_mul__distinct(r->Z, f, g);
+    /* Explicit formulas database: dbl-2008-hwcd
+     *
+     * source 2008 Hisil--Wong--Carter--Dawson,
+     *     http://eprint.iacr.org/2008/522, Section 3.3
+     * compute A = X1^2
+     * compute B = Y1^2
+     * compute C = 2 Z1^2
+     * compute D = a A
+     * compute E = (X1+Y1)^2-A-B
+     * compute G = D + B
+     * compute F = G - C
+     * compute H = D - B
+     * compute X3 = E F
+     * compute Y3 = G H
+     * compute T3 = E H
+     * compute Z3 = F G
+     */
+    byte a[F25519_SIZE];
+    byte b[F25519_SIZE];
+    byte c[F25519_SIZE];
+    byte e[F25519_SIZE];
+    byte f[F25519_SIZE];
+    byte g[F25519_SIZE];
+    byte h[F25519_SIZE];
+
+    /* A = X1^2 */
+    fe_mul__distinct(a, p->X, p->X);
+
+    /* B = Y1^2 */
+    fe_mul__distinct(b, p->Y, p->Y);
+
+    /* C = 2 Z1^2 */
+    fe_mul__distinct(c, p->Z, p->Z);
+    lm_add(c, c, c);
+
+    /* D = a A (alter sign) */
+    /* E = (X1+Y1)^2-A-B */
+    lm_add(f, p->X, p->Y);
+    fe_mul__distinct(e, f, f);
+    lm_sub(e, e, a);
+    lm_sub(e, e, b);
+
+    /* G = D + B */
+    lm_sub(g, b, a);
+
+    /* F = G - C */
+    lm_sub(f, g, c);
+
+    /* H = D - B */
+    lm_neg(h, b);
+    lm_sub(h, h, a);
+
+    /* X3 = E F */
+    fe_mul__distinct(r->X, e, f);
+
+    /* Y3 = G H */
+    fe_mul__distinct(r->Y, g, h);
+
+    /* T3 = E H */
+    fe_mul__distinct(r->T, e, h);
+
+    /* Z3 = F G */
+    fe_mul__distinct(r->Z, f, g);
 }
 
 
 void ed25519_smult(ge_p3 *r_out, const ge_p3 *p, const byte *e)
 {
-	ge_p3 r;
-	int   i;
+    ge_p3 r;
+    int   i;
 
     XMEMCPY(&r, &ed25519_neutral, sizeof(r));
 
-	for (i = 255; i >= 0; i--) {
-		const byte bit = (e[i >> 3] >> (i & 7)) & 1;
-		ge_p3 s;
+    for (i = 255; i >= 0; i--) {
+        const byte bit = (e[i >> 3] >> (i & 7)) & 1;
+        ge_p3 s;
 
-		ed25519_double(&r, &r);
-		ed25519_add(&s, &r, p);
+        ed25519_double(&r, &r);
+        ed25519_add(&s, &r, p);
 
-		fe_select(r.X, r.X, s.X, bit);
-		fe_select(r.Y, r.Y, s.Y, bit);
-		fe_select(r.Z, r.Z, s.Z, bit);
-		fe_select(r.T, r.T, s.T, bit);
-	}
+        fe_select(r.X, r.X, s.X, bit);
+        fe_select(r.Y, r.Y, s.Y, bit);
+        fe_select(r.Z, r.Z, s.Z, bit);
+        fe_select(r.T, r.T, s.T, bit);
+    }
     XMEMCPY(r_out, &r, sizeof(r));
 }
 
 
 void ge_scalarmult_base(ge_p3 *R,const unsigned char *nonce)
 {
-	ed25519_smult(R, &ed25519_base, nonce);
+    ed25519_smult(R, &ed25519_base, nonce);
 }
 
 
 /* pack the point h into array s */
 void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
 {
-	byte x[F25519_SIZE];
-	byte y[F25519_SIZE];
-	byte z1[F25519_SIZE];
-	byte parity;
-
-	fe_inv__distinct(z1, h->Z);
-	fe_mul__distinct(x, h->X, z1);
-	fe_mul__distinct(y, h->Y, z1);
-
-	fe_normalize(x);
-	fe_normalize(y);
-
-	parity = (x[0] & 1) << 7;
-	fe_copy(s, y);
-	fe_normalize(s);
-	s[31] |= parity;
+    byte x[F25519_SIZE];
+    byte y[F25519_SIZE];
+    byte z1[F25519_SIZE];
+    byte parity;
+
+    fe_inv__distinct(z1, h->Z);
+    fe_mul__distinct(x, h->X, z1);
+    fe_mul__distinct(y, h->Y, z1);
+
+    fe_normalize(x);
+    fe_normalize(y);
+
+    parity = (x[0] & 1) << 7;
+    lm_copy(s, y);
+    fe_normalize(s);
+    s[31] |= parity;
 }
 
 
 /* pack the point h into array s */
 void ge_tobytes(unsigned char *s,const ge_p2 *h)
 {
-	byte x[F25519_SIZE];
-	byte y[F25519_SIZE];
-	byte z1[F25519_SIZE];
-	byte parity;
-
-	fe_inv__distinct(z1, h->Z);
-	fe_mul__distinct(x, h->X, z1);
-	fe_mul__distinct(y, h->Y, z1);
-
-	fe_normalize(x);
-	fe_normalize(y);
-
-	parity = (x[0] & 1) << 7;
-	fe_copy(s, y);
-	fe_normalize(s);
-	s[31] |= parity;
+    byte x[F25519_SIZE];
+    byte y[F25519_SIZE];
+    byte z1[F25519_SIZE];
+    byte parity;
+
+    fe_inv__distinct(z1, h->Z);
+    fe_mul__distinct(x, h->X, z1);
+    fe_mul__distinct(y, h->Y, z1);
+
+    fe_normalize(x);
+    fe_normalize(y);
+
+    parity = (x[0] & 1) << 7;
+    lm_copy(s, y);
+    fe_normalize(s);
+    s[31] |= parity;
 }
 
 
 /*
-   Test if the public key can be uncommpressed and negate it (-X,Y,Z,-T)
+   Test if the public key can be uncompressed and negate it (-X,Y,Z,-T)
    return 0 on success
  */
 int ge_frombytes_negate_vartime(ge_p3 *p,const unsigned char *s)
 {
 
-	byte parity;
+    byte parity;
     byte x[F25519_SIZE];
-	byte y[F25519_SIZE];
-	byte a[F25519_SIZE];
-	byte b[F25519_SIZE];
-	byte c[F25519_SIZE];
+    byte y[F25519_SIZE];
+    byte a[F25519_SIZE];
+    byte b[F25519_SIZE];
+    byte c[F25519_SIZE];
     int ret = 0;
 
     /* unpack the key s */
     parity = s[31] >> 7;
-    fe_copy(y, s);
-	y[31] &= 127;
+    lm_copy(y, s);
+    y[31] &= 127;
 
-	fe_mul__distinct(c, y, y);
+    fe_mul__distinct(c, y, y);
     fe_mul__distinct(b, c, ed25519_d);
-	fe_add(a, b, f25519_one);
-	fe_inv__distinct(b, a);
-	fe_sub(a, c, f25519_one);
-	fe_mul__distinct(c, a, b);
-	fe_sqrt(a, c);
-	fe_neg(b, a);
-	fe_select(x, a, b, (a[0] ^ parity) & 1);
+    lm_add(a, b, f25519_one);
+    fe_inv__distinct(b, a);
+    lm_sub(a, c, f25519_one);
+    fe_mul__distinct(c, a, b);
+    fe_sqrt(a, c);
+    lm_neg(b, a);
+    fe_select(x, a, b, (a[0] ^ parity) & 1);
 
     /* test that x^2 is equal to c */
     fe_mul__distinct(a, x, x);
-	fe_normalize(a);
-	fe_normalize(c);
-	ret |= ConstantCompare(a, c, F25519_SIZE);
+    fe_normalize(a);
+    fe_normalize(c);
+    ret |= ConstantCompare(a, c, F25519_SIZE);
 
     /* project the key s onto p */
-	fe_copy(p->X, x);
-	fe_copy(p->Y, y);
-	fe_load(p->Z, 1);
-	fe_mul__distinct(p->T, x, y);
+    lm_copy(p->X, x);
+    lm_copy(p->Y, y);
+    fe_load(p->Z, 1);
+    fe_mul__distinct(p->T, x, y);
 
     /* negate, the point becomes (-X,Y,Z,-T) */
-    fe_neg(p->X,p->X);
-    fe_neg(p->T,p->T);
+    lm_neg(p->X,p->X);
+    lm_neg(p->T,p->T);
 
     return ret;
 }
@@ -542,17 +547,17 @@ int ge_double_scalarmult_vartime(ge_p2* R, const unsigned char *h,
     ed25519_smult(&p, &ed25519_base, sig);
 
     /* find H(R,A,M) * -A */
-	ed25519_smult(&A, &A, h);
+    ed25519_smult(&A, &A, h);
 
     /* SB + -H(R,A,M)A */
-	ed25519_add(&A, &p, &A);
+    ed25519_add(&A, &p, &A);
 
-    fe_copy(R->X, A.X);
-    fe_copy(R->Y, A.Y);
-    fe_copy(R->Z, A.Z);
+    lm_copy(R->X, A.X);
+    lm_copy(R->Y, A.Y);
+    lm_copy(R->Z, A.Z);
 
     return ret;
 }
 
+#endif /* ED25519_SMALL */
 #endif /* HAVE_ED25519 */
-
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_operations.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_operations.c
index 665cfe89b..73fa06e35 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_operations.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ge_operations.c
@@ -1,8 +1,8 @@
 /* ge_operations.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
  /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
 
 
@@ -29,19 +30,52 @@
 #include <wolfssl/wolfcrypt/settings.h>
 
 #ifdef HAVE_ED25519
+#ifndef ED25519_SMALL /* run when not defined to use small memory math */
 
 #include <wolfssl/wolfcrypt/ge_operations.h>
+#include <wolfssl/wolfcrypt/ed25519.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#if defined(CURVED25519_X64)
+    #define CURVED25519_ASM_64BIT
+    #define CURVED25519_ASM
+#endif
+#if defined(WOLFSSL_ARMASM)
+    #if defined(__aarch64__)
+        #define CURVED25519_ASM_64BIT
+    #else
+        #define CURVED25519_ASM_32BIT
+    #endif
+    #define CURVED25519_ASM
+#endif
+
+
+static void ge_p2_0(ge_p2 *);
+#ifndef CURVED25519_ASM
+static void ge_precomp_0(ge_precomp *);
+#endif
+static void ge_p3_to_p2(ge_p2 *,const ge_p3 *);
+static void ge_p3_to_cached(ge_cached *,const ge_p3 *);
+static void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *);
+static void ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *);
+static void ge_p2_dbl(ge_p1p1 *,const ge_p2 *);
+static void ge_p3_dbl(ge_p1p1 *,const ge_p3 *);
+
+static void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+static void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+static void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+static void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+
 /*
 ge means group element.
 
-Here the group is the set of pairs (x,y) of field elements (see fe.h)
+Here the group is the set of pairs (x,y) of field elements (see ge_operations.h)
 satisfying -x^2 + y^2 = 1 + d x^2y^2
 where d = -121665/121666.
 
@@ -52,6 +86,36 @@ Representations:
   ge_precomp (Duif): (y+x,y-x,2dxy)
 */
 
+#if !defined(HAVE___UINT128_T) || defined(NO_CURVED25519_128BIT)
+#define MASK_21     0x1fffff
+#define ORDER_0     0x15d3ed
+#define ORDER_1     0x18d2e7
+#define ORDER_2     0x160498
+#define ORDER_3     0xf39ac
+#define ORDER_4     0x1dea2f
+#define ORDER_5     0xa6f7c
+
+#ifdef CURVED25519_ASM_32BIT
+uint64_t load_3(const unsigned char *in)
+{
+  uint64_t result;
+  result = (uint64_t) in[0];
+  result |= ((uint64_t) in[1]) << 8;
+  result |= ((uint64_t) in[2]) << 16;
+  return result;
+}
+
+
+uint64_t load_4(const unsigned char *in)
+{
+  uint64_t result;
+  result = (uint64_t) in[0];
+  result |= ((uint64_t) in[1]) << 8;
+  result |= ((uint64_t) in[2]) << 16;
+  result |= ((uint64_t) in[3]) << 24;
+  return result;
+}
+#endif
 
 /*
 Input:
@@ -64,261 +128,197 @@ Output:
 */
 void sc_reduce(byte* s)
 {
-  int64_t s0 = 2097151 & load_3(s);
-  int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
-  int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
-  int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
-  int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
-  int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
-  int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
-  int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
-  int64_t s8 = 2097151 & load_3(s + 21);
-  int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
-  int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
-  int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
-  int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
-  int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
-  int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
-  int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
-  int64_t s16 = 2097151 & load_3(s + 42);
-  int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
-  int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
-  int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
-  int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
-  int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
-  int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
-  int64_t s23 = (load_4(s + 60) >> 3);
-  int64_t carry0;
-  int64_t carry1;
-  int64_t carry2;
-  int64_t carry3;
-  int64_t carry4;
-  int64_t carry5;
-  int64_t carry6;
-  int64_t carry7;
-  int64_t carry8;
-  int64_t carry9;
-  int64_t carry10;
-  int64_t carry11;
-  int64_t carry12;
-  int64_t carry13;
-  int64_t carry14;
-  int64_t carry15;
-  int64_t carry16;
-
-  s11 += s23 * 666643;
-  s12 += s23 * 470296;
-  s13 += s23 * 654183;
-  s14 -= s23 * 997805;
-  s15 += s23 * 136657;
-  s16 -= s23 * 683901;
-  s23 = 0;
-
-  s10 += s22 * 666643;
-  s11 += s22 * 470296;
-  s12 += s22 * 654183;
-  s13 -= s22 * 997805;
-  s14 += s22 * 136657;
-  s15 -= s22 * 683901;
-  s22 = 0;
-
-  s9 += s21 * 666643;
-  s10 += s21 * 470296;
-  s11 += s21 * 654183;
-  s12 -= s21 * 997805;
-  s13 += s21 * 136657;
-  s14 -= s21 * 683901;
-  s21 = 0;
-
-  s8 += s20 * 666643;
-  s9 += s20 * 470296;
-  s10 += s20 * 654183;
-  s11 -= s20 * 997805;
-  s12 += s20 * 136657;
-  s13 -= s20 * 683901;
-  s20 = 0;
-
-  s7 += s19 * 666643;
-  s8 += s19 * 470296;
-  s9 += s19 * 654183;
-  s10 -= s19 * 997805;
-  s11 += s19 * 136657;
-  s12 -= s19 * 683901;
-  s19 = 0;
-
-  s6 += s18 * 666643;
-  s7 += s18 * 470296;
-  s8 += s18 * 654183;
-  s9 -= s18 * 997805;
-  s10 += s18 * 136657;
-  s11 -= s18 * 683901;
-  s18 = 0;
-
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
-
-  s5 += s17 * 666643;
-  s6 += s17 * 470296;
-  s7 += s17 * 654183;
-  s8 -= s17 * 997805;
-  s9 += s17 * 136657;
-  s10 -= s17 * 683901;
-  s17 = 0;
-
-  s4 += s16 * 666643;
-  s5 += s16 * 470296;
-  s6 += s16 * 654183;
-  s7 -= s16 * 997805;
-  s8 += s16 * 136657;
-  s9 -= s16 * 683901;
-  s16 = 0;
-
-  s3 += s15 * 666643;
-  s4 += s15 * 470296;
-  s5 += s15 * 654183;
-  s6 -= s15 * 997805;
-  s7 += s15 * 136657;
-  s8 -= s15 * 683901;
-  s15 = 0;
-
-  s2 += s14 * 666643;
-  s3 += s14 * 470296;
-  s4 += s14 * 654183;
-  s5 -= s14 * 997805;
-  s6 += s14 * 136657;
-  s7 -= s14 * 683901;
-  s14 = 0;
-
-  s1 += s13 * 666643;
-  s2 += s13 * 470296;
-  s3 += s13 * 654183;
-  s4 -= s13 * 997805;
-  s5 += s13 * 136657;
-  s6 -= s13 * 683901;
-  s13 = 0;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-
-  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
-
-  s[0] = s0 >> 0;
-  s[1] = s0 >> 8;
-  s[2] = (s0 >> 16) | (s1 << 5);
-  s[3] = s1 >> 3;
-  s[4] = s1 >> 11;
-  s[5] = (s1 >> 19) | (s2 << 2);
-  s[6] = s2 >> 6;
-  s[7] = (s2 >> 14) | (s3 << 7);
-  s[8] = s3 >> 1;
-  s[9] = s3 >> 9;
-  s[10] = (s3 >> 17) | (s4 << 4);
-  s[11] = s4 >> 4;
-  s[12] = s4 >> 12;
-  s[13] = (s4 >> 20) | (s5 << 1);
-  s[14] = s5 >> 7;
-  s[15] = (s5 >> 15) | (s6 << 6);
-  s[16] = s6 >> 2;
-  s[17] = s6 >> 10;
-  s[18] = (s6 >> 18) | (s7 << 3);
-  s[19] = s7 >> 5;
-  s[20] = s7 >> 13;
-  s[21] = s8 >> 0;
-  s[22] = s8 >> 8;
-  s[23] = (s8 >> 16) | (s9 << 5);
-  s[24] = s9 >> 3;
-  s[25] = s9 >> 11;
-  s[26] = (s9 >> 19) | (s10 << 2);
-  s[27] = s10 >> 6;
-  s[28] = (s10 >> 14) | (s11 << 7);
-  s[29] = s11 >> 1;
-  s[30] = s11 >> 9;
-  s[31] = s11 >> 17;
-
-  /* hush warnings after setting values to 0 */
-  (void)s12;
-  (void)s13;
-  (void)s14;
-  (void)s15;
-  (void)s16;
-  (void)s17;
-  (void)s18;
-  (void)s19;
-  (void)s20;
-  (void)s21;
-  (void)s22;
-  (void)s23;
+    int64_t t[24];
+    int64_t carry;
+
+    t[ 0] = MASK_21 & (load_3(s +  0) >> 0);
+    t[ 1] = MASK_21 & (load_4(s +  2) >> 5);
+    t[ 2] = MASK_21 & (load_3(s +  5) >> 2);
+    t[ 3] = MASK_21 & (load_4(s +  7) >> 7);
+    t[ 4] = MASK_21 & (load_4(s + 10) >> 4);
+    t[ 5] = MASK_21 & (load_3(s + 13) >> 1);
+    t[ 6] = MASK_21 & (load_4(s + 15) >> 6);
+    t[ 7] = MASK_21 & (load_3(s + 18) >> 3);
+    t[ 8] = MASK_21 & (load_3(s + 21) >> 0);
+    t[ 9] = MASK_21 & (load_4(s + 23) >> 5);
+    t[10] = MASK_21 & (load_3(s + 26) >> 2);
+    t[11] = MASK_21 & (load_4(s + 28) >> 7);
+    t[12] = MASK_21 & (load_4(s + 31) >> 4);
+    t[13] = MASK_21 & (load_3(s + 34) >> 1);
+    t[14] = MASK_21 & (load_4(s + 36) >> 6);
+    t[15] = MASK_21 & (load_3(s + 39) >> 3);
+    t[16] = MASK_21 & (load_3(s + 42) >> 0);
+    t[17] = MASK_21 & (load_4(s + 44) >> 5);
+    t[18] = MASK_21 & (load_3(s + 47) >> 2);
+    t[19] = MASK_21 & (load_4(s + 49) >> 7);
+    t[20] = MASK_21 & (load_4(s + 52) >> 4);
+    t[21] = MASK_21 & (load_3(s + 55) >> 1);
+    t[22] = MASK_21 & (load_4(s + 57) >> 6);
+    t[23] =           (load_4(s + 60) >> 3);
+
+    t[11] -= t[23] * ORDER_0;
+    t[12] -= t[23] * ORDER_1;
+    t[13] -= t[23] * ORDER_2;
+    t[14] -= t[23] * ORDER_3;
+    t[15] -= t[23] * ORDER_4;
+    t[16] -= t[23] * ORDER_5;
+
+    t[10] -= t[22] * ORDER_0;
+    t[11] -= t[22] * ORDER_1;
+    t[12] -= t[22] * ORDER_2;
+    t[13] -= t[22] * ORDER_3;
+    t[14] -= t[22] * ORDER_4;
+    t[15] -= t[22] * ORDER_5;
+
+    t[ 9] -= t[21] * ORDER_0;
+    t[10] -= t[21] * ORDER_1;
+    t[11] -= t[21] * ORDER_2;
+    t[12] -= t[21] * ORDER_3;
+    t[13] -= t[21] * ORDER_4;
+    t[14] -= t[21] * ORDER_5;
+
+    t[ 8] -= t[20] * ORDER_0;
+    t[ 9] -= t[20] * ORDER_1;
+    t[10] -= t[20] * ORDER_2;
+    t[11] -= t[20] * ORDER_3;
+    t[12] -= t[20] * ORDER_4;
+    t[13] -= t[20] * ORDER_5;
+
+    t[ 7] -= t[19] * ORDER_0;
+    t[ 8] -= t[19] * ORDER_1;
+    t[ 9] -= t[19] * ORDER_2;
+    t[10] -= t[19] * ORDER_3;
+    t[11] -= t[19] * ORDER_4;
+    t[12] -= t[19] * ORDER_5;
+
+    t[ 6] -= t[18] * ORDER_0;
+    t[ 7] -= t[18] * ORDER_1;
+    t[ 8] -= t[18] * ORDER_2;
+    t[ 9] -= t[18] * ORDER_3;
+    t[10] -= t[18] * ORDER_4;
+    t[11] -= t[18] * ORDER_5;
+
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+    carry = t[12] >> 21; t[13] += carry; t[12] &= MASK_21;
+    carry = t[14] >> 21; t[15] += carry; t[14] &= MASK_21;
+    carry = t[16] >> 21; t[17] += carry; t[16] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[11] >> 21; t[12] += carry; t[11] &= MASK_21;
+    carry = t[13] >> 21; t[14] += carry; t[13] &= MASK_21;
+    carry = t[15] >> 21; t[16] += carry; t[15] &= MASK_21;
+
+    t[ 5] -= t[17] * ORDER_0;
+    t[ 6] -= t[17] * ORDER_1;
+    t[ 7] -= t[17] * ORDER_2;
+    t[ 8] -= t[17] * ORDER_3;
+    t[ 9] -= t[17] * ORDER_4;
+    t[10] -= t[17] * ORDER_5;
+
+    t[ 4] -= t[16] * ORDER_0;
+    t[ 5] -= t[16] * ORDER_1;
+    t[ 6] -= t[16] * ORDER_2;
+    t[ 7] -= t[16] * ORDER_3;
+    t[ 8] -= t[16] * ORDER_4;
+    t[ 9] -= t[16] * ORDER_5;
+
+    t[ 3] -= t[15] * ORDER_0;
+    t[ 4] -= t[15] * ORDER_1;
+    t[ 5] -= t[15] * ORDER_2;
+    t[ 6] -= t[15] * ORDER_3;
+    t[ 7] -= t[15] * ORDER_4;
+    t[ 8] -= t[15] * ORDER_5;
+
+    t[ 2] -= t[14] * ORDER_0;
+    t[ 3] -= t[14] * ORDER_1;
+    t[ 4] -= t[14] * ORDER_2;
+    t[ 5] -= t[14] * ORDER_3;
+    t[ 6] -= t[14] * ORDER_4;
+    t[ 7] -= t[14] * ORDER_5;
+
+    t[ 1] -= t[13] * ORDER_0;
+    t[ 2] -= t[13] * ORDER_1;
+    t[ 3] -= t[13] * ORDER_2;
+    t[ 4] -= t[13] * ORDER_3;
+    t[ 5] -= t[13] * ORDER_4;
+    t[ 6] -= t[13] * ORDER_5;
+
+    t[ 0] -= t[12] * ORDER_0;
+    t[ 1] -= t[12] * ORDER_1;
+    t[ 2] -= t[12] * ORDER_2;
+    t[ 3] -= t[12] * ORDER_3;
+    t[ 4] -= t[12] * ORDER_4;
+    t[ 5] -= t[12] * ORDER_5;
+    t[12]  = 0;
+
+    carry = t[ 0] >> 21; t[ 1] += carry; t[ 0] &= MASK_21;
+    carry = t[ 1] >> 21; t[ 2] += carry; t[ 1] &= MASK_21;
+    carry = t[ 2] >> 21; t[ 3] += carry; t[ 2] &= MASK_21;
+    carry = t[ 3] >> 21; t[ 4] += carry; t[ 3] &= MASK_21;
+    carry = t[ 4] >> 21; t[ 5] += carry; t[ 4] &= MASK_21;
+    carry = t[ 5] >> 21; t[ 6] += carry; t[ 5] &= MASK_21;
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+    carry = t[11] >> 21; t[12] += carry; t[11] &= MASK_21;
+
+    t[ 0] -= t[12] * ORDER_0;
+    t[ 1] -= t[12] * ORDER_1;
+    t[ 2] -= t[12] * ORDER_2;
+    t[ 3] -= t[12] * ORDER_3;
+    t[ 4] -= t[12] * ORDER_4;
+    t[ 5] -= t[12] * ORDER_5;
+
+    carry = t[ 0] >> 21; t[ 1] += carry; t[ 0] &= MASK_21;
+    carry = t[ 1] >> 21; t[ 2] += carry; t[ 1] &= MASK_21;
+    carry = t[ 2] >> 21; t[ 3] += carry; t[ 2] &= MASK_21;
+    carry = t[ 3] >> 21; t[ 4] += carry; t[ 3] &= MASK_21;
+    carry = t[ 4] >> 21; t[ 5] += carry; t[ 4] &= MASK_21;
+    carry = t[ 5] >> 21; t[ 6] += carry; t[ 5] &= MASK_21;
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+
+    s[ 0] = (byte)(t[ 0] >>  0);
+    s[ 1] = (byte)(t[ 0] >>  8);
+    s[ 2] = (byte)((t[ 0] >> 16) | (t[ 1] <<  5));
+    s[ 3] = (byte)(t[ 1] >>  3);
+    s[ 4] = (byte)(t[ 1] >> 11);
+    s[ 5] = (byte)((t[ 1] >> 19) | (t[ 2] <<  2));
+    s[ 6] = (byte)(t[ 2] >>  6);
+    s[ 7] = (byte)((t[ 2] >> 14) | (t[ 3] <<  7));
+    s[ 8] = (byte)(t[ 3] >>  1);
+    s[ 9] = (byte)(t[ 3] >>  9);
+    s[10] = (byte)((t[ 3] >> 17) | (t[ 4] <<  4));
+    s[11] = (byte)(t[ 4] >>  4);
+    s[12] = (byte)(t[ 4] >> 12);
+    s[13] = (byte)((t[ 4] >> 20) | (t[ 5] <<  1));
+    s[14] = (byte)(t[ 5] >>  7);
+    s[15] = (byte)((t[ 5] >> 15) | (t[ 6] <<  6));
+    s[16] = (byte)(t[ 6] >>  2);
+    s[17] = (byte)(t[ 6] >> 10);
+    s[18] = (byte)((t[ 6] >> 18) | (t[ 7] <<  3));
+    s[19] = (byte)(t[ 7] >>  5);
+    s[20] = (byte)(t[ 7] >> 13);
+    s[21] = (byte)(t[ 8] >>  0);
+    s[22] = (byte)(t[ 8] >>  8);
+    s[23] = (byte)((t[ 8] >> 16) | (t[ 9] <<  5));
+    s[24] = (byte)(t[ 9] >>  3);
+    s[25] = (byte)(t[ 9] >> 11);
+    s[26] = (byte)((t[ 9] >> 19) | (t[10] <<  2));
+    s[27] = (byte)(t[10] >>  6);
+    s[28] = (byte)((t[10] >> 14) | (t[11] <<  7));
+    s[29] = (byte)(t[11] >>  1);
+    s[30] = (byte)(t[11] >>  9);
+    s[31] = (byte)(t[11] >> 17);
 }
 
-
 /*
 Input:
   a[0]+256*a[1]+...+256^31*a[31] = a
@@ -331,365 +331,611 @@ Output:
 */
 void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
 {
-  int64_t a0 = 2097151 & load_3(a);
-  int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
-  int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
-  int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
-  int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
-  int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
-  int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
-  int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
-  int64_t a8 = 2097151 & load_3(a + 21);
-  int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
-  int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
-  int64_t a11 = (load_4(a + 28) >> 7);
-  int64_t b0 = 2097151 & load_3(b);
-  int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
-  int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
-  int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
-  int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
-  int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
-  int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
-  int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
-  int64_t b8 = 2097151 & load_3(b + 21);
-  int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
-  int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
-  int64_t b11 = (load_4(b + 28) >> 7);
-  int64_t c0 = 2097151 & load_3(c);
-  int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
-  int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
-  int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
-  int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
-  int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
-  int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
-  int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
-  int64_t c8 = 2097151 & load_3(c + 21);
-  int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
-  int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
-  int64_t c11 = (load_4(c + 28) >> 7);
-  int64_t s0;
-  int64_t s1;
-  int64_t s2;
-  int64_t s3;
-  int64_t s4;
-  int64_t s5;
-  int64_t s6;
-  int64_t s7;
-  int64_t s8;
-  int64_t s9;
-  int64_t s10;
-  int64_t s11;
-  int64_t s12;
-  int64_t s13;
-  int64_t s14;
-  int64_t s15;
-  int64_t s16;
-  int64_t s17;
-  int64_t s18;
-  int64_t s19;
-  int64_t s20;
-  int64_t s21;
-  int64_t s22;
-  int64_t s23;
-  int64_t carry0;
-  int64_t carry1;
-  int64_t carry2;
-  int64_t carry3;
-  int64_t carry4;
-  int64_t carry5;
-  int64_t carry6;
-  int64_t carry7;
-  int64_t carry8;
-  int64_t carry9;
-  int64_t carry10;
-  int64_t carry11;
-  int64_t carry12;
-  int64_t carry13;
-  int64_t carry14;
-  int64_t carry15;
-  int64_t carry16;
-  int64_t carry17;
-  int64_t carry18;
-  int64_t carry19;
-  int64_t carry20;
-  int64_t carry21;
-  int64_t carry22;
-
-  s0 = c0 + a0*b0;
-  s1 = c1 + a0*b1 + a1*b0;
-  s2 = c2 + a0*b2 + a1*b1 + a2*b0;
-  s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0;
-  s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0;
-  s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0;
-  s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0;
-  s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0;
-  s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1
-          + a8*b0;
-  s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2
-          + a8*b1 + a9*b0;
-  s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3
-            + a8*b2 + a9*b1 + a10*b0;
-  s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4
-            + a8*b3 + a9*b2 + a10*b1 + a11*b0;
-  s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3
-               + a10*b2 + a11*b1;
-  s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3
-               + a11*b2;
-  s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4
-               + a11*b3;
-  s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4;
-  s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5;
-  s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6;
-  s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7;
-  s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8;
-  s20 = a9*b11 + a10*b10 + a11*b9;
-  s21 = a10*b11 + a11*b10;
-  s22 = a11*b11;
-  s23 = 0;
-
-  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-  carry18 = (s18 + (1<<20)) >> 21; s19 += carry18; s18 -= carry18 << 21;
-  carry20 = (s20 + (1<<20)) >> 21; s21 += carry20; s20 -= carry20 << 21;
-  carry22 = (s22 + (1<<20)) >> 21; s23 += carry22; s22 -= carry22 << 21;
-
-  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
-  carry17 = (s17 + (1<<20)) >> 21; s18 += carry17; s17 -= carry17 << 21;
-  carry19 = (s19 + (1<<20)) >> 21; s20 += carry19; s19 -= carry19 << 21;
-  carry21 = (s21 + (1<<20)) >> 21; s22 += carry21; s21 -= carry21 << 21;
-
-  s11 += s23 * 666643;
-  s12 += s23 * 470296;
-  s13 += s23 * 654183;
-  s14 -= s23 * 997805;
-  s15 += s23 * 136657;
-  s16 -= s23 * 683901;
-  s23 = 0;
-
-  s10 += s22 * 666643;
-  s11 += s22 * 470296;
-  s12 += s22 * 654183;
-  s13 -= s22 * 997805;
-  s14 += s22 * 136657;
-  s15 -= s22 * 683901;
-  s22 = 0;
-
-  s9 += s21 * 666643;
-  s10 += s21 * 470296;
-  s11 += s21 * 654183;
-  s12 -= s21 * 997805;
-  s13 += s21 * 136657;
-  s14 -= s21 * 683901;
-  s21 = 0;
-
-  s8 += s20 * 666643;
-  s9 += s20 * 470296;
-  s10 += s20 * 654183;
-  s11 -= s20 * 997805;
-  s12 += s20 * 136657;
-  s13 -= s20 * 683901;
-  s20 = 0;
-
-  s7 += s19 * 666643;
-  s8 += s19 * 470296;
-  s9 += s19 * 654183;
-  s10 -= s19 * 997805;
-  s11 += s19 * 136657;
-  s12 -= s19 * 683901;
-  s19 = 0;
-
-  s6 += s18 * 666643;
-  s7 += s18 * 470296;
-  s8 += s18 * 654183;
-  s9 -= s18 * 997805;
-  s10 += s18 * 136657;
-  s11 -= s18 * 683901;
-  s18 = 0;
-
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry12 = (s12 + (1<<20)) >> 21; s13 += carry12; s12 -= carry12 << 21;
-  carry14 = (s14 + (1<<20)) >> 21; s15 += carry14; s14 -= carry14 << 21;
-  carry16 = (s16 + (1<<20)) >> 21; s17 += carry16; s16 -= carry16 << 21;
-
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-  carry13 = (s13 + (1<<20)) >> 21; s14 += carry13; s13 -= carry13 << 21;
-  carry15 = (s15 + (1<<20)) >> 21; s16 += carry15; s15 -= carry15 << 21;
-
-  s5 += s17 * 666643;
-  s6 += s17 * 470296;
-  s7 += s17 * 654183;
-  s8 -= s17 * 997805;
-  s9 += s17 * 136657;
-  s10 -= s17 * 683901;
-  s17 = 0;
-
-  s4 += s16 * 666643;
-  s5 += s16 * 470296;
-  s6 += s16 * 654183;
-  s7 -= s16 * 997805;
-  s8 += s16 * 136657;
-  s9 -= s16 * 683901;
-  s16 = 0;
-
-  s3 += s15 * 666643;
-  s4 += s15 * 470296;
-  s5 += s15 * 654183;
-  s6 -= s15 * 997805;
-  s7 += s15 * 136657;
-  s8 -= s15 * 683901;
-  s15 = 0;
-
-  s2 += s14 * 666643;
-  s3 += s14 * 470296;
-  s4 += s14 * 654183;
-  s5 -= s14 * 997805;
-  s6 += s14 * 136657;
-  s7 -= s14 * 683901;
-  s14 = 0;
-
-  s1 += s13 * 666643;
-  s2 += s13 * 470296;
-  s3 += s13 * 654183;
-  s4 -= s13 * 997805;
-  s5 += s13 * 136657;
-  s6 -= s13 * 683901;
-  s13 = 0;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = (s0 + (1<<20)) >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry2 = (s2 + (1<<20)) >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry4 = (s4 + (1<<20)) >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry6 = (s6 + (1<<20)) >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry8 = (s8 + (1<<20)) >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry10 = (s10 + (1<<20)) >> 21; s11 += carry10; s10 -= carry10 << 21;
-
-  carry1 = (s1 + (1<<20)) >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry3 = (s3 + (1<<20)) >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry5 = (s5 + (1<<20)) >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry7 = (s7 + (1<<20)) >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry9 = (s9 + (1<<20)) >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry11 = (s11 + (1<<20)) >> 21; s12 += carry11; s11 -= carry11 << 21;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
-  carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21;
-
-  s0 += s12 * 666643;
-  s1 += s12 * 470296;
-  s2 += s12 * 654183;
-  s3 -= s12 * 997805;
-  s4 += s12 * 136657;
-  s5 -= s12 * 683901;
-  s12 = 0;
-
-  carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21;
-  carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21;
-  carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21;
-  carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21;
-  carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21;
-  carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21;
-  carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21;
-  carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21;
-  carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21;
-  carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21;
-  carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21;
-
-  s[0] = s0 >> 0;
-  s[1] = s0 >> 8;
-  s[2] = (s0 >> 16) | (s1 << 5);
-  s[3] = s1 >> 3;
-  s[4] = s1 >> 11;
-  s[5] = (s1 >> 19) | (s2 << 2);
-  s[6] = s2 >> 6;
-  s[7] = (s2 >> 14) | (s3 << 7);
-  s[8] = s3 >> 1;
-  s[9] = s3 >> 9;
-  s[10] = (s3 >> 17) | (s4 << 4);
-  s[11] = s4 >> 4;
-  s[12] = s4 >> 12;
-  s[13] = (s4 >> 20) | (s5 << 1);
-  s[14] = s5 >> 7;
-  s[15] = (s5 >> 15) | (s6 << 6);
-  s[16] = s6 >> 2;
-  s[17] = s6 >> 10;
-  s[18] = (s6 >> 18) | (s7 << 3);
-  s[19] = s7 >> 5;
-  s[20] = s7 >> 13;
-  s[21] = s8 >> 0;
-  s[22] = s8 >> 8;
-  s[23] = (s8 >> 16) | (s9 << 5);
-  s[24] = s9 >> 3;
-  s[25] = s9 >> 11;
-  s[26] = (s9 >> 19) | (s10 << 2);
-  s[27] = s10 >> 6;
-  s[28] = (s10 >> 14) | (s11 << 7);
-  s[29] = s11 >> 1;
-  s[30] = s11 >> 9;
-  s[31] = s11 >> 17;
-
-  /* hush warnings after setting values to 0 */
-  (void)s12;
-  (void)s13;
-  (void)s14;
-  (void)s15;
-  (void)s16;
-  (void)s17;
-  (void)s18;
-  (void)s19;
-  (void)s20;
-  (void)s21;
-  (void)s22;
-  (void)s23;
+    uint32_t ad[12], bd[12], cd[12];
+    int64_t t[24];
+    int64_t carry;
+
+    ad[ 0] = MASK_21 & (load_3(a +  0) >> 0);
+    ad[ 1] = MASK_21 & (load_4(a +  2) >> 5);
+    ad[ 2] = MASK_21 & (load_3(a +  5) >> 2);
+    ad[ 3] = MASK_21 & (load_4(a +  7) >> 7);
+    ad[ 4] = MASK_21 & (load_4(a + 10) >> 4);
+    ad[ 5] = MASK_21 & (load_3(a + 13) >> 1);
+    ad[ 6] = MASK_21 & (load_4(a + 15) >> 6);
+    ad[ 7] = MASK_21 & (load_3(a + 18) >> 3);
+    ad[ 8] = MASK_21 & (load_3(a + 21) >> 0);
+    ad[ 9] = MASK_21 & (load_4(a + 23) >> 5);
+    ad[10] = MASK_21 & (load_3(a + 26) >> 2);
+    ad[11] = (uint32_t)(load_4(a + 28) >> 7);
+    bd[ 0] = MASK_21 & (load_3(b +  0) >> 0);
+    bd[ 1] = MASK_21 & (load_4(b +  2) >> 5);
+    bd[ 2] = MASK_21 & (load_3(b +  5) >> 2);
+    bd[ 3] = MASK_21 & (load_4(b +  7) >> 7);
+    bd[ 4] = MASK_21 & (load_4(b + 10) >> 4);
+    bd[ 5] = MASK_21 & (load_3(b + 13) >> 1);
+    bd[ 6] = MASK_21 & (load_4(b + 15) >> 6);
+    bd[ 7] = MASK_21 & (load_3(b + 18) >> 3);
+    bd[ 8] = MASK_21 & (load_3(b + 21) >> 0);
+    bd[ 9] = MASK_21 & (load_4(b + 23) >> 5);
+    bd[10] = MASK_21 & (load_3(b + 26) >> 2);
+    bd[11] = (uint32_t)(load_4(b + 28) >> 7);
+    cd[ 0] = MASK_21 & (load_3(c +  0) >> 0);
+    cd[ 1] = MASK_21 & (load_4(c +  2) >> 5);
+    cd[ 2] = MASK_21 & (load_3(c +  5) >> 2);
+    cd[ 3] = MASK_21 & (load_4(c +  7) >> 7);
+    cd[ 4] = MASK_21 & (load_4(c + 10) >> 4);
+    cd[ 5] = MASK_21 & (load_3(c + 13) >> 1);
+    cd[ 6] = MASK_21 & (load_4(c + 15) >> 6);
+    cd[ 7] = MASK_21 & (load_3(c + 18) >> 3);
+    cd[ 8] = MASK_21 & (load_3(c + 21) >> 0);
+    cd[ 9] = MASK_21 & (load_4(c + 23) >> 5);
+    cd[10] = MASK_21 & (load_3(c + 26) >> 2);
+    cd[11] = (uint32_t)(load_4(c + 28) >> 7);
+
+    t[ 0] = cd[ 0] + (int64_t)ad[ 0] * bd[ 0];
+    t[ 1] = cd[ 1] + (int64_t)ad[ 0] * bd[ 1] + (int64_t)ad[ 1] * bd[ 0];
+    t[ 2] = cd[ 2] + (int64_t)ad[ 0] * bd[ 2] + (int64_t)ad[ 1] * bd[ 1] +
+                     (int64_t)ad[ 2] * bd[ 0];
+    t[ 3] = cd[ 3] + (int64_t)ad[ 0] * bd[ 3] + (int64_t)ad[ 1] * bd[ 2] +
+                     (int64_t)ad[ 2] * bd[ 1] + (int64_t)ad[ 3] * bd[ 0];
+    t[ 4] = cd[ 4] + (int64_t)ad[ 0] * bd[ 4] + (int64_t)ad[ 1] * bd[ 3] +
+                     (int64_t)ad[ 2] * bd[ 2] + (int64_t)ad[ 3] * bd[ 1] +
+                     (int64_t)ad[ 4] * bd[ 0];
+    t[ 5] = cd[ 5] + (int64_t)ad[ 0] * bd[ 5] + (int64_t)ad[ 1] * bd[ 4] +
+                     (int64_t)ad[ 2] * bd[ 3] + (int64_t)ad[ 3] * bd[ 2] +
+                     (int64_t)ad[ 4] * bd[ 1] + (int64_t)ad[ 5] * bd[ 0];
+    t[ 6] = cd[ 6] + (int64_t)ad[ 0] * bd[ 6] + (int64_t)ad[ 1] * bd[ 5] +
+                     (int64_t)ad[ 2] * bd[ 4] + (int64_t)ad[ 3] * bd[ 3] +
+                     (int64_t)ad[ 4] * bd[ 2] + (int64_t)ad[ 5] * bd[ 1] +
+                     (int64_t)ad[ 6] * bd[ 0];
+    t[ 7] = cd[ 7] + (int64_t)ad[ 0] * bd[ 7] + (int64_t)ad[ 1] * bd[ 6] +
+                     (int64_t)ad[ 2] * bd[ 5] + (int64_t)ad[ 3] * bd[ 4] +
+                     (int64_t)ad[ 4] * bd[ 3] + (int64_t)ad[ 5] * bd[ 2] +
+                     (int64_t)ad[ 6] * bd[ 1] + (int64_t)ad[ 7] * bd[ 0];
+    t[ 8] = cd[ 8] + (int64_t)ad[ 0] * bd[ 8] + (int64_t)ad[ 1] * bd[ 7] +
+                     (int64_t)ad[ 2] * bd[ 6] + (int64_t)ad[ 3] * bd[ 5] +
+                     (int64_t)ad[ 4] * bd[ 4] + (int64_t)ad[ 5] * bd[ 3] +
+                     (int64_t)ad[ 6] * bd[ 2] + (int64_t)ad[ 7] * bd[ 1] +
+                     (int64_t)ad[ 8] * bd[ 0];
+    t[ 9] = cd[ 9] + (int64_t)ad[ 0] * bd[ 9] + (int64_t)ad[ 1] * bd[ 8] +
+                     (int64_t)ad[ 2] * bd[ 7] + (int64_t)ad[ 3] * bd[ 6] +
+                     (int64_t)ad[ 4] * bd[ 5] + (int64_t)ad[ 5] * bd[ 4] +
+                     (int64_t)ad[ 6] * bd[ 3] + (int64_t)ad[ 7] * bd[ 2] +
+                     (int64_t)ad[ 8] * bd[ 1] + (int64_t)ad[ 9] * bd[ 0];
+    t[10] = cd[10] + (int64_t)ad[ 0] * bd[10] + (int64_t)ad[ 1] * bd[ 9] +
+                     (int64_t)ad[ 2] * bd[ 8] + (int64_t)ad[ 3] * bd[ 7] +
+                     (int64_t)ad[ 4] * bd[ 6] + (int64_t)ad[ 5] * bd[ 5] +
+                     (int64_t)ad[ 6] * bd[ 4] + (int64_t)ad[ 7] * bd[ 3] +
+                     (int64_t)ad[ 8] * bd[ 2] + (int64_t)ad[ 9] * bd[ 1] +
+                     (int64_t)ad[10] * bd[ 0];
+    t[11] = cd[11] + (int64_t)ad[ 0] * bd[11] + (int64_t)ad[ 1] * bd[10] +
+                     (int64_t)ad[ 2] * bd[ 9] + (int64_t)ad[ 3] * bd[ 8] +
+                     (int64_t)ad[ 4] * bd[ 7] + (int64_t)ad[ 5] * bd[ 6] +
+                     (int64_t)ad[ 6] * bd[ 5] + (int64_t)ad[ 7] * bd[ 4] +
+                     (int64_t)ad[ 8] * bd[ 3] + (int64_t)ad[ 9] * bd[ 2] +
+                     (int64_t)ad[10] * bd[ 1] + (int64_t)ad[11] * bd[ 0];
+    t[12] =          (int64_t)ad[ 1] * bd[11] + (int64_t)ad[ 2] * bd[10] +
+                     (int64_t)ad[ 3] * bd[ 9] + (int64_t)ad[ 4] * bd[ 8] +
+                     (int64_t)ad[ 5] * bd[ 7] + (int64_t)ad[ 6] * bd[ 6] +
+                     (int64_t)ad[ 7] * bd[ 5] + (int64_t)ad[ 8] * bd[ 4] +
+                     (int64_t)ad[ 9] * bd[ 3] + (int64_t)ad[10] * bd[ 2] +
+                     (int64_t)ad[11] * bd[ 1];
+    t[13] =          (int64_t)ad[ 2] * bd[11] + (int64_t)ad[ 3] * bd[10] +
+                     (int64_t)ad[ 4] * bd[ 9] + (int64_t)ad[ 5] * bd[ 8] +
+                     (int64_t)ad[ 6] * bd[ 7] + (int64_t)ad[ 7] * bd[ 6] +
+                     (int64_t)ad[ 8] * bd[ 5] + (int64_t)ad[ 9] * bd[ 4] +
+                     (int64_t)ad[10] * bd[ 3] + (int64_t)ad[11] * bd[ 2];
+    t[14] =          (int64_t)ad[ 3] * bd[11] + (int64_t)ad[ 4] * bd[10] +
+                     (int64_t)ad[ 5] * bd[ 9] + (int64_t)ad[ 6] * bd[ 8] +
+                     (int64_t)ad[ 7] * bd[ 7] + (int64_t)ad[ 8] * bd[ 6] +
+                     (int64_t)ad[ 9] * bd[ 5] + (int64_t)ad[10] * bd[ 4] +
+                     (int64_t)ad[11] * bd[ 3];
+    t[15] =          (int64_t)ad[ 4] * bd[11] + (int64_t)ad[ 5] * bd[10] +
+                     (int64_t)ad[ 6] * bd[ 9] + (int64_t)ad[ 7] * bd[ 8] +
+                     (int64_t)ad[ 8] * bd[ 7] + (int64_t)ad[ 9] * bd[ 6] +
+                     (int64_t)ad[10] * bd[ 5] + (int64_t)ad[11] * bd[ 4];
+    t[16] =          (int64_t)ad[ 5] * bd[11] + (int64_t)ad[ 6] * bd[10] +
+                     (int64_t)ad[ 7] * bd[ 9] + (int64_t)ad[ 8] * bd[ 8] +
+                     (int64_t)ad[ 9] * bd[ 7] + (int64_t)ad[10] * bd[ 6] +
+                     (int64_t)ad[11] * bd[ 5];
+    t[17] =          (int64_t)ad[ 6] * bd[11] + (int64_t)ad[ 7] * bd[10] +
+                     (int64_t)ad[ 8] * bd[ 9] + (int64_t)ad[ 9] * bd[ 8] +
+                     (int64_t)ad[10] * bd[ 7] + (int64_t)ad[11] * bd[ 6];
+    t[18] =          (int64_t)ad[ 7] * bd[11] + (int64_t)ad[ 8] * bd[10] +
+                     (int64_t)ad[ 9] * bd[ 9] + (int64_t)ad[10] * bd[ 8] +
+                     (int64_t)ad[11] * bd[ 7];
+    t[19] =          (int64_t)ad[ 8] * bd[11] + (int64_t)ad[ 9] * bd[10] +
+                     (int64_t)ad[10] * bd[ 9] + (int64_t)ad[11] * bd[ 8];
+    t[20] =          (int64_t)ad[ 9] * bd[11] + (int64_t)ad[10] * bd[10] +
+                     (int64_t)ad[11] * bd[ 9];
+    t[21] =          (int64_t)ad[10] * bd[11] + (int64_t)ad[11] * bd[10];
+    t[22] =          (int64_t)ad[11] * bd[11];
+    t[23] = 0;
+
+    carry = t[ 0] >> 21; t[ 1] += carry; t[ 0] &= MASK_21;
+    carry = t[ 2] >> 21; t[ 3] += carry; t[ 2] &= MASK_21;
+    carry = t[ 4] >> 21; t[ 5] += carry; t[ 4] &= MASK_21;
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+    carry = t[12] >> 21; t[13] += carry; t[12] &= MASK_21;
+    carry = t[14] >> 21; t[15] += carry; t[14] &= MASK_21;
+    carry = t[16] >> 21; t[17] += carry; t[16] &= MASK_21;
+    carry = t[18] >> 21; t[19] += carry; t[18] &= MASK_21;
+    carry = t[20] >> 21; t[21] += carry; t[20] &= MASK_21;
+    carry = t[22] >> 21; t[23] += carry; t[22] &= MASK_21;
+    carry = t[ 1] >> 21; t[ 2] += carry; t[ 1] &= MASK_21;
+    carry = t[ 3] >> 21; t[ 4] += carry; t[ 3] &= MASK_21;
+    carry = t[ 5] >> 21; t[ 6] += carry; t[ 5] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[11] >> 21; t[12] += carry; t[11] &= MASK_21;
+    carry = t[13] >> 21; t[14] += carry; t[13] &= MASK_21;
+    carry = t[15] >> 21; t[16] += carry; t[15] &= MASK_21;
+    carry = t[17] >> 21; t[18] += carry; t[17] &= MASK_21;
+    carry = t[19] >> 21; t[20] += carry; t[19] &= MASK_21;
+    carry = t[21] >> 21; t[22] += carry; t[21] &= MASK_21;
+
+    t[11] -= t[23] * ORDER_0;
+    t[12] -= t[23] * ORDER_1;
+    t[13] -= t[23] * ORDER_2;
+    t[14] -= t[23] * ORDER_3;
+    t[15] -= t[23] * ORDER_4;
+    t[16] -= t[23] * ORDER_5;
+
+    t[10] -= t[22] * ORDER_0;
+    t[11] -= t[22] * ORDER_1;
+    t[12] -= t[22] * ORDER_2;
+    t[13] -= t[22] * ORDER_3;
+    t[14] -= t[22] * ORDER_4;
+    t[15] -= t[22] * ORDER_5;
+
+    t[ 9] -= t[21] * ORDER_0;
+    t[10] -= t[21] * ORDER_1;
+    t[11] -= t[21] * ORDER_2;
+    t[12] -= t[21] * ORDER_3;
+    t[13] -= t[21] * ORDER_4;
+    t[14] -= t[21] * ORDER_5;
+
+    t[ 8] -= t[20] * ORDER_0;
+    t[ 9] -= t[20] * ORDER_1;
+    t[10] -= t[20] * ORDER_2;
+    t[11] -= t[20] * ORDER_3;
+    t[12] -= t[20] * ORDER_4;
+    t[13] -= t[20] * ORDER_5;
+
+    t[ 7] -= t[19] * ORDER_0;
+    t[ 8] -= t[19] * ORDER_1;
+    t[ 9] -= t[19] * ORDER_2;
+    t[10] -= t[19] * ORDER_3;
+    t[11] -= t[19] * ORDER_4;
+    t[12] -= t[19] * ORDER_5;
+
+    t[ 6] -= t[18] * ORDER_0;
+    t[ 7] -= t[18] * ORDER_1;
+    t[ 8] -= t[18] * ORDER_2;
+    t[ 9] -= t[18] * ORDER_3;
+    t[10] -= t[18] * ORDER_4;
+    t[11] -= t[18] * ORDER_5;
+
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+    carry = t[12] >> 21; t[13] += carry; t[12] &= MASK_21;
+    carry = t[14] >> 21; t[15] += carry; t[14] &= MASK_21;
+    carry = t[16] >> 21; t[17] += carry; t[16] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[11] >> 21; t[12] += carry; t[11] &= MASK_21;
+    carry = t[13] >> 21; t[14] += carry; t[13] &= MASK_21;
+    carry = t[15] >> 21; t[16] += carry; t[15] &= MASK_21;
+
+    t[ 5] -= t[17] * ORDER_0;
+    t[ 6] -= t[17] * ORDER_1;
+    t[ 7] -= t[17] * ORDER_2;
+    t[ 8] -= t[17] * ORDER_3;
+    t[ 9] -= t[17] * ORDER_4;
+    t[10] -= t[17] * ORDER_5;
+
+    t[ 4] -= t[16] * ORDER_0;
+    t[ 5] -= t[16] * ORDER_1;
+    t[ 6] -= t[16] * ORDER_2;
+    t[ 7] -= t[16] * ORDER_3;
+    t[ 8] -= t[16] * ORDER_4;
+    t[ 9] -= t[16] * ORDER_5;
+
+    t[ 3] -= t[15] * ORDER_0;
+    t[ 4] -= t[15] * ORDER_1;
+    t[ 5] -= t[15] * ORDER_2;
+    t[ 6] -= t[15] * ORDER_3;
+    t[ 7] -= t[15] * ORDER_4;
+    t[ 8] -= t[15] * ORDER_5;
+
+    t[ 2] -= t[14] * ORDER_0;
+    t[ 3] -= t[14] * ORDER_1;
+    t[ 4] -= t[14] * ORDER_2;
+    t[ 5] -= t[14] * ORDER_3;
+    t[ 6] -= t[14] * ORDER_4;
+    t[ 7] -= t[14] * ORDER_5;
+
+    t[ 1] -= t[13] * ORDER_0;
+    t[ 2] -= t[13] * ORDER_1;
+    t[ 3] -= t[13] * ORDER_2;
+    t[ 4] -= t[13] * ORDER_3;
+    t[ 5] -= t[13] * ORDER_4;
+    t[ 6] -= t[13] * ORDER_5;
+
+    t[ 0] -= t[12] * ORDER_0;
+    t[ 1] -= t[12] * ORDER_1;
+    t[ 2] -= t[12] * ORDER_2;
+    t[ 3] -= t[12] * ORDER_3;
+    t[ 4] -= t[12] * ORDER_4;
+    t[ 5] -= t[12] * ORDER_5;
+    t[12]  = 0;
+
+    carry = t[ 0] >> 21; t[ 1] += carry; t[ 0] &= MASK_21;
+    carry = t[ 1] >> 21; t[ 2] += carry; t[ 1] &= MASK_21;
+    carry = t[ 2] >> 21; t[ 3] += carry; t[ 2] &= MASK_21;
+    carry = t[ 3] >> 21; t[ 4] += carry; t[ 3] &= MASK_21;
+    carry = t[ 4] >> 21; t[ 5] += carry; t[ 4] &= MASK_21;
+    carry = t[ 5] >> 21; t[ 6] += carry; t[ 5] &= MASK_21;
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+    carry = t[11] >> 21; t[12] += carry; t[11] &= MASK_21;
+
+    t[ 0] -= t[12] * ORDER_0;
+    t[ 1] -= t[12] * ORDER_1;
+    t[ 2] -= t[12] * ORDER_2;
+    t[ 3] -= t[12] * ORDER_3;
+    t[ 4] -= t[12] * ORDER_4;
+    t[ 5] -= t[12] * ORDER_5;
+
+    carry = t[ 0] >> 21; t[ 1] += carry; t[ 0] &= MASK_21;
+    carry = t[ 1] >> 21; t[ 2] += carry; t[ 1] &= MASK_21;
+    carry = t[ 2] >> 21; t[ 3] += carry; t[ 2] &= MASK_21;
+    carry = t[ 3] >> 21; t[ 4] += carry; t[ 3] &= MASK_21;
+    carry = t[ 4] >> 21; t[ 5] += carry; t[ 4] &= MASK_21;
+    carry = t[ 5] >> 21; t[ 6] += carry; t[ 5] &= MASK_21;
+    carry = t[ 6] >> 21; t[ 7] += carry; t[ 6] &= MASK_21;
+    carry = t[ 7] >> 21; t[ 8] += carry; t[ 7] &= MASK_21;
+    carry = t[ 8] >> 21; t[ 9] += carry; t[ 8] &= MASK_21;
+    carry = t[ 9] >> 21; t[10] += carry; t[ 9] &= MASK_21;
+    carry = t[10] >> 21; t[11] += carry; t[10] &= MASK_21;
+
+    s[ 0] = (byte)(t[ 0] >>  0);
+    s[ 1] = (byte)(t[ 0] >>  8);
+    s[ 2] = (byte)((t[ 0] >> 16) | (t[ 1] <<  5));
+    s[ 3] = (byte)(t[ 1] >>  3);
+    s[ 4] = (byte)(t[ 1] >> 11);
+    s[ 5] = (byte)((t[ 1] >> 19) | (t[ 2] <<  2));
+    s[ 6] = (byte)(t[ 2] >>  6);
+    s[ 7] = (byte)((t[ 2] >> 14) | (t[ 3] <<  7));
+    s[ 8] = (byte)(t[ 3] >>  1);
+    s[ 9] = (byte)(t[ 3] >>  9);
+    s[10] = (byte)((t[ 3] >> 17) | (t[ 4] <<  4));
+    s[11] = (byte)(t[ 4] >>  4);
+    s[12] = (byte)(t[ 4] >> 12);
+    s[13] = (byte)((t[ 4] >> 20) | (t[ 5] <<  1));
+    s[14] = (byte)(t[ 5] >>  7);
+    s[15] = (byte)((t[ 5] >> 15) | (t[ 6] <<  6));
+    s[16] = (byte)(t[ 6] >>  2);
+    s[17] = (byte)(t[ 6] >> 10);
+    s[18] = (byte)((t[ 6] >> 18) | (t[ 7] <<  3));
+    s[19] = (byte)(t[ 7] >>  5);
+    s[20] = (byte)(t[ 7] >> 13);
+    s[21] = (byte)(t[ 8] >>  0);
+    s[22] = (byte)(t[ 8] >>  8);
+    s[23] = (byte)((t[ 8] >> 16) | (t[ 9] <<  5));
+    s[24] = (byte)(t[ 9] >>  3);
+    s[25] = (byte)(t[ 9] >> 11);
+    s[26] = (byte)((t[ 9] >> 19) | (t[10] <<  2));
+    s[27] = (byte)(t[10] >>  6);
+    s[28] = (byte)((t[10] >> 14) | (t[11] <<  7));
+    s[29] = (byte)(t[11] >>  1);
+    s[30] = (byte)(t[11] >>  9);
+    s[31] = (byte)(t[11] >> 17);
+}
+#else
+static uint64_t load_6(const byte* a)
+{
+    uint64_t n;
+    n = ((uint64_t)a[0] <<  0) |
+        ((uint64_t)a[1] <<  8) |
+        ((uint64_t)a[2] << 16) |
+        ((uint64_t)a[3] << 24) |
+        ((uint64_t)a[4] << 32) |
+        ((uint64_t)a[5] << 40);
+    return n;
+}
+
+static uint64_t load_7(const byte* a)
+{
+    uint64_t n;
+    n = ((uint64_t)a[0] <<  0) |
+        ((uint64_t)a[1] <<  8) |
+        ((uint64_t)a[2] << 16) |
+        ((uint64_t)a[3] << 24) |
+        ((uint64_t)a[4] << 32) |
+        ((uint64_t)a[5] << 40) |
+        ((uint64_t)a[6] << 48);
+    return n;
 }
 
+#define MASK_42     0x3ffffffffffl
+#define ORDER_0     0x31a5cf5d3edl
+#define ORDER_1     0x1e735960498l
+#define ORDER_2     0x14def9dea2fl
+
+/*
+Input:
+  s[0]+256*s[1]+...+256^63*s[63] = s
+
+Output:
+  s[0]+256*s[1]+...+256^31*s[31] = s mod l
+  where l = 2^252 + 27742317777372353535851937790883648493.
+  Overwrites s in place.
+*/
+void sc_reduce(byte* s)
+{
+    __int128_t t[12];
+    __int128_t carry;
+
+    t[ 0] = MASK_42 & (load_6(s +  0) >> 0);
+    t[ 1] = MASK_42 & (load_6(s +  5) >> 2);
+    t[ 2] = MASK_42 & (load_6(s + 10) >> 4);
+    t[ 3] = MASK_42 & (load_6(s + 15) >> 6);
+    t[ 4] = MASK_42 & (load_6(s + 21) >> 0);
+    t[ 5] = MASK_42 & (load_6(s + 26) >> 2);
+    t[ 6] = MASK_42 & (load_6(s + 31) >> 4);
+    t[ 7] = MASK_42 & (load_6(s + 36) >> 6);
+    t[ 8] = MASK_42 & (load_6(s + 42) >> 0);
+    t[ 9] = MASK_42 & (load_6(s + 47) >> 2);
+    t[10] = MASK_42 & (load_6(s + 52) >> 4);
+    t[11] =           (load_7(s + 57) >> 6);
+
+    t[ 5] -= t[11] * ORDER_0;
+    t[ 6] -= t[11] * ORDER_1;
+    t[ 7] -= t[11] * ORDER_2;
+
+    t[ 4] -= t[10] * ORDER_0;
+    t[ 5] -= t[10] * ORDER_1;
+    t[ 6] -= t[10] * ORDER_2;
+
+    t[ 3] -= t[ 9] * ORDER_0;
+    t[ 4] -= t[ 9] * ORDER_1;
+    t[ 5] -= t[ 9] * ORDER_2;
+
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 5] >> 42; t[ 6] += carry; t[ 5] &= MASK_42;
+    carry = t[ 7] >> 42; t[ 8] += carry; t[ 7] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+    carry = t[ 6] >> 42; t[ 7] += carry; t[ 6] &= MASK_42;
+
+    t[ 2] -= t[ 8] * ORDER_0;
+    t[ 3] -= t[ 8] * ORDER_1;
+    t[ 4] -= t[ 8] * ORDER_2;
+
+    t[ 1] -= t[ 7] * ORDER_0;
+    t[ 2] -= t[ 7] * ORDER_1;
+    t[ 3] -= t[ 7] * ORDER_2;
+
+    t[ 0] -= t[ 6] * ORDER_0;
+    t[ 1] -= t[ 6] * ORDER_1;
+    t[ 2] -= t[ 6] * ORDER_2;
+    t[ 6]  = 0;
+
+    carry = t[ 0] >> 42; t[ 1] += carry; t[ 0] &= MASK_42;
+    carry = t[ 1] >> 42; t[ 2] += carry; t[ 1] &= MASK_42;
+    carry = t[ 2] >> 42; t[ 3] += carry; t[ 2] &= MASK_42;
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+    carry = t[ 5] >> 42; t[ 6] += carry; t[ 5] &= MASK_42;
+
+    t[ 0] -= t[ 6] * ORDER_0;
+    t[ 1] -= t[ 6] * ORDER_1;
+    t[ 2] -= t[ 6] * ORDER_2;
+
+    carry = t[ 0] >> 42; t[ 1] += carry; t[ 0] &= MASK_42;
+    carry = t[ 1] >> 42; t[ 2] += carry; t[ 1] &= MASK_42;
+    carry = t[ 2] >> 42; t[ 3] += carry; t[ 2] &= MASK_42;
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+
+    s[ 0] = (t[ 0] >>  0);
+    s[ 1] = (t[ 0] >>  8);
+    s[ 2] = (t[ 0] >> 16);
+    s[ 3] = (t[ 0] >> 24);
+    s[ 4] = (t[ 0] >> 32);
+    s[ 5] = (t[ 0] >> 40) | (t[ 1] <<  2);
+    s[ 6] = (t[ 1] >>  6);
+    s[ 7] = (t[ 1] >> 14);
+    s[ 8] = (t[ 1] >> 22);
+    s[ 9] = (t[ 1] >> 30);
+    s[10] = (t[ 1] >> 38) | (t[ 2] <<  4);
+    s[11] = (t[ 2] >>  4);
+    s[12] = (t[ 2] >> 12);
+    s[13] = (t[ 2] >> 20);
+    s[14] = (t[ 2] >> 28);
+    s[15] = (t[ 2] >> 36) | (t[ 3] <<  6);
+    s[16] = (t[ 3] >>  2);
+    s[17] = (t[ 3] >> 10);
+    s[18] = (t[ 3] >> 18);
+    s[19] = (t[ 3] >> 26);
+    s[20] = (t[ 3] >> 34);
+    s[21] = (t[ 4] >>  0);
+    s[22] = (t[ 4] >>  8);
+    s[23] = (t[ 4] >> 16);
+    s[24] = (t[ 4] >> 24);
+    s[25] = (t[ 4] >> 32);
+    s[26] = (t[ 4] >> 40) | (t[ 5] <<  2);
+    s[27] = (t[ 5] >>  6);
+    s[28] = (t[ 5] >> 14);
+    s[29] = (t[ 5] >> 22);
+    s[30] = (t[ 5] >> 30);
+    s[31] = (t[ 5] >> 38);
+}
+
+/*
+Input:
+  a[0]+256*a[1]+...+256^31*a[31] = a
+  b[0]+256*b[1]+...+256^31*b[31] = b
+  c[0]+256*c[1]+...+256^31*c[31] = c
+
+Output:
+  s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+  where l = 2^252 + 27742317777372353535851937790883648493.
+*/
+void sc_muladd(byte* s, const byte* a, const byte* b, const byte* c)
+{
+    uint64_t ad[6], bd[6], cd[6];
+    __int128_t t[12];
+    __int128_t carry;
+
+    ad[ 0] = MASK_42 & (load_6(a +  0) >> 0);
+    ad[ 1] = MASK_42 & (load_6(a +  5) >> 2);
+    ad[ 2] = MASK_42 & (load_6(a + 10) >> 4);
+    ad[ 3] = MASK_42 & (load_6(a + 15) >> 6);
+    ad[ 4] = MASK_42 & (load_6(a + 21) >> 0);
+    ad[ 5] =           (load_6(a + 26) >> 2);
+    bd[ 0] = MASK_42 & (load_6(b +  0) >> 0);
+    bd[ 1] = MASK_42 & (load_6(b +  5) >> 2);
+    bd[ 2] = MASK_42 & (load_6(b + 10) >> 4);
+    bd[ 3] = MASK_42 & (load_6(b + 15) >> 6);
+    bd[ 4] = MASK_42 & (load_6(b + 21) >> 0);
+    bd[ 5] =           (load_6(b + 26) >> 2);
+    cd[ 0] = MASK_42 & (load_6(c +  0) >> 0);
+    cd[ 1] = MASK_42 & (load_6(c +  5) >> 2);
+    cd[ 2] = MASK_42 & (load_6(c + 10) >> 4);
+    cd[ 3] = MASK_42 & (load_6(c + 15) >> 6);
+    cd[ 4] = MASK_42 & (load_6(c + 21) >> 0);
+    cd[ 5] =           (load_6(c + 26) >> 2);
+
+    t[ 0] = cd[ 0] + (__int128_t)ad[ 0] * bd[ 0];
+    t[ 1] = cd[ 1] + (__int128_t)ad[ 0] * bd[ 1] + (__int128_t)ad[ 1] * bd[ 0];
+    t[ 2] = cd[ 2] + (__int128_t)ad[ 0] * bd[ 2] + (__int128_t)ad[ 1] * bd[ 1] +
+                     (__int128_t)ad[ 2] * bd[ 0];
+    t[ 3] = cd[ 3] + (__int128_t)ad[ 0] * bd[ 3] + (__int128_t)ad[ 1] * bd[ 2] +
+                     (__int128_t)ad[ 2] * bd[ 1] + (__int128_t)ad[ 3] * bd[ 0];
+    t[ 4] = cd[ 4] + (__int128_t)ad[ 0] * bd[ 4] + (__int128_t)ad[ 1] * bd[ 3] +
+                     (__int128_t)ad[ 2] * bd[ 2] + (__int128_t)ad[ 3] * bd[ 1] +
+                     (__int128_t)ad[ 4] * bd[ 0];
+    t[ 5] = cd[ 5] + (__int128_t)ad[ 0] * bd[ 5] + (__int128_t)ad[ 1] * bd[ 4] +
+                     (__int128_t)ad[ 2] * bd[ 3] + (__int128_t)ad[ 3] * bd[ 2] +
+                     (__int128_t)ad[ 4] * bd[ 1] + (__int128_t)ad[ 5] * bd[ 0];
+    t[ 6] =          (__int128_t)ad[ 1] * bd[ 5] + (__int128_t)ad[ 2] * bd[ 4] +
+                     (__int128_t)ad[ 3] * bd[ 3] + (__int128_t)ad[ 4] * bd[ 2] +
+                     (__int128_t)ad[ 5] * bd[ 1];
+    t[ 7] =          (__int128_t)ad[ 2] * bd[ 5] + (__int128_t)ad[ 3] * bd[ 4] +
+                     (__int128_t)ad[ 4] * bd[ 3] + (__int128_t)ad[ 5] * bd[ 2];
+    t[ 8] =          (__int128_t)ad[ 3] * bd[ 5] + (__int128_t)ad[ 4] * bd[ 4] +
+                     (__int128_t)ad[ 5] * bd[ 3];
+    t[ 9] =          (__int128_t)ad[ 4] * bd[ 5] + (__int128_t)ad[ 5] * bd[ 4];
+    t[10] =          (__int128_t)ad[ 5] * bd[ 5];
+    t[11] = 0;
+
+    carry = t[ 0] >> 42; t[ 1] += carry; t[ 0] &= MASK_42;
+    carry = t[ 2] >> 42; t[ 3] += carry; t[ 2] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+    carry = t[ 6] >> 42; t[ 7] += carry; t[ 6] &= MASK_42;
+    carry = t[ 8] >> 42; t[ 9] += carry; t[ 8] &= MASK_42;
+    carry = t[10] >> 42; t[11] += carry; t[10] &= MASK_42;
+    carry = t[ 1] >> 42; t[ 2] += carry; t[ 1] &= MASK_42;
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 5] >> 42; t[ 6] += carry; t[ 5] &= MASK_42;
+    carry = t[ 7] >> 42; t[ 8] += carry; t[ 7] &= MASK_42;
+    carry = t[ 9] >> 42; t[10] += carry; t[ 9] &= MASK_42;
+
+    t[ 5] -= t[11] * ORDER_0;
+    t[ 6] -= t[11] * ORDER_1;
+    t[ 7] -= t[11] * ORDER_2;
+
+    t[ 4] -= t[10] * ORDER_0;
+    t[ 5] -= t[10] * ORDER_1;
+    t[ 6] -= t[10] * ORDER_2;
+
+    t[ 3] -= t[ 9] * ORDER_0;
+    t[ 4] -= t[ 9] * ORDER_1;
+    t[ 5] -= t[ 9] * ORDER_2;
+
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 5] >> 42; t[ 6] += carry; t[ 5] &= MASK_42;
+    carry = t[ 7] >> 42; t[ 8] += carry; t[ 7] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+    carry = t[ 6] >> 42; t[ 7] += carry; t[ 6] &= MASK_42;
+
+    t[ 2] -= t[ 8] * ORDER_0;
+    t[ 3] -= t[ 8] * ORDER_1;
+    t[ 4] -= t[ 8] * ORDER_2;
+
+    t[ 1] -= t[ 7] * ORDER_0;
+    t[ 2] -= t[ 7] * ORDER_1;
+    t[ 3] -= t[ 7] * ORDER_2;
+
+    t[ 0] -= t[ 6] * ORDER_0;
+    t[ 1] -= t[ 6] * ORDER_1;
+    t[ 2] -= t[ 6] * ORDER_2;
+    t[ 6]  = 0;
+
+    carry = t[ 0] >> 42; t[ 1] += carry; t[ 0] &= MASK_42;
+    carry = t[ 1] >> 42; t[ 2] += carry; t[ 1] &= MASK_42;
+    carry = t[ 2] >> 42; t[ 3] += carry; t[ 2] &= MASK_42;
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+    carry = t[ 5] >> 42; t[ 6] += carry; t[ 5] &= MASK_42;
+
+    t[ 0] -= t[ 6] * ORDER_0;
+    t[ 1] -= t[ 6] * ORDER_1;
+    t[ 2] -= t[ 6] * ORDER_2;
+
+    carry = t[ 0] >> 42; t[ 1] += carry; t[ 0] &= MASK_42;
+    carry = t[ 1] >> 42; t[ 2] += carry; t[ 1] &= MASK_42;
+    carry = t[ 2] >> 42; t[ 3] += carry; t[ 2] &= MASK_42;
+    carry = t[ 3] >> 42; t[ 4] += carry; t[ 3] &= MASK_42;
+    carry = t[ 4] >> 42; t[ 5] += carry; t[ 4] &= MASK_42;
+
+    s[ 0] = (t[ 0] >>  0);
+    s[ 1] = (t[ 0] >>  8);
+    s[ 2] = (t[ 0] >> 16);
+    s[ 3] = (t[ 0] >> 24);
+    s[ 4] = (t[ 0] >> 32);
+    s[ 5] = (t[ 0] >> 40) | (t[ 1] <<  2);
+    s[ 6] = (t[ 1] >>  6);
+    s[ 7] = (t[ 1] >> 14);
+    s[ 8] = (t[ 1] >> 22);
+    s[ 9] = (t[ 1] >> 30);
+    s[10] = (t[ 1] >> 38) | (t[ 2] <<  4);
+    s[11] = (t[ 2] >>  4);
+    s[12] = (t[ 2] >> 12);
+    s[13] = (t[ 2] >> 20);
+    s[14] = (t[ 2] >> 28);
+    s[15] = (t[ 2] >> 36) | (t[ 3] <<  6);
+    s[16] = (t[ 3] >>  2);
+    s[17] = (t[ 3] >> 10);
+    s[18] = (t[ 3] >> 18);
+    s[19] = (t[ 3] >> 26);
+    s[20] = (t[ 3] >> 34);
+    s[21] = (t[ 4] >>  0);
+    s[22] = (t[ 4] >>  8);
+    s[23] = (t[ 4] >> 16);
+    s[24] = (t[ 4] >> 24);
+    s[25] = (t[ 4] >> 32);
+    s[26] = (t[ 4] >> 40) | (t[ 5] <<  2);
+    s[27] = (t[ 5] >>  6);
+    s[28] = (t[ 5] >> 14);
+    s[29] = (t[ 5] >> 22);
+    s[30] = (t[ 5] >> 30);
+    s[31] = (t[ 5] >> 38);
+}
+#endif /* !HAVE___UINT128_T || NO_CURVED25519_128BIT */
 
 int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz)
 {
-    fe     x,y,z;
+    ge     x,y,z;
     ge_p3  g;
-    byte   bArray[keySz];
+    byte   bArray[ED25519_KEY_SIZE];
     word32 i;
 
     fe_0(x);
@@ -715,23 +961,29 @@ int ge_compress_key(byte* out, const byte* xIn, const byte* yIn, word32 keySz)
 /*
 r = p + q
 */
-void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
-{
-	fe t0;
-	fe_add(r->X,p->Y,p->X);
-	fe_sub(r->Y,p->Y,p->X);
-	fe_mul(r->Z,r->X,q->YplusX);
-	fe_mul(r->Y,r->Y,q->YminusX);
-	fe_mul(r->T,q->T2d,p->T);
-	fe_mul(r->X,p->Z,q->Z);
-	fe_add(t0,r->X,r->X);
-	fe_sub(r->X,r->Z,r->Y);
-	fe_add(r->Y,r->Z,r->Y);
-	fe_add(r->Z,t0,r->T);
-	fe_sub(r->T,t0,r->T);
+static WC_INLINE void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+{
+#ifndef CURVED25519_ASM
+    ge t0;
+    fe_add(r->X,p->Y,p->X);
+    fe_sub(r->Y,p->Y,p->X);
+    fe_mul(r->Z,r->X,q->YplusX);
+    fe_mul(r->Y,r->Y,q->YminusX);
+    fe_mul(r->T,q->T2d,p->T);
+    fe_mul(r->X,p->Z,q->Z);
+    fe_add(t0,r->X,r->X);
+    fe_sub(r->X,r->Z,r->Y);
+    fe_add(r->Y,r->Z,r->Y);
+    fe_add(r->Z,t0,r->T);
+    fe_sub(r->T,t0,r->T);
+#else
+    fe_ge_add(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z, p->T, q->Z, q->T2d,
+              q->YplusX, q->YminusX);
+#endif
 }
 
 
+#ifndef CURVED25519_ASM
 /* ge_scalar mult base */
 static unsigned char equal(signed char b,signed char c)
 {
@@ -741,29 +993,6758 @@ static unsigned char equal(signed char b,signed char c)
   uint32_t y = x; /* 0: yes; 1..255: no */
   y -= 1; /* 4294967295: yes; 0..254: no */
   y >>= 31; /* 1: yes; 0: no */
-  return y;
+  return (unsigned char)y;
 }
 
 
 static unsigned char negative(signed char b)
 {
-  unsigned long long x = b; /* 18446744073709551361..18446744073709551615:
-                               yes; 0..255: no */
-  x >>= 63; /* 1: yes; 0: no */
-  return x;
+  return ((unsigned char)b) >> 7;
 }
 
 
-static void cmov(ge_precomp *t,ge_precomp *u,unsigned char b)
+static WC_INLINE void cmov(ge_precomp *t,const ge_precomp *u,unsigned char b,
+                        unsigned char n)
 {
+  b = equal(b,n);
   fe_cmov(t->yplusx,u->yplusx,b);
   fe_cmov(t->yminusx,u->yminusx,b);
   fe_cmov(t->xy2d,u->xy2d,b);
 }
+#endif
 
-
+#ifdef CURVED25519_ASM_64BIT
+static const ge_precomp base[64][8] = {
+{
+    {
+        { 0x2fbc93c6f58c3b85, -0x306cd2390473f1e7, 0x270b4898643d42c2, 0x07cf9d3a33d4ba65 },
+        { -0x62efc6fa28bf6ec2, -0x02c660fa2ebf414d, -0x5a3e7bcb977075f7, 0x44fd2f9298f81267 },
+        { -0x2442ea98b49044a7, 0x41e13f00eea2a5ea, -0x322b62e336a83906, 0x4f0ebe1faf16ecca }
+    },
+    {
+        { -0x6ddb18036cc38e29, -0x60b9626985f00a4b, 0x5aa69a65e1d60702, 0x590c063fa87d2e2e },
+        { -0x75665a9fbd4b2a58, -0x70d47ef3b19f530a, -0x1f61dc944e91c856, 0x6bb595a669c92555 },
+        { 0x6e347eaadad36802, -0x450ca66c7c11b7fb, 0x3bcabe10e6076826, 0x49314f0a165ed1b8 }
+    },
+    {
+        { -0x50da4f57b31168d0, 0x025a8430e8864b8a, -0x3ee4affd60fe98ce, 0x7a164e1b9a80f8f4 },
+        { 0x56611fe8a4fcd265, 0x3bd353fde5c1ba7d, -0x7ece0ce5deb42943, 0x2ab91587555bda62 },
+        { -0x640dee0b0e98b7cc, -0x47b194e809d2076b, -0x282190f8a48dd5b2, 0x549a04b963bb2a21 }
+    },
+    {
+        { 0x287351b98efc099f, 0x6765c6f47dfd2538, -0x35cb72c204f56d9b, 0x680e910321e58727 },
+        { -0x6a01faf5fa97e741, 0x327e89715660faa9, -0x3c171c32f95faf8d, 0x27933f4c7445a49a },
+        { -0x40e1ba131aebd950, -0x1cd439c29245f06c, -0x1bd68b2a7307ad40, 0x44f079b1b0e64c18 }
+    },
+    {
+        { -0x5ded43bbf75a44cd, -0x72afb73c38a112fe, -0x22e414f3a54013bc, 0x2945ccf146e206eb },
+        { 0x7f9182c3a447d6ba, -0x2affeb2eb4d8d649, -0x1cc30ee3479b5f79, 0x154a7e73eb1b55f3 },
+        { -0x37cd5e86182ffc4d, 0x5f729d0a00124d7e, 0x62c1d4a10e6d8ff3, 0x68b8ac5938b27a98 }
+    },
+    {
+        { 0x3a0ceeeb77157131, -0x64d8ea76ff375078, -0x7f9a499725a658ca, 0x51e57bb6a2cc38bd },
+        { 0x499806b67b7d8ca4, 0x575be28427d22739, -0x44f7a318dfbaac47, 0x38b64c41ae417884 },
+        { -0x7062526e97621c5c, 0x175f2428f8fb9137, 0x050ab5329fcfb988, 0x7865dfa21354c09f }
+    },
+    {
+        { 0x6b1a5cd0944ea3bf, 0x7470353ab39dc0d2, 0x71b2528228542e49, 0x461bea69283c927e },
+        { -0x4590d36555cdde4f, 0x6ca021533bba23a7, -0x621589b06de6d3c6, 0x1d6edd5d2e5317e0 },
+        { 0x217a8aacab0fda36, -0x5ad739abc2cab638, 0x37d05b8b13ab7568, 0x233cef623a2cbc37 }
+    },
+    {
+        { 0x59b7596604dd3e8f, 0x6cb30377e288702c, -0x4ecc6399a1263cdd, 0x0915e76061bce52f },
+        { -0x1d58a2120c6dcb27, -0x69c2897f1e4aa707, 0x2c2741ac6e3c23fb, 0x3a9024a1320e01c3 },
+        { -0x208217ca57cb5c82, -0x741e63259767a816, 0x2c1185367167b326, 0x589eb3d9dbefd5c2 }
+    },
+},
+{
+    {
+        { 0x322d04a52d9021f6, -0x463e60cc8a394064, 0x587a3a4342d20b09, 0x143b1cf8aa64fe61 },
+        { 0x7ec851ca553e2df3, -0x58ed7b3459b7874d, -0x194a1be6cd772e19, 0x4cf210ec5a9a8883 },
+        { -0x6079838269753555, 0x5f54258e27092729, -0x2f582cb415e7f68b, 0x21b546a3374126e1 }
+    },
+    {
+        { 0x490a7a45d185218f, -0x65eac887b9fb6ccb, 0x0060ea09cc31e1f6, 0x7e041577f86ee965 },
+        { -0x56b007a75d777cbd, -0x31f12ba9acec12c4, -0x0aa3c2304a40cb06, 0x0a653ca5c9eab371 },
+        { 0x66b2a496ce5b67f3, -0x00ab6d2742a9686a, 0x503cec294a592cd0, 0x566943650813acb2 }
+    },
+    {
+        { 0x5672f9eb1dabb69d, -0x458f4aca5017ac04, 0x47ac0f752796d66d, 0x32a5351794117275 },
+        { -0x47e724f3d99df868, 0x5d5c31d9606e354a, 0x0982fa4f00a8cdc7, 0x17e12bcd4653e2d4 },
+        { -0x2c59bb59209b7bc9, 0x703b6559880fbfdd, -0x347adabf52c5e55b, 0x0900b3f78e4c6468 }
+    },
+    {
+        { -0x12d7f04137e952cf, 0x52d9595bd8e6efe3, 0x0fe71772f6c623f5, 0x4314030b051e293c },
+        { 0x0a851b9f679d651b, -0x1ef7349efcccbd0e, -0x29fe0a801774cf5d, 0x371f3acaed2dd714 },
+        { -0x2a9fffa1040f4353, -0x7148f0d12e78f3a2, 0x201f9033d084e6a0, 0x4c3a5ae1ce7b6670 }
+    },
+    {
+        { -0x45078a1b36c25f23, -0x46cd7d588e46d6b3, -0x7f29c0480b393ba0, 0x6de9c73dea66c181 },
+        { 0x4138a434dcb8fa95, -0x78f3098293697bf5, -0x21c77a8bd68417d4, 0x7c814db27262a55a },
+        { 0x478904d5a04df8f2, -0x050451b54efebd2d, -0x0937539caaa2f668, 0x5aac4a412f90b104 }
+    },
+    {
+        { 0x603a0d0abd7f5134, -0x7f7636cd1e2c51ba, -0x20da6ec67867429d, 0x1c145cd274ba0235 },
+        { -0x39b0cd94c536d6f8, 0x5551b282e663e1e0, 0x476b35f54a1a4b83, 0x1b9da3fe189f68c2 },
+        { 0x32e8386475f3d743, 0x365b8baf6ae5d9ef, -0x7dadc749c7a497e2, 0x234929c1167d65e1 }
+    },
+    {
+        { 0x48145cc21d099fcf, 0x4535c192cc28d7e5, -0x7f183e1ab7db81ff, 0x4a5f28743b2973ee },
+        { -0x67b213545f885218, 0x383f77ad19eb389d, -0x38139481d6ab286c, 0x59c77b3aeb7c3a7a },
+        { -0x2c5228dadda3309e, -0x6ee5cc7e4dead3a3, -0x274c6052a4f70783, 0x6f05606b4799fe3b }
+    },
+    {
+        { 0x5b433149f91b6483, -0x524a239aa5d3409e, -0x78057bed9cd7d84d, 0x60895e91ab49f8d8 },
+        { -0x6001616de884569e, -0x675118e2f21a351f, 0x3ff4ae942d831044, 0x714de12e58533ac8 },
+        { -0x16130d12f30793e8, -0x4b92f9edf8ca202c, -0x43625f67fb469419, 0x73e2e62fd96dc26b }
+    },
+},
+{
+    {
+        { 0x2eccdd0e632f9c1d, 0x51d0b69676893115, 0x52dfb76ba8637a58, 0x6dd37d49a00eef39 },
+        { -0x12a49cabb655aea2, -0x579a3b60f4397dc6, -0x7af3e016a4bd2e3c, 0x30d76d6f03d315b9 },
+        { 0x6c4444172106e4c7, -0x04ac297f6d728097, -0x4b8c615b96b2c0da, 0x10c697112e864bb0 }
+    },
+    {
+        { 0x0ca62aa08358c805, 0x6a3d4ae37a204247, 0x7464d3a63b11eddc, 0x03bf9baf550806ef },
+        { 0x6493c4277dbe5fde, 0x265d4fad19ad7ea2, 0x0e00dfc846304590, 0x25e61cabed66fe09 },
+        { 0x3f13e128cc586604, 0x6f5873ecb459747e, -0x5f49c21233ed970b, 0x566d78634586e22c }
+    },
+    {
+        { -0x5efabd7a39a5d030, 0x6c64112af31667c3, 0x680ae240731aee58, 0x14fba5f34793b22a },
+        { 0x1637a49f9cc10834, -0x4371a92a57643baf, 0x1cb5ec0f7f7fd2db, 0x33975bca5ecc35d9 },
+        { 0x3cd746166985f7d4, 0x593e5e84c9c80057, 0x2fc3f2b67b61131e, 0x14829cea83fc526c }
+    },
+    {
+        { 0x21e70b2f4e71ecb8, -0x19a92246bf5b881d, -0x409aa93131e2b080, 0x05fc3bc4535d7b7e },
+        { -0x00bc847b68226a3e, 0x6c744e30aa4eb5a7, -0x61f3a29ec37a1775, 0x2fd9c71e5f758173 },
+        { 0x24b8b3ae52afdedd, 0x3495638ced3b30cf, 0x33a4bc83a9be8195, 0x373767475c651f04 }
+    },
+    {
+        { 0x634095cb14246590, -0x10edebbfe93eaacb, -0x61c7ebf376ef43a0, 0x6bf5905730907c8c },
+        { 0x2fba99fd40d1add9, -0x4cf8e990690b2fd9, 0x4363f05215f03bae, 0x1fbea56c3b18f999 },
+        { 0x0fa778f1e1415b8a, 0x06409ff7bac3a77e, 0x6f52d7b89aa29a50, 0x02521cf67a635a56 }
+    },
+    {
+        { -0x4eeb98df88d0a11c, -0x17076b4e69f86532, 0x4af8224d00ac824a, 0x001753d9f7cd6cc4 },
+        { 0x513fee0b0a9d5294, -0x706718a3f020a59a, -0x2b9e7977401ef832, 0x3fa00a7e71382ced },
+        { 0x3c69232d963ddb34, 0x1dde87dab4973858, -0x55282e065f6e0d7b, 0x12b5fe2fa048edb6 }
+    },
+    {
+        { -0x20d483d95290e16e, 0x4b66d323504b8913, -0x73bf623f8ae3743d, 0x6f7e93c20796c7b8 },
+        { 0x71f0fbc496fce34d, 0x73b9826badf35bed, -0x2dfb8d9e00d73a9f, 0x749b76f96fb1206f },
+        { 0x1f5af604aea6ae05, -0x3edcae0e411b6367, 0x61a808b5eeff6b66, 0x0fcec10f01e02151 }
+    },
+    {
+        { 0x3df2d29dc4244e45, 0x2b020e7493d8de0a, 0x6cc8067e820c214d, 0x413779166feab90a },
+        { 0x644d58a649fe1e44, 0x21fcaea231ad777e, 0x02441c5a887fd0d2, 0x4901aa7183c511f3 },
+        { 0x08b1b7548c1af8f0, -0x31f08583db9d664c, -0x089f4f06e1f926c7, 0x41bb887b726d1213 }
+    },
+},
+{
+    {
+        { -0x68267f1f55c6082e, 0x35d0384252c6b51c, 0x7d43f49307cd55aa, 0x56bd36cfb78ac362 },
+        { -0x6d987f93a983b628, 0x066d04ccca791e6a, -0x5960a9ba1c33c6b5, 0x5c95b686a0788cd2 },
+        { 0x2ac519c10d14a954, -0x150b8b4b6b4a0570, -0x19507c7d560785a6, 0x0dea6db1879be094 }
+    },
+    {
+        { 0x15baeb74d6a8797a, 0x7ef55cf1fac41732, 0x29001f5a3c8b05c5, 0x0ad7cc8752eaccfb },
+        { -0x559940ab8cbb1a55, -0x25eda77770e4bcf7, 0x5e87d2b3fd564b2f, 0x5b2c78885483b1dd },
+        { 0x52151362793408cf, -0x14f0e8fce669c26c, -0x57cc4d0577c26b9a, 0x093a7fa775003c78 }
+    },
+    {
+        { -0x47169fbb9f56ed7a, 0x7f3fd8047778d3de, 0x67d01e31bf8a5e2d, 0x7b038a06c27b653e },
+        { -0x1aef8219c5e92842, -0x5c880023650ccd31, 0x70d5bf18440b677f, 0x6a252b19a4a31403 },
+        { -0x6126e62a2c966f0d, 0x5213aebbdb4eb9f2, -0x38f715fab3466ecb, 0x58ded57f72260e56 }
+    },
+    {
+        { -0x2592acd9a4f02b75, -0x769f7dce6c405678, -0x287536cd9e2a81d8, 0x79f2942d3a5c8143 },
+        { 0x78e79dade9413d77, -0x0da8062a68d61983, 0x59db910ee37aa7e6, 0x6aa11b5bbb9e039c },
+        { -0x6825d0da49377217, 0x251ba7eaacf20169, 0x09b44f87ef4eb4e4, 0x7d90ab1bbc6a7da5 }
+    },
+    {
+        { 0x1a07a3f496b3c397, 0x11ceaa188f4e2532, 0x7d9498d5a7751bf0, 0x19ed161f508dd8a0 },
+        { -0x6533597c58fe9402, -0x6fafa0b20d3af493, 0x6b610d5fcce435aa, 0x19a10d446198ff96 },
+        { 0x560a2cd687dce6ca, 0x7f3568c48664cf4d, -0x78be16addd7fc5c8, 0x483bdab1595653fc }
+    },
+    {
+        { -0x2930b2f54b257f0a, -0x7db7c1ba07cf8020, 0x05005269ae6f9da4, 0x1c7052909cf7877a },
+        { -0x0587f0eb78cb05b7, 0x106f0b70360534e0, 0x2210776fe3e307bd, 0x3286c109dde6a0fe },
+        { 0x32ee7de2874e98d4, 0x14c362e9b97e0c60, 0x5781dcde6a60a38a, 0x217dd5eaaa7aa840 }
+    },
+    {
+        { -0x7420e0464173f138, 0x00bae7f8e30a0282, 0x4963991dad6c4f6c, 0x07058a6e5df6f60a },
+        { -0x62483b2fdb71e150, -0x1f89681eb28b40ae, 0x1e6a9b173c562354, 0x7fa7c21f795a4965 },
+        { -0x1614fd3b24ce0981, -0x12da0276ef4304d5, 0x46c8131f5c5cddb4, 0x33b21c13a0cb9bce }
+    },
+    {
+        { -0x6550464fa11c73a5, -0x4062d2b1f8e5ec39, -0x7111919216ccd6f6, 0x1c3bab17ae109717 },
+        { 0x360692f8087d8e31, -0x0b2339c82d8e9c09, 0x25a4e62065ea5963, 0x659bf72e5ac160d9 },
+        { 0x1c9ab216c7cab7b0, 0x7d65d37407bbc3cc, 0x52744750504a58d5, 0x09f2606b131a2990 }
+    },
+},
+{
+    {
+        { 0x7e234c597c6691ae, 0x64889d3d0a85b4c8, -0x251d36f3cab50519, 0x0a871e070c6a9e1d },
+        { 0x40e87d44744346be, 0x1d48dad415b52b25, 0x7c3a8a18a13b603e, 0x4eb728c12fcdbdf7 },
+        { 0x3301b5994bbc8989, 0x736bae3a5bdd4260, 0x0d61ade219d59e3c, 0x3ee7300f2685d464 }
+    },
+    {
+        { 0x43fa7947841e7518, -0x1a3905a69c63b929, -0x5ef9a1e21cfad48c, 0x7d47c6a2cfb89030 },
+        { -0x0a2daa1b61822949, -0x7fe9eea39ef4e154, 0x3c99975d92e187ca, 0x13815762979125c2 },
+        { 0x3fdad0148ef0d6e0, -0x62c18b656eab90c4, 0x71ec621026bb8157, 0x148cf58d34c9ec80 }
+    },
+    {
+        { -0x1da8d082651b8a93, 0x56c345bb88f3487f, -0x602ef492969f5773, 0x278febad4eaea1b9 },
+        { 0x46a492f67934f027, 0x469984bef6840aa9, 0x5ca1bc2a89611854, 0x3ff2fa1ebd5dbbd4 },
+        { -0x4e5597e0736cc69a, -0x73de6b63dfd6f368, 0x39115291219d3c52, 0x4104dd02fe9c677b }
+    },
+    {
+        { -0x7edeb1f924f69548, 0x21a8b6c90ce44f35, 0x6524c12a409e2af5, 0x0165b5a48efca481 },
+        { 0x72b2bf5e1124422a, -0x5e05f3cc675cc54b, -0x6b349efe05ad499a, 0x2c863b00afaf53d5 },
+        { -0x0e6f5b8b5f7b958a, 0x12eff984cd2f7cc0, 0x695e290658aa2b8f, 0x591b67d9bffec8b8 }
+    },
+    {
+        { -0x66464c8e60e74aa3, -0x1b9a1a055e739be2, 0x61081136c29f05ed, 0x489b4f867030128b },
+        { 0x312f0d1c80b49bfa, 0x5979515eabf3ec8a, 0x727033c09ef01c88, 0x3de02ec7ca8f7bcb },
+        { -0x2dcdefd2c5146d11, -0x1e9dac4b9ee9579f, 0x3d7eabe7190baa24, 0x49f5fbba496cbebf }
+    },
+    {
+        { 0x155d628c1e9c572e, -0x75b279533a77b8bf, -0x6e5cad09aea89c15, 0x06a1a6c28867515b },
+        { 0x30949a108a5bcfd4, -0x23bf228f439b8c15, -0x6d3d6b3ecf83f2e4, 0x5604a86dcbfa6e74 },
+        { 0x7288d1d47c1764b6, 0x72541140e0418b51, -0x60fce59fe753092f, 0x20989e89fe2742c6 }
+    },
+    {
+        { 0x1674278b85eaec2e, 0x5621dc077acb2bdf, 0x640a4c1661cbf45a, 0x730b9950f70595d3 },
+        { 0x499777fd3a2dcc7f, 0x32857c2ca54fd892, -0x5d86279b2df81c60, 0x0403ed1d0ca67e29 },
+        { -0x36b4d2ca78b13aae, -0x3a19373067db9073, -0x0834b905e93fca32, 0x5bd7454308303dcc }
+    },
+    {
+        { -0x7a3b6cdeea1886d6, -0x39b3765d42322237, -0x62e1c257525c289e, 0x5bb7db123067f82c },
+        { 0x7f9ad19528b24cc2, 0x7f6b54656335c181, 0x66b8b66e4fc07236, 0x133a78007380ad83 },
+        { 0x0961f467c6ca62be, 0x04ec21d6211952ee, 0x182360779bd54770, 0x740dca6d58f0e0d2 }
+    },
+},
+{
+    {
+        { 0x3906c72aed261ae5, -0x65497026771eff09, -0x0a16fa650cc9fe69, 0x0e53dc78bf2b6d47 },
+        { 0x50b70bf5d3f0af0b, 0x4feaf48ae32e71f7, 0x60e84ed3a55bbd34, 0x00ed489b3f50d1ed },
+        { -0x46f7d640868e7886, 0x5e4444636d17e631, 0x4d05c52e18276893, 0x27632d9a5a4a4af5 }
+    },
+    {
+        { -0x567d7a2e78150025, -0x5a4b0444272f579c, -0x49a70d80fdd99c09, 0x3bbc2b22d99ce282 },
+        { -0x2ee00faeab4d9f32, -0x27923c718d06ad90, 0x601fcd0d267cc138, 0x2b67916429e90ccd },
+        { -0x46e836ada7c3f5a8, 0x653ff9b80fe4c6f3, -0x64f258284320c3f4, 0x43a0eeb6ab54d60e }
+    },
+    {
+        { 0x3ac6322357875fe8, -0x262b0b130a043471, -0x72117b6cc7d449e0, 0x50c5eaa14c799fdc },
+        { 0x396966a46d4a5487, -0x07ee5e7553d44c46, 0x66e4685b5628b26b, 0x70a477029d929b92 },
+        { -0x22f12374290d04c4, 0x54c63aa79cc7b7a0, -0x51f4fcd4d37260e6, 0x6f9ce107602967fb }
+    },
+    {
+        { 0x139693063520e0b5, 0x437fcf7c88ea03fe, -0x082b3bf42c36a644, 0x699154d1f893ded9 },
+        { -0x52efab4e321e3dd6, -0x3b5716fdb714cd21, 0x5f3e7b33accdc0ea, 0x72364713fc79963e },
+        { 0x315d5c75b4b27526, -0x33347bd2fdc9255b, 0x22f0c8a3345fee8e, 0x73975a617d39dbed }
+    },
+    {
+        { 0x6f37f392f4433e46, 0x0e19b9a11f566b18, 0x220fb78a1fd1d662, 0x362a4258a381c94d },
+        { -0x1bfdb2069c8a25f0, 0x78d3251a1830c870, -0x6fd4e6b79a7326e4, 0x7e18b10b29b7438a },
+        { -0x6f8e26ecd49414d1, 0x0f26e9ad28418247, -0x1546e13642136da3, 0x4be65bc8f48af2de }
+    },
+    {
+        { 0x1d50fba257c26234, 0x7bd4823adeb0678b, -0x3d4f239159ac750b, 0x5665eec6351da73e },
+        { 0x78487feba36e7028, 0x5f3f13001dd8ce34, -0x6cb04ed2b4cf3b77, 0x056c244d397f0a2b },
+        { -0x24c11ff6bc404df0, 0x4972018720800ac2, 0x26ab5d6173bd8667, 0x20b209c2ab204938 }
+    },
+    {
+        { 0x1fcca94516bd3289, 0x448d65aa41420428, 0x59c3b7b216a55d62, 0x49992cc64e612cd8 },
+        { 0x549e342ac07fb34b, 0x02d8220821373d93, -0x43d9d28f532e0a99, 0x7a92c9fdfbcac784 },
+        { 0x65bd1bea70f801de, 0x1befb7c0fe49e28a, -0x579cf9324e4d51b6, 0x3b7ac0cd265c2a09 }
+    },
+    {
+        { -0x0f2ab1b0dd12c659, -0x5d5516e1a9f7eaf6, -0x0bde4d161225178b, 0x31bc531d6b7de992 },
+        { -0x7dd411bc73fe4314, 0x530cb525c0fbc73b, 0x48519034c1953fe9, 0x265cc261e09a0f5b },
+        { -0x20c2ecb2567f068f, 0x7a4fb8d1221a22a7, 0x3df7d42035aad6d8, 0x2a14edcc6a1a125e }
+    },
+},
+{
+    {
+        { 0x231a8c570478433c, -0x484ad8f13d7ebc63, -0x245566151c26f861, 0x2c03f5256c2b03d9 },
+        { -0x20b711f8ad3031b2, -0x3c00050cf913f749, 0x05710b2ab95459c4, 0x161d25fa963ea38d },
+        { 0x790f18757b53a47d, 0x307b0130cf0c5879, 0x31903d77257ef7f9, 0x699468bdbd96bbaf }
+    },
+    {
+        { -0x2722c2199556e6b8, 0x485064c22fc0d2cc, -0x64b7db99cb0215d1, 0x293e1c4e6c4a2e3a },
+        { -0x42e0d0b90b250131, 0x7cef0114a47fd6f7, -0x2ce00225b5b84c81, 0x525219a473905785 },
+        { 0x376e134b925112e1, 0x703778b5dca15da0, -0x4fba7650b9e3ceef, 0x5b605c447f032823 }
+    },
+    {
+        { 0x3be9fec6f0e7f04c, -0x7995a8618a1cb69e, 0x5542ef161e1de61a, 0x2f12fef4cc5abdd5 },
+        { -0x469a7fa6df3b8377, -0x180feff36dc47034, 0x0001256502e2ef77, 0x24a76dcea8aeb3ee },
+        { 0x0a4522b2dfc0c740, 0x10d06e7f40c9a407, -0x3930ebbe87300998, 0x5e607b2518a43790 }
+    },
+    {
+        { -0x5fd3bce35a6930ec, -0x1c3bd2bf512c1c00, -0x2dbad97fd1f0d925, 0x201f33139e457068 },
+        { 0x58b31d8f6cdf1818, 0x35cfa74fc36258a2, -0x1e4c00b09919e292, 0x5067acab6ccdd5f7 },
+        { -0x02ad8094f7fc62af, 0x18b14964017c0006, -0x2addf14fd1da5b58, 0x397cba8862460375 }
+    },
+    {
+        { 0x7815c3fbc81379e7, -0x599e6bdf221ed50f, -0x00563f077a57022b, 0x771b4022c1e1c252 },
+        { 0x30c13093f05959b2, -0x1dc55e721656868a, 0x222fd491721d5e26, 0x2339d320766e6c3a },
+        { -0x27822679aec5d059, -0x0a53648e062b30f8, -0x2f943ce4e15d7c4d, 0x331a189219971a76 }
+    },
+    {
+        { 0x26512f3a9d7572af, 0x5bcbe28868074a9e, -0x7b123e3eee7f083c, 0x1ac9619ff649a67b },
+        { -0x0ae990ba04b07f3a, -0x63c938219e388a31, -0x1c2b17e46fbe26e4, 0x31167c6b83bdfe21 },
+        { -0x0dd4c7bdadb4ef98, 0x5068343bee9ce987, -0x03628e7bb59daf38, 0x612436341f08b111 }
+    },
+    {
+        { -0x749cb61ce5d2d9c8, -0x622048ff642c02cb, 0x7f8bf1b8a3a06ba4, 0x1522aa3178d90445 },
+        { -0x2662be2478b17673, 0x09fea5f16c07dc20, 0x793d2c67d00f9bbc, 0x46ebe2309e5eff40 },
+        { 0x2c382f5369614938, -0x2501bf6548d292f0, -0x1737cc6e49b90dd9, 0x45fe70f50524306c }
+    },
+    {
+        { 0x62f24920c8951491, 0x05f007c83f630ca2, 0x6fbb45d2f5c9d4b8, 0x16619f6db57a2245 },
+        { -0x25b78a5969f3f474, 0x5b68d076ef0e2f20, 0x07fb51cf3d0b8fd4, 0x428d1623a0e392d4 },
+        { 0x084f4a4401a308fd, -0x57dde63c895a3554, -0x214721b9bc2e4383, 0x1d81592d60bd38c6 }
+    },
+},
+{
+    {
+        { 0x3a4a369a2f89c8a1, 0x63137a1d7c8de80d, -0x4353ff7587125feb, 0x2cb8b3a5b483b03f },
+        { -0x27cc284113d5b3c8, 0x2c9162830acc20ed, -0x16c5b8556d208a7f, 0x702d67a3333c4a81 },
+        { 0x36e417cbcb1b90a1, 0x33b3ddaa7f11794e, 0x3f510808885bc607, 0x24141dc0e6a8020d }
+    },
+    {
+        { -0x6e6da233427cea83, 0x3ca1205322cc8094, 0x28e57f183f90d6e4, 0x1a4714cede2e767b },
+        { 0x59f73c773fefee9d, -0x4c0e10763e306763, -0x1ca204bd1fd1aba1, 0x5766120b47a1b47c },
+        { -0x24df45f047494801, -0x48cd3c4988aee05f, -0x56d4ae3f660fd277, 0x4f3875ad489ca5f1 }
+    },
+    {
+        { 0x79ed13f6ee73eec0, -0x5a39ad9296eef44f, -0x1b76d73c79fc79f4, 0x722a1446fd7059f5 },
+        { -0x380389d0b6cd54de, 0x7ac0edf72f4c3c1b, 0x5f6b55aa9aa895e8, 0x3680274dad0a0081 },
+        { -0x2f6a6016573077e7, -0x2f566aaf7b8a5664, 0x6eac173320b09cc5, 0x628ecf04331b1095 }
+    },
+    {
+        { -0x64be5307a38b330f, -0x498cce7ef7d9adaf, -0x6636d512ee524eb9, 0x7a47d70d34ecb40f },
+        { -0x67434ee7562f2244, -0x11bb61cbf74b7fd5, -0x78f76dd947594efc, 0x685f349a45c7915d },
+        { 0x60a0c4cbcc43a4f5, 0x775c66ca3677bea9, -0x5e855e8ad0070a13, 0x11ded9020e01fdc0 }
+    },
+    {
+        { 0x471f95b03bea93b7, 0x0552d7d43313abd3, -0x426c8f1d1e81c085, 0x7b120f1db20e5bec },
+        { -0x76f187f6351018fc, -0x78d7d6921cf17394, 0x4c5cd2a392aeb1c9, 0x194263d15771531f },
+        { 0x17d2fb3d86502d7a, -0x4a9b27bbaf596cae, 0x7da962c8a60ed75d, 0x00d0f85b318736aa }
+    },
+    {
+        { -0x598ac3e10289de3f, 0x69c0b4a7445671f5, -0x68e0ad8bfa4dc3ef, 0x387bc74851a8c7cd },
+        { -0x6874ebd188837b03, -0x0bfd9bb8fa573f9e, -0x59852ae41819ed39, 0x2f7b459698dd6a33 },
+        { -0x7e76b4b2b5ad5658, -0x5226c1ed09477cd1, 0x184d8548b61bd638, 0x3f1c62dbd6c9f6cd }
+    },
+    {
+        { 0x3fad3e40148f693d, 0x052656e194eb9a72, 0x2f4dcbfd184f4e2f, 0x406f8db1c482e18b },
+        { 0x2e8f1f0091910c1f, -0x5b20b01f400d1ed4, 0x60c6560aee927438, 0x6338283facefc8fa },
+        { -0x619cf2d380e6e11c, 0x4fbf8301bc3ff670, 0x787d8e4e7afb73c4, 0x50d83d5be8f58fa5 }
+    },
+    {
+        { -0x3f53306f4b2c4993, -0x58fa621a9e8cd1a0, 0x033d1f7870c6b0ba, 0x584161cd26d946e4 },
+        { -0x7a97c6e93ee5e769, 0x2d69a4efe506d008, 0x39af1378f664bd01, 0x65942131361517c6 },
+        { -0x440d4e5f8d2d835e, -0x40c6c3a6042138fc, -0x167244311d9d47e2, 0x02eebd0b3029b589 }
+    },
+},
+{
+    {
+        { -0x789a4960847a3a18, 0x6ff0678bd168bab2, 0x3a70e77c1d330f9b, 0x3a5f6d51b0af8e7c },
+        { 0x61368756a60dac5f, 0x17e02f6aebabdc57, 0x7f193f2d4cce0f7d, 0x20234a7789ecdcf0 },
+        { 0x76d20db67178b252, 0x071c34f9d51ed160, -0x09d5b5df4c1bee90, 0x7cd682353cffe366 }
+    },
+    {
+        { -0x599a329f97530b0d, 0x42d92d183cd7e3d3, 0x5759389d336025d9, 0x3ef0253b2b2cd8ff },
+        { 0x0be1a45bd887fab6, 0x2a846a32ba403b6e, -0x266defed1691a000, 0x2838c8863bdc0943 },
+        { -0x2e944f30b5b9afd0, -0x05b694beea3a8855, -0x7d3051750b54be63, 0x21dcb8a606a82812 }
+    },
+    {
+        { -0x6572ff054188ce46, -0x7dfc9f819d61e777, -0x4d33fdc8bc0c2681, 0x5d840dbf6c6f678b },
+        { 0x5c6004468c9d9fc8, 0x2540096ed42aa3cb, 0x125b4d4c12ee2f9c, 0x0bc3d08194a31dab },
+        { 0x706e380d309fe18b, 0x6eb02da6b9e165c7, 0x57bbba997dae20ab, 0x3a4276232ac196dd }
+    },
+    {
+        { 0x3bf8c172db447ecb, 0x5fcfc41fc6282dbd, -0x7f53003f8a55ea02, 0x0770c9e824e1a9f9 },
+        { 0x4b42432c8a7084fa, -0x7675e61c20461abb, -0x4160ffde63a71ba3, 0x1ff177cea16debd1 },
+        { -0x309e2665ba4a4a03, -0x79f67b16e4c586dc, -0x18cff6e6cfc1c177, 0x39f264fd41500b1e }
+    },
+    {
+        { -0x2e64b55401f6841f, -0x5b92031e201fe6d7, -0x3c36f76bd3590e01, 0x65c621272c35f14e },
+        { -0x5852cbe824181d64, -0x426bc895d463ec64, -0x5f16e4716ca68457, 0x1712d73468889840 },
+        { -0x18d4760731ce6c23, 0x4d103356a125c0bb, 0x0419a93d2e1cfe83, 0x22f9800ab19ce272 }
+    },
+    {
+        { 0x42029fdd9a6efdac, -0x46ed3141cb5ab6bf, 0x640f64b987bdf37b, 0x4171a4d38598cab4 },
+        { 0x605a368a3e9ef8cb, -0x1c163fdd5aafb8eb, 0x553d48b05f24248f, 0x13f416cd647626e5 },
+        { -0x05d8a7556636b374, 0x23006f6fb000b807, -0x042d6e225225ac6e, 0x508214fa574bd1ab }
+    },
+    {
+        { 0x461a15bb53d003d6, -0x4defd777430c369b, 0x27c576756c683a5a, 0x3a7758a4c86cb447 },
+        { -0x3dfd96eac12901b5, -0x59a598c6aee2883c, -0x3421d9b9d3eb506c, 0x22f960ec6faba74b },
+        { 0x548111f693ae5076, 0x1dae21df1dfd54a6, 0x12248c90f3115e65, 0x5d9fd15f8de7f494 }
+    },
+    {
+        { 0x3f244d2aeed7521e, -0x71c56fd7bcd169eb, -0x1e9b4588d163e92c, 0x3bc187fa47eb98d8 },
+        { 0x031408d36d63727f, 0x6a379aefd7c7b533, -0x561e703a33511db5, 0x332f35914f8fbed3 },
+        { 0x6d470115ea86c20c, -0x6675483493b92edb, -0x2887cd4ac599fe78, 0x450d81ce906fba03 }
+    },
+},
+{
+    {
+        { 0x23264d66b2cae0b5, 0x7dbaed33ebca6576, 0x030ebed6f0d24ac8, 0x2a887f78f7635510 },
+        { -0x0751b2d527bac6fe, 0x7018058ee8db2d1d, -0x554c66a0382d3ee2, 0x53b16d2324ccca79 },
+        { 0x2a23b9e75c012d4f, 0x0c974651cae1f2ea, 0x2fb63273675d70ca, 0x0ba7250b864403f5 }
+    },
+    {
+        { -0x229ca76c79079264, 0x61699176e13a85a4, 0x2e5111954eaa7d57, 0x32c21b57fb60bdfb },
+        { -0x44f2e702fd639bdf, -0x43d2ebde76d670fe, -0x7cb8071974daf16a, 0x7b9f2fe8032d71c9 },
+        { -0x2787dc32ce61f880, -0x103b303e76888a3b, 0x4854fb129a0ab3f7, 0x12c49d417238c371 }
+    },
+    {
+        { 0x09b3a01783799542, 0x626dd08faad5ee3f, -0x45ff4311148feb61, 0x1421b246a0a444c9 },
+        { 0x0950b533ffe83769, 0x21861c1d8e1d6bd1, -0x0fdd27c7ecfd1af0, 0x2509200c6391cab4 },
+        { 0x4aa43a8e8c24a7c7, 0x04c1f540d8f05ef5, -0x5245a1f3f4c14624, 0x2ab5504448a49ce3 }
+    },
+    {
+        { -0x23f8539ce3a2c506, 0x58615171f9df8c6c, 0x72a079d89d73e2b0, 0x7301f4ceb4eae15d },
+        { 0x2ed227266f0f5dec, -0x67db11bea12af7dc, -0x7f8413836b972beb, 0x7093bae1b521e23f },
+        { 0x6409e759d6722c41, -0x598b1e308d408d65, -0x43f5db14c3de1a97, 0x390167d24ebacb23 }
+    },
+    {
+        { -0x2844fab45d0dedf5, -0x1d4631514efa7649, 0x3fe8bac8f3c0edbe, 0x4cbd40767112cb69 },
+        { 0x27f58e3bba353f1c, 0x4c47764dbf6a4361, -0x50443b1a91a9d9b0, 0x07db2ee6aae1a45d },
+        { 0x0b603cc029c58176, 0x5988e3825cb15d61, 0x2bb61413dcf0ad8d, 0x7b8eec6c74183287 }
+    },
+    {
+        { 0x32fee570fc386b73, -0x2574febe25c57339, -0x68a002f537697ca7, 0x6ee809a1b132a855 },
+        { -0x1b35bf87d32d8350, -0x25063cdc04169843, -0x4d642cb5752be162, 0x72810497626ede4d },
+        { -0x6bbb44ce030279c6, 0x2fe3690a3e4e48c5, -0x23d637982f7705db, 0x13bd1e38d173292e }
+    },
+    {
+        { 0x223fb5cf1dfac521, 0x325c25316f554450, 0x030b98d7659177ac, 0x1ed018b64f88a4bd },
+        { -0x2cd4b327969eb64b, -0x1aa6c8287e275549, 0x0bcb2127ae122b94, 0x41e86fcfb14099b0 },
+        { 0x3630dfa1b802a6b0, -0x77f078b8bd52c42b, 0x0af90d6ceec5a4d4, 0x746a247a37cdc5d9 }
+    },
+    {
+        { 0x6eccd85278d941ed, 0x2254ae83d22f7843, -0x3add2fd184403249, 0x681e3351bff0e4e2 },
+        { -0x2ace4742d484650a, 0x5005093537fc5b51, 0x232fcf25c593546d, 0x20a365142bb40f49 },
+        { -0x749b4a627cfcb0bb, 0x2f8b71f21fa20efb, 0x69249495ba6550e4, 0x539ef98e45d5472b }
+    },
+},
+{
+    {
+        { -0x2f8b2769e3518bc1, -0x0792e70a11e39c13, -0x68423aa4180b12d7, 0x4cbad279663ab108 },
+        { 0x6e7bb6a1a6205275, -0x55b0de28bec3717d, 0x6f56d155e88f5cb2, 0x2de25d4ba6345be1 },
+        { -0x7f2e6fdb5f28e033, -0x3ada3df504d77508, -0x4e5c68b4a0c59be7, 0x7d7fbcefe2007233 }
+    },
+    {
+        { -0x3283a23a0c3d6f6c, -0x387e5d65d56efa55, -0x7f39e2c9bde3cfa8, 0x4f9cd196dcd8d4d7 },
+        { -0x0510e195d994d7ff, -0x7993973b2a8c60ea, -0x0975d043e4fc89d4, 0x5975435e87b75a8d },
+        { 0x199297d86a7b3768, -0x2f2fa7dbe52e859d, -0x45fd6352a3e3f3e9, 0x7ccdd084387a0307 }
+    },
+    {
+        { -0x64f37be7989f336d, -0x3251ff85e54cd567, -0x577213799df425e8, 0x3593ca848190ca44 },
+        { -0x2359bdd392d9fbe9, -0x51eac2af6b7dbf43, -0x563f3e4b04973989, 0x428bd0ed61d0cf53 },
+        { -0x6dece765a17b6559, -0x2b273cca9a270533, -0x73adaba4ac02442f, 0x27398308da2d63e6 }
+    },
+    {
+        { -0x465ef1b3f58fdbad, 0x0fa25866d57d1bde, -0x0046264a32d82509, 0x572c2945492c33fd },
+        { 0x42c38d28435ed413, -0x42af0c9fcd873337, -0x44f854e58625fc11, 0x269597aebe8c3355 },
+        { -0x388038ba2932cf42, -0x1b20172c1c455105, -0x5dd377cf55a225f4, 0x7f985498c05bca80 }
+    },
+    {
+        { -0x2ca9eaadf0409c9d, 0x08045a45cf4dfba6, -0x113db04378c05f3e, 0x30f2653cd69b12e7 },
+        { 0x3849ce889f0be117, -0x7ffa52e484ab5d78, 0x3da3c39f23fc921c, 0x76c2ec470a31f304 },
+        { -0x75f736c7553ef37b, 0x46179b60db276bcb, -0x56df3fe1f1905390, 0x2f1273f1596473da }
+    },
+    {
+        { 0x30488bd755a70bc0, 0x06d6b5a4f1d442e7, -0x152e596143a69e9e, 0x38ac1997edc5f784 },
+        { 0x4739fc7c8ae01e11, -0x02ad8b6fb5955461, 0x41d98a8287728f2e, 0x5d9e572ad85b69f2 },
+        { 0x0666b517a751b13b, 0x747d06867e9b858c, -0x53533feebab221b7, 0x22dfcd9cbfe9e69c }
+    },
+    {
+        { 0x56ec59b4103be0a1, 0x2ee3baecd259f969, 0x797cb29413f5cd32, 0x0fe9877824cde472 },
+        { -0x72242d1f3cf2f327, -0x527199a05344bccd, -0x7094da73cdd569e1, 0x6b2916c05448c1c7 },
+        { 0x7edb34d10aba913b, 0x4ea3cd822e6dac0e, 0x66083dff6578f815, 0x4c303f307ff00a17 }
+    },
+    {
+        { 0x29fc03580dd94500, -0x132d855b9044136d, 0x130a155fc2e2a7f8, 0x416b151ab706a1d5 },
+        { -0x2cf5c429e84d737b, -0x3a2c8848c688c416, -0x39391873e195a341, 0x0d61b8f78b2ab7c4 },
+        { 0x56a8d7efe9c136b0, -0x42f81a32a71bb4e0, -0x5019d025e4a81f55, 0x191a2af74277e8d2 }
+    },
+},
+{
+    {
+        { 0x09d4b60b2fe09a14, -0x3c7b0f50244e8b82, 0x58e2ea8978b5fd6e, 0x519ef577b5e09b0a },
+        { -0x2aaff6a45490b67b, 0x04f4cd5b4fbfaf1a, -0x6271d12ed5f38ac0, 0x2bc24e04b2212286 },
+        { 0x1863d7d91124cca9, 0x7ac08145b88a708e, 0x2bcd7309857031f5, 0x62337a6e8ab8fae5 }
+    },
+    {
+        { -0x2e54cdb1e4c5ed8d, 0x18947cf181055340, 0x3b5d9567a98c196e, 0x7fa00425802e1e68 },
+        { 0x4bcef17f06ffca16, -0x21f91e2496d51e96, 0x0753702d614f42b0, 0x5f6041b45b9212d0 },
+        { 0x7d531574028c2705, -0x7fce829624f28a02, 0x30fface8ef8c8ddd, 0x7e9de97bb6c3e998 }
+    },
+    {
+        { -0x0ffb419d5db2bf23, -0x45f9a66efbad2be1, -0x7e3ba11e9d5bbdcc, 0x4cb829d8a22266ef },
+        { 0x1558967b9e6585a3, -0x6836631f6716746e, 0x10af149b6eb3adad, 0x42181fe8f4d38cfa },
+        { 0x1dbcaa8407b86681, 0x081f001e8b26753b, 0x3cd7ce6a84048e81, 0x78af11633f25f22c }
+    },
+    {
+        { 0x3241c00e7d65318c, -0x19411a232f179219, 0x118b2dc2fbc08c26, 0x680d04a7fc603dc3 },
+        { -0x7be9142bf4af4544, 0x1508722628208bee, -0x5ceb7050463e3c93, 0x0d07daacd32d7d5d },
+        { -0x063dbeb596a55c15, -0x255bd3b3fa5970df, 0x7c6c23987f93963e, 0x210e8cd30c3954e3 }
+    },
+    {
+        { 0x2b50f16137fe6c26, -0x1efd4327a91bfb28, 0x12b0f1414c561f6b, 0x51b17bc8d028ec91 },
+        { -0x53bdfe0def58e3fa, 0x6a65e0aef3bfb021, -0x43bd3ca3c6c9cd09, 0x56ea8db1865f0742 },
+        { -0x000a04b430acaee7, -0x0b67628620eef760, -0x4203159a65c45cdb, 0x18a11f1174d1a6f2 }
+    },
+    {
+        { -0x0429c3252d85a0d4, -0x0ff03b43755ef929, 0x53fb5c1a8e64a430, 0x04eaabe50c1a2e85 },
+        { 0x407375ab3f6bba29, -0x613c492766e1b7d2, -0x6637f17d1aa06d17, 0x307c13b6fb0c0ae1 },
+        { 0x24751021cb8ab5e7, -0x03dcbbb6a3afef15, 0x5f1e717b4e5610a1, 0x44da5f18c2710cd5 }
+    },
+    {
+        { -0x6ea9019476271534, -0x19486bae1dced95f, -0x428b9c26c6bb14b2, 0x726373f6767203ae },
+        { 0x033cc55ff1b82eb5, -0x4ea51c92bee351ae, -0x45bf49e67004532d, 0x768edce1532e861f },
+        { -0x1cfa358d14810976, 0x662cf31f70eadb23, 0x18f026fdb4c45b68, 0x513b5384b5d2ecbd }
+    },
+    {
+        { 0x5e2702878af34ceb, -0x6ff4fbf646b92952, 0x6512ebf7dabd8512, 0x61d9b76988258f81 },
+        { 0x46d46280c729989e, 0x4b93fbd05368a5dd, 0x63df3f81d1765a89, 0x34cebd64b9a0a223 },
+        { -0x593a58ecb64826b5, -0x5c0c2ea7dc146bba, 0x0416fbd277484834, 0x69d45e6f2c70812f }
+    },
+},
+{
+    {
+        { -0x6019d4bcb0b9f105, -0x212cfc2b59c9f82a, -0x0faddef1485f25dc, 0x237e7dbe00545b93 },
+        { -0x31e908b43ac3ebcf, 0x2b9725ce2072edde, -0x47463c904a4dc119, 0x7e2e0e450b5cc908 },
+        { 0x013575ed6701b430, 0x231094e69f0bfd10, 0x75320f1583e47f22, 0x71afa699b11155e3 }
+    },
+    {
+        { -0x15bdc3e3b8c4af2a, 0x51e87a1f3b38ef10, -0x647b40a04d36416b, 0x00731fbc78f89a1c },
+        { 0x65ce6f9b3953b61d, -0x39a7c615505ebe1a, 0x0f435ffda9f759fe, 0x021142e9c2b1c28e },
+        { -0x1bcf38e7b707e780, -0x4069f3dda1313ee7, -0x49251f7c9445ea1d, 0x4c4d6f3347e15808 }
+    },
+    {
+        { 0x2f0cddfc988f1970, 0x6b916227b0b9f51b, 0x6ec7b6c4779176be, 0x38bf9500a88f9fa8 },
+        { 0x18f7eccfc17d1fc9, 0x6c75f5a651403c14, -0x24218ed40811f321, 0x193fddaaa7e47a22 },
+        { 0x1fd2c93c37e8876f, -0x5d09e1a5e72eb9d4, 0x5080f58239241276, 0x6a6fb99ebf0d4969 }
+    },
+    {
+        { -0x114edd4a491bdc3a, -0x6c628fef0d790072, -0x6f56d57ce230a274, 0x136fda9f42c5eb10 },
+        { 0x6a46c1bb560855eb, 0x2416bb38f893f09d, -0x28e2eec8708e533f, 0x75f76914a31896ea },
+        { -0x06b3204e5cfa422f, 0x0f364b9d9ff82c08, 0x2a87d8a5c3bb588a, 0x022183510be8dcba }
+    },
+    {
+        { -0x62a58efebccf8581, -0x4f9c21613b825ba1, 0x22bbfe52be927ad3, 0x1387c441fd40426c },
+        { 0x4af766385ead2d14, -0x5f71277f3583a7d0, 0x0d13a6e610211e3d, 0x6a071ce17b806c03 },
+        { -0x4a2c3c2e78687508, 0x722b5a3d7f0e4413, 0x0d7b4848bb477ca0, 0x3171b26aaf1edc92 }
+    },
+    {
+        { -0x59f248274d75b82f, -0x5940eb29e88f5b0f, -0x2b5e076cac2242a8, 0x6c514a63344243e9 },
+        { -0x56d0ce6f68a9b358, -0x008447b3dd8a1ee7, 0x4f55fe37a4875150, 0x221fd4873cf0835a },
+        { 0x2322204f3a156341, -0x048c1f1645f5fcd3, -0x031f22b3bef0fcf2, 0x48daa596fb924aaa }
+    },
+    {
+        { 0x14f61d5dc84c9793, -0x66be061c10be7dfa, -0x320a4770cb9d8854, 0x58c837fa0e8a79a9 },
+        { 0x6eca8e665ca59cc7, -0x57b8dab4d1c75360, 0x31afc708d21e17ce, 0x676dd6fccad84af7 },
+        { 0x0cf9688596fc9058, 0x1ddcbbf37b56a01b, -0x233d1882b6ca2996, 0x1c4f73f2c6a57f0a }
+    },
+    {
+        { -0x4c918f910383cb7c, 0x73dfc9b4c3c1cf61, -0x14e2863687e3381b, 0x70459adb7daf675c },
+        { 0x0e7a4fbd305fa0bb, -0x7d62b31fab399c53, -0x0bde3c7cd01cc7b8, 0x795ac80d1bf64c42 },
+        { 0x1b91db4991b42bb3, 0x572696234b02dcca, -0x6020611ae0738724, 0x5fe162848ce21fd3 }
+    },
+},
+{
+    {
+        { 0x315c29c795115389, -0x281f1af879d08b32, 0x0c4a762185927432, 0x72de6c984a25a1e4 },
+        { -0x1d86f551b2f883bf, -0x746c7d8f248b965d, 0x6eb632dc8abd16a2, 0x720814ecaa064b72 },
+        { -0x51654aac40955cf0, 0x050a50a9806d6e1b, -0x6d448bfc5200aec7, 0x0394d27645be618b }
+    },
+    {
+        { -0x0ac69bda4dcaba5c, 0x15a7a27e98fbb296, -0x5493ad439c90227a, 0x79d995a8419334ee },
+        { 0x4d572251857eedf4, -0x1c8db1221e616c3b, -0x758ebdf1f4868fcb, 0x3b3c833687abe743 },
+        { -0x32757159ee6a228b, -0x5afb2757e22657d1, 0x540dca81a35879b6, 0x60dd16a379c86a8a }
+    },
+    {
+        { 0x3501d6f8153e47b8, -0x485698abeb5d09f4, 0x112ee8b6455d9523, 0x4e62a3c18112ea8a },
+        { 0x35a2c8487381e559, 0x596ffea6d78082cb, -0x34688e14245849ad, 0x5a08b5019b4da685 },
+        { -0x372b53fbae95487a, 0x595af3215295b23d, -0x29122dcb24fdcf3f, 0x0929efe8825b41cc }
+    },
+    {
+        { -0x74ce8d4852a99ae3, 0x01581b7a3fabd717, 0x2dc94df6424df6e4, 0x30376e5d2c29284f },
+        { 0x5f0601d1cbd0f2d3, 0x736e412f6132bb7f, -0x7c9fbbcddc722179, 0x1e3a5272f5c0753c },
+        { -0x2d6e72587ea65a64, 0x6bdc1cd93f0713f3, 0x565f7a934acd6590, 0x53daacec4cb4c128 }
+    },
+    {
+        { -0x667ad43c7ad30250, 0x2cc12e9559d6ed0b, 0x70f9e2bf9b5ac27b, 0x4f3b8c117959ae99 },
+        { 0x4ca73bd79cc8a7d6, 0x4d4a738f47e9a9b2, -0x0b340ed6bd0a0200, 0x01a13ff9bdbf0752 },
+        { 0x55b6c9c82ff26412, 0x1ac4a8c91fb667a8, -0x2ad840301488740e, 0x303337da7012a3be }
+    },
+    {
+        { -0x6892c334052d022f, -0x34777c68c859bf58, 0x2ff00c1d6734cb25, 0x269ff4dc789c2d2b },
+        { -0x6aabdddd73e36284, 0x01fac1371a9b340f, 0x7e8d9177925b48d7, 0x53f8ad5661b3e31b },
+        { 0x0c003fbdc08d678d, 0x4d982fa37ead2b17, -0x3f8194324d1a7d0f, 0x296c7291df412a44 }
+    },
+    {
+        { -0x204dcdfa25474a62, 0x465aeaa0c8092250, -0x2ecc3ee7658da2e8, 0x2327370261f117d1 },
+        { 0x7903de2b33daf397, -0x2f00f9e63659db4d, -0x75e2dad4aaa4c1e8, 0x2b6d581c52e0b7c0 },
+        { 0x3d0543d3623e7986, 0x679414c2c278a354, -0x51bc0f338d9e690a, 0x7836c41f8245eaba }
+    },
+    {
+        { -0x359ae17b7fee6c84, -0x394f3b91910be5d8, -0x48fde458a0c072ae, 0x119dff99ead7b9fd },
+        { -0x185dab24b616a57f, 0x5192d5d008b0ad73, 0x4d20e5b1d00afc07, 0x5d55f8012cf25f38 },
+        { 0x43eadfcbf4b31d4d, -0x39afc08beeeb776e, -0x0111973af9f2c4e9, 0x329293b3dd4a0ac8 }
+    },
+},
+{
+    {
+        { 0x2879852d5d7cb208, -0x4721228f97820d19, -0x23f40054de97876f, 0x2b44c043677daa35 },
+        { 0x4e59214fe194961a, 0x49be7dc70d71cd4f, -0x6cff302dc4af0dd3, 0x4789d446fc917232 },
+        { 0x1a1c87ab074eb78e, -0x05392e7166250b99, 0x3eacbbcd484f9067, 0x60c52eef2bb9a4e4 }
+    },
+    {
+        { 0x702bc5c27cae6d11, 0x44c7699b54a48cab, -0x1043bfa945b6d14e, 0x70d77248d9b6676d },
+        { 0x0b5d89bc3bfd8bf1, -0x4f946dc8360caae6, 0x0e4c16b0d53028f5, 0x10bc9c312ccfcaab },
+        { -0x557517b4c13d5fa5, -0x6796610b12e87e20, 0x794513e4708e85d1, 0x63755bd3a976f413 }
+    },
+    {
+        { 0x3dc7101897f1acb7, 0x5dda7d5ec165bbd8, 0x508e5b9c0fa1020f, 0x2763751737c52a56 },
+        { -0x4aa05fc1d52ef7ad, 0x356f75909ee63569, -0x60060e0241964770, 0x0d8cc1c48bc16f84 },
+        { 0x029402d36eb419a9, -0x0f4bb181884b9f5b, -0x30579dcf2bc3b6aa, 0x70c2dd8a7ad166e7 }
+    },
+    {
+        { -0x6e2b6982471281ed, 0x74252f0ad776817a, -0x1bf67d1ff27ada9c, 0x32b8613816a53ce5 },
+        { 0x656194509f6fec0e, -0x11d18156b939ae73, -0x68cc3e0c981f64a4, 0x2e0fac6363948495 },
+        { 0x79e7f7bee448cd64, 0x6ac83a67087886d0, -0x07602b265f1b24d2, 0x4179215c735a4f41 }
+    },
+    {
+        { -0x1b51cc46d79432cc, -0x48108149aa622924, 0x278b141fb3d38e1f, 0x31fa85662241c286 },
+        { -0x738f6b18282312d6, -0x6804753cb82c6390, -0x1ec41fcc56f926fe, 0x700344a30cd99d76 },
+        { -0x507d93bdd1c9dd0c, -0x3edfd67867ccafd3, -0x643e481ed4c76edd, 0x24bb2312a9952489 }
+    },
+    {
+        { 0x41f80c2af5f85c6b, 0x687284c304fa6794, -0x76ba20665c45e453, 0x0d1d2af9ffeb5d16 },
+        { -0x4e5712e8cd21983d, 0x3cb49418461b4948, -0x7142bcbc8930432e, 0x0fee3e871e188008 },
+        { -0x5625755ecd9de121, 0x30b822a159226579, 0x4004197ba79ac193, 0x16acd79718531d76 }
+    },
+    {
+        { -0x36a6393a87784953, -0x6b1e6152a06f0146, 0x16e24e62a342f504, 0x164ed34b18161700 },
+        { 0x72df72af2d9b1d3d, 0x63462a36a432245a, 0x3ecea07916b39637, 0x123e0ef6b9302309 },
+        { 0x487ed94c192fe69a, 0x61ae2cea3a911513, -0x7884092c465b21d9, 0x78da0fc61073f3eb }
+    },
+    {
+        { -0x5d607f0e97f3c56c, 0x71f77e151ae9e7e6, 0x1100f15848017973, 0x054aa4b316b38ddd },
+        { 0x5bf15d28e52bc66a, 0x2c47e31870f01a8e, 0x2419afbc06c28bdd, 0x2d25deeb256b173a },
+        { -0x2037b972e6d98348, 0x0b28789c66e54daf, 0x2aeb1d2a666eec17, 0x134610a6ab7da760 }
+    },
+},
+{
+    {
+        { -0x26ebcf1f23fd73c4, 0x0eb955a85217c771, 0x4b09e1ed2c99a1fa, 0x42881af2bd6a743c },
+        { -0x350aa13d83a64dc1, -0x665112c1eab2fb0e, 0x68441d72e14141f4, 0x140345133932a0a2 },
+        { 0x7bfec69aab5cad3d, -0x3dc1732cb34d3053, 0x685dd14bfb37d6a2, 0x0ad6d64415677a18 }
+    },
+    {
+        { 0x7914892847927e9f, 0x33dad6ef370aa877, 0x1f8f24fa11122703, 0x5265ac2f2adf9592 },
+        { 0x781a439e417becb5, 0x4ac5938cd10e0266, 0x5da385110692ac24, 0x11b065a2ade31233 },
+        { 0x405fdd309afcb346, -0x268dc2bbd719c0ac, -0x6b3fe20fa09a5552, 0x43e4dc3ae14c0809 }
+    },
+    {
+        { -0x1590853c523d395d, -0x2f16d709168e836c, -0x1d2c861529ba150b, 0x46dd8785c51ffbbe },
+        { -0x43ed380e56c75ae9, 0x473028ab3180b2e1, 0x3f78571efbcd254a, 0x74e534426ff6f90f },
+        { 0x709801be375c8898, 0x4b06dab5e3fd8348, 0x75880ced27230714, 0x2b09468fdd2f4c42 }
+    },
+    {
+        { 0x5b97946582ffa02a, -0x25f695ae01570ab7, -0x5f9caec8a0885065, 0x1bcfde61201d1e76 },
+        { -0x6838b61148fe346a, -0x7c0bc72b495c963d, 0x62962b8b9a402cd9, 0x6976c7509888df7b },
+        { 0x4a4a5490246a59a2, -0x29c1422117802270, -0x26bc8398f2dc8e06, 0x69e87308d30f8ed6 }
+    },
+    {
+        { 0x0f80bf028bc80303, 0x6aae16b37a18cefb, -0x22b815b828d3295d, 0x61943588f4ed39aa },
+        { 0x435a8bb15656beb0, -0x07053645b0b2a436, -0x464d873beab73f8b, 0x3eb0ef76e892b622 },
+        { -0x2d91a3c16efc607b, -0x3f161882090cc557, -0x176973aa8ff9956d, 0x3c34d1881faaaddd }
+    },
+    {
+        { -0x42a4f470d0001f27, 0x6aa254103ed24fb9, 0x2ac7d7bcb26821c4, 0x605b394b60dca36a },
+        { 0x3f9d2b5ea09f9ec0, 0x1dab3b6fb623a890, -0x5f645c158d26d93c, 0x374193513fd8b36d },
+        { -0x4b17a91ba562e12e, -0x1017b7899368565e, -0x4efb309be1a11183, 0x2f50b81c88a71c8f }
+    },
+    {
+        { 0x2b552ca0a7da522a, 0x3230b336449b0250, -0x0d3b3a435b466047, 0x7b2c674958074a22 },
+        { 0x31723c61fc6811bb, -0x634bafb79dee7ff1, 0x768933d347995753, 0x3491a53502752fcd },
+        { -0x2aae9a77c12d7321, 0x12d84fd2d362de39, 0x0a874ad3e3378e4f, 0x000d2b1f7c763e74 }
+    },
+    {
+        { -0x69db8873c16b5755, 0x0ad6f3cee9a78bec, -0x6b75387ef28bc3b1, 0x76627935aaecfccc },
+        { 0x3d420811d06d4a67, -0x4103fb7a6f1f001d, -0x078f394842b78422, 0x6e2a7316319afa28 },
+        { 0x56a8ac24d6d59a9f, -0x37248ac1cf690ffa, 0x477f41e68f4c5299, 0x588d851cf6c86114 }
+    },
+},
+{
+    {
+        { -0x32d59a18882e0aeb, 0x548991878faa60f1, -0x4e48c4432543f91b, 0x654878cba97cc9fb },
+        { 0x51138ec78df6b0fe, 0x5397da89e575f51b, 0x09207a1d717af1b9, 0x2102fdba2b20d650 },
+        { -0x69611bfafaa3195f, 0x36bca7681251ad29, 0x3a1af517aa7da415, 0x0ad725db29ecb2ba }
+    },
+    {
+        { -0x013843f364fa907b, 0x537d5268e7f5ffd7, 0x77afc6624312aefa, 0x4f675f5302399fd9 },
+        { -0x23bd984e7cb1dba9, -0x498abb4a8f31e43b, 0x1af07a0bf7d15ed7, 0x4aefcffb71a03650 },
+        { -0x3cd2c9c9fbeae8e2, -0x32d410ee7667b7c5, -0x78f591522f6baef0, 0x0bccbb72a2a86561 }
+    },
+    {
+        { 0x186d5e4c50fe1296, -0x1fc6847d01176082, 0x3bc7f6c5507031b0, 0x6678fd69108f37c2 },
+        { 0x185e962feab1a9c8, -0x791819ca9aeb8233, -0x4f6d1fce44a4920e, 0x4024f0ab59d6b73e },
+        { 0x1586fa31636863c2, 0x07f68c48572d33f2, 0x4f73cc9f789eaefc, 0x2d42e2108ead4701 }
+    },
+    {
+        { 0x21717b0d0f537593, -0x6eb196f4ece1f9b4, 0x1bb687ae752ae09f, 0x420bf3a79b423c6e },
+        { -0x680aecea6b202d65, 0x6155985d313f4c6a, -0x145ec0f8f7baaff0, 0x676b2608b8d2d322 },
+        { -0x7ec7459ae3a4d4b9, -0x798e4913cee4e480, 0x7bff0cb1bc3135b0, 0x745d2ffa9c0cf1e0 }
+    },
+    {
+        { 0x6036df5721d34e6a, -0x4e2477d866844c30, -0x2c3df63c378a9506, 0x06e15be54c1dc839 },
+        { -0x40ada5e1d4363743, -0x15a4d9f7d9b8627f, -0x2aee38f120feaa25, 0x1ae23ceb960cf5d0 },
+        { 0x5b725d871932994a, 0x32351cb5ceb1dab0, 0x7dc41549dab7ca05, 0x58ded861278ec1f7 }
+    },
+    {
+        { 0x2dfb5ba8b6c2c9a8, 0x48eeef8ef52c598c, 0x33809107f12d1573, 0x08ba696b531d5bd8 },
+        { -0x27e8c86c0d993aa4, -0x3736893a33bab1b7, 0x5ce382f8bc26c3a8, 0x2ff39de85485f6f9 },
+        { 0x77ed3eeec3efc57a, 0x04e05517d4ff4811, -0x15c285c00e598e35, 0x120633b4947cfe54 }
+    },
+    {
+        { -0x7d42ceb8b6edeff6, -0x21dc8492819041fa, -0x1ee189e6ee15863a, 0x07433be3cb393bde },
+        { 0x0b94987891610042, 0x4ee7b13cecebfae8, 0x70be739594f0a4c0, 0x35d30a99b4d59185 },
+        { -0x0086bb3fa316680c, 0x575d3de4b05c51a3, 0x583381fd5a76847c, 0x2d873ede7af6da9f }
+    },
+    {
+        { -0x559dfd1eb1a2067f, -0x5df2a6e8afea1e0b, 0x18a275d3bae21d6c, 0x0543618a01600253 },
+        { 0x157a316443373409, -0x054748110b557e27, -0x4f6c01190a59b7fa, 0x2e773654707fa7b6 },
+        { 0x0deabdf4974c23c1, -0x5590f5da6231b96d, 0x04202cb8a29aba2c, 0x4b1443362d07960d }
+    },
+},
+{
+    {
+        { 0x299b1c3f57c5715e, -0x69346d6194979270, 0x3004806447235ab3, 0x2c435c24a44d9fe1 },
+        { 0x47b837f753242cec, 0x256dc48cc04212f2, -0x1ddd04041e26d73b, 0x48ea295bad8a2c07 },
+        { 0x0607c97c80f8833f, 0x0e851578ca25ec5b, 0x54f7450b161ebb6f, 0x7bcb4792a0def80e }
+    },
+    {
+        { 0x1cecd0a0045224c2, 0x757f1b1b69e53952, 0x775b7a925289f681, 0x1b6cc62016736148 },
+        { -0x7b781c2fd438c9a7, 0x4baf8445059979df, -0x2e8368a523529041, 0x57369f0bdefc96b6 },
+        { -0x0e5666fe8a9c7968, 0x353dd1beeeaa60d3, -0x7b6b8eccb3645b78, 0x63fa6e6843ade311 }
+    },
+    {
+        { 0x2195becdd24b5eb7, 0x5e41f18cc0cd44f9, -0x20d7f8bbbe356122, 0x07073b98f35b7d67 },
+        { -0x2ea3dfac9a683e98, -0x608c8bff672d7877, 0x18aee7f13257ba1f, 0x3418bfda07346f14 },
+        { -0x2fc39893b31acf2c, 0x0b64c0473b5df9f4, 0x065cef8b19b3a31e, 0x3084d661533102c9 }
+    },
+    {
+        { -0x6593178989fcde03, 0x7fe2b5109eb63ad8, 0x00e7d4ae8ac80592, 0x73d86b7abb6f723a },
+        { -0x1e094861407b9653, 0x15801004e2663135, -0x65b67ccf508be7e5, 0x3ba2504f049b673c },
+        { 0x0b52b5606dba5ab6, -0x56ecb0f0444e1255, 0x30a9520d9b04a635, 0x6813b8f37973e5db }
+    },
+    {
+        { -0x0e6b35a90cea81d7, 0x136d35705ef528a5, -0x22b3108874fa6644, 0x7d5472af24f833ed },
+        { -0x67ab4fabccbed83f, 0x105d047882fbff25, -0x24b60806bbe790b1, 0x1768e838bed0b900 },
+        { -0x2f1078b250cc25b9, 0x00d3be5db6e339f9, 0x3f2a8a2f9c9ceece, 0x5d1aeb792352435a }
+    },
+    {
+        { 0x12c7bfaeb61ba775, -0x47b19de01d9c4003, 0x0b47a5c35c840dcf, 0x7e83be0bccaf8634 },
+        { -0x0a61944ce6329c36, 0x670c159221d06839, -0x4f92a9a4deaf354a, 0x20fb199d104f12a3 },
+        { 0x61943dee6d99c120, -0x79efe0d1b9f46020, 0x6bb2f1518ee8598d, 0x76b76289fcc475cc }
+    },
+    {
+        { 0x4245f1a1522ec0b3, 0x558785b22a75656d, 0x1d485a2548a1b3c0, 0x60959eccd58fe09f },
+        { 0x791b4cc1756286fa, -0x24312ce828b5ea84, 0x7e732421ea72bde6, 0x01fe18491131c8e9 },
+        { 0x3ebfeb7ba8ed7a09, 0x49fdc2bbe502789c, 0x44ebce5d3c119428, 0x35e1eb55be947f4a }
+    },
+    {
+        { 0x14fd6dfa726ccc74, 0x3b084cfe2f53b965, -0x0cc51b0aad5d374c, 0x59aab07a0d40166a },
+        { -0x242518fe3a8c722d, -0x063909ca4d90e412, 0x61e96a8042f15ef4, 0x3aa1d11faf60a4d8 },
+        { 0x77bcec4c925eac25, 0x1848718460137738, 0x5b374337fea9f451, 0x1865e78ec8e6aa46 }
+    },
+},
+{
+    {
+        { -0x6983ab16e3ad6335, 0x30f6269264c635fb, 0x2747aff478121965, 0x17038418eaf66f5c },
+        { -0x333b48384991e086, 0x44157e25f50c2f7e, 0x3ef06dfc713eaf1c, 0x582f446752da63f7 },
+        { -0x39ce842cdfcdb31c, -0x57efbd175bb7743c, -0x4de10e74b1a5ec9c, 0x0c2a1c4bcda28dc9 }
+    },
+    {
+        { -0x123b7eb7964296bb, 0x0d6d907dbe1c8d22, -0x39c42ded2aa33a55, 0x5a6a9b30a314dc83 },
+        { -0x2db2382f90e0fbb9, -0x4dd961c124783fa7, -0x2ea4fd8d044d2d71, 0x7c558bd1c6f64877 },
+        { -0x2f13eadb2c69b9c3, 0x12bb628ac35a24f0, -0x5af3c586e343a05c, 0x0404a5ca0afbafc3 }
+    },
+    {
+        { 0x62bc9e1b2a416fd1, -0x4a3908d71cafa675, 0x04343fd83d5d6967, 0x39527516e7f8ee98 },
+        { -0x73e0bff8f558bc2a, -0x33452f34a4d9a118, 0x574b046b668fd2de, 0x46395bfdcadd9633 },
+        { 0x117fdb2d1a5d9a9c, -0x6388ba432effa3d6, -0x102b410eab2a9016, 0x76579a29e822d016 }
+    },
+    {
+        { 0x333cb51352b434f2, -0x27cdd7b66c217f1f, -0x4aaed7788af2ca32, 0x02c514bb2a2777c1 },
+        { 0x45b68e7e49c02a17, 0x23cd51a2bca9a37f, 0x3ed65f11ec224c1b, 0x43a384dc9e05bdb1 },
+        { 0x684bd5da8bf1b645, -0x04742c81094ab4ad, 0x313916d7a9b0d253, 0x1160920961548059 }
+    },
+    {
+        { 0x7a385616369b4dcd, 0x75c02ca7655c3563, 0x7dc21bf9d4f18021, 0x2f637d7491e6e042 },
+        { -0x4bb2e996d6253056, -0x25ad60b37beca671, -0x16109c35bac2aaa7, 0x351e125bc5698e0b },
+        { -0x2b4b64b9e5098442, -0x29fcfc853754769f, 0x71dee19ff9a699fb, 0x7f182d06e7ce2a9a }
+    },
+    {
+        { 0x09454b728e217522, -0x55a7170b2b7b4728, -0x2ca7dab280b96fc4, 0x44acc043241c5217 },
+        { 0x7a7c8e64ab0168ec, -0x34a5b5aaea123abd, 0x095519d347cd0eda, 0x67d4ac8c343e93b0 },
+        { 0x1c7d6bbb4f7a5777, -0x74ca012b6e7cec1f, 0x4adca1c6c96b4684, 0x556d1c8312ad71bd }
+    },
+    {
+        { -0x7e0f98a94ee417df, 0x0faff82310a3f3dd, -0x074d2faa9566b9a3, 0x097abe38cc8c7f05 },
+        { 0x17ef40e30c8d3982, 0x31f7073e15a3fa34, 0x4f21f3cb0773646e, 0x746c6c6d1d824eff },
+        { 0x0c49c9877ea52da4, 0x4c4369559bdc1d43, 0x022c3809f7ccebd2, 0x577e14a34bee84bd }
+    },
+    {
+        { -0x6b01314142b228d5, -0x0b95b025f9f0ddef, 0x124a5977c0c8d1ff, 0x705304b8fb009295 },
+        { -0x0f1d97539e58c4f6, -0x0d0505efc86e5a0b, -0x3e1ec17d9492ff17, 0x60fa7ee96fd78f42 },
+        { -0x49c2e2cab2d6913a, -0x0c3cfac1a052ce28, 0x670b958cb4bd42ec, 0x21398e0ca16353fd }
+    },
+},
+{
+    {
+        { -0x793a03e979e48166, -0x095ccfb895d83baf, 0x01667267a1e93597, 0x05ffb9cd6082dfeb },
+        { 0x216ab2ca8da7d2ef, 0x366ad9dd99f42827, -0x519b46ffb022c38b, 0x403a395b53909e62 },
+        { -0x59e805600ac09ec7, 0x60f2b5e513e66cb6, -0x285741104cbb755c, 0x7a2932856f5ea192 }
+    },
+    {
+        { -0x4763bbb7869c6cfe, 0x4ae4f19350c67f2c, -0x0f4ca25737e5063a, 0x39d0003546871017 },
+        { 0x0b39d761b02de888, 0x5f550e7ed2414e1f, -0x59405ba7dd1e56c0, 0x050a2f7dfd447b99 },
+        { 0x437c3b33a650db77, 0x6bafe81dbac52bb2, -0x0166bfd2d2482ce8, 0x2b5b7eec372ba6ce }
+    },
+    {
+        { -0x596bbfb29ec5370c, 0x500c3c2bfa97e72c, -0x78befb2de0313df0, 0x1b205fb38604a8ee },
+        { -0x4c43b4427c0af111, 0x508f0c998c927866, 0x43e76587c8b7e66e, 0x0f7655a3a47f98d9 },
+        { 0x55ecad37d24b133c, 0x441e147d6038c90b, 0x656683a1d62c6fee, 0x0157d5dc87e0ecae }
+    },
+    {
+        { -0x6ad9aaeb28e14adc, -0x19fc277ea20eba6d, 0x147cdf410d4de6b7, 0x5293b1730437c850 },
+        { -0x0d5850aefcab3ec3, -0x285f4eba55c8d4a0, 0x2869b96a05a3d470, 0x6528e42d82460173 },
+        { 0x23d0e0814bccf226, -0x6d38ba327e69046d, -0x749e8693a6abe1a5, 0x40a44df0c021f978 }
+    },
+    {
+        { -0x793691aeb43a2f6b, -0x0df2bf6703597fb6, 0x27363d89c826ea5d, 0x39ca36565719cacf },
+        { -0x25579676b0df1596, -0x15eb5c2eb39df9e8, 0x6001fccb090bf8be, 0x35f4e822947e9cf0 },
+        { -0x68af90d0907848a4, -0x39db515ffcb51f90, 0x1ec856e3aad34dd6, 0x055b0be0e440e58f }
+    },
+    {
+        { 0x4d12a04b6ea33da2, 0x57cf4c15e36126dd, -0x6f13698a11bb2699, 0x64ca348d2a985aac },
+        { 0x6469a17d89735d12, -0x2490d82a199d460f, -0x60345cd795c6a97f, 0x363b8004d269af25 },
+        { -0x66a771e61b3b6ed3, -0x1033c4b1e35a3195, 0x4522ea60fa5b98d5, 0x7064bbab1de4a819 }
+    },
+    {
+        { -0x5d6f3f9ebdabded7, -0x0d1d3d514172a470, -0x30dba724895401e5, 0x02157ade83d626bf },
+        { -0x46e61eaea588f9bf, -0x565d1d38b1807fc7, 0x7527250b3df23109, 0x756a7330ac27b78b },
+        { 0x3e46972a1b9a038b, 0x2e4ee66a7ee03fb4, -0x7e5db78891244b36, 0x1a944ee88ecd0563 }
+    },
+    {
+        { -0x44bf57a6e7dc9d2a, -0x4660aa8875b2e545, -0x72e74bd88a7aa60a, 0x26c20fe74d26235a },
+        { -0x2a56e2eeaefc6c8e, 0x2ed377b799ca26de, -0x5e8dfd5302c99495, 0x0730291bd6901995 },
+        { 0x648d1d9fe9cc22f5, 0x66bc561928dd577c, 0x47d3ed21652439d1, 0x49d271acedaf8b49 }
+    },
+},
+{
+    {
+        { 0x2798aaf9b4b75601, 0x5eac72135c8dad72, -0x2d31559e9e485fdd, 0x1bbfb284e98f7d4e },
+        { -0x760afa75c7d4cc0d, 0x5ae2ba0bad48c0b4, -0x706c4afc5ac24c92, 0x5aa3ed9d95a232e6 },
+        { 0x656777e9c7d96561, -0x34d4edab8d387fca, 0x65053299d9506eee, 0x4a07e14e5e8957cc }
+    },
+    {
+        { 0x240b58cdc477a49b, -0x02c725219bb80fe9, 0x19928d32a7c86aad, 0x50af7aed84afa081 },
+        { 0x4ee412cb980df999, -0x5cea2890c391388f, -0x445a12216da38803, 0x3f0bac391d313402 },
+        { 0x6e4fde0115f65be5, 0x29982621216109b2, 0x780205810badd6d9, 0x1921a316baebd006 }
+    },
+    {
+        { -0x28a55265260c3e75, 0x566a0eef60b1c19c, 0x3e9a0bac255c0ed9, 0x7b049deca062c7f5 },
+        { -0x76bdd08120478f04, 0x2c296beb4f76b3bd, 0x0738f1d436c24df7, 0x6458df41e273aeb0 },
+        { -0x23341c85cabbbb7d, 0x758879330fedbe93, 0x786004c312c5dd87, 0x6093dccbc2950e64 }
+    },
+    {
+        { 0x6bdeeebe6084034b, 0x3199c2b6780fb854, -0x68cc895449d2f96b, 0x6e3180c98b647d90 },
+        { 0x1ff39a8585e0706d, 0x36d0a5d8b3e73933, 0x43b9f2e1718f453b, 0x57d1ea084827a97c },
+        { -0x118549185ed74f8f, -0x5b3ea6926c577456, -0x084b217d4dde9ed0, 0x363e999ddd97bd18 }
+    },
+    {
+        { 0x2f1848dce24baec6, 0x769b7255babcaf60, -0x6f34c391c31016cf, 0x231f979bc6f9b355 },
+        { -0x6957bc3eca11e03c, -0x68914caaf71b3731, -0x4bd097fe4a732cd0, 0x48ee9b78693a052b },
+        { 0x5c31de4bcc2af3c6, -0x4fb44fcf01df72e1, -0x48728ff63eb04b9a, 0x079bfa9b08792413 }
+    },
+    {
+        { -0x0c36127f5d2abdbb, 0x0aa08b7877f63952, -0x2892539c2ef7ab8b, 0x1ef4fb159470636b },
+        { -0x1c6fc5ae25cff20c, -0x7bc69bdcc256a550, -0x12c30ed2f4ca9b80, 0x038c77f684817194 },
+        { -0x7ab1a119a4e98414, 0x59590a4296d0cdc2, 0x72b2df3498102199, 0x575ee92a4a0bff56 }
+    },
+    {
+        { 0x5d46bc450aa4d801, -0x3c50edd85acc4628, 0x389e3b262b8906c2, 0x200a1e7e382f581b },
+        { -0x2b3f7f6f75e7d031, 0x30e170c299489dbd, 0x05babd5752f733de, 0x43d4e7112cd3fd00 },
+        { 0x518db967eaf93ac5, 0x71bc989b056652c0, -0x01d47a26a98e680b, 0x050eca52651e4e38 }
+    },
+    {
+        { -0x6853c6899f199716, -0x64e64401eac54b69, 0x4cb179b534eca79f, 0x6151c09fa131ae57 },
+        { -0x3cbce521bac0f364, -0x160afba1008fc465, -0x03268536127b84c3, 0x4b0ee6c21c58f4c6 },
+        { 0x3af55c0dfdf05d96, -0x22d9d11fd54b1186, 0x11b2bb8712171709, 0x1fef24fa800f030b }
+    },
+},
+{
+    {
+        { -0x006e59956fe99de0, -0x0ddaad51a40e1ff7, 0x7dff85d87f90df7c, 0x4f620ffe0c736fb9 },
+        { -0x4b69edc5949399f7, -0x58af017a7f54a6c8, -0x0b8e40c6483d85a1, 0x507903ce77ac193c },
+        { 0x62f90d65dfde3e34, -0x30d73a6d4605a053, -0x6637910639e9baf0, 0x25d448044a256c84 }
+    },
+    {
+        { 0x2c7c4415c9022b55, 0x56a0d241812eb1fe, -0x0fd15e362849a1f3, 0x4180512fd5323b26 },
+        { -0x4297dcf138164e91, 0x0eb1b9c1c1c5795d, 0x7943c8c495b6b1ff, 0x2f9faf620bbacf5e },
+        { -0x5b00c19675b75a25, -0x4595c7f9426abfc5, -0x60831e50b82a49a3, 0x15e087e55939d2fb }
+    },
+    {
+        { -0x776be7910469c0c8, 0x48a00e80dc639bd5, -0x5b17f6d41693e367, 0x5a097d54ca573661 },
+        { 0x12207543745c1496, -0x2500c30225c79ef4, -0x1b1868d8d38e3cb1, 0x39c07b1934bdede9 },
+        { 0x2d45892b17c9e755, -0x2fcc028d76cf7208, 0x6c2fe9d9525b8bd9, 0x2edbecf1c11cc079 }
+    },
+    {
+        { -0x11f0f0222f785da1, -0x638aceaaa3c1cb12, 0x660c572e8fab3ab5, 0x0854fc44544cd3b2 },
+        { 0x1616a4e3c715a0d2, 0x53623cb0f8341d4d, -0x6910acd638176635, 0x3d4e8dbba668baa6 },
+        { 0x61eba0c555edad19, 0x24b533fef0a83de6, 0x3b77042883baa5f8, 0x678f82b898a47e8d }
+    },
+    {
+        { 0x1e09d94057775696, -0x112ed9a3c326ae25, -0x056253d4df431e91, 0x0f7f76e0e8d089f4 },
+        { -0x4eb6e2f4296ff3ac, 0x3539722c9d132636, 0x4db928920b362bc9, 0x4d7cd1fea68b69df },
+        { 0x36d9ebc5d485b00c, -0x5da69b6d1b524c9b, -0x3e9a6b7f3dee6333, 0x45306349186e0d5f }
+    },
+    {
+        { -0x695beb13d4f8db6f, 0x1bb2218127a7b65b, 0x6d2849596e8a4af0, 0x65f3b08ccd27765f },
+        { -0x6b222f3e593200e3, 0x55f6f115e84213ae, 0x6c935f85992fcf6a, 0x067ee0f54a37f16f },
+        { -0x134d6000e667fe09, -0x62c9e2e05d5f08d1, 0x25f11d2375fd2f49, 0x124cefe80fe10fe2 }
+    },
+    {
+        { 0x1518e85b31b16489, -0x70552348248ef405, 0x39b0bdf4a14ae239, 0x05f4cbea503d20c1 },
+        { 0x4c126cf9d18df255, -0x3e2b8e16eb859c4a, 0x2c6d3c73f3c93b5f, 0x6be3a6a2e3ff86a2 },
+        { -0x31fbf1613fbeba44, -0x38e00b1df7097cb4, -0x42ab91725477b85d, 0x64666aa0a4d2aba5 }
+    },
+    {
+        { -0x4f3ac408ccc816b4, 0x7cb5697e11e14f15, 0x4b84abac1930c750, 0x28dd4abfe0640468 },
+        { 0x6841435a7c06d912, -0x35edc3de44c07cf5, -0x2b4c84d84e341d88, 0x1d753b84c76f5046 },
+        { 0x7dc0b64c44cb9f44, 0x18a3e1ace3925dbf, 0x7a3034862d0457c4, 0x4c498bf78a0c892e }
+    },
+},
+{
+    {
+        { 0x22d2aff530976b86, -0x726f47f93d2db9fc, -0x235e7693b21a451b, 0x28005fe6c8340c17 },
+        { 0x37d653fb1aa73196, 0x0f9495303fd76418, -0x52dff4f604c5e84e, 0x544d49292fc8613e },
+        { 0x6aefba9f34528688, 0x5c1bff9425107da1, -0x08a444329926b4ca, 0x72e472930f316dfa }
+    },
+    {
+        { 0x07f3f635d32a7627, 0x7aaa4d865f6566f0, 0x3c85e79728d04450, 0x1fee7f000fe06438 },
+        { 0x2695208c9781084f, -0x4eafd5f4dcbaf11f, -0x02625159fc1021fe, 0x5a9d2e8c2733a34c },
+        { 0x765305da03dbf7e5, -0x5b250db6ebcb3243, 0x7b4ad5cdd24a88ec, 0x00f94051ee040543 }
+    },
+    {
+        { -0x28106c44f85068ad, 0x583ed0cf3db766a7, -0x3196674091f4e13b, 0x47b7ffd25dd40452 },
+        { -0x72ca94dc3c2ccf4e, -0x0de374644fb8e4fa, -0x4c93ce9391bd47c4, 0x07d79c7e8beab10d },
+        { -0x7804046343f722ee, -0x75f994c51e113d65, 0x0d57242bdb1fc1bf, 0x1c3520a35ea64bb6 }
+    },
+    {
+        { -0x325790bfde943fa7, 0x1fbb231d12bcd87e, -0x4b6a9561e838f670, 0x38750c3b66d12e55 },
+        { -0x7f2dac5943345cb6, 0x3e61c3a13838219b, -0x6f3c49fe677d1c6a, 0x1c3d05775d0ee66f },
+        { 0x692ef1409422e51a, -0x343f38c3d4a2098f, 0x21014fe7744ce029, 0x0621e2c7d330487c }
+    },
+    {
+        { -0x4851e8694f240f0d, 0x54dfafb9e17ce196, 0x25923071e9aaa3b4, 0x5d8e589ca1002e9d },
+        { -0x50679f337da67c73, -0x6f15b73e39606524, 0x6526483765581e30, 0x0007d6097bd3a5bc },
+        { -0x3f40e26af7bd56b5, -0x4d2c3c9ca770d1c2, 0x0a961438bb51e2ef, 0x1583d7783c1cbf86 }
+    },
+    {
+        { -0x6ffcb8fb3362d739, 0x1d1b679ef72cc58f, 0x16e12b5fbe5b8726, 0x4958064e83c5580a },
+        { -0x13115d10a25d851f, 0x597c3a1455670174, -0x3659d5ed99f6e986, 0x252a5f2e81ed8f70 },
+        { 0x0d2894265066e80d, -0x033c087acf837395, 0x1b53da780c1112fd, 0x079c170bd843b388 }
+    },
+    {
+        { -0x322932af3f2a2faa, -0x6508979244fca8c5, 0x3ca6723ff3c3ef48, 0x6768c0d7317b8acc },
+        { 0x0506ece464fa6fff, -0x411cbce19dfa1add, 0x3579422451b8ea42, 0x6dec05e34ac9fb00 },
+        { -0x6b49da1a0eaa3e4d, 0x417bf3a7997b7b91, -0x3dd342239294da00, 0x51445e14ddcd52f4 }
+    },
+    {
+        { -0x76ceb854d4415bab, -0x73ac5db06df86ed7, 0x4b49f948be30f7a7, 0x12e990086e4fd43d },
+        { 0x57502b4b3b144951, -0x71980094bbb4434d, -0x474296d8e99c7a25, 0x13186f31e39295c8 },
+        { -0x0ef3694c802044d2, -0x60656ca1ede31507, -0x20eec93bc5a467c1, 0x77b2e3f05d3e99af }
+    },
+},
+{
+    {
+        { -0x6acd0b7033a32d65, 0x2ba851bea3ce3671, 0x32dacaa051122941, 0x478d99d9350004f2 },
+        { -0x02f28a78630ed9a9, -0x17d0106b1ac5f1d7, -0x33cb580fa444b419, 0x0b251172a50c38a2 },
+        { 0x1d5ad94890bb02c0, 0x50e208b10ec25115, -0x5d95dd76b10de8fe, 0x4dc923343b524805 }
+    },
+    {
+        { 0x3ad3e3ebf36c4975, -0x28a2da5ac879dedb, -0x178c6bc25fda5aea, 0x6bbc7cb4c411c847 },
+        { -0x1c7d73bff07f794a, 0x3f77e6f7979f0dc8, 0x7ef6de304df42cb4, 0x5265797cb6abd784 },
+        { 0x3c6f9cd1d4a50d56, -0x49dbbf8839015482, 0x6ff9bf483580972e, 0x00375883b332acfb }
+    },
+    {
+        { -0x3674137a938a3664, -0x1bbe7b3fff1cc30c, 0x0a676b9bba907634, 0x669e2cb571f379d7 },
+        { 0x0001b2cd28cb0940, 0x63fb51a06f1c24c9, -0x4a52796e232a35cf, 0x67238dbd8c450660 },
+        { -0x34ee948c5b642cf8, 0x025aad6b2392729e, -0x4b86c105c0aa264f, 0x72a1056140678bb9 }
+    },
+    {
+        { 0x0d8d2909e2e505b6, -0x673587543fd6edd0, 0x77ef5569a9b12327, 0x7c77897b81439b47 },
+        { -0x5d497ed4e336db63, 0x62866eee21211f58, 0x2cb5c5b85df10ece, 0x03a6b259e263ae00 },
+        { -0x0e3e4a1d21cce34b, 0x5a9f5d8e15fca420, -0x605bc70e8426cd4f, 0x2a381bf01c6146e7 }
+    },
+    {
+        { -0x083f41cd4acbe991, 0x27e6ca6419cf70d4, -0x6cb2082856a858a7, 0x5701461dabdec2aa },
+        { -0x536467863037ee3f, -0x7482d67ec8a91a99, 0x50da4e607c70edfc, 0x5dbca62f884400b6 },
+        { 0x2c6747402c915c25, 0x1bdcd1a80b0d340a, 0x5e5601bd07b43f5f, 0x2555b4e05539a242 }
+    },
+    {
+        { 0x78409b1d87e463d4, -0x52b256a532049c63, -0x13d788c8aada6464, 0x69c806e9c31230ab },
+        { 0x6fc09f5266ddd216, -0x231a9f58371c8fb8, -0x139a6c625d209d03, 0x7a869ae7e52ed192 },
+        { 0x7b48f57414bb3f22, 0x68c7cee4aedccc88, -0x12d06c9e86127f42, 0x25d70b885f77bc4b }
+    },
+    {
+        { -0x67ba62d644e51b2c, 0x56b9c4c739f954ec, -0x7cd8bc093d64b4c2, 0x21ea8e2798b6878a },
+        { 0x4151c3d9762bf4de, 0x083f435f2745d82b, 0x29775a2e0d23ddd5, 0x138e3a6269a5db24 },
+        { -0x78410b4b95a58464, -0x2dd662e4a03e2f9e, -0x7dbf67e722cde9b8, 0x5c5abeb1e5a2e03d }
+    },
+    {
+        { 0x02cde6de1306a233, 0x7b5a52a2116f8ec7, -0x1e397e0b3ee9c4a5, 0x241d350660d32643 },
+        { 0x14722af4b73c2ddb, -0x43b8f3a0a5faf9f3, 0x00943eac2581b02e, 0x0e434b3b1f499c8f },
+        { 0x6be4404d0ebc52c7, -0x51b9dcc44e586e0b, 0x2aec170ed25db42b, 0x1d8dfd966645d694 }
+    },
+},
+{
+    {
+        { -0x2a679c63ed224f5c, -0x5a2e60cf3fdb7995, -0x2e83d0fca7031ba0, 0x07a195152e095e8a },
+        { 0x296fa9c59c2ec4de, -0x43749e40b07b0c35, 0x1c7706d917a8f908, 0x63b795fc7ad3255d },
+        { -0x57c970fdc761a038, -0x6fbcc4fd30721bc5, -0x505e02a23abed9bd, 0x3e8fe83d032f0137 }
+    },
+    {
+        { 0x08704c8de8efd13c, -0x203ae571cc1fc8cf, -0x5a62a25aed9f321d, 0x22d60899a6258c86 },
+        { 0x2f8b15b90570a294, -0x6b0dbd8f98f7bab7, -0x21e3a51e9e44027c, 0x75ba3b797fac4007 },
+        { 0x6239dbc070cdd196, 0x60fe8a8b6c7d8a9a, -0x4c77b84314bfeda0, 0x0904d07b87779e5e }
+    },
+    {
+        { -0x0bcdd299b706bf47, 0x06952f0cbd2d0c39, 0x167697ada081f931, 0x6240aacebaf72a6c },
+        { -0x4b31e02b22456e64, -0x30ce24c138b37256, 0x2c63cc63ad86cc51, 0x43e2143fbc1dde07 },
+        { -0x07cb8b63a45d6a60, -0x296b83a435c82da6, 0x66f13ba7e7c9316a, 0x56bdaf238db40cac }
+    },
+    {
+        { 0x1310d36cc19d3bb2, 0x062a6bb7622386b9, 0x7c9b8591d7a14f5c, 0x03aa31507e1e5754 },
+        { 0x362ab9e3f53533eb, 0x338568d56eb93d40, -0x61f1ebade2a5aa8e, 0x1d24a86d83741318 },
+        { -0x0b1389b7002b31e1, -0x1fba150fab5373e4, -0x772dda7de2f6ca84, 0x43b261dc9aeb4859 }
+    },
+    {
+        { 0x19513d8b6c951364, -0x6b018ed9fff40b85, 0x028d10ddd54f9567, 0x02b4d5e242940964 },
+        { -0x1aa4e1e677448645, -0x5f612f823e85ca63, -0x4fd3d11d9fc215cd, 0x326055cf5b276bc2 },
+        { -0x4b5eaa34d72e720e, -0x1533b9b9e7931af8, -0x3b630b6c937dbc77, 0x27a6c809ae5d3410 }
+    },
+    {
+        { -0x32d3d8f53bc296ac, -0x22b5c1a89599354e, 0x79fa592469d7036c, 0x221503603d8c2599 },
+        { -0x74591432e0f24e78, 0x37d3d73a675a5be8, -0x0dd1205cea0aa7a6, 0x2cb67174ff60a17e },
+        { 0x59eecdf9390be1d0, -0x56bddfbb8d731c0f, -0x7d76e399856b0f0c, 0x7b1df4b73890f436 }
+    },
+    {
+        { 0x5f2e221807f8f58c, -0x1caaa3602b6bf62c, -0x4d555772e04959d0, 0x68698245d352e03d },
+        { -0x1b6d0d1f4c4d5ddc, 0x7c6c9e062b551160, 0x15eb8fe20d7f7b0e, 0x61fcef2658fc5992 },
+        { -0x244ea27ad5e7e786, -0x0c1b552c79225329, 0x44bae2810ff6c482, 0x46cf4c473daf01cf }
+    },
+    {
+        { 0x213c6ea7f1498140, 0x7c1e7ef8392b4854, 0x2488c38c5629ceba, 0x1065aae50d8cc5bb },
+        { 0x426525ed9ec4e5f9, 0x0e5eda0116903303, 0x72b1a7f2cbe5cadc, 0x29387bcd14eb5f40 },
+        { 0x1c2c4525df200d57, 0x5c3b2dd6bfca674a, 0x0a07e7b1e1834030, 0x69a198e64f1ce716 }
+    },
+},
+{
+    {
+        { 0x7b26e56b9e2d4734, -0x3b38ecd47e39e98b, -0x10a36ada13632181, 0x39c80b16e71743ad },
+        { 0x7afcd613efa9d697, 0x0cc45aa41c067959, -0x5a901efb3e05256a, 0x3a73b70472e40365 },
+        { 0x0f196e0d1b826c68, -0x08e00f1db69f1c25, 0x6113167023b7436c, 0x0cf0ea5877da7282 }
+    },
+    {
+        { -0x1ccd312bc4596ba6, -0x21f4ec9e177e3fa3, 0x1ad40f095e67ed3b, 0x5da8acdab8c63d5d },
+        { 0x196c80a4ddd4ccbd, 0x22e6f55d95f2dd9d, -0x38a1cc38bf2938e5, 0x7bb51279cb3c042f },
+        { -0x3b4999b5c58fea61, 0x76194f0f0a904e14, -0x5a9eb3c65bf693ed, 0x6cd0ff50979feced }
+    },
+    {
+        { 0x7fecfabdb04ba18e, -0x2f038403c4224309, -0x5be2b791fa85ece4, 0x641a4391f2223a61 },
+        { -0x3f1f981870bbd754, 0x14835ab0a61135e3, -0x0de2eb0cc7f9d6cb, 0x6390a4c8df04849c },
+        { -0x3a3946a559f95725, -0x6eb480614f97da0f, 0x2a731f6b44fc9eff, 0x30ddf38562705cfc }
+    },
+    {
+        { 0x33bef2bd68bcd52c, -0x39b6244f96b7d10e, -0x4a4911f3be34e512, 0x5c294d270212a7e5 },
+        { 0x4e3dcbdad1bff7f9, -0x36ee717ddf9ba8e9, -0x45333143f0e762aa, 0x1b4822e9d4467668 },
+        { -0x54c9f580daa9c87f, 0x2512228a480f7958, -0x38a2fad89eeb4b1d, 0x222d9625d976fe2a }
+    },
+    {
+        { 0x0f94be7e0a344f85, -0x14d05573780dd3c8, -0x631e18a1b11e90f1, 0x43e64e5418a08dea },
+        { 0x1c717f85b372ace1, -0x7e6cf196b9c740e8, 0x239cad056bc08b58, 0x0b34271c87f8fff4 },
+        { -0x7eaa1dade5ca319d, -0x41eff2b206edfd72, -0x4007f4075a822314, 0x57342dc96d6bc6e4 }
+    },
+    {
+        { -0x0c3c4348e18f840a, 0x351d9b8c7291a762, 0x00502e6edad69a33, 0x522f521f1ec8807f },
+        { -0x10110f9a3731a668, -0x40fd6aef4a34155e, -0x739b5ef9df483ba8, 0x35134fb231c24855 },
+        { 0x272c1f46f9a3902b, -0x36e45c48669a8434, -0x519eb4cfb075e3f2, 0x7afcaad70b99017b }
+    },
+    {
+        { -0x577ebe13107bd495, 0x55e7b14797abe6c5, -0x738b7068fc87b002, 0x5b50a1f7afcd00b7 },
+        { -0x3da212ab5b4741bf, -0x6fd2ec1ee44f1d23, 0x41f43233cde82ab2, 0x1085faa5c3aae7cb },
+        { -0x647bf0990ec9eceb, 0x18462242701003e9, 0x65ed45fae4a25080, 0x0a2862393fda7320 }
+    },
+    {
+        { -0x69f18c84913462e9, -0x050db6b72983151f, 0x37e7a9b4d55e1b89, 0x5cb7173cb46c59eb },
+        { 0x46ab13c8347cbc9d, 0x3849e8d499c12383, 0x4cea314087d64ac9, 0x1f354134b1a29ee7 },
+        { 0x4a89e68b82b7abf0, -0x0be326d864594847, 0x16e6c210e18d876f, 0x7cacdb0f7f1b09c6 }
+    },
+},
+{
+    {
+        { -0x1efebbcb233a3513, 0x47ed5d963c84fb33, 0x70019576ed86a0e7, 0x25b2697bd267f9e4 },
+        { -0x6f9d4d1f26e58744, 0x47c9889cc8509667, -0x620ab599bfaf8f48, 0x7369e6a92493a1bf },
+        { -0x6298c004ec67979c, 0x3ca5fbd9415dc7b8, -0x1fb133c420d8c4a2, 0x1420683db54e4cd2 }
+    },
+    {
+        { 0x34eebb6fc1cc5ad0, 0x6a1b0ce99646ac8b, -0x2c4f25b6599421ad, 0x31e83b4161d081c1 },
+        { -0x4b8742e1db622e69, 0x620c35005e58c102, -0x04fd2cd0334553a4, 0x60b63bebf508a72d },
+        { -0x681738ed61f9d4b1, 0x49e48f4f29320ad8, 0x5bece14b6f18683f, 0x55cf1eb62d550317 }
+    },
+    {
+        { 0x3076b5e37df58c52, -0x28c54622186633ca, -0x427ce31cb6ec11e0, 0x1a56fbaa62ba0133 },
+        { 0x5879101065c23d58, -0x7462f792af6b7e64, -0x1dbfd056ed3aa059, 0x669a6564570891d4 },
+        { -0x6bc194afa3623614, 0x302557bba77c371a, -0x678c51a9becb89af, 0x13c4836799c58a5c }
+    },
+    {
+        { -0x3b230495a2742f80, -0x21143b13a8e5b7be, -0x2b4d177c471aac9b, 0x50bdc87dc8e5b827 },
+        { 0x423a5d465ab3e1b9, -0x03ec3e78380ec09f, 0x19f83664ecb5b9b6, 0x66f80c93a637b607 },
+        { 0x606d37836edfe111, 0x32353e15f011abd9, 0x64b03ac325b73b96, 0x1dd56444725fd5ae }
+    },
+    {
+        { -0x3d6819fff7453766, 0x7d4cea11eae1c3e0, -0x0c1c741e60186884, 0x3a3a450f63a305cd },
+        { -0x705b8007cc9ded83, -0x4360953b8e3283eb, 0x6e71454349220c8b, 0x0e645912219f732e },
+        { 0x078f2f31d8394627, 0x389d3183de94a510, -0x2e1c9392e8669080, 0x318c8d9393a9a87b }
+    },
+    {
+        { 0x5d669e29ab1dd398, -0x036de9a7cbd261c5, 0x55851dfdf35973cd, 0x509a41c325950af6 },
+        { -0x0d8ba2fcd50001e7, 0x0c9f3c497f24db66, -0x43672c1c457a6711, 0x224c7c679a1d5314 },
+        { -0x423f91235906da17, 0x793ef3f4641b1f33, -0x7d13ed7f627cc177, 0x05bff02328a11389 }
+    },
+    {
+        { 0x6881a0dd0dc512e4, 0x4fe70dc844a5fafe, 0x1f748e6b8f4a5240, 0x576277cdee01a3ea },
+        { 0x3632137023cae00b, 0x544acf0ad1accf59, -0x698befb62de5e378, 0x780b8cc3fa2a44a7 },
+        { 0x1ef38abc234f305f, -0x65a88042ebfa21f8, 0x5e82a51434e62a0d, 0x5ff418726271b7a1 }
+    },
+    {
+        { -0x1a24b817ec496ac0, -0x0ca2d5c4bcd9ef1f, -0x53e0d916c787ed8a, 0x29d4db8ca0a0cb69 },
+        { 0x398e080c1789db9d, -0x589fdfda0c18870b, -0x056776b3f942fca3, 0x106a03dc25a966be },
+        { -0x2652f550ccccac30, 0x38669da5acd309e5, 0x3c57658ac888f7f0, 0x4ab38a51052cbefa }
+    },
+},
+{
+    {
+        { -0x09701d177f621fac, -0x1c43f695637d452f, 0x076353d40aadbf45, 0x7b9b1fb5dea1959e },
+        { -0x20253411bcdb3f17, 0x054442883f955bb7, -0x2108555715ce9f61, 0x68aee70642287cff },
+        { -0x0fe3370e8b8e33f4, -0x6adbd1c8a86f7d45, 0x27776093d3e46b5f, 0x2d13d55a28bd85fb }
+    },
+    {
+        { -0x40fe6331851185ae, -0x57212d491bab152d, 0x3c619f0b87a8bb19, 0x3619b5d7560916d8 },
+        { -0x053a2df9a4ca4726, -0x572575657a9db449, -0x332d356ec2de32f1, 0x6b8341ee8bf90d58 },
+        { 0x3579f26b0282c4b2, 0x64d592f24fafefae, -0x48321284d7373840, 0x6a927b6b7173a8d7 }
+    },
+    {
+        { -0x728fbf79c1317715, -0x0f1cf8567f113f74, -0x53ddaf9ef2877026, 0x056d92a43a0d478d },
+        { 0x1f6db24f986e4656, 0x1021c02ed1e9105b, -0x0700c000d33f5c8b, 0x1d2a6bf8c6c82592 },
+        { 0x1b05a196fc3da5a1, 0x77d7a8c243b59ed0, 0x06da3d6297d17918, 0x66fbb494f12353f7 }
+    },
+    {
+        { -0x2928f6690edcf62a, -0x2404dc7a163c2ac7, 0x46d602b0f7552411, 0x270a0b0557843e0c },
+        { 0x751a50b9d85c0fb8, -0x2e5023da7430f685, 0x2f16a6a38309a969, 0x14ddff9ee5b00659 },
+        { 0x61ff0640a7862bcc, -0x7e353f65a0ee5402, -0x6fb87cfbaa2ed545, 0x19a4bde1945ae873 }
+    },
+    {
+        { 0x40c709dec076c49f, 0x657bfaf27f3e53f6, 0x40662331eca042c4, 0x14b375487eb4df04 },
+        { -0x6460d90adf59dff6, 0x64804443cf13eaf8, -0x759c98c079ce122d, 0x72bbbce11ed39dc1 },
+        { -0x517ac36b549923b9, -0x149dcbc12089d292, -0x0f71f1e7904d082f, 0x4f0b1c02700ab37a }
+    },
+    {
+        { 0x79fd21ccc1b2e23f, 0x4ae7c281453df52a, -0x37e8d1362eaeb795, 0x68abe9443e0a7534 },
+        { -0x1e8f987827e6ae06, -0x5ef5d3714d6f3885, -0x18c7d05fc129988d, 0x0a4d84710bcc4b54 },
+        { -0x25ed393bf87ce235, 0x0da230d74d5c510d, 0x4ab1531e6bd404e1, 0x4106b166bcf440ef }
+    },
+    {
+        { -0x5b7a332ac61b130e, 0x5aa3f3ad0555bab5, 0x145e3439937df82d, 0x1238b51e1214283f },
+        { 0x02e57a421cd23668, 0x4ad9fb5d0eaef6fd, -0x6ab198d84edbbb80, 0x7f792f9d2699f331 },
+        { 0x0b886b925fd4d924, 0x60906f7a3626a80d, -0x132c984b467542ee, 0x2876beb1def344cf }
+    },
+    {
+        { -0x2a6b4cccc5757a08, 0x4ea37689e78d7d58, 0x73bf9f455e8e351f, 0x5507d7d2bc41ebb4 },
+        { -0x237b16ca9cebb96f, 0x632fe8a0d61f23f4, 0x4caa800612a9a8d5, 0x48f9dbfa0e9918d3 },
+        { 0x1ceb2903299572fc, 0x7c8ccaa29502d0ee, -0x6e405bcbee331985, 0x5784481964a831e7 }
+    },
+},
+{
+    {
+        { -0x29302e10a0223f64, -0x17d4c10208a8a232, 0x25d56b5d201634c2, 0x3041c6bb04ed2b9b },
+        { -0x2583d4da98972a6d, -0x673e3fa8bbdd35ed, -0x0e57f42a35f531e3, 0x29cdd1adc088a690 },
+        { 0x0ff2f2f9d956e148, -0x5218688a60ca94d2, 0x1a4698bb5f6c025c, 0x104bbd6814049a7b }
+    },
+    {
+        { -0x56a265a029800e9d, -0x16d41962b338a97f, -0x4807fdb321df0da9, 0x204f2a20fb072df5 },
+        { 0x51f0fd3168f1ed67, 0x2c811dcdd86f3bc2, 0x44dc5c4304d2f2de, 0x5be8cc57092a7149 },
+        { -0x37ebc4c2cf144f87, 0x7589155abd652e30, 0x653c3c318f6d5c31, 0x2570fb17c279161f }
+    },
+    {
+        { 0x192ea9550bb8245a, -0x37190457706faf2f, 0x7986ea2d88a4c935, 0x241c5f91de018668 },
+        { 0x3efa367f2cb61575, -0x0a069089e329fd94, -0x1738ebd59a4ada9e, 0x3dcb65ea53030acd },
+        { 0x28d8172940de6caa, -0x7040d30fdd268cc6, 0x16d7fcdd235b01d1, 0x08420edd5fcdf0e5 }
+    },
+    {
+        { 0x0358c34e04f410ce, -0x49eca4a5d891f97b, 0x5d9670c7ebb91521, 0x04d654f321db889c },
+        { -0x3200df547c9d05b6, 0x57e118d4e21a3e6e, -0x1ce869e803c619d5, 0x0d9a53efbc1769fd },
+        { 0x5e7dc116ddbdb5d5, 0x2954deb68da5dd2d, 0x1cb608173334a292, 0x4a7a4f2618991ad7 }
+    },
+    {
+        { 0x24c3b291af372a4b, -0x6c257d8f8e7eb80e, -0x227b7a9b7976610e, 0x4a96314223e0ee33 },
+        { -0x0b58e7fda04ea06b, 0x3df65f346b5c1b8f, -0x32030f7aff1feeee, 0x11b50c4cddd31848 },
+        { -0x5917d8bbf75b002a, 0x738e177e9c1576d9, 0x773348b63d02b3f2, 0x4f4bce4dce6bcc51 }
+    },
+    {
+        { 0x30e2616ec49d0b6f, -0x1ba98e703513dce9, 0x48eb409bf26b4fa6, 0x3042cee561595f37 },
+        { -0x58e031a51ddbda7c, 0x26ea725692f58a9e, -0x2de5f628e315c30c, 0x73fcdd14b71c01e6 },
+        { 0x427e7079449bac41, -0x7aa51c92431dcef6, 0x4cae76215f841a7c, 0x389e740c9a9ce1d6 }
+    },
+    {
+        { -0x36428709a8f153d8, -0x1aa4f4cdd86e631f, 0x65fc3eaba19b91ed, 0x25c425e5d6263690 },
+        { 0x64fcb3ae34dcb9ce, -0x68affcdc1cb72f53, 0x45b3f07d62c6381b, 0x61545379465a6788 },
+        { 0x3f3e06a6f1d7de6e, 0x3ef976278e062308, -0x73eb09d9b1759389, 0x6539a08915484759 }
+    },
+    {
+        { -0x223b242beb44b5e7, 0x19b2bc3c98424f8e, 0x48a89fd736ca7169, 0x0f65320ef019bd90 },
+        { -0x162de08b3c2d088d, -0x3eafabbeda3b97bb, 0x624e5ce8f9b99e33, 0x11c5e4aac5cd186c },
+        { -0x2b792e4e35021f3a, 0x4f3fe6e3163b5181, 0x59a8af0dfaf2939a, 0x4cabc7bdec33072a }
+    },
+},
+{
+    {
+        { -0x083f5e63e5ab5fbc, 0x4a1c5e2477bd9fbb, -0x591c35eea50dd68e, 0x1819bb953f2e9e0d },
+        { 0x16faa8fb532f7428, -0x242bd15fb95b1d8e, 0x5337653b8b9ea480, 0x4065947223973f03 },
+        { 0x498fbb795e042e84, 0x7d0dd89a7698b714, -0x7404f45bd8019d6b, 0x36ba82e721200524 }
+    },
+    {
+        { -0x372962f5a8d8b12b, 0x45ba803260804b17, -0x20c325efddaa2054, 0x77d221232709b339 },
+        { -0x29f13448bdba13bf, -0x02641761cbcb78ea, -0x36dbf5011bdd7b22, 0x4472f648d0531db4 },
+        { 0x498a6d7064ad94d8, -0x5a4a37026509dd9d, -0x735712faba3ebe0c, 0x2c63bec3662d358c }
+    },
+    {
+        { -0x65ae74c57a790741, -0x6118e509344e6910, -0x55f9da195dc7a30e, 0x1deb2176ddd7c8d1 },
+        { 0x7fe60d8bea787955, -0x4623ee814a0bfe49, -0x6e383f65e6caa332, 0x22692ef59442bedf },
+        { -0x7a9c2e65df993094, 0x401bfd8c4dcc7cd7, -0x2689594132f2709e, 0x67cfd773a278b05e }
+    },
+    {
+        { 0x2d5fa9855a4e586a, 0x65f8f7a449beab7e, -0x55f8b2220de2cc2d, 0x185cba721bcb9dee },
+        { -0x7213ce0510c11b8b, -0x6624007561dd026e, 0x512d11594e26cab1, 0x0cde561eec4310b9 },
+        { -0x6c79625c0b1c34bf, -0x40fc6d0abf086882, 0x026204fcd0463b83, 0x3ec91a769eec6eed }
+    },
+    {
+        { 0x0fad2fb7b0a3402f, 0x46615ecbfb69f4a8, -0x08ba43373a07155a, 0x7a5fa8794a94e896 },
+        { 0x1e9df75bf78166ad, 0x4dfda838eb0cd7af, -0x45ffd1273e150678, 0x13fedb3e11f33cfc },
+        { 0x52958faa13cd67a1, -0x69a11f7e74244ae9, 0x16e58daa2e8845b3, 0x357d397d5499da8f }
+    },
+    {
+        { 0x481dacb4194bfbf8, 0x4d77e3f1bae58299, 0x1ef4612e7d1372a0, 0x3a8d867e70ff69e1 },
+        { 0x1ebfa05fb0bace6c, -0x36cb9df3e35065e2, -0x3388e33be27d49e6, 0x2d94a16aa5f74fec },
+        { 0x6f58cd5d55aff958, -0x45c155a38aa988df, 0x75c123999165227d, 0x69be1343c2f2b35e }
+    },
+    {
+        { -0x7d44425397b4721d, -0x5d0b382fc035f8e8, 0x337f92fbe096aaa8, 0x200d4d8c63587376 },
+        { 0x0e091d5ee197c92a, 0x4f51019f2945119f, 0x143679b9f034e99c, 0x7d88112e4d24c696 },
+        { 0x208aed4b4893b32b, 0x3efbf23ebe59b964, -0x289d214f245a1af9, 0x69607bd681bd9d94 }
+    },
+    {
+        { 0x3b7f3bd49323a902, 0x7c21b5566b2c6e53, -0x1a45700ac587ad59, 0x28bc77a5838ece00 },
+        { -0x0941fdef9721e31f, -0x172ae718f12343e1, -0x1c10022fe4aafa5b, 0x35f63353d3ec3fd0 },
+        { 0x63ba78a8e25d8036, 0x63651e0094333490, 0x48d82f20288ce532, 0x3a31abfa36b57524 }
+    },
+},
+{
+    {
+        { -0x3f708770c0872d77, -0x01cf58d35ebfb261, -0x0d887403309a3363, 0x7ee498165acb2021 },
+        { 0x239e9624089c0a2e, -0x38b73b3fc501b8c8, 0x17dbed2a764fa12a, 0x639b93f0321c8582 },
+        { 0x7bd508e39111a1c3, 0x2b2b90d480907489, -0x182d513d518d02e7, 0x0edf493c85b602a6 }
+    },
+    {
+        { 0x6767c4d284764113, -0x5f6fbfc0080a07cb, 0x1c8fcffacae6bede, 0x04c00c54d1dfa369 },
+        { -0x51337ea7a664a598, -0x15a8b0f014521df2, 0x4fe41d7422b67f07, 0x403b92e3019d4fb4 },
+        { 0x4dc22f818b465cf8, 0x71a0f35a1480eff8, -0x51174052fb3829a9, 0x355bb12ab26176f4 }
+    },
+    {
+        { -0x5cfe2538a5738ce8, -0x126ffc624c3155ef, 0x6f077cbf3bae3f2d, 0x7518eaf8e052ad8e },
+        { -0x58e19b338b6c440c, -0x1a427b26135c4f3d, 0x0a6bc50cfa05e785, 0x0f9b8132182ec312 },
+        { -0x5b77a63be48093ce, 0x0f2d60bcf4383298, 0x1815a929c9b1d1d9, 0x47c3871bbb1755c4 }
+    },
+    {
+        { -0x0419a2af37af9950, 0x62ecc4b0b3a299b0, -0x1ac8ab15bbe51720, 0x08fea02ce8d48d5f },
+        { 0x5144539771ec4f48, -0x07fa4e823673a292, -0x089d3ee5b83c3995, 0x00b89b85764699dc },
+        { -0x7db2228997211530, -0x379bbadfb497a2dd, -0x4aeb3032a276299b, 0x473829a74f75d537 }
+    },
+    {
+        { 0x23d9533aad3902c9, 0x64c2ddceef03588f, 0x15257390cfe12fb4, 0x6c668b4d44e4d390 },
+        { -0x7d2d258ab9863be8, -0x19c428274d9e7210, 0x355eef24ac47eb0a, 0x2078684c4833c6b4 },
+        { 0x3b48cf217a78820c, -0x0895f54d7ed8c169, -0x56939a5873711285, 0x7411a6054f8a433f }
+    },
+    {
+        { 0x579ae53d18b175b4, 0x68713159f392a102, -0x7baa1345e110ca0b, 0x1ec9a872458c398f },
+        { 0x4d659d32b99dc86d, 0x044cdc75603af115, -0x4cb38ed3233d1b78, 0x7c136574fb8134ff },
+        { -0x47195b2bff5daf65, -0x647e28fdf4377d4c, 0x57e7cc9bf1957561, 0x3add88a5c7cd6460 }
+    },
+    {
+        { -0x7a3d672ba6c6cfba, -0x7081ca67a009a614, 0x1d2ca22af2f66e3a, 0x61ba1131a406a720 },
+        { -0x5476a88f49ca230e, 0x02dfef6cf66c1fbc, -0x7aacfd9741492e79, 0x249929fccc879e74 },
+        { -0x5c2f5f0ee96a6fd7, 0x023b6b6cba7ebd89, 0x7bf15a3e26783307, 0x5620310cbbd8ece7 }
+    },
+    {
+        { 0x6646b5f477e285d6, 0x40e8ff676c8f6193, -0x59138cee544a6b23, 0x7ec846f3658cec4d },
+        { 0x528993434934d643, -0x462407f95aeddd0b, -0x709278703c0be3de, 0x37676a2a4d9d9730 },
+        { -0x64a170c0e25dd139, 0x130f1d776c01cd13, 0x214c8fcfa2989fb8, 0x6daaf723399b9dd5 }
+    },
+},
+{
+    {
+        { -0x7e514422d32ecf90, -0x69d1bcda07a5f162, -0x216c6e5535200135, 0x53177fda52c230e6 },
+        { 0x591e4a5610628564, 0x2a4bb87ca8b4df34, -0x21d5da8d185c71bd, 0x3cbdabd9fee5046e },
+        { -0x584368f9af462187, 0x3d12a7fbc301b59b, 0x02652e68d36ae38c, 0x79d739835a6199dc }
+    },
+    {
+        { 0x21c9d9920d591737, -0x6415be2d164b932a, -0x1df17bdff2764036, 0x79d99f946eae5ff8 },
+        { -0x26cab209bece3e43, 0x758094a186ec5822, 0x4464ee12e459f3c2, 0x6c11fce4cb133282 },
+        { -0x0e84b7ca9798cdfb, 0x387deae83caad96c, 0x61b471fd56ffe386, 0x31741195b745a599 }
+    },
+    {
+        { 0x17f8ba683b02a047, 0x50212096feefb6c8, 0x70139be21556cbe2, 0x203e44a11d98915b },
+        { -0x172efe6f4885c9f5, -0x66467cdf666a18fe, -0x42b0200705fdb856, 0x2772e344e0d36a87 },
+        { -0x2979c145c8461c61, 0x105bc169723b5a23, 0x104f6459a65c0762, 0x567951295b4d38d4 }
+    },
+    {
+        { 0x07242eb30d4b497f, 0x1ef96306b9bccc87, 0x37950934d8116f45, 0x05468d6201405b04 },
+        { 0x535fd60613037524, -0x1def52094f043d96, -0x5372f564dc166f52, 0x47204d08d72fdbf9 },
+        { 0x00f565a9f93267de, -0x313028723f2a7176, -0x5dea1d230ce71d72, 0x4599ee919b633352 }
+    },
+    {
+        { -0x538b929479e51a87, 0x31ab0650f6aea9dc, 0x241d661140256d4c, 0x2f485e853d21a5de },
+        { -0x2c3ddf358f1f1895, -0x4ed415a71560cf6c, 0x294ddec8c3271282, 0x0c3539e1a1d1d028 },
+        { 0x329744839c0833f3, 0x6fe6257fd2abc484, 0x5327d1814b358817, 0x65712585893fe9bc }
+    },
+    {
+        { -0x7e3d60e428f711c1, -0x2234a5fa519bf830, -0x68513e282d5c1459, 0x1590521a91d50831 },
+        { -0x63efd048cd59ee9f, -0x1b71ef22cb2adf58, 0x365c63546f9a9176, 0x32f6fe4c046f6006 },
+        { 0x40a3a11ec7910acc, -0x6fec20070e92d852, 0x1a9720d8abb195d4, 0x1bb9fe452ea98463 }
+    },
+    {
+        { -0x30a1936a33c98b84, 0x294201536b0bc30d, 0x453ac67cee797af0, 0x5eae6ab32a8bb3c9 },
+        { -0x162e26af4c2ab062, 0x2d5f9cbee00d33c1, 0x51c2c656a04fc6ac, 0x65c091ee3c1cbcc9 },
+        { 0x7083661114f118ea, 0x2b37b87b94349cad, 0x7273f51cb4e99f40, 0x78a2a95823d75698 }
+    },
+    {
+        { -0x4b0dc3bda107cdf9, -0x54076b2c3656cb4b, -0x2f8f73ecc6027809, 0x1876789117166130 },
+        { -0x5d4f8d16a373d532, 0x69cffc96651e9c4b, 0x44328ef842e7b42b, 0x5dd996c122aadeb3 },
+        { -0x6da4a10f98f3af84, -0x7e6437bd46c3cc41, 0x10792e9a70dd003f, 0x59ad4b7a6e28dc74 }
+    },
+},
+{
+    {
+        { 0x583b04bfacad8ea2, 0x29b743e8148be884, 0x2b1e583b0810c5db, 0x2b5449e58eb3bbaa },
+        { 0x5f3a7562eb3dbe47, -0x0815c7ab71425f48, 0x00c3e53145747299, 0x1304e9e71627d551 },
+        { 0x789814d26adc9cfe, 0x3c1bab3f8b48dd0b, -0x25f01e00068639f6, 0x4468de2d7c2dd693 }
+    },
+    {
+        { 0x4b9ad8c6f86307ce, 0x21113531435d0c28, -0x2b57993a9a8588d4, 0x5da6427e63247352 },
+        { 0x51bb355e9419469e, 0x33e6dc4c23ddc754, -0x6c5a4929bb80669e, 0x6cce7c6ffb44bd63 },
+        { 0x1a94c688deac22ca, -0x46f991084451e008, -0x775273c772a6a7f1, 0x58f29abfe79f2ca8 }
+    },
+    {
+        { 0x4b5a64bf710ecdf6, -0x4eb31ac7b9d3d6c4, 0x3643d056d50b3ab9, 0x6af93724185b4870 },
+        { -0x16f130547218c198, 0x54036f9f377e76a5, -0x0fb6a4f441fea67e, 0x577629c4a7f41e36 },
+        { 0x3220024509c6a888, -0x2d1fc9ecb4aa768d, -0x7c1dc9dcc3ccd761, 0x701f25bb0caec18f }
+    },
+    {
+        { -0x62e7092683413eed, -0x7bb5f9198b40241c, 0x20f5b522ac4e60d6, 0x720a5bc050955e51 },
+        { -0x3c574f071b9e9313, -0x08ff99f161da5783, 0x61e3061ff4bca59c, 0x2e0c92bfbdc40be9 },
+        { 0x0c3f09439b805a35, -0x17b174c89dbd5404, 0x691417f35c229346, 0x0e9b9cbb144ef0ec }
+    },
+    {
+        { -0x7211642aa24e4112, -0x363c54c8f58dc047, 0x44a8f1bf1c68d791, 0x366d44191cfd3cde },
+        { -0x04452b7004a8df53, -0x117e6e942406f2f2, -0x2b7ecead9caabc41, 0x221104eb3f337bd8 },
+        { -0x61c3e8bc0d4373ec, 0x2eda26fcb5856c3b, -0x3347d0f197580469, 0x4167a4e6bc593244 }
+    },
+    {
+        { -0x3d41d99a07317012, -0x169800eb177f29d4, -0x0ed19181d0c9b112, 0x34b33370cb7ed2f6 },
+        { 0x643b9d2876f62700, 0x5d1d9d400e7668eb, 0x1b4b430321fc0684, 0x7938bb7e2255246a },
+        { -0x323a6e11797e2934, -0x31fdef63127a58ad, -0x128b7a3ea77f777d, 0x1176fc6e2dfe65e4 }
+    },
+    {
+        { -0x246f1d76b688f148, -0x670433d5530bbf5d, 0x21354ffeded7879b, 0x1f6a3e54f26906b6 },
+        { -0x4b50932fa4639e65, 0x2ddfc9f4b2a58480, 0x3d4fa502ebe94dc4, 0x08fc3a4c677d5f34 },
+        { 0x60a4c199d30734ea, 0x40c085b631165cd6, -0x1dccc1dc08a67d6b, 0x4f2fad0116b900d1 }
+    },
+    {
+        { -0x69d326e248c449c8, -0x19fa885503ed63f8, 0x6f619b39f3b61689, 0x3451995f2944ee81 },
+        { 0x44beb24194ae4e54, 0x5f541c511857ef6c, -0x59e194d2c972fb68, 0x445484a4972ef7ab },
+        { -0x6ead032f60158284, 0x4a816c94b0935cf6, 0x258e9aaa47285c40, 0x10b89ca6042893b7 }
+    },
+},
+{
+    {
+        { -0x29832129862cb560, -0x33f4613f33b24c61, -0x5aca5ba91ca2e6f1, 0x2e05d9eaf61f6fef },
+        { -0x64d5bd91c49b9fdb, 0x32127190385ce4cf, -0x5da3003d229215bb, 0x06409010bea8de75 },
+        { -0x3bb86fe529e414a7, 0x661f19bce5dc880a, 0x24685482b7ca6827, 0x293c778cefe07f26 }
+    },
+    {
+        { 0x16c795d6a11ff200, -0x348f2f1d4ea7ea37, -0x760d6cdf64ac6a4b, 0x50b8c2d031e47b4f },
+        { -0x797f618ff8f96f6a, -0x5528a4ea1b1afe77, 0x07f35715a21a0147, 0x0487f3f112815d5e },
+        { 0x48350c08068a4962, 0x6ffdd05351092c9a, 0x17af4f4aaf6fc8dd, 0x4b0553b53cdba58b }
+    },
+    {
+        { -0x40fadee4d83ead2c, 0x5ec26849bd1af639, 0x5e0b2caa8e6fab98, 0x054c8bdd50bd0840 },
+        { -0x639a0341e4cd0087, -0x148a1560fc4af065, -0x0312d59393f819fa, 0x35106cd551717908 },
+        { 0x38a0b12f1dcf073d, 0x4b60a8a3b7f6a276, -0x012a53da2cbfb066, 0x72e82d5e5505c229 }
+    },
+    {
+        { 0x00d9cdfd69771d02, 0x410276cd6cfbf17e, 0x4c45306c1cb12ec7, 0x2857bf1627500861 },
+        { 0x6b0b697ff0d844c8, -0x44ed07a3268634b7, -0x2d5abe393e25f0e1, 0x7b7c242958ce7211 },
+        { -0x60de6fc0fefe9762, -0x2886202c4079effb, -0x5edd11a0c214f0e5, 0x510df84b485a00d4 }
+    },
+    {
+        { 0x24b3c887c70ac15e, -0x4f0c5aa8047e48ce, -0x64d321d01a8733e5, 0x4cf7ed0703b54f8e },
+        { -0x5abecc446d885e06, 0x74ec3b6263991237, 0x1a3c54dc35d2f15a, 0x2d347144e482ba3a },
+        { 0x6bd47c6598fbee0f, -0x61b8cc1d54aa41d3, 0x1093f624127610c5, 0x4e05e26ad0a1eaa4 }
+    },
+    {
+        { 0x1833c773e18fe6c0, -0x1c3b8ee52c378d9b, 0x3bfd3c4f0116b283, 0x1955875eb4cd4db8 },
+        { -0x2564949db4ace0e0, 0x429a760e77509abb, -0x24160add17dc3480, 0x618f1856880c8f82 },
+        { 0x6da6de8f0e399799, 0x7ad61aa440fda178, -0x4cd327efa1ca9c23, 0x15f6beae2ae340ae }
+    },
+    {
+        { -0x4565f0846dba1deb, -0x0c979ed22673f245, 0x2e84e4cbf220b020, 0x6ba92fe962d90eda },
+        { -0x79d434f3ce13c59e, -0x7ef1d4baeec70c3e, 0x788ec4b839dac2a4, 0x28f76867ae2a9281 },
+        { 0x3e4df9655884e2aa, -0x429d0424242b9a5b, -0x28a69355f2161adc, 0x6e8042ccb2b1b3d7 }
+    },
+    {
+        { 0x1530653616521f7e, 0x660d06b896203dba, 0x2d3989bc545f0879, 0x4b5303af78ebd7b0 },
+        { -0x0ef2c3d631d73592, -0x452cbabf0349f6c3, -0x18bd91285d15d2c1, 0x08af9d4e4ff298b9 },
+        { 0x72f8a6c3bebcbde8, 0x4f0fca4adc3a8e89, 0x6fa9d4e8c7bfdf7a, 0x0dcf2d679b624eb7 }
+    },
+},
+{
+    {
+        { 0x753941be5a45f06e, -0x2f8351129263a09b, 0x11776b9c72ff51b6, 0x17d2d1d9ef0d4da9 },
+        { 0x3d5947499718289c, 0x12ebf8c524533f26, 0x0262bfcb14c3ef15, 0x20b878d577b7518e },
+        { 0x27f2af18073f3e6a, -0x02c01ae628adef97, 0x22e3b72c3ca60022, 0x72214f63cc65c6a7 }
+    },
+    {
+        { 0x1d9db7b9f43b29c9, -0x29fa7db5b0ae708b, -0x0d3f8d42ced0623c, 0x1f24ac855a1545b0 },
+        { -0x4b1c80bfacf8596d, -0x5458eb28d0cc986b, -0x29042f588c89ef67, 0x5fdf48c58171cbc9 },
+        { 0x24d608328e9505aa, 0x4748c1d10c1420ee, -0x38001ba3f904da5e, 0x00ba739e2ae395e6 }
+    },
+    {
+        { -0x51bbd90a157744da, 0x360679d984973bfb, 0x5c9f030c26694e50, 0x72297de7d518d226 },
+        { 0x592e98de5c8790d6, -0x1a40482cba3d5d21, 0x115a3b60f9b49922, 0x03283a3e67ad78f3 },
+        { 0x48241dc7be0cb939, 0x32f19b4d8b633080, -0x2c2036f2fdd76cf8, 0x05e1296846271945 }
+    },
+    {
+        { -0x52404437dbd3bab0, -0x4337f3132fcf7e27, -0x7bca99590a37206e, 0x78cf25d38258ce4c },
+        { -0x457d114cd263b6a6, -0x311037030ed44684, -0x4fd254516c4a2e20, 0x39c00c9c13698d9b },
+        { 0x15ae6b8e31489d68, -0x557ae35463d40f79, -0x3658a5680fb105fb, 0x006b52076b3ff832 }
+    },
+    {
+        { -0x0a3481e94631f7d3, 0x3407f14c417abc29, -0x2b4c9431d40b5855, 0x7de2e9561a9f75ce },
+        { 0x29e0cfe19d95781c, -0x497e20e7699cef1e, 0x57df39d370516b39, 0x4d57e3443bc76122 },
+        { -0x218f2b0b495aa135, 0x4801527f5d85db99, -0x24363bbf2c11657f, 0x6b2a90af1a6029ed }
+    },
+    {
+        { 0x77ebf3245bb2d80a, -0x27cfe4b8d046f865, -0x39b8190db3118ccd, 0x465812c8276c2109 },
+        { 0x6923f4fc9ae61e97, 0x5735281de03f5fd1, -0x589b51bc19122ed3, 0x5fd8f4e9d12d3e4a },
+        { 0x4d43beb22a1062d9, 0x7065fb753831dc16, 0x180d4a7bde2968d7, 0x05b32c2b1cb16790 }
+    },
+    {
+        { -0x08035bd3852a7e6b, 0x3214286e4333f3cc, -0x493d62f2cbf46863, 0x31771a48567307e1 },
+        { -0x373fa1332db25703, -0x5e30e553fa20107d, -0x2441100d8206329f, 0x3b5556a37b471e99 },
+        { 0x32b0c524e14dd482, -0x124caeabe5d45b4a, -0x5c2e9fb7d7d4a50d, 0x4fc079d27a7336eb }
+    },
+    {
+        { -0x23cb74bbf3793af3, 0x1337cbc9cc94e651, 0x6422f74d643e3cb9, 0x241170c2bae3cd08 },
+        { 0x51c938b089bf2f7f, 0x2497bd6502dfe9a7, -0x00003f63877f1bad, 0x124567cecaf98e92 },
+        { 0x3ff9ab860ac473b4, -0x0f6ee211feec1bcb, 0x4ae75060ebc6c4af, 0x3f8612966c87000d }
+    },
+},
+{
+    {
+        { 0x529fdffe638c7bf3, -0x20d4619fc774b66b, -0x1fd84cb0e452fdb7, 0x7bc92fc9b9fa74ed },
+        { 0x0c9c5303f7957be4, -0x5c3ce5df1f7a3ebb, -0x4f8de28e2f7affb0, 0x0aba390eab0bf2da },
+        { -0x606810d17fe52607, -0x7c9682ab865025c6, -0x16f94c0042a694b0, 0x02672b37dd3fb8e0 }
+    },
+    {
+        { -0x116458d6c673580b, -0x146359da85b7b625, 0x29eb29ce7ec544e1, 0x232ca21ef736e2c8 },
+        { 0x48b2ca8b260885e4, -0x5bd794137d4cb3e4, -0x6c81e5d9e80a708c, 0x741d1fcbab2ca2a5 },
+        { -0x409ebdc2dac034e9, 0x08803ceafa39eb14, -0x0e79fd2067ae3851, 0x0400f3a049e3414b }
+    },
+    {
+        { 0x2efba412a06e7b06, 0x146785452c8d2560, -0x2068ec1429856e39, 0x32830ac7157eadf3 },
+        { -0x5431fb89459e3aa5, 0x36a3d6d7c4d39716, 0x6eb259d5e8d82d09, 0x0c9176e984d756fb },
+        { 0x0e782a7ab73769e8, 0x04a05d7875b18e2c, 0x29525226ebcceae1, 0x0d794f8383eba820 }
+    },
+    {
+        { 0x7be44ce7a7a2e1ac, 0x411fd93efad1b8b7, 0x1734a1d70d5f7c9b, 0x0d6592233127db16 },
+        { -0x00ca0a3461eae90c, -0x117fa4309b7551bb, -0x0f28c3d446c5610d, 0x097b0bf22092a6c2 },
+        { -0x3b7454eade5628cd, -0x593d151529e544db, 0x625c6c1cc6cb4305, 0x7fc90fea93eb3a67 }
+    },
+    {
+        { -0x3ad8214a63834dc3, -0x6aac6e96acd7bfb2, -0x29bc6d7e8330d386, 0x6ce97dabf7d8fa11 },
+        { 0x0408f1fe1f5c5926, 0x1a8f2f5e3b258bf4, 0x40a951a2fdc71669, 0x6598ee93c98b577e },
+        { 0x25b5a8e50ef7c48f, -0x149fcbee90d31ace, -0x3a18ae8c1ac21ac9, 0x73119fa08c12bb03 }
+    },
+    {
+        { 0x7845b94d21f4774d, -0x409d0e93876848d9, 0x671857c03c56522b, 0x3cd6a85295621212 },
+        { -0x12cfed6bac0e5b35, -0x4319de36370ac879, -0x0534d4ecc7411847, 0x3025798a9ea8428c },
+        { 0x3fecde923aeca999, -0x4255a4ff9d173ed1, 0x67b99dfc96988ade, 0x3f52c02852661036 }
+    },
+    {
+        { -0x6da74066113be93a, -0x5375afe8562d098f, 0x629549ab16dea4ab, 0x05d0e85c99091569 },
+        { -0x00155b71d5ecae3a, 0x28624754fa7f53d7, 0x0b5ba9e57582ddf1, 0x60c0104ba696ac59 },
+        { 0x051de020de9cbe97, -0x05f803a94af4308c, 0x378cec9f0f11df65, 0x36853c69ab96de4d }
+    },
+    {
+        { 0x4433c0b0fac5e7be, 0x724bae854c08dcbe, -0x0e0db33bb9687065, 0x4a0aff6d62825fc8 },
+        { 0x36d9b8de78f39b2d, 0x7f42ed71a847b9ec, 0x241cd1d679bd3fde, 0x6a704fec92fbce6b },
+        { -0x16e804619ef6acff, -0x3efd206bfd5f6d08, -0x40f61d0a0599e6f5, 0x681109bee0dcfe37 }
+    },
+},
+{
+    {
+        { -0x63e70305c9fb72ed, 0x29159db373899ddd, -0x2360caf4606d2f56, 0x26f57eee878a19d4 },
+        { 0x559a0cc9782a0dde, 0x551dcdb2ea718385, 0x7f62865b31ef238c, 0x504aa7767973613d },
+        { 0x0cab2cd55687efb1, 0x5180d162247af17b, -0x7a3ea5cbb0a5db99, 0x4041943d9dba3069 }
+    },
+    {
+        { 0x4b217743a26caadd, 0x47a6b424648ab7ce, -0x34e2b085fc04361d, 0x12d931429800d019 },
+        { -0x3c3f1145bc14336a, -0x728b6363d9156351, -0x26056a11e388333a, 0x1420a1d97684340f },
+        { 0x00c67799d337594f, 0x5e3c5140b23aa47b, 0x44182854e35ff395, 0x1b4f92314359a012 }
+    },
+    {
+        { 0x33cf3030a49866b1, 0x251f73d2215f4859, -0x547d55bfae210b0a, 0x5ff191d56f9a23f6 },
+        { 0x3e5c109d89150951, 0x39cefa912de9696a, 0x20eae43f975f3020, 0x239b572a7f132dae },
+        { -0x7e612bcc53d26f98, 0x2883ab795fc98523, -0x10ba8d7faa6c14c3, 0x020c526a758f36cb }
+    },
+    {
+        { -0x16ce10a60fbd3377, 0x2c589c9d8e124bb6, -0x52371e755138a669, 0x452cfe0a5602c50c },
+        { 0x779834f89ed8dbbc, -0x370d550623835b94, -0x56adb3235c1e4f8c, 0x02aacc4615313877 },
+        { -0x795f085f9b878821, -0x443b9bd8f19f8361, -0x54e815da0e04ee37, 0x4cfb7d7b304b877b }
+    },
+    {
+        { -0x1d79663d687610ee, 0x2b6ecd71df57190d, -0x3cbc37a813368f30, 0x5b1d4cbc434d3ac5 },
+        { 0x72b43d6cb89b75fe, 0x54c694d99c6adc80, -0x473c55c8c11cb361, 0x14b4622b39075364 },
+        { -0x4904d9ea33f560da, 0x3a4f0e2bb88dcce5, 0x1301498b3369a705, 0x2f98f71258592dd1 }
+    },
+    {
+        { 0x2e12ae444f54a701, -0x0301c10f56342822, -0x314076f28a7ca220, 0x1d8062e9e7614554 },
+        { 0x0c94a74cb50f9e56, 0x5b1ff4a98e8e1320, -0x65d533de7dcff099, 0x3a6ae249d806aaf9 },
+        { 0x657ada85a9907c5a, 0x1a0ea8b591b90f62, -0x72f1e20420cb4b17, 0x298b8ce8aef25ff3 }
+    },
+    {
+        { -0x7c858d15f5de9a22, 0x3fab07b40bcf79f6, 0x521636c77738ae70, 0x6ba6271803a7d7dc },
+        { 0x2a927953eff70cb2, 0x4b89c92a79157076, -0x6be7ba85cf583096, 0x34b8a8404d5ce485 },
+        { -0x3d91134a7c96cccb, -0x2a57ec209c4a0103, -0x5d6c55655b4dda8d, 0x71d62bdd465e1c6a }
+    },
+    {
+        { -0x32d24a254e08a10b, -0x28806a30e94f9a0b, 0x14571fea3f49f085, 0x1c333621262b2b3d },
+        { 0x6533cc28d378df80, -0x0924bc86f5f05b4c, -0x1c9ba00608fe25a6, 0x74d5f317f3172ba4 },
+        { -0x57901aab9826357f, 0x398b7c752b298c37, -0x2592f76d1c539dc5, 0x4aebcc4547e9d98c }
+    },
+},
+{
+    {
+        { 0x0de9b204a059a445, -0x1ea34b55b4e852f1, -0x1e4413ade0863aa9, 0x2633f1b9d071081b },
+        { 0x53175a7205d21a77, -0x4f3fbbdd2c46cb2c, -0x52260db422a21524, 0x074f46e69f10ff8c },
+        { -0x3e04be88fe7466f0, -0x5915df2393f01ec0, -0x299e0c18bcab3901, 0x5ecb72e6f1a3407a }
+    },
+    {
+        { -0x01151ef917179669, -0x679ccc80672f6c7d, -0x6b8fb7f155f91411, 0x038b6898d4c5c2d0 },
+        { -0x5aea5ce4dda604b2, 0x0960f3972bcac52f, -0x124ad01372cbab35, 0x382e2720c476c019 },
+        { -0x0c6e3ae27531af5a, 0x3142d0b9ae2d2948, -0x24b2a5e580db3580, 0x21aeba8b59250ea8 }
+    },
+    {
+        { 0x53853600f0087f23, 0x4c461879da7d5784, 0x6af303deb41f6860, 0x0a3c16c5c27c18ed },
+        { 0x24f13b34cf405530, 0x3c44ea4a43088af7, 0x5dd5c5170006a482, 0x118eb8f8890b086d },
+        { 0x17e49c17cc947f3d, -0x33391259553e2d85, -0x209f6d314f0f71aa, 0x4909b3e22c67c36b }
+    },
+    {
+        { 0x59a16676706ff64e, 0x10b953dd0d86a53d, 0x5848e1e6ce5c0b96, 0x2d8b78e712780c68 },
+        { -0x63637a159c01d177, -0x41e4506ef16bed14, -0x7084557579040185, 0x0fb17f9fef968b6c },
+        { 0x79d5c62eafc3902b, 0x773a215289e80728, -0x3c7519bf1efedf47, 0x09ae23717b2b1a6d }
+    },
+    {
+        { 0x10ab8fa1ad32b1d0, -0x165312e41d8874dc, -0x577a943fc8c216f1, 0x66f35ddddda53996 },
+        { -0x4495e6d5b1b2f7c4, 0x34ace0630029e192, -0x67dba5a655054515, 0x6d9c8a9ada97faac },
+        { -0x2d826504db668cdd, 0x1bb7e07ef6f01d2e, 0x2ba7472df52ecc7f, 0x03019b4f646f9dc8 }
+    },
+    {
+        { -0x50f64deb194c2395, 0x3f7573b5ad7d2f65, -0x2fe62677eff5dc50, 0x392b63a58b5c35f7 },
+        { 0x04a186b5565345cd, -0x111899ef433bee96, 0x689c73b478fb2a45, 0x387dcbff65697512 },
+        { 0x4093addc9c07c205, -0x3a9a41ea0acd3c82, 0x63dbecfd1583402a, 0x61722b4aef2e032e }
+    },
+    {
+        { -0x294f85aa7e34f1c4, 0x290ff006d9444969, 0x08680b6a16dcda1f, 0x5568d2b75a06de59 },
+        { 0x0012aafeecbd47af, 0x55a266fb1cd46309, -0x0dfc1497f69838d4, 0x39633944ca3c1429 },
+        { -0x72f34773e4c8301f, 0x05b6a5a3053818f3, -0x0d1643fb487826a7, 0x6beba1249add7f64 }
+    },
+    {
+        { 0x5c3cecb943f5a53b, -0x633659e2f93f720e, -0x30459c657a76abb9, 0x5a845ae80df09fd5 },
+        { 0x1d06005ca5b1b143, 0x6d4c6bb87fd1cda2, 0x6ef5967653fcffe7, 0x097c29e8c1ce1ea5 },
+        { 0x4ce97dbe5deb94ca, 0x38d0a4388c709c48, -0x3bc1312b5e962f69, 0x0a1249fff7e587c3 }
+    },
+},
+{
+    {
+        { 0x0b408d9e7354b610, -0x7f94cdaca457a492, -0x2419c5fcb5a75df9, 0x173bd9ddc9a1df2c },
+        { 0x12f0071b276d01c9, -0x1847453a793b7390, 0x5308129b71d6fba9, 0x5d88fbf95a3db792 },
+        { 0x2b500f1efe5872df, 0x58d6582ed43918c1, -0x1912d8713698c520, 0x06e1cd13b19ea319 }
+    },
+    {
+        { 0x472baf629e5b0353, 0x3baa0b90278d0447, 0x0c785f469643bf27, 0x7f3a6a1a8d837b13 },
+        { 0x40d0ad516f166f23, 0x118e32931fab6abe, 0x3fe35e14a04d088e, 0x3080603526e16266 },
+        { -0x0819bbc6a2c27ff5, -0x6a572aaa36fe120a, 0x68cd7830592c6339, 0x30d0fded2e51307e }
+    },
+    {
+        { -0x634b68e19747b8b0, -0x5f6a8dd6999b4431, 0x5c8de72672fa412b, 0x4615084351c589d9 },
+        { -0x1fa6b2e50dedcc4d, 0x1bdbe78ef0cc4d9c, 0x6965187f8f499a77, 0x0a9214202c099868 },
+        { -0x436fe63f51465fd2, 0x55c7110d16034cae, 0x0e6df501659932ec, 0x3bca0d2895ca5dfe }
+    },
+    {
+        { -0x639771496133fe41, -0x0f437c5259bb7691, -0x35d26aa0a085601e, 0x4ea8b4038df28241 },
+        { 0x40f031bc3c5d62a4, 0x19fc8b3ecff07a60, -0x67e7c25decf04abb, 0x5631deddae8f13cd },
+        { 0x2aed460af1cad202, 0x46305305a48cee83, -0x6ede88bab60ee5a1, 0x24ce0930542ca463 }
+    },
+    {
+        { 0x3fcfa155fdf30b85, -0x2d08e971c9c8d15c, -0x4d1f9b219b6d07bc, 0x549928a7324f4280 },
+        { 0x1fe890f5fd06c106, -0x4a3b97caa277ef0e, -0x7d87f701917350c2, 0x41d4e3c28a06d74b },
+        { -0x0d91cd589c11e5d2, -0x516e1b482da00216, -0x43c42cc42e80b297, 0x491b66dec0dcff6a }
+    },
+    {
+        { 0x75f04a8ed0da64a1, -0x12ddd350981dd7b5, -0x7dcb5c86e084845c, 0x4cf6b8b0b7018b67 },
+        { -0x670a4ec23815cd59, -0x1c2a073381e92468, -0x53f540ad340726b9, 0x08f338d0c85ee4ac },
+        { -0x3c7c57de66e58c43, -0x54d843fe20cdf386, -0x3ec2cce47b888f9d, 0x530d4a82eb078a99 }
+    },
+    {
+        { 0x6d6973456c9abf9e, 0x257fb2fc4900a880, 0x2bacf412c8cfb850, 0x0db3e7e00cbfbd5b },
+        { 0x004c3630e1f94825, 0x7e2d78268cab535a, -0x38b7dcdc337b0075, 0x65ea753f101770b9 },
+        { 0x3d66fc3ee2096363, -0x7e29d3809e4a3495, 0x0fbe044213443b1a, 0x02a4ec1921e1a1db }
+    },
+    {
+        { -0x0a379e9d0e3086a1, 0x118c861926ee57f2, 0x172124851c063578, 0x36d12b5dec067fcf },
+        { 0x5ce6259a3b24b8a2, -0x47a88533ba505f48, -0x33341917745f8fc9, 0x3d143c51127809bf },
+        { 0x126d279179154557, -0x2a1b70a30387c5f6, 0x36bdb6e8df179bac, 0x2ef517885ba82859 }
+    },
+},
+{
+    {
+        { 0x1ea436837c6da1e9, -0x063e7650e0464242, 0x303001fcce5dd155, 0x28a7c99ebc57be52 },
+        { -0x7742bc732ee1f2b6, 0x30cb610d43ccf308, -0x1f65f1c86e6c8434, 0x4559135b25b1720c },
+        { -0x47026c66172e6163, -0x6f7e6e3469dbdc01, -0x4d46b728b838bd5d, 0x37f33226d7fb44c4 }
+    },
+    {
+        { 0x33912553c821b11d, 0x66ed42c241e301df, 0x066fcc11104222fd, 0x307a3b41c192168f },
+        { 0x0dae8767b55f6e08, 0x4a43b3b35b203a02, -0x1c8da5917f507387, 0x0f7a7fd1705fa7a3 },
+        { -0x7114a2f8914aa320, 0x2fc536bfaa0d925a, -0x417e7cf023493918, 0x556c7045827baf52 }
+    },
+    {
+        { -0x46b46ffdd40bbbfa, -0x542bdc81006f4acc, 0x7600a960faf86d3a, 0x2f45abdac2322ee3 },
+        { -0x71d4ae8cfd162749, -0x1c1add96db78eb18, -0x42b04288b3569f4b, 0x6f4b4199c5ecada9 },
+        { 0x61af4912c8ef8a6a, -0x1a705b01bc0491a2, -0x4a5033a2902bd831, 0x6a5393281e1e11eb }
+    },
+    {
+        { 0x0fff04fe149443cf, 0x53cac6d9865cddd7, 0x31385b03531ed1b7, 0x5846a27cacd1039d },
+        { -0x0c25aec65a2e1177, -0x7ebaba83006c9678, 0x3f622fed00e188c4, 0x0f513815db8b5a3d },
+        { 0x4ff5cdac1eb08717, 0x67e8b29590f2e9bc, 0x44093b5e237afa99, 0x0d414bed8708b8b2 }
+    },
+    {
+        { -0x7e77956dd6b53618, 0x23162b45d55547be, -0x6b3043bbfc8ea67d, 0x50eb8fdb134bc401 },
+        { -0x30497d9a02f18a0a, -0x1ba4c1d7446f18f9, 0x7242a8de9ff92c7a, 0x685b3201933202dd },
+        { -0x3f48c139294ccf33, -0x7b1bb7f8ecd0500f, 0x732b7352c4a5dee1, 0x5d7c7cf1aa7cd2d2 }
+    },
+    {
+        { 0x33d1013e9b73a562, -0x6da310a8b713d91f, -0x580319eb22b97fa8, 0x78b0fad41e9aa438 },
+        { -0x50c4b94085b5505e, -0x4878fa13b2bf2bef, 0x114f0c6aca7c15e3, 0x3f364faaa9489d4d },
+        { -0x40a95bce12fa4b78, -0x5acc199363b6a382, -0x179ad450780c9ae6, 0x0241800059d66c33 }
+    },
+    {
+        { 0x28350c7dcf38ea01, 0x7c6cdbc0b2917ab6, -0x531830417a8f7d09, 0x4d2845aba2d9a1e0 },
+        { -0x314f88015c85a41c, -0x249bd0fd1a5a1149, -0x3d192f3ab8ed8f48, 0x4771b65538e4529c },
+        { -0x44ac801fbb8f8f22, -0x3458bbbc922aa821, -0x2c4a5cb8c9ff2435, 0x4aeabbe6f9ffd7f8 }
+    },
+    {
+        { 0x6a2134bcc4a9c8f2, -0x040702e37531d1c9, 0x000ae3049911a0ba, 0x046e3a616bc89b9e },
+        { 0x4630119e40d8f78c, -0x5fe5643ac38ef1ef, 0x486d2b258910dd79, 0x1e6c47b3db0324e5 },
+        { 0x14e65442f03906be, 0x4a019d54e362be2a, 0x68ccdfec8dc230c7, 0x7cfb7e3faf6b861c }
+    },
+},
+{
+    {
+        { -0x69114004cfa4d0af, -0x2c06c752776a6948, -0x0f0ad238b92a22db, 0x57968290bb3a0095 },
+        { 0x4637974e8c58aedc, -0x4610dd04540fbe5c, -0x1e7a26a9167f8e76, 0x2f1b78fab143a8a6 },
+        { -0x08e547bcf5df1eff, -0x0c6c9a72db0f13b9, -0x308af657911d112f, 0x7dc43e35dc2aa3e1 }
+    },
+    {
+        { 0x5a782a5c273e9718, 0x3576c6995e4efd94, 0x0f2ed8051f237d3e, 0x044fb81d82d50a99 },
+        { -0x7a69999a7782263d, -0x36f064ceb44facab, -0x391f720710df864f, 0x7ef72016758cc12f },
+        { -0x3e20e73a56f81c27, 0x57b3371dce4c6359, -0x358fbacb4dfe44b7, 0x7f79823f9c30dd2e }
+    },
+    {
+        { 0x6a9c1ff068f587ba, 0x0827894e0050c8de, 0x3cbf99557ded5be7, 0x64a9b0431c06d6f0 },
+        { -0x7ccb2dc65c4aec18, -0x3ec98f2b46e05728, 0x12b54136f590bd33, 0x0a4e0373d784d9b4 },
+        { 0x2eb3d6a15b7d2919, -0x4f4b095f2ac57dcb, 0x7156ce4389a45d47, 0x071a7d0ace18346c }
+    },
+    {
+        { -0x33f3caaddf1ebbcf, 0x0d65950709b15141, -0x650a9de4df62a0ca, 0x7c69bcf7617755d3 },
+        { -0x2cf8d255377845f5, 0x01262905bfa562ee, -0x30abcffd3f108975, 0x2c3bcc7146ea7e9c },
+        { 0x07f0d7eb04e8295f, 0x10db18252f50f37d, -0x16ae565ce8e86729, 0x6f5a9a7322aca51d }
+    },
+    {
+        { -0x18d62b145c26bb42, -0x7261f6bf7f875062, 0x4525567a47869c03, 0x02ab9680ee8d3b24 },
+        { -0x745efff3d0be393b, -0x3b60863ef3010465, 0x4efa47703cc51c9f, 0x494e21a2e147afca },
+        { -0x105b757a221af266, 0x219a224e0fb9a249, -0x05f6e0e226e10927, 0x6b5d76cbea46bb34 }
+    },
+    {
+        { -0x1f06bee8e187dade, -0x0e19518bfc96c92d, 0x408b3ea2d0fcc746, 0x16fb869c03dd313e },
+        { -0x77a8aa9313f3266c, 0x6472dc6f5cd01dba, -0x50fe96eb70bd4b89, 0x0ae333f685277354 },
+        { 0x288e199733b60962, 0x24fc72b4d8abe133, 0x4811f7ed0991d03e, 0x3f81e38b8f70d075 }
+    },
+    {
+        { 0x0adb7f355f17c824, 0x74b923c3d74299a4, -0x2a83c17434071509, 0x0ad3e2d34cdedc3d },
+        { 0x7f910fcc7ed9affe, 0x545cb8a12465874b, -0x57c6812db4f3b8fc, 0x50510fc104f50993 },
+        { 0x6f0c0fc5336e249d, 0x745ede19c331cfd9, -0x0d2902fff61101e4, 0x127c158bf0fa1ebe }
+    },
+    {
+        { -0x215d703b51ae468c, 0x1d9973d3744dfe96, 0x6240680b873848a8, 0x4ed82479d167df95 },
+        { -0x09e683bdd167865e, -0x5bb5222bad35c9b9, -0x64bec03eb4b15335, 0x354ef87d07ef4f68 },
+        { -0x011c4add9f3a268b, 0x50352efceb41b0b8, -0x77f753cf56099ac4, 0x302d92d20539236d }
+    },
+},
+{
+    {
+        { -0x6a847474f20ac3d0, 0x2a1c770a8e60f098, -0x4438598fcba86922, 0x22a48f9a90c99bc9 },
+        { 0x4c59023fcb3efb7c, 0x6c2fcb99c63c2a94, -0x45be6f1d3c381f7c, 0x0e545daea51874d9 },
+        { 0x6b7dc0dc8d3fac58, 0x5497cd6ce6e42bfd, 0x542f7d1bf400d305, 0x4159f47f048d9136 }
+    },
+    {
+        { 0x748515a8bbd24839, 0x77128347afb02b55, 0x50ba2ac649a2a17f, 0x060525513ad730f1 },
+        { 0x20ad660839e31e32, -0x07e1e42a7bfa41b0, -0x07f9bfa90b254397, 0x14d23dd4ce71b975 },
+        { -0x0dc671f6755d807e, 0x6d7982bb89a1b024, -0x0596bf7bdeb22db4, 0x71ab966fa32301c3 }
+    },
+    {
+        { -0x4ef775f8fd7f66ab, 0x43b273ea0b43c391, -0x3564985101f97913, 0x605eecbf8335f4ed },
+        { 0x2dcbd8e34ded02fc, 0x1151f3ec596f22aa, -0x435daabcb1fcd726, 0x35768fbe92411b22 },
+        { -0x7cdff59a93cbfbcf, -0x60328e98711a63d1, 0x75d4613f71300f8a, 0x7a912faf60f542f9 }
+    },
+    {
+        { 0x253f4f8dfa2d5597, 0x25e49c405477130c, 0x00c052e5996b1102, 0x33cb966e33bb6c4a },
+        { -0x4dfba7a1a123e5bd, -0x60f1e911a76838c4, 0x5b82c0ae4e70483c, 0x624a170e2bddf9be },
+        { 0x597028047f116909, -0x7d753be3e1a9bb99, 0x70417dbde6217387, 0x721627aefbac4384 }
+    },
+    {
+        { -0x02cf6843bef4d0de, -0x0e5fa2584a3057bc, 0x61289a1def57ca74, 0x245ea199bb821902 },
+        { -0x682fc43c78c9522b, 0x2f1422afc532b130, 0x3aa68a057101bbc4, 0x4c946cf7e74f9fa7 },
+        { -0x51235996872b8808, 0x1898ba3c29117fe1, -0x308c067c8df342a8, 0x67da12e6b8b56351 }
+    },
+    {
+        { 0x2b7ef3d38ec8308c, -0x7d7028138e146b55, -0x7f83c4c93af9d543, 0x0cb64cb831a94141 },
+        { 0x7067e187b4bd6e07, 0x6e8f0203c7d1fe74, -0x6c3955d0c737a5d0, 0x76297d1f3d75a78a },
+        { 0x3030fc33534c6378, -0x469ca3a31abe179f, 0x15d9a9bed9b2c728, 0x49233ea3f3775dcb }
+    },
+    {
+        { 0x7b3985fe1c9f249b, 0x4fd6b2d5a1233293, -0x314cba6be520b29e, 0x6987ff6f542de50c },
+        { 0x629398fa8dbffc3a, -0x1ed01ad22ab24bab, -0x0c41ee20250dad6b, 0x628b140dce5e7b51 },
+        { 0x47e241428f83753c, 0x6317bebc866af997, -0x2544a4bcc2e567d7, 0x074d8d245287fb2d }
+    },
+    {
+        { 0x481875c6c0e31488, 0x219429b2e22034b4, 0x7223c98a31283b65, 0x3420d60b342277f9 },
+        { -0x7cc82632bbf403cf, 0x729d2ca1af318fd7, -0x5fbf5b5b88d3df90, 0x46002ef03a7349be },
+        { -0x055dc52150019a09, 0x78261ed45be0764c, 0x441c0a1e2f164403, 0x5aea8e567a87d395 }
+    },
+},
+{
+    {
+        { 0x2dbc6fb6e4e0f177, 0x04e1bf29a4bd6a93, 0x5e1966d4787af6e8, 0x0edc5f5eb426d060 },
+        { 0x7813c1a2bca4283d, -0x129d0f6e5e79c227, -0x513843473d97057a, 0x10e5d3b76f1cae4c },
+        { 0x5453bfd653da8e67, -0x1623e113db5609bf, -0x4078d9c4fca875dd, 0x45b46c51361cba72 }
+    },
+    {
+        { -0x3162b22275801c1c, -0x54ec9ba9899df1d0, 0x4b594f7bb30e9958, 0x5c1c0aef321229df },
+        { -0x56bfd540ceb0805f, -0x1da80e2371730bb0, 0x1dbbd54b23a8be84, 0x2177bfa36dcb713b },
+        { 0x37081bbcfa79db8f, 0x6048811ec25f59b3, 0x087a76659c832487, 0x4ae619387d8ab5bb }
+    },
+    {
+        { 0x61117e44985bfb83, -0x031fb9d58e69ceca, -0x7c53cbb72bda6fb5, 0x75685abe5ba43d64 },
+        { -0x72240955acbb5cd2, 0x7d88eab4b41b4078, 0x5eb0eb974a130d60, 0x1a00d91b17bf3e03 },
+        { 0x6e960933eb61f2b2, 0x543d0fa8c9ff4952, -0x208d8aef85099a97, 0x135529b623b0e6aa }
+    },
+    {
+        { -0x0a38e9431dd17c02, -0x4bd414e617f67a3f, -0x136259c8ebdab552, 0x5972ea051590a613 },
+        { 0x18f0dbd7add1d518, -0x68608777303ee0ef, -0x78cd1e0f8eeb8a65, 0x79b5b81a65ca3a01 },
+        { 0x0fd4ac20dc8f7811, -0x65652d6b53b2b058, -0x3fe4d29b4cc9fbcc, 0x4f7e9c95905f3bdb }
+    },
+    {
+        { 0x71c8443d355299fe, -0x7432c4e324141529, -0x7f6db6610e5b6b9a, 0x1942eec4a144adc8 },
+        { 0x62674bbc5781302e, -0x27adf0c6765223f1, -0x73d66651ac04263a, 0x31993ad92e638e4c },
+        { 0x7dac5319ae234992, 0x2c1b3d910cea3e92, 0x553ce494253c1122, 0x2a0a65314ef9ca75 }
+    },
+    {
+        { -0x30c9e532c3e386c6, 0x2f9ebcac5a35bc3b, 0x60e860e9a8cda6ab, 0x055dc39b6dea1a13 },
+        { 0x2db7937ff7f927c2, -0x248be0f9e82f59cb, 0x5982f3a21155af76, 0x4cf6e218647c2ded },
+        { -0x4ee6dd833d72a44a, 0x07e24ebc774dffab, -0x57c387311b5cd377, 0x121a307710aa24b6 }
+    },
+    {
+        { -0x29a68ec1388b7c37, -0x77401f8847d46951, 0x289e28231097bcd3, 0x527bb94a6ced3a9b },
+        { -0x1b24a2a160fcb569, -0x1eac03f6cfcb43d3, 0x460546919551d3b1, 0x333fc76c7a40e52d },
+        { 0x563d992a995b482e, 0x3405d07c6e383801, 0x485035de2f64d8e5, 0x6b89069b20a7a9f7 }
+    },
+    {
+        { 0x4082fa8cb5c7db77, 0x068686f8c734c155, 0x29e6c8d9f6e7a57e, 0x0473d308a7639bcf },
+        { -0x7ed55fbe9d8fddf3, -0x66a5760506dba4b2, -0x00523b31af8d10fb, 0x23bc2103aa73eb73 },
+        { -0x351186d9fca761fb, 0x2b4b421246dcc492, 0x02a1ef74e601a94f, 0x102f73bfde04341a }
+    },
+},
+{
+    {
+        { 0x358ecba293a36247, -0x5070679d4d97029b, 0x412f7e9968a01c89, 0x5786f312cd754524 },
+        { -0x4a5d2af3813df2c2, -0x39b422915f368d9d, 0x56e89052c1ff734d, 0x4929c6f72b2ffaba },
+        { 0x337788ffca14032c, -0x0c6defd7bb80e11d, -0x74ebf8e0dce43353, 0x4c817b4bf2344783 }
+    },
+    {
+        { 0x413ba057a40b4484, -0x45b3d1e5b0a095bd, 0x614ba0a5aee1d61c, 0x78a1531a8b05dc53 },
+        { 0x0ff853852871b96e, -0x1ec160549f3c0e45, -0x1102a6acdacbbbfe, 0x0a37c37075b7744b },
+        { 0x6cbdf1703ad0562b, -0x7130b7cf36dade5d, -0x25142cfc027bdb19, 0x72ad82a42e5ec56f }
+    },
+    {
+        { -0x3c976c6e98fdb43d, -0x71962e92b6afd026, -0x030d13c31ba0b4d7, 0x065f669ea3b4cbc4 },
+        { 0x3f9e8e35bafb65f6, 0x39d69ec8f27293a1, 0x6cb8cd958cf6a3d0, 0x1734778173adae6d },
+        { -0x75ff5138aacd24b3, -0x47965b1bbc1ce44f, 0x4a0f8552d3a7f515, 0x19adeb7c303d7c08 }
+    },
+    {
+        { -0x62fa4582bc3ce86c, 0x2470c8ff93322526, -0x7cdc2137e9e68bc8, 0x2852709881569b53 },
+        { -0x38df349eac15265d, 0x55b2c97f512b636e, -0x4e1ca4a02bfd6f4f, 0x2fd9ccf13b530ee2 },
+        { 0x07bd475b47f796b8, -0x2d384fecabd370ac, 0x2dbd23f43b24f87e, 0x6551afd77b0901d6 }
+    },
+    {
+        { 0x68a24ce3a1d5c9ac, -0x44885cc2ef009b9f, 0x0f86ce4425d3166e, 0x56507c0950b9623b },
+        { 0x4546baaf54aac27f, -0x090990134d5ba5d8, 0x582d1b5b562bcfe8, 0x44b123f3920f785f },
+        { 0x1206f0b7d1713e63, 0x353fe3d915bafc74, 0x194ceb970ad9d94d, 0x62fadd7cf9d03ad3 }
+    },
+    {
+        { 0x3cd7bc61e7ce4594, -0x3294ca564822d982, -0x5f7f5437bc9910d9, 0x6ec7c46f59c79711 },
+        { -0x394a6984aa675f8c, 0x5efe91ce8e493e25, -0x2b48d3bab6d7f778, 0x20ef1149a26740c2 },
+        { 0x2f07ad636f09a8a2, -0x79681931dbdfa183, -0x3f5103fa11ca5ec7, 0x15e80958b5f9d897 }
+    },
+    {
+        { 0x4dd1ed355bb061c4, 0x42dc0cef941c0700, 0x61305dc1fd86340e, 0x56b2cc930e55a443 },
+        { 0x25a5ef7d0c3e235b, 0x6c39c17fbe134ee7, -0x388b1ecbd23a3cd9, 0x021354b892021f39 },
+        { 0x1df79da6a6bfc5a2, 0x02f3a2749fde4369, -0x4cdc260d325c6f59, 0x7be0847b8774d363 }
+    },
+    {
+        { 0x1466f5af5307fa11, -0x7e8033821293f50e, 0x0a6de44ec3a4a3fb, 0x74071475bc927d0b },
+        { -0x736633a574c0aa3d, 0x0611d7253fded2a0, -0x12d66a00c948f5ca, 0x1f699a54d78a2619 },
+        { -0x188d6d0c8c181576, 0x296537d2cb045a31, 0x1bd0653ed3274fde, 0x2f9a2c4476bd2966 }
+    },
+},
+{
+    {
+        { -0x5d4b251f4aaee366, 0x7ac860292bffff06, -0x67e0c8a20aafbdcc, 0x3f6bd725da4ea12d },
+        { -0x14e7465480a8ba3a, 0x023a8aee5787c690, -0x48d8ed25d2085057, 0x36597d25ea5c013d },
+        { 0x734d8d7b106058ac, -0x26bfa86190396fa1, 0x6466f8f99202932d, 0x7b7ecc19da60d6d0 }
+    },
+    {
+        { 0x6dae4a51a77cfa9b, -0x7dd9c9ab185c79b0, 0x09bbffcd8f2d82db, 0x03bedc661bf5caba },
+        { 0x78c2373c695c690d, -0x22dad199f9bd6f92, -0x6ae2bbbbb51ed42e, 0x4235ad7601743956 },
+        { 0x6258cb0d078975f5, 0x492942549189f298, -0x5f354bdc1d1c911c, 0x0e7ce2b0cdf066a1 }
+    },
+    {
+        { -0x0159012026b48f07, -0x0ecf3fae3e0345d3, 0x4882d47e7f2fab89, 0x615256138aeceeb5 },
+        { -0x3b6b9bc53b737a5d, -0x02c9e20bc39ec653, 0x09db17dd3ae94d48, 0x666e0a5d8fb4674a },
+        { 0x2abbf64e4870cb0d, -0x329a430f55ba7495, -0x6541b1458a1767a3, 0x7f0bc810d514dee4 }
+    },
+    {
+        { -0x7c5362528c8dec60, -0x60090745d108d168, 0x311e2edd43ec6957, 0x1d3a907ddec5ab75 },
+        { -0x46ff945bd90bec91, -0x7298c961a81fcfcb, -0x34372026b0b9c3d8, 0x0d1f8dbcf8eedbf5 },
+        { -0x45e96ccec12f7e24, 0x29329fad851b3480, 0x0128013c030321cb, 0x00011b44a31bfde3 }
+    },
+    {
+        { 0x16561f696a0aa75c, -0x3e408da3a7ad4296, 0x11a8dd7f9a7966ad, 0x63d988a2d2851026 },
+        { 0x3fdfa06c3fc66c0c, 0x5d40e38e4dd60dd2, 0x7ae38b38268e4d71, 0x3ac48d916e8357e1 },
+        { 0x00120753afbd232e, -0x16d431470227097d, -0x07e9964c7b18d46f, 0x33fad52b2368a066 }
+    },
+    {
+        { -0x72d3372f3bdd3018, 0x072b4f7b05a13acb, -0x5c01491913095a91, 0x3cc355ccb90a71e2 },
+        { 0x540649c6c5e41e16, 0x0af86430333f7735, -0x4d53032d0cfa18ba, 0x16c0f429a256dca7 },
+        { -0x16496bbc6fc16ecf, -0x475b6b3485a9c832, -0x37832e5b45456dbc, 0x631eaf426bae7568 }
+    },
+    {
+        { 0x47d975b9a3700de8, 0x7280c5fbe2f80552, 0x53658f2732e45de1, 0x431f2c7f665f80b5 },
+        { -0x4c16fbef25990161, -0x7a22b4ad93e91a5a, -0x43c2689ee106407d, 0x5599648b1ea919b5 },
+        { -0x29fd9cbb7a7084e7, 0x14ab352fa1ea514a, -0x76ffbbe5df6f5629, 0x7b04715f91253b26 }
+    },
+    {
+        { -0x4c893d7f3b19453a, -0x68f12c2292e264f5, -0x4f656aa7baf406bc, 0x48d0acfa57cde223 },
+        { -0x7c1242d7530951bd, -0x79ca837482a3854c, -0x3fbfb8964814d3bc, 0x59b37bf5c2f6583f },
+        { -0x49f0d91b8254198f, -0x0e2e5e689dd0c5c9, 0x4208ce7ee9960394, 0x16234191336d3bdb }
+    },
+},
+{
+    {
+        { -0x7ad22e02c2a87442, 0x2b65ce72c3286108, 0x658c07f4eace2273, 0x0933f804ec38ab40 },
+        { -0x0e651538cc59c511, 0x2c7fba5d4442454e, 0x5da87aa04795e441, 0x413051e1a4e0b0f5 },
+        { -0x5854968672b69b8a, -0x7ede5521034a5438, -0x5a23ed1084ac6b8e, 0x07fd47065e45351a }
+    },
+    {
+        { 0x304211559ae8e7c3, -0x0d7e4dd66bb77d5b, -0x75ec53d1c87daf1c, 0x014afa0954ba48f4 },
+        { -0x37a7c3c2da72d433, 0x17029a4daf60b73f, -0x05f03629be95c87f, 0x1c1e5fba38b3fb23 },
+        { -0x34ce68ffe44c9994, 0x330060524bffecb9, 0x293711991a88233c, 0x291884363d4ed364 }
+    },
+    {
+        { -0x0462c83c43e54915, 0x02be14534d57a240, -0x0b28cbea075a1e0a, 0x5964f4300ccc8188 },
+        { 0x033c6805dc4babfa, 0x2c15bf5e5596ecc1, 0x1bc70624b59b1d3b, 0x3ede9850a19f0ec5 },
+        { -0x1bb5dcead2f69800, 0x5c08c55970866996, -0x20d249f5b9500492, 0x579155c1f856fd89 }
+    },
+    {
+        { -0x4a0e949cf7e8185a, -0x7f7396dcc3caefda, 0x324a983b54cef201, 0x53c092084a485345 },
+        { -0x69cdb122ed1f3611, 0x468b878df2420297, 0x199a3776a4f573be, 0x1e7fbcf18e91e92a },
+        { -0x2d2beb7e0e345041, 0x231d2db6716174e5, 0x0b7d7656e2a55c98, 0x3e955cd82aa495f6 }
+    },
+    {
+        { -0x54c60c109e44c5c1, -0x714bff9ad146e6c2, -0x4a219133c73ee08c, 0x654d7e9626f3c49f },
+        { -0x1b70aca1c12eabcd, -0x2f8a96d5f28d8f5d, 0x40fbd21daade6387, 0x14264887cf4495f5 },
+        { -0x1a9b3022a382d315, -0x7d11502128c83347, 0x6107db62d1f9b0ab, 0x0b6baac3b4358dbb }
+    },
+    {
+        { 0x204abad63700a93b, -0x41ffdc2c25886c8d, -0x27a0fcb99cc548f7, 0x00496dc490820412 },
+        { 0x7ae62bcb8622fe98, 0x47762256ceb891af, 0x1a5a92bcf2e406b4, 0x7d29401784e41501 },
+        { 0x1c74b88dc27e6360, 0x074854268d14850c, -0x5eba0484c1f234d0, 0x10843f1b43803b23 }
+    },
+    {
+        { -0x2a9098d21cdb9765, -0x2e2575124c6b567f, -0x2284a7016e973013, 0x7ce246cd4d56c1e8 },
+        { -0x3a06fbaac89d8923, -0x31a6ea72289ba327, -0x6d09a2aee2c994c7, 0x11574b6e526996c4 },
+        { -0x470bcf71807f41ad, 0x5f3cb8cb34a9d397, 0x18a961bd33cc2b2c, 0x710045fb3a9af671 }
+    },
+    {
+        { -0x5fc0379dfa629662, 0x2370cfa19a619e69, -0x3b01c4edd07dc215, 0x1d1b056fa7f0844e },
+        { 0x73f93d36101b95eb, -0x0510cc86b090bb7a, 0x5651735f8f15e562, 0x7fa3f19058b40da1 },
+        { 0x1bc64631e56bf61f, -0x2c8654ef91ac7d5d, 0x4d58c57e0540168d, 0x566256628442d8e4 }
+    },
+},
+{
+    {
+        { -0x22b66329e00c79c0, 0x29cd9bc3063625a0, 0x51e2d8023dd73dc3, 0x4a25707a203b9231 },
+        { -0x461b662109d9800a, 0x7772ca7b742c0843, 0x23a0153fe9a4f2b1, 0x2cdfdfecd5d05006 },
+        { 0x2ab7668a53f6ed6a, 0x304242581dd170a1, 0x4000144c3ae20161, 0x5721896d248e49fc }
+    },
+    {
+        { 0x285d5091a1d0da4e, 0x4baa6fa7b5fe3e08, 0x63e5177ce19393b3, 0x03c935afc4b030fd },
+        { 0x0b6e5517fd181bae, -0x6fdd9d60d4469c4c, 0x5509bce932064625, 0x578edd74f63c13da },
+        { -0x668d8939b6d4f3c3, 0x47ccc2c4dfe205fc, -0x232d647b229dc5c4, 0x3ec2ab590288c7a2 }
+    },
+    {
+        { -0x58dec5f651cd2e35, 0x0f2b87df40f5c2d5, 0x0baea4c6e81eab29, 0x0e1bf66c6adbac5e },
+        { -0x5e5f2d841b278447, -0x5674b2149ec6e513, -0x665f222f8c34647d, 0x2dd5c25a200fcace },
+        { -0x1d542a1686d37782, 0x1a020018cb926d5d, -0x404596324551a0e2, 0x730548b35ae88f5f }
+    },
+    {
+        { -0x7fa4f6b45e291ccc, -0x40c10e88f6cac0e7, 0x423f06cb0622702b, 0x585a2277d87845dd },
+        { -0x3bcaae5c34574712, 0x65a26f1db2115f16, 0x760f4f52ab8c3850, 0x3043443b411db8ca },
+        { -0x5e75a07dcc2b769e, 0x6698c4b5ec78257f, -0x5871905ac8c1be01, 0x7656278950ef981f }
+    },
+    {
+        { -0x1e8f8c5c15793063, 0x3a8cfbb707155fdc, 0x4853e7fc31838a8e, 0x28bbf484b613f616 },
+        { 0x38c3cf59d51fc8c0, -0x64122d02faf9490e, 0x26bf109fab570e8f, 0x3f4160a8c1b846a6 },
+        { -0x0d9ed0a390ec9384, -0x50152ef80922ee42, 0x527e9ad213de6f33, 0x1e79cb358188f75d }
+    },
+    {
+        { 0x77e953d8f5e08181, -0x7b5af3bbd6622127, -0x2393d2f379bada1b, 0x478ab52d39d1f2f4 },
+        { 0x013436c3eef7e3f1, -0x7d7495800161ef08, 0x7ff908e5bcf9defc, 0x65d7951b3a3b3831 },
+        { 0x66a6a4d39252d159, -0x1a221e4378e537f9, -0x47d394bf593e3691, 0x16d87a411a212214 }
+    },
+    {
+        { -0x045b2a1d2ab1fa7d, -0x1de05028d1426606, 0x497ac2736ee9778f, 0x1f990b577a5a6dde },
+        { -0x4c4281a5bdf99deb, -0x78641c32f3a5db3f, 0x57c05db1d6f994b7, 0x28f87c8165f38ca6 },
+        { -0x5ccbb152e417082a, 0x7d1e50ebacea798f, 0x77c6569e520de052, 0x45882fe1534d6d3e }
+    },
+    {
+        { -0x275366d66bc3901c, -0x4a060e9e5c7c6d5e, 0x2699db13bec89af3, 0x7dcf843ce405f074 },
+        { 0x6669345d757983d6, 0x62b6ed1117aa11a6, 0x7ddd1857985e128f, 0x688fe5b8f626f6dd },
+        { 0x6c90d6484a4732c0, -0x2adebc0235a9cd67, -0x4c41d73c6ea2391f, 0x6739687e7327191b }
+    },
+},
+{
+    {
+        { -0x731a552f363468e1, 0x1156aaa99fd54a29, 0x41f7247015af9b78, 0x1fe8cca8420f49aa },
+        { -0x609a3a15dff7eb31, -0x7bfac91e965ce8c0, -0x74f12ec6da374b53, 0x0080dbafe936361d },
+        { 0x72a1848f3c0cc82a, 0x38c560c2877c9e54, 0x5004e228ce554140, 0x042418a103429d71 }
+    },
+    {
+        { 0x58e84c6f20816247, -0x724d4d491c90286d, -0x688e7da9e2b7b27b, 0x0822024f8632abd7 },
+        { -0x766215ae540c00a1, -0x646c5798d03d2746, 0x2c38cb97be6ebd5c, 0x114d578497263b5d },
+        { -0x4cfe448394e4135d, 0x55393f6dc6eb1375, -0x6ef2d7ef68491b15, 0x1ad4548d9d479ea3 }
+    },
+    {
+        { -0x5f901992f016012d, -0x578cc5bfe3a786f7, 0x30d14d800df98953, 0x41ce5876c7b30258 },
+        { -0x32a5825fc765b703, -0x4c705b556587c8e2, -0x392689e4d3247194, 0x35cf51dbc97e1443 },
+        { 0x59ac3bc5d670c022, -0x151983ef64ee6bfa, -0x6867420f4c87d026, 0x651e3201fd074092 }
+    },
+    {
+        { -0x5a845b5fe1035162, 0x769f4beedc308a94, -0x2e0ef114c9fc34d2, 0x4099ce5e7e441278 },
+        { -0x29c27b7c10cf3a31, 0x4cd4b4962361cc0c, -0x116f1aff5b7bd954, 0x0af51d7d18c14eeb },
+        { 0x1ac98e4f8a5121e9, 0x7dae9544dbfa2fe0, -0x7cdf55f229bcf207, 0x667282652c4a2fb5 }
+    },
+    {
+        { -0x5257491fd6b924dd, 0x1c0ce51a7b253ab7, -0x7bb737a59922b7a5, 0x7f1fc025d0675adf },
+        { -0x78b9de0b27943655, -0x4ab38441a9019016, 0x077a24257fadc22c, 0x1ab53be419b90d39 },
+        { -0x2711e4e7ce615956, 0x004d88083a21f0da, 0x3bd6aa1d883a4f4b, 0x4db9a3a6dfd9fd14 }
+    },
+    {
+        { -0x26a4ff4434488398, -0x22437b956e0e87b7, 0x7cf700aebe28d9b3, 0x5ce1285c85d31f3e },
+        { -0x73184dc44663f8ab, 0x35c5d6edc4f50f7a, 0x7e1e2ed2ed9b50c3, 0x36305f16e8934da1 },
+        { 0x31b6972d98b0bde8, 0x7d920706aca6de5b, -0x198cef076f759a61, 0x50fac2a6efdf0235 }
+    },
+    {
+        { 0x295b1c86f6f449bc, 0x51b2e84a1f0ab4dd, -0x3ffe34cf5571aae3, 0x6a28d35944f43662 },
+        { -0x0c2c560ca477f0a6, -0x1213faf324fc183e, -0x576967e0060f4e5e, 0x49a4ae2bac5e34a4 },
+        { 0x28bb12ee04a740e0, 0x14313bbd9bce8174, 0x72f5b5e4e8c10c40, 0x7cbfb19936adcd5b }
+    },
+    {
+        { -0x7186c58533c91920, -0x0605485c82a79113, 0x3a4f9692bae1f4e4, 0x1c14b03eff5f447e },
+        { -0x5cee223d947686d3, 0x1b30b4c6da512664, 0x0ca77b4ccf150859, 0x1de443df1b009408 },
+        { 0x19647bd114a85291, 0x57b76cb21034d3af, 0x6329db440f9d6dfa, 0x5ef43e586a571493 }
+    },
+},
+{
+    {
+        { -0x5992336237f3e540, -0x685fa30be4c75bca, -0x58140c416a24283a, 0x7da0b8f68d7e7dab },
+        { -0x1087dfebc7a98a5a, -0x5d9b60cf55025618, 0x4cd1eb505cdfa8cb, 0x46115aba1d4dc0b3 },
+        { -0x2bf0e6ac3c4a258a, 0x1dac6f7321119e9b, 0x03cc6021feb25960, 0x5a5f887e83674b4b }
+    },
+    {
+        { -0x6169d72c5f59bc47, -0x4a3c34ff193cdf9c, -0x64acfd7683d213ce, 0x43e37ae2d5d1c70c },
+        { -0x709cfe308f5ec2ef, -0x303147eacaf22f3c, -0x08fd682b5b435b82, 0x3669b656e44d1434 },
+        { 0x387e3f06eda6e133, 0x67301d5199a13ac0, -0x42a52707c9d9c7ef, 0x6a21e6cd4fd5e9be }
+    },
+    {
+        { -0x10bed6ed99664d1d, 0x71d30847708d1301, 0x325432d01182b0bd, 0x45371b07001e8b36 },
+        { -0x0e39e8f5cfb919a1, 0x58712a2a00d23524, 0x69dbbd3c8c82b755, 0x586bf9f1a195ff57 },
+        { -0x5924f772a10786f5, 0x5278f0dc610937e5, -0x53fcb62d9e5e9148, 0x0eafb03790e52179 }
+    },
+    {
+        { 0x5140805e0f75ae1d, -0x13fd041cd99d33d0, 0x2cebdf1eea92396d, 0x44ae3344c5435bb3 },
+        { -0x69faaa3ec8b7fbd1, 0x219a41e6820baa11, 0x1c81f73873486d0c, 0x309acc675a02c661 },
+        { -0x630d7646445abc12, -0x0c89f162a5368ebe, 0x1d82e5c64f9360aa, 0x62d5221b7f94678f }
+    },
+    {
+        { 0x7585d4263af77a3c, -0x205184ee0116ebb3, -0x5af98f7fa608e6c3, 0x14f29a5383922037 },
+        { 0x524c299c18d0936d, -0x37944a9375f3e5f4, -0x5c8afad124b579cf, 0x5c0efde4bc754562 },
+        { -0x208e8123da4d280b, 0x21f970db99b53040, -0x256dcb483c12b39e, 0x5e72365c7bee093e }
+    },
+    {
+        { 0x7d9339062f08b33e, 0x5b9659e5df9f32be, -0x5300c252e0614203, 0x70b20555cb7349b7 },
+        { 0x575bfc074571217f, 0x3779675d0694d95b, -0x65f5c8440be6e1cd, 0x77f1104c47b4eabc },
+        { -0x41aeec3aaaeed3b4, 0x6688423a9a881fcd, 0x446677855e503b47, 0x0e34398f4a06404a }
+    },
+    {
+        { 0x18930b093e4b1928, 0x7de3e10e73f3f640, -0x0bcde8258cc6a291, 0x6f8aded6ca379c3e },
+        { -0x4982dd26c1314218, 0x09b3e84127822f07, 0x743fa61fb05b6d8d, 0x5e5405368a362372 },
+        { -0x1cbfedc202484d66, 0x487b97e1a21ab291, -0x066982fd02196b62, 0x780de72ec8d3de97 }
+    },
+    {
+        { 0x671feaf300f42772, -0x708d14d5d573be56, 0x29a17fd797373292, 0x1defc6ad32b587a6 },
+        { 0x0ae28545089ae7bc, 0x388ddecf1c7f4d06, 0x38ac15510a4811b8, 0x0eb28bf671928ce4 },
+        { -0x50a441e510ae6a59, 0x148c1277917b15ed, 0x2991f7fb7ae5da2e, 0x467d201bf8dd2867 }
+    },
+},
+{
+    {
+        { 0x745f9d56296bc318, -0x66ca7f2b27ead19b, -0x4f1a4ec0a7c61632, 0x51fc2b28d43921c0 },
+        { 0x7906ee72f7bd2e6b, 0x05d270d6109abf4e, -0x72a301ba46be575c, 0x44c218671c974287 },
+        { 0x1b8fd11795e2a98c, 0x1c4e5ee12b6b6291, 0x5b30e7107424b572, 0x6e6b9de84c4f4ac6 }
+    },
+    {
+        { 0x6b7c5f10f80cb088, 0x736b54dc56e42151, -0x3d49df5a3910663c, 0x5f4c802cc3a06f42 },
+        { -0x200da031b4e21eaf, -0x27be3f381ee3bfdb, 0x2554b3c854749c87, 0x2d292459908e0df9 },
+        { -0x649a370e82f8ad26, -0x77e31cc738811800, -0x3c4aeb0fa49d061d, 0x66ed5dd5bec10d48 }
+    },
+    {
+        { -0x0f520c363435fb83, -0x7e3c4d340baad095, -0x3025eed2bb8ca06d, 0x1f23a0c77e20048c },
+        { 0x7d38a1c20bb2089d, -0x7f7ccb1e69332bee, -0x3b58f47393682ced, 0x2eacf8bc03007f20 },
+        { -0x0dcab9841a43ea90, 0x03d2d9020dbab38c, 0x27529aa2fcf9e09e, 0x0840bef29d34bc50 }
+    },
+    {
+        { -0x32ab1f9480c81b15, -0x733ea0780a169336, -0x47db744f2ca68232, 0x246affa06074400c },
+        { 0x796dfb35dc10b287, 0x27176bcd5c7ff29d, 0x7f3d43e8c7b24905, 0x0304f5a191c54276 },
+        { 0x37d88e68fbe45321, -0x79f68ab73f28afce, 0x4e9b13ef894a0d35, 0x25a83cac5753d325 }
+    },
+    {
+        { -0x60f099d6c6ad491e, 0x33db5e0e0934267b, -0x00badad429f60124, 0x06be10f5c506e0c9 },
+        { 0x10222f48eed8165e, 0x623fc1234b8bcf3a, 0x1e145c09c221e8f0, 0x7ccfa59fca782630 },
+        { 0x1a9615a9b62a345f, 0x22050c564a52fecc, -0x585d877ad743f202, 0x5e82770a1a1ee71d }
+    },
+    {
+        { -0x17fd17f5bdcc638c, 0x34175166a7fffae5, 0x34865d1f1c408cae, 0x2cca982c605bc5ee },
+        { 0x35425183ad896a5c, -0x1798c5041872ad0a, 0x2c66f25f92a35f64, 0x09d04f3b3b86b102 },
+        { -0x02d2a2cae6824192, 0x207c2eea8be4ffa3, 0x2613d8db325ae918, 0x7a325d1727741d3e }
+    },
+    {
+        { -0x132d82fe81d5f896, -0x28779760e9c9b6a2, 0x52a61af0919233e5, 0x2a479df17bb1ae64 },
+        { -0x2fc946442e92021e, -0x5dfaa8a83b6857d7, -0x71933699580ed999, 0x4d3b1a791239c180 },
+        { -0x61a11171cc24d8f0, 0x189854ded6c43ca5, -0x5be3dd3a6d8e7ec8, 0x27ad5538a43a5e9b }
+    },
+    {
+        { -0x34a5829c71b8f884, -0x7248ac9edf5e3fa7, 0x549e1e4d8bedfdcc, 0x080153b7503b179d },
+        { 0x2746dd4b15350d61, -0x2fc03437116ade49, -0x1791c9a5ec798d36, 0x510e987f7e7d89e2 },
+        { -0x2259626cf5c12c1d, 0x3d386ef1cd60a722, -0x37e852a74255b11a, 0x23be8d554fe7372a }
+    },
+},
+{
+    {
+        { -0x43e10b42a9851857, 0x3f624cb2d64498bd, -0x1bef9b2dd3e0b138, 0x2ef9c5a5ba384001 },
+        { -0x6a016e658b10b053, 0x3a827becf6a308a2, -0x69b1fe2cf65b84ff, 0x71c43c4f5ba3c797 },
+        { -0x4902920905618b33, -0x0e7d87431b50d986, -0x7daa4c2f0e1066f2, 0x5a758ca390c5f293 }
+    },
+    {
+        { -0x731f6e74e29e236c, -0x7212c9b9657ecf9a, -0x2b1957d65017552d, 0x0a738027f639d43f },
+        { -0x5d48d8ef26b9db6b, 0x3aa8c6d2d57d5003, -0x1c2bff405f4b7836, 0x2dbae244b3eb72ec },
+        { -0x67f0b5d0a8001e34, 0x00670d0de1839843, 0x105c3f4a49fb15fd, 0x2698ca635126a69c }
+    },
+    {
+        { 0x2e3d702f5e3dd90e, -0x61c0f6e71b2dac7a, 0x5e773ef6024da96a, 0x3c004b0c4afa3332 },
+        { -0x189ace77cd4f4588, 0x381831f7925cff8b, 0x08a81b91a0291fcc, 0x1fb43dcc49caeb07 },
+        { -0x6556b953f90b47d5, 0x1ca284a5a806c4f3, 0x3ed3265fc6cd4787, 0x6b43fd01cd1fd217 }
+    },
+    {
+        { -0x4a38bda7c189f10d, 0x75dc52b9ee0ab990, -0x40ebd83df8d46dc1, 0x73420b2d6ff0d9f0 },
+        { -0x3858a2b4b9683abc, 0x15fdf848df0fffbf, 0x2868b9ebaa46785a, 0x5a68d7105b52f714 },
+        { -0x50d30934617ae1fa, -0x70a6c6ec39ddc73c, -0x2575476966040c8d, 0x3db5632fea34bc9e }
+    },
+    {
+        { 0x2e4990b1829825d5, -0x12151478c165766f, -0x110fc2c6b38fb508, 0x59197ea495df2b0e },
+        { -0x0b9111d408a22628, 0x0d17b1f6396759a5, 0x1bf2d131499e7273, 0x04321adf49d75f13 },
+        { 0x04e16019e4e55aae, -0x1884bc8581d06d17, -0x3831d23e90ea655c, 0x45eafdc1f4d70cc0 }
+    },
+    {
+        { -0x49f1b9db30334e13, 0x59dbc292bd5c0395, 0x31a09d1ddc0481c9, 0x3f73ceea5d56d940 },
+        { 0x698401858045d72b, 0x4c22faa2cf2f0651, -0x6be5c99a94ddd23a, 0x5a5eebc80362dade },
+        { -0x4858402ef5b1723a, -0x41a8ff81bb364cc7, 0x60c1207f1557aefa, 0x26058891266218db }
+    },
+    {
+        { 0x4c818e3cc676e542, 0x5e422c9303ceccad, -0x13f833354bed60f8, 0x0dedfa10b24443b8 },
+        { 0x59f704a68360ff04, -0x3c26c021899e190c, -0x7ce4d58ced78caaf, 0x54ad0c2e4e615d57 },
+        { -0x11c4982a47d4add6, 0x36f163469fa5c1eb, -0x5a4b2d0d913e602d, 0x62ecb2baa77a9408 }
+    },
+    {
+        { -0x6df8d7c95049d78c, 0x5fcd5e8579e104a5, 0x5aad01adc630a14a, 0x61913d5075663f98 },
+        { -0x1a1286ad9eead4c3, 0x4962357d0eddd7d1, 0x7482c8d0b96b4c71, 0x2e59f919a966d8be },
+        { 0x0dc62d361a3231da, -0x05b8a7cd6bdffd90, 0x02d801513f9594ce, 0x3ddbc2a131c05d5c }
+    },
+},
+{
+    {
+        { -0x048ca53dffb5ca2f, 0x31de0f433a6607c3, 0x7b8591bfc528d599, 0x55be9a25f5bb050c },
+        { 0x3f50a50a4ffb81ef, -0x4e1fcaf6c40bdf41, -0x645571e33955d330, 0x32239861fa237a40 },
+        { 0x0d005acd33db3dbf, 0x0111b37c80ac35e2, 0x4892d66c6f88ebeb, 0x770eadb16508fbcd }
+    },
+    {
+        { -0x0e2c497e5faf8e47, 0x2207659a3592ff3a, 0x5f0169297881e40e, 0x16bedd0e86ba374e },
+        { -0x7bae061fa1b17623, -0x3f9cfd004386c6c9, 0x5d22749556a6495c, 0x09a6755ca05603fb },
+        { 0x5ecccc4f2c2737b5, 0x43b79e0c2dccb703, 0x33e008bc4ec43df3, 0x06c1b840f07566c0 }
+    },
+    {
+        { 0x69ee9e7f9b02805c, -0x34007d75ab82e9c0, 0x3d93a869b2430968, 0x46b7b8cd3fe26972 },
+        { 0x7688a5c6a388f877, 0x02a96c14deb2b6ac, 0x64c9f3431b8c2af8, 0x3628435554a1eed6 },
+        { -0x167edf7901811420, 0x4cba6be72f515437, 0x1d04168b516efae9, 0x5ea1391043982cb9 }
+    },
+    {
+        { 0x6f2b3be4d5d3b002, -0x5013cc2695f63780, 0x035f73a4a8bcc4cc, 0x22c5b9284662198b },
+        { 0x49125c9cf4702ee1, 0x4520b71f8b25b32d, 0x33193026501fef7e, 0x656d8997c8d2eb2b },
+        { -0x34a73701bcc276c7, -0x765f34d1957281b0, 0x79ca955309fbbe5a, 0x0c626616cd7fc106 }
+    },
+    {
+        { -0x70203c86040bab4f, 0x45a5a970f1a4b771, -0x536de108452ca6eb, 0x42d088dca81c2192 },
+        { 0x1ffeb80a4879b61f, 0x6396726e4ada21ed, 0x33c7b093368025ba, 0x471aa0c6f3c31788 },
+        { -0x7025f0c85fe9ae67, 0x0adadb77c8a0e343, 0x20fbfdfcc875e820, 0x1cf2bea80c2206e7 }
+    },
+    {
+        { -0x67d291e5fd3fbed1, -0x6f05b37c24a71702, 0x01c2f5bcdcb18bc0, 0x686e0c90216abc66 },
+        { -0x3d220e214c9dfd54, -0x6d5a01f62d1d855b, 0x7d1648f6fc09f1d3, 0x74c2cc0513bc4959 },
+        { 0x1fadbadba54395a7, -0x4be5fd5f51f25996, -0x40e60a67445c83f9, 0x6a12b8acde48430d }
+    },
+    {
+        { 0x793bdd801aaeeb5f, 0x00a2a0aac1518871, -0x175c8c5ce0dec94c, 0x48aab888fc91ef19 },
+        { -0x072515e0c62b6a27, 0x592c190e525f1dfc, -0x247342fb3666e2e5, 0x11f7fda3d88f0cb7 },
+        { 0x041f7e925830f40e, 0x002d6ca979661c06, -0x79236006d4fb95d2, 0x760360928b0493d1 }
+    },
+    {
+        { -0x4bcef71a96a5f4fb, 0x6cb00ee8ad37a38b, 0x5edad6eea3537381, 0x3f2602d4b6dc3224 },
+        { 0x21bb41c6120cf9c6, -0x154d55ed21325a65, -0x3e58d2fdf55b74cc, 0x215d4d27e87d3b68 },
+        { -0x374db849a4350e64, 0x49779dc3b1b2c652, -0x765e7f442a131d1e, 0x13f098a3cec8e039 }
+    },
+},
+{
+    {
+        { -0x0c55a85dd86944ec, -0x77c5454864f825df, -0x1ab41de7ce5fc6e4, 0x5ee7fb38d83205f9 },
+        { -0x6523f00631a13ab5, 0x039c2a6b8c2f130d, 0x028007c7f0f89515, 0x78968314ac04b36b },
+        { 0x538dfdcb41446a8e, -0x5a530256bcb6c807, 0x46af908d263c8c78, 0x61d0633c9bca0d09 }
+    },
+    {
+        { -0x525cd74307038c21, -0x117b96a2590fc804, 0x637fb4db38c2a909, 0x5b23ac2df8067bdc },
+        { 0x63744935ffdb2566, -0x3a42947687f49745, 0x6f1b3280553eec03, 0x6e965fd847aed7f5 },
+        { -0x652d46ac117fad85, -0x1770e65505219273, 0x0e711704150e82cf, 0x79b9bbb9dd95dedc }
+    },
+    {
+        { -0x2e66825171608c8c, -0x5fcd5d073044f7ea, -0x329345ed92bba0f6, 0x1ba811460accb834 },
+        { -0x144caabf95ced93e, -0x2d9c7c5797373c6d, 0x6c0c6429e5b97a82, 0x5065f158c9fd2147 },
+        { 0x708169fb0c429954, -0x1eb9ff5328913099, 0x2eaab98a70e645ba, 0x3981f39e58a4faf2 }
+    },
+    {
+        { -0x37ba205a92199022, -0x1ead5affd3bfb7c6, -0x162d1e9c384b09ce, 0x30f4452edcbc1b65 },
+        { 0x18fb8a7559230a93, 0x1d168f6960e6f45d, 0x3a85a94514a93cb5, 0x38dc083705acd0fd },
+        { -0x7a92d87d3a8a68c0, -0x05ecba9606634134, -0x77bb038c3f15b18f, 0x632d9a1a593f2469 }
+    },
+    {
+        { -0x40f602ee12f37b59, 0x63f071810d9f693a, 0x21908c2d57cf8779, 0x3a5a7df28af64ba2 },
+        { -0x094494ea47f8345a, 0x1823c7dfbc54f0d7, -0x44e268fc91d698f5, 0x0b24f48847ed4a57 },
+        { -0x23252b41aee41539, -0x5bac7f8a12d9330e, -0x1e630060ffa0659b, 0x34fcf74475481f63 }
+    },
+    {
+        { -0x5a44e25487305568, 0x5ceda267190b72f2, -0x6cf636eef56d9f72, 0x0119a3042fb374b0 },
+        { -0x3e681fb387689836, -0x478eb234c726b983, 0x55de888283f95fa8, 0x3d3bdc164dfa63f7 },
+        { 0x67a2d89ce8c2177d, 0x669da5f66895d0c1, -0x0a9a671a4d7d5d50, 0x56c088f1ede20a73 }
+    },
+    {
+        { 0x581b5fac24f38f02, -0x56f41601451cf343, -0x65de96fd75306d10, 0x038b7ea48359038f },
+        { 0x336d3d1110a86e17, -0x280c77cdf48a4d06, -0x06eacc89daf8d678, 0x09674c6b99108b87 },
+        { -0x60b107de66ce9008, 0x2f49d282eaa78d4f, 0x0971a5ab5aef3174, 0x6e5e31025969eb65 }
+    },
+    {
+        { 0x3304fb0e63066222, -0x04caf976785345c1, -0x42e6db8873ef9e5d, 0x3058ad43d1838620 },
+        { -0x4e939d0a781a6c05, 0x4999eddeca5d3e71, -0x4b6e3e1feb33c193, 0x08f5114789a8dba8 },
+        { 0x323c0ffde57663d0, 0x05c3df38a22ea610, -0x423875425366b066, 0x26549fa4efe3dc99 }
+    },
+},
+{
+    {
+        { 0x04dbbc17f75396b9, 0x69e6a2d7d2f86746, -0x39bf62660ac1543a, 0x606175f6332e25d2 },
+        { 0x738b38d787ce8f89, -0x49d9a71dbe865773, 0x30738c9cf151316d, 0x49128c7f727275c9 },
+        { 0x4021370ef540e7dd, 0x0910d6f5a1f1d0a5, 0x4634aacd5b06b807, 0x6a39e6356944f235 }
+    },
+    {
+        { 0x1da1965774049e9d, -0x0432915e6701cad5, -0x4e3432af33adc95a, 0x1f5ec83d3f9846e2 },
+        { -0x6932a9bf206f0c19, 0x6c3a760edbfa25ea, 0x24f3ef0959e33cc4, 0x42889e7e530d2e58 },
+        { -0x7104dc3ccd73348b, -0x50bd5df822789117, 0x20fbdadc5dfae796, 0x241e246b06bf9f51 }
+    },
+    {
+        { 0x7eaafc9a6280bbb8, 0x22a70f12f403d809, 0x31ce40bb1bfc8d20, 0x2bc65635e8bd53ee },
+        { 0x29e68e57ad6e98f6, 0x4c9260c80b462065, 0x3f00862ea51ebb4b, 0x5bc2c77fb38d9097 },
+        { -0x172a23605694526d, -0x1a704e8221e6b824, 0x681532ea65185fa3, 0x1fdd6c3b034a7830 }
+    },
+    {
+        { -0x63ec595ad2270857, 0x2dbb1f8c3efdcabf, -0x69e1cdbfa1f7084b, 0x48c8a121bbe6c9e5 },
+        { 0x0a64e28c55dc18fe, -0x1c206166cc661423, 0x79ac432370e2e652, 0x35ff7fc33ae4cc0e },
+        { -0x03bea583a69b9bbb, -0x2ddb4d283ed749eb, 0x6035c9c905fbb912, 0x42d7a91274429fab }
+    },
+    {
+        { -0x565b76b86cc25a44, 0x4a58920ec2e979ec, -0x69277fffec1a53b4, 0x453692d74b48b147 },
+        { 0x4e6213e3eaf72ed3, 0x6794981a43acd4e7, -0x00ab8321914af735, 0x6fed19dd10fcb532 },
+        { -0x2288a26657aa6391, -0x0bd5debf20ffc1dc, 0x5223e229da928a66, 0x063f46ba6d38f22c }
+    },
+    {
+        { 0x39843cb737346921, -0x58b804f8c7376bb9, -0x34727fce5dbacf82, 0x67810f8e6d82f068 },
+        { -0x2d2dbd76a0ac996c, -0x35cc5d3abd6c64d4, -0x67905259382246a4, 0x5a152c042f712d5d },
+        { 0x3eeb8fbcd2287db4, 0x72c7d3a301a03e93, 0x5473e88cbd98265a, 0x7324aa515921b403 }
+    },
+    {
+        { -0x52dc092517dcab35, 0x6962502ab6571a6d, -0x649ae9c91c71c82f, 0x5cac5005d1a3312f },
+        { -0x7a86bd0b93c34172, -0x5e2c9b4eb8cf3fba, 0x1c8ed914d23c41bf, 0x0838e161eef6d5d2 },
+        { -0x733eab33161c66fc, 0x5b3a040b84de6846, -0x3b2759e34e41a292, 0x40fb897bd8861f02 }
+    },
+    {
+        { -0x1a8127b8a54ef89f, 0x71435e206fd13746, 0x342f824ecd025632, 0x4b16281ea8791e7b },
+        { -0x7b3a556f9d21c85f, 0x421da5000d1d96e1, 0x788286306a9242d9, 0x3c5e464a690d10da },
+        { -0x2e3efe2af47ecc7f, -0x2119f0ee891197d8, 0x0cb68893383f6409, 0x6183c565f6ff484a }
+    },
+},
+{
+    {
+        { -0x24b97ab650c09992, -0x288030fb0eb5f15b, 0x3df23ff7a4ba0c47, 0x3a10dfe132ce3c85 },
+        { 0x741d5a461e6bf9d6, 0x2305b3fc7777a581, -0x2baa8b5d9b8b2c27, 0x1926e1dc6401e0ff },
+        { -0x1f80b17515e83160, 0x2fd515463a1fc1fd, 0x175322fd31f2c0f1, 0x1fa1d01d861e5d15 }
+    },
+    {
+        { 0x38dcac00d1df94ab, 0x2e712bddd1080de9, 0x7f13e93efdd5e262, 0x73fced18ee9a01e5 },
+        { -0x337faa6b82a667ce, 0x1e4656da37f15520, -0x6609088bb1fa6ce0, 0x773563bc6a75cf33 },
+        { 0x06b1e90863139cb3, -0x5b6c25983a5fc133, -0x72883137529c76ce, 0x1f426b701b864f44 }
+    },
+    {
+        { -0x0e81ca376e5edaae, -0x48947eaca8a1638a, -0x057cbf90f2648dc2, 0x0b76bb1b3fa7e438 },
+        { -0x1036d9b3be6ee3ff, -0x0e5c4847e85dd3db, 0x5875da6bf30f1447, 0x4e1af5271d31b090 },
+        { 0x08b8c1f97f92939b, -0x41988e342bbb5492, 0x22e5646399bb8017, 0x7b6dd61eb772a955 }
+    },
+    {
+        { 0x5730abf9ab01d2c7, 0x16fb76dc40143b18, -0x7993419a5f344d7f, 0x53fa9b659bff6afe },
+        { -0x48523e17af0cc26e, 0x7998fa4f608cd5cf, -0x5269d2427203a425, 0x703e9bceaf1d2f4f },
+        { 0x6c14c8e994885455, -0x7bc5a2999a512b1b, 0x181bb73ebcd65af1, 0x398d93e5c4c61f50 }
+    },
+    {
+        { -0x3c78839f2d181c0e, 0x3b34aaa030828bb1, 0x283e26e7739ef138, 0x699c9c9002c30577 },
+        { 0x1c4bd16733e248f3, -0x4261ed78ea40f5a1, -0x2bc0730f5ef4fc8a, 0x53b09b5ddf191b13 },
+        { -0x0cf958dca6b90e34, -0x6de8e74a331a2683, 0x28cdd24781b4e975, 0x51caf30c6fcdd907 }
+    },
+    {
+        { 0x737af99a18ac54c7, -0x6fcc87233ae34cf1, 0x2b89bc334ce10cc7, 0x12ae29c189f8e99a },
+        { -0x59f458bd898b1ff6, 0x630e8570a17a7bf3, 0x3758563dcf3324cc, 0x5504aa292383fdaa },
+        { -0x56613f34e0f2fe31, 0x0dd1efcc3a34f7ae, 0x55ca7521d09c4e22, 0x5fd14fe958eba5ea }
+    },
+    {
+        { 0x3c42fe5ebf93cb8e, -0x412057aec92ba9a1, -0x1f0f7a6177bddf18, 0x7dd73f960725d128 },
+        { -0x4a23d220d7ba54d4, 0x069491b10a7fe993, 0x4daaf3d64002e346, 0x093ff26e586474d1 },
+        { -0x4ef2db0197fa67d7, 0x75730672dbaf23e5, 0x1367253ab457ac29, 0x2f59bcbc86b470a4 }
+    },
+    {
+        { 0x7041d560b691c301, -0x7adfe4c0522818e2, 0x16c2e16311335585, 0x2aa55e3d010828b1 },
+        { -0x7c7b82bd66e8eca1, -0x52e46ee0a982fc29, 0x7e7748d9be77aad1, 0x5458b42e2e51af4a },
+        { -0x12ae6d19f3f8bbb1, 0x42c54e2d74421d10, 0x352b4c82fdb5c864, 0x13e9004a8a768664 }
+    },
+},
+{
+    {
+        { 0x1e6284c5806b467c, -0x3a09668418a29f85, -0x749826a74c872d9e, 0x3d88d66a81cd8b70 },
+        { -0x344a4aaa93fcd401, -0x208e6e48d6d685c6, -0x3e008cd952127e45, 0x71ade8bb68be03f5 },
+        { -0x7489856cdfb12877, 0x762fcacb9fa0ae2a, 0x771febcc6dce4887, 0x343062158ff05fb3 }
+    },
+    {
+        { -0x031de6f8d584ce4c, 0x4d7adc75aa578016, 0x0ec276a687479324, 0x6d6d9d5d1fda4beb },
+        { -0x1fa25e581e0a40b7, 0x26457d6dd4736092, 0x77dcb07773cc32f6, 0x0a5d94969cdd5fcd },
+        { 0x22b1a58ae9b08183, -0x026a2f8e3ea3c775, -0x567edc897af5fae9, 0x33384cbabb7f335e }
+    },
+    {
+        { 0x33bc627a26218b8d, -0x157f4de03857f39f, -0x6ba74ed4e8c1611a, 0x076247be0e2f3059 },
+        { 0x3c6fa2680ca2c7b5, 0x1b5082046fb64fda, -0x14accb63abce2922, 0x5278b38f6b879c89 },
+        { 0x52e105f61416375a, -0x136850c97a54145c, 0x26e6b50623a67c36, 0x5cf0e856f3d4fb01 }
+    },
+    {
+        { -0x415131cec24cbd58, -0x345c9ca47bd24812, -0x177399df7e80ec11, 0x1b9438aa4e76d5c6 },
+        { -0x0936978ce517354c, 0x5e20741ecb4f92c5, 0x2da53be58ccdbc3e, 0x2dddfea269970df7 },
+        { -0x75af8881e990fce6, 0x067b39f10fb7a328, 0x1925c9a6010fbd76, 0x6df9b575cc740905 }
+    },
+    {
+        { -0x13203ca4b73521bf, 0x6a88471fb2328270, 0x740a4a2440a01b6a, 0x471e5796003b5f29 },
+        { 0x42c1192927f6bdcf, -0x706e6e85bfc29e36, -0x23e3a5997461e09f, 0x1596047804ec0f8d },
+        { -0x2569444c5312c854, 0x7a2423b5e9208cea, 0x24cc5c3038aebae2, 0x50c356afdc5dae2f }
+    },
+    {
+        { -0x30126320e4ce469c, -0x0b79567a735ae50d, 0x14897265ea8c1f84, 0x784a53dd932acc00 },
+        { 0x09dcbf4341c30318, -0x1145f9ee7ce7e232, -0x3e863f3123e1d65f, 0x1dbf7b89073f35b0 },
+        { 0x2d99f9df14fc4920, 0x76ccb60cc4499fe5, -0x5becd3441a30fffd, 0x3f93d82354f000ea }
+    },
+    {
+        { -0x1553ed2e861eb688, -0x006dc00c441400a2, 0x4af663e40663ce27, 0x0fd381a811a5f5ff },
+        { -0x7e7c189761fb317b, 0x678fb71e04465341, -0x526dfa7099771254, 0x5da350d3532b099a },
+        { -0x0da953135bc920ac, 0x108b6168ae69d6e8, 0x20d986cb6b5d036c, 0x655957b9fee2af50 }
+    },
+    {
+        { -0x423ebf642ffd2f54, 0x66660245b5ccd9a6, -0x7dce823b05217a14, 0x02fe934b6ad7df0d },
+        { -0x51574f8056fdfcf1, -0x077389950b9c2ebd, 0x15b083663c787a60, 0x08eab1148267a4a8 },
+        { -0x10a30eff3048158c, 0x22897633a1cb42ac, -0x2b31f3ab310d7a1e, 0x30408c048a146a55 }
+    },
+},
+{
+    {
+        { -0x44d1ff36e6c47881, -0x131c576f1f23af95, -0x130c483fc9219b61, 0x5f46040898de9e1a },
+        { 0x739d8845832fcedb, -0x05c729365194079d, 0x32bc0dcab74ffef7, 0x73937e8814bce45e },
+        { -0x46fc8ee9d6840b73, -0x562ec4dd2b0f97cc, -0x1e68eaa8b969423a, 0x2cf8a4e891d5e835 }
+    },
+    {
+        { 0x2cb5487e17d06ba2, 0x24d2381c3950196b, -0x289a637e7a6875d0, 0x7a6f7f2891d6a4f6 },
+        { 0x6d93fd8707110f67, -0x22b3f62c83c74ab7, 0x7cb16a4cc2736a86, 0x2049bd6e58252a09 },
+        { 0x7d09fd8d6a9aef49, -0x0f119f41a4c246f5, 0x4c21b52c519ebfd4, 0x6011aadfc545941d }
+    },
+    {
+        { 0x63ded0c802cbf890, -0x042f6735f2009556, 0x624d0afdb9b6ed99, 0x69ce18b779340b1e },
+        { 0x5f67926dcf95f83c, 0x7c7e856171289071, -0x295e180c667085a5, 0x6fc5cc1b0b62f9e0 },
+        { -0x2e10aad74d678635, -0x22e551c32b816f6e, 0x127e0442189f2352, 0x15596b3ae57101f1 }
+    },
+    {
+        { 0x09ff31167e5124ca, 0x0be4158bd9c745df, 0x292b7d227ef556e5, 0x3aa4e241afb6d138 },
+        { 0x462739d23f9179a2, -0x007cedce68292231, 0x1307deb553f2148a, 0x0d2237687b5f4dda },
+        { 0x2cc138bf2a3305f5, 0x48583f8fa2e926c3, 0x083ab1a25549d2eb, 0x32fcaa6e4687a36c }
+    },
+    {
+        { 0x3207a4732787ccdf, 0x17e31908f213e3f8, -0x2a4d132809f269b2, 0x746f6336c2600be9 },
+        { 0x7bc56e8dc57d9af5, 0x3e0bd2ed9df0bdf2, -0x553feb21dd101b5d, 0x4627e9cefebd6a5c },
+        { 0x3f4af345ab6c971c, -0x1d77148d66bc8ce1, 0x33596a8a0344186d, 0x7b4917007ed66293 }
+    },
+    {
+        { 0x54341b28dd53a2dd, -0x55e86fa420bd03c1, 0x0ff592d94dd2f8f4, 0x1d03620fe08cd37d },
+        { 0x2d85fb5cab84b064, 0x497810d289f3bc14, 0x476adc447b15ce0c, 0x122ba376f844fd7b },
+        { -0x3dfdcd325d4b1aac, -0x612f02bdeea2e781, 0x2eabb4be7dd479d9, 0x02c70bf52b68ec4c }
+    },
+    {
+        { -0x531acd40ba728d1f, 0x5be768e07cb73cb5, 0x56cf7d94ee8bbde7, 0x6b0697e3feb43a03 },
+        { -0x5d7813b4a2f4d045, 0x415c5790074882ca, -0x1fbb59e13e2f7ea4, 0x26334f0a409ef5e0 },
+        { -0x49370fb5209d5c40, 0x3ef000ef076da45d, -0x636346a7b60f2d57, 0x1cc37f43441b2fae }
+    },
+    {
+        { -0x2899a90e36315147, 0x1c5b15f818e5656a, 0x26e72832844c2334, 0x3a346f772f196838 },
+        { 0x508f565a5cc7324f, -0x2f9e3b3f1af956de, -0x04e75424a3ba53e7, 0x6c6809c10380314a },
+        { -0x2d2aaeed1d259538, -0x1642fcce4e17ae13, -0x69f8b92271398d9e, 0x05911b9f6ef7c5d0 }
+    },
+},
+{
+    {
+        { 0x01c18980c5fe9f94, -0x329a98968e902a38, -0x7e9fba3c2e6a5f7a, 0x6e2b7f3266cc7982 },
+        { -0x162328a949c800d3, -0x13b3cb7036780f3c, -0x312a6d7a0c043849, 0x3305354793e1ea87 },
+        { -0x337fdb97083ca971, -0x6216457de668b34d, -0x5448dd634a47eca0, 0x44e2017a6fbeba62 }
+    },
+    {
+        { -0x7807d30c49359133, 0x580f893e18f4a0c2, 0x058930072604e557, 0x6cab6ac256d19c1d },
+        { -0x3b3d58bcab25488c, -0x71a2b3c3b150fce6, -0x4893dc2dbd7c70e9, 0x749a098f68dce4ea },
+        { -0x23201f5fd33e21a0, 0x032665ff51c5575b, 0x2c0c32f1073abeeb, 0x6a882014cd7b8606 }
+    },
+    {
+        { -0x2eee2e8350b01492, 0x050bba42b33aa4a3, 0x17514c3ceeb46c30, 0x54bedb8b1bc27d75 },
+        { -0x5ad56d015b8b804b, -0x23ed5bb6e05a5477, -0x27d256b447b85b32, 0x4d77edce9512cc4e },
+        { 0x77c8e14577e2189c, -0x5c1b909500663bbb, 0x3144dfc86d335343, 0x3a96559e7c4216a9 }
+    },
+    {
+        { 0x4493896880baaa52, 0x4c98afc4f285940e, -0x10b558645babb74a, 0x5278c510a57aae7f },
+        { 0x12550d37f42ad2ee, -0x74871ffb675e040b, 0x5d53078233894cb2, 0x02c84e4e3e498d0c },
+        { -0x5ab22f8bd6b3f46c, -0x0aa2b94720e7004a, -0x0f90133a72517c9a, 0x588657668190d165 }
+    },
+    {
+        { -0x40a7cb0fc21da33d, -0x47783751297eab6a, 0x5105221a9481e892, 0x6760ed19f7723f93 },
+        { -0x2b88edcee5108ee9, 0x50343101229e92c7, 0x7a95e1849d159b97, 0x2449959b8b5d29c9 },
+        { 0x669ba3b7ac35e160, 0x2eccf73fba842056, 0x1aec1f17c0804f07, 0x0d96bc031856f4e7 }
+    },
+    {
+        { -0x4e2acb4f338afa1f, 0x32cd003416c35288, -0x34c95a7ff89d3d63, 0x5bfe69b9237a0bf8 },
+        { 0x3318be7775c52d82, 0x4cb764b554d0aab9, -0x5430c2d83388c26f, 0x3bf4d1848123288a },
+        { 0x183eab7e78a151ab, -0x44166f3666f6c89d, -0x008e8291b5381ccb, 0x4c5cddb325f39f88 }
+    },
+    {
+        { 0x57750967e7a9f902, 0x2c37fdfc4f5b467e, -0x4d9e99c5ce8845ba, 0x3a375e78dc2d532b },
+        { -0x3f0948b29e6f5915, 0x20ea81a42db8f4e4, -0x5742908268cea8a0, 0x33b1d60262ac7c21 },
+        { -0x7ebe18d0d2b22216, -0x191501679d39f838, 0x23c28458573cafd0, 0x46b9476f4ff97346 }
+    },
+    {
+        { 0x1215505c0d58359f, 0x2a2013c7fc28c46b, 0x24a0a1af89ea664e, 0x4400b638a1130e1f },
+        { 0x0c1ffea44f901e5c, 0x2b0b6fb72184b782, -0x1a78006efeeb2478, 0x37130f364785a142 },
+        { 0x3a01b76496ed19c3, 0x31e00ab0ed327230, 0x520a885783ca15b1, 0x06aab9875accbec7 }
+    },
+},
+{
+    {
+        { 0x5349acf3512eeaef, 0x20c141d31cc1cb49, 0x24180c07a99a688d, 0x555ef9d1c64b2d17 },
+        { -0x3ecc667c0a20f145, -0x3f0c8a70aed3b354, 0x2cf1130a0bb398e1, 0x6b3cecf9aa270c62 },
+        { 0x36a770ba3b73bd08, 0x624aef08a3afbf0c, 0x5737ff98b40946f2, 0x675f4de13381749d }
+    },
+    {
+        { -0x5ed00926c4254ce3, 0x0725d80f9d652dfe, 0x019c4ff39abe9487, 0x60f450b882cd3c43 },
+        { 0x0e2c52036b1782fc, 0x64816c816cad83b4, -0x2f234226969bf8c2, 0x13d99df70164c520 },
+        { 0x014b5ec321e5c0ca, 0x4fcb69c9d719bfa2, 0x4e5f1c18750023a0, 0x1c06de9e55edac80 }
+    },
+    {
+        { -0x002ad4bf00929656, 0x34530b18dc4049bb, 0x5e4a5c2fa34d9897, 0x78096f8e7d32ba2d },
+        { -0x66f085295cc13b1e, 0x6608f938be2ee08e, -0x635ebc3a9cd7baeb, 0x4cf38a1fec2db60d },
+        { -0x5f55559af205a319, -0x063b61d5b74ab874, 0x4f09cc7d7003725b, 0x373cad3a26091abe }
+    },
+    {
+        { -0x0e41570476224453, 0x3bcb2cbc61aeaecb, -0x70a75844e0647263, 0x21547eda5112a686 },
+        { -0x4d6b9cb27d360a84, 0x1fcbfde124934536, -0x6163b24cbe7324a6, 0x0040f3d9454419fc },
+        { -0x210216c602a6792d, -0x0bd8d376aef5c7f4, -0x48d45bf844cee647, 0x63550a334a254df4 }
+    },
+    {
+        { -0x6445a7ba8dab84b7, -0x0cfa39051d3bf720, 0x60e8fa69c734f18d, 0x39a92bafaa7d767a },
+        { 0x6507d6edb569cf37, 0x178429b00ca52ee1, -0x1583ff6f149429a3, 0x3eea62c7daf78f51 },
+        { -0x62db38ec196cd8b2, 0x5f63857768dbd375, 0x70525560eb8ab39a, 0x68436a0665c9c4cd }
+    },
+    {
+        { 0x1e56d317e820107c, -0x3ad997bb7bf5169b, -0x3e1f5e39cdf00386, 0x5373669c91611472 },
+        { -0x43fdca17dfd0c0d9, -0x38a3ff1d9b068a50, -0x6e5b162a5c73dbea, 0x17b6e7f68ab789f9 },
+        { 0x5d2814ab9a0e5257, -0x6f70df7b36354c04, -0x50350a77a4d2e136, 0x1cb4b5a678f87d11 }
+    },
+    {
+        { 0x6b74aa62a2a007e7, -0x0cee1f4f0f8e384f, 0x5707e438000be223, 0x2dc0fd2d82ef6eac },
+        { -0x499b3f94c6b50394, 0x0c88de2498da5fb1, 0x4f8d03164bcad834, 0x330bca78de7434a2 },
+        { -0x67d1007beee68bb2, -0x0696a169d4f8b8dc, -0x3a753eb04036ac05, 0x3c31be1b369f1cf5 }
+    },
+    {
+        { -0x3e97436c0634bd8e, -0x51478ee038312468, 0x7f0e52aa34ac8d7a, 0x41cec1097e7d55bb },
+        { -0x4f0b79b2f76b7512, 0x07dc19ee91ba1c6f, 0x7975cdaea6aca158, 0x330b61134262d4bb },
+        { -0x0869e6285d927f76, -0x44e02b61e261ea93, 0x73d7c36cdba1df27, 0x26b44cd91f28777d }
+    },
+},
+{
+    {
+        { -0x50bb7bd24fd7a0c9, -0x78ace76fb8103721, -0x6a8b1f6e07df6866, 0x0e378d6069615579 },
+        { 0x300a9035393aa6d8, 0x2b501131a12bb1cd, 0x7b1ff677f093c222, 0x4309c1f8cab82bad },
+        { -0x26056e8e7cf8a5ab, 0x4bdb5ad26b009fdc, 0x7829ad2cd63def0e, 0x078fc54975fd3877 }
+    },
+    {
+        { -0x1dffb4a447cc5676, 0x44775dec2d4c3330, 0x3aa244067eace913, 0x272630e3d58e00a9 },
+        { -0x782042ebd77870d3, 0x134636dd1e9421a1, 0x4f17c951257341a3, 0x5df98d4bad296cb8 },
+        { -0x0c98702f1336f4ac, -0x0ffeba64edfbca67, 0x26725fbc3758b89b, 0x4325e4aa73a719ae }
+    },
+    {
+        { -0x12db9d6530960a63, 0x2a4a1ccedd5abbf4, 0x3535ca1f56b2d67b, 0x5d8c68d043b1b42d },
+        { 0x657dc6ef433c3493, 0x65375e9f80dbf8c3, 0x47fd2d465b372dae, 0x4966ab79796e7947 },
+        { -0x11ccd2b21c4bd4f6, -0x27b1a5d4e95b9fe4, 0x78243877078ba3e4, 0x77ed1eb4184ee437 }
+    },
+    {
+        { 0x185d43f89e92ed1a, -0x4fb5e11501b8e63a, 0x499fbe88a6f03f4f, 0x5d8b0d2f3c859bdd },
+        { -0x402b1ec0dfe7c660, -0x5110001dc1c20e9f, -0x49a4fb0f94a2e01d, 0x52e085fb2b62fbc0 },
+        { 0x124079eaa54cf2ba, -0x28db9a14ffe4d919, 0x6843bcfdc97af7fd, 0x0524b42b55eacd02 }
+    },
+    {
+        { -0x43e72352647d6154, 0x23ae7d28b5f579d0, -0x3cb9edd596c7bdcd, 0x1a6110b2e7d4ac89 },
+        { -0x02f2a2411babb850, 0x6cec351a092005ee, -0x665b87bba98a8635, 0x59d242a216e7fa45 },
+        { 0x4f833f6ae66997ac, 0x6849762a361839a4, 0x6985dec1970ab525, 0x53045e89dcb1f546 }
+    },
+    {
+        { -0x7b25c32172ba01ee, -0x42bd3de71bbb1d2e, -0x57ae6987e081ca68, 0x7642c93f5616e2b2 },
+        { -0x34744cb928acac25, -0x03034db451aee1de, -0x345b72bf2af51911, 0x26e3bae5f4f7cb5d },
+        { 0x2323daa74595f8e4, -0x219773747a85414c, 0x3fc48e961c59326e, 0x0b2e73ca15c9b8ba }
+    },
+    {
+        { 0x0e3fbfaf79c03a55, 0x3077af054cbb5acf, -0x2a3aadba24c21c61, 0x015e68c1476a4af7 },
+        { -0x2944bbd73e80afda, -0x614d8ddc04a56359, -0x1c845afce6e639bc, 0x21ce380db59a6602 },
+        { -0x3e2ad7addff995c8, -0x6a9fc1adca8f510d, -0x7cd9a658dd9475b3, 0x5dd689091f8eedc9 }
+    },
+    {
+        { 0x1d022591a5313084, -0x35d2b55129d8f78e, -0x795ed47ad0f402e0, 0x56e6c439ad7da748 },
+        { -0x34537b21402c37aa, 0x1624c348b35ff244, -0x48077235a26352f9, 0x3b0e574da2c2ebe8 },
+        { -0x38fb00b6bd42451a, 0x5e21ade2b2de1f79, -0x16a24c0ca9ad0528, 0x0822b5378f08ebc1 }
+    },
+},
+{
+    {
+        { -0x1e480d6c9d8cfc7d, 0x4b5279ffebca8a2c, -0x25038875402becec, 0x7deb10149c72610f },
+        { 0x51f048478f387475, -0x4da2430b634134c4, -0x6554edbb2660dfab, 0x2c709e6c1c10a5d6 },
+        { -0x349d509578991186, 0x66cbec045553cd0e, 0x588001380f0be4b5, 0x08e68e9ff62ce2ea }
+    },
+    {
+        { 0x2f2d09d50ab8f2f9, -0x5346de723aa6dc21, 0x4a8f342673766cb9, 0x4cb13bd738f719f5 },
+        { 0x34ad500a4bc130ad, -0x72c724b6c2f42b64, -0x5da3c267aff57642, 0x2f1f3f87eeba3b09 },
+        { -0x087b738a1aea49b6, -0x5a6afe4524b56fc8, -0x3df2cec0c08ae4b0, 0x19a1e353c0ae2ee8 }
+    },
+    {
+        { -0x4bde8d322a694243, -0x6c1fbabc671103c0, -0x604eacb84bbef64b, 0x736bd3990266ae34 },
+        { 0x7d1c7560bafa05c3, -0x4c1e5f5f391aa19f, -0x1cad68e73f299b8d, 0x41546b11c20c3486 },
+        { -0x7aacd2af6ccb4c4c, 0x46fd114b60816573, -0x33a0a0cfbda37c8b, 0x412295a2b87fab5c }
+    },
+    {
+        { 0x2e655261e293eac6, -0x7ba56dfcdecc5325, 0x460975cb7900996b, 0x0760bb8d195add80 },
+        { 0x19c99b88f57ed6e9, 0x5393cb266df8c825, 0x5cee3213b30ad273, 0x14e153ebb52d2e34 },
+        { 0x413e1a17cde6818a, 0x57156da9ed69a084, 0x2cbf268f46caccb1, 0x6b34be9bc33ac5f2 }
+    },
+    {
+        { 0x11fc69656571f2d3, -0x393617baacf18c86, -0x1cc5185d2b01afcb, 0x01b9c7b62e6dd30b },
+        { -0x0c20d09bc5873f4e, 0x4c3e971ef22e027c, -0x1382e3a1b63e4a5d, 0x2012c18f0922dd2d },
+        { -0x77f4aa1aa53762d7, 0x1483241f45a0a763, 0x3d36efdfc2e76c1f, 0x08af5b784e4bade8 }
+    },
+    {
+        { -0x1d8ceb2d7633d3b5, 0x4be4bd11a287178d, 0x18d528d6fa3364ce, 0x6423c1d5afd9826e },
+        { 0x283499dc881f2533, -0x62fada25886cdc4a, -0x7685220498cbbe0c, 0x32b79d71163a168d },
+        { -0x337a072612034c96, 0x22bcc28f3746e5f9, -0x1b621cc7061a2c33, 0x480a5efbc13e2dcc }
+    },
+    {
+        { -0x499eb31bbd31dde1, 0x6e199dcc4c053928, 0x663fb4a4dc1cbe03, 0x24b31d47691c8e06 },
+        { 0x0b51e70b01622071, 0x06b505cf8b1dafc5, 0x2c6bb061ef5aabcd, 0x47aa27600cb7bf31 },
+        { 0x2a541eedc015f8c3, 0x11a4fe7e7c693f7c, -0x0f5099ecb15d872a, 0x545b585d14dda094 }
+    },
+    {
+        { 0x6204e4d0e3b321e1, 0x3baa637a28ff1e95, 0x0b0ccffd5b99bd9e, 0x4d22dc3e64c8d071 },
+        { 0x67bf275ea0d43a0f, -0x521971cbf7641142, 0x4289134cd479e72e, 0x0f62f9c332ba5454 },
+        { -0x034b9a7629c4a0c7, 0x5cae6a3f57cbcf61, -0x01453d2d6ac505fb, 0x1c0fa01a36371436 }
+    },
+},
+{
+    {
+        { -0x3ee11a17ab3ac052, 0x6a0b06c12b4f3ff4, 0x33540f80e0b67a72, 0x15f18fc3cd07e3ef },
+        { -0x18ab8bb64383296e, 0x0f9abeaae6f73ddf, 0x4af01ca700837e29, 0x63ab1b5d3f1bc183 },
+        { 0x32750763b028f48c, 0x06020740556a065f, -0x2ac427ed3cb6a4a8, 0x08706c9b865f508d }
+    },
+    {
+        { -0x3366e4bec74bedba, 0x243b9c526f9ac26b, -0x4610b6b248345443, 0x5fba433dd082ed00 },
+        { -0x0c835d54c2cbc201, 0x1a8c6a2d80abc617, -0x71b61fca2b330036, 0x48b46beebaa1d1b9 },
+        { -0x63b61caa366be530, -0x468cb5218bb6707c, 0x41c3fed066663e5c, 0x0ecfedf8e8e710b3 }
+    },
+    {
+        { 0x744f7463e9403762, -0x0865721172033637, 0x163a649655e4cde3, 0x3b61788db284f435 },
+        { 0x76430f9f9cd470d9, -0x49d533645bd09ff8, 0x1898297c59adad5e, 0x7789dd2db78c5080 },
+        { -0x4dddd7e6f291094e, -0x56b5994db931b406, 0x46c1a77a4f0b6cc7, 0x4236ccffeb7338cf }
+    },
+    {
+        { 0x3bd82dbfda777df6, 0x71b177cc0b98369e, 0x1d0e8463850c3699, 0x5a71945b48e2d1f1 },
+        { -0x7b68bfb2f2aa1d8c, 0x6c6663d9c4ad2b53, -0x13d04f265256a8cc, 0x2617e120cdb8f73c },
+        { 0x6f203dd5405b4b42, 0x327ec60410b24509, -0x63cb8dcf53d577ba, 0x77de29fc11ffeb6a }
+    },
+    {
+        { -0x7ca1ec7013312d36, -0x736150ec1569c466, -0x36a0403f4de9f15a, 0x575e66f3ad877892 },
+        { -0x4f53a8367c488758, 0x53cdcca9d7fe912c, 0x61c2b854ff1f59dc, 0x3a1a2cf0f0de7dac },
+        { -0x667fc5d8377034c6, 0x345a6789275ec0b0, 0x459789d0ff6c2be5, 0x62f882651e70a8b2 }
+    },
+    {
+        { 0x6d822986698a19e0, -0x2367de1e8b28758f, 0x41a85f31f6cb1f47, 0x352721c2bcda9c51 },
+        { 0x085ae2c759ff1be4, 0x149145c93b0e40b7, -0x3b981805800d8c87, 0x4eeecf0ad5c73a95 },
+        { 0x48329952213fc985, 0x1087cf0d368a1746, -0x71ad9e4e993ea55b, 0x2d5b2d842ed24c21 }
+    },
+    {
+        { 0x5eb7d13d196ac533, 0x377234ecdb80be2b, -0x1ebb3003830a51dc, 0x5226bcf9c441acec },
+        { 0x02cfebd9ebd3ded1, -0x2ba4de88c6fde68c, 0x7576f813fe30a1b7, 0x5691b6f9a34ef6c2 },
+        { 0x79ee6c7223e5b547, 0x6f5f50768330d679, -0x128c1e1692752317, 0x27c3da1e1d8ccc03 }
+    },
+    {
+        { 0x28302e71630ef9f6, -0x3d2b5dfcd49b3120, 0x090820304b6292be, 0x5fca747aa82adf18 },
+        { 0x7eb9efb23fe24c74, 0x3e50f49f1651be01, 0x3ea732dc21858dea, 0x17377bd75bb810f9 },
+        { 0x232a03c35c258ea5, -0x790dc5d39434f30f, 0x3dad8d0d2e442166, 0x04a8933cab76862b }
+    },
+},
+{
+    {
+        { 0x69082b0e8c936a50, -0x06365fca3e253a4a, 0x6fb73e54c4dfb634, 0x4005419b1d2bc140 },
+        { -0x2d39fb49dd6bc201, -0x43734131bb304c60, 0x5d254ff397808678, 0x0fa3614f3b1ca6bf },
+        { -0x5ffc014246417d10, 0x2089c1af3a44ac90, -0x07b6606ee6ab0572, 0x1fba218aef40ab42 }
+    },
+    {
+        { 0x4f3e57043e7b0194, -0x57e2c111f7255081, -0x37c639546623210f, 0x6c535d13ff7761d5 },
+        { -0x54ab6bb705370ac2, -0x7e0917658459c8bf, 0x74fd6c7d6c2b5e01, 0x392e3acaa8c86e42 },
+        { 0x4cbd34e93e8a35af, 0x2e0781445887e816, 0x19319c76f29ab0ab, 0x25e17fe4d50ac13b }
+    },
+    {
+        { -0x6ea0800a890ede59, -0x3cb5cdd8d032781d, -0x3345d021b2e41ada, 0x6bba828f8969899b },
+        { 0x0a289bd71e04f676, 0x208e1c52d6420f95, 0x5186d8b034691fab, 0x255751442a9fb351 },
+        { -0x1d2e43996f01c6ff, 0x4cb54a18a0997ad5, -0x68e296eb507b9f2c, 0x559d504f7f6b7be4 }
+    },
+    {
+        { -0x63b76e18092d9903, 0x0744a19b0307781b, -0x77c770e29f9e1dc5, 0x123ea6a3354bd50e },
+        { -0x588c7c874c14ab2b, 0x1d69d366a5553c7c, 0x0a26cf62f92800ba, 0x01ab12d5807e3217 },
+        { 0x118d189041e32d96, -0x46121c3d27cea7b8, 0x1eab4271d83245d9, 0x4a3961e2c918a154 }
+    },
+    {
+        { 0x0327d644f3233f1e, 0x499a260e34fcf016, -0x7c4a58e90d254687, 0x68aceead9bd4111f },
+        { 0x71dc3be0f8e6bba0, -0x293107cb81001cf6, -0x566dbda01ec5b896, 0x2cd6bce3fb1db763 },
+        { 0x38b4c90ef3d7c210, 0x308e6e24b7ad040c, 0x3860d9f1b7e73e23, 0x595760d5b508f597 }
+    },
+    {
+        { -0x77d5341402fdd870, -0x7650ccfa3beea8a0, 0x65f492e37d3473f4, 0x2cb2c5df54515a2b },
+        { 0x6129bfe104aa6397, -0x7069fff75b580335, 0x3f8bc0897d909458, 0x709fa43edcb291a9 },
+        { -0x14f5a2739c02d536, -0x2dd43e99d196b101, 0x2723f36ef8cbb03a, 0x70f029ecf0c8131f }
+    },
+    {
+        { 0x2a6aafaa5e10b0b9, 0x78f0a370ef041aa9, 0x773efb77aa3ad61f, 0x44eca5a2a74bd9e1 },
+        { 0x461307b32eed3e33, -0x51fbd0cc5baa7e19, -0x36bbb62ce6a0fc9a, 0x0b7d5d8a6c314858 },
+        { 0x25d448327b95d543, 0x70d38300a3340f1d, -0x21e3ace39f1e3ad5, 0x272224512c7de9e4 }
+    },
+    {
+        { -0x40844475bd568a04, -0x73a3c68869525ca8, -0x1d803890321255b8, 0x19735fd7f6bc20a6 },
+        { 0x1abc92af49c5342e, -0x001127ee4d190530, -0x105d73720337b1d7, 0x11b5df18a44cc543 },
+        { -0x1c546f2fbd37bd9a, -0x147b71f080e6ab82, 0x2503a1d065a497b9, 0x0fef911191df895f }
+    },
+},
+{
+    {
+        { 0x6ab5dcb85b1c16b7, -0x6b3f0317c384d85b, -0x5b4ee3e58caae842, 0x499238d0ba0eafaa },
+        { -0x4eaf835e54e39147, -0x42bb70c1e949784d, 0x3455fb7f2c7a91ab, 0x7579229e2f2adec1 },
+        { -0x130b91ad854574a9, 0x15a08c478bd1647b, 0x7af1c6a65f706fef, 0x6345fa78f03a30d5 }
+    },
+    {
+        { -0x6c2c341642270f5c, -0x24ead3e402e88cfe, 0x7dbddc6d7f17a875, 0x3e1a71cc8f426efe },
+        { -0x20fd06a0efea185f, 0x790ec41da9b40263, 0x4d3a0ea133ea1107, 0x54f70be7e33af8c9 },
+        { -0x37c35c1c6f45429e, -0x7f121c98fd6e37cd, -0x377fc7332c86ff3c, 0x2c5fc0231ec31fa1 }
+    },
+    {
+        { -0x3bdd1b2efdba919b, -0x78beb53e352b846f, 0x1592e2bba2b6ffdd, 0x75d9d2bff5c2100f },
+        { -0x01456ee8e8fc74b1, -0x1aedc8de3621107f, 0x1c97e4e75d0d8834, 0x68afae7a23dc3bc6 },
+        { 0x5bd9b4763626e81c, -0x766996c9435fd123, 0x0a41193d61f077b3, 0x3097a24200ce5471 }
+    },
+    {
+        { -0x5e9d18db996a3b7a, 0x131d633435a89607, 0x30521561a0d12a37, 0x56704bada6afb363 },
+        { 0x57427734c7f8b84c, -0x0ebe5ec1fe4d8f17, 0x02d1adfeb4e564a6, 0x4bb23d92ce83bd48 },
+        { -0x5093b558ad06ed47, 0x5e665f6cd86770c8, 0x4c35ac83a3c8cd58, 0x2b7a29c010a58a7e }
+    },
+    {
+        { 0x33810a23bf00086e, -0x50316da118c90084, 0x3d60e670e24922d4, 0x11ce9e714f96061b },
+        { -0x3bff80882f3e313d, -0x72efdf49453b6d08, 0x32ec29d57e69daaf, 0x599408759d95fce0 },
+        { 0x219ef713d815bac1, -0x0ebeb9a2b7a41da4, 0x6d5447cc4e513c51, 0x174926be5ef44393 }
+    },
+    {
+        { 0x3ef5d41593ea022e, 0x5cbcc1a20ed0eed6, -0x702db130f8c7d374, 0x6fa42ead06d8e1ad },
+        { -0x4a214d0603a42a45, -0x6d2558d51e27ef1f, -0x503b302348d5e3a7, 0x497d78813fc22a24 },
+        { -0x1d897db5e08cc8e1, 0x7f7cf01c4f5b6736, 0x7e201fe304fa46e7, 0x785a36a357808c96 }
+    },
+    {
+        { 0x070442985d517bc3, 0x6acd56c7ae653678, 0x00a27983985a7763, 0x5167effae512662b },
+        { -0x7da042029cfeb2d5, -0x37adc9639358a875, 0x5b2fcd285c0b5df0, 0x12ab214c58048c8f },
+        { -0x42b1561ef0ac3b4a, 0x1673dc5f8ac91a14, -0x5707e5b1d533e546, 0x33a92a7924332a25 }
+    },
+    {
+        { 0x7ba95ba0218f2ada, -0x300bdd78ccf04636, -0x2525b692a93926f9, 0x5380c296f4beee54 },
+        { -0x622e0b66d86693fe, 0x0cb3b058e04d1752, 0x1f7e88967fd02c3e, 0x2f964268cb8b3eb1 },
+        { -0x62b0d8fb997672f6, 0x3d0987990aff3f7a, -0x2f610c9d982545bb, 0x7761455e7b1c669c }
+    },
+},
+};
+#elif defined(CURVED25519_ASM_32BIT)
+static const ge_precomp base[64][8] = {
+{
+    {
+        { -0x0a73c47b, 0x2fbc93c6, -0x0473f1e7, -0x306cd23a, 0x643d42c2, 0x270b4898, 0x33d4ba65, 0x07cf9d3a },
+        { -0x28bf6ec2, -0x62efc6fb, -0x2ebf414d, -0x02c660fb, 0x688f8a09, -0x5a3e7bcc, -0x6707ed99, 0x44fd2f92 },
+        { 0x4b6fbb59, -0x2442ea99, -0x115d5a16, 0x41e13f00, -0x36a83906, -0x322b62e4, -0x50e91336, 0x4f0ebe1f }
+    },
+    {
+        { -0x6cc38e29, -0x6ddb1804, 0x7a0ff5b5, -0x60b9626a, -0x1e29f8fe, 0x5aa69a65, -0x5782d1d2, 0x590c063f },
+        { 0x42b4d5a8, -0x75665aa0, 0x4e60acf6, -0x70d47ef4, -0x4e91c856, -0x1f61dc95, 0x69c92555, 0x6bb595a6 },
+        { -0x252c97fe, 0x6e347eaa, -0x7c11b7fb, -0x450ca66d, -0x19f897da, 0x3bcabe10, 0x165ed1b8, 0x49314f0a }
+    },
+    {
+        { 0x4cee9730, -0x50da4f58, -0x1779b476, 0x025a8430, -0x60fe98ce, -0x3ee4affe, -0x657f070c, 0x7a164e1b },
+        { -0x5b032d9b, 0x56611fe8, -0x1a3e4583, 0x3bd353fd, 0x214bd6bd, -0x7ece0ce6, 0x555bda62, 0x2ab91587 },
+        { -0x0e98b7cc, -0x640dee0c, -0x09d2076b, -0x47b194e9, 0x5b722a4e, -0x282190f9, 0x63bb2a21, 0x549a04b9 }
+    },
+    {
+        { -0x7103f661, 0x287351b9, 0x7dfd2538, 0x6765c6f4, -0x04f56d9b, -0x35cb72c3, 0x21e58727, 0x680e9103 },
+        { 0x056818bf, -0x6a01faf6, 0x5660faa9, 0x327e8971, 0x06a05073, -0x3c171c33, 0x7445a49a, 0x27933f4c },
+        { -0x1aebd950, -0x40e1ba14, 0x6dba0f94, -0x1cd439c3, -0x7307ad40, -0x1bd68b2b, -0x4f19b3e8, 0x44f079b1 }
+    },
+    {
+        { 0x08a5bb33, -0x5ded43bc, -0x38a112fe, -0x72afb73d, 0x5abfec44, -0x22e414f4, 0x46e206eb, 0x2945ccf1 },
+        { -0x5bb82946, 0x7f9182c3, 0x4b2729b7, -0x2affeb2f, -0x479b5f79, -0x1cc30ee4, -0x14e4aa0d, 0x154a7e73 },
+        { -0x182ffc4d, -0x37cd5e87, 0x00124d7e, 0x5f729d0a, 0x0e6d8ff3, 0x62c1d4a1, 0x38b27a98, 0x68b8ac59 }
+    },
+    {
+        { 0x77157131, 0x3a0ceeeb, 0x00c8af88, -0x64d8ea77, -0x25a658ca, -0x7f9a4998, -0x5d33c743, 0x51e57bb6 },
+        { 0x7b7d8ca4, 0x499806b6, 0x27d22739, 0x575be284, 0x204553b9, -0x44f7a319, -0x51be877c, 0x38b64c41 },
+        { 0x689de3a4, -0x7062526f, -0x07046ec9, 0x175f2428, -0x60304678, 0x050ab532, 0x1354c09f, 0x7865dfa2 }
+    },
+    {
+        { -0x6bb15c41, 0x6b1a5cd0, -0x4c623f2e, 0x7470353a, 0x28542e49, 0x71b25282, 0x283c927e, 0x461bea69 },
+        { -0x55cdde4f, -0x4590d366, 0x3bba23a7, 0x6ca02153, -0x6de6d3c6, -0x621589b1, 0x2e5317e0, 0x1d6edd5d },
+        { -0x54f025ca, 0x217a8aac, 0x3d3549c8, -0x5ad739ac, 0x13ab7568, 0x37d05b8b, 0x3a2cbc37, 0x233cef62 }
+    },
+    {
+        { 0x04dd3e8f, 0x59b75966, -0x1d778fd4, 0x6cb30377, 0x5ed9c323, -0x4ecc639a, 0x61bce52f, 0x0915e760 },
+        { -0x0c6dcb27, -0x1d58a213, -0x1e4aa707, -0x69c28980, 0x6e3c23fb, 0x2c2741ac, 0x320e01c3, 0x3a9024a1 },
+        { -0x57cb5c82, -0x208217cb, 0x689857ea, -0x741e6326, 0x7167b326, 0x2c118536, -0x24102a3e, 0x589eb3d9 }
+    },
+},
+{
+    {
+        { 0x2d9021f6, 0x322d04a5, 0x75c6bf9c, -0x463e60cd, 0x42d20b09, 0x587a3a43, -0x559b019f, 0x143b1cf8 },
+        { 0x553e2df3, 0x7ec851ca, -0x59b7874d, -0x58ed7b35, 0x3288d1e7, -0x194a1be7, 0x5a9a8883, 0x4cf210ec },
+        { -0x69753555, -0x60798383, 0x27092729, 0x5f54258e, -0x15e7f68b, -0x2f582cb5, 0x374126e1, 0x21b546a3 }
+    },
+    {
+        { -0x2e7ade71, 0x490a7a45, 0x46049335, -0x65eac888, -0x33ce1e0a, 0x0060ea09, -0x0791169b, 0x7e041577 },
+        { -0x5d777cbd, -0x56b007a8, 0x5313ed3c, -0x31f12baa, -0x4a40cb06, -0x0aa3c231, -0x36154c8f, 0x0a653ca5 },
+        { -0x31a4980d, 0x66b2a496, -0x42a9686a, -0x00ab6d28, 0x4a592cd0, 0x503cec29, 0x0813acb2, 0x56694365 }
+    },
+    {
+        { 0x1dabb69d, 0x5672f9eb, -0x5017ac04, -0x458f4acb, 0x2796d66d, 0x47ac0f75, -0x6bee8d8b, 0x32a53517 },
+        { 0x26620798, -0x47e724f4, 0x606e354a, 0x5d5c31d9, 0x00a8cdc7, 0x0982fa4f, 0x4653e2d4, 0x17e12bcd },
+        { -0x209b7bc9, -0x2c59bb5a, -0x77f04023, 0x703b6559, -0x52c5e55b, -0x347adac0, -0x71b39b98, 0x0900b3f7 }
+    },
+    {
+        { -0x37e952cf, -0x12d7f042, -0x2719101d, 0x52d9595b, -0x0939dc0b, 0x0fe71772, 0x051e293c, 0x4314030b },
+        { 0x679d651b, 0x0a851b9f, 0x033342f2, -0x1ef7349f, -0x1774cf5d, -0x29fe0a81, -0x12d228ec, 0x371f3aca },
+        { -0x040f4353, -0x2a9fffa2, -0x2e78f3a2, -0x7148f0d2, -0x2f7b1960, 0x201f9033, -0x31849990, 0x4c3a5ae1 }
+    },
+    {
+        { -0x36c25f23, -0x45078a1c, 0x71b9294d, -0x46cd7d59, -0x0b393ba0, -0x7f29c049, -0x15993e7f, 0x6de9c73d },
+        { -0x2347056b, 0x4138a434, 0x6c96840b, -0x78f30983, 0x297be82c, -0x21c77a8c, 0x7262a55a, 0x7c814db2 },
+        { -0x5fb2070e, 0x478904d5, -0x4efebd2d, -0x050451b6, 0x555d0998, -0x0937539d, 0x2f90b104, 0x5aac4a41 }
+    },
+    {
+        { -0x4280aecc, 0x603a0d0a, -0x1e2c51ba, -0x7f7636ce, -0x7867429d, -0x20da6ec7, 0x74ba0235, 0x1c145cd2 },
+        { 0x3ac92908, -0x39b0cd95, -0x199c1e20, 0x5551b282, 0x4a1a4b83, 0x476b35f5, 0x189f68c2, 0x1b9da3fe },
+        { 0x75f3d743, 0x32e83864, 0x6ae5d9ef, 0x365b8baf, 0x385b681e, -0x7dadc74a, 0x167d65e1, 0x234929c1 }
+    },
+    {
+        { 0x1d099fcf, 0x48145cc2, -0x33d7281b, 0x4535c192, 0x48247e01, -0x7f183e1b, 0x3b2973ee, 0x4a5f2874 },
+        { -0x5f885218, -0x67b21355, 0x19eb389d, 0x383f77ad, 0x2954d794, -0x38139482, -0x1483c586, 0x59c77b3a },
+        { 0x225ccf62, -0x2c5228db, -0x4dead3a3, -0x6ee5cc7f, 0x5b08f87d, -0x274c6053, 0x4799fe3b, 0x6f05606b }
+    },
+    {
+        { -0x06e49b7d, 0x5b433149, 0x5a2cbf62, -0x524a239b, 0x632827b3, -0x78057bee, -0x54b60728, 0x60895e91 },
+        { 0x177ba962, -0x6001616e, 0x0de5cae1, -0x675118e3, 0x2d831044, 0x3ff4ae94, 0x58533ac8, 0x714de12e },
+        { 0x0cf86c18, -0x16130d13, 0x0735dfd4, -0x4b92f9ee, 0x04b96be7, -0x43625f68, -0x26923d95, 0x73e2e62f }
+    },
+},
+{
+    {
+        { 0x632f9c1d, 0x2eccdd0e, 0x76893115, 0x51d0b696, -0x579c85a8, 0x52dfb76b, -0x5ff110c7, 0x6dd37d49 },
+        { 0x49aa515e, -0x12a49cac, 0x0bc6823a, -0x579a3b61, 0x5b42d1c4, -0x7af3e017, 0x03d315b9, 0x30d76d6f },
+        { 0x2106e4c7, 0x6c444417, -0x6d728097, -0x04ac2980, 0x694d3f26, -0x4b8c615c, 0x2e864bb0, 0x10c69711 }
+    },
+    {
+        { -0x7ca737fb, 0x0ca62aa0, 0x7a204247, 0x6a3d4ae3, 0x3b11eddc, 0x7464d3a6, 0x550806ef, 0x03bf9baf },
+        { 0x7dbe5fde, 0x6493c427, 0x19ad7ea2, 0x265d4fad, 0x46304590, 0x0e00dfc8, -0x129901f7, 0x25e61cab },
+        { -0x33a799fc, 0x3f13e128, -0x4ba68b82, 0x6f5873ec, -0x33ed970b, -0x5f49c213, 0x4586e22c, 0x566d7863 }
+    },
+    {
+        { -0x39a5d030, -0x5efabd7b, -0x0ce9983d, 0x6c64112a, 0x731aee58, 0x680ae240, 0x4793b22a, 0x14fba5f3 },
+        { -0x633ef7cc, 0x1637a49f, -0x57643baf, -0x4371a92b, 0x7f7fd2db, 0x1cb5ec0f, 0x5ecc35d9, 0x33975bca },
+        { 0x6985f7d4, 0x3cd74616, -0x3637ffa9, 0x593e5e84, 0x7b61131e, 0x2fc3f2b6, -0x7c03ad94, 0x14829cea }
+    },
+    {
+        { 0x4e71ecb8, 0x21e70b2f, 0x40a477e3, -0x19a92247, -0x31e2b080, -0x409aa932, 0x535d7b7e, 0x05fc3bc4 },
+        { -0x68226a3e, -0x00bc847c, -0x55b14a59, 0x6c744e30, 0x3c85e88b, -0x61f3a29f, 0x5f758173, 0x2fd9c71e },
+        { 0x52afdedd, 0x24b8b3ae, -0x12c4cf31, 0x3495638c, -0x56417e6b, 0x33a4bc83, 0x5c651f04, 0x37376747 }
+    },
+    {
+        { 0x14246590, 0x634095cb, 0x16c15535, -0x10edebc0, -0x76ef43a0, -0x61c7ebf4, 0x30907c8c, 0x6bf59057 },
+        { 0x40d1add9, 0x2fba99fd, -0x690b2fd9, -0x4cf8e991, 0x15f03bae, 0x4363f052, 0x3b18f999, 0x1fbea56c },
+        { -0x1ebea476, 0x0fa778f1, -0x453c5882, 0x06409ff7, -0x655d65b0, 0x6f52d7b8, 0x7a635a56, 0x02521cf6 }
+    },
+    {
+        { 0x772f5ee4, -0x4eeb98e0, -0x69f86532, -0x17076b4f, 0x00ac824a, 0x4af8224d, -0x0832933c, 0x001753d9 },
+        { 0x0a9d5294, 0x513fee0b, 0x0fdf5a66, -0x706718a4, -0x401ef832, -0x2b9e7978, 0x71382ced, 0x3fa00a7e },
+        { -0x69c224cc, 0x3c69232d, -0x4b68c7a8, 0x1dde87da, -0x5f6e0d7b, -0x55282e07, -0x5fb7124a, 0x12b5fe2f }
+    },
+    {
+        { -0x5290e16e, -0x20d483da, 0x504b8913, 0x4b66d323, 0x751c8bc3, -0x73bf6240, 0x0796c7b8, 0x6f7e93c2 },
+        { -0x69031cb3, 0x71f0fbc4, -0x520ca413, 0x73b9826b, -0x00d73a9f, -0x2dfb8d9f, 0x6fb1206f, 0x749b76f9 },
+        { -0x515951fb, 0x1f5af604, -0x411b6367, -0x3edcae0f, -0x1100949a, 0x61a808b5, 0x01e02151, 0x0fcec10f }
+    },
+    {
+        { -0x3bdbb1bb, 0x3df2d29d, -0x6c2721f6, 0x2b020e74, -0x7df3deb3, 0x6cc8067e, 0x6feab90a, 0x41377916 },
+        { 0x49fe1e44, 0x644d58a6, 0x31ad777e, 0x21fcaea2, -0x77802f2e, 0x02441c5a, -0x7c3aee0d, 0x4901aa71 },
+        { -0x73e50710, 0x08b1b754, 0x246299b4, -0x31f08584, 0x1e06d939, -0x089f4f07, 0x726d1213, 0x41bb887b }
+    },
+},
+{
+    {
+        { -0x55c6082e, -0x68267f20, 0x52c6b51c, 0x35d03842, 0x07cd55aa, 0x7d43f493, -0x48753c9e, 0x56bd36cf },
+        { 0x567c49d8, -0x6d987f94, -0x3586e196, 0x066d04cc, -0x1c33c6b5, -0x5960a9bb, -0x5f87732e, 0x5c95b686 },
+        { 0x0d14a954, 0x2ac519c1, -0x6b4a0570, -0x150b8b4c, -0x560785a6, -0x19507c7e, -0x78641f6c, 0x0dea6db1 }
+    },
+    {
+        { -0x29578686, 0x15baeb74, -0x053be8ce, 0x7ef55cf1, 0x3c8b05c5, 0x29001f5a, 0x52eaccfb, 0x0ad7cc87 },
+        { 0x7344e5ab, -0x559940ac, -0x70e4bcf7, -0x25eda778, -0x02a9b4d1, 0x5e87d2b3, 0x5483b1dd, 0x5b2c7888 },
+        { 0x793408cf, 0x52151362, 0x19963d94, -0x14f0e8fd, -0x77c26b9a, -0x57cc4d06, 0x75003c78, 0x093a7fa7 }
+    },
+    {
+        { 0x60a91286, -0x47169fbc, 0x7778d3de, 0x7f3fd804, -0x4075a1d3, 0x67d01e31, -0x3d849ac2, 0x7b038a06 },
+        { 0x3a16d7be, -0x1aef821a, -0x650ccd31, -0x5c880024, 0x440b677f, 0x70d5bf18, -0x5b5cebfd, 0x6a252b19 },
+        { -0x2c966f0d, -0x6126e62b, -0x24b1460e, 0x5213aebb, 0x4cb99135, -0x38f715fb, 0x72260e56, 0x58ded57f }
+    },
+    {
+        { 0x5b0fd48b, -0x2592acda, -0x6c405678, -0x769f7dcf, 0x61d57e28, -0x287536ce, 0x3a5c8143, 0x79f2942d },
+        { -0x16bec289, 0x78e79dad, -0x68d61983, -0x0da8062b, -0x1c85581a, 0x59db910e, -0x4461fc64, 0x6aa11b5b },
+        { -0x49377217, -0x6825d0db, -0x530dfe97, 0x251ba7ea, -0x10b14b1c, 0x09b44f87, -0x4395825b, 0x7d90ab1b }
+    },
+    {
+        { -0x694c3c69, 0x1a07a3f4, -0x70b1dace, 0x11ceaa18, -0x588ae410, 0x7d9498d5, 0x508dd8a0, 0x19ed161f },
+        { -0x58fe9402, -0x6533597d, -0x0d3af493, -0x6fafa0b3, -0x331bca56, 0x6b610d5f, 0x6198ff96, 0x19a10d44 },
+        { -0x78231936, 0x560a2cd6, -0x799b30b3, 0x7f3568c4, 0x22803a38, -0x78be16ae, 0x595653fc, 0x483bdab1 }
+    },
+    {
+        { -0x4b257f0a, -0x2930b2f6, -0x07cf8020, -0x7db7c1bb, -0x5190625c, 0x05005269, -0x63087886, 0x1c705290 },
+        { -0x78cb05b7, -0x0587f0ec, 0x360534e0, 0x106f0b70, -0x1c1cf843, 0x2210776f, -0x22195f02, 0x3286c109 },
+        { -0x78b1672c, 0x32ee7de2, -0x4681f3a0, 0x14c362e9, 0x6a60a38a, 0x5781dcde, -0x558557c0, 0x217dd5ea }
+    },
+    {
+        { -0x4173f138, -0x7420e047, -0x1cf5fd7e, 0x00bae7f8, -0x5293b094, 0x4963991d, 0x5df6f60a, 0x07058a6e },
+        { 0x248e1eb0, -0x62483b30, 0x4d74bf52, -0x1f89681f, 0x3c562354, 0x1e6a9b17, 0x795a4965, 0x7fa7c21f },
+        { -0x24ce0981, -0x1614fd3c, 0x10bcfb2b, -0x12da0277, 0x5c5cddb4, 0x46c8131f, -0x5f346432, 0x33b21c13 }
+    },
+    {
+        { 0x5ee38c5b, -0x65504650, 0x071a13c7, -0x4062d2b2, -0x16ccd6f6, -0x71119193, -0x51ef68e9, 0x1c3bab17 },
+        { 0x087d8e31, 0x360692f8, -0x2d8e9c09, -0x0b2339c9, 0x65ea5963, 0x25a4e620, 0x5ac160d9, 0x659bf72e },
+        { -0x38354850, 0x1c9ab216, 0x07bbc3cc, 0x7d65d374, 0x504a58d5, 0x52744750, 0x131a2990, 0x09f2606b }
+    },
+},
+{
+    {
+        { 0x7c6691ae, 0x7e234c59, 0x0a85b4c8, 0x64889d3d, 0x354afae7, -0x251d36f4, 0x0c6a9e1d, 0x0a871e07 },
+        { 0x744346be, 0x40e87d44, 0x15b52b25, 0x1d48dad4, -0x5ec49fc2, 0x7c3a8a18, 0x2fcdbdf7, 0x4eb728c1 },
+        { 0x4bbc8989, 0x3301b599, 0x5bdd4260, 0x736bae3a, 0x19d59e3c, 0x0d61ade2, 0x2685d464, 0x3ee7300f }
+    },
+    {
+        { -0x7be18ae8, 0x43fa7947, 0x639c46d7, -0x1a3905a7, -0x1cfad48c, -0x5ef9a1e3, -0x30476fd0, 0x7d47c6a2 },
+        { -0x61822949, -0x0a2daa1c, 0x610b1eac, -0x7fe9eea4, -0x6d1e7836, 0x3c99975d, -0x686eda3e, 0x13815762 },
+        { -0x710f2920, 0x3fdad014, -0x6eab90c4, -0x62c18b66, 0x26bb8157, 0x71ec6210, 0x34c9ec80, 0x148cf58d }
+    },
+    {
+        { -0x651b8a93, -0x1da8d083, -0x770cb781, 0x56c345bb, 0x6960a88d, -0x602ef493, 0x4eaea1b9, 0x278febad },
+        { 0x7934f027, 0x46a492f6, -0x097bf557, 0x469984be, -0x769ee7ac, 0x5ca1bc2a, -0x42a2442c, 0x3ff2fa1e },
+        { -0x736cc69a, -0x4e5597e1, 0x20290c98, -0x73de6b64, 0x219d3c52, 0x39115291, -0x01639885, 0x4104dd02 }
+    },
+    {
+        { -0x24f69548, -0x7edeb1fa, 0x0ce44f35, 0x21a8b6c9, 0x409e2af5, 0x6524c12a, -0x71035b7f, 0x0165b5a4 },
+        { 0x1124422a, 0x72b2bf5e, -0x675cc54b, -0x5e05f3cd, -0x05ad499a, -0x6b349eff, -0x5050ac2b, 0x2c863b00 },
+        { -0x5f7b958a, -0x0e6f5b8c, -0x32d08340, 0x12eff984, 0x58aa2b8f, 0x695e2906, -0x40013748, 0x591b67d9 }
+    },
+    {
+        { -0x60e74aa3, -0x66464c8f, -0x5e739be2, -0x1b9a1a06, -0x3d60fa13, 0x61081136, 0x7030128b, 0x489b4f86 },
+        { -0x7f4b6406, 0x312f0d1c, -0x540c1376, 0x5979515e, -0x610fe378, 0x727033c0, -0x35708435, 0x3de02ec7 },
+        { 0x3aeb92ef, -0x2dcdefd3, 0x6116a861, -0x1e9dac4c, 0x190baa24, 0x3d7eabe7, 0x496cbebf, 0x49f5fbba }
+    },
+    {
+        { 0x1e9c572e, 0x155d628c, -0x3a77b8bf, -0x75b27954, 0x515763eb, -0x6e5cad0a, -0x7798aea5, 0x06a1a6c2 },
+        { -0x75a4302c, 0x30949a10, -0x439b8c15, -0x23bf2290, 0x307c0d1c, -0x6d3d6b3f, -0x3405918c, 0x5604a86d },
+        { 0x7c1764b6, 0x7288d1d4, -0x1fbe74af, 0x72541140, 0x18acf6d1, -0x60fce5a0, -0x01d8bd3a, 0x20989e89 }
+    },
+    {
+        { -0x7a1513d2, 0x1674278b, 0x7acb2bdf, 0x5621dc07, 0x61cbf45a, 0x640a4c16, -0x08fa6a2d, 0x730b9950 },
+        { 0x3a2dcc7f, 0x499777fd, -0x5ab0276e, 0x32857c2c, -0x2df81c60, -0x5d86279c, 0x0ca67e29, 0x0403ed1d },
+        { -0x78b13aae, -0x36b4d2cb, -0x67db9073, -0x3a193731, 0x16c035ce, -0x0834b906, 0x08303dcc, 0x5bd74543 }
+    },
+    {
+        { 0x15e7792a, -0x7a3b6cdf, -0x42322237, -0x39b3765e, -0x525c289e, -0x62e1c258, 0x3067f82c, 0x5bb7db12 },
+        { 0x28b24cc2, 0x7f9ad195, 0x6335c181, 0x7f6b5465, 0x4fc07236, 0x66b8b66e, 0x7380ad83, 0x133a7800 },
+        { -0x39359d42, 0x0961f467, 0x211952ee, 0x04ec21d6, -0x642ab890, 0x18236077, 0x58f0e0d2, 0x740dca6d }
+    },
+},
+{
+    {
+        { -0x12d9e51b, 0x3906c72a, -0x771eff09, -0x65497027, -0x0cc9fe69, -0x0a16fa66, -0x40d492b9, 0x0e53dc78 },
+        { -0x2c0f50f5, 0x50b70bf5, -0x1cd18e09, 0x4feaf48a, -0x5aa442cc, 0x60e84ed3, 0x3f50d1ed, 0x00ed489b },
+        { 0x7971877a, -0x46f7d641, 0x6d17e631, 0x5e444463, 0x18276893, 0x4d05c52e, 0x5a4a4af5, 0x27632d9a }
+    },
+    {
+        { -0x78150025, -0x567d7a2f, -0x272f579c, -0x5a4b0445, 0x022663f7, -0x49a70d81, -0x26631d7e, 0x3bbc2b22 },
+        { 0x54b260ce, -0x2ee00faf, 0x72f95270, -0x27923c72, 0x267cc138, 0x601fcd0d, 0x29e90ccd, 0x2b679164 },
+        { 0x583c0a58, -0x46e836ae, 0x0fe4c6f3, 0x653ff9b8, -0x4320c3f4, -0x64f25829, -0x54ab29f2, 0x43a0eeb6 }
+    },
+    {
+        { 0x57875fe8, 0x3ac63223, -0x0a043471, -0x262b0b14, 0x382bb620, -0x72117b6d, 0x4c799fdc, 0x50c5eaa1 },
+        { 0x6d4a5487, 0x396966a4, -0x53d44c46, -0x07ee5e76, 0x5628b26b, 0x66e4685b, -0x626d646e, 0x70a47702 },
+        { -0x290d04c4, -0x22f12375, -0x63384860, 0x54c63aa7, 0x2c8d9f1a, -0x51f4fcd5, 0x602967fb, 0x6f9ce107 }
+    },
+    {
+        { 0x3520e0b5, 0x13969306, -0x7715fc02, 0x437fcf7c, -0x2c36a644, -0x082b3bf5, -0x076c2127, 0x699154d1 },
+        { -0x321e3dd6, -0x52efab4f, 0x48eb32df, -0x3b5716fe, -0x53323f16, 0x5f3e7b33, -0x038669c2, 0x72364713 },
+        { -0x4b4d8ada, 0x315d5c75, 0x0236daa5, -0x33347bd3, 0x345fee8e, 0x22f0c8a3, 0x7d39dbed, 0x73975a61 }
+    },
+    {
+        { -0x0bbcc1ba, 0x6f37f392, 0x1f566b18, 0x0e19b9a1, 0x1fd1d662, 0x220fb78a, -0x5c7e36b3, 0x362a4258 },
+        { 0x6375da10, -0x1bfdb207, 0x1830c870, 0x78d3251a, 0x658cd91c, -0x6fd4e6b8, 0x29b7438a, 0x7e18b10b },
+        { 0x2b6beb2f, -0x6f8e26ed, 0x28418247, 0x0f26e9ad, -0x42136da3, -0x1546e137, -0x0b750d22, 0x4be65bc8 }
+    },
+    {
+        { 0x57c26234, 0x1d50fba2, -0x214f9875, 0x7bd4823a, -0x59ac750b, -0x3d4f2392, 0x351da73e, 0x5665eec6 },
+        { -0x5c918fd8, 0x78487feb, 0x1dd8ce34, 0x5f3f1300, 0x4b30c489, -0x6cb04ed3, 0x397f0a2b, 0x056c244d },
+        { 0x43bfb210, -0x24c11ff7, 0x20800ac2, 0x49720187, 0x73bd8667, 0x26ab5d61, -0x54dfb6c8, 0x20b209c2 }
+    },
+    {
+        { 0x16bd3289, 0x1fcca945, 0x41420428, 0x448d65aa, 0x16a55d62, 0x59c3b7b2, 0x4e612cd8, 0x49992cc6 },
+        { -0x3f804cb5, 0x549e342a, 0x21373d93, 0x02d82208, -0x532e0a99, -0x43d9d290, -0x0435387c, 0x7a92c9fd },
+        { 0x70f801de, 0x65bd1bea, -0x01b61d76, 0x1befb7c0, -0x4e4d51b6, -0x579cf933, 0x265c2a09, 0x3b7ac0cd }
+    },
+    {
+        { 0x22ed39a7, -0x0f2ab1b1, 0x5608150a, -0x5d5516e2, -0x1225178b, -0x0bde4d17, 0x6b7de992, 0x31bc531d },
+        { -0x73fe4314, -0x7dd411bd, -0x3f0438c5, 0x530cb525, -0x3e6ac017, 0x48519034, -0x1f65f0a5, 0x265cc261 },
+        { -0x567f068f, -0x20c2ecb3, 0x221a22a7, 0x7a4fb8d1, 0x35aad6d8, 0x3df7d420, 0x6a1a125e, 0x2a14edcc }
+    },
+},
+{
+    {
+        { 0x0478433c, 0x231a8c57, -0x3d7ebc63, -0x484ad8f2, -0x1c26f861, -0x24556616, 0x6c2b03d9, 0x2c03f525 },
+        { 0x52cfce4e, -0x20b711f9, 0x06ec08b7, -0x3c00050d, -0x46aba63c, 0x05710b2a, -0x69c15c73, 0x161d25fa },
+        { 0x7b53a47d, 0x790f1875, -0x30f3a787, 0x307b0130, 0x257ef7f9, 0x31903d77, -0x42694451, 0x699468bd }
+    },
+    {
+        { 0x6aa91948, -0x2722c21a, 0x2fc0d2cc, 0x485064c2, 0x34fdea2f, -0x64b7db9a, 0x6c4a2e3a, 0x293e1c4e },
+        { -0x0b250131, -0x42e0d0ba, -0x5b802909, 0x7cef0114, 0x4a47b37f, -0x2ce00226, 0x73905785, 0x525219a4 },
+        { -0x6daeed1f, 0x376e134b, -0x235ea260, 0x703778b5, 0x461c3111, -0x4fba7651, 0x7f032823, 0x5b605c44 }
+    },
+    {
+        { -0x0f180fb4, 0x3be9fec6, 0x75e34962, -0x7995a862, 0x1e1de61a, 0x5542ef16, -0x33a5422b, 0x2f12fef4 },
+        { 0x20c47c89, -0x469a7fa7, -0x6dc47034, -0x180feff4, 0x02e2ef77, 0x00012565, -0x57514c12, 0x24a76dce },
+        { -0x203f38c0, 0x0a4522b2, 0x40c9a407, 0x10d06e7f, 0x78cff668, -0x3930ebbf, 0x18a43790, 0x5e607b25 }
+    },
+    {
+        { -0x5a6930ec, -0x5fd3bce4, -0x512c1c00, -0x1c3bd2c0, 0x2e0f26db, -0x2dbad980, -0x61ba8f98, 0x201f3313 },
+        { 0x6cdf1818, 0x58b31d8f, -0x3c9da75e, 0x35cfa74f, 0x66e61d6e, -0x1e4c00b1, 0x6ccdd5f7, 0x5067acab },
+        { 0x08039d51, -0x02ad8095, 0x017c0006, 0x18b14964, 0x2e25a4a8, -0x2addf150, 0x62460375, 0x397cba88 }
+    },
+    {
+        { -0x37ec8619, 0x7815c3fb, -0x221ed50f, -0x599e6be0, -0x7a57022b, -0x00563f08, -0x3e1e3dae, 0x771b4022 },
+        { -0x0fa6a64e, 0x30c13093, -0x1656868a, -0x1dc55e73, 0x721d5e26, 0x222fd491, 0x766e6c3a, 0x2339d320 },
+        { 0x513a2fa7, -0x2782267a, -0x062b30f8, -0x0a53648f, 0x1ea283b3, -0x2f943ce5, 0x19971a76, 0x331a1892 }
+    },
+    {
+        { -0x628a8d51, 0x26512f3a, 0x68074a9e, 0x5bcbe288, 0x1180f7c4, -0x7b123e3f, -0x09b65985, 0x1ac9619f },
+        { -0x04b07f3a, -0x0ae990bb, 0x61c775cf, -0x63c93822, -0x6fbe26e4, -0x1c2b17e5, -0x7c4201df, 0x31167c6b },
+        { 0x524b1068, -0x0dd4c7be, -0x11631679, 0x5068343b, 0x4a6250c8, -0x03628e7c, 0x1f08b111, 0x61243634 }
+    },
+    {
+        { 0x1a2d2638, -0x749cb61d, -0x642c02cb, -0x62204900, -0x5c5f945c, 0x7f8bf1b8, 0x78d90445, 0x1522aa31 },
+        { -0x78b17673, -0x2662be25, 0x6c07dc20, 0x09fea5f1, -0x2ff06444, 0x793d2c67, -0x61a100c0, 0x46ebe230 },
+        { 0x69614938, 0x2c382f53, -0x48d292f0, -0x2501bf66, -0x49b90dd9, -0x1737cc6f, 0x0524306c, 0x45fe70f5 }
+    },
+    {
+        { -0x376aeb6f, 0x62f24920, 0x3f630ca2, 0x05f007c8, -0x0a362b48, 0x6fbb45d2, -0x4a85ddbb, 0x16619f6d },
+        { -0x69f3f474, -0x25b78a5a, -0x10f1d0e0, 0x5b68d076, 0x3d0b8fd4, 0x07fb51cf, -0x5f1c6d2c, 0x428d1623 },
+        { 0x01a308fd, 0x084f4a44, 0x76a5caac, -0x57dde63d, 0x43d1bc7d, -0x214721ba, 0x60bd38c6, 0x1d81592d }
+    },
+},
+{
+    {
+        { 0x2f89c8a1, 0x3a4a369a, 0x7c8de80d, 0x63137a1d, 0x78eda015, -0x4353ff76, -0x4b7c4fc1, 0x2cb8b3a5 },
+        { -0x13d5b3c8, -0x27cc2842, 0x0acc20ed, 0x2c916283, -0x6d208a7f, -0x16c5b856, 0x333c4a81, 0x702d67a3 },
+        { -0x34e46f5f, 0x36e417cb, 0x7f11794e, 0x33b3ddaa, -0x77a439f9, 0x3f510808, -0x1957fdf3, 0x24141dc0 }
+    },
+    {
+        { -0x427cea83, -0x6e6da234, 0x22cc8094, 0x3ca12053, 0x3f90d6e4, 0x28e57f18, -0x21d18985, 0x1a4714ce },
+        { 0x3fefee9d, 0x59f73c77, -0x3e306763, -0x4c0e1077, -0x1fd1aba1, -0x1ca204be, 0x47a1b47c, 0x5766120b },
+        { -0x47494801, -0x24df45f1, 0x77511fa1, -0x48cd3c4a, -0x660fd277, -0x56d4ae40, 0x489ca5f1, 0x4f3875ad }
+    },
+    {
+        { -0x118c1140, 0x79ed13f6, 0x69110bb1, -0x5a39ad93, -0x79fc79f4, -0x1b76d73d, -0x028fa60b, 0x722a1446 },
+        { 0x4932ab22, -0x380389d1, 0x2f4c3c1b, 0x7ac0edf7, -0x65576a18, 0x5f6b55aa, -0x52f5ff7f, 0x3680274d },
+        { -0x573077e7, -0x2f6a6017, -0x7b8a5664, -0x2f566ab0, 0x20b09cc5, 0x6eac1733, 0x331b1095, 0x628ecf04 }
+    },
+    {
+        { 0x5c74ccf1, -0x64be5308, 0x08265251, -0x498cce7f, 0x11adb147, -0x6636d513, 0x34ecb40f, 0x7a47d70d },
+        { -0x562f2244, -0x67434ee8, 0x08b4802b, -0x11bb61cc, -0x47594efc, -0x78f76dda, 0x45c7915d, 0x685f349a },
+        { -0x33bc5b0b, 0x60a0c4cb, 0x3677bea9, 0x775c66ca, 0x2ff8f5ed, -0x5e855e8b, 0x0e01fdc0, 0x11ded902 }
+    },
+    {
+        { 0x3bea93b7, 0x471f95b0, 0x3313abd3, 0x0552d7d4, -0x1e81c085, -0x426c8f1e, -0x4df1a414, 0x7b120f1d },
+        { -0x351018fc, -0x76f187f7, -0x1cf17394, -0x78d7d693, -0x6d514e37, 0x4c5cd2a3, 0x5771531f, 0x194263d1 },
+        { -0x79afd286, 0x17d2fb3d, 0x50a69352, -0x4a9b27bc, -0x59f128a3, 0x7da962c8, 0x318736aa, 0x00d0f85b }
+    },
+    {
+        { -0x0289de3f, -0x598ac3e2, 0x445671f5, 0x69c0b4a7, 0x05b23c11, -0x68e0ad8c, 0x51a8c7cd, 0x387bc748 },
+        { 0x777c84fd, -0x6874ebd2, 0x05a8c062, -0x0bfd9bb9, -0x1819ed39, -0x59852ae5, -0x672295cd, 0x2f7b4596 },
+        { 0x4a52a9a8, -0x7e76b4b3, -0x09477cd1, -0x5226c1ee, -0x49e429c8, 0x184d8548, -0x29360933, 0x3f1c62db }
+    },
+    {
+        { 0x148f693d, 0x3fad3e40, -0x6b14658e, 0x052656e1, 0x184f4e2f, 0x2f4dcbfd, -0x3b7d1e75, 0x406f8db1 },
+        { -0x6e6ef3e1, 0x2e8f1f00, -0x400d1ed4, -0x5b20b020, -0x116d8bc8, 0x60c6560a, -0x53103706, 0x6338283f },
+        { 0x7f191ee4, -0x619cf2d4, -0x43c00990, 0x4fbf8301, 0x7afb73c4, 0x787d8e4e, -0x170a705b, 0x50d83d5b }
+    },
+    {
+        { -0x4b2c4993, -0x3f533070, 0x61732e60, -0x58fa621b, 0x70c6b0ba, 0x033d1f78, 0x26d946e4, 0x584161cd },
+        { -0x3ee5e769, -0x7a97c6ea, -0x1af92ff8, 0x2d69a4ef, -0x099b42ff, 0x39af1378, 0x361517c6, 0x65942131 },
+        { 0x72d27ca2, -0x440d4e60, -0x042138fc, -0x40c6c3a7, -0x1d9d47e2, -0x16724432, 0x3029b589, 0x02eebd0b }
+    },
+},
+{
+    {
+        { 0x7b85c5e8, -0x789a4961, -0x2e97454e, 0x6ff0678b, 0x1d330f9b, 0x3a70e77c, -0x4f507184, 0x3a5f6d51 },
+        { -0x59f253a1, 0x61368756, -0x145423a9, 0x17e02f6a, 0x4cce0f7d, 0x7f193f2d, -0x76132310, 0x20234a77 },
+        { 0x7178b252, 0x76d20db6, -0x2ae12ea0, 0x071c34f9, -0x4c1bee90, -0x09d5b5e0, 0x3cffe366, 0x7cd68235 }
+    },
+    {
+        { 0x68acf4f3, -0x599a32a0, 0x3cd7e3d3, 0x42d92d18, 0x336025d9, 0x5759389d, 0x2b2cd8ff, 0x3ef0253b },
+        { -0x2778054a, 0x0be1a45b, -0x45bfc492, 0x2a846a32, -0x1691a000, -0x266defee, 0x3bdc0943, 0x2838c886 },
+        { 0x4a465030, -0x2e944f31, 0x15c577ab, -0x05b694bf, -0x0b54be63, -0x7d305176, 0x06a82812, 0x21dcb8a6 }
+    },
+    {
+        { -0x4188ce46, -0x6572ff06, 0x629e1889, -0x7dfc9f82, 0x43f3d97f, -0x4d33fdc9, 0x6c6f678b, 0x5d840dbf },
+        { -0x73626038, 0x5c600446, -0x2bd55c35, 0x2540096e, 0x12ee2f9c, 0x125b4d4c, -0x6b5ce255, 0x0bc3d081 },
+        { 0x309fe18b, 0x706e380d, -0x461e9a39, 0x6eb02da6, 0x7dae20ab, 0x57bbba99, 0x2ac196dd, 0x3a427623 }
+    },
+    {
+        { -0x24bb8135, 0x3bf8c172, -0x39d7d243, 0x5fcfc41f, 0x75aa15fe, -0x7f530040, 0x24e1a9f9, 0x0770c9e8 },
+        { -0x758f7b06, 0x4b42432c, -0x20461abb, -0x7675e61d, -0x63a71ba3, -0x4160ffdf, -0x5e92142f, 0x1ff177ce },
+        { 0x45b5b5fd, -0x309e2666, 0x1b3a7924, -0x79f67b17, 0x303e3e89, -0x18cff6e7, 0x41500b1e, 0x39f264fd }
+    },
+    {
+        { -0x01f6841f, -0x2e64b555, -0x201fe6d7, -0x5b92031f, 0x2ca6f1ff, -0x3c36f76c, 0x2c35f14e, 0x65c62127 },
+        { -0x24181d64, -0x5852cbe9, 0x2b9c139c, -0x426bc896, -0x6ca68457, -0x5f16e472, 0x68889840, 0x1712d734 },
+        { -0x31ce6c23, -0x18d47608, -0x5eda3f45, 0x4d103356, 0x2e1cfe83, 0x0419a93d, -0x4e631d8e, 0x22f9800a }
+    },
+    {
+        { -0x65910254, 0x42029fdd, 0x34a54941, -0x46ed3142, -0x78420c85, 0x640f64b9, -0x7a67354c, 0x4171a4d3 },
+        { 0x3e9ef8cb, 0x605a368a, -0x5aafb8eb, -0x1c163fde, 0x5f24248f, 0x553d48b0, 0x647626e5, 0x13f416cd },
+        { -0x6636b374, -0x05d8a756, -0x4fff47f9, 0x23006f6f, -0x5225ac6e, -0x042d6e23, 0x574bd1ab, 0x508214fa }
+    },
+    {
+        { 0x53d003d6, 0x461a15bb, -0x430c369b, -0x4defd778, 0x6c683a5a, 0x27c57675, -0x37934bb9, 0x3a7758a4 },
+        { 0x3ed6fe4b, -0x3dfd96eb, 0x511d77c4, -0x59a598c7, 0x2c14af94, -0x3421d9ba, 0x6faba74b, 0x22f960ec },
+        { -0x6c51af8a, 0x548111f6, 0x1dfd54a6, 0x1dae21df, -0x0ceea19b, 0x12248c90, -0x72180b6c, 0x5d9fd15f }
+    },
+    {
+        { -0x1128ade2, 0x3f244d2a, 0x432e9615, -0x71c56fd8, 0x2e9c16d4, -0x1e9b4589, 0x47eb98d8, 0x3bc187fa },
+        { 0x6d63727f, 0x031408d3, -0x28384acd, 0x6a379aef, -0x33511db5, -0x561e703b, 0x4f8fbed3, 0x332f3591 },
+        { -0x15793df4, 0x6d470115, 0x6c46d125, -0x66754835, 0x3a660188, -0x2887cd4b, -0x6f9045fd, 0x450d81ce }
+    },
+},
+{
+    {
+        { -0x4d351f4b, 0x23264d66, -0x14359a8a, 0x7dbaed33, -0x0f2db538, 0x030ebed6, -0x089caaf0, 0x2a887f78 },
+        { -0x27bac6fe, -0x0751b2d6, -0x1724d2e3, 0x7018058e, -0x382d3ee2, -0x554c66a1, 0x24ccca79, 0x53b16d23 },
+        { 0x5c012d4f, 0x2a23b9e7, -0x351e0d16, 0x0c974651, 0x675d70ca, 0x2fb63273, -0x79bbfc0b, 0x0ba7250b }
+    },
+    {
+        { -0x79079264, -0x229ca76d, -0x1ec57a5c, 0x61699176, 0x4eaa7d57, 0x2e511195, -0x049f4205, 0x32c21b57 },
+        { 0x029c6421, -0x44f2e703, -0x76d670fe, -0x43d2ebdf, -0x74daf16a, -0x7cb8071a, 0x032d71c9, 0x7b9f2fe8 },
+        { 0x319e0780, -0x2787dc33, -0x76888a3b, -0x103b303f, -0x65f54c09, 0x4854fb12, 0x7238c371, 0x12c49d41 }
+    },
+    {
+        { -0x7c866abe, 0x09b3a017, -0x552a11c1, 0x626dd08f, -0x148feb61, -0x45ff4312, -0x5f5bbb37, 0x1421b246 },
+        { -0x0017c897, 0x0950b533, -0x71e2942f, 0x21861c1d, 0x1302e510, -0x0fdd27c8, 0x6391cab4, 0x2509200c },
+        { -0x73db5839, 0x4aa43a8e, -0x270fa10b, 0x04c1f540, 0x0b3eb9dc, -0x5245a1f4, 0x48a49ce3, 0x2ab55044 }
+    },
+    {
+        { 0x1c5d3afa, -0x23f8539d, -0x06207394, 0x58615171, -0x628c1d50, 0x72a079d8, -0x4b151ea3, 0x7301f4ce },
+        { 0x6f0f5dec, 0x2ed22726, 0x5ed50824, -0x67db11bf, -0x6b972beb, -0x7f841384, -0x4ade1dc1, 0x7093bae1 },
+        { -0x298dd3bf, 0x6409e759, 0x72bf729b, -0x598b1e31, 0x3c21e569, -0x43f5db15, 0x4ebacb23, 0x390167d2 }
+    },
+    {
+        { -0x5d0dedf5, -0x2844fab5, -0x4efa7649, -0x1d463152, -0x0c3f1242, 0x3fe8bac8, 0x7112cb69, 0x4cbd4076 },
+        { -0x45cac0e4, 0x27f58e3b, -0x4095bc9f, 0x4c47764d, 0x6e562650, -0x50443b1b, -0x551e5ba3, 0x07db2ee6 },
+        { 0x29c58176, 0x0b603cc0, 0x5cb15d61, 0x5988e382, -0x230f5273, 0x2bb61413, 0x74183287, 0x7b8eec6c }
+    },
+    {
+        { -0x03c7948d, 0x32fee570, -0x25c57339, -0x2574febf, -0x37697ca7, -0x68a002f6, -0x4ecd57ab, 0x6ee809a1 },
+        { 0x2cd27cb0, -0x1b35bf88, -0x04169843, -0x25063cdd, -0x752be162, -0x4d642cb6, 0x626ede4d, 0x72810497 },
+        { -0x030279c6, -0x6bbb44cf, 0x3e4e48c5, 0x2fe3690a, -0x2f7705db, -0x23d63799, -0x2e8cd6d2, 0x13bd1e38 }
+    },
+    {
+        { 0x1dfac521, 0x223fb5cf, 0x6f554450, 0x325c2531, 0x659177ac, 0x030b98d7, 0x4f88a4bd, 0x1ed018b6 },
+        { 0x696149b5, -0x2cd4b328, -0x7e275549, -0x1aa6c829, -0x51edd46c, 0x0bcb2127, -0x4ebf6650, 0x41e86fcf },
+        { -0x47fd5950, 0x3630dfa1, 0x42ad3bd5, -0x77f078b9, -0x113a5b2c, 0x0af90d6c, 0x37cdc5d9, 0x746a247a }
+    },
+    {
+        { 0x78d941ed, 0x6eccd852, -0x2dd087bd, 0x2254ae83, 0x7bbfcdb7, -0x3add2fd2, -0x400f1b1e, 0x681e3351 },
+        { 0x2b7b9af6, -0x2ace4743, 0x37fc5b51, 0x50050935, -0x3a6cab93, 0x232fcf25, 0x2bb40f49, 0x20a36514 },
+        { -0x7cfcb0bb, -0x749b4a63, 0x1fa20efb, 0x2f8b71f2, -0x459aaf1c, 0x69249495, 0x45d5472b, 0x539ef98e }
+    },
+},
+{
+    {
+        { 0x1cae743f, -0x2f8b276a, -0x11e39c13, -0x0792e70b, -0x180b12d7, -0x68423aa5, 0x663ab108, 0x4cbad279 },
+        { -0x59dfad8b, 0x6e7bb6a1, 0x413c8e83, -0x55b0de29, -0x1770a34e, 0x6f56d155, -0x59cba41f, 0x2de25d4b },
+        { -0x5f28e033, -0x7f2e6fdc, -0x04d77508, -0x3ada3df6, 0x5f3a6419, -0x4e5c68b5, -0x1dff8dcd, 0x7d7fbcef }
+    },
+    {
+        { -0x0c3d6f6c, -0x3283a23b, 0x2a9105ab, -0x387e5d66, 0x421c3058, -0x7f39e2ca, -0x23272b29, 0x4f9cd196 },
+        { 0x266b2801, -0x0510e196, -0x2a8c60ea, -0x7993973c, 0x1b03762c, -0x0975d044, -0x7848a573, 0x5975435e },
+        { 0x6a7b3768, 0x199297d8, 0x1ad17a63, -0x2f2fa7dc, 0x5c1c0c17, -0x45fd6353, 0x387a0307, 0x7ccdd084 }
+    },
+    {
+        { 0x6760cc93, -0x64f37be8, 0x1ab32a99, -0x3251ff86, 0x620bda18, -0x5772137a, -0x7e6f35bc, 0x3593ca84 },
+        { 0x6d260417, -0x2359bdd4, -0x6b7dbf43, -0x51eac2b0, -0x04973989, -0x563f3e4c, 0x61d0cf53, 0x428bd0ed },
+        { 0x5e849aa7, -0x6dece766, 0x65d8facd, -0x2b273ccb, 0x53fdbbd1, -0x73adaba5, -0x25d29c1a, 0x27398308 }
+    },
+    {
+        { 0x0a702453, -0x465ef1b4, -0x2a82e422, 0x0fa25866, -0x32d82509, -0x0046264b, 0x492c33fd, 0x572c2945 },
+        { 0x435ed413, 0x42c38d28, 0x3278ccc9, -0x42af0ca0, 0x79da03ef, -0x44f854e6, -0x4173ccab, 0x269597ae },
+        { -0x2932cf42, -0x388038bb, -0x1c455105, -0x1b20172d, -0x55a225f4, -0x5dd377d0, -0x3fa43580, 0x7f985498 }
+    },
+    {
+        { 0x0fbf6363, -0x2ca9eaae, -0x30b2045a, 0x08045a45, -0x78c05f3e, -0x113db044, -0x2964ed19, 0x30f2653c },
+        { -0x60f41ee9, 0x3849ce88, 0x7b54a288, -0x7ffa52e5, 0x23fc921c, 0x3da3c39f, 0x0a31f304, 0x76c2ec47 },
+        { -0x553ef37b, -0x75f736c8, -0x24d89435, 0x46179b60, 0x0e6fac70, -0x56df3fe2, 0x596473da, 0x2f1273f1 }
+    },
+    {
+        { 0x55a70bc0, 0x30488bd7, -0x0e2bbd19, 0x06d6b5a4, -0x43a69e9e, -0x152e5962, -0x123a087c, 0x38ac1997 },
+        { -0x751fe1ef, 0x4739fc7c, 0x4a6aab9f, -0x02ad8b70, -0x788d70d2, 0x41d98a82, -0x27a4960e, 0x5d9e572a },
+        { -0x58ae4ec5, 0x0666b517, 0x7e9b858c, 0x747d0686, 0x454dde49, -0x53533fef, -0x40161964, 0x22dfcd9c }
+    },
+    {
+        { 0x103be0a1, 0x56ec59b4, -0x2da60697, 0x2ee3baec, 0x13f5cd32, 0x797cb294, 0x24cde472, 0x0fe98778 },
+        { -0x3cf2f327, -0x72242d20, -0x5344bccd, -0x527199a1, 0x322a961f, -0x7094da74, 0x5448c1c7, 0x6b2916c0 },
+        { 0x0aba913b, 0x7edb34d1, 0x2e6dac0e, 0x4ea3cd82, 0x6578f815, 0x66083dff, 0x7ff00a17, 0x4c303f30 }
+    },
+    {
+        { 0x0dd94500, 0x29fc0358, 0x6fbbec93, -0x132d855c, -0x3d1d5808, 0x130a155f, -0x48f95e2b, 0x416b151a },
+        { 0x17b28c85, -0x2cf5c42a, 0x39773bea, -0x3a2c8849, 0x1e6a5cbf, -0x39391874, -0x74d5483c, 0x0d61b8f7 },
+        { -0x163ec950, 0x56a8d7ef, 0x58e44b20, -0x42f81a33, 0x1b57e0ab, -0x5019d026, 0x4277e8d2, 0x191a2af7 }
+    },
+},
+{
+    {
+        { 0x2fe09a14, 0x09d4b60b, -0x244e8b82, -0x3c7b0f51, 0x78b5fd6e, 0x58e2ea89, -0x4a1f64f6, 0x519ef577 },
+        { -0x5490b67b, -0x2aaff6a5, 0x4fbfaf1a, 0x04f4cd5b, 0x2a0c7540, -0x6271d12f, -0x4ddedd7a, 0x2bc24e04 },
+        { 0x1124cca9, 0x1863d7d9, -0x47758f72, 0x7ac08145, -0x7a8fce0b, 0x2bcd7309, -0x7547051b, 0x62337a6e }
+    },
+    {
+        { 0x1b3a1273, -0x2e54cdb2, -0x7efaacc0, 0x18947cf1, -0x5673e692, 0x3b5d9567, -0x7fd1e198, 0x7fa00425 },
+        { 0x06ffca16, 0x4bcef17f, 0x692ae16a, -0x21f91e25, 0x614f42b0, 0x0753702d, 0x5b9212d0, 0x5f6041b4 },
+        { 0x028c2705, 0x7d531574, -0x24f28a02, -0x7fce8297, -0x10737223, 0x30fface8, -0x493c1668, 0x7e9de97b }
+    },
+    {
+        { -0x5db2bf23, -0x0ffb419e, 0x0452d41f, -0x45f9a66f, 0x62a44234, -0x7e3ba11f, -0x5ddd9911, 0x4cb829d8 },
+        { -0x619a7a5d, 0x1558967b, -0x6716746e, -0x68366320, 0x6eb3adad, 0x10af149b, -0x0b2c7306, 0x42181fe8 },
+        { 0x07b86681, 0x1dbcaa84, -0x74d98ac5, 0x081f001e, -0x7bfb717f, 0x3cd7ce6a, 0x3f25f22c, 0x78af1163 }
+    },
+    {
+        { 0x7d65318c, 0x3241c00e, -0x2f179219, -0x19411a24, -0x043f73da, 0x118b2dc2, -0x039fc23d, 0x680d04a7 },
+        { 0x0b50babc, -0x7be9142c, 0x28208bee, 0x15087226, -0x463e3c93, -0x5ceb7051, -0x2cd282a3, 0x0d07daac },
+        { 0x695aa3eb, -0x063dbeb6, 0x05a68f21, -0x255bd3b4, 0x7f93963e, 0x7c6c2398, 0x0c3954e3, 0x210e8cd3 }
+    },
+    {
+        { 0x37fe6c26, 0x2b50f161, 0x56e404d8, -0x1efd4328, 0x4c561f6b, 0x12b0f141, -0x2fd7136f, 0x51b17bc8 },
+        { 0x10a71c06, -0x53bdfe0e, -0x0c404fdf, 0x6a65e0ae, 0x393632f7, -0x43bd3ca4, -0x79a0f8be, 0x56ea8db1 },
+        { -0x30acaee7, -0x000a04b5, -0x20eef760, -0x0b676287, -0x65c45cdb, -0x4203159b, 0x74d1a6f2, 0x18a11f11 }
+    },
+    {
+        { -0x2d85a0d4, -0x0429c326, -0x755ef929, -0x0ff03b44, -0x719b5bd0, 0x53fb5c1a, 0x0c1a2e85, 0x04eaabe5 },
+        { 0x3f6bba29, 0x407375ab, -0x66e1b7d2, -0x613c4928, -0x1aa06d17, -0x6637f17e, -0x04f3f51f, 0x307c13b6 },
+        { -0x34754a19, 0x24751021, 0x5c5010eb, -0x03dcbbb7, 0x4e5610a1, 0x5f1e717b, -0x3d8ef32b, 0x44da5f18 }
+    },
+    {
+        { -0x76271534, -0x6ea90195, -0x1dced95f, -0x19486baf, 0x3944eb4e, -0x428b9c27, 0x767203ae, 0x726373f6 },
+        { -0x0e47d14b, 0x033cc55f, 0x411cae52, -0x4ea51c93, -0x7004532d, -0x45bf49e7, 0x532e861f, 0x768edce1 },
+        { -0x14810976, -0x1cfa358e, 0x70eadb23, 0x662cf31f, -0x4b3ba498, 0x18f026fd, -0x4a2d1343, 0x513b5384 }
+    },
+    {
+        { -0x750cb315, 0x5e270287, -0x46b92952, -0x6ff4fbf7, -0x25427aee, 0x6512ebf7, -0x77da707f, 0x61d9b769 },
+        { -0x38d66762, 0x46d46280, 0x5368a5dd, 0x4b93fbd0, -0x2e89a577, 0x63df3f81, -0x465f5ddd, 0x34cebd64 },
+        { 0x49b7d94b, -0x593a58ed, 0x23eb9446, -0x5c0c2ea8, 0x77484834, 0x0416fbd2, 0x2c70812f, 0x69d45e6f }
+    },
+},
+{
+    {
+        { 0x4f460efb, -0x6019d4bd, -0x59c9f82a, -0x212cfc2c, -0x485f25dc, -0x0faddef2, 0x00545b93, 0x237e7dbe },
+        { -0x3ac3ebcf, -0x31e908b5, 0x2072edde, 0x2b9725ce, -0x4a4dc119, -0x47463c91, 0x0b5cc908, 0x7e2e0e45 },
+        { 0x6701b430, 0x013575ed, -0x60f402f0, 0x231094e6, -0x7c1b80de, 0x75320f15, -0x4eeeaa1d, 0x71afa699 }
+    },
+    {
+        { 0x473b50d6, -0x15bdc3e4, 0x3b38ef10, 0x51e87a1f, -0x4d36416b, -0x647b40a1, 0x78f89a1c, 0x00731fbc },
+        { 0x3953b61d, 0x65ce6f9b, -0x505ebe1a, -0x39a7c616, -0x5608a602, 0x0f435ffd, -0x3d4e3d72, 0x021142e9 },
+        { 0x48f81880, -0x1bcf38e8, 0x5ecec119, -0x4069f3de, 0x6bba15e3, -0x49251f7d, 0x47e15808, 0x4c4d6f33 }
+    },
+    {
+        { -0x6770e690, 0x2f0cddfc, -0x4f460ae5, 0x6b916227, 0x779176be, 0x6ec7b6c4, -0x57706058, 0x38bf9500 },
+        { -0x3e82e037, 0x18f7eccf, 0x51403c14, 0x6c75f5a6, -0x0811f321, -0x24218ed5, -0x581b85de, 0x193fddaa },
+        { 0x37e8876f, 0x1fd2c93c, 0x18d1462c, -0x5d09e1a6, 0x39241276, 0x5080f582, -0x40f2b697, 0x6a6fb99e }
+    },
+    {
+        { -0x491bdc3a, -0x114edd4b, -0x0d790072, -0x6c628ff0, 0x1dcf5d8c, -0x6f56d57d, 0x42c5eb10, 0x136fda9f },
+        { 0x560855eb, 0x6a46c1bb, -0x076c0f63, 0x2416bb38, -0x708e533f, -0x28e2eec9, -0x5ce76916, 0x75f76914 },
+        { -0x5cfa422f, -0x06b3204f, -0x6007d3f8, 0x0f364b9d, -0x3c44a776, 0x2a87d8a5, 0x0be8dcba, 0x02218351 }
+    },
+    {
+        { 0x43307a7f, -0x62a58eff, -0x3b825ba1, -0x4f9c2162, -0x416d852d, 0x22bbfe52, -0x02bfbd94, 0x1387c441 },
+        { 0x5ead2d14, 0x4af76638, -0x3583a7d0, -0x5f712780, 0x10211e3d, 0x0d13a6e6, 0x7b806c03, 0x6a071ce1 },
+        { -0x78687508, -0x4a2c3c2f, 0x7f0e4413, 0x722b5a3d, -0x44b88360, 0x0d7b4848, -0x50e1236e, 0x3171b26a }
+    },
+    {
+        { -0x4d75b82f, -0x59f24828, 0x1770a4f1, -0x5940eb2a, 0x53ddbd58, -0x2b5e076d, 0x344243e9, 0x6c514a63 },
+        { -0x68a9b358, -0x56d0ce70, 0x2275e119, -0x008447b4, -0x5b78aeb0, 0x4f55fe37, 0x3cf0835a, 0x221fd487 },
+        { 0x3a156341, 0x2322204f, -0x45f5fcd3, -0x048c1f17, 0x410f030e, -0x031f22b4, -0x046db556, 0x48daa596 }
+    },
+    {
+        { -0x37b3686d, 0x14f61d5d, -0x10be7dfa, -0x66be061d, 0x346277ac, -0x320a4771, 0x0e8a79a9, 0x58c837fa },
+        { 0x5ca59cc7, 0x6eca8e66, 0x2e38aca0, -0x57b8dab5, -0x2de1e832, 0x31afc708, -0x3527b509, 0x676dd6fc },
+        { -0x69036fa8, 0x0cf96885, 0x7b56a01b, 0x1ddcbbf3, 0x4935d66a, -0x233d1883, -0x395a80f6, 0x1c4f73f2 }
+    },
+    {
+        { -0x0383cb7c, -0x4c918f92, -0x3c3e309f, 0x73dfc9b4, 0x781cc7e5, -0x14e28637, 0x7daf675c, 0x70459adb },
+        { 0x305fa0bb, 0x0e7a4fbd, 0x54c663ad, -0x7d62b320, 0x2fe33848, -0x0bde3c7d, 0x1bf64c42, 0x795ac80d },
+        { -0x6e4bd44d, 0x1b91db49, 0x4b02dcca, 0x57269623, 0x1f8c78dc, -0x6020611b, -0x731de02d, 0x5fe16284 }
+    },
+},
+{
+    {
+        { -0x6aeeac77, 0x315c29c7, -0x79d08b32, -0x281f1af9, -0x7a6d8bce, 0x0c4a7621, 0x4a25a1e4, 0x72de6c98 },
+        { 0x4d077c41, -0x1d86f552, -0x248b965d, -0x746c7d90, -0x7542e95e, 0x6eb632dc, -0x55f9b48e, 0x720814ec },
+        { -0x40955cf0, -0x51654aad, -0x7f9291e5, 0x050a50a9, -0x5200aec7, -0x6d448bfd, 0x45be618b, 0x0394d276 }
+    },
+    {
+        { -0x4dcaba5c, -0x0ac69bdb, -0x67044d6a, 0x15a7a27e, 0x636fdd86, -0x5493ad44, 0x419334ee, 0x79d995a8 },
+        { -0x7a81120c, 0x4d572251, -0x1e616c3b, -0x1c8db123, 0x0b797035, -0x758ebdf2, -0x785418bd, 0x3b3c8336 },
+        { 0x1195dd75, -0x3275715a, 0x1dd9a82f, -0x5afb2758, -0x5ca7864a, 0x540dca81, 0x79c86a8a, 0x60dd16a3 }
+    },
+    {
+        { 0x153e47b8, 0x3501d6f8, 0x14a2f60c, -0x485698ac, 0x455d9523, 0x112ee8b6, -0x7eed1576, 0x4e62a3c1 },
+        { 0x7381e559, 0x35a2c848, -0x287f7d35, 0x596ffea6, -0x245849ad, -0x34688e15, -0x64b2597b, 0x5a08b501 },
+        { 0x516ab786, -0x372b53fc, 0x5295b23d, 0x595af321, -0x24fdcf3f, -0x29122dcc, -0x7da4be34, 0x0929efe8 }
+    },
+    {
+        { -0x52a99ae3, -0x74ce8d49, 0x3fabd717, 0x01581b7a, 0x424df6e4, 0x2dc94df6, 0x2c29284f, 0x30376e5d },
+        { -0x342f0d2d, 0x5f0601d1, 0x6132bb7f, 0x736e412f, 0x238dde87, -0x7c9fbbce, -0x0a3f8ac4, 0x1e3a5272 },
+        { -0x7ea65a64, -0x2d6e7259, 0x3f0713f3, 0x6bdc1cd9, 0x4acd6590, 0x565f7a93, 0x4cb4c128, 0x53daacec }
+    },
+    {
+        { -0x7ad30250, -0x667ad43d, 0x59d6ed0b, 0x2cc12e95, -0x64a53d85, 0x70f9e2bf, 0x7959ae99, 0x4f3b8c11 },
+        { -0x6337582a, 0x4ca73bd7, 0x47e9a9b2, 0x4d4a738f, 0x42f5fe00, -0x0b340ed7, -0x4240f8ae, 0x01a13ff9 },
+        { 0x2ff26412, 0x55b6c9c8, 0x1fb667a8, 0x1ac4a8c9, -0x1488740e, -0x2ad84031, 0x7012a3be, 0x303337da }
+    },
+    {
+        { -0x052d022f, -0x6892c335, 0x37a640a8, -0x34777c69, 0x6734cb25, 0x2ff00c1d, 0x789c2d2b, 0x269ff4dc },
+        { -0x73e36284, -0x6aabddde, 0x1a9b340f, 0x01fac137, -0x6da4b729, 0x7e8d9177, 0x61b3e31b, 0x53f8ad56 },
+        { -0x3f729873, 0x0c003fbd, 0x7ead2b17, 0x4d982fa3, -0x4d1a7d0f, -0x3f819433, -0x20bed5bc, 0x296c7291 }
+    },
+    {
+        { -0x25474a62, -0x204dcdfb, -0x37f6ddb0, 0x465aeaa0, -0x658da2e8, -0x2ecc3ee8, 0x61f117d1, 0x23273702 },
+        { 0x33daf397, 0x7903de2b, -0x3659db4d, -0x2f00f9e7, 0x555b3e18, -0x75e2dad5, 0x52e0b7c0, 0x2b6d581c },
+        { 0x623e7986, 0x3d0543d3, -0x3d875cac, 0x679414c2, 0x726196f6, -0x51bc0f34, -0x7dba1546, 0x7836c41f }
+    },
+    {
+        { -0x7fee6c84, -0x359ae17c, 0x6ef41a28, -0x394f3b92, 0x5f3f8d52, -0x48fde459, -0x15284603, 0x119dff99 },
+        { 0x49e95a81, -0x185dab25, 0x08b0ad73, 0x5192d5d0, -0x2ff503f9, 0x4d20e5b1, 0x2cf25f38, 0x5d55f801 },
+        { -0x0b4ce2b3, 0x43eadfcb, 0x11148892, -0x39afc08c, 0x060d3b17, -0x0111973b, -0x22b5f538, 0x329293b3 }
+    },
+},
+{
+    {
+        { 0x5d7cb208, 0x2879852d, 0x687df2e7, -0x47212290, 0x21687891, -0x23f40055, 0x677daa35, 0x2b44c043 },
+        { -0x1e6b69e6, 0x4e59214f, 0x0d71cd4f, 0x49be7dc7, 0x3b50f22d, -0x6cff302e, -0x036e8dce, 0x4789d446 },
+        { 0x074eb78e, 0x1a1c87ab, -0x66250b99, -0x05392e72, 0x484f9067, 0x3eacbbcd, 0x2bb9a4e4, 0x60c52eef }
+    },
+    {
+        { 0x7cae6d11, 0x702bc5c2, 0x54a48cab, 0x44c7699b, -0x45b6d14e, -0x1043bfaa, -0x26499893, 0x70d77248 },
+        { 0x3bfd8bf1, 0x0b5d89bc, -0x360caae6, -0x4f946dc9, -0x2acfd70b, 0x0e4c16b0, 0x2ccfcaab, 0x10bc9c31 },
+        { 0x3ec2a05b, -0x557517b5, -0x12e87e20, -0x6796610c, 0x708e85d1, 0x794513e4, -0x56890bed, 0x63755bd3 }
+    },
+    {
+        { -0x680e5349, 0x3dc71018, -0x3e9a4428, 0x5dda7d5e, 0x0fa1020f, 0x508e5b9c, 0x37c52a56, 0x27637517 },
+        { 0x2ad10853, -0x4aa05fc2, -0x6119ca97, 0x356f7590, -0x41964770, -0x60060e03, -0x743e907c, 0x0d8cc1c4 },
+        { 0x6eb419a9, 0x029402d3, 0x77b460a5, -0x0f4bb182, -0x2bc3b6aa, -0x30579dd0, 0x7ad166e7, 0x70c2dd8a }
+    },
+    {
+        { -0x471281ed, -0x6e2b6983, -0x28897e86, 0x74252f0a, 0x0d852564, -0x1bf67d20, 0x16a53ce5, 0x32b86138 },
+        { -0x609013f2, 0x65619450, 0x46c6518d, -0x11d18157, 0x67e09b5c, -0x68cc3e0d, 0x63948495, 0x2e0fac63 },
+        { -0x1bb7329c, 0x79e7f7be, 0x087886d0, 0x6ac83a67, -0x5f1b24d2, -0x07602b27, 0x735a4f41, 0x4179215c }
+    },
+    {
+        { 0x286bcd34, -0x1b51cc47, 0x559dd6dc, -0x4810814a, -0x4c2c71e1, 0x278b141f, 0x2241c286, 0x31fa8566 },
+        { -0x282312d6, -0x738f6b19, 0x47d39c70, -0x6804753d, -0x56f926fe, -0x1ec41fcd, 0x0cd99d76, 0x700344a3 },
+        { 0x2e3622f4, -0x507d93be, -0x67ccafd3, -0x3edfd679, 0x2b389123, -0x643e481f, -0x566adb77, 0x24bb2312 }
+    },
+    {
+        { -0x0a07a395, 0x41f80c2a, 0x04fa6794, 0x687284c3, -0x5c45e453, -0x76ba2067, -0x0014a2ea, 0x0d1d2af9 },
+        { 0x32de67c3, -0x4e5712e9, 0x461b4948, 0x3cb49418, 0x76cfbcd2, -0x7142bcbd, 0x1e188008, 0x0fee3e87 },
+        { 0x32621edf, -0x5625755f, 0x59226579, 0x30b822a1, -0x58653e6d, 0x4004197b, 0x18531d76, 0x16acd797 }
+    },
+    {
+        { 0x7887b6ad, -0x36a6393b, 0x5f90feba, -0x6b1e6153, -0x5cbd0afc, 0x16e24e62, 0x18161700, 0x164ed34b },
+        { 0x2d9b1d3d, 0x72df72af, -0x5bcddba6, 0x63462a36, 0x16b39637, 0x3ecea079, -0x46cfdcf7, 0x123e0ef6 },
+        { 0x192fe69a, 0x487ed94c, 0x3a911513, 0x61ae2cea, -0x465b21d9, -0x7884092d, 0x1073f3eb, 0x78da0fc6 }
+    },
+    {
+        { 0x680c3a94, -0x5d607f0f, 0x1ae9e7e6, 0x71f77e15, 0x48017973, 0x1100f158, 0x16b38ddd, 0x054aa4b3 },
+        { -0x1ad43996, 0x5bf15d28, 0x70f01a8e, 0x2c47e318, 0x06c28bdd, 0x2419afbc, 0x256b173a, 0x2d25deeb },
+        { 0x19267cb8, -0x2037b973, 0x66e54daf, 0x0b28789c, 0x666eec17, 0x2aeb1d2a, -0x548258a0, 0x134610a6 }
+    },
+},
+{
+    {
+        { -0x23fd73c4, -0x26ebcf20, 0x5217c771, 0x0eb955a8, 0x2c99a1fa, 0x4b09e1ed, -0x42958bc4, 0x42881af2 },
+        { 0x7c59b23f, -0x350aa13e, 0x154d04f2, -0x665112c2, -0x1ebebe0c, 0x68441d72, 0x3932a0a2, 0x14034513 },
+        { -0x54a352c3, 0x7bfec69a, 0x4cb2cfad, -0x3dc1732d, -0x04c8295e, 0x685dd14b, 0x15677a18, 0x0ad6d644 }
+    },
+    {
+        { 0x47927e9f, 0x79148928, 0x370aa877, 0x33dad6ef, 0x11122703, 0x1f8f24fa, 0x2adf9592, 0x5265ac2f },
+        { 0x417becb5, 0x781a439e, -0x2ef1fd9a, 0x4ac5938c, 0x0692ac24, 0x5da38511, -0x521cedcd, 0x11b065a2 },
+        { -0x65034cba, 0x405fdd30, 0x28e63f54, -0x268dc2bc, 0x5f65aaae, -0x6b3fe210, -0x1eb3f7f7, 0x43e4dc3a }
+    },
+    {
+        { -0x523d395d, -0x1590853d, -0x168e836c, -0x2f16d70a, -0x29ba150b, -0x1d2c8616, -0x3ae00442, 0x46dd8785 },
+        { -0x56c75ae9, -0x43ed380f, 0x3180b2e1, 0x473028ab, -0x0432dab6, 0x3f78571e, 0x6ff6f90f, 0x74e53442 },
+        { 0x375c8898, 0x709801be, -0x1c027cb8, 0x4b06dab5, 0x27230714, 0x75880ced, -0x22d0b3be, 0x2b09468f }
+    },
+    {
+        { -0x7d005fd6, 0x5b979465, -0x01570ab7, -0x25f695af, 0x5f77af9b, -0x5f9caec9, 0x201d1e76, 0x1bcfde61 },
+        { -0x48fe346a, -0x6838b612, -0x495c963d, -0x7c0bc72c, -0x65bfd327, 0x62962b8b, -0x67772085, 0x6976c750 },
+        { 0x246a59a2, 0x4a4a5490, -0x17802270, -0x29c14222, 0x0d2371fa, -0x26bc8399, -0x2cf0712a, 0x69e87308 }
+    },
+    {
+        { -0x7437fcfd, 0x0f80bf02, 0x7a18cefb, 0x6aae16b3, -0x28d3295d, -0x22b815b9, -0x0b12c656, 0x61943588 },
+        { 0x5656beb0, 0x435a8bb1, 0x4f4d5bca, -0x07053646, 0x1548c075, -0x464d873c, -0x176d49de, 0x3eb0ef76 },
+        { -0x6efc607b, -0x2d91a3c2, -0x090cc557, -0x3f161883, 0x70066a93, -0x176973ab, 0x1faaaddd, 0x3c34d188 }
+    },
+    {
+        { 0x2fffe0d9, -0x42a4f471, 0x3ed24fb9, 0x6aa25410, -0x4d97de3c, 0x2ac7d7bc, 0x60dca36a, 0x605b394b },
+        { -0x5f606140, 0x3f9d2b5e, -0x49dc5770, 0x1dab3b6f, 0x72d926c4, -0x5f645c16, 0x3fd8b36d, 0x37419351 },
+        { 0x5a9d1ed2, -0x4b17a91c, 0x6c97a9a2, -0x1017b78a, 0x1e5eee7d, -0x4efb309c, -0x7758e371, 0x2f50b81c }
+    },
+    {
+        { -0x5825add6, 0x2b552ca0, 0x449b0250, 0x3230b336, -0x5b466047, -0x0d3b3a44, 0x58074a22, 0x7b2c6749 },
+        { -0x0397ee45, 0x31723c61, 0x6211800f, -0x634bafb8, 0x47995753, 0x768933d3, 0x02752fcd, 0x3491a535 },
+        { 0x3ed28cdf, -0x2aae9a78, -0x2c9d21c7, 0x12d84fd2, -0x1cc871b1, 0x0a874ad3, 0x7c763e74, 0x000d2b1f }
+    },
+    {
+        { 0x3e94a8ab, -0x69db8874, -0x16587414, 0x0ad6f3ce, 0x0d743c4f, -0x6b75387f, -0x55130334, 0x76627935 },
+        { -0x2f92b599, 0x3d420811, -0x6f1f001d, -0x4103fb7b, -0x42b78422, -0x078f3949, 0x319afa28, 0x6e2a7316 },
+        { -0x292a6561, 0x56a8ac24, 0x3096f006, -0x37248ac2, -0x70b3ad67, 0x477f41e6, -0x09379eec, 0x588d851c }
+    },
+},
+{
+    {
+        { 0x77d1f515, -0x32d59a19, -0x70559f0f, 0x54899187, -0x2543f91b, -0x4e48c444, -0x56833605, 0x654878cb },
+        { -0x72094f02, 0x51138ec7, -0x1a8a0ae5, 0x5397da89, 0x717af1b9, 0x09207a1d, 0x2b20d650, 0x2102fdba },
+        { 0x055ce6a1, -0x69611bfb, 0x1251ad29, 0x36bca768, -0x55825beb, 0x3a1af517, 0x29ecb2ba, 0x0ad725db }
+    },
+    {
+        { -0x64fa907b, -0x013843f4, -0x180a0029, 0x537d5268, 0x4312aefa, 0x77afc662, 0x02399fd9, 0x4f675f53 },
+        { -0x7cb1dba9, -0x23bd984f, 0x70ce1bc5, -0x498abb4b, -0x082ea129, 0x1af07a0b, 0x71a03650, 0x4aefcffb },
+        { 0x0415171e, -0x3cd2c9ca, -0x7667b7c5, -0x32d410ef, -0x2f6baef0, -0x78f59153, -0x5d579a9f, 0x0bccbb72 }
+    },
+    {
+        { 0x50fe1296, 0x186d5e4c, -0x01176082, -0x1fc6847e, 0x507031b0, 0x3bc7f6c5, 0x108f37c2, 0x6678fd69 },
+        { -0x154e5638, 0x185e962f, 0x65147dcd, -0x791819cb, -0x44a4920e, -0x4f6d1fcf, 0x59d6b73e, 0x4024f0ab },
+        { 0x636863c2, 0x1586fa31, 0x572d33f2, 0x07f68c48, 0x789eaefc, 0x4f73cc9f, -0x7152b8ff, 0x2d42e210 }
+    },
+    {
+        { 0x0f537593, 0x21717b0d, 0x131e064c, -0x6eb196f5, 0x752ae09f, 0x1bb687ae, -0x64bdc392, 0x420bf3a7 },
+        { -0x6b202d65, -0x680aeceb, 0x313f4c6a, 0x6155985d, 0x08455010, -0x145ec0f9, -0x472d2cde, 0x676b2608 },
+        { 0x1c5b2b47, -0x7ec7459b, 0x311b1b80, -0x798e4914, -0x43ceca50, 0x7bff0cb1, -0x63f30e20, 0x745d2ffa }
+    },
+    {
+        { 0x21d34e6a, 0x6036df57, -0x66844c30, -0x4e2477d9, -0x378a9506, -0x2c3df63d, 0x4c1dc839, 0x06e15be5 },
+        { 0x2bc9c8bd, -0x40ada5e2, 0x26479d81, -0x15a4d9f8, -0x20feaa25, -0x2aee38f2, -0x69f30a30, 0x1ae23ceb },
+        { 0x1932994a, 0x5b725d87, -0x314e2550, 0x32351cb5, -0x254835fb, 0x7dc41549, 0x278ec1f7, 0x58ded861 }
+    },
+    {
+        { -0x493d3658, 0x2dfb5ba8, -0x0ad3a674, 0x48eeef8e, -0x0ed2ea8d, 0x33809107, 0x531d5bd8, 0x08ba696b },
+        { -0x0d993aa4, -0x27e8c86d, -0x33bab1b7, -0x3736893b, -0x43d93c58, 0x5ce382f8, 0x5485f6f9, 0x2ff39de8 },
+        { -0x3c103a86, 0x77ed3eee, -0x2b00b7ef, 0x04e05517, -0x0e598e35, -0x15c285c1, -0x6b8301ac, 0x120633b4 }
+    },
+    {
+        { 0x4912100a, -0x7d42ceb9, 0x7e6fbe06, -0x21dc8493, 0x11ea79c6, -0x1ee189e7, -0x34c6c422, 0x07433be3 },
+        { -0x6e9effbe, 0x0b949878, -0x13140518, 0x4ee7b13c, -0x6b0f5b40, 0x70be7395, -0x4b2a6e7b, 0x35d30a99 },
+        { 0x5ce997f4, -0x0086bb40, -0x4fa3ae5d, 0x575d3de4, 0x5a76847c, 0x583381fd, 0x7af6da9f, 0x2d873ede }
+    },
+    {
+        { 0x4e5df981, -0x559dfd1f, 0x5015e1f5, -0x5df2a6e9, -0x451de294, 0x18a275d3, 0x01600253, 0x0543618a },
+        { 0x43373409, 0x157a3164, -0x0b557e27, -0x05474812, -0x0a59b7fa, -0x4f6c011a, 0x707fa7b6, 0x2e773654 },
+        { -0x68b3dc3f, 0x0deabdf4, -0x6231b96d, -0x5590f5db, -0x5d6545d4, 0x04202cb8, 0x2d07960d, 0x4b144336 }
+    },
+},
+{
+    {
+        { 0x57c5715e, 0x299b1c3f, 0x6b686d90, -0x69346d62, 0x47235ab3, 0x30048064, -0x5bb2601f, 0x2c435c24 },
+        { 0x53242cec, 0x47b837f7, -0x3fbded0e, 0x256dc48c, -0x1e26d73b, -0x1ddd0405, -0x5275d3f9, 0x48ea295b },
+        { -0x7f077cc1, 0x0607c97c, -0x35da13a5, 0x0e851578, 0x161ebb6f, 0x54f7450b, -0x5f2107f2, 0x7bcb4792 }
+    },
+    {
+        { 0x045224c2, 0x1cecd0a0, 0x69e53952, 0x757f1b1b, 0x5289f681, 0x775b7a92, 0x16736148, 0x1b6cc620 },
+        { 0x2bc73659, -0x7b781c30, 0x059979df, 0x4baf8445, -0x23529041, -0x2e8368a6, -0x2103694a, 0x57369f0b },
+        { 0x75638698, -0x0e5666ff, -0x11559f2d, 0x353dd1be, 0x4c9ba488, -0x7b6b8ecd, 0x43ade311, 0x63fa6e68 }
+    },
+    {
+        { -0x2db4a149, 0x2195becd, -0x3f32bb07, 0x5e41f18c, 0x41ca9ede, -0x20d7f8bc, -0x0ca48299, 0x07073b98 },
+        { 0x6597c168, -0x2ea3dfad, -0x672d7877, -0x608c8c00, 0x3257ba1f, 0x18aee7f1, 0x07346f14, 0x3418bfda },
+        { 0x4ce530d4, -0x2fc39894, 0x3b5df9f4, 0x0b64c047, 0x19b3a31e, 0x065cef8b, 0x533102c9, 0x3084d661 }
+    },
+    {
+        { 0x760321fd, -0x6593178a, -0x6149c528, 0x7fe2b510, -0x7537fa6e, 0x00e7d4ae, -0x44908dc6, 0x73d86b7a },
+        { -0x407b9653, -0x1e094862, -0x1d99cecb, 0x15801004, -0x508be7e5, -0x65b67cd0, 0x049b673c, 0x3ba2504f },
+        { 0x6dba5ab6, 0x0b52b560, -0x444e1255, -0x56ecb0f1, -0x64fb59cb, 0x30a9520d, 0x7973e5db, 0x6813b8f3 }
+    },
+    {
+        { -0x0cea81d7, -0x0e6b35aa, 0x5ef528a5, 0x136d3570, -0x74fa6644, -0x22b31089, 0x24f833ed, 0x7d5472af },
+        { 0x334127c1, -0x67ab4fac, -0x7d0400db, 0x105d0478, 0x44186f4f, -0x24b60807, -0x412f4700, 0x1768e838 },
+        { -0x50cc25b9, -0x2f1078b3, -0x491cc607, 0x00d3be5d, -0x63631132, 0x3f2a8a2f, 0x2352435a, 0x5d1aeb79 }
+    },
+    {
+        { -0x49e4588b, 0x12c7bfae, -0x1d9c4003, -0x47b19de1, 0x5c840dcf, 0x0b47a5c3, -0x335079cc, 0x7e83be0b },
+        { 0x19cd63ca, -0x0a61944d, 0x21d06839, 0x670c1592, 0x2150cab6, -0x4f92a9a5, 0x104f12a3, 0x20fb199d },
+        { 0x6d99c120, 0x61943dee, 0x460b9fe0, -0x79efe0d2, -0x7117a673, 0x6bb2f151, -0x033b8a34, 0x76b76289 }
+    },
+    {
+        { 0x522ec0b3, 0x4245f1a1, 0x2a75656d, 0x558785b2, 0x48a1b3c0, 0x1d485a25, -0x2a701f61, 0x60959ecc },
+        { 0x756286fa, 0x791b4cc1, -0x28b5ea84, -0x24312ce9, -0x158d421a, 0x7e732421, 0x1131c8e9, 0x01fe1849 },
+        { -0x571285f7, 0x3ebfeb7b, -0x1afd8764, 0x49fdc2bb, 0x3c119428, 0x44ebce5d, -0x416b80b6, 0x35e1eb55 }
+    },
+    {
+        { 0x726ccc74, 0x14fd6dfa, 0x2f53b965, 0x3b084cfe, 0x52a2c8b4, -0x0cc51b0b, 0x0d40166a, 0x59aab07a },
+        { -0x3a8c722d, -0x242518ff, -0x4d90e412, -0x063909cb, 0x42f15ef4, 0x61e96a80, -0x509f5b28, 0x3aa1d11f },
+        { -0x6da153db, 0x77bcec4c, 0x60137738, 0x18487184, -0x01560baf, 0x5b374337, -0x371955ba, 0x1865e78e }
+    },
+},
+{
+    {
+        { 0x1c529ccb, -0x6983ab17, 0x64c635fb, 0x30f62692, 0x78121965, 0x2747aff4, -0x150990a4, 0x17038418 },
+        { -0x4991e086, -0x333b4839, -0x0af3d082, 0x44157e25, 0x713eaf1c, 0x3ef06dfc, 0x52da63f7, 0x582f4467 },
+        { 0x20324ce4, -0x39ce842d, -0x5bb7743c, -0x57efbd18, 0x4e5a1364, -0x4de10e75, -0x325d7237, 0x0c2a1c4b }
+    },
+    {
+        { 0x69bd6945, -0x123b7eb8, -0x41e372de, 0x0d6d907d, -0x2aa33a55, -0x39c42dee, -0x5ceb237d, 0x5a6a9b30 },
+        { 0x6f1f0447, -0x2db23830, -0x24783fa7, -0x4dd961c2, -0x044d2d71, -0x2ea4fd8e, -0x3909b789, 0x7c558bd1 },
+        { -0x2c69b9c3, -0x2f13eadc, -0x3ca5db10, 0x12bb628a, 0x1cbc5fa4, -0x5af3c587, 0x0afbafc3, 0x0404a5ca }
+    },
+    {
+        { 0x2a416fd1, 0x62bc9e1b, -0x1cafa675, -0x4a3908d8, 0x3d5d6967, 0x04343fd8, -0x18071168, 0x39527516 },
+        { 0x0aa743d6, -0x73e0bff9, 0x5b265ee8, -0x33452f35, 0x668fd2de, 0x574b046b, -0x352269cd, 0x46395bfd },
+        { 0x1a5d9a9c, 0x117fdb2d, -0x2effa3d6, -0x6388ba44, 0x54d56fea, -0x102b410f, -0x17dd2fea, 0x76579a29 }
+    },
+    {
+        { 0x52b434f2, 0x333cb513, -0x6c217f1f, -0x27cdd7b7, 0x750d35ce, -0x4aaed779, 0x2a2777c1, 0x02c514bb },
+        { 0x49c02a17, 0x45b68e7e, -0x43565c81, 0x23cd51a2, -0x13ddb3e5, 0x3ed65f11, -0x61fa424f, 0x43a384dc },
+        { -0x740e49bb, 0x684bd5da, -0x094ab4ad, -0x04742c82, -0x564f2dad, 0x313916d7, 0x61548059, 0x11609209 }
+    },
+    {
+        { 0x369b4dcd, 0x7a385616, 0x655c3563, 0x75c02ca7, -0x2b0e7fdf, 0x7dc21bf9, -0x6e191fbe, 0x2f637d74 },
+        { 0x29dacfaa, -0x4bb2e997, -0x7beca671, -0x25ad60b4, 0x453d5559, -0x16109c36, -0x3a9671f5, 0x351e125b },
+        { 0x1af67bbe, -0x2b4b64ba, -0x3754769f, -0x29fcfc86, -0x06596605, 0x71dee19f, -0x1831d566, 0x7f182d06 }
+    },
+    {
+        { -0x71de8ade, 0x09454b72, -0x2b7b4728, -0x55a7170c, 0x7f46903c, -0x2ca7dab3, 0x241c5217, 0x44acc043 },
+        { -0x54fe9714, 0x7a7c8e64, 0x15edc543, -0x34a5b5ab, 0x47cd0eda, 0x095519d3, 0x343e93b0, 0x67d4ac8c },
+        { 0x4f7a5777, 0x1c7d6bbb, -0x6e7cec1f, -0x74ca012c, -0x3694b97c, 0x4adca1c6, 0x12ad71bd, 0x556d1c83 }
+    },
+    {
+        { -0x4ee417df, -0x7e0f98aa, 0x10a3f3dd, 0x0faff823, 0x6a99465d, -0x074d2fab, -0x337380fb, 0x097abe38 },
+        { 0x0c8d3982, 0x17ef40e3, 0x15a3fa34, 0x31f7073e, 0x0773646e, 0x4f21f3cb, 0x1d824eff, 0x746c6c6d },
+        { 0x7ea52da4, 0x0c49c987, -0x6423e2bd, 0x4c436955, -0x0833142e, 0x022c3809, 0x4bee84bd, 0x577e14a3 }
+    },
+    {
+        { -0x42b228d5, -0x6b013142, 0x060f2211, -0x0b95b026, -0x3f372e01, 0x124a5977, -0x04ff6d6b, 0x705304b8 },
+        { 0x61a73b0a, -0x0f1d9754, 0x3791a5f5, -0x0d0505f0, 0x6b6d00e9, -0x3e1ec17e, 0x6fd78f42, 0x60fa7ee9 },
+        { 0x4d296ec6, -0x49c2e2cb, 0x5fad31d8, -0x0c3cfac2, -0x4b42bd14, 0x670b958c, -0x5e9cac03, 0x21398e0c }
+    },
+},
+{
+    {
+        { -0x79e48166, -0x793a03ea, 0x6a27c451, -0x095ccfb9, -0x5e16ca69, 0x01667267, 0x6082dfeb, 0x05ffb9cd },
+        { -0x72582d11, 0x216ab2ca, -0x660bd7d9, 0x366ad9dd, 0x4fdd3c75, -0x519b4700, 0x53909e62, 0x403a395b },
+        { -0x0ac09ec7, -0x59e80561, 0x13e66cb6, 0x60f2b5e5, -0x4cbb755c, -0x28574111, 0x6f5ea192, 0x7a293285 }
+    },
+    {
+        { 0x79639302, -0x4763bbb8, 0x50c67f2c, 0x4ae4f193, -0x37e5063a, -0x0f4ca258, 0x46871017, 0x39d00035 },
+        { -0x4fd21778, 0x0b39d761, -0x2dbeb1e1, 0x5f550e7e, 0x22e1a940, -0x59405ba8, -0x02bb8467, 0x050a2f7d },
+        { -0x59af2489, 0x437c3b33, -0x453ad44e, 0x6bafe81d, 0x2db7d318, -0x0166bfd3, 0x372ba6ce, 0x2b5b7eec }
+    },
+    {
+        { 0x613ac8f4, -0x596bbfb3, -0x056818d4, 0x500c3c2b, 0x1fcec210, -0x78befb2e, -0x79fb5712, 0x1b205fb3 },
+        { -0x7c0af111, -0x4c43b443, -0x736d879a, 0x508f0c99, -0x37481992, 0x43e76587, -0x5b806727, 0x0f7655a3 },
+        { -0x2db4ecc4, 0x55ecad37, 0x6038c90b, 0x441e147d, -0x29d39012, 0x656683a1, -0x781f1352, 0x0157d5dc }
+    },
+    {
+        { -0x28e14adc, -0x6ad9aaec, 0x5df14593, -0x19fc277f, 0x0d4de6b7, 0x147cdf41, 0x0437c850, 0x5293b173 },
+        { 0x0354c13d, -0x0d5850af, -0x55c8d4a0, -0x285f4ebb, 0x05a3d470, 0x2869b96a, -0x7db9fe8d, 0x6528e42d },
+        { 0x4bccf226, 0x23d0e081, -0x7e69046d, -0x6d38ba33, 0x59541e5b, -0x749e8694, -0x3fde0688, 0x40a44df0 }
+    },
+    {
+        { 0x4bc5d095, -0x793691af, -0x03597fb6, -0x0df2bf68, -0x37d915a3, 0x27363d89, 0x5719cacf, 0x39ca3656 },
+        { 0x4f20ea6a, -0x25579677, 0x4c620618, -0x15eb5c2f, 0x090bf8be, 0x6001fccb, -0x6b816310, 0x35f4e822 },
+        { 0x6f87b75c, -0x68af90d1, 0x034ae070, -0x39db5160, -0x552cb22a, 0x1ec856e3, -0x1bbf1a71, 0x055b0be0 }
+    },
+    {
+        { 0x6ea33da2, 0x4d12a04b, -0x1c9ed923, 0x57cf4c15, -0x11bb2699, -0x6f13698b, 0x2a985aac, 0x64ca348d },
+        { -0x768ca2ee, 0x6469a17d, -0x199d460f, -0x2490d82b, 0x6a395681, -0x60345cd8, -0x2d9650db, 0x363b8004 },
+        { -0x1b3b6ed3, -0x66a771e7, 0x1ca5ce6b, -0x1033c4b2, -0x05a4672b, 0x4522ea60, 0x1de4a819, 0x7064bbab }
+    },
+    {
+        { 0x42542129, -0x5d6f3f9f, -0x4172a470, -0x0d1d3d52, 0x76abfe1b, -0x30dba725, -0x7c29d941, 0x02157ade },
+        { 0x5a770641, -0x46e61eaf, 0x4e7f8039, -0x565d1d39, 0x3df23109, 0x7527250b, -0x53d84875, 0x756a7330 },
+        { 0x1b9a038b, 0x3e46972a, 0x7ee03fb4, 0x2e4ee66a, 0x6edbb4ca, -0x7e5db789, -0x7132fa9d, 0x1a944ee8 }
+    },
+    {
+        { 0x182362d6, -0x44bf57a7, -0x75b2e545, -0x4660aa89, 0x758559f6, -0x72e74bd9, 0x4d26235a, 0x26c20fe7 },
+        { 0x51039372, -0x2a56e2ef, -0x6635d922, 0x2ed377b7, -0x02c99495, -0x5e8dfd54, -0x296fe66b, 0x0730291b },
+        { -0x1633dd0b, 0x648d1d9f, 0x28dd577c, 0x66bc5619, 0x652439d1, 0x47d3ed21, -0x125074b7, 0x49d271ac }
+    },
+},
+{
+    {
+        { -0x4b48a9ff, 0x2798aaf9, 0x5c8dad72, 0x5eac7213, 0x61b7a023, -0x2d31559f, -0x167082b2, 0x1bbfb284 },
+        { 0x382b33f3, -0x760afa76, -0x52b73f4c, 0x5ae2ba0b, -0x5ac24c92, -0x706c4afd, -0x6a5dcd1a, 0x5aa3ed9d },
+        { -0x38269a9f, 0x656777e9, 0x72c78036, -0x34d4edac, -0x26af9112, 0x65053299, 0x5e8957cc, 0x4a07e14e }
+    },
+    {
+        { -0x3b885b65, 0x240b58cd, 0x6447f017, -0x02c72522, -0x58379553, 0x19928d32, -0x7b505f7f, 0x50af7aed },
+        { -0x67f20667, 0x4ee412cb, 0x3c6ec771, -0x5cea2891, -0x6da38803, -0x445a1222, 0x1d313402, 0x3f0bac39 },
+        { 0x15f65be5, 0x6e4fde01, 0x216109b2, 0x29982621, 0x0badd6d9, 0x78020581, -0x45142ffa, 0x1921a316 }
+    },
+    {
+        { -0x260c3e75, -0x28a55266, 0x60b1c19c, 0x566a0eef, 0x255c0ed9, 0x3e9a0bac, -0x5f9d380b, 0x7b049dec },
+        { -0x20478f04, -0x76bdd082, 0x4f76b3bd, 0x2c296beb, 0x36c24df7, 0x0738f1d4, -0x1d8c5150, 0x6458df41 },
+        { 0x35444483, -0x23341c86, 0x0fedbe93, 0x75887933, 0x12c5dd87, 0x786004c3, -0x3d6af19c, 0x6093dccb }
+    },
+    {
+        { 0x6084034b, 0x6bdeeebe, 0x780fb854, 0x3199c2b6, -0x49d2f96b, -0x68cc8955, -0x749b8270, 0x6e3180c9 },
+        { -0x7a1f8f93, 0x1ff39a85, -0x4c18c6cd, 0x36d0a5d8, 0x718f453b, 0x43b9f2e1, 0x4827a97c, 0x57d1ea08 },
+        { -0x5ed74f8f, -0x11854919, -0x6c577456, -0x5b3ea693, -0x4dde9ed0, -0x084b217e, -0x226842e8, 0x363e999d }
+    },
+    {
+        { -0x1db4513a, 0x2f1848dc, -0x454350a0, 0x769b7255, 0x3cefe931, -0x6f34c392, -0x39064cab, 0x231f979b },
+        { 0x35ee1fc4, -0x6957bc3f, 0x08e4c8cf, -0x68914cab, -0x4a732cd0, -0x4bd097ff, 0x693a052b, 0x48ee9b78 },
+        { -0x33d50c3a, 0x5c31de4b, -0x01df72e1, -0x4fb44fd0, -0x3eb04b9a, -0x48728ff7, 0x08792413, 0x079bfa9b }
+    },
+    {
+        { -0x5d2abdbb, -0x0c361280, 0x77f63952, 0x0aa08b78, -0x2ef7ab8b, -0x2892539d, -0x6b8f9c95, 0x1ef4fb15 },
+        { -0x25cff20c, -0x1c6fc5af, 0x3da95ab0, -0x7bc69bdd, 0x0b356480, -0x12c30ed3, -0x7b7e8e6c, 0x038c77f6 },
+        { 0x5b167bec, -0x7ab1a11a, -0x692f323e, 0x59590a42, -0x67efde67, 0x72b2df34, 0x4a0bff56, 0x575ee92a }
+    },
+    {
+        { 0x0aa4d801, 0x5d46bc45, -0x5acc4628, -0x3c50edd9, 0x2b8906c2, 0x389e3b26, 0x382f581b, 0x200a1e7e },
+        { -0x75e7d031, -0x2b3f7f70, -0x66b76243, 0x30e170c2, 0x52f733de, 0x05babd57, 0x2cd3fd00, 0x43d4e711 },
+        { -0x1506c53b, 0x518db967, 0x056652c0, 0x71bc989b, 0x567197f5, -0x01d47a27, 0x651e4e38, 0x050eca52 }
+    },
+    {
+        { 0x60e668ea, -0x6853c68a, 0x153ab497, -0x64e64402, 0x34eca79f, 0x4cb179b5, -0x5ece51a9, 0x6151c09f },
+        { 0x453f0c9c, -0x3cbce522, -0x008fc465, -0x160afba2, -0x127b84c3, -0x03268537, 0x1c58f4c6, 0x4b0ee6c2 },
+        { -0x020fa26a, 0x3af55c0d, 0x2ab4ee7a, -0x22d9d120, 0x12171709, 0x11b2bb87, -0x7ff0fcf5, 0x1fef24fa }
+    },
+},
+{
+    {
+        { -0x6fe99de0, -0x006e5996, 0x5bf1e009, -0x0ddaad52, 0x7f90df7c, 0x7dff85d8, 0x0c736fb9, 0x4f620ffe },
+        { 0x6b6c6609, -0x4b69edc6, -0x7f54a6c8, -0x58af017b, -0x483d85a1, -0x0b8e40c7, 0x77ac193c, 0x507903ce },
+        { -0x2021c1cc, 0x62f90d65, -0x4605a053, -0x30d73a6e, -0x39e9baf0, -0x66379107, 0x4a256c84, 0x25d44804 }
+    },
+    {
+        { -0x36fdd4ab, 0x2c7c4415, -0x7ed14e02, 0x56a0d241, -0x2849a1f3, -0x0fd15e37, -0x2acdc4da, 0x4180512f },
+        { -0x38164e91, -0x4297dcf2, -0x3e3a86a3, 0x0eb1b9c1, -0x6a494e01, 0x7943c8c4, 0x0bbacf5e, 0x2f9faf62 },
+        { -0x75b75a25, -0x5b00c197, -0x426abfc5, -0x4595c7fa, 0x47d5b65d, -0x60831e51, 0x5939d2fb, 0x15e087e5 }
+    },
+    {
+        { -0x0469c0c8, -0x776be792, -0x239c642b, 0x48a00e80, -0x1693e367, -0x5b17f6d5, -0x35a8c99f, 0x5a097d54 },
+        { 0x745c1496, 0x12207543, -0x25c79ef4, -0x2500c303, 0x2c71c34f, -0x1b1868d9, 0x34bdede9, 0x39c07b19 },
+        { 0x17c9e755, 0x2d45892b, -0x76cf7208, -0x2fcc028e, 0x525b8bd9, 0x6c2fe9d9, -0x3ee33f87, 0x2edbecf1 }
+    },
+    {
+        { -0x2f785da1, -0x11f0f023, 0x5c3e34ee, -0x638aceab, -0x7054c54b, 0x660c572e, 0x544cd3b2, 0x0854fc44 },
+        { -0x38ea5f2e, 0x1616a4e3, -0x07cbe2b3, 0x53623cb0, -0x38176635, -0x6910acd7, -0x5997455a, 0x3d4e8dbb },
+        { 0x55edad19, 0x61eba0c5, -0x0f57c21a, 0x24b533fe, -0x7c455a08, 0x3b770428, -0x675b8173, 0x678f82b8 }
+    },
+    {
+        { 0x57775696, 0x1e09d940, 0x3cd951db, -0x112ed9a4, 0x20bce16f, -0x056253d5, -0x172f760c, 0x0f7f76e0 },
+        { -0x296ff3ac, -0x4eb6e2f5, -0x62ecd9ca, 0x3539722c, 0x0b362bc9, 0x4db92892, -0x59749621, 0x4d7cd1fe },
+        { -0x2b7a4ff4, 0x36d9ebc5, -0x1b524c9b, -0x5da69b6e, -0x3dee6333, -0x3e9a6b80, 0x186e0d5f, 0x45306349 }
+    },
+    {
+        { 0x2b072491, -0x695beb14, 0x27a7b65b, 0x1bb22181, 0x6e8a4af0, 0x6d284959, -0x32d889a1, 0x65f3b08c },
+        { -0x593200e3, -0x6b222f3f, -0x17bdec52, 0x55f6f115, -0x66d03096, 0x6c935f85, 0x4a37f16f, 0x067ee0f5 },
+        { 0x199801f7, -0x134d6001, -0x5d5f08d1, -0x62c9e2e1, 0x75fd2f49, 0x25f11d23, 0x0fe10fe2, 0x124cefe8 }
+    },
+    {
+        { 0x31b16489, 0x1518e85b, -0x248ef405, -0x70552349, -0x5eb51dc7, 0x39b0bdf4, 0x503d20c1, 0x05f4cbea },
+        { -0x2e720dab, 0x4c126cf9, 0x147a63b6, -0x3e2b8e17, -0x0c36c4a1, 0x2c6d3c73, -0x1c00795e, 0x6be3a6a2 },
+        { -0x3fbeba44, -0x31fbf162, 0x08f6834c, -0x38e00b1e, -0x5477b85d, -0x42ab9173, -0x5b2d545b, 0x64666aa0 }
+    },
+    {
+        { 0x3337e94c, -0x4f3ac409, 0x11e14f15, 0x7cb5697e, 0x1930c750, 0x4b84abac, -0x1f9bfb98, 0x28dd4abf },
+        { 0x7c06d912, 0x6841435a, -0x44c07cf5, -0x35edc3df, -0x4e341d88, -0x2b4c84d9, -0x3890afba, 0x1d753b84 },
+        { 0x44cb9f44, 0x7dc0b64c, -0x1c6da241, 0x18a3e1ac, 0x2d0457c4, 0x7a303486, -0x75f376d2, 0x4c498bf7 }
+    },
+},
+{
+    {
+        { 0x30976b86, 0x22d2aff5, -0x3d2db9fc, -0x726f47fa, 0x4de5bae5, -0x235e7694, -0x37cbf3e9, 0x28005fe6 },
+        { 0x1aa73196, 0x37d653fb, 0x3fd76418, 0x0f949530, -0x04c5e84e, -0x52dff4f7, 0x2fc8613e, 0x544d4929 },
+        { 0x34528688, 0x6aefba9f, 0x25107da1, 0x5c1bff94, 0x66d94b36, -0x08a44433, 0x0f316dfa, 0x72e47293 }
+    },
+    {
+        { -0x2cd589d9, 0x07f3f635, 0x5f6566f0, 0x7aaa4d86, 0x28d04450, 0x3c85e797, 0x0fe06438, 0x1fee7f00 },
+        { -0x687ef7b1, 0x2695208c, 0x23450ee1, -0x4eafd5f5, 0x03efde02, -0x0262515a, 0x2733a34c, 0x5a9d2e8c },
+        { 0x03dbf7e5, 0x765305da, 0x1434cdbd, -0x5b250db7, -0x2db57714, 0x7b4ad5cd, -0x11fbfabd, 0x00f94051 }
+    },
+    {
+        { 0x07af9753, -0x28106c45, 0x3db766a7, 0x583ed0cf, 0x6e0b1ec5, -0x31966741, 0x5dd40452, 0x47b7ffd2 },
+        { -0x3c2ccf4e, -0x72ca94dd, -0x4fb8e4fa, -0x0de37465, 0x6e42b83c, -0x4c93ce94, -0x74154ef3, 0x07d79c7e },
+        { -0x43f722ee, -0x78040464, -0x1e113d65, -0x75f994c6, -0x24e03e41, 0x0d57242b, 0x5ea64bb6, 0x1c3520a3 }
+    },
+    {
+        { 0x216bc059, -0x325790c0, 0x12bcd87e, 0x1fbb231d, 0x17c70990, -0x4b6a9562, 0x66d12e55, 0x38750c3b },
+        { -0x43345cb6, -0x7f2dac5a, 0x3838219b, 0x3e61c3a1, -0x677d1c6a, -0x6f3c49ff, 0x5d0ee66f, 0x1c3d0577 },
+        { -0x6bdd1ae6, 0x692ef140, 0x2b5df671, -0x343f38c4, 0x744ce029, 0x21014fe7, -0x2ccfb784, 0x0621e2c7 }
+    },
+    {
+        { -0x4f240f0d, -0x4851e86a, -0x1e831e6a, 0x54dfafb9, -0x16555c4c, 0x25923071, -0x5effd163, 0x5d8e589c },
+        { -0x7da67c73, -0x50679f34, -0x39606524, -0x6f15b73f, 0x65581e30, 0x65264837, 0x7bd3a5bc, 0x0007d609 },
+        { 0x0842a94b, -0x3f40e26b, 0x588f2e3e, -0x4d2c3c9d, -0x44ae1d11, 0x0a961438, 0x3c1cbf86, 0x1583d778 }
+    },
+    {
+        { -0x3362d739, -0x6ffcb8fc, -0x08d33a71, 0x1d1b679e, -0x41a478da, 0x16e12b5f, -0x7c3aa7f6, 0x4958064e },
+        { 0x5da27ae1, -0x13115d11, 0x55670174, 0x597c3a14, 0x6609167a, -0x3659d5ee, -0x7e127090, 0x252a5f2e },
+        { 0x5066e80d, 0x0d289426, 0x307c8c6b, -0x033c087b, 0x0c1112fd, 0x1b53da78, -0x27bc4c78, 0x079c170b }
+    },
+    {
+        { -0x3f2a2faa, -0x322932b0, -0x44fca8c5, -0x65089793, -0x0c3c10b8, 0x3ca6723f, 0x317b8acc, 0x6768c0d7 },
+        { 0x64fa6fff, 0x0506ece4, 0x6205e523, -0x411cbce2, 0x51b8ea42, 0x35794224, 0x4ac9fb00, 0x6dec05e3 },
+        { -0x0eaa3e4d, -0x6b49da1b, -0x6684846f, 0x417bf3a7, 0x6d6b2600, -0x3dd34224, -0x2232ad0c, 0x51445e14 }
+    },
+    {
+        { 0x2bbea455, -0x76ceb855, -0x6df86ed7, -0x73ac5db1, -0x41cf0859, 0x4b49f948, 0x6e4fd43d, 0x12e99008 },
+        { 0x3b144951, 0x57502b4b, 0x444bbcb3, -0x71980095, 0x166385db, -0x474296d9, -0x1c6d6a38, 0x13186f31 },
+        { 0x7fdfbb2e, -0x0ef3694d, 0x121ceaf9, -0x60656ca2, 0x3a5b983f, -0x20eec93c, 0x5d3e99af, 0x77b2e3f0 }
+    },
+},
+{
+    {
+        { -0x33a32d65, -0x6acd0b71, -0x5c31c98f, 0x2ba851be, 0x51122941, 0x32dacaa0, 0x350004f2, 0x478d99d9 },
+        { -0x630ed9a9, -0x02f28a79, -0x1ac5f1d7, -0x17d0106c, 0x5bbb4be7, -0x33cb5810, -0x5af3c75e, 0x0b251172 },
+        { -0x6f44fd40, 0x1d5ad948, 0x0ec25115, 0x50e208b1, 0x4ef21702, -0x5d95dd77, 0x3b524805, 0x4dc92334 }
+    },
+    {
+        { -0x0c93b68b, 0x3ad3e3eb, 0x37862125, -0x28a2da5b, -0x5fda5aea, -0x178c6bc3, -0x3bee37b9, 0x6bbc7cb4 },
+        { 0x0f8086b6, -0x1c7d73c0, -0x6860f238, 0x3f77e6f7, 0x4df42cb4, 0x7ef6de30, -0x4954287c, 0x5265797c },
+        { -0x2b5af2aa, 0x3c6f9cd1, -0x39015482, -0x49dbbf89, 0x3580972e, 0x6ff9bf48, -0x4ccd5305, 0x00375883 }
+    },
+    {
+        { 0x6c75c99c, -0x3674137b, 0x00e33cf4, -0x1bbe7b40, -0x456f89cc, 0x0a676b9b, 0x71f379d7, 0x669e2cb5 },
+        { 0x28cb0940, 0x0001b2cd, 0x6f1c24c9, 0x63fb51a0, -0x232a35cf, -0x4a52796f, -0x73baf9a0, 0x67238dbd },
+        { -0x5b642cf8, -0x34ee948d, 0x2392729e, 0x025aad6b, 0x3f55d9b1, -0x4b86c106, 0x40678bb9, 0x72a10561 }
+    },
+    {
+        { -0x1d1afa4a, 0x0d8d2909, -0x3fd6edd0, -0x67358755, -0x564edcd9, 0x77ef5569, -0x7ebc64b9, 0x7c77897b },
+        { 0x1cc9249d, -0x5d497ed5, 0x21211f58, 0x62866eee, 0x5df10ece, 0x2cb5c5b8, -0x1d9c5200, 0x03a6b259 },
+        { -0x21cce34b, -0x0e3e4a1e, 0x15fca420, 0x5a9f5d8e, 0x7bd932b1, -0x605bc70f, 0x1c6146e7, 0x2a381bf0 }
+    },
+    {
+        { -0x4acbe991, -0x083f41ce, 0x19cf70d4, 0x27e6ca64, -0x56a858a7, -0x6cb20829, -0x54213d56, 0x5701461d },
+        { -0x3037ee3f, -0x53646787, 0x3756e567, -0x7482d67f, 0x7c70edfc, 0x50da4e60, -0x77bbff4a, 0x5dbca62f },
+        { 0x2c915c25, 0x2c674740, 0x0b0d340a, 0x1bdcd1a8, 0x07b43f5f, 0x5e5601bd, 0x5539a242, 0x2555b4e0 }
+    },
+    {
+        { -0x781b9c2c, 0x78409b1d, -0x32049c63, -0x52b256a6, 0x55259b9c, -0x13d788c9, -0x3cedcf55, 0x69c806e9 },
+        { 0x66ddd216, 0x6fc09f52, -0x371c8fb8, -0x231a9f59, -0x5d209d03, -0x139a6c63, -0x1ad12e6e, 0x7a869ae7 },
+        { 0x14bb3f22, 0x7b48f574, -0x51233378, 0x68c7cee4, 0x79ed80be, -0x12d06c9f, 0x5f77bc4b, 0x25d70b88 }
+    },
+    {
+        { -0x44e51b2c, -0x67ba62d7, 0x39f954ec, 0x56b9c4c7, -0x3d64b4c2, -0x7cd8bc0a, -0x67497876, 0x21ea8e27 },
+        { 0x762bf4de, 0x4151c3d9, 0x2745d82b, 0x083f435f, 0x0d23ddd5, 0x29775a2e, 0x69a5db24, 0x138e3a62 },
+        { 0x6a5a7b9c, -0x78410b4c, 0x5fc1d062, -0x2dd662e5, -0x22cde9b8, -0x7dbf67e8, -0x1a5d1fc3, 0x5c5abeb1 }
+    },
+    {
+        { 0x1306a233, 0x02cde6de, 0x116f8ec7, 0x7b5a52a2, -0x3ee9c4a5, -0x1e397e0c, 0x60d32643, 0x241d3506 },
+        { -0x48c3d225, 0x14722af4, 0x5a05060d, -0x43b8f3a1, 0x2581b02e, 0x00943eac, 0x1f499c8f, 0x0e434b3b },
+        { 0x0ebc52c7, 0x6be4404d, -0x4e586e0b, -0x51b9dcc5, -0x2da24bd5, 0x2aec170e, 0x6645d694, 0x1d8dfd96 }
+    },
+},
+{
+    {
+        { 0x12ddb0a4, -0x2a679c64, -0x3fdb7995, -0x5a2e60d0, 0x58fce460, -0x2e83d0fd, 0x2e095e8a, 0x07a19515 },
+        { -0x63d13b22, 0x296fa9c5, 0x4f84f3cb, -0x43749e41, 0x17a8f908, 0x1c7706d9, 0x7ad3255d, 0x63b795fc },
+        { 0x389e5fc8, -0x57c970fe, -0x30721bc5, -0x6fbcc4fe, -0x3abed9bd, -0x505e02a3, 0x032f0137, 0x3e8fe83d }
+    },
+    {
+        { -0x17102ec4, 0x08704c8d, 0x33e03731, -0x203ae572, 0x1260cde3, -0x5a62a25b, -0x59da737a, 0x22d60899 },
+        { 0x0570a294, 0x2f8b15b9, 0x67084549, -0x6b0dbd90, 0x61bbfd84, -0x21e3a51f, 0x7fac4007, 0x75ba3b79 },
+        { 0x70cdd196, 0x6239dbc0, 0x6c7d8a9a, 0x60fe8a8b, -0x14bfeda0, -0x4c77b844, -0x788861a2, 0x0904d07b }
+    },
+    {
+        { 0x48f940b9, -0x0bcdd29a, -0x42d2f3c7, 0x06952f0c, -0x5f7e06cf, 0x167697ad, -0x4508d594, 0x6240aace },
+        { -0x22456e64, -0x4b31e02c, -0x38b37256, -0x30ce24c2, -0x527933af, 0x2c63cc63, -0x43e221f9, 0x43e2143f },
+        { 0x5ba295a0, -0x07cb8b64, -0x35c82da6, -0x296b83a5, -0x1836ce96, 0x66f13ba7, -0x724bf354, 0x56bdaf23 }
+    },
+    {
+        { -0x3e62c44e, 0x1310d36c, 0x622386b9, 0x062a6bb7, -0x285eb0a4, 0x7c9b8591, 0x7e1e5754, 0x03aa3150 },
+        { -0x0acacc15, 0x362ab9e3, 0x6eb93d40, 0x338568d5, 0x1d5a5572, -0x61f1ebae, -0x7c8bece8, 0x1d24a86d },
+        { -0x002b31e1, -0x0b1389b8, 0x54ac8c1c, -0x1fba1510, 0x1d09357c, -0x772dda7e, -0x6514b7a7, 0x43b261dc }
+    },
+    {
+        { 0x6c951364, 0x19513d8b, 0x000bf47b, -0x6b018eda, -0x2ab06a99, 0x028d10dd, 0x42940964, 0x02b4d5e2 },
+        { -0x77448645, -0x1aa4e1e7, -0x3e85ca63, -0x5f612f83, 0x603dea33, -0x4fd3d11e, 0x5b276bc2, 0x326055cf },
+        { 0x28d18df2, -0x4b5eaa35, 0x186ce508, -0x1533b9ba, 0x6c824389, -0x3b630b6d, -0x51a2cbf0, 0x27a6c809 }
+    },
+    {
+        { -0x3bc296ac, -0x32d3d8f6, 0x6a66cab2, -0x22b5c1a9, 0x69d7036c, 0x79fa5924, 0x3d8c2599, 0x22150360 },
+        { 0x1f0db188, -0x74591433, 0x675a5be8, 0x37d3d73a, 0x15f5585a, -0x0dd1205d, -0x009f5e82, 0x2cb67174 },
+        { 0x390be1d0, 0x59eecdf9, 0x728ce3f1, -0x56bddfbc, 0x7a94f0f4, -0x7d76e39a, 0x3890f436, 0x7b1df4b7 }
+    },
+    {
+        { 0x07f8f58c, 0x5f2e2218, -0x2b6bf62c, -0x1caaa361, 0x1fb6a630, -0x4d555773, -0x2cad1fc3, 0x68698245 },
+        { -0x4c4d5ddc, -0x1b6d0d20, 0x2b551160, 0x7c6c9e06, 0x0d7f7b0e, 0x15eb8fe2, 0x58fc5992, 0x61fcef26 },
+        { 0x2a18187a, -0x244ea27b, -0x79225329, -0x0c1b552d, 0x0ff6c482, 0x44bae281, 0x3daf01cf, 0x46cf4c47 }
+    },
+    {
+        { -0x0eb67ec0, 0x213c6ea7, 0x392b4854, 0x7c1e7ef8, 0x5629ceba, 0x2488c38c, 0x0d8cc5bb, 0x1065aae5 },
+        { -0x613b1a07, 0x426525ed, 0x16903303, 0x0e5eda01, -0x341a3524, 0x72b1a7f2, 0x14eb5f40, 0x29387bcd },
+        { -0x20dff2a9, 0x1c2c4525, -0x403598b6, 0x5c3b2dd6, -0x1e7cbfd0, 0x0a07e7b1, 0x4f1ce716, 0x69a198e6 }
+    },
+},
+{
+    {
+        { -0x61d2b8cc, 0x7b26e56b, -0x7e39e98b, -0x3b38ecd5, -0x13632181, -0x10a36adb, -0x18e8bc53, 0x39c80b16 },
+        { -0x10562969, 0x7afcd613, 0x1c067959, 0x0cc45aa4, -0x3e05256a, -0x5a901efc, 0x72e40365, 0x3a73b704 },
+        { 0x1b826c68, 0x0f196e0d, 0x4960e3db, -0x08e00f1e, 0x23b7436c, 0x61131670, 0x77da7282, 0x0cf0ea58 }
+    },
+    {
+        { 0x3ba6945a, -0x1ccd312c, -0x177e3fa3, -0x21f4ec9f, 0x5e67ed3b, 0x1ad40f09, -0x4739c2a3, 0x5da8acda },
+        { -0x222b3343, 0x196c80a4, -0x6a0d2263, 0x22e6f55d, 0x40d6c71b, -0x38a1cc39, -0x34c3fbd1, 0x7bb51279 },
+        { 0x3a70159f, -0x3b4999b6, 0x0a904e14, 0x76194f0f, -0x5bf693ed, -0x5a9eb3c7, -0x68601313, 0x6cd0ff50 }
+    },
+    {
+        { -0x4fb45e72, 0x7fecfabd, 0x3bddbcf7, -0x2f038404, 0x057a131c, -0x5be2b792, -0x0dddc59f, 0x641a4391 },
+        { -0x70bbd754, -0x3f1f9819, -0x59eeca1d, 0x14835ab0, 0x38062935, -0x0de2eb0d, -0x20fb7b64, 0x6390a4c8 },
+        { -0x59f95725, -0x3a3946a6, -0x4f97da0f, -0x6eb48062, 0x44fc9eff, 0x2a731f6b, 0x62705cfc, 0x30ddf385 }
+    },
+    {
+        { 0x68bcd52c, 0x33bef2bd, 0x69482ef2, -0x39b62450, 0x41cb1aee, -0x4a4911f4, 0x0212a7e5, 0x5c294d27 },
+        { -0x2e400807, 0x4e3dcbda, 0x20645717, -0x36ee717e, 0x0f189d56, -0x45333144, -0x2bb98998, 0x1b4822e9 },
+        { 0x25563781, -0x54c9f581, 0x480f7958, 0x2512228a, 0x6114b4e3, -0x38a2fad9, -0x268901d6, 0x222d9625 }
+    },
+    {
+        { 0x0a344f85, 0x0f94be7e, -0x780dd3c8, -0x14d05574, 0x4ee16f0f, -0x631e18a2, 0x18a08dea, 0x43e64e54 },
+        { -0x4c8d531f, 0x1c717f85, 0x4638bf18, -0x7e6cf197, 0x6bc08b58, 0x239cad05, -0x7807000c, 0x0b34271c },
+        { 0x1a35ce63, -0x7eaa1dae, -0x06edfd72, -0x41eff2b3, -0x5a822314, -0x4007f408, 0x6d6bc6e4, 0x57342dc9 }
+    },
+    {
+        { 0x1e707bf6, -0x0c3c4349, 0x7291a762, 0x351d9b8c, -0x252965cd, 0x00502e6e, 0x1ec8807f, 0x522f521f },
+        { -0x3731a668, -0x10110f9b, -0x4a34155e, -0x40fd6af0, 0x20b7c458, -0x739b5efa, 0x31c24855, 0x35134fb2 },
+        { -0x065c6fd5, 0x272c1f46, -0x669a8434, -0x36e45c49, 0x4f8a1c0e, -0x519eb4d0, 0x0b99017b, 0x7afcaad7 }
+    },
+    {
+        { -0x107bd495, -0x577ebe14, -0x6854193b, 0x55e7b147, 0x03784ffe, -0x738b7069, -0x5032ff49, 0x5b50a1f7 },
+        { -0x5b4741bf, -0x3da212ac, 0x1bb0e2dd, -0x6fd2ec1f, -0x3217d54e, 0x41f43233, -0x3c551835, 0x1085faa5 },
+        { -0x0ec9eceb, -0x647bf09a, 0x701003e9, 0x18462242, -0x1b5daf80, 0x65ed45fa, 0x3fda7320, 0x0a286239 }
+    },
+    {
+        { 0x6ecb9d17, -0x69f18c85, -0x2983151f, -0x050db6b8, -0x2aa1e477, 0x37e7a9b4, -0x4b93a615, 0x5cb7173c },
+        { 0x347cbc9d, 0x46ab13c8, -0x663edc7d, 0x3849e8d4, -0x7829b537, 0x4cea3140, -0x4e5d6119, 0x1f354134 },
+        { -0x7d485410, 0x4a89e68b, -0x64594847, -0x0be326d9, -0x1e727891, 0x16e6c210, 0x7f1b09c6, 0x7cacdb0f }
+    },
+},
+{
+    {
+        { -0x233a3513, -0x1efebbcc, 0x3c84fb33, 0x47ed5d96, -0x12795f19, 0x70019576, -0x2d98061c, 0x25b2697b },
+        { -0x26e58744, -0x6f9d4d20, -0x37af6999, 0x47c9889c, 0x405070b8, -0x620ab59a, 0x2493a1bf, 0x7369e6a9 },
+        { 0x13986864, -0x6298c005, 0x415dc7b8, 0x3ca5fbd9, -0x20d8c4a2, -0x1fb133c5, -0x4ab1b32e, 0x1420683d }
+    },
+    {
+        { -0x3e33a530, 0x34eebb6f, -0x69b95375, 0x6a1b0ce9, -0x599421ad, -0x2c4f25b7, 0x61d081c1, 0x31e83b41 },
+        { 0x249dd197, -0x4b8742e2, 0x5e58c102, 0x620c3500, -0x334553a4, -0x04fd2cd1, -0x0af758d3, 0x60b63beb },
+        { -0x61f9d4b1, -0x681738ee, 0x29320ad8, 0x49e48f4f, 0x6f18683f, 0x5bece14b, 0x2d550317, 0x55cf1eb6 }
+    },
+    {
+        { 0x7df58c52, 0x3076b5e3, -0x186633ca, -0x28c54623, 0x4913ee20, -0x427ce31d, 0x62ba0133, 0x1a56fbaa },
+        { 0x65c23d58, 0x58791010, 0x5094819c, -0x7462f793, 0x12c55fa7, -0x1dbfd057, 0x570891d4, 0x669a6564 },
+        { 0x5c9dc9ec, -0x6bc194b0, -0x5883c8e6, 0x302557bb, 0x41347651, -0x678c51aa, -0x663a75a4, 0x13c48367 }
+    },
+    {
+        { 0x5d8bd080, -0x3b230496, 0x571a4842, -0x21143b14, -0x471aac9b, -0x2b4d177d, -0x371a47d9, 0x50bdc87d },
+        { 0x5ab3e1b9, 0x423a5d46, -0x380ec09f, -0x03ec3e79, -0x134a464a, 0x19f83664, -0x59c849f9, 0x66f80c93 },
+        { 0x6edfe111, 0x606d3783, -0x0fee5427, 0x32353e15, 0x25b73b96, 0x64b03ac3, 0x725fd5ae, 0x1dd56444 }
+    },
+    {
+        { 0x08bac89a, -0x3d681a00, -0x151e3c20, 0x7d4cea11, -0x60186884, -0x0c1c741f, 0x63a305cd, 0x3a3a450f },
+        { 0x3362127d, -0x705b8008, 0x71cd7c15, -0x4360953c, 0x49220c8b, 0x6e714543, 0x219f732e, 0x0e645912 },
+        { -0x27c6b9d9, 0x078f2f31, -0x216b5af0, 0x389d3183, 0x17996f80, -0x2e1c9393, -0x6c565785, 0x318c8d93 }
+    },
+    {
+        { -0x54e22c68, 0x5d669e29, 0x342d9e3b, -0x036de9a8, -0x0ca68c33, 0x55851dfd, 0x25950af6, 0x509a41c3 },
+        { 0x2afffe19, -0x0d8ba2fd, 0x7f24db66, 0x0c9f3c49, -0x457a6711, -0x43672c1d, -0x65e2acec, 0x224c7c67 },
+        { -0x5906da17, -0x423f9124, 0x641b1f33, 0x793ef3f4, -0x627cc177, -0x7d13ed80, 0x28a11389, 0x05bff023 }
+    },
+    {
+        { 0x0dc512e4, 0x6881a0dd, 0x44a5fafe, 0x4fe70dc8, -0x70b5adc0, 0x1f748e6b, -0x11fe5c16, 0x576277cd },
+        { 0x23cae00b, 0x36321370, -0x2e5330a7, 0x544acf0a, -0x2de5e378, -0x698befb7, -0x05d5bb59, 0x780b8cc3 },
+        { 0x234f305f, 0x1ef38abc, 0x1405de08, -0x65a88043, 0x34e62a0d, 0x5e82a514, 0x6271b7a1, 0x5ff41872 }
+    },
+    {
+        { 0x13b69540, -0x1a24b818, 0x432610e1, -0x0ca2d5c5, 0x38781276, -0x53e0d917, -0x5f5f3497, 0x29d4db8c },
+        { 0x1789db9d, 0x398e080c, -0x0c18870b, -0x589fdfdb, 0x06bd035d, -0x056776b4, 0x25a966be, 0x106a03dc },
+        { 0x333353d0, -0x2652f551, -0x532cf61b, 0x38669da5, -0x37770810, 0x3c57658a, 0x052cbefa, 0x4ab38a51 }
+    },
+},
+{
+    {
+        { -0x7f621fac, -0x09701d18, -0x637d452f, -0x1c43f696, 0x0aadbf45, 0x076353d4, -0x215e6a62, 0x7b9b1fb5 },
+        { 0x4324c0e9, -0x20253412, 0x3f955bb7, 0x05444288, -0x15ce9f61, -0x21085558, 0x42287cff, 0x68aee706 },
+        { 0x7471cc0c, -0x0fe3370f, 0x579082bb, -0x6adbd1c9, -0x2c1b94a1, 0x27776093, 0x28bd85fb, 0x2d13d55a }
+    },
+    {
+        { 0x7aee7a52, -0x40fe6332, -0x1bab152d, -0x57212d4a, -0x785744e7, 0x3c619f0b, 0x560916d8, 0x3619b5d7 },
+        { 0x5b35b8da, -0x053a2dfa, -0x7a9db449, -0x57257566, 0x3d21cd0f, -0x332d356f, -0x7406f2a8, 0x6b8341ee },
+        { 0x0282c4b2, 0x3579f26b, 0x4fafefae, 0x64d592f2, 0x28c8c7c0, -0x48321285, 0x7173a8d7, 0x6a927b6b }
+    },
+    {
+        { 0x3ece88eb, -0x728fbf7a, -0x7f113f74, -0x0f1cf857, 0x0d788fda, -0x53ddaf9f, 0x3a0d478d, 0x056d92a4 },
+        { -0x6791b9aa, 0x1f6db24f, -0x2e16efa5, 0x1021c02e, 0x2cc0a375, -0x0700c001, -0x3937da6e, 0x1d2a6bf8 },
+        { -0x03c25a5f, 0x1b05a196, 0x43b59ed0, 0x77d7a8c2, -0x682e86e8, 0x06da3d62, -0x0edcac09, 0x66fbb494 }
+    },
+    {
+        { -0x0edcf62a, -0x2928f66a, -0x163c2ac7, -0x2404dc7b, -0x08aadbef, 0x46d602b0, 0x57843e0c, 0x270a0b05 },
+        { -0x27a3f048, 0x751a50b9, -0x7430f685, -0x2e5023db, -0x7cf65697, 0x2f16a6a3, -0x1a4ff9a7, 0x14ddff9e },
+        { -0x5879d434, 0x61ff0640, 0x5f11abfe, -0x7e353f66, 0x55d12abb, -0x6fb87cfc, -0x6ba5178d, 0x19a4bde1 }
+    },
+    {
+        { -0x3f893b61, 0x40c709de, 0x7f3e53f6, 0x657bfaf2, -0x135fbd3c, 0x40662331, 0x7eb4df04, 0x14b37548 },
+        { 0x20a6200a, -0x6460d90b, -0x30ec1508, 0x64804443, -0x79ce122d, -0x759c98c1, 0x1ed39dc1, 0x72bbbce1 },
+        { -0x549923b9, -0x517ac36c, -0x2089d292, -0x149dcbc2, 0x6fb2f7d1, -0x0f71f1e8, 0x700ab37a, 0x4f0b1c02 }
+    },
+    {
+        { -0x3e4d1dc1, 0x79fd21cc, 0x453df52a, 0x4ae7c281, -0x2eaeb795, -0x37e8d137, 0x3e0a7534, 0x68abe944 },
+        { -0x27e6ae06, -0x1e8f9879, -0x4d6f3885, -0x5ef5d372, 0x3ed66773, -0x18c7d060, 0x0bcc4b54, 0x0a4d8471 },
+        { 0x07831dcb, -0x25ed393c, 0x4d5c510d, 0x0da230d7, 0x6bd404e1, 0x4ab1531e, -0x430bbf11, 0x4106b166 }
+    },
+    {
+        { 0x39e4ecf2, -0x5b7a332b, 0x0555bab5, 0x5aa3f3ad, -0x6c8207d3, 0x145e3439, 0x1214283f, 0x1238b51e },
+        { 0x1cd23668, 0x02e57a42, 0x0eaef6fd, 0x4ad9fb5d, -0x4edbbb80, -0x6ab198d9, 0x2699f331, 0x7f792f9d },
+        { 0x5fd4d924, 0x0b886b92, 0x3626a80d, 0x60906f7a, -0x467542ee, -0x132c984c, -0x210cbb31, 0x2876beb1 }
+    },
+    {
+        { 0x3a8a85f8, -0x2a6b4ccd, -0x187282a8, 0x4ea37689, 0x5e8e351f, 0x73bf9f45, -0x43be144c, 0x5507d7d2 },
+        { 0x63144691, -0x237b16cb, -0x29e0dc0c, 0x632fe8a0, 0x12a9a8d5, 0x4caa8006, 0x0e9918d3, 0x48f9dbfa },
+        { 0x299572fc, 0x1ceb2903, -0x6afd2f12, 0x7c8ccaa2, 0x11cce67b, -0x6e405bcc, 0x64a831e7, 0x57844819 }
+    },
+},
+{
+    {
+        { 0x5fddc09c, -0x29302e11, -0x08a8a232, -0x17d4c103, 0x201634c2, 0x25d56b5d, 0x04ed2b9b, 0x3041c6bb },
+        { 0x6768d593, -0x2583d4db, 0x4422ca13, -0x673e3fa9, -0x35f531e3, -0x0e57f42b, -0x3f775970, 0x29cdd1ad },
+        { -0x26a91eb8, 0x0ff2f2f9, -0x60ca94d2, -0x5218688b, 0x5f6c025c, 0x1a4698bb, 0x14049a7b, 0x104bbd68 }
+    },
+    {
+        { -0x29800e9d, -0x56a265a1, 0x4cc75681, -0x16d41963, -0x21df0da9, -0x4807fdb4, -0x04f8d20b, 0x204f2a20 },
+        { 0x68f1ed67, 0x51f0fd31, -0x2790c43e, 0x2c811dcd, 0x04d2f2de, 0x44dc5c43, 0x092a7149, 0x5be8cc57 },
+        { 0x30ebb079, -0x37ebc4c3, -0x429ad1d0, 0x7589155a, -0x7092a3cf, 0x653c3c31, -0x3d86e9e1, 0x2570fb17 }
+    },
+    {
+        { 0x0bb8245a, 0x192ea955, -0x706faf2f, -0x37190458, -0x775b36cb, 0x7986ea2d, -0x21fe7998, 0x241c5f91 },
+        { 0x2cb61575, 0x3efa367f, 0x1cd6026c, -0x0a06908a, 0x65b52562, -0x1738ebd6, 0x53030acd, 0x3dcb65ea },
+        { 0x40de6caa, 0x28d81729, 0x22d9733a, -0x7040d310, 0x235b01d1, 0x16d7fcdd, 0x5fcdf0e5, 0x08420edd }
+    },
+    {
+        { 0x04f410ce, 0x0358c34e, 0x276e0685, -0x49eca4a6, -0x1446eadf, 0x5d9670c7, 0x21db889c, 0x04d654f3 },
+        { -0x7c9d05b6, -0x3200df55, -0x1de5c192, 0x57e118d4, -0x03c619d5, -0x1ce869e9, -0x43e89603, 0x0d9a53ef },
+        { -0x22424a2b, 0x5e7dc116, -0x725a22d3, 0x2954deb6, 0x3334a292, 0x1cb60817, 0x18991ad7, 0x4a7a4f26 }
+    },
+    {
+        { -0x50c8d5b5, 0x24c3b291, 0x718147f2, -0x6c257d90, -0x7976610e, -0x227b7a9c, 0x23e0ee33, 0x4a963142 },
+        { 0x5fb15f95, -0x0b58e7fe, 0x6b5c1b8f, 0x3df65f34, 0x00e01112, -0x32030f7b, -0x222ce7b8, 0x11b50c4c },
+        { 0x08a4ffd6, -0x5917d8bc, -0x63ea8927, 0x738e177e, 0x3d02b3f2, 0x773348b6, -0x319433af, 0x4f4bce4d }
+    },
+    {
+        { -0x3b62f491, 0x30e2616e, -0x3513dce9, -0x1ba98e71, -0x0d94b05a, 0x48eb409b, 0x61595f37, 0x3042cee5 },
+        { -0x1ddbda7c, -0x58e031a6, -0x6d0a7562, 0x26ea7256, 0x1cea3cf4, -0x2de5f629, -0x48e3fe1a, 0x73fcdd14 },
+        { 0x449bac41, 0x427e7079, -0x431dcef6, -0x7aa51c93, 0x5f841a7c, 0x4cae7621, -0x65631e2a, 0x389e740c }
+    },
+    {
+        { 0x570eac28, -0x3642870a, 0x27919ce1, -0x1aa4f4ce, -0x5e646e13, 0x65fc3eab, -0x29d9c970, 0x25c425e5 },
+        { 0x34dcb9ce, 0x64fcb3ae, -0x1cb72f53, -0x68affcdd, 0x62c6381b, 0x45b3f07d, 0x465a6788, 0x61545379 },
+        { -0x0e282192, 0x3f3e06a6, -0x71f9dcf8, 0x3ef97627, 0x4e8a6c77, -0x73eb09da, 0x15484759, 0x6539a089 }
+    },
+    {
+        { 0x14bb4a19, -0x223b242c, -0x67bdb072, 0x19b2bc3c, 0x36ca7169, 0x48a89fd7, -0x0fe64270, 0x0f65320e },
+        { -0x3c2d088d, -0x162de08c, 0x25c46845, -0x3eafabbf, -0x064661cd, 0x624e5ce8, -0x3a32e794, 0x11c5e4aa },
+        { -0x35021f3a, -0x2b792e4f, 0x163b5181, 0x4f3fe6e3, -0x050d6c66, 0x59a8af0d, -0x13ccf8d6, 0x4cabc7bd }
+    },
+},
+{
+    {
+        { 0x1a54a044, -0x083f5e64, 0x77bd9fbb, 0x4a1c5e24, 0x5af22972, -0x591c35ef, 0x3f2e9e0d, 0x1819bb95 },
+        { 0x532f7428, 0x16faa8fb, 0x46a4e272, -0x242bd160, -0x74615b80, 0x5337653b, 0x23973f03, 0x40659472 },
+        { 0x5e042e84, 0x498fbb79, 0x7698b714, 0x7d0dd89a, 0x27fe6295, -0x7404f45c, 0x21200524, 0x36ba82e7 }
+    },
+    {
+        { 0x57274ed5, -0x372962f6, 0x60804b17, 0x45ba8032, 0x2255dfac, -0x20c325f0, 0x2709b339, 0x77d22123 },
+        { 0x4245ec41, -0x29f13449, 0x34348716, -0x02641762, -0x1bdd7b22, -0x36dbf502, -0x2face24c, 0x4472f648 },
+        { 0x64ad94d8, 0x498a6d70, -0x6509dd9d, -0x5a4a3703, 0x45c141f4, -0x735712fb, 0x662d358c, 0x2c63bec3 }
+    },
+    {
+        { -0x7a790741, -0x65ae74c6, -0x344e6910, -0x6118e50a, -0x5dc7a30e, -0x55f9da1a, -0x2228372f, 0x1deb2176 },
+        { -0x158786ab, 0x7fe60d8b, -0x4a0bfe49, -0x4623ee82, 0x19355cce, -0x6e383f66, -0x6bbd4121, 0x22692ef5 },
+        { 0x2066cf6c, -0x7a9c2e66, 0x4dcc7cd7, 0x401bfd8c, -0x32f2709e, -0x26895942, -0x5d874fa2, 0x67cfd773 }
+    },
+    {
+        { 0x5a4e586a, 0x2d5fa985, 0x49beab7e, 0x65f8f7a4, -0x0de2cc2d, -0x55f8b223, 0x1bcb9dee, 0x185cba72 },
+        { -0x10c11b8b, -0x7213ce06, -0x61dd026e, -0x66240076, 0x4e26cab1, 0x512d1159, -0x13bcef47, 0x0cde561e },
+        { -0x0b1c34bf, -0x6c79625d, 0x40f7977e, -0x40fc6d0b, -0x2fb9c47d, 0x026204fc, -0x61139113, 0x3ec91a76 }
+    },
+    {
+        { -0x4f5cbfd1, 0x0fad2fb7, -0x04960b58, 0x46615ecb, -0x3a07155a, -0x08ba4338, 0x4a94e896, 0x7a5fa879 },
+        { -0x087e9953, 0x1e9df75b, -0x14f32851, 0x4dfda838, -0x3e150678, -0x45ffd128, 0x11f33cfc, 0x13fedb3e },
+        { 0x13cd67a1, 0x52958faa, -0x74244ae9, -0x69a11f7f, 0x2e8845b3, 0x16e58daa, 0x5499da8f, 0x357d397d }
+    },
+    {
+        { 0x194bfbf8, 0x481dacb4, -0x451a7d67, 0x4d77e3f1, 0x7d1372a0, 0x1ef4612e, 0x70ff69e1, 0x3a8d867e },
+        { -0x4f453194, 0x1ebfa05f, 0x1caf9a1e, -0x36cb9df4, 0x1d82b61a, -0x3388e33c, -0x5a08b014, 0x2d94a16a },
+        { 0x55aff958, 0x6f58cd5d, 0x75567721, -0x45c155a4, -0x6e9add83, 0x75c12399, -0x3d0d4ca2, 0x69be1343 }
+    },
+    {
+        { 0x684b8de3, -0x7d444254, 0x3fca0718, -0x5d0b3830, -0x1f695558, 0x337f92fb, 0x63587376, 0x200d4d8c },
+        { -0x1e6836d6, 0x0e091d5e, 0x2945119f, 0x4f51019f, -0x0fcb1664, 0x143679b9, 0x4d24c696, 0x7d88112e },
+        { 0x4893b32b, 0x208aed4b, -0x41a6469c, 0x3efbf23e, -0x245a1af9, -0x289d2150, -0x7e42626c, 0x69607bd6 }
+    },
+    {
+        { -0x6cdc56fe, 0x3b7f3bd4, 0x6b2c6e53, 0x7c21b556, 0x3a7852a7, -0x1a45700b, -0x7c713200, 0x28bc77a5 },
+        { 0x68de1ce1, -0x0941fdf0, 0x0edcbc1f, -0x172ae719, 0x1b5505a5, -0x1c100230, -0x2c13c030, 0x35f63353 },
+        { -0x1da27fca, 0x63ba78a8, -0x6bcccb70, 0x63651e00, 0x288ce532, 0x48d82f20, 0x36b57524, 0x3a31abfa }
+    },
+},
+{
+    {
+        { 0x3f78d289, -0x3f708771, -0x5ebfb261, -0x01cf58d4, -0x309a3363, -0x0d887404, 0x5acb2021, 0x7ee49816 },
+        { 0x089c0a2e, 0x239e9624, 0x3afe4738, -0x38b73b40, 0x764fa12a, 0x17dbed2a, 0x321c8582, 0x639b93f0 },
+        { -0x6eee5e3d, 0x7bd508e3, -0x7f6f8b77, 0x2b2b90d4, -0x518d02e7, -0x182d513e, -0x7a49fd5a, 0x0edf493c }
+    },
+    {
+        { -0x7b89beed, 0x6767c4d2, -0x080a07cb, -0x5f6fbfc1, -0x35194122, 0x1c8fcffa, -0x2e205c97, 0x04c00c54 },
+        { 0x599b5a68, -0x51337ea8, -0x14521df2, -0x15a8b0f1, 0x22b67f07, 0x4fe41d74, 0x019d4fb4, 0x403b92e3 },
+        { -0x74b9a308, 0x4dc22f81, 0x1480eff8, 0x71a0f35a, 0x04c7d657, -0x51174053, -0x4d9e890c, 0x355bb12a }
+    },
+    {
+        { 0x5a8c7318, -0x5cfe2539, -0x4c3155ef, -0x126ffc63, 0x3bae3f2d, 0x6f077cbf, -0x1fad5272, 0x7518eaf8 },
+        { 0x7493bbf4, -0x58e19b34, -0x135c4f3d, -0x1a427b27, -0x05fa187b, 0x0a6bc50c, 0x182ec312, 0x0f9b8132 },
+        { 0x1b7f6c32, -0x5b77a63c, -0x0bc7cd68, 0x0f2d60bc, -0x364e2e27, 0x1815a929, -0x44e8aa3c, 0x47c3871b }
+    },
+    {
+        { -0x37af9950, -0x0419a2b0, -0x4c5d6650, 0x62ecc4b0, 0x441ae8e0, -0x1ac8ab16, -0x172b72a1, 0x08fea02c },
+        { 0x71ec4f48, 0x51445397, -0x3673a292, -0x07fa4e83, 0x47c3c66b, -0x089d3ee6, 0x764699dc, 0x00b89b85 },
+        { 0x68deead0, -0x7db2228a, 0x4b685d23, -0x379bbae0, 0x5d89d665, -0x4aeb3033, 0x4f75d537, 0x473829a7 }
+    },
+    {
+        { -0x52c6fd37, 0x23d9533a, -0x10fca771, 0x64c2ddce, -0x301ed04c, 0x15257390, 0x44e4d390, 0x6c668b4d },
+        { 0x4679c418, -0x7d2d258b, -0x4d9e7210, -0x19c42828, -0x53b814f6, 0x355eef24, 0x4833c6b4, 0x2078684c },
+        { 0x7a78820c, 0x3b48cf21, -0x7ed8c169, -0x0895f54e, -0x73711285, -0x56939a59, 0x4f8a433f, 0x7411a605 }
+    },
+    {
+        { 0x18b175b4, 0x579ae53d, -0x0c6d5efe, 0x68713159, 0x1eef35f5, -0x7baa1346, 0x458c398f, 0x1ec9a872 },
+        { -0x46623793, 0x4d659d32, 0x603af115, 0x044cdc75, -0x233d1b78, -0x4cb38ed4, -0x047ecb01, 0x7c136574 },
+        { 0x00a2509b, -0x47195b2c, 0x0bc882b4, -0x647e28fe, -0x0e6a8a9f, 0x57e7cc9b, -0x38329ba0, 0x3add88a5 }
+    },
+    {
+        { 0x59393046, -0x7a3d672c, 0x5ff659ec, -0x7081ca68, -0x0d0991c6, 0x1d2ca22a, -0x5bf958e0, 0x61ba1131 },
+        { -0x49ca230e, -0x5476a890, -0x0993e044, 0x02dfef6c, -0x41492e79, -0x7aacfd98, -0x3378618c, 0x249929fc },
+        { 0x16959029, -0x5c2f5f0f, -0x45814277, 0x023b6b6c, 0x26783307, 0x7bf15a3e, -0x44271319, 0x5620310c }
+    },
+    {
+        { 0x77e285d6, 0x6646b5f4, 0x6c8f6193, 0x40e8ff67, -0x544a6b23, -0x59138cef, 0x658cec4d, 0x7ec846f3 },
+        { 0x4934d643, 0x52899343, -0x5aeddd0b, -0x462407fa, -0x3c0be3de, -0x70927871, 0x4d9d9730, 0x37676a2a },
+        { 0x1da22ec7, -0x64a170c1, 0x6c01cd13, 0x130f1d77, -0x5d676048, 0x214c8fcf, 0x399b9dd5, 0x6daaf723 }
+    },
+},
+{
+    {
+        { 0x2cd13070, -0x7e514423, -0x07a5f162, -0x69d1bcdb, -0x35200135, -0x216c6e56, 0x52c230e6, 0x53177fda },
+        { 0x10628564, 0x591e4a56, -0x574b20cc, 0x2a4bb87c, -0x185c71bd, -0x21d5da8e, -0x011afb92, 0x3cbdabd9 },
+        { 0x50b9de79, -0x584368fa, -0x3cfe4a65, 0x3d12a7fb, -0x2c951c74, 0x02652e68, 0x5a6199dc, 0x79d73983 }
+    },
+    {
+        { 0x0d591737, 0x21c9d992, -0x164b932a, -0x6415be2e, 0x0d89bfca, -0x1df17be0, 0x6eae5ff8, 0x79d99f94 },
+        { 0x4131c1bd, -0x26cab20a, -0x7913a7de, 0x758094a1, -0x1ba60c3e, 0x4464ee12, -0x34eccd7e, 0x6c11fce4 },
+        { 0x68673205, -0x0e84b7cb, 0x3caad96c, 0x387deae8, 0x56ffe386, 0x61b471fd, -0x48ba5a67, 0x31741195 }
+    },
+    {
+        { 0x3b02a047, 0x17f8ba68, -0x01104938, 0x50212096, 0x1556cbe2, 0x70139be2, 0x1d98915b, 0x203e44a1 },
+        { -0x4885c9f5, -0x172efe70, -0x666a18fe, -0x66467ce0, -0x05fdb856, -0x42b02008, -0x1f2c9579, 0x2772e344 },
+        { 0x37b9e39f, -0x2979c146, 0x723b5a23, 0x105bc169, -0x59a3f89e, 0x104f6459, 0x5b4d38d4, 0x56795129 }
+    },
+    {
+        { 0x0d4b497f, 0x07242eb3, -0x46433379, 0x1ef96306, -0x27ee90bb, 0x37950934, 0x01405b04, 0x05468d62 },
+        { 0x13037524, 0x535fd606, -0x4f043d96, -0x1def520a, 0x23e990ae, -0x5372f565, -0x28d02407, 0x47204d08 },
+        { -0x06cd9822, 0x00f565a9, -0x3f2a7176, -0x31302873, -0x0ce71d72, -0x5dea1d24, -0x649cccae, 0x4599ee91 }
+    },
+    {
+        { -0x79e51a87, -0x538b9295, -0x09515624, 0x31ab0650, 0x40256d4c, 0x241d6611, 0x3d21a5de, 0x2f485e85 },
+        { 0x70e0e76b, -0x2c3ddf36, -0x1560cf6c, -0x4ed415a8, -0x3cd8ed7e, 0x294ddec8, -0x5e2e2fd8, 0x0c3539e1 },
+        { -0x63f7cc0d, 0x32974483, -0x2d543b7c, 0x6fe6257f, 0x4b358817, 0x5327d181, -0x76c01644, 0x65712585 }
+    },
+    {
+        { -0x28f711c1, -0x7e3d60e5, -0x519bf830, -0x2234a5fb, -0x2d5c1459, -0x68513e29, -0x6e2af7cf, 0x1590521a },
+        { 0x32a61161, -0x63efd049, 0x34d520a8, -0x1b71ef23, 0x6f9a9176, 0x365c6354, 0x046f6006, 0x32f6fe4c },
+        { -0x386ef534, 0x40a3a11e, -0x0e92d852, -0x6fec2008, -0x544e6a2c, 0x1a9720d8, 0x2ea98463, 0x1bb9fe45 }
+    },
+    {
+        { -0x33c98b84, -0x30a1936b, 0x6b0bc30d, 0x29420153, -0x11868510, 0x453ac67c, 0x2a8bb3c9, 0x5eae6ab3 },
+        { -0x4c2ab062, -0x162e26b0, -0x1ff2cc3f, 0x2d5f9cbe, -0x5fb03954, 0x51c2c656, 0x3c1cbcc9, 0x65c091ee },
+        { 0x14f118ea, 0x70836611, -0x6bcb6353, 0x2b37b87b, -0x4b1660c0, 0x7273f51c, 0x23d75698, 0x78a2a958 }
+    },
+    {
+        { 0x5ef83207, -0x4b0dc3be, -0x3656cb4b, -0x54076b2d, 0x39fd87f7, -0x2f8f73ed, 0x17166130, 0x18767891 },
+        { 0x5c8c2ace, -0x5d4f8d17, 0x651e9c4b, 0x69cffc96, 0x42e7b42b, 0x44328ef8, 0x22aadeb3, 0x5dd996c1 },
+        { 0x670c507c, -0x6da4a110, -0x46c3cc41, -0x7e6437be, 0x70dd003f, 0x10792e9a, 0x6e28dc74, 0x59ad4b7a }
+    },
+},
+{
+    {
+        { -0x5352715e, 0x583b04bf, 0x148be884, 0x29b743e8, 0x0810c5db, 0x2b1e583b, -0x714c4456, 0x2b5449e5 },
+        { -0x14c241b9, 0x5f3a7562, -0x71425f48, -0x0815c7ac, 0x45747299, 0x00c3e531, 0x1627d551, 0x1304e9e7 },
+        { 0x6adc9cfe, 0x789814d2, -0x74b722f5, 0x3c1bab3f, -0x068639f6, -0x25f01e01, 0x7c2dd693, 0x4468de2d }
+    },
+    {
+        { -0x079cf832, 0x4b9ad8c6, 0x435d0c28, 0x21113531, 0x657a772c, -0x2b57993b, 0x63247352, 0x5da6427e },
+        { -0x6be6b962, 0x51bb355e, 0x23ddc754, 0x33e6dc4c, 0x447f9962, -0x6c5a492a, -0x04bb429d, 0x6cce7c6f },
+        { -0x2153dd36, 0x1a94c688, -0x4451e008, -0x46f99109, -0x72a6a7f1, -0x775273c8, -0x1860d358, 0x58f29abf }
+    },
+    {
+        { 0x710ecdf6, 0x4b5a64bf, 0x462c293c, -0x4eb31ac8, -0x2af4c547, 0x3643d056, 0x185b4870, 0x6af93724 },
+        { -0x7218c198, -0x16f13055, 0x377e76a5, 0x54036f9f, -0x41fea67e, -0x0fb6a4f5, -0x580be1ca, 0x577629c4 },
+        { 0x09c6a888, 0x32200245, 0x4b558973, -0x2d1fc9ed, 0x3c33289f, -0x7c1dc9dd, 0x0caec18f, 0x701f25bb }
+    },
+    {
+        { 0x7cbec113, -0x62e70927, 0x74bfdbe4, -0x7bb5f91a, -0x53b19f2a, 0x20f5b522, 0x50955e51, 0x720a5bc0 },
+        { -0x1b9e9313, -0x3c574f08, -0x61da5783, -0x08ff99f2, -0x0b435a64, 0x61e3061f, -0x423bf417, 0x2e0c92bf },
+        { -0x647fa5cb, 0x0c3f0943, 0x6242abfc, -0x17b174c9, 0x5c229346, 0x691417f3, 0x144ef0ec, 0x0e9b9cbb }
+    },
+    {
+        { 0x5db1beee, -0x7211642b, 0x0a723fb9, -0x363c54c9, 0x1c68d791, 0x44a8f1bf, 0x1cfd3cde, 0x366d4419 },
+        { -0x04a8df53, -0x04452b71, -0x2406f2f2, -0x117e6e95, 0x635543bf, -0x2b7eceae, 0x3f337bd8, 0x221104eb },
+        { -0x0d4373ec, -0x61c3e8bd, -0x4a7a93c5, 0x2eda26fc, 0x68a7fb97, -0x3347d0f2, -0x43a6cdbc, 0x4167a4e6 }
+    },
+    {
+        { -0x07317012, -0x3d41d99b, -0x177f29d4, -0x169800ec, 0x2f364eee, -0x0ed19182, -0x34812d0a, 0x34b33370 },
+        { 0x76f62700, 0x643b9d28, 0x0e7668eb, 0x5d1d9d40, 0x21fc0684, 0x1b4b4303, 0x2255246a, 0x7938bb7e },
+        { -0x797e2934, -0x323a6e12, -0x127a58ad, -0x31fdef64, 0x58808883, -0x128b7a3f, 0x2dfe65e4, 0x1176fc6e }
+    },
+    {
+        { 0x49770eb8, -0x246f1d77, -0x530bbf5d, -0x670433d6, -0x21287865, 0x21354ffe, -0x0d96f94a, 0x1f6a3e54 },
+        { 0x5b9c619b, -0x4b509330, -0x4d5a7b80, 0x2ddfc9f4, -0x1416b23c, 0x3d4fa502, 0x677d5f34, 0x08fc3a4c },
+        { -0x2cf8cb16, 0x60a4c199, 0x31165cd6, 0x40c085b6, -0x08a67d6b, -0x1dccc1dd, 0x16b900d1, 0x4f2fad01 }
+    },
+    {
+        { -0x48c449c8, -0x69d326e3, -0x03ed63f8, -0x19fa8856, -0x0c49e977, 0x6f619b39, 0x2944ee81, 0x3451995f },
+        { -0x6b51b1ac, 0x44beb241, 0x1857ef6c, 0x5f541c51, 0x368d0498, -0x59e194d3, -0x68d10855, 0x445484a4 },
+        { -0x60158284, -0x6ead0330, -0x4f6ca30a, 0x4a816c94, 0x47285c40, 0x258e9aaa, 0x042893b7, 0x10b89ca6 }
+    },
+},
+{
+    {
+        { 0x79d34aa0, -0x2983212a, -0x33b24c61, -0x33f46140, -0x1ca2e6f1, -0x5aca5baa, -0x09e09011, 0x2e05d9ea },
+        { 0x3b646025, -0x64d5bd92, 0x385ce4cf, 0x32127190, -0x229215bb, -0x5da3003e, -0x4157218b, 0x06409010 },
+        { -0x29e414a7, -0x3bb86fe6, -0x1a2377f6, 0x661f19bc, -0x483597d9, 0x24685482, -0x101f80da, 0x293c778c }
+    },
+    {
+        { -0x5ee00e00, 0x16c795d6, -0x4ea7ea37, -0x348f2f1e, -0x64ac6a4b, -0x760d6ce0, 0x31e47b4f, 0x50b8c2d0 },
+        { 0x07069096, -0x797f6190, -0x1b1afe77, -0x5528a4eb, -0x5de5feb9, 0x07f35715, 0x12815d5e, 0x0487f3f1 },
+        { 0x068a4962, 0x48350c08, 0x51092c9a, 0x6ffdd053, -0x50903723, 0x17af4f4a, 0x3cdba58b, 0x4b0553b5 }
+    },
+    {
+        { 0x27c152d4, -0x40fadee5, -0x42e509c7, 0x5ec26849, -0x71905468, 0x5e0b2caa, 0x50bd0840, 0x054c8bdd },
+        { 0x1b32ff79, -0x639a0342, 0x03b50f9b, -0x148a1561, 0x6c07e606, -0x0312d594, 0x51717908, 0x35106cd5 },
+        { 0x1dcf073d, 0x38a0b12f, -0x48095d8a, 0x4b60a8a3, -0x2cbfb066, -0x012a53db, 0x5505c229, 0x72e82d5e }
+    },
+    {
+        { 0x69771d02, 0x00d9cdfd, 0x6cfbf17e, 0x410276cd, 0x1cb12ec7, 0x4c45306c, 0x27500861, 0x2857bf16 },
+        { -0x0f27bb38, 0x6b0b697f, -0x268634b7, -0x44ed07a4, -0x3e25f0e1, -0x2d5abe3a, 0x58ce7211, 0x7b7c2429 },
+        { 0x0101689e, -0x60de6fc1, -0x4079effb, -0x2886202d, 0x3deb0f1b, -0x5edd11a1, 0x485a00d4, 0x510df84b }
+    },
+    {
+        { -0x38f53ea2, 0x24b3c887, -0x047e48ce, -0x4f0c5aa9, -0x1a8733e5, -0x64d321d1, 0x03b54f8e, 0x4cf7ed07 },
+        { -0x6d885e06, -0x5abecc45, 0x63991237, 0x74ec3b62, 0x35d2f15a, 0x1a3c54dc, -0x1b7d45c6, 0x2d347144 },
+        { -0x670411f1, 0x6bd47c65, -0x54aa41d3, -0x61b8cc1e, 0x127610c5, 0x1093f624, -0x2f5e155c, 0x4e05e26a }
+    },
+    {
+        { -0x1e701940, 0x1833c773, -0x2c378d9b, -0x1c3b8ee6, 0x0116b283, 0x3bfd3c4f, -0x4b32b248, 0x1955875e },
+        { 0x4b531f20, -0x2564949e, 0x77509abb, 0x429a760e, -0x17dc3480, -0x24160ade, -0x77f3707e, 0x618f1856 },
+        { 0x0e399799, 0x6da6de8f, 0x40fda178, 0x7ad61aa4, 0x5e3563dd, -0x4cd327f0, 0x2ae340ae, 0x15f6beae }
+    },
+    {
+        { -0x6dba1deb, -0x4565f085, -0x2673f245, -0x0c979ed3, -0x0ddf4fe0, 0x2e84e4cb, 0x62d90eda, 0x6ba92fe9 },
+        { 0x31ec3a62, -0x79d434f4, 0x1138f3c2, -0x7ef1d4bb, 0x39dac2a4, 0x788ec4b8, -0x51d56d7f, 0x28f76867 },
+        { 0x5884e2aa, 0x3e4df965, -0x242b9a5b, -0x429d0425, 0x0de9e524, -0x28a69356, -0x4d4e4c29, 0x6e8042cc }
+    },
+    {
+        { 0x16521f7e, 0x15306536, -0x69dfc246, 0x660d06b8, 0x545f0879, 0x2d3989bc, 0x78ebd7b0, 0x4b5303af },
+        { -0x31d73592, -0x0ef2c3d7, -0x0349f6c3, -0x452cbac0, -0x5d15d2c1, -0x18bd9129, 0x4ff298b9, 0x08af9d4e },
+        { -0x41434218, 0x72f8a6c3, -0x23c57177, 0x4f0fca4a, -0x38402086, 0x6fa9d4e8, -0x649db149, 0x0dcf2d67 }
+    },
+},
+{
+    {
+        { 0x5a45f06e, 0x753941be, 0x6d9c5f65, -0x2f835113, 0x72ff51b6, 0x11776b9c, -0x10f2b257, 0x17d2d1d9 },
+        { -0x68e7d764, 0x3d594749, 0x24533f26, 0x12ebf8c5, 0x14c3ef15, 0x0262bfcb, 0x77b7518e, 0x20b878d5 },
+        { 0x073f3e6a, 0x27f2af18, -0x28adef97, -0x02c01ae7, 0x3ca60022, 0x22e3b72c, -0x339a3959, 0x72214f63 }
+    },
+    {
+        { -0x0bc4d637, 0x1d9db7b9, 0x4f518f75, -0x29fa7db6, 0x312f9dc4, -0x0d3f8d43, 0x5a1545b0, 0x1f24ac85 },
+        { 0x5307a693, -0x4b1c80c0, 0x2f336795, -0x5458eb29, 0x73761099, -0x29042f59, -0x7e8e3437, 0x5fdf48c5 },
+        { -0x716afa56, 0x24d60832, 0x0c1420ee, 0x4748c1d1, 0x06fb25a2, -0x38001ba4, 0x2ae395e6, 0x00ba739e }
+    },
+    {
+        { -0x157744da, -0x51bbd90b, -0x7b68c405, 0x360679d9, 0x26694e50, 0x5c9f030c, -0x2ae72dda, 0x72297de7 },
+        { 0x5c8790d6, 0x592e98de, 0x45c2a2df, -0x1a40482d, -0x064b66de, 0x115a3b60, 0x67ad78f3, 0x03283a3e },
+        { -0x41f346c7, 0x48241dc7, -0x749ccf80, 0x32f19b4d, 0x02289308, -0x2c2036f3, 0x46271945, 0x05e12968 }
+    },
+    {
+        { 0x242c4550, -0x52404438, -0x2fcf7e27, -0x4337f314, -0x0a37206e, -0x7bca995a, -0x7da731b4, 0x78cf25d3 },
+        { 0x2d9c495a, -0x457d114d, -0x0ed44684, -0x31103704, -0x6c4a2e20, -0x4fd25452, 0x13698d9b, 0x39c00c9c },
+        { 0x31489d68, 0x15ae6b8e, -0x63d40f79, -0x557ae355, -0x0fb105fb, -0x3658a569, 0x6b3ff832, 0x006b5207 }
+    },
+    {
+        { -0x4631f7d3, -0x0a3481ea, 0x417abc29, 0x3407f14c, 0x2bf4a7ab, -0x2b4c9432, 0x1a9f75ce, 0x7de2e956 },
+        { -0x626a87e4, 0x29e0cfe1, -0x699cef1e, -0x497e20e8, 0x70516b39, 0x57df39d3, 0x3bc76122, 0x4d57e344 },
+        { -0x495aa135, -0x218f2b0c, 0x5d85db99, 0x4801527f, -0x2c11657f, -0x24363bc0, 0x1a6029ed, 0x6b2a90af }
+    },
+    {
+        { 0x5bb2d80a, 0x77ebf324, 0x2fb9079b, -0x27cfe4b9, 0x4cee7333, -0x39b8190e, 0x276c2109, 0x465812c8 },
+        { -0x6519e169, 0x6923f4fc, -0x1fc0a02f, 0x5735281d, -0x19122ed3, -0x589b51bd, -0x2ed2c1b6, 0x5fd8f4e9 },
+        { 0x2a1062d9, 0x4d43beb2, 0x3831dc16, 0x7065fb75, -0x21d69729, 0x180d4a7b, 0x1cb16790, 0x05b32c2b }
+    },
+    {
+        { 0x7ad58195, -0x08035bd4, 0x4333f3cc, 0x3214286e, 0x340b979d, -0x493d62f3, 0x567307e1, 0x31771a48 },
+        { -0x2db25703, -0x373fa134, 0x05dfef83, -0x5e30e554, 0x7df9cd61, -0x2441100e, 0x7b471e99, 0x3b5556a3 },
+        { -0x1eb22b7e, 0x32b0c524, 0x1a2ba4b6, -0x124caeac, 0x282b5af3, -0x5c2e9fb8, 0x7a7336eb, 0x4fc079d2 }
+    },
+    {
+        { 0x0c86c50d, -0x23cb74bc, -0x336b19af, 0x1337cbc9, 0x643e3cb9, 0x6422f74d, -0x451c32f8, 0x241170c2 },
+        { -0x7640d081, 0x51c938b0, 0x02dfe9a7, 0x2497bd65, 0x7880e453, -0x00003f64, -0x3506716e, 0x124567ce },
+        { 0x0ac473b4, 0x3ff9ab86, 0x0113e435, -0x0f6ee212, -0x14393b51, 0x4ae75060, 0x6c87000d, 0x3f861296 }
+    },
+},
+{
+    {
+        { 0x638c7bf3, 0x529fdffe, 0x388b4995, -0x20d461a0, 0x1bad0249, -0x1fd84cb1, -0x46058b13, 0x7bc92fc9 },
+        { -0x086a841c, 0x0c9c5303, -0x1f7a3ebb, -0x5c3ce5e0, -0x2f7affb0, -0x4f8de28f, -0x54f40d26, 0x0aba390e },
+        { -0x7fe52607, -0x606810d2, 0x79afda3a, -0x7c9682ac, -0x42a694b0, -0x16f94c01, -0x22c04720, 0x02672b37 }
+    },
+    {
+        { 0x398ca7f5, -0x116458d7, 0x7a4849db, -0x146359db, 0x7ec544e1, 0x29eb29ce, -0x08c91d38, 0x232ca21e },
+        { 0x260885e4, 0x48b2ca8b, -0x7d4cb3e4, -0x5bd79414, 0x17f58f74, -0x6c81e5da, -0x54d35d5b, 0x741d1fcb },
+        { 0x253fcb17, -0x409ebdc3, -0x05c614ec, 0x08803cea, -0x67ae3851, -0x0e79fd21, 0x49e3414b, 0x0400f3a0 }
+    },
+    {
+        { -0x5f9184fa, 0x2efba412, 0x2c8d2560, 0x14678545, -0x29856e39, -0x2068ec15, 0x157eadf3, 0x32830ac7 },
+        { -0x459e3aa5, -0x5431fb8a, -0x3b2c68ea, 0x36a3d6d7, -0x1727d2f7, 0x6eb259d5, -0x7b28a905, 0x0c9176e9 },
+        { -0x48c89618, 0x0e782a7a, 0x75b18e2c, 0x04a05d78, -0x1433151f, 0x29525226, -0x7c1457e0, 0x0d794f83 }
+    },
+    {
+        { -0x585d1e54, 0x7be44ce7, -0x052e4749, 0x411fd93e, 0x0d5f7c9b, 0x1734a1d7, 0x3127db16, 0x0d659223 },
+        { -0x61eae90c, -0x00ca0a35, 0x648aae45, -0x117fa431, -0x46c5610d, -0x0f28c3d5, 0x2092a6c2, 0x097b0bf2 },
+        { 0x21a9d733, -0x3b7454eb, -0x29e544db, -0x593d1516, -0x3934bcfb, 0x625c6c1c, -0x6c14c599, 0x7fc90fea }
+    },
+    {
+        { -0x63834dc3, -0x3ad8214b, 0x5328404e, -0x6aac6e97, 0x7ccf2c7a, -0x29bc6d7f, -0x082705ef, 0x6ce97dab },
+        { 0x1f5c5926, 0x0408f1fe, 0x3b258bf4, 0x1a8f2f5e, -0x0238e997, 0x40a951a2, -0x3674a882, 0x6598ee93 },
+        { 0x0ef7c48f, 0x25b5a8e5, 0x6f2ce532, -0x149fcbef, -0x1ac21ac9, -0x3a18ae8d, -0x73ed44fd, 0x73119fa0 }
+    },
+    {
+        { 0x21f4774d, 0x7845b94d, 0x7897b727, -0x409d0e94, 0x3c56522b, 0x671857c0, -0x6a9dedee, 0x3cd6a852 },
+        { 0x53f1a4cb, -0x12cfed6c, -0x370ac879, -0x4319de37, 0x38bee7b9, -0x0534d4ed, -0x6157bd74, 0x3025798a },
+        { 0x3aeca999, 0x3fecde92, 0x62e8c12f, -0x4255a500, -0x69677522, 0x67b99dfc, 0x52661036, 0x3f52c028 }
+    },
+    {
+        { -0x113be93a, -0x6da74067, -0x562d098f, -0x5375afe9, 0x16dea4ab, 0x629549ab, -0x66f6ea97, 0x05d0e85c },
+        { 0x2a1351c6, -0x00155b72, -0x0580ac29, 0x28624754, 0x7582ddf1, 0x0b5ba9e5, -0x596953a7, 0x60c0104b },
+        { -0x21634169, 0x051de020, -0x4af4308c, -0x05f803aa, 0x0f11df65, 0x378cec9f, -0x546921b3, 0x36853c69 }
+    },
+    {
+        { -0x053a1842, 0x4433c0b0, 0x4c08dcbe, 0x724bae85, 0x46978f9b, -0x0e0db33c, 0x62825fc8, 0x4a0aff6d },
+        { 0x78f39b2d, 0x36d9b8de, -0x57b84614, 0x7f42ed71, 0x79bd3fde, 0x241cd1d6, -0x6d043195, 0x6a704fec },
+        { 0x61095301, -0x16e80462, 0x02a092f8, -0x3efd206c, -0x0599e6f5, -0x40f61d0b, -0x1f2301c9, 0x681109be }
+    },
+},
+{
+    {
+        { 0x36048d13, -0x63e70306, 0x73899ddd, 0x29159db3, -0x606d2f56, -0x2360caf5, -0x7875e62c, 0x26f57eee },
+        { 0x782a0dde, 0x559a0cc9, -0x158e7c7b, 0x551dcdb2, 0x31ef238c, 0x7f62865b, 0x7973613d, 0x504aa776 },
+        { 0x5687efb1, 0x0cab2cd5, 0x247af17b, 0x5180d162, 0x4f5a2467, -0x7a3ea5cc, -0x6245cf97, 0x4041943d }
+    },
+    {
+        { -0x5d935523, 0x4b217743, 0x648ab7ce, 0x47a6b424, 0x03fbc9e3, -0x34e2b086, -0x67ff2fe7, 0x12d93142 },
+        { 0x43ebcc96, -0x3c3f1146, 0x26ea9caf, -0x728b6364, 0x1c77ccc6, -0x26056a12, 0x7684340f, 0x1420a1d9 },
+        { -0x2cc8a6b1, 0x00c67799, -0x4dc55b85, 0x5e3c5140, -0x1ca00c6b, 0x44182854, 0x4359a012, 0x1b4f9231 }
+    },
+    {
+        { -0x5b67994f, 0x33cf3030, 0x215f4859, 0x251f73d2, 0x51def4f6, -0x547d55c0, 0x6f9a23f6, 0x5ff191d5 },
+        { -0x76eaf6af, 0x3e5c109d, 0x2de9696a, 0x39cefa91, -0x68a0cfe0, 0x20eae43f, 0x7f132dae, 0x239b572a },
+        { -0x53d26f98, -0x7e612bcd, 0x5fc98523, 0x2883ab79, 0x5593eb3d, -0x10ba8d80, 0x758f36cb, 0x020c526a }
+    },
+    {
+        { -0x0fbd3377, -0x16ce10a7, -0x71edb44a, 0x2c589c9d, -0x5138a669, -0x52371e76, 0x5602c50c, 0x452cfe0a },
+        { -0x61272444, 0x779834f8, -0x23835b94, -0x370d5507, -0x5c1e4f8c, -0x56adb324, 0x15313877, 0x02aacc46 },
+        { 0x647877df, -0x795f0860, 0x0e607c9f, -0x443b9bd9, -0x0e04ee37, -0x54e815db, 0x304b877b, 0x4cfb7d7b }
+    },
+    {
+        { -0x687610ee, -0x1d79663e, -0x20a8e6f3, 0x2b6ecd71, -0x13368f30, -0x3cbc37a9, 0x434d3ac5, 0x5b1d4cbc },
+        { -0x47648a02, 0x72b43d6c, -0x63952380, 0x54c694d9, 0x3ee34c9f, -0x473c55c9, 0x39075364, 0x14b4622b },
+        { -0x33f560da, -0x4904d9eb, -0x4772331b, 0x3a4f0e2b, 0x3369a705, 0x1301498b, 0x58592dd1, 0x2f98f712 }
+    },
+    {
+        { 0x4f54a701, 0x2e12ae44, -0x56342822, -0x0301c110, 0x75835de0, -0x314076f3, -0x189ebaac, 0x1d8062e9 },
+        { -0x4af061aa, 0x0c94a74c, -0x7171ece0, 0x5b1ff4a9, -0x7dcff099, -0x65d533df, -0x27f95507, 0x3a6ae249 },
+        { -0x566f83a6, 0x657ada85, -0x6e46f09e, 0x1a0ea8b5, -0x20cb4b17, -0x72f1e205, -0x510da00d, 0x298b8ce8 }
+    },
+    {
+        { 0x0a2165de, -0x7c858d16, 0x0bcf79f6, 0x3fab07b4, 0x7738ae70, 0x521636c7, 0x03a7d7dc, 0x6ba62718 },
+        { -0x1008f34e, 0x2a927953, 0x79157076, 0x4b89c92a, 0x30a7cf6a, -0x6be7ba86, 0x4d5ce485, 0x34b8a840 },
+        { -0x7c96cccb, -0x3d91134b, 0x63b5fefd, -0x2a57ec21, -0x5b4dda8d, -0x5d6c5566, 0x465e1c6a, 0x71d62bdd }
+    },
+    {
+        { -0x4e08a10b, -0x32d24a26, 0x16b065f5, -0x28806a31, 0x3f49f085, 0x14571fea, 0x262b2b3d, 0x1c333621 },
+        { -0x2c872080, 0x6533cc28, 0x0a0fa4b4, -0x0924bc87, -0x08fe25a6, -0x1c9ba007, -0x0ce8d45c, 0x74d5f317 },
+        { 0x67d9ca81, -0x57901aac, 0x2b298c37, 0x398b7c75, -0x1c539dc5, -0x2592f76e, 0x47e9d98c, 0x4aebcc45 }
+    },
+},
+{
+    {
+        { -0x5fa65bbb, 0x0de9b204, 0x4b17ad0f, -0x1ea34b56, 0x1f79c557, -0x1e4413ae, -0x2f8ef7e5, 0x2633f1b9 },
+        { 0x05d21a77, 0x53175a72, -0x2c46cb2c, -0x4f3fbbde, -0x22a21524, -0x52260db5, -0x60ef0074, 0x074f46e6 },
+        { 0x018b9910, -0x3e04be89, 0x6c0fe140, -0x5915df24, 0x4354c6ff, -0x299e0c19, -0x0e5cbf86, 0x5ecb72e6 }
+    },
+    {
+        { -0x17179669, -0x01151efa, -0x672f6c7d, -0x679ccc81, -0x55f91411, -0x6b8fb7f2, -0x2b3a3d30, 0x038b6898 },
+        { 0x2259fb4e, -0x5aea5ce5, 0x2bcac52f, 0x0960f397, -0x72cbab35, -0x124ad014, -0x3b893fe7, 0x382e2720 },
+        { -0x7531af5a, -0x0c6e3ae3, -0x51d2d6b8, 0x3142d0b9, 0x7f24ca80, -0x24b2a5e6, 0x59250ea8, 0x21aeba8b }
+    },
+    {
+        { -0x0ff780dd, 0x53853600, -0x2582a87c, 0x4c461879, -0x4be097a0, 0x6af303de, -0x3d83e713, 0x0a3c16c5 },
+        { -0x30bfaad0, 0x24f13b34, 0x43088af7, 0x3c44ea4a, 0x0006a482, 0x5dd5c517, -0x76f4f793, 0x118eb8f8 },
+        { -0x336b80c3, 0x17e49c17, -0x553e2d85, -0x3339125a, -0x4f0f71aa, -0x209f6d32, 0x2c67c36b, 0x4909b3e2 }
+    },
+    {
+        { 0x706ff64e, 0x59a16676, 0x0d86a53d, 0x10b953dd, -0x31a3f46a, 0x5848e1e6, 0x12780c68, 0x2d8b78e7 },
+        { 0x63fe2e89, -0x63637a16, 0x0e9412ec, -0x41e4506f, -0x79040185, -0x70845576, -0x10697494, 0x0fb17f9f },
+        { -0x503c6fd5, 0x79d5c62e, -0x7617f8d8, 0x773a2152, -0x1efedf47, -0x3c7519c0, 0x7b2b1a6d, 0x09ae2371 }
+    },
+    {
+        { -0x52cd4e30, 0x10ab8fa1, -0x1d8874dc, -0x165312e5, 0x373de90f, -0x577a9440, -0x225ac66a, 0x66f35ddd },
+        { 0x4e4d083c, -0x4495e6d6, 0x0029e192, 0x34ace063, -0x55054515, -0x67dba5a7, -0x25680554, 0x6d9c8a9a },
+        { 0x24997323, -0x2d826505, -0x090fe2d2, 0x1bb7e07e, -0x0ad13381, 0x2ba7472d, 0x646f9dc8, 0x03019b4f }
+    },
+    {
+        { -0x194c2395, -0x50f64dec, -0x5282d09b, 0x3f7573b5, 0x100a23b0, -0x2fe62678, -0x74a3ca09, 0x392b63a5 },
+        { 0x565345cd, 0x04a186b5, -0x433bee96, -0x111899f0, 0x78fb2a45, 0x689c73b4, 0x65697512, 0x387dcbff },
+        { -0x63f83dfb, 0x4093addc, -0x0acd3c82, -0x3a9a41eb, 0x1583402a, 0x63dbecfd, -0x10d1fcd2, 0x61722b4a }
+    },
+    {
+        { -0x7e34f1c4, -0x294f85ab, -0x26bbb697, 0x290ff006, 0x16dcda1f, 0x08680b6a, 0x5a06de59, 0x5568d2b7 },
+        { -0x1342b851, 0x0012aafe, 0x1cd46309, 0x55a266fb, 0x0967c72c, -0x0dfc1498, -0x35c3ebd7, 0x39633944 },
+        { 0x1b37cfe1, -0x72f34774, 0x053818f3, 0x05b6a5a3, -0x487826a7, -0x0d1643fc, -0x6522809c, 0x6beba124 }
+    },
+    {
+        { 0x43f5a53b, 0x5c3cecb9, 0x06c08df2, -0x633659e3, -0x7a76abb9, -0x30459c66, 0x0df09fd5, 0x5a845ae8 },
+        { -0x5a4e4ebd, 0x1d06005c, 0x7fd1cda2, 0x6d4c6bb8, 0x53fcffe7, 0x6ef59676, -0x3e31e15b, 0x097c29e8 },
+        { 0x5deb94ca, 0x4ce97dbe, -0x738f63b8, 0x38d0a438, -0x5e962f69, -0x3bc1312c, -0x081a783d, 0x0a1249ff }
+    },
+},
+{
+    {
+        { 0x7354b610, 0x0b408d9e, 0x5ba85b6e, -0x7f94cdad, 0x4a58a207, -0x2419c5fd, -0x365e20d4, 0x173bd9dd },
+        { 0x276d01c9, 0x12f0071b, -0x793b7390, -0x1847453b, 0x71d6fba9, 0x5308129b, 0x5a3db792, 0x5d88fbf9 },
+        { -0x01a78d21, 0x2b500f1e, -0x2bc6e73f, 0x58d6582e, -0x3698c520, -0x1912d872, -0x4e615ce7, 0x06e1cd13 }
+    },
+    {
+        { -0x61a4fcad, 0x472baf62, 0x278d0447, 0x3baa0b90, -0x69bc40d9, 0x0c785f46, -0x727c84ed, 0x7f3a6a1a },
+        { 0x6f166f23, 0x40d0ad51, 0x1fab6abe, 0x118e3293, -0x5fb2f772, 0x3fe35e14, 0x26e16266, 0x30806035 },
+        { 0x5d3d800b, -0x0819bbc7, -0x36fe120a, -0x6a572aab, 0x592c6339, 0x68cd7830, 0x2e51307e, 0x30d0fded }
+    },
+    {
+        { 0x68b84750, -0x634b68e2, 0x6664bbcf, -0x5f6a8dd7, 0x72fa412b, 0x5c8de726, 0x51c589d9, 0x46150843 },
+        { -0x0dedcc4d, -0x1fa6b2e6, -0x0f33b264, 0x1bdbe78e, -0x70b66589, 0x6965187f, 0x2c099868, 0x0a921420 },
+        { -0x51465fd2, -0x436fe640, 0x16034cae, 0x55c7110d, 0x659932ec, 0x0e6df501, -0x6a35a202, 0x3bca0d28 }
+    },
+    {
+        { -0x6133fe41, -0x6397714a, -0x59bb7691, -0x0f437c53, 0x5f7a9fe2, -0x35d26aa1, -0x720d7dbf, 0x4ea8b403 },
+        { 0x3c5d62a4, 0x40f031bc, -0x300f85a0, 0x19fc8b3e, 0x130fb545, -0x67e7c25e, -0x5170ec33, 0x5631dedd },
+        { -0x0e352dfe, 0x2aed460a, -0x5b73117d, 0x46305305, 0x49f11a5f, -0x6ede88bb, 0x542ca463, 0x24ce0930 }
+    },
+    {
+        { -0x020cf47b, 0x3fcfa155, 0x36372ea4, -0x2d08e972, 0x6492f844, -0x4d1f9b22, 0x324f4280, 0x549928a7 },
+        { -0x02f93efa, 0x1fe890f5, 0x5d8810f2, -0x4a3b97cb, 0x6e8caf3e, -0x7d87f702, -0x75f928b5, 0x41d4e3c2 },
+        { 0x63ee1a2e, -0x0d91cd59, -0x2da00216, -0x516e1b49, -0x2e80b297, -0x43c42cc5, -0x3f230096, 0x491b66de }
+    },
+    {
+        { -0x2f259b5f, 0x75f04a8e, 0x67e2284b, -0x12ddd351, 0x1f7b7ba4, -0x7dcb5c87, -0x48fe7499, 0x4cf6b8b0 },
+        { -0x3815cd59, -0x670a4ec3, 0x7e16db98, -0x1c2a0734, -0x340726b9, -0x53f540ae, -0x37a11b54, 0x08f338d0 },
+        { -0x66e58c43, -0x3c7c57df, -0x20cdf386, -0x54d843ff, -0x7b888f9d, -0x3ec2cce5, -0x14f87567, 0x530d4a82 }
+    },
+    {
+        { 0x6c9abf9e, 0x6d697345, 0x4900a880, 0x257fb2fc, -0x373047b0, 0x2bacf412, 0x0cbfbd5b, 0x0db3e7e0 },
+        { -0x1e06b7db, 0x004c3630, -0x7354aca6, 0x7e2d7826, -0x337b0075, -0x38b7dcdd, 0x101770b9, 0x65ea753f },
+        { -0x1df69c9d, 0x3d66fc3e, 0x61b5cb6b, -0x7e29d381, 0x13443b1a, 0x0fbe0442, 0x21e1a1db, 0x02a4ec19 }
+    },
+    {
+        { -0x0e3086a1, -0x0a379e9e, 0x26ee57f2, 0x118c8619, 0x1c063578, 0x17212485, -0x13f98031, 0x36d12b5d },
+        { 0x3b24b8a2, 0x5ce6259a, 0x45afa0b8, -0x47a88534, -0x745f8fc9, -0x33341918, 0x127809bf, 0x3d143c51 },
+        { 0x79154557, 0x126d2791, -0x0387c5f6, -0x2a1b70a4, -0x20e86454, 0x36bdb6e8, 0x5ba82859, 0x2ef51788 }
+    },
+},
+{
+    {
+        { 0x7c6da1e9, 0x1ea43683, 0x1fb9bdbe, -0x063e7651, -0x31a22eab, 0x303001fc, -0x43a841ae, 0x28a7c99e },
+        { -0x2ee1f2b6, -0x7742bc74, 0x43ccf308, 0x30cb610d, -0x6e6c8434, -0x1f65f1c9, 0x25b1720c, 0x4559135b },
+        { -0x172e6163, -0x47026c67, -0x69dbdc01, -0x6f7e6e35, 0x47c742a3, -0x4d46b729, -0x2804bb3c, 0x37f33226 }
+    },
+    {
+        { -0x37de4ee3, 0x33912553, 0x41e301df, 0x66ed42c2, 0x104222fd, 0x066fcc11, -0x3e6de971, 0x307a3b41 },
+        { -0x4aa091f8, 0x0dae8767, 0x5b203a02, 0x4a43b3b3, -0x7f507387, -0x1c8da592, 0x705fa7a3, 0x0f7a7fd1 },
+        { 0x6eb55ce0, -0x7114a2f9, -0x55f26da6, 0x2fc536bf, -0x23493918, -0x417e7cf1, -0x7d8450ae, 0x556c7045 }
+    },
+    {
+        { 0x2bf44406, -0x46b46ffe, -0x006f4acc, -0x542bdc82, -0x050792c6, 0x7600a960, -0x3dcdd11d, 0x2f45abda },
+        { 0x02e9d8b7, -0x71d4ae8d, 0x248714e8, -0x1c1add97, 0x4ca960b5, -0x42b04289, -0x3a135257, 0x6f4b4199 },
+        { -0x37107596, 0x61af4912, 0x43fb6e5e, -0x1a705b02, 0x6fd427cf, -0x4a5033a3, 0x1e1e11eb, 0x6a539328 }
+    },
+    {
+        { 0x149443cf, 0x0fff04fe, -0x79a32229, 0x53cac6d9, 0x531ed1b7, 0x31385b03, -0x532efc63, 0x5846a27c },
+        { -0x5a2e1177, -0x0c25aec7, -0x006c9678, -0x7ebaba84, 0x00e188c4, 0x3f622fed, -0x2474a5c3, 0x0f513815 },
+        { 0x1eb08717, 0x4ff5cdac, -0x6f0d1644, 0x67e8b295, 0x237afa99, 0x44093b5e, -0x78f7474e, 0x0d414bed }
+    },
+    {
+        { 0x294ac9e8, -0x7e77956e, -0x2aaab842, 0x23162b45, 0x03715983, -0x6b3043bc, 0x134bc401, 0x50eb8fdb },
+        { -0x02f18a0a, -0x30497d9b, -0x446f18f9, -0x1ba4c1d8, -0x6006d386, 0x7242a8de, -0x6ccdfd23, 0x685b3201 },
+        { -0x294ccf33, -0x3f48c13a, 0x132faff1, -0x7b1bb7f9, -0x3b5a211f, 0x732b7352, -0x55832d2e, 0x5d7c7cf1 }
+    },
+    {
+        { -0x648c5a9e, 0x33d1013e, 0x48ec26e1, -0x6da310a9, -0x22b97fa8, -0x580319ec, 0x1e9aa438, 0x78b0fad4 },
+        { 0x7a4aafa2, -0x50c4b941, 0x4d40d411, -0x4878fa14, -0x3583ea1d, 0x114f0c6a, -0x56b762b3, 0x3f364faa },
+        { -0x12fa4b78, -0x40a95bcf, -0x63b6a382, -0x5acc1994, -0x780c9ae6, -0x179ad451, 0x59d66c33, 0x02418000 }
+    },
+    {
+        { -0x30c715ff, 0x28350c7d, -0x4d6e854a, 0x7c6cdbc0, -0x7a8f7d09, -0x53183042, -0x5d265e20, 0x4d2845ab },
+        { -0x5c85a41c, -0x314f8802, -0x1a5a1149, -0x249bd0fe, 0x471270b8, -0x3d192f3b, 0x38e4529c, 0x4771b655 },
+        { 0x447070de, -0x44ac8020, 0x6dd557df, -0x3458bbbd, 0x3600dbcb, -0x2c4a5cb9, -0x06002808, 0x4aeabbe6 }
+    },
+    {
+        { -0x3b56370e, 0x6a2134bc, -0x7531d1c9, -0x040702e4, -0x66ee5f46, 0x000ae304, 0x6bc89b9e, 0x046e3a61 },
+        { 0x40d8f78c, 0x4630119e, 0x3c710e11, -0x5fe5643b, -0x76ef2287, 0x486d2b25, -0x24fcdb1b, 0x1e6c47b3 },
+        { -0x0fc6f942, 0x14e65442, -0x1c9d41d6, 0x4a019d54, -0x723dcf39, 0x68ccdfec, -0x509479e4, 0x7cfb7e3f }
+    },
+},
+{
+    {
+        { 0x305b2f51, -0x69114005, -0x776a6948, -0x2c06c753, 0x46d5dd25, -0x0f0ad239, -0x44c5ff6b, 0x57968290 },
+        { -0x73a75124, 0x4637974e, -0x540fbe5c, -0x4610dd05, -0x167f8e76, -0x1e7a26aa, -0x4ebc575a, 0x2f1b78fa },
+        { 0x0a20e101, -0x08e547bd, 0x24f0ec47, -0x0c6c9a73, 0x6ee2eed1, -0x308af658, -0x23d55c1f, 0x7dc43e35 }
+    },
+    {
+        { 0x273e9718, 0x5a782a5c, 0x5e4efd94, 0x3576c699, 0x1f237d3e, 0x0f2ed805, -0x7d2af567, 0x044fb81d },
+        { -0x7782263d, -0x7a69999b, 0x4bb05355, -0x36f064cf, -0x10df864f, -0x391f7208, 0x758cc12f, 0x7ef72016 },
+        { -0x56f81c27, -0x3e20e73b, -0x31b39ca7, 0x57b3371d, -0x4dfe44b7, -0x358fbacc, -0x63cf22d2, 0x7f79823f }
+    },
+    {
+        { 0x68f587ba, 0x6a9c1ff0, 0x0050c8de, 0x0827894e, 0x7ded5be7, 0x3cbf9955, 0x1c06d6f0, 0x64a9b043 },
+        { -0x5c4aec18, -0x7ccb2dc7, -0x46e05728, -0x3ec98f2c, -0x0a6f42cd, 0x12b54136, -0x287b264c, 0x0a4e0373 },
+        { 0x5b7d2919, 0x2eb3d6a1, -0x2ac57dcb, -0x4f4b0960, -0x765ba2b9, 0x7156ce43, -0x31e7cb94, 0x071a7d0a }
+    },
+    {
+        { 0x20e14431, -0x33f3caae, 0x09b15141, 0x0d659507, 0x209d5f36, -0x650a9de5, 0x617755d3, 0x7c69bcf7 },
+        { -0x377845f5, -0x2cf8d256, -0x405a9d12, 0x01262905, -0x3f108975, -0x30abcffe, 0x46ea7e9c, 0x2c3bcc71 },
+        { 0x04e8295f, 0x07f0d7eb, 0x2f50f37d, 0x10db1825, 0x171798d7, -0x16ae565d, 0x22aca51d, 0x6f5a9a73 }
+    },
+    {
+        { -0x5c26bb42, -0x18d62b15, -0x7f875062, -0x7261f6c0, 0x47869c03, 0x4525567a, -0x1172c4dc, 0x02ab9680 },
+        { 0x2f41c6c5, -0x745efff4, 0x0cfefb9b, -0x3b60863f, 0x3cc51c9f, 0x4efa4770, -0x1eb85036, 0x494e21a2 },
+        { -0x221af266, -0x105b757b, 0x0fb9a249, 0x219a224e, -0x26e10927, -0x05f6e0e3, -0x15b944cc, 0x6b5d76cb }
+    },
+    {
+        { 0x1e782522, -0x1f06bee9, 0x036936d3, -0x0e19518c, -0x2f0338ba, 0x408b3ea2, 0x03dd313e, 0x16fb869c },
+        { -0x13f3266c, -0x77a8aa94, 0x5cd01dba, 0x6472dc6f, -0x70bd4b89, -0x50fe96ec, -0x7ad88cac, 0x0ae333f6 },
+        { 0x33b60962, 0x288e1997, -0x27541ecd, 0x24fc72b4, 0x0991d03e, 0x4811f7ed, -0x708f2f8b, 0x3f81e38b }
+    },
+    {
+        { 0x5f17c824, 0x0adb7f35, -0x28bd665c, 0x74b923c3, -0x34071509, -0x2a83c175, 0x4cdedc3d, 0x0ad3e2d3 },
+        { 0x7ed9affe, 0x7f910fcc, 0x2465874b, 0x545cb8a1, 0x4b0c4704, -0x57c6812e, 0x04f50993, 0x50510fc1 },
+        { 0x336e249d, 0x6f0c0fc5, -0x3cce3027, 0x745ede19, 0x09eefe1c, -0x0d290300, -0x0f05e142, 0x127c158b }
+    },
+    {
+        { -0x51ae468c, -0x215d703c, 0x744dfe96, 0x1d9973d3, -0x78c7b758, 0x6240680b, -0x2e98206b, 0x4ed82479 },
+        { 0x2e9879a2, -0x09e683be, 0x52ca3647, -0x5bb5222c, 0x4b4eaccb, -0x64bec03f, 0x07ef4f68, 0x354ef87d },
+        { 0x60c5d975, -0x011c4ade, -0x14be4f48, 0x50352efc, -0x56099ac4, -0x77f753d0, 0x0539236d, 0x302d92d2 }
+    },
+},
+{
+    {
+        { 0x0df53c30, -0x6a847475, -0x719f0f68, 0x2a1c770a, 0x345796de, -0x44385990, -0x6f366437, 0x22a48f9a },
+        { -0x34c10484, 0x4c59023f, -0x39c3d56c, 0x6c2fcb99, -0x3c381f7c, -0x45be6f1e, -0x5ae78b27, 0x0e545dae },
+        { -0x72c053a8, 0x6b7dc0dc, -0x191bd403, 0x5497cd6c, -0x0bff2cfb, 0x542f7d1b, 0x048d9136, 0x4159f47f }
+    },
+    {
+        { -0x442db7c7, 0x748515a8, -0x504fd4ab, 0x77128347, 0x49a2a17f, 0x50ba2ac6, 0x3ad730f1, 0x06052551 },
+        { 0x39e31e32, 0x20ad6608, -0x7bfa41b0, -0x07e1e42b, -0x0b254397, -0x07f9bfaa, -0x318e468b, 0x14d23dd4 },
+        { -0x755d807e, -0x0dc671f7, -0x765e4fdc, 0x6d7982bb, 0x214dd24c, -0x0596bf7c, -0x5cdcfe3d, 0x71ab966f }
+    },
+    {
+        { 0x02809955, -0x4ef775f9, 0x0b43c391, 0x43b273ea, -0x01f97913, -0x35649852, -0x7cca0b13, 0x605eecbf },
+        { 0x4ded02fc, 0x2dcbd8e3, 0x596f22aa, 0x1151f3ec, 0x4e0328da, -0x435daabd, -0x6dbee4de, 0x35768fbe },
+        { 0x6c340431, -0x7cdff59b, -0x711a63d1, -0x60328e99, 0x71300f8a, 0x75d4613f, 0x60f542f9, 0x7a912faf }
+    },
+    {
+        { -0x05d2aa69, 0x253f4f8d, 0x5477130c, 0x25e49c40, -0x6694eefe, 0x00c052e5, 0x33bb6c4a, 0x33cb966e },
+        { 0x5edc1a43, -0x4dfba7a2, 0x5897c73c, -0x60f1e912, 0x4e70483c, 0x5b82c0ae, 0x2bddf9be, 0x624a170e },
+        { 0x7f116909, 0x59702804, 0x1e564467, -0x7d753be4, -0x19de8c79, 0x70417dbd, -0x0453bc7c, 0x721627ae }
+    },
+    {
+        { 0x410b2f22, -0x02cf6844, -0x4a3057bc, -0x0e5fa259, -0x10a8358c, 0x61289a1d, -0x447de6fe, 0x245ea199 },
+        { -0x78c9522b, -0x682fc43d, -0x3acd4ed0, 0x2f1422af, 0x7101bbc4, 0x3aa68a05, -0x18b06059, 0x4c946cf7 },
+        { 0x78d477f8, -0x51235997, 0x29117fe1, 0x1898ba3c, 0x720cbd58, -0x308c067d, -0x474a9caf, 0x67da12e6 }
+    },
+    {
+        { -0x7137cf74, 0x2b7ef3d3, 0x71eb94ab, -0x7d702814, -0x3af9d543, -0x7f83c4ca, 0x31a94141, 0x0cb64cb8 },
+        { -0x4b4291f9, 0x7067e187, -0x382e018c, 0x6e8f0203, 0x38c85a30, -0x6c3955d1, 0x3d75a78a, 0x76297d1f },
+        { 0x534c6378, 0x3030fc33, -0x1abe179f, -0x469ca3a4, -0x264d38d8, 0x15d9a9be, -0x0c88a235, 0x49233ea3 }
+    },
+    {
+        { 0x1c9f249b, 0x7b3985fe, -0x5edccd6d, 0x4fd6b2d5, 0x1adf4d62, -0x314cba6c, 0x542de50c, 0x6987ff6f },
+        { -0x724003c6, 0x629398fa, -0x2ab24bab, -0x1ed01ad3, -0x250dad6b, -0x0c41ee21, -0x31a184af, 0x628b140d },
+        { -0x707c8ac4, 0x47e24142, -0x79950669, 0x6317bebc, 0x3d1a9829, -0x2544a4bd, 0x5287fb2d, 0x074d8d24 }
+    },
+    {
+        { -0x3f1ceb78, 0x481875c6, -0x1ddfcb4c, 0x219429b2, 0x31283b65, 0x7223c98a, 0x342277f9, 0x3420d60b },
+        { 0x440bfc31, -0x7cc82633, -0x50ce7029, 0x729d2ca1, 0x772c2070, -0x5fbf5b5c, 0x3a7349be, 0x46002ef0 },
+        { -0x50019a09, -0x055dc522, 0x5be0764c, 0x78261ed4, 0x2f164403, 0x441c0a1e, 0x7a87d395, 0x5aea8e56 }
+    },
+},
+{
+    {
+        { -0x1b1f0e89, 0x2dbc6fb6, -0x5b42956d, 0x04e1bf29, 0x787af6e8, 0x5e1966d4, -0x4bd92fa0, 0x0edc5f5e },
+        { -0x435bd7c3, 0x7813c1a2, -0x5e79c227, -0x129d0f6f, -0x3d97057a, -0x51384348, 0x6f1cae4c, 0x10e5d3b7 },
+        { 0x53da8e67, 0x5453bfd6, 0x24a9f641, -0x1623e114, 0x03578a23, -0x4078d9c5, 0x361cba72, 0x45b46c51 }
+    },
+    {
+        { -0x75801c1c, -0x3162b223, 0x76620e30, -0x54ec9baa, -0x4cf166a8, 0x4b594f7b, 0x321229df, 0x5c1c0aef },
+        { 0x314f7fa1, -0x56bfd541, -0x71730bb0, -0x1da80e24, 0x23a8be84, 0x1dbbd54b, 0x6dcb713b, 0x2177bfa3 },
+        { -0x05862471, 0x37081bbc, -0x3da0a64d, 0x6048811e, -0x637cdb79, 0x087a7665, 0x7d8ab5bb, 0x4ae61938 }
+    },
+    {
+        { -0x67a4047d, 0x61117e44, 0x71963136, -0x031fb9d6, -0x2bda6fb5, -0x7c53cbb8, 0x5ba43d64, 0x75685abe },
+        { 0x5344a32e, -0x72240956, -0x4be4bf88, 0x7d88eab4, 0x4a130d60, 0x5eb0eb97, 0x17bf3e03, 0x1a00d91b },
+        { -0x149e0d4e, 0x6e960933, -0x3600b6ae, 0x543d0fa8, 0x7af66569, -0x208d8af0, 0x23b0e6aa, 0x135529b6 }
+    },
+    {
+        { -0x1dd17c02, -0x0a38e944, -0x17f67a3f, -0x4bd414e7, 0x14254aae, -0x136259c9, 0x1590a613, 0x5972ea05 },
+        { -0x522e2ae8, 0x18f0dbd7, -0x303ee0ef, -0x68608778, 0x7114759b, -0x78cd1e10, 0x65ca3a01, 0x79b5b81a },
+        { -0x237087ef, 0x0fd4ac20, -0x53b2b058, -0x65652d6c, -0x4cc9fbcc, -0x3fe4d29c, -0x6fa0c425, 0x4f7e9c95 }
+    },
+    {
+        { 0x355299fe, 0x71c8443d, -0x24141529, -0x7432c4e4, -0x0e5b6b9a, -0x7f6db662, -0x5ebb5238, 0x1942eec4 },
+        { 0x5781302e, 0x62674bbc, -0x765223f1, -0x27adf0c7, 0x53fbd9c6, -0x73d66652, 0x2e638e4c, 0x31993ad9 },
+        { -0x51dcb66e, 0x7dac5319, 0x0cea3e92, 0x2c1b3d91, 0x253c1122, 0x553ce494, 0x4ef9ca75, 0x2a0a6531 }
+    },
+    {
+        { 0x3c1c793a, -0x30c9e533, 0x5a35bc3b, 0x2f9ebcac, -0x57325955, 0x60e860e9, 0x6dea1a13, 0x055dc39b },
+        { -0x0806d83e, 0x2db7937f, 0x17d0a635, -0x248be0fa, 0x1155af76, 0x5982f3a2, 0x647c2ded, 0x4cf6e218 },
+        { -0x3d72a44a, -0x4ee6dd84, 0x774dffab, 0x07e24ebc, -0x1b5cd377, -0x57c38732, 0x10aa24b6, 0x121a3077 }
+    },
+    {
+        { -0x388b7c37, -0x29a68ec2, -0x47d46951, -0x77401f89, 0x1097bcd3, 0x289e2823, 0x6ced3a9b, 0x527bb94a },
+        { -0x60fcb569, -0x1b24a2a2, 0x3034bc2d, -0x1eac03f7, -0x6aae2c4f, 0x46054691, 0x7a40e52d, 0x333fc76c },
+        { -0x66a4b7d2, 0x563d992a, 0x6e383801, 0x3405d07c, 0x2f64d8e5, 0x485035de, 0x20a7a9f7, 0x6b89069b }
+    },
+    {
+        { -0x4a382489, 0x4082fa8c, -0x38cb3eab, 0x068686f8, -0x09185a82, 0x29e6c8d9, -0x589c6431, 0x0473d308 },
+        { 0x6270220d, -0x7ed55fbf, -0x06dba4b2, -0x66a57606, 0x5072ef05, -0x00523b32, -0x558c148d, 0x23bc2103 },
+        { 0x03589e05, -0x351186da, 0x46dcc492, 0x2b4b4212, -0x19fe56b1, 0x02a1ef74, -0x21fbcbe6, 0x102f73bf }
+    },
+},
+{
+    {
+        { -0x6c5c9db9, 0x358ecba2, -0x4d97029b, -0x5070679e, 0x68a01c89, 0x412f7e99, -0x328abadc, 0x5786f312 },
+        { 0x7ec20d3e, -0x4a5d2af4, -0x5f368d9d, -0x39b42292, -0x3e008cb3, 0x56e89052, 0x2b2ffaba, 0x4929c6f7 },
+        { -0x35ebfcd4, 0x337788ff, 0x447f1ee3, -0x0c6defd8, 0x231bccad, -0x74ebf8e1, -0x0dcbb87d, 0x4c817b4b }
+    },
+    {
+        { -0x5bf4bb7c, 0x413ba057, 0x4f5f6a43, -0x45b3d1e6, -0x511e29e4, 0x614ba0a5, -0x74fa23ad, 0x78a1531a },
+        { 0x2871b96e, 0x0ff85385, 0x60c3f1bb, -0x1ec16055, 0x25344402, -0x1102a6ad, 0x75b7744b, 0x0a37c370 },
+        { 0x3ad0562b, 0x6cbdf170, -0x36dade5d, -0x7130b7d0, -0x027bdb19, -0x25142cfd, 0x2e5ec56f, 0x72ad82a4 }
+    },
+    {
+        { 0x67024bc3, -0x3c976c6f, 0x49502fda, -0x71962e93, -0x1ba0b4d7, -0x030d13c4, -0x5c4b343c, 0x065f669e },
+        { -0x45049a0a, 0x3f9e8e35, -0x0d8d6c5f, 0x39d69ec8, -0x73095c30, 0x6cb8cd95, 0x73adae6d, 0x17347781 },
+        { 0x5532db4d, -0x75ff5139, 0x43e31bb1, -0x47965b1c, -0x2c580aeb, 0x4a0f8552, 0x303d7c08, 0x19adeb7c }
+    },
+    {
+        { 0x43c31794, -0x62fa4583, -0x6ccddada, 0x2470c8ff, 0x16197438, -0x7cdc2138, -0x7ea964ad, 0x28527098 },
+        { 0x53ead9a3, -0x38df349f, 0x512b636e, 0x55b2c97f, -0x2bfd6f4f, -0x4e1ca4a1, 0x3b530ee2, 0x2fd9ccf1 },
+        { 0x47f796b8, 0x07bd475b, 0x542c8f54, -0x2d384fed, 0x3b24f87e, 0x2dbd23f4, 0x7b0901d6, 0x6551afd7 }
+    },
+    {
+        { -0x5e2a3654, 0x68a24ce3, 0x10ff6461, -0x44885cc3, 0x25d3166e, 0x0f86ce44, 0x50b9623b, 0x56507c09 },
+        { 0x54aac27f, 0x4546baaf, -0x4d5ba5d8, -0x09099014, 0x562bcfe8, 0x582d1b5b, -0x6df087a1, 0x44b123f3 },
+        { -0x2e8ec19d, 0x1206f0b7, 0x15bafc74, 0x353fe3d9, 0x0ad9d94d, 0x194ceb97, -0x062fc52d, 0x62fadd7c }
+    },
+    {
+        { -0x1831ba6c, 0x3cd7bc61, -0x4822d982, -0x3294ca57, 0x4366ef27, -0x5f7f5438, 0x59c79711, 0x6ec7c46f },
+        { 0x5598a074, -0x394a6985, -0x71b6c1db, 0x5efe91ce, 0x49280888, -0x2b48d3bb, -0x5d98bf3e, 0x20ef1149 },
+        { 0x6f09a8a2, 0x2f07ad63, 0x24205e7d, -0x79681932, -0x11ca5ec7, -0x3f5103fb, -0x4a062769, 0x15e80958 }
+    },
+    {
+        { 0x5bb061c4, 0x4dd1ed35, -0x6be3f900, 0x42dc0cef, -0x0279cbf2, 0x61305dc1, 0x0e55a443, 0x56b2cc93 },
+        { 0x0c3e235b, 0x25a5ef7d, -0x41ecb119, 0x6c39c17f, 0x2dc5c327, -0x388b1ecc, -0x6dfde0c7, 0x021354b8 },
+        { -0x59403a5e, 0x1df79da6, -0x6021bc97, 0x02f3a274, -0x325c6f59, -0x4cdc260e, -0x788b2c9d, 0x7be0847b }
+    },
+    {
+        { 0x5307fa11, 0x1466f5af, -0x1293f50e, -0x7e803383, -0x3c5b5c05, 0x0a6de44e, -0x436d82f5, 0x74071475 },
+        { -0x74c0aa3d, -0x736633a6, 0x3fded2a0, 0x0611d725, 0x36b70a36, -0x12d66a01, -0x2875d9e7, 0x1f699a54 },
+        { 0x73e7ea8a, -0x188d6d0d, -0x34fba5cf, 0x296537d2, -0x2cd8b022, 0x1bd0653e, 0x76bd2966, 0x2f9a2c44 }
+    },
+},
+{
+    {
+        { -0x4aaee366, -0x5d4b2520, 0x2bffff06, 0x7ac86029, -0x0aafbdcc, -0x67e0c8a3, -0x25b15ed3, 0x3f6bd725 },
+        { 0x7f5745c6, -0x14e74655, 0x5787c690, 0x023a8aee, 0x2df7afa9, -0x48d8ed26, -0x15a3fec3, 0x36597d25 },
+        { 0x106058ac, 0x734d8d7b, 0x6fc6905f, -0x26bfa862, -0x6dfd6cd3, 0x6466f8f9, -0x259f2930, 0x7b7ecc19 }
+    },
+    {
+        { -0x58830565, 0x6dae4a51, -0x185c79b0, -0x7dd9c9ac, -0x70d27d25, 0x09bbffcd, 0x1bf5caba, 0x03bedc66 },
+        { 0x695c690d, 0x78c2373c, 0x0642906e, -0x22dad19a, 0x4ae12bd2, -0x6ae2bbbc, 0x01743956, 0x4235ad76 },
+        { 0x078975f5, 0x6258cb0d, -0x6e760d68, 0x49294254, -0x1d1c911c, -0x5f354bdd, -0x320f995f, 0x0e7ce2b0 }
+    },
+    {
+        { -0x26b48f07, -0x01590121, -0x3e0345d3, -0x0ecf3faf, 0x7f2fab89, 0x4882d47e, -0x7513114b, 0x61525613 },
+        { -0x3b737a5d, -0x3b6b9bc6, 0x3c6139ad, -0x02c9e20c, 0x3ae94d48, 0x09db17dd, -0x704b98b6, 0x666e0a5d },
+        { 0x4870cb0d, 0x2abbf64e, -0x55ba7495, -0x329a4310, 0x75e8985d, -0x6541b146, -0x2aeb211c, 0x7f0bc810 }
+    },
+    {
+        { 0x737213a0, -0x7c536253, 0x2ef72e98, -0x60090746, 0x43ec6957, 0x311e2edd, -0x213a548b, 0x1d3a907d },
+        { 0x26f4136f, -0x46ff945c, 0x57e03035, -0x7298c962, 0x4f463c28, -0x34372027, -0x0711240b, 0x0d1f8dbc },
+        { 0x3ed081dc, -0x45e96ccf, -0x7ae4cb80, 0x29329fad, 0x030321cb, 0x0128013c, -0x5ce4021d, 0x00011b44 }
+    },
+    {
+        { 0x6a0aa75c, 0x16561f69, 0x5852bd6a, -0x3e408da4, -0x65869953, 0x11a8dd7f, -0x2d7aefda, 0x63d988a2 },
+        { 0x3fc66c0c, 0x3fdfa06c, 0x4dd60dd2, 0x5d40e38e, 0x268e4d71, 0x7ae38b38, 0x6e8357e1, 0x3ac48d91 },
+        { -0x5042dcd2, 0x00120753, -0x0227097d, -0x16d43148, -0x7b18d46f, -0x07e9964d, 0x2368a066, 0x33fad52b }
+    },
+    {
+        { -0x3bdd3018, -0x72d33730, 0x05a13acb, 0x072b4f7b, -0x13095a91, -0x5c01491a, -0x46f58e1e, 0x3cc355cc },
+        { -0x3a1be1ea, 0x540649c6, 0x333f7735, 0x0af86430, -0x0cfa18ba, -0x4d53032e, -0x5da92359, 0x16c0f429 },
+        { -0x6fc16ecf, -0x16496bbd, 0x7a5637ce, -0x475b6b35, -0x45456dbc, -0x37832e5c, 0x6bae7568, 0x631eaf42 }
+    },
+    {
+        { -0x5c8ff218, 0x47d975b9, -0x1d07faae, 0x7280c5fb, 0x32e45de1, 0x53658f27, 0x665f80b5, 0x431f2c7f },
+        { -0x25990161, -0x4c16fbf0, 0x6c16e5a6, -0x7a22b4ae, 0x1ef9bf83, -0x43c2689f, 0x1ea919b5, 0x5599648b },
+        { -0x7a7084e7, -0x29fd9cbc, -0x5e15aeb6, 0x14ab352f, 0x2090a9d7, -0x76ffbbe6, -0x6edac4da, 0x7b04715f }
+    },
+    {
+        { -0x3b19453a, -0x4c893d80, 0x6d1d9b0b, -0x68f12c23, 0x450bf944, -0x4f656aa8, 0x57cde223, 0x48d0acfa },
+        { -0x530951bd, -0x7c1242d8, 0x7d5c7ab4, -0x79ca8375, -0x4814d3bc, -0x3fbfb897, -0x3d09a7c1, 0x59b37bf5 },
+        { 0x7dabe671, -0x49f0d91c, 0x622f3a37, -0x0e2e5e69, -0x1669fc6c, 0x4208ce7e, 0x336d3bdb, 0x16234191 }
+    },
+},
+{
+    {
+        { 0x3d578bbe, -0x7ad22e03, -0x3cd79ef8, 0x2b65ce72, -0x1531dd8d, 0x658c07f4, -0x13c754c0, 0x0933f804 },
+        { 0x33a63aef, -0x0e651539, 0x4442454e, 0x2c7fba5d, 0x4795e441, 0x5da87aa0, -0x5b1f4f0b, 0x413051e1 },
+        { -0x72b69b8a, -0x58549687, -0x034a5438, -0x7ede5522, 0x7b539472, -0x5a23ed11, 0x5e45351a, 0x07fd4706 }
+    },
+    {
+        { -0x6517183d, 0x30421155, -0x6bb77d5b, -0x0d7e4dd7, 0x378250e4, -0x75ec53d2, 0x54ba48f4, 0x014afa09 },
+        { 0x258d2bcd, -0x37a7c3c3, -0x509f48c1, 0x17029a4d, 0x416a3781, -0x05f0362a, 0x38b3fb23, 0x1c1e5fba },
+        { 0x1bb3666c, -0x34ce6900, 0x4bffecb9, 0x33006052, 0x1a88233c, 0x29371199, 0x3d4ed364, 0x29188436 }
+    },
+    {
+        { -0x43e54915, -0x0462c83d, 0x4d57a240, 0x02be1453, -0x075a1e0a, -0x0b28cbeb, 0x0ccc8188, 0x5964f430 },
+        { -0x23b45406, 0x033c6805, 0x5596ecc1, 0x2c15bf5e, -0x4a64e2c5, 0x1bc70624, -0x5e60f13b, 0x3ede9850 },
+        { 0x2d096800, -0x1bb5dceb, 0x70866996, 0x5c08c559, 0x46affb6e, -0x20d249f6, -0x07a90277, 0x579155c1 }
+    },
+    {
+        { 0x0817e7a6, -0x4a0e949d, 0x3c351026, -0x7f7396dd, 0x54cef201, 0x324a983b, 0x4a485345, 0x53c09208 },
+        { 0x12e0c9ef, -0x69cdb123, -0x0dbdfd69, 0x468b878d, -0x5b0a8c42, 0x199a3776, -0x716e16d6, 0x1e7fbcf1 },
+        { -0x0e345041, -0x2d2beb7f, 0x716174e5, 0x231d2db6, -0x1d5aa368, 0x0b7d7656, 0x2aa495f6, 0x3e955cd8 }
+    },
+    {
+        { 0x61bb3a3f, -0x54c60c11, 0x2eb9193e, -0x714bff9b, 0x38c11f74, -0x4a219134, 0x26f3c49f, 0x654d7e96 },
+        { 0x3ed15433, -0x1b70aca2, 0x0d7270a3, -0x2f8a96d6, -0x55219c79, 0x40fbd21d, -0x30bb6a0b, 0x14264887 },
+        { 0x5c7d2ceb, -0x1a9b3023, -0x28c83347, -0x7d115022, -0x2e064f55, 0x6107db62, -0x4bca7245, 0x0b6baac3 }
+    },
+    {
+        { 0x3700a93b, 0x204abad6, -0x25886c8d, -0x41ffdc2d, 0x633ab709, -0x27a0fcba, -0x6f7dfbee, 0x00496dc4 },
+        { -0x79dd0168, 0x7ae62bcb, -0x31476e51, 0x47762256, -0x0d1bf94c, 0x1a5a92bc, -0x7b1beaff, 0x7d294017 },
+        { -0x3d819ca0, 0x1c74b88d, -0x72eb7af4, 0x07485426, 0x3e0dcb30, -0x5eba0485, 0x43803b23, 0x10843f1b }
+    },
+    {
+        { -0x1cdb9765, -0x2a9098d3, -0x4c6b567f, -0x2e257513, -0x6e973013, -0x2284a702, 0x4d56c1e8, 0x7ce246cd },
+        { 0x376276dd, -0x3a06fbab, -0x289ba327, -0x31a6ea73, 0x1d366b39, -0x6d09a2af, 0x526996c4, 0x11574b6e },
+        { 0x7f80be53, -0x470bcf72, 0x34a9d397, 0x5f3cb8cb, 0x33cc2b2c, 0x18a961bd, 0x3a9af671, 0x710045fb }
+    },
+    {
+        { 0x059d699e, -0x5fc0379e, -0x659e6197, 0x2370cfa1, 0x2f823deb, -0x3b01c4ee, -0x580f7bb2, 0x1d1b056f },
+        { 0x101b95eb, 0x73f93d36, 0x4f6f4486, -0x0510cc87, -0x70ea1a9e, 0x5651735f, 0x58b40da1, 0x7fa3f190 },
+        { -0x1a9409e1, 0x1bc64631, 0x6e5382a3, -0x2c8654f0, 0x0540168d, 0x4d58c57e, -0x7bbd271c, 0x56625662 }
+    },
+},
+{
+    {
+        { 0x1ff38640, -0x22b6632a, 0x063625a0, 0x29cd9bc3, 0x3dd73dc3, 0x51e2d802, 0x203b9231, 0x4a25707a },
+        { -0x09d9800a, -0x461b6622, 0x742c0843, 0x7772ca7b, -0x165b0d4f, 0x23a0153f, -0x2a2faffa, 0x2cdfdfec },
+        { 0x53f6ed6a, 0x2ab7668a, 0x1dd170a1, 0x30424258, 0x3ae20161, 0x4000144c, 0x248e49fc, 0x5721896d }
+    },
+    {
+        { -0x5e2f25b2, 0x285d5091, -0x4a01c1f8, 0x4baa6fa7, -0x1e6c6c4d, 0x63e5177c, -0x3b4fcf03, 0x03c935af },
+        { -0x02e7e452, 0x0b6e5517, 0x2bb963b4, -0x6fdd9d61, 0x32064625, 0x5509bce9, -0x09c3ec26, 0x578edd74 },
+        { 0x492b0c3d, -0x668d893a, -0x201dfa04, 0x47ccc2c4, -0x229dc5c4, -0x232d647c, 0x0288c7a2, 0x3ec2ab59 }
+    },
+    {
+        { -0x51cd2e35, -0x58dec5f7, 0x40f5c2d5, 0x0f2b87df, -0x17e154d7, 0x0baea4c6, 0x6adbac5e, 0x0e1bf66c },
+        { -0x1b278447, -0x5e5f2d85, 0x61391aed, -0x5674b215, 0x73cb9b83, -0x665f2230, 0x200fcace, 0x2dd5c25a },
+        { 0x792c887e, -0x1d542a17, -0x346d92a3, 0x1a020018, -0x4551a0e2, -0x40459633, 0x5ae88f5f, 0x730548b3 }
+    },
+    {
+        { -0x5e291ccc, -0x7fa4f6b5, 0x09353f19, -0x40c10e89, 0x0622702b, 0x423f06cb, -0x2787ba23, 0x585a2277 },
+        { -0x34574712, -0x3bcaae5d, -0x4deea0ea, 0x65a26f1d, -0x5473c7b0, 0x760f4f52, 0x411db8ca, 0x3043443b },
+        { 0x33d48962, -0x5e75a07e, -0x1387da81, 0x6698c4b5, 0x373e41ff, -0x5871905b, 0x50ef981f, 0x76562789 }
+    },
+    {
+        { -0x15793063, -0x1e8f8c5d, 0x07155fdc, 0x3a8cfbb7, 0x31838a8e, 0x4853e7fc, -0x49ec09ea, 0x28bbf484 },
+        { -0x2ae03740, 0x38c3cf59, 0x0506b6f2, -0x64122d03, -0x54a8f171, 0x26bf109f, -0x3e47b95a, 0x3f4160a8 },
+        { 0x6f136c7c, -0x0d9ed0a4, -0x0922ee42, -0x50152ef9, 0x13de6f33, 0x527e9ad2, -0x7e7708a3, 0x1e79cb35 }
+    },
+    {
+        { -0x0a1f7e7f, 0x77e953d8, 0x299dded9, -0x7b5af3bc, -0x79bada1b, -0x2393d2f4, 0x39d1f2f4, 0x478ab52d },
+        { -0x11081c0f, 0x013436c3, -0x0161ef08, -0x7d749581, -0x43062104, 0x7ff908e5, 0x3a3b3831, 0x65d7951b },
+        { -0x6dad2ea7, 0x66a6a4d3, -0x78e537f9, -0x1a221e44, -0x593e3691, -0x47d394c0, 0x1a212214, 0x16d87a41 }
+    },
+    {
+        { -0x2ab1fa7d, -0x045b2a1e, 0x2ebd99fa, -0x1de05029, 0x6ee9778f, 0x497ac273, 0x7a5a6dde, 0x1f990b57 },
+        { 0x42066215, -0x4c4281a6, 0x0c5a24c1, -0x78641c33, -0x29066b49, 0x57c05db1, 0x65f38ca6, 0x28f87c81 },
+        { 0x1be8f7d6, -0x5ccbb153, -0x53158671, 0x7d1e50eb, 0x520de052, 0x77c6569e, 0x534d6d3e, 0x45882fe1 }
+    },
+    {
+        { -0x6bc3901c, -0x275366d7, -0x5c7c6d5e, -0x4a060e9f, -0x4137650d, 0x2699db13, -0x1bfa0f8c, 0x7dcf843c },
+        { 0x757983d6, 0x6669345d, 0x17aa11a6, 0x62b6ed11, -0x67a1ed71, 0x7ddd1857, -0x09d90923, 0x688fe5b8 },
+        { 0x4a4732c0, 0x6c90d648, -0x35a9cd67, -0x2adebc03, -0x6ea2391f, -0x4c41d73d, 0x7327191b, 0x6739687e }
+    },
+},
+{
+    {
+        { -0x363468e1, -0x731a5530, -0x602ab5d7, 0x1156aaa9, 0x15af9b78, 0x41f72470, 0x420f49aa, 0x1fe8cca8 },
+        { 0x200814cf, -0x609a3a16, 0x69a31740, -0x7bfac91f, 0x25c8b4ad, -0x74f12ec7, -0x16c9c9e3, 0x0080dbaf },
+        { 0x3c0cc82a, 0x72a1848f, -0x788361ac, 0x38c560c2, -0x31aabec0, 0x5004e228, 0x03429d71, 0x042418a1 }
+    },
+    {
+        { 0x20816247, 0x58e84c6f, -0x1c90286d, -0x724d4d4a, 0x1d484d85, -0x688e7daa, -0x79cd5429, 0x0822024f },
+        { -0x540c00a1, -0x766215af, 0x2fc2d8ba, -0x646c5799, -0x419142a4, 0x2c38cb97, -0x68d9c4a3, 0x114d5784 },
+        { 0x6b1beca3, -0x4cfe4484, -0x3914ec8b, 0x55393f6d, -0x68491b15, -0x6ef2d7f0, -0x62b8615d, 0x1ad4548d }
+    },
+    {
+        { 0x0fe9fed3, -0x5f901993, 0x1c587909, -0x578cc5c0, 0x0df98953, 0x30d14d80, -0x384cfda8, 0x41ce5876 },
+        { 0x389a48fd, -0x32a58260, -0x6587c8e2, -0x4c705b56, 0x2cdb8e6c, -0x392689e5, -0x3681ebbd, 0x35cf51db },
+        { -0x298f3fde, 0x59ac3bc5, -0x64ee6bfa, -0x151983f0, -0x4c87d026, -0x68674210, -0x02f8bf6e, 0x651e3201 }
+    },
+    {
+        { 0x1efcae9e, -0x5a845b60, -0x23cf756c, 0x769f4bee, 0x3603cb2e, -0x2e0ef115, 0x7e441278, 0x4099ce5e },
+        { -0x10cf3a31, -0x29c27b7d, 0x2361cc0c, 0x4cd4b496, -0x5b7bd954, -0x116f1b00, 0x18c14eeb, 0x0af51d7d },
+        { -0x75aede17, 0x1ac98e4f, -0x2405d020, 0x7dae9544, -0x29bcf207, -0x7cdf55f3, 0x2c4a2fb5, 0x66728265 }
+    },
+    {
+        { 0x2946db23, -0x52574920, 0x7b253ab7, 0x1c0ce51a, 0x66dd485b, -0x7bb737a6, -0x2f98a521, 0x7f1fc025 },
+        { -0x27943655, -0x78b9de0c, 0x56fe6fea, -0x4ab38442, 0x7fadc22c, 0x077a2425, 0x19b90d39, 0x1ab53be4 },
+        { 0x319ea6aa, -0x2711e4e8, 0x3a21f0da, 0x004d8808, -0x77c5b0b5, 0x3bd6aa1d, -0x202602ec, 0x4db9a3a6 }
+    },
+    {
+        { -0x34488398, -0x26a4ff45, -0x6e0e87b7, -0x22437b96, -0x41d7264d, 0x7cf700ae, -0x7a2ce0c2, 0x5ce1285c },
+        { -0x4663f8ab, -0x73184dc5, -0x3b0af086, 0x35c5d6ed, -0x1264af3d, 0x7e1e2ed2, -0x176cb25f, 0x36305f16 },
+        { -0x674f4218, 0x31b6972d, -0x535921a5, 0x7d920706, -0x6f759a61, -0x198cef08, -0x1020fdcb, 0x50fac2a6 }
+    },
+    {
+        { -0x090bb644, 0x295b1c86, 0x1f0ab4dd, 0x51b2e84a, -0x5571aae3, -0x3ffe34d0, 0x44f43662, 0x6a28d359 },
+        { 0x5b880f5a, -0x0c2c560d, -0x24fc183e, -0x1213faf4, -0x060f4e5e, -0x576967e1, -0x53a1cb5c, 0x49a4ae2b },
+        { 0x04a740e0, 0x28bb12ee, -0x64317e8c, 0x14313bbd, -0x173ef3c0, 0x72f5b5e4, 0x36adcd5b, 0x7cbfb199 }
+    },
+    {
+        { -0x33c91920, -0x7186c586, 0x7d586eed, -0x0605485d, -0x451e0b1c, 0x3a4f9692, -0x00a0bb82, 0x1c14b03e },
+        { 0x6b89792d, -0x5cee223e, -0x25aed99c, 0x1b30b4c6, -0x30eaf7a7, 0x0ca77b4c, 0x1b009408, 0x1de443df },
+        { 0x14a85291, 0x19647bd1, 0x1034d3af, 0x57b76cb2, 0x0f9d6dfa, 0x6329db44, 0x6a571493, 0x5ef43e58 }
+    },
+},
+{
+    {
+        { -0x37f3e540, -0x59923363, 0x1b38a436, -0x685fa30c, -0x6a24283a, -0x58140c42, -0x72818255, 0x7da0b8f6 },
+        { 0x385675a6, -0x1087dfec, -0x55025618, -0x5d9b60d0, 0x5cdfa8cb, 0x4cd1eb50, 0x1d4dc0b3, 0x46115aba },
+        { -0x3c4a258a, -0x2bf0e6ad, 0x21119e9b, 0x1dac6f73, -0x014da6a0, 0x03cc6021, -0x7c98b4b5, 0x5a5f887e }
+    },
+    {
+        { -0x5f59bc47, -0x6169d72d, -0x193cdf9c, -0x4a3c3500, 0x7c2dec32, -0x64acfd77, -0x2a2e38f4, 0x43e37ae2 },
+        { 0x70a13d11, -0x709cfe31, 0x350dd0c4, -0x303147eb, -0x5b435b82, -0x08fd682c, -0x1bb2ebcc, 0x3669b656 },
+        { -0x12591ecd, 0x387e3f06, -0x665ec540, 0x67301d51, 0x36263811, -0x42a52708, 0x4fd5e9be, 0x6a21e6cd }
+    },
+    {
+        { 0x6699b2e3, -0x10bed6ee, 0x708d1301, 0x71d30847, 0x1182b0bd, 0x325432d0, 0x001e8b36, 0x45371b07 },
+        { 0x3046e65f, -0x0e39e8f6, 0x00d23524, 0x58712a2a, -0x737d48ab, 0x69dbbd3c, -0x5e6a00a9, 0x586bf9f1 },
+        { 0x5ef8790b, -0x5924f773, 0x610937e5, 0x5278f0dc, 0x61a16eb8, -0x53fcb62e, -0x6f1ade87, 0x0eafb037 }
+    },
+    {
+        { 0x0f75ae1d, 0x5140805e, 0x2662cc30, -0x13fd041d, -0x156dc693, 0x2cebdf1e, -0x3abca44d, 0x44ae3344 },
+        { 0x3748042f, -0x69faaa3f, -0x7df455ef, 0x219a41e6, 0x73486d0c, 0x1c81f738, 0x5a02c661, 0x309acc67 },
+        { -0x445abc12, -0x630d7647, 0x5ac97142, -0x0c89f163, 0x4f9360aa, 0x1d82e5c6, 0x7f94678f, 0x62d5221b }
+    },
+    {
+        { 0x3af77a3c, 0x7585d426, -0x0116ebb3, -0x205184ef, 0x59f7193d, -0x5af98f80, -0x7c6ddfc9, 0x14f29a53 },
+        { 0x18d0936d, 0x524c299c, -0x75f3e5f4, -0x37944a94, -0x24b579cf, -0x5c8afad2, -0x438aba9e, 0x5c0efde4 },
+        { 0x25b2d7f5, -0x208e8124, -0x664acfc0, 0x21f970db, -0x3c12b39e, -0x256dcb49, 0x7bee093e, 0x5e72365c }
+    },
+    {
+        { 0x2f08b33e, 0x7d933906, -0x2060cd42, 0x5b9659e5, 0x1f9ebdfd, -0x5300c253, -0x348cb649, 0x70b20555 },
+        { 0x4571217f, 0x575bfc07, 0x0694d95b, 0x3779675d, -0x0be6e1cd, -0x65f5c845, 0x47b4eabc, 0x77f1104c },
+        { 0x55112c4c, -0x41aeec3b, -0x6577e033, 0x6688423a, 0x5e503b47, 0x44667785, 0x4a06404a, 0x0e34398f }
+    },
+    {
+        { 0x3e4b1928, 0x18930b09, 0x73f3f640, 0x7de3e10e, 0x73395d6f, -0x0bcde826, -0x35c863c2, 0x6f8aded6 },
+        { 0x3ecebde8, -0x4982dd27, 0x27822f07, 0x09b3e841, -0x4fa49273, 0x743fa61f, -0x75c9dc8e, 0x5e540536 },
+        { -0x02484d66, -0x1cbfedc3, -0x5de54d6f, 0x487b97e1, -0x02196b62, -0x066982fe, -0x372c2169, 0x780de72e }
+    },
+    {
+        { 0x00f42772, 0x671feaf3, 0x2a8c41aa, -0x708d14d6, -0x68c8cd6e, 0x29a17fd7, 0x32b587a6, 0x1defc6ad },
+        { 0x089ae7bc, 0x0ae28545, 0x1c7f4d06, 0x388ddecf, 0x0a4811b8, 0x38ac1551, 0x71928ce4, 0x0eb28bf6 },
+        { -0x10ae6a59, -0x50a441e6, -0x6e84ea13, 0x148c1277, 0x7ae5da2e, 0x2991f7fb, -0x0722d799, 0x467d201b }
+    },
+},
+{
+    {
+        { 0x296bc318, 0x745f9d56, -0x27ead19b, -0x66ca7f2c, 0x5839e9ce, -0x4f1a4ec1, -0x2bc6de40, 0x51fc2b28 },
+        { -0x0842d195, 0x7906ee72, 0x109abf4e, 0x05d270d6, -0x46be575c, -0x72a301bb, 0x1c974287, 0x44c21867 },
+        { -0x6a1d5674, 0x1b8fd117, 0x2b6b6291, 0x1c4e5ee1, 0x7424b572, 0x5b30e710, 0x4c4f4ac6, 0x6e6b9de8 }
+    },
+    {
+        { -0x07f34f78, 0x6b7c5f10, 0x56e42151, 0x736b54dc, -0x3910663c, -0x3d49df5b, -0x3c5f90be, 0x5f4c802c },
+        { 0x4b1de151, -0x200da032, -0x1ee3bfdb, -0x27be3f39, 0x54749c87, 0x2554b3c8, -0x6f71f207, 0x2d292459 },
+        { 0x7d0752da, -0x649a370f, -0x38811800, -0x77e31cc8, 0x5b62f9e3, -0x3c4aeb10, -0x413ef2b8, 0x66ed5dd5 }
+    },
+    {
+        { -0x3435fb83, -0x0f520c37, -0x0baad095, -0x7e3c4d35, 0x44735f93, -0x3025eed3, 0x7e20048c, 0x1f23a0c7 },
+        { 0x0bb2089d, 0x7d38a1c2, -0x69332bee, -0x7f7ccb1f, 0x6c97d313, -0x3b58f474, 0x03007f20, 0x2eacf8bc },
+        { -0x1a43ea90, -0x0dcab985, 0x0dbab38c, 0x03d2d902, -0x03061f62, 0x27529aa2, -0x62cb43b0, 0x0840bef2 }
+    },
+    {
+        { 0x7f37e4eb, -0x32ab1f95, -0x0a169336, -0x733ea079, -0x2ca68232, -0x47db7450, 0x6074400c, 0x246affa0 },
+        { -0x23ef4d79, 0x796dfb35, 0x5c7ff29d, 0x27176bcd, -0x384db6fb, 0x7f3d43e8, -0x6e3abd8a, 0x0304f5a1 },
+        { -0x041bacdf, 0x37d88e68, -0x3f28afce, -0x79f68ab8, -0x76b5f2cb, 0x4e9b13ef, 0x5753d325, 0x25a83cac }
+    },
+    {
+        { 0x3952b6e2, -0x60f099d7, 0x0934267b, 0x33db5e0e, -0x29f60124, -0x00badad5, -0x3af91f37, 0x06be10f5 },
+        { -0x1127e9a2, 0x10222f48, 0x4b8bcf3a, 0x623fc123, -0x3dde1710, 0x1e145c09, -0x3587d9d0, 0x7ccfa59f },
+        { -0x49d5cba1, 0x1a9615a9, 0x4a52fecc, 0x22050c56, 0x28bc0dfe, -0x585d877b, 0x1a1ee71d, 0x5e82770a }
+    },
+    {
+        { 0x42339c74, -0x17fd17f6, -0x5800051b, 0x34175166, 0x1c408cae, 0x34865d1f, 0x605bc5ee, 0x2cca982c },
+        { -0x527695a4, 0x35425183, -0x1872ad0a, -0x1798c505, -0x6d5ca09c, 0x2c66f25f, 0x3b86b102, 0x09d04f3b },
+        { 0x197dbe6e, -0x02d2a2cb, -0x741b005d, 0x207c2eea, 0x325ae918, 0x2613d8db, 0x27741d3e, 0x7a325d17 }
+    },
+    {
+        { 0x7e2a076a, -0x132d82ff, 0x1636495e, -0x28779761, -0x6e6dcc1b, 0x52a61af0, 0x7bb1ae64, 0x2a479df1 },
+        { -0x2e92021e, -0x2fc94645, -0x3b6857d7, -0x5dfaa8a9, -0x580ed999, -0x7193369a, 0x1239c180, 0x4d3b1a79 },
+        { 0x33db2710, -0x61a11172, -0x293bc35b, 0x189854de, -0x6d8e7ec8, -0x5be3dd3b, -0x5bc5a165, 0x27ad5538 }
+    },
+    {
+        { -0x71b8f884, -0x34a5829d, 0x20a1c059, -0x7248ac9f, -0x74120234, 0x549e1e4d, 0x503b179d, 0x080153b7 },
+        { 0x15350d61, 0x2746dd4b, -0x116ade49, -0x2fc03438, 0x138672ca, -0x1791c9a6, 0x7e7d89e2, 0x510e987f },
+        { 0x0a3ed3e3, -0x2259626d, -0x329f58de, 0x3d386ef1, -0x4255b11a, -0x37e852a8, 0x4fe7372a, 0x23be8d55 }
+    },
+},
+{
+    {
+        { 0x567ae7a9, -0x43e10b43, -0x29bb6743, 0x3f624cb2, 0x2c1f4ec8, -0x1bef9b2e, -0x45c7bfff, 0x2ef9c5a5 },
+        { 0x74ef4fad, -0x6a016e66, -0x095cf75e, 0x3a827bec, 0x09a47b01, -0x69b1fe2d, 0x5ba3c797, 0x71c43c4f },
+        { -0x05618b33, -0x4902920a, -0x1b50d986, -0x0e7d8744, -0x0e1066f2, -0x7daa4c30, -0x6f3a0d6d, 0x5a758ca3 }
+    },
+    {
+        { 0x1d61dc94, -0x731f6e75, -0x657ecf9a, -0x7212c9ba, -0x5017552d, -0x2b1957d7, -0x09c62bc1, 0x0a738027 },
+        { -0x26b9db6b, -0x5d48d8f0, -0x2a82affd, 0x3aa8c6d2, -0x5f4b7836, -0x1c2bff41, -0x4c148d14, 0x2dbae244 },
+        { 0x57ffe1cc, -0x67f0b5d1, -0x1e7c67bd, 0x00670d0d, 0x49fb15fd, 0x105c3f4a, 0x5126a69c, 0x2698ca63 }
+    },
+    {
+        { 0x5e3dd90e, 0x2e3d702f, -0x1b2dac7a, -0x61c0f6e8, 0x024da96a, 0x5e773ef6, 0x4afa3332, 0x3c004b0c },
+        { 0x32b0ba78, -0x189ace78, -0x6da30075, 0x381831f7, -0x5fd6e034, 0x08a81b91, 0x49caeb07, 0x1fb43dcc },
+        { 0x06f4b82b, -0x6556b954, -0x57f93b0d, 0x1ca284a5, -0x3932b879, 0x3ed3265f, -0x32e02de9, 0x6b43fd01 }
+    },
+    {
+        { 0x3e760ef3, -0x4a38bda8, -0x11f54670, 0x75dc52b9, 0x072b923f, -0x40ebd83e, 0x6ff0d9f0, 0x73420b2d },
+        { 0x4697c544, -0x3858a2b5, -0x20f00041, 0x15fdf848, -0x55b987a6, 0x2868b9eb, 0x5b52f714, 0x5a68d710 },
+        { -0x617ae1fa, -0x50d30935, -0x39ddc73c, -0x70a6c6ed, -0x66040c8d, -0x2575476a, -0x15cb4362, 0x3db5632f }
+    },
+    {
+        { -0x7d67da2b, 0x2e4990b1, 0x3e9a8991, -0x12151479, 0x4c704af8, -0x110fc2c7, -0x6a20d4f2, 0x59197ea4 },
+        { -0x08a22628, -0x0b9111d5, 0x396759a5, 0x0d17b1f6, 0x499e7273, 0x1bf2d131, 0x49d75f13, 0x04321adf },
+        { -0x1b1aa552, 0x04e16019, 0x7e2f92e9, -0x1884bc86, 0x6f159aa4, -0x3831d23f, -0x0b28f340, 0x45eafdc1 }
+    },
+    {
+        { -0x30334e13, -0x49f1b9dc, -0x42a3fc6b, 0x59dbc292, -0x23fb7e37, 0x31a09d1d, 0x5d56d940, 0x3f73ceea },
+        { -0x7fba28d5, 0x69840185, -0x30d0f9af, 0x4c22faa2, 0x6b222dc6, -0x6be5c99b, 0x0362dade, 0x5a5eebc8 },
+        { 0x0a4e8dc6, -0x4858402f, 0x44c9b339, -0x41a8ff82, 0x1557aefa, 0x60c1207f, 0x266218db, 0x26058891 }
+    },
+    {
+        { -0x39891abe, 0x4c818e3c, 0x03ceccad, 0x5e422c93, -0x4bed60f8, -0x13f83336, -0x4dbbbc48, 0x0dedfa10 },
+        { -0x7c9f00fc, 0x59f704a6, 0x7661e6f4, -0x3c26c022, 0x12873551, -0x7ce4d58d, 0x4e615d57, 0x54ad0c2e },
+        { -0x47d4add6, -0x11c4982b, -0x605a3e15, 0x36f16346, 0x6ec19fd3, -0x5a4b2d0e, -0x58856bf8, 0x62ecb2ba }
+    },
+    {
+        { -0x5049d78c, -0x6df8d7ca, 0x79e104a5, 0x5fcd5e85, -0x39cf5eb6, 0x5aad01ad, 0x75663f98, 0x61913d50 },
+        { 0x61152b3d, -0x1a1286ae, 0x0eddd7d1, 0x4962357d, -0x4694b38f, 0x7482c8d0, -0x56992742, 0x2e59f919 },
+        { 0x1a3231da, 0x0dc62d36, -0x6bdffd90, -0x05b8a7ce, 0x3f9594ce, 0x02d80151, 0x31c05d5c, 0x3ddbc2a1 }
+    },
+},
+{
+    {
+        { 0x004a35d1, -0x048ca53e, 0x3a6607c3, 0x31de0f43, -0x3ad72a67, 0x7b8591bf, -0x0a44faf4, 0x55be9a25 },
+        { 0x4ffb81ef, 0x3f50a50a, 0x3bf420bf, -0x4e1fcaf7, -0x3955d330, -0x645571e4, -0x05dc85c0, 0x32239861 },
+        { 0x33db3dbf, 0x0d005acd, -0x7f53ca1e, 0x0111b37c, 0x6f88ebeb, 0x4892d66c, 0x6508fbcd, 0x770eadb1 }
+    },
+    {
+        { -0x5faf8e47, -0x0e2c497f, 0x3592ff3a, 0x2207659a, 0x7881e40e, 0x5f016929, -0x7945c8b2, 0x16bedd0e },
+        { 0x5e4e89dd, -0x7bae0620, -0x4386c6c9, -0x3f9cfd01, 0x56a6495c, 0x5d227495, -0x5fa9fc05, 0x09a6755c },
+        { 0x2c2737b5, 0x5ecccc4f, 0x2dccb703, 0x43b79e0c, 0x4ec43df3, 0x33e008bc, -0x0f8a9940, 0x06c1b840 }
+    },
+    {
+        { -0x64fd7fa4, 0x69ee9e7f, 0x547d1640, -0x34007d76, -0x4dbcf698, 0x3d93a869, 0x3fe26972, 0x46b7b8cd },
+        { -0x5c770789, 0x7688a5c6, -0x214d4954, 0x02a96c14, 0x1b8c2af8, 0x64c9f343, 0x54a1eed6, 0x36284355 },
+        { -0x01811420, -0x167edf7a, 0x2f515437, 0x4cba6be7, 0x516efae9, 0x1d04168b, 0x43982cb9, 0x5ea13910 }
+    },
+    {
+        { -0x2a2c4ffe, 0x6f2b3be4, 0x6a09c880, -0x5013cc27, -0x57433b34, 0x035f73a4, 0x4662198b, 0x22c5b928 },
+        { -0x0b8fd11f, 0x49125c9c, -0x74da4cd3, 0x4520b71f, 0x501fef7e, 0x33193026, -0x372d14d5, 0x656d8997 },
+        { 0x433d8939, -0x34a73702, 0x6a8d7e50, -0x765f34d2, 0x09fbbe5a, 0x79ca9553, -0x32803efa, 0x0c626616 }
+    },
+    {
+        { -0x040bab4f, -0x70203c87, -0x0e5b488f, 0x45a5a970, -0x452ca6eb, -0x536de109, -0x57e3de6e, 0x42d088dc },
+        { 0x4879b61f, 0x1ffeb80a, 0x4ada21ed, 0x6396726e, 0x368025ba, 0x33c7b093, -0x0c3ce878, 0x471aa0c6 },
+        { -0x5fe9ae67, -0x7025f0c9, -0x375f1cbd, 0x0adadb77, -0x378a17e0, 0x20fbfdfc, 0x0c2206e7, 0x1cf2bea8 }
+    },
+    {
+        { 0x02c0412f, -0x67d291e6, -0x24a71702, -0x6f05b37d, -0x234e7440, 0x01c2f5bc, 0x216abc66, 0x686e0c90 },
+        { -0x4c9dfd54, -0x3d220e22, -0x2d1d855b, -0x6d5a01f7, -0x03f60e2d, 0x7d1648f6, 0x13bc4959, 0x74c2cc05 },
+        { -0x5abc6a59, 0x1fadbadb, -0x51f25996, -0x4be5fd60, -0x445c83f9, -0x40e60a68, -0x21b7bcf3, 0x6a12b8ac }
+    },
+    {
+        { 0x1aaeeb5f, 0x793bdd80, -0x3eae778f, 0x00a2a0aa, 0x1f2136b4, -0x175c8c5d, -0x036e10e7, 0x48aab888 },
+        { 0x39d495d9, -0x072515e1, 0x525f1dfc, 0x592c190e, -0x3666e2e5, -0x247342fc, -0x2770f349, 0x11f7fda3 },
+        { 0x5830f40e, 0x041f7e92, 0x79661c06, 0x002d6ca9, 0x2b046a2e, -0x79236007, -0x74fb6c2f, 0x76036092 }
+    },
+    {
+        { 0x695a0b05, -0x4bcef71b, -0x52c85c75, 0x6cb00ee8, -0x5cac8c7f, 0x5edad6ee, -0x4923cddc, 0x3f2602d4 },
+        { 0x120cf9c6, 0x21bb41c6, -0x21325a65, -0x154d55ee, 0x0aa48b34, -0x3e58d2fe, -0x1782c498, 0x215d4d27 },
+        { 0x5bcaf19c, -0x374db84a, -0x4e4d39ae, 0x49779dc3, -0x2a131d1e, -0x765e7f45, -0x31371fc7, 0x13f098a3 }
+    },
+},
+{
+    {
+        { 0x2796bb14, -0x0c55a85e, -0x64f825df, -0x77c54549, 0x31a0391c, -0x1ab41de8, -0x27cdfa07, 0x5ee7fb38 },
+        { -0x31a13ab5, -0x6523f007, -0x73d0ecf3, 0x039c2a6b, -0x0f076aeb, 0x028007c7, -0x53fb4c95, 0x78968314 },
+        { 0x41446a8e, 0x538dfdcb, 0x434937f9, -0x5a530257, 0x263c8c78, 0x46af908d, -0x6435f2f7, 0x61d0633c }
+    },
+    {
+        { -0x07038c21, -0x525cd744, -0x590fc804, -0x117b96a3, 0x38c2a909, 0x637fb4db, -0x07f98424, 0x5b23ac2d },
+        { -0x0024da9a, 0x63744935, 0x780b68bb, -0x3a429477, 0x553eec03, 0x6f1b3280, 0x47aed7f5, 0x6e965fd8 },
+        { -0x117fad85, -0x652d46ad, -0x05219273, -0x1770e656, 0x150e82cf, 0x0e711704, -0x226a2124, 0x79b9bbb9 }
+    },
+    {
+        { -0x71608c8c, -0x2e668252, -0x3044f7ea, -0x5fcd5d08, 0x6d445f0a, -0x329345ee, 0x0accb834, 0x1ba81146 },
+        { 0x6a3126c2, -0x144caac0, 0x68c8c393, -0x2d9c7c58, -0x1a46857e, 0x6c0c6429, -0x3602deb9, 0x5065f158 },
+        { 0x0c429954, 0x708169fb, -0x28913099, -0x1eb9ff54, 0x70e645ba, 0x2eaab98a, 0x58a4faf2, 0x3981f39e }
+    },
+    {
+        { 0x6de66fde, -0x37ba205b, 0x2c40483a, -0x1ead5b00, -0x384b09ce, -0x162d1e9d, -0x2343e49b, 0x30f4452e },
+        { 0x59230a93, 0x18fb8a75, 0x60e6f45d, 0x1d168f69, 0x14a93cb5, 0x3a85a945, 0x05acd0fd, 0x38dc0837 },
+        { -0x3a8a68c0, -0x7a92d87e, -0x06634134, -0x05ecba97, -0x3f15b18f, -0x77bb038d, 0x593f2469, 0x632d9a1a }
+    },
+    {
+        { -0x12f37b59, -0x40f602ef, 0x0d9f693a, 0x63f07181, 0x57cf8779, 0x21908c2d, -0x7509b45e, 0x3a5a7df2 },
+        { -0x47f8345a, -0x094494eb, -0x43ab0f29, 0x1823c7df, 0x6e29670b, -0x44e268fd, 0x47ed4a57, 0x0b24f488 },
+        { 0x511beac7, -0x23252b42, -0x12d9330e, -0x5bac7f8b, 0x005f9a65, -0x1e630061, 0x75481f63, 0x34fcf744 }
+    },
+    {
+        { 0x78cfaa98, -0x5a44e255, 0x190b72f2, 0x5ceda267, 0x0a92608e, -0x6cf636ef, 0x2fb374b0, 0x0119a304 },
+        { 0x789767ca, -0x3e681fb4, 0x38d9467d, -0x478eb235, -0x7c06a058, 0x55de8882, 0x4dfa63f7, 0x3d3bdc16 },
+        { -0x173de883, 0x67a2d89c, 0x6895d0c1, 0x669da5f6, -0x4d7d5d50, -0x0a9a671b, -0x121df58d, 0x56c088f1 }
+    },
+    {
+        { 0x24f38f02, 0x581b5fac, -0x451cf343, -0x56f41602, -0x75306d10, -0x65de96fe, -0x7ca6fc71, 0x038b7ea4 },
+        { 0x10a86e17, 0x336d3d11, 0x0b75b2fa, -0x280c77ce, 0x25072988, -0x06eacc8a, -0x66ef7479, 0x09674c6b },
+        { -0x66ce9008, -0x60b107df, -0x155872b1, 0x2f49d282, 0x5aef3174, 0x0971a5ab, 0x5969eb65, 0x6e5e3102 }
+    },
+    {
+        { 0x63066222, 0x3304fb0e, -0x785345c1, -0x04caf977, -0x73ef9e5d, -0x42e6db89, -0x2e7c79e0, 0x3058ad43 },
+        { -0x781a6c05, -0x4e939d0b, -0x35a2c18f, 0x4999edde, 0x14cc3e6d, -0x4b6e3e20, -0x76572458, 0x08f51147 },
+        { -0x1a899c30, 0x323c0ffd, -0x5dd159f0, 0x05c3df38, -0x5366b066, -0x42387543, -0x101c2367, 0x26549fa4 }
+    },
+},
+{
+    {
+        { -0x08ac6947, 0x04dbbc17, -0x2d0798ba, 0x69e6a2d7, -0x0ac1543a, -0x39bf6267, 0x332e25d2, 0x606175f6 },
+        { -0x78317077, 0x738b38d7, 0x4179a88d, -0x49d9a71e, -0x0eaece93, 0x30738c9c, 0x727275c9, 0x49128c7f },
+        { -0x0abf1823, 0x4021370e, -0x5e0e2f5b, 0x0910d6f5, 0x5b06b807, 0x4634aacd, 0x6944f235, 0x6a39e635 }
+    },
+    {
+        { 0x74049e9d, 0x1da19657, -0x6701cad5, -0x0432915f, -0x33adc95a, -0x4e3432b0, 0x3f9846e2, 0x1f5ec83d },
+        { -0x206f0c19, -0x6932a9c0, -0x2405da16, 0x6c3a760e, 0x59e33cc4, 0x24f3ef09, 0x530d2e58, 0x42889e7e },
+        { 0x328ccb75, -0x7104dc3d, -0x22789117, -0x50bd5df9, 0x5dfae796, 0x20fbdadc, 0x06bf9f51, 0x241e246b }
+    },
+    {
+        { 0x6280bbb8, 0x7eaafc9a, -0x0bfc27f7, 0x22a70f12, 0x1bfc8d20, 0x31ce40bb, -0x1742ac12, 0x2bc65635 },
+        { -0x5291670a, 0x29e68e57, 0x0b462065, 0x4c9260c8, -0x5ae144b5, 0x3f00862e, -0x4c726f69, 0x5bc2c77f },
+        { -0x5694526d, -0x172a2361, -0x21e6b824, -0x1a704e83, 0x65185fa3, 0x681532ea, 0x034a7830, 0x1fdd6c3b }
+    },
+    {
+        { 0x2dd8f7a9, -0x63ec595b, 0x3efdcabf, 0x2dbb1f8c, 0x5e08f7b5, -0x69e1cdc0, -0x4419361b, 0x48c8a121 },
+        { 0x55dc18fe, 0x0a64e28c, 0x3399ebdd, -0x1c206167, 0x70e2e652, 0x79ac4323, 0x3ae4cc0e, 0x35ff7fc3 },
+        { 0x59646445, -0x03bea584, -0x3ed749eb, -0x2ddb4d29, 0x05fbb912, 0x6035c9c9, 0x74429fab, 0x42d7a912 }
+    },
+    {
+        { -0x6cc25a44, -0x565b76b9, -0x3d168614, 0x4a58920e, 0x13e5ac4c, -0x69278000, 0x4b48b147, 0x453692d7 },
+        { -0x1508d12d, 0x4e6213e3, 0x43acd4e7, 0x6794981a, 0x6eb508cb, -0x00ab8322, 0x10fcb532, 0x6fed19dd },
+        { -0x57aa6391, -0x2288a267, -0x20ffc1dc, -0x0bd5dec0, -0x256d759a, 0x5223e229, 0x6d38f22c, 0x063f46ba }
+    },
+    {
+        { 0x37346921, 0x39843cb7, 0x38c89447, -0x58b804f9, -0x5dbacf82, -0x34727fcf, 0x6d82f068, 0x67810f8e },
+        { 0x5f536694, -0x2d2dbd77, 0x42939b2c, -0x35cc5d3b, -0x382246a4, -0x6790525a, 0x2f712d5d, 0x5a152c04 },
+        { -0x2dd7824c, 0x3eeb8fbc, 0x01a03e93, 0x72c7d3a3, -0x4267d9a6, 0x5473e88c, 0x5921b403, 0x7324aa51 }
+    },
+    {
+        { -0x17dcab35, -0x52dc0926, -0x49a8e593, 0x6962502a, -0x1c71c82f, -0x649ae9ca, -0x2e5cced1, 0x5cac5005 },
+        { 0x6c3cbe8e, -0x7a86bd0c, 0x4730c046, -0x5e2c9b4f, -0x2dc3be41, 0x1c8ed914, -0x11092a2e, 0x0838e161 },
+        { -0x161c66fc, -0x733eab34, -0x7b2197ba, 0x5b3a040b, -0x4e41a292, -0x3b2759e4, -0x2779e0fe, 0x40fb897b }
+    },
+    {
+        { 0x5ab10761, -0x1a8127b9, 0x6fd13746, 0x71435e20, -0x32fda9ce, 0x342f824e, -0x5786e185, 0x4b16281e },
+        { 0x62de37a1, -0x7b3a5570, 0x0d1d96e1, 0x421da500, 0x6a9242d9, 0x78828630, 0x690d10da, 0x3c5e464a },
+        { 0x0b813381, -0x2e3efe2b, 0x76ee6828, -0x2119f0ef, 0x383f6409, 0x0cb68893, -0x0900b7b6, 0x6183c565 }
+    },
+},
+{
+    {
+        { -0x50c09992, -0x24b97ab7, -0x0eb5f15b, -0x288030fc, -0x5b45f3b9, 0x3df23ff7, 0x32ce3c85, 0x3a10dfe1 },
+        { 0x1e6bf9d6, 0x741d5a46, 0x7777a581, 0x2305b3fc, 0x6474d3d9, -0x2baa8b5e, 0x6401e0ff, 0x1926e1dc },
+        { -0x15e83160, -0x1f80b176, 0x3a1fc1fd, 0x2fd51546, 0x31f2c0f1, 0x175322fd, -0x79e1a2eb, 0x1fa1d01d }
+    },
+    {
+        { -0x2e206b55, 0x38dcac00, -0x2ef7f217, 0x2e712bdd, -0x022a1d9e, 0x7f13e93e, -0x1165fe1b, 0x73fced18 },
+        { 0x7d599832, -0x337faa6c, 0x37f15520, 0x1e4656da, 0x4e059320, -0x6609088c, 0x6a75cf33, 0x773563bc },
+        { 0x63139cb3, 0x06b1e908, -0x3a5fc133, -0x5b6c2599, -0x529c76ce, -0x72883138, 0x1b864f44, 0x1f426b70 }
+    },
+    {
+        { -0x6e5edaae, -0x0e81ca38, 0x575e9c76, -0x48947ead, 0x0d9b723e, -0x057cbf91, 0x3fa7e438, 0x0b76bb1b },
+        { 0x41911c01, -0x1036d9b4, 0x17a22c25, -0x0e5c4848, -0x0cf0ebb9, 0x5875da6b, 0x1d31b090, 0x4e1af527 },
+        { 0x7f92939b, 0x08b8c1f9, -0x2bbb5492, -0x41988e35, -0x66447fe9, 0x22e56463, -0x488d56ab, 0x7b6dd61e }
+    },
+    {
+        { -0x54fe2d39, 0x5730abf9, 0x40143b18, 0x16fb76dc, -0x5f344d7f, -0x7993419b, -0x64009502, 0x53fa9b65 },
+        { 0x50f33d92, -0x48523e18, 0x608cd5cf, 0x7998fa4f, -0x7203a425, -0x5269d243, -0x50e2d0b1, 0x703e9bce },
+        { -0x6b77abab, 0x6c14c8e9, 0x65aed4e5, -0x7bc5a29a, -0x4329a50f, 0x181bb73e, -0x3b39e0b0, 0x398d93e5 }
+    },
+    {
+        { -0x2d181c0e, -0x3c7883a0, 0x30828bb1, 0x3b34aaa0, 0x739ef138, 0x283e26e7, 0x02c30577, 0x699c9c90 },
+        { 0x33e248f3, 0x1c4bd167, 0x15bf0a5f, -0x4261ed79, -0x5ef4fc8a, -0x2bc07310, -0x20e6e4ed, 0x53b09b5d },
+        { 0x5946f1cc, -0x0cf958dd, -0x331a2683, -0x6de8e74b, -0x7e4b168b, 0x28cdd247, 0x6fcdd907, 0x51caf30c }
+    },
+    {
+        { 0x18ac54c7, 0x737af99a, -0x3ae34cf1, -0x6fcc8724, 0x4ce10cc7, 0x2b89bc33, -0x76071666, 0x12ae29c1 },
+        { 0x7674e00a, -0x59f458be, -0x5e85840d, 0x630e8570, -0x30ccdb34, 0x3758563d, 0x2383fdaa, 0x5504aa29 },
+        { 0x1f0d01cf, -0x56613f35, 0x3a34f7ae, 0x0dd1efcc, -0x2f63b1de, 0x55ca7521, 0x58eba5ea, 0x5fd14fe9 }
+    },
+    {
+        { -0x406c3472, 0x3c42fe5e, 0x36d4565f, -0x412057af, -0x77bddf18, -0x1f0f7a62, 0x0725d128, 0x7dd73f96 },
+        { 0x2845ab2c, -0x4a23d221, 0x0a7fe993, 0x069491b1, 0x4002e346, 0x4daaf3d6, 0x586474d1, 0x093ff26e },
+        { 0x68059829, -0x4ef2db02, -0x2450dc1b, 0x75730672, -0x4ba853d7, 0x1367253a, -0x794b8f5c, 0x2f59bcbc }
+    },
+    {
+        { -0x496e3cff, 0x7041d560, -0x522818e2, -0x7adfe4c1, 0x11335585, 0x16c2e163, 0x010828b1, 0x2aa55e3d },
+        { -0x66e8eca1, -0x7c7b82be, 0x567d03d7, -0x52e46ee1, -0x4188552f, 0x7e7748d9, 0x2e51af4a, 0x5458b42e },
+        { 0x0c07444f, -0x12ae6d1a, 0x74421d10, 0x42c54e2d, -0x024a379c, 0x352b4c82, -0x7589799c, 0x13e9004a }
+    },
+},
+{
+    {
+        { -0x7f94b984, 0x1e6284c5, -0x18a29f85, -0x3a096685, -0x4c872d9e, -0x749826a8, -0x7e327490, 0x3d88d66a },
+        { 0x6c032bff, -0x344a4aab, 0x29297a3a, -0x208e6e49, -0x52127e45, -0x3e008cda, 0x68be03f5, 0x71ade8bb },
+        { 0x204ed789, -0x7489856d, -0x605f51d6, 0x762fcacb, 0x6dce4887, 0x771febcc, -0x700fa04d, 0x34306215 }
+    },
+    {
+        { 0x2a7b31b4, -0x031de6f9, -0x55a87fea, 0x4d7adc75, -0x78b86cdc, 0x0ec276a6, 0x1fda4beb, 0x6d6d9d5d },
+        { -0x1e0a40b7, -0x1fa25e59, -0x2b8c9f6e, 0x26457d6d, 0x73cc32f6, 0x77dcb077, -0x6322a033, 0x0a5d9496 },
+        { -0x164f7e7d, 0x22b1a58a, -0x3ea3c775, -0x026a2f8f, -0x7af5fae9, -0x567edc8a, -0x4480cca2, 0x33384cba }
+    },
+    {
+        { 0x26218b8d, 0x33bc627a, -0x3857f39f, -0x157f4de1, 0x173e9ee6, -0x6ba74ed5, 0x0e2f3059, 0x076247be },
+        { 0x0ca2c7b5, 0x3c6fa268, 0x6fb64fda, 0x1b508204, 0x5431d6de, -0x14accb64, 0x6b879c89, 0x5278b38f },
+        { 0x1416375a, 0x52e105f6, -0x7a54145c, -0x136850ca, 0x23a67c36, 0x26e6b506, -0x0c2b04ff, 0x5cf0e856 }
+    },
+    {
+        { 0x3db342a8, -0x415131cf, -0x7bd24812, -0x345c9ca5, -0x7e80ec11, -0x177399e0, 0x4e76d5c6, 0x1b9438aa },
+        { 0x1ae8cab4, -0x0936978d, -0x34b06d3b, 0x5e20741e, -0x733243c2, 0x2da53be5, 0x69970df7, 0x2dddfea2 },
+        { 0x166f031a, -0x75af8882, 0x0fb7a328, 0x067b39f1, 0x010fbd76, 0x1925c9a6, -0x338bf6fb, 0x6df9b575 }
+    },
+    {
+        { 0x48cade41, -0x13203ca5, -0x4dcd7d90, 0x6a88471f, 0x40a01b6a, 0x740a4a24, 0x003b5f29, 0x471e5796 },
+        { 0x27f6bdcf, 0x42c11929, 0x403d61ca, -0x706e6e86, -0x7461e09f, -0x23e3a59a, 0x04ec0f8d, 0x15960478 },
+        { -0x5312c854, -0x2569444d, -0x16df7316, 0x7a2423b5, 0x38aebae2, 0x24cc5c30, -0x23a251d1, 0x50c356af }
+    },
+    {
+        { 0x1b31b964, -0x30126321, -0x735ae50d, -0x0b79567b, -0x1573e07c, 0x14897265, -0x6cd53400, 0x784a53dd },
+        { 0x41c30318, 0x09dcbf43, -0x7ce7e232, -0x1145f9ef, -0x23e1d65f, -0x3e863f32, 0x073f35b0, 0x1dbf7b89 },
+        { 0x14fc4920, 0x2d99f9df, -0x3bb6601b, 0x76ccb60c, -0x1a30fffd, -0x5becd345, 0x54f000ea, 0x3f93d823 }
+    },
+    {
+        { 0x79e14978, -0x1553ed2f, -0x441400a2, -0x006dc00d, 0x0663ce27, 0x4af663e4, 0x11a5f5ff, 0x0fd381a8 },
+        { -0x61fb317b, -0x7e7c1898, 0x04465341, 0x678fb71e, 0x6688edac, -0x526dfa71, 0x532b099a, 0x5da350d3 },
+        { -0x5bc920ac, -0x0da95314, -0x51962918, 0x108b6168, 0x6b5d036c, 0x20d986cb, -0x011d50b0, 0x655957b9 }
+    },
+    {
+        { -0x2ffd2f54, -0x423ebf65, -0x4a33265a, 0x66660245, -0x05217a14, -0x7dce823c, 0x6ad7df0d, 0x02fe934b },
+        { -0x56fdfcf1, -0x51574f81, -0x0b9c2ebd, -0x07738996, 0x3c787a60, 0x15b08366, -0x7d985b58, 0x08eab114 },
+        { -0x3048158c, -0x10a30f00, -0x5e34bd54, 0x22897633, -0x310d7a1e, -0x2b31f3ac, -0x75eb95ab, 0x30408c04 }
+    },
+},
+{
+    {
+        { 0x193b877f, -0x44d1ff37, -0x1f23af95, -0x131c5770, 0x36de649f, -0x130c4840, -0x672161e6, 0x5f460408 },
+        { -0x7cd03125, 0x739d8845, -0x5194079d, -0x05c72937, -0x48b00109, 0x32bc0dca, 0x14bce45e, 0x73937e88 },
+        { 0x297bf48d, -0x46fc8eea, -0x2b0f97cc, -0x562ec4de, 0x4696bdc6, -0x1e68eaa9, -0x6e2a17cb, 0x2cf8a4e8 }
+    },
+    {
+        { 0x17d06ba2, 0x2cb5487e, 0x3950196b, 0x24d2381c, -0x7a6875d0, -0x289a637f, -0x6e295b0a, 0x7a6f7f28 },
+        { 0x07110f67, 0x6d93fd87, 0x7c38b549, -0x22b3f62d, -0x3d8c957a, 0x7cb16a4c, 0x58252a09, 0x2049bd6e },
+        { 0x6a9aef49, 0x7d09fd8d, 0x5b3db90b, -0x0f119f42, 0x519ebfd4, 0x4c21b52c, -0x3aba6be3, 0x6011aadf }
+    },
+    {
+        { 0x02cbf890, 0x63ded0c8, 0x0dff6aaa, -0x042f6736, -0x46491267, 0x624d0afd, 0x79340b1e, 0x69ce18b7 },
+        { -0x306a07c4, 0x5f67926d, 0x71289071, 0x7c7e8561, -0x667085a5, -0x295e180d, 0x0b62f9e0, 0x6fc5cc1b },
+        { -0x4d678635, -0x2e10aad8, -0x2b816f6e, -0x22e551c4, 0x189f2352, 0x127e0442, -0x1a8efe0f, 0x15596b3a }
+    },
+    {
+        { 0x7e5124ca, 0x09ff3116, -0x2638ba21, 0x0be4158b, 0x7ef556e5, 0x292b7d22, -0x50492ec8, 0x3aa4e241 },
+        { 0x3f9179a2, 0x462739d2, -0x68292231, -0x007cedcf, 0x53f2148a, 0x1307deb5, 0x7b5f4dda, 0x0d223768 },
+        { 0x2a3305f5, 0x2cc138bf, -0x5d16d93d, 0x48583f8f, 0x5549d2eb, 0x083ab1a2, 0x4687a36c, 0x32fcaa6e }
+    },
+    {
+        { 0x2787ccdf, 0x3207a473, -0x0dec1c08, 0x17e31908, -0x09f269b2, -0x2a4d1329, -0x3d9ff417, 0x746f6336 },
+        { -0x3a82650b, 0x7bc56e8d, -0x620f420e, 0x3e0bd2ed, 0x22efe4a3, -0x553feb22, -0x014295a4, 0x4627e9ce },
+        { -0x549368e4, 0x3f4af345, -0x66bc8ce1, -0x1d77148e, 0x0344186d, 0x33596a8a, 0x7ed66293, 0x7b491700 }
+    },
+    {
+        { -0x22ac5d23, 0x54341b28, -0x20bd03c1, -0x55e86fa5, 0x4dd2f8f4, 0x0ff592d9, -0x1f732c83, 0x1d03620f },
+        { -0x547b4f9c, 0x2d85fb5c, -0x760c43ec, 0x497810d2, 0x7b15ce0c, 0x476adc44, -0x07bb0285, 0x122ba376 },
+        { -0x5d4b1aac, -0x3dfdcd33, 0x115d187f, -0x612f02be, 0x7dd479d9, 0x2eabb4be, 0x2b68ec4c, 0x02c70bf5 }
+    },
+    {
+        { 0x458d72e1, -0x531acd41, 0x7cb73cb5, 0x5be768e0, -0x11744219, 0x56cf7d94, -0x014bc5fd, 0x6b0697e3 },
+        { 0x5d0b2fbb, -0x5d7813b5, 0x074882ca, 0x415c5790, -0x3e2f7ea4, -0x1fbb59e2, 0x409ef5e0, 0x26334f0a },
+        { -0x209d5c40, -0x49370fb6, 0x076da45d, 0x3ef000ef, 0x49f0d2a9, -0x636346a8, 0x441b2fae, 0x1cc37f43 }
+    },
+    {
+        { -0x36315147, -0x2899a90f, 0x18e5656a, 0x1c5b15f8, -0x7bb3dccc, 0x26e72832, 0x2f196838, 0x3a346f77 },
+        { 0x5cc7324f, 0x508f565a, -0x1af956de, -0x2f9e3b40, 0x5c45ac19, -0x04e75425, 0x0380314a, 0x6c6809c1 },
+        { -0x1d259538, -0x2d2aaeee, -0x4e17ae13, -0x1642fccf, -0x71398d9e, -0x69f8b923, 0x6ef7c5d0, 0x05911b9f }
+    },
+},
+{
+    {
+        { -0x3a01606c, 0x01c18980, 0x716fd5c8, -0x329a9897, -0x2e6a5f7a, -0x7e9fba3d, 0x66cc7982, 0x6e2b7f32 },
+        { -0x49c800d3, -0x162328aa, -0x36780f3c, -0x13b3cb71, -0x0c043849, -0x312a6d7b, -0x6c1e1579, 0x33053547 },
+        { -0x083ca971, -0x337fdb98, 0x19974cb3, -0x6216457e, -0x4a47eca0, -0x5448dd64, 0x6fbeba62, 0x44e2017a }
+    },
+    {
+        { -0x49359133, -0x7807d30d, 0x18f4a0c2, 0x580f893e, 0x2604e557, 0x05893007, 0x56d19c1d, 0x6cab6ac2 },
+        { 0x54dab774, -0x3b3d58bd, 0x4eaf031a, -0x71a2b3c4, 0x42838f17, -0x4893dc2e, 0x68dce4ea, 0x749a098f },
+        { 0x2cc1de60, -0x23201f60, 0x51c5575b, 0x032665ff, 0x073abeeb, 0x2c0c32f1, -0x328479fa, 0x6a882014 }
+    },
+    {
+        { -0x50b01492, -0x2eee2e84, -0x4cc55b5d, 0x050bba42, -0x114b93d0, 0x17514c3c, 0x1bc27d75, 0x54bedb8b },
+        { -0x5b8b804b, -0x5ad56d02, 0x1fa5ab89, -0x23ed5bb7, -0x47b85b32, -0x27d256b5, -0x6aed33b2, 0x4d77edce },
+        { 0x77e2189c, 0x77c8e145, -0x00663bbb, -0x5c1b9096, 0x6d335343, 0x3144dfc8, 0x7c4216a9, 0x3a96559e }
+    },
+    {
+        { -0x7f4555ae, 0x44938968, -0x0d7a6bf2, 0x4c98afc4, -0x5babb74a, -0x10b55865, -0x5a855181, 0x5278c510 },
+        { -0x0bd52d12, 0x12550d37, -0x675e040b, -0x74871ffc, 0x33894cb2, 0x5d530782, 0x3e498d0c, 0x02c84e4e },
+        { 0x294c0b94, -0x5ab22f8c, -0x20e7004a, -0x0aa2b948, -0x72517c9a, -0x0f90133b, -0x7e6f2e9b, 0x58865766 }
+    },
+    {
+        { 0x3de25cc3, -0x40a7cb10, -0x297eab6a, -0x47783752, -0x6b7e176e, 0x5105221a, -0x088dc06d, 0x6760ed19 },
+        { 0x1aef7117, -0x2b88edcf, 0x229e92c7, 0x50343101, -0x62ea6469, 0x7a95e184, -0x74a2d637, 0x2449959b },
+        { -0x53ca1ea0, 0x669ba3b7, -0x457bdfaa, 0x2eccf73f, -0x3f7fb0f9, 0x1aec1f17, 0x1856f4e7, 0x0d96bc03 }
+    },
+    {
+        { -0x338afa1f, -0x4e2acb50, 0x16c35288, 0x32cd0034, 0x0762c29d, -0x34c95a80, 0x237a0bf8, 0x5bfe69b9 },
+        { 0x75c52d82, 0x3318be77, 0x54d0aab9, 0x4cb764b5, -0x3388c26f, -0x5430c2d9, -0x7edcd776, 0x3bf4d184 },
+        { 0x78a151ab, 0x183eab7e, -0x66f6c89d, -0x44166f37, 0x4ac7e335, -0x008e8292, 0x25f39f88, 0x4c5cddb3 }
+    },
+    {
+        { -0x185606fe, 0x57750967, 0x4f5b467e, 0x2c37fdfc, 0x3177ba46, -0x4d9e99c6, -0x23d2acd5, 0x3a375e78 },
+        { 0x6190a6eb, -0x3f0948b3, 0x2db8f4e4, 0x20ea81a4, -0x68cea8a0, -0x57429083, 0x62ac7c21, 0x33b1d602 },
+        { 0x2d4dddea, -0x7ebe18d1, 0x62c607c8, -0x19150168, 0x573cafd0, 0x23c28458, 0x4ff97346, 0x46b9476f }
+    },
+    {
+        { 0x0d58359f, 0x1215505c, -0x03d73b95, 0x2a2013c7, -0x761599b2, 0x24a0a1af, -0x5eecf1e1, 0x4400b638 },
+        { 0x4f901e5c, 0x0c1ffea4, 0x2184b782, 0x2b0b6fb7, 0x0114db88, -0x1a78006f, 0x4785a142, 0x37130f36 },
+        { -0x6912e63d, 0x3a01b764, -0x12cd8dd0, 0x31e00ab0, -0x7c35ea4f, 0x520a8857, 0x5accbec7, 0x06aab987 }
+    },
+},
+{
+    {
+        { 0x512eeaef, 0x5349acf3, 0x1cc1cb49, 0x20c141d3, -0x56659773, 0x24180c07, -0x39b4d2e9, 0x555ef9d1 },
+        { -0x0a20f145, -0x3ecc667d, 0x512c4cac, -0x3f0c8a71, 0x0bb398e1, 0x2cf1130a, -0x55d8f39e, 0x6b3cecf9 },
+        { 0x3b73bd08, 0x36a770ba, -0x5c5040f4, 0x624aef08, -0x4bf6b90e, 0x5737ff98, 0x3381749d, 0x675f4de1 }
+    },
+    {
+        { 0x3bdab31d, -0x5ed00927, -0x629ad202, 0x0725d80f, -0x65416b79, 0x019c4ff3, -0x7d32c3bd, 0x60f450b8 },
+        { 0x6b1782fc, 0x0e2c5203, 0x6cad83b4, 0x64816c81, 0x6964073e, -0x2f234227, 0x0164c520, 0x13d99df7 },
+        { 0x21e5c0ca, 0x014b5ec3, -0x28e6405e, 0x4fcb69c9, 0x750023a0, 0x4e5f1c18, 0x55edac80, 0x1c06de9e }
+    },
+    {
+        { -0x00929656, -0x002ad4c0, -0x23bfb645, 0x34530b18, -0x5cb26769, 0x5e4a5c2f, 0x7d32ba2d, 0x78096f8e },
+        { -0x5cc13b1e, -0x66f0852a, -0x41d11f72, 0x6608f938, 0x63284515, -0x635ebc3b, -0x13d249f3, 0x4cf38a1f },
+        { 0x0dfa5ce7, -0x5f55559b, 0x48b5478c, -0x063b61d6, 0x7003725b, 0x4f09cc7d, 0x26091abe, 0x373cad3a }
+    },
+    {
+        { -0x76224453, -0x0e415705, 0x61aeaecb, 0x3bcb2cbc, 0x1f9b8d9d, -0x70a75845, 0x5112a686, 0x21547eda },
+        { -0x7d360a84, -0x4d6b9cb3, 0x24934536, 0x1fcbfde1, 0x418cdb5a, -0x6163b24d, 0x454419fc, 0x0040f3d9 },
+        { -0x02a6792d, -0x210216c7, 0x510a380c, -0x0bd8d377, -0x44cee647, -0x48d45bf9, 0x4a254df4, 0x63550a33 }
+    },
+    {
+        { 0x72547b49, -0x6445a7bb, -0x1d3bf720, -0x0cfa3906, -0x38cb0e73, 0x60e8fa69, -0x55828986, 0x39a92baf },
+        { -0x4a9630c9, 0x6507d6ed, 0x0ca52ee1, 0x178429b0, -0x149429a3, -0x1583ff70, -0x250870af, 0x3eea62c7 },
+        { -0x196cd8b2, -0x62db38ed, 0x68dbd375, 0x5f638577, -0x14754c66, 0x70525560, 0x65c9c4cd, 0x68436a06 }
+    },
+    {
+        { -0x17dfef84, 0x1e56d317, -0x7bf5169b, -0x3ad997bc, 0x320ffc7a, -0x3e1f5e3a, -0x6e9eeb8e, 0x5373669c },
+        { 0x202f3f27, -0x43fdca18, 0x64f975b0, -0x38a3ff1e, -0x5c73dbea, -0x6e5b162b, -0x75487607, 0x17b6e7f6 },
+        { -0x65f1ada9, 0x5d2814ab, -0x36354c04, -0x6f70df7c, 0x5b2d1eca, -0x50350a78, 0x78f87d11, 0x1cb4b5a6 }
+    },
+    {
+        { -0x5d5ff819, 0x6b74aa62, -0x0f8e384f, -0x0cee1f50, 0x000be223, 0x5707e438, -0x7d109154, 0x2dc0fd2d },
+        { 0x394afc6c, -0x499b3f95, -0x6725a04f, 0x0c88de24, 0x4bcad834, 0x4f8d0316, -0x218bcb5e, 0x330bca78 },
+        { 0x1119744e, -0x67d1007c, 0x2b074724, -0x0696a16a, -0x4036ac05, -0x3a753eb1, 0x369f1cf5, 0x3c31be1b }
+    },
+    {
+        { -0x0634bd8e, -0x3e97436d, -0x38312468, -0x51478ee1, 0x34ac8d7a, 0x7f0e52aa, 0x7e7d55bb, 0x41cec109 },
+        { 0x08948aee, -0x4f0b79b3, -0x6e45e391, 0x07dc19ee, -0x59535ea8, 0x7975cdae, 0x4262d4bb, 0x330b6113 },
+        { -0x5d927f76, -0x0869e629, 0x1d9e156d, -0x44e02b62, -0x245e20d9, 0x73d7c36c, 0x1f28777d, 0x26b44cd9 }
+    },
+},
+{
+    {
+        { -0x4fd7a0c9, -0x50bb7bd3, 0x47efc8df, -0x78ace770, -0x07df6866, -0x6a8b1f6f, 0x69615579, 0x0e378d60 },
+        { 0x393aa6d8, 0x300a9035, -0x5ed44e33, 0x2b501131, -0x0f6c3dde, 0x7b1ff677, -0x3547d453, 0x4309c1f8 },
+        { -0x7cf8a5ab, -0x26056e8f, 0x6b009fdc, 0x4bdb5ad2, -0x29c210f2, 0x7829ad2c, 0x75fd3877, 0x078fc549 }
+    },
+    {
+        { -0x47cc5676, -0x1dffb4a5, 0x2d4c3330, 0x44775dec, 0x7eace913, 0x3aa24406, -0x2a71ff57, 0x272630e3 },
+        { 0x28878f2d, -0x782042ec, 0x1e9421a1, 0x134636dd, 0x257341a3, 0x4f17c951, -0x52d69348, 0x5df98d4b },
+        { -0x1336f4ac, -0x0c987030, 0x12043599, -0x0ffeba65, 0x3758b89b, 0x26725fbc, 0x73a719ae, 0x4325e4aa }
+    },
+    {
+        { -0x30960a63, -0x12db9d66, -0x22a5440c, 0x2a4a1cce, 0x56b2d67b, 0x3535ca1f, 0x43b1b42d, 0x5d8c68d0 },
+        { 0x433c3493, 0x657dc6ef, -0x7f24073d, 0x65375e9f, 0x5b372dae, 0x47fd2d46, 0x796e7947, 0x4966ab79 },
+        { -0x1c4bd4f6, -0x11ccd2b3, 0x16a4601c, -0x27b1a5d5, 0x078ba3e4, 0x78243877, 0x184ee437, 0x77ed1eb4 }
+    },
+    {
+        { -0x616d12e6, 0x185d43f8, -0x01b8e63a, -0x4fb5e116, -0x590fc0b1, 0x499fbe88, 0x3c859bdd, 0x5d8b0d2f },
+        { 0x201839a0, -0x402b1ec1, 0x3e3df161, -0x5110001e, 0x6b5d1fe3, -0x49a4fb10, 0x2b62fbc0, 0x52e085fb },
+        { -0x5ab30d46, 0x124079ea, 0x001b26e7, -0x28db9a15, -0x36850803, 0x6843bcfd, 0x55eacd02, 0x0524b42b }
+    },
+    {
+        { -0x647d6154, -0x43e72353, -0x4a0a8630, 0x23ae7d28, 0x69384233, -0x3cb9edd6, -0x182b5377, 0x1a6110b2 },
+        { -0x1babb850, -0x02f2a242, 0x092005ee, 0x6cec351a, 0x567579cb, -0x665b87bc, 0x16e7fa45, 0x59d242a2 },
+        { -0x19966854, 0x4f833f6a, 0x361839a4, 0x6849762a, -0x68f54adb, 0x6985dec1, -0x234e0aba, 0x53045e89 }
+    },
+    {
+        { -0x72ba01ee, -0x7b25c322, -0x1bbb1d2e, -0x42bd3de8, 0x1f7e3598, -0x57ae6988, 0x5616e2b2, 0x7642c93f },
+        { -0x28acac25, -0x34744cba, -0x51aee1de, -0x03034db5, -0x2af51911, -0x345b72c0, -0x0b0834a3, 0x26e3bae5 },
+        { 0x4595f8e4, 0x2323daa7, -0x7a85414c, -0x21977375, 0x1c59326e, 0x3fc48e96, 0x15c9b8ba, 0x0b2e73ca }
+    },
+    {
+        { 0x79c03a55, 0x0e3fbfaf, 0x4cbb5acf, 0x3077af05, -0x24c21c61, -0x2a3aadbb, 0x476a4af7, 0x015e68c1 },
+        { -0x3e80afda, -0x2944bbd8, -0x04a56359, -0x614d8ddd, 0x1919c644, -0x1c845afd, -0x4a6599fe, 0x21ce380d },
+        { 0x20066a38, -0x3e2ad7ae, 0x3570aef3, -0x6a9fc1ae, 0x226b8a4d, -0x7cd9a659, 0x1f8eedc9, 0x5dd68909 }
+    },
+    {
+        { -0x5acecf7c, 0x1d022591, -0x29d8f78e, -0x35d2b552, 0x2f0bfd20, -0x795ed47b, -0x528258b8, 0x56e6c439 },
+        { -0x402c37aa, -0x34537b22, -0x4ca00dbc, 0x1624c348, 0x5d9cad07, -0x48077236, -0x5d3d1418, 0x3b0e574d },
+        { 0x42bdbae6, -0x38fb00b7, -0x4d21e087, 0x5e21ade2, 0x5652fad8, -0x16a24c0d, -0x70f7143f, 0x0822b537 }
+    },
+},
+{
+    {
+        { 0x62730383, -0x1e480d6d, -0x143575d4, 0x4b5279ff, -0x402becec, -0x25038876, -0x638d9ef1, 0x7deb1014 },
+        { -0x70c78b8b, 0x51f04847, -0x634134c4, -0x4da2430c, -0x2660dfab, -0x6554edbc, 0x1c10a5d6, 0x2c709e6c },
+        { -0x78991186, -0x349d5096, 0x5553cd0e, 0x66cbec04, 0x0f0be4b5, 0x58800138, -0x09d31d16, 0x08e68e9f }
+    },
+    {
+        { 0x0ab8f2f9, 0x2f2d09d5, -0x3aa6dc21, -0x5346de73, 0x73766cb9, 0x4a8f3426, 0x38f719f5, 0x4cb13bd7 },
+        { 0x4bc130ad, 0x34ad500a, 0x3d0bd49c, -0x72c724b7, 0x500a89be, -0x5da3c268, -0x1145c4f7, 0x2f1f3f87 },
+        { -0x1aea49b6, -0x087b738b, -0x24b56fc8, -0x5a6afe46, 0x3f751b50, -0x3df2cec1, -0x3f51d118, 0x19a1e353 }
+    },
+    {
+        { -0x2a694243, -0x4bde8d33, -0x671103c0, -0x6c1fbabd, -0x4bbef64b, -0x604eacb9, 0x0266ae34, 0x736bd399 },
+        { -0x4505fa3d, 0x7d1c7560, -0x391aa19f, -0x4c1e5f60, -0x3f299b8d, -0x1cad68e8, -0x3df3cb7a, 0x41546b11 },
+        { -0x6ccb4c4c, -0x7aacd2b0, 0x60816573, 0x46fd114b, 0x425c8375, -0x33a0a0d0, -0x478054a4, 0x412295a2 }
+    },
+    {
+        { -0x1d6c153a, 0x2e655261, 0x2133acdb, -0x7ba56dfd, 0x7900996b, 0x460975cb, 0x195add80, 0x0760bb8d },
+        { -0x0a812917, 0x19c99b88, 0x6df8c825, 0x5393cb26, -0x4cf52d8d, 0x5cee3213, -0x4ad2d1cc, 0x14e153eb },
+        { -0x32197e76, 0x413e1a17, -0x12965f7c, 0x57156da9, 0x46caccb1, 0x2cbf268f, -0x3cc53a0e, 0x6b34be9b }
+    },
+    {
+        { 0x6571f2d3, 0x11fc6965, 0x530e737a, -0x393617bb, -0x2b01afcb, -0x1cc5185e, 0x2e6dd30b, 0x01b9c7b6 },
+        { 0x3a78c0b2, -0x0c20d09c, -0x0dd1fd84, 0x4c3e971e, 0x49c1b5a3, -0x1382e3a2, 0x0922dd2d, 0x2012c18f },
+        { 0x5ac89d29, -0x77f4aa1b, 0x45a0a763, 0x1483241f, -0x3d1893e1, 0x3d36efdf, 0x4e4bade8, 0x08af5b78 }
+    },
+    {
+        { -0x7633d3b5, -0x1d8ceb2e, -0x5d78e873, 0x4be4bd11, -0x05cc9b32, 0x18d528d6, -0x50267d92, 0x6423c1d5 },
+        { -0x77e0dacd, 0x283499dc, 0x779323b6, -0x62fada26, 0x673441f4, -0x76852205, 0x163a168d, 0x32b79d71 },
+        { -0x12034c96, -0x337a0727, 0x3746e5f9, 0x22bcc28f, -0x061a2c33, -0x1b621cc8, -0x3ec1d234, 0x480a5efb }
+    },
+    {
+        { 0x42ce221f, -0x499eb31c, 0x4c053928, 0x6e199dcc, -0x23e341fd, 0x663fb4a4, 0x691c8e06, 0x24b31d47 },
+        { 0x01622071, 0x0b51e70b, -0x74e2503b, 0x06b505cf, -0x10a55433, 0x2c6bb061, 0x0cb7bf31, 0x47aa2760 },
+        { -0x3fea073d, 0x2a541eed, 0x7c693f7c, 0x11a4fe7e, 0x4ea278d6, -0x0f5099ed, 0x14dda094, 0x545b585d }
+    },
+    {
+        { -0x1c4cde1f, 0x6204e4d0, 0x28ff1e95, 0x3baa637a, 0x5b99bd9e, 0x0b0ccffd, 0x64c8d071, 0x4d22dc3e },
+        { -0x5f2bc5f1, 0x67bf275e, 0x089beebe, -0x521971cc, -0x2b8618d2, 0x4289134c, 0x32ba5454, 0x0f62f9c3 },
+        { -0x29c4a0c7, -0x034b9a77, 0x57cbcf61, 0x5cae6a3f, -0x6ac505fb, -0x01453d2e, 0x36371436, 0x1c0fa01a }
+    },
+},
+{
+    {
+        { 0x54c53fae, -0x3ee11a18, 0x2b4f3ff4, 0x6a0b06c1, -0x1f49858e, 0x33540f80, -0x32f81c11, 0x15f18fc3 },
+        { -0x4383296e, -0x18ab8bb7, -0x1908c221, 0x0f9abeaa, 0x00837e29, 0x4af01ca7, 0x3f1bc183, 0x63ab1b5d },
+        { -0x4fd70b74, 0x32750763, 0x556a065f, 0x06020740, -0x3cb6a4a8, -0x2ac427ee, -0x79a0af73, 0x08706c9b }
+    },
+    {
+        { 0x38b41246, -0x3366e4bf, 0x6f9ac26b, 0x243b9c52, -0x48345443, -0x4610b6b3, -0x2f7d1300, 0x5fba433d },
+        { 0x3d343dff, -0x0c835d55, -0x7f5439e9, 0x1a8c6a2d, -0x2b330036, -0x71b61fcb, -0x455e2e47, 0x48b46bee },
+        { -0x366be530, -0x63b61cab, 0x74498f84, -0x468cb522, 0x66663e5c, 0x41c3fed0, -0x1718ef4d, 0x0ecfedf8 }
+    },
+    {
+        { -0x16bfc89e, 0x744f7463, -0x72033637, -0x08657212, 0x55e4cde3, 0x163a6496, -0x4d7b0bcb, 0x3b61788d },
+        { -0x632b8f27, 0x76430f9f, -0x5bd09ff8, -0x49d53365, 0x59adad5e, 0x1898297c, -0x4873af80, 0x7789dd2d },
+        { 0x0d6ef6b2, -0x4dddd7e7, 0x46ce4bfa, -0x56b5994e, 0x4f0b6cc7, 0x46c1a77a, -0x148cc731, 0x4236ccff }
+    },
+    {
+        { -0x2588820a, 0x3bd82dbf, 0x0b98369e, 0x71b177cc, -0x7af3c967, 0x1d0e8463, 0x48e2d1f1, 0x5a71945b },
+        { 0x0d55e274, -0x7b68bfb3, -0x3b52d4ad, 0x6c6663d9, -0x5256a8cc, -0x13d04f27, -0x324708c4, 0x2617e120 },
+        { 0x405b4b42, 0x6f203dd5, 0x10b24509, 0x327ec604, -0x53d577ba, -0x63cb8dd0, 0x11ffeb6a, 0x77de29fc }
+    },
+    {
+        { -0x13312d36, -0x7ca1ec71, -0x1569c466, -0x736150ed, -0x4de9f15a, -0x36a04040, -0x5278876e, 0x575e66f3 },
+        { -0x7c488758, -0x4f53a837, -0x28016ed4, 0x53cdcca9, -0x00e0a624, 0x61c2b854, -0x0f218254, 0x3a1a2cf0 },
+        { -0x377034c6, -0x667fc5d9, 0x275ec0b0, 0x345a6789, -0x0093d41b, 0x459789d0, 0x1e70a8b2, 0x62f88265 }
+    },
+    {
+        { 0x698a19e0, 0x6d822986, 0x74d78a71, -0x2367de1f, -0x0934e0b9, 0x41a85f31, -0x432563af, 0x352721c2 },
+        { 0x59ff1be4, 0x085ae2c7, 0x3b0e40b7, 0x149145c9, 0x7ff27379, -0x3b981806, -0x2a38c56b, 0x4eeecf0a },
+        { 0x213fc985, 0x48329952, 0x368a1746, 0x1087cf0d, 0x66c15aa5, -0x71ad9e4f, 0x2ed24c21, 0x2d5b2d84 }
+    },
+    {
+        { 0x196ac533, 0x5eb7d13d, -0x247f41d5, 0x377234ec, 0x7cf5ae24, -0x1ebb3004, -0x3bbe5314, 0x5226bcf9 },
+        { -0x142c212f, 0x02cfebd9, 0x39021974, -0x2ba4de89, -0x01cf5e49, 0x7576f813, -0x5cb1093e, 0x5691b6f9 },
+        { 0x23e5b547, 0x79ee6c72, -0x7ccf2987, 0x6f5f5076, 0x6d8adce9, -0x128c1e17, 0x1d8ccc03, 0x27c3da1e }
+    },
+    {
+        { 0x630ef9f6, 0x28302e71, 0x2b64cee0, -0x3d2b5dfd, 0x4b6292be, 0x09082030, -0x57d520e8, 0x5fca747a },
+        { 0x3fe24c74, 0x7eb9efb2, 0x1651be01, 0x3e50f49f, 0x21858dea, 0x3ea732dc, 0x5bb810f9, 0x17377bd7 },
+        { 0x5c258ea5, 0x232a03c3, 0x6bcb0cf1, -0x790dc5d4, 0x2e442166, 0x3dad8d0d, -0x548979d5, 0x04a8933c }
+    },
+},
+{
+    {
+        { -0x736c95b0, 0x69082b0e, -0x3e253a4a, -0x06365fcb, -0x3b2049cc, 0x6fb73e54, 0x1d2bc140, 0x4005419b },
+        { 0x22943dff, -0x2d39fb4a, 0x44cfb3a0, -0x43734132, -0x687f7988, 0x5d254ff3, 0x3b1ca6bf, 0x0fa3614f },
+        { -0x46417d10, -0x5ffc0143, 0x3a44ac90, 0x2089c1af, 0x1954fa8e, -0x07b6606f, -0x10bf54be, 0x1fba218a }
+    },
+    {
+        { 0x3e7b0194, 0x4f3e5704, 0x08daaf7f, -0x57e2c112, -0x6623210f, -0x37c63955, -0x00889e2b, 0x6c535d13 },
+        { -0x05370ac2, -0x54ab6bb8, 0x7ba63741, -0x7e091766, 0x6c2b5e01, 0x74fd6c7d, -0x573791be, 0x392e3aca },
+        { 0x3e8a35af, 0x4cbd34e9, 0x5887e816, 0x2e078144, -0x0d654f55, 0x19319c76, -0x2af53ec5, 0x25e17fe4 }
+    },
+    {
+        { 0x76f121a7, -0x6ea0800b, 0x2fcd87e3, -0x3cb5cdd9, 0x4d1be526, -0x3345d022, -0x76967665, 0x6bba828f },
+        { 0x1e04f676, 0x0a289bd7, -0x29bdf06b, 0x208e1c52, 0x34691fab, 0x5186d8b0, 0x2a9fb351, 0x25575144 },
+        { -0x6f01c6ff, -0x1d2e439a, -0x5f66852b, 0x4cb54a18, -0x507b9f2c, -0x68e296ec, 0x7f6b7be4, 0x559d504f }
+    },
+    {
+        { -0x092d9903, -0x63b76e19, 0x0307781b, 0x0744a19b, 0x6061e23b, -0x77c770e3, 0x354bd50e, 0x123ea6a3 },
+        { -0x4c14ab2b, -0x588c7c88, -0x5aaac384, 0x1d69d366, -0x06d7ff46, 0x0a26cf62, -0x7f81cde9, 0x01ab12d5 },
+        { 0x41e32d96, 0x118d1890, -0x27cea7b8, -0x46121c3e, -0x27cdba27, 0x1eab4271, -0x36e75eac, 0x4a3961e2 }
+    },
+    {
+        { -0x0cdcc0e2, 0x0327d644, 0x34fcf016, 0x499a260e, -0x0d254687, -0x7c4a58ea, -0x642beee1, 0x68aceead },
+        { -0x07194460, 0x71dc3be0, 0x7effe30a, -0x293107cc, -0x1ec5b896, -0x566dbda1, -0x04e2489d, 0x2cd6bce3 },
+        { -0x0c283df0, 0x38b4c90e, -0x4852fbf4, 0x308e6e24, -0x4818c1dd, 0x3860d9f1, -0x4af70a69, 0x595760d5 }
+    },
+    {
+        { -0x02fdd870, -0x77d53415, -0x3beea8a0, -0x7650ccfb, 0x7d3473f4, 0x65f492e3, 0x54515a2b, 0x2cb2c5df },
+        { 0x04aa6397, 0x6129bfe1, -0x5b580335, -0x7069fff8, 0x7d909458, 0x3f8bc089, -0x234d6e57, 0x709fa43e },
+        { 0x63fd2aca, -0x14f5a274, 0x2e694eff, -0x2dd43e9a, -0x07344fc6, 0x2723f36e, -0x0f37ece1, 0x70f029ec }
+    },
+    {
+        { 0x5e10b0b9, 0x2a6aafaa, -0x10fbe557, 0x78f0a370, -0x55c529e1, 0x773efb77, -0x58b4261f, 0x44eca5a2 },
+        { 0x2eed3e33, 0x461307b3, -0x5baa7e19, -0x51fbd0cd, 0x195f0366, -0x36bbb62d, 0x6c314858, 0x0b7d5d8a },
+        { 0x7b95d543, 0x25d44832, -0x5ccbf0e3, 0x70d38300, 0x60e1c52b, -0x21e3ace4, 0x2c7de9e4, 0x27222451 }
+    },
+    {
+        { 0x42a975fc, -0x40844476, -0x69525ca8, -0x73a3c689, -0x321255b8, -0x1d803891, -0x0943df5a, 0x19735fd7 },
+        { 0x49c5342e, 0x1abc92af, -0x4d190530, -0x001127ef, -0x0337b1d7, -0x105d7373, -0x5bb33abd, 0x11b5df18 },
+        { 0x42c84266, -0x1c546f30, 0x7f19547e, -0x147b71f1, 0x65a497b9, 0x2503a1d0, -0x6e2076a1, 0x0fef9111 }
+    },
+},
+{
+    {
+        { 0x5b1c16b7, 0x6ab5dcb8, 0x3c7b27a5, -0x6b3f0318, 0x735517be, -0x5b4ee3e6, -0x45f15056, 0x499238d0 },
+        { -0x54e39147, -0x4eaf835f, 0x16b687b3, -0x42bb70c2, 0x2c7a91ab, 0x3455fb7f, 0x2f2adec1, 0x7579229e },
+        { 0x7aba8b57, -0x130b91ae, -0x742e9b85, 0x15a08c47, 0x5f706fef, 0x7af1c6a6, -0x0fc5cf2b, 0x6345fa78 }
+    },
+    {
+        { -0x42270f5c, -0x6c2c3417, -0x02e88cfe, -0x24ead3e5, 0x7f17a875, 0x7dbddc6d, -0x70bd9102, 0x3e1a71cc },
+        { 0x1015e7a1, -0x20fd06a1, -0x564bfd9d, 0x790ec41d, 0x33ea1107, 0x4d3a0ea1, -0x1cc50737, 0x54f70be7 },
+        { -0x6f45429e, -0x37c35c1d, 0x0291c833, -0x7f121c99, -0x2c86ff3c, -0x377fc734, 0x1ec31fa1, 0x2c5fc023 }
+    },
+    {
+        { 0x02456e65, -0x3bdd1b2f, -0x352b846f, -0x78beb53f, -0x5d490023, 0x1592e2bb, -0x0a3deff1, 0x75d9d2bf },
+        { 0x17038b4f, -0x01456ee9, -0x3621107f, -0x1aedc8df, 0x5d0d8834, 0x1c97e4e7, 0x23dc3bc6, 0x68afae7a },
+        { 0x3626e81c, 0x5bd9b476, -0x435fd123, -0x766996ca, 0x61f077b3, 0x0a41193d, 0x00ce5471, 0x3097a242 }
+    },
+    {
+        { 0x6695c486, -0x5e9d18dc, 0x35a89607, 0x131d6334, -0x5f2ed5c9, 0x30521561, -0x59504c9d, 0x56704bad },
+        { -0x380747b4, 0x57427734, 0x01b270e9, -0x0ebe5ec2, -0x4b1a9b5a, 0x02d1adfe, -0x317c42b8, 0x4bb23d92 },
+        { 0x52f912b9, -0x5093b559, -0x27988f38, 0x5e665f6c, -0x5c3732a8, 0x4c35ac83, 0x10a58a7e, 0x2b7a29c0 }
+    },
+    {
+        { -0x40fff792, 0x33810a23, -0x18c90084, -0x50316da2, -0x1db6dd2c, 0x3d60e670, 0x4f96061b, 0x11ce9e71 },
+        { -0x2f3e313d, -0x3bff8089, -0x453b6d08, -0x72efdf4a, 0x7e69daaf, 0x32ec29d5, -0x626a0320, 0x59940875 },
+        { -0x27ea453f, 0x219ef713, 0x485be25c, -0x0ebeb9a3, 0x4e513c51, 0x6d5447cc, 0x5ef44393, 0x174926be }
+    },
+    {
+        { -0x6c15fdd2, 0x3ef5d415, 0x0ed0eed6, 0x5cbcc1a2, 0x07382c8c, -0x702db131, 0x06d8e1ad, 0x6fa42ead },
+        { -0x03a42a45, -0x4a214d07, -0x1e27ef1f, -0x6d2558d6, -0x48d5e3a7, -0x503b3024, 0x3fc22a24, 0x497d7881 },
+        { 0x1f73371f, -0x1d897db6, 0x4f5b6736, 0x7f7cf01c, 0x04fa46e7, 0x7e201fe3, 0x57808c96, 0x785a36a3 }
+    },
+    {
+        { 0x5d517bc3, 0x07044298, -0x519ac988, 0x6acd56c7, -0x67a5889d, 0x00a27983, -0x1aed99d5, 0x5167effa },
+        { 0x63014d2b, -0x7da04203, 0x6ca7578b, -0x37adc964, 0x5c0b5df0, 0x5b2fcd28, 0x58048c8f, 0x12ab214c },
+        { 0x0f53c4b6, -0x42b1561f, -0x7536e5ec, 0x1673dc5f, 0x2acc1aba, -0x5707e5b2, 0x24332a25, 0x33a92a79 }
+    },
+    {
+        { 0x218f2ada, 0x7ba95ba0, 0x330fb9ca, -0x300bdd79, 0x56c6d907, -0x2525b693, -0x0b4111ac, 0x5380c296 },
+        { 0x27996c02, -0x622e0b67, -0x1fb2e8ae, 0x0cb3b058, 0x7fd02c3e, 0x1f7e8896, -0x3474c14f, 0x2f964268 },
+        { 0x66898d0a, -0x62b0d8fc, 0x0aff3f7a, 0x3d098799, 0x67daba45, -0x2f610c9e, 0x7b1c669c, 0x7761455e }
+    },
+},
+};
+#elif defined(CURVED25519_128BIT)
+static const ge_precomp base[32][8] = {
+{
+    {
+        { 0x493c6f58c3b85, 0x0df7181c325f7, 0x0f50b0b3e4cb7, 0x5329385a44c32, 0x07cf9d3a33d4b },
+        { 0x03905d740913e, 0x0ba2817d673a2, 0x23e2827f4e67c, 0x133d2e0c21a34, 0x44fd2f9298f81 },
+        { 0x11205877aaa68, 0x479955893d579, 0x50d66309b67a0, 0x2d42d0dbee5ee, 0x6f117b689f0c6 },
+    },
+    {
+        { 0x4e7fc933c71d7, 0x2cf41feb6b244, 0x7581c0a7d1a76, 0x7172d534d32f0, 0x590c063fa87d2 },
+        { 0x1a56042b4d5a8, 0x189cc159ed153, 0x5b8deaa3cae04, 0x2aaf04f11b5d8, 0x6bb595a669c92 },
+        { 0x2a8b3a59b7a5f, 0x3abb359ef087f, 0x4f5a8c4db05af, 0x5b9a807d04205, 0x701af5b13ea50 },
+    },
+    {
+        { 0x5b0a84cee9730, 0x61d10c97155e4, 0x4059cc8096a10, 0x47a608da8014f, 0x7a164e1b9a80f },
+        { 0x11fe8a4fcd265, 0x7bcb8374faacc, 0x52f5af4ef4d4f, 0x5314098f98d10, 0x2ab91587555bd },
+        { 0x6933f0dd0d889, 0x44386bb4c4295, 0x3cb6d3162508c, 0x26368b872a2c6, 0x5a2826af12b9b },
+    },
+    {
+        { 0x351b98efc099f, 0x68fbfa4a7050e, 0x42a49959d971b, 0x393e51a469efd, 0x680e910321e58 },
+        { 0x6050a056818bf, 0x62acc1f5532bf, 0x28141ccc9fa25, 0x24d61f471e683, 0x27933f4c7445a },
+        { 0x3fbe9c476ff09, 0x0af6b982e4b42, 0x0ad1251ba78e5, 0x715aeedee7c88, 0x7f9d0cbf63553 },
+    },
+    {
+        { 0x2bc4408a5bb33, 0x078ebdda05442, 0x2ffb112354123, 0x375ee8df5862d, 0x2945ccf146e20 },
+        { 0x182c3a447d6ba, 0x22964e536eff2, 0x192821f540053, 0x2f9f19e788e5c, 0x154a7e73eb1b5 },
+        { 0x3dbf1812a8285, 0x0fa17ba3f9797, 0x6f69cb49c3820, 0x34d5a0db3858d, 0x43aabe696b3bb },
+    },
+    {
+        { 0x4eeeb77157131, 0x1201915f10741, 0x1669cda6c9c56, 0x45ec032db346d, 0x51e57bb6a2cc3 },
+        { 0x006b67b7d8ca4, 0x084fa44e72933, 0x1154ee55d6f8a, 0x4425d842e7390, 0x38b64c41ae417 },
+        { 0x4326702ea4b71, 0x06834376030b5, 0x0ef0512f9c380, 0x0f1a9f2512584, 0x10b8e91a9f0d6 },
+    },
+    {
+        { 0x25cd0944ea3bf, 0x75673b81a4d63, 0x150b925d1c0d4, 0x13f38d9294114, 0x461bea69283c9 },
+        { 0x72c9aaa3221b1, 0x267774474f74d, 0x064b0e9b28085, 0x3f04ef53b27c9, 0x1d6edd5d2e531 },
+        { 0x36dc801b8b3a2, 0x0e0a7d4935e30, 0x1deb7cecc0d7d, 0x053a94e20dd2c, 0x7a9fbb1c6a0f9 },
+    },
+    {
+        { 0x7596604dd3e8f, 0x6fc510e058b36, 0x3670c8db2cc0d, 0x297d899ce332f, 0x0915e76061bce },
+        { 0x75dedf39234d9, 0x01c36ab1f3c54, 0x0f08fee58f5da, 0x0e19613a0d637, 0x3a9024a1320e0 },
+        { 0x1f5d9c9a2911a, 0x7117994fafcf8, 0x2d8a8cae28dc5, 0x74ab1b2090c87, 0x26907c5c2ecc4 },
+    },
+},
+{
+    {
+        { 0x4dd0e632f9c1d, 0x2ced12622a5d9, 0x18de9614742da, 0x79ca96fdbb5d4, 0x6dd37d49a00ee },
+        { 0x3635449aa515e, 0x3e178d0475dab, 0x50b4712a19712, 0x2dcc2860ff4ad, 0x30d76d6f03d31 },
+        { 0x444172106e4c7, 0x01251afed2d88, 0x534fc9bed4f5a, 0x5d85a39cf5234, 0x10c697112e864 },
+    },
+    {
+        { 0x62aa08358c805, 0x46f440848e194, 0x447b771a8f52b, 0x377ba3269d31d, 0x03bf9baf55080 },
+        { 0x3c4277dbe5fde, 0x5a335afd44c92, 0x0c1164099753e, 0x70487006fe423, 0x25e61cabed66f },
+        { 0x3e128cc586604, 0x5968b2e8fc7e2, 0x049a3d5bd61cf, 0x116505b1ef6e6, 0x566d78634586e },
+    },
+    {
+        { 0x54285c65a2fd0, 0x55e62ccf87420, 0x46bb961b19044, 0x1153405712039, 0x14fba5f34793b },
+        { 0x7a49f9cc10834, 0x2b513788a22c6, 0x5ff4b6ef2395b, 0x2ec8e5af607bf, 0x33975bca5ecc3 },
+        { 0x746166985f7d4, 0x09939000ae79a, 0x5844c7964f97a, 0x13617e1f95b3d, 0x14829cea83fc5 },
+    },
+    {
+        { 0x70b2f4e71ecb8, 0x728148efc643c, 0x0753e03995b76, 0x5bf5fb2ab6767, 0x05fc3bc4535d7 },
+        { 0x37b8497dd95c2, 0x61549d6b4ffe8, 0x217a22db1d138, 0x0b9cf062eb09e, 0x2fd9c71e5f758 },
+        { 0x0b3ae52afdedd, 0x19da76619e497, 0x6fa0654d2558e, 0x78219d25e41d4, 0x373767475c651 },
+    },
+    {
+        { 0x095cb14246590, 0x002d82aa6ac68, 0x442f183bc4851, 0x6464f1c0a0644, 0x6bf5905730907 },
+        { 0x299fd40d1add9, 0x5f2de9a04e5f7, 0x7c0eebacc1c59, 0x4cca1b1f8290a, 0x1fbea56c3b18f },
+        { 0x778f1e1415b8a, 0x6f75874efc1f4, 0x28a694019027f, 0x52b37a96bdc4d, 0x02521cf67a635 },
+    },
+    {
+        { 0x46720772f5ee4, 0x632c0f359d622, 0x2b2092ba3e252, 0x662257c112680, 0x001753d9f7cd6 },
+        { 0x7ee0b0a9d5294, 0x381fbeb4cca27, 0x7841f3a3e639d, 0x676ea30c3445f, 0x3fa00a7e71382 },
+        { 0x1232d963ddb34, 0x35692e70b078d, 0x247ca14777a1f, 0x6db556be8fcd0, 0x12b5fe2fa048e },
+    },
+    {
+        { 0x37c26ad6f1e92, 0x46a0971227be5, 0x4722f0d2d9b4c, 0x3dc46204ee03a, 0x6f7e93c20796c },
+        { 0x0fbc496fce34d, 0x575be6b7dae3e, 0x4a31585cee609, 0x037e9023930ff, 0x749b76f96fb12 },
+        { 0x2f604aea6ae05, 0x637dc939323eb, 0x3fdad9b048d47, 0x0a8b0d4045af7, 0x0fcec10f01e02 },
+    },
+    {
+        { 0x2d29dc4244e45, 0x6927b1bc147be, 0x0308534ac0839, 0x4853664033f41, 0x413779166feab },
+        { 0x558a649fe1e44, 0x44635aeefcc89, 0x1ff434887f2ba, 0x0f981220e2d44, 0x4901aa7183c51 },
+        { 0x1b7548c1af8f0, 0x7848c53368116, 0x01b64e7383de9, 0x109fbb0587c8f, 0x41bb887b726d1 },
+    },
+},
+{
+    {
+        { 0x34c597c6691ae, 0x7a150b6990fc4, 0x52beb9d922274, 0x70eed7164861a, 0x0a871e070c6a9 },
+        { 0x07d44744346be, 0x282b6a564a81d, 0x4ed80f875236b, 0x6fbbe1d450c50, 0x4eb728c12fcdb },
+        { 0x1b5994bbc8989, 0x74b7ba84c0660, 0x75678f1cdaeb8, 0x23206b0d6f10c, 0x3ee7300f2685d },
+    },
+    {
+        { 0x27947841e7518, 0x32c7388dae87f, 0x414add3971be9, 0x01850832f0ef1, 0x7d47c6a2cfb89 },
+        { 0x255e49e7dd6b7, 0x38c2163d59eba, 0x3861f2a005845, 0x2e11e4ccbaec9, 0x1381576297912 },
+        { 0x2d0148ef0d6e0, 0x3522a8de787fb, 0x2ee055e74f9d2, 0x64038f6310813, 0x148cf58d34c9e },
+    },
+    {
+        { 0x72f7d9ae4756d, 0x7711e690ffc4a, 0x582a2355b0d16, 0x0dccfe885b6b4, 0x278febad4eaea },
+        { 0x492f67934f027, 0x7ded0815528d4, 0x58461511a6612, 0x5ea2e50de1544, 0x3ff2fa1ebd5db },
+        { 0x2681f8c933966, 0x3840521931635, 0x674f14a308652, 0x3bd9c88a94890, 0x4104dd02fe9c6 },
+    },
+    {
+        { 0x14e06db096ab8, 0x1219c89e6b024, 0x278abd486a2db, 0x240b292609520, 0x0165b5a48efca },
+        { 0x2bf5e1124422a, 0x673146756ae56, 0x14ad99a87e830, 0x1eaca65b080fd, 0x2c863b00afaf5 },
+        { 0x0a474a0846a76, 0x099a5ef981e32, 0x2a8ae3c4bbfe6, 0x45c34af14832c, 0x591b67d9bffec },
+    },
+    {
+        { 0x1b3719f18b55d, 0x754318c83d337, 0x27c17b7919797, 0x145b084089b61, 0x489b4f8670301 },
+        { 0x70d1c80b49bfa, 0x3d57e7d914625, 0x3c0722165e545, 0x5e5b93819e04f, 0x3de02ec7ca8f7 },
+        { 0x2102d3aeb92ef, 0x68c22d50c3a46, 0x42ea89385894e, 0x75f9ebf55f38c, 0x49f5fbba496cb },
+    },
+    {
+        { 0x5628c1e9c572e, 0x598b108e822ab, 0x55d8fae29361a, 0x0adc8d1a97b28, 0x06a1a6c288675 },
+        { 0x49a108a5bcfd4, 0x6178c8e7d6612, 0x1f03473710375, 0x73a49614a6098, 0x5604a86dcbfa6 },
+        { 0x0d1d47c1764b6, 0x01c08316a2e51, 0x2b3db45c95045, 0x1634f818d300c, 0x20989e89fe274 },
+    },
+    {
+        { 0x4278b85eaec2e, 0x0ef59657be2ce, 0x72fd169588770, 0x2e9b205260b30, 0x730b9950f7059 },
+        { 0x777fd3a2dcc7f, 0x594a9fb124932, 0x01f8e80ca15f0, 0x714d13cec3269, 0x0403ed1d0ca67 },
+        { 0x32d35874ec552, 0x1f3048df1b929, 0x300d73b179b23, 0x6e67be5a37d0b, 0x5bd7454308303 },
+    },
+    {
+        { 0x4932115e7792a, 0x457b9bbb930b8, 0x68f5d8b193226, 0x4164e8f1ed456, 0x5bb7db123067f },
+        { 0x2d19528b24cc2, 0x4ac66b8302ff3, 0x701c8d9fdad51, 0x6c1b35c5b3727, 0x133a78007380a },
+        { 0x1f467c6ca62be, 0x2c4232a5dc12c, 0x7551dc013b087, 0x0690c11b03bcd, 0x740dca6d58f0e },
+    },
+},
+{
+    {
+        { 0x28c570478433c, 0x1d8502873a463, 0x7641e7eded49c, 0x1ecedd54cf571, 0x2c03f5256c2b0 },
+        { 0x0ee0752cfce4e, 0x660dd8116fbe9, 0x55167130fffeb, 0x1c682b885955c, 0x161d25fa963ea },
+        { 0x718757b53a47d, 0x619e18b0f2f21, 0x5fbdfe4c1ec04, 0x5d798c81ebb92, 0x699468bdbd96b },
+    },
+    {
+        { 0x53de66aa91948, 0x045f81a599b1b, 0x3f7a8bd214193, 0x71d4da412331a, 0x293e1c4e6c4a2 },
+        { 0x72f46f4dafecf, 0x2948ffadef7a3, 0x11ecdfdf3bc04, 0x3c2e98ffeed25, 0x525219a473905 },
+        { 0x6134b925112e1, 0x6bb942bb406ed, 0x070c445c0dde2, 0x411d822c4d7a3, 0x5b605c447f032 },
+    },
+    {
+        { 0x1fec6f0e7f04c, 0x3cebc692c477d, 0x077986a19a95e, 0x6eaaaa1778b0f, 0x2f12fef4cc5ab },
+        { 0x5805920c47c89, 0x1924771f9972c, 0x38bbddf9fc040, 0x1f7000092b281, 0x24a76dcea8aeb },
+        { 0x522b2dfc0c740, 0x7e8193480e148, 0x33fd9a04341b9, 0x3c863678a20bc, 0x5e607b2518a43 },
+    },
+    {
+        { 0x4431ca596cf14, 0x015da7c801405, 0x03c9b6f8f10b5, 0x0346922934017, 0x201f33139e457 },
+        { 0x31d8f6cdf1818, 0x1f86c4b144b16, 0x39875b8d73e9d, 0x2fbf0d9ffa7b3, 0x5067acab6ccdd },
+        { 0x27f6b08039d51, 0x4802f8000dfaa, 0x09692a062c525, 0x1baea91075817, 0x397cba8862460 },
+    },
+    {
+        { 0x5c3fbc81379e7, 0x41bbc255e2f02, 0x6a3f756998650, 0x1297fd4e07c42, 0x771b4022c1e1c },
+        { 0x13093f05959b2, 0x1bd352f2ec618, 0x075789b88ea86, 0x61d1117ea48b9, 0x2339d320766e6 },
+        { 0x5d986513a2fa7, 0x63f3a99e11b0f, 0x28a0ecfd6b26d, 0x53b6835e18d8f, 0x331a189219971 },
+    },
+    {
+        { 0x12f3a9d7572af, 0x10d00e953c4ca, 0x603df116f2f8a, 0x33dc276e0e088, 0x1ac9619ff649a },
+        { 0x66f45fb4f80c6, 0x3cc38eeb9fea2, 0x107647270db1f, 0x710f1ea740dc8, 0x31167c6b83bdf },
+        { 0x33842524b1068, 0x77dd39d30fe45, 0x189432141a0d0, 0x088fe4eb8c225, 0x612436341f08b },
+    },
+    {
+        { 0x349e31a2d2638, 0x0137a7fa6b16c, 0x681ae92777edc, 0x222bfc5f8dc51, 0x1522aa3178d90 },
+        { 0x541db874e898d, 0x62d80fb841b33, 0x03e6ef027fa97, 0x7a03c9e9633e8, 0x46ebe2309e5ef },
+        { 0x02f5369614938, 0x356e5ada20587, 0x11bc89f6bf902, 0x036746419c8db, 0x45fe70f505243 },
+    },
+    {
+        { 0x24920c8951491, 0x107ec61944c5e, 0x72752e017c01f, 0x122b7dda2e97a, 0x16619f6db57a2 },
+        { 0x075a6960c0b8c, 0x6dde1c5e41b49, 0x42e3f516da341, 0x16a03fda8e79e, 0x428d1623a0e39 },
+        { 0x74a4401a308fd, 0x06ed4b9558109, 0x746f1f6a08867, 0x4636f5c6f2321, 0x1d81592d60bd3 },
+    },
+},
+{
+    {
+        { 0x5b69f7b85c5e8, 0x17a2d175650ec, 0x4cc3e6dbfc19e, 0x73e1d3873be0e, 0x3a5f6d51b0af8 },
+        { 0x68756a60dac5f, 0x55d757b8aec26, 0x3383df45f80bd, 0x6783f8c9f96a6, 0x20234a7789ecd },
+        { 0x20db67178b252, 0x73aa3da2c0eda, 0x79045c01c70d3, 0x1b37b15251059, 0x7cd682353cffe },
+    },
+    {
+        { 0x5cd6068acf4f3, 0x3079afc7a74cc, 0x58097650b64b4, 0x47fabac9c4e99, 0x3ef0253b2b2cd },
+        { 0x1a45bd887fab6, 0x65748076dc17c, 0x5b98000aa11a8, 0x4a1ecc9080974, 0x2838c8863bdc0 },
+        { 0x3b0cf4a465030, 0x022b8aef57a2d, 0x2ad0677e925ad, 0x4094167d7457a, 0x21dcb8a606a82 },
+    },
+    {
+        { 0x500fabe7731ba, 0x7cc53c3113351, 0x7cf65fe080d81, 0x3c5d966011ba1, 0x5d840dbf6c6f6 },
+        { 0x004468c9d9fc8, 0x5da8554796b8c, 0x3b8be70950025, 0x6d5892da6a609, 0x0bc3d08194a31 },
+        { 0x6380d309fe18b, 0x4d73c2cb8ee0d, 0x6b882adbac0b6, 0x36eabdddd4cbe, 0x3a4276232ac19 },
+    },
+    {
+        { 0x0c172db447ecb, 0x3f8c505b7a77f, 0x6a857f97f3f10, 0x4fcc0567fe03a, 0x0770c9e824e1a },
+        { 0x2432c8a7084fa, 0x47bf73ca8a968, 0x1639176262867, 0x5e8df4f8010ce, 0x1ff177cea16de },
+        { 0x1d99a45b5b5fd, 0x523674f2499ec, 0x0f8fa26182613, 0x58f7398048c98, 0x39f264fd41500 },
+    },
+    {
+        { 0x34aabfe097be1, 0x43bfc03253a33, 0x29bc7fe91b7f3, 0x0a761e4844a16, 0x65c621272c35f },
+        { 0x53417dbe7e29c, 0x54573827394f5, 0x565eea6f650dd, 0x42050748dc749, 0x1712d73468889 },
+        { 0x389f8ce3193dd, 0x2d424b8177ce5, 0x073fa0d3440cd, 0x139020cd49e97, 0x22f9800ab19ce },
+    },
+    {
+        { 0x29fdd9a6efdac, 0x7c694a9282840, 0x6f7cdeee44b3a, 0x55a3207b25cc3, 0x4171a4d38598c },
+        { 0x2368a3e9ef8cb, 0x454aa08e2ac0b, 0x490923f8fa700, 0x372aa9ea4582f, 0x13f416cd64762 },
+        { 0x758aa99c94c8c, 0x5f6001700ff44, 0x7694e488c01bd, 0x0d5fde948eed6, 0x508214fa574bd },
+    },
+    {
+        { 0x215bb53d003d6, 0x1179e792ca8c3, 0x1a0e96ac840a2, 0x22393e2bb3ab6, 0x3a7758a4c86cb },
+        { 0x269153ed6fe4b, 0x72a23aef89840, 0x052be5299699c, 0x3a5e5ef132316, 0x22f960ec6faba },
+        { 0x111f693ae5076, 0x3e3bfaa94ca90, 0x445799476b887, 0x24a0912464879, 0x5d9fd15f8de7f },
+    },
+    {
+        { 0x44d2aeed7521e, 0x50865d2c2a7e4, 0x2705b5238ea40, 0x46c70b25d3b97, 0x3bc187fa47eb9 },
+        { 0x408d36d63727f, 0x5faf8f6a66062, 0x2bb892da8de6b, 0x769d4f0c7e2e6, 0x332f35914f8fb },
+        { 0x70115ea86c20c, 0x16d88da24ada8, 0x1980622662adf, 0x501ebbc195a9d, 0x450d81ce906fb },
+    },
+},
+{
+    {
+        { 0x4d8961cae743f, 0x6bdc38c7dba0e, 0x7d3b4a7e1b463, 0x0844bdee2adf3, 0x4cbad279663ab },
+        { 0x3b6a1a6205275, 0x2e82791d06dcf, 0x23d72caa93c87, 0x5f0b7ab68aaf4, 0x2de25d4ba6345 },
+        { 0x19024a0d71fcd, 0x15f65115f101a, 0x4e99067149708, 0x119d8d1cba5af, 0x7d7fbcefe2007 },
+    },
+    {
+        { 0x45dc5f3c29094, 0x3455220b579af, 0x070c1631e068a, 0x26bc0630e9b21, 0x4f9cd196dcd8d },
+        { 0x71e6a266b2801, 0x09aae73e2df5d, 0x40dd8b219b1a3, 0x546fb4517de0d, 0x5975435e87b75 },
+        { 0x297d86a7b3768, 0x4835a2f4c6332, 0x070305f434160, 0x183dd014e56ae, 0x7ccdd084387a0 },
+    },
+    {
+        { 0x484186760cc93, 0x7435665533361, 0x02f686336b801, 0x5225446f64331, 0x3593ca848190c },
+        { 0x6422c6d260417, 0x212904817bb94, 0x5a319deb854f5, 0x7a9d4e060da7d, 0x428bd0ed61d0c },
+        { 0x3189a5e849aa7, 0x6acbb1f59b242, 0x7f6ef4753630c, 0x1f346292a2da9, 0x27398308da2d6 },
+    },
+    {
+        { 0x10e4c0a702453, 0x4daafa37bd734, 0x49f6bdc3e8961, 0x1feffdcecdae6, 0x572c2945492c3 },
+        { 0x38d28435ed413, 0x4064f19992858, 0x7680fbef543cd, 0x1aadd83d58d3c, 0x269597aebe8c3 },
+        { 0x7c745d6cd30be, 0x27c7755df78ef, 0x1776833937fa3, 0x5405116441855, 0x7f985498c05bc },
+    },
+    {
+        { 0x615520fbf6363, 0x0b9e9bf74da6a, 0x4fe8308201169, 0x173f76127de43, 0x30f2653cd69b1 },
+        { 0x1ce889f0be117, 0x36f6a94510709, 0x7f248720016b4, 0x1821ed1e1cf91, 0x76c2ec470a31f },
+        { 0x0c938aac10c85, 0x41b64ed797141, 0x1beb1c1185e6d, 0x1ed5490600f07, 0x2f1273f159647 },
+    },
+    {
+        { 0x08bd755a70bc0, 0x49e3a885ce609, 0x16585881b5ad6, 0x3c27568d34f5e, 0x38ac1997edc5f },
+        { 0x1fc7c8ae01e11, 0x2094d5573e8e7, 0x5ca3cbbf549d2, 0x4f920ecc54143, 0x5d9e572ad85b6 },
+        { 0x6b517a751b13b, 0x0cfd370b180cc, 0x5377925d1f41a, 0x34e56566008a2, 0x22dfcd9cbfe9e },
+    },
+    {
+        { 0x459b4103be0a1, 0x59a4b3f2d2add, 0x7d734c8bb8eeb, 0x2393cbe594a09, 0x0fe9877824cde },
+        { 0x3d2e0c30d0cd9, 0x3f597686671bb, 0x0aa587eb63999, 0x0e3c7b592c619, 0x6b2916c05448c },
+        { 0x334d10aba913b, 0x045cdb581cfdb, 0x5e3e0553a8f36, 0x50bb3041effb2, 0x4c303f307ff00 },
+    },
+    {
+        { 0x403580dd94500, 0x48df77d92653f, 0x38a9fe3b349ea, 0x0ea89850aafe1, 0x416b151ab706a },
+        { 0x23bd617b28c85, 0x6e72ee77d5a61, 0x1a972ff174dde, 0x3e2636373c60f, 0x0d61b8f78b2ab },
+        { 0x0d7efe9c136b0, 0x1ab1c89640ad5, 0x55f82aef41f97, 0x46957f317ed0d, 0x191a2af74277e },
+    },
+},
+{
+    {
+        { 0x62b434f460efb, 0x294c6c0fad3fc, 0x68368937b4c0f, 0x5c9f82910875b, 0x237e7dbe00545 },
+        { 0x6f74bc53c1431, 0x1c40e5dbbd9c2, 0x6c8fb9cae5c97, 0x4845c5ce1b7da, 0x7e2e0e450b5cc },
+        { 0x575ed6701b430, 0x4d3e17fa20026, 0x791fc888c4253, 0x2f1ba99078ac1, 0x71afa699b1115 },
+    },
+    {
+        { 0x23c1c473b50d6, 0x3e7671de21d48, 0x326fa5547a1e8, 0x50e4dc25fafd9, 0x00731fbc78f89 },
+        { 0x66f9b3953b61d, 0x555f4283cccb9, 0x7dd67fb1960e7, 0x14707a1affed4, 0x021142e9c2b1c },
+        { 0x0c71848f81880, 0x44bd9d8233c86, 0x6e8578efe5830, 0x4045b6d7041b5, 0x4c4d6f3347e15 },
+    },
+    {
+        { 0x4ddfc988f1970, 0x4f6173ea365e1, 0x645daf9ae4588, 0x7d43763db623b, 0x38bf9500a88f9 },
+        { 0x7eccfc17d1fc9, 0x4ca280782831e, 0x7b8337db1d7d6, 0x5116def3895fb, 0x193fddaaa7e47 },
+        { 0x2c93c37e8876f, 0x3431a28c583fa, 0x49049da8bd879, 0x4b4a8407ac11c, 0x6a6fb99ebf0d4 },
+    },
+    {
+        { 0x122b5b6e423c6, 0x21e50dff1ddd6, 0x73d76324e75c0, 0x588485495418e, 0x136fda9f42c5e },
+        { 0x6c1bb560855eb, 0x71f127e13ad48, 0x5c6b304905aec, 0x3756b8e889bc7, 0x75f76914a3189 },
+        { 0x4dfb1a305bdd1, 0x3b3ff05811f29, 0x6ed62283cd92e, 0x65d1543ec52e1, 0x022183510be8d },
+    },
+    {
+        { 0x2710143307a7f, 0x3d88fb48bf3ab, 0x249eb4ec18f7a, 0x136115dff295f, 0x1387c441fd404 },
+        { 0x766385ead2d14, 0x0194f8b06095e, 0x08478f6823b62, 0x6018689d37308, 0x6a071ce17b806 },
+        { 0x3c3d187978af8, 0x7afe1c88276ba, 0x51df281c8ad68, 0x64906bda4245d, 0x3171b26aaf1ed },
+    },
+    {
+        { 0x5b7d8b28a47d1, 0x2c2ee149e34c1, 0x776f5629afc53, 0x1f4ea50fc49a9, 0x6c514a6334424 },
+        { 0x7319097564ca8, 0x1844ebc233525, 0x21d4543fdeee1, 0x1ad27aaff1bd2, 0x221fd4873cf08 },
+        { 0x2204f3a156341, 0x537414065a464, 0x43c0c3bedcf83, 0x5557e706ea620, 0x48daa596fb924 },
+    },
+    {
+        { 0x61d5dc84c9793, 0x47de83040c29e, 0x189deb26507e7, 0x4d4e6fadc479a, 0x58c837fa0e8a7 },
+        { 0x28e665ca59cc7, 0x165c715940dd9, 0x0785f3aa11c95, 0x57b98d7e38469, 0x676dd6fccad84 },
+        { 0x1688596fc9058, 0x66f6ad403619f, 0x4d759a87772ef, 0x7856e6173bea4, 0x1c4f73f2c6a57 },
+    },
+    {
+        { 0x6706efc7c3484, 0x6987839ec366d, 0x0731f95cf7f26, 0x3ae758ebce4bc, 0x70459adb7daf6 },
+        { 0x24fbd305fa0bb, 0x40a98cc75a1cf, 0x78ce1220a7533, 0x6217a10e1c197, 0x795ac80d1bf64 },
+        { 0x1db4991b42bb3, 0x469605b994372, 0x631e3715c9a58, 0x7e9cfefcf728f, 0x5fe162848ce21 },
+    },
+},
+{
+    {
+        { 0x1852d5d7cb208, 0x60d0fbe5ce50f, 0x5a1e246e37b75, 0x51aee05ffd590, 0x2b44c043677da },
+        { 0x1214fe194961a, 0x0e1ae39a9e9cb, 0x543c8b526f9f7, 0x119498067e91d, 0x4789d446fc917 },
+        { 0x487ab074eb78e, 0x1d33b5e8ce343, 0x13e419feb1b46, 0x2721f565de6a4, 0x60c52eef2bb9a },
+    },
+    {
+        { 0x3c5c27cae6d11, 0x36a9491956e05, 0x124bac9131da6, 0x3b6f7de202b5d, 0x70d77248d9b66 },
+        { 0x589bc3bfd8bf1, 0x6f93e6aa3416b, 0x4c0a3d6c1ae48, 0x55587260b586a, 0x10bc9c312ccfc },
+        { 0x2e84b3ec2a05b, 0x69da2f03c1551, 0x23a174661a67b, 0x209bca289f238, 0x63755bd3a976f },
+    },
+    {
+        { 0x7101897f1acb7, 0x3d82cb77b07b8, 0x684083d7769f5, 0x52b28472dce07, 0x2763751737c52 },
+        { 0x7a03e2ad10853, 0x213dcc6ad36ab, 0x1a6e240d5bdd6, 0x7c24ffcf8fedf, 0x0d8cc1c48bc16 },
+        { 0x402d36eb419a9, 0x7cef68c14a052, 0x0f1255bc2d139, 0x373e7d431186a, 0x70c2dd8a7ad16 },
+    },
+    {
+        { 0x4967db8ed7e13, 0x15aeed02f523a, 0x6149591d094bc, 0x672f204c17006, 0x32b8613816a53 },
+        { 0x194509f6fec0e, 0x528d8ca31acac, 0x7826d73b8b9fa, 0x24acb99e0f9b3, 0x2e0fac6363948 },
+        { 0x7f7bee448cd64, 0x4e10f10da0f3c, 0x3936cb9ab20e9, 0x7a0fc4fea6cd0, 0x4179215c735a4 },
+    },
+    {
+        { 0x633b9286bcd34, 0x6cab3badb9c95, 0x74e387edfbdfa, 0x14313c58a0fd9, 0x31fa85662241c },
+        { 0x094e7d7dced2a, 0x068fa738e118e, 0x41b640a5fee2b, 0x6bb709df019d4, 0x700344a30cd99 },
+        { 0x26c422e3622f4, 0x0f3066a05b5f0, 0x4e2448f0480a6, 0x244cde0dbf095, 0x24bb2312a9952 },
+    },
+    {
+        { 0x00c2af5f85c6b, 0x0609f4cf2883f, 0x6e86eb5a1ca13, 0x68b44a2efccd1, 0x0d1d2af9ffeb5 },
+        { 0x0ed1732de67c3, 0x308c369291635, 0x33ef348f2d250, 0x004475ea1a1bb, 0x0fee3e871e188 },
+        { 0x28aa132621edf, 0x42b244caf353b, 0x66b064cc2e08a, 0x6bb20020cbdd3, 0x16acd79718531 },
+    },
+    {
+        { 0x1c6c57887b6ad, 0x5abf21fd7592b, 0x50bd41253867a, 0x3800b71273151, 0x164ed34b18161 },
+        { 0x772af2d9b1d3d, 0x6d486448b4e5b, 0x2ce58dd8d18a8, 0x1849f67503c8b, 0x123e0ef6b9302 },
+        { 0x6d94c192fe69a, 0x5475222a2690f, 0x693789d86b8b3, 0x1f5c3bdfb69dc, 0x78da0fc61073f },
+    },
+    {
+        { 0x780f1680c3a94, 0x2a35d3cfcd453, 0x005e5cdc7ddf8, 0x6ee888078ac24, 0x054aa4b316b38 },
+        { 0x15d28e52bc66a, 0x30e1e0351cb7e, 0x30a2f74b11f8c, 0x39d120cd7de03, 0x2d25deeb256b1 },
+        { 0x0468d19267cb8, 0x38cdca9b5fbf9, 0x1bbb05c2ca1e2, 0x3b015758e9533, 0x134610a6ab7da },
+    },
+},
+{
+    {
+        { 0x265e777d1f515, 0x0f1f54c1e39a5, 0x2f01b95522646, 0x4fdd8db9dde6d, 0x654878cba97cc },
+        { 0x38ec78df6b0fe, 0x13caebea36a22, 0x5ebc6e54e5f6a, 0x32804903d0eb8, 0x2102fdba2b20d },
+        { 0x6e405055ce6a1, 0x5024a35a532d3, 0x1f69054daf29d, 0x15d1d0d7a8bd5, 0x0ad725db29ecb },
+    },
+    {
+        { 0x7bc0c9b056f85, 0x51cfebffaffd8, 0x44abbe94df549, 0x7ecbbd7e33121, 0x4f675f5302399 },
+        { 0x267b1834e2457, 0x6ae19c378bb88, 0x7457b5ed9d512, 0x3280d783d05fb, 0x4aefcffb71a03 },
+        { 0x536360415171e, 0x2313309077865, 0x251444334afbc, 0x2b0c3853756e8, 0x0bccbb72a2a86 },
+    },
+    {
+        { 0x55e4c50fe1296, 0x05fdd13efc30d, 0x1c0c6c380e5ee, 0x3e11de3fb62a8, 0x6678fd69108f3 },
+        { 0x6962feab1a9c8, 0x6aca28fb9a30b, 0x56db7ca1b9f98, 0x39f58497018dd, 0x4024f0ab59d6b },
+        { 0x6fa31636863c2, 0x10ae5a67e42b0, 0x27abbf01fda31, 0x380a7b9e64fbc, 0x2d42e2108ead4 },
+    },
+    {
+        { 0x17b0d0f537593, 0x16263c0c9842e, 0x4ab827e4539a4, 0x6370ddb43d73a, 0x420bf3a79b423 },
+        { 0x5131594dfd29b, 0x3a627e98d52fe, 0x1154041855661, 0x19175d09f8384, 0x676b2608b8d2d },
+        { 0x0ba651c5b2b47, 0x5862363701027, 0x0c4d6c219c6db, 0x0f03dff8658de, 0x745d2ffa9c0cf },
+    },
+    {
+        { 0x6df5721d34e6a, 0x4f32f767a0c06, 0x1d5abeac76e20, 0x41ce9e104e1e4, 0x06e15be54c1dc },
+        { 0x25a1e2bc9c8bd, 0x104c8f3b037ea, 0x405576fa96c98, 0x2e86a88e3876f, 0x1ae23ceb960cf },
+        { 0x25d871932994a, 0x6b9d63b560b6e, 0x2df2814c8d472, 0x0fbbee20aa4ed, 0x58ded861278ec },
+    },
+    {
+        { 0x35ba8b6c2c9a8, 0x1dea58b3185bf, 0x4b455cd23bbbe, 0x5ec19c04883f8, 0x08ba696b531d5 },
+        { 0x73793f266c55c, 0x0b988a9c93b02, 0x09b0ea32325db, 0x37cae71c17c5e, 0x2ff39de85485f },
+        { 0x53eeec3efc57a, 0x2fa9fe9022efd, 0x699c72c138154, 0x72a751ebd1ff8, 0x120633b4947cf },
+    },
+    {
+        { 0x531474912100a, 0x5afcdf7c0d057, 0x7a9e71b788ded, 0x5ef708f3b0c88, 0x07433be3cb393 },
+        { 0x4987891610042, 0x79d9d7f5d0172, 0x3c293013b9ec4, 0x0c2b85f39caca, 0x35d30a99b4d59 },
+        { 0x144c05ce997f4, 0x4960b8a347fef, 0x1da11f15d74f7, 0x54fac19c0fead, 0x2d873ede7af6d },
+    },
+    {
+        { 0x202e14e5df981, 0x2ea02bc3eb54c, 0x38875b2883564, 0x1298c513ae9dd, 0x0543618a01600 },
+        { 0x2316443373409, 0x5de95503b22af, 0x699201beae2df, 0x3db5849ff737a, 0x2e773654707fa },
+        { 0x2bdf4974c23c1, 0x4b3b9c8d261bd, 0x26ae8b2a9bc28, 0x3068210165c51, 0x4b1443362d079 },
+    },
+},
+{
+    {
+        { 0x454e91c529ccb, 0x24c98c6bf72cf, 0x0486594c3d89a, 0x7ae13a3d7fa3c, 0x17038418eaf66 },
+        { 0x4b7c7b66e1f7a, 0x4bea185efd998, 0x4fabc711055f8, 0x1fb9f7836fe38, 0x582f446752da6 },
+        { 0x17bd320324ce4, 0x51489117898c6, 0x1684d92a0410b, 0x6e4d90f78c5a7, 0x0c2a1c4bcda28 },
+    },
+    {
+        { 0x4814869bd6945, 0x7b7c391a45db8, 0x57316ac35b641, 0x641e31de9096a, 0x5a6a9b30a314d },
+        { 0x5c7d06f1f0447, 0x7db70f80b3a49, 0x6cb4a3ec89a78, 0x43be8ad81397d, 0x7c558bd1c6f64 },
+        { 0x41524d396463d, 0x1586b449e1a1d, 0x2f17e904aed8a, 0x7e1d2861d3c8e, 0x0404a5ca0afba },
+    },
+    {
+        { 0x49e1b2a416fd1, 0x51c6a0b316c57, 0x575a59ed71bdc, 0x74c021a1fec1e, 0x39527516e7f8e },
+        { 0x740070aa743d6, 0x16b64cbdd1183, 0x23f4b7b32eb43, 0x319aba58235b3, 0x46395bfdcadd9 },
+        { 0x7db2d1a5d9a9c, 0x79a200b85422f, 0x355bfaa71dd16, 0x00b77ea5f78aa, 0x76579a29e822d },
+    },
+    {
+        { 0x4b51352b434f2, 0x1327bd01c2667, 0x434d73b60c8a1, 0x3e0daa89443ba, 0x02c514bb2a277 },
+        { 0x68e7e49c02a17, 0x45795346fe8b6, 0x089306c8f3546, 0x6d89f6b2f88f6, 0x43a384dc9e05b },
+        { 0x3d5da8bf1b645, 0x7ded6a96a6d09, 0x6c3494fee2f4d, 0x02c989c8b6bd4, 0x1160920961548 },
+    },
+    {
+        { 0x05616369b4dcd, 0x4ecab86ac6f47, 0x3c60085d700b2, 0x0213ee10dfcea, 0x2f637d7491e6e },
+        { 0x5166929dacfaa, 0x190826b31f689, 0x4f55567694a7d, 0x705f4f7b1e522, 0x351e125bc5698 },
+        { 0x49b461af67bbe, 0x75915712c3a96, 0x69a67ef580c0d, 0x54d38ef70cffc, 0x7f182d06e7ce2 },
+    },
+    {
+        { 0x54b728e217522, 0x69a90971b0128, 0x51a40f2a963a3, 0x10be9ac12a6bf, 0x44acc043241c5 },
+        { 0x48e64ab0168ec, 0x2a2bdb8a86f4f, 0x7343b6b2d6929, 0x1d804aa8ce9a3, 0x67d4ac8c343e9 },
+        { 0x56bbb4f7a5777, 0x29230627c238f, 0x5ad1a122cd7fb, 0x0dea56e50e364, 0x556d1c8312ad7 },
+    },
+    {
+        { 0x06756b11be821, 0x462147e7bb03e, 0x26519743ebfe0, 0x782fc59682ab5, 0x097abe38cc8c7 },
+        { 0x740e30c8d3982, 0x7c2b47f4682fd, 0x5cd91b8c7dc1c, 0x77fa790f9e583, 0x746c6c6d1d824 },
+        { 0x1c9877ea52da4, 0x2b37b83a86189, 0x733af49310da5, 0x25e81161c04fb, 0x577e14a34bee8 },
+    },
+    {
+        { 0x6cebebd4dd72b, 0x340c1e442329f, 0x32347ffd1a93f, 0x14a89252cbbe0, 0x705304b8fb009 },
+        { 0x268ac61a73b0a, 0x206f234bebe1c, 0x5b403a7cbebe8, 0x7a160f09f4135, 0x60fa7ee96fd78 },
+        { 0x51d354d296ec6, 0x7cbf5a63b16c7, 0x2f50bb3cf0c14, 0x1feb385cac65a, 0x21398e0ca1635 },
+    },
+},
+{
+    {
+        { 0x0aaf9b4b75601, 0x26b91b5ae44f3, 0x6de808d7ab1c8, 0x6a769675530b0, 0x1bbfb284e98f7 },
+        { 0x5058a382b33f3, 0x175a91816913e, 0x4f6cdb96b8ae8, 0x17347c9da81d2, 0x5aa3ed9d95a23 },
+        { 0x777e9c7d96561, 0x28e58f006ccac, 0x541bbbb2cac49, 0x3e63282994cec, 0x4a07e14e5e895 },
+    },
+    {
+        { 0x358cdc477a49b, 0x3cc88fe02e481, 0x721aab7f4e36b, 0x0408cc9469953, 0x50af7aed84afa },
+        { 0x412cb980df999, 0x5e78dd8ee29dc, 0x171dff68c575d, 0x2015dd2f6ef49, 0x3f0bac391d313 },
+        { 0x7de0115f65be5, 0x4242c21364dc9, 0x6b75b64a66098, 0x0033c0102c085, 0x1921a316baebd },
+    },
+    {
+        { 0x2ad9ad9f3c18b, 0x5ec1638339aeb, 0x5703b6559a83b, 0x3fa9f4d05d612, 0x7b049deca062c },
+        { 0x22f7edfb870fc, 0x569eed677b128, 0x30937dcb0a5af, 0x758039c78ea1b, 0x6458df41e273a },
+        { 0x3e37a35444483, 0x661fdb7d27b99, 0x317761dd621e4, 0x7323c30026189, 0x6093dccbc2950 },
+    },
+    {
+        { 0x6eebe6084034b, 0x6cf01f70a8d7b, 0x0b41a54c6670a, 0x6c84b99bb55db, 0x6e3180c98b647 },
+        { 0x39a8585e0706d, 0x3167ce72663fe, 0x63d14ecdb4297, 0x4be21dcf970b8, 0x57d1ea084827a },
+        { 0x2b6e7a128b071, 0x5b27511755dcf, 0x08584c2930565, 0x68c7bda6f4159, 0x363e999ddd97b },
+    },
+    {
+        { 0x048dce24baec6, 0x2b75795ec05e3, 0x3bfa4c5da6dc9, 0x1aac8659e371e, 0x231f979bc6f9b },
+        { 0x043c135ee1fc4, 0x2a11c9919f2d5, 0x6334cc25dbacd, 0x295da17b400da, 0x48ee9b78693a0 },
+        { 0x1de4bcc2af3c6, 0x61fc411a3eb86, 0x53ed19ac12ec0, 0x209dbc6b804e0, 0x079bfa9b08792 },
+    },
+    {
+        { 0x1ed80a2d54245, 0x70efec72a5e79, 0x42151d42a822d, 0x1b5ebb6d631e8, 0x1ef4fb1594706 },
+        { 0x03a51da300df4, 0x467b52b561c72, 0x4d5920210e590, 0x0ca769e789685, 0x038c77f684817 },
+        { 0x65ee65b167bec, 0x052da19b850a9, 0x0408665656429, 0x7ab39596f9a4c, 0x575ee92a4a0bf },
+    },
+    {
+        { 0x6bc450aa4d801, 0x4f4a6773b0ba8, 0x6241b0b0ebc48, 0x40d9c4f1d9315, 0x200a1e7e382f5 },
+        { 0x080908a182fcf, 0x0532913b7ba98, 0x3dccf78c385c3, 0x68002dd5eaba9, 0x43d4e7112cd3f },
+        { 0x5b967eaf93ac5, 0x360acca580a31, 0x1c65fd5c6f262, 0x71c7f15c2ecab, 0x050eca52651e4 },
+    },
+    {
+        { 0x4397660e668ea, 0x7c2a75692f2f5, 0x3b29e7e6c66ef, 0x72ba658bcda9a, 0x6151c09fa131a },
+        { 0x31ade453f0c9c, 0x3dfee07737868, 0x611ecf7a7d411, 0x2637e6cbd64f6, 0x4b0ee6c21c58f },
+        { 0x55c0dfdf05d96, 0x405569dcf475e, 0x05c5c277498bb, 0x18588d95dc389, 0x1fef24fa800f0 },
+    },
+},
+{
+    {
+        { 0x2aff530976b86, 0x0d85a48c0845a, 0x796eb963642e0, 0x60bee50c4b626, 0x28005fe6c8340 },
+        { 0x653fb1aa73196, 0x607faec8306fa, 0x4e85ec83e5254, 0x09f56900584fd, 0x544d49292fc86 },
+        { 0x7ba9f34528688, 0x284a20fb42d5d, 0x3652cd9706ffe, 0x6fd7baddde6b3, 0x72e472930f316 },
+    },
+    {
+        { 0x3f635d32a7627, 0x0cbecacde00fe, 0x3411141eaa936, 0x21c1e42f3cb94, 0x1fee7f000fe06 },
+        { 0x5208c9781084f, 0x16468a1dc24d2, 0x7bf780ac540a8, 0x1a67eced75301, 0x5a9d2e8c2733a },
+        { 0x305da03dbf7e5, 0x1228699b7aeca, 0x12a23b2936bc9, 0x2a1bda56ae6e9, 0x00f94051ee040 },
+    },
+    {
+        { 0x793bb07af9753, 0x1e7b6ecd4fafd, 0x02c7b1560fb43, 0x2296734cc5fb7, 0x47b7ffd25dd40 },
+        { 0x56b23c3d330b2, 0x37608e360d1a6, 0x10ae0f3c8722e, 0x086d9b618b637, 0x07d79c7e8beab },
+        { 0x3fb9cbc08dd12, 0x75c3dd85370ff, 0x47f06fe2819ac, 0x5db06ab9215ed, 0x1c3520a35ea64 },
+    },
+    {
+        { 0x06f40216bc059, 0x3a2579b0fd9b5, 0x71c26407eec8c, 0x72ada4ab54f0b, 0x38750c3b66d12 },
+        { 0x253a6bccba34a, 0x427070433701a, 0x20b8e58f9870e, 0x337c861db00cc, 0x1c3d05775d0ee },
+        { 0x6f1409422e51a, 0x7856bbece2d25, 0x13380a72f031c, 0x43e1080a7f3ba, 0x0621e2c7d3304 },
+    },
+    {
+        { 0x61796b0dbf0f3, 0x73c2f9c32d6f5, 0x6aa8ed1537ebe, 0x74e92c91838f4, 0x5d8e589ca1002 },
+        { 0x060cc8259838d, 0x038d3f35b95f3, 0x56078c243a923, 0x2de3293241bb2, 0x0007d6097bd3a },
+        { 0x71d950842a94b, 0x46b11e5c7d817, 0x5478bbecb4f0d, 0x7c3054b0a1c5d, 0x1583d7783c1cb },
+    },
+    {
+        { 0x34704cc9d28c7, 0x3dee598b1f200, 0x16e1c98746d9e, 0x4050b7095afdf, 0x4958064e83c55 },
+        { 0x6a2ef5da27ae1, 0x28aace02e9d9d, 0x02459e965f0e8, 0x7b864d3150933, 0x252a5f2e81ed8 },
+        { 0x094265066e80d, 0x0a60f918d61a5, 0x0444bf7f30fde, 0x1c40da9ed3c06, 0x079c170bd843b },
+    },
+    {
+        { 0x6cd50c0d5d056, 0x5b7606ae779ba, 0x70fbd226bdda1, 0x5661e53391ff9, 0x6768c0d7317b8 },
+        { 0x6ece464fa6fff, 0x3cc40bca460a0, 0x6e3a90afb8d0c, 0x5801abca11228, 0x6dec05e34ac9f },
+        { 0x625e5f155c1b3, 0x4f32f6f723296, 0x5ac980105efce, 0x17a61165eee36, 0x51445e14ddcd5 },
+    },
+    {
+        { 0x147ab2bbea455, 0x1f240f2253126, 0x0c3de9e314e89, 0x21ea5a4fca45f, 0x12e990086e4fd },
+        { 0x02b4b3b144951, 0x5688977966aea, 0x18e176e399ffd, 0x2e45c5eb4938b, 0x13186f31e3929 },
+        { 0x496b37fdfbb2e, 0x3c2439d5f3e21, 0x16e60fe7e6a4d, 0x4d7ef889b621d, 0x77b2e3f05d3e9 },
+    },
+},
+{
+    {
+        { 0x0639c12ddb0a4, 0x6180490cd7ab3, 0x3f3918297467c, 0x74568be1781ac, 0x07a195152e095 },
+        { 0x7a9c59c2ec4de, 0x7e9f09e79652d, 0x6a3e422f22d86, 0x2ae8e3b836c8b, 0x63b795fc7ad32 },
+        { 0x68f02389e5fc8, 0x059f1bc877506, 0x504990e410cec, 0x09bd7d0feaee2, 0x3e8fe83d032f0 },
+    },
+    {
+        { 0x04c8de8efd13c, 0x1c67c06e6210e, 0x183378f7f146a, 0x64352ceaed289, 0x22d60899a6258 },
+        { 0x315b90570a294, 0x60ce108a925f1, 0x6eff61253c909, 0x003ef0e2d70b0, 0x75ba3b797fac4 },
+        { 0x1dbc070cdd196, 0x16d8fb1534c47, 0x500498183fa2a, 0x72f59c423de75, 0x0904d07b87779 },
+    },
+    {
+        { 0x22d6648f940b9, 0x197a5a1873e86, 0x207e4c41a54bc, 0x5360b3b4bd6d0, 0x6240aacebaf72 },
+        { 0x61fd4ddba919c, 0x7d8e991b55699, 0x61b31473cc76c, 0x7039631e631d6, 0x43e2143fbc1dd },
+        { 0x4749c5ba295a0, 0x37946fa4b5f06, 0x724c5ab5a51f1, 0x65633789dd3f3, 0x56bdaf238db40 },
+    },
+    {
+        { 0x0d36cc19d3bb2, 0x6ec4470d72262, 0x6853d7018a9ae, 0x3aa3e4dc2c8eb, 0x03aa31507e1e5 },
+        { 0x2b9e3f53533eb, 0x2add727a806c5, 0x56955c8ce15a3, 0x18c4f070a290e, 0x1d24a86d83741 },
+        { 0x47648ffd4ce1f, 0x60a9591839e9d, 0x424d5f38117ab, 0x42cc46912c10e, 0x43b261dc9aeb4 },
+    },
+    {
+        { 0x13d8b6c951364, 0x4c0017e8f632a, 0x53e559e53f9c4, 0x4b20146886eea, 0x02b4d5e242940 },
+        { 0x31e1988bb79bb, 0x7b82f46b3bcab, 0x0f7a8ce827b41, 0x5e15816177130, 0x326055cf5b276 },
+        { 0x155cb28d18df2, 0x0c30d9ca11694, 0x2090e27ab3119, 0x208624e7a49b6, 0x27a6c809ae5d3 },
+    },
+    {
+        { 0x4270ac43d6954, 0x2ed4cd95659a5, 0x75c0db37528f9, 0x2ccbcfd2c9234, 0x221503603d8c2 },
+        { 0x6ebcd1f0db188, 0x74ceb4b7d1174, 0x7d56168df4f5c, 0x0bf79176fd18a, 0x2cb67174ff60a },
+        { 0x6cdf9390be1d0, 0x08e519c7e2b3d, 0x253c3d2a50881, 0x21b41448e333d, 0x7b1df4b73890f },
+    },
+    {
+        { 0x6221807f8f58c, 0x3fa92813a8be5, 0x6da98c38d5572, 0x01ed95554468f, 0x68698245d352e },
+        { 0x2f2e0b3b2a224, 0x0c56aa22c1c92, 0x5fdec39f1b278, 0x4c90af5c7f106, 0x61fcef2658fc5 },
+        { 0x15d852a18187a, 0x270dbb59afb76, 0x7db120bcf92ab, 0x0e7a25d714087, 0x46cf4c473daf0 },
+    },
+    {
+        { 0x46ea7f1498140, 0x70725690a8427, 0x0a73ae9f079fb, 0x2dd924461c62b, 0x1065aae50d8cc },
+        { 0x525ed9ec4e5f9, 0x022d20660684c, 0x7972b70397b68, 0x7a03958d3f965, 0x29387bcd14eb5 },
+        { 0x44525df200d57, 0x2d7f94ce94385, 0x60d00c170ecb7, 0x38b0503f3d8f0, 0x69a198e64f1ce },
+    },
+},
+{
+    {
+        { 0x14434dcc5caed, 0x2c7909f667c20, 0x61a839d1fb576, 0x4f23800cabb76, 0x25b2697bd267f },
+        { 0x2b2e0d91a78bc, 0x3990a12ccf20c, 0x141c2e11f2622, 0x0dfcefaa53320, 0x7369e6a92493a },
+        { 0x73ffb13986864, 0x3282bb8f713ac, 0x49ced78f297ef, 0x6697027661def, 0x1420683db54e4 },
+    },
+    {
+        { 0x6bb6fc1cc5ad0, 0x532c8d591669d, 0x1af794da86c33, 0x0e0e9d86d24d3, 0x31e83b4161d08 },
+        { 0x0bd1e249dd197, 0x00bcb1820568f, 0x2eab1718830d4, 0x396fd816997e6, 0x60b63bebf508a },
+        { 0x0c7129e062b4f, 0x1e526415b12fd, 0x461a0fd27923d, 0x18badf670a5b7, 0x55cf1eb62d550 },
+    },
+    {
+        { 0x6b5e37df58c52, 0x3bcf33986c60e, 0x44fb8835ceae7, 0x099dec18e71a4, 0x1a56fbaa62ba0 },
+        { 0x1101065c23d58, 0x5aa1290338b0f, 0x3157e9e2e7421, 0x0ea712017d489, 0x669a656457089 },
+        { 0x66b505c9dc9ec, 0x774ef86e35287, 0x4d1d944c0955e, 0x52e4c39d72b20, 0x13c4836799c58 },
+    },
+    {
+        { 0x4fb6a5d8bd080, 0x58ae34908589b, 0x3954d977baf13, 0x413ea597441dc, 0x50bdc87dc8e5b },
+        { 0x25d465ab3e1b9, 0x0f8fe27ec2847, 0x2d6e6dbf04f06, 0x3038cfc1b3276, 0x66f80c93a637b },
+        { 0x537836edfe111, 0x2be02357b2c0d, 0x6dcee58c8d4f8, 0x2d732581d6192, 0x1dd56444725fd },
+    },
+    {
+        { 0x7e60008bac89a, 0x23d5c387c1852, 0x79e5df1f533a8, 0x2e6f9f1c5f0cf, 0x3a3a450f63a30 },
+        { 0x47ff83362127d, 0x08e39af82b1f4, 0x488322ef27dab, 0x1973738a2a1a4, 0x0e645912219f7 },
+        { 0x72f31d8394627, 0x07bd294a200f1, 0x665be00e274c6, 0x43de8f1b6368b, 0x318c8d9393a9a },
+    },
+    {
+        { 0x69e29ab1dd398, 0x30685b3c76bac, 0x565cf37f24859, 0x57b2ac28efef9, 0x509a41c325950 },
+        { 0x45d032afffe19, 0x12fe49b6cde4e, 0x21663bc327cf1, 0x18a5e4c69f1dd, 0x224c7c679a1d5 },
+        { 0x06edca6f925e9, 0x68c8363e677b8, 0x60cfa25e4fbcf, 0x1c4c17609404e, 0x05bff02328a11 },
+    },
+    {
+        { 0x1a0dd0dc512e4, 0x10894bf5fcd10, 0x52949013f9c37, 0x1f50fba4735c7, 0x576277cdee01a },
+        { 0x2137023cae00b, 0x15a3599eb26c6, 0x0687221512b3c, 0x253cb3a0824e9, 0x780b8cc3fa2a4 },
+        { 0x38abc234f305f, 0x7a280bbc103de, 0x398a836695dfe, 0x3d0af41528a1a, 0x5ff418726271b },
+    },
+    {
+        { 0x347e813b69540, 0x76864c21c3cbb, 0x1e049dbcd74a8, 0x5b4d60f93749c, 0x29d4db8ca0a0c },
+        { 0x6080c1789db9d, 0x4be7cef1ea731, 0x2f40d769d8080, 0x35f7d4c44a603, 0x106a03dc25a96 },
+        { 0x50aaf333353d0, 0x4b59a613cbb35, 0x223dfc0e19a76, 0x77d1e2bb2c564, 0x4ab38a51052cb },
+    },
+},
+{
+    {
+        { 0x7d1ef5fddc09c, 0x7beeaebb9dad9, 0x058d30ba0acfb, 0x5cd92eab5ae90, 0x3041c6bb04ed2 },
+        { 0x42b256768d593, 0x2e88459427b4f, 0x02b3876630701, 0x34878d405eae5, 0x29cdd1adc088a },
+        { 0x2f2f9d956e148, 0x6b3e6ad65c1fe, 0x5b00972b79e5d, 0x53d8d234c5daf, 0x104bbd6814049 },
+    },
+    {
+        { 0x59a5fd67ff163, 0x3a998ead0352b, 0x083c95fa4af9a, 0x6fadbfc01266f, 0x204f2a20fb072 },
+        { 0x0fd3168f1ed67, 0x1bb0de7784a3e, 0x34bcb78b20477, 0x0a4a26e2e2182, 0x5be8cc57092a7 },
+        { 0x43b3d30ebb079, 0x357aca5c61902, 0x5b570c5d62455, 0x30fb29e1e18c7, 0x2570fb17c2791 },
+    },
+    {
+        { 0x6a9550bb8245a, 0x511f20a1a2325, 0x29324d7239bee, 0x3343cc37516c4, 0x241c5f91de018 },
+        { 0x2367f2cb61575, 0x6c39ac04d87df, 0x6d4958bd7e5bd, 0x566f4638a1532, 0x3dcb65ea53030 },
+        { 0x0172940de6caa, 0x6045b2e67451b, 0x56c07463efcb3, 0x0728b6bfe6e91, 0x08420edd5fcdf },
+    },
+    {
+        { 0x0c34e04f410ce, 0x344edc0d0a06b, 0x6e45486d84d6d, 0x44e2ecb3863f5, 0x04d654f321db8 },
+        { 0x720ab8362fa4a, 0x29c4347cdd9bf, 0x0e798ad5f8463, 0x4fef18bcb0bfe, 0x0d9a53efbc176 },
+        { 0x5c116ddbdb5d5, 0x6d1b4bba5abcf, 0x4d28a48a5537a, 0x56b8e5b040b99, 0x4a7a4f2618991 },
+    },
+    {
+        { 0x3b291af372a4b, 0x60e3028fe4498, 0x2267bca4f6a09, 0x719eec242b243, 0x4a96314223e0e },
+        { 0x718025fb15f95, 0x68d6b8371fe94, 0x3804448f7d97c, 0x42466fe784280, 0x11b50c4cddd31 },
+        { 0x0274408a4ffd6, 0x7d382aedb34dd, 0x40acfc9ce385d, 0x628bb99a45b1e, 0x4f4bce4dce6bc },
+    },
+    {
+        { 0x2616ec49d0b6f, 0x1f95d8462e61c, 0x1ad3e9b9159c6, 0x79ba475a04df9, 0x3042cee561595 },
+        { 0x7ce5ae2242584, 0x2d25eb153d4e3, 0x3a8f3d09ba9c9, 0x0f3690d04eb8e, 0x73fcdd14b71c0 },
+        { 0x67079449bac41, 0x5b79c4621484f, 0x61069f2156b8d, 0x0eb26573b10af, 0x389e740c9a9ce },
+    },
+    {
+        { 0x578f6570eac28, 0x644f2339c3937, 0x66e47b7956c2c, 0x34832fe1f55d0, 0x25c425e5d6263 },
+        { 0x4b3ae34dcb9ce, 0x47c691a15ac9f, 0x318e06e5d400c, 0x3c422d9f83eb1, 0x61545379465a6 },
+        { 0x606a6f1d7de6e, 0x4f1c0c46107e7, 0x229b1dcfbe5d8, 0x3acc60a7b1327, 0x6539a08915484 },
+    },
+    {
+        { 0x4dbd414bb4a19, 0x7930849f1dbb8, 0x329c5a466caf0, 0x6c824544feb9b, 0x0f65320ef019b },
+        { 0x21f74c3d2f773, 0x024b88d08bd3a, 0x6e678cf054151, 0x43631272e747c, 0x11c5e4aac5cd1 },
+        { 0x6d1b1cafde0c6, 0x462c76a303a90, 0x3ca4e693cff9b, 0x3952cd45786fd, 0x4cabc7bdec330 },
+    },
+},
+{
+    {
+        { 0x7788f3f78d289, 0x5942809b3f811, 0x5973277f8c29c, 0x010f93bc5fe67, 0x7ee498165acb2 },
+        { 0x69624089c0a2e, 0x0075fc8e70473, 0x13e84ab1d2313, 0x2c10bedf6953b, 0x639b93f0321c8 },
+        { 0x508e39111a1c3, 0x290120e912f7a, 0x1cbf464acae43, 0x15373e9576157, 0x0edf493c85b60 },
+    },
+    {
+        { 0x7c4d284764113, 0x7fefebf06acec, 0x39afb7a824100, 0x1b48e47e7fd65, 0x04c00c54d1dfa },
+        { 0x48158599b5a68, 0x1fd75bc41d5d9, 0x2d9fc1fa95d3c, 0x7da27f20eba11, 0x403b92e3019d4 },
+        { 0x22f818b465cf8, 0x342901dff09b8, 0x31f595dc683cd, 0x37a57745fd682, 0x355bb12ab2617 },
+    },
+    {
+        { 0x1dac75a8c7318, 0x3b679d5423460, 0x6b8fcb7b6400e, 0x6c73783be5f9d, 0x7518eaf8e052a },
+        { 0x664cc7493bbf4, 0x33d94761874e3, 0x0179e1796f613, 0x1890535e2867d, 0x0f9b8132182ec },
+        { 0x059c41b7f6c32, 0x79e8706531491, 0x6c747643cb582, 0x2e20c0ad494e4, 0x47c3871bbb175 },
+    },
+    {
+        { 0x65d50c85066b0, 0x6167453361f7c, 0x06ba3818bb312, 0x6aff29baa7522, 0x08fea02ce8d48 },
+        { 0x4539771ec4f48, 0x7b9318badca28, 0x70f19afe016c5, 0x4ee7bb1608d23, 0x00b89b8576469 },
+        { 0x5dd7668deead0, 0x4096d0ba47049, 0x6275997219114, 0x29bda8a67e6ae, 0x473829a74f75d },
+    },
+    {
+        { 0x1533aad3902c9, 0x1dde06b11e47b, 0x784bed1930b77, 0x1c80a92b9c867, 0x6c668b4d44e4d },
+        { 0x2da754679c418, 0x3164c31be105a, 0x11fac2b98ef5f, 0x35a1aaf779256, 0x2078684c4833c },
+        { 0x0cf217a78820c, 0x65024e7d2e769, 0x23bb5efdda82a, 0x19fd4b632d3c6, 0x7411a6054f8a4 },
+    },
+    {
+        { 0x2e53d18b175b4, 0x33e7254204af3, 0x3bcd7d5a1c4c5, 0x4c7c22af65d0f, 0x1ec9a872458c3 },
+        { 0x59d32b99dc86d, 0x6ac075e22a9ac, 0x30b9220113371, 0x27fd9a638966e, 0x7c136574fb813 },
+        { 0x6a4d400a2509b, 0x041791056971c, 0x655d5866e075c, 0x2302bf3e64df8, 0x3add88a5c7cd6 },
+    },
+    {
+        { 0x298d459393046, 0x30bfecb3d90b8, 0x3d9b8ea3df8d6, 0x3900e96511579, 0x61ba1131a406a },
+        { 0x15770b635dcf2, 0x59ecd83f79571, 0x2db461c0b7fbd, 0x73a42a981345f, 0x249929fccc879 },
+        { 0x0a0f116959029, 0x5974fd7b1347a, 0x1e0cc1c08edad, 0x673bdf8ad1f13, 0x5620310cbbd8e },
+    },
+    {
+        { 0x6b5f477e285d6, 0x4ed91ec326cc8, 0x6d6537503a3fd, 0x626d3763988d5, 0x7ec846f3658ce },
+        { 0x193434934d643, 0x0d4a2445eaa51, 0x7d0708ae76fe0, 0x39847b6c3c7e1, 0x37676a2a4d9d9 },
+        { 0x68f3f1da22ec7, 0x6ed8039a2736b, 0x2627ee04c3c75, 0x6ea90a647e7d1, 0x6daaf723399b9 },
+    },
+},
+{
+    {
+        { 0x304bfacad8ea2, 0x502917d108b07, 0x043176ca6dd0f, 0x5d5158f2c1d84, 0x2b5449e58eb3b },
+        { 0x27562eb3dbe47, 0x291d7b4170be7, 0x5d1ca67dfa8e1, 0x2a88061f298a2, 0x1304e9e71627d },
+        { 0x014d26adc9cfe, 0x7f1691ba16f13, 0x5e71828f06eac, 0x349ed07f0fffc, 0x4468de2d7c2dd },
+    },
+    {
+        { 0x2d8c6f86307ce, 0x6286ba1850973, 0x5e9dcb08444d4, 0x1a96a543362b2, 0x5da6427e63247 },
+        { 0x3355e9419469e, 0x1847bb8ea8a37, 0x1fe6588cf9b71, 0x6b1c9d2db6b22, 0x6cce7c6ffb44b },
+        { 0x4c688deac22ca, 0x6f775c3ff0352, 0x565603ee419bb, 0x6544456c61c46, 0x58f29abfe79f2 },
+    },
+    {
+        { 0x264bf710ecdf6, 0x708c58527896b, 0x42ceae6c53394, 0x4381b21e82b6a, 0x6af93724185b4 },
+        { 0x6cfab8de73e68, 0x3e6efced4bd21, 0x0056609500dbe, 0x71b7824ad85df, 0x577629c4a7f41 },
+        { 0x0024509c6a888, 0x2696ab12e6644, 0x0cca27f4b80d8, 0x0c7c1f11b119e, 0x701f25bb0caec },
+    },
+    {
+        { 0x0f6d97cbec113, 0x4ce97fb7c93a3, 0x139835a11281b, 0x728907ada9156, 0x720a5bc050955 },
+        { 0x0b0f8e4616ced, 0x1d3c4b50fb875, 0x2f29673dc0198, 0x5f4b0f1830ffa, 0x2e0c92bfbdc40 },
+        { 0x709439b805a35, 0x6ec48557f8187, 0x08a4d1ba13a2c, 0x076348a0bf9ae, 0x0e9b9cbb144ef },
+    },
+    {
+        { 0x69bd55db1beee, 0x6e14e47f731bd, 0x1a35e47270eac, 0x66f225478df8e, 0x366d44191cfd3 },
+        { 0x2d48ffb5720ad, 0x57b7f21a1df77, 0x5550effba0645, 0x5ec6a4098a931, 0x221104eb3f337 },
+        { 0x41743f2bc8c14, 0x796b0ad8773c7, 0x29fee5cbb689b, 0x122665c178734, 0x4167a4e6bc593 },
+    },
+    {
+        { 0x62665f8ce8fee, 0x29d101ac59857, 0x4d93bbba59ffc, 0x17b7897373f17, 0x34b33370cb7ed },
+        { 0x39d2876f62700, 0x001cecd1d6c87, 0x7f01a11747675, 0x2350da5a18190, 0x7938bb7e22552 },
+        { 0x591ee8681d6cc, 0x39db0b4ea79b8, 0x202220f380842, 0x2f276ba42e0ac, 0x1176fc6e2dfe6 },
+    },
+    {
+        { 0x0e28949770eb8, 0x5559e88147b72, 0x35e1e6e63ef30, 0x35b109aa7ff6f, 0x1f6a3e54f2690 },
+        { 0x76cd05b9c619b, 0x69654b0901695, 0x7a53710b77f27, 0x79a1ea7d28175, 0x08fc3a4c677d5 },
+        { 0x4c199d30734ea, 0x6c622cb9acc14, 0x5660a55030216, 0x068f1199f11fb, 0x4f2fad0116b90 },
+    },
+    {
+        { 0x4d91db73bb638, 0x55f82538112c5, 0x6d85a279815de, 0x740b7b0cd9cf9, 0x3451995f2944e },
+        { 0x6b24194ae4e54, 0x2230afded8897, 0x23412617d5071, 0x3d5d30f35969b, 0x445484a4972ef },
+        { 0x2fcd09fea7d7c, 0x296126b9ed22a, 0x4a171012a05b2, 0x1db92c74d5523, 0x10b89ca604289 },
+    },
+},
+{
+    {
+        { 0x141be5a45f06e, 0x5adb38becaea7, 0x3fd46db41f2bb, 0x6d488bbb5ce39, 0x17d2d1d9ef0d4 },
+        { 0x147499718289c, 0x0a48a67e4c7ab, 0x30fbc544bafe3, 0x0c701315fe58a, 0x20b878d577b75 },
+        { 0x2af18073f3e6a, 0x33aea420d24fe, 0x298008bf4ff94, 0x3539171db961e, 0x72214f63cc65c },
+    },
+    {
+        { 0x5b7b9f43b29c9, 0x149ea31eea3b3, 0x4be7713581609, 0x2d87960395e98, 0x1f24ac855a154 },
+        { 0x37f405307a693, 0x2e5e66cf2b69c, 0x5d84266ae9c53, 0x5e4eb7de853b9, 0x5fdf48c58171c },
+        { 0x608328e9505aa, 0x22182841dc49a, 0x3ec96891d2307, 0x2f363fff22e03, 0x00ba739e2ae39 },
+    },
+    {
+        { 0x426f5ea88bb26, 0x33092e77f75c8, 0x1a53940d819e7, 0x1132e4f818613, 0x72297de7d518d },
+        { 0x698de5c8790d6, 0x268b8545beb25, 0x6d2648b96fedf, 0x47988ad1db07c, 0x03283a3e67ad7 },
+        { 0x41dc7be0cb939, 0x1b16c66100904, 0x0a24c20cbc66d, 0x4a2e9efe48681, 0x05e1296846271 },
+    },
+    {
+        { 0x7bbc8242c4550, 0x59a06103b35b7, 0x7237e4af32033, 0x726421ab3537a, 0x78cf25d38258c },
+        { 0x2eeb32d9c495a, 0x79e25772f9750, 0x6d747833bbf23, 0x6cdd816d5d749, 0x39c00c9c13698 },
+        { 0x66b8e31489d68, 0x573857e10e2b5, 0x13be816aa1472, 0x41964d3ad4bf8, 0x006b52076b3ff },
+    },
+    {
+        { 0x37e16b9ce082d, 0x1882f57853eb9, 0x7d29eacd01fc5, 0x2e76a59b5e715, 0x7de2e9561a9f7 },
+        { 0x0cfe19d95781c, 0x312cc621c453c, 0x145ace6da077c, 0x0912bef9ce9b8, 0x4d57e3443bc76 },
+        { 0x0d4f4b6a55ecb, 0x7ebb0bb733bce, 0x7ba6a05200549, 0x4f6ede4e22069, 0x6b2a90af1a602 },
+    },
+    {
+        { 0x3f3245bb2d80a, 0x0e5f720f36efd, 0x3b9cccf60c06d, 0x084e323f37926, 0x465812c8276c2 },
+        { 0x3f4fc9ae61e97, 0x3bc07ebfa2d24, 0x3b744b55cd4a0, 0x72553b25721f3, 0x5fd8f4e9d12d3 },
+        { 0x3beb22a1062d9, 0x6a7063b82c9a8, 0x0a5a35dc197ed, 0x3c80c06a53def, 0x05b32c2b1cb16 },
+    },
+    {
+        { 0x4a42c7ad58195, 0x5c8667e799eff, 0x02e5e74c850a1, 0x3f0db614e869a, 0x31771a4856730 },
+        { 0x05eccd24da8fd, 0x580bbfdf07918, 0x7e73586873c6a, 0x74ceddf77f93e, 0x3b5556a37b471 },
+        { 0x0c524e14dd482, 0x283457496c656, 0x0ad6bcfb6cd45, 0x375d1e8b02414, 0x4fc079d27a733 },
+    },
+    {
+        { 0x48b440c86c50d, 0x139929cca3b86, 0x0f8f2e44cdf2f, 0x68432117ba6b2, 0x241170c2bae3c },
+        { 0x138b089bf2f7f, 0x4a05bfd34ea39, 0x203914c925ef5, 0x7497fffe04e3c, 0x124567cecaf98 },
+        { 0x1ab860ac473b4, 0x5c0227c86a7ff, 0x71b12bfc24477, 0x006a573a83075, 0x3f8612966c870 },
+    },
+},
+{
+    {
+        { 0x0fcfa36048d13, 0x66e7133bbb383, 0x64b42a8a45676, 0x4ea6e4f9a85cf, 0x26f57eee878a1 },
+        { 0x20cc9782a0dde, 0x65d4e3070aab3, 0x7bc8e31547736, 0x09ebfb1432d98, 0x504aa77679736 },
+        { 0x32cd55687efb1, 0x4448f5e2f6195, 0x568919d460345, 0x034c2e0ad1a27, 0x4041943d9dba3 },
+    },
+    {
+        { 0x17743a26caadd, 0x48c9156f9c964, 0x7ef278d1e9ad0, 0x00ce58ea7bd01, 0x12d931429800d },
+        { 0x0eeba43ebcc96, 0x384dd5395f878, 0x1df331a35d272, 0x207ecfd4af70e, 0x1420a1d976843 },
+        { 0x67799d337594f, 0x01647548f6018, 0x57fce5578f145, 0x009220c142a71, 0x1b4f92314359a },
+    },
+    {
+        { 0x73030a49866b1, 0x2442be90b2679, 0x77bd3d8947dcf, 0x1fb55c1552028, 0x5ff191d56f9a2 },
+        { 0x4109d89150951, 0x225bd2d2d47cb, 0x57cc080e73bea, 0x6d71075721fcb, 0x239b572a7f132 },
+        { 0x6d433ac2d9068, 0x72bf930a47033, 0x64facf4a20ead, 0x365f7a2b9402a, 0x020c526a758f3 },
+    },
+    {
+        { 0x1ef59f042cc89, 0x3b1c24976dd26, 0x31d665cb16272, 0x28656e470c557, 0x452cfe0a5602c },
+        { 0x034f89ed8dbbc, 0x73b8f948d8ef3, 0x786c1d323caab, 0x43bd4a9266e51, 0x02aacc4615313 },
+        { 0x0f7a0647877df, 0x4e1cc0f93f0d4, 0x7ec4726ef1190, 0x3bdd58bf512f8, 0x4cfb7d7b304b8 },
+    },
+    {
+        { 0x699c29789ef12, 0x63beae321bc50, 0x325c340adbb35, 0x562e1a1e42bf6, 0x5b1d4cbc434d3 },
+        { 0x43d6cb89b75fe, 0x3338d5b900e56, 0x38d327d531a53, 0x1b25c61d51b9f, 0x14b4622b39075 },
+        { 0x32615cc0a9f26, 0x57711b99cb6df, 0x5a69c14e93c38, 0x6e88980a4c599, 0x2f98f71258592 },
+    },
+    {
+        { 0x2ae444f54a701, 0x615397afbc5c2, 0x60d7783f3f8fb, 0x2aa675fc486ba, 0x1d8062e9e7614 },
+        { 0x4a74cb50f9e56, 0x531d1c2640192, 0x0c03d9d6c7fd2, 0x57ccd156610c1, 0x3a6ae249d806a },
+        { 0x2da85a9907c5a, 0x6b23721ec4caf, 0x4d2d3a4683aa2, 0x7f9c6870efdef, 0x298b8ce8aef25 },
+    },
+    {
+        { 0x272ea0a2165de, 0x68179ef3ed06f, 0x4e2b9c0feac1e, 0x3ee290b1b63bb, 0x6ba6271803a7d },
+        { 0x27953eff70cb2, 0x54f22ae0ec552, 0x29f3da92e2724, 0x242ca0c22bd18, 0x34b8a8404d5ce },
+        { 0x6ecb583693335, 0x3ec76bfdfb84d, 0x2c895cf56a04f, 0x6355149d54d52, 0x71d62bdd465e1 },
+    },
+    {
+        { 0x5b5dab1f75ef5, 0x1e2d60cbeb9a5, 0x527c2175dfe57, 0x59e8a2b8ff51f, 0x1c333621262b2 },
+        { 0x3cc28d378df80, 0x72141f4968ca6, 0x407696bdb6d0d, 0x5d271b22ffcfb, 0x74d5f317f3172 },
+        { 0x7e55467d9ca81, 0x6a5653186f50d, 0x6b188ece62df1, 0x4c66d36844971, 0x4aebcc4547e9d },
+    },
+},
+{
+    {
+        { 0x08d9e7354b610, 0x26b750b6dc168, 0x162881e01acc9, 0x7966df31d01a5, 0x173bd9ddc9a1d },
+        { 0x0071b276d01c9, 0x0b0d8918e025e, 0x75beea79ee2eb, 0x3c92984094db8, 0x5d88fbf95a3db },
+        { 0x00f1efe5872df, 0x5da872318256a, 0x59ceb81635960, 0x18cf37693c764, 0x06e1cd13b19ea },
+    },
+    {
+        { 0x3af629e5b0353, 0x204f1a088e8e5, 0x10efc9ceea82e, 0x589863c2fa34b, 0x7f3a6a1a8d837 },
+        { 0x0ad516f166f23, 0x263f56d57c81a, 0x13422384638ca, 0x1331ff1af0a50, 0x3080603526e16 },
+        { 0x644395d3d800b, 0x2b9203dbedefc, 0x4b18ce656a355, 0x03f3466bc182c, 0x30d0fded2e513 },
+    },
+    {
+        { 0x4971e68b84750, 0x52ccc9779f396, 0x3e904ae8255c8, 0x4ecae46f39339, 0x4615084351c58 },
+        { 0x14d1af21233b3, 0x1de1989b39c0b, 0x52669dc6f6f9e, 0x43434b28c3fc7, 0x0a9214202c099 },
+        { 0x019c0aeb9a02e, 0x1a2c06995d792, 0x664cbb1571c44, 0x6ff0736fa80b2, 0x3bca0d2895ca5 },
+    },
+    {
+        { 0x08eb69ecc01bf, 0x5b4c8912df38d, 0x5ea7f8bc2f20e, 0x120e516caafaf, 0x4ea8b4038df28 },
+        { 0x031bc3c5d62a4, 0x7d9fe0f4c081e, 0x43ed51467f22c, 0x1e6cc0c1ed109, 0x5631deddae8f1 },
+        { 0x5460af1cad202, 0x0b4919dd0655d, 0x7c4697d18c14c, 0x231c890bba2a4, 0x24ce0930542ca },
+    },
+    {
+        { 0x7a155fdf30b85, 0x1c6c6e5d487f9, 0x24be1134bdc5a, 0x1405970326f32, 0x549928a7324f4 },
+        { 0x090f5fd06c106, 0x6abb1021e43fd, 0x232bcfad711a0, 0x3a5c13c047f37, 0x41d4e3c28a06d },
+        { 0x632a763ee1a2e, 0x6fa4bffbd5e4d, 0x5fd35a6ba4792, 0x7b55e1de99de8, 0x491b66dec0dcf },
+    },
+    {
+        { 0x04a8ed0da64a1, 0x5ecfc45096ebe, 0x5edee93b488b2, 0x5b3c11a51bc8f, 0x4cf6b8b0b7018 },
+        { 0x5b13dc7ea32a7, 0x18fc2db73131e, 0x7e3651f8f57e3, 0x25656055fa965, 0x08f338d0c85ee },
+        { 0x3a821991a73bd, 0x03be6418f5870, 0x1ddc18eac9ef0, 0x54ce09e998dc2, 0x530d4a82eb078 },
+    },
+    {
+        { 0x173456c9abf9e, 0x7892015100dad, 0x33ee14095fecb, 0x6ad95d67a0964, 0x0db3e7e00cbfb },
+        { 0x43630e1f94825, 0x4d1956a6b4009, 0x213fe2df8b5e0, 0x05ce3a41191e6, 0x65ea753f10177 },
+        { 0x6fc3ee2096363, 0x7ec36b96d67ac, 0x510ec6a0758b1, 0x0ed87df022109, 0x02a4ec1921e1a },
+    },
+    {
+        { 0x06162f1cf795f, 0x324ddcafe5eb9, 0x018d5e0463218, 0x7e78b9092428e, 0x36d12b5dec067 },
+        { 0x6259a3b24b8a2, 0x188b5f4170b9c, 0x681c0dee15deb, 0x4dfe665f37445, 0x3d143c5112780 },
+        { 0x5279179154557, 0x39f8f0741424d, 0x45e6eb357923d, 0x42c9b5edb746f, 0x2ef517885ba82 },
+    },
+},
+{
+    {
+        { 0x6bffb305b2f51, 0x5b112b2d712dd, 0x35774974fe4e2, 0x04af87a96e3a3, 0x57968290bb3a0 },
+        { 0x7974e8c58aedc, 0x7757e083488c6, 0x601c62ae7bc8b, 0x45370c2ecab74, 0x2f1b78fab143a },
+        { 0x2b8430a20e101, 0x1a49e1d88fee3, 0x38bbb47ce4d96, 0x1f0e7ba84d437, 0x7dc43e35dc2aa },
+    },
+    {
+        { 0x02a5c273e9718, 0x32bc9dfb28b4f, 0x48df4f8d5db1a, 0x54c87976c028f, 0x044fb81d82d50 },
+        { 0x66665887dd9c3, 0x629760a6ab0b2, 0x481e6c7243e6c, 0x097e37046fc77, 0x7ef72016758cc },
+        { 0x718c5a907e3d9, 0x3b9c98c6b383b, 0x006ed255eccdc, 0x6976538229a59, 0x7f79823f9c30d },
+    },
+    {
+        { 0x41ff068f587ba, 0x1c00a191bcd53, 0x7b56f9c209e25, 0x3781e5fccaabe, 0x64a9b0431c06d },
+        { 0x4d239a3b513e8, 0x29723f51b1066, 0x642f4cf04d9c3, 0x4da095aa09b7a, 0x0a4e0373d784d },
+        { 0x3d6a15b7d2919, 0x41aa75046a5d6, 0x691751ec2d3da, 0x23638ab6721c4, 0x071a7d0ace183 },
+    },
+    {
+        { 0x4355220e14431, 0x0e1362a283981, 0x2757cd8359654, 0x2e9cd7ab10d90, 0x7c69bcf761775 },
+        { 0x72daac887ba0b, 0x0b7f4ac5dda60, 0x3bdda2c0498a4, 0x74e67aa180160, 0x2c3bcc7146ea7 },
+        { 0x0d7eb04e8295f, 0x4a5ea1e6fa0fe, 0x45e635c436c60, 0x28ef4a8d4d18b, 0x6f5a9a7322aca },
+    },
+    {
+        { 0x1d4eba3d944be, 0x0100f15f3dce5, 0x61a700e367825, 0x5922292ab3d23, 0x02ab9680ee8d3 },
+        { 0x1000c2f41c6c5, 0x0219fdf737174, 0x314727f127de7, 0x7e5277d23b81e, 0x494e21a2e147a },
+        { 0x48a85dde50d9a, 0x1c1f734493df4, 0x47bdb64866889, 0x59a7d048f8eec, 0x6b5d76cbea46b },
+    },
+    {
+        { 0x141171e782522, 0x6806d26da7c1f, 0x3f31d1bc79ab9, 0x09f20459f5168, 0x16fb869c03dd3 },
+        { 0x7556cec0cd994, 0x5eb9a03b7510a, 0x50ad1dd91cb71, 0x1aa5780b48a47, 0x0ae333f685277 },
+        { 0x6199733b60962, 0x69b157c266511, 0x64740f893f1ca, 0x03aa408fbf684, 0x3f81e38b8f70d },
+    },
+    {
+        { 0x37f355f17c824, 0x07ae85334815b, 0x7e3abddd2e48f, 0x61eeabe1f45e5, 0x0ad3e2d34cded },
+        { 0x10fcc7ed9affe, 0x4248cb0e96ff2, 0x4311c115172e2, 0x4c9d41cbf6925, 0x50510fc104f50 },
+        { 0x40fc5336e249d, 0x3386639fb2de1, 0x7bbf871d17b78, 0x75f796b7e8004, 0x127c158bf0fa1 },
+    },
+    {
+        { 0x28fc4ae51b974, 0x26e89bfd2dbd4, 0x4e122a07665cf, 0x7cab1203405c3, 0x4ed82479d167d },
+        { 0x17c422e9879a2, 0x28a5946c8fec3, 0x53ab32e912b77, 0x7b44da09fe0a5, 0x354ef87d07ef4 },
+        { 0x3b52260c5d975, 0x79d6836171fdc, 0x7d994f140d4bb, 0x1b6c404561854, 0x302d92d205392 },
+    },
+},
+{
+    {
+        { 0x46fb6e4e0f177, 0x53497ad5265b7, 0x1ebdba01386fc, 0x0302f0cb36a3c, 0x0edc5f5eb426d },
+        { 0x3c1a2bca4283d, 0x23430c7bb2f02, 0x1a3ea1bb58bc2, 0x7265763de5c61, 0x10e5d3b76f1ca },
+        { 0x3bfd653da8e67, 0x584953ec82a8a, 0x55e288fa7707b, 0x5395fc3931d81, 0x45b46c51361cb },
+    },
+    {
+        { 0x54ddd8a7fe3e4, 0x2cecc41c619d3, 0x43a6562ac4d91, 0x4efa5aca7bdd9, 0x5c1c0aef32122 },
+        { 0x02abf314f7fa1, 0x391d19e8a1528, 0x6a2fa13895fc7, 0x09d8eddeaa591, 0x2177bfa36dcb7 },
+        { 0x01bbcfa79db8f, 0x3d84beb3666e1, 0x20c921d812204, 0x2dd843d3b32ce, 0x4ae619387d8ab },
+    },
+    {
+        { 0x17e44985bfb83, 0x54e32c626cc22, 0x096412ff38118, 0x6b241d61a246a, 0x75685abe5ba43 },
+        { 0x3f6aa5344a32e, 0x69683680f11bb, 0x04c3581f623aa, 0x701af5875cba5, 0x1a00d91b17bf3 },
+        { 0x60933eb61f2b2, 0x5193fe92a4dd2, 0x3d995a550f43e, 0x3556fb93a883d, 0x135529b623b0e },
+    },
+    {
+        { 0x716bce22e83fe, 0x33d0130b83eb8, 0x0952abad0afac, 0x309f64ed31b8a, 0x5972ea051590a },
+        { 0x0dbd7add1d518, 0x119f823e2231e, 0x451d66e5e7de2, 0x500c39970f838, 0x79b5b81a65ca3 },
+        { 0x4ac20dc8f7811, 0x29589a9f501fa, 0x4d810d26a6b4a, 0x5ede00d96b259, 0x4f7e9c95905f3 },
+    },
+    {
+        { 0x0443d355299fe, 0x39b7d7d5aee39, 0x692519a2f34ec, 0x6e4404924cf78, 0x1942eec4a144a },
+        { 0x74bbc5781302e, 0x73135bb81ec4c, 0x7ef671b61483c, 0x7264614ccd729, 0x31993ad92e638 },
+        { 0x45319ae234992, 0x2219d47d24fb5, 0x4f04488b06cf6, 0x53aaa9e724a12, 0x2a0a65314ef9c },
+    },
+    {
+        { 0x61acd3c1c793a, 0x58b46b78779e6, 0x3369aacbe7af2, 0x509b0743074d4, 0x055dc39b6dea1 },
+        { 0x7937ff7f927c2, 0x0c2fa14c6a5b6, 0x556bddb6dd07c, 0x6f6acc179d108, 0x4cf6e218647c2 },
+        { 0x1227cc28d5bb6, 0x78ee9bff57623, 0x28cb2241f893a, 0x25b541e3c6772, 0x121a307710aa2 },
+    },
+    {
+        { 0x1713ec77483c9, 0x6f70572d5facb, 0x25ef34e22ff81, 0x54d944f141188, 0x527bb94a6ced3 },
+        { 0x35d5e9f034a97, 0x126069785bc9b, 0x5474ec7854ff0, 0x296a302a348ca, 0x333fc76c7a40e },
+        { 0x5992a995b482e, 0x78dc707002ac7, 0x5936394d01741, 0x4fba4281aef17, 0x6b89069b20a7a },
+    },
+    {
+        { 0x2fa8cb5c7db77, 0x718e6982aa810, 0x39e95f81a1a1b, 0x5e794f3646cfb, 0x0473d308a7639 },
+        { 0x2a0416270220d, 0x75f248b69d025, 0x1cbbc16656a27, 0x5b9ffd6e26728, 0x23bc2103aa73e },
+        { 0x6792603589e05, 0x248db9892595d, 0x006a53cad2d08, 0x20d0150f7ba73, 0x102f73bfde043 },
+    },
+},
+{
+    {
+        { 0x4dae0b5511c9a, 0x5257fffe0d456, 0x54108d1eb2180, 0x096cc0f9baefa, 0x3f6bd725da4ea },
+        { 0x0b9ab7f5745c6, 0x5caf0f8d21d63, 0x7debea408ea2b, 0x09edb93896d16, 0x36597d25ea5c0 },
+        { 0x58d7b106058ac, 0x3cdf8d20bee69, 0x00a4cb765015e, 0x36832337c7cc9, 0x7b7ecc19da60d },
+    },
+    {
+        { 0x64a51a77cfa9b, 0x29cf470ca0db5, 0x4b60b6e0898d9, 0x55d04ddffe6c7, 0x03bedc661bf5c },
+        { 0x2373c695c690d, 0x4c0c8520dcf18, 0x384af4b7494b9, 0x4ab4a8ea22225, 0x4235ad7601743 },
+        { 0x0cb0d078975f5, 0x292313e530c4b, 0x38dbb9124a509, 0x350d0655a11f1, 0x0e7ce2b0cdf06 },
+    },
+    {
+        { 0x6fedfd94b70f9, 0x2383f9745bfd4, 0x4beae27c4c301, 0x75aa4416a3f3f, 0x615256138aece },
+        { 0x4643ac48c85a3, 0x6878c2735b892, 0x3a53523f4d877, 0x3a504ed8bee9d, 0x666e0a5d8fb46 },
+        { 0x3f64e4870cb0d, 0x61548b16d6557, 0x7a261773596f3, 0x7724d5f275d3a, 0x7f0bc810d514d },
+    },
+    {
+        { 0x49dad737213a0, 0x745dee5d31075, 0x7b1a55e7fdbe2, 0x5ba988f176ea1, 0x1d3a907ddec5a },
+        { 0x06ba426f4136f, 0x3cafc0606b720, 0x518f0a2359cda, 0x5fae5e46feca7, 0x0d1f8dbcf8eed },
+        { 0x693313ed081dc, 0x5b0a366901742, 0x40c872ca4ca7e, 0x6f18094009e01, 0x00011b44a31bf },
+    },
+    {
+        { 0x61f696a0aa75c, 0x38b0a57ad42ca, 0x1e59ab706fdc9, 0x01308d46ebfcd, 0x63d988a2d2851 },
+        { 0x7a06c3fc66c0c, 0x1c9bac1ba47fb, 0x23935c575038e, 0x3f0bd71c59c13, 0x3ac48d916e835 },
+        { 0x20753afbd232e, 0x71fbb1ed06002, 0x39cae47a4af3a, 0x0337c0b34d9c2, 0x33fad52b2368a },
+    },
+    {
+        { 0x4c8d0c422cfe8, 0x760b4275971a5, 0x3da95bc1cad3d, 0x0f151ff5b7376, 0x3cc355ccb90a7 },
+        { 0x649c6c5e41e16, 0x60667eee6aa80, 0x4179d182be190, 0x653d9567e6979, 0x16c0f429a256d },
+        { 0x69443903e9131, 0x16f4ac6f9dd36, 0x2ea4912e29253, 0x2b4643e68d25d, 0x631eaf426bae7 },
+    },
+    {
+        { 0x175b9a3700de8, 0x77c5f00aa48fb, 0x3917785ca0317, 0x05aa9b2c79399, 0x431f2c7f665f8 },
+        { 0x10410da66fe9f, 0x24d82dcb4d67d, 0x3e6fe0e17752d, 0x4dade1ecbb08f, 0x5599648b1ea91 },
+        { 0x26344858f7b19, 0x5f43d4a295ac0, 0x242a75c52acd4, 0x5934480220d10, 0x7b04715f91253 },
+    },
+    {
+        { 0x6c280c4e6bac6, 0x3ada3b361766e, 0x42fe5125c3b4f, 0x111d84d4aac22, 0x48d0acfa57cde },
+        { 0x5bd28acf6ae43, 0x16fab8f56907d, 0x7acb11218d5f2, 0x41fe02023b4db, 0x59b37bf5c2f65 },
+        { 0x726e47dabe671, 0x2ec45e746f6c1, 0x6580e53c74686, 0x5eda104673f74, 0x16234191336d3 },
+    },
+},
+{
+    {
+        { 0x19cd61ff38640, 0x060c6c4b41ba9, 0x75cf70ca7366f, 0x118a8f16c011e, 0x4a25707a203b9 },
+        { 0x499def6267ff6, 0x76e858108773c, 0x693cac5ddcb29, 0x00311d00a9ff4, 0x2cdfdfecd5d05 },
+        { 0x7668a53f6ed6a, 0x303ba2e142556, 0x3880584c10909, 0x4fe20000a261d, 0x5721896d248e4 },
+    },
+    {
+        { 0x55091a1d0da4e, 0x4f6bfc7c1050b, 0x64e4ecd2ea9be, 0x07eb1f28bbe70, 0x03c935afc4b03 },
+        { 0x65517fd181bae, 0x3e5772c76816d, 0x019189640898a, 0x1ed2a84de7499, 0x578edd74f63c1 },
+        { 0x276c6492b0c3d, 0x09bfc40bf932e, 0x588e8f11f330b, 0x3d16e694dc26e, 0x3ec2ab590288c },
+    },
+    {
+        { 0x13a09ae32d1cb, 0x3e81eb85ab4e4, 0x07aaca43cae1f, 0x62f05d7526374, 0x0e1bf66c6adba },
+        { 0x0d27be4d87bb9, 0x56c27235db434, 0x72e6e0ea62d37, 0x5674cd06ee839, 0x2dd5c25a200fc },
+        { 0x3d5e9792c887e, 0x319724dabbc55, 0x2b97c78680800, 0x7afdfdd34e6dd, 0x730548b35ae88 },
+    },
+    {
+        { 0x3094ba1d6e334, 0x6e126a7e3300b, 0x089c0aefcfbc5, 0x2eea11f836583, 0x585a2277d8784 },
+        { 0x551a3cba8b8ee, 0x3b6422be2d886, 0x630e1419689bc, 0x4653b07a7a955, 0x3043443b411db },
+        { 0x25f8233d48962, 0x6bd8f04aff431, 0x4f907fd9a6312, 0x40fd3c737d29b, 0x7656278950ef9 },
+    },
+    {
+        { 0x073a3ea86cf9d, 0x6e0e2abfb9c2e, 0x60e2a38ea33ee, 0x30b2429f3fe18, 0x28bbf484b613f },
+        { 0x3cf59d51fc8c0, 0x7a0a0d6de4718, 0x55c3a3e6fb74b, 0x353135f884fd5, 0x3f4160a8c1b84 },
+        { 0x12f5c6f136c7c, 0x0fedba237de4c, 0x779bccebfab44, 0x3aea93f4d6909, 0x1e79cb358188f },
+    },
+    {
+        { 0x153d8f5e08181, 0x08533bbdb2efd, 0x1149796129431, 0x17a6e36168643, 0x478ab52d39d1f },
+        { 0x436c3eef7e3f1, 0x7ffd3c21f0026, 0x3e77bf20a2da9, 0x418bffc8472de, 0x65d7951b3a3b3 },
+        { 0x6a4d39252d159, 0x790e35900ecd4, 0x30725bf977786, 0x10a5c1635a053, 0x16d87a411a212 },
+    },
+    {
+        { 0x4d5e2d54e0583, 0x2e5d7b33f5f74, 0x3a5de3f887ebf, 0x6ef24bd6139b7, 0x1f990b577a5a6 },
+        { 0x57e5a42066215, 0x1a18b44983677, 0x3e652de1e6f8f, 0x6532be02ed8eb, 0x28f87c8165f38 },
+        { 0x44ead1be8f7d6, 0x5759d4f31f466, 0x0378149f47943, 0x69f3be32b4f29, 0x45882fe1534d6 },
+    },
+    {
+        { 0x49929943c6fe4, 0x4347072545b15, 0x3226bced7e7c5, 0x03a134ced89df, 0x7dcf843ce405f },
+        { 0x1345d757983d6, 0x222f54234cccd, 0x1784a3d8adbb4, 0x36ebeee8c2bcc, 0x688fe5b8f626f },
+        { 0x0d6484a4732c0, 0x7b94ac6532d92, 0x5771b8754850f, 0x48dd9df1461c8, 0x6739687e73271 },
+    },
+},
+{
+    {
+        { 0x5cc9dc80c1ac0, 0x683671486d4cd, 0x76f5f1a5e8173, 0x6d5d3f5f9df4a, 0x7da0b8f68d7e7 },
+        { 0x02014385675a6, 0x6155fb53d1def, 0x37ea32e89927c, 0x059a668f5a82e, 0x46115aba1d4dc },
+        { 0x71953c3b5da76, 0x6642233d37a81, 0x2c9658076b1bd, 0x5a581e63010ff, 0x5a5f887e83674 },
+    },
+    {
+        { 0x628d3a0a643b9, 0x01cd8640c93d2, 0x0b7b0cad70f2c, 0x3864da98144be, 0x43e37ae2d5d1c },
+        { 0x301cf70a13d11, 0x2a6a1ba1891ec, 0x2f291fb3f3ae0, 0x21a7b814bea52, 0x3669b656e44d1 },
+        { 0x63f06eda6e133, 0x233342758070f, 0x098e0459cc075, 0x4df5ead6c7c1b, 0x6a21e6cd4fd5e },
+    },
+    {
+        { 0x129126699b2e3, 0x0ee11a2603de8, 0x60ac2f5c74c21, 0x59b192a196808, 0x45371b07001e8 },
+        { 0x6170a3046e65f, 0x5401a46a49e38, 0x20add5561c4a8, 0x7abb4edde9e46, 0x586bf9f1a195f },
+        { 0x3088d5ef8790b, 0x38c2126fcb4db, 0x685bae149e3c3, 0x0bcd601a4e930, 0x0eafb03790e52 },
+    },
+    {
+        { 0x0805e0f75ae1d, 0x464cc59860a28, 0x248e5b7b00bef, 0x5d99675ef8f75, 0x44ae3344c5435 },
+        { 0x555c13748042f, 0x4d041754232c0, 0x521b430866907, 0x3308e40fb9c39, 0x309acc675a02c },
+        { 0x289b9bba543ee, 0x3ab592e28539e, 0x64d82abcdd83a, 0x3c78ec172e327, 0x62d5221b7f946 },
+    },
+    {
+        { 0x5d4263af77a3c, 0x23fdd2289aeb0, 0x7dc64f77eb9ec, 0x01bd28338402c, 0x14f29a5383922 },
+        { 0x4299c18d0936d, 0x5914183418a49, 0x52a18c721aed5, 0x2b151ba82976d, 0x5c0efde4bc754 },
+        { 0x17edc25b2d7f5, 0x37336a6081bee, 0x7b5318887e5c3, 0x49f6d491a5be1, 0x5e72365c7bee0 },
+    },
+    {
+        { 0x339062f08b33e, 0x4bbf3e657cfb2, 0x67af7f56e5967, 0x4dbd67f9ed68f, 0x70b20555cb734 },
+        { 0x3fc074571217f, 0x3a0d29b2b6aeb, 0x06478ccdde59d, 0x55e4d051bddfa, 0x77f1104c47b4e },
+        { 0x113c555112c4c, 0x7535103f9b7ca, 0x140ed1d9a2108, 0x02522333bc2af, 0x0e34398f4a064 },
+    },
+    {
+        { 0x30b093e4b1928, 0x1ce7e7ec80312, 0x4e575bdf78f84, 0x61f7a190bed39, 0x6f8aded6ca379 },
+        { 0x522d93ecebde8, 0x024f045e0f6cf, 0x16db63426cfa1, 0x1b93a1fd30fd8, 0x5e5405368a362 },
+        { 0x0123dfdb7b29a, 0x4344356523c68, 0x79a527921ee5f, 0x74bfccb3e817e, 0x780de72ec8d3d },
+    },
+    {
+        { 0x7eaf300f42772, 0x5455188354ce3, 0x4dcca4a3dcbac, 0x3d314d0bfebcb, 0x1defc6ad32b58 },
+        { 0x28545089ae7bc, 0x1e38fe9a0c15c, 0x12046e0e2377b, 0x6721c560aa885, 0x0eb28bf671928 },
+        { 0x3be1aef5195a7, 0x6f22f62bdb5eb, 0x39768b8523049, 0x43394c8fbfdbd, 0x467d201bf8dd2 },
+    },
+},
+{
+    {
+        { 0x6f4bd567ae7a9, 0x65ac89317b783, 0x07d3b20fd8932, 0x000f208326916, 0x2ef9c5a5ba384 },
+        { 0x6919a74ef4fad, 0x59ed4611452bf, 0x691ec04ea09ef, 0x3cbcb2700e984, 0x71c43c4f5ba3c },
+        { 0x56df6fa9e74cd, 0x79c95e4cf56df, 0x7be643bc609e2, 0x149c12ad9e878, 0x5a758ca390c5f },
+    },
+    {
+        { 0x0918b1d61dc94, 0x0d350260cd19c, 0x7a2ab4e37b4d9, 0x21fea735414d7, 0x0a738027f639d },
+        { 0x72710d9462495, 0x25aafaa007456, 0x2d21f28eaa31b, 0x17671ea005fd0, 0x2dbae244b3eb7 },
+        { 0x74a2f57ffe1cc, 0x1bc3073087301, 0x7ec57f4019c34, 0x34e082e1fa524, 0x2698ca635126a },
+    },
+    {
+        { 0x5702f5e3dd90e, 0x31c9a4a70c5c7, 0x136a5aa78fc24, 0x1992f3b9f7b01, 0x3c004b0c4afa3 },
+        { 0x5318832b0ba78, 0x6f24b9ff17cec, 0x0a47f30e060c7, 0x58384540dc8d0, 0x1fb43dcc49cae },
+        { 0x146ac06f4b82b, 0x4b500d89e7355, 0x3351e1c728a12, 0x10b9f69932fe3, 0x6b43fd01cd1fd },
+    },
+    {
+        { 0x742583e760ef3, 0x73dc1573216b8, 0x4ae48fdd7714a, 0x4f85f8a13e103, 0x73420b2d6ff0d },
+        { 0x75d4b4697c544, 0x11be1fff7f8f4, 0x119e16857f7e1, 0x38a14345cf5d5, 0x5a68d7105b52f },
+        { 0x4f6cb9e851e06, 0x278c4471895e5, 0x7efcdce3d64e4, 0x64f6d455c4b4c, 0x3db5632fea34b },
+    },
+    {
+        { 0x190b1829825d5, 0x0e7d3513225c9, 0x1c12be3b7abae, 0x58777781e9ca6, 0x59197ea495df2 },
+        { 0x6ee2bf75dd9d8, 0x6c72ceb34be8d, 0x679c9cc345ec7, 0x7898df96898a4, 0x04321adf49d75 },
+        { 0x16019e4e55aae, 0x74fc5f25d209c, 0x4566a939ded0d, 0x66063e716e0b7, 0x45eafdc1f4d70 },
+    },
+    {
+        { 0x64624cfccb1ed, 0x257ab8072b6c1, 0x0120725676f0a, 0x4a018d04e8eee, 0x3f73ceea5d56d },
+        { 0x401858045d72b, 0x459e5e0ca2d30, 0x488b719308bea, 0x56f4a0d1b32b5, 0x5a5eebc80362d },
+        { 0x7bfd10a4e8dc6, 0x7c899366736f4, 0x55ebbeaf95c01, 0x46db060903f8a, 0x2605889126621 },
+    },
+    {
+        { 0x18e3cc676e542, 0x26079d995a990, 0x04a7c217908b2, 0x1dc7603e6655a, 0x0dedfa10b2444 },
+        { 0x704a68360ff04, 0x3cecc3cde8b3e, 0x21cd5470f64ff, 0x6abc18d953989, 0x54ad0c2e4e615 },
+        { 0x367d5b82b522a, 0x0d3f4b83d7dc7, 0x3067f4cdbc58d, 0x20452da697937, 0x62ecb2baa77a9 },
+    },
+    {
+        { 0x72836afb62874, 0x0af3c2094b240, 0x0c285297f357a, 0x7cc2d5680d6e3, 0x61913d5075663 },
+        { 0x5795261152b3d, 0x7a1dbbafa3cbd, 0x5ad31c52588d5, 0x45f3a4164685c, 0x2e59f919a966d },
+        { 0x62d361a3231da, 0x65284004e01b8, 0x656533be91d60, 0x6ae016c00a89f, 0x3ddbc2a131c05 },
+    },
+},
+{
+    {
+        { 0x257a22796bb14, 0x6f360fb443e75, 0x680e47220eaea, 0x2fcf2a5f10c18, 0x5ee7fb38d8320 },
+        { 0x40ff9ce5ec54b, 0x57185e261b35b, 0x3e254540e70a9, 0x1b5814003e3f8, 0x78968314ac04b },
+        { 0x5fdcb41446a8e, 0x5286926ff2a71, 0x0f231e296b3f6, 0x684a357c84693, 0x61d0633c9bca0 },
+    },
+    {
+        { 0x328bcf8fc73df, 0x3b4de06ff95b4, 0x30aa427ba11a5, 0x5ee31bfda6d9c, 0x5b23ac2df8067 },
+        { 0x44935ffdb2566, 0x12f016d176c6e, 0x4fbb00f16f5ae, 0x3fab78d99402a, 0x6e965fd847aed },
+        { 0x2b953ee80527b, 0x55f5bcdb1b35a, 0x43a0b3fa23c66, 0x76e07388b820a, 0x79b9bbb9dd95d },
+    },
+    {
+        { 0x17dae8e9f7374, 0x719f76102da33, 0x5117c2a80ca8b, 0x41a66b65d0936, 0x1ba811460accb },
+        { 0x355406a3126c2, 0x50d1918727d76, 0x6e5ea0b498e0e, 0x0a3b6063214f2, 0x5065f158c9fd2 },
+        { 0x169fb0c429954, 0x59aedd9ecee10, 0x39916eb851802, 0x57917555cc538, 0x3981f39e58a4f },
+    },
+    {
+        { 0x5dfa56de66fde, 0x0058809075908, 0x6d3d8cb854a94, 0x5b2f4e970b1e3, 0x30f4452edcbc1 },
+        { 0x38a7559230a93, 0x52c1cde8ba31f, 0x2a4f2d4745a3d, 0x07e9d42d4a28a, 0x38dc083705acd },
+        { 0x52782c5759740, 0x53f3397d990ad, 0x3a939c7e84d15, 0x234c4227e39e0, 0x632d9a1a593f2 },
+    },
+    {
+        { 0x1fd11ed0c84a7, 0x021b3ed2757e1, 0x73e1de58fc1c6, 0x5d110c84616ab, 0x3a5a7df28af64 },
+        { 0x36b15b807cba6, 0x3f78a9e1afed7, 0x0a59c2c608f1f, 0x52bdd8ecb81b7, 0x0b24f48847ed4 },
+        { 0x2d4be511beac7, 0x6bda4d99e5b9b, 0x17e6996914e01, 0x7b1f0ce7fcf80, 0x34fcf74475481 },
+    },
+    {
+        { 0x31dab78cfaa98, 0x4e3216e5e54b7, 0x249823973b689, 0x2584984e48885, 0x0119a3042fb37 },
+        { 0x7e04c789767ca, 0x1671b28cfb832, 0x7e57ea2e1c537, 0x1fbaaef444141, 0x3d3bdc164dfa6 },
+        { 0x2d89ce8c2177d, 0x6cd12ba182cf4, 0x20a8ac19a7697, 0x539fab2cc72d9, 0x56c088f1ede20 },
+    },
+    {
+        { 0x35fac24f38f02, 0x7d75c6197ab03, 0x33e4bc2a42fa7, 0x1c7cd10b48145, 0x038b7ea483590 },
+        { 0x53d1110a86e17, 0x6416eb65f466d, 0x41ca6235fce20, 0x5c3fc8a99bb12, 0x09674c6b99108 },
+        { 0x6f82199316ff8, 0x05d54f1a9f3e9, 0x3bcc5d0bd274a, 0x5b284b8d2d5ad, 0x6e5e31025969e },
+    },
+    {
+        { 0x4fb0e63066222, 0x130f59747e660, 0x041868fecd41a, 0x3105e8c923bc6, 0x3058ad43d1838 },
+        { 0x462f587e593fb, 0x3d94ba7ce362d, 0x330f9b52667b7, 0x5d45a48e0f00a, 0x08f5114789a8d },
+        { 0x40ffde57663d0, 0x71445d4c20647, 0x2653e68170f7c, 0x64cdee3c55ed6, 0x26549fa4efe3d },
+    },
+},
+{
+    {
+        { 0x68549af3f666e, 0x09e2941d4bb68, 0x2e8311f5dff3c, 0x6429ef91ffbd2, 0x3a10dfe132ce3 },
+        { 0x55a461e6bf9d6, 0x78eeef4b02e83, 0x1d34f648c16cf, 0x07fea2aba5132, 0x1926e1dc6401e },
+        { 0x74e8aea17cea0, 0x0c743f83fbc0f, 0x7cb03c4bf5455, 0x68a8ba9917e98, 0x1fa1d01d861e5 },
+    },
+    {
+        { 0x4ac00d1df94ab, 0x3ba2101bd271b, 0x7578988b9c4af, 0x0f2bf89f49f7e, 0x73fced18ee9a0 },
+        { 0x055947d599832, 0x346fe2aa41990, 0x0164c8079195b, 0x799ccfb7bba27, 0x773563bc6a75c },
+        { 0x1e90863139cb3, 0x4f8b407d9a0d6, 0x58e24ca924f69, 0x7a246bbe76456, 0x1f426b701b864 },
+    },
+    {
+        { 0x635c891a12552, 0x26aebd38ede2f, 0x66dc8faddae05, 0x21c7d41a03786, 0x0b76bb1b3fa7e },
+        { 0x1264c41911c01, 0x702f44584bdf9, 0x43c511fc68ede, 0x0482c3aed35f9, 0x4e1af5271d31b },
+        { 0x0c1f97f92939b, 0x17a88956dc117, 0x6ee005ef99dc7, 0x4aa9172b231cc, 0x7b6dd61eb772a },
+    },
+    {
+        { 0x0abf9ab01d2c7, 0x3880287630ae6, 0x32eca045beddb, 0x57f43365f32d0, 0x53fa9b659bff6 },
+        { 0x5c1e850f33d92, 0x1ec119ab9f6f5, 0x7f16f6de663e9, 0x7a7d6cb16dec6, 0x703e9bceaf1d2 },
+        { 0x4c8e994885455, 0x4ccb5da9cad82, 0x3596bc610e975, 0x7a80c0ddb9f5e, 0x398d93e5c4c61 },
+    },
+    {
+        { 0x77c60d2e7e3f2, 0x4061051763870, 0x67bc4e0ecd2aa, 0x2bb941f1373b9, 0x699c9c9002c30 },
+        { 0x3d16733e248f3, 0x0e2b7e14be389, 0x42c0ddaf6784a, 0x589ea1fc67850, 0x53b09b5ddf191 },
+        { 0x6a7235946f1cc, 0x6b99cbb2fbe60, 0x6d3a5d6485c62, 0x4839466e923c0, 0x51caf30c6fcdd },
+    },
+    {
+        { 0x2f99a18ac54c7, 0x398a39661ee6f, 0x384331e40cde3, 0x4cd15c4de19a6, 0x12ae29c189f8e },
+        { 0x3a7427674e00a, 0x6142f4f7e74c1, 0x4cc93318c3a15, 0x6d51bac2b1ee7, 0x5504aa292383f },
+        { 0x6c0cb1f0d01cf, 0x187469ef5d533, 0x27138883747bf, 0x2f52ae53a90e8, 0x5fd14fe958eba },
+    },
+    {
+        { 0x2fe5ebf93cb8e, 0x226da8acbe788, 0x10883a2fb7ea1, 0x094707842cf44, 0x7dd73f960725d },
+        { 0x42ddf2845ab2c, 0x6214ffd3276bb, 0x00b8d181a5246, 0x268a6d579eb20, 0x093ff26e58647 },
+        { 0x524fe68059829, 0x65b75e47cb621, 0x15eb0a5d5cc19, 0x05209b3929d5a, 0x2f59bcbc86b47 },
+    },
+    {
+        { 0x1d560b691c301, 0x7f5bafce3ce08, 0x4cd561614806c, 0x4588b6170b188, 0x2aa55e3d01082 },
+        { 0x47d429917135f, 0x3eacfa07af070, 0x1deab46b46e44, 0x7a53f3ba46cdf, 0x5458b42e2e51a },
+        { 0x192e60c07444f, 0x5ae8843a21daa, 0x6d721910b1538, 0x3321a95a6417e, 0x13e9004a8a768 },
+    },
+},
+{
+    {
+        { 0x600c9193b877f, 0x21c1b8a0d7765, 0x379927fb38ea2, 0x70d7679dbe01b, 0x5f46040898de9 },
+        { 0x58845832fcedb, 0x135cd7f0c6e73, 0x53ffbdfe8e35b, 0x22f195e06e55b, 0x73937e8814bce },
+        { 0x37116297bf48d, 0x45a9e0d069720, 0x25af71aa744ec, 0x41af0cb8aaba3, 0x2cf8a4e891d5e },
+    },
+    {
+        { 0x5487e17d06ba2, 0x3872a032d6596, 0x65e28c09348e0, 0x27b6bb2ce40c2, 0x7a6f7f2891d6a },
+        { 0x3fd8707110f67, 0x26f8716a92db2, 0x1cdaa1b753027, 0x504be58b52661, 0x2049bd6e58252 },
+        { 0x1fd8d6a9aef49, 0x7cb67b7216fa1, 0x67aff53c3b982, 0x20ea610da9628, 0x6011aadfc5459 },
+    },
+    {
+        { 0x6d0c802cbf890, 0x141bfed554c7b, 0x6dbb667ef4263, 0x58f3126857edc, 0x69ce18b779340 },
+        { 0x7926dcf95f83c, 0x42e25120e2bec, 0x63de96df1fa15, 0x4f06b50f3f9cc, 0x6fc5cc1b0b62f },
+        { 0x75528b29879cb, 0x79a8fd2125a3d, 0x27c8d4b746ab8, 0x0f8893f02210c, 0x15596b3ae5710 },
+    },
+    {
+        { 0x731167e5124ca, 0x17b38e8bbe13f, 0x3d55b942f9056, 0x09c1495be913f, 0x3aa4e241afb6d },
+        { 0x739d23f9179a2, 0x632fadbb9e8c4, 0x7c8522bfe0c48, 0x6ed0983ef5aa9, 0x0d2237687b5f4 },
+        { 0x138bf2a3305f5, 0x1f45d24d86598, 0x5274bad2160fe, 0x1b6041d58d12a, 0x32fcaa6e4687a },
+    },
+    {
+        { 0x7a4732787ccdf, 0x11e427c7f0640, 0x03659385f8c64, 0x5f4ead9766bfb, 0x746f6336c2600 },
+        { 0x56e8dc57d9af5, 0x5b3be17be4f78, 0x3bf928cf82f4b, 0x52e55600a6f11, 0x4627e9cefebd6 },
+        { 0x2f345ab6c971c, 0x653286e63e7e9, 0x51061b78a23ad, 0x14999acb54501, 0x7b4917007ed66 },
+    },
+    {
+        { 0x41b28dd53a2dd, 0x37be85f87ea86, 0x74be3d2a85e41, 0x1be87fac96ca6, 0x1d03620fe08cd },
+        { 0x5fb5cab84b064, 0x2513e778285b0, 0x457383125e043, 0x6bda3b56e223d, 0x122ba376f844f },
+        { 0x232cda2b4e554, 0x0422ba30ff840, 0x751e7667b43f5, 0x6261755da5f3e, 0x02c70bf52b68e },
+    },
+    {
+        { 0x532bf458d72e1, 0x40f96e796b59c, 0x22ef79d6f9da3, 0x501ab67beca77, 0x6b0697e3feb43 },
+        { 0x7ec4b5d0b2fbb, 0x200e910595450, 0x742057105715e, 0x2f07022530f60, 0x26334f0a409ef },
+        { 0x0f04adf62a3c0, 0x5e0edb48bb6d9, 0x7c34aa4fbc003, 0x7d74e4e5cac24, 0x1cc37f43441b2 },
+    },
+    {
+        { 0x656f1c9ceaeb9, 0x7031cacad5aec, 0x1308cd0716c57, 0x41c1373941942, 0x3a346f772f196 },
+        { 0x7565a5cc7324f, 0x01ca0d5244a11, 0x116b067418713, 0x0a57d8c55edae, 0x6c6809c103803 },
+        { 0x55112e2da6ac8, 0x6363d0a3dba5a, 0x319c98ba6f40c, 0x2e84b03a36ec7, 0x05911b9f6ef7c },
+    },
+},
+{
+    {
+        { 0x1acf3512eeaef, 0x2639839692a69, 0x669a234830507, 0x68b920c0603d4, 0x555ef9d1c64b2 },
+        { 0x39983f5df0ebb, 0x1ea2589959826, 0x6ce638703cdd6, 0x6311678898505, 0x6b3cecf9aa270 },
+        { 0x770ba3b73bd08, 0x11475f7e186d4, 0x0251bc9892bbc, 0x24eab9bffcc5a, 0x675f4de133817 },
+    },
+    {
+        { 0x7f6d93bdab31d, 0x1f3aca5bfd425, 0x2fa521c1c9760, 0x62180ce27f9cd, 0x60f450b882cd3 },
+        { 0x452036b1782fc, 0x02d95b07681c5, 0x5901cf99205b2, 0x290686e5eecb4, 0x13d99df70164c },
+        { 0x35ec321e5c0ca, 0x13ae337f44029, 0x4008e813f2da7, 0x640272f8e0c3a, 0x1c06de9e55eda },
+    },
+    {
+        { 0x52b40ff6d69aa, 0x31b8809377ffa, 0x536625cd14c2c, 0x516af252e17d1, 0x78096f8e7d32b },
+        { 0x77ad6a33ec4e2, 0x717c5dc11d321, 0x4a114559823e4, 0x306ce50a1e2b1, 0x4cf38a1fec2db },
+        { 0x2aa650dfa5ce7, 0x54916a8f19415, 0x00dc96fe71278, 0x55f2784e63eb8, 0x373cad3a26091 },
+    },
+    {
+        { 0x6a8fb89ddbbad, 0x78c35d5d97e37, 0x66e3674ef2cb2, 0x34347ac53dd8f, 0x21547eda5112a },
+        { 0x4634d82c9f57c, 0x4249268a6d652, 0x6336d687f2ff7, 0x4fe4f4e26d9a0, 0x0040f3d945441 },
+        { 0x5e939fd5986d3, 0x12a2147019bdf, 0x4c466e7d09cb2, 0x6fa5b95d203dd, 0x63550a334a254 },
+    },
+    {
+        { 0x2584572547b49, 0x75c58811c1377, 0x4d3c637cc171b, 0x33d30747d34e3, 0x39a92bafaa7d7 },
+        { 0x7d6edb569cf37, 0x60194a5dc2ca0, 0x5af59745e10a6, 0x7a8f53e004875, 0x3eea62c7daf78 },
+        { 0x4c713e693274e, 0x6ed1b7a6eb3a4, 0x62ace697d8e15, 0x266b8292ab075, 0x68436a0665c9c },
+    },
+    {
+        { 0x6d317e820107c, 0x090815d2ca3ca, 0x03ff1eb1499a1, 0x23960f050e319, 0x5373669c91611 },
+        { 0x235e8202f3f27, 0x44c9f2eb61780, 0x630905b1d7003, 0x4fcc8d274ead1, 0x17b6e7f68ab78 },
+        { 0x014ab9a0e5257, 0x09939567f8ba5, 0x4b47b2a423c82, 0x688d7e57ac42d, 0x1cb4b5a678f87 },
+    },
+    {
+        { 0x4aa62a2a007e7, 0x61e0e38f62d6e, 0x02f888fcc4782, 0x7562b83f21c00, 0x2dc0fd2d82ef6 },
+        { 0x4c06b394afc6c, 0x4931b4bf636cc, 0x72b60d0322378, 0x25127c6818b25, 0x330bca78de743 },
+        { 0x6ff841119744e, 0x2c560e8e49305, 0x7254fefe5a57a, 0x67ae2c560a7df, 0x3c31be1b369f1 },
+    },
+    {
+        { 0x0bc93f9cb4272, 0x3f8f9db73182d, 0x2b235eabae1c4, 0x2ddbf8729551a, 0x41cec1097e7d5 },
+        { 0x4864d08948aee, 0x5d237438df61e, 0x2b285601f7067, 0x25dbcbae6d753, 0x330b61134262d },
+        { 0x619d7a26d808a, 0x3c3b3c2adbef2, 0x6877c9eec7f52, 0x3beb9ebe1b66d, 0x26b44cd91f287 },
+    },
+},
+{
+    {
+        { 0x7f29362730383, 0x7fd7951459c36, 0x7504c512d49e7, 0x087ed7e3bc55f, 0x7deb10149c726 },
+        { 0x048478f387475, 0x69397d9678a3e, 0x67c8156c976f3, 0x2eb4d5589226c, 0x2c709e6c1c10a },
+        { 0x2af6a8766ee7a, 0x08aaa79a1d96c, 0x42f92d59b2fb0, 0x1752c40009c07, 0x08e68e9ff62ce },
+    },
+    {
+        { 0x509d50ab8f2f9, 0x1b8ab247be5e5, 0x5d9b2e6b2e486, 0x4faa5479a1339, 0x4cb13bd738f71 },
+        { 0x5500a4bc130ad, 0x127a17a938695, 0x02a26fa34e36d, 0x584d12e1ecc28, 0x2f1f3f87eeba3 },
+        { 0x48c75e515b64a, 0x75b6952071ef0, 0x5d46d42965406, 0x7746106989f9f, 0x19a1e353c0ae2 },
+    },
+    {
+        { 0x172cdd596bdbd, 0x0731ddf881684, 0x10426d64f8115, 0x71a4fd8a9a3da, 0x736bd3990266a },
+        { 0x47560bafa05c3, 0x418dcabcc2fa3, 0x35991cecf8682, 0x24371a94b8c60, 0x41546b11c20c3 },
+        { 0x32d509334b3b4, 0x16c102cae70aa, 0x1720dd51bf445, 0x5ae662faf9821, 0x412295a2b87fa },
+    },
+    {
+        { 0x55261e293eac6, 0x06426759b65cc, 0x40265ae116a48, 0x6c02304bae5bc, 0x0760bb8d195ad },
+        { 0x19b88f57ed6e9, 0x4cdbf1904a339, 0x42b49cd4e4f2c, 0x71a2e771909d9, 0x14e153ebb52d2 },
+        { 0x61a17cde6818a, 0x53dad34108827, 0x32b32c55c55b6, 0x2f9165f9347a3, 0x6b34be9bc33ac },
+    },
+    {
+        { 0x469656571f2d3, 0x0aa61ce6f423f, 0x3f940d71b27a1, 0x185f19d73d16a, 0x01b9c7b62e6dd },
+        { 0x72f643a78c0b2, 0x3de45c04f9e7b, 0x706d68d30fa5c, 0x696f63e8e2f24, 0x2012c18f0922d },
+        { 0x355e55ac89d29, 0x3e8b414ec7101, 0x39db07c520c90, 0x6f41e9b77efe1, 0x08af5b784e4ba },
+    },
+    {
+        { 0x314d289cc2c4b, 0x23450e2f1bc4e, 0x0cd93392f92f4, 0x1370c6a946b7d, 0x6423c1d5afd98 },
+        { 0x499dc881f2533, 0x34ef26476c506, 0x4d107d2741497, 0x346c4bd6efdb3, 0x32b79d71163a1 },
+        { 0x5f8d9edfcb36a, 0x1e6e8dcbf3990, 0x7974f348af30a, 0x6e6724ef19c7c, 0x480a5efbc13e2 },
+    },
+    {
+        { 0x14ce442ce221f, 0x18980a72516cc, 0x072f80db86677, 0x703331fda526e, 0x24b31d47691c8 },
+        { 0x1e70b01622071, 0x1f163b5f8a16a, 0x56aaf341ad417, 0x7989635d830f7, 0x47aa27600cb7b },
+        { 0x41eedc015f8c3, 0x7cf8d27ef854a, 0x289e3584693f9, 0x04a7857b309a7, 0x545b585d14dda },
+    },
+    {
+        { 0x4e4d0e3b321e1, 0x7451fe3d2ac40, 0x666f678eea98d, 0x038858667fead, 0x4d22dc3e64c8d },
+        { 0x7275ea0d43a0f, 0x681137dd7ccf7, 0x1e79cbab79a38, 0x22a214489a66a, 0x0f62f9c332ba5 },
+        { 0x46589d63b5f39, 0x7eaf979ec3f96, 0x4ebe81572b9a8, 0x21b7f5d61694a, 0x1c0fa01a36371 },
+    },
+},
+{
+    {
+        { 0x02b0e8c936a50, 0x6b83b58b6cd21, 0x37ed8d3e72680, 0x0a037db9f2a62, 0x4005419b1d2bc },
+        { 0x604b622943dff, 0x1c899f6741a58, 0x60219e2f232fb, 0x35fae92a7f9cb, 0x0fa3614f3b1ca },
+        { 0x3febdb9be82f0, 0x5e74895921400, 0x553ea38822706, 0x5a17c24cfc88c, 0x1fba218aef40a },
+    },
+    {
+        { 0x657043e7b0194, 0x5c11b55efe9e7, 0x7737bc6a074fb, 0x0eae41ce355cc, 0x6c535d13ff776 },
+        { 0x49448fac8f53e, 0x34f74c6e8356a, 0x0ad780607dba2, 0x7213a7eb63eb6, 0x392e3acaa8c86 },
+        { 0x534e93e8a35af, 0x08b10fd02c997, 0x26ac2acb81e05, 0x09d8c98ce3b79, 0x25e17fe4d50ac },
+    },
+    {
+        { 0x77ff576f121a7, 0x4e5f9b0fc722b, 0x46f949b0d28c8, 0x4cde65d17ef26, 0x6bba828f89698 },
+        { 0x09bd71e04f676, 0x25ac841f2a145, 0x1a47eac823871, 0x1a8a8c36c581a, 0x255751442a9fb },
+        { 0x1bc6690fe3901, 0x314132f5abc5a, 0x611835132d528, 0x5f24b8eb48a57, 0x559d504f7f6b7 },
+    },
+    {
+        { 0x091e7f6d266fd, 0x36060ef037389, 0x18788ec1d1286, 0x287441c478eb0, 0x123ea6a3354bd },
+        { 0x38378b3eb54d5, 0x4d4aaa78f94ee, 0x4a002e875a74d, 0x10b851367b17c, 0x01ab12d5807e3 },
+        { 0x5189041e32d96, 0x05b062b090231, 0x0c91766e7b78f, 0x0aa0f55a138ec, 0x4a3961e2c918a },
+    },
+    {
+        { 0x7d644f3233f1e, 0x1c69f9e02c064, 0x36ae5e5266898, 0x08fc1dad38b79, 0x68aceead9bd41 },
+        { 0x43be0f8e6bba0, 0x68fdffc614e3b, 0x4e91dab5b3be0, 0x3b1d4c9212ff0, 0x2cd6bce3fb1db },
+        { 0x4c90ef3d7c210, 0x496f5a0818716, 0x79cf88cc239b8, 0x2cb9c306cf8db, 0x595760d5b508f },
+    },
+    {
+        { 0x2cbebfd022790, 0x0b8822aec1105, 0x4d1cfd226bccc, 0x515b2fa4971be, 0x2cb2c5df54515 },
+        { 0x1bfe104aa6397, 0x11494ff996c25, 0x64251623e5800, 0x0d49fc5e044be, 0x709fa43edcb29 },
+        { 0x25d8c63fd2aca, 0x4c5cd29dffd61, 0x32ec0eb48af05, 0x18f9391f9b77c, 0x70f029ecf0c81 },
+    },
+    {
+        { 0x2afaa5e10b0b9, 0x61de08355254d, 0x0eb587de3c28d, 0x4f0bb9f7dbbd5, 0x44eca5a2a74bd },
+        { 0x307b32eed3e33, 0x6748ab03ce8c2, 0x57c0d9ab810bc, 0x42c64a224e98c, 0x0b7d5d8a6c314 },
+        { 0x448327b95d543, 0x0146681e3a4ba, 0x38714adc34e0c, 0x4f26f0e298e30, 0x272224512c7de },
+    },
+    {
+        { 0x3bb8a42a975fc, 0x6f2d5b46b17ef, 0x7b6a9223170e5, 0x053713fe3b7e6, 0x19735fd7f6bc2 },
+        { 0x492af49c5342e, 0x2365cdf5a0357, 0x32138a7ffbb60, 0x2a1f7d14646fe, 0x11b5df18a44cc },
+        { 0x390d042c84266, 0x1efe32a8fdc75, 0x6925ee7ae1238, 0x4af9281d0e832, 0x0fef911191df8 },
+    },
+},
+};
+#else
 /* base[i][j] = (j+1)*256^i*B */
-static ge_precomp base[32][8] = {
+static const ge_precomp base[32][8] = {
 {
  {
   { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 },
@@ -2109,30 +9090,33 @@ static ge_precomp base[32][8] = {
  },
 },
 } ;
+#endif
 
 
 static void ge_select(ge_precomp *t,int pos,signed char b)
 {
+#ifndef CURVED25519_ASM
   ge_precomp minust;
   unsigned char bnegative = negative(b);
   unsigned char babs = b - (((-bnegative) & b) << 1);
 
   ge_precomp_0(t);
-  cmov(t,&base[pos][0],equal(babs,1));
-  cmov(t,&base[pos][1],equal(babs,2));
-  cmov(t,&base[pos][2],equal(babs,3));
-  cmov(t,&base[pos][3],equal(babs,4));
-  cmov(t,&base[pos][4],equal(babs,5));
-  cmov(t,&base[pos][5],equal(babs,6));
-  cmov(t,&base[pos][6],equal(babs,7));
-  cmov(t,&base[pos][7],equal(babs,8));
-  fe_copy(minust.yplusx,t->yminusx);
-  fe_copy(minust.yminusx,t->yplusx);
+  cmov(t,&base[pos][0],babs,1);
+  cmov(t,&base[pos][1],babs,2);
+  cmov(t,&base[pos][2],babs,3);
+  cmov(t,&base[pos][3],babs,4);
+  cmov(t,&base[pos][4],babs,5);
+  cmov(t,&base[pos][5],babs,6);
+  cmov(t,&base[pos][6],babs,7);
+  cmov(t,&base[pos][7],babs,8);
+  fe_cswap(t->yminusx, t->yplusx, bnegative);
   fe_neg(minust.xy2d,t->xy2d);
-  cmov(t,&minust,bnegative);
+  fe_cmov(t->xy2d,minust.xy2d,bnegative);
+#else
+  fe_cmov_table((fe*)t, (fe*)base[pos], b);
+#endif
 }
 
-
 /*
 h = a * B
 where a = a[0]+256*a[1]+...+256^31 a[31]
@@ -2146,7 +9130,9 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
   signed char e[64];
   signed char carry;
   ge_p1p1 r;
+#ifndef CURVED25519_ASM
   ge_p2 s;
+#endif
   ge_precomp t;
   int i;
 
@@ -2167,8 +9153,17 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
   e[63] += carry;
   /* each e[i] is between -8 and 8 */
 
-  ge_p3_0(h);
-  for (i = 1;i < 64;i += 2) {
+#ifndef CURVED25519_ASM
+  ge_select(&t,0,e[1]);
+  fe_sub(h->X, t.yplusx, t.yminusx);
+  fe_add(h->Y, t.yplusx, t.yminusx);
+  fe_0(h->Z);
+  h->Z[0] = 4;
+  fe_mul(h->T,h->X,h->Y);
+  fe_add(h->X, h->X, h->X);
+  fe_add(h->Y, h->Y, h->Y);
+
+  for (i = 3;i < 64;i += 2) {
     ge_select(&t,i / 2,e[i]);
     ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
   }
@@ -2182,6 +9177,18 @@ void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
     ge_select(&t,i / 2,e[i]);
     ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
   }
+#else
+  ge_select(&t, 0, e[0]);
+  fe_sub(h->X, t.yplusx, t.yminusx);
+  fe_add(h->Y, t.yplusx, t.yminusx);
+  fe_0(h->Z);
+  h->Z[0] = 2;
+  fe_copy(h->T, t.xy2d);
+  for (i = 1; i < 64; i++) {
+    ge_select(&t, i, e[i]);
+    ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+  }
+#endif
 }
 
 
@@ -2217,8 +9224,137 @@ static void slide(signed char *r,const unsigned char *a)
     }
 }
 
-
-static ge_precomp Bi[8] = {
+#ifdef CURVED25519_ASM_64BIT
+static const ge_precomp Bi[8] = {
+    {
+        { 0x2fbc93c6f58c3b85, -0x306cd2390473f1e7, 0x270b4898643d42c2, 0x07cf9d3a33d4ba65,  },
+        { -0x62efc6fa28bf6ec2, -0x02c660fa2ebf414d, -0x5a3e7bcb977075f7, 0x44fd2f9298f81267,  },
+        { -0x5436edfa78855598, 0x26d9e823ccaac49e, 0x5a1b7dcbdd43598c, 0x6f117b689f0c65a8,  },
+    },
+    {
+        { -0x50da4f57b31168d0, 0x025a8430e8864b8a, -0x3ee4affd60fe98ce, 0x7a164e1b9a80f8f4,  },
+        { 0x56611fe8a4fcd265, 0x3bd353fde5c1ba7d, -0x7ece0ce5deb42943, 0x2ab91587555bda62,  },
+        { 0x14ae933f0dd0d889, 0x589423221c35da62, -0x2e8f1aba730d24b4, 0x5a2826af12b9b4c6,  },
+    },
+    {
+        { -0x5ded43bbf75a44cd, -0x72afb73c38a112fe, -0x22e414f3a54013bc, 0x2945ccf146e206eb,  },
+        { 0x7f9182c3a447d6ba, -0x2affeb2eb4d8d649, -0x1cc30ee3479b5f79, 0x154a7e73eb1b55f3,  },
+        { -0x4344240e7ed57d7b, 0x270e0807d0bdd1fc, -0x4be498f4e44258d3, 0x43aabe696b3bb69a,  },
+    },
+    {
+        { 0x6b1a5cd0944ea3bf, 0x7470353ab39dc0d2, 0x71b2528228542e49, 0x461bea69283c927e,  },
+        { -0x4590d36555cdde4f, 0x6ca021533bba23a7, -0x621589b06de6d3c6, 0x1d6edd5d2e5317e0,  },
+        { -0x0e7c9237fe474c5e, -0x4cfca0b8fac15b66, 0x529c41ba5877adf3, 0x7a9fbb1c6a0f90a7,  },
+    },
+    {
+        { -0x64d1987559579cd1, -0x59af6190ae43b93b, -0x314dcc3639790a4b, 0x34b9ed338add7f59,  },
+        { -0x0c91de81fc627f9c, -0x675f7e490adfbe65, -0x693439f718a14fbc, 0x49c05a51fadc9c8f,  },
+        { 0x06b4e8bf9045af1b, -0x1d007c1758e62dd1, -0x550903d66c2b30ea, 0x73c172021b008b06,  },
+    },
+    {
+        { 0x2fbf00848a802ade, -0x1a260130fdcfd1d9, 0x113e847117703406, 0x4275aae2546d8faf,  },
+        { 0x315f5b0249864348, 0x3ed6b36977088381, -0x5c5f8aaa9572146b, 0x18ab598029d5c77f,  },
+        { -0x27d4d33a029f7617, 0x031eb4a13282e4a4, 0x44311199b51a8622, 0x3dc65522b53df948,  },
+    },
+    {
+        { -0x408f3ddd5dff8093, -0x407b4c654a432125, 0x537a0e12fb07ba07, 0x234fd7eec346f241,  },
+        { 0x506f013b327fbf93, -0x5103143664889095, -0x62ed4dcd5552a698, 0x0267882d176024a7,  },
+        { 0x5360a119732ea378, 0x2437e6b1df8dd471, -0x5d10c8076e581acd, 0x497ba6fdaa097863,  },
+    },
+    {
+        { 0x24cecc0313cfeaa0, -0x79b73d72e763db93, 0x2dbdbdfac1f2d4d0, 0x61e22917f12de72b,  },
+        { 0x040bcd86468ccf0b, -0x2c7d645bd566ef2a, 0x7508300807b25192, 0x43b5cd4218d05ebf,  },
+        { 0x5d9a762f9bd0b516, -0x14c750b1c8c02112, 0x032e5a7d93d64270, 0x511d61210ae4d842,  },
+    },
+};
+#elif defined(CURVED25519_ASM_32BIT)
+static const ge_precomp Bi[8] = {
+    {
+        { -0x0a73c47b, 0x2fbc93c6, -0x0473f1e7, -0x306cd23a, 0x643d42c2, 0x270b4898, 0x33d4ba65, 0x07cf9d3a,  },
+        { -0x28bf6ec2, -0x62efc6fb, -0x2ebf414d, -0x02c660fb, 0x688f8a09, -0x5a3e7bcc, -0x6707ed99, 0x44fd2f92,  },
+        { -0x78855598, -0x5436edfb, -0x33553b62, 0x26d9e823, -0x22bca674, 0x5a1b7dcb, -0x60f39a58, 0x6f117b68,  },
+    },
+    {
+        { 0x4cee9730, -0x50da4f58, -0x1779b476, 0x025a8430, -0x60fe98ce, -0x3ee4affe, -0x657f070c, 0x7a164e1b,  },
+        { -0x5b032d9b, 0x56611fe8, -0x1a3e4583, 0x3bd353fd, 0x214bd6bd, -0x7ece0ce6, 0x555bda62, 0x2ab91587,  },
+        { 0x0dd0d889, 0x14ae933f, 0x1c35da62, 0x58942322, -0x730d24b4, -0x2e8f1abb, 0x12b9b4c6, 0x5a2826af,  },
+    },
+    {
+        { 0x08a5bb33, -0x5ded43bc, -0x38a112fe, -0x72afb73d, 0x5abfec44, -0x22e414f4, 0x46e206eb, 0x2945ccf1,  },
+        { -0x5bb82946, 0x7f9182c3, 0x4b2729b7, -0x2affeb2f, -0x479b5f79, -0x1cc30ee4, -0x14e4aa0d, 0x154a7e73,  },
+        { -0x7ed57d7b, -0x4344240f, -0x2f422e04, 0x270e0807, 0x1bbda72d, -0x4be498f5, 0x6b3bb69a, 0x43aabe69,  },
+    },
+    {
+        { -0x6bb15c41, 0x6b1a5cd0, -0x4c623f2e, 0x7470353a, 0x28542e49, 0x71b25282, 0x283c927e, 0x461bea69,  },
+        { -0x55cdde4f, -0x4590d366, 0x3bba23a7, 0x6ca02153, -0x6de6d3c6, -0x621589b1, 0x2e5317e0, 0x1d6edd5d,  },
+        { 0x01b8b3a2, -0x0e7c9238, 0x053ea49a, -0x4cfca0b9, 0x5877adf3, 0x529c41ba, 0x6a0f90a7, 0x7a9fbb1c,  },
+    },
+    {
+        { -0x59579cd1, -0x64d19876, 0x51bc46c5, -0x59af6191, -0x39790a4b, -0x314dcc37, -0x752280a7, 0x34b9ed33,  },
+        { 0x039d8064, -0x0c91de82, -0x0adfbe65, -0x675f7e4a, -0x18a14fbc, -0x693439f8, -0x05236371, 0x49c05a51,  },
+        { -0x6fba50e5, 0x06b4e8bf, -0x58e62dd1, -0x1d007c18, -0x6c2b30ea, -0x550903d7, 0x1b008b06, 0x73c17202,  },
+    },
+    {
+        { -0x757fd522, 0x2fbf0084, 0x02302e27, -0x1a260131, 0x17703406, 0x113e8471, 0x546d8faf, 0x4275aae2,  },
+        { 0x49864348, 0x315f5b02, 0x77088381, 0x3ed6b369, 0x6a8deb95, -0x5c5f8aab, 0x29d5c77f, 0x18ab5980,  },
+        { -0x029f7617, -0x27d4d33b, 0x3282e4a4, 0x031eb4a1, -0x4ae579de, 0x44311199, -0x4ac206b8, 0x3dc65522,  },
+    },
+    {
+        { -0x5dff8093, -0x408f3dde, -0x4a432125, -0x407b4c66, -0x04f845f9, 0x537a0e12, -0x3cb90dbf, 0x234fd7ee,  },
+        { 0x327fbf93, 0x506f013b, -0x64889095, -0x51031437, -0x5552a698, -0x62ed4dce, 0x176024a7, 0x0267882d,  },
+        { 0x732ea378, 0x5360a119, -0x20722b8f, 0x2437e6b1, -0x6e581acd, -0x5d10c808, -0x55f6879d, 0x497ba6fd,  },
+    },
+    {
+        { 0x13cfeaa0, 0x24cecc03, 0x189c246d, -0x79b73d73, -0x3e0d2b30, 0x2dbdbdfa, -0x0ed218d5, 0x61e22917,  },
+        { 0x468ccf0b, 0x040bcd86, 0x2a9910d6, -0x2c7d645c, 0x07b25192, 0x75083008, 0x18d05ebf, 0x43b5cd42,  },
+        { -0x642f4aea, 0x5d9a762f, 0x373fdeee, -0x14c750b2, -0x6c29bd90, 0x032e5a7d, 0x0ae4d842, 0x511d6121,  },
+    },
+};
+#elif defined(CURVED25519_128BIT)
+static const ge_precomp Bi[8] = {
+    {
+        { 0x493c6f58c3b85, 0x0df7181c325f7, 0x0f50b0b3e4cb7, 0x5329385a44c32, 0x07cf9d3a33d4b },
+        { 0x03905d740913e, 0x0ba2817d673a2, 0x23e2827f4e67c, 0x133d2e0c21a34, 0x44fd2f9298f81 },
+        { 0x11205877aaa68, 0x479955893d579, 0x50d66309b67a0, 0x2d42d0dbee5ee, 0x6f117b689f0c6 },
+    },
+    {
+        { 0x5b0a84cee9730, 0x61d10c97155e4, 0x4059cc8096a10, 0x47a608da8014f, 0x7a164e1b9a80f },
+        { 0x11fe8a4fcd265, 0x7bcb8374faacc, 0x52f5af4ef4d4f, 0x5314098f98d10, 0x2ab91587555bd },
+        { 0x6933f0dd0d889, 0x44386bb4c4295, 0x3cb6d3162508c, 0x26368b872a2c6, 0x5a2826af12b9b },
+    },
+    {
+        { 0x2bc4408a5bb33, 0x078ebdda05442, 0x2ffb112354123, 0x375ee8df5862d, 0x2945ccf146e20 },
+        { 0x182c3a447d6ba, 0x22964e536eff2, 0x192821f540053, 0x2f9f19e788e5c, 0x154a7e73eb1b5 },
+        { 0x3dbf1812a8285, 0x0fa17ba3f9797, 0x6f69cb49c3820, 0x34d5a0db3858d, 0x43aabe696b3bb },
+    },
+    {
+        { 0x25cd0944ea3bf, 0x75673b81a4d63, 0x150b925d1c0d4, 0x13f38d9294114, 0x461bea69283c9 },
+        { 0x72c9aaa3221b1, 0x267774474f74d, 0x064b0e9b28085, 0x3f04ef53b27c9, 0x1d6edd5d2e531 },
+        { 0x36dc801b8b3a2, 0x0e0a7d4935e30, 0x1deb7cecc0d7d, 0x053a94e20dd2c, 0x7a9fbb1c6a0f9 },
+    },
+    {
+        { 0x6678aa6a8632f, 0x5ea3788d8b365, 0x21bd6d6994279, 0x7ace75919e4e3, 0x34b9ed338add7 },
+        { 0x6217e039d8064, 0x6dea408337e6d, 0x57ac112628206, 0x647cb65e30473, 0x49c05a51fadc9 },
+        { 0x4e8bf9045af1b, 0x514e33a45e0d6, 0x7533c5b8bfe0f, 0x583557b7e14c9, 0x73c172021b008 },
+    },
+    {
+        { 0x700848a802ade, 0x1e04605c4e5f7, 0x5c0d01b9767fb, 0x7d7889f42388b, 0x4275aae2546d8 },
+        { 0x75b0249864348, 0x52ee11070262b, 0x237ae54fb5acd, 0x3bfd1d03aaab5, 0x18ab598029d5c },
+        { 0x32cc5fd6089e9, 0x426505c949b05, 0x46a18880c7ad2, 0x4a4221888ccda, 0x3dc65522b53df },
+    },
+    {
+        { 0x0c222a2007f6d, 0x356b79bdb77ee, 0x41ee81efe12ce, 0x120a9bd07097d, 0x234fd7eec346f },
+        { 0x7013b327fbf93, 0x1336eeded6a0d, 0x2b565a2bbf3af, 0x253ce89591955, 0x0267882d17602 },
+        { 0x0a119732ea378, 0x63bf1ba8e2a6c, 0x69f94cc90df9a, 0x431d1779bfc48, 0x497ba6fdaa097 },
+    },
+    {
+        { 0x6cc0313cfeaa0, 0x1a313848da499, 0x7cb534219230a, 0x39596dedefd60, 0x61e22917f12de },
+        { 0x3cd86468ccf0b, 0x48553221ac081, 0x6c9464b4e0a6e, 0x75fba84180403, 0x43b5cd4218d05 },
+        { 0x2762f9bd0b516, 0x1c6e7fbddcbb3, 0x75909c3ace2bd, 0x42101972d3ec9, 0x511d61210ae4d },
+    },
+};
+#else
+static const ge_precomp Bi[8] = {
  {
   { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 },
   { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 },
@@ -2260,6 +9396,7 @@ static ge_precomp Bi[8] = {
   { -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 },
  },
 } ;
+#endif
 
 
 /*
@@ -2268,7 +9405,7 @@ where a = a[0]+256*a[1]+...+256^31 a[31].
 and b = b[0]+256*b[1]+...+256^31 b[31].
 B is the Ed25519 base point (x,4/5) with x positive.
 */
-int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, 
+int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a,
                                  const ge_p3 *A, const unsigned char *b)
 {
   signed char aslide[256];
@@ -2323,26 +9460,55 @@ int ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a,
   return 0;
 }
 
-
-static const fe d = {
+#ifdef CURVED25519_ASM_64BIT
+static const ge d = {
+    0x75eb4dca135978a3, 0x00700a4d4141d8ab, -0x7338bf8688861768, 0x52036cee2b6ffe73,
+};
+#elif defined(CURVED25519_ASM_32BIT)
+static const ge d = {
+    0x135978a3, 0x75eb4dca, 0x4141d8ab, 0x00700a4d, 0x7779e898, -0x7338bf87, 0x2b6ffe73, 0x52036cee,
+};
+#elif defined(CURVED25519_128BIT)
+static const ge d = {
+    0x34dca135978a3, 0x1a8283b156ebd, 0x5e7a26001c029, 0x739c663a03cbb,
+    0x52036cee2b6ff
+};
+#else
+static const ge d = {
 -10913610,13857413,-15372611,6949391,114729,
 -8787816,-6275908,-3247719,-18696448,-12055116
-} ;
+};
+#endif
 
 
-static const fe sqrtm1 = {
+#ifdef CURVED25519_ASM_64BIT
+static const ge sqrtm1 = {
+    -0x3b11e4d8b5f15f50, 0x2f431806ad2fe478, 0x2b4d00993dfbd7a7, 0x2b8324804fc1df0b,
+};
+#elif defined(CURVED25519_ASM_32BIT)
+static const ge sqrtm1 = {
+    0x4a0ea0b0, -0x3b11e4d9, -0x52d01b88, 0x2f431806, 0x3dfbd7a7, 0x2b4d0099, 0x4fc1df0b, 0x2b832480,
+};
+#elif defined(CURVED25519_128BIT)
+static const ge sqrtm1 = {
+    0x61b274a0ea0b0, 0x0d5a5fc8f189d, 0x7ef5e9cbd0c60, 0x78595a6804c9e,
+    0x2b8324804fc1d
+};
+#else
+static const ge sqrtm1 = {
 -32595792,-7943725,9377950,3500415,12389472,
 -272473,-25146209,-2005654,326686,11406482
-} ;
+};
+#endif
 
 
 int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
 {
-  fe u;
-  fe v;
-  fe v3;
-  fe vxx;
-  fe check;
+  ge u;
+  ge v;
+  ge v3;
+  ge vxx;
+  ge check;
 
   fe_frombytes(h->Y,s);
   fe_1(h->Z);
@@ -2384,19 +9550,24 @@ int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
 r = p + q
 */
 
-void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
-{
-	fe t0;
-	fe_add(r->X,p->Y,p->X);
-	fe_sub(r->Y,p->Y,p->X);
-	fe_mul(r->Z,r->X,q->yplusx);
-	fe_mul(r->Y,r->Y,q->yminusx);
-	fe_mul(r->T,q->xy2d,p->T);
-	fe_add(t0,p->Z,p->Z);
-	fe_sub(r->X,r->Z,r->Y);
-	fe_add(r->Y,r->Z,r->Y);
-	fe_add(r->Z,t0,r->T);
-	fe_sub(r->T,t0,r->T);
+static WC_INLINE void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+{
+#ifndef CURVED25519_ASM
+    ge t0;
+    fe_add(r->X,p->Y,p->X);
+    fe_sub(r->Y,p->Y,p->X);
+    fe_mul(r->Z,r->X,q->yplusx);
+    fe_mul(r->Y,r->Y,q->yminusx);
+    fe_mul(r->T,q->xy2d,p->T);
+    fe_add(t0,p->Z,p->Z);
+    fe_sub(r->X,r->Z,r->Y);
+    fe_add(r->Y,r->Z,r->Y);
+    fe_add(r->Z,t0,r->T);
+    fe_sub(r->T,t0,r->T);
+#else
+    fe_ge_madd(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z, p->T, q->xy2d,
+              q->yplusx, q->yminusx);
+#endif
 }
 
 
@@ -2406,19 +9577,24 @@ void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
 r = p - q
 */
 
-void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
-{
-	fe t0;
-	fe_add(r->X,p->Y,p->X);
-	fe_sub(r->Y,p->Y,p->X);
-	fe_mul(r->Z,r->X,q->yminusx);
-	fe_mul(r->Y,r->Y,q->yplusx);
-	fe_mul(r->T,q->xy2d,p->T);
-	fe_add(t0,p->Z,p->Z);
-	fe_sub(r->X,r->Z,r->Y);
-	fe_add(r->Y,r->Z,r->Y);
-	fe_sub(r->Z,t0,r->T);
-	fe_add(r->T,t0,r->T);
+static WC_INLINE void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+{
+#ifndef CURVED25519_ASM
+    ge t0;
+    fe_add(r->X,p->Y,p->X);
+    fe_sub(r->Y,p->Y,p->X);
+    fe_mul(r->Z,r->X,q->yminusx);
+    fe_mul(r->Y,r->Y,q->yplusx);
+    fe_mul(r->T,q->xy2d,p->T);
+    fe_add(t0,p->Z,p->Z);
+    fe_sub(r->X,r->Z,r->Y);
+    fe_add(r->Y,r->Z,r->Y);
+    fe_sub(r->Z,t0,r->T);
+    fe_add(r->T,t0,r->T);
+#else
+    fe_ge_msub(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z, p->T, q->xy2d,
+              q->yplusx, q->yminusx);
+#endif
 }
 
 
@@ -2427,11 +9603,15 @@ void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
 r = p
 */
 
-extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
+static void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
 {
+#ifndef CURVED25519_ASM
   fe_mul(r->X,p->X,p->T);
   fe_mul(r->Y,p->Y,p->Z);
   fe_mul(r->Z,p->Z,p->T);
+#else
+  fe_ge_to_p2(r->X, r->Y, r->Z, p->X, p->Y, p->Z, p->T);
+#endif
 }
 
 
@@ -2441,18 +9621,22 @@ extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
 r = p
 */
 
-extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
+static WC_INLINE void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
 {
+#ifndef CURVED25519_ASM
   fe_mul(r->X,p->X,p->T);
   fe_mul(r->Y,p->Y,p->Z);
   fe_mul(r->Z,p->Z,p->T);
   fe_mul(r->T,p->X,p->Y);
+#else
+  fe_ge_to_p3(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z, p->T);
+#endif
 }
 
 
 /* ge p2 0 */
 
-void ge_p2_0(ge_p2 *h)
+static void ge_p2_0(ge_p2 *h)
 {
   fe_0(h->X);
   fe_1(h->Y);
@@ -2466,29 +9650,22 @@ void ge_p2_0(ge_p2 *h)
 r = 2 * p
 */
 
-void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
-{
-	fe t0;
-	fe_sq(r->X,p->X);
-	fe_sq(r->Z,p->Y);
-	fe_sq2(r->T,p->Z);
-	fe_add(r->Y,p->X,p->Y);
-	fe_sq(t0,r->Y);
-	fe_add(r->Y,r->Z,r->X);
-	fe_sub(r->Z,r->Z,r->X);
-	fe_sub(r->X,t0,r->Y);
-	fe_sub(r->T,r->T,r->Z);
-}
-
-
-/* ge p3 0 */
-
-void ge_p3_0(ge_p3 *h)
+static WC_INLINE void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
 {
-  fe_0(h->X);
-  fe_1(h->Y);
-  fe_1(h->Z);
-  fe_0(h->T);
+#ifndef CURVED25519_ASM
+    ge t0;
+    fe_sq(r->X,p->X);
+    fe_sq(r->Z,p->Y);
+    fe_sq2(r->T,p->Z);
+    fe_add(r->Y,p->X,p->Y);
+    fe_sq(t0,r->Y);
+    fe_add(r->Y,r->Z,r->X);
+    fe_sub(r->Z,r->Z,r->X);
+    fe_sub(r->X,t0,r->Y);
+    fe_sub(r->T,r->T,r->Z);
+#else
+    fe_ge_dbl(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z);
+#endif
 }
 
 
@@ -2498,7 +9675,7 @@ void ge_p3_0(ge_p3 *h)
 r = 2 * p
 */
 
-void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
+static void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
 {
   ge_p2 q;
   ge_p3_to_p2(&q,p);
@@ -2512,13 +9689,28 @@ void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
 r = p
 */
 
-static const fe d2 = {
+#ifdef CURVED25519_ASM_64BIT
+static const ge d2 = {
+    -0x1429646bd94d0ea7, 0x00e0149a8283b156, 0x198e80f2eef3d130, 0x2406d9dc56dffce7,
+};
+#elif defined(CURVED25519_ASM_32BIT)
+static const ge d2 = {
+    0x26b2f159, -0x1429646c, -0x7d7c4eaa, 0x00e0149a, -0x110c2ed0, 0x198e80f2, 0x56dffce7, 0x2406d9dc,
+};
+#elif defined(CURVED25519_128BIT)
+static const ge d2 = {
+    0x69b9426b2f159, 0x35050762add7a, 0x3cf44c0038052, 0x6738cc7407977,
+    0x2406d9dc56dff
+};
+#else
+static const ge d2 = {
 -21827239,-5839606,-30745221,13898782,229458,
 15978800,-12551817,-6495438,29715968,9444199
 } ;
+#endif
 
 
-extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
+static WC_INLINE void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
 {
   fe_add(r->YplusX,p->Y,p->X);
   fe_sub(r->YminusX,p->Y,p->X);
@@ -2532,7 +9724,7 @@ extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
 r = p
 */
 
-extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
+static void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
 {
   fe_copy(r->X,p->X);
   fe_copy(r->Y,p->Y);
@@ -2543,9 +9735,9 @@ extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
 /* ge p3 tobytes */
 void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
 {
-  fe recip;
-  fe x;
-  fe y;
+  ge recip;
+  ge x;
+  ge y;
 
   fe_invert(recip,h->Z);
   fe_mul(x,h->X,recip);
@@ -2555,13 +9747,15 @@ void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
 }
 
 
+#ifndef CURVED25519_ASM
 /* ge_precomp_0 */
-void ge_precomp_0(ge_precomp *h)
+static void ge_precomp_0(ge_precomp *h)
 {
   fe_1(h->yplusx);
   fe_1(h->yminusx);
   fe_0(h->xy2d);
 }
+#endif
 
 
 /* ge_sub */
@@ -2569,29 +9763,34 @@ void ge_precomp_0(ge_precomp *h)
 r = p - q
 */
 
-void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
-{
-	fe t0;
-	fe_add(r->X,p->Y,p->X);
-	fe_sub(r->Y,p->Y,p->X);
-	fe_mul(r->Z,r->X,q->YminusX);
-	fe_mul(r->Y,r->Y,q->YplusX);
-	fe_mul(r->T,q->T2d,p->T);
-	fe_mul(r->X,p->Z,q->Z);
-	fe_add(t0,r->X,r->X);
-	fe_sub(r->X,r->Z,r->Y);
-	fe_add(r->Y,r->Z,r->Y);
-	fe_sub(r->Z,t0,r->T);
-	fe_add(r->T,t0,r->T);
+static WC_INLINE void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+{
+#ifndef CURVED25519_ASM
+    ge t0;
+    fe_add(r->X,p->Y,p->X);
+    fe_sub(r->Y,p->Y,p->X);
+    fe_mul(r->Z,r->X,q->YminusX);
+    fe_mul(r->Y,r->Y,q->YplusX);
+    fe_mul(r->T,q->T2d,p->T);
+    fe_mul(r->X,p->Z,q->Z);
+    fe_add(t0,r->X,r->X);
+    fe_sub(r->X,r->Z,r->Y);
+    fe_add(r->Y,r->Z,r->Y);
+    fe_sub(r->Z,t0,r->T);
+    fe_add(r->T,t0,r->T);
+#else
+    fe_ge_sub(r->X, r->Y, r->Z, r->T, p->X, p->Y, p->Z, p->T, q->Z, q->T2d,
+              q->YplusX, q->YminusX);
+#endif
 }
 
 
 /* ge tobytes */
 void ge_tobytes(unsigned char *s,const ge_p2 *h)
 {
-  fe recip;
-  fe x;
-  fe y;
+  ge recip;
+  ge x;
+  ge y;
 
   fe_invert(recip,h->Z);
   fe_mul(x,h->X,recip);
@@ -2599,5 +9798,6 @@ void ge_tobytes(unsigned char *s,const ge_p2 *h)
   fe_tobytes(s,y);
   s[31] ^= fe_isnegative(x) << 7;
 }
-#endif /* HAVE_ED25519 */
 
+#endif /* !ED25519_SMALL */
+#endif /* HAVE_ED25519 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hash.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hash.c
index 55a1f6a1d..c53f5e67a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hash.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hash.c
@@ -1,8 +1,8 @@
 /* hash.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,61 +16,1662 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
-
-#if !defined(WOLFSSL_TI_HASH)
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#ifndef NO_ASN
+#include <wolfssl/wolfcrypt/asn.h>
+#endif
 
 #include <wolfssl/wolfcrypt/hash.h>
+#include <wolfssl/wolfcrypt/hmac.h>
 
-#if !defined(NO_MD5)
-void wc_Md5GetHash(Md5* md5, byte* hash)
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+
+#ifdef NO_ASN
+enum Hash_Sum  {
+    MD2h      = 646,
+    MD5h      = 649,
+    SHAh      =  88,
+    SHA224h   = 417,
+    SHA256h   = 414,
+    SHA384h   = 415,
+    SHA512h   = 416,
+    SHA3_224h = 420,
+    SHA3_256h = 421,
+    SHA3_384h = 422,
+    SHA3_512h = 423
+};
+#endif /* !NO_ASN */
+
+#if !defined(NO_PWDBASED) || !defined(NO_ASN)
+/* function converts int hash type to enum */
+enum wc_HashType wc_HashTypeConvert(int hashType)
 {
-    Md5 save = *md5 ;
-    wc_Md5Final(md5, hash) ;
-    *md5 = save ;
+    /* Default to hash type none as error */
+    enum wc_HashType eHashType = WC_HASH_TYPE_NONE;
+#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST)
+    /* original FIPSv1  and CAVP selftest require a mapping for unique hash
+       type to wc_HashType */
+    switch (hashType) {
+    #ifndef NO_MD5
+        case WC_MD5:
+            eHashType = WC_HASH_TYPE_MD5;
+            break;
+    #endif /* !NO_MD5 */
+    #ifndef NO_SHA
+        case WC_SHA:
+            eHashType = WC_HASH_TYPE_SHA;
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            eHashType = WC_HASH_TYPE_SHA224;
+            break;
+    #endif /* WOLFSSL_SHA224 */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            eHashType = WC_HASH_TYPE_SHA256;
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            eHashType = WC_HASH_TYPE_SHA384;
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            eHashType = WC_HASH_TYPE_SHA512;
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    #ifdef WOLFSSL_SHA3
+        case WC_SHA3_224:
+            eHashType = WC_HASH_TYPE_SHA3_224;
+            break;
+        case WC_SHA3_256:
+            eHashType = WC_HASH_TYPE_SHA3_256;
+            break;
+        case WC_SHA3_384:
+            eHashType = WC_HASH_TYPE_SHA3_384;
+            break;
+        case WC_SHA3_512:
+            eHashType = WC_HASH_TYPE_SHA3_512;
+            break;
+    #endif /* WOLFSSL_SHA3 */
+        default:
+            eHashType = WC_HASH_TYPE_NONE;
+            break;
+    }
+#else
+    /* current master uses same unique types as wc_HashType */
+    if (hashType > 0 && hashType <= WC_HASH_TYPE_MAX) {
+        eHashType = (enum wc_HashType)hashType;
+    }
+#endif
+    return eHashType;
 }
+#endif /* !NO_PWDBASED || !NO_ASN */
 
-WOLFSSL_API void wc_Md5RestorePos(Md5* m1, Md5* m2) {
-    *m1 = *m2 ;
+#if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
+
+int wc_HashGetOID(enum wc_HashType hash_type)
+{
+    int oid = HASH_TYPE_E; /* Default to hash type error */
+    switch(hash_type)
+    {
+        case WC_HASH_TYPE_MD2:
+        #ifdef WOLFSSL_MD2
+            oid = MD2h;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD5:
+        #ifndef NO_MD5
+            oid = MD5h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA:
+        #ifndef NO_SHA
+            oid = SHAh;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+        #ifdef WOLFSSL_SHA224
+            oid = SHA224h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+        #ifndef NO_SHA256
+            oid = SHA256h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+        #ifdef WOLFSSL_SHA384
+            oid = SHA384h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+        #ifdef WOLFSSL_SHA512
+            oid = SHA512h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_224:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            oid = SHA3_224h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            oid = SHA3_256h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            oid = SHA3_384h;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            oid = SHA3_512h;
+        #endif
+            break;
+
+        /* Not Supported */
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            oid = BAD_FUNC_ARG;
+            break;
+    }
+    return oid;
 }
+
+enum wc_HashType wc_OidGetHash(int oid)
+{
+    enum wc_HashType hash_type = WC_HASH_TYPE_NONE;
+    switch (oid)
+    {
+    #ifdef WOLFSSL_MD2
+        case MD2h:
+            hash_type = WC_HASH_TYPE_MD2;
+            break;
+    #endif
+        case MD5h:
+        #ifndef NO_MD5
+            hash_type = WC_HASH_TYPE_MD5;
+        #endif
+            break;
+        case SHAh:
+        #ifndef NO_SHA
+            hash_type = WC_HASH_TYPE_SHA;
+        #endif
+            break;
+        case SHA224h:
+        #ifdef WOLFSSL_SHA224
+            hash_type = WC_HASH_TYPE_SHA224;
+        #endif
+            break;
+        case SHA256h:
+        #ifndef NO_SHA256
+            hash_type = WC_HASH_TYPE_SHA256;
+        #endif
+            break;
+        case SHA384h:
+        #ifdef WOLFSSL_SHA384
+            hash_type = WC_HASH_TYPE_SHA384;
+        #endif
+            break;
+        case SHA512h:
+        #ifdef WOLFSSL_SHA512
+            hash_type = WC_HASH_TYPE_SHA512;
+        #endif
+            break;
+    #ifdef WOLFSSL_SHA3
+        case SHA3_224h:
+            hash_type = WC_HASH_TYPE_SHA3_224;
+            break;
+        case SHA3_256h:
+            hash_type = WC_HASH_TYPE_SHA3_256;
+            break;
+        case SHA3_384h:
+            hash_type = WC_HASH_TYPE_SHA3_384;
+            break;
+        case SHA3_512h:
+            hash_type = WC_HASH_TYPE_SHA3_512;
+            break;
+    #endif /* WOLFSSL_SHA3 */
+        default:
+            break;
+    }
+    return hash_type;
+}
+#endif /* !NO_ASN || !NO_DH || HAVE_ECC */
+
+#ifndef NO_HASH_WRAPPER
+
+/* Get Hash digest size */
+int wc_HashGetDigestSize(enum wc_HashType hash_type)
+{
+    int dig_size = HASH_TYPE_E; /* Default to hash type error */
+    switch(hash_type)
+    {
+        case WC_HASH_TYPE_MD2:
+        #ifdef WOLFSSL_MD2
+            dig_size = MD2_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD4:
+        #ifndef NO_MD4
+            dig_size = MD4_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD5:
+        #ifndef NO_MD5
+            dig_size = WC_MD5_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA:
+        #ifndef NO_SHA
+            dig_size = WC_SHA_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+        #ifdef WOLFSSL_SHA224
+            dig_size = WC_SHA224_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+        #ifndef NO_SHA256
+            dig_size = WC_SHA256_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+        #ifdef WOLFSSL_SHA384
+            dig_size = WC_SHA384_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+        #ifdef WOLFSSL_SHA512
+            dig_size = WC_SHA512_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD5_SHA: /* Old TLS Specific */
+        #if !defined(NO_MD5) && !defined(NO_SHA)
+            dig_size = (int)WC_MD5_DIGEST_SIZE + (int)WC_SHA_DIGEST_SIZE;
+        #endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            dig_size = WC_SHA3_224_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            dig_size = WC_SHA3_256_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            dig_size = WC_SHA3_384_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            dig_size = WC_SHA3_512_DIGEST_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+            dig_size = BLAKE2S_OUTBYTES;
+        #endif
+            break;
+
+        /* Not Supported */
+        case WC_HASH_TYPE_NONE:
+        default:
+            dig_size = BAD_FUNC_ARG;
+            break;
+    }
+    return dig_size;
+}
+
+
+/* Get Hash block size */
+int wc_HashGetBlockSize(enum wc_HashType hash_type)
+{
+    int block_size = HASH_TYPE_E; /* Default to hash type error */
+    switch (hash_type)
+    {
+        case WC_HASH_TYPE_MD2:
+        #ifdef WOLFSSL_MD2
+            block_size = MD2_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD4:
+        #ifndef NO_MD4
+            block_size = MD4_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD5:
+        #ifndef NO_MD5
+            block_size = WC_MD5_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA:
+        #ifndef NO_SHA
+            block_size = WC_SHA_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+        #ifdef WOLFSSL_SHA224
+            block_size = WC_SHA224_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+        #ifndef NO_SHA256
+            block_size = WC_SHA256_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+        #ifdef WOLFSSL_SHA384
+            block_size = WC_SHA384_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+        #ifdef WOLFSSL_SHA512
+            block_size = WC_SHA512_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_MD5_SHA: /* Old TLS Specific */
+        #if !defined(NO_MD5) && !defined(NO_SHA)
+            block_size = (int)WC_MD5_BLOCK_SIZE + (int)WC_SHA_BLOCK_SIZE;
+        #endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            block_size = WC_SHA3_224_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            block_size = WC_SHA3_256_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            block_size = WC_SHA3_384_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            block_size = WC_SHA3_512_BLOCK_SIZE;
+        #endif
+            break;
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+            block_size = BLAKE2S_BLOCKBYTES;
+        #endif
+            break;
+
+        /* Not Supported */
+        case WC_HASH_TYPE_NONE:
+        default:
+            block_size = BAD_FUNC_ARG;
+            break;
+    }
+    return block_size;
+}
+
+/* Generic Hashing Wrapper */
+int wc_Hash(enum wc_HashType hash_type, const byte* data,
+    word32 data_len, byte* hash, word32 hash_len)
+{
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+    word32 dig_size;
+
+    /* Validate hash buffer size */
+    dig_size = wc_HashGetDigestSize(hash_type);
+    if (hash_len < dig_size) {
+        return BUFFER_E;
+    }
+
+    /* Suppress possible unused arg if all hashing is disabled */
+    (void)data;
+    (void)data_len;
+    (void)hash;
+    (void)hash_len;
+
+    switch(hash_type)
+    {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_Md5Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_ShaHash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_Sha224Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_Sha256Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_Sha384Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_Sha512Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_MD5_SHA:
+#if !defined(NO_MD5) && !defined(NO_SHA)
+            ret = wc_Md5Hash(data, data_len, hash);
+            if (ret == 0) {
+                ret = wc_ShaHash(data, data_len, &hash[WC_MD5_DIGEST_SIZE]);
+            }
 #endif
+            break;
 
-#if !defined(NO_SHA)
-int wc_ShaGetHash(Sha* sha, byte* hash)
+        case WC_HASH_TYPE_SHA3_224:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            ret = wc_Sha3_224Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            ret = wc_Sha3_256Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            ret = wc_Sha3_384Hash(data, data_len, hash);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            ret = wc_Sha3_512Hash(data, data_len, hash);
+#endif
+            break;
+
+        /* Not Supported */
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+            break;
+    }
+    return ret;
+}
+
+int wc_HashInit_ex(wc_HashAlg* hash, enum wc_HashType type, void* heap,
+    int devId)
 {
-    int ret ;
-    Sha save = *sha ;
-    ret = wc_ShaFinal(sha, hash) ;
-    *sha = save ;
-    return ret ;
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_InitMd5_ex(&hash->md5, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_InitSha_ex(&hash->sha, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_InitSha224_ex(&hash->sha224, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_InitSha256_ex(&hash->sha256, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_InitSha384_ex(&hash->sha384, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_InitSha512_ex(&hash->sha512, heap, devId);
+#endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            ret = wc_InitSha3_224(&hash->sha3, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            ret = wc_InitSha3_256(&hash->sha3, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            ret = wc_InitSha3_384(&hash->sha3, heap, devId);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            ret = wc_InitSha3_512(&hash->sha3, heap, devId);
+#endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
 }
 
-WOLFSSL_API void wc_ShaRestorePos(Sha* s1, Sha* s2) {
-    *s1 = *s2 ;
+int wc_HashInit(wc_HashAlg* hash, enum wc_HashType type)
+{
+    return wc_HashInit_ex(hash, type, NULL, INVALID_DEVID);
 }
+
+int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
+                  word32 dataSz)
+{
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL || data == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_Md5Update(&hash->md5, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_ShaUpdate(&hash->sha, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_Sha224Update(&hash->sha224, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_Sha256Update(&hash->sha256, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_Sha384Update(&hash->sha384, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_Sha512Update(&hash->sha512, data, dataSz);
 #endif
+            break;
 
-#if !defined(NO_SHA256)
-int wc_Sha256GetHash(Sha256* sha256, byte* hash)
+        case WC_HASH_TYPE_SHA3_224:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            ret = wc_Sha3_224_Update(&hash->sha3, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            ret = wc_Sha3_256_Update(&hash->sha3, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            ret = wc_Sha3_384_Update(&hash->sha3, data, dataSz);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            ret = wc_Sha3_512_Update(&hash->sha3, data, dataSz);
+#endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
+}
+
+int wc_HashFinal(wc_HashAlg* hash, enum wc_HashType type, byte* out)
 {
-    int ret ;
-    Sha256 save = *sha256 ;
-    ret = wc_Sha256Final(sha256, hash) ;
-    *sha256 = save ;
-    return ret ;
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_Md5Final(&hash->md5, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_ShaFinal(&hash->sha, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_Sha224Final(&hash->sha224, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_Sha256Final(&hash->sha256, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_Sha384Final(&hash->sha384, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_Sha512Final(&hash->sha512, out);
+#endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            ret = wc_Sha3_224_Final(&hash->sha3, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            ret = wc_Sha3_256_Final(&hash->sha3, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            ret = wc_Sha3_384_Final(&hash->sha3, out);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            ret = wc_Sha3_512_Final(&hash->sha3, out);
+#endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
 }
 
-WOLFSSL_API void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) {
-    *s1 = *s2 ;
+int wc_HashFree(wc_HashAlg* hash, enum wc_HashType type)
+{
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            wc_Md5Free(&hash->md5);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            wc_ShaFree(&hash->sha);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            wc_Sha224Free(&hash->sha224);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            wc_Sha256Free(&hash->sha256);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            wc_Sha384Free(&hash->sha384);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            wc_Sha512Free(&hash->sha512);
+            ret = 0;
+#endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
+            wc_Sha3_224_Free(&hash->sha3);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_256:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
+            wc_Sha3_256_Free(&hash->sha3);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_384:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
+            wc_Sha3_384_Free(&hash->sha3);
+            ret = 0;
+#endif
+            break;
+        case WC_HASH_TYPE_SHA3_512:
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
+            wc_Sha3_512_Free(&hash->sha3);
+            ret = 0;
+#endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
 }
+
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_HashSetFlags(wc_HashAlg* hash, enum wc_HashType type, word32 flags)
+{
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_Md5SetFlags(&hash->md5, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_ShaSetFlags(&hash->sha, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_Sha224SetFlags(&hash->sha224, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_Sha256SetFlags(&hash->sha256, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_Sha384SetFlags(&hash->sha384, flags);
 #endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_Sha512SetFlags(&hash->sha512, flags);
+#endif
+            break;
 
+        case WC_HASH_TYPE_SHA3_224:
+        case WC_HASH_TYPE_SHA3_256:
+        case WC_HASH_TYPE_SHA3_384:
+        case WC_HASH_TYPE_SHA3_512:
+#ifdef WOLFSSL_SHA3
+            ret = wc_Sha3_SetFlags(&hash->sha3, flags);
 #endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
+}
+int wc_HashGetFlags(wc_HashAlg* hash, enum wc_HashType type, word32* flags)
+{
+    int ret = HASH_TYPE_E; /* Default to hash type error */
+
+    if (hash == NULL)
+        return BAD_FUNC_ARG;
 
+    switch (type) {
+        case WC_HASH_TYPE_MD5:
+#ifndef NO_MD5
+            ret = wc_Md5GetFlags(&hash->md5, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA:
+#ifndef NO_SHA
+            ret = wc_ShaGetFlags(&hash->sha, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA224:
+#ifdef WOLFSSL_SHA224
+            ret = wc_Sha224GetFlags(&hash->sha224, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA256:
+#ifndef NO_SHA256
+            ret = wc_Sha256GetFlags(&hash->sha256, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA384:
+#ifdef WOLFSSL_SHA384
+            ret = wc_Sha384GetFlags(&hash->sha384, flags);
+#endif
+            break;
+        case WC_HASH_TYPE_SHA512:
+#ifdef WOLFSSL_SHA512
+            ret = wc_Sha512GetFlags(&hash->sha512, flags);
+#endif
+            break;
+
+        case WC_HASH_TYPE_SHA3_224:
+        case WC_HASH_TYPE_SHA3_256:
+        case WC_HASH_TYPE_SHA3_384:
+        case WC_HASH_TYPE_SHA3_512:
+#ifdef WOLFSSL_SHA3
+            ret = wc_Sha3_GetFlags(&hash->sha3, flags);
+#endif
+            break;
+
+        /* not supported */
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+        case WC_HASH_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+    };
+
+    return ret;
+}
+#endif
+
+
+#if !defined(WOLFSSL_TI_HASH)
+
+#if !defined(NO_MD5)
+    int wc_Md5Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Md5* md5;
+    #else
+        wc_Md5  md5[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (md5 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitMd5(md5)) != 0) {
+            WOLFSSL_MSG("InitMd5 failed");
+        }
+        else {
+            if ((ret = wc_Md5Update(md5, data, len)) != 0) {
+                WOLFSSL_MSG("Md5Update failed");
+            }
+            else if ((ret = wc_Md5Final(md5, hash)) != 0) {
+                WOLFSSL_MSG("Md5Final failed");
+            }
+            wc_Md5Free(md5);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !NO_MD5 */
+
+#if !defined(NO_SHA)
+    int wc_ShaHash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha* sha;
+    #else
+        wc_Sha sha[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha(sha)) != 0) {
+            WOLFSSL_MSG("InitSha failed");
+        }
+        else {
+            if ((ret = wc_ShaUpdate(sha, data, len)) != 0) {
+                WOLFSSL_MSG("ShaUpdate failed");
+            }
+            else if ((ret = wc_ShaFinal(sha, hash)) != 0) {
+                WOLFSSL_MSG("ShaFinal failed");
+            }
+            wc_ShaFree(sha);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !NO_SHA */
+
+#if defined(WOLFSSL_SHA224)
+    int wc_Sha224Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha224* sha224;
+    #else
+        wc_Sha224 sha224[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha224 = (wc_Sha224*)XMALLOC(sizeof(wc_Sha224), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha224 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha224(sha224)) != 0) {
+            WOLFSSL_MSG("InitSha224 failed");
+        }
+        else {
+            if ((ret = wc_Sha224Update(sha224, data, len)) != 0) {
+                WOLFSSL_MSG("Sha224Update failed");
+            }
+            else if ((ret = wc_Sha224Final(sha224, hash)) != 0) {
+                WOLFSSL_MSG("Sha224Final failed");
+            }
+            wc_Sha224Free(sha224);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha224, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+    return ret;
+}
+#endif /* WOLFSSL_SHA224 */
+
+#if !defined(NO_SHA256)
+    int wc_Sha256Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha256* sha256;
+    #else
+        wc_Sha256 sha256[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha256 = (wc_Sha256*)XMALLOC(sizeof(wc_Sha256), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha256 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha256(sha256)) != 0) {
+            WOLFSSL_MSG("InitSha256 failed");
+        }
+        else {
+            if ((ret = wc_Sha256Update(sha256, data, len)) != 0) {
+                WOLFSSL_MSG("Sha256Update failed");
+            }
+            else if ((ret = wc_Sha256Final(sha256, hash)) != 0) {
+                WOLFSSL_MSG("Sha256Final failed");
+            }
+            wc_Sha256Free(sha256);
+        }
+
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !NO_SHA256 */
+
+#endif /* !defined(WOLFSSL_TI_HASH) */
+
+
+#if defined(WOLFSSL_SHA512)
+    int wc_Sha512Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha512* sha512;
+    #else
+        wc_Sha512 sha512[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha512 = (wc_Sha512*)XMALLOC(sizeof(wc_Sha512), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha512 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha512(sha512)) != 0) {
+            WOLFSSL_MSG("InitSha512 failed");
+        }
+        else {
+            if ((ret = wc_Sha512Update(sha512, data, len)) != 0) {
+                WOLFSSL_MSG("Sha512Update failed");
+            }
+            else if ((ret = wc_Sha512Final(sha512, hash)) != 0) {
+                WOLFSSL_MSG("Sha512Final failed");
+            }
+            wc_Sha512Free(sha512);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* WOLFSSL_SHA512 */
+
+#if defined(WOLFSSL_SHA384)
+    int wc_Sha384Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha384* sha384;
+    #else
+        wc_Sha384 sha384[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha384 = (wc_Sha384*)XMALLOC(sizeof(wc_Sha384), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha384 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha384(sha384)) != 0) {
+            WOLFSSL_MSG("InitSha384 failed");
+        }
+        else {
+            if ((ret = wc_Sha384Update(sha384, data, len)) != 0) {
+                WOLFSSL_MSG("Sha384Update failed");
+            }
+            else if ((ret = wc_Sha384Final(sha384, hash)) != 0) {
+                WOLFSSL_MSG("Sha384Final failed");
+            }
+            wc_Sha384Free(sha384);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* WOLFSSL_SHA384 */
+
+#if defined(WOLFSSL_SHA3)
+#if !defined(WOLFSSL_NOSHA3_224)
+    int wc_Sha3_224Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha3* sha3;
+    #else
+        wc_Sha3 sha3[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha3 = (wc_Sha3*)XMALLOC(sizeof(wc_Sha3), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha3 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha3_224(sha3, NULL, INVALID_DEVID)) != 0) {
+            WOLFSSL_MSG("InitSha3_224 failed");
+        }
+        else {
+            if ((ret = wc_Sha3_224_Update(sha3, data, len)) != 0) {
+                WOLFSSL_MSG("Sha3_224_Update failed");
+            }
+            else if ((ret = wc_Sha3_224_Final(sha3, hash)) != 0) {
+                WOLFSSL_MSG("Sha3_224_Final failed");
+            }
+            wc_Sha3_224_Free(sha3);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !WOLFSSL_NOSHA3_224 */
+
+#if !defined(WOLFSSL_NOSHA3_256)
+    int wc_Sha3_256Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha3* sha3;
+    #else
+        wc_Sha3 sha3[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha3 = (wc_Sha3*)XMALLOC(sizeof(wc_Sha3), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha3 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha3_256(sha3, NULL, INVALID_DEVID)) != 0) {
+            WOLFSSL_MSG("InitSha3_256 failed");
+        }
+        else {
+            if ((ret = wc_Sha3_256_Update(sha3, data, len)) != 0) {
+                WOLFSSL_MSG("Sha3_256_Update failed");
+            }
+            else if ((ret = wc_Sha3_256_Final(sha3, hash)) != 0) {
+                WOLFSSL_MSG("Sha3_256_Final failed");
+            }
+            wc_Sha3_256_Free(sha3);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !WOLFSSL_NOSHA3_256 */
+
+#if !defined(WOLFSSL_NOSHA3_384)
+    int wc_Sha3_384Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha3* sha3;
+    #else
+        wc_Sha3 sha3[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha3 = (wc_Sha3*)XMALLOC(sizeof(wc_Sha3), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha3 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha3_384(sha3, NULL, INVALID_DEVID)) != 0) {
+            WOLFSSL_MSG("InitSha3_384 failed");
+        }
+        else {
+            if ((ret = wc_Sha3_384_Update(sha3, data, len)) != 0) {
+                WOLFSSL_MSG("Sha3_384_Update failed");
+            }
+            else if ((ret = wc_Sha3_384_Final(sha3, hash)) != 0) {
+                WOLFSSL_MSG("Sha3_384_Final failed");
+            }
+            wc_Sha3_384_Free(sha3);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !WOLFSSL_NOSHA3_384 */
+
+#if !defined(WOLFSSL_NOSHA3_512)
+    int wc_Sha3_512Hash(const byte* data, word32 len, byte* hash)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Sha3* sha3;
+    #else
+        wc_Sha3 sha3[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sha3 = (wc_Sha3*)XMALLOC(sizeof(wc_Sha3), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (sha3 == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitSha3_512(sha3, NULL, INVALID_DEVID)) != 0) {
+            WOLFSSL_MSG("InitSha3_512 failed");
+        }
+        else {
+            if ((ret = wc_Sha3_512_Update(sha3, data, len)) != 0) {
+                WOLFSSL_MSG("Sha3_512_Update failed");
+            }
+            else if ((ret = wc_Sha3_512_Final(sha3, hash)) != 0) {
+                WOLFSSL_MSG("Sha3_512_Final failed");
+            }
+            wc_Sha3_512_Free(sha3);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(sha3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* !WOLFSSL_NOSHA3_512 */
+
+#if defined(WOLFSSL_SHAKE256) && !defined(WOLFSSL_NO_SHAKE256)
+    int wc_Shake256Hash(const byte* data, word32 len, byte* hash,
+                        word32 hashLen)
+    {
+        int ret = 0;
+    #ifdef WOLFSSL_SMALL_STACK
+        wc_Shake* shake;
+    #else
+        wc_Shake shake[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        shake = (wc_Shake*)XMALLOC(sizeof(wc_Shake), NULL,
+            DYNAMIC_TYPE_TMP_BUFFER);
+        if (shake == NULL)
+            return MEMORY_E;
+    #endif
+
+        if ((ret = wc_InitShake256(shake, NULL, INVALID_DEVID)) != 0) {
+            WOLFSSL_MSG("InitShake256 failed");
+        }
+        else {
+            if ((ret = wc_Shake256_Update(shake, data, len)) != 0) {
+                WOLFSSL_MSG("Shake256_Update failed");
+            }
+            else if ((ret = wc_Shake256_Final(shake, hash, hashLen)) != 0) {
+                WOLFSSL_MSG("Shake256_Final failed");
+            }
+            wc_Shake256_Free(shake);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(shake, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+
+        return ret;
+    }
+#endif /* WOLFSSL_SHAKE_256 && !WOLFSSL_NO_SHAKE256 */
+#endif /* WOLFSSL_SHA3 */
+
+#endif /* !NO_HASH_WRAPPER */
+
+#ifdef WOLFSSL_HAVE_PRF
+
+#ifdef WOLFSSL_SHA384
+    #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE
+#else
+    #define P_HASH_MAX_SIZE WC_SHA256_DIGEST_SIZE
+#endif
+
+/* Pseudo Random Function for MD5, SHA-1, SHA-256, or SHA-384 */
+int wc_PRF(byte* result, word32 resLen, const byte* secret,
+                  word32 secLen, const byte* seed, word32 seedLen, int hash,
+                  void* heap, int devId)
+{
+    word32 len = P_HASH_MAX_SIZE;
+    word32 times;
+    word32 lastLen;
+    word32 lastTime;
+    word32 i;
+    word32 idx = 0;
+    int    ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    byte*  previous;
+    byte*  current;
+    Hmac*  hmac;
+#else
+    byte   previous[P_HASH_MAX_SIZE];  /* max size */
+    byte   current[P_HASH_MAX_SIZE];   /* max size */
+    Hmac   hmac[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
+    current  = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
+    hmac     = (Hmac*)XMALLOC(sizeof(Hmac),    heap, DYNAMIC_TYPE_HMAC);
+
+    if (previous == NULL || current == NULL || hmac == NULL) {
+        if (previous) XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
+        if (current)  XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
+        if (hmac)     XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
+
+        return MEMORY_E;
+    }
+#endif
+
+    switch (hash) {
+    #ifndef NO_MD5
+        case md5_mac:
+            hash = WC_MD5;
+            len  = WC_MD5_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifndef NO_SHA256
+        case sha256_mac:
+            hash = WC_SHA256;
+            len  = WC_SHA256_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifdef WOLFSSL_SHA384
+        case sha384_mac:
+            hash = WC_SHA384;
+            len  = WC_SHA384_DIGEST_SIZE;
+        break;
+    #endif
+
+    #ifndef NO_SHA
+        case sha_mac:
+        default:
+            hash = WC_SHA;
+            len  = WC_SHA_DIGEST_SIZE;
+        break;
+    #endif
+    }
+
+    times   = resLen / len;
+    lastLen = resLen % len;
+
+    if (lastLen)
+        times += 1;
+
+    lastTime = times - 1;
+
+    ret = wc_HmacInit(hmac, heap, devId);
+    if (ret == 0) {
+        ret = wc_HmacSetKey(hmac, hash, secret, secLen);
+        if (ret == 0)
+            ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */
+        if (ret == 0)
+            ret = wc_HmacFinal(hmac, previous);       /* A1 */
+        if (ret == 0) {
+            for (i = 0; i < times; i++) {
+                ret = wc_HmacUpdate(hmac, previous, len);
+                if (ret != 0)
+                    break;
+                ret = wc_HmacUpdate(hmac, seed, seedLen);
+                if (ret != 0)
+                    break;
+                ret = wc_HmacFinal(hmac, current);
+                if (ret != 0)
+                    break;
+
+                if ((i == lastTime) && lastLen)
+                    XMEMCPY(&result[idx], current,
+                                             min(lastLen, P_HASH_MAX_SIZE));
+                else {
+                    XMEMCPY(&result[idx], current, len);
+                    idx += len;
+                    ret = wc_HmacUpdate(hmac, previous, len);
+                    if (ret != 0)
+                        break;
+                    ret = wc_HmacFinal(hmac, previous);
+                    if (ret != 0)
+                        break;
+                }
+            }
+        }
+        wc_HmacFree(hmac);
+    }
+
+    ForceZero(previous,  P_HASH_MAX_SIZE);
+    ForceZero(current,   P_HASH_MAX_SIZE);
+    ForceZero(hmac,      sizeof(Hmac));
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
+#endif
+
+    return ret;
+}
+#undef P_HASH_MAX_SIZE
+
+/* compute PRF (pseudo random function) using SHA1 and MD5 for TLSv1 */
+int wc_PRF_TLSv1(byte* digest, word32 digLen, const byte* secret,
+           word32 secLen, const byte* label, word32 labLen,
+           const byte* seed, word32 seedLen, void* heap, int devId)
+{
+    int    ret  = 0;
+    word32 half = (secLen + 1) / 2;
+
+#ifdef WOLFSSL_SMALL_STACK
+    byte* md5_half;
+    byte* sha_half;
+    byte* md5_result;
+    byte* sha_result;
+#else
+    byte  md5_half[MAX_PRF_HALF];     /* half is real size */
+    byte  sha_half[MAX_PRF_HALF];     /* half is real size */
+    byte  md5_result[MAX_PRF_DIG];    /* digLen is real size */
+    byte  sha_result[MAX_PRF_DIG];    /* digLen is real size */
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+    DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, heap);
+    if (labelSeed == NULL)
+        return MEMORY_E;
+#else
+    byte labelSeed[MAX_PRF_LABSEED];
+#endif
+
+    if (half > MAX_PRF_HALF ||
+        labLen + seedLen > MAX_PRF_LABSEED ||
+        digLen > MAX_PRF_DIG)
+    {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+        return BUFFER_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    md5_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
+    sha_half   = (byte*)XMALLOC(MAX_PRF_HALF,    heap, DYNAMIC_TYPE_DIGEST);
+    md5_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
+    sha_result = (byte*)XMALLOC(MAX_PRF_DIG,     heap, DYNAMIC_TYPE_DIGEST);
+
+    if (md5_half == NULL || sha_half == NULL || md5_result == NULL ||
+                                                           sha_result == NULL) {
+        if (md5_half)   XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
+        if (sha_half)   XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
+        if (md5_result) XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
+        if (sha_result) XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+
+        return MEMORY_E;
+    }
+#endif
+
+    XMEMSET(md5_result, 0, digLen);
+    XMEMSET(sha_result, 0, digLen);
+
+    XMEMCPY(md5_half, secret, half);
+    XMEMCPY(sha_half, secret + half - secLen % 2, half);
+
+    XMEMCPY(labelSeed, label, labLen);
+    XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+    if ((ret = wc_PRF(md5_result, digLen, md5_half, half, labelSeed,
+                                labLen + seedLen, md5_mac, heap, devId)) == 0) {
+        if ((ret = wc_PRF(sha_result, digLen, sha_half, half, labelSeed,
+                                labLen + seedLen, sha_mac, heap, devId)) == 0) {
+            /* calculate XOR for TLSv1 PRF */
+            XMEMCPY(digest, md5_result, digLen);
+            xorbuf(digest, sha_result, digLen);
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(md5_half,   heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(sha_half,   heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(md5_result, heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(sha_result, heap, DYNAMIC_TYPE_DIGEST);
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+    FREE_VAR(labelSeed, heap);
+#endif
+
+    return ret;
+}
+
+/* Wrapper for TLS 1.2 and TLSv1 cases to calculate PRF */
+/* In TLS 1.2 case call straight thru to wc_PRF */
+int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
+            const byte* label, word32 labLen, const byte* seed, word32 seedLen,
+            int useAtLeastSha256, int hash_type, void* heap, int devId)
+{
+    int ret = 0;
+
+    if (useAtLeastSha256) {
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        DECLARE_VAR(labelSeed, byte, MAX_PRF_LABSEED, heap);
+        if (labelSeed == NULL)
+            return MEMORY_E;
+    #else
+        byte labelSeed[MAX_PRF_LABSEED];
+    #endif
+
+        if (labLen + seedLen > MAX_PRF_LABSEED)
+            return BUFFER_E;
+
+        XMEMCPY(labelSeed, label, labLen);
+        XMEMCPY(labelSeed + labLen, seed, seedLen);
+
+        /* If a cipher suite wants an algorithm better than sha256, it
+         * should use better. */
+        if (hash_type < sha256_mac || hash_type == blake2b_mac)
+            hash_type = sha256_mac;
+        /* compute PRF for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1.2 PRF */
+        ret = wc_PRF(digest, digLen, secret, secLen, labelSeed,
+                     labLen + seedLen, hash_type, heap, devId);
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
+        FREE_VAR(labelSeed, heap);
+    #endif
+    }
+#ifndef NO_OLD_TLS
+    else {
+        /* compute TLSv1 PRF (pseudo random function using HMAC) */
+        ret = wc_PRF_TLSv1(digest, digLen, secret, secLen, label, labLen, seed,
+                          seedLen, heap, devId);
+    }
+#endif
+
+    return ret;
+}
+#endif /* WOLFSSL_HAVE_PRF */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hc128.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hc128.c
index bcfa148e0..96f02d16d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hc128.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hc128.c
@@ -1,8 +1,8 @@
 /* hc128.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -34,6 +35,7 @@
     #include <wolfssl/wolfcrypt/hc128.h>
 		#include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -71,7 +73,7 @@
      (ctx->T[(u)]) += tem2+(tem0 ^ tem1);       \
      (ctx->X[(a)]) = (ctx->T[(u)]);             \
      (n) = tem3 ^ (ctx->T[(u)]) ;               \
-}       
+}
 
 /*one step of HC-128, update Q and generate 32 bits keystream*/
 #define step_Q(ctx,u,v,a,b,c,d,n){              \
@@ -83,17 +85,17 @@
      (ctx->T[(u)]) += tem2 + (tem0 ^ tem1);     \
      (ctx->Y[(a)]) = (ctx->T[(u)]);             \
      (n) = tem3 ^ (ctx->T[(u)]) ;               \
-}   
+}
 
 /*16 steps of HC-128, generate 512 bits keystream*/
-static void generate_keystream(HC128* ctx, word32* keystream)  
+static void generate_keystream(HC128* ctx, word32* keystream)
 {
    word32 cc,dd;
    cc = ctx->counter1024 & 0x1ff;
    dd = (cc+16)&0x1ff;
 
-   if (ctx->counter1024 < 512)	
-   {   		
+   if (ctx->counter1024 < 512)
+   {
       ctx->counter1024 = (ctx->counter1024 + 16) & 0x3ff;
       step_P(ctx, cc+0, cc+1, 0, 6, 13,4, keystream[0]);
       step_P(ctx, cc+1, cc+2, 1, 7, 14,5, keystream[1]);
@@ -112,7 +114,7 @@ static void generate_keystream(HC128* ctx, word32* keystream)
       step_P(ctx, cc+14,cc+15,14,4, 11,2, keystream[14]);
       step_P(ctx, cc+15,dd+0, 15,5, 12,3, keystream[15]);
    }
-   else				    
+   else
    {
 	  ctx->counter1024 = (ctx->counter1024 + 16) & 0x3ff;
       step_Q(ctx, 512+cc+0, 512+cc+1, 0, 6, 13,4, keystream[0]);
@@ -148,7 +150,7 @@ static void generate_keystream(HC128* ctx, word32* keystream)
      h1((ctx),(ctx->X[(d)]),tem3);                  \
      (ctx->T[(u)]) = ((ctx->T[(u)]) + tem2+(tem0^tem1)) ^ tem3;     \
      (ctx->X[(a)]) = (ctx->T[(u)]);                 \
-}  
+}
 
 /*update table Q*/
 #define update_Q(ctx,u,v,a,b,c,d){                  \
@@ -159,7 +161,7 @@ static void generate_keystream(HC128* ctx, word32* keystream)
      h2((ctx),(ctx->Y[(d)]),tem3);                  \
      (ctx->T[(u)]) = ((ctx->T[(u)]) + tem2+(tem0^tem1)) ^ tem3;     \
      (ctx->Y[(a)]) = (ctx->T[(u)]);                 \
-}     
+}
 
 /*16 steps of HC-128, without generating keystream, */
 /*but use the outputs to update P and Q*/
@@ -169,8 +171,8 @@ static void setup_update(HC128* ctx)  /*each time 16 steps*/
    cc = ctx->counter1024 & 0x1ff;
    dd = (cc+16)&0x1ff;
 
-   if (ctx->counter1024 < 512)	
-   {   		
+   if (ctx->counter1024 < 512)
+   {
       ctx->counter1024 = (ctx->counter1024 + 16) & 0x3ff;
       update_P(ctx, cc+0, cc+1, 0, 6, 13, 4);
       update_P(ctx, cc+1, cc+2, 1, 7, 14, 5);
@@ -187,9 +189,9 @@ static void setup_update(HC128* ctx)  /*each time 16 steps*/
       update_P(ctx, cc+12,cc+13,12,2, 9,  0);
       update_P(ctx, cc+13,cc+14,13,3, 10, 1);
       update_P(ctx, cc+14,cc+15,14,4, 11, 2);
-      update_P(ctx, cc+15,dd+0, 15,5, 12, 3);   
+      update_P(ctx, cc+15,dd+0, 15,5, 12, 3);
    }
-   else				    
+   else
    {
       ctx->counter1024 = (ctx->counter1024 + 16) & 0x3ff;
       update_Q(ctx, 512+cc+0, 512+cc+1, 0, 6, 13, 4);
@@ -207,8 +209,8 @@ static void setup_update(HC128* ctx)  /*each time 16 steps*/
       update_Q(ctx, 512+cc+12,512+cc+13,12,2, 9,  0);
       update_Q(ctx, 512+cc+13,512+cc+14,13,3, 10, 1);
       update_Q(ctx, 512+cc+14,512+cc+15,14,4, 11, 2);
-      update_Q(ctx, 512+cc+15,512+dd+0, 15,5, 12, 3); 
-   }       
+      update_Q(ctx, 512+cc+15,512+dd+0, 15,5, 12, 3);
+   }
 }
 
 
@@ -230,7 +232,7 @@ static void setup_update(HC128* ctx)  /*each time 16 steps*/
 
 
 static void Hc128_SetIV(HC128* ctx, const byte* inIv)
-{ 
+{
     word32 i;
     word32 iv[4];
 
@@ -238,46 +240,46 @@ static void Hc128_SetIV(HC128* ctx, const byte* inIv)
         XMEMCPY(iv, inIv, sizeof(iv));
     else
         XMEMSET(iv,    0, sizeof(iv));
-    
+
 	for (i = 0; i < (128 >> 5); i++)
         ctx->iv[i] = LITTLE32(iv[i]);
-	
+
     for (; i < 8; i++) ctx->iv[i] = ctx->iv[i-4];
-  
-    /* expand the key and IV into the table T */ 
-    /* (expand the key and IV into the table P and Q) */ 
-	
+
+    /* expand the key and IV into the table T */
+    /* (expand the key and IV into the table P and Q) */
+
 	for (i = 0; i < 8;  i++)   ctx->T[i] = ctx->key[i];
 	for (i = 8; i < 16; i++)   ctx->T[i] = ctx->iv[i-8];
 
-    for (i = 16; i < (256+16); i++) 
+    for (i = 16; i < (256+16); i++)
 		ctx->T[i] = f2(ctx->T[i-2]) + ctx->T[i-7] + f1(ctx->T[i-15]) +
                                                        ctx->T[i-16]+i;
-    
+
 	for (i = 0; i < 16;  i++)  ctx->T[i] = ctx->T[256+i];
 
-	for (i = 16; i < 1024; i++) 
+	for (i = 16; i < 1024; i++)
 		ctx->T[i] = f2(ctx->T[i-2]) + ctx->T[i-7] + f1(ctx->T[i-15]) +
                                                        ctx->T[i-16]+256+i;
-    
+
     /* initialize counter1024, X and Y */
 	ctx->counter1024 = 0;
 	for (i = 0; i < 16; i++) ctx->X[i] = ctx->T[512-16+i];
     for (i = 0; i < 16; i++) ctx->Y[i] = ctx->T[512+512-16+i];
-    
+
     /* run the cipher 1024 steps before generating the output */
-	for (i = 0; i < 64; i++)  setup_update(ctx);  
+	for (i = 0; i < 64; i++)  setup_update(ctx);
 }
 
 
-static INLINE int DoKey(HC128* ctx, const byte* key, const byte* iv)
-{ 
-  word32 i;  
+static WC_INLINE int DoKey(HC128* ctx, const byte* key, const byte* iv)
+{
+  word32 i;
 
-  /* Key size in bits 128 */ 
+  /* Key size in bits 128 */
   for (i = 0; i < (128 >> 5); i++)
       ctx->key[i] = LITTLE32(((word32*)key)[i]);
- 
+
   for ( ; i < 8 ; i++) ctx->key[i] = ctx->key[i-4];
 
   Hc128_SetIV(ctx, iv);
@@ -286,10 +288,35 @@ static INLINE int DoKey(HC128* ctx, const byte* key, const byte* iv)
 }
 
 
+int wc_Hc128_SetHeap(HC128* ctx, void* heap)
+{
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef XSTREAM_ALIGN
+    ctx->heap = heap;
+#endif
+
+    (void)heap;
+    return 0;
+}
+
 /* Key setup */
 int wc_Hc128_SetKey(HC128* ctx, const byte* key, const byte* iv)
 {
+    if (ctx == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef XSTREAM_ALIGN
+    /* default heap to NULL or heap test value */
+    #ifdef WOLFSSL_HEAP_TEST
+        ctx->heap = (void*)WOLFSSL_HEAP_TEST;
+    #else
+        ctx->heap = NULL;
+    #endif /* WOLFSSL_HEAP_TEST */
+
     if ((wolfssl_word)key % 4) {
         int alignKey[4];
 
@@ -308,7 +335,7 @@ int wc_Hc128_SetKey(HC128* ctx, const byte* key, const byte* iv)
 
 
 /* The following defines the encryption of data stream */
-static INLINE int DoProcess(HC128* ctx, byte* output, const byte* input,
+static WC_INLINE int DoProcess(HC128* ctx, byte* output, const byte* input,
                             word32 msglen)
 {
   word32 i, keystream[16];
@@ -345,7 +372,7 @@ static INLINE int DoProcess(HC128* ctx, byte* output, const byte* input,
       {
           word32 wordsLeft = msglen / sizeof(word32);
           if (msglen % sizeof(word32)) wordsLeft++;
-          
+
           ByteReverseWords(keystream, keystream, wordsLeft * sizeof(word32));
       }
 #endif
@@ -361,20 +388,24 @@ static INLINE int DoProcess(HC128* ctx, byte* output, const byte* input,
 /* Encrypt/decrypt a message of any size */
 int wc_Hc128_Process(HC128* ctx, byte* output, const byte* input, word32 msglen)
 {
+    if (ctx == NULL || output == NULL || input == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef XSTREAM_ALIGN
     if ((wolfssl_word)input % 4 || (wolfssl_word)output % 4) {
         #ifndef NO_WOLFSSL_ALLOC_ALIGN
             byte* tmp;
             WOLFSSL_MSG("Hc128Process unaligned");
 
-            tmp = (byte*)XMALLOC(msglen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            tmp = (byte*)XMALLOC(msglen, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
             if (tmp == NULL) return MEMORY_E;
 
             XMEMCPY(tmp, input, msglen);
             DoProcess(ctx, tmp, tmp, msglen);
             XMEMCPY(output, tmp, msglen);
 
-            XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(tmp, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
             return 0;
         #else
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hmac.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hmac.c
index 242adfa55..bcebc1ce2 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hmac.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/hmac.c
@@ -1,8 +1,8 @@
-/* hmac.h
+/* hmac.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,170 +16,298 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #ifndef NO_HMAC
 
-#include <wolfssl/wolfcrypt/hmac.h>
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 
-#ifdef HAVE_FIPS
-/* does init */
-int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz)
-{
-    return HmacSetKey_fips(hmac, type, key, keySz);
-}
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
 
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$b")
+        #pragma const_seg(".fipsB$b")
+    #endif
+#endif
 
-int wc_HmacUpdate(Hmac* hmac, const byte* in, word32 sz)
-{
-    return HmacUpdate_fips(hmac, in, sz);
-}
+#include <wolfssl/wolfcrypt/hmac.h>
 
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
 
-int wc_HmacFinal(Hmac* hmac, byte* out)
-{
-    return HmacFinal_fips(hmac, out);
-}
 
+/* fips wrapper calls, user can call direct */
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
-#ifdef HAVE_CAVIUM
-    int  wc_HmacInitCavium(Hmac* hmac, int i)
+    /* does init */
+    int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 keySz)
     {
-        return HmacInitCavium(hmac, i);
+        if (hmac == NULL || (key == NULL && keySz != 0) ||
+           !(type == WC_MD5 || type == WC_SHA || type == WC_SHA256 ||
+                type == WC_SHA384 || type == WC_SHA512)) {
+            return BAD_FUNC_ARG;
+        }
+
+        return HmacSetKey_fips(hmac, type, key, keySz);
     }
+    int wc_HmacUpdate(Hmac* hmac, const byte* in, word32 sz)
+    {
+        if (hmac == NULL || (in == NULL && sz > 0)) {
+            return BAD_FUNC_ARG;
+        }
 
+        return HmacUpdate_fips(hmac, in, sz);
+    }
+    int wc_HmacFinal(Hmac* hmac, byte* out)
+    {
+        if (hmac == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    void wc_HmacFreeCavium(Hmac* hmac)
+        return HmacFinal_fips(hmac, out);
+    }
+    int wolfSSL_GetHmacMaxSize(void)
     {
-        HmacFreeCavium(hmac);
+        return CyaSSL_GetHmacMaxSize();
     }
-#endif
 
-int wolfSSL_GetHmacMaxSize(void)
-{
-    return CyaSSL_GetHmacMaxSize();
-}
-
-#ifdef HAVE_HKDF
+    int wc_HmacInit(Hmac* hmac, void* heap, int devId)
+    {
+        (void)hmac;
+        (void)heap;
+        (void)devId;
+        /* FIPS doesn't support:
+            return HmacInit(hmac, heap, devId); */
+        return 0;
+    }
+    void wc_HmacFree(Hmac* hmac)
+    {
+        (void)hmac;
+        /* FIPS doesn't support:
+            HmacFree(hmac); */
+    }
 
-int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
+    #ifdef HAVE_HKDF
+        int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
                     const byte* salt, word32 saltSz,
                     const byte* info, word32 infoSz,
                     byte* out, word32 outSz)
-{
-    return HKDF(type, inKey, inKeySz, salt, saltSz, info, infoSz, out, outSz);
-}
-
-
-#endif /* HAVE_HKDF */
-#else /* else build without fips */
-#ifdef WOLFSSL_PIC32MZ_HASH
-
-#define wc_InitMd5   wc_InitMd5_sw
-#define wc_Md5Update wc_Md5Update_sw
-#define wc_Md5Final  wc_Md5Final_sw
+        {
+            return HKDF(type, inKey, inKeySz, salt, saltSz,
+                info, infoSz, out, outSz);
+        }
+    #endif /* HAVE_HKDF */
 
-#define wc_InitSha   wc_InitSha_sw
-#define wc_ShaUpdate wc_ShaUpdate_sw
-#define wc_ShaFinal  wc_ShaFinal_sw
+#else /* else build without fips, or for new fips */
 
-#define wc_InitSha256   wc_InitSha256_sw
-#define wc_Sha256Update wc_Sha256Update_sw
-#define wc_Sha256Final  wc_Sha256Final_sw
 
-#endif
+int wc_HmacSizeByType(int type)
+{
+    int ret;
 
-#ifdef HAVE_FIPS
-    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
-    #define FIPS_NO_WRAPPERS
-#endif
+    if (!(type == WC_MD5 || type == WC_SHA ||
+            type == WC_SHA224 || type == WC_SHA256 ||
+            type == WC_SHA384 || type == WC_SHA512 ||
+            type == WC_SHA3_224 || type == WC_SHA3_256 ||
+            type == WC_SHA3_384 || type == WC_SHA3_512)) {
+        return BAD_FUNC_ARG;
+    }
 
-#include <wolfssl/wolfcrypt/error-crypt.h>
+    switch (type) {
+    #ifndef NO_MD5
+        case WC_MD5:
+            ret = WC_MD5_DIGEST_SIZE;
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = WC_SHA_DIGEST_SIZE;
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            ret = WC_SHA224_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA224 */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = WC_SHA256_DIGEST_SIZE;
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = WC_SHA384_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = WC_SHA512_DIGEST_SIZE;
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+        case WC_SHA3_224:
+            ret = WC_SHA3_224_DIGEST_SIZE;
+            break;
+
+        case WC_SHA3_256:
+            ret = WC_SHA3_256_DIGEST_SIZE;
+            break;
+
+        case WC_SHA3_384:
+            ret = WC_SHA3_384_DIGEST_SIZE;
+            break;
+
+        case WC_SHA3_512:
+            ret = WC_SHA3_512_DIGEST_SIZE;
+            break;
+
+    #endif
 
+        default:
+            ret = BAD_FUNC_ARG;
+            break;
+    }
 
-#ifdef HAVE_CAVIUM
-    static void HmacCaviumFinal(Hmac* hmac, byte* hash);
-    static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length);
-    static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
-                                 word32 length);
-#endif
+    return ret;
+}
 
-static int InitHmac(Hmac* hmac, int type)
+int _InitHmac(Hmac* hmac, int type, void* heap)
 {
     int ret = 0;
 
-    hmac->innerHashKeyed = 0;
-    hmac->macType = (byte)type;
-
-    if (!(type == MD5 || type == SHA    || type == SHA256 || type == SHA384
-                      || type == SHA512 || type == BLAKE2B_ID))
-        return BAD_FUNC_ARG;
-
     switch (type) {
-        #ifndef NO_MD5
-        case MD5:
-            wc_InitMd5(&hmac->hash.md5);
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
+    #ifndef NO_MD5
+        case WC_MD5:
+            ret = wc_InitMd5(&hmac->hash.md5);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
             ret = wc_InitSha(&hmac->hash.sha);
-        break;
-        #endif
-        
-        #ifndef NO_SHA256
-        case SHA256:
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            ret = wc_InitSha224(&hmac->hash.sha224);
+            break;
+    #endif /* WOLFSSL_SHA224 */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
             ret = wc_InitSha256(&hmac->hash.sha256);
-        break;
-        #endif
-        
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
             ret = wc_InitSha384(&hmac->hash.sha384);
-        break;
-        #endif
-        
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
             ret = wc_InitSha512(&hmac->hash.sha512);
-        break;
-        #endif
-        
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-            ret = wc_InitBlake2b(&hmac->hash.blake2b, BLAKE2B_256);
-        break;
-        #endif
-        
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            ret = wc_InitSha3_224(&hmac->hash.sha3, heap, INVALID_DEVID);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            ret = wc_InitSha3_256(&hmac->hash.sha3, heap, INVALID_DEVID);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            ret = wc_InitSha3_384(&hmac->hash.sha3, heap, INVALID_DEVID);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            ret = wc_InitSha3_512(&hmac->hash.sha3, heap, INVALID_DEVID);
+            break;
+    #endif
+    #endif
+
         default:
-            return BAD_FUNC_ARG;
+            ret = BAD_FUNC_ARG;
+            break;
     }
 
+    /* default to NULL heap hint or test value */
+#ifdef WOLFSSL_HEAP_TEST
+    hmac->heap = (void)WOLFSSL_HEAP_TEST;
+#else
+    hmac->heap = heap;
+#endif /* WOLFSSL_HEAP_TEST */
+
     return ret;
 }
 
 
 int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
 {
-    byte*  ip = (byte*) hmac->ipad;
-    byte*  op = (byte*) hmac->opad;
+    byte*  ip;
+    byte*  op;
     word32 i, hmac_block_size = 0;
-    int    ret;
+    int    ret = 0;
+    void*  heap = NULL;
+
+    if (hmac == NULL || (key == NULL && length != 0) ||
+       !(type == WC_MD5 || type == WC_SHA ||
+            type == WC_SHA224 || type == WC_SHA256 ||
+            type == WC_SHA384 || type == WC_SHA512 ||
+            type == WC_SHA3_224 || type == WC_SHA3_256 ||
+            type == WC_SHA3_384 || type == WC_SHA3_512)) {
+        return BAD_FUNC_ARG;
+    }
 
-#ifdef HAVE_CAVIUM
-    if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC)
-        return HmacCaviumSetKey(hmac, type, key, length);
+#ifndef HAVE_FIPS
+    /* if set key has already been run then make sure and free existing */
+    /* This is for async and PIC32MZ situations, and just normally OK,
+       provided the user calls wc_HmacInit() first. That function is not
+       available in FIPS builds. In current FIPS builds, the hashes are
+       not allocating resources. */
+    if (hmac->macType != WC_HASH_TYPE_NONE) {
+        wc_HmacFree(hmac);
+    }
 #endif
 
-    ret = InitHmac(hmac, type);
+    hmac->innerHashKeyed = 0;
+    hmac->macType = (byte)type;
+
+    ret = _InitHmac(hmac, type, heap);
     if (ret != 0)
         return ret;
 
@@ -188,138 +316,255 @@ int wc_HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length)
         return HMAC_MIN_KEYLEN_E;
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+    hmac->keyRaw = key; /* use buffer directly */
+    hmac->keyLen = length;
+#endif
+
+    ip = (byte*)hmac->ipad;
+    op = (byte*)hmac->opad;
+
     switch (hmac->macType) {
-        #ifndef NO_MD5
-        case MD5:
-        {
-            hmac_block_size = MD5_BLOCK_SIZE;
-            if (length <= MD5_BLOCK_SIZE) {
-                XMEMCPY(ip, key, length);
+    #ifndef NO_MD5
+        case WC_MD5:
+            hmac_block_size = WC_MD5_BLOCK_SIZE;
+            if (length <= WC_MD5_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
-                wc_Md5Update(&hmac->hash.md5, key, length);
-                wc_Md5Final(&hmac->hash.md5, ip);
-                length = MD5_DIGEST_SIZE;
+                ret = wc_Md5Update(&hmac->hash.md5, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_Md5Final(&hmac->hash.md5, ip);
+                if (ret != 0)
+                    break;
+                length = WC_MD5_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
-        {
-            hmac_block_size = SHA_BLOCK_SIZE;
-            if (length <= SHA_BLOCK_SIZE) {
-                XMEMCPY(ip, key, length);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            hmac_block_size = WC_SHA_BLOCK_SIZE;
+            if (length <= WC_SHA_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
-                wc_ShaUpdate(&hmac->hash.sha, key, length);
-                wc_ShaFinal(&hmac->hash.sha, ip);
-                length = SHA_DIGEST_SIZE;
+                ret = wc_ShaUpdate(&hmac->hash.sha, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_ShaFinal(&hmac->hash.sha, ip);
+                if (ret != 0)
+                    break;
+
+                length = WC_SHA_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            hmac_block_size = WC_SHA224_BLOCK_SIZE;
+            if (length <= WC_SHA224_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
+            }
+            else {
+                ret = wc_Sha224Update(&hmac->hash.sha224, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_Sha224Final(&hmac->hash.sha224, ip);
+                if (ret != 0)
+                    break;
 
-        #ifndef NO_SHA256
-        case SHA256:
-        {
-    		hmac_block_size = SHA256_BLOCK_SIZE;
-            if (length <= SHA256_BLOCK_SIZE) {
-                XMEMCPY(ip, key, length);
+                length = WC_SHA224_DIGEST_SIZE;
+            }
+            break;
+    #endif /* WOLFSSL_SHA224 */
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            hmac_block_size = WC_SHA256_BLOCK_SIZE;
+            if (length <= WC_SHA256_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
                 ret = wc_Sha256Update(&hmac->hash.sha256, key, length);
                 if (ret != 0)
-                    return ret;
-
+                    break;
                 ret = wc_Sha256Final(&hmac->hash.sha256, ip);
                 if (ret != 0)
-                    return ret;
+                    break;
 
-                length = SHA256_DIGEST_SIZE;
+                length = WC_SHA256_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
-        {
-            hmac_block_size = SHA384_BLOCK_SIZE;
-            if (length <= SHA384_BLOCK_SIZE) {
-                XMEMCPY(ip, key, length);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            hmac_block_size = WC_SHA384_BLOCK_SIZE;
+            if (length <= WC_SHA384_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
                 ret = wc_Sha384Update(&hmac->hash.sha384, key, length);
                 if (ret != 0)
-                    return ret;
-
+                    break;
                 ret = wc_Sha384Final(&hmac->hash.sha384, ip);
                 if (ret != 0)
-                    return ret;
+                    break;
 
-                length = SHA384_DIGEST_SIZE;
+                length = WC_SHA384_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
-        {
-            hmac_block_size = SHA512_BLOCK_SIZE;
-            if (length <= SHA512_BLOCK_SIZE) {
-                XMEMCPY(ip, key, length);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            hmac_block_size = WC_SHA512_BLOCK_SIZE;
+            if (length <= WC_SHA512_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
                 ret = wc_Sha512Update(&hmac->hash.sha512, key, length);
                 if (ret != 0)
-                    return ret;
-
+                    break;
                 ret = wc_Sha512Final(&hmac->hash.sha512, ip);
                 if (ret != 0)
-                    return ret;
+                    break;
 
-                length = SHA512_DIGEST_SIZE;
+                length = WC_SHA512_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            hmac_block_size = WC_SHA3_224_BLOCK_SIZE;
+            if (length <= WC_SHA3_224_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
+            }
+            else {
+                ret = wc_Sha3_224_Update(&hmac->hash.sha3, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_Sha3_224_Final(&hmac->hash.sha3, ip);
+                if (ret != 0)
+                    break;
 
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-        {
-            hmac_block_size = BLAKE2B_BLOCKBYTES;
-            if (length <= BLAKE2B_BLOCKBYTES) {
-                XMEMCPY(ip, key, length);
+                length = WC_SHA3_224_DIGEST_SIZE;
+            }
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            hmac_block_size = WC_SHA3_256_BLOCK_SIZE;
+            if (length <= WC_SHA3_256_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
+            }
+            else {
+                ret = wc_Sha3_256_Update(&hmac->hash.sha3, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_Sha3_256_Final(&hmac->hash.sha3, ip);
+                if (ret != 0)
+                    break;
+
+                length = WC_SHA3_256_DIGEST_SIZE;
+            }
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            hmac_block_size = WC_SHA3_384_BLOCK_SIZE;
+            if (length <= WC_SHA3_384_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
             }
             else {
-                ret = wc_Blake2bUpdate(&hmac->hash.blake2b, key, length);
+                ret = wc_Sha3_384_Update(&hmac->hash.sha3, key, length);
                 if (ret != 0)
-                    return ret;
+                    break;
+                ret = wc_Sha3_384_Final(&hmac->hash.sha3, ip);
+                if (ret != 0)
+                    break;
 
-                ret = wc_Blake2bFinal(&hmac->hash.blake2b, ip, BLAKE2B_256);
+                length = WC_SHA3_384_DIGEST_SIZE;
+            }
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            hmac_block_size = WC_SHA3_512_BLOCK_SIZE;
+            if (length <= WC_SHA3_512_BLOCK_SIZE) {
+                if (key != NULL) {
+                    XMEMCPY(ip, key, length);
+                }
+            }
+            else {
+                ret = wc_Sha3_512_Update(&hmac->hash.sha3, key, length);
+                if (ret != 0)
+                    break;
+                ret = wc_Sha3_512_Final(&hmac->hash.sha3, ip);
                 if (ret != 0)
-                    return ret;
+                    break;
 
-                length = BLAKE2B_256;
+                length = WC_SHA3_512_DIGEST_SIZE;
             }
-        }
-        break;
-        #endif
+            break;
+    #endif
+    #endif /* WOLFSSL_SHA3 */
 
         default:
             return BAD_FUNC_ARG;
     }
-    if (length < hmac_block_size)
-        XMEMSET(ip + length, 0, hmac_block_size - length);
 
-    for(i = 0; i < hmac_block_size; i++) {
-        op[i] = ip[i] ^ OPAD;
-        ip[i] ^= IPAD;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
+    if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) {
+    #if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM)
+        #ifdef HAVE_INTEL_QA
+        if (IntelQaHmacGetType(hmac->macType, NULL) == 0)
+        #endif
+        {
+            if (length > hmac_block_size)
+                length = hmac_block_size;
+            /* update key length */
+            hmac->keyLen = (word16)length;
+
+            return ret;
+        }
+        /* no need to pad below */
+    #endif
+    }
+#endif
+
+    if (ret == 0) {
+        if (length < hmac_block_size)
+            XMEMSET(ip + length, 0, hmac_block_size - length);
+
+        for(i = 0; i < hmac_block_size; i++) {
+            op[i] = ip[i] ^ OPAD;
+            ip[i] ^= IPAD;
+        }
     }
-    return 0;
+
+    return ret;
 }
 
 
@@ -328,59 +573,79 @@ static int HmacKeyInnerHash(Hmac* hmac)
     int ret = 0;
 
     switch (hmac->macType) {
-        #ifndef NO_MD5
-        case MD5:
-            wc_Md5Update(&hmac->hash.md5, (byte*) hmac->ipad, MD5_BLOCK_SIZE);
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
-            wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->ipad, SHA_BLOCK_SIZE);
-        break;
-        #endif
-
-        #ifndef NO_SHA256
-        case SHA256:
-            ret = wc_Sha256Update(&hmac->hash.sha256,
-                                         (byte*) hmac->ipad, SHA256_BLOCK_SIZE);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
-            ret = wc_Sha384Update(&hmac->hash.sha384,
-                                         (byte*) hmac->ipad, SHA384_BLOCK_SIZE);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
-            ret = wc_Sha512Update(&hmac->hash.sha512,
-                                         (byte*) hmac->ipad, SHA512_BLOCK_SIZE);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
-
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-            ret = wc_Blake2bUpdate(&hmac->hash.blake2b,
-                                         (byte*) hmac->ipad,BLAKE2B_BLOCKBYTES);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
+    #ifndef NO_MD5
+        case WC_MD5:
+            ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->ipad,
+                                                             WC_MD5_BLOCK_SIZE);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->ipad,
+                                                             WC_SHA_BLOCK_SIZE);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->ipad,
+                                                          WC_SHA224_BLOCK_SIZE);
+            break;
+    #endif /* WOLFSSL_SHA224 */
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->ipad,
+                                                          WC_SHA256_BLOCK_SIZE);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->ipad,
+                                                          WC_SHA384_BLOCK_SIZE);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->ipad,
+                                                          WC_SHA512_BLOCK_SIZE);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->ipad,
+                                                        WC_SHA3_224_BLOCK_SIZE);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->ipad,
+                                                        WC_SHA3_256_BLOCK_SIZE);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->ipad,
+                                                        WC_SHA3_384_BLOCK_SIZE);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->ipad,
+                                                        WC_SHA3_512_BLOCK_SIZE);
+            break;
+    #endif
+    #endif /* WOLFSSL_SHA3 */
 
         default:
-        break;
+            break;
     }
 
-    hmac->innerHashKeyed = 1;
+    if (ret == 0)
+        hmac->innerHashKeyed = WC_HMAC_INNER_HASH_KEYED_SW;
 
     return ret;
 }
@@ -388,12 +653,33 @@ static int HmacKeyInnerHash(Hmac* hmac)
 
 int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
 {
-    int ret;
+    int ret = 0;
+
+    if (hmac == NULL || (msg == NULL && length > 0)) {
+        return BAD_FUNC_ARG;
+    }
 
-#ifdef HAVE_CAVIUM
-    if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC)
-        return HmacCaviumUpdate(hmac, msg, length);
+#ifdef WOLF_CRYPTO_CB
+    if (hmac->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_Hmac(hmac, hmac->macType, msg, length, NULL);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+        ret = 0; /* reset error code */
+    }
 #endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
+    if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) {
+    #if defined(HAVE_CAVIUM)
+        return NitroxHmacUpdate(hmac, msg, length);
+    #elif defined(HAVE_INTEL_QA)
+        if (IntelQaHmacGetType(hmac->macType, NULL) == 0) {
+            return IntelQaHmac(&hmac->asyncDev, hmac->macType,
+                (byte*)hmac->ipad, hmac->keyLen, NULL, msg, length);
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
     if (!hmac->innerHashKeyed) {
         ret = HmacKeyInnerHash(hmac);
@@ -402,55 +688,69 @@ int wc_HmacUpdate(Hmac* hmac, const byte* msg, word32 length)
     }
 
     switch (hmac->macType) {
-        #ifndef NO_MD5
-        case MD5:
-            wc_Md5Update(&hmac->hash.md5, msg, length);
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
-            wc_ShaUpdate(&hmac->hash.sha, msg, length);
-        break;
-        #endif
-
-        #ifndef NO_SHA256
-        case SHA256:
+    #ifndef NO_MD5
+        case WC_MD5:
+            ret = wc_Md5Update(&hmac->hash.md5, msg, length);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_ShaUpdate(&hmac->hash.sha, msg, length);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            ret = wc_Sha224Update(&hmac->hash.sha224, msg, length);
+            break;
+    #endif /* WOLFSSL_SHA224 */
+
+    #ifndef NO_SHA256
+        case WC_SHA256:
             ret = wc_Sha256Update(&hmac->hash.sha256, msg, length);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
+            break;
+    #endif /* !NO_SHA256 */
 
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
             ret = wc_Sha384Update(&hmac->hash.sha384, msg, length);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
             ret = wc_Sha512Update(&hmac->hash.sha512, msg, length);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
-
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-            ret = wc_Blake2bUpdate(&hmac->hash.blake2b, msg, length);
-            if (ret != 0)
-                return ret;
-        break;
-        #endif
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            ret = wc_Sha3_224_Update(&hmac->hash.sha3, msg, length);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            ret = wc_Sha3_256_Update(&hmac->hash.sha3, msg, length);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            ret = wc_Sha3_384_Update(&hmac->hash.sha3, msg, length);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            ret = wc_Sha3_512_Update(&hmac->hash.sha3, msg, length);
+            break;
+    #endif
+    #endif /* WOLFSSL_SHA3 */
 
         default:
-        break;
+            break;
     }
 
-    return 0;
+    return ret;
 }
 
 
@@ -458,10 +758,34 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
 {
     int ret;
 
-#ifdef HAVE_CAVIUM
-    if (hmac->magic == WOLFSSL_HMAC_CAVIUM_MAGIC)
-        return HmacCaviumFinal(hmac, hash);
+    if (hmac == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (hmac->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_Hmac(hmac, hmac->macType, NULL, 0, hash);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
 #endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
+    if (hmac->asyncDev.marker == WOLFSSL_ASYNC_MARKER_HMAC) {
+        int hashLen = wc_HmacSizeByType(hmac->macType);
+        if (hashLen <= 0)
+            return hashLen;
+
+    #if defined(HAVE_CAVIUM)
+        return NitroxHmacFinal(hmac, hash, hashLen);
+    #elif defined(HAVE_INTEL_QA)
+        if (IntelQaHmacGetType(hmac->macType, NULL) == 0) {
+            return IntelQaHmac(&hmac->asyncDev, hmac->macType,
+                (byte*)hmac->ipad, hmac->keyLen, hash, NULL, hashLen);
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
     if (!hmac->innerHashKeyed) {
         ret = HmacKeyInnerHash(hmac);
@@ -470,377 +794,437 @@ int wc_HmacFinal(Hmac* hmac, byte* hash)
     }
 
     switch (hmac->macType) {
-        #ifndef NO_MD5
-        case MD5:
-        {
-            wc_Md5Final(&hmac->hash.md5, (byte*) hmac->innerHash);
-
-            wc_Md5Update(&hmac->hash.md5, (byte*) hmac->opad, MD5_BLOCK_SIZE);
-            wc_Md5Update(&hmac->hash.md5,
-                                     (byte*) hmac->innerHash, MD5_DIGEST_SIZE);
-
-            wc_Md5Final(&hmac->hash.md5, hash);
-        }
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
-        {
-            wc_ShaFinal(&hmac->hash.sha, (byte*) hmac->innerHash);
-
-            wc_ShaUpdate(&hmac->hash.sha, (byte*) hmac->opad, SHA_BLOCK_SIZE);
-            wc_ShaUpdate(&hmac->hash.sha,
-                                     (byte*) hmac->innerHash, SHA_DIGEST_SIZE);
-
-            wc_ShaFinal(&hmac->hash.sha, hash);
-        }
-        break;
-        #endif
-
-        #ifndef NO_SHA256
-        case SHA256:
-        {
-            ret = wc_Sha256Final(&hmac->hash.sha256, (byte*) hmac->innerHash);
+    #ifndef NO_MD5
+        case WC_MD5:
+            ret = wc_Md5Final(&hmac->hash.md5, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Sha256Update(&hmac->hash.sha256,
-                                (byte*) hmac->opad, SHA256_BLOCK_SIZE);
+                break;
+            ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->opad,
+                                                             WC_MD5_BLOCK_SIZE);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Sha256Update(&hmac->hash.sha256,
-                                (byte*) hmac->innerHash, SHA256_DIGEST_SIZE);
+                break;
+            ret = wc_Md5Update(&hmac->hash.md5, (byte*)hmac->innerHash,
+                                                            WC_MD5_DIGEST_SIZE);
             if (ret != 0)
-                return ret;
+                break;
+            ret = wc_Md5Final(&hmac->hash.md5, hash);
+            break;
+    #endif /* !NO_MD5 */
 
-            ret = wc_Sha256Final(&hmac->hash.sha256, hash);
+    #ifndef NO_SHA
+        case WC_SHA:
+            ret = wc_ShaFinal(&hmac->hash.sha, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
-        }
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
-        {
-            ret = wc_Sha384Final(&hmac->hash.sha384, (byte*) hmac->innerHash);
+                break;
+            ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->opad,
+                                                             WC_SHA_BLOCK_SIZE);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Sha384Update(&hmac->hash.sha384,
-                                 (byte*) hmac->opad, SHA384_BLOCK_SIZE);
+                break;
+            ret = wc_ShaUpdate(&hmac->hash.sha, (byte*)hmac->innerHash,
+                                                            WC_SHA_DIGEST_SIZE);
             if (ret != 0)
-                return ret;
+                break;
+            ret = wc_ShaFinal(&hmac->hash.sha, hash);
+            break;
+    #endif /* !NO_SHA */
 
-            ret = wc_Sha384Update(&hmac->hash.sha384,
-                                 (byte*) hmac->innerHash, SHA384_DIGEST_SIZE);
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            ret = wc_Sha224Final(&hmac->hash.sha224, (byte*)hmac->innerHash);
+            if (ret != 0)
+                break;
+            ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->opad,
+                                                          WC_SHA224_BLOCK_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha224Update(&hmac->hash.sha224, (byte*)hmac->innerHash,
+                                                         WC_SHA224_DIGEST_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha224Final(&hmac->hash.sha224, hash);
+            if (ret != 0)
+                break;
+            break;
+    #endif /* WOLFSSL_SHA224 */
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            ret = wc_Sha256Final(&hmac->hash.sha256, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
+                break;
+            ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->opad,
+                                                          WC_SHA256_BLOCK_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha256Update(&hmac->hash.sha256, (byte*)hmac->innerHash,
+                                                         WC_SHA256_DIGEST_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha256Final(&hmac->hash.sha256, hash);
+            break;
+    #endif /* !NO_SHA256 */
 
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            ret = wc_Sha384Final(&hmac->hash.sha384, (byte*)hmac->innerHash);
+            if (ret != 0)
+                break;
+            ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->opad,
+                                                          WC_SHA384_BLOCK_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha384Update(&hmac->hash.sha384, (byte*)hmac->innerHash,
+                                                         WC_SHA384_DIGEST_SIZE);
+            if (ret != 0)
+                break;
             ret = wc_Sha384Final(&hmac->hash.sha384, hash);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            ret = wc_Sha512Final(&hmac->hash.sha512, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
-        }
-        break;
-        #endif
-
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
-        {
-            ret = wc_Sha512Final(&hmac->hash.sha512, (byte*) hmac->innerHash);
+                break;
+            ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->opad,
+                                                          WC_SHA512_BLOCK_SIZE);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Sha512Update(&hmac->hash.sha512,
-                                 (byte*) hmac->opad, SHA512_BLOCK_SIZE);
+                break;
+            ret = wc_Sha512Update(&hmac->hash.sha512, (byte*)hmac->innerHash,
+                                                         WC_SHA512_DIGEST_SIZE);
             if (ret != 0)
-                return ret;
+                break;
+            ret = wc_Sha512Final(&hmac->hash.sha512, hash);
+            break;
+    #endif /* WOLFSSL_SHA512 */
 
-            ret = wc_Sha512Update(&hmac->hash.sha512,
-                                 (byte*) hmac->innerHash, SHA512_DIGEST_SIZE);
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            ret = wc_Sha3_224_Final(&hmac->hash.sha3, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Sha512Final(&hmac->hash.sha512, hash);
+                break;
+            ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->opad,
+                                                        WC_SHA3_224_BLOCK_SIZE);
             if (ret != 0)
-                return ret;
-        }
-        break;
-        #endif
-
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-        {
-            ret = wc_Blake2bFinal(&hmac->hash.blake2b, (byte*) hmac->innerHash,
-                         BLAKE2B_256);
+                break;
+            ret = wc_Sha3_224_Update(&hmac->hash.sha3, (byte*)hmac->innerHash,
+                                                       WC_SHA3_224_DIGEST_SIZE);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Blake2bUpdate(&hmac->hash.blake2b,
-                                 (byte*) hmac->opad, BLAKE2B_BLOCKBYTES);
+                break;
+            ret = wc_Sha3_224_Final(&hmac->hash.sha3, hash);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            ret = wc_Sha3_256_Final(&hmac->hash.sha3, (byte*)hmac->innerHash);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Blake2bUpdate(&hmac->hash.blake2b,
-                                 (byte*) hmac->innerHash, BLAKE2B_256);
+                break;
+            ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->opad,
+                                                        WC_SHA3_256_BLOCK_SIZE);
             if (ret != 0)
-                return ret;
-
-            ret = wc_Blake2bFinal(&hmac->hash.blake2b, hash, BLAKE2B_256);
+                break;
+            ret = wc_Sha3_256_Update(&hmac->hash.sha3, (byte*)hmac->innerHash,
+                                                       WC_SHA3_256_DIGEST_SIZE);
             if (ret != 0)
-                return ret;
-        }
-        break;
-        #endif
+                break;
+            ret = wc_Sha3_256_Final(&hmac->hash.sha3, hash);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            ret = wc_Sha3_384_Final(&hmac->hash.sha3, (byte*)hmac->innerHash);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->opad,
+                                                        WC_SHA3_384_BLOCK_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_384_Update(&hmac->hash.sha3, (byte*)hmac->innerHash,
+                                                       WC_SHA3_384_DIGEST_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_384_Final(&hmac->hash.sha3, hash);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            ret = wc_Sha3_512_Final(&hmac->hash.sha3, (byte*)hmac->innerHash);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->opad,
+                                                        WC_SHA3_512_BLOCK_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_512_Update(&hmac->hash.sha3, (byte*)hmac->innerHash,
+                                                       WC_SHA3_512_DIGEST_SIZE);
+            if (ret != 0)
+                break;
+            ret = wc_Sha3_512_Final(&hmac->hash.sha3, hash);
+            break;
+    #endif
+    #endif /* WOLFSSL_SHA3 */
 
         default:
-        break;
+            ret = BAD_FUNC_ARG;
+            break;
     }
 
-    hmac->innerHashKeyed = 0;
+    if (ret == 0) {
+        hmac->innerHashKeyed = 0;
+    }
 
-    return 0;
+    return ret;
 }
 
 
-#ifdef HAVE_CAVIUM
-
-/* Initiliaze Hmac for use with Nitrox device */
-int wc_HmacInitCavium(Hmac* hmac, int devId)
+/* Initialize Hmac for use with async device */
+int wc_HmacInit(Hmac* hmac, void* heap, int devId)
 {
-    if (hmac == NULL)
-        return -1;
-
-    if (CspAllocContext(CONTEXT_SSL, &hmac->contextHandle, devId) != 0)
-        return -1;
-
-    hmac->keyLen  = 0;
-    hmac->dataLen = 0;
-    hmac->type    = 0;
-    hmac->devId   = devId;
-    hmac->magic   = WOLFSSL_HMAC_CAVIUM_MAGIC;
-    hmac->data    = NULL;        /* buffered input data */
-   
-    hmac->innerHashKeyed = 0;
-
-    return 0;
-}
-
+    int ret = 0;
 
-/* Free Hmac from use with Nitrox device */
-void wc_HmacFreeCavium(Hmac* hmac)
-{
     if (hmac == NULL)
-        return;
+        return BAD_FUNC_ARG;
 
-    CspFreeContext(CONTEXT_SSL, hmac->contextHandle, hmac->devId);
-    hmac->magic = 0;
-    XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
-    hmac->data = NULL;
-}
+    XMEMSET(hmac, 0, sizeof(Hmac));
+    hmac->macType = WC_HASH_TYPE_NONE;
+    hmac->heap = heap;
+#ifdef WOLF_CRYPTO_CB
+    hmac->devId = devId;
+    hmac->devCtx = NULL;
+#endif
 
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
+    ret = wolfAsync_DevCtxInit(&hmac->asyncDev, WOLFSSL_ASYNC_MARKER_HMAC,
+                                                         hmac->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-static void HmacCaviumFinal(Hmac* hmac, byte* hash)
-{
-    word32 requestId;
-
-    if (CspHmac(CAVIUM_BLOCKING, hmac->type, NULL, hmac->keyLen,
-                (byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId,
-                hmac->devId) != 0) {
-        WOLFSSL_MSG("Cavium Hmac failed");
-    } 
-    hmac->innerHashKeyed = 0;  /* tell update to start over if used again */
+    return ret;
 }
 
-
-static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
+#ifdef HAVE_PKCS11
+int  wc_HmacInit_Id(Hmac* hmac, unsigned char* id, int len, void* heap,
+                    int devId)
 {
-    word16 add = (word16)length;
-    word32 total;
-    byte*  tmp;
+    int ret = 0;
 
-    if (length > WOLFSSL_MAX_16BIT) {
-        WOLFSSL_MSG("Too big msg for cavium hmac");
-        return;
-    }
+    if (hmac == NULL)
+        ret = BAD_FUNC_ARG;
+    if (ret == 0 && (len < 0 || len > HMAC_MAX_ID_LEN))
+        ret = BUFFER_E;
 
-    if (hmac->innerHashKeyed == 0) {  /* starting new */
-        hmac->dataLen        = 0;
-        hmac->innerHashKeyed = 1;
+    if (ret == 0)
+        ret  = wc_HmacInit(hmac, heap, devId);
+    if (ret == 0) {
+        XMEMCPY(hmac->id, id, len);
+        hmac->idLen = len;
     }
 
-    total = add + hmac->dataLen;
-    if (total > WOLFSSL_MAX_16BIT) {
-        WOLFSSL_MSG("Too big msg for cavium hmac");
-        return;
-    }
+    return ret;
+}
+#endif
 
-    tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP);
-    if (tmp == NULL) {
-        WOLFSSL_MSG("Out of memory for cavium update");
+/* Free Hmac from use with async device */
+void wc_HmacFree(Hmac* hmac)
+{
+    if (hmac == NULL)
         return;
+
+#ifdef WOLF_CRYPTO_CB
+    /* handle cleanup case where final is not called */
+    if (hmac->devId != INVALID_DEVID && hmac->devCtx != NULL) {
+        int  ret;
+        byte finalHash[WC_HMAC_BLOCK_SIZE];
+        ret = wc_CryptoCb_Hmac(hmac, hmac->macType, NULL, 0, finalHash);
+        (void)ret; /* must ignore return code here */
+        (void)finalHash;
     }
-    if (hmac->dataLen)
-        XMEMCPY(tmp, hmac->data,  hmac->dataLen);
-    XMEMCPY(tmp + hmac->dataLen, msg, add);
-        
-    hmac->dataLen += add;
-    XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
-    hmac->data = tmp;
-}
+#endif
 
+    switch (hmac->macType) {
+    #ifndef NO_MD5
+        case WC_MD5:
+            wc_Md5Free(&hmac->hash.md5);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            wc_ShaFree(&hmac->hash.sha);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            wc_Sha224Free(&hmac->hash.sha224);
+            break;
+    #endif /* WOLFSSL_SHA224 */
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            wc_Sha256Free(&hmac->hash.sha256);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            wc_Sha384Free(&hmac->hash.sha384);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            wc_Sha512Free(&hmac->hash.sha512);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+
+    #ifdef WOLFSSL_SHA3
+    #ifndef WOLFSSL_NOSHA3_224
+        case WC_SHA3_224:
+            wc_Sha3_224_Free(&hmac->hash.sha3);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_256
+        case WC_SHA3_256:
+            wc_Sha3_256_Free(&hmac->hash.sha3);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_384
+        case WC_SHA3_384:
+            wc_Sha3_384_Free(&hmac->hash.sha3);
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA3_512
+        case WC_SHA3_512:
+            wc_Sha3_512_Free(&hmac->hash.sha3);
+            break;
+    #endif
+    #endif /* WOLFSSL_SHA3 */
 
-static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
-                             word32 length)
-{
-    hmac->macType = (byte)type;
-    if (type == MD5)
-        hmac->type = MD5_TYPE;
-    else if (type == SHA)
-        hmac->type = SHA1_TYPE;
-    else if (type == SHA256)
-        hmac->type = SHA256_TYPE;
-    else  {
-        WOLFSSL_MSG("unsupported cavium hmac type");
+        default:
+            break;
     }
 
-    hmac->innerHashKeyed = 0;  /* should we key Startup flag */
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_HMAC)
+    wolfAsync_DevCtxFree(&hmac->asyncDev, WOLFSSL_ASYNC_MARKER_HMAC);
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    hmac->keyLen = (word16)length;
-    /* store key in ipad */
-    XMEMCPY(hmac->ipad, key, length);
+    switch (hmac->macType) {
+    #ifndef NO_MD5
+        case WC_MD5:
+            wc_Md5Free(&hmac->hash.md5);
+            break;
+    #endif /* !NO_MD5 */
+
+    #ifndef NO_SHA
+        case WC_SHA:
+            wc_ShaFree(&hmac->hash.sha);
+            break;
+    #endif /* !NO_SHA */
+
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            wc_Sha224Free(&hmac->hash.sha224);
+            break;
+    #endif /* WOLFSSL_SHA224 */
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            wc_Sha256Free(&hmac->hash.sha256);
+            break;
+    #endif /* !NO_SHA256 */
+
+    #ifdef WOLFSSL_SHA512
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            wc_Sha384Free(&hmac->hash.sha384);
+            break;
+    #endif /* WOLFSSL_SHA384 */
+        case WC_SHA512:
+            wc_Sha512Free(&hmac->hash.sha512);
+            break;
+    #endif /* WOLFSSL_SHA512 */
+    }
 }
 
-#endif /* HAVE_CAVIUM */
-
 int wolfSSL_GetHmacMaxSize(void)
 {
-    return MAX_DIGEST_SIZE;
+    return WC_MAX_DIGEST_SIZE;
 }
 
 #ifdef HAVE_HKDF
-
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
+    /* HMAC-KDF-Extract.
+     * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+     *
+     * type     The hash algorithm type.
+     * salt     The optional salt value.
+     * saltSz   The size of the salt.
+     * inKey    The input keying material.
+     * inKeySz  The size of the input keying material.
+     * out      The pseudorandom key with the length that of the hash.
+     * returns 0 on success, otherwise failure.
+     */
+    int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz,
+                        const byte* inKey, word32 inKeySz, byte* out)
     {
-        return a > b ? b : a;
-    }
-
-#endif /* WOLFSSL_HAVE_MIN */
-
-
-static INLINE int GetHashSizeByType(int type)
-{
-    if (!(type == MD5 || type == SHA    || type == SHA256 || type == SHA384
-                      || type == SHA512 || type == BLAKE2B_ID))
-        return BAD_FUNC_ARG;
-
-    switch (type) {
-        #ifndef NO_MD5
-        case MD5:
-            return MD5_DIGEST_SIZE;
-        break;
-        #endif
-
-        #ifndef NO_SHA
-        case SHA:
-            return SHA_DIGEST_SIZE;
-        break;
-        #endif
-        
-        #ifndef NO_SHA256
-        case SHA256:
-            return SHA256_DIGEST_SIZE;
-        break;
-        #endif
-        
-        #ifdef WOLFSSL_SHA384
-        case SHA384:
-            return SHA384_DIGEST_SIZE;
-        break;
-        #endif
-        
-        #ifdef WOLFSSL_SHA512
-        case SHA512:
-            return SHA512_DIGEST_SIZE;
-        break;
-        #endif
-        
-        #ifdef HAVE_BLAKE2 
-        case BLAKE2B_ID:
-            return BLAKE2B_OUTBYTES;
-        break;
-        #endif
-        
-        default:
-            return BAD_FUNC_ARG;
-        break;
-    }
-}
-
-
-/* HMAC-KDF with hash type, optional salt and info, return 0 on success */
-int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
-                   const byte* salt,  word32 saltSz,
-                   const byte* info,  word32 infoSz,
-                   byte* out,         word32 outSz)
-{
-    Hmac   myHmac;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* tmp;
-    byte* prk;
-#else
-    byte   tmp[MAX_DIGEST_SIZE]; /* localSalt helper and T */
-    byte   prk[MAX_DIGEST_SIZE];
-#endif
-    const  byte* localSalt;  /* either points to user input or tmp */
-    int    hashSz = GetHashSizeByType(type);
-    word32 outIdx = 0;
-    byte   n = 0x1;
-    int    ret;
+        byte   tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */
+        Hmac   myHmac;
+        int    ret;
+        const  byte* localSalt;  /* either points to user input or tmp */
+        int    hashSz;
+
+        ret = wc_HmacSizeByType(type);
+        if (ret < 0)
+            return ret;
 
-    if (hashSz < 0)
-        return BAD_FUNC_ARG;
+        hashSz = ret;
+        localSalt = salt;
+        if (localSalt == NULL) {
+            XMEMSET(tmp, 0, hashSz);
+            localSalt = tmp;
+            saltSz    = hashSz;
+        }
 
-#ifdef WOLFSSL_SMALL_STACK
-    tmp = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (tmp == NULL)
-        return MEMORY_E;
+        ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
+        if (ret == 0) {
+            ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz);
+            if (ret == 0)
+                ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
+            if (ret == 0)
+                ret = wc_HmacFinal(&myHmac,  out);
+            wc_HmacFree(&myHmac);
+        }
 
-    prk = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (prk == NULL) {
-        XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
+        return ret;
     }
-#endif
 
-    localSalt = salt;
-    if (localSalt == NULL) {
-        XMEMSET(tmp, 0, hashSz);
-        localSalt = tmp;
-        saltSz    = hashSz;
-    }
-    
-    do {
-    ret = wc_HmacSetKey(&myHmac, type, localSalt, saltSz);
-    if (ret != 0)
-        break;
-    ret = wc_HmacUpdate(&myHmac, inKey, inKeySz);
-    if (ret != 0)
-        break;
-    ret = wc_HmacFinal(&myHmac,  prk);
-    } while (0);
+    /* HMAC-KDF-Expand.
+     * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+     *
+     * type     The hash algorithm type.
+     * inKey    The input key.
+     * inKeySz  The size of the input key.
+     * info     The application specific information.
+     * infoSz   The size of the application specific information.
+     * out      The output keying material.
+     * returns 0 on success, otherwise failure.
+     */
+    int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz,
+                       const byte* info, word32 infoSz, byte* out, word32 outSz)
+    {
+        byte   tmp[WC_MAX_DIGEST_SIZE];
+        Hmac   myHmac;
+        int    ret = 0;
+        word32 outIdx = 0;
+        word32 hashSz = wc_HmacSizeByType(type);
+        byte   n = 0x1;
+
+        ret = wc_HmacInit(&myHmac, NULL, INVALID_DEVID);
+        if (ret != 0)
+            return ret;
 
-    if (ret == 0) {
         while (outIdx < outSz) {
             int    tmpSz = (n == 1) ? 0 : hashSz;
             word32 left = outSz - outIdx;
 
-            ret = wc_HmacSetKey(&myHmac, type, prk, hashSz);
+            ret = wc_HmacSetKey(&myHmac, type, inKey, inKeySz);
             if (ret != 0)
                 break;
             ret = wc_HmacUpdate(&myHmac, tmp, tmpSz);
@@ -856,24 +1240,51 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
             if (ret != 0)
                 break;
 
-            left = min(left, (word32)hashSz);
+            left = min(left, hashSz);
             XMEMCPY(out+outIdx, tmp, left);
 
             outIdx += hashSz;
             n++;
         }
+
+        wc_HmacFree(&myHmac);
+
+        return ret;
     }
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(prk, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    /* HMAC-KDF.
+     * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+     *
+     * type     The hash algorithm type.
+     * inKey    The input keying material.
+     * inKeySz  The size of the input keying material.
+     * salt     The optional salt value.
+     * saltSz   The size of the salt.
+     * info     The application specific information.
+     * infoSz   The size of the application specific information.
+     * out      The output keying material.
+     * returns 0 on success, otherwise failure.
+     */
+    int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
+                       const byte* salt,  word32 saltSz,
+                       const byte* info,  word32 infoSz,
+                       byte* out,         word32 outSz)
+    {
+        byte   prk[WC_MAX_DIGEST_SIZE];
+        int    hashSz = wc_HmacSizeByType(type);
+        int    ret;
 
-    return ret;
-}
+        if (hashSz < 0)
+            return BAD_FUNC_ARG;
+
+        ret = wc_HKDF_Extract(type, salt, saltSz, inKey, inKeySz, prk);
+        if (ret != 0)
+            return ret;
+
+        return wc_HKDF_Expand(type, prk, hashSz, info, infoSz, out, outSz);
+    }
 
 #endif /* HAVE_HKDF */
 
 #endif /* HAVE_FIPS */
 #endif /* NO_HMAC */
-
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/idea.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/idea.c
new file mode 100644
index 000000000..600c90654
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/idea.c
@@ -0,0 +1,303 @@
+/* idea.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_IDEA
+
+#include <wolfssl/wolfcrypt/idea.h>
+
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+/* multiplication of x and y modulo 2^16+1
+ * IDEA specify a special case when an entry value is 0 ( x or y)
+ * then it must be replaced by 2^16
+ */
+static WC_INLINE word16 idea_mult(word16 x, word16 y)
+{
+    long mul, res;
+
+    mul = (long)x * (long)y;
+    if (mul) {
+        res = (mul & IDEA_MASK) - ((word32)mul >> 16);
+        if (res <= 0)
+            res += IDEA_MODULO;
+
+        return (word16) (res & IDEA_MASK);
+    }
+
+    if (!x)
+        return ((IDEA_MODULO - y) & IDEA_MASK);
+
+    /* !y */
+    return ((IDEA_MODULO - x) & IDEA_MASK);
+}
+
+/* compute 1/a modulo 2^16+1 using Extended euclidean algorithm
+ * adapted from fp_invmod */
+static WC_INLINE word16 idea_invmod(word16 x)
+{
+    int   u, v, b, d;
+
+    if (x <= 1)
+        return x;
+
+    u = IDEA_MODULO;
+    v = x;
+    d = 1;
+    b = 0;
+
+    do {
+        while (!(u & 1)) {
+            u >>= 1;
+            if (b & 1)
+                b -= IDEA_MODULO;
+            b >>= 1;
+        }
+
+        while (!(v & 1)) {
+            v >>= 1;
+            if (d & 1) {
+                d -= IDEA_MODULO;
+            }
+            d >>= 1;
+        }
+
+        if (u >= v) {
+            u -= v;
+            b -= d;
+        } else {
+            v -= u;
+            d -= b;
+        }
+    } while (u != 0);
+
+    /* d is now the inverse, put positive value if required */
+    while (d < 0)
+        d += IDEA_MODULO;
+
+    /* d must be < IDEA_MODULO */
+    while (d >= (int)IDEA_MODULO)
+        d -= IDEA_MODULO;
+
+    return (word16)(d & IDEA_MASK);
+}
+
+/* generate the 52 16-bits key sub-blocks from the 128 key */
+int wc_IdeaSetKey(Idea *idea, const byte* key, word16 keySz,
+                  const byte *iv, int dir)
+{
+    word16  idx = 0;
+    word32  t;
+    short   i;
+
+    if (idea == NULL || key == NULL || keySz != IDEA_KEY_SIZE ||
+        (dir != IDEA_ENCRYPTION && dir != IDEA_DECRYPTION))
+        return BAD_FUNC_ARG;
+
+    /* initial key schedule for 0 -> 7 */
+    for (i = 0; i < IDEA_ROUNDS; i++) {
+        idea->skey[i]  = (word16)key[idx++] << 8;
+        idea->skey[i] |= (word16)key[idx++];
+    }
+
+    /* shift phase key schedule for 8 -> 51 */
+    for (i = IDEA_ROUNDS; i < IDEA_SK_NUM; i++) {
+        t  = (word32)idea->skey[((i+1) & 7) ? i-7 : i-15] << 9;
+        t |= (word32)idea->skey[((i+2) & 7) < 2 ? i-14 : i-6] >> 7;
+        idea->skey[i] = (word16)(t & IDEA_MASK);
+    }
+
+    /* compute decryption key from encryption key */
+    if (dir == IDEA_DECRYPTION) {
+        word16  enckey[IDEA_SK_NUM];
+
+        /* put encryption key in tmp buffer */
+        XMEMCPY(enckey, idea->skey, sizeof(idea->skey));
+
+        idx = 0;
+
+        idea->skey[6*IDEA_ROUNDS]   = idea_invmod(enckey[idx++]);
+        idea->skey[6*IDEA_ROUNDS+1] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+        idea->skey[6*IDEA_ROUNDS+2] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+        idea->skey[6*IDEA_ROUNDS+3] = idea_invmod(enckey[idx++]);
+
+        for (i = 6*(IDEA_ROUNDS-1); i >= 0; i -= 6) {
+            idea->skey[i+4] = enckey[idx++];
+            idea->skey[i+5] = enckey[idx++];
+
+            idea->skey[i] = idea_invmod(enckey[idx++]);
+            if (i) {
+                idea->skey[i+2] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+                idea->skey[i+1] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+            }
+            else {
+                idea->skey[1] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+                idea->skey[2] = (IDEA_2EXP16 - enckey[idx++]) & IDEA_MASK;
+            }
+
+            idea->skey[i+3] = idea_invmod(enckey[idx++]);
+        }
+
+        /* erase temporary buffer */
+        ForceZero(enckey, sizeof(enckey));
+    }
+
+    /* set the iv */
+    return wc_IdeaSetIV(idea, iv);
+}
+
+/* set the IV in the Idea key structure */
+int wc_IdeaSetIV(Idea *idea, const byte* iv)
+{
+    if (idea == NULL)
+        return BAD_FUNC_ARG;
+
+    if (iv != NULL)
+        XMEMCPY(idea->reg, iv, IDEA_BLOCK_SIZE);
+    else
+        XMEMSET(idea->reg, 0, IDEA_BLOCK_SIZE);
+
+    return 0;
+}
+
+/* encryption/decryption for a block (64 bits)
+ */
+int wc_IdeaCipher(Idea *idea, byte* out, const byte* in)
+{
+    word32 t1, t2;
+    word16 i, skey_idx = 0, idx = 0;
+    word16 x[4];
+
+    if (idea == NULL || out == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* put input byte block in word16 */
+    for (i = 0; i < IDEA_BLOCK_SIZE/2; i++) {
+        x[i]  = (word16)in[idx++] << 8;
+        x[i] |= (word16)in[idx++];
+    }
+
+    for (i = 0; i < IDEA_ROUNDS; i++) {
+        x[0] = idea_mult(x[0], idea->skey[skey_idx++]);
+        x[1] = ((word32)x[1] + (word32)idea->skey[skey_idx++]) & IDEA_MASK;
+        x[2] = ((word32)x[2] + (word32)idea->skey[skey_idx++]) & IDEA_MASK;
+        x[3] = idea_mult(x[3], idea->skey[skey_idx++]);
+
+        t2 = x[0] ^ x[2];
+        t2 = idea_mult((word16)t2, idea->skey[skey_idx++]);
+        t1 = (t2 + (x[1] ^ x[3])) & IDEA_MASK;
+        t1 = idea_mult((word16)t1, idea->skey[skey_idx++]);
+        t2 = (t1 + t2) & IDEA_MASK;
+
+        x[0] ^= t1;
+        x[3] ^= t2;
+
+        t2 ^= x[1];
+        x[1] = x[2] ^ (word16)t1;
+        x[2] = (word16)t2;
+    }
+
+    x[0] = idea_mult(x[0], idea->skey[skey_idx++]);
+    out[0] = (x[0] >> 8) & 0xFF;
+    out[1] = x[0] & 0xFF;
+
+    x[2] = ((word32)x[2] + (word32)idea->skey[skey_idx++]) & IDEA_MASK;
+    out[2] = (x[2] >> 8) & 0xFF;
+    out[3] = x[2] & 0xFF;
+
+    x[1] = ((word32)x[1] + (word32)idea->skey[skey_idx++]) & IDEA_MASK;
+    out[4] = (x[1] >> 8) & 0xFF;
+    out[5] = x[1] & 0xFF;
+
+    x[3] = idea_mult(x[3], idea->skey[skey_idx++]);
+    out[6] = (x[3] >> 8) & 0xFF;
+    out[7] = x[3] & 0xFF;
+
+    return 0;
+}
+
+int wc_IdeaCbcEncrypt(Idea *idea, byte* out, const byte* in, word32 len)
+{
+    int  blocks;
+    int  ret;
+
+    if (idea == NULL || out == NULL || in == NULL)
+        return BAD_FUNC_ARG;
+
+    blocks = len / IDEA_BLOCK_SIZE;
+    while (blocks--) {
+        xorbuf((byte*)idea->reg, in, IDEA_BLOCK_SIZE);
+        ret = wc_IdeaCipher(idea, (byte*)idea->reg, (byte*)idea->reg);
+        if (ret != 0) {
+            return ret;
+        }
+
+        XMEMCPY(out, idea->reg, IDEA_BLOCK_SIZE);
+
+        out += IDEA_BLOCK_SIZE;
+        in  += IDEA_BLOCK_SIZE;
+    }
+
+    return 0;
+}
+
+int wc_IdeaCbcDecrypt(Idea *idea, byte* out, const byte* in, word32 len)
+{
+    int  blocks;
+    int  ret;
+
+    if (idea == NULL || out == NULL || in == NULL)
+        return BAD_FUNC_ARG;
+
+    blocks = len / IDEA_BLOCK_SIZE;
+    while (blocks--) {
+        XMEMCPY((byte*)idea->tmp, in, IDEA_BLOCK_SIZE);
+        ret = wc_IdeaCipher(idea, out, (byte*)idea->tmp);
+        if (ret != 0) {
+            return ret;
+        }
+
+        xorbuf(out, (byte*)idea->reg, IDEA_BLOCK_SIZE);
+        XMEMCPY(idea->reg, idea->tmp, IDEA_BLOCK_SIZE);
+
+        out += IDEA_BLOCK_SIZE;
+        in  += IDEA_BLOCK_SIZE;
+    }
+
+    return 0;
+}
+
+#endif /* HAVE_IDEA */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/include.am b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/include.am
index 299921579..bba761bc1 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/include.am
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/include.am
@@ -1,9 +1,13 @@
 # vim:ft=automake
 # All paths should be given relative to the root
 
+EXTRA_DIST += src/bio.c
 EXTRA_DIST += wolfcrypt/src/misc.c
+EXTRA_DIST += wolfcrypt/src/evp.c
 EXTRA_DIST += wolfcrypt/src/asm.c
 EXTRA_DIST += wolfcrypt/src/aes_asm.asm
+EXTRA_DIST += wolfcrypt/src/wc_dsp.c
+EXTRA_DIST += wolfcrypt/src/sp_dsp32.c
 
 EXTRA_DIST += \
               wolfcrypt/src/ecc_fp.c \
@@ -37,12 +41,87 @@ EXTRA_DIST += \
               wolfcrypt/src/fp_sqr_comba_7.i \
               wolfcrypt/src/fp_sqr_comba_8.i \
               wolfcrypt/src/fp_sqr_comba_9.i \
-              wolfcrypt/src/fp_sqr_comba_small_set.i
+              wolfcrypt/src/fp_sqr_comba_small_set.i \
+              wolfcrypt/src/fe_x25519_128.i
 
 EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
               wolfcrypt/src/port/ti/ti-des3.c \
               wolfcrypt/src/port/ti/ti-hash.c \
               wolfcrypt/src/port/ti/ti-ccm.c \
-              wolfcrypt/src/port/pic32/pic32mz-hash.c
+              wolfcrypt/src/port/pic32/pic32mz-crypt.c \
+              wolfcrypt/src/port/nrf51.c \
+              wolfcrypt/src/port/arm/armv8-aes.c \
+              wolfcrypt/src/port/arm/armv8-sha256.c \
+              wolfcrypt/src/port/arm/armv8-chacha.c \
+              wolfcrypt/src/port/arm/armv8-curve25519.c \
+              wolfcrypt/src/port/arm/armv8-32-curve25519.c \
+              wolfcrypt/src/port/arm/armv8-sha512-asm.c \
+              wolfcrypt/src/port/arm/armv8-32-sha512-asm.c \
+              wolfcrypt/src/port/nxp/ksdk_port.c \
+              wolfcrypt/src/port/atmel/README.md \
+              wolfcrypt/src/port/xilinx/xil-sha3.c \
+              wolfcrypt/src/port/xilinx/xil-aesgcm.c \
+              wolfcrypt/src/port/caam/caam_aes.c \
+              wolfcrypt/src/port/caam/caam_driver.c \
+              wolfcrypt/src/port/caam/caam_init.c \
+              wolfcrypt/src/port/caam/caam_sha.c \
+              wolfcrypt/src/port/caam/caam_doc.pdf \
+              wolfcrypt/src/port/st/stm32.c \
+              wolfcrypt/src/port/st/stsafe.c \
+              wolfcrypt/src/port/st/README.md \
+              wolfcrypt/src/port/af_alg/afalg_aes.c \
+              wolfcrypt/src/port/af_alg/afalg_hash.c \
+              wolfcrypt/src/port/devcrypto/devcrypto_hash.c \
+              wolfcrypt/src/port/devcrypto/wc_devcrypto.c \
+              wolfcrypt/src/port/devcrypto/README.md \
+              wolfcrypt/src/port/mynewt/mynewt_port.c \
+              wolfcrypt/src/port/Espressif/esp32_aes.c \
+              wolfcrypt/src/port/Espressif/esp32_sha.c \
+              wolfcrypt/src/port/Espressif/esp32_util.c \
+              wolfcrypt/src/port/Espressif/esp32_mp.c \
+              wolfcrypt/src/port/Espressif/README.md \
+              wolfcrypt/src/port/arm/cryptoCell.c \
+              wolfcrypt/src/port/arm/cryptoCellHash.c \
+              wolfcrypt/src/port/Renesas/renesas_tsip_aes.c \
+              wolfcrypt/src/port/Renesas/renesas_tsip_sha.c \
+              wolfcrypt/src/port/Renesas/renesas_tsip_util.c \
+              wolfcrypt/src/port/Renesas/README.md
 
 
+if BUILD_CRYPTOCB
+src_libwolfssl_la_SOURCES += wolfcrypt/src/cryptocb.c
+endif
+
+if BUILD_PKCS11
+src_libwolfssl_la_SOURCES += wolfcrypt/src/wc_pkcs11.c
+endif
+
+if BUILD_DEVCRYPTO
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/devcrypto/devcrypto_hash.c
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/devcrypto/devcrypto_aes.c
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/devcrypto/wc_devcrypto.c
+endif
+
+if BUILD_CAVIUM
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/cavium/cavium_nitrox.c
+endif
+EXTRA_DIST += wolfcrypt/src/port/cavium/README.md
+
+if BUILD_OCTEON_SYNC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+endif
+EXTRA_DIST += wolfcrypt/src/port/cavium/README_Octeon.md
+
+if BUILD_INTEL_QA
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/intel/quickassist.c
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/intel/quickassist_mem.c
+endif
+EXTRA_DIST += wolfcrypt/src/port/intel/README.md
+
+if BUILD_INTEL_QA_SYNC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/intel/quickassist_sync.c
+endif
+
+if BUILD_CRYPTOAUTHLIB
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/atmel/atmel.c
+endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/integer.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/integer.c
index b3ce4203e..56d684b46 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/integer.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/integer.c
@@ -1,8 +1,8 @@
 /* integer.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 /*
  * Based on public domain LibTomMath 0.38 by Tom St Denis, tomstdenis@iahu.ca,
  * http://math.libtomcrypt.com
@@ -33,19 +34,70 @@
 /* in case user set USE_FAST_MATH there */
 #include <wolfssl/wolfcrypt/settings.h>
 
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
 #ifndef NO_BIG_INT
 
 #ifndef USE_FAST_MATH
 
+#ifndef WOLFSSL_SP_MATH
+
 #include <wolfssl/wolfcrypt/integer.h>
 
-#ifndef NO_WOLFSSL_SMALL_STACK
-    #ifndef WOLFSSL_SMALL_STACK
-        #define WOLFSSL_SMALL_STACK
+#if defined(FREESCALE_LTC_TFM)
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
+#ifdef WOLFSSL_DEBUG_MATH
+    #include <stdio.h>
+#endif
+
+#ifdef SHOW_GEN
+    #ifndef NO_STDIO_FILESYSTEM
+        #include <stdio.h>
     #endif
 #endif
 
-static void bn_reverse (unsigned char *s, int len);
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifdef __cplusplus
+    extern "C" {
+#endif
+WOLFSSL_LOCAL int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+#ifdef __cplusplus
+    } /* extern "C" */
+#endif
+#endif
+
+/* reverse an array, used for radix code */
+static void
+bn_reverse (unsigned char *s, int len)
+{
+    int     ix, iy;
+    unsigned char t;
+
+    ix = 0;
+    iy = len - 1;
+    while (ix < iy) {
+        t     = s[ix];
+        s[ix] = s[iy];
+        s[iy] = t;
+        ++ix;
+        --iy;
+    }
+}
 
 /* math settings check */
 word32 CheckRunTimeSettings(void)
@@ -60,6 +112,13 @@ int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e,
 {
     int res = MP_OKAY;
 
+    if (a) XMEMSET(a, 0, sizeof(mp_int));
+    if (b) XMEMSET(b, 0, sizeof(mp_int));
+    if (c) XMEMSET(c, 0, sizeof(mp_int));
+    if (d) XMEMSET(d, 0, sizeof(mp_int));
+    if (e) XMEMSET(e, 0, sizeof(mp_int));
+    if (f) XMEMSET(f, 0, sizeof(mp_int));
+
     if (a && ((res = mp_init(a)) != MP_OKAY))
         return res;
 
@@ -95,33 +154,28 @@ int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e,
 /* init a new mp_int */
 int mp_init (mp_int * a)
 {
-  int i;
+  /* Safeguard against passing in a null pointer */
+  if (a == NULL)
+    return MP_VAL;
 
-  /* allocate memory required and clear it */
-  a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * MP_PREC, 0,
-                                      DYNAMIC_TYPE_BIGINT);
-  if (a->dp == NULL) {
-    return MP_MEM;
-  }
-
-  /* set the digits to zero */
-  for (i = 0; i < MP_PREC; i++) {
-      a->dp[i] = 0;
-  }
+  /* defer allocation until mp_grow */
+  a->dp = NULL;
 
   /* set the used to zero, allocated digits to the default precision
    * and sign to positive */
   a->used  = 0;
-  a->alloc = MP_PREC;
+  a->alloc = 0;
   a->sign  = MP_ZPOS;
+#ifdef HAVE_WOLF_BIGINT
+  wc_bigint_init(&a->raw);
+#endif
 
   return MP_OKAY;
 }
 
 
 /* clear one (frees)  */
-void
-mp_clear (mp_int * a)
+void mp_clear (mp_int * a)
 {
   int i;
 
@@ -136,15 +190,52 @@ mp_clear (mp_int * a)
     }
 
     /* free ram */
-    XFREE(a->dp, 0, DYNAMIC_TYPE_BIGINT);
+    mp_free(a);
 
     /* reset members to make debugging easier */
-    a->dp    = NULL;
     a->alloc = a->used = 0;
     a->sign  = MP_ZPOS;
   }
 }
 
+void mp_free (mp_int * a)
+{
+  /* only do anything if a hasn't been freed previously */
+  if (a->dp != NULL) {
+    /* free ram */
+    XFREE(a->dp, 0, DYNAMIC_TYPE_BIGINT);
+    a->dp    = NULL;
+  }
+
+#ifdef HAVE_WOLF_BIGINT
+  wc_bigint_free(&a->raw);
+#endif
+}
+
+void mp_forcezero(mp_int * a)
+{
+    if (a == NULL)
+        return;
+
+    /* only do anything if a hasn't been freed previously */
+    if (a->dp != NULL) {
+      /* force zero the used digits */
+      ForceZero(a->dp, a->used * sizeof(mp_digit));
+#ifdef HAVE_WOLF_BIGINT
+      wc_bigint_zero(&a->raw);
+#endif
+      /* free ram */
+      mp_free(a);
+
+      /* reset members to make debugging easier */
+      a->alloc = a->used = 0;
+      a->sign  = MP_ZPOS;
+    }
+
+    a->sign = MP_ZPOS;
+    a->used = 0;
+}
+
 
 /* get the size for an unsigned equivalent */
 int mp_unsigned_bin_size (mp_int * a)
@@ -155,8 +246,7 @@ int mp_unsigned_bin_size (mp_int * a)
 
 
 /* returns the number of bits in an int */
-int
-mp_count_bits (mp_int * a)
+int mp_count_bits (mp_int * a)
 {
   int     r;
   mp_digit q;
@@ -187,11 +277,11 @@ int mp_leading_bit (mp_int * a)
     if (mp_init_copy(&t, a) != MP_OKAY)
         return 0;
 
-    while (mp_iszero(&t) == 0) {
+    while (mp_iszero(&t) == MP_NO) {
 #ifndef MP_8BIT
         bit = (t.dp[0] & 0x80) != 0;
 #else
-        bit = (t.dp[0] | ((t.dp[1] & 0x01) << 7)) & 0x80 != 0;
+        bit = ((t.dp[0] | ((t.dp[1] & 0x01) << 7)) & 0x80) != 0;
 #endif
         if (mp_div_2d (&t, 8, &t, NULL) != MP_OKAY)
             break;
@@ -200,6 +290,22 @@ int mp_leading_bit (mp_int * a)
     return bit;
 }
 
+int mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b)
+{
+  int res = 0;
+  while (mp_iszero(t) == MP_NO) {
+#ifndef MP_8BIT
+      b[x++] = (unsigned char) (t->dp[0] & 255);
+#else
+      b[x++] = (unsigned char) (t->dp[0] | ((t->dp[1] & 0x01) << 7));
+#endif
+    if ((res = mp_div_2d (t, 8, t, NULL)) != MP_OKAY) {
+      return res;
+    }
+    res = x;
+  }
+  return res;
+}
 
 /* store in unsigned [big endian] format */
 int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
@@ -211,49 +317,62 @@ int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
     return res;
   }
 
-  x = 0;
-  while (mp_iszero (&t) == 0) {
-#ifndef MP_8BIT
-      b[x++] = (unsigned char) (t.dp[0] & 255);
-#else
-      b[x++] = (unsigned char) (t.dp[0] | ((t.dp[1] & 0x01) << 7));
-#endif
-    if ((res = mp_div_2d (&t, 8, &t, NULL)) != MP_OKAY) {
-      mp_clear (&t);
-      return res;
-    }
+  x = mp_to_unsigned_bin_at_pos(0, &t, b);
+  if (x < 0) {
+    mp_clear(&t);
+    return x;
   }
+
   bn_reverse (b, x);
   mp_clear (&t);
-  return MP_OKAY;
+  return res;
 }
 
+int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
+{
+    int i, len;
+
+    len = mp_unsigned_bin_size(a);
+
+    /* pad front w/ zeros to match length */
+    for (i = 0; i < c - len; i++)
+        b[i] = 0x00;
+    return mp_to_unsigned_bin(a, b + i);
+}
 
 /* creates "a" then copies b into it */
 int mp_init_copy (mp_int * a, mp_int * b)
 {
   int     res;
 
-  if ((res = mp_init (a)) != MP_OKAY) {
+  if ((res = mp_init_size (a, b->used)) != MP_OKAY) {
     return res;
   }
-  return mp_copy (b, a);
+
+  if((res = mp_copy (b, a)) != MP_OKAY) {
+    mp_clear(a);
+  }
+
+  return res;
 }
 
 
 /* copy, b = a */
-int
-mp_copy (mp_int * a, mp_int * b)
+int mp_copy (mp_int * a, mp_int * b)
 {
   int     res, n;
 
+  /* Safeguard against passing in a null pointer */
+  if (a == NULL || b == NULL)
+    return MP_VAL;
+
   /* if dst == src do nothing */
   if (a == b) {
     return MP_OKAY;
   }
 
   /* grow dest */
-  if (b->alloc < a->used) {
+  if (b->alloc < a->used || b->alloc == 0) {
      if ((res = mp_grow (b, a->used)) != MP_OKAY) {
         return res;
      }
@@ -261,7 +380,7 @@ mp_copy (mp_int * a, mp_int * b)
 
   /* zero b and copy the parameters over */
   {
-    register mp_digit *tmpa, *tmpb;
+    mp_digit *tmpa, *tmpb;
 
     /* pointer aliases */
 
@@ -277,7 +396,7 @@ mp_copy (mp_int * a, mp_int * b)
     }
 
     /* clear high digits */
-    for (; n < b->used; n++) {
+    for (; n < b->used && b->dp; n++) {
       *tmpb++ = 0;
     }
   }
@@ -296,7 +415,7 @@ int mp_grow (mp_int * a, int size)
   mp_digit *tmp;
 
   /* if the alloc size is smaller alloc more ram */
-  if (a->alloc < size) {
+  if (a->alloc < size || size == 0) {
     /* ensure there are always at least MP_PREC digits extra on top */
     size += (MP_PREC * 2) - (size % MP_PREC);
 
@@ -306,8 +425,8 @@ int mp_grow (mp_int * a, int size)
      * in case the operation failed we don't want
      * to overwrite the dp member of a.
      */
-    tmp = OPT_CAST(mp_digit) XREALLOC (a->dp, sizeof (mp_digit) * size, 0,
-                                       DYNAMIC_TYPE_BIGINT);
+    tmp = OPT_CAST(mp_digit) XREALLOC (a->dp, sizeof (mp_digit) * size, NULL,
+                                                           DYNAMIC_TYPE_BIGINT);
     if (tmp == NULL) {
       /* reallocation failed but "a" is still valid [can be freed] */
       return MP_MEM;
@@ -327,25 +446,6 @@ int mp_grow (mp_int * a, int size)
 }
 
 
-/* reverse an array, used for radix code */
-void
-bn_reverse (unsigned char *s, int len)
-{
-  int     ix, iy;
-  unsigned char t;
-
-  ix = 0;
-  iy = len - 1;
-  while (ix < iy) {
-    t     = s[ix];
-    s[ix] = s[iy];
-    s[iy] = t;
-    ++ix;
-    --iy;
-  }
-}
-
-
 /* shift right by a certain bit count (store quotient in c, optional
    remainder in d) */
 int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d)
@@ -406,6 +506,9 @@ void mp_zero (mp_int * a)
   int       n;
   mp_digit *tmp;
 
+  if (a == NULL)
+      return;
+
   a->sign = MP_ZPOS;
   a->used = 0;
 
@@ -419,12 +522,11 @@ void mp_zero (mp_int * a)
 /* trim unused digits
  *
  * This is used to ensure that leading zero digits are
- * trimed and the leading "used" digit will be non-zero
+ * trimmed and the leading "used" digit will be non-zero
  * Typically very fast.  Also fixes the sign if there
  * are no more leading digits
  */
-void
-mp_clamp (mp_int * a)
+void mp_clamp (mp_int * a)
 {
   /* decrease used while the most significant digit is
    * zero.
@@ -443,8 +545,7 @@ mp_clamp (mp_int * a)
 /* swap the elements of two integers, for cases where you can't simply swap the
  * mp_int pointers around
  */
-void
-mp_exch (mp_int * a, mp_int * b)
+void mp_exch (mp_int * a, mp_int * b)
 {
   mp_int  t;
 
@@ -457,10 +558,12 @@ mp_exch (mp_int * a, mp_int * b)
 /* shift right a certain number of bits */
 void mp_rshb (mp_int *c, int x)
 {
-    register mp_digit *tmpc, mask, shift;
+    mp_digit *tmpc, mask, shift;
     mp_digit r, rr;
     mp_digit D = x;
 
+    if (mp_iszero(c)) return;
+
     /* mask */
     mask = (((mp_digit)1) << D) - 1;
 
@@ -483,6 +586,7 @@ void mp_rshb (mp_int *c, int x)
       /* set the carry to the carry bits of the current word found above */
       r = rr;
     }
+    mp_clamp(c);
 }
 
 
@@ -503,7 +607,7 @@ void mp_rshd (mp_int * a, int b)
   }
 
   {
-    register mp_digit *bottom, *top;
+    mp_digit *bottom, *top;
 
     /* shift the digits down */
 
@@ -539,8 +643,7 @@ void mp_rshd (mp_int * a, int b)
 
 
 /* calc a value mod 2**b */
-int
-mp_mod_2d (mp_int * a, int b, mp_int * c)
+int mp_mod_2d (mp_int * a, int b, mp_int * c)
 {
   int     x, res;
 
@@ -637,8 +740,8 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c)
   /* shift any bit count < DIGIT_BIT */
   d = (mp_digit) (b % DIGIT_BIT);
   if (d != 0) {
-    register mp_digit *tmpc, shift, mask, r, rr;
-    register int x;
+    mp_digit *tmpc, shift, mask, r, rr;
+    int x;
 
     /* bitmask for carries */
     mask = (((mp_digit)1) << d) - 1;
@@ -656,7 +759,7 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c)
       rr = (*tmpc >> shift) & mask;
 
       /* shift the current word and OR in the carry */
-      *tmpc = ((*tmpc << d) | r) & MP_MASK;
+      *tmpc = (mp_digit)(((*tmpc << d) | r) & MP_MASK);
       ++tmpc;
 
       /* set the carry to the carry bits of the current word */
@@ -691,7 +794,7 @@ int mp_lshd (mp_int * a, int b)
   }
 
   {
-    register mp_digit *top, *bottom;
+    mp_digit *top, *bottom;
 
     /* increment the used by the shift amount then copy upwards */
     a->used += b;
@@ -703,7 +806,7 @@ int mp_lshd (mp_int * a, int b)
     bottom = a->dp + a->used - 1 - b;
 
     /* much like mp_rshd this is implemented using a sliding window
-     * except the window goes the otherway around.  Copying from
+     * except the window goes the other way around.  Copying from
      * the bottom to the top.  see bn_mp_rshd.c for more info.
      */
     for (x = a->used - 1; x >= b; x--) {
@@ -722,17 +825,33 @@ int mp_lshd (mp_int * a, int b)
 
 /* this is a shell function that calls either the normal or Montgomery
  * exptmod functions.  Originally the call to the montgomery code was
- * embedded in the normal function but that wasted alot of stack space
+ * embedded in the normal function but that wasted a lot of stack space
  * for nothing (since 99% of the time the Montgomery code would be called)
  */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
+#else
 int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
+#endif
 {
   int dr;
 
   /* modulus P must be positive */
-  if (P->sign == MP_NEG) {
+  if (mp_iszero(P) || P->sign == MP_NEG) {
      return MP_VAL;
   }
+  if (mp_isone(P)) {
+     mp_set(Y, 0);
+     return MP_OKAY;
+  }
+  if (mp_iszero(X)) {
+     mp_set(Y, 1);
+     return MP_OKAY;
+  }
+  if (mp_iszero(G)) {
+     mp_set(Y, 0);
+     return MP_OKAY;
+  }
 
   /* if exponent X is negative we have to recurse */
   if (X->sign == MP_NEG) {
@@ -771,6 +890,12 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
 #endif
   }
 
+#ifdef BN_MP_EXPTMOD_BASE_2
+  if (G->used == 1 && G->dp[0] == 2) {
+    return mp_exptmod_base_2(X, P, Y);
+  }
+#endif
+
 /* modified diminished radix reduction */
 #if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && \
   defined(BN_S_MP_EXPTMOD_C)
@@ -787,6 +912,8 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
   dr = 0;
 #endif
 
+  (void)dr;
+
 #ifdef BN_MP_REDUCE_IS_2K_C
   /* if not, is it a unrestricted DR modulus? */
   if (dr == 0) {
@@ -796,7 +923,7 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
 
   /* if the modulus is odd or dr != 0 use the montgomery method */
 #ifdef BN_MP_EXPTMOD_FAST_C
-  if (mp_isodd (P) == 1 || dr !=  0) {
+  if (mp_isodd (P) == MP_YES || dr !=  0) {
     return mp_exptmod_fast (G, X, P, Y, dr);
   } else {
 #endif
@@ -812,13 +939,17 @@ int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
 #endif
 }
 
+int mp_exptmod_ex (mp_int * G, mp_int * X, int digits, mp_int * P, mp_int * Y)
+{
+    (void)digits;
+    return mp_exptmod(G, X, P, Y);
+}
 
 /* b = |a|
  *
  * Simple function copies the input and fixes the sign to positive
  */
-int
-mp_abs (mp_int * a, mp_int * b)
+int mp_abs (mp_int * a, mp_int * b)
 {
   int     res;
 
@@ -837,22 +968,28 @@ mp_abs (mp_int * a, mp_int * b)
 
 
 /* hac 14.61, pp608 */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_invmod(mp_int * a, mp_int * b, mp_int * c)
+#else
 int mp_invmod (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
-  /* b cannot be negative */
-  if (b->sign == MP_NEG || mp_iszero(b) == 1) {
+  /* b cannot be negative or zero, and can not divide by 0 (1/a mod b) */
+  if (b->sign == MP_NEG || mp_iszero(b) == MP_YES || mp_iszero(a) == MP_YES) {
     return MP_VAL;
   }
 
 #ifdef BN_FAST_MP_INVMOD_C
   /* if the modulus is odd we can use a faster routine instead */
-  if (mp_isodd (b) == 1) {
+  if ((mp_isodd(b) == MP_YES) && (mp_cmp_d(b, 1) != MP_EQ)) {
     return fast_mp_invmod (a, b, c);
   }
 #endif
 
 #ifdef BN_MP_INVMOD_SLOW_C
   return mp_invmod_slow(a, b, c);
+#else
+  return MP_VAL;
 #endif
 }
 
@@ -869,7 +1006,7 @@ int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
   int     res, neg, loop_check = 0;
 
   /* 2. [modified] b must be odd   */
-  if (mp_iseven (b) == 1) {
+  if (mp_iseven (b) == MP_YES) {
     return MP_VAL;
   }
 
@@ -895,17 +1032,19 @@ int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
   if ((res = mp_copy (&y, &v)) != MP_OKAY) {
     goto LBL_ERR;
   }
-  mp_set (&D, 1);
+  if ((res = mp_set (&D, 1)) != MP_OKAY) {
+    goto LBL_ERR;
+  }
 
 top:
   /* 4.  while u is even do */
-  while (mp_iseven (&u) == 1) {
+  while (mp_iseven (&u) == MP_YES) {
     /* 4.1 u = u/2 */
     if ((res = mp_div_2 (&u, &u)) != MP_OKAY) {
       goto LBL_ERR;
     }
     /* 4.2 if B is odd then */
-    if (mp_isodd (&B) == 1) {
+    if (mp_isodd (&B) == MP_YES) {
       if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) {
         goto LBL_ERR;
       }
@@ -917,13 +1056,13 @@ top:
   }
 
   /* 5.  while v is even do */
-  while (mp_iseven (&v) == 1) {
+  while (mp_iseven (&v) == MP_YES) {
     /* 5.1 v = v/2 */
     if ((res = mp_div_2 (&v, &v)) != MP_OKAY) {
       goto LBL_ERR;
     }
     /* 5.2 if D is odd then */
-    if (mp_isodd (&D) == 1) {
+    if (mp_isodd (&D) == MP_YES) {
       /* D = (D-x)/2 */
       if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) {
         goto LBL_ERR;
@@ -957,8 +1096,8 @@ top:
   }
 
   /* if not zero goto step 4 */
-  if (mp_iszero (&u) == 0) {
-    if (++loop_check > 1024) {
+  if (mp_iszero (&u) == MP_NO) {
+    if (++loop_check > MAX_INVMOD_SZ) {
         res = MP_VAL;
         goto LBL_ERR;
     }
@@ -980,6 +1119,12 @@ top:
       goto LBL_ERR;
     }
   }
+  /* too big */
+  while (mp_cmp_mag(&D, b) != MP_LT) {
+      if ((res = mp_sub(&D, b, &D)) != MP_OKAY) {
+         goto LBL_ERR;
+      }
+  }
   mp_exch (&D, c);
   c->sign = neg;
   res = MP_OKAY;
@@ -1001,31 +1146,42 @@ int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c)
   int     res;
 
   /* b cannot be negative */
-  if (b->sign == MP_NEG || mp_iszero(b) == 1) {
+  if (b->sign == MP_NEG || mp_iszero(b) == MP_YES) {
     return MP_VAL;
   }
 
   /* init temps */
   if ((res = mp_init_multi(&x, &y, &u, &v,
                            &A, &B)) != MP_OKAY) {
-     return res;
+    return res;
   }
 
   /* init rest of tmps temps */
   if ((res = mp_init_multi(&C, &D, 0, 0, 0, 0)) != MP_OKAY) {
-     return res;
+    mp_clear(&x);
+    mp_clear(&y);
+    mp_clear(&u);
+    mp_clear(&v);
+    mp_clear(&A);
+    mp_clear(&B);
+    return res;
   }
 
   /* x = a, y = b */
   if ((res = mp_mod(a, b, &x)) != MP_OKAY) {
-      goto LBL_ERR;
+    goto LBL_ERR;
+  }
+  if (mp_isone(&x)) {
+    mp_set(c, 1);
+    res = MP_OKAY;
+    goto LBL_ERR;
   }
   if ((res = mp_copy (b, &y)) != MP_OKAY) {
     goto LBL_ERR;
   }
 
   /* 2. [modified] if x,y are both even then return an error! */
-  if (mp_iseven (&x) == 1 && mp_iseven (&y) == 1) {
+  if (mp_iseven (&x) == MP_YES && mp_iseven (&y) == MP_YES) {
     res = MP_VAL;
     goto LBL_ERR;
   }
@@ -1037,24 +1193,28 @@ int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c)
   if ((res = mp_copy (&y, &v)) != MP_OKAY) {
     goto LBL_ERR;
   }
-  mp_set (&A, 1);
-  mp_set (&D, 1);
+  if ((res = mp_set (&A, 1)) != MP_OKAY) {
+    goto LBL_ERR;
+  }
+  if ((res = mp_set (&D, 1)) != MP_OKAY) {
+    goto LBL_ERR;
+  }
 
 top:
   /* 4.  while u is even do */
-  while (mp_iseven (&u) == 1) {
+  while (mp_iseven (&u) == MP_YES) {
     /* 4.1 u = u/2 */
     if ((res = mp_div_2 (&u, &u)) != MP_OKAY) {
       goto LBL_ERR;
     }
     /* 4.2 if A or B is odd then */
-    if (mp_isodd (&A) == 1 || mp_isodd (&B) == 1) {
+    if (mp_isodd (&A) == MP_YES || mp_isodd (&B) == MP_YES) {
       /* A = (A+y)/2, B = (B-x)/2 */
       if ((res = mp_add (&A, &y, &A)) != MP_OKAY) {
-         goto LBL_ERR;
+        goto LBL_ERR;
       }
       if ((res = mp_sub (&B, &x, &B)) != MP_OKAY) {
-         goto LBL_ERR;
+        goto LBL_ERR;
       }
     }
     /* A = A/2, B = B/2 */
@@ -1067,19 +1227,19 @@ top:
   }
 
   /* 5.  while v is even do */
-  while (mp_iseven (&v) == 1) {
+  while (mp_iseven (&v) == MP_YES) {
     /* 5.1 v = v/2 */
     if ((res = mp_div_2 (&v, &v)) != MP_OKAY) {
       goto LBL_ERR;
     }
     /* 5.2 if C or D is odd then */
-    if (mp_isodd (&C) == 1 || mp_isodd (&D) == 1) {
+    if (mp_isodd (&C) == MP_YES || mp_isodd (&D) == MP_YES) {
       /* C = (C+y)/2, D = (D-x)/2 */
       if ((res = mp_add (&C, &y, &C)) != MP_OKAY) {
-         goto LBL_ERR;
+        goto LBL_ERR;
       }
       if ((res = mp_sub (&D, &x, &D)) != MP_OKAY) {
-         goto LBL_ERR;
+        goto LBL_ERR;
       }
     }
     /* C = C/2, D = D/2 */
@@ -1121,7 +1281,7 @@ top:
   }
 
   /* if not zero goto step 4 */
-  if (mp_iszero (&u) == 0)
+  if (mp_iszero (&u) == MP_NO)
     goto top;
 
   /* now a = C, b = D, gcd == g*v */
@@ -1161,7 +1321,7 @@ LBL_ERR:mp_clear(&x);
 }
 
 
-/* compare maginitude of two ints (unsigned) */
+/* compare magnitude of two ints (unsigned) */
 int mp_cmp_mag (mp_int * a, mp_int * b)
 {
   int     n;
@@ -1197,8 +1357,7 @@ int mp_cmp_mag (mp_int * a, mp_int * b)
 
 
 /* compare two ints (signed)*/
-int
-mp_cmp (mp_int * a, mp_int * b)
+int mp_cmp (mp_int * a, mp_int * b)
 {
   /* compare based on sign */
   if (a->sign != b->sign) {
@@ -1222,8 +1381,12 @@ mp_cmp (mp_int * a, mp_int * b)
 /* compare a digit */
 int mp_cmp_d(mp_int * a, mp_digit b)
 {
+  /* special case for zero*/
+  if (a->used == 0 && b == 0)
+    return MP_EQ;
+
   /* compare based on sign */
-  if (a->sign == MP_NEG) {
+  if ((b && a->used == 0) || a->sign == MP_NEG) {
     return MP_LT;
   }
 
@@ -1244,22 +1407,38 @@ int mp_cmp_d(mp_int * a, mp_digit b)
 
 
 /* set to a digit */
-void mp_set (mp_int * a, mp_digit b)
+int mp_set (mp_int * a, mp_digit b)
 {
+  int res;
   mp_zero (a);
-  a->dp[0] = b & MP_MASK;
-  a->used  = (a->dp[0] != 0) ? 1 : 0;
+  res = mp_grow (a, 1);
+  if (res == MP_OKAY) {
+    a->dp[0] = (mp_digit)(b & MP_MASK);
+    a->used  = (a->dp[0] != 0) ? 1 : 0;
+  }
+  return res;
 }
 
+/* check if a bit is set */
+int mp_is_bit_set (mp_int *a, mp_digit b)
+{
+    if ((mp_digit)a->used < b/DIGIT_BIT)
+        return 0;
+
+    return (int)((a->dp[b/DIGIT_BIT] >> b%DIGIT_BIT) & (mp_digit)1);
+}
 
 /* c = a mod b, 0 <= c < b */
-int
-mp_mod (mp_int * a, mp_int * b, mp_int * c)
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mod(mp_int * a, mp_int * b, mp_int * c)
+#else
+int mp_mod (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
   mp_int  t;
   int     res;
 
-  if ((res = mp_init (&t)) != MP_OKAY) {
+  if ((res = mp_init_size (&t, b->used)) != MP_OKAY) {
     return res;
   }
 
@@ -1268,11 +1447,11 @@ mp_mod (mp_int * a, mp_int * b, mp_int * c)
     return res;
   }
 
-  if (t.sign != b->sign) {
-    res = mp_add (b, &t, c);
-  } else {
+  if ((mp_iszero(&t) != MP_NO) || (t.sign == b->sign)) {
     res = MP_OKAY;
     mp_exch (&t, c);
+  } else {
+    res = mp_add (b, &t, c);
   }
 
   mp_clear (&t);
@@ -1287,7 +1466,7 @@ int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d)
    int    res, n, n2;
 
   /* is divisor zero ? */
-  if (mp_iszero (b) == 1) {
+  if (mp_iszero (b) == MP_YES) {
     return MP_VAL;
   }
 
@@ -1309,8 +1488,9 @@ int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d)
      return res;
   }
 
-
-  mp_set(&tq, 1);
+  if ((res = mp_set(&tq, 1)) != MP_OKAY) {
+     return res;
+  }
   n = mp_count_bits(a) - mp_count_bits(b);
   if (((res = mp_abs(a, &ta)) != MP_OKAY) ||
       ((res = mp_abs(b, &tb)) != MP_OKAY) ||
@@ -1367,7 +1547,7 @@ int mp_div_2(mp_int * a, mp_int * b)
   oldused = b->used;
   b->used = a->used;
   {
-    register mp_digit r, rr, *tmpa, *tmpb;
+    mp_digit r, rr, *tmpa, *tmpb;
 
     /* source alias */
     tmpa = a->dp + b->used - 1;
@@ -1403,7 +1583,7 @@ int mp_div_2(mp_int * a, mp_int * b)
 /* high level addition (handles signs) */
 int mp_add (mp_int * a, mp_int * b, mp_int * c)
 {
-  int     sa, sb, res;
+  int sa, sb, res;
 
   /* get sign of both inputs */
   sa = a->sign;
@@ -1433,39 +1613,38 @@ int mp_add (mp_int * a, mp_int * b, mp_int * c)
 
 
 /* low level addition, based on HAC pp.594, Algorithm 14.7 */
-int
-s_mp_add (mp_int * a, mp_int * b, mp_int * c)
+int s_mp_add (mp_int * a, mp_int * b, mp_int * c)
 {
   mp_int *x;
-  int     olduse, res, min, max;
+  int     olduse, res, min_ab, max_ab;
 
   /* find sizes, we let |a| <= |b| which means we have to sort
    * them.  "x" will point to the input with the most digits
    */
   if (a->used > b->used) {
-    min = b->used;
-    max = a->used;
+    min_ab = b->used;
+    max_ab = a->used;
     x = a;
   } else {
-    min = a->used;
-    max = b->used;
+    min_ab = a->used;
+    max_ab = b->used;
     x = b;
   }
 
   /* init result */
-  if (c->alloc < max + 1) {
-    if ((res = mp_grow (c, max + 1)) != MP_OKAY) {
+  if (c->alloc < max_ab + 1) {
+    if ((res = mp_grow (c, max_ab + 1)) != MP_OKAY) {
       return res;
     }
   }
 
   /* get old used digit count and set new one */
   olduse = c->used;
-  c->used = max + 1;
+  c->used = max_ab + 1;
 
   {
-    register mp_digit u, *tmpa, *tmpb, *tmpc;
-    register int i;
+    mp_digit u, *tmpa, *tmpb, *tmpc;
+    int i;
 
     /* alias for digit pointers */
 
@@ -1480,7 +1659,7 @@ s_mp_add (mp_int * a, mp_int * b, mp_int * c)
 
     /* zero the carry */
     u = 0;
-    for (i = 0; i < min; i++) {
+    for (i = 0; i < min_ab; i++) {
       /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
       *tmpc = *tmpa++ + *tmpb++ + u;
 
@@ -1494,8 +1673,8 @@ s_mp_add (mp_int * a, mp_int * b, mp_int * c)
     /* now copy higher words if any, that is in A+B
      * if A or B has more digits add those in
      */
-    if (min != max) {
-      for (; i < max; i++) {
+    if (min_ab != max_ab) {
+      for (; i < max_ab; i++) {
         /* T[i] = X[i] + U */
         *tmpc = x->dp[i] + u;
 
@@ -1510,7 +1689,7 @@ s_mp_add (mp_int * a, mp_int * b, mp_int * c)
     /* add carry */
     *tmpc++ = u;
 
-    /* clear digits above oldused */
+    /* clear digits above olduse */
     for (i = c->used; i < olduse; i++) {
       *tmpc++ = 0;
     }
@@ -1522,27 +1701,31 @@ s_mp_add (mp_int * a, mp_int * b, mp_int * c)
 
 
 /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
-int
-s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
+int s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
 {
-  int     olduse, res, min, max;
+  int     olduse, res, min_b, max_a;
 
   /* find sizes */
-  min = b->used;
-  max = a->used;
+  min_b = b->used;
+  max_a = a->used;
 
   /* init result */
-  if (c->alloc < max) {
-    if ((res = mp_grow (c, max)) != MP_OKAY) {
+  if (c->alloc < max_a) {
+    if ((res = mp_grow (c, max_a)) != MP_OKAY) {
       return res;
     }
   }
+
+  /* sanity check on destination */
+  if (c->dp == NULL)
+     return MP_VAL;
+
   olduse = c->used;
-  c->used = max;
+  c->used = max_a;
 
   {
-    register mp_digit u, *tmpa, *tmpb, *tmpc;
-    register int i;
+    mp_digit u, *tmpa, *tmpb, *tmpc;
+    int i;
 
     /* alias for digit pointers */
     tmpa = a->dp;
@@ -1551,7 +1734,7 @@ s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
 
     /* set carry to zero */
     u = 0;
-    for (i = 0; i < min; i++) {
+    for (i = 0; i < min_b; i++) {
       /* T[i] = A[i] - B[i] - U */
       *tmpc = *tmpa++ - *tmpb++ - u;
 
@@ -1567,7 +1750,7 @@ s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
     }
 
     /* now copy higher words if any, e.g. if A has more digits than B  */
-    for (; i < max; i++) {
+    for (; i < max_a; i++) {
       /* T[i] = A[i] - U */
       *tmpc = *tmpa++ - u;
 
@@ -1590,8 +1773,7 @@ s_mp_sub (mp_int * a, mp_int * b, mp_int * c)
 
 
 /* high level subtraction (handles signs) */
-int
-mp_sub (mp_int * a, mp_int * b, mp_int * c)
+int mp_sub (mp_int * a, mp_int * b, mp_int * c)
 {
   int     sa, sb, res;
 
@@ -1725,7 +1907,7 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
   mp_digit buf, mp;
   int     err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
 #ifdef WOLFSSL_SMALL_STACK
-  mp_int* M = NULL;
+  mp_int* M;
 #else
   mp_int M[TAB_SIZE];
 #endif
@@ -1733,11 +1915,11 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
    * one of many reduction algorithms without modding the guts of
    * the code with if statements everywhere.
    */
-  int     (*redux)(mp_int*,mp_int*,mp_digit);
+  int     (*redux)(mp_int*,mp_int*,mp_digit) = NULL;
 
 #ifdef WOLFSSL_SMALL_STACK
   M = (mp_int*) XMALLOC(sizeof(mp_int) * TAB_SIZE, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
+                                                       DYNAMIC_TYPE_BIGINT);
   if (M == NULL)
     return MP_MEM;
 #endif
@@ -1768,9 +1950,9 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
 
   /* init M array */
   /* init first cell */
-  if ((err = mp_init(&M[1])) != MP_OKAY) {
+  if ((err = mp_init_size(&M[1], P->alloc)) != MP_OKAY) {
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+     XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
      return err;
@@ -1778,14 +1960,14 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
 
   /* now init the second half of the array */
   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
-    if ((err = mp_init(&M[x])) != MP_OKAY) {
+    if ((err = mp_init_size(&M[x], P->alloc)) != MP_OKAY) {
       for (y = 1<<(winsize-1); y < x; y++) {
         mp_clear (&M[y]);
       }
       mp_clear(&M[1]);
 
 #ifdef WOLFSSL_SMALL_STACK
-      XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
       return err;
@@ -1807,7 +1989,7 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
      /* automatically pick the comba one if available (saves quite a few
         calls/ifs) */
 #ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C
-     if (((P->used * 2 + 1) < MP_WARRAY) &&
+     if (((P->used * 2 + 1) < (int)MP_WARRAY) &&
           P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
         redux = fast_mp_montgomery_reduce;
      } else
@@ -1816,9 +1998,6 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
 #ifdef BN_MP_MONTGOMERY_REDUCE_C
         /* use slower baseline Montgomery method */
         redux = mp_montgomery_reduce;
-#else
-        err = MP_VAL;
-        goto LBL_M;
 #endif
      }
   } else if (redmode == 1) {
@@ -1826,9 +2005,6 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
      /* setup DR reduction for moduli of the form B**k - b */
      mp_dr_setup(P, &mp);
      redux = mp_dr_reduce;
-#else
-     err = MP_VAL;
-     goto LBL_M;
 #endif
   } else {
 #if defined(BN_MP_REDUCE_2K_SETUP_C) && defined(BN_MP_REDUCE_2K_C)
@@ -1837,14 +2013,16 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
         goto LBL_M;
      }
      redux = mp_reduce_2k;
-#else
+#endif
+  }
+
+  if (redux == NULL) {
      err = MP_VAL;
      goto LBL_M;
-#endif
   }
 
   /* setup result */
-  if ((err = mp_init (&res)) != MP_OKAY) {
+  if ((err = mp_init_size (&res, P->alloc)) != MP_OKAY) {
     goto LBL_M;
   }
 
@@ -1861,17 +2039,19 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
      if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) {
        goto LBL_RES;
      }
-#else
-     err = MP_VAL;
-     goto LBL_RES;
-#endif
 
      /* now set M[1] to G * R mod m */
      if ((err = mp_mulmod (G, &res, P, &M[1])) != MP_OKAY) {
        goto LBL_RES;
      }
+#else
+     err = MP_VAL;
+     goto LBL_RES;
+#endif
   } else {
-     mp_set(&res, 1);
+     if ((err = mp_set(&res, 1)) != MP_OKAY) {
+        goto LBL_RES;
+     }
      if ((err = mp_mod(G, P, &M[1])) != MP_OKAY) {
         goto LBL_RES;
      }
@@ -1883,7 +2063,8 @@ int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y,
   }
 
   for (x = 0; x < (winsize - 1); x++) {
-    if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))], &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
+    if ((err = mp_sqr (&M[(mp_digit)(1 << (winsize - 1))],
+                       &M[(mp_digit)(1 << (winsize - 1))])) != MP_OKAY) {
       goto LBL_RES;
     }
     if ((err = redux (&M[(mp_digit)(1 << (winsize - 1))], P, mp)) != MP_OKAY) {
@@ -2024,16 +2205,179 @@ LBL_M:
   }
 
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(M, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+  return err;
+}
+
+#ifdef BN_MP_EXPTMOD_BASE_2
+#if DIGIT_BIT < 16
+    #define WINSIZE    3
+#elif DIGIT_BIT < 32
+    #define WINSIZE    4
+#elif DIGIT_BIT < 64
+    #define WINSIZE    5
+#elif DIGIT_BIT < 128
+    #define WINSIZE    6
+#endif
+int mp_exptmod_base_2(mp_int * X, mp_int * P, mp_int * Y)
+{
+  mp_digit buf, mp;
+  int      err = MP_OKAY, bitbuf, bitcpy, bitcnt, digidx, x, y;
+#ifdef WOLFSSL_SMALL_STACK
+  mp_int  *res = NULL;
+#else
+  mp_int   res[1];
+#endif
+  int     (*redux)(mp_int*,mp_int*,mp_digit) = NULL;
+
+  /* automatically pick the comba one if available (saves quite a few
+     calls/ifs) */
+#ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C
+  if (((P->used * 2 + 1) < (int)MP_WARRAY) &&
+       P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
+     redux = fast_mp_montgomery_reduce;
+  } else
 #endif
+  {
+#ifdef BN_MP_MONTGOMERY_REDUCE_C
+     /* use slower baseline Montgomery method */
+     redux = mp_montgomery_reduce;
+#else
+     return MP_VAL;
+#endif
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  res = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  if (res == NULL) {
+     return MP_MEM;
+  }
+#endif
+
+  /* now setup montgomery  */
+  if ((err = mp_montgomery_setup(P, &mp)) != MP_OKAY) {
+     goto LBL_M;
+  }
+
+  /* setup result */
+  if ((err = mp_init(res)) != MP_OKAY) {
+     goto LBL_M;
+  }
+
+  /* now we need R mod m */
+  if ((err = mp_montgomery_calc_normalization(res, P)) != MP_OKAY) {
+     goto LBL_RES;
+  }
+
+  /* Get the top bits left over after taking WINSIZE bits starting at the
+   * least-significant.
+   */
+  digidx = X->used - 1;
+  bitcpy = (X->used * DIGIT_BIT) % WINSIZE;
+  if (bitcpy > 0) {
+     bitcnt = (int)DIGIT_BIT - bitcpy;
+     buf    = X->dp[digidx--];
+     bitbuf = (int)(buf >> bitcnt);
+     /* Multiply montgomery representation of 1 by 2 ^ top */
+     err = mp_mul_2d(res, bitbuf, res);
+     if (err != MP_OKAY) {
+        goto LBL_RES;
+     }
+     err = mp_mod(res, P, res);
+     if (err != MP_OKAY) {
+        goto LBL_RES;
+     }
+     /* Move out bits used */
+     buf  <<= bitcpy;
+     bitcnt++;
+  }
+  else {
+     bitcnt = 1;
+     buf    = 0;
+  }
+
+  /* empty window and reset  */
+  bitbuf = 0;
+  bitcpy = 0;
+
+  for (;;) {
+    /* grab next digit as required */
+    if (--bitcnt == 0) {
+      /* if digidx == -1 we are out of digits so break */
+      if (digidx == -1) {
+        break;
+      }
+      /* read next digit and reset bitcnt */
+      buf    = X->dp[digidx--];
+      bitcnt = (int)DIGIT_BIT;
+    }
+
+    /* grab the next msb from the exponent */
+    y       = (int)(buf >> (DIGIT_BIT - 1)) & 1;
+    buf   <<= (mp_digit)1;
+    /* add bit to the window */
+    bitbuf |= (y << (WINSIZE - ++bitcpy));
+
+    if (bitcpy == WINSIZE) {
+      /* ok window is filled so square as required and multiply  */
+      /* square first */
+      for (x = 0; x < WINSIZE; x++) {
+        err = mp_sqr(res, res);
+        if (err != MP_OKAY) {
+          goto LBL_RES;
+        }
+        err = (*redux)(res, P, mp);
+        if (err != MP_OKAY) {
+          goto LBL_RES;
+        }
+      }
+
+      /* then multiply by 2^bitbuf */
+      err = mp_mul_2d(res, bitbuf, res);
+      if (err != MP_OKAY) {
+         goto LBL_RES;
+      }
+      err = mp_mod(res, P, res);
+      if (err != MP_OKAY) {
+         goto LBL_RES;
+      }
+
+      /* empty window and reset */
+      bitcpy = 0;
+      bitbuf = 0;
+    }
+  }
+
+  /* fixup result if Montgomery reduction is used
+   * recall that any value in a Montgomery system is
+   * actually multiplied by R mod n.  So we have
+   * to reduce one more time to cancel out the factor
+   * of R.
+   */
+  err = (*redux)(res, P, mp);
+  if (err != MP_OKAY) {
+     goto LBL_RES;
+  }
+
+  /* swap res with Y */
+  mp_copy(res, Y);
 
+LBL_RES:mp_clear (res);
+LBL_M:
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
   return err;
 }
 
+#undef WINSIZE
+#endif /* BN_MP_EXPTMOD_BASE_2 */
+
 
 /* setups the montgomery reduction stuff */
-int
-mp_montgomery_setup (mp_int * n, mp_digit * rho)
+int mp_montgomery_setup (mp_int * n, mp_digit * rho)
 {
   mp_digit x, b;
 
@@ -2065,7 +2409,7 @@ mp_montgomery_setup (mp_int * n, mp_digit * rho)
 
   /* rho = -1/m mod b */
   /* TAO, switched mp_word casts to mp_digit to shut up compiler */
-  *rho = (((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK;
+  *rho = (mp_digit)((((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK);
 
   return MP_OKAY;
 }
@@ -2099,7 +2443,7 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
   }
 
 #ifdef WOLFSSL_SMALL_STACK
-  W = (mp_word*)XMALLOC(sizeof(mp_word) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT);
+  W = (mp_word*)XMALLOC(sizeof(mp_word) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
   if (W == NULL)
     return MP_MEM;
 #endif
@@ -2108,8 +2452,8 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
    * an array of double precision words W[...]
    */
   {
-    register mp_word *_W;
-    register mp_digit *tmpx;
+    mp_word *_W;
+    mp_digit *tmpx;
 
     /* alias for the W[] array */
     _W   = W;
@@ -2138,13 +2482,13 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
      * by casting the value down to a mp_digit.  Note this requires
      * that W[ix-1] have  the carry cleared (see after the inner loop)
      */
-    register mp_digit mu;
+    mp_digit mu;
     mu = (mp_digit) (((W[ix] & MP_MASK) * rho) & MP_MASK);
 
     /* a = a + mu * m * b**i
      *
      * This is computed in place and on the fly.  The multiplication
-     * by b**i is handled by offseting which columns the results
+     * by b**i is handled by offsetting which columns the results
      * are added to.
      *
      * Note the comba method normally doesn't handle carries in the
@@ -2156,9 +2500,9 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
      * first m->used words of W[] have the carries fixed
      */
     {
-      register int iy;
-      register mp_digit *tmpn;
-      register mp_word *_W;
+      int iy;
+      mp_digit *tmpn;
+      mp_word *_W;
 
       /* alias for the digits of the modulus */
       tmpn = n->dp;
@@ -2181,8 +2525,8 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
    * significant digits we zeroed].
    */
   {
-    register mp_digit *tmpx;
-    register mp_word *_W, *_W1;
+    mp_digit *tmpx;
+    mp_word *_W, *_W1;
 
     /* nox fix rest of carries */
 
@@ -2213,7 +2557,7 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
       *tmpx++ = (mp_digit)(*_W++ & ((mp_word) MP_MASK));
     }
 
-    /* zero oldused digits, if the input a was larger than
+    /* zero olduse digits, if the input a was larger than
      * m->used+1 we'll have to clear the digits
      */
     for (; ix < olduse; ix++) {
@@ -2226,7 +2570,7 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
   mp_clamp (x);
 
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(W, 0, DYNAMIC_TYPE_BIGINT);
+  XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
   /* if A >= m then A = A - m */
@@ -2238,8 +2582,7 @@ int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
 
 
 /* computes xR**-1 == x (mod N) via Montgomery Reduction */
-int
-mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
+int mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
 {
   int     ix, res, digs;
   mp_digit mu;
@@ -2251,7 +2594,7 @@ mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
    * are fixed up in the inner loop.
    */
   digs = n->used * 2 + 1;
-  if ((digs < MP_WARRAY) &&
+  if ((digs < (int)MP_WARRAY) &&
       n->used <
       (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
     return fast_mp_montgomery_reduce (x, n, rho);
@@ -2278,9 +2621,9 @@ mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho)
 
     /* a = a + mu * m * b**i */
     {
-      register int iy;
-      register mp_digit *tmpn, *tmpx, u;
-      register mp_word r;
+      int iy;
+      mp_digit *tmpn, *tmpx, u;
+      mp_word r;
 
       /* alias for digits of the modulus */
       tmpn = n->dp;
@@ -2360,8 +2703,7 @@ void mp_dr_setup(mp_int *a, mp_digit *d)
  *
  * Input x must be in the range 0 <= x <= (n-1)**2
  */
-int
-mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k)
+int mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k)
 {
   int      err, i, m;
   mp_word  r;
@@ -2413,7 +2755,9 @@ top:
    * Each successive "recursion" makes the input smaller and smaller.
    */
   if (mp_cmp_mag (x, n) != MP_LT) {
-    s_mp_sub(x, n, x);
+    if ((err = s_mp_sub(x, n, x)) != MP_OKAY) {
+        return err;
+    }
     goto top;
   }
   return MP_OKAY;
@@ -2450,7 +2794,9 @@ top:
    }
 
    if (mp_cmp_mag(a, n) != MP_LT) {
-      s_mp_sub(a, n, a);
+      if ((res = s_mp_sub(a, n, a)) != MP_OKAY) {
+         goto ERR;
+      }
       goto top;
    }
 
@@ -2487,37 +2833,49 @@ int mp_reduce_2k_setup(mp_int *a, mp_digit *d)
 }
 
 
-/* computes a = 2**b
- *
- * Simple algorithm which zeroes the int, grows it then just sets one bit
- * as required.
- */
-int
-mp_2expt (mp_int * a, int b)
+/* set the b bit of a */
+int mp_set_bit (mp_int * a, int b)
 {
-  int     res;
+    int i = b / DIGIT_BIT, res;
 
-  /* zero a as per default */
-  mp_zero (a);
+    /*
+     * Require:
+     *  bit index b >= 0
+     *  a->alloc == a->used == 0 if a->dp == NULL
+     */
+    if (b < 0 || (a->dp == NULL && (a->alloc != 0 || a->used != 0)))
+        return MP_VAL;
 
-  /* grow a to accomodate the single bit */
-  if ((res = mp_grow (a, b / DIGIT_BIT + 1)) != MP_OKAY) {
-    return res;
-  }
+    if (a->dp == NULL || a->used < (int)(i + 1)) {
+        /* grow a to accommodate the single bit */
+        if ((res = mp_grow (a, i + 1)) != MP_OKAY) {
+            return res;
+        }
 
-  /* set the used count of where the bit will go */
-  a->used = b / DIGIT_BIT + 1;
+        /* set the used count of where the bit will go */
+        a->used = (int)(i + 1);
+    }
 
-  /* put the single bit in its place */
-  a->dp[b / DIGIT_BIT] = ((mp_digit)1) << (b % DIGIT_BIT);
+    /* put the single bit in its place */
+    a->dp[i] |= ((mp_digit)1) << (b % DIGIT_BIT);
 
-  return MP_OKAY;
+    return MP_OKAY;
 }
 
+/* computes a = 2**b
+ *
+ * Simple algorithm which zeros the int, set the required bit
+ */
+int mp_2expt (mp_int * a, int b)
+{
+    /* zero a as per default */
+    mp_zero (a);
+
+    return mp_set_bit(a, b);
+}
 
 /* multiply by a digit */
-int
-mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
+int mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
 {
   mp_digit u, *tmpa, *tmpc;
   mp_word  r;
@@ -2575,35 +2933,78 @@ mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
 
 
 /* d = a * b (mod c) */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mulmod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
+#else
 int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
+#endif
 {
   int     res;
   mp_int  t;
 
-  if ((res = mp_init (&t)) != MP_OKAY) {
+  if ((res = mp_init_size (&t, c->used)) != MP_OKAY) {
     return res;
   }
 
-  if ((res = mp_mul (a, b, &t)) != MP_OKAY) {
-    mp_clear (&t);
+  res = mp_mul (a, b, &t);
+  if (res == MP_OKAY) {
+      res = mp_mod (&t, c, d);
+  }
+
+  mp_clear (&t);
+  return res;
+}
+
+
+/* d = a - b (mod c) */
+int mp_submod(mp_int* a, mp_int* b, mp_int* c, mp_int* d)
+{
+  int     res;
+  mp_int  t;
+
+  if ((res = mp_init (&t)) != MP_OKAY) {
     return res;
   }
-  res = mp_mod (&t, c, d);
+
+  res = mp_sub (a, b, &t);
+  if (res == MP_OKAY) {
+      res = mp_mod (&t, c, d);
+  }
+
   mp_clear (&t);
+
   return res;
 }
 
+/* d = a + b (mod c) */
+int mp_addmod(mp_int* a, mp_int* b, mp_int* c, mp_int* d)
+{
+   int     res;
+   mp_int  t;
+
+   if ((res = mp_init (&t)) != MP_OKAY) {
+     return res;
+   }
+
+   res = mp_add (a, b, &t);
+   if (res == MP_OKAY) {
+       res = mp_mod (&t, c, d);
+   }
+
+   mp_clear (&t);
+
+   return res;
+}
 
 /* computes b = a*a */
-int
-mp_sqr (mp_int * a, mp_int * b)
+int mp_sqr (mp_int * a, mp_int * b)
 {
   int     res;
 
   {
 #ifdef BN_FAST_S_MP_SQR_C
     /* can we use the fast comba multiplier? */
-    if ((a->used * 2 + 1) < MP_WARRAY &&
+    if ((a->used * 2 + 1) < (int)MP_WARRAY &&
          a->used <
          (1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) {
       res = fast_s_mp_sqr (a, b);
@@ -2621,12 +3022,17 @@ mp_sqr (mp_int * a, mp_int * b)
 
 
 /* high level multiplication (handles sign) */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mul(mp_int *a, mp_int *b, mp_int *c)
+#else
 int mp_mul (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
   int     res, neg;
   neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG;
 
   {
+#ifdef BN_FAST_S_MP_MUL_DIGS_C
     /* can we use the fast multiplier?
      *
      * The fast multiplier can be used if the output will
@@ -2635,8 +3041,7 @@ int mp_mul (mp_int * a, mp_int * b, mp_int * c)
      */
     int     digs = a->used + b->used + 1;
 
-#ifdef BN_FAST_S_MP_MUL_DIGS_C
-    if ((digs < MP_WARRAY) &&
+    if ((digs < (int)MP_WARRAY) &&
         MIN(a->used, b->used) <=
         (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
       res = fast_s_mp_mul_digs (a, b, c, digs);
@@ -2659,7 +3064,7 @@ int mp_mul_2(mp_int * a, mp_int * b)
 {
   int     x, res, oldused;
 
-  /* grow to accomodate result */
+  /* grow to accommodate result */
   if (b->alloc < a->used + 1) {
     if ((res = mp_grow (b, a->used + 1)) != MP_OKAY) {
       return res;
@@ -2670,7 +3075,7 @@ int mp_mul_2(mp_int * a, mp_int * b)
   b->used = a->used;
 
   {
-    register mp_digit r, rr, *tmpa, *tmpb;
+    mp_digit r, rr, *tmpa, *tmpb;
 
     /* alias for source */
     tmpa = a->dp;
@@ -2688,7 +3093,7 @@ int mp_mul_2(mp_int * a, mp_int * b)
       rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1));
 
       /* now shift up this digit, add in the carry [from the previous] */
-      *tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK;
+      *tmpb++ = (mp_digit)(((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK);
 
       /* copy the carry that would be from the source
        * digit into the next iteration
@@ -2717,8 +3122,7 @@ int mp_mul_2(mp_int * a, mp_int * b)
 
 
 /* divide by three (based on routine from MPI and the GMP manual) */
-int
-mp_div_3 (mp_int * a, mp_int *c, mp_digit * d)
+int mp_div_3 (mp_int * a, mp_int *c, mp_digit * d)
 {
   mp_int   q;
   mp_word  w, t;
@@ -2783,7 +3187,7 @@ int mp_init_size (mp_int * a, int size)
   size += (MP_PREC * 2) - (size % MP_PREC);
 
   /* alloc mem */
-  a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size, 0,
+  a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size, NULL,
                                       DYNAMIC_TYPE_BIGINT);
   if (a->dp == NULL) {
     return MP_MEM;
@@ -2793,6 +3197,9 @@ int mp_init_size (mp_int * a, int size)
   a->used  = 0;
   a->alloc = size;
   a->sign  = MP_ZPOS;
+#ifdef HAVE_WOLF_BIGINT
+  wc_bigint_init(&a->raw);
+#endif
 
   /* zero the digits */
   for (x = 0; x < size; x++) {
@@ -2832,11 +3239,11 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b)
     }
   }
 
-  if (pa > MP_WARRAY)
+  if (pa > (int)MP_WARRAY)
     return MP_RANGE;  /* TAO range check */
 
 #ifdef WOLFSSL_SMALL_STACK
-  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT);
+  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
   if (W == NULL)
     return MP_MEM;
 #endif
@@ -2859,7 +3266,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b)
       tmpx = a->dp + tx;
       tmpy = a->dp + ty;
 
-      /* this is the number of times the loop will iterrate, essentially
+      /* this is the number of times the loop will iterate, essentially
          while (tx++ < a->used && ty-- >= 0) { ... }
        */
       iy = MIN(a->used-tx, ty+1);
@@ -2898,7 +3305,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b)
     mp_digit *tmpb;
     tmpb = b->dp;
     for (ix = 0; ix < pa; ix++) {
-      *tmpb++ = W[ix] & MP_MASK;
+      *tmpb++ = (mp_digit)(W[ix] & MP_MASK);
     }
 
     /* clear unused digits [that existed in the old copy of c] */
@@ -2909,7 +3316,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b)
   mp_clamp (b);
 
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(W, 0, DYNAMIC_TYPE_BIGINT);
+  XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
   return MP_OKAY;
@@ -2940,7 +3347,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 #else
   mp_digit W[MP_WARRAY];
 #endif
-  register mp_word  _W;
+  mp_word  _W;
 
   /* grow the destination as required */
   if (c->alloc < digs) {
@@ -2951,11 +3358,11 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 
   /* number of output digits to produce */
   pa = MIN(digs, a->used + b->used);
-  if (pa > MP_WARRAY)
+  if (pa > (int)MP_WARRAY)
     return MP_RANGE;  /* TAO range check */
 
 #ifdef WOLFSSL_SMALL_STACK
-  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT);
+  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
   if (W == NULL)
     return MP_MEM;
 #endif
@@ -2975,7 +3382,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
       tmpx = a->dp + tx;
       tmpy = b->dp + ty;
 
-      /* this is the number of times the loop will iterrate, essentially
+      /* this is the number of times the loop will iterate, essentially
          while (tx++ < a->used && ty-- >= 0) { ... }
        */
       iy = MIN(a->used-tx, ty+1);
@@ -2987,7 +3394,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
       }
 
       /* store term */
-      W[ix] = ((mp_digit)_W) & MP_MASK;
+      W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
 
       /* make next carry */
       _W = _W >> ((mp_word)DIGIT_BIT);
@@ -2998,9 +3405,9 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   c->used = pa;
 
   {
-    register mp_digit *tmpc;
+    mp_digit *tmpc;
     tmpc = c->dp;
-    for (ix = 0; ix < pa+1; ix++) {
+    for (ix = 0; ix < pa; ix++) { /* JRB, +1 could read uninitialized data */
       /* now extract the previous digit [below the carry] */
       *tmpc++ = W[ix];
     }
@@ -3013,7 +3420,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   mp_clamp (c);
 
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(W, 0, DYNAMIC_TYPE_BIGINT);
+  XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
   return MP_OKAY;
@@ -3084,7 +3491,7 @@ int s_mp_sqr (mp_int * a, mp_int * b)
 }
 
 
-/* multiplies |a| * |b| and only computes upto digs digits of result
+/* multiplies |a| * |b| and only computes up to digs digits of result
  * HAC pp. 595, Algorithm 14.12  Modified so you can control how
  * many digits of output are created.
  */
@@ -3097,7 +3504,7 @@ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   mp_digit tmpx, *tmpt, *tmpy;
 
   /* can we use the fast multiplier? */
-  if (((digs) < MP_WARRAY) &&
+  if ((digs < (int)MP_WARRAY) &&
       MIN (a->used, b->used) <
           (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
     return fast_s_mp_mul_digs (a, b, c, digs);
@@ -3157,8 +3564,8 @@ int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 /*
  * shifts with subtractions when the result is greater than b.
  *
- * The method is slightly modified to shift B unconditionally upto just under
- * the leading bit of b.  This saves alot of multiple precision shifting.
+ * The method is slightly modified to shift B unconditionally up to just under
+ * the leading bit of b.  This saves a lot of multiple precision shifting.
  */
 int mp_montgomery_calc_normalization (mp_int * a, mp_int * b)
 {
@@ -3168,15 +3575,17 @@ int mp_montgomery_calc_normalization (mp_int * a, mp_int * b)
   bits = mp_count_bits (b) % DIGIT_BIT;
 
   if (b->used > 1) {
-     if ((res = mp_2expt (a, (b->used - 1) * DIGIT_BIT + bits - 1)) != MP_OKAY) {
+     if ((res = mp_2expt (a, (b->used - 1) * DIGIT_BIT + bits - 1))
+         != MP_OKAY) {
         return res;
      }
   } else {
-     mp_set(a, 1);
+     if ((res = mp_set(a, 1)) != MP_OKAY) {
+        return res;
+     }
      bits = 1;
   }
 
-
   /* now compute C = A * B mod b */
   for (x = bits - 1; x < (int)DIGIT_BIT; x++) {
     if ((res = mp_mul_2 (a, a)) != MP_OKAY) {
@@ -3312,7 +3721,9 @@ int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
   if ((err = mp_init (&res)) != MP_OKAY) {
     goto LBL_MU;
   }
-  mp_set (&res, 1);
+  if ((err = mp_set (&res, 1)) != MP_OKAY) {
+    goto LBL_MU;
+  }
 
   /* set initial mode and bit cnt */
   mode   = 0;
@@ -3427,7 +3838,7 @@ LBL_M:
 
 
 /* pre-calculate the value required for Barrett reduction
- * For a given modulus "b" it calulates the value required in "a"
+ * For a given modulus "b" it calculates the value required in "a"
  */
 int mp_reduce_setup (mp_int * a, mp_int * b)
 {
@@ -3499,7 +3910,8 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu)
 
   /* If x < 0, add b**(k+1) to it */
   if (mp_cmp_d (x, 0) == MP_LT) {
-    mp_set (&q, 1);
+    if ((res = mp_set (&q, 1)) != MP_OKAY)
+        goto CLEANUP;
     if ((res = mp_lshd (&q, um + 1)) != MP_OKAY)
       goto CLEANUP;
     if ((res = mp_add (x, &q, x)) != MP_OKAY)
@@ -3551,7 +3963,9 @@ top:
    }
 
    if (mp_cmp_mag(a, n) != MP_LT) {
-      s_mp_sub(a, n, a);
+      if ((res = s_mp_sub(a, n, a)) != MP_OKAY) {
+         goto ERR;
+      }
       goto top;
    }
 
@@ -3588,8 +4002,7 @@ ERR:
 /* multiplies |a| * |b| and does not compute the lower digs digits
  * [meant to get the higher part of the product]
  */
-int
-s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
+int s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 {
   mp_int  t;
   int     res, pa, pb, ix, iy;
@@ -3599,8 +4012,9 @@ s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 
   /* can we use the fast multiplier? */
 #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C
-  if (((a->used + b->used + 1) < MP_WARRAY)
-      && MIN (a->used, b->used) < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
+  if (((a->used + b->used + 1) < (int)MP_WARRAY)
+      && MIN (a->used, b->used) <
+      (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
     return fast_s_mp_mul_high_digs (a, b, c, digs);
   }
 #endif
@@ -3612,7 +4026,7 @@ s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 
   pa = a->used;
   pb = b->used;
-  for (ix = 0; ix < pa; ix++) {
+  for (ix = 0; ix < pa && a->dp; ix++) {
     /* clear the carry */
     u = 0;
 
@@ -3665,6 +4079,10 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
 #endif
   mp_word  _W;
 
+  if (a->dp == NULL) { /* JRB, avoid reading uninitialized values */
+      return MP_VAL;
+  }
+
   /* grow the destination as required */
   pa = a->used + b->used;
   if (c->alloc < pa) {
@@ -3673,11 +4091,11 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
     }
   }
 
-  if (pa > MP_WARRAY)
+  if (pa > (int)MP_WARRAY)
     return MP_RANGE;  /* TAO range check */
 
 #ifdef WOLFSSL_SMALL_STACK
-  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, 0, DYNAMIC_TYPE_BIGINT);
+  W = (mp_digit*)XMALLOC(sizeof(mp_digit) * MP_WARRAY, NULL, DYNAMIC_TYPE_BIGINT);
   if (W == NULL)
     return MP_MEM;
 #endif
@@ -3685,7 +4103,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   /* number of output digits to produce */
   pa = a->used + b->used;
   _W = 0;
-  for (ix = digs; ix < pa; ix++) {
+  for (ix = digs; ix < pa; ix++) { /* JRB, have a->dp check at top of function*/
       int      tx, ty, iy;
       mp_digit *tmpx, *tmpy;
 
@@ -3697,7 +4115,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
       tmpx = a->dp + tx;
       tmpy = b->dp + ty;
 
-      /* this is the number of times the loop will iterrate, essentially its
+      /* this is the number of times the loop will iterate, essentially its
          while (tx++ < a->used && ty-- >= 0) { ... }
        */
       iy = MIN(a->used-tx, ty+1);
@@ -3708,7 +4126,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
       }
 
       /* store term */
-      W[ix] = ((mp_digit)_W) & MP_MASK;
+      W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
 
       /* make next carry */
       _W = _W >> ((mp_word)DIGIT_BIT);
@@ -3719,10 +4137,10 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   c->used = pa;
 
   {
-    register mp_digit *tmpc;
+    mp_digit *tmpc;
 
     tmpc = c->dp + digs;
-    for (ix = digs; ix <= pa; ix++) {
+    for (ix = digs; ix < pa; ix++) {   /* TAO, <= could potentially overwrite */
       /* now extract the previous digit [below the carry] */
       *tmpc++ = W[ix];
     }
@@ -3735,32 +4153,40 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
   mp_clamp (c);
 
 #ifdef WOLFSSL_SMALL_STACK
-  XFREE(W, 0, DYNAMIC_TYPE_BIGINT);
+  XFREE(W, NULL, DYNAMIC_TYPE_BIGINT);
 #endif
 
   return MP_OKAY;
 }
 
 
-/* set a 32-bit const */
+#ifndef MP_SET_CHUNK_BITS
+    #define MP_SET_CHUNK_BITS 4
+#endif
 int mp_set_int (mp_int * a, unsigned long b)
 {
-  int     x, res;
+  int x, res;
+
+  /* use direct mp_set if b is less than mp_digit max */
+  if (b < MP_DIGIT_MAX) {
+    return mp_set (a, (mp_digit)b);
+  }
 
   mp_zero (a);
 
-  /* set four bits at a time */
-  for (x = 0; x < 8; x++) {
-    /* shift the number up four bits */
-    if ((res = mp_mul_2d (a, 4, a)) != MP_OKAY) {
+  /* set chunk bits at a time */
+  for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) {
+    /* shift the number up chunk bits */
+    if ((res = mp_mul_2d (a, MP_SET_CHUNK_BITS, a)) != MP_OKAY) {
       return res;
     }
 
-    /* OR in the top four bits of the source */
-    a->dp[0] |= (b >> 28) & 15;
+    /* OR in the top bits of the source */
+    a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) &
+                                  ((1 << MP_SET_CHUNK_BITS) - 1);
 
-    /* shift the source up to the next four bits */
-    b <<= 4;
+    /* shift the source up to the next chunk bits */
+    b <<= MP_SET_CHUNK_BITS;
 
     /* ensure that digits are not clamped off */
     a->used += 1;
@@ -3770,7 +4196,8 @@ int mp_set_int (mp_int * a, unsigned long b)
 }
 
 
-#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_ECC)
+#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_ECC) || !defined(NO_RSA) || \
+    !defined(NO_DSA) | !defined(NO_DH)
 
 /* c = a * a (mod b) */
 int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c)
@@ -3794,7 +4221,10 @@ int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c)
 #endif
 
 
-#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN)
+#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || \
+    defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) || \
+    defined(OPENSSL_EXTRA) || defined(WC_RSA_BLINDING) || \
+    (!defined(NO_RSA) && !defined(NO_RSA_BOUNDS_CHECK))
 
 /* single digit addition */
 int mp_add_d (mp_int* a, mp_digit b, mp_int* c)
@@ -3854,7 +4284,7 @@ int mp_add_d (mp_int* a, mp_digit b, mp_int* c)
         *tmpc++ &= MP_MASK;
      }
      /* set final carry */
-     if (mu != 0 && ix < c->alloc) {
+     if (ix < c->alloc) {
         ix++;
         *tmpc++  = mu;
      }
@@ -3961,7 +4391,9 @@ int mp_sub_d (mp_int * a, mp_digit b, mp_int * c)
 #endif /* defined(HAVE_ECC) || !defined(NO_PWDBASED) */
 
 
-#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
+#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || defined(HAVE_ECC) || \
+    defined(DEBUG_WOLFSSL) || !defined(NO_RSA) || !defined(NO_DSA) || \
+    !defined(NO_DH)
 
 static const int lnz[16] = {
    4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
@@ -3971,16 +4403,17 @@ static const int lnz[16] = {
 int mp_cnt_lsb(mp_int *a)
 {
     int x;
-    mp_digit q, qq;
+    mp_digit q = 0, qq;
 
     /* easy out */
-    if (mp_iszero(a) == 1) {
+    if (mp_iszero(a) == MP_YES) {
         return 0;
     }
 
     /* scan lower digits until non-zero */
-    for (x = 0; x < a->used && a->dp[x] == 0; x++);
-    q = a->dp[x];
+    for (x = 0; x < a->used && a->dp[x] == 0; x++) {}
+    if (a->dp)
+        q = a->dp[x];
     x *= DIGIT_BIT;
 
     /* now scan this digit until a 1 is found */
@@ -4021,7 +4454,7 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
   mp_int  q;
   mp_word w;
   mp_digit t;
-  int     res, ix;
+  int     res = MP_OKAY, ix;
 
   /* cannot divide by zero */
   if (b == 0) {
@@ -4029,7 +4462,7 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
   }
 
   /* quick outs */
-  if (b == 1 || mp_iszero(a) == 1) {
+  if (b == 1 || mp_iszero(a) == MP_YES) {
      if (d != NULL) {
         *d = 0;
      }
@@ -4058,12 +4491,21 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
 #endif
 
   /* no easy answer [c'est la vie].  Just division */
-  if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
-     return res;
+  if (c != NULL) {
+      if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
+         return res;
+      }
+
+      q.used = a->used;
+      q.sign = a->sign;
+  }
+  else {
+      if ((res = mp_init(&q)) != MP_OKAY) {
+         return res;
+      }
   }
 
-  q.used = a->used;
-  q.sign = a->sign;
+
   w = 0;
   for (ix = a->used - 1; ix >= 0; ix--) {
      w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
@@ -4074,7 +4516,8 @@ static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
       } else {
         t = 0;
       }
-      q.dp[ix] = (mp_digit)t;
+      if (c != NULL)
+        q.dp[ix] = (mp_digit)t;
   }
 
   if (d != NULL) {
@@ -4096,11 +4539,11 @@ int mp_mod_d (mp_int * a, mp_digit b, mp_digit * c)
   return mp_div_d(a, b, NULL, c);
 }
 
-#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */
+#endif /* WOLFSSL_KEY_GEN || HAVE_COMP_KEY || HAVE_ECC || DEBUG_WOLFSSL */
 
-#ifdef WOLFSSL_KEY_GEN
+#if defined(WOLFSSL_KEY_GEN) || !defined(NO_DH) || !defined(NO_DSA) || !defined(NO_RSA)
 
-const mp_digit ltm_prime_tab[] = {
+const mp_digit ltm_prime_tab[PRIME_SIZE] = {
   0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
   0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
   0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
@@ -4189,9 +4632,30 @@ static int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result)
   if ((err = mp_init (&y)) != MP_OKAY) {
     goto LBL_R;
   }
-  if ((err = mp_exptmod (b, &r, a, &y)) != MP_OKAY) {
-    goto LBL_Y;
-  }
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+  if (mp_count_bits(a) == 1024)
+      err = sp_ModExp_1024(b, &r, a, &y);
+  else if (mp_count_bits(a) == 2048)
+      err = sp_ModExp_2048(b, &r, a, &y);
+  else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+  if (mp_count_bits(a) == 1536)
+      err = sp_ModExp_1536(b, &r, a, &y);
+  else if (mp_count_bits(a) == 3072)
+      err = sp_ModExp_3072(b, &r, a, &y);
+  else
+#endif
+#ifdef WOLFSSL_SP_4096
+  if (mp_count_bits(a) == 4096)
+      err = sp_ModExp_4096(b, &r, a, &y);
+  else
+#endif
+#endif
+      err = mp_exptmod (b, &r, a, &y);
+  if (err != MP_OKAY)
+      goto LBL_Y;
 
   /* if y != 1 and y != n1 do */
   if (mp_cmp_d (&y, 1) != MP_EQ && mp_cmp (&y, &n1) != MP_EQ) {
@@ -4254,7 +4718,6 @@ static int mp_prime_is_divisible (mp_int * a, int *result)
   return MP_OKAY;
 }
 
-
 /*
  * Sets result to 1 if probably prime, 0 otherwise
  */
@@ -4271,10 +4734,15 @@ int mp_prime_is_prime (mp_int * a, int t, int *result)
     return MP_VAL;
   }
 
+  if (mp_isone(a)) {
+      *result = MP_NO;
+      return MP_OKAY;
+  }
+
   /* is the input equal to one of the primes in the table? */
   for (ix = 0; ix < PRIME_SIZE; ix++) {
       if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) {
-         *result = 1;
+         *result = MP_YES;
          return MP_OKAY;
       }
   }
@@ -4296,7 +4764,9 @@ int mp_prime_is_prime (mp_int * a, int t, int *result)
 
   for (ix = 0; ix < t; ix++) {
     /* set the prime */
-    mp_set (&b, ltm_prime_tab[ix]);
+    if ((err = mp_set (&b, ltm_prime_tab[ix])) != MP_OKAY) {
+        goto LBL_B;
+    }
 
     if ((err = mp_prime_miller_rabin (a, &b, &res)) != MP_OKAY) {
       goto LBL_B;
@@ -4314,6 +4784,177 @@ LBL_B:mp_clear (&b);
 }
 
 
+/*
+ * Sets result to 1 if probably prime, 0 otherwise
+ */
+int mp_prime_is_prime_ex (mp_int * a, int t, int *result, WC_RNG *rng)
+{
+  mp_int  b, c;
+  int     ix, err, res;
+  byte*   base = NULL;
+  word32  baseSz = 0;
+
+  /* default to no */
+  *result = MP_NO;
+
+  /* valid value of t? */
+  if (t <= 0 || t > PRIME_SIZE) {
+    return MP_VAL;
+  }
+
+  if (mp_isone(a)) {
+    *result = MP_NO;
+    return MP_OKAY;
+  }
+
+  /* is the input equal to one of the primes in the table? */
+  for (ix = 0; ix < PRIME_SIZE; ix++) {
+      if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) {
+         *result = MP_YES;
+         return MP_OKAY;
+      }
+  }
+
+  /* first perform trial division */
+  if ((err = mp_prime_is_divisible (a, &res)) != MP_OKAY) {
+    return err;
+  }
+
+  /* return if it was trivially divisible */
+  if (res == MP_YES) {
+    return MP_OKAY;
+  }
+
+  /* now perform the miller-rabin rounds */
+  if ((err = mp_init (&b)) != MP_OKAY) {
+    return err;
+  }
+  if ((err = mp_init (&c)) != MP_OKAY) {
+      mp_clear(&b);
+    return err;
+  }
+
+  baseSz = mp_count_bits(a);
+  baseSz = (baseSz / 8) + ((baseSz % 8) ? 1 : 0);
+
+  base = (byte*)XMALLOC(baseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  if (base == NULL) {
+      err = MP_MEM;
+      goto LBL_B;
+  }
+
+  if ((err = mp_sub_d(a, 2, &c)) != MP_OKAY) {
+      goto LBL_B;
+  }
+
+ /* now do a miller rabin with up to t random numbers, this should
+  * give a (1/4)^t chance of a false prime. */
+  for (ix = 0; ix < t; ix++) {
+    /* Set a test candidate. */
+    if ((err = wc_RNG_GenerateBlock(rng, base, baseSz)) != 0) {
+        goto LBL_B;
+    }
+
+    if ((err = mp_read_unsigned_bin(&b, base, baseSz)) != MP_OKAY) {
+        goto LBL_B;
+    }
+
+    if (mp_cmp_d(&b, 2) != MP_GT || mp_cmp(&b, &c) != MP_LT) {
+        ix--;
+        continue;
+    }
+
+    if ((err = mp_prime_miller_rabin (a, &b, &res)) != MP_OKAY) {
+      goto LBL_B;
+    }
+
+    if (res == MP_NO) {
+      goto LBL_B;
+    }
+  }
+
+  /* passed the test */
+  *result = MP_YES;
+LBL_B:mp_clear (&b);
+      mp_clear (&c);
+      XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  return err;
+}
+
+#endif /* WOLFSSL_KEY_GEN NO_DH NO_DSA NO_RSA */
+
+#ifdef WOLFSSL_KEY_GEN
+
+static const int USE_BBS = 1;
+
+int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
+{
+    int   err, res, type;
+    byte* buf;
+
+    if (N == NULL || rng == NULL)
+        return MP_VAL;
+
+    /* get type */
+    if (len < 0) {
+        type = USE_BBS;
+        len = -len;
+    } else {
+        type = 0;
+    }
+
+    /* allow sizes between 2 and 512 bytes for a prime size */
+    if (len < 2 || len > 512) {
+        return MP_VAL;
+    }
+
+    /* allocate buffer to work with */
+    buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
+    if (buf == NULL) {
+        return MP_MEM;
+    }
+    XMEMSET(buf, 0, len);
+
+    do {
+#ifdef SHOW_GEN
+        printf(".");
+        fflush(stdout);
+#endif
+        /* generate value */
+        err = wc_RNG_GenerateBlock(rng, buf, len);
+        if (err != 0) {
+            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+            return err;
+        }
+
+        /* munge bits */
+        buf[0]     |= 0x80 | 0x40;
+        buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
+
+        /* load value */
+        if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
+            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+            return err;
+        }
+
+        /* test */
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8. */
+        if ((err = mp_prime_is_prime_ex(N, 8, &res, rng)) != MP_OKAY) {
+            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+            return err;
+        }
+    } while (res == MP_NO);
+
+    XMEMSET(buf, 0, len);
+    XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+
+    return MP_OKAY;
+}
+
+
 /* computes least common multiple as |a*b|/(a, b) */
 int mp_lcm (mp_int * a, mp_int * b, mp_int * c)
 {
@@ -4411,7 +5052,7 @@ int mp_gcd (mp_int * a, mp_int * b, mp_int * c)
         }
     }
 
-    while (mp_iszero(&v) == 0) {
+    while (mp_iszero(&v) == MP_NO) {
         /* make sure v is the largest */
         if (mp_cmp_mag(&u, &v) == MP_GT) {
             /* swap u and v to make sure v is >= u */
@@ -4435,21 +5076,24 @@ int mp_gcd (mp_int * a, mp_int * b, mp_int * c)
     }
     c->sign = MP_ZPOS;
     res = MP_OKAY;
-LBL_V:mp_clear (&u);
-LBL_U:mp_clear (&v);
+LBL_V:mp_clear (&v);
+LBL_U:mp_clear (&u);
     return res;
 }
 
-
-
 #endif /* WOLFSSL_KEY_GEN */
 
 
-#ifdef HAVE_ECC
+#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || \
+    defined(HAVE_COMP_KEY) || defined(WOLFSSL_DEBUG_MATH) || \
+    defined(DEBUG_WOLFSSL) || defined(OPENSSL_EXTRA)
 
 /* chars used in radix conversions */
-const char *mp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
+const char *mp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\
+                         abcdefghijklmnopqrstuvwxyz+/";
+#endif
 
+#if !defined(NO_DSA) || defined(HAVE_ECC)
 /* read a string [ASCII] in a given radix */
 int mp_read_radix (mp_int * a, const char *str, int radix)
 {
@@ -4460,7 +5104,7 @@ int mp_read_radix (mp_int * a, const char *str, int radix)
   mp_zero(a);
 
   /* make sure the radix is ok */
-  if (radix < 2 || radix > 64) {
+  if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) {
     return MP_VAL;
   }
 
@@ -4478,12 +5122,12 @@ int mp_read_radix (mp_int * a, const char *str, int radix)
   mp_zero (a);
 
   /* process each digit of the string */
-  while (*str) {
-    /* if the radix < 36 the conversion is case insensitive
+  while (*str != '\0') {
+    /* if the radix <= 36 the conversion is case insensitive
      * this allows numbers like 1AB and 1ab to represent the same  value
      * [e.g. in hex]
      */
-    ch = (char) ((radix < 36) ? XTOUPPER((unsigned char)*str) : *str);
+    ch = (radix <= 36) ? (char)XTOUPPER((unsigned char)*str) : *str;
     for (y = 0; y < 64; y++) {
       if (ch == mp_s_rmap[y]) {
          break;
@@ -4507,16 +5151,170 @@ int mp_read_radix (mp_int * a, const char *str, int radix)
     ++str;
   }
 
+  /* if digit in isn't null term, then invalid character was found */
+  if (*str != '\0') {
+     mp_zero (a);
+     return MP_VAL;
+  }
+
   /* set the sign only if a != 0 */
-  if (mp_iszero(a) != 1) {
+  if (mp_iszero(a) != MP_YES) {
      a->sign = neg;
   }
   return MP_OKAY;
 }
+#endif /* !defined(NO_DSA) || defined(HAVE_ECC) */
+
+#ifdef WC_MP_TO_RADIX
+
+/* returns size of ASCII representation */
+int mp_radix_size (mp_int *a, int radix, int *size)
+{
+    int     res, digs;
+    mp_int  t;
+    mp_digit d;
+
+    *size = 0;
+
+    /* special case for binary */
+    if (radix == MP_RADIX_BIN) {
+        *size = mp_count_bits (a) + (a->sign == MP_NEG ? 1 : 0) + 1;
+        return MP_OKAY;
+    }
+
+    /* make sure the radix is in range */
+    if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) {
+        return MP_VAL;
+    }
+
+    if (mp_iszero(a) == MP_YES) {
+        *size = 2;
+        return MP_OKAY;
+    }
+
+    /* digs is the digit count */
+    digs = 0;
+
+    /* if it's negative add one for the sign */
+    if (a->sign == MP_NEG) {
+        ++digs;
+    }
+
+    /* init a copy of the input */
+    if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
+        return res;
+    }
+
+    /* force temp to positive */
+    t.sign = MP_ZPOS;
+
+    /* fetch out all of the digits */
+    while (mp_iszero (&t) == MP_NO) {
+        if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
+            mp_clear (&t);
+            return res;
+        }
+        ++digs;
+    }
+    mp_clear (&t);
+
+    /* return digs + 1, the 1 is for the NULL byte that would be required. */
+    *size = digs + 1;
+    return MP_OKAY;
+}
+
+/* stores a bignum as a ASCII string in a given radix (2..64) */
+int mp_toradix (mp_int *a, char *str, int radix)
+{
+    int     res, digs;
+    mp_int  t;
+    mp_digit d;
+    char   *_s = str;
+
+    /* check range of the radix */
+    if (radix < MP_RADIX_BIN || radix > MP_RADIX_MAX) {
+        return MP_VAL;
+    }
+
+    /* quick out if its zero */
+    if (mp_iszero(a) == MP_YES) {
+        *str++ = '0';
+        *str = '\0';
+        return MP_OKAY;
+    }
+
+    if ((res = mp_init_copy (&t, a)) != MP_OKAY) {
+        return res;
+    }
+
+    /* if it is negative output a - */
+    if (t.sign == MP_NEG) {
+        ++_s;
+        *str++ = '-';
+        t.sign = MP_ZPOS;
+    }
+
+    digs = 0;
+    while (mp_iszero (&t) == MP_NO) {
+        if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) {
+            mp_clear (&t);
+            return res;
+        }
+        *str++ = mp_s_rmap[d];
+        ++digs;
+    }
+#ifndef WC_DISABLE_RADIX_ZERO_PAD
+    /* For hexadecimal output, add zero padding when number of digits is odd */
+    if ((digs & 1) && (radix == 16)) {
+        *str++ = mp_s_rmap[0];
+        ++digs;
+    }
+#endif
+    /* reverse the digits of the string.  In this case _s points
+     * to the first digit [excluding the sign] of the number]
+     */
+    bn_reverse ((unsigned char *)_s, digs);
+
+    /* append a NULL so the string is properly terminated */
+    *str = '\0';
+
+    mp_clear (&t);
+    return MP_OKAY;
+}
+
+#ifdef WOLFSSL_DEBUG_MATH
+void mp_dump(const char* desc, mp_int* a, byte verbose)
+{
+  char *buffer;
+  int size = a->alloc;
+
+  buffer = (char*)XMALLOC(size * sizeof(mp_digit) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  if (buffer == NULL) {
+    return;
+  }
+
+  printf("%s: ptr=%p, used=%d, sign=%d, size=%d, mpd=%d\n",
+    desc, a, a->used, a->sign, size, (int)sizeof(mp_digit));
+
+  mp_tohex(a, buffer);
+  printf("  %s\n  ", buffer);
+
+  if (verbose) {
+    int i;
+    for(i=0; i<a->alloc * (int)sizeof(mp_digit); i++) {
+      printf("%02x ", *(((byte*)a->dp) + i));
+    }
+    printf("\n");
+  }
+
+  XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+}
+#endif /* WOLFSSL_DEBUG_MATH */
 
-#endif /* HAVE_ECC */
+#endif /* WC_MP_TO_RADIX */
+
+#endif /* WOLFSSL_SP_MATH */
 
 #endif /* USE_FAST_MATH */
 
 #endif /* NO_BIG_INT */
-
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/logging.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/logging.c
index 321530616..0c818aa71 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/logging.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/logging.c
@@ -1,8 +1,8 @@
 /* logging.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,62 +16,145 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
 
-/* submitted by eof */
-
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
-
-
-#ifdef __cplusplus
-    extern "C" {
+#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
+/* avoid adding WANT_READ and WANT_WRITE to error queue */
+#include <wolfssl/error-ssl.h>
 #endif
-    WOLFSSL_API int  wolfSSL_Debugging_ON(void);
-    WOLFSSL_API void wolfSSL_Debugging_OFF(void);
-#ifdef __cplusplus
-    } 
+
+#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+static wolfSSL_Mutex debug_mutex; /* mutex for access to debug structure */
+
+/* accessing any node from the queue should be wrapped in a lock of
+ * debug_mutex */
+static void* wc_error_heap;
+struct wc_error_queue {
+    void*  heap; /* the heap hint used with nodes creation */
+    struct wc_error_queue* next;
+    struct wc_error_queue* prev;
+    char   error[WOLFSSL_MAX_ERROR_SZ];
+    char   file[WOLFSSL_MAX_ERROR_SZ];
+    int    value;
+    int    line;
+};
+volatile struct wc_error_queue* wc_errors;
+static struct wc_error_queue* wc_current_node;
+static struct wc_error_queue* wc_last_node;
+/* pointer to last node in queue to make insertion O(1) */
 #endif
 
+#ifdef WOLFSSL_FUNC_TIME
+/* WARNING: This code is only to be used for debugging performance.
+ *          The code is not thread-safe.
+ *          Do not use WOLFSSL_FUNC_TIME in production code.
+ */
+static double wc_func_start[WC_FUNC_COUNT];
+static double wc_func_time[WC_FUNC_COUNT] = { 0, };
+static const char* wc_func_name[WC_FUNC_COUNT] = {
+    "SendHelloRequest",
+    "DoHelloRequest",
+    "SendClientHello",
+    "DoClientHello",
+    "SendServerHello",
+    "DoServerHello",
+    "SendEncryptedExtensions",
+    "DoEncryptedExtensions",
+    "SendCertificateRequest",
+    "DoCertificateRequest",
+    "SendCertificate",
+    "DoCertificate",
+    "SendCertificateVerify",
+    "DoCertificateVerify",
+    "SendFinished",
+    "DoFinished",
+    "SendKeyUpdate",
+    "DoKeyUpdate",
+    "SendEarlyData",
+    "DoEarlyData",
+    "SendNewSessionTicket",
+    "DoNewSessionTicket",
+    "SendServerHelloDone",
+    "DoServerHelloDone",
+    "SendTicket",
+    "DoTicket",
+    "SendClientKeyExchange",
+    "DoClientKeyExchange",
+    "SendCertificateStatus",
+    "DoCertificateStatus",
+    "SendServerKeyExchange",
+    "DoServerKeyExchange",
+    "SendEarlyData",
+    "DoEarlyData",
+};
+
+#include <sys/time.h>
+
+/* WARNING: This function is not portable. */
+static WC_INLINE double current_time(int reset)
+{
+    struct timeval tv;
+    gettimeofday(&tv, 0);
+    (void)reset;
+
+    return (double)tv.tv_sec + (double)tv.tv_usec / 1000000;
+}
+#endif /* WOLFSSL_FUNC_TIME */
 
 #ifdef DEBUG_WOLFSSL
 
 /* Set these to default values initially. */
-static wolfSSL_Logging_cb log_function = 0;
+static wolfSSL_Logging_cb log_function = NULL;
 static int loggingEnabled = 0;
 
+#if defined(WOLFSSL_APACHE_MYNEWT)
+#include "log/log.h"
+static struct log mynewt_log;
+#endif /* WOLFSSL_APACHE_MYNEWT */
+
 #endif /* DEBUG_WOLFSSL */
 
 
+/* allow this to be set to NULL, so logs can be redirected to default output */
 int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb f)
 {
 #ifdef DEBUG_WOLFSSL
-    int res = 0;
-
-    if (f)
-        log_function = f;
-    else
-        res = BAD_FUNC_ARG;
-
-    return res;
+    log_function = f;
+    return 0;
 #else
     (void)f;
     return NOT_COMPILED_IN;
 #endif
 }
 
+/* allow this to be set to NULL, so logs can be redirected to default output */
+wolfSSL_Logging_cb wolfSSL_GetLoggingCb(void)
+{
+#ifdef DEBUG_WOLFSSL
+    return log_function;
+#else
+    return NULL;
+#endif
+}
+
 
 int wolfSSL_Debugging_ON(void)
 {
 #ifdef DEBUG_WOLFSSL
     loggingEnabled = 1;
+#if defined(WOLFSSL_APACHE_MYNEWT)
+    log_register("wolfcrypt", &mynewt_log, &log_console_handler, NULL, LOG_SYSLEVEL);
+#endif /* WOLFSSL_APACHE_MYNEWT */
     return 0;
 #else
     return NOT_COMPILED_IN;
@@ -86,16 +169,72 @@ void wolfSSL_Debugging_OFF(void)
 #endif
 }
 
+#ifdef WOLFSSL_FUNC_TIME
+/* WARNING: This code is only to be used for debugging performance.
+ *          The code is not thread-safe.
+ *          Do not use WOLFSSL_FUNC_TIME in production code.
+ */
+void WOLFSSL_START(int funcNum)
+{
+    double now = current_time(0) * 1000.0;
+#ifdef WOLFSSL_FUNC_TIME_LOG
+    fprintf(stderr, "%17.3f: START - %s\n", now, wc_func_name[funcNum]);
+#endif
+    wc_func_start[funcNum] = now;
+}
+
+void WOLFSSL_END(int funcNum)
+{
+    double now = current_time(0) * 1000.0;
+    wc_func_time[funcNum] += now - wc_func_start[funcNum];
+#ifdef WOLFSSL_FUNC_TIME_LOG
+    fprintf(stderr, "%17.3f: END   - %s\n", now, wc_func_name[funcNum]);
+#endif
+}
+
+void WOLFSSL_TIME(int count)
+{
+    int i;
+    double avg, total = 0;
+
+    for (i = 0; i < WC_FUNC_COUNT; i++) {
+        if (wc_func_time[i] > 0) {
+            avg = wc_func_time[i] / count;
+            fprintf(stderr, "%8.3f ms: %s\n", avg, wc_func_name[i]);
+            total += avg;
+        }
+    }
+    fprintf(stderr, "%8.3f ms\n", total);
+}
+#endif
 
 #ifdef DEBUG_WOLFSSL
 
-#ifdef FREESCALE_MQX
-    #include <fio.h>
+#if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+    /* see wc_port.h for fio.h and nio.h includes */
+#elif defined(WOLFSSL_SGX)
+    /* Declare sprintf for ocall */
+    int sprintf(char* buf, const char *fmt, ...);
+#elif defined(WOLFSSL_DEOS)
+#elif defined(MICRIUM)
+    #if (BSP_SER_COMM_EN  == DEF_ENABLED)
+        #include <bsp_ser.h>
+    #endif
+#elif defined(WOLFSSL_USER_LOG)
+    /* user includes their own headers */
+#elif defined(WOLFSSL_ESPIDF)
+    #include "esp_types.h"
+    #include "esp_log.h"
+#elif defined(WOLFSSL_TELIT_M2MB)
+    #include <stdio.h>
+    #include "m2m_log.h"
+#elif defined(WOLFSSL_ANDROID_DEBUG)
+    #include <android/log.h>
 #else
     #include <stdio.h>   /* for default printf stuff */
 #endif
 
-#ifdef THREADX
+#if defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
     int dc_log_printf(char*, ...);
 #endif
 
@@ -104,37 +243,105 @@ static void wolfssl_log(const int logLevel, const char *const logMessage)
     if (log_function)
         log_function(logLevel, logMessage);
     else {
-        if (loggingEnabled) {
-#ifdef THREADX
-            dc_log_printf("%s\n", logMessage);
+#if defined(WOLFSSL_USER_LOG)
+        WOLFSSL_USER_LOG(logMessage);
+#elif defined(WOLFSSL_LOG_PRINTF)
+        printf("%s\n", logMessage);
+
+#elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
+        dc_log_printf("%s\n", logMessage);
+#elif defined(WOLFSSL_DEOS)
+        printf("%s\r\n", logMessage);
 #elif defined(MICRIUM)
-        #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-            NetSecure_TraceOut((CPU_CHAR *)logMessage);
-        #endif
+        BSP_Ser_Printf("%s\r\n", logMessage);
 #elif defined(WOLFSSL_MDK_ARM)
-            fflush(stdout) ;
-            printf("%s\n", logMessage);
-            fflush(stdout) ;
+        fflush(stdout) ;
+        printf("%s\n", logMessage);
+        fflush(stdout) ;
+#elif defined(WOLFSSL_UTASKER)
+        fnDebugMsg((char*)logMessage);
+        fnDebugMsg("\r\n");
+#elif defined(MQX_USE_IO_OLD)
+        fprintf(_mqxio_stderr, "%s\n", logMessage);
+
+#elif defined(WOLFSSL_APACHE_MYNEWT)
+        LOG_DEBUG(&mynewt_log, LOG_MODULE_DEFAULT, "%s\n", logMessage);
+#elif defined(WOLFSSL_ESPIDF)
+        ESP_LOGI("wolfssl", "%s", logMessage);
+#elif defined(WOLFSSL_ZEPHYR)
+        printk("%s\n", logMessage);
+#elif defined(WOLFSSL_TELIT_M2MB)
+        M2M_LOG_INFO("%s\n", logMessage);
+#elif defined(WOLFSSL_ANDROID_DEBUG)
+        __android_log_print(ANDROID_LOG_VERBOSE, "[wolfSSL]", "%s", logMessage);
 #else
-            fprintf(stderr, "%s\n", logMessage);
+        fprintf(stderr, "%s\n", logMessage);
 #endif
-        }
     }
 }
 
-
+#ifndef WOLFSSL_DEBUG_ERRORS_ONLY
 void WOLFSSL_MSG(const char* msg)
 {
     if (loggingEnabled)
         wolfssl_log(INFO_LOG , msg);
 }
 
+#ifndef LINE_LEN
+#define LINE_LEN 16
+#endif
+void WOLFSSL_BUFFER(const byte* buffer, word32 length)
+{
+    int i, buflen = (int)length, bufidx;
+    char line[(LINE_LEN * 4) + 3]; /* \t00..0F | chars...chars\0 */
+
+    if (!loggingEnabled) {
+        return;
+    }
+
+    if (!buffer) {
+        wolfssl_log(INFO_LOG, "\tNULL");
+        return;
+    }
+
+    while (buflen > 0) {
+        bufidx = 0;
+        XSNPRINTF(&line[bufidx], sizeof(line)-bufidx, "\t");
+        bufidx++;
+
+        for (i = 0; i < LINE_LEN; i++) {
+            if (i < buflen) {
+                XSNPRINTF(&line[bufidx], sizeof(line)-bufidx, "%02x ", buffer[i]);
+            }
+            else {
+                XSNPRINTF(&line[bufidx], sizeof(line)-bufidx, "   ");
+            }
+            bufidx += 3;
+        }
+
+        XSNPRINTF(&line[bufidx], sizeof(line)-bufidx, "| ");
+        bufidx++;
+
+        for (i = 0; i < LINE_LEN; i++) {
+            if (i < buflen) {
+                XSNPRINTF(&line[bufidx], sizeof(line)-bufidx,
+                     "%c", 31 < buffer[i] && buffer[i] < 127 ? buffer[i] : '.');
+                bufidx++;
+            }
+        }
+
+        wolfssl_log(INFO_LOG, line);
+        buffer += LINE_LEN;
+        buflen -= LINE_LEN;
+    }
+}
+
 
 void WOLFSSL_ENTER(const char* msg)
 {
     if (loggingEnabled) {
-        char buffer[80];
-        sprintf(buffer, "wolfSSL Entering %s", msg);
+        char buffer[WOLFSSL_MAX_ERROR_SZ];
+        XSNPRINTF(buffer, sizeof(buffer), "wolfSSL Entering %s", msg);
         wolfssl_log(ENTER_LOG , buffer);
     }
 }
@@ -143,20 +350,494 @@ void WOLFSSL_ENTER(const char* msg)
 void WOLFSSL_LEAVE(const char* msg, int ret)
 {
     if (loggingEnabled) {
-        char buffer[80];
-        sprintf(buffer, "wolfSSL Leaving %s, return %d", msg, ret);
+        char buffer[WOLFSSL_MAX_ERROR_SZ];
+        XSNPRINTF(buffer, sizeof(buffer), "wolfSSL Leaving %s, return %d",
+                msg, ret);
         wolfssl_log(LEAVE_LOG , buffer);
     }
 }
 
+WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void)
+{
+    return loggingEnabled;
+}
+#endif /* !WOLFSSL_DEBUG_ERRORS_ONLY */
+#endif /* DEBUG_WOLFSSL */
 
+/*
+ * When using OPENSSL_EXTRA or DEBUG_WOLFSSL_VERBOSE macro then WOLFSSL_ERROR is
+ * mapped to new function WOLFSSL_ERROR_LINE which gets the line # and function
+ * name where WOLFSSL_ERROR is called at.
+ */
+#if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || \
+    defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
+    defined(OPENSSL_EXTRA)
+
+#if (defined(OPENSSL_EXTRA) && !defined(_WIN32) && !defined(NO_ERROR_QUEUE)) \
+    || defined(DEBUG_WOLFSSL_VERBOSE)
+void WOLFSSL_ERROR_LINE(int error, const char* func, unsigned int line,
+        const char* file, void* usrCtx)
+#else
 void WOLFSSL_ERROR(int error)
+#endif
 {
-    if (loggingEnabled) {
-        char buffer[80];
-        sprintf(buffer, "wolfSSL error occured, error = %d", error);
-        wolfssl_log(ERROR_LOG , buffer);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (error != WC_PENDING_E)
+#endif
+    {
+        char buffer[WOLFSSL_MAX_ERROR_SZ];
+
+    #if (defined(OPENSSL_EXTRA) && !defined(_WIN32) && \
+            !defined(NO_ERROR_QUEUE)) || defined(DEBUG_WOLFSSL_VERBOSE)
+        (void)usrCtx; /* a user ctx for future flexibility */
+        (void)func;
+
+        if (wc_LockMutex(&debug_mutex) != 0) {
+            WOLFSSL_MSG("Lock debug mutex failed");
+            XSNPRINTF(buffer, sizeof(buffer),
+                    "wolfSSL error occurred, error = %d", error);
+        }
+        else {
+            #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
+            /* If running in compatibility mode do not add want read and
+               want right to error queue */
+            if (error != WANT_READ && error != WANT_WRITE) {
+            #endif
+            if (error < 0)
+                error = error - (2 * error); /* get absolute value */
+            XSNPRINTF(buffer, sizeof(buffer),
+                    "wolfSSL error occurred, error = %d line:%d file:%s",
+                    error, line, file);
+            if (wc_AddErrorNode(error, line, buffer, (char*)file) != 0) {
+                WOLFSSL_MSG("Error creating logging node");
+                /* with void function there is no return here, continue on
+                 * to unlock mutex and log what buffer was created. */
+            }
+            #if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
+            }
+            else {
+                XSNPRINTF(buffer, sizeof(buffer),
+                    "wolfSSL error occurred, error = %d", error);
+
+            }
+            #endif
+
+            wc_UnLockMutex(&debug_mutex);
+        }
+    #else
+        XSNPRINTF(buffer, sizeof(buffer),
+                "wolfSSL error occurred, error = %d", error);
+    #endif
+
+    #ifdef DEBUG_WOLFSSL
+        if (loggingEnabled)
+            wolfssl_log(ERROR_LOG , buffer);
+    #endif
+    }
+}
+
+void WOLFSSL_ERROR_MSG(const char* msg)
+{
+#ifdef DEBUG_WOLFSSL
+    if (loggingEnabled)
+        wolfssl_log(ERROR_LOG , msg);
+#else
+    (void)msg;
+#endif
+}
+
+#endif  /* DEBUG_WOLFSSL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
+
+#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+/* Internal function that is called by wolfCrypt_Init() */
+int wc_LoggingInit(void)
+{
+    if (wc_InitMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Bad Init Mutex");
+        return BAD_MUTEX_E;
+    }
+    wc_errors          = NULL;
+    wc_current_node    = NULL;
+    wc_last_node       = NULL;
+
+    return 0;
+}
+
+
+/* internal function that is called by wolfCrypt_Cleanup */
+int wc_LoggingCleanup(void)
+{
+    /* clear logging entries */
+    wc_ClearErrorNodes();
+
+    /* free mutex */
+    if (wc_FreeMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Bad Mutex free");
+        return BAD_MUTEX_E;
+    }
+    return 0;
+}
+
+
+/* peek at an error node
+ *
+ * idx : if -1 then the most recent node is looked at, otherwise search
+ *         through queue for node at the given index
+ * file  : pointer to internal file string
+ * reason : pointer to internal error reason
+ * line  : line number that error happened at
+ *
+ * Returns a negative value in error case, on success returns the nodes error
+ * value which is positive (absolute value)
+ */
+int wc_PeekErrorNode(int idx, const char **file, const char **reason,
+        int *line)
+{
+    struct wc_error_queue* err;
+
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return BAD_MUTEX_E;
+    }
+
+    if (idx < 0) {
+        err = wc_last_node;
+    }
+    else {
+        int i;
+
+        err = (struct wc_error_queue*)wc_errors;
+        for (i = 0; i < idx; i++) {
+            if (err == NULL) {
+                WOLFSSL_MSG("Error node not found. Bad index?");
+                wc_UnLockMutex(&debug_mutex);
+                return BAD_FUNC_ARG;
+            }
+            err = err->next;
+        }
+    }
+
+    if (err == NULL) {
+        WOLFSSL_MSG("No Errors in queue");
+        wc_UnLockMutex(&debug_mutex);
+        return BAD_STATE_E;
+    }
+
+    if (file != NULL) {
+        *file = err->file;
+    }
+
+    if (reason != NULL) {
+        *reason = err->error;
+    }
+
+    if (line != NULL) {
+        *line = err->line;
+    }
+
+    wc_UnLockMutex(&debug_mutex);
+
+    return err->value;
+}
+
+
+/* Pulls the current node from error queue and increments current state.
+ * Note: this does not delete nodes because input arguments are pointing to
+ *       node buffers.
+ *
+ * file   pointer to file that error was in. Can be NULL to return no file.
+ * reason error string giving reason for error. Can be NULL to return no reason.
+ * line   return line number of where error happened.
+ *
+ * returns the error value on success and BAD_MUTEX_E or BAD_STATE_E on failure
+ */
+int wc_PullErrorNode(const char **file, const char **reason, int *line)
+{
+    struct wc_error_queue* err;
+    int value;
+
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return BAD_MUTEX_E;
+    }
+
+    err = wc_current_node;
+    if (err == NULL) {
+        WOLFSSL_MSG("No Errors in queue");
+        wc_UnLockMutex(&debug_mutex);
+        return BAD_STATE_E;
+    }
+
+    if (file != NULL) {
+        *file = err->file;
+    }
+
+    if (reason != NULL) {
+        *reason = err->error;
+    }
+
+    if (line != NULL) {
+        *line = err->line;
+    }
+
+    value = err->value;
+    wc_current_node = err->next;
+    wc_UnLockMutex(&debug_mutex);
+
+    return value;
+}
+
+
+/* create new error node and add it to the queue
+ * buffers are assumed to be of size WOLFSSL_MAX_ERROR_SZ for this internal
+ * function. debug_mutex should be locked before a call to this function. */
+int wc_AddErrorNode(int error, int line, char* buf, char* file)
+{
+#if defined(NO_ERROR_QUEUE)
+    (void)error;
+    (void)line;
+    (void)buf;
+    (void)file;
+    WOLFSSL_MSG("Error queue turned off, can not add nodes");
+#else
+    struct wc_error_queue* err;
+    err = (struct wc_error_queue*)XMALLOC(
+            sizeof(struct wc_error_queue), wc_error_heap, DYNAMIC_TYPE_LOG);
+    if (err == NULL) {
+        WOLFSSL_MSG("Unable to create error node for log");
+        return MEMORY_E;
+    }
+    else {
+        int sz;
+
+        XMEMSET(err, 0, sizeof(struct wc_error_queue));
+        err->heap = wc_error_heap;
+        sz = (int)XSTRLEN(buf);
+        if (sz > WOLFSSL_MAX_ERROR_SZ - 1) {
+            sz = WOLFSSL_MAX_ERROR_SZ - 1;
+        }
+        if (sz > 0) {
+            XMEMCPY(err->error, buf, sz);
+        }
+
+        sz = (int)XSTRLEN(file);
+        if (sz > WOLFSSL_MAX_ERROR_SZ - 1) {
+            sz = WOLFSSL_MAX_ERROR_SZ - 1;
+        }
+        if (sz > 0) {
+            XMEMCPY(err->file, file, sz);
+        }
+
+        err->value = error;
+        err->line  = line;
+
+        /* make sure is terminated */
+        err->error[WOLFSSL_MAX_ERROR_SZ - 1] = '\0';
+        err->file[WOLFSSL_MAX_ERROR_SZ - 1]  = '\0';
+
+
+        /* since is queue place new node at last of the list */
+        if (wc_last_node == NULL) {
+            /* case of first node added to queue */
+            if (wc_errors != NULL) {
+                /* check for unexpected case before over writing wc_errors */
+                WOLFSSL_MSG("ERROR in adding new node to logging queue!!\n");
+                /* In the event both wc_last_node and wc_errors are NULL, err
+                 * goes unassigned to external wc_errors, wc_last_node. Free
+                 * err in this instance since wc_ClearErrorNodes will not
+                 */
+                XFREE(err, wc_error_heap, DYNAMIC_TYPE_LOG);
+            }
+            else {
+                wc_errors    = err;
+                wc_last_node = err;
+                wc_current_node = err;
+            }
+        }
+        else {
+            wc_last_node->next = err;
+            err->prev = wc_last_node;
+            wc_last_node = err;
+
+            /* check the case where have read to the end of the queue and the
+             * current node to read needs updated */
+            if (wc_current_node == NULL) {
+                wc_current_node = err;
+            }
+        }
+    }
+#endif
+    return 0;
+}
+
+/* Removes the error node at the specified index.
+ * idx : if -1 then the most recent node is looked at, otherwise search
+ *         through queue for node at the given index
+ */
+void wc_RemoveErrorNode(int idx)
+{
+    struct wc_error_queue* current;
+
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return;
+    }
+
+    if (idx == -1)
+        current = wc_last_node;
+    else {
+        current = (struct wc_error_queue*)wc_errors;
+        for (; current != NULL && idx > 0; idx--)
+             current = current->next;
+    }
+    if (current != NULL) {
+        if (current->prev != NULL)
+            current->prev->next = current->next;
+        if (current->next != NULL)
+            current->next->prev = current->prev;
+        if (wc_last_node == current)
+            wc_last_node = current->prev;
+        if (wc_errors == current)
+            wc_errors = current->next;
+        if (wc_current_node == current)
+            wc_current_node = current->next;
+        XFREE(current, current->heap, DYNAMIC_TYPE_LOG);
+    }
+
+    wc_UnLockMutex(&debug_mutex);
+}
+
+
+/* Clears out the list of error nodes.
+ */
+void wc_ClearErrorNodes(void)
+{
+#if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_NGINX) || \
+    defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return;
+    }
+
+    /* free all nodes from error queue */
+    {
+        struct wc_error_queue* current;
+        struct wc_error_queue* next;
+
+        current = (struct wc_error_queue*)wc_errors;
+        while (current != NULL) {
+            next = current->next;
+            XFREE(current, current->heap, DYNAMIC_TYPE_LOG);
+            current = next;
+        }
+    }
+
+    wc_errors       = NULL;
+    wc_last_node    = NULL;
+    wc_current_node = NULL;
+    wc_UnLockMutex(&debug_mutex);
+#endif /* DEBUG_WOLFSSL || WOLFSSL_NGINX */
+}
+
+int wc_SetLoggingHeap(void* h)
+{
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return BAD_MUTEX_E;
+    }
+    wc_error_heap = h;
+    wc_UnLockMutex(&debug_mutex);
+    return 0;
+}
+
+
+/* frees all nodes in the queue
+ *
+ * id  this is the thread id
+ */
+int wc_ERR_remove_state(void)
+{
+    struct wc_error_queue* current;
+    struct wc_error_queue* next;
+
+    if (wc_LockMutex(&debug_mutex) != 0) {
+        WOLFSSL_MSG("Lock debug mutex failed");
+        return BAD_MUTEX_E;
+    }
+
+    /* free all nodes from error queue */
+    current = (struct wc_error_queue*)wc_errors;
+    while (current != NULL) {
+        next = current->next;
+        XFREE(current, current->heap, DYNAMIC_TYPE_LOG);
+        current = next;
+    }
+
+    wc_errors          = NULL;
+    wc_last_node       = NULL;
+
+    wc_UnLockMutex(&debug_mutex);
+
+    return 0;
+}
+
+#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
+/* empties out the error queue into the file */
+static int wc_ERR_dump_to_file (const char *str, size_t len, void *u)
+{
+    XFILE fp = (XFILE ) u;
+    fprintf(fp, "%-*.*s\n", (int)len, (int)len, str);
+    return 0;
+}
+
+/* This callback allows the application to provide a custom error printing
+ * function. */
+void wc_ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
+                            void *u)
+{
+    WOLFSSL_ENTER("wc_ERR_print_errors_cb");
+
+    if (cb == NULL) {
+        /* Invalid param */
+        return;
+    }
+
+    if (wc_LockMutex(&debug_mutex) != 0)
+    {
+        WOLFSSL_MSG("Lock debug mutex failed");
     }
+    else
+    {
+        /* free all nodes from error queue and print them to file */
+        struct wc_error_queue *current;
+        struct wc_error_queue *next;
+
+        current = (struct wc_error_queue *)wc_errors;
+        while (current != NULL)
+        {
+            next = current->next;
+            cb(current->error, strlen(current->error), u);
+            XFREE(current, current->heap, DYNAMIC_TYPE_LOG);
+            current = next;
+        }
+
+        /* set global pointers to match having been freed */
+        wc_errors = NULL;
+        wc_last_node = NULL;
+
+        wc_UnLockMutex(&debug_mutex);
+    }
+}
+
+void wc_ERR_print_errors_fp(XFILE fp)
+{
+    WOLFSSL_ENTER("wc_ERR_print_errors_fp");
+
+    /* Send all errors to the wc_ERR_dump_to_file function */
+    wc_ERR_print_errors_cb(wc_ERR_dump_to_file, fp);
 }
 
-#endif  /* DEBUG_WOLFSSL */
+#endif /* !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) */
+
+#endif /* defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md2.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md2.c
index ce4e424b7..c2f34203d 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md2.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md2.c
@@ -1,8 +1,8 @@
 /* md2.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -34,6 +35,7 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -49,7 +51,7 @@ void wc_InitMd2(Md2* md2)
 
 void wc_Md2Update(Md2* md2, const byte* data, word32 len)
 {
-    static const byte S[256] = 
+    static const byte S[256] =
     {
         41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6,
         19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188,
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md4.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md4.c
index c428610ef..f6f67454a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md4.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md4.c
@@ -1,8 +1,8 @@
 /* md4.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -31,21 +32,11 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
-
-#endif /* WOLFSSL_HAVE_MIN */
-
-
 void wc_InitMd4(Md4* md4)
 {
     md4->digest[0] = 0x67452301L;
@@ -89,7 +80,7 @@ static void Transform(Md4* md4)
     function(C,D,A,B,14,11);
     function(B,C,D,A,15,19);
 
-#undef function	  
+#undef function
 #define function(a,b,c,d,k,s) \
     a=rotlFixed(a+G(b,c,d)+md4->buffer[k]+0x5a827999,s);
 
@@ -110,7 +101,7 @@ static void Transform(Md4* md4)
     function(C,D,A,B,11, 9);
     function(B,C,D,A,15,13);
 
-#undef function	 
+#undef function
 #define function(a,b,c,d,k,s) \
     a=rotlFixed(a+H(b,c,d)+md4->buffer[k]+0x6ed9eba1,s);
 
@@ -130,7 +121,7 @@ static void Transform(Md4* md4)
     function(D,A,B,C,11, 9);
     function(C,D,A,B, 7,11);
     function(B,C,D,A,15,15);
-    
+
     /* Add the working vars back into digest state[]  */
     md4->digest[0] += A;
     md4->digest[1] += B;
@@ -139,7 +130,7 @@ static void Transform(Md4* md4)
 }
 
 
-static INLINE void AddLength(Md4* md4, word32 len)
+static WC_INLINE void AddLength(Md4* md4, word32 len)
 {
     word32 tmp = md4->loLen;
     if ( (md4->loLen += len) < tmp)
@@ -192,9 +183,9 @@ void wc_Md4Final(Md4* md4, byte* hash)
         md4->buffLen = 0;
     }
     XMEMSET(&local[md4->buffLen], 0, MD4_PAD_SIZE - md4->buffLen);
-   
+
     /* put lengths in bits */
-    md4->hiLen = (md4->loLen >> (8*sizeof(md4->loLen) - 3)) + 
+    md4->hiLen = (md4->loLen >> (8*sizeof(md4->loLen) - 3)) +
                  (md4->hiLen << 3);
     md4->loLen = md4->loLen << 3;
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md5.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md5.c
index fbf732add..7eb2a5120 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md5.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/md5.c
@@ -1,8 +1,8 @@
 /* md5.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,12 +16,13 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
-    #include <config.h>
+#include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
@@ -29,369 +30,543 @@
 #if !defined(NO_MD5)
 
 #if defined(WOLFSSL_TI_HASH)
-    /* #include <wolfcrypt/src/port/ti/ti-hash.c> included by wc_port.c */
-#else
+/* #include <wolfcrypt/src/port/ti/ti-hash.c> included by wc_port.c */
 
-#ifdef WOLFSSL_PIC32MZ_HASH
-#define wc_InitMd5   wc_InitMd5_sw
-#define wc_Md5Update wc_Md5Update_sw
-#define wc_Md5Final  wc_Md5Final_sw
-#endif
+#else
 
 #include <wolfssl/wolfcrypt/md5.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifdef NO_INLINE
-    #include <wolfssl/wolfcrypt/misc.h>
+#include <wolfssl/wolfcrypt/misc.h>
 #else
-    #include <wolfcrypt/src/misc.c>
+#define WOLFSSL_MISC_INCLUDED
+#include <wolfcrypt/src/misc.c>
 #endif
 
-#ifdef FREESCALE_MMCAU
-    #include "cau_api.h"
-    #define XTRANSFORM(S,B)  cau_md5_hash_n((B), 1, (unsigned char*)(S)->digest)
-#else
-    #define XTRANSFORM(S,B)  Transform((S))
-#endif
 
+/* Hardware Acceleration */
+#if defined(STM32_HASH)
 
-#ifdef STM32F2_HASH
-    /*
-     * STM32F2 hardware MD5 support through the STM32F2 standard peripheral
-     * library. Documentation located in STM32F2xx Standard Peripheral Library
-     * document (See note in README).
-     */
-    #include "stm32f2xx.h"
-
-    void wc_InitMd5(Md5* md5)
-    {
-        /* STM32F2 struct notes:
-         * md5->buffer  = first 4 bytes used to hold partial block if needed 
-         * md5->buffLen = num bytes currently stored in md5->buffer
-         * md5->loLen   = num bytes that have been written to STM32 FIFO
-         */
-        XMEMSET(md5->buffer, 0, MD5_REG_SIZE);
-			
-        md5->buffLen = 0;
-        md5->loLen = 0;
+/* Supports CubeMX HAL or Standard Peripheral Library */
+#define HAVE_MD5_CUST_API
 
-        /* initialize HASH peripheral */
-        HASH_DeInit();
+int wc_InitMd5_ex(wc_Md5* md5, void* heap, int devId)
+{
+    if (md5 == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-        /* configure algo used, algo mode, datatype */
-        HASH->CR &= ~ (HASH_CR_ALGO | HASH_CR_DATATYPE | HASH_CR_MODE);
-        HASH->CR |= (HASH_AlgoSelection_MD5 | HASH_AlgoMode_HASH 
-                 | HASH_DataType_8b);
+    (void)devId;
+    (void)heap;
 
-        /* reset HASH processor */
-        HASH->CR |= HASH_CR_INIT;
-    }
+    wc_Stm32_Hash_Init(&md5->stmCtx);
 
-    void wc_Md5Update(Md5* md5, const byte* data, word32 len)
-    {
-        word32 i = 0;
-        word32 fill = 0;
-        word32 diff = 0;
-
-        /* if saved partial block is available */
-        if (md5->buffLen > 0) {
-            fill = 4 - md5->buffLen;
-
-            /* if enough data to fill, fill and push to FIFO */
-            if (fill <= len) {
-                XMEMCPY((byte*)md5->buffer + md5->buffLen, data, fill);
-                HASH_DataIn(*(uint32_t*)md5->buffer);
-
-                data += fill;
-                len -= fill;
-                md5->loLen += 4;
-                md5->buffLen = 0;
-            } else {
-                /* append partial to existing stored block */
-                XMEMCPY((byte*)md5->buffer + md5->buffLen, data, len);
-                md5->buffLen += len;
-                return;
-            }
-        }
+    return 0;
+}
 
-        /* write input block in the IN FIFO */
-        for (i = 0; i < len; i += 4)
-        {
-            diff = len - i;
-            if (diff < 4) {
-                /* store incomplete last block, not yet in FIFO */
-                XMEMSET(md5->buffer, 0, MD5_REG_SIZE);
-                XMEMCPY((byte*)md5->buffer, data, diff);
-                md5->buffLen = diff;
-            } else {
-                HASH_DataIn(*(uint32_t*)data);
-                data+=4;
-            }
-        }
+int wc_Md5Update(wc_Md5* md5, const byte* data, word32 len)
+{
+    int ret;
 
-        /* keep track of total data length thus far */
-        md5->loLen += (len - md5->buffLen);
+    if (md5 == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
     }
 
-    void wc_Md5Final(Md5* md5, byte* hash)
-    {
-        __IO uint16_t nbvalidbitsdata = 0;
+    ret = wolfSSL_CryptHwMutexLock();
+    if (ret == 0) {
+        ret = wc_Stm32_Hash_Update(&md5->stmCtx, HASH_AlgoSelection_MD5,
+                                   data, len);
+        wolfSSL_CryptHwMutexUnLock();
+    }
+    return ret;
+}
 
-        /* finish reading any trailing bytes into FIFO */
-        if (md5->buffLen > 0) {
-            HASH_DataIn(*(uint32_t*)md5->buffer);
-            md5->loLen += md5->buffLen;
-        }
+int wc_Md5Final(wc_Md5* md5, byte* hash)
+{
+    int ret;
 
-        /* calculate number of valid bits in last word of input data */
-        nbvalidbitsdata = 8 * (md5->loLen % MD5_REG_SIZE);
+    if (md5 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-        /* configure number of valid bits in last word of the data */
-        HASH_SetLastWordValidBitsNbr(nbvalidbitsdata);
+    ret = wolfSSL_CryptHwMutexLock();
+    if (ret == 0) {
+        ret = wc_Stm32_Hash_Final(&md5->stmCtx, HASH_AlgoSelection_MD5,
+                                  hash, WC_MD5_DIGEST_SIZE);
+        wolfSSL_CryptHwMutexUnLock();
+    }
 
-        /* start HASH processor */
-        HASH_StartDigest();
+    (void)wc_InitMd5(md5);  /* reset state */
 
-        /* wait until Busy flag == RESET */
-        while (HASH_GetFlagStatus(HASH_FLAG_BUSY) != RESET) {}
-        
-        /* read message digest */
-        md5->digest[0] = HASH->HR[0];
-        md5->digest[1] = HASH->HR[1];
-        md5->digest[2] = HASH->HR[2];
-        md5->digest[3] = HASH->HR[3];
+    return ret;
+}
 
-        ByteReverseWords(md5->digest, md5->digest, MD5_DIGEST_SIZE);
+#elif defined(FREESCALE_MMCAU_SHA)
 
-        XMEMCPY(hash, md5->digest, MD5_DIGEST_SIZE);
+#ifdef FREESCALE_MMCAU_CLASSIC_SHA
+    #include "cau_api.h"
+#else
+    #include "fsl_mmcau.h"
+#endif
 
-        wc_InitMd5(md5);  /* reset state */
-    }
+#define XTRANSFORM(S,B)       Transform((S), (B))
+#define XTRANSFORM_LEN(S,B,L) Transform_Len((S), (B), (L))
 
-#else /* CTaoCrypt software implementation */
+#ifndef WC_HASH_DATA_ALIGNMENT
+    /* these hardware API's require 4 byte (word32) alignment */
+    #define WC_HASH_DATA_ALIGNMENT 4
+#endif
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+static int Transform(wc_Md5* md5, const byte* data)
+{
+    int ret = wolfSSL_CryptHwMutexLock();
+    if (ret == 0) {
+#ifdef FREESCALE_MMCAU_CLASSIC_SHA
+        cau_md5_hash_n((byte*)data, 1, (unsigned char*)md5->digest);
+#else
+        MMCAU_MD5_HashN((byte*)data, 1, (uint32_t*)md5->digest);
+#endif
+        wolfSSL_CryptHwMutexUnLock();
+    }
+    return ret;
+}
 
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
+static int Transform_Len(wc_Md5* md5, const byte* data, word32 len)
+{
+    int ret = wolfSSL_CryptHwMutexLock();
+    if (ret == 0) {
+    #if defined(WC_HASH_DATA_ALIGNMENT) && WC_HASH_DATA_ALIGNMENT > 0
+        if ((size_t)data % WC_HASH_DATA_ALIGNMENT) {
+            /* data pointer is NOT aligned,
+             * so copy and perform one block at a time */
+            byte* local = (byte*)md5->buffer;
+            while (len >= WC_MD5_BLOCK_SIZE) {
+                XMEMCPY(local, data, WC_MD5_BLOCK_SIZE);
+            #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+                cau_md5_hash_n(local, 1, (unsigned char*)md5->digest);
+            #else
+                MMCAU_MD5_HashN(local, 1, (uint32_t*)md5->digest);
+            #endif
+                data += WC_MD5_BLOCK_SIZE;
+                len  -= WC_MD5_BLOCK_SIZE;
+            }
+        }
+        else
+    #endif
+        {
+#ifdef FREESCALE_MMCAU_CLASSIC_SHA
+        cau_md5_hash_n((byte*)data, len / WC_MD5_BLOCK_SIZE,
+            (unsigned char*)md5->digest);
+#else
+        MMCAU_MD5_HashN((byte*)data, len / WC_MD5_BLOCK_SIZE,
+            (uint32_t*)md5->digest);
+#endif
+        }
+        wolfSSL_CryptHwMutexUnLock();
     }
+    return ret;
+}
 
-#endif /* WOLFSSL_HAVE_MIN */
+#elif defined(WOLFSSL_PIC32MZ_HASH)
+#include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
+#define HAVE_MD5_CUST_API
 
-void wc_InitMd5(Md5* md5)
-{
-    md5->digest[0] = 0x67452301L;
-    md5->digest[1] = 0xefcdab89L;
-    md5->digest[2] = 0x98badcfeL;
-    md5->digest[3] = 0x10325476L;
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+/* functions implemented in wolfcrypt/src/port/caam/caam_sha.c */
+#define HAVE_MD5_CUST_API
+#else
+#define NEED_SOFT_MD5
+#endif /* End Hardware Acceleration */
 
-    md5->buffLen = 0;
-    md5->loLen   = 0;
-    md5->hiLen   = 0;
-}
+#ifdef NEED_SOFT_MD5
 
-#ifndef FREESCALE_MMCAU
+#define XTRANSFORM(S,B)  Transform((S),(B))
 
-static void Transform(Md5* md5)
-{
 #define F1(x, y, z) (z ^ (x & (y ^ z)))
 #define F2(x, y, z) F1(z, x, y)
 #define F3(x, y, z) (x ^ y ^ z)
 #define F4(x, y, z) (y ^ (x | ~z))
 
 #define MD5STEP(f, w, x, y, z, data, s) \
-    w = rotlFixed(w + f(x, y, z) + data, s) + x
+        w = rotlFixed(w + f(x, y, z) + data, s) + x
 
+static int Transform(wc_Md5* md5, const byte* data)
+{
+    word32* buffer = (word32*)data;
     /* Copy context->state[] to working vars  */
     word32 a = md5->digest[0];
     word32 b = md5->digest[1];
     word32 c = md5->digest[2];
     word32 d = md5->digest[3];
 
-    MD5STEP(F1, a, b, c, d, md5->buffer[0]  + 0xd76aa478,  7);
-    MD5STEP(F1, d, a, b, c, md5->buffer[1]  + 0xe8c7b756, 12);
-    MD5STEP(F1, c, d, a, b, md5->buffer[2]  + 0x242070db, 17);
-    MD5STEP(F1, b, c, d, a, md5->buffer[3]  + 0xc1bdceee, 22);
-    MD5STEP(F1, a, b, c, d, md5->buffer[4]  + 0xf57c0faf,  7);
-    MD5STEP(F1, d, a, b, c, md5->buffer[5]  + 0x4787c62a, 12);
-    MD5STEP(F1, c, d, a, b, md5->buffer[6]  + 0xa8304613, 17);
-    MD5STEP(F1, b, c, d, a, md5->buffer[7]  + 0xfd469501, 22);
-    MD5STEP(F1, a, b, c, d, md5->buffer[8]  + 0x698098d8,  7);
-    MD5STEP(F1, d, a, b, c, md5->buffer[9]  + 0x8b44f7af, 12);
-    MD5STEP(F1, c, d, a, b, md5->buffer[10] + 0xffff5bb1, 17);
-    MD5STEP(F1, b, c, d, a, md5->buffer[11] + 0x895cd7be, 22);
-    MD5STEP(F1, a, b, c, d, md5->buffer[12] + 0x6b901122,  7);
-    MD5STEP(F1, d, a, b, c, md5->buffer[13] + 0xfd987193, 12);
-    MD5STEP(F1, c, d, a, b, md5->buffer[14] + 0xa679438e, 17);
-    MD5STEP(F1, b, c, d, a, md5->buffer[15] + 0x49b40821, 22);
-
-    MD5STEP(F2, a, b, c, d, md5->buffer[1]  + 0xf61e2562,  5);
-    MD5STEP(F2, d, a, b, c, md5->buffer[6]  + 0xc040b340,  9);
-    MD5STEP(F2, c, d, a, b, md5->buffer[11] + 0x265e5a51, 14);
-    MD5STEP(F2, b, c, d, a, md5->buffer[0]  + 0xe9b6c7aa, 20);
-    MD5STEP(F2, a, b, c, d, md5->buffer[5]  + 0xd62f105d,  5);
-    MD5STEP(F2, d, a, b, c, md5->buffer[10] + 0x02441453,  9);
-    MD5STEP(F2, c, d, a, b, md5->buffer[15] + 0xd8a1e681, 14);
-    MD5STEP(F2, b, c, d, a, md5->buffer[4]  + 0xe7d3fbc8, 20);
-    MD5STEP(F2, a, b, c, d, md5->buffer[9]  + 0x21e1cde6,  5);
-    MD5STEP(F2, d, a, b, c, md5->buffer[14] + 0xc33707d6,  9);
-    MD5STEP(F2, c, d, a, b, md5->buffer[3]  + 0xf4d50d87, 14);
-    MD5STEP(F2, b, c, d, a, md5->buffer[8]  + 0x455a14ed, 20);
-    MD5STEP(F2, a, b, c, d, md5->buffer[13] + 0xa9e3e905,  5);
-    MD5STEP(F2, d, a, b, c, md5->buffer[2]  + 0xfcefa3f8,  9);
-    MD5STEP(F2, c, d, a, b, md5->buffer[7]  + 0x676f02d9, 14);
-    MD5STEP(F2, b, c, d, a, md5->buffer[12] + 0x8d2a4c8a, 20);
-
-    MD5STEP(F3, a, b, c, d, md5->buffer[5]  + 0xfffa3942,  4);
-    MD5STEP(F3, d, a, b, c, md5->buffer[8]  + 0x8771f681, 11);
-    MD5STEP(F3, c, d, a, b, md5->buffer[11] + 0x6d9d6122, 16);
-    MD5STEP(F3, b, c, d, a, md5->buffer[14] + 0xfde5380c, 23);
-    MD5STEP(F3, a, b, c, d, md5->buffer[1]  + 0xa4beea44,  4);
-    MD5STEP(F3, d, a, b, c, md5->buffer[4]  + 0x4bdecfa9, 11);
-    MD5STEP(F3, c, d, a, b, md5->buffer[7]  + 0xf6bb4b60, 16);
-    MD5STEP(F3, b, c, d, a, md5->buffer[10] + 0xbebfbc70, 23);
-    MD5STEP(F3, a, b, c, d, md5->buffer[13] + 0x289b7ec6,  4);
-    MD5STEP(F3, d, a, b, c, md5->buffer[0]  + 0xeaa127fa, 11);
-    MD5STEP(F3, c, d, a, b, md5->buffer[3]  + 0xd4ef3085, 16);
-    MD5STEP(F3, b, c, d, a, md5->buffer[6]  + 0x04881d05, 23);
-    MD5STEP(F3, a, b, c, d, md5->buffer[9]  + 0xd9d4d039,  4);
-    MD5STEP(F3, d, a, b, c, md5->buffer[12] + 0xe6db99e5, 11);
-    MD5STEP(F3, c, d, a, b, md5->buffer[15] + 0x1fa27cf8, 16);
-    MD5STEP(F3, b, c, d, a, md5->buffer[2]  + 0xc4ac5665, 23);
-
-    MD5STEP(F4, a, b, c, d, md5->buffer[0]  + 0xf4292244,  6);
-    MD5STEP(F4, d, a, b, c, md5->buffer[7]  + 0x432aff97, 10);
-    MD5STEP(F4, c, d, a, b, md5->buffer[14] + 0xab9423a7, 15);
-    MD5STEP(F4, b, c, d, a, md5->buffer[5]  + 0xfc93a039, 21);
-    MD5STEP(F4, a, b, c, d, md5->buffer[12] + 0x655b59c3,  6);
-    MD5STEP(F4, d, a, b, c, md5->buffer[3]  + 0x8f0ccc92, 10);
-    MD5STEP(F4, c, d, a, b, md5->buffer[10] + 0xffeff47d, 15);
-    MD5STEP(F4, b, c, d, a, md5->buffer[1]  + 0x85845dd1, 21);
-    MD5STEP(F4, a, b, c, d, md5->buffer[8]  + 0x6fa87e4f,  6);
-    MD5STEP(F4, d, a, b, c, md5->buffer[15] + 0xfe2ce6e0, 10);
-    MD5STEP(F4, c, d, a, b, md5->buffer[6]  + 0xa3014314, 15);
-    MD5STEP(F4, b, c, d, a, md5->buffer[13] + 0x4e0811a1, 21);
-    MD5STEP(F4, a, b, c, d, md5->buffer[4]  + 0xf7537e82,  6);
-    MD5STEP(F4, d, a, b, c, md5->buffer[11] + 0xbd3af235, 10);
-    MD5STEP(F4, c, d, a, b, md5->buffer[2]  + 0x2ad7d2bb, 15);
-    MD5STEP(F4, b, c, d, a, md5->buffer[9]  + 0xeb86d391, 21);
-    
+    MD5STEP(F1, a, b, c, d, buffer[0]  + 0xd76aa478,  7);
+    MD5STEP(F1, d, a, b, c, buffer[1]  + 0xe8c7b756, 12);
+    MD5STEP(F1, c, d, a, b, buffer[2]  + 0x242070db, 17);
+    MD5STEP(F1, b, c, d, a, buffer[3]  + 0xc1bdceee, 22);
+    MD5STEP(F1, a, b, c, d, buffer[4]  + 0xf57c0faf,  7);
+    MD5STEP(F1, d, a, b, c, buffer[5]  + 0x4787c62a, 12);
+    MD5STEP(F1, c, d, a, b, buffer[6]  + 0xa8304613, 17);
+    MD5STEP(F1, b, c, d, a, buffer[7]  + 0xfd469501, 22);
+    MD5STEP(F1, a, b, c, d, buffer[8]  + 0x698098d8,  7);
+    MD5STEP(F1, d, a, b, c, buffer[9]  + 0x8b44f7af, 12);
+    MD5STEP(F1, c, d, a, b, buffer[10] + 0xffff5bb1, 17);
+    MD5STEP(F1, b, c, d, a, buffer[11] + 0x895cd7be, 22);
+    MD5STEP(F1, a, b, c, d, buffer[12] + 0x6b901122,  7);
+    MD5STEP(F1, d, a, b, c, buffer[13] + 0xfd987193, 12);
+    MD5STEP(F1, c, d, a, b, buffer[14] + 0xa679438e, 17);
+    MD5STEP(F1, b, c, d, a, buffer[15] + 0x49b40821, 22);
+
+    MD5STEP(F2, a, b, c, d, buffer[1]  + 0xf61e2562,  5);
+    MD5STEP(F2, d, a, b, c, buffer[6]  + 0xc040b340,  9);
+    MD5STEP(F2, c, d, a, b, buffer[11] + 0x265e5a51, 14);
+    MD5STEP(F2, b, c, d, a, buffer[0]  + 0xe9b6c7aa, 20);
+    MD5STEP(F2, a, b, c, d, buffer[5]  + 0xd62f105d,  5);
+    MD5STEP(F2, d, a, b, c, buffer[10] + 0x02441453,  9);
+    MD5STEP(F2, c, d, a, b, buffer[15] + 0xd8a1e681, 14);
+    MD5STEP(F2, b, c, d, a, buffer[4]  + 0xe7d3fbc8, 20);
+    MD5STEP(F2, a, b, c, d, buffer[9]  + 0x21e1cde6,  5);
+    MD5STEP(F2, d, a, b, c, buffer[14] + 0xc33707d6,  9);
+    MD5STEP(F2, c, d, a, b, buffer[3]  + 0xf4d50d87, 14);
+    MD5STEP(F2, b, c, d, a, buffer[8]  + 0x455a14ed, 20);
+    MD5STEP(F2, a, b, c, d, buffer[13] + 0xa9e3e905,  5);
+    MD5STEP(F2, d, a, b, c, buffer[2]  + 0xfcefa3f8,  9);
+    MD5STEP(F2, c, d, a, b, buffer[7]  + 0x676f02d9, 14);
+    MD5STEP(F2, b, c, d, a, buffer[12] + 0x8d2a4c8a, 20);
+
+    MD5STEP(F3, a, b, c, d, buffer[5]  + 0xfffa3942,  4);
+    MD5STEP(F3, d, a, b, c, buffer[8]  + 0x8771f681, 11);
+    MD5STEP(F3, c, d, a, b, buffer[11] + 0x6d9d6122, 16);
+    MD5STEP(F3, b, c, d, a, buffer[14] + 0xfde5380c, 23);
+    MD5STEP(F3, a, b, c, d, buffer[1]  + 0xa4beea44,  4);
+    MD5STEP(F3, d, a, b, c, buffer[4]  + 0x4bdecfa9, 11);
+    MD5STEP(F3, c, d, a, b, buffer[7]  + 0xf6bb4b60, 16);
+    MD5STEP(F3, b, c, d, a, buffer[10] + 0xbebfbc70, 23);
+    MD5STEP(F3, a, b, c, d, buffer[13] + 0x289b7ec6,  4);
+    MD5STEP(F3, d, a, b, c, buffer[0]  + 0xeaa127fa, 11);
+    MD5STEP(F3, c, d, a, b, buffer[3]  + 0xd4ef3085, 16);
+    MD5STEP(F3, b, c, d, a, buffer[6]  + 0x04881d05, 23);
+    MD5STEP(F3, a, b, c, d, buffer[9]  + 0xd9d4d039,  4);
+    MD5STEP(F3, d, a, b, c, buffer[12] + 0xe6db99e5, 11);
+    MD5STEP(F3, c, d, a, b, buffer[15] + 0x1fa27cf8, 16);
+    MD5STEP(F3, b, c, d, a, buffer[2]  + 0xc4ac5665, 23);
+
+    MD5STEP(F4, a, b, c, d, buffer[0]  + 0xf4292244,  6);
+    MD5STEP(F4, d, a, b, c, buffer[7]  + 0x432aff97, 10);
+    MD5STEP(F4, c, d, a, b, buffer[14] + 0xab9423a7, 15);
+    MD5STEP(F4, b, c, d, a, buffer[5]  + 0xfc93a039, 21);
+    MD5STEP(F4, a, b, c, d, buffer[12] + 0x655b59c3,  6);
+    MD5STEP(F4, d, a, b, c, buffer[3]  + 0x8f0ccc92, 10);
+    MD5STEP(F4, c, d, a, b, buffer[10] + 0xffeff47d, 15);
+    MD5STEP(F4, b, c, d, a, buffer[1]  + 0x85845dd1, 21);
+    MD5STEP(F4, a, b, c, d, buffer[8]  + 0x6fa87e4f,  6);
+    MD5STEP(F4, d, a, b, c, buffer[15] + 0xfe2ce6e0, 10);
+    MD5STEP(F4, c, d, a, b, buffer[6]  + 0xa3014314, 15);
+    MD5STEP(F4, b, c, d, a, buffer[13] + 0x4e0811a1, 21);
+    MD5STEP(F4, a, b, c, d, buffer[4]  + 0xf7537e82,  6);
+    MD5STEP(F4, d, a, b, c, buffer[11] + 0xbd3af235, 10);
+    MD5STEP(F4, c, d, a, b, buffer[2]  + 0x2ad7d2bb, 15);
+    MD5STEP(F4, b, c, d, a, buffer[9]  + 0xeb86d391, 21);
+
     /* Add the working vars back into digest state[]  */
     md5->digest[0] += a;
     md5->digest[1] += b;
     md5->digest[2] += c;
     md5->digest[3] += d;
-}
 
-#endif /* FREESCALE_MMCAU */
+    return 0;
+}
+#endif /* NEED_SOFT_MD5 */
 
+#ifndef HAVE_MD5_CUST_API
 
-static INLINE void AddLength(Md5* md5, word32 len)
+static WC_INLINE void AddLength(wc_Md5* md5, word32 len)
 {
     word32 tmp = md5->loLen;
-    if ( (md5->loLen += len) < tmp)
+    if ((md5->loLen += len) < tmp) {
         md5->hiLen++;                       /* carry low to high */
+    }
 }
 
+static int _InitMd5(wc_Md5* md5)
+{
+    int ret = 0;
+
+    md5->digest[0] = 0x67452301L;
+    md5->digest[1] = 0xefcdab89L;
+    md5->digest[2] = 0x98badcfeL;
+    md5->digest[3] = 0x10325476L;
+
+    md5->buffLen = 0;
+    md5->loLen   = 0;
+    md5->hiLen   = 0;
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    md5->flags = 0;
+#endif
+
+    return ret;
+}
 
-void wc_Md5Update(Md5* md5, const byte* data, word32 len)
+int wc_InitMd5_ex(wc_Md5* md5, void* heap, int devId)
 {
-    /* do block size increments */
-    byte* local = (byte*)md5->buffer;
+    int ret = 0;
 
-    while (len) {
-        word32 add = min(len, MD5_BLOCK_SIZE - md5->buffLen);
-        XMEMCPY(&local[md5->buffLen], data, add);
+    if (md5 == NULL)
+        return BAD_FUNC_ARG;
 
-        md5->buffLen += add;
-        data         += add;
-        len          -= add;
+    md5->heap = heap;
+
+    ret = _InitMd5(md5);
+    if (ret != 0)
+        return ret;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_MD5)
+    ret = wolfAsync_DevCtxInit(&md5->asyncDev, WOLFSSL_ASYNC_MARKER_MD5,
+                               md5->heap, devId);
+#else
+    (void)devId;
+#endif
+    return ret;
+}
+
+/* do block size increments/updates */
+int wc_Md5Update(wc_Md5* md5, const byte* data, word32 len)
+{
+    int ret = 0;
+    word32 blocksLen;
+    byte* local;
+
+    if (md5 == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_MD5)
+    if (md5->asyncDev.marker == WOLFSSL_ASYNC_MARKER_MD5) {
+#if defined(HAVE_INTEL_QA)
+        return IntelQaSymMd5(&md5->asyncDev, NULL, data, len);
+#endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    /* check that internal buffLen is valid */
+    if (md5->buffLen >= WC_MD5_BLOCK_SIZE)
+        return BUFFER_E;
+
+    if (data == NULL && len == 0) {
+        /* valid, but do nothing */
+        return 0;
+    }
+
+    /* add length for final */
+    AddLength(md5, len);
+
+    local = (byte*)md5->buffer;
+
+    /* process any remainder from previous operation */
+    if (md5->buffLen > 0) {
+        blocksLen = min(len, WC_MD5_BLOCK_SIZE - md5->buffLen);
+        XMEMCPY(&local[md5->buffLen], data, blocksLen);
+
+        md5->buffLen += blocksLen;
+        data         += blocksLen;
+        len          -= blocksLen;
+
+        if (md5->buffLen == WC_MD5_BLOCK_SIZE) {
+        #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+            ByteReverseWords(md5->buffer, md5->buffer, WC_MD5_BLOCK_SIZE);
+        #endif
+
+            ret = XTRANSFORM(md5, (const byte*)local);
+            if (ret != 0)
+                return ret;
 
-        if (md5->buffLen == MD5_BLOCK_SIZE) {
-            #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-                ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE);
-            #endif
-            XTRANSFORM(md5, local);
-            AddLength(md5, MD5_BLOCK_SIZE);
             md5->buffLen = 0;
         }
     }
-}
 
+    /* process blocks */
+#ifdef XTRANSFORM_LEN
+    /* get number of blocks */
+    /* 64-1 = 0x3F (~ Inverted = 0xFFFFFFC0) */
+    /* len (masked by 0xFFFFFFC0) returns block aligned length */
+    blocksLen = len & ~(WC_MD5_BLOCK_SIZE-1);
+    if (blocksLen > 0) {
+        /* Byte reversal performed in function if required. */
+        XTRANSFORM_LEN(md5, data, blocksLen);
+        data += blocksLen;
+        len  -= blocksLen;
+    }
+#else
+    while (len >= WC_MD5_BLOCK_SIZE) {
+        word32* local32 = md5->buffer;
+        /* optimization to avoid memcpy if data pointer is properly aligned */
+        /* Big Endian requires byte swap, so can't use data directly */
+    #if defined(WC_HASH_DATA_ALIGNMENT) && !defined(BIG_ENDIAN_ORDER)
+        if (((size_t)data % WC_HASH_DATA_ALIGNMENT) == 0) {
+            local32 = (word32*)data;
+        }
+        else
+    #endif
+        {
+            XMEMCPY(local32, data, WC_MD5_BLOCK_SIZE);
+        }
+
+        data += WC_MD5_BLOCK_SIZE;
+        len  -= WC_MD5_BLOCK_SIZE;
+
+    #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+        ByteReverseWords(local32, local32, WC_MD5_BLOCK_SIZE);
+    #endif
+
+        ret = XTRANSFORM(md5, (const byte*)local32);
+    }
+#endif /* XTRANSFORM_LEN */
+
+    /* save remainder */
+    if (len > 0) {
+        XMEMCPY(local, data, len);
+        md5->buffLen = len;
+    }
+
+    return ret;
+}
 
-void wc_Md5Final(Md5* md5, byte* hash)
+int wc_Md5Final(wc_Md5* md5, byte* hash)
 {
-    byte* local = (byte*)md5->buffer;
+    byte* local;
+
+    if (md5 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_MD5)
+    if (md5->asyncDev.marker == WOLFSSL_ASYNC_MARKER_MD5) {
+#if defined(HAVE_INTEL_QA)
+        return IntelQaSymMd5(&md5->asyncDev, hash, NULL, WC_MD5_DIGEST_SIZE);
+#endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    AddLength(md5, md5->buffLen);  /* before adding pads */
+    local = (byte*)md5->buffer;
 
     local[md5->buffLen++] = 0x80;  /* add 1 */
 
     /* pad with zeros */
-    if (md5->buffLen > MD5_PAD_SIZE) {
-        XMEMSET(&local[md5->buffLen], 0, MD5_BLOCK_SIZE - md5->buffLen);
-        md5->buffLen += MD5_BLOCK_SIZE - md5->buffLen;
+    if (md5->buffLen > WC_MD5_PAD_SIZE) {
+        XMEMSET(&local[md5->buffLen], 0, WC_MD5_BLOCK_SIZE - md5->buffLen);
+        md5->buffLen += WC_MD5_BLOCK_SIZE - md5->buffLen;
 
-        #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-            ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE);
-        #endif
+#if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+        ByteReverseWords(md5->buffer, md5->buffer, WC_MD5_BLOCK_SIZE);
+#endif
         XTRANSFORM(md5, local);
         md5->buffLen = 0;
     }
-    XMEMSET(&local[md5->buffLen], 0, MD5_PAD_SIZE - md5->buffLen);
-   
+    XMEMSET(&local[md5->buffLen], 0, WC_MD5_PAD_SIZE - md5->buffLen);
+
+#if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+    ByteReverseWords(md5->buffer, md5->buffer, WC_MD5_BLOCK_SIZE);
+#endif
+
     /* put lengths in bits */
-    md5->hiLen = (md5->loLen >> (8*sizeof(md5->loLen) - 3)) + 
+    md5->hiLen = (md5->loLen >> (8 * sizeof(md5->loLen) - 3)) +
                  (md5->hiLen << 3);
     md5->loLen = md5->loLen << 3;
 
     /* store lengths */
-    #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-        ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE);
-    #endif
     /* ! length ordering dependent on digest endian type ! */
-    XMEMCPY(&local[MD5_PAD_SIZE], &md5->loLen, sizeof(word32));
-    XMEMCPY(&local[MD5_PAD_SIZE + sizeof(word32)], &md5->hiLen, sizeof(word32));
+    XMEMCPY(&local[WC_MD5_PAD_SIZE], &md5->loLen, sizeof(word32));
+    XMEMCPY(&local[WC_MD5_PAD_SIZE + sizeof(word32)], &md5->hiLen, sizeof(word32));
 
+    /* final transform and result to hash */
     XTRANSFORM(md5, local);
-    #ifdef BIG_ENDIAN_ORDER
-        ByteReverseWords(md5->digest, md5->digest, MD5_DIGEST_SIZE);
-    #endif
-    XMEMCPY(hash, md5->digest, MD5_DIGEST_SIZE);
+#ifdef BIG_ENDIAN_ORDER
+    ByteReverseWords(md5->digest, md5->digest, WC_MD5_DIGEST_SIZE);
+#endif
+    XMEMCPY(hash, md5->digest, WC_MD5_DIGEST_SIZE);
 
-    wc_InitMd5(md5);  /* reset state */
+    return _InitMd5(md5); /* reset state */
 }
+#endif /* !HAVE_MD5_CUST_API */
 
-#endif /* STM32F2_HASH */
 
-
-int wc_Md5Hash(const byte* data, word32 len, byte* hash)
+int wc_InitMd5(wc_Md5* md5)
 {
-#ifdef WOLFSSL_SMALL_STACK
-    Md5* md5;
-#else
-    Md5 md5[1];
-#endif
+    if (md5 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    return wc_InitMd5_ex(md5, NULL, INVALID_DEVID);
+}
 
-#ifdef WOLFSSL_SMALL_STACK
-    md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+void wc_Md5Free(wc_Md5* md5)
+{
     if (md5 == NULL)
-        return MEMORY_E;
+        return;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_MD5)
+    wolfAsync_DevCtxFree(&md5->asyncDev, WOLFSSL_ASYNC_MARKER_MD5);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_Md5Pic32Free(md5);
 #endif
+}
+
+int wc_Md5GetHash(wc_Md5* md5, byte* hash)
+{
+    int ret;
+    wc_Md5 tmpMd5;
+
+    if (md5 == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
 
-    wc_InitMd5(md5);
-    wc_Md5Update(md5, data, len);
-    wc_Md5Final(md5, hash);
+    ret = wc_Md5Copy(md5, &tmpMd5);
+    if (ret == 0) {
+        ret = wc_Md5Final(&tmpMd5, hash);
+    }
+
+    return ret;
+}
+
+int wc_Md5Copy(wc_Md5* src, wc_Md5* dst)
+{
+    int ret = 0;
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    XMEMCPY(dst, src, sizeof(wc_Md5));
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#ifdef WOLFSSL_PIC32MZ_HASH
+    ret = wc_Pic32HashCopy(&src->cache, &dst->cache);
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    dst->flags |= WC_HASH_FLAG_ISCOPY;
 #endif
 
+    return ret;
+}
+
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_Md5SetFlags(wc_Md5* md5, word32 flags)
+{
+    if (md5) {
+        md5->flags = flags;
+    }
+    return 0;
+}
+int wc_Md5GetFlags(wc_Md5* md5, word32* flags)
+{
+    if (md5 && flags) {
+        *flags = md5->flags;
+    }
     return 0;
 }
+#endif
 
 #endif /* WOLFSSL_TI_HASH */
-
 #endif /* NO_MD5 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/memory.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/memory.c
index dd9281945..3bc8e21cf 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/memory.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/memory.c
@@ -1,8 +1,8 @@
 /* memory.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -33,82 +34,921 @@
     #define WOLFSSL_MALLOC_CHECK
 #endif
 
+
+/*
+Possible memory options:
+ * NO_WOLFSSL_MEMORY:               Disables wolf memory callback support. When not defined settings.h defines USE_WOLFSSL_MEMORY.
+ * WOLFSSL_STATIC_MEMORY:           Turns on the use of static memory buffers and functions.
+                                        This allows for using static memory instead of dynamic.
+ * WOLFSSL_STATIC_ALIGN:            Define defaults to 16 to indicate static memory alignment.
+ * HAVE_IO_POOL:                    Enables use of static thread safe memory pool for input/output buffers.
+ * XMALLOC_OVERRIDE:                Allows override of the XMALLOC, XFREE and XREALLOC macros.
+ * XMALLOC_USER:                    Allows custom XMALLOC, XFREE and XREALLOC functions to be defined.
+ * WOLFSSL_NO_MALLOC:               Disables the fall-back case to use STDIO malloc/free when no callbacks are set.
+ * WOLFSSL_TRACK_MEMORY:            Enables memory tracking for total stats and list of allocated memory.
+ * WOLFSSL_DEBUG_MEMORY:            Enables extra function and line number args for memory callbacks.
+ * WOLFSSL_DEBUG_MEMORY_PRINT:      Enables printing of each malloc/free.
+ * WOLFSSL_MALLOC_CHECK:            Reports malloc or alignment failure using WOLFSSL_STATIC_ALIGN
+ * WOLFSSL_FORCE_MALLOC_FAIL_TEST:  Used for internal testing to induce random malloc failures.
+ * WOLFSSL_HEAP_TEST:               Used for internal testing of heap hint
+ */
+
+#ifdef WOLFSSL_ZEPHYR
+#undef realloc
+void *z_realloc(void *ptr, size_t size)
+{
+    if (ptr == NULL)
+        ptr = malloc(size);
+    else
+        ptr = realloc(ptr, size);
+
+    return ptr;
+}
+#define realloc z_realloc
+#endif
+
 #ifdef USE_WOLFSSL_MEMORY
 
 #include <wolfssl/wolfcrypt/memory.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
 
-#ifdef WOLFSSL_MALLOC_CHECK
+#if defined(WOLFSSL_DEBUG_MEMORY) && defined(WOLFSSL_DEBUG_MEMORY_PRINT)
+#include <stdio.h>
+#endif
+
+#ifdef WOLFSSL_FORCE_MALLOC_FAIL_TEST
+    static int gMemFailCountSeed;
+    static int gMemFailCount;
+    void wolfSSL_SetMemFailCount(int memFailCount)
+    {
+        if (gMemFailCountSeed == 0) {
+            gMemFailCountSeed = memFailCount;
+            gMemFailCount = memFailCount;
+        }
+    }
+#endif
+#if defined(WOLFSSL_MALLOC_CHECK) || defined(WOLFSSL_TRACK_MEMORY_FULL) || \
+                                                     defined(WOLFSSL_MEMORY_LOG)
     #include <stdio.h>
 #endif
 
+
 /* Set these to default values initially. */
-static wolfSSL_Malloc_cb  malloc_function = 0;
-static wolfSSL_Free_cb    free_function = 0;
-static wolfSSL_Realloc_cb realloc_function = 0;
+static wolfSSL_Malloc_cb  malloc_function = NULL;
+static wolfSSL_Free_cb    free_function = NULL;
+static wolfSSL_Realloc_cb realloc_function = NULL;
 
 int wolfSSL_SetAllocators(wolfSSL_Malloc_cb  mf,
                           wolfSSL_Free_cb    ff,
                           wolfSSL_Realloc_cb rf)
 {
-    int res = 0;
-
-    if (mf)
-        malloc_function = mf;
-    else
-        res = BAD_FUNC_ARG;
-
-    if (ff)
-        free_function = ff;
-    else
-        res = BAD_FUNC_ARG;
-
-    if (rf)
-        realloc_function = rf;
-    else
-        res = BAD_FUNC_ARG;
-
-    return res;
+    malloc_function = mf;
+    free_function = ff;
+    realloc_function = rf;
+    return 0;
 }
 
+int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*  mf,
+                          wolfSSL_Free_cb*    ff,
+                          wolfSSL_Realloc_cb* rf)
+{
+    if (mf) *mf = malloc_function;
+    if (ff) *ff = free_function;
+    if (rf) *rf = realloc_function;
+    return 0;
+}
 
+#ifndef WOLFSSL_STATIC_MEMORY
+#ifdef WOLFSSL_DEBUG_MEMORY
+void* wolfSSL_Malloc(size_t size, const char* func, unsigned int line)
+#else
 void* wolfSSL_Malloc(size_t size)
+#endif
 {
     void* res = 0;
 
-    if (malloc_function)
+    if (malloc_function) {
+    #ifdef WOLFSSL_DEBUG_MEMORY
+        res = malloc_function(size, func, line);
+    #else
         res = malloc_function(size);
-    else
+    #endif
+    }
+    else {
+    #ifndef WOLFSSL_NO_MALLOC
         res = malloc(size);
-
-    #ifdef WOLFSSL_MALLOC_CHECK
-        if (res == NULL)
-            puts("wolfSSL_malloc failed");
+    #else
+        WOLFSSL_MSG("No malloc available");
     #endif
-                
+    }
+
+#ifdef WOLFSSL_DEBUG_MEMORY
+#if defined(WOLFSSL_DEBUG_MEMORY_PRINT) && !defined(WOLFSSL_TRACK_MEMORY)
+    printf("Alloc: %p -> %u at %s:%d\n", res, (word32)size, func, line);
+#else
+    (void)func;
+    (void)line;
+#endif
+#endif
+
+#ifdef WOLFSSL_MALLOC_CHECK
+    if (res == NULL)
+        WOLFSSL_MSG("wolfSSL_malloc failed");
+#endif
+
+#ifdef WOLFSSL_FORCE_MALLOC_FAIL_TEST
+    if (res && --gMemFailCount == 0) {
+        printf("\n---FORCED MEM FAIL TEST---\n");
+        if (free_function) {
+        #ifdef WOLFSSL_DEBUG_MEMORY
+            free_function(res, func, line);
+        #else
+            free_function(res);
+        #endif
+        }
+        else {
+            free(res); /* clear */
+        }
+        gMemFailCount = gMemFailCountSeed; /* reset */
+        return NULL;
+    }
+#endif
+
     return res;
 }
 
+#ifdef WOLFSSL_DEBUG_MEMORY
+void wolfSSL_Free(void *ptr, const char* func, unsigned int line)
+#else
 void wolfSSL_Free(void *ptr)
+#endif
 {
-    if (free_function)
+#ifdef WOLFSSL_DEBUG_MEMORY
+#if defined(WOLFSSL_DEBUG_MEMORY_PRINT) && !defined(WOLFSSL_TRACK_MEMORY)
+    printf("Free: %p at %s:%d\n", ptr, func, line);
+#else
+    (void)func;
+    (void)line;
+#endif
+#endif
+
+    if (free_function) {
+    #ifdef WOLFSSL_DEBUG_MEMORY
+        free_function(ptr, func, line);
+    #else
         free_function(ptr);
-    else
+    #endif
+    }
+    else {
+    #ifndef WOLFSSL_NO_MALLOC
         free(ptr);
+    #else
+        WOLFSSL_MSG("No free available");
+    #endif
+    }
 }
 
+#ifdef WOLFSSL_DEBUG_MEMORY
+void* wolfSSL_Realloc(void *ptr, size_t size, const char* func, unsigned int line)
+#else
 void* wolfSSL_Realloc(void *ptr, size_t size)
+#endif
 {
     void* res = 0;
 
-    if (realloc_function)
+    if (realloc_function) {
+    #ifdef WOLFSSL_DEBUG_MEMORY
+        res = realloc_function(ptr, size, func, line);
+    #else
         res = realloc_function(ptr, size);
-    else
+    #endif
+    }
+    else {
+    #ifndef WOLFSSL_NO_MALLOC
         res = realloc(ptr, size);
+    #else
+        WOLFSSL_MSG("No realloc available");
+    #endif
+    }
+
+    return res;
+}
+#endif /* WOLFSSL_STATIC_MEMORY */
+
+#ifdef WOLFSSL_STATIC_MEMORY
+
+struct wc_Memory {
+    byte*  buffer;
+    struct wc_Memory* next;
+    word32 sz;
+};
+
+
+/* returns amount of memory used on success. On error returns negative value
+   wc_Memory** list is the list that new buckets are prepended to
+ */
+static int create_memory_buckets(byte* buffer, word32 bufSz,
+                              word32 buckSz, word32 buckNum, wc_Memory** list) {
+    word32 i;
+    byte*  pt  = buffer;
+    int    ret = 0;
+    word32 memSz = (word32)sizeof(wc_Memory);
+    word32 padSz = -(int)memSz & (WOLFSSL_STATIC_ALIGN - 1);
+
+    /* if not enough space available for bucket size then do not try */
+    if (buckSz + memSz + padSz > bufSz) {
+        return ret;
+    }
+
+    for (i = 0; i < buckNum; i++) {
+        if ((buckSz + memSz + padSz) <= (bufSz - ret)) {
+            /* create a new struct and set its values */
+            wc_Memory* mem = (struct wc_Memory*)(pt);
+            mem->sz = buckSz;
+            mem->buffer = (byte*)pt + padSz + memSz;
+            mem->next = NULL;
+
+            /* add the newly created struct to front of list */
+            if (*list == NULL) {
+                *list = mem;
+            } else {
+                mem->next = *list;
+                *list = mem;
+            }
+
+            /* advance pointer and keep track of memory used */
+            ret += buckSz + padSz + memSz;
+            pt  += buckSz + padSz + memSz;
+        }
+        else {
+            break; /* not enough space left for more buckets of this size */
+        }
+    }
+
+    return ret;
+}
+
+int wolfSSL_init_memory_heap(WOLFSSL_HEAP* heap)
+{
+    word32 wc_MemSz[WOLFMEM_DEF_BUCKETS] = { WOLFMEM_BUCKETS };
+    word32 wc_Dist[WOLFMEM_DEF_BUCKETS]  = { WOLFMEM_DIST };
+
+    if (heap == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(heap, 0, sizeof(WOLFSSL_HEAP));
+
+    XMEMCPY(heap->sizeList, wc_MemSz, sizeof(wc_MemSz));
+    XMEMCPY(heap->distList, wc_Dist,  sizeof(wc_Dist));
+
+    if (wc_InitMutex(&(heap->memory_mutex)) != 0) {
+        WOLFSSL_MSG("Error creating heap memory mutex");
+        return BAD_MUTEX_E;
+    }
+
+    return 0;
+}
+
+int wc_LoadStaticMemory(WOLFSSL_HEAP_HINT** pHint,
+    unsigned char* buf, unsigned int sz, int flag, int max)
+{
+    int ret;
+    WOLFSSL_HEAP*      heap;
+    WOLFSSL_HEAP_HINT* hint;
+    word32 idx = 0;
+
+    if (pHint == NULL || buf == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if ((sizeof(WOLFSSL_HEAP) + sizeof(WOLFSSL_HEAP_HINT)) > sz - idx) {
+        return BUFFER_E; /* not enough memory for structures */
+    }
+
+    /* check if hint has already been assigned */
+    if (*pHint == NULL) {
+        heap = (WOLFSSL_HEAP*)buf;
+        idx += sizeof(WOLFSSL_HEAP);
+        hint = (WOLFSSL_HEAP_HINT*)(buf + idx);
+        idx += sizeof(WOLFSSL_HEAP_HINT);
+
+        ret = wolfSSL_init_memory_heap(heap);
+        if (ret != 0) {
+            return ret;
+        }
+
+        XMEMSET(hint, 0, sizeof(WOLFSSL_HEAP_HINT));
+        hint->memory = heap;
+    }
+    else {
+    #ifdef WOLFSSL_HEAP_TEST
+        /* do not load in memory if test has been set */
+        if (heap == (void*)WOLFSSL_HEAP_TEST) {
+            return 0;
+        }
+    #endif
+
+        hint = (WOLFSSL_HEAP_HINT*)(*pHint);
+        heap = hint->memory;
+    }
+
+    ret = wolfSSL_load_static_memory(buf + idx, sz - idx, flag, heap);
+    if (ret != 1) {
+        WOLFSSL_MSG("Error partitioning memory");
+        return -1;
+    }
+
+    /* determine what max applies too */
+    if ((flag & WOLFMEM_IO_POOL) || (flag & WOLFMEM_IO_POOL_FIXED)) {
+        heap->maxIO = max;
+    }
+    else { /* general memory used in handshakes */
+        heap->maxHa = max;
+    }
+
+    heap->flag |= flag;
+    *pHint = hint;
+
+    (void)max;
+
+    return 0;
+}
+
+int wolfSSL_load_static_memory(byte* buffer, word32 sz, int flag,
+                                                             WOLFSSL_HEAP* heap)
+{
+    word32 ava = sz;
+    byte*  pt  = buffer;
+    int    ret = 0;
+    word32 memSz = (word32)sizeof(wc_Memory);
+    word32 padSz = -(int)memSz & (WOLFSSL_STATIC_ALIGN - 1);
+
+    WOLFSSL_ENTER("wolfSSL_load_static_memory");
+
+    if (buffer == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* align pt */
+    while ((wolfssl_word)pt % WOLFSSL_STATIC_ALIGN && pt < (buffer + sz)) {
+        *pt = 0x00;
+        pt++;
+        ava--;
+    }
+
+#ifdef WOLFSSL_DEBUG_MEMORY
+    printf("Allocated %d bytes for static memory @ %p\n", ava, pt);
+#endif
+
+    /* divide into chunks of memory and add them to available list */
+    while (ava >= (heap->sizeList[0] + padSz + memSz)) {
+        int i;
+        /* creating only IO buffers from memory passed in, max TLS is 16k */
+        if (flag & WOLFMEM_IO_POOL || flag & WOLFMEM_IO_POOL_FIXED) {
+            if ((ret = create_memory_buckets(pt, ava,
+                                          WOLFMEM_IO_SZ, 1, &(heap->io))) < 0) {
+                WOLFSSL_LEAVE("wolfSSL_load_static_memory", ret);
+                return ret;
+            }
+
+            /* check if no more room left for creating IO buffers */
+            if (ret == 0) {
+                break;
+            }
+
+            /* advance pointer in buffer for next buckets and keep track
+               of how much memory is left available */
+            pt  += ret;
+            ava -= ret;
+        }
+        else {
+            /* start at largest and move to smaller buckets */
+            for (i = (WOLFMEM_MAX_BUCKETS - 1); i >= 0; i--) {
+                if ((heap->sizeList[i] + padSz + memSz) <= ava) {
+                    if ((ret = create_memory_buckets(pt, ava, heap->sizeList[i],
+                                     heap->distList[i], &(heap->ava[i]))) < 0) {
+                        WOLFSSL_LEAVE("wolfSSL_load_static_memory", ret);
+                        return ret;
+                    }
+
+                    /* advance pointer in buffer for next buckets and keep track
+                       of how much memory is left available */
+                    pt  += ret;
+                    ava -= ret;
+                }
+            }
+        }
+    }
+
+    return 1;
+}
+
+
+/* returns the size of management memory needed for each bucket.
+ * This is memory that is used to keep track of and align memory buckets. */
+int wolfSSL_MemoryPaddingSz(void)
+{
+    word32 memSz = (word32)sizeof(wc_Memory);
+    word32 padSz = -(int)memSz & (WOLFSSL_STATIC_ALIGN - 1);
+    return memSz + padSz;
+}
+
+
+/* Used to calculate memory size for optimum use with buckets.
+   returns the suggested size rounded down to the nearest bucket. */
+int wolfSSL_StaticBufferSz(byte* buffer, word32 sz, int flag)
+{
+    word32 bucketSz[WOLFMEM_MAX_BUCKETS] = {WOLFMEM_BUCKETS};
+    word32 distList[WOLFMEM_MAX_BUCKETS] = {WOLFMEM_DIST};
+
+    word32 ava = sz;
+    byte*  pt  = buffer;
+    word32 memSz = (word32)sizeof(wc_Memory);
+    word32 padSz = -(int)memSz & (WOLFSSL_STATIC_ALIGN - 1);
+
+    WOLFSSL_ENTER("wolfSSL_static_size");
+
+    if (buffer == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* align pt */
+    while ((wolfssl_word)pt % WOLFSSL_STATIC_ALIGN && pt < (buffer + sz)) {
+        pt++;
+        ava--;
+    }
+
+    /* creating only IO buffers from memory passed in, max TLS is 16k */
+    if (flag & WOLFMEM_IO_POOL || flag & WOLFMEM_IO_POOL_FIXED) {
+        if (ava < (memSz + padSz + WOLFMEM_IO_SZ)) {
+            return 0; /* not enough room for even one bucket */
+        }
+
+        ava = ava % (memSz + padSz + WOLFMEM_IO_SZ);
+    }
+    else {
+        int i, k;
+
+        if (ava < (bucketSz[0] + padSz + memSz)) {
+            return 0; /* not enough room for even one bucket */
+        }
+
+        while ((ava >= (bucketSz[0] + padSz + memSz)) && (ava > 0)) {
+            /* start at largest and move to smaller buckets */
+            for (i = (WOLFMEM_MAX_BUCKETS - 1); i >= 0; i--) {
+                for (k = distList[i]; k > 0; k--) {
+                    if ((bucketSz[i] + padSz + memSz) <= ava) {
+                        ava -= bucketSz[i] + padSz + memSz;
+                    }
+                }
+            }
+        }
+    }
+
+    return sz - ava; /* round down */
+}
+
+
+int FreeFixedIO(WOLFSSL_HEAP* heap, wc_Memory** io)
+{
+    WOLFSSL_MSG("Freeing fixed IO buffer");
+
+    /* check if fixed buffer was set */
+    if (*io == NULL) {
+        return 1;
+    }
+
+    if (heap == NULL) {
+        WOLFSSL_MSG("No heap to return fixed IO too");
+    }
+    else {
+        /* put IO buffer back into IO pool */
+        (*io)->next = heap->io;
+        heap->io    = *io;
+        *io         = NULL;
+    }
+
+    return 1;
+}
+
+
+int SetFixedIO(WOLFSSL_HEAP* heap, wc_Memory** io)
+{
+    WOLFSSL_MSG("Setting fixed IO for SSL");
+    if (heap == NULL) {
+        return MEMORY_E;
+    }
+
+    *io = heap->io;
+
+    if (*io != NULL) {
+        heap->io = (*io)->next;
+        (*io)->next = NULL;
+    }
+    else { /* failed to grab an IO buffer */
+        return 0;
+    }
+
+    return 1;
+}
+
+
+int wolfSSL_GetMemStats(WOLFSSL_HEAP* heap, WOLFSSL_MEM_STATS* stats)
+{
+        word32     i;
+        wc_Memory* pt;
+
+        XMEMSET(stats, 0, sizeof(WOLFSSL_MEM_STATS));
+
+        stats->totalAlloc = heap->alloc;
+        stats->totalFr    = heap->frAlc;
+        stats->curAlloc   = stats->totalAlloc - stats->totalFr;
+        stats->maxHa      = heap->maxHa;
+        stats->maxIO      = heap->maxIO;
+        for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
+            stats->blockSz[i] = heap->sizeList[i];
+            for (pt = heap->ava[i]; pt != NULL; pt = pt->next) {
+                stats->avaBlock[i] += 1;
+            }
+        }
+
+        for (pt = heap->io; pt != NULL; pt = pt->next) {
+            stats->avaIO++;
+        }
+
+        stats->flag       = heap->flag; /* flag used */
+
+    return 1;
+}
+
+
+#ifdef WOLFSSL_DEBUG_MEMORY
+void* wolfSSL_Malloc(size_t size, void* heap, int type, const char* func, unsigned int line)
+#else
+void* wolfSSL_Malloc(size_t size, void* heap, int type)
+#endif
+{
+    void* res = 0;
+    wc_Memory* pt = NULL;
+    int   i;
+
+    /* check for testing heap hint was set */
+#ifdef WOLFSSL_HEAP_TEST
+    if (heap == (void*)WOLFSSL_HEAP_TEST) {
+        return malloc(size);
+    }
+#endif
+
+    /* if no heap hint then use dynamic memory*/
+    if (heap == NULL) {
+        #ifdef WOLFSSL_HEAP_TEST
+            /* allow using malloc for creating ctx and method */
+            if (type == DYNAMIC_TYPE_CTX || type == DYNAMIC_TYPE_METHOD ||
+                                            type == DYNAMIC_TYPE_CERT_MANAGER) {
+                WOLFSSL_MSG("ERROR allowing null heap hint for ctx/method\n");
+                res = malloc(size);
+            }
+            else {
+                WOLFSSL_MSG("ERROR null heap hint passed into XMALLOC\n");
+                res = NULL;
+            }
+        #else
+        #ifndef WOLFSSL_NO_MALLOC
+            #ifdef FREERTOS
+                res = pvPortMalloc(size);
+            #else
+                res = malloc(size);
+            #endif
+        #else
+            WOLFSSL_MSG("No heap hint found to use and no malloc");
+            #ifdef WOLFSSL_DEBUG_MEMORY
+            printf("ERROR: at %s:%d\n", func, line);
+            #endif
+        #endif /* WOLFSSL_NO_MALLOC */
+        #endif /* WOLFSSL_HEAP_TEST */
+    }
+    else {
+        WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap;
+        WOLFSSL_HEAP*      mem  = hint->memory;
+
+        if (wc_LockMutex(&(mem->memory_mutex)) != 0) {
+            WOLFSSL_MSG("Bad memory_mutex lock");
+            return NULL;
+        }
+
+        /* case of using fixed IO buffers */
+        if (mem->flag & WOLFMEM_IO_POOL_FIXED &&
+                                             (type == DYNAMIC_TYPE_OUT_BUFFER ||
+                                              type == DYNAMIC_TYPE_IN_BUFFER)) {
+            if (type == DYNAMIC_TYPE_OUT_BUFFER) {
+                pt = hint->outBuf;
+            }
+            if (type == DYNAMIC_TYPE_IN_BUFFER) {
+                pt = hint->inBuf;
+            }
+        }
+        else {
+            /* check if using IO pool flag */
+            if (mem->flag & WOLFMEM_IO_POOL &&
+                                             (type == DYNAMIC_TYPE_OUT_BUFFER ||
+                                              type == DYNAMIC_TYPE_IN_BUFFER)) {
+                if (mem->io != NULL) {
+                    pt      = mem->io;
+                    mem->io = pt->next;
+                }
+            }
+
+            /* general static memory */
+            if (pt == NULL) {
+                for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
+                    if ((word32)size < mem->sizeList[i]) {
+                        if (mem->ava[i] != NULL) {
+                            pt = mem->ava[i];
+                            mem->ava[i] = pt->next;
+                            break;
+                        }
+                    #ifdef WOLFSSL_DEBUG_STATIC_MEMORY
+                        else {
+                            printf("Size: %ld, Empty: %d\n", size,
+                                                              mem->sizeList[i]);
+                        }
+                    #endif
+                    }
+                }
+            }
+        }
+
+        if (pt != NULL) {
+            mem->inUse += pt->sz;
+            mem->alloc += 1;
+            res = pt->buffer;
+
+        #ifdef WOLFSSL_DEBUG_MEMORY
+            printf("Alloc: %p -> %u at %s:%d\n", pt->buffer, pt->sz, func, line);
+        #endif
+
+            /* keep track of connection statistics if flag is set */
+            if (mem->flag & WOLFMEM_TRACK_STATS) {
+                WOLFSSL_MEM_CONN_STATS* stats = hint->stats;
+                if (stats != NULL) {
+                    stats->curMem += pt->sz;
+                    if (stats->peakMem < stats->curMem) {
+                        stats->peakMem = stats->curMem;
+                    }
+                    stats->curAlloc++;
+                    if (stats->peakAlloc < stats->curAlloc) {
+                        stats->peakAlloc = stats->curAlloc;
+                    }
+                    stats->totalAlloc++;
+                }
+            }
+        }
+        else {
+            WOLFSSL_MSG("ERROR ran out of static memory");
+            #ifdef WOLFSSL_DEBUG_MEMORY
+            printf("Looking for %lu bytes at %s:%d\n", size, func, line);
+            #endif
+        }
+
+        wc_UnLockMutex(&(mem->memory_mutex));
+    }
+
+    #ifdef WOLFSSL_MALLOC_CHECK
+        if ((wolfssl_word)res % WOLFSSL_STATIC_ALIGN) {
+            WOLFSSL_MSG("ERROR memory is not aligned");
+            res = NULL;
+        }
+    #endif
+
+
+    (void)i;
+    (void)pt;
+    (void)type;
 
     return res;
 }
 
+
+#ifdef WOLFSSL_DEBUG_MEMORY
+void wolfSSL_Free(void *ptr, void* heap, int type, const char* func, unsigned int line)
+#else
+void wolfSSL_Free(void *ptr, void* heap, int type)
+#endif
+{
+    int i;
+    wc_Memory* pt;
+
+    if (ptr) {
+        /* check for testing heap hint was set */
+    #ifdef WOLFSSL_HEAP_TEST
+        if (heap == (void*)WOLFSSL_HEAP_TEST) {
+            return free(ptr);
+        }
+    #endif
+
+        if (heap == NULL) {
+        #ifdef WOLFSSL_HEAP_TEST
+            /* allow using malloc for creating ctx and method */
+            if (type == DYNAMIC_TYPE_CTX || type == DYNAMIC_TYPE_METHOD ||
+                                            type == DYNAMIC_TYPE_CERT_MANAGER) {
+                WOLFSSL_MSG("ERROR allowing null heap hint for ctx/method\n");
+            }
+            else {
+                WOLFSSL_MSG("ERROR null heap hint passed into XFREE\n");
+            }
+        #endif
+        #ifndef WOLFSSL_NO_MALLOC
+            #ifdef FREERTOS
+                vPortFree(ptr);
+            #else
+                free(ptr);
+            #endif
+        #else
+            WOLFSSL_MSG("Error trying to call free when turned off");
+        #endif /* WOLFSSL_NO_MALLOC */
+        }
+        else {
+            WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap;
+            WOLFSSL_HEAP*      mem  = hint->memory;
+            word32 padSz = -(int)sizeof(wc_Memory) & (WOLFSSL_STATIC_ALIGN - 1);
+
+            /* get memory struct and add it to available list */
+            pt = (wc_Memory*)((byte*)ptr - sizeof(wc_Memory) - padSz);
+            if (wc_LockMutex(&(mem->memory_mutex)) != 0) {
+                WOLFSSL_MSG("Bad memory_mutex lock");
+                return;
+            }
+
+            /* case of using fixed IO buffers */
+            if (mem->flag & WOLFMEM_IO_POOL_FIXED &&
+                                             (type == DYNAMIC_TYPE_OUT_BUFFER ||
+                                              type == DYNAMIC_TYPE_IN_BUFFER)) {
+                /* fixed IO pools are free'd at the end of SSL lifetime
+                   using FreeFixedIO(WOLFSSL_HEAP* heap, wc_Memory** io) */
+            }
+            else if (mem->flag & WOLFMEM_IO_POOL && pt->sz == WOLFMEM_IO_SZ &&
+                                             (type == DYNAMIC_TYPE_OUT_BUFFER ||
+                                              type == DYNAMIC_TYPE_IN_BUFFER)) {
+                pt->next = mem->io;
+                mem->io  = pt;
+            }
+            else { /* general memory free */
+                for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
+                    if (pt->sz == mem->sizeList[i]) {
+                        pt->next = mem->ava[i];
+                        mem->ava[i] = pt;
+                        break;
+                    }
+                }
+            }
+            mem->inUse -= pt->sz;
+            mem->frAlc += 1;
+
+        #ifdef WOLFSSL_DEBUG_MEMORY
+            printf("Free: %p -> %u at %s:%d\n", pt->buffer, pt->sz, func, line);
+        #endif
+
+            /* keep track of connection statistics if flag is set */
+            if (mem->flag & WOLFMEM_TRACK_STATS) {
+                WOLFSSL_MEM_CONN_STATS* stats = hint->stats;
+                if (stats != NULL) {
+                    /* avoid under flow */
+                    if (stats->curMem > pt->sz) {
+                        stats->curMem -= pt->sz;
+                    }
+                    else {
+                        stats->curMem = 0;
+                    }
+
+                    if (stats->curAlloc > 0) {
+                        stats->curAlloc--;
+                    }
+                    stats->totalFr++;
+                }
+            }
+            wc_UnLockMutex(&(mem->memory_mutex));
+        }
+    }
+
+    (void)i;
+    (void)pt;
+    (void)type;
+}
+
+#ifdef WOLFSSL_DEBUG_MEMORY
+void* wolfSSL_Realloc(void *ptr, size_t size, void* heap, int type, const char* func, unsigned int line)
+#else
+void* wolfSSL_Realloc(void *ptr, size_t size, void* heap, int type)
+#endif
+{
+    void* res = 0;
+    wc_Memory* pt = NULL;
+    word32 prvSz;
+    int    i;
+
+    /* check for testing heap hint was set */
+#ifdef WOLFSSL_HEAP_TEST
+    if (heap == (void*)WOLFSSL_HEAP_TEST) {
+        return realloc(ptr, size);
+    }
+#endif
+
+    if (heap == NULL) {
+        #ifdef WOLFSSL_HEAP_TEST
+            WOLFSSL_MSG("ERROR null heap hint passed in to XREALLOC\n");
+        #endif
+        #ifndef WOLFSSL_NO_MALLOC
+            res = realloc(ptr, size);
+        #else
+            WOLFSSL_MSG("NO heap found to use for realloc");
+        #endif /* WOLFSSL_NO_MALLOC */
+    }
+    else {
+        WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap;
+        WOLFSSL_HEAP*      mem  = hint->memory;
+        word32 padSz = -(int)sizeof(wc_Memory) & (WOLFSSL_STATIC_ALIGN - 1);
+
+        if (ptr == NULL) {
+        #ifdef WOLFSSL_DEBUG_MEMORY
+            return wolfSSL_Malloc(size, heap, type, func, line);
+        #else
+            return wolfSSL_Malloc(size, heap, type);
+        #endif
+        }
+
+        if (wc_LockMutex(&(mem->memory_mutex)) != 0) {
+            WOLFSSL_MSG("Bad memory_mutex lock");
+            return NULL;
+        }
+
+        /* case of using fixed IO buffers or IO pool */
+        if (((mem->flag & WOLFMEM_IO_POOL)||(mem->flag & WOLFMEM_IO_POOL_FIXED))
+                                          && (type == DYNAMIC_TYPE_OUT_BUFFER ||
+                                              type == DYNAMIC_TYPE_IN_BUFFER)) {
+            /* no realloc, is fixed size */
+            pt = (wc_Memory*)((byte*)ptr - padSz - sizeof(wc_Memory));
+            if (pt->sz < size) {
+                WOLFSSL_MSG("Error IO memory was not large enough");
+                res = NULL; /* return NULL in error case */
+            }
+            res = pt->buffer;
+        }
+        else {
+        /* general memory */
+            for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
+                if ((word32)size < mem->sizeList[i]) {
+                    if (mem->ava[i] != NULL) {
+                        pt = mem->ava[i];
+                        mem->ava[i] = pt->next;
+                        break;
+                    }
+                }
+            }
+
+            if (pt != NULL && res == NULL) {
+                res = pt->buffer;
+
+                /* copy over original information and free ptr */
+                prvSz = ((wc_Memory*)((byte*)ptr - padSz -
+                                               sizeof(wc_Memory)))->sz;
+                prvSz = (prvSz > pt->sz)? pt->sz: prvSz;
+                XMEMCPY(pt->buffer, ptr, prvSz);
+                mem->inUse += pt->sz;
+                mem->alloc += 1;
+
+                /* free memory that was previously being used */
+                wc_UnLockMutex(&(mem->memory_mutex));
+                wolfSSL_Free(ptr, heap, type
+            #ifdef WOLFSSL_DEBUG_MEMORY
+                    , func, line
+            #endif
+                );
+                if (wc_LockMutex(&(mem->memory_mutex)) != 0) {
+                    WOLFSSL_MSG("Bad memory_mutex lock");
+                    return NULL;
+                }
+            }
+        }
+        wc_UnLockMutex(&(mem->memory_mutex));
+    }
+
+    #ifdef WOLFSSL_MALLOC_CHECK
+        if ((wolfssl_word)res % WOLFSSL_STATIC_ALIGN) {
+            WOLFSSL_MSG("ERROR memory is not aligned");
+            res = NULL;
+        }
+    #endif
+
+    (void)i;
+    (void)pt;
+    (void)type;
+
+    return res;
+}
+#endif /* WOLFSSL_STATIC_MEMORY */
+
 #endif /* USE_WOLFSSL_MEMORY */
 
 
@@ -125,7 +965,7 @@ void* wolfSSL_Realloc(void *ptr, size_t size)
 
 
 /* allow simple per thread in and out pools */
-/* use 17k size sense max record size is 16k plus overhead */
+/* use 17k size since max record size is 16k plus overhead */
 static THREAD_LS_T byte pool_in[17*1024];
 static THREAD_LS_T byte pool_out[17*1024];
 
@@ -172,9 +1012,7 @@ void* XREALLOC(void *p, size_t n, void* heap, int type)
     return realloc(p, n);
 }
 
-
-/* unit api calls, let's make sure visible with WOLFSSL_API */
-WOLFSSL_API void XFREE(void *p, void* heap, int type)
+void XFREE(void *p, void* heap, int type)
 {
     (void)heap;
 
@@ -189,3 +1027,100 @@ WOLFSSL_API void XFREE(void *p, void* heap, int type)
 
 #endif /* HAVE_IO_POOL */
 
+#ifdef WOLFSSL_MEMORY_LOG
+void *xmalloc(size_t n, void* heap, int type, const char* func,
+              const char* file, unsigned int line)
+{
+    void*   p;
+    word32* p32;
+
+    if (malloc_function)
+        p32 = malloc_function(n + sizeof(word32) * 4);
+    else
+        p32 = malloc(n + sizeof(word32) * 4);
+
+    p32[0] = (word32)n;
+    p = (void*)(p32 + 4);
+
+    fprintf(stderr, "Alloc: %p -> %u (%d) at %s:%s:%u\n", p, (word32)n, type,
+                                                              func, file, line);
+
+    (void)heap;
+
+    return p;
+}
+void *xrealloc(void *p, size_t n, void* heap, int type, const char* func,
+               const char* file, unsigned int line)
+{
+    void*   newp = NULL;
+    word32* p32;
+    word32* oldp32 = NULL;
+    word32  oldLen;
+
+    if (p != NULL) {
+        oldp32 = (word32*)p;
+        oldp32 -= 4;
+        oldLen = oldp32[0];
+    }
+
+    if (realloc_function)
+        p32 = realloc_function(oldp32, n + sizeof(word32) * 4);
+    else
+        p32 = realloc(oldp32, n + sizeof(word32) * 4);
+
+    if (p32 != NULL) {
+        p32[0] = (word32)n;
+        newp = (void*)(p32 + 4);
+
+        fprintf(stderr, "Alloc: %p -> %u (%d) at %s:%s:%u\n", newp, (word32)n,
+                                                        type, func, file, line);
+        if (p != NULL) {
+            fprintf(stderr, "Free: %p -> %u (%d) at %s:%s:%u\n", p, oldLen,
+                                                        type, func, file, line);
+        }
+    }
+
+    (void)heap;
+
+    return newp;
+}
+void xfree(void *p, void* heap, int type, const char* func, const char* file,
+           unsigned int line)
+{
+    word32* p32 = (word32*)p;
+
+    if (p != NULL) {
+        p32 -= 4;
+
+        fprintf(stderr, "Free: %p -> %u (%d) at %s:%s:%u\n", p, p32[0], type,
+                                                              func, file, line);
+
+        if (free_function)
+            free_function(p32);
+        else
+            free(p32);
+    }
+
+    (void)heap;
+}
+#endif /* WOLFSSL_MEMORY_LOG */
+
+#ifdef WOLFSSL_STACK_LOG
+/* Note: this code only works with GCC using -finstrument-functions. */
+void __attribute__((no_instrument_function))
+     __cyg_profile_func_enter(void *func,  void *caller)
+{
+    register void* sp asm("sp");
+    fprintf(stderr, "ENTER: %016lx %p\n", (unsigned long)(size_t)func, sp);
+    (void)caller;
+}
+
+void __attribute__((no_instrument_function))
+     __cyg_profile_func_exit(void *func, void *caller)
+{
+    register void* sp asm("sp");
+    fprintf(stderr, "EXIT: %016lx %p\n", (unsigned long)(size_t)func, sp);
+    (void)caller;
+}
+#endif
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/misc.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/misc.c
index 8a79a4c29..8f2402c9c 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/misc.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/misc.c
@@ -1,8 +1,8 @@
 /* misc.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -30,7 +31,7 @@
 
 #include <wolfssl/wolfcrypt/misc.h>
 
-/* inlining these functions is a huge speed increase and a small size decrease, 
+/* inlining these functions is a huge speed increase and a small size decrease,
    because the functions are smaller than function call setup/cleanup, e.g.,
    md5 benchmark is twice as fast with inline.  If you don't want it, then
    define NO_INLINE and compile this file into wolfssl, otherwise it's used as
@@ -38,9 +39,22 @@
  */
 
 #ifdef NO_INLINE
-    #define STATIC
+    #define WC_STATIC
+#else
+    #define WC_STATIC static
+#endif
+
+/* Check for if compiling misc.c when not needed. */
+#if !defined(WOLFSSL_MISC_INCLUDED) && !defined(NO_INLINE)
+    #ifndef WOLFSSL_IGNORE_FILE_WARN
+   //     #warning misc.c does not need to be compiled when using inline (NO_INLINE not defined)
+    #endif
+
 #else
-    #define STATIC static
+
+
+#if defined(__ICCARM__)
+    #include <intrinsics.h>
 #endif
 
 
@@ -52,25 +66,25 @@
      * i.e., _rotl and _rotr */
     #pragma intrinsic(_lrotl, _lrotr)
 
-    STATIC INLINE word32 rotlFixed(word32 x, word32 y)
+    WC_STATIC WC_INLINE word32 rotlFixed(word32 x, word32 y)
     {
         return y ? _lrotl(x, y) : x;
     }
 
-    STATIC INLINE word32 rotrFixed(word32 x, word32 y)
+    WC_STATIC WC_INLINE word32 rotrFixed(word32 x, word32 y)
     {
         return y ? _lrotr(x, y) : x;
     }
 
 #else /* generic */
 
-    STATIC INLINE word32 rotlFixed(word32 x, word32 y)
+    WC_STATIC WC_INLINE word32 rotlFixed(word32 x, word32 y)
     {
         return (x << y) | (x >> (sizeof(y) * 8 - y));
-    }   
+    }
 
 
-    STATIC INLINE word32 rotrFixed(word32 x, word32 y)
+    WC_STATIC WC_INLINE word32 rotrFixed(word32 x, word32 y)
     {
         return (x >> y) | (x << (sizeof(y) * 8 - y));
     }
@@ -78,13 +92,18 @@
 #endif
 
 
-STATIC INLINE word32 ByteReverseWord32(word32 value)
+WC_STATIC WC_INLINE word32 ByteReverseWord32(word32 value)
 {
 #ifdef PPC_INTRINSICS
     /* PPC: load reverse indexed instruction */
     return (word32)__lwbrx(&value,0);
+#elif defined(__ICCARM__)
+    return (word32)__REV(value);
 #elif defined(KEIL_INTRINSICS)
     return (word32)__rev(value);
+#elif defined(WOLF_ALLOW_BUILTIN) && \
+        defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3)
+    return (word32)__builtin_bswap32(value);
 #elif defined(FAST_ROTATE)
     /* 5 instructions with rotate instruction, 9 without */
     return (rotrFixed(value, 8U) & 0xff00ff00) |
@@ -97,7 +116,7 @@ STATIC INLINE word32 ByteReverseWord32(word32 value)
 }
 
 
-STATIC INLINE void ByteReverseWords(word32* out, const word32* in,
+WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
                                     word32 byteCount)
 {
     word32 count = byteCount/(word32)sizeof(word32), i;
@@ -108,26 +127,28 @@ STATIC INLINE void ByteReverseWords(word32* out, const word32* in,
 }
 
 
-#ifdef WORD64_AVAILABLE
+#if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
 
 
-STATIC INLINE word64 rotlFixed64(word64 x, word64 y)
+WC_STATIC WC_INLINE word64 rotlFixed64(word64 x, word64 y)
 {
     return (x << y) | (x >> (sizeof(y) * 8 - y));
-}  
+}
 
 
-STATIC INLINE word64 rotrFixed64(word64 x, word64 y)
+WC_STATIC WC_INLINE word64 rotrFixed64(word64 x, word64 y)
 {
     return (x >> y) | (x << (sizeof(y) * 8 - y));
 }
 
 
-STATIC INLINE word64 ByteReverseWord64(word64 value)
+WC_STATIC WC_INLINE word64 ByteReverseWord64(word64 value)
 {
-#ifdef WOLFCRYPT_SLOW_WORD64
-	return (word64)(ByteReverseWord32((word32)value)) << 32 | 
-                    ByteReverseWord32((word32)(value>>32));
+#if defined(WOLF_ALLOW_BUILTIN) && defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3)
+    return (word64)__builtin_bswap64(value);
+#elif defined(WOLFCRYPT_SLOW_WORD64)
+	return (word64)((word64)ByteReverseWord32((word32) value)) << 32 |
+                    (word64)ByteReverseWord32((word32)(value   >> 32));
 #else
 	value = ((value & W64LIT(0xFF00FF00FF00FF00)) >> 8) |
             ((value & W64LIT(0x00FF00FF00FF00FF)) << 8);
@@ -138,7 +159,7 @@ STATIC INLINE word64 ByteReverseWord64(word64 value)
 }
 
 
-STATIC INLINE void ByteReverseWords64(word64* out, const word64* in,
+WC_STATIC WC_INLINE void ByteReverseWords64(word64* out, const word64* in,
                                       word32 byteCount)
 {
     word32 count = byteCount/(word32)sizeof(word64), i;
@@ -148,10 +169,10 @@ STATIC INLINE void ByteReverseWords64(word64* out, const word64* in,
 
 }
 
-#endif /* WORD64_AVAILABLE */
+#endif /* WORD64_AVAILABLE && !WOLFSSL_NO_WORD64_OPS */
 
-
-STATIC INLINE void XorWords(wolfssl_word* r, const wolfssl_word* a, word32 n)
+#ifndef WOLFSSL_NO_XOR_OPS
+WC_STATIC WC_INLINE void XorWords(wolfssl_word* r, const wolfssl_word* a, word32 n)
 {
     word32 i;
 
@@ -159,7 +180,7 @@ STATIC INLINE void XorWords(wolfssl_word* r, const wolfssl_word* a, word32 n)
 }
 
 
-STATIC INLINE void xorbuf(void* buf, const void* mask, word32 count)
+WC_STATIC WC_INLINE void xorbuf(void* buf, const void* mask, word32 count)
 {
     if (((wolfssl_word)buf | (wolfssl_word)mask | count) % WOLFSSL_WORD_SIZE == 0)
         XorWords( (wolfssl_word*)buf,
@@ -172,19 +193,37 @@ STATIC INLINE void xorbuf(void* buf, const void* mask, word32 count)
         for (i = 0; i < count; i++) b[i] ^= m[i];
     }
 }
+#endif
 
-
+#ifndef WOLFSSL_NO_FORCE_ZERO
 /* Make sure compiler doesn't skip */
-STATIC INLINE void ForceZero(const void* mem, word32 len)
+WC_STATIC WC_INLINE void ForceZero(const void* mem, word32 len)
 {
     volatile byte* z = (volatile byte*)mem;
 
+#if defined(WOLFSSL_X86_64_BUILD) && defined(WORD64_AVAILABLE)
+    volatile word64* w;
+    #ifndef WOLFSSL_UNALIGNED_64BIT_ACCESS
+        word32 l = (sizeof(word64) - ((size_t)z & (sizeof(word64)-1))) &
+                                                             (sizeof(word64)-1);
+
+        if (len < l) l = len;
+        len -= l;
+        while (l--) *z++ = 0;
+    #endif
+    for (w = (volatile word64*)z; len >= sizeof(*w); len -= sizeof(*w))
+        *w++ = 0;
+    z = (volatile byte*)w;
+#endif
+
     while (len--) *z++ = 0;
 }
+#endif
 
 
+#ifndef WOLFSSL_NO_CONST_CMP
 /* check all length bytes for equality, return 0 on success */
-STATIC INLINE int ConstantCompare(const byte* a, const byte* b, int length)
+WC_STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b, int length)
 {
     int i;
     int compareSum = 0;
@@ -195,7 +234,172 @@ STATIC INLINE int ConstantCompare(const byte* a, const byte* b, int length)
 
     return compareSum;
 }
+#endif
+
+
+#ifndef WOLFSSL_HAVE_MIN
+    #define WOLFSSL_HAVE_MIN
+    #if defined(HAVE_FIPS) && !defined(min) /* so ifdef check passes */
+        #define min min
+    #endif
+    WC_STATIC WC_INLINE word32 min(word32 a, word32 b)
+    {
+        return a > b ? b : a;
+    }
+#endif /* !WOLFSSL_HAVE_MIN */
+
+#ifndef WOLFSSL_HAVE_MAX
+    #define WOLFSSL_HAVE_MAX
+    #if defined(HAVE_FIPS) && !defined(max) /* so ifdef check passes */
+        #define max max
+    #endif
+    WC_STATIC WC_INLINE word32 max(word32 a, word32 b)
+    {
+        return a > b ? a : b;
+    }
+#endif /* !WOLFSSL_HAVE_MAX */
+
+#ifndef WOLFSSL_NO_INT_ENCODE
+/* converts a 32 bit integer to 24 bit */
+WC_STATIC WC_INLINE void c32to24(word32 in, word24 out)
+{
+    out[0] = (in >> 16) & 0xff;
+    out[1] = (in >>  8) & 0xff;
+    out[2] =  in & 0xff;
+}
+
+/* convert 16 bit integer to opaque */
+WC_STATIC WC_INLINE void c16toa(word16 wc_u16, byte* c)
+{
+    c[0] = (wc_u16 >> 8) & 0xff;
+    c[1] =  wc_u16 & 0xff;
+}
+
+/* convert 32 bit integer to opaque */
+WC_STATIC WC_INLINE void c32toa(word32 wc_u32, byte* c)
+{
+    c[0] = (wc_u32 >> 24) & 0xff;
+    c[1] = (wc_u32 >> 16) & 0xff;
+    c[2] = (wc_u32 >>  8) & 0xff;
+    c[3] =  wc_u32 & 0xff;
+}
+#endif
+
+#ifndef WOLFSSL_NO_INT_DECODE
+/* convert a 24 bit integer into a 32 bit one */
+WC_STATIC WC_INLINE void c24to32(const word24 wc_u24, word32* wc_u32)
+{
+    *wc_u32 = ((word32)wc_u24[0] << 16) | (wc_u24[1] << 8) | wc_u24[2];
+}
+
+
+/* convert opaque to 24 bit integer */
+WC_STATIC WC_INLINE void ato24(const byte* c, word32* wc_u24)
+{
+    *wc_u24 = ((word32)c[0] << 16) | (c[1] << 8) | c[2];
+}
+
+/* convert opaque to 16 bit integer */
+WC_STATIC WC_INLINE void ato16(const byte* c, word16* wc_u16)
+{
+    *wc_u16 = (word16) ((c[0] << 8) | (c[1]));
+}
+
+/* convert opaque to 32 bit integer */
+WC_STATIC WC_INLINE void ato32(const byte* c, word32* wc_u32)
+{
+    *wc_u32 = ((word32)c[0] << 24) | ((word32)c[1] << 16) | (c[2] << 8) | c[3];
+}
+
+
+WC_STATIC WC_INLINE word32 btoi(byte b)
+{
+    return (word32)(b - 0x30);
+}
+#endif
+
+
+#ifndef WOLFSSL_NO_CT_OPS
+/* Constant time - mask set when a > b. */
+WC_STATIC WC_INLINE byte ctMaskGT(int a, int b)
+{
+    return (((word32)a - b - 1) >> 31) - 1;
+}
+
+/* Constant time - mask set when a >= b. */
+WC_STATIC WC_INLINE byte ctMaskGTE(int a, int b)
+{
+    return (((word32)a - b    ) >> 31) - 1;
+}
+
+/* Constant time - mask set when a >= b. */
+WC_STATIC WC_INLINE int ctMaskIntGTE(int a, int b)
+{
+    return (((word32)a - b    ) >> 31) - 1;
+}
+
+/* Constant time - mask set when a < b. */
+WC_STATIC WC_INLINE byte ctMaskLT(int a, int b)
+{
+    return (((word32)b - a - 1) >> 31) - 1;
+}
+
+/* Constant time - mask set when a <= b. */
+WC_STATIC WC_INLINE byte ctMaskLTE(int a, int b)
+{
+    return (((word32)b - a    ) >> 31) - 1;
+}
+
+/* Constant time - mask set when a == b. */
+WC_STATIC WC_INLINE byte ctMaskEq(int a, int b)
+{
+    return (~ctMaskGT(a, b)) & (~ctMaskLT(a, b));
+}
+
+WC_STATIC WC_INLINE word16 ctMask16GT(int a, int b)
+{
+    return (((word32)a - b - 1) >> 31) - 1;
+}
+
+WC_STATIC WC_INLINE word16 ctMask16LT(int a, int b)
+{
+    return (((word32)a - b - 1) >> 31) - 1;
+}
+
+WC_STATIC WC_INLINE word16 ctMask16Eq(int a, int b)
+{
+    return (~ctMask16GT(a, b)) & (~ctMask16LT(a, b));
+}
+
+/* Constant time - mask set when a != b. */
+WC_STATIC WC_INLINE byte ctMaskNotEq(int a, int b)
+{
+    return ctMaskGT(a, b) | ctMaskLT(a, b);
+}
+
+/* Constant time - select a when mask is set and b otherwise. */
+WC_STATIC WC_INLINE byte ctMaskSel(byte m, byte a, byte b)
+{
+    return (b & ((byte)~(word32)m)) | (a & m);
+}
+
+/* Constant time - select integer a when mask is set and integer b otherwise. */
+WC_STATIC WC_INLINE int ctMaskSelInt(byte m, int a, int b)
+{
+    return (b & (~(signed int)(signed char)m)) |
+           (a & ( (signed int)(signed char)m));
+}
+
+/* Constant time - bit set when a <= b. */
+WC_STATIC WC_INLINE byte ctSetLTE(int a, int b)
+{
+    return ((word32)a - b - 1) >> 31;
+}
+#endif
+
+
+#undef WC_STATIC
 
-#undef STATIC
+#endif /* !WOLFSSL_MISC_INCLUDED && !NO_INLINE */
 
 #endif /* WOLF_CRYPT_MISC_C */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs12.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs12.c
new file mode 100644
index 000000000..8ae500417
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs12.c
@@ -0,0 +1,2403 @@
+/* pkcs12.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#if !defined(NO_ASN) && !defined(NO_PWDBASED) && defined(HAVE_PKCS12)
+
+#include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/asn_public.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hmac.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+#include <wolfssl/wolfcrypt/pkcs12.h>
+#include <wolfssl/wolfcrypt/pwdbased.h>
+#include <wolfssl/wolfcrypt/hash.h>
+
+
+#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
+
+enum {
+    WC_PKCS12_KeyBag = 667,
+    WC_PKCS12_ShroudedKeyBag = 668,
+    WC_PKCS12_CertBag = 669,
+    WC_PKCS12_CertBag_Type1 = 675,
+    WC_PKCS12_CrlBag = 670,
+    WC_PKCS12_SecretBag = 671,
+    WC_PKCS12_SafeContentsBag = 672,
+    WC_PKCS12_DATA = 651,
+    WC_PKCS12_ENCRYPTED_DATA = 656,
+
+    WC_PKCS12_DATA_OBJ_SZ = 11,
+};
+
+static const byte WC_PKCS12_ENCRYPTED_OID[] =
+                         {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06};
+static const byte WC_PKCS12_DATA_OID[] =
+                         {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01};
+static const byte WC_PKCS12_CertBag_Type1_OID[] =
+                   {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x16, 0x01};
+static const byte WC_PKCS12_CertBag_OID[] =
+             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x03};
+static const byte WC_PKCS12_KeyBag_OID[] =
+             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x01};
+static const byte WC_PKCS12_ShroudedKeyBag_OID[] =
+             {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0c, 0x0a, 0x01, 0x02};
+
+
+typedef struct ContentInfo {
+    byte* data;
+    struct ContentInfo* next;
+    word32 encC;  /* encryptedContent */
+    word32 dataSz;
+    int type; /* DATA / encrypted / enveloped */
+} ContentInfo;
+
+
+typedef struct AuthenticatedSafe {
+    ContentInfo* CI;
+    byte* data; /* T contents.... */
+    word32 oid; /* encrypted or not */
+    word32 numCI; /* number of Content Info structs */
+    word32 dataSz;
+} AuthenticatedSafe;
+
+
+typedef struct MacData {
+    byte* digest;
+    byte* salt;
+    word32 oid;
+    word32 digestSz;
+    word32 saltSz;
+    int itt; /* number of iterations when creating HMAC key */
+} MacData;
+
+
+struct WC_PKCS12 {
+    void* heap;
+    AuthenticatedSafe* safe;
+    MacData* signData;
+    word32 oid; /* DATA / Enveloped DATA ... */
+};
+
+
+/* for friendlyName, localKeyId .... */
+typedef struct WC_PKCS12_ATTRIBUTE {
+    byte* data;
+    word32 oid;
+    word32 dataSz;
+} WC_PKCS12_ATTRIBUTE;
+
+
+WC_PKCS12* wc_PKCS12_new(void)
+{
+    WC_PKCS12* pkcs12 = (WC_PKCS12*)XMALLOC(sizeof(WC_PKCS12),
+                                                      NULL, DYNAMIC_TYPE_PKCS);
+    if (pkcs12 == NULL) {
+        WOLFSSL_MSG("Memory issue when creating WC_PKCS12 struct");
+        return NULL;
+    }
+
+    XMEMSET(pkcs12, 0, sizeof(WC_PKCS12));
+
+    return pkcs12;
+}
+
+
+static void freeSafe(AuthenticatedSafe* safe, void* heap)
+{
+    int i;
+
+    if (safe == NULL) {
+        return;
+    }
+
+    /* free content info structs */
+    for (i = safe->numCI; i > 0; i--) {
+        ContentInfo* ci = safe->CI;
+        safe->CI = ci->next;
+        XFREE(ci, heap, DYNAMIC_TYPE_PKCS);
+    }
+    if (safe->data != NULL) {
+        XFREE(safe->data, heap, DYNAMIC_TYPE_PKCS);
+    }
+    XFREE(safe, heap, DYNAMIC_TYPE_PKCS);
+
+    (void)heap;
+}
+
+
+void wc_PKCS12_free(WC_PKCS12* pkcs12)
+{
+    void* heap;
+
+    /* if null pointer is passed in do nothing */
+    if (pkcs12 == NULL) {
+        WOLFSSL_MSG("Trying to free null WC_PKCS12 object");
+        return;
+    }
+
+    heap = pkcs12->heap;
+    if (pkcs12->safe != NULL) {
+    	freeSafe(pkcs12->safe, heap);
+    }
+
+    /* free mac data */
+    if (pkcs12->signData != NULL) {
+        if (pkcs12->signData->digest != NULL) {
+            XFREE(pkcs12->signData->digest, heap, DYNAMIC_TYPE_DIGEST);
+            pkcs12->signData->digest = NULL;
+        }
+        if (pkcs12->signData->salt != NULL) {
+            XFREE(pkcs12->signData->salt, heap, DYNAMIC_TYPE_SALT);
+            pkcs12->signData->salt = NULL;
+        }
+        XFREE(pkcs12->signData, heap, DYNAMIC_TYPE_PKCS);
+        pkcs12->signData = NULL;
+    }
+
+    XFREE(pkcs12, NULL, DYNAMIC_TYPE_PKCS);
+    pkcs12 = NULL;
+}
+
+
+static int GetSafeContent(WC_PKCS12* pkcs12, const byte* input,
+                          word32* idx, int maxIdx)
+{
+    AuthenticatedSafe* safe;
+    word32 oid;
+    word32 localIdx = *idx;
+    int ret;
+    int size = 0;
+    byte tag;
+
+    safe = (AuthenticatedSafe*)XMALLOC(sizeof(AuthenticatedSafe), pkcs12->heap,
+                                       DYNAMIC_TYPE_PKCS);
+    if (safe == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(safe, 0, sizeof(AuthenticatedSafe));
+
+    ret = GetObjectId(input, &localIdx, &oid, oidIgnoreType, maxIdx);
+    if (ret < 0) {
+        WOLFSSL_LEAVE("Get object id failed", ret);
+        freeSafe(safe, pkcs12->heap);
+        return ASN_PARSE_E;
+    }
+
+    safe->oid = oid;
+    /* check tag, length */
+    if (GetASNTag(input, &localIdx, &tag, maxIdx) < 0) {
+        freeSafe(safe, pkcs12->heap);
+        return ASN_PARSE_E;
+    }
+
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+        WOLFSSL_MSG("Unexpected tag in PKCS12 DER");
+        freeSafe(safe, pkcs12->heap);
+        return ASN_PARSE_E;
+    }
+    if ((ret = GetLength(input, &localIdx, &size, maxIdx)) <= 0) {
+        freeSafe(safe, pkcs12->heap);
+        return ret;
+    }
+
+    switch (oid) {
+        case WC_PKCS12_ENCRYPTED_DATA:
+            WOLFSSL_MSG("Found PKCS12 OBJECT: ENCRYPTED DATA\n");
+            break;
+
+        case WC_PKCS12_DATA:
+            WOLFSSL_MSG("Found PKCS12 OBJECT: DATA");
+            /* get octets holding contents */
+            if (GetASNTag(input, &localIdx, &tag, maxIdx) < 0) {
+                freeSafe(safe, pkcs12->heap);
+                return ASN_PARSE_E;
+            }
+
+            if (tag != ASN_OCTET_STRING) {
+                WOLFSSL_MSG("Wrong tag with content PKCS12 type DATA");
+                freeSafe(safe, pkcs12->heap);
+                return ASN_PARSE_E;
+            }
+            if ((ret = GetLength(input, &localIdx, &size, maxIdx)) <= 0) {
+                freeSafe(safe, pkcs12->heap);
+                return ret;
+            }
+
+            break;
+    }
+
+    safe->dataSz = size;
+    safe->data = (byte*)XMALLOC(size, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+    if (safe->data == NULL) {
+        freeSafe(safe, pkcs12->heap);
+        return MEMORY_E;
+    }
+    XMEMCPY(safe->data, input + localIdx, size);
+    *idx = localIdx;
+
+    /* an instance of AuthenticatedSafe is created from
+     * ContentInfo's strung together in a SEQUENCE. Here we iterate
+     * through the ContentInfo's and add them to our
+     * AuthenticatedSafe struct */
+    localIdx = 0;
+    input = safe->data;
+    {
+        int CISz;
+        ret = GetSequence(input, &localIdx, &CISz, safe->dataSz);
+        if (ret < 0) {
+            freeSafe(safe, pkcs12->heap);
+            return ASN_PARSE_E;
+        }
+        CISz += localIdx;
+        while ((int)localIdx < CISz) {
+            int curSz = 0;
+            word32 curIdx;
+            ContentInfo* ci = NULL;
+
+        #ifdef WOLFSSL_DEBUG_PKCS12
+            printf("\t\tlooking for Content Info.... ");
+        #endif
+
+            if ((ret = GetSequence(input, &localIdx, &curSz, safe->dataSz))
+                                                                          < 0) {
+                freeSafe(safe, pkcs12->heap);
+                return ret;
+            }
+
+            if (curSz > CISz) {
+                /* subset should not be larger than universe */
+                freeSafe(safe, pkcs12->heap);
+                return ASN_PARSE_E;
+            }
+
+            curIdx = localIdx;
+            if ((ret = GetObjectId(input, &localIdx, &oid, oidIgnoreType,
+                                                           safe->dataSz)) < 0) {
+                WOLFSSL_LEAVE("Get object id failed", ret);
+                freeSafe(safe, pkcs12->heap);
+                return ret;
+            }
+
+            /* create new content info struct ... possible OID sanity check? */
+            ci = (ContentInfo*)XMALLOC(sizeof(ContentInfo), pkcs12->heap,
+                                       DYNAMIC_TYPE_PKCS);
+            if (ci == NULL) {
+                freeSafe(safe, pkcs12->heap);
+                return MEMORY_E;
+            }
+
+            ci->type   = oid;
+            ci->dataSz = curSz - (localIdx-curIdx);
+            ci->data   = (byte*)input + localIdx;
+            localIdx  += ci->dataSz;
+
+        #ifdef WOLFSSL_DEBUG_PKCS12
+            switch (oid) {
+                case WC_PKCS12_ENCRYPTED_DATA:
+                    printf("CONTENT INFO: ENCRYPTED DATA, size = %d\n", ci->dataSz);
+                    break;
+
+                case WC_PKCS12_DATA:
+                    printf("CONTENT INFO: DATA, size = %d\n", ci->dataSz);
+                    break;
+                default:
+                    printf("CONTENT INFO: UNKNOWN, size = %d\n", ci->dataSz);
+            }
+        #endif
+
+            /* insert to head of list */
+            ci->next = safe->CI;
+            safe->CI = ci;
+            safe->numCI += 1;
+        }
+    }
+
+    pkcs12->safe = safe;
+    *idx += localIdx;
+
+    return ret;
+}
+
+
+/* optional mac data */
+static int GetSignData(WC_PKCS12* pkcs12, const byte* mem, word32* idx,
+                       word32 totalSz)
+{
+    MacData* mac;
+    word32 curIdx = *idx;
+    word32 oid = 0;
+    int size, ret;
+    byte tag;
+
+    /* Digest Info : Sequence
+     *      DigestAlgorithmIdentifier
+     *      Digest
+     */
+    if ((ret = GetSequence(mem, &curIdx, &size, totalSz)) <= 0) {
+        WOLFSSL_MSG("Failed to get PKCS12 sequence");
+        return ret;
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("\t\tSEQUENCE: DigestInfo size = %d\n", size);
+#endif
+
+    mac = (MacData*)XMALLOC(sizeof(MacData), pkcs12->heap, DYNAMIC_TYPE_PKCS);
+    if (mac == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(mac, 0, sizeof(MacData));
+
+    /* DigestAlgorithmIdentifier */
+    if ((ret = GetAlgoId(mem, &curIdx, &oid, oidIgnoreType, totalSz)) < 0) {
+        WOLFSSL_MSG("Failed to get PKCS12 sequence");
+        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        return ret;
+    }
+    mac->oid = oid;
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("\t\tALGO ID = %d\n", oid);
+#endif
+
+    /* Digest: should be octet type holding digest */
+    if (GetASNTag(mem, &curIdx, &tag, totalSz) < 0) {
+        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        return ASN_PARSE_E;
+    }
+
+    if (tag != ASN_OCTET_STRING) {
+        WOLFSSL_MSG("Failed to get digest");
+        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        return ASN_PARSE_E;
+    }
+
+    if ((ret = GetLength(mem, &curIdx, &size, totalSz)) <= 0) {
+        XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        return ret;
+    }
+    mac->digestSz = size;
+    mac->digest = (byte*)XMALLOC(mac->digestSz, pkcs12->heap,
+                                 DYNAMIC_TYPE_DIGEST);
+    if (mac->digest == NULL || mac->digestSz + curIdx > totalSz) {
+        ERROR_OUT(MEMORY_E, exit_gsd);
+    }
+    XMEMCPY(mac->digest, mem + curIdx, mac->digestSz);
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        byte* p;
+        for (printf("\t\tDigest = "), p = (byte*)mem+curIdx;
+             p < (byte*)mem + curIdx + mac->digestSz;
+             printf("%02X", *p), p++);
+        printf(" : size = %d\n", mac->digestSz);
+    }
+#endif
+
+    curIdx += mac->digestSz;
+
+    /* get salt, should be octet string */
+    if (GetASNTag(mem, &curIdx, &tag, totalSz) < 0) {
+        ERROR_OUT(ASN_PARSE_E, exit_gsd);
+    }
+
+    if (tag != ASN_OCTET_STRING) {
+        WOLFSSL_MSG("Failed to get salt");
+        ERROR_OUT(ASN_PARSE_E, exit_gsd);
+    }
+
+    if ((ret = GetLength(mem, &curIdx, &size, totalSz)) < 0) {
+        goto exit_gsd;
+    }
+    mac->saltSz = size;
+    mac->salt = (byte*)XMALLOC(mac->saltSz, pkcs12->heap, DYNAMIC_TYPE_SALT);
+    if (mac->salt == NULL || mac->saltSz + curIdx > totalSz) {
+        ERROR_OUT(MEMORY_E, exit_gsd);
+    }
+    XMEMCPY(mac->salt, mem + curIdx, mac->saltSz);
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        byte* p;
+        for (printf("\t\tSalt = "), p = (byte*)mem + curIdx;
+             p < (byte*)mem + curIdx + mac->saltSz;
+             printf("%02X", *p), p++);
+        printf(" : size = %d\n", mac->saltSz);
+    }
+#endif
+
+    curIdx += mac->saltSz;
+
+    /* check for MAC iterations, default to 1 */
+    mac->itt = WC_PKCS12_MAC_DEFAULT;
+    if (curIdx < totalSz) {
+        int number = 0;
+        if ((ret = GetShortInt(mem, &curIdx, &number, totalSz)) >= 0) {
+            /* found a iteration value */
+            mac->itt = number;
+        }
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("\t\tITERATIONS : %d\n", mac->itt);
+#endif
+
+    *idx = curIdx;
+    pkcs12->signData = mac;
+    ret = 0; /* success */
+
+exit_gsd:
+
+    /* failure cleanup */
+    if (ret != 0) {
+        if (mac) {
+            if (mac->digest)
+                XFREE(mac->digest, pkcs12->heap, DYNAMIC_TYPE_DIGEST);
+            XFREE(mac, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        }
+    }
+
+    return ret;
+}
+
+
+/* expects PKCS12 signData to be set up with OID
+ *
+ * returns the size of mac created on success. A negative value will be returned
+ *         in the case that an error happened.
+ */
+static int wc_PKCS12_create_mac(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
+                         const byte* psw, word32 pswSz, byte* out, word32 outSz)
+{
+    Hmac     hmac;
+    MacData* mac;
+    int ret, kLen;
+    enum wc_HashType hashT;
+    int idx = 0;
+    int id  = 3; /* value from RFC 7292 indicating key is used for MAC */
+    word32 i;
+    byte unicodePasswd[MAX_UNICODE_SZ];
+    byte key[MAX_KEY_SIZE];
+
+    if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL ||
+            out == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    mac = pkcs12->signData;
+
+    /* unicode set up from asn.c */
+    if ((pswSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
+        WOLFSSL_MSG("PKCS12 max unicode size too small");
+        return UNICODE_SIZE_E;
+    }
+
+    for (i = 0; i < pswSz; i++) {
+        unicodePasswd[idx++] = 0x00;
+        unicodePasswd[idx++] = (byte)psw[i];
+    }
+    /* add trailing NULL */
+    unicodePasswd[idx++] = 0x00;
+    unicodePasswd[idx++] = 0x00;
+
+    /* get hash type used and resulting size of HMAC key */
+    hashT = wc_OidGetHash(mac->oid);
+    if (hashT == WC_HASH_TYPE_NONE) {
+        WOLFSSL_MSG("Unsupported hash used");
+        return BAD_FUNC_ARG;
+    }
+    kLen = wc_HashGetDigestSize(hashT);
+
+    /* check out buffer is large enough */
+    if (kLen < 0 || outSz < (word32)kLen) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* idx contains size of unicodePasswd */
+    if ((ret = wc_PKCS12_PBKDF_ex(key, unicodePasswd, idx, mac->salt,
+              mac->saltSz, mac->itt, kLen, (int)hashT, id, pkcs12->heap)) < 0) {
+        return ret;
+    }
+
+    /* now that key has been created use it to get HMAC hash on data */
+    if ((ret = wc_HmacInit(&hmac, pkcs12->heap, INVALID_DEVID)) != 0) {
+        return ret;
+    }
+    ret = wc_HmacSetKey(&hmac, (int)hashT, key, kLen);
+    if (ret == 0)
+        ret = wc_HmacUpdate(&hmac, data, dataSz);
+    if (ret == 0)
+        ret = wc_HmacFinal(&hmac, out);
+    wc_HmacFree(&hmac);
+
+    if (ret != 0)
+        return ret;
+
+    return kLen; /* same as digest size */
+}
+
+
+/* check mac on pkcs12, pkcs12->mac has been sanity checked before entering *
+ * returns the result of comparison, success is 0 */
+static int wc_PKCS12_verify(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
+                            const byte* psw, word32 pswSz)
+{
+    MacData* mac;
+    int ret;
+    byte digest[WC_MAX_DIGEST_SIZE];
+
+    if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    mac = pkcs12->signData;
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("Verifying MAC with OID = %d\n", mac->oid);
+#endif
+
+    /* check if this builds digest size is too small */
+    if (mac->digestSz > WC_MAX_DIGEST_SIZE) {
+        WOLFSSL_MSG("PKCS12 max digest size too small");
+        return BAD_FUNC_ARG;
+    }
+
+    if ((ret = wc_PKCS12_create_mac(pkcs12, data, dataSz, psw, pswSz,
+            digest, WC_MAX_DIGEST_SIZE)) < 0) {
+        return ret;
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        byte* p;
+        for (printf("\t\tHash = "), p = (byte*)digest;
+             p < (byte*)digest + mac->digestSz;
+             printf("%02X", *p), p++);
+        printf(" : size = %d\n", mac->digestSz);
+    }
+#endif
+
+    return XMEMCMP(digest, mac->digest, mac->digestSz);
+}
+
+
+/* Convert DER format stored in der buffer to WC_PKCS12 struct
+ * Puts the raw contents of Content Info into structure without completely
+ * parsing or decoding.
+ * der    : pointer to der buffer holding PKCS12
+ * derSz  : size of der buffer
+ * pkcs12 : non-null pkcs12 pointer
+ * return 0 on success and negative on failure.
+ */
+int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12)
+{
+    word32 idx  = 0;
+    word32 totalSz = 0;
+    int ret;
+    int size    = 0;
+    int version = 0;
+
+    WOLFSSL_ENTER("wolfSSL_d2i_PKCS12_bio");
+
+    if (der == NULL || pkcs12 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    totalSz = derSz;
+    if ((ret = GetSequence(der, &idx, &size, totalSz)) <= 0) {
+        WOLFSSL_MSG("Failed to get PKCS12 sequence");
+        return ret;
+    }
+
+    /* get version */
+    if ((ret = GetMyVersion(der, &idx, &version, totalSz)) < 0) {
+        return ret;
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("\nBEGIN: PKCS12 size = %d\n", totalSz);
+    printf("version = %d\n", version);
+#endif
+
+    if (version != WC_PKCS12_VERSION_DEFAULT) {
+        WOLFSSL_MSG("PKCS12 unsupported version!");
+        return ASN_VERSION_E;
+    }
+
+    if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
+        return ret;
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("\tSEQUENCE: AuthenticatedSafe size = %d\n", size);
+#endif
+
+    if ((ret = GetSafeContent(pkcs12, der, &idx, size + idx)) < 0) {
+        WOLFSSL_MSG("GetSafeContent error");
+        return ret;
+    }
+
+    /* if more buffer left check for MAC data */
+    if (idx < totalSz) {
+        if ((ret = GetSequence(der, &idx, &size, totalSz)) < 0) {
+            WOLFSSL_MSG("Ignoring unknown data at end of PKCS12 DER buffer");
+        }
+        else {
+        #ifdef WOLFSSL_DEBUG_PKCS12
+            printf("\tSEQUENCE: Signature size = %d\n", size);
+        #endif
+
+            if ((ret = GetSignData(pkcs12, der, &idx, totalSz)) < 0) {
+                return ASN_PARSE_E;
+            }
+        }
+    }
+
+#ifdef WOLFSSL_DEBUG_PKCS12
+    printf("END: PKCS12\n");
+#endif
+
+    return ret;
+}
+
+/* Convert WC_PKCS12 struct to allocated DER buffer.
+ * pkcs12 : non-null pkcs12 pointer
+ * der    : pointer-pointer to der buffer. If NULL space will be
+ *          allocated for der, which must be freed by application.
+ * derSz  : size of buffer passed in when der is not NULL. NULL arg disables
+ *          sanity checks on buffer read/writes. Max size gets set to derSz when
+ *          the "der" buffer passed in is NULL and LENGTH_ONLY_E is returned.
+ * return size of DER on success and negative on failure.
+ */
+int wc_i2d_PKCS12(WC_PKCS12* pkcs12, byte** der, int* derSz)
+{
+    int ret = 0;
+    word32 seqSz = 0, verSz = 0, totalSz = 0, idx = 0, sdBufSz = 0;
+    byte *buf = NULL;
+    byte ver[MAX_VERSION_SZ];
+    byte seq[MAX_SEQ_SZ];
+    byte *sdBuf = NULL;
+
+    if ((pkcs12 == NULL) || (pkcs12->safe == NULL) ||
+            (der == NULL && derSz == NULL)) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Create the MAC portion */
+    if (pkcs12->signData != NULL) {
+        MacData *mac = (MacData*)pkcs12->signData;
+        word32 innerSz = 0;
+        word32 outerSz = 0;
+
+        /* get exact size */
+        {
+            byte ASNLENGTH[MAX_LENGTH_SZ];
+            byte ASNSHORT[MAX_SHORT_SZ];
+            byte ASNALGO[MAX_ALGO_SZ];
+            word32 tmpIdx = 0;
+
+            /* algo id */
+            innerSz += SetAlgoID(mac->oid, ASNALGO, oidHashType, 0);
+
+            /* Octet string holding digest */
+            innerSz += ASN_TAG_SZ;
+            innerSz += SetLength(mac->digestSz, ASNLENGTH);
+            innerSz += mac->digestSz;
+
+            /* salt */
+            outerSz += ASN_TAG_SZ;
+            outerSz += SetLength(mac->saltSz, ASNLENGTH);
+            outerSz += mac->saltSz;
+
+            /* MAC iterations */
+            outerSz += SetShortInt(ASNSHORT, &tmpIdx, mac->itt, MAX_SHORT_SZ);
+
+            /* sequence of inner data */
+            outerSz += SetSequence(innerSz, seq);
+            outerSz += innerSz;
+        }
+        sdBufSz = outerSz + SetSequence(outerSz, seq);
+        sdBuf = (byte*)XMALLOC(sdBufSz, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        if (sdBuf == NULL) {
+            ret = MEMORY_E;
+        }
+
+        if (ret == 0) {
+            idx += SetSequence(outerSz, sdBuf);
+            idx += SetSequence(innerSz, &sdBuf[idx]);
+
+            /* Set Algorithm Identifier */
+            {
+                word32 algoIdSz;
+
+                algoIdSz = SetAlgoID(mac->oid, &sdBuf[idx], oidHashType, 0);
+                if (algoIdSz == 0) {
+                    ret = ALGO_ID_E;
+                }
+                else {
+                    idx += algoIdSz;
+                }
+            }
+        }
+
+        if (ret == 0) {
+
+
+            /* Octet string holding digest */
+            idx += SetOctetString(mac->digestSz, &sdBuf[idx]);
+            XMEMCPY(&sdBuf[idx], mac->digest, mac->digestSz);
+            idx += mac->digestSz;
+
+            /* Set salt */
+            idx += SetOctetString(mac->saltSz, &sdBuf[idx]);
+            XMEMCPY(&sdBuf[idx], mac->salt, mac->saltSz);
+            idx += mac->saltSz;
+
+            /* MAC iterations */
+            {
+                int tmpSz;
+                word32 tmpIdx = 0;
+                byte ar[MAX_SHORT_SZ];
+                tmpSz = SetShortInt(ar, &tmpIdx, mac->itt, MAX_SHORT_SZ);
+                if (tmpSz < 0) {
+                    ret = tmpSz;
+                }
+                else {
+                    XMEMCPY(&sdBuf[idx], ar, tmpSz);
+                }
+            }
+            totalSz += sdBufSz;
+        }
+    }
+
+    /* Calculate size of der */
+    if (ret == 0) {
+        totalSz += pkcs12->safe->dataSz;
+
+        totalSz += 4; /* Octet string */
+
+        totalSz += 4; /* Element */
+
+        totalSz += 2 + sizeof(WC_PKCS12_DATA_OID);
+
+        totalSz += 4; /* Seq */
+
+        ret = SetMyVersion(WC_PKCS12_VERSION_DEFAULT, ver, FALSE);
+        if (ret > 0) {
+            verSz = (word32)ret;
+            ret   = 0; /* value larger than 0 is success */
+            totalSz += verSz;
+
+            seqSz = SetSequence(totalSz, seq);
+            totalSz += seqSz;
+
+            /* check if getting length only */
+            if (der == NULL && derSz != NULL) {
+                *derSz = totalSz;
+                XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+                return LENGTH_ONLY_E;
+            }
+
+            if (*der == NULL) {
+                /* Allocate if requested */
+                buf = (byte*)XMALLOC(totalSz, NULL, DYNAMIC_TYPE_PKCS);
+            }
+            else {
+                buf = *der;
+
+                /* sanity check on buffer size if passed in */
+                if (derSz != NULL) {
+                    if (*derSz < (int)totalSz) {
+                        WOLFSSL_MSG("Buffer passed in is too small");
+                        ret = BUFFER_E;
+                    }
+                }
+            }
+        }
+    }
+
+    if (buf == NULL) {
+        ret = MEMORY_E;
+    }
+
+    if (ret == 0) {
+        idx = 0;
+
+        /* Copy parts to buf */
+        XMEMCPY(&buf[idx], seq, seqSz);
+        idx += seqSz;
+
+        XMEMCPY(&buf[idx], ver, verSz);
+        idx += verSz;
+
+        seqSz = SetSequence(totalSz - sdBufSz - idx - 4, seq);
+        XMEMCPY(&buf[idx], seq, seqSz);
+        idx += seqSz;
+
+        /* OID */
+        idx += SetObjectId(sizeof(WC_PKCS12_DATA_OID), &buf[idx]);
+        XMEMCPY(&buf[idx], WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
+        idx += sizeof(WC_PKCS12_DATA_OID);
+
+        /* Element */
+        buf[idx++] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC;
+        idx += SetLength(totalSz - sdBufSz - idx - 3, &buf[idx]);
+
+        /* Octet string */
+        idx += SetOctetString(totalSz - sdBufSz - idx - 4, &buf[idx]);
+
+        XMEMCPY(&buf[idx], pkcs12->safe->data, pkcs12->safe->dataSz);
+        idx += pkcs12->safe->dataSz;
+
+        if (pkcs12->signData != NULL) {
+            XMEMCPY(&buf[idx], sdBuf, sdBufSz);
+        }
+
+        if (*der == NULL) {
+            /* Point to start of data allocated for DER */
+            *der = buf;
+        }
+        else {
+            /* Increment pointer to byte past DER */
+            *der = &buf[totalSz];
+        }
+
+        /* Return size of der */
+        ret = totalSz;
+    }
+
+    XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+    /* Allocation of buf was the last time ret could be a failure,
+     * so no need to free here */
+
+    return ret;
+}
+
+
+/* helper function to free WC_DerCertList */
+void wc_FreeCertList(WC_DerCertList* list, void* heap)
+{
+    WC_DerCertList* current = list;
+    WC_DerCertList* next;
+
+    if (list == NULL) {
+        return;
+    }
+
+    while (current != NULL) {
+        next = current->next;
+        if (current->buffer != NULL) {
+            XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
+        }
+        XFREE(current, heap, DYNAMIC_TYPE_PKCS);
+        current = next;
+    }
+
+    (void)heap;
+}
+
+static void freeDecCertList(WC_DerCertList** list, byte** pkey, word32* pkeySz,
+    byte** cert, word32* certSz, void* heap)
+{
+    WC_DerCertList* current  = *list;
+    WC_DerCertList* previous = NULL;
+    DecodedCert DeCert;
+
+    while (current != NULL) {
+
+        InitDecodedCert(&DeCert, current->buffer, current->bufferSz, heap);
+        if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) == 0) {
+            if (wc_CheckPrivateKey(*pkey, *pkeySz, &DeCert) == 1) {
+                WOLFSSL_MSG("Key Pair found");
+                *cert = current->buffer;
+                *certSz = current->bufferSz;
+
+                if (previous == NULL) {
+                    *list = current->next;
+                }
+                else {
+                    previous->next = current->next;
+                }
+                FreeDecodedCert(&DeCert);
+                XFREE(current, heap, DYNAMIC_TYPE_PKCS);
+                break;
+            }
+        }
+        FreeDecodedCert(&DeCert);
+
+        previous = current;
+        current  = current->next;
+    }
+}
+
+
+/* return 0 on success and negative on failure.
+ * By side effect returns private key, cert, and optionally ca.
+ * Parses and decodes the parts of PKCS12
+ *
+ * NOTE: can parse with USER RSA enabled but may return cert that is not the
+ *       pair for the key when using RSA key pairs.
+ *
+ * pkcs12 : non-null WC_PKCS12 struct
+ * psw    : password to use for PKCS12 decode
+ * pkey   : Private key returned
+ * cert   : x509 cert returned
+ * ca     : optional ca returned
+ */
+int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
+        byte** pkey, word32* pkeySz, byte** cert, word32* certSz,
+        WC_DerCertList** ca)
+{
+    ContentInfo* ci       = NULL;
+    WC_DerCertList* certList = NULL;
+    WC_DerCertList* tailList = NULL;
+    byte* buf             = NULL;
+    word32 i, oid;
+    int ret, pswSz;
+    word32 algId;
+
+    WOLFSSL_ENTER("wc_PKCS12_parse");
+
+    if (pkcs12 == NULL || psw == NULL || cert == NULL || certSz == NULL ||
+        pkey == NULL   || pkeySz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    pswSz = (int)XSTRLEN(psw);
+    *cert = NULL;
+    *pkey = NULL;
+    if (ca != NULL)
+        *ca = NULL;
+
+    /* if there is sign data then verify the MAC */
+    if (pkcs12->signData != NULL ) {
+        if ((ret = wc_PKCS12_verify(pkcs12, pkcs12->safe->data,
+                               pkcs12->safe->dataSz, (byte*)psw, pswSz)) != 0) {
+            WOLFSSL_MSG("PKCS12 Bad MAC on verify");
+            WOLFSSL_LEAVE("wc_PKCS12_parse verify ", ret);
+            return MAC_CMP_FAILED_E;
+        }
+    }
+
+    if (pkcs12->safe == NULL) {
+        WOLFSSL_MSG("No PKCS12 safes to parse");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Decode content infos */
+    ci = pkcs12->safe->CI;
+    for (i = 0; i < pkcs12->safe->numCI; i++) {
+        byte*  data;
+        word32 idx = 0;
+        int    size, totalSz;
+        byte   tag;
+
+        if (ci->type == WC_PKCS12_ENCRYPTED_DATA) {
+            int number;
+
+            WOLFSSL_MSG("Decrypting PKCS12 Content Info Container");
+            data = ci->data;
+            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+
+            if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+            if ((ret = GetLength(data, &idx, &size, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+            if ((ret = GetSequence(data, &idx, &size, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+            if ((ret = GetShortInt(data, &idx, &number, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+            if (number != 0) {
+                WOLFSSL_MSG("Expecting 0 for Integer with Encrypted PKCS12");
+            }
+
+            if ((ret = GetSequence(data, &idx, &size, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+            ret = GetObjectId(data, &idx, &oid, oidIgnoreType, ci->dataSz);
+            if (ret < 0 || oid != WC_PKCS12_DATA) {
+                WOLFSSL_MSG("Not PKCS12 DATA object or get object parse error");
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+
+            /* decrypted content overwrites input buffer */
+            size = ci->dataSz - idx;
+            buf = (byte*)XMALLOC(size, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+            if (buf == NULL) {
+                ERROR_OUT(MEMORY_E, exit_pk12par);
+            }
+            XMEMCPY(buf, data + idx, size);
+
+            if ((ret = DecryptContent(buf, size, psw, pswSz)) < 0) {
+                WOLFSSL_MSG("Decryption failed, algorithm not compiled in?");
+                goto exit_pk12par;
+            }
+
+            data = buf;
+            idx = 0;
+
+        #ifdef WOLFSSL_DEBUG_PKCS12
+            {
+                byte* p;
+                for (printf("\tData = "), p = (byte*)buf;
+                    p < (byte*)buf + size;
+                    printf("%02X", *p), p++);
+                printf("\n");
+            }
+        #endif
+        }
+        else { /* type DATA */
+            WOLFSSL_MSG("Parsing PKCS12 DATA Content Info Container");
+            data = ci->data;
+            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+
+            if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+            if ((ret = GetLength(data, &idx, &size, ci->dataSz)) <= 0) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+
+            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+            if (tag != ASN_OCTET_STRING) {
+                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+            }
+            if ((ret = GetLength(data, &idx, &size, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+        }
+
+        /* parse through bags in ContentInfo */
+        if ((ret = GetSequence(data, &idx, &totalSz, ci->dataSz)) < 0) {
+            goto exit_pk12par;
+        }
+        totalSz += idx;
+
+        while ((int)idx < totalSz) {
+            int bagSz;
+            if ((ret = GetSequence(data, &idx, &bagSz, ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+            bagSz += idx;
+
+            if ((ret = GetObjectId(data, &idx, &oid, oidIgnoreType,
+                                                             ci->dataSz)) < 0) {
+                goto exit_pk12par;
+            }
+
+            switch (oid) {
+                case WC_PKCS12_KeyBag: /* 667 */
+                    WOLFSSL_MSG("PKCS12 Key Bag found");
+                    if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                    }
+                    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                    }
+                    if ((ret = GetLength(data, &idx, &size, ci->dataSz)) <= 0) {
+                        if (ret == 0)
+                            ret = ASN_PARSE_E;
+                        goto exit_pk12par;
+                    }
+                    if (*pkey == NULL) {
+                        *pkey = (byte*)XMALLOC(size, pkcs12->heap,
+                                                       DYNAMIC_TYPE_PUBLIC_KEY);
+                        if (*pkey == NULL) {
+                            ERROR_OUT(MEMORY_E, exit_pk12par);
+                        }
+                        XMEMCPY(*pkey, data + idx, size);
+                        *pkeySz =  ToTraditional_ex(*pkey, size, &algId);
+                    }
+
+                #ifdef WOLFSSL_DEBUG_PKCS12
+                    {
+                        byte* p;
+                        for (printf("\tKey = "), p = (byte*)*pkey;
+                            p < (byte*)*pkey + size;
+                            printf("%02X", *p), p++);
+                        printf("\n");
+                    }
+                #endif
+                    idx += size;
+                    break;
+
+                case WC_PKCS12_ShroudedKeyBag: /* 668 */
+                    {
+                        byte* k;
+
+                        WOLFSSL_MSG("PKCS12 Shrouded Key Bag found");
+                        if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                            ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                        }
+                        if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+                            ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                        }
+                        if ((ret = GetLength(data, &idx, &size,
+                                                             ci->dataSz)) < 0) {
+                            goto exit_pk12par;
+                        }
+
+                        k = (byte*)XMALLOC(size, pkcs12->heap,
+                                                       DYNAMIC_TYPE_PUBLIC_KEY);
+                        if (k == NULL) {
+                            ERROR_OUT(MEMORY_E, exit_pk12par);
+                        }
+                        XMEMCPY(k, data + idx, size);
+
+                        /* overwrites input, be warned */
+                        if ((ret = ToTraditionalEnc(k, size, psw, pswSz,
+                                                                 &algId)) < 0) {
+                            XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                            goto exit_pk12par;
+                        }
+
+                        if (ret < size) {
+                            /* shrink key buffer */
+                            byte* tmp = (byte*)XMALLOC(ret, pkcs12->heap,
+                                                 DYNAMIC_TYPE_PUBLIC_KEY);
+                            if (tmp == NULL) {
+                                XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                                ERROR_OUT(MEMORY_E, exit_pk12par);
+                            }
+                            XMEMCPY(tmp, k, ret);
+                            XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                            k = tmp;
+                        }
+                        size = ret;
+
+                        if (*pkey == NULL) {
+                            *pkey = k;
+                            *pkeySz = size;
+                        }
+                        else { /* only expecting one key */
+                            XFREE(k, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+                        }
+                        idx += size;
+
+                    #ifdef WOLFSSL_DEBUG_PKCS12
+                        {
+                            byte* p;
+                            for (printf("\tKey = "), p = (byte*)k;
+                                p < (byte*)k + ret;
+                                printf("%02X", *p), p++);
+                            printf("\n");
+                        }
+                    #endif
+                    }
+                    break;
+
+                case WC_PKCS12_CertBag: /* 669 */
+                {
+                    WC_DerCertList* node;
+                    WOLFSSL_MSG("PKCS12 Cert Bag found");
+                    if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                    }
+                    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
+                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                    }
+                    if ((ret = GetLength(data, &idx, &size, ci->dataSz)) < 0) {
+                        goto exit_pk12par;
+                    }
+
+                    /* get cert bag type */
+                    if ((ret = GetSequence(data, &idx, &size, ci->dataSz)) <0) {
+                        goto exit_pk12par;
+                    }
+
+                    if ((ret = GetObjectId(data, &idx, &oid, oidIgnoreType,
+                                                             ci->dataSz)) < 0) {
+                        goto exit_pk12par;
+                    }
+
+                    switch (oid) {
+                        case WC_PKCS12_CertBag_Type1:  /* 675 */
+                            /* type 1 */
+                            WOLFSSL_MSG("PKCS12 cert bag type 1");
+                            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                            }
+                            if (tag != (ASN_CONSTRUCTED |
+                                        ASN_CONTEXT_SPECIFIC)) {
+                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                            }
+                            if ((ret = GetLength(data, &idx, &size, ci->dataSz))
+                                                                         <= 0) {
+                                if (ret == 0)
+                                    ret = ASN_PARSE_E;
+                                goto exit_pk12par;
+                            }
+                            if (GetASNTag(data, &idx, &tag, ci->dataSz) < 0) {
+                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                            }
+                            if (tag != ASN_OCTET_STRING) {
+                                ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+
+                            }
+                            if ((ret = GetLength(data, &idx, &size, ci->dataSz))
+                                                                          < 0) {
+                                goto exit_pk12par;
+                            }
+                            break;
+                       default:
+                            WOLFSSL_MSG("Unknown PKCS12 cert bag type");
+                    }
+
+                    if (size + idx > (word32)bagSz) {
+                        ERROR_OUT(ASN_PARSE_E, exit_pk12par);
+                    }
+
+                    /* list to hold all certs found */
+                    node = (WC_DerCertList*)XMALLOC(sizeof(WC_DerCertList),
+                                               pkcs12->heap, DYNAMIC_TYPE_PKCS);
+                    if (node == NULL) {
+                        ERROR_OUT(MEMORY_E, exit_pk12par);
+                    }
+                    XMEMSET(node, 0, sizeof(WC_DerCertList));
+
+                    node->buffer = (byte*)XMALLOC(size, pkcs12->heap,
+                                                             DYNAMIC_TYPE_PKCS);
+                    if (node->buffer == NULL) {
+                        XFREE(node, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+                        ERROR_OUT(MEMORY_E, exit_pk12par);
+                    }
+                    XMEMCPY(node->buffer, data + idx, size);
+                    node->bufferSz = size;
+
+                    /* put the new node into the list */
+                    if (certList != NULL) {
+                        WOLFSSL_MSG("Pushing new cert onto queue");
+                        tailList->next = node;
+                        tailList = node;
+                    }
+                    else {
+                        certList = node;
+                        tailList = node;
+                    }
+
+                    /* on to next */
+                    idx += size;
+                }
+                    break;
+
+                case WC_PKCS12_CrlBag: /* 670 */
+                    WOLFSSL_MSG("PKCS12 CRL BAG not yet supported");
+                    break;
+
+                case WC_PKCS12_SecretBag: /* 671 */
+                    WOLFSSL_MSG("PKCS12 Secret BAG not yet supported");
+                    break;
+
+                case WC_PKCS12_SafeContentsBag: /* 672 */
+                    WOLFSSL_MSG("PKCS12 Safe Contents BAG not yet supported");
+                    break;
+
+                default:
+                    WOLFSSL_MSG("Unknown PKCS12 BAG type found");
+            }
+
+            /* Attribute, unknown bag or unsupported */
+            if ((int)idx < bagSz) {
+                idx = bagSz; /* skip for now */
+            }
+        }
+
+        /* free temporary buffer */
+        if (buf != NULL) {
+            XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+            buf = NULL;
+        }
+
+        ci = ci->next;
+        WOLFSSL_MSG("Done Parsing PKCS12 Content Info Container");
+    }
+
+    /* check if key pair, remove from list */
+    if (*pkey != NULL) {
+        freeDecCertList(&certList, pkey, pkeySz, cert, certSz, pkcs12->heap);
+    }
+
+    /* if ca arg provided return certList, otherwise free it */
+    if (ca != NULL) {
+        *ca = certList;
+    }
+    else {
+        /* free list, not wanted */
+        wc_FreeCertList(certList, pkcs12->heap);
+    }
+    (void)tailList; /* not used */
+
+    ret = 0; /* success */
+
+exit_pk12par:
+
+    if (ret != 0) {
+        /* failure cleanup */
+        if (*pkey) {
+            XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+            *pkey = NULL;
+        }
+        if (buf) {
+            XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+            buf = NULL;
+        }
+
+        wc_FreeCertList(certList, pkcs12->heap);
+    }
+
+    return ret;
+}
+
+
+/* Helper function to shroud keys.
+ *
+ * pkcs12 structure to use with shrouding key
+ * rng    random number generator used
+ * out    buffer to hold results
+ * outSz  size of out buffer
+ * key    key that is going to be shrouded
+ * keySz  size of key buffer
+ * vAlgo  algorithm version
+ * pass   password to use
+ * passSz size of pass buffer
+ * itt    number of iterations
+ *
+ * returns the size of the shrouded key on success
+ */
+static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
+        byte* out, word32* outSz, byte* key, word32 keySz, int vAlgo,
+        const char* pass, int passSz, int itt)
+{
+    void* heap;
+    word32 tmpIdx = 0;
+    int vPKCS     = 1; /* PKCS#12 default set to 1 */
+    word32 sz;
+    word32 totalSz = 0;
+    int ret;
+
+
+    if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL ||
+            pass == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    heap = wc_PKCS12_GetHeap(pkcs12);
+
+    /* check if trying to get size */
+    if (out != NULL) {
+        tmpIdx += MAX_LENGTH_SZ + 1; /* save room for length and tag (+1) */
+        sz = *outSz - tmpIdx;
+    }
+
+    /* case of no encryption */
+    if (vAlgo < 0) {
+        const byte* curveOID = NULL;
+        word32 oidSz = 0;
+        int algoID;
+
+        WOLFSSL_MSG("creating PKCS12 Key Bag");
+
+        /* check key type and get OID if ECC */
+        if ((ret = wc_GetKeyOID(key, keySz, &curveOID, &oidSz, &algoID, heap))
+                < 0) {
+            return ret;
+        }
+
+        /* PKCS#8 wrapping around key */
+        ret = wc_CreatePKCS8Key(out + tmpIdx, &sz, key, keySz, algoID,
+                curveOID, oidSz);
+    }
+    else {
+        WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag");
+
+        if (vAlgo == PBE_SHA1_DES) {
+            vPKCS = PKCS5;
+            vAlgo = 10;
+        }
+
+        ret = UnTraditionalEnc(key, keySz, out + tmpIdx, &sz, pass, passSz,
+                vPKCS, vAlgo, NULL, 0, itt, rng, heap);
+    }
+    if (ret == LENGTH_ONLY_E) {
+        *outSz =  sz + MAX_LENGTH_SZ + 1;
+        return LENGTH_ONLY_E;
+    }
+    if (ret < 0) {
+        return ret;
+    }
+
+    totalSz += ret;
+
+    /* out should not be null at this point but check before writing */
+    if (out == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* rewind index and set tag and length */
+    tmpIdx -= MAX_LENGTH_SZ + 1;
+    sz = SetExplicit(0, ret, out + tmpIdx);
+    tmpIdx += sz; totalSz += sz;
+    XMEMMOVE(out + tmpIdx, out + MAX_LENGTH_SZ + 1, ret);
+
+    return totalSz;
+}
+
+
+/* Helper function to create key bag.
+ *
+ * pkcs12 structure to use with key bag
+ * rng    random number generator used
+ * out    buffer to hold results
+ * outSz  size of out buffer
+ * key    key that is going into key bag
+ * keySz  size of key buffer
+ * algo   algorithm version
+ * iter   number of iterations
+ * pass   password to use
+ * passSz size of pass buffer
+ *
+ * returns the size of the key bag on success
+ */
+static int wc_PKCS12_create_key_bag(WC_PKCS12* pkcs12, WC_RNG* rng,
+        byte* out, word32* outSz, byte* key, word32 keySz, int algo, int iter,
+        char* pass, int passSz)
+{
+    void* heap;
+    byte* tmp;
+    word32 length  = 0;
+    word32 idx     = 0;
+    word32 totalSz = 0;
+    word32 sz;
+    word32 i;
+    word32 tmpSz;
+    int ret;
+
+    /* get max size for shrouded key */
+    ret =  wc_PKCS12_shroud_key(pkcs12, rng, NULL, &length, key, keySz,
+            algo, pass, passSz, iter);
+    if (ret != LENGTH_ONLY_E && ret < 0) {
+        return ret;
+    }
+
+    if (out == NULL) {
+        *outSz = MAX_SEQ_SZ + WC_PKCS12_DATA_OBJ_SZ + 1 + MAX_LENGTH_SZ +
+            length;
+        return LENGTH_ONLY_E;
+    }
+
+    heap = wc_PKCS12_GetHeap(pkcs12);
+
+    /* leave room for sequence */
+    idx += MAX_SEQ_SZ;
+
+    if (algo < 0) { /* not encrypted */
+        out[idx++] = ASN_OBJECT_ID; totalSz++;
+        sz = SetLength(sizeof(WC_PKCS12_KeyBag_OID), out + idx);
+        idx += sz; totalSz += sz;
+        for (i = 0; i < sizeof(WC_PKCS12_KeyBag_OID); i++) {
+            out[idx++] = WC_PKCS12_KeyBag_OID[i]; totalSz++;
+        }
+    }
+    else { /* encrypted */
+        out[idx++] = ASN_OBJECT_ID; totalSz++;
+        sz = SetLength(sizeof(WC_PKCS12_ShroudedKeyBag_OID), out + idx);
+        idx += sz; totalSz += sz;
+        for (i = 0; i < sizeof(WC_PKCS12_ShroudedKeyBag_OID); i++) {
+            out[idx++] = WC_PKCS12_ShroudedKeyBag_OID[i]; totalSz++;
+        }
+    }
+
+    /* shroud key */
+    tmp = (byte*)XMALLOC(length, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        return MEMORY_E;
+    }
+
+    ret =  wc_PKCS12_shroud_key(pkcs12, rng, tmp, &length, key, keySz,
+            algo, pass, passSz, iter);
+    if (ret < 0) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+    length = ret;
+    XMEMCPY(out + idx, tmp, length);
+    XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    totalSz += length;
+
+    /* set beginning sequence */
+    tmpSz = SetSequence(totalSz, out);
+    XMEMMOVE(out + tmpSz, out + MAX_SEQ_SZ, totalSz);
+
+    (void)heap;
+    return totalSz + tmpSz;
+}
+
+
+/* Helper function to create cert bag.
+ *
+ * pkcs12 structure to use with cert bag
+ * out    buffer to hold results
+ * outSz  size of out buffer
+ * cert   cert that is going into cert bag
+ * certSz size of cert buffer
+ *
+ * returns the size of the cert bag on success
+ */
+static int wc_PKCS12_create_cert_bag(WC_PKCS12* pkcs12,
+        byte* out, word32* outSz, byte* cert, word32 certSz)
+{
+    word32 length = 0;
+    word32 idx = 0;
+    word32 totalSz = 0;
+    word32 sz;
+    int WC_CERTBAG_OBJECT_ID  = 13;
+    int WC_CERTBAG1_OBJECT_ID = 12;
+    word32 i;
+    word32 tmpSz;
+
+    if (out == NULL) {
+        *outSz = MAX_SEQ_SZ + WC_CERTBAG_OBJECT_ID + 1 + MAX_LENGTH_SZ +
+            MAX_SEQ_SZ + WC_CERTBAG1_OBJECT_ID + 1 + MAX_LENGTH_SZ + 1 +
+            MAX_LENGTH_SZ + certSz;
+        return LENGTH_ONLY_E;
+    }
+
+    /* check buffer size able to handle max size */
+    if (*outSz < (MAX_SEQ_SZ + WC_CERTBAG_OBJECT_ID + 1 + MAX_LENGTH_SZ +
+            MAX_SEQ_SZ + WC_CERTBAG1_OBJECT_ID + 1 + MAX_LENGTH_SZ + 1 +
+            MAX_LENGTH_SZ + certSz)) {
+        return BUFFER_E;
+    }
+
+    /* save room for sequence */
+    idx += MAX_SEQ_SZ;
+
+    /* objectId WC_PKCS12_CertBag */
+    out[idx++] = ASN_OBJECT_ID; totalSz++;
+    sz = SetLength(sizeof(WC_PKCS12_CertBag_OID), out + idx);
+    idx += sz; totalSz += sz;
+    for (i = 0; i < sizeof(WC_PKCS12_CertBag_OID); i++) {
+        out[idx++] = WC_PKCS12_CertBag_OID[i]; totalSz++;
+    }
+
+    /**** Cert Bag type 1 ****/
+    out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC); totalSz++;
+
+    /* save room for length and sequence */
+    idx += MAX_LENGTH_SZ;
+    idx += MAX_SEQ_SZ;
+
+    /* object id WC_PKCS12_CertBag_Type1 */
+    out[idx++] = ASN_OBJECT_ID; length++;
+    sz = SetLength(sizeof(WC_PKCS12_CertBag_Type1_OID), out + idx);
+    idx += sz; length += sz;
+    for (i = 0; i < sizeof(WC_PKCS12_CertBag_Type1_OID); i++) {
+        out[idx++] = WC_PKCS12_CertBag_Type1_OID[i]; length++;
+    }
+
+    out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC); length++;
+    sz = 0;
+    idx += MAX_LENGTH_SZ; /* save room for length */
+
+    /* place the cert in the buffer */
+    out[idx++] = ASN_OCTET_STRING; sz++;
+    tmpSz = SetLength(certSz, out + idx);
+    idx += tmpSz; sz += tmpSz;
+    XMEMCPY(out + idx, cert, certSz);
+    idx += certSz; sz += certSz;
+
+    /* rewind idx and place length */
+    idx -= (sz + MAX_LENGTH_SZ);
+    tmpSz = SetLength(sz, out + idx);
+    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_LENGTH_SZ, sz);
+    idx += tmpSz + sz; length += tmpSz + sz;
+
+    /* rewind idx and set sequence */
+    idx -= (length + MAX_SEQ_SZ);
+    tmpSz = SetSequence(length, out + idx);
+    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_SEQ_SZ, length);
+    length += tmpSz;
+
+    /* place final length */
+    idx -= MAX_LENGTH_SZ;
+    tmpSz = SetLength(length, out + idx);
+    XMEMMOVE(out + idx + tmpSz, out + idx + MAX_LENGTH_SZ, length);
+    length += tmpSz;
+
+    /* place final sequence */
+    totalSz += length;
+    tmpSz = SetSequence(totalSz, out);
+    XMEMMOVE(out + tmpSz, out + MAX_SEQ_SZ, totalSz);
+
+    (void)pkcs12;
+
+    return totalSz + tmpSz;
+}
+
+
+/* Helper function to encrypt content.
+ *
+ * pkcs12    structure to use with key bag
+ * rng       random number generator used
+ * out       buffer to hold results
+ * outSz     size of out buffer
+ * content   content to encrypt
+ * contentSz size of content buffer
+ * vAlgo     algorithm version
+ * pass      password to use
+ * passSz    size of pass buffer
+ * iter      number of iterations
+ * type      content type i.e WC_PKCS12_ENCRYPTED_DATA or WC_PKCS12_DATA
+ *
+ * returns the size of result on success
+ */
+static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng,
+        byte* out, word32* outSz, byte* content, word32 contentSz, int vAlgo,
+        const char* pass, int passSz, int iter, int type)
+{
+    void* heap;
+    int vPKCS     = 1; /* PKCS#12 is always set to 1 */
+    int ret;
+    byte*  tmp;
+    word32 idx = 0;
+    word32 totalSz = 0;
+    word32 length = 0;
+    word32 tmpSz;
+    word32 encSz;
+
+    byte seq[MAX_SEQ_SZ];
+
+    WOLFSSL_MSG("encrypting PKCS12 content");
+
+    heap = wc_PKCS12_GetHeap(pkcs12);
+
+    /* ENCRYPTED DATA
+     * ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC
+     * length
+     * sequence
+     * short int
+     * sequence
+     * get object id */
+    if (type == WC_PKCS12_ENCRYPTED_DATA) {
+        word32 outerSz = 0;
+
+        encSz = contentSz;
+        if ((ret = EncryptContent(NULL, contentSz, NULL, &encSz,
+                   pass, passSz, vPKCS, vAlgo, NULL, 0, iter, rng, heap)) < 0) {
+            if (ret != LENGTH_ONLY_E) {
+                return ret;
+            }
+        }
+
+        /* calculate size */
+        totalSz  = SetObjectId(sizeof(WC_PKCS12_ENCRYPTED_OID), seq);
+        totalSz += sizeof(WC_PKCS12_ENCRYPTED_OID);
+        totalSz += ASN_TAG_SZ;
+
+        length  = SetMyVersion(0, seq, 0);
+        tmpSz   = SetObjectId(sizeof(WC_PKCS12_DATA_OID), seq);
+        tmpSz  += sizeof(WC_PKCS12_DATA_OID);
+        tmpSz  += encSz;
+        length += SetSequence(tmpSz, seq) + tmpSz;
+        outerSz = SetSequence(length, seq) + length;
+
+        totalSz += SetLength(outerSz, seq) + outerSz;
+        if (out == NULL) {
+            *outSz = totalSz + SetSequence(totalSz, seq);
+            return LENGTH_ONLY_E;
+        }
+
+        if (*outSz < totalSz + SetSequence(totalSz, seq)) {
+            return BUFFER_E;
+        }
+
+        idx = 0;
+        idx += SetSequence(totalSz, out + idx);
+        idx += SetObjectId(sizeof(WC_PKCS12_ENCRYPTED_OID), out + idx);
+        if (idx + sizeof(WC_PKCS12_ENCRYPTED_OID) > *outSz){
+            return BUFFER_E;
+        }
+        XMEMCPY(out + idx, WC_PKCS12_ENCRYPTED_OID,
+                sizeof(WC_PKCS12_ENCRYPTED_OID));
+        idx += sizeof(WC_PKCS12_ENCRYPTED_OID);
+
+        if (idx + 1 > *outSz){
+            return BUFFER_E;
+        }
+        out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC);
+        idx += SetLength(outerSz, out + idx);
+
+        idx += SetSequence(length, out + idx);
+        idx += SetMyVersion(0, out + idx, 0);
+        tmp = (byte*)XMALLOC(encSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (tmp == NULL) {
+            return MEMORY_E;
+        }
+
+        if ((ret = EncryptContent(content, contentSz, tmp, &encSz,
+                   pass, passSz, vPKCS, vAlgo, NULL, 0, iter, rng, heap)) < 0) {
+            XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return ret;
+        }
+        encSz = ret;
+
+        #ifdef WOLFSSL_DEBUG_PKCS12
+        {
+            byte* p;
+            for (printf("(size %u) Encrypted Content = ", encSz),
+                    p = (byte*)tmp;
+                p < (byte*)tmp + encSz;
+                printf("%02X", *p), p++);
+            printf("\n");
+        }
+        #endif
+
+        idx += SetSequence(WC_PKCS12_DATA_OBJ_SZ + encSz, out + idx);
+        idx += SetObjectId(sizeof(WC_PKCS12_DATA_OID), out + idx);
+        if (idx + sizeof(WC_PKCS12_DATA_OID) > *outSz){
+            WOLFSSL_MSG("Buffer not large enough for DATA OID");
+            return BUFFER_E;
+        }
+        XMEMCPY(out + idx, WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
+        idx += sizeof(WC_PKCS12_DATA_OID);
+
+        /* copy over encrypted data */
+        if (idx + encSz > *outSz){
+            return BUFFER_E;
+        }
+        XMEMCPY(out + idx, tmp, encSz);
+        XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        idx += encSz;
+        return idx;
+    }
+
+    /* DATA
+     * ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC
+     * length
+     * ASN_OCTET_STRING
+     * length
+     * sequence containing all bags */
+    if (type == WC_PKCS12_DATA) {
+        /* calculate size */
+        totalSz = SetObjectId(sizeof(WC_PKCS12_DATA_OID), seq);
+        totalSz += sizeof(WC_PKCS12_DATA_OID);
+        totalSz += ASN_TAG_SZ;
+
+        length   = SetOctetString(contentSz, seq);
+        length  += contentSz;
+        totalSz += SetLength(length, seq);
+        totalSz += length;
+
+        if (out == NULL) {
+            *outSz = totalSz + SetSequence(totalSz, seq);
+            return LENGTH_ONLY_E;
+        }
+
+        if (*outSz < (totalSz + SetSequence(totalSz, seq))) {
+            return BUFFER_E;
+        }
+
+        /* place data in output buffer */
+        idx  = 0;
+        idx += SetSequence(totalSz, out);
+        idx += SetObjectId(sizeof(WC_PKCS12_DATA_OID), out + idx);
+        if (idx + sizeof(WC_PKCS12_DATA_OID) > *outSz){
+            WOLFSSL_MSG("Buffer not large enough for DATA OID");
+            return BUFFER_E;
+        }
+        XMEMCPY(out + idx, WC_PKCS12_DATA_OID, sizeof(WC_PKCS12_DATA_OID));
+        idx += sizeof(WC_PKCS12_DATA_OID);
+
+        if (idx + 1 > *outSz){
+            return BUFFER_E;
+        }
+        out[idx++] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC);
+        idx += SetLength(length, out + idx);
+        idx += SetOctetString(contentSz, out + idx);
+
+        if (idx + contentSz > *outSz){
+            return BUFFER_E;
+        }
+        XMEMCPY(out + idx, content, contentSz);
+        idx += contentSz;
+
+        return idx;
+    }
+
+    WOLFSSL_MSG("Unknown/Unsupported content type");
+    return BAD_FUNC_ARG;
+}
+
+
+/* helper function to create the PKCS12 key content
+ * keyCiSz is output buffer size
+ * returns a pointer to be free'd by caller on success and NULL on failure */
+static byte* PKCS12_create_key_content(WC_PKCS12* pkcs12, int nidKey,
+        word32* keyCiSz, WC_RNG* rng, char* pass, word32 passSz,
+        byte* key, word32 keySz, int iter)
+{
+    byte*  keyBuf;
+    word32 keyBufSz = 0;
+    byte* keyCi = NULL;
+    word32 tmpSz;
+    int ret;
+    int algo;
+    void* heap;
+
+    heap = wc_PKCS12_GetHeap(pkcs12);
+    *keyCiSz = 0;
+    switch (nidKey) {
+        case PBE_SHA1_RC4_128:
+            algo = 1;
+            break;
+
+        case PBE_SHA1_DES:
+            algo = 2;
+            break;
+
+        case PBE_SHA1_DES3:
+            algo = 3;
+            break;
+
+        /* no encryption */
+        case -1:
+            algo = -1;
+            break;
+
+        default:
+            WOLFSSL_MSG("Unknown/Unsupported key encryption");
+            return NULL;
+    }
+
+    /* get max size for key bag */
+    ret = wc_PKCS12_create_key_bag(pkcs12, rng, NULL, &keyBufSz, key, keySz,
+            algo, iter, pass, passSz);
+    if (ret != LENGTH_ONLY_E && ret < 0) {
+        WOLFSSL_MSG("Error getting key bag size");
+        return NULL;
+    }
+
+    /* account for sequence around bag */
+    keyBufSz += MAX_SEQ_SZ;
+    keyBuf = (byte*)XMALLOC(keyBufSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (keyBuf == NULL) {
+        WOLFSSL_MSG("Memory error creating keyBuf buffer");
+        return NULL;
+    }
+
+    ret = wc_PKCS12_create_key_bag(pkcs12, rng, keyBuf + MAX_SEQ_SZ, &keyBufSz,
+            key, keySz, algo, iter, pass, passSz);
+    if (ret < 0) {
+        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Error creating key bag");
+        return NULL;
+    }
+    keyBufSz = ret;
+
+    tmpSz = SetSequence(keyBufSz, keyBuf);
+    XMEMMOVE(keyBuf + tmpSz, keyBuf + MAX_SEQ_SZ, keyBufSz);
+    keyBufSz += tmpSz;
+
+    #ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        word32 i;
+        printf("(size %u) Key Bag = ", keyBufSz);
+        for (i = 0; i < keyBufSz; i++)
+            printf("%02X", keyBuf[i]);
+        printf("\n");
+    }
+    #endif
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, keyCiSz,
+            NULL, keyBufSz, algo, pass, passSz, iter, WC_PKCS12_DATA);
+    if (ret != LENGTH_ONLY_E) {
+        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Error getting key encrypt content size");
+        return NULL;
+    }
+    keyCi = (byte*)XMALLOC(*keyCiSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (keyCi == NULL) {
+        XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return NULL;
+    }
+
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, keyCi, keyCiSz,
+            keyBuf, keyBufSz, algo, pass, passSz, iter, WC_PKCS12_DATA);
+    XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret < 0 ) {
+        XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_MSG("Error creating key encrypt content");
+        return NULL;
+    }
+    *keyCiSz = ret;
+
+    #ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        word32 i;
+        printf("(size %u) Key Content Info = ", *keyCiSz);
+        for (i = 0; i < *keyCiSz; i++)
+            printf("%02X", keyCi[i]);
+        printf("\n");
+    }
+    #endif
+
+    (void)heap;
+    return keyCi;
+}
+
+
+/* helper function to create the PKCS12 certificate content
+ * certCiSz is output buffer size
+ * returns a pointer to be free'd by caller on success and NULL on failure */
+static byte* PKCS12_create_cert_content(WC_PKCS12* pkcs12, int nidCert,
+        WC_DerCertList* ca, byte* cert, word32 certSz, word32* certCiSz,
+        WC_RNG* rng, char* pass, word32 passSz, int iter)
+{
+    int algo;
+    int ret;
+    int type;
+
+    byte*  certBuf = NULL;
+    word32 certBufSz;
+    word32 idx;
+    word32 sz;
+    word32 tmpSz;
+
+    byte* certCi;
+    void* heap;
+
+    heap = wc_PKCS12_GetHeap(pkcs12);
+    switch (nidCert) {
+        case PBE_SHA1_RC4_128:
+            type = WC_PKCS12_ENCRYPTED_DATA;
+            algo = 1;
+            break;
+
+        case PBE_SHA1_DES:
+            type = WC_PKCS12_ENCRYPTED_DATA;
+            algo = 2;
+            break;
+
+        case PBE_SHA1_DES3:
+            type = WC_PKCS12_ENCRYPTED_DATA;
+            algo = 3;
+            break;
+
+        case -1:
+            type = WC_PKCS12_DATA;
+            algo = -1;
+            break;
+
+        default:
+            WOLFSSL_MSG("Unknown/Unsupported certificate encryption");
+            return NULL;
+    }
+
+    /* get max size of buffer needed */
+    ret = wc_PKCS12_create_cert_bag(pkcs12, NULL, &certBufSz, cert, certSz);
+    if (ret != LENGTH_ONLY_E) {
+        return NULL;
+    }
+
+    if (ca != NULL) {
+        WC_DerCertList* current = ca;
+        word32 curBufSz = 0;
+
+        /* get max buffer size */
+        while (current != NULL) {
+            ret = wc_PKCS12_create_cert_bag(pkcs12, NULL, &curBufSz,
+                    current->buffer, current->bufferSz);
+            if (ret != LENGTH_ONLY_E) {
+                return NULL;
+            }
+            certBufSz += curBufSz;
+            current    = current->next;
+        }
+    }
+
+    /* account for Sequence that holds all certificate bags */
+    certBufSz += MAX_SEQ_SZ;
+
+    /* completed getting max size, now create buffer and start adding bags */
+    certBuf = (byte*)XMALLOC(certBufSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (certBuf == NULL) {
+        WOLFSSL_MSG("Memory error creating certificate bags");
+        return NULL;
+    }
+
+    idx = 0;
+    idx += MAX_SEQ_SZ;
+
+    sz = certBufSz - idx;
+    if ((ret = wc_PKCS12_create_cert_bag(pkcs12, certBuf + idx, &sz,
+            cert, certSz)) < 0) {
+        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return NULL;
+    }
+    idx += ret;
+
+    if (ca != NULL) {
+        WC_DerCertList* current = ca;
+
+        while (current != NULL) {
+            sz = certBufSz - idx;
+            if ((ret = wc_PKCS12_create_cert_bag(pkcs12, certBuf + idx, &sz,
+               current->buffer, current->bufferSz)) < 0) {
+                XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return NULL;
+            }
+            idx    += ret;
+            current = current->next;
+        }
+    }
+
+    /* set sequence and create encrypted content with all certificate bags */
+    tmpSz = SetSequence(idx - MAX_SEQ_SZ, certBuf);
+    XMEMMOVE(certBuf + tmpSz, certBuf + MAX_SEQ_SZ, idx - MAX_SEQ_SZ);
+    certBufSz = tmpSz + (idx - MAX_SEQ_SZ);
+
+    /* get buffer size needed for content info */
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, certCiSz,
+            NULL, certBufSz, algo, pass, passSz, iter, type);
+    if (ret != LENGTH_ONLY_E) {
+        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        WOLFSSL_LEAVE("wc_PKCS12_create()", ret);
+        return NULL;
+    }
+    certCi = (byte*)XMALLOC(*certCiSz, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (certCi == NULL) {
+        XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return NULL;
+    }
+
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, certCi, certCiSz,
+            certBuf, certBufSz, algo, pass, passSz, iter, type);
+    XFREE(certBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret < 0) {
+        WOLFSSL_LEAVE("wc_PKCS12_create()", ret);
+        return NULL;
+    }
+    *certCiSz = ret;
+
+    #ifdef WOLFSSL_DEBUG_PKCS12
+    {
+        word32 i;
+        printf("(size %u) Encrypted Certificate Content Info = ", *certCiSz);
+        for (i = 0; i < *certCiSz; i++)
+            printf("%02X", certCi[i]);
+        printf("\n");
+    }
+    #endif
+
+    (void)heap;
+    return certCi;
+}
+
+
+/* helper function to create the PKCS12 safe
+ * returns 0 on success */
+static int PKCS12_create_safe(WC_PKCS12* pkcs12, byte* certCi, word32 certCiSz,
+        byte* keyCi, word32 keyCiSz, WC_RNG* rng, char* pass, word32 passSz,
+        int iter)
+{
+    int length;
+    int ret;
+    byte seq[MAX_SEQ_SZ];
+    word32 safeDataSz;
+    word32 innerDataSz;
+    byte *innerData = NULL;
+    byte *safeData  = NULL;
+    word32 idx;
+
+    innerDataSz = certCiSz + keyCiSz+SetSequence(certCiSz + keyCiSz, seq);
+
+    /* add Content Info structs to safe, key first then cert */
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, NULL, &safeDataSz,
+            NULL, innerDataSz, 0, NULL, 0, 0, WC_PKCS12_DATA);
+    if (ret != LENGTH_ONLY_E) {
+        return ret;
+    }
+
+    safeData = (byte*)XMALLOC(safeDataSz, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (safeData == NULL) {
+        WOLFSSL_MSG("Error malloc'ing safe data buffer");
+        return MEMORY_E;
+    }
+
+    /* create sequence of inner data */
+    innerData = (byte*)XMALLOC(innerDataSz, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+    if (innerData == NULL) {
+        WOLFSSL_MSG("Error malloc'ing inner data buffer");
+        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+    idx  = 0;
+    idx += SetSequence(certCiSz + keyCiSz, innerData);
+    XMEMCPY(innerData + idx, certCi, certCiSz);
+    XMEMCPY(innerData + idx + certCiSz, keyCi, keyCiSz);
+
+    ret = wc_PKCS12_encrypt_content(pkcs12, rng, safeData, &safeDataSz,
+            innerData, innerDataSz, 0, pass, passSz, iter, WC_PKCS12_DATA);
+    XFREE(innerData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+    if (ret < 0 ) {
+        WOLFSSL_MSG("Error setting data type for safe contents");
+        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+    idx = 0;
+
+    ret = GetSequence(safeData, &idx, &length, safeDataSz);
+    if (ret < 0) {
+        WOLFSSL_MSG("Error getting first sequence of safe");
+        XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+
+    ret = GetSafeContent(pkcs12, safeData, &idx, safeDataSz);
+    XFREE(safeData, pkcs12->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret < 0) {
+        WOLFSSL_MSG("Unable to create safe contents");
+        return ret;
+    }
+    return 0;
+}
+
+
+/*
+ * pass : password to use with encryption
+ * passSz : size of the password buffer
+ * name : friendlyName to use
+ * key  : DER format of key
+ * keySz : size of key buffer
+ * cert : DER format of certificate
+ * certSz : size of the certificate buffer
+ * ca   : a list of extra certificates
+ * nidKey  : type of encryption to use on the key (-1 means no encryption)
+ * nidCert : type of encryption to use on the certificate
+ *           (-1 means no encryption)
+ * iter    : number of iterations with encryption
+ * macIter : number of iterations when creating MAC
+ * keyType : flag for signature and/or encryption key
+ * heap : pointer to allocate from memory
+ *
+ * returns a pointer to a new WC_PKCS12 structure on success and NULL if failed
+ */
+WC_PKCS12* wc_PKCS12_create(char* pass, word32 passSz, char* name,
+        byte* key, word32 keySz, byte* cert, word32 certSz, WC_DerCertList* ca,
+        int nidKey, int nidCert, int iter, int macIter, int keyType, void* heap)
+{
+    WC_PKCS12* pkcs12;
+    WC_RNG     rng;
+    int ret;
+
+    byte*  certCi = NULL;
+    byte*  keyCi  = NULL;
+    word32 certCiSz;
+    word32 keyCiSz;
+
+    WOLFSSL_ENTER("wc_PKCS12_create()");
+
+    if ((ret = wc_InitRng_ex(&rng, heap, INVALID_DEVID)) != 0) {
+        return NULL;
+    }
+
+    if ((pkcs12 = wc_PKCS12_new()) == NULL) {
+        wc_FreeRng(&rng);
+        WOLFSSL_LEAVE("wc_PKCS12_create", MEMORY_E);
+        return NULL;
+    }
+
+    if ((ret = wc_PKCS12_SetHeap(pkcs12, heap)) != 0) {
+        wc_PKCS12_free(pkcs12);
+        wc_FreeRng(&rng);
+        WOLFSSL_LEAVE("wc_PKCS12_create", ret);
+        return NULL;
+    }
+
+    if (iter <= 0) {
+        iter = WC_PKCS12_ITT_DEFAULT;
+    }
+
+    /**** add private key bag ****/
+    keyCi = PKCS12_create_key_content(pkcs12, nidKey, &keyCiSz, &rng,
+            pass, passSz, key, keySz, iter);
+    if (keyCi == NULL) {
+        wc_PKCS12_free(pkcs12);
+        wc_FreeRng(&rng);
+        return NULL;
+    }
+
+    /**** add main certificate bag and extras ****/
+    certCi = PKCS12_create_cert_content(pkcs12, nidCert, ca, cert, certSz,
+            &certCiSz, &rng, pass, passSz, iter);
+    if (certCi == NULL) {
+        XFREE(keyCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_PKCS12_free(pkcs12);
+        wc_FreeRng(&rng);
+        return NULL;
+    }
+
+    /**** create safe and Content Info ****/
+    ret = PKCS12_create_safe(pkcs12, certCi, certCiSz, keyCi, keyCiSz, &rng,
+            pass, passSz, iter);
+    XFREE(keyCi,  heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(certCi, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret != 0) {
+        WOLFSSL_MSG("Unable to create PKCS12 safe");
+        wc_PKCS12_free(pkcs12);
+        wc_FreeRng(&rng);
+        return NULL;
+    }
+
+    /* create MAC */
+    if (macIter > 0) {
+        MacData* mac;
+        byte digest[WC_MAX_DIGEST_SIZE]; /* for MAC */
+
+        mac = (MacData*)XMALLOC(sizeof(MacData), heap, DYNAMIC_TYPE_PKCS);
+        if (mac == NULL) {
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            WOLFSSL_MSG("Error malloc'ing mac data buffer");
+            return NULL;
+        }
+        XMEMSET(mac, 0, sizeof(MacData));
+        pkcs12->signData = mac; /* now wc_PKCS12_free will free all mac too */
+
+        #ifndef NO_SHA256
+            mac->oid = SHA256h;
+        #elif !defined(NO_SHA)
+            mac->oid = SHA;
+        #elif defined(WOLFSSL_SHA384)
+            mac->oid = SHA384;
+        #elif defined(WOLFSSL_SHA512)
+            mac->oid = SHA512;
+        #else
+            WOLFSSL_MSG("No supported hash algorithm compiled in!");
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            return NULL;
+        #endif
+
+        /* store number of iterations */
+        mac->itt = macIter;
+
+        /* set mac salt */
+        mac->saltSz = 8;
+        mac->salt = (byte*)XMALLOC(mac->saltSz, heap, DYNAMIC_TYPE_PKCS);
+        if (mac->salt == NULL) {
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            WOLFSSL_MSG("Error malloc'ing salt data buffer");
+            return NULL;
+        }
+
+        if ((ret = wc_RNG_GenerateBlock(&rng, mac->salt, mac->saltSz)) != 0) {
+            WOLFSSL_MSG("Error generating random salt");
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            return NULL;
+        }
+        ret = wc_PKCS12_create_mac(pkcs12, pkcs12->safe->data,
+                pkcs12->safe->dataSz, (const byte*)pass, passSz, digest,
+                WC_MAX_DIGEST_SIZE);
+        if (ret < 0) {
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            WOLFSSL_MSG("Error creating mac");
+            WOLFSSL_LEAVE("wc_PKCS12_create", ret);
+            return NULL;
+        }
+
+        mac->digestSz = ret;
+        mac->digest = (byte*)XMALLOC(ret, heap, DYNAMIC_TYPE_PKCS);
+        if (mac->digest == NULL) {
+            WOLFSSL_MSG("Error malloc'ing mac digest buffer");
+            wc_PKCS12_free(pkcs12);
+            wc_FreeRng(&rng);
+            return NULL;
+        }
+        XMEMCPY(mac->digest, digest, mac->digestSz);
+    }
+    else {
+        pkcs12->signData = NULL;
+    }
+
+    wc_FreeRng(&rng);
+    (void)name;
+    (void)keyType;
+
+    return pkcs12;
+}
+
+
+/* if using a specific memory heap */
+int wc_PKCS12_SetHeap(WC_PKCS12* pkcs12, void* heap)
+{
+    if (pkcs12 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    pkcs12->heap = heap;
+
+    return 0;
+}
+
+
+/* getter for heap */
+void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12)
+{
+    if (pkcs12 == NULL) {
+        return NULL;
+    }
+
+    return pkcs12->heap;
+}
+
+#undef ERROR_OUT
+
+#endif /* !NO_ASN && !NO_PWDBASED && HAVE_PKCS12 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs7.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs7.c
index 2f66ea216..e420cad37 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs7.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pkcs7.c
@@ -1,8 +1,8 @@
 /* pkcs7.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -30,45 +31,512 @@
 #include <wolfssl/wolfcrypt/pkcs7.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/hash.h>
+#ifndef NO_RSA
+    #include <wolfssl/wolfcrypt/rsa.h>
+#endif
+#ifdef HAVE_ECC
+    #include <wolfssl/wolfcrypt/ecc.h>
+#endif
+#ifdef HAVE_LIBZ
+    #include <wolfssl/wolfcrypt/compress.h>
+#endif
+#ifndef NO_PWDBASED
+    #include <wolfssl/wolfcrypt/pwdbased.h>
+#endif
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+/* direction for processing, encoding or decoding */
+typedef enum {
+    WC_PKCS7_ENCODE,
+    WC_PKCS7_DECODE
+} pkcs7Direction;
+
+#define NO_USER_CHECK 0
+
+/* holds information about the signers */
+struct PKCS7SignerInfo {
+    int version;
+    byte  *sid;
+    word32 sidSz;
+};
+
+
+#ifndef NO_PKCS7_STREAM
+
+#define MAX_PKCS7_STREAM_BUFFER 256
+struct PKCS7State {
+    byte* tmpCert;
+    byte* bufferPt;
+    byte* key;
+    byte* nonce;    /* stored nonce */
+    byte* aad;      /* additional data for AEAD algos */
+    byte* tag;      /* tag data for AEAD algos */
+    byte* content;
+    byte* buffer;   /* main internal read buffer */
+
+    /* stack variables to store for when returning */
+    word32 varOne;
+    int    varTwo;
+    int    varThree;
+
+    word32 vers;
+    word32 idx;      /* index read into current input buffer */
+    word32 maxLen;   /* sanity cap on maximum amount of data to allow
+                      * needed for GetSequence and other calls */
+    word32 length;   /* amount of data stored */
+    word32 bufferSz; /* size of internal buffer */
+    word32 expected; /* next amount of data expected, if needed */
+    word32 totalRd;  /* total amount of bytes read */
+    word32 nonceSz;  /* size of nonce stored */
+    word32 aadSz;    /* size of additional AEAD data */
+    word32 tagSz;    /* size of tag for AEAD */
+    word32 contentSz;
+    byte tmpIv[MAX_CONTENT_IV_SIZE]; /* store IV if needed */
+#ifdef WC_PKCS7_STREAM_DEBUG
+    word32 peakUsed; /* most bytes used for struct at any one time */
+    word32 peakRead; /* most bytes used by read buffer */
+#endif
+    byte   multi:1;  /* flag for if content is in multiple parts */
+    byte   flagOne:1;
+    byte   detached:1; /* flag to indicate detached signature is present */
+};
+
 
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
+enum PKCS7_MaxLen {
+    PKCS7_DEFAULT_PEEK = 0,
+    PKCS7_SEQ_PEEK
+};
+
+/* creates a PKCS7State structure and returns 0 on success */
+static int wc_PKCS7_CreateStream(PKCS7* pkcs7)
+{
+    WOLFSSL_MSG("creating PKCS7 stream structure");
+    pkcs7->stream = (PKCS7State*)XMALLOC(sizeof(PKCS7State), pkcs7->heap,
+        DYNAMIC_TYPE_PKCS7);
+    if (pkcs7->stream == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(pkcs7->stream, 0, sizeof(PKCS7State));
+#ifdef WC_PKCS7_STREAM_DEBUG
+    printf("\nCreating new PKCS#7 stream %p\n", pkcs7->stream);
+#endif
+    return 0;
+}
+
+
+static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
+{
+    if (pkcs7 != NULL && pkcs7->stream != NULL) {
+#ifdef WC_PKCS7_STREAM_DEBUG
+        /* collect final data point in case more was read right before reset */
+        if (pkcs7->stream->length > pkcs7->stream->peakRead) {
+            pkcs7->stream->peakRead = pkcs7->stream->length;
+        }
+        if (pkcs7->stream->bufferSz + pkcs7->stream->aadSz +
+                pkcs7->stream->nonceSz + pkcs7->stream->tagSz >
+                pkcs7->stream->peakUsed) {
+            pkcs7->stream->peakUsed = pkcs7->stream->bufferSz +
+                pkcs7->stream->aadSz + pkcs7->stream->nonceSz +
+                pkcs7->stream->tagSz;
+        }
+
+        /* print out debugging statistics */
+        if (pkcs7->stream->peakUsed > 0 || pkcs7->stream->peakRead > 0) {
+            printf("PKCS#7 STREAM:\n\tPeak heap used by struct = %d"
+                                 "\n\tPeak read buffer bytes   = %d"
+                                 "\n\tTotal bytes read         = %d"
+                                 "\n",
+                   pkcs7->stream->peakUsed, pkcs7->stream->peakRead,
+                   pkcs7->stream->totalRd);
+        }
+        printf("PKCS#7 stream reset : Address [%p]\n", pkcs7->stream);
+    #endif
+
+        /* free any buffers that may be allocated */
+        XFREE(pkcs7->stream->aad, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(pkcs7->stream->key, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->stream->aad    = NULL;
+        pkcs7->stream->tag    = NULL;
+        pkcs7->stream->nonce  = NULL;
+        pkcs7->stream->buffer = NULL;
+        pkcs7->stream->key    = NULL;
+
+        /* reset values, note that content and tmpCert are saved */
+        pkcs7->stream->maxLen   = 0;
+        pkcs7->stream->length   = 0;
+        pkcs7->stream->idx      = 0;
+        pkcs7->stream->expected = 0;
+        pkcs7->stream->totalRd  = 0;
+        pkcs7->stream->bufferSz = 0;
+
+        pkcs7->stream->multi    = 0;
+        pkcs7->stream->flagOne  = 0;
+        pkcs7->stream->detached = 0;
+        pkcs7->stream->varOne   = 0;
+        pkcs7->stream->varTwo   = 0;
+        pkcs7->stream->varThree = 0;
+    }
+}
+
+
+static void wc_PKCS7_FreeStream(PKCS7* pkcs7)
+{
+    if (pkcs7 != NULL && pkcs7->stream != NULL) {
+        wc_PKCS7_ResetStream(pkcs7);
+
+        XFREE(pkcs7->stream->content, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(pkcs7->stream->tmpCert, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->stream->content = NULL;
+        pkcs7->stream->tmpCert = NULL;
+
+        XFREE(pkcs7->stream, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->stream = NULL;
+    }
+}
+
+
+/* used to increase the max size for internal buffer
+ * returns 0 on success  */
+static int wc_PKCS7_GrowStream(PKCS7* pkcs7, word32 newSz)
+{
+    byte* pt;
+
+    pt = (byte*)XMALLOC(newSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (pt == NULL) {
+        return MEMORY_E;
+    }
+    XMEMCPY(pt, pkcs7->stream->buffer, pkcs7->stream->bufferSz);
+
+#ifdef WC_PKCS7_STREAM_DEBUG
+    printf("PKCS7 increasing internal stream buffer %d -> %d\n",
+            pkcs7->stream->bufferSz, newSz);
+#endif
+    pkcs7->stream->bufferSz = newSz;
+    XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    pkcs7->stream->buffer = pt;
+    return 0;
+}
+
+
+/* pt gets set to the buffer that is holding data in the case that stream struct
+ *    is used.
+ *
+ * Sets idx to be the current offset into "pt" buffer
+ * returns 0 on success
+ */
+static int wc_PKCS7_AddDataToStream(PKCS7* pkcs7, byte* in, word32 inSz,
+        word32 expected, byte** pt, word32* idx)
+{
+    word32 rdSz = pkcs7->stream->idx;
+
+    /* If the input size minus current index into input buffer is greater than
+     * the expected size then use the input buffer. If data is already stored
+     * in stream buffer or if there is not enough input data available then use
+     * the stream buffer. */
+    if (inSz - rdSz >= expected && pkcs7->stream->length == 0) {
+        /* storing input buffer is not needed */
+        *pt  = in; /* reset in case previously used internal buffer */
+        *idx = rdSz;
+        return 0;
+    }
+
+    /* is there enough stored in buffer already? */
+    if (pkcs7->stream->length >= expected) {
+        *idx = 0; /* start reading from beginning of stream buffer */
+        *pt  = pkcs7->stream->buffer;
+        return 0;
+    }
+
+    /* check if all data has been read from input */
+    if (rdSz >= inSz) {
+        /* no more input to read, reset input index and request more data */
+        pkcs7->stream->idx = 0;
+        return WC_PKCS7_WANT_READ_E;
+    }
+
+    /* try to store input data into stream buffer */
+    if (inSz - rdSz > 0 && pkcs7->stream->length < expected) {
+        int len = min(inSz - rdSz, expected - pkcs7->stream->length);
+
+        /* sanity check that the input buffer is not internal buffer */
+        if (in == pkcs7->stream->buffer) {
+            return WC_PKCS7_WANT_READ_E;
+        }
+
+        /* check if internal buffer size needs to be increased */
+        if (len + pkcs7->stream->length > pkcs7->stream->bufferSz) {
+            int ret = wc_PKCS7_GrowStream(pkcs7, expected);
+            if (ret < 0) {
+                return ret;
+            }
+        }
+        XMEMCPY(pkcs7->stream->buffer + pkcs7->stream->length, in + rdSz, len);
+        pkcs7->stream->length  += len;
+        pkcs7->stream->idx     += len;
+        pkcs7->stream->totalRd += len;
+    }
+
+#ifdef WC_PKCS7_STREAM_DEBUG
+    /* collects memory usage for debugging */
+    if (pkcs7->stream->length > pkcs7->stream->peakRead) {
+        pkcs7->stream->peakRead = pkcs7->stream->length;
     }
+    if (pkcs7->stream->bufferSz + pkcs7->stream->aadSz + pkcs7->stream->nonceSz +
+        pkcs7->stream->tagSz > pkcs7->stream->peakUsed) {
+        pkcs7->stream->peakUsed = pkcs7->stream->bufferSz +
+           pkcs7->stream->aadSz + pkcs7->stream->nonceSz + pkcs7->stream->tagSz;
+    }
+#endif
+
+    /* if not enough data was read in then request more */
+    if (pkcs7->stream->length < expected) {
+        pkcs7->stream->idx = 0;
+        return WC_PKCS7_WANT_READ_E;
+    }
+
+    /* adjust pointer to read from stored buffer */
+    *idx = 0;
+    *pt  = pkcs7->stream->buffer;
+    return 0;
+}
+
 
-#endif /* WOLFSSL_HAVE_MIN */
+/* Does two things
+ *  1) Tries to get the length from current buffer and set it as max length
+ *  2) Retrieves the set max length
+ *
+ * if no flag value is set then the stored max length is returned.
+ * returns length found on success and defSz if no stored data is found
+ */
+static long wc_PKCS7_GetMaxStream(PKCS7* pkcs7, byte flag, byte* in,
+        word32 defSz)
+{
+    /* check there is a buffer to read from */
+    if (pkcs7) {
+        int     length = 0, ret;
+        word32  idx = 0, maxIdx;
+        byte*   pt;
+
+        if (flag != PKCS7_DEFAULT_PEEK) {
+            if (pkcs7->stream->length > 0) {
+                length = pkcs7->stream->length;
+                pt     = pkcs7->stream->buffer;
+            }
+            else {
+                length = defSz;
+                pt     = in;
+            }
+            maxIdx = (word32)length;
+
+            if (length < MAX_SEQ_SZ) {
+                WOLFSSL_MSG("PKCS7 Error not enough data for SEQ peek\n");
+                return 0;
+            }
+            if (flag == PKCS7_SEQ_PEEK) {
+                if ((ret = GetSequence_ex(pt, &idx, &length, maxIdx,
+                                NO_USER_CHECK)) < 0) {
+                    return ret;
+                }
+
+            #ifdef ASN_BER_TO_DER
+                if (length == 0 && ret == 0) {
+                    idx = 0;
+                    if ((ret = wc_BerToDer(pt, defSz, NULL,
+                                    (word32*)&length)) != LENGTH_ONLY_E) {
+                        return ret;
+                    }
+                }
+            #endif /* ASN_BER_TO_DER */
+                pkcs7->stream->maxLen = length + idx;
+            }
+        }
+
+        if (pkcs7->stream->maxLen == 0) {
+            pkcs7->stream->maxLen = defSz;
+        }
+
+        return pkcs7->stream->maxLen;
+    }
+
+    return defSz;
+}
+
+
+/* setter function for stored variables */
+static void wc_PKCS7_StreamStoreVar(PKCS7* pkcs7, word32 var1, int var2,
+        int var3)
+{
+    if (pkcs7 != NULL && pkcs7->stream != NULL) {
+        pkcs7->stream->varOne   = var1;
+        pkcs7->stream->varTwo   = var2;
+        pkcs7->stream->varThree = var3;
+    }
+}
+
+/* getter function for stored variables */
+static void wc_PKCS7_StreamGetVar(PKCS7* pkcs7, word32* var1, int* var2,
+        int* var3)
+{
+    if (pkcs7 != NULL && pkcs7->stream != NULL) {
+        if (var1 != NULL) *var1 = pkcs7->stream->varOne;
+        if (var2 != NULL) *var2 = pkcs7->stream->varTwo;
+        if (var3 != NULL) *var3 = pkcs7->stream->varThree;
+    }
+}
+
+
+/* common update of index and total read after section complete
+ * returns 0 on success */
+static int wc_PKCS7_StreamEndCase(PKCS7* pkcs7, word32* tmpIdx, word32* idx)
+{
+    int ret = 0;
+
+    if (pkcs7->stream->length > 0) {
+        if (pkcs7->stream->length < *idx) {
+            WOLFSSL_MSG("PKCS7 read too much data from internal buffer");
+            ret = BUFFER_E;
+        }
+        else {
+            XMEMMOVE(pkcs7->stream->buffer, pkcs7->stream->buffer + *idx,
+                 pkcs7->stream->length - *idx);
+            pkcs7->stream->length -= *idx;
+        }
+    }
+    else {
+        pkcs7->stream->totalRd += *idx - *tmpIdx;
+        pkcs7->stream->idx = *idx; /* adjust index into input buffer */
+        *tmpIdx = *idx;
+    }
+
+    return ret;
+}
+#endif /* NO_PKCS7_STREAM */
+
+#ifdef WC_PKCS7_STREAM_DEBUG
+/* used to print out human readable state for debugging */
+static const char* wc_PKCS7_GetStateName(int in)
+{
+    switch (in) {
+        case WC_PKCS7_START: return "WC_PKCS7_START";
+
+        case WC_PKCS7_STAGE2: return "WC_PKCS7_STAGE2";
+        case WC_PKCS7_STAGE3: return "WC_PKCS7_STAGE3";
+        case WC_PKCS7_STAGE4: return "WC_PKCS7_STAGE4";
+        case WC_PKCS7_STAGE5: return "WC_PKCS7_STAGE5";
+        case WC_PKCS7_STAGE6: return "WC_PKCS7_STAGE6";
+
+        /* parse info set */
+        case WC_PKCS7_INFOSET_START:  return "WC_PKCS7_INFOSET_START";
+        case WC_PKCS7_INFOSET_BER:    return "WC_PKCS7_INFOSET_BER";
+        case WC_PKCS7_INFOSET_STAGE1: return "WC_PKCS7_INFOSET_STAGE1";
+        case WC_PKCS7_INFOSET_STAGE2: return "WC_PKCS7_INFOSET_STAGE2";
+        case WC_PKCS7_INFOSET_END:    return "WC_PKCS7_INFOSET_END";
+
+        /* decode enveloped data */
+        case WC_PKCS7_ENV_2: return "WC_PKCS7_ENV_2";
+        case WC_PKCS7_ENV_3: return "WC_PKCS7_ENV_3";
+        case WC_PKCS7_ENV_4: return "WC_PKCS7_ENV_4";
+        case WC_PKCS7_ENV_5: return "WC_PKCS7_ENV_5";
+
+        /* decode auth enveloped */
+        case WC_PKCS7_AUTHENV_2: return "WC_PKCS7_AUTHENV_2";
+        case WC_PKCS7_AUTHENV_3: return "WC_PKCS7_AUTHENV_3";
+        case WC_PKCS7_AUTHENV_4: return "WC_PKCS7_AUTHENV_4";
+        case WC_PKCS7_AUTHENV_5: return "WC_PKCS7_AUTHENV_5";
+        case WC_PKCS7_AUTHENV_6: return "WC_PKCS7_AUTHENV_6";
+        case WC_PKCS7_AUTHENV_ATRB: return "WC_PKCS7_AUTHENV_ATRB";
+        case WC_PKCS7_AUTHENV_ATRBEND: return "WC_PKCS7_AUTHENV_ATRBEND";
+        case WC_PKCS7_AUTHENV_7: return "WC_PKCS7_AUTHENV_7";
+
+        /* decryption state types */
+        case WC_PKCS7_DECRYPT_KTRI:   return "WC_PKCS7_DECRYPT_KTRI";
+        case WC_PKCS7_DECRYPT_KTRI_2: return "WC_PKCS7_DECRYPT_KTRI_2";
+        case WC_PKCS7_DECRYPT_KTRI_3: return "WC_PKCS7_DECRYPT_KTRI_3";
+
+        case WC_PKCS7_DECRYPT_KARI:  return "WC_PKCS7_DECRYPT_KARI";
+        case WC_PKCS7_DECRYPT_KEKRI: return "WC_PKCS7_DECRYPT_KEKRI";
+        case WC_PKCS7_DECRYPT_PWRI:  return "WC_PKCS7_DECRYPT_PWRI";
+        case WC_PKCS7_DECRYPT_ORI:   return "WC_PKCS7_DECRYPT_ORI";
+        case WC_PKCS7_DECRYPT_DONE:  return "WC_PKCS7_DECRYPT_DONE";
+
+        case WC_PKCS7_VERIFY_STAGE2: return "WC_PKCS7_VERIFY_STAGE2";
+        case WC_PKCS7_VERIFY_STAGE3: return "WC_PKCS7_VERIFY_STAGE3";
+        case WC_PKCS7_VERIFY_STAGE4: return "WC_PKCS7_VERIFY_STAGE4";
+        case WC_PKCS7_VERIFY_STAGE5: return "WC_PKCS7_VERIFY_STAGE5";
+        case WC_PKCS7_VERIFY_STAGE6: return "WC_PKCS7_VERIFY_STAGE6";
+
+        default:
+            return "Unknown state";
+    }
+}
+#endif
+
+/* Used to change the PKCS7 state. Having state change as a function allows
+ * for easier debugging */
+static void wc_PKCS7_ChangeState(PKCS7* pkcs7, int newState)
+{
+#ifdef WC_PKCS7_STREAM_DEBUG
+    printf("\tChanging from state [%02d] %s to [%02d] %s\n",
+            pkcs7->state, wc_PKCS7_GetStateName(pkcs7->state),
+            newState, wc_PKCS7_GetStateName(newState));
+#endif
+    pkcs7->state = newState;
+}
+
+#define MAX_PKCS7_DIGEST_SZ (MAX_SEQ_SZ + MAX_ALGO_SZ + \
+                             MAX_OCTET_STR_SZ + WC_MAX_DIGEST_SIZE)
 
 
 /* placed ASN.1 contentType OID into *output, return idx on success,
  * 0 upon failure */
-WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output)
+static int wc_SetContentType(int pkcs7TypeOID, byte* output, word32 outputSz)
 {
     /* PKCS#7 content types, RFC 2315, section 14 */
-    static const byte pkcs7[]              = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte pkcs7[]              = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07 };
-    static const byte data[]               = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte data[]               = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x01 };
-    static const byte signedData[]         = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte signedData[]         = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x02};
-    static const byte envelopedData[]      = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte envelopedData[]      = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x03 };
-    static const byte signedAndEnveloped[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte authEnvelopedData[]  = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+                                        0x0D, 0x01, 0x09, 0x10, 0x01, 0x17};
+    const byte signedAndEnveloped[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x04 };
-    static const byte digestedData[]       = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    const byte digestedData[]       = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x05 };
-    static const byte encryptedData[]      = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+    const byte encryptedData[]      = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
                                                0x0D, 0x01, 0x07, 0x06 };
+#endif
+    /* FirmwarePkgData (1.2.840.113549.1.9.16.1.16), RFC 4108 */
+    const byte firmwarePkgData[]    = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                        0x01, 0x09, 0x10, 0x01, 0x10 };
+#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+    /* id-ct-compressedData (1.2.840.113549.1.9.16.1.9), RFC 3274 */
+    const byte compressedData[]     = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                        0x01, 0x09, 0x10, 0x01, 0x09 };
+#endif
 
-    int idSz;
-    int typeSz = 0, idx = 0;
+#if !defined(NO_PWDBASED) && !defined(NO_SHA)
+    const byte pwriKek[]            = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                        0x01, 0x09, 0x10, 0x03, 0x09 };
+    const byte pbkdf2[]             = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                        0x01, 0x05, 0x0C };
+#endif
+
+    int idSz, idx = 0;
+    word32 typeSz = 0;
     const byte* typeName = 0;
     byte ID_Length[MAX_LENGTH_SZ];
 
@@ -87,12 +555,17 @@ WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output)
             typeSz = sizeof(signedData);
             typeName = signedData;
             break;
-        
+
         case ENVELOPED_DATA:
             typeSz = sizeof(envelopedData);
             typeName = envelopedData;
             break;
 
+        case AUTH_ENVELOPED_DATA:
+            typeSz = sizeof(authEnvelopedData);
+            typeName = authEnvelopedData;
+            break;
+
         case SIGNED_AND_ENVELOPED_DATA:
             typeSz = sizeof(signedAndEnveloped);
             typeName = signedAndEnveloped;
@@ -103,16 +576,45 @@ WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output)
             typeName = digestedData;
             break;
 
+#ifndef NO_PKCS7_ENCRYPTED_DATA
         case ENCRYPTED_DATA:
             typeSz = sizeof(encryptedData);
             typeName = encryptedData;
             break;
+#endif
+#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        case COMPRESSED_DATA:
+            typeSz = sizeof(compressedData);
+            typeName = compressedData;
+            break;
+#endif
+        case FIRMWARE_PKG_DATA:
+            typeSz = sizeof(firmwarePkgData);
+            typeName = firmwarePkgData;
+            break;
+
+#if !defined(NO_PWDBASED) && !defined(NO_SHA)
+        case PWRI_KEK_WRAP:
+            typeSz = sizeof(pwriKek);
+            typeName = pwriKek;
+            break;
+
+        case PBKDF2_OID:
+            typeSz = sizeof(pbkdf2);
+            typeName = pbkdf2;
+            break;
+#endif
 
         default:
             WOLFSSL_MSG("Unknown PKCS#7 Type");
             return 0;
     };
 
+    if (outputSz < (MAX_LENGTH_SZ + 1 + typeSz)) {
+        WOLFSSL_MSG("CMS content type buffer too small");
+        return BAD_FUNC_ARG;
+    }
+
     idSz  = SetLength(typeSz, ID_Length);
     output[idx++] = ASN_OBJECT_ID;
     XMEMCPY(output + idx, ID_Length, idSz);
@@ -121,82 +623,384 @@ WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output)
     idx += typeSz;
 
     return idx;
-
 }
 
 
 /* get ASN.1 contentType OID sum, return 0 on success, <0 on failure */
-int wc_GetContentType(const byte* input, word32* inOutIdx, word32* oid,
-                   word32 maxIdx)
+static int wc_GetContentType(const byte* input, word32* inOutIdx, word32* oid,
+                             word32 maxIdx)
 {
-    int length;
-    word32 i = *inOutIdx;
-    byte b;
-    *oid = 0;
-
     WOLFSSL_ENTER("wc_GetContentType");
+    if (GetObjectId(input, inOutIdx, oid, oidIgnoreType, maxIdx) < 0)
+        return ASN_PARSE_E;
 
-    b = input[i++];
-    if (b != ASN_OBJECT_ID)
-        return ASN_OBJECT_ID_E;
+    return 0;
+}
 
-    if (GetLength(input, &i, &length, maxIdx) < 0)
-        return ASN_PARSE_E;
 
-    while(length--) {
-        *oid += input[i];
-        i++;
+/* return block size for algorithm represented by oid, or <0 on error */
+static int wc_PKCS7_GetOIDBlockSize(int oid)
+{
+    int blockSz;
+
+    switch (oid) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128CBCb:
+        case AES128GCMb:
+        case AES128CCMb:
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CBCb:
+        case AES192GCMb:
+        case AES192CCMb:
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CBCb:
+        case AES256GCMb:
+        case AES256CCMb:
+    #endif
+            blockSz = AES_BLOCK_SIZE;
+            break;
+#endif
+#ifndef NO_DES3
+        case DESb:
+        case DES3b:
+            blockSz = DES_BLOCK_SIZE;
+            break;
+#endif
+        default:
+            WOLFSSL_MSG("Unsupported content cipher type");
+            return ALGO_ID_E;
+    };
+
+    return blockSz;
+}
+
+
+/* get key size for algorithm represented by oid, or <0 on error */
+static int wc_PKCS7_GetOIDKeySize(int oid)
+{
+    int blockKeySz;
+
+    switch (oid) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128CBCb:
+        case AES128GCMb:
+        case AES128CCMb:
+        case AES128_WRAP:
+            blockKeySz = 16;
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CBCb:
+        case AES192GCMb:
+        case AES192CCMb:
+        case AES192_WRAP:
+            blockKeySz = 24;
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CBCb:
+        case AES256GCMb:
+        case AES256CCMb:
+        case AES256_WRAP:
+            blockKeySz = 32;
+            break;
+    #endif
+#endif
+#ifndef NO_DES3
+        case DESb:
+            blockKeySz = DES_KEYLEN;
+            break;
+
+        case DES3b:
+            blockKeySz = DES3_KEYLEN;
+            break;
+#endif
+        default:
+            WOLFSSL_MSG("Unsupported content cipher type");
+            return ALGO_ID_E;
+    };
+
+    return blockKeySz;
+}
+
+
+PKCS7* wc_PKCS7_New(void* heap, int devId)
+{
+    PKCS7* pkcs7 = (PKCS7*)XMALLOC(sizeof(PKCS7), heap, DYNAMIC_TYPE_PKCS7);
+    if (pkcs7) {
+        XMEMSET(pkcs7, 0, sizeof(PKCS7));
+        if (wc_PKCS7_Init(pkcs7, heap, devId) == 0) {
+            pkcs7->isDynamic = 1;
+        }
+        else {
+            XFREE(pkcs7, heap, DYNAMIC_TYPE_PKCS7);
+            pkcs7 = NULL;
+        }
     }
+    return pkcs7;
+}
+
+/* This is to initialize a PKCS7 structure. It sets all values to 0 and can be
+ * used to set the heap hint.
+ *
+ * pkcs7 PKCS7 structure to initialize
+ * heap  memory heap hint for PKCS7 structure to use
+ * devId currently not used but a place holder for async operations
+ *
+ * returns 0 on success or a negative value for failure
+ */
+int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId)
+{
+    word16 isDynamic;
+
+    WOLFSSL_ENTER("wc_PKCS7_Init");
+
+    if (pkcs7 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    isDynamic = pkcs7->isDynamic;
+    XMEMSET(pkcs7, 0, sizeof(PKCS7));
+    pkcs7->isDynamic = isDynamic;
+#ifdef WOLFSSL_HEAP_TEST
+    pkcs7->heap = (void*)WOLFSSL_HEAP_TEST;
+#else
+    pkcs7->heap = heap;
+#endif
+    pkcs7->devId = devId;
+
+    return 0;
+}
+
+
+/* Certificate structure holding der pointer, size, and pointer to next
+ * Pkcs7Cert struct. Used when creating SignedData types with multiple
+ * certificates. */
+struct Pkcs7Cert {
+    byte*  der;
+    word32 derSz;
+    Pkcs7Cert* next;
+};
+
+
+/* Linked list of ASN.1 encoded RecipientInfos */
+struct Pkcs7EncodedRecip {
+    byte recip[MAX_RECIP_SZ];
+    word32 recipSz;
+    int recipType;
+    int recipVersion;
+    Pkcs7EncodedRecip* next;
+};
+
+
+/* free all members of Pkcs7Cert linked list */
+static void wc_PKCS7_FreeCertSet(PKCS7* pkcs7)
+{
+    Pkcs7Cert* curr = NULL;
+    Pkcs7Cert* next = NULL;
+
+    if (pkcs7 == NULL)
+        return;
+
+    curr = pkcs7->certList;
+    pkcs7->certList = NULL;
+
+    while (curr != NULL) {
+        next = curr->next;
+        curr->next = NULL;
+        XFREE(curr, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        curr = next;
+    }
+
+    return;
+}
 
-    *inOutIdx = i;
+
+/* Get total size of all recipients in recipient list.
+ *
+ * Returns total size of recipients, or negative upon error */
+static int wc_PKCS7_GetRecipientListSize(PKCS7* pkcs7)
+{
+    int totalSz = 0;
+    Pkcs7EncodedRecip* tmp = NULL;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    tmp = pkcs7->recipList;
+
+    while (tmp != NULL) {
+        totalSz += tmp->recipSz;
+        tmp = tmp->next;
+    }
+
+    return totalSz;
+}
+
+
+/* free all members of Pkcs7EncodedRecip linked list */
+static void wc_PKCS7_FreeEncodedRecipientSet(PKCS7* pkcs7)
+{
+    Pkcs7EncodedRecip* curr = NULL;
+    Pkcs7EncodedRecip* next = NULL;
+
+    if (pkcs7 == NULL)
+        return;
+
+    curr = pkcs7->recipList;
+    pkcs7->recipList = NULL;
+
+    while (curr != NULL) {
+        next = curr->next;
+        curr->next = NULL;
+        XFREE(curr, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        curr = next;
+    }
+
+    return;
+}
+
+
+/* search through RecipientInfo list for specific type.
+ * return 1 if ANY recipient of type specified is present, otherwise
+ * return 0 */
+static int wc_PKCS7_RecipientListIncludesType(PKCS7* pkcs7, int type)
+{
+    Pkcs7EncodedRecip* tmp = NULL;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    tmp = pkcs7->recipList;
+
+    while (tmp != NULL) {
+        if (tmp->recipType == type)
+            return 1;
+
+        tmp = tmp->next;
+    }
 
     return 0;
 }
 
 
-/* init PKCS7 struct with recipient cert, decode into DecodedCert */
-int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
+/* searches through RecipientInfo list, returns 1 if all structure
+ * versions are set to 0, otherwise returns 0 */
+static int wc_PKCS7_RecipientListVersionsAllZero(PKCS7* pkcs7)
+{
+    Pkcs7EncodedRecip* tmp = NULL;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    tmp = pkcs7->recipList;
+
+    while (tmp != NULL) {
+        if (tmp->recipVersion != 0)
+            return 0;
+
+        tmp = tmp->next;
+    }
+
+    return 1;
+}
+
+
+/* Init PKCS7 struct with recipient cert, decode into DecodedCert
+ * NOTE: keeps previously set pkcs7 heap hint, devId and isDynamic */
+int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* derCert, word32 derCertSz)
 {
     int ret = 0;
+    void* heap;
+    int devId;
+    Pkcs7Cert* cert;
+    Pkcs7Cert* lastCert;
 
-    XMEMSET(pkcs7, 0, sizeof(PKCS7));
-    if (cert != NULL && certSz > 0) {
+    if (pkcs7 == NULL || (derCert == NULL && derCertSz != 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+    heap = pkcs7->heap;
+    devId = pkcs7->devId;
+    cert = pkcs7->certList;
+    ret = wc_PKCS7_Init(pkcs7, heap, devId);
+    if (ret != 0)
+        return ret;
+    pkcs7->certList = cert;
+
+    if (derCert != NULL && derCertSz > 0) {
 #ifdef WOLFSSL_SMALL_STACK
         DecodedCert* dCert;
 
-        dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
+                                                       DYNAMIC_TYPE_DCERT);
         if (dCert == NULL)
             return MEMORY_E;
 #else
-        DecodedCert stack_dCert;
-        DecodedCert* dCert = &stack_dCert;
+        DecodedCert dCert[1];
 #endif
 
-        pkcs7->singleCert = cert;
-        pkcs7->singleCertSz = certSz;
-        InitDecodedCert(dCert, cert, certSz, 0);
+        pkcs7->singleCert = derCert;
+        pkcs7->singleCertSz = derCertSz;
+        pkcs7->cert[0] = derCert;
+        pkcs7->certSz[0] = derCertSz;
+
+        /* create new Pkcs7Cert for recipient, freed during cleanup */
+        cert = (Pkcs7Cert*)XMALLOC(sizeof(Pkcs7Cert), pkcs7->heap,
+                                   DYNAMIC_TYPE_PKCS7);
+        XMEMSET(cert, 0, sizeof(Pkcs7Cert));
+        cert->der = derCert;
+        cert->derSz = derCertSz;
+        cert->next = NULL;
+
+        /* free existing cert list if existing */
+        wc_PKCS7_FreeCertSet(pkcs7);
+
+        /* add cert to list */
+        if (pkcs7->certList == NULL) {
+            pkcs7->certList = cert;
+        } else {
+           lastCert = pkcs7->certList;
+           while (lastCert->next != NULL) {
+               lastCert = lastCert->next;
+           }
+           lastCert->next = cert;
+        }
 
+        InitDecodedCert(dCert, derCert, derCertSz, pkcs7->heap);
         ret = ParseCert(dCert, CA_TYPE, NO_VERIFY, 0);
         if (ret < 0) {
             FreeDecodedCert(dCert);
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
 #endif
             return ret;
         }
 
         XMEMCPY(pkcs7->publicKey, dCert->publicKey, dCert->pubKeySize);
         pkcs7->publicKeySz = dCert->pubKeySize;
+        pkcs7->publicKeyOID = dCert->keyOID;
         XMEMCPY(pkcs7->issuerHash, dCert->issuerHash, KEYID_SIZE);
         pkcs7->issuer = dCert->issuerRaw;
         pkcs7->issuerSz = dCert->issuerRawLen;
         XMEMCPY(pkcs7->issuerSn, dCert->serial, dCert->serialSz);
         pkcs7->issuerSnSz = dCert->serialSz;
+        XMEMCPY(pkcs7->issuerSubjKeyId, dCert->extSubjKeyId, KEYID_SIZE);
+
+        /* default to IssuerAndSerialNumber for SignerIdentifier */
+        pkcs7->sidType = CMS_ISSUER_AND_SERIAL_NUMBER;
+
+        /* free existing recipient list if existing */
+        wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
+
         FreeDecodedCert(dCert);
 
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
 #endif
     }
 
@@ -204,10 +1008,265 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
 }
 
 
+/* Adds one DER-formatted certificate to the internal PKCS7/CMS certificate
+ * list, to be added as part of the certificates CertificateSet. Currently
+ * used in SignedData content type.
+ *
+ * Must be called after wc_PKCS7_Init() or wc_PKCS7_InitWithCert().
+ *
+ * Does not represent the recipient/signer certificate, only certificates that
+ * are part of the certificate chain used to build and verify signer
+ * certificates.
+ *
+ * This API does not currently validate certificates.
+ *
+ * Returns 0 on success, negative upon error */
+int wc_PKCS7_AddCertificate(PKCS7* pkcs7, byte* derCert, word32 derCertSz)
+{
+    Pkcs7Cert* cert;
+
+    if (pkcs7 == NULL || derCert == NULL || derCertSz == 0)
+        return BAD_FUNC_ARG;
+
+    cert = (Pkcs7Cert*)XMALLOC(sizeof(Pkcs7Cert), pkcs7->heap,
+                               DYNAMIC_TYPE_PKCS7);
+    if (cert == NULL)
+        return MEMORY_E;
+
+    cert->der = derCert;
+    cert->derSz = derCertSz;
+
+    if (pkcs7->certList == NULL) {
+        pkcs7->certList = cert;
+    } else {
+        cert->next = pkcs7->certList;
+        pkcs7->certList = cert;
+    }
+
+    return 0;
+}
+
+
+/* free linked list of PKCS7DecodedAttrib structs */
+static void wc_PKCS7_FreeDecodedAttrib(PKCS7DecodedAttrib* attrib, void* heap)
+{
+    PKCS7DecodedAttrib* current;
+
+    if (attrib == NULL) {
+        return;
+    }
+
+    current = attrib;
+    while (current != NULL) {
+        PKCS7DecodedAttrib* next = current->next;
+        if (current->oid != NULL)  {
+            XFREE(current->oid, heap, DYNAMIC_TYPE_PKCS7);
+        }
+        if (current->value != NULL) {
+            XFREE(current->value, heap, DYNAMIC_TYPE_PKCS7);
+        }
+        XFREE(current, heap, DYNAMIC_TYPE_PKCS7);
+        current = next;
+    }
+
+    (void)heap;
+}
+
+
+/* return 0 on success */
+static int wc_PKCS7_SignerInfoNew(PKCS7* pkcs7)
+{
+    if (pkcs7->signerInfo != NULL) {
+        XFREE(pkcs7->signerInfo, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->signerInfo = NULL;
+    }
+
+    pkcs7->signerInfo = (PKCS7SignerInfo*)XMALLOC(sizeof(PKCS7SignerInfo),
+            pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (pkcs7->signerInfo == NULL) {
+        WOLFSSL_MSG("Unable to malloc memory for signer info");
+        return MEMORY_E;
+    }
+    XMEMSET(pkcs7->signerInfo, 0, sizeof(PKCS7SignerInfo));
+    return 0;
+}
+
+
+static void wc_PKCS7_SignerInfoFree(PKCS7* pkcs7)
+{
+    if (pkcs7->signerInfo != NULL) {
+        if (pkcs7->signerInfo->sid != NULL) {
+            XFREE(pkcs7->signerInfo->sid, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            pkcs7->signerInfo->sid = NULL;
+        }
+        XFREE(pkcs7->signerInfo, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->signerInfo = NULL;
+    }
+}
+
+
+/* free's any current SID and sets it to "in"
+ * returns 0 on success
+ */
+static int wc_PKCS7_SignerInfoSetSID(PKCS7* pkcs7, byte* in, int inSz)
+{
+    if (pkcs7 == NULL || in == NULL || inSz < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (pkcs7->signerInfo->sid != NULL) {
+        XFREE(pkcs7->signerInfo->sid, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->signerInfo->sid = NULL;
+    }
+    pkcs7->signerInfo->sid = (byte*)XMALLOC(inSz, pkcs7->heap,
+            DYNAMIC_TYPE_PKCS7);
+    if (pkcs7->signerInfo->sid == NULL) {
+        return MEMORY_E;
+    }
+    XMEMCPY(pkcs7->signerInfo->sid, in, inSz);
+    pkcs7->signerInfo->sidSz = inSz;
+    return 0;
+}
+
+
 /* releases any memory allocated by a PKCS7 initializer */
 void wc_PKCS7_Free(PKCS7* pkcs7)
 {
-    (void)pkcs7;
+    if (pkcs7 == NULL)
+        return;
+
+#ifndef NO_PKCS7_STREAM
+    wc_PKCS7_FreeStream(pkcs7);
+#endif
+
+    wc_PKCS7_SignerInfoFree(pkcs7);
+    wc_PKCS7_FreeDecodedAttrib(pkcs7->decodedAttrib, pkcs7->heap);
+    wc_PKCS7_FreeCertSet(pkcs7);
+
+#ifdef ASN_BER_TO_DER
+    if (pkcs7->der != NULL)
+        XFREE(pkcs7->der, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+#endif
+    if (pkcs7->contentDynamic != NULL)
+        XFREE(pkcs7->contentDynamic, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    if (pkcs7->cek != NULL) {
+        ForceZero(pkcs7->cek, pkcs7->cekSz);
+        XFREE(pkcs7->cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
+
+    pkcs7->contentTypeSz = 0;
+
+    if (pkcs7->signature) {
+        XFREE(pkcs7->signature, pkcs7->heap, DYNAMIC_TYPE_SIGNATURE);
+        pkcs7->signature = NULL;
+        pkcs7->signatureSz = 0;
+    }
+    if (pkcs7->plainDigest) {
+        XFREE(pkcs7->plainDigest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+        pkcs7->plainDigest = NULL;
+        pkcs7->plainDigestSz = 0;
+    }
+    if (pkcs7->pkcs7Digest) {
+        XFREE(pkcs7->pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+        pkcs7->pkcs7Digest = NULL;
+        pkcs7->pkcs7DigestSz = 0;
+    }
+    if (pkcs7->cachedEncryptedContent != NULL) {
+        XFREE(pkcs7->cachedEncryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->cachedEncryptedContent = NULL;
+        pkcs7->cachedEncryptedContentSz = 0;
+    }
+
+    if (pkcs7->isDynamic) {
+        pkcs7->isDynamic = 0;
+        XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
+}
+
+
+/* helper function for parsing through attributes and finding a specific one.
+ * returns PKCS7DecodedAttrib pointer on success */
+static PKCS7DecodedAttrib* findAttrib(PKCS7* pkcs7, const byte* oid, word32 oidSz)
+{
+    PKCS7DecodedAttrib* list;
+
+    if (pkcs7 == NULL || oid == NULL) {
+        return NULL;
+    }
+
+    /* search attributes for pkiStatus */
+    list = pkcs7->decodedAttrib;
+    while (list != NULL) {
+        word32 sz  = oidSz;
+        word32 idx = 0;
+        int    length = 0;
+        byte   tag;
+
+        if (GetASNTag(list->oid, &idx, &tag, list->oidSz) < 0) {
+            return NULL;
+        }
+        if (tag != ASN_OBJECT_ID) {
+            WOLFSSL_MSG("Bad attribute ASN1 syntax");
+            return NULL;
+        }
+
+        if (GetLength(list->oid, &idx, &length, list->oidSz) < 0) {
+            WOLFSSL_MSG("Bad attribute length");
+            return NULL;
+        }
+
+        sz = (sz < (word32)length)? sz : (word32)length;
+        if (XMEMCMP(oid, list->oid + idx, sz) == 0) {
+            return list;
+        }
+        list = list->next;
+    }
+    return NULL;
+}
+
+
+/* Searches through decoded attributes and returns the value for the first one
+ * matching the oid passed in. Note that this value includes the leading ASN1
+ * syntax. So for a printable string of "3" this would be something like
+ *
+ * 0x13, 0x01, 0x33
+ *  ID   SIZE  "3"
+ *
+ * pkcs7  structure to get value from
+ * oid    OID value to search for with attributes
+ * oidSz  size of oid buffer
+ * out    buffer to hold result
+ * outSz  size of out buffer (if out is NULL this is set to needed size and
+          LENGTH_ONLY_E is returned)
+ *
+ * returns size of value on success
+ */
+int wc_PKCS7_GetAttributeValue(PKCS7* pkcs7, const byte* oid, word32 oidSz,
+        byte* out, word32* outSz)
+{
+    PKCS7DecodedAttrib* attrib;
+
+    if (pkcs7 == NULL || oid == NULL || outSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    attrib = findAttrib(pkcs7, oid, oidSz);
+    if (attrib == NULL) {
+        return ASN_PARSE_E;
+    }
+
+    if (out == NULL) {
+        *outSz = attrib->valueSz;
+        return LENGTH_ONLY_E;
+    }
+
+    if (*outSz < attrib->valueSz) {
+        return BUFFER_E;
+    }
+
+    XMEMCPY(out, attrib->value, attrib->valueSz);
+    return attrib->valueSz;
 }
 
 
@@ -224,6 +1283,10 @@ int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output, word32 outputSz)
     word32 oidSz = (word32)sizeof(oid);
     int idx = 0;
 
+    if (pkcs7 == NULL || output == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     octetStrSz = SetOctetString(pkcs7->contentSz, octetStr);
     seqSz = SetSequence(pkcs7->contentSz + octetStrSz + oidSz, seq);
 
@@ -253,10 +1316,11 @@ typedef struct EncodedAttrib {
 
 
 typedef struct ESD {
-    Sha sha;
-    byte contentDigest[SHA_DIGEST_SIZE + 2]; /* content only + ASN.1 heading */
-    byte contentAttribsDigest[SHA_DIGEST_SIZE];
-    byte encContentDigest[512];
+    wc_HashAlg  hash;
+    enum wc_HashType hashType;
+    byte contentDigest[WC_MAX_DIGEST_SIZE + 2]; /* content only + ASN.1 heading */
+    byte contentAttribsDigest[WC_MAX_DIGEST_SIZE];
+    byte encContentDigest[MAX_ENCRYPTED_KEY_SZ];
 
     byte outerSeq[MAX_SEQ_SZ];
         byte outerContent[MAX_EXP_SZ];
@@ -274,20 +1338,24 @@ typedef struct ESD {
                 byte signerInfoSet[MAX_SET_SZ];
                     byte signerInfoSeq[MAX_SEQ_SZ];
                         byte signerVersion[MAX_VERSION_SZ];
+                        /* issuerAndSerialNumber ...*/
                         byte issuerSnSeq[MAX_SEQ_SZ];
                             byte issuerName[MAX_SEQ_SZ];
                             byte issuerSn[MAX_SN_SZ];
+                        /* OR subjectKeyIdentifier */
+                        byte issuerSKIDSeq[MAX_SEQ_SZ];
+                            byte issuerSKID[MAX_OCTET_STR_SZ];
                         byte signerDigAlgoId[MAX_ALGO_SZ];
                         byte digEncAlgoId[MAX_ALGO_SZ];
                         byte signedAttribSet[MAX_SET_SZ];
-                            EncodedAttrib signedAttribs[6];
+                            EncodedAttrib signedAttribs[7];
                         byte signerDigest[MAX_OCTET_STR_SZ];
     word32 innerOctetsSz, innerContSeqSz, contentInfoSeqSz;
     word32 outerSeqSz, outerContentSz, innerSeqSz, versionSz, digAlgoIdSetSz,
            singleDigAlgoIdSz, certsSetSz;
     word32 signerInfoSetSz, signerInfoSeqSz, signerVersionSz,
-           issuerSnSeqSz, issuerNameSz, issuerSnSz,
-           signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz;
+           issuerSnSeqSz, issuerNameSz, issuerSnSz, issuerSKIDSz,
+           issuerSKIDSeqSz, signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz;
     word32 encContentDigestSz, signedAttribsSz, signedAttribsCount,
            signedAttribSetSz;
 } ESD;
@@ -322,12 +1390,112 @@ static int EncodeAttributes(EncodedAttrib* ea, int eaSz,
 }
 
 
-static int FlattenAttributes(byte* output, EncodedAttrib* ea, int eaSz)
+typedef struct FlatAttrib {
+    byte* data;
+    word32 dataSz;
+} FlatAttrib;
+
+/* Returns a pointer to FlatAttrib whose members are initialized to 0.
+*  Caller is expected to free.
+*/
+static FlatAttrib* NewAttrib(void* heap)
 {
-    int i, idx;
+    FlatAttrib* fb = (FlatAttrib*) XMALLOC(sizeof(FlatAttrib), heap,
+                                                   DYNAMIC_TYPE_TMP_BUFFER);
+    if (fb != NULL) {
+        ForceZero(fb, sizeof(FlatAttrib));
+    }
+    (void)heap;
+    return fb;
+}
+
+/* Free FlatAttrib array and memory allocated to internal struct members */
+static void FreeAttribArray(PKCS7* pkcs7, FlatAttrib** arr, int rows)
+{
+    int i;
+
+    if (arr) {
+        for (i = 0; i < rows; i++) {
+            if (arr[i]) {
+                if (arr[i]->data) {
+                    ForceZero(arr[i]->data, arr[i]->dataSz);
+                    XFREE(arr[i]->data, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                }
+                ForceZero(arr[i], sizeof(FlatAttrib));
+                XFREE(arr[i], pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            }
+        }
+        ForceZero(arr, rows);
+        XFREE(arr, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    (void)pkcs7;
+}
+
+
+/* Sort FlatAttrib array in ascending order */
+static int SortAttribArray(FlatAttrib** arr, int rows)
+{
+    int i, j;
+    word32 minSz, minIdx;
+    FlatAttrib* a   = NULL;
+    FlatAttrib* b   = NULL;
+    FlatAttrib* tmp = NULL;
+
+    if (arr == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    for (i = 0; i < rows; i++) {
+        a = arr[i];
+        minSz = a->dataSz;
+        minIdx = i;
+        for (j = i+1; j < rows; j++) {
+            b = arr[j];
+            if (b->dataSz < minSz) {
+                minSz = b->dataSz;
+                minIdx = j;
+            }
+        }
+        if (minSz < a->dataSz) {
+            /* swap array positions */
+            tmp = arr[i];
+            arr[i] = arr[minIdx];
+            arr[minIdx] = tmp;
+        }
+    }
+
+    return 0;
+}
+
+
+/* Build up array of FlatAttrib structs from EncodedAttrib ones. FlatAttrib
+ * holds flattened DER encoding of each attribute */
+static int FlattenEncodedAttribs(PKCS7* pkcs7, FlatAttrib** derArr, int rows,
+                                 EncodedAttrib* ea, int eaSz)
+{
+    int i, idx, sz;
+    byte* output   = NULL;
+    FlatAttrib* fa = NULL;
+
+    if (pkcs7 == NULL || derArr == NULL || ea == NULL) {
+        WOLFSSL_MSG("Invalid arguments to FlattenEncodedAttribs");
+        return BAD_FUNC_ARG;
+    }
+
+    if (rows != eaSz) {
+        WOLFSSL_MSG("DER array not large enough to hold attribute count");
+        return BAD_FUNC_ARG;
+    }
 
-    idx = 0;
     for (i = 0; i < eaSz; i++) {
+        sz = ea[i].valueSeqSz + ea[i].oidSz + ea[i].valueSetSz + ea[i].valueSz;
+
+        output = (byte*)XMALLOC(sz, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (output == NULL) {
+            return MEMORY_E;
+        }
+
+        idx = 0;
         XMEMCPY(output + idx, ea[i].valueSeq, ea[i].valueSeqSz);
         idx += ea[i].valueSeqSz;
         XMEMCPY(output + idx, ea[i].oid, ea[i].oidSz);
@@ -335,293 +1503,893 @@ static int FlattenAttributes(byte* output, EncodedAttrib* ea, int eaSz)
         XMEMCPY(output + idx, ea[i].valueSet, ea[i].valueSetSz);
         idx += ea[i].valueSetSz;
         XMEMCPY(output + idx, ea[i].value, ea[i].valueSz);
-        idx += ea[i].valueSz;
+
+        fa = derArr[i];
+        fa->data = output;
+        fa->dataSz = sz;
     }
+
     return 0;
 }
 
 
-/* build PKCS#7 signedData content type */
-int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
+/* Sort and Flatten EncodedAttrib attributes into output buffer */
+static int FlattenAttributes(PKCS7* pkcs7, byte* output, EncodedAttrib* ea,
+                             int eaSz)
 {
-    static const byte outerOid[] =
-        { ASN_OBJECT_ID, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-                         0x07, 0x02 };
-    static const byte innerOid[] =
-        { ASN_OBJECT_ID, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
-                         0x07, 0x01 };
+    int i, idx, ret;
+    FlatAttrib** derArr = NULL;
+    FlatAttrib*  fa     = NULL;
+
+    if (pkcs7 == NULL || output == NULL || ea == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
+    /* create array of FlatAttrib struct pointers to hold DER attribs */
+    derArr = (FlatAttrib**) XMALLOC(eaSz * sizeof(FlatAttrib*), pkcs7->heap,
+                                    DYNAMIC_TYPE_TMP_BUFFER);
+    if (derArr == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(derArr, 0, eaSz * sizeof(FlatAttrib*));
+
+    for (i = 0; i < eaSz; i++) {
+        derArr[i] = NewAttrib(pkcs7->heap);
+        if (derArr[i] == NULL) {
+            FreeAttribArray(pkcs7, derArr, eaSz);
+            return MEMORY_E;
+        }
+        ForceZero(derArr[i], sizeof(FlatAttrib));
+    }
+
+    /* flatten EncodedAttrib into DER byte arrays */
+    ret = FlattenEncodedAttribs(pkcs7, derArr, eaSz, ea, eaSz);
+    if (ret != 0) {
+        FreeAttribArray(pkcs7, derArr, eaSz);
+        return ret;
+    }
+
+    /* SET OF DER signed attributes must be sorted in ascending order */
+    ret = SortAttribArray(derArr, eaSz);
+    if (ret != 0) {
+        FreeAttribArray(pkcs7, derArr, eaSz);
+        return ret;
+    }
+
+    /* copy sorted DER attribute arrays into output buffer */
+    idx = 0;
+    for (i = 0; i < eaSz; i++) {
+        fa = derArr[i];
+        XMEMCPY(output + idx, fa->data, fa->dataSz);
+        idx += fa->dataSz;
+    }
+
+    FreeAttribArray(pkcs7, derArr, eaSz);
+
+    return 0;
+}
+
+
+#ifndef NO_RSA
+
+/* returns size of signature put into out, negative on error */
+static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
+{
+    int ret;
+    word32 idx;
 #ifdef WOLFSSL_SMALL_STACK
-    ESD* esd = NULL;
+    RsaKey* privKey;
 #else
-    ESD stack_esd;
-    ESD* esd = &stack_esd;
+    RsaKey  privKey[1];
 #endif
 
-    word32 signerInfoSz = 0;
-    word32 totalSz = 0;
-    int idx = 0, ret = 0;
-    byte* flatSignedAttribs = NULL;
-    word32 flatSignedAttribsSz = 0;
-    word32 innerOidSz = sizeof(innerOid);
-    word32 outerOidSz = sizeof(outerOid);
+    if (pkcs7 == NULL || pkcs7->rng == NULL || in == NULL || esd == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0 ||
-        pkcs7->encryptOID == 0 || pkcs7->hashOID == 0 || pkcs7->rng == 0 ||
-        pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0 ||
-        pkcs7->privateKey == NULL || pkcs7->privateKeySz == 0 ||
-        output == NULL || outputSz == 0)
+#ifdef WOLFSSL_SMALL_STACK
+    privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (privKey == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_InitRsaKey_ex(privKey, pkcs7->heap, pkcs7->devId);
+    if (ret == 0) {
+        if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
+            idx = 0;
+            ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
+                                         pkcs7->privateKeySz);
+        }
+        else if (pkcs7->devId == INVALID_DEVID) {
+            ret = BAD_FUNC_ARG;
+        }
+    }
+    if (ret == 0) {
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        do {
+            ret = wc_AsyncWait(ret, &privKey->asyncDev,
+                WC_ASYNC_FLAG_CALL_AGAIN);
+            if (ret >= 0)
+    #endif
+            {
+                ret = wc_RsaSSL_Sign(in, inSz, esd->encContentDigest,
+                                     sizeof(esd->encContentDigest),
+                                     privKey, pkcs7->rng);
+            }
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        } while (ret == WC_PENDING_E);
+    #endif
+    }
+
+    wc_FreeRsaKey(privKey);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+#endif /* NO_RSA */
+
+
+#ifdef HAVE_ECC
+
+/* returns size of signature put into out, negative on error */
+static int wc_PKCS7_EcdsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd)
+{
+    int ret;
+    word32 outSz, idx;
+#ifdef WOLFSSL_SMALL_STACK
+    ecc_key* privKey;
+#else
+    ecc_key  privKey[1];
+#endif
+
+    if (pkcs7 == NULL || pkcs7->rng == NULL || in == NULL || esd == NULL) {
         return BAD_FUNC_ARG;
+    }
 
 #ifdef WOLFSSL_SMALL_STACK
-    esd = (ESD*)XMALLOC(sizeof(ESD), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (esd == NULL)
+    privKey = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (privKey == NULL)
         return MEMORY_E;
 #endif
 
-    XMEMSET(esd, 0, sizeof(ESD));
-    ret = wc_InitSha(&esd->sha);
-    if (ret != 0) {
+    ret = wc_ecc_init_ex(privKey, pkcs7->heap, pkcs7->devId);
+    if (ret == 0) {
+        if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
+            idx = 0;
+            ret = wc_EccPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
+                                         pkcs7->privateKeySz);
+        }
+        else if (pkcs7->devId == INVALID_DEVID) {
+            ret = BAD_FUNC_ARG;
+        }
+    }
+    if (ret == 0) {
+        outSz = sizeof(esd->encContentDigest);
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        do {
+            ret = wc_AsyncWait(ret, &privKey->asyncDev,
+                WC_ASYNC_FLAG_CALL_AGAIN);
+            if (ret >= 0)
+    #endif
+            {
+                ret = wc_ecc_sign_hash(in, inSz, esd->encContentDigest,
+                                       &outSz, pkcs7->rng, privKey);
+            }
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        } while (ret == WC_PENDING_E);
+    #endif
+        if (ret == 0)
+            ret = (int)outSz;
+    }
+
+    wc_ecc_free(privKey);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return ret;
+
+    return ret;
+}
+
+#endif /* HAVE_ECC */
+
+
+/* builds up SignedData signed attributes, including default ones.
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ * esd   - pointer to initialized ESD structure, used for output
+ *
+ * return 0 on success, negative on error */
+static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
+                    const byte* contentType, word32 contentTypeSz,
+                    const byte* contentTypeOid, word32 contentTypeOidSz,
+                    const byte* messageDigestOid, word32 messageDigestOidSz,
+                    const byte* signingTimeOid, word32 signingTimeOidSz,
+                    byte* signingTime, word32 signingTimeSz)
+{
+    int hashSz;
+#ifdef NO_ASN_TIME
+    PKCS7Attrib cannedAttribs[2];
+#else
+    time_t tm;
+    int timeSz;
+    PKCS7Attrib cannedAttribs[3];
+#endif
+    word32 idx = 0;
+    word32 cannedAttribsCount;
+
+    if (pkcs7 == NULL || esd == NULL || contentType == NULL ||
+        contentTypeOid == NULL || messageDigestOid == NULL ||
+        signingTimeOid == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-    if (pkcs7->contentSz != 0)
-    {
-        wc_ShaUpdate(&esd->sha, pkcs7->content, pkcs7->contentSz);
-        esd->contentDigest[0] = ASN_OCTET_STRING;
-        esd->contentDigest[1] = SHA_DIGEST_SIZE;
-        wc_ShaFinal(&esd->sha, &esd->contentDigest[2]);
-    }
-
-    esd->innerOctetsSz = SetOctetString(pkcs7->contentSz, esd->innerOctets);
-    esd->innerContSeqSz = SetExplicit(0, esd->innerOctetsSz + pkcs7->contentSz,
-                                esd->innerContSeq);
-    esd->contentInfoSeqSz = SetSequence(pkcs7->contentSz + esd->innerOctetsSz +
-                                    innerOidSz + esd->innerContSeqSz,
-                                    esd->contentInfoSeq);
-
-    esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
-                                     esd->issuerSn);
-    signerInfoSz += esd->issuerSnSz;
-    esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName);
-    signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz;
-    esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq);
-    signerInfoSz += esd->issuerSnSeqSz;
-    esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0);
-    signerInfoSz += esd->signerVersionSz;
-    esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId,
-                                      hashType, 0);
-    signerInfoSz += esd->signerDigAlgoIdSz;
-    esd->digEncAlgoIdSz = SetAlgoID(pkcs7->encryptOID, esd->digEncAlgoId,
-                                   keyType, 0);
-    signerInfoSz += esd->digEncAlgoIdSz;
-
-    if (pkcs7->signedAttribsSz != 0) {
-        byte contentTypeOid[] =
-                { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0d, 0x01,
-                                 0x09, 0x03 };
-        byte contentType[] =
-                { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
-                                 0x07, 0x01 };
-        byte messageDigestOid[] =
-                { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
-                                 0x09, 0x04 };
-
-        PKCS7Attrib cannedAttribs[2] =
-        {
-            { contentTypeOid, sizeof(contentTypeOid),
-                             contentType, sizeof(contentType) },
-            { messageDigestOid, sizeof(messageDigestOid),
-                             esd->contentDigest, sizeof(esd->contentDigest) }
-        };
-        word32 cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib);
+    if (pkcs7->skipDefaultSignedAttribs == 0) {
+        hashSz = wc_HashGetDigestSize(esd->hashType);
+        if (hashSz < 0)
+            return hashSz;
+
+    #ifndef NO_ASN_TIME
+        if (signingTime == NULL || signingTimeSz == 0)
+            return BAD_FUNC_ARG;
+
+        tm = XTIME(0);
+        timeSz = GetAsnTimeString(&tm, signingTime, signingTimeSz);
+        if (timeSz < 0)
+            return timeSz;
+    #endif
+
+        cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib);
+
+        cannedAttribs[idx].oid     = contentTypeOid;
+        cannedAttribs[idx].oidSz   = contentTypeOidSz;
+        cannedAttribs[idx].value   = contentType;
+        cannedAttribs[idx].valueSz = contentTypeSz;
+        idx++;
+    #ifndef NO_ASN_TIME
+        cannedAttribs[idx].oid     = signingTimeOid;
+        cannedAttribs[idx].oidSz   = signingTimeOidSz;
+        cannedAttribs[idx].value   = signingTime;
+        cannedAttribs[idx].valueSz = timeSz;
+        idx++;
+    #endif
+        cannedAttribs[idx].oid     = messageDigestOid;
+        cannedAttribs[idx].oidSz   = messageDigestOidSz;
+        cannedAttribs[idx].value   = esd->contentDigest;
+        cannedAttribs[idx].valueSz = hashSz + 2;  /* ASN.1 heading */
 
         esd->signedAttribsCount += cannedAttribsCount;
-        esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[0], 2,
+        esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[0], 3,
                                              cannedAttribs, cannedAttribsCount);
+    } else {
+        esd->signedAttribsCount = 0;
+        esd->signedAttribsSz = 0;
+    }
 
+    /* add custom signed attributes if set */
+    if (pkcs7->signedAttribsSz > 0 && pkcs7->signedAttribs != NULL) {
         esd->signedAttribsCount += pkcs7->signedAttribsSz;
+    #ifdef NO_ASN_TIME
         esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[2], 4,
                                   pkcs7->signedAttribs, pkcs7->signedAttribsSz);
+    #else
+        esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[3], 4,
+                                  pkcs7->signedAttribs, pkcs7->signedAttribsSz);
+    #endif
+    }
 
-        flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, 0, NULL);
-        flatSignedAttribsSz = esd->signedAttribsSz;
-        if (flatSignedAttribs == NULL) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif   
-            return MEMORY_E;
+#ifdef NO_ASN_TIME
+    (void)signingTimeOidSz;
+    (void)signingTime;
+    (void)signingTimeSz;
+#endif
+
+    return 0;
+}
+
+
+/* gets correct encryption algo ID for SignedData, either CTC_<hash>wRSA or
+ * CTC_<hash>wECDSA, from pkcs7->publicKeyOID and pkcs7->hashOID.
+ *
+ * pkcs7          - pointer to PKCS7 structure
+ * digEncAlgoId   - [OUT] output int to store correct algo ID in
+ * digEncAlgoType - [OUT] output for algo ID type
+ *
+ * return 0 on success, negative on error */
+static int wc_PKCS7_SignedDataGetEncAlgoId(PKCS7* pkcs7, int* digEncAlgoId,
+                                           int* digEncAlgoType)
+{
+    int algoId   = 0;
+    int algoType = 0;
+
+    if (pkcs7 == NULL || digEncAlgoId == NULL || digEncAlgoType == NULL)
+        return BAD_FUNC_ARG;
+
+    if (pkcs7->publicKeyOID == RSAk) {
+
+        algoType = oidSigType;
+
+        switch (pkcs7->hashOID) {
+        #ifndef NO_SHA
+            case SHAh:
+                algoId = CTC_SHAwRSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA224
+            case SHA224h:
+                algoId = CTC_SHA224wRSA;
+                break;
+        #endif
+        #ifndef NO_SHA256
+            case SHA256h:
+                algoId = CTC_SHA256wRSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA384
+            case SHA384h:
+                algoId = CTC_SHA384wRSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA512
+            case SHA512h:
+                algoId = CTC_SHA512wRSA;
+                break;
+        #endif
         }
-        FlattenAttributes(flatSignedAttribs,
-                                   esd->signedAttribs, esd->signedAttribsCount);
-        esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz,
-                                                          esd->signedAttribSet);
+
     }
-    /* Calculate the final hash and encrypt it. */
-    {
-        int result;
-        word32 scratch = 0;
+#ifdef HAVE_ECC
+    else if (pkcs7->publicKeyOID == ECDSAk) {
+
+        algoType = oidSigType;
+
+        switch (pkcs7->hashOID) {
+        #ifndef NO_SHA
+            case SHAh:
+                algoId = CTC_SHAwECDSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA224
+            case SHA224h:
+                algoId = CTC_SHA224wECDSA;
+                break;
+        #endif
+        #ifndef NO_SHA256
+            case SHA256h:
+                algoId = CTC_SHA256wECDSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA384
+            case SHA384h:
+                algoId = CTC_SHA384wECDSA;
+                break;
+        #endif
+        #ifdef WOLFSSL_SHA512
+            case SHA512h:
+                algoId = CTC_SHA512wECDSA;
+                break;
+        #endif
+        }
+    }
+#endif /* HAVE_ECC */
+
+    if (algoId == 0) {
+        WOLFSSL_MSG("Invalid signature algorithm type");
+        return BAD_FUNC_ARG;
+    }
+
+    *digEncAlgoId = algoId;
+    *digEncAlgoType = algoType;
+
+    return 0;
+}
+
+
+/* build SignedData DigestInfo for use with PKCS#7/RSA
+ *
+ * pkcs7 - pointer to initialized PKCS7 struct
+ * flatSignedAttribs - flattened, signed attributes
+ * flatSignedAttrbsSz - size of flatSignedAttribs, octets
+ * esd - pointer to initialized ESD struct
+ * digestInfo - [OUT] output array for DigestInfo
+ * digestInfoSz - [IN/OUT] - input size of array, size of digestInfo
+ *
+ * return 0 on success, negative on error */
+static int wc_PKCS7_BuildDigestInfo(PKCS7* pkcs7, byte* flatSignedAttribs,
+                                    word32 flatSignedAttribsSz, ESD* esd,
+                                    byte* digestInfo, word32* digestInfoSz)
+{
+    int ret, hashSz, digIdx = 0;
+    byte digestInfoSeq[MAX_SEQ_SZ];
+    byte digestStr[MAX_OCTET_STR_SZ];
+    byte attribSet[MAX_SET_SZ];
+    byte algoId[MAX_ALGO_SZ];
+    word32 digestInfoSeqSz, digestStrSz, algoIdSz;
+    word32 attribSetSz;
+
+    if (pkcs7 == NULL || esd == NULL || digestInfo == NULL ||
+        digestInfoSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    hashSz = wc_HashGetDigestSize(esd->hashType);
+    if (hashSz < 0)
+        return hashSz;
+
+    if (flatSignedAttribsSz != 0) {
+
+        if (flatSignedAttribs == NULL)
+            return BAD_FUNC_ARG;
+
+        attribSetSz = SetSet(flatSignedAttribsSz, attribSet);
+
+        ret = wc_HashInit(&esd->hash, esd->hashType);
+        if (ret < 0)
+            return ret;
+
+        ret = wc_HashUpdate(&esd->hash, esd->hashType,
+                            attribSet, attribSetSz);
+        if (ret == 0)
+            ret = wc_HashUpdate(&esd->hash, esd->hashType,
+                                flatSignedAttribs, flatSignedAttribsSz);
+        if (ret == 0)
+            ret = wc_HashFinal(&esd->hash, esd->hashType,
+                               esd->contentAttribsDigest);
+        wc_HashFree(&esd->hash, esd->hashType);
+
+        if (ret < 0)
+            return ret;
+
+    } else {
+        /* when no attrs, digest is contentDigest without tag and length */
+        XMEMCPY(esd->contentAttribsDigest, esd->contentDigest + 2, hashSz);
+    }
+
+    /* set algoID, with NULL attributes */
+    algoIdSz = SetAlgoID(pkcs7->hashOID, algoId, oidHashType, 0);
+
+    digestStrSz = SetOctetString(hashSz, digestStr);
+    digestInfoSeqSz = SetSequence(algoIdSz + digestStrSz + hashSz,
+                                  digestInfoSeq);
 
+    if (*digestInfoSz < (digestInfoSeqSz + algoIdSz + digestStrSz + hashSz)) {
+        return BUFFER_E;
+    }
+
+    XMEMCPY(digestInfo + digIdx, digestInfoSeq, digestInfoSeqSz);
+    digIdx += digestInfoSeqSz;
+    XMEMCPY(digestInfo + digIdx, algoId, algoIdSz);
+    digIdx += algoIdSz;
+    XMEMCPY(digestInfo + digIdx, digestStr, digestStrSz);
+    digIdx += digestStrSz;
+    XMEMCPY(digestInfo + digIdx, esd->contentAttribsDigest, hashSz);
+    digIdx += hashSz;
+
+    *digestInfoSz = digIdx;
+
+    return 0;
+}
+
+
+/* build SignedData signature over DigestInfo or content digest
+ *
+ * pkcs7 - pointer to initialized PKCS7 struct
+ * flatSignedAttribs - flattened, signed attributes
+ * flatSignedAttribsSz - size of flatSignedAttribs, octets
+ * esd - pointer to initialized ESD struct
+ *
+ * returns length of signature on success, negative on error */
+static int wc_PKCS7_SignedDataBuildSignature(PKCS7* pkcs7,
+                                             byte* flatSignedAttribs,
+                                             word32 flatSignedAttribsSz,
+                                             ESD* esd)
+{
+    int ret = 0;
+#if defined(HAVE_ECC) || \
+    (defined(HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK) && !defined(NO_RSA))
+    int hashSz = 0;
+#endif
+#if defined(HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK) && !defined(NO_RSA)
+    int hashOID;
+#endif
+    word32 digestInfoSz = MAX_PKCS7_DIGEST_SZ;
 #ifdef WOLFSSL_SMALL_STACK
-        byte* digestInfo;
-        RsaKey* privKey;
+    byte* digestInfo;
 #else
-        RsaKey stack_privKey;
-        RsaKey* privKey = &stack_privKey;
-        byte digestInfo[MAX_SEQ_SZ + MAX_ALGO_SZ +
-                        MAX_OCTET_STR_SZ + SHA_DIGEST_SIZE];
+    byte  digestInfo[MAX_PKCS7_DIGEST_SZ];
 #endif
-        byte digestInfoSeq[MAX_SEQ_SZ];
-        byte digestStr[MAX_OCTET_STR_SZ];
-        word32 digestInfoSeqSz, digestStrSz;
-        int digIdx = 0;
 
-        if (pkcs7->signedAttribsSz != 0) {
-            byte attribSet[MAX_SET_SZ];
-            word32 attribSetSz;
+    if (pkcs7 == NULL || esd == NULL)
+        return BAD_FUNC_ARG;
 
-            attribSetSz = SetSet(flatSignedAttribsSz, attribSet);
+#ifdef WOLFSSL_SMALL_STACK
+    digestInfo = (byte*)XMALLOC(digestInfoSz, pkcs7->heap,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (digestInfo == NULL) {
+        return MEMORY_E;
+    }
+#endif
+    XMEMSET(digestInfo, 0, digestInfoSz);
 
-            ret = wc_InitSha(&esd->sha);
-            if (ret < 0) {
-                XFREE(flatSignedAttribs, 0, NULL);
+    ret = wc_PKCS7_BuildDigestInfo(pkcs7, flatSignedAttribs,
+                                   flatSignedAttribsSz, esd, digestInfo,
+                                   &digestInfoSz);
+    if (ret < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-                return ret;
-            }
-            wc_ShaUpdate(&esd->sha, attribSet, attribSetSz);
-            wc_ShaUpdate(&esd->sha, flatSignedAttribs, flatSignedAttribsSz);
-        }
-        wc_ShaFinal(&esd->sha, esd->contentAttribsDigest);
+        return ret;
+    }
 
-        digestStrSz = SetOctetString(SHA_DIGEST_SIZE, digestStr);
-        digestInfoSeqSz = SetSequence(esd->signerDigAlgoIdSz +
-                                      digestStrSz + SHA_DIGEST_SIZE,
-                                      digestInfoSeq);
+#if defined(HAVE_ECC) || \
+    (defined(HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK) && !defined(NO_RSA))
+    /* get digest size from hash type */
+    hashSz = wc_HashGetDigestSize(esd->hashType);
+    if (hashSz < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return hashSz;
+    }
+#endif
 
-#ifdef WOLFSSL_SMALL_STACK
-        digestInfo = (byte*)XMALLOC(MAX_SEQ_SZ + MAX_ALGO_SZ +
-                                    MAX_OCTET_STR_SZ + SHA_DIGEST_SIZE,
-                                    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (digestInfo == NULL) {
-            if (pkcs7->signedAttribsSz != 0)
-                XFREE(flatSignedAttribs, 0, NULL);
-            XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            return MEMORY_E;
-        }
+    /* sign digestInfo */
+    switch (pkcs7->publicKeyOID) {
+
+#ifndef NO_RSA
+        case RSAk:
+        #ifdef HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK
+            if (pkcs7->rsaSignRawDigestCb != NULL) {
+                /* get hash OID */
+                hashOID = wc_HashGetOID(esd->hashType);
+
+                /* user signing plain digest, build DigestInfo themselves */
+                ret = pkcs7->rsaSignRawDigestCb(pkcs7,
+                           esd->contentAttribsDigest, hashSz,
+                           esd->encContentDigest, sizeof(esd->encContentDigest),
+                           pkcs7->privateKey, pkcs7->privateKeySz, pkcs7->devId,
+                           hashOID);
+                break;
+            }
+        #endif
+            ret = wc_PKCS7_RsaSign(pkcs7, digestInfo, digestInfoSz, esd);
+            break;
+#endif
+
+#ifdef HAVE_ECC
+        case ECDSAk:
+            /* CMS with ECDSA does not sign DigestInfo structure
+             * like PKCS#7 with RSA does */
+            ret = wc_PKCS7_EcdsaSign(pkcs7, esd->contentAttribsDigest,
+                                     hashSz, esd);
+            break;
 #endif
 
-        XMEMCPY(digestInfo + digIdx, digestInfoSeq, digestInfoSeqSz);
-        digIdx += digestInfoSeqSz;
-        XMEMCPY(digestInfo + digIdx,
-                                  esd->signerDigAlgoId, esd->signerDigAlgoIdSz);
-        digIdx += esd->signerDigAlgoIdSz;
-        XMEMCPY(digestInfo + digIdx, digestStr, digestStrSz);
-        digIdx += digestStrSz;
-        XMEMCPY(digestInfo + digIdx, esd->contentAttribsDigest,
-                                                               SHA_DIGEST_SIZE);
-        digIdx += SHA_DIGEST_SIZE;
+        default:
+            WOLFSSL_MSG("Unsupported public key type");
+            ret = BAD_FUNC_ARG;
+    }
 
 #ifdef WOLFSSL_SMALL_STACK
-        privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-        if (privKey == NULL) {
-            if (pkcs7->signedAttribsSz != 0)
-                XFREE(flatSignedAttribs, 0, NULL);
-            XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(esd,        NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            return MEMORY_E;
-        }
+    XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-        result = wc_InitRsaKey(privKey, NULL);
-        if (result == 0)
-            result = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &scratch, privKey,
-                                         pkcs7->privateKeySz);
-        if (result < 0) {
-            if (pkcs7->signedAttribsSz != 0)
-                XFREE(flatSignedAttribs, 0, NULL);
+    if (ret >= 0) {
+        esd->encContentDigestSz = (word32)ret;
+    }
+
+    return ret;
+}
+
+
+/* build PKCS#7 signedData content type */
+static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
+    const byte* hashBuf, word32 hashSz, byte* output, word32* outputSz,
+    byte* output2, word32* output2Sz)
+{
+    /* contentType OID (1.2.840.113549.1.9.3) */
+    const byte contentTypeOid[] =
+            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0d, 0x01,
+                             0x09, 0x03 };
+
+    /* messageDigest OID (1.2.840.113549.1.9.4) */
+    const byte messageDigestOid[] =
+            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+                             0x09, 0x04 };
+
+    /* signingTime OID () */
+    byte signingTimeOid[] =
+            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+                             0x09, 0x05};
+
+    Pkcs7Cert* certPtr = NULL;
+    word32 certSetSz = 0;
+
+    word32 signerInfoSz = 0;
+    word32 totalSz, total2Sz;
+    int idx = 0, ret = 0;
+    int digEncAlgoId, digEncAlgoType;
+    byte* flatSignedAttribs = NULL;
+    word32 flatSignedAttribsSz = 0;
+
+    byte signedDataOid[MAX_OID_SZ];
+    word32 signedDataOidSz;
+
+    byte signingTime[MAX_TIME_STRING_SZ];
+
+    if (pkcs7 == NULL || pkcs7->contentSz == 0 ||
+        pkcs7->encryptOID == 0 || pkcs7->hashOID == 0 || pkcs7->rng == 0 ||
+        output == NULL || outputSz == NULL || *outputSz == 0 || hashSz == 0 ||
+        hashBuf == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* verify the hash size matches */
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(privKey,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(esd,        NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    esd = (ESD*)XMALLOC(sizeof(ESD), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (esd == NULL)
+        return MEMORY_E;
 #endif
-            return PUBLIC_KEY_E;
-        }
 
-        result = wc_RsaSSL_Sign(digestInfo, digIdx,
-                             esd->encContentDigest,
-                             sizeof(esd->encContentDigest),
-                             privKey, pkcs7->rng);
+    XMEMSET(esd, 0, sizeof(ESD));
 
-        wc_FreeRsaKey(privKey);
+    /* set content type based on contentOID, unless user has set custom one
+       with wc_PKCS7_SetContentType() */
+    if (pkcs7->contentTypeSz == 0) {
 
+        /* default to DATA content type if user has not set */
+        if (pkcs7->contentOID == 0) {
+            pkcs7->contentOID = DATA;
+        }
+
+        ret = wc_SetContentType(pkcs7->contentOID, pkcs7->contentType,
+                                sizeof(pkcs7->contentType));
+        if (ret < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(privKey,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+            return ret;
+        }
+        pkcs7->contentTypeSz = ret;
+    }
 
-        if (result < 0) {
-            if (pkcs7->signedAttribsSz != 0)
-                XFREE(flatSignedAttribs, 0, NULL);
+    /* set signedData outer content type */
+    ret = wc_SetContentType(SIGNED_DATA, signedDataOid, sizeof(signedDataOid));
+    if (ret < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-            return result;
+        return ret;
+    }
+    signedDataOidSz = ret;
+
+    if (pkcs7->sidType != DEGENERATE_SID) {
+        esd->hashType = wc_OidGetHash(pkcs7->hashOID);
+        if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) {
+            WOLFSSL_MSG("hashSz did not match hashOID");
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+            return BUFFER_E;
         }
-        esd->encContentDigestSz = (word32)result;
+
+        /* include hash */
+        esd->contentDigest[0] = ASN_OCTET_STRING;
+        esd->contentDigest[1] = (byte)hashSz;
+        XMEMCPY(&esd->contentDigest[2], hashBuf, hashSz);
     }
-    signerInfoSz += flatSignedAttribsSz + esd->signedAttribSetSz;
 
-    esd->signerDigestSz = SetOctetString(esd->encContentDigestSz,
-                                                             esd->signerDigest);
-    signerInfoSz += esd->signerDigestSz + esd->encContentDigestSz;
+    if (pkcs7->detached == 1) {
+        /* do not include content if generating detached signature */
+        esd->innerOctetsSz = 0;
+        esd->innerContSeqSz = 0;
+        esd->contentInfoSeqSz = SetSequence(pkcs7->contentTypeSz,
+                                            esd->contentInfoSeq);
+    } else {
+        esd->innerOctetsSz = SetOctetString(pkcs7->contentSz, esd->innerOctets);
+        esd->innerContSeqSz = SetExplicit(0, esd->innerOctetsSz +
+                                    pkcs7->contentSz, esd->innerContSeq);
+        esd->contentInfoSeqSz = SetSequence(pkcs7->contentSz +
+                                    esd->innerOctetsSz + pkcs7->contentTypeSz +
+                                    esd->innerContSeqSz, esd->contentInfoSeq);
+    }
 
-    esd->signerInfoSeqSz = SetSequence(signerInfoSz, esd->signerInfoSeq);
-    signerInfoSz += esd->signerInfoSeqSz;
+    /* SignerIdentifier */
+    if (pkcs7->sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+        /* IssuerAndSerialNumber */
+        esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
+                                          esd->issuerSn, MAX_SN_SZ, MAX_SN_SZ);
+        signerInfoSz += esd->issuerSnSz;
+        esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName);
+        signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz;
+        esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq);
+        signerInfoSz += esd->issuerSnSeqSz;
+
+        if (pkcs7->version == 3) {
+            /* RFC 4108 version MUST be 3 for firmware package signer */
+            esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0);
+        }
+        else {
+            /* version MUST be 1 otherwise*/
+            esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0);
+        }
+
+    } else if (pkcs7->sidType == CMS_SKID) {
+        /* SubjectKeyIdentifier */
+        esd->issuerSKIDSz = SetOctetString(KEYID_SIZE, esd->issuerSKID);
+        esd->issuerSKIDSeqSz = SetExplicit(0, esd->issuerSKIDSz + KEYID_SIZE,
+                                           esd->issuerSKIDSeq);
+        signerInfoSz += (esd->issuerSKIDSz + esd->issuerSKIDSeqSz +
+                         KEYID_SIZE);
+
+        /* version MUST be 3 */
+        esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0);
+    } else if (pkcs7->sidType == DEGENERATE_SID) {
+        /* no signer info added */
+    } else {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return SKID_E;
+    }
+
+    if (pkcs7->sidType != DEGENERATE_SID) {
+        signerInfoSz += esd->signerVersionSz;
+        esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId,
+                                          oidHashType, 0);
+        signerInfoSz += esd->signerDigAlgoIdSz;
+
+        /* set signatureAlgorithm */
+        ret = wc_PKCS7_SignedDataGetEncAlgoId(pkcs7, &digEncAlgoId,
+                                              &digEncAlgoType);
+        if (ret < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+            return ret;
+        }
+        esd->digEncAlgoIdSz = SetAlgoID(digEncAlgoId, esd->digEncAlgoId,
+                                        digEncAlgoType, 0);
+        signerInfoSz += esd->digEncAlgoIdSz;
+
+        /* build up signed attributes, include contentType, signingTime, and
+           messageDigest by default */
+        ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd, pkcs7->contentType,
+                                     pkcs7->contentTypeSz,
+                                     contentTypeOid, sizeof(contentTypeOid),
+                                     messageDigestOid, sizeof(messageDigestOid),
+                                     signingTimeOid, sizeof(signingTimeOid),
+                                     signingTime, sizeof(signingTime));
+        if (ret < 0) {
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+            return ret;
+        }
+
+        if (esd->signedAttribsSz > 0) {
+            flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, pkcs7->heap,
+                                                             DYNAMIC_TYPE_PKCS7);
+            flatSignedAttribsSz = esd->signedAttribsSz;
+            if (flatSignedAttribs == NULL) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return MEMORY_E;
+            }
+
+            FlattenAttributes(pkcs7, flatSignedAttribs,
+                                       esd->signedAttribs, esd->signedAttribsCount);
+            esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz,
+                                                              esd->signedAttribSet);
+        } else {
+            esd->signedAttribSetSz = 0;
+        }
+
+        /* Calculate the final hash and encrypt it. */
+        ret = wc_PKCS7_SignedDataBuildSignature(pkcs7, flatSignedAttribs,
+                                                flatSignedAttribsSz, esd);
+        if (ret < 0) {
+            if (pkcs7->signedAttribsSz != 0)
+                XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+            return ret;
+        }
+
+        signerInfoSz += flatSignedAttribsSz + esd->signedAttribSetSz;
+
+        esd->signerDigestSz = SetOctetString(esd->encContentDigestSz,
+                                                                 esd->signerDigest);
+        signerInfoSz += esd->signerDigestSz + esd->encContentDigestSz;
+
+        esd->signerInfoSeqSz = SetSequence(signerInfoSz, esd->signerInfoSeq);
+        signerInfoSz += esd->signerInfoSeqSz;
+    }
     esd->signerInfoSetSz = SetSet(signerInfoSz, esd->signerInfoSet);
     signerInfoSz += esd->signerInfoSetSz;
 
-    esd->certsSetSz = SetImplicit(ASN_SET, 0, pkcs7->singleCertSz,
-                                                                 esd->certsSet);
+    /* certificates [0] IMPLICIT CertificateSet */
+    /* get total certificates size */
+    certPtr = pkcs7->certList;
+    while (certPtr != NULL) {
+        certSetSz += certPtr->derSz;
+        certPtr = certPtr->next;
+    }
+    certPtr = NULL;
 
-    esd->singleDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->singleDigAlgoId,
-                                      hashType, 0);
-    esd->digAlgoIdSetSz = SetSet(esd->singleDigAlgoIdSz, esd->digAlgoIdSet);
+    if (certSetSz > 0)
+        esd->certsSetSz = SetImplicit(ASN_SET, 0, certSetSz, esd->certsSet);
 
+    if (pkcs7->sidType != DEGENERATE_SID) {
+        esd->singleDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->singleDigAlgoId,
+                                      oidHashType, 0);
+    }
+    esd->digAlgoIdSetSz = SetSet(esd->singleDigAlgoIdSz, esd->digAlgoIdSet);
 
-    esd->versionSz = SetMyVersion(1, esd->version, 0);
+    if (pkcs7->version == 3) {
+        /* RFC 4108 version MUST be 3 for firmware package signer */
+        esd->versionSz = SetMyVersion(3, esd->version, 0);
+    }
+    else {
+        esd->versionSz = SetMyVersion(1, esd->version, 0);
+    }
 
     totalSz = esd->versionSz + esd->singleDigAlgoIdSz + esd->digAlgoIdSetSz +
-              esd->contentInfoSeqSz + esd->certsSetSz + pkcs7->singleCertSz +
-              esd->innerOctetsSz + esd->innerContSeqSz +
-              innerOidSz + pkcs7->contentSz +
-              signerInfoSz;
-    esd->innerSeqSz = SetSequence(totalSz, esd->innerSeq);
+              esd->contentInfoSeqSz + pkcs7->contentTypeSz +
+              esd->innerContSeqSz + esd->innerOctetsSz + pkcs7->contentSz;
+    total2Sz = esd->certsSetSz + certSetSz + signerInfoSz;
+
+    if (pkcs7->detached) {
+        totalSz -= pkcs7->contentSz;
+    }
+
+    esd->innerSeqSz = SetSequence(totalSz + total2Sz, esd->innerSeq);
     totalSz += esd->innerSeqSz;
-    esd->outerContentSz = SetExplicit(0, totalSz, esd->outerContent);
-    totalSz += esd->outerContentSz + outerOidSz;
-    esd->outerSeqSz = SetSequence(totalSz, esd->outerSeq);
+    esd->outerContentSz = SetExplicit(0, totalSz + total2Sz, esd->outerContent);
+    totalSz += esd->outerContentSz + signedDataOidSz;
+    esd->outerSeqSz = SetSequence(totalSz + total2Sz, esd->outerSeq);
     totalSz += esd->outerSeqSz;
 
-    if (outputSz < totalSz) {
+    /* if using header/footer, we are not returning the content */
+    if (output2 && output2Sz) {
+        if (total2Sz > *output2Sz) {
+            if (pkcs7->signedAttribsSz != 0)
+                XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+            return BUFFER_E;
+        }
+
+        if (!pkcs7->detached) {
+            totalSz -= pkcs7->contentSz;
+        }
+    }
+    else {
+        /* if using single output buffer include content and footer */
+        totalSz += total2Sz;
+    }
+
+    if (totalSz > *outputSz) {
         if (pkcs7->signedAttribsSz != 0)
-            XFREE(flatSignedAttribs, 0, NULL);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+            XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
         return BUFFER_E;
     }
 
     idx = 0;
     XMEMCPY(output + idx, esd->outerSeq, esd->outerSeqSz);
     idx += esd->outerSeqSz;
-    XMEMCPY(output + idx, outerOid, outerOidSz);
-    idx += outerOidSz;
+    XMEMCPY(output + idx, signedDataOid, signedDataOidSz);
+    idx += signedDataOidSz;
     XMEMCPY(output + idx, esd->outerContent, esd->outerContentSz);
     idx += esd->outerContentSz;
     XMEMCPY(output + idx, esd->innerSeq, esd->innerSeqSz);
@@ -634,326 +2402,3617 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
     idx += esd->singleDigAlgoIdSz;
     XMEMCPY(output + idx, esd->contentInfoSeq, esd->contentInfoSeqSz);
     idx += esd->contentInfoSeqSz;
-    XMEMCPY(output + idx, innerOid, innerOidSz);
-    idx += innerOidSz;
+    XMEMCPY(output + idx, pkcs7->contentType, pkcs7->contentTypeSz);
+    idx += pkcs7->contentTypeSz;
     XMEMCPY(output + idx, esd->innerContSeq, esd->innerContSeqSz);
     idx += esd->innerContSeqSz;
     XMEMCPY(output + idx, esd->innerOctets, esd->innerOctetsSz);
     idx += esd->innerOctetsSz;
-    XMEMCPY(output + idx, pkcs7->content, pkcs7->contentSz);
-    idx += pkcs7->contentSz;
-    XMEMCPY(output + idx, esd->certsSet, esd->certsSetSz);
+
+    /* support returning header and footer without content */
+    if (output2 && output2Sz) {
+        *outputSz = idx;
+        idx = 0;
+    }
+    else {
+        if (!pkcs7->detached) {
+            XMEMCPY(output + idx, pkcs7->content, pkcs7->contentSz);
+            idx += pkcs7->contentSz;
+        }
+        output2 = output;
+    }
+
+    /* certificates */
+    XMEMCPY(output2 + idx, esd->certsSet, esd->certsSetSz);
     idx += esd->certsSetSz;
-    XMEMCPY(output + idx, pkcs7->singleCert, pkcs7->singleCertSz);
-    idx += pkcs7->singleCertSz;
-    XMEMCPY(output + idx, esd->signerInfoSet, esd->signerInfoSetSz);
+    certPtr = pkcs7->certList;
+    while (certPtr != NULL) {
+        XMEMCPY(output2 + idx, certPtr->der, certPtr->derSz);
+        idx += certPtr->derSz;
+        certPtr = certPtr->next;
+    }
+    wc_PKCS7_FreeCertSet(pkcs7);
+
+    XMEMCPY(output2 + idx, esd->signerInfoSet, esd->signerInfoSetSz);
     idx += esd->signerInfoSetSz;
-    XMEMCPY(output + idx, esd->signerInfoSeq, esd->signerInfoSeqSz);
+    XMEMCPY(output2 + idx, esd->signerInfoSeq, esd->signerInfoSeqSz);
     idx += esd->signerInfoSeqSz;
-    XMEMCPY(output + idx, esd->signerVersion, esd->signerVersionSz);
+    XMEMCPY(output2 + idx, esd->signerVersion, esd->signerVersionSz);
     idx += esd->signerVersionSz;
-    XMEMCPY(output + idx, esd->issuerSnSeq, esd->issuerSnSeqSz);
-    idx += esd->issuerSnSeqSz;
-    XMEMCPY(output + idx, esd->issuerName, esd->issuerNameSz);
-    idx += esd->issuerNameSz;
-    XMEMCPY(output + idx, pkcs7->issuer, pkcs7->issuerSz);
-    idx += pkcs7->issuerSz;
-    XMEMCPY(output + idx, esd->issuerSn, esd->issuerSnSz);
-    idx += esd->issuerSnSz;
-    XMEMCPY(output + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz);
+    /* SignerIdentifier */
+    if (pkcs7->sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+        /* IssuerAndSerialNumber */
+        XMEMCPY(output2 + idx, esd->issuerSnSeq, esd->issuerSnSeqSz);
+        idx += esd->issuerSnSeqSz;
+        XMEMCPY(output2 + idx, esd->issuerName, esd->issuerNameSz);
+        idx += esd->issuerNameSz;
+        XMEMCPY(output2 + idx, pkcs7->issuer, pkcs7->issuerSz);
+        idx += pkcs7->issuerSz;
+        XMEMCPY(output2 + idx, esd->issuerSn, esd->issuerSnSz);
+        idx += esd->issuerSnSz;
+    } else if (pkcs7->sidType == CMS_SKID) {
+        /* SubjectKeyIdentifier */
+        XMEMCPY(output2 + idx, esd->issuerSKIDSeq, esd->issuerSKIDSeqSz);
+        idx += esd->issuerSKIDSeqSz;
+        XMEMCPY(output2 + idx, esd->issuerSKID, esd->issuerSKIDSz);
+        idx += esd->issuerSKIDSz;
+        XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
+        idx += KEYID_SIZE;
+    } else if (pkcs7->sidType == DEGENERATE_SID) {
+        /* no signer infos in degenerate case */
+    } else {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return SKID_E;
+    }
+    XMEMCPY(output2 + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz);
     idx += esd->signerDigAlgoIdSz;
 
     /* SignerInfo:Attributes */
-    if (pkcs7->signedAttribsSz != 0) {
-        XMEMCPY(output + idx, esd->signedAttribSet, esd->signedAttribSetSz);
+    if (flatSignedAttribsSz > 0) {
+        XMEMCPY(output2 + idx, esd->signedAttribSet, esd->signedAttribSetSz);
         idx += esd->signedAttribSetSz;
-        XMEMCPY(output + idx, flatSignedAttribs, flatSignedAttribsSz);
+        XMEMCPY(output2 + idx, flatSignedAttribs, flatSignedAttribsSz);
         idx += flatSignedAttribsSz;
-        XFREE(flatSignedAttribs, 0, NULL);
+        XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     }
 
-    XMEMCPY(output + idx, esd->digEncAlgoId, esd->digEncAlgoIdSz);
+    XMEMCPY(output2 + idx, esd->digEncAlgoId, esd->digEncAlgoIdSz);
     idx += esd->digEncAlgoIdSz;
-    XMEMCPY(output + idx, esd->signerDigest, esd->signerDigestSz);
+    XMEMCPY(output2 + idx, esd->signerDigest, esd->signerDigestSz);
     idx += esd->signerDigestSz;
-    XMEMCPY(output + idx, esd->encContentDigest, esd->encContentDigestSz);
+    XMEMCPY(output2 + idx, esd->encContentDigest, esd->encContentDigestSz);
     idx += esd->encContentDigestSz;
 
+    if (output2 && output2Sz) {
+        *output2Sz = idx;
+        idx = 0; /* success */
+    }
+    else {
+        *outputSz = idx;
+    }
+
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-
     return idx;
 }
 
+/* hashBuf: The computed digest for the pkcs7->content
+ * hashSz: The size of computed digest for the pkcs7->content based on hashOID
+ * outputHead: The PKCS7 header that goes on top of the raw data signed.
+ * outputFoot: The PKCS7 footer that goes at the end of the raw data signed.
+ * pkcs7->content: Not used
+ * pkcs7->contentSz: Must be provided as actual sign of raw data
+ * return codes: 0=success, negative=error
+ */
+int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
+    word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot,
+    word32* outputFootSz)
+{
+    int ret;
+#ifdef WOLFSSL_SMALL_STACK
+    ESD* esd;
+#else
+    ESD  esd[1];
+#endif
 
-/* Finds the certificates in the message and saves it. */
-int wc_PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz)
+    /* other args checked in wc_PKCS7_EncodeSigned_ex */
+    if (pkcs7 == NULL || outputFoot == NULL || outputFootSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    esd = (ESD*)XMALLOC(sizeof(ESD), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (esd == NULL)
+        return MEMORY_E;
+#endif
+
+    XMEMSET(esd, 0, sizeof(ESD));
+
+    ret = PKCS7_EncodeSigned(pkcs7, esd, hashBuf, hashSz,
+        outputHead, outputHeadSz, outputFoot, outputFootSz);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+/* Toggle detached signature mode on/off for PKCS#7/CMS SignedData content type.
+ * By default wolfCrypt includes the data to be signed in the SignedData
+ * bundle. This data can be omitted in the case when a detached signature is
+ * being created. To enable generation of detached signatures, set flag to "1",
+ * otherwise set to "0":
+ *
+ *     flag 1 turns on support
+ *     flag 0 turns off support
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ * flag  - turn on/off detached signature generation (1 or 0)
+ *
+ * Returns 0 on success, negative upon error. */
+int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag)
 {
-    word32 idx, contentType;
-    int length, version, ret;
-    byte* content = NULL;
-    byte* sig = NULL;
-    byte* cert = NULL;
-    int contentSz = 0, sigSz = 0, certSz = 0;
+    if (pkcs7 == NULL || (flag != 0 && flag != 1))
+        return BAD_FUNC_ARG;
+
+    pkcs7->detached = flag;
+
+    return 0;
+}
 
-    if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0)
+/* By default, SignedData bundles have the following signed attributes attached:
+ *     contentType (1.2.840.113549.1.9.3)
+ *     signgingTime (1.2.840.113549.1.9.5)
+ *     messageDigest (1.2.840.113549.1.9.4)
+ *
+ * Calling this API before wc_PKCS7_EncodeSignedData() will disable the
+ * inclusion of those attributes.
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ *
+ * Returns 0 on success, negative upon error. */
+int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7)
+{
+    if (pkcs7 == NULL)
         return BAD_FUNC_ARG;
 
-    idx = 0;
+    pkcs7->skipDefaultSignedAttribs = 1;
 
-    /* Get the contentInfo sequence */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+    return 0;
+}
 
-    /* Get the contentInfo contentType */
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+/* return codes: >0: Size of signed PKCS7 output buffer, negative: error */
+int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
+{
+    int ret;
+    int hashSz;
+    enum wc_HashType hashType;
+    byte hashBuf[WC_MAX_DIGEST_SIZE];
+#ifdef WOLFSSL_SMALL_STACK
+    ESD* esd;
+#else
+    ESD  esd[1];
+#endif
 
-    if (contentType != SIGNED_DATA) {
-        WOLFSSL_MSG("PKCS#7 input not of type SignedData");
-        return PKCS7_OID_E;
+    /* other args checked in wc_PKCS7_EncodeSigned_ex */
+    if (pkcs7 == NULL || pkcs7->contentSz == 0 || pkcs7->content == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-    /* get the ContentInfo content */
-    if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
-        return ASN_PARSE_E;
+    /* get hash type and size, validate hashOID */
+    hashType = wc_OidGetHash(pkcs7->hashOID);
+    hashSz = wc_HashGetDigestSize(hashType);
+    if (hashSz < 0)
+        return hashSz;
 
-    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+#ifdef WOLFSSL_SMALL_STACK
+    esd = (ESD*)XMALLOC(sizeof(ESD), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (esd == NULL)
+        return MEMORY_E;
+#endif
 
-    /* Get the signedData sequence */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+    XMEMSET(esd, 0, sizeof(ESD));
+    esd->hashType = hashType;
+
+    /* calculate hash for content */
+    ret = wc_HashInit(&esd->hash, esd->hashType);
+    if (ret == 0) {
+        ret = wc_HashUpdate(&esd->hash, esd->hashType,
+                            pkcs7->content, pkcs7->contentSz);
+        if (ret == 0) {
+            ret = wc_HashFinal(&esd->hash, esd->hashType, hashBuf);
+        }
+        wc_HashFree(&esd->hash, esd->hashType);
+    }
 
-    /* Get the version */
-    if (GetMyVersion(pkiMsg, &idx, &version) < 0)
-        return ASN_PARSE_E;
+    if (ret == 0) {
+        ret = PKCS7_EncodeSigned(pkcs7, esd, hashBuf, hashSz,
+            output, &outputSz, NULL, NULL);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+/* Single-shot API to generate a CMS SignedData bundle that encapsulates a
+ * content of type FirmwarePkgData. Any recipient certificates should be
+ * loaded into the PKCS7 structure prior to calling this function, using
+ * wc_PKCS7_InitWithCert() and/or wc_PKCS7_AddCertificate().
+ *
+ * pkcs7                - pointer to initialized PKCS7 struct
+ * privateKey           - private RSA/ECC key, used for signing SignedData
+ * privateKeySz         - size of privateKey, octets
+ * signOID              - public key algorithm OID, used for sign operation
+ * hashOID              - hash algorithm OID, used for signature generation
+ * content              - content to be encapsulated, of type FirmwarePkgData
+ * contentSz            - size of content, octets
+ * signedAttribs        - optional signed attributes
+ * signedAttribsSz      - number of PKCS7Attrib members in signedAttribs
+ * output               - output buffer for final bundle
+ * outputSz             - size of output buffer, octets
+ *
+ * Returns length of generated bundle on success, negative upon error. */
+int wc_PKCS7_EncodeSignedFPD(PKCS7* pkcs7, byte* privateKey,
+                             word32 privateKeySz, int signOID, int hashOID,
+                             byte* content, word32 contentSz,
+                             PKCS7Attrib* signedAttribs, word32 signedAttribsSz,
+                             byte* output, word32 outputSz)
+{
+    int ret = 0;
+    WC_RNG rng;
+
+    if (pkcs7 == NULL || privateKey == NULL || privateKeySz == 0 ||
+        content == NULL || contentSz == 0 || output == NULL || outputSz == 0)
+        return BAD_FUNC_ARG;
 
-    if (version != 1) {
-        WOLFSSL_MSG("PKCS#7 signedData needs to be of version 1");
-        return ASN_VERSION_E;
+    ret = wc_InitRng(&rng);
+    if (ret != 0)
+        return ret;
+
+    pkcs7->rng = &rng;
+    pkcs7->content = content;
+    pkcs7->contentSz = contentSz;
+    pkcs7->contentOID = FIRMWARE_PKG_DATA;
+    pkcs7->hashOID = hashOID;
+    pkcs7->encryptOID = signOID;
+    pkcs7->privateKey = privateKey;
+    pkcs7->privateKeySz = privateKeySz;
+    pkcs7->signedAttribs = signedAttribs;
+    pkcs7->signedAttribsSz = signedAttribsSz;
+    pkcs7->version = 3;
+
+    ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+    if (ret <= 0) {
+        WOLFSSL_MSG("Error encoding CMS SignedData content type");
     }
 
-    /* Get the set of DigestAlgorithmIdentifiers */
-    if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+    pkcs7->rng = NULL;
+    wc_FreeRng(&rng);
 
-    /* Skip the set. */
-    idx += length;
+    return ret;
+}
 
-    /* Get the inner ContentInfo sequence */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+#ifndef NO_PKCS7_ENCRYPTED_DATA
 
-    /* Get the inner ContentInfo contentType */
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+/* Single-shot API to generate a CMS SignedData bundle that encapsulates a
+ * CMS EncryptedData bundle. Content of inner EncryptedData is set to that
+ * of FirmwarePkgData. Any recipient certificates should be loaded into the
+ * PKCS7 structure prior to calling this function, using wc_PKCS7_InitWithCert()
+ * and/or wc_PKCS7_AddCertificate().
+ *
+ * pkcs7                - pointer to initialized PKCS7 struct
+ * encryptKey           - encryption key used for encrypting EncryptedData
+ * encryptKeySz         - size of encryptKey, octets
+ * privateKey           - private RSA/ECC key, used for signing SignedData
+ * privateKeySz         - size of privateKey, octets
+ * encryptOID           - encryption algorithm OID, to be used as encryption
+ *                        algorithm for EncryptedData
+ * signOID              - public key algorithm OID, to be used for sign
+ *                        operation in SignedData generation
+ * hashOID              - hash algorithm OID, to be used for signature in
+ *                        SignedData generation
+ * content              - content to be encapsulated
+ * contentSz            - size of content, octets
+ * unprotectedAttribs   - optional unprotected attributes, for EncryptedData
+ * unprotectedAttribsSz - number of PKCS7Attrib members in unprotectedAttribs
+ * signedAttribs        - optional signed attributes, for SignedData
+ * signedAttribsSz      - number of PKCS7Attrib members in signedAttribs
+ * output               - output buffer for final bundle
+ * outputSz             - size of output buffer, octets
+ *
+ * Returns length of generated bundle on success, negative upon error. */
+int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7, byte* encryptKey,
+                                      word32 encryptKeySz, byte* privateKey,
+                                      word32 privateKeySz, int encryptOID,
+                                      int signOID, int hashOID,
+                                      byte* content, word32 contentSz,
+                                      PKCS7Attrib* unprotectedAttribs,
+                                      word32 unprotectedAttribsSz,
+                                      PKCS7Attrib* signedAttribs,
+                                      word32 signedAttribsSz,
+                                      byte* output, word32 outputSz)
+{
+    int ret = 0, encryptedSz = 0;
+    byte* encrypted = NULL;
+    WC_RNG rng;
+
+    if (pkcs7 == NULL || encryptKey == NULL || encryptKeySz == 0 ||
+        privateKey == NULL || privateKeySz == 0 || content == NULL ||
+        contentSz == 0 || output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* 1: build up EncryptedData using FirmwarePkgData type, use output
+     *    buffer as tmp for storage and to get size */
+
+    /* set struct elements, inner content type is FirmwarePkgData */
+    pkcs7->content = content;
+    pkcs7->contentSz = contentSz;
+    pkcs7->contentOID = FIRMWARE_PKG_DATA;
+    pkcs7->encryptOID = encryptOID;
+    pkcs7->encryptionKey = encryptKey;
+    pkcs7->encryptionKeySz = encryptKeySz;
+    pkcs7->unprotectedAttribs = unprotectedAttribs;
+    pkcs7->unprotectedAttribsSz = unprotectedAttribsSz;
+    pkcs7->version = 3;
+
+    encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, output, outputSz);
+    if (encryptedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS EncryptedData content type");
+        return encryptedSz;
+    }
+
+    /* save encryptedData, reset output buffer and struct */
+    encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (encrypted == NULL) {
+        ForceZero(output, outputSz);
+        return MEMORY_E;
+    }
+
+    XMEMCPY(encrypted, output, encryptedSz);
+    ForceZero(output, outputSz);
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        ForceZero(encrypted, encryptedSz);
+        XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* 2: build up SignedData, encapsulating EncryptedData */
+    pkcs7->rng = &rng;
+    pkcs7->content = encrypted;
+    pkcs7->contentSz = encryptedSz;
+    pkcs7->contentOID = ENCRYPTED_DATA;
+    pkcs7->hashOID = hashOID;
+    pkcs7->encryptOID = signOID;
+    pkcs7->privateKey = privateKey;
+    pkcs7->privateKeySz = privateKeySz;
+    pkcs7->signedAttribs = signedAttribs;
+    pkcs7->signedAttribsSz = signedAttribsSz;
+
+    ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+    if (ret <= 0) {
+        WOLFSSL_MSG("Error encoding CMS SignedData content type");
+    }
+
+    ForceZero(encrypted, encryptedSz);
+    XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    pkcs7->rng = NULL;
+    wc_FreeRng(&rng);
+
+    return ret;
+}
+
+#endif /* NO_PKCS7_ENCRYPTED_DATA */
+
+#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+/* Single-shot API to generate a CMS SignedData bundle that encapsulates a
+ * CMS CompressedData bundle. Content of inner CompressedData is set to that
+ * of FirmwarePkgData. Any recipient certificates should be loaded into the
+ * PKCS7 structure prior to calling this function, using wc_PKCS7_InitWithCert()
+ * and/or wc_PKCS7_AddCertificate().
+ *
+ * pkcs7                - pointer to initialized PKCS7 struct
+ * privateKey           - private RSA/ECC key, used for signing SignedData
+ * privateKeySz         - size of privateKey, octets
+ * signOID              - public key algorithm OID, to be used for sign
+ *                        operation in SignedData generation
+ * hashOID              - hash algorithm OID, to be used for signature in
+ *                        SignedData generation
+ * content              - content to be encapsulated
+ * contentSz            - size of content, octets
+ * signedAttribs        - optional signed attributes, for SignedData
+ * signedAttribsSz      - number of PKCS7Attrib members in signedAttribs
+ * output               - output buffer for final bundle
+ * outputSz             - size of output buffer, octets
+ *
+ * Returns length of generated bundle on success, negative upon error. */
+int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, byte* privateKey,
+                                       word32 privateKeySz, int signOID,
+                                       int hashOID, byte* content,
+                                       word32 contentSz,
+                                       PKCS7Attrib* signedAttribs,
+                                       word32 signedAttribsSz, byte* output,
+                                       word32 outputSz)
+{
+    int ret = 0, compressedSz = 0;
+    byte* compressed = NULL;
+    WC_RNG rng;
+
+    if (pkcs7 == NULL || privateKey == NULL || privateKeySz == 0 ||
+        content == NULL || contentSz == 0 || output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* 1: build up CompressedData using FirmwarePkgData type, use output
+     *    buffer as tmp for storage and to get size */
+
+    /* set struct elements, inner content type is FirmwarePkgData */
+    pkcs7->content = content;
+    pkcs7->contentSz = contentSz;
+    pkcs7->contentOID = FIRMWARE_PKG_DATA;
+    pkcs7->version = 3;
+
+    compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, output, outputSz);
+    if (compressedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS CompressedData content type");
+        return compressedSz;
+    }
+
+    /* save compressedData, reset output buffer and struct */
+    compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (compressed == NULL) {
+        ForceZero(output, outputSz);
+        return MEMORY_E;
+    }
+
+    XMEMCPY(compressed, output, compressedSz);
+    ForceZero(output, outputSz);
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        ForceZero(compressed, compressedSz);
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* 2: build up SignedData, encapsulating EncryptedData */
+    pkcs7->rng = &rng;
+    pkcs7->content = compressed;
+    pkcs7->contentSz = compressedSz;
+    pkcs7->contentOID = COMPRESSED_DATA;
+    pkcs7->hashOID = hashOID;
+    pkcs7->encryptOID = signOID;
+    pkcs7->privateKey = privateKey;
+    pkcs7->privateKeySz = privateKeySz;
+    pkcs7->signedAttribs = signedAttribs;
+    pkcs7->signedAttribsSz = signedAttribsSz;
+
+    ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+    if (ret <= 0) {
+        WOLFSSL_MSG("Error encoding CMS SignedData content type");
+    }
+
+    ForceZero(compressed, compressedSz);
+    XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    pkcs7->rng = NULL;
+    wc_FreeRng(&rng);
+
+    return ret;
+}
+
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+
+/* Single-shot API to generate a CMS SignedData bundle that encapsulates a
+ * CMS EncryptedData bundle, which then encapsulates a CMS CompressedData
+ * bundle. Content of inner CompressedData is set to that of FirmwarePkgData.
+ * Any recipient certificates should be loaded into the PKCS7 structure prior
+ * to calling this function, using wc_PKCS7_InitWithCert() and/or
+ * wc_PKCS7_AddCertificate().
+ *
+ * pkcs7                - pointer to initialized PKCS7 struct
+ * encryptKey           - encryption key used for encrypting EncryptedData
+ * encryptKeySz         - size of encryptKey, octets
+ * privateKey           - private RSA/ECC key, used for signing SignedData
+ * privateKeySz         - size of privateKey, octets
+ * encryptOID           - encryption algorithm OID, to be used as encryption
+ *                        algorithm for EncryptedData
+ * signOID              - public key algorithm OID, to be used for sign
+ *                        operation in SignedData generation
+ * hashOID              - hash algorithm OID, to be used for signature in
+ *                        SignedData generation
+ * content              - content to be encapsulated
+ * contentSz            - size of content, octets
+ * unprotectedAttribs   - optional unprotected attributes, for EncryptedData
+ * unprotectedAttribsSz - number of PKCS7Attrib members in unprotectedAttribs
+ * signedAttribs        - optional signed attributes, for SignedData
+ * signedAttribsSz      - number of PKCS7Attrib members in signedAttribs
+ * output               - output buffer for final bundle
+ * outputSz             - size of output buffer, octets
+ *
+ * Returns length of generated bundle on success, negative upon error. */
+int  wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7, byte* encryptKey,
+                                       word32 encryptKeySz, byte* privateKey,
+                                       word32 privateKeySz, int encryptOID,
+                                       int signOID, int hashOID, byte* content,
+                                       word32 contentSz,
+                                       PKCS7Attrib* unprotectedAttribs,
+                                       word32 unprotectedAttribsSz,
+                                       PKCS7Attrib* signedAttribs,
+                                       word32 signedAttribsSz,
+                                       byte* output, word32 outputSz)
+{
+    int ret = 0, compressedSz = 0, encryptedSz = 0;
+    byte* compressed = NULL;
+    byte* encrypted = NULL;
+    WC_RNG rng;
+
+    if (pkcs7 == NULL || encryptKey == NULL || encryptKeySz == 0 ||
+        privateKey == NULL || privateKeySz == 0 || content == NULL ||
+        contentSz == 0 || output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* 1: build up CompressedData using FirmwarePkgData type, use output
+     *    buffer as tmp for storage and to get size */
+    pkcs7->content = content;
+    pkcs7->contentSz = contentSz;
+    pkcs7->contentOID = FIRMWARE_PKG_DATA;
+    pkcs7->version = 3;
+
+    compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, output, outputSz);
+    if (compressedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS CompressedData content type");
+        return compressedSz;
+    }
+
+    /* save compressedData, reset output buffer and struct */
+    compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (compressed == NULL)
+        return MEMORY_E;
+
+    XMEMCPY(compressed, output, compressedSz);
+    ForceZero(output, outputSz);
+
+    /* 2: build up EncryptedData using CompressedData, use output
+     *    buffer as tmp for storage and to get size */
+    pkcs7->content = compressed;
+    pkcs7->contentSz = compressedSz;
+    pkcs7->contentOID = COMPRESSED_DATA;
+    pkcs7->encryptOID = encryptOID;
+    pkcs7->encryptionKey = encryptKey;
+    pkcs7->encryptionKeySz = encryptKeySz;
+    pkcs7->unprotectedAttribs = unprotectedAttribs;
+    pkcs7->unprotectedAttribsSz = unprotectedAttribsSz;
+
+    encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, output, outputSz);
+    if (encryptedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS EncryptedData content type");
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return encryptedSz;
+    }
+
+    /* save encryptedData, reset output buffer and struct */
+    encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (encrypted == NULL) {
+        ForceZero(compressed, compressedSz);
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    XMEMCPY(encrypted, output, encryptedSz);
+    ForceZero(compressed, compressedSz);
+    XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    ForceZero(output, outputSz);
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        ForceZero(encrypted, encryptedSz);
+        XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* 3: build up SignedData, encapsulating EncryptedData */
+    pkcs7->rng = &rng;
+    pkcs7->content = encrypted;
+    pkcs7->contentSz = encryptedSz;
+    pkcs7->contentOID = ENCRYPTED_DATA;
+    pkcs7->hashOID = hashOID;
+    pkcs7->encryptOID = signOID;
+    pkcs7->privateKey = privateKey;
+    pkcs7->privateKeySz = privateKeySz;
+    pkcs7->signedAttribs = signedAttribs;
+    pkcs7->signedAttribsSz = signedAttribsSz;
+
+    ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+    if (ret <= 0) {
+        WOLFSSL_MSG("Error encoding CMS SignedData content type");
+    }
+
+    ForceZero(encrypted, encryptedSz);
+    XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    pkcs7->rng = NULL;
+    wc_FreeRng(&rng);
+
+    return ret;
+}
+
+#endif /* !NO_PKCS7_ENCRYPTED_DATA */
+#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
+
+
+#ifndef NO_RSA
+
+#ifdef HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK
+/* register raw RSA sign digest callback */
+int wc_PKCS7_SetRsaSignRawDigestCb(PKCS7* pkcs7, CallbackRsaSignRawDigest cb)
+{
+    if (pkcs7 == NULL || cb == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    pkcs7->rsaSignRawDigestCb = cb;
+
+    return 0;
+}
+#endif
+
+/* returns size of signature put into out, negative on error */
+static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
+                              byte* hash, word32 hashSz)
+{
+    int ret = 0, i;
+    word32 scratch = 0, verified = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* digest;
+    RsaKey* key;
+    DecodedCert* dCert;
+#else
+    byte digest[MAX_PKCS7_DIGEST_SZ];
+    RsaKey key[1];
+    DecodedCert stack_dCert;
+    DecodedCert* dCert = &stack_dCert;
+#endif
+
+    if (pkcs7 == NULL || sig == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (digest == NULL)
+        return MEMORY_E;
+
+    key = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (key == NULL) {
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+
+    dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
+                                  DYNAMIC_TYPE_DCERT);
+    if (dCert == NULL) {
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+#endif
+
+    XMEMSET(digest, 0, MAX_PKCS7_DIGEST_SZ);
+
+    /* loop over certs received in certificates set, try to find one
+     * that will validate signature */
+    for (i = 0; i < MAX_PKCS7_CERTS; i++) {
+
+        verified = 0;
+        scratch  = 0;
+
+        if (pkcs7->certSz[i] == 0)
+            continue;
+
+        ret = wc_InitRsaKey_ex(key, pkcs7->heap, pkcs7->devId);
+        if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(key,    pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(dCert,  pkcs7->heap, DYNAMIC_TYPE_DCERT);
+#endif
+            return ret;
+        }
+
+        InitDecodedCert(dCert, pkcs7->cert[i], pkcs7->certSz[i], pkcs7->heap);
+        /* not verifying, only using this to extract public key */
+        ret = ParseCert(dCert, CA_TYPE, NO_VERIFY, 0);
+        if (ret < 0) {
+            WOLFSSL_MSG("ASN RSA cert parse error");
+            FreeDecodedCert(dCert);
+            wc_FreeRsaKey(key);
+            continue;
+        }
+
+        if (wc_RsaPublicKeyDecode(dCert->publicKey, &scratch, key,
+                                  dCert->pubKeySize) < 0) {
+            WOLFSSL_MSG("ASN RSA key decode error");
+            FreeDecodedCert(dCert);
+            wc_FreeRsaKey(key);
+            continue;
+        }
+
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        do {
+            ret = wc_AsyncWait(ret, &key->asyncDev,
+                WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_RsaSSL_Verify(sig, sigSz, digest, MAX_PKCS7_DIGEST_SZ,
+                    key);
+            }
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        } while (ret == WC_PENDING_E);
+    #endif
+        FreeDecodedCert(dCert);
+        wc_FreeRsaKey(key);
+
+        if ((ret > 0) && (hashSz == (word32)ret)) {
+            if (XMEMCMP(digest, hash, hashSz) == 0) {
+                /* found signer that successfully verified signature */
+                verified = 1;
+                break;
+            }
+        }
+    }
+
+    if (verified == 0) {
+        ret = SIG_VERIFY_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(key,    pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(dCert,  pkcs7->heap, DYNAMIC_TYPE_DCERT);
+#endif
+
+    return ret;
+}
+
+#endif /* NO_RSA */
+
+
+#ifdef HAVE_ECC
+
+/* returns size of signature put into out, negative on error */
+static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
+                                byte* hash, word32 hashSz)
+{
+    int ret = 0, i;
+    int res = 0;
+    int verified = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* digest;
+    ecc_key* key;
+    DecodedCert* dCert;
+#else
+    byte digest[MAX_PKCS7_DIGEST_SZ];
+    ecc_key key[1];
+    DecodedCert stack_dCert;
+    DecodedCert* dCert = &stack_dCert;
+#endif
+    word32 idx = 0;
+
+    if (pkcs7 == NULL || sig == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef WOLFSSL_SMALL_STACK
+    digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (digest == NULL)
+        return MEMORY_E;
+
+    key = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (key == NULL) {
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+
+    dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
+                                  DYNAMIC_TYPE_DCERT);
+    if (dCert == NULL) {
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(key,    pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
+#endif
+
+    XMEMSET(digest, 0, MAX_PKCS7_DIGEST_SZ);
+
+    /* loop over certs received in certificates set, try to find one
+     * that will validate signature */
+    for (i = 0; i < MAX_PKCS7_CERTS; i++) {
+
+        verified = 0;
+
+        if (pkcs7->certSz[i] == 0)
+            continue;
+
+        ret = wc_ecc_init_ex(key, pkcs7->heap, pkcs7->devId);
+        if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(key,    pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(dCert,  pkcs7->heap, DYNAMIC_TYPE_DCERT);
+#endif
+            return ret;
+        }
+
+        InitDecodedCert(dCert, pkcs7->cert[i], pkcs7->certSz[i], pkcs7->heap);
+        /* not verifying, only using this to extract public key */
+        ret = ParseCert(dCert, CA_TYPE, NO_VERIFY, 0);
+        if (ret < 0) {
+            WOLFSSL_MSG("ASN ECC cert parse error");
+            FreeDecodedCert(dCert);
+            wc_ecc_free(key);
+            continue;
+        }
+
+        if (wc_EccPublicKeyDecode(pkcs7->publicKey, &idx, key,
+                                  pkcs7->publicKeySz) < 0) {
+            WOLFSSL_MSG("ASN ECC key decode error");
+            FreeDecodedCert(dCert);
+            wc_ecc_free(key);
+            continue;
+        }
+
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        do {
+            ret = wc_AsyncWait(ret, &key->asyncDev,
+                WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_ecc_verify_hash(sig, sigSz, hash, hashSz, &res, key);
+            }
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        } while (ret == WC_PENDING_E);
+    #endif
+
+        FreeDecodedCert(dCert);
+        wc_ecc_free(key);
+
+        if (ret == 0 && res == 1) {
+            /* found signer that successfully verified signature */
+            verified = 1;
+            break;
+        }
+    }
+
+    if (verified == 0) {
+        ret = SIG_VERIFY_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(key,    pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(dCert,  pkcs7->heap, DYNAMIC_TYPE_DCERT);
+#endif
+
+    return ret;
+}
+
+#endif /* HAVE_ECC */
+
+
+/* build SignedData digest, both in PKCS#7 DigestInfo format and
+ * as plain digest for CMS.
+ *
+ * pkcs7          - pointer to initialized PKCS7 struct
+ * signedAttrib   - signed attributes
+ * signedAttribSz - size of signedAttrib, octets
+ * pkcs7Digest    - [OUT] PKCS#7 DigestInfo
+ * pkcs7DigestSz  - [IN/OUT] size of pkcs7Digest
+ * plainDigest    - [OUT] pointer to plain digest, offset into pkcs7Digest
+ * plainDigestSz  - [OUT] size of digest at plainDigest
+ *
+ * returns 0 on success, negative on error */
+static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib,
+                                      word32 signedAttribSz, byte* pkcs7Digest,
+                                      word32* pkcs7DigestSz, byte** plainDigest,
+                                      word32* plainDigestSz,
+                                      const byte* hashBuf, word32 hashBufSz)
+{
+    int ret = 0, digIdx = 0;
+    word32 attribSetSz = 0, hashSz = 0;
+    byte attribSet[MAX_SET_SZ];
+    byte digest[WC_MAX_DIGEST_SIZE];
+    byte digestInfoSeq[MAX_SEQ_SZ];
+    byte digestStr[MAX_OCTET_STR_SZ];
+    byte algoId[MAX_ALGO_SZ];
+    word32 digestInfoSeqSz, digestStrSz, algoIdSz;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* digestInfo;
+#else
+    byte  digestInfo[MAX_PKCS7_DIGEST_SZ];
+#endif
+
+    wc_HashAlg hash;
+    enum wc_HashType hashType;
+
+    /* check arguments */
+    if (pkcs7 == NULL || pkcs7Digest == NULL ||
+        pkcs7DigestSz == NULL || plainDigest == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    hashType = wc_OidGetHash(pkcs7->hashOID);
+    ret = wc_HashGetDigestSize(hashType);
+    if (ret < 0)
+        return ret;
+    hashSz = ret;
+
+    if (signedAttribSz > 0) {
+        if (signedAttrib == NULL)
+            return BAD_FUNC_ARG;
+    }
+    else {
+        if (hashBuf && hashBufSz > 0) {
+            if (hashSz != hashBufSz)
+                return BAD_FUNC_ARG;
+        }
+        else if (pkcs7->content == NULL)
+            return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    digestInfo = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (digestInfo == NULL)
+        return MEMORY_E;
+#endif
+
+    XMEMSET(pkcs7Digest, 0, *pkcs7DigestSz);
+    XMEMSET(digest,      0, WC_MAX_DIGEST_SIZE);
+    XMEMSET(digestInfo,  0, MAX_PKCS7_DIGEST_SZ);
 
-    if (contentType != DATA) {
-        WOLFSSL_MSG("PKCS#7 inner input not of type Data");
-        return PKCS7_OID_E;
+
+    /* calculate digest */
+    if (hashBuf && hashBufSz > 0 && signedAttribSz == 0) {
+        XMEMCPY(digest, hashBuf, hashBufSz);
     }
+    else {
+        ret = wc_HashInit(&hash, hashType);
+        if (ret < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+            return ret;
+        }
+
+        if (signedAttribSz > 0) {
+            attribSetSz = SetSet(signedAttribSz, attribSet);
+
+            /* calculate digest */
+            ret = wc_HashUpdate(&hash, hashType, attribSet, attribSetSz);
+            if (ret == 0)
+                ret = wc_HashUpdate(&hash, hashType, signedAttrib, signedAttribSz);
+            if (ret == 0)
+                ret = wc_HashFinal(&hash, hashType, digest);
+        } else {
+            ret = wc_HashUpdate(&hash, hashType, pkcs7->content, pkcs7->contentSz);
+            if (ret == 0)
+                ret = wc_HashFinal(&hash, hashType, digest);
+        }
+
+        wc_HashFree(&hash, hashType);
+        if (ret < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+            XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+            return ret;
+        }
+    }
+
+    /* Set algoID, with NULL attributes */
+    algoIdSz = SetAlgoID(pkcs7->hashOID, algoId, oidHashType, 0);
+
+    digestStrSz = SetOctetString(hashSz, digestStr);
+    digestInfoSeqSz = SetSequence(algoIdSz + digestStrSz + hashSz,
+                                  digestInfoSeq);
+
+    XMEMCPY(digestInfo + digIdx, digestInfoSeq, digestInfoSeqSz);
+    digIdx += digestInfoSeqSz;
+    XMEMCPY(digestInfo + digIdx, algoId, algoIdSz);
+    digIdx += algoIdSz;
+    XMEMCPY(digestInfo + digIdx, digestStr, digestStrSz);
+    digIdx += digestStrSz;
+    XMEMCPY(digestInfo + digIdx, digest, hashSz);
+    digIdx += hashSz;
+
+    XMEMCPY(pkcs7Digest, digestInfo, digIdx);
+    *pkcs7DigestSz = digIdx;
+
+    /* set plain digest pointer */
+    *plainDigest = pkcs7Digest + digIdx - hashSz;
+    *plainDigestSz = hashSz;
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    return 0;
+}
 
-    if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+
+/* Verifies CMS/PKCS7 SignedData content digest matches that which is
+ * included in the messageDigest signed attribute. Only called when
+ * signed attributes are present, otherwise original signature verification
+ * is done over content.
+ *
+ * pkcs7          - pointer to initialized PKCS7 struct
+ * hashBuf        - pointer to user-provided hash buffer, used with
+ *                  wc_PKCS7_VerifySignedData_ex()
+ * hashBufSz      - size of hashBuf, octets
+ *
+ * return 0 on success, negative on error */
+static int wc_PKCS7_VerifyContentMessageDigest(PKCS7* pkcs7,
+                                               const byte* hashBuf,
+                                               word32 hashSz)
+{
+    int ret = 0, digestSz = 0, innerAttribSz = 0;
+    word32 idx = 0;
+    byte* digestBuf = NULL;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* digest = NULL;
+#else
+    byte  digest[MAX_PKCS7_DIGEST_SZ];
+#endif
+    PKCS7DecodedAttrib* attrib;
+    enum wc_HashType hashType;
+
+    /* messageDigest OID (1.2.840.113549.1.9.4) */
+    const byte mdOid[] =
+            { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04 };
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    if ((pkcs7->content == NULL || pkcs7->contentSz == 0) &&
+        (hashBuf == NULL || hashSz == 0)) {
+        WOLFSSL_MSG("SignedData bundle has no content or hash to verify");
+        return BAD_FUNC_ARG;
+    }
+
+    /* lookup messageDigest attribute */
+    attrib = findAttrib(pkcs7, mdOid, sizeof(mdOid));
+    if (attrib == NULL) {
+        WOLFSSL_MSG("messageDigest attribute not in bundle, must be when "
+                    "signed attribs are present");
         return ASN_PARSE_E;
+    }
 
-    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+    /* advance past attrib->value ASN.1 header and length */
+    if (attrib->value == NULL || attrib->valueSz == 0)
         return ASN_PARSE_E;
 
-    if (pkiMsg[idx++] != ASN_OCTET_STRING)
+    if (attrib->value[idx++] != ASN_OCTET_STRING)
         return ASN_PARSE_E;
 
-    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+    if (GetLength(attrib->value, &idx, &innerAttribSz, attrib->valueSz) < 0)
         return ASN_PARSE_E;
 
-    /* Save the inner data as the content. */
-    if (length > 0) {
-        /* Local pointer for calculating hashes later */
-        pkcs7->content = content = &pkiMsg[idx];
-        pkcs7->contentSz = contentSz = length;
-        idx += length;
+    /* get hash type and size */
+    hashType = wc_OidGetHash(pkcs7->hashOID);
+    if (hashType == WC_HASH_TYPE_NONE) {
+        WOLFSSL_MSG("Error getting hash type for PKCS7 content verification");
+        return BAD_FUNC_ARG;
     }
 
-    /* Get the implicit[0] set of certificates */
-    if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
-        idx++;
-        if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-            return ASN_PARSE_E;
+    /* build content hash if needed, or use existing hash value */
+    if (hashBuf == NULL) {
 
-        if (length > 0) {
-            /* At this point, idx is at the first certificate in
-             * a set of certificates. There may be more than one,
-             * or none, or they may be a PKCS 6 extended
-             * certificate. We want to save the first cert if it
-             * is X.509. */
+#ifdef WOLFSSL_SMALL_STACK
+        digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
+                                DYNAMIC_TYPE_TMP_BUFFER);
+        if (digest == NULL)
+            return MEMORY_E;
+#endif
+        XMEMSET(digest, 0, MAX_PKCS7_DIGEST_SZ);
 
-            word32 certIdx = idx;
+        ret = wc_Hash(hashType, pkcs7->content, pkcs7->contentSz, digest,
+                      MAX_PKCS7_DIGEST_SZ);
+        if (ret < 0) {
+            WOLFSSL_MSG("Error hashing PKCS7 content for verification");
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            return ret;
+        }
 
-            if (pkiMsg[certIdx++] == (ASN_CONSTRUCTED | ASN_SEQUENCE)) {
-                if (GetLength(pkiMsg, &certIdx, &certSz, pkiMsgSz) < 0)
-                    return ASN_PARSE_E;
+        digestBuf = digest;
+        digestSz = wc_HashGetDigestSize(hashType);
+        if (digestSz < 0) {
+            WOLFSSL_MSG("Invalid hash type");
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            return digestSz;
+        }
+    } else {
+
+        /* user passed in pre-computed hash */
+        digestBuf = (byte*)hashBuf;
+        digestSz  = (int)hashSz;
+    }
+
+    /* compare generated to hash in messageDigest attribute */
+    if ((innerAttribSz != digestSz) ||
+        (XMEMCMP(attrib->value + idx, digestBuf, (word32)digestSz) != 0)) {
+        WOLFSSL_MSG("Content digest does not match messageDigest attrib value");
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return SIG_VERIFY_E;
+    }
+
+    if (hashBuf == NULL) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    }
 
-                cert = &pkiMsg[idx];
-                certSz += (certIdx - idx);
+    return 0;
+}
+
+
+/* verifies SignedData signature, over either PKCS#7 DigestInfo or
+ * content digest.
+ *
+ * pkcs7          - pointer to initialized PKCS7 struct
+ * sig            - signature to verify
+ * sigSz          - size of sig
+ * signedAttrib   - signed attributes, or null if empty
+ * signedAttribSz - size of signedAttributes
+ *
+ * return 0 on success, negative on error */
+static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig,
+                                             word32 sigSz, byte* signedAttrib,
+                                             word32 signedAttribSz,
+                                             const byte* hashBuf, word32 hashSz)
+{
+    int ret = 0;
+    word32 plainDigestSz = 0, pkcs7DigestSz;
+    byte* plainDigest = NULL; /* offset into pkcs7Digest */
+#ifdef WOLFSSL_SMALL_STACK
+    byte* pkcs7Digest;
+#else
+    byte  pkcs7Digest[MAX_PKCS7_DIGEST_SZ];
+#endif
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    /* allocate space to build hash */
+    pkcs7DigestSz = MAX_PKCS7_DIGEST_SZ;
+#ifdef WOLFSSL_SMALL_STACK
+    pkcs7Digest = (byte*)XMALLOC(pkcs7DigestSz, pkcs7->heap,
+                                 DYNAMIC_TYPE_TMP_BUFFER);
+    if (pkcs7Digest == NULL)
+        return MEMORY_E;
+#endif
+
+    XMEMSET(pkcs7Digest, 0, pkcs7DigestSz);
+
+    /* verify signed attrib digest matches that of content */
+    if (signedAttrib != NULL) {
+        ret = wc_PKCS7_VerifyContentMessageDigest(pkcs7, hashBuf, hashSz);
+        if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            return ret;
+        }
+    }
+
+    /* build hash to verify against */
+    ret = wc_PKCS7_BuildSignedDataDigest(pkcs7, signedAttrib,
+                                         signedAttribSz, pkcs7Digest,
+                                         &pkcs7DigestSz, &plainDigest,
+                                         &plainDigestSz, hashBuf, hashSz);
+    if (ret < 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return ret;
+    }
+
+    /* If no certificates are available then store the signature and hash for
+     * user to verify. Make sure that different return value than success is
+     * returned because the signature was not verified here. */
+    if (ret == 0) {
+        byte haveCert = 0;
+        int  i;
+
+        for (i = 0; i < MAX_PKCS7_CERTS; i++) {
+            if (pkcs7->certSz[i] == 0)
+                continue;
+            haveCert = 1;
+        }
+
+        if (!haveCert) {
+            WOLFSSL_MSG("No certificates in bundle to verify signature");
+
+            /* store signature */
+            XFREE(pkcs7->signature, pkcs7->heap, DYNAMIC_TYPE_SIGNATURE);
+            pkcs7->signature = NULL;
+            pkcs7->signatureSz = 0;
+            pkcs7->signature = (byte*)XMALLOC(sigSz, pkcs7->heap,
+                    DYNAMIC_TYPE_SIGNATURE);
+            if (pkcs7->signature == NULL) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return MEMORY_E;
+            }
+            XMEMCPY(pkcs7->signature, sig, sigSz);
+            pkcs7->signatureSz = sigSz;
+
+            /* store plain digest (CMS and ECC) */
+            XFREE(pkcs7->plainDigest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+            pkcs7->plainDigest = NULL;
+            pkcs7->plainDigestSz = 0;
+            pkcs7->plainDigest = (byte*)XMALLOC(plainDigestSz, pkcs7->heap,
+                    DYNAMIC_TYPE_DIGEST);
+            if (pkcs7->plainDigest == NULL) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return MEMORY_E;
             }
-            wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
+            XMEMCPY(pkcs7->plainDigest, plainDigest, plainDigestSz);
+            pkcs7->plainDigestSz = plainDigestSz;
+
+            /* store pkcs7 digest (default RSA) */
+            XFREE(pkcs7->pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+            pkcs7->pkcs7Digest = NULL;
+            pkcs7->pkcs7DigestSz = 0;
+            pkcs7->pkcs7Digest = (byte*)XMALLOC(pkcs7DigestSz, pkcs7->heap,
+                    DYNAMIC_TYPE_DIGEST);
+            if (pkcs7->pkcs7Digest == NULL) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return MEMORY_E;
+            }
+            XMEMCPY(pkcs7->pkcs7Digest, pkcs7Digest, pkcs7DigestSz);
+            pkcs7->pkcs7DigestSz = pkcs7DigestSz;
+
+            #ifdef WOLFSSL_SMALL_STACK
+            XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+            return PKCS7_SIGNEEDS_CHECK;
         }
-        idx += length;
     }
 
-    /* Get the implicit[1] set of crls */
-    if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
-        idx++;
-        if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-            return ASN_PARSE_E;
 
-        /* Skip the set */
-        idx += length;
+
+    switch (pkcs7->publicKeyOID) {
+
+#ifndef NO_RSA
+        case RSAk:
+            ret = wc_PKCS7_RsaVerify(pkcs7, sig, sigSz, pkcs7Digest,
+                                     pkcs7DigestSz);
+            if (ret < 0) {
+                WOLFSSL_MSG("PKCS#7 verification failed, trying CMS");
+                ret = wc_PKCS7_RsaVerify(pkcs7, sig, sigSz, plainDigest,
+                                         plainDigestSz);
+            }
+            break;
+#endif
+
+#ifdef HAVE_ECC
+        case ECDSAk:
+            ret = wc_PKCS7_EcdsaVerify(pkcs7, sig, sigSz, plainDigest,
+                                       plainDigestSz);
+            break;
+#endif
+
+        default:
+            WOLFSSL_MSG("Unsupported public key type");
+            ret = BAD_FUNC_ARG;
     }
 
-    /* Get the set of signerInfos */
-    if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+#ifdef WOLFSSL_SMALL_STACK
+     XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+    return ret;
+}
 
-    if (length > 0) {
-        /* Get the sequence of the first signerInfo */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-            return ASN_PARSE_E;
 
-        /* Get the version */
-        if (GetMyVersion(pkiMsg, &idx, &version) < 0)
+/* set correct public key OID based on signature OID, stores in
+ * pkcs7->publicKeyOID and returns same value */
+static int wc_PKCS7_SetPublicKeyOID(PKCS7* pkcs7, int sigOID)
+{
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    pkcs7->publicKeyOID = 0;
+
+    switch (sigOID) {
+
+    #ifndef NO_RSA
+        /* RSA signature types */
+        case CTC_MD2wRSA:
+        case CTC_MD5wRSA:
+        case CTC_SHAwRSA:
+        case CTC_SHA224wRSA:
+        case CTC_SHA256wRSA:
+        case CTC_SHA384wRSA:
+        case CTC_SHA512wRSA:
+            pkcs7->publicKeyOID = RSAk;
+            break;
+
+        /* if sigOID is already RSAk */
+        case RSAk:
+            pkcs7->publicKeyOID = sigOID;
+            break;
+    #endif
+
+    #ifndef NO_DSA
+        /* DSA signature types */
+        case CTC_SHAwDSA:
+            pkcs7->publicKeyOID = DSAk;
+            break;
+
+        /* if sigOID is already DSAk */
+        case DSAk:
+            pkcs7->publicKeyOID = sigOID;
+            break;
+    #endif
+
+    #ifdef HAVE_ECC
+        /* ECDSA signature types */
+        case CTC_SHAwECDSA:
+        case CTC_SHA224wECDSA:
+        case CTC_SHA256wECDSA:
+        case CTC_SHA384wECDSA:
+        case CTC_SHA512wECDSA:
+            pkcs7->publicKeyOID = ECDSAk;
+            break;
+
+        /* if sigOID is already ECDSAk */
+        case ECDSAk:
+            pkcs7->publicKeyOID = sigOID;
+            break;
+    #endif
+
+        default:
+            WOLFSSL_MSG("Unsupported public key algorithm");
+            return ASN_SIG_KEY_E;
+    }
+
+    return pkcs7->publicKeyOID;
+}
+
+
+/* Parses through the attributes and adds them to the PKCS7 structure
+ * Creates dynamic attribute structures that are free'd with calling
+ * wc_PKCS7_Free()
+ *
+ * NOTE: An attribute has the ASN1 format of
+ ** Sequence
+ ****** Object ID
+ ****** Set
+ ********** {PritnableString, UTCTime, OCTET STRING ...}
+ *
+ * pkcs7  the PKCS7 structure to put the parsed attributes into
+ * in     buffer holding all attributes
+ * inSz   size of in buffer
+ *
+ * returns the number of attributes parsed on success
+ */
+static int wc_PKCS7_ParseAttribs(PKCS7* pkcs7, byte* in, int inSz)
+{
+    int    found = 0;
+    word32 idx   = 0;
+    word32 oid;
+
+    if (pkcs7 == NULL || in == NULL || inSz < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    while (idx < (word32)inSz) {
+        int length  = 0;
+        int oidIdx;
+        PKCS7DecodedAttrib* attrib;
+
+        if (GetSequence(in, &idx, &length, inSz) < 0)
             return ASN_PARSE_E;
 
-        if (version != 1) {
-            WOLFSSL_MSG("PKCS#7 signerInfo needs to be of version 1");
-            return ASN_VERSION_E;
+        attrib = (PKCS7DecodedAttrib*)XMALLOC(sizeof(PKCS7DecodedAttrib),
+                pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (attrib == NULL) {
+            return MEMORY_E;
         }
+        XMEMSET(attrib, 0, sizeof(PKCS7DecodedAttrib));
 
-        /* Get the sequence of IssuerAndSerialNumber */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        oidIdx = idx;
+        if (GetObjectId(in, &idx, &oid, oidIgnoreType, inSz)
+                < 0) {
+            XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
             return ASN_PARSE_E;
+        }
+        attrib->oidSz = idx - oidIdx;
+        attrib->oid = (byte*)XMALLOC(attrib->oidSz, pkcs7->heap,
+                                     DYNAMIC_TYPE_PKCS7);
+        if (attrib->oid == NULL) {
+            XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return MEMORY_E;
+        }
+        XMEMCPY(attrib->oid, in + oidIdx, attrib->oidSz);
 
-        /* Skip it */
-        idx += length;
+        /* Get Set that contains the printable string value */
+        if (GetSet(in, &idx, &length, inSz) < 0) {
+            XFREE(attrib->oid, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return ASN_PARSE_E;
+        }
 
-        /* Get the sequence of digestAlgorithm */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        if ((inSz - idx) < (word32)length) {
+            XFREE(attrib->oid, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
             return ASN_PARSE_E;
+        }
 
-        /* Skip it */
+        attrib->valueSz = (word32)length;
+        attrib->value = (byte*)XMALLOC(attrib->valueSz, pkcs7->heap,
+                                       DYNAMIC_TYPE_PKCS7);
+        if (attrib->value == NULL) {
+            XFREE(attrib->oid, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(attrib, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return MEMORY_E;
+        }
+        XMEMCPY(attrib->value, in + idx, attrib->valueSz);
         idx += length;
 
+        /* store attribute in linked list */
+        if (pkcs7->decodedAttrib != NULL) {
+            attrib->next = pkcs7->decodedAttrib;
+            pkcs7->decodedAttrib = attrib;
+        } else {
+            pkcs7->decodedAttrib = attrib;
+        }
+        found++;
+    }
+
+    return found;
+}
+
+
+/* option to turn off support for degenerate cases
+ * flag 0 turns off support
+ * flag 1 turns on support
+ *
+ * by default support for SignedData degenerate cases is on
+ */
+void wc_PKCS7_AllowDegenerate(PKCS7* pkcs7, word16 flag)
+{
+    if (pkcs7) {
+        if (flag) { /* flag of 1 turns on support for degenerate */
+            pkcs7->noDegenerate = 0;
+        }
+        else { /* flag of 0 turns off support */
+            pkcs7->noDegenerate = 1;
+        }
+    }
+}
+
+/* Parses through a signerInfo set. Reads buffer "in" from "idxIn" to "idxIn" +
+ * length treating the current "idxIn" plus the length of set as max possible
+ * index.
+ *
+ * In the case that signed attributes are found "signedAttrib" gets set to point
+ *  at their location in the buffer "in". Also in this case signedAttribSz gets
+ *  set to the size of the signedAttrib buffer.
+ *
+ * returns 0 on success
+ */
+static int wc_PKCS7_ParseSignerInfo(PKCS7* pkcs7, byte* in, word32 inSz,
+        word32* idxIn, int degenerate, byte** signedAttrib, int* signedAttribSz)
+{
+    int ret = 0;
+    int length;
+    int version;
+    word32 sigOID = 0, hashOID = 0;
+    word32 idx = *idxIn, localIdx;
+    byte tag;
+
+    WOLFSSL_ENTER("wc_PKCS7_ParseSignerInfo");
+    /* require a signer if degenerate case not allowed */
+    if (inSz == 0 && pkcs7->noDegenerate == 1) {
+        WOLFSSL_MSG("Set to not allow degenerate cases");
+        return PKCS7_NO_SIGNER_E;
+    }
+
+    if (inSz == 0 && degenerate == 0) {
+        WOLFSSL_MSG("PKCS7 signers expected");
+        return PKCS7_NO_SIGNER_E;
+    }
+
+    /* not a degenerate case and there is elements in the set */
+    if (inSz > 0 && degenerate == 0) {
+        ret = wc_PKCS7_SignerInfoNew(pkcs7);
+
+        /* Get the sequence of the first signerInfo */
+        if (ret == 0 && GetSequence(in, &idx, &length, inSz) < 0)
+            ret = ASN_PARSE_E;
+
+        /* Get the version */
+        if (ret == 0 && GetMyVersion(in, &idx, &version, inSz) < 0)
+            ret = ASN_PARSE_E;
+
+        if (ret == 0) {
+            pkcs7->signerInfo->version = version;
+        }
+
+        if (ret == 0 && version == 1) {
+            /* Get the sequence of IssuerAndSerialNumber */
+            if (GetSequence(in, &idx, &length, inSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0) {
+                ret = wc_PKCS7_SignerInfoSetSID(pkcs7, in + idx, length);
+                idx += length;
+            }
+
+        } else if (ret == 0 && version == 3) {
+            /* Get the sequence of SubjectKeyIdentifier */
+            if (idx + 1 > inSz)
+                ret = BUFFER_E;
+
+            localIdx = idx;
+            if (ret == 0 && GetASNTag(in, &localIdx, &tag, inSz) == 0 &&
+                   tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+                idx++;
+
+                if (GetLength(in, &idx, &length, inSz) <= 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && idx + 1 > inSz)
+                    ret = BUFFER_E;
+
+                if (ret == 0 && GetASNTag(in, &idx, &tag, inSz) < 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && tag != ASN_OCTET_STRING)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && GetLength(in, &idx, &length, inSz) < 0)
+                    ret = ASN_PARSE_E;
+            }
+            else {
+                /* check if SKID with ASN_CONTEXT_SPECIFIC otherwise in version
+                 * 3 try to get issuerAndSerial */
+                localIdx = idx;
+                if (GetASNTag(in, &localIdx, &tag, inSz) == 0 &&
+                        tag == ASN_CONTEXT_SPECIFIC) {
+                    idx++;
+                    if (ret == 0 && GetLength(in, &idx, &length, inSz) < 0)
+                        ret = ASN_PARSE_E;
+                }
+                else {
+                    if (pkcs7->version != 3) {
+                        WOLFSSL_MSG("Unexpected signer info found with version");
+                        ret = ASN_PARSE_E;
+                    }
+
+                    if (ret == 0 && GetSequence(in, &idx, &length, inSz) < 0)
+                        ret = ASN_PARSE_E;
+                }
+            }
+
+            if (ret == 0) {
+                ret = wc_PKCS7_SignerInfoSetSID(pkcs7, in + idx, length);
+                idx += length;
+            }
+
+        } else {
+            WOLFSSL_MSG("PKCS#7 signerInfo version must be 1 or 3");
+            ret = ASN_VERSION_E;
+        }
+
+        /* Get the sequence of digestAlgorithm */
+        if (ret == 0 && GetAlgoId(in, &idx, &hashOID, oidHashType, inSz) < 0) {
+            ret = ASN_PARSE_E;
+        }
+        pkcs7->hashOID = (int)hashOID;
+
         /* Get the IMPLICIT[0] SET OF signedAttributes */
-        if (pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+        localIdx = idx;
+        if (ret == 0 && GetASNTag(in, &localIdx, &tag, inSz) == 0 &&
+                tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
             idx++;
 
-            if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-                return ASN_PARSE_E;
+            if (GetLength(in, &idx, &length, inSz) < 0)
+                ret = ASN_PARSE_E;
+
+            /* save pointer and length */
+            *signedAttrib = &in[idx];
+            *signedAttribSz = length;
+
+            if (ret == 0 && wc_PKCS7_ParseAttribs(pkcs7, *signedAttrib,
+                        *signedAttribSz) < 0) {
+                WOLFSSL_MSG("Error parsing signed attributes");
+                ret = ASN_PARSE_E;
+            }
 
             idx += length;
         }
 
-        /* Get the sequence of digestEncryptionAlgorithm */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-            return ASN_PARSE_E;
+        /* Get digestEncryptionAlgorithm */
+        if (ret == 0 && GetAlgoId(in, &idx, &sigOID, oidSigType, inSz) < 0) {
+            ret = ASN_PARSE_E;
+        }
 
-        /* Skip it */
-        idx += length;
+        /* store public key type based on digestEncryptionAlgorithm */
+        if (ret == 0) {
+            ret = wc_PKCS7_SetPublicKeyOID(pkcs7, sigOID);
+            if (ret < 0) {
+                WOLFSSL_MSG("Failed to set public key OID from signature");
+            }
+            else {
+                /* if previous return was positive then was success */
+                ret = 0;
+            }
+        }
+    }
 
-        /* Get the signature */
-        if (pkiMsg[idx] == ASN_OCTET_STRING) {
-            idx++;
+    /* update index on success */
+    if (ret == 0) {
+        *idxIn = idx;
+    }
 
-            if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-                return ASN_PARSE_E;
+    return ret;
+}
 
-            /* save pointer and length */
-            sig = &pkiMsg[idx];
-            sigSz = length;
 
+/* Finds the certificates in the message and saves it. By default allows
+ * degenerate cases which can have no signer.
+ *
+ * By default expects type SIGNED_DATA (SignedData) which can have any number of
+ * elements in signerInfos collection, including zero. (RFC2315 section 9.1)
+ * When adding support for the case of SignedAndEnvelopedData content types a
+ * signer is required. In this case the PKCS7 flag noDegenerate could be set.
+ */
+static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
+    word32 hashSz, byte* in, word32 inSz,
+    byte* in2, word32 in2Sz)
+{
+    word32 idx, maxIdx = inSz, outerContentType, contentTypeSz = 0, totalSz = 0;
+    int length = 0, version = 0, ret = 0;
+    byte* content = NULL;
+    byte* contentDynamic = NULL;
+    byte* sig = NULL;
+    byte* cert = NULL;
+    byte* signedAttrib = NULL;
+    byte* contentType = NULL;
+    int contentSz = 0, sigSz = 0, certSz = 0, signedAttribSz = 0;
+    word32 localIdx, start;
+    byte degenerate = 0;
+    byte detached = 0;
+    byte tag = 0;
+#ifdef ASN_BER_TO_DER
+    byte* der;
+#endif
+    int multiPart = 0, keepContent;
+    int contentLen = 0;
+
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+#ifndef NO_PKCS7_STREAM
+    word32 stateIdx = 0;
+    long rc;
+#endif
+
+    byte* pkiMsg2 = in2;
+    word32 pkiMsg2Sz = in2Sz;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+#ifndef NO_PKCS7_STREAM
+    /* allow for 0 size inputs with stream mode */
+    if (pkiMsg == NULL && pkiMsgSz > 0)
+        return BAD_FUNC_ARG;
+
+#else
+    if (pkiMsg == NULL || pkiMsgSz == 0)
+        return BAD_FUNC_ARG;
+#endif
+
+    if ((hashSz > 0 && hashBuf == NULL) || (pkiMsg2Sz > 0 && pkiMsg2 == NULL)) {
+        return BAD_FUNC_ARG;
+    }
+    idx = 0;
+
+#ifdef ASN_BER_TO_DER
+    if (pkcs7->derSz > 0 && pkcs7->der) {
+        pkiMsg = in = pkcs7->der;
+    }
+#endif
+
+#ifndef NO_PKCS7_STREAM
+    if (pkcs7->stream == NULL) {
+        if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) {
+            return ret;
+        }
+    }
+#endif
+
+    switch (pkcs7->state) {
+        case WC_PKCS7_START:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
+                            MAX_VERSION_SZ + MAX_SEQ_SZ + MAX_LENGTH_SZ +
+                            ASN_TAG_SZ + MAX_OID_SZ + MAX_SEQ_SZ,
+                            &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length :inSz;
+        #endif
+
+            /* determine total message size */
+            totalSz = pkiMsgSz;
+            if (pkiMsg2 && pkiMsg2Sz > 0) {
+                totalSz += pkiMsg2Sz + pkcs7->contentSz;
+            }
+
+            /* Get the contentInfo sequence */
+            if (ret == 0 && GetSequence_ex(pkiMsg, &idx, &length, totalSz,
+                        NO_USER_CHECK) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && length == 0 && pkiMsg[idx-1] == 0x80) {
+        #ifdef ASN_BER_TO_DER
+                word32 len = 0;
+
+                ret = wc_BerToDer(pkiMsg, pkiMsgSz, NULL, &len);
+                if (ret != LENGTH_ONLY_E)
+                    return ret;
+                pkcs7->der = (byte*)XMALLOC(len, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                if (pkcs7->der == NULL)
+                    return MEMORY_E;
+                ret = wc_BerToDer(pkiMsg, pkiMsgSz, pkcs7->der, &len);
+                if (ret < 0)
+                    return ret;
+
+                pkiMsg   = in = pkcs7->der;
+                pkiMsgSz = pkcs7->derSz = len;
+                idx = 0;
+                if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz,
+                            NO_USER_CHECK) < 0)
+                    return ASN_PARSE_E;
+
+            #ifndef NO_PKCS7_STREAM
+                rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK,
+                    pkiMsg, pkiMsgSz);
+                if (rc < 0) {
+                    ret = (int)rc;
+                    break;
+                }
+            #endif
+        #else
+                ret = BER_INDEF_E;
+        #endif
+            }
+
+            /* Get the contentInfo contentType */
+            if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &outerContentType,
+                        pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && outerContentType != SIGNED_DATA) {
+                WOLFSSL_MSG("PKCS#7 input not of type SignedData");
+                ret = PKCS7_OID_E;
+            }
+
+            /* get the ContentInfo content */
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, totalSz) != 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && GetLength_ex(pkiMsg, &idx, &length, totalSz,
+                        NO_USER_CHECK) < 0)
+                ret = ASN_PARSE_E;
+
+            /* Get the signedData sequence */
+            if (ret == 0 && GetSequence_ex(pkiMsg, &idx, &length, totalSz,
+                        NO_USER_CHECK) < 0)
+                ret = ASN_PARSE_E;
+
+            /* Get the version */
+            if (ret == 0 && GetMyVersion(pkiMsg, &idx, &version, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+
+            /* version 1 follows RFC 2315 */
+            /* version 3 follows RFC 4108 */
+            if (ret == 0 && (version != 1 && version != 3)) {
+                WOLFSSL_MSG("PKCS#7 signedData needs to be version 1 or 3");
+                ret = ASN_VERSION_E;
+            }
+            pkcs7->version = version;
+
+            /* Get the set of DigestAlgorithmIdentifiers */
+            if (ret == 0 && GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            /* Skip the set. */
             idx += length;
+            degenerate = (length == 0)? 1 : 0;
+            if (pkcs7->noDegenerate == 1 && degenerate == 1) {
+                ret = PKCS7_NO_SIGNER_E;
+            }
+
+            if (ret != 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, &idx)) != 0) {
+                break;
+            }
+            if (pkiMsg2 && pkiMsg2Sz > 0) {
+                pkcs7->stream->maxLen += pkiMsg2Sz + pkcs7->contentSz;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, totalSz, 0, 0);
+        #endif
+
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE2);
+            FALL_THROUGH;
+
+        case WC_PKCS7_VERIFY_STAGE2:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz,
+                           MAX_SEQ_SZ + MAX_OID_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ
+                           + ASN_TAG_SZ + MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            wc_PKCS7_StreamGetVar(pkcs7, &totalSz, 0, 0);
+            if (pkcs7->stream->length > 0)
+                pkiMsgSz = pkcs7->stream->length;
+        #ifdef ASN_BER_TO_DER
+            else if (pkcs7->der)
+                pkiMsgSz = pkcs7->derSz;
+        #endif
+            else
+                pkiMsgSz = inSz;
+
+        #endif
+            /* Get the inner ContentInfo sequence */
+            if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz,
+                        NO_USER_CHECK) < 0)
+                ret = ASN_PARSE_E;
+
+            /* Get the inner ContentInfo contentType */
+            if (ret == 0) {
+                word32 tmpIdx = idx;
+
+                if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) != 0)
+                    ret = ASN_PARSE_E;
+
+                contentType = pkiMsg + tmpIdx;
+                contentTypeSz = length + (idx - tmpIdx);
+
+                idx += length;
+            }
+
+            if (ret != 0)
+                break;
+
+            /* Check for content info, it could be omitted when degenerate */
+            localIdx = idx;
+            ret = 0;
+            if (localIdx + 1 > pkiMsgSz) {
+                ret = BUFFER_E;
+                break;
+            }
+
+            if (ret == 0 && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) != 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && GetLength_ex(pkiMsg, &localIdx, &length, pkiMsgSz,
+                        NO_USER_CHECK) <= 0)
+                ret = ASN_PARSE_E;
+
+            if (localIdx >= pkiMsgSz) {
+                ret = BUFFER_E;
+            }
+
+            /* get length of content in the case that there is multiple parts */
+            if (ret == 0 && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && tag == (ASN_OCTET_STRING | ASN_CONSTRUCTED)) {
+                multiPart = 1;
+
+                /* Get length of all OCTET_STRINGs. */
+                if (GetLength_ex(pkiMsg, &localIdx, &contentLen, pkiMsgSz,
+                            NO_USER_CHECK) < 0)
+                    ret = ASN_PARSE_E;
+
+                /* Check whether there is one OCTET_STRING inside. */
+                start = localIdx;
+                if (localIdx >= pkiMsgSz) {
+                    ret = BUFFER_E;
+                }
+
+                if (ret == 0 && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz)
+                        != 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && tag != ASN_OCTET_STRING)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && GetLength_ex(pkiMsg, &localIdx, &length, pkiMsgSz,
+                            NO_USER_CHECK) < 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0) {
+                    /* Use single OCTET_STRING directly. */
+                    if (localIdx - start + length == (word32)contentLen)
+                        multiPart = 0;
+                    localIdx = start;
+                }
+            }
+
+            /* get length of content in case of single part */
+            if (ret == 0 && !multiPart) {
+                if (tag != ASN_OCTET_STRING)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && GetLength_ex(pkiMsg, &localIdx,
+                            &length, pkiMsgSz, NO_USER_CHECK) < 0)
+                    ret = ASN_PARSE_E;
+            }
+
+            /* update idx if successful */
+            if (ret == 0) {
+                /* support using header and footer without content */
+                if (pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0) {
+                    localIdx = 0;
+                }
+                idx = localIdx;
+            }
+            else {
+
+                /* if pkcs7->content and pkcs7->contentSz are set, try to
+                   process as a detached signature */
+                if (!degenerate &&
+                    (pkcs7->content != NULL && pkcs7->contentSz != 0)) {
+                    detached = 1;
+                }
+
+                if (!degenerate && !detached && ret != 0)
+                    break;
+
+                length = 0; /* no content to read */
+                pkiMsg2   = pkiMsg;
+                pkiMsg2Sz = pkiMsgSz;
+            }
+
+        #ifndef NO_PKCS7_STREAM
+            /* save detached flag value */
+            pkcs7->stream->detached = detached;
+
+            /* save contentType */
+            pkcs7->stream->nonce = (byte*)XMALLOC(contentTypeSz, pkcs7->heap,
+                    DYNAMIC_TYPE_PKCS7);
+            if (pkcs7->stream->nonce == NULL) {
+                ret = MEMORY_E;
+                break;
+            }
+            else {
+                pkcs7->stream->nonceSz = contentTypeSz;
+                XMEMCPY(pkcs7->stream->nonce, contentType, contentTypeSz);
+            }
+
+            /* content expected? */
+            if ((ret == 0 && length > 0) &&
+                !(pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0)) {
+                pkcs7->stream->expected = length + ASN_TAG_SZ + MAX_LENGTH_SZ;
+            }
+            else {
+                pkcs7->stream->expected = ASN_TAG_SZ + MAX_LENGTH_SZ;
+            }
+
+            if (pkcs7->stream->expected > (pkcs7->stream->maxLen - idx)) {
+                pkcs7->stream->expected = pkcs7->stream->maxLen - idx;
+            }
+
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, pkiMsg2Sz, localIdx, length);
+
+            /* content length is in multiple parts */
+            if (multiPart) {
+                pkcs7->stream->expected = contentLen + ASN_TAG_SZ;
+            }
+            pkcs7->stream->multi = multiPart;
+
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE3);
+            FALL_THROUGH;
+
+        case WC_PKCS7_VERIFY_STAGE3:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                    pkiMsg, pkiMsgSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+        #ifdef ASN_BER_TO_DER
+            if (pkcs7->derSz != 0)
+                pkiMsgSz = pkcs7->derSz;
+            else
+        #endif
+                pkiMsgSz = (word32)rc;
+            wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, (int*)&localIdx, &length);
+
+            if (pkcs7->stream->length > 0) {
+                localIdx = 0;
+            }
+            multiPart = pkcs7->stream->multi;
+            detached  = pkcs7->stream->detached;
+            maxIdx = idx + pkcs7->stream->expected;
+        #endif
+
+            /* Break out before content because it can be optional in degenerate
+             * cases. */
+            if (ret != 0 && !degenerate)
+                break;
+
+            /* get parts of content */
+            if (ret == 0 && multiPart) {
+                int i = 0;
+                keepContent = !(pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0);
+
+                if (keepContent) {
+                    /* Create a buffer to hold content of OCTET_STRINGs. */
+                    pkcs7->contentDynamic = (byte*)XMALLOC(contentLen, pkcs7->heap,
+                                                            DYNAMIC_TYPE_PKCS7);
+                    if (pkcs7->contentDynamic == NULL)
+                        ret = MEMORY_E;
+                }
+
+                start = localIdx;
+                /* Use the data from each OCTET_STRING. */
+                while (ret == 0 && localIdx < start + contentLen) {
+                    if (GetASNTag(pkiMsg, &localIdx, &tag, totalSz) < 0)
+                        ret = ASN_PARSE_E;
+                    if (ret == 0 && tag != ASN_OCTET_STRING)
+                        ret = ASN_PARSE_E;
+
+                    if (ret == 0 && GetLength(pkiMsg, &localIdx, &length, totalSz) < 0)
+                        ret = ASN_PARSE_E;
+                    if (ret == 0 && length + localIdx > start + contentLen)
+                        ret = ASN_PARSE_E;
+
+                    if (ret == 0) {
+                        if (keepContent) {
+                            XMEMCPY(pkcs7->contentDynamic + i, pkiMsg + localIdx,
+                                                                        length);
+                        }
+                        i += length;
+                        localIdx += length;
+                    }
+                }
+                localIdx = start; /* reset for sanity check, increment later */
+                length = i;
+            }
+
+            /* Save the inner data as the content. */
+            if (ret == 0 && length > 0) {
+                contentSz = length;
+
+                /* support using header and footer without content */
+                if (pkiMsg2 && pkiMsg2Sz > 0 && hashBuf && hashSz > 0) {
+                    /* Content not provided, use provided pkiMsg2 footer */
+                    content = NULL;
+                    localIdx = 0;
+                    if (contentSz != (int)pkcs7->contentSz) {
+                        WOLFSSL_MSG("Data signed does not match contentSz provided");
+                        ret = BUFFER_E;
+                    }
+                }
+                else {
+                    if ((word32)length > pkiMsgSz - localIdx) {
+                        ret = BUFFER_E;
+                    }
+
+                    /* Content pointer for calculating hashes later */
+                    if (ret == 0 && !multiPart) {
+                        content = &pkiMsg[localIdx];
+                    }
+                    if (ret == 0 && multiPart) {
+                        content = pkcs7->contentDynamic;
+                    }
+
+                    if (ret == 0) {
+                        idx += length;
+
+                        pkiMsg2   = pkiMsg;
+                        pkiMsg2Sz = pkiMsgSz;
+                    #ifndef NO_PKCS7_STREAM
+                        pkcs7->stream->varOne = pkiMsg2Sz;
+                        pkcs7->stream->flagOne = 1;
+                    #endif
+                    }
+                }
+            }
+            else {
+                pkiMsg2 = pkiMsg;
+                pkiMsg2Sz = pkiMsgSz;
+            #ifndef NO_PKCS7_STREAM
+                pkcs7->stream->varOne = pkiMsg2Sz;
+                pkcs7->stream->flagOne = 1;
+            #endif
+            }
+
+            /* If getting the content info failed with non degenerate then return the
+             * error case. Otherwise with a degenerate it is ok if the content
+             * info was omitted */
+            if (!degenerate && !detached && (ret != 0)) {
+                break;
+            }
+            else {
+                ret = 0; /* reset ret state on degenerate case */
+            }
+
+        #ifndef NO_PKCS7_STREAM
+            /* save content */
+            if (detached == 1) {
+                /* if detached, use content from user in pkcs7 struct */
+                content = pkcs7->content;
+                contentSz = pkcs7->contentSz;
+            }
+
+            if (content != NULL) {
+                XFREE(pkcs7->stream->content, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                pkcs7->stream->content = (byte*)XMALLOC(contentSz, pkcs7->heap,
+                        DYNAMIC_TYPE_PKCS7);
+                if (pkcs7->stream->content == NULL) {
+                    ret = MEMORY_E;
+                    break;
+                }
+                else {
+                    XMEMCPY(pkcs7->stream->content, content, contentSz);
+                    pkcs7->stream->contentSz = contentSz;
+                }
+            }
+        #endif /* !NO_PKCS7_STREAM */
+
+            /* Get the implicit[0] set of certificates */
+            if (ret == 0 && idx >= pkiMsg2Sz)
+                ret = BUFFER_E;
+
+            length = 0; /* set length to 0 to check if reading in any certs */
+            localIdx = idx;
+            if (ret == 0 && GetASNTag(pkiMsg2, &localIdx, &tag, pkiMsg2Sz) == 0
+                    && tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+                idx++;
+                if (GetLength_ex(pkiMsg2, &idx, &length, maxIdx, NO_USER_CHECK)
+                        < 0)
+                    ret = ASN_PARSE_E;
+            }
+
+            if (ret != 0) {
+                break;
+            }
+        #ifndef NO_PKCS7_STREAM
+            if (in2 && in2Sz > 0 && hashBuf && hashSz > 0) {
+                stateIdx = idx; /* case where all data was read from in2 */
+            }
+
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, pkiMsg2Sz, 0, length);
+            if (length > 0) {
+                pkcs7->stream->expected = length;
+            }
+            else {
+                pkcs7->stream->expected = MAX_SEQ_SZ;
+                if (pkcs7->stream->expected > (pkcs7->stream->maxLen -
+                                pkcs7->stream->totalRd) + pkcs7->stream->length) {
+                    pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                                pkcs7->stream->totalRd) + pkcs7->stream->length;
+                }
+            }
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE4);
+            FALL_THROUGH;
+
+        case WC_PKCS7_VERIFY_STAGE4:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length);
+            if (pkcs7->stream->flagOne) {
+                pkiMsg2 = pkiMsg;
+            }
+
+            /* restore content */
+            content   = pkcs7->stream->content;
+            contentSz = pkcs7->stream->contentSz;
+
+            /* restore detached flag */
+            detached = pkcs7->stream->detached;
+
+            /* store certificate if needed */
+            if (length > 0 && in2Sz == 0) {
+                /* free tmpCert if not NULL */
+                XFREE(pkcs7->stream->tmpCert, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                pkcs7->stream->tmpCert = (byte*)XMALLOC(length,
+                        pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                if ((pkiMsg2 == NULL) || (pkcs7->stream->tmpCert == NULL)) {
+                    ret = MEMORY_E;
+                    break;
+                }
+                XMEMCPY(pkcs7->stream->tmpCert, pkiMsg2 + idx, length);
+                pkiMsg2 = pkcs7->stream->tmpCert;
+                pkiMsg2Sz = length;
+                idx = 0;
+            }
+        #endif
+
+                if (length > 0) {
+                    /* At this point, idx is at the first certificate in
+                     * a set of certificates. There may be more than one,
+                     * or none, or they may be a PKCS 6 extended
+                     * certificate. We want to save the first cert if it
+                     * is X.509. */
+
+                    word32 certIdx = idx;
+
+                    if (length < MAX_LENGTH_SZ + ASN_TAG_SZ)
+                        ret = BUFFER_E;
+
+                    if (ret == 0)
+                        ret = GetASNTag(pkiMsg2, &certIdx, &tag, pkiMsg2Sz);
+
+                    if (ret == 0 && tag == (ASN_CONSTRUCTED | ASN_SEQUENCE)) {
+                        if (GetLength(pkiMsg2, &certIdx, &certSz, pkiMsg2Sz) < 0)
+                            ret = ASN_PARSE_E;
+
+                        cert = &pkiMsg2[idx];
+                        certSz += (certIdx - idx);
+                        if (certSz > length) {
+                            ret = BUFFER_E;
+                            break;
+                        }
+                    }
+        #ifdef ASN_BER_TO_DER
+                    der = pkcs7->der;
+        #endif
+                    contentDynamic = pkcs7->contentDynamic;
+                    version = pkcs7->version;
+
+
+                    if (ret == 0) {
+                    #ifndef NO_PKCS7_STREAM
+                        PKCS7State* stream = pkcs7->stream;
+                    #endif
+                        /* This will reset PKCS7 structure and then set the
+                         * certificate */
+                        ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
+                    #ifndef NO_PKCS7_STREAM
+                        pkcs7->stream = stream;
+                    #endif
+                    }
+                    pkcs7->contentDynamic = contentDynamic;
+                    pkcs7->version = version;
+        #ifdef ASN_BER_TO_DER
+                    pkcs7->der = der;
+        #endif
+                    if (ret != 0)
+                        break;
+
+                    /* iterate through any additional certificates */
+                    if (ret == 0 && MAX_PKCS7_CERTS > 0) {
+                        int sz = 0;
+                        int i;
+
+                        pkcs7->cert[0]   = cert;
+                        pkcs7->certSz[0] = certSz;
+                        certIdx = idx + certSz;
+
+                        for (i = 1; i < MAX_PKCS7_CERTS &&
+                                certIdx + 1 < pkiMsg2Sz &&
+                                certIdx + 1 < (word32)length; i++) {
+                            localIdx = certIdx;
+
+                            if (ret == 0 && GetASNTag(pkiMsg2, &certIdx, &tag,
+                                        pkiMsg2Sz) < 0) {
+                                ret = ASN_PARSE_E;
+                                break;
+                            }
+
+                            if (ret == 0 &&
+                                    tag == (ASN_CONSTRUCTED | ASN_SEQUENCE)) {
+                                if (GetLength(pkiMsg2, &certIdx, &sz,
+                                            pkiMsg2Sz) < 0) {
+                                    ret = ASN_PARSE_E;
+                                    break;
+                                }
+
+                                pkcs7->cert[i]   = &pkiMsg2[localIdx];
+                                pkcs7->certSz[i] = sz + (certIdx - localIdx);
+                                certIdx += sz;
+                            }
+                        }
+                    }
+                }
+                idx += length;
+
+            if (!detached) {
+                /* set content and size after init of PKCS7 structure */
+                pkcs7->content   = content;
+                pkcs7->contentSz = contentSz;
+            }
+        #ifndef NO_PKCS7_STREAM
+            else {
+                /* save content if detached and using streaming API */
+                if (pkcs7->content != NULL) {
+                    XFREE(pkcs7->stream->content, pkcs7->heap,
+                          DYNAMIC_TYPE_PKCS7);
+                    pkcs7->stream->content = (byte*)XMALLOC(pkcs7->contentSz,
+                                                            pkcs7->heap,
+                                                            DYNAMIC_TYPE_PKCS7);
+                    if (pkcs7->stream->content == NULL) {
+                        ret = MEMORY_E;
+                        break;
+                    }
+                    else {
+                        XMEMCPY(pkcs7->stream->content, pkcs7->content,
+                                contentSz);
+                        pkcs7->stream->contentSz = pkcs7->contentSz;
+                    }
+                }
+            }
+        #endif
+
+            if (ret != 0) {
+                break;
+            }
+        #ifndef NO_PKCS7_STREAM
+            /* factor in that recent idx was in cert buffer. If in2 buffer was
+             * used then don't advance idx. */
+            if (length > 0 && pkcs7->stream->flagOne &&
+                    pkcs7->stream->length == 0) {
+                idx = stateIdx + idx;
+                if (idx > inSz) {
+                    /* index is more than input size */
+                    ret = BUFFER_E;
+                    break;
+                }
+            }
+            else {
+                stateIdx = idx; /* didn't read any from internal buffer */
+            }
+
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, &idx)) != 0) {
+                break;
+            }
+            if (pkcs7->stream->flagOne && pkcs7->stream->length > 0) {
+                idx = stateIdx + idx;
+            }
+
+            pkcs7->stream->expected = MAX_OID_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ +
+                                      MAX_SET_SZ;
+
+            if (pkcs7->stream->expected > (pkcs7->stream->maxLen -
+                                pkcs7->stream->totalRd) + pkcs7->stream->length)
+                pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                                pkcs7->stream->totalRd) + pkcs7->stream->length;
+
+            wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz,  0, 0);
+            wc_PKCS7_StreamStoreVar(pkcs7, pkiMsg2Sz, 0, length);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE5);
+            FALL_THROUGH;
+
+        case WC_PKCS7_VERIFY_STAGE5:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length);
+            if (pkcs7->stream->flagOne) {
+                pkiMsg2 = pkiMsg;
+            }
+
+            /* restore content type */
+            contentType   = pkcs7->stream->nonce;
+            contentTypeSz = pkcs7->stream->nonceSz;
+
+            maxIdx = idx + pkcs7->stream->expected;
+            if (maxIdx > pkiMsg2Sz) {
+                ret = BUFFER_E;
+                break;
+            }
+            stateIdx = idx;
+        #endif
+
+            /* set contentType and size after init of PKCS7 structure */
+            if (ret == 0 && wc_PKCS7_SetContentType(pkcs7, contentType,
+                        contentTypeSz) < 0)
+                ret = ASN_PARSE_E;
+
+            /* Get the implicit[1] set of crls */
+            if (ret == 0 && idx >= maxIdx)
+                ret = BUFFER_E;
+
+            localIdx = idx;
+            if (ret == 0 && GetASNTag(pkiMsg2, &localIdx, &tag, pkiMsg2Sz) == 0
+                    && tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
+                idx++;
+                if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
+                    ret = ASN_PARSE_E;
+
+                /* Skip the set */
+                idx += length;
+            }
+
+            /* Get the set of signerInfos */
+            if (ret == 0 && GetSet_ex(pkiMsg2, &idx, &length, maxIdx,
+                        NO_USER_CHECK) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret != 0)
+                break;
+        #ifndef NO_PKCS7_STREAM
+            if (!pkcs7->stream->flagOne) {
+                stateIdx = idx; /* didn't read any from internal buffer */
+            }
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, pkiMsg2Sz, 0, length);
+
+            if (in2 && in2Sz > 0 && hashBuf && hashSz > 0) {
+                if (length > 0) {
+                    pkcs7->stream->expected = length;
+                }
+                else {
+                    pkcs7->stream->expected = 0;
+                }
+            }
+            else {
+                /* last state expect the reset of the buffer */
+                pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                    pkcs7->stream->totalRd) + pkcs7->stream->length;
+            }
+
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE6);
+            FALL_THROUGH;
+
+        case WC_PKCS7_VERIFY_STAGE6:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length);
+            if (pkcs7->stream->flagOne) {
+                pkiMsg2 = pkiMsg;
+            }
+
+            /* restore content */
+            content   = pkcs7->stream->content;
+            contentSz = pkcs7->stream->contentSz;
+        #endif
+
+            ret = wc_PKCS7_ParseSignerInfo(pkcs7, pkiMsg2, pkiMsg2Sz, &idx,
+                    degenerate, &signedAttrib, &signedAttribSz);
+
+            /* parse out the signature if present and verify it */
+            if (ret == 0 && length > 0 && degenerate == 0) {
+                WOLFSSL_MSG("Parsing signature and verifying");
+                if (idx >= pkiMsg2Sz)
+                    ret = BUFFER_E;
+
+                /* Get the signature */
+                localIdx = idx;
+                if (ret == 0 && GetASNTag(pkiMsg2, &localIdx, &tag,
+                            pkiMsg2Sz) == 0 && tag == ASN_OCTET_STRING) {
+                    idx++;
+
+                    if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
+                        ret = ASN_PARSE_E;
+
+                    /* save pointer and length */
+                    sig = &pkiMsg2[idx];
+                    sigSz = length;
+
+                    idx += length;
+                }
+
+                pkcs7->content = content;
+                pkcs7->contentSz = contentSz;
+
+                if (ret == 0) {
+                    ret = wc_PKCS7_SignedDataVerifySignature(pkcs7, sig, sigSz,
+                                                   signedAttrib, signedAttribSz,
+                                                   hashBuf, hashSz);
+                }
+            }
+
+            if (ret < 0)
+                break;
+
+            ret = 0; /* success */
+        #ifndef NO_PKCS7_STREAM
+            wc_PKCS7_ResetStream(pkcs7);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
+            break;
+
+        default:
+            WOLFSSL_MSG("PKCS7 Unknown verify state");
+            ret = BAD_FUNC_ARG;
+    }
+
+    if (ret != 0 && ret != WC_PKCS7_WANT_READ_E) {
+    #ifndef NO_PKCS7_STREAM
+        wc_PKCS7_ResetStream(pkcs7);
+    #endif
+        wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
+    }
+    return ret;
+}
+
+
+/* Gets a copy of the SID parsed from signerInfo. This can be called after
+ * wc_PKCS7_VerifySignedData has been called. SID can be SKID in version 3 case
+ * or issuerAndSerialNumber.
+ *
+ * return 0 on success and LENGTH_ONLY_E if just setting "outSz" for buffer
+ *  length needed.
+ */
+int wc_PKCS7_GetSignerSID(PKCS7* pkcs7, byte* out, word32* outSz)
+{
+    if (outSz == NULL || pkcs7 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (pkcs7->signerInfo == NULL) {
+        WOLFSSL_MSG("Either the bundle had no signers or"
+                "wc_PKCS7_VerifySignedData needs called yet");
+        return PKCS7_NO_SIGNER_E;
+    }
+
+    if (pkcs7->signerInfo->sidSz == 0) {
+        WOLFSSL_MSG("Bundle had no signer SID set");
+        return PKCS7_NO_SIGNER_E;
+    }
+
+    if (out == NULL) {
+        *outSz = pkcs7->signerInfo->sidSz;
+        return LENGTH_ONLY_E;
+    }
+
+    if (*outSz < pkcs7->signerInfo->sidSz) {
+        WOLFSSL_MSG("Buffer being passed in is not large enough for SKID");
+        return BUFFER_E;
+    }
+    XMEMCPY(out, pkcs7->signerInfo->sid, pkcs7->signerInfo->sidSz);
+    *outSz = pkcs7->signerInfo->sidSz;
+    return 0;
+}
+
+
+/* variant that allows computed data hash and header/foot,
+ * which is useful for large data signing */
+int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
+    word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot,
+    word32 pkiMsgFootSz)
+{
+    return PKCS7_VerifySignedData(pkcs7, hashBuf, hashSz,
+        pkiMsgHead, pkiMsgHeadSz, pkiMsgFoot, pkiMsgFootSz);
+}
+
+int wc_PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz)
+{
+    return PKCS7_VerifySignedData(pkcs7, NULL, 0, pkiMsg, pkiMsgSz, NULL, 0);
+}
+
+
+/* Generate random content encryption key, store into pkcs7->cek and
+ * pkcs7->cekSz.
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ * len   - length of key to be generated
+ *
+ * Returns 0 on success, negative upon error */
+static int PKCS7_GenerateContentEncryptionKey(PKCS7* pkcs7, word32 len)
+{
+    int ret;
+    WC_RNG rng;
+    byte* tmpKey;
+
+    if (pkcs7 == NULL || len == 0)
+        return BAD_FUNC_ARG;
+
+    /* if key already exists, don't need to re-generate */
+    if (pkcs7->cek != NULL && pkcs7->cekSz != 0) {
+
+        /* if key exists, but is different size, return error */
+        if (pkcs7->cekSz != len) {
+            WOLFSSL_MSG("Random content-encryption key size is inconsistent "
+                        "between CMS recipients");
+            return WC_KEY_SIZE_E;
         }
 
-        pkcs7->content = content;
-        pkcs7->contentSz = contentSz;
+        return 0;
+    }
 
-        {
-            word32 scratch = 0;
-            int plainSz = 0;
-            int digestSz = MAX_SEQ_SZ + MAX_ALGO_SZ +
-                           MAX_OCTET_STR_SZ + SHA_DIGEST_SIZE;
+    /* allocate space for cek */
+    tmpKey = (byte*)XMALLOC(len, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (tmpKey == NULL)
+        return MEMORY_E;
 
-#ifdef WOLFSSL_SMALL_STACK
-            byte* digest;
-            RsaKey* key;
+    XMEMSET(tmpKey, 0, len);
 
-            digest = (byte*)XMALLOC(digestSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+    if (ret != 0) {
+        XFREE(tmpKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
 
-            if (digest == NULL)
-                return MEMORY_E;
+    ret = wc_RNG_GenerateBlock(&rng, tmpKey, len);
+    if (ret != 0) {
+        wc_FreeRng(&rng);
+        XFREE(tmpKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
 
-            key = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-            if (key == NULL) {
-                XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                return MEMORY_E;
+    /* store into PKCS7, memory freed during final cleanup */
+    pkcs7->cek = tmpKey;
+    pkcs7->cekSz = len;
+
+    wc_FreeRng(&rng);
+
+    return 0;
+}
+
+
+/* wrap CEK (content encryption key) with KEK, 0 on success, < 0 on error */
+static int wc_PKCS7_KeyWrap(byte* cek, word32 cekSz, byte* kek,
+                            word32 kekSz, byte* out, word32 outSz,
+                            int keyWrapAlgo, int direction)
+{
+    int ret = 0;
+
+    if (cek == NULL || kek == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (keyWrapAlgo) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128_WRAP:
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192_WRAP:
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256_WRAP:
+    #endif
+
+            if (direction == AES_ENCRYPTION) {
+
+                ret = wc_AesKeyWrap(kek, kekSz, cek, cekSz,
+                                    out, outSz, NULL);
+
+            } else if (direction == AES_DECRYPTION) {
+
+                ret = wc_AesKeyUnWrap(kek, kekSz, cek, cekSz,
+                                      out, outSz, NULL);
+            } else {
+                WOLFSSL_MSG("Bad key un/wrap direction");
+                return BAD_FUNC_ARG;
+            }
+
+            if (ret <= 0)
+                return ret;
+            break;
+#endif /* NO_AES */
+
+        default:
+            WOLFSSL_MSG("Unsupported key wrap algorithm");
+            return BAD_KEYWRAP_ALG_E;
+    };
+
+    (void)cekSz;
+    (void)kekSz;
+    (void)outSz;
+    (void)direction;
+    return ret;
+}
+
+
+#ifdef HAVE_ECC
+
+/* KARI == KeyAgreeRecipientInfo (key agreement) */
+typedef struct WC_PKCS7_KARI {
+    DecodedCert* decoded;          /* decoded recip cert */
+    void*    heap;                 /* user heap, points to PKCS7->heap */
+    int      devId;                /* device ID for HW based private key */
+    ecc_key* recipKey;             /* recip key  (pub | priv) */
+    ecc_key* senderKey;            /* sender key (pub | priv) */
+    byte*    senderKeyExport;      /* sender ephemeral key DER */
+    byte*    kek;                  /* key encryption key */
+    byte*    ukm;                  /* OPTIONAL user keying material */
+    byte*    sharedInfo;           /* ECC-CMS-SharedInfo ASN.1 encoded blob */
+    word32   senderKeyExportSz;    /* size of sender ephemeral key DER */
+    word32   kekSz;                /* size of key encryption key */
+    word32   ukmSz;                /* size of user keying material */
+    word32   sharedInfoSz;         /* size of ECC-CMS-SharedInfo encoded */
+    byte     ukmOwner;             /* do we own ukm buffer? 1:yes, 0:no */
+    byte     direction;            /* WC_PKCS7_ENCODE | WC_PKCS7_DECODE */
+    byte     decodedInit : 1;      /* indicates decoded was initialized */
+    byte     recipKeyInit : 1;     /* indicates recipKey was initialized */
+    byte     senderKeyInit : 1;    /* indicates senderKey was initialized */
+} WC_PKCS7_KARI;
+
+
+/* allocate and create new WC_PKCS7_KARI struct,
+ * returns struct pointer on success, NULL on failure */
+static WC_PKCS7_KARI* wc_PKCS7_KariNew(PKCS7* pkcs7, byte direction)
+{
+    WC_PKCS7_KARI* kari = NULL;
+
+    if (pkcs7 == NULL)
+        return NULL;
+
+    kari = (WC_PKCS7_KARI*)XMALLOC(sizeof(WC_PKCS7_KARI), pkcs7->heap,
+                                   DYNAMIC_TYPE_PKCS7);
+    if (kari == NULL) {
+        WOLFSSL_MSG("Failed to allocate WC_PKCS7_KARI");
+        return NULL;
+    }
+
+    kari->decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
+                                          DYNAMIC_TYPE_PKCS7);
+    if (kari->decoded == NULL) {
+        WOLFSSL_MSG("Failed to allocate DecodedCert");
+        XFREE(kari, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return NULL;
+    }
+
+    kari->recipKey = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap,
+                                       DYNAMIC_TYPE_PKCS7);
+    if (kari->recipKey == NULL) {
+        WOLFSSL_MSG("Failed to allocate recipient ecc_key");
+        XFREE(kari->decoded, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kari, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return NULL;
+    }
+
+    kari->senderKey = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap,
+                                        DYNAMIC_TYPE_PKCS7);
+    if (kari->senderKey == NULL) {
+        WOLFSSL_MSG("Failed to allocate sender ecc_key");
+        XFREE(kari->recipKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kari->decoded, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kari, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return NULL;
+    }
+
+    kari->senderKeyExport = NULL;
+    kari->senderKeyExportSz = 0;
+    kari->kek = NULL;
+    kari->kekSz = 0;
+    kari->ukm = NULL;
+    kari->ukmSz = 0;
+    kari->ukmOwner = 0;
+    kari->sharedInfo = NULL;
+    kari->sharedInfoSz = 0;
+    kari->direction = direction;
+    kari->decodedInit = 0;
+    kari->recipKeyInit = 0;
+    kari->senderKeyInit = 0;
+
+    kari->heap = pkcs7->heap;
+    kari->devId = pkcs7->devId;
+
+    return kari;
+}
+
+
+/* free WC_PKCS7_KARI struct, return 0 on success */
+static int wc_PKCS7_KariFree(WC_PKCS7_KARI* kari)
+{
+    void* heap;
+
+    if (kari) {
+        heap = kari->heap;
+
+        if (kari->decoded) {
+            if (kari->decodedInit)
+                FreeDecodedCert(kari->decoded);
+            XFREE(kari->decoded, heap, DYNAMIC_TYPE_PKCS7);
+        }
+        if (kari->senderKey) {
+            if (kari->senderKeyInit)
+                wc_ecc_free(kari->senderKey);
+            XFREE(kari->senderKey, heap, DYNAMIC_TYPE_PKCS7);
+        }
+        if (kari->recipKey) {
+            if (kari->recipKeyInit)
+                wc_ecc_free(kari->recipKey);
+            XFREE(kari->recipKey, heap, DYNAMIC_TYPE_PKCS7);
+        }
+        if (kari->senderKeyExport) {
+            ForceZero(kari->senderKeyExport, kari->senderKeyExportSz);
+            XFREE(kari->senderKeyExport, heap, DYNAMIC_TYPE_PKCS7);
+            kari->senderKeyExportSz = 0;
+        }
+        if (kari->kek) {
+            ForceZero(kari->kek, kari->kekSz);
+            XFREE(kari->kek, heap, DYNAMIC_TYPE_PKCS7);
+            kari->kekSz = 0;
+        }
+        if (kari->ukm) {
+            if (kari->ukmOwner == 1) {
+                XFREE(kari->ukm, heap, DYNAMIC_TYPE_PKCS7);
             }
+            kari->ukmSz = 0;
+        }
+        if (kari->sharedInfo) {
+            ForceZero(kari->sharedInfo, kari->sharedInfoSz);
+            XFREE(kari->sharedInfo, heap, DYNAMIC_TYPE_PKCS7);
+            kari->sharedInfoSz = 0;
+        }
+        XFREE(kari, heap, DYNAMIC_TYPE_PKCS7);
+    }
+
+    (void)heap;
+
+    return 0;
+}
+
+
+/* parse recipient cert/key, return 0 on success, negative on error
+ * key/keySz only needed during decoding (WC_PKCS7_DECODE) */
+static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
+                                       word32 certSz, const byte* key,
+                                       word32 keySz)
+{
+    int ret;
+    word32 idx;
+
+    if (kari == NULL || kari->decoded == NULL ||
+        cert == NULL || certSz == 0)
+        return BAD_FUNC_ARG;
+
+    /* decode certificate */
+    InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap);
+    kari->decodedInit = 1;
+    ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0);
+    if (ret < 0)
+        return ret;
+
+    /* only supports ECDSA for now */
+    if (kari->decoded->keyOID != ECDSAk) {
+        WOLFSSL_MSG("CMS KARI only supports ECDSA key types");
+        return BAD_FUNC_ARG;
+    }
+
+    /* make sure subject key id was read from cert */
+    if (kari->decoded->extSubjKeyIdSet == 0) {
+        WOLFSSL_MSG("Failed to read subject key ID from recipient cert");
+        return BAD_FUNC_ARG;
+    }
+
+    ret = wc_ecc_init_ex(kari->recipKey, kari->heap, kari->devId);
+    if (ret != 0)
+        return ret;
+
+    kari->recipKeyInit = 1;
+
+    /* get recip public key */
+    if (kari->direction == WC_PKCS7_ENCODE) {
+
+        idx = 0;
+        ret = wc_EccPublicKeyDecode(kari->decoded->publicKey, &idx,
+                                    kari->recipKey, kari->decoded->pubKeySize);
+        if (ret != 0)
+            return ret;
+    }
+    /* get recip private key */
+    else if (kari->direction == WC_PKCS7_DECODE) {
+        if (key != NULL && keySz > 0) {
+            idx = 0;
+            ret = wc_EccPrivateKeyDecode(key, &idx, kari->recipKey, keySz);
+        }
+        else if (kari->devId == INVALID_DEVID) {
+            ret = BAD_FUNC_ARG;
+        }
+        if (ret != 0)
+            return ret;
+
+    } else {
+        /* bad direction */
+        return BAD_FUNC_ARG;
+    }
+
+    (void)idx;
+
+    return 0;
+}
+
+
+/* create ephemeral ECC key, places ecc_key in kari->senderKey,
+ * DER encoded in kari->senderKeyExport. return 0 on success,
+ * negative on error */
+static int wc_PKCS7_KariGenerateEphemeralKey(WC_PKCS7_KARI* kari)
+{
+    int ret;
+    WC_RNG rng;
+
+    if (kari == NULL || kari->decoded == NULL ||
+        kari->recipKey == NULL || kari->recipKey->dp == NULL)
+        return BAD_FUNC_ARG;
+
+    kari->senderKeyExport = (byte*)XMALLOC(kari->decoded->pubKeySize,
+                                           kari->heap, DYNAMIC_TYPE_PKCS7);
+    if (kari->senderKeyExport == NULL)
+        return MEMORY_E;
+
+    kari->senderKeyExportSz = kari->decoded->pubKeySize;
+
+    ret = wc_ecc_init_ex(kari->senderKey, kari->heap, kari->devId);
+    if (ret != 0) {
+        XFREE(kari->senderKeyExport, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    kari->senderKeyInit = 1;
+
+    ret = wc_InitRng_ex(&rng, kari->heap, kari->devId);
+    if (ret != 0) {
+        XFREE(kari->senderKeyExport, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    ret = wc_ecc_make_key_ex(&rng, kari->recipKey->dp->size,
+                             kari->senderKey, kari->recipKey->dp->id);
+    if (ret != 0) {
+        XFREE(kari->senderKeyExport, kari->heap, DYNAMIC_TYPE_PKCS7);
+        wc_FreeRng(&rng);
+        return ret;
+    }
+
+    wc_FreeRng(&rng);
+
+    /* dump generated key to X.963 DER for output in CMS bundle */
+    ret = wc_ecc_export_x963(kari->senderKey, kari->senderKeyExport,
+                             &kari->senderKeyExportSz);
+    if (ret != 0) {
+        XFREE(kari->senderKeyExport, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    return 0;
+}
+
+
+/* create ASN.1 encoded ECC-CMS-SharedInfo using specified key wrap algorithm,
+ * place in kari->sharedInfo. returns 0 on success, negative on error */
+static int wc_PKCS7_KariGenerateSharedInfo(WC_PKCS7_KARI* kari, int keyWrapOID)
+{
+    int idx = 0;
+    int sharedInfoSeqSz = 0;
+    int keyInfoSz = 0;
+    int suppPubInfoSeqSz = 0;
+    int entityUInfoOctetSz = 0;
+    int entityUInfoExplicitSz = 0;
+    int kekOctetSz = 0;
+    int sharedInfoSz = 0;
+
+    word32 kekBitSz = 0;
+
+    byte sharedInfoSeq[MAX_SEQ_SZ];
+    byte keyInfo[MAX_ALGO_SZ];
+    byte suppPubInfoSeq[MAX_SEQ_SZ];
+    byte entityUInfoOctet[MAX_OCTET_STR_SZ];
+    byte entityUInfoExplicitSeq[MAX_SEQ_SZ];
+    byte kekOctet[MAX_OCTET_STR_SZ];
+
+    if (kari == NULL)
+        return BAD_FUNC_ARG;
+
+    if ((kari->ukmSz > 0) && (kari->ukm == NULL))
+        return BAD_FUNC_ARG;
+
+    /* kekOctet */
+    kekOctetSz = SetOctetString(sizeof(word32), kekOctet);
+    sharedInfoSz += (kekOctetSz + sizeof(word32));
+
+    /* suppPubInfo */
+    suppPubInfoSeqSz = SetImplicit(ASN_SEQUENCE, 2,
+                                   kekOctetSz + sizeof(word32),
+                                   suppPubInfoSeq);
+    sharedInfoSz += suppPubInfoSeqSz;
+
+    /* optional ukm/entityInfo */
+    if (kari->ukmSz > 0) {
+        entityUInfoOctetSz = SetOctetString(kari->ukmSz, entityUInfoOctet);
+        sharedInfoSz += (entityUInfoOctetSz + kari->ukmSz);
+
+        entityUInfoExplicitSz = SetExplicit(0, entityUInfoOctetSz +
+                                            kari->ukmSz,
+                                            entityUInfoExplicitSeq);
+        sharedInfoSz += entityUInfoExplicitSz;
+    }
+
+    /* keyInfo */
+    keyInfoSz = SetAlgoID(keyWrapOID, keyInfo, oidKeyWrapType, 0);
+    sharedInfoSz += keyInfoSz;
+
+    /* sharedInfo */
+    sharedInfoSeqSz = SetSequence(sharedInfoSz, sharedInfoSeq);
+    sharedInfoSz += sharedInfoSeqSz;
+
+    kari->sharedInfo = (byte*)XMALLOC(sharedInfoSz, kari->heap,
+                                      DYNAMIC_TYPE_PKCS7);
+    if (kari->sharedInfo == NULL)
+        return MEMORY_E;
+
+    kari->sharedInfoSz = sharedInfoSz;
+
+    XMEMCPY(kari->sharedInfo + idx, sharedInfoSeq, sharedInfoSeqSz);
+    idx += sharedInfoSeqSz;
+    XMEMCPY(kari->sharedInfo + idx, keyInfo, keyInfoSz);
+    idx += keyInfoSz;
+    if (kari->ukmSz > 0) {
+        XMEMCPY(kari->sharedInfo + idx, entityUInfoExplicitSeq,
+                entityUInfoExplicitSz);
+        idx += entityUInfoExplicitSz;
+        XMEMCPY(kari->sharedInfo + idx, entityUInfoOctet, entityUInfoOctetSz);
+        idx += entityUInfoOctetSz;
+        XMEMCPY(kari->sharedInfo + idx, kari->ukm, kari->ukmSz);
+        idx += kari->ukmSz;
+    }
+    XMEMCPY(kari->sharedInfo + idx, suppPubInfoSeq, suppPubInfoSeqSz);
+    idx += suppPubInfoSeqSz;
+    XMEMCPY(kari->sharedInfo + idx, kekOctet, kekOctetSz);
+    idx += kekOctetSz;
+
+    kekBitSz = (kari->kekSz) * 8;              /* convert to bits */
+#ifdef LITTLE_ENDIAN_ORDER
+    kekBitSz = ByteReverseWord32(kekBitSz);    /* network byte order */
+#endif
+    XMEMCPY(kari->sharedInfo + idx, &kekBitSz, sizeof(kekBitSz));
+
+    return 0;
+}
+
+
+/* create key encryption key (KEK) using key wrap algorithm and key encryption
+ * algorithm, place in kari->kek. return 0 on success, <0 on error. */
+static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari,
+                                    int keyWrapOID, int keyEncOID)
+{
+    int ret;
+    int kSz;
+    enum wc_HashType kdfType;
+    byte*  secret;
+    word32 secretSz;
+
+    if (kari == NULL || kari->recipKey == NULL ||
+        kari->senderKey == NULL || kari->senderKey->dp == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get KEK size, allocate buff */
+    kSz = wc_PKCS7_GetOIDKeySize(keyWrapOID);
+    if (kSz < 0)
+        return kSz;
+
+    kari->kek = (byte*)XMALLOC(kSz, kari->heap, DYNAMIC_TYPE_PKCS7);
+    if (kari->kek == NULL)
+        return MEMORY_E;
+
+    kari->kekSz = (word32)kSz;
+
+    /* generate ECC-CMS-SharedInfo */
+    ret = wc_PKCS7_KariGenerateSharedInfo(kari, keyWrapOID);
+    if (ret != 0)
+        return ret;
+
+    /* generate shared secret */
+    secretSz = kari->senderKey->dp->size;
+    secret = (byte*)XMALLOC(secretSz, kari->heap, DYNAMIC_TYPE_PKCS7);
+    if (secret == NULL)
+        return MEMORY_E;
+
+    if (kari->direction == WC_PKCS7_ENCODE) {
+
+        ret = wc_ecc_shared_secret(kari->senderKey, kari->recipKey,
+                                   secret, &secretSz);
+
+    } else if (kari->direction == WC_PKCS7_DECODE) {
+
+        ret = wc_ecc_shared_secret(kari->recipKey, kari->senderKey,
+                                   secret, &secretSz);
+
+    } else {
+        /* bad direction */
+        XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return BAD_FUNC_ARG;
+    }
+
+    if (ret != 0) {
+        XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* run through KDF */
+    switch (keyEncOID) {
+
+    #ifndef NO_SHA
+        case dhSinglePass_stdDH_sha1kdf_scheme:
+            kdfType = WC_HASH_TYPE_SHA;
+            break;
+    #endif
+    #ifndef WOLFSSL_SHA224
+        case dhSinglePass_stdDH_sha224kdf_scheme:
+            kdfType = WC_HASH_TYPE_SHA224;
+            break;
+    #endif
+    #ifndef NO_SHA256
+        case dhSinglePass_stdDH_sha256kdf_scheme:
+            kdfType = WC_HASH_TYPE_SHA256;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA384
+        case dhSinglePass_stdDH_sha384kdf_scheme:
+            kdfType = WC_HASH_TYPE_SHA384;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA512
+        case dhSinglePass_stdDH_sha512kdf_scheme:
+            kdfType = WC_HASH_TYPE_SHA512;
+            break;
+    #endif
+        default:
+            WOLFSSL_MSG("Unsupported key agreement algorithm");
+            XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
+            return BAD_FUNC_ARG;
+    };
+
+    ret = wc_X963_KDF(kdfType, secret, secretSz, kari->sharedInfo,
+                      kari->sharedInfoSz, kari->kek, kari->kekSz);
+    if (ret != 0) {
+        XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7);
+
+    return 0;
+}
+
+
+/* Encode and add CMS EnvelopedData KARI (KeyAgreeRecipientInfo) RecipientInfo
+ * to CMS/PKCS#7 EnvelopedData structure.
+ *
+ * Returns 0 on success, negative upon error */
+int wc_PKCS7_AddRecipient_KARI(PKCS7* pkcs7, const byte* cert, word32 certSz,
+                               int keyWrapOID, int keyAgreeOID, byte* ukm,
+                               word32 ukmSz, int options)
+{
+    Pkcs7EncodedRecip* recip;
+    Pkcs7EncodedRecip* lastRecip = NULL;
+    WC_PKCS7_KARI* kari = NULL;
+
+    word32 idx = 0;
+    word32 encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+
+    int ret = 0;
+    int keySz, direction = 0;
+    int blockKeySz = 0;
+
+    /* ASN.1 layout */
+    int totalSz = 0;
+    int kariSeqSz = 0;
+    byte kariSeq[MAX_SEQ_SZ];           /* IMPLICIT [1] */
+    int verSz = 0;
+    byte ver[MAX_VERSION_SZ];
+
+    int origIdOrKeySeqSz = 0;
+    byte origIdOrKeySeq[MAX_SEQ_SZ];    /* IMPLICIT [0] */
+    int origPubKeySeqSz = 0;
+    byte origPubKeySeq[MAX_SEQ_SZ];     /* IMPLICIT [1] */
+    int origAlgIdSz = 0;
+    byte origAlgId[MAX_ALGO_SZ];
+    int origPubKeyStrSz = 0;
+    byte origPubKeyStr[MAX_OCTET_STR_SZ];
+
+    /* optional user keying material */
+    int ukmOctetSz = 0;
+    byte ukmOctetStr[MAX_OCTET_STR_SZ];
+    int ukmExplicitSz = 0;
+    byte ukmExplicitSeq[MAX_SEQ_SZ];
+
+    int keyEncryptAlgoIdSz = 0;
+    byte keyEncryptAlgoId[MAX_ALGO_SZ];
+    int keyWrapAlgSz = 0;
+    byte keyWrapAlg[MAX_ALGO_SZ];
+
+    int recipEncKeysSeqSz = 0;
+    byte recipEncKeysSeq[MAX_SEQ_SZ];
+    int recipEncKeySeqSz = 0;
+    byte recipEncKeySeq[MAX_SEQ_SZ];
+    int recipKeyIdSeqSz = 0;
+    byte recipKeyIdSeq[MAX_SEQ_SZ];     /* IMPLICIT [0] */
+    int subjKeyIdOctetSz = 0;
+    byte subjKeyIdOctet[MAX_OCTET_STR_SZ];
+    int encryptedKeyOctetSz = 0;
+    byte encryptedKeyOctet[MAX_OCTET_STR_SZ];
+
+#ifdef WOLFSSL_SMALL_STACK
+    byte* encryptedKey;
+
+    encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                  DYNAMIC_TYPE_TMP_BUFFER);
+    if (encryptedKey == NULL) {
+        return MEMORY_E;
+    }
 #else
-            byte digest[digestSz];
-            RsaKey stack_key;
-            RsaKey* key = &stack_key;
+    byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
 #endif
 
-            XMEMSET(digest, 0, digestSz);
+    /* allocate and init memory for recipient */
+    recip = (Pkcs7EncodedRecip*)XMALLOC(sizeof(Pkcs7EncodedRecip), pkcs7->heap,
+                                 DYNAMIC_TYPE_PKCS7);
+    if (recip == NULL) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return MEMORY_E;
+    }
+    XMEMSET(recip, 0, sizeof(Pkcs7EncodedRecip));
 
-            ret = wc_InitRsaKey(key, NULL);
-            if (ret != 0) {
+    /* get key size for content-encryption key based on algorithm */
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                XFREE(key,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-                return ret;
-            }
-            if (wc_RsaPublicKeyDecode(pkcs7->publicKey, &scratch, key,
-                                   pkcs7->publicKeySz) < 0) {
-                WOLFSSL_MSG("ASN RSA key decode error");
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return blockKeySz;
+    }
+
+    /* generate random content encryption key, if needed */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-                XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                XFREE(key,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-                return PUBLIC_KEY_E;
-            }
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
 
-            plainSz = wc_RsaSSL_Verify(sig, sigSz, digest, digestSz, key);
-            wc_FreeRsaKey(key);
+    /* set direction based on keyWrapAlgo */
+    switch (keyWrapOID) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128_WRAP:
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192_WRAP:
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256_WRAP:
+    #endif
+            direction = AES_ENCRYPTION;
+            break;
+#endif
+        default:
+            WOLFSSL_MSG("Unsupported key wrap algorithm");
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return BAD_KEYWRAP_ALG_E;
+    }
 
+    kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_ENCODE);
+    if (kari == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(key,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
 
-            if (plainSz < 0)
-                return plainSz;
+    /* set user keying material if available */
+    if (ukmSz > 0 && ukm != NULL) {
+        kari->ukm = ukm;
+        kari->ukmSz = ukmSz;
+        kari->ukmOwner = 0;
+    }
+
+    /* parse recipient cert, get public key */
+    ret = wc_PKCS7_KariParseRecipCert(kari, cert, certSz, NULL, 0);
+    if (ret != 0) {
+        wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* generate sender ephemeral ECC key */
+    ret = wc_PKCS7_KariGenerateEphemeralKey(kari);
+    if (ret != 0) {
+        wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* generate KEK (key encryption key) */
+    ret = wc_PKCS7_KariGenerateKEK(kari, keyWrapOID, keyAgreeOID);
+    if (ret != 0) {
+        wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* encrypt CEK with KEK */
+    keySz = wc_PKCS7_KeyWrap(pkcs7->cek, pkcs7->cekSz, kari->kek,
+                             kari->kekSz, encryptedKey, encryptedKeySz,
+                             keyWrapOID, direction);
+    if (keySz <= 0) {
+        wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return keySz;
+    }
+    encryptedKeySz = (word32)keySz;
+
+    /* Start of RecipientEncryptedKeys */
+
+    /* EncryptedKey */
+    encryptedKeyOctetSz = SetOctetString(encryptedKeySz, encryptedKeyOctet);
+    totalSz += (encryptedKeyOctetSz + encryptedKeySz);
+
+    /* SubjectKeyIdentifier */
+    subjKeyIdOctetSz = SetOctetString(KEYID_SIZE, subjKeyIdOctet);
+    totalSz += (subjKeyIdOctetSz + KEYID_SIZE);
+
+    /* RecipientKeyIdentifier IMPLICIT [0] */
+    recipKeyIdSeqSz = SetImplicit(ASN_SEQUENCE, 0, subjKeyIdOctetSz +
+                                  KEYID_SIZE, recipKeyIdSeq);
+    totalSz += recipKeyIdSeqSz;
+
+    /* RecipientEncryptedKey */
+    recipEncKeySeqSz = SetSequence(totalSz, recipEncKeySeq);
+    totalSz += recipEncKeySeqSz;
+
+    /* RecipientEncryptedKeys */
+    recipEncKeysSeqSz = SetSequence(totalSz, recipEncKeysSeq);
+    totalSz += recipEncKeysSeqSz;
+
+    /* Start of optional UserKeyingMaterial */
+
+    if (kari->ukmSz > 0) {
+        ukmOctetSz = SetOctetString(kari->ukmSz, ukmOctetStr);
+        totalSz += (ukmOctetSz + kari->ukmSz);
+
+        ukmExplicitSz = SetExplicit(1, ukmOctetSz + kari->ukmSz,
+                                    ukmExplicitSeq);
+        totalSz += ukmExplicitSz;
+    }
+
+    /* Start of KeyEncryptionAlgorithmIdentifier */
+
+    /* KeyWrapAlgorithm */
+    keyWrapAlgSz = SetAlgoID(keyWrapOID, keyWrapAlg, oidKeyWrapType, 0);
+    totalSz += keyWrapAlgSz;
+
+    /* KeyEncryptionAlgorithmIdentifier */
+    keyEncryptAlgoIdSz = SetAlgoID(keyAgreeOID, keyEncryptAlgoId,
+                                   oidCmsKeyAgreeType, keyWrapAlgSz);
+    totalSz += keyEncryptAlgoIdSz;
+
+    /* Start of OriginatorIdentifierOrKey */
+
+    /* recipient ECPoint, public key */
+    XMEMSET(origPubKeyStr, 0, sizeof(origPubKeyStr)); /* no unused bits */
+    origPubKeyStr[0] = ASN_BIT_STRING;
+    origPubKeyStrSz = SetLength(kari->senderKeyExportSz + 1,
+                                origPubKeyStr + 1) + 2;
+    totalSz += (origPubKeyStrSz + kari->senderKeyExportSz);
+
+    /* Originator AlgorithmIdentifier, params set to NULL for interop
+       compatibility */
+    origAlgIdSz = SetAlgoID(ECDSAk, origAlgId, oidKeyType, 2);
+    origAlgId[origAlgIdSz++] = ASN_TAG_NULL;
+    origAlgId[origAlgIdSz++] = 0;
+    totalSz += origAlgIdSz;
+
+    /* outer OriginatorPublicKey IMPLICIT [1] */
+    origPubKeySeqSz = SetImplicit(ASN_SEQUENCE, 1,
+                                  origAlgIdSz + origPubKeyStrSz +
+                                  kari->senderKeyExportSz, origPubKeySeq);
+    totalSz += origPubKeySeqSz;
+
+    /* outer OriginatorIdentiferOrKey IMPLICIT [0] */
+    origIdOrKeySeqSz = SetImplicit(ASN_SEQUENCE, 0,
+                                   origPubKeySeqSz + origAlgIdSz +
+                                   origPubKeyStrSz + kari->senderKeyExportSz,
+                                   origIdOrKeySeq);
+    totalSz += origIdOrKeySeqSz;
+
+    /* version, always 3 */
+    verSz = SetMyVersion(3, ver, 0);
+    totalSz += verSz;
+    recip->recipVersion = 3;
+
+    /* outer IMPLICIT [1] kari */
+    kariSeqSz = SetImplicit(ASN_SEQUENCE, 1, totalSz, kariSeq);
+    totalSz += kariSeqSz;
+
+    if (totalSz > MAX_RECIP_SZ) {
+        WOLFSSL_MSG("KeyAgreeRecipientInfo output buffer too small");
+        wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BUFFER_E;
+    }
+
+    XMEMCPY(recip->recip + idx, kariSeq, kariSeqSz);
+    idx += kariSeqSz;
+    XMEMCPY(recip->recip + idx, ver, verSz);
+    idx += verSz;
+
+    XMEMCPY(recip->recip + idx, origIdOrKeySeq, origIdOrKeySeqSz);
+    idx += origIdOrKeySeqSz;
+    XMEMCPY(recip->recip + idx, origPubKeySeq, origPubKeySeqSz);
+    idx += origPubKeySeqSz;
+
+    /* AlgorithmIdentifier with NULL parameter */
+    XMEMCPY(recip->recip + idx, origAlgId, origAlgIdSz);
+    idx += origAlgIdSz;
+
+    XMEMCPY(recip->recip + idx, origPubKeyStr, origPubKeyStrSz);
+    idx += origPubKeyStrSz;
+    /* ephemeral public key */
+    XMEMCPY(recip->recip + idx, kari->senderKeyExport, kari->senderKeyExportSz);
+    idx += kari->senderKeyExportSz;
+
+    if (kari->ukmSz > 0) {
+        XMEMCPY(recip->recip + idx, ukmExplicitSeq, ukmExplicitSz);
+        idx += ukmExplicitSz;
+        XMEMCPY(recip->recip + idx, ukmOctetStr, ukmOctetSz);
+        idx += ukmOctetSz;
+        XMEMCPY(recip->recip + idx, kari->ukm, kari->ukmSz);
+        idx += kari->ukmSz;
+    }
+
+    XMEMCPY(recip->recip + idx, keyEncryptAlgoId, keyEncryptAlgoIdSz);
+    idx += keyEncryptAlgoIdSz;
+    XMEMCPY(recip->recip + idx, keyWrapAlg, keyWrapAlgSz);
+    idx += keyWrapAlgSz;
+
+    XMEMCPY(recip->recip + idx, recipEncKeysSeq, recipEncKeysSeqSz);
+    idx += recipEncKeysSeqSz;
+    XMEMCPY(recip->recip + idx, recipEncKeySeq, recipEncKeySeqSz);
+    idx += recipEncKeySeqSz;
+    XMEMCPY(recip->recip + idx, recipKeyIdSeq, recipKeyIdSeqSz);
+    idx += recipKeyIdSeqSz;
+    XMEMCPY(recip->recip + idx, subjKeyIdOctet, subjKeyIdOctetSz);
+    idx += subjKeyIdOctetSz;
+    /* subject key id */
+    XMEMCPY(recip->recip + idx, kari->decoded->extSubjKeyId, KEYID_SIZE);
+    idx += KEYID_SIZE;
+    XMEMCPY(recip->recip + idx, encryptedKeyOctet, encryptedKeyOctetSz);
+    idx += encryptedKeyOctetSz;
+    /* encrypted CEK */
+    XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz);
+    idx += encryptedKeySz;
+
+    wc_PKCS7_KariFree(kari);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    /* store recipient size */
+    recip->recipSz = idx;
+    recip->recipType = PKCS7_KARI;
+
+    /* add recipient to recip list */
+    if (pkcs7->recipList == NULL) {
+        pkcs7->recipList = recip;
+    } else {
+        lastRecip = pkcs7->recipList;
+        while (lastRecip->next != NULL) {
+            lastRecip = lastRecip->next;
         }
+        lastRecip->next = recip;
     }
 
-    return 0;
+    (void)options;
+
+    return idx;
 }
 
+#endif /* HAVE_ECC */
+
+#ifndef NO_RSA
 
-/* create ASN.1 fomatted RecipientInfo structure, returns sequence size */
-WOLFSSL_LOCAL int wc_CreateRecipientInfo(const byte* cert, word32 certSz,
-                                     int keyEncAlgo, int blockKeySz,
-                                     RNG* rng, byte* contentKeyPlain,
-                                     byte* contentKeyEnc,
-                                     int* keyEncSz, byte* out, word32 outSz)
+/* Encode and add CMS EnvelopedData KTRI (KeyTransRecipientInfo) RecipientInfo
+ * to CMS/PKCS#7 EnvelopedData structure.
+ *
+ * Returns 0 on success, negative upon error */
+int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
+                               int options)
 {
+    Pkcs7EncodedRecip* recip = NULL;
+    Pkcs7EncodedRecip* lastRecip = NULL;
+
+    WC_RNG rng;
     word32 idx = 0;
-    int ret = 0, totalSz = 0;
-    int verSz, issuerSz, snSz, keyEncAlgSz;
-    int issuerSeqSz, recipSeqSz, issuerSerialSeqSz;
+    word32 encryptedKeySz = 0;
+
+    int ret = 0, blockKeySz;
+    int verSz = 0, issuerSz = 0, snSz = 0, keyEncAlgSz = 0;
+    int issuerSeqSz = 0, recipSeqSz = 0, issuerSerialSeqSz = 0;
     int encKeyOctetStrSz;
+    int sidType;
 
     byte ver[MAX_VERSION_SZ];
     byte issuerSerialSeq[MAX_SEQ_SZ];
@@ -961,241 +6020,1696 @@ WOLFSSL_LOCAL int wc_CreateRecipientInfo(const byte* cert, word32 certSz,
     byte issuerSeq[MAX_SEQ_SZ];
     byte encKeyOctetStr[MAX_OCTET_STR_SZ];
 
+    byte issuerSKIDSeq[MAX_SEQ_SZ];
+    byte issuerSKID[MAX_OCTET_STR_SZ];
+    word32 issuerSKIDSeqSz = 0, issuerSKIDSz = 0;
+
 #ifdef WOLFSSL_SMALL_STACK
-    byte *serial;
-    byte *keyAlgArray;
-    
+    byte*   serial;
+    byte*   keyAlgArray;
+    byte*   encryptedKey;
     RsaKey* pubKey;
     DecodedCert* decoded;
 
-    serial = (byte*)XMALLOC(MAX_SN_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-
-    if (decoded == NULL || serial == NULL || keyAlgArray == NULL) {
-        if (serial)      XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (keyAlgArray) XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (decoded)     XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    serial = (byte*)XMALLOC(MAX_SN_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, pkcs7->heap,
+                                 DYNAMIC_TYPE_TMP_BUFFER);
+    encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                  DYNAMIC_TYPE_TMP_BUFFER);
+    decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
+                                    DYNAMIC_TYPE_TMP_BUFFER);
+
+    if (decoded == NULL || serial == NULL ||
+        encryptedKey == NULL || keyAlgArray == NULL) {
+        if (serial)
+            XFREE(serial, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (keyAlgArray)
+            XFREE(keyAlgArray, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (encryptedKey)
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (decoded)
+            XFREE(decoded, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
         return MEMORY_E;
     }
-    
 #else
     byte serial[MAX_SN_SZ];
     byte keyAlgArray[MAX_ALGO_SZ];
-    
-    RsaKey stack_pubKey;
-    RsaKey* pubKey = &stack_pubKey;
-    DecodedCert stack_decoded;
-    DecodedCert* decoded = &stack_decoded;
+    byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
+
+    RsaKey pubKey[1];
+    DecodedCert decoded[1];
+#endif
+
+    encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+    XMEMSET(encryptedKey, 0, encryptedKeySz);
+
+    /* default to IssuerAndSerialNumber if not set */
+    if (pkcs7->sidType != 0) {
+        sidType = pkcs7->sidType;
+    } else {
+        sidType = CMS_ISSUER_AND_SERIAL_NUMBER;
+    }
+
+    /* allow options to override SubjectIdentifier type if set */
+    if (options & CMS_SKID) {
+        sidType = CMS_SKID;
+    } else if (options & CMS_ISSUER_AND_SERIAL_NUMBER) {
+        sidType = CMS_ISSUER_AND_SERIAL_NUMBER;
+    }
+
+    /* allocate recipient struct */
+    recip = (Pkcs7EncodedRecip*)XMALLOC(sizeof(Pkcs7EncodedRecip), pkcs7->heap,
+                                 DYNAMIC_TYPE_PKCS7);
+    if (recip == NULL) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return MEMORY_E;
+    }
+    XMEMSET(recip, 0, sizeof(Pkcs7EncodedRecip));
+
+    /* get key size for content-encryption key based on algorithm */
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return blockKeySz;
+    }
+
+    /* generate random content encryption key, if needed */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret < 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
 
-    InitDecodedCert(decoded, (byte*)cert, certSz, 0);
+    InitDecodedCert(decoded, (byte*)cert, certSz, pkcs7->heap);
     ret = ParseCert(decoded, CA_TYPE, NO_VERIFY, 0);
     if (ret < 0) {
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ret;
     }
 
-    /* version */
-    verSz = SetMyVersion(0, ver, 0);
+    if (sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
 
-    /* IssuerAndSerialNumber */
-    if (decoded->issuerRaw == NULL || decoded->issuerRawLen == 0) {
-        WOLFSSL_MSG("DecodedCert lacks raw issuer pointer and length");
-        FreeDecodedCert(decoded);
+        /* version, must be 0 for IssuerAndSerialNumber */
+        verSz = SetMyVersion(0, ver, 0);
+        recip->recipVersion = 0;
+
+        /* IssuerAndSerialNumber */
+        if (decoded->issuerRaw == NULL || decoded->issuerRawLen == 0) {
+            WOLFSSL_MSG("DecodedCert lacks raw issuer pointer and length");
+            FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return -1;
-    }
-    issuerSz    = decoded->issuerRawLen;
-    issuerSeqSz = SetSequence(issuerSz, issuerSeq);
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return -1;
+        }
+        issuerSz    = decoded->issuerRawLen;
+        issuerSeqSz = SetSequence(issuerSz, issuerSeq);
 
-    if (decoded->serialSz == 0) {
-        WOLFSSL_MSG("DecodedCert missing serial number");
+        if (decoded->serialSz == 0) {
+            WOLFSSL_MSG("DecodedCert missing serial number");
+            FreeDecodedCert(decoded);
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return -1;
+        }
+        snSz = SetSerialNumber(decoded->serial, decoded->serialSz, serial,
+                               MAX_SN_SZ, MAX_SN_SZ);
+
+        issuerSerialSeqSz = SetSequence(issuerSeqSz + issuerSz + snSz,
+                                        issuerSerialSeq);
+
+    } else if (sidType == CMS_SKID) {
+
+        /* version, must be 2 for SubjectKeyIdentifier */
+        verSz = SetMyVersion(2, ver, 0);
+        recip->recipVersion = 2;
+
+        issuerSKIDSz = SetOctetString(KEYID_SIZE, issuerSKID);
+        issuerSKIDSeqSz = SetExplicit(0, issuerSKIDSz + KEYID_SIZE,
+                                      issuerSKIDSeq);
+    } else {
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return -1;
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return PKCS7_RECIP_E;
     }
-    snSz = SetSerialNumber(decoded->serial, decoded->serialSz, serial);
 
-    issuerSerialSeqSz = SetSequence(issuerSeqSz + issuerSz + snSz,
-                                    issuerSerialSeq);
+    pkcs7->publicKeyOID = decoded->keyOID;
 
     /* KeyEncryptionAlgorithmIdentifier, only support RSA now */
-    if (keyEncAlgo != RSAk) {
+    if (pkcs7->publicKeyOID != RSAk) {
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ALGO_ID_E;
     }
 
-    keyEncAlgSz = SetAlgoID(keyEncAlgo, keyAlgArray, keyType, 0);
+    keyEncAlgSz = SetAlgoID(pkcs7->publicKeyOID, keyAlgArray, oidKeyType, 0);
     if (keyEncAlgSz == 0) {
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return BAD_FUNC_ARG;
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap,
+            DYNAMIC_TYPE_TMP_BUFFER);
     if (pubKey == NULL) {
         FreeDecodedCert(decoded);
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return MEMORY_E;
     }
 #endif
 
     /* EncryptedKey */
-    ret = wc_InitRsaKey(pubKey, 0);
+    ret = wc_InitRsaKey_ex(pubKey, pkcs7->heap, INVALID_DEVID);
     if (ret != 0) {
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(pubKey,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubKey,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ret;
     }
 
     if (wc_RsaPublicKeyDecode(decoded->publicKey, &idx, pubKey,
-                           decoded->pubKeySize) < 0) {
+                              decoded->pubKeySize) < 0) {
         WOLFSSL_MSG("ASN RSA key decode error");
         wc_FreeRsaKey(pubKey);
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(pubKey,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubKey,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return PUBLIC_KEY_E;
     }
 
-    *keyEncSz = wc_RsaPublicEncrypt(contentKeyPlain, blockKeySz, contentKeyEnc,
-                                 MAX_ENCRYPTED_KEY_SZ, pubKey, rng);
+    ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+    if (ret != 0) {
+        wc_FreeRsaKey(pubKey);
+        FreeDecodedCert(decoded);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(pubKey,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+
+    ret = wc_RsaPublicEncrypt(pkcs7->cek, pkcs7->cekSz, encryptedKey,
+                              encryptedKeySz, pubKey, &rng);
     wc_FreeRsaKey(pubKey);
+    wc_FreeRng(&rng);
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(pubKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-    if (*keyEncSz < 0) {
+    if (ret < 0) {
         WOLFSSL_MSG("RSA Public Encrypt failed");
         FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return *keyEncSz;
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
     }
+    encryptedKeySz = ret;
 
-    encKeyOctetStrSz = SetOctetString(*keyEncSz, encKeyOctetStr);
+    encKeyOctetStrSz = SetOctetString(encryptedKeySz, encKeyOctetStr);
 
     /* RecipientInfo */
-    recipSeqSz = SetSequence(verSz + issuerSerialSeqSz + issuerSeqSz +
-                             issuerSz + snSz + keyEncAlgSz + encKeyOctetStrSz +
-                             *keyEncSz, recipSeq);
+    if (sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+        recipSeqSz = SetSequence(verSz + issuerSerialSeqSz + issuerSeqSz +
+                                 issuerSz + snSz + keyEncAlgSz +
+                                 encKeyOctetStrSz + encryptedKeySz, recipSeq);
+
+        if (recipSeqSz + verSz + issuerSerialSeqSz + issuerSeqSz + snSz +
+            keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz > MAX_RECIP_SZ) {
+            WOLFSSL_MSG("RecipientInfo output buffer too small");
+            FreeDecodedCert(decoded);
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return BUFFER_E;
+        }
 
-    if (recipSeqSz + verSz + issuerSerialSeqSz + issuerSeqSz + snSz +
-        keyEncAlgSz + encKeyOctetStrSz + *keyEncSz > (int)outSz) {
-        WOLFSSL_MSG("RecipientInfo output buffer too small");
-        FreeDecodedCert(decoded);
+    } else {
+        recipSeqSz = SetSequence(verSz + issuerSKIDSeqSz + issuerSKIDSz +
+                                 KEYID_SIZE + keyEncAlgSz + encKeyOctetStrSz +
+                                 encryptedKeySz, recipSeq);
+
+        if (recipSeqSz + verSz + issuerSKIDSeqSz + issuerSKIDSz + KEYID_SIZE +
+            keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz > MAX_RECIP_SZ) {
+            WOLFSSL_MSG("RecipientInfo output buffer too small");
+            FreeDecodedCert(decoded);
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return BUFFER_E;
+        }
+    }
+
+    idx = 0;
+    XMEMCPY(recip->recip + idx, recipSeq, recipSeqSz);
+    idx += recipSeqSz;
+    XMEMCPY(recip->recip + idx, ver, verSz);
+    idx += verSz;
+    if (sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+        XMEMCPY(recip->recip + idx, issuerSerialSeq, issuerSerialSeqSz);
+        idx += issuerSerialSeqSz;
+        XMEMCPY(recip->recip + idx, issuerSeq, issuerSeqSz);
+        idx += issuerSeqSz;
+        XMEMCPY(recip->recip + idx, decoded->issuerRaw, issuerSz);
+        idx += issuerSz;
+        XMEMCPY(recip->recip + idx, serial, snSz);
+        idx += snSz;
+    } else {
+        XMEMCPY(recip->recip + idx, issuerSKIDSeq, issuerSKIDSeqSz);
+        idx += issuerSKIDSeqSz;
+        XMEMCPY(recip->recip + idx, issuerSKID, issuerSKIDSz);
+        idx += issuerSKIDSz;
+        XMEMCPY(recip->recip + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
+        idx += KEYID_SIZE;
+    }
+    XMEMCPY(recip->recip + idx, keyAlgArray, keyEncAlgSz);
+    idx += keyEncAlgSz;
+    XMEMCPY(recip->recip + idx, encKeyOctetStr, encKeyOctetStrSz);
+    idx += encKeyOctetStrSz;
+    XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz);
+    idx += encryptedKeySz;
+
+    FreeDecodedCert(decoded);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    /* store recipient size */
+    recip->recipSz = idx;
+    recip->recipType = PKCS7_KTRI;
+
+    /* add recipient to recip list */
+    if (pkcs7->recipList == NULL) {
+        pkcs7->recipList = recip;
+    } else {
+        lastRecip = pkcs7->recipList;
+        while (lastRecip->next != NULL) {
+            lastRecip = lastRecip->next;
+        }
+        lastRecip->next = recip;
+    }
+
+    return idx;
+}
+
+#endif /* !NO_RSA */
+
+
+/* encrypt content using encryptOID algo */
+static int wc_PKCS7_EncryptContent(int encryptOID, byte* key, int keySz,
+                                   byte* iv, int ivSz, byte* aad, word32 aadSz,
+                                   byte* authTag, word32 authTagSz, byte* in,
+                                   int inSz, byte* out)
+{
+    int ret;
+#ifndef NO_AES
+    Aes  aes;
+#endif
+#ifndef NO_DES3
+    Des  des;
+    Des3 des3;
+#endif
+
+    if (key == NULL || iv == NULL || in == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (encryptOID) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128CBCb:
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CBCb:
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CBCb:
+    #endif
+            if (
+                #ifdef WOLFSSL_AES_128
+                    (encryptOID == AES128CBCb && keySz != 16 ) ||
+                #endif
+                #ifdef WOLFSSL_AES_192
+                    (encryptOID == AES192CBCb && keySz != 24 ) ||
+                #endif
+                #ifdef WOLFSSL_AES_256
+                    (encryptOID == AES256CBCb && keySz != 32 ) ||
+                #endif
+                    (ivSz  != AES_BLOCK_SIZE) )
+                return BAD_FUNC_ARG;
+
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesSetKey(&aes, key, keySz, iv, AES_ENCRYPTION);
+                if (ret == 0)
+                    ret = wc_AesCbcEncrypt(&aes, out, in, inSz);
+                wc_AesFree(&aes);
+            }
+            break;
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        case AES128GCMb:
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case AES192GCMb:
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case AES256GCMb:
+        #endif
+        #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+            defined(WOLFSSL_AES_256)
+            if (authTag == NULL)
+                return BAD_FUNC_ARG;
+
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesGcmSetKey(&aes, key, keySz);
+                if (ret == 0)
+                    ret = wc_AesGcmEncrypt(&aes, out, in, inSz, iv, ivSz,
+                                           authTag, authTagSz, aad, aadSz);
+                wc_AesFree(&aes);
+            }
+            break;
+        #endif
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AESCCM
+        #ifdef WOLFSSL_AES_128
+        case AES128CCMb:
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case AES192CCMb:
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case AES256CCMb:
+        #endif
+        #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+            defined(WOLFSSL_AES_256)
+            if (authTag == NULL)
+                return BAD_FUNC_ARG;
+
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesCcmSetKey(&aes, key, keySz);
+                if (ret == 0)
+                    ret = wc_AesCcmEncrypt(&aes, out, in, inSz, iv, ivSz,
+                                           authTag, authTagSz, aad, aadSz);
+                wc_AesFree(&aes);
+            }
+            break;
+        #endif
+    #endif /* HAVE_AESCCM */
+#endif /* NO_AES */
+#ifndef NO_DES3
+        case DESb:
+            if (keySz != DES_KEYLEN || ivSz != DES_BLOCK_SIZE)
+                return BAD_FUNC_ARG;
+
+            ret = wc_Des_SetKey(&des, key, iv, DES_ENCRYPTION);
+            if (ret == 0)
+                ret = wc_Des_CbcEncrypt(&des, out, in, inSz);
+
+            break;
+
+        case DES3b:
+            if (keySz != DES3_KEYLEN || ivSz != DES_BLOCK_SIZE)
+                return BAD_FUNC_ARG;
+
+            ret = wc_Des3Init(&des3, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_Des3_SetKey(&des3, key, iv, DES_ENCRYPTION);
+                if (ret == 0)
+                    ret = wc_Des3_CbcEncrypt(&des3, out, in, inSz);
+                wc_Des3Free(&des3);
+            }
+            break;
 #endif
+        default:
+            WOLFSSL_MSG("Unsupported content cipher type");
+            return ALGO_ID_E;
+    };
+
+#if defined(NO_AES) || (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM))
+    (void)authTag;
+    (void)authTagSz;
+    (void)aad;
+    (void)aadSz;
+#endif
+    return ret;
+}
+
+
+/* decrypt content using encryptOID algo
+ * returns 0 on success */
+static int wc_PKCS7_DecryptContent(PKCS7* pkcs7, int encryptOID, byte* key,
+        int keySz, byte* iv, int ivSz, byte* aad, word32 aadSz, byte* authTag,
+        word32 authTagSz, byte* in, int inSz, byte* out)
+{
+    int ret;
+#ifndef NO_AES
+    Aes  aes;
+#endif
+#ifndef NO_DES3
+    Des  des;
+    Des3 des3;
+#endif
+
+    if (iv == NULL || in == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    if (pkcs7->decryptionCb != NULL) {
+        return pkcs7->decryptionCb(pkcs7, encryptOID, iv, ivSz,
+                                      aad, aadSz, authTag, authTagSz, in,
+                                      inSz, out, pkcs7->decryptionCtx);
+    }
+
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (encryptOID) {
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        case AES128CBCb:
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CBCb:
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CBCb:
+    #endif
+            if (
+                #ifdef WOLFSSL_AES_128
+                    (encryptOID == AES128CBCb && keySz != 16 ) ||
+                #endif
+                #ifdef WOLFSSL_AES_192
+                    (encryptOID == AES192CBCb && keySz != 24 ) ||
+                #endif
+                #ifdef WOLFSSL_AES_256
+                    (encryptOID == AES256CBCb && keySz != 32 ) ||
+                #endif
+                    (ivSz  != AES_BLOCK_SIZE) )
+                return BAD_FUNC_ARG;
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesSetKey(&aes, key, keySz, iv, AES_DECRYPTION);
+                if (ret == 0)
+                    ret = wc_AesCbcDecrypt(&aes, out, in, inSz);
+                wc_AesFree(&aes);
+            }
+            break;
+    #ifdef HAVE_AESGCM
+        #ifdef WOLFSSL_AES_128
+        case AES128GCMb:
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case AES192GCMb:
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case AES256GCMb:
+        #endif
+        #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+            defined(WOLFSSL_AES_256)
+            if (authTag == NULL)
+                return BAD_FUNC_ARG;
+
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesGcmSetKey(&aes, key, keySz);
+                if (ret == 0)
+                    ret = wc_AesGcmDecrypt(&aes, out, in, inSz, iv, ivSz,
+                                           authTag, authTagSz, aad, aadSz);
+                wc_AesFree(&aes);
+            }
+            break;
+        #endif
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AESCCM
+        #ifdef WOLFSSL_AES_128
+        case AES128CCMb:
+        #endif
+        #ifdef WOLFSSL_AES_192
+        case AES192CCMb:
+        #endif
+        #ifdef WOLFSSL_AES_256
+        case AES256CCMb:
+        #endif
+        #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+            defined(WOLFSSL_AES_256)
+            if (authTag == NULL)
+                return BAD_FUNC_ARG;
+
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_AesCcmSetKey(&aes, key, keySz);
+                if (ret == 0)
+                    ret = wc_AesCcmDecrypt(&aes, out, in, inSz, iv, ivSz,
+                                           authTag, authTagSz, aad, aadSz);
+                wc_AesFree(&aes);
+            }
+            break;
+        #endif
+    #endif /* HAVE_AESCCM */
+#endif /* NO_AES */
+#ifndef NO_DES3
+        case DESb:
+            if (keySz != DES_KEYLEN || ivSz != DES_BLOCK_SIZE)
+                return BAD_FUNC_ARG;
+
+            ret = wc_Des_SetKey(&des, key, iv, DES_DECRYPTION);
+            if (ret == 0)
+                ret = wc_Des_CbcDecrypt(&des, out, in, inSz);
+
+            break;
+        case DES3b:
+            if (keySz != DES3_KEYLEN || ivSz != DES_BLOCK_SIZE)
+                return BAD_FUNC_ARG;
+
+            ret = wc_Des3Init(&des3, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                ret = wc_Des3_SetKey(&des3, key, iv, DES_DECRYPTION);
+                if (ret == 0)
+                    ret = wc_Des3_CbcDecrypt(&des3, out, in, inSz);
+                wc_Des3Free(&des3);
+            }
+
+            break;
+#endif
+        default:
+            WOLFSSL_MSG("Unsupported content cipher type");
+            return ALGO_ID_E;
+    };
+
+#if defined(NO_AES) || (!defined(HAVE_AESGCM) && !defined(HAVE_AESCCM))
+    (void)authTag;
+    (void)authTagSz;
+    (void)aad;
+    (void)aadSz;
+#endif
+
+    return ret;
+}
+
+
+/* Generate random block, place in out, return 0 on success negative on error.
+ * Used for generation of IV, nonce, etc */
+static int wc_PKCS7_GenerateBlock(PKCS7* pkcs7, WC_RNG* rng, byte* out,
+                                  word32 outSz)
+{
+    int ret;
+    WC_RNG* rnd = NULL;
+
+    if (out == NULL || outSz == 0)
+        return BAD_FUNC_ARG;
+
+    /* input RNG is optional, init local one if input rng is NULL */
+    if (rng == NULL) {
+        rnd = (WC_RNG*)XMALLOC(sizeof(WC_RNG), pkcs7->heap, DYNAMIC_TYPE_RNG);
+        if (rnd == NULL)
+            return MEMORY_E;
+
+        ret = wc_InitRng_ex(rnd, pkcs7->heap, pkcs7->devId);
+        if (ret != 0) {
+            XFREE(rnd, pkcs7->heap, DYNAMIC_TYPE_RNG);
+            return ret;
+        }
+
+    } else {
+        rnd = rng;
+    }
+
+    ret = wc_RNG_GenerateBlock(rnd, out, outSz);
+
+    if (rng == NULL) {
+        wc_FreeRng(rnd);
+        XFREE(rnd, pkcs7->heap, DYNAMIC_TYPE_RNG);
+    }
+
+    return ret;
+}
+
+
+/* Set default SignerIdentifier type to be used. Is either
+ * IssuerAndSerialNumber or SubjectKeyIdentifier. Encoding defaults to using
+ * IssuerAndSerialNumber unless set with this function or explicitly
+ * overridden via options when adding RecipientInfo type.
+ *
+ * Using the type DEGENERATE_SID skips over signer information. In degenerate
+ * cases there are no signers.
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ * type  - either CMS_ISSUER_AND_SERIAL_NUMBER, CMS_SKID or DEGENERATE_SID
+ *
+ * return 0 on success, negative upon error */
+int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type)
+{
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    if (type != CMS_ISSUER_AND_SERIAL_NUMBER &&
+        type != CMS_SKID &&
+        type != DEGENERATE_SID) {
+        return BAD_FUNC_ARG;
+    }
+
+    pkcs7->sidType = type;
+
+    return 0;
+}
+
+
+/* Set custom contentType, currently supported with SignedData type
+ *
+ * pkcs7       - pointer to initialized PKCS7 structure
+ * contentType - pointer to array with ASN.1 encoded OID value
+ * sz          - length of contentType array, octets
+ *
+ * return 0 on success, negative upon error */
+int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType, word32 sz)
+{
+    if (pkcs7 == NULL || contentType == NULL || sz == 0)
+        return BAD_FUNC_ARG;
+
+    if (sz > MAX_OID_SZ) {
+        WOLFSSL_MSG("input array too large, bounded by MAX_OID_SZ");
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMCPY(pkcs7->contentType, contentType, sz);
+    pkcs7->contentTypeSz = sz;
+
+    return 0;
+}
+
+
+/* return size of padded data, padded to blockSz chunks, or negative on error */
+int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz)
+{
+    int padSz;
+
+    if (blockSz == 0)
+        return BAD_FUNC_ARG;
+
+    padSz = blockSz - (inputSz % blockSz);
+
+    return padSz;
+}
+
+
+/* pad input data to blockSz chunk, place in outSz. out must be big enough
+ * for input + pad bytes. See wc_PKCS7_GetPadSize() helper. */
+int wc_PKCS7_PadData(byte* in, word32 inSz, byte* out, word32 outSz,
+                     word32 blockSz)
+{
+    int i, padSz;
+
+    if (in == NULL  || inSz == 0 ||
+        out == NULL || outSz == 0)
+        return BAD_FUNC_ARG;
+
+    padSz = wc_PKCS7_GetPadSize(inSz, blockSz);
+
+    if (outSz < (inSz + padSz))
+        return BAD_FUNC_ARG;
+
+    XMEMCPY(out, in, inSz);
+
+    for (i = 0; i < padSz; i++) {
+        out[inSz + i] = (byte)padSz;
+    }
+
+    return inSz + padSz;
+}
+
+
+/* Encode and add CMS EnvelopedData ORI (OtherRecipientInfo) RecipientInfo
+ * to CMS/PKCS#7 EnvelopedData structure.
+ *
+ * Return 0 on success, negative upon error */
+int wc_PKCS7_AddRecipient_ORI(PKCS7* pkcs7, CallbackOriEncrypt oriEncryptCb,
+                              int options)
+{
+    int oriTypeLenSz, blockKeySz, ret;
+    word32 idx, recipSeqSz;
+
+    Pkcs7EncodedRecip* recip = NULL;
+    Pkcs7EncodedRecip* lastRecip = NULL;
+
+    byte recipSeq[MAX_SEQ_SZ];
+    byte oriTypeLen[MAX_LENGTH_SZ];
+
+    byte oriType[MAX_ORI_TYPE_SZ];
+    byte oriValue[MAX_ORI_VALUE_SZ];
+    word32 oriTypeSz = MAX_ORI_TYPE_SZ;
+    word32 oriValueSz = MAX_ORI_VALUE_SZ;
+
+    if (pkcs7 == NULL || oriEncryptCb == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* allocate memory for RecipientInfo, KEK, encrypted key */
+    recip = (Pkcs7EncodedRecip*)XMALLOC(sizeof(Pkcs7EncodedRecip),
+                                        pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (recip == NULL)
+        return MEMORY_E;
+    XMEMSET(recip, 0, sizeof(Pkcs7EncodedRecip));
+
+    /* get key size for content-encryption key based on algorithm */
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return blockKeySz;
+    }
+
+    /* generate random content encryption key, if needed */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* call user callback to encrypt CEK and get oriType and oriValue
+       values back */
+    ret = oriEncryptCb(pkcs7, pkcs7->cek, pkcs7->cekSz, oriType, &oriTypeSz,
+                       oriValue, &oriValueSz, pkcs7->oriEncryptCtx);
+    if (ret != 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    oriTypeLenSz = SetLength(oriTypeSz, oriTypeLen);
+
+    recipSeqSz = SetImplicit(ASN_SEQUENCE, 4, 1 + oriTypeLenSz + oriTypeSz +
+                             oriValueSz, recipSeq);
+
+    idx = 0;
+    XMEMCPY(recip->recip + idx, recipSeq, recipSeqSz);
+    idx += recipSeqSz;
+    /* oriType */
+    recip->recip[idx] = ASN_OBJECT_ID;
+    idx += 1;
+    XMEMCPY(recip->recip + idx, oriTypeLen, oriTypeLenSz);
+    idx += oriTypeLenSz;
+    XMEMCPY(recip->recip + idx, oriType, oriTypeSz);
+    idx += oriTypeSz;
+    /* oriValue, input MUST already be ASN.1 encoded */
+    XMEMCPY(recip->recip + idx, oriValue, oriValueSz);
+    idx += oriValueSz;
+
+    /* store recipient size */
+    recip->recipSz = idx;
+    recip->recipType = PKCS7_ORI;
+    recip->recipVersion = 4;
+
+    /* add recipient to recip list */
+    if (pkcs7->recipList == NULL) {
+        pkcs7->recipList = recip;
+    } else {
+        lastRecip = pkcs7->recipList;
+        while (lastRecip->next != NULL) {
+            lastRecip = lastRecip->next;
+        }
+        lastRecip->next = recip;
+    }
+
+    (void)options;
+
+    return idx;
+}
+
+#if !defined(NO_PWDBASED) && !defined(NO_SHA)
+
+
+static int wc_PKCS7_GenerateKEK_PWRI(PKCS7* pkcs7, byte* passwd, word32 pLen,
+                                     byte* salt, word32 saltSz, int kdfOID,
+                                     int prfOID, int iterations, byte* out,
+                                     word32 outSz)
+{
+    int ret;
+
+    if (pkcs7 == NULL || passwd == NULL || salt == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (kdfOID) {
+
+        case PBKDF2_OID:
+
+            ret = wc_PBKDF2(out, passwd, pLen, salt, saltSz, iterations,
+                            outSz, prfOID);
+            if (ret != 0) {
+                return ret;
+            }
+
+            break;
+
+        default:
+            WOLFSSL_MSG("Unsupported KDF OID");
+            return PKCS7_OID_E;
+    }
+
+    return 0;
+}
+
+
+/* RFC3211 (Section 2.3.1) key wrap algorithm (id-alg-PWRI-KEK).
+ *
+ * Returns output size on success, negative upon error */
+static int wc_PKCS7_PwriKek_KeyWrap(PKCS7* pkcs7, const byte* kek, word32 kekSz,
+                                    const byte* cek, word32 cekSz,
+                                    byte* out, word32 *outSz,
+                                    const byte* iv, word32 ivSz, int algID)
+{
+    WC_RNG rng;
+    int blockSz, outLen, ret;
+    word32 padSz;
+    byte* lastBlock;
+
+    if (kek == NULL || cek == NULL || iv == NULL || outSz == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get encryption algorithm block size */
+    blockSz = wc_PKCS7_GetOIDBlockSize(algID);
+    if (blockSz < 0)
+        return blockSz;
+
+    /* get pad bytes needed to block boundary */
+    padSz = blockSz - ((4 + cekSz) % blockSz);
+    outLen = 4 + cekSz + padSz;
+
+    /* must be at least two blocks long */
+    if (outLen < 2 * blockSz)
+        padSz += blockSz;
+
+    /* if user set out to NULL, give back required length */
+    if (out == NULL) {
+        *outSz = outLen;
+        return LENGTH_ONLY_E;
+    }
+
+    /* verify output buffer is large enough */
+    if (*outSz < (word32)outLen)
         return BUFFER_E;
+
+    out[0] = cekSz;
+    out[1] = ~cek[0];
+    out[2] = ~cek[1];
+    out[3] = ~cek[2];
+    XMEMCPY(out + 4, cek, cekSz);
+
+    /* random padding of size padSz */
+    ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_RNG_GenerateBlock(&rng, out + 4 + cekSz, padSz);
+
+    if (ret == 0) {
+        /* encrypt, normal */
+        ret = wc_PKCS7_EncryptContent(algID, (byte*)kek, kekSz, (byte*)iv,
+                                      ivSz, NULL, 0, NULL, 0, out, outLen, out);
+    }
+
+    if (ret == 0) {
+        /* encrypt again, using last ciphertext block as IV */
+        lastBlock = out + (((outLen / blockSz) - 1) * blockSz);
+        ret = wc_PKCS7_EncryptContent(algID, (byte*)kek, kekSz, lastBlock,
+                                      blockSz, NULL, 0, NULL, 0, out,
+                                      outLen, out);
     }
 
-    XMEMCPY(out + totalSz, recipSeq, recipSeqSz);
+    if (ret == 0) {
+        *outSz = outLen;
+    } else {
+        outLen = ret;
+    }
+
+    wc_FreeRng(&rng);
+
+    return outLen;
+}
+
+
+/* RFC3211 (Section 2.3.2) key unwrap algorithm (id-alg-PWRI-KEK).
+ *
+ * Returns cek size on success, negative upon error */
+static int wc_PKCS7_PwriKek_KeyUnWrap(PKCS7* pkcs7, const byte* kek,
+                                      word32 kekSz, const byte* in, word32 inSz,
+                                      byte* out, word32 outSz, const byte* iv,
+                                      word32 ivSz, int algID)
+{
+    int blockSz, cekLen, ret;
+    byte* tmpIv     = NULL;
+    byte* lastBlock = NULL;
+    byte* outTmp    = NULL;
+
+    if (pkcs7 == NULL || kek == NULL || in == NULL ||
+        out == NULL || iv == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    outTmp = (byte*)XMALLOC(inSz, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (outTmp == NULL)
+        return MEMORY_E;
+
+    /* get encryption algorithm block size */
+    blockSz = wc_PKCS7_GetOIDBlockSize(algID);
+    if (blockSz < 0) {
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return blockSz;
+    }
+
+    /* input needs to be blockSz multiple and at least 2 * blockSz */
+    if (((inSz % blockSz) != 0) || (inSz < (2 * (word32)blockSz))) {
+        WOLFSSL_MSG("PWRI-KEK unwrap input must of block size and >= 2 "
+                    "times block size");
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BAD_FUNC_ARG;
+    }
+
+    /* use block out[n-1] as IV to decrypt block out[n] */
+    lastBlock = (byte*)in + inSz - blockSz;
+    tmpIv = lastBlock - blockSz;
+
+    /* decrypt last block */
+    ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz, tmpIv,
+            blockSz, NULL, 0, NULL, 0, lastBlock, blockSz,
+            outTmp + inSz - blockSz);
+
+    if (ret == 0) {
+        /* using last decrypted block as IV, decrypt [0 ... n-1] blocks */
+        lastBlock = outTmp + inSz - blockSz;
+        ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz,
+                lastBlock, blockSz, NULL, 0, NULL, 0, (byte*)in, inSz - blockSz,
+                outTmp);
+    }
+
+    if (ret == 0) {
+        /* decrypt using original kek and iv */
+        ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz,
+                (byte*)iv, ivSz, NULL, 0, NULL, 0, outTmp, inSz, outTmp);
+    }
+
+    if (ret != 0) {
+        ForceZero(outTmp, inSz);
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+
+    cekLen = outTmp[0];
+
+    /* verify length */
+    if ((word32)cekLen > inSz) {
+        ForceZero(outTmp, inSz);
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BAD_FUNC_ARG;
+    }
+
+    /* verify check bytes */
+    if ((outTmp[1] ^ outTmp[4]) != 0xFF ||
+        (outTmp[2] ^ outTmp[5]) != 0xFF ||
+        (outTmp[3] ^ outTmp[6]) != 0xFF) {
+        ForceZero(outTmp, inSz);
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BAD_FUNC_ARG;
+    }
+
+    if (outSz < (word32)cekLen) {
+        ForceZero(outTmp, inSz);
+        XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BUFFER_E;
+    }
+
+    XMEMCPY(out, outTmp + 4, outTmp[0]);
+    ForceZero(outTmp, inSz);
+    XFREE(outTmp, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return cekLen;
+}
+
+
+/* Encode and add CMS EnvelopedData PWRI (PasswordRecipientInfo) RecipientInfo
+ * to CMS/PKCS#7 EnvelopedData structure.
+ *
+ * Return 0 on success, negative upon error */
+int wc_PKCS7_AddRecipient_PWRI(PKCS7* pkcs7, byte* passwd, word32 pLen,
+                               byte* salt, word32 saltSz, int kdfOID,
+                               int hashOID, int iterations, int kekEncryptOID,
+                               int options)
+{
+    Pkcs7EncodedRecip* recip = NULL;
+    Pkcs7EncodedRecip* lastRecip = NULL;
+
+    /* PasswordRecipientInfo */
+    byte recipSeq[MAX_SEQ_SZ];
+    byte ver[MAX_VERSION_SZ];
+    word32 recipSeqSz, verSz;
+
+    /* KeyDerivationAlgorithmIdentifier */
+    byte kdfAlgoIdSeq[MAX_SEQ_SZ];
+    byte kdfAlgoId[MAX_OID_SZ];
+    byte kdfParamsSeq[MAX_SEQ_SZ];              /* PBKDF2-params */
+    byte kdfSaltOctetStr[MAX_OCTET_STR_SZ];     /* salt OCTET STRING */
+    byte kdfIterations[MAX_VERSION_SZ];
+    word32 kdfAlgoIdSeqSz, kdfAlgoIdSz;
+    word32 kdfParamsSeqSz, kdfSaltOctetStrSz, kdfIterationsSz;
+    /* OPTIONAL: keyLength, not supported yet */
+    /* OPTIONAL: prf AlgorithIdentifier, not supported yet */
+
+    /* KeyEncryptionAlgorithmIdentifier */
+    byte keyEncAlgoIdSeq[MAX_SEQ_SZ];
+    byte keyEncAlgoId[MAX_OID_SZ];              /* id-alg-PWRI-KEK */
+    byte pwriEncAlgoId[MAX_ALGO_SZ];
+    byte ivOctetString[MAX_OCTET_STR_SZ];
+    word32 keyEncAlgoIdSeqSz, keyEncAlgoIdSz;
+    word32 pwriEncAlgoIdSz, ivOctetStringSz;
+
+    /* EncryptedKey */
+    byte encKeyOctetStr[MAX_OCTET_STR_SZ];
+    word32 encKeyOctetStrSz;
+
+    byte tmpIv[MAX_CONTENT_IV_SIZE];
+    byte* encryptedKey = NULL;
+    byte* kek = NULL;
+
+    int cekKeySz = 0, kekKeySz = 0, kekBlockSz = 0, ret = 0;
+    int encryptOID;
+    word32 idx, totalSz = 0, encryptedKeySz;
+
+    if (pkcs7 == NULL || passwd == NULL || pLen == 0 ||
+        salt == NULL || saltSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* allow user to use different KEK encryption algorithm than used for
+     * main content encryption algorithm, if passed in */
+    if (kekEncryptOID != 0) {
+        encryptOID = kekEncryptOID;
+    } else {
+        encryptOID = pkcs7->encryptOID;
+    }
+
+    /* get content-encryption key size, based on algorithm */
+    cekKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (cekKeySz < 0)
+        return cekKeySz;
+
+    /* get KEK encryption key size, based on algorithm */
+    if (encryptOID != pkcs7->encryptOID) {
+        kekKeySz = wc_PKCS7_GetOIDKeySize(encryptOID);
+    } else {
+        kekKeySz = cekKeySz;
+    }
+
+    /* get KEK encryption block size */
+    kekBlockSz = wc_PKCS7_GetOIDBlockSize(encryptOID);
+    if (kekBlockSz < 0)
+        return kekBlockSz;
+
+    /* generate random CEK */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, cekKeySz);
+    if (ret < 0)
+        return ret;
+
+    /* generate random IV */
+    ret = wc_PKCS7_GenerateBlock(pkcs7, NULL, tmpIv, kekBlockSz);
+    if (ret != 0)
+        return ret;
+
+    /* allocate memory for RecipientInfo, KEK, encrypted key */
+    recip = (Pkcs7EncodedRecip*)XMALLOC(sizeof(Pkcs7EncodedRecip),
+                                        pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (recip == NULL)
+        return MEMORY_E;
+
+    kek = (byte*)XMALLOC(kekKeySz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (kek == NULL) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ,
+                                  pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (encryptedKey == NULL) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+    XMEMSET(recip, 0, sizeof(Pkcs7EncodedRecip));
+    XMEMSET(kek, 0, kekKeySz);
+    XMEMSET(encryptedKey, 0, encryptedKeySz);
+
+    /* generate KEK: expand password into KEK */
+    ret = wc_PKCS7_GenerateKEK_PWRI(pkcs7, passwd, pLen, salt, saltSz,
+                                    kdfOID, hashOID, iterations, kek,
+                                    kekKeySz);
+    if (ret < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* generate encrypted key: encrypt CEK with KEK */
+    ret = wc_PKCS7_PwriKek_KeyWrap(pkcs7, kek, kekKeySz, pkcs7->cek,
+                                   pkcs7->cekSz, encryptedKey, &encryptedKeySz,
+                                   tmpIv, kekBlockSz, encryptOID);
+    if (ret < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+    encryptedKeySz = ret;
+
+    /* put together encrypted key OCTET STRING */
+    encKeyOctetStrSz = SetOctetString(encryptedKeySz, encKeyOctetStr);
+    totalSz += (encKeyOctetStrSz + encryptedKeySz);
+
+    /* put together IV OCTET STRING */
+    ivOctetStringSz = SetOctetString(kekBlockSz, ivOctetString);
+    totalSz += (ivOctetStringSz + kekBlockSz);
+
+    /* set PWRIAlgorithms AlgorithmIdentifier, adding (ivOctetStringSz +
+       blockKeySz) for IV OCTET STRING */
+    pwriEncAlgoIdSz = SetAlgoID(encryptOID, pwriEncAlgoId,
+                                oidBlkType, ivOctetStringSz + kekBlockSz);
+    totalSz += pwriEncAlgoIdSz;
+
+    /* set KeyEncryptionAlgorithms OID */
+    ret = wc_SetContentType(PWRI_KEK_WRAP, keyEncAlgoId, sizeof(keyEncAlgoId));
+    if (ret <= 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+    keyEncAlgoIdSz = ret;
+    totalSz += keyEncAlgoIdSz;
+
+    /* KeyEncryptionAlgorithm SEQ */
+    keyEncAlgoIdSeqSz = SetSequence(keyEncAlgoIdSz + pwriEncAlgoIdSz +
+                                    ivOctetStringSz + kekBlockSz,
+                                    keyEncAlgoIdSeq);
+    totalSz += keyEncAlgoIdSeqSz;
+
+    /* set KDF salt */
+    kdfSaltOctetStrSz = SetOctetString(saltSz, kdfSaltOctetStr);
+    totalSz += (kdfSaltOctetStrSz + saltSz);
+
+    /* set KDF iteration count */
+    kdfIterationsSz = SetMyVersion(iterations, kdfIterations, 0);
+    totalSz += kdfIterationsSz;
+
+    /* set KDF params SEQ */
+    kdfParamsSeqSz = SetSequence(kdfSaltOctetStrSz + saltSz + kdfIterationsSz,
+                                 kdfParamsSeq);
+    totalSz += kdfParamsSeqSz;
+
+    /* set KDF algo OID */
+    ret = wc_SetContentType(kdfOID, kdfAlgoId, sizeof(kdfAlgoId));
+    if (ret <= 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+    kdfAlgoIdSz = ret;
+    totalSz += kdfAlgoIdSz;
+
+    /* set KeyDerivationAlgorithmIdentifier EXPLICIT [0] SEQ */
+    kdfAlgoIdSeqSz = SetExplicit(0, kdfAlgoIdSz + kdfParamsSeqSz +
+                                 kdfSaltOctetStrSz + saltSz + kdfIterationsSz,
+                                 kdfAlgoIdSeq);
+    totalSz += kdfAlgoIdSeqSz;
+
+    /* set PasswordRecipientInfo CMSVersion, MUST be 0 */
+    verSz = SetMyVersion(0, ver, 0);
+    totalSz += verSz;
+    recip->recipVersion = 0;
+
+    /* set PasswordRecipientInfo SEQ */
+    recipSeqSz = SetImplicit(ASN_SEQUENCE, 3, totalSz, recipSeq);
     totalSz += recipSeqSz;
-    XMEMCPY(out + totalSz, ver, verSz);
+
+    if (totalSz > MAX_RECIP_SZ) {
+        WOLFSSL_MSG("CMS Recipient output buffer too small");
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BUFFER_E;
+    }
+
+    idx = 0;
+    XMEMCPY(recip->recip + idx, recipSeq, recipSeqSz);
+    idx += recipSeqSz;
+    XMEMCPY(recip->recip + idx, ver, verSz);
+    idx += verSz;
+    XMEMCPY(recip->recip + idx, kdfAlgoIdSeq, kdfAlgoIdSeqSz);
+    idx += kdfAlgoIdSeqSz;
+    XMEMCPY(recip->recip + idx, kdfAlgoId, kdfAlgoIdSz);
+    idx += kdfAlgoIdSz;
+    XMEMCPY(recip->recip + idx, kdfParamsSeq, kdfParamsSeqSz);
+    idx += kdfParamsSeqSz;
+    XMEMCPY(recip->recip + idx, kdfSaltOctetStr, kdfSaltOctetStrSz);
+    idx += kdfSaltOctetStrSz;
+    XMEMCPY(recip->recip + idx, salt, saltSz);
+    idx += saltSz;
+    XMEMCPY(recip->recip + idx, kdfIterations, kdfIterationsSz);
+    idx += kdfIterationsSz;
+    XMEMCPY(recip->recip + idx, keyEncAlgoIdSeq, keyEncAlgoIdSeqSz);
+    idx += keyEncAlgoIdSeqSz;
+    XMEMCPY(recip->recip + idx, keyEncAlgoId, keyEncAlgoIdSz);
+    idx += keyEncAlgoIdSz;
+    XMEMCPY(recip->recip + idx, pwriEncAlgoId, pwriEncAlgoIdSz);
+    idx += pwriEncAlgoIdSz;
+    XMEMCPY(recip->recip + idx, ivOctetString, ivOctetStringSz);
+    idx += ivOctetStringSz;
+    XMEMCPY(recip->recip + idx, tmpIv, kekBlockSz);
+    idx += kekBlockSz;
+    XMEMCPY(recip->recip + idx, encKeyOctetStr, encKeyOctetStrSz);
+    idx += encKeyOctetStrSz;
+    XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz);
+    idx += encryptedKeySz;
+
+    ForceZero(kek, kekBlockSz);
+    ForceZero(encryptedKey, encryptedKeySz);
+    XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    /* store recipient size */
+    recip->recipSz = idx;
+    recip->recipType = PKCS7_PWRI;
+
+    /* add recipient to recip list */
+    if (pkcs7->recipList == NULL) {
+        pkcs7->recipList = recip;
+    } else {
+        lastRecip = pkcs7->recipList;
+        while (lastRecip->next != NULL) {
+            lastRecip = lastRecip->next;
+        }
+        lastRecip->next = recip;
+    }
+
+    (void)options;
+
+    return idx;
+}
+
+/* Import password and KDF settings into a PKCS7 structure. Used for setting
+ * the password info for decryption a EnvelopedData PWRI RecipientInfo.
+ *
+ * Returns 0 on success, negative upon error */
+int wc_PKCS7_SetPassword(PKCS7* pkcs7, byte* passwd, word32 pLen)
+{
+    if (pkcs7 == NULL || passwd == NULL || pLen == 0)
+        return BAD_FUNC_ARG;
+
+    pkcs7->pass = passwd;
+    pkcs7->passSz = pLen;
+
+    return 0;
+}
+
+#endif /* NO_PWDBASED */
+
+
+/* Encode and add CMS EnvelopedData KEKRI (KEKRecipientInfo) RecipientInfo
+ * to CMS/PKCS#7 EnvelopedData structure.
+ *
+ * pkcs7 - pointer to initialized PKCS7 structure
+ * keyWrapOID - OID sum of key wrap algorithm identifier
+ * kek        - key encryption key
+ * kekSz      - size of kek, bytes
+ * keyID      - key-encryption key identifier, pre-distributed to endpoints
+ * keyIDSz    - size of keyID, bytes
+ * timePtr    - pointer to "time_t", which is typically "long" (OPTIONAL)
+ * otherOID   - ASN.1 encoded OID of other attribute (OPTIONAL)
+ * otherOIDSz - size of otherOID, bytes (OPTIONAL)
+ * other      - other attribute (OPTIONAL)
+ * otherSz    - size of other (OPTIONAL)
+ *
+ * Returns 0 on success, negative upon error */
+int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
+                                word32 kekSz, byte* keyId, word32 keyIdSz,
+                                void* timePtr, byte* otherOID,
+                                word32 otherOIDSz, byte* other, word32 otherSz,
+                                int options)
+{
+    Pkcs7EncodedRecip* recip = NULL;
+    Pkcs7EncodedRecip* lastRecip = NULL;
+
+    byte recipSeq[MAX_SEQ_SZ];
+    byte ver[MAX_VERSION_SZ];
+    byte kekIdSeq[MAX_SEQ_SZ];
+    byte kekIdOctetStr[MAX_OCTET_STR_SZ];
+    byte genTime[ASN_GENERALIZED_TIME_SIZE];
+    byte otherAttSeq[MAX_SEQ_SZ];
+    byte encAlgoId[MAX_ALGO_SZ];
+    byte encKeyOctetStr[MAX_OCTET_STR_SZ];
+#ifdef WOLFSSL_SMALL_STACK
+    byte* encryptedKey;
+#else
+    byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
+#endif
+
+    int blockKeySz = 0, ret = 0, direction;
+    word32 idx = 0;
+    word32 totalSz = 0;
+    word32 recipSeqSz = 0, verSz = 0;
+    word32 kekIdSeqSz = 0, kekIdOctetStrSz = 0;
+    word32 otherAttSeqSz = 0, encAlgoIdSz = 0, encKeyOctetStrSz = 0;
+    int encryptedKeySz;
+
+    int timeSz = 0;
+#ifndef NO_ASN_TIME
+    time_t* tm = NULL;
+#endif
+
+    if (pkcs7 == NULL || kek == NULL || keyId == NULL)
+        return BAD_FUNC_ARG;
+
+    recip = (Pkcs7EncodedRecip*)XMALLOC(sizeof(Pkcs7EncodedRecip), pkcs7->heap,
+                                 DYNAMIC_TYPE_PKCS7);
+    if (recip == NULL)
+        return MEMORY_E;
+
+    XMEMSET(recip, 0, sizeof(Pkcs7EncodedRecip));
+
+    /* get key size for content-encryption key based on algorithm */
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return blockKeySz;
+    }
+
+    /* generate random content encryption key, if needed */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret < 0) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* EncryptedKey */
+#ifdef WOLFSSL_SMALL_STACK
+    encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                  DYNAMIC_TYPE_PKCS7);
+    if (encryptedKey == NULL) {
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+#endif
+    encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+    XMEMSET(encryptedKey, 0, encryptedKeySz);
+
+    #ifndef NO_AES
+        direction = AES_ENCRYPTION;
+    #else
+        direction = DES_ENCRYPTION;
+    #endif
+
+    encryptedKeySz = wc_PKCS7_KeyWrap(pkcs7->cek, pkcs7->cekSz, kek, kekSz,
+                                      encryptedKey, encryptedKeySz, keyWrapOID,
+                                      direction);
+    if (encryptedKeySz < 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return encryptedKeySz;
+    }
+    /* handle a zero size encKey case as WC_KEY_SIZE_E */
+    if (encryptedKeySz == 0 || encryptedKeySz > MAX_ENCRYPTED_KEY_SZ) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return WC_KEY_SIZE_E;
+    }
+
+    encKeyOctetStrSz = SetOctetString(encryptedKeySz, encKeyOctetStr);
+    totalSz += (encKeyOctetStrSz + encryptedKeySz);
+
+    /* KeyEncryptionAlgorithmIdentifier */
+    encAlgoIdSz = SetAlgoID(keyWrapOID, encAlgoId, oidKeyWrapType, 0);
+    totalSz += encAlgoIdSz;
+
+    /* KEKIdentifier: keyIdentifier */
+    kekIdOctetStrSz = SetOctetString(keyIdSz, kekIdOctetStr);
+    totalSz += (kekIdOctetStrSz + keyIdSz);
+
+    /* KEKIdentifier: GeneralizedTime (OPTIONAL) */
+#ifndef NO_ASN_TIME
+    if (timePtr != NULL) {
+        tm = (time_t*)timePtr;
+        timeSz = GetAsnTimeString(tm, genTime, sizeof(genTime));
+        if (timeSz < 0) {
+            XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        #endif
+            return timeSz;
+        }
+        totalSz += timeSz;
+    }
+#endif
+
+    /* KEKIdentifier: OtherKeyAttribute SEQ (OPTIONAL) */
+    if (other != NULL && otherSz > 0) {
+        otherAttSeqSz = SetSequence(otherOIDSz + otherSz, otherAttSeq);
+        totalSz += otherAttSeqSz + otherOIDSz + otherSz;
+    }
+
+    /* KEKIdentifier SEQ */
+    kekIdSeqSz = SetSequence(kekIdOctetStrSz + keyIdSz + timeSz +
+                             otherAttSeqSz + otherOIDSz + otherSz, kekIdSeq);
+    totalSz += kekIdSeqSz;
+
+    /* version */
+    verSz = SetMyVersion(4, ver, 0);
     totalSz += verSz;
-    XMEMCPY(out + totalSz, issuerSerialSeq, issuerSerialSeqSz);
-    totalSz += issuerSerialSeqSz;
-    XMEMCPY(out + totalSz, issuerSeq, issuerSeqSz);
-    totalSz += issuerSeqSz;
-    XMEMCPY(out + totalSz, decoded->issuerRaw, issuerSz);
-    totalSz += issuerSz;
-    XMEMCPY(out + totalSz, serial, snSz);
-    totalSz += snSz;
-    XMEMCPY(out + totalSz, keyAlgArray, keyEncAlgSz);
-    totalSz += keyEncAlgSz;
-    XMEMCPY(out + totalSz, encKeyOctetStr, encKeyOctetStrSz);
-    totalSz += encKeyOctetStrSz;
-    XMEMCPY(out + totalSz, contentKeyEnc, *keyEncSz);
-    totalSz += *keyEncSz;
+    recip->recipVersion = 4;
 
-    FreeDecodedCert(decoded);
+    /* KEKRecipientInfo SEQ */
+    recipSeqSz = SetImplicit(ASN_SEQUENCE, 2, totalSz, recipSeq);
+    totalSz += recipSeqSz;
+
+    if (totalSz > MAX_RECIP_SZ) {
+        WOLFSSL_MSG("CMS Recipient output buffer too small");
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #endif
+        return BUFFER_E;
+    }
+
+    XMEMCPY(recip->recip + idx, recipSeq, recipSeqSz);
+    idx += recipSeqSz;
+    XMEMCPY(recip->recip + idx, ver, verSz);
+    idx += verSz;
+    XMEMCPY(recip->recip + idx, kekIdSeq, kekIdSeqSz);
+    idx += kekIdSeqSz;
+    XMEMCPY(recip->recip + idx, kekIdOctetStr, kekIdOctetStrSz);
+    idx += kekIdOctetStrSz;
+    XMEMCPY(recip->recip + idx, keyId, keyIdSz);
+    idx += keyIdSz;
+    if (timePtr != NULL) {
+        XMEMCPY(recip->recip + idx, genTime, timeSz);
+        idx += timeSz;
+    }
+    if (other != NULL && otherSz > 0) {
+        XMEMCPY(recip->recip + idx, otherAttSeq, otherAttSeqSz);
+        idx += otherAttSeqSz;
+        XMEMCPY(recip->recip + idx, otherOID, otherOIDSz);
+        idx += otherOIDSz;
+        XMEMCPY(recip->recip + idx, other, otherSz);
+        idx += otherSz;
+    }
+    XMEMCPY(recip->recip + idx, encAlgoId, encAlgoIdSz);
+    idx += encAlgoIdSz;
+    XMEMCPY(recip->recip + idx, encKeyOctetStr, encKeyOctetStrSz);
+    idx += encKeyOctetStrSz;
+    XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz);
+    idx += encryptedKeySz;
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(serial,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(decoded,     NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 #endif
 
-    return totalSz;
+    /* store recipient size */
+    recip->recipSz = idx;
+    recip->recipType = PKCS7_KEKRI;
+
+    /* add recipient to recip list */
+    if (pkcs7->recipList == NULL) {
+        pkcs7->recipList = recip;
+    } else {
+        lastRecip = pkcs7->recipList;
+        while(lastRecip->next != NULL) {
+            lastRecip = lastRecip->next;
+        }
+        lastRecip->next = recip;
+    }
+
+    (void)options;
+
+    return idx;
+}
+
+
+static int wc_PKCS7_GetCMSVersion(PKCS7* pkcs7, int cmsContentType)
+{
+    int version = -1;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    switch (cmsContentType) {
+        case ENVELOPED_DATA:
+
+            /* NOTE: EnvelopedData does not currently support
+               originatorInfo or unprotectedAttributes. When either of these
+               are added, version checking below needs to be updated to match
+               Section 6.1 of RFC 5652 */
+
+            /* if RecipientInfos include pwri or ori, version is 3 */
+            if (wc_PKCS7_RecipientListIncludesType(pkcs7, PKCS7_PWRI) ||
+                wc_PKCS7_RecipientListIncludesType(pkcs7, PKCS7_ORI)) {
+                version = 3;
+                break;
+            }
+
+            /* if unprotectedAttrs is absent AND all RecipientInfo structs
+               are version 0, version is 0 */
+            if (wc_PKCS7_RecipientListVersionsAllZero(pkcs7)) {
+                version = 0;
+                break;
+            }
+
+            /* otherwise, version is 2 */
+            version = 2;
+            break;
+
+        default:
+            break;
+    }
+
+    return version;
 }
 
 
 /* build PKCS#7 envelopedData content type, return enveloped size */
 int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
 {
-    int i, ret = 0, idx = 0;
-    int totalSz = 0, padSz = 0, desOutSz = 0;
+    int ret, idx = 0;
+    int totalSz, padSz, encryptedOutSz;
 
-    int contentInfoSeqSz, outerContentTypeSz, outerContentSz;
+    int contentInfoSeqSz = 0, outerContentTypeSz = 0, outerContentSz;
     byte contentInfoSeq[MAX_SEQ_SZ];
     byte outerContentType[MAX_ALGO_SZ];
     byte outerContent[MAX_SEQ_SZ];
 
+    int kariVersion;
     int envDataSeqSz, verSz;
     byte envDataSeq[MAX_SEQ_SZ];
     byte ver[MAX_VERSION_SZ];
 
-    RNG rng;
-    int contentKeyEncSz, blockKeySz;
-    int dynamicFlag = 0;
-    byte contentKeyPlain[MAX_CONTENT_KEY_LEN];
-#ifdef WOLFSSL_SMALL_STACK
-    byte* contentKeyEnc;
-#else
-    byte contentKeyEnc[MAX_ENCRYPTED_KEY_SZ];
-#endif
+    WC_RNG rng;
+    int blockSz, blockKeySz;
     byte* plain;
     byte* encryptedContent;
 
+    Pkcs7EncodedRecip* tmpRecip = NULL;
     int recipSz, recipSetSz;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* recip;
-#else
-    byte recip[MAX_RECIP_SZ];
-#endif
     byte recipSet[MAX_SET_SZ];
 
     int encContentOctetSz, encContentSeqSz, contentTypeSz;
@@ -1203,204 +7717,3109 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
     byte encContentSeq[MAX_SEQ_SZ];
     byte contentType[MAX_ALGO_SZ];
     byte contentEncAlgo[MAX_ALGO_SZ];
-    byte tmpIv[DES_BLOCK_SIZE];
+    byte tmpIv[MAX_CONTENT_IV_SIZE];
     byte ivOctetString[MAX_OCTET_STR_SZ];
     byte encContentOctet[MAX_OCTET_STR_SZ];
 
-    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0 ||
-        pkcs7->encryptOID == 0 || pkcs7->singleCert == NULL)
+    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0)
         return BAD_FUNC_ARG;
 
     if (output == NULL || outputSz == 0)
         return BAD_FUNC_ARG;
 
-    /* PKCS#7 only supports DES, 3DES for now */
-    switch (pkcs7->encryptOID) {
-        case DESb:
-            blockKeySz = DES_KEYLEN;
-            break;
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0)
+        return blockKeySz;
 
-        case DES3b:
-            blockKeySz = DES3_KEYLEN;
+    blockSz = wc_PKCS7_GetOIDBlockSize(pkcs7->encryptOID);
+    if (blockSz < 0)
+        return blockSz;
+
+    if (pkcs7->contentOID != FIRMWARE_PKG_DATA) {
+        /* outer content type */
+        ret = wc_SetContentType(ENVELOPED_DATA, outerContentType,
+                                sizeof(outerContentType));
+        if (ret < 0)
+            return ret;
+
+        outerContentTypeSz = ret;
+    }
+
+    /* generate random content encryption key */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret != 0) {
+        return ret;
+    }
+
+    /* build RecipientInfo, only if user manually set singleCert and size */
+    if (pkcs7->singleCert != NULL && pkcs7->singleCertSz > 0) {
+        switch (pkcs7->publicKeyOID) {
+        #ifndef NO_RSA
+            case RSAk:
+                ret = wc_PKCS7_AddRecipient_KTRI(pkcs7, pkcs7->singleCert,
+                                                 pkcs7->singleCertSz, 0);
+                break;
+        #endif
+        #ifdef HAVE_ECC
+            case ECDSAk:
+                ret = wc_PKCS7_AddRecipient_KARI(pkcs7, pkcs7->singleCert,
+                                                 pkcs7->singleCertSz,
+                                                 pkcs7->keyWrapOID,
+                                                 pkcs7->keyAgreeOID, pkcs7->ukm,
+                                                 pkcs7->ukmSz, 0);
+                break;
+        #endif
+
+            default:
+                WOLFSSL_MSG("Unsupported RecipientInfo public key type");
+                return BAD_FUNC_ARG;
+        };
+
+        if (ret < 0) {
+            WOLFSSL_MSG("Failed to create RecipientInfo");
+            return ret;
+        }
+    }
+
+    recipSz = wc_PKCS7_GetRecipientListSize(pkcs7);
+    if (recipSz < 0) {
+        return ret;
+
+    } else if (recipSz == 0) {
+        WOLFSSL_MSG("You must add at least one CMS recipient");
+        return PKCS7_RECIP_E;
+    }
+    recipSetSz = SetSet(recipSz, recipSet);
+
+    /* version, defined in Section 6.1 of RFC 5652 */
+    kariVersion = wc_PKCS7_GetCMSVersion(pkcs7, ENVELOPED_DATA);
+    if (kariVersion < 0) {
+        WOLFSSL_MSG("Failed to set CMS EnvelopedData version");
+        return PKCS7_RECIP_E;
+    }
+
+    verSz = SetMyVersion(kariVersion, ver, 0);
+
+    ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+    if (ret != 0)
+        return ret;
+
+    /* generate IV for block cipher */
+    ret = wc_PKCS7_GenerateBlock(pkcs7, &rng, tmpIv, blockSz);
+    wc_FreeRng(&rng);
+    if (ret != 0)
+        return ret;
+
+    /* EncryptedContentInfo */
+    ret = wc_SetContentType(pkcs7->contentOID, contentType,
+                            sizeof(contentType));
+    if (ret < 0)
+        return ret;
+
+    contentTypeSz = ret;
+
+    /* allocate encrypted content buffer and PKCS#7 padding */
+    padSz = wc_PKCS7_GetPadSize(pkcs7->contentSz, blockSz);
+    if (padSz < 0)
+        return padSz;
+
+    encryptedOutSz = pkcs7->contentSz + padSz;
+
+    plain = (byte*)XMALLOC(encryptedOutSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (plain == NULL)
+        return MEMORY_E;
+
+    ret = wc_PKCS7_PadData(pkcs7->content, pkcs7->contentSz, plain,
+                           encryptedOutSz, blockSz);
+    if (ret < 0) {
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    encryptedContent = (byte*)XMALLOC(encryptedOutSz, pkcs7->heap,
+                                      DYNAMIC_TYPE_PKCS7);
+    if (encryptedContent == NULL) {
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    /* put together IV OCTET STRING */
+    ivOctetStringSz = SetOctetString(blockSz, ivOctetString);
+
+    /* build up our ContentEncryptionAlgorithmIdentifier sequence,
+     * adding (ivOctetStringSz + blockSz) for IV OCTET STRING */
+    contentEncAlgoSz = SetAlgoID(pkcs7->encryptOID, contentEncAlgo,
+                                 oidBlkType, ivOctetStringSz + blockSz);
+
+    if (contentEncAlgoSz == 0) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BAD_FUNC_ARG;
+    }
+
+    /* encrypt content */
+    ret = wc_PKCS7_EncryptContent(pkcs7->encryptOID, pkcs7->cek,
+            pkcs7->cekSz, tmpIv, blockSz, NULL, 0, NULL, 0, plain,
+            encryptedOutSz, encryptedContent);
+
+    if (ret != 0) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    encContentOctetSz = SetImplicit(ASN_OCTET_STRING, 0, encryptedOutSz,
+                                    encContentOctet);
+
+    encContentSeqSz = SetSequence(contentTypeSz + contentEncAlgoSz +
+                                  ivOctetStringSz + blockSz +
+                                  encContentOctetSz + encryptedOutSz,
+                                  encContentSeq);
+
+    /* keep track of sizes for outer wrapper layering */
+    totalSz = verSz + recipSetSz + recipSz + encContentSeqSz + contentTypeSz +
+              contentEncAlgoSz + ivOctetStringSz + blockSz +
+              encContentOctetSz + encryptedOutSz;
+
+    /* EnvelopedData */
+    envDataSeqSz = SetSequence(totalSz, envDataSeq);
+    totalSz += envDataSeqSz;
+
+    /* outer content */
+    outerContentSz = SetExplicit(0, totalSz, outerContent);
+    totalSz += outerContentTypeSz;
+    totalSz += outerContentSz;
+
+    if (pkcs7->contentOID != FIRMWARE_PKG_DATA) {
+        /* ContentInfo */
+        contentInfoSeqSz = SetSequence(totalSz, contentInfoSeq);
+        totalSz += contentInfoSeqSz;
+    }
+
+    if (totalSz > (int)outputSz) {
+        WOLFSSL_MSG("Pkcs7_encrypt output buffer too small");
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return BUFFER_E;
+    }
+
+    if (pkcs7->contentOID != FIRMWARE_PKG_DATA) {
+        XMEMCPY(output + idx, contentInfoSeq, contentInfoSeqSz);
+        idx += contentInfoSeqSz;
+        XMEMCPY(output + idx, outerContentType, outerContentTypeSz);
+        idx += outerContentTypeSz;
+        XMEMCPY(output + idx, outerContent, outerContentSz);
+        idx += outerContentSz;
+    }
+    XMEMCPY(output + idx, envDataSeq, envDataSeqSz);
+    idx += envDataSeqSz;
+    XMEMCPY(output + idx, ver, verSz);
+    idx += verSz;
+    XMEMCPY(output + idx, recipSet, recipSetSz);
+    idx += recipSetSz;
+    /* copy in recipients from list */
+    tmpRecip = pkcs7->recipList;
+    while (tmpRecip != NULL) {
+        XMEMCPY(output + idx, tmpRecip->recip, tmpRecip->recipSz);
+        idx += tmpRecip->recipSz;
+        tmpRecip = tmpRecip->next;
+    }
+    wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
+    XMEMCPY(output + idx, encContentSeq, encContentSeqSz);
+    idx += encContentSeqSz;
+    XMEMCPY(output + idx, contentType, contentTypeSz);
+    idx += contentTypeSz;
+    XMEMCPY(output + idx, contentEncAlgo, contentEncAlgoSz);
+    idx += contentEncAlgoSz;
+    XMEMCPY(output + idx, ivOctetString, ivOctetStringSz);
+    idx += ivOctetStringSz;
+    XMEMCPY(output + idx, tmpIv, blockSz);
+    idx += blockSz;
+    XMEMCPY(output + idx, encContentOctet, encContentOctetSz);
+    idx += encContentOctetSz;
+    XMEMCPY(output + idx, encryptedContent, encryptedOutSz);
+    idx += encryptedOutSz;
+
+    XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    return idx;
+}
+
+#ifndef NO_RSA
+/* decode KeyTransRecipientInfo (ktri), return 0 on success, <0 on error */
+static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
+                               word32* idx, byte* decryptedKey,
+                               word32* decryptedKeySz, int* recipFound)
+{
+    int length, encryptedKeySz = 0, ret = 0;
+    int keySz, version, sidType = 0;
+    word32 encOID;
+    word32 keyIdx;
+    byte   issuerHash[KEYID_SIZE];
+    byte*  outKey   = NULL;
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+    byte   tag;
+
+
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = *idx;
+    long rc;
+#endif
+#ifdef WC_RSA_BLINDING
+    WC_RNG rng;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* serialNum  = NULL;
+    byte* encryptedKey = NULL;
+    RsaKey* privKey    = NULL;
+#else
+    mp_int serialNum[1];
+    byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
+    RsaKey privKey[1];
+#endif
+
+    switch (pkcs7->state) {
+        case WC_PKCS7_DECRYPT_KTRI:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_VERSION_SZ,
+                            &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                    in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+        #endif
+            if (GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (version == 0) {
+                sidType = CMS_ISSUER_AND_SERIAL_NUMBER;
+            } else if (version == 2) {
+                sidType = CMS_SKID;
+            } else {
+                return ASN_VERSION_E;
+            }
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, 0, sidType, version);
+
+            /* @TODO getting total amount left because of GetInt call later on
+             * this could be optimized to stream better */
+            pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                                pkcs7->stream->totalRd) + pkcs7->stream->length;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_KTRI_2);
+            FALL_THROUGH;
+
+        case WC_PKCS7_DECRYPT_KTRI_2:
+        #ifndef NO_PKCS7_STREAM
+
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, pkcs7->stream->expected,
+                            &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                    in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            wc_PKCS7_StreamGetVar(pkcs7, NULL, &sidType, &version);
+
+            /* @TODO get expected size for next part, does not account for
+             * GetInt call well */
+            if (pkcs7->stream->expected == MAX_SEQ_SZ) {
+                int sz;
+                word32 lidx;
+
+                if (sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+                    lidx = *idx;
+                    ret = GetSequence(pkiMsg, &lidx, &sz, pkiMsgSz);
+                    if (ret < 0)
+                        return ret;
+                }
+                else {
+                    lidx = *idx + ASN_TAG_SZ;
+                    ret = GetLength(pkiMsg, &lidx, &sz, pkiMsgSz);
+                    if (ret < 0)
+                        return ret;
+                }
+
+                pkcs7->stream->expected = sz + MAX_ALGO_SZ + ASN_TAG_SZ +
+                                          MAX_LENGTH_SZ;
+                if (pkcs7->stream->length > 0 &&
+                        pkcs7->stream->length < pkcs7->stream->expected) {
+                    return WC_PKCS7_WANT_READ_E;
+                }
+            }
+        #endif /* !NO_PKCS7_STREAM */
+
+            if (sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
+
+                /* remove IssuerAndSerialNumber */
+                if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (GetNameHash(pkiMsg, idx, issuerHash, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                /* if we found correct recipient, issuer hashes will match */
+                if (XMEMCMP(issuerHash, pkcs7->issuerHash, KEYID_SIZE) == 0) {
+                    *recipFound = 1;
+                }
+
+        #ifdef WOLFSSL_SMALL_STACK
+                serialNum = (mp_int*)XMALLOC(sizeof(mp_int), pkcs7->heap,
+                                             DYNAMIC_TYPE_TMP_BUFFER);
+                if (serialNum == NULL)
+                    return MEMORY_E;
+        #endif
+
+                if (GetInt(serialNum, pkiMsg, idx, pkiMsgSz) < 0) {
+        #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(serialNum, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+                    return ASN_PARSE_E;
+                }
+
+                mp_clear(serialNum);
+
+        #ifdef WOLFSSL_SMALL_STACK
+                XFREE(serialNum, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+
+            } else {
+                /* remove SubjectKeyIdentifier */
+                if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
+                    return ASN_PARSE_E;
+
+                if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (tag != ASN_OCTET_STRING)
+                    return ASN_PARSE_E;
+
+                if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                /* if we found correct recipient, SKID will match */
+                if (XMEMCMP(pkiMsg + (*idx), pkcs7->issuerSubjKeyId,
+                            KEYID_SIZE) == 0) {
+                    *recipFound = 1;
+                }
+                (*idx) += KEYID_SIZE;
+            }
+
+            if (GetAlgoId(pkiMsg, idx, &encOID, oidKeyType, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* key encryption algorithm must be RSA for now */
+            if (encOID != RSAk)
+                return ALGO_ID_E;
+
+            /* read encryptedKey */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (tag != ASN_OCTET_STRING)
+                return ASN_PARSE_E;
+
+            if (GetLength(pkiMsg, idx, &encryptedKeySz, pkiMsgSz) < 0) {
+                return ASN_PARSE_E;
+            }
+            if (encryptedKeySz > MAX_ENCRYPTED_KEY_SZ) {
+               return BUFFER_E;
+            }
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, encryptedKeySz, sidType, version);
+            pkcs7->stream->expected = encryptedKeySz;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_KTRI_3);
+            FALL_THROUGH;
+
+        case WC_PKCS7_DECRYPT_KTRI_3:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+            encryptedKeySz = pkcs7->stream->expected;
+        #endif
+
+        #ifdef WOLFSSL_SMALL_STACK
+            encryptedKey = (byte*)XMALLOC(encryptedKeySz, pkcs7->heap,
+                                          DYNAMIC_TYPE_TMP_BUFFER);
+            if (encryptedKey == NULL)
+                return MEMORY_E;
+        #endif
+
+            if (*recipFound == 1)
+                XMEMCPY(encryptedKey, &pkiMsg[*idx], encryptedKeySz);
+            *idx += encryptedKeySz;
+
+            /* load private key */
+        #ifdef WOLFSSL_SMALL_STACK
+            privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap,
+                DYNAMIC_TYPE_TMP_BUFFER);
+            if (privKey == NULL) {
+                XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                return MEMORY_E;
+            }
+        #endif
+
+            ret = wc_InitRsaKey_ex(privKey, pkcs7->heap, INVALID_DEVID);
+            if (ret != 0) {
+        #ifdef WOLFSSL_SMALL_STACK
+                XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+                return ret;
+            }
+
+            if (pkcs7->privateKey != NULL && pkcs7->privateKeySz > 0) {
+                keyIdx = 0;
+                ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &keyIdx,
+                        privKey, pkcs7->privateKeySz);
+            }
+            else if (pkcs7->devId == INVALID_DEVID) {
+                ret = BAD_FUNC_ARG;
+            }
+            if (ret != 0) {
+                WOLFSSL_MSG("Failed to decode RSA private key");
+                wc_FreeRsaKey(privKey);
+        #ifdef WOLFSSL_SMALL_STACK
+                XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+                return ret;
+            }
+
+            /* decrypt encryptedKey */
+            #ifdef WC_RSA_BLINDING
+            ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+            if (ret == 0) {
+                ret = wc_RsaSetRNG(privKey, &rng);
+            }
+            #endif
+            if (ret == 0) {
+                keySz = wc_RsaPrivateDecryptInline(encryptedKey, encryptedKeySz,
+                                                   &outKey, privKey);
+                #ifdef WC_RSA_BLINDING
+                    wc_FreeRng(&rng);
+                #endif
+            } else {
+                keySz = ret;
+            }
+            wc_FreeRsaKey(privKey);
+
+            if (keySz <= 0 || outKey == NULL) {
+                ForceZero(encryptedKey, encryptedKeySz);
+        #ifdef WOLFSSL_SMALL_STACK
+                XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+                return keySz;
+            } else {
+                *decryptedKeySz = keySz;
+                XMEMCPY(decryptedKey, outKey, keySz);
+                ForceZero(encryptedKey, encryptedKeySz);
+            }
+
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+            ret = 0; /* success */
             break;
 
         default:
-            WOLFSSL_MSG("Unsupported content cipher type");
-            return ALGO_ID_E;
-    };
+            WOLFSSL_MSG("PKCS7 Unknown KTRI decrypt state");
+            ret = BAD_FUNC_ARG;
+    }
 
-    /* outer content type */
-    outerContentTypeSz = wc_SetContentType(ENVELOPED_DATA, outerContentType);
+    return ret;
+}
+#endif /* !NO_RSA */
 
-    /* version, defined as 0 in RFC 2315 */
-    verSz = SetMyVersion(0, ver, 0);
+#ifdef HAVE_ECC
 
-    /* generate random content encryption key */
-    ret = wc_InitRng(&rng);
+/* remove ASN.1 OriginatorIdentifierOrKey, return 0 on success, <0 on error */
+static int wc_PKCS7_KariGetOriginatorIdentifierOrKey(WC_PKCS7_KARI* kari,
+                        byte* pkiMsg, word32 pkiMsgSz, word32* idx)
+{
+    int ret, length;
+    word32 keyOID, oidSum = 0;
+    int curve_id = ECC_CURVE_DEF;
+    byte tag;
+
+    if (kari == NULL || pkiMsg == NULL || idx == NULL)
+        return BAD_FUNC_ARG;
+
+    /* remove OriginatorIdentifierOrKey */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) == 0 &&
+            tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+        if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+            return ASN_PARSE_E;
+
+    } else {
+        return ASN_PARSE_E;
+    }
+
+    /* remove OriginatorPublicKey */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) == 0 &&
+            tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
+        if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+            return ASN_PARSE_E;
+
+    } else {
+        return ASN_PARSE_E;
+    }
+
+    /* remove AlgorithmIdentifier */
+    if (GetAlgoId(pkiMsg, idx, &keyOID, oidKeyType, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (keyOID != ECDSAk)
+        return ASN_PARSE_E;
+
+    /* optional algorithm parameters */
+    ret = GetObjectId(pkiMsg, idx, &oidSum, oidIgnoreType, pkiMsgSz);
+    if (ret == 0) {
+        /* get curve id */
+        curve_id = wc_ecc_get_oid(oidSum, NULL, 0);
+        if (curve_id < 0)
+            return ECC_CURVE_OID_E;
+    }
+
+    /* remove ECPoint BIT STRING */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_BIT_STRING)
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+        return ASN_EXPECT_0_E;
+
+    if (tag != ASN_OTHER_TYPE)
+        return ASN_EXPECT_0_E;
+
+    /* get sender ephemeral public ECDSA key */
+    ret = wc_ecc_init_ex(kari->senderKey, kari->heap, kari->devId);
     if (ret != 0)
         return ret;
 
-    ret = wc_RNG_GenerateBlock(&rng, contentKeyPlain, blockKeySz);
+    kari->senderKeyInit = 1;
+
+    /* length-1 for unused bits counter */
+    ret = wc_ecc_import_x963_ex(pkiMsg + (*idx), length - 1, kari->senderKey,
+            curve_id);
     if (ret != 0) {
-        wc_FreeRng(&rng);
-        return ret;
+        ret = wc_EccPublicKeyDecode(pkiMsg, idx, kari->senderKey, *idx + length - 1);
+        if (ret != 0)
+            return ret;
+    }
+    else {
+        (*idx) += length - 1;
+    }
+
+    return 0;
+}
+
+
+/* remove optional UserKeyingMaterial if available, return 0 on success,
+ * < 0 on error */
+static int wc_PKCS7_KariGetUserKeyingMaterial(WC_PKCS7_KARI* kari,
+                        byte* pkiMsg, word32 pkiMsgSz, word32* idx)
+{
+    int length;
+    word32 savedIdx;
+    byte tag;
+
+    if (kari == NULL || pkiMsg == NULL || idx == NULL)
+        return BAD_FUNC_ARG;
+
+    savedIdx = *idx;
+
+    /* starts with EXPLICIT [1] */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+        *idx = savedIdx;
+        return 0;
+    }
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
+        *idx = savedIdx;
+        return 0;
+    }
+
+    if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) {
+        *idx = savedIdx;
+        return 0;
+    }
+
+    /* get OCTET STRING */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+        *idx = savedIdx;
+        return 0;
+    }
+    if (tag != ASN_OCTET_STRING) {
+        *idx = savedIdx;
+        return 0;
     }
 
+    if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) {
+        *idx = savedIdx;
+        return 0;
+    }
+
+    kari->ukm = NULL;
+    if (length > 0) {
+        kari->ukm = (byte*)XMALLOC(length, kari->heap, DYNAMIC_TYPE_PKCS7);
+        if (kari->ukm == NULL)
+            return MEMORY_E;
+
+        XMEMCPY(kari->ukm, pkiMsg + (*idx), length);
+        kari->ukmOwner = 1;
+    }
+
+    (*idx) += length;
+    kari->ukmSz = length;
+
+    return 0;
+}
+
+
+/* remove ASN.1 KeyEncryptionAlgorithmIdentifier, return 0 on success,
+ * < 0 on error */
+static int wc_PKCS7_KariGetKeyEncryptionAlgorithmId(WC_PKCS7_KARI* kari,
+        byte* pkiMsg, word32 pkiMsgSz, word32* idx,
+        word32* keyAgreeOID, word32* keyWrapOID)
+{
+    int length = 0;
+    word32 localIdx;
+
+    if (kari == NULL || pkiMsg == NULL || idx == NULL ||
+        keyAgreeOID == NULL || keyWrapOID == NULL)
+        return BAD_FUNC_ARG;
+
+    localIdx = *idx;
+
+    /* remove KeyEncryptionAlgorithmIdentifier */
+    if (GetSequence(pkiMsg, &localIdx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    localIdx = *idx;
+    if (GetAlgoId(pkiMsg, &localIdx, keyAgreeOID, oidCmsKeyAgreeType,
+              pkiMsgSz) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (localIdx < *idx + length) {
+        *idx = localIdx;
+    }
+    /* remove KeyWrapAlgorithm, stored in parameter of KeyEncAlgoId */
+    if (GetAlgoId(pkiMsg, idx, keyWrapOID, oidKeyWrapType, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    return 0;
+}
+
+
+/* remove ASN.1 SubjectKeyIdentifier, return 0 on success, < 0 on error
+ * if subject key ID matches, recipFound is set to 1 */
+static int wc_PKCS7_KariGetSubjectKeyIdentifier(WC_PKCS7_KARI* kari,
+                        byte* pkiMsg, word32 pkiMsgSz, word32* idx,
+                        int* recipFound, byte* rid)
+{
+    int length;
+    byte tag;
+
+    if (kari == NULL || pkiMsg == NULL || idx == NULL || recipFound == NULL ||
+            rid == NULL)
+        return BAD_FUNC_ARG;
+
+    /* remove RecipientKeyIdentifier IMPLICIT [0] */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+        if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+            return ASN_PARSE_E;
+
+    } else {
+        return ASN_PARSE_E;
+    }
+
+    /* remove SubjectKeyIdentifier */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+        return ASN_PARSE_E;
+    }
+
+    if (tag != ASN_OCTET_STRING)
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (length != KEYID_SIZE)
+        return ASN_PARSE_E;
+
+    XMEMCPY(rid, pkiMsg + (*idx), KEYID_SIZE);
+    (*idx) += length;
+
+    /* subject key id should match if recipient found */
+    if (XMEMCMP(rid, kari->decoded->extSubjKeyId, KEYID_SIZE) == 0) {
+        *recipFound = 1;
+    }
+
+    return 0;
+}
+
+
+/* remove ASN.1 IssuerAndSerialNumber, return 0 on success, < 0 on error
+ * if issuer and serial number match, recipFound is set to 1 */
+static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari,
+                        byte* pkiMsg, word32 pkiMsgSz, word32* idx,
+                        int* recipFound, byte* rid)
+{
+    int length, ret;
 #ifdef WOLFSSL_SMALL_STACK
-    recip         = (byte*)XMALLOC(MAX_RECIP_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    contentKeyEnc = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL, 
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-    if (contentKeyEnc == NULL || recip == NULL) {
-        if (recip)         XFREE(recip,         NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (contentKeyEnc) XFREE(contentKeyEnc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        wc_FreeRng(&rng);
+    mp_int* serial;
+    mp_int* recipSerial;
+#else
+    mp_int  serial[1];
+    mp_int  recipSerial[1];
+#endif
+
+    if (rid == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* remove IssuerAndSerialNumber */
+    if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (GetNameHash(pkiMsg, idx, rid, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* if we found correct recipient, issuer hashes will match */
+    if (XMEMCMP(rid, kari->decoded->issuerHash, KEYID_SIZE) == 0) {
+        *recipFound = 1;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    serial = (mp_int*)XMALLOC(sizeof(mp_int), kari->heap,
+                              DYNAMIC_TYPE_TMP_BUFFER);
+    if (serial == NULL)
+        return MEMORY_E;
+
+    recipSerial = (mp_int*)XMALLOC(sizeof(mp_int), kari->heap,
+                                   DYNAMIC_TYPE_TMP_BUFFER);
+    if (recipSerial == NULL) {
+        XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
         return MEMORY_E;
     }
-    
 #endif
 
-    /* build RecipientInfo, only handle 1 for now */
-    recipSz = wc_CreateRecipientInfo(pkcs7->singleCert, pkcs7->singleCertSz, RSAk,
-                                  blockKeySz, &rng, contentKeyPlain,
-                                  contentKeyEnc, &contentKeyEncSz, recip,
-                                  MAX_RECIP_SZ);
-                                                                      
-    ForceZero(contentKeyEnc, MAX_ENCRYPTED_KEY_SZ);
-    
+    if (GetInt(serial, pkiMsg, idx, pkiMsgSz) < 0) {
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(contentKeyEnc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,      kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+        return ASN_PARSE_E;
+    }
 
-    if (recipSz < 0) {
-        WOLFSSL_MSG("Failed to create RecipientInfo");
-        wc_FreeRng(&rng);
+    ret = mp_read_unsigned_bin(recipSerial, kari->decoded->serial,
+                             kari->decoded->serialSz);
+    if (ret != MP_OKAY) {
+        mp_clear(serial);
+        WOLFSSL_MSG("Failed to parse CMS recipient serial number");
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,      kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return recipSz;
+        return ret;
     }
-    recipSetSz = SetSet(recipSz, recipSet);
 
-    /* generate IV for block cipher */
-    ret = wc_RNG_GenerateBlock(&rng, tmpIv, DES_BLOCK_SIZE);
-    wc_FreeRng(&rng);
-    if (ret != 0) {
+    if (mp_cmp(recipSerial, serial) != MP_EQ) {
+        mp_clear(serial);
+        mp_clear(recipSerial);
+        WOLFSSL_MSG("CMS serial number does not match recipient");
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+        XFREE(serial,      kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return ret;
+        return PKCS7_RECIP_E;
     }
 
-    /* EncryptedContentInfo */
-    contentTypeSz = wc_SetContentType(pkcs7->contentOID, contentType);
-    if (contentTypeSz == 0) {
+    mp_clear(serial);
+    mp_clear(recipSerial);
+
 #ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+    XFREE(serial,      kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
+
+    return 0;
+}
+
+
+/* remove ASN.1 RecipientEncryptedKeys, return 0 on success, < 0 on error */
+static int wc_PKCS7_KariGetRecipientEncryptedKeys(WC_PKCS7_KARI* kari,
+                        byte* pkiMsg, word32 pkiMsgSz, word32* idx,
+                        int* recipFound, byte* encryptedKey,
+                        int* encryptedKeySz, byte* rid)
+{
+    int length;
+    int ret = 0;
+    byte tag;
+    word32 localIdx;
+
+    if (kari == NULL || pkiMsg == NULL || idx == NULL ||
+        recipFound == NULL || encryptedKey == NULL)
         return BAD_FUNC_ARG;
+
+    /* remove RecipientEncryptedKeys */
+    if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* remove RecipientEncryptedKeys */
+    if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* KeyAgreeRecipientIdentifier is CHOICE of IssuerAndSerialNumber
+     * or [0] IMMPLICIT RecipientKeyIdentifier */
+    localIdx = *idx;
+    if (GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+        /* try to get RecipientKeyIdentifier */
+        ret = wc_PKCS7_KariGetSubjectKeyIdentifier(kari, pkiMsg, pkiMsgSz,
+                                                   idx, recipFound, rid);
+    } else {
+        /* try to get IssuerAndSerialNumber */
+        ret = wc_PKCS7_KariGetIssuerAndSerialNumber(kari, pkiMsg, pkiMsgSz,
+                                                    idx, recipFound, rid);
     }
 
-    /* allocate encrypted content buffer, pad if necessary, PKCS#7 padding */
-    padSz = DES_BLOCK_SIZE - (pkcs7->contentSz % DES_BLOCK_SIZE);
-    desOutSz = pkcs7->contentSz + padSz;
+    /* if we don't have either option, malformed CMS */
+    if (ret != 0)
+        return ret;
+
+    /* remove EncryptedKey */
+    if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_OCTET_STRING)
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* put encrypted CEK in decryptedKey buffer for now, decrypt later */
+    if (length > *encryptedKeySz)
+        return BUFFER_E;
+
+    XMEMCPY(encryptedKey, pkiMsg + (*idx), length);
+    *encryptedKeySz = length;
+    (*idx) += length;
+
+    return 0;
+}
+
+#endif /* HAVE_ECC */
+
+
+int wc_PKCS7_SetOriEncryptCtx(PKCS7* pkcs7, void* ctx)
+{
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    pkcs7->oriEncryptCtx = ctx;
+
+    return 0;
+}
+
+
+int wc_PKCS7_SetOriDecryptCtx(PKCS7* pkcs7, void* ctx)
+{
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    pkcs7->oriDecryptCtx = ctx;
+
+    return 0;
+}
+
+
+int wc_PKCS7_SetOriDecryptCb(PKCS7* pkcs7, CallbackOriDecrypt cb)
+{
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    pkcs7->oriDecryptCb = cb;
+
+    return 0;
+}
+
+
+/* return 0 on success */
+int wc_PKCS7_SetWrapCEKCb(PKCS7* pkcs7, CallbackWrapCEK cb)
+{
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    pkcs7->wrapCEKCb = cb;
+
+    return 0;
+}
+
+/* Decrypt ASN.1 OtherRecipientInfo (ori), as defined by:
+ *
+ *   OtherRecipientInfo ::= SEQUENCE {
+ *     oriType OBJECT IDENTIFIER,
+ *     oriValue ANY DEFINED BY oriType }
+ *
+ * pkcs7          - pointer to initialized PKCS7 structure
+ * pkiMsg         - pointer to encoded CMS bundle
+ * pkiMsgSz       - size of pkiMsg, bytes
+ * idx            - [IN/OUT] pointer to index into pkiMsg
+ * decryptedKey   - [OUT] output buf for decrypted content encryption key
+ * decryptedKeySz - [IN/OUT] size of buffer, size of decrypted key
+ * recipFound     - [OUT] 1 if recipient has been found, 0 if not
+ *
+ * Return 0 on success, negative upon error.
+ */
+static int wc_PKCS7_DecryptOri(PKCS7* pkcs7, byte* in, word32 inSz,
+                               word32* idx, byte* decryptedKey,
+                               word32* decryptedKeySz, int* recipFound)
+{
+    int ret, seqSz, oriOIDSz;
+    word32 oriValueSz, tmpIdx;
+    byte* oriValue;
+    byte oriOID[MAX_OID_SZ];
+
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+#ifndef NO_PKCS7_STREAM
+    word32 stateIdx = *idx;
+    long rc;
+#endif
+
+    if (pkcs7->oriDecryptCb == NULL) {
+        WOLFSSL_MSG("You must register an ORI Decrypt callback");
+        return BAD_FUNC_ARG;
+    }
+
+    switch (pkcs7->state) {
+
+        case WC_PKCS7_DECRYPT_ORI:
+        #ifndef NO_PKCS7_STREAM
+            /* @TODO for now just get full buffer, needs divided up */
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                   (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
+                   pkcs7->stream->length, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            /* get OtherRecipientInfo sequence length */
+            if (GetLength(pkiMsg, idx, &seqSz, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            tmpIdx = *idx;
+
+            /* remove and store oriType OBJECT IDENTIFIER */
+            if (GetASNObjectId(pkiMsg, idx, &oriOIDSz, pkiMsgSz) != 0)
+                return ASN_PARSE_E;
+
+            XMEMCPY(oriOID, pkiMsg + *idx, oriOIDSz);
+            *idx += oriOIDSz;
+
+            /* get oriValue, increment idx */
+            oriValue = pkiMsg + *idx;
+            oriValueSz = seqSz - (*idx - tmpIdx);
+            *idx += oriValueSz;
+
+            /* pass oriOID and oriValue to user callback, expect back
+               decryptedKey and size */
+            ret = pkcs7->oriDecryptCb(pkcs7, oriOID, (word32)oriOIDSz, oriValue,
+                                      oriValueSz, decryptedKey, decryptedKeySz,
+                                      pkcs7->oriDecryptCtx);
+
+            if (ret != 0 || decryptedKey == NULL || *decryptedKeySz == 0) {
+                /* decrypt operation failed */
+                *recipFound = 0;
+                return PKCS7_RECIP_E;
+            }
+
+            /* mark recipFound, since we only support one RecipientInfo for now */
+            *recipFound = 1;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &stateIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+            ret = 0; /* success */
+            break;
+
+        default:
+            WOLFSSL_MSG("PKCS7 ORI unknown state");
+            ret = BAD_FUNC_ARG;
+
+    }
+
+    return ret;
+}
+
+#if !defined(NO_PWDBASED) && !defined(NO_SHA)
+
+/* decode ASN.1 PasswordRecipientInfo (pwri), return 0 on success,
+ * < 0 on error */
+static int wc_PKCS7_DecryptPwri(PKCS7* pkcs7, byte* in, word32 inSz,
+                               word32* idx, byte* decryptedKey,
+                               word32* decryptedKeySz, int* recipFound)
+{
+    byte* salt;
+    byte* cek;
+    byte* kek;
+
+    byte tmpIv[MAX_CONTENT_IV_SIZE];
+
+    int ret = 0, length, saltSz, iterations, blockSz, kekKeySz;
+    int hashOID = WC_SHA; /* default to SHA1 */
+    word32 kdfAlgoId, pwriEncAlgoId, keyEncAlgoId, cekSz;
+    byte* pkiMsg = in;
+    word32 pkiMsgSz = inSz;
+    byte  tag;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = *idx;
+    long rc;
+#endif
+
+    switch (pkcs7->state) {
+        case WC_PKCS7_DECRYPT_PWRI:
+        #ifndef NO_PKCS7_STREAM
+            /*@TODO for now just get full buffer, needs divided up */
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                   (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
+                   pkcs7->stream->length, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            /* remove KeyDerivationAlgorithmIdentifier */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+                return ASN_PARSE_E;
+
+            if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* get KeyDerivationAlgorithmIdentifier */
+            if (wc_GetContentType(pkiMsg, idx, &kdfAlgoId, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* get KDF params SEQ */
+            if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* get KDF salt OCTET STRING */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (tag != ASN_OCTET_STRING)
+                return ASN_PARSE_E;
+
+            if (GetLength(pkiMsg, idx, &saltSz, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            salt = (byte*)XMALLOC(saltSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            if (salt == NULL)
+                return MEMORY_E;
+
+            XMEMCPY(salt, pkiMsg + (*idx), saltSz);
+            *idx += saltSz;
+
+            /* get KDF iterations */
+            if (GetMyVersion(pkiMsg, idx, &iterations, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            /* get KeyEncAlgoId SEQ */
+            if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            /* get KeyEncAlgoId */
+            if (wc_GetContentType(pkiMsg, idx, &keyEncAlgoId, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            /* get pwriEncAlgoId */
+            if (GetAlgoId(pkiMsg, idx, &pwriEncAlgoId, oidBlkType, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            blockSz = wc_PKCS7_GetOIDBlockSize(pwriEncAlgoId);
+            if (blockSz < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return blockSz;
+            }
+
+            /* get content-encryption key size, based on algorithm */
+            kekKeySz = wc_PKCS7_GetOIDKeySize(pwriEncAlgoId);
+            if (kekKeySz < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return kekKeySz;
+            }
+
+            /* get block cipher IV, stored in OPTIONAL parameter of AlgoID */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            if (tag != ASN_OCTET_STRING) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            if (length != blockSz) {
+                WOLFSSL_MSG("Incorrect IV length, must be of content alg block size");
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            XMEMCPY(tmpIv, pkiMsg + (*idx), length);
+            *idx += length;
+
+            /* get EncryptedKey */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            if (tag != ASN_OCTET_STRING) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            /* allocate temporary space for decrypted key */
+            cekSz = length;
+            cek = (byte*)XMALLOC(cekSz, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (cek == NULL) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return MEMORY_E;
+            }
+
+            /* generate KEK */
+            kek = (byte*)XMALLOC(kekKeySz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            if (kek == NULL) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return MEMORY_E;
+            }
+
+            ret = wc_PKCS7_GenerateKEK_PWRI(pkcs7, pkcs7->pass, pkcs7->passSz,
+                                            salt, saltSz, kdfAlgoId, hashOID,
+                                            iterations, kek, kekKeySz);
+            if (ret < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ASN_PARSE_E;
+            }
+
+            /* decrypt CEK with KEK */
+            ret = wc_PKCS7_PwriKek_KeyUnWrap(pkcs7, kek, kekKeySz,
+                                             pkiMsg + (*idx), length, cek,
+                                             cekSz, tmpIv, blockSz,
+                                             pwriEncAlgoId);
+            if (ret < 0) {
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ret;
+            }
+            cekSz = ret;
+
+            if (*decryptedKeySz < cekSz) {
+                WOLFSSL_MSG("Decrypted key buffer too small for CEK");
+                XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return BUFFER_E;
+            }
+
+            XMEMCPY(decryptedKey, cek, cekSz);
+            *decryptedKeySz = cekSz;
+
+            XFREE(salt, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(kek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(cek, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+            /* mark recipFound, since we only support one RecipientInfo for now */
+            *recipFound = 1;
+            *idx += length;
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+            ret = 0; /* success */
+            break;
+
+        default:
+            WOLFSSL_MSG("PKCS7 PWRI unknown state");
+            ret = BAD_FUNC_ARG;
+    }
+
+    return ret;
+}
+
+#endif /* NO_PWDBASED | NO_SHA */
+
+/* decode ASN.1 KEKRecipientInfo (kekri), return 0 on success,
+ * < 0 on error */
+static int wc_PKCS7_DecryptKekri(PKCS7* pkcs7, byte* in, word32 inSz,
+                               word32* idx, byte* decryptedKey,
+                               word32* decryptedKeySz, int* recipFound)
+{
+    int length, keySz, dateLen, direction;
+    byte* keyId = NULL;
+    const byte* datePtr = NULL;
+    byte  dateFormat, tag;
+    word32 keyIdSz, kekIdSz, keyWrapOID, localIdx;
+
+    int ret = 0;
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = *idx;
+    long rc;
+#endif
+
+    WOLFSSL_ENTER("wc_PKCS7_DecryptKekri");
+    switch (pkcs7->state) {
+        case WC_PKCS7_DECRYPT_KEKRI:
+        #ifndef NO_PKCS7_STREAM
+            /* @TODO for now just get full buffer, needs divided up */
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                   (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
+                   pkcs7->stream->length, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            /* remove KEKIdentifier */
+            if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            kekIdSz = length;
+
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (tag != ASN_OCTET_STRING)
+                return ASN_PARSE_E;
+
+            if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* save keyIdentifier and length */
+            keyId = pkiMsg + *idx;
+            keyIdSz = length;
+            *idx += keyIdSz;
+
+            /* may have OPTIONAL GeneralizedTime */
+            localIdx = *idx;
+            if ((*idx < kekIdSz) && GetASNTag(pkiMsg, &localIdx, &tag,
+                        pkiMsgSz) == 0 && tag == ASN_GENERALIZED_TIME) {
+                if (wc_GetDateInfo(pkiMsg + *idx, pkiMsgSz, &datePtr, &dateFormat,
+                                   &dateLen) != 0) {
+                    return ASN_PARSE_E;
+                }
+                *idx += (dateLen + 1);
+            }
+
+            /* may have OPTIONAL OtherKeyAttribute */
+            localIdx = *idx;
+            if ((*idx < kekIdSz) && GetASNTag(pkiMsg, &localIdx, &tag,
+                            pkiMsgSz) == 0 && tag == (ASN_SEQUENCE |
+                            ASN_CONSTRUCTED)) {
+                if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                /* skip it */
+                *idx += length;
+            }
+
+            /* get KeyEncryptionAlgorithmIdentifier */
+            if (GetAlgoId(pkiMsg, idx, &keyWrapOID, oidKeyWrapType, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            /* get EncryptedKey */
+            if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            if (tag != ASN_OCTET_STRING)
+                return ASN_PARSE_E;
+
+            if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                return ASN_PARSE_E;
+
+            #ifndef NO_AES
+                direction = AES_DECRYPTION;
+            #else
+                direction = DES_DECRYPTION;
+            #endif
+
+            /* decrypt CEK with KEK */
+            if (pkcs7->wrapCEKCb) {
+                keySz = pkcs7->wrapCEKCb(pkcs7, pkiMsg + *idx, length, keyId,
+                                     keyIdSz, NULL, 0, decryptedKey,
+                                     *decryptedKeySz, keyWrapOID,
+                                     (int)PKCS7_KEKRI, direction);
+            }
+            else {
+                keySz = wc_PKCS7_KeyWrap(pkiMsg + *idx, length, pkcs7->privateKey,
+                                     pkcs7->privateKeySz, decryptedKey, *decryptedKeySz,
+                                     keyWrapOID, direction);
+            }
+            if (keySz <= 0)
+                return keySz;
+
+            *decryptedKeySz = (word32)keySz;
+
+            /* mark recipFound, since we only support one RecipientInfo for now */
+            *recipFound = 1;
+            *idx += length;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+            ret = 0; /* success */
+            break;
+
+        default:
+            WOLFSSL_MSG("PKCS7 KEKRI unknown state");
+            ret = BAD_FUNC_ARG;
+
+    }
+
+    (void)keyId;
+    return ret;
+}
+
+
+/* decode ASN.1 KeyAgreeRecipientInfo (kari), return 0 on success,
+ * < 0 on error */
+static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
+                               word32* idx, byte* decryptedKey,
+                               word32* decryptedKeySz, int* recipFound)
+{
+#ifdef HAVE_ECC
+    int ret, keySz;
+    int encryptedKeySz;
+    int direction = 0;
+    word32 keyAgreeOID, keyWrapOID;
+    byte rid[KEYID_SIZE];
 
-    if (padSz != 0) {
-        plain = (byte*)XMALLOC(desOutSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (plain == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+    byte* encryptedKey;
+#else
+    byte  encryptedKey[MAX_ENCRYPTED_KEY_SZ];
 #endif
-            return MEMORY_E;
-        }
-        XMEMCPY(plain, pkcs7->content, pkcs7->contentSz);
-        dynamicFlag = 1;
 
-        for (i = 0; i < padSz; i++) {
-            plain[pkcs7->contentSz + i] = padSz;
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = (idx) ? *idx : 0;
+    long rc;
+#endif
+
+    WOLFSSL_ENTER("wc_PKCS7_DecryptKari");
+    if (pkcs7 == NULL || pkiMsg == NULL ||
+            ((pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) &&
+              pkcs7->wrapCEKCb == NULL) ||
+        idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    switch (pkcs7->state) {
+        case WC_PKCS7_DECRYPT_KARI: {
+        #ifndef NO_PKCS7_STREAM
+            /* @TODO for now just get full buffer, needs divided up */
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                   (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
+                   pkcs7->stream->length, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            WC_PKCS7_KARI* kari;
+
+            kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_DECODE);
+            if (kari == NULL)
+                return MEMORY_E;
+
+        #ifdef WOLFSSL_SMALL_STACK
+            encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                          DYNAMIC_TYPE_PKCS7);
+            if (encryptedKey == NULL) {
+                wc_PKCS7_KariFree(kari);
+                return MEMORY_E;
+            }
+        #endif
+            encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+
+            /* parse cert and key */
+            if (pkcs7->singleCert != NULL) {
+                ret = wc_PKCS7_KariParseRecipCert(kari, (byte*)pkcs7->singleCert,
+                                              pkcs7->singleCertSz, pkcs7->privateKey,
+                                              pkcs7->privateKeySz);
+                if (ret != 0) {
+                    wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                    return ret;
+                }
+            }
+
+            /* remove OriginatorIdentifierOrKey */
+            ret = wc_PKCS7_KariGetOriginatorIdentifierOrKey(kari, pkiMsg,
+                                                            pkiMsgSz, idx);
+            if (ret != 0) {
+                wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                return ret;
+            }
+
+            /* try and remove optional UserKeyingMaterial */
+            ret = wc_PKCS7_KariGetUserKeyingMaterial(kari, pkiMsg, pkiMsgSz, idx);
+            if (ret != 0) {
+                wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                return ret;
+            }
+
+            /* remove KeyEncryptionAlgorithmIdentifier */
+            ret = wc_PKCS7_KariGetKeyEncryptionAlgorithmId(kari, pkiMsg,
+                    pkiMsgSz, idx, &keyAgreeOID, &keyWrapOID);
+            if (ret != 0) {
+                wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                return ret;
+            }
+
+            /* if user has not explicitly set keyAgreeOID, set from one in bundle */
+            if (pkcs7->keyAgreeOID == 0)
+                pkcs7->keyAgreeOID = keyAgreeOID;
+
+            /* set direction based on key wrap algorithm */
+            switch (keyWrapOID) {
+        #ifndef NO_AES
+            #ifdef WOLFSSL_AES_128
+                case AES128_WRAP:
+            #endif
+            #ifdef WOLFSSL_AES_192
+                case AES192_WRAP:
+            #endif
+            #ifdef WOLFSSL_AES_256
+                case AES256_WRAP:
+            #endif
+                    direction = AES_DECRYPTION;
+                    break;
+        #endif
+                default:
+                    WOLFSSL_MSG("AES key wrap algorithm unsupported");
+                    if (pkcs7->wrapCEKCb) {
+                        WOLFSSL_MSG("Direction not set!");
+                        break; /* if unwrapping callback is set then do not
+                                * force restriction of supported wrap
+                                * algorithms */
+                    }
+
+                    wc_PKCS7_KariFree(kari);
+                    #ifdef WOLFSSL_SMALL_STACK
+                        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                    #endif
+                    return BAD_KEYWRAP_ALG_E;
+            }
+
+            /* remove RecipientEncryptedKeys */
+            ret = wc_PKCS7_KariGetRecipientEncryptedKeys(kari, pkiMsg, pkiMsgSz,
+                           idx, recipFound, encryptedKey, &encryptedKeySz, rid);
+            if (ret != 0) {
+                wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                return ret;
+            }
+
+            /* decrypt CEK with KEK */
+            if (pkcs7->wrapCEKCb) {
+                word32 tmpKeySz = 0;
+                byte* tmpKeyDer = NULL;
+
+                ret = wc_ecc_export_x963(kari->senderKey, NULL, &tmpKeySz);
+                if (ret != LENGTH_ONLY_E) {
+                    return ret;
+                }
+
+                /* buffer space for algorithm/curve */
+                tmpKeySz += MAX_SEQ_SZ;
+                tmpKeySz += 2 * MAX_ALGO_SZ;
+
+                /* buffer space for public key sequence */
+                tmpKeySz += MAX_SEQ_SZ;
+                tmpKeySz += TRAILING_ZERO;
+
+                tmpKeyDer = (byte*)XMALLOC(tmpKeySz, pkcs7->heap,
+                        DYNAMIC_TYPE_TMP_BUFFER);
+                if (tmpKeyDer == NULL) {
+                    return MEMORY_E;
+                }
+
+                ret = wc_EccPublicKeyToDer(kari->senderKey, tmpKeyDer,
+                                         tmpKeySz, 1);
+                if (ret < 0) {
+                    XFREE(tmpKeyDer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    return ret;
+                }
+                tmpKeySz = (word32)ret;
+
+                keySz = pkcs7->wrapCEKCb(pkcs7, encryptedKey, encryptedKeySz,
+                        rid, KEYID_SIZE, tmpKeyDer, tmpKeySz,
+                        decryptedKey, *decryptedKeySz,
+                        keyWrapOID, (int)PKCS7_KARI, direction);
+                XFREE(tmpKeyDer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+                if (keySz  > 0) {
+                    /* If unwrapping was successful then consider recipient
+                     * found. Checking for NULL singleCert to confirm previous
+                     * SID check was not done */
+                    if (pkcs7->singleCert == NULL)
+                        *recipFound = 1;
+                }
+            }
+            else {
+                /* create KEK */
+                ret = wc_PKCS7_KariGenerateKEK(kari, keyWrapOID, pkcs7->keyAgreeOID);
+                if (ret != 0) {
+                    wc_PKCS7_KariFree(kari);
+                    #ifdef WOLFSSL_SMALL_STACK
+                        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                    #endif
+                    return ret;
+                }
+
+                /* decrypt CEK with KEK */
+                keySz = wc_PKCS7_KeyWrap(encryptedKey, encryptedKeySz, kari->kek,
+                                         kari->kekSz, decryptedKey, *decryptedKeySz,
+                                         keyWrapOID, direction);
+            }
+            if (keySz <= 0) {
+                wc_PKCS7_KariFree(kari);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                #endif
+                return keySz;
+            }
+            *decryptedKeySz = (word32)keySz;
+
+            wc_PKCS7_KariFree(kari);
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            #endif
+            #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+            #endif
+            ret = 0; /* success */
         }
+        break;
+
+        default:
+            WOLFSSL_MSG("PKCS7 kari unknown state");
+            ret = BAD_FUNC_ARG;
 
-    } else {
-        plain = pkcs7->content;
-        desOutSz = pkcs7->contentSz;
     }
 
-    encryptedContent = (byte*)XMALLOC(desOutSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (encryptedContent == NULL) {
-        if (dynamicFlag)
-            XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+    (void)pkiMsg;
+    (void)pkiMsgSz;
+
+    return ret;
+#else
+    (void)in;
+    (void)inSz;
+    (void)pkcs7;
+    (void)idx;
+    (void)decryptedKey;
+    (void)decryptedKeySz;
+    (void)recipFound;
+
+    return NOT_COMPILED_IN;
+#endif /* HAVE_ECC */
+}
+
+
+/* decode ASN.1 RecipientInfos SET, return 0 on success, < 0 on error */
+static int wc_PKCS7_DecryptRecipientInfos(PKCS7* pkcs7, byte* in,
+                            word32  inSz, word32* idx, byte* decryptedKey,
+                            word32* decryptedKeySz, int* recipFound)
+{
+    word32 savedIdx;
+    int version, ret = 0, length;
+    byte* pkiMsg = in;
+    word32 pkiMsgSz = inSz;
+    byte  tag;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx;
+    long rc;
 #endif
-        return MEMORY_E;
+
+    if (pkcs7 == NULL || pkiMsg == NULL || idx == NULL ||
+        decryptedKey == NULL || decryptedKeySz == NULL ||
+        recipFound == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-    /* put together IV OCTET STRING */
-    ivOctetStringSz = SetOctetString(DES_BLOCK_SIZE, ivOctetString);
+    WOLFSSL_ENTER("wc_PKCS7_DecryptRecipientInfos");
+#ifndef NO_PKCS7_STREAM
+    tmpIdx = *idx;
+#endif
 
-    /* build up our ContentEncryptionAlgorithmIdentifier sequence,
-     * adding (ivOctetStringSz + DES_BLOCK_SIZE) for IV OCTET STRING */
-    contentEncAlgoSz = SetAlgoID(pkcs7->encryptOID, contentEncAlgo,
-                                 blkType, ivOctetStringSz + DES_BLOCK_SIZE);
+    /* check if in the process of decrypting */
+    switch (pkcs7->state) {
+        case WC_PKCS7_DECRYPT_KTRI:
+        case WC_PKCS7_DECRYPT_KTRI_2:
+        case WC_PKCS7_DECRYPT_KTRI_3:
+        #ifndef NO_RSA
+            ret = wc_PKCS7_DecryptKtri(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz, recipFound);
+        #else
+            return NOT_COMPILED_IN;
+        #endif
+            break;
 
-    if (contentEncAlgoSz == 0) {
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (dynamicFlag)
-            XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+        case WC_PKCS7_DECRYPT_KARI:
+                ret = wc_PKCS7_DecryptKari(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz, recipFound);
+                break;
+
+        case WC_PKCS7_DECRYPT_KEKRI:
+                ret = wc_PKCS7_DecryptKekri(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz, recipFound);
+                break;
+
+        case WC_PKCS7_DECRYPT_PWRI:
+        #if !defined(NO_PWDBASED) && !defined(NO_SHA)
+                ret = wc_PKCS7_DecryptPwri(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz, recipFound);
+        #else
+                return NOT_COMPILED_IN;
+        #endif
+                break;
+
+        case WC_PKCS7_DECRYPT_ORI:
+            ret = wc_PKCS7_DecryptOri(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz, recipFound);
+            break;
+
+        default:
+            /* not in decrypting state */
+            break;
+    }
+
+    if (ret < 0) {
+        return ret;
+    }
+
+    savedIdx = *idx;
+#ifndef NO_PKCS7_STREAM
+    rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz);
+    if (rc < 0) {
+        return (int)rc;
+    }
+    pkiMsgSz = (word32)rc;
+    if (pkcs7->stream->length > 0)
+        pkiMsg = pkcs7->stream->buffer;
+#endif
+
+    /* when looking for next recipient, use first sequence and version to
+     * indicate there is another, if not, move on */
+    while(*recipFound == 0) {
+
+        /* remove RecipientInfo, if we don't have a SEQUENCE, back up idx to
+         * last good saved one */
+        if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) > 0) {
+
+        #ifndef NO_RSA
+            /* found ktri */
+            #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+            #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_KTRI);
+            ret = wc_PKCS7_DecryptKtri(pkcs7, in, inSz, idx,
+                                      decryptedKey, decryptedKeySz,
+                                      recipFound);
+            if (ret != 0)
+                return ret;
+        #else
+            return NOT_COMPILED_IN;
+        #endif
+        }
+        else {
+            word32 localIdx;
+            /* kari is IMPLICIT[1] */
+            *idx = savedIdx;
+            localIdx = *idx;
+
+            if (GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) != 0) {
+                /* no room for recipient info */
+                break;
+            }
+
+            if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
+                (*idx)++;
+                if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0) {
+                    *idx = savedIdx;
+                    break;
+                }
+
+                if (version != 3)
+                    return ASN_VERSION_E;
+
+                /* found kari */
+            #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+                }
+            #endif
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_KARI);
+                ret = wc_PKCS7_DecryptKari(pkcs7, in, inSz, idx,
+                                          decryptedKey, decryptedKeySz,
+                                          recipFound);
+                if (ret != 0)
+                    return ret;
+
+            /* kekri is IMPLICIT[2] */
+            } else if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2)) {
+                (*idx)++;
+
+                if (GetLength(pkiMsg, idx, &version, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0) {
+                    *idx = savedIdx;
+                    break;
+                }
+
+                if (version != 4)
+                    return ASN_VERSION_E;
+
+                /* found kekri */
+            #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+                }
+            #endif
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_KEKRI);
+                ret = wc_PKCS7_DecryptKekri(pkcs7, in, inSz, idx,
+                                           decryptedKey, decryptedKeySz,
+                                           recipFound);
+                if (ret != 0)
+                    return ret;
+
+            /* pwri is IMPLICIT[3] */
+            } else if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 3)) {
+        #if !defined(NO_PWDBASED) && !defined(NO_SHA)
+                (*idx)++;
+
+                if (GetLength(pkiMsg, idx, &version, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+
+                if (GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0) {
+                    *idx = savedIdx;
+                    break;
+                }
+
+                if (version != 0)
+                    return ASN_VERSION_E;
+
+                /* found pwri */
+            #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+                }
+            #endif
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_PWRI);
+                ret = wc_PKCS7_DecryptPwri(pkcs7, in, inSz, idx,
+                                           decryptedKey, decryptedKeySz,
+                                           recipFound);
+                if (ret != 0)
+                    return ret;
+        #else
+                return NOT_COMPILED_IN;
+        #endif
+
+            /* ori is IMPLICIT[4] */
+            } else if (tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 4)) {
+                (*idx)++;
+
+                /* found ori */
+            #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+                }
+            #endif
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_DECRYPT_ORI);
+                ret = wc_PKCS7_DecryptOri(pkcs7, in, inSz, idx,
+                                          decryptedKey, decryptedKeySz,
+                                          recipFound);
+                if (ret != 0)
+                    return ret;
+
+            } else {
+                /* failed to find RecipientInfo, restore idx and continue */
+                *idx = savedIdx;
+                break;
+            }
+        }
+
+        /* update good idx */
+        savedIdx = *idx;
+    }
+
+    return ret;
+}
+
+
+/* Parse encoded EnvelopedData bundle up to RecipientInfo set.
+ *
+ * return size of RecipientInfo SET on success, negative upon error */
+static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in,
+                                            word32 inSz, word32* idx,
+                                            int type)
+{
+    int version = 0, length, ret = 0;
+    word32 contentType;
+    byte* pkiMsg = in;
+    word32 pkiMsgSz = inSz;
+    byte  tag;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = 0;
+    long rc;
 #endif
+
+    if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0 || idx == NULL)
+        return BAD_FUNC_ARG;
+
+    if ((type != ENVELOPED_DATA) && (type != AUTH_ENVELOPED_DATA) &&
+            pkcs7->contentOID != FIRMWARE_PKG_DATA)
         return BAD_FUNC_ARG;
+
+#ifndef NO_PKCS7_STREAM
+    if (pkcs7->stream == NULL) {
+        if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) {
+            return ret;
+        }
     }
+#endif
 
-    /* encrypt content */
-    if (pkcs7->encryptOID == DESb) {
-        Des des;
+    switch (pkcs7->state) {
+        case WC_PKCS7_INFOSET_START:
+        case WC_PKCS7_INFOSET_BER:
+        case WC_PKCS7_INFOSET_STAGE1:
+        case WC_PKCS7_INFOSET_STAGE2:
+        case WC_PKCS7_INFOSET_END:
+            break;
 
-        ret = wc_Des_SetKey(&des, contentKeyPlain, tmpIv, DES_ENCRYPTION);
+        default:
+            WOLFSSL_MSG("Warning, setting PKCS7 info state to start");
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_START);
+    }
 
-        if (ret == 0)
-            wc_Des_CbcEncrypt(&des, encryptedContent, plain, desOutSz);
+    switch (pkcs7->state) {
+        case WC_PKCS7_INFOSET_START:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
+                            ASN_TAG_SZ, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
 
-        if (ret != 0) {
-            XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            if (dynamicFlag)
-                XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+            rc  = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            /* read past ContentInfo, verify type is envelopedData */
+            if (ret == 0 && GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+            {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && length == 0 && pkiMsg[(*idx)-1] == 0x80) {
+        #ifdef ASN_BER_TO_DER
+                word32 len;
+
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_BER);
+                FALL_THROUGH;
+
+                /* full buffer is needed for conversion */
+                case WC_PKCS7_INFOSET_BER:
+                #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->maxLen - pkcs7->stream->length,
+                            &pkiMsg, idx)) != 0) {
+                    return ret;
+                }
+
+                rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                        in, inSz);
+                if (rc < 0) {
+                    ret = (int)rc;
+                    break;
+                }
+                pkiMsgSz = (word32)rc;
+                #endif
+
+                len = 0;
+
+                ret = wc_BerToDer(pkiMsg, pkiMsgSz, NULL, &len);
+                if (ret != LENGTH_ONLY_E)
+                    return ret;
+                pkcs7->der = (byte*)XMALLOC(len, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                if (pkcs7->der == NULL)
+                    return MEMORY_E;
+                ret = wc_BerToDer(pkiMsg, pkiMsgSz, pkcs7->der, &len);
+                if (ret < 0)
+                    return ret;
+
+                pkiMsg = in = pkcs7->der;
+                pkiMsgSz = pkcs7->derSz = len;
+                *idx = 0;
+
+                if (GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    return ASN_PARSE_E;
+        #else
+                return BER_INDEF_E;
+        #endif
+            }
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_STAGE1);
+            FALL_THROUGH;
+
+        case WC_PKCS7_INFOSET_STAGE1:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_OID_SZ +
+                            MAX_LENGTH_SZ + ASN_TAG_SZ, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length :inSz;
+        #endif
+            if (pkcs7->contentOID != FIRMWARE_PKG_DATA ||
+                    type == AUTH_ENVELOPED_DATA) {
+                if (ret == 0 && wc_GetContentType(pkiMsg, idx, &contentType,
+                            pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0) {
+                    if (type == ENVELOPED_DATA && contentType != ENVELOPED_DATA) {
+                        WOLFSSL_MSG("PKCS#7 input not of type EnvelopedData");
+                        ret = PKCS7_OID_E;
+                    } else if (type == AUTH_ENVELOPED_DATA &&
+                           contentType != AUTH_ENVELOPED_DATA) {
+                        WOLFSSL_MSG("PKCS#7 input not of type AuthEnvelopedData");
+                        ret = PKCS7_OID_E;
+                    }
+                }
+
+                if (ret == 0 && GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) != 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC
+                            | 0))
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && GetLength_ex(pkiMsg, idx, &length, pkiMsgSz,
+                            NO_USER_CHECK) < 0)
+                    ret = ASN_PARSE_E;
+            }
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                    break;
+            }
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_STAGE2);
+            FALL_THROUGH;
+
+        case WC_PKCS7_INFOSET_STAGE2:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
+                            MAX_VERSION_SZ, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            /* remove EnvelopedData and version */
+            if (pkcs7->contentOID != FIRMWARE_PKG_DATA ||
+                    type == AUTH_ENVELOPED_DATA) {
+                if (ret == 0 && GetSequence(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+
+            pkcs7->stream->varOne = version;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_END);
+            FALL_THROUGH;
+
+        case WC_PKCS7_INFOSET_END:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            MAX_SET_SZ, &pkiMsg, idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+            version = pkcs7->stream->varOne;
+        #endif
+
+            if (type == ENVELOPED_DATA) {
+                /* TODO :: make this more accurate */
+                if ((pkcs7->publicKeyOID == RSAk &&
+                     (version != 0 && version != 2))
+                #ifdef HAVE_ECC
+                        || (pkcs7->publicKeyOID == ECDSAk &&
+                            (version != 0 && version != 2 && version != 3))
+                #endif
+                        ) {
+                    WOLFSSL_MSG("PKCS#7 envelopedData version incorrect");
+                    ret = ASN_VERSION_E;
+                }
+            } else {
+                /* AuthEnvelopedData version MUST be 0 */
+                if (version != 0) {
+                    WOLFSSL_MSG("PKCS#7 AuthEnvelopedData needs to be of version 0");
+                    ret = ASN_VERSION_E;
+                }
+            }
+
+            /* remove RecipientInfo set, get length of set */
+            if (ret == 0 && GetSet(pkiMsg, idx, &length, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) {
+                break;
+            }
+        #endif
+
+            if (ret == 0)
+                ret = length;
+
+            break;
+
+        default:
+            WOLFSSL_MSG("Bad PKCS7 info set state");
+            ret = BAD_FUNC_ARG;
+            break;
+    }
+
+    return ret;
+}
+
+
+/* Import secret/private key into a PKCS7 structure. Used for setting
+ * the secret key for decryption a EnvelopedData KEKRI RecipientInfo.
+ *
+ * Returns 0 on success, negative upon error */
+WOLFSSL_API int wc_PKCS7_SetKey(PKCS7* pkcs7, byte* key, word32 keySz)
+{
+    if (pkcs7 == NULL || key == NULL || keySz == 0)
+        return BAD_FUNC_ARG;
+
+    pkcs7->privateKey = key;
+    pkcs7->privateKeySz = keySz;
+
+    return 0;
+}
+
+
+/* append data to encrypted content cache in PKCS7 structure
+ * return 0 on success, negative on error */
+static int PKCS7_CacheEncryptedContent(PKCS7* pkcs7, byte* in, word32 inSz)
+{
+    byte* oldCache;
+    word32 oldCacheSz;
+
+    if (pkcs7 == NULL || in == NULL)
+        return BAD_FUNC_ARG;
+
+    /* save pointer to old cache */
+    oldCache = pkcs7->cachedEncryptedContent;
+    oldCacheSz = pkcs7->cachedEncryptedContentSz;
+
+    /* re-allocate new buffer to fit appended data */
+    pkcs7->cachedEncryptedContent = (byte*)XMALLOC(oldCacheSz + inSz,
+            pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (pkcs7->cachedEncryptedContent == NULL) {
+        pkcs7->cachedEncryptedContentSz = 0;
+        XFREE(oldCache, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    if (oldCache != NULL) {
+        XMEMCPY(pkcs7->cachedEncryptedContent, oldCache, oldCacheSz);
+    }
+    XMEMCPY(pkcs7->cachedEncryptedContent + oldCacheSz, in, inSz);
+    pkcs7->cachedEncryptedContentSz += inSz;
+
+    XFREE(oldCache, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    return 0;
+}
+
+
+/* unwrap and decrypt PKCS#7 envelopedData object, return decoded size */
+WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
+                                         word32 inSz, byte* output,
+                                         word32 outputSz)
+{
+    int recipFound = 0;
+    int ret, length = 0;
+    word32 idx = 0;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = 0;
+    long rc;
 #endif
+    word32 contentType, encOID = 0;
+    word32 decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+
+    int expBlockSz = 0, blockKeySz = 0;
+    byte  tmpIvBuf[MAX_CONTENT_IV_SIZE];
+    byte* tmpIv = tmpIvBuf;
+
+    byte* pkiMsg    = in;
+    word32 pkiMsgSz = inSz;
+    byte* decryptedKey = NULL;
+    int encryptedContentTotalSz = 0;
+    int encryptedContentSz = 0;
+    byte padLen;
+    byte* encryptedContent = NULL;
+    int explicitOctet = 0;
+    word32 localIdx;
+    byte   tag;
+
+    if (pkcs7 == NULL)
+        return BAD_FUNC_ARG;
+
+    if (pkiMsg == NULL || pkiMsgSz == 0 ||
+        output == NULL || outputSz == 0)
+        return BAD_FUNC_ARG;
+
+#ifndef NO_PKCS7_STREAM
+    (void)tmpIv; /* help out static analysis */
+    if (pkcs7->stream == NULL) {
+        if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) {
             return ret;
         }
     }
-    else if (pkcs7->encryptOID == DES3b) {
-        Des3 des3;
+#endif
 
-        ret = wc_Des3_SetKey(&des3, contentKeyPlain, tmpIv, DES_ENCRYPTION);
+    switch (pkcs7->state) {
+        case WC_PKCS7_START:
+        case WC_PKCS7_INFOSET_START:
+        case WC_PKCS7_INFOSET_BER:
+        case WC_PKCS7_INFOSET_STAGE1:
+        case WC_PKCS7_INFOSET_STAGE2:
+        case WC_PKCS7_INFOSET_END:
+            ret = wc_PKCS7_ParseToRecipientInfoSet(pkcs7, pkiMsg, pkiMsgSz,
+                    &idx, ENVELOPED_DATA);
+            if (ret < 0) {
+                break;
+            }
 
-        if (ret == 0)
-            ret = wc_Des3_CbcEncrypt(&des3, encryptedContent, plain, desOutSz);
+        #ifdef ASN_BER_TO_DER
+            /* check if content was BER and has been converted to DER */
+            if (pkcs7->derSz > 0)
+                pkiMsg = in = pkcs7->der;
+        #endif
 
-        if (ret != 0) {
-            XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            if (dynamicFlag)
-                XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
+            decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                                       DYNAMIC_TYPE_PKCS7);
+            if (decryptedKey == NULL)
+                return MEMORY_E;
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_2);
+        #ifndef NO_PKCS7_STREAM
+            tmpIdx = idx;
+            pkcs7->stream->aad = decryptedKey;
+        #endif
+            FALL_THROUGH;
+
+        case WC_PKCS7_ENV_2:
+        #ifndef NO_PKCS7_STREAM
+            /* store up enough buffer for initial info set decode */
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                            MAX_VERSION_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+        #endif
+            FALL_THROUGH;
+
+        case WC_PKCS7_DECRYPT_KTRI:
+        case WC_PKCS7_DECRYPT_KTRI_2:
+        case WC_PKCS7_DECRYPT_KTRI_3:
+        case WC_PKCS7_DECRYPT_KARI:
+        case WC_PKCS7_DECRYPT_KEKRI:
+        case WC_PKCS7_DECRYPT_PWRI:
+        case WC_PKCS7_DECRYPT_ORI:
+        #ifndef NO_PKCS7_STREAM
+            decryptedKey   = pkcs7->stream->aad;
+            decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+        #endif
+
+            ret = wc_PKCS7_DecryptRecipientInfos(pkcs7, in, inSz, &idx,
+                                        decryptedKey, &decryptedKeySz,
+                                        &recipFound);
+            if (ret == 0 && recipFound == 0) {
+                WOLFSSL_MSG("No recipient found in envelopedData that matches input");
+                ret = PKCS7_RECIP_E;
+            }
+
+            if (ret != 0)
+                break;
+        #ifndef NO_PKCS7_STREAM
+            tmpIdx               = idx;
+            pkcs7->stream->aadSz = decryptedKeySz;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_3);
+            FALL_THROUGH;
+
+        case WC_PKCS7_ENV_3:
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                                                MAX_VERSION_SZ + ASN_TAG_SZ +
+                                                MAX_LENGTH_SZ, &pkiMsg, &idx))
+                                                != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #else
+            ret = 0;
+        #endif
+
+            /* remove EncryptedContentInfo */
+            if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType,
+                        pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType,
+                        pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            blockKeySz = wc_PKCS7_GetOIDKeySize(encOID);
+            if (ret == 0 && blockKeySz < 0) {
+                ret = blockKeySz;
+            }
+
+            expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID);
+            if (ret == 0 && expBlockSz < 0) {
+                ret = expBlockSz;
+            }
+
+            /* get block cipher IV, stored in OPTIONAL parameter of AlgoID */
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) != 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && tag != ASN_OCTET_STRING) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && length != expBlockSz) {
+                WOLFSSL_MSG("Incorrect IV length, must be of content alg block size");
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret != 0)
+                break;
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, encOID, expBlockSz, length);
+            pkcs7->stream->contentSz = blockKeySz;
+            pkcs7->stream->expected = length + MAX_LENGTH_SZ + MAX_LENGTH_SZ +
+                ASN_TAG_SZ + ASN_TAG_SZ;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_4);
+            FALL_THROUGH;
+
+        case WC_PKCS7_ENV_4:
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            wc_PKCS7_StreamGetVar(pkcs7, 0, 0, &length);
+            tmpIv = pkcs7->stream->tmpIv;
+            if (tmpIv == NULL) {
+                /* check added to help out static analysis tool */
+                ret = MEMORY_E;
+                break;
+            }
+        #else
+            ret = 0;
+        #endif
+
+            XMEMCPY(tmpIv, &pkiMsg[idx], length);
+            idx += length;
+
+            explicitOctet = 0;
+            localIdx = idx;
+            if (GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) == 0 &&
+                    tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) {
+                explicitOctet = 1;
+            }
+
+            /* read encryptedContent, cont[0] */
+            if (tag != (ASN_CONTEXT_SPECIFIC | 0) &&
+                          tag != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) {
+                ret = ASN_PARSE_E;
+            }
+            idx++;
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentTotalSz,
+                                                               pkiMsgSz) <= 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret != 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+            pkcs7->stream->expected = encryptedContentTotalSz;
+            wc_PKCS7_StreamGetVar(pkcs7, &encOID, &expBlockSz, 0);
+            wc_PKCS7_StreamStoreVar(pkcs7, encOID, expBlockSz, explicitOctet);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_5);
+            FALL_THROUGH;
+
+        case WC_PKCS7_ENV_5:
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            wc_PKCS7_StreamGetVar(pkcs7, &encOID, &expBlockSz, &explicitOctet);
+            tmpIv = pkcs7->stream->tmpIv;
+            encryptedContentTotalSz = pkcs7->stream->expected;
+
+            /* restore decrypted key */
+            decryptedKey   = pkcs7->stream->aad;
+            decryptedKeySz = pkcs7->stream->aadSz;
+            blockKeySz = pkcs7->stream->contentSz;
+        #else
+            ret = 0;
+        #endif
+
+            if (explicitOctet) {
+                /* encrypted content may be fragmented into multiple
+                 * consecutive OCTET STRINGs, if so loop through
+                 * collecting and caching encrypted content bytes */
+                localIdx = idx;
+                while (idx < (localIdx + encryptedContentTotalSz)) {
+
+                    if (GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0) {
+                        ret = ASN_PARSE_E;
+                    }
+
+                    if (ret == 0 && (tag != ASN_OCTET_STRING)) {
+                        ret = ASN_PARSE_E;
+                    }
+
+                    if (ret == 0 && GetLength(pkiMsg, &idx,
+                                &encryptedContentSz, pkiMsgSz) <= 0) {
+                        ret = ASN_PARSE_E;
+                    }
+
+                    if (ret == 0) {
+                        ret = PKCS7_CacheEncryptedContent(pkcs7, &pkiMsg[idx],
+                                                          encryptedContentSz);
+                    }
+
+                    if (ret != 0) {
+                        break;
+                    }
+
+                    /* advance idx past encrypted content */
+                    idx += encryptedContentSz;
+                }
+
+                if (ret != 0) {
+                    break;
+                }
+
+            } else {
+                /* cache encrypted content, no OCTET STRING */
+                ret = PKCS7_CacheEncryptedContent(pkcs7, &pkiMsg[idx],
+                                                  encryptedContentTotalSz);
+                if (ret != 0) {
+                    break;
+                }
+                idx += encryptedContentTotalSz;
+            }
+
+            /* use cached content */
+            encryptedContent = pkcs7->cachedEncryptedContent;
+            encryptedContentSz = pkcs7->cachedEncryptedContentSz;
+
+            /* decrypt encryptedContent */
+            ret = wc_PKCS7_DecryptContent(pkcs7, encOID, decryptedKey,
+                    blockKeySz, tmpIv, expBlockSz, NULL, 0, NULL, 0,
+                    encryptedContent, encryptedContentSz, encryptedContent);
+            if (ret != 0) {
+                break;
+            }
+
+            padLen = encryptedContent[encryptedContentSz-1];
+
+            /* copy plaintext to output */
+            if (padLen > encryptedContentSz ||
+                    (word32)(encryptedContentSz - padLen) > outputSz) {
+                ret = BUFFER_E;
+                break;
+            }
+            XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
+
+            /* free memory, zero out keys */
+            ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);
+            XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            if (pkcs7->cachedEncryptedContent != NULL) {
+                XFREE(pkcs7->cachedEncryptedContent, pkcs7->heap,
+                      DYNAMIC_TYPE_PKCS7);
+                pkcs7->cachedEncryptedContent = NULL;
+                pkcs7->cachedEncryptedContentSz = 0;
+            }
+
+            ret = encryptedContentSz - padLen;
+        #ifndef NO_PKCS7_STREAM
+            pkcs7->stream->aad = NULL;
+            pkcs7->stream->aadSz = 0;
+            wc_PKCS7_ResetStream(pkcs7);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
+            break;
+
+        default:
+            WOLFSSL_MSG("PKCS#7 unknown decode enveloped state");
+            ret = BAD_FUNC_ARG;
+    }
+
+#ifndef NO_PKCS7_STREAM
+    if (ret < 0 && ret != WC_PKCS7_WANT_READ_E) {
+        wc_PKCS7_ResetStream(pkcs7);
+        wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
+        if (pkcs7->cachedEncryptedContent != NULL) {
+            XFREE(pkcs7->cachedEncryptedContent, pkcs7->heap,
+                  DYNAMIC_TYPE_PKCS7);
+            pkcs7->cachedEncryptedContent = NULL;
+            pkcs7->cachedEncryptedContentSz = 0;
+        }
+    }
+#else
+    if (decryptedKey != NULL && ret < 0) {
+        ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);
+        XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
+    if (pkcs7->cachedEncryptedContent != NULL && ret < 0) {
+        XFREE(pkcs7->cachedEncryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->cachedEncryptedContent = NULL;
+        pkcs7->cachedEncryptedContentSz = 0;
+    }
 #endif
+    return ret;
+}
+
+
+/* build PKCS#7 authEnvelopedData content type, return enveloped size */
+int wc_PKCS7_EncodeAuthEnvelopedData(PKCS7* pkcs7, byte* output,
+                                     word32 outputSz)
+{
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+    int ret, idx = 0;
+    int totalSz, encryptedOutSz;
+
+    int contentInfoSeqSz, outerContentTypeSz, outerContentSz;
+    byte contentInfoSeq[MAX_SEQ_SZ];
+    byte outerContentType[MAX_ALGO_SZ];
+    byte outerContent[MAX_SEQ_SZ];
+
+    int envDataSeqSz, verSz;
+    byte envDataSeq[MAX_SEQ_SZ];
+    byte ver[MAX_VERSION_SZ];
+
+    WC_RNG rng;
+    int blockSz, blockKeySz;
+    byte* encryptedContent;
+
+    Pkcs7EncodedRecip* tmpRecip = NULL;
+    int recipSz, recipSetSz;
+    byte recipSet[MAX_SET_SZ];
+
+    int encContentOctetSz, encContentSeqSz, contentTypeSz;
+    int contentEncAlgoSz, nonceOctetStringSz, macOctetStringSz;
+    byte encContentSeq[MAX_SEQ_SZ];
+    byte contentType[MAX_ALGO_SZ];
+    byte contentEncAlgo[MAX_ALGO_SZ];
+    byte nonceOctetString[MAX_OCTET_STR_SZ];
+    byte encContentOctet[MAX_OCTET_STR_SZ];
+    byte macOctetString[MAX_OCTET_STR_SZ];
+
+    byte authTag[AES_BLOCK_SIZE];
+    byte nonce[GCM_NONCE_MID_SZ];   /* GCM nonce is larger than CCM */
+    byte macInt[MAX_VERSION_SZ];
+    word32 nonceSz = 0, macIntSz = 0;
+
+    /* authAttribs */
+    byte* flatAuthAttribs = NULL;
+    byte authAttribSet[MAX_SET_SZ];
+    EncodedAttrib authAttribs[MAX_AUTH_ATTRIBS_SZ];
+    word32 authAttribsSz = 0, authAttribsCount = 0;
+    word32 authAttribsSetSz = 0;
+
+    byte* aadBuffer = NULL;
+    word32 aadBufferSz = 0;
+    byte authAttribAadSet[MAX_SET_SZ];
+    word32 authAttribsAadSetSz = 0;
+
+    /* unauthAttribs */
+    byte* flatUnauthAttribs = NULL;
+    byte unauthAttribSet[MAX_SET_SZ];
+    EncodedAttrib unauthAttribs[MAX_UNAUTH_ATTRIBS_SZ];
+    word32 unauthAttribsSz = 0, unauthAttribsCount = 0;
+    word32 unauthAttribsSetSz = 0;
+
+
+    PKCS7Attrib contentTypeAttrib;
+    byte contentTypeValue[MAX_OID_SZ];
+    /* contentType OID (1.2.840.113549.1.9.3) */
+    const byte contentTypeOid[] =
+            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0d, 0x01,
+                             0x09, 0x03 };
+
+    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (output == NULL || outputSz == 0)
+        return BAD_FUNC_ARG;
+
+    switch (pkcs7->encryptOID) {
+#ifdef HAVE_AESGCM
+    #ifdef WOLFSSL_AES_128
+        case AES128GCMb:
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192GCMb:
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256GCMb:
+            break;
+    #endif
+#endif
+#ifdef HAVE_AESCCM
+    #ifdef WOLFSSL_AES_128
+        case AES128CCMb:
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CCMb:
+            break;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CCMb:
+            break;
+    #endif
+#endif
+        default:
+            WOLFSSL_MSG("CMS AuthEnvelopedData must use AES-GCM or AES-CCM");
+            return BAD_FUNC_ARG;
+    }
+
+    blockKeySz = wc_PKCS7_GetOIDKeySize(pkcs7->encryptOID);
+    if (blockKeySz < 0)
+        return blockKeySz;
+
+    blockSz = wc_PKCS7_GetOIDBlockSize(pkcs7->encryptOID);
+    if (blockSz < 0)
+        return blockSz;
+
+    /* outer content type */
+    ret = wc_SetContentType(AUTH_ENVELOPED_DATA, outerContentType,
+                            sizeof(outerContentType));
+    if (ret < 0)
+        return ret;
+
+    outerContentTypeSz = ret;
+
+    /* version, defined as 0 in RFC 5083 */
+    verSz = SetMyVersion(0, ver, 0);
+
+    /* generate random content encryption key */
+    ret = PKCS7_GenerateContentEncryptionKey(pkcs7, blockKeySz);
+    if (ret != 0) {
+        return ret;
+    }
+
+    /* build RecipientInfo, only if user manually set singleCert and size */
+    if (pkcs7->singleCert != NULL && pkcs7->singleCertSz > 0) {
+        switch (pkcs7->publicKeyOID) {
+        #ifndef NO_RSA
+            case RSAk:
+                ret = wc_PKCS7_AddRecipient_KTRI(pkcs7, pkcs7->singleCert,
+                                                 pkcs7->singleCertSz, 0);
+                break;
+        #endif
+        #ifdef HAVE_ECC
+            case ECDSAk:
+                ret = wc_PKCS7_AddRecipient_KARI(pkcs7, pkcs7->singleCert,
+                                                 pkcs7->singleCertSz,
+                                                 pkcs7->keyWrapOID,
+                                                 pkcs7->keyAgreeOID, pkcs7->ukm,
+                                                 pkcs7->ukmSz, 0);
+                break;
+        #endif
+
+            default:
+                WOLFSSL_MSG("Unsupported RecipientInfo public key type");
+                return BAD_FUNC_ARG;
+        };
+
+        if (ret < 0) {
+            WOLFSSL_MSG("Failed to create RecipientInfo");
             return ret;
         }
     }
 
-    encContentOctetSz = SetImplicit(ASN_OCTET_STRING, 0,
-                                    desOutSz, encContentOctet);
+    recipSz = wc_PKCS7_GetRecipientListSize(pkcs7);
+    if (recipSz < 0) {
+        return ret;
+
+    } else if (recipSz == 0) {
+        WOLFSSL_MSG("You must add at least one CMS recipient");
+        return PKCS7_RECIP_E;
+    }
+    recipSetSz = SetSet(recipSz, recipSet);
+
+    /* generate random nonce and IV for encryption */
+    switch (pkcs7->encryptOID) {
+#ifdef HAVE_AESGCM
+    #ifdef WOLFSSL_AES_128
+        case AES128GCMb:
+            FALL_THROUGH;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192GCMb:
+            FALL_THROUGH;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256GCMb:
+    #endif
+    #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+        defined(WOLFSSL_AES_256)
+            /* GCM nonce is GCM_NONCE_MID_SZ (12) */
+            nonceSz = GCM_NONCE_MID_SZ;
+            break;
+    #endif
+#endif /* HAVE_AESGCM */
+#ifdef HAVE_AESCCM
+    #ifdef WOLFSSL_AES_128
+        case AES128CCMb:
+            FALL_THROUGH;
+    #endif
+    #ifdef WOLFSSL_AES_192
+        case AES192CCMb:
+            FALL_THROUGH;
+    #endif
+    #ifdef WOLFSSL_AES_256
+        case AES256CCMb:
+    #endif
+    #if defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_192) || \
+        defined(WOLFSSL_AES_256)
+            /* CCM nonce is CCM_NONCE_MIN_SZ (7) */
+            nonceSz = CCM_NONCE_MIN_SZ;
+            break;
+    #endif
+#endif /* HAVE_AESCCM */
+    }
+
+    ret = wc_InitRng_ex(&rng, pkcs7->heap, pkcs7->devId);
+    if (ret != 0)
+        return ret;
+
+    ret = wc_PKCS7_GenerateBlock(pkcs7, &rng, nonce, nonceSz);
+    wc_FreeRng(&rng);
+    if (ret != 0) {
+        return ret;
+    }
+
+
+    /* authAttribs: add contentType attrib if needed */
+    if (pkcs7->contentOID != DATA) {
+
+        /* if type is not id-data, contentType attribute MUST be added */
+        contentTypeAttrib.oid = contentTypeOid;
+        contentTypeAttrib.oidSz = sizeof(contentTypeOid);
+
+        /* try to set from contentOID first, known types */
+        ret = wc_SetContentType(pkcs7->contentOID, contentTypeValue,
+                                sizeof(contentTypeValue));
+        if (ret > 0) {
+            contentTypeAttrib.value = contentTypeValue;
+            contentTypeAttrib.valueSz = ret;
+
+        /* otherwise, try to set from custom content type */
+        } else {
+            if (pkcs7->contentTypeSz == 0) {
+                WOLFSSL_MSG("CMS pkcs7->contentType must be set if "
+                            "contentOID is not");
+                return BAD_FUNC_ARG;
+            }
+            contentTypeAttrib.value = pkcs7->contentType;
+            contentTypeAttrib.valueSz = pkcs7->contentTypeSz;
+        }
+
+        authAttribsSz += EncodeAttributes(authAttribs, 1,
+                                          &contentTypeAttrib, 1);
+        authAttribsCount += 1;
+    }
+
+    /* authAttribs: add in user authenticated attributes */
+    if (pkcs7->authAttribs != NULL && pkcs7->authAttribsSz > 0) {
+        authAttribsSz += EncodeAttributes(authAttribs + authAttribsCount,
+                                 MAX_AUTH_ATTRIBS_SZ - authAttribsCount,
+                                 pkcs7->authAttribs,
+                                 pkcs7->authAttribsSz);
+        authAttribsCount += pkcs7->authAttribsSz;
+    }
+
+    /* authAttribs: flatten authAttribs */
+    if (authAttribsSz > 0 && authAttribsCount > 0) {
+        flatAuthAttribs = (byte*)XMALLOC(authAttribsSz, pkcs7->heap,
+                                         DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs == NULL) {
+            return MEMORY_E;
+        }
+
+        FlattenAttributes(pkcs7, flatAuthAttribs, authAttribs,
+                          authAttribsCount);
+
+        authAttribsSetSz = SetImplicit(ASN_SET, 1, authAttribsSz,
+                                       authAttribSet);
+
+        /* From RFC5083, "For the purpose of constructing the AAD, the
+         * IMPLICIT [1] tag in the authAttrs field is not used for the
+         * DER encoding: rather a universal SET OF tag is used. */
+        authAttribsAadSetSz = SetSet(authAttribsSz, authAttribAadSet);
+
+        /* allocate temp buffer to hold alternate attrib encoding for aad */
+        aadBuffer = (byte*)XMALLOC(authAttribsSz + authAttribsAadSetSz,
+                                   pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (aadBuffer == NULL) {
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return MEMORY_E;
+        }
+
+        /* build up alternate attrib encoding for aad */
+        aadBufferSz = 0;
+        XMEMCPY(aadBuffer + aadBufferSz, authAttribAadSet, authAttribsAadSetSz);
+        aadBufferSz += authAttribsAadSetSz;
+        XMEMCPY(aadBuffer + aadBufferSz, flatAuthAttribs, authAttribsSz);
+        aadBufferSz += authAttribsSz;
+    }
+
+    /* build up unauthenticated attributes (unauthAttrs) */
+    if (pkcs7->unauthAttribsSz > 0) {
+        unauthAttribsSz = EncodeAttributes(unauthAttribs + unauthAttribsCount,
+                                     MAX_UNAUTH_ATTRIBS_SZ - unauthAttribsCount,
+                                     pkcs7->unauthAttribs,
+                                     pkcs7->unauthAttribsSz);
+        unauthAttribsCount = pkcs7->unauthAttribsSz;
+
+        flatUnauthAttribs = (byte*)XMALLOC(unauthAttribsSz, pkcs7->heap,
+                                            DYNAMIC_TYPE_PKCS7);
+        if (flatUnauthAttribs == NULL) {
+            if (aadBuffer)
+                XFREE(aadBuffer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (flatAuthAttribs)
+                XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return MEMORY_E;
+        }
+
+        FlattenAttributes(pkcs7, flatUnauthAttribs, unauthAttribs,
+                          unauthAttribsCount);
+        unauthAttribsSetSz = SetImplicit(ASN_SET, 2, unauthAttribsSz,
+                                         unauthAttribSet);
+    }
+
+    /* allocate encrypted content buffer */
+    encryptedOutSz = pkcs7->contentSz;
+    encryptedContent = (byte*)XMALLOC(encryptedOutSz, pkcs7->heap,
+                                      DYNAMIC_TYPE_PKCS7);
+    if (encryptedContent == NULL) {
+        if (aadBuffer)
+            XFREE(aadBuffer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (flatUnauthAttribs)
+            XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs)
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    /* encrypt content */
+    ret = wc_PKCS7_EncryptContent(pkcs7->encryptOID, pkcs7->cek,
+            pkcs7->cekSz, nonce, nonceSz, aadBuffer, aadBufferSz, authTag,
+            sizeof(authTag), pkcs7->content, encryptedOutSz, encryptedContent);
+
+    if (aadBuffer) {
+        XFREE(aadBuffer, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        aadBuffer = NULL;
+    }
+
+    if (ret != 0) {
+        if (flatUnauthAttribs)
+            XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs)
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* EncryptedContentInfo */
+    ret = wc_SetContentType(pkcs7->contentOID, contentType,
+                            sizeof(contentType));
+    if (ret < 0) {
+        if (flatUnauthAttribs)
+            XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs)
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    contentTypeSz = ret;
+
+    /* put together nonce OCTET STRING */
+    nonceOctetStringSz = SetOctetString(nonceSz, nonceOctetString);
+
+    /* put together aes-ICVlen INTEGER */
+    macIntSz = SetMyVersion(sizeof(authTag), macInt, 0);
+
+    /* build up our ContentEncryptionAlgorithmIdentifier sequence,
+     * adding (nonceOctetStringSz + blockSz + macIntSz) for nonce OCTET STRING
+     * and tag size */
+    contentEncAlgoSz = SetAlgoID(pkcs7->encryptOID, contentEncAlgo,
+                                 oidBlkType, nonceOctetStringSz + nonceSz +
+                                 macIntSz);
+
+    if (contentEncAlgoSz == 0) {
+        if (flatUnauthAttribs)
+            XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs)
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BAD_FUNC_ARG;
+    }
+
+    encContentOctetSz = SetImplicit(ASN_OCTET_STRING, 0, encryptedOutSz,
+                                    encContentOctet);
 
     encContentSeqSz = SetSequence(contentTypeSz + contentEncAlgoSz +
-                                  ivOctetStringSz + DES_BLOCK_SIZE +
-                                  encContentOctetSz + desOutSz, encContentSeq);
+                                  nonceOctetStringSz + nonceSz + macIntSz +
+                                  encContentOctetSz + encryptedOutSz,
+                                  encContentSeq);
+
+    macOctetStringSz = SetOctetString(sizeof(authTag), macOctetString);
 
     /* keep track of sizes for outer wrapper layering */
     totalSz = verSz + recipSetSz + recipSz + encContentSeqSz + contentTypeSz +
-              contentEncAlgoSz + ivOctetStringSz + DES_BLOCK_SIZE +
-              encContentOctetSz + desOutSz;
+              contentEncAlgoSz + nonceOctetStringSz + nonceSz + macIntSz +
+              encContentOctetSz + encryptedOutSz + authAttribsSz +
+              authAttribsSetSz + macOctetStringSz + sizeof(authTag) +
+              unauthAttribsSz + unauthAttribsSetSz;
 
     /* EnvelopedData */
     envDataSeqSz = SetSequence(totalSz, envDataSeq);
@@ -1417,12 +10836,11 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
 
     if (totalSz > (int)outputSz) {
         WOLFSSL_MSG("Pkcs7_encrypt output buffer too small");
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (dynamicFlag)
-            XFREE(plain, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
-#endif
+        if (flatUnauthAttribs)
+            XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAuthAttribs)
+            XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return BUFFER_E;
     }
 
@@ -1438,412 +10856,1659 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
     idx += verSz;
     XMEMCPY(output + idx, recipSet, recipSetSz);
     idx += recipSetSz;
-    XMEMCPY(output + idx, recip, recipSz);
-    idx += recipSz;
+    /* copy in recipients from list */
+    tmpRecip = pkcs7->recipList;
+    while (tmpRecip != NULL) {
+        XMEMCPY(output + idx, tmpRecip->recip, tmpRecip->recipSz);
+        idx += tmpRecip->recipSz;
+        tmpRecip = tmpRecip->next;
+    }
+    wc_PKCS7_FreeEncodedRecipientSet(pkcs7);
     XMEMCPY(output + idx, encContentSeq, encContentSeqSz);
     idx += encContentSeqSz;
     XMEMCPY(output + idx, contentType, contentTypeSz);
     idx += contentTypeSz;
     XMEMCPY(output + idx, contentEncAlgo, contentEncAlgoSz);
     idx += contentEncAlgoSz;
-    XMEMCPY(output + idx, ivOctetString, ivOctetStringSz);
-    idx += ivOctetStringSz;
-    XMEMCPY(output + idx, tmpIv, DES_BLOCK_SIZE);
-    idx += DES_BLOCK_SIZE;
+    XMEMCPY(output + idx, nonceOctetString, nonceOctetStringSz);
+    idx += nonceOctetStringSz;
+    XMEMCPY(output + idx, nonce, nonceSz);
+    idx += nonceSz;
+    XMEMCPY(output + idx, macInt, macIntSz);
+    idx += macIntSz;
     XMEMCPY(output + idx, encContentOctet, encContentOctetSz);
     idx += encContentOctetSz;
-    XMEMCPY(output + idx, encryptedContent, desOutSz);
-    idx += desOutSz;
+    XMEMCPY(output + idx, encryptedContent, encryptedOutSz);
+    idx += encryptedOutSz;
+
+    /* authenticated attributes */
+    if (flatAuthAttribs && authAttribsSz > 0) {
+        XMEMCPY(output + idx, authAttribSet, authAttribsSetSz);
+        idx += authAttribsSetSz;
+        XMEMCPY(output + idx, flatAuthAttribs, authAttribsSz);
+        idx += authAttribsSz;
+        XFREE(flatAuthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
 
-    ForceZero(contentKeyPlain, MAX_CONTENT_KEY_LEN);
+    XMEMCPY(output + idx, macOctetString, macOctetStringSz);
+    idx += macOctetStringSz;
+    XMEMCPY(output + idx, authTag, sizeof(authTag));
+    idx += sizeof(authTag);
+
+    /* unauthenticated attributes */
+    if (unauthAttribsSz > 0) {
+        XMEMCPY(output + idx, unauthAttribSet, unauthAttribsSetSz);
+        idx += unauthAttribsSetSz;
+        XMEMCPY(output + idx, flatUnauthAttribs, unauthAttribsSz);
+        idx += unauthAttribsSz;
+    }
 
-    if (dynamicFlag)
-        XFREE(plain, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
-    XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(recip, NULL, DYNAMMIC_TYPE_TMP_BUFFER);
-#endif
+    if (flatUnauthAttribs != NULL) {
+        XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
+
+    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
     return idx;
+
+#else
+    WOLFSSL_MSG("AuthEnvelopedData requires AES-GCM or AES-CCM to be enabled");
+    (void)pkcs7;
+    (void)output;
+    (void)outputSz;
+
+    return NOT_COMPILED_IN;
+#endif /* HAVE_AESGCM | HAVE_AESCCM */
 }
 
-/* unwrap and decrypt PKCS#7 envelopedData object, return decoded size */
-WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
-                                         word32 pkiMsgSz, byte* output,
-                                         word32 outputSz)
+
+/* unwrap and decrypt PKCS#7 AuthEnvelopedData object, return decoded size */
+WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
+                                                 word32 inSz, byte* output,
+                                                 word32 outputSz)
 {
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
     int recipFound = 0;
-    int ret, version, length;
-    word32 savedIdx = 0, idx = 0;
-    word32 contentType, encOID;
-    byte   issuerHash[SHA_DIGEST_SIZE];
+    int ret = 0, length;
+    word32 idx = 0;
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = 0;
+    long rc;
+#endif
+    word32 contentType, encOID = 0;
+    word32 decryptedKeySz = 0;
+    byte* pkiMsg = in;
+    word32 pkiMsgSz = inSz;
 
-    int encryptedKeySz, keySz;
-    byte tmpIv[DES_BLOCK_SIZE];
-    byte* decryptedKey = NULL;
+    int expBlockSz = 0, blockKeySz = 0;
+    byte authTag[AES_BLOCK_SIZE];
+    byte nonce[GCM_NONCE_MID_SZ];       /* GCM nonce is larger than CCM */
+    int nonceSz = 0, authTagSz = 0, macSz = 0;
 
 #ifdef WOLFSSL_SMALL_STACK
-    mp_int* serialNum;
-    byte* encryptedKey;
-    RsaKey* privKey;
+    byte* decryptedKey = NULL;
 #else
-    mp_int stack_serialNum;
-    mp_int* serialNum = &stack_serialNum;
-    byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
-    
-    RsaKey stack_privKey;
-    RsaKey* privKey = &stack_privKey;
+    byte  decryptedKey[MAX_ENCRYPTED_KEY_SZ];
 #endif
-    int encryptedContentSz;
-    byte padLen;
+    int encryptedContentSz = 0;
     byte* encryptedContent = NULL;
+    int explicitOctet = 0;
+
+    byte authAttribSetByte = 0;
+    byte* encodedAttribs = NULL;
+    word32 encodedAttribIdx = 0, encodedAttribSz = 0;
+    byte* authAttrib = NULL;
+    int authAttribSz = 0;
+    word32 localIdx;
+    byte tag;
 
-    if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
-        pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL ||
-        pkcs7->privateKeySz == 0)
+    if (pkcs7 == NULL)
         return BAD_FUNC_ARG;
 
     if (pkiMsg == NULL || pkiMsgSz == 0 ||
         output == NULL || outputSz == 0)
         return BAD_FUNC_ARG;
+#ifndef NO_PKCS7_STREAM
+    if (pkcs7->stream == NULL) {
+        if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) {
+            return ret;
+        }
+    }
+#endif
 
-    /* read past ContentInfo, verify type is envelopedData */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+    switch (pkcs7->state) {
+        case WC_PKCS7_START:
+        case WC_PKCS7_INFOSET_START:
+        case WC_PKCS7_INFOSET_STAGE1:
+        case WC_PKCS7_INFOSET_STAGE2:
+        case WC_PKCS7_INFOSET_END:
+            ret = wc_PKCS7_ParseToRecipientInfoSet(pkcs7, pkiMsg, pkiMsgSz,
+                    &idx, AUTH_ENVELOPED_DATA);
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            tmpIdx = idx;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_2);
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_2:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                            MAX_VERSION_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+        #endif
+        #ifdef WOLFSSL_SMALL_STACK
+            decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
+                                                               DYNAMIC_TYPE_PKCS7);
+            if (decryptedKey == NULL) {
+                ret = MEMORY_E;
+                break;
+            }
+        #ifndef NO_PKCS7_STREAM
+            pkcs7->stream->key = decryptedKey;
+        #endif
+        #endif
+            FALL_THROUGH;
+
+        case WC_PKCS7_DECRYPT_KTRI:
+        case WC_PKCS7_DECRYPT_KTRI_2:
+        case WC_PKCS7_DECRYPT_KTRI_3:
+        case WC_PKCS7_DECRYPT_KARI:
+        case WC_PKCS7_DECRYPT_KEKRI:
+        case WC_PKCS7_DECRYPT_PWRI:
+        case WC_PKCS7_DECRYPT_ORI:
+
+            decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
+        #ifdef WOLFSSL_SMALL_STACK
+            #ifndef NO_PKCS7_STREAM
+            decryptedKey = pkcs7->stream->key;
+            #endif
+        #endif
+
+            ret = wc_PKCS7_DecryptRecipientInfos(pkcs7, in, inSz, &idx,
+                                                decryptedKey, &decryptedKeySz,
+                                                &recipFound);
+            if (ret != 0) {
+                break;
+            }
 
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+            if (recipFound == 0) {
+                WOLFSSL_MSG("No recipient found in envelopedData that matches input");
+                ret = PKCS7_RECIP_E;
+                break;
+            }
 
-    if (contentType != ENVELOPED_DATA) {
-        WOLFSSL_MSG("PKCS#7 input not of type EnvelopedData");
-        return PKCS7_OID_E;
-    }
+        #ifndef NO_PKCS7_STREAM
+            tmpIdx = idx;
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_3);
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_3:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
+                            MAX_ALGO_SZ + MAX_ALGO_SZ + ASN_TAG_SZ,
+                            &pkiMsg, &idx)) != 0) {
+                break;
+            }
 
-    if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
-        return ASN_PARSE_E;
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
 
-    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+            /* remove EncryptedContentInfo */
+            if (ret == 0 && GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
 
-    /* remove EnvelopedData and version */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
+            if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType,
+                        pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
 
-    if (GetMyVersion(pkiMsg, &idx, &version) < 0)
-        return ASN_PARSE_E;
+            if (ret == 0 && GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType,
+                        pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
 
-    if (version != 0) {
-        WOLFSSL_MSG("PKCS#7 envelopedData needs to be of version 0");
-        return ASN_VERSION_E;
-    }
+            blockKeySz = wc_PKCS7_GetOIDKeySize(encOID);
+            if (ret == 0 && blockKeySz < 0) {
+                ret = blockKeySz;
+            }
 
-    /* walk through RecipientInfo set, find correct recipient */
-    if (GetSet(pkiMsg, &idx, &length, pkiMsgSz) < 0)
-        return ASN_PARSE_E;
-    
-#ifdef WOLFSSL_SMALL_STACK
-    encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-    if (encryptedKey == NULL)
-        return MEMORY_E;
-#endif
-    
-    savedIdx = idx;
-    recipFound = 0;
+            expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID);
+            if (ret == 0 && expBlockSz < 0) {
+                ret = expBlockSz;
+            }
 
-    /* when looking for next recipient, use first sequence and version to
-     * indicate there is another, if not, move on */
-    while(recipFound == 0) {
+            /* get nonce, stored in OPTIONAL parameter of AlgoID */
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
 
-        /* remove RecipientInfo, if we don't have a SEQUENCE, back up idx to
-         * last good saved one */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
-            idx = savedIdx;
-            break;
-        }
+            if (ret == 0 && tag != ASN_OCTET_STRING) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+            wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz, 0);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_4);
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_4:
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                            MAX_VERSION_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ,
+                            &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+        #endif
+            if (ret == 0 && GetLength(pkiMsg, &idx, &nonceSz, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && nonceSz > (int)sizeof(nonce)) {
+                WOLFSSL_MSG("AuthEnvelopedData nonce too large for buffer");
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0) {
+                XMEMCPY(nonce, &pkiMsg[idx], nonceSz);
+                idx += nonceSz;
+            }
+
+            /* get mac size, also stored in OPTIONAL parameter of AlgoID */
+            if (ret == 0 && GetMyVersion(pkiMsg, &idx, &macSz, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0) {
+                explicitOctet = 0;
+                localIdx = idx;
+                if (GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) == 0 &&
+                        tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0))
+                    explicitOctet = 1;
+
+                /* read encryptedContent, cont[0] */
+                ret = GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz);
+            }
+
+            if (ret == 0 &&
+                    tag != (ASN_CONTEXT_SPECIFIC | 0) &&
+                    tag != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz,
+                        pkiMsgSz) <= 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (explicitOctet) {
+                if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0) {
+                    ret = ASN_PARSE_E;
+                }
+                if (ret == 0 && tag != ASN_OCTET_STRING) {
+                    ret = ASN_PARSE_E;
+                }
+
+                if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz,
+                            pkiMsgSz) <= 0) {
+                    ret = ASN_PARSE_E;
+                }
+            }
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+
+            /* store nonce for later */
+            if (nonceSz > 0) {
+                pkcs7->stream->nonceSz = nonceSz;
+                pkcs7->stream->nonce = (byte*)XMALLOC(nonceSz, pkcs7->heap,
+                        DYNAMIC_TYPE_PKCS7);
+                if (pkcs7->stream->nonce == NULL) {
+                    ret = MEMORY_E;
+                    break;
+                }
+                else {
+                    XMEMCPY(pkcs7->stream->nonce, nonce, nonceSz);
+                }
+            }
+
+            pkcs7->stream->expected = encryptedContentSz;
+            wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz,
+                    encryptedContentSz);
+        #endif
 
-        if (GetMyVersion(pkiMsg, &idx, &version) < 0) {
-            idx = savedIdx;
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_5);
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_5:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                            ASN_TAG_SZ + ASN_TAG_SZ + pkcs7->stream->expected,
+                            &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            encryptedContentSz = pkcs7->stream->expected;
+        #endif
+
+            encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap,
+                                                               DYNAMIC_TYPE_PKCS7);
+            if (ret == 0 && encryptedContent == NULL) {
+                ret = MEMORY_E;
+            }
+
+            if (ret == 0) {
+                XMEMCPY(encryptedContent, &pkiMsg[idx], encryptedContentSz);
+                idx += encryptedContentSz;
+            }
+        #ifndef NO_PKCS7_STREAM
+                pkcs7->stream->bufferPt = encryptedContent;
+        #endif
+
+            /* may have IMPLICIT [1] authenticatedAttributes */
+            localIdx = idx;
+            if (ret == 0 && GetASNTag(pkiMsg, &localIdx, &tag, pkiMsgSz) == 0 &&
+                    tag == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
+                encodedAttribIdx = idx;
+                encodedAttribs = pkiMsg + idx;
+                idx++;
+
+                if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+            #ifndef NO_PKCS7_STREAM
+                pkcs7->stream->expected = length;
+            #endif
+                encodedAttribSz = length + (idx - encodedAttribIdx);
+
+                if (ret != 0)
+                    break;
+
+            #ifndef NO_PKCS7_STREAM
+                if (encodedAttribSz > 0) {
+                    pkcs7->stream->aadSz = encodedAttribSz;
+                    pkcs7->stream->aad = (byte*)XMALLOC(encodedAttribSz,
+                            pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                    if (pkcs7->stream->aad == NULL) {
+                        ret = MEMORY_E;
+                        break;
+                    }
+                    else {
+                        XMEMCPY(pkcs7->stream->aad, encodedAttribs,
+                                (idx - encodedAttribIdx));
+                    }
+                }
+
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                    break;
+                }
+            #endif
+                wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRB);
+            }
+            else {
+            #ifndef NO_PKCS7_STREAM
+                if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                    break;
+                }
+            #endif
+                goto authenv_atrbend; /* jump over attribute cases */
+            }
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_ATRB:
+    #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            length = pkcs7->stream->expected;
+            encodedAttribs = pkcs7->stream->aad;
+    #else
+            length = 0;
+    #endif
+
+            /* save pointer and length */
+            authAttrib = &pkiMsg[idx];
+            authAttribSz = length;
+
+            if (ret == 0 && wc_PKCS7_ParseAttribs(pkcs7, authAttrib, authAttribSz) < 0) {
+                WOLFSSL_MSG("Error parsing authenticated attributes");
+                ret = ASN_PARSE_E;
+                break;
+            }
+
+            idx += length;
+
+    #ifndef NO_PKCS7_STREAM
+            if (encodedAttribSz > 0) {
+                XMEMCPY(pkcs7->stream->aad + (encodedAttribSz - length),
+                        authAttrib, authAttribSz);
+            }
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+
+    #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRBEND);
+            FALL_THROUGH;
+
+authenv_atrbend:
+        case WC_PKCS7_AUTHENV_ATRBEND:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
+                            ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
+                in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            if (pkcs7->stream->aadSz > 0) {
+                encodedAttribSz = pkcs7->stream->aadSz;
+                encodedAttribs  = pkcs7->stream->aad;
+            }
+        #endif
+
+
+            /* get authTag OCTET STRING */
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+            if (ret == 0 && tag != ASN_OCTET_STRING) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &authTagSz, pkiMsgSz) < 0) {
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0 && authTagSz > (int)sizeof(authTag)) {
+                WOLFSSL_MSG("AuthEnvelopedData authTag too large for buffer");
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret == 0) {
+                XMEMCPY(authTag, &pkiMsg[idx], authTagSz);
+                idx += authTagSz;
+            }
+
+            if (ret == 0 && authAttrib != NULL) {
+                /* temporarily swap authAttribs byte[0] to SET OF instead of
+                 * IMPLICIT [1], for aad calculation */
+                authAttribSetByte = encodedAttribs[0];
+
+                encodedAttribs[0] = ASN_SET | ASN_CONSTRUCTED;
+            }
+
+            if (ret < 0)
+                break;
+
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+            pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                pkcs7->stream->totalRd) + pkcs7->stream->length;
+
+
+            /* store tag for later */
+            if (authTagSz > 0) {
+                pkcs7->stream->tagSz = authTagSz;
+                pkcs7->stream->tag = (byte*)XMALLOC(authTagSz, pkcs7->heap,
+                        DYNAMIC_TYPE_PKCS7);
+                if (pkcs7->stream->tag == NULL) {
+                    ret = MEMORY_E;
+                    break;
+                }
+                else {
+                    XMEMCPY(pkcs7->stream->tag, authTag, authTagSz);
+                }
+            }
+
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_6);
+            FALL_THROUGH;
+
+        case WC_PKCS7_AUTHENV_6:
+        #ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                break;
+            }
+
+            /* restore all variables needed */
+            if (pkcs7->stream->nonceSz > 0) {
+                nonceSz = pkcs7->stream->nonceSz;
+                if (nonceSz > GCM_NONCE_MID_SZ) {
+                    WOLFSSL_MSG("PKCS7 saved nonce is too large");
+                    ret = BUFFER_E;
+                    break;
+                }
+                else {
+                    XMEMCPY(nonce, pkcs7->stream->nonce, nonceSz);
+                }
+            }
+
+            if (pkcs7->stream->tagSz > 0) {
+                authTagSz = pkcs7->stream->tagSz;
+                if (authTagSz > AES_BLOCK_SIZE) {
+                    WOLFSSL_MSG("PKCS7 saved tag is too large");
+                    ret = BUFFER_E;
+                    break;
+                }
+                else {
+                    XMEMCPY(authTag, pkcs7->stream->tag, authTagSz);
+                }
+            }
+
+            if (pkcs7->stream->aadSz > 0) {
+                encodedAttribSz = pkcs7->stream->aadSz;
+                encodedAttribs  = pkcs7->stream->aad;
+            }
+
+            wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz,
+                                  &encryptedContentSz);
+            encryptedContent   = pkcs7->stream->bufferPt;
+        #ifdef WOLFSSL_SMALL_STACK
+            decryptedKey = pkcs7->stream->key;
+        #endif
+        #endif
+
+            /* decrypt encryptedContent */
+            ret = wc_PKCS7_DecryptContent(pkcs7, encOID, decryptedKey,
+                    blockKeySz, nonce, nonceSz, encodedAttribs, encodedAttribSz,
+                    authTag, authTagSz, encryptedContent, encryptedContentSz,
+                    encryptedContent);
+            if (ret != 0) {
+                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                return ret;
+            }
+
+            if (authAttrib != NULL) {
+                /* restore authAttrib IMPLICIT [1] */
+                encodedAttribs[0] = authAttribSetByte;
+            }
+
+            /* copy plaintext to output */
+            XMEMCPY(output, encryptedContent, encryptedContentSz);
+
+            /* free memory, zero out keys */
+            ForceZero(encryptedContent, encryptedContentSz);
+            XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            decryptedKey = NULL;
+        #ifdef WOLFSSL_SMALL_STACK
+            #ifndef NO_PKCS7_STREAM
+            pkcs7->stream->key = NULL;
+            #endif
+        #endif
+        #endif
+            ret = encryptedContentSz;
+        #ifndef NO_PKCS7_STREAM
+            wc_PKCS7_ResetStream(pkcs7);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
             break;
-        }
+        default:
+            WOLFSSL_MSG("Unknown PKCS7 state");
+            ret = BAD_FUNC_ARG;
+    }
 
-        if (version != 0) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_VERSION_E;
+    if (ret != 0 && ret != WC_PKCS7_WANT_READ_E) {
+        if (decryptedKey != NULL) {
+            ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);
         }
-        
-        /* remove IssuerAndSerialNumber */
-        if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
 #endif
-            return ASN_PARSE_E;
-        }
-        
-        if (GetNameHash(pkiMsg, &idx, issuerHash, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#ifndef NO_PKCS7_STREAM
+    if (ret != 0 && ret != WC_PKCS7_WANT_READ_E) {
+        wc_PKCS7_ResetStream(pkcs7);
+    }
 #endif
-            return ASN_PARSE_E;
+
+    return ret;
+
+#else
+    WOLFSSL_MSG("AuthEnvelopedData requires AES-GCM or AES-CCM to be enabled");
+    (void)pkcs7;
+    (void)in;
+    (void)inSz;
+    (void)output;
+    (void)outputSz;
+
+    return NOT_COMPILED_IN;
+#endif /* HAVE_AESGCM | HAVE_AESCCM */
+}
+
+
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+
+/* build PKCS#7 encryptedData content type, return encrypted size */
+int wc_PKCS7_EncodeEncryptedData(PKCS7* pkcs7, byte* output, word32 outputSz)
+{
+    int ret, idx = 0;
+    int totalSz, padSz, encryptedOutSz;
+
+    int contentInfoSeqSz, outerContentTypeSz, outerContentSz;
+    byte contentInfoSeq[MAX_SEQ_SZ];
+    byte outerContentType[MAX_ALGO_SZ];
+    byte outerContent[MAX_SEQ_SZ];
+
+    int encDataSeqSz, verSz, blockSz;
+    byte encDataSeq[MAX_SEQ_SZ];
+    byte ver[MAX_VERSION_SZ];
+
+    byte* plain = NULL;
+    byte* encryptedContent = NULL;
+
+    int encContentOctetSz, encContentSeqSz, contentTypeSz;
+    int contentEncAlgoSz, ivOctetStringSz;
+    byte encContentSeq[MAX_SEQ_SZ];
+    byte contentType[MAX_OID_SZ];
+    byte contentEncAlgo[MAX_ALGO_SZ];
+    byte tmpIv[MAX_CONTENT_IV_SIZE];
+    byte ivOctetString[MAX_OCTET_STR_SZ];
+    byte encContentOctet[MAX_OCTET_STR_SZ];
+
+    byte attribSet[MAX_SET_SZ];
+    EncodedAttrib* attribs = NULL;
+    word32 attribsSz;
+    word32 attribsCount;
+    word32 attribsSetSz;
+
+    byte* flatAttribs = NULL;
+
+    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0 ||
+        pkcs7->encryptOID == 0 || pkcs7->encryptionKey == NULL ||
+        pkcs7->encryptionKeySz == 0)
+        return BAD_FUNC_ARG;
+
+    if (output == NULL || outputSz == 0)
+        return BAD_FUNC_ARG;
+
+    if (pkcs7->version == 3) {
+        verSz = SetMyVersion(0, ver, 0);
+        outerContentTypeSz = 0;
+    }
+    else {
+        /* outer content type */
+        ret = wc_SetContentType(ENCRYPTED_DATA, outerContentType,
+                                sizeof(outerContentType));
+        if (ret < 0)
+            return ret;
+
+        outerContentTypeSz = ret;
+
+        /* version, 2 if unprotectedAttrs present, 0 if absent */
+        if (pkcs7->unprotectedAttribsSz > 0) {
+            verSz = SetMyVersion(2, ver, 0);
+        } else {
+            verSz = SetMyVersion(0, ver, 0);
         }
-        
-        /* if we found correct recipient, issuer hashes will match */
-        if (XMEMCMP(issuerHash, pkcs7->issuerHash, SHA_DIGEST_SIZE) == 0) {
-            recipFound = 1;
+    }
+
+    /* EncryptedContentInfo */
+    ret = wc_SetContentType(pkcs7->contentOID, contentType,
+                            sizeof(contentType));
+    if (ret < 0)
+        return ret;
+
+    contentTypeSz = ret;
+
+    /* allocate encrypted content buffer, do PKCS#7 padding */
+    blockSz = wc_PKCS7_GetOIDBlockSize(pkcs7->encryptOID);
+    if (blockSz < 0)
+        return blockSz;
+
+    padSz = wc_PKCS7_GetPadSize(pkcs7->contentSz, blockSz);
+    if (padSz < 0)
+        return padSz;
+
+    encryptedOutSz = pkcs7->contentSz + padSz;
+
+    plain = (byte*)XMALLOC(encryptedOutSz, pkcs7->heap,
+                           DYNAMIC_TYPE_PKCS7);
+    if (plain == NULL)
+        return MEMORY_E;
+
+    ret = wc_PKCS7_PadData(pkcs7->content, pkcs7->contentSz, plain,
+                           encryptedOutSz, blockSz);
+    if (ret < 0) {
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    encryptedContent = (byte*)XMALLOC(encryptedOutSz, pkcs7->heap,
+                                      DYNAMIC_TYPE_PKCS7);
+    if (encryptedContent == NULL) {
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    /* put together IV OCTET STRING */
+    ivOctetStringSz = SetOctetString(blockSz, ivOctetString);
+
+    /* build up ContentEncryptionAlgorithmIdentifier sequence,
+       adding (ivOctetStringSz + blockSz) for IV OCTET STRING */
+    contentEncAlgoSz = SetAlgoID(pkcs7->encryptOID, contentEncAlgo,
+                                 oidBlkType, ivOctetStringSz + blockSz);
+    if (contentEncAlgoSz == 0) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BAD_FUNC_ARG;
+    }
+
+    /* encrypt content */
+    WOLFSSL_MSG("Encrypting the content");
+    ret = wc_PKCS7_GenerateBlock(pkcs7, NULL, tmpIv, blockSz);
+    if (ret != 0) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    ret = wc_PKCS7_EncryptContent(pkcs7->encryptOID, pkcs7->encryptionKey,
+            pkcs7->encryptionKeySz, tmpIv, blockSz, NULL, 0, NULL, 0,
+            plain, encryptedOutSz, encryptedContent);
+    if (ret != 0) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    encContentOctetSz = SetImplicit(ASN_OCTET_STRING, 0,
+                                    encryptedOutSz, encContentOctet);
+
+    encContentSeqSz = SetSequence(contentTypeSz + contentEncAlgoSz +
+                                  ivOctetStringSz + blockSz +
+                                  encContentOctetSz + encryptedOutSz,
+                                  encContentSeq);
+
+    /* optional UnprotectedAttributes */
+    if (pkcs7->unprotectedAttribsSz != 0) {
+
+        if (pkcs7->unprotectedAttribs == NULL) {
+            XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return BAD_FUNC_ARG;
         }
-        
-#ifdef WOLFSSL_SMALL_STACK
-        serialNum = (mp_int*)XMALLOC(sizeof(mp_int), NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-        if (serialNum == NULL) {
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+        attribs = (EncodedAttrib*)XMALLOC(
+                sizeof(EncodedAttrib) * pkcs7->unprotectedAttribsSz,
+                pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (attribs == NULL) {
+            XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
             return MEMORY_E;
         }
-#endif
-        
-        if (GetInt(serialNum, pkiMsg, &idx, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(serialNum,    NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;
+
+        attribsCount = pkcs7->unprotectedAttribsSz;
+        attribsSz = EncodeAttributes(attribs, pkcs7->unprotectedAttribsSz,
+                                     pkcs7->unprotectedAttribs,
+                                     pkcs7->unprotectedAttribsSz);
+
+        flatAttribs = (byte*)XMALLOC(attribsSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        if (flatAttribs == NULL) {
+            XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            return MEMORY_E;
         }
-        
-        mp_clear(serialNum);
-        
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(serialNum, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        
-        if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ASN_PARSE_E;
+
+        FlattenAttributes(pkcs7, flatAttribs, attribs, attribsCount);
+        attribsSetSz = SetImplicit(ASN_SET, 1, attribsSz, attribSet);
+
+    } else {
+        attribsSz = 0;
+        attribsSetSz = 0;
+    }
+
+    /* keep track of sizes for outer wrapper layering */
+    totalSz = verSz + encContentSeqSz + contentTypeSz + contentEncAlgoSz +
+              ivOctetStringSz + blockSz + encContentOctetSz + encryptedOutSz +
+              attribsSz + attribsSetSz;
+
+    /* EncryptedData */
+    encDataSeqSz = SetSequence(totalSz, encDataSeq);
+    totalSz += encDataSeqSz;
+
+    if (pkcs7->version != 3) {
+        /* outer content */
+        outerContentSz = SetExplicit(0, totalSz, outerContent);
+        totalSz += outerContentTypeSz;
+        totalSz += outerContentSz;
+        /* ContentInfo */
+        contentInfoSeqSz = SetSequence(totalSz, contentInfoSeq);
+        totalSz += contentInfoSeqSz;
+    } else {
+        contentInfoSeqSz = 0;
+        outerContentSz = 0;
+    }
+
+    if (totalSz > (int)outputSz) {
+        WOLFSSL_MSG("PKCS#7 output buffer too small");
+        if (pkcs7->unprotectedAttribsSz != 0) {
+            XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+            XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         }
-        
-        /* key encryption algorithm must be RSA for now */
-        if (encOID != RSAk) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BUFFER_E;
+    }
+
+    XMEMCPY(output + idx, contentInfoSeq, contentInfoSeqSz);
+    idx += contentInfoSeqSz;
+    XMEMCPY(output + idx, outerContentType, outerContentTypeSz);
+    idx += outerContentTypeSz;
+    XMEMCPY(output + idx, outerContent, outerContentSz);
+    idx += outerContentSz;
+    XMEMCPY(output + idx, encDataSeq, encDataSeqSz);
+    idx += encDataSeqSz;
+    XMEMCPY(output + idx, ver, verSz);
+    idx += verSz;
+    XMEMCPY(output + idx, encContentSeq, encContentSeqSz);
+    idx += encContentSeqSz;
+    XMEMCPY(output + idx, contentType, contentTypeSz);
+    idx += contentTypeSz;
+    XMEMCPY(output + idx, contentEncAlgo, contentEncAlgoSz);
+    idx += contentEncAlgoSz;
+    XMEMCPY(output + idx, ivOctetString, ivOctetStringSz);
+    idx += ivOctetStringSz;
+    XMEMCPY(output + idx, tmpIv, blockSz);
+    idx += blockSz;
+    XMEMCPY(output + idx, encContentOctet, encContentOctetSz);
+    idx += encContentOctetSz;
+    XMEMCPY(output + idx, encryptedContent, encryptedOutSz);
+    idx += encryptedOutSz;
+
+    if (pkcs7->unprotectedAttribsSz != 0) {
+        XMEMCPY(output + idx, attribSet, attribsSetSz);
+        idx += attribsSetSz;
+        XMEMCPY(output + idx, flatAttribs, attribsSz);
+        idx += attribsSz;
+        XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    }
+
+    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    return idx;
+}
+
+
+/* decode and store unprotected attributes in PKCS7->decodedAttrib. Return
+ * 0 on success, negative on error. User must call wc_PKCS7_Free(). */
+static int wc_PKCS7_DecodeUnprotectedAttributes(PKCS7* pkcs7, byte* pkiMsg,
+                                             word32 pkiMsgSz, word32* inOutIdx)
+{
+    int ret, attribLen;
+    word32 idx;
+    byte tag;
+
+    if (pkcs7 == NULL || pkiMsg == NULL ||
+        pkiMsgSz == 0 || inOutIdx == NULL)
+        return BAD_FUNC_ARG;
+
+    idx = *inOutIdx;
+
+    if (GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, &idx, &attribLen, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* loop through attributes */
+    if ((ret = wc_PKCS7_ParseAttribs(pkcs7, pkiMsg + idx, attribLen)) < 0) {
+        return ret;
+    }
+
+    *inOutIdx = idx;
+
+    return 0;
+}
+
+
+/* unwrap and decrypt PKCS#7/CMS encrypted-data object, returned decoded size */
+int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz,
+                                 byte* output, word32 outputSz)
+{
+    int ret = 0, version, length = 0, haveAttribs = 0;
+    word32 idx = 0;
+
+#ifndef NO_PKCS7_STREAM
+    word32 tmpIdx = 0;
+    long rc;
 #endif
-            return ALGO_ID_E;
+    word32 contentType, encOID;
+
+    int expBlockSz = 0;
+    byte tmpIvBuf[MAX_CONTENT_IV_SIZE];
+    byte *tmpIv = tmpIvBuf;
+
+    int encryptedContentSz = 0;
+    byte padLen;
+    byte* encryptedContent = NULL;
+
+    byte* pkiMsg = in;
+    word32 pkiMsgSz = inSz;
+    byte  tag;
+
+    if (pkcs7 == NULL ||
+            ((pkcs7->encryptionKey == NULL || pkcs7->encryptionKeySz == 0) &&
+              pkcs7->decryptionCb == NULL))
+        return BAD_FUNC_ARG;
+
+    if (pkiMsg == NULL || pkiMsgSz == 0 ||
+        output == NULL || outputSz == 0)
+        return BAD_FUNC_ARG;
+
+#ifndef NO_PKCS7_STREAM
+    (void)tmpIv; /* help out static analysis */
+    if (pkcs7->stream == NULL) {
+        if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) {
+            return ret;
         }
-        
-        /* read encryptedKey */
-        if (pkiMsg[idx++] != ASN_OCTET_STRING) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 #endif
-            return ASN_PARSE_E;
-        }
-        
-        if (GetLength(pkiMsg, &idx, &encryptedKeySz, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    switch (pkcs7->state) {
+        case WC_PKCS7_START:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
+                            MAX_ALGO_SZ, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            rc  = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
 #endif
-            return ASN_PARSE_E;
-        }
-          
-        if (recipFound == 1)
-            XMEMCPY(encryptedKey, &pkiMsg[idx], encryptedKeySz);
-        idx += encryptedKeySz;
 
-        /* update good idx */
-        savedIdx = idx;
-    }
+            if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
 
-    if (recipFound == 0) {
-        WOLFSSL_MSG("No recipient found in envelopedData that matches input");
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (pkcs7->version != 3) { /* ContentInfo not in firmware bundles */
+                /* read past ContentInfo, verify type is encrypted-data */
+                if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType,
+                            pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && contentType != ENCRYPTED_DATA) {
+                    WOLFSSL_MSG("PKCS#7 input not of type EncryptedData");
+                    ret = PKCS7_OID_E;
+                }
+            }
+            if (ret != 0) break;
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
 #endif
-        return PKCS7_RECIP_E;
-    }
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_STAGE2);
+            FALL_THROUGH;
+            /* end of stage 1 */
+
+        case WC_PKCS7_STAGE2:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            MAX_LENGTH_SZ + MAX_SEQ_SZ + ASN_TAG_SZ, &pkiMsg,
+                            &idx)) != 0) {
+                return ret;
+            }
 
-    /* remove EncryptedContentInfo */
-    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
 #endif
-        return ASN_PARSE_E;
-    }
-    
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (pkcs7->version != 3) {
+                if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+                if (ret == 0 && tag !=
+                        (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+                    ret = ASN_PARSE_E;
+
+                if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+
+                /* remove EncryptedData and version */
+                if (ret == 0 && GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                    ret = ASN_PARSE_E;
+            }
+
+            if (ret != 0) break;
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
 #endif
-        return ASN_PARSE_E;
-    }
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_STAGE3);
+            FALL_THROUGH;
+            /* end of stage 2 */
+
+       case WC_PKCS7_STAGE3:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            MAX_VERSION_SZ + MAX_SEQ_SZ + MAX_ALGO_SZ * 2,
+                            &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
 
-    if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
 #endif
-        return ASN_PARSE_E;
-    }
-    
-    /* get block cipher IV, stored in OPTIONAL parameter of AlgoID */
-    if (pkiMsg[idx++] != ASN_OCTET_STRING) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            /* get version, check later */
+            haveAttribs = 0;
+            if (ret == 0 && GetMyVersion(pkiMsg, &idx, &version, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            /* remove EncryptedContentInfo */
+            if (ret == 0 && GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType,
+                        pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && (ret = GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType,
+                        pkiMsgSz)) < 0)
+                ret = ASN_PARSE_E;
+            if (ret == 0 && (expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID)) < 0)
+                ret = expBlockSz;
+
+            if (ret != 0) break;
+#ifndef NO_PKCS7_STREAM
+            /* store expBlockSz for later */
+            pkcs7->stream->varOne = expBlockSz;
+            pkcs7->stream->varTwo = encOID;
+
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+
+            /* store version for later */
+            pkcs7->stream->vers = version;
 #endif
-        return ASN_PARSE_E;
-    }
-    
-    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_STAGE4);
+            FALL_THROUGH;
+            /* end of stage 3 */
+
+        /* get block cipher IV, stored in OPTIONAL parameter of AlgoID */
+       case WC_PKCS7_STAGE4:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            ASN_TAG_SZ + MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            /* restore saved variables */
+            expBlockSz = pkcs7->stream->varOne;
 #endif
-        return ASN_PARSE_E;
-    }
-    
-    if (length != DES_BLOCK_SIZE) {
-        WOLFSSL_MSG("Incorrect IV length, must be of DES_BLOCK_SIZE");
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+            if (ret == 0 && tag != ASN_OCTET_STRING)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && length != expBlockSz) {
+                WOLFSSL_MSG("Incorrect IV length, must be of content alg block size");
+                ret = ASN_PARSE_E;
+            }
+
+            if (ret != 0) break;
+#ifndef NO_PKCS7_STREAM
+            /* next chunk of data expected should have the IV */
+            pkcs7->stream->expected = length;
+
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
 #endif
-        return ASN_PARSE_E;
-    }
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_STAGE5);
+            FALL_THROUGH;
+            /* end of stage 4 */
+
+       case WC_PKCS7_STAGE5:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected + ASN_TAG_SZ +
+                            MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
 
-    XMEMCPY(tmpIv, &pkiMsg[idx], length);
-    idx += length;
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
 
-    /* read encryptedContent, cont[0] */
-    if (pkiMsg[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            /* use IV buffer from stream structure */
+            tmpIv  = pkcs7->stream->tmpIv;
+            length = pkcs7->stream->expected;
 #endif
-        return ASN_PARSE_E;
-    }
+            XMEMCPY(tmpIv, &pkiMsg[idx], length);
+            idx += length;
+            /* read encryptedContent, cont[0] */
+            if (ret == 0 && GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+                ret = ASN_PARSE_E;
+            if (ret == 0 && tag != (ASN_CONTEXT_SPECIFIC | 0))
+                ret = ASN_PARSE_E;
+
+            if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz,
+                        pkiMsgSz) <= 0)
+                ret = ASN_PARSE_E;
+
+            if (ret < 0)
+                break;
+#ifndef NO_PKCS7_STREAM
+            /* next chunk of data should contain encrypted content */
+            pkcs7->stream->varThree = encryptedContentSz;
+            if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
+                break;
+            }
+
+            if (pkcs7->stream->totalRd +  encryptedContentSz < pkiMsgSz) {
+                pkcs7->stream->flagOne = 1;
+            }
+
+            pkcs7->stream->expected = (pkcs7->stream->maxLen -
+                pkcs7->stream->totalRd) + pkcs7->stream->length;
 
-    if (GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) < 0) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-        return ASN_PARSE_E;
-    }
-    
-    encryptedContent = (byte*)XMALLOC(encryptedContentSz, NULL,
-                                                       DYNAMIC_TYPE_TMP_BUFFER);
-    if (encryptedContent == NULL) {
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_STAGE6);
+            FALL_THROUGH;
+            /* end of stage 5 */
+
+        case WC_PKCS7_STAGE6:
+#ifndef NO_PKCS7_STREAM
+            if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
+                            pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
+                return ret;
+            }
+
+            rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
+                    inSz);
+            if (rc < 0) {
+                ret = (int)rc;
+                break;
+            }
+            pkiMsgSz = (word32)rc;
+
+            /* restore saved variables */
+            expBlockSz = pkcs7->stream->varOne;
+            encOID     = pkcs7->stream->varTwo;
+            encryptedContentSz = pkcs7->stream->varThree;
+            version    = pkcs7->stream->vers;
+            tmpIv      = pkcs7->stream->tmpIv;
+#else
+            encOID = 0;
 #endif
-        return MEMORY_E;
-    }
+            if (ret == 0 && (encryptedContent = (byte*)XMALLOC(
+                encryptedContentSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7)) == NULL) {
+                ret = MEMORY_E;
+                break;
+            }
 
-    XMEMCPY(encryptedContent, &pkiMsg[idx], encryptedContentSz);
+            if (ret == 0) {
+                XMEMCPY(encryptedContent, &pkiMsg[idx], encryptedContentSz);
+                idx += encryptedContentSz;
+
+                /* decrypt encryptedContent */
+                ret = wc_PKCS7_DecryptContent(pkcs7, encOID,
+                            pkcs7->encryptionKey, pkcs7->encryptionKeySz, tmpIv,
+                            expBlockSz, NULL, 0, NULL, 0, encryptedContent,
+                            encryptedContentSz, encryptedContent);
+                if (ret != 0) {
+                    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                }
+            }
 
-    /* load private key */
-#ifdef WOLFSSL_SMALL_STACK
-    privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (privKey == NULL) {
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(encryptedKey,     NULL, DYNAMIC_TYPE_TMP_BUFFER);        return MEMORY_E;
+            if (ret == 0) {
+                padLen = encryptedContent[encryptedContentSz-1];
+
+                if (padLen > encryptedContentSz) {
+                    WOLFSSL_MSG("Bad padding size found");
+                    ret = BUFFER_E;
+                    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                    break;
+                }
+
+                /* copy plaintext to output */
+                XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
+
+                /* get implicit[1] unprotected attributes, optional */
+                wc_PKCS7_FreeDecodedAttrib(pkcs7->decodedAttrib, pkcs7->heap);
+                pkcs7->decodedAttrib = NULL;
+            #ifndef NO_PKCS7_STREAM
+                if (pkcs7->stream->flagOne)
+            #else
+                if (idx < pkiMsgSz)
+            #endif
+                {
+                    haveAttribs = 1;
+
+                    ret = wc_PKCS7_DecodeUnprotectedAttributes(pkcs7, pkiMsg,
+                                                       pkiMsgSz, &idx);
+                    if (ret != 0) {
+                        ForceZero(encryptedContent, encryptedContentSz);
+                        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                        ret = ASN_PARSE_E;
+                    }
+                }
+            }
+
+            if (ret == 0) {
+                ForceZero(encryptedContent, encryptedContentSz);
+                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+                /* go back and check the version now that attribs have been processed */
+                if (pkcs7->version == 3 && version != 0) {
+                    WOLFSSL_MSG("Wrong PKCS#7 FirmwareEncryptedData version");
+                    return ASN_VERSION_E;
+                }
+
+                if (pkcs7->version != 3 &&
+                   ((haveAttribs == 0 && version != 0) ||
+                    (haveAttribs == 1 && version != 2))) {
+                    WOLFSSL_MSG("Wrong PKCS#7 EncryptedData version");
+                    return ASN_VERSION_E;
+                }
+                ret = encryptedContentSz - padLen;
+            }
+
+            if (ret != 0) break;
+        #ifndef NO_PKCS7_STREAM
+            wc_PKCS7_ResetStream(pkcs7);
+        #endif
+            wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
+            break;
+
+        default:
+            WOLFSSL_MSG("Error in unknown PKCS#7 Decode Encrypted Data state");
+            return BAD_STATE_E;
     }
-#endif
 
-    ret = wc_InitRsaKey(privKey, 0);
     if (ret != 0) {
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(privKey,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        return ret;
+    #ifndef NO_PKCS7_STREAM
+        /* restart in error case */
+        wc_PKCS7_ResetStream(pkcs7);
+    #endif
+        wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
     }
+    return ret;
+}
 
-    idx = 0;
 
-    ret = wc_RsaPrivateKeyDecode(pkcs7->privateKey, &idx, privKey,
-                              pkcs7->privateKeySz);
-    if (ret != 0) {
-        WOLFSSL_MSG("Failed to decode RSA private key");
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(privKey,      NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+/* Function to set callback during decryption, this overrides the default
+ * decryption function and can be used for choosing a key at run time based
+ * on the parsed bundle so far.
+ * returns 0 on success
+ */
+int wc_PKCS7_SetDecodeEncryptedCb(PKCS7* pkcs7,
+        CallbackDecryptContent decryptionCb)
+{
+    if (pkcs7 != NULL) {
+        pkcs7->decryptionCb = decryptionCb;
+    }
+    return 0;
+}
+
+
+/* Set an optional user context that gets passed to callback
+ * returns 0 on success
+ */
+int wc_PKCS7_SetDecodeEncryptedCtx(PKCS7* pkcs7, void* ctx)
+{
+    if (pkcs7 != NULL) {
+        pkcs7->decryptionCtx = ctx;
+    }
+    return 0;
+}
+#endif /* NO_PKCS7_ENCRYPTED_DATA */
+
+#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+
+/* build PKCS#7 compressedData content type, return encrypted size */
+int wc_PKCS7_EncodeCompressedData(PKCS7* pkcs7, byte* output, word32 outputSz)
+{
+    byte contentInfoSeq[MAX_SEQ_SZ];
+    byte contentInfoTypeOid[MAX_OID_SZ];
+    byte contentInfoContentSeq[MAX_SEQ_SZ]; /* EXPLICIT [0] */
+    byte compressedDataSeq[MAX_SEQ_SZ];
+    byte cmsVersion[MAX_VERSION_SZ];
+    byte compressAlgId[MAX_ALGO_SZ];
+    byte encapContentInfoSeq[MAX_SEQ_SZ];
+    byte contentTypeOid[MAX_OID_SZ];
+    byte contentSeq[MAX_SEQ_SZ];            /* EXPLICIT [0] */
+    byte contentOctetStr[MAX_OCTET_STR_SZ];
+
+    int ret;
+    word32 totalSz, idx;
+    word32 contentInfoSeqSz, contentInfoContentSeqSz, contentInfoTypeOidSz;
+    word32 compressedDataSeqSz, cmsVersionSz, compressAlgIdSz;
+    word32 encapContentInfoSeqSz, contentTypeOidSz, contentSeqSz;
+    word32 contentOctetStrSz;
+
+    byte* compressed;
+    word32 compressedSz;
+
+    if (pkcs7 == NULL || pkcs7->content == NULL || pkcs7->contentSz == 0 ||
+        output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* allocate space for compressed content. The libz code says the compressed
+     * buffer should be srcSz + 0.1% + 12. */
+    compressedSz = (pkcs7->contentSz + (word32)(pkcs7->contentSz * 0.001) + 12);
+    compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (compressed == NULL) {
+        WOLFSSL_MSG("Error allocating memory for CMS compressed content");
+        return MEMORY_E;
+    }
+
+    /* compress content */
+    ret = wc_Compress(compressed, compressedSz, pkcs7->content,
+                      pkcs7->contentSz, 0);
+    if (ret < 0) {
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ret;
     }
+    compressedSz = (word32)ret;
 
-    /* decrypt encryptedKey */
-    keySz = wc_RsaPrivateDecryptInline(encryptedKey, encryptedKeySz,
-                                    &decryptedKey, privKey);
-    wc_FreeRsaKey(privKey);
+    /* eContent OCTET STRING, working backwards */
+    contentOctetStrSz = SetOctetString(compressedSz, contentOctetStr);
+    totalSz = contentOctetStrSz + compressedSz;
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    /* EXPLICIT [0] eContentType */
+    contentSeqSz = SetExplicit(0, totalSz, contentSeq);
+    totalSz += contentSeqSz;
 
-    if (keySz <= 0) {
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        return keySz;
+    /* eContentType OBJECT IDENTIFIER */
+    ret = wc_SetContentType(pkcs7->contentOID, contentTypeOid,
+                            sizeof(contentTypeOid));
+    if (ret < 0) {
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
     }
 
-    /* decrypt encryptedContent */
-    if (encOID == DESb) {
-        Des des;
-        ret = wc_Des_SetKey(&des, decryptedKey, tmpIv, DES_DECRYPTION);
+    contentTypeOidSz = ret;
+    totalSz += contentTypeOidSz;
 
-        if (ret == 0)
-            wc_Des_CbcDecrypt(&des, encryptedContent, encryptedContent,
-                                 encryptedContentSz);
+    /* EncapsulatedContentInfo SEQUENCE */
+    encapContentInfoSeqSz = SetSequence(totalSz, encapContentInfoSeq);
+    totalSz += encapContentInfoSeqSz;
 
-        if (ret != 0) {
-            XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    /* compressionAlgorithm AlgorithmIdentifier */
+    /* Only supports zlib for compression currently:
+     * id-alg-zlibCompress (1.2.840.113549.1.9.16.3.8) */
+    compressAlgIdSz = SetAlgoID(ZLIBc, compressAlgId, oidCompressType, 0);
+    totalSz += compressAlgIdSz;
+
+    /* version */
+    cmsVersionSz = SetMyVersion(0, cmsVersion, 0);
+    totalSz += cmsVersionSz;
+
+    /* CompressedData SEQUENCE */
+    compressedDataSeqSz = SetSequence(totalSz, compressedDataSeq);
+    totalSz += compressedDataSeqSz;
+
+    /* ContentInfo content EXPLICIT SEQUENCE */
+    contentInfoContentSeqSz = SetExplicit(0, totalSz, contentInfoContentSeq);
+    totalSz += contentInfoContentSeqSz;
+
+    /* ContentInfo ContentType (compressedData) */
+    if (pkcs7->version == 3) {
+        contentInfoTypeOidSz = 0;
+    }
+    else {
+        ret = wc_SetContentType(COMPRESSED_DATA, contentInfoTypeOid,
+                                sizeof(contentInfoTypeOid));
+        if (ret < 0) {
+            XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
             return ret;
         }
+
+        contentInfoTypeOidSz = ret;
+        totalSz += contentInfoTypeOidSz;
     }
-    else if (encOID == DES3b) {
-        Des3 des;
-        ret = wc_Des3_SetKey(&des, decryptedKey, tmpIv, DES_DECRYPTION);
-        if (ret == 0)
-            ret = wc_Des3_CbcDecrypt(&des, encryptedContent, encryptedContent,
-                                  encryptedContentSz);
 
-        if (ret != 0) {
-            XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-            XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-            return ret;
-        }
-    } else {
-        WOLFSSL_MSG("Unsupported content encryption OID type");
-        XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-        return ALGO_ID_E;
+    /* ContentInfo SEQUENCE */
+    contentInfoSeqSz = SetSequence(totalSz, contentInfoSeq);
+    totalSz += contentInfoSeqSz;
+
+    if (outputSz < totalSz) {
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BUFFER_E;
     }
 
-    padLen = encryptedContent[encryptedContentSz-1];
+    idx = 0;
+    XMEMCPY(output + idx, contentInfoSeq, contentInfoSeqSz);
+    idx += contentInfoSeqSz;
+    XMEMCPY(output + idx, contentInfoTypeOid, contentInfoTypeOidSz);
+    idx += contentInfoTypeOidSz;
+    XMEMCPY(output + idx, contentInfoContentSeq, contentInfoContentSeqSz);
+    idx += contentInfoContentSeqSz;
+    XMEMCPY(output + idx, compressedDataSeq, compressedDataSeqSz);
+    idx += compressedDataSeqSz;
+    XMEMCPY(output + idx, cmsVersion, cmsVersionSz);
+    idx += cmsVersionSz;
+    XMEMCPY(output + idx, compressAlgId, compressAlgIdSz);
+    idx += compressAlgIdSz;
+    XMEMCPY(output + idx, encapContentInfoSeq, encapContentInfoSeqSz);
+    idx += encapContentInfoSeqSz;
+    XMEMCPY(output + idx, contentTypeOid, contentTypeOidSz);
+    idx += contentTypeOidSz;
+    XMEMCPY(output + idx, contentSeq, contentSeqSz);
+    idx += contentSeqSz;
+    XMEMCPY(output + idx, contentOctetStr, contentOctetStrSz);
+    idx += contentOctetStrSz;
+    XMEMCPY(output + idx, compressed, compressedSz);
+    idx += compressedSz;
+
+    XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
 
-    /* copy plaintext to output */
-    XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
+    return idx;
+}
 
-    /* free memory, zero out keys */
-    ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ);
-    ForceZero(encryptedContent, encryptedContentSz);
-    XFREE(encryptedContent, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-    
-    return encryptedContentSz - padLen;
+/* unwrap and decompress PKCS#7/CMS compressedData object,
+ * returned decoded size */
+int wc_PKCS7_DecodeCompressedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
+                                  byte* output, word32 outputSz)
+{
+    int length, version, ret;
+    word32 idx = 0, algOID, contentType;
+    byte tag;
+
+    byte* decompressed;
+    word32 decompressedSz;
+
+    if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0 ||
+        output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* get ContentInfo SEQUENCE */
+    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (pkcs7->version != 3) {
+        /* get ContentInfo contentType */
+        if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
+            return ASN_PARSE_E;
+
+        if (contentType != COMPRESSED_DATA)
+            return ASN_PARSE_E;
+    }
+
+    /* get ContentInfo content EXPLICIT SEQUENCE */
+    if (GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* get CompressedData SEQUENCE */
+    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* get version */
+    if (GetMyVersion(pkiMsg, &idx, &version, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (version != 0) {
+        WOLFSSL_MSG("CMS CompressedData version MUST be 0, but is not");
+        return ASN_PARSE_E;
+    }
+
+    /* get CompressionAlgorithmIdentifier */
+    if (GetAlgoId(pkiMsg, &idx, &algOID, oidIgnoreType, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* Only supports zlib for compression currently:
+     * id-alg-zlibCompress (1.2.840.113549.1.9.16.3.8) */
+    if (algOID != ZLIBc) {
+        WOLFSSL_MSG("CMS CompressedData only supports zlib algorithm");
+        return ASN_PARSE_E;
+    }
+
+    /* get EncapsulatedContentInfo SEQUENCE */
+    if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* get ContentType OID */
+    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    pkcs7->contentOID = contentType;
+
+    /* get eContent EXPLICIT SEQUENCE */
+    if (GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* get content OCTET STRING */
+    if (GetASNTag(pkiMsg, &idx, &tag, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    if (tag != ASN_OCTET_STRING)
+        return ASN_PARSE_E;
+
+    if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
+        return ASN_PARSE_E;
+
+    /* allocate space for decompressed data */
+    decompressed = (byte*)XMALLOC(length, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (decompressed == NULL) {
+        WOLFSSL_MSG("Error allocating memory for CMS decompression buffer");
+        return MEMORY_E;
+    }
+
+    /* decompress content */
+    ret = wc_DeCompress(decompressed, length, &pkiMsg[idx], length);
+    if (ret < 0) {
+        XFREE(decompressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+    decompressedSz = (word32)ret;
+
+    /* get content */
+    if (outputSz < decompressedSz) {
+        WOLFSSL_MSG("CMS output buffer too small to hold decompressed data");
+        XFREE(decompressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return BUFFER_E;
+    }
+
+    XMEMCPY(output, decompressed, decompressedSz);
+    XFREE(decompressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+
+    return decompressedSz;
 }
 
+#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
 #else  /* HAVE_PKCS7 */
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305.c
index 3cc86e1bb..651664884 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305.c
@@ -1,8 +1,8 @@
 /* poly1305.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,12 +16,15 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- *
- * Based off the public domain implementations by Andrew Moon 
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/*
+ * Based off the public domain implementations by Andrew Moon
  * and Daniel J. Bernstein
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -32,9 +35,11 @@
 #include <wolfssl/wolfcrypt/poly1305.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 #ifdef CHACHA_AEAD_TEST
@@ -46,222 +51,354 @@
     #pragma warning(disable: 4127)
 #endif
 
-#if defined(POLY130564)
-	
-	#if defined(_MSC_VER)
-		#define POLY1305_NOINLINE __declspec(noinline)
-	#elif defined(__GNUC__)
-		#define POLY1305_NOINLINE __attribute__((noinline))
-	#else
-		#define POLY1305_NOINLINE
-	#endif
-	
-	#if defined(_MSC_VER)
-	    #include <intrin.h>
-		
-	    typedef struct word128 {
-			word64 lo;
-			word64 hi;
-		} word128;
-	
-		#define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi)
-		#define ADD(out, in) { word64 t = out.lo; out.lo += in.lo;
-	                           out.hi += (out.lo < t) + in.hi; }
-		#define ADDLO(out, in) { word64 t = out.lo; out.lo += in;
-	                             out.hi += (out.lo < t); }
-		#define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift)))
-		#define LO(in) (in.lo)
-	
-	#elif defined(__GNUC__)
-		#if defined(__SIZEOF_INT128__)
-			typedef unsigned __int128 word128;
-		#else
-			typedef unsigned word128 __attribute__((mode(TI)));
-		#endif
-	
-		#define MUL(out, x, y) out = ((word128)x * y)
-		#define ADD(out, in) out += in
-		#define ADDLO(out, in) out += in
-		#define SHR(in, shift) (word64)(in >> (shift))
-		#define LO(in) (word64)(in)
-	#endif
-	
-	static word64 U8TO64(const byte* p) {
-		return
-			(((word64)(p[0] & 0xff)      ) |
-		     ((word64)(p[1] & 0xff) <<  8) |
-	         ((word64)(p[2] & 0xff) << 16) |
-	         ((word64)(p[3] & 0xff) << 24) |
-			 ((word64)(p[4] & 0xff) << 32) |
-			 ((word64)(p[5] & 0xff) << 40) |
-			 ((word64)(p[6] & 0xff) << 48) |
-			 ((word64)(p[7] & 0xff) << 56));
-	}
-	
-	static void U64TO8(byte* p, word64 v) {
-		p[0] = (v      ) & 0xff;
-		p[1] = (v >>  8) & 0xff;
-		p[2] = (v >> 16) & 0xff;
-		p[3] = (v >> 24) & 0xff;
-		p[4] = (v >> 32) & 0xff;
-		p[5] = (v >> 40) & 0xff;
-		p[6] = (v >> 48) & 0xff;
-		p[7] = (v >> 56) & 0xff;
-	}
+#ifdef USE_INTEL_SPEEDUP
+    #include <emmintrin.h>
+    #include <immintrin.h>
+
+    #if defined(__GNUC__) && ((__GNUC__ < 4) || \
+                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
+        #undef  NO_AVX2_SUPPORT
+        #define NO_AVX2_SUPPORT
+    #endif
+    #if defined(__clang__) && ((__clang_major__ < 3) || \
+                               (__clang_major__ == 3 && __clang_minor__ <= 5))
+        #define NO_AVX2_SUPPORT
+    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
+        #undef NO_AVX2_SUPPORT
+    #endif
+
+    #define HAVE_INTEL_AVX1
+    #ifndef NO_AVX2_SUPPORT
+        #define HAVE_INTEL_AVX2
+    #endif
+#endif
 
-#else /* if not 64 bit then use 32 bit */
-	
-	static word32 U8TO32(const byte *p) {
-		return
-			(((word32)(p[0] & 0xff)      ) |
-		     ((word32)(p[1] & 0xff) <<  8) |
-	         ((word32)(p[2] & 0xff) << 16) |
-	         ((word32)(p[3] & 0xff) << 24));
-	}
-	
-	static void U32TO8(byte *p, word32 v) {
-		p[0] = (v      ) & 0xff;
-		p[1] = (v >>  8) & 0xff;
-		p[2] = (v >> 16) & 0xff;
-		p[3] = (v >> 24) & 0xff;
-	}
+#ifdef USE_INTEL_SPEEDUP
+static word32 intel_flags = 0;
+static word32 cpu_flags_set = 0;
 #endif
 
-static void poly1305_blocks(Poly1305* ctx, const unsigned char *m,
-                            size_t bytes) {
+#if defined(USE_INTEL_SPEEDUP) || defined(POLY130564)
+    #if defined(_MSC_VER)
+        #define POLY1305_NOINLINE __declspec(noinline)
+    #elif defined(__GNUC__)
+        #define POLY1305_NOINLINE __attribute__((noinline))
+    #else
+        #define POLY1305_NOINLINE
+    #endif
+
+    #if defined(_MSC_VER)
+        #include <intrin.h>
+
+        typedef struct word128 {
+            word64 lo;
+            word64 hi;
+        } word128;
+
+        #define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi)
+        #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; \
+                               out.hi += (out.lo < t) + in.hi; }
+        #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; \
+                                 out.hi += (out.lo < t); }
+        #define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift)))
+        #define LO(in) (in.lo)
+
+    #elif defined(__GNUC__)
+        #if defined(__SIZEOF_INT128__)
+            typedef unsigned __int128 word128;
+        #else
+            typedef unsigned word128 __attribute__((mode(TI)));
+        #endif
+
+        #define MUL(out, x, y) out = ((word128)x * y)
+        #define ADD(out, in) out += in
+        #define ADDLO(out, in) out += in
+        #define SHR(in, shift) (word64)(in >> (shift))
+        #define LO(in) (word64)(in)
+    #endif
+#endif
 
-#ifdef POLY130564
+#ifdef USE_INTEL_SPEEDUP
+#ifdef __cplusplus
+    extern "C" {
+#endif
 
-	const word64 hibit = (ctx->final) ? 0 : ((word64)1 << 40); /* 1 << 128 */
-	word64 r0,r1,r2;
-	word64 s1,s2;
-	word64 h0,h1,h2;
-	word64 c;
-	word128 d0,d1,d2,d;
+#ifdef HAVE_INTEL_AVX1
+/* Process one block (16 bytes) of data.
+ *
+ * ctx  Poly1305 context.
+ * m    One block of message data.
+ */
+extern void poly1305_block_avx(Poly1305* ctx, const unsigned char *m);
+/* Process multiple blocks (n * 16 bytes) of data.
+ *
+ * ctx    Poly1305 context.
+ * m      Blocks of message data.
+ * bytes  The number of bytes to process.
+ */
+extern void poly1305_blocks_avx(Poly1305* ctx, const unsigned char* m,
+                                size_t bytes);
+/* Set the key to use when processing data.
+ * Initialize the context.
+ *
+ * ctx  Poly1305 context.
+ * key  The key data (16 bytes).
+ */
+extern void poly1305_setkey_avx(Poly1305* ctx, const byte* key);
+/* Calculate the final result - authentication data.
+ * Zeros out the private data in the context.
+ *
+ * ctx  Poly1305 context.
+ * mac  Buffer to hold 16 bytes.
+ */
+extern void poly1305_final_avx(Poly1305* ctx, byte* mac);
+#endif
 
-#else
+#ifdef HAVE_INTEL_AVX2
+/* Process multiple blocks (n * 16 bytes) of data.
+ *
+ * ctx    Poly1305 context.
+ * m      Blocks of message data.
+ * bytes  The number of bytes to process.
+ */
+extern void poly1305_blocks_avx2(Poly1305* ctx, const unsigned char* m,
+                                 size_t bytes);
+/* Calculate R^1, R^2, R^3 and R^4 and store them in the context.
+ *
+ * ctx    Poly1305 context.
+ */
+extern void poly1305_calc_powers_avx2(Poly1305* ctx);
+/* Set the key to use when processing data.
+ * Initialize the context.
+ * Calls AVX set key function as final function calls AVX code.
+ *
+ * ctx  Poly1305 context.
+ * key  The key data (16 bytes).
+ */
+extern void poly1305_setkey_avx2(Poly1305* ctx, const byte* key);
+/* Calculate the final result - authentication data.
+ * Zeros out the private data in the context.
+ * Calls AVX final function to quickly process last blocks.
+ *
+ * ctx  Poly1305 context.
+ * mac  Buffer to hold 16 bytes - authentication data.
+ */
+extern void poly1305_final_avx2(Poly1305* ctx, byte* mac);
+#endif
 
-    const word32 hibit = (ctx->final) ? 0 : (1 << 24); /* 1 << 128 */
-	word32 r0,r1,r2,r3,r4;
-	word32 s1,s2,s3,s4;
-	word32 h0,h1,h2,h3,h4;
-	word64 d0,d1,d2,d3,d4;
-	word32 c;
+#ifdef __cplusplus
+    }  /* extern "C" */
+#endif
+
+#elif defined(POLY130564)
+#ifndef WOLFSSL_ARMASM
+    static word64 U8TO64(const byte* p)
+    {
+        return
+            (((word64)(p[0] & 0xff)      ) |
+             ((word64)(p[1] & 0xff) <<  8) |
+             ((word64)(p[2] & 0xff) << 16) |
+             ((word64)(p[3] & 0xff) << 24) |
+             ((word64)(p[4] & 0xff) << 32) |
+             ((word64)(p[5] & 0xff) << 40) |
+             ((word64)(p[6] & 0xff) << 48) |
+             ((word64)(p[7] & 0xff) << 56));
+    }
+
+    static void U64TO8(byte* p, word64 v) {
+        p[0] = (v      ) & 0xff;
+        p[1] = (v >>  8) & 0xff;
+        p[2] = (v >> 16) & 0xff;
+        p[3] = (v >> 24) & 0xff;
+        p[4] = (v >> 32) & 0xff;
+        p[5] = (v >> 40) & 0xff;
+        p[6] = (v >> 48) & 0xff;
+        p[7] = (v >> 56) & 0xff;
+    }
+#endif/* WOLFSSL_ARMASM */
+#else /* if not 64 bit then use 32 bit */
+
+    static word32 U8TO32(const byte *p)
+    {
+        return
+            (((word32)(p[0] & 0xff)      ) |
+             ((word32)(p[1] & 0xff) <<  8) |
+             ((word32)(p[2] & 0xff) << 16) |
+             ((word32)(p[3] & 0xff) << 24));
+    }
 
+    static void U32TO8(byte *p, word32 v) {
+        p[0] = (v      ) & 0xff;
+        p[1] = (v >>  8) & 0xff;
+        p[2] = (v >> 16) & 0xff;
+        p[3] = (v >> 24) & 0xff;
+    }
 #endif
 
-#ifdef POLY130564
+/* convert 32-bit unsigned to little endian 64 bit type as byte array */
+static WC_INLINE void u32tole64(const word32 inLe32, byte outLe64[8])
+{
+#ifndef WOLFSSL_X86_64_BUILD
+    outLe64[0] = (byte)(inLe32  & 0x000000FF);
+    outLe64[1] = (byte)((inLe32 & 0x0000FF00) >> 8);
+    outLe64[2] = (byte)((inLe32 & 0x00FF0000) >> 16);
+    outLe64[3] = (byte)((inLe32 & 0xFF000000) >> 24);
+    outLe64[4] = 0;
+    outLe64[5] = 0;
+    outLe64[6] = 0;
+    outLe64[7] = 0;
+#else
+    *(word64*)outLe64 = inLe32;
+#endif
+}
+
+
+#if !defined(WOLFSSL_ARMASM) || !defined(__aarch64__)
+void poly1305_blocks(Poly1305* ctx, const unsigned char *m,
+                     size_t bytes)
+{
+#ifdef USE_INTEL_SPEEDUP
+    /* AVX2 is handled in wc_Poly1305Update. */
+    poly1305_blocks_avx(ctx, m, bytes);
+#elif defined(POLY130564)
+    const word64 hibit = (ctx->finished) ? 0 : ((word64)1 << 40); /* 1 << 128 */
+    word64 r0,r1,r2;
+    word64 s1,s2;
+    word64 h0,h1,h2;
+    word64 c;
+    word128 d0,d1,d2,d;
 
     r0 = ctx->r[0];
-	r1 = ctx->r[1];
-	r2 = ctx->r[2];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
 
-	h0 = ctx->h[0];
-	h1 = ctx->h[1];
-	h2 = ctx->h[2];
+    h0 = ctx->h[0];
+    h1 = ctx->h[1];
+    h2 = ctx->h[2];
 
-	s1 = r1 * (5 << 2);
-	s2 = r2 * (5 << 2);
+    s1 = r1 * (5 << 2);
+    s2 = r2 * (5 << 2);
 
-	while (bytes >= POLY1305_BLOCK_SIZE) {
-		word64 t0,t1;
+    while (bytes >= POLY1305_BLOCK_SIZE) {
+        word64 t0,t1;
 
-		/* h += m[i] */
-		t0 = U8TO64(&m[0]);
-		t1 = U8TO64(&m[8]);
+        /* h += m[i] */
+        t0 = U8TO64(&m[0]);
+        t1 = U8TO64(&m[8]);
 
-		h0 += (( t0                    ) & 0xfffffffffff);
-		h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff);
-		h2 += (((t1 >> 24)             ) & 0x3ffffffffff) | hibit;
+        h0 += (( t0                    ) & 0xfffffffffff);
+        h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff);
+        h2 += (((t1 >> 24)             ) & 0x3ffffffffff) | hibit;
 
-		/* h *= r */
-		MUL(d0, h0, r0); MUL(d, h1, s2); ADD(d0, d); MUL(d, h2, s1); ADD(d0, d);
-		MUL(d1, h0, r1); MUL(d, h1, r0); ADD(d1, d); MUL(d, h2, s2); ADD(d1, d);
-		MUL(d2, h0, r2); MUL(d, h1, r1); ADD(d2, d); MUL(d, h2, r0); ADD(d2, d);
+        /* h *= r */
+        MUL(d0, h0, r0); MUL(d, h1, s2); ADD(d0, d); MUL(d, h2, s1); ADD(d0, d);
+        MUL(d1, h0, r1); MUL(d, h1, r0); ADD(d1, d); MUL(d, h2, s2); ADD(d1, d);
+        MUL(d2, h0, r2); MUL(d, h1, r1); ADD(d2, d); MUL(d, h2, r0); ADD(d2, d);
 
-		/* (partial) h %= p */
-		              c = SHR(d0, 44); h0 = LO(d0) & 0xfffffffffff;
-		ADDLO(d1, c); c = SHR(d1, 44); h1 = LO(d1) & 0xfffffffffff;
-		ADDLO(d2, c); c = SHR(d2, 42); h2 = LO(d2) & 0x3ffffffffff;
-		h0  += c * 5; c = (h0 >> 44);  h0 =    h0  & 0xfffffffffff;
-		h1  += c;
+        /* (partial) h %= p */
+                      c = SHR(d0, 44); h0 = LO(d0) & 0xfffffffffff;
+        ADDLO(d1, c); c = SHR(d1, 44); h1 = LO(d1) & 0xfffffffffff;
+        ADDLO(d2, c); c = SHR(d2, 42); h2 = LO(d2) & 0x3ffffffffff;
+        h0  += c * 5; c = (h0 >> 44);  h0 =    h0  & 0xfffffffffff;
+        h1  += c;
 
-		m += POLY1305_BLOCK_SIZE;
-		bytes -= POLY1305_BLOCK_SIZE;
-	}
+        m += POLY1305_BLOCK_SIZE;
+        bytes -= POLY1305_BLOCK_SIZE;
+    }
 
-	ctx->h[0] = h0;
-	ctx->h[1] = h1;
-	ctx->h[2] = h2;
+    ctx->h[0] = h0;
+    ctx->h[1] = h1;
+    ctx->h[2] = h2;
 
 #else /* if not 64 bit then use 32 bit */
-   
-	r0 = ctx->r[0];
-	r1 = ctx->r[1];
-	r2 = ctx->r[2];
-	r3 = ctx->r[3];
-	r4 = ctx->r[4];
-
-	s1 = r1 * 5;
-	s2 = r2 * 5;
-	s3 = r3 * 5;
-	s4 = r4 * 5;
-
-	h0 = ctx->h[0];
-	h1 = ctx->h[1];
-	h2 = ctx->h[2];
-	h3 = ctx->h[3];
-	h4 = ctx->h[4];
-
-	while (bytes >= POLY1305_BLOCK_SIZE) {
-		/* h += m[i] */
-		h0 += (U8TO32(m+ 0)     ) & 0x3ffffff;
-		h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff;
-		h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff;
-		h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff;
-		h4 += (U8TO32(m+12) >> 8) | hibit;
-
-		/* h *= r */
-		d0 = ((word64)h0 * r0) + ((word64)h1 * s4) + ((word64)h2 * s3) +
+    const word32 hibit = (ctx->finished) ? 0 : ((word32)1 << 24); /* 1 << 128 */
+    word32 r0,r1,r2,r3,r4;
+    word32 s1,s2,s3,s4;
+    word32 h0,h1,h2,h3,h4;
+    word64 d0,d1,d2,d3,d4;
+    word32 c;
+
+
+    r0 = ctx->r[0];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
+    r3 = ctx->r[3];
+    r4 = ctx->r[4];
+
+    s1 = r1 * 5;
+    s2 = r2 * 5;
+    s3 = r3 * 5;
+    s4 = r4 * 5;
+
+    h0 = ctx->h[0];
+    h1 = ctx->h[1];
+    h2 = ctx->h[2];
+    h3 = ctx->h[3];
+    h4 = ctx->h[4];
+
+    while (bytes >= POLY1305_BLOCK_SIZE) {
+        /* h += m[i] */
+        h0 += (U8TO32(m+ 0)     ) & 0x3ffffff;
+        h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff;
+        h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff;
+        h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff;
+        h4 += (U8TO32(m+12) >> 8) | hibit;
+
+        /* h *= r */
+        d0 = ((word64)h0 * r0) + ((word64)h1 * s4) + ((word64)h2 * s3) +
              ((word64)h3 * s2) + ((word64)h4 * s1);
-		d1 = ((word64)h0 * r1) + ((word64)h1 * r0) + ((word64)h2 * s4) +
+        d1 = ((word64)h0 * r1) + ((word64)h1 * r0) + ((word64)h2 * s4) +
              ((word64)h3 * s3) + ((word64)h4 * s2);
-		d2 = ((word64)h0 * r2) + ((word64)h1 * r1) + ((word64)h2 * r0) +
+        d2 = ((word64)h0 * r2) + ((word64)h1 * r1) + ((word64)h2 * r0) +
              ((word64)h3 * s4) + ((word64)h4 * s3);
-		d3 = ((word64)h0 * r3) + ((word64)h1 * r2) + ((word64)h2 * r1) +
+        d3 = ((word64)h0 * r3) + ((word64)h1 * r2) + ((word64)h2 * r1) +
              ((word64)h3 * r0) + ((word64)h4 * s4);
-		d4 = ((word64)h0 * r4) + ((word64)h1 * r3) + ((word64)h2 * r2) +
+        d4 = ((word64)h0 * r4) + ((word64)h1 * r3) + ((word64)h2 * r2) +
              ((word64)h3 * r1) + ((word64)h4 * r0);
 
-		/* (partial) h %= p */
-		              c = (word32)(d0 >> 26); h0 = (word32)d0 & 0x3ffffff;
-		d1 += c;      c = (word32)(d1 >> 26); h1 = (word32)d1 & 0x3ffffff;
-		d2 += c;      c = (word32)(d2 >> 26); h2 = (word32)d2 & 0x3ffffff;
-		d3 += c;      c = (word32)(d3 >> 26); h3 = (word32)d3 & 0x3ffffff;
-		d4 += c;      c = (word32)(d4 >> 26); h4 = (word32)d4 & 0x3ffffff;
-		h0 += c * 5;  c =  (h0 >> 26); h0 =                h0 & 0x3ffffff;
-		h1 += c;
-
-		m += POLY1305_BLOCK_SIZE;
-		bytes -= POLY1305_BLOCK_SIZE;
-	}
-
-	ctx->h[0] = h0;
-	ctx->h[1] = h1;
-	ctx->h[2] = h2;
-	ctx->h[3] = h3;
-	ctx->h[4] = h4;
+        /* (partial) h %= p */
+                      c = (word32)(d0 >> 26); h0 = (word32)d0 & 0x3ffffff;
+        d1 += c;      c = (word32)(d1 >> 26); h1 = (word32)d1 & 0x3ffffff;
+        d2 += c;      c = (word32)(d2 >> 26); h2 = (word32)d2 & 0x3ffffff;
+        d3 += c;      c = (word32)(d3 >> 26); h3 = (word32)d3 & 0x3ffffff;
+        d4 += c;      c = (word32)(d4 >> 26); h4 = (word32)d4 & 0x3ffffff;
+        h0 += c * 5;  c =  (h0 >> 26); h0 =                h0 & 0x3ffffff;
+        h1 += c;
+
+        m += POLY1305_BLOCK_SIZE;
+        bytes -= POLY1305_BLOCK_SIZE;
+    }
+
+    ctx->h[0] = h0;
+    ctx->h[1] = h1;
+    ctx->h[2] = h2;
+    ctx->h[3] = h3;
+    ctx->h[4] = h4;
 
 #endif /* end of 64 bit cpu blocks or 32 bit cpu */
 }
 
+void poly1305_block(Poly1305* ctx, const unsigned char *m)
+{
+#ifdef USE_INTEL_SPEEDUP
+    /* No call to poly1305_block when AVX2, AVX2 does 4 blocks at a time. */
+    poly1305_block_avx(ctx, m);
+#else
+    poly1305_blocks(ctx, m, POLY1305_BLOCK_SIZE);
+#endif
+}
+#endif /* !defined(WOLFSSL_ARMASM) || !defined(__aarch64__) */
 
-int wc_Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz) {
-
-#if defined(POLY130564)
+#if !defined(WOLFSSL_ARMASM) || !defined(__aarch64__)
+int wc_Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz)
+{
+#if defined(POLY130564) && !defined(USE_INTEL_SPEEDUP)
     word64 t0,t1;
 #endif
 
+    if (key == NULL)
+        return BAD_FUNC_ARG;
+
 #ifdef CHACHA_AEAD_TEST
     word32 k;
     printf("Poly key used:\n");
@@ -270,239 +407,261 @@ int wc_Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz) {
         if ((k+1) % 8 == 0)
             printf("\n");
     }
-	printf("\n");
+    printf("\n");
 #endif
 
     if (keySz != 32 || ctx == NULL)
         return BAD_FUNC_ARG;
 
-#if defined(POLY130564)
+#ifdef USE_INTEL_SPEEDUP
+    if (!cpu_flags_set) {
+        intel_flags = cpuid_get_flags();
+        cpu_flags_set = 1;
+    }
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(intel_flags))
+        poly1305_setkey_avx2(ctx, key);
+    else
+    #endif
+        poly1305_setkey_avx(ctx, key);
+#elif defined(POLY130564)
 
-	/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
-	t0 = U8TO64(key + 0);
-	t1 = U8TO64(key + 8);
+    /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
+    t0 = U8TO64(key + 0);
+    t1 = U8TO64(key + 8);
+
+    ctx->r[0] = ( t0                    ) & 0xffc0fffffff;
+    ctx->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff;
+    ctx->r[2] = ((t1 >> 24)             ) & 0x00ffffffc0f;
 
-	ctx->r[0] = ( t0                    ) & 0xffc0fffffff;
-	ctx->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff;
-	ctx->r[2] = ((t1 >> 24)             ) & 0x00ffffffc0f;
+    /* h (accumulator) = 0 */
+    ctx->h[0] = 0;
+    ctx->h[1] = 0;
+    ctx->h[2] = 0;
 
-	/* h (accumulator) = 0 */
-	ctx->h[0] = 0;
-	ctx->h[1] = 0;
-	ctx->h[2] = 0;
+    /* save pad for later */
+    ctx->pad[0] = U8TO64(key + 16);
+    ctx->pad[1] = U8TO64(key + 24);
 
-	/* save pad for later */
-	ctx->pad[0] = U8TO64(key + 16);
-	ctx->pad[1] = U8TO64(key + 24);
+    ctx->leftover = 0;
+    ctx->finished = 0;
 
 #else /* if not 64 bit then use 32 bit */
-	
+
     /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
-	ctx->r[0] = (U8TO32(key +  0)     ) & 0x3ffffff;
-	ctx->r[1] = (U8TO32(key +  3) >> 2) & 0x3ffff03;
-	ctx->r[2] = (U8TO32(key +  6) >> 4) & 0x3ffc0ff;
-	ctx->r[3] = (U8TO32(key +  9) >> 6) & 0x3f03fff;
-	ctx->r[4] = (U8TO32(key + 12) >> 8) & 0x00fffff;
-
-	/* h = 0 */
-	ctx->h[0] = 0;
-	ctx->h[1] = 0;
-	ctx->h[2] = 0;
-	ctx->h[3] = 0;
-	ctx->h[4] = 0;
-
-	/* save pad for later */
-	ctx->pad[0] = U8TO32(key + 16);
-	ctx->pad[1] = U8TO32(key + 20);
-	ctx->pad[2] = U8TO32(key + 24);
-	ctx->pad[3] = U8TO32(key + 28);
+    ctx->r[0] = (U8TO32(key +  0)     ) & 0x3ffffff;
+    ctx->r[1] = (U8TO32(key +  3) >> 2) & 0x3ffff03;
+    ctx->r[2] = (U8TO32(key +  6) >> 4) & 0x3ffc0ff;
+    ctx->r[3] = (U8TO32(key +  9) >> 6) & 0x3f03fff;
+    ctx->r[4] = (U8TO32(key + 12) >> 8) & 0x00fffff;
+
+    /* h = 0 */
+    ctx->h[0] = 0;
+    ctx->h[1] = 0;
+    ctx->h[2] = 0;
+    ctx->h[3] = 0;
+    ctx->h[4] = 0;
+
+    /* save pad for later */
+    ctx->pad[0] = U8TO32(key + 16);
+    ctx->pad[1] = U8TO32(key + 20);
+    ctx->pad[2] = U8TO32(key + 24);
+    ctx->pad[3] = U8TO32(key + 28);
+
+    ctx->leftover = 0;
+    ctx->finished = 0;
 
 #endif
 
-	ctx->leftover = 0;
-	ctx->final = 0;
-
     return 0;
 }
 
-
-int wc_Poly1305Final(Poly1305* ctx, byte* mac) {
-
-#if defined(POLY130564)
+int wc_Poly1305Final(Poly1305* ctx, byte* mac)
+{
+#ifdef USE_INTEL_SPEEDUP
+#elif defined(POLY130564)
 
     word64 h0,h1,h2,c;
-	word64 g0,g1,g2;
-	word64 t0,t1;
+    word64 g0,g1,g2;
+    word64 t0,t1;
 
 #else
 
     word32 h0,h1,h2,h3,h4,c;
-	word32 g0,g1,g2,g3,g4;
-	word64 f;
-	word32 mask;
+    word32 g0,g1,g2,g3,g4;
+    word64 f;
+    word32 mask;
 
 #endif
 
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
-#if defined(POLY130564)
-
-	/* process the remaining block */
-	if (ctx->leftover) {
-		size_t i = ctx->leftover;
-		ctx->buffer[i] = 1;
-		for (i = i + 1; i < POLY1305_BLOCK_SIZE; i++)
-			ctx->buffer[i] = 0;
-		ctx->final = 1;
-		poly1305_blocks(ctx, ctx->buffer, POLY1305_BLOCK_SIZE);
-	}
-
-	/* fully carry h */
-	h0 = ctx->h[0];
-	h1 = ctx->h[1];
-	h2 = ctx->h[2];
-
-	             c = (h1 >> 44); h1 &= 0xfffffffffff;
-	h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
-	h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
-	h1 += c;	 c = (h1 >> 44); h1 &= 0xfffffffffff;
-	h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
-	h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
-	h1 += c;
-
-	/* compute h + -p */
-	g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
-	g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
-	g2 = h2 + c - ((word64)1 << 42);
-
-	/* select h if h < p, or h + -p if h >= p */
-	c = (g2 >> ((sizeof(word64) * 8) - 1)) - 1;
-	g0 &= c;
-	g1 &= c;
-	g2 &= c;
-	c = ~c;
-	h0 = (h0 & c) | g0;
-	h1 = (h1 & c) | g1;
-	h2 = (h2 & c) | g2;
-
-	/* h = (h + pad) */
-	t0 = ctx->pad[0];
-	t1 = ctx->pad[1];
-
-	h0 += (( t0                    ) & 0xfffffffffff)    ;
+#ifdef USE_INTEL_SPEEDUP
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(intel_flags))
+        poly1305_final_avx2(ctx, mac);
+    else
+    #endif
+        poly1305_final_avx(ctx, mac);
+#elif defined(POLY130564)
+
+    /* process the remaining block */
+    if (ctx->leftover) {
+        size_t i = ctx->leftover;
+        ctx->buffer[i] = 1;
+        for (i = i + 1; i < POLY1305_BLOCK_SIZE; i++)
+            ctx->buffer[i] = 0;
+        ctx->finished = 1;
+        poly1305_block(ctx, ctx->buffer);
+    }
+
+    /* fully carry h */
+    h0 = ctx->h[0];
+    h1 = ctx->h[1];
+    h2 = ctx->h[2];
+
+                 c = (h1 >> 44); h1 &= 0xfffffffffff;
+    h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
+    h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
+    h1 += c;     c = (h1 >> 44); h1 &= 0xfffffffffff;
+    h2 += c;     c = (h2 >> 42); h2 &= 0x3ffffffffff;
+    h0 += c * 5; c = (h0 >> 44); h0 &= 0xfffffffffff;
+    h1 += c;
+
+    /* compute h + -p */
+    g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff;
+    g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff;
+    g2 = h2 + c - ((word64)1 << 42);
+
+    /* select h if h < p, or h + -p if h >= p */
+    c = (g2 >> ((sizeof(word64) * 8) - 1)) - 1;
+    g0 &= c;
+    g1 &= c;
+    g2 &= c;
+    c = ~c;
+    h0 = (h0 & c) | g0;
+    h1 = (h1 & c) | g1;
+    h2 = (h2 & c) | g2;
+
+    /* h = (h + pad) */
+    t0 = ctx->pad[0];
+    t1 = ctx->pad[1];
+
+    h0 += (( t0                    ) & 0xfffffffffff)    ;
     c = (h0 >> 44); h0 &= 0xfffffffffff;
-	h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff) + c;
+    h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff) + c;
     c = (h1 >> 44); h1 &= 0xfffffffffff;
-	h2 += (((t1 >> 24)             ) & 0x3ffffffffff) + c;
+    h2 += (((t1 >> 24)             ) & 0x3ffffffffff) + c;
     h2 &= 0x3ffffffffff;
 
-	/* mac = h % (2^128) */
-	h0 = ((h0      ) | (h1 << 44));
-	h1 = ((h1 >> 20) | (h2 << 24));
+    /* mac = h % (2^128) */
+    h0 = ((h0      ) | (h1 << 44));
+    h1 = ((h1 >> 20) | (h2 << 24));
 
-	U64TO8(mac + 0, h0);
-	U64TO8(mac + 8, h1);
+    U64TO8(mac + 0, h0);
+    U64TO8(mac + 8, h1);
 
-	/* zero out the state */
-	ctx->h[0] = 0;
-	ctx->h[1] = 0;
-	ctx->h[2] = 0;
-	ctx->r[0] = 0;
-	ctx->r[1] = 0;
-	ctx->r[2] = 0;
-	ctx->pad[0] = 0;
-	ctx->pad[1] = 0;
+    /* zero out the state */
+    ctx->h[0] = 0;
+    ctx->h[1] = 0;
+    ctx->h[2] = 0;
+    ctx->r[0] = 0;
+    ctx->r[1] = 0;
+    ctx->r[2] = 0;
+    ctx->pad[0] = 0;
+    ctx->pad[1] = 0;
 
 #else /* if not 64 bit then use 32 bit */
-    
-	/* process the remaining block */
-	if (ctx->leftover) {
-		size_t i = ctx->leftover;
-		ctx->buffer[i++] = 1;
-		for (; i < POLY1305_BLOCK_SIZE; i++)
-			ctx->buffer[i] = 0;
-		ctx->final = 1;
-		poly1305_blocks(ctx, ctx->buffer, POLY1305_BLOCK_SIZE);
-	}
-
-	/* fully carry h */
-	h0 = ctx->h[0];
-	h1 = ctx->h[1];
-	h2 = ctx->h[2];
-	h3 = ctx->h[3];
-	h4 = ctx->h[4];
-
-	             c = h1 >> 26; h1 = h1 & 0x3ffffff;
-	h2 +=     c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
-	h3 +=     c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
-	h4 +=     c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
-	h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
-	h1 +=     c;
-
-	/* compute h + -p */
-	g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
-	g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
-	g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
-	g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
-	g4 = h4 + c - (1 << 26);
-
-	/* select h if h < p, or h + -p if h >= p */
-	mask = (g4 >> ((sizeof(word32) * 8) - 1)) - 1;
-	g0 &= mask;
-	g1 &= mask;
-	g2 &= mask;
-	g3 &= mask;
-	g4 &= mask;
-	mask = ~mask;
-	h0 = (h0 & mask) | g0;
-	h1 = (h1 & mask) | g1;
-	h2 = (h2 & mask) | g2;
-	h3 = (h3 & mask) | g3;
-	h4 = (h4 & mask) | g4;
-
-	/* h = h % (2^128) */
-	h0 = ((h0      ) | (h1 << 26)) & 0xffffffff;
-	h1 = ((h1 >>  6) | (h2 << 20)) & 0xffffffff;
-	h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
-	h3 = ((h3 >> 18) | (h4 <<  8)) & 0xffffffff;
-
-	/* mac = (h + pad) % (2^128) */
-	f = (word64)h0 + ctx->pad[0]            ; h0 = (word32)f;
-	f = (word64)h1 + ctx->pad[1] + (f >> 32); h1 = (word32)f;
-	f = (word64)h2 + ctx->pad[2] + (f >> 32); h2 = (word32)f;
-	f = (word64)h3 + ctx->pad[3] + (f >> 32); h3 = (word32)f;
-
-	U32TO8(mac + 0, h0);
-	U32TO8(mac + 4, h1);
-	U32TO8(mac + 8, h2);
-	U32TO8(mac + 12, h3);
-
-	/* zero out the state */
-	ctx->h[0] = 0;
-	ctx->h[1] = 0;
-	ctx->h[2] = 0;
-	ctx->h[3] = 0;
-	ctx->h[4] = 0;
-	ctx->r[0] = 0;
-	ctx->r[1] = 0;
-	ctx->r[2] = 0;
-	ctx->r[3] = 0;
-	ctx->r[4] = 0;
-	ctx->pad[0] = 0;
-	ctx->pad[1] = 0;
-	ctx->pad[2] = 0;
-	ctx->pad[3] = 0;
+
+    /* process the remaining block */
+    if (ctx->leftover) {
+        size_t i = ctx->leftover;
+        ctx->buffer[i++] = 1;
+        for (; i < POLY1305_BLOCK_SIZE; i++)
+            ctx->buffer[i] = 0;
+        ctx->finished = 1;
+        poly1305_block(ctx, ctx->buffer);
+    }
+
+    /* fully carry h */
+    h0 = ctx->h[0];
+    h1 = ctx->h[1];
+    h2 = ctx->h[2];
+    h3 = ctx->h[3];
+    h4 = ctx->h[4];
+
+                 c = h1 >> 26; h1 = h1 & 0x3ffffff;
+    h2 +=     c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
+    h3 +=     c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
+    h4 +=     c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
+    h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
+    h1 +=     c;
+
+    /* compute h + -p */
+    g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
+    g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
+    g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
+    g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
+    g4 = h4 + c - ((word32)1 << 26);
+
+    /* select h if h < p, or h + -p if h >= p */
+    mask = ((word32)g4 >> ((sizeof(word32) * 8) - 1)) - 1;
+    g0 &= mask;
+    g1 &= mask;
+    g2 &= mask;
+    g3 &= mask;
+    g4 &= mask;
+    mask = ~mask;
+    h0 = (h0 & mask) | g0;
+    h1 = (h1 & mask) | g1;
+    h2 = (h2 & mask) | g2;
+    h3 = (h3 & mask) | g3;
+    h4 = (h4 & mask) | g4;
+
+    /* h = h % (2^128) */
+    h0 = ((h0      ) | (h1 << 26)) & 0xffffffff;
+    h1 = ((h1 >>  6) | (h2 << 20)) & 0xffffffff;
+    h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
+    h3 = ((h3 >> 18) | (h4 <<  8)) & 0xffffffff;
+
+    /* mac = (h + pad) % (2^128) */
+    f = (word64)h0 + ctx->pad[0]            ; h0 = (word32)f;
+    f = (word64)h1 + ctx->pad[1] + (f >> 32); h1 = (word32)f;
+    f = (word64)h2 + ctx->pad[2] + (f >> 32); h2 = (word32)f;
+    f = (word64)h3 + ctx->pad[3] + (f >> 32); h3 = (word32)f;
+
+    U32TO8(mac + 0, h0);
+    U32TO8(mac + 4, h1);
+    U32TO8(mac + 8, h2);
+    U32TO8(mac + 12, h3);
+
+    /* zero out the state */
+    ctx->h[0] = 0;
+    ctx->h[1] = 0;
+    ctx->h[2] = 0;
+    ctx->h[3] = 0;
+    ctx->h[4] = 0;
+    ctx->r[0] = 0;
+    ctx->r[1] = 0;
+    ctx->r[2] = 0;
+    ctx->r[3] = 0;
+    ctx->r[4] = 0;
+    ctx->pad[0] = 0;
+    ctx->pad[1] = 0;
+    ctx->pad[2] = 0;
+    ctx->pad[3] = 0;
 
 #endif
 
     return 0;
 }
+#endif /* !defined(WOLFSSL_ARMASM) || !defined(__aarch64__) */
 
 
-int wc_Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes) {
-
-	size_t i;
+int wc_Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes)
+{
+    size_t i;
 
 #ifdef CHACHA_AEAD_TEST
     word32 k;
@@ -512,43 +671,198 @@ int wc_Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes) {
         if ((k+1) % 16 == 0)
             printf("\n");
     }
-	printf("\n");
+    printf("\n");
 #endif
-    
+
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
-	/* handle leftover */
-	if (ctx->leftover) {
-		size_t want = (POLY1305_BLOCK_SIZE - ctx->leftover);
-		if (want > bytes)
-			want = bytes;
-		for (i = 0; i < want; i++)
-			ctx->buffer[ctx->leftover + i] = m[i];
-		bytes -= want;
-		m += want;
-		ctx->leftover += want;
-		if (ctx->leftover < POLY1305_BLOCK_SIZE)
-			return 0;
-		poly1305_blocks(ctx, ctx->buffer, POLY1305_BLOCK_SIZE);
-		ctx->leftover = 0;
-	}
-
-	/* process full blocks */
-	if (bytes >= POLY1305_BLOCK_SIZE) {
-		size_t want = (bytes & ~(POLY1305_BLOCK_SIZE - 1));
-		poly1305_blocks(ctx, m, want);
-		m += want;
-		bytes -= want;
-	}
-
-	/* store leftover */
-	if (bytes) {
-		for (i = 0; i < bytes; i++)
-			ctx->buffer[ctx->leftover + i] = m[i];
-		ctx->leftover += bytes;
-	}
+#ifdef USE_INTEL_SPEEDUP
+    #ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_AVX2(intel_flags)) {
+        /* handle leftover */
+        if (ctx->leftover) {
+            size_t want = sizeof(ctx->buffer) - ctx->leftover;
+            if (want > bytes)
+                want = bytes;
+
+            for (i = 0; i < want; i++)
+                ctx->buffer[ctx->leftover + i] = m[i];
+            bytes -= (word32)want;
+            m += want;
+            ctx->leftover += want;
+            if (ctx->leftover < sizeof(ctx->buffer))
+                return 0;
+
+            if (!ctx->started)
+                poly1305_calc_powers_avx2(ctx);
+            poly1305_blocks_avx2(ctx, ctx->buffer, sizeof(ctx->buffer));
+            ctx->leftover = 0;
+        }
+
+        /* process full blocks */
+        if (bytes >= sizeof(ctx->buffer)) {
+            size_t want = bytes & ~(sizeof(ctx->buffer) - 1);
+
+            if (!ctx->started)
+                poly1305_calc_powers_avx2(ctx);
+            poly1305_blocks_avx2(ctx, m, want);
+            m += want;
+            bytes -= (word32)want;
+        }
+
+        /* store leftover */
+        if (bytes) {
+            for (i = 0; i < bytes; i++)
+                ctx->buffer[ctx->leftover + i] = m[i];
+            ctx->leftover += bytes;
+        }
+    }
+    else
+    #endif
+#endif
+    {
+        /* handle leftover */
+        if (ctx->leftover) {
+            size_t want = (POLY1305_BLOCK_SIZE - ctx->leftover);
+            if (want > bytes)
+                want = bytes;
+            for (i = 0; i < want; i++)
+                ctx->buffer[ctx->leftover + i] = m[i];
+            bytes -= (word32)want;
+            m += want;
+            ctx->leftover += want;
+            if (ctx->leftover < POLY1305_BLOCK_SIZE)
+                return 0;
+            poly1305_block(ctx, ctx->buffer);
+            ctx->leftover = 0;
+        }
+
+        /* process full blocks */
+        if (bytes >= POLY1305_BLOCK_SIZE) {
+            size_t want = (bytes & ~(POLY1305_BLOCK_SIZE - 1));
+            poly1305_blocks(ctx, m, want);
+            m += want;
+            bytes -= (word32)want;
+        }
+
+        /* store leftover */
+        if (bytes) {
+            for (i = 0; i < bytes; i++)
+                ctx->buffer[ctx->leftover + i] = m[i];
+            ctx->leftover += bytes;
+        }
+    }
+
     return 0;
 }
-#endif /* HAVE_POLY1305 */
 
+/*  Takes a Poly1305 struct that has a key loaded and pads the provided length
+    ctx        : Initialized Poly1305 struct to use
+    lenToPad   : Current number of bytes updated that needs padding to 16
+ */
+int wc_Poly1305_Pad(Poly1305* ctx, word32 lenToPad)
+{
+    int ret = 0;
+    word32 paddingLen;
+    byte padding[WC_POLY1305_PAD_SZ - 1];
+
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (lenToPad == 0) {
+        return 0; /* nothing needs to be done */
+    }
+
+    XMEMSET(padding, 0, sizeof(padding));
+
+    /* Pad length to 16 bytes */
+    paddingLen = -(int)lenToPad & (WC_POLY1305_PAD_SZ - 1);
+    if (paddingLen > 0) {
+        ret = wc_Poly1305Update(ctx, padding, paddingLen);
+    }
+    return ret;
+}
+
+/*  Takes a Poly1305 struct that has a key loaded and adds the AEAD length
+    encoding in 64-bit little endian
+    aadSz      : Size of the additional authentication data
+    dataSz     : Size of the plaintext or ciphertext
+ */
+int wc_Poly1305_EncodeSizes(Poly1305* ctx, word32 aadSz, word32 dataSz)
+{
+    int ret;
+    byte little64[16]; /* sizeof(word64) * 2 */
+
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(little64, 0, sizeof(little64));
+
+    /* size of additional data and input data as little endian 64 bit types */
+    u32tole64(aadSz,  little64);
+    u32tole64(dataSz, little64 + 8);
+    ret = wc_Poly1305Update(ctx, little64, sizeof(little64));
+
+    return ret;
+}
+
+/*  Takes in an initialized Poly1305 struct that has a key loaded and creates
+    a MAC (tag) using recent TLS AEAD padding scheme.
+    ctx        : Initialized Poly1305 struct to use
+    additional : Additional data to use
+    addSz      : Size of additional buffer
+    input      : Input buffer to create tag from
+    sz         : Size of input buffer
+    tag        : Buffer to hold created tag
+    tagSz      : Size of input tag buffer (must be at least
+                 WC_POLY1305_MAC_SZ(16))
+ */
+int wc_Poly1305_MAC(Poly1305* ctx, byte* additional, word32 addSz,
+                    byte* input, word32 sz, byte* tag, word32 tagSz)
+{
+    int ret;
+
+    /* sanity check on arguments */
+    if (ctx == NULL || input == NULL || tag == NULL ||
+                                                   tagSz < WC_POLY1305_MAC_SZ) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* additional allowed to be 0 */
+    if (addSz > 0) {
+        if (additional == NULL)
+            return BAD_FUNC_ARG;
+
+        /* additional data plus padding */
+        if ((ret = wc_Poly1305Update(ctx, additional, addSz)) != 0) {
+            return ret;
+        }
+        /* pad additional data */
+        if ((ret = wc_Poly1305_Pad(ctx, addSz)) != 0) {
+            return ret;
+        }
+    }
+
+    /* input plus padding */
+    if ((ret = wc_Poly1305Update(ctx, input, sz)) != 0) {
+        return ret;
+    }
+    /* pad input data */
+    if ((ret = wc_Poly1305_Pad(ctx, sz)) != 0) {
+        return ret;
+    }
+
+    /* encode size of AAD and input data as little endian 64 bit types */
+    if ((ret = wc_Poly1305_EncodeSizes(ctx, addSz, sz)) != 0) {
+        return ret;
+    }
+
+    /* Finalize the auth tag */
+    ret = wc_Poly1305Final(ctx, tag);
+
+    return ret;
+
+}
+#endif /* HAVE_POLY1305 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305_asm.S
new file mode 100644
index 000000000..95711075b
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/poly1305_asm.S
@@ -0,0 +1,1105 @@
+/* poly1305_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifdef HAVE_INTEL_AVX1
+#ifndef __APPLE__
+.text
+.globl	poly1305_setkey_avx
+.type	poly1305_setkey_avx,@function
+.align	4
+poly1305_setkey_avx:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_setkey_avx
+.p2align	2
+_poly1305_setkey_avx:
+#endif /* __APPLE__ */
+        movabsq	$0xffffffc0fffffff, %r10
+        movabsq	$0xffffffc0ffffffc, %r11
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        andq	%r10, %rdx
+        andq	%r11, %rax
+        movq	%rdx, %r10
+        movq	%rax, %r11
+        xorq	%r9, %r9
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%r9, 24(%rdi)
+        movq	%r9, 32(%rdi)
+        movq	%r9, 40(%rdi)
+        movq	%rcx, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        movq	%r9, 352(%rdi)
+        movq	%r9, 408(%rdi)
+        movq	%rdx, 360(%rdi)
+        movq	%rax, 416(%rdi)
+        addq	%rdx, %r10
+        addq	%rax, %r11
+        movq	%r10, 368(%rdi)
+        movq	%r11, 424(%rdi)
+        addq	%rdx, %r10
+        addq	%rax, %r11
+        movq	%r10, 376(%rdi)
+        movq	%r11, 432(%rdi)
+        addq	%rdx, %r10
+        addq	%rax, %r11
+        movq	%r10, 384(%rdi)
+        movq	%r11, 440(%rdi)
+        addq	%rdx, %r10
+        addq	%rax, %r11
+        movq	%r10, 392(%rdi)
+        movq	%r11, 448(%rdi)
+        addq	%rdx, %r10
+        addq	%rax, %r11
+        movq	%r10, 400(%rdi)
+        movq	%r11, 456(%rdi)
+        movq	%r9, 608(%rdi)
+        movb	$0x01, 616(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_setkey_avx,.-poly1305_setkey_avx
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	poly1305_block_avx
+.type	poly1305_block_avx,@function
+.align	4
+poly1305_block_avx:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_block_avx
+.p2align	2
+_poly1305_block_avx:
+#endif /* __APPLE__ */
+        pushq	%r15
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        movq	(%rdi), %r15
+        movq	8(%rdi), %rbx
+        movq	24(%rdi), %r8
+        movq	32(%rdi), %r9
+        movq	40(%rdi), %r10
+        xorq	%r14, %r14
+        movb	616(%rdi), %r14b
+        # h += m
+        movq	(%rsi), %r11
+        movq	8(%rsi), %r12
+        addq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rbx, %rax
+        adcq	%r14, %r10
+        # r[1] * h[0] => rdx, rax ==> t2, t1
+        mulq	%r8
+        movq	%rax, %r12
+        movq	%rdx, %r13
+        # r[0] * h[1] => rdx, rax ++> t2, t1
+        movq	%r15, %rax
+        mulq	%r9
+        addq	%rax, %r12
+        movq	%r15, %rax
+        adcq	%rdx, %r13
+        # r[0] * h[0] => rdx, rax ==> t4, t0
+        mulq	%r8
+        movq	%rax, %r11
+        movq	%rdx, %r8
+        # r[1] * h[1] => rdx, rax =+> t3, t2
+        movq	%rbx, %rax
+        mulq	%r9
+        #   r[0] * h[2] +> t2
+        addq	352(%rdi,%r10,8), %r13
+        movq	%rdx, %r14
+        addq	%r8, %r12
+        adcq	%rax, %r13
+        #   r[1] * h[2] +> t3
+        adcq	408(%rdi,%r10,8), %r14
+        # r * h in r14, r13, r12, r11
+        # h = (r * h) mod 2^130 - 5
+        movq	%r13, %r10
+        andq	$-4, %r13
+        andq	$3, %r10
+        addq	%r13, %r11
+        movq	%r13, %r8
+        adcq	%r14, %r12
+        adcq	$0x00, %r10
+        shrdq	$2, %r14, %r8
+        shrq	$2, %r14
+        addq	%r11, %r8
+        adcq	%r14, %r12
+        movq	%r12, %r9
+        adcq	$0x00, %r10
+        # h in r10, r9, r8
+        # Store h to ctx
+        movq	%r8, 24(%rdi)
+        movq	%r9, 32(%rdi)
+        movq	%r10, 40(%rdi)
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        popq	%r15
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_block_avx,.-poly1305_block_avx
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	poly1305_blocks_avx
+.type	poly1305_blocks_avx,@function
+.align	4
+poly1305_blocks_avx:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_blocks_avx
+.p2align	2
+_poly1305_blocks_avx:
+#endif /* __APPLE__ */
+        pushq	%r15
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        movq	%rdx, %rcx
+        movq	(%rdi), %r15
+        movq	8(%rdi), %rbx
+        movq	24(%rdi), %r8
+        movq	32(%rdi), %r9
+        movq	40(%rdi), %r10
+L_poly1305_avx_blocks_start:
+        # h += m
+        movq	(%rsi), %r11
+        movq	8(%rsi), %r12
+        addq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rbx, %rax
+        adcq	$0x00, %r10
+        # r[1] * h[0] => rdx, rax ==> t2, t1
+        mulq	%r8
+        movq	%rax, %r12
+        movq	%rdx, %r13
+        # r[0] * h[1] => rdx, rax ++> t2, t1
+        movq	%r15, %rax
+        mulq	%r9
+        addq	%rax, %r12
+        movq	%r15, %rax
+        adcq	%rdx, %r13
+        # r[0] * h[0] => rdx, rax ==> t4, t0
+        mulq	%r8
+        movq	%rax, %r11
+        movq	%rdx, %r8
+        # r[1] * h[1] => rdx, rax =+> t3, t2
+        movq	%rbx, %rax
+        mulq	%r9
+        #   r[0] * h[2] +> t2
+        addq	360(%rdi,%r10,8), %r13
+        movq	%rdx, %r14
+        addq	%r8, %r12
+        adcq	%rax, %r13
+        #   r[1] * h[2] +> t3
+        adcq	416(%rdi,%r10,8), %r14
+        # r * h in r14, r13, r12, r11
+        # h = (r * h) mod 2^130 - 5
+        movq	%r13, %r10
+        andq	$-4, %r13
+        andq	$3, %r10
+        addq	%r13, %r11
+        movq	%r13, %r8
+        adcq	%r14, %r12
+        adcq	$0x00, %r10
+        shrdq	$2, %r14, %r8
+        shrq	$2, %r14
+        addq	%r11, %r8
+        adcq	%r14, %r12
+        movq	%r12, %r9
+        adcq	$0x00, %r10
+        # h in r10, r9, r8
+        # Next block from message
+        addq	$16, %rsi
+        subq	$16, %rcx
+        jg	L_poly1305_avx_blocks_start
+        # Store h to ctx
+        movq	%r8, 24(%rdi)
+        movq	%r9, 32(%rdi)
+        movq	%r10, 40(%rdi)
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        popq	%r15
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_blocks_avx,.-poly1305_blocks_avx
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	poly1305_final_avx
+.type	poly1305_final_avx,@function
+.align	4
+poly1305_final_avx:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_final_avx
+.p2align	2
+_poly1305_final_avx:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        movq	%rsi, %rbx
+        movq	608(%rdi), %rax
+        testq	%rax, %rax
+        je	L_poly1305_avx_final_no_more
+        movb	$0x01, 480(%rdi,%rax,1)
+        jmp	L_poly1305_avx_final_cmp_rem
+L_poly1305_avx_final_zero_rem:
+        movb	$0x00, 480(%rdi,%rax,1)
+L_poly1305_avx_final_cmp_rem:
+        incb	%al
+        cmpq	$16, %rax
+        jl	L_poly1305_avx_final_zero_rem
+        movb	$0x00, 616(%rdi)
+        leaq	480(%rdi), %rsi
+#ifndef __APPLE__
+        callq	poly1305_block_avx@plt
+#else
+        callq	_poly1305_block_avx
+#endif /* __APPLE__ */
+L_poly1305_avx_final_no_more:
+        movq	24(%rdi), %rax
+        movq	32(%rdi), %rdx
+        movq	40(%rdi), %rcx
+        movq	48(%rdi), %r11
+        movq	56(%rdi), %r12
+        # h %= p
+        # h = (h + pad)
+        # mod 2^130 - 5
+        movq	%rcx, %r8
+        andq	$3, %rcx
+        shrq	$2, %r8
+        #   Multily by 5
+        leaq	0(%r8,%r8,4), %r8
+        addq	%r8, %rax
+        adcq	$0x00, %rdx
+        adcq	$0x00, %rcx
+        # Fixup when between (1 << 130) - 1 and (1 << 130) - 5
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%rcx, %r10
+        addq	$5, %r8
+        adcq	$0x00, %r9
+        adcq	$0x00, %r10
+        cmpq	$4, %r10
+        cmoveq	%r8, %rax
+        cmoveq	%r9, %rdx
+        # h += pad
+        addq	%r11, %rax
+        adcq	%r12, %rdx
+        movq	%rax, (%rbx)
+        movq	%rdx, 8(%rbx)
+        # Zero out r
+        movq	$0x00, (%rdi)
+        movq	$0x00, 8(%rdi)
+        # Zero out h
+        movq	$0x00, 24(%rdi)
+        movq	$0x00, 32(%rdi)
+        movq	$0x00, 40(%rdi)
+        # Zero out pad
+        movq	$0x00, 48(%rdi)
+        movq	$0x00, 56(%rdi)
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_final_avx,.-poly1305_final_avx
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX1 */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.text
+.globl	poly1305_calc_powers_avx2
+.type	poly1305_calc_powers_avx2,@function
+.align	4
+poly1305_calc_powers_avx2:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_calc_powers_avx2
+.p2align	2
+_poly1305_calc_powers_avx2:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbx
+        pushq	%rbp
+        movq	(%rdi), %rcx
+        movq	8(%rdi), %r8
+        xorq	%r9, %r9
+        # Convert to 26 bits in 32
+        movq	%rcx, %rax
+        movq	%rcx, %rdx
+        movq	%rcx, %rsi
+        movq	%r8, %rbx
+        movq	%r8, %rbp
+        shrq	$26, %rdx
+        shrdq	$52, %r8, %rsi
+        shrq	$14, %rbx
+        shrdq	$40, %r9, %rbp
+        andq	$0x3ffffff, %rax
+        andq	$0x3ffffff, %rdx
+        andq	$0x3ffffff, %rsi
+        andq	$0x3ffffff, %rbx
+        andq	$0x3ffffff, %rbp
+        movl	%eax, 224(%rdi)
+        movl	%edx, 228(%rdi)
+        movl	%esi, 232(%rdi)
+        movl	%ebx, 236(%rdi)
+        movl	%ebp, 240(%rdi)
+        movl	$0x00, 244(%rdi)
+        # Square 128-bit
+        movq	%r8, %rax
+        mulq	%rcx
+        xorq	%r13, %r13
+        movq	%rax, %r11
+        movq	%rdx, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0x00, %r13
+        movq	%rcx, %rax
+        mulq	%rax
+        movq	%rax, %r10
+        movq	%rdx, %r15
+        movq	%r8, %rax
+        mulq	%rax
+        addq	%r15, %r11
+        adcq	%rax, %r12
+        adcq	%rdx, %r13
+        # Reduce 256-bit to 130-bit
+        movq	%r12, %rax
+        movq	%r13, %rdx
+        andq	$-4, %rax
+        andq	$3, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        shrdq	$2, %rdx, %rax
+        shrq	$2, %rdx
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0x00, %r12
+        movq	%r12, %rax
+        shrq	$2, %rax
+        leaq	0(%rax,%rax,4), %rax
+        andq	$3, %r12
+        addq	%rax, %r10
+        adcq	$0x00, %r11
+        adcq	$0x00, %r12
+        # Convert to 26 bits in 32
+        movq	%r10, %rax
+        movq	%r10, %rdx
+        movq	%r10, %rsi
+        movq	%r11, %rbx
+        movq	%r11, %rbp
+        shrq	$26, %rdx
+        shrdq	$52, %r11, %rsi
+        shrq	$14, %rbx
+        shrdq	$40, %r12, %rbp
+        andq	$0x3ffffff, %rax
+        andq	$0x3ffffff, %rdx
+        andq	$0x3ffffff, %rsi
+        andq	$0x3ffffff, %rbx
+        andq	$0x3ffffff, %rbp
+        movl	%eax, 256(%rdi)
+        movl	%edx, 260(%rdi)
+        movl	%esi, 264(%rdi)
+        movl	%ebx, 268(%rdi)
+        movl	%ebp, 272(%rdi)
+        movl	$0x00, 276(%rdi)
+        # Multiply 128-bit by 130-bit
+        #   r1[0] * r2[0]
+        movq	%rcx, %rax
+        mulq	%r10
+        movq	%rax, %r13
+        movq	%rdx, %r14
+        #   r1[0] * r2[1]
+        movq	%rcx, %rax
+        mulq	%r11
+        movq	$0x00, %r15
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        #   r1[1] * r2[0]
+        movq	%r8, %rax
+        mulq	%r10
+        movq	$0x00, %rsi
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        adcq	$0x00, %rsi
+        #   r1[0] * r2[2]
+        movq	%rcx, %rax
+        mulq	%r12
+        addq	%rax, %r15
+        adcq	%rdx, %rsi
+        #   r1[1] * r2[1]
+        movq	%r8, %rax
+        mulq	%r11
+        movq	$0x00, %rbx
+        addq	%rax, %r15
+        adcq	%rdx, %rsi
+        adcq	$0x00, %rbx
+        #   r1[1] * r2[2]
+        movq	%r8, %rax
+        mulq	%r12
+        addq	%rax, %rsi
+        adcq	%rdx, %rbx
+        # Reduce 260-bit to 130-bit
+        movq	%r15, %rax
+        movq	%rsi, %rdx
+        movq	%rbx, %rbx
+        andq	$-4, %rax
+        andq	$3, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	%rbx, %r15
+        shrdq	$2, %rdx, %rax
+        shrdq	$2, %rbx, %rdx
+        shrq	$2, %rbx
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	%rbx, %r15
+        movq	%r15, %rax
+        andq	$3, %r15
+        shrq	$2, %rax
+        leaq	0(%rax,%rax,4), %rax
+        addq	%rax, %r13
+        adcq	$0x00, %r14
+        adcq	$0x00, %r15
+        # Convert to 26 bits in 32
+        movq	%r13, %rax
+        movq	%r13, %rdx
+        movq	%r13, %rsi
+        movq	%r14, %rbx
+        movq	%r14, %rbp
+        shrq	$26, %rdx
+        shrdq	$52, %r14, %rsi
+        shrq	$14, %rbx
+        shrdq	$40, %r15, %rbp
+        andq	$0x3ffffff, %rax
+        andq	$0x3ffffff, %rdx
+        andq	$0x3ffffff, %rsi
+        andq	$0x3ffffff, %rbx
+        andq	$0x3ffffff, %rbp
+        movl	%eax, 288(%rdi)
+        movl	%edx, 292(%rdi)
+        movl	%esi, 296(%rdi)
+        movl	%ebx, 300(%rdi)
+        movl	%ebp, 304(%rdi)
+        movl	$0x00, 308(%rdi)
+        # Square 130-bit
+        movq	%r11, %rax
+        mulq	%r10
+        xorq	%r13, %r13
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0x00, %r13
+        movq	%r10, %rax
+        mulq	%rax
+        movq	%rax, %rcx
+        movq	%rdx, %r15
+        movq	%r11, %rax
+        mulq	%rax
+        addq	%r15, %r8
+        adcq	%rax, %r9
+        adcq	%rdx, %r13
+        movq	%r12, %rax
+        mulq	%rax
+        movq	%rax, %r14
+        movq	%r12, %rax
+        mulq	%r10
+        addq	%rax, %r9
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        addq	%rax, %r9
+        adcq	%rdx, %r13
+        adcq	$0x00, %r14
+        movq	%r12, %rax
+        mulq	%r11
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        # Reduce 260-bit to 130-bit
+        movq	%r9, %rax
+        movq	%r13, %rdx
+        movq	%r14, %r15
+        andq	$-4, %rax
+        andq	$3, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	%r15, %r9
+        shrdq	$2, %rdx, %rax
+        shrdq	$2, %r15, %rdx
+        shrq	$2, %r15
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	%r15, %r9
+        movq	%r9, %rax
+        andq	$3, %r9
+        shrq	$2, %rax
+        leaq	0(%rax,%rax,4), %rax
+        addq	%rax, %rcx
+        adcq	$0x00, %r8
+        adcq	$0x00, %r9
+        # Convert to 26 bits in 32
+        movq	%rcx, %rax
+        movq	%rcx, %rdx
+        movq	%rcx, %rsi
+        movq	%r8, %rbx
+        movq	%r8, %rbp
+        shrq	$26, %rdx
+        shrdq	$52, %r8, %rsi
+        shrq	$14, %rbx
+        shrdq	$40, %r9, %rbp
+        andq	$0x3ffffff, %rax
+        andq	$0x3ffffff, %rdx
+        andq	$0x3ffffff, %rsi
+        andq	$0x3ffffff, %rbx
+        andq	$0x3ffffff, %rbp
+        movl	%eax, 320(%rdi)
+        movl	%edx, 324(%rdi)
+        movl	%esi, 328(%rdi)
+        movl	%ebx, 332(%rdi)
+        movl	%ebp, 336(%rdi)
+        movl	$0x00, 340(%rdi)
+        popq	%rbp
+        popq	%rbx
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_calc_powers_avx2,.-poly1305_calc_powers_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	poly1305_setkey_avx2
+.type	poly1305_setkey_avx2,@function
+.align	4
+poly1305_setkey_avx2:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_setkey_avx2
+.p2align	2
+_poly1305_setkey_avx2:
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+        callq	poly1305_setkey_avx@plt
+#else
+        callq	_poly1305_setkey_avx
+#endif /* __APPLE__ */
+        vpxor	%ymm0, %ymm0, %ymm0
+        vmovdqu	%ymm0, 64(%rdi)
+        vmovdqu	%ymm0, 96(%rdi)
+        vmovdqu	%ymm0, 128(%rdi)
+        vmovdqu	%ymm0, 160(%rdi)
+        vmovdqu	%ymm0, 192(%rdi)
+        movq	$0x00, 608(%rdi)
+        movw	$0x00, 616(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_setkey_avx2,.-poly1305_setkey_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_poly1305_avx2_blocks_mask:
+.quad	0x3ffffff, 0x3ffffff
+.quad	0x3ffffff, 0x3ffffff
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_poly1305_avx2_blocks_hibit:
+.quad	0x1000000, 0x1000000
+.quad	0x1000000, 0x1000000
+#ifndef __APPLE__
+.text
+.globl	poly1305_blocks_avx2
+.type	poly1305_blocks_avx2,@function
+.align	4
+poly1305_blocks_avx2:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_blocks_avx2
+.p2align	2
+_poly1305_blocks_avx2:
+#endif /* __APPLE__ */
+        pushq	%r12
+        pushq	%rbx
+        subq	$0x140, %rsp
+        movq	%rsp, %rcx
+        andq	$-32, %rcx
+        addq	$32, %rcx
+        vpxor	%ymm15, %ymm15, %ymm15
+        movq	%rcx, %rbx
+        leaq	64(%rdi), %rax
+        addq	$0xa0, %rbx
+        cmpw	$0x00, 616(%rdi)
+        jne	L_poly1305_avx2_blocks_begin_h
+        # Load the message data
+        vmovdqu	(%rsi), %ymm0
+        vmovdqu	32(%rsi), %ymm1
+        vperm2i128	$32, %ymm1, %ymm0, %ymm2
+        vperm2i128	$49, %ymm1, %ymm0, %ymm0
+        vpunpckldq	%ymm0, %ymm2, %ymm1
+        vpunpckhdq	%ymm0, %ymm2, %ymm3
+        vpunpckldq	%ymm15, %ymm1, %ymm0
+        vpunpckhdq	%ymm15, %ymm1, %ymm1
+        vpunpckldq	%ymm15, %ymm3, %ymm2
+        vpunpckhdq	%ymm15, %ymm3, %ymm3
+        vmovdqu	L_poly1305_avx2_blocks_hibit(%rip), %ymm4
+        vpsllq	$6, %ymm1, %ymm1
+        vpsllq	$12, %ymm2, %ymm2
+        vpsllq	$18, %ymm3, %ymm3
+        vmovdqu	L_poly1305_avx2_blocks_mask(%rip), %ymm14
+        # Reduce, in place, the message data
+        vpsrlq	$26, %ymm0, %ymm10
+        vpsrlq	$26, %ymm3, %ymm11
+        vpand	%ymm14, %ymm0, %ymm0
+        vpand	%ymm14, %ymm3, %ymm3
+        vpaddq	%ymm1, %ymm10, %ymm1
+        vpaddq	%ymm4, %ymm11, %ymm4
+        vpsrlq	$26, %ymm1, %ymm10
+        vpsrlq	$26, %ymm4, %ymm11
+        vpand	%ymm14, %ymm1, %ymm1
+        vpand	%ymm14, %ymm4, %ymm4
+        vpaddq	%ymm2, %ymm10, %ymm2
+        vpslld	$2, %ymm11, %ymm12
+        vpaddd	%ymm12, %ymm11, %ymm12
+        vpsrlq	$26, %ymm2, %ymm10
+        vpaddq	%ymm0, %ymm12, %ymm0
+        vpsrlq	$26, %ymm0, %ymm11
+        vpand	%ymm14, %ymm2, %ymm2
+        vpand	%ymm14, %ymm0, %ymm0
+        vpaddq	%ymm3, %ymm10, %ymm3
+        vpaddq	%ymm1, %ymm11, %ymm1
+        vpsrlq	$26, %ymm3, %ymm10
+        vpand	%ymm14, %ymm3, %ymm3
+        vpaddq	%ymm4, %ymm10, %ymm4
+        addq	$0x40, %rsi
+        subq	$0x40, %rdx
+        jz	L_poly1305_avx2_blocks_store
+        jmp	L_poly1305_avx2_blocks_load_r4
+L_poly1305_avx2_blocks_begin_h:
+        # Load the H values.
+        vmovdqu	(%rax), %ymm0
+        vmovdqu	32(%rax), %ymm1
+        vmovdqu	64(%rax), %ymm2
+        vmovdqu	96(%rax), %ymm3
+        vmovdqu	128(%rax), %ymm4
+        # Check if there is a power of r to load - otherwise use r^4.
+        cmpb	$0x00, 616(%rdi)
+        je	L_poly1305_avx2_blocks_load_r4
+        # Load the 4 powers of r - r^4, r^3, r^2, r^1.
+        vmovdqu	224(%rdi), %ymm8
+        vmovdqu	256(%rdi), %ymm7
+        vmovdqu	288(%rdi), %ymm6
+        vmovdqu	320(%rdi), %ymm5
+        vpermq	$0xd8, %ymm5, %ymm5
+        vpermq	$0xd8, %ymm6, %ymm6
+        vpermq	$0xd8, %ymm7, %ymm7
+        vpermq	$0xd8, %ymm8, %ymm8
+        vpunpcklqdq	%ymm6, %ymm5, %ymm10
+        vpunpckhqdq	%ymm6, %ymm5, %ymm11
+        vpunpcklqdq	%ymm8, %ymm7, %ymm12
+        vpunpckhqdq	%ymm8, %ymm7, %ymm13
+        vperm2i128	$32, %ymm12, %ymm10, %ymm5
+        vperm2i128	$49, %ymm12, %ymm10, %ymm7
+        vperm2i128	$32, %ymm13, %ymm11, %ymm9
+        vpsrlq	$32, %ymm5, %ymm6
+        vpsrlq	$32, %ymm7, %ymm8
+        jmp	L_poly1305_avx2_blocks_mul_5
+L_poly1305_avx2_blocks_load_r4:
+        # Load r^4 into all four positions.
+        vmovdqu	320(%rdi), %ymm13
+        vpermq	$0x00, %ymm13, %ymm5
+        vpsrlq	$32, %ymm13, %ymm14
+        vpermq	$0x55, %ymm13, %ymm7
+        vpermq	$0xaa, %ymm13, %ymm9
+        vpermq	$0x00, %ymm14, %ymm6
+        vpermq	$0x55, %ymm14, %ymm8
+L_poly1305_avx2_blocks_mul_5:
+        # Multiply top 4 26-bit values of all four H by 5
+        vpslld	$2, %ymm6, %ymm10
+        vpslld	$2, %ymm7, %ymm11
+        vpslld	$2, %ymm8, %ymm12
+        vpslld	$2, %ymm9, %ymm13
+        vpaddq	%ymm10, %ymm6, %ymm10
+        vpaddq	%ymm11, %ymm7, %ymm11
+        vpaddq	%ymm12, %ymm8, %ymm12
+        vpaddq	%ymm13, %ymm9, %ymm13
+        # Store powers of r and multiple of 5 for use in multiply.
+        vmovdqa	%ymm10, (%rbx)
+        vmovdqa	%ymm11, 32(%rbx)
+        vmovdqa	%ymm12, 64(%rbx)
+        vmovdqa	%ymm13, 96(%rbx)
+        vmovdqa	%ymm5, (%rcx)
+        vmovdqa	%ymm6, 32(%rcx)
+        vmovdqa	%ymm7, 64(%rcx)
+        vmovdqa	%ymm8, 96(%rcx)
+        vmovdqa	%ymm9, 128(%rcx)
+        vmovdqu	L_poly1305_avx2_blocks_mask(%rip), %ymm14
+        # If not finished then loop over data
+        cmpb	$0x01, 616(%rdi)
+        jne	L_poly1305_avx2_blocks_start
+        # Do last multiply, reduce, add the four H together and move to
+        # 32-bit registers
+        vpmuludq	(%rbx), %ymm4, %ymm5
+        vpmuludq	32(%rbx), %ymm3, %ymm10
+        vpmuludq	32(%rbx), %ymm4, %ymm6
+        vpmuludq	64(%rbx), %ymm3, %ymm11
+        vpmuludq	64(%rbx), %ymm4, %ymm7
+        vpaddq	%ymm5, %ymm10, %ymm5
+        vpmuludq	64(%rbx), %ymm2, %ymm12
+        vpmuludq	96(%rbx), %ymm4, %ymm8
+        vpaddq	%ymm6, %ymm11, %ymm6
+        vpmuludq	96(%rbx), %ymm1, %ymm13
+        vpmuludq	96(%rbx), %ymm2, %ymm10
+        vpaddq	%ymm5, %ymm12, %ymm5
+        vpmuludq	96(%rbx), %ymm3, %ymm11
+        vpmuludq	(%rcx), %ymm3, %ymm12
+        vpaddq	%ymm5, %ymm13, %ymm5
+        vpmuludq	(%rcx), %ymm4, %ymm9
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	(%rcx), %ymm0, %ymm13
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	(%rcx), %ymm1, %ymm10
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	(%rcx), %ymm2, %ymm11
+        vpmuludq	32(%rcx), %ymm2, %ymm12
+        vpaddq	%ymm5, %ymm13, %ymm5
+        vpmuludq	32(%rcx), %ymm3, %ymm13
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	32(%rcx), %ymm0, %ymm10
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	32(%rcx), %ymm1, %ymm11
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	64(%rcx), %ymm1, %ymm12
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpmuludq	64(%rcx), %ymm2, %ymm13
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	64(%rcx), %ymm0, %ymm10
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	96(%rcx), %ymm0, %ymm11
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	96(%rcx), %ymm1, %ymm12
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpaddq	%ymm7, %ymm10, %ymm7
+        vpmuludq	128(%rcx), %ymm0, %ymm13
+        vpaddq	%ymm8, %ymm11, %ymm8
+        vpaddq	%ymm9, %ymm12, %ymm9
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpsrlq	$26, %ymm5, %ymm10
+        vpsrlq	$26, %ymm8, %ymm11
+        vpand	%ymm14, %ymm5, %ymm5
+        vpand	%ymm14, %ymm8, %ymm8
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpaddq	%ymm9, %ymm11, %ymm9
+        vpsrlq	$26, %ymm6, %ymm10
+        vpsrlq	$26, %ymm9, %ymm11
+        vpand	%ymm14, %ymm6, %ymm1
+        vpand	%ymm14, %ymm9, %ymm4
+        vpaddq	%ymm7, %ymm10, %ymm7
+        vpslld	$2, %ymm11, %ymm12
+        vpaddd	%ymm12, %ymm11, %ymm12
+        vpsrlq	$26, %ymm7, %ymm10
+        vpaddq	%ymm5, %ymm12, %ymm5
+        vpsrlq	$26, %ymm5, %ymm11
+        vpand	%ymm14, %ymm7, %ymm2
+        vpand	%ymm14, %ymm5, %ymm0
+        vpaddq	%ymm8, %ymm10, %ymm8
+        vpaddq	%ymm1, %ymm11, %ymm1
+        vpsrlq	$26, %ymm8, %ymm10
+        vpand	%ymm14, %ymm8, %ymm3
+        vpaddq	%ymm4, %ymm10, %ymm4
+        vpsrldq	$8, %ymm0, %ymm5
+        vpsrldq	$8, %ymm1, %ymm6
+        vpsrldq	$8, %ymm2, %ymm7
+        vpsrldq	$8, %ymm3, %ymm8
+        vpsrldq	$8, %ymm4, %ymm9
+        vpaddq	%ymm0, %ymm5, %ymm0
+        vpaddq	%ymm1, %ymm6, %ymm1
+        vpaddq	%ymm2, %ymm7, %ymm2
+        vpaddq	%ymm3, %ymm8, %ymm3
+        vpaddq	%ymm4, %ymm9, %ymm4
+        vpermq	$2, %ymm0, %ymm5
+        vpermq	$2, %ymm1, %ymm6
+        vpermq	$2, %ymm2, %ymm7
+        vpermq	$2, %ymm3, %ymm8
+        vpermq	$2, %ymm4, %ymm9
+        vpaddq	%ymm0, %ymm5, %ymm0
+        vpaddq	%ymm1, %ymm6, %ymm1
+        vpaddq	%ymm2, %ymm7, %ymm2
+        vpaddq	%ymm3, %ymm8, %ymm3
+        vpaddq	%ymm4, %ymm9, %ymm4
+        vmovd	%xmm0, %r8d
+        vmovd	%xmm1, %r9d
+        vmovd	%xmm2, %r10d
+        vmovd	%xmm3, %r11d
+        vmovd	%xmm4, %r12d
+        jmp	L_poly1305_avx2_blocks_end_calc
+L_poly1305_avx2_blocks_start:
+        vmovdqu	(%rsi), %ymm5
+        vmovdqu	32(%rsi), %ymm6
+        vperm2i128	$32, %ymm6, %ymm5, %ymm7
+        vperm2i128	$49, %ymm6, %ymm5, %ymm5
+        vpunpckldq	%ymm5, %ymm7, %ymm6
+        vpunpckhdq	%ymm5, %ymm7, %ymm8
+        vpunpckldq	%ymm15, %ymm6, %ymm5
+        vpunpckhdq	%ymm15, %ymm6, %ymm6
+        vpunpckldq	%ymm15, %ymm8, %ymm7
+        vpunpckhdq	%ymm15, %ymm8, %ymm8
+        vmovdqu	L_poly1305_avx2_blocks_hibit(%rip), %ymm9
+        vpsllq	$6, %ymm6, %ymm6
+        vpsllq	$12, %ymm7, %ymm7
+        vpsllq	$18, %ymm8, %ymm8
+        vpmuludq	(%rbx), %ymm4, %ymm10
+        vpaddq	%ymm5, %ymm10, %ymm5
+        vpmuludq	32(%rbx), %ymm3, %ymm10
+        vpmuludq	32(%rbx), %ymm4, %ymm11
+        vpaddq	%ymm6, %ymm11, %ymm6
+        vpmuludq	64(%rbx), %ymm3, %ymm11
+        vpmuludq	64(%rbx), %ymm4, %ymm12
+        vpaddq	%ymm7, %ymm12, %ymm7
+        vpaddq	%ymm5, %ymm10, %ymm5
+        vpmuludq	64(%rbx), %ymm2, %ymm12
+        vpmuludq	96(%rbx), %ymm4, %ymm13
+        vpaddq	%ymm8, %ymm13, %ymm8
+        vpaddq	%ymm6, %ymm11, %ymm6
+        vpmuludq	96(%rbx), %ymm1, %ymm13
+        vpmuludq	96(%rbx), %ymm2, %ymm10
+        vpaddq	%ymm5, %ymm12, %ymm5
+        vpmuludq	96(%rbx), %ymm3, %ymm11
+        vpmuludq	(%rcx), %ymm3, %ymm12
+        vpaddq	%ymm5, %ymm13, %ymm5
+        vpmuludq	(%rcx), %ymm4, %ymm13
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	(%rcx), %ymm0, %ymm13
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	(%rcx), %ymm1, %ymm10
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	(%rcx), %ymm2, %ymm11
+        vpmuludq	32(%rcx), %ymm2, %ymm12
+        vpaddq	%ymm5, %ymm13, %ymm5
+        vpmuludq	32(%rcx), %ymm3, %ymm13
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	32(%rcx), %ymm0, %ymm10
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	32(%rcx), %ymm1, %ymm11
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	64(%rcx), %ymm1, %ymm12
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpmuludq	64(%rcx), %ymm2, %ymm13
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpmuludq	64(%rcx), %ymm0, %ymm10
+        vpaddq	%ymm7, %ymm11, %ymm7
+        vpmuludq	96(%rcx), %ymm0, %ymm11
+        vpaddq	%ymm8, %ymm12, %ymm8
+        vpmuludq	96(%rcx), %ymm1, %ymm12
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpaddq	%ymm7, %ymm10, %ymm7
+        vpmuludq	128(%rcx), %ymm0, %ymm13
+        vpaddq	%ymm8, %ymm11, %ymm8
+        vpaddq	%ymm9, %ymm12, %ymm9
+        vpaddq	%ymm9, %ymm13, %ymm9
+        vpsrlq	$26, %ymm5, %ymm10
+        vpsrlq	$26, %ymm8, %ymm11
+        vpand	%ymm14, %ymm5, %ymm5
+        vpand	%ymm14, %ymm8, %ymm8
+        vpaddq	%ymm6, %ymm10, %ymm6
+        vpaddq	%ymm9, %ymm11, %ymm9
+        vpsrlq	$26, %ymm6, %ymm10
+        vpsrlq	$26, %ymm9, %ymm11
+        vpand	%ymm14, %ymm6, %ymm1
+        vpand	%ymm14, %ymm9, %ymm4
+        vpaddq	%ymm7, %ymm10, %ymm7
+        vpslld	$2, %ymm11, %ymm12
+        vpaddd	%ymm12, %ymm11, %ymm12
+        vpsrlq	$26, %ymm7, %ymm10
+        vpaddq	%ymm5, %ymm12, %ymm5
+        vpsrlq	$26, %ymm5, %ymm11
+        vpand	%ymm14, %ymm7, %ymm2
+        vpand	%ymm14, %ymm5, %ymm0
+        vpaddq	%ymm8, %ymm10, %ymm8
+        vpaddq	%ymm1, %ymm11, %ymm1
+        vpsrlq	$26, %ymm8, %ymm10
+        vpand	%ymm14, %ymm8, %ymm3
+        vpaddq	%ymm4, %ymm10, %ymm4
+        addq	$0x40, %rsi
+        subq	$0x40, %rdx
+        jnz	L_poly1305_avx2_blocks_start
+L_poly1305_avx2_blocks_store:
+        # Store four H values - state
+        vmovdqu	%ymm0, (%rax)
+        vmovdqu	%ymm1, 32(%rax)
+        vmovdqu	%ymm2, 64(%rax)
+        vmovdqu	%ymm3, 96(%rax)
+        vmovdqu	%ymm4, 128(%rax)
+L_poly1305_avx2_blocks_end_calc:
+        cmpb	$0x00, 616(%rdi)
+        je	L_poly1305_avx2_blocks_complete
+        movq	%r8, %rax
+        movq	%r10, %rdx
+        movq	%r12, %rcx
+        shrq	$12, %rdx
+        shrq	$24, %rcx
+        shlq	$26, %r9
+        shlq	$52, %r10
+        shlq	$14, %r11
+        shlq	$40, %r12
+        addq	%r9, %rax
+        adcq	%r10, %rax
+        adcq	%r11, %rdx
+        adcq	%r12, %rdx
+        adcq	$0x00, %rcx
+        movq	%rcx, %r8
+        andq	$3, %rcx
+        shrq	$2, %r8
+        leaq	0(%r8,%r8,4), %r8
+        addq	%r8, %rax
+        adcq	$0x00, %rdx
+        adcq	$0x00, %rcx
+        movq	%rax, 24(%rdi)
+        movq	%rdx, 32(%rdi)
+        movq	%rcx, 40(%rdi)
+L_poly1305_avx2_blocks_complete:
+        movb	$0x01, 617(%rdi)
+        addq	$0x140, %rsp
+        popq	%rbx
+        popq	%r12
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_blocks_avx2,.-poly1305_blocks_avx2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	poly1305_final_avx2
+.type	poly1305_final_avx2,@function
+.align	4
+poly1305_final_avx2:
+#else
+.section	__TEXT,__text
+.globl	_poly1305_final_avx2
+.p2align	2
+_poly1305_final_avx2:
+#endif /* __APPLE__ */
+        movb	$0x01, 616(%rdi)
+        movb	617(%rdi), %cl
+        cmpb	$0x00, %cl
+        je	L_poly1305_avx2_final_done_blocks_X4
+        pushq	%rsi
+        movq	$0x40, %rdx
+        xorq	%rsi, %rsi
+#ifndef __APPLE__
+        callq	poly1305_blocks_avx2@plt
+#else
+        callq	_poly1305_blocks_avx2
+#endif /* __APPLE__ */
+        popq	%rsi
+L_poly1305_avx2_final_done_blocks_X4:
+        movq	608(%rdi), %rax
+        movq	%rax, %rcx
+        andq	$-16, %rcx
+        cmpb	$0x00, %cl
+        je	L_poly1305_avx2_final_done_blocks
+        pushq	%rcx
+        pushq	%rax
+        pushq	%rsi
+        movq	%rcx, %rdx
+        leaq	480(%rdi), %rsi
+#ifndef __APPLE__
+        callq	poly1305_blocks_avx@plt
+#else
+        callq	_poly1305_blocks_avx
+#endif /* __APPLE__ */
+        popq	%rsi
+        popq	%rax
+        popq	%rcx
+L_poly1305_avx2_final_done_blocks:
+        subq	%rcx, 608(%rdi)
+        xorq	%rdx, %rdx
+        jmp	L_poly1305_avx2_final_cmp_copy
+L_poly1305_avx2_final_start_copy:
+        movb	480(%rdi,%rcx,1), %r8b
+        movb	%r8b, 480(%rdi,%rdx,1)
+        incb	%cl
+        incb	%dl
+L_poly1305_avx2_final_cmp_copy:
+        cmp	%rcx, %rax
+        jne	L_poly1305_avx2_final_start_copy
+#ifndef __APPLE__
+        callq	poly1305_final_avx@plt
+#else
+        callq	_poly1305_final_avx
+#endif /* __APPLE__ */
+        vpxor	%ymm0, %ymm0, %ymm0
+        vmovdqu	%ymm0, 64(%rdi)
+        vmovdqu	%ymm0, 96(%rdi)
+        vmovdqu	%ymm0, 128(%rdi)
+        vmovdqu	%ymm0, 160(%rdi)
+        vmovdqu	%ymm0, 192(%rdi)
+        vmovdqu	%ymm0, 224(%rdi)
+        vmovdqu	%ymm0, 256(%rdi)
+        vmovdqu	%ymm0, 288(%rdi)
+        vmovdqu	%ymm0, 320(%rdi)
+        movq	$0x00, 608(%rdi)
+        movw	$0x00, 616(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	poly1305_final_avx2,.-poly1305_final_avx2
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/pic32/pic32mz-crypt.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/pic32/pic32mz-crypt.c
new file mode 100644
index 000000000..1e618c194
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/pic32/pic32mz-crypt.c
@@ -0,0 +1,804 @@
+/* pic32mz-crypt.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef WOLFSSL_MICROCHIP_PIC32MZ
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+
+#include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
+
+#ifdef WOLFSSL_PIC32MZ_CRYPT
+#include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/des3.h>
+#endif
+
+#ifdef WOLFSSL_PIC32MZ_HASH
+#include <wolfssl/wolfcrypt/md5.h>
+#include <wolfssl/wolfcrypt/sha.h>
+#include <wolfssl/wolfcrypt/sha256.h>
+#endif
+
+
+#if defined(WOLFSSL_PIC32MZ_CRYPT) || defined(WOLFSSL_PIC32MZ_HASH)
+
+static int Pic32GetBlockSize(int algo)
+{
+    switch (algo) {
+        case PIC32_ALGO_HMAC1:
+            return PIC32_BLOCKSIZE_HMAC;
+        case PIC32_ALGO_SHA256:
+            return PIC32_BLOCKSIZE_SHA256;
+        case PIC32_ALGO_SHA1:
+            return PIC32_BLOCKSIZE_SHA1;
+        case PIC32_ALGO_MD5:
+            return PIC32_BLOCKSIZE_MD5;
+        case PIC32_ALGO_AES:
+            return PIC32_BLOCKSIZE_AES;
+        case PIC32_ALGO_TDES:
+            return PIC32_BLOCKSIZE_TDES;
+        case PIC32_ALGO_DES:
+            return PIC32_BLOCKSIZE_DES;
+    }
+    return 0;
+}
+
+static int Pic32Crypto(const byte* pIn, int inLen, word32* pOut, int outLen,
+    int dir, int algo, int cryptoalgo,
+
+    /* For DES/AES only */
+    word32* key, int keyLen, word32* iv, int ivLen)
+{
+    int ret = 0;
+    int blockSize = Pic32GetBlockSize(algo);
+    volatile bufferDescriptor bd __attribute__((aligned (8)));
+    securityAssociation sa __attribute__((aligned (8)));
+    securityAssociation *sa_p;
+    bufferDescriptor *bd_p;
+    byte *in_p;
+    byte *out_p;
+    word32* dst;
+    word32 padRemain;
+    int timeout = 0xFFFFFF;
+    word32* in = (word32*)pIn;
+    word32* out = pOut;
+    int isDynamic = 0;
+
+    /* check args */
+    if (in == NULL || inLen <= 0 || out == NULL || blockSize == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* check pointer alignment - must be word aligned */
+    if (((size_t)in % sizeof(word32)) || ((size_t)out % sizeof(word32))) {
+        /* dynamically allocate aligned pointers */
+        isDynamic = 1;
+        in = (word32*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_AES_BUFFER);
+        if (in == NULL)
+            return MEMORY_E;
+        if ((word32*)pIn == pOut) /* inline */
+            out = (word32*)in;
+        else {
+            out = (word32*)XMALLOC(outLen, NULL, DYNAMIC_TYPE_AES_BUFFER);
+            if (out == NULL) {
+                XFREE(in, NULL, DYNAMIC_TYPE_AES_BUFFER);
+                return MEMORY_E;
+            }
+        }
+        XMEMCPY(in, pIn, inLen);
+    }
+
+    /* get uncached address */
+    sa_p = KVA0_TO_KVA1(&sa);
+    bd_p = KVA0_TO_KVA1(&bd);
+    out_p= KVA0_TO_KVA1(out);
+    in_p = KVA0_TO_KVA1(in);
+
+    /* Sync cache if in physical memory (not flash) */
+    if (PIC32MZ_IF_RAM(in_p)) {
+        XMEMCPY(in_p, in, inLen);
+    }
+
+    /* Set up the Security Association */
+    XMEMSET(sa_p, 0, sizeof(sa));
+    sa_p->SA_CTRL.ALGO = algo;
+    sa_p->SA_CTRL.ENCTYPE = dir;
+    sa_p->SA_CTRL.FB = 1; /* first block */
+    sa_p->SA_CTRL.LNC = 1; /* Load new set of keys */
+    if (key) {
+        /* cipher */
+        sa_p->SA_CTRL.CRYPTOALGO = cryptoalgo;
+
+        switch (keyLen) {
+            case 32:
+                sa_p->SA_CTRL.KEYSIZE = PIC32_KEYSIZE_256;
+                break;
+            case 24:
+            case 8: /* DES */
+                sa_p->SA_CTRL.KEYSIZE = PIC32_KEYSIZE_192;
+                break;
+            case 16:
+                sa_p->SA_CTRL.KEYSIZE = PIC32_KEYSIZE_128;
+                break;
+        }
+
+        dst = (word32*)KVA0_TO_KVA1(sa.SA_ENCKEY +
+            (sizeof(sa.SA_ENCKEY)/sizeof(word32)) - (keyLen/sizeof(word32)));
+        ByteReverseWords(dst, key, keyLen);
+
+        if (iv && ivLen > 0) {
+            sa_p->SA_CTRL.LOADIV = 1;
+            dst = (word32*)KVA0_TO_KVA1(sa.SA_ENCIV +
+                (sizeof(sa.SA_ENCIV)/sizeof(word32)) - (ivLen/sizeof(word32)));
+            ByteReverseWords(dst, iv, ivLen);
+        }
+    }
+    else {
+        /* hashing */
+        sa_p->SA_CTRL.LOADIV = 1;
+        sa_p->SA_CTRL.IRFLAG = 0; /* immediate result for hashing */
+
+        dst = (word32*)KVA0_TO_KVA1(sa.SA_AUTHIV +
+            (sizeof(sa.SA_AUTHIV)/sizeof(word32)) - (outLen/sizeof(word32)));
+        ByteReverseWords(dst, out, outLen);
+    }
+
+    /* Set up the Buffer Descriptor */
+    XMEMSET(bd_p, 0, sizeof(bd));
+    bd_p->BD_CTRL.BUFLEN = inLen;
+    padRemain = (inLen % 4); /* make sure buffer is 4-byte multiple */
+    if (padRemain != 0) {
+        bd_p->BD_CTRL.BUFLEN += (4 - padRemain);
+    }
+    bd_p->BD_CTRL.SA_FETCH_EN = 1; /* Fetch the security association */
+    bd_p->BD_CTRL.PKT_INT_EN = 1;  /* enable interrupt */
+    bd_p->BD_CTRL.LAST_BD = 1;     /* last buffer desc in chain */
+    bd_p->BD_CTRL.LIFM = 1;        /* last in frame */
+    bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa);
+    bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in);
+    if (key) {
+        /* cipher */
+        if (in != out)
+            XMEMSET(out_p, 0, outLen); /* clear output buffer */
+        bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out);
+    }
+    else {
+        /* hashing */
+        /* digest result returned in UPDPTR */
+        bd_p->UPDPTR = (unsigned int)KVA_TO_PA(out);
+    }
+    bd_p->NXTPTR = (unsigned int)KVA_TO_PA(&bd);
+    bd_p->MSGLEN = inLen;          /* actual message size */
+    bd_p->BD_CTRL.DESC_EN = 1;     /* enable this descriptor */
+
+    /* begin access to hardware */
+    ret = wolfSSL_CryptHwMutexLock();
+    if (ret == 0) {
+        /* Software Reset the Crypto Engine */
+        CECON = 1 << 6;
+        while (CECON);
+
+        /* Clear the interrupt flags */
+        CEINTSRC = 0xF;
+
+        /* Run the engine */
+        CEBDPADDR = (unsigned int)KVA_TO_PA(&bd);
+        CEINTEN = 0x07; /* enable DMA Packet Completion Interrupt */
+
+        /* input swap, enable BD fetch and start DMA */
+    #if PIC32_NO_OUT_SWAP
+        CECON = 0x25;
+    #else
+        CECON = 0xa5; /* bit 7 = enable out swap */
+    #endif
+
+        /* wait for operation to complete */
+        while (CEINTSRCbits.PKTIF == 0 && --timeout > 0) {};
+
+        /* Clear the interrupt flags */
+        CEINTSRC = 0xF;
+
+        /* check for errors */
+        if (CESTATbits.ERROP || timeout <= 0) {
+        #if 0
+            printf("PIC32 Crypto: ERROP %x, ERRPHASE %x, TIMEOUT %s\n",
+                CESTATbits.ERROP, CESTATbits.ERRPHASE, timeout <= 0 ? "yes" : "no");
+        #endif
+            ret = ASYNC_OP_E;
+        }
+
+        wolfSSL_CryptHwMutexUnLock();
+
+        /* copy result to output */
+    #if PIC32_NO_OUT_SWAP
+        /* swap bytes */
+        ByteReverseWords(out, (word32*)out_p, outLen);
+    #elif defined(_SYS_DEVCON_LOCAL_H)
+        /* sync cache */
+        SYS_DEVCON_DataCacheInvalidate((word32)out, outLen);
+    #else
+        XMEMCPY(out, out_p, outLen);
+    #endif
+    }
+
+    /* handle unaligned */
+    if (isDynamic) {
+        /* return result */
+        XMEMCPY(pOut, out, outLen);
+
+        /* free dynamic buffers */
+        XFREE(in, NULL, DYNAMIC_TYPE_AES_BUFFER);
+        if ((word32*)pIn != pOut)
+            XFREE(out, NULL, DYNAMIC_TYPE_AES_BUFFER);
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_PIC32MZ_CRYPT || WOLFSSL_PIC32MZ_HASH */
+
+
+#ifdef WOLFSSL_PIC32MZ_HASH
+
+#ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+
+/* tunable large hash block size */
+#ifndef PIC32_BLOCK_SIZE
+    #define PIC32_BLOCK_SIZE 256
+#endif
+
+#define PIC32MZ_MIN_BLOCK    64
+#define PIC32MZ_MAX_BLOCK    (32*1024)
+
+#ifndef PIC32MZ_MAX_BD
+    #define PIC32MZ_MAX_BD   2
+#endif
+
+#if PIC32_BLOCK_SIZE < PIC32MZ_MIN_BLOCK
+    #error Encryption block size must be at least 64 bytes.
+#endif
+
+/* Crypt Engine descriptor */
+typedef struct {
+    int currBd;
+    int err;
+    unsigned int msgSize;
+    uint32_t processed;
+    uint32_t dbPtr;
+    int engine_ready;
+    volatile bufferDescriptor   bd[PIC32MZ_MAX_BD] __attribute__((aligned (8)));
+    securityAssociation         sa                 __attribute__((aligned (8)));
+} pic32mz_desc;
+
+static pic32mz_desc gLHDesc;
+static uint8_t gLHDataBuf[PIC32MZ_MAX_BD][PIC32_BLOCK_SIZE] __attribute__((aligned (4), coherent));
+
+static void reset_engine(pic32mz_desc *desc, int algo)
+{
+    int i;
+    pic32mz_desc* uc_desc = KVA0_TO_KVA1(desc);
+
+    wolfSSL_CryptHwMutexLock();
+
+    /* Software reset */
+    CECON = 1 << 6;
+    while (CECON);
+
+    /* Clear the interrupt flags */
+    CEINTSRC = 0xF;
+
+    /* Make sure everything is clear first before we setup */
+    XMEMSET(desc, 0, sizeof(pic32mz_desc));
+    XMEMSET((void *)&uc_desc->sa, 0, sizeof(uc_desc->sa));
+
+    /* Set up the Security Association */
+    uc_desc->sa.SA_CTRL.ALGO = algo;
+    uc_desc->sa.SA_CTRL.LNC = 1;
+    uc_desc->sa.SA_CTRL.FB = 1;
+    uc_desc->sa.SA_CTRL.ENCTYPE = 1;
+    uc_desc->sa.SA_CTRL.LOADIV = 1;
+
+    /* Set up the Buffer Descriptor */
+    uc_desc->err = 0;
+    for (i = 0; i < PIC32MZ_MAX_BD; i++) {
+        XMEMSET((void *)&uc_desc->bd[i], 0, sizeof(uc_desc->bd[i]));
+        uc_desc->bd[i].BD_CTRL.LAST_BD = 1;
+        uc_desc->bd[i].BD_CTRL.LIFM = 1;
+        uc_desc->bd[i].BD_CTRL.PKT_INT_EN = 1;
+        uc_desc->bd[i].SA_ADDR = KVA_TO_PA(&uc_desc->sa);
+        uc_desc->bd[i].SRCADDR = KVA_TO_PA(&gLHDataBuf[i]);
+        if (PIC32MZ_MAX_BD > i+1)
+            uc_desc->bd[i].NXTPTR = KVA_TO_PA(&uc_desc->bd[i+1]);
+        else
+            uc_desc->bd[i].NXTPTR = KVA_TO_PA(&uc_desc->bd[0]);
+        XMEMSET((void *)&gLHDataBuf[i], 0, PIC32_BLOCK_SIZE);
+    }
+    uc_desc->bd[0].BD_CTRL.SA_FETCH_EN = 1; /* Fetch the security association on the first BD */
+    desc->dbPtr = 0;
+    desc->currBd = 0;
+    desc->msgSize = 0;
+    desc->processed = 0;
+    CEBDPADDR = KVA_TO_PA(&(desc->bd[0]));
+
+    CEPOLLCON = 10;
+
+#if PIC32_NO_OUT_SWAP
+    CECON = 0x27;
+#else
+    CECON = 0xa7;
+#endif
+}
+
+static void update_engine(pic32mz_desc *desc, const byte *input, word32 len,
+    word32 *hash)
+{
+    int total;
+    pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc);
+
+    uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash);
+
+    /* Add the data to the current buffer. If the buffer fills, start processing it
+       and fill the next one. */
+    while (len) {
+        /* If we've been given the message size, we can process along the
+           way.
+           Enable the current buffer descriptor if it is full. */
+        if (desc->dbPtr >= PIC32_BLOCK_SIZE) {
+            /* Wrap up the buffer descriptor and enable it so the engine can process */
+            uc_desc->bd[desc->currBd].MSGLEN = desc->msgSize;
+            uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = desc->dbPtr;
+            uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 0;
+            uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 0;
+            uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN = 1;
+            /* Move to the next buffer descriptor, or wrap around. */
+            desc->currBd++;
+            if (desc->currBd >= PIC32MZ_MAX_BD)
+                desc->currBd = 0;
+            /* Wait until the engine has processed the new BD. */
+            while (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN);
+            uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash);
+            desc->dbPtr = 0;
+        }
+        if (!PIC32MZ_IF_RAM(input)) {
+            /* If we're inputting from flash, let the BD have
+               the address and max the buffer size */
+            uc_desc->bd[desc->currBd].SRCADDR = KVA_TO_PA(input);
+            total = (len > PIC32MZ_MAX_BLOCK ? PIC32MZ_MAX_BLOCK : len);
+            desc->dbPtr = total;
+            len -= total;
+            input += total;
+        }
+        else {
+            if (len > PIC32_BLOCK_SIZE - desc->dbPtr) {
+                /* We have more data than can be put in the buffer. Fill what we can.*/
+                total = PIC32_BLOCK_SIZE - desc->dbPtr;
+                XMEMCPY(&gLHDataBuf[desc->currBd][desc->dbPtr], input, total);
+                len -= total;
+                desc->dbPtr = PIC32_BLOCK_SIZE;
+                input += total;
+            }
+            else {
+                /* Fill up what we have, but don't turn on the engine.*/
+                XMEMCPY(&gLHDataBuf[desc->currBd][desc->dbPtr], input, len);
+                desc->dbPtr += len;
+                len = 0;
+            }
+        }
+    }
+}
+
+static void start_engine(pic32mz_desc *desc)
+{
+    /* Wrap up the last buffer descriptor and enable it */
+    int bufferLen;
+    pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc);
+
+    bufferLen = desc->dbPtr;
+    if (bufferLen % 4)
+        bufferLen = (bufferLen + 4) - (bufferLen % 4);
+    /* initialize the MSGLEN on engine startup to avoid infinite loop when
+     * length is less than 257 (size of PIC32_BLOCK_SIZE) */
+    uc_desc->bd[desc->currBd].MSGLEN = desc->msgSize;
+    uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = bufferLen;
+    uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 1;
+    uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 1;
+    uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN = 1;
+}
+
+void wait_engine(pic32mz_desc *desc, char *hash, int hash_sz)
+{
+    int i;
+    pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc);
+    unsigned int engineRunning;
+
+    do {
+        engineRunning = 0;
+        for (i = 0; i < PIC32MZ_MAX_BD; i++) {
+            engineRunning = engineRunning || uc_desc->bd[i].BD_CTRL.DESC_EN;
+        }
+    } while (engineRunning);
+
+#if PIC32_NO_OUT_SWAP
+    /* swap bytes */
+    ByteReverseWords(hash, KVA0_TO_KVA1(hash), hash_sz);
+#else
+    /* copy output - hardware already swapped */
+    XMEMCPY(hash, KVA0_TO_KVA1(hash), hash_sz);
+#endif
+
+    wolfSSL_CryptHwMutexUnLock();
+}
+
+#endif /* WOLFSSL_PIC32MZ_LARGE_HASH */
+
+int wc_Pic32Hash(const byte* in, int inLen, word32* out, int outLen, int algo)
+{
+    return Pic32Crypto(in, inLen, out, outLen, PIC32_ENCRYPTION, algo, 0,
+        NULL, 0, NULL, 0);
+}
+
+int wc_Pic32HashCopy(hashUpdCache* src, hashUpdCache* dst)
+{
+    /* mark destination as copy, so cache->buf is not free'd */
+    if (dst) {
+        dst->isCopy = 1;
+    }
+    return 0;
+}
+
+static int wc_Pic32HashUpdate(hashUpdCache* cache, byte* stdBuf, int stdBufLen,
+    word32* digest, int digestSz, const byte* data, int len, int algo, void* heap)
+{
+    int ret = 0;
+    word32 newLenUpd, newLenPad, padRemain;
+    byte* newBuf;
+    int isNewBuf = 0;
+
+#ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+    /* if final length is set then pass straight to hardware */
+    if (cache->finalLen) {
+        if (cache->bufLen == 0) {
+            reset_engine(&gLHDesc, algo);
+            gLHDesc.msgSize = cache->finalLen;
+        }
+        update_engine(&gLHDesc, data, len, digest);
+        cache->bufLen += len; /* track progress for blockType */
+        return 0;
+    }
+#endif
+
+    /* cache updates */
+    /* calculate new len */
+    newLenUpd = cache->updLen + len;
+
+    /* calculate padded len - pad buffer at 64-bytes for hardware */
+    newLenPad = newLenUpd;
+    padRemain = (newLenUpd % PIC32_BLOCKSIZE_HASH);
+    if (padRemain != 0) {
+        newLenPad += (PIC32_BLOCKSIZE_HASH - padRemain);
+    }
+
+    /* determine buffer source */
+    if (newLenPad <= stdBufLen) {
+        /* use standard buffer */
+        newBuf = stdBuf;
+    }
+    else if (newLenPad > cache->bufLen) {
+        /* alloc buffer */
+        newBuf = (byte*)XMALLOC(newLenPad, heap, DYNAMIC_TYPE_HASH_TMP);
+        if (newBuf == NULL) {
+            if (cache->buf != stdBuf && !cache->isCopy) {
+                XFREE(cache->buf, heap, DYNAMIC_TYPE_HASH_TMP);
+                cache->buf = NULL;
+                cache->updLen = cache->bufLen = 0;
+            }
+            return MEMORY_E;
+        }
+        isNewBuf = 1;
+        cache->isCopy = 0; /* no longer using copy buffer */
+    }
+    else {
+        /* use existing buffer */
+        newBuf = cache->buf;
+    }
+    if (cache->buf && cache->updLen > 0) {
+        XMEMCPY(newBuf, cache->buf, cache->updLen);
+        if (isNewBuf && cache->buf != stdBuf) {
+            XFREE(cache->buf, heap, DYNAMIC_TYPE_HASH_TMP);
+            cache->buf = NULL;
+        }
+    }
+    XMEMCPY(newBuf + cache->updLen, data, len);
+
+    cache->buf = newBuf;
+    cache->updLen = newLenUpd;
+    cache->bufLen = newLenPad;
+
+    return ret;
+}
+
+static int wc_Pic32HashFinal(hashUpdCache* cache, byte* stdBuf,
+    word32* digest, byte* hash, int digestSz, int algo, void* heap)
+{
+    int ret = 0;
+
+    /* if room add the pad */
+    if (cache->buf && cache->updLen < cache->bufLen) {
+        cache->buf[cache->updLen] = 0x80;
+    }
+
+#ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+    if (cache->finalLen) {
+        start_engine(&gLHDesc);
+        wait_engine(&gLHDesc, (char*)digest, digestSz);
+        XMEMCPY(hash, digest, digestSz);
+        cache->finalLen = 0;
+    }
+    else
+#endif
+    {
+        if (cache->updLen == 0) {
+            /* handle empty input */
+            switch (algo) {
+                case PIC32_ALGO_SHA256: {
+                    const char* sha256EmptyHash =
+                        "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9"
+                        "\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52"
+                        "\xb8\x55";
+                    XMEMCPY(hash, sha256EmptyHash, digestSz);
+                    break;
+                }
+                case PIC32_ALGO_SHA1: {
+                    const char* shaEmptyHash =
+                        "\xda\x39\xa3\xee\x5e\x6b\x4b\x0d\x32\x55\xbf\xef\x95\x60\x18"
+                        "\x90\xaf\xd8\x07\x09";
+                    XMEMCPY(hash, shaEmptyHash, digestSz);
+                    break;
+                }
+                case PIC32_ALGO_MD5: {
+                    const char* md5EmptyHash =
+                        "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42"
+                        "\x7e";
+                    XMEMCPY(hash, md5EmptyHash, digestSz);
+                    break;
+                }
+            } /* switch */
+        }
+        else {
+            ret = wc_Pic32Hash(cache->buf, cache->updLen, digest, digestSz, algo);
+            if (ret == 0) {
+                XMEMCPY(hash, digest, digestSz);
+            }
+        }
+
+        if (cache->buf && cache->buf != stdBuf && !cache->isCopy) {
+            XFREE(cache->buf, heap, DYNAMIC_TYPE_HASH_TMP);
+            cache->buf = NULL;
+        }
+    }
+
+    cache->buf = NULL;
+    cache->bufLen = cache->updLen = 0;
+
+    return ret;
+}
+
+static void wc_Pic32HashFree(hashUpdCache* cache, void* heap)
+{
+    if (cache && cache->buf && !cache->isCopy) {
+        XFREE(cache->buf, heap, DYNAMIC_TYPE_HASH_TMP);
+        cache->buf = NULL;
+    }
+}
+
+/* API's for compatibility with Harmony wrappers - not used */
+#ifndef NO_MD5
+    int wc_InitMd5_ex(wc_Md5* md5, void* heap, int devId)
+    {
+        if (md5 == NULL)
+            return BAD_FUNC_ARG;
+
+        XMEMSET(md5, 0, sizeof(wc_Md5));
+        md5->heap = heap;
+        (void)devId;
+        return 0;
+    }
+    int wc_Md5Update(wc_Md5* md5, const byte* data, word32 len)
+    {
+        if (md5 == NULL || (data == NULL && len > 0))
+            return BAD_FUNC_ARG;
+        return wc_Pic32HashUpdate(&md5->cache, (byte*)md5->buffer,
+            sizeof(md5->buffer), md5->digest, MD5_DIGEST_SIZE,
+            data, len, PIC32_ALGO_MD5, md5->heap);
+    }
+    int wc_Md5Final(wc_Md5* md5, byte* hash)
+    {
+        int ret;
+
+        if (md5 == NULL || hash == NULL)
+            return BAD_FUNC_ARG;
+
+        ret = wc_Pic32HashFinal(&md5->cache, (byte*)md5->buffer,
+            md5->digest, hash, MD5_DIGEST_SIZE,
+            PIC32_ALGO_MD5, md5->heap);
+
+        wc_InitMd5_ex(md5, md5->heap, INVALID_DEVID);  /* reset state */
+
+        return ret;
+    }
+    void wc_Md5SizeSet(wc_Md5* md5, word32 len)
+    {
+        if (md5) {
+        #ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+            md5->cache.finalLen = len;
+        #else
+            (void)len;
+        #endif
+        }
+    }
+    void wc_Md5Pic32Free(wc_Md5* md5)
+    {
+        if (md5) {
+            wc_Pic32HashFree(&md5->cache, md5->heap);
+        }
+    }
+#endif /* !NO_MD5 */
+#ifndef NO_SHA
+    int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
+    {
+        if (sha == NULL)
+            return BAD_FUNC_ARG;
+
+        XMEMSET(sha, 0, sizeof(wc_Sha));
+        sha->heap = heap;
+        (void)devId;
+        return 0;
+    }
+    int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
+    {
+        if (sha == NULL || (data == NULL && len > 0))
+            return BAD_FUNC_ARG;
+        return wc_Pic32HashUpdate(&sha->cache, (byte*)sha->buffer,
+            sizeof(sha->buffer), sha->digest, SHA_DIGEST_SIZE,
+            data, len, PIC32_ALGO_SHA1, sha->heap);
+    }
+    int wc_ShaFinal(wc_Sha* sha, byte* hash)
+    {
+        int ret;
+
+        if (sha == NULL || hash == NULL)
+            return BAD_FUNC_ARG;
+
+        ret = wc_Pic32HashFinal(&sha->cache, (byte*)sha->buffer,
+            sha->digest, hash, SHA_DIGEST_SIZE,
+            PIC32_ALGO_SHA1, sha->heap);
+
+        wc_InitSha_ex(sha, sha->heap, INVALID_DEVID);  /* reset state */
+
+        return ret;
+    }
+    void wc_ShaSizeSet(wc_Sha* sha, word32 len)
+    {
+        if (sha) {
+        #ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+            sha->cache.finalLen = len;
+        #else
+            (void)len;
+        #endif
+        }
+    }
+    void wc_ShaPic32Free(wc_Sha* sha)
+    {
+        if (sha) {
+            wc_Pic32HashFree(&sha->cache, sha->heap);
+        }
+    }
+#endif /* !NO_SHA */
+#ifndef NO_SHA256
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
+
+        XMEMSET(sha256, 0, sizeof(wc_Sha256));
+        sha256->heap = heap;
+        (void)devId;
+        return 0;
+    }
+    int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)
+    {
+        if (sha256 == NULL || (data == NULL && len > 0))
+            return BAD_FUNC_ARG;
+        return wc_Pic32HashUpdate(&sha256->cache, (byte*)sha256->buffer,
+            sizeof(sha256->buffer), sha256->digest, SHA256_DIGEST_SIZE,
+            data, len, PIC32_ALGO_SHA256, sha256->heap);
+    }
+    int wc_Sha256Final(wc_Sha256* sha256, byte* hash)
+    {
+        int ret;
+
+        if (sha256 == NULL || hash == NULL)
+            return BAD_FUNC_ARG;
+
+        ret = wc_Pic32HashFinal(&sha256->cache, (byte*)sha256->buffer,
+            sha256->digest, hash, SHA256_DIGEST_SIZE,
+            PIC32_ALGO_SHA256, sha256->heap);
+
+        wc_InitSha256_ex(sha256, sha256->heap, INVALID_DEVID);  /* reset state */
+
+        return ret;
+    }
+    void wc_Sha256SizeSet(wc_Sha256* sha256, word32 len)
+    {
+        if (sha256) {
+        #ifdef WOLFSSL_PIC32MZ_LARGE_HASH
+            sha256->cache.finalLen = len;
+        #else
+            (void)len;
+        #endif
+        }
+    }
+    void wc_Sha256Pic32Free(wc_Sha256* sha256)
+    {
+        if (sha256) {
+            wc_Pic32HashFree(&sha256->cache, sha256->heap);
+        }
+    }
+#endif /* !NO_SHA256 */
+#endif /* WOLFSSL_PIC32MZ_HASH */
+
+
+#ifdef WOLFSSL_PIC32MZ_CRYPT
+#if !defined(NO_AES)
+    int wc_Pic32AesCrypt(word32 *key, int keyLen, word32 *iv, int ivLen,
+        byte* out, const byte* in, word32 sz,
+        int dir, int algo, int cryptoalgo)
+    {
+        return Pic32Crypto(in, sz, (word32*)out, sz, dir, algo, cryptoalgo,
+            key, keyLen, iv, ivLen);
+    }
+#endif /* !NO_AES */
+
+#ifndef NO_DES3
+    int wc_Pic32DesCrypt(word32 *key, int keyLen, word32 *iv, int ivLen,
+        byte* out, const byte* in, word32 sz,
+        int dir, int algo, int cryptoalgo)
+    {
+        return Pic32Crypto(in, sz, (word32*)out, sz, dir, algo, cryptoalgo,
+            key, keyLen, iv, ivLen);
+    }
+#endif /* !NO_DES3 */
+#endif /* WOLFSSL_PIC32MZ_CRYPT */
+
+#endif /* WOLFSSL_MICROCHIP_PIC32MZ */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-aes.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-aes.c
index d38e7a3cb..52f2ceb97 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-aes.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-aes.c
@@ -1,8 +1,8 @@
 /* port/ti/ti-aes.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
- 
+
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -65,14 +66,14 @@ WOLFSSL_API int  wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte*
         return BAD_FUNC_ARG;
     if(!((dir == AES_ENCRYPTION) || (dir == AES_DECRYPTION)))
         return BAD_FUNC_ARG;
-    
+
     switch(len) {
     case 16: aes->keylen = AES_CFG_KEY_SIZE_128BIT ; break ;
     case 24: aes->keylen = AES_CFG_KEY_SIZE_192BIT ; break ;
     case 32: aes->keylen = AES_CFG_KEY_SIZE_256BIT ; break ;
-    default: return BAD_FUNC_ARG;      
+    default: return BAD_FUNC_ARG;
     }
-    
+
     XMEMCPY(aes->key, key, len) ;
     #ifdef WOLFSSL_AES_COUNTER
     aes->left = 0;
@@ -84,19 +85,19 @@ WOLFSSL_API int  wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte*
 #define IS_ALIGN16(p) (((unsigned int)(p)&0xf) == 0)
 
 static int  AesAlign16(Aes* aes, byte* out, const byte* in, word32 sz, word32 dir, word32 mode)
-{   
+{
     wolfSSL_TI_lockCCM() ;
     ROM_AESReset(AES_BASE);
-    ROM_AESConfigSet(AES_BASE, (aes->keylen | dir | 
+    ROM_AESConfigSet(AES_BASE, (aes->keylen | dir |
                      (mode==AES_CFG_MODE_CTR_NOCTR ? AES_CFG_MODE_CTR : mode)));
-    ROM_AESIVSet(AES_BASE, aes->reg);
-    ROM_AESKey1Set(AES_BASE, aes->key, aes->keylen);
+    ROM_AESIVSet(AES_BASE, (uint32_t *)aes->reg);
+    ROM_AESKey1Set(AES_BASE, (uint32_t *)aes->key, aes->keylen);
     if((dir == AES_CFG_DIR_DECRYPT)&& (mode == AES_CFG_MODE_CBC))
         /* if input and output same will overwrite input iv */
         XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
     ROM_AESDataProcess(AES_BASE, (uint32_t *)in, (uint32_t *)out, sz);
     wolfSSL_TI_unlockCCM() ;
-    
+
     /* store iv for next call */
     if(mode == AES_CFG_MODE_CBC){
         if(dir == AES_CFG_DIR_ENCRYPT)
@@ -106,7 +107,7 @@ static int  AesAlign16(Aes* aes, byte* out, const byte* in, word32 sz, word32 di
     }
 
     if(mode == AES_CFG_MODE_CTR) {
-        do {  
+        do {
             int i ;
             for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
                  if (++((byte *)aes->reg)[i])
@@ -120,12 +121,12 @@ static int  AesAlign16(Aes* aes, byte* out, const byte* in, word32 sz, word32 di
 }
 
 static int  AesProcess(Aes* aes, byte* out, const byte* in, word32 sz, word32 dir, word32 mode)
-{   
-    const byte * in_p ; byte * out_p ; 
+{
+    const byte * in_p ; byte * out_p ;
     word32 size ;
     #define TI_BUFFSIZE 1024
     byte buff[TI_BUFFSIZE] ;
-    
+
     if ((aes == NULL) || (in == NULL) || (out == NULL))
         return BAD_FUNC_ARG;
     if(sz % AES_BLOCK_SIZE)
@@ -135,16 +136,16 @@ static int  AesProcess(Aes* aes, byte* out, const byte* in, word32 sz, word32 di
         size = sz ; in_p = in ; out_p = out ;
         if(!IS_ALIGN16(in)){
             size = sz>TI_BUFFSIZE ? TI_BUFFSIZE : sz ;
-            XMEMCPY(buff, in, size) ; 
+            XMEMCPY(buff, in, size) ;
             in_p = (const byte *)buff ;
         }
         if(!IS_ALIGN16(out)){
             size = sz>TI_BUFFSIZE ? TI_BUFFSIZE : sz ;
             out_p = buff ;
         }
-   
+
         AesAlign16(aes, out_p, in_p, size, dir, mode) ;
- 
+
         if(!IS_ALIGN16(out)){
             XMEMCPY(out, buff, size) ;
         }
@@ -155,18 +156,18 @@ static int  AesProcess(Aes* aes, byte* out, const byte* in, word32 sz, word32 di
 }
 
 WOLFSSL_API int  wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{   
+{
     return AesProcess(aes, out, in, sz, AES_CFG_DIR_ENCRYPT, AES_CFG_MODE_CBC) ;
 }
 
 WOLFSSL_API int  wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{   
+{
     return AesProcess(aes, out, in, sz, AES_CFG_DIR_DECRYPT, AES_CFG_MODE_CBC) ;
 }
 
 #ifdef WOLFSSL_AES_COUNTER
 WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{ 
+{
             char out_block[AES_BLOCK_SIZE] ;
             int odd ;
             int even ;
@@ -181,7 +182,7 @@ WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz
                 }
                 XMEMCPY(tmp+aes->left, in, odd) ;
                 if((odd+aes->left) == AES_BLOCK_SIZE){
-                    AesProcess(aes, (byte *)out_block, (byte const *)tmp, AES_BLOCK_SIZE, 
+                    AesProcess(aes, (byte *)out_block, (byte const *)tmp, AES_BLOCK_SIZE,
                              AES_CFG_DIR_ENCRYPT, AES_CFG_MODE_CTR) ;
                     XMEMCPY(out, out_block+aes->left, odd) ;
                     aes->left = 0 ;
@@ -201,8 +202,8 @@ WOLFSSL_API void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz
             if(odd) {
                 XMEMSET(tmp+aes->left, 0x0, AES_BLOCK_SIZE - aes->left) ;
                 XMEMCPY(tmp+aes->left, in, odd) ;
-                AesProcess(aes, (byte *)out_block, (byte const *)tmp, AES_BLOCK_SIZE, 
-                           AES_CFG_DIR_ENCRYPT, 
+                AesProcess(aes, (byte *)out_block, (byte const *)tmp, AES_BLOCK_SIZE,
+                           AES_CFG_DIR_ENCRYPT,
                            AES_CFG_MODE_CTR_NOCTR /* Counter mode without counting IV */
                            );
                 XMEMCPY(out, out_block+aes->left,odd) ;
@@ -250,11 +251,12 @@ static int AesAuthArgCheck(Aes* aes, byte* out, const byte* in, word32 inSz,
                               const byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz, word32 *M,  word32 *L)
 {
+    (void) authInSz ;
     if((aes == NULL)||(nonce == NULL)||(authTag== NULL)||(authIn == NULL))
         return BAD_FUNC_ARG;
     if((inSz != 0) && ((out == NULL)||(in == NULL)))
         return BAD_FUNC_ARG;
-    
+
     switch(authTagSz){
     case  4:
         *M = AES_CFG_CCM_M_4; break ;
@@ -302,24 +304,24 @@ static void AesAuthSetIv(Aes *aes, const byte *nonce, word32 len, word32 L, int
   if(mode == AES_CFG_MODE_CCM){
     XMEMSET(aes->reg, 0, 16) ;
     switch(L){
-    case AES_CFG_CCM_L_8: 
+    case AES_CFG_CCM_L_8:
       aes->reg[0] = 0x7; break ;
-    case AES_CFG_CCM_L_7: 
+    case AES_CFG_CCM_L_7:
       aes->reg[0] = 0x6; break ;
-    case AES_CFG_CCM_L_6: 
+    case AES_CFG_CCM_L_6:
       aes->reg[0] = 0x5; break ;
-    case AES_CFG_CCM_L_5: 
+    case AES_CFG_CCM_L_5:
       aes->reg[0] = 0x4; break ;
-    case AES_CFG_CCM_L_4: 
+    case AES_CFG_CCM_L_4:
       aes->reg[0] = 0x3; break ;
-    case AES_CFG_CCM_L_3: 
+    case AES_CFG_CCM_L_3:
       aes->reg[0] = 0x2; break ;
-    case AES_CFG_CCM_L_2: 
+    case AES_CFG_CCM_L_2:
       aes->reg[0] = 0x1; break ;
-    case AES_CFG_CCM_L_1: 
+    case AES_CFG_CCM_L_1:
       aes->reg[0] = 0x0; break ;
     }
-    XMEMCPY(((byte *)aes->reg)+1, nonce, len) ; 
+    XMEMCPY(((byte *)aes->reg)+1, nonce, len) ;
   } else {
     byte *b = (byte *)aes->reg ;
     XMEMSET(aes->reg, 0, AES_BLOCK_SIZE);
@@ -342,7 +344,7 @@ static int AesAuthEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                               const byte* nonce, word32 nonceSz,
                               byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz, int mode)
-{ 
+{
     word32 M, L ;
     byte *in_a,     *in_save ;
     byte *out_a,    *out_save ;
@@ -353,26 +355,26 @@ static int AesAuthEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 
     if(AesAuthArgCheck(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz, authIn, authInSz, &M, &L)
        == BAD_FUNC_ARG)return BAD_FUNC_ARG ;
-    
+
     /* 16 byte padding */
     in_save = NULL ; out_save = NULL ; authIn_save = NULL ; nonce_save = NULL ;
     if((inSz%16)==0){
         in_save = NULL ; in_a = (byte *)in ;
         out_save = NULL ; out_a = out ;
     } else {
-      if((in_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((in_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E ; }
       in_a = in_save ; XMEMSET(in_a, 0, RoundUp16(inSz)) ; XMEMCPY(in_a, in, inSz) ;
-      
-      if((out_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
-          FREE_ALL; return MEMORY_E ; } 
-      out_a = out_save ; 
+
+      if((out_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
+          FREE_ALL; return MEMORY_E ; }
+      out_a = out_save ;
     }
-    
+
     if((authInSz%16)==0){
         authIn_save = NULL ; authIn_a = (byte *)authIn ;
     } else {
-      if((authIn_save = XMALLOC(RoundUp16(authInSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((authIn_save = XMALLOC(RoundUp16(authInSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E ; }
       authIn_a = authIn_save ; XMEMSET(authIn_a, 0, RoundUp16(authInSz)) ; XMEMCPY(authIn_a, authIn, authInSz) ;
     }
@@ -380,7 +382,7 @@ static int AesAuthEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     if((nonceSz%16)==0){
         nonce_save = NULL ; nonce_a = (byte *)nonce ;
     } else {
-      if((nonce_save = XMALLOC(RoundUp16(nonceSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((nonce_save = XMALLOC(RoundUp16(nonceSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E; }
       nonce_a = nonce_save ; XMEMSET(nonce_a, 0, RoundUp16(nonceSz)) ; XMEMCPY(nonce_a, nonce, nonceSz) ;
     }
@@ -403,7 +405,7 @@ static int AesAuthEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         XMEMCPY(authTag, tmpTag, authTagSz) ;
     }
 
-    FREE_ALL; 
+    FREE_ALL;
     return 0 ;
 }
 
@@ -411,7 +413,7 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                               const byte* nonce, word32 nonceSz,
                               const byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz, int mode)
-{ 
+{
     word32 M, L ;
     byte *in_a,     *in_save ;
     byte *out_a,    *out_save ;
@@ -422,26 +424,26 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
 
     if(AesAuthArgCheck(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz, authIn, authInSz, &M, &L)
        == BAD_FUNC_ARG)return  BAD_FUNC_ARG ;
-    
+
     /* 16 byte padding */
     in_save = NULL ; out_save = NULL ; authIn_save = NULL ; nonce_save = NULL ;
     if((inSz%16)==0){
         in_save = NULL ; in_a = (byte *)in ;
         out_save = NULL ; out_a = out ;
     } else {
-      if((in_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((in_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E;}
       in_a = in_save ; XMEMSET(in_a, 0, RoundUp16(inSz)) ; XMEMCPY(in_a, in, inSz) ;
-      
-      if((out_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+
+      if((out_save = XMALLOC(RoundUp16(inSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E;}
-      out_a = out_save ; 
+      out_a = out_save ;
     }
-    
+
     if((authInSz%16)==0){
         authIn_save = NULL ; authIn_a = (byte *)authIn ;
     } else {
-      if((authIn_save = XMALLOC(RoundUp16(authInSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((authIn_save = XMALLOC(RoundUp16(authInSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E; }
       authIn_a = authIn_save ; XMEMSET(authIn_a, 0, RoundUp16(authInSz)) ; XMEMCPY(authIn_a, authIn, authInSz) ;
     }
@@ -449,7 +451,7 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
     if((nonceSz%16)==0){
         nonce_save = NULL ; nonce_a = (byte *)nonce ;
     } else {
-      if((nonce_save = XMALLOC(RoundUp16(nonceSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){ 
+      if((nonce_save = XMALLOC(RoundUp16(nonceSz), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL){
           FREE_ALL; return MEMORY_E; }
       nonce_a = nonce_save ; XMEMSET(nonce_a, 0, RoundUp16(nonceSz)) ; XMEMCPY(nonce_a, nonce, nonceSz) ;
     }
@@ -468,7 +470,7 @@ static int AesAuthDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
         XMEMSET(out, 0, inSz) ;
         ret = false ;
     } else {
-        XMEMCPY(out, out_a, inSz) ;  
+        XMEMCPY(out, out_a, inSz) ;
     }
 
     FREE_ALL ;
@@ -488,6 +490,9 @@ WOLFSSL_API int  wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz
                               byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz)
 {
+    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
+        return BAD_FUNC_ARG;
+    }
     return AesAuthEncrypt(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
                               authIn, authInSz, AES_CFG_MODE_GCM_HY0CALC) ;
 }
@@ -495,7 +500,7 @@ WOLFSSL_API int  wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz
                               const byte* iv, word32 ivSz,
                               const byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz)
-{ 
+{
     return AesAuthDecrypt(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
                               authIn, authInSz, AES_CFG_MODE_GCM_HY0CALC) ;
 }
@@ -516,17 +521,17 @@ WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
 #endif /* HAVE_AESGCM */
 
 #ifdef HAVE_AESCCM
-WOLFSSL_API void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
+WOLFSSL_API int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
 {
-    AesAuthSetKey(aes, key, keySz) ;
+    return AesAuthSetKey(aes, key, keySz) ;
 }
 
-WOLFSSL_API void wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
+WOLFSSL_API int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                               const byte* nonce, word32 nonceSz,
                               byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz)
-{ 
-    AesAuthEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
+{
+    return AesAuthEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
                               authIn, authInSz, AES_CFG_MODE_CCM) ;
 }
 
@@ -534,12 +539,28 @@ WOLFSSL_API int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inS
                               const byte* nonce, word32 nonceSz,
                               const byte* authTag, word32 authTagSz,
                               const byte* authIn, word32 authInSz)
-{ 
+{
     return AesAuthDecrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
                               authIn, authInSz, AES_CFG_MODE_CCM) ;
 }
 #endif /* HAVE_AESCCM */
 
+WOLFSSL_API int wc_AesInit(Aes* aes, void* heap, int devId)
+{
+    if (aes == NULL)
+        return BAD_FUNC_ARG;
+
+    aes->heap = heap;
+    (void)devId;
+
+    return 0;
+}
+
+WOLFSSL_API void wc_AesFree(Aes* aes)
+{
+    (void)aes;
+}
+
 #endif /* WOLFSSL_TI_CRYPT */
 
 #endif /* NO_AES */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-ccm.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-ccm.c
index 09705cfb8..5c0051e03 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-ccm.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-ccm.c
@@ -1,8 +1,8 @@
 /* port/ti/ti_ccm.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,56 +28,67 @@
 
 #if defined(WOLFSSL_TI_CRYPT) ||  defined(WOLFSSL_TI_HASH)
 
-
+#include "wolfssl/wolfcrypt/port/ti/ti-ccm.h"
 #include <stdbool.h>
 #include <stdint.h>
 
+#ifndef TI_DUMMY_BUILD
 #include "driverlib/sysctl.h"
 #include "driverlib/rom_map.h"
 #include "driverlib/rom.h"
 
 #ifndef SINGLE_THREADED
 #include <wolfssl/wolfcrypt/wc_port.h>
-    static wolfSSL_Mutex TI_CCM_Mutex ;
+    static wolfSSL_Mutex TI_CCM_Mutex;
 #endif
+#endif /* TI_DUMMY_BUILD */
 
 #define TIMEOUT  500000
-#define WAIT(stat) { volatile int i ; for(i=0; i<TIMEOUT; i++)if(stat)break ; if(i==TIMEOUT)return(false) ; }
+#define WAIT(stat) { volatile int i; for(i=0; i<TIMEOUT; i++)if(stat)break; if(i==TIMEOUT)return(false); }
 
-static bool ccm_init = false ;
-bool wolfSSL_TI_CCMInit(void)
+static bool ccm_init = false;
+int wolfSSL_TI_CCMInit(void)
 {
-    if(ccm_init)return true ;
-    ccm_init = true ;
+    if (ccm_init)
+        return true;
+    ccm_init = true;
 
+#ifndef TI_DUMMY_BUILD
     SysCtlClockFreqSet((SYSCTL_XTAL_25MHZ |
                                        SYSCTL_OSC_MAIN |
                                        SYSCTL_USE_PLL |
                                        SYSCTL_CFG_VCO_480), 120000000);
-   
-    if(!ROM_SysCtlPeripheralPresent(SYSCTL_PERIPH_CCM0))
-        return false ;
-        
+
+    if (!ROM_SysCtlPeripheralPresent(SYSCTL_PERIPH_CCM0))
+        return false;
+
          ROM_SysCtlPeripheralEnable(SYSCTL_PERIPH_CCM0);
-    WAIT(ROM_SysCtlPeripheralReady(SYSCTL_PERIPH_CCM0)) ;
+    WAIT(ROM_SysCtlPeripheralReady(SYSCTL_PERIPH_CCM0));
          ROM_SysCtlPeripheralReset(SYSCTL_PERIPH_CCM0);
-    WAIT(ROM_SysCtlPeripheralReady(SYSCTL_PERIPH_CCM0)) ;
-    
+    WAIT(ROM_SysCtlPeripheralReady(SYSCTL_PERIPH_CCM0));
+
 #ifndef SINGLE_THREADED
-    InitMutex(&TI_CCM_Mutex) ;
+    if (wc_InitMutex(&TI_CCM_Mutex))
+        return false;
 #endif
+#endif /* !TI_DUMMY_BUILD */
 
-    return true ;
+    return true;
 }
 
 #ifndef SINGLE_THREADED
-void wolfSSL_TI_lockCCM() {
-    LockMutex(&TI_CCM_Mutex) ;
+void wolfSSL_TI_lockCCM(void)
+{
+#ifndef TI_DUMMY_BUILD
+    wc_LockMutex(&TI_CCM_Mutex);
+#endif
 }
 
-void wolfSSL_TI_unlockCCM() {
-    UnLockMutex(&TI_CCM_Mutex) ;
-}
+void wolfSSL_TI_unlockCCM(void){
+#ifndef TI_DUMMY_BUILD
+    wc_UnLockMutex(&TI_CCM_Mutex);
 #endif
+}
+#endif /* !SINGLE_THREADED */
 
-#endif
+#endif /* WOLFSSL_TI_CRYPT || WOLFSSL_TI_HASH */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-des3.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-des3.c
index 21c61d310..0e3c81dcd 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-des3.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-des3.c
@@ -1,8 +1,8 @@
 /* port/ti/ti-des.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -63,39 +64,39 @@ static int  DesSetKey(Des* des, const byte* key, const byte* iv,int dir, int tri
         return BAD_FUNC_ARG;
     if(!((dir == DES_ENCRYPTION) || (dir == DES_DECRYPTION)))
         return BAD_FUNC_ARG;
-    
+
     XMEMCPY(des->key, key, tri == DES_CFG_SINGLE ? DES_KEYLEN : DES3_KEYLEN) ;
     return DesSetIV(des, iv, tri);
 }
 
 static int  DesCbcAlign16(Des* des, byte* out, const byte* in, word32 sz, word32 dir, word32 tri)
-{   
+{
 
     wolfSSL_TI_lockCCM() ;
     ROM_DESReset(DES_BASE);
     ROM_DESConfigSet(DES_BASE, (dir | DES_CFG_MODE_CBC | tri));
-    ROM_DESIVSet(DES_BASE, des->reg);
-    ROM_DESKeySet(DES_BASE, des->key);
+    ROM_DESIVSet(DES_BASE, (uint32_t*)des->reg);
+    ROM_DESKeySet(DES_BASE,(uint32_t*)des->key);
     if(dir == DES_CFG_DIR_DECRYPT)
         /* if input and output same will overwrite input iv */
         XMEMCPY(des->tmp, in + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
     ROM_DESDataProcess(DES_BASE, (uint32_t *)in, (uint32_t *)out, sz);
     wolfSSL_TI_unlockCCM() ;
-    
+
     /* store iv for next call */
     if(dir == DES_CFG_DIR_ENCRYPT)
         XMEMCPY(des->reg, out + sz - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
     else
         XMEMCPY(des->reg, des->tmp, DES_BLOCK_SIZE);
-    
+
     return 0 ;
 }
 
 #define IS_ALIGN16(p) (((unsigned int)(p)&0xf) == 0)
 
 static int  DesCbc(Des* des, byte* out, const byte* in, word32 sz, word32 dir, word32 tri)
-{   
-    const byte * in_p ; byte * out_p ; 
+{
+    const byte * in_p ; byte * out_p ;
     word32 size ;
     #define TI_BUFFSIZE 1024
     byte buff[TI_BUFFSIZE] ;
@@ -103,21 +104,21 @@ static int  DesCbc(Des* des, byte* out, const byte* in, word32 sz, word32 dir, w
         return BAD_FUNC_ARG;
     if(sz % DES_BLOCK_SIZE)
         return BAD_FUNC_ARG;
-    
+
     while(sz > 0) {
         size = sz ; in_p = in ; out_p = out ;
         if(!IS_ALIGN16(in)){
             size = sz>TI_BUFFSIZE ? TI_BUFFSIZE : sz ;
-            XMEMCPY(buff, in, size) ; 
+            XMEMCPY(buff, in, size) ;
             in_p = (const byte *)buff ;
         }
         if(!IS_ALIGN16(out)){
             size = sz>TI_BUFFSIZE ? TI_BUFFSIZE : sz ;
             out_p = (byte *)buff ;
         }
-    
+
         DesCbcAlign16(des, out_p, in_p, size, dir, tri) ;
-        
+
         if(!IS_ALIGN16(out)){
             XMEMCPY(out, buff, size) ;
         }
@@ -148,32 +149,54 @@ WOLFSSL_API int  wc_Des3_SetIV(Des3* des, const byte* iv)
 
 
 WOLFSSL_API int  wc_Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
-{   
+{
     return DesCbc(des, out, in, sz, DES_CFG_DIR_ENCRYPT, DES_CFG_SINGLE) ;
 }
 
 WOLFSSL_API int  wc_Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
-{   
+{
     return DesCbc(des, out, in, sz, DES_CFG_DIR_DECRYPT, DES_CFG_SINGLE) ;
 }
 
 WOLFSSL_API int  wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
                                           const byte* key, const byte* iv)
-{ return 0 ;}
+{
+    (void)out; (void)in; (void)sz; (void)key; (void)iv ;
+    return -1 ;
+}
 
 WOLFSSL_API int  wc_Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{   
+{
     return DesCbc((Des *)des, out, in, sz, DES_CFG_DIR_ENCRYPT, DES_CFG_TRIPLE) ;
 }
 
 WOLFSSL_API int  wc_Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
-{   
+{
     return DesCbc((Des *)des, out, in, sz, DES_CFG_DIR_DECRYPT, DES_CFG_TRIPLE) ;
 }
 
 WOLFSSL_API int  wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
                                                const byte* key, const byte* iv)
-{ return 0 ; }
+{
+     (void)out; (void)in; (void)sz; (void)key; (void)iv ;
+     return -1 ;
+ }
+
+WOLFSSL_API int wc_Des3Init(Des3* des, void* heap, int devId)
+{
+    if (des == NULL)
+        return BAD_FUNC_ARG;
+
+    des->heap = heap;
+    (void)devId;
+
+    return 0;
+}
+
+WOLFSSL_API void wc_Des3Free(Des3* des)
+{
+    (void)des;
+}
 
 
 #endif /* WOLFSSL_TI_CRYPT */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-hash.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-hash.c
index c60f86423..ab8f2cc22 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-hash.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/port/ti/ti-hash.c
@@ -1,8 +1,8 @@
 /* port/ti/ti-hash.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -38,12 +39,13 @@
 #include <stdint.h>
 
 #include <wolfssl/wolfcrypt/error-crypt.h>
-#include <wolfssl/wolfcrypt/md5.h>      
-#include <wolfssl/wolfcrypt/sha.h>      
-#include <wolfssl/wolfcrypt/sha256.h>      
+#include <wolfssl/wolfcrypt/md5.h>
+#include <wolfssl/wolfcrypt/sha.h>
+#include <wolfssl/wolfcrypt/sha256.h>
 #include <wolfssl/wolfcrypt/port/ti/ti-hash.h>
 #include <wolfssl/wolfcrypt/port/ti/ti-ccm.h>
 #include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
 #ifndef TI_DUMMY_BUILD
 #include "inc/hw_memmap.h"
@@ -57,66 +59,70 @@
 #define SHAMD5_ALGO_MD5 1
 #define SHAMD5_ALGO_SHA1 2
 #define SHAMD5_ALGO_SHA256 3
-bool wolfSSL_TI_CCMInit(void) { return true ; }
+#define SHAMD5_ALGO_SHA224 4
 #endif
 
 static int hashInit(wolfssl_TI_Hash *hash) {
-    hash->used = 0 ;
-    hash->msg  = 0 ;
-    hash->len  = 0 ;
-    return 0 ;
+    if (!wolfSSL_TI_CCMInit())return 1;
+    hash->used = 0;
+    hash->msg  = 0;
+    hash->len  = 0;
+    return 0;
 }
 
 static int hashUpdate(wolfssl_TI_Hash *hash, const byte* data, word32 len)
 {
-    void *p ;
+    void *p;
 
-    if((hash== NULL) || (data == NULL))return BAD_FUNC_ARG;
+    if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG;
 
-    if(hash->len < hash->used+len) {
-        if(hash->msg == NULL) {
+    if (hash->len < hash->used+len) {
+        if (hash->msg == NULL) {
             p = XMALLOC(hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         } else {
             p = XREALLOC(hash->msg, hash->used+len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         }
-        if(p == 0)return 1 ;
-        hash->msg = p ;     
-        hash->len = hash->used+len ;
-    } 
-    XMEMCPY(hash->msg+hash->used, data, len) ;
-    hash->used += len ;
-    return 0 ;
+        if (p == 0)return 1;
+        hash->msg = p;
+        hash->len = hash->used+len;
+    }
+    XMEMCPY(hash->msg+hash->used, data, len);
+    hash->used += len;
+    return 0;
 }
 
 static int hashGetHash(wolfssl_TI_Hash *hash, byte* result, word32 algo, word32 hsize)
-{   
-    uint32_t h[16] ;
+{
+    uint32_t h[16];
 #ifndef TI_DUMMY_BUILD
-    wolfSSL_TI_lockCCM() ;
+    wolfSSL_TI_lockCCM();
     ROM_SHAMD5Reset(SHAMD5_BASE);
     ROM_SHAMD5ConfigSet(SHAMD5_BASE, algo);
-    ROM_SHAMD5DataProcess(SHAMD5_BASE, 
+    ROM_SHAMD5DataProcess(SHAMD5_BASE,
                    (uint32_t *)hash->msg, hash->used, h);
-    wolfSSL_TI_unlockCCM() ;
+    wolfSSL_TI_unlockCCM();
 #else
-    (void) hash ;
-    (void) algo ;
+    (void) hash;
+    (void) algo;
+
+    XMEMSET(h, 0, sizeof(h));
 #endif
-    XMEMCPY(result, h, hsize) ;
+    XMEMCPY(result, h, hsize);
 
-    return 0 ;
+    return 0;
 }
 
-static void hashRestorePos(wolfssl_TI_Hash *h1, wolfssl_TI_Hash *h2) {
-	h1->used = h2->used ;
+static int hashCopy(wolfssl_TI_Hash *src, wolfssl_TI_Hash *dst) {
+    XMEMCPY(dst, src, sizeof(wolfssl_TI_Hash));
+    return 0;
 }
 
 static int hashFinal(wolfssl_TI_Hash *hash, byte* result, word32 algo, word32 hsize)
-{   
-    hashGetHash(hash, result, algo, hsize) ;
+{
+    hashGetHash(hash, result, algo, hsize);
     XFREE(hash->msg, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    hashInit(hash) ;
-    return 0 ;
+    hashInit(hash);
+    return 0;
 }
 
 static int hashHash(const byte* data, word32 len, byte* hash, word32 algo, word32 hsize)
@@ -143,149 +149,190 @@ static int hashHash(const byte* data, word32 len, byte* hash, word32 algo, word3
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(hash_desc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return ret;
 }
 
+static int hashFree(wolfssl_TI_Hash *hash)
+{
+    XFREE(hash->msg, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    hashInit(hash);
+    return 0;
+}
+
 #if !defined(NO_MD5)
-WOLFSSL_API void wc_InitMd5(Md5* md5)
+WOLFSSL_API int wc_InitMd5_ex(Md5* md5, void* heap, int devId)
 {
     if (md5 == NULL)
-        return ;
-    if(!wolfSSL_TI_CCMInit())return  ;
-    hashInit((wolfssl_TI_Hash *)md5) ;
+        return 1;
+    (void)heap;
+    (void)devId;
+    return hashInit((wolfssl_TI_Hash *)md5);
+}
+WOLFSSL_API int wc_InitMd5(Md5* md5)
+{
+    return wc_InitMd5_ex(md5, NULL, INVALID_DEVID);
 }
 
-WOLFSSL_API void wc_Md5Update(Md5* md5, const byte* data, word32 len)
+WOLFSSL_API int wc_Md5Update(Md5* md5, const byte* data, word32 len)
 {
-    hashUpdate((wolfssl_TI_Hash *)md5, data, len) ;
+    return hashUpdate((wolfssl_TI_Hash *)md5, data, len);
 }
 
-WOLFSSL_API void wc_Md5Final(Md5* md5, byte* hash)
+WOLFSSL_API int wc_Md5Final(Md5* md5, byte* hash)
 {
-    hashFinal((wolfssl_TI_Hash *)md5, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE) ;
+    return hashFinal((wolfssl_TI_Hash *)md5, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE);
 }
 
-WOLFSSL_API void wc_Md5GetHash(Md5* md5, byte* hash)
+WOLFSSL_API int wc_Md5GetHash(Md5* md5, byte* hash)
 {
-    hashGetHash((wolfssl_TI_Hash *)md5, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE) ;
+    return hashGetHash((wolfssl_TI_Hash *)md5, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE);
 }
 
-WOLFSSL_API void wc_Md5RestorePos(Md5* m1, Md5* m2) {
-	hashRestorePos((wolfssl_TI_Hash *)m1, (wolfssl_TI_Hash *)m2) ;
+WOLFSSL_API int wc_Md5Copy(Md5* src, Md5* dst) {
+	return hashCopy((wolfssl_TI_Hash *)src, (wolfssl_TI_Hash *)dst);
 }
 
 WOLFSSL_API int wc_Md5Hash(const byte*data, word32 len, byte*hash)
-{ 
-    return hashHash(data, len, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE) ;
+{
+    return hashHash(data, len, hash, SHAMD5_ALGO_MD5, MD5_DIGEST_SIZE);
 }
 
-#endif /* NO_MD5 */
+WOLFSSL_API void wc_Md5Free(Md5* md5)
+{
+    hashFree((wolfssl_TI_Hash *)md5);
+}
+
+#endif /* !NO_MD5 */
 
 #if !defined(NO_SHA)
-WOLFSSL_API int wc_InitSha(Sha* sha)
+WOLFSSL_API int wc_InitSha_ex(Md5* sha, void* heap, int devId)
 {
     if (sha == NULL)
-        return 1 ;
-    if(!wolfSSL_TI_CCMInit())return 1 ;
-    return hashInit((wolfssl_TI_Hash *)sha) ;
+        return 1;
+    (void)heap;
+    (void)devId;
+    return hashInit((wolfssl_TI_Hash *)sha);
+}
+WOLFSSL_API int wc_InitSha(Sha* sha)
+{
+    return wc_InitSha_ex(sha, NULL, INVALID_DEVID);
 }
 
 WOLFSSL_API int wc_ShaUpdate(Sha* sha, const byte* data, word32 len)
 {
-    return hashUpdate((wolfssl_TI_Hash *)sha, data, len) ;
+    return hashUpdate((wolfssl_TI_Hash *)sha, data, len);
 }
 
 WOLFSSL_API int wc_ShaFinal(Sha* sha, byte* hash)
 {
-    return hashFinal((wolfssl_TI_Hash *)sha, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE) ;
+    return hashFinal((wolfssl_TI_Hash *)sha, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE);
 }
 
 WOLFSSL_API int wc_ShaGetHash(Sha* sha, byte* hash)
 {
-    return hashGetHash(sha, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE) ;
+    return hashGetHash(sha, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE);
 }
 
-WOLFSSL_API void wc_ShaRestorePos(Sha* s1, Sha* s2) {
-	hashRestorePos((wolfssl_TI_Hash *)s1, (wolfssl_TI_Hash *)s2) ;
+WOLFSSL_API int wc_ShaCopy(Sha* src, Sha* dst) {
+	return hashCopy((wolfssl_TI_Hash *)src, (wolfssl_TI_Hash *)dst);
 }
 
 WOLFSSL_API int wc_ShaHash(const byte*data, word32 len, byte*hash)
-{ 
-    return hashHash(data, len, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE) ;
+{
+    return hashHash(data, len, hash, SHAMD5_ALGO_SHA1, SHA_DIGEST_SIZE);
 }
 
-#endif /* NO_SHA */
+WOLFSSL_API void wc_ShaFree(Sha* sha)
+{
+    hashFree((wolfssl_TI_Hash *)sha);
+}
 
-#if defined(HAVE_SHA224)
-WOLFSSL_API int wc_InitSha224(Sha224* sha224)
+#endif /* !NO_SHA */
+
+#if defined(WOLFSSL_SHA224)
+WOLFSSL_API int wc_InitSha224_ex(Sha224* sha224, void* heap, int devId)
 {
     if (sha224 == NULL)
-        return 1 ;
-    if(!wolfSSL_TI_CCMInit())return 1 ;
-    return hashInit((wolfssl_TI_Hash *)sha224) ;
+        return 1;
+    (void)heap;
+    (void)devId;
+    return hashInit((wolfssl_TI_Hash *)sha224);
+}
+WOLFSSL_API int wc_InitSha224(Sha224* sha224)
+{
+    return wc_InitSha224_ex(sha224, NULL, INVALID_DEVID);
 }
 
 WOLFSSL_API int wc_Sha224Update(Sha224* sha224, const byte* data, word32 len)
 {
-    return hashUpdate((wolfssl_TI_Hash *)sha224, data, len) ;
+    return hashUpdate((wolfssl_TI_Hash *)sha224, data, len);
 }
 
 WOLFSSL_API int wc_Sha224Final(Sha224* sha224, byte* hash)
 {
-    return hashFinal((wolfssl_TI_Hash *)sha224, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE) ;
+    return hashFinal((wolfssl_TI_Hash *)sha224, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE);
 }
 
 WOLFSSL_API int wc_Sha224GetHash(Sha224* sha224, byte* hash)
 {
-    return hashGetHash(sha224, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE) ;
+    return hashGetHash(sha224, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE);
 }
 
-WOLFSSL_API void wc_Sha224RestorePos(Sha224* s1, Sha224* s2) {
-	hashRestorePos((wolfssl_TI_Hash *)s1, (wolfssl_TI_Hash *)s2) ;
+WOLFSSL_API int wc_Sha224Hash(const byte* data, word32 len, byte*hash)
+{
+    return hashHash(data, len, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE);
 }
 
-WOLFSSL_API int wc_Sha224Hash(const byte* data, word32 len, byte*hash)
-{ 
-    return hashHash(data, len, hash, SHAMD5_ALGO_SHA224, SHA224_DIGEST_SIZE) ;
+WOLFSSL_API void wc_Sha224Free(Sha224* sha224)
+{
+    hashFree((wolfssl_TI_Hash *)sha224);
 }
 
-#endif /* HAVE_SHA224 */
+#endif /* WOLFSSL_SHA224 */
 
 #if !defined(NO_SHA256)
-WOLFSSL_API int wc_InitSha256(Sha256* sha256)
+WOLFSSL_API int wc_InitSha256_ex(Sha256* sha256, void* heap, int devId)
 {
     if (sha256 == NULL)
-        return 1 ;
-    if(!wolfSSL_TI_CCMInit())return 1 ;
-    return hashInit((wolfssl_TI_Hash *)sha256) ;
+        return 1;
+    (void)heap;
+    (void)devId;
+    return hashInit((wolfssl_TI_Hash *)sha256);
+}
+
+WOLFSSL_API int wc_InitSha256(Sha256* sha256)
+{
+    return wc_InitSha256_ex(sha256, NULL, INVALID_DEVID);
 }
 
 WOLFSSL_API int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len)
 {
-    return hashUpdate((wolfssl_TI_Hash *)sha256, data, len) ;
+    return hashUpdate((wolfssl_TI_Hash *)sha256, data, len);
 }
 
 WOLFSSL_API int wc_Sha256Final(Sha256* sha256, byte* hash)
 {
-    return hashFinal((wolfssl_TI_Hash *)sha256, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE) ;
+    return hashFinal((wolfssl_TI_Hash *)sha256, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE);
 }
 
 WOLFSSL_API int wc_Sha256GetHash(Sha256* sha256, byte* hash)
 {
-    return hashGetHash(sha256, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE) ;
+    return hashGetHash(sha256, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE);
 }
 
-WOLFSSL_API void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) {
-	hashRestorePos((wolfssl_TI_Hash *)s1, (wolfssl_TI_Hash *)s2) ;
+WOLFSSL_API int wc_Sha256Hash(const byte* data, word32 len, byte*hash)
+{
+    return hashHash(data, len, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE);
 }
 
-WOLFSSL_API int wc_Sha256Hash(const byte* data, word32 len, byte*hash)
+WOLFSSL_API void wc_Sha256Free(Sha256* sha256)
 {
-    return hashHash(data, len, hash, SHAMD5_ALGO_SHA256, SHA256_DIGEST_SIZE) ;
+    hashFree((wolfssl_TI_Hash *)sha256);
 }
-#endif
+
+#endif /* !NO_SHA256 */
 
 #endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pwdbased.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pwdbased.c
index b9764d8d0..c672c2285 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pwdbased.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/pwdbased.c
@@ -1,8 +1,8 @@
 /* pwdbased.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -27,176 +28,196 @@
 
 #ifndef NO_PWDBASED
 
-#ifdef WOLFSSL_PIC32MZ_HASH
-    #ifndef NO_MD5
-        #define wc_InitMd5   wc_InitMd5_sw
-        #define wc_Md5Update wc_Md5Update_sw
-        #define wc_Md5Final  wc_Md5Final_sw
-    #endif /* NO_MD5 */
-
-    #define wc_InitSha   wc_InitSha_sw
-    #define wc_ShaUpdate wc_ShaUpdate_sw
-    #define wc_ShaFinal  wc_ShaFinal_sw
-
-    #define wc_InitSha256   wc_InitSha256_sw
-    #define wc_Sha256Update wc_Sha256Update_sw
-    #define wc_Sha256Final  wc_Sha256Final_sw
-#endif
-
 #include <wolfssl/wolfcrypt/pwdbased.h>
 #include <wolfssl/wolfcrypt/hmac.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #include <wolfssl/wolfcrypt/integer.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
-#if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
-    #include <wolfssl/wolfcrypt/sha512.h>
-#endif
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
 
-#endif /* WOLFSSL_HAVE_MIN */
+#ifdef HAVE_PBKDF1
 
-
-#ifndef NO_SHA
-/* PBKDF1 needs at least SHA available */
-int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt,
-           int sLen, int iterations, int kLen, int hashType)
+/* PKCS#5 v1.5 with non standard extension to optionally derive the extra data (IV) */
+int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
+    const byte* passwd, int passwdLen, const byte* salt, int saltLen,
+    int iterations, int hashType, void* heap)
 {
-    Sha  sha;
-#ifndef NO_MD5
-    Md5  md5;
+    int  err;
+    int  keyLeft, ivLeft, i;
+    int  digestLeft, store;
+    int  keyOutput = 0;
+    int  diestLen;
+    byte digest[WC_MAX_DIGEST_SIZE];
+#ifdef WOLFSSL_SMALL_STACK
+    wc_HashAlg* hash = NULL;
+#else
+    wc_HashAlg  hash[1];
 #endif
-    int  hLen = (int)SHA_DIGEST_SIZE;
-    int  i, ret = 0;
-    byte buffer[SHA_DIGEST_SIZE];  /* max size */
+    enum wc_HashType hashT;
 
-    if (hashType != MD5 && hashType != SHA)
+    (void)heap;
+
+    if (key == NULL || keyLen < 0 || passwdLen < 0 || saltLen < 0 || ivLen < 0){
         return BAD_FUNC_ARG;
+    }
 
-#ifndef NO_MD5
-    if (hashType == MD5)
-        hLen = (int)MD5_DIGEST_SIZE;
-#endif
+    if (iterations <= 0)
+        iterations = 1;
 
-    if (kLen > hLen)
-        return BAD_FUNC_ARG;
+    hashT = wc_HashTypeConvert(hashType);
+    err = wc_HashGetDigestSize(hashT);
+    if (err < 0)
+        return err;
+    diestLen = err;
 
-    if (iterations < 1)
-        return BAD_FUNC_ARG;
+    /* initialize hash */
+#ifdef WOLFSSL_SMALL_STACK
+    hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), heap,
+                                DYNAMIC_TYPE_HASHCTX);
+    if (hash == NULL)
+        return MEMORY_E;
+#endif
 
-    switch (hashType) {
-#ifndef NO_MD5
-        case MD5:
-            wc_InitMd5(&md5);
-            wc_Md5Update(&md5, passwd, pLen);
-            wc_Md5Update(&md5, salt,   sLen);
-            wc_Md5Final(&md5,  buffer);
-            break;
-#endif /* NO_MD5 */
-        case SHA:
-        default:
-            ret = wc_InitSha(&sha);
-            if (ret != 0)
-                return ret;
-            wc_ShaUpdate(&sha, passwd, pLen);
-            wc_ShaUpdate(&sha, salt,   sLen);
-            wc_ShaFinal(&sha,  buffer);
-            break;
+    err = wc_HashInit_ex(hash, hashT, heap, INVALID_DEVID);
+    if (err != 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
+    #endif
+        return err;
     }
 
-    for (i = 1; i < iterations; i++) {
-        if (hashType == SHA) {
-            wc_ShaUpdate(&sha, buffer, hLen);
-            wc_ShaFinal(&sha,  buffer);
+    keyLeft = keyLen;
+    ivLeft  = ivLen;
+    while (keyOutput < (keyLen + ivLen)) {
+        digestLeft = diestLen;
+        /* D_(i - 1) */
+        if (keyOutput) { /* first time D_0 is empty */
+            err = wc_HashUpdate(hash, hashT, digest, diestLen);
+            if (err != 0) break;
         }
-#ifndef NO_MD5
-        else {
-            wc_Md5Update(&md5, buffer, hLen);
-            wc_Md5Final(&md5,  buffer);
+
+        /* data */
+        err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
+        if (err != 0) break;
+
+        /* salt */
+        if (salt) {
+            err = wc_HashUpdate(hash, hashT, salt, saltLen);
+            if (err != 0) break;
         }
-#endif
-    }
-    XMEMCPY(output, buffer, kLen);
 
-    return 0;
-}
-#endif /* NO_SHA */
+        err = wc_HashFinal(hash, hashT, digest);
+        if (err != 0) break;
 
+        /* count */
+        for (i = 1; i < iterations; i++) {
+            err = wc_HashUpdate(hash, hashT, digest, diestLen);
+            if (err != 0) break;
 
-int GetDigestSize(int hashType)
-{
-    int hLen;
+            err = wc_HashFinal(hash, hashT, digest);
+            if (err != 0) break;
+        }
 
-    switch (hashType) {
-#ifndef NO_MD5
-        case MD5:
-            hLen = MD5_DIGEST_SIZE;
-            break;
-#endif
-#ifndef NO_SHA
-        case SHA:
-            hLen = SHA_DIGEST_SIZE;
-            break;
-#endif
-#ifndef NO_SHA256
-        case SHA256:
-            hLen = SHA256_DIGEST_SIZE;
-            break;
-#endif
-#ifdef WOLFSSL_SHA512
-        case SHA512:
-            hLen = SHA512_DIGEST_SIZE;
-            break;
-#endif
-        default:
-            return BAD_FUNC_ARG;
+        if (keyLeft) {
+            store = min(keyLeft, diestLen);
+            XMEMCPY(&key[keyLen - keyLeft], digest, store);
+
+            keyOutput  += store;
+            keyLeft    -= store;
+            digestLeft -= store;
+        }
+
+        if (ivLeft && digestLeft) {
+            store = min(ivLeft, digestLeft);
+            if (iv != NULL)
+                XMEMCPY(&iv[ivLen - ivLeft],
+                        &digest[diestLen - digestLeft], store);
+            keyOutput += store;
+            ivLeft    -= store;
+        }
     }
 
-    return hLen;
-}
+    wc_HashFree(hash, hashT);
 
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
+#endif
 
-int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
+    if (err != 0)
+        return err;
+
+    if (keyOutput != (keyLen + ivLen))
+        return BUFFER_E;
+
+    return err;
+}
+
+/* PKCS#5 v1.5 */
+int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt,
            int sLen, int iterations, int kLen, int hashType)
 {
+    return wc_PBKDF1_ex(output, kLen, NULL, 0,
+        passwd, pLen, salt, sLen, iterations, hashType, NULL);
+}
+
+#endif /* HAVE_PKCS5 */
+
+#ifdef HAVE_PBKDF2
+
+int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
+           int sLen, int iterations, int kLen, int hashType, void* heap, int devId)
+{
     word32 i = 1;
     int    hLen;
     int    j, ret;
-    Hmac   hmac;
 #ifdef WOLFSSL_SMALL_STACK
     byte*  buffer;
+    Hmac*  hmac;
 #else
-    byte   buffer[MAX_DIGEST_SIZE];
+    byte   buffer[WC_MAX_DIGEST_SIZE];
+    Hmac   hmac[1];
 #endif
+    enum wc_HashType hashT;
+
+    if (output == NULL || pLen < 0 || sLen < 0 || kLen < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (iterations <= 0)
+        iterations = 1;
 
-    hLen = GetDigestSize(hashType);
+    hashT = wc_HashTypeConvert(hashType);
+    hLen = wc_HashGetDigestSize(hashT);
     if (hLen < 0)
         return BAD_FUNC_ARG;
 
 #ifdef WOLFSSL_SMALL_STACK
-    buffer = (byte*)XMALLOC(MAX_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    buffer = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (buffer == NULL)
         return MEMORY_E;
+    hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC);
+    if (hmac == NULL) {
+        XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        return MEMORY_E;
+    }
 #endif
 
-    ret = wc_HmacSetKey(&hmac, hashType, passwd, pLen);
-
+    ret = wc_HmacInit(hmac, heap, devId);
     if (ret == 0) {
-        while (kLen) {
+        /* use int hashType here, since HMAC FIPS uses the old unique value */
+        ret = wc_HmacSetKey(hmac, hashType, passwd, pLen);
+
+        while (ret == 0 && kLen) {
             int currentLen;
 
-            ret = wc_HmacUpdate(&hmac, salt, sLen);
+            ret = wc_HmacUpdate(hmac, salt, sLen);
             if (ret != 0)
                 break;
 
@@ -204,7 +225,7 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
             for (j = 0; j < 4; j++) {
                 byte b = (byte)(i >> ((3-j) * 8));
 
-                ret = wc_HmacUpdate(&hmac, &b, 1);
+                ret = wc_HmacUpdate(hmac, &b, 1);
                 if (ret != 0)
                     break;
             }
@@ -213,7 +234,7 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
             if (ret != 0)
                 break;
 
-            ret = wc_HmacFinal(&hmac, buffer);
+            ret = wc_HmacFinal(hmac, buffer);
             if (ret != 0)
                 break;
 
@@ -221,10 +242,10 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
             XMEMCPY(output, buffer, currentLen);
 
             for (j = 1; j < iterations; j++) {
-                ret = wc_HmacUpdate(&hmac, buffer, hLen);
+                ret = wc_HmacUpdate(hmac, buffer, hLen);
                 if (ret != 0)
                     break;
-                ret = wc_HmacFinal(&hmac, buffer);
+                ret = wc_HmacFinal(hmac, buffer);
                 if (ret != 0)
                     break;
                 xorbuf(output, buffer, currentLen);
@@ -238,171 +259,98 @@ int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
             kLen   -= currentLen;
             i++;
         }
+        wc_HmacFree(hmac);
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(hmac, heap, DYNAMIC_TYPE_HMAC);
 #endif
 
     return ret;
 }
 
-#ifdef WOLFSSL_SHA512
-    #define PBKDF_DIGEST_SIZE SHA512_BLOCK_SIZE
-#elif !defined(NO_SHA256)
-    #define PBKDF_DIGEST_SIZE SHA256_BLOCK_SIZE
-#else
-    #define PBKDF_DIGEST_SIZE SHA_DIGEST_SIZE
-#endif
-
-/* helper for wc_PKCS12_PBKDF(), sets block and digest sizes */
-int GetPKCS12HashSizes(int hashType, word32* v, word32* u)
+int wc_PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt,
+           int sLen, int iterations, int kLen, int hashType)
 {
-    if (!v || !u)
-        return BAD_FUNC_ARG;
+    return wc_PBKDF2_ex(output, passwd, pLen, salt, sLen, iterations, kLen,
+        hashType, NULL, INVALID_DEVID);
+}
 
-    switch (hashType) {
-#ifndef NO_MD5
-        case MD5:
-            *v = MD5_BLOCK_SIZE;
-            *u = MD5_DIGEST_SIZE;
-            break;
-#endif
-#ifndef NO_SHA
-        case SHA:
-            *v = SHA_BLOCK_SIZE;
-            *u = SHA_DIGEST_SIZE;
-            break;
-#endif
-#ifndef NO_SHA256
-        case SHA256:
-            *v = SHA256_BLOCK_SIZE;
-            *u = SHA256_DIGEST_SIZE;
-            break;
-#endif
-#ifdef WOLFSSL_SHA512
-        case SHA512:
-            *v = SHA512_BLOCK_SIZE;
-            *u = SHA512_DIGEST_SIZE;
-            break;
-#endif
-        default:
-            return BAD_FUNC_ARG;
-    }
+#endif /* HAVE_PBKDF2 */
 
-    return 0;
-}
+#ifdef HAVE_PKCS12
 
 /* helper for PKCS12_PBKDF(), does hash operation */
-int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen,
+static int DoPKCS12Hash(int hashType, byte* buffer, word32 totalLen,
                  byte* Ai, word32 u, int iterations)
 {
     int i;
     int ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    wc_HashAlg* hash = NULL;
+#else
+    wc_HashAlg  hash[1];
+#endif
+    enum wc_HashType hashT;
 
-    if (buffer == NULL || Ai == NULL)
+    if (buffer == NULL || Ai == NULL) {
         return BAD_FUNC_ARG;
+    }
 
-    switch (hashType) {
-#ifndef NO_MD5
-        case MD5:
-            {
-                Md5 md5;
-                wc_InitMd5(&md5);
-                wc_Md5Update(&md5, buffer, totalLen);
-                wc_Md5Final(&md5, Ai);
-
-                for (i = 1; i < iterations; i++) {
-                    wc_Md5Update(&md5, Ai, u);
-                    wc_Md5Final(&md5, Ai);
-                }
-            }
-            break;
-#endif /* NO_MD5 */
-#ifndef NO_SHA
-        case SHA:
-            {
-                Sha sha;
-                ret = wc_InitSha(&sha);
-                if (ret != 0)
-                    break;
-                wc_ShaUpdate(&sha, buffer, totalLen);
-                wc_ShaFinal(&sha, Ai);
-
-                for (i = 1; i < iterations; i++) {
-                    wc_ShaUpdate(&sha, Ai, u);
-                    wc_ShaFinal(&sha, Ai);
-                }
-            }
-            break;
-#endif /* NO_SHA */
-#ifndef NO_SHA256
-        case SHA256:
-            {
-                Sha256 sha256;
-                ret = wc_InitSha256(&sha256);
-                if (ret != 0)
-                    break;
+    hashT = wc_HashTypeConvert(hashType);
 
-                ret = wc_Sha256Update(&sha256, buffer, totalLen);
-                if (ret != 0)
-                    break;
+    /* initialize hash */
+#ifdef WOLFSSL_SMALL_STACK
+    hash = (wc_HashAlg*)XMALLOC(sizeof(wc_HashAlg), NULL,
+                                DYNAMIC_TYPE_HASHCTX);
+    if (hash == NULL)
+        return MEMORY_E;
+#endif
 
-                ret = wc_Sha256Final(&sha256, Ai);
-                if (ret != 0)
-                    break;
+    ret = wc_HashInit(hash, hashT);
+    if (ret != 0) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX);
+    #endif
+        return ret;
+    }
 
-                for (i = 1; i < iterations; i++) {
-                    ret = wc_Sha256Update(&sha256, Ai, u);
-                    if (ret != 0)
-                        break;
+    ret = wc_HashUpdate(hash, hashT, buffer, totalLen);
 
-                    ret = wc_Sha256Final(&sha256, Ai);
-                    if (ret != 0)
-                        break;
-                }
-            }
-            break;
-#endif /* NO_SHA256 */
-#ifdef WOLFSSL_SHA512
-        case SHA512:
-            {
-                Sha512 sha512;
-                ret = wc_InitSha512(&sha512);
-                if (ret != 0)
-                    break;
+    if (ret == 0)
+        ret = wc_HashFinal(hash, hashT, Ai);
 
-                ret = wc_Sha512Update(&sha512, buffer, totalLen);
-                if (ret != 0)
-                    break;
+    for (i = 1; i < iterations; i++) {
+        if (ret == 0)
+            ret = wc_HashUpdate(hash, hashT, Ai, u);
+        if (ret == 0)
+            ret = wc_HashFinal(hash, hashT, Ai);
+    }
 
-                ret = wc_Sha512Final(&sha512, Ai);
-                if (ret != 0)
-                    break;
+    wc_HashFree(hash, hashT);
 
-                for (i = 1; i < iterations; i++) {
-                    ret = wc_Sha512Update(&sha512, Ai, u);
-                    if (ret != 0)
-                        break;
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(hash, NULL, DYNAMIC_TYPE_HASHCTX);
+#endif
 
-                    ret = wc_Sha512Final(&sha512, Ai);
-                    if (ret != 0)
-                        break;
-                }
-            }
-            break;
-#endif /* WOLFSSL_SHA512 */
+    return ret;
+}
 
-        default:
-            ret = BAD_FUNC_ARG;
-            break;
-    }
 
-    return ret;
+int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,
+    const byte* salt, int saltLen, int iterations, int kLen, int hashType,
+    int id)
+{
+    return wc_PKCS12_PBKDF_ex(output, passwd, passLen, salt, saltLen,
+                              iterations, kLen, hashType, id, NULL);
 }
 
-int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* salt,
-                 int saltLen, int iterations, int kLen, int hashType, int id)
+
+/* extended API that allows a heap hint to be used */
+int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen,
+                       const byte* salt, int saltLen, int iterations, int kLen,
+                       int hashType, int id, void* heap)
 {
     /* all in bytes instead of bits */
     word32 u, v, dLen, pLen, iLen, sLen, totalLen;
@@ -421,34 +369,48 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* sa
     byte*  Ai;
     byte*  B;
 #else
-    byte   Ai[PBKDF_DIGEST_SIZE];
-    byte   B[PBKDF_DIGEST_SIZE];
+    byte   Ai[WC_MAX_DIGEST_SIZE];
+    byte   B[WC_MAX_BLOCK_SIZE];
 #endif
+    enum wc_HashType hashT;
+
+    (void)heap;
+
+    if (output == NULL || passLen < 0 || saltLen < 0 || kLen < 0) {
+        return BAD_FUNC_ARG;
+    }
 
-    if (!iterations)
+    if (iterations <= 0)
         iterations = 1;
 
-    ret = GetPKCS12HashSizes(hashType, &v, &u);
+    hashT = wc_HashTypeConvert(hashType);
+    ret = wc_HashGetDigestSize(hashT);
     if (ret < 0)
-        return BAD_FUNC_ARG;
+        return ret;
+    u = ret;
+
+    ret = wc_HashGetBlockSize(hashT);
+    if (ret < 0)
+        return ret;
+    v = ret;
 
 #ifdef WOLFSSL_SMALL_STACK
-    Ai = (byte*)XMALLOC(PBKDF_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    Ai = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (Ai == NULL)
         return MEMORY_E;
 
-    B = (byte*)XMALLOC(PBKDF_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    B = (byte*)XMALLOC(WC_MAX_BLOCK_SIZE, heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (B == NULL) {
-        XFREE(Ai, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
         return MEMORY_E;
     }
 #endif
 
-    XMEMSET(Ai, 0, PBKDF_DIGEST_SIZE);
-    XMEMSET(B,  0, PBKDF_DIGEST_SIZE);
+    XMEMSET(Ai, 0, WC_MAX_DIGEST_SIZE);
+    XMEMSET(B,  0, WC_MAX_BLOCK_SIZE);
 
     dLen = v;
-    sLen =  v * ((saltLen + v - 1) / v);
+    sLen = v * ((saltLen + v - 1) / v);
     if (passLen)
         pLen = v * ((passLen + v - 1) / v);
     else
@@ -458,11 +420,11 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* sa
     totalLen = dLen + sLen + pLen;
 
     if (totalLen > sizeof(staticBuffer)) {
-        buffer = (byte*)XMALLOC(totalLen, 0, DYNAMIC_TYPE_KEY);
+        buffer = (byte*)XMALLOC(totalLen, heap, DYNAMIC_TYPE_KEY);
         if (buffer == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
-            XFREE(Ai, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            XFREE(B,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(B,  heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
             return MEMORY_E;
         }
@@ -522,7 +484,7 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* sa
             else {
                 if (outSz > (int)v) {
                     /* take off MSB */
-                    byte  tmp[129];
+                    byte  tmp[WC_MAX_BLOCK_SIZE + 1];
                     ret = mp_to_unsigned_bin(&res, tmp);
                     XMEMCPY(I + i, tmp + 1, v);
                 }
@@ -546,17 +508,288 @@ int wc_PKCS12_PBKDF(byte* output, const byte* passwd, int passLen,const byte* sa
         mp_clear(&B1);
     }
 
-    if (dynamic) XFREE(buffer, 0, DYNAMIC_TYPE_KEY);
+    if (dynamic) XFREE(buffer, heap, DYNAMIC_TYPE_KEY);
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(Ai, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(B,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(Ai, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(B,  heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
     return ret;
 }
 
-#undef PBKDF_DIGEST_SIZE
+#endif /* HAVE_PKCS12 */
 
-#endif /* NO_PWDBASED */
+#ifdef HAVE_SCRYPT
+/* Rotate the 32-bit value a by b bits to the left.
+ *
+ * a  32-bit value.
+ * b  Number of bits to rotate.
+ * returns rotated value.
+ */
+#define R(a, b) rotlFixed(a, b)
 
+/* One round of Salsa20/8.
+ * Code taken from RFC 7914: scrypt PBKDF.
+ *
+ * out  Output buffer.
+ * in   Input data to hash.
+ */
+static void scryptSalsa(word32* out, word32* in)
+{
+    int    i;
+    word32 x[16];
+
+#ifdef LITTLE_ENDIAN_ORDER
+    for (i = 0; i < 16; ++i)
+        x[i] = in[i];
+#else
+    for (i = 0; i < 16; i++)
+        x[i] = ByteReverseWord32(in[i]);
+#endif
+    for (i = 8; i > 0; i -= 2) {
+        x[ 4] ^= R(x[ 0] + x[12],  7);  x[ 8] ^= R(x[ 4] + x[ 0],  9);
+        x[12] ^= R(x[ 8] + x[ 4], 13);  x[ 0] ^= R(x[12] + x[ 8], 18);
+        x[ 9] ^= R(x[ 5] + x[ 1],  7);  x[13] ^= R(x[ 9] + x[ 5],  9);
+        x[ 1] ^= R(x[13] + x[ 9], 13);  x[ 5] ^= R(x[ 1] + x[13], 18);
+        x[14] ^= R(x[10] + x[ 6],  7);  x[ 2] ^= R(x[14] + x[10],  9);
+        x[ 6] ^= R(x[ 2] + x[14], 13);  x[10] ^= R(x[ 6] + x[ 2], 18);
+        x[ 3] ^= R(x[15] + x[11],  7);  x[ 7] ^= R(x[ 3] + x[15],  9);
+        x[11] ^= R(x[ 7] + x[ 3], 13);  x[15] ^= R(x[11] + x[ 7], 18);
+        x[ 1] ^= R(x[ 0] + x[ 3],  7);  x[ 2] ^= R(x[ 1] + x[ 0],  9);
+        x[ 3] ^= R(x[ 2] + x[ 1], 13);  x[ 0] ^= R(x[ 3] + x[ 2], 18);
+        x[ 6] ^= R(x[ 5] + x[ 4],  7);  x[ 7] ^= R(x[ 6] + x[ 5],  9);
+        x[ 4] ^= R(x[ 7] + x[ 6], 13);  x[ 5] ^= R(x[ 4] + x[ 7], 18);
+        x[11] ^= R(x[10] + x[ 9],  7);  x[ 8] ^= R(x[11] + x[10],  9);
+        x[ 9] ^= R(x[ 8] + x[11], 13);  x[10] ^= R(x[ 9] + x[ 8], 18);
+        x[12] ^= R(x[15] + x[14],  7);  x[13] ^= R(x[12] + x[15],  9);
+        x[14] ^= R(x[13] + x[12], 13);  x[15] ^= R(x[14] + x[13], 18);
+    }
+#ifdef LITTLE_ENDIAN_ORDER
+    for (i = 0; i < 16; ++i)
+        out[i] = in[i] + x[i];
+#else
+    for (i = 0; i < 16; i++)
+        out[i] = ByteReverseWord32(ByteReverseWord32(in[i]) + x[i]);
+#endif
+}
+
+/* Mix a block using Salsa20/8.
+ * Based on RFC 7914: scrypt PBKDF.
+ *
+ * b  Blocks to mix.
+ * y  Temporary storage.
+ * r  Size of the block.
+ */
+static void scryptBlockMix(byte* b, byte* y, int r)
+{
+    byte x[64];
+#ifdef WORD64_AVAILABLE
+    word64* b64 = (word64*)b;
+    word64* y64 = (word64*)y;
+    word64* x64 = (word64*)x;
+#else
+    word32* b32 = (word32*)b;
+    word32* y32 = (word32*)y;
+    word32* x32 = (word32*)x;
+#endif
+    int  i;
+    int  j;
+
+    /* Step 1. */
+    XMEMCPY(x, b + (2 * r - 1) * 64, sizeof(x));
+    /* Step 2. */
+    for (i = 0; i < 2 * r; i++)
+    {
+#ifdef WORD64_AVAILABLE
+        for (j = 0; j < 8; j++)
+            x64[j] ^= b64[i * 8 + j];
+#else
+        for (j = 0; j < 16; j++)
+            x32[j] ^= b32[i * 16 + j];
+#endif
+        scryptSalsa((word32*)x, (word32*)x);
+        XMEMCPY(y + i * 64, x, sizeof(x));
+    }
+    /* Step 3. */
+    for (i = 0; i < r; i++) {
+#ifdef WORD64_AVAILABLE
+        for (j = 0; j < 8; j++) {
+            b64[i * 8 + j] = y64[2 * i * 8 + j];
+            b64[(r + i) * 8 + j] = y64[(2 * i + 1) * 8 + j];
+        }
+#else
+        for (j = 0; j < 16; j++) {
+            b32[i * 16 + j] = y32[2 * i * 16 + j];
+            b32[(r + i) * 16 + j] = y32[(2 * i + 1) * 16 + j];
+        }
+#endif
+    }
+}
+
+/* Random oracles mix.
+ * Based on RFC 7914: scrypt PBKDF.
+ *
+ * x  Data to mix.
+ * v  Temporary buffer.
+ * y  Temporary buffer for the block mix.
+ * r  Block size parameter.
+ * n  CPU/Memory cost parameter.
+ */
+static void scryptROMix(byte* x, byte* v, byte* y, int r, word32 n)
+{
+    word32 i;
+    word32 j;
+    word32 k;
+    word32 bSz = 128 * r;
+#ifdef WORD64_AVAILABLE
+    word64* x64 = (word64*)x;
+    word64* v64 = (word64*)v;
+#else
+    word32* x32 = (word32*)x;
+    word32* v32 = (word32*)v;
+#endif
+
+    /* Step 1. X = B (B not needed therefore not implemented) */
+    /* Step 2. */
+    for (i = 0; i < n; i++)
+    {
+        XMEMCPY(v + i * bSz, x, bSz);
+        scryptBlockMix(x, y, r);
+    }
+
+    /* Step 3. */
+    for (i = 0; i < n; i++)
+    {
+#ifdef LITTLE_ENDIAN_ORDER
+#ifdef WORD64_AVAILABLE
+        j = *(word64*)(x + (2*r - 1) * 64) & (n-1);
+#else
+        j = *(word32*)(x + (2*r - 1) * 64) & (n-1);
+#endif
+#else
+        byte* t = x + (2*r - 1) * 64;
+        j = (t[0] | (t[1] << 8) | (t[2] << 16) | ((word32)t[3] << 24)) & (n-1);
+#endif
+#ifdef WORD64_AVAILABLE
+        for (k = 0; k < bSz / 8; k++)
+            x64[k] ^= v64[j * bSz / 8 + k];
+#else
+        for (k = 0; k < bSz / 4; k++)
+            x32[k] ^= v32[j * bSz / 4 + k];
+#endif
+        scryptBlockMix(x, y, r);
+    }
+    /* Step 4. B' = X (B = X = B' so not needed, therefore not implemented) */
+}
+
+/* Generates an key derived from a password and salt using a memory hard
+ * algorithm.
+ * Implements RFC 7914: scrypt PBKDF.
+ *
+ * output     The derived key.
+ * passwd     The password to derive key from.
+ * passLen    The length of the password.
+ * salt       The key specific data.
+ * saltLen    The length of the salt data.
+ * cost       The CPU/memory cost parameter. Range: 1..(128*r/8-1)
+ *            (Iterations = 2^cost)
+ * blockSize  The number of 128 byte octets in a working block.
+ * parallel   The number of parallel mix operations to perform.
+ *            (Note: this implementation does not use threads.)
+ * dkLen      The length of the derived key in bytes.
+ * returns BAD_FUNC_ARG when: blockSize is too large for cost.
+ */
+int wc_scrypt(byte* output, const byte* passwd, int passLen,
+              const byte* salt, int saltLen, int cost, int blockSize,
+              int parallel, int dkLen)
+{
+    int    ret = 0;
+    int    i;
+    byte*  v = NULL;
+    byte*  y = NULL;
+    byte*  blocks = NULL;
+    word32 blocksSz;
+    word32 bSz;
+
+    if (blockSize > 8)
+        return BAD_FUNC_ARG;
+
+    if (cost < 1 || cost >= 128 * blockSize / 8 || parallel < 1 || dkLen < 1)
+        return BAD_FUNC_ARG;
+
+    bSz = 128 * blockSize;
+    blocksSz = bSz * parallel;
+    blocks = (byte*)XMALLOC(blocksSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (blocks == NULL)
+        goto end;
+    /* Temporary for scryptROMix. */
+    v = (byte*)XMALLOC((1 << cost) * bSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (v == NULL)
+        goto end;
+    /* Temporary for scryptBlockMix. */
+    y = (byte*)XMALLOC(blockSize * 128, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (y == NULL)
+        goto end;
+
+    /* Step 1. */
+    ret = wc_PBKDF2(blocks, passwd, passLen, salt, saltLen, 1, blocksSz,
+                    WC_SHA256);
+    if (ret != 0)
+        goto end;
+
+    /* Step 2. */
+    for (i = 0; i < parallel; i++)
+        scryptROMix(blocks + i * bSz, v, y, blockSize, 1 << cost);
+
+    /* Step 3. */
+    ret = wc_PBKDF2(output, passwd, passLen, blocks, blocksSz, 1, dkLen,
+                    WC_SHA256);
+end:
+    if (blocks != NULL)
+        XFREE(blocks, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (v != NULL)
+        XFREE(v, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (y != NULL)
+        XFREE(y, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+
+/* Generates an key derived from a password and salt using a memory hard
+ * algorithm.
+ * Implements RFC 7914: scrypt PBKDF.
+ *
+ * output      Derived key.
+ * passwd      Password to derive key from.
+ * passLen     Length of the password.
+ * salt        Key specific data.
+ * saltLen     Length of the salt data.
+ * iterations  Number of iterations to perform. Range: 1 << (1..(128*r/8-1))
+ * blockSize   Number of 128 byte octets in a working block.
+ * parallel    Number of parallel mix operations to perform.
+ *             (Note: this implementation does not use threads.)
+ * dkLen       Length of the derived key in bytes.
+ * returns BAD_FUNC_ARG when: iterations is not a power of 2 or blockSize is too
+ *                            large for iterations.
+ */
+int wc_scrypt_ex(byte* output, const byte* passwd, int passLen,
+                 const byte* salt, int saltLen, word32 iterations,
+                 int blockSize, int parallel, int dkLen)
+{
+    int cost;
+
+    /* Iterations must be a power of 2. */
+    if ((iterations & (iterations - 1)) != 0)
+        return BAD_FUNC_ARG;
+
+    for (cost = -1; iterations != 0; cost++) {
+        iterations >>= 1;
+    }
+
+    return wc_scrypt(output, passwd, passLen, salt, saltLen, cost, blockSize,
+                     parallel, dkLen);
+}
+#endif /* HAVE_SCRYPT */
+
+#endif /* NO_PWDBASED */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rabbit.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rabbit.c
index fc7861115..820fd0ac3 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rabbit.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rabbit.c
@@ -1,8 +1,8 @@
 /* rabbit.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -33,6 +34,7 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
@@ -86,7 +88,7 @@ static void RABBIT_next_state(RabbitCtx* ctx)
     ctx->c[6] = U32V(ctx->c[6] + 0x4D34D34D + (ctx->c[5] < c_old[5]));
     ctx->c[7] = U32V(ctx->c[7] + 0xD34D34D3 + (ctx->c[6] < c_old[6]));
     ctx->carry = (ctx->c[7] < c_old[7]);
-   
+
     /* Calculate the g-values */
     for (i=0;i<8;i++)
         g[i] = RABBIT_g_func(U32V(ctx->x[i] + ctx->c[i]));
@@ -114,7 +116,7 @@ static void wc_RabbitSetIV(Rabbit* ctx, const byte* inIv)
         XMEMCPY(iv, inIv, sizeof(iv));
     else
         XMEMSET(iv,    0, sizeof(iv));
-      
+
     /* Generate four subvectors */
     i0 = LITTLE32(iv[0]);
     i2 = LITTLE32(iv[1]);
@@ -143,7 +145,7 @@ static void wc_RabbitSetIV(Rabbit* ctx, const byte* inIv)
 
 
 /* Key setup */
-static INLINE int DoKey(Rabbit* ctx, const byte* key, const byte* iv)
+static WC_INLINE int DoKey(Rabbit* ctx, const byte* key, const byte* iv)
 {
     /* Temporary variables */
     word32 k0, k1, k2, k3, i;
@@ -198,10 +200,36 @@ static INLINE int DoKey(Rabbit* ctx, const byte* key, const byte* iv)
 }
 
 
+int wc_Rabbit_SetHeap(Rabbit* ctx, void* heap)
+{
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef XSTREAM_ALIGN
+    ctx->heap = heap;
+#endif
+
+    (void)heap;
+    return 0;
+}
+
+
 /* Key setup */
 int wc_RabbitSetKey(Rabbit* ctx, const byte* key, const byte* iv)
 {
+    if (ctx == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef XSTREAM_ALIGN
+    /* default heap to NULL or heap test value */
+    #ifdef WOLFSSL_HEAP_TEST
+        ctx->heap = (void*)WOLFSSL_HEAP_TEST;
+    #else
+        ctx->heap = NULL;
+    #endif /* WOLFSSL_HEAP_TEST */
+
     if ((wolfssl_word)key % 4) {
         int alignKey[4];
 
@@ -219,7 +247,7 @@ int wc_RabbitSetKey(Rabbit* ctx, const byte* key, const byte* iv)
 
 
 /* Encrypt/decrypt a message of any size */
-static INLINE int DoProcess(Rabbit* ctx, byte* output, const byte* input,
+static WC_INLINE int DoProcess(Rabbit* ctx, byte* output, const byte* input,
                             word32 msglen)
 {
     /* Encrypt/decrypt all full blocks */
@@ -262,11 +290,11 @@ static INLINE int DoProcess(Rabbit* ctx, byte* output, const byte* input,
         /* Generate 16 bytes of pseudo-random data */
         tmp[0] = LITTLE32(ctx->workCtx.x[0] ^
                   (ctx->workCtx.x[5]>>16) ^ U32V(ctx->workCtx.x[3]<<16));
-        tmp[1] = LITTLE32(ctx->workCtx.x[2] ^ 
+        tmp[1] = LITTLE32(ctx->workCtx.x[2] ^
                   (ctx->workCtx.x[7]>>16) ^ U32V(ctx->workCtx.x[5]<<16));
-        tmp[2] = LITTLE32(ctx->workCtx.x[4] ^ 
+        tmp[2] = LITTLE32(ctx->workCtx.x[4] ^
                   (ctx->workCtx.x[1]>>16) ^ U32V(ctx->workCtx.x[7]<<16));
-        tmp[3] = LITTLE32(ctx->workCtx.x[6] ^ 
+        tmp[3] = LITTLE32(ctx->workCtx.x[6] ^
                   (ctx->workCtx.x[3]>>16) ^ U32V(ctx->workCtx.x[1]<<16));
 
         /* Encrypt/decrypt the data */
@@ -281,20 +309,24 @@ static INLINE int DoProcess(Rabbit* ctx, byte* output, const byte* input,
 /* Encrypt/decrypt a message of any size */
 int wc_RabbitProcess(Rabbit* ctx, byte* output, const byte* input, word32 msglen)
 {
+    if (ctx == NULL || output == NULL || input == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #ifdef XSTREAM_ALIGN
     if ((wolfssl_word)input % 4 || (wolfssl_word)output % 4) {
         #ifndef NO_WOLFSSL_ALLOC_ALIGN
             byte* tmp;
             WOLFSSL_MSG("wc_RabbitProcess unaligned");
 
-            tmp = (byte*)XMALLOC(msglen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            tmp = (byte*)XMALLOC(msglen, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
             if (tmp == NULL) return MEMORY_E;
 
             XMEMCPY(tmp, input, msglen);
             DoProcess(ctx, tmp, tmp, msglen);
             XMEMCPY(output, tmp, msglen);
 
-            XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(tmp, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
             return 0;
         #else
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/random.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/random.c
index 4a1f7ea5b..53041d164 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/random.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/random.c
@@ -1,8 +1,8 @@
 /* random.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,135 +16,247 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
- 
+
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 /* on HPUX 11 you may need to install /dev/random see
    http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I
 
 */
 
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$c")
+        #pragma const_seg(".fipsB$c")
+    #endif
+#endif
+
+
 #include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+
+
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
-#ifdef HAVE_FIPS
 int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz)
 {
     return GenerateSeed(os, seed, sz);
 }
 
-#ifdef HAVE_CAVIUM
-    int  wc_InitRngCavium(RNG* rng, int i)
-    {
-        return InitRngCavium(rng, i);
-    }
-#endif
-
+int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId)
+{
+    (void)heap;
+    (void)devId;
+    return InitRng_fips(rng);
+}
 
-int  wc_InitRng(RNG* rng)
+int wc_InitRng(WC_RNG* rng)
 {
     return InitRng_fips(rng);
 }
 
 
-int  wc_RNG_GenerateBlock(RNG* rng, byte* b, word32 sz)
+int wc_RNG_GenerateBlock(WC_RNG* rng, byte* b, word32 sz)
 {
     return RNG_GenerateBlock_fips(rng, b, sz);
 }
 
 
-int  wc_RNG_GenerateByte(RNG* rng, byte* b)
+int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
 {
     return RNG_GenerateByte(rng, b);
 }
 
-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+#ifdef HAVE_HASHDRBG
 
-    int wc_FreeRng(RNG* rng)
+    int wc_FreeRng(WC_RNG* rng)
     {
         return FreeRng_fips(rng);
     }
 
-
-    int wc_RNG_HealthTest(int reseed,
-                                        const byte* entropyA, word32 entropyASz,
-                                        const byte* entropyB, word32 entropyBSz,
-                                        byte* output, word32 outputSz)
+    int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz,
+                                      const byte* seedB, word32 seedBSz,
+                                      byte* output, word32 outputSz)
     {
-        return RNG_HealthTest_fips(reseed, entropyA, entropyASz,
-                              entropyB, entropyBSz, output, outputSz);
-    }
-#endif /* HAVE_HASHDRBG || NO_RC4 */
-#else /* else build without fips */
-#include <wolfssl/wolfcrypt/error-crypt.h>
+        return RNG_HealthTest_fips(reseed, seedA, seedASz,
+                              seedB, seedBSz, output, outputSz);
+   }
+#endif /* HAVE_HASHDRBG */
 
-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+#else /* else build without fips, or for new fips */
 
-    #include <wolfssl/wolfcrypt/sha256.h>
+#ifndef WC_NO_RNG /* if not FIPS and RNG is disabled then do not compile */
 
-    #ifdef NO_INLINE
-        #include <wolfssl/wolfcrypt/misc.h>
-    #else
-        #include <wolfcrypt/src/misc.c>
-    #endif
-#endif /* HAVE_HASHDRBG || NO_RC4 */
+#include <wolfssl/wolfcrypt/sha256.h>
+
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
 
-#if defined(USE_WINDOWS_API)
+#if defined(WOLFSSL_SGX)
+    #include <sgx_trts.h>
+#elif defined(USE_WINDOWS_API)
     #ifndef _WIN32_WINNT
         #define _WIN32_WINNT 0x0400
     #endif
     #include <windows.h>
     #include <wincrypt.h>
+#elif defined(HAVE_WNR)
+    #include <wnr.h>
+    #include <wolfssl/wolfcrypt/logging.h>
+    wolfSSL_Mutex wnr_mutex;    /* global netRandom mutex */
+    int wnr_timeout     = 0;    /* entropy timeout, mililseconds */
+    int wnr_mutex_init  = 0;    /* flag for mutex init */
+    wnr_context*  wnr_ctx;      /* global netRandom context */
+#elif defined(FREESCALE_KSDK_2_0_TRNG)
+    #include "fsl_trng.h"
+#elif defined(FREESCALE_KSDK_2_0_RNGA)
+    #include "fsl_rnga.h"
+#elif defined(WOLFSSL_WICED)
+    #include "wiced_crypto.h"
+#elif defined(WOLFSSL_NETBURNER)
+    #include <predef.h>
+    #include <basictypes.h>
+    #include <random.h>
+#elif defined(NO_DEV_RANDOM)
+#elif defined(CUSTOM_RAND_GENERATE)
+#elif defined(CUSTOM_RAND_GENERATE_BLOCK)
+#elif defined(CUSTOM_RAND_GENERATE_SEED)
+#elif defined(WOLFSSL_GENSEED_FORTEST)
+#elif defined(WOLFSSL_MDK_ARM)
+#elif defined(WOLFSSL_IAR_ARM)
+#elif defined(WOLFSSL_ROWLEY_ARM)
+#elif defined(WOLFSSL_EMBOS)
+#elif defined(WOLFSSL_DEOS)
+#elif defined(MICRIUM)
+#elif defined(WOLFSSL_NUCLEUS)
+#elif defined(WOLFSSL_PB)
+#elif defined(WOLFSSL_ZEPHYR)
+#elif defined(WOLFSSL_TELIT_M2MB)
+#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
 #else
-    #if !defined(NO_DEV_RANDOM) && !defined(CUSTOM_RAND_GENERATE) && \
-                          !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_IAR_ARM)
-            #include <fcntl.h>
-        #ifndef EBSNET
-            #include <unistd.h>
-        #endif
-    #else
-        /* include headers that may be needed to get good seed */
+    /* include headers that may be needed to get good seed */
+    #include <fcntl.h>
+    #ifndef EBSNET
+        #include <unistd.h>
+    #endif
+#endif
+
+
+#if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED)
+    static word32 intel_flags = 0;
+    static void wc_InitRng_IntelRD(void)
+    {
+        intel_flags = cpuid_get_flags();
+    }
+    #ifdef HAVE_INTEL_RDSEED
+    static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz);
     #endif
+    #ifdef HAVE_INTEL_RDRAND
+    static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz);
+    #endif
+
+#ifdef USE_WINDOWS_API
+    #include <immintrin.h>
 #endif /* USE_WINDOWS_API */
-    
-#ifdef HAVE_INTEL_RDGEN
-    static int wc_InitRng_IntelRD(void) ;
-    #if defined(HAVE_HASHDRBG) || defined(NO_RC4)
-	static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz) ;
+#endif
+
+/* Start NIST DRBG code */
+#ifdef HAVE_HASHDRBG
+
+#define OUTPUT_BLOCK_LEN  (WC_SHA256_DIGEST_SIZE)
+#define MAX_REQUEST_LEN   (0x10000)
+#define RESEED_INTERVAL   WC_RESEED_INTERVAL
+
+
+/* For FIPS builds, the user should not be adjusting the values. */
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    #if defined(RNG_SECURITY_STRENGTH) \
+            || defined(ENTROPY_SCALE_FACTOR) \
+            || defined(SEED_BLOCK_SZ)
+
+        #error "Do not change the RNG parameters for FIPS builds."
+    #endif
+#endif
+
+
+/* The security strength for the RNG is the target number of bits of
+ * entropy you are looking for in a seed. */
+#ifndef RNG_SECURITY_STRENGTH
+    #if defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+        /* SHA-256 requires a minimum of 256-bits of entropy. The goal
+         * of 1024 will provide 4 times that. */
+        #define RNG_SECURITY_STRENGTH (1024)
     #else
-    static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz) ;
+        /* If not using FIPS or using old FIPS, set the number down a bit.
+         * More is better, but more is also slower. */
+        #define RNG_SECURITY_STRENGTH (256)
     #endif
-    static word32 cpuid_check = 0 ;
-    static word32 cpuid_flags = 0 ;
-    #define CPUID_RDRAND 0x4
-    #define CPUID_RDSEED 0x8
-    #define IS_INTEL_RDRAND     (cpuid_flags&CPUID_RDRAND)
-    #define IS_INTEL_RDSEED     (cpuid_flags&CPUID_RDSEED)
 #endif
 
-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+#ifndef ENTROPY_SCALE_FACTOR
+    /* The entropy scale factor should be the whole number inverse of the
+     * minimum bits of entropy per bit of NDRNG output. */
+    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
+        /* The value of 2 applies to Intel's RDSEED which provides about
+         * 0.5 bits minimum of entropy per bit. */
+        #define ENTROPY_SCALE_FACTOR 2
+    #else
+        /* Setting the default to 1. */
+        #define ENTROPY_SCALE_FACTOR 1
+    #endif
+#endif
 
-/* Start NIST DRBG code */
+#ifndef SEED_BLOCK_SZ
+    /* The seed block size, is the size of the output of the underlying NDRNG.
+     * This value is used for testing the output of the NDRNG. */
+    #if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
+        /* RDSEED outputs in blocks of 64-bits. */
+        #define SEED_BLOCK_SZ sizeof(word64)
+    #else
+        /* Setting the default to 4. */
+        #define SEED_BLOCK_SZ 4
+    #endif
+#endif
+
+#define SEED_SZ        (RNG_SECURITY_STRENGTH*ENTROPY_SCALE_FACTOR/8)
+
+/* The maximum seed size will be the seed size plus a seed block for the
+ * test, and an additional half of the seed size. This additional half
+ * is in case the user does not supply a nonce. A nonce will be obtained
+ * from the NDRNG. */
+#define MAX_SEED_SZ    (SEED_SZ + SEED_SZ/2 + SEED_BLOCK_SZ)
 
-#define OUTPUT_BLOCK_LEN  (SHA256_DIGEST_SIZE)
-#define MAX_REQUEST_LEN   (0x10000)
-#define RESEED_INTERVAL   (1000000)
-#define SECURITY_STRENGTH (256)
-#define ENTROPY_SZ        (SECURITY_STRENGTH/8)
-#define NONCE_SZ          (ENTROPY_SZ/2)
-#define ENTROPY_NONCE_SZ  (ENTROPY_SZ+NONCE_SZ)
 
 /* Internal return codes */
 #define DRBG_SUCCESS      0
-#define DRBG_ERROR        1
-#define DRBG_FAILURE      2
-#define DRBG_NEED_RESEED  3
-#define DRBG_CONT_FAILURE 4
+#define DRBG_FAILURE      1
+#define DRBG_NEED_RESEED  2
+#define DRBG_CONT_FAILURE 3
 
 /* RNG health states */
 #define DRBG_NOT_INIT     0
@@ -152,6 +264,12 @@ int  wc_RNG_GenerateByte(RNG* rng, byte* b)
 #define DRBG_FAILED       2
 #define DRBG_CONT_FAILED  3
 
+#define RNG_HEALTH_TEST_CHECK_SIZE (WC_SHA256_DIGEST_SIZE * 4)
+
+/* Verify max gen block len */
+#if RNG_MAX_BLOCK_LEN > MAX_REQUEST_LEN
+    #error RNG_MAX_BLOCK_LEN is larger than NIST DBRG max request length
+#endif
 
 enum {
     drbgInitC     = 0,
@@ -161,13 +279,20 @@ enum {
     drbgInitV
 };
 
-
+/* NOTE: if DRBG struct is changed please update random.h drbg_data size */
 typedef struct DRBG {
     word32 reseedCtr;
     word32 lastBlock;
     byte V[DRBG_SEED_LEN];
     byte C[DRBG_SEED_LEN];
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+    void* heap;
+    int devId;
+#endif
     byte   matchCount;
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    wc_Sha256 sha256;
+#endif
 } DRBG;
 
 
@@ -179,73 +304,104 @@ static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type,
                                                   const byte* inA, word32 inASz,
                                                   const byte* inB, word32 inBSz)
 {
+    int ret = DRBG_FAILURE;
     byte ctr;
     int i;
     int len;
     word32 bits = (outSz * 8); /* reverse byte order */
-    Sha256 sha;
-    byte digest[SHA256_DIGEST_SIZE];
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    wc_Sha256* sha = &drbg->sha256;
+#else
+    wc_Sha256 sha[1];
+#endif
+#ifdef WC_ASYNC_ENABLE_SHA256
+    DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
+    if (digest == NULL)
+        return MEMORY_E;
+#else
+    byte digest[WC_SHA256_DIGEST_SIZE];
+#endif
 
     (void)drbg;
-    #ifdef LITTLE_ENDIAN_ORDER
-        bits = ByteReverseWord32(bits);
-    #endif
+#ifdef WC_ASYNC_ENABLE_SHA256
+    if (digest == NULL)
+        return DRBG_FAILURE;
+#endif
+
+#ifdef LITTLE_ENDIAN_ORDER
+    bits = ByteReverseWord32(bits);
+#endif
     len = (outSz / OUTPUT_BLOCK_LEN)
         + ((outSz % OUTPUT_BLOCK_LEN) ? 1 : 0);
 
-    for (i = 0, ctr = 1; i < len; i++, ctr++)
-    {
-        if (wc_InitSha256(&sha) != 0)
-            return DRBG_FAILURE;
-
-        if (wc_Sha256Update(&sha, &ctr, sizeof(ctr)) != 0)
-            return DRBG_FAILURE;
-
-        if (wc_Sha256Update(&sha, (byte*)&bits, sizeof(bits)) != 0)
-            return DRBG_FAILURE;
-
-        /* churning V is the only string that doesn't have the type added */
-        if (type != drbgInitV)
-            if (wc_Sha256Update(&sha, &type, sizeof(type)) != 0)
-                return DRBG_FAILURE;
-
-        if (wc_Sha256Update(&sha, inA, inASz) != 0)
-            return DRBG_FAILURE;
-
-        if (inB != NULL && inBSz > 0)
-            if (wc_Sha256Update(&sha, inB, inBSz) != 0)
-                return DRBG_FAILURE;
+    for (i = 0, ctr = 1; i < len; i++, ctr++) {
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+        ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
+    #else
+        ret = wc_InitSha256(sha);
+    #endif
+        if (ret != 0)
+            break;
 
-        if (wc_Sha256Final(&sha, digest) != 0)
-            return DRBG_FAILURE;
+        if (ret == 0)
+#endif
+            ret = wc_Sha256Update(sha, &ctr, sizeof(ctr));
+        if (ret == 0)
+            ret = wc_Sha256Update(sha, (byte*)&bits, sizeof(bits));
 
-        if (outSz > OUTPUT_BLOCK_LEN) {
-            XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
-            outSz -= OUTPUT_BLOCK_LEN;
-            out += OUTPUT_BLOCK_LEN;
+        if (ret == 0) {
+            /* churning V is the only string that doesn't have the type added */
+            if (type != drbgInitV)
+                ret = wc_Sha256Update(sha, &type, sizeof(type));
         }
-        else {
-            XMEMCPY(out, digest, outSz);
+        if (ret == 0)
+            ret = wc_Sha256Update(sha, inA, inASz);
+        if (ret == 0) {
+            if (inB != NULL && inBSz > 0)
+                ret = wc_Sha256Update(sha, inB, inBSz);
+        }
+        if (ret == 0)
+            ret = wc_Sha256Final(sha, digest);
+
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+        wc_Sha256Free(sha);
+#endif
+        if (ret == 0) {
+            if (outSz > OUTPUT_BLOCK_LEN) {
+                XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
+                outSz -= OUTPUT_BLOCK_LEN;
+                out += OUTPUT_BLOCK_LEN;
+            }
+            else {
+                XMEMCPY(out, digest, outSz);
+            }
         }
     }
-    ForceZero(digest, sizeof(digest));
 
-    return DRBG_SUCCESS;
-}
+    ForceZero(digest, WC_SHA256_DIGEST_SIZE);
 
+#ifdef WC_ASYNC_ENABLE_SHA256
+    FREE_VAR(digest, drbg->heap);
+#endif
+
+    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
+}
 
 /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
-static int Hash_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz)
+static int Hash_DRBG_Reseed(DRBG* drbg, const byte* seed, word32 seedSz)
 {
-    byte seed[DRBG_SEED_LEN];
+    byte newV[DRBG_SEED_LEN];
 
-    if (Hash_df(drbg, seed, sizeof(seed), drbgReseed, drbg->V, sizeof(drbg->V),
-                                          entropy, entropySz) != DRBG_SUCCESS) {
+    XMEMSET(newV, 0, DRBG_SEED_LEN);
+
+    if (Hash_df(drbg, newV, sizeof(newV), drbgReseed,
+                drbg->V, sizeof(drbg->V), seed, seedSz) != DRBG_SUCCESS) {
         return DRBG_FAILURE;
     }
 
-    XMEMCPY(drbg->V, seed, sizeof(drbg->V));
-    ForceZero(seed, sizeof(seed));
+    XMEMCPY(drbg->V, newV, sizeof(drbg->V));
+    ForceZero(newV, sizeof(newV));
 
     if (Hash_df(drbg, drbg->C, sizeof(drbg->C), drbgInitC, drbg->V,
                                     sizeof(drbg->V), NULL, 0) != DRBG_SUCCESS) {
@@ -258,7 +414,17 @@ static int Hash_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz)
     return DRBG_SUCCESS;
 }
 
-static INLINE void array_add_one(byte* data, word32 dataSz)
+/* Returns: DRBG_SUCCESS and DRBG_FAILURE or BAD_FUNC_ARG on fail */
+int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* seed, word32 seedSz)
+{
+    if (rng == NULL || seed == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    return Hash_DRBG_Reseed(rng->drbg, seed, seedSz);
+}
+
+static WC_INLINE void array_add_one(byte* data, word32 dataSz)
 {
     int i;
 
@@ -269,16 +435,26 @@ static INLINE void array_add_one(byte* data, word32 dataSz)
     }
 }
 
-
 /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 static int Hash_gen(DRBG* drbg, byte* out, word32 outSz, const byte* V)
 {
+    int ret = DRBG_FAILURE;
     byte data[DRBG_SEED_LEN];
     int i;
     int len;
     word32 checkBlock;
-    Sha256 sha;
-    byte digest[SHA256_DIGEST_SIZE];
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    wc_Sha256* sha = &drbg->sha256;
+#else
+    wc_Sha256 sha[1];
+#endif
+#ifdef WC_ASYNC_ENABLE_SHA256
+    DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
+    if (digest == NULL)
+        return MEMORY_E;
+#else
+    byte digest[WC_SHA256_DIGEST_SIZE];
+#endif
 
     /* Special case: outSz is 0 and out is NULL. wc_Generate a block to save for
      * the continuous test. */
@@ -289,48 +465,63 @@ static int Hash_gen(DRBG* drbg, byte* out, word32 outSz, const byte* V)
 
     XMEMCPY(data, V, sizeof(data));
     for (i = 0; i < len; i++) {
-        if (wc_InitSha256(&sha) != 0 ||
-            wc_Sha256Update(&sha, data, sizeof(data)) != 0 ||
-            wc_Sha256Final(&sha, digest) != 0) {
-
-            return DRBG_FAILURE;
-        }
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+        ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
+    #else
+        ret = wc_InitSha256(sha);
+    #endif
+        if (ret == 0)
+#endif
+            ret = wc_Sha256Update(sha, data, sizeof(data));
+        if (ret == 0)
+            ret = wc_Sha256Final(sha, digest);
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+        wc_Sha256Free(sha);
+#endif
 
-        XMEMCPY(&checkBlock, digest, sizeof(word32));
-        if (drbg->reseedCtr > 1 && checkBlock == drbg->lastBlock) {
-            if (drbg->matchCount == 1) {
-                return DRBG_CONT_FAILURE;
+        if (ret == 0) {
+            XMEMCPY(&checkBlock, digest, sizeof(word32));
+            if (drbg->reseedCtr > 1 && checkBlock == drbg->lastBlock) {
+                if (drbg->matchCount == 1) {
+                    return DRBG_CONT_FAILURE;
+                }
+                else {
+                    if (i == len) {
+                        len++;
+                    }
+                    drbg->matchCount = 1;
+                }
             }
             else {
-                if (i == len) {
-                    len++;
-                }
-                drbg->matchCount = 1;
+                drbg->matchCount = 0;
+                drbg->lastBlock = checkBlock;
             }
-        }
-        else {
-            drbg->matchCount = 0;
-            drbg->lastBlock = checkBlock;
-        }
 
-        if (outSz >= OUTPUT_BLOCK_LEN) {
-            XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
-            outSz -= OUTPUT_BLOCK_LEN;
-            out += OUTPUT_BLOCK_LEN;
-            array_add_one(data, DRBG_SEED_LEN);
-        }
-        else if (out != NULL && outSz != 0) {
-            XMEMCPY(out, digest, outSz);
-            outSz = 0;
+            if (out != NULL && outSz != 0) {
+                if (outSz >= OUTPUT_BLOCK_LEN) {
+                    XMEMCPY(out, digest, OUTPUT_BLOCK_LEN);
+                    outSz -= OUTPUT_BLOCK_LEN;
+                    out += OUTPUT_BLOCK_LEN;
+                    array_add_one(data, DRBG_SEED_LEN);
+                }
+                else {
+                    XMEMCPY(out, digest, outSz);
+                    outSz = 0;
+                }
+            }
         }
     }
     ForceZero(data, sizeof(data));
 
-    return DRBG_SUCCESS;
-}
+#ifdef WC_ASYNC_ENABLE_SHA256
+    FREE_VAR(digest, drbg->heap);
+#endif
 
+    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
+}
 
-static INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
+static WC_INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
 {
     word16 carry = 0;
 
@@ -352,53 +543,97 @@ static INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
     }
 }
 
-
 /* Returns: DRBG_SUCCESS, DRBG_NEED_RESEED, or DRBG_FAILURE */
 static int Hash_DRBG_Generate(DRBG* drbg, byte* out, word32 outSz)
 {
-    int ret = DRBG_NEED_RESEED;
-    Sha256 sha;
-    byte digest[SHA256_DIGEST_SIZE];
+    int ret;
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    wc_Sha256* sha = &drbg->sha256;
+#else
+    wc_Sha256 sha[1];
+#endif
+    byte type;
+    word32 reseedCtr;
 
-    if (drbg->reseedCtr != RESEED_INTERVAL) {
-        byte type = drbgGenerateH;
-        word32 reseedCtr = drbg->reseedCtr;
+    if (drbg->reseedCtr == RESEED_INTERVAL) {
+        return DRBG_NEED_RESEED;
+    } else {
+    #ifdef WC_ASYNC_ENABLE_SHA256
+        DECLARE_VAR(digest, byte, WC_SHA256_DIGEST_SIZE, drbg->heap);
+        if (digest == NULL)
+            return MEMORY_E;
+    #else
+        byte digest[WC_SHA256_DIGEST_SIZE];
+    #endif
+        type = drbgGenerateH;
+        reseedCtr = drbg->reseedCtr;
 
         ret = Hash_gen(drbg, out, outSz, drbg->V);
         if (ret == DRBG_SUCCESS) {
-            if (wc_InitSha256(&sha) != 0 ||
-                wc_Sha256Update(&sha, &type, sizeof(type)) != 0 ||
-                wc_Sha256Update(&sha, drbg->V, sizeof(drbg->V)) != 0 ||
-                wc_Sha256Final(&sha, digest) != 0) {
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+            ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
+        #else
+            ret = wc_InitSha256(sha);
+        #endif
+            if (ret == 0)
+#endif
+                ret = wc_Sha256Update(sha, &type, sizeof(type));
+            if (ret == 0)
+                ret = wc_Sha256Update(sha, drbg->V, sizeof(drbg->V));
+            if (ret == 0)
+                ret = wc_Sha256Final(sha, digest);
+
+#ifndef WOLFSSL_SMALL_STACK_CACHE
+            wc_Sha256Free(sha);
+#endif
 
-                ret = DRBG_FAILURE;
-            }
-            else {
-                array_add(drbg->V, sizeof(drbg->V), digest, sizeof(digest));
+            if (ret == 0) {
+                array_add(drbg->V, sizeof(drbg->V), digest, WC_SHA256_DIGEST_SIZE);
                 array_add(drbg->V, sizeof(drbg->V), drbg->C, sizeof(drbg->C));
-                #ifdef LITTLE_ENDIAN_ORDER
-                    reseedCtr = ByteReverseWord32(reseedCtr);
-                #endif
+            #ifdef LITTLE_ENDIAN_ORDER
+                reseedCtr = ByteReverseWord32(reseedCtr);
+            #endif
                 array_add(drbg->V, sizeof(drbg->V),
                                           (byte*)&reseedCtr, sizeof(reseedCtr));
                 ret = DRBG_SUCCESS;
             }
             drbg->reseedCtr++;
         }
+        ForceZero(digest, WC_SHA256_DIGEST_SIZE);
+    #ifdef WC_ASYNC_ENABLE_SHA256
+        FREE_VAR(digest, drbg->heap);
+    #endif
     }
-    ForceZero(digest, sizeof(digest));
 
-    return ret;
+    return (ret == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
 }
 
-
 /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 static int Hash_DRBG_Instantiate(DRBG* drbg, const byte* seed, word32 seedSz,
-                                             const byte* nonce, word32 nonceSz)
+                                             const byte* nonce, word32 nonceSz,
+                                             void* heap, int devId)
 {
-    int ret = DRBG_FAILURE;
+    int ret;
 
     XMEMSET(drbg, 0, sizeof(DRBG));
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+    drbg->heap = heap;
+    drbg->devId = devId;
+#else
+    (void)heap;
+    (void)devId;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+        ret = wc_InitSha256_ex(&drbg->sha256, drbg->heap, drbg->devId);
+    #else
+        ret = wc_InitSha256(&drbg->sha256);
+    #endif
+    if (ret != 0)
+        return ret;
+#endif
 
     if (Hash_df(drbg, drbg->V, sizeof(drbg->V), drbgInitV, seed, seedSz,
                                               nonce, nonceSz) == DRBG_SUCCESS &&
@@ -410,11 +645,13 @@ static int Hash_DRBG_Instantiate(DRBG* drbg, const byte* seed, word32 seedSz,
         drbg->matchCount = 0;
         ret = DRBG_SUCCESS;
     }
+    else {
+        ret = DRBG_FAILURE;
+    }
 
     return ret;
 }
 
-
 /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
 static int Hash_DRBG_Uninstantiate(DRBG* drbg)
 {
@@ -422,6 +659,10 @@ static int Hash_DRBG_Uninstantiate(DRBG* drbg)
     int    compareSum = 0;
     byte*  compareDrbg = (byte*)drbg;
 
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    wc_Sha256Free(&drbg->sha256);
+#endif
+
     ForceZero(drbg, sizeof(DRBG));
 
     for (i = 0; i < sizeof(DRBG); i++)
@@ -430,91 +671,293 @@ static int Hash_DRBG_Uninstantiate(DRBG* drbg)
     return (compareSum == 0) ? DRBG_SUCCESS : DRBG_FAILURE;
 }
 
+
+int wc_RNG_TestSeed(const byte* seed, word32 seedSz)
+{
+    int ret = DRBG_SUCCESS;
+
+    /* Check the seed for duplicate words. */
+    word32 seedIdx = 0;
+    word32 scratchSz = min(SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ);
+
+    while (seedIdx < seedSz - SEED_BLOCK_SZ) {
+        if (ConstantCompare(seed + seedIdx,
+                            seed + seedIdx + scratchSz,
+                            scratchSz) == 0) {
+
+            ret = DRBG_CONT_FAILURE;
+        }
+        seedIdx += SEED_BLOCK_SZ;
+        scratchSz = min(SEED_BLOCK_SZ, (seedSz - seedIdx));
+    }
+
+    return ret;
+}
+#endif /* HAVE_HASHDRBG */
 /* End NIST DRBG Code */
 
 
-/* Get seed and key cipher */
-int wc_InitRng(RNG* rng)
+static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
+                    void* heap, int devId)
 {
-    int ret = BAD_FUNC_ARG;
+    int ret = RNG_FAILURE_E;
+#ifdef HAVE_HASHDRBG
+    word32 seedSz = SEED_SZ + SEED_BLOCK_SZ;
+#endif
 
-    if (rng != NULL) {
-        if (wc_RNG_HealthTestLocal(0) == 0) {
-            byte entropy[ENTROPY_NONCE_SZ];
+    (void)nonce;
+    (void)nonceSz;
 
-            rng->drbg =
-                    (struct DRBG*)XMALLOC(sizeof(DRBG), NULL, DYNAMIC_TYPE_RNG);
-            if (rng->drbg == NULL) {
-                ret = MEMORY_E;
-            }
-            /* This doesn't use a separate nonce. The entropy input will be
-             * the default size plus the size of the nonce making the seed
-             * size. */
-            else if (wc_GenerateSeed(&rng->seed,
-                                              entropy, ENTROPY_NONCE_SZ) == 0 &&
-                     Hash_DRBG_Instantiate(rng->drbg,
-                          entropy, ENTROPY_NONCE_SZ, NULL, 0) == DRBG_SUCCESS) {
-
-                ret = Hash_DRBG_Generate(rng->drbg, NULL, 0);
-            }
-            else
-                ret = DRBG_FAILURE;
+    if (rng == NULL)
+        return BAD_FUNC_ARG;
+    if (nonce == NULL && nonceSz != 0)
+        return BAD_FUNC_ARG;
 
-            ForceZero(entropy, ENTROPY_NONCE_SZ);
-        }
-        else
-            ret = DRBG_CONT_FAILURE;
+#ifdef WOLFSSL_HEAP_TEST
+    rng->heap = (void*)WOLFSSL_HEAP_TEST;
+    (void)heap;
+#else
+    rng->heap = heap;
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+    rng->devId = devId;
+    #if defined(WOLF_CRYPTO_CB)
+        rng->seed.devId = devId;
+    #endif
+#else
+    (void)devId;
+#endif
 
-        if (ret == DRBG_SUCCESS) {
-            rng->status = DRBG_OK;
-            ret = 0;
-        }
-        else if (ret == DRBG_CONT_FAILURE) {
-            rng->status = DRBG_CONT_FAILED;
-            ret = DRBG_CONT_FIPS_E;
-        }
-        else if (ret == DRBG_FAILURE) {
-            rng->status = DRBG_FAILED;
-            ret = RNG_FAILURE_E;
+#ifdef HAVE_HASHDRBG
+    /* init the DBRG to known values */
+    rng->drbg = NULL;
+    rng->status = DRBG_NOT_INIT;
+#endif
+
+#if defined(HAVE_INTEL_RDSEED) || defined(HAVE_INTEL_RDRAND)
+    /* init the intel RD seed and/or rand */
+    wc_InitRng_IntelRD();
+#endif
+
+    /* configure async RNG source if available */
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCtxInit(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG,
+                                                        rng->heap, rng->devId);
+    if (ret != 0)
+        return ret;
+#endif
+
+#ifdef HAVE_INTEL_RDRAND
+    /* if CPU supports RDRAND, use it directly and by-pass DRBG init */
+    if (IS_INTEL_RDRAND(intel_flags))
+        return 0;
+#endif
+
+#ifdef CUSTOM_RAND_GENERATE_BLOCK
+    ret = 0; /* success */
+#else
+#ifdef HAVE_HASHDRBG
+    if (nonceSz == 0)
+        seedSz = MAX_SEED_SZ;
+
+    if (wc_RNG_HealthTestLocal(0) == 0) {
+    #ifdef WC_ASYNC_ENABLE_SHA256
+        DECLARE_VAR(seed, byte, MAX_SEED_SZ, rng->heap);
+        if (seed == NULL)
+            return MEMORY_E;
+    #else
+        byte seed[MAX_SEED_SZ];
+    #endif
+
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+        rng->drbg =
+                (struct DRBG*)XMALLOC(sizeof(DRBG), rng->heap,
+                                                          DYNAMIC_TYPE_RNG);
+#else
+        /* compile-time validation of drbg_data size */
+        typedef char drbg_data_test[sizeof(rng->drbg_data) >=
+                sizeof(struct DRBG) ? 1 : -1];
+        (void)sizeof(drbg_data_test);
+        rng->drbg = (struct DRBG*)rng->drbg_data;
+#endif
+
+        if (rng->drbg == NULL) {
+            ret = MEMORY_E;
         }
         else {
-            rng->status = DRBG_FAILED;
+            ret = wc_GenerateSeed(&rng->seed, seed, seedSz);
+            if (ret != 0)
+                ret = DRBG_FAILURE;
+            else
+                ret = wc_RNG_TestSeed(seed, seedSz);
+
+            if (ret == DRBG_SUCCESS)
+                 ret = Hash_DRBG_Instantiate(rng->drbg,
+                            seed + SEED_BLOCK_SZ, seedSz - SEED_BLOCK_SZ,
+                            nonce, nonceSz, rng->heap, devId);
+
+            if (ret != DRBG_SUCCESS) {
+            #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+                XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
+            #endif
+                rng->drbg = NULL;
+            }
         }
+
+        ForceZero(seed, seedSz);
+    #ifdef WC_ASYNC_ENABLE_SHA256
+        FREE_VAR(seed, rng->heap);
+    #endif
+    }
+    else
+        ret = DRBG_CONT_FAILURE;
+
+    if (ret == DRBG_SUCCESS) {
+        rng->status = DRBG_OK;
+        ret = 0;
+    }
+    else if (ret == DRBG_CONT_FAILURE) {
+        rng->status = DRBG_CONT_FAILED;
+        ret = DRBG_CONT_FIPS_E;
+    }
+    else if (ret == DRBG_FAILURE) {
+        rng->status = DRBG_FAILED;
+        ret = RNG_FAILURE_E;
+    }
+    else {
+        rng->status = DRBG_FAILED;
     }
+#endif /* HAVE_HASHDRBG */
+#endif /* CUSTOM_RAND_GENERATE_BLOCK */
 
     return ret;
 }
 
 
+WOLFSSL_ABI
+WC_RNG* wc_rng_new(byte* nonce, word32 nonceSz, void* heap)
+{
+    WC_RNG* rng;
+
+    rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), heap, DYNAMIC_TYPE_RNG);
+    if (rng) {
+        int error = _InitRng(rng, nonce, nonceSz, heap, INVALID_DEVID) != 0;
+        if (error) {
+            XFREE(rng, heap, DYNAMIC_TYPE_RNG);
+            rng = NULL;
+        }
+    }
+
+    return rng;
+}
+
+
+WOLFSSL_ABI
+void wc_rng_free(WC_RNG* rng)
+{
+    if (rng) {
+        void* heap = rng->heap;
+
+        wc_FreeRng(rng);
+        ForceZero(rng, sizeof(WC_RNG));
+        XFREE(rng, heap, DYNAMIC_TYPE_RNG);
+        (void)heap;
+    }
+}
+
+
+int wc_InitRng(WC_RNG* rng)
+{
+    return _InitRng(rng, NULL, 0, NULL, INVALID_DEVID);
+}
+
+
+int wc_InitRng_ex(WC_RNG* rng, void* heap, int devId)
+{
+    return _InitRng(rng, NULL, 0, heap, devId);
+}
+
+
+int wc_InitRngNonce(WC_RNG* rng, byte* nonce, word32 nonceSz)
+{
+    return _InitRng(rng, nonce, nonceSz, NULL, INVALID_DEVID);
+}
+
+
+int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
+                       void* heap, int devId)
+{
+    return _InitRng(rng, nonce, nonceSz, heap, devId);
+}
+
+
 /* place a generated block in output */
-int wc_RNG_GenerateBlock(RNG* rng, byte* output, word32 sz)
+WOLFSSL_ABI
+int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
 {
     int ret;
 
-    if (rng == NULL || output == NULL || sz > MAX_REQUEST_LEN)
+    if (rng == NULL || output == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef WOLF_CRYPTO_CB
+    if (rng->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_RandomBlock(rng, output, sz);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#ifdef HAVE_INTEL_RDRAND
+    if (IS_INTEL_RDRAND(intel_flags))
+        return wc_GenerateRand_IntelRD(NULL, output, sz);
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    if (rng->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RNG) {
+        /* these are blocking */
+    #ifdef HAVE_CAVIUM
+        return NitroxRngGenerateBlock(rng, output, sz);
+    #elif defined(HAVE_INTEL_QA) && defined(QAT_ENABLE_RNG)
+        return IntelQaDrbg(&rng->asyncDev, output, sz);
+    #else
+        /* simulator not supported */
+    #endif
+    }
+#endif
+
+#ifdef CUSTOM_RAND_GENERATE_BLOCK
+    XMEMSET(output, 0, sz);
+    ret = CUSTOM_RAND_GENERATE_BLOCK(output, sz);
+#else
+
+#ifdef HAVE_HASHDRBG
+    if (sz > RNG_MAX_BLOCK_LEN)
         return BAD_FUNC_ARG;
 
     if (rng->status != DRBG_OK)
         return RNG_FAILURE_E;
 
     ret = Hash_DRBG_Generate(rng->drbg, output, sz);
-
     if (ret == DRBG_NEED_RESEED) {
         if (wc_RNG_HealthTestLocal(1) == 0) {
-            byte entropy[ENTROPY_SZ];
+            byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
 
-            if (wc_GenerateSeed(&rng->seed, entropy, ENTROPY_SZ) == 0 &&
-                Hash_DRBG_Reseed(rng->drbg, entropy, ENTROPY_SZ)
-                                                              == DRBG_SUCCESS) {
-
-                ret = Hash_DRBG_Generate(rng->drbg, NULL, 0);
-                if (ret == DRBG_SUCCESS)
-                    ret = Hash_DRBG_Generate(rng->drbg, output, sz);
-            }
-            else
+            ret = wc_GenerateSeed(&rng->seed, newSeed,
+                                  SEED_SZ + SEED_BLOCK_SZ);
+            if (ret != 0)
                 ret = DRBG_FAILURE;
+            else
+                ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
+
+            if (ret == DRBG_SUCCESS)
+                ret = Hash_DRBG_Reseed(rng->drbg, newSeed + SEED_BLOCK_SZ,
+                                       SEED_SZ);
+            if (ret == DRBG_SUCCESS)
+                ret = Hash_DRBG_Generate(rng->drbg, output, sz);
 
-            ForceZero(entropy, ENTROPY_SZ);
+            ForceZero(newSeed, sizeof(newSeed));
         }
         else
             ret = DRBG_CONT_FAILURE;
@@ -531,90 +974,147 @@ int wc_RNG_GenerateBlock(RNG* rng, byte* output, word32 sz)
         ret = RNG_FAILURE_E;
         rng->status = DRBG_FAILED;
     }
+#else
+
+    /* if we get here then there is an RNG configuration error */
+    ret = RNG_FAILURE_E;
+
+#endif /* HAVE_HASHDRBG */
+#endif /* CUSTOM_RAND_GENERATE_BLOCK */
 
     return ret;
 }
 
 
-int wc_RNG_GenerateByte(RNG* rng, byte* b)
+int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
 {
     return wc_RNG_GenerateBlock(rng, b, 1);
 }
 
 
-int wc_FreeRng(RNG* rng)
+int wc_FreeRng(WC_RNG* rng)
 {
-    int ret = BAD_FUNC_ARG;
+    int ret = 0;
 
-    if (rng != NULL) {
-        if (rng->drbg != NULL) {
-            if (Hash_DRBG_Uninstantiate(rng->drbg) == DRBG_SUCCESS)
-                ret = 0;
-            else
-                ret = RNG_FAILURE_E;
+    if (rng == NULL)
+        return BAD_FUNC_ARG;
 
-            XFREE(rng->drbg, NULL, DYNAMIC_TYPE_RNG);
-            rng->drbg = NULL;
-        }
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    wolfAsync_DevCtxFree(&rng->asyncDev, WOLFSSL_ASYNC_MARKER_RNG);
+#endif
 
-        rng->status = DRBG_NOT_INIT;
+#ifdef HAVE_HASHDRBG
+    if (rng->drbg != NULL) {
+        if (Hash_DRBG_Uninstantiate(rng->drbg) != DRBG_SUCCESS)
+            ret = RNG_FAILURE_E;
+
+    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+        XFREE(rng->drbg, rng->heap, DYNAMIC_TYPE_RNG);
+    #endif
+        rng->drbg = NULL;
     }
 
+    rng->status = DRBG_NOT_INIT;
+#endif /* HAVE_HASHDRBG */
+
     return ret;
 }
 
-
-int wc_RNG_HealthTest(int reseed, const byte* entropyA, word32 entropyASz,
-                                  const byte* entropyB, word32 entropyBSz,
+#ifdef HAVE_HASHDRBG
+int wc_RNG_HealthTest(int reseed, const byte* seedA, word32 seedASz,
+                                  const byte* seedB, word32 seedBSz,
                                   byte* output, word32 outputSz)
 {
-    DRBG drbg;
+    return wc_RNG_HealthTest_ex(reseed, NULL, 0,
+                                seedA, seedASz, seedB, seedBSz,
+                                output, outputSz,
+                                NULL, INVALID_DEVID);
+}
+
+
+int wc_RNG_HealthTest_ex(int reseed, const byte* nonce, word32 nonceSz,
+                                  const byte* seedA, word32 seedASz,
+                                  const byte* seedB, word32 seedBSz,
+                                  byte* output, word32 outputSz,
+                                  void* heap, int devId)
+{
+    int ret = -1;
+    DRBG* drbg;
+#ifndef WOLFSSL_SMALL_STACK
+    DRBG  drbg_var;
+#endif
 
-    if (entropyA == NULL || output == NULL)
+    if (seedA == NULL || output == NULL) {
         return BAD_FUNC_ARG;
+    }
 
-    if (reseed != 0 && entropyB == NULL)
+    if (reseed != 0 && seedB == NULL) {
         return BAD_FUNC_ARG;
+    }
 
-    if (outputSz != (SHA256_DIGEST_SIZE * 4))
-        return -1;
+    if (outputSz != RNG_HEALTH_TEST_CHECK_SIZE) {
+        return ret;
+    }
 
-    if (Hash_DRBG_Instantiate(&drbg, entropyA, entropyASz, NULL, 0) != 0)
-        return -1;
+#ifdef WOLFSSL_SMALL_STACK
+    drbg = (DRBG*)XMALLOC(sizeof(DRBG), NULL, DYNAMIC_TYPE_RNG);
+    if (drbg == NULL) {
+        return MEMORY_E;
+    }
+#else
+    drbg = &drbg_var;
+#endif
+
+    if (Hash_DRBG_Instantiate(drbg, seedA, seedASz, nonce, nonceSz,
+                              heap, devId) != 0) {
+        goto exit_rng_ht;
+    }
 
     if (reseed) {
-        if (Hash_DRBG_Reseed(&drbg, entropyB, entropyBSz) != 0) {
-            Hash_DRBG_Uninstantiate(&drbg);
-            return -1;
+        if (Hash_DRBG_Reseed(drbg, seedB, seedBSz) != 0) {
+            goto exit_rng_ht;
         }
     }
 
-    if (Hash_DRBG_Generate(&drbg, output, outputSz) != 0) {
-        Hash_DRBG_Uninstantiate(&drbg);
-        return -1;
+    /* This call to generate is prescribed by the NIST DRBGVS
+     * procedure. The results are thrown away. The known
+     * answer test checks the second block of DRBG out of
+     * the generator to ensure the internal state is updated
+     * as expected. */
+    if (Hash_DRBG_Generate(drbg, output, outputSz) != 0) {
+        goto exit_rng_ht;
     }
 
-    if (Hash_DRBG_Generate(&drbg, output, outputSz) != 0) {
-        Hash_DRBG_Uninstantiate(&drbg);
-        return -1;
+    if (Hash_DRBG_Generate(drbg, output, outputSz) != 0) {
+        goto exit_rng_ht;
     }
 
-    if (Hash_DRBG_Uninstantiate(&drbg) != 0) {
-        return -1;
+    /* Mark success */
+    ret = 0;
+
+exit_rng_ht:
+
+    /* This is safe to call even if Hash_DRBG_Instantiate fails */
+    if (Hash_DRBG_Uninstantiate(drbg) != 0) {
+        ret = -1;
     }
 
-    return 0;
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(drbg, NULL, DYNAMIC_TYPE_RNG);
+#endif
+
+    return ret;
 }
 
 
-const byte entropyA[] = {
+const byte seedA[] = {
     0x63, 0x36, 0x33, 0x77, 0xe4, 0x1e, 0x86, 0x46, 0x8d, 0xeb, 0x0a, 0xb4,
     0xa8, 0xed, 0x68, 0x3f, 0x6a, 0x13, 0x4e, 0x47, 0xe0, 0x14, 0xc7, 0x00,
     0x45, 0x4e, 0x81, 0xe9, 0x53, 0x58, 0xa5, 0x69, 0x80, 0x8a, 0xa3, 0x8f,
     0x2a, 0x72, 0xa6, 0x23, 0x59, 0x91, 0x5a, 0x9f, 0x8a, 0x04, 0xca, 0x68
 };
 
-const byte reseedEntropyA[] = {
+const byte reseedSeedA[] = {
     0xe6, 0x2b, 0x8a, 0x8e, 0xe8, 0xf1, 0x41, 0xb6, 0x98, 0x05, 0x66, 0xe3,
     0xbf, 0xe3, 0xc0, 0x49, 0x03, 0xda, 0xd4, 0xac, 0x2c, 0xdf, 0x9f, 0x22,
     0x80, 0x01, 0x0a, 0x67, 0x39, 0xbc, 0x83, 0xd3
@@ -634,11 +1134,12 @@ const byte outputA[] = {
     0xa1, 0x80, 0x18, 0x3a, 0x07, 0xdf, 0xae, 0x17
 };
 
-const byte entropyB[] = {
+const byte seedB[] = {
     0xa6, 0x5a, 0xd0, 0xf3, 0x45, 0xdb, 0x4e, 0x0e, 0xff, 0xe8, 0x75, 0xc3,
     0xa2, 0xe7, 0x1f, 0x42, 0xc7, 0x12, 0x9d, 0x62, 0x0f, 0xf5, 0xc1, 0x19,
-    0xa9, 0xef, 0x55, 0xf0, 0x51, 0x85, 0xe0, 0xfb, 0x85, 0x81, 0xf9, 0x31,
-    0x75, 0x17, 0x27, 0x6e, 0x06, 0xe9, 0x60, 0x7d, 0xdb, 0xcb, 0xcc, 0x2e
+    0xa9, 0xef, 0x55, 0xf0, 0x51, 0x85, 0xe0, 0xfb, /* nonce next */
+    0x85, 0x81, 0xf9, 0x31, 0x75, 0x17, 0x27, 0x6e, 0x06, 0xe9, 0x60, 0x7d,
+    0xdb, 0xcb, 0xcc, 0x2e
 };
 
 const byte outputB[] = {
@@ -659,320 +1160,423 @@ const byte outputB[] = {
 static int wc_RNG_HealthTestLocal(int reseed)
 {
     int ret = 0;
-    byte check[SHA256_DIGEST_SIZE * 4];
+#ifdef WOLFSSL_SMALL_STACK
+    byte* check;
+#else
+    byte  check[RNG_HEALTH_TEST_CHECK_SIZE];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    check = (byte*)XMALLOC(RNG_HEALTH_TEST_CHECK_SIZE, NULL,
+                           DYNAMIC_TYPE_TMP_BUFFER);
+    if (check == NULL) {
+        return MEMORY_E;
+    }
+#endif
 
     if (reseed) {
-        ret = wc_RNG_HealthTest(1, entropyA, sizeof(entropyA),
-                                reseedEntropyA, sizeof(reseedEntropyA),
-                                check, sizeof(check));
+        ret = wc_RNG_HealthTest(1, seedA, sizeof(seedA),
+                                reseedSeedA, sizeof(reseedSeedA),
+                                check, RNG_HEALTH_TEST_CHECK_SIZE);
         if (ret == 0) {
-            if (ConstantCompare(check, outputA, sizeof(check)) != 0)
+            if (ConstantCompare(check, outputA,
+                                RNG_HEALTH_TEST_CHECK_SIZE) != 0)
                 ret = -1;
         }
     }
     else {
-        ret = wc_RNG_HealthTest(0, entropyB, sizeof(entropyB),
+        ret = wc_RNG_HealthTest(0, seedB, sizeof(seedB),
                                 NULL, 0,
-                                check, sizeof(check));
+                                check, RNG_HEALTH_TEST_CHECK_SIZE);
         if (ret == 0) {
-            if (ConstantCompare(check, outputB, sizeof(check)) != 0)
+            if (ConstantCompare(check, outputB,
+                                RNG_HEALTH_TEST_CHECK_SIZE) != 0)
                 ret = -1;
         }
+
+        /* The previous test cases use a large seed instead of a seed and nonce.
+         * seedB is actually from a test case with a seed and nonce, and
+         * just concatenates them. The pivot point between seed and nonce is
+         * byte 32, feed them into the health test separately. */
+        if (ret == 0) {
+            ret = wc_RNG_HealthTest_ex(0,
+                                    seedB + 32, sizeof(seedB) - 32,
+                                    seedB, 32,
+                                    NULL, 0,
+                                    check, RNG_HEALTH_TEST_CHECK_SIZE,
+                                    NULL, INVALID_DEVID);
+            if (ret == 0) {
+                if (ConstantCompare(check, outputB, sizeof(outputB)) != 0)
+                    ret = -1;
+            }
+        }
     }
 
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(check, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
     return ret;
 }
 
+#endif /* HAVE_HASHDRBG */
 
-#else /* HAVE_HASHDRBG || NO_RC4 */
 
-/* Get seed and key cipher */
-int wc_InitRng(RNG* rng)
+#ifdef HAVE_WNR
+
+/*
+ * Init global Whitewood netRandom context
+ * Returns 0 on success, negative on error
+ */
+int wc_InitNetRandom(const char* configFile, wnr_hmac_key hmac_cb, int timeout)
 {
-    int  ret;
-#ifdef WOLFSSL_SMALL_STACK
-    byte* key;
-    byte* junk;
-#else
-    byte key[32];
-    byte junk[256];
-#endif
+    if (configFile == NULL || timeout < 0)
+        return BAD_FUNC_ARG;
 
-#ifdef HAVE_INTEL_RDGEN
-    wc_InitRng_IntelRD() ;
-    if(IS_INTEL_RDRAND)return 0 ;
-#endif
-#ifdef HAVE_CAVIUM
-    if (rng->magic == WOLFSSL_RNG_CAVIUM_MAGIC)
+    if (wnr_mutex_init > 0) {
+        WOLFSSL_MSG("netRandom context already created, skipping");
         return 0;
-#endif
-
-#ifdef WOLFSSL_SMALL_STACK
-    key = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (key == NULL)
-        return MEMORY_E;
+    }
 
-    junk = (byte*)XMALLOC(256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (junk == NULL) {
-        XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
+    if (wc_InitMutex(&wnr_mutex) != 0) {
+        WOLFSSL_MSG("Bad Init Mutex wnr_mutex");
+        return BAD_MUTEX_E;
     }
-#endif
+    wnr_mutex_init = 1;
 
-    ret = wc_GenerateSeed(&rng->seed, key, 32);
+    if (wc_LockMutex(&wnr_mutex) != 0) {
+        WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
+        return BAD_MUTEX_E;
+    }
 
-    if (ret == 0) {
-        wc_Arc4SetKey(&rng->cipher, key, sizeof(key));
+    /* store entropy timeout */
+    wnr_timeout = timeout;
 
-        ret = wc_RNG_GenerateBlock(rng, junk, 256); /*rid initial state*/
+    /* create global wnr_context struct */
+    if (wnr_create(&wnr_ctx) != WNR_ERROR_NONE) {
+        WOLFSSL_MSG("Error creating global netRandom context");
+        return RNG_FAILURE_E;
     }
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(junk, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    /* load config file */
+    if (wnr_config_loadf(wnr_ctx, (char*)configFile) != WNR_ERROR_NONE) {
+        WOLFSSL_MSG("Error loading config file into netRandom context");
+        wnr_destroy(wnr_ctx);
+        wnr_ctx = NULL;
+        return RNG_FAILURE_E;
+    }
 
-    return ret;
-}
+    /* create/init polling mechanism */
+    if (wnr_poll_create() != WNR_ERROR_NONE) {
+        printf("ERROR: wnr_poll_create() failed\n");
+        WOLFSSL_MSG("Error initializing netRandom polling mechanism");
+        wnr_destroy(wnr_ctx);
+        wnr_ctx = NULL;
+        return RNG_FAILURE_E;
+    }
 
-#ifdef HAVE_CAVIUM
-    static void CaviumRNG_GenerateBlock(RNG* rng, byte* output, word32 sz);
-#endif
+    /* validate config, set HMAC callback (optional) */
+    if (wnr_setup(wnr_ctx, hmac_cb) != WNR_ERROR_NONE) {
+        WOLFSSL_MSG("Error setting up netRandom context");
+        wnr_destroy(wnr_ctx);
+        wnr_ctx = NULL;
+        wnr_poll_destroy();
+        return RNG_FAILURE_E;
+    }
 
-/* place a generated block in output */
-int wc_RNG_GenerateBlock(RNG* rng, byte* output, word32 sz)
-{
-#ifdef HAVE_INTEL_RDGEN
-    if(IS_INTEL_RDRAND)
-        return wc_GenerateRand_IntelRD(NULL, output, sz) ;
-#endif
-#ifdef HAVE_CAVIUM
-    if (rng->magic == WOLFSSL_RNG_CAVIUM_MAGIC)
-        return CaviumRNG_GenerateBlock(rng, output, sz);
-#endif
-    XMEMSET(output, 0, sz);
-    wc_Arc4Process(&rng->cipher, output, output, sz);
+    wc_UnLockMutex(&wnr_mutex);
 
     return 0;
 }
 
-
-int wc_RNG_GenerateByte(RNG* rng, byte* b)
+/*
+ * Free global Whitewood netRandom context
+ * Returns 0 on success, negative on error
+ */
+int wc_FreeNetRandom(void)
 {
-    return wc_RNG_GenerateBlock(rng, b, 1);
-}
+    if (wnr_mutex_init > 0) {
 
+        if (wc_LockMutex(&wnr_mutex) != 0) {
+            WOLFSSL_MSG("Bad Lock Mutex wnr_mutex");
+            return BAD_MUTEX_E;
+        }
+
+        if (wnr_ctx != NULL) {
+            wnr_destroy(wnr_ctx);
+            wnr_ctx = NULL;
+        }
+        wnr_poll_destroy();
+
+        wc_UnLockMutex(&wnr_mutex);
+
+        wc_FreeMutex(&wnr_mutex);
+        wnr_mutex_init = 0;
+    }
 
-int wc_FreeRng(RNG* rng)
-{
-    (void)rng;
     return 0;
 }
 
+#endif /* HAVE_WNR */
 
-#ifdef HAVE_CAVIUM
 
-#include <wolfssl/ctaocrypt/logging.h>
-#include "cavium_common.h"
+#if defined(HAVE_INTEL_RDRAND) || defined(HAVE_INTEL_RDSEED)
 
-/* Initiliaze RNG for use with Nitrox device */
-int wc_InitRngCavium(RNG* rng, int devId)
-{
-    if (rng == NULL)
-        return -1;
-
-    rng->devId = devId;
-    rng->magic = WOLFSSL_RNG_CAVIUM_MAGIC;
+#ifdef WOLFSSL_ASYNC_CRYPT
+    /* need more retries if multiple cores */
+    #define INTELRD_RETRY (32 * 8)
+#else
+    #define INTELRD_RETRY 32
+#endif
 
-    return 0;
-}
+#ifdef HAVE_INTEL_RDSEED
 
+#ifndef USE_WINDOWS_API
 
-static void CaviumRNG_GenerateBlock(RNG* rng, byte* output, word32 sz)
-{
-    wolfssl_word offset = 0;
-    word32      requestId;
+    /* return 0 on success */
+    static WC_INLINE int IntelRDseed64(word64* seed)
+    {
+        unsigned char ok;
 
-    while (sz > WOLFSSL_MAX_16BIT) {
-        word16 slen = (word16)WOLFSSL_MAX_16BIT;
-        if (CspRandom(CAVIUM_BLOCKING, slen, output + offset, &requestId,
-                      rng->devId) != 0) {
-            WOLFSSL_MSG("Cavium RNG failed");
-        }
-        sz     -= WOLFSSL_MAX_16BIT;
-        offset += WOLFSSL_MAX_16BIT;
-    }
-    if (sz) {
-        word16 slen = (word16)sz;
-        if (CspRandom(CAVIUM_BLOCKING, slen, output + offset, &requestId,
-                      rng->devId) != 0) {
-            WOLFSSL_MSG("Cavium RNG failed");
-        }
+        __asm__ volatile("rdseed %0; setc %1":"=r"(*seed), "=qm"(ok));
+        return (ok) ? 0 : -1;
     }
-}
 
-#endif /* HAVE_CAVIUM */
+#else /* USE_WINDOWS_API */
+    /* The compiler Visual Studio uses does not allow inline assembly.
+     * It does allow for Intel intrinsic functions. */
 
-#endif /* HAVE_HASHDRBG || NO_RC4 */
+    /* return 0 on success */
+    static WC_INLINE int IntelRDseed64(word64* seed)
+    {
+        int ok;
 
+        ok = _rdseed64_step(seed);
+        return (ok) ? 0 : -1;
+    }
 
-#if defined(HAVE_INTEL_RDGEN)
+#endif /* USE_WINDOWS_API */
 
-#ifndef _MSC_VER
-    #define cpuid(reg, leaf, sub)\
-            __asm__ __volatile__ ("cpuid":\
-             "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
-             "a" (leaf), "c"(sub));
+/* return 0 on success */
+static WC_INLINE int IntelRDseed64_r(word64* rnd)
+{
+    int i;
+    for (i = 0; i < INTELRD_RETRY; i++) {
+        if (IntelRDseed64(rnd) == 0)
+            return 0;
+    }
+    return -1;
+}
 
-    #define XASM_LINK(f) asm(f)
-#else
+/* return 0 on success */
+static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
+{
+    int ret;
+    word64 rndTmp;
 
-    #include <intrin.h>
-    #define cpuid(a,b) __cpuid((int*)a,b)
+    (void)os;
 
-    #define XASM_LINK(f)
+    if (!IS_INTEL_RDSEED(intel_flags))
+        return -1;
 
-#endif /* _MSC_VER */
+    for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
+                                                    output += sizeof(word64)) {
+        ret = IntelRDseed64_r((word64*)output);
+        if (ret != 0)
+            return ret;
+    }
+    if (sz == 0)
+        return 0;
 
-#define EAX 0
-#define EBX 1
-#define ECX 2 
-#define EDX 3
+    /* handle unaligned remainder */
+    ret = IntelRDseed64_r(&rndTmp);
+    if (ret != 0)
+        return ret;
 
-static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) {
-    int got_intel_cpu=0;
-    unsigned int reg[5]; 
-    
-    reg[4] = '\0' ;
-    cpuid(reg, 0, 0);  
-    if(memcmp((char *)&(reg[EBX]), "Genu", 4) == 0 &&  
-                memcmp((char *)&(reg[EDX]), "ineI", 4) == 0 &&  
-                memcmp((char *)&(reg[ECX]), "ntel", 4) == 0) {  
-        got_intel_cpu = 1;  
-    }    
-    if (got_intel_cpu) {
-        cpuid(reg, leaf, sub);
-        return((reg[num]>>bit)&0x1) ;
-    }
-    return 0 ;
-}
+    XMEMCPY(output, &rndTmp, sz);
+    ForceZero(&rndTmp, sizeof(rndTmp));
 
-static int wc_InitRng_IntelRD()
-{
-    if(cpuid_check==0) {
-        if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ;} 
-        if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ;}
-        cpuid_check = 1 ;
-    }
-    return 1 ;
+    return 0;
 }
 
-#define INTELRD_RETRY 10
+#endif /* HAVE_INTEL_RDSEED */
 
-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+#ifdef HAVE_INTEL_RDRAND
 
-/* return 0 on success */
-static inline int IntelRDseed32(unsigned int *seed)  
-{  
-    int rdseed;  unsigned char ok ;
-
-    __asm__ volatile("rdseed %0; setc %1":"=r"(rdseed), "=qm"(ok));  
-    if(ok){
-        *seed = rdseed ;
-        return 0 ;
-    } else
-        return 1;
-}
+#ifndef USE_WINDOWS_API
 
 /* return 0 on success */
-static inline int IntelRDseed32_r(unsigned int *rnd)  
-{  
-    int i ;
-    for(i=0; i<INTELRD_RETRY;i++) {
-       if(IntelRDseed32(rnd) == 0) return 0 ;
-    }
-    return 1 ;
+static WC_INLINE int IntelRDrand64(word64 *rnd)
+{
+    unsigned char ok;
+
+    __asm__ volatile("rdrand %0; setc %1":"=r"(*rnd), "=qm"(ok));
+
+    return (ok) ? 0 : -1;
 }
 
+#else /* USE_WINDOWS_API */
+    /* The compiler Visual Studio uses does not allow inline assembly.
+     * It does allow for Intel intrinsic functions. */
+
 /* return 0 on success */
-static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
+static WC_INLINE int IntelRDrand64(word64 *rnd)
 {
-    (void) os ;
-    int ret ;
-    unsigned int rndTmp ;
-
-    for(  ; sz/4 > 0; sz-=4, output+=4) {
-        if(IS_INTEL_RDSEED)ret = IntelRDseed32_r((word32 *)output) ;
-        else return 1 ;
-        if(ret)
-             return 1 ;
-    }
-    if(sz == 0)return 0 ;
-
-    if(IS_INTEL_RDSEED)ret = IntelRDseed32_r(&rndTmp) ;
-    else return 1 ;
-    if(ret)
-         return 1 ;
-    XMEMCPY(output, &rndTmp, sz) ;
-    return 0;
-}
+    int ok;
 
-#else
+    ok = _rdrand64_step(rnd);
 
-/* return 0 on success */
-static inline int IntelRDrand32(unsigned int *rnd)  
-{  
-    int rdrand; unsigned char ok ;  
-    __asm__ volatile("rdrand %0; setc %1":"=r"(rdrand), "=qm"(ok));  
-    if(ok){
-        *rnd = rdrand;
-        return 0 ;
-    } else
-        return 1;
+    return (ok) ? 0 : -1;
 }
 
+#endif /* USE_WINDOWS_API */
+
 /* return 0 on success */
-static inline int IntelRDrand32_r(unsigned int *rnd)  
-{  
-    int i ;
-    for(i=0; i<INTELRD_RETRY;i++) {
-       if(IntelRDrand32(rnd) == 0) return 0 ;
+static WC_INLINE int IntelRDrand64_r(word64 *rnd)
+{
+    int i;
+    for (i = 0; i < INTELRD_RETRY; i++) {
+        if (IntelRDrand64(rnd) == 0)
+            return 0;
     }
-    return 1 ;
+    return -1;
 }
 
 /* return 0 on success */
 static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz)
 {
-    (void) os ;
-    int ret ;
-    unsigned int rndTmp;
-
-    for(  ; sz/4 > 0; sz-=4, output+=4) {
-        if(IS_INTEL_RDRAND)ret = IntelRDrand32_r((word32 *)output);
-        else return 1 ;
-        if(ret)
-             return 1 ;
-    }
-    if(sz == 0)return 0 ;
-
-    if(IS_INTEL_RDRAND)ret = IntelRDrand32_r(&rndTmp);
-    else return 1 ;
-    if(ret)
-         return 1 ;
-    XMEMCPY(output, &rndTmp, sz) ;
+    int ret;
+    word64 rndTmp;
+
+    (void)os;
+
+    if (!IS_INTEL_RDRAND(intel_flags))
+        return -1;
+
+    for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
+                                                    output += sizeof(word64)) {
+        ret = IntelRDrand64_r((word64 *)output);
+        if (ret != 0)
+            return ret;
+    }
+    if (sz == 0)
+        return 0;
+
+    /* handle unaligned remainder */
+    ret = IntelRDrand64_r(&rndTmp);
+    if (ret != 0)
+        return ret;
+
+    XMEMCPY(output, &rndTmp, sz);
+
     return 0;
 }
-#endif /* defined(HAVE_HASHDRBG) || defined(NO_RC4) */
 
-#endif /* HAVE_INTEL_RDGEN */
+#endif /* HAVE_INTEL_RDRAND */
+#endif /* HAVE_INTEL_RDRAND || HAVE_INTEL_RDSEED */
+
+
+/* Begin wc_GenerateSeed Implementations */
+#if defined(CUSTOM_RAND_GENERATE_SEED)
+
+    /* Implement your own random generation function
+     * Return 0 to indicate success
+     * int rand_gen_seed(byte* output, word32 sz);
+     * #define CUSTOM_RAND_GENERATE_SEED  rand_gen_seed */
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        (void)os; /* Suppress unused arg warning */
+        return CUSTOM_RAND_GENERATE_SEED(output, sz);
+    }
+
+#elif defined(CUSTOM_RAND_GENERATE_SEED_OS)
+
+    /* Implement your own random generation function,
+     *  which includes OS_Seed.
+     * Return 0 to indicate success
+     * int rand_gen_seed(OS_Seed* os, byte* output, word32 sz);
+     * #define CUSTOM_RAND_GENERATE_SEED_OS  rand_gen_seed */
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        return CUSTOM_RAND_GENERATE_SEED_OS(os, output, sz);
+    }
+
+#elif defined(CUSTOM_RAND_GENERATE)
+
+   /* Implement your own random generation function
+    * word32 rand_gen(void);
+    * #define CUSTOM_RAND_GENERATE  rand_gen  */
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        word32 i = 0;
+
+        (void)os;
+
+        while (i < sz)
+        {
+            /* If not aligned or there is odd/remainder */
+            if( (i + sizeof(CUSTOM_RAND_TYPE)) > sz ||
+                ((wolfssl_word)&output[i] % sizeof(CUSTOM_RAND_TYPE)) != 0
+            ) {
+                /* Single byte at a time */
+                output[i++] = (byte)CUSTOM_RAND_GENERATE();
+            }
+            else {
+                /* Use native 8, 16, 32 or 64 copy instruction */
+                *((CUSTOM_RAND_TYPE*)&output[i]) = CUSTOM_RAND_GENERATE();
+                i += sizeof(CUSTOM_RAND_TYPE);
+            }
+        }
 
+        return 0;
+    }
+
+#elif defined(WOLFSSL_SGX)
+
+int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+{
+    int ret = !SGX_SUCCESS;
+	int i, read_max = 10;
+
+	for (i = 0; i < read_max && ret != SGX_SUCCESS; i++) {
+		ret = sgx_read_rand(output, sz);
+	}
 
-#if defined(USE_WINDOWS_API)
+	(void)os;
+	return (ret == SGX_SUCCESS) ? 0 : 1;
+}
 
+#elif defined(USE_WINDOWS_API)
 
 int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 {
+#ifdef WOLF_CRYPTO_CB
+    int ret;
+
+    if (os != NULL && os->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_RandomSeed(os, output, sz);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
+#endif
+
+    #ifdef HAVE_INTEL_RDSEED
+        if (IS_INTEL_RDSEED(intel_flags)) {
+             if (!wc_GenerateSeed_IntelRD(NULL, output, sz)) {
+                 /* success, we're done */
+                 return 0;
+             }
+        #ifdef FORCE_FAILURE_RDSEED
+             /* don't fall back to CryptoAPI */
+             return READ_RAN_E;
+        #endif
+        }
+    #endif /* HAVE_INTEL_RDSEED */
+
     if(!CryptAcquireContext(&os->handle, 0, 0, PROV_RSA_FULL,
                             CRYPT_VERIFYCONTEXT))
         return WINCRYPT_E;
@@ -991,92 +1595,85 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 #include "rtprand.h"   /* rtp_rand () */
 #include "rtptime.h"   /* rtp_get_system_msec() */
 
-
 int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 {
-    int i;
-    rtp_srand(rtp_get_system_msec());
+    word32 i;
 
+    rtp_srand(rtp_get_system_msec());
     for (i = 0; i < sz; i++ ) {
         output[i] = rtp_rand() % 256;
-        if ( (i % 8) == 7)
-            rtp_srand(rtp_get_system_msec());
     }
 
     return 0;
 }
 
 
-#elif defined(MICRIUM)
-
-int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-{
-    #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-        NetSecure_InitSeed(output, sz);
-    #endif
-    return 0;
-}
-
-#elif defined(MBED)
-
-/* write a real one !!!, just for testing board */
-int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-{
-    int i;
-    for (i = 0; i < sz; i++ )
-        output[i] = i;
-
-    return 0;
-}
-
 #elif defined(MICROCHIP_PIC32)
 
-#ifdef MICROCHIP_MPLAB_HARMONY
-    #define PIC32_SEED_COUNT _CP0_GET_COUNT
-#else
-    #if !defined(WOLFSSL_MICROCHIP_PIC32MZ)
-        #include <peripheral/timer.h>
+    #ifdef MICROCHIP_MPLAB_HARMONY
+        #ifdef MICROCHIP_MPLAB_HARMONY_3
+            #include "system/time/sys_time.h"
+            #define PIC32_SEED_COUNT SYS_TIME_CounterGet
+        #else
+            #define PIC32_SEED_COUNT _CP0_GET_COUNT
+        #endif
+    #else
+        #if !defined(WOLFSSL_MICROCHIP_PIC32MZ)
+            #include <peripheral/timer.h>
+        #endif
+        extern word32 ReadCoreTimer(void);
+        #define PIC32_SEED_COUNT ReadCoreTimer
     #endif
-    #define PIC32_SEED_COUNT ReadCoreTimer
-#endif
-    #ifdef WOLFSSL_MIC32MZ_RNG
+
+    #ifdef WOLFSSL_PIC32MZ_RNG
         #include "xc.h"
         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         {
-            int i ;
-            byte rnd[8] ;
-            word32 *rnd32 = (word32 *)rnd ;
-            word32 size = sz ;
-            byte* op = output ;
-
-            /* This part has to be replaced with better random seed */
-            RNGNUMGEN1 = ReadCoreTimer();
-            RNGPOLY1 = ReadCoreTimer();
-            RNGPOLY2 = ReadCoreTimer();
-            RNGNUMGEN2 = ReadCoreTimer();
-#ifdef DEBUG_WOLFSSL
-            printf("GenerateSeed::Seed=%08x, %08x\n", RNGNUMGEN1, RNGNUMGEN2) ;
+            int i;
+            byte rnd[8];
+            word32 *rnd32 = (word32 *)rnd;
+            word32 size = sz;
+            byte* op = output;
+
+#if ((__PIC32_FEATURE_SET0 == 'E') && (__PIC32_FEATURE_SET1 == 'C'))
+            RNGNUMGEN1 = _CP0_GET_COUNT();
+            RNGPOLY1 = _CP0_GET_COUNT();
+            RNGPOLY2 = _CP0_GET_COUNT();
+            RNGNUMGEN2 = _CP0_GET_COUNT();
+#else
+            // All others can be seeded from the TRNG
+            RNGCONbits.TRNGMODE = 1;
+            RNGCONbits.TRNGEN = 1;
+            while (RNGCNT < 64);
+            RNGCONbits.LOAD = 1;
+            while (RNGCONbits.LOAD == 1);
+            while (RNGCNT < 64);
+            RNGPOLY2 = RNGSEED2;
+            RNGPOLY1 = RNGSEED1;
 #endif
+
             RNGCONbits.PLEN = 0x40;
             RNGCONbits.PRNGEN = 1;
-            for(i=0; i<5; i++) { /* wait for RNGNUMGEN ready */
-                volatile int x ;
-                x = RNGNUMGEN1 ;
-                x = RNGNUMGEN2 ;
+            for (i=0; i<5; i++) { /* wait for RNGNUMGEN ready */
+                volatile int x, y;
+                x = RNGNUMGEN1;
+                y = RNGNUMGEN2;
+                (void)x;
+                (void)y;
             }
             do {
                 rnd32[0] = RNGNUMGEN1;
                 rnd32[1] = RNGNUMGEN2;
 
                 for(i=0; i<8; i++, op++) {
-                    *op = rnd[i] ;
-                    size -- ;
-                    if(size==0)break ;
+                    *op = rnd[i];
+                    size --;
+                    if(size==0)break;
                 }
-            } while(size) ;
+            } while(size);
             return 0;
         }
-    #else  /* WOLFSSL_MIC32MZ_RNG */
+    #else  /* WOLFSSL_PIC32MZ_RNG */
         /* uses the core timer, in nanoseconds to seed srand */
         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         {
@@ -1090,11 +1687,12 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             }
             return 0;
         }
-    #endif /* WOLFSSL_MIC32MZ_RNG */
+    #endif /* WOLFSSL_PIC32MZ_RNG */
 
-#elif defined(FREESCALE_MQX)
+#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) || \
+      defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
 
-    #ifdef FREESCALE_K70_RNGA
+    #if defined(FREESCALE_K70_RNGA) || defined(FREESCALE_RNGA)
         /*
          * wc_Generates a RNG seed using the Random Number Generator Accelerator
          * on the Kinetis K70. Documentation located in Chapter 37 of
@@ -1102,10 +1700,16 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
          */
         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         {
-            int i;
+            word32 i;
 
             /* turn on RNGA module */
-            SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
+            #if defined(SIM_SCGC3_RNGA_MASK)
+                SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
+            #endif
+            #if defined(SIM_SCGC6_RNGA_MASK)
+                /* additionally needed for at least K64F */
+                SIM_SCGC6 |= SIM_SCGC6_RNGA_MASK;
+            #endif
 
             /* set SLP bit to 0 - "RNGA is not in sleep mode" */
             RNG_CR &= ~RNG_CR_SLP_MASK;
@@ -1128,7 +1732,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             return 0;
         }
 
-    #elif defined(FREESCALE_K53_RNGB)
+    #elif defined(FREESCALE_K53_RNGB) || defined(FREESCALE_RNGB)
         /*
          * wc_Generates a RNG seed using the Random Number Generator (RNGB)
          * on the Kinetis K53. Documentation located in Chapter 33 of
@@ -1166,78 +1770,191 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
             return 0;
         }
 
-    #else
-        #warning "write a real random seed!!!!, just for testing now"
+    #elif defined(FREESCALE_KSDK_2_0_TRNG)
 
         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         {
-            int i;
-            for (i = 0; i < sz; i++ )
-                output[i] = i;
+            status_t status;
+            status = TRNG_GetRandomData(TRNG0, output, sz);
+            if (status == kStatus_Success)
+            {
+                return(0);
+            }
+            else
+            {
+                return RAN_BLOCK_E;
+            }
+        }
 
-            return 0;
+    #elif defined(FREESCALE_KSDK_2_0_RNGA)
+
+        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+        {
+            status_t status;
+            status = RNGA_GetRandomData(RNG, output, sz);
+            if (status == kStatus_Success)
+            {
+                return(0);
+            }
+            else
+            {
+                return RAN_BLOCK_E;
+            }
         }
-    #endif /* FREESCALE_K70_RNGA */
 
-#elif defined(WOLFSSL_SAFERTOS) || defined(WOLFSSL_LEANPSK) \
-   || defined(WOLFSSL_IAR_ARM)  || defined(WOLFSSL_MDK_ARM) \
-   || defined(WOLFSSL_uITRON4)  || defined(WOLFSSL_uTKERNEL2)
 
-#warning "write a real random seed!!!!, just for testing now"
+    #elif defined(FREESCALE_RNGA)
 
-int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-{
-    word32 i;
-    for (i = 0; i < sz; i++ )
-        output[i] = i;
+        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+        {
+            RNGA_DRV_GetRandomData(RNGA_INSTANCE, output, sz);
+            return 0;
+        }
 
-    (void)os;
+    #else
+        #define USE_TEST_GENSEED
+    #endif /* FREESCALE_K70_RNGA */
 
-    return 0;
-}
+#elif defined(STM32_RNG)
+     /* Generate a RNG seed using the hardware random number generator
+      * on the STM32F2/F4/F7/L4. */
 
-#elif defined(STM32F2_RNG)
-    #undef RNG
-    #include "stm32f2xx_rng.h"
-    #include "stm32f2xx_rcc.h"
-    /*
-     * wc_Generate a RNG seed using the hardware random number generator
-     * on the STM32F2. Documentation located in STM32F2xx Standard Peripheral
-     * Library document (See note in README).
-     */
+    #ifdef WOLFSSL_STM32_CUBEMX
     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     {
-        int i;
+        int ret;
+        RNG_HandleTypeDef hrng;
+        word32 i = 0;
+        (void)os;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
 
         /* enable RNG clock source */
-        RCC_AHB2PeriphClockCmd(RCC_AHB2Periph_RNG, ENABLE);
+        __HAL_RCC_RNG_CLK_ENABLE();
 
         /* enable RNG peripheral */
-        RNG_Cmd(ENABLE);
+        XMEMSET(&hrng, 0, sizeof(hrng));
+        hrng.Instance = RNG;
+        HAL_RNG_Init(&hrng);
+
+        while (i < sz) {
+            /* If not aligned or there is odd/remainder */
+            if( (i + sizeof(word32)) > sz ||
+                ((wolfssl_word)&output[i] % sizeof(word32)) != 0
+            ) {
+                /* Single byte at a time */
+                uint32_t tmpRng = 0;
+                if (HAL_RNG_GenerateRandomNumber(&hrng, &tmpRng) != HAL_OK) {
+                    wolfSSL_CryptHwMutexUnLock();
+                    return RAN_BLOCK_E;
+                }
+                output[i++] = (byte)tmpRng;
+            }
+            else {
+                /* Use native 32 instruction */
+                if (HAL_RNG_GenerateRandomNumber(&hrng, (uint32_t*)&output[i]) != HAL_OK) {
+                    wolfSSL_CryptHwMutexUnLock();
+                    return RAN_BLOCK_E;
+                }
+                i += sizeof(word32);
+            }
+        }
+
+        wolfSSL_CryptHwMutexUnLock();
+
+        return 0;
+    }
+    #elif defined(WOLFSSL_STM32F427_RNG) || defined(WOLFSSL_STM32_RNG_NOLIB)
+
+    /* Generate a RNG seed using the hardware RNG on the STM32F427
+     * directly, following steps outlined in STM32F4 Reference
+     * Manual (Chapter 24) for STM32F4xx family. */
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret;
+        word32 i;
+        (void)os;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
+
+        /* enable RNG peripheral clock */
+        RCC->AHB2ENR |= RCC_AHB2ENR_RNGEN;
+
+        /* enable RNG interrupt, set IE bit in RNG->CR register */
+        RNG->CR |= RNG_CR_IE;
+
+        /* enable RNG, set RNGEN bit in RNG->CR. Activates RNG,
+         * RNG_LFSR, and error detector */
+        RNG->CR |= RNG_CR_RNGEN;
+
+        /* verify no errors, make sure SEIS and CEIS bits are 0
+         * in RNG->SR register */
+        if (RNG->SR & (RNG_SR_SECS | RNG_SR_CECS)) {
+            wolfSSL_CryptHwMutexUnLock();
+            return RNG_FAILURE_E;
+        }
 
         for (i = 0; i < sz; i++) {
             /* wait until RNG number is ready */
-            while(RNG_GetFlagStatus(RNG_FLAG_DRDY)== RESET) { }
+            while ((RNG->SR & RNG_SR_DRDY) == 0) { }
 
             /* get value */
-            output[i] = RNG_GetRandomNumber();
+            output[i] = RNG->DR;
         }
 
+        wolfSSL_CryptHwMutexUnLock();
+
         return 0;
     }
-#elif defined(WOLFSSL_LPC43xx) || defined(WOLFSSL_STM32F2xx)
 
-    #warning "write a real random seed!!!!, just for testing now"
+    #else
 
+    /* Generate a RNG seed using the STM32 Standard Peripheral Library */
     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     {
-        int i;
+        int ret;
+        word32 i;
+        (void)os;
 
-        for (i = 0; i < sz; i++ )
-            output[i] = i;
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
+
+        /* enable RNG clock source */
+        RCC_AHB2PeriphClockCmd(RCC_AHB2Periph_RNG, ENABLE);
+
+        /* reset RNG */
+        RNG_DeInit();
+
+        /* enable RNG peripheral */
+        RNG_Cmd(ENABLE);
+
+        /* verify no errors with RNG_CLK or Seed */
+        if (RNG_GetFlagStatus(RNG_FLAG_SECS | RNG_FLAG_CECS) != RESET) {
+            wolfSSL_CryptHwMutexUnLock();
+            return RNG_FAILURE_E;
+        }
+
+        for (i = 0; i < sz; i++) {
+            /* wait until RNG number is ready */
+            while (RNG_GetFlagStatus(RNG_FLAG_DRDY) == RESET) { }
+
+            /* get value */
+            output[i] = RNG_GetRandomNumber();
+        }
+
+        wolfSSL_CryptHwMutexUnLock();
 
         return 0;
     }
+    #endif /* WOLFSSL_STM32_CUBEMX */
 
 #elif defined(WOLFSSL_TIRTOS)
 
@@ -1258,82 +1975,578 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         return 0;
     }
 
-#elif defined(CUSTOM_RAND_GENERATE)
-
-   /* Implement your own random generation function
-    * word32 rand_gen(void);
-    * #define CUSTOM_RAND_GENERATE  rand_gen  */
+#elif defined(WOLFSSL_PB)
 
     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     {
         word32 i;
+        for (i = 0; i < sz; i++)
+            output[i] = UTL_Rand();
 
         (void)os;
 
-        for (i = 0; i < sz; i++ )
-            output[i] = CUSTOM_RAND_GENERATE();
-
         return 0;
     }
 
-#elif defined(NO_DEV_RANDOM)
-
-#error "you need to write an os specific wc_GenerateSeed() here"
+#elif defined(WOLFSSL_NUCLEUS)
+#include "nucleus.h"
+#include "kernel/plus_common.h"
 
-/*
+#warning "potential for not enough entropy, currently being used for testing"
 int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 {
+    int i;
+    srand(NU_Get_Time_Stamp());
+
+    for (i = 0; i < sz; i++ ) {
+        output[i] = rand() % 256;
+        if ((i % 8) == 7) {
+            srand(NU_Get_Time_Stamp());
+        }
+    }
+
     return 0;
 }
-*/
+#elif defined(WOLFSSL_DEOS) && !defined(CUSTOM_RAND_GENERATE)
+    #include "stdlib.h"
 
+    #warning "potential for not enough entropy, currently being used for testing Deos"
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int i;
+        int seed = XTIME(0);
+        (void)os;
 
-#else /* !USE_WINDOWS_API && !HAVE_RPT_SYS && !MICRIUM && !NO_DEV_RANDOM */
+        for (i = 0; i < sz; i++ ) {
+            output[i] = rand_r(&seed) % 256;
+            if ((i % 8) == 7) {
+                seed = XTIME(0);
+                rand_r(&seed);
+            }
+        }
 
-/* may block */
-int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
-{
-    int ret = 0;
+        return 0;
+    }
+#elif defined(WOLFSSL_VXWORKS)
 
+    #include <randomNumGen.h>
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) {
+        STATUS        status;
+
+        #ifdef VXWORKS_SIM
+            /* cannot generate true entropy with VxWorks simulator */
+            #warning "not enough entropy, simulator for testing only"
+            int i = 0;
+
+            for (i = 0; i < 1000; i++) {
+                randomAddTimeStamp();
+            }
+        #endif
+
+        status = randBytes (output, sz);
+        if (status == ERROR) {
+            return RNG_FAILURE_E;
+        }
 
-#if defined(HAVE_INTEL_RDGEN) && (defined(HAVE_HASHDRBG) || defined(NO_RC4))
-    wc_InitRng_IntelRD() ; /* set cpuid_flags if not yet */
-    if(IS_INTEL_RDSEED)
-         return wc_GenerateSeed_IntelRD(NULL, output, sz) ;
+        return 0;
+    }
+
+#elif defined(WOLFSSL_NRF51)
+    #include "app_error.h"
+    #include "nrf_drv_rng.h"
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int remaining = sz, length, pos = 0;
+        uint8_t available;
+        uint32_t err_code;
+
+        (void)os;
+
+        /* Make sure RNG is running */
+        err_code = nrf_drv_rng_init(NULL);
+        if (err_code != NRF_SUCCESS && err_code != NRF_ERROR_INVALID_STATE) {
+            return -1;
+        }
+
+        while (remaining > 0) {
+            err_code = nrf_drv_rng_bytes_available(&available);
+            if (err_code == NRF_SUCCESS) {
+                length = (remaining < available) ? remaining : available;
+                if (length > 0) {
+                    err_code = nrf_drv_rng_rand(&output[pos], length);
+                    remaining -= length;
+                    pos += length;
+                }
+            }
+
+            if (err_code != NRF_SUCCESS) {
+                break;
+            }
+        }
+
+        return (err_code == NRF_SUCCESS) ? 0 : -1;
+    }
+
+#elif defined(HAVE_WNR)
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        if (os == NULL || output == NULL || wnr_ctx == NULL ||
+                wnr_timeout < 0) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (wnr_mutex_init == 0) {
+            WOLFSSL_MSG("netRandom context must be created before use");
+            return RNG_FAILURE_E;
+        }
+
+        if (wc_LockMutex(&wnr_mutex) != 0) {
+            WOLFSSL_MSG("Bad Lock Mutex wnr_mutex\n");
+            return BAD_MUTEX_E;
+        }
+
+        if (wnr_get_entropy(wnr_ctx, wnr_timeout, output, sz, sz) !=
+                WNR_ERROR_NONE)
+            return RNG_FAILURE_E;
+
+        wc_UnLockMutex(&wnr_mutex);
+
+        return 0;
+    }
+
+#elif defined(WOLFSSL_ATMEL)
+    #include <wolfssl/wolfcrypt/port/atmel/atmel.h>
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret = 0;
+
+        (void)os;
+        if (output == NULL) {
+            return BUFFER_E;
+        }
+
+        ret = atmel_get_random_number(sz, output);
+
+        return ret;
+    }
+
+#elif defined(INTIME_RTOS)
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret = 0;
+
+        (void)os;
+
+        if (output == NULL) {
+            return BUFFER_E;
+        }
+
+        /* Note: Investigate better solution */
+        /* no return to check */
+        arc4random_buf(output, sz);
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_WICED)
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret;
+        (void)os;
+
+        if (output == NULL || UINT16_MAX < sz) {
+            return BUFFER_E;
+        }
+
+        if ((ret = wiced_crypto_get_random((void*) output, sz) )
+                         != WICED_SUCCESS) {
+            return ret;
+        }
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_NETBURNER)
+    #warning using NetBurner pseudo random GetRandomByte for seed
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        word32 i;
+        (void)os;
+
+        if (output == NULL) {
+            return BUFFER_E;
+        }
+
+        for (i = 0; i < sz; i++) {
+            output[i] = GetRandomByte();
+
+            /* check if was a valid random number */
+            if (!RandomValid())
+                return RNG_FAILURE_E;
+        }
+
+        return 0;
+    }
+#elif defined(IDIRECT_DEV_RANDOM)
+
+    extern int getRandom( int sz, unsigned char *output );
+
+    int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int num_bytes_returned = 0;
+
+        num_bytes_returned = getRandom( (int) sz, (unsigned char *) output );
+
+        return 0;
+    }
+
+#elif (defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG))
+
+    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
+    #include <wolfssl/wolfcrypt/port/caam/caam_driver.h>
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        Buffer buf[1];
+        int ret  = 0;
+        int times = 1000, i;
+
+        (void)os;
+
+        if (output == NULL) {
+            return BUFFER_E;
+        }
+
+        buf[0].BufferType = DataBuffer | LastBuffer;
+        buf[0].TheAddress = (Address)output;
+        buf[0].Length     = sz;
+
+        /* Check Waiting to make sure entropy is ready */
+        for (i = 0; i < times; i++) {
+            ret = wc_caamAddAndWait(buf, NULL, CAAM_ENTROPY);
+            if (ret == Success) {
+                break;
+            }
+
+            /* driver could be waiting for entropy */
+            if (ret != RAN_BLOCK_E) {
+                return ret;
+            }
+            usleep(100);
+        }
+
+        if (i == times && ret != Success) {
+             return RNG_FAILURE_E;
+        }
+        else { /* Success case */
+            ret = 0;
+        }
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_APACHE_MYNEWT)
+
+    #include <stdlib.h>
+    #include "os/os_time.h"
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int i;
+        srand(os_time_get());
+
+        for (i = 0; i < sz; i++ ) {
+            output[i] = rand() % 256;
+            if ((i % 8) == 7) {
+                srand(os_time_get());
+            }
+        }
+
+        return 0;
+    }
+
+#elif defined(WOLFSSL_ESPIDF)
+    #if defined(WOLFSSL_ESPWROOM32) || defined(WOLFSSL_ESPWROOM32SE)
+        #include <esp_system.h>
+
+        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+        {
+            word32 rand;
+            while (sz > 0) {
+                word32 len = sizeof(rand);
+                if (sz < len)
+                    len = sz;
+                /* Get one random 32-bit word from hw RNG */
+                rand = esp_random( );
+                XMEMCPY(output, &rand, len);
+                output += len;
+                sz -= len;
+            }
+
+            return 0;
+        }
+    #endif /* end WOLFSSL_ESPWROOM32 */
+
+#elif defined(WOLFSSL_RENESAS_TSIP)
+#if defined(WOLFSSL_RENESA_TSIP_IAREWRX)
+    #include "r_bsp/mcu/all/r_rx_compiler.h"
 #endif
+    #include "r_bsp/platform.h"
+    #include "r_tsip_rx_if.h"
+    
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret;
+        uint32_t buffer[4];
+
+        while (sz > 0) {
+            uint32_t len = sizeof(buffer);
+            
+            if (sz < len) {
+                len = sz;
+            }
+            /* return 4 words random number*/
+            ret = R_TSIP_GenerateRandomNumber(buffer);
+            if(ret == TSIP_SUCCESS) {
+                XMEMCPY(output, &buffer, len);
+                output += len;
+                sz -= len;
+            } else
+                return ret;
+        }
+        return ret;
+    }
 
-    os->fd = open("/dev/urandom",O_RDONLY);
-    if (os->fd == -1) {
-        /* may still have /dev/random */
-        os->fd = open("/dev/random",O_RDONLY);
-        if (os->fd == -1)
-            return OPEN_RAN_E;
+#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG)
+    #include "hal_data.h"
+
+    #ifndef WOLFSSL_SCE_TRNG_HANDLE
+        #define WOLFSSL_SCE_TRNG_HANDLE g_sce_trng
+    #endif
+
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        uint32_t ret;
+        uint32_t blocks;
+        word32   len = sz;
+
+        ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->open(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
+                                                  WOLFSSL_SCE_TRNG_HANDLE.p_cfg);
+        if (ret != SSP_SUCCESS && ret != SSP_ERR_CRYPTO_ALREADY_OPEN) {
+            /* error opening TRNG driver */
+            return -1;
+        }
+
+        blocks = sz / sizeof(uint32_t);
+        if (blocks > 0) {
+            ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
+                                                      (uint32_t*)output, blocks);
+            if (ret != SSP_SUCCESS) {
+                return -1;
+            }
+        }
+
+        len = len - (blocks * sizeof(uint32_t));
+        if (len > 0) {
+            uint32_t tmp;
+
+            if (len > sizeof(uint32_t)) {
+                return -1;
+            }
+            ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->read(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl,
+                                                      (uint32_t*)tmp, 1);
+            if (ret != SSP_SUCCESS) {
+                return -1;
+            }
+            XMEMCPY(output + (blocks * sizeof(uint32_t)), (byte*)&tmp, len);
+        }
+
+        ret = WOLFSSL_SCE_TRNG_HANDLE.p_api->close(WOLFSSL_SCE_TRNG_HANDLE.p_ctrl);
+        if (ret != SSP_SUCCESS) {
+            /* error opening TRNG driver */
+            return -1;
+        }
+        return 0;
     }
+#elif defined(CUSTOM_RAND_GENERATE_BLOCK)
+    /* #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
+     * extern int myRngFunc(byte* output, word32 sz);
+     */
 
-    while (sz) {
-        int len = (int)read(os->fd, output, sz);
-        if (len == -1) {
-            ret = READ_RAN_E;
-            break;
+#elif defined(WOLFSSL_SAFERTOS) || defined(WOLFSSL_LEANPSK) || \
+      defined(WOLFSSL_IAR_ARM)  || defined(WOLFSSL_MDK_ARM) || \
+      defined(WOLFSSL_uITRON4)  || defined(WOLFSSL_uTKERNEL2) || \
+      defined(WOLFSSL_LPC43xx)  || defined(WOLFSSL_STM32F2xx) || \
+      defined(MBED)             || defined(WOLFSSL_EMBOS) || \
+      defined(WOLFSSL_GENSEED_FORTEST) || defined(WOLFSSL_CHIBIOS) || \
+      defined(WOLFSSL_CONTIKI)  || defined(WOLFSSL_AZSPHERE)
+
+    /* these platforms do not have a default random seed and
+       you'll need to implement your own wc_GenerateSeed or define via
+       CUSTOM_RAND_GENERATE_BLOCK */
+
+    #define USE_TEST_GENSEED
+
+#elif defined(WOLFSSL_ZEPHYR)
+
+        #include <entropy.h>
+    #ifndef _POSIX_C_SOURCE
+        #include <posix/time.h>
+    #else
+        #include <sys/time.h>
+    #endif
+
+        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+        {
+            int ret = 0;
+            word32 rand;
+            while (sz > 0) {
+                word32 len = sizeof(rand);
+                if (sz < len)
+                    len = sz;
+                rand = sys_rand32_get();
+                XMEMCPY(output, &rand, len);
+                output += len;
+                sz -= len;
+            }
+
+            return ret;
+        }
+
+#elif defined(WOLFSSL_TELIT_M2MB)
+
+        #include "stdlib.h"
+        static long get_timestamp(void) {
+            long myTime = 0;
+            INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
+            if (fd >= 0) {
+                M2MB_RTC_TIMEVAL_T timeval;
+                m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
+                myTime = timeval.msec;
+                m2mb_rtc_close(fd);
+            }
+            return myTime;
+        }
+        int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+        {
+            int i;
+            srand(get_timestamp());
+            for (i = 0; i < sz; i++ ) {
+                output[i] = rand() % 256;
+                if ((i % 8) == 7) {
+                    srand(get_timestamp());
+                }
+            }
+            return 0;
         }
 
-        sz     -= len;
-        output += len;
+#elif defined(NO_DEV_RANDOM)
+
+    #error "you need to write an os specific wc_GenerateSeed() here"
+
+    /*
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        return 0;
+    }
+    */
 
-        if (sz) {
-#ifdef BLOCKING
-            sleep(0);             /* context switch */
 #else
-            ret = RAN_BLOCK_E;
-            break;
-#endif
+
+    /* may block */
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        int ret = 0;
+
+        if (os == NULL) {
+            return BAD_FUNC_ARG;
         }
+
+    #ifdef WOLF_CRYPTO_CB
+        if (os->devId != INVALID_DEVID) {
+            ret = wc_CryptoCb_RandomSeed(os, output, sz);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+            ret = 0; /* reset error code */
+        }
+    #endif
+
+    #ifdef HAVE_INTEL_RDSEED
+        if (IS_INTEL_RDSEED(intel_flags)) {
+             ret = wc_GenerateSeed_IntelRD(NULL, output, sz);
+             if (ret == 0) {
+                 /* success, we're done */
+                 return ret;
+             }
+        #ifdef FORCE_FAILURE_RDSEED
+             /* don't fallback to /dev/urandom */
+             return ret;
+        #else
+             /* reset error and fallback to using /dev/urandom */
+             ret = 0;
+        #endif
+        }
+    #endif /* HAVE_INTEL_RDSEED */
+
+    #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
+        os->fd = open("/dev/urandom", O_RDONLY);
+        if (os->fd == -1)
+    #endif
+        {
+            /* may still have /dev/random */
+            os->fd = open("/dev/random", O_RDONLY);
+            if (os->fd == -1)
+                return OPEN_RAN_E;
+        }
+
+        while (sz) {
+            int len = (int)read(os->fd, output, sz);
+            if (len == -1) {
+                ret = READ_RAN_E;
+                break;
+            }
+
+            sz     -= len;
+            output += len;
+
+            if (sz) {
+    #if defined(BLOCKING) || defined(WC_RNG_BLOCKING)
+                sleep(0);             /* context switch */
+    #else
+                ret = RAN_BLOCK_E;
+                break;
+    #endif
+            }
+        }
+        close(os->fd);
+
+        return ret;
     }
-    close(os->fd);
 
-    return ret;
-}
+#endif
 
-#endif /* USE_WINDOWS_API */
-#endif /* HAVE_FIPS */
+#ifdef USE_TEST_GENSEED
+    #ifndef _MSC_VER
+        #warning "write a real random seed!!!!, just for testing now"
+    #else
+        #pragma message("Warning: write a real random seed!!!!, just for testing now")
+    #endif
+    int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+    {
+        word32 i;
+        for (i = 0; i < sz; i++ )
+            output[i] = i;
+
+        (void)os;
 
+        return 0;
+    }
+#endif
+
+
+/* End wc_GenerateSeed */
+#endif /* WC_NO_RNG */
+#endif /* HAVE_FIPS */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ripemd.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ripemd.c
index 639a42d07..484c62fe4 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ripemd.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ripemd.c
@@ -1,8 +1,8 @@
 /* ripemd.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,10 +16,11 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -32,22 +33,18 @@
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
+int wc_InitRipeMd(RipeMd* ripemd)
+{
+    if (ripemd == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-#endif /* WOLFSSL_HAVE_MIN */
-
-void wc_InitRipeMd(RipeMd* ripemd)
-{
     ripemd->digest[0] = 0x67452301L;
     ripemd->digest[1] = 0xEFCDAB89L;
     ripemd->digest[2] = 0x98BADCFEL;
@@ -57,11 +54,13 @@ void wc_InitRipeMd(RipeMd* ripemd)
     ripemd->buffLen = 0;
     ripemd->loLen   = 0;
     ripemd->hiLen   = 0;
+
+    return 0;
 }
 
 
 /* for all */
-#define F(x, y, z)    (x ^ y ^ z) 
+#define F(x, y, z)    (x ^ y ^ z)
 #define G(x, y, z)    (z ^ (x & (y^z)))
 #define H(x, y, z)    (z ^ (x | ~y))
 #define I(x, y, z)    (y ^ (z & (x^y)))
@@ -195,7 +194,7 @@ static void Transform(RipeMd* ripemd)
     Subround(J, b2, c2, d2, e2, a2, ripemd->buffer[ 3], 12, k5);
     Subround(J, a2, b2, c2, d2, e2, ripemd->buffer[12],  6, k5);
 
-    Subround(I, e2, a2, b2, c2, d2, ripemd->buffer[ 6],  9, k6); 
+    Subround(I, e2, a2, b2, c2, d2, ripemd->buffer[ 6],  9, k6);
     Subround(I, d2, e2, a2, b2, c2, ripemd->buffer[11], 13, k6);
     Subround(I, c2, d2, e2, a2, b2, ripemd->buffer[ 3], 15, k6);
     Subround(I, b2, c2, d2, e2, a2, ripemd->buffer[ 7],  7, k6);
@@ -272,7 +271,7 @@ static void Transform(RipeMd* ripemd)
 }
 
 
-static INLINE void AddLength(RipeMd* ripemd, word32 len)
+static WC_INLINE void AddLength(RipeMd* ripemd, word32 len)
 {
     word32 tmp = ripemd->loLen;
     if ( (ripemd->loLen += len) < tmp)
@@ -280,10 +279,16 @@ static INLINE void AddLength(RipeMd* ripemd, word32 len)
 }
 
 
-void wc_RipeMdUpdate(RipeMd* ripemd, const byte* data, word32 len)
+int wc_RipeMdUpdate(RipeMd* ripemd, const byte* data, word32 len)
 {
     /* do block size increments */
-    byte* local = (byte*)ripemd->buffer;
+    byte* local;
+
+    if (ripemd == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+    local = (byte*)ripemd->buffer;
 
     while (len) {
         word32 add = min(len, RIPEMD_BLOCK_SIZE - ripemd->buffLen);
@@ -303,12 +308,19 @@ void wc_RipeMdUpdate(RipeMd* ripemd, const byte* data, word32 len)
             ripemd->buffLen = 0;
         }
     }
+    return 0;
 }
 
 
-void wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
+int wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
 {
-    byte* local = (byte*)ripemd->buffer;
+    byte* local;
+
+    if (ripemd == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    local = (byte*)ripemd->buffer;
 
     AddLength(ripemd, ripemd->buffLen);               /* before adding pads */
 
@@ -326,10 +338,10 @@ void wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
         ripemd->buffLen = 0;
     }
     XMEMSET(&local[ripemd->buffLen], 0, RIPEMD_PAD_SIZE - ripemd->buffLen);
-   
+
     /* put lengths in bits */
     ripemd->loLen = ripemd->loLen << 3;
-    ripemd->hiLen = (ripemd->loLen >> (8*sizeof(ripemd->loLen) - 3)) + 
+    ripemd->hiLen = (ripemd->loLen >> (8*sizeof(ripemd->loLen) - 3)) +
                  (ripemd->hiLen << 3);
 
     /* store lengths */
@@ -338,7 +350,7 @@ void wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
     #endif
     /* ! length ordering dependent on digest endian type ! */
     XMEMCPY(&local[RIPEMD_PAD_SIZE], &ripemd->loLen, sizeof(word32));
-    XMEMCPY(&local[RIPEMD_PAD_SIZE + sizeof(word32)], &ripemd->hiLen, 
+    XMEMCPY(&local[RIPEMD_PAD_SIZE + sizeof(word32)], &ripemd->hiLen,
            sizeof(word32));
 
     Transform(ripemd);
@@ -347,7 +359,7 @@ void wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
     #endif
     XMEMCPY(hash, ripemd->digest, RIPEMD_DIGEST_SIZE);
 
-    wc_InitRipeMd(ripemd);  /* reset state */
+    return wc_InitRipeMd(ripemd);  /* reset state */
 }
 
 
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
index 1a5021783..69ab7b21b 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/rsa.c
@@ -1,8 +1,8 @@
 /* rsa.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,22 +16,82 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #ifndef NO_RSA
 
+#if defined(HAVE_FIPS) && \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+       #ifdef USE_WINDOWS_API
+               #pragma code_seg(".fipsA$e")
+               #pragma const_seg(".fipsB$e")
+       #endif
+#endif
+
 #include <wolfssl/wolfcrypt/rsa.h>
 
-#ifdef HAVE_FIPS
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+#include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#include <wolfssl/wolfcrypt/sp.h>
+#endif
+
+/*
+Possible RSA enable options:
+ * NO_RSA:              Overall control of RSA                      default: on (not defined)
+ * WC_RSA_BLINDING:     Uses Blinding w/ Private Ops                default: off
+                        Note: slower by ~20%
+ * WOLFSSL_KEY_GEN:     Allows Private Key Generation               default: off
+ * RSA_LOW_MEM:         NON CRT Private Operations, less memory     default: off
+ * WC_NO_RSA_OAEP:      Disables RSA OAEP padding                   default: on (not defined)
+ * WC_RSA_NONBLOCK:     Enables support for RSA non-blocking        default: off
+ * WC_RSA_NONBLOCK_TIME:Enables support for time based blocking     default: off
+ *                      time calculation.
+*/
+
+/*
+RSA Key Size Configuration:
+ * FP_MAX_BITS:         With USE_FAST_MATH only                     default: 4096
+    If USE_FAST_MATH then use this to override default.
+    Value is key size * 2. Example: RSA 3072 = 6144
+*/
+
+
+/* If building for old FIPS. */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
 int  wc_InitRsaKey(RsaKey* key, void* ptr)
 {
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    return InitRsaKey_fips(key, ptr);
+}
+
+
+int  wc_InitRsaKey_ex(RsaKey* key, void* ptr, int devId)
+{
+    (void)devId;
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return InitRsaKey_fips(key, ptr);
 }
 
@@ -42,16 +102,25 @@ int  wc_FreeRsaKey(RsaKey* key)
 }
 
 
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
 int  wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
-                                 word32 outLen, RsaKey* key, RNG* rng)
+                                 word32 outLen, RsaKey* key, WC_RNG* rng)
 {
+    if (in == NULL || out == NULL || key == NULL || rng == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return RsaPublicEncrypt_fips(in, inLen, out, outLen, key, rng);
 }
+#endif
 
 
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
 int  wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
                                         RsaKey* key)
 {
+    if (in == NULL || out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return RsaPrivateDecryptInline_fips(in, inLen, out, key);
 }
 
@@ -59,19 +128,29 @@ int  wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out,
 int  wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
                                   word32 outLen, RsaKey* key)
 {
+    if (in == NULL || out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return RsaPrivateDecrypt_fips(in, inLen, out, outLen, key);
 }
 
 
 int  wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
-                            word32 outLen, RsaKey* key, RNG* rng)
+                            word32 outLen, RsaKey* key, WC_RNG* rng)
 {
+    if (in == NULL || out == NULL || key == NULL || inLen == 0) {
+        return BAD_FUNC_ARG;
+    }
     return RsaSSL_Sign_fips(in, inLen, out, outLen, key, rng);
 }
+#endif
 
 
 int  wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
 {
+    if (in == NULL || out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return RsaSSL_VerifyInline_fips(in, inLen, out, key);
 }
 
@@ -79,177 +158,1123 @@ int  wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
 int  wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out,
                               word32 outLen, RsaKey* key)
 {
+    if (in == NULL || out == NULL || key == NULL || inLen == 0) {
+        return BAD_FUNC_ARG;
+    }
     return RsaSSL_Verify_fips(in, inLen, out, outLen, key);
 }
 
 
 int  wc_RsaEncryptSize(RsaKey* key)
 {
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
     return RsaEncryptSize_fips(key);
 }
 
 
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
 int wc_RsaFlattenPublicKey(RsaKey* key, byte* a, word32* aSz, byte* b,
                            word32* bSz)
 {
+
     /* not specified as fips so not needing _fips */
     return RsaFlattenPublicKey(key, a, aSz, b, bSz);
 }
-#ifdef WOLFSSL_KEY_GEN
-    int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
-    {
-        return MakeRsaKey(key, size, e, rng);
-    }
 #endif
 
 
-#ifdef HAVE_CAVIUM
-    int  wc_RsaInitCavium(RsaKey* key, int i)
-    {
-        return RsaInitCavium(key, i);
-    }
-
-
-    void wc_RsaFreeCavium(RsaKey* key)
+#ifdef WOLFSSL_KEY_GEN
+    int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
     {
-        RsaFreeCavium(key);
+        return MakeRsaKey(key, size, e, rng);
     }
 #endif
 
+
 /* these are functions in asn and are routed to wolfssl/wolfcrypt/asn.c
 * wc_RsaPrivateKeyDecode
 * wc_RsaPublicKeyDecode
 */
 
-#else /* else build without fips */
+#else /* else build without fips, or for new fips */
+
 #include <wolfssl/wolfcrypt/random.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/logging.h>
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifdef SHOW_GEN
-    #ifdef FREESCALE_MQX
-        #include <fio.h>
-    #else
-        #include <stdio.h>
-    #endif
+
+enum {
+    RSA_STATE_NONE = 0,
+
+    RSA_STATE_ENCRYPT_PAD,
+    RSA_STATE_ENCRYPT_EXPTMOD,
+    RSA_STATE_ENCRYPT_RES,
+
+    RSA_STATE_DECRYPT_EXPTMOD,
+    RSA_STATE_DECRYPT_UNPAD,
+    RSA_STATE_DECRYPT_RES,
+};
+
+
+static void wc_RsaCleanup(RsaKey* key)
+{
+#ifndef WOLFSSL_RSA_VERIFY_INLINE
+    if (key && key->data) {
+        /* make sure any allocated memory is free'd */
+        if (key->dataIsAlloc) {
+        #ifndef WOLFSSL_RSA_PUBLIC_ONLY
+            if (key->type == RSA_PRIVATE_DECRYPT ||
+                key->type == RSA_PRIVATE_ENCRYPT) {
+                ForceZero(key->data, key->dataLen);
+            }
+        #endif
+            XFREE(key->data, key->heap, DYNAMIC_TYPE_WOLF_BIGINT);
+            key->dataIsAlloc = 0;
+        }
+        key->data = NULL;
+        key->dataLen = 0;
+    }
+#else
+    (void)key;
 #endif
+}
+
+int wc_InitRsaKey_ex(RsaKey* key, void* heap, int devId)
+{
+    int ret = 0;
 
-#ifdef HAVE_CAVIUM
-    static int  InitCaviumRsaKey(RsaKey* key, void* heap);
-    static int  FreeCaviumRsaKey(RsaKey* key);
-    static int  CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
-                                       word32 outLen, RsaKey* key);
-    static int  CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
-                                        word32 outLen, RsaKey* key);
-    static int  CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
-                                  word32 outLen, RsaKey* key);
-    static int  CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
-                                    word32 outLen, RsaKey* key);
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(key, 0, sizeof(RsaKey));
+
+    key->type = RSA_TYPE_UNKNOWN;
+    key->state = RSA_STATE_NONE;
+    key->heap = heap;
+#ifndef WOLFSSL_RSA_VERIFY_INLINE
+    key->dataIsAlloc = 0;
+    key->data = NULL;
+#endif
+    key->dataLen = 0;
+#ifdef WC_RSA_BLINDING
+    key->rng = NULL;
 #endif
 
-enum {
-    RSA_PUBLIC_ENCRYPT  = 0,
-    RSA_PUBLIC_DECRYPT  = 1,
-    RSA_PRIVATE_ENCRYPT = 2,
-    RSA_PRIVATE_DECRYPT = 3,
+#ifdef WOLF_CRYPTO_CB
+    key->devId = devId;
+#else
+    (void)devId;
+#endif
 
-    RSA_BLOCK_TYPE_1 = 1,
-    RSA_BLOCK_TYPE_2 = 2,
+#ifdef WOLFSSL_ASYNC_CRYPT
+    #ifdef WOLFSSL_CERT_GEN
+        XMEMSET(&key->certSignCtx, 0, sizeof(CertSignCtx));
+    #endif
 
-    RSA_MIN_SIZE = 512,
-    RSA_MAX_SIZE = 4096,
+    #ifdef WC_ASYNC_ENABLE_RSA
+        /* handle as async */
+        ret = wolfAsync_DevCtxInit(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA,
+                                                            key->heap, devId);
+        if (ret != 0)
+            return ret;
+    #endif /* WC_ASYNC_ENABLE_RSA */
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    RSA_MIN_PAD_SZ   = 11      /* seperator + 0 + pad value + 8 pads */
-};
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    ret = mp_init_multi(&key->n, &key->e, NULL, NULL, NULL, NULL);
+    if (ret != MP_OKAY)
+        return ret;
 
+#if !defined(WOLFSSL_KEY_GEN) && !defined(OPENSSL_EXTRA) && defined(RSA_LOW_MEM)
+    ret = mp_init_multi(&key->d, &key->p, &key->q, NULL, NULL, NULL);
+#else
+    ret = mp_init_multi(&key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u);
+#endif
+    if (ret != MP_OKAY) {
+        mp_clear(&key->n);
+        mp_clear(&key->e);
+        return ret;
+    }
+#else
+    ret = mp_init(&key->n);
+    if (ret != MP_OKAY)
+        return ret;
+    ret = mp_init(&key->e);
+    if (ret != MP_OKAY) {
+        mp_clear(&key->n);
+        return ret;
+    }
+#endif
+
+#ifdef WOLFSSL_XILINX_CRYPT
+    key->pubExp = 0;
+    key->mod    = NULL;
+#endif
+
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+    key->alFd = WC_SOCK_NOTSET;
+    key->rdFd = WC_SOCK_NOTSET;
+#endif
+
+    return ret;
+}
 
 int wc_InitRsaKey(RsaKey* key, void* heap)
 {
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return InitCaviumRsaKey(key, heap);
+    return wc_InitRsaKey_ex(key, heap, INVALID_DEVID);
+}
+
+#ifdef HAVE_PKCS11
+int wc_InitRsaKey_Id(RsaKey* key, unsigned char* id, int len, void* heap,
+                     int devId)
+{
+    int ret = 0;
+
+    if (key == NULL)
+        ret = BAD_FUNC_ARG;
+    if (ret == 0 && (len < 0 || len > RSA_MAX_ID_LEN))
+        ret = BUFFER_E;
+
+    if (ret == 0)
+        ret = wc_InitRsaKey_ex(key, heap, devId);
+
+    if (ret == 0 && id != NULL && len != 0) {
+        XMEMCPY(key->id, id, len);
+        key->idLen = len;
+    }
+
+    return ret;
+}
 #endif
 
-    key->type = -1;  /* haven't decided yet */
-    key->heap = heap;
 
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
-    key->n.dp = key->e.dp = 0;  /* public  alloc parts */
+#ifdef WOLFSSL_XILINX_CRYPT
+#define MAX_E_SIZE 4
+/* Used to setup hardware state
+ *
+ * key  the RSA key to setup
+ *
+ * returns 0 on success
+ */
+int wc_InitRsaHw(RsaKey* key)
+{
+    unsigned char* m; /* RSA modulous */
+    word32 e = 0;     /* RSA public exponent */
+    int mSz;
+    int eSz;
 
-    key->d.dp = key->p.dp  = 0;  /* private alloc parts */
-    key->q.dp = key->dP.dp = 0;  
-    key->u.dp = key->dQ.dp = 0;
-#else
-    mp_init(&key->n);
-    mp_init(&key->e);
-    mp_init(&key->d);
-    mp_init(&key->p);
-    mp_init(&key->q);
-    mp_init(&key->dP);
-    mp_init(&key->dQ);
-    mp_init(&key->u);
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    mSz = mp_unsigned_bin_size(&(key->n));
+    m = (unsigned char*)XMALLOC(mSz, key->heap, DYNAMIC_TYPE_KEY);
+    if (m == 0) {
+        return MEMORY_E;
+    }
+
+    if (mp_to_unsigned_bin(&(key->n), m) != MP_OKAY) {
+        WOLFSSL_MSG("Unable to get RSA key modulus");
+        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+        return MP_READ_E;
+    }
+
+    eSz = mp_unsigned_bin_size(&(key->e));
+    if (eSz > MAX_E_SIZE) {
+        WOLFSSL_MSG("Exponent of size 4 bytes expected");
+        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+        return BAD_FUNC_ARG;
+    }
+
+    if (mp_to_unsigned_bin(&(key->e), (byte*)&e + (MAX_E_SIZE - eSz))
+                != MP_OKAY) {
+        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+        WOLFSSL_MSG("Unable to get RSA key exponent");
+        return MP_READ_E;
+    }
+
+    /* check for existing mod buffer to avoid memory leak */
+    if (key->mod != NULL) {
+        XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
+    }
+
+    key->pubExp = e;
+    key->mod    = m;
+
+    if (XSecure_RsaInitialize(&(key->xRsa), key->mod, NULL,
+                (byte*)&(key->pubExp)) != XST_SUCCESS) {
+        WOLFSSL_MSG("Unable to initialize RSA on hardware");
+        XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+        return BAD_STATE_E;
+    }
+
+#ifdef WOLFSSL_XILINX_PATCH
+   /* currently a patch of xsecure_rsa.c for 2048 bit keys */
+   if (wc_RsaEncryptSize(key) == 256) {
+       if (XSecure_RsaSetSize(&(key->xRsa), 2048) != XST_SUCCESS) {
+           WOLFSSL_MSG("Unable to set RSA key size on hardware");
+           XFREE(m, key->heap, DYNAMIC_TYPE_KEY);
+           return BAD_STATE_E;
+       }
+   }
 #endif
+    return 0;
+} /* WOLFSSL_XILINX_CRYPT*/
+
+#elif defined(WOLFSSL_CRYPTOCELL)
+
+int wc_InitRsaHw(RsaKey* key)
+{
+    CRYSError_t ret = 0;
+    byte e[3];
+    word32 eSz = sizeof(e);
+    byte n[256];
+    word32 nSz = sizeof(n);
+    byte d[256];
+    word32 dSz = sizeof(d);
+    byte p[128];
+    word32 pSz = sizeof(p);
+    byte q[128];
+    word32 qSz = sizeof(q);
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != 0)
+        return MP_READ_E;
+
+    ret = CRYS_RSA_Build_PubKey(&key->ctx.pubKey, e, eSz, n, nSz);
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_Build_PubKey failed");
+        return ret;
+    }
+
+    ret =  CRYS_RSA_Build_PrivKey(&key->ctx.privKey, d, dSz, e, eSz, n, nSz);
 
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_Build_PrivKey failed");
+        return ret;
+    }
+    key->type = RSA_PRIVATE;
     return 0;
 }
+static int cc310_RSA_GenerateKeyPair(RsaKey* key, int size, long e)
+{
+    CRYSError_t             ret = 0;
+    CRYS_RSAKGData_t        KeyGenData;
+    CRYS_RSAKGFipsContext_t FipsCtx;
+    byte ex[3];
+    uint16_t eSz = sizeof(ex);
+    byte n[256];
+    uint16_t nSz = sizeof(n);
+
+    ret = CRYS_RSA_KG_GenerateKeyPair(&wc_rndState,
+                        wc_rndGenVectFunc,
+                        (byte*)&e,
+                        3*sizeof(uint8_t),
+                        size,
+                        &key->ctx.privKey,
+                        &key->ctx.pubKey,
+                        &KeyGenData,
+                        &FipsCtx);
+
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_KG_GenerateKeyPair failed");
+        return ret;
+    }
 
+    ret = CRYS_RSA_Get_PubKey(&key->ctx.pubKey, ex, &eSz, n, &nSz);
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_Get_PubKey failed");
+        return ret;
+    }
+    ret = wc_RsaPublicKeyDecodeRaw(n, nSz, ex, eSz, key);
+
+    key->type = RSA_PRIVATE;
+
+    return ret;
+}
+#endif /* WOLFSSL_CRYPTOCELL */
 
 int wc_FreeRsaKey(RsaKey* key)
 {
-    (void)key;
+    int ret = 0;
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return FreeCaviumRsaKey(key);
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    wc_RsaCleanup(key);
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+    wolfAsync_DevCtxFree(&key->asyncDev, WOLFSSL_ASYNC_MARKER_RSA);
 #endif
 
-/* TomsFastMath doesn't use memory allocation */
-#ifndef USE_FAST_MATH
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
     if (key->type == RSA_PRIVATE) {
-        mp_clear(&key->u);
-        mp_clear(&key->dQ);
-        mp_clear(&key->dP);
-        mp_clear(&key->q);
-        mp_clear(&key->p);
-        mp_clear(&key->d);
+#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
+        mp_forcezero(&key->u);
+        mp_forcezero(&key->dQ);
+        mp_forcezero(&key->dP);
+#endif
+        mp_forcezero(&key->q);
+        mp_forcezero(&key->p);
+        mp_forcezero(&key->d);
     }
+    /* private part */
+#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA) || !defined(RSA_LOW_MEM)
+    mp_clear(&key->u);
+    mp_clear(&key->dQ);
+    mp_clear(&key->dP);
+#endif
+    mp_clear(&key->q);
+    mp_clear(&key->p);
+    mp_clear(&key->d);
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+    /* public part */
     mp_clear(&key->e);
     mp_clear(&key->n);
+
+#ifdef WOLFSSL_XILINX_CRYPT
+    XFREE(key->mod, key->heap, DYNAMIC_TYPE_KEY);
+    key->mod = NULL;
+#endif
+
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+    /* make sure that sockets are closed on cleanup */
+    if (key->alFd > 0) {
+        close(key->alFd);
+        key->alFd = WC_SOCK_NOTSET;
+    }
+    if (key->rdFd > 0) {
+        close(key->rdFd);
+        key->rdFd = WC_SOCK_NOTSET;
+    }
+#endif
+
+    return ret;
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
+/* Check the pair-wise consistency of the RSA key.
+ * From NIST SP 800-56B, section 6.4.1.1.
+ * Verify that k = (k^e)^d, for some k: 1 < k < n-1. */
+int wc_CheckRsaKey(RsaKey* key)
+{
+#if defined(WOLFSSL_CRYPTOCELL)
+    return 0;
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int *k = NULL, *tmp = NULL;
+#else
+    mp_int k[1], tmp[1];
+#endif
+    int ret = 0;
+
+#ifdef WOLFSSL_SMALL_STACK
+    k = (mp_int*)XMALLOC(sizeof(mp_int) * 2, NULL, DYNAMIC_TYPE_RSA);
+    if (k == NULL)
+        return MEMORY_E;
+    tmp = k + 1;
+#endif
+
+    if (mp_init_multi(k, tmp, NULL, NULL, NULL, NULL) != MP_OKAY)
+        ret = MP_INIT_E;
+
+    if (ret == 0) {
+        if (key == NULL)
+            ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        if (mp_set_int(k, 0x2342) != MP_OKAY)
+            ret = MP_READ_E;
+    }
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#ifndef WOLFSSL_SP_NO_2048
+    if (mp_count_bits(&key->n) == 2048) {
+        ret = sp_ModExp_2048(k, &key->e, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+        ret = sp_ModExp_2048(tmp, &key->d, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+    }
+    else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+    if (mp_count_bits(&key->n) == 3072) {
+        ret = sp_ModExp_3072(k, &key->e, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+        ret = sp_ModExp_3072(tmp, &key->d, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+    }
+    else
+#endif
+#ifdef WOLFSSL_SP_4096
+    if (mp_count_bits(&key->n) == 4096) {
+        ret = sp_ModExp_4096(k, &key->e, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+        ret = sp_ModExp_4096(tmp, &key->d, &key->n, tmp);
+        if (ret != 0)
+            ret = MP_EXPTMOD_E;
+    }
+    else
+#endif
+#endif
+#ifdef WOLFSSL_SP_MATH
+    {
+        ret = WC_KEY_SIZE_E;
+    }
+#else
+    {
+        if (ret == 0) {
+            if (mp_exptmod(k, &key->e, &key->n, tmp) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+        }
+
+        if (ret == 0) {
+            if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+        }
+    }
+#endif
+
+    if (ret == 0) {
+        if (mp_cmp(k, tmp) != MP_EQ)
+            ret = RSA_KEY_PAIR_E;
+    }
+
+    /* Check d is less than n. */
+    if (ret == 0 ) {
+        if (mp_cmp(&key->d, &key->n) != MP_LT) {
+            ret = MP_EXPTMOD_E;
+        }
+    }
+    /* Check p*q = n. */
+    if (ret == 0 ) {
+        if (mp_mul(&key->p, &key->q, tmp) != MP_OKAY) {
+            ret = MP_EXPTMOD_E;
+        }
+    }
+    if (ret == 0 ) {
+        if (mp_cmp(&key->n, tmp) != MP_EQ) {
+            ret = MP_EXPTMOD_E;
+        }
+    }
+
+    /* Check dP, dQ and u if they exist */
+    if (ret == 0 && !mp_iszero(&key->dP)) {
+        if (mp_sub_d(&key->p, 1, tmp) != MP_OKAY) {
+            ret = MP_EXPTMOD_E;
+        }
+        /* Check dP <= p-1. */
+        if (ret == 0) {
+            if (mp_cmp(&key->dP, tmp) != MP_LT) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        /* Check e*dP mod p-1 = 1. (dP = 1/e mod p-1) */
+        if (ret == 0) {
+            if (mp_mulmod(&key->dP, &key->e, tmp, tmp) != MP_OKAY) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        if (ret == 0 ) {
+            if (!mp_isone(tmp)) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+
+        if (ret == 0) {
+            if (mp_sub_d(&key->q, 1, tmp) != MP_OKAY) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        /* Check dQ <= q-1. */
+        if (ret == 0) {
+            if (mp_cmp(&key->dQ, tmp) != MP_LT) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        /* Check e*dP mod p-1 = 1. (dQ = 1/e mod q-1) */
+        if (ret == 0) {
+            if (mp_mulmod(&key->dQ, &key->e, tmp, tmp) != MP_OKAY) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        if (ret == 0 ) {
+            if (!mp_isone(tmp)) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+
+        /* Check u <= p. */
+        if (ret == 0) {
+            if (mp_cmp(&key->u, &key->p) != MP_LT) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        /* Check u*q mod p = 1. (u = 1/q mod p) */
+        if (ret == 0) {
+            if (mp_mulmod(&key->u, &key->q, &key->p, tmp) != MP_OKAY) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+        if (ret == 0 ) {
+            if (!mp_isone(tmp)) {
+                ret = MP_EXPTMOD_E;
+            }
+        }
+    }
+
+    mp_forcezero(tmp);
+    mp_clear(tmp);
+    mp_clear(k);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(k, NULL, DYNAMIC_TYPE_RSA);
+#endif
+
+    return ret;
+}
 #endif
+#endif
+
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_PSS)
+/* Uses MGF1 standard as a mask generation function
+   hType: hash type used
+   seed:  seed to use for generating mask
+   seedSz: size of seed buffer
+   out:   mask output after generation
+   outSz: size of output buffer
+ */
+#if !defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
+static int RsaMGF1(enum wc_HashType hType, byte* seed, word32 seedSz,
+                                        byte* out, word32 outSz, void* heap)
+{
+    byte* tmp;
+    /* needs to be large enough for seed size plus counter(4) */
+    byte  tmpA[WC_MAX_DIGEST_SIZE + 4];
+    byte   tmpF;     /* 1 if dynamic memory needs freed */
+    word32 tmpSz;
+    int hLen;
+    int ret;
+    word32 counter;
+    word32 idx;
+    hLen    = wc_HashGetDigestSize(hType);
+    counter = 0;
+    idx     = 0;
+
+    (void)heap;
+
+    /* check error return of wc_HashGetDigestSize */
+    if (hLen < 0) {
+        return hLen;
+    }
+
+    /* if tmp is not large enough than use some dynamic memory */
+    if ((seedSz + 4) > sizeof(tmpA) || (word32)hLen > sizeof(tmpA)) {
+        /* find largest amount of memory needed which will be the max of
+         * hLen and (seedSz + 4) since tmp is used to store the hash digest */
+        tmpSz = ((seedSz + 4) > (word32)hLen)? seedSz + 4: (word32)hLen;
+        tmp = (byte*)XMALLOC(tmpSz, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        if (tmp == NULL) {
+            return MEMORY_E;
+        }
+        tmpF = 1; /* make sure to free memory when done */
+    }
+    else {
+        /* use array on the stack */
+        tmpSz = sizeof(tmpA);
+        tmp  = tmpA;
+        tmpF = 0; /* no need to free memory at end */
+    }
+
+    do {
+        int i = 0;
+        XMEMCPY(tmp, seed, seedSz);
+
+        /* counter to byte array appended to tmp */
+        tmp[seedSz]     = (counter >> 24) & 0xFF;
+        tmp[seedSz + 1] = (counter >> 16) & 0xFF;
+        tmp[seedSz + 2] = (counter >>  8) & 0xFF;
+        tmp[seedSz + 3] = (counter)       & 0xFF;
+
+        /* hash and append to existing output */
+        if ((ret = wc_Hash(hType, tmp, (seedSz + 4), tmp, tmpSz)) != 0) {
+            /* check for if dynamic memory was needed, then free */
+            if (tmpF) {
+                XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            }
+            return ret;
+        }
+
+        for (i = 0; i < hLen && idx < outSz; i++) {
+            out[idx++] = tmp[i];
+        }
+        counter++;
+    } while (idx < outSz);
+
+    /* check for if dynamic memory was needed, then free */
+    if (tmpF) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+    }
 
     return 0;
 }
+#endif /* SHA2 Hashes */
 
-static int wc_RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
-                   word32 pkcsBlockLen, byte padValue, RNG* rng)
+/* helper function to direct which mask generation function is used
+   switched on type input
+ */
+static int RsaMGF(int type, byte* seed, word32 seedSz, byte* out,
+                                                    word32 outSz, void* heap)
 {
-    if (inputLen == 0)
-        return 0;
+    int ret;
+
+    switch(type) {
+    #ifndef NO_SHA
+        case WC_MGF1SHA1:
+            ret = RsaMGF1(WC_HASH_TYPE_SHA, seed, seedSz, out, outSz, heap);
+            break;
+    #endif
+    #ifndef NO_SHA256
+    #ifdef WOLFSSL_SHA224
+        case WC_MGF1SHA224:
+            ret = RsaMGF1(WC_HASH_TYPE_SHA224, seed, seedSz, out, outSz, heap);
+            break;
+    #endif
+        case WC_MGF1SHA256:
+            ret = RsaMGF1(WC_HASH_TYPE_SHA256, seed, seedSz, out, outSz, heap);
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA384
+        case WC_MGF1SHA384:
+            ret = RsaMGF1(WC_HASH_TYPE_SHA384, seed, seedSz, out, outSz, heap);
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA512
+        case WC_MGF1SHA512:
+            ret = RsaMGF1(WC_HASH_TYPE_SHA512, seed, seedSz, out, outSz, heap);
+            break;
+    #endif
+        default:
+            WOLFSSL_MSG("Unknown MGF type: check build options");
+            ret = BAD_FUNC_ARG;
+    }
+
+    /* in case of default avoid unused warning */
+    (void)seed;
+    (void)seedSz;
+    (void)out;
+    (void)outSz;
+    (void)heap;
+
+    return ret;
+}
+#endif /* !WC_NO_RSA_OAEP || WC_RSA_PSS */
+
+
+/* Padding */
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+#ifndef WC_NO_RNG
+#ifndef WC_NO_RSA_OAEP
+static int RsaPad_OAEP(const byte* input, word32 inputLen, byte* pkcsBlock,
+        word32 pkcsBlockLen, byte padValue, WC_RNG* rng,
+        enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
+        void* heap)
+{
+    int ret;
+    int hLen;
+    int psLen;
+    int i;
+    word32 idx;
+
+    byte* dbMask;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        byte* lHash = NULL;
+        byte* seed  = NULL;
+    #else
+        /* must be large enough to contain largest hash */
+        byte lHash[WC_MAX_DIGEST_SIZE];
+        byte seed[ WC_MAX_DIGEST_SIZE];
+    #endif
+
+    /* no label is allowed, but catch if no label provided and length > 0 */
+    if (optLabel == NULL && labelLen > 0) {
+        return BUFFER_E;
+    }
+
+    /* limit of label is the same as limit of hash function which is massive */
+    hLen = wc_HashGetDigestSize(hType);
+    if (hLen < 0) {
+        return hLen;
+    }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        lHash = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        if (lHash == NULL) {
+            return MEMORY_E;
+        }
+        seed = (byte*)XMALLOC(hLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        if (seed == NULL) {
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            return MEMORY_E;
+        }
+    #else
+        /* hLen should never be larger than lHash since size is max digest size,
+           but check before blindly calling wc_Hash */
+        if ((word32)hLen > sizeof(lHash)) {
+            WOLFSSL_MSG("OAEP lHash to small for digest!!");
+            return MEMORY_E;
+        }
+    #endif
+
+    if ((ret = wc_Hash(hType, optLabel, labelLen, lHash, hLen)) != 0) {
+        WOLFSSL_MSG("OAEP hash type possibly not supported or lHash to small");
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return ret;
+    }
+
+    /* handles check of location for idx as well as psLen, cast to int to check
+       for pkcsBlockLen(k) - 2 * hLen - 2 being negative
+       This check is similar to decryption where k > 2 * hLen + 2 as msg
+       size approaches 0. In decryption if k is less than or equal -- then there
+       is no possible room for msg.
+       k = RSA key size
+       hLen = hash digest size -- will always be >= 0 at this point
+     */
+    if ((word32)(2 * hLen + 2) > pkcsBlockLen) {
+        WOLFSSL_MSG("OAEP pad error hash to big for RSA key size");
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return BAD_FUNC_ARG;
+    }
+
+    if (inputLen > (pkcsBlockLen - 2 * hLen - 2)) {
+        WOLFSSL_MSG("OAEP pad error message too long");
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return BAD_FUNC_ARG;
+    }
+
+    /* concatenate lHash || PS || 0x01 || msg */
+    idx = pkcsBlockLen - 1 - inputLen;
+    psLen = pkcsBlockLen - inputLen - 2 * hLen - 2;
+    if (pkcsBlockLen < inputLen) { /*make sure not writing over end of buffer */
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return BUFFER_E;
+    }
+    XMEMCPY(pkcsBlock + (pkcsBlockLen - inputLen), input, inputLen);
+    pkcsBlock[idx--] = 0x01; /* PS and M separator */
+    while (psLen > 0 && idx > 0) {
+        pkcsBlock[idx--] = 0x00;
+        psLen--;
+    }
+
+    idx = idx - hLen + 1;
+    XMEMCPY(pkcsBlock + idx, lHash, hLen);
+
+    /* generate random seed */
+    if ((ret = wc_RNG_GenerateBlock(rng, seed, hLen)) != 0) {
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return ret;
+    }
+
+    /* create maskedDB from dbMask */
+    dbMask = (byte*)XMALLOC(pkcsBlockLen - hLen - 1, heap, DYNAMIC_TYPE_RSA);
+    if (dbMask == NULL) {
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return MEMORY_E;
+    }
+    XMEMSET(dbMask, 0, pkcsBlockLen - hLen - 1); /* help static analyzer */
+
+    ret = RsaMGF(mgf, seed, hLen, dbMask, pkcsBlockLen - hLen - 1, heap);
+    if (ret != 0) {
+        XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return ret;
+    }
+
+    i = 0;
+    idx = hLen + 1;
+    while (idx < pkcsBlockLen && (word32)i < (pkcsBlockLen - hLen -1)) {
+        pkcsBlock[idx] = dbMask[i++] ^ pkcsBlock[idx];
+        idx++;
+    }
+    XFREE(dbMask, heap, DYNAMIC_TYPE_RSA);
+
+
+    /* create maskedSeed from seedMask */
+    idx = 0;
+    pkcsBlock[idx++] = 0x00;
+    /* create seedMask inline */
+    if ((ret = RsaMGF(mgf, pkcsBlock + hLen + 1, pkcsBlockLen - hLen - 1,
+                                           pkcsBlock + 1, hLen, heap)) != 0) {
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+        #endif
+        return ret;
+    }
+
+    /* xor created seedMask with seed to make maskedSeed */
+    i = 0;
+    while (idx < (word32)(hLen + 1) && i < hLen) {
+        pkcsBlock[idx] = pkcsBlock[idx] ^ seed[i++];
+        idx++;
+    }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(lHash, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        XFREE(seed,  heap, DYNAMIC_TYPE_RSA_BUFFER);
+    #endif
+    (void)padValue;
+
+    return 0;
+}
+#endif /* !WC_NO_RSA_OAEP */
+
+#ifdef WC_RSA_PSS
+
+/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
+ * XOR MGF over all bytes down to end of Salt
+ * Gen Hash = HASH(8 * 0x00 | Message Hash | Salt)
+ *
+ * input         Digest of the message.
+ * inputLen      Length of digest.
+ * pkcsBlock     Buffer to write to.
+ * pkcsBlockLen  Length of buffer to write to.
+ * rng           Random number generator (for salt).
+ * htype         Hash function to use.
+ * mgf           Mask generation function.
+ * saltLen       Length of salt to put in padding.
+ * bits          Length of key in bits.
+ * heap          Used for dynamic memory allocation.
+ * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid
+ * and other negative values on error.
+ */
+static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
+        word32 pkcsBlockLen, WC_RNG* rng, enum wc_HashType hType, int mgf,
+        int saltLen, int bits, void* heap)
+{
+    int   ret = 0;
+    int   hLen, i, o, maskLen, hiBits;
+    byte* m;
+    byte* s;
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+    #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
+        byte salt[RSA_MAX_SIZE/8 + RSA_PSS_PAD_SZ];
+    #else
+        byte* salt = NULL;
+    #endif
+#else
+    byte salt[WC_MAX_DIGEST_SIZE];
+#endif
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+    if (pkcsBlockLen > RSA_MAX_SIZE/8) {
+        return MEMORY_E;
+    }
+#endif
+
+    hLen = wc_HashGetDigestSize(hType);
+    if (hLen < 0)
+        return hLen;
+
+    hiBits = (bits - 1) & 0x7;
+    if (hiBits == 0) {
+        *(pkcsBlock++) = 0;
+        pkcsBlockLen--;
+    }
+
+    if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+        saltLen = hLen;
+        #ifdef WOLFSSL_SHA512
+            /* See FIPS 186-4 section 5.5 item (e). */
+            if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE) {
+                saltLen = RSA_PSS_SALT_MAX_SZ;
+            }
+        #endif
+    }
+#ifndef WOLFSSL_PSS_LONG_SALT
+    else if (saltLen > hLen) {
+        return PSS_SALTLEN_E;
+    }
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
+        return PSS_SALTLEN_E;
+    }
+#else
+    else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+        saltLen = (int)pkcsBlockLen - hLen - 2;
+        if (saltLen < 0) {
+            return PSS_SALTLEN_E;
+        }
+    }
+    else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
+        return PSS_SALTLEN_E;
+    }
+#endif
+    if ((int)pkcsBlockLen - hLen < saltLen + 2) {
+        return PSS_SALTLEN_E;
+    }
+
+    maskLen = pkcsBlockLen - 1 - hLen;
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+        salt = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inputLen + saltLen, heap,
+                                                       DYNAMIC_TYPE_RSA_BUFFER);
+        if (salt == NULL) {
+            return MEMORY_E;
+        }
+    #endif
+    s = m = salt;
+    XMEMSET(m, 0, RSA_PSS_PAD_SZ);
+    m += RSA_PSS_PAD_SZ;
+    XMEMCPY(m, input, inputLen);
+    m += inputLen;
+    o = (int)(m - s);
+    if (saltLen > 0) {
+        ret = wc_RNG_GenerateBlock(rng, m, saltLen);
+        if (ret == 0) {
+            m += saltLen;
+        }
+    }
+#else
+    s = m = pkcsBlock;
+    XMEMSET(m, 0, RSA_PSS_PAD_SZ);
+    m += RSA_PSS_PAD_SZ;
+    XMEMCPY(m, input, inputLen);
+    m += inputLen;
+    o = 0;
+    if (saltLen > 0) {
+        ret = wc_RNG_GenerateBlock(rng, salt, saltLen);
+        if (ret == 0) {
+            XMEMCPY(m, salt, saltLen);
+            m += saltLen;
+        }
+    }
+#endif
+    if (ret == 0) {
+        /* Put Hash at end of pkcsBlock - 1 */
+        ret = wc_Hash(hType, s, (word32)(m - s), pkcsBlock + maskLen, hLen);
+    }
+    if (ret == 0) {
+        pkcsBlock[pkcsBlockLen - 1] = RSA_PSS_PAD_TERM;
+
+        ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, pkcsBlock, maskLen, heap);
+    }
+    if (ret == 0) {
+        pkcsBlock[0] &= (1 << hiBits) - 1;
+
+        m = pkcsBlock + maskLen - saltLen - 1;
+        *(m++) ^= 0x01;
+        for (i = 0; i < saltLen; i++) {
+            m[i] ^= salt[o + i];
+        }
+    }
+
+#if defined(WOLFSSL_PSS_LONG_SALT) || defined(WOLFSSL_PSS_SALT_LEN_DISCOVER)
+    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+        if (salt != NULL) {
+            XFREE(salt, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        }
+    #endif
+#endif
+    return ret;
+}
+#endif /* WC_RSA_PSS */
+#endif /* !WC_NO_RNG */
+
+static int RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
+                           word32 pkcsBlockLen, byte padValue, WC_RNG* rng)
+{
+    if (input == NULL || inputLen == 0 || pkcsBlock == NULL ||
+                                                        pkcsBlockLen == 0) {
+        return BAD_FUNC_ARG;
+    }
 
     pkcsBlock[0] = 0x0;       /* set first byte to zero and advance */
     pkcsBlock++; pkcsBlockLen--;
     pkcsBlock[0] = padValue;  /* insert padValue */
 
-    if (padValue == RSA_BLOCK_TYPE_1)
+    if (padValue == RSA_BLOCK_TYPE_1) {
+        if (pkcsBlockLen < inputLen + 2) {
+            WOLFSSL_MSG("RsaPad error, invalid length");
+            return RSA_PAD_E;
+        }
+
         /* pad with 0xff bytes */
         XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2);
+    }
     else {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WC_NO_RNG)
         /* pad with non-zero random bytes */
-        word32 padLen = pkcsBlockLen - inputLen - 1, i;
-        int    ret    = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
+        word32 padLen, i;
+        int    ret;
 
-        if (ret != 0)
+        if (pkcsBlockLen < inputLen + 1) {
+            WOLFSSL_MSG("RsaPad error, invalid length");
+            return RSA_PAD_E;
+        }
+
+        padLen = pkcsBlockLen - inputLen - 1;
+        ret    = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen);
+        if (ret != 0) {
             return ret;
+        }
 
         /* remove zeros */
-        for (i = 1; i < padLen; i++)
+        for (i = 1; i < padLen; i++) {
             if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01;
+        }
+#else
+        (void)rng;
+        return RSA_WRONG_TYPE_E;
+#endif
     }
 
     pkcsBlock[pkcsBlockLen-inputLen-1] = 0;     /* separator */
@@ -258,348 +1283,2300 @@ static int wc_RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock,
     return 0;
 }
 
+/* helper function to direct which padding is used */
+int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
+    word32 pkcsBlockLen, byte padValue, WC_RNG* rng, int padType,
+    enum wc_HashType hType, int mgf, byte* optLabel, word32 labelLen,
+    int saltLen, int bits, void* heap)
+{
+    int ret;
+
+    switch (padType)
+    {
+        case WC_RSA_PKCSV15_PAD:
+            /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 padding");*/
+            ret = RsaPad(input, inputLen, pkcsBlock, pkcsBlockLen,
+                                                                 padValue, rng);
+            break;
+
+#ifndef WC_NO_RNG
+    #ifndef WC_NO_RSA_OAEP
+        case WC_RSA_OAEP_PAD:
+            WOLFSSL_MSG("wolfSSL Using RSA OAEP padding");
+            ret = RsaPad_OAEP(input, inputLen, pkcsBlock, pkcsBlockLen,
+                           padValue, rng, hType, mgf, optLabel, labelLen, heap);
+            break;
+    #endif
+
+    #ifdef WC_RSA_PSS
+        case WC_RSA_PSS_PAD:
+            WOLFSSL_MSG("wolfSSL Using RSA PSS padding");
+            ret = RsaPad_PSS(input, inputLen, pkcsBlock, pkcsBlockLen, rng,
+                                               hType, mgf, saltLen, bits, heap);
+            break;
+    #endif
+#endif /* !WC_NO_RNG */
+
+    #ifdef WC_RSA_NO_PADDING
+        case WC_RSA_NO_PAD:
+            WOLFSSL_MSG("wolfSSL Using NO padding");
 
+            /* In the case of no padding being used check that input is exactly
+             * the RSA key length */
+            if (bits <= 0 || inputLen != ((word32)bits/WOLFSSL_BIT_SIZE)) {
+                WOLFSSL_MSG("Bad input size");
+                ret = RSA_PAD_E;
+            }
+            else {
+                XMEMCPY(pkcsBlock, input, inputLen);
+                ret = 0;
+            }
+            break;
+    #endif
+
+        default:
+            WOLFSSL_MSG("Unknown RSA Pad Type");
+            ret = RSA_PAD_E;
+    }
+
+    /* silence warning if not used with padding scheme */
+    (void)input;
+    (void)inputLen;
+    (void)pkcsBlock;
+    (void)pkcsBlockLen;
+    (void)padValue;
+    (void)rng;
+    (void)padType;
+    (void)hType;
+    (void)mgf;
+    (void)optLabel;
+    (void)labelLen;
+    (void)saltLen;
+    (void)bits;
+    (void)heap;
+
+    return ret;
+}
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+
+/* UnPadding */
+#ifndef WC_NO_RSA_OAEP
 /* UnPad plaintext, set start to *output, return length of plaintext,
  * < 0 on error */
-static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
-                       byte **output, byte padValue)
+static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
+                            byte **output, enum wc_HashType hType, int mgf,
+                            byte* optLabel, word32 labelLen, void* heap)
 {
-    word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0,
-           invalid = 0,
-           i = 1,
-           outputLen;
+    int hLen;
+    int ret;
+    byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
+    byte* tmp;
+    word32 idx;
 
-    if (pkcsBlock[0] != 0x0) /* skip past zero */
-        invalid = 1;
-    pkcsBlock++; pkcsBlockLen--;
+    /* no label is allowed, but catch if no label provided and length > 0 */
+    if (optLabel == NULL && labelLen > 0) {
+        return BUFFER_E;
+    }
+
+    hLen = wc_HashGetDigestSize(hType);
+    if ((hLen < 0) || (pkcsBlockLen < (2 * (word32)hLen + 2))) {
+        return BAD_FUNC_ARG;
+    }
+
+    tmp = (byte*)XMALLOC(pkcsBlockLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+    if (tmp == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(tmp, 0, pkcsBlockLen);
+
+    /* find seedMask value */
+    if ((ret = RsaMGF(mgf, (byte*)(pkcsBlock + (hLen + 1)),
+                            pkcsBlockLen - hLen - 1, tmp, hLen, heap)) != 0) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        return ret;
+    }
+
+    /* xor seedMask value with maskedSeed to get seed value */
+    for (idx = 0; idx < (word32)hLen; idx++) {
+        tmp[idx] = tmp[idx] ^ pkcsBlock[1 + idx];
+    }
+
+    /* get dbMask value */
+    if ((ret = RsaMGF(mgf, tmp, hLen, tmp + hLen,
+                                       pkcsBlockLen - hLen - 1, heap)) != 0) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_RSA_BUFFER);
+        return ret;
+    }
+
+    /* get DB value by doing maskedDB xor dbMask */
+    for (idx = 0; idx < (pkcsBlockLen - hLen - 1); idx++) {
+        pkcsBlock[hLen + 1 + idx] = pkcsBlock[hLen + 1 + idx] ^ tmp[idx + hLen];
+    }
+
+    /* done with use of tmp buffer */
+    XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+
+    /* advance idx to index of PS and msg separator, account for PS size of 0*/
+    idx = hLen + 1 + hLen;
+    while (idx < pkcsBlockLen && pkcsBlock[idx] == 0) {idx++;}
+
+    /* create hash of label for comparison with hash sent */
+    if ((ret = wc_Hash(hType, optLabel, labelLen, h, hLen)) != 0) {
+        return ret;
+    }
+
+    /* say no to chosen ciphertext attack.
+       Comparison of lHash, Y, and separator value needs to all happen in
+       constant time.
+       Attackers should not be able to get error condition from the timing of
+       these checks.
+     */
+    ret = 0;
+    ret |= ConstantCompare(pkcsBlock + hLen + 1, h, hLen);
+    ret += pkcsBlock[idx++] ^ 0x01; /* separator value is 0x01 */
+    ret += pkcsBlock[0]     ^ 0x00; /* Y, the first value, should be 0 */
+
+    /* Return 0 data length on error. */
+    idx = ctMaskSelInt(ctMaskEq(ret, 0), idx, pkcsBlockLen);
+
+    /* adjust pointer to correct location in array and return size of M */
+    *output = (byte*)(pkcsBlock + idx);
+    return pkcsBlockLen - idx;
+}
+#endif /* WC_NO_RSA_OAEP */
+
+#ifdef WC_RSA_PSS
+/* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
+ * MGF over all bytes down to end of Salt
+ *
+ * pkcsBlock     Buffer holding decrypted data.
+ * pkcsBlockLen  Length of buffer.
+ * htype         Hash function to use.
+ * mgf           Mask generation function.
+ * saltLen       Length of salt to put in padding.
+ * bits          Length of key in bits.
+ * heap          Used for dynamic memory allocation.
+ * returns 0 on success, PSS_SALTLEN_E when the salt length is invalid,
+ * BAD_PADDING_E when the padding is not valid, MEMORY_E when allocation fails
+ * and other negative values on error.
+ */
+static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
+                        byte **output, enum wc_HashType hType, int mgf,
+                        int saltLen, int bits, void* heap)
+{
+    int   ret;
+    byte* tmp;
+    int   hLen, i, maskLen;
+#ifdef WOLFSSL_SHA512
+    int orig_bits = bits;
+#endif
+#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
+    byte tmp_buf[RSA_MAX_SIZE/8];
+    tmp = tmp_buf;
+
+    if (pkcsBlockLen > RSA_MAX_SIZE/8) {
+        return MEMORY_E;
+    }
+#endif
+
+    hLen = wc_HashGetDigestSize(hType);
+    if (hLen < 0)
+        return hLen;
+    bits = (bits - 1) & 0x7;
+    if ((pkcsBlock[0] & (0xff << bits)) != 0) {
+        return BAD_PADDING_E;
+    }
+    if (bits == 0) {
+        pkcsBlock++;
+        pkcsBlockLen--;
+    }
+    maskLen = (int)pkcsBlockLen - 1 - hLen;
+    if (maskLen < 0) {
+        WOLFSSL_MSG("RsaUnPad_PSS: Hash too large");
+        return WC_KEY_SIZE_E;
+    }
+
+    if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+        saltLen = hLen;
+        #ifdef WOLFSSL_SHA512
+            /* See FIPS 186-4 section 5.5 item (e). */
+            if (orig_bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+                saltLen = RSA_PSS_SALT_MAX_SZ;
+        #endif
+    }
+#ifndef WOLFSSL_PSS_LONG_SALT
+    else if (saltLen > hLen)
+        return PSS_SALTLEN_E;
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT)
+        return PSS_SALTLEN_E;
+    if (maskLen < saltLen + 1) {
+        return PSS_SALTLEN_E;
+    }
+#else
+    else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER)
+        return PSS_SALTLEN_E;
+    if (saltLen != RSA_PSS_SALT_LEN_DISCOVER && maskLen < saltLen + 1) {
+        return WC_KEY_SIZE_E;
+    }
+#endif
 
-    /* Require block type padValue */
-    invalid = (pkcsBlock[0] != padValue) || invalid;
+    if (pkcsBlock[pkcsBlockLen - 1] != RSA_PSS_PAD_TERM) {
+        WOLFSSL_MSG("RsaUnPad_PSS: Padding Term Error");
+        return BAD_PADDING_E;
+    }
+
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+    tmp = (byte*)XMALLOC(maskLen, heap, DYNAMIC_TYPE_RSA_BUFFER);
+    if (tmp == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    if ((ret = RsaMGF(mgf, pkcsBlock + maskLen, hLen, tmp, maskLen,
+                                                                  heap)) != 0) {
+        XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+        return ret;
+    }
+
+    tmp[0] &= (1 << bits) - 1;
+    pkcsBlock[0] &= (1 << bits) - 1;
+#ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+        for (i = 0; i < maskLen - 1; i++) {
+            if (tmp[i] != pkcsBlock[i]) {
+                break;
+            }
+        }
+        if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
+            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
+            return PSS_SALTLEN_RECOVER_E;
+        }
+        saltLen = maskLen - (i + 1);
+    }
+    else
+#endif
+    {
+        for (i = 0; i < maskLen - 1 - saltLen; i++) {
+            if (tmp[i] != pkcsBlock[i]) {
+                XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+                WOLFSSL_MSG("RsaUnPad_PSS: Padding Error Match");
+                return PSS_SALTLEN_E;
+            }
+        }
+        if (tmp[i] != (pkcsBlock[i] ^ 0x01)) {
+            XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+            WOLFSSL_MSG("RsaUnPad_PSS: Padding Error End");
+            return PSS_SALTLEN_E;
+        }
+    }
+    for (i++; i < maskLen; i++)
+        pkcsBlock[i] ^= tmp[i];
+
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+    XFREE(tmp, heap, DYNAMIC_TYPE_RSA_BUFFER);
+#endif
+
+    *output = pkcsBlock + maskLen - saltLen;
+    return saltLen + hLen;
+}
+#endif
+
+/* UnPad plaintext, set start to *output, return length of plaintext,
+ * < 0 on error */
+static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
+                    byte **output, byte padValue)
+{
+    int    ret = BAD_FUNC_ARG;
+    word16 i;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    byte   invalid = 0;
+#endif
+
+    if (output == NULL || pkcsBlockLen == 0 || pkcsBlockLen > 0xFFFF) {
+        return BAD_FUNC_ARG;
+    }
 
-    /* verify the padding until we find the separator */
     if (padValue == RSA_BLOCK_TYPE_1) {
-        while (i<pkcsBlockLen && pkcsBlock[i++] == 0xFF) {/* Null body */}
+        /* First byte must be 0x00 and Second byte, block type, 0x01 */
+        if (pkcsBlock[0] != 0 || pkcsBlock[1] != RSA_BLOCK_TYPE_1) {
+            WOLFSSL_MSG("RsaUnPad error, invalid formatting");
+            return RSA_PAD_E;
+        }
+
+        /* check the padding until we find the separator */
+        for (i = 2; i < pkcsBlockLen && pkcsBlock[i++] == 0xFF; ) { }
+
+        /* Minimum of 11 bytes of pre-message data and must have separator. */
+        if (i < RSA_MIN_PAD_SZ || pkcsBlock[i-1] != 0) {
+            WOLFSSL_MSG("RsaUnPad error, bad formatting");
+            return RSA_PAD_E;
+        }
+
+        *output = (byte *)(pkcsBlock + i);
+        ret = pkcsBlockLen - i;
     }
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
     else {
-        while (i<pkcsBlockLen && pkcsBlock[i++]) {/* Null body */}
-    }
+        word16 j;
+        word16 pastSep = 0;
+
+        /* Decrypted with private key - unpad must be constant time. */
+        for (i = 0, j = 2; j < pkcsBlockLen; j++) {
+           /* Update i if not passed the separator and at separator. */
+            i |= (~pastSep) & ctMask16Eq(pkcsBlock[j], 0x00) & (j + 1);
+            pastSep |= ctMask16Eq(pkcsBlock[j], 0x00);
+        }
 
-    if(!(i==pkcsBlockLen || pkcsBlock[i-1]==0)) {
-        WOLFSSL_MSG("RsaUnPad error, bad formatting");
-        return RSA_PAD_E;
+        /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
+        invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
+        /* Must have seen separator. */
+        invalid |= ~pastSep;
+        /* First byte must be 0x00. */
+        invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
+        /* Check against expected block type: padValue */
+        invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
+
+        *output = (byte *)(pkcsBlock + i);
+        ret = ((int)~invalid) & (pkcsBlockLen - i);
     }
+#endif
+
+    return ret;
+}
+
+/* helper function to direct unpadding
+ *
+ * bits is the key modulus size in bits
+ */
+int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out,
+                   byte padValue, int padType, enum wc_HashType hType,
+                   int mgf, byte* optLabel, word32 labelLen, int saltLen,
+                   int bits, void* heap)
+{
+    int ret;
 
-    outputLen = pkcsBlockLen - i;
-    invalid = (outputLen > maxOutputLen) || invalid;
+    switch (padType) {
+        case WC_RSA_PKCSV15_PAD:
+            /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/
+            ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue);
+            break;
+
+    #ifndef WC_NO_RSA_OAEP
+        case WC_RSA_OAEP_PAD:
+            WOLFSSL_MSG("wolfSSL Using RSA OAEP un-padding");
+            ret = RsaUnPad_OAEP((byte*)pkcsBlock, pkcsBlockLen, out,
+                                        hType, mgf, optLabel, labelLen, heap);
+            break;
+    #endif
+
+    #ifdef WC_RSA_PSS
+        case WC_RSA_PSS_PAD:
+            WOLFSSL_MSG("wolfSSL Using RSA PSS un-padding");
+            ret = RsaUnPad_PSS((byte*)pkcsBlock, pkcsBlockLen, out, hType, mgf,
+                                                           saltLen, bits, heap);
+            break;
+    #endif
+
+    #ifdef WC_RSA_NO_PADDING
+        case WC_RSA_NO_PAD:
+            WOLFSSL_MSG("wolfSSL Using NO un-padding");
+
+            /* In the case of no padding being used check that input is exactly
+             * the RSA key length */
+            if (bits <= 0 || pkcsBlockLen !=
+                         ((word32)(bits+WOLFSSL_BIT_SIZE-1)/WOLFSSL_BIT_SIZE)) {
+                WOLFSSL_MSG("Bad input size");
+                ret = RSA_PAD_E;
+            }
+            else {
+                if (out != NULL) {
+                    *out = pkcsBlock;
+                }
+                ret = pkcsBlockLen;
+            }
+            break;
+    #endif /* WC_RSA_NO_PADDING */
 
-    if (invalid) {
-        WOLFSSL_MSG("RsaUnPad error, bad formatting");
-        return RSA_PAD_E;
+        default:
+            WOLFSSL_MSG("Unknown RSA UnPad Type");
+            ret = RSA_PAD_E;
     }
 
-    *output = (byte *)(pkcsBlock + i);
-    return outputLen;
+    /* silence warning if not used with padding scheme */
+    (void)hType;
+    (void)mgf;
+    (void)optLabel;
+    (void)labelLen;
+    (void)saltLen;
+    (void)bits;
+    (void)heap;
+
+    return ret;
 }
 
+#if defined(WOLFSSL_XILINX_CRYPT)
+/*
+ * Xilinx hardened crypto acceleration.
+ *
+ * Returns 0 on success and negative values on error.
+ */
+static int wc_RsaFunctionXil(const byte* in, word32 inLen, byte* out,
+                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+    int    ret = 0;
+    word32 keyLen;
+    (void)rng;
+
+    keyLen = wc_RsaEncryptSize(key);
+    if (keyLen > *outLen) {
+        WOLFSSL_MSG("Output buffer is not big enough");
+        return BAD_FUNC_ARG;
+    }
+
+    if (inLen != keyLen) {
+        WOLFSSL_MSG("Expected that inLen equals RSA key length");
+        return BAD_FUNC_ARG;
+    }
 
-static int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
+    switch(type) {
+    case RSA_PRIVATE_DECRYPT:
+    case RSA_PRIVATE_ENCRYPT:
+        /* Currently public exponent is loaded by default.
+         * In SDK 2017.1 RSA exponent values are expected to be of 4 bytes
+         * leading to private key operations with Xsecure_RsaDecrypt not being
+         * supported */
+        ret = RSA_WRONG_TYPE_E;
+        break;
+    case RSA_PUBLIC_ENCRYPT:
+    case RSA_PUBLIC_DECRYPT:
+        if (XSecure_RsaDecrypt(&(key->xRsa), in, out) != XST_SUCCESS) {
+            ret = BAD_STATE_E;
+        }
+        break;
+    default:
+        ret = RSA_WRONG_TYPE_E;
+    }
+
+    *outLen = keyLen;
+
+    return ret;
+}
+#endif /* WOLFSSL_XILINX_CRYPT */
+
+#ifdef WC_RSA_NONBLOCK
+static int wc_RsaFunctionNonBlock(const byte* in, word32 inLen, byte* out,
                           word32* outLen, int type, RsaKey* key)
 {
-    #define ERROR_OUT(x) { ret = (x); goto done;}
-
-    mp_int tmp;
     int    ret = 0;
     word32 keyLen, len;
 
-    if (mp_init(&tmp) != MP_OKAY)
-        return MP_INIT_E;
+    if (key == NULL || key->nb == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (key->nb->exptmod.state == TFM_EXPTMOD_NB_INIT) {
+        if (mp_init(&key->nb->tmp) != MP_OKAY) {
+            ret = MP_INIT_E;
+        }
 
-    if (mp_read_unsigned_bin(&tmp, (byte*)in, inLen) != MP_OKAY)
-        ERROR_OUT(MP_READ_E);
+        if (ret == 0) {
+            if (mp_read_unsigned_bin(&key->nb->tmp, (byte*)in, inLen) != MP_OKAY) {
+                ret = MP_READ_E;
+            }
+        }
+    }
 
-    if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
-        #ifdef RSA_LOW_MEM      /* half as much memory but twice as slow */
-            if (mp_exptmod(&tmp, &key->d, &key->n, &tmp) != MP_OKAY)
-                ERROR_OUT(MP_EXPTMOD_E);
-        #else
-            #define INNER_ERROR_OUT(x) { ret = (x); goto inner_done; }
+    if (ret == 0) {
+        switch(type) {
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+            ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->d,
+                &key->n, &key->nb->tmp);
+            if (ret == FP_WOULDBLOCK)
+                return ret;
+            if (ret != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+            break;
+
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+            ret = fp_exptmod_nb(&key->nb->exptmod, &key->nb->tmp, &key->e,
+                &key->n, &key->nb->tmp);
+            if (ret == FP_WOULDBLOCK)
+                return ret;
+            if (ret != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+            break;
+        default:
+            ret = RSA_WRONG_TYPE_E;
+            break;
+        }
+    }
 
-            mp_int tmpa, tmpb;
+    if (ret == 0) {
+        keyLen = wc_RsaEncryptSize(key);
+        if (keyLen > *outLen)
+            ret = RSA_BUFFER_E;
+    }
+    if (ret == 0) {
+        len = mp_unsigned_bin_size(&key->nb->tmp);
 
-            if (mp_init(&tmpa) != MP_OKAY)
-                ERROR_OUT(MP_INIT_E);
+        /* pad front w/ zeros to match key length */
+        while (len < keyLen) {
+            *out++ = 0x00;
+            len++;
+        }
 
-            if (mp_init(&tmpb) != MP_OKAY) {
-                mp_clear(&tmpa);
-                ERROR_OUT(MP_INIT_E);
-            }
+        *outLen = keyLen;
 
-            /* tmpa = tmp^dP mod p */
-            if (mp_exptmod(&tmp, &key->dP, &key->p, &tmpa) != MP_OKAY)
-                INNER_ERROR_OUT(MP_EXPTMOD_E);
+        /* convert */
+        if (mp_to_unsigned_bin(&key->nb->tmp, out) != MP_OKAY) {
+             ret = MP_TO_E;
+        }
+    }
 
-            /* tmpb = tmp^dQ mod q */
-            if (mp_exptmod(&tmp, &key->dQ, &key->q, &tmpb) != MP_OKAY)
-                INNER_ERROR_OUT(MP_EXPTMOD_E);
+    mp_clear(&key->nb->tmp);
 
-            /* tmp = (tmpa - tmpb) * qInv (mod p) */
-            if (mp_sub(&tmpa, &tmpb, &tmp) != MP_OKAY)
-                INNER_ERROR_OUT(MP_SUB_E);
+    return ret;
+}
+#endif /* WC_RSA_NONBLOCK */
 
-            if (mp_mulmod(&tmp, &key->u, &key->p, &tmp) != MP_OKAY)
-                INNER_ERROR_OUT(MP_MULMOD_E);
+#ifdef WOLFSSL_AFALG_XILINX_RSA
+#ifndef ERROR_OUT
+#define ERROR_OUT(x) ret = (x); goto done
+#endif
 
-            /* tmp = tmpb + q * tmp */
-            if (mp_mul(&tmp, &key->q, &tmp) != MP_OKAY)
-                INNER_ERROR_OUT(MP_MUL_E);
+static const char WC_TYPE_ASYMKEY[] = "skcipher";
+static const char WC_NAME_RSA[] = "xilinx-zynqmp-rsa";
+#ifndef MAX_XILINX_RSA_KEY
+    /* max key size of 4096 bits / 512 bytes */
+    #define MAX_XILINX_RSA_KEY 512
+#endif
+static const byte XILINX_RSA_FLAG[] = {0x1};
 
-            if (mp_add(&tmp, &tmpb, &tmp) != MP_OKAY)
-                INNER_ERROR_OUT(MP_ADD_E);
 
-        inner_done:
-            mp_clear(&tmpa);
-            mp_clear(&tmpb);
+/* AF_ALG implementation of RSA */
+static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
+                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+    struct msghdr   msg;
+    struct cmsghdr* cmsg;
+    struct iovec      iov;
+    byte*  keyBuf   = NULL;
+    word32 keyBufSz = 0;
+    char cbuf[CMSG_SPACE(4) + CMSG_SPACE(sizeof(struct af_alg_iv) + 1)] = {0};
+    int    ret = 0;
+    int    op  = 0;    /* decryption vs encryption flag */
+    word32 keyLen;
 
-            if (ret != 0) return ret;
+    /* input and output buffer need to be aligned */
+    ALIGN64 byte outBuf[MAX_XILINX_RSA_KEY];
+    ALIGN64 byte inBuf[MAX_XILINX_RSA_KEY];
 
-        #endif   /* RSA_LOW_MEM */
+    XMEMSET(&msg, 0, sizeof(struct msghdr));
+    (void)rng;
+
+    keyLen = wc_RsaEncryptSize(key);
+    if (keyLen > *outLen) {
+        ERROR_OUT(RSA_BUFFER_E);
+    }
+
+    if (keyLen > MAX_XILINX_RSA_KEY) {
+        WOLFSSL_MSG("RSA key size larger than supported");
+        ERROR_OUT(BAD_FUNC_ARG);
     }
-    else if (type == RSA_PUBLIC_ENCRYPT || type == RSA_PUBLIC_DECRYPT) {
-        if (mp_exptmod(&tmp, &key->e, &key->n, &tmp) != MP_OKAY)
-            ERROR_OUT(MP_EXPTMOD_E);
+
+    if ((keyBuf = (byte*)XMALLOC(keyLen * 2, key->heap, DYNAMIC_TYPE_KEY))
+            == NULL) {
+        ERROR_OUT(MEMORY_E);
     }
-    else
-        ERROR_OUT(RSA_WRONG_TYPE_E);
 
-    keyLen = mp_unsigned_bin_size(&key->n);
-    if (keyLen > *outLen)
-        ERROR_OUT(RSA_BUFFER_E);
+    if ((ret = mp_to_unsigned_bin(&(key->n), keyBuf)) != MP_OKAY) {
+        ERROR_OUT(MP_TO_E);
+    }
 
-    len = mp_unsigned_bin_size(&tmp);
+    switch(type) {
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+            op = 1; /* set as decrypt */
+            {
+                keyBufSz = mp_unsigned_bin_size(&(key->d));
+                if ((mp_to_unsigned_bin(&(key->d), keyBuf + keyLen))
+                        != MP_OKAY) {
+                    ERROR_OUT(MP_TO_E);
+                }
+            }
+            break;
+
+        case RSA_PUBLIC_DECRYPT:
+        case RSA_PUBLIC_ENCRYPT: {
+            word32 exp = 0;
+            word32 eSz = mp_unsigned_bin_size(&(key->e));
+            if ((mp_to_unsigned_bin(&(key->e), (byte*)&exp +
+                            (sizeof(word32) - eSz))) != MP_OKAY) {
+                ERROR_OUT(MP_TO_E);
+            }
+            keyBufSz = sizeof(word32);
+            XMEMCPY(keyBuf + keyLen, (byte*)&exp, keyBufSz);
+            break;
+        }
 
-    /* pad front w/ zeros to match key length */
-    while (len < keyLen) {
-        *out++ = 0x00;
-        len++;
+        default:
+            ERROR_OUT(RSA_WRONG_TYPE_E);
     }
+    keyBufSz += keyLen; /* add size of modulus */
 
-    *outLen = keyLen;
+    /* check for existing sockets before creating new ones */
+    if (key->alFd > 0) {
+        close(key->alFd);
+        key->alFd = WC_SOCK_NOTSET;
+    }
+    if (key->rdFd > 0) {
+        close(key->rdFd);
+        key->rdFd = WC_SOCK_NOTSET;
+    }
 
-    /* convert */
-    if (mp_to_unsigned_bin(&tmp, out) != MP_OKAY)
-        ERROR_OUT(MP_TO_E);
+    /* create new sockets and set the key to use */
+    if ((key->alFd = wc_Afalg_Socket()) < 0) {
+        WOLFSSL_MSG("Unable to create socket");
+        ERROR_OUT(key->alFd);
+    }
+    if ((key->rdFd = wc_Afalg_CreateRead(key->alFd, WC_TYPE_ASYMKEY,
+                    WC_NAME_RSA)) < 0) {
+        WOLFSSL_MSG("Unable to bind and create read/send socket");
+        ERROR_OUT(key->rdFd);
+    }
+    if ((ret = setsockopt(key->alFd, SOL_ALG, ALG_SET_KEY, keyBuf,
+                    keyBufSz)) < 0) {
+        WOLFSSL_MSG("Error setting RSA key");
+        ERROR_OUT(ret);
+    }
+
+    msg.msg_control    = cbuf;
+    msg.msg_controllen = sizeof(cbuf);
+    cmsg = CMSG_FIRSTHDR(&msg);
+    if ((ret = wc_Afalg_SetOp(cmsg, op)) < 0) {
+        ERROR_OUT(ret);
+    }
+
+    /* set flag in IV spot, needed for Xilinx hardware acceleration use */
+    cmsg = CMSG_NXTHDR(&msg, cmsg);
+    if ((ret = wc_Afalg_SetIv(cmsg, (byte*)XILINX_RSA_FLAG,
+                    sizeof(XILINX_RSA_FLAG))) != 0) {
+        ERROR_OUT(ret);
+    }
+
+    /* compose and send msg */
+    XMEMCPY(inBuf, (byte*)in, inLen); /* for alignment */
+    iov.iov_base = inBuf;
+    iov.iov_len  = inLen;
+    msg.msg_iov  = &iov;
+    msg.msg_iovlen = 1;
+    if ((ret = sendmsg(key->rdFd, &msg, 0)) <= 0) {
+        ERROR_OUT(WC_AFALG_SOCK_E);
+    }
+
+    if ((ret = read(key->rdFd, outBuf, inLen)) <= 0) {
+        ERROR_OUT(WC_AFALG_SOCK_E);
+    }
+    XMEMCPY(out, outBuf, ret);
+    *outLen = keyLen;
 
 done:
-    mp_clear(&tmp);
-    if (ret == MP_EXPTMOD_E) {
-        WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
+    /* clear key data and free buffer */
+    if (keyBuf != NULL) {
+        ForceZero(keyBuf, keyBufSz);
     }
+    XFREE(keyBuf, key->heap, DYNAMIC_TYPE_KEY);
+
+    if (key->alFd > 0) {
+        close(key->alFd);
+        key->alFd = WC_SOCK_NOTSET;
+    }
+    if (key->rdFd > 0) {
+        close(key->rdFd);
+        key->rdFd = WC_SOCK_NOTSET;
+    }
+
     return ret;
 }
 
-
-int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
-                     RsaKey* key, RNG* rng)
+#else
+static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
+                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
 {
-    int sz, ret;
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_SMALL_STACK
+    mp_int* tmp;
+#ifdef WC_RSA_BLINDING
+    mp_int* rnd;
+    mp_int* rndi;
+#endif
+#else
+    mp_int tmp[1];
+#ifdef WC_RSA_BLINDING
+    mp_int rnd[1], rndi[1];
+#endif
+#endif
+    int    ret = 0;
+    word32 keyLen = 0;
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+#ifndef WOLFSSL_SP_NO_2048
+    if (mp_count_bits(&key->n) == 2048) {
+        switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+    #ifdef WC_RSA_BLINDING
+            if (rng == NULL)
+                return MISSING_RNG_E;
+    #endif
+    #ifndef RSA_LOW_MEM
+            return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
+                                      &key->dP, &key->dQ, &key->u, &key->n,
+                                      out, outLen);
+    #else
+            return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q,
+                                      NULL, NULL, NULL, &key->n, out, outLen);
+    #endif
+#endif
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+            return sp_RsaPublic_2048(in, inLen, &key->e, &key->n, out, outLen);
+        }
+    }
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+    if (mp_count_bits(&key->n) == 3072) {
+        switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+    #ifdef WC_RSA_BLINDING
+            if (rng == NULL)
+                return MISSING_RNG_E;
+    #endif
+    #ifndef RSA_LOW_MEM
+            return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
+                                      &key->dP, &key->dQ, &key->u, &key->n,
+                                      out, outLen);
+    #else
+            return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q,
+                                      NULL, NULL, NULL, &key->n, out, outLen);
+    #endif
+#endif
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+            return sp_RsaPublic_3072(in, inLen, &key->e, &key->n, out, outLen);
+        }
+    }
+#endif
+#ifdef WOLFSSL_SP_4096
+    if (mp_count_bits(&key->n) == 4096) {
+        switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+    #ifdef WC_RSA_BLINDING
+            if (rng == NULL)
+                return MISSING_RNG_E;
+    #endif
+    #ifndef RSA_LOW_MEM
+            return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
+                                      &key->dP, &key->dQ, &key->u, &key->n,
+                                      out, outLen);
+    #else
+            return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q,
+                                      NULL, NULL, NULL, &key->n, out, outLen);
+    #endif
+#endif
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+            return sp_RsaPublic_4096(in, inLen, &key->e, &key->n, out, outLen);
+        }
+    }
+#endif
+#endif /* WOLFSSL_HAVE_SP_RSA */
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return CaviumRsaPublicEncrypt(in, inLen, out, outLen, key);
+#ifdef WOLFSSL_SP_MATH
+    (void)rng;
+    WOLFSSL_MSG("SP Key Size Error");
+    return WC_KEY_SIZE_E;
+#else
+    (void)rng;
+
+#ifdef WOLFSSL_SMALL_STACK
+    tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
+    if (tmp == NULL)
+        return MEMORY_E;
+#ifdef WC_RSA_BLINDING
+    rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
+    if (rnd == NULL) {
+        XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+        return MEMORY_E;
+    }
+    rndi = rnd + 1;
+#endif /* WC_RSA_BLINDING */
+#endif /* WOLFSSL_SMALL_STACK */
+
+    if (mp_init(tmp) != MP_OKAY)
+        ret = MP_INIT_E;
+
+#ifdef WC_RSA_BLINDING
+    if (ret == 0) {
+        if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
+            if (mp_init_multi(rnd, rndi, NULL, NULL, NULL, NULL) != MP_OKAY) {
+                mp_clear(tmp);
+                ret = MP_INIT_E;
+            }
+        }
+    }
 #endif
 
-    sz = mp_unsigned_bin_size(&key->n);
-    if (sz > (int)outLen)
-        return RSA_BUFFER_E;
+#ifndef TEST_UNPAD_CONSTANT_TIME
+    if (ret == 0 && mp_read_unsigned_bin(tmp, (byte*)in, inLen) != MP_OKAY)
+        ret = MP_READ_E;
+
+    if (ret == 0) {
+        switch(type) {
+    #ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        case RSA_PRIVATE_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+        {
+        #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG)
+            /* blind */
+            ret = mp_rand(rnd, get_digit_count(&key->n), rng);
+
+            /* rndi = 1/rnd mod n */
+            if (ret == 0 && mp_invmod(rnd, &key->n, rndi) != MP_OKAY)
+                ret = MP_INVMOD_E;
+
+            /* rnd = rnd^e */
+            if (ret == 0 && mp_exptmod(rnd, &key->e, &key->n, rnd) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+
+            /* tmp = tmp*rnd mod n */
+            if (ret == 0 && mp_mulmod(tmp, rnd, &key->n, tmp) != MP_OKAY)
+                ret = MP_MULMOD_E;
+        #endif /* WC_RSA_BLINDING && !WC_NO_RNG */
 
-    if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
-        return RSA_BUFFER_E;
+        #ifdef RSA_LOW_MEM      /* half as much memory but twice as slow */
+            if (ret == 0 && mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+        #else
+            if (ret == 0) {
+            #ifdef WOLFSSL_SMALL_STACK
+                mp_int* tmpa;
+                mp_int* tmpb = NULL;
+            #else
+                mp_int tmpa[1], tmpb[1];
+            #endif
+                int cleara = 0, clearb = 0;
+
+            #ifdef WOLFSSL_SMALL_STACK
+                tmpa = (mp_int*)XMALLOC(sizeof(mp_int) * 2,
+                        key->heap, DYNAMIC_TYPE_RSA);
+                if (tmpa != NULL)
+                    tmpb = tmpa + 1;
+                else
+                    ret = MEMORY_E;
+            #endif
+
+                if (ret == 0) {
+                    if (mp_init(tmpa) != MP_OKAY)
+                        ret = MP_INIT_E;
+                    else
+                        cleara = 1;
+                }
+
+                if (ret == 0) {
+                    if (mp_init(tmpb) != MP_OKAY)
+                        ret = MP_INIT_E;
+                    else
+                        clearb = 1;
+                }
+
+                /* tmpa = tmp^dP mod p */
+                if (ret == 0 && mp_exptmod(tmp, &key->dP, &key->p,
+                                                               tmpa) != MP_OKAY)
+                    ret = MP_EXPTMOD_E;
+
+                /* tmpb = tmp^dQ mod q */
+                if (ret == 0 && mp_exptmod(tmp, &key->dQ, &key->q,
+                                                               tmpb) != MP_OKAY)
+                    ret = MP_EXPTMOD_E;
+
+                /* tmp = (tmpa - tmpb) * qInv (mod p) */
+                if (ret == 0 && mp_sub(tmpa, tmpb, tmp) != MP_OKAY)
+                    ret = MP_SUB_E;
+
+                if (ret == 0 && mp_mulmod(tmp, &key->u, &key->p,
+                                                                tmp) != MP_OKAY)
+                    ret = MP_MULMOD_E;
+
+                /* tmp = tmpb + q * tmp */
+                if (ret == 0 && mp_mul(tmp, &key->q, tmp) != MP_OKAY)
+                    ret = MP_MUL_E;
+
+                if (ret == 0 && mp_add(tmp, tmpb, tmp) != MP_OKAY)
+                    ret = MP_ADD_E;
+
+            #ifdef WOLFSSL_SMALL_STACK
+                if (tmpa != NULL)
+            #endif
+                {
+                    if (cleara)
+                        mp_clear(tmpa);
+                    if (clearb)
+                        mp_clear(tmpb);
+            #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(tmpa, key->heap, DYNAMIC_TYPE_RSA);
+            #endif
+                }
+            } /* tmpa/b scope */
+        #endif   /* RSA_LOW_MEM */
 
-    ret = wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_2, rng);
-    if (ret != 0)
-        return ret;
+        #ifdef WC_RSA_BLINDING
+            /* unblind */
+            if (ret == 0 && mp_mulmod(tmp, rndi, &key->n, tmp) != MP_OKAY)
+                ret = MP_MULMOD_E;
+        #endif   /* WC_RSA_BLINDING */
+
+            break;
+        }
+    #endif
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+        #ifdef WOLFSSL_XILINX_CRYPT
+            ret = wc_RsaFunctionXil(in, inLen, out, outLen, type, key, rng);
+        #else
+            if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY)
+                ret = MP_EXPTMOD_E;
+        #endif
+            break;
+        default:
+            ret = RSA_WRONG_TYPE_E;
+            break;
+        }
+    }
 
-    if ((ret = wc_RsaFunction(out, sz, out, &outLen,
-                              RSA_PUBLIC_ENCRYPT, key)) < 0)
-        sz = ret;
+    if (ret == 0) {
+        keyLen = wc_RsaEncryptSize(key);
+        if (keyLen > *outLen)
+            ret = RSA_BUFFER_E;
+    }
+    if (ret == 0) {
+        *outLen = keyLen;
+        if (mp_to_unsigned_bin_len(tmp, out, keyLen) != MP_OKAY)
+             ret = MP_TO_E;
+    }
+#else
+    (void)type;
+    (void)key;
+    (void)keyLen;
+    XMEMCPY(out, in, inLen);
+    *outLen = inLen;
+#endif
 
-    return sz;
+    mp_clear(tmp);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+#ifdef WC_RSA_BLINDING
+    if (type == RSA_PRIVATE_DECRYPT || type == RSA_PRIVATE_ENCRYPT) {
+        mp_clear(rndi);
+        mp_clear(rnd);
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(rnd, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+#endif /* WC_RSA_BLINDING */
+    return ret;
+#endif /* WOLFSSL_SP_MATH */
 }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+static int wc_RsaFunctionAsync(const byte* in, word32 inLen, byte* out,
+                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+    int ret = 0;
+
+    (void)rng;
+
+#ifdef WOLFSSL_ASYNC_CRYPT_TEST
+    if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_FUNC)) {
+        WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+        testDev->rsaFunc.in = in;
+        testDev->rsaFunc.inSz = inLen;
+        testDev->rsaFunc.out = out;
+        testDev->rsaFunc.outSz = outLen;
+        testDev->rsaFunc.type = type;
+        testDev->rsaFunc.key = key;
+        testDev->rsaFunc.rng = rng;
+        return WC_PENDING_E;
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT_TEST */
+
+    switch(type) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    case RSA_PRIVATE_DECRYPT:
+    case RSA_PRIVATE_ENCRYPT:
+    #ifdef HAVE_CAVIUM
+        key->dataLen = key->n.raw.len;
+        ret = NitroxRsaExptMod(in, inLen,
+                               key->d.raw.buf, key->d.raw.len,
+                               key->n.raw.buf, key->n.raw.len,
+                               out, outLen, key);
+    #elif defined(HAVE_INTEL_QA)
+        #ifdef RSA_LOW_MEM
+            ret = IntelQaRsaPrivate(&key->asyncDev, in, inLen,
+                                    &key->d.raw, &key->n.raw,
+                                    out, outLen);
+        #else
+            ret = IntelQaRsaCrtPrivate(&key->asyncDev, in, inLen,
+                                &key->p.raw, &key->q.raw,
+                                &key->dP.raw, &key->dQ.raw,
+                                &key->u.raw,
+                                out, outLen);
+        #endif
+    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+    #endif
+        break;
+#endif
 
+    case RSA_PUBLIC_ENCRYPT:
+    case RSA_PUBLIC_DECRYPT:
+    #ifdef HAVE_CAVIUM
+        key->dataLen = key->n.raw.len;
+        ret = NitroxRsaExptMod(in, inLen,
+                               key->e.raw.buf, key->e.raw.len,
+                               key->n.raw.buf, key->n.raw.len,
+                               out, outLen, key);
+    #elif defined(HAVE_INTEL_QA)
+        ret = IntelQaRsaPublic(&key->asyncDev, in, inLen,
+                               &key->e.raw, &key->n.raw,
+                               out, outLen);
+    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
+        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+    #endif
+        break;
 
-int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+    default:
+        ret = RSA_WRONG_TYPE_E;
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_RSA */
+
+#if defined(WC_RSA_DIRECT) || defined(WC_RSA_NO_PADDING)
+/* Function that does the RSA operation directly with no padding.
+ *
+ * in       buffer to do operation on
+ * inLen    length of input buffer
+ * out      buffer to hold results
+ * outSz    gets set to size of result buffer. Should be passed in as length
+ *          of out buffer. If the pointer "out" is null then outSz gets set to
+ *          the expected buffer size needed and LENGTH_ONLY_E gets returned.
+ * key      RSA key to use for encrypt/decrypt
+ * type     if using private or public key {RSA_PUBLIC_ENCRYPT,
+ *          RSA_PUBLIC_DECRYPT, RSA_PRIVATE_ENCRYPT, RSA_PRIVATE_DECRYPT}
+ * rng      wolfSSL RNG to use if needed
+ *
+ * returns size of result on success
+ */
+int wc_RsaDirect(byte* in, word32 inLen, byte* out, word32* outSz,
+        RsaKey* key, int type, WC_RNG* rng)
 {
     int ret;
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) {
-        ret = CaviumRsaPrivateDecrypt(in, inLen, in, inLen, key);
-        if (ret > 0)
-            *out = in;
-        return ret;
+    if (in == NULL || outSz == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
     }
-#endif
 
-    if ((ret = wc_RsaFunction(in, inLen, in, &inLen, RSA_PRIVATE_DECRYPT, key))
-            < 0) {
+    /* sanity check on type of RSA operation */
+    switch (type) {
+        case RSA_PUBLIC_ENCRYPT:
+        case RSA_PUBLIC_DECRYPT:
+        case RSA_PRIVATE_ENCRYPT:
+        case RSA_PRIVATE_DECRYPT:
+            break;
+        default:
+            WOLFSSL_MSG("Bad RSA type");
+            return BAD_FUNC_ARG;
+    }
+
+    if ((ret = wc_RsaEncryptSize(key)) < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (inLen != (word32)ret) {
+        WOLFSSL_MSG("Bad input length. Should be RSA key size");
+        return BAD_FUNC_ARG;
+    }
+
+    if (out == NULL) {
+        *outSz = inLen;
+        return LENGTH_ONLY_E;
+    }
+
+    switch (key->state) {
+        case RSA_STATE_NONE:
+        case RSA_STATE_ENCRYPT_PAD:
+        case RSA_STATE_ENCRYPT_EXPTMOD:
+        case RSA_STATE_DECRYPT_EXPTMOD:
+        case RSA_STATE_DECRYPT_UNPAD:
+            key->state = (type == RSA_PRIVATE_ENCRYPT ||
+                    type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_EXPTMOD:
+                                                  RSA_STATE_DECRYPT_EXPTMOD;
+
+            key->dataLen = *outSz;
+
+            ret = wc_RsaFunction(in, inLen, out, &key->dataLen, type, key, rng);
+            if (ret >= 0 || ret == WC_PENDING_E) {
+                key->state = (type == RSA_PRIVATE_ENCRYPT ||
+                    type == RSA_PUBLIC_ENCRYPT) ? RSA_STATE_ENCRYPT_RES:
+                                                  RSA_STATE_DECRYPT_RES;
+            }
+            if (ret < 0) {
+                break;
+            }
+
+            FALL_THROUGH;
+
+        case RSA_STATE_ENCRYPT_RES:
+        case RSA_STATE_DECRYPT_RES:
+            ret = key->dataLen;
+            break;
+
+        default:
+            ret = BAD_STATE_E;
+    }
+
+    /* if async pending then skip cleanup*/
+    if (ret == WC_PENDING_E
+    #ifdef WC_RSA_NONBLOCK
+        || ret == FP_WOULDBLOCK
+    #endif
+    ) {
         return ret;
     }
- 
-    return RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_2);
+
+    key->state = RSA_STATE_NONE;
+    wc_RsaCleanup(key);
+
+    return ret;
 }
+#endif /* WC_RSA_DIRECT || WC_RSA_NO_PADDING */
 
+#if defined(WOLFSSL_CRYPTOCELL)
+static int cc310_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
+                            word32 outLen, RsaKey* key)
+{
+    CRYSError_t ret = 0;
+    CRYS_RSAPrimeData_t primeData;
+    int modulusSize = wc_RsaEncryptSize(key);
 
-int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
-                     RsaKey* key)
+    /* The out buffer must be at least modulus size bytes long. */
+    if (outLen < modulusSize)
+        return BAD_FUNC_ARG;
+
+    ret = CRYS_RSA_PKCS1v15_Encrypt(&wc_rndState,
+                                    wc_rndGenVectFunc,
+                                    &key->ctx.pubKey,
+                                    &primeData,
+                                    (byte*)in,
+                                    inLen,
+                                    out);
+
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Encrypt failed");
+        return -1;
+    }
+
+    return modulusSize;
+}
+static int cc310_RsaPublicDecrypt(const byte* in, word32 inLen, byte* out,
+                            word32 outLen, RsaKey* key)
 {
-    int plainLen;
-    byte*  tmp;
-    byte*  pad = 0;
+    CRYSError_t ret = 0;
+    CRYS_RSAPrimeData_t primeData;
+    uint16_t actualOutLen = outLen;
+
+    ret = CRYS_RSA_PKCS1v15_Decrypt(&key->ctx.privKey,
+                                    &primeData,
+                                    (byte*)in,
+                                    inLen,
+                                    out,
+                                    &actualOutLen);
+
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Decrypt failed");
+        return -1;
+    }
+    return actualOutLen;
+}
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return CaviumRsaPrivateDecrypt(in, inLen, out, outLen, key);
-#endif
+int cc310_RsaSSL_Sign(const byte* in, word32 inLen, byte* out,
+                  word32 outLen, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
+{
+    CRYSError_t ret = 0;
+    uint16_t actualOutLen = outLen*sizeof(byte);
+    CRYS_RSAPrivUserContext_t  contextPrivate;
+
+    ret =  CRYS_RSA_PKCS1v15_Sign(&wc_rndState,
+                wc_rndGenVectFunc,
+                &contextPrivate,
+                &key->ctx.privKey,
+                mode,
+                (byte*)in,
+                inLen,
+                out,
+                &actualOutLen);
+
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Sign failed");
+        return -1;
+    }
+    return actualOutLen;
+}
 
-    tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
-    if (tmp == NULL) {
-        return MEMORY_E;
+int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig,
+                               RsaKey* key, CRYS_RSA_HASH_OpMode_t mode)
+{
+    CRYSError_t ret = 0;
+    CRYS_RSAPubUserContext_t contextPub;
+
+    /* verify the signature in the sig pointer */
+    ret =  CRYS_RSA_PKCS1v15_Verify(&contextPub,
+                &key->ctx.pubKey,
+                mode,
+                (byte*)in,
+                inLen,
+                sig);
+
+    if (ret != SA_SILIB_RET_OK){
+        WOLFSSL_MSG("CRYS_RSA_PKCS1v15_Verify failed");
+        return -1;
     }
 
-    XMEMCPY(tmp, in, inLen);
+    return ret;
+}
+#endif /* WOLFSSL_CRYPTOCELL */
 
-    if ( (plainLen = wc_RsaPrivateDecryptInline(tmp, inLen, &pad, key) ) < 0) {
-        XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
-        return plainLen;
+int wc_RsaFunction(const byte* in, word32 inLen, byte* out,
+                          word32* outLen, int type, RsaKey* key, WC_RNG* rng)
+{
+    int ret = 0;
+
+    if (key == NULL || in == NULL || inLen == 0 || out == NULL ||
+            outLen == NULL || *outLen == 0 || type == RSA_TYPE_UNKNOWN) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (key->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_Rsa(in, inLen, out, outLen, type, key, rng);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+        ret = 0; /* reset error code and try using software */
+    }
+#endif
+
+#ifndef TEST_UNPAD_CONSTANT_TIME
+#ifndef NO_RSA_BOUNDS_CHECK
+    if (type == RSA_PRIVATE_DECRYPT &&
+        key->state == RSA_STATE_DECRYPT_EXPTMOD) {
+
+        /* Check that 1 < in < n-1. (Requirement of 800-56B.) */
+#ifdef WOLFSSL_SMALL_STACK
+        mp_int* c;
+#else
+        mp_int c[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+        c = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
+        if (c == NULL)
+            ret = MEMORY_E;
+#endif
+
+        if (mp_init(c) != MP_OKAY)
+            ret = MEMORY_E;
+        if (ret == 0) {
+            if (mp_read_unsigned_bin(c, in, inLen) != 0)
+                ret = MP_READ_E;
+        }
+        if (ret == 0) {
+            /* check c > 1 */
+            if (mp_cmp_d(c, 1) != MP_GT)
+                ret = RSA_OUT_OF_RANGE_E;
+        }
+        if (ret == 0) {
+            /* add c+1 */
+            if (mp_add_d(c, 1, c) != MP_OKAY)
+                ret = MP_ADD_E;
+        }
+        if (ret == 0) {
+            /* check c+1 < n */
+            if (mp_cmp(c, &key->n) != MP_LT)
+                ret = RSA_OUT_OF_RANGE_E;
+        }
+        mp_clear(c);
+
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(c, key->heap, DYNAMIC_TYPE_RSA);
+#endif
+
+        if (ret != 0)
+            return ret;
+    }
+#endif /* NO_RSA_BOUNDS_CHECK */
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+                                                        key->n.raw.len > 0) {
+        ret = wc_RsaFunctionAsync(in, inLen, out, outLen, type, key, rng);
+    }
+    else
+#endif
+#ifdef WC_RSA_NONBLOCK
+    if (key->nb) {
+        ret = wc_RsaFunctionNonBlock(in, inLen, out, outLen, type, key);
     }
-    if (plainLen > (int)outLen)
-        plainLen = BAD_FUNC_ARG;
     else
-        XMEMCPY(out, pad, plainLen);
+#endif
+    {
+        ret = wc_RsaFunctionSync(in, inLen, out, outLen, type, key, rng);
+    }
 
-    ForceZero(tmp, inLen);
-    XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+    /* handle error */
+    if (ret < 0 && ret != WC_PENDING_E
+    #ifdef WC_RSA_NONBLOCK
+        && ret != FP_WOULDBLOCK
+    #endif
+    ) {
+        if (ret == MP_EXPTMOD_E) {
+            /* This can happen due to incorrectly set FP_MAX_BITS or missing XREALLOC */
+            WOLFSSL_MSG("RSA_FUNCTION MP_EXPTMOD_E: memory/config problem");
+        }
+
+        key->state = RSA_STATE_NONE;
+        wc_RsaCleanup(key);
+    }
 
-    return plainLen;
+    return ret;
 }
 
 
-/* for Rsa Verify */
-int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+/* Internal Wrappers */
+/* Gives the option of choosing padding type
+   in : input to be encrypted
+   inLen: length of input buffer
+   out: encrypted output
+   outLen: length of encrypted output buffer
+   key   : wolfSSL initialized RSA key struct
+   rng   : wolfSSL initialized random number struct
+   rsa_type  : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
+        RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
+   pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
+   pad_type  : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
+        WC_RSA_NO_PAD or WC_RSA_PSS_PAD
+   hash  : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
+   mgf   : type of mask generation function to use
+   label : optional label
+   labelSz : size of optional label buffer
+   saltLen : Length of salt used in PSS
+   rng : random number generator */
+static int RsaPublicEncryptEx(const byte* in, word32 inLen, byte* out,
+                            word32 outLen, RsaKey* key, int rsa_type,
+                            byte pad_value, int pad_type,
+                            enum wc_HashType hash, int mgf,
+                            byte* label, word32 labelSz, int saltLen,
+                            WC_RNG* rng)
 {
-    int ret;
+    int ret, sz;
+
+    if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    sz = wc_RsaEncryptSize(key);
+    if (sz > (int)outLen) {
+        return RSA_BUFFER_E;
+    }
+
+    if (sz < RSA_MIN_PAD_SZ) {
+        return WC_KEY_SIZE_E;
+    }
+
+    if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
+#ifdef WC_RSA_NO_PADDING
+        /* In the case that no padding is used the input length can and should
+         * be the same size as the RSA key. */
+        if (pad_type != WC_RSA_NO_PAD)
+#endif
+        return RSA_BUFFER_E;
+    }
+
+    switch (key->state) {
+    case RSA_STATE_NONE:
+    case RSA_STATE_ENCRYPT_PAD:
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+            defined(HAVE_CAVIUM)
+        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+                                 pad_type != WC_RSA_PSS_PAD && key->n.raw.buf) {
+            /* Async operations that include padding */
+            if (rsa_type == RSA_PUBLIC_ENCRYPT &&
+                                                pad_value == RSA_BLOCK_TYPE_2) {
+                key->state = RSA_STATE_ENCRYPT_RES;
+                key->dataLen = key->n.raw.len;
+                return NitroxRsaPublicEncrypt(in, inLen, out, outLen, key);
+            }
+            else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
+                                                pad_value == RSA_BLOCK_TYPE_1) {
+                key->state = RSA_STATE_ENCRYPT_RES;
+                key->dataLen = key->n.raw.len;
+                return NitroxRsaSSL_Sign(in, inLen, out, outLen, key);
+            }
+        }
+    #elif defined(WOLFSSL_CRYPTOCELL)
+        if (rsa_type == RSA_PUBLIC_ENCRYPT &&
+                                            pad_value == RSA_BLOCK_TYPE_2) {
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC) {
-        ret = CaviumRsaSSL_Verify(in, inLen, in, inLen, key);
-        if (ret > 0)
-            *out = in;
+            return cc310_RsaPublicEncrypt(in, inLen, out, outLen, key);
+        }
+        else if (rsa_type == RSA_PRIVATE_ENCRYPT &&
+                                         pad_value == RSA_BLOCK_TYPE_1) {
+         return cc310_RsaSSL_Sign(in, inLen, out, outLen, key,
+                                  cc310_hashModeRSA(hash, 0));
+        }
+    #endif /* WOLFSSL_CRYPTOCELL */
+
+        key->state = RSA_STATE_ENCRYPT_PAD;
+        ret = wc_RsaPad_ex(in, inLen, out, sz, pad_value, rng, pad_type, hash,
+                           mgf, label, labelSz, saltLen, mp_count_bits(&key->n),
+                           key->heap);
+        if (ret < 0) {
+            break;
+        }
+
+        key->state = RSA_STATE_ENCRYPT_EXPTMOD;
+        FALL_THROUGH;
+
+    case RSA_STATE_ENCRYPT_EXPTMOD:
+
+        key->dataLen = outLen;
+        ret = wc_RsaFunction(out, sz, out, &key->dataLen, rsa_type, key, rng);
+
+        if (ret >= 0 || ret == WC_PENDING_E) {
+            key->state = RSA_STATE_ENCRYPT_RES;
+        }
+        if (ret < 0) {
+            break;
+        }
+
+        FALL_THROUGH;
+
+    case RSA_STATE_ENCRYPT_RES:
+        ret = key->dataLen;
+        break;
+
+    default:
+        ret = BAD_STATE_E;
+        break;
+    }
+
+    /* if async pending then return and skip done cleanup below */
+    if (ret == WC_PENDING_E
+    #ifdef WC_RSA_NONBLOCK
+        || ret == FP_WOULDBLOCK
+    #endif
+    ) {
         return ret;
     }
+
+    key->state = RSA_STATE_NONE;
+    wc_RsaCleanup(key);
+
+    return ret;
+}
+
 #endif
 
-    if ((ret = wc_RsaFunction(in, inLen, in, &inLen, RSA_PUBLIC_DECRYPT, key))
-            < 0) {
+/* Gives the option of choosing padding type
+   in : input to be decrypted
+   inLen: length of input buffer
+   out:  decrypted message
+   outLen: length of decrypted message in bytes
+   outPtr: optional inline output pointer (if provided doing inline)
+   key   : wolfSSL initialized RSA key struct
+   rsa_type  : type of RSA: RSA_PUBLIC_ENCRYPT, RSA_PUBLIC_DECRYPT,
+        RSA_PRIVATE_ENCRYPT or RSA_PRIVATE_DECRYPT
+   pad_value: RSA_BLOCK_TYPE_1 or RSA_BLOCK_TYPE_2
+   pad_type  : type of padding: WC_RSA_PKCSV15_PAD, WC_RSA_OAEP_PAD,
+        WC_RSA_NO_PAD, WC_RSA_PSS_PAD
+   hash  : type of hash algorithm to use found in wolfssl/wolfcrypt/hash.h
+   mgf   : type of mask generation function to use
+   label : optional label
+   labelSz : size of optional label buffer
+   saltLen : Length of salt used in PSS
+   rng : random number generator */
+static int RsaPrivateDecryptEx(byte* in, word32 inLen, byte* out,
+                            word32 outLen, byte** outPtr, RsaKey* key,
+                            int rsa_type, byte pad_value, int pad_type,
+                            enum wc_HashType hash, int mgf,
+                            byte* label, word32 labelSz, int saltLen,
+                            WC_RNG* rng)
+{
+    int ret = RSA_WRONG_TYPE_E;
+    byte* pad = NULL;
+
+    if (in == NULL || inLen == 0 || out == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    switch (key->state) {
+    case RSA_STATE_NONE:
+        key->dataLen = inLen;
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+            defined(HAVE_CAVIUM)
+        /* Async operations that include padding */
+        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+                                                   pad_type != WC_RSA_PSS_PAD) {
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+            if (rsa_type == RSA_PRIVATE_DECRYPT &&
+                                                pad_value == RSA_BLOCK_TYPE_2) {
+                key->state = RSA_STATE_DECRYPT_RES;
+                key->data = NULL;
+                return NitroxRsaPrivateDecrypt(in, inLen, out, &key->dataLen,
+                                               key);
+#endif
+            }
+            else if (rsa_type == RSA_PUBLIC_DECRYPT &&
+                                                pad_value == RSA_BLOCK_TYPE_1) {
+                key->state = RSA_STATE_DECRYPT_RES;
+                key->data = NULL;
+                return NitroxRsaSSL_Verify(in, inLen, out, &key->dataLen, key);
+            }
+        }
+    #elif defined(WOLFSSL_CRYPTOCELL)
+        if (rsa_type == RSA_PRIVATE_DECRYPT &&
+                                            pad_value == RSA_BLOCK_TYPE_2) {
+            ret = cc310_RsaPublicDecrypt(in, inLen, out, outLen, key);
+            if (outPtr != NULL)
+                *outPtr = out; /* for inline */
+            return ret;
+        }
+        else if (rsa_type == RSA_PUBLIC_DECRYPT &&
+                                            pad_value == RSA_BLOCK_TYPE_1) {
+            return cc310_RsaSSL_Verify(in, inLen, out, key,
+                                       cc310_hashModeRSA(hash, 0));
+        }
+    #endif /* WOLFSSL_CRYPTOCELL */
+
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+        /* verify the tmp ptr is NULL, otherwise indicates bad state */
+        if (key->data != NULL) {
+            ret = BAD_STATE_E;
+            break;
+        }
+
+        /* if not doing this inline then allocate a buffer for it */
+        if (outPtr == NULL) {
+            key->data = (byte*)XMALLOC(inLen, key->heap,
+                                                      DYNAMIC_TYPE_WOLF_BIGINT);
+            key->dataIsAlloc = 1;
+            if (key->data == NULL) {
+                ret = MEMORY_E;
+                break;
+            }
+            XMEMCPY(key->data, in, inLen);
+        }
+        else {
+            key->data = out;
+        }
+#endif
+
+        key->state = RSA_STATE_DECRYPT_EXPTMOD;
+        FALL_THROUGH;
+
+    case RSA_STATE_DECRYPT_EXPTMOD:
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+        ret = wc_RsaFunction(key->data, inLen, key->data, &key->dataLen,
+                                                            rsa_type, key, rng);
+#else
+        ret = wc_RsaFunction(in, inLen, out, &key->dataLen, rsa_type, key, rng);
+#endif
+
+        if (ret >= 0 || ret == WC_PENDING_E) {
+            key->state = RSA_STATE_DECRYPT_UNPAD;
+        }
+        if (ret < 0) {
+            break;
+        }
+
+        FALL_THROUGH;
+
+    case RSA_STATE_DECRYPT_UNPAD:
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+        ret = wc_RsaUnPad_ex(key->data, key->dataLen, &pad, pad_value, pad_type,
+                             hash, mgf, label, labelSz, saltLen,
+                             mp_count_bits(&key->n), key->heap);
+#else
+        ret = wc_RsaUnPad_ex(out, key->dataLen, &pad, pad_value, pad_type, hash,
+                             mgf, label, labelSz, saltLen,
+                             mp_count_bits(&key->n), key->heap);
+#endif
+        if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
+            ret = RSA_BUFFER_E;
+        else if (ret >= 0 && pad != NULL) {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+            signed char c;
+#endif
+
+            /* only copy output if not inline */
+            if (outPtr == NULL) {
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE)
+                if (rsa_type == RSA_PRIVATE_DECRYPT) {
+                    word32 i, j;
+                    int start = (int)((size_t)pad - (size_t)key->data);
+
+                    for (i = 0, j = 0; j < key->dataLen; j++) {
+                        out[i] = key->data[j];
+                        c  = ctMaskGTE(j, start);
+                        c &= ctMaskLT(i, outLen);
+                        /* 0 - no add, -1 add */
+                        i += (word32)((byte)(-c));
+                    }
+                }
+                else
+#endif
+                {
+                    XMEMCPY(out, pad, ret);
+                }
+            }
+            else
+                *outPtr = pad;
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY)
+            ret = ctMaskSelInt(ctMaskLTE(ret, outLen), ret, RSA_BUFFER_E);
+            ret = ctMaskSelInt(ctMaskNotEq(ret, 0), ret, RSA_BUFFER_E);
+#else
+            if (outLen < (word32)ret)
+                ret = RSA_BUFFER_E;
+#endif
+        }
+
+        key->state = RSA_STATE_DECRYPT_RES;
+        FALL_THROUGH;
+
+    case RSA_STATE_DECRYPT_RES:
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+            defined(HAVE_CAVIUM)
+        if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA &&
+                                                   pad_type != WC_RSA_PSS_PAD) {
+            if (ret > 0) {
+                /* convert result */
+                byte* dataLen = (byte*)&key->dataLen;
+                ret = (dataLen[0] << 8) | (dataLen[1]);
+
+                if (outPtr)
+                    *outPtr = in;
+            }
+        }
+    #endif
+        break;
+
+    default:
+        ret = BAD_STATE_E;
+        break;
+    }
+
+    /* if async pending then return and skip done cleanup below */
+    if (ret == WC_PENDING_E
+    #ifdef WC_RSA_NONBLOCK
+        || ret == FP_WOULDBLOCK
+    #endif
+    ) {
         return ret;
     }
-  
-    return RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_1);
+
+    key->state = RSA_STATE_NONE;
+    wc_RsaCleanup(key);
+
+    return ret;
+}
+
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+/* Public RSA Functions */
+int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
+                                                     RsaKey* key, WC_RNG* rng)
+{
+    return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+        RSA_PUBLIC_ENCRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
+int wc_RsaPublicEncrypt_ex(const byte* in, word32 inLen, byte* out,
+                    word32 outLen, RsaKey* key, WC_RNG* rng, int type,
+                    enum wc_HashType hash, int mgf, byte* label,
+                    word32 labelSz)
+{
+    return RsaPublicEncryptEx(in, inLen, out, outLen, key, RSA_PUBLIC_ENCRYPT,
+        RSA_BLOCK_TYPE_2, type, hash, mgf, label, labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP */
+#endif
+
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
 }
 
 
+#ifndef WC_NO_RSA_OAEP
+int wc_RsaPrivateDecryptInline_ex(byte* in, word32 inLen, byte** out,
+                                  RsaKey* key, int type, enum wc_HashType hash,
+                                  int mgf, byte* label, word32 labelSz)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash,
+        mgf, label, labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP */
+
+
+int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
+                                                 word32 outLen, RsaKey* key)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, WC_RSA_PKCSV15_PAD,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+
+#if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
+int wc_RsaPrivateDecrypt_ex(const byte* in, word32 inLen, byte* out,
+                            word32 outLen, RsaKey* key, int type,
+                            enum wc_HashType hash, int mgf, byte* label,
+                            word32 labelSz)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+        RSA_PRIVATE_DECRYPT, RSA_BLOCK_TYPE_2, type, hash, mgf, label,
+        labelSz, 0, rng);
+}
+#endif /* WC_NO_RSA_OAEP || WC_RSA_NO_PADDING */
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if !defined(WOLFSSL_CRYPTOCELL)
+int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+#endif
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
 int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
-                     RsaKey* key)
+                                                                 RsaKey* key)
 {
-    int plainLen;
-    byte*  tmp;
-    byte*  pad = 0;
+    return wc_RsaSSL_Verify_ex(in, inLen, out, outLen, key , WC_RSA_PKCSV15_PAD);
+}
+
+int  wc_RsaSSL_Verify_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
+                         RsaKey* key, int pad_type)
+{
+    WC_RNG* rng;
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return CaviumRsaSSL_Verify(in, inLen, out, outLen, key);
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
 #endif
 
-    tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_RSA);
-    if (tmp == NULL) {
-        return MEMORY_E;
+    return RsaPrivateDecryptEx((byte*)in, inLen, out, outLen, NULL, key,
+        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, pad_type,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
+}
+#endif
+
+#ifdef WC_RSA_PSS
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ * Salt length is equal to hash length.
+ *
+ * in     Buffer holding encrypted data.
+ * inLen  Length of data in buffer.
+ * out    Pointer to address containing the PSS data.
+ * hash   Hash algorithm.
+ * mgf    Mask generation function.
+ * key    Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyInline(byte* in, word32 inLen, byte** out,
+                           enum wc_HashType hash, int mgf, RsaKey* key)
+{
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
+                                                 RSA_PSS_SALT_LEN_DEFAULT, key);
+#else
+    return wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf,
+                                                RSA_PSS_SALT_LEN_DISCOVER, key);
+#endif
+}
+
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ *
+ * in       Buffer holding encrypted data.
+ * inLen    Length of data in buffer.
+ * out      Pointer to address containing the PSS data.
+ * hash     Hash algorithm.
+ * mgf      Mask generation function.
+ * key      Public RSA key.
+ * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ *          indicates salt length is determined from the data.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyInline_ex(byte* in, word32 inLen, byte** out,
+                              enum wc_HashType hash, int mgf, int saltLen,
+                              RsaKey* key)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx(in, inLen, in, inLen, out, key,
+        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+        hash, mgf, NULL, 0, saltLen, rng);
+}
+
+/* Verify the message signed with RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in     Buffer holding encrypted data.
+ * inLen  Length of data in buffer.
+ * out    Pointer to address containing the PSS data.
+ * hash   Hash algorithm.
+ * mgf    Mask generation function.
+ * key    Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_Verify(byte* in, word32 inLen, byte* out, word32 outLen,
+                     enum wc_HashType hash, int mgf, RsaKey* key)
+{
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
+                                                 RSA_PSS_SALT_LEN_DEFAULT, key);
+#else
+    return wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash, mgf,
+                                                RSA_PSS_SALT_LEN_DISCOVER, key);
+#endif
+}
+
+/* Verify the message signed with RSA-PSS.
+ *
+ * in       Buffer holding encrypted data.
+ * inLen    Length of data in buffer.
+ * out      Pointer to address containing the PSS data.
+ * hash     Hash algorithm.
+ * mgf      Mask generation function.
+ * key      Public RSA key.
+ * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ *          indicates salt length is determined from the data.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_Verify_ex(byte* in, word32 inLen, byte* out, word32 outLen,
+                        enum wc_HashType hash, int mgf, int saltLen,
+                        RsaKey* key)
+{
+    WC_RNG* rng;
+#ifdef WC_RSA_BLINDING
+    rng = key->rng;
+#else
+    rng = NULL;
+#endif
+    return RsaPrivateDecryptEx(in, inLen, out, outLen, NULL, key,
+        RSA_PUBLIC_DECRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+        hash, mgf, NULL, 0, saltLen, rng);
+}
+
+
+/* Checks the PSS data to ensure that the signature matches.
+ * Salt length is equal to hash length.
+ *
+ * in        Hash of the data that is being verified.
+ * inSz      Length of hash.
+ * sig       Buffer holding PSS data.
+ * sigSz     Size of PSS data.
+ * hashType  Hash algorithm.
+ * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
+ * NULL is passed in to in or sig or inSz is not the same as the hash
+ * algorithm length and 0 on success.
+ */
+int wc_RsaPSS_CheckPadding(const byte* in, word32 inSz, byte* sig,
+                           word32 sigSz, enum wc_HashType hashType)
+{
+    return wc_RsaPSS_CheckPadding_ex(in, inSz, sig, sigSz, hashType, inSz, 0);
+}
+
+/* Checks the PSS data to ensure that the signature matches.
+ *
+ * in        Hash of the data that is being verified.
+ * inSz      Length of hash.
+ * sig       Buffer holding PSS data.
+ * sigSz     Size of PSS data.
+ * hashType  Hash algorithm.
+ * saltLen   Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ *           length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ *           indicates salt length is determined from the data.
+ * returns BAD_PADDING_E when the PSS data is invalid, BAD_FUNC_ARG when
+ * NULL is passed in to in or sig or inSz is not the same as the hash
+ * algorithm length and 0 on success.
+ */
+int wc_RsaPSS_CheckPadding_ex(const byte* in, word32 inSz, byte* sig,
+                              word32 sigSz, enum wc_HashType hashType,
+                              int saltLen, int bits)
+{
+    int ret = 0;
+#ifndef WOLFSSL_PSS_LONG_SALT
+    byte sigCheck[WC_MAX_DIGEST_SIZE*2 + RSA_PSS_PAD_SZ];
+#else
+    byte *sigCheck = NULL;
+#endif
+
+    (void)bits;
+
+    if (in == NULL || sig == NULL ||
+                               inSz != (word32)wc_HashGetDigestSize(hashType)) {
+        ret = BAD_FUNC_ARG;
     }
 
-    XMEMCPY(tmp, in, inLen);
+    if (ret == 0) {
+        if (saltLen == RSA_PSS_SALT_LEN_DEFAULT) {
+            saltLen = inSz;
+            #ifdef WOLFSSL_SHA512
+                /* See FIPS 186-4 section 5.5 item (e). */
+                if (bits == 1024 && inSz == WC_SHA512_DIGEST_SIZE) {
+                    saltLen = RSA_PSS_SALT_MAX_SZ;
+                }
+            #endif
+        }
+#ifndef WOLFSSL_PSS_LONG_SALT
+        else if ((word32)saltLen > inSz) {
+            ret = PSS_SALTLEN_E;
+        }
+#endif
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+        else if (saltLen < RSA_PSS_SALT_LEN_DEFAULT) {
+            ret = PSS_SALTLEN_E;
+        }
+#else
+        else if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
+            saltLen = sigSz - inSz;
+            if (saltLen < 0) {
+                ret = PSS_SALTLEN_E;
+            }
+        }
+        else if (saltLen < RSA_PSS_SALT_LEN_DISCOVER) {
+            ret = PSS_SALTLEN_E;
+        }
+#endif
+    }
 
-    if ( (plainLen = wc_RsaSSL_VerifyInline(tmp, inLen, &pad, key) ) < 0) {
-        XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
-        return plainLen;
+    /* Sig = Salt | Exp Hash */
+    if (ret == 0) {
+        if (sigSz != inSz + saltLen) {
+            ret = PSS_SALTLEN_E;
+        }
     }
 
-    if (plainLen > (int)outLen)
-        plainLen = BAD_FUNC_ARG;
-    else
-        XMEMCPY(out, pad, plainLen);
+#ifdef WOLFSSL_PSS_LONG_SALT
+    if (ret == 0) {
+        sigCheck = (byte*)XMALLOC(RSA_PSS_PAD_SZ + inSz + saltLen, NULL,
+                                                       DYNAMIC_TYPE_RSA_BUFFER);
+        if (sigCheck == NULL) {
+            ret = MEMORY_E;
+        }
+    }
+#endif
 
-    ForceZero(tmp, inLen);
-    XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
+    /* Exp Hash = HASH(8 * 0x00 | Message Hash | Salt) */
+    if (ret == 0) {
+        XMEMSET(sigCheck, 0, RSA_PSS_PAD_SZ);
+        XMEMCPY(sigCheck + RSA_PSS_PAD_SZ, in, inSz);
+        XMEMCPY(sigCheck + RSA_PSS_PAD_SZ + inSz, sig, saltLen);
+        ret = wc_Hash(hashType, sigCheck, RSA_PSS_PAD_SZ + inSz + saltLen,
+                      sigCheck, inSz);
+    }
+    if (ret == 0) {
+        if (XMEMCMP(sigCheck, sig + saltLen, inSz) != 0) {
+            WOLFSSL_MSG("RsaPSS_CheckPadding: Padding Error");
+            ret = BAD_PADDING_E;
+        }
+    }
 
-    return plainLen;
+#ifdef WOLFSSL_PSS_LONG_SALT
+    if (sigCheck != NULL) {
+        XFREE(sigCheck, NULL, DYNAMIC_TYPE_RSA_BUFFER);
+    }
+#endif
+    return ret;
 }
 
 
-/* for Rsa Sign */
-int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
-                      RsaKey* key, RNG* rng)
+/* Verify the message signed with RSA-PSS.
+ * The input buffer is reused for the output buffer.
+ * Salt length is equal to hash length.
+ *
+ * in     Buffer holding encrypted data.
+ * inLen  Length of data in buffer.
+ * out    Pointer to address containing the PSS data.
+ * digest Hash of the data that is being verified.
+ * digestLen Length of hash.
+ * hash   Hash algorithm.
+ * mgf    Mask generation function.
+ * key    Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyCheckInline(byte* in, word32 inLen, byte** out,
+                           const byte* digest, word32 digestLen,
+                           enum wc_HashType hash, int mgf, RsaKey* key)
 {
-    int sz, ret;
+    int ret = 0, verify, saltLen, hLen, bits = 0;
 
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return CaviumRsaSSL_Sign(in, inLen, out, outLen, key);
-#endif
+    hLen = wc_HashGetDigestSize(hash);
+    if (hLen < 0)
+        return hLen;
+    if ((word32)hLen != digestLen)
+        return BAD_FUNC_ARG;
 
-    sz = mp_unsigned_bin_size(&key->n);
-    if (sz > (int)outLen)
-        return RSA_BUFFER_E;
+    saltLen = hLen;
+    #ifdef WOLFSSL_SHA512
+        /* See FIPS 186-4 section 5.5 item (e). */
+        bits = mp_count_bits(&key->n);
+        if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+            saltLen = RSA_PSS_SALT_MAX_SZ;
+    #endif
 
-    if (inLen > (word32)(sz - RSA_MIN_PAD_SZ))
-        return RSA_BUFFER_E;
+    verify = wc_RsaPSS_VerifyInline_ex(in, inLen, out, hash, mgf, saltLen, key);
+    if (verify > 0)
+        ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, *out, verify,
+                                        hash, saltLen, bits);
+    if (ret == 0)
+        ret = verify;
 
-    ret = wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng);
-    if (ret != 0)
-        return ret;
+    return ret;
+}
+
+
+/* Verify the message signed with RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in     Buffer holding encrypted data.
+ * inLen  Length of data in buffer.
+ * out    Pointer to address containing the PSS data.
+ * outLen Length of the output.
+ * digest Hash of the data that is being verified.
+ * digestLen Length of hash.
+ * hash   Hash algorithm.
+ * mgf    Mask generation function.
+ * key    Public RSA key.
+ * returns the length of the PSS data on success and negative indicates failure.
+ */
+int wc_RsaPSS_VerifyCheck(byte* in, word32 inLen, byte* out, word32 outLen,
+                          const byte* digest, word32 digestLen,
+                          enum wc_HashType hash, int mgf,
+                          RsaKey* key)
+{
+    int ret = 0, verify, saltLen, hLen, bits = 0;
+
+    hLen = wc_HashGetDigestSize(hash);
+    if (hLen < 0)
+        return hLen;
+    if ((word32)hLen != digestLen)
+        return BAD_FUNC_ARG;
 
-    if ((ret = wc_RsaFunction(out, sz, out, &outLen,
-                              RSA_PRIVATE_ENCRYPT,key)) < 0)
-        sz = ret;
-    
-    return sz;
+    saltLen = hLen;
+    #ifdef WOLFSSL_SHA512
+        /* See FIPS 186-4 section 5.5 item (e). */
+        bits = mp_count_bits(&key->n);
+        if (bits == 1024 && hLen == WC_SHA512_DIGEST_SIZE)
+            saltLen = RSA_PSS_SALT_MAX_SZ;
+    #endif
+
+    verify = wc_RsaPSS_Verify_ex(in, inLen, out, outLen, hash,
+                                 mgf, saltLen, key);
+    if (verify > 0)
+        ret = wc_RsaPSS_CheckPadding_ex(digest, digestLen, out, verify,
+                                        hash, saltLen, bits);
+    if (ret == 0)
+        ret = verify;
+
+    return ret;
+}
+
+#endif
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
+                                                   RsaKey* key, WC_RNG* rng)
+{
+    return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+        RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PKCSV15_PAD,
+        WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0, 0, rng);
 }
 
+#ifdef WC_RSA_PSS
+/* Sign the hash of a message using RSA-PSS.
+ * Salt length is equal to hash length.
+ *
+ * in      Buffer holding hash of message.
+ * inLen   Length of data in buffer (hash length).
+ * out     Buffer to write encrypted signature into.
+ * outLen  Size of buffer to write to.
+ * hash    Hash algorithm.
+ * mgf     Mask generation function.
+ * key     Public RSA key.
+ * rng     Random number generator.
+ * returns the length of the encrypted signature on success, a negative value
+ * indicates failure.
+ */
+int wc_RsaPSS_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
+                       enum wc_HashType hash, int mgf, RsaKey* key, WC_RNG* rng)
+{
+    return wc_RsaPSS_Sign_ex(in, inLen, out, outLen, hash, mgf,
+                                            RSA_PSS_SALT_LEN_DEFAULT, key, rng);
+}
+
+/* Sign the hash of a message using RSA-PSS.
+ *
+ * in       Buffer holding hash of message.
+ * inLen    Length of data in buffer (hash length).
+ * out      Buffer to write encrypted signature into.
+ * outLen   Size of buffer to write to.
+ * hash     Hash algorithm.
+ * mgf      Mask generation function.
+ * saltLen  Length of salt used. RSA_PSS_SALT_LEN_DEFAULT (-1) indicates salt
+ *          length is the same as the hash length. RSA_PSS_SALT_LEN_DISCOVER
+ *          indicates salt length is determined from the data.
+ * key      Public RSA key.
+ * rng      Random number generator.
+ * returns the length of the encrypted signature on success, a negative value
+ * indicates failure.
+ */
+int wc_RsaPSS_Sign_ex(const byte* in, word32 inLen, byte* out, word32 outLen,
+                      enum wc_HashType hash, int mgf, int saltLen, RsaKey* key,
+                      WC_RNG* rng)
+{
+    return RsaPublicEncryptEx(in, inLen, out, outLen, key,
+        RSA_PRIVATE_ENCRYPT, RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD,
+        hash, mgf, NULL, 0, saltLen, rng);
+}
+#endif
+#endif
 
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(WOLFSSL_SP_MATH) || \
+                                                             defined(WC_RSA_PSS)
 int wc_RsaEncryptSize(RsaKey* key)
 {
-#ifdef HAVE_CAVIUM
-    if (key->magic == WOLFSSL_RSA_CAVIUM_MAGIC)
-        return key->c_nSz;
+    int ret;
+
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    ret = mp_unsigned_bin_size(&key->n);
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0 && key->devId != INVALID_DEVID) {
+        ret = 2048/8; /* hardware handles, use 2048-bit as default */
+    }
 #endif
-    return mp_unsigned_bin_size(&key->n);
+
+    return ret;
 }
+#endif
 
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
 /* flatten RsaKey structure into individual elements (e, n) */
 int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
-                           word32* nSz)
+                                                                   word32* nSz)
 {
     int sz, ret;
 
-    if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL)
-       return BAD_FUNC_ARG;
+    if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
     sz = mp_unsigned_bin_size(&key->e);
-    if ((word32)sz > *nSz)
+    if ((word32)sz > *eSz)
         return RSA_BUFFER_E;
     ret = mp_to_unsigned_bin(&key->e, e);
     if (ret != MP_OKAY)
         return ret;
     *eSz = (word32)sz;
 
-    sz = mp_unsigned_bin_size(&key->n);
+    sz = wc_RsaEncryptSize(key);
     if ((word32)sz > *nSz)
         return RSA_BUFFER_E;
     ret = mp_to_unsigned_bin(&key->n, n);
@@ -609,364 +3586,616 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
 
     return 0;
 }
+#endif
 
+#endif /* HAVE_FIPS */
 
-#ifdef WOLFSSL_KEY_GEN
 
-static const int USE_BBS = 1;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+static int RsaGetValue(mp_int* in, byte* out, word32* outSz)
+{
+    word32 sz;
+    int ret = 0;
+
+    /* Parameters ensured by calling function. */
+
+    sz = (word32)mp_unsigned_bin_size(in);
+    if (sz > *outSz)
+        ret = RSA_BUFFER_E;
 
-static int rand_prime(mp_int* N, int len, RNG* rng, void* heap)
+    if (ret == 0)
+        ret = mp_to_unsigned_bin(in, out);
+
+    if (ret == MP_OKAY)
+        *outSz = sz;
+
+    return ret;
+}
+
+
+int wc_RsaExportKey(RsaKey* key,
+                    byte* e, word32* eSz, byte* n, word32* nSz,
+                    byte* d, word32* dSz, byte* p, word32* pSz,
+                    byte* q, word32* qSz)
 {
-    int   err, res, type;
-    byte* buf;
+    int ret = BAD_FUNC_ARG;
+
+    if (key && e && eSz && n && nSz && d && dSz && p && pSz && q && qSz)
+        ret = 0;
+
+    if (ret == 0)
+        ret = RsaGetValue(&key->e, e, eSz);
+    if (ret == 0)
+        ret = RsaGetValue(&key->n, n, nSz);
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    if (ret == 0)
+        ret = RsaGetValue(&key->d, d, dSz);
+    if (ret == 0)
+        ret = RsaGetValue(&key->p, p, pSz);
+    if (ret == 0)
+        ret = RsaGetValue(&key->q, q, qSz);
+#else
+    /* no private parts to key */
+    if (d == NULL || p == NULL || q == NULL || dSz == NULL || pSz == NULL
+            || qSz == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        *dSz = 0;
+        *pSz = 0;
+        *qSz = 0;
+    }
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
 
-    (void)heap;
-    if (N == NULL || rng == NULL)
-       return BAD_FUNC_ARG; 
+    return ret;
+}
+#endif
+
+
+#ifdef WOLFSSL_KEY_GEN
 
-    /* get type */
-    if (len < 0) {
-        type = USE_BBS;
-        len = -len;
-    } else {
-        type = 0;
+/* Check that |p-q| > 2^((size/2)-100) */
+static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
+{
+    mp_int c, d;
+    int ret;
+
+    if (p == NULL || q == NULL)
+        return BAD_FUNC_ARG;
+
+    ret = mp_init_multi(&c, &d, NULL, NULL, NULL, NULL);
+
+    /* c = 2^((size/2)-100) */
+    if (ret == 0)
+        ret = mp_2expt(&c, (size/2)-100);
+
+    /* d = |p-q| */
+    if (ret == 0)
+        ret = mp_sub(p, q, &d);
+
+    if (ret == 0)
+        ret = mp_abs(&d, &d);
+
+    /* compare */
+    if (ret == 0)
+        ret = mp_cmp(&d, &c);
+
+    if (ret == MP_GT)
+        ret = MP_OKAY;
+
+    mp_clear(&d);
+    mp_clear(&c);
+
+    return ret;
+}
+
+
+/* The lower_bound value is floor(2^(0.5) * 2^((nlen/2)-1)) where nlen is 4096.
+ * This number was calculated using a small test tool written with a common
+ * large number math library. Other values of nlen may be checked with a subset
+ * of lower_bound. */
+static const byte lower_bound[] = {
+    0xB5, 0x04, 0xF3, 0x33, 0xF9, 0xDE, 0x64, 0x84,
+    0x59, 0x7D, 0x89, 0xB3, 0x75, 0x4A, 0xBE, 0x9F,
+    0x1D, 0x6F, 0x60, 0xBA, 0x89, 0x3B, 0xA8, 0x4C,
+    0xED, 0x17, 0xAC, 0x85, 0x83, 0x33, 0x99, 0x15,
+/* 512 */
+    0x4A, 0xFC, 0x83, 0x04, 0x3A, 0xB8, 0xA2, 0xC3,
+    0xA8, 0xB1, 0xFE, 0x6F, 0xDC, 0x83, 0xDB, 0x39,
+    0x0F, 0x74, 0xA8, 0x5E, 0x43, 0x9C, 0x7B, 0x4A,
+    0x78, 0x04, 0x87, 0x36, 0x3D, 0xFA, 0x27, 0x68,
+/* 1024 */
+    0xD2, 0x20, 0x2E, 0x87, 0x42, 0xAF, 0x1F, 0x4E,
+    0x53, 0x05, 0x9C, 0x60, 0x11, 0xBC, 0x33, 0x7B,
+    0xCA, 0xB1, 0xBC, 0x91, 0x16, 0x88, 0x45, 0x8A,
+    0x46, 0x0A, 0xBC, 0x72, 0x2F, 0x7C, 0x4E, 0x33,
+    0xC6, 0xD5, 0xA8, 0xA3, 0x8B, 0xB7, 0xE9, 0xDC,
+    0xCB, 0x2A, 0x63, 0x43, 0x31, 0xF3, 0xC8, 0x4D,
+    0xF5, 0x2F, 0x12, 0x0F, 0x83, 0x6E, 0x58, 0x2E,
+    0xEA, 0xA4, 0xA0, 0x89, 0x90, 0x40, 0xCA, 0x4A,
+/* 2048 */
+    0x81, 0x39, 0x4A, 0xB6, 0xD8, 0xFD, 0x0E, 0xFD,
+    0xF4, 0xD3, 0xA0, 0x2C, 0xEB, 0xC9, 0x3E, 0x0C,
+    0x42, 0x64, 0xDA, 0xBC, 0xD5, 0x28, 0xB6, 0x51,
+    0xB8, 0xCF, 0x34, 0x1B, 0x6F, 0x82, 0x36, 0xC7,
+    0x01, 0x04, 0xDC, 0x01, 0xFE, 0x32, 0x35, 0x2F,
+    0x33, 0x2A, 0x5E, 0x9F, 0x7B, 0xDA, 0x1E, 0xBF,
+    0xF6, 0xA1, 0xBE, 0x3F, 0xCA, 0x22, 0x13, 0x07,
+    0xDE, 0xA0, 0x62, 0x41, 0xF7, 0xAA, 0x81, 0xC2,
+/* 3072 */
+    0xC1, 0xFC, 0xBD, 0xDE, 0xA2, 0xF7, 0xDC, 0x33,
+    0x18, 0x83, 0x8A, 0x2E, 0xAF, 0xF5, 0xF3, 0xB2,
+    0xD2, 0x4F, 0x4A, 0x76, 0x3F, 0xAC, 0xB8, 0x82,
+    0xFD, 0xFE, 0x17, 0x0F, 0xD3, 0xB1, 0xF7, 0x80,
+    0xF9, 0xAC, 0xCE, 0x41, 0x79, 0x7F, 0x28, 0x05,
+    0xC2, 0x46, 0x78, 0x5E, 0x92, 0x95, 0x70, 0x23,
+    0x5F, 0xCF, 0x8F, 0x7B, 0xCA, 0x3E, 0xA3, 0x3B,
+    0x4D, 0x7C, 0x60, 0xA5, 0xE6, 0x33, 0xE3, 0xE1
+/* 4096 */
+};
+
+
+/* returns 1 on key size ok and 0 if not ok */
+static WC_INLINE int RsaSizeCheck(int size)
+{
+    if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE) {
+        return 0;
+    }
+
+#ifdef HAVE_FIPS
+    /* Key size requirements for CAVP */
+    switch (size) {
+        case 1024:
+        case 2048:
+        case 3072:
+        case 4096:
+            return 1;
     }
 
-    /* allow sizes between 2 and 512 bytes for a prime size */
-    if (len < 2 || len > 512) { 
+    return 0;
+#else
+    return 1; /* allow unusual key sizes in non FIPS mode */
+#endif /* HAVE_FIPS */
+}
+
+
+static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
+                                    int* isPrime, WC_RNG* rng)
+{
+    int ret;
+    mp_int tmp1, tmp2;
+    mp_int* prime;
+
+    if (p == NULL || e == NULL || isPrime == NULL)
+        return BAD_FUNC_ARG;
+
+    if (!RsaSizeCheck(nlen))
         return BAD_FUNC_ARG;
+
+    *isPrime = MP_NO;
+
+    if (q != NULL) {
+        /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
+        ret = wc_CompareDiffPQ(p, q, nlen);
+        if (ret != MP_OKAY) goto notOkay;
+        prime = q;
     }
-   
-    /* allocate buffer to work with */
-    buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_RSA);
-    if (buf == NULL) {
-        return MEMORY_E;
+    else
+        prime = p;
+
+    ret = mp_init_multi(&tmp1, &tmp2, NULL, NULL, NULL, NULL);
+    if (ret != MP_OKAY) goto notOkay;
+
+    /* 4.4,5.5 - Check that prime >= (2^(1/2))(2^((nlen/2)-1))
+     *           This is a comparison against lowerBound */
+    ret = mp_read_unsigned_bin(&tmp1, lower_bound, nlen/16);
+    if (ret != MP_OKAY) goto notOkay;
+    ret = mp_cmp(prime, &tmp1);
+    if (ret == MP_LT) goto exit;
+
+    /* 4.5,5.6 - Check that GCD(p-1, e) == 1 */
+    ret = mp_sub_d(prime, 1, &tmp1);  /* tmp1 = prime-1 */
+    if (ret != MP_OKAY) goto notOkay;
+    ret = mp_gcd(&tmp1, e, &tmp2);  /* tmp2 = gcd(prime-1, e) */
+    if (ret != MP_OKAY) goto notOkay;
+    ret = mp_cmp_d(&tmp2, 1);
+    if (ret != MP_EQ) goto exit; /* e divides p-1 */
+
+    /* 4.5.1,5.6.1 - Check primality of p with 8 rounds of M-R.
+     * mp_prime_is_prime_ex() performs test divisions against the first 256
+     * prime numbers. After that it performs 8 rounds of M-R using random
+     * bases between 2 and n-2.
+     * mp_prime_is_prime() performs the same test divisions and then does
+     * M-R with the first 8 primes. Both functions set isPrime as a
+     * side-effect. */
+    if (rng != NULL)
+        ret = mp_prime_is_prime_ex(prime, 8, isPrime, rng);
+    else
+        ret = mp_prime_is_prime(prime, 8, isPrime);
+    if (ret != MP_OKAY) goto notOkay;
+
+exit:
+    ret = MP_OKAY;
+notOkay:
+    mp_clear(&tmp1);
+    mp_clear(&tmp2);
+    return ret;
+}
+
+
+int wc_CheckProbablePrime_ex(const byte* pRaw, word32 pRawSz,
+                          const byte* qRaw, word32 qRawSz,
+                          const byte* eRaw, word32 eRawSz,
+                          int nlen, int* isPrime, WC_RNG* rng)
+{
+    mp_int p, q, e;
+    mp_int* Q = NULL;
+    int ret;
+
+    if (pRaw == NULL || pRawSz == 0 ||
+        eRaw == NULL || eRawSz == 0 ||
+        isPrime == NULL) {
+
+        return BAD_FUNC_ARG;
     }
-    XMEMSET(buf, 0, len);
 
-    do {
-#ifdef SHOW_GEN
-        printf(".");
-        fflush(stdout);
-#endif
-        /* generate value */
-        err = wc_RNG_GenerateBlock(rng, buf, len);
-        if (err != 0) {
-            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
-            return err;
-        }
+    if ((qRaw != NULL && qRawSz == 0) || (qRaw == NULL && qRawSz != 0))
+        return BAD_FUNC_ARG;
 
-        /* munge bits */
-        buf[0]     |= 0x80 | 0x40;
-        buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
- 
-        /* load value */
-        if ((err = mp_read_unsigned_bin(N, buf, len)) != MP_OKAY) {
-            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
-            return err;
-        }
+    ret = mp_init_multi(&p, &q, &e, NULL, NULL, NULL);
+
+    if (ret == MP_OKAY)
+        ret = mp_read_unsigned_bin(&p, pRaw, pRawSz);
 
-        /* test */
-        if ((err = mp_prime_is_prime(N, 8, &res)) != MP_OKAY) {
-            XFREE(buf, heap, DYNAMIC_TYPE_RSA);
-            return err;
+    if (ret == MP_OKAY) {
+        if (qRaw != NULL) {
+            ret = mp_read_unsigned_bin(&q, qRaw, qRawSz);
+            if (ret == MP_OKAY)
+                Q = &q;
         }
-    } while (res == MP_NO);
+    }
 
-    ForceZero(buf, len);
-    XFREE(buf, heap, DYNAMIC_TYPE_RSA);
+    if (ret == MP_OKAY)
+        ret = mp_read_unsigned_bin(&e, eRaw, eRawSz);
 
-    return 0;
+    if (ret == MP_OKAY)
+        ret = _CheckProbablePrime(&p, Q, &e, nlen, isPrime, rng);
+
+    ret = (ret == MP_OKAY) ? 0 : PRIME_GEN_E;
+
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&e);
+
+    return ret;
 }
 
 
+int wc_CheckProbablePrime(const byte* pRaw, word32 pRawSz,
+                          const byte* qRaw, word32 qRawSz,
+                          const byte* eRaw, word32 eRawSz,
+                          int nlen, int* isPrime)
+{
+    return wc_CheckProbablePrime_ex(pRaw, pRawSz, qRaw, qRawSz,
+                          eRaw, eRawSz, nlen, isPrime, NULL);
+}
+
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && \
+        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
 /* Make an RSA key for size bits, with e specified, 65537 is a good e */
-int wc_MakeRsaKey(RsaKey* key, int size, long e, RNG* rng)
+int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
 {
+#ifndef WC_NO_RNG
     mp_int p, q, tmp1, tmp2, tmp3;
-    int    err;
+    int err, i, failCount, primeSz, isPrime = 0;
+    byte* buf = NULL;
 
     if (key == NULL || rng == NULL)
         return BAD_FUNC_ARG;
 
-    if (size < RSA_MIN_SIZE || size > RSA_MAX_SIZE)
+    if (!RsaSizeCheck(size))
         return BAD_FUNC_ARG;
 
     if (e < 3 || (e & 1) == 0)
         return BAD_FUNC_ARG;
 
-    if ((err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL)) != MP_OKAY)
-        return err;
+#if defined(WOLFSSL_CRYPTOCELL)
+
+    return cc310_RSA_GenerateKeyPair(key, size, e);
 
-    err = mp_set_int(&tmp3, e);
+#endif /*WOLFSSL_CRYPTOCELL*/
+
+#ifdef WOLF_CRYPTO_CB
+    if (key->devId != INVALID_DEVID) {
+        int ret = wc_CryptoCb_MakeRsaKey(key, size, e, rng);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        /* fall-through when unavailable */
+    }
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_RSA) && \
+    defined(WC_ASYNC_ENABLE_RSA_KEYGEN)
+    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_RSA) {
+    #ifdef HAVE_CAVIUM
+        /* TODO: Not implemented */
+    #elif defined(HAVE_INTEL_QA)
+        return IntelQaRsaKeyGen(&key->asyncDev, key, size, e, rng);
+    #else
+        if (wc_AsyncTestInit(&key->asyncDev, ASYNC_TEST_RSA_MAKE)) {
+            WC_ASYNC_TEST* testDev = &key->asyncDev.test;
+            testDev->rsaMake.rng = rng;
+            testDev->rsaMake.key = key;
+            testDev->rsaMake.size = size;
+            testDev->rsaMake.e = e;
+            return WC_PENDING_E;
+        }
+    #endif
+    }
+#endif
+
+    err = mp_init_multi(&p, &q, &tmp1, &tmp2, &tmp3, NULL);
+
+    if (err == MP_OKAY)
+        err = mp_set_int(&tmp3, e);
+
+    /* The failCount value comes from NIST FIPS 186-4, section B.3.3,
+     * process steps 4.7 and 5.8. */
+    failCount = 5 * (size / 2);
+    primeSz = size / 16; /* size is the size of n in bits.
+                            primeSz is in bytes. */
+
+    /* allocate buffer to work with */
+    if (err == MP_OKAY) {
+        buf = (byte*)XMALLOC(primeSz, key->heap, DYNAMIC_TYPE_RSA);
+        if (buf == NULL)
+            err = MEMORY_E;
+    }
 
     /* make p */
     if (err == MP_OKAY) {
+        isPrime = 0;
+        i = 0;
         do {
-            err = rand_prime(&p, size/16, rng, key->heap); /* size in bytes/2 */
+#ifdef SHOW_GEN
+            printf(".");
+            fflush(stdout);
+#endif
+            /* generate value */
+            err = wc_RNG_GenerateBlock(rng, buf, primeSz);
+            if (err == 0) {
+                /* prime lower bound has the MSB set, set it in candidate */
+                buf[0] |= 0x80;
+                /* make candidate odd */
+                buf[primeSz-1] |= 0x01;
+                /* load value */
+                err = mp_read_unsigned_bin(&p, buf, primeSz);
+            }
 
             if (err == MP_OKAY)
-                err = mp_sub_d(&p, 1, &tmp1);  /* tmp1 = p-1 */
+                err = _CheckProbablePrime(&p, NULL, &tmp3, size, &isPrime, rng);
 
-            if (err == MP_OKAY)
-                err = mp_gcd(&tmp1, &tmp3, &tmp2);  /* tmp2 = gcd(p-1, e) */
-        } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0);  /* e divdes p-1 */
+#ifdef HAVE_FIPS
+            i++;
+#else
+            /* Keep the old retry behavior in non-FIPS build. */
+            (void)i;
+#endif
+        } while (err == MP_OKAY && !isPrime && i < failCount);
     }
 
+    if (err == MP_OKAY && !isPrime)
+        err = PRIME_GEN_E;
+
     /* make q */
     if (err == MP_OKAY) {
+        isPrime = 0;
+        i = 0;
         do {
-            err = rand_prime(&q, size/16, rng, key->heap); /* size in bytes/2 */
+#ifdef SHOW_GEN
+            printf(".");
+            fflush(stdout);
+#endif
+            /* generate value */
+            err = wc_RNG_GenerateBlock(rng, buf, primeSz);
+            if (err == 0) {
+                /* prime lower bound has the MSB set, set it in candidate */
+                buf[0] |= 0x80;
+                /* make candidate odd */
+                buf[primeSz-1] |= 0x01;
+                /* load value */
+                err = mp_read_unsigned_bin(&q, buf, primeSz);
+            }
 
             if (err == MP_OKAY)
-                err = mp_sub_d(&q, 1, &tmp1);  /* tmp1 = q-1 */
+                err = _CheckProbablePrime(&p, &q, &tmp3, size, &isPrime, rng);
 
-            if (err == MP_OKAY)
-                err = mp_gcd(&tmp1, &tmp3, &tmp2);  /* tmp2 = gcd(q-1, e) */
-        } while (err == MP_OKAY && mp_cmp_d(&tmp2, 1) != 0);  /* e divdes q-1 */
+#ifdef HAVE_FIPS
+            i++;
+#else
+            /* Keep the old retry behavior in non-FIPS build. */
+            (void)i;
+#endif
+        } while (err == MP_OKAY && !isPrime && i < failCount);
     }
 
-    if (err == MP_OKAY)
-        err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
+    if (err == MP_OKAY && !isPrime)
+        err = PRIME_GEN_E;
 
-    if (err == MP_OKAY)
-        err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
+    if (buf) {
+        ForceZero(buf, primeSz);
+        XFREE(buf, key->heap, DYNAMIC_TYPE_RSA);
+    }
 
-    if (err == MP_OKAY)
-        err = mp_sub_d(&p, 1, &tmp2);  /* tmp2 = p-1 */
+    if (err == MP_OKAY && mp_cmp(&p, &q) < 0) {
+        err = mp_copy(&p, &tmp1);
+        if (err == MP_OKAY)
+            err = mp_copy(&q, &p);
+        if (err == MP_OKAY)
+            mp_copy(&tmp1, &q);
+    }
 
+    /* Setup RsaKey buffers */
+    if (err == MP_OKAY)
+        err = mp_init_multi(&key->n, &key->e, &key->d, &key->p, &key->q, NULL);
     if (err == MP_OKAY)
-        err = mp_lcm(&tmp1, &tmp2, &tmp1);  /* tmp1 = lcm(p-1, q-1),last loop */
+        err = mp_init_multi(&key->dP, &key->dQ, &key->u, NULL, NULL, NULL);
 
+    /* Software Key Calculation */
+    if (err == MP_OKAY)                /* tmp1 = p-1 */
+        err = mp_sub_d(&p, 1, &tmp1);
+    if (err == MP_OKAY)                /* tmp2 = q-1 */
+        err = mp_sub_d(&q, 1, &tmp2);
+#ifdef WC_RSA_BLINDING
+    if (err == MP_OKAY)                /* tmp3 = order of n */
+        err = mp_mul(&tmp1, &tmp2, &tmp3);
+#else
+    if (err == MP_OKAY)                /* tmp3 = lcm(p-1, q-1), last loop */
+        err = mp_lcm(&tmp1, &tmp2, &tmp3);
+#endif
     /* make key */
+    if (err == MP_OKAY)                /* key->e = e */
+        err = mp_set_int(&key->e, (mp_digit)e);
+#ifdef WC_RSA_BLINDING
+    /* Blind the inverse operation with a value that is invertable */
+    if (err == MP_OKAY) {
+        do {
+            err = mp_rand(&key->p, get_digit_count(&tmp3), rng);
+            if (err == MP_OKAY)
+                err = mp_set_bit(&key->p, 0);
+            if (err == MP_OKAY)
+                err = mp_set_bit(&key->p, size - 1);
+            if (err == MP_OKAY)
+                err = mp_gcd(&key->p, &tmp3, &key->q);
+        }
+        while ((err == MP_OKAY) && !mp_isone(&key->q));
+    }
     if (err == MP_OKAY)
-        err = mp_set_int(&key->e, e);  /* key->e = e */
-
+        err = mp_mul_d(&key->p, (mp_digit)e, &key->e);
+#endif
     if (err == MP_OKAY)                /* key->d = 1/e mod lcm(p-1, q-1) */
-        err = mp_invmod(&key->e, &tmp1, &key->d);
-
-    if (err == MP_OKAY)
-        err = mp_mul(&p, &q, &key->n);  /* key->n = pq */
-
-    if (err == MP_OKAY)
-        err = mp_sub_d(&p, 1, &tmp1);
-
+        err = mp_invmod(&key->e, &tmp3, &key->d);
+#ifdef WC_RSA_BLINDING
+    /* Take off blinding from d and reset e */
     if (err == MP_OKAY)
-        err = mp_sub_d(&q, 1, &tmp2);
-
+        err = mp_mulmod(&key->d, &key->p, &tmp3, &key->d);
     if (err == MP_OKAY)
+        err = mp_set_int(&key->e, (mp_digit)e);
+#endif
+    if (err == MP_OKAY)                /* key->n = pq */
+        err = mp_mul(&p, &q, &key->n);
+    if (err == MP_OKAY)                /* key->dP = d mod(p-1) */
         err = mp_mod(&key->d, &tmp1, &key->dP);
-
-    if (err == MP_OKAY)
+    if (err == MP_OKAY)                /* key->dQ = d mod(q-1) */
         err = mp_mod(&key->d, &tmp2, &key->dQ);
-
-    if (err == MP_OKAY)
+#ifdef WOLFSSL_MP_INVMOD_CONSTANT_TIME
+    if (err == MP_OKAY)                /* key->u = 1/q mod p */
         err = mp_invmod(&q, &p, &key->u);
-
+#else
+    if (err == MP_OKAY)
+        err = mp_sub_d(&p, 2, &tmp3);
+    if (err == MP_OKAY)                /* key->u = 1/q mod p = q^p-2 mod p */
+        err = mp_exptmod(&q, &tmp3 , &p, &key->u);
+#endif
     if (err == MP_OKAY)
         err = mp_copy(&p, &key->p);
-
     if (err == MP_OKAY)
         err = mp_copy(&q, &key->q);
 
+#ifdef HAVE_WOLF_BIGINT
+    /* make sure raw unsigned bin version is available */
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->n, &key->n.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->e, &key->e.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->d, &key->d.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->p, &key->p.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->q, &key->q.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->dP, &key->dP.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw);
+    if (err == MP_OKAY)
+         err = wc_mp_to_bigint(&key->u, &key->u.raw);
+#endif
+
     if (err == MP_OKAY)
-        key->type = RSA_PRIVATE; 
+        key->type = RSA_PRIVATE;
 
-    mp_clear(&tmp3); 
-    mp_clear(&tmp2); 
-    mp_clear(&tmp1); 
-    mp_clear(&q); 
+    mp_clear(&tmp1);
+    mp_clear(&tmp2);
+    mp_clear(&tmp3);
     mp_clear(&p);
+    mp_clear(&q);
 
-    if (err != MP_OKAY) {
-        wc_FreeRsaKey(key);        
+#if defined(WOLFSSL_KEY_GEN) && !defined(WOLFSSL_NO_RSA_KEY_CHECK)
+    /* Perform the pair-wise consistency test on the new key. */
+    if (err == 0)
+        err = wc_CheckRsaKey(key);
+#endif
+
+    if (err != 0) {
+        wc_FreeRsaKey(key);
         return err;
     }
 
+#if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL)
+    if (wc_InitRsaHw(key) != 0) {
+        return BAD_STATE_E;
+    }
+#endif
     return 0;
+#else
+    return NOT_COMPILED_IN;
+#endif
 }
-
-
+#endif /* !FIPS || FIPS_VER >= 2 */
 #endif /* WOLFSSL_KEY_GEN */
 
 
-#ifdef HAVE_CAVIUM
-
-#include <cyassl/ctaocrypt/logging.h>
-#include "cavium_common.h"
-
-/* Initiliaze RSA for use with Nitrox device */
-int RsaInitCavium(RsaKey* rsa, int devId)
-{
-    if (rsa == NULL)
-        return -1;
-
-    if (CspAllocContext(CONTEXT_SSL, &rsa->contextHandle, devId) != 0)
-        return -1;
-
-    rsa->devId = devId;
-    rsa->magic = WOLFSSL_RSA_CAVIUM_MAGIC;
-   
-    return 0;
-}
-
-
-/* Free RSA from use with Nitrox device */
-void wc_RsaFreeCavium(RsaKey* rsa)
-{
-    if (rsa == NULL)
-        return;
-
-    CspFreeContext(CONTEXT_SSL, rsa->contextHandle, rsa->devId);
-    rsa->magic = 0;
-}
-
-
-/* Initialize cavium RSA key */
-static int InitCaviumRsaKey(RsaKey* key, void* heap)
+#ifdef WC_RSA_BLINDING
+int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
 {
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    key->heap = heap;
-    key->type = -1;   /* don't know yet */
-
-    key->c_n  = NULL;
-    key->c_e  = NULL;
-    key->c_d  = NULL;
-    key->c_p  = NULL;
-    key->c_q  = NULL;
-    key->c_dP = NULL;
-    key->c_dQ = NULL;
-    key->c_u  = NULL;
-
-    key->c_nSz   = 0;
-    key->c_eSz   = 0;
-    key->c_dSz   = 0;
-    key->c_pSz   = 0;
-    key->c_qSz   = 0;
-    key->c_dP_Sz = 0;
-    key->c_dQ_Sz = 0;
-    key->c_uSz   = 0;
-    
+    key->rng = rng;
+
     return 0;
 }
+#endif /* WC_RSA_BLINDING */
 
-
-/* Free cavium RSA key */
-static int FreeCaviumRsaKey(RsaKey* key)
+#ifdef WC_RSA_NONBLOCK
+int wc_RsaSetNonBlock(RsaKey* key, RsaNb* nb)
 {
     if (key == NULL)
         return BAD_FUNC_ARG;
 
-    XFREE(key->c_n,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_e,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_d,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_p,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_q,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_dP, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_dQ, key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-    XFREE(key->c_u,  key->heap, DYNAMIC_TYPE_CAVIUM_TMP);
-
-    return InitCaviumRsaKey(key, key->heap);  /* reset pointers */
-}
-
-
-static int CaviumRsaPublicEncrypt(const byte* in, word32 inLen, byte* out,
-                                   word32 outLen, RsaKey* key)
-{
-    word32 requestId;
-    word32 ret;
-
-    if (key == NULL || in == NULL || out == NULL || outLen < (word32)key->c_nSz)
-        return -1;
-
-    ret = CspPkcs1v15Enc(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_eSz,
-                         (word16)inLen, key->c_n, key->c_e, (byte*)in, out,
-                         &requestId, key->devId);
-    if (ret != 0) {
-        WOLFSSL_MSG("Cavium Enc BT2 failed");
-        return -1;
+    if (nb) {
+        XMEMSET(nb, 0, sizeof(RsaNb));
     }
-    return key->c_nSz;
-}
-
-
-static INLINE void ato16(const byte* c, word16* u16)
-{
-    *u16 = (c[0] << 8) | (c[1]);
-}
-
 
-static int CaviumRsaPrivateDecrypt(const byte* in, word32 inLen, byte* out,
-                                    word32 outLen, RsaKey* key)
-{
-    word32 requestId;
-    word32 ret;
-    word16 outSz = (word16)outLen;
-
-    if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
-        return -1;
-
-    ret = CspPkcs1v15CrtDec(CAVIUM_BLOCKING, BT2, key->c_nSz, key->c_q,
-                            key->c_dQ, key->c_p, key->c_dP, key->c_u,
-                            (byte*)in, &outSz, out, &requestId, key->devId);
-    if (ret != 0) {
-        WOLFSSL_MSG("Cavium CRT Dec BT2 failed");
-        return -1;
-    }
-    ato16((const byte*)&outSz, &outSz); 
+    /* Allow nb == NULL to clear non-block mode */
+    key->nb = nb;
 
-    return outSz;
+    return 0;
 }
-
-
-static int CaviumRsaSSL_Sign(const byte* in, word32 inLen, byte* out,
-                             word32 outLen, RsaKey* key)
+#ifdef WC_RSA_NONBLOCK_TIME
+int wc_RsaSetNonBlockTime(RsaKey* key, word32 maxBlockUs, word32 cpuMHz)
 {
-    word32 requestId;
-    word32 ret;
-
-    if (key == NULL || in == NULL || out == NULL || inLen == 0 || outLen <
-                                                             (word32)key->c_nSz)
-        return -1;
-
-    ret = CspPkcs1v15CrtEnc(CAVIUM_BLOCKING, BT1, key->c_nSz, (word16)inLen,
-                            key->c_q, key->c_dQ, key->c_p, key->c_dP, key->c_u,
-                            (byte*)in, out, &requestId, key->devId);
-    if (ret != 0) {
-        WOLFSSL_MSG("Cavium CRT Enc BT1 failed");
-        return -1;
+    if (key == NULL || key->nb == NULL) {
+        return BAD_FUNC_ARG;
     }
-    return key->c_nSz;
-}
-
-
-static int CaviumRsaSSL_Verify(const byte* in, word32 inLen, byte* out,
-                               word32 outLen, RsaKey* key)
-{
-    word32 requestId;
-    word32 ret;
-    word16 outSz = (word16)outLen;
 
-    if (key == NULL || in == NULL || out == NULL || inLen != (word32)key->c_nSz)
-        return -1;
-
-    ret = CspPkcs1v15Dec(CAVIUM_BLOCKING, BT1, key->c_nSz, key->c_eSz,
-                         key->c_n, key->c_e, (byte*)in, &outSz, out,
-                         &requestId, key->devId);
-    if (ret != 0) {
-        WOLFSSL_MSG("Cavium Dec BT1 failed");
-        return -1;
-    }
-    outSz = ntohs(outSz);
+    /* calculate maximum number of instructions to block */
+    key->nb->exptmod.maxBlockInst = cpuMHz * maxBlockUs;
 
-    return outSz;
+    return 0;
 }
+#endif /* WC_RSA_NONBLOCK_TIME */
+#endif /* WC_RSA_NONBLOCK */
 
-
-#endif /* HAVE_CAVIUM */
-
-#endif /* HAVE_FIPS */
 #endif /* NO_RSA */
-
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/selftest.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/selftest.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/selftest.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha.c
index be8cf17af..5c80563e1 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha.c
@@ -1,8 +1,8 @@
 /* sha.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
@@ -28,431 +28,855 @@
 
 #if !defined(NO_SHA)
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$j")
+        #pragma const_seg(".fipsB$j")
+    #endif
+#endif
+
 #include <wolfssl/wolfcrypt/sha.h>
-#include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
-#ifdef NO_INLINE
-    #include <wolfssl/wolfcrypt/misc.h>
-#else
-    #include <wolfcrypt/src/misc.c>
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
 
 /* fips wrapper calls, user can call direct */
-#ifdef HAVE_FIPS
-	int wc_InitSha(Sha* sha)
-	{
-	    return InitSha_fips(sha);
-	}
-
-
-	int wc_ShaUpdate(Sha* sha, const byte* data, word32 len)
-	{
-	    return ShaUpdate_fips(sha, data, len);
-	}
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
+    int wc_InitSha(wc_Sha* sha)
+    {
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return InitSha_fips(sha);
+    }
+    int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
+    {
+        (void)heap;
+        (void)devId;
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return InitSha_fips(sha);
+    }
 
-	int wc_ShaFinal(Sha* sha, byte* out)
-	{
-	    return ShaFinal_fips(sha,out);
+    int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
+    {
+        if (sha == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+        return ShaUpdate_fips(sha, data, len);
     }
 
-    int wc_ShaHash(const byte* data, word32 sz, byte* out)
+    int wc_ShaFinal(wc_Sha* sha, byte* out)
+    {
+        if (sha == NULL || out == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return ShaFinal_fips(sha,out);
+    }
+    void wc_ShaFree(wc_Sha* sha)
     {
-        return ShaHash(data, sz, out);
+        (void)sha;
+        /* Not supported in FIPS */
     }
 
-#else /* else build without fips */
+#else /* else build without fips, or for FIPS v2 */
+
 
 #if defined(WOLFSSL_TI_HASH)
     /* #include <wolfcrypt/src/port/ti/ti-hash.c> included by wc_port.c */
-#else
-
-#ifdef WOLFSSL_PIC32MZ_HASH
-#define wc_InitSha   wc_InitSha_sw
-#define wc_ShaUpdate wc_ShaUpdate_sw
-#define wc_ShaFinal  wc_ShaFinal_sw
-#endif
 
+#else
 
-#ifdef FREESCALE_MMCAU
-    #include "cau_api.h"
-    #define XTRANSFORM(S,B)  cau_sha1_hash_n((B), 1, ((S))->digest)
+#include <wolfssl/wolfcrypt/logging.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
 #else
-    #define XTRANSFORM(S,B)  Transform((S))
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifdef STM32F2_HASH
-/*
- * STM32F2 hardware SHA1 support through the STM32F2 standard peripheral
- * library. Documentation located in STM32F2xx Standard Peripheral Library
- * document (See note in README).
- */
-#include "stm32f2xx.h"
-#include "stm32f2xx_hash.h"
 
-int wc_InitSha(Sha* sha)
-{
-    /* STM32F2 struct notes:
-     * sha->buffer  = first 4 bytes used to hold partial block if needed
-     * sha->buffLen = num bytes currently stored in sha->buffer
-     * sha->loLen   = num bytes that have been written to STM32 FIFO
-     */
-    XMEMSET(sha->buffer, 0, SHA_REG_SIZE);
-    sha->buffLen = 0;
-    sha->loLen = 0;
-
-    /* initialize HASH peripheral */
-    HASH_DeInit();
-
-    /* configure algo used, algo mode, datatype */
-    HASH->CR &= ~ (HASH_CR_ALGO | HASH_CR_DATATYPE | HASH_CR_MODE);
-    HASH->CR |= (HASH_AlgoSelection_SHA1 | HASH_AlgoMode_HASH
-                 | HASH_DataType_8b);
-
-    /* reset HASH processor */
-    HASH->CR |= HASH_CR_INIT;
+/* Hardware Acceleration */
+#if defined(WOLFSSL_PIC32MZ_HASH)
+    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
 
-    return 0;
-}
+#elif defined(STM32_HASH)
 
-int wc_ShaUpdate(Sha* sha, const byte* data, word32 len)
-{
-    word32 i = 0;
-    word32 fill = 0;
-    word32 diff = 0;
-
-    /* if saved partial block is available */
-    if (sha->buffLen) {
-        fill = 4 - sha->buffLen;
-
-        /* if enough data to fill, fill and push to FIFO */
-        if (fill <= len) {
-            XMEMCPY((byte*)sha->buffer + sha->buffLen, data, fill);
-            HASH_DataIn(*(uint32_t*)sha->buffer);
-
-            data += fill;
-            len -= fill;
-            sha->loLen += 4;
-            sha->buffLen = 0;
-        } else {
-            /* append partial to existing stored block */
-            XMEMCPY((byte*)sha->buffer + sha->buffLen, data, len);
-            sha->buffLen += len;
-            return;
+    /* Supports CubeMX HAL or Standard Peripheral Library */
+    int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
+    {
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
         }
+
+        (void)devId;
+        (void)heap;
+
+        wc_Stm32_Hash_Init(&sha->stmCtx);
+
+        return 0;
     }
 
-    /* write input block in the IN FIFO */
-    for(i = 0; i < len; i += 4)
+    int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
     {
-        diff = len - i;
-        if ( diff < 4) {
-            /* store incomplete last block, not yet in FIFO */
-            XMEMSET(sha->buffer, 0, SHA_REG_SIZE);
-            XMEMCPY((byte*)sha->buffer, data, diff);
-            sha->buffLen = diff;
-        } else {
-            HASH_DataIn(*(uint32_t*)data);
-            data+=4;
+        int ret;
+
+        if (sha == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Update(&sha->stmCtx, HASH_AlgoSelection_SHA1,
+                data, len);
+            wolfSSL_CryptHwMutexUnLock();
         }
+        return ret;
     }
 
-    /* keep track of total data length thus far */
-    sha->loLen += (len - sha->buffLen);
+    int wc_ShaFinal(wc_Sha* sha, byte* hash)
+    {
+        int ret;
 
-    return 0;
-}
+        if (sha == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-int wc_ShaFinal(Sha* sha, byte* hash)
-{
-    __IO uint16_t nbvalidbitsdata = 0;
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Final(&sha->stmCtx, HASH_AlgoSelection_SHA1,
+                hash, WC_SHA_DIGEST_SIZE);
+            wolfSSL_CryptHwMutexUnLock();
+        }
+
+        (void)wc_InitSha(sha);  /* reset state */
 
-    /* finish reading any trailing bytes into FIFO */
-    if (sha->buffLen) {
-        HASH_DataIn(*(uint32_t*)sha->buffer);
-        sha->loLen += sha->buffLen;
+        return ret;
     }
 
-    /* calculate number of valid bits in last word of input data */
-    nbvalidbitsdata = 8 * (sha->loLen % SHA_REG_SIZE);
 
-    /* configure number of valid bits in last word of the data */
-    HASH_SetLastWordValidBitsNbr(nbvalidbitsdata);
+#elif defined(FREESCALE_LTC_SHA)
 
-    /* start HASH processor */
-    HASH_StartDigest();
+    #include "fsl_ltc.h"
+    int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
+    {
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    /* wait until Busy flag == RESET */
-    while (HASH_GetFlagStatus(HASH_FLAG_BUSY) != RESET) {}
+        (void)devId;
+        (void)heap;
 
-    /* read message digest */
-    sha->digest[0] = HASH->HR[0];
-    sha->digest[1] = HASH->HR[1];
-    sha->digest[2] = HASH->HR[2];
-    sha->digest[3] = HASH->HR[3];
-    sha->digest[4] = HASH->HR[4];
+        LTC_HASH_Init(LTC_BASE, &sha->ctx, kLTC_Sha1, NULL, 0);
+        return 0;
+    }
 
-    ByteReverseWords(sha->digest, sha->digest, SHA_DIGEST_SIZE);
+    int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
+    {
+        LTC_HASH_Update(&sha->ctx, data, len);
+        return 0;
+    }
 
-    XMEMCPY(hash, sha->digest, SHA_DIGEST_SIZE);
+    int wc_ShaFinal(wc_Sha* sha, byte* hash)
+    {
+        uint32_t hashlen = WC_SHA_DIGEST_SIZE;
+        LTC_HASH_Finish(&sha->ctx, hash, &hashlen);
+        return wc_InitSha(sha);  /* reset state */
+    }
 
-    return wc_InitSha(sha);  /* reset state */
-}
 
-#else /* wc_ software implementation */
+#elif defined(FREESCALE_MMCAU_SHA)
+
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+        #include "cau_api.h"
+    #else
+        #include "fsl_mmcau.h"
+    #endif
+
+    #define USE_SHA_SOFTWARE_IMPL /* Only for API's, actual transform is here */
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+    #define XTRANSFORM(S,B)       Transform((S),(B))
+    #define XTRANSFORM_LEN(S,B,L) Transform_Len((S),(B),(L))
 
-    static INLINE word32 min(word32 a, word32 b)
+    #ifndef WC_HASH_DATA_ALIGNMENT
+        /* these hardware API's require 4 byte (word32) alignment */
+        #define WC_HASH_DATA_ALIGNMENT 4
+    #endif
+
+    static int InitSha(wc_Sha* sha)
     {
-        return a > b ? b : a;
+        int ret = 0;
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+        cau_sha1_initialize_output(sha->digest);
+    #else
+        MMCAU_SHA1_InitializeOutput((uint32_t*)sha->digest);
+    #endif
+        wolfSSL_CryptHwMutexUnLock();
+
+        sha->buffLen = 0;
+        sha->loLen   = 0;
+        sha->hiLen   = 0;
+
+        return ret;
     }
 
-#endif /* WOLFSSL_HAVE_MIN */
+    static int Transform(wc_Sha* sha, const byte* data)
+    {
+        int ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+            cau_sha1_hash_n((byte*)data, 1, sha->digest);
+    #else
+            MMCAU_SHA1_HashN((byte*)data, 1, (uint32_t*)sha->digest);
+    #endif
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
 
+    static int Transform_Len(wc_Sha* sha, const byte* data, word32 len)
+    {
+        int ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+        #if defined(WC_HASH_DATA_ALIGNMENT) && WC_HASH_DATA_ALIGNMENT > 0
+            if ((size_t)data % WC_HASH_DATA_ALIGNMENT) {
+                /* data pointer is NOT aligned,
+                 * so copy and perform one block at a time */
+                byte* local = (byte*)sha->buffer;
+                while (len >= WC_SHA_BLOCK_SIZE) {
+                    XMEMCPY(local, data, WC_SHA_BLOCK_SIZE);
+                #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+                    cau_sha1_hash_n(local, 1, sha->digest);
+                #else
+                    MMCAU_SHA1_HashN(local, 1, sha->digest);
+                #endif
+                    data += WC_SHA_BLOCK_SIZE;
+                    len  -= WC_SHA_BLOCK_SIZE;
+                }
+            }
+            else
+        #endif
+            {
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+            cau_sha1_hash_n((byte*)data, len/WC_SHA_BLOCK_SIZE, sha->digest);
+    #else
+            MMCAU_SHA1_HashN((byte*)data, len/WC_SHA_BLOCK_SIZE,
+                (uint32_t*)sha->digest);
+    #endif
+            }
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
 
-int wc_InitSha(Sha* sha)
-{
-#ifdef FREESCALE_MMCAU
-    cau_sha1_initialize_output(sha->digest);
-#else
-    sha->digest[0] = 0x67452301L;
-    sha->digest[1] = 0xEFCDAB89L;
-    sha->digest[2] = 0x98BADCFEL;
-    sha->digest[3] = 0x10325476L;
-    sha->digest[4] = 0xC3D2E1F0L;
-#endif
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+    /* wolfcrypt/src/port/caam/caam_sha.c */
 
-    sha->buffLen = 0;
-    sha->loLen   = 0;
-    sha->hiLen   = 0;
+#elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+     !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
 
-    return 0;
-}
+    #include "wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h"
 
-#ifndef FREESCALE_MMCAU
-
-#define blk0(i) (W[i] = sha->buffer[i])
-#define blk1(i) (W[(i)&15] = \
-rotlFixed(W[((i)+13)&15]^W[((i)+8)&15]^W[((i)+2)&15]^W[(i)&15],1))
-
-#define f1(x,y,z) ((z)^((x) &((y)^(z))))
-#define f2(x,y,z) ((x)^(y)^(z))
-#define f3(x,y,z) (((x)&(y))|((z)&((x)|(y))))
-#define f4(x,y,z) ((x)^(y)^(z))
-
-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
-#define R0(v,w,x,y,z,i) (z)+= f1((w),(x),(y)) + blk0((i)) + 0x5A827999+ \
-rotlFixed((v),5); (w) = rotlFixed((w),30);
-#define R1(v,w,x,y,z,i) (z)+= f1((w),(x),(y)) + blk1((i)) + 0x5A827999+ \
-rotlFixed((v),5); (w) = rotlFixed((w),30);
-#define R2(v,w,x,y,z,i) (z)+= f2((w),(x),(y)) + blk1((i)) + 0x6ED9EBA1+ \
-rotlFixed((v),5); (w) = rotlFixed((w),30);
-#define R3(v,w,x,y,z,i) (z)+= f3((w),(x),(y)) + blk1((i)) + 0x8F1BBCDC+ \
-rotlFixed((v),5); (w) = rotlFixed((w),30);
-#define R4(v,w,x,y,z,i) (z)+= f4((w),(x),(y)) + blk1((i)) + 0xCA62C1D6+ \
-rotlFixed((v),5); (w) = rotlFixed((w),30);
-
-static void Transform(Sha* sha)
-{
-    word32 W[SHA_BLOCK_SIZE / sizeof(word32)];
+    #define USE_SHA_SOFTWARE_IMPL
 
-    /* Copy context->state[] to working vars */
-    word32 a = sha->digest[0];
-    word32 b = sha->digest[1];
-    word32 c = sha->digest[2];
-    word32 d = sha->digest[3];
-    word32 e = sha->digest[4];
+    static int InitSha(wc_Sha* sha)
+    {
+        int ret = 0;
 
-#ifdef USE_SLOW_SHA
-    word32 t, i;
+        sha->digest[0] = 0x67452301L;
+        sha->digest[1] = 0xEFCDAB89L;
+        sha->digest[2] = 0x98BADCFEL;
+        sha->digest[3] = 0x10325476L;
+        sha->digest[4] = 0xC3D2E1F0L;
 
-    for (i = 0; i < 16; i++) {
-        R0(a, b, c, d, e, i);
-        t = e; e = d; d = c; c = b; b = a; a = t;
-    }
+        sha->buffLen = 0;
+        sha->loLen   = 0;
+        sha->hiLen   = 0;
+
+        /* always start firstblock = 1 when using hw engine */
+        sha->ctx.isfirstblock = 1;
+        sha->ctx.sha_type = SHA1;
+        if(sha->ctx.mode == ESP32_SHA_HW){
+            /* release hw engine */
+            esp_sha_hw_unlock();
+        }
+        /* always set mode as INIT
+        *  whether using HW or SW is determined at first call of update()
+        */
+        sha->ctx.mode = ESP32_SHA_INIT;
 
-    for (; i < 20; i++) {
-        R1(a, b, c, d, e, i);
-        t = e; e = d; d = c; c = b; b = a; a = t;
+        return ret;
     }
 
-    for (; i < 40; i++) {
-        R2(a, b, c, d, e, i);
-        t = e; e = d; d = c; c = b; b = a; a = t;
-    }
+#elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
+    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
 
-    for (; i < 60; i++) {
-        R3(a, b, c, d, e, i);
-        t = e; e = d; d = c; c = b; b = a; a = t;
-    }
+    /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */
 
-    for (; i < 80; i++) {
-        R4(a, b, c, d, e, i);
-        t = e; e = d; d = c; c = b; b = a; a = t;
-    }
 #else
-    /* nearly 1 K bigger in code size but 25% faster  */
-    /* 4 rounds of 20 operations each. Loop unrolled. */
-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-
-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-
-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-
-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-
-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-#endif
+    /* Software implementation */
+    #define USE_SHA_SOFTWARE_IMPL
 
-    /* Add the working vars back into digest state[] */
-    sha->digest[0] += a;
-    sha->digest[1] += b;
-    sha->digest[2] += c;
-    sha->digest[3] += d;
-    sha->digest[4] += e;
-}
+    static int InitSha(wc_Sha* sha)
+    {
+        int ret = 0;
+
+        sha->digest[0] = 0x67452301L;
+        sha->digest[1] = 0xEFCDAB89L;
+        sha->digest[2] = 0x98BADCFEL;
+        sha->digest[3] = 0x10325476L;
+        sha->digest[4] = 0xC3D2E1F0L;
 
-#endif /* FREESCALE_MMCAU */
+        sha->buffLen = 0;
+        sha->loLen   = 0;
+        sha->hiLen   = 0;
+    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        sha->flags = 0;
+    #endif
+
+        return ret;
+    }
+#endif /* End Hardware Acceleration */
 
+/* Software implementation */
+#ifdef USE_SHA_SOFTWARE_IMPL
 
-static INLINE void AddLength(Sha* sha, word32 len)
+static WC_INLINE void AddLength(wc_Sha* sha, word32 len)
 {
     word32 tmp = sha->loLen;
-    if ( (sha->loLen += len) < tmp)
+    if ((sha->loLen += len) < tmp)
         sha->hiLen++;                       /* carry low to high */
 }
 
+/* Check if custom wc_Sha transform is used */
+#ifndef XTRANSFORM
+    #define XTRANSFORM(S,B)   Transform((S),(B))
+
+    #define blk0(i) (W[i] = *((word32*)&data[i*sizeof(word32)]))
+    #define blk1(i) (W[(i)&15] = \
+        rotlFixed(W[((i)+13)&15]^W[((i)+8)&15]^W[((i)+2)&15]^W[(i)&15],1))
+
+    #define f1(x,y,z) ((z)^((x) &((y)^(z))))
+    #define f2(x,y,z) ((x)^(y)^(z))
+    #define f3(x,y,z) (((x)&(y))|((z)&((x)|(y))))
+    #define f4(x,y,z) ((x)^(y)^(z))
+
+    #ifdef WOLFSSL_NUCLEUS_1_2
+        /* nucleus.h also defines R1-R4 */
+        #undef R1
+        #undef R2
+        #undef R3
+        #undef R4
+    #endif
+
+    /* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+    #define R0(v,w,x,y,z,i) (z)+= f1((w),(x),(y)) + blk0((i)) + 0x5A827999+ \
+        rotlFixed((v),5); (w) = rotlFixed((w),30);
+    #define R1(v,w,x,y,z,i) (z)+= f1((w),(x),(y)) + blk1((i)) + 0x5A827999+ \
+        rotlFixed((v),5); (w) = rotlFixed((w),30);
+    #define R2(v,w,x,y,z,i) (z)+= f2((w),(x),(y)) + blk1((i)) + 0x6ED9EBA1+ \
+        rotlFixed((v),5); (w) = rotlFixed((w),30);
+    #define R3(v,w,x,y,z,i) (z)+= f3((w),(x),(y)) + blk1((i)) + 0x8F1BBCDC+ \
+        rotlFixed((v),5); (w) = rotlFixed((w),30);
+    #define R4(v,w,x,y,z,i) (z)+= f4((w),(x),(y)) + blk1((i)) + 0xCA62C1D6+ \
+        rotlFixed((v),5); (w) = rotlFixed((w),30);
+
+    static int Transform(wc_Sha* sha, const byte* data)
+    {
+        word32 W[WC_SHA_BLOCK_SIZE / sizeof(word32)];
+
+        /* Copy context->state[] to working vars */
+        word32 a = sha->digest[0];
+        word32 b = sha->digest[1];
+        word32 c = sha->digest[2];
+        word32 d = sha->digest[3];
+        word32 e = sha->digest[4];
+
+    #ifdef USE_SLOW_SHA
+        word32 t, i;
+
+        for (i = 0; i < 16; i++) {
+            R0(a, b, c, d, e, i);
+            t = e; e = d; d = c; c = b; b = a; a = t;
+        }
+
+        for (; i < 20; i++) {
+            R1(a, b, c, d, e, i);
+            t = e; e = d; d = c; c = b; b = a; a = t;
+        }
+
+        for (; i < 40; i++) {
+            R2(a, b, c, d, e, i);
+            t = e; e = d; d = c; c = b; b = a; a = t;
+        }
+
+        for (; i < 60; i++) {
+            R3(a, b, c, d, e, i);
+            t = e; e = d; d = c; c = b; b = a; a = t;
+        }
 
-int wc_ShaUpdate(Sha* sha, const byte* data, word32 len)
+        for (; i < 80; i++) {
+            R4(a, b, c, d, e, i);
+            t = e; e = d; d = c; c = b; b = a; a = t;
+        }
+    #else
+        /* nearly 1 K bigger in code size but 25% faster */
+        /* 4 rounds of 20 operations each. Loop unrolled. */
+        R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+        R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+        R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+        R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+
+        R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+
+        R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+        R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+        R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+        R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+        R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+
+        R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+        R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+        R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+        R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+        R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+
+        R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+        R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+        R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+        R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+        R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+    #endif
+
+        /* Add the working vars back into digest state[] */
+        sha->digest[0] += a;
+        sha->digest[1] += b;
+        sha->digest[2] += c;
+        sha->digest[3] += d;
+        sha->digest[4] += e;
+
+        (void)data; /* Not used */
+
+        return 0;
+    }
+#endif /* !USE_CUSTOM_SHA_TRANSFORM */
+
+
+int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
 {
-    /* do block size increments */
-    byte* local = (byte*)sha->buffer;
+    int ret = 0;
+
+    if (sha == NULL)
+        return BAD_FUNC_ARG;
 
-    while (len) {
-        word32 add = min(len, SHA_BLOCK_SIZE - sha->buffLen);
-        XMEMCPY(&local[sha->buffLen], data, add);
+    sha->heap = heap;
+#ifdef WOLF_CRYPTO_CB
+    sha->devId = devId;
+#endif
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    sha->ctx.mode = ESP32_SHA_INIT;
+    sha->ctx.isfirstblock = 1;
+#endif
+    ret = InitSha(sha);
+    if (ret != 0)
+        return ret;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
+    ret = wolfAsync_DevCtxInit(&sha->asyncDev, WOLFSSL_ASYNC_MARKER_SHA,
+                                                            sha->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-        sha->buffLen += add;
-        data         += add;
-        len          -= add;
+    return ret;
+}
 
-        if (sha->buffLen == SHA_BLOCK_SIZE) {
-#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-            ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE);
+/* do block size increments/updates */
+int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
+{
+    int ret = 0;
+    word32 blocksLen;
+    byte* local;
+
+    if (sha == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLF_CRYPTO_CB
+    if (sha->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_ShaHash(sha, data, len, NULL);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        ret = 0; /* reset ret */
+        /* fall-through when unavailable */
+    }
 #endif
-            XTRANSFORM(sha, local);
-            AddLength(sha, SHA_BLOCK_SIZE);
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
+    if (sha->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha(&sha->asyncDev, NULL, data, len);
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    /* check that internal buffLen is valid */
+    if (sha->buffLen >= WC_SHA_BLOCK_SIZE)
+        return BUFFER_E;
+
+    if (data == NULL && len == 0) {
+        /* valid, but do nothing */
+        return 0;
+    }
+
+    /* add length for final */
+    AddLength(sha, len);
+
+    local = (byte*)sha->buffer;
+
+    /* process any remainder from previous operation */
+    if (sha->buffLen > 0) {
+        blocksLen = min(len, WC_SHA_BLOCK_SIZE - sha->buffLen);
+        XMEMCPY(&local[sha->buffLen], data, blocksLen);
+
+        sha->buffLen += blocksLen;
+        data         += blocksLen;
+        len          -= blocksLen;
+
+        if (sha->buffLen == WC_SHA_BLOCK_SIZE) {
+        #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+            ByteReverseWords(sha->buffer, sha->buffer, WC_SHA_BLOCK_SIZE);
+        #endif
+
+        #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+            !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            if (sha->ctx.mode == ESP32_SHA_INIT) {
+                esp_sha_try_hw_lock(&sha->ctx);
+            }
+            if (sha->ctx.mode == ESP32_SHA_SW) {
+                ret = XTRANSFORM(sha, (const byte*)local);
+            } else {
+                esp_sha_process(sha, (const byte*)local);
+            }
+        #else
+            ret = XTRANSFORM(sha, (const byte*)local);
+        #endif
+            if (ret != 0)
+                return ret;
+
             sha->buffLen = 0;
         }
     }
 
-    return 0;
+    /* process blocks */
+#ifdef XTRANSFORM_LEN
+    /* get number of blocks */
+    /* 64-1 = 0x3F (~ Inverted = 0xFFFFFFC0) */
+    /* len (masked by 0xFFFFFFC0) returns block aligned length */
+    blocksLen = len & ~(WC_SHA_BLOCK_SIZE-1);
+    if (blocksLen > 0) {
+        /* Byte reversal performed in function if required. */
+        XTRANSFORM_LEN(sha, data, blocksLen);
+        data += blocksLen;
+        len  -= blocksLen;
+    }
+#else
+    while (len >= WC_SHA_BLOCK_SIZE) {
+        word32* local32 = sha->buffer;
+        /* optimization to avoid memcpy if data pointer is properly aligned */
+        /* Little Endian requires byte swap, so can't use data directly */
+    #if defined(WC_HASH_DATA_ALIGNMENT) && !defined(LITTLE_ENDIAN_ORDER)
+        if (((size_t)data % WC_HASH_DATA_ALIGNMENT) == 0) {
+            local32 = (word32*)data;
+        }
+        else
+    #endif
+        {
+            XMEMCPY(local32, data, WC_SHA_BLOCK_SIZE);
+        }
+
+        data += WC_SHA_BLOCK_SIZE;
+        len  -= WC_SHA_BLOCK_SIZE;
+
+    #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+        ByteReverseWords(local32, local32, WC_SHA_BLOCK_SIZE);
+    #endif
+
+    #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+        !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        if (sha->ctx.mode == ESP32_SHA_INIT){
+            esp_sha_try_hw_lock(&sha->ctx);
+        }
+        if (sha->ctx.mode == ESP32_SHA_SW){
+            ret = XTRANSFORM(sha, (const byte*)local32);
+        } else {
+            esp_sha_process(sha, (const byte*)local32);
+        }
+    #else
+        ret = XTRANSFORM(sha, (const byte*)local32);
+    #endif
+    }
+#endif /* XTRANSFORM_LEN */
+
+    /* save remainder */
+    if (len > 0) {
+        XMEMCPY(local, data, len);
+        sha->buffLen = len;
+    }
+
+    return ret;
 }
 
+int wc_ShaFinalRaw(wc_Sha* sha, byte* hash)
+{
+#ifdef LITTLE_ENDIAN_ORDER
+    word32 digest[WC_SHA_DIGEST_SIZE / sizeof(word32)];
+#endif
+
+    if (sha == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef LITTLE_ENDIAN_ORDER
+    ByteReverseWords((word32*)digest, (word32*)sha->digest, WC_SHA_DIGEST_SIZE);
+    XMEMCPY(hash, digest, WC_SHA_DIGEST_SIZE);
+#else
+    XMEMCPY(hash, sha->digest, WC_SHA_DIGEST_SIZE);
+#endif
+
+    return 0;
+}
 
-int wc_ShaFinal(Sha* sha, byte* hash)
+int wc_ShaFinal(wc_Sha* sha, byte* hash)
 {
-    byte* local = (byte*)sha->buffer;
+    int ret;
+    byte* local;
+
+    if (sha == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    local = (byte*)sha->buffer;
 
-    AddLength(sha, sha->buffLen);  /* before adding pads */
+#ifdef WOLF_CRYPTO_CB
+    if (sha->devId != INVALID_DEVID) {
+        ret = wc_CryptoCb_ShaHash(sha, NULL, 0, hash);
+        if (ret != CRYPTOCB_UNAVAILABLE)
+            return ret;
+        ret = 0; /* reset ret */
+        /* fall-through when unavailable */
+    }
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
+    if (sha->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha(&sha->asyncDev, hash, NULL, WC_SHA_DIGEST_SIZE);
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
     local[sha->buffLen++] = 0x80;  /* add 1 */
 
     /* pad with zeros */
-    if (sha->buffLen > SHA_PAD_SIZE) {
-        XMEMSET(&local[sha->buffLen], 0, SHA_BLOCK_SIZE - sha->buffLen);
-        sha->buffLen += SHA_BLOCK_SIZE - sha->buffLen;
+    if (sha->buffLen > WC_SHA_PAD_SIZE) {
+        XMEMSET(&local[sha->buffLen], 0, WC_SHA_BLOCK_SIZE - sha->buffLen);
+        sha->buffLen += WC_SHA_BLOCK_SIZE - sha->buffLen;
+
+    #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+        ByteReverseWords(sha->buffer, sha->buffer, WC_SHA_BLOCK_SIZE);
+    #endif
+
+    #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+        !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        if (sha->ctx.mode == ESP32_SHA_INIT) {
+            esp_sha_try_hw_lock(&sha->ctx);
+        }
+        if (sha->ctx.mode == ESP32_SHA_SW) {
+            ret = XTRANSFORM(sha, (const byte*)local);
+        } else {
+            ret = esp_sha_process(sha, (const byte*)local);
+        }
+    #else
+        ret = XTRANSFORM(sha, (const byte*)local);
+    #endif
+        if (ret != 0)
+            return ret;
 
-#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-        ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE);
-#endif
-        XTRANSFORM(sha, local);
         sha->buffLen = 0;
     }
-    XMEMSET(&local[sha->buffLen], 0, SHA_PAD_SIZE - sha->buffLen);
+    XMEMSET(&local[sha->buffLen], 0, WC_SHA_PAD_SIZE - sha->buffLen);
 
+#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+    ByteReverseWords(sha->buffer, sha->buffer, WC_SHA_BLOCK_SIZE);
+#endif
+
+    /* store lengths */
     /* put lengths in bits */
-    sha->hiLen = (sha->loLen >> (8*sizeof(sha->loLen) - 3)) +
-    (sha->hiLen << 3);
+    sha->hiLen = (sha->loLen >> (8*sizeof(sha->loLen) - 3)) + (sha->hiLen << 3);
     sha->loLen = sha->loLen << 3;
 
-    /* store lengths */
-#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
-    ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE);
-#endif
     /* ! length ordering dependent on digest endian type ! */
-    XMEMCPY(&local[SHA_PAD_SIZE], &sha->hiLen, sizeof(word32));
-    XMEMCPY(&local[SHA_PAD_SIZE + sizeof(word32)], &sha->loLen, sizeof(word32));
+    XMEMCPY(&local[WC_SHA_PAD_SIZE], &sha->hiLen, sizeof(word32));
+    XMEMCPY(&local[WC_SHA_PAD_SIZE + sizeof(word32)], &sha->loLen, sizeof(word32));
 
-#ifdef FREESCALE_MMCAU
+#if defined(FREESCALE_MMCAU_SHA)
     /* Kinetis requires only these bytes reversed */
-    ByteReverseWords(&sha->buffer[SHA_PAD_SIZE/sizeof(word32)],
-                     &sha->buffer[SHA_PAD_SIZE/sizeof(word32)],
+    ByteReverseWords(&sha->buffer[WC_SHA_PAD_SIZE/sizeof(word32)],
+                     &sha->buffer[WC_SHA_PAD_SIZE/sizeof(word32)],
                      2 * sizeof(word32));
 #endif
 
-    XTRANSFORM(sha, local);
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    if (sha->ctx.mode == ESP32_SHA_INIT) {
+        esp_sha_try_hw_lock(&sha->ctx);
+    }
+    if (sha->ctx.mode == ESP32_SHA_SW) {
+        ret = XTRANSFORM(sha, (const byte*)local);
+    } else {
+        ret = esp_sha_digest_process(sha, 1);
+    }
+#else
+    ret = XTRANSFORM(sha, (const byte*)local);
+#endif
+
 #ifdef LITTLE_ENDIAN_ORDER
-    ByteReverseWords(sha->digest, sha->digest, SHA_DIGEST_SIZE);
+    ByteReverseWords(sha->digest, sha->digest, WC_SHA_DIGEST_SIZE);
 #endif
-    XMEMCPY(hash, sha->digest, SHA_DIGEST_SIZE);
 
-    return wc_InitSha(sha);  /* reset state */
+    XMEMCPY(hash, sha->digest, WC_SHA_DIGEST_SIZE);
+
+    (void)InitSha(sha); /* reset state */
+
+    return ret;
 }
 
-#endif /* STM32F2_HASH */
+#endif /* USE_SHA_SOFTWARE_IMPL */
 
 
-int wc_ShaHash(const byte* data, word32 len, byte* hash)
+int wc_InitSha(wc_Sha* sha)
 {
-    int ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Sha* sha;
-#else
-    Sha sha[1];
-#endif
+    return wc_InitSha_ex(sha, NULL, INVALID_DEVID);
+}
 
-#ifdef WOLFSSL_SMALL_STACK
-    sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+void wc_ShaFree(wc_Sha* sha)
+{
     if (sha == NULL)
-        return MEMORY_E;
-#endif
+        return;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
+    wolfAsync_DevCtxFree(&sha->asyncDev, WOLFSSL_ASYNC_MARKER_SHA);
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    if ((ret = wc_InitSha(sha)) != 0) {
-        WOLFSSL_MSG("wc_InitSha failed");
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_ShaPic32Free(sha);
+#endif
+#if (defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
+    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH))
+    if (sha->msg != NULL) {
+        XFREE(sha->msg, sha->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        sha->msg = NULL;
     }
-    else {
-        wc_ShaUpdate(sha, data, len);
-        wc_ShaFinal(sha, hash);
+#endif
+}
+
+#endif /* !WOLFSSL_TI_HASH */
+#endif /* HAVE_FIPS */
+
+#ifndef WOLFSSL_TI_HASH
+#if !defined(WOLFSSL_RENESAS_TSIP_CRYPT) || \
+    defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
+int wc_ShaGetHash(wc_Sha* sha, byte* hash)
+{
+    int ret;
+    wc_Sha tmpSha;
+
+    if (sha == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    if(sha->ctx.mode == ESP32_SHA_INIT){
+        esp_sha_try_hw_lock(&sha->ctx);
     }
+    if(sha->ctx.mode != ESP32_SHA_SW)
+        esp_sha_digest_process(sha, 0);
+#endif
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    ret = wc_ShaCopy(sha, &tmpSha);
+    if (ret == 0) {
+       ret = wc_ShaFinal(&tmpSha, hash);
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        sha->ctx.mode = ESP32_SHA_SW;
 #endif
 
+
+    }
     return ret;
+}
+
+int wc_ShaCopy(wc_Sha* src, wc_Sha* dst)
+{
+    int ret = 0;
+
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    XMEMCPY(dst, src, sizeof(wc_Sha));
 
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#ifdef WOLFSSL_PIC32MZ_HASH
+    ret = wc_Pic32HashCopy(&src->cache, &dst->cache);
+#endif
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+     dst->ctx.mode = src->ctx.mode;
+     dst->ctx.isfirstblock = src->ctx.isfirstblock;
+     dst->ctx.sha_type = src->ctx.sha_type;
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+     dst->flags |= WC_HASH_FLAG_ISCOPY;
+#endif
+    return ret;
 }
+#endif /* defined(WOLFSSL_RENESAS_TSIP_CRYPT) ... */
+#endif /* !WOLFSSL_TI_HASH */
 
-#endif /* HAVE_FIPS */
-#endif /* WOLFSSL_TI_HASH */
-#endif /* NO_SHA */
 
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_ShaSetFlags(wc_Sha* sha, word32 flags)
+{
+    if (sha) {
+        sha->flags = flags;
+    }
+    return 0;
+}
+int wc_ShaGetFlags(wc_Sha* sha, word32* flags)
+{
+    if (sha && flags) {
+        *flags = sha->flags;
+    }
+    return 0;
+}
+#endif
+
+#endif /* !NO_SHA */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256.c
index f9f02b003..eb0911b01 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256.c
@@ -1,8 +1,8 @@
 /* sha256.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,299 +16,604 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* code submitted by raphael.huck@efixo.com */
-
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
-#include <wolfssl/wolfcrypt/sha256.h>
 
-#if !defined(NO_SHA256)
-#ifdef HAVE_FIPS
+/*
+ * SHA256 Build Options:
+ * USE_SLOW_SHA256:            Reduces code size by not partially unrolling
+                                (~2KB smaller and ~25% slower) (default OFF)
+ * WOLFSSL_SHA256_BY_SPEC:     Uses the Ch/Maj based on SHA256 specification
+                                (default ON)
+ * WOLFSSL_SHA256_ALT_CH_MAJ:  Alternate Ch/Maj that is easier for compilers to
+                                optimize and recognize as SHA256 (default OFF)
+ * SHA256_MANY_REGISTERS:      A SHA256 version that keeps all data in registers
+                                and partial unrolled (default OFF)
+ */
 
-int wc_InitSha256(Sha256* sha)
-{
-    return InitSha256_fips(sha);
-}
+/* Default SHA256 to use Ch/Maj based on specification */
+#if !defined(WOLFSSL_SHA256_BY_SPEC) && !defined(WOLFSSL_SHA256_ALT_CH_MAJ)
+    #define WOLFSSL_SHA256_BY_SPEC
+#endif
 
 
-int wc_Sha256Update(Sha256* sha, const byte* data, word32 len)
-{
-    return Sha256Update_fips(sha, data, len);
-}
+#if !defined(NO_SHA256) && !defined(WOLFSSL_ARMASM)
 
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 
-int wc_Sha256Final(Sha256* sha, byte* out)
-{
-    return Sha256Final_fips(sha, out);
-}
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
 
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$d")
+        #pragma const_seg(".fipsB$d")
+    #endif
+#endif
 
-int wc_Sha256Hash(const byte* data, word32 len, byte* out)
-{
-    return Sha256Hash(data, len, out);
-}
+#include <wolfssl/wolfcrypt/sha256.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#include <wolfssl/wolfcrypt/hash.h>
+
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
+
+/* fips wrapper calls, user can call direct */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+
+    int wc_InitSha256(wc_Sha256* sha)
+    {
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return InitSha256_fips(sha);
+    }
+    int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId)
+    {
+        (void)heap;
+        (void)devId;
+        if (sha == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return InitSha256_fips(sha);
+    }
+    int wc_Sha256Update(wc_Sha256* sha, const byte* data, word32 len)
+    {
+        if (sha == NULL ||  (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (data == NULL && len == 0) {
+            /* valid, but do nothing */
+            return 0;
+        }
+
+        return Sha256Update_fips(sha, data, len);
+    }
+    int wc_Sha256Final(wc_Sha256* sha, byte* out)
+    {
+        if (sha == NULL || out == NULL) {
+            return BAD_FUNC_ARG;
+        }
+        return Sha256Final_fips(sha, out);
+    }
+    void wc_Sha256Free(wc_Sha256* sha)
+    {
+        (void)sha;
+        /* Not supported in FIPS */
+    }
 
-#else /* else build without fips */
+#else /* else build without fips, or for FIPS v2 */
 
-#if !defined(NO_SHA256) && defined(WOLFSSL_TI_HASH)
+
+#if defined(WOLFSSL_TI_HASH)
     /* #include <wolfcrypt/src/port/ti/ti-hash.c> included by wc_port.c */
+#elif defined(WOLFSSL_CRYPTOCELL)
+    /* wc_port.c includes wolfcrypt/src/port/arm/cryptoCellHash.c */
 #else
 
-#if !defined (ALIGN32)
-    #if defined (__GNUC__)
-        #define ALIGN32 __attribute__ ( (aligned (32)))
-    #elif defined(_MSC_VER)
-        /* disable align warning, we want alignment ! */
-        #pragma warning(disable: 4324)
-        #define ALIGN32 __declspec (align (32))
-    #else
-        #define ALIGN32
-    #endif
-#endif
+#include <wolfssl/wolfcrypt/logging.h>
 
-#ifdef WOLFSSL_PIC32MZ_HASH
-#define wc_InitSha256   wc_InitSha256_sw
-#define wc_Sha256Update wc_Sha256Update_sw
-#define wc_Sha256Final  wc_Sha256Final_sw
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
 #endif
 
-#ifdef HAVE_FIPS
-    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
-    #define FIPS_NO_WRAPPERS
+#ifdef WOLFSSL_DEVCRYPTO_HASH
+    #include <wolfssl/wolfcrypt/port/devcrypto/wc_devcrypto.h>
 #endif
 
+
+
 #if defined(USE_INTEL_SPEEDUP)
-#define HAVE_INTEL_AVX1
-#define HAVE_INTEL_AVX2
+    #if defined(__GNUC__) && ((__GNUC__ < 4) || \
+                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
+        #undef  NO_AVX2_SUPPORT
+        #define NO_AVX2_SUPPORT
+    #endif
+    #if defined(__clang__) && ((__clang_major__ < 3) || \
+                               (__clang_major__ == 3 && __clang_minor__ <= 5))
+        #define NO_AVX2_SUPPORT
+    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
+        #undef NO_AVX2_SUPPORT
+    #endif
 
-#if defined(DEBUG_XMM)
-#include "stdio.h"
+    #define HAVE_INTEL_AVX1
+    #ifndef NO_AVX2_SUPPORT
+        #define HAVE_INTEL_AVX2
+    #endif
+#endif /* USE_INTEL_SPEEDUP */
+
+#if defined(HAVE_INTEL_AVX2)
+    #define HAVE_INTEL_RORX
 #endif
 
+
+#if !defined(WOLFSSL_PIC32MZ_HASH) && !defined(STM32_HASH_SHA2) && \
+    (!defined(WOLFSSL_IMX6_CAAM) || defined(NO_IMX6_CAAM_HASH)) && \
+    !defined(WOLFSSL_AFALG_HASH) && !defined(WOLFSSL_DEVCRYPTO_HASH) && \
+    (!defined(WOLFSSL_ESP32WROOM32_CRYPT) || defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)) && \
+    (!defined(WOLFSSL_RENESAS_TSIP_CRYPT) || defined(NO_WOLFSSL_RENESAS_TSIP_HASH))
+
+static int InitSha256(wc_Sha256* sha256)
+{
+    int ret = 0;
+
+    if (sha256 == NULL)
+        return BAD_FUNC_ARG;
+
+    XMEMSET(sha256->digest, 0, sizeof(sha256->digest));
+    sha256->digest[0] = 0x6A09E667L;
+    sha256->digest[1] = 0xBB67AE85L;
+    sha256->digest[2] = 0x3C6EF372L;
+    sha256->digest[3] = 0xA54FF53AL;
+    sha256->digest[4] = 0x510E527FL;
+    sha256->digest[5] = 0x9B05688CL;
+    sha256->digest[6] = 0x1F83D9ABL;
+    sha256->digest[7] = 0x5BE0CD19L;
+
+    sha256->buffLen = 0;
+    sha256->loLen   = 0;
+    sha256->hiLen   = 0;
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    sha256->flags = 0;
 #endif
 
-#if defined(HAVE_INTEL_AVX2)
-#define HAVE_INTEL_RORX
+    return ret;
+}
 #endif
- 
 
-/*****
-Intel AVX1/AVX2 Macro Control Structure
 
-#define HAVE_INTEL_AVX1
-#define HAVE_INTEL_AVX2
+/* Hardware Acceleration */
+#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
 
-#define HAVE_INTEL_RORX
+    /* in case intel instructions aren't available, plus we need the K[] global */
+    #define NEED_SOFT_SHA256
 
+    /*****
+    Intel AVX1/AVX2 Macro Control Structure
 
-int InitSha256(Sha256* sha256) { 
-     Save/Recover XMM, YMM
-     ...
-}
+    #define HAVE_INTEL_AVX1
+    #define HAVE_INTEL_AVX2
 
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-  Transform() ; Function prototype 
-#else
-  Transform() {   }
-  int Sha256Final() { 
-     Save/Recover XMM, YMM
-     ...
-  }
-#endif
+    #define HAVE_INTEL_RORX
 
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-    #if defined(HAVE_INTEL_RORX
-         #define RND with rorx instuction
+
+    int InitSha256(wc_Sha256* sha256) {
+         Save/Recover XMM, YMM
+         ...
+    }
+
+    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
+      Transform_Sha256(); Function prototype
     #else
-        #define RND
+      Transform_Sha256() {   }
+      int Sha256Final() {
+         Save/Recover XMM, YMM
+         ...
+      }
     #endif
-#endif
 
-#if defined(HAVE_INTEL_AVX1)
-   
-   #define XMM Instructions/inline asm
-   
-   int Transform() {
-       Stitched Message Sched/Round
-    } 
-   
-#elif defined(HAVE_INTEL_AVX2)
-  
-  #define YMM Instructions/inline asm
-  
-  int Transform() {
-      More granural Stitched Message Sched/Round
-  }
-  
-*/
+    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
+        #if defined(HAVE_INTEL_RORX
+             #define RND with rorx instruction
+        #else
+            #define RND
+        #endif
+    #endif
 
+    #if defined(HAVE_INTEL_AVX1)
 
-#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+       #define XMM Instructions/inline asm
 
-/* Each platform needs to query info type 1 from cpuid to see if aesni is
- * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
- */
+       int Transform_Sha256() {
+           Stitched Message Sched/Round
+        }
 
-#ifndef _MSC_VER
-    #define cpuid(reg, leaf, sub)\
-            __asm__ __volatile__ ("cpuid":\
-             "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
-             "a" (leaf), "c"(sub));
+    #elif defined(HAVE_INTEL_AVX2)
 
-    #define XASM_LINK(f) asm(f)
-#else
+      #define YMM Instructions/inline asm
 
-    #include <intrin.h>
-    #define cpuid(a,b) __cpuid((int*)a,b)
-
-    #define XASM_LINK(f)
-
-#endif /* _MSC_VER */
-
-#define EAX 0
-#define EBX 1
-#define ECX 2 
-#define EDX 3
-    
-#define CPUID_AVX1   0x1
-#define CPUID_AVX2   0x2
-#define CPUID_RDRAND 0x4
-#define CPUID_RDSEED 0x8
-#define CPUID_BMI2   0x10   /* MULX, RORX */
-
-#define IS_INTEL_AVX1       (cpuid_flags&CPUID_AVX1)
-#define IS_INTEL_AVX2       (cpuid_flags&CPUID_AVX2)
-#define IS_INTEL_BMI2       (cpuid_flags&CPUID_BMI2)
-#define IS_INTEL_RDRAND     (cpuid_flags&CPUID_RDRAND)
-#define IS_INTEL_RDSEED     (cpuid_flags&CPUID_RDSEED)
-
-static word32 cpuid_check = 0 ;
-static word32 cpuid_flags = 0 ;
-
-static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) {
-    int got_intel_cpu=0;
-    unsigned int reg[5]; 
-    
-    reg[4] = '\0' ;
-    cpuid(reg, 0, 0);  
-    if(memcmp((char *)&(reg[EBX]), "Genu", 4) == 0 &&  
-                memcmp((char *)&(reg[EDX]), "ineI", 4) == 0 &&  
-                memcmp((char *)&(reg[ECX]), "ntel", 4) == 0) {  
-        got_intel_cpu = 1;  
-    }    
-    if (got_intel_cpu) {
-        cpuid(reg, leaf, sub);
-        return((reg[num]>>bit)&0x1) ;
-    }
-    return 0 ;
-}
+      int Transform_Sha256() {
+          More granular Stitched Message Sched/Round
+      }
 
-static int set_cpuid_flags(void) {  
-    if(cpuid_check==0) {
-        if(cpuid_flag(1, 0, ECX, 28)){ cpuid_flags |= CPUID_AVX1 ;}
-        if(cpuid_flag(7, 0, EBX, 5)){  cpuid_flags |= CPUID_AVX2 ; }
-        if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; }
-        if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ;  } 
-        if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ;  }
-        cpuid_check = 1 ;
-        return 0 ;
-    }
-    return 1 ;
-}
+    #endif
 
+    */
 
-/* #if defined(HAVE_INTEL_AVX1/2) at the tail of sha512 */
-static int Transform(Sha256* sha256);
+    /* Each platform needs to query info type 1 from cpuid to see if aesni is
+     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
+     */
 
-#if defined(HAVE_INTEL_AVX1)
-static int Transform_AVX1(Sha256 *sha256) ;
+    /* #if defined(HAVE_INTEL_AVX1/2) at the tail of sha256 */
+    static int Transform_Sha256(wc_Sha256* sha256, const byte* data);
+
+#ifdef __cplusplus
+    extern "C" {
 #endif
-#if defined(HAVE_INTEL_AVX2)
-static int Transform_AVX2(Sha256 *sha256) ; 
-static int Transform_AVX1_RORX(Sha256 *sha256) ; 
+
+    #if defined(HAVE_INTEL_AVX1)
+        extern int Transform_Sha256_AVX1(wc_Sha256 *sha256, const byte* data);
+        extern int Transform_Sha256_AVX1_Len(wc_Sha256* sha256,
+                                             const byte* data, word32 len);
+    #endif
+    #if defined(HAVE_INTEL_AVX2)
+        extern int Transform_Sha256_AVX2(wc_Sha256 *sha256, const byte* data);
+        extern int Transform_Sha256_AVX2_Len(wc_Sha256* sha256,
+                                             const byte* data, word32 len);
+        #ifdef HAVE_INTEL_RORX
+        extern int Transform_Sha256_AVX1_RORX(wc_Sha256 *sha256, const byte* data);
+        extern int Transform_Sha256_AVX1_RORX_Len(wc_Sha256* sha256,
+                                                  const byte* data, word32 len);
+        extern int Transform_Sha256_AVX2_RORX(wc_Sha256 *sha256, const byte* data);
+        extern int Transform_Sha256_AVX2_RORX_Len(wc_Sha256* sha256,
+                                                  const byte* data, word32 len);
+        #endif /* HAVE_INTEL_RORX */
+    #endif /* HAVE_INTEL_AVX2 */
+
+#ifdef __cplusplus
+    }  /* extern "C" */
 #endif
 
-static int (*Transform_p)(Sha256* sha256) /* = _Transform */;
+    static int (*Transform_Sha256_p)(wc_Sha256* sha256, const byte* data);
+                                                       /* = _Transform_Sha256 */
+    static int (*Transform_Sha256_Len_p)(wc_Sha256* sha256, const byte* data,
+                                         word32 len);
+                                                                    /* = NULL */
+    static int transform_check = 0;
+    static word32 intel_flags;
 
-#define XTRANSFORM(sha256, B)  (*Transform_p)(sha256)
+    #define XTRANSFORM(S, D)         (*Transform_Sha256_p)((S),(D))
+    #define XTRANSFORM_LEN(S, D, L)  (*Transform_Sha256_Len_p)((S),(D),(L))
 
-static void set_Transform(void) {
-     if(set_cpuid_flags())return ;
+    static void Sha256_SetTransform(void)
+    {
 
-#if defined(HAVE_INTEL_AVX2)
-     if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ 
-         Transform_p = Transform_AVX1_RORX; return ; 
-         Transform_p = Transform_AVX2      ; 
-                  /* for avoiding warning,"not used" */
-     }
-#endif
-#if defined(HAVE_INTEL_AVX1)
-     Transform_p = ((IS_INTEL_AVX1) ? Transform_AVX1 : Transform) ; return ;
-#endif
-     Transform_p = Transform ; return ;
-}
+        if (transform_check)
+            return;
 
-#else
-   #if defined(FREESCALE_MMCAU)
-      #define XTRANSFORM(sha256, B) Transform(sha256, B)
-   #else
-      #define XTRANSFORM(sha256, B) Transform(sha256)
-   #endif
-#endif
+        intel_flags = cpuid_get_flags();
 
-/* Dummy for saving MM_REGs on behalf of Transform */
-#if defined(HAVE_INTEL_AVX2)&& !defined(HAVE_INTEL_AVX1)
-#define  SAVE_XMM_YMM   __asm__ volatile("or %%r8d, %%r8d":::\
-  "%ymm4","%ymm5","%ymm6","%ymm7","%ymm8","%ymm9","%ymm10","%ymm11","%ymm12","%ymm13","%ymm14","%ymm15")
-#elif defined(HAVE_INTEL_AVX1)
-#define  SAVE_XMM_YMM   __asm__ volatile("or %%r8d, %%r8d":::\
-    "xmm0","xmm1","xmm2","xmm3","xmm4","xmm5","xmm6","xmm7","xmm8","xmm9","xmm10",\
-    "xmm11","xmm12","xmm13","xmm14","xmm15")
-#else
-#define  SAVE_XMM_YMM
-#endif
+    #ifdef HAVE_INTEL_AVX2
+        if (1 && IS_INTEL_AVX2(intel_flags)) {
+        #ifdef HAVE_INTEL_RORX
+            if (IS_INTEL_BMI2(intel_flags)) {
+                Transform_Sha256_p = Transform_Sha256_AVX2_RORX;
+                Transform_Sha256_Len_p = Transform_Sha256_AVX2_RORX_Len;
+            }
+            else
+        #endif
+            if (1)
+            {
+                Transform_Sha256_p = Transform_Sha256_AVX2;
+                Transform_Sha256_Len_p = Transform_Sha256_AVX2_Len;
+            }
+        #ifdef HAVE_INTEL_RORX
+            else {
+                Transform_Sha256_p = Transform_Sha256_AVX1_RORX;
+                Transform_Sha256_Len_p = Transform_Sha256_AVX1_RORX_Len;
+            }
+        #endif
+        }
+        else
+    #endif
+    #ifdef HAVE_INTEL_AVX1
+        if (IS_INTEL_AVX1(intel_flags)) {
+            Transform_Sha256_p = Transform_Sha256_AVX1;
+            Transform_Sha256_Len_p = Transform_Sha256_AVX1_Len;
+        }
+        else
+    #endif
+        {
+            Transform_Sha256_p = Transform_Sha256;
+            Transform_Sha256_Len_p = NULL;
+        }
 
-#ifdef WOLFSSL_PIC32MZ_HASH
-#define InitSha256   InitSha256_sw
-#define Sha256Update Sha256Update_sw
-#define Sha256Final  Sha256Final_sw
-#endif
+        transform_check = 1;
+    }
 
-#include <wolfssl/wolfcrypt/logging.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        int ret = 0;
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
 
-#ifdef NO_INLINE
-    #include <wolfssl/wolfcrypt/misc.h>
-#else
-    #include <wolfcrypt/src/misc.c>
-#endif
+        sha256->heap = heap;
+    #ifdef WOLF_CRYPTO_CB
+        sha256->devId = devId;
+    #endif
 
-#ifdef FREESCALE_MMCAU
-    #include "cau_api.h"
-#endif
+        ret = InitSha256(sha256);
+        if (ret != 0)
+            return ret;
+
+        /* choose best Transform function under this runtime environment */
+        Sha256_SetTransform();
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+        ret = wolfAsync_DevCtxInit(&sha256->asyncDev,
+                            WOLFSSL_ASYNC_MARKER_SHA256, sha256->heap, devId);
+    #else
+        (void)devId;
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
+        return ret;
+    }
 
-    static INLINE word32 min(word32 a, word32 b)
+#elif defined(FREESCALE_LTC_SHA)
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
     {
-        return a > b ? b : a;
+        (void)heap;
+        (void)devId;
+
+        LTC_HASH_Init(LTC_BASE, &sha256->ctx, kLTC_Sha256, NULL, 0);
+
+        return 0;
     }
 
-#endif /* WOLFSSL_HAVE_MIN */
+#elif defined(FREESCALE_MMCAU_SHA)
 
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+        #include "cau_api.h"
+    #else
+        #include "fsl_mmcau.h"
+    #endif
 
-int wc_InitSha256(Sha256* sha256)
-{
-    #ifdef FREESCALE_MMCAU
+    #define XTRANSFORM(S, D)         Transform_Sha256((S),(D))
+    #define XTRANSFORM_LEN(S, D, L)  Transform_Sha256_Len((S),(D),(L))
+
+    #ifndef WC_HASH_DATA_ALIGNMENT
+        /* these hardware API's require 4 byte (word32) alignment */
+        #define WC_HASH_DATA_ALIGNMENT 4
+    #endif
+
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        int ret = 0;
+
+        (void)heap;
+        (void)devId;
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret != 0) {
+            return ret;
+        }
+
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
         cau_sha256_initialize_output(sha256->digest);
     #else
+        MMCAU_SHA256_InitializeOutput((uint32_t*)sha256->digest);
+    #endif
+        wolfSSL_CryptHwMutexUnLock();
+
+        sha256->buffLen = 0;
+        sha256->loLen   = 0;
+        sha256->hiLen   = 0;
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+        sha256->W = NULL;
+    #endif
+
+        return ret;
+    }
+
+    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)
+    {
+        int ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+            cau_sha256_hash_n((byte*)data, 1, sha256->digest);
+    #else
+            MMCAU_SHA256_HashN((byte*)data, 1, sha256->digest);
+    #endif
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
+
+    static int Transform_Sha256_Len(wc_Sha256* sha256, const byte* data,
+        word32 len)
+    {
+        int ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+        #if defined(WC_HASH_DATA_ALIGNMENT) && WC_HASH_DATA_ALIGNMENT > 0
+            if ((size_t)data % WC_HASH_DATA_ALIGNMENT) {
+                /* data pointer is NOT aligned,
+                 * so copy and perform one block at a time */
+                byte* local = (byte*)sha256->buffer;
+                while (len >= WC_SHA256_BLOCK_SIZE) {
+                    XMEMCPY(local, data, WC_SHA256_BLOCK_SIZE);
+                #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+                    cau_sha256_hash_n(local, 1, sha256->digest);
+                #else
+                    MMCAU_SHA256_HashN(local, 1, sha256->digest);
+                #endif
+                    data += WC_SHA256_BLOCK_SIZE;
+                    len  -= WC_SHA256_BLOCK_SIZE;
+                }
+            }
+            else
+        #endif
+            {
+    #ifdef FREESCALE_MMCAU_CLASSIC_SHA
+            cau_sha256_hash_n((byte*)data, len/WC_SHA256_BLOCK_SIZE,
+                sha256->digest);
+    #else
+            MMCAU_SHA256_HashN((byte*)data, len/WC_SHA256_BLOCK_SIZE,
+                sha256->digest);
+    #endif
+            }
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
+
+#elif defined(WOLFSSL_PIC32MZ_HASH)
+    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
+
+#elif defined(STM32_HASH_SHA2)
+
+    /* Supports CubeMX HAL or Standard Peripheral Library */
+
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
+
+        (void)devId;
+        (void)heap;
+
+        wc_Stm32_Hash_Init(&sha256->stmCtx);
+        return 0;
+    }
+
+    int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)
+    {
+        int ret = 0;
+
+        if (sha256 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Update(&sha256->stmCtx,
+                HASH_AlgoSelection_SHA256, data, len);
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
+    }
+
+    int wc_Sha256Final(wc_Sha256* sha256, byte* hash)
+    {
+        int ret = 0;
+
+        if (sha256 == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Final(&sha256->stmCtx,
+                HASH_AlgoSelection_SHA256, hash, WC_SHA256_DIGEST_SIZE);
+            wolfSSL_CryptHwMutexUnLock();
+        }
+
+        (void)wc_InitSha256(sha256); /* reset state */
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+    /* functions defined in wolfcrypt/src/port/caam/caam_sha256.c */
+
+#elif defined(WOLFSSL_AFALG_HASH)
+    /* implemented in wolfcrypt/src/port/af_alg/afalg_hash.c */
+
+#elif defined(WOLFSSL_DEVCRYPTO_HASH)
+    /* implemented in wolfcrypt/src/port/devcrypto/devcrypt_hash.c */
+
+#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_HASH)
+    #include "hal_data.h"
+
+    #ifndef WOLFSSL_SCE_SHA256_HANDLE
+        #define WOLFSSL_SCE_SHA256_HANDLE g_sce_hash_0
+    #endif
+
+    #define WC_SHA256_DIGEST_WORD_SIZE 16
+    #define XTRANSFORM(S, D) wc_Sha256SCE_XTRANSFORM((S), (D))
+    static int wc_Sha256SCE_XTRANSFORM(wc_Sha256* sha256, const byte* data)
+    {
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_LITTLE)
+        {
+            ByteReverseWords((word32*)data, (word32*)data,
+                    WC_SHA256_BLOCK_SIZE);
+            ByteReverseWords(sha256->digest, sha256->digest,
+                    WC_SHA256_DIGEST_SIZE);
+        }
+
+        if (WOLFSSL_SCE_SHA256_HANDLE.p_api->hashUpdate(
+                    WOLFSSL_SCE_SHA256_HANDLE.p_ctrl, (word32*)data,
+                    WC_SHA256_DIGEST_WORD_SIZE, sha256->digest) != SSP_SUCCESS){
+            WOLFSSL_MSG("Unexpected hardware return value");
+            return WC_HW_E;
+        }
+
+        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
+                CRYPTO_WORD_ENDIAN_LITTLE)
+        {
+            ByteReverseWords((word32*)data, (word32*)data,
+                    WC_SHA256_BLOCK_SIZE);
+            ByteReverseWords(sha256->digest, sha256->digest,
+                    WC_SHA256_DIGEST_SIZE);
+        }
+
+        return 0;
+    }
+
+
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        int ret = 0;
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
+
+        sha256->heap = heap;
+
+        ret = InitSha256(sha256);
+        if (ret != 0)
+            return ret;
+
+        (void)devId;
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+
+    #define NEED_SOFT_SHA256
+
+    static int InitSha256(wc_Sha256* sha256)
+    {
+        int ret = 0;
+
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
+
+        XMEMSET(sha256->digest, 0, sizeof(sha256->digest));
         sha256->digest[0] = 0x6A09E667L;
         sha256->digest[1] = 0xBB67AE85L;
         sha256->digest[2] = 0x3C6EF372L;
@@ -317,1450 +622,1023 @@ int wc_InitSha256(Sha256* sha256)
         sha256->digest[5] = 0x9B05688CL;
         sha256->digest[6] = 0x1F83D9ABL;
         sha256->digest[7] = 0x5BE0CD19L;
-    #endif
 
-    sha256->buffLen = 0;
-    sha256->loLen   = 0;
-    sha256->hiLen   = 0;
-    
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-    set_Transform() ; /* choose best Transform function under this runtime environment */
-#endif
-
-    return 0;
-}
+        sha256->buffLen = 0;
+        sha256->loLen   = 0;
+        sha256->hiLen   = 0;
+
+        /* always start firstblock = 1 when using hw engine */
+        sha256->ctx.isfirstblock = 1;
+        sha256->ctx.sha_type = SHA2_256;
+        if(sha256->ctx.mode == ESP32_SHA_HW) {
+            /* release hw */
+            esp_sha_hw_unlock();
+        }
+        /* always set mode as INIT
+        *  whether using HW or SW is determined at first call of update()
+        */
+        sha256->ctx.mode = ESP32_SHA_INIT;
 
+        return ret;
+    }
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        int ret = 0;
 
-#if !defined(FREESCALE_MMCAU)
-static const ALIGN32 word32 K[64] = {
-    0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL,
-    0x59F111F1L, 0x923F82A4L, 0xAB1C5ED5L, 0xD807AA98L, 0x12835B01L,
-    0x243185BEL, 0x550C7DC3L, 0x72BE5D74L, 0x80DEB1FEL, 0x9BDC06A7L,
-    0xC19BF174L, 0xE49B69C1L, 0xEFBE4786L, 0x0FC19DC6L, 0x240CA1CCL,
-    0x2DE92C6FL, 0x4A7484AAL, 0x5CB0A9DCL, 0x76F988DAL, 0x983E5152L,
-    0xA831C66DL, 0xB00327C8L, 0xBF597FC7L, 0xC6E00BF3L, 0xD5A79147L,
-    0x06CA6351L, 0x14292967L, 0x27B70A85L, 0x2E1B2138L, 0x4D2C6DFCL,
-    0x53380D13L, 0x650A7354L, 0x766A0ABBL, 0x81C2C92EL, 0x92722C85L,
-    0xA2BFE8A1L, 0xA81A664BL, 0xC24B8B70L, 0xC76C51A3L, 0xD192E819L,
-    0xD6990624L, 0xF40E3585L, 0x106AA070L, 0x19A4C116L, 0x1E376C08L,
-    0x2748774CL, 0x34B0BCB5L, 0x391C0CB3L, 0x4ED8AA4AL, 0x5B9CCA4FL,
-    0x682E6FF3L, 0x748F82EEL, 0x78A5636FL, 0x84C87814L, 0x8CC70208L,
-    0x90BEFFFAL, 0xA4506CEBL, 0xBEF9A3F7L, 0xC67178F2L
-};
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
 
-#endif
+        XMEMSET(sha256, 0, sizeof(wc_Sha256));
+        sha256->ctx.mode = ESP32_SHA_INIT;
+        sha256->ctx.isfirstblock = 1;
+        (void)devId;
 
-#if defined(FREESCALE_MMCAU)
+        ret = InitSha256(sha256);
 
-static int Transform(Sha256* sha256, byte* buf)
-{
-    cau_sha256_hash_n(buf, 1, sha256->digest);
+        return ret;
+    }
 
-    return 0;
-}
+#elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
+    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
 
-#endif /* FREESCALE_MMCAU */
+    /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */
 
-#define Ch(x,y,z)       ((z) ^ ((x) & ((y) ^ (z))))
-#define Maj(x,y,z)      ((((x) | (y)) & (z)) | ((x) & (y)))
-#define R(x, n)         (((x)&0xFFFFFFFFU)>>(n))
+#else
+    #define NEED_SOFT_SHA256
 
-#define S(x, n)         rotrFixed(x, n)
-#define Sigma0(x)       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-#define Sigma1(x)       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-#define Gamma0(x)       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-#define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+    int wc_InitSha256_ex(wc_Sha256* sha256, void* heap, int devId)
+    {
+        int ret = 0;
+        if (sha256 == NULL)
+            return BAD_FUNC_ARG;
+
+        sha256->heap = heap;
+    #ifdef WOLF_CRYPTO_CB
+        sha256->devId = devId;
+        sha256->devCtx = NULL;
+    #endif
 
-#define RND(a,b,c,d,e,f,g,h,i) \
-     t0 = (h) + Sigma1((e)) + Ch((e), (f), (g)) + K[(i)] + W[(i)]; \
-     t1 = Sigma0((a)) + Maj((a), (b), (c)); \
-     (d) += t0; \
-     (h)  = t0 + t1;
+        ret = InitSha256(sha256);
+        if (ret != 0)
+            return ret;
 
-#if !defined(FREESCALE_MMCAU)
-static int Transform(Sha256* sha256)
-{
-    word32 S[8], t0, t1;
-    int i;
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+        sha256->W = NULL;
+    #endif
 
-#ifdef WOLFSSL_SMALL_STACK
-    word32* W;
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+        ret = wolfAsync_DevCtxInit(&sha256->asyncDev,
+                            WOLFSSL_ASYNC_MARKER_SHA256, sha256->heap, devId);
+    #else
+        (void)devId;
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
-    W = (word32*) XMALLOC(sizeof(word32) * 64, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (W == NULL)
-        return MEMORY_E;
+        return ret;
+    }
+#endif /* End Hardware Acceleration */
+
+#ifdef NEED_SOFT_SHA256
+
+    static const ALIGN32 word32 K[64] = {
+        0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL,
+        0x59F111F1L, 0x923F82A4L, 0xAB1C5ED5L, 0xD807AA98L, 0x12835B01L,
+        0x243185BEL, 0x550C7DC3L, 0x72BE5D74L, 0x80DEB1FEL, 0x9BDC06A7L,
+        0xC19BF174L, 0xE49B69C1L, 0xEFBE4786L, 0x0FC19DC6L, 0x240CA1CCL,
+        0x2DE92C6FL, 0x4A7484AAL, 0x5CB0A9DCL, 0x76F988DAL, 0x983E5152L,
+        0xA831C66DL, 0xB00327C8L, 0xBF597FC7L, 0xC6E00BF3L, 0xD5A79147L,
+        0x06CA6351L, 0x14292967L, 0x27B70A85L, 0x2E1B2138L, 0x4D2C6DFCL,
+        0x53380D13L, 0x650A7354L, 0x766A0ABBL, 0x81C2C92EL, 0x92722C85L,
+        0xA2BFE8A1L, 0xA81A664BL, 0xC24B8B70L, 0xC76C51A3L, 0xD192E819L,
+        0xD6990624L, 0xF40E3585L, 0x106AA070L, 0x19A4C116L, 0x1E376C08L,
+        0x2748774CL, 0x34B0BCB5L, 0x391C0CB3L, 0x4ED8AA4AL, 0x5B9CCA4FL,
+        0x682E6FF3L, 0x748F82EEL, 0x78A5636FL, 0x84C87814L, 0x8CC70208L,
+        0x90BEFFFAL, 0xA4506CEBL, 0xBEF9A3F7L, 0xC67178F2L
+    };
+
+/* Both versions of Ch and Maj are logically the same, but with the second set
+    the compilers can recognize them better for optimization */
+#ifdef WOLFSSL_SHA256_BY_SPEC
+    /* SHA256 math based on specification */
+    #define Ch(x,y,z)       ((z) ^ ((x) & ((y) ^ (z))))
+    #define Maj(x,y,z)      ((((x) | (y)) & (z)) | ((x) & (y)))
 #else
-    word32 W[64];
+    /* SHA256 math reworked for easier compiler optimization */
+    #define Ch(x,y,z)       ((((y) ^ (z)) & (x)) ^ (z))
+    #define Maj(x,y,z)      ((((x) ^ (y)) & ((y) ^ (z))) ^ (y))
 #endif
+    #define R(x, n)         (((x) & 0xFFFFFFFFU) >> (n))
+
+    #define S(x, n)         rotrFixed(x, n)
+    #define Sigma0(x)       (S(x, 2)  ^ S(x, 13) ^ S(x, 22))
+    #define Sigma1(x)       (S(x, 6)  ^ S(x, 11) ^ S(x, 25))
+    #define Gamma0(x)       (S(x, 7)  ^ S(x, 18) ^ R(x, 3))
+    #define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+
+    #define a(i) S[(0-i) & 7]
+    #define b(i) S[(1-i) & 7]
+    #define c(i) S[(2-i) & 7]
+    #define d(i) S[(3-i) & 7]
+    #define e(i) S[(4-i) & 7]
+    #define f(i) S[(5-i) & 7]
+    #define g(i) S[(6-i) & 7]
+    #define h(i) S[(7-i) & 7]
+
+    #ifndef XTRANSFORM
+         #define XTRANSFORM(S, D)         Transform_Sha256((S),(D))
+    #endif
 
-    /* Copy context->state[] to working vars */
-    for (i = 0; i < 8; i++)
-        S[i] = sha256->digest[i];
-
-    for (i = 0; i < 16; i++)
-        W[i] = sha256->buffer[i];
-
-    for (i = 16; i < 64; i++)
-        W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15]) + W[i-16];
-
-    for (i = 0; i < 64; i += 8) {
-        RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0);
-        RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1);
-        RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2);
-        RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3);
-        RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4);
-        RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5);
-        RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6);
-        RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7);
-    }
+#ifndef SHA256_MANY_REGISTERS
+    #define RND(j) \
+         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+j] + W[i+j]; \
+         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \
+         d(j) += t0; \
+         h(j)  = t0 + t1
+
+    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)
+    {
+        word32 S[8], t0, t1;
+        int i;
+
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+        word32* W = sha256->W;
+        if (W == NULL) {
+            W = (word32*)XMALLOC(sizeof(word32) * WC_SHA256_BLOCK_SIZE, NULL,
+                                                           DYNAMIC_TYPE_DIGEST);
+            if (W == NULL)
+                return MEMORY_E;
+            sha256->W = W;
+        }
+    #elif defined(WOLFSSL_SMALL_STACK)
+        word32* W;
+        W = (word32*)XMALLOC(sizeof(word32) * WC_SHA256_BLOCK_SIZE, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        if (W == NULL)
+            return MEMORY_E;
+    #else
+        word32 W[WC_SHA256_BLOCK_SIZE];
+    #endif
+
+        /* Copy context->state[] to working vars */
+        for (i = 0; i < 8; i++)
+            S[i] = sha256->digest[i];
+
+        for (i = 0; i < 16; i++)
+            W[i] = *((word32*)&data[i*sizeof(word32)]);
+
+        for (i = 16; i < WC_SHA256_BLOCK_SIZE; i++)
+            W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15]) + W[i-16];
+
+    #ifdef USE_SLOW_SHA256
+        /* not unrolled - ~2k smaller and ~25% slower */
+        for (i = 0; i < WC_SHA256_BLOCK_SIZE; i += 8) {
+            int j;
+            for (j = 0; j < 8; j++) { /* braces needed here for macros {} */
+                RND(j);
+            }
+        }
+    #else
+        /* partially loop unrolled */
+        for (i = 0; i < WC_SHA256_BLOCK_SIZE; i += 8) {
+            RND(0); RND(1); RND(2); RND(3);
+            RND(4); RND(5); RND(6); RND(7);
+        }
+    #endif /* USE_SLOW_SHA256 */
 
-    /* Add the working vars back into digest state[] */
-    for (i = 0; i < 8; i++) {
-        sha256->digest[i] += S[i];
+        /* Add the working vars back into digest state[] */
+        for (i = 0; i < 8; i++) {
+            sha256->digest[i] += S[i];
+        }
+
+    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
+        XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return 0;
     }
+#else
+    /* SHA256 version that keeps all data in registers */
+    #define SCHED1(j) (W[j] = *((word32*)&data[j*sizeof(word32)]))
+    #define SCHED(j) (               \
+                   W[ j     & 15] += \
+            Gamma1(W[(j-2)  & 15])+  \
+                   W[(j-7)  & 15] +  \
+            Gamma0(W[(j-15) & 15])   \
+        )
+
+    #define RND1(j) \
+         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+j] + SCHED1(j); \
+         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \
+         d(j) += t0; \
+         h(j)  = t0 + t1
+    #define RNDN(j) \
+         t0 = h(j) + Sigma1(e(j)) + Ch(e(j), f(j), g(j)) + K[i+j] + SCHED(j); \
+         t1 = Sigma0(a(j)) + Maj(a(j), b(j), c(j)); \
+         d(j) += t0; \
+         h(j)  = t0 + t1
+
+    static int Transform_Sha256(wc_Sha256* sha256, const byte* data)
+    {
+        word32 S[8], t0, t1;
+        int i;
+        word32 W[WC_SHA256_BLOCK_SIZE/sizeof(word32)];
+
+        /* Copy digest to working vars */
+        S[0] = sha256->digest[0];
+        S[1] = sha256->digest[1];
+        S[2] = sha256->digest[2];
+        S[3] = sha256->digest[3];
+        S[4] = sha256->digest[4];
+        S[5] = sha256->digest[5];
+        S[6] = sha256->digest[6];
+        S[7] = sha256->digest[7];
+
+        i = 0;
+        RND1( 0); RND1( 1); RND1( 2); RND1( 3);
+        RND1( 4); RND1( 5); RND1( 6); RND1( 7);
+        RND1( 8); RND1( 9); RND1(10); RND1(11);
+        RND1(12); RND1(13); RND1(14); RND1(15);
+        /* 64 operations, partially loop unrolled */
+        for (i = 16; i < 64; i += 16) {
+            RNDN( 0); RNDN( 1); RNDN( 2); RNDN( 3);
+            RNDN( 4); RNDN( 5); RNDN( 6); RNDN( 7);
+            RNDN( 8); RNDN( 9); RNDN(10); RNDN(11);
+            RNDN(12); RNDN(13); RNDN(14); RNDN(15);
+        }
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        /* Add the working vars back into digest */
+        sha256->digest[0] += S[0];
+        sha256->digest[1] += S[1];
+        sha256->digest[2] += S[2];
+        sha256->digest[3] += S[3];
+        sha256->digest[4] += S[4];
+        sha256->digest[5] += S[5];
+        sha256->digest[6] += S[6];
+        sha256->digest[7] += S[7];
+
+        return 0;
+    }
+#endif /* SHA256_MANY_REGISTERS */
 #endif
+/* End wc_ software implementation */
 
-    return 0;
-}
 
-#endif /* #if !defined(FREESCALE_MMCAU) */
+#ifdef XTRANSFORM
 
-static INLINE void AddLength(Sha256* sha256, word32 len)
-{
-    word32 tmp = sha256->loLen;
-    if ( (sha256->loLen += len) < tmp)
-        sha256->hiLen++;                       /* carry low to high */
-}
+    static WC_INLINE void AddLength(wc_Sha256* sha256, word32 len)
+    {
+        word32 tmp = sha256->loLen;
+        if ((sha256->loLen += len) < tmp) {
+            sha256->hiLen++;                       /* carry low to high */
+        }
+    }
 
-int wc_Sha256Update(Sha256* sha256, const byte* data, word32 len)
-{
+    /* do block size increments/updates */
+    static WC_INLINE int Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)
+    {
+        int ret = 0;
+        word32 blocksLen;
+        byte* local;
 
-    /* do block size increments */
-    byte* local = (byte*)sha256->buffer;
+        if (sha256 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (data == NULL && len == 0) {
+            /* valid, but do nothing */
+            return 0;
+        }
+
+        /* check that internal buffLen is valid */
+        if (sha256->buffLen >= WC_SHA256_BLOCK_SIZE) {
+            return BUFFER_E;
+        }
 
-    SAVE_XMM_YMM ; /* for Intel AVX */
+        /* add length for final */
+        AddLength(sha256, len);
 
-    while (len) {
-        word32 add = min(len, SHA256_BLOCK_SIZE - sha256->buffLen);
-        XMEMCPY(&local[sha256->buffLen], data, add);
+        local = (byte*)sha256->buffer;
 
-        sha256->buffLen += add;
-        data            += add;
-        len             -= add;
+        /* process any remainder from previous operation */
+        if (sha256->buffLen > 0) {
+            blocksLen = min(len, WC_SHA256_BLOCK_SIZE - sha256->buffLen);
+            XMEMCPY(&local[sha256->buffLen], data, blocksLen);
 
-        if (sha256->buffLen == SHA256_BLOCK_SIZE) {
-            int ret;
+            sha256->buffLen += blocksLen;
+            data            += blocksLen;
+            len             -= blocksLen;
 
-            #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
+            if (sha256->buffLen == WC_SHA256_BLOCK_SIZE) {
+            #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
                 #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-                if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)
+                if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
                 #endif
-                ByteReverseWords(sha256->buffer, sha256->buffer,
-                                 SHA256_BLOCK_SIZE);
+                {
+                    ByteReverseWords(sha256->buffer, sha256->buffer,
+                        WC_SHA256_BLOCK_SIZE);
+                }
             #endif
-            ret = XTRANSFORM(sha256, local);
-            if (ret != 0)
-                return ret;
 
-            AddLength(sha256, SHA256_BLOCK_SIZE);
-            sha256->buffLen = 0;
+            #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+                !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+                if (sha256->ctx.mode == ESP32_SHA_INIT){
+                    esp_sha_try_hw_lock(&sha256->ctx);
+                }
+                if (sha256->ctx.mode == ESP32_SHA_SW){
+                    ret = XTRANSFORM(sha256, (const byte*)local);
+                } else {
+                    esp_sha256_process(sha256, (const byte*)local);
+                }
+            #else
+                ret = XTRANSFORM(sha256, (const byte*)local);
+            #endif
+
+                if (ret == 0)
+                    sha256->buffLen = 0;
+                else
+                    len = 0; /* error */
+            }
+        }
+
+        /* process blocks */
+    #ifdef XTRANSFORM_LEN
+        #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        if (Transform_Sha256_Len_p != NULL)
+        #endif
+        {
+            /* get number of blocks */
+            /* 64-1 = 0x3F (~ Inverted = 0xFFFFFFC0) */
+            /* len (masked by 0xFFFFFFC0) returns block aligned length */
+            blocksLen = len & ~(WC_SHA256_BLOCK_SIZE-1);
+            if (blocksLen > 0) {
+                /* Byte reversal and alignment handled in function if required */
+                XTRANSFORM_LEN(sha256, data, blocksLen);
+                data += blocksLen;
+                len  -= blocksLen;
+            }
         }
+        #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        else
+        #endif
+    #endif /* XTRANSFORM_LEN */
+    #if !defined(XTRANSFORM_LEN) || defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        {
+            while (len >= WC_SHA256_BLOCK_SIZE) {
+                word32* local32 = sha256->buffer;
+                /* optimization to avoid memcpy if data pointer is properly aligned */
+                /* Intel transform function requires use of sha256->buffer */
+                /* Little Endian requires byte swap, so can't use data directly */
+            #if defined(WC_HASH_DATA_ALIGNMENT) && !defined(LITTLE_ENDIAN_ORDER) && \
+                !defined(HAVE_INTEL_AVX1) && !defined(HAVE_INTEL_AVX2)
+                if (((size_t)data % WC_HASH_DATA_ALIGNMENT) == 0) {
+                    local32 = (word32*)data;
+                }
+                else
+            #endif
+                {
+                    XMEMCPY(local32, data, WC_SHA256_BLOCK_SIZE);
+                }
+
+                data += WC_SHA256_BLOCK_SIZE;
+                len  -= WC_SHA256_BLOCK_SIZE;
+
+            #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
+                #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+                if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
+                #endif
+                {
+                    ByteReverseWords(local32, local32, WC_SHA256_BLOCK_SIZE);
+                }
+            #endif
+
+            #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+                !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+                if (sha256->ctx.mode == ESP32_SHA_INIT){
+                    esp_sha_try_hw_lock(&sha256->ctx);
+                }
+                if (sha256->ctx.mode == ESP32_SHA_SW){
+                    ret = XTRANSFORM(sha256, (const byte*)local32);
+                } else {
+                    esp_sha256_process(sha256, (const byte*)local32);
+                }
+            #else
+                ret = XTRANSFORM(sha256, (const byte*)local32);
+            #endif
+
+                if (ret != 0)
+                    break;
+            }
+        }
+    #endif
+
+        /* save remainder */
+        if (len > 0) {
+            XMEMCPY(local, data, len);
+            sha256->buffLen = len;
+        }
+
+        return ret;
     }
 
-    return 0;
-}
+    int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)
+    {
+        if (sha256 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
 
-int wc_Sha256Final(Sha256* sha256, byte* hash)
-{
-    byte* local = (byte*)sha256->buffer;
-    int ret;
-    
-    SAVE_XMM_YMM ; /* for Intel AVX */
+        if (data == NULL && len == 0) {
+            /* valid, but do nothing */
+            return 0;
+        }
+
+    #ifdef WOLF_CRYPTO_CB
+        if (sha256->devId != INVALID_DEVID) {
+            int ret = wc_CryptoCb_Sha256Hash(sha256, data, len, NULL);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+        if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
+        #if defined(HAVE_INTEL_QA)
+            return IntelQaSymSha256(&sha256->asyncDev, NULL, data, len);
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
+
+        return Sha256Update(sha256, data, len);
+    }
+
+    static WC_INLINE int Sha256Final(wc_Sha256* sha256)
+    {
+
+        int ret;
+        byte* local;
 
-    AddLength(sha256, sha256->buffLen);  /* before adding pads */
+        if (sha256 == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    local[sha256->buffLen++] = 0x80;     /* add 1 */
+        local = (byte*)sha256->buffer;
+        local[sha256->buffLen++] = 0x80; /* add 1 */
 
-    /* pad with zeros */
-    if (sha256->buffLen > SHA256_PAD_SIZE) {
-        XMEMSET(&local[sha256->buffLen], 0, SHA256_BLOCK_SIZE - sha256->buffLen);
-        sha256->buffLen += SHA256_BLOCK_SIZE - sha256->buffLen;
+        /* pad with zeros */
+        if (sha256->buffLen > WC_SHA256_PAD_SIZE) {
+            XMEMSET(&local[sha256->buffLen], 0,
+                WC_SHA256_BLOCK_SIZE - sha256->buffLen);
+            sha256->buffLen += WC_SHA256_BLOCK_SIZE - sha256->buffLen;
 
-        #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
+        #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
             #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-            if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)
+            if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
             #endif
-            ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE);
+            {
+                ByteReverseWords(sha256->buffer, sha256->buffer,
+                                                      WC_SHA256_BLOCK_SIZE);
+            }
         #endif
 
-        ret = XTRANSFORM(sha256, local);
-        if (ret != 0)
-            return ret;
+        #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+             !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            if (sha256->ctx.mode == ESP32_SHA_INIT) {
+                esp_sha_try_hw_lock(&sha256->ctx);
+            }
+            if (sha256->ctx.mode == ESP32_SHA_SW) {
+                ret = XTRANSFORM(sha256, (const byte*)local);
+            } else {
+                ret = esp_sha256_process(sha256, (const byte*)local);
+            }
+        #else
+            ret = XTRANSFORM(sha256, (const byte*)local);
+        #endif
+            if (ret != 0)
+                return ret;
 
-        sha256->buffLen = 0;
-    }
-    XMEMSET(&local[sha256->buffLen], 0, SHA256_PAD_SIZE - sha256->buffLen);
+            sha256->buffLen = 0;
+        }
+        XMEMSET(&local[sha256->buffLen], 0,
+            WC_SHA256_PAD_SIZE - sha256->buffLen);
 
-    /* put lengths in bits */
-    sha256->hiLen = (sha256->loLen >> (8*sizeof(sha256->loLen) - 3)) +
-                 (sha256->hiLen << 3);
-    sha256->loLen = sha256->loLen << 3;
+        /* put lengths in bits */
+        sha256->hiLen = (sha256->loLen >> (8 * sizeof(sha256->loLen) - 3)) +
+                                                         (sha256->hiLen << 3);
+        sha256->loLen = sha256->loLen << 3;
 
-    /* store lengths */
-    #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
+        /* store lengths */
+    #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU_SHA)
         #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-        if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)
+        if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
         #endif
-            ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE);
+        {
+            ByteReverseWords(sha256->buffer, sha256->buffer,
+                WC_SHA256_BLOCK_SIZE);
+        }
     #endif
-    /* ! length ordering dependent on digest endian type ! */
-    XMEMCPY(&local[SHA256_PAD_SIZE], &sha256->hiLen, sizeof(word32));
-    XMEMCPY(&local[SHA256_PAD_SIZE + sizeof(word32)], &sha256->loLen,
-            sizeof(word32));
+        /* ! length ordering dependent on digest endian type ! */
+        XMEMCPY(&local[WC_SHA256_PAD_SIZE], &sha256->hiLen, sizeof(word32));
+        XMEMCPY(&local[WC_SHA256_PAD_SIZE + sizeof(word32)], &sha256->loLen,
+                sizeof(word32));
 
-    #if defined(FREESCALE_MMCAU) || defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    #if defined(FREESCALE_MMCAU_SHA) || defined(HAVE_INTEL_AVX1) || \
+        defined(HAVE_INTEL_AVX2)
         /* Kinetis requires only these bytes reversed */
         #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-        if(IS_INTEL_AVX1 || IS_INTEL_AVX2)
+        if (IS_INTEL_AVX1(intel_flags) || IS_INTEL_AVX2(intel_flags))
         #endif
-        ByteReverseWords(&sha256->buffer[SHA256_PAD_SIZE/sizeof(word32)],
-                         &sha256->buffer[SHA256_PAD_SIZE/sizeof(word32)],
-                         2 * sizeof(word32));
+        {
+            ByteReverseWords(
+                &sha256->buffer[WC_SHA256_PAD_SIZE / sizeof(word32)],
+                &sha256->buffer[WC_SHA256_PAD_SIZE / sizeof(word32)],
+                2 * sizeof(word32));
+        }
+    #endif
+
+    #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+         !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        if (sha256->ctx.mode == ESP32_SHA_INIT) {
+            esp_sha_try_hw_lock(&sha256->ctx);
+        }
+        if (sha256->ctx.mode == ESP32_SHA_SW) {
+            ret = XTRANSFORM(sha256, (const byte*)local);
+        } else {
+            ret = esp_sha256_digest_process(sha256, 1);
+        }
+    #else
+        ret = XTRANSFORM(sha256, (const byte*)local);
     #endif
 
-    ret = XTRANSFORM(sha256, local);
-    if (ret != 0)
         return ret;
+    }
 
-    #if defined(LITTLE_ENDIAN_ORDER)
-        ByteReverseWords(sha256->digest, sha256->digest, SHA256_DIGEST_SIZE);
+    int wc_Sha256FinalRaw(wc_Sha256* sha256, byte* hash)
+    {
+    #ifdef LITTLE_ENDIAN_ORDER
+        word32 digest[WC_SHA256_DIGEST_SIZE / sizeof(word32)];
     #endif
-    XMEMCPY(hash, sha256->digest, SHA256_DIGEST_SIZE);
 
-    return wc_InitSha256(sha256);  /* reset state */
-}
+        if (sha256 == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
+    #ifdef LITTLE_ENDIAN_ORDER
+        ByteReverseWords((word32*)digest, (word32*)sha256->digest,
+                                                         WC_SHA256_DIGEST_SIZE);
+        XMEMCPY(hash, digest, WC_SHA256_DIGEST_SIZE);
+    #else
+        XMEMCPY(hash, sha256->digest, WC_SHA256_DIGEST_SIZE);
+    #endif
 
+        return 0;
+    }
 
-int wc_Sha256Hash(const byte* data, word32 len, byte* hash)
-{
-    int ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Sha256* sha256;
-#else
-    Sha256 sha256[1];
-#endif
+    int wc_Sha256Final(wc_Sha256* sha256, byte* hash)
+    {
+        int ret;
 
-#ifdef WOLFSSL_SMALL_STACK
-    sha256 = (Sha256*)XMALLOC(sizeof(Sha256), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (sha256 == NULL)
-        return MEMORY_E;
-#endif
+        if (sha256 == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-    if ((ret = wc_InitSha256(sha256)) != 0) {
-        WOLFSSL_MSG("InitSha256 failed");
+    #ifdef WOLF_CRYPTO_CB
+        if (sha256->devId != INVALID_DEVID) {
+            ret = wc_CryptoCb_Sha256Hash(sha256, NULL, 0, hash);
+            if (ret != CRYPTOCB_UNAVAILABLE)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+        if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
+        #if defined(HAVE_INTEL_QA)
+            return IntelQaSymSha256(&sha256->asyncDev, hash, NULL,
+                                            WC_SHA256_DIGEST_SIZE);
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
+
+        ret = Sha256Final(sha256);
+        if (ret != 0)
+            return ret;
+
+    #if defined(LITTLE_ENDIAN_ORDER)
+        ByteReverseWords(sha256->digest, sha256->digest, WC_SHA256_DIGEST_SIZE);
+    #endif
+        XMEMCPY(hash, sha256->digest, WC_SHA256_DIGEST_SIZE);
+
+        return InitSha256(sha256);  /* reset state */
     }
-    else if ((ret = wc_Sha256Update(sha256, data, len)) != 0) {
-        WOLFSSL_MSG("Sha256Update failed");
+
+#endif /* XTRANSFORM */
+
+#ifdef WOLFSSL_SHA224
+
+#ifdef STM32_HASH_SHA2
+
+    /* Supports CubeMX HAL or Standard Peripheral Library */
+
+    int wc_InitSha224_ex(wc_Sha224* sha224, void* heap, int devId)
+    {
+        if (sha224 == NULL)
+            return BAD_FUNC_ARG;
+
+        (void)devId;
+        (void)heap;
+
+        wc_Stm32_Hash_Init(&sha224->stmCtx);
+        return 0;
     }
-    else if ((ret = wc_Sha256Final(sha256, hash)) != 0) {
-        WOLFSSL_MSG("Sha256Final failed");
+
+    int wc_Sha224Update(wc_Sha224* sha224, const byte* data, word32 len)
+    {
+        int ret = 0;
+
+        if (sha224 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Update(&sha224->stmCtx,
+                HASH_AlgoSelection_SHA224, data, len);
+            wolfSSL_CryptHwMutexUnLock();
+        }
+        return ret;
     }
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(sha256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
+    int wc_Sha224Final(wc_Sha224* sha224, byte* hash)
+    {
+        int ret = 0;
 
-    return ret;
-}
+        if (sha224 == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        ret = wolfSSL_CryptHwMutexLock();
+        if (ret == 0) {
+            ret = wc_Stm32_Hash_Final(&sha224->stmCtx,
+                HASH_AlgoSelection_SHA224, hash, WC_SHA224_DIGEST_SIZE);
+            wolfSSL_CryptHwMutexUnLock();
+        }
 
-#define _DigestToReg(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    { word32 d ;\
-    d = sha256->digest[0]; __asm__ volatile("movl %0, %"#S_0::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[1]; __asm__ volatile("movl %0, %"#S_1::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[2]; __asm__ volatile("movl %0, %"#S_2::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[3]; __asm__ volatile("movl %0, %"#S_3::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[4]; __asm__ volatile("movl %0, %"#S_4::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[5]; __asm__ volatile("movl %0, %"#S_5::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[6]; __asm__ volatile("movl %0, %"#S_6::"r"(d):SSE_REGs) ;\
-    d = sha256->digest[7]; __asm__ volatile("movl %0, %"#S_7::"r"(d):SSE_REGs) ;\
-}
+        (void)wc_InitSha224(sha224); /* reset state */
 
-#define _RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    { word32 d ; \
-    __asm__ volatile("movl %"#S_0", %0":"=r"(d)::SSE_REGs) ; sha256->digest[0] += d;\
-    __asm__ volatile("movl %"#S_1", %0":"=r"(d)::SSE_REGs) ; sha256->digest[1] += d;\
-    __asm__ volatile("movl %"#S_2", %0":"=r"(d)::SSE_REGs) ; sha256->digest[2] += d;\
-    __asm__ volatile("movl %"#S_3", %0":"=r"(d)::SSE_REGs) ; sha256->digest[3] += d;\
-    __asm__ volatile("movl %"#S_4", %0":"=r"(d)::SSE_REGs) ; sha256->digest[4] += d;\
-    __asm__ volatile("movl %"#S_5", %0":"=r"(d)::SSE_REGs) ; sha256->digest[5] += d;\
-    __asm__ volatile("movl %"#S_6", %0":"=r"(d)::SSE_REGs) ; sha256->digest[6] += d;\
-    __asm__ volatile("movl %"#S_7", %0":"=r"(d)::SSE_REGs) ; sha256->digest[7] += d;\
-}
+        return ret;
+    }
 
+#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+    /* functions defined in wolfcrypt/src/port/caam/caam_sha256.c */
 
-#define DigestToReg(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    _DigestToReg(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )
+#elif defined(WOLFSSL_AFALG_HASH)
+    #error SHA224 currently not supported with AF_ALG enabled
 
-#define RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    _RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )
+#elif defined(WOLFSSL_DEVCRYPTO_HASH)
+    /* implemented in wolfcrypt/src/port/devcrypto/devcrypt_hash.c */
 
+#else
 
+    #define NEED_SOFT_SHA224
 
 
-#define S_0 %r15d 
-#define S_1 %r10d
-#define S_2 %r11d       
-#define S_3 %r12d
-#define S_4 %r13d
-#define S_5 %r14d
-#define S_6 %ebx
-#define S_7 %r9d
+    static int InitSha224(wc_Sha224* sha224)
+    {
+        int ret = 0;
 
-#define SSE_REGs "%edi", "%ecx", "%esi", "%edx", "%ebx","%r8","%r9","%r10","%r11","%r12","%r13","%r14","%r15"
+        if (sha224 == NULL) {
+            return BAD_FUNC_ARG;
+        }
 
-#if defined(HAVE_INTEL_RORX)
-#define RND_STEP_RORX_1(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("rorx  $6, %"#e", %%edx\n\t":::"%edx",SSE_REGs);  /* edx = e>>6 */\
+        sha224->digest[0] = 0xc1059ed8;
+        sha224->digest[1] = 0x367cd507;
+        sha224->digest[2] = 0x3070dd17;
+        sha224->digest[3] = 0xf70e5939;
+        sha224->digest[4] = 0xffc00b31;
+        sha224->digest[5] = 0x68581511;
+        sha224->digest[6] = 0x64f98fa7;
+        sha224->digest[7] = 0xbefa4fa4;
+
+        sha224->buffLen = 0;
+        sha224->loLen   = 0;
+        sha224->hiLen   = 0;
+
+    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
+        /* choose best Transform function under this runtime environment */
+        Sha256_SetTransform();
+    #endif
+    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        sha224->flags = 0;
+    #endif
 
-#define RND_STEP_RORX_2(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("rorx  $11, %"#e",%%edi\n\t":::"%edi",SSE_REGs); /* edi = e>>11  */\
-__asm__ volatile("xorl  %%edx, %%edi\n\t":::"%edx","%edi",SSE_REGs); /* edi = (e>>11) ^ (e>>6)  */\
-__asm__ volatile("rorx  $25, %"#e", %%edx\n\t":::"%edx",SSE_REGs);   /* edx = e>>25             */\
+        return ret;
+    }
 
-#define RND_STEP_RORX_3(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("movl  %"#f", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = f   */\
-__asm__ volatile("xorl  %"#g", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = f ^ g  */\
-__asm__ volatile("xorl  %%edi, %%edx\n\t":::"%edi","%edx",SSE_REGs);  /* edx = Sigma1(e)  */\
-__asm__ volatile("andl  %"#e", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = (f ^ g) & e       */\
-__asm__ volatile("xorl  %"#g", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = Ch(e,f,g)         */\
+#endif
 
-#define RND_STEP_RORX_4(a,b,c,d,e,f,g,h,i)\
-/*__asm__ volatile("movl    %0, %%edx\n\t"::"m"(w_k):"%edx");*/\
-__asm__ volatile("addl  %0, %"#h"\n\t"::"r"(W_K[i]):SSE_REGs);    /* h += w_k  */\
-__asm__ volatile("addl  %%edx, %"#h"\n\t":::"%edx",SSE_REGs);     /* h = h + w_k + Sigma1(e) */\
-__asm__ volatile("rorx  $2, %"#a", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = a>>2   */\
-__asm__ volatile("rorx  $13, %"#a", %%edi\n\t":::"%edi",SSE_REGs);/* edi = a>>13  */\
+#ifdef NEED_SOFT_SHA224
+    int wc_InitSha224_ex(wc_Sha224* sha224, void* heap, int devId)
+    {
+        int ret = 0;
 
-#define RND_STEP_RORX_5(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("rorx  $22, %"#a", %%edx\n\t":::"%edx",SSE_REGs); /* edx = a>>22 */\
-__asm__ volatile("xorl  %%r8d, %%edi\n\t":::"%edi","%r8",SSE_REGs);/* edi = (a>>2) ^ (a>>13)  */\
-__asm__ volatile("xorl  %%edi, %%edx\n\t":::"%edi","%edx",SSE_REGs);  /* edx = Sigma0(a)      */\
- 
-#define RND_STEP_RORX_6(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("movl  %"#b", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = b          */\
-__asm__ volatile("orl   %"#a", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = a | b      */\
-__asm__ volatile("andl  %"#c", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = (a | b) & c*/\
-__asm__ volatile("movl  %"#b", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = b           */\
+        if (sha224 == NULL)
+            return BAD_FUNC_ARG;
 
-#define RND_STEP_RORX_7(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("addl  %%esi, %"#h"\n\t":::"%esi",SSE_REGs);  /* h += Ch(e,f,g)   */\
-__asm__ volatile("andl  %"#a", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = b & a       */\
-__asm__ volatile("orl   %%edi, %%r8d\n\t":::"%edi","%r8",SSE_REGs); /* r8d = Maj(a,b,c) */\
+        sha224->heap = heap;
 
-#define RND_STEP_RORX_8(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("addl  "#h", "#d"\n\t");  /* d += h + w_k + Sigma1(e) + Ch(e,f,g) */\
-__asm__ volatile("addl  %"#h", %%r8d\n\t":::"%r8",SSE_REGs); \
-__asm__ volatile("addl  %%edx, %%r8d\n\t":::"%edx","%r8",SSE_REGs); \
-__asm__ volatile("movl  %r8d, "#h"\n\t");   
+        ret = InitSha224(sha224);
+        if (ret != 0)
+            return ret;
 
-#endif
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+        sha224->W = NULL;
+    #endif
 
-#define RND_STEP_1(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("movl  %"#e", %%edx\n\t":::"%edx",SSE_REGs);\
-__asm__ volatile("roll  $26, %%edx\n\t":::"%edx",SSE_REGs);  /* edx = e>>6     */\
-__asm__ volatile("movl  %"#e", %%edi\n\t":::"%edi",SSE_REGs);\
-
-#define RND_STEP_2(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("roll  $21, %%edi\n\t":::"%edi",SSE_REGs);         /* edi = e>>11 */\
-__asm__ volatile("xorl  %%edx, %%edi\n\t":::"%edx","%edi",SSE_REGs); /* edi = (e>>11) ^ (e>>6)  */\
-__asm__ volatile("movl  %"#e", %%edx\n\t":::"%edx",SSE_REGs);   /* edx = e      */\
-__asm__ volatile("roll  $7, %%edx\n\t":::"%edx",SSE_REGs);      /* edx = e>>25  */\
-
-#define RND_STEP_3(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("movl  %"#f", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = f       */\
-__asm__ volatile("xorl  %"#g", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = f ^ g   */\
-__asm__ volatile("xorl  %%edi, %%edx\n\t":::"%edi","%edx",SSE_REGs); /* edx = Sigma1(e) */\
-__asm__ volatile("andl  %"#e", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = (f ^ g) & e  */\
-__asm__ volatile("xorl  %"#g", %%esi\n\t":::"%esi",SSE_REGs);  /* esi = Ch(e,f,g)    */\
-
-#define RND_STEP_4(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("addl  %0, %"#h"\n\t"::"r"(W_K[i]):SSE_REGs); /* h += w_k  */\
-__asm__ volatile("addl  %%edx, %"#h"\n\t":::"%edx",SSE_REGs); /* h = h + w_k + Sigma1(e) */\
-__asm__ volatile("movl  %"#a", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = a    */\
-__asm__ volatile("roll  $30, %%r8d\n\t":::"%r8",SSE_REGs);    /* r8d = a>>2 */\
-__asm__ volatile("movl  %"#a", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = a   */\
-__asm__ volatile("roll  $19, %%edi\n\t":::"%edi",SSE_REGs);    /* edi = a>>13 */\
-__asm__ volatile("movl  %"#a", %%edx\n\t":::"%edx",SSE_REGs);  /* edx = a     */\
-
-#define RND_STEP_5(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("roll  $10, %%edx\n\t":::"%edx",SSE_REGs);    /* edx = a>>22 */\
-__asm__ volatile("xorl  %%r8d, %%edi\n\t":::"%edi","%r8",SSE_REGs); /* edi = (a>>2) ^ (a>>13)  */\
-__asm__ volatile("xorl  %%edi, %%edx\n\t":::"%edi","%edx",SSE_REGs);/* edx = Sigma0(a)         */\
-
-#define RND_STEP_6(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("movl  %"#b", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = b      */\
-__asm__ volatile("orl   %"#a", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = a | b  */\
-__asm__ volatile("andl  %"#c", %%edi\n\t":::"%edi",SSE_REGs);  /* edi = (a | b) & c */\
-__asm__ volatile("movl  %"#b", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = b       */\
-
-#define RND_STEP_7(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("addl  %%esi, %"#h"\n\t":::"%esi",SSE_REGs);  /* h += Ch(e,f,g)        */\
-__asm__ volatile("andl  %"#a", %%r8d\n\t":::"%r8",SSE_REGs);  /* r8d = b & a            */\
-__asm__ volatile("orl   %%edi, %%r8d\n\t":::"%edi","%r8",SSE_REGs); /* r8d = Maj(a,b,c) */\
-
-#define RND_STEP_8(a,b,c,d,e,f,g,h,i)\
-__asm__ volatile("addl  "#h", "#d"\n\t");  /* d += h + w_k + Sigma1(e) + Ch(e,f,g) */\
-__asm__ volatile("addl  %"#h", %%r8d\n\t":::"%r8",SSE_REGs); \
-                 /* r8b = h + w_k + Sigma1(e) + Ch(e,f,g) + Maj(a,b,c) */\
-__asm__ volatile("addl  %%edx, %%r8d\n\t":::"%edx","%r8",SSE_REGs);\
-                 /* r8b = h + w_k + Sigma1(e) Sigma0(a) + Ch(e,f,g) + Maj(a,b,c)     */\
-__asm__ volatile("movl  %%r8d, %"#h"\n\t":::"%r8", SSE_REGs); \
-                 /* h = h + w_k + Sigma1(e) + Sigma0(a) + Ch(e,f,g) + Maj(a,b,c) */ \
-
-#define RND_X(a,b,c,d,e,f,g,h,i) \
-       RND_STEP_1(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_2(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_3(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_4(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_5(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_6(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_7(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_8(a,b,c,d,e,f,g,h,i); 
-
-#define RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i);
-#define RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i);
-#define RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_6,S_7,S_0,S_1,S_2,S_3,S_4,S_5,_i);
-#define RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_5,S_6,S_7,S_0,S_1,S_2,S_3,S_4,_i);
-#define RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,_i);
-#define RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_3,S_4,S_5,S_6,S_7,S_0,S_1,S_2,_i);
-#define RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_2,S_3,S_4,S_5,S_6,S_7,S_0,S_1,_i);
-#define RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i);
-
-
-#define RND_1_3(a,b,c,d,e,f,g,h,i) {\
-       RND_STEP_1(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_2(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_3(a,b,c,d,e,f,g,h,i); \
-}
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA224)
+        ret = wolfAsync_DevCtxInit(&sha224->asyncDev,
+                            WOLFSSL_ASYNC_MARKER_SHA224, sha224->heap, devId);
+    #else
+        (void)devId;
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
-#define RND_4_6(a,b,c,d,e,f,g,h,i) {\
-       RND_STEP_4(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_5(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_6(a,b,c,d,e,f,g,h,i); \
-}
+        return ret;
+    }
 
-#define RND_7_8(a,b,c,d,e,f,g,h,i) {\
-       RND_STEP_7(a,b,c,d,e,f,g,h,i); \
-       RND_STEP_8(a,b,c,d,e,f,g,h,i); \
-}
+    int wc_Sha224Update(wc_Sha224* sha224, const byte* data, word32 len)
+    {
+        int ret;
 
-#define RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i);
-#define RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i);
-#define RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_6,S_7,S_0,S_1,S_2,S_3,S_4,S_5,_i);
-#define RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_5,S_6,S_7,S_0,S_1,S_2,S_3,S_4,_i);
-#define RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,_i);
-#define RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_3,S_4,S_5,S_6,S_7,S_0,S_1,S_2,_i);
-#define RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_2,S_3,S_4,S_5,S_6,S_7,S_0,S_1,_i);
-#define RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_X(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i);
-
-
-#define RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i);
-#define RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i);
-#define RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_6,S_7,S_0,S_1,S_2,S_3,S_4,S_5,_i);
-#define RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_5,S_6,S_7,S_0,S_1,S_2,S_3,S_4,_i);
-#define RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,_i);
-#define RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_3,S_4,S_5,S_6,S_7,S_0,S_1,S_2,_i);
-#define RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_2,S_3,S_4,S_5,S_6,S_7,S_0,S_1,_i);
-#define RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_1_3(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i);
-
-#define RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i);
-#define RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i);
-#define RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_6,S_7,S_0,S_1,S_2,S_3,S_4,S_5,_i);
-#define RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_5,S_6,S_7,S_0,S_1,S_2,S_3,S_4,_i);
-#define RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,_i);
-#define RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_3,S_4,S_5,S_6,S_7,S_0,S_1,S_2,_i);
-#define RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_2,S_3,S_4,S_5,S_6,S_7,S_0,S_1,_i);
-#define RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_4_6(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i);
-
-#define RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i);
-#define RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_7,S_0,S_1,S_2,S_3,S_4,S_5,S_6,_i);
-#define RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_6,S_7,S_0,S_1,S_2,S_3,S_4,S_5,_i);
-#define RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_5,S_6,S_7,S_0,S_1,S_2,S_3,S_4,_i);
-#define RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,_i);
-#define RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_3,S_4,S_5,S_6,S_7,S_0,S_1,S_2,_i);
-#define RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_2,S_3,S_4,S_5,S_6,S_7,S_0,S_1,_i);
-#define RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,_i) RND_7_8(S_1,S_2,S_3,S_4,S_5,S_6,S_7,S_0,_i);
-
-#define FOR(cnt, init, max, inc, loop)  \
-    __asm__ volatile("movl $"#init", %0\n\t"#loop":"::"m"(cnt):) 
-#define END(cnt, init, max, inc, loop)  \
-    __asm__ volatile("addl $"#inc", %0\n\tcmpl $"#max", %0\n\tjle "#loop"\n\t":"=m"(cnt)::) ;
-
-#endif  /* defined(HAVE_INTEL_AVX1) ||  defined(HAVE_INTEL_AVX2) */
-
-#if defined(HAVE_INTEL_AVX1) /* inline Assember for Intel AVX1 instructions */
-
-#define VPALIGNR(op1,op2,op3,op4) __asm__ volatile("vpalignr $"#op4", %"#op3", %"#op2", %"#op1:::XMM_REGs) 
-#define VPADDD(op1,op2,op3)       __asm__ volatile("vpaddd %"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPSRLD(op1,op2,op3)       __asm__ volatile("vpsrld $"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPSRLQ(op1,op2,op3)       __asm__ volatile("vpsrlq $"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPSLLD(op1,op2,op3)       __asm__ volatile("vpslld $"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPOR(op1,op2,op3)         __asm__ volatile("vpor   %"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPXOR(op1,op2,op3)        __asm__ volatile("vpxor  %"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPSHUFD(op1,op2,op3)      __asm__ volatile("vpshufd $"#op3", %"#op2", %"#op1:::XMM_REGs)
-#define VPSHUFB(op1,op2,op3)      __asm__ volatile("vpshufb %"#op3", %"#op2", %"#op1:::XMM_REGs)
-
-#define MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, SHUF_00BA, SHUF_DC00,\
-     a,b,c,d,e,f,g,h,_i)\
-            RND_STEP_1(a,b,c,d,e,f,g,h,_i);\
-    VPALIGNR (XTMP0, X3, X2, 4) ;\
-            RND_STEP_2(a,b,c,d,e,f,g,h,_i);\
-    VPADDD   (XTMP0, XTMP0, X0) ;\
-            RND_STEP_3(a,b,c,d,e,f,g,h,_i);\
-    VPALIGNR (XTMP1, X1, X0, 4) ;   /* XTMP1 = W[-15] */\
-            RND_STEP_4(a,b,c,d,e,f,g,h,_i);\
-    VPSRLD   (XTMP2, XTMP1, 7) ;\
-            RND_STEP_5(a,b,c,d,e,f,g,h,_i);\
-    VPSLLD   (XTMP3, XTMP1, 25) ; /* VPSLLD   (XTMP3, XTMP1, (32-7)) */\
-            RND_STEP_6(a,b,c,d,e,f,g,h,_i);\
-    VPOR     (XTMP3, XTMP3, XTMP2)  ;  /* XTMP1 = W[-15] MY_ROR 7 */\
-            RND_STEP_7(a,b,c,d,e,f,g,h,_i);\
-    VPSRLD   (XTMP2, XTMP1,18) ;\
-            RND_STEP_8(a,b,c,d,e,f,g,h,_i);\
-\
-            RND_STEP_1(h,a,b,c,d,e,f,g,_i+1);\
-    VPSRLD   (XTMP4, XTMP1, 3)      ;  /* XTMP4 = W[-15] >> 3 */\
-            RND_STEP_2(h,a,b,c,d,e,f,g,_i+1);\
-    VPSLLD   (XTMP1, XTMP1, 14) ; /* VPSLLD   (XTMP1, XTMP1, (32-18)) */\
-            RND_STEP_3(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP3, XTMP3, XTMP1)  ;\
-            RND_STEP_4(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP3, XTMP3, XTMP2)  ;  /* XTMP1 = W[-15] MY_ROR 7 ^ W[-15] MY_ROR 18 */\
-            RND_STEP_5(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP1, XTMP3, XTMP4)  ;  /* XTMP1 = s0 */\
-            RND_STEP_6(h,a,b,c,d,e,f,g,_i+1);\
-    VPSHUFD(XTMP2, X3, 0b11111010)  ;  /* XTMP2 = W[-2] {BBAA}*/\
-            RND_STEP_7(h,a,b,c,d,e,f,g,_i+1);\
-    VPADDD   (XTMP0, XTMP0, XTMP1)  ;  /* XTMP0 = W[-16] + W[-7] + s0 */\
-            RND_STEP_8(h,a,b,c,d,e,f,g,_i+1);\
-\
-            RND_STEP_1(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLD   (XTMP4, XTMP2, 10) ;      /* XTMP4 = W[-2] >> 10 {BBAA} */\
-            RND_STEP_2(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLQ   (XTMP3, XTMP2, 19) ;      /* XTMP3 = W[-2] MY_ROR 19 {xBxA} */\
-            RND_STEP_3(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLQ   (XTMP2, XTMP2, 17) ;      /* XTMP2 = W[-2] MY_ROR 17 {xBxA} */\
-            RND_STEP_4(g,h,a,b,c,d,e,f,_i+2);\
-    VPXOR    (XTMP2, XTMP2, XTMP3) ;\
-            RND_STEP_5(g,h,a,b,c,d,e,f,_i+2);\
-    VPXOR    (XTMP4, XTMP4, XTMP2) ;   /* XTMP4 = s1 {xBxA} */\
-            RND_STEP_6(g,h,a,b,c,d,e,f,_i+2);\
-    VPSHUFB  (XTMP4, XTMP4, SHUF_00BA)  ;  /* XTMP4 = s1 {00BA} */\
-            RND_STEP_7(g,h,a,b,c,d,e,f,_i+2);\
-    VPADDD   (XTMP0, XTMP0, XTMP4)  ;  /* XTMP0 = {..., ..., W[1], W[0]} */\
-            RND_STEP_8(g,h,a,b,c,d,e,f,_i+2);\
-\
-            RND_STEP_1(f,g,h,a,b,c,d,e,_i+3);\
-    VPSHUFD  (XTMP2, XTMP0, 0b01010000) ; /* XTMP2 = W[-2] {DDCC} */\
-            RND_STEP_2(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLD   (XTMP5, XTMP2, 10);       /* XTMP5 = W[-2] >> 10 {DDCC} */\
-            RND_STEP_3(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLQ   (XTMP3, XTMP2, 19);       /* XTMP3 = W[-2] MY_ROR 19 {xDxC} */\
-            RND_STEP_4(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLQ   (XTMP2, XTMP2, 17) ;      /* XTMP2 = W[-2] MY_ROR 17 {xDxC} */\
-            RND_STEP_5(f,g,h,a,b,c,d,e,_i+3);\
-    VPXOR    (XTMP2, XTMP2, XTMP3) ;\
-            RND_STEP_6(f,g,h,a,b,c,d,e,_i+3);\
-    VPXOR    (XTMP5, XTMP5, XTMP2) ;   /* XTMP5 = s1 {xDxC} */\
-            RND_STEP_7(f,g,h,a,b,c,d,e,_i+3);\
-    VPSHUFB  (XTMP5, XTMP5, SHUF_DC00) ; /* XTMP5 = s1 {DC00} */\
-            RND_STEP_8(f,g,h,a,b,c,d,e,_i+3);\
-    VPADDD   (X0, XTMP5, XTMP0) ;      /* X0 = {W[3], W[2], W[1], W[0]} */\
-
-#if defined(HAVE_INTEL_RORX)
-
-#define MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, \
-                          XFER, SHUF_00BA, SHUF_DC00,a,b,c,d,e,f,g,h,_i)\
-            RND_STEP_RORX_1(a,b,c,d,e,f,g,h,_i);\
-    VPALIGNR (XTMP0, X3, X2, 4) ;\
-            RND_STEP_RORX_2(a,b,c,d,e,f,g,h,_i);\
-    VPADDD   (XTMP0, XTMP0, X0) ;\
-            RND_STEP_RORX_3(a,b,c,d,e,f,g,h,_i);\
-    VPALIGNR (XTMP1, X1, X0, 4) ;   /* XTMP1 = W[-15] */\
-            RND_STEP_RORX_4(a,b,c,d,e,f,g,h,_i);\
-    VPSRLD   (XTMP2, XTMP1, 7) ;\
-            RND_STEP_RORX_5(a,b,c,d,e,f,g,h,_i);\
-    VPSLLD   (XTMP3, XTMP1, 25) ; /* VPSLLD   (XTMP3, XTMP1, (32-7)) */\
-            RND_STEP_RORX_6(a,b,c,d,e,f,g,h,_i);\
-    VPOR     (XTMP3, XTMP3, XTMP2)  ;  /* XTMP1 = W[-15] MY_ROR 7 */\
-            RND_STEP_RORX_7(a,b,c,d,e,f,g,h,_i);\
-    VPSRLD   (XTMP2, XTMP1,18) ;\
-            RND_STEP_RORX_8(a,b,c,d,e,f,g,h,_i);\
-\
-            RND_STEP_RORX_1(h,a,b,c,d,e,f,g,_i+1);\
-    VPSRLD   (XTMP4, XTMP1, 3)      ;  /* XTMP4 = W[-15] >> 3 */\
-            RND_STEP_RORX_2(h,a,b,c,d,e,f,g,_i+1);\
-    VPSLLD   (XTMP1, XTMP1, 14) ; /* VPSLLD   (XTMP1, XTMP1, (32-18)) */\
-            RND_STEP_RORX_3(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP3, XTMP3, XTMP1)  ;\
-            RND_STEP_RORX_4(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP3, XTMP3, XTMP2)  ;  /* XTMP1 = W[-15] MY_ROR 7 ^ W[-15] MY_ROR 18 */\
-            RND_STEP_RORX_5(h,a,b,c,d,e,f,g,_i+1);\
-    VPXOR    (XTMP1, XTMP3, XTMP4)  ;  /* XTMP1 = s0 */\
-            RND_STEP_RORX_6(h,a,b,c,d,e,f,g,_i+1);\
-    VPSHUFD(XTMP2, X3, 0b11111010)  ;  /* XTMP2 = W[-2] {BBAA}*/\
-            RND_STEP_RORX_7(h,a,b,c,d,e,f,g,_i+1);\
-    VPADDD   (XTMP0, XTMP0, XTMP1)  ;  /* XTMP0 = W[-16] + W[-7] + s0 */\
-            RND_STEP_RORX_8(h,a,b,c,d,e,f,g,_i+1);\
-\
-            RND_STEP_RORX_1(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLD   (XTMP4, XTMP2, 10) ;      /* XTMP4 = W[-2] >> 10 {BBAA} */\
-            RND_STEP_RORX_2(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLQ   (XTMP3, XTMP2, 19) ;      /* XTMP3 = W[-2] MY_ROR 19 {xBxA} */\
-            RND_STEP_RORX_3(g,h,a,b,c,d,e,f,_i+2);\
-    VPSRLQ   (XTMP2, XTMP2, 17) ;      /* XTMP2 = W[-2] MY_ROR 17 {xBxA} */\
-            RND_STEP_RORX_4(g,h,a,b,c,d,e,f,_i+2);\
-    VPXOR    (XTMP2, XTMP2, XTMP3) ;\
-            RND_STEP_RORX_5(g,h,a,b,c,d,e,f,_i+2);\
-    VPXOR    (XTMP4, XTMP4, XTMP2) ;   /* XTMP4 = s1 {xBxA} */\
-            RND_STEP_RORX_6(g,h,a,b,c,d,e,f,_i+2);\
-    VPSHUFB  (XTMP4, XTMP4, SHUF_00BA)  ;  /* XTMP4 = s1 {00BA} */\
-            RND_STEP_RORX_7(g,h,a,b,c,d,e,f,_i+2);\
-    VPADDD   (XTMP0, XTMP0, XTMP4)  ;  /* XTMP0 = {..., ..., W[1], W[0]} */\
-            RND_STEP_RORX_8(g,h,a,b,c,d,e,f,_i+2);\
-\
-            RND_STEP_RORX_1(f,g,h,a,b,c,d,e,_i+3);\
-    VPSHUFD  (XTMP2, XTMP0, 0b01010000) ; /* XTMP2 = W[-2] {DDCC} */\
-            RND_STEP_RORX_2(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLD   (XTMP5, XTMP2, 10);       /* XTMP5 = W[-2] >> 10 {DDCC} */\
-            RND_STEP_RORX_3(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLQ   (XTMP3, XTMP2, 19);       /* XTMP3 = W[-2] MY_ROR 19 {xDxC} */\
-            RND_STEP_RORX_4(f,g,h,a,b,c,d,e,_i+3);\
-    VPSRLQ   (XTMP2, XTMP2, 17) ;      /* XTMP2 = W[-2] MY_ROR 17 {xDxC} */\
-            RND_STEP_RORX_5(f,g,h,a,b,c,d,e,_i+3);\
-    VPXOR    (XTMP2, XTMP2, XTMP3) ;\
-            RND_STEP_RORX_6(f,g,h,a,b,c,d,e,_i+3);\
-    VPXOR    (XTMP5, XTMP5, XTMP2) ;   /* XTMP5 = s1 {xDxC} */\
-            RND_STEP_RORX_7(f,g,h,a,b,c,d,e,_i+3);\
-    VPSHUFB  (XTMP5, XTMP5, SHUF_DC00) ; /* XTMP5 = s1 {DC00} */\
-            RND_STEP_RORX_8(f,g,h,a,b,c,d,e,_i+3);\
-    VPADDD   (X0, XTMP5, XTMP0) ;      /* X0 = {W[3], W[2], W[1], W[0]} */\
+        if (sha224 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
 
-#endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA224)
+        if (sha224->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA224) {
+        #if defined(HAVE_INTEL_QA)
+            return IntelQaSymSha224(&sha224->asyncDev, NULL, data, len);
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
 
+        ret = Sha256Update((wc_Sha256*)sha224, data, len);
 
-#define W_K_from_buff\
-         __asm__ volatile("vmovdqu %0, %%xmm4\n\t"\
-                          "vpshufb %%xmm13, %%xmm4, %%xmm4\n\t"\
-                          :: "m"(sha256->buffer[0]):"%xmm4") ;\
-         __asm__ volatile("vmovdqu %0, %%xmm5\n\t"\
-                          "vpshufb %%xmm13, %%xmm5, %%xmm5\n\t"\
-                          ::"m"(sha256->buffer[4]):"%xmm5") ;\
-         __asm__ volatile("vmovdqu %0, %%xmm6\n\t"\
-                          "vpshufb %%xmm13, %%xmm6, %%xmm6\n\t"\
-                          ::"m"(sha256->buffer[8]):"%xmm6") ;\
-         __asm__ volatile("vmovdqu %0, %%xmm7\n\t"\
-                          "vpshufb %%xmm13, %%xmm7, %%xmm7\n\t"\
-                          ::"m"(sha256->buffer[12]):"%xmm7") ;\
-
-#define _SET_W_K_XFER(reg, i)\
-    __asm__ volatile("vpaddd %0, %"#reg", %%xmm9"::"m"(K[i]):XMM_REGs) ;\
-    __asm__ volatile("vmovdqa %%xmm9, %0":"=m"(W_K[i])::XMM_REGs) ;
-
-#define SET_W_K_XFER(reg, i) _SET_W_K_XFER(reg, i)
-
-static const ALIGN32 word64 mSHUF_00BA[] = { 0x0b0a090803020100, 0xFFFFFFFFFFFFFFFF } ; /* shuffle xBxA -> 00BA */
-static const ALIGN32 word64 mSHUF_DC00[] = { 0xFFFFFFFFFFFFFFFF, 0x0b0a090803020100 } ; /* shuffle xDxC -> DC00 */
-static const ALIGN32 word64 mBYTE_FLIP_MASK[] =  { 0x0405060700010203, 0x0c0d0e0f08090a0b } ;
-
-
-#define _Init_Masks(mask1, mask2, mask3)\
-__asm__ volatile("vmovdqu %0, %"#mask1 ::"m"(mBYTE_FLIP_MASK[0])) ;\
-__asm__ volatile("vmovdqu %0, %"#mask2 ::"m"(mSHUF_00BA[0])) ;\
-__asm__ volatile("vmovdqu %0, %"#mask3 ::"m"(mSHUF_DC00[0])) ;
-
-#define Init_Masks(BYTE_FLIP_MASK, SHUF_00BA, SHUF_DC00)\
-    _Init_Masks(BYTE_FLIP_MASK, SHUF_00BA, SHUF_DC00)
-
-#define X0 %xmm4
-#define X1 %xmm5
-#define X2 %xmm6
-#define X3 %xmm7
-#define X_ X0
-
-#define XTMP0 %xmm0
-#define XTMP1 %xmm1
-#define XTMP2 %xmm2
-#define XTMP3 %xmm3
-#define XTMP4 %xmm8
-#define XTMP5 %xmm9
-#define XFER  %xmm10
-
-#define SHUF_00BA   %xmm11 /* shuffle xBxA -> 00BA */
-#define SHUF_DC00   %xmm12 /* shuffle xDxC -> DC00 */
-#define BYTE_FLIP_MASK  %xmm13
-
-#define XMM_REGs   /* Registers are saved in Sha256Update/Finel */
-                   /*"xmm4","xmm5","xmm6","xmm7","xmm8","xmm9","xmm10","xmm11","xmm12","xmm13" */
-
-static int Transform_AVX1(Sha256* sha256)
-{
+        return ret;
+    }
 
-    word32 W_K[64] ;  /* temp for W+K */
+    int wc_Sha224Final(wc_Sha224* sha224, byte* hash)
+    {
+        int ret;
 
-    #if defined(DEBUG_XMM)
-    int i, j ;
-    word32 xmm[29][4*15] ;
+        if (sha224 == NULL || hash == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA224)
+        if (sha224->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA224) {
+        #if defined(HAVE_INTEL_QA)
+            return IntelQaSymSha224(&sha224->asyncDev, hash, NULL,
+                                            WC_SHA224_DIGEST_SIZE);
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
+
+        ret = Sha256Final((wc_Sha256*)sha224);
+        if (ret != 0)
+            return ret;
+
+    #if defined(LITTLE_ENDIAN_ORDER)
+        ByteReverseWords(sha224->digest, sha224->digest, WC_SHA224_DIGEST_SIZE);
     #endif
+        XMEMCPY(hash, sha224->digest, WC_SHA224_DIGEST_SIZE);
 
-    Init_Masks(BYTE_FLIP_MASK, SHUF_00BA, SHUF_DC00) ;
-    W_K_from_buff ; /* X0, X1, X2, X3 = W[0..15] ; */
-
-    DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;
-  
-    SET_W_K_XFER(X0, 0) ;
-    MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ;
-    SET_W_K_XFER(X1, 4) ;
-    MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER,
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,4) ;
-    SET_W_K_XFER(X2, 8) ;
-    MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ;
-    SET_W_K_XFER(X3, 12) ;
-    MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,12) ;
-    SET_W_K_XFER(X0, 16) ;
-    MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ;
-    SET_W_K_XFER(X1, 20) ;
-    MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,20) ;
-    SET_W_K_XFER(X2, 24) ;
-    MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ;
-    SET_W_K_XFER(X3, 28) ;
-    MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,28) ;
-    SET_W_K_XFER(X0, 32) ;
-    MessageSched(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ;
-    SET_W_K_XFER(X1, 36) ;
-    MessageSched(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,36) ;
-    SET_W_K_XFER(X2, 40) ;
-    MessageSched(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ;
-    SET_W_K_XFER(X3, 44) ;
-    MessageSched(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, XFER, 
-            SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,44) ;
-
-    SET_W_K_XFER(X0, 48) ;
-    SET_W_K_XFER(X1, 52) ;
-    SET_W_K_XFER(X2, 56) ;
-    SET_W_K_XFER(X3, 60) ;
-    
-    RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ;
-    RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ;
-    RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ;
-    RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ;
-
-    RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,52) ;
-    RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,53) ;
-    RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ;
-    RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ;
-
-    RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ;     
-    RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ;
-    RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ;
-    RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,59) ;
-
-    RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,60) ;
-    RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,61) ;
-    RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ;
-    RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ;
-        
-    RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;  
-        
-    #if defined(DEBUG_XMM)
-    for(i=0; i<29; i++) {
-        for(j=0; j<4*14; j+=4)
-            printf("xmm%d[%d]=%08x,%08x,%08x,%08x\n", j/4, i, 
-                   xmm[i][j],xmm[i][j+1],xmm[i][j+2],xmm[i][j+3]) ;
-        printf("\n") ;
+        return InitSha224(sha224);  /* reset state */
     }
-        
-    for(i=0; i<64; i++)printf("W_K[%d]%08x\n", i, W_K[i]) ;
+#endif /* end of SHA224 software implementation */
+
+    int wc_InitSha224(wc_Sha224* sha224)
+    {
+        return wc_InitSha224_ex(sha224, NULL, INVALID_DEVID);
+    }
+
+    void wc_Sha224Free(wc_Sha224* sha224)
+    {
+        if (sha224 == NULL)
+            return;
+
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    if (sha224->W != NULL) {
+        XFREE(sha224->W, NULL, DYNAMIC_TYPE_DIGEST);
+        sha224->W = NULL;
+    }
+#endif
+
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA224)
+        wolfAsync_DevCtxFree(&sha224->asyncDev, WOLFSSL_ASYNC_MARKER_SHA224);
+    #endif /* WOLFSSL_ASYNC_CRYPT */
+
+    #ifdef WOLFSSL_PIC32MZ_HASH
+        wc_Sha256Pic32Free(sha224);
     #endif
+    }
+#endif /* WOLFSSL_SHA224 */
 
-    return 0;
+
+int wc_InitSha256(wc_Sha256* sha256)
+{
+    return wc_InitSha256_ex(sha256, NULL, INVALID_DEVID);
 }
 
-#if defined(HAVE_INTEL_RORX)
-static int Transform_AVX1_RORX(Sha256* sha256)
+void wc_Sha256Free(wc_Sha256* sha256)
 {
+    if (sha256 == NULL)
+        return;
 
-    word32 W_K[64] ;  /* temp for W+K */
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    if (sha256->W != NULL) {
+        XFREE(sha256->W, NULL, DYNAMIC_TYPE_DIGEST);
+        sha256->W = NULL;
+    }
+#endif
 
-    #if defined(DEBUG_XMM)
-    int i, j ;
-    word32 xmm[29][4*15] ;
-    #endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+    wolfAsync_DevCtxFree(&sha256->asyncDev, WOLFSSL_ASYNC_MARKER_SHA256);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_Sha256Pic32Free(sha256);
+#endif
+#if defined(WOLFSSL_AFALG_HASH)
+    if (sha256->alFd > 0) {
+        close(sha256->alFd);
+        sha256->alFd = -1; /* avoid possible double close on socket */
+    }
+    if (sha256->rdFd > 0) {
+        close(sha256->rdFd);
+        sha256->rdFd = -1; /* avoid possible double close on socket */
+    }
+#endif /* WOLFSSL_AFALG_HASH */
+#ifdef WOLFSSL_DEVCRYPTO_HASH
+    wc_DevCryptoFree(&sha256->ctx);
+#endif /* WOLFSSL_DEVCRYPTO */
+#if (defined(WOLFSSL_AFALG_HASH) && defined(WOLFSSL_AFALG_HASH_KEEP)) || \
+    (defined(WOLFSSL_DEVCRYPTO_HASH) && defined(WOLFSSL_DEVCRYPTO_HASH_KEEP)) || \
+    (defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
+    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH))
+    if (sha256->msg != NULL) {
+        XFREE(sha256->msg, sha256->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        sha256->msg = NULL;
+    }
+#endif
+}
+
+#endif /* !WOLFSSL_TI_HASH */
+#endif /* HAVE_FIPS */
+
+
+#ifndef WOLFSSL_TI_HASH
+#ifdef WOLFSSL_SHA224
+    int wc_Sha224GetHash(wc_Sha224* sha224, byte* hash)
+    {
+        int ret;
+        wc_Sha224 tmpSha224;
 
-    Init_Masks(BYTE_FLIP_MASK, SHUF_00BA, SHUF_DC00) ;
-    W_K_from_buff ; /* X0, X1, X2, X3 = W[0..15] ; */
-
-    DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;
-    SET_W_K_XFER(X0, 0) ;
-    MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ;
-    SET_W_K_XFER(X1, 4) ;
-    MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,4) ;
-    SET_W_K_XFER(X2, 8) ;
-    MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ;
-    SET_W_K_XFER(X3, 12) ;
-    MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,12) ;
-    SET_W_K_XFER(X0, 16) ;
-    MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ;
-    SET_W_K_XFER(X1, 20) ;
-    MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,20) ;
-    SET_W_K_XFER(X2, 24) ;
-    MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ;
-    SET_W_K_XFER(X3, 28) ;
-    MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,28) ;
-    SET_W_K_XFER(X0, 32) ;
-    MessageSched_RORX(X0, X1, X2, X3, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ;
-    SET_W_K_XFER(X1, 36) ;
-    MessageSched_RORX(X1, X2, X3, X0, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5, 
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,36) ;
-    SET_W_K_XFER(X2, 40) ;
-    MessageSched_RORX(X2, X3, X0, X1, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5,
-            XFER, SHUF_00BA, SHUF_DC00, S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ;
-    SET_W_K_XFER(X3, 44) ;
-    MessageSched_RORX(X3, X0, X1, X2, XTMP0, XTMP1, XTMP2, XTMP3, XTMP4, XTMP5,
-            XFER, SHUF_00BA, SHUF_DC00, S_4,S_5,S_6,S_7,S_0,S_1,S_2,S_3,44) ;
-
-    SET_W_K_XFER(X0, 48) ;
-    SET_W_K_XFER(X1, 52) ;
-    SET_W_K_XFER(X2, 56) ;
-    SET_W_K_XFER(X3, 60) ;
-    
-    RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ;
-    RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ;
-    RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ;
-    RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ;
-
-    RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,52) ;
-    RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,53) ;
-    RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ;
-    RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ;
-
-    RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ;     
-    RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ;
-    RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ;
-    RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,59) ;
-
-    RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,60) ;
-    RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,61) ;
-    RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ;
-    RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ;
-        
-    RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;  
-        
-    #if defined(DEBUG_XMM)
-    for(i=0; i<29; i++) {
-        for(j=0; j<4*14; j+=4)
-            printf("xmm%d[%d]=%08x,%08x,%08x,%08x\n", j/4, i, 
-                    xmm[i][j],xmm[i][j+1],xmm[i][j+2],xmm[i][j+3]) ;
-        printf("\n") ;
+        if (sha224 == NULL || hash == NULL)
+            return BAD_FUNC_ARG;
+
+        ret = wc_Sha224Copy(sha224, &tmpSha224);
+        if (ret == 0) {
+            ret = wc_Sha224Final(&tmpSha224, hash);
+            wc_Sha224Free(&tmpSha224);
+        }
+        return ret;
     }
-        
-    for(i=0; i<64; i++)printf("W_K[%d]%08x\n", i, W_K[i]) ;
+    int wc_Sha224Copy(wc_Sha224* src, wc_Sha224* dst)
+    {
+        int ret = 0;
+
+        if (src == NULL || dst == NULL)
+            return BAD_FUNC_ARG;
+
+        XMEMCPY(dst, src, sizeof(wc_Sha224));
+    #ifdef WOLFSSL_SMALL_STACK_CACHE
+        dst->W = NULL;
     #endif
 
-    return 0;
-}
-#endif  /* HAVE_INTEL_RORX */
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+    #endif
+    #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+        dst->flags |= WC_HASH_FLAG_ISCOPY;
+    #endif
+
+        return ret;
+    }
 
-#endif  /* HAVE_INTEL_AVX1 */
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    int wc_Sha224SetFlags(wc_Sha224* sha224, word32 flags)
+    {
+        if (sha224) {
+            sha224->flags = flags;
+        }
+        return 0;
+    }
+    int wc_Sha224GetFlags(wc_Sha224* sha224, word32* flags)
+    {
+        if (sha224 && flags) {
+            *flags = sha224->flags;
+        }
+        return 0;
+    }
+#endif
 
+#endif /* WOLFSSL_SHA224 */
 
-#if defined(HAVE_INTEL_AVX2)
+#ifdef WOLFSSL_AFALG_HASH
+    /* implemented in wolfcrypt/src/port/af_alg/afalg_hash.c */
 
-#define _MOVE_to_REG(ymm, mem)       __asm__ volatile("vmovdqu %0, %%"#ymm" ":: "m"(mem):YMM_REGs) ;
-#define _MOVE_to_MEM(mem, ymm)       __asm__ volatile("vmovdqu %%"#ymm", %0" : "=m"(mem)::YMM_REGs) ;
-#define _BYTE_SWAP(ymm, map)              __asm__ volatile("vpshufb %0, %%"#ymm", %%"#ymm"\n\t"\
-                                                       :: "m"(map):YMM_REGs) ;
-#define _MOVE_128(ymm0, ymm1, ymm2, map)   __asm__ volatile("vperm2i128  $"#map", %%"\
-                                  #ymm2", %%"#ymm1", %%"#ymm0" ":::YMM_REGs) ;
-#define _MOVE_BYTE(ymm0, ymm1, map)  __asm__ volatile("vpshufb %0, %%"#ymm1", %%"\
-                                  #ymm0"\n\t":: "m"(map):YMM_REGs) ;
-#define _S_TEMP(dest, src, bits, temp)    __asm__ volatile("vpsrld  $"#bits", %%"\
-         #src", %%"#dest"\n\tvpslld  $32-"#bits", %%"#src", %%"#temp"\n\tvpor %%"\
-         #temp",%%"#dest", %%"#dest" ":::YMM_REGs) ;
-#define _AVX2_R(dest, src, bits)          __asm__ volatile("vpsrld  $"#bits", %%"\
-                                  #src", %%"#dest" ":::YMM_REGs) ;
-#define _XOR(dest, src1, src2)       __asm__ volatile("vpxor   %%"#src1", %%"\
-         #src2", %%"#dest" ":::YMM_REGs) ;
-#define _OR(dest, src1, src2)       __asm__ volatile("vpor    %%"#src1", %%"\
-         #src2", %%"#dest" ":::YMM_REGs) ;
-#define _ADD(dest, src1, src2)       __asm__ volatile("vpaddd   %%"#src1", %%"\
-         #src2", %%"#dest" ":::YMM_REGs) ;
-#define _ADD_MEM(dest, src1, mem)    __asm__ volatile("vpaddd   %0, %%"#src1", %%"\
-         #dest" "::"m"(mem):YMM_REGs) ;
-#define _BLEND(map, dest, src1, src2)    __asm__ volatile("vpblendd    $"#map", %%"\
-         #src1",   %%"#src2", %%"#dest" ":::YMM_REGs) ;
-
-#define    _EXTRACT_XMM_0(xmm, mem)  __asm__ volatile("vpextrd $0, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_1(xmm, mem)  __asm__ volatile("vpextrd $1, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_2(xmm, mem)  __asm__ volatile("vpextrd $2, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_3(xmm, mem)  __asm__ volatile("vpextrd $3, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_4(ymm, xmm, mem)\
-      __asm__ volatile("vperm2i128 $0x1, %%"#ymm", %%"#ymm", %%"#ymm" ":::YMM_REGs) ;\
-      __asm__ volatile("vpextrd $0, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_5(xmm, mem)  __asm__ volatile("vpextrd $1, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_6(xmm, mem)  __asm__ volatile("vpextrd $2, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-#define    _EXTRACT_XMM_7(xmm, mem)  __asm__ volatile("vpextrd $3, %%"#xmm", %0 ":"=r"(mem)::YMM_REGs) ;
-
-#define    _SWAP_YMM_HL(ymm)   __asm__ volatile("vperm2i128 $0x1, %%"#ymm", %%"#ymm", %%"#ymm" ":::YMM_REGs) ;
-#define     SWAP_YMM_HL(ymm)   _SWAP_YMM_HL(ymm) 
-
-#define MOVE_to_REG(ymm, mem)      _MOVE_to_REG(ymm, mem)
-#define MOVE_to_MEM(mem, ymm)      _MOVE_to_MEM(mem, ymm)
-#define BYTE_SWAP(ymm, map)        _BYTE_SWAP(ymm, map)
-#define MOVE_128(ymm0, ymm1, ymm2, map) _MOVE_128(ymm0, ymm1, ymm2, map) 
-#define MOVE_BYTE(ymm0, ymm1, map) _MOVE_BYTE(ymm0, ymm1, map)
-#define XOR(dest, src1, src2)      _XOR(dest, src1, src2)
-#define OR(dest, src1, src2)       _OR(dest, src1, src2)
-#define ADD(dest, src1, src2)      _ADD(dest, src1, src2)
-#define ADD_MEM(dest, src1, mem)  _ADD_MEM(dest, src1, mem)
-#define BLEND(map, dest, src1, src2) _BLEND(map, dest, src1, src2)
-
-#define S_TMP(dest, src, bits, temp) _S_TEMP(dest, src, bits, temp); 
-#define AVX2_S(dest, src, bits)      S_TMP(dest, src, bits, S_TEMP)
-#define AVX2_R(dest, src, bits)      _AVX2_R(dest, src, bits)
-
-#define GAMMA0(dest, src)      AVX2_S(dest, src, 7);  AVX2_S(G_TEMP, src, 18); \
-    XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 3);  XOR(dest, G_TEMP, dest) ;
-#define GAMMA0_1(dest, src)    AVX2_S(dest, src, 7);  AVX2_S(G_TEMP, src, 18); 
-#define GAMMA0_2(dest, src)    XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 3);  \
-    XOR(dest, G_TEMP, dest) ;
-
-#define GAMMA1(dest, src)      AVX2_S(dest, src, 17); AVX2_S(G_TEMP, src, 19); \
-    XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 10); XOR(dest, G_TEMP, dest) ;
-#define GAMMA1_1(dest, src)    AVX2_S(dest, src, 17); AVX2_S(G_TEMP, src, 19); 
-#define GAMMA1_2(dest, src)    XOR(dest, G_TEMP, dest) ; AVX2_R(G_TEMP, src, 10); \
-    XOR(dest, G_TEMP, dest) ;
-
-#define    FEEDBACK1_to_W_I_2    MOVE_BYTE(YMM_TEMP0, W_I, mMAP1toW_I_2[0]) ; \
-    BLEND(0x0c, W_I_2, YMM_TEMP0, W_I_2) ;
-#define    FEEDBACK2_to_W_I_2    MOVE_128(YMM_TEMP0, W_I, W_I, 0x08) ;  \
-    MOVE_BYTE(YMM_TEMP0, YMM_TEMP0, mMAP2toW_I_2[0]) ; BLEND(0x30, W_I_2, YMM_TEMP0, W_I_2) ; 
-#define    FEEDBACK3_to_W_I_2    MOVE_BYTE(YMM_TEMP0, W_I, mMAP3toW_I_2[0]) ; \
-    BLEND(0xc0, W_I_2, YMM_TEMP0, W_I_2) ; 
-
-#define    FEEDBACK_to_W_I_7     MOVE_128(YMM_TEMP0, W_I, W_I, 0x08) ;\
-    MOVE_BYTE(YMM_TEMP0, YMM_TEMP0, mMAPtoW_I_7[0]) ; BLEND(0x80, W_I_7, YMM_TEMP0, W_I_7) ;
-
-#undef voitle
-
-#define W_I_16  ymm8
-#define W_I_15  ymm9
-#define W_I_7  ymm10
-#define W_I_2  ymm11
-#define W_I    ymm12
-#define G_TEMP     ymm13
-#define S_TEMP     ymm14
-#define YMM_TEMP0  ymm15
-#define YMM_TEMP0x xmm15
-#define W_I_TEMP   ymm7
-#define W_K_TEMP   ymm15
-#define W_K_TEMPx  xmm15
-
-#define YMM_REGs /* Registers are saved in Sha256Update/Finel */
- /* "%ymm7","%ymm8","%ymm9","%ymm10","%ymm11","%ymm12","%ymm13","%ymm14","%ymm15"*/
-
-
-#define MOVE_15_to_16(w_i_16, w_i_15, w_i_7)\
-    __asm__ volatile("vperm2i128  $0x01, %%"#w_i_15", %%"#w_i_15", %%"#w_i_15" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x08, %%"#w_i_15", %%"#w_i_7", %%"#w_i_16" ":::YMM_REGs) ;\
-    __asm__ volatile("vperm2i128 $0x01,  %%"#w_i_7",  %%"#w_i_7", %%"#w_i_15" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x80, %%"#w_i_15", %%"#w_i_16", %%"#w_i_16" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x93,  %%"#w_i_16", %%"#w_i_16" ":::YMM_REGs) ;\
-
-#define MOVE_7_to_15(w_i_15, w_i_7)\
-    __asm__ volatile("vmovdqu                 %%"#w_i_7",  %%"#w_i_15" ":::YMM_REGs) ;\
-
-#define MOVE_I_to_7(w_i_7, w_i)\
-    __asm__ volatile("vperm2i128 $0x01,       %%"#w_i",   %%"#w_i",   %%"#w_i_7" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x01,       %%"#w_i_7",   %%"#w_i", %%"#w_i_7" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x39, %%"#w_i_7", %%"#w_i_7" ":::YMM_REGs) ;\
-
-#define MOVE_I_to_2(w_i_2, w_i)\
-    __asm__ volatile("vperm2i128 $0x01,       %%"#w_i", %%"#w_i", %%"#w_i_2" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x0e, %%"#w_i_2", %%"#w_i_2" ":::YMM_REGs) ;\
-
-#define ROTATE_W(w_i_16, w_i_15, w_i_7, w_i_2, w_i)\
-    MOVE_15_to_16(w_i_16, w_i_15, w_i_7) ; \
-    MOVE_7_to_15(w_i_15, w_i_7) ; \
-    MOVE_I_to_7(w_i_7, w_i) ; \
-    MOVE_I_to_2(w_i_2, w_i) ;\
-
-#define _RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    { word32 d ;\
-    __asm__ volatile("movl %"#S_0", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[0] += d;\
-    __asm__ volatile("movl %"#S_1", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[1] += d;\
-    __asm__ volatile("movl %"#S_2", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[2] += d;\
-    __asm__ volatile("movl %"#S_3", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[3] += d;\
-    __asm__ volatile("movl %"#S_4", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[4] += d;\
-    __asm__ volatile("movl %"#S_5", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[5] += d;\
-    __asm__ volatile("movl %"#S_6", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[6] += d;\
-    __asm__ volatile("movl %"#S_7", %0":"=r"(d)::SSE_REGs) ;\
-    sha256->digest[7] += d;\
-}
+#elif defined(WOLFSSL_DEVCRYPTO_HASH)
+    /* implemented in wolfcrypt/src/port/devcrypto/devcrypt_hash.c */
 
-#define _DumpS(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-  { word32 d[8] ;\
-    __asm__ volatile("movl %"#S_0", %0":"=r"(d[0])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_1", %0":"=r"(d[1])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_2", %0":"=r"(d[2])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_3", %0":"=r"(d[3])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_4", %0":"=r"(d[4])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_5", %0":"=r"(d[5])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_6", %0":"=r"(d[6])::SSE_REGs) ;\
-    __asm__ volatile("movl %"#S_7", %0":"=r"(d[7])::SSE_REGs) ;\
-        printf("S[0..7]=%08x,%08x,%08x,%08x,%08x,%08x,%08x,%08x\n", d[0],d[1],d[2],d[3],d[4],d[5],d[6],d[7]);\
-    __asm__ volatile("movl %0, %"#S_0::"r"(d[0]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_1::"r"(d[1]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_2::"r"(d[2]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_3::"r"(d[3]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_4::"r"(d[4]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_5::"r"(d[5]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_6::"r"(d[6]):SSE_REGs) ;\
-    __asm__ volatile("movl %0, %"#S_7::"r"(d[7]):SSE_REGs) ;\
-}
+#elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
+    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
 
+    /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */
+#else
 
-#define DigestToReg(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    _DigestToReg(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )
-
-#define RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    _RegToDigest(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )
-
-#define DumS(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )\
-    _DumpS(S_0, S_1, S_2, S_3, S_4, S_5, S_6, S_7 )
-
-        
-    /* Byte swap Masks to ensure that rest of the words are filled with zero's. */
-    static const unsigned long mBYTE_FLIP_MASK_16[] =  
-        { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x0c0d0e0f08090a0b } ;
-    static const unsigned long mBYTE_FLIP_MASK_15[] =  
-        { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x0c0d0e0f08090a0b } ;
-    static const unsigned long mBYTE_FLIP_MASK_7 [] =  
-        { 0x0405060700010203, 0x0c0d0e0f08090a0b, 0x0405060700010203, 0x8080808008090a0b } ;
-    static const unsigned long mBYTE_FLIP_MASK_2 [] =  
-        { 0x0405060700010203, 0x8080808080808080, 0x8080808080808080, 0x8080808080808080 } ;
-
-    static const unsigned long mMAPtoW_I_7[] =  
-        { 0x8080808080808080, 0x8080808080808080, 0x8080808080808080, 0x0302010080808080 } ;
-    static const unsigned long mMAP1toW_I_2[] = 
-        { 0x8080808080808080, 0x0706050403020100, 0x8080808080808080, 0x8080808080808080 } ;
-    static const unsigned long mMAP2toW_I_2[] = 
-        { 0x8080808080808080, 0x8080808080808080, 0x0f0e0d0c0b0a0908, 0x8080808080808080 } ;
-    static const unsigned long mMAP3toW_I_2[] = 
-        { 0x8080808080808080, 0x8080808080808080, 0x8080808080808080, 0x0706050403020100 } ;
- 
-static int Transform_AVX2(Sha256* sha256)
+int wc_Sha256GetHash(wc_Sha256* sha256, byte* hash)
 {
+    int ret;
+    wc_Sha256 tmpSha256;
 
-    #ifdef WOLFSSL_SMALL_STACK
-        word32* W_K;
-        W_K = (word32*) XMALLOC(sizeof(word32) * 64, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (W_K == NULL)
-            return MEMORY_E;
-    #else
-        word32 W_K[64]  ;
-    #endif
+    if (sha256 == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
 
-    MOVE_to_REG(W_I_16, sha256->buffer[0]);     BYTE_SWAP(W_I_16, mBYTE_FLIP_MASK_16[0]) ;
-    MOVE_to_REG(W_I_15, sha256->buffer[1]);     BYTE_SWAP(W_I_15, mBYTE_FLIP_MASK_15[0]) ;
-    MOVE_to_REG(W_I,    sha256->buffer[8]) ;    BYTE_SWAP(W_I,    mBYTE_FLIP_MASK_16[0]) ;
-    MOVE_to_REG(W_I_7,  sha256->buffer[16-7]) ; BYTE_SWAP(W_I_7,  mBYTE_FLIP_MASK_7[0])  ;
-    MOVE_to_REG(W_I_2,  sha256->buffer[16-2]) ; BYTE_SWAP(W_I_2,  mBYTE_FLIP_MASK_2[0])  ;
-
-    DigestToReg(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;
-
-    ADD_MEM(W_K_TEMP, W_I_16, K[0]) ;
-    MOVE_to_MEM(W_K[0], W_K_TEMP) ; 
-
-    RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,0) ;
-    RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,1) ;
-    RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,2) ;
-    RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,3) ;  
-    RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,4) ;
-    RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,5) ;
-    RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,6) ;
-    RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,7) ;
-
-    ADD_MEM(YMM_TEMP0, W_I, K[8]) ;
-    MOVE_to_MEM(W_K[8], YMM_TEMP0) ; 
-
-        /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,8) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,9) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,10) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,11) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,12) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,13) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,14) ;
-        GAMMA1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,14) ;
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,14) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[16]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,15) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[16], YMM_TEMP0) ;
-
-        /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,16) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,17) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,18) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ;
-        GAMMA1(YMM_TEMP0, W_I_2) ; 
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,19) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,20) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,21) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,22) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[24]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,23) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[24], YMM_TEMP0) ;
-
-                /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,24) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,25) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,26) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,27) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,28) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,29) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,30) ;
-        GAMMA1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,30) ;
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,30) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[32]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,31) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[32], YMM_TEMP0) ;
-
-        
-                /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,32) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,33) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,33) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,33) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ; 
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,34) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,35) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,35) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,35) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,36) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,36) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,36) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,37) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,37) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,37) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,38) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,38) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,38) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[40]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,39) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[40], YMM_TEMP0) ;
-
-                /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,40) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,41) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,41) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,41) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,42) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,42) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,42) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,43) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,44) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,44) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,44) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,45) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,45) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,45) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,46) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,46) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,46) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[48]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,47) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[48], YMM_TEMP0) ;
-        
-                /* W[i] = Gamma1(W[i-2]) + W[i-7] + Gamma0(W[i-15] + W[i-16]) */
-                RND_0_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ;
-        GAMMA0_1(W_I_TEMP, W_I_15) ;
-                RND_0_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ;
-        GAMMA0_2(W_I_TEMP, W_I_15) ;
-                RND_0_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,48) ;
-        ADD(W_I_TEMP, W_I_16, W_I_TEMP) ;/* for saving W_I before adding incomplete W_I_7 */
-                RND_7_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ;
-        ADD(W_I, W_I_7, W_I_TEMP);
-                RND_7_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ; 
-                RND_7_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,49) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_6_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ;
-        ADD(W_I, W_I, YMM_TEMP0) ;/* now W[16..17] are completed */
-                RND_6_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ;
-        FEEDBACK1_to_W_I_2 ;
-                RND_6_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,50) ;
-        FEEDBACK_to_W_I_7 ; 
-                RND_5_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ;
-        ADD(W_I_TEMP, W_I_7, W_I_TEMP);
-                RND_5_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_5_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,51) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_4_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,52) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ;/* now W[16..19] are completed */
-                RND_4_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,52) ;
-        FEEDBACK2_to_W_I_2 ;
-                RND_4_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,52) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_3_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,53) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_3_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,53) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..21] are completed */
-                RND_3_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,53) ;
-        FEEDBACK3_to_W_I_2 ;
-                RND_2_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ;
-        GAMMA1_1(YMM_TEMP0, W_I_2) ;
-                RND_2_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ;
-        GAMMA1_2(YMM_TEMP0, W_I_2) ;
-                RND_2_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,54) ;
-        ADD(W_I, W_I_TEMP, YMM_TEMP0) ; /* now W[16..23] are completed */
-                RND_1_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ;
-
-        MOVE_to_REG(YMM_TEMP0, K[56]) ;    
-                RND_1_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ;
-        ROTATE_W(W_I_16, W_I_15, W_I_7, W_I_2, W_I) ;
-                RND_1_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,55) ;
-        ADD(YMM_TEMP0, YMM_TEMP0, W_I) ;
-        MOVE_to_MEM(W_K[56], YMM_TEMP0) ;        
-        
-        RND_0(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,56) ;
-        RND_7(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,57) ;
-        RND_6(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,58) ;
-        RND_5(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,59) ;
-
-        RND_4(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,60) ;
-        RND_3(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,61) ;
-        RND_2(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,62) ;
-        RND_1(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7,63) ;
-
-    RegToDigest(S_0,S_1,S_2,S_3,S_4,S_5,S_6,S_7) ;  
-
-    #ifdef WOLFSSL_SMALL_STACK
-        XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    #endif
-    
-    return 0;
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    if(sha256->ctx.mode == ESP32_SHA_INIT){
+        esp_sha_try_hw_lock(&sha256->ctx);
+    }
+    if(sha256->ctx.mode == ESP32_SHA_HW)
+    {
+        esp_sha256_digest_process(sha256, 0);
+    }
+#endif
+    ret = wc_Sha256Copy(sha256, &tmpSha256);
+    if (ret == 0) {
+        ret = wc_Sha256Final(&tmpSha256, hash);
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        sha256->ctx.mode = ESP32_SHA_SW;
+#endif
+
+        wc_Sha256Free(&tmpSha256);
+    }
+    return ret;
 }
+int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
+{
+    int ret = 0;
 
-#endif   /* HAVE_INTEL_AVX2 */
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
 
-#endif   /* HAVE_FIPS */
+    XMEMCPY(dst, src, sizeof(wc_Sha256));
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    dst->W = NULL;
+#endif
 
-#endif   /* WOLFSSL_TI_HAHS */
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#ifdef WOLFSSL_PIC32MZ_HASH
+    ret = wc_Pic32HashCopy(&src->cache, &dst->cache);
+#endif
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+     dst->ctx.mode = src->ctx.mode;
+     dst->ctx.isfirstblock = src->ctx.isfirstblock;
+     dst->ctx.sha_type = src->ctx.sha_type;
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+     dst->flags |= WC_HASH_FLAG_ISCOPY;
+#endif
 
-#endif /* NO_SHA256 */
+    return ret;
+}
+#endif
+
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_Sha256SetFlags(wc_Sha256* sha256, word32 flags)
+{
+    if (sha256) {
+        sha256->flags = flags;
+    }
+    return 0;
+}
+int wc_Sha256GetFlags(wc_Sha256* sha256, word32* flags)
+{
+    if (sha256 && flags) {
+        *flags = sha256->flags;
+    }
+    return 0;
+}
+#endif
+#endif /* !WOLFSSL_TI_HASH */
 
+#endif /* NO_SHA256 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256_asm.S
new file mode 100644
index 000000000..c433d341c
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha256_asm.S
@@ -0,0 +1,22653 @@
+/* sha256_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifdef HAVE_INTEL_AVX1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+L_avx1_sha256_k:
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_sha256_shuf_00BA:
+.quad	0xb0a090803020100, 0xffffffffffffffff
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_sha256_shuf_DC00:
+.quad	0xffffffffffffffff, 0xb0a090803020100
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_sha256_flip_mask:
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX1
+.type	Transform_Sha256_AVX1,@function
+.align	4
+Transform_Sha256_AVX1:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX1
+.p2align	2
+_Transform_Sha256_AVX1:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x40, %rsp
+        leaq	32(%rdi), %rax
+        vmovdqa	L_avx1_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx1_sha256_shuf_00BA(%rip), %xmm11
+        vmovdqa	L_avx1_sha256_shuf_DC00(%rip), %xmm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        movl	%r9d, %ebx
+        movl	%r12d, %edx
+        xorl	%r10d, %ebx
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	16+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	32+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	48+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 4
+        vpaddd	64+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	80+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	96+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	112+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 8
+        vpaddd	128+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	144+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	160+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	176+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 12
+        vpaddd	192+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	208+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	224+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	240+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # rnd_all_4: 0-3
+        addl	(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	4(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	8(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	12(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 1-4
+        addl	16(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	20(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	24(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	28(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 2-5
+        addl	32(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	36(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	40(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	44(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 3-6
+        addl	48(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        addl	%r8d, (%rdi)
+        addl	%r9d, 4(%rdi)
+        addl	%r10d, 8(%rdi)
+        addl	%r11d, 12(%rdi)
+        addl	%r12d, 16(%rdi)
+        addl	%r13d, 20(%rdi)
+        addl	%r14d, 24(%rdi)
+        addl	%r15d, 28(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX1,.-Transform_Sha256_AVX1
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX1_Len
+.type	Transform_Sha256_AVX1_Len,@function
+.align	4
+Transform_Sha256_AVX1_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX1_Len
+.p2align	2
+_Transform_Sha256_AVX1_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        movq	%rdx, %rsi
+        subq	$0x40, %rsp
+        vmovdqa	L_avx1_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx1_sha256_shuf_00BA(%rip), %xmm11
+        vmovdqa	L_avx1_sha256_shuf_DC00(%rip), %xmm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # Start of loop processing a block
+L_sha256_len_avx1_start:
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rbp), %xmm0
+        vmovdqu	16(%rbp), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vmovdqu	32(%rbp), %xmm2
+        vmovdqu	48(%rbp), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        movl	%r9d, %ebx
+        movl	%r12d, %edx
+        xorl	%r10d, %ebx
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	16+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	32+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	48+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 4
+        vpaddd	64+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	80+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	96+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	112+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 8
+        vpaddd	128+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	144+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	160+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	176+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	16(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	20(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	24(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	28(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	32(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	36(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	40(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	44(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	48(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %xmm5, %xmm8
+        vpslld	$14, %xmm5, %xmm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%xmm6, %xmm7, %xmm6
+        vpor	%xmm8, %xmm9, %xmm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	52(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %xmm5, %xmm9
+        vpxor	%xmm6, %xmm8, %xmm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%xmm6, %xmm9, %xmm5
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	56(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%xmm6, %xmm7, %xmm6
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	60(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %xmm6, %xmm8
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %xmm6, %xmm9
+        vpxor	%xmm8, %xmm7, %xmm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%xmm9, %xmm8, %xmm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 12
+        vpaddd	192+L_avx1_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	208+L_avx1_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	224+L_avx1_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	240+L_avx1_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # rnd_all_4: 0-3
+        addl	(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	4(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	8(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	12(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 1-4
+        addl	16(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	20(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	24(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	28(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 2-5
+        addl	32(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	36(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	40(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	44(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 3-6
+        addl	48(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        addq	$0x40, %rbp
+        subl	$0x40, %esi
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        jnz	L_sha256_len_avx1_start
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x40, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX1_Len,.-Transform_Sha256_AVX1_Len
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+L_avx1_rorx_sha256_k:
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_rorx_sha256_shuf_00BA:
+.quad	0xb0a090803020100, 0xffffffffffffffff
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_rorx_sha256_shuf_DC00:
+.quad	0xffffffffffffffff, 0xb0a090803020100
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_rorx_sha256_flip_mask:
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX1_RORX
+.type	Transform_Sha256_AVX1_RORX,@function
+.align	4
+Transform_Sha256_AVX1_RORX:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX1_RORX
+.p2align	2
+_Transform_Sha256_AVX1_RORX:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x40, %rsp
+        vmovdqa	L_avx1_rorx_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx1_rorx_sha256_shuf_00BA(%rip), %xmm11
+        vmovdqa	L_avx1_rorx_sha256_shuf_DC00(%rip), %xmm12
+        leaq	32(%rdi), %rax
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	16+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	32+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	48+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        movl	%r9d, %ebx
+        rorxl	$6, %r12d, %edx
+        xorl	%r10d, %ebx
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 4
+        vpaddd	64+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	80+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	96+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	112+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 8
+        vpaddd	128+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	144+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	160+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	176+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 12
+        vpaddd	192+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	208+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	224+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	240+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        xorl	%eax, %eax
+        # rnd_all_4: 0-3
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        addl	%eax, %r8d
+        addl	(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	4(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        addl	%eax, %r14d
+        addl	8(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	12(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        # rnd_all_4: 1-4
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        addl	%eax, %r12d
+        addl	16(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	20(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        addl	%eax, %r10d
+        addl	24(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	28(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        # rnd_all_4: 2-5
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        addl	%eax, %r8d
+        addl	32(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	36(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        addl	%eax, %r14d
+        addl	40(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	44(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        # rnd_all_4: 3-6
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        addl	%eax, %r12d
+        addl	48(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        addl	%eax, %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        addl	%eax, %r8d
+        addl	%r8d, (%rdi)
+        addl	%r9d, 4(%rdi)
+        addl	%r10d, 8(%rdi)
+        addl	%r11d, 12(%rdi)
+        addl	%r12d, 16(%rdi)
+        addl	%r13d, 20(%rdi)
+        addl	%r14d, 24(%rdi)
+        addl	%r15d, 28(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x40, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX1_RORX,.-Transform_Sha256_AVX1_RORX
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX1_RORX_Len
+.type	Transform_Sha256_AVX1_RORX_Len,@function
+.align	4
+Transform_Sha256_AVX1_RORX_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX1_RORX_Len
+.p2align	2
+_Transform_Sha256_AVX1_RORX_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        movq	%rdx, %rsi
+        subq	$0x40, %rsp
+        vmovdqa	L_avx1_rorx_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx1_rorx_sha256_shuf_00BA(%rip), %xmm11
+        vmovdqa	L_avx1_rorx_sha256_shuf_DC00(%rip), %xmm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # Start of loop processing a block
+L_sha256_len_avx1_len_rorx_start:
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rbp), %xmm0
+        vmovdqu	16(%rbp), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vmovdqu	32(%rbp), %xmm2
+        vmovdqu	48(%rbp), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	16+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	32+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	48+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        movl	%r9d, %ebx
+        rorxl	$6, %r12d, %edx
+        xorl	%r10d, %ebx
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 4
+        vpaddd	64+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	80+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	96+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	112+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 8
+        vpaddd	128+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	144+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	160+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	176+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %xmm2, %xmm3, %xmm4
+        vpalignr	$4, %xmm0, %xmm1, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm3, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm0, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-7
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	16(%rsp), %r11d
+        vpalignr	$4, %xmm3, %xmm0, %xmm4
+        vpalignr	$4, %xmm1, %xmm2, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	20(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm0, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	24(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm1, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	28(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	32(%rsp), %r15d
+        vpalignr	$4, %xmm0, %xmm1, %xmm4
+        vpalignr	$4, %xmm2, %xmm3, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	36(%rsp), %r14d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpshufd	$0xfa, %xmm1, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	40(%rsp), %r13d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm2, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	44(%rsp), %r12d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vpaddd	%xmm4, %xmm9, %xmm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-15
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	48(%rsp), %r11d
+        vpalignr	$4, %xmm1, %xmm2, %xmm4
+        vpalignr	$4, %xmm3, %xmm0, %xmm5
+        # rnd_0: 1 - 2
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %xmm5, %xmm6
+        vpslld	$25, %xmm5, %xmm7
+        # rnd_0: 3 - 4
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$3, %xmm5, %xmm8
+        vpor	%xmm6, %xmm7, %xmm7
+        # rnd_0: 5 - 7
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	52(%rsp), %r10d
+        vpsrld	$18, %xmm5, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpslld	$14, %xmm5, %xmm5
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpxor	%xmm5, %xmm7, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%xmm6, %xmm7, %xmm7
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpshufd	$0xfa, %xmm2, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        vpxor	%xmm8, %xmm7, %xmm5
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrld	$10, %xmm6, %xmm8
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	56(%rsp), %r9d
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        vpaddd	%xmm3, %xmm4, %xmm4
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%xmm5, %xmm4, %xmm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpxor	%xmm6, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufb	%xmm11, %xmm8, %xmm8
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpaddd	%xmm8, %xmm4, %xmm4
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	60(%rsp), %r8d
+        vpshufd	$0x50, %xmm4, %xmm6
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpsrld	$10, %xmm6, %xmm9
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpsrlq	$19, %xmm6, %xmm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpsrlq	$0x11, %xmm6, %xmm6
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpxor	%xmm7, %xmm6, %xmm6
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        vpxor	%xmm6, %xmm9, %xmm9
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        vpshufb	%xmm12, %xmm9, %xmm9
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vpaddd	%xmm4, %xmm9, %xmm3
+        # msg_sched done: 12-15
+        # set_w_k_xfer_4: 12
+        vpaddd	192+L_avx1_rorx_sha256_k(%rip), %xmm0, %xmm4
+        vpaddd	208+L_avx1_rorx_sha256_k(%rip), %xmm1, %xmm5
+        vmovdqu	%xmm4, (%rsp)
+        vmovdqu	%xmm5, 16(%rsp)
+        vpaddd	224+L_avx1_rorx_sha256_k(%rip), %xmm2, %xmm6
+        vpaddd	240+L_avx1_rorx_sha256_k(%rip), %xmm3, %xmm7
+        vmovdqu	%xmm6, 32(%rsp)
+        vmovdqu	%xmm7, 48(%rsp)
+        xorl	%eax, %eax
+        xorl	%ecx, %ecx
+        # rnd_all_4: 0-3
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        addl	%eax, %r8d
+        addl	(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	4(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        addl	%eax, %r14d
+        addl	8(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	12(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        # rnd_all_4: 1-4
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        addl	%eax, %r12d
+        addl	16(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	20(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        addl	%eax, %r10d
+        addl	24(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	28(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        # rnd_all_4: 2-5
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        addl	%eax, %r8d
+        addl	32(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	36(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        addl	%eax, %r14d
+        addl	40(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	44(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        # rnd_all_4: 3-6
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        addl	%eax, %r12d
+        addl	48(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        addl	%eax, %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        addl	%eax, %r8d
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        addq	$0x40, %rbp
+        subl	$0x40, %esi
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        jnz	L_sha256_len_avx1_len_rorx_start
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x40, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX1_RORX_Len,.-Transform_Sha256_AVX1_RORX_Len
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX1 */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+L_avx2_sha256_k:
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_sha256_shuf_00BA:
+.quad	0xb0a090803020100, 0xffffffffffffffff
+.quad	0xb0a090803020100, 0xffffffffffffffff
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_sha256_shuf_DC00:
+.quad	0xffffffffffffffff, 0xb0a090803020100
+.quad	0xffffffffffffffff, 0xb0a090803020100
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_sha256_flip_mask:
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX2
+.type	Transform_Sha256_AVX2,@function
+.align	4
+Transform_Sha256_AVX2:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX2
+.p2align	2
+_Transform_Sha256_AVX2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x200, %rsp
+        leaq	32(%rdi), %rax
+        vmovdqa	L_avx2_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx2_sha256_shuf_00BA(%rip), %ymm11
+        vmovdqa	L_avx2_sha256_shuf_DC00(%rip), %ymm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        movl	%r9d, %ebx
+        movl	%r12d, %edx
+        xorl	%r10d, %ebx
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	32+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, (%rsp)
+        vmovdqu	%ymm5, 32(%rsp)
+        vpaddd	64+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	96+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 64(%rsp)
+        vmovdqu	%ymm5, 96(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 0-3
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	32(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	36(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	40(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	44(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 8-11
+        # msg_sched: 16-19
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	64(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	68(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	72(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	76(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 16-19
+        # msg_sched: 24-27
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	96(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	100(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	104(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	108(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 24-27
+        # set_w_k_xfer_4: 4
+        vpaddd	128+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	160+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 128(%rsp)
+        vmovdqu	%ymm5, 160(%rsp)
+        vpaddd	192+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	224+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 192(%rsp)
+        vmovdqu	%ymm5, 224(%rsp)
+        # msg_sched: 32-35
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	128(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	132(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	136(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	140(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 32-35
+        # msg_sched: 40-43
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	160(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	164(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	168(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	172(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 40-43
+        # msg_sched: 48-51
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	192(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	196(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	200(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	204(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 48-51
+        # msg_sched: 56-59
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	224(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	228(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	232(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	236(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 56-59
+        # set_w_k_xfer_4: 8
+        vpaddd	256+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	288+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 256(%rsp)
+        vmovdqu	%ymm5, 288(%rsp)
+        vpaddd	320+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	352+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 320(%rsp)
+        vmovdqu	%ymm5, 352(%rsp)
+        # msg_sched: 64-67
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	256(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	260(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	264(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	268(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 64-67
+        # msg_sched: 72-75
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	288(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	292(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	296(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	300(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 72-75
+        # msg_sched: 80-83
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	320(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	324(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	328(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	332(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 80-83
+        # msg_sched: 88-91
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	352(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	356(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	360(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	364(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 88-91
+        # set_w_k_xfer_4: 12
+        vpaddd	384+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	416+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 384(%rsp)
+        vmovdqu	%ymm5, 416(%rsp)
+        vpaddd	448+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	480+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 448(%rsp)
+        vmovdqu	%ymm5, 480(%rsp)
+        # rnd_all_4: 24-27
+        addl	384(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	388(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	392(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	396(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 26-29
+        addl	416(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	420(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	424(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	428(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 28-31
+        addl	448(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	452(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	456(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	460(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 30-33
+        addl	480(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	484(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	488(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	492(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        addl	%r8d, (%rdi)
+        addl	%r9d, 4(%rdi)
+        addl	%r10d, 8(%rdi)
+        addl	%r11d, 12(%rdi)
+        addl	%r12d, 16(%rdi)
+        addl	%r13d, 20(%rdi)
+        addl	%r14d, 24(%rdi)
+        addl	%r15d, 28(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x200, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX2,.-Transform_Sha256_AVX2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX2_Len
+.type	Transform_Sha256_AVX2_Len,@function
+.align	4
+Transform_Sha256_AVX2_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX2_Len
+.p2align	2
+_Transform_Sha256_AVX2_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        movq	%rdx, %rsi
+        subq	$0x200, %rsp
+        testb	$0x40, %sil
+        je	L_sha256_len_avx2_block
+        vmovdqu	(%rbp), %ymm0
+        vmovdqu	32(%rbp), %ymm1
+        vmovups	%ymm0, 32(%rdi)
+        vmovups	%ymm1, 64(%rdi)
+#ifndef __APPLE__
+        call	Transform_Sha256_AVX2@plt
+#else
+        call	_Transform_Sha256_AVX2
+#endif /* __APPLE__ */
+        addq	$0x40, %rbp
+        subl	$0x40, %esi
+        jz	L_sha256_len_avx2_done
+L_sha256_len_avx2_block:
+        vmovdqa	L_avx2_sha256_flip_mask(%rip), %ymm13
+        vmovdqa	L_avx2_sha256_shuf_00BA(%rip), %ymm11
+        vmovdqa	L_avx2_sha256_shuf_DC00(%rip), %ymm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # Start of loop processing two blocks
+L_sha256_len_avx2_start:
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rbp), %xmm0
+        vmovdqu	16(%rbp), %xmm1
+        vmovdqu	64(%rbp), %xmm4
+        vmovdqu	80(%rbp), %xmm5
+        vinserti128	$0x01, %xmm4, %ymm0, %ymm0
+        vinserti128	$0x01, %xmm5, %ymm1, %ymm1
+        vpshufb	%ymm13, %ymm0, %ymm0
+        vpshufb	%ymm13, %ymm1, %ymm1
+        vmovdqu	32(%rbp), %xmm2
+        vmovdqu	48(%rbp), %xmm3
+        vmovdqu	96(%rbp), %xmm6
+        vmovdqu	112(%rbp), %xmm7
+        vinserti128	$0x01, %xmm6, %ymm2, %ymm2
+        vinserti128	$0x01, %xmm7, %ymm3, %ymm3
+        vpshufb	%ymm13, %ymm2, %ymm2
+        vpshufb	%ymm13, %ymm3, %ymm3
+        movl	%r9d, %ebx
+        movl	%r12d, %edx
+        xorl	%r10d, %ebx
+        # set_w_k_xfer_4: 0
+        vpaddd	0+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	32+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, (%rsp)
+        vmovdqu	%ymm5, 32(%rsp)
+        vpaddd	64+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	96+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 64(%rsp)
+        vmovdqu	%ymm5, 96(%rsp)
+        # msg_sched: 0-3
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	4(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	8(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	12(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 0-3
+        # msg_sched: 8-11
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	32(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	36(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	40(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	44(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 8-11
+        # msg_sched: 16-19
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	64(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	68(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	72(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	76(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 16-19
+        # msg_sched: 24-27
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	96(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	100(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	104(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	108(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 24-27
+        # set_w_k_xfer_4: 4
+        vpaddd	128+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	160+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 128(%rsp)
+        vmovdqu	%ymm5, 160(%rsp)
+        vpaddd	192+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	224+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 192(%rsp)
+        vmovdqu	%ymm5, 224(%rsp)
+        # msg_sched: 32-35
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	128(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	132(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	136(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	140(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 32-35
+        # msg_sched: 40-43
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	160(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	164(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	168(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	172(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 40-43
+        # msg_sched: 48-51
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	192(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	196(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	200(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	204(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 48-51
+        # msg_sched: 56-59
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	224(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	228(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	232(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	236(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 56-59
+        # set_w_k_xfer_4: 8
+        vpaddd	256+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	288+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 256(%rsp)
+        vmovdqu	%ymm5, 288(%rsp)
+        vpaddd	320+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	352+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 320(%rsp)
+        vmovdqu	%ymm5, 352(%rsp)
+        # msg_sched: 64-67
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	256(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	260(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm3, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	264(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	268(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # msg_sched done: 64-67
+        # msg_sched: 72-75
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	288(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	292(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm0, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	296(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	300(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # msg_sched done: 72-75
+        # msg_sched: 80-83
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r9d, %eax
+        movl	%r13d, %ecx
+        addl	320(%rsp), %r15d
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        andl	%r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r14d, %ecx
+        xorl	%r12d, %edx
+        addl	%ecx, %r15d
+        rorl	$6, %edx
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        movl	%r8d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r8d, %ebx
+        movl	%r12d, %ecx
+        addl	324(%rsp), %r14d
+        xorl	%r13d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r11d, %edx
+        andl	%r11d, %ecx
+        rorl	$5, %edx
+        xorl	%r13d, %ecx
+        xorl	%r11d, %edx
+        addl	%ecx, %r14d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm1, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        movl	%r15d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r15d, %eax
+        movl	%r11d, %ecx
+        addl	328(%rsp), %r13d
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        andl	%r10d, %ecx
+        rorl	$5, %edx
+        xorl	%r12d, %ecx
+        xorl	%r10d, %edx
+        addl	%ecx, %r13d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        movl	%r14d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r14d, %ebx
+        movl	%r10d, %ecx
+        addl	332(%rsp), %r12d
+        xorl	%r11d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r9d, %edx
+        andl	%r9d, %ecx
+        rorl	$5, %edx
+        xorl	%r11d, %ecx
+        xorl	%r9d, %edx
+        addl	%ecx, %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        movl	%r13d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # msg_sched done: 80-83
+        # msg_sched: 88-91
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 1 - 2
+        movl	%r13d, %eax
+        movl	%r9d, %ecx
+        addl	352(%rsp), %r11d
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        andl	%r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 3 - 4
+        rorl	$5, %edx
+        xorl	%r10d, %ecx
+        xorl	%r8d, %edx
+        addl	%ecx, %r11d
+        rorl	$6, %edx
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        movl	%r12d, %ecx
+        vpsrld	$18, %ymm5, %ymm8
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 5 - 6
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        vpor	%ymm6, %ymm7, %ymm6
+        vpor	%ymm8, %ymm9, %ymm8
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        # rnd_1: 0 - 1
+        rorl	$14, %edx
+        movl	%r12d, %ebx
+        movl	%r8d, %ecx
+        addl	356(%rsp), %r10d
+        xorl	%r9d, %ecx
+        vpsrld	$3, %ymm5, %ymm9
+        vpxor	%ymm6, %ymm8, %ymm6
+        # rnd_1: 2 - 3
+        xorl	%r15d, %edx
+        andl	%r15d, %ecx
+        rorl	$5, %edx
+        xorl	%r9d, %ecx
+        xorl	%r15d, %edx
+        addl	%ecx, %r10d
+        vpxor	%ymm6, %ymm9, %ymm5
+        vpshufd	$0xfa, %ymm2, %ymm6
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        movl	%r11d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        vpsrld	$10, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 6 - 7
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        # rnd_0: 0 - 0
+        rorl	$14, %edx
+        vpsrlq	$0x11, %ymm6, %ymm6
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 1 - 3
+        movl	%r11d, %eax
+        movl	%r15d, %ecx
+        addl	360(%rsp), %r9d
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        andl	%r14d, %ecx
+        rorl	$5, %edx
+        xorl	%r8d, %ecx
+        xorl	%r14d, %edx
+        addl	%ecx, %r9d
+        vpxor	%ymm6, %ymm7, %ymm6
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 4 - 4
+        rorl	$6, %edx
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        movl	%r10d, %ecx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 5 - 5
+        andl	%eax, %ebx
+        rorl	$9, %ecx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 6 - 6
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 7 - 7
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        # rnd_1: 0 - 0
+        rorl	$14, %edx
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_1: 1 - 1
+        movl	%r10d, %ebx
+        movl	%r14d, %ecx
+        addl	364(%rsp), %r8d
+        xorl	%r15d, %ecx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 2 - 3
+        xorl	%r13d, %edx
+        andl	%r13d, %ecx
+        rorl	$5, %edx
+        xorl	%r15d, %ecx
+        xorl	%r13d, %edx
+        addl	%ecx, %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        vpxor	%ymm8, %ymm7, %ymm8
+        # rnd_1: 4 - 5
+        rorl	$6, %edx
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        movl	%r9d, %ecx
+        andl	%ebx, %eax
+        rorl	$9, %ecx
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        vpxor	%ymm9, %ymm8, %ymm9
+        # rnd_1: 6 - 6
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 7 - 7
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # msg_sched done: 88-91
+        # set_w_k_xfer_4: 12
+        vpaddd	384+L_avx2_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	416+L_avx2_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, 384(%rsp)
+        vmovdqu	%ymm5, 416(%rsp)
+        vpaddd	448+L_avx2_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	480+L_avx2_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 448(%rsp)
+        vmovdqu	%ymm5, 480(%rsp)
+        # rnd_all_4: 24-27
+        addl	384(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	388(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	392(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	396(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 26-29
+        addl	416(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	420(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	424(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	428(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 28-31
+        addl	448(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	452(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	456(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	460(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 30-33
+        addl	480(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	484(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	488(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	492(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        movl	%r9d, %ebx
+        movl	%r12d, %edx
+        xorl	%r10d, %ebx
+        # rnd_all_4: 1-4
+        addl	16(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	20(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	24(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	28(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 3-6
+        addl	48(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 5-8
+        addl	80(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	84(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	88(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	92(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 7-10
+        addl	112(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	116(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	120(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	124(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 9-12
+        addl	144(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	148(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	152(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	156(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 11-14
+        addl	176(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	180(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	184(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	188(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 13-16
+        addl	208(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	212(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	216(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	220(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 15-18
+        addl	240(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	244(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	248(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	252(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 17-20
+        addl	272(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	276(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	280(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	284(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 19-22
+        addl	304(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	308(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	312(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	316(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 21-24
+        addl	336(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	340(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	344(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	348(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 23-26
+        addl	368(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	372(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	376(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	380(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 25-28
+        addl	400(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	404(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	408(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	412(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 27-30
+        addl	432(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	436(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	440(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	444(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        # rnd_all_4: 29-32
+        addl	464(%rsp), %r15d
+        movl	%r13d, %ecx
+        movl	%r9d, %eax
+        xorl	%r14d, %ecx
+        rorl	$14, %edx
+        andl	%r12d, %ecx
+        xorl	%r12d, %edx
+        xorl	%r14d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r15d
+        xorl	%r12d, %edx
+        xorl	%r8d, %eax
+        rorl	$6, %edx
+        movl	%r8d, %ecx
+        addl	%edx, %r15d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r8d, %ecx
+        xorl	%r9d, %ebx
+        rorl	$11, %ecx
+        addl	%r15d, %r11d
+        xorl	%r8d, %ecx
+        addl	%ebx, %r15d
+        rorl	$2, %ecx
+        movl	%r11d, %edx
+        addl	%ecx, %r15d
+        addl	468(%rsp), %r14d
+        movl	%r12d, %ecx
+        movl	%r8d, %ebx
+        xorl	%r13d, %ecx
+        rorl	$14, %edx
+        andl	%r11d, %ecx
+        xorl	%r11d, %edx
+        xorl	%r13d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r14d
+        xorl	%r11d, %edx
+        xorl	%r15d, %ebx
+        rorl	$6, %edx
+        movl	%r15d, %ecx
+        addl	%edx, %r14d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r15d, %ecx
+        xorl	%r8d, %eax
+        rorl	$11, %ecx
+        addl	%r14d, %r10d
+        xorl	%r15d, %ecx
+        addl	%eax, %r14d
+        rorl	$2, %ecx
+        movl	%r10d, %edx
+        addl	%ecx, %r14d
+        addl	472(%rsp), %r13d
+        movl	%r11d, %ecx
+        movl	%r15d, %eax
+        xorl	%r12d, %ecx
+        rorl	$14, %edx
+        andl	%r10d, %ecx
+        xorl	%r10d, %edx
+        xorl	%r12d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r13d
+        xorl	%r10d, %edx
+        xorl	%r14d, %eax
+        rorl	$6, %edx
+        movl	%r14d, %ecx
+        addl	%edx, %r13d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r14d, %ecx
+        xorl	%r15d, %ebx
+        rorl	$11, %ecx
+        addl	%r13d, %r9d
+        xorl	%r14d, %ecx
+        addl	%ebx, %r13d
+        rorl	$2, %ecx
+        movl	%r9d, %edx
+        addl	%ecx, %r13d
+        addl	476(%rsp), %r12d
+        movl	%r10d, %ecx
+        movl	%r14d, %ebx
+        xorl	%r11d, %ecx
+        rorl	$14, %edx
+        andl	%r9d, %ecx
+        xorl	%r9d, %edx
+        xorl	%r11d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r12d
+        xorl	%r9d, %edx
+        xorl	%r13d, %ebx
+        rorl	$6, %edx
+        movl	%r13d, %ecx
+        addl	%edx, %r12d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r13d, %ecx
+        xorl	%r14d, %eax
+        rorl	$11, %ecx
+        addl	%r12d, %r8d
+        xorl	%r13d, %ecx
+        addl	%eax, %r12d
+        rorl	$2, %ecx
+        movl	%r8d, %edx
+        addl	%ecx, %r12d
+        # rnd_all_4: 31-34
+        addl	496(%rsp), %r11d
+        movl	%r9d, %ecx
+        movl	%r13d, %eax
+        xorl	%r10d, %ecx
+        rorl	$14, %edx
+        andl	%r8d, %ecx
+        xorl	%r8d, %edx
+        xorl	%r10d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r11d
+        xorl	%r8d, %edx
+        xorl	%r12d, %eax
+        rorl	$6, %edx
+        movl	%r12d, %ecx
+        addl	%edx, %r11d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r12d, %ecx
+        xorl	%r13d, %ebx
+        rorl	$11, %ecx
+        addl	%r11d, %r15d
+        xorl	%r12d, %ecx
+        addl	%ebx, %r11d
+        rorl	$2, %ecx
+        movl	%r15d, %edx
+        addl	%ecx, %r11d
+        addl	500(%rsp), %r10d
+        movl	%r8d, %ecx
+        movl	%r12d, %ebx
+        xorl	%r9d, %ecx
+        rorl	$14, %edx
+        andl	%r15d, %ecx
+        xorl	%r15d, %edx
+        xorl	%r9d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r10d
+        xorl	%r15d, %edx
+        xorl	%r11d, %ebx
+        rorl	$6, %edx
+        movl	%r11d, %ecx
+        addl	%edx, %r10d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r11d, %ecx
+        xorl	%r12d, %eax
+        rorl	$11, %ecx
+        addl	%r10d, %r14d
+        xorl	%r11d, %ecx
+        addl	%eax, %r10d
+        rorl	$2, %ecx
+        movl	%r14d, %edx
+        addl	%ecx, %r10d
+        addl	504(%rsp), %r9d
+        movl	%r15d, %ecx
+        movl	%r11d, %eax
+        xorl	%r8d, %ecx
+        rorl	$14, %edx
+        andl	%r14d, %ecx
+        xorl	%r14d, %edx
+        xorl	%r8d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r9d
+        xorl	%r14d, %edx
+        xorl	%r10d, %eax
+        rorl	$6, %edx
+        movl	%r10d, %ecx
+        addl	%edx, %r9d
+        rorl	$9, %ecx
+        andl	%eax, %ebx
+        xorl	%r10d, %ecx
+        xorl	%r11d, %ebx
+        rorl	$11, %ecx
+        addl	%r9d, %r13d
+        xorl	%r10d, %ecx
+        addl	%ebx, %r9d
+        rorl	$2, %ecx
+        movl	%r13d, %edx
+        addl	%ecx, %r9d
+        addl	508(%rsp), %r8d
+        movl	%r14d, %ecx
+        movl	%r10d, %ebx
+        xorl	%r15d, %ecx
+        rorl	$14, %edx
+        andl	%r13d, %ecx
+        xorl	%r13d, %edx
+        xorl	%r15d, %ecx
+        rorl	$5, %edx
+        addl	%ecx, %r8d
+        xorl	%r13d, %edx
+        xorl	%r9d, %ebx
+        rorl	$6, %edx
+        movl	%r9d, %ecx
+        addl	%edx, %r8d
+        rorl	$9, %ecx
+        andl	%ebx, %eax
+        xorl	%r9d, %ecx
+        xorl	%r10d, %eax
+        rorl	$11, %ecx
+        addl	%r8d, %r12d
+        xorl	%r9d, %ecx
+        addl	%eax, %r8d
+        rorl	$2, %ecx
+        movl	%r12d, %edx
+        addl	%ecx, %r8d
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        addq	$0x80, %rbp
+        subl	$0x80, %esi
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        jnz	L_sha256_len_avx2_start
+L_sha256_len_avx2_done:
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x200, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX2_Len,.-Transform_Sha256_AVX2_Len
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+L_avx2_rorx_sha256_k:
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0xe49b69c1,0xefbe4786,0xfc19dc6,0x240ca1cc
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0xc6e00bf3,0xd5a79147,0x6ca6351,0x14292967
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0xd192e819,0xd6990624,0xf40e3585,0x106aa070
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+.long	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_rorx_sha256_flip_mask:
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+.quad	0x405060700010203, 0xc0d0e0f08090a0b
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_rorx_sha256_shuf_00BA:
+.quad	0xb0a090803020100, 0xffffffffffffffff
+.quad	0xb0a090803020100, 0xffffffffffffffff
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_rorx_sha256_shuf_DC00:
+.quad	0xffffffffffffffff, 0xb0a090803020100
+.quad	0xffffffffffffffff, 0xb0a090803020100
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX2_RORX
+.type	Transform_Sha256_AVX2_RORX,@function
+.align	4
+Transform_Sha256_AVX2_RORX:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX2_RORX
+.p2align	2
+_Transform_Sha256_AVX2_RORX:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x200, %rsp
+        leaq	32(%rdi), %rax
+        vmovdqa	L_avx2_rorx_sha256_flip_mask(%rip), %xmm13
+        vmovdqa	L_avx2_rorx_sha256_shuf_00BA(%rip), %ymm11
+        vmovdqa	L_avx2_rorx_sha256_shuf_DC00(%rip), %ymm12
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm13, %xmm0, %xmm0
+        vpshufb	%xmm13, %xmm1, %xmm1
+        vpaddd	0+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	32+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, (%rsp)
+        vmovdqu	%ymm5, 32(%rsp)
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm13, %xmm2, %xmm2
+        vpshufb	%xmm13, %xmm3, %xmm3
+        vpaddd	64+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	96+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 64(%rsp)
+        vmovdqu	%ymm5, 96(%rsp)
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        movl	%r9d, %ebx
+        rorxl	$6, %r12d, %edx
+        xorl	%r10d, %ebx
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	128+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 128(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	32(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	36(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	40(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	44(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	160+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 160(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	64(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	68(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	72(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	76(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	192+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 192(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	96(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	100(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	104(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	108(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	224+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 224(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	128(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	132(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	136(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	140(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	256+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 256(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	160(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	164(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	168(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	172(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	288+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 288(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	192(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	196(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	200(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	204(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	320+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 320(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	224(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	228(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	232(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	236(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	352+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 352(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	256(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	260(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	264(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	268(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	384+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 384(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	288(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	292(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	296(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	300(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	416+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 416(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	320(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	324(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	328(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	332(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	448+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 448(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	352(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	356(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	360(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	364(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	480+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 480(%rsp)
+        xorl	%eax, %eax
+        xorl	%ecx, %ecx
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	384(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	388(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	392(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	396(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	416(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	420(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	424(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	428(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	448(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	452(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	456(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	460(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	480(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	484(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	488(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	492(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        addl	%eax, %r8d
+        addl	%r8d, (%rdi)
+        addl	%r9d, 4(%rdi)
+        addl	%r10d, 8(%rdi)
+        addl	%r11d, 12(%rdi)
+        addl	%r12d, 16(%rdi)
+        addl	%r13d, 20(%rdi)
+        addl	%r14d, 24(%rdi)
+        addl	%r15d, 28(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x200, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX2_RORX,.-Transform_Sha256_AVX2_RORX
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha256_AVX2_RORX_Len
+.type	Transform_Sha256_AVX2_RORX_Len,@function
+.align	4
+Transform_Sha256_AVX2_RORX_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha256_AVX2_RORX_Len
+.p2align	2
+_Transform_Sha256_AVX2_RORX_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        movq	%rdx, %rsi
+        subq	$0x200, %rsp
+        testb	$0x40, %sil
+        je	L_sha256_len_avx2_rorx_block
+        vmovdqu	(%rbp), %ymm0
+        vmovdqu	32(%rbp), %ymm1
+        vmovups	%ymm0, 32(%rdi)
+        vmovups	%ymm1, 64(%rdi)
+#ifndef __APPLE__
+        call	Transform_Sha256_AVX2_RORX@plt
+#else
+        call	_Transform_Sha256_AVX2_RORX
+#endif /* __APPLE__ */
+        addq	$0x40, %rbp
+        subl	$0x40, %esi
+        jz	L_sha256_len_avx2_rorx_done
+L_sha256_len_avx2_rorx_block:
+        vmovdqa	L_avx2_rorx_sha256_flip_mask(%rip), %ymm13
+        vmovdqa	L_avx2_rorx_sha256_shuf_00BA(%rip), %ymm11
+        vmovdqa	L_avx2_rorx_sha256_shuf_DC00(%rip), %ymm12
+        movl	(%rdi), %r8d
+        movl	4(%rdi), %r9d
+        movl	8(%rdi), %r10d
+        movl	12(%rdi), %r11d
+        movl	16(%rdi), %r12d
+        movl	20(%rdi), %r13d
+        movl	24(%rdi), %r14d
+        movl	28(%rdi), %r15d
+        # Start of loop processing two blocks
+L_sha256_len_avx2_rorx_start:
+        # X0, X1, X2, X3 = W[0..15]
+        vmovdqu	(%rbp), %xmm0
+        vmovdqu	16(%rbp), %xmm1
+        vinserti128	$0x01, 64(%rbp), %ymm0, %ymm0
+        vinserti128	$0x01, 80(%rbp), %ymm1, %ymm1
+        vpshufb	%ymm13, %ymm0, %ymm0
+        vpshufb	%ymm13, %ymm1, %ymm1
+        vpaddd	0+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        vpaddd	32+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm5
+        vmovdqu	%ymm4, (%rsp)
+        vmovdqu	%ymm5, 32(%rsp)
+        vmovdqu	32(%rbp), %xmm2
+        vmovdqu	48(%rbp), %xmm3
+        vinserti128	$0x01, 96(%rbp), %ymm2, %ymm2
+        vinserti128	$0x01, 112(%rbp), %ymm3, %ymm3
+        vpshufb	%ymm13, %ymm2, %ymm2
+        vpshufb	%ymm13, %ymm3, %ymm3
+        vpaddd	64+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        vpaddd	96+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm5
+        vmovdqu	%ymm4, 64(%rsp)
+        vmovdqu	%ymm5, 96(%rsp)
+        movl	%r9d, %ebx
+        rorxl	$6, %r12d, %edx
+        xorl	%r10d, %ebx
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	4(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	8(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	12(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	128+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 128(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	32(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	36(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	40(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	44(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	160+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 160(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	64(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	68(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	72(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	76(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	192+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 192(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	96(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	100(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	104(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	108(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	224+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 224(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	128(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	132(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	136(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	140(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	256+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 256(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	160(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	164(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	168(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	172(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	288+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 288(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	192(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	196(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	200(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	204(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	320+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 320(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	224(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	228(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	232(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	236(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	352+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 352(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	256(%rsp), %r15d
+        vpalignr	$4, %ymm0, %ymm1, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm2, %ymm3, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	260(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm3, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm0, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	264(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	268(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm0
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	384+L_avx2_rorx_sha256_k(%rip), %ymm0, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 384(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	288(%rsp), %r11d
+        vpalignr	$4, %ymm1, %ymm2, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm3, %ymm0, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	292(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm0, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm1, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	296(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	300(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm1
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	416+L_avx2_rorx_sha256_k(%rip), %ymm1, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 416(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r13d, %eax
+        rorxl	$11, %r12d, %ecx
+        addl	320(%rsp), %r15d
+        vpalignr	$4, %ymm2, %ymm3, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        vpalignr	$4, %ymm0, %ymm1, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r12d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r8d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        xorl	%r14d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r8d, %eax
+        addl	%edx, %r15d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        addl	%ebx, %r15d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r12d, %ebx
+        rorxl	$11, %r11d, %ecx
+        addl	324(%rsp), %r14d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r11d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r15d, %ecx
+        vpshufd	$0xfa, %ymm1, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        xorl	%r13d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r14d, %r10d
+        movl	%r8d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r15d, %ebx
+        addl	%edx, %r14d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        addl	%eax, %r14d
+        vpaddd	%ymm2, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r11d, %eax
+        rorxl	$11, %r10d, %ecx
+        addl	328(%rsp), %r13d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r10d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r14d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        xorl	%r12d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r14d, %eax
+        addl	%edx, %r13d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        addl	%ebx, %r13d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r10d, %ebx
+        rorxl	$11, %r9d, %ecx
+        addl	332(%rsp), %r12d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r9d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r13d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        xorl	%r11d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        vpaddd	%ymm4, %ymm9, %ymm2
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r12d, %r8d
+        movl	%r14d, %ebx
+        vpaddd	448+L_avx2_rorx_sha256_k(%rip), %ymm2, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r13d, %ebx
+        addl	%edx, %r12d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        addl	%eax, %r12d
+        vmovdqu	%ymm4, 448(%rsp)
+        # rnd_0: 0 - 0
+        movl	%r9d, %eax
+        rorxl	$11, %r8d, %ecx
+        addl	352(%rsp), %r11d
+        vpalignr	$4, %ymm3, %ymm0, %ymm5
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        vpalignr	$4, %ymm1, %ymm2, %ymm4
+        # rnd_0: 2 - 2
+        andl	%r8d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r12d, %ecx
+        vpsrld	$7, %ymm5, %ymm6
+        # rnd_0: 3 - 3
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        xorl	%r10d, %eax
+        vpslld	$25, %ymm5, %ymm7
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        vpsrld	$18, %ymm5, %ymm8
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        vpslld	$14, %ymm5, %ymm9
+        # rnd_0: 6 - 6
+        xorl	%r12d, %eax
+        addl	%edx, %r11d
+        andl	%eax, %ebx
+        vpor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 7 - 7
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        addl	%ebx, %r11d
+        vpor	%ymm9, %ymm8, %ymm8
+        # rnd_1: 0 - 0
+        movl	%r8d, %ebx
+        rorxl	$11, %r15d, %ecx
+        addl	356(%rsp), %r10d
+        vpsrld	$3, %ymm5, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        vpxor	%ymm8, %ymm6, %ymm6
+        # rnd_1: 2 - 2
+        andl	%r15d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r11d, %ecx
+        vpshufd	$0xfa, %ymm2, %ymm7
+        # rnd_1: 3 - 3
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        xorl	%r9d, %ebx
+        vpxor	%ymm6, %ymm9, %ymm5
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        vpsrld	$10, %ymm7, %ymm8
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r10d, %r14d
+        movl	%r12d, %ebx
+        vpsrlq	$19, %ymm7, %ymm6
+        # rnd_1: 6 - 6
+        xorl	%r11d, %ebx
+        addl	%edx, %r10d
+        andl	%ebx, %eax
+        vpsrlq	$0x11, %ymm7, %ymm7
+        # rnd_1: 7 - 7
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        addl	%eax, %r10d
+        vpaddd	%ymm3, %ymm4, %ymm4
+        # rnd_0: 0 - 0
+        movl	%r15d, %eax
+        rorxl	$11, %r14d, %ecx
+        addl	360(%rsp), %r9d
+        vpxor	%ymm7, %ymm6, %ymm6
+        # rnd_0: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        vpxor	%ymm6, %ymm8, %ymm8
+        # rnd_0: 2 - 2
+        andl	%r14d, %eax
+        xorl	%ecx, %edx
+        rorxl	$13, %r10d, %ecx
+        vpaddd	%ymm5, %ymm4, %ymm4
+        # rnd_0: 3 - 3
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        xorl	%r8d, %eax
+        vpshufb	%ymm11, %ymm8, %ymm8
+        # rnd_0: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        vpaddd	%ymm8, %ymm4, %ymm4
+        # rnd_0: 5 - 5
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        vpshufd	$0x50, %ymm4, %ymm6
+        # rnd_0: 6 - 6
+        xorl	%r10d, %eax
+        addl	%edx, %r9d
+        andl	%eax, %ebx
+        vpsrlq	$0x11, %ymm6, %ymm8
+        # rnd_0: 7 - 7
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        addl	%ebx, %r9d
+        vpsrlq	$19, %ymm6, %ymm7
+        # rnd_1: 0 - 0
+        movl	%r14d, %ebx
+        rorxl	$11, %r13d, %ecx
+        addl	364(%rsp), %r8d
+        vpsrld	$10, %ymm6, %ymm9
+        # rnd_1: 1 - 1
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        vpxor	%ymm7, %ymm8, %ymm8
+        # rnd_1: 2 - 2
+        andl	%r13d, %ebx
+        xorl	%ecx, %edx
+        rorxl	$13, %r9d, %ecx
+        vpxor	%ymm8, %ymm9, %ymm9
+        # rnd_1: 3 - 3
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        xorl	%r15d, %ebx
+        vpshufb	%ymm12, %ymm9, %ymm9
+        # rnd_1: 4 - 4
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        vpaddd	%ymm4, %ymm9, %ymm3
+        # rnd_1: 5 - 5
+        xorl	%ecx, %edx
+        addl	%r8d, %r12d
+        movl	%r10d, %ebx
+        vpaddd	480+L_avx2_rorx_sha256_k(%rip), %ymm3, %ymm4
+        # rnd_1: 6 - 6
+        xorl	%r9d, %ebx
+        addl	%edx, %r8d
+        andl	%ebx, %eax
+        # rnd_1: 7 - 7
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        addl	%eax, %r8d
+        vmovdqu	%ymm4, 480(%rsp)
+        xorl	%eax, %eax
+        xorl	%ecx, %ecx
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	384(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	388(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	392(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	396(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	416(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	420(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	424(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	428(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	448(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	452(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	456(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	460(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	480(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	484(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	488(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	492(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        addl	%eax, %r8d
+        xorl	%ecx, %ecx
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        movl	%r9d, %ebx
+        xorl	%eax, %eax
+        xorl	%r10d, %ebx
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	16(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	20(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	24(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	28(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	48(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	52(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	56(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	60(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	80(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	84(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	88(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	92(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	112(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	116(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	120(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	124(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	144(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	148(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	152(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	156(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	176(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	180(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	184(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	188(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	208(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	212(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	216(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	220(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	240(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	244(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	248(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	252(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	272(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	276(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	280(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	284(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	304(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	308(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	312(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	316(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	336(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	340(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	344(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	348(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	368(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	372(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	376(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	380(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	400(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	404(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	408(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	412(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	432(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	436(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	440(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	444(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        rorxl	$6, %r12d, %edx
+        rorxl	$11, %r12d, %ecx
+        leal	(%r8,%rax,1), %r8d
+        addl	464(%rsp), %r15d
+        movl	%r13d, %eax
+        xorl	%edx, %ecx
+        xorl	%r14d, %eax
+        rorxl	$25, %r12d, %edx
+        xorl	%ecx, %edx
+        andl	%r12d, %eax
+        addl	%edx, %r15d
+        rorxl	$2, %r8d, %edx
+        rorxl	$13, %r8d, %ecx
+        xorl	%r14d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r8d, %edx
+        addl	%eax, %r15d
+        xorl	%ecx, %edx
+        movl	%r9d, %eax
+        addl	%r15d, %r11d
+        xorl	%r8d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r15d
+        xorl	%r9d, %ebx
+        rorxl	$6, %r11d, %edx
+        rorxl	$11, %r11d, %ecx
+        addl	%ebx, %r15d
+        addl	468(%rsp), %r14d
+        movl	%r12d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r13d, %ebx
+        rorxl	$25, %r11d, %edx
+        xorl	%ecx, %edx
+        andl	%r11d, %ebx
+        addl	%edx, %r14d
+        rorxl	$2, %r15d, %edx
+        rorxl	$13, %r15d, %ecx
+        xorl	%r13d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r15d, %edx
+        addl	%ebx, %r14d
+        xorl	%ecx, %edx
+        movl	%r8d, %ebx
+        leal	(%r10,%r14,1), %r10d
+        xorl	%r15d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r14d
+        xorl	%r8d, %eax
+        rorxl	$6, %r10d, %edx
+        rorxl	$11, %r10d, %ecx
+        leal	(%r14,%rax,1), %r14d
+        addl	472(%rsp), %r13d
+        movl	%r11d, %eax
+        xorl	%edx, %ecx
+        xorl	%r12d, %eax
+        rorxl	$25, %r10d, %edx
+        xorl	%ecx, %edx
+        andl	%r10d, %eax
+        addl	%edx, %r13d
+        rorxl	$2, %r14d, %edx
+        rorxl	$13, %r14d, %ecx
+        xorl	%r12d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r14d, %edx
+        addl	%eax, %r13d
+        xorl	%ecx, %edx
+        movl	%r15d, %eax
+        addl	%r13d, %r9d
+        xorl	%r14d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r13d
+        xorl	%r15d, %ebx
+        rorxl	$6, %r9d, %edx
+        rorxl	$11, %r9d, %ecx
+        addl	%ebx, %r13d
+        addl	476(%rsp), %r12d
+        movl	%r10d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r11d, %ebx
+        rorxl	$25, %r9d, %edx
+        xorl	%ecx, %edx
+        andl	%r9d, %ebx
+        addl	%edx, %r12d
+        rorxl	$2, %r13d, %edx
+        rorxl	$13, %r13d, %ecx
+        xorl	%r11d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r13d, %edx
+        addl	%ebx, %r12d
+        xorl	%ecx, %edx
+        movl	%r14d, %ebx
+        leal	(%r8,%r12,1), %r8d
+        xorl	%r13d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r12d
+        xorl	%r14d, %eax
+        rorxl	$6, %r8d, %edx
+        rorxl	$11, %r8d, %ecx
+        leal	(%r12,%rax,1), %r12d
+        addl	496(%rsp), %r11d
+        movl	%r9d, %eax
+        xorl	%edx, %ecx
+        xorl	%r10d, %eax
+        rorxl	$25, %r8d, %edx
+        xorl	%ecx, %edx
+        andl	%r8d, %eax
+        addl	%edx, %r11d
+        rorxl	$2, %r12d, %edx
+        rorxl	$13, %r12d, %ecx
+        xorl	%r10d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r12d, %edx
+        addl	%eax, %r11d
+        xorl	%ecx, %edx
+        movl	%r13d, %eax
+        addl	%r11d, %r15d
+        xorl	%r12d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r11d
+        xorl	%r13d, %ebx
+        rorxl	$6, %r15d, %edx
+        rorxl	$11, %r15d, %ecx
+        addl	%ebx, %r11d
+        addl	500(%rsp), %r10d
+        movl	%r8d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r9d, %ebx
+        rorxl	$25, %r15d, %edx
+        xorl	%ecx, %edx
+        andl	%r15d, %ebx
+        addl	%edx, %r10d
+        rorxl	$2, %r11d, %edx
+        rorxl	$13, %r11d, %ecx
+        xorl	%r9d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r11d, %edx
+        addl	%ebx, %r10d
+        xorl	%ecx, %edx
+        movl	%r12d, %ebx
+        leal	(%r14,%r10,1), %r14d
+        xorl	%r11d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r10d
+        xorl	%r12d, %eax
+        rorxl	$6, %r14d, %edx
+        rorxl	$11, %r14d, %ecx
+        leal	(%r10,%rax,1), %r10d
+        addl	504(%rsp), %r9d
+        movl	%r15d, %eax
+        xorl	%edx, %ecx
+        xorl	%r8d, %eax
+        rorxl	$25, %r14d, %edx
+        xorl	%ecx, %edx
+        andl	%r14d, %eax
+        addl	%edx, %r9d
+        rorxl	$2, %r10d, %edx
+        rorxl	$13, %r10d, %ecx
+        xorl	%r8d, %eax
+        xorl	%edx, %ecx
+        rorxl	$22, %r10d, %edx
+        addl	%eax, %r9d
+        xorl	%ecx, %edx
+        movl	%r11d, %eax
+        addl	%r9d, %r13d
+        xorl	%r10d, %eax
+        andl	%eax, %ebx
+        addl	%edx, %r9d
+        xorl	%r11d, %ebx
+        rorxl	$6, %r13d, %edx
+        rorxl	$11, %r13d, %ecx
+        addl	%ebx, %r9d
+        addl	508(%rsp), %r8d
+        movl	%r14d, %ebx
+        xorl	%edx, %ecx
+        xorl	%r15d, %ebx
+        rorxl	$25, %r13d, %edx
+        xorl	%ecx, %edx
+        andl	%r13d, %ebx
+        addl	%edx, %r8d
+        rorxl	$2, %r9d, %edx
+        rorxl	$13, %r9d, %ecx
+        xorl	%r15d, %ebx
+        xorl	%edx, %ecx
+        rorxl	$22, %r9d, %edx
+        addl	%ebx, %r8d
+        xorl	%ecx, %edx
+        movl	%r10d, %ebx
+        leal	(%r12,%r8,1), %r12d
+        xorl	%r9d, %ebx
+        andl	%ebx, %eax
+        addl	%edx, %r8d
+        xorl	%r10d, %eax
+        addl	%eax, %r8d
+        addq	$0x80, %rbp
+        addl	(%rdi), %r8d
+        addl	4(%rdi), %r9d
+        addl	8(%rdi), %r10d
+        addl	12(%rdi), %r11d
+        addl	16(%rdi), %r12d
+        addl	20(%rdi), %r13d
+        addl	24(%rdi), %r14d
+        addl	28(%rdi), %r15d
+        subl	$0x80, %esi
+        movl	%r8d, (%rdi)
+        movl	%r9d, 4(%rdi)
+        movl	%r10d, 8(%rdi)
+        movl	%r11d, 12(%rdi)
+        movl	%r12d, 16(%rdi)
+        movl	%r13d, 20(%rdi)
+        movl	%r14d, 24(%rdi)
+        movl	%r15d, 28(%rdi)
+        jnz	L_sha256_len_avx2_rorx_start
+L_sha256_len_avx2_rorx_done:
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x200, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha256_AVX2_RORX_Len,.-Transform_Sha256_AVX2_RORX_Len
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha3.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha3.c
new file mode 100644
index 000000000..3a0c8ddbb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha3.c
@@ -0,0 +1,1216 @@
+/* sha3.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_XILINX_CRYPT) && \
+   !defined(WOLFSSL_AFALG_XILINX_SHA3)
+
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
+
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$l")
+        #pragma const_seg(".fipsB$l")
+    #endif
+#endif
+
+#include <wolfssl/wolfcrypt/sha3.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hash.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+
+#ifdef WOLFSSL_SHA3_SMALL
+/* Rotate a 64-bit value left.
+ *
+ * a  Number to rotate left.
+ * r  Number od bits to rotate left.
+ * returns the rotated number.
+ */
+#define ROTL64(a, n)    (((a)<<(n))|((a)>>(64-(n))))
+
+/* An array of values to XOR for block operation. */
+static const word64 hash_keccak_r[24] =
+{
+    0x0000000000000001UL, 0x0000000000008082UL,
+    0x800000000000808aUL, 0x8000000080008000UL,
+    0x000000000000808bUL, 0x0000000080000001UL,
+    0x8000000080008081UL, 0x8000000000008009UL,
+    0x000000000000008aUL, 0x0000000000000088UL,
+    0x0000000080008009UL, 0x000000008000000aUL,
+    0x000000008000808bUL, 0x800000000000008bUL,
+    0x8000000000008089UL, 0x8000000000008003UL,
+    0x8000000000008002UL, 0x8000000000000080UL,
+    0x000000000000800aUL, 0x800000008000000aUL,
+    0x8000000080008081UL, 0x8000000000008080UL,
+    0x0000000080000001UL, 0x8000000080008008UL
+};
+
+/* Indices used in swap and rotate operation. */
+#define K_I_0   10
+#define K_I_1    7
+#define K_I_2   11
+#define K_I_3   17
+#define K_I_4   18
+#define K_I_5    3
+#define K_I_6    5
+#define K_I_7   16
+#define K_I_8    8
+#define K_I_9   21
+#define K_I_10  24
+#define K_I_11   4
+#define K_I_12  15
+#define K_I_13  23
+#define K_I_14  19
+#define K_I_15  13
+#define K_I_16  12
+#define K_I_17   2
+#define K_I_18  20
+#define K_I_19  14
+#define K_I_20  22
+#define K_I_21   9
+#define K_I_22   6
+#define K_I_23   1
+
+/* Number of bits to rotate in swap and rotate operation. */
+#define K_R_0    1
+#define K_R_1    3
+#define K_R_2    6
+#define K_R_3   10
+#define K_R_4   15
+#define K_R_5   21
+#define K_R_6   28
+#define K_R_7   36
+#define K_R_8   45
+#define K_R_9   55
+#define K_R_10   2
+#define K_R_11  14
+#define K_R_12  27
+#define K_R_13  41
+#define K_R_14  56
+#define K_R_15   8
+#define K_R_16  25
+#define K_R_17  43
+#define K_R_18  62
+#define K_R_19  18
+#define K_R_20  39
+#define K_R_21  61
+#define K_R_22  20
+#define K_R_23  44
+
+/* Swap and rotate left operation.
+ *
+ * s   The state.
+ * t1  Temporary value.
+ * t2  Second temporary value.
+ * i   The index of the loop.
+ */
+#define SWAP_ROTL(s, t1, t2, i)                                         \
+do                                                                      \
+{                                                                       \
+    t2 = s[K_I_##i]; s[K_I_##i] = ROTL64(t1, K_R_##i);                  \
+}                                                                       \
+while (0)
+
+/* Mix the XOR of the column's values into each number by column.
+ *
+ * s  The state.
+ * b  Temporary array of XORed column values.
+ * x  The index of the column.
+ * t  Temporary variable.
+ */
+#define COL_MIX(s, b, x, t)                                             \
+do                                                                      \
+{                                                                       \
+    for (x = 0; x < 5; x++)                                             \
+        b[x] = s[x + 0] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]; \
+    for (x = 0; x < 5; x++)                                             \
+    {                                                                   \
+        t = b[(x + 4) % 5] ^ ROTL64(b[(x + 1) % 5], 1);                 \
+        s[x +  0] ^= t;                                                 \
+        s[x +  5] ^= t;                                                 \
+        s[x + 10] ^= t;                                                 \
+        s[x + 15] ^= t;                                                 \
+        s[x + 20] ^= t;                                                 \
+    }                                                                   \
+}                                                                       \
+while (0)
+
+#ifdef SHA3_BY_SPEC
+/* Mix the row values.
+ * BMI1 has ANDN instruction ((~a) & b) - Haswell and above.
+ *
+ * s   The state.
+ * b   Temporary array of XORed row values.
+ * y   The index of the row to work on.
+ * x   The index of the column.
+ * t0  Temporary variable.
+ * t1  Temporary variable.
+ */
+#define ROW_MIX(s, b, y, x, t0, t1)                                     \
+do                                                                      \
+{                                                                       \
+    for (y = 0; y < 5; y++)                                             \
+    {                                                                   \
+        for (x = 0; x < 5; x++)                                         \
+            b[x] = s[y * 5 + x];                                        \
+        for (x = 0; x < 5; x++)                                         \
+           s[y * 5 + x] = b[x] ^ (~b[(x + 1) % 5] & b[(x + 2) % 5]);    \
+    }                                                                   \
+}                                                                       \
+while (0)
+#else
+/* Mix the row values.
+ * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c)
+ *
+ * s   The state.
+ * b   Temporary array of XORed row values.
+ * y   The index of the row to work on.
+ * x   The index of the column.
+ * t0  Temporary variable.
+ * t1  Temporary variable.
+ */
+#define ROW_MIX(s, b, y, x, t12, t34)                                   \
+do                                                                      \
+{                                                                       \
+    for (y = 0; y < 5; y++)                                             \
+    {                                                                   \
+        for (x = 0; x < 5; x++)                                         \
+            b[x] = s[y * 5 + x];                                        \
+        t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]);                       \
+        s[y * 5 + 0] = b[0] ^ (b[2] &  t12);                            \
+        s[y * 5 + 1] =  t12 ^ (b[2] | b[3]);                            \
+        s[y * 5 + 2] = b[2] ^ (b[4] &  t34);                            \
+        s[y * 5 + 3] =  t34 ^ (b[4] | b[0]);                            \
+        s[y * 5 + 4] = b[4] ^ (b[1] & (b[0] ^ b[1]));                   \
+    }                                                                   \
+}                                                                       \
+while (0)
+#endif /* SHA3_BY_SPEC */
+
+/* The block operation performed on the state.
+ *
+ * s  The state.
+ */
+static void BlockSha3(word64 *s)
+{
+    byte i, x, y;
+    word64 t0, t1;
+    word64 b[5];
+
+    for (i = 0; i < 24; i++)
+    {
+        COL_MIX(s, b, x, t0);
+
+        t0 = s[1];
+        SWAP_ROTL(s, t0, t1,  0);
+        SWAP_ROTL(s, t1, t0,  1);
+        SWAP_ROTL(s, t0, t1,  2);
+        SWAP_ROTL(s, t1, t0,  3);
+        SWAP_ROTL(s, t0, t1,  4);
+        SWAP_ROTL(s, t1, t0,  5);
+        SWAP_ROTL(s, t0, t1,  6);
+        SWAP_ROTL(s, t1, t0,  7);
+        SWAP_ROTL(s, t0, t1,  8);
+        SWAP_ROTL(s, t1, t0,  9);
+        SWAP_ROTL(s, t0, t1, 10);
+        SWAP_ROTL(s, t1, t0, 11);
+        SWAP_ROTL(s, t0, t1, 12);
+        SWAP_ROTL(s, t1, t0, 13);
+        SWAP_ROTL(s, t0, t1, 14);
+        SWAP_ROTL(s, t1, t0, 15);
+        SWAP_ROTL(s, t0, t1, 16);
+        SWAP_ROTL(s, t1, t0, 17);
+        SWAP_ROTL(s, t0, t1, 18);
+        SWAP_ROTL(s, t1, t0, 19);
+        SWAP_ROTL(s, t0, t1, 20);
+        SWAP_ROTL(s, t1, t0, 21);
+        SWAP_ROTL(s, t0, t1, 22);
+        SWAP_ROTL(s, t1, t0, 23);
+
+        ROW_MIX(s, b, y, x, t0, t1);
+
+        s[0] ^= hash_keccak_r[i];
+    }
+}
+#else
+/* Rotate a 64-bit value left.
+ *
+ * a  Number to rotate left.
+ * r  Number od bits to rotate left.
+ * returns the rotated number.
+ */
+#define ROTL64(a, n)    (((a)<<(n))|((a)>>(64-(n))))
+
+/* An array of values to XOR for block operation. */
+static const word64 hash_keccak_r[24] =
+{
+    0x0000000000000001UL, 0x0000000000008082UL,
+    0x800000000000808aUL, 0x8000000080008000UL,
+    0x000000000000808bUL, 0x0000000080000001UL,
+    0x8000000080008081UL, 0x8000000000008009UL,
+    0x000000000000008aUL, 0x0000000000000088UL,
+    0x0000000080008009UL, 0x000000008000000aUL,
+    0x000000008000808bUL, 0x800000000000008bUL,
+    0x8000000000008089UL, 0x8000000000008003UL,
+    0x8000000000008002UL, 0x8000000000000080UL,
+    0x000000000000800aUL, 0x800000008000000aUL,
+    0x8000000080008081UL, 0x8000000000008080UL,
+    0x0000000080000001UL, 0x8000000080008008UL
+};
+
+/* Indices used in swap and rotate operation. */
+#define KI_0     6
+#define KI_1    12
+#define KI_2    18
+#define KI_3    24
+#define KI_4     3
+#define KI_5     9
+#define KI_6    10
+#define KI_7    16
+#define KI_8    22
+#define KI_9     1
+#define KI_10    7
+#define KI_11   13
+#define KI_12   19
+#define KI_13   20
+#define KI_14    4
+#define KI_15    5
+#define KI_16   11
+#define KI_17   17
+#define KI_18   23
+#define KI_19    2
+#define KI_20    8
+#define KI_21   14
+#define KI_22   15
+#define KI_23   21
+
+/* Number of bits to rotate in swap and rotate operation. */
+#define KR_0    44
+#define KR_1    43
+#define KR_2    21
+#define KR_3    14
+#define KR_4    28
+#define KR_5    20
+#define KR_6     3
+#define KR_7    45
+#define KR_8    61
+#define KR_9     1
+#define KR_10    6
+#define KR_11   25
+#define KR_12    8
+#define KR_13   18
+#define KR_14   27
+#define KR_15   36
+#define KR_16   10
+#define KR_17   15
+#define KR_18   56
+#define KR_19   62
+#define KR_20   55
+#define KR_21   39
+#define KR_22   41
+#define KR_23    2
+
+/* Mix the XOR of the column's values into each number by column.
+ *
+ * s  The state.
+ * b  Temporary array of XORed column values.
+ * x  The index of the column.
+ * t  Temporary variable.
+ */
+#define COL_MIX(s, b, x, t)                                     \
+do                                                              \
+{                                                               \
+    b[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20];                 \
+    b[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21];                 \
+    b[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22];                 \
+    b[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23];                 \
+    b[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24];                 \
+    t = b[(0 + 4) % 5] ^ ROTL64(b[(0 + 1) % 5], 1);             \
+    s[ 0] ^= t; s[ 5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t; \
+    t = b[(1 + 4) % 5] ^ ROTL64(b[(1 + 1) % 5], 1);             \
+    s[ 1] ^= t; s[ 6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t; \
+    t = b[(2 + 4) % 5] ^ ROTL64(b[(2 + 1) % 5], 1);             \
+    s[ 2] ^= t; s[ 7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t; \
+    t = b[(3 + 4) % 5] ^ ROTL64(b[(3 + 1) % 5], 1);             \
+    s[ 3] ^= t; s[ 8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t; \
+    t = b[(4 + 4) % 5] ^ ROTL64(b[(4 + 1) % 5], 1);             \
+    s[ 4] ^= t; s[ 9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t; \
+}                                                               \
+while (0)
+
+#define S(s1, i) ROTL64(s1[KI_##i], KR_##i)
+
+#ifdef SHA3_BY_SPEC
+/* Mix the row values.
+ * BMI1 has ANDN instruction ((~a) & b) - Haswell and above.
+ *
+ * s2  The new state.
+ * s1  The current state.
+ * b   Temporary array of XORed row values.
+ * t0  Temporary variable. (Unused)
+ * t1  Temporary variable. (Unused)
+ */
+#define ROW_MIX(s2, s1, b, t0, t1)            \
+do                                            \
+{                                             \
+    b[0] = s1[0];                             \
+    b[1] = S(s1, 0);                          \
+    b[2] = S(s1, 1);                          \
+    b[3] = S(s1, 2);                          \
+    b[4] = S(s1, 3);                          \
+    s2[0] = b[0] ^ (~b[1] & b[2]);            \
+    s2[1] = b[1] ^ (~b[2] & b[3]);            \
+    s2[2] = b[2] ^ (~b[3] & b[4]);            \
+    s2[3] = b[3] ^ (~b[4] & b[0]);            \
+    s2[4] = b[4] ^ (~b[0] & b[1]);            \
+    b[0] = S(s1, 4);                          \
+    b[1] = S(s1, 5);                          \
+    b[2] = S(s1, 6);                          \
+    b[3] = S(s1, 7);                          \
+    b[4] = S(s1, 8);                          \
+    s2[5] = b[0] ^ (~b[1] & b[2]);            \
+    s2[6] = b[1] ^ (~b[2] & b[3]);            \
+    s2[7] = b[2] ^ (~b[3] & b[4]);            \
+    s2[8] = b[3] ^ (~b[4] & b[0]);            \
+    s2[9] = b[4] ^ (~b[0] & b[1]);            \
+    b[0] = S(s1, 9);                          \
+    b[1] = S(s1, 10);                         \
+    b[2] = S(s1, 11);                         \
+    b[3] = S(s1, 12);                         \
+    b[4] = S(s1, 13);                         \
+    s2[10] = b[0] ^ (~b[1] & b[2]);           \
+    s2[11] = b[1] ^ (~b[2] & b[3]);           \
+    s2[12] = b[2] ^ (~b[3] & b[4]);           \
+    s2[13] = b[3] ^ (~b[4] & b[0]);           \
+    s2[14] = b[4] ^ (~b[0] & b[1]);           \
+    b[0] = S(s1, 14);                         \
+    b[1] = S(s1, 15);                         \
+    b[2] = S(s1, 16);                         \
+    b[3] = S(s1, 17);                         \
+    b[4] = S(s1, 18);                         \
+    s2[15] = b[0] ^ (~b[1] & b[2]);           \
+    s2[16] = b[1] ^ (~b[2] & b[3]);           \
+    s2[17] = b[2] ^ (~b[3] & b[4]);           \
+    s2[18] = b[3] ^ (~b[4] & b[0]);           \
+    s2[19] = b[4] ^ (~b[0] & b[1]);           \
+    b[0] = S(s1, 19);                         \
+    b[1] = S(s1, 20);                         \
+    b[2] = S(s1, 21);                         \
+    b[3] = S(s1, 22);                         \
+    b[4] = S(s1, 23);                         \
+    s2[20] = b[0] ^ (~b[1] & b[2]);           \
+    s2[21] = b[1] ^ (~b[2] & b[3]);           \
+    s2[22] = b[2] ^ (~b[3] & b[4]);           \
+    s2[23] = b[3] ^ (~b[4] & b[0]);           \
+    s2[24] = b[4] ^ (~b[0] & b[1]);           \
+}                                             \
+while (0)
+#else
+/* Mix the row values.
+ * a ^ (~b & c) == a ^ (c & (b ^ c)) == (a ^ b) ^ (b | c)
+ *
+ * s2  The new state.
+ * s1  The current state.
+ * b   Temporary array of XORed row values.
+ * t12 Temporary variable.
+ * t34 Temporary variable.
+ */
+#define ROW_MIX(s2, s1, b, t12, t34)          \
+do                                            \
+{                                             \
+    b[0] = s1[0];                             \
+    b[1] = S(s1, 0);                          \
+    b[2] = S(s1, 1);                          \
+    b[3] = S(s1, 2);                          \
+    b[4] = S(s1, 3);                          \
+    t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \
+    s2[0] = b[0] ^ (b[2] &  t12);             \
+    s2[1] =  t12 ^ (b[2] | b[3]);             \
+    s2[2] = b[2] ^ (b[4] &  t34);             \
+    s2[3] =  t34 ^ (b[4] | b[0]);             \
+    s2[4] = b[4] ^ (b[1] & (b[0] ^ b[1]));    \
+    b[0] = S(s1, 4);                          \
+    b[1] = S(s1, 5);                          \
+    b[2] = S(s1, 6);                          \
+    b[3] = S(s1, 7);                          \
+    b[4] = S(s1, 8);                          \
+    t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \
+    s2[5] = b[0] ^ (b[2] &  t12);             \
+    s2[6] =  t12 ^ (b[2] | b[3]);             \
+    s2[7] = b[2] ^ (b[4] &  t34);             \
+    s2[8] =  t34 ^ (b[4] | b[0]);             \
+    s2[9] = b[4] ^ (b[1] & (b[0] ^ b[1]));    \
+    b[0] = S(s1, 9);                          \
+    b[1] = S(s1, 10);                         \
+    b[2] = S(s1, 11);                         \
+    b[3] = S(s1, 12);                         \
+    b[4] = S(s1, 13);                         \
+    t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \
+    s2[10] = b[0] ^ (b[2] &  t12);            \
+    s2[11] =  t12 ^ (b[2] | b[3]);            \
+    s2[12] = b[2] ^ (b[4] &  t34);            \
+    s2[13] =  t34 ^ (b[4] | b[0]);            \
+    s2[14] = b[4] ^ (b[1] & (b[0] ^ b[1]));   \
+    b[0] = S(s1, 14);                         \
+    b[1] = S(s1, 15);                         \
+    b[2] = S(s1, 16);                         \
+    b[3] = S(s1, 17);                         \
+    b[4] = S(s1, 18);                         \
+    t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \
+    s2[15] = b[0] ^ (b[2] &  t12);            \
+    s2[16] =  t12 ^ (b[2] | b[3]);            \
+    s2[17] = b[2] ^ (b[4] &  t34);            \
+    s2[18] =  t34 ^ (b[4] | b[0]);            \
+    s2[19] = b[4] ^ (b[1] & (b[0] ^ b[1]));   \
+    b[0] = S(s1, 19);                         \
+    b[1] = S(s1, 20);                         \
+    b[2] = S(s1, 21);                         \
+    b[3] = S(s1, 22);                         \
+    b[4] = S(s1, 23);                         \
+    t12 = (b[1] ^ b[2]); t34 = (b[3] ^ b[4]); \
+    s2[20] = b[0] ^ (b[2] &  t12);            \
+    s2[21] =  t12 ^ (b[2] | b[3]);            \
+    s2[22] = b[2] ^ (b[4] &  t34);            \
+    s2[23] =  t34 ^ (b[4] | b[0]);            \
+    s2[24] = b[4] ^ (b[1] & (b[0] ^ b[1]));   \
+}                                             \
+while (0)
+#endif /* SHA3_BY_SPEC */
+
+/* The block operation performed on the state.
+ *
+ * s  The state.
+ */
+static void BlockSha3(word64 *s)
+{
+    word64 n[25];
+    word64 b[5];
+    word64 t0;
+#ifndef SHA3_BY_SPEC
+    word64 t1;
+#endif
+    byte i;
+
+    for (i = 0; i < 24; i += 2)
+    {
+        COL_MIX(s, b, x, t0);
+        ROW_MIX(n, s, b, t0, t1);
+        n[0] ^= hash_keccak_r[i];
+
+        COL_MIX(n, b, x, t0);
+        ROW_MIX(s, n, b, t0, t1);
+        s[0] ^= hash_keccak_r[i+1];
+    }
+}
+#endif /* WOLFSSL_SHA3_SMALL */
+
+/* Convert the array of bytes, in little-endian order, to a 64-bit integer.
+ *
+ * a  Array of bytes.
+ * returns a 64-bit integer.
+ */
+static word64 Load64BitBigEndian(const byte* a)
+{
+#ifdef BIG_ENDIAN_ORDER
+    word64 n = 0;
+    int i;
+
+    for (i = 0; i < 8; i++)
+        n |= (word64)a[i] << (8 * i);
+
+    return n;
+#else
+    return *(word64*)a;
+#endif
+}
+
+/* Initialize the state for a SHA3-224 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+static int InitSha3(wc_Sha3* sha3)
+{
+    int i;
+
+    for (i = 0; i < 25; i++)
+        sha3->s[i] = 0;
+    sha3->i = 0;
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    sha3->flags = 0;
+#endif
+
+    return 0;
+}
+
+/* Update the SHA-3 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * p     Number of 64-bit numbers in a block of data to process.
+ * returns 0 on success.
+ */
+static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p)
+{
+    byte i;
+    byte l;
+    byte *t;
+
+    if (sha3->i > 0)
+    {
+        l = p * 8 - sha3->i;
+        if (l > len) {
+            l = (byte)len;
+        }
+
+        t = &sha3->t[sha3->i];
+        for (i = 0; i < l; i++)
+            t[i] = data[i];
+        data += i;
+        len -= i;
+        sha3->i += i;
+
+        if (sha3->i == p * 8)
+        {
+            for (i = 0; i < p; i++)
+                sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i);
+            BlockSha3(sha3->s);
+            sha3->i = 0;
+        }
+    }
+    while (len >= ((word32)(p * 8)))
+    {
+        for (i = 0; i < p; i++)
+            sha3->s[i] ^= Load64BitBigEndian(data + 8 * i);
+        BlockSha3(sha3->s);
+        len -= p * 8;
+        data += p * 8;
+    }
+    for (i = 0; i < len; i++)
+        sha3->t[i] = data[i];
+    sha3->i += i;
+
+    return 0;
+}
+
+/* Calculate the SHA-3 hash based on all the message data seen.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result.
+ * p     Number of 64-bit numbers in a block of data to process.
+ * len   Number of bytes in output.
+ * returns 0 on success.
+ */
+static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, byte l)
+{
+    byte i;
+    byte *s8 = (byte *)sha3->s;
+
+    sha3->t[p * 8 - 1]  = 0x00;
+#ifdef WOLFSSL_HASH_FLAGS
+    if (p == WC_SHA3_256_COUNT && sha3->flags & WC_HASH_SHA3_KECCAK256) {
+        padChar = 0x01;
+    }
+#endif
+    sha3->t[  sha3->i]  = padChar;
+    sha3->t[p * 8 - 1] |= 0x80;
+    for (i=sha3->i + 1; i < p * 8 - 1; i++)
+        sha3->t[i] = 0;
+    for (i = 0; i < p; i++)
+        sha3->s[i] ^= Load64BitBigEndian(sha3->t + 8 * i);
+    BlockSha3(sha3->s);
+#if defined(BIG_ENDIAN_ORDER)
+    ByteReverseWords64(sha3->s, sha3->s, ((l+7)/8)*8);
+#endif
+    for (i = 0; i < l; i++)
+        hash[i] = s8[i];
+
+    return 0;
+}
+
+/* Initialize the state for a SHA-3 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+static int wc_InitSha3(wc_Sha3* sha3, void* heap, int devId)
+{
+    int ret = 0;
+
+    if (sha3 == NULL)
+        return BAD_FUNC_ARG;
+
+    sha3->heap = heap;
+    ret = InitSha3(sha3);
+    if (ret != 0)
+        return ret;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
+    ret = wolfAsync_DevCtxInit(&sha3->asyncDev,
+                        WOLFSSL_ASYNC_MARKER_SHA3, sha3->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    return ret;
+}
+
+/* Update the SHA-3 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * p     Number of 64-bit numbers in a block of data to process.
+ * returns 0 on success.
+ */
+static int wc_Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p)
+{
+    int ret;
+
+    if (sha3 == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
+    if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) {
+    #if defined(HAVE_INTEL_QA) && defined(QAT_V2)
+        /* QAT only supports SHA3_256 */
+        if (p == WC_SHA3_256_COUNT) {
+            ret = IntelQaSymSha3(&sha3->asyncDev, NULL, data, len);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    ret = Sha3Update(sha3, data, len, p);
+
+    return ret;
+}
+
+/* Calculate the SHA-3 hash based on all the message data seen.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result.
+ * p     Number of 64-bit numbers in a block of data to process.
+ * len   Number of bytes in output.
+ * returns 0 on success.
+ */
+static int wc_Sha3Final(wc_Sha3* sha3, byte* hash, byte p, byte len)
+{
+    int ret;
+
+    if (sha3 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
+    if (sha3->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA3) {
+    #if defined(HAVE_INTEL_QA) && defined(QAT_V2)
+        /* QAT only supports SHA3_256 */
+        /* QAT SHA-3 only supported on v2 (8970 or later cards) */
+        if (len == WC_SHA3_256_DIGEST_SIZE) {
+            ret = IntelQaSymSha3(&sha3->asyncDev, hash, NULL, len);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+            /* fall-through when unavailable */
+        }
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    ret = Sha3Final(sha3, 0x06, hash, p, len);
+    if (ret != 0)
+        return ret;
+
+    return InitSha3(sha3);  /* reset state */
+}
+
+/* Dispose of any dynamically allocated data from the SHA3-384 operation.
+ * (Required for async ops.)
+ *
+ * sha3  wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+static void wc_Sha3Free(wc_Sha3* sha3)
+{
+    (void)sha3;
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA3)
+    if (sha3 == NULL)
+        return;
+
+    wolfAsync_DevCtxFree(&sha3->asyncDev, WOLFSSL_ASYNC_MARKER_SHA3);
+#endif /* WOLFSSL_ASYNC_CRYPT */
+}
+
+
+/* Copy the state of the SHA3 operation.
+ *
+ * src  wc_Sha3 object holding state top copy.
+ * dst  wc_Sha3 object to copy into.
+ * returns 0 on success.
+ */
+static int wc_Sha3Copy(wc_Sha3* src, wc_Sha3* dst)
+{
+    int ret = 0;
+
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    XMEMCPY(dst, src, sizeof(wc_Sha3));
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+     dst->flags |= WC_HASH_FLAG_ISCOPY;
+#endif
+
+    return ret;
+}
+
+/* Calculate the SHA3-224 hash based on all the message data so far.
+ * More message data can be added, after this operation, using the current
+ * state.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 28 bytes.
+ * p     Number of 64-bit numbers in a block of data to process.
+ * len   Number of bytes in output.
+ * returns 0 on success.
+ */
+static int wc_Sha3GetHash(wc_Sha3* sha3, byte* hash, byte p, byte len)
+{
+    int ret;
+    wc_Sha3 tmpSha3;
+
+    if (sha3 == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
+
+    ret = wc_Sha3Copy(sha3, &tmpSha3);
+    if (ret == 0) {
+        ret = wc_Sha3Final(&tmpSha3, hash, p, len);
+    }
+    return ret;
+}
+
+
+/* Initialize the state for a SHA3-224 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+int wc_InitSha3_224(wc_Sha3* sha3, void* heap, int devId)
+{
+    return wc_InitSha3(sha3, heap, devId);
+}
+
+/* Update the SHA3-224 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * returns 0 on success.
+ */
+int wc_Sha3_224_Update(wc_Sha3* sha3, const byte* data, word32 len)
+{
+    return wc_Sha3Update(sha3, data, len, WC_SHA3_224_COUNT);
+}
+
+/* Calculate the SHA3-224 hash based on all the message data seen.
+ * The state is initialized ready for a new message to hash.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 28 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_224_Final(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3Final(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE);
+}
+
+/* Dispose of any dynamically allocated data from the SHA3-224 operation.
+ * (Required for async ops.)
+ *
+ * sha3  wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+void wc_Sha3_224_Free(wc_Sha3* sha3)
+{
+    wc_Sha3Free(sha3);
+}
+
+/* Calculate the SHA3-224 hash based on all the message data so far.
+ * More message data can be added, after this operation, using the current
+ * state.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 28 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_224_GetHash(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3GetHash(sha3, hash, WC_SHA3_224_COUNT, WC_SHA3_224_DIGEST_SIZE);
+}
+
+/* Copy the state of the SHA3-224 operation.
+ *
+ * src  wc_Sha3 object holding state top copy.
+ * dst  wc_Sha3 object to copy into.
+ * returns 0 on success.
+ */
+int wc_Sha3_224_Copy(wc_Sha3* src, wc_Sha3* dst)
+{
+    return wc_Sha3Copy(src, dst);
+}
+
+
+/* Initialize the state for a SHA3-256 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+int wc_InitSha3_256(wc_Sha3* sha3, void* heap, int devId)
+{
+    return wc_InitSha3(sha3, heap, devId);
+}
+
+/* Update the SHA3-256 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * returns 0 on success.
+ */
+int wc_Sha3_256_Update(wc_Sha3* sha3, const byte* data, word32 len)
+{
+    return wc_Sha3Update(sha3, data, len, WC_SHA3_256_COUNT);
+}
+
+/* Calculate the SHA3-256 hash based on all the message data seen.
+ * The state is initialized ready for a new message to hash.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 32 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_256_Final(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3Final(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE);
+}
+
+/* Dispose of any dynamically allocated data from the SHA3-256 operation.
+ * (Required for async ops.)
+ *
+ * sha3  wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+void wc_Sha3_256_Free(wc_Sha3* sha3)
+{
+    wc_Sha3Free(sha3);
+}
+
+/* Calculate the SHA3-256 hash based on all the message data so far.
+ * More message data can be added, after this operation, using the current
+ * state.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 32 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_256_GetHash(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3GetHash(sha3, hash, WC_SHA3_256_COUNT, WC_SHA3_256_DIGEST_SIZE);
+}
+
+/* Copy the state of the SHA3-256 operation.
+ *
+ * src  wc_Sha3 object holding state top copy.
+ * dst  wc_Sha3 object to copy into.
+ * returns 0 on success.
+ */
+int wc_Sha3_256_Copy(wc_Sha3* src, wc_Sha3* dst)
+{
+    return wc_Sha3Copy(src, dst);
+}
+
+
+/* Initialize the state for a SHA3-384 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+int wc_InitSha3_384(wc_Sha3* sha3, void* heap, int devId)
+{
+    return wc_InitSha3(sha3, heap, devId);
+}
+
+/* Update the SHA3-384 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * returns 0 on success.
+ */
+int wc_Sha3_384_Update(wc_Sha3* sha3, const byte* data, word32 len)
+{
+    return wc_Sha3Update(sha3, data, len, WC_SHA3_384_COUNT);
+}
+
+/* Calculate the SHA3-384 hash based on all the message data seen.
+ * The state is initialized ready for a new message to hash.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 48 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_384_Final(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3Final(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE);
+}
+
+/* Dispose of any dynamically allocated data from the SHA3-384 operation.
+ * (Required for async ops.)
+ *
+ * sha3  wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+void wc_Sha3_384_Free(wc_Sha3* sha3)
+{
+    wc_Sha3Free(sha3);
+}
+
+/* Calculate the SHA3-384 hash based on all the message data so far.
+ * More message data can be added, after this operation, using the current
+ * state.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 48 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_384_GetHash(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3GetHash(sha3, hash, WC_SHA3_384_COUNT, WC_SHA3_384_DIGEST_SIZE);
+}
+
+/* Copy the state of the SHA3-384 operation.
+ *
+ * src  wc_Sha3 object holding state top copy.
+ * dst  wc_Sha3 object to copy into.
+ * returns 0 on success.
+ */
+int wc_Sha3_384_Copy(wc_Sha3* src, wc_Sha3* dst)
+{
+    return wc_Sha3Copy(src, dst);
+}
+
+
+/* Initialize the state for a SHA3-512 hash operation.
+ *
+ * sha3   wc_Sha3 object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+int wc_InitSha3_512(wc_Sha3* sha3, void* heap, int devId)
+{
+    return wc_InitSha3(sha3, heap, devId);
+}
+
+/* Update the SHA3-512 hash state with message data.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * returns 0 on success.
+ */
+int wc_Sha3_512_Update(wc_Sha3* sha3, const byte* data, word32 len)
+{
+    return wc_Sha3Update(sha3, data, len, WC_SHA3_512_COUNT);
+}
+
+/* Calculate the SHA3-512 hash based on all the message data seen.
+ * The state is initialized ready for a new message to hash.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 64 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_512_Final(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3Final(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE);
+}
+
+/* Dispose of any dynamically allocated data from the SHA3-512 operation.
+ * (Required for async ops.)
+ *
+ * sha3  wc_Sha3 object holding state.
+ * returns 0 on success.
+ */
+void wc_Sha3_512_Free(wc_Sha3* sha3)
+{
+    wc_Sha3Free(sha3);
+}
+
+/* Calculate the SHA3-512 hash based on all the message data so far.
+ * More message data can be added, after this operation, using the current
+ * state.
+ *
+ * sha3  wc_Sha3 object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 64 bytes.
+ * returns 0 on success.
+ */
+int wc_Sha3_512_GetHash(wc_Sha3* sha3, byte* hash)
+{
+    return wc_Sha3GetHash(sha3, hash, WC_SHA3_512_COUNT, WC_SHA3_512_DIGEST_SIZE);
+}
+
+/* Copy the state of the SHA3-512 operation.
+ *
+ * src  wc_Sha3 object holding state top copy.
+ * dst  wc_Sha3 object to copy into.
+ * returns 0 on success.
+ */
+int wc_Sha3_512_Copy(wc_Sha3* src, wc_Sha3* dst)
+{
+    return wc_Sha3Copy(src, dst);
+}
+
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_Sha3_SetFlags(wc_Sha3* sha3, word32 flags)
+{
+    if (sha3) {
+        sha3->flags = flags;
+    }
+    return 0;
+}
+int wc_Sha3_GetFlags(wc_Sha3* sha3, word32* flags)
+{
+    if (sha3 && flags) {
+        *flags = sha3->flags;
+    }
+    return 0;
+}
+#endif
+
+#if defined(WOLFSSL_SHAKE256)
+/* Initialize the state for a Shake256 hash operation.
+ *
+ * shake  wc_Shake object holding state.
+ * heap   Heap reference for dynamic memory allocation. (Used in async ops.)
+ * devId  Device identifier for asynchronous operation.
+ * returns 0 on success.
+ */
+int wc_InitShake256(wc_Shake* shake, void* heap, int devId)
+{
+    return wc_InitSha3(shake, heap, devId);
+}
+
+/* Update the SHAKE256 hash state with message data.
+ *
+ * shake  wc_Shake object holding state.
+ * data  Message data to be hashed.
+ * len   Length of the message data.
+ * returns 0 on success.
+ */
+int wc_Shake256_Update(wc_Shake* shake, const byte* data, word32 len)
+{
+    if (shake == NULL || (data == NULL && len > 0)) {
+         return BAD_FUNC_ARG;
+    }
+
+    return Sha3Update(shake, data, len, WC_SHA3_256_COUNT);
+}
+
+/* Calculate the SHAKE256 hash based on all the message data seen.
+ * The state is initialized ready for a new message to hash.
+ *
+ * shake  wc_Shake object holding state.
+ * hash  Buffer to hold the hash result. Must be at least 64 bytes.
+ * returns 0 on success.
+ */
+int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen)
+{
+    int ret;
+
+    if (shake == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, hashLen);
+    if (ret != 0)
+        return ret;
+
+    return InitSha3(shake);  /* reset state */
+}
+
+/* Dispose of any dynamically allocated data from the SHAKE256 operation.
+ * (Required for async ops.)
+ *
+ * shake  wc_Shake object holding state.
+ * returns 0 on success.
+ */
+void wc_Shake256_Free(wc_Shake* shake)
+{
+    wc_Sha3Free(shake);
+}
+
+/* Copy the state of the SHA3-512 operation.
+ *
+ * src  wc_Shake object holding state top copy.
+ * dst  wc_Shake object to copy into.
+ * returns 0 on success.
+ */
+int wc_Shake256_Copy(wc_Shake* src, wc_Shake* dst)
+{
+    return wc_Sha3Copy(src, dst);
+}
+#endif
+
+#endif /* WOLFSSL_SHA3 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512.c
index 8e52da909..0a648bf4a 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512.c
@@ -1,8 +1,8 @@
 /* sha512.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,441 +16,504 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
-#include <wolfssl/wolfcrypt/sha512.h>
 
-#ifdef WOLFSSL_SHA512
+#if (defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)) && !defined(WOLFSSL_ARMASM)
 
-#ifdef HAVE_FIPS
-int wc_InitSha512(Sha512* sha)
-{
-    return InitSha512_fips(sha);
-}
+#if defined(HAVE_FIPS) && \
+	defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
 
+    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
+    #define FIPS_NO_WRAPPERS
 
-int wc_Sha512Update(Sha512* sha, const byte* data, word32 len)
-{
-    return Sha512Update_fips(sha, data, len);
-}
+    #ifdef USE_WINDOWS_API
+        #pragma code_seg(".fipsA$k")
+        #pragma const_seg(".fipsB$k")
+    #endif
+#endif
 
+#include <wolfssl/wolfcrypt/sha512.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#include <wolfssl/wolfcrypt/hash.h>
 
-int wc_Sha512Final(Sha512* sha, byte* out)
-{
-    return Sha512Final_fips(sha, out);
-}
+/* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */
+#if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)
+    #define USE_SLOW_SHA512
+#endif
 
+/* fips wrapper calls, user can call direct */
+#if defined(HAVE_FIPS) && \
+    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
 
-int wc_Sha512Hash(const byte* data, word32 len, byte* out)
-{
-    return Sha512Hash(data, len, out);
-}
+    #ifdef WOLFSSL_SHA512
 
-#if defined(WOLFSSL_SHA384) || defined(HAVE_AESGCM)
-
-int wc_InitSha384(Sha384* sha)
-{
-    return InitSha384_fips(sha);
-}
+        int wc_InitSha512(wc_Sha512* sha)
+        {
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
+            return InitSha512_fips(sha);
+        }
+        int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devId)
+        {
+            (void)heap;
+            (void)devId;
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            return InitSha512_fips(sha);
+        }
+        int wc_Sha512Update(wc_Sha512* sha, const byte* data, word32 len)
+        {
+            if (sha == NULL || (data == NULL && len > 0)) {
+                return BAD_FUNC_ARG;
+            }
 
-int wc_Sha384Update(Sha384* sha, const byte* data, word32 len)
-{
-    return Sha384Update_fips(sha, data, len);
-}
+            return Sha512Update_fips(sha, data, len);
+        }
+        int wc_Sha512Final(wc_Sha512* sha, byte* out)
+        {
+            if (sha == NULL || out == NULL) {
+                return BAD_FUNC_ARG;
+            }
 
+            return Sha512Final_fips(sha, out);
+        }
+        void wc_Sha512Free(wc_Sha512* sha)
+        {
+            (void)sha;
+            /* Not supported in FIPS */
+        }
+    #endif
 
-int wc_Sha384Final(Sha384* sha, byte* out)
-{
-    return Sha384Final_fips(sha, out);
-}
+    #if defined(WOLFSSL_SHA384) || defined(HAVE_AESGCM)
+        int wc_InitSha384(wc_Sha384* sha)
+        {
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            return InitSha384_fips(sha);
+        }
+        int wc_InitSha384_ex(wc_Sha384* sha, void* heap, int devId)
+        {
+            (void)heap;
+            (void)devId;
+            if (sha == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            return InitSha384_fips(sha);
+        }
+        int wc_Sha384Update(wc_Sha384* sha, const byte* data, word32 len)
+        {
+            if (sha == NULL || (data == NULL && len > 0)) {
+                return BAD_FUNC_ARG;
+            }
+            return Sha384Update_fips(sha, data, len);
+        }
+        int wc_Sha384Final(wc_Sha384* sha, byte* out)
+        {
+            if (sha == NULL || out == NULL) {
+                return BAD_FUNC_ARG;
+            }
+            return Sha384Final_fips(sha, out);
+        }
+        void wc_Sha384Free(wc_Sha384* sha)
+        {
+            (void)sha;
+            /* Not supported in FIPS */
+        }
+    #endif /* WOLFSSL_SHA384 || HAVE_AESGCM */
 
+#else /* else build without fips, or for FIPS v2 */
 
-int wc_Sha384Hash(const byte* data, word32 len, byte* out)
-{
-    return Sha384Hash(data, len, out);
-}
-#endif /* WOLFSSL_SHA384 */
-#else /* else build without using fips */
 #include <wolfssl/wolfcrypt/logging.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
+    #define WOLFSSL_MISC_INCLUDED
     #include <wolfcrypt/src/misc.c>
 #endif
 
 
-#ifndef WOLFSSL_HAVE_MIN
-#define WOLFSSL_HAVE_MIN
-
-    static INLINE word32 min(word32 a, word32 b)
-    {
-        return a > b ? b : a;
-    }
-
-#endif /* WOLFSSL_HAVE_MIN */
-
 #if defined(USE_INTEL_SPEEDUP)
-  #define HAVE_INTEL_AVX1
-  #define HAVE_INTEL_AVX2
+    #if defined(__GNUC__) && ((__GNUC__ < 4) || \
+                              (__GNUC__ == 4 && __GNUC_MINOR__ <= 8))
+        #undef  NO_AVX2_SUPPORT
+        #define NO_AVX2_SUPPORT
+    #endif
+    #if defined(__clang__) && ((__clang_major__ < 3) || \
+                               (__clang_major__ == 3 && __clang_minor__ <= 5))
+        #define NO_AVX2_SUPPORT
+    #elif defined(__clang__) && defined(NO_AVX2_SUPPORT)
+        #undef NO_AVX2_SUPPORT
+    #endif
+
+    #define HAVE_INTEL_AVX1
+    #ifndef NO_AVX2_SUPPORT
+        #define HAVE_INTEL_AVX2
+    #endif
 #endif
 
 #if defined(HAVE_INTEL_AVX1)
-/* #define DEBUG_XMM  */
+    /* #define DEBUG_XMM  */
 #endif
 
 #if defined(HAVE_INTEL_AVX2)
-#define HAVE_INTEL_RORX
-/* #define DEBUG_YMM  */
-#endif
-
-/*****
-Intel AVX1/AVX2 Macro Control Structure
-
-#if defined(HAVE_INteL_SPEEDUP)
-    #define HAVE_INTEL_AVX1
-    #define HAVE_INTEL_AVX2
+    #define HAVE_INTEL_RORX
+    /* #define DEBUG_YMM  */
 #endif
 
-int InitSha512(Sha512* sha512) { 
-     Save/Recover XMM, YMM
-     ...
-
-     Check Intel AVX cpuid flags
-}
-
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-  Transform_AVX1() ; # Function prototype 
-  Transform_AVX2() ; #
+#if defined(HAVE_BYTEREVERSE64) && \
+        !defined(HAVE_INTEL_AVX1) && !defined(HAVE_INTEL_AVX2)
+    #define ByteReverseWords64(out, in, size) ByteReverseWords64_1(out, size)
+    #define ByteReverseWords64_1(buf, size) \
+        { unsigned int i ;\
+            for(i=0; i< size/sizeof(word64); i++){\
+                __asm__ volatile("bswapq %0":"+r"(buf[i])::) ;\
+            }\
+        }
 #endif
 
-  _Transform() {     # Native Transform Function body
-  
-  }
-  
-  int Sha512Update() { 
-     Save/Recover XMM, YMM
-     ...
-  }
-  
-  int Sha512Final() { 
-     Save/Recover XMM, YMM
-     ...
-  }
-
+#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
 
-#if defined(HAVE_INTEL_AVX1)
-   
-   XMM Instructions/inline asm Definitions
+#else
 
-#endif
+#ifdef WOLFSSL_SHA512
 
-#if defined(HAVE_INTEL_AVX2)
+static int InitSha512(wc_Sha512* sha512)
+{
+    if (sha512 == NULL)
+        return BAD_FUNC_ARG;
 
-   YMM Instructions/inline asm Definitions
+    sha512->digest[0] = W64LIT(0x6a09e667f3bcc908);
+    sha512->digest[1] = W64LIT(0xbb67ae8584caa73b);
+    sha512->digest[2] = W64LIT(0x3c6ef372fe94f82b);
+    sha512->digest[3] = W64LIT(0xa54ff53a5f1d36f1);
+    sha512->digest[4] = W64LIT(0x510e527fade682d1);
+    sha512->digest[5] = W64LIT(0x9b05688c2b3e6c1f);
+    sha512->digest[6] = W64LIT(0x1f83d9abfb41bd6b);
+    sha512->digest[7] = W64LIT(0x5be0cd19137e2179);
 
-#endif
+    sha512->buffLen = 0;
+    sha512->loLen   = 0;
+    sha512->hiLen   = 0;
 
-#if defnied(HAVE_INTEL_AVX1)
-  
-  int Transform_AVX1() {
-      Stitched Message Sched/Round
-  }
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
 
+    sha512->ctx.sha_type = SHA2_512;
+     /* always start firstblock = 1 when using hw engine */
+    sha512->ctx.isfirstblock = 1;
+    if(sha512->ctx.mode == ESP32_SHA_HW) {
+        /* release hw */
+        esp_sha_hw_unlock();
+    }
+    /* always set mode as INIT
+    *  whether using HW or SW is determined at first call of update()
+    */
+    sha512->ctx.mode = ESP32_SHA_INIT;
 #endif
-
-#if defnied(HAVE_INTEL_AVX2)
-  
-  int Transform_AVX2() {
-      Stitched Message Sched/Round
-  }
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    sha512->flags = 0;
 #endif
+    return 0;
+}
 
+#endif /* WOLFSSL_SHA512 */
 
-*/
-
+/* Hardware Acceleration */
 #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
 
+#ifdef WOLFSSL_SHA512
 
-/* Each platform needs to query info type 1 from cpuid to see if aesni is
- * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
- */
+    /*****
+    Intel AVX1/AVX2 Macro Control Structure
 
-#ifndef _MSC_VER
-    #define cpuid(reg, leaf, sub)\
-            __asm__ __volatile__ ("cpuid":\
-             "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
-             "a" (leaf), "c"(sub));
+    #if defined(HAVE_INteL_SPEEDUP)
+        #define HAVE_INTEL_AVX1
+        #define HAVE_INTEL_AVX2
+    #endif
 
-    #define XASM_LINK(f) asm(f)
-#else
+    int InitSha512(wc_Sha512* sha512) {
+         Save/Recover XMM, YMM
+         ...
 
-    #include <intrin.h>
-    #define cpuid(a,b) __cpuid((int*)a,b)
-
-    #define XASM_LINK(f)
-
-#endif /* _MSC_VER */
-
-#define EAX 0
-#define EBX 1
-#define ECX 2 
-#define EDX 3
-    
-#define CPUID_AVX1   0x1
-#define CPUID_AVX2   0x2
-#define CPUID_RDRAND 0x4
-#define CPUID_RDSEED 0x8
-#define CPUID_BMI2   0x10   /* MULX, RORX */
-
-#define IS_INTEL_AVX1       (cpuid_flags&CPUID_AVX1)
-#define IS_INTEL_AVX2       (cpuid_flags&CPUID_AVX2)
-#define IS_INTEL_BMI2       (cpuid_flags&CPUID_BMI2)
-#define IS_INTEL_RDRAND     (cpuid_flags&CPUID_RDRAND)
-#define IS_INTEL_RDSEED     (cpuid_flags&CPUID_RDSEED)
-
-static word32 cpuid_check = 0 ;
-static word32 cpuid_flags = 0 ;
-
-static word32 cpuid_flag(word32 leaf, word32 sub, word32 num, word32 bit) {
-    int got_intel_cpu=0;
-    unsigned int reg[5]; 
-    
-    reg[4] = '\0' ;
-    cpuid(reg, 0, 0);  
-    if(memcmp((char *)&(reg[EBX]), "Genu", 4) == 0 &&  
-                memcmp((char *)&(reg[EDX]), "ineI", 4) == 0 &&  
-                memcmp((char *)&(reg[ECX]), "ntel", 4) == 0) {  
-        got_intel_cpu = 1;  
-    }    
-    if (got_intel_cpu) {
-        cpuid(reg, leaf, sub);
-        return((reg[num]>>bit)&0x1) ;
+         Check Intel AVX cpuid flags
     }
-    return 0 ;
-}
 
-#define CHECK_SHA512 0x1
-#define CHECK_SHA384 0x2
-
-static int set_cpuid_flags(int sha) {  
-    if((cpuid_check & sha) ==0) {
-        if(cpuid_flag(1, 0, ECX, 28)){ cpuid_flags |= CPUID_AVX1 ;}
-        if(cpuid_flag(7, 0, EBX, 5)){  cpuid_flags |= CPUID_AVX2 ; }
-        if(cpuid_flag(7, 0, EBX, 8)) { cpuid_flags |= CPUID_BMI2 ; }
-        if(cpuid_flag(1, 0, ECX, 30)){ cpuid_flags |= CPUID_RDRAND ;  } 
-        if(cpuid_flag(7, 0, EBX, 18)){ cpuid_flags |= CPUID_RDSEED ;  }
-		cpuid_check |= sha ;
-		return 0 ;
-    }
-    return 1 ;
-}
+    #if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
+      Transform_Sha512_AVX1(); # Function prototype
+      Transform_Sha512_AVX2(); #
+    #endif
 
+      _Transform_Sha512() {     # Native Transform Function body
 
-/* #if defined(HAVE_INTEL_AVX1/2) at the tail of sha512 */
+      }
 
-#if defined(HAVE_INTEL_AVX1)
-static int Transform_AVX1(Sha512 *sha512) ;
-#endif
+      int Sha512Update() {
+         Save/Recover XMM, YMM
+         ...
+      }
 
-#if defined(HAVE_INTEL_AVX2)
-static int Transform_AVX2(Sha512 *sha512) ; 
+      int Sha512Final() {
+         Save/Recover XMM, YMM
+         ...
+      }
 
-#if defined(HAVE_INTEL_AVX1) && defined(HAVE_INTEL_AVX2) && defined(HAVE_INTEL_RORX)
-static int Transform_AVX1_RORX(Sha512 *sha512) ;
-#endif
 
-#endif
+    #if defined(HAVE_INTEL_AVX1)
 
-static int _Transform(Sha512 *sha512) ; 
-    
-static int (*Transform_p)(Sha512* sha512) = _Transform ;
+       XMM Instructions/INLINE asm Definitions
 
-#define Transform(sha512) (*Transform_p)(sha512)
+    #endif
 
-static void set_Transform(void) {
-     if(set_cpuid_flags(CHECK_SHA512)) return ;
+    #if defined(HAVE_INTEL_AVX2)
 
-#if defined(HAVE_INTEL_AVX2)
-     if(IS_INTEL_AVX2 && IS_INTEL_BMI2){ 
-         Transform_p = Transform_AVX1_RORX; return ; 
-         Transform_p = Transform_AVX2      ; 
-                  /* for avoiding warning,"not used" */
-     }
-#endif
-#if defined(HAVE_INTEL_AVX1)
-     Transform_p = ((IS_INTEL_AVX1) ? Transform_AVX1 : _Transform) ; return ;
-#endif
-     Transform_p = _Transform ; return ;
-}
+       YMM Instructions/INLINE asm Definitions
 
-#else
-   #define Transform(sha512) _Transform(sha512)
-#endif
+    #endif
 
-/* Dummy for saving MM_REGs on behalf of Transform */
-/* #if defined(HAVE_INTEL_AVX2)
- #define  SAVE_XMM_YMM   __asm__ volatile("orq %%r8, %%r8":::\
-   "%ymm0","%ymm1","%ymm2","%ymm3","%ymm4","%ymm5","%ymm6","%ymm7","%ymm8","%ymm9","%ymm10","%ymm11",\
-   "%ymm12","%ymm13","%ymm14","%ymm15")
-*/
-#if defined(HAVE_INTEL_AVX1)
-   #define  SAVE_XMM_YMM   __asm__ volatile("orq %%r8, %%r8":::\
-    "xmm0","xmm1","xmm2","xmm3","xmm4","xmm5","xmm6","xmm7","xmm8","xmm9","xmm10","xmm11","xmm12","xmm13","xmm14","xmm15")
-#else
-#define  SAVE_XMM_YMM
-#endif
+    #if defnied(HAVE_INTEL_AVX1)
 
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
+      int Transform_Sha512_AVX1() {
+          Stitched Message Sched/Round
+      }
 
-#include <string.h>
+    #endif
 
-#endif /* defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2) */
+    #if defnied(HAVE_INTEL_AVX2)
 
+      int Transform_Sha512_AVX2() {
+          Stitched Message Sched/Round
+      }
+    #endif
 
-#if defined(HAVE_INTEL_RORX)
-#define ROTR(func, bits, x) \
-word64 func(word64 x) {  word64 ret ;\
-    __asm__ ("rorx $"#bits", %1, %0\n\t":"=r"(ret):"r"(x):) ;\
-    return ret ;\
-}
+    */
 
-static INLINE ROTR(rotrFixed64_28, 28, x)
-static INLINE ROTR(rotrFixed64_34, 34, x)
-static INLINE ROTR(rotrFixed64_39, 39, x)
-static INLINE ROTR(rotrFixed64_14, 14, x)
-static INLINE ROTR(rotrFixed64_18, 18, x)
-static INLINE ROTR(rotrFixed64_41, 41, x)
 
-#define S0_RORX(x) (rotrFixed64_28(x)^rotrFixed64_34(x)^rotrFixed64_39(x))
-#define S1_RORX(x) (rotrFixed64_14(x)^rotrFixed64_18(x)^rotrFixed64_41(x))
+    /* Each platform needs to query info type 1 from cpuid to see if aesni is
+     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
+     */
+
+#ifdef __cplusplus
+    extern "C" {
 #endif
 
-#if defined(HAVE_BYTEREVERSE64) && !defined(HAVE_INTEL_AVX1) && !defined(HAVE_INTEL_AVX2)
-#define ByteReverseWords64(out, in, size) ByteReverseWords64_1(out, size)
-#define ByteReverseWords64_1(buf, size)\
- { unsigned int i ;\
-   for(i=0; i< size/sizeof(word64); i++){\
-       __asm__ volatile("bswapq %0":"+r"(buf[i])::) ;\
-   }\
-}
+    #if defined(HAVE_INTEL_AVX1)
+        extern int Transform_Sha512_AVX1(wc_Sha512 *sha512);
+        extern int Transform_Sha512_AVX1_Len(wc_Sha512 *sha512, word32 len);
+    #endif
+    #if defined(HAVE_INTEL_AVX2)
+        extern int Transform_Sha512_AVX2(wc_Sha512 *sha512);
+        extern int Transform_Sha512_AVX2_Len(wc_Sha512 *sha512, word32 len);
+        #if defined(HAVE_INTEL_RORX)
+            extern int Transform_Sha512_AVX1_RORX(wc_Sha512 *sha512);
+            extern int Transform_Sha512_AVX1_RORX_Len(wc_Sha512 *sha512,
+                                                      word32 len);
+            extern int Transform_Sha512_AVX2_RORX(wc_Sha512 *sha512);
+            extern int Transform_Sha512_AVX2_RORX_Len(wc_Sha512 *sha512,
+                                                      word32 len);
+        #endif
+    #endif
+
+#ifdef __cplusplus
+    }  /* extern "C" */
 #endif
 
+    static int _Transform_Sha512(wc_Sha512 *sha512);
+    static int (*Transform_Sha512_p)(wc_Sha512* sha512) = _Transform_Sha512;
+    static int (*Transform_Sha512_Len_p)(wc_Sha512* sha512, word32 len) = NULL;
+    static int transform_check = 0;
+    static int intel_flags;
+    #define Transform_Sha512(sha512)     (*Transform_Sha512_p)(sha512)
+    #define Transform_Sha512_Len(sha512, len) \
+                                          (*Transform_Sha512_Len_p)(sha512, len)
 
-int wc_InitSha512(Sha512* sha512)
-{
-    sha512->digest[0] = W64LIT(0x6a09e667f3bcc908);
-    sha512->digest[1] = W64LIT(0xbb67ae8584caa73b);
-    sha512->digest[2] = W64LIT(0x3c6ef372fe94f82b);
-    sha512->digest[3] = W64LIT(0xa54ff53a5f1d36f1);
-    sha512->digest[4] = W64LIT(0x510e527fade682d1);
-    sha512->digest[5] = W64LIT(0x9b05688c2b3e6c1f);
-    sha512->digest[6] = W64LIT(0x1f83d9abfb41bd6b);
-    sha512->digest[7] = W64LIT(0x5be0cd19137e2179);
+    static void Sha512_SetTransform()
+    {
+        if (transform_check)
+            return;
+
+        intel_flags = cpuid_get_flags();
+
+    #if defined(HAVE_INTEL_AVX2)
+        if (IS_INTEL_AVX2(intel_flags)) {
+        #ifdef HAVE_INTEL_RORX
+            if (IS_INTEL_BMI2(intel_flags)) {
+                Transform_Sha512_p = Transform_Sha512_AVX2_RORX;
+                Transform_Sha512_Len_p = Transform_Sha512_AVX2_RORX_Len;
+            }
+            else
+        #endif
+            if (1) {
+                Transform_Sha512_p = Transform_Sha512_AVX2;
+                Transform_Sha512_Len_p = Transform_Sha512_AVX2_Len;
+            }
+        #ifdef HAVE_INTEL_RORX
+            else {
+                Transform_Sha512_p = Transform_Sha512_AVX1_RORX;
+                Transform_Sha512_Len_p = Transform_Sha512_AVX1_RORX_Len;
+            }
+        #endif
+        }
+        else
+    #endif
+    #if defined(HAVE_INTEL_AVX1)
+        if (IS_INTEL_AVX1(intel_flags)) {
+            Transform_Sha512_p = Transform_Sha512_AVX1;
+            Transform_Sha512_Len_p = Transform_Sha512_AVX1_Len;
+        }
+        else
+    #endif
+            Transform_Sha512_p = _Transform_Sha512;
+
+        transform_check = 1;
+    }
+#endif /* WOLFSSL_SHA512 */
+
+#else
+    #define Transform_Sha512(sha512) _Transform_Sha512(sha512)
 
-    sha512->buffLen = 0;
-    sha512->loLen   = 0;
-    sha512->hiLen   = 0;
-    
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-    set_Transform() ; /* choose best Transform function under this runtime environment */
 #endif
-    
-    return 0 ;
-}
 
+#ifdef WOLFSSL_SHA512
 
-static const word64 K512[80] = {
-	W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd),
-	W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc),
-	W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019),
-	W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118),
-	W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe),
-	W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2),
-	W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1),
-	W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694),
-	W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3),
-	W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65),
-	W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483),
-	W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5),
-	W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210),
-	W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4),
-	W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725),
-	W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70),
-	W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926),
-	W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df),
-	W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8),
-	W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b),
-	W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001),
-	W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30),
-	W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910),
-	W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8),
-	W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53),
-	W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8),
-	W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb),
-	W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3),
-	W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60),
-	W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec),
-	W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9),
-	W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b),
-	W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207),
-	W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178),
-	W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6),
-	W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b),
-	W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493),
-	W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c),
-	W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a),
-	W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817)
-};
+int wc_InitSha512_ex(wc_Sha512* sha512, void* heap, int devId)
+{
+    int ret = 0;
 
+    if (sha512 == NULL)
+        return BAD_FUNC_ARG;
 
+    sha512->heap = heap;
 
-#define blk0(i) (W[i] = sha512->buffer[i])
+    ret = InitSha512(sha512);
+    if (ret != 0)
+        return ret;
 
-#define blk2(i) (W[i&15]+=s1(W[(i-2)&15])+W[(i-7)&15]+s0(W[(i-15)&15]))
+#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    Sha512_SetTransform();
+#endif
 
-#define Ch(x,y,z) (z^(x&(y^z)))
-#define Maj(x,y,z) ((x&y)|(z&(x|y)))
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    sha512->W = NULL;
+#endif
 
-#define a(i) T[(0-i)&7]
-#define b(i) T[(1-i)&7]
-#define c(i) T[(2-i)&7]
-#define d(i) T[(3-i)&7]
-#define e(i) T[(4-i)&7]
-#define f(i) T[(5-i)&7]
-#define g(i) T[(6-i)&7]
-#define h(i) T[(7-i)&7]
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
+    ret = wolfAsync_DevCtxInit(&sha512->asyncDev,
+                        WOLFSSL_ASYNC_MARKER_SHA512, sha512->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-#define S0(x) (rotrFixed64(x,28)^rotrFixed64(x,34)^rotrFixed64(x,39))
-#define S1(x) (rotrFixed64(x,14)^rotrFixed64(x,18)^rotrFixed64(x,41))
-#define s0(x) (rotrFixed64(x,1)^rotrFixed64(x,8)^(x>>7))
-#define s1(x) (rotrFixed64(x,19)^rotrFixed64(x,61)^(x>>6))
+    return ret;
+}
 
-#define R(i) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j]+(j?blk2(i):blk0(i));\
-    d(i)+=h(i);h(i)+=S0(a(i))+Maj(a(i),b(i),c(i))
+#endif /* WOLFSSL_SHA512 */
 
-#define blk384(i) (W[i] = sha384->buffer[i])
 
-#define R2(i) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j]+(j?blk2(i):blk384(i));\
-    d(i)+=h(i);h(i)+=S0(a(i))+Maj(a(i),b(i),c(i))
+static const word64 K512[80] = {
+    W64LIT(0x428a2f98d728ae22), W64LIT(0x7137449123ef65cd),
+    W64LIT(0xb5c0fbcfec4d3b2f), W64LIT(0xe9b5dba58189dbbc),
+    W64LIT(0x3956c25bf348b538), W64LIT(0x59f111f1b605d019),
+    W64LIT(0x923f82a4af194f9b), W64LIT(0xab1c5ed5da6d8118),
+    W64LIT(0xd807aa98a3030242), W64LIT(0x12835b0145706fbe),
+    W64LIT(0x243185be4ee4b28c), W64LIT(0x550c7dc3d5ffb4e2),
+    W64LIT(0x72be5d74f27b896f), W64LIT(0x80deb1fe3b1696b1),
+    W64LIT(0x9bdc06a725c71235), W64LIT(0xc19bf174cf692694),
+    W64LIT(0xe49b69c19ef14ad2), W64LIT(0xefbe4786384f25e3),
+    W64LIT(0x0fc19dc68b8cd5b5), W64LIT(0x240ca1cc77ac9c65),
+    W64LIT(0x2de92c6f592b0275), W64LIT(0x4a7484aa6ea6e483),
+    W64LIT(0x5cb0a9dcbd41fbd4), W64LIT(0x76f988da831153b5),
+    W64LIT(0x983e5152ee66dfab), W64LIT(0xa831c66d2db43210),
+    W64LIT(0xb00327c898fb213f), W64LIT(0xbf597fc7beef0ee4),
+    W64LIT(0xc6e00bf33da88fc2), W64LIT(0xd5a79147930aa725),
+    W64LIT(0x06ca6351e003826f), W64LIT(0x142929670a0e6e70),
+    W64LIT(0x27b70a8546d22ffc), W64LIT(0x2e1b21385c26c926),
+    W64LIT(0x4d2c6dfc5ac42aed), W64LIT(0x53380d139d95b3df),
+    W64LIT(0x650a73548baf63de), W64LIT(0x766a0abb3c77b2a8),
+    W64LIT(0x81c2c92e47edaee6), W64LIT(0x92722c851482353b),
+    W64LIT(0xa2bfe8a14cf10364), W64LIT(0xa81a664bbc423001),
+    W64LIT(0xc24b8b70d0f89791), W64LIT(0xc76c51a30654be30),
+    W64LIT(0xd192e819d6ef5218), W64LIT(0xd69906245565a910),
+    W64LIT(0xf40e35855771202a), W64LIT(0x106aa07032bbd1b8),
+    W64LIT(0x19a4c116b8d2d0c8), W64LIT(0x1e376c085141ab53),
+    W64LIT(0x2748774cdf8eeb99), W64LIT(0x34b0bcb5e19b48a8),
+    W64LIT(0x391c0cb3c5c95a63), W64LIT(0x4ed8aa4ae3418acb),
+    W64LIT(0x5b9cca4f7763e373), W64LIT(0x682e6ff3d6b2b8a3),
+    W64LIT(0x748f82ee5defb2fc), W64LIT(0x78a5636f43172f60),
+    W64LIT(0x84c87814a1f0ab72), W64LIT(0x8cc702081a6439ec),
+    W64LIT(0x90befffa23631e28), W64LIT(0xa4506cebde82bde9),
+    W64LIT(0xbef9a3f7b2c67915), W64LIT(0xc67178f2e372532b),
+    W64LIT(0xca273eceea26619c), W64LIT(0xd186b8c721c0c207),
+    W64LIT(0xeada7dd6cde0eb1e), W64LIT(0xf57d4f7fee6ed178),
+    W64LIT(0x06f067aa72176fba), W64LIT(0x0a637dc5a2c898a6),
+    W64LIT(0x113f9804bef90dae), W64LIT(0x1b710b35131c471b),
+    W64LIT(0x28db77f523047d84), W64LIT(0x32caab7b40c72493),
+    W64LIT(0x3c9ebe0a15c9bebc), W64LIT(0x431d67c49c100d4c),
+    W64LIT(0x4cc5d4becb3e42b6), W64LIT(0x597f299cfc657e2a),
+    W64LIT(0x5fcb6fab3ad6faec), W64LIT(0x6c44198c4a475817)
+};
 
-static int _Transform(Sha512* sha512)
+#define blk0(i) (W[i] = sha512->buffer[i])
+
+#define blk2(i) (\
+               W[ i     & 15] += \
+            s1(W[(i-2)  & 15])+ \
+               W[(i-7)  & 15] + \
+            s0(W[(i-15) & 15])  \
+        )
+
+#define Ch(x,y,z)  (z ^ (x & (y ^ z)))
+#define Maj(x,y,z) ((x & y) | (z & (x | y)))
+
+#define a(i) T[(0-i) & 7]
+#define b(i) T[(1-i) & 7]
+#define c(i) T[(2-i) & 7]
+#define d(i) T[(3-i) & 7]
+#define e(i) T[(4-i) & 7]
+#define f(i) T[(5-i) & 7]
+#define g(i) T[(6-i) & 7]
+#define h(i) T[(7-i) & 7]
+
+#define S0(x) (rotrFixed64(x,28) ^ rotrFixed64(x,34) ^ rotrFixed64(x,39))
+#define S1(x) (rotrFixed64(x,14) ^ rotrFixed64(x,18) ^ rotrFixed64(x,41))
+#define s0(x) (rotrFixed64(x,1)  ^ rotrFixed64(x,8)  ^ (x>>7))
+#define s1(x) (rotrFixed64(x,19) ^ rotrFixed64(x,61) ^ (x>>6))
+
+#define R(i) \
+    h(i) += S1(e(i)) + Ch(e(i),f(i),g(i)) + K[i+j] + (j ? blk2(i) : blk0(i)); \
+    d(i) += h(i); \
+    h(i) += S0(a(i)) + Maj(a(i),b(i),c(i))
+
+static int _Transform_Sha512(wc_Sha512* sha512)
 {
     const word64* K = K512;
-
     word32 j;
     word64 T[8];
 
-
-#ifdef WOLFSSL_SMALL_STACK
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    word64* W = sha512->W;
+    if (W == NULL) {
+        W = (word64*) XMALLOC(sizeof(word64) * 16, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        if (W == NULL)
+            return MEMORY_E;
+        sha512->W = W;
+    }
+#elif defined(WOLFSSL_SMALL_STACK)
     word64* W;
     W = (word64*) XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (W == NULL)
@@ -462,11 +525,11 @@ static int _Transform(Sha512* sha512)
     /* Copy digest to working vars */
     XMEMCPY(T, sha512->digest, sizeof(T));
 
-#ifdef USE_SLOW_SHA2
+#ifdef USE_SLOW_SHA512
     /* over twice as small, but 50% slower */
     /* 80 operations, not unrolled */
     for (j = 0; j < 80; j += 16) {
-        int m; 
+        int m;
         for (m = 0; m < 16; m++) { /* braces needed here for macros {} */
             R(m);
         }
@@ -479,10 +542,9 @@ static int _Transform(Sha512* sha512)
         R( 8); R( 9); R(10); R(11);
         R(12); R(13); R(14); R(15);
     }
-#endif /* USE_SLOW_SHA2 */
+#endif /* USE_SLOW_SHA512 */
 
     /* Add the working vars back into digest */
-
     sha512->digest[0] += a(0);
     sha512->digest[1] += b(0);
     sha512->digest[2] += c(0);
@@ -496,7 +558,7 @@ static int _Transform(Sha512* sha512)
     ForceZero(W, sizeof(word64) * 16);
     ForceZero(T, sizeof(T));
 
-#ifdef WOLFSSL_SMALL_STACK
+#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_CACHE)
     XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
@@ -504,875 +566,350 @@ static int _Transform(Sha512* sha512)
 }
 
 
-static INLINE void AddLength(Sha512* sha512, word32 len)
+static WC_INLINE void AddLength(wc_Sha512* sha512, word32 len)
 {
-    word32 tmp = sha512->loLen;
+    word64 tmp = sha512->loLen;
     if ( (sha512->loLen += len) < tmp)
         sha512->hiLen++;                       /* carry low to high */
 }
 
-int wc_Sha512Update(Sha512* sha512, const byte* data, word32 len)
+static WC_INLINE int Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
 {
+    int ret = 0;
     /* do block size increments */
     byte* local = (byte*)sha512->buffer;
-    SAVE_XMM_YMM ; /* for Intel AVX */
-
-    while (len) {
-        word32 add = min(len, SHA512_BLOCK_SIZE - sha512->buffLen);
-        XMEMCPY(&local[sha512->buffLen], data, add);
-
-        sha512->buffLen += add;
-        data         += add;
-        len          -= add;
-
-        if (sha512->buffLen == SHA512_BLOCK_SIZE) {
-            int ret;
-            #if defined(LITTLE_ENDIAN_ORDER)
-                #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-                if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) 
-                #endif
-                    ByteReverseWords64(sha512->buffer, sha512->buffer,
-                                   SHA512_BLOCK_SIZE);
-            #endif
-            ret = Transform(sha512);
-            if (ret != 0)
-                return ret;
 
-            AddLength(sha512, SHA512_BLOCK_SIZE);
-            sha512->buffLen = 0;
-        }
-    }
-    return 0;
-}
+    /* check that internal buffLen is valid */
+    if (sha512->buffLen >= WC_SHA512_BLOCK_SIZE)
+        return BUFFER_E;
 
+    AddLength(sha512, len);
 
-int wc_Sha512Final(Sha512* sha512, byte* hash)
-{
-    byte* local = (byte*)sha512->buffer;
-    int ret;
+    if (sha512->buffLen > 0) {
+        word32 add = min(len, WC_SHA512_BLOCK_SIZE - sha512->buffLen);
+        if (add > 0) {
+            XMEMCPY(&local[sha512->buffLen], data, add);
 
-    SAVE_XMM_YMM ; /* for Intel AVX */
-    AddLength(sha512, sha512->buffLen);               /* before adding pads */
-
-    local[sha512->buffLen++] = 0x80;  /* add 1 */
-
-    /* pad with zeros */
-    if (sha512->buffLen > SHA512_PAD_SIZE) {
-        XMEMSET(&local[sha512->buffLen], 0, SHA512_BLOCK_SIZE -sha512->buffLen);
-        sha512->buffLen += SHA512_BLOCK_SIZE - sha512->buffLen;
-        #if defined(LITTLE_ENDIAN_ORDER) 
-            #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-            if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)
-            #endif
-            ByteReverseWords64(sha512->buffer,sha512->buffer,SHA512_BLOCK_SIZE);
-        #endif
-        ret = Transform(sha512);
-        if (ret != 0)
-            return ret;
-
-        sha512->buffLen = 0;
-    }
-    XMEMSET(&local[sha512->buffLen], 0, SHA512_PAD_SIZE - sha512->buffLen);
-   
-    /* put lengths in bits */
-    sha512->hiLen = (sha512->loLen >> (8*sizeof(sha512->loLen) - 3)) + 
-                 (sha512->hiLen << 3);
-    sha512->loLen = sha512->loLen << 3;
+            sha512->buffLen += add;
+            data            += add;
+            len             -= add;
+        }
 
-    /* store lengths */
+        if (sha512->buffLen == WC_SHA512_BLOCK_SIZE) {
     #if defined(LITTLE_ENDIAN_ORDER)
         #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-        if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2)
+            if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
         #endif
-        ByteReverseWords64(sha512->buffer, sha512->buffer, SHA512_PAD_SIZE);
-    #endif
-    /* ! length ordering dependent on digest endian type ! */
-
-    sha512->buffer[SHA512_BLOCK_SIZE / sizeof(word64) - 2] = sha512->hiLen;
-    sha512->buffer[SHA512_BLOCK_SIZE / sizeof(word64) - 1] = sha512->loLen;
-    #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-    if(IS_INTEL_AVX1 || IS_INTEL_AVX2)
-        ByteReverseWords64(&(sha512->buffer[SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
-                           &(sha512->buffer[SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
-                           SHA512_BLOCK_SIZE - SHA512_PAD_SIZE);
+            {
+        #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+             defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+                ByteReverseWords64(sha512->buffer, sha512->buffer,
+                                                         WC_SHA512_BLOCK_SIZE);
+        #endif
+            }
     #endif
-    ret = Transform(sha512);
-    if (ret != 0)
-        return ret;
-
-    #ifdef LITTLE_ENDIAN_ORDER
-        ByteReverseWords64(sha512->digest, sha512->digest, SHA512_DIGEST_SIZE);
+    #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+         defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            ret = Transform_Sha512(sha512);
+    #else
+            if(sha512->ctx.mode == ESP32_SHA_INIT) {
+                esp_sha_try_hw_lock(&sha512->ctx);
+            }
+            ret = esp_sha512_process(sha512);
+            if(ret == 0 && sha512->ctx.mode == ESP32_SHA_SW){
+                ret = Transform_Sha512(sha512);
+            }
     #endif
-    XMEMCPY(hash, sha512->digest, SHA512_DIGEST_SIZE);
+            if (ret == 0)
+                sha512->buffLen = 0;
+            else
+                len = 0;
+        }
+    }
 
-    return wc_InitSha512(sha512);  /* reset state */
-}
+#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    if (Transform_Sha512_Len_p != NULL) {
+        word32 blocksLen = len & ~(WC_SHA512_BLOCK_SIZE-1);
+
+        if (blocksLen > 0) {
+            sha512->data = data;
+            /* Byte reversal performed in function if required. */
+            Transform_Sha512_Len(sha512, blocksLen);
+            data += blocksLen;
+            len  -= blocksLen;
+        }
+    }
+    else
+#endif
+#if !defined(LITTLE_ENDIAN_ORDER) || defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    {
+        while (len >= WC_SHA512_BLOCK_SIZE) {
+            XMEMCPY(local, data, WC_SHA512_BLOCK_SIZE);
 
+            data += WC_SHA512_BLOCK_SIZE;
+            len  -= WC_SHA512_BLOCK_SIZE;
 
-int wc_Sha512Hash(const byte* data, word32 len, byte* hash)
-{
-    int ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Sha512* sha512;
+        #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+            if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
+            {
+                ByteReverseWords64(sha512->buffer, sha512->buffer,
+                                                          WC_SHA512_BLOCK_SIZE);
+            }
+        #endif
+            /* Byte reversal performed in function if required. */
+            ret = Transform_Sha512(sha512);
+            if (ret != 0)
+                break;
+        }
+    }
 #else
-    Sha512 sha512[1];
+    {
+        while (len >= WC_SHA512_BLOCK_SIZE) {
+            XMEMCPY(local, data, WC_SHA512_BLOCK_SIZE);
+
+            data += WC_SHA512_BLOCK_SIZE;
+            len  -= WC_SHA512_BLOCK_SIZE;
+    #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+         defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            ByteReverseWords64(sha512->buffer, sha512->buffer,
+                                                       WC_SHA512_BLOCK_SIZE);
+    #endif
+    #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+         defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            ret = Transform_Sha512(sha512);
+    #else
+            if(sha512->ctx.mode == ESP32_SHA_INIT) {
+                esp_sha_try_hw_lock(&sha512->ctx);
+            }
+            ret = esp_sha512_process(sha512);
+            if(ret == 0 && sha512->ctx.mode == ESP32_SHA_SW){
+                ret = Transform_Sha512(sha512);
+            }
+    #endif
+            if (ret != 0)
+                break;
+        }
+    }
 #endif
 
-#ifdef WOLFSSL_SMALL_STACK
-    sha512 = (Sha512*)XMALLOC(sizeof(Sha512), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (sha512 == NULL)
-        return MEMORY_E;
-#endif
-    
-    if ((ret = wc_InitSha512(sha512)) != 0) {
-        WOLFSSL_MSG("InitSha512 failed");
-    }
-    else if ((ret = wc_Sha512Update(sha512, data, len)) != 0) {
-        WOLFSSL_MSG("Sha512Update failed");
+    if (len > 0) {
+        XMEMCPY(local, data, len);
+        sha512->buffLen = len;
     }
-    else if ((ret = wc_Sha512Final(sha512, hash)) != 0) {
-        WOLFSSL_MSG("Sha512Final failed");
-    }
-    
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(sha512, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-    
+
     return ret;
 }
 
-#if defined(HAVE_INTEL_AVX1)
-
-#define Rx_1(i) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j] + W_X[i] ;
-#define Rx_2(i) d(i)+=h(i);
-#define Rx_3(i) h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));
-
-#if defined(HAVE_INTEL_RORX)
-#define Rx_RORX_1(i) h(i)+=S1_RORX(e(i))+Ch(e(i),f(i),g(i))+K[i+j] + W_X[i] ;
-#define Rx_RORX_2(i) d(i)+=h(i);
-#define Rx_RORX_3(i) h(i)+=S0_RORX(a(i))+Maj(a(i),b(i),c(i));
-#endif
-
-#endif
-
-#if defined(HAVE_INTEL_AVX2) 
-#define Ry_1(i, w) h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+K[i+j] + w ; 
-#define Ry_2(i, w) d(i)+=h(i);
-#define Ry_3(i, w) h(i)+=S0(a(i))+Maj(a(i),b(i),c(i));
-#endif
+#ifdef WOLFSSL_SHA512
 
-#if defined(HAVE_INTEL_AVX1) /* inline Assember for Intel AVX1 instructions */
-#if defined(DEBUG_XMM)
-
-#define SAVE_REG(i)     __asm__ volatile("vmovdqu %%xmm"#i", %0 \n\t":"=m"(reg[i][0])::XMM_REGs);
-#define RECV_REG(i)     __asm__ volatile("vmovdqu %0, %%xmm"#i" \n\t"::"m"(reg[i][0]):XMM_REGs);
-
-#define _DUMP_REG(REG, name)\
-    { word64 buf[16] ;word64 reg[16][2];int k ;\
-      SAVE_REG(0); SAVE_REG(1); SAVE_REG(2);  SAVE_REG(3);  SAVE_REG(4);  \
-      SAVE_REG(5);   SAVE_REG(6); SAVE_REG(7);SAVE_REG(8); SAVE_REG(9); SAVE_REG(10);\
-       SAVE_REG(11); SAVE_REG(12); SAVE_REG(13); SAVE_REG(14); SAVE_REG(15); \
-      __asm__ volatile("vmovdqu %%"#REG", %0 \n\t":"=m"(buf[0])::XMM_REGs);\
-      printf(" "#name":\t") ; for(k=0; k<2; k++) printf("%016lx.", (word64)(buf[k])); printf("\n") ; \
-      RECV_REG(0); RECV_REG(1); RECV_REG(2);  RECV_REG(3);  RECV_REG(4);\
-      RECV_REG(5);   RECV_REG(6); RECV_REG(7); RECV_REG(8); RECV_REG(9);\
-      RECV_REG(10); RECV_REG(11); RECV_REG(12); RECV_REG(13); RECV_REG(14); RECV_REG(15);\
+int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
+{
+    if (sha512 == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
     }
 
-#define DUMP_REG(REG) _DUMP_REG(REG, #REG) 
-#define PRINTF(fmt, ...) 
-
-#else
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
+    if (sha512->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA512) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha512(&sha512->asyncDev, NULL, data, len);
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-#define DUMP_REG(REG) 
-#define PRINTF(fmt, ...) 
+    return Sha512Update(sha512, data, len);
+}
 
-#endif
+#endif /* WOLFSSL_SHA512 */
 
-#define _MOVE_to_REG(xymm, mem)       __asm__ volatile("vmovdqu %0, %%"#xymm" "\
-        :: "m"(mem):XMM_REGs) ;
-#define _MOVE_to_MEM(mem,i, xymm)     __asm__ volatile("vmovdqu %%"#xymm", %0" :\
-         "=m"(mem[i]),"=m"(mem[i+1]),"=m"(mem[i+2]),"=m"(mem[i+3])::XMM_REGs) ;
-#define _MOVE(dest, src)              __asm__ volatile("vmovdqu %%"#src",  %%"\
-        #dest" ":::XMM_REGs) ;
-
-#define _S_TEMP(dest, src, bits, temp)  __asm__ volatile("vpsrlq  $"#bits", %%"\
-        #src", %%"#dest"\n\tvpsllq  $64-"#bits", %%"#src", %%"#temp"\n\tvpor %%"\
-        #temp",%%"#dest", %%"#dest" ":::XMM_REGs) ;
-#define _AVX1_R(dest, src, bits)      __asm__ volatile("vpsrlq  $"#bits", %%"\
-        #src", %%"#dest" ":::XMM_REGs) ;
-#define _XOR(dest, src1, src2)        __asm__ volatile("vpxor   %%"#src1", %%"\
-        #src2", %%"#dest" ":::XMM_REGs) ;
-#define _OR(dest, src1, src2)         __asm__ volatile("vpor    %%"#src1", %%"\
-        #src2", %%"#dest" ":::XMM_REGs) ;
-#define _ADD(dest, src1, src2)        __asm__ volatile("vpaddq   %%"#src1", %%"\
-        #src2", %%"#dest" ":::XMM_REGs) ;
-#define _ADD_MEM(dest, src1, mem)     __asm__ volatile("vpaddq   %0, %%"#src1", %%"\
-        #dest" "::"m"(mem):XMM_REGs) ;
-
-#define MOVE_to_REG(xymm, mem)      _MOVE_to_REG(xymm, mem)
-#define MOVE_to_MEM(mem, i, xymm)   _MOVE_to_MEM(mem, i, xymm)
-#define MOVE(dest, src)             _MOVE(dest, src)  
-
-#define XOR(dest, src1, src2)      _XOR(dest, src1, src2)
-#define OR(dest, src1, src2)       _OR(dest, src1, src2)
-#define ADD(dest, src1, src2)      _ADD(dest, src1, src2)
-
-#define S_TMP(dest, src, bits, temp) _S_TEMP(dest, src, bits, temp);
-#define AVX1_S(dest, src, bits)      S_TMP(dest, src, bits, S_TEMP)
-#define AVX1_R(dest, src, bits)      _AVX1_R(dest, src, bits)
-
-#define Init_Mask(mask) \
-     __asm__ volatile("vmovdqu %0, %%xmm1\n\t"::"m"(mask):"%xmm1") ;
-     
-#define _W_from_buff1(w, buff, xmm) \
-    /* X0..3(xmm4..7), W[0..15] = sha512->buffer[0.15];  */\
-     __asm__ volatile("vmovdqu %1, %%"#xmm"\n\t"\
-                      "vpshufb %%xmm1, %%"#xmm", %%"#xmm"\n\t"\
-                      "vmovdqu %%"#xmm", %0"\
-                      :"=m"(w): "m"(buff):"%xmm0") ;
-
-#define W_from_buff1(w, buff, xmm) _W_from_buff1(w, buff, xmm) 
-
-#define W_from_buff(w, buff)\
-     Init_Mask(mBYTE_FLIP_MASK[0]) ;\
-     W_from_buff1(w[0], buff[0], W_0);\
-     W_from_buff1(w[2], buff[2], W_2);\
-     W_from_buff1(w[4], buff[4], W_4);\
-     W_from_buff1(w[6], buff[6], W_6);\
-     W_from_buff1(w[8], buff[8], W_8);\
-     W_from_buff1(w[10],buff[10],W_10);\
-     W_from_buff1(w[12],buff[12],W_12);\
-     W_from_buff1(w[14],buff[14],W_14);
-                          
-static word64 mBYTE_FLIP_MASK[] =  { 0x0001020304050607, 0x08090a0b0c0d0e0f } ;
-
-#define W_I_15  xmm14
-#define W_I_7   xmm11
-#define W_I_2   xmm13
-#define W_I     xmm12
-#define G_TEMP  xmm0
-#define S_TEMP  xmm1
-#define XMM_TEMP0  xmm2
-
-#define W_0     xmm12
-#define W_2     xmm3
-#define W_4     xmm4
-#define W_6     xmm5
-#define W_8     xmm6
-#define W_10    xmm7
-#define W_12    xmm8
-#define W_14    xmm9
-
-#define XMM_REGs
-
-#define s0_1(dest, src)      AVX1_S(dest, src, 1); 
-#define s0_2(dest, src)      AVX1_S(G_TEMP, src, 8); XOR(dest, G_TEMP, dest) ; 
-#define s0_3(dest, src)      AVX1_R(G_TEMP, src, 7);  XOR(dest, G_TEMP, dest) ;
-
-#define s1_1(dest, src)      AVX1_S(dest, src, 19);
-#define s1_2(dest, src)      AVX1_S(G_TEMP, src, 61); XOR(dest, G_TEMP, dest) ; 
-#define s1_3(dest, src)      AVX1_R(G_TEMP, src, 6); XOR(dest, G_TEMP, dest) ;
-
-#define s0_(dest, src)       s0_1(dest, src) ; s0_2(dest, src) ; s0_3(dest, src)
-#define s1_(dest, src)       s1_1(dest, src) ; s1_2(dest, src) ; s1_3(dest, src)
-        
-#define Block_xx_1(i) \
-    MOVE_to_REG(W_I_15, W_X[(i-15)&15]) ;\
-    MOVE_to_REG(W_I_7,  W_X[(i- 7)&15]) ;\
-        
-#define Block_xx_2(i) \
-    MOVE_to_REG(W_I_2,  W_X[(i- 2)&15]) ;\
-    MOVE_to_REG(W_I,    W_X[(i)]) ;\
-        
-#define Block_xx_3(i) \
-    s0_ (XMM_TEMP0, W_I_15) ;\
-        
-#define Block_xx_4(i) \
-    ADD(W_I, W_I, XMM_TEMP0) ;\
-    ADD(W_I, W_I, W_I_7) ;\
-        
-#define Block_xx_5(i) \
-    s1_ (XMM_TEMP0, W_I_2) ;\
-    
-#define Block_xx_6(i) \
-    ADD(W_I, W_I, XMM_TEMP0) ;\
-    MOVE_to_MEM(W_X,i, W_I) ;\
-    if(i==0)\
-        MOVE_to_MEM(W_X,16, W_I) ;\
-
-#define Block_xx_7(i) \
-    MOVE_to_REG(W_I_15, W_X[(i-15)&15]) ;\
-    MOVE_to_REG(W_I_7,  W_X[(i- 7)&15]) ;\
-            
-#define Block_xx_8(i) \
-    MOVE_to_REG(W_I_2,  W_X[(i- 2)&15]) ;\
-    MOVE_to_REG(W_I,    W_X[(i)]) ;\
-
-#define Block_xx_9(i) \
-    s0_ (XMM_TEMP0, W_I_15) ;\
-
-#define Block_xx_10(i) \
-    ADD(W_I, W_I, XMM_TEMP0) ;\
-    ADD(W_I, W_I, W_I_7) ;\
-
-#define Block_xx_11(i) \
-    s1_ (XMM_TEMP0, W_I_2) ;\
-
-#define Block_xx_12(i) \
-    ADD(W_I, W_I, XMM_TEMP0) ;\
-    MOVE_to_MEM(W_X,i, W_I) ;\
-    if((i)==0)\
-        MOVE_to_MEM(W_X,16, W_I) ;\
-
-static inline void Block_0_1(word64 *W_X) { Block_xx_1(0) ; }
-static inline void Block_0_2(word64 *W_X) { Block_xx_2(0) ; }
-static inline void Block_0_3(void) { Block_xx_3(0) ; }
-static inline void Block_0_4(void) { Block_xx_4(0) ; }
-static inline void Block_0_5(void) { Block_xx_5(0) ; }
-static inline void Block_0_6(word64 *W_X) { Block_xx_6(0) ; }
-static inline void Block_0_7(word64 *W_X) { Block_xx_7(2) ; }
-static inline void Block_0_8(word64 *W_X) { Block_xx_8(2) ; }
-static inline void Block_0_9(void) { Block_xx_9(2) ; }
-static inline void Block_0_10(void){ Block_xx_10(2) ; }
-static inline void Block_0_11(void){ Block_xx_11(2) ; }
-static inline void Block_0_12(word64 *W_X){ Block_xx_12(2) ; }
-
-static inline void Block_4_1(word64 *W_X) { Block_xx_1(4) ; }
-static inline void Block_4_2(word64 *W_X) { Block_xx_2(4) ; }
-static inline void Block_4_3(void) { Block_xx_3(4) ; }
-static inline void Block_4_4(void) { Block_xx_4(4) ; }
-static inline void Block_4_5(void) { Block_xx_5(4) ; }
-static inline void Block_4_6(word64 *W_X) { Block_xx_6(4) ; }
-static inline void Block_4_7(word64 *W_X) { Block_xx_7(6) ; }
-static inline void Block_4_8(word64 *W_X) { Block_xx_8(6) ; }
-static inline void Block_4_9(void) { Block_xx_9(6) ; }
-static inline void Block_4_10(void){ Block_xx_10(6) ; }
-static inline void Block_4_11(void){ Block_xx_11(6) ; }
-static inline void Block_4_12(word64 *W_X){ Block_xx_12(6) ; }
-
-static inline void Block_8_1(word64 *W_X) { Block_xx_1(8) ; }
-static inline void Block_8_2(word64 *W_X) { Block_xx_2(8) ; }
-static inline void Block_8_3(void) { Block_xx_3(8) ; }
-static inline void Block_8_4(void) { Block_xx_4(8) ; }
-static inline void Block_8_5(void) { Block_xx_5(8) ; }
-static inline void Block_8_6(word64 *W_X) { Block_xx_6(8) ; }
-static inline void Block_8_7(word64 *W_X) { Block_xx_7(10) ; }
-static inline void Block_8_8(word64 *W_X) { Block_xx_8(10) ; }
-static inline void Block_8_9(void) { Block_xx_9(10) ; }
-static inline void Block_8_10(void){ Block_xx_10(10) ; }
-static inline void Block_8_11(void){ Block_xx_11(10) ; }
-static inline void Block_8_12(word64 *W_X){ Block_xx_12(10) ; }
-
-static inline void Block_12_1(word64 *W_X) { Block_xx_1(12) ; }
-static inline void Block_12_2(word64 *W_X) { Block_xx_2(12) ; }
-static inline void Block_12_3(void) { Block_xx_3(12) ; }
-static inline void Block_12_4(void) { Block_xx_4(12) ; }
-static inline void Block_12_5(void) { Block_xx_5(12) ; }
-static inline void Block_12_6(word64 *W_X) { Block_xx_6(12) ; }
-static inline void Block_12_7(word64 *W_X) { Block_xx_7(14) ; }
-static inline void Block_12_8(word64 *W_X) { Block_xx_8(14) ; }
-static inline void Block_12_9(void) { Block_xx_9(14) ; }
-static inline void Block_12_10(void){ Block_xx_10(14) ; }
-static inline void Block_12_11(void){ Block_xx_11(14) ; }
-static inline void Block_12_12(word64 *W_X){ Block_xx_12(14) ; }
+#endif /* WOLFSSL_IMX6_CAAM */
 
-#endif
+static WC_INLINE int Sha512Final(wc_Sha512* sha512)
+{
+    byte* local = (byte*)sha512->buffer;
+    int ret;
 
-#if defined(HAVE_INTEL_AVX2)
-static const unsigned long mBYTE_FLIP_MASK_Y[] =
-   { 0x0001020304050607, 0x08090a0b0c0d0e0f, 0x0001020304050607, 0x08090a0b0c0d0e0f } ;
-
-#define W_from_buff_Y(buff)\
-    { /* X0..3(ymm9..12), W_X[0..15] = sha512->buffer[0.15];  */\
-     __asm__ volatile("vmovdqu %0, %%ymm8\n\t"::"m"(mBYTE_FLIP_MASK_Y[0]):YMM_REGs) ;\
-     __asm__ volatile("vmovdqu %0, %%ymm12\n\t"\
-                      "vmovdqu %1, %%ymm4\n\t"\
-                      "vpshufb %%ymm8, %%ymm12, %%ymm12\n\t"\
-                      "vpshufb %%ymm8, %%ymm4, %%ymm4\n\t"\
-                      :: "m"(buff[0]),  "m"(buff[4]):YMM_REGs) ;\
-     __asm__ volatile("vmovdqu %0, %%ymm5\n\t"\
-                      "vmovdqu %1, %%ymm6\n\t"\
-                      "vpshufb %%ymm8, %%ymm5, %%ymm5\n\t"\
-                      "vpshufb %%ymm8, %%ymm6, %%ymm6\n\t"\
-                      :: "m"(buff[8]),  "m"(buff[12]):YMM_REGs) ;\
+    if (sha512 == NULL) {
+        return BAD_FUNC_ARG;
     }
 
-#if defined(DEBUG_YMM)
-
-#define SAVE_REG_Y(i) __asm__ volatile("vmovdqu %%ymm"#i", %0 \n\t":"=m"(reg[i-4][0])::YMM_REGs);
-#define RECV_REG_Y(i) __asm__ volatile("vmovdqu %0, %%ymm"#i" \n\t"::"m"(reg[i-4][0]):YMM_REGs);
-
-#define _DUMP_REG_Y(REG, name)\
-    { word64 buf[16] ;word64 reg[16][2];int k ;\
-      SAVE_REG_Y(4);  SAVE_REG_Y(5);   SAVE_REG_Y(6); SAVE_REG_Y(7); \
-      SAVE_REG_Y(8); SAVE_REG_Y(9); SAVE_REG_Y(10); SAVE_REG_Y(11); SAVE_REG_Y(12);\
-      SAVE_REG_Y(13); SAVE_REG_Y(14); SAVE_REG_Y(15); \
-      __asm__ volatile("vmovdqu %%"#REG", %0 \n\t":"=m"(buf[0])::YMM_REGs);\
-      printf(" "#name":\t") ; for(k=0; k<4; k++) printf("%016lx.", (word64)buf[k]) ; printf("\n") ; \
-      RECV_REG_Y(4);  RECV_REG_Y(5);   RECV_REG_Y(6); RECV_REG_Y(7); \
-      RECV_REG_Y(8); RECV_REG_Y(9); RECV_REG_Y(10); RECV_REG_Y(11); RECV_REG_Y(12); \
-      RECV_REG_Y(13); RECV_REG_Y(14); RECV_REG_Y(15);\
-    }
+    local[sha512->buffLen++] = 0x80;  /* add 1 */
 
-#define DUMP_REG_Y(REG) _DUMP_REG_Y(REG, #REG) 
-#define DUMP_REG2_Y(REG) _DUMP_REG_Y(REG, #REG) 
-#define PRINTF_Y(fmt, ...) 
+    /* pad with zeros */
+    if (sha512->buffLen > WC_SHA512_PAD_SIZE) {
+        XMEMSET(&local[sha512->buffLen], 0, WC_SHA512_BLOCK_SIZE - sha512->buffLen);
+        sha512->buffLen += WC_SHA512_BLOCK_SIZE - sha512->buffLen;
+#if defined(LITTLE_ENDIAN_ORDER)
+    #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
+    #endif
+        {
 
+       #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+            defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            ByteReverseWords64(sha512->buffer,sha512->buffer,
+                                                         WC_SHA512_BLOCK_SIZE);
+       #endif
+        }
+#endif /* LITTLE_ENDIAN_ORDER */
+#if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+     defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        ret = Transform_Sha512(sha512);
 #else
-
-#define DUMP_REG_Y(REG) 
-#define DUMP_REG2_Y(REG)
-#define PRINTF_Y(fmt, ...) 
-
+       if(sha512->ctx.mode == ESP32_SHA_INIT) {
+            esp_sha_try_hw_lock(&sha512->ctx);
+       }
+        ret = esp_sha512_process(sha512);
+        if(ret == 0 && sha512->ctx.mode == ESP32_SHA_SW){
+            ret = Transform_Sha512(sha512);
+        }
 #endif
+        if (ret != 0)
+            return ret;
 
-#define _MOVE_to_REGy(ymm, mem)         __asm__ volatile("vmovdqu %0, %%"#ymm" "\
-                                        :: "m"(mem):YMM_REGs) ;
-#define _MOVE_to_MEMy(mem,i, ymm)       __asm__ volatile("vmovdqu %%"#ymm", %0" \
-        : "=m"(mem[i]),"=m"(mem[i+1]),"=m"(mem[i+2]),"=m"(mem[i+3])::YMM_REGs) ;
-#define _MOVE_128y(ymm0, ymm1, ymm2, map)  __asm__ volatile("vperm2i128  $"\
-        #map", %%"#ymm2", %%"#ymm1", %%"#ymm0" ":::YMM_REGs) ;
-#define _S_TEMPy(dest, src, bits, temp) \
-         __asm__ volatile("vpsrlq  $"#bits", %%"#src", %%"#dest"\n\tvpsllq  $64-"#bits\
-        ", %%"#src", %%"#temp"\n\tvpor %%"#temp",%%"#dest", %%"#dest" ":::YMM_REGs) ;
-#define _AVX2_R(dest, src, bits)        __asm__ volatile("vpsrlq  $"#bits", %%"\
-         #src", %%"#dest" ":::YMM_REGs) ;
-#define _XORy(dest, src1, src2)         __asm__ volatile("vpxor   %%"#src1", %%"\
-         #src2", %%"#dest" ":::YMM_REGs) ;
-#define _ADDy(dest, src1, src2)         __asm__ volatile("vpaddq   %%"#src1", %%"\
-         #src2", %%"#dest" ":::YMM_REGs) ;
-#define _BLENDy(map, dest, src1, src2)  __asm__ volatile("vpblendd    $"#map", %%"\
-         #src1",   %%"#src2", %%"#dest" ":::YMM_REGs) ;
-#define _BLENDQy(map, dest, src1, src2) __asm__ volatile("vblendpd   $"#map", %%"\
-         #src1",   %%"#src2", %%"#dest" ":::YMM_REGs) ;
-#define _PERMQy(map, dest, src)         __asm__ volatile("vpermq  $"#map", %%"\
-         #src", %%"#dest" ":::YMM_REGs) ;
-
-#define MOVE_to_REGy(ymm, mem)      _MOVE_to_REGy(ymm, mem)
-#define MOVE_to_MEMy(mem, i, ymm)   _MOVE_to_MEMy(mem, i, ymm)
-
-#define MOVE_128y(ymm0, ymm1, ymm2, map) _MOVE_128y(ymm0, ymm1, ymm2, map) 
-#define XORy(dest, src1, src2)      _XORy(dest, src1, src2)
-#define ADDy(dest, src1, src2)      _ADDy(dest, src1, src2)
-#define BLENDy(map, dest, src1, src2) _BLENDy(map, dest, src1, src2)
-#define BLENDQy(map, dest, src1, src2) _BLENDQy(map, dest, src1, src2)
-#define PERMQy(map, dest, src)      _PERMQy(map, dest, src)
-
-
-#define S_TMPy(dest, src, bits, temp) _S_TEMPy(dest, src, bits, temp);
-#define AVX2_S(dest, src, bits)      S_TMPy(dest, src, bits, S_TEMPy)
-#define AVX2_R(dest, src, bits)      _AVX2_R(dest, src, bits)
-
-
-#define    FEEDBACK1_to_W_I_2(w_i_2, w_i)    MOVE_128y(YMM_TEMP0, w_i, w_i, 0x08) ;\
-                                       BLENDy(0xf0, w_i_2, YMM_TEMP0, w_i_2) ; 
-
-#define    MOVE_W_to_W_I_15(w_i_15, w_0, w_4)  BLENDQy(0x1, w_i_15, w_4, w_0) ;\
-                                       PERMQy(0x39, w_i_15, w_i_15) ;
-#define    MOVE_W_to_W_I_7(w_i_7,  w_8, w_12)  BLENDQy(0x1, w_i_7, w_12, w_8) ;\
-                                       PERMQy(0x39, w_i_7, w_i_7) ; 
-#define    MOVE_W_to_W_I_2(w_i_2,  w_12)       BLENDQy(0xc, w_i_2, w_12, w_i_2) ;\
-                                       PERMQy(0x0e, w_i_2, w_i_2) ;
-
-
-#define W_I_16y  ymm8
-#define W_I_15y  ymm9
-#define W_I_7y  ymm10
-#define W_I_2y  ymm11
-#define W_Iy    ymm12
-#define G_TEMPy     ymm13
-#define S_TEMPy     ymm14
-#define YMM_TEMP0  ymm15
-#define YMM_TEMP0x xmm15
-#define W_I_TEMPy   ymm7
-#define W_K_TEMPy   ymm15
-#define W_K_TEMPx  xmm15
-#define W_0y     ymm12
-#define W_4y     ymm4
-#define W_8y     ymm5
-#define W_12y    ymm6
-
-#define YMM_REGs
-/* Registers are saved in Sha512Update/Final */
-                 /* "%ymm7","%ymm8","%ymm9","%ymm10","%ymm11","%ymm12","%ymm13","%ymm14","%ymm15"*/
-
-#define MOVE_15_to_16(w_i_16, w_i_15, w_i_7)\
-    __asm__ volatile("vperm2i128  $0x01, %%"#w_i_15", %%"#w_i_15", %%"#w_i_15" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x08, %%"#w_i_15", %%"#w_i_7", %%"#w_i_16" ":::YMM_REGs) ;\
-    __asm__ volatile("vperm2i128 $0x01,  %%"#w_i_7",  %%"#w_i_7", %%"#w_i_15" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x80, %%"#w_i_15", %%"#w_i_16", %%"#w_i_16" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x93,  %%"#w_i_16", %%"#w_i_16" ":::YMM_REGs) ;\
-
-#define MOVE_7_to_15(w_i_15, w_i_7)\
-    __asm__ volatile("vmovdqu                 %%"#w_i_7",  %%"#w_i_15" ":::YMM_REGs) ;\
-
-#define MOVE_I_to_7(w_i_7, w_i)\
-    __asm__ volatile("vperm2i128 $0x01,       %%"#w_i",   %%"#w_i",   %%"#w_i_7" ":::YMM_REGs) ;\
-    __asm__ volatile("vpblendd    $0x01,       %%"#w_i_7",   %%"#w_i", %%"#w_i_7" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x39, %%"#w_i_7", %%"#w_i_7" ":::YMM_REGs) ;\
-
-#define MOVE_I_to_2(w_i_2, w_i)\
-    __asm__ volatile("vperm2i128 $0x01,       %%"#w_i", %%"#w_i", %%"#w_i_2" ":::YMM_REGs) ;\
-    __asm__ volatile("vpshufd    $0x0e, %%"#w_i_2", %%"#w_i_2" ":::YMM_REGs) ;\
-
-#endif
+        sha512->buffLen = 0;
+    }
+    XMEMSET(&local[sha512->buffLen], 0, WC_SHA512_PAD_SIZE - sha512->buffLen);
 
+    /* put lengths in bits */
+    sha512->hiLen = (sha512->loLen >> (8 * sizeof(sha512->loLen) - 3)) +
+                                                         (sha512->hiLen << 3);
+    sha512->loLen = sha512->loLen << 3;
 
-/***  Transform Body ***/
-#if defined(HAVE_INTEL_AVX1)
+    /* store lengths */
+#if defined(LITTLE_ENDIAN_ORDER)
+    #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+        if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags))
+    #endif
+    #if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+         defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+            ByteReverseWords64(sha512->buffer, sha512->buffer, WC_SHA512_PAD_SIZE);
+    #endif
+#endif
+    /* ! length ordering dependent on digest endian type ! */
 
-static int Transform_AVX1(Sha512* sha512)
-{
-    const word64* K = K512;
-    word64 W_X[16+4];
-    word32 j;
-    word64 T[8];
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha512->digest, sizeof(T));
+#if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+     defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2] = sha512->hiLen;
+    sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 1] = sha512->loLen;
+#endif
 
-    W_from_buff(W_X, sha512->buffer) ;
-    for (j = 0; j < 80; j += 16) {
-        Rx_1( 0); Block_0_1(W_X); Rx_2( 0); Block_0_2(W_X); Rx_3( 0); Block_0_3(); 
-        Rx_1( 1); Block_0_4(); Rx_2( 1); Block_0_5(); Rx_3( 1); Block_0_6(W_X); 
-        Rx_1( 2); Block_0_7(W_X); Rx_2( 2); Block_0_8(W_X); Rx_3( 2); Block_0_9();
-        Rx_1( 3); Block_0_10();Rx_2( 3); Block_0_11();Rx_3( 3); Block_0_12(W_X);   
-        
-        Rx_1( 4); Block_4_1(W_X); Rx_2( 4); Block_4_2(W_X); Rx_3( 4); Block_4_3(); 
-        Rx_1( 5); Block_4_4(); Rx_2( 5); Block_4_5(); Rx_3( 5); Block_4_6(W_X); 
-        Rx_1( 6); Block_4_7(W_X); Rx_2( 6); Block_4_8(W_X); Rx_3( 6); Block_4_9();
-        Rx_1( 7); Block_4_10();Rx_2( 7); Block_4_11();Rx_3( 7); Block_4_12(W_X);   
-        
-        Rx_1( 8); Block_8_1(W_X); Rx_2( 8); Block_8_2(W_X); Rx_3( 8); Block_8_3(); 
-        Rx_1( 9); Block_8_4(); Rx_2( 9); Block_8_5(); Rx_3( 9); Block_8_6(W_X); 
-        Rx_1(10); Block_8_7(W_X); Rx_2(10); Block_8_8(W_X); Rx_3(10); Block_8_9();
-        Rx_1(11); Block_8_10();Rx_2(11); Block_8_11();Rx_3(11); Block_8_12(W_X);   
-        
-        Rx_1(12); Block_12_1(W_X); Rx_2(12); Block_12_2(W_X); Rx_3(12); Block_12_3(); 
-        Rx_1(13); Block_12_4(); Rx_2(13); Block_12_5(); Rx_3(13); Block_12_6(W_X); 
-        Rx_1(14); Block_12_7(W_X); Rx_2(14); Block_12_8(W_X); Rx_3(14); Block_12_9();
-        Rx_1(15); Block_12_10();Rx_2(15); Block_12_11();Rx_3(15); Block_12_12(W_X);     
+#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    if (IS_INTEL_AVX1(intel_flags) || IS_INTEL_AVX2(intel_flags))
+        ByteReverseWords64(&(sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
+                           &(sha512->buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64) - 2]),
+                           WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE);
+#endif
+#if !defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
+    defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    ret = Transform_Sha512(sha512);
+#else
+    if(sha512->ctx.mode == ESP32_SHA_INIT) {
+        esp_sha_try_hw_lock(&sha512->ctx);
     }
+    ret = esp_sha512_digest_process(sha512, 1);
+    if(ret == 0 && sha512->ctx.mode == ESP32_SHA_SW) {
+        ret = Transform_Sha512(sha512);
+    }
+#endif
+    if (ret != 0)
+        return ret;
 
-    /* Add the working vars back into digest */
-
-    sha512->digest[0] += a(0);
-    sha512->digest[1] += b(0);
-    sha512->digest[2] += c(0);
-    sha512->digest[3] += d(0);
-    sha512->digest[4] += e(0);
-    sha512->digest[5] += f(0);
-    sha512->digest[6] += g(0);
-    sha512->digest[7] += h(0);
-
-    /* Wipe variables */
-    #if !defined(HAVE_INTEL_AVX1)&&!defined(HAVE_INTEL_AVX2)
-    XMEMSET(W_X, 0, sizeof(word64) * 16);
+    #ifdef LITTLE_ENDIAN_ORDER
+        ByteReverseWords64(sha512->digest, sha512->digest, WC_SHA512_DIGEST_SIZE);
     #endif
-    XMEMSET(T, 0, sizeof(T));
 
     return 0;
 }
 
-#endif
-
-#if defined(HAVE_INTEL_AVX2) && defined(HAVE_INTEL_AVX1) && defined(HAVE_INTEL_RORX)
+#ifdef WOLFSSL_SHA512
 
-static int Transform_AVX1_RORX(Sha512* sha512)
+int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
 {
-    const word64* K = K512;
-    word64 W_X[16+4];
-    word32 j;
-    word64 T[8];
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha512->digest, sizeof(T));
+#ifdef LITTLE_ENDIAN_ORDER
+    word64 digest[WC_SHA512_DIGEST_SIZE / sizeof(word64)];
+#endif
 
-    W_from_buff(W_X, sha512->buffer) ;
-    for (j = 0; j < 80; j += 16) {
-        Rx_RORX_1( 0); Block_0_1(W_X); Rx_RORX_2( 0); Block_0_2(W_X); 
-                                    Rx_RORX_3( 0); Block_0_3(); 
-        Rx_RORX_1( 1); Block_0_4(); Rx_RORX_2( 1); Block_0_5(); 
-                                    Rx_RORX_3( 1); Block_0_6(W_X); 
-        Rx_RORX_1( 2); Block_0_7(W_X); Rx_RORX_2( 2); Block_0_8(W_X); 
-                                    Rx_RORX_3( 2); Block_0_9();
-        Rx_RORX_1( 3); Block_0_10();Rx_RORX_2( 3); Block_0_11();
-                                    Rx_RORX_3( 3); Block_0_12(W_X);   
-        
-        Rx_RORX_1( 4); Block_4_1(W_X); Rx_RORX_2( 4); Block_4_2(W_X); 
-                                    Rx_RORX_3( 4); Block_4_3(); 
-        Rx_RORX_1( 5); Block_4_4(); Rx_RORX_2( 5); Block_4_5(); 
-                                    Rx_RORX_3( 5); Block_4_6(W_X); 
-        Rx_RORX_1( 6); Block_4_7(W_X); Rx_RORX_2( 6); Block_4_8(W_X); 
-                                    Rx_RORX_3( 6); Block_4_9();
-        Rx_RORX_1( 7); Block_4_10();Rx_RORX_2( 7); Block_4_11();
-                                    Rx_RORX_3( 7); Block_4_12(W_X);   
-        
-        Rx_RORX_1( 8); Block_8_1(W_X); Rx_RORX_2( 8); Block_8_2(W_X); 
-                                    Rx_RORX_3( 8); Block_8_3(); 
-        Rx_RORX_1( 9); Block_8_4(); Rx_RORX_2( 9); Block_8_5(); 
-                                    Rx_RORX_3( 9); Block_8_6(W_X); 
-        Rx_RORX_1(10); Block_8_7(W_X); Rx_RORX_2(10); Block_8_8(W_X); 
-                                    Rx_RORX_3(10); Block_8_9();
-        Rx_RORX_1(11); Block_8_10();Rx_RORX_2(11); Block_8_11();
-                                    Rx_RORX_3(11); Block_8_12(W_X);   
-        
-        Rx_RORX_1(12); Block_12_1(W_X); Rx_RORX_2(12); Block_12_2(W_X); 
-                                     Rx_RORX_3(12); Block_12_3(); 
-        Rx_RORX_1(13); Block_12_4(); Rx_RORX_2(13); Block_12_5(); 
-                                     Rx_RORX_3(13); Block_12_6(W_X); 
-        Rx_RORX_1(14); Block_12_7(W_X); Rx_RORX_2(14); Block_12_8(W_X); 
-                                     Rx_RORX_3(14); Block_12_9();
-        Rx_RORX_1(15); Block_12_10();Rx_RORX_2(15); Block_12_11();
-                                     Rx_RORX_3(15); Block_12_12(W_X);     
+    if (sha512 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
     }
-    /* Add the working vars back into digest */
 
-    sha512->digest[0] += a(0);
-    sha512->digest[1] += b(0);
-    sha512->digest[2] += c(0);
-    sha512->digest[3] += d(0);
-    sha512->digest[4] += e(0);
-    sha512->digest[5] += f(0);
-    sha512->digest[6] += g(0);
-    sha512->digest[7] += h(0);
-
-    /* Wipe variables */
-    #if !defined(HAVE_INTEL_AVX1)&&!defined(HAVE_INTEL_AVX2)
-    XMEMSET(W_X, 0, sizeof(word64) * 16);
-    #endif
-    XMEMSET(T, 0, sizeof(T));
+#ifdef LITTLE_ENDIAN_ORDER
+    ByteReverseWords64((word64*)digest, (word64*)sha512->digest,
+                                                         WC_SHA512_DIGEST_SIZE);
+    XMEMCPY(hash, digest, WC_SHA512_DIGEST_SIZE);
+#else
+    XMEMCPY(hash, sha512->digest, WC_SHA512_DIGEST_SIZE);
+#endif
 
     return 0;
 }
-#endif
-
-#if defined(HAVE_INTEL_AVX2)
 
-#define s0_1y(dest, src)      AVX2_S(dest, src, 1); 
-#define s0_2y(dest, src)      AVX2_S(G_TEMPy, src, 8); XORy(dest, G_TEMPy, dest) ; 
-#define s0_3y(dest, src)      AVX2_R(G_TEMPy, src, 7);  XORy(dest, G_TEMPy, dest) ;
-
-#define s1_1y(dest, src)      AVX2_S(dest, src, 19);
-#define s1_2y(dest, src)      AVX2_S(G_TEMPy, src, 61); XORy(dest, G_TEMPy, dest) ; 
-#define s1_3y(dest, src)      AVX2_R(G_TEMPy, src, 6); XORy(dest, G_TEMPy, dest) ;
-
-#define s0_y(dest, src)       s0_1y(dest, src) ; s0_2y(dest, src) ; s0_3y(dest, src)
-#define s1_y(dest, src)       s1_1y(dest, src) ; s1_2y(dest, src) ; s1_3y(dest, src)
-
-#define blk384(i) (W[i] = sha384->buffer[i])
-
-
-#define Block_Y_xx_1(i, w_0, w_4, w_8, w_12)\
-    MOVE_W_to_W_I_15(W_I_15y, w_0, w_4) ;\
-    MOVE_W_to_W_I_7 (W_I_7y,  w_8, w_12) ;\
-    MOVE_W_to_W_I_2 (W_I_2y,  w_12) ;\
-
-#define Block_Y_xx_2(i, w_0, w_4, w_8, w_12)\
-    s0_1y (YMM_TEMP0, W_I_15y) ;\
-
-#define Block_Y_xx_3(i, w_0, w_4, w_8, w_12)\
-    s0_2y (YMM_TEMP0, W_I_15y) ;\
-
-#define Block_Y_xx_4(i, w_0, w_4, w_8, w_12)\
-    s0_3y (YMM_TEMP0, W_I_15y) ;\
-
-#define Block_Y_xx_5(i, w_0, w_4, w_8, w_12)\
-    ADDy(W_I_TEMPy, w_0, YMM_TEMP0) ;\
-
-#define Block_Y_xx_6(i, w_0, w_4, w_8, w_12)\
-    ADDy(W_I_TEMPy, W_I_TEMPy, W_I_7y) ;\
-    s1_1y (YMM_TEMP0, W_I_2y) ;\
-
-#define Block_Y_xx_7(i, w_0, w_4, w_8, w_12)\
-    s1_2y (YMM_TEMP0, W_I_2y) ;\
-
-#define Block_Y_xx_8(i, w_0, w_4, w_8, w_12)\
-    s1_3y (YMM_TEMP0, W_I_2y) ;\
-    ADDy(w_0, W_I_TEMPy, YMM_TEMP0) ;\
-
-#define Block_Y_xx_9(i, w_0, w_4, w_8, w_12)\
-    FEEDBACK1_to_W_I_2(W_I_2y, w_0) ;\
-
-#define Block_Y_xx_10(i, w_0, w_4, w_8, w_12) \
-    s1_1y (YMM_TEMP0, W_I_2y) ;\
-
-#define Block_Y_xx_11(i, w_0, w_4, w_8, w_12) \
-    s1_2y (YMM_TEMP0, W_I_2y) ;\
-
-#define Block_Y_xx_12(i, w_0, w_4, w_8, w_12)\
-    s1_3y (YMM_TEMP0, W_I_2y) ;\
-    ADDy(w_0, W_I_TEMPy, YMM_TEMP0) ;\
-    MOVE_to_MEMy(w,0, w_4) ;\
-
-
-static inline void Block_Y_0_1(void) { Block_Y_xx_1(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_2(void) { Block_Y_xx_2(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_3(void) { Block_Y_xx_3(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_4(void) { Block_Y_xx_4(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_5(void) { Block_Y_xx_5(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_6(void) { Block_Y_xx_6(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_7(void) { Block_Y_xx_7(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_8(void) { Block_Y_xx_8(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_9(void) { Block_Y_xx_9(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_10(void){ Block_Y_xx_10(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_11(void){ Block_Y_xx_11(0, W_0y, W_4y, W_8y, W_12y) ; }
-static inline void Block_Y_0_12(word64 *w){ Block_Y_xx_12(0, W_0y, W_4y, W_8y, W_12y) ; }
-
-static inline void Block_Y_4_1(void) { Block_Y_xx_1(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_2(void) { Block_Y_xx_2(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_3(void) { Block_Y_xx_3(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_4(void) { Block_Y_xx_4(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_5(void) { Block_Y_xx_5(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_6(void) { Block_Y_xx_6(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_7(void) { Block_Y_xx_7(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_8(void) { Block_Y_xx_8(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_9(void) { Block_Y_xx_9(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_10(void) { Block_Y_xx_10(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_11(void) { Block_Y_xx_11(4, W_4y, W_8y, W_12y, W_0y) ; }
-static inline void Block_Y_4_12(word64 *w) { Block_Y_xx_12(4, W_4y, W_8y, W_12y, W_0y) ; }
-
-static inline void Block_Y_8_1(void) { Block_Y_xx_1(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_2(void) { Block_Y_xx_2(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_3(void) { Block_Y_xx_3(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_4(void) { Block_Y_xx_4(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_5(void) { Block_Y_xx_5(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_6(void) { Block_Y_xx_6(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_7(void) { Block_Y_xx_7(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_8(void) { Block_Y_xx_8(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_9(void) { Block_Y_xx_9(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_10(void) { Block_Y_xx_10(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_11(void) { Block_Y_xx_11(8, W_8y, W_12y, W_0y, W_4y) ; }
-static inline void Block_Y_8_12(word64 *w) { Block_Y_xx_12(8, W_8y, W_12y, W_0y, W_4y) ; }
-
-static inline void Block_Y_12_1(void) { Block_Y_xx_1(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_2(void) { Block_Y_xx_2(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_3(void) { Block_Y_xx_3(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_4(void) { Block_Y_xx_4(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_5(void) { Block_Y_xx_5(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_6(void) { Block_Y_xx_6(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_7(void) { Block_Y_xx_7(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_8(void) { Block_Y_xx_8(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_9(void) { Block_Y_xx_9(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_10(void) { Block_Y_xx_10(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_11(void) { Block_Y_xx_11(12, W_12y, W_0y, W_4y, W_8y) ; }
-static inline void Block_Y_12_12(word64 *w) { Block_Y_xx_12(12, W_12y, W_0y, W_4y, W_8y) ; }
-
-
-static int Transform_AVX2(Sha512* sha512)
+int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
 {
-    const word64* K = K512;
-    word64 w[4] ;
-    word32 j /*, k*/;
-    word64 T[8];
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha512->digest, sizeof(T));
+    int ret;
 
-    W_from_buff_Y(sha512->buffer) ;
-    MOVE_to_MEMy(w,0, W_0y) ; 
-    for (j = 0; j < 80; j += 16) {
-        Ry_1( 0, w[0]); Block_Y_0_1(); Ry_2( 0, w[0]); Block_Y_0_2(); 
-                                       Ry_3( 0, w[0]); Block_Y_0_3(); 
-        Ry_1( 1, w[1]); Block_Y_0_4(); Ry_2( 1, w[1]); Block_Y_0_5(); 
-                                       Ry_3( 1, w[1]); Block_Y_0_6();  
-        Ry_1( 2, w[2]); Block_Y_0_7(); Ry_2( 2, w[2]); Block_Y_0_8(); 
-                                       Ry_3( 2, w[2]); Block_Y_0_9();
-        Ry_1( 3, w[3]); Block_Y_0_10();Ry_2( 3, w[3]); Block_Y_0_11();
-                                       Ry_3( 3, w[3]); Block_Y_0_12(w);
-        
-        Ry_1( 4, w[0]); Block_Y_4_1(); Ry_2( 4, w[0]); Block_Y_4_2(); 
-                                       Ry_3( 4, w[0]); Block_Y_4_3(); 
-        Ry_1( 5, w[1]); Block_Y_4_4(); Ry_2( 5, w[1]); Block_Y_4_5(); 
-                                       Ry_3( 5, w[1]); Block_Y_4_6();
-        Ry_1( 6, w[2]); Block_Y_4_7(); Ry_2( 6, w[2]); Block_Y_4_8(); 
-                                       Ry_3( 6, w[2]); Block_Y_4_9();
-        Ry_1( 7, w[3]); Block_Y_4_10(); Ry_2( 7, w[3]);Block_Y_4_11(); 
-                                        Ry_3( 7, w[3]);Block_Y_4_12(w);  
-        
-        Ry_1( 8, w[0]); Block_Y_8_1(); Ry_2( 8, w[0]); Block_Y_8_2(); 
-                                       Ry_3( 8, w[0]); Block_Y_8_3();
-        Ry_1( 9, w[1]); Block_Y_8_4(); Ry_2( 9, w[1]); Block_Y_8_5(); 
-                                       Ry_3( 9, w[1]); Block_Y_8_6();
-        Ry_1(10, w[2]); Block_Y_8_7(); Ry_2(10, w[2]); Block_Y_8_8(); 
-                                       Ry_3(10, w[2]); Block_Y_8_9(); 
-        Ry_1(11, w[3]); Block_Y_8_10();Ry_2(11, w[3]); Block_Y_8_11();
-                                       Ry_3(11, w[3]); Block_Y_8_12(w);
-                 
-        Ry_1(12, w[0]); Block_Y_12_1(); Ry_2(12, w[0]); Block_Y_12_2(); 
-                                        Ry_3(12, w[0]); Block_Y_12_3();
-        Ry_1(13, w[1]); Block_Y_12_4(); Ry_2(13, w[1]); Block_Y_12_5(); 
-                                        Ry_3(13, w[1]); Block_Y_12_6(); 
-        Ry_1(14, w[2]); Block_Y_12_7(); Ry_2(14, w[2]); Block_Y_12_8(); 
-                                        Ry_3(14, w[2]); Block_Y_12_9();
-        Ry_1(15, w[3]); Block_Y_12_10();Ry_2(15, w[3]); Block_Y_12_11();
-                                        Ry_3(15, w[3]);Block_Y_12_12(w);
+    if (sha512 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
     }
- 
-    /* Add the working vars back into digest */
-
-    sha512->digest[0] += a(0);
-    sha512->digest[1] += b(0);
-    sha512->digest[2] += c(0);
-    sha512->digest[3] += d(0);
-    sha512->digest[4] += e(0);
-    sha512->digest[5] += f(0);
-    sha512->digest[6] += g(0);
-    sha512->digest[7] += h(0);
 
-    /* Wipe variables */
-    #if !defined(HAVE_INTEL_AVX1)&&!defined(HAVE_INTEL_AVX2)
-    XMEMSET(W, 0, sizeof(word64) * 16);
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
+    if (sha512->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA512) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha512(&sha512->asyncDev, hash, NULL,
+                                            WC_SHA512_DIGEST_SIZE);
     #endif
-    XMEMSET(T, 0, sizeof(T));
-
-    return 0;
-}
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-#endif
+    ret = Sha512Final(sha512);
+    if (ret != 0)
+        return ret;
 
+    XMEMCPY(hash, sha512->digest, WC_SHA512_DIGEST_SIZE);
 
-#ifdef WOLFSSL_SHA384
+    return InitSha512(sha512);  /* reset state */
+}
 
-#if defined(HAVE_INTEL_AVX1) ||  defined(HAVE_INTEL_AVX2) 
+int wc_InitSha512(wc_Sha512* sha512)
+{
+    return wc_InitSha512_ex(sha512, NULL, INVALID_DEVID);
+}
 
-#if defined(HAVE_INTEL_AVX1)
-static int Transform384_AVX1(Sha384 *sha384) ;
-#endif
-#if defined(HAVE_INTEL_AVX2)
-static int Transform384_AVX2(Sha384 *sha384) ; 
-#endif
+void wc_Sha512Free(wc_Sha512* sha512)
+{
+    if (sha512 == NULL)
+        return;
 
-#if defined(HAVE_INTEL_AVX1) &&  defined(HAVE_INTEL_AVX2) &&defined(HAVE_INTEL_RORX)
-static int Transform384_AVX1_RORX(Sha384 *sha384) ; 
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    if (sha512->W != NULL) {
+        XFREE(sha512->W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        sha512->W = NULL;
+    }
 #endif
 
-static int _Transform384(Sha384 *sha384) ; 
-static int (*Transform384_p)(Sha384* sha384) = _Transform384 ;
-
-#define Transform384(sha384) (*Transform384_p)(sha384)
-static void set_Transform384(void) {
-     if(set_cpuid_flags(CHECK_SHA384))return ;
-
-#if defined(HAVE_INTEL_AVX1) && !defined(HAVE_INTEL_AVX2)
-     Transform384_p = ((IS_INTEL_AVX1) ? Transform384_AVX1 : _Transform384) ;
-#elif defined(HAVE_INTEL_AVX2)
-     #if defined(HAVE_INTEL_AVX1) && defined(HAVE_INTEL_RORX)
-     if(IS_INTEL_AVX2 && IS_INTEL_BMI2) { Transform384_p = Transform384_AVX1_RORX ; return ; }
-     #endif
-     if(IS_INTEL_AVX2) { Transform384_p = Transform384_AVX2 ; return ; }
-     #if defined(HAVE_INTEL_AVX1)
-     Transform384_p = ((IS_INTEL_AVX1) ? Transform384_AVX1 : _Transform384) ;
-     #endif
-#else
-     Transform384_p = ((IS_INTEL_AVX1) ? Transform384_AVX1 : _Transform384) ;
-#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA512)
+    wolfAsync_DevCtxFree(&sha512->asyncDev, WOLFSSL_ASYNC_MARKER_SHA512);
+#endif /* WOLFSSL_ASYNC_CRYPT */
 }
 
+#endif /* WOLFSSL_SHA512 */
+
+/* -------------------------------------------------------------------------- */
+/* SHA384 */
+/* -------------------------------------------------------------------------- */
+#ifdef WOLFSSL_SHA384
+
+#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_HASH)
+    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
+
 #else
-   #define Transform384(sha512) _Transform384(sha512)
-#endif
 
-int wc_InitSha384(Sha384* sha384)
+static int InitSha384(wc_Sha384* sha384)
 {
+    if (sha384 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     sha384->digest[0] = W64LIT(0xcbbb9d5dc1059ed8);
     sha384->digest[1] = W64LIT(0x629a292a367cd507);
     sha384->digest[2] = W64LIT(0x9159015a3070dd17);
@@ -1386,420 +923,303 @@ int wc_InitSha384(Sha384* sha384)
     sha384->loLen   = 0;
     sha384->hiLen   = 0;
 
-#if defined(HAVE_INTEL_AVX1)|| defined(HAVE_INTEL_AVX2)
-    set_Transform384() ;
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    sha384->ctx.sha_type = SHA2_384;
+     /* always start firstblock = 1 when using hw engine */
+    sha384->ctx.isfirstblock = 1;
+    if(sha384->ctx.mode == ESP32_SHA_HW) {
+        /* release hw */
+        esp_sha_hw_unlock();
+    }
+    /* always set mode as INIT
+    *  whether using HW or SW is determined at first call of update()
+    */
+    sha384->ctx.mode = ESP32_SHA_INIT;
+
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+    sha384->flags = 0;
 #endif
-    
+
     return 0;
 }
 
-static int _Transform384(Sha384* sha384)
+int wc_Sha384Update(wc_Sha384* sha384, const byte* data, word32 len)
 {
-    const word64* K = K512;
+    if (sha384 == NULL || (data == NULL && len > 0)) {
+        return BAD_FUNC_ARG;
+    }
 
-    word32 j;
-    word64 T[8];
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
+    if (sha384->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA384) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha384(&sha384->asyncDev, NULL, data, len);
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-#ifdef WOLFSSL_SMALL_STACK
-    word64* W;
+    return Sha512Update((wc_Sha512*)sha384, data, len);
+}
 
-    W = (word64*) XMALLOC(sizeof(word64) * 16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    if (W == NULL)
-        return MEMORY_E;
-#else
-    word64 W[16];
-#endif
 
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha384->digest, sizeof(T));
+int wc_Sha384FinalRaw(wc_Sha384* sha384, byte* hash)
+{
+#ifdef LITTLE_ENDIAN_ORDER
+    word64 digest[WC_SHA384_DIGEST_SIZE / sizeof(word64)];
+#endif
 
-#ifdef USE_SLOW_SHA2
-    /* over twice as small, but 50% slower */
-    /* 80 operations, not unrolled */
-    for (j = 0; j < 80; j += 16) {
-        int m;
-        for (m = 0; m < 16; m++) {  /* braces needed for macros {} */
-            R2(m);
-        }
+    if (sha384 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
     }
-#else
-    /* 80 operations, partially loop unrolled */
-    for (j = 0; j < 80; j += 16) {
-        R2( 0); R2( 1); R2( 2); R2( 3);
-        R2( 4); R2( 5); R2( 6); R2( 7);
-        R2( 8); R2( 9); R2(10); R2(11);
-        R2(12); R2(13); R2(14); R2(15);
-    }
-#endif /* USE_SLOW_SHA2 */
 
-    /* Add the working vars back into digest */
-
-    sha384->digest[0] += a(0);
-    sha384->digest[1] += b(0);
-    sha384->digest[2] += c(0);
-    sha384->digest[3] += d(0);
-    sha384->digest[4] += e(0);
-    sha384->digest[5] += f(0);
-    sha384->digest[6] += g(0);
-    sha384->digest[7] += h(0);
-
-    /* Wipe variables */
-    XMEMSET(W, 0, sizeof(word64) * 16);
-    XMEMSET(T, 0, sizeof(T));
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef LITTLE_ENDIAN_ORDER
+    ByteReverseWords64((word64*)digest, (word64*)sha384->digest,
+                                                         WC_SHA384_DIGEST_SIZE);
+    XMEMCPY(hash, digest, WC_SHA384_DIGEST_SIZE);
+#else
+    XMEMCPY(hash, sha384->digest, WC_SHA384_DIGEST_SIZE);
 #endif
 
     return 0;
 }
 
-static INLINE void AddLength384(Sha384* sha384, word32 len)
-{
-    word32 tmp = sha384->loLen;
-    if ( (sha384->loLen += len) < tmp)
-        sha384->hiLen++;                       /* carry low to high */
-}
-
-int wc_Sha384Update(Sha384* sha384, const byte* data, word32 len)
+int wc_Sha384Final(wc_Sha384* sha384, byte* hash)
 {
-    /* do block size increments */
-    byte* local = (byte*)sha384->buffer;
-	
-    SAVE_XMM_YMM ; /* for Intel AVX */
-    
-    while (len) {
-        word32 add = min(len, SHA384_BLOCK_SIZE - sha384->buffLen);
-        XMEMCPY(&local[sha384->buffLen], data, add);
-
-        sha384->buffLen += add;
-        data         += add;
-        len          -= add;
-
-        if (sha384->buffLen == SHA384_BLOCK_SIZE) {
-            int ret;
-
-            #if defined(LITTLE_ENDIAN_ORDER)
-                #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-                if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) 
-                #endif
-                    ByteReverseWords64(sha384->buffer, sha384->buffer,
-                                   SHA384_BLOCK_SIZE);
-            #endif
-            ret = Transform384(sha384);
-            if (ret != 0)
-                return ret;
+    int ret;
 
-            AddLength384(sha384, SHA384_BLOCK_SIZE);
-            sha384->buffLen = 0;
-        }
+    if (sha384 == NULL || hash == NULL) {
+        return BAD_FUNC_ARG;
     }
-    return 0;
-}
 
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
+    if (sha384->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA384) {
+    #if defined(HAVE_INTEL_QA)
+        return IntelQaSymSha384(&sha384->asyncDev, hash, NULL,
+                                            WC_SHA384_DIGEST_SIZE);
+    #endif
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-int wc_Sha384Final(Sha384* sha384, byte* hash)
-{
-    byte* local = (byte*)sha384->buffer;
-    int ret;
+    ret = Sha512Final((wc_Sha512*)sha384);
+    if (ret != 0)
+        return ret;
 
-    SAVE_XMM_YMM ; /* for Intel AVX */
-    AddLength384(sha384, sha384->buffLen);              /* before adding pads */
+    XMEMCPY(hash, sha384->digest, WC_SHA384_DIGEST_SIZE);
 
-    local[sha384->buffLen++] = 0x80;  /* add 1 */
+    return InitSha384(sha384);  /* reset state */
+}
 
-    /* pad with zeros */
-    if (sha384->buffLen > SHA384_PAD_SIZE) {
-        XMEMSET(&local[sha384->buffLen], 0, SHA384_BLOCK_SIZE -sha384->buffLen);
-        sha384->buffLen += SHA384_BLOCK_SIZE - sha384->buffLen;
-
-        #if defined(LITTLE_ENDIAN_ORDER)
-            #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-            if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) 
-            #endif
-                 ByteReverseWords64(sha384->buffer, sha384->buffer,
-                               SHA384_BLOCK_SIZE);
-        #endif
-        ret = Transform384(sha384);
-        if (ret !=  0)
-            return ret;
+int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
+{
+    int ret;
 
-        sha384->buffLen = 0;
+    if (sha384 == NULL) {
+        return BAD_FUNC_ARG;
     }
-    XMEMSET(&local[sha384->buffLen], 0, SHA384_PAD_SIZE - sha384->buffLen);
-   
-    /* put lengths in bits */
-    sha384->hiLen = (sha384->loLen >> (8*sizeof(sha384->loLen) - 3)) + 
-                 (sha384->hiLen << 3);
-    sha384->loLen = sha384->loLen << 3;
 
-    /* store lengths */
-    #if defined(LITTLE_ENDIAN_ORDER)
-        #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-        if(!IS_INTEL_AVX1 && !IS_INTEL_AVX2) 
-        #endif
-             ByteReverseWords64(sha384->buffer, sha384->buffer,
-                           SHA384_BLOCK_SIZE);
-    #endif
-    /* ! length ordering dependent on digest endian type ! */
-    sha384->buffer[SHA384_BLOCK_SIZE / sizeof(word64) - 2] = sha384->hiLen;
-    sha384->buffer[SHA384_BLOCK_SIZE / sizeof(word64) - 1] = sha384->loLen;
-    #if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
-    if(IS_INTEL_AVX1 || IS_INTEL_AVX2)
-        ByteReverseWords64(&(sha384->buffer[SHA384_BLOCK_SIZE / sizeof(word64) - 2]),
-                           &(sha384->buffer[SHA384_BLOCK_SIZE / sizeof(word64) - 2]),
-                           SHA384_BLOCK_SIZE - SHA384_PAD_SIZE);
-    #endif
-    ret = Transform384(sha384);
+    sha384->heap = heap;
+    ret = InitSha384(sha384);
     if (ret != 0)
         return ret;
 
-    #ifdef LITTLE_ENDIAN_ORDER
-        ByteReverseWords64(sha384->digest, sha384->digest, SHA384_DIGEST_SIZE);
-    #endif
-    XMEMCPY(hash, sha384->digest, SHA384_DIGEST_SIZE);
+#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2)
+    Sha512_SetTransform();
+#endif
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    sha384->W = NULL;
+#endif
+
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
+    ret = wolfAsync_DevCtxInit(&sha384->asyncDev, WOLFSSL_ASYNC_MARKER_SHA384,
+                                                           sha384->heap, devId);
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
 
-    return wc_InitSha384(sha384);  /* reset state */
+    return ret;
 }
 
+#endif /* WOLFSSL_IMX6_CAAM */
 
-int wc_Sha384Hash(const byte* data, word32 len, byte* hash)
+int wc_InitSha384(wc_Sha384* sha384)
 {
-    int ret = 0;
-#ifdef WOLFSSL_SMALL_STACK
-    Sha384* sha384;
-#else
-    Sha384 sha384[1];
-#endif
+    return wc_InitSha384_ex(sha384, NULL, INVALID_DEVID);
+}
 
-#ifdef WOLFSSL_SMALL_STACK
-    sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+void wc_Sha384Free(wc_Sha384* sha384)
+{
     if (sha384 == NULL)
-        return MEMORY_E;
-#endif
+        return;
 
-    if ((ret = wc_InitSha384(sha384)) != 0) {
-        WOLFSSL_MSG("InitSha384 failed");
-    }
-    else if ((ret = wc_Sha384Update(sha384, data, len)) != 0) {
-        WOLFSSL_MSG("Sha384Update failed");
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    if (sha384->W != NULL) {
+        XFREE(sha384->W, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        sha384->W = NULL;
     }
-    else if ((ret = wc_Sha384Final(sha384, hash)) != 0) {
-        WOLFSSL_MSG("Sha384Final failed");
-    }
-
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(sha384, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 
-    return ret;
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA384)
+    wolfAsync_DevCtxFree(&sha384->asyncDev, WOLFSSL_ASYNC_MARKER_SHA384);
+#endif /* WOLFSSL_ASYNC_CRYPT */
 }
 
-#if defined(HAVE_INTEL_AVX1)
- 
-static int Transform384_AVX1(Sha384* sha384)
-{
-    const word64* K = K512;
-    word64 W_X[16+4];
-    word32 j;
-    word64 T[8];
+#endif /* WOLFSSL_SHA384 */
 
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha384->digest, sizeof(T));
-    W_from_buff(W_X, sha384->buffer) ;
-    for (j = 0; j < 80; j += 16) {
-        Rx_1( 0); Block_0_1(W_X); Rx_2( 0); Block_0_2(W_X); Rx_3( 0); Block_0_3(); 
-        Rx_1( 1); Block_0_4(); Rx_2( 1); Block_0_5(); Rx_3( 1); Block_0_6(W_X); 
-        Rx_1( 2); Block_0_7(W_X); Rx_2( 2); Block_0_8(W_X); Rx_3( 2); Block_0_9();
-        Rx_1( 3); Block_0_10();Rx_2( 3); Block_0_11();Rx_3( 3); Block_0_12(W_X);   
-        
-        Rx_1( 4); Block_4_1(W_X); Rx_2( 4); Block_4_2(W_X); Rx_3( 4); Block_4_3(); 
-        Rx_1( 5); Block_4_4(); Rx_2( 5); Block_4_5(); Rx_3( 5); Block_4_6(W_X); 
-        Rx_1( 6); Block_4_7(W_X); Rx_2( 6); Block_4_8(W_X); Rx_3( 6); Block_4_9();
-        Rx_1( 7); Block_4_10();Rx_2( 7); Block_4_11();Rx_3( 7); Block_4_12(W_X);   
-        
-        Rx_1( 8); Block_8_1(W_X); Rx_2( 8); Block_8_2(W_X); Rx_3( 8); Block_8_3(); 
-        Rx_1( 9); Block_8_4(); Rx_2( 9); Block_8_5(); Rx_3( 9); Block_8_6(W_X); 
-        Rx_1(10); Block_8_7(W_X); Rx_2(10); Block_8_8(W_X); Rx_3(10); Block_8_9();
-        Rx_1(11); Block_8_10();Rx_2(11); Block_8_11();Rx_3(11); Block_8_12(W_X);   
-        
-        Rx_1(12); Block_12_1(W_X); Rx_2(12); Block_12_2(W_X); Rx_3(12); Block_12_3(); 
-        Rx_1(13); Block_12_4(); Rx_2(13); Block_12_5(); Rx_3(13); Block_12_6(W_X); 
-        Rx_1(14); Block_12_7(W_X); Rx_2(14); Block_12_8(W_X); Rx_3(14); Block_12_9();
-        Rx_1(15); Block_12_10();Rx_2(15); Block_12_11();Rx_3(15); Block_12_12(W_X);     
-    }
+#endif /* HAVE_FIPS */
 
-    /* Add the working vars back into digest */
+#ifdef WOLFSSL_SHA512
 
-    sha384->digest[0] += a(0);
-    sha384->digest[1] += b(0);
-    sha384->digest[2] += c(0);
-    sha384->digest[3] += d(0);
-    sha384->digest[4] += e(0);
-    sha384->digest[5] += f(0);
-    sha384->digest[6] += g(0);
-    sha384->digest[7] += h(0);
+int wc_Sha512GetHash(wc_Sha512* sha512, byte* hash)
+{
+    int ret;
+    wc_Sha512 tmpSha512;
 
-    /* Wipe variables */
-    #if !defined(HAVE_INTEL_AVX1)&&!defined(HAVE_INTEL_AVX2)
-    XMEMSET(W, 0, sizeof(word64) * 16);
-    #endif
-    XMEMSET(T, 0, sizeof(T));
+    if (sha512 == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
 
-    return 0;
-}
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    if(sha512->ctx.mode == ESP32_SHA_INIT) {
+        esp_sha_try_hw_lock(&sha512->ctx);
+    }
+    if(sha512->ctx.mode != ESP32_SHA_SW)
+       esp_sha512_digest_process(sha512, 0);
+#endif
 
+    ret = wc_Sha512Copy(sha512, &tmpSha512);
+    if (ret == 0) {
+        ret = wc_Sha512Final(&tmpSha512, hash);
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        sha512->ctx.mode = ESP32_SHA_SW;;
 #endif
+        wc_Sha512Free(&tmpSha512);
+    }
+    return ret;
+}
 
-#if defined(HAVE_INTEL_AVX1) && defined(HAVE_INTEL_AVX2) && defined(HAVE_INTEL_RORX)
-static int Transform384_AVX1_RORX(Sha384* sha384)
+int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
 {
-    const word64* K = K512;
-    word64 W_X[16+4];
-    word32 j;
-    word64 T[8];
-
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha384->digest, sizeof(T));
+    int ret = 0;
 
-    W_from_buff(W_X, sha384->buffer) ;
-    for (j = 0; j < 80; j += 16) {
-        Rx_RORX_1( 0); Block_0_1(W_X); Rx_RORX_2( 0); 
-            Block_0_2(W_X); Rx_RORX_3( 0); Block_0_3(); 
-        Rx_RORX_1( 1); Block_0_4(); Rx_RORX_2( 1); 
-            Block_0_5(); Rx_RORX_3( 1); Block_0_6(W_X); 
-        Rx_RORX_1( 2); Block_0_7(W_X); Rx_RORX_2( 2); 
-            Block_0_8(W_X); Rx_RORX_3( 2); Block_0_9();
-        Rx_RORX_1( 3); Block_0_10();Rx_RORX_2( 3); 
-            Block_0_11();Rx_RORX_3( 3); Block_0_12(W_X);   
-        
-        Rx_RORX_1( 4); Block_4_1(W_X); Rx_RORX_2( 4); 
-            Block_4_2(W_X); Rx_RORX_3( 4); Block_4_3(); 
-        Rx_RORX_1( 5); Block_4_4(); Rx_RORX_2( 5); 
-            Block_4_5(); Rx_RORX_3( 5); Block_4_6(W_X); 
-        Rx_RORX_1( 6); Block_4_7(W_X); Rx_RORX_2( 6); 
-            Block_4_8(W_X); Rx_RORX_3( 6); Block_4_9();
-        Rx_RORX_1( 7); Block_4_10();Rx_RORX_2( 7); 
-            Block_4_11();Rx_RORX_3( 7); Block_4_12(W_X);   
-        
-        Rx_RORX_1( 8); Block_8_1(W_X); Rx_RORX_2( 8); 
-            Block_8_2(W_X); Rx_RORX_3( 8); Block_8_3(); 
-        Rx_RORX_1( 9); Block_8_4(); Rx_RORX_2( 9); 
-            Block_8_5(); Rx_RORX_3( 9); Block_8_6(W_X); 
-        Rx_RORX_1(10); Block_8_7(W_X); Rx_RORX_2(10); 
-            Block_8_8(W_X); Rx_RORX_3(10); Block_8_9();
-        Rx_RORX_1(11); Block_8_10();Rx_RORX_2(11); 
-            Block_8_11();Rx_RORX_3(11); Block_8_12(W_X);   
-        
-        Rx_RORX_1(12); Block_12_1(W_X); Rx_RORX_2(12);
-            Block_12_2(W_X); Rx_RORX_3(12); Block_12_3(); 
-        Rx_RORX_1(13); Block_12_4(); Rx_RORX_2(13); 
-            Block_12_5(); Rx_RORX_3(13); Block_12_6(W_X); 
-        Rx_RORX_1(14); Block_12_7(W_X); Rx_RORX_2(14); 
-            Block_12_8(W_X); Rx_RORX_3(14); Block_12_9();
-        Rx_RORX_1(15); Block_12_10();Rx_RORX_2(15); 
-            Block_12_11();Rx_RORX_3(15); Block_12_12(W_X);     
-    }
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
 
-    /* Add the working vars back into digest */
+    XMEMCPY(dst, src, sizeof(wc_Sha512));
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    dst->W = NULL;
+#endif
 
-    sha384->digest[0] += a(0);
-    sha384->digest[1] += b(0);
-    sha384->digest[2] += c(0);
-    sha384->digest[3] += d(0);
-    sha384->digest[4] += e(0);
-    sha384->digest[5] += f(0);
-    sha384->digest[6] += g(0);
-    sha384->digest[7] += h(0);
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    dst->ctx.mode = src->ctx.mode;
+    dst->ctx.isfirstblock = src->ctx.isfirstblock;
+    dst->ctx.sha_type = src->ctx.sha_type;
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+     dst->flags |= WC_HASH_FLAG_ISCOPY;
+#endif
 
-    /* Wipe variables */
-    #if !defined(HAVE_INTEL_AVX1)&&!defined(HAVE_INTEL_AVX2)
-    XMEMSET(W, 0, sizeof(word64) * 16);
-    #endif
-    XMEMSET(T, 0, sizeof(T));
+    return ret;
+}
 
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_Sha512SetFlags(wc_Sha512* sha512, word32 flags)
+{
+    if (sha512) {
+        sha512->flags = flags;
+    }
     return 0;
 }
-#endif
-
-#if defined(HAVE_INTEL_AVX2)
-
-static int Transform384_AVX2(Sha384* sha384)
+int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags)
 {
-    const word64* K = K512;
-    word64 w[4] ;
-    word32 j;
-    word64 T[8];
-
-    /* Copy digest to working vars */
-    XMEMCPY(T, sha384->digest, sizeof(T));
+    if (sha512 && flags) {
+        *flags = sha512->flags;
+    }
+    return 0;
+}
+#endif
 
-    /* over twice as small, but 50% slower */
-    /* 80 operations, not unrolled */
+#endif /* WOLFSSL_SHA512 */
 
-    W_from_buff_Y(sha384->buffer) ;
+#ifdef WOLFSSL_SHA384
 
-    MOVE_to_MEMy(w,0, W_0y) ;
-    for (j = 0; j < 80; j += 16) {
-        Ry_1( 0, w[0]); Block_Y_0_1(); Ry_2( 0, w[0]); 
-            Block_Y_0_2(); Ry_3( 0, w[0]); Block_Y_0_3(); 
-        Ry_1( 1, w[1]); Block_Y_0_4(); Ry_2( 1, w[1]); 
-            Block_Y_0_5(); Ry_3( 1, w[1]); Block_Y_0_6();  
-        Ry_1( 2, w[2]); Block_Y_0_7(); Ry_2( 2, w[2]); 
-            Block_Y_0_8(); Ry_3( 2, w[2]); Block_Y_0_9();
-        Ry_1( 3, w[3]); Block_Y_0_10();Ry_2( 3, w[3]); 
-            Block_Y_0_11();Ry_3( 3, w[3]); Block_Y_0_12(w);
-        
-        Ry_1( 4, w[0]); Block_Y_4_1(); Ry_2( 4, w[0]); 
-            Block_Y_4_2(); Ry_3( 4, w[0]); Block_Y_4_3(); 
-        Ry_1( 5, w[1]); Block_Y_4_4(); Ry_2( 5, w[1]);   
-            Block_Y_4_5(); Ry_3( 5, w[1]); Block_Y_4_6();
-        Ry_1( 6, w[2]); Block_Y_4_7(); Ry_2( 6, w[2]); 
-            Block_Y_4_8(); Ry_3( 6, w[2]); Block_Y_4_9();
-        Ry_1( 7, w[3]); Block_Y_4_10(); Ry_2( 7, w[3]);
-            Block_Y_4_11(); Ry_3( 7, w[3]);Block_Y_4_12(w);  
-        
-        Ry_1( 8, w[0]); Block_Y_8_1(); Ry_2( 8, w[0]); 
-            Block_Y_8_2(); Ry_3( 8, w[0]); Block_Y_8_3();
-        Ry_1( 9, w[1]); Block_Y_8_4(); Ry_2( 9, w[1]);
-            Block_Y_8_5(); Ry_3( 9, w[1]); Block_Y_8_6();
-        Ry_1(10, w[2]); Block_Y_8_7(); Ry_2(10, w[2]); 
-            Block_Y_8_8(); Ry_3(10, w[2]); Block_Y_8_9(); 
-        Ry_1(11, w[3]); Block_Y_8_10();Ry_2(11, w[3]); 
-           Block_Y_8_11();Ry_3(11, w[3]); Block_Y_8_12(w);
-                 
-        Ry_1(12, w[0]); Block_Y_12_1(); Ry_2(12, w[0]); 
-            Block_Y_12_2(); Ry_3(12, w[0]); Block_Y_12_3();
-        Ry_1(13, w[1]); Block_Y_12_4(); Ry_2(13, w[1]); 
-            Block_Y_12_5(); Ry_3(13, w[1]); Block_Y_12_6(); 
-        Ry_1(14, w[2]); Block_Y_12_7(); Ry_2(14, w[2]); 
-            Block_Y_12_8(); Ry_3(14, w[2]); Block_Y_12_9();
-        Ry_1(15, w[3]); Block_Y_12_10();Ry_2(15, w[3]); 
-            Block_Y_12_11();Ry_3(15, w[3]); Block_Y_12_12(w);
+int wc_Sha384GetHash(wc_Sha384* sha384, byte* hash)
+{
+    int ret;
+    wc_Sha384 tmpSha384;
+
+    if (sha384 == NULL || hash == NULL)
+        return BAD_FUNC_ARG;
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    if(sha384->ctx.mode == ESP32_SHA_INIT) {
+        esp_sha_try_hw_lock(&sha384->ctx);
+    }
+    if(sha384->ctx.mode != ESP32_SHA_SW) {
+        esp_sha512_digest_process(sha384, 0);
     }
+#endif
+    ret = wc_Sha384Copy(sha384, &tmpSha384);
+    if (ret == 0) {
+        ret = wc_Sha384Final(&tmpSha384, hash);
+#if  defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+        sha384->ctx.mode = ESP32_SHA_SW;
+#endif
+        wc_Sha384Free(&tmpSha384);
+    }
+    return ret;
+}
+int wc_Sha384Copy(wc_Sha384* src, wc_Sha384* dst)
+{
+    int ret = 0;
 
-    /* Add the working vars back into digest */
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
 
-    sha384->digest[0] += a(0);
-    sha384->digest[1] += b(0);
-    sha384->digest[2] += c(0);
-    sha384->digest[3] += d(0);
-    sha384->digest[4] += e(0);
-    sha384->digest[5] += f(0);
-    sha384->digest[6] += g(0);
-    sha384->digest[7] += h(0);
+    XMEMCPY(dst, src, sizeof(wc_Sha384));
+#ifdef WOLFSSL_SMALL_STACK_CACHE
+    dst->W = NULL;
+#endif
 
-    /* Wipe variables */
-    XMEMSET(T, 0, sizeof(T));
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevCopy(&src->asyncDev, &dst->asyncDev);
+#endif
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
+    dst->ctx.mode = src->ctx.mode;
+    dst->ctx.isfirstblock = src->ctx.isfirstblock;
+    dst->ctx.sha_type = src->ctx.sha_type;
+#endif
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+     dst->flags |= WC_HASH_FLAG_ISCOPY;
+#endif
 
-    return 0;
+    return ret;
 }
 
+#if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
+int wc_Sha384SetFlags(wc_Sha384* sha384, word32 flags)
+{
+    if (sha384) {
+        sha384->flags = flags;
+    }
+    return 0;
+}
+int wc_Sha384GetFlags(wc_Sha384* sha384, word32* flags)
+{
+    if (sha384 && flags) {
+        *flags = sha384->flags;
+    }
+    return 0;
+}
 #endif
 
 #endif /* WOLFSSL_SHA384 */
 
-#endif /* HAVE_FIPS */
-
-#endif /* WOLFSSL_SHA512 */
-
+#endif /* WOLFSSL_SHA512 || WOLFSSL_SHA384 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512_asm.S
new file mode 100644
index 000000000..6a27ce42a
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sha512_asm.S
@@ -0,0 +1,10741 @@
+/* sha512_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef HAVE_INTEL_AVX1
+#define HAVE_INTEL_AVX1
+#endif /* HAVE_INTEL_AVX1 */
+#ifndef NO_AVX2_SUPPORT
+#define HAVE_INTEL_AVX2
+#endif /* NO_AVX2_SUPPORT */
+
+#ifdef HAVE_INTEL_AVX1
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_sha512_k:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_sha512_flip_mask:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX1
+.type	Transform_Sha512_AVX1,@function
+.align	4
+Transform_Sha512_AVX1:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX1
+.p2align	2
+_Transform_Sha512_AVX1:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x88, %rsp
+        leaq	64(%rdi), %rax
+        vmovdqa	L_avx1_sha512_flip_mask(%rip), %xmm14
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm14, %xmm0, %xmm0
+        vpshufb	%xmm14, %xmm1, %xmm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm14, %xmm2, %xmm2
+        vpshufb	%xmm14, %xmm3, %xmm3
+        vmovdqu	64(%rax), %xmm4
+        vmovdqu	80(%rax), %xmm5
+        vpshufb	%xmm14, %xmm4, %xmm4
+        vpshufb	%xmm14, %xmm5, %xmm5
+        vmovdqu	96(%rax), %xmm6
+        vmovdqu	112(%rax), %xmm7
+        vpshufb	%xmm14, %xmm6, %xmm6
+        vpshufb	%xmm14, %xmm7, %xmm7
+        movl	$4, 128(%rsp)
+        leaq	L_avx1_sha512_k(%rip), %rsi
+        movq	%r9, %rbx
+        movq	%r12, %rax
+        xorq	%r10, %rbx
+        # Start of 16 rounds
+L_sha256_len_avx1_start:
+        vpaddq	(%rsi), %xmm0, %xmm8
+        vpaddq	16(%rsi), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rsi), %xmm2, %xmm8
+        vpaddq	48(%rsi), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rsi), %xmm4, %xmm8
+        vpaddq	80(%rsi), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rsi), %xmm6, %xmm8
+        vpaddq	112(%rsi), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        addq	$0x80, %rsi
+        # msg_sched: 0-1
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm0, %xmm1, %xmm12
+        vpalignr	$8, %xmm4, %xmm5, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm0, %xmm13, %xmm0
+        # rnd_0: 10 - 11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # rnd_1: 1 - 1
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %xmm7, %xmm8
+        vpsllq	$45, %xmm7, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %xmm7, %xmm10
+        vpsllq	$3, %xmm7, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm7, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 2-3
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm1, %xmm2, %xmm12
+        vpalignr	$8, %xmm5, %xmm6, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm1, %xmm13, %xmm1
+        # rnd_0: 10 - 11
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # rnd_1: 1 - 1
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %xmm0, %xmm8
+        vpsllq	$45, %xmm0, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %xmm0, %xmm10
+        vpsllq	$3, %xmm0, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm0, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # msg_sched done: 2-5
+        # msg_sched: 4-5
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm2, %xmm3, %xmm12
+        vpalignr	$8, %xmm6, %xmm7, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm2, %xmm13, %xmm2
+        # rnd_0: 10 - 11
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # rnd_1: 1 - 1
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %xmm1, %xmm8
+        vpsllq	$45, %xmm1, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %xmm1, %xmm10
+        vpsllq	$3, %xmm1, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm1, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # msg_sched done: 4-7
+        # msg_sched: 6-7
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm3, %xmm4, %xmm12
+        vpalignr	$8, %xmm7, %xmm0, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm3, %xmm13, %xmm3
+        # rnd_0: 10 - 11
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # rnd_1: 1 - 1
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %xmm2, %xmm8
+        vpsllq	$45, %xmm2, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %xmm2, %xmm10
+        vpsllq	$3, %xmm2, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm2, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # msg_sched done: 6-9
+        # msg_sched: 8-9
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm4, %xmm5, %xmm12
+        vpalignr	$8, %xmm0, %xmm1, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm4, %xmm13, %xmm4
+        # rnd_0: 10 - 11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # rnd_1: 1 - 1
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %xmm3, %xmm8
+        vpsllq	$45, %xmm3, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %xmm3, %xmm10
+        vpsllq	$3, %xmm3, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm3, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # msg_sched done: 8-11
+        # msg_sched: 10-11
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm5, %xmm6, %xmm12
+        vpalignr	$8, %xmm1, %xmm2, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm5, %xmm13, %xmm5
+        # rnd_0: 10 - 11
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # rnd_1: 1 - 1
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %xmm4, %xmm8
+        vpsllq	$45, %xmm4, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %xmm4, %xmm10
+        vpsllq	$3, %xmm4, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm4, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # msg_sched done: 10-13
+        # msg_sched: 12-13
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm6, %xmm7, %xmm12
+        vpalignr	$8, %xmm2, %xmm3, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm6, %xmm13, %xmm6
+        # rnd_0: 10 - 11
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # rnd_1: 1 - 1
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %xmm5, %xmm8
+        vpsllq	$45, %xmm5, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %xmm5, %xmm10
+        vpsllq	$3, %xmm5, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm5, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # msg_sched done: 12-15
+        # msg_sched: 14-15
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm7, %xmm0, %xmm12
+        vpalignr	$8, %xmm3, %xmm4, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm7, %xmm13, %xmm7
+        # rnd_0: 10 - 11
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # rnd_1: 1 - 1
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %xmm6, %xmm8
+        vpsllq	$45, %xmm6, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %xmm6, %xmm10
+        vpsllq	$3, %xmm6, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm6, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # msg_sched done: 14-17
+        subl	$0x01, 128(%rsp)
+        jne	L_sha256_len_avx1_start
+        vpaddq	(%rsi), %xmm0, %xmm8
+        vpaddq	16(%rsi), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rsi), %xmm2, %xmm8
+        vpaddq	48(%rsi), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rsi), %xmm4, %xmm8
+        vpaddq	80(%rsi), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rsi), %xmm6, %xmm8
+        vpaddq	112(%rsi), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        # rnd_all_2: 0-1
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        # rnd_all_2: 2-3
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        # rnd_all_2: 4-5
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        # rnd_all_2: 6-7
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        # rnd_all_2: 8-9
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        # rnd_all_2: 10-11
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        # rnd_all_2: 12-13
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        # rnd_all_2: 14-15
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        addq	%r8, (%rdi)
+        addq	%r9, 8(%rdi)
+        addq	%r10, 16(%rdi)
+        addq	%r11, 24(%rdi)
+        addq	%r12, 32(%rdi)
+        addq	%r13, 40(%rdi)
+        addq	%r14, 48(%rdi)
+        addq	%r15, 56(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x88, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX1,.-Transform_Sha512_AVX1
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX1_Len
+.type	Transform_Sha512_AVX1_Len,@function
+.align	4
+Transform_Sha512_AVX1_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX1_Len
+.p2align	2
+_Transform_Sha512_AVX1_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        subq	$0x90, %rsp
+        movq	224(%rdi), %rsi
+        leaq	L_avx1_sha512_k(%rip), %rdx
+        vmovdqa	L_avx1_sha512_flip_mask(%rip), %xmm14
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        # Start of loop processing a block
+L_sha512_len_avx1_begin:
+        vmovdqu	(%rsi), %xmm0
+        vmovdqu	16(%rsi), %xmm1
+        vpshufb	%xmm14, %xmm0, %xmm0
+        vpshufb	%xmm14, %xmm1, %xmm1
+        vmovdqu	32(%rsi), %xmm2
+        vmovdqu	48(%rsi), %xmm3
+        vpshufb	%xmm14, %xmm2, %xmm2
+        vpshufb	%xmm14, %xmm3, %xmm3
+        vmovdqu	64(%rsi), %xmm4
+        vmovdqu	80(%rsi), %xmm5
+        vpshufb	%xmm14, %xmm4, %xmm4
+        vpshufb	%xmm14, %xmm5, %xmm5
+        vmovdqu	96(%rsi), %xmm6
+        vmovdqu	112(%rsi), %xmm7
+        vpshufb	%xmm14, %xmm6, %xmm6
+        vpshufb	%xmm14, %xmm7, %xmm7
+        movl	$4, 128(%rsp)
+        movq	%r9, %rbx
+        movq	%r12, %rax
+        xorq	%r10, %rbx
+        vpaddq	(%rdx), %xmm0, %xmm8
+        vpaddq	16(%rdx), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rdx), %xmm2, %xmm8
+        vpaddq	48(%rdx), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rdx), %xmm4, %xmm8
+        vpaddq	80(%rdx), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rdx), %xmm6, %xmm8
+        vpaddq	112(%rdx), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        # Start of 16 rounds
+L_sha512_len_avx1_start:
+        addq	$0x80, %rdx
+        movq	%rdx, 136(%rsp)
+        # msg_sched: 0-1
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm0, %xmm1, %xmm12
+        vpalignr	$8, %xmm4, %xmm5, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm0, %xmm13, %xmm0
+        # rnd_0: 10 - 11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # rnd_1: 1 - 1
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %xmm7, %xmm8
+        vpsllq	$45, %xmm7, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %xmm7, %xmm10
+        vpsllq	$3, %xmm7, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm7, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 2-3
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm1, %xmm2, %xmm12
+        vpalignr	$8, %xmm5, %xmm6, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm1, %xmm13, %xmm1
+        # rnd_0: 10 - 11
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # rnd_1: 1 - 1
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %xmm0, %xmm8
+        vpsllq	$45, %xmm0, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %xmm0, %xmm10
+        vpsllq	$3, %xmm0, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm0, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # msg_sched done: 2-5
+        # msg_sched: 4-5
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm2, %xmm3, %xmm12
+        vpalignr	$8, %xmm6, %xmm7, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm2, %xmm13, %xmm2
+        # rnd_0: 10 - 11
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # rnd_1: 1 - 1
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %xmm1, %xmm8
+        vpsllq	$45, %xmm1, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %xmm1, %xmm10
+        vpsllq	$3, %xmm1, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm1, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # msg_sched done: 4-7
+        # msg_sched: 6-7
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm3, %xmm4, %xmm12
+        vpalignr	$8, %xmm7, %xmm0, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm3, %xmm13, %xmm3
+        # rnd_0: 10 - 11
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # rnd_1: 1 - 1
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %xmm2, %xmm8
+        vpsllq	$45, %xmm2, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %xmm2, %xmm10
+        vpsllq	$3, %xmm2, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm2, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # msg_sched done: 6-9
+        # msg_sched: 8-9
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm4, %xmm5, %xmm12
+        vpalignr	$8, %xmm0, %xmm1, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm4, %xmm13, %xmm4
+        # rnd_0: 10 - 11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # rnd_1: 1 - 1
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %xmm3, %xmm8
+        vpsllq	$45, %xmm3, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %xmm3, %xmm10
+        vpsllq	$3, %xmm3, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm3, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # msg_sched done: 8-11
+        # msg_sched: 10-11
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm5, %xmm6, %xmm12
+        vpalignr	$8, %xmm1, %xmm2, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm5, %xmm13, %xmm5
+        # rnd_0: 10 - 11
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # rnd_1: 1 - 1
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %xmm4, %xmm8
+        vpsllq	$45, %xmm4, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %xmm4, %xmm10
+        vpsllq	$3, %xmm4, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm4, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # msg_sched done: 10-13
+        # msg_sched: 12-13
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm6, %xmm7, %xmm12
+        vpalignr	$8, %xmm2, %xmm3, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm6, %xmm13, %xmm6
+        # rnd_0: 10 - 11
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # rnd_1: 1 - 1
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %xmm5, %xmm8
+        vpsllq	$45, %xmm5, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %xmm5, %xmm10
+        vpsllq	$3, %xmm5, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm5, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # msg_sched done: 12-15
+        # msg_sched: 14-15
+        # rnd_0: 0 - 0
+        rorq	$23, %rax
+        vpalignr	$8, %xmm7, %xmm0, %xmm12
+        vpalignr	$8, %xmm3, %xmm4, %xmm13
+        # rnd_0: 1 - 1
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 3
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 4 - 5
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 6 - 7
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 8 - 9
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm7, %xmm13, %xmm7
+        # rnd_0: 10 - 11
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 0
+        rorq	$23, %rax
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # rnd_1: 1 - 1
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %xmm6, %xmm8
+        vpsllq	$45, %xmm6, %xmm9
+        # rnd_1: 2 - 3
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %xmm6, %xmm10
+        vpsllq	$3, %xmm6, %xmm11
+        # rnd_1: 4 - 6
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 7 - 8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm6, %xmm11
+        # rnd_1: 9 - 10
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 11 - 11
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # msg_sched done: 14-17
+        movq	136(%rsp), %rdx
+        vpaddq	(%rdx), %xmm0, %xmm8
+        vpaddq	16(%rdx), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rdx), %xmm2, %xmm8
+        vpaddq	48(%rdx), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rdx), %xmm4, %xmm8
+        vpaddq	80(%rdx), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rdx), %xmm6, %xmm8
+        vpaddq	112(%rdx), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        subl	$0x01, 128(%rsp)
+        jne	L_sha512_len_avx1_start
+        # rnd_all_2: 0-1
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        # rnd_all_2: 2-3
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        # rnd_all_2: 4-5
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        # rnd_all_2: 6-7
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        # rnd_all_2: 8-9
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        # rnd_all_2: 10-11
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        # rnd_all_2: 12-13
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        # rnd_all_2: 14-15
+        # rnd_0: 0 - 11
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        # rnd_1: 0 - 11
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        leaq	L_avx1_sha512_k(%rip), %rdx
+        addq	$0x80, %rsi
+        subl	$0x80, %ebp
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        jnz	L_sha512_len_avx1_begin
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x90, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX1_Len,.-Transform_Sha512_AVX1_Len
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_rorx_sha512_k:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx1_rorx_sha512_flip_mask:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX1_RORX
+.type	Transform_Sha512_AVX1_RORX,@function
+.align	4
+Transform_Sha512_AVX1_RORX:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX1_RORX
+.p2align	2
+_Transform_Sha512_AVX1_RORX:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x88, %rsp
+        leaq	64(%rdi), %rax
+        vmovdqa	L_avx1_rorx_sha512_flip_mask(%rip), %xmm14
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vpshufb	%xmm14, %xmm0, %xmm0
+        vpshufb	%xmm14, %xmm1, %xmm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vpshufb	%xmm14, %xmm2, %xmm2
+        vpshufb	%xmm14, %xmm3, %xmm3
+        vmovdqu	64(%rax), %xmm4
+        vmovdqu	80(%rax), %xmm5
+        vpshufb	%xmm14, %xmm4, %xmm4
+        vpshufb	%xmm14, %xmm5, %xmm5
+        vmovdqu	96(%rax), %xmm6
+        vmovdqu	112(%rax), %xmm7
+        vpshufb	%xmm14, %xmm6, %xmm6
+        vpshufb	%xmm14, %xmm7, %xmm7
+        movl	$4, 128(%rsp)
+        leaq	L_avx1_rorx_sha512_k(%rip), %rsi
+        movq	%r9, %rbx
+        xorq	%rdx, %rdx
+        xorq	%r10, %rbx
+        vpaddq	(%rsi), %xmm0, %xmm8
+        vpaddq	16(%rsi), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rsi), %xmm2, %xmm8
+        vpaddq	48(%rsi), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rsi), %xmm4, %xmm8
+        vpaddq	80(%rsi), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rsi), %xmm6, %xmm8
+        vpaddq	112(%rsi), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        # Start of 16 rounds
+L_sha256_len_avx1_rorx_start:
+        addq	$0x80, %rsi
+        # msg_sched: 0-1
+        # rnd_0: 0 - 0
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %xmm0, %xmm1, %xmm12
+        vpalignr	$8, %xmm4, %xmm5, %xmm13
+        # rnd_0: 1 - 1
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm0, %xmm13, %xmm0
+        # rnd_0: 6 - 7
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # rnd_1: 0 - 0
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %xmm7, %xmm8
+        vpsllq	$45, %xmm7, %xmm9
+        # rnd_1: 1 - 1
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm7, %xmm10
+        vpsllq	$3, %xmm7, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm7, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 2-3
+        # rnd_0: 0 - 0
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %xmm1, %xmm2, %xmm12
+        vpalignr	$8, %xmm5, %xmm6, %xmm13
+        # rnd_0: 1 - 1
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm1, %xmm13, %xmm1
+        # rnd_0: 6 - 7
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # rnd_1: 0 - 0
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %xmm0, %xmm8
+        vpsllq	$45, %xmm0, %xmm9
+        # rnd_1: 1 - 1
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm0, %xmm10
+        vpsllq	$3, %xmm0, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm0, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # msg_sched done: 2-5
+        # msg_sched: 4-5
+        # rnd_0: 0 - 0
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %xmm2, %xmm3, %xmm12
+        vpalignr	$8, %xmm6, %xmm7, %xmm13
+        # rnd_0: 1 - 1
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm2, %xmm13, %xmm2
+        # rnd_0: 6 - 7
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # rnd_1: 0 - 0
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %xmm1, %xmm8
+        vpsllq	$45, %xmm1, %xmm9
+        # rnd_1: 1 - 1
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm1, %xmm10
+        vpsllq	$3, %xmm1, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm1, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # msg_sched done: 4-7
+        # msg_sched: 6-7
+        # rnd_0: 0 - 0
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %xmm3, %xmm4, %xmm12
+        vpalignr	$8, %xmm7, %xmm0, %xmm13
+        # rnd_0: 1 - 1
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm3, %xmm13, %xmm3
+        # rnd_0: 6 - 7
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # rnd_1: 0 - 0
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %xmm2, %xmm8
+        vpsllq	$45, %xmm2, %xmm9
+        # rnd_1: 1 - 1
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm2, %xmm10
+        vpsllq	$3, %xmm2, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm2, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # msg_sched done: 6-9
+        # msg_sched: 8-9
+        # rnd_0: 0 - 0
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %xmm4, %xmm5, %xmm12
+        vpalignr	$8, %xmm0, %xmm1, %xmm13
+        # rnd_0: 1 - 1
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm4, %xmm13, %xmm4
+        # rnd_0: 6 - 7
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # rnd_1: 0 - 0
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %xmm3, %xmm8
+        vpsllq	$45, %xmm3, %xmm9
+        # rnd_1: 1 - 1
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm3, %xmm10
+        vpsllq	$3, %xmm3, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm3, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # msg_sched done: 8-11
+        # msg_sched: 10-11
+        # rnd_0: 0 - 0
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %xmm5, %xmm6, %xmm12
+        vpalignr	$8, %xmm1, %xmm2, %xmm13
+        # rnd_0: 1 - 1
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm5, %xmm13, %xmm5
+        # rnd_0: 6 - 7
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # rnd_1: 0 - 0
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %xmm4, %xmm8
+        vpsllq	$45, %xmm4, %xmm9
+        # rnd_1: 1 - 1
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm4, %xmm10
+        vpsllq	$3, %xmm4, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm4, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # msg_sched done: 10-13
+        # msg_sched: 12-13
+        # rnd_0: 0 - 0
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %xmm6, %xmm7, %xmm12
+        vpalignr	$8, %xmm2, %xmm3, %xmm13
+        # rnd_0: 1 - 1
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm6, %xmm13, %xmm6
+        # rnd_0: 6 - 7
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # rnd_1: 0 - 0
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %xmm5, %xmm8
+        vpsllq	$45, %xmm5, %xmm9
+        # rnd_1: 1 - 1
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm5, %xmm10
+        vpsllq	$3, %xmm5, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm5, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # msg_sched done: 12-15
+        # msg_sched: 14-15
+        # rnd_0: 0 - 0
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %xmm7, %xmm0, %xmm12
+        vpalignr	$8, %xmm3, %xmm4, %xmm13
+        # rnd_0: 1 - 1
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm7, %xmm13, %xmm7
+        # rnd_0: 6 - 7
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # rnd_1: 0 - 0
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %xmm6, %xmm8
+        vpsllq	$45, %xmm6, %xmm9
+        # rnd_1: 1 - 1
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm6, %xmm10
+        vpsllq	$3, %xmm6, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm6, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # msg_sched done: 14-17
+        vpaddq	(%rsi), %xmm0, %xmm8
+        vpaddq	16(%rsi), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rsi), %xmm2, %xmm8
+        vpaddq	48(%rsi), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rsi), %xmm4, %xmm8
+        vpaddq	80(%rsi), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rsi), %xmm6, %xmm8
+        vpaddq	112(%rsi), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        subl	$0x01, 128(%rsp)
+        jne	L_sha256_len_avx1_rorx_start
+        # rnd_all_2: 0-1
+        # rnd_0: 0 - 7
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 2-3
+        # rnd_0: 0 - 7
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 4-5
+        # rnd_0: 0 - 7
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 6-7
+        # rnd_0: 0 - 7
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        # rnd_all_2: 8-9
+        # rnd_0: 0 - 7
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 10-11
+        # rnd_0: 0 - 7
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 12-13
+        # rnd_0: 0 - 7
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 14-15
+        # rnd_0: 0 - 7
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        addq	%rdx, %r8
+        addq	%r8, (%rdi)
+        addq	%r9, 8(%rdi)
+        addq	%r10, 16(%rdi)
+        addq	%r11, 24(%rdi)
+        addq	%r12, 32(%rdi)
+        addq	%r13, 40(%rdi)
+        addq	%r14, 48(%rdi)
+        addq	%r15, 56(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x88, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX1_RORX,.-Transform_Sha512_AVX1_RORX
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX1_RORX_Len
+.type	Transform_Sha512_AVX1_RORX_Len,@function
+.align	4
+Transform_Sha512_AVX1_RORX_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX1_RORX_Len
+.p2align	2
+_Transform_Sha512_AVX1_RORX_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        subq	$0x90, %rsp
+        movq	224(%rdi), %rsi
+        leaq	L_avx1_rorx_sha512_k(%rip), %rcx
+        vmovdqa	L_avx1_rorx_sha512_flip_mask(%rip), %xmm14
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        # Start of loop processing a block
+L_sha512_len_avx1_rorx_begin:
+        vmovdqu	(%rsi), %xmm0
+        vmovdqu	16(%rsi), %xmm1
+        vpshufb	%xmm14, %xmm0, %xmm0
+        vpshufb	%xmm14, %xmm1, %xmm1
+        vmovdqu	32(%rsi), %xmm2
+        vmovdqu	48(%rsi), %xmm3
+        vpshufb	%xmm14, %xmm2, %xmm2
+        vpshufb	%xmm14, %xmm3, %xmm3
+        vmovdqu	64(%rsi), %xmm4
+        vmovdqu	80(%rsi), %xmm5
+        vpshufb	%xmm14, %xmm4, %xmm4
+        vpshufb	%xmm14, %xmm5, %xmm5
+        vmovdqu	96(%rsi), %xmm6
+        vmovdqu	112(%rsi), %xmm7
+        vpshufb	%xmm14, %xmm6, %xmm6
+        vpshufb	%xmm14, %xmm7, %xmm7
+        movl	$4, 128(%rsp)
+        movq	%r9, %rbx
+        xorq	%rdx, %rdx
+        xorq	%r10, %rbx
+        vpaddq	(%rcx), %xmm0, %xmm8
+        vpaddq	16(%rcx), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rcx), %xmm2, %xmm8
+        vpaddq	48(%rcx), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rcx), %xmm4, %xmm8
+        vpaddq	80(%rcx), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rcx), %xmm6, %xmm8
+        vpaddq	112(%rcx), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        # Start of 16 rounds
+L_sha512_len_avx1_rorx_start:
+        addq	$0x80, %rcx
+        movq	%rcx, 136(%rsp)
+        # msg_sched: 0-1
+        # rnd_0: 0 - 0
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %xmm0, %xmm1, %xmm12
+        vpalignr	$8, %xmm4, %xmm5, %xmm13
+        # rnd_0: 1 - 1
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm0, %xmm13, %xmm0
+        # rnd_0: 6 - 7
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # rnd_1: 0 - 0
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %xmm7, %xmm8
+        vpsllq	$45, %xmm7, %xmm9
+        # rnd_1: 1 - 1
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm7, %xmm10
+        vpsllq	$3, %xmm7, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm7, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%xmm0, %xmm8, %xmm0
+        # msg_sched done: 0-3
+        # msg_sched: 2-3
+        # rnd_0: 0 - 0
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %xmm1, %xmm2, %xmm12
+        vpalignr	$8, %xmm5, %xmm6, %xmm13
+        # rnd_0: 1 - 1
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm1, %xmm13, %xmm1
+        # rnd_0: 6 - 7
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # rnd_1: 0 - 0
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %xmm0, %xmm8
+        vpsllq	$45, %xmm0, %xmm9
+        # rnd_1: 1 - 1
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm0, %xmm10
+        vpsllq	$3, %xmm0, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm0, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%xmm1, %xmm8, %xmm1
+        # msg_sched done: 2-5
+        # msg_sched: 4-5
+        # rnd_0: 0 - 0
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %xmm2, %xmm3, %xmm12
+        vpalignr	$8, %xmm6, %xmm7, %xmm13
+        # rnd_0: 1 - 1
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm2, %xmm13, %xmm2
+        # rnd_0: 6 - 7
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # rnd_1: 0 - 0
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %xmm1, %xmm8
+        vpsllq	$45, %xmm1, %xmm9
+        # rnd_1: 1 - 1
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm1, %xmm10
+        vpsllq	$3, %xmm1, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm1, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%xmm2, %xmm8, %xmm2
+        # msg_sched done: 4-7
+        # msg_sched: 6-7
+        # rnd_0: 0 - 0
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %xmm3, %xmm4, %xmm12
+        vpalignr	$8, %xmm7, %xmm0, %xmm13
+        # rnd_0: 1 - 1
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm3, %xmm13, %xmm3
+        # rnd_0: 6 - 7
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # rnd_1: 0 - 0
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %xmm2, %xmm8
+        vpsllq	$45, %xmm2, %xmm9
+        # rnd_1: 1 - 1
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm2, %xmm10
+        vpsllq	$3, %xmm2, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm2, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%xmm3, %xmm8, %xmm3
+        # msg_sched done: 6-9
+        # msg_sched: 8-9
+        # rnd_0: 0 - 0
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %xmm4, %xmm5, %xmm12
+        vpalignr	$8, %xmm0, %xmm1, %xmm13
+        # rnd_0: 1 - 1
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm4, %xmm13, %xmm4
+        # rnd_0: 6 - 7
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # rnd_1: 0 - 0
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %xmm3, %xmm8
+        vpsllq	$45, %xmm3, %xmm9
+        # rnd_1: 1 - 1
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm3, %xmm10
+        vpsllq	$3, %xmm3, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm3, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%xmm4, %xmm8, %xmm4
+        # msg_sched done: 8-11
+        # msg_sched: 10-11
+        # rnd_0: 0 - 0
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %xmm5, %xmm6, %xmm12
+        vpalignr	$8, %xmm1, %xmm2, %xmm13
+        # rnd_0: 1 - 1
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm5, %xmm13, %xmm5
+        # rnd_0: 6 - 7
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # rnd_1: 0 - 0
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %xmm4, %xmm8
+        vpsllq	$45, %xmm4, %xmm9
+        # rnd_1: 1 - 1
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm4, %xmm10
+        vpsllq	$3, %xmm4, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm4, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%xmm5, %xmm8, %xmm5
+        # msg_sched done: 10-13
+        # msg_sched: 12-13
+        # rnd_0: 0 - 0
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %xmm6, %xmm7, %xmm12
+        vpalignr	$8, %xmm2, %xmm3, %xmm13
+        # rnd_0: 1 - 1
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm6, %xmm13, %xmm6
+        # rnd_0: 6 - 7
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # rnd_1: 0 - 0
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %xmm5, %xmm8
+        vpsllq	$45, %xmm5, %xmm9
+        # rnd_1: 1 - 1
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm5, %xmm10
+        vpsllq	$3, %xmm5, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm5, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%xmm6, %xmm8, %xmm6
+        # msg_sched done: 12-15
+        # msg_sched: 14-15
+        # rnd_0: 0 - 0
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %xmm7, %xmm0, %xmm12
+        vpalignr	$8, %xmm3, %xmm4, %xmm13
+        # rnd_0: 1 - 1
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$0x01, %xmm12, %xmm8
+        vpsllq	$63, %xmm12, %xmm9
+        # rnd_0: 2 - 2
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$8, %xmm12, %xmm10
+        vpsllq	$56, %xmm12, %xmm11
+        # rnd_0: 3 - 3
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_0: 4 - 4
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$7, %xmm12, %xmm11
+        vpxor	%xmm10, %xmm8, %xmm8
+        # rnd_0: 5 - 5
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpxor	%xmm11, %xmm8, %xmm8
+        vpaddq	%xmm7, %xmm13, %xmm7
+        # rnd_0: 6 - 7
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # rnd_1: 0 - 0
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %xmm6, %xmm8
+        vpsllq	$45, %xmm6, %xmm9
+        # rnd_1: 1 - 1
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %xmm6, %xmm10
+        vpsllq	$3, %xmm6, %xmm11
+        # rnd_1: 2 - 2
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%xmm9, %xmm8, %xmm8
+        vpor	%xmm11, %xmm10, %xmm10
+        # rnd_1: 3 - 4
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%xmm10, %xmm8, %xmm8
+        vpsrlq	$6, %xmm6, %xmm11
+        # rnd_1: 5 - 6
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        vpxor	%xmm11, %xmm8, %xmm8
+        # rnd_1: 7 - 7
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%xmm7, %xmm8, %xmm7
+        # msg_sched done: 14-17
+        movq	136(%rsp), %rcx
+        vpaddq	(%rcx), %xmm0, %xmm8
+        vpaddq	16(%rcx), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rcx), %xmm2, %xmm8
+        vpaddq	48(%rcx), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rcx), %xmm4, %xmm8
+        vpaddq	80(%rcx), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rcx), %xmm6, %xmm8
+        vpaddq	112(%rcx), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        subl	$0x01, 128(%rsp)
+        jne	L_sha512_len_avx1_rorx_start
+        vpaddq	(%rcx), %xmm0, %xmm8
+        vpaddq	16(%rcx), %xmm1, %xmm9
+        vmovdqu	%xmm8, (%rsp)
+        vmovdqu	%xmm9, 16(%rsp)
+        vpaddq	32(%rcx), %xmm2, %xmm8
+        vpaddq	48(%rcx), %xmm3, %xmm9
+        vmovdqu	%xmm8, 32(%rsp)
+        vmovdqu	%xmm9, 48(%rsp)
+        vpaddq	64(%rcx), %xmm4, %xmm8
+        vpaddq	80(%rcx), %xmm5, %xmm9
+        vmovdqu	%xmm8, 64(%rsp)
+        vmovdqu	%xmm9, 80(%rsp)
+        vpaddq	96(%rcx), %xmm6, %xmm8
+        vpaddq	112(%rcx), %xmm7, %xmm9
+        vmovdqu	%xmm8, 96(%rsp)
+        vmovdqu	%xmm9, 112(%rsp)
+        # rnd_all_2: 0-1
+        # rnd_0: 0 - 7
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 2-3
+        # rnd_0: 0 - 7
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 4-5
+        # rnd_0: 0 - 7
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 6-7
+        # rnd_0: 0 - 7
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        # rnd_all_2: 8-9
+        # rnd_0: 0 - 7
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        addq	%r14, %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 10-11
+        # rnd_0: 0 - 7
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        addq	%r12, %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 12-13
+        # rnd_0: 0 - 7
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        addq	%r10, %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 14-15
+        # rnd_0: 0 - 7
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        # rnd_1: 0 - 7
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        addq	%r8, %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        addq	%rdx, %r8
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        leaq	L_avx1_rorx_sha512_k(%rip), %rcx
+        addq	$0x80, %rsi
+        subl	$0x80, %ebp
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        jnz	L_sha512_len_avx1_rorx_begin
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x90, %rsp
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX1_RORX_Len,.-Transform_Sha512_AVX1_RORX_Len
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX1 */
+#ifdef HAVE_INTEL_AVX2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_sha512_k:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_sha512_k_2:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	8
+#else
+.p2align	3
+#endif /* __APPLE__ */
+L_avx2_sha512_k_2_end:
+.quad	1024+L_avx2_sha512_k_2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_sha512_flip_mask:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX2
+.type	Transform_Sha512_AVX2,@function
+.align	4
+Transform_Sha512_AVX2:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX2
+.p2align	2
+_Transform_Sha512_AVX2:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x88, %rsp
+        leaq	64(%rdi), %rax
+        vmovdqa	L_avx2_sha512_flip_mask(%rip), %ymm15
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        vmovdqu	(%rax), %ymm0
+        vmovdqu	32(%rax), %ymm1
+        vpshufb	%ymm15, %ymm0, %ymm0
+        vpshufb	%ymm15, %ymm1, %ymm1
+        vmovdqu	64(%rax), %ymm2
+        vmovdqu	96(%rax), %ymm3
+        vpshufb	%ymm15, %ymm2, %ymm2
+        vpshufb	%ymm15, %ymm3, %ymm3
+        movl	$4, 128(%rsp)
+        leaq	L_avx2_sha512_k(%rip), %rsi
+        movq	%r9, %rbx
+        movq	%r12, %rax
+        xorq	%r10, %rbx
+        vpaddq	(%rsi), %ymm0, %ymm8
+        vpaddq	32(%rsi), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        vpaddq	96(%rsi), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        # Start of 16 rounds
+L_sha256_avx2_start:
+        addq	$0x80, %rsi
+        rorq	$23, %rax
+        vpblendd	$3, %ymm1, %ymm0, %ymm12
+        vpblendd	$3, %ymm3, %ymm2, %ymm13
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpermq	$57, %ymm13, %ymm13
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        vpsllq	$56, %ymm12, %ymm11
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpor	%ymm9, %ymm8, %ymm8
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        vpor	%ymm11, %ymm10, %ymm10
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        vpaddq	%ymm0, %ymm13, %ymm0
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        vperm2I128	$0x81, %ymm3, %ymm3, %ymm14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        vpsrlq	$61, %ymm14, %ymm10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpsllq	$3, %ymm14, %ymm11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$6, %ymm14, %ymm11
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vperm2I128	$8, %ymm0, %ymm0, %ymm14
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsllq	$3, %ymm14, %ymm11
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        vpblendd	$3, %ymm2, %ymm1, %ymm12
+        vpblendd	$3, %ymm0, %ymm3, %ymm13
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpermq	$57, %ymm13, %ymm13
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        vpsllq	$56, %ymm12, %ymm11
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpor	%ymm9, %ymm8, %ymm8
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        vpor	%ymm11, %ymm10, %ymm10
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        vpaddq	%ymm1, %ymm13, %ymm1
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        vperm2I128	$0x81, %ymm0, %ymm0, %ymm14
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        vpsrlq	$61, %ymm14, %ymm10
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpsllq	$3, %ymm14, %ymm11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$6, %ymm14, %ymm11
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vperm2I128	$8, %ymm1, %ymm1, %ymm14
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsllq	$3, %ymm14, %ymm11
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        rorq	$23, %rax
+        vpblendd	$3, %ymm3, %ymm2, %ymm12
+        vpblendd	$3, %ymm1, %ymm0, %ymm13
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpermq	$57, %ymm13, %ymm13
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        vpsllq	$56, %ymm12, %ymm11
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpor	%ymm9, %ymm8, %ymm8
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        vpor	%ymm11, %ymm10, %ymm10
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        vpaddq	%ymm2, %ymm13, %ymm2
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        vperm2I128	$0x81, %ymm1, %ymm1, %ymm14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        vpsrlq	$61, %ymm14, %ymm10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpsllq	$3, %ymm14, %ymm11
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$6, %ymm14, %ymm11
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vperm2I128	$8, %ymm2, %ymm2, %ymm14
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsllq	$3, %ymm14, %ymm11
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        vpblendd	$3, %ymm0, %ymm3, %ymm12
+        vpblendd	$3, %ymm2, %ymm1, %ymm13
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpermq	$57, %ymm13, %ymm13
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        vpsllq	$56, %ymm12, %ymm11
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpor	%ymm9, %ymm8, %ymm8
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        vpor	%ymm11, %ymm10, %ymm10
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        vpaddq	%ymm3, %ymm13, %ymm3
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        vperm2I128	$0x81, %ymm2, %ymm2, %ymm14
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        vpsrlq	$61, %ymm14, %ymm10
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpsllq	$3, %ymm14, %ymm11
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$6, %ymm14, %ymm11
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vperm2I128	$8, %ymm3, %ymm3, %ymm14
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpsrlq	$19, %ymm14, %ymm8
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        vpsllq	$45, %ymm14, %ymm9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsllq	$3, %ymm14, %ymm11
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpor	%ymm11, %ymm10, %ymm10
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	(%rsi), %ymm0, %ymm8
+        vpaddq	32(%rsi), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        vpaddq	96(%rsi), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        subl	$0x01, 128(%rsp)
+        jne	L_sha256_avx2_start
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	16(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	24(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	32(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	40(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	48(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	56(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	64(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	72(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	80(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	88(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	96(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	104(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        addq	%r8, (%rdi)
+        addq	%r9, 8(%rdi)
+        addq	%r10, 16(%rdi)
+        addq	%r11, 24(%rdi)
+        addq	%r12, 32(%rdi)
+        addq	%r13, 40(%rdi)
+        addq	%r14, 48(%rdi)
+        addq	%r15, 56(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x88, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX2,.-Transform_Sha512_AVX2
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX2_Len
+.type	Transform_Sha512_AVX2_Len,@function
+.align	4
+Transform_Sha512_AVX2_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX2_Len
+.p2align	2
+_Transform_Sha512_AVX2_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        movq	%rsi, %rbp
+        testb	$0x80, %bpl
+        je	L_sha512_len_avx2_block
+        movq	224(%rdi), %rcx
+        vmovdqu	(%rcx), %ymm0
+        vmovdqu	32(%rcx), %ymm1
+        vmovdqu	64(%rcx), %ymm2
+        vmovdqu	96(%rcx), %ymm3
+        vmovups	%ymm0, 64(%rdi)
+        vmovups	%ymm1, 96(%rdi)
+        vmovups	%ymm2, 128(%rdi)
+        vmovups	%ymm3, 160(%rdi)
+#ifndef __APPLE__
+        call	Transform_Sha512_AVX2@plt
+#else
+        call	_Transform_Sha512_AVX2
+#endif /* __APPLE__ */
+        addq	$0x80, 224(%rdi)
+        subl	$0x80, %ebp
+        jz	L_sha512_len_avx2_done
+L_sha512_len_avx2_block:
+        movq	224(%rdi), %rcx
+        vmovdqa	L_avx2_sha512_flip_mask(%rip), %ymm15
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        # Start of loop processing two blocks
+L_sha512_len_avx2_begin:
+        subq	$0x540, %rsp
+        leaq	L_avx2_sha512_k_2(%rip), %rsi
+        movq	%r9, %rbx
+        movq	%r12, %rax
+        vmovdqu	(%rcx), %xmm0
+        vmovdqu	16(%rcx), %xmm1
+        vinserti128	$0x01, 128(%rcx), %ymm0, %ymm0
+        vinserti128	$0x01, 144(%rcx), %ymm1, %ymm1
+        vpshufb	%ymm15, %ymm0, %ymm0
+        vpshufb	%ymm15, %ymm1, %ymm1
+        vmovdqu	32(%rcx), %xmm2
+        vmovdqu	48(%rcx), %xmm3
+        vinserti128	$0x01, 160(%rcx), %ymm2, %ymm2
+        vinserti128	$0x01, 176(%rcx), %ymm3, %ymm3
+        vpshufb	%ymm15, %ymm2, %ymm2
+        vpshufb	%ymm15, %ymm3, %ymm3
+        vmovdqu	64(%rcx), %xmm4
+        vmovdqu	80(%rcx), %xmm5
+        vinserti128	$0x01, 192(%rcx), %ymm4, %ymm4
+        vinserti128	$0x01, 208(%rcx), %ymm5, %ymm5
+        vpshufb	%ymm15, %ymm4, %ymm4
+        vpshufb	%ymm15, %ymm5, %ymm5
+        vmovdqu	96(%rcx), %xmm6
+        vmovdqu	112(%rcx), %xmm7
+        vinserti128	$0x01, 224(%rcx), %ymm6, %ymm6
+        vinserti128	$0x01, 240(%rcx), %ymm7, %ymm7
+        vpshufb	%ymm15, %ymm6, %ymm6
+        vpshufb	%ymm15, %ymm7, %ymm7
+        xorq	%r10, %rbx
+        # Start of 16 rounds
+L_sha512_len_avx2_start:
+        vpaddq	(%rsi), %ymm0, %ymm8
+        vpaddq	32(%rsi), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        vpaddq	96(%rsi), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        vpaddq	128(%rsi), %ymm4, %ymm8
+        vpaddq	160(%rsi), %ymm5, %ymm9
+        vmovdqu	%ymm8, 128(%rsp)
+        vmovdqu	%ymm9, 160(%rsp)
+        vpaddq	192(%rsi), %ymm6, %ymm8
+        vpaddq	224(%rsi), %ymm7, %ymm9
+        vmovdqu	%ymm8, 192(%rsp)
+        vmovdqu	%ymm9, 224(%rsp)
+        # msg_sched: 0-1
+        rorq	$23, %rax
+        vpalignr	$8, %ymm0, %ymm1, %ymm12
+        vpalignr	$8, %ymm4, %ymm5, %ymm13
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm0, %ymm13, %ymm0
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        vpaddq	%ymm0, %ymm8, %ymm0
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %ymm7, %ymm8
+        vpsllq	$45, %ymm7, %ymm9
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %ymm7, %ymm10
+        vpsllq	$3, %ymm7, %ymm11
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm7, %ymm11
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%ymm0, %ymm8, %ymm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-5
+        rorq	$23, %rax
+        vpalignr	$8, %ymm1, %ymm2, %ymm12
+        vpalignr	$8, %ymm5, %ymm6, %ymm13
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	32(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm1, %ymm13, %ymm1
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        vpaddq	%ymm1, %ymm8, %ymm1
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	40(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %ymm0, %ymm8
+        vpsllq	$45, %ymm0, %ymm9
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %ymm0, %ymm10
+        vpsllq	$3, %ymm0, %ymm11
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm0, %ymm11
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%ymm1, %ymm8, %ymm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-9
+        rorq	$23, %rax
+        vpalignr	$8, %ymm2, %ymm3, %ymm12
+        vpalignr	$8, %ymm6, %ymm7, %ymm13
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	64(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm2, %ymm13, %ymm2
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        vpaddq	%ymm2, %ymm8, %ymm2
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	72(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %ymm1, %ymm8
+        vpsllq	$45, %ymm1, %ymm9
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %ymm1, %ymm10
+        vpsllq	$3, %ymm1, %ymm11
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm1, %ymm11
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%ymm2, %ymm8, %ymm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-13
+        rorq	$23, %rax
+        vpalignr	$8, %ymm3, %ymm4, %ymm12
+        vpalignr	$8, %ymm7, %ymm0, %ymm13
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	96(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm3, %ymm13, %ymm3
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        vpaddq	%ymm3, %ymm8, %ymm3
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	104(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %ymm2, %ymm8
+        vpsllq	$45, %ymm2, %ymm9
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %ymm2, %ymm10
+        vpsllq	$3, %ymm2, %ymm11
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm2, %ymm11
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%ymm3, %ymm8, %ymm3
+        # msg_sched done: 12-15
+        # msg_sched: 16-17
+        rorq	$23, %rax
+        vpalignr	$8, %ymm4, %ymm5, %ymm12
+        vpalignr	$8, %ymm0, %ymm1, %ymm13
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	128(%rsp), %r15
+        xorq	%r14, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm4, %ymm13, %ymm4
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        vpaddq	%ymm4, %ymm8, %ymm4
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	136(%rsp), %r14
+        xorq	%r13, %rcx
+        vpsrlq	$19, %ymm3, %ymm8
+        vpsllq	$45, %ymm3, %ymm9
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        vpsrlq	$61, %ymm3, %ymm10
+        vpsllq	$3, %ymm3, %ymm11
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm3, %ymm11
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        vpaddq	%ymm4, %ymm8, %ymm4
+        # msg_sched done: 16-19
+        # msg_sched: 20-21
+        rorq	$23, %rax
+        vpalignr	$8, %ymm5, %ymm6, %ymm12
+        vpalignr	$8, %ymm1, %ymm2, %ymm13
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	160(%rsp), %r13
+        xorq	%r12, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm5, %ymm13, %ymm5
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        vpaddq	%ymm5, %ymm8, %ymm5
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	168(%rsp), %r12
+        xorq	%r11, %rcx
+        vpsrlq	$19, %ymm4, %ymm8
+        vpsllq	$45, %ymm4, %ymm9
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        vpsrlq	$61, %ymm4, %ymm10
+        vpsllq	$3, %ymm4, %ymm11
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm4, %ymm11
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        vpaddq	%ymm5, %ymm8, %ymm5
+        # msg_sched done: 20-23
+        # msg_sched: 24-25
+        rorq	$23, %rax
+        vpalignr	$8, %ymm6, %ymm7, %ymm12
+        vpalignr	$8, %ymm2, %ymm3, %ymm13
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	192(%rsp), %r11
+        xorq	%r10, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm6, %ymm13, %ymm6
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        vpaddq	%ymm6, %ymm8, %ymm6
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	200(%rsp), %r10
+        xorq	%r9, %rcx
+        vpsrlq	$19, %ymm5, %ymm8
+        vpsllq	$45, %ymm5, %ymm9
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        vpsrlq	$61, %ymm5, %ymm10
+        vpsllq	$3, %ymm5, %ymm11
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm5, %ymm11
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        vpaddq	%ymm6, %ymm8, %ymm6
+        # msg_sched done: 24-27
+        # msg_sched: 28-29
+        rorq	$23, %rax
+        vpalignr	$8, %ymm7, %ymm0, %ymm12
+        vpalignr	$8, %ymm3, %ymm4, %ymm13
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	224(%rsp), %r9
+        xorq	%r8, %rcx
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm7, %ymm13, %ymm7
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        vpaddq	%ymm7, %ymm8, %ymm7
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	232(%rsp), %r8
+        xorq	%r15, %rcx
+        vpsrlq	$19, %ymm6, %ymm8
+        vpsllq	$45, %ymm6, %ymm9
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        vpsrlq	$61, %ymm6, %ymm10
+        vpsllq	$3, %ymm6, %ymm11
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm6, %ymm11
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        vpxor	%ymm11, %ymm8, %ymm8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        vpaddq	%ymm7, %ymm8, %ymm7
+        # msg_sched done: 28-31
+        addq	$0x100, %rsi
+        addq	$0x100, %rsp
+        cmpq	L_avx2_sha512_k_2_end(%rip), %rsi
+        jne	L_sha512_len_avx2_start
+        vpaddq	(%rsi), %ymm0, %ymm8
+        vpaddq	32(%rsi), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        vpaddq	96(%rsi), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        vpaddq	128(%rsi), %ymm4, %ymm8
+        vpaddq	160(%rsi), %ymm5, %ymm9
+        vmovdqu	%ymm8, 128(%rsp)
+        vmovdqu	%ymm9, 160(%rsp)
+        vpaddq	192(%rsi), %ymm6, %ymm8
+        vpaddq	224(%rsi), %ymm7, %ymm9
+        vmovdqu	%ymm8, 192(%rsp)
+        vmovdqu	%ymm9, 224(%rsp)
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	8(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	32(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	40(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	64(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	72(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	96(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	104(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	128(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	136(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	160(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	168(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	192(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	200(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	224(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	232(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        subq	$0x400, %rsp
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        movq	%r9, %rbx
+        movq	%r12, %rax
+        xorq	%r10, %rbx
+        movq	$5, %rsi
+L_sha512_len_avx2_tail:
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	16(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	24(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	48(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	56(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	80(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	88(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	112(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	120(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        rorq	$23, %rax
+        movq	%r8, %rdx
+        movq	%r13, %rcx
+        addq	144(%rsp), %r15
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        andq	%r12, %rcx
+        rorq	$4, %rax
+        xorq	%r14, %rcx
+        xorq	%r12, %rax
+        addq	%rcx, %r15
+        rorq	$14, %rax
+        xorq	%r9, %rdx
+        addq	%rax, %r15
+        movq	%r8, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r8, %rcx
+        xorq	%r9, %rbx
+        rorq	$6, %rcx
+        addq	%r15, %r11
+        xorq	%r8, %rcx
+        addq	%rbx, %r15
+        rorq	$28, %rcx
+        movq	%r11, %rax
+        addq	%rcx, %r15
+        rorq	$23, %rax
+        movq	%r15, %rbx
+        movq	%r12, %rcx
+        addq	152(%rsp), %r14
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        andq	%r11, %rcx
+        rorq	$4, %rax
+        xorq	%r13, %rcx
+        xorq	%r11, %rax
+        addq	%rcx, %r14
+        rorq	$14, %rax
+        xorq	%r8, %rbx
+        addq	%rax, %r14
+        movq	%r15, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r15, %rcx
+        xorq	%r8, %rdx
+        rorq	$6, %rcx
+        addq	%r14, %r10
+        xorq	%r15, %rcx
+        addq	%rdx, %r14
+        rorq	$28, %rcx
+        movq	%r10, %rax
+        addq	%rcx, %r14
+        rorq	$23, %rax
+        movq	%r14, %rdx
+        movq	%r11, %rcx
+        addq	176(%rsp), %r13
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        andq	%r10, %rcx
+        rorq	$4, %rax
+        xorq	%r12, %rcx
+        xorq	%r10, %rax
+        addq	%rcx, %r13
+        rorq	$14, %rax
+        xorq	%r15, %rdx
+        addq	%rax, %r13
+        movq	%r14, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r14, %rcx
+        xorq	%r15, %rbx
+        rorq	$6, %rcx
+        addq	%r13, %r9
+        xorq	%r14, %rcx
+        addq	%rbx, %r13
+        rorq	$28, %rcx
+        movq	%r9, %rax
+        addq	%rcx, %r13
+        rorq	$23, %rax
+        movq	%r13, %rbx
+        movq	%r10, %rcx
+        addq	184(%rsp), %r12
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        andq	%r9, %rcx
+        rorq	$4, %rax
+        xorq	%r11, %rcx
+        xorq	%r9, %rax
+        addq	%rcx, %r12
+        rorq	$14, %rax
+        xorq	%r14, %rbx
+        addq	%rax, %r12
+        movq	%r13, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r13, %rcx
+        xorq	%r14, %rdx
+        rorq	$6, %rcx
+        addq	%r12, %r8
+        xorq	%r13, %rcx
+        addq	%rdx, %r12
+        rorq	$28, %rcx
+        movq	%r8, %rax
+        addq	%rcx, %r12
+        rorq	$23, %rax
+        movq	%r12, %rdx
+        movq	%r9, %rcx
+        addq	208(%rsp), %r11
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        andq	%r8, %rcx
+        rorq	$4, %rax
+        xorq	%r10, %rcx
+        xorq	%r8, %rax
+        addq	%rcx, %r11
+        rorq	$14, %rax
+        xorq	%r13, %rdx
+        addq	%rax, %r11
+        movq	%r12, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r12, %rcx
+        xorq	%r13, %rbx
+        rorq	$6, %rcx
+        addq	%r11, %r15
+        xorq	%r12, %rcx
+        addq	%rbx, %r11
+        rorq	$28, %rcx
+        movq	%r15, %rax
+        addq	%rcx, %r11
+        rorq	$23, %rax
+        movq	%r11, %rbx
+        movq	%r8, %rcx
+        addq	216(%rsp), %r10
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        andq	%r15, %rcx
+        rorq	$4, %rax
+        xorq	%r9, %rcx
+        xorq	%r15, %rax
+        addq	%rcx, %r10
+        rorq	$14, %rax
+        xorq	%r12, %rbx
+        addq	%rax, %r10
+        movq	%r11, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r11, %rcx
+        xorq	%r12, %rdx
+        rorq	$6, %rcx
+        addq	%r10, %r14
+        xorq	%r11, %rcx
+        addq	%rdx, %r10
+        rorq	$28, %rcx
+        movq	%r14, %rax
+        addq	%rcx, %r10
+        rorq	$23, %rax
+        movq	%r10, %rdx
+        movq	%r15, %rcx
+        addq	240(%rsp), %r9
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        andq	%r14, %rcx
+        rorq	$4, %rax
+        xorq	%r8, %rcx
+        xorq	%r14, %rax
+        addq	%rcx, %r9
+        rorq	$14, %rax
+        xorq	%r11, %rdx
+        addq	%rax, %r9
+        movq	%r10, %rcx
+        andq	%rdx, %rbx
+        rorq	$5, %rcx
+        xorq	%r10, %rcx
+        xorq	%r11, %rbx
+        rorq	$6, %rcx
+        addq	%r9, %r13
+        xorq	%r10, %rcx
+        addq	%rbx, %r9
+        rorq	$28, %rcx
+        movq	%r13, %rax
+        addq	%rcx, %r9
+        rorq	$23, %rax
+        movq	%r9, %rbx
+        movq	%r14, %rcx
+        addq	248(%rsp), %r8
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        andq	%r13, %rcx
+        rorq	$4, %rax
+        xorq	%r15, %rcx
+        xorq	%r13, %rax
+        addq	%rcx, %r8
+        rorq	$14, %rax
+        xorq	%r10, %rbx
+        addq	%rax, %r8
+        movq	%r9, %rcx
+        andq	%rbx, %rdx
+        rorq	$5, %rcx
+        xorq	%r9, %rcx
+        xorq	%r10, %rdx
+        rorq	$6, %rcx
+        addq	%r8, %r12
+        xorq	%r9, %rcx
+        addq	%rdx, %r8
+        rorq	$28, %rcx
+        movq	%r12, %rax
+        addq	%rcx, %r8
+        addq	$0x100, %rsp
+        subq	$0x01, %rsi
+        jnz	L_sha512_len_avx2_tail
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        movq	224(%rdi), %rcx
+        addq	$0x40, %rsp
+        addq	$0x100, %rcx
+        subl	$0x100, %ebp
+        movq	%rcx, 224(%rdi)
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        jnz	L_sha512_len_avx2_begin
+L_sha512_len_avx2_done:
+        xorq	%rax, %rax
+        vzeroupper
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX2_Len,.-Transform_Sha512_AVX2_Len
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_rorx_sha512_k:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	16
+#else
+.p2align	4
+#endif /* __APPLE__ */
+L_avx2_rorx_sha512_k_2:
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0x428a2f98d728ae22,0x7137449123ef65cd
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x3956c25bf348b538,0x59f111f1b605d019
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0x923f82a4af194f9b,0xab1c5ed5da6d8118
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0xd807aa98a3030242,0x12835b0145706fbe
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x72be5d74f27b896f,0x80deb1fe3b1696b1
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0x9bdc06a725c71235,0xc19bf174cf692694
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xe49b69c19ef14ad2,0xefbe4786384f25e3
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0xfc19dc68b8cd5b5,0x240ca1cc77ac9c65
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x2de92c6f592b0275,0x4a7484aa6ea6e483
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x5cb0a9dcbd41fbd4,0x76f988da831153b5
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0x983e5152ee66dfab,0xa831c66d2db43210
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xb00327c898fb213f,0xbf597fc7beef0ee4
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0xc6e00bf33da88fc2,0xd5a79147930aa725
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x6ca6351e003826f,0x142929670a0e6e70
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x27b70a8546d22ffc,0x2e1b21385c26c926
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x4d2c6dfc5ac42aed,0x53380d139d95b3df
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x650a73548baf63de,0x766a0abb3c77b2a8
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0x81c2c92e47edaee6,0x92722c851482353b
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xa2bfe8a14cf10364,0xa81a664bbc423001
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xc24b8b70d0f89791,0xc76c51a30654be30
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xd192e819d6ef5218,0xd69906245565a910
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0xf40e35855771202a,0x106aa07032bbd1b8
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x19a4c116b8d2d0c8,0x1e376c085141ab53
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x748f82ee5defb2fc,0x78a5636f43172f60
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x84c87814a1f0ab72,0x8cc702081a6439ec
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0x90befffa23631e28,0xa4506cebde82bde9
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xbef9a3f7b2c67915,0xc67178f2e372532b
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xca273eceea26619c,0xd186b8c721c0c207
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x6f067aa72176fba,0xa637dc5a2c898a6
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x113f9804bef90dae,0x1b710b35131c471b
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x28db77f523047d84,0x32caab7b40c72493
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x4cc5d4becb3e42b6,0x597f299cfc657e2a
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+.quad	0x5fcb6fab3ad6faec,0x6c44198c4a475817
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	8
+#else
+.p2align	3
+#endif /* __APPLE__ */
+L_avx2_rorx_sha512_k_2_end:
+.quad	1024+L_avx2_rorx_sha512_k_2
+#ifndef __APPLE__
+.data
+#else
+.section	__DATA,__data
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.align	32
+#else
+.p2align	5
+#endif /* __APPLE__ */
+L_avx2_rorx_sha512_flip_mask:
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+.quad	0x1020304050607, 0x8090a0b0c0d0e0f
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX2_RORX
+.type	Transform_Sha512_AVX2_RORX,@function
+.align	4
+Transform_Sha512_AVX2_RORX:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX2_RORX
+.p2align	2
+_Transform_Sha512_AVX2_RORX:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        subq	$0x88, %rsp
+        leaq	64(%rdi), %rcx
+        vmovdqa	L_avx2_rorx_sha512_flip_mask(%rip), %ymm15
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        vmovdqu	(%rcx), %ymm0
+        vmovdqu	32(%rcx), %ymm1
+        vpshufb	%ymm15, %ymm0, %ymm0
+        vpshufb	%ymm15, %ymm1, %ymm1
+        vmovdqu	64(%rcx), %ymm2
+        vmovdqu	96(%rcx), %ymm3
+        vpshufb	%ymm15, %ymm2, %ymm2
+        vpshufb	%ymm15, %ymm3, %ymm3
+        movl	$4, 128(%rsp)
+        leaq	L_avx2_rorx_sha512_k(%rip), %rsi
+        movq	%r9, %rbx
+        xorq	%rdx, %rdx
+        xorq	%r10, %rbx
+        # set_w_k: 0
+        vpaddq	(%rsi), %ymm0, %ymm8
+        vpaddq	32(%rsi), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        vpaddq	96(%rsi), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        # Start of 16 rounds
+L_sha256_len_avx2_rorx_start:
+        addq	$0x80, %rsi
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpblendd	$3, %ymm1, %ymm0, %ymm12
+        vpblendd	$3, %ymm3, %ymm2, %ymm13
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpermq	$57, %ymm13, %ymm13
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        vperm2I128	$0x81, %ymm3, %ymm3, %ymm14
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpaddq	%ymm0, %ymm13, %ymm0
+        vpaddq	%ymm0, %ymm8, %ymm0
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        vpor	%ymm11, %ymm10, %ymm10
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpsrlq	$6, %ymm14, %ymm11
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpxor	%ymm11, %ymm8, %ymm8
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vperm2I128	$8, %ymm0, %ymm0, %ymm14
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        vpaddq	(%rsi), %ymm0, %ymm8
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vmovdqu	%ymm8, (%rsp)
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpblendd	$3, %ymm2, %ymm1, %ymm12
+        vpblendd	$3, %ymm0, %ymm3, %ymm13
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpermq	$57, %ymm13, %ymm13
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        vperm2I128	$0x81, %ymm0, %ymm0, %ymm14
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpaddq	%ymm1, %ymm13, %ymm1
+        vpaddq	%ymm1, %ymm8, %ymm1
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        vpor	%ymm11, %ymm10, %ymm10
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpsrlq	$6, %ymm14, %ymm11
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpxor	%ymm11, %ymm8, %ymm8
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vperm2I128	$8, %ymm1, %ymm1, %ymm14
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        vpaddq	32(%rsi), %ymm1, %ymm8
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vmovdqu	%ymm8, 32(%rsp)
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpblendd	$3, %ymm3, %ymm2, %ymm12
+        vpblendd	$3, %ymm1, %ymm0, %ymm13
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpermq	$57, %ymm13, %ymm13
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        vperm2I128	$0x81, %ymm1, %ymm1, %ymm14
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpaddq	%ymm2, %ymm13, %ymm2
+        vpaddq	%ymm2, %ymm8, %ymm2
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        vpor	%ymm11, %ymm10, %ymm10
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpsrlq	$6, %ymm14, %ymm11
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpxor	%ymm11, %ymm8, %ymm8
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vperm2I128	$8, %ymm2, %ymm2, %ymm14
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        vpaddq	64(%rsi), %ymm2, %ymm8
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vmovdqu	%ymm8, 64(%rsp)
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpblendd	$3, %ymm0, %ymm3, %ymm12
+        vpblendd	$3, %ymm2, %ymm1, %ymm13
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpermq	$57, %ymm12, %ymm12
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpermq	$57, %ymm13, %ymm13
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        vperm2I128	$0x81, %ymm2, %ymm2, %ymm14
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpxor	%ymm10, %ymm8, %ymm8
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm11, %ymm8, %ymm8
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpaddq	%ymm3, %ymm13, %ymm3
+        vpaddq	%ymm3, %ymm8, %ymm3
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        vpor	%ymm11, %ymm10, %ymm10
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpsrlq	$6, %ymm14, %ymm11
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpxor	%ymm11, %ymm8, %ymm8
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vperm2I128	$8, %ymm3, %ymm3, %ymm14
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpsrlq	$19, %ymm14, %ymm8
+        vpsllq	$45, %ymm14, %ymm9
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpsrlq	$61, %ymm14, %ymm10
+        vpsllq	$3, %ymm14, %ymm11
+        vpor	%ymm9, %ymm8, %ymm8
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpxor	%ymm10, %ymm8, %ymm8
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$6, %ymm14, %ymm11
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        vpaddq	96(%rsi), %ymm3, %ymm8
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vmovdqu	%ymm8, 96(%rsp)
+        subl	$0x01, 128(%rsp)
+        jne	L_sha256_len_avx2_rorx_start
+        # rnd_all_4: 0-3
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	16(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	24(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_4: 4-7
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	32(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	40(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	48(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	56(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        # rnd_all_4: 8-11
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	64(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	72(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	80(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	88(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_4: 12-15
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	96(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	104(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        addq	%rdx, %r8
+        addq	%r8, (%rdi)
+        addq	%r9, 8(%rdi)
+        addq	%r10, 16(%rdi)
+        addq	%r11, 24(%rdi)
+        addq	%r12, 32(%rdi)
+        addq	%r13, 40(%rdi)
+        addq	%r14, 48(%rdi)
+        addq	%r15, 56(%rdi)
+        xorq	%rax, %rax
+        vzeroupper
+        addq	$0x88, %rsp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX2_RORX,.-Transform_Sha512_AVX2_RORX
+#endif /* __APPLE__ */
+#ifndef __APPLE__
+.text
+.globl	Transform_Sha512_AVX2_RORX_Len
+.type	Transform_Sha512_AVX2_RORX_Len,@function
+.align	4
+Transform_Sha512_AVX2_RORX_Len:
+#else
+.section	__TEXT,__text
+.globl	_Transform_Sha512_AVX2_RORX_Len
+.p2align	2
+_Transform_Sha512_AVX2_RORX_Len:
+#endif /* __APPLE__ */
+        pushq	%rbx
+        pushq	%r12
+        pushq	%r13
+        pushq	%r14
+        pushq	%r15
+        pushq	%rbp
+        testb	$0x80, %sil
+        je	L_sha512_len_avx2_rorx_block
+        movq	224(%rdi), %rax
+        push	%rsi
+        vmovdqu	(%rax), %ymm0
+        vmovdqu	32(%rax), %ymm1
+        vmovdqu	64(%rax), %ymm2
+        vmovdqu	96(%rax), %ymm3
+        vmovups	%ymm0, 64(%rdi)
+        vmovups	%ymm1, 96(%rdi)
+        vmovups	%ymm2, 128(%rdi)
+        vmovups	%ymm3, 160(%rdi)
+#ifndef __APPLE__
+        call	Transform_Sha512_AVX2_RORX@plt
+#else
+        call	_Transform_Sha512_AVX2_RORX
+#endif /* __APPLE__ */
+        pop	%rsi
+        addq	$0x80, 224(%rdi)
+        subl	$0x80, %esi
+        jz	L_sha512_len_avx2_rorx_done
+L_sha512_len_avx2_rorx_block:
+        movq	224(%rdi), %rax
+        vmovdqa	L_avx2_rorx_sha512_flip_mask(%rip), %ymm15
+        movq	(%rdi), %r8
+        movq	8(%rdi), %r9
+        movq	16(%rdi), %r10
+        movq	24(%rdi), %r11
+        movq	32(%rdi), %r12
+        movq	40(%rdi), %r13
+        movq	48(%rdi), %r14
+        movq	56(%rdi), %r15
+        # Start of loop processing two blocks
+L_sha512_len_avx2_rorx_begin:
+        subq	$0x540, %rsp
+        leaq	L_avx2_rorx_sha512_k_2(%rip), %rbp
+        movq	%r9, %rbx
+        xorq	%rdx, %rdx
+        vmovdqu	(%rax), %xmm0
+        vmovdqu	16(%rax), %xmm1
+        vinserti128	$0x01, 128(%rax), %ymm0, %ymm0
+        vinserti128	$0x01, 144(%rax), %ymm1, %ymm1
+        vpshufb	%ymm15, %ymm0, %ymm0
+        vpshufb	%ymm15, %ymm1, %ymm1
+        vmovdqu	32(%rax), %xmm2
+        vmovdqu	48(%rax), %xmm3
+        vinserti128	$0x01, 160(%rax), %ymm2, %ymm2
+        vinserti128	$0x01, 176(%rax), %ymm3, %ymm3
+        vpshufb	%ymm15, %ymm2, %ymm2
+        vpshufb	%ymm15, %ymm3, %ymm3
+        vmovdqu	64(%rax), %xmm4
+        vmovdqu	80(%rax), %xmm5
+        vinserti128	$0x01, 192(%rax), %ymm4, %ymm4
+        vinserti128	$0x01, 208(%rax), %ymm5, %ymm5
+        vpshufb	%ymm15, %ymm4, %ymm4
+        vpshufb	%ymm15, %ymm5, %ymm5
+        vmovdqu	96(%rax), %xmm6
+        vmovdqu	112(%rax), %xmm7
+        vinserti128	$0x01, 224(%rax), %ymm6, %ymm6
+        vinserti128	$0x01, 240(%rax), %ymm7, %ymm7
+        vpshufb	%ymm15, %ymm6, %ymm6
+        vpshufb	%ymm15, %ymm7, %ymm7
+        xorq	%r10, %rbx
+        # Start of 16 rounds
+L_sha512_len_avx2_rorx_start:
+        vpaddq	(%rbp), %ymm0, %ymm8
+        vpaddq	32(%rbp), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rbp), %ymm2, %ymm8
+        vpaddq	96(%rbp), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        vpaddq	128(%rbp), %ymm4, %ymm8
+        vpaddq	160(%rbp), %ymm5, %ymm9
+        vmovdqu	%ymm8, 128(%rsp)
+        vmovdqu	%ymm9, 160(%rsp)
+        vpaddq	192(%rbp), %ymm6, %ymm8
+        vpaddq	224(%rbp), %ymm7, %ymm9
+        vmovdqu	%ymm8, 192(%rsp)
+        vmovdqu	%ymm9, 224(%rsp)
+        # msg_sched: 0-1
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %ymm0, %ymm1, %ymm12
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm4, %ymm5, %ymm13
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm0, %ymm13, %ymm0
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %ymm7, %ymm8
+        vpsllq	$45, %ymm7, %ymm9
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm7, %ymm10
+        vpsllq	$3, %ymm7, %ymm11
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm7, %ymm11
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%ymm0, %ymm8, %ymm0
+        # msg_sched done: 0-3
+        # msg_sched: 4-5
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %ymm1, %ymm2, %ymm12
+        addq	32(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm5, %ymm6, %ymm13
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm1, %ymm13, %ymm1
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %ymm0, %ymm8
+        vpsllq	$45, %ymm0, %ymm9
+        addq	40(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm0, %ymm10
+        vpsllq	$3, %ymm0, %ymm11
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm0, %ymm11
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%ymm1, %ymm8, %ymm1
+        # msg_sched done: 4-7
+        # msg_sched: 8-9
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %ymm2, %ymm3, %ymm12
+        addq	64(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm6, %ymm7, %ymm13
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm2, %ymm13, %ymm2
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %ymm1, %ymm8
+        vpsllq	$45, %ymm1, %ymm9
+        addq	72(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm1, %ymm10
+        vpsllq	$3, %ymm1, %ymm11
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm1, %ymm11
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%ymm2, %ymm8, %ymm2
+        # msg_sched done: 8-11
+        # msg_sched: 12-13
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %ymm3, %ymm4, %ymm12
+        addq	96(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm7, %ymm0, %ymm13
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm3, %ymm13, %ymm3
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %ymm2, %ymm8
+        vpsllq	$45, %ymm2, %ymm9
+        addq	104(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm2, %ymm10
+        vpsllq	$3, %ymm2, %ymm11
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm2, %ymm11
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%ymm3, %ymm8, %ymm3
+        # msg_sched done: 12-15
+        # msg_sched: 16-17
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        vpalignr	$8, %ymm4, %ymm5, %ymm12
+        addq	128(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm0, %ymm1, %ymm13
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm4, %ymm13, %ymm4
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        vpaddq	%ymm4, %ymm8, %ymm4
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        vpsrlq	$19, %ymm3, %ymm8
+        vpsllq	$45, %ymm3, %ymm9
+        addq	136(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm3, %ymm10
+        vpsllq	$3, %ymm3, %ymm11
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm3, %ymm11
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        vpaddq	%ymm4, %ymm8, %ymm4
+        # msg_sched done: 16-19
+        # msg_sched: 20-21
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        vpalignr	$8, %ymm5, %ymm6, %ymm12
+        addq	160(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm1, %ymm2, %ymm13
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm5, %ymm13, %ymm5
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        vpaddq	%ymm5, %ymm8, %ymm5
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        vpsrlq	$19, %ymm4, %ymm8
+        vpsllq	$45, %ymm4, %ymm9
+        addq	168(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm4, %ymm10
+        vpsllq	$3, %ymm4, %ymm11
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm4, %ymm11
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        vpaddq	%ymm5, %ymm8, %ymm5
+        # msg_sched done: 20-23
+        # msg_sched: 24-25
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        vpalignr	$8, %ymm6, %ymm7, %ymm12
+        addq	192(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm2, %ymm3, %ymm13
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm6, %ymm13, %ymm6
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        vpaddq	%ymm6, %ymm8, %ymm6
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        vpsrlq	$19, %ymm5, %ymm8
+        vpsllq	$45, %ymm5, %ymm9
+        addq	200(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm5, %ymm10
+        vpsllq	$3, %ymm5, %ymm11
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm5, %ymm11
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        vpaddq	%ymm6, %ymm8, %ymm6
+        # msg_sched done: 24-27
+        # msg_sched: 28-29
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        vpalignr	$8, %ymm7, %ymm0, %ymm12
+        addq	224(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        vpalignr	$8, %ymm3, %ymm4, %ymm13
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        vpsrlq	$0x01, %ymm12, %ymm8
+        vpsllq	$63, %ymm12, %ymm9
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        vpsrlq	$8, %ymm12, %ymm10
+        vpsllq	$56, %ymm12, %ymm11
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        vpsrlq	$7, %ymm12, %ymm11
+        vpxor	%ymm10, %ymm8, %ymm8
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        vpxor	%ymm11, %ymm8, %ymm8
+        vpaddq	%ymm7, %ymm13, %ymm7
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        vpaddq	%ymm7, %ymm8, %ymm7
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        vpsrlq	$19, %ymm6, %ymm8
+        vpsllq	$45, %ymm6, %ymm9
+        addq	232(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        vpsrlq	$61, %ymm6, %ymm10
+        vpsllq	$3, %ymm6, %ymm11
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        vpor	%ymm9, %ymm8, %ymm8
+        vpor	%ymm11, %ymm10, %ymm10
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        vpxor	%ymm10, %ymm8, %ymm8
+        vpsrlq	$6, %ymm6, %ymm11
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        vpxor	%ymm11, %ymm8, %ymm8
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        vpaddq	%ymm7, %ymm8, %ymm7
+        # msg_sched done: 28-31
+        addq	$0x100, %rbp
+        addq	$0x100, %rsp
+        cmpq	L_avx2_rorx_sha512_k_2_end(%rip), %rbp
+        jne	L_sha512_len_avx2_rorx_start
+        vpaddq	(%rbp), %ymm0, %ymm8
+        vpaddq	32(%rbp), %ymm1, %ymm9
+        vmovdqu	%ymm8, (%rsp)
+        vmovdqu	%ymm9, 32(%rsp)
+        vpaddq	64(%rbp), %ymm2, %ymm8
+        vpaddq	96(%rbp), %ymm3, %ymm9
+        vmovdqu	%ymm8, 64(%rsp)
+        vmovdqu	%ymm9, 96(%rsp)
+        vpaddq	128(%rbp), %ymm4, %ymm8
+        vpaddq	160(%rbp), %ymm5, %ymm9
+        vmovdqu	%ymm8, 128(%rsp)
+        vmovdqu	%ymm9, 160(%rsp)
+        vpaddq	192(%rbp), %ymm6, %ymm8
+        vpaddq	224(%rbp), %ymm7, %ymm9
+        vmovdqu	%ymm8, 192(%rsp)
+        vmovdqu	%ymm9, 224(%rsp)
+        # rnd_all_2: 0-1
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	8(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 4-5
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	32(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	40(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 8-9
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	64(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	72(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 12-13
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	96(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	104(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        # rnd_all_2: 16-17
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	128(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	136(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 20-21
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	160(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	168(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 24-25
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	192(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	200(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 28-29
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	224(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	232(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        addq	%rdx, %r8
+        subq	$0x400, %rsp
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        movq	%r9, %rbx
+        xorq	%rdx, %rdx
+        xorq	%r10, %rbx
+        movq	$5, %rbp
+L_sha512_len_avx2_rorx_tail:
+        # rnd_all_2: 2-3
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	16(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	24(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 6-7
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	48(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	56(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 10-11
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	80(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	88(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 14-15
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	112(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	120(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        # rnd_all_2: 18-19
+        rorxq	$14, %r12, %rax
+        rorxq	$18, %r12, %rcx
+        addq	%rdx, %r8
+        addq	144(%rsp), %r15
+        movq	%r13, %rdx
+        xorq	%rax, %rcx
+        xorq	%r14, %rdx
+        rorxq	$41, %r12, %rax
+        xorq	%rcx, %rax
+        andq	%r12, %rdx
+        addq	%rax, %r15
+        rorxq	$28, %r8, %rax
+        rorxq	$34, %r8, %rcx
+        xorq	%r14, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r8, %rax
+        addq	%rdx, %r15
+        xorq	%rcx, %rax
+        movq	%r9, %rdx
+        addq	%r15, %r11
+        xorq	%r8, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r15
+        xorq	%r9, %rbx
+        rorxq	$14, %r11, %rax
+        rorxq	$18, %r11, %rcx
+        addq	%rbx, %r15
+        addq	152(%rsp), %r14
+        movq	%r12, %rbx
+        xorq	%rax, %rcx
+        xorq	%r13, %rbx
+        rorxq	$41, %r11, %rax
+        xorq	%rcx, %rax
+        andq	%r11, %rbx
+        addq	%rax, %r14
+        rorxq	$28, %r15, %rax
+        rorxq	$34, %r15, %rcx
+        xorq	%r13, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r15, %rax
+        addq	%rbx, %r14
+        xorq	%rcx, %rax
+        movq	%r8, %rbx
+        leaq	(%r10,%r14,1), %r10
+        xorq	%r15, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r14
+        xorq	%r8, %rdx
+        # rnd_all_2: 22-23
+        rorxq	$14, %r10, %rax
+        rorxq	$18, %r10, %rcx
+        addq	%rdx, %r14
+        addq	176(%rsp), %r13
+        movq	%r11, %rdx
+        xorq	%rax, %rcx
+        xorq	%r12, %rdx
+        rorxq	$41, %r10, %rax
+        xorq	%rcx, %rax
+        andq	%r10, %rdx
+        addq	%rax, %r13
+        rorxq	$28, %r14, %rax
+        rorxq	$34, %r14, %rcx
+        xorq	%r12, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r14, %rax
+        addq	%rdx, %r13
+        xorq	%rcx, %rax
+        movq	%r15, %rdx
+        addq	%r13, %r9
+        xorq	%r14, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r13
+        xorq	%r15, %rbx
+        rorxq	$14, %r9, %rax
+        rorxq	$18, %r9, %rcx
+        addq	%rbx, %r13
+        addq	184(%rsp), %r12
+        movq	%r10, %rbx
+        xorq	%rax, %rcx
+        xorq	%r11, %rbx
+        rorxq	$41, %r9, %rax
+        xorq	%rcx, %rax
+        andq	%r9, %rbx
+        addq	%rax, %r12
+        rorxq	$28, %r13, %rax
+        rorxq	$34, %r13, %rcx
+        xorq	%r11, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r13, %rax
+        addq	%rbx, %r12
+        xorq	%rcx, %rax
+        movq	%r14, %rbx
+        leaq	(%r8,%r12,1), %r8
+        xorq	%r13, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r12
+        xorq	%r14, %rdx
+        # rnd_all_2: 26-27
+        rorxq	$14, %r8, %rax
+        rorxq	$18, %r8, %rcx
+        addq	%rdx, %r12
+        addq	208(%rsp), %r11
+        movq	%r9, %rdx
+        xorq	%rax, %rcx
+        xorq	%r10, %rdx
+        rorxq	$41, %r8, %rax
+        xorq	%rcx, %rax
+        andq	%r8, %rdx
+        addq	%rax, %r11
+        rorxq	$28, %r12, %rax
+        rorxq	$34, %r12, %rcx
+        xorq	%r10, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r12, %rax
+        addq	%rdx, %r11
+        xorq	%rcx, %rax
+        movq	%r13, %rdx
+        addq	%r11, %r15
+        xorq	%r12, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r11
+        xorq	%r13, %rbx
+        rorxq	$14, %r15, %rax
+        rorxq	$18, %r15, %rcx
+        addq	%rbx, %r11
+        addq	216(%rsp), %r10
+        movq	%r8, %rbx
+        xorq	%rax, %rcx
+        xorq	%r9, %rbx
+        rorxq	$41, %r15, %rax
+        xorq	%rcx, %rax
+        andq	%r15, %rbx
+        addq	%rax, %r10
+        rorxq	$28, %r11, %rax
+        rorxq	$34, %r11, %rcx
+        xorq	%r9, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r11, %rax
+        addq	%rbx, %r10
+        xorq	%rcx, %rax
+        movq	%r12, %rbx
+        leaq	(%r14,%r10,1), %r14
+        xorq	%r11, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r10
+        xorq	%r12, %rdx
+        # rnd_all_2: 30-31
+        rorxq	$14, %r14, %rax
+        rorxq	$18, %r14, %rcx
+        addq	%rdx, %r10
+        addq	240(%rsp), %r9
+        movq	%r15, %rdx
+        xorq	%rax, %rcx
+        xorq	%r8, %rdx
+        rorxq	$41, %r14, %rax
+        xorq	%rcx, %rax
+        andq	%r14, %rdx
+        addq	%rax, %r9
+        rorxq	$28, %r10, %rax
+        rorxq	$34, %r10, %rcx
+        xorq	%r8, %rdx
+        xorq	%rax, %rcx
+        rorxq	$39, %r10, %rax
+        addq	%rdx, %r9
+        xorq	%rcx, %rax
+        movq	%r11, %rdx
+        addq	%r9, %r13
+        xorq	%r10, %rdx
+        andq	%rdx, %rbx
+        addq	%rax, %r9
+        xorq	%r11, %rbx
+        rorxq	$14, %r13, %rax
+        rorxq	$18, %r13, %rcx
+        addq	%rbx, %r9
+        addq	248(%rsp), %r8
+        movq	%r14, %rbx
+        xorq	%rax, %rcx
+        xorq	%r15, %rbx
+        rorxq	$41, %r13, %rax
+        xorq	%rcx, %rax
+        andq	%r13, %rbx
+        addq	%rax, %r8
+        rorxq	$28, %r9, %rax
+        rorxq	$34, %r9, %rcx
+        xorq	%r15, %rbx
+        xorq	%rax, %rcx
+        rorxq	$39, %r9, %rax
+        addq	%rbx, %r8
+        xorq	%rcx, %rax
+        movq	%r10, %rbx
+        leaq	(%r12,%r8,1), %r12
+        xorq	%r9, %rbx
+        andq	%rbx, %rdx
+        addq	%rax, %r8
+        xorq	%r10, %rdx
+        addq	$0x100, %rsp
+        subq	$0x01, %rbp
+        jnz	L_sha512_len_avx2_rorx_tail
+        addq	%rdx, %r8
+        addq	(%rdi), %r8
+        addq	8(%rdi), %r9
+        addq	16(%rdi), %r10
+        addq	24(%rdi), %r11
+        addq	32(%rdi), %r12
+        addq	40(%rdi), %r13
+        addq	48(%rdi), %r14
+        addq	56(%rdi), %r15
+        movq	224(%rdi), %rax
+        addq	$0x40, %rsp
+        addq	$0x100, %rax
+        subl	$0x100, %esi
+        movq	%rax, 224(%rdi)
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        jnz	L_sha512_len_avx2_rorx_begin
+L_sha512_len_avx2_rorx_done:
+        xorq	%rax, %rax
+        vzeroupper
+        popq	%rbp
+        popq	%r15
+        popq	%r14
+        popq	%r13
+        popq	%r12
+        popq	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	Transform_Sha512_AVX2_RORX_Len,.-Transform_Sha512_AVX2_RORX_Len
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/signature.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/signature.c
new file mode 100644
index 000000000..5d503338a
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/signature.c
@@ -0,0 +1,559 @@
+/* signature.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/signature.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#ifndef NO_ASN
+#include <wolfssl/wolfcrypt/asn.h>
+#endif
+#ifdef HAVE_ECC
+#include <wolfssl/wolfcrypt/ecc.h>
+#endif
+#ifndef NO_RSA
+#include <wolfssl/wolfcrypt/rsa.h>
+#endif
+
+/* If ECC and RSA are disabled then disable signature wrapper */
+#if (!defined(HAVE_ECC) || (defined(HAVE_ECC) && !defined(HAVE_ECC_SIGN) \
+    && !defined(HAVE_ECC_VERIFY))) && defined(NO_RSA)
+    #undef NO_SIG_WRAPPER
+    #define NO_SIG_WRAPPER
+#endif
+
+/* Signature wrapper disabled check */
+#ifndef NO_SIG_WRAPPER
+
+#if !defined(NO_RSA) && !defined(NO_ASN)
+static int wc_SignatureDerEncode(enum wc_HashType hash_type, byte* hash_data,
+    word32 hash_len, word32* hash_enc_len)
+{
+    int ret, oid;
+
+    ret = wc_HashGetOID(hash_type);
+    if (ret < 0) {
+        return ret;
+    }
+    oid = ret;
+
+    ret = wc_EncodeSignature(hash_data, hash_data, hash_len, oid);
+    if (ret > 0) {
+        *hash_enc_len = ret;
+        ret = 0;
+    }
+
+    return ret;
+}
+#endif /* !NO_RSA && !NO_ASN */
+
+int wc_SignatureGetSize(enum wc_SignatureType sig_type,
+    const void* key, word32 key_len)
+{
+    int sig_len = BAD_FUNC_ARG;
+
+    /* Suppress possible unused args if all signature types are disabled */
+    (void)key;
+    (void)key_len;
+
+    switch(sig_type) {
+        case WC_SIGNATURE_TYPE_ECC:
+#ifdef HAVE_ECC
+            /* Sanity check that void* key is at least ecc_key in size */
+            if (key_len >= sizeof(ecc_key)) {
+                sig_len = wc_ecc_sig_size((ecc_key*)key);
+            }
+            else {
+                WOLFSSL_MSG("wc_SignatureGetSize: Invalid ECC key size");
+            }
+#else
+            sig_len = SIG_TYPE_E;
+#endif
+            break;
+
+        case WC_SIGNATURE_TYPE_RSA_W_ENC:
+        case WC_SIGNATURE_TYPE_RSA:
+#ifndef NO_RSA
+            /* Sanity check that void* key is at least RsaKey in size */
+            if (key_len >= sizeof(RsaKey)) {
+                sig_len = wc_RsaEncryptSize((RsaKey*)key);
+            }
+            else {
+                WOLFSSL_MSG("wc_SignatureGetSize: Invalid RsaKey key size");
+            }
+#else
+            sig_len = SIG_TYPE_E;
+#endif
+            break;
+
+        case WC_SIGNATURE_TYPE_NONE:
+        default:
+            sig_len = BAD_FUNC_ARG;
+            break;
+    }
+    return sig_len;
+}
+
+int wc_SignatureVerifyHash(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* hash_data, word32 hash_len,
+    const byte* sig, word32 sig_len,
+    const void* key, word32 key_len)
+{
+    int ret;
+
+    /* Check arguments */
+    if (hash_data == NULL || hash_len == 0 ||
+        sig == NULL || sig_len == 0 ||
+        key == NULL || key_len == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate signature len (1 to max is okay) */
+    if ((int)sig_len > wc_SignatureGetSize(sig_type, key, key_len)) {
+        WOLFSSL_MSG("wc_SignatureVerify: Invalid sig type/len");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate hash size */
+    ret = wc_HashGetDigestSize(hash_type);
+    if (ret < 0) {
+        WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len");
+        return ret;
+    }
+    ret = 0;
+
+    /* Verify signature using hash */
+    switch (sig_type) {
+        case WC_SIGNATURE_TYPE_ECC:
+        {
+#if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
+            int is_valid_sig = 0;
+
+            /* Perform verification of signature using provided ECC key */
+            do {
+            #ifdef WOLFSSL_ASYNC_CRYPT
+                ret = wc_AsyncWait(ret, &((ecc_key*)key)->asyncDev,
+                    WC_ASYNC_FLAG_CALL_AGAIN);
+            #endif
+            if (ret >= 0)
+                ret = wc_ecc_verify_hash(sig, sig_len, hash_data, hash_len,
+                    &is_valid_sig, (ecc_key*)key);
+            } while (ret == WC_PENDING_E);
+            if (ret != 0 || is_valid_sig != 1) {
+                ret = SIG_VERIFY_E;
+            }
+#else
+            ret = SIG_TYPE_E;
+#endif
+            break;
+        }
+
+        case WC_SIGNATURE_TYPE_RSA_W_ENC:
+        case WC_SIGNATURE_TYPE_RSA:
+        {
+#ifndef NO_RSA
+#if defined(WOLFSSL_CRYPTOCELL)
+        /* the signature must propagate to the cryptocell to get verfied */
+        if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+            ret = cc310_RsaSSL_Verify(hash_data, hash_len,(byte*)sig, key,
+                                      CRYS_RSA_HASH_SHA256_mode);
+        }
+        else {
+            ret = cc310_RsaSSL_Verify(hash_data, hash_len,(byte*)sig, key,
+                                      CRYS_RSA_After_SHA256_mode);
+        }
+
+        if (ret != 0) {
+            WOLFSSL_MSG("RSA Signature Verify difference!");
+            ret = SIG_VERIFY_E;
+        }
+
+#else /* WOLFSSL_CRYPTOCELL */
+
+            word32 plain_len = hash_len;
+            byte *plain_data;
+
+            /* Make sure the plain text output is at least key size */
+            if (plain_len < sig_len) {
+                plain_len = sig_len;
+            }
+            plain_data = (byte*)XMALLOC(plain_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (plain_data) {
+                /* Perform verification of signature using provided RSA key */
+                do {
+                #ifdef WOLFSSL_ASYNC_CRYPT
+                    ret = wc_AsyncWait(ret, &((RsaKey*)key)->asyncDev,
+                        WC_ASYNC_FLAG_CALL_AGAIN);
+                #endif
+                if (ret >= 0)
+                    ret = wc_RsaSSL_Verify(sig, sig_len, plain_data,
+                        plain_len, (RsaKey*)key);
+                } while (ret == WC_PENDING_E);
+                if (ret >= 0) {
+                    if ((word32)ret == hash_len &&
+                            XMEMCMP(plain_data, hash_data, hash_len) == 0) {
+                        ret = 0; /* Success */
+                    }
+                    else {
+                        WOLFSSL_MSG("RSA Signature Verify difference!");
+                        ret = SIG_VERIFY_E;
+                    }
+                }
+                XFREE(plain_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            }
+            else {
+                ret = MEMORY_E;
+            }
+#endif /* !WOLFSSL_CRYPTOCELL */
+#else
+            ret = SIG_TYPE_E;
+#endif
+            break;
+        }
+
+        case WC_SIGNATURE_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+            break;
+    }
+
+    return ret;
+}
+
+int wc_SignatureVerify(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* data, word32 data_len,
+    const byte* sig, word32 sig_len,
+    const void* key, word32 key_len)
+{
+    int ret;
+    word32 hash_len, hash_enc_len;
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    byte *hash_data;
+#else
+    byte hash_data[MAX_DER_DIGEST_SZ];
+#endif
+
+    /* Check arguments */
+    if (data == NULL || data_len == 0 ||
+        sig == NULL || sig_len == 0 ||
+        key == NULL || key_len == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate signature len (1 to max is okay) */
+    if ((int)sig_len > wc_SignatureGetSize(sig_type, key, key_len)) {
+        WOLFSSL_MSG("wc_SignatureVerify: Invalid sig type/len");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate hash size */
+    ret = wc_HashGetDigestSize(hash_type);
+    if (ret < 0) {
+        WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len");
+        return ret;
+    }
+    hash_enc_len = hash_len = ret;
+
+#ifndef NO_RSA
+    if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+        /* For RSA with ASN.1 encoding include room */
+        hash_enc_len += MAX_DER_DIGEST_ASN_SZ;
+    }
+#endif
+
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    /* Allocate temporary buffer for hash data */
+    hash_data = (byte*)XMALLOC(hash_enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (hash_data == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    /* Perform hash of data */
+    ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len);
+    if (ret == 0) {
+        /* Handle RSA with DER encoding */
+        if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+        #if defined(NO_RSA) || defined(NO_ASN)
+            ret = SIG_TYPE_E;
+        #else
+            ret = wc_SignatureDerEncode(hash_type, hash_data, hash_len,
+                &hash_enc_len);
+        #endif
+        }
+
+        if (ret == 0) {
+#if defined(WOLFSSL_CRYPTOCELL)
+            if ((sig_type == WC_SIGNATURE_TYPE_RSA)
+                || (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC)) {
+                if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+                    ret = cc310_RsaSSL_Verify(hash_data, hash_len, sig, key,
+                                              cc310_hashModeRSA(hash_type, 0));
+                }
+                else {
+                    ret = cc310_RsaSSL_Verify(hash_data, hash_len, sig, key,
+                                              cc310_hashModeRSA(hash_type, 1));
+                }
+            }
+#else
+            /* Verify signature using hash */
+            ret = wc_SignatureVerifyHash(hash_type, sig_type,
+                hash_data, hash_enc_len, sig, sig_len, key, key_len);
+#endif /* WOLFSSL_CRYPTOCELL */
+        }
+    }
+
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+int wc_SignatureGenerateHash(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* hash_data, word32 hash_len,
+    byte* sig, word32 *sig_len,
+    const void* key, word32 key_len, WC_RNG* rng)
+{
+    return wc_SignatureGenerateHash_ex(hash_type, sig_type, hash_data, hash_len,
+        sig, sig_len, key, key_len, rng, 1);
+}
+
+int wc_SignatureGenerateHash_ex(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* hash_data, word32 hash_len,
+    byte* sig, word32 *sig_len,
+    const void* key, word32 key_len, WC_RNG* rng, int verify)
+{
+    int ret;
+
+    /* Suppress possible unused arg if all signature types are disabled */
+    (void)rng;
+
+    /* Check arguments */
+    if (hash_data == NULL || hash_len == 0 ||
+        sig == NULL || sig_len == NULL || *sig_len == 0 ||
+        key == NULL || key_len == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate signature len (needs to be at least max) */
+    if ((int)*sig_len < wc_SignatureGetSize(sig_type, key, key_len)) {
+        WOLFSSL_MSG("wc_SignatureGenerate: Invalid sig type/len");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate hash size */
+    ret = wc_HashGetDigestSize(hash_type);
+    if (ret < 0) {
+        WOLFSSL_MSG("wc_SignatureGenerate: Invalid hash type/len");
+        return ret;
+    }
+    ret = 0;
+
+    /* Create signature using hash as data */
+    switch (sig_type) {
+        case WC_SIGNATURE_TYPE_ECC:
+#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN)
+            /* Create signature using provided ECC key */
+            do {
+            #ifdef WOLFSSL_ASYNC_CRYPT
+                ret = wc_AsyncWait(ret, &((ecc_key*)key)->asyncDev,
+                    WC_ASYNC_FLAG_CALL_AGAIN);
+            #endif
+            if (ret >= 0)
+                ret = wc_ecc_sign_hash(hash_data, hash_len, sig, sig_len,
+                    rng, (ecc_key*)key);
+            } while (ret == WC_PENDING_E);
+#else
+            ret = SIG_TYPE_E;
+#endif
+            break;
+
+        case WC_SIGNATURE_TYPE_RSA_W_ENC:
+        case WC_SIGNATURE_TYPE_RSA:
+#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    #if defined(WOLFSSL_CRYPTOCELL)
+        if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+            ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key,
+                                    cc310_hashModeRSA(hash_type, 0));
+            }
+        else {
+            ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, key,
+                                    cc310_hashModeRSA(hash_type, 1));
+        }
+    #else
+            /* Create signature using provided RSA key */
+            do {
+            #ifdef WOLFSSL_ASYNC_CRYPT
+                ret = wc_AsyncWait(ret, &((RsaKey*)key)->asyncDev,
+                    WC_ASYNC_FLAG_CALL_AGAIN);
+            #endif
+                if (ret >= 0)
+                    ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
+                        (RsaKey*)key, rng);
+            } while (ret == WC_PENDING_E);
+     #endif /* WOLFSSL_CRYPTOCELL */
+            if (ret >= 0) {
+                *sig_len = ret;
+                ret = 0; /* Success */
+            }
+#else
+            ret = SIG_TYPE_E;
+#endif
+            break;
+
+        case WC_SIGNATURE_TYPE_NONE:
+        default:
+            ret = BAD_FUNC_ARG;
+            break;
+    }
+
+    if (ret == 0 && verify) {
+        ret = wc_SignatureVerifyHash(hash_type, sig_type, hash_data, hash_len,
+            sig, *sig_len, key, key_len);
+    }
+
+    return ret;
+}
+
+int wc_SignatureGenerate(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* data, word32 data_len,
+    byte* sig, word32 *sig_len,
+    const void* key, word32 key_len, WC_RNG* rng)
+{
+    return wc_SignatureGenerate_ex(hash_type, sig_type, data, data_len, sig,
+        sig_len, key, key_len, rng, 1);
+}
+
+int wc_SignatureGenerate_ex(
+    enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+    const byte* data, word32 data_len,
+    byte* sig, word32 *sig_len,
+    const void* key, word32 key_len, WC_RNG* rng, int verify)
+{
+    int ret;
+    word32 hash_len, hash_enc_len;
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    byte *hash_data;
+#else
+    byte hash_data[MAX_DER_DIGEST_SZ];
+#endif
+
+    /* Check arguments */
+    if (data == NULL || data_len == 0 ||
+        sig == NULL || sig_len == NULL || *sig_len == 0 ||
+        key == NULL || key_len == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate signature len (needs to be at least max) */
+    if ((int)*sig_len < wc_SignatureGetSize(sig_type, key, key_len)) {
+        WOLFSSL_MSG("wc_SignatureGenerate: Invalid sig type/len");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate hash size */
+    ret = wc_HashGetDigestSize(hash_type);
+    if (ret < 0) {
+        WOLFSSL_MSG("wc_SignatureGenerate: Invalid hash type/len");
+        return ret;
+    }
+    hash_enc_len = hash_len = ret;
+
+#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+        /* For RSA with ASN.1 encoding include room */
+        hash_enc_len += MAX_DER_DIGEST_ASN_SZ;
+    }
+#endif
+
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    /* Allocate temporary buffer for hash data */
+    hash_data = (byte*)XMALLOC(hash_enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (hash_data == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    /* Perform hash of data */
+    ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len);
+    if (ret == 0) {
+        /* Handle RSA with DER encoding */
+        if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+        #if defined(NO_RSA) || defined(NO_ASN) || \
+                                                defined(WOLFSSL_RSA_PUBLIC_ONLY)
+            ret = SIG_TYPE_E;
+        #else
+            ret = wc_SignatureDerEncode(hash_type, hash_data, hash_len,
+                &hash_enc_len);
+        #endif
+        }
+        if (ret == 0) {
+#if defined(WOLFSSL_CRYPTOCELL)
+            if ((sig_type == WC_SIGNATURE_TYPE_RSA)
+                || (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC)) {
+                if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
+                    ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
+                                         key, cc310_hashModeRSA(hash_type, 0));
+                }
+                else {
+                    ret = cc310_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len,
+                                         key, cc310_hashModeRSA(hash_type, 1));
+                }
+
+                if (ret == *sig_len) {
+                    ret = 0;
+                }
+             }
+        }
+     }
+#else
+            /* Generate signature using hash */
+            ret = wc_SignatureGenerateHash(hash_type, sig_type,
+                hash_data, hash_enc_len, sig, sig_len, key, key_len, rng);
+        }
+    }
+
+    if (ret == 0 && verify) {
+        ret = wc_SignatureVerifyHash(hash_type, sig_type, hash_data,
+            hash_enc_len, sig, *sig_len, key, key_len);
+    }
+#endif /* WOLFSSL_CRYPTOCELL */
+
+#if defined(WOLFSSL_SMALL_STACK) || defined(NO_ASN)
+    XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+#endif /* NO_SIG_WRAPPER */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm32.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm32.c
new file mode 100644
index 000000000..4540dde65
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm32.c
@@ -0,0 +1,89057 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifdef WOLFSSL_SP_ARM32_ASM
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 2048 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<64 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #32\n\t"
+        "mov	r10, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r3, r4, r8, r9\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [sp]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #28]\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "ldr	r3, [sp, #0]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r6, [sp, #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r6, [sp, #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "add	sp, sp, #32\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #32\n\t"
+        "mov	r14, #0\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "umull	r8, r3, r10, r10\n\t"
+        "mov	r4, #0\n\t"
+        "str	r8, [sp]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #28]\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adc	r2, r2, r9\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r8, [sp, #12]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r8, [%[r], #12]\n\t"
+        "ldr	r2, [sp, #16]\n\t"
+        "ldr	r3, [sp, #20]\n\t"
+        "ldr	r4, [sp, #24]\n\t"
+        "ldr	r8, [sp, #28]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r8, [%[r], #28]\n\t"
+        "add	sp, sp, #32\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r8", "r9", "r10", "r8", "r5", "r6", "r7", "r14"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_16(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit b1[8];
+    sp_digit z2[16];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_8(a1, a, &a[8]);
+    cb = sp_2048_add_8(b1, b, &b[8]);
+    u  = ca & cb;
+    sp_2048_mul_8(z1, a1, b1);
+    sp_2048_mul_8(z2, &a[8], &b[8]);
+    sp_2048_mul_8(z0, a, b);
+    sp_2048_mask_8(r + 16, a1, 0 - cb);
+    sp_2048_mask_8(b1, b1, 0 - ca);
+    u += sp_2048_add_8(r + 16, r + 16, b1);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[16];
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit u;
+
+    u = sp_2048_add_8(a1, a, &a[8]);
+    sp_2048_sqr_8(z1, a1);
+    sp_2048_sqr_8(z2, &a[8]);
+    sp_2048_sqr_8(z0, a);
+    sp_2048_mask_8(r + 16, a1, 0 - u);
+    u += sp_2048_add_8(r + 16, r + 16, r + 16);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_32(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[a], #108]\n\t"
+        "ldr	r6, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "ldr	r8, [%[b], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #96]\n\t"
+        "str	r3, [%[a], #100]\n\t"
+        "str	r4, [%[a], #104]\n\t"
+        "str	r5, [%[a], #108]\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[a], #124]\n\t"
+        "ldr	r6, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "ldr	r8, [%[b], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #112]\n\t"
+        "str	r3, [%[a], #116]\n\t"
+        "str	r4, [%[a], #120]\n\t"
+        "str	r5, [%[a], #124]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit b1[16];
+    sp_digit z2[32];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_16(a1, a, &a[16]);
+    cb = sp_2048_add_16(b1, b, &b[16]);
+    u  = ca & cb;
+    sp_2048_mul_16(z1, a1, b1);
+    sp_2048_mul_16(z2, &a[16], &b[16]);
+    sp_2048_mul_16(z0, a, b);
+    sp_2048_mask_16(r + 32, a1, 0 - cb);
+    sp_2048_mask_16(b1, b1, 0 - ca);
+    u += sp_2048_add_16(r + 32, r + 32, b1);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[32];
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit u;
+
+    u = sp_2048_add_16(a1, a, &a[16]);
+    sp_2048_sqr_16(z1, a1);
+    sp_2048_sqr_16(z2, &a[16]);
+    sp_2048_sqr_16(z0, a);
+    sp_2048_mask_16(r + 32, a1, 0 - u);
+    u += sp_2048_add_16(r + 32, r + 32, r + 32);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_64(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[a], #108]\n\t"
+        "ldr	r6, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "ldr	r8, [%[b], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #96]\n\t"
+        "str	r3, [%[a], #100]\n\t"
+        "str	r4, [%[a], #104]\n\t"
+        "str	r5, [%[a], #108]\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[a], #124]\n\t"
+        "ldr	r6, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "ldr	r8, [%[b], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #112]\n\t"
+        "str	r3, [%[a], #116]\n\t"
+        "str	r4, [%[a], #120]\n\t"
+        "str	r5, [%[a], #124]\n\t"
+        "ldr	r2, [%[a], #128]\n\t"
+        "ldr	r3, [%[a], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r5, [%[a], #140]\n\t"
+        "ldr	r6, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "ldr	r8, [%[b], #136]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #128]\n\t"
+        "str	r3, [%[a], #132]\n\t"
+        "str	r4, [%[a], #136]\n\t"
+        "str	r5, [%[a], #140]\n\t"
+        "ldr	r2, [%[a], #144]\n\t"
+        "ldr	r3, [%[a], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r5, [%[a], #156]\n\t"
+        "ldr	r6, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "ldr	r8, [%[b], #152]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #144]\n\t"
+        "str	r3, [%[a], #148]\n\t"
+        "str	r4, [%[a], #152]\n\t"
+        "str	r5, [%[a], #156]\n\t"
+        "ldr	r2, [%[a], #160]\n\t"
+        "ldr	r3, [%[a], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r5, [%[a], #172]\n\t"
+        "ldr	r6, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "ldr	r8, [%[b], #168]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #160]\n\t"
+        "str	r3, [%[a], #164]\n\t"
+        "str	r4, [%[a], #168]\n\t"
+        "str	r5, [%[a], #172]\n\t"
+        "ldr	r2, [%[a], #176]\n\t"
+        "ldr	r3, [%[a], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r5, [%[a], #188]\n\t"
+        "ldr	r6, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "ldr	r8, [%[b], #184]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #176]\n\t"
+        "str	r3, [%[a], #180]\n\t"
+        "str	r4, [%[a], #184]\n\t"
+        "str	r5, [%[a], #188]\n\t"
+        "ldr	r2, [%[a], #192]\n\t"
+        "ldr	r3, [%[a], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r5, [%[a], #204]\n\t"
+        "ldr	r6, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "ldr	r8, [%[b], #200]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #192]\n\t"
+        "str	r3, [%[a], #196]\n\t"
+        "str	r4, [%[a], #200]\n\t"
+        "str	r5, [%[a], #204]\n\t"
+        "ldr	r2, [%[a], #208]\n\t"
+        "ldr	r3, [%[a], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r5, [%[a], #220]\n\t"
+        "ldr	r6, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "ldr	r8, [%[b], #216]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #208]\n\t"
+        "str	r3, [%[a], #212]\n\t"
+        "str	r4, [%[a], #216]\n\t"
+        "str	r5, [%[a], #220]\n\t"
+        "ldr	r2, [%[a], #224]\n\t"
+        "ldr	r3, [%[a], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r5, [%[a], #236]\n\t"
+        "ldr	r6, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "ldr	r8, [%[b], #232]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #224]\n\t"
+        "str	r3, [%[a], #228]\n\t"
+        "str	r4, [%[a], #232]\n\t"
+        "str	r5, [%[a], #236]\n\t"
+        "ldr	r2, [%[a], #240]\n\t"
+        "ldr	r3, [%[a], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r5, [%[a], #252]\n\t"
+        "ldr	r6, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "ldr	r8, [%[b], #248]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #240]\n\t"
+        "str	r3, [%[a], #244]\n\t"
+        "str	r4, [%[a], #248]\n\t"
+        "str	r5, [%[a], #252]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r5, [%[a], #132]\n\t"
+        "ldr	r6, [%[a], #136]\n\t"
+        "ldr	r7, [%[a], #140]\n\t"
+        "ldr	r8, [%[b], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "ldr	r10, [%[b], #136]\n\t"
+        "ldr	r14, [%[b], #140]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r5, [%[r], #132]\n\t"
+        "str	r6, [%[r], #136]\n\t"
+        "str	r7, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r5, [%[a], #148]\n\t"
+        "ldr	r6, [%[a], #152]\n\t"
+        "ldr	r7, [%[a], #156]\n\t"
+        "ldr	r8, [%[b], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "ldr	r10, [%[b], #152]\n\t"
+        "ldr	r14, [%[b], #156]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r5, [%[r], #148]\n\t"
+        "str	r6, [%[r], #152]\n\t"
+        "str	r7, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r5, [%[a], #164]\n\t"
+        "ldr	r6, [%[a], #168]\n\t"
+        "ldr	r7, [%[a], #172]\n\t"
+        "ldr	r8, [%[b], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "ldr	r10, [%[b], #168]\n\t"
+        "ldr	r14, [%[b], #172]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "str	r6, [%[r], #168]\n\t"
+        "str	r7, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r5, [%[a], #180]\n\t"
+        "ldr	r6, [%[a], #184]\n\t"
+        "ldr	r7, [%[a], #188]\n\t"
+        "ldr	r8, [%[b], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "ldr	r10, [%[b], #184]\n\t"
+        "ldr	r14, [%[b], #188]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r5, [%[r], #180]\n\t"
+        "str	r6, [%[r], #184]\n\t"
+        "str	r7, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r5, [%[a], #196]\n\t"
+        "ldr	r6, [%[a], #200]\n\t"
+        "ldr	r7, [%[a], #204]\n\t"
+        "ldr	r8, [%[b], #192]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "ldr	r10, [%[b], #200]\n\t"
+        "ldr	r14, [%[b], #204]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r5, [%[r], #196]\n\t"
+        "str	r6, [%[r], #200]\n\t"
+        "str	r7, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r5, [%[a], #212]\n\t"
+        "ldr	r6, [%[a], #216]\n\t"
+        "ldr	r7, [%[a], #220]\n\t"
+        "ldr	r8, [%[b], #208]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "ldr	r10, [%[b], #216]\n\t"
+        "ldr	r14, [%[b], #220]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "str	r6, [%[r], #216]\n\t"
+        "str	r7, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r5, [%[a], #228]\n\t"
+        "ldr	r6, [%[a], #232]\n\t"
+        "ldr	r7, [%[a], #236]\n\t"
+        "ldr	r8, [%[b], #224]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "ldr	r10, [%[b], #232]\n\t"
+        "ldr	r14, [%[b], #236]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r5, [%[r], #228]\n\t"
+        "str	r6, [%[r], #232]\n\t"
+        "str	r7, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r5, [%[a], #244]\n\t"
+        "ldr	r6, [%[a], #248]\n\t"
+        "ldr	r7, [%[a], #252]\n\t"
+        "ldr	r8, [%[b], #240]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "ldr	r10, [%[b], #248]\n\t"
+        "ldr	r14, [%[b], #252]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r5, [%[r], #244]\n\t"
+        "str	r6, [%[r], #248]\n\t"
+        "str	r7, [%[r], #252]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit b1[32];
+    sp_digit z2[64];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_32(a1, a, &a[32]);
+    cb = sp_2048_add_32(b1, b, &b[32]);
+    u  = ca & cb;
+    sp_2048_mul_32(z1, a1, b1);
+    sp_2048_mul_32(z2, &a[32], &b[32]);
+    sp_2048_mul_32(z0, a, b);
+    sp_2048_mask_32(r + 64, a1, 0 - cb);
+    sp_2048_mask_32(b1, b1, 0 - ca);
+    u += sp_2048_add_32(r + 64, r + 64, b1);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[64];
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit u;
+
+    u = sp_2048_add_32(a1, a, &a[32]);
+    sp_2048_sqr_32(z1, a1);
+    sp_2048_sqr_32(z2, &a[32]);
+    sp_2048_sqr_32(z0, a);
+    sp_2048_mask_32(r + 64, a1, 0 - u);
+    u += sp_2048_add_32(r + 64, r + 64, r + 64);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #256\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_64(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #256\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #512\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #252\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #256\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #504\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #512\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #252\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #256\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #504\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #128\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_32(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #128\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #256\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #124\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #128\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #248\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #256\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #124\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #128\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #248\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_2048_mul_d_64(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #256\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #256]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "# A[12] * B\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "# A[13] * B\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "# A[14] * B\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "# A[15] * B\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "# A[16] * B\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "# A[17] * B\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "# A[18] * B\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "# A[19] * B\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "# A[20] * B\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "# A[21] * B\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "# A[22] * B\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "# A[23] * B\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "# A[24] * B\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "# A[25] * B\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "# A[26] * B\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "# A[27] * B\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "# A[28] * B\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "# A[29] * B\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "# A[30] * B\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "# A[31] * B\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "# A[32] * B\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #128]\n\t"
+        "# A[33] * B\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "# A[34] * B\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "# A[35] * B\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #140]\n\t"
+        "# A[36] * B\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "# A[37] * B\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "# A[38] * B\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #152]\n\t"
+        "# A[39] * B\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #156]\n\t"
+        "# A[40] * B\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "# A[41] * B\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "# A[42] * B\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #168]\n\t"
+        "# A[43] * B\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #172]\n\t"
+        "# A[44] * B\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #176]\n\t"
+        "# A[45] * B\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "# A[46] * B\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "# A[47] * B\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #188]\n\t"
+        "# A[48] * B\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        "# A[49] * B\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #196]\n\t"
+        "# A[50] * B\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #200]\n\t"
+        "# A[51] * B\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #204]\n\t"
+        "# A[52] * B\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "# A[53] * B\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "# A[54] * B\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #216]\n\t"
+        "# A[55] * B\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #220]\n\t"
+        "# A[56] * B\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #224]\n\t"
+        "# A[57] * B\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #228]\n\t"
+        "# A[58] * B\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "# A[59] * B\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #236]\n\t"
+        "# A[60] * B\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #240]\n\t"
+        "# A[61] * B\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #244]\n\t"
+        "# A[62] * B\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #248]\n\t"
+        "# A[63] * B\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r3, [%[r], #252]\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_32(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 32);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_32(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_sub_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #128\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_32(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr	r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	r7, [%[m], #48]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	r7, [%[m], #52]\n\t"
+        "ldr	r9, [%[a], #52]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #52]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	r7, [%[m], #56]\n\t"
+        "ldr	r9, [%[a], #56]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #56]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	r7, [%[m], #60]\n\t"
+        "ldr	r9, [%[a], #60]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #60]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	r7, [%[m], #64]\n\t"
+        "ldr	r9, [%[a], #64]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #64]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	r7, [%[m], #68]\n\t"
+        "ldr	r9, [%[a], #68]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #68]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	r7, [%[m], #72]\n\t"
+        "ldr	r9, [%[a], #72]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #72]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	r7, [%[m], #76]\n\t"
+        "ldr	r9, [%[a], #76]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #76]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	r7, [%[m], #80]\n\t"
+        "ldr	r9, [%[a], #80]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #80]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	r7, [%[m], #84]\n\t"
+        "ldr	r9, [%[a], #84]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #84]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	r7, [%[m], #88]\n\t"
+        "ldr	r9, [%[a], #88]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #88]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	r7, [%[m], #92]\n\t"
+        "ldr	r9, [%[a], #92]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #92]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	r7, [%[m], #96]\n\t"
+        "ldr	r9, [%[a], #96]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #96]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	r7, [%[m], #100]\n\t"
+        "ldr	r9, [%[a], #100]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #100]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	r7, [%[m], #104]\n\t"
+        "ldr	r9, [%[a], #104]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #104]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	r7, [%[m], #108]\n\t"
+        "ldr	r9, [%[a], #108]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #108]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	r7, [%[m], #112]\n\t"
+        "ldr	r9, [%[a], #112]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #112]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	r7, [%[m], #116]\n\t"
+        "ldr	r9, [%[a], #116]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #116]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	r7, [%[m], #120]\n\t"
+        "ldr	r9, [%[a], #120]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #120]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	r7, [%[m], #124]\n\t"
+        "ldr   r9, [%[a], #124]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #124]\n\t"
+        "ldr	r9, [%[a], #128]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #128]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #128\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_2048_cond_sub_32(a - 32, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_32(r, a, b);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_32(r, a);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_2048_mul_d_32(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #128\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #128]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "# A[12] * B\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "# A[13] * B\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "# A[14] * B\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "# A[15] * B\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "# A[16] * B\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "# A[17] * B\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "# A[18] * B\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "# A[19] * B\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "# A[20] * B\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "# A[21] * B\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "# A[22] * B\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "# A[23] * B\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "# A[24] * B\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "# A[25] * B\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "# A[26] * B\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "# A[27] * B\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "# A[28] * B\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "# A[29] * B\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "# A[30] * B\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "# A[31] * B\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r7\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "str	r5, [%[r], #128]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_2048_word_32(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_2048_cmp_32(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #124\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #124]\n\t"
+        "ldr		r5, [%[b], #124]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #120]\n\t"
+        "ldr		r5, [%[b], #120]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #116]\n\t"
+        "ldr		r5, [%[b], #116]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #112]\n\t"
+        "ldr		r5, [%[b], #112]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #108]\n\t"
+        "ldr		r5, [%[b], #108]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #104]\n\t"
+        "ldr		r5, [%[b], #104]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #100]\n\t"
+        "ldr		r5, [%[b], #100]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #96]\n\t"
+        "ldr		r5, [%[b], #96]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #92]\n\t"
+        "ldr		r5, [%[b], #92]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #88]\n\t"
+        "ldr		r5, [%[b], #88]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #84]\n\t"
+        "ldr		r5, [%[b], #84]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #80]\n\t"
+        "ldr		r5, [%[b], #80]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #76]\n\t"
+        "ldr		r5, [%[b], #76]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #72]\n\t"
+        "ldr		r5, [%[b], #72]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #68]\n\t"
+        "ldr		r5, [%[b], #68]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #64]\n\t"
+        "ldr		r5, [%[b], #64]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #60]\n\t"
+        "ldr		r5, [%[b], #60]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #56]\n\t"
+        "ldr		r5, [%[b], #56]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #52]\n\t"
+        "ldr		r5, [%[b], #52]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #48]\n\t"
+        "ldr		r5, [%[b], #48]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+        sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_32(t1, d) >= 0;
+    sp_2048_cond_sub_32(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][64];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_64(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 64);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_64(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_sub_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #256\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r6, [%[a], #196]\n\t"
+        "ldr	r5, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r6, [%[r], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r6, [%[a], #204]\n\t"
+        "ldr	r5, [%[b], #200]\n\t"
+        "ldr	r7, [%[b], #204]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "str	r6, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r6, [%[a], #212]\n\t"
+        "ldr	r5, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r6, [%[r], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r6, [%[a], #220]\n\t"
+        "ldr	r5, [%[b], #216]\n\t"
+        "ldr	r7, [%[b], #220]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "str	r6, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r6, [%[a], #228]\n\t"
+        "ldr	r5, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r6, [%[r], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r6, [%[a], #236]\n\t"
+        "ldr	r5, [%[b], #232]\n\t"
+        "ldr	r7, [%[b], #236]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "str	r6, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r6, [%[a], #244]\n\t"
+        "ldr	r5, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r6, [%[r], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r6, [%[a], #252]\n\t"
+        "ldr	r5, [%[b], #248]\n\t"
+        "ldr	r7, [%[b], #252]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "str	r6, [%[r], #252]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_64(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr	r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	r7, [%[m], #48]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	r7, [%[m], #52]\n\t"
+        "ldr	r9, [%[a], #52]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #52]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	r7, [%[m], #56]\n\t"
+        "ldr	r9, [%[a], #56]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #56]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	r7, [%[m], #60]\n\t"
+        "ldr	r9, [%[a], #60]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #60]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	r7, [%[m], #64]\n\t"
+        "ldr	r9, [%[a], #64]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #64]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	r7, [%[m], #68]\n\t"
+        "ldr	r9, [%[a], #68]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #68]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	r7, [%[m], #72]\n\t"
+        "ldr	r9, [%[a], #72]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #72]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	r7, [%[m], #76]\n\t"
+        "ldr	r9, [%[a], #76]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #76]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	r7, [%[m], #80]\n\t"
+        "ldr	r9, [%[a], #80]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #80]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	r7, [%[m], #84]\n\t"
+        "ldr	r9, [%[a], #84]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #84]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	r7, [%[m], #88]\n\t"
+        "ldr	r9, [%[a], #88]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #88]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	r7, [%[m], #92]\n\t"
+        "ldr	r9, [%[a], #92]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #92]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	r7, [%[m], #96]\n\t"
+        "ldr	r9, [%[a], #96]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #96]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	r7, [%[m], #100]\n\t"
+        "ldr	r9, [%[a], #100]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #100]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	r7, [%[m], #104]\n\t"
+        "ldr	r9, [%[a], #104]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #104]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	r7, [%[m], #108]\n\t"
+        "ldr	r9, [%[a], #108]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #108]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	r7, [%[m], #112]\n\t"
+        "ldr	r9, [%[a], #112]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #112]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	r7, [%[m], #116]\n\t"
+        "ldr	r9, [%[a], #116]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #116]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	r7, [%[m], #120]\n\t"
+        "ldr	r9, [%[a], #120]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #120]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	r7, [%[m], #124]\n\t"
+        "ldr	r9, [%[a], #124]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #124]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	r7, [%[m], #128]\n\t"
+        "ldr	r9, [%[a], #128]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #128]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	r7, [%[m], #132]\n\t"
+        "ldr	r9, [%[a], #132]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #132]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	r7, [%[m], #136]\n\t"
+        "ldr	r9, [%[a], #136]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #136]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	r7, [%[m], #140]\n\t"
+        "ldr	r9, [%[a], #140]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #140]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	r7, [%[m], #144]\n\t"
+        "ldr	r9, [%[a], #144]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #144]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	r7, [%[m], #148]\n\t"
+        "ldr	r9, [%[a], #148]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #148]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	r7, [%[m], #152]\n\t"
+        "ldr	r9, [%[a], #152]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #152]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	r7, [%[m], #156]\n\t"
+        "ldr	r9, [%[a], #156]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #156]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	r7, [%[m], #160]\n\t"
+        "ldr	r9, [%[a], #160]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #160]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	r7, [%[m], #164]\n\t"
+        "ldr	r9, [%[a], #164]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #164]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	r7, [%[m], #168]\n\t"
+        "ldr	r9, [%[a], #168]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #168]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	r7, [%[m], #172]\n\t"
+        "ldr	r9, [%[a], #172]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #172]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	r7, [%[m], #176]\n\t"
+        "ldr	r9, [%[a], #176]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #176]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	r7, [%[m], #180]\n\t"
+        "ldr	r9, [%[a], #180]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #180]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	r7, [%[m], #184]\n\t"
+        "ldr	r9, [%[a], #184]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #184]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	r7, [%[m], #188]\n\t"
+        "ldr	r9, [%[a], #188]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #188]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+48] += m[48] * mu\n\t"
+        "ldr	r7, [%[m], #192]\n\t"
+        "ldr	r9, [%[a], #192]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #192]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+49] += m[49] * mu\n\t"
+        "ldr	r7, [%[m], #196]\n\t"
+        "ldr	r9, [%[a], #196]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #196]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+50] += m[50] * mu\n\t"
+        "ldr	r7, [%[m], #200]\n\t"
+        "ldr	r9, [%[a], #200]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #200]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+51] += m[51] * mu\n\t"
+        "ldr	r7, [%[m], #204]\n\t"
+        "ldr	r9, [%[a], #204]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #204]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+52] += m[52] * mu\n\t"
+        "ldr	r7, [%[m], #208]\n\t"
+        "ldr	r9, [%[a], #208]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #208]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+53] += m[53] * mu\n\t"
+        "ldr	r7, [%[m], #212]\n\t"
+        "ldr	r9, [%[a], #212]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #212]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+54] += m[54] * mu\n\t"
+        "ldr	r7, [%[m], #216]\n\t"
+        "ldr	r9, [%[a], #216]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #216]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+55] += m[55] * mu\n\t"
+        "ldr	r7, [%[m], #220]\n\t"
+        "ldr	r9, [%[a], #220]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #220]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+56] += m[56] * mu\n\t"
+        "ldr	r7, [%[m], #224]\n\t"
+        "ldr	r9, [%[a], #224]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #224]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+57] += m[57] * mu\n\t"
+        "ldr	r7, [%[m], #228]\n\t"
+        "ldr	r9, [%[a], #228]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #228]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+58] += m[58] * mu\n\t"
+        "ldr	r7, [%[m], #232]\n\t"
+        "ldr	r9, [%[a], #232]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #232]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+59] += m[59] * mu\n\t"
+        "ldr	r7, [%[m], #236]\n\t"
+        "ldr	r9, [%[a], #236]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #236]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+60] += m[60] * mu\n\t"
+        "ldr	r7, [%[m], #240]\n\t"
+        "ldr	r9, [%[a], #240]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #240]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+61] += m[61] * mu\n\t"
+        "ldr	r7, [%[m], #244]\n\t"
+        "ldr	r9, [%[a], #244]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #244]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+62] += m[62] * mu\n\t"
+        "ldr	r7, [%[m], #248]\n\t"
+        "ldr	r9, [%[a], #248]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #248]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+63] += m[63] * mu\n\t"
+        "ldr	r7, [%[m], #252]\n\t"
+        "ldr   r9, [%[a], #252]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #252]\n\t"
+        "ldr	r9, [%[a], #256]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #256]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #256\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_2048_cond_sub_64(a - 64, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_64(r, a, b);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_64(r, a);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_2048_word_64(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_2048_cmp_64(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #252\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #252]\n\t"
+        "ldr		r5, [%[b], #252]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #248]\n\t"
+        "ldr		r5, [%[b], #248]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #244]\n\t"
+        "ldr		r5, [%[b], #244]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #240]\n\t"
+        "ldr		r5, [%[b], #240]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #236]\n\t"
+        "ldr		r5, [%[b], #236]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #232]\n\t"
+        "ldr		r5, [%[b], #232]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #228]\n\t"
+        "ldr		r5, [%[b], #228]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #224]\n\t"
+        "ldr		r5, [%[b], #224]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #220]\n\t"
+        "ldr		r5, [%[b], #220]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #216]\n\t"
+        "ldr		r5, [%[b], #216]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #212]\n\t"
+        "ldr		r5, [%[b], #212]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #208]\n\t"
+        "ldr		r5, [%[b], #208]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #204]\n\t"
+        "ldr		r5, [%[b], #204]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #200]\n\t"
+        "ldr		r5, [%[b], #200]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #196]\n\t"
+        "ldr		r5, [%[b], #196]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #192]\n\t"
+        "ldr		r5, [%[b], #192]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #188]\n\t"
+        "ldr		r5, [%[b], #188]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #184]\n\t"
+        "ldr		r5, [%[b], #184]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #180]\n\t"
+        "ldr		r5, [%[b], #180]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #176]\n\t"
+        "ldr		r5, [%[b], #176]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #172]\n\t"
+        "ldr		r5, [%[b], #172]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #168]\n\t"
+        "ldr		r5, [%[b], #168]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #164]\n\t"
+        "ldr		r5, [%[b], #164]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #160]\n\t"
+        "ldr		r5, [%[b], #160]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #156]\n\t"
+        "ldr		r5, [%[b], #156]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #152]\n\t"
+        "ldr		r5, [%[b], #152]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #148]\n\t"
+        "ldr		r5, [%[b], #148]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #144]\n\t"
+        "ldr		r5, [%[b], #144]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #140]\n\t"
+        "ldr		r5, [%[b], #140]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #136]\n\t"
+        "ldr		r5, [%[b], #136]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #132]\n\t"
+        "ldr		r5, [%[b], #132]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #128]\n\t"
+        "ldr		r5, [%[b], #128]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #124]\n\t"
+        "ldr		r5, [%[b], #124]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #120]\n\t"
+        "ldr		r5, [%[b], #120]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #116]\n\t"
+        "ldr		r5, [%[b], #116]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #112]\n\t"
+        "ldr		r5, [%[b], #112]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #108]\n\t"
+        "ldr		r5, [%[b], #108]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #104]\n\t"
+        "ldr		r5, [%[b], #104]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #100]\n\t"
+        "ldr		r5, [%[b], #100]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #96]\n\t"
+        "ldr		r5, [%[b], #96]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #92]\n\t"
+        "ldr		r5, [%[b], #92]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #88]\n\t"
+        "ldr		r5, [%[b], #88]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #84]\n\t"
+        "ldr		r5, [%[b], #84]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #80]\n\t"
+        "ldr		r5, [%[b], #80]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #76]\n\t"
+        "ldr		r5, [%[b], #76]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #72]\n\t"
+        "ldr		r5, [%[b], #72]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #68]\n\t"
+        "ldr		r5, [%[b], #68]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #64]\n\t"
+        "ldr		r5, [%[b], #64]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #60]\n\t"
+        "ldr		r5, [%[b], #60]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #56]\n\t"
+        "ldr		r5, [%[b], #56]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #52]\n\t"
+        "ldr		r5, [%[b], #52]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #48]\n\t"
+        "ldr		r5, [%[b], #48]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        if (t1[64 + i] != 0) {
+            t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+            if (t1[64 + i] != 0)
+                t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][128];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_64(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_64(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_64(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_64(t[20], t[10], m, mp);
+        sp_2048_mont_mul_64(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_64(t[22], t[11], m, mp);
+        sp_2048_mont_mul_64(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_64(t[24], t[12], m, mp);
+        sp_2048_mont_mul_64(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_64(t[26], t[13], m, mp);
+        sp_2048_mont_mul_64(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_64(t[28], t[14], m, mp);
+        sp_2048_mont_mul_64(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_64(t[30], t[15], m, mp);
+        sp_2048_mont_mul_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128], m[64], r[128];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 256 ||
+                                                     mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 64 * 2;
+        m = r + 64 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 64;
+
+        sp_2048_from_bin(ah, 64, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 64, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_2048_sqr_64(r, ah);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_2048_mul_64(r, ah, r);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 64);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_64(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_64(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                sp_2048_mont_reduce_64(r, m, mp);
+
+                for (i = 63; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_2048_sub_in_place_64(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 64;
+        m = a + 128;
+        r = a;
+
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(d, 64, dm);
+        sp_2048_from_mp(m, 64, mm);
+        err = sp_2048_mod_exp_64(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 64);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #128\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "adc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[64 * 2];
+    sp_digit p[32], q[32], dp[32];
+    sp_digit tmpa[64], tmpb[64];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 256 || mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 64 * 2;
+        q = p + 32;
+        qi = dq = dp = q + 32;
+        tmpa = qi + 32;
+        tmpb = tmpa + 64;
+
+        r = t + 64;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(p, 32, pm);
+        sp_2048_from_mp(q, 32, qm);
+        sp_2048_from_mp(dp, 32, dpm);
+
+        err = sp_2048_mod_exp_32(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 32, dqm);
+        err = sp_2048_mod_exp_32(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_32(tmpa, tmpb);
+        c += sp_2048_cond_add_32(tmpa, tmpa, p, c);
+        sp_2048_cond_add_32(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 32, qim);
+        sp_2048_mul_32(tmpa, tmpa, qi);
+        err = sp_2048_mod_32(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_32(tmpa, q, tmpa);
+        XMEMSET(&tmpb[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_add_64(r, tmpb, tmpa);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 32 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 64);
+        r->used = 64;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_mp(e, 64, exp);
+        sp_2048_from_mp(m, 64, mod);
+
+        err = sp_2048_mod_exp_64(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+static void sp_2048_lshift_64(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "ldr	r3, [%[a], #252]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #248]\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #244]\n\t"
+        "str	r3, [%[r], #252]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #240]\n\t"
+        "str	r2, [%[r], #248]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #236]\n\t"
+        "str	r4, [%[r], #244]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "str	r3, [%[r], #240]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #228]\n\t"
+        "str	r2, [%[r], #236]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #224]\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #220]\n\t"
+        "str	r3, [%[r], #228]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #216]\n\t"
+        "str	r2, [%[r], #224]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #212]\n\t"
+        "str	r4, [%[r], #220]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "str	r3, [%[r], #216]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #204]\n\t"
+        "str	r2, [%[r], #212]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #200]\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #196]\n\t"
+        "str	r3, [%[r], #204]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #192]\n\t"
+        "str	r2, [%[r], #200]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #188]\n\t"
+        "str	r4, [%[r], #196]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #180]\n\t"
+        "str	r2, [%[r], #188]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #176]\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #172]\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #168]\n\t"
+        "str	r2, [%[r], #176]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #164]\n\t"
+        "str	r4, [%[r], #172]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "str	r3, [%[r], #168]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #156]\n\t"
+        "str	r2, [%[r], #164]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #152]\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #148]\n\t"
+        "str	r3, [%[r], #156]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #144]\n\t"
+        "str	r2, [%[r], #152]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #140]\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #132]\n\t"
+        "str	r2, [%[r], #140]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #128]\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "str	r2, [%[r], #128]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #116]\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #108]\n\t"
+        "str	r2, [%[r], #116]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #104]\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "str	r2, [%[r], #104]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #92]\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "str	r2, [%[r], #92]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "str	r2, [%[r], #80]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #68]\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "str	r2, [%[r], #68]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "str	r3, [%[r]]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_2048_lshift_64(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_lshift_64(r, r, y);
+            sp_2048_mul_d_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_2048_add_64(r, r, tmp);
+            sp_2048_cond_sub_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_bin(e, 64, exp, expLen);
+        sp_2048_from_mp(m, 64, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 && m[63] == (sp_digit)-1)
+            err = sp_2048_mod_exp_2_64(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_2048_mod_exp_64(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_mp(e, 32, exp);
+        sp_2048_from_mp(m, 32, mod);
+
+        err = sp_2048_mod_exp_32(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 32, 0, sizeof(*r) * 32U);
+        err = sp_2048_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 3072 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<96 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #48\n\t"
+        "mov	r10, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r3, r4, r8, r9\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [sp]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #28]\n\t"
+        "#  A[0] * B[8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[0]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #32]\n\t"
+        "#  A[0] * B[9]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[1]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[0]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "#  A[0] * B[10]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[9]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[8]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[2]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[1]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[0]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "#  A[0] * B[11]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[10]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[9]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[8]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[3]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[2]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[1]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[0]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #44]\n\t"
+        "#  A[1] * B[11]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[2] * B[10]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[9]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[8]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[4]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[3]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[2]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[1]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "#  A[2] * B[11]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[3] * B[10]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[9]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[8]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[5]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[4]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[3]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[2]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "#  A[3] * B[11]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[4] * B[10]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[9]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[8]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[6]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[5]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[4]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[3]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "#  A[4] * B[11]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[5] * B[10]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[9]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[8]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[7]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[6]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[5]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[4]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "#  A[5] * B[11]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[6] * B[10]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[9]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[8]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[7]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[6]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[5]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "#  A[6] * B[11]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[7] * B[10]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[9]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[8]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[7]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[6]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "#  A[7] * B[11]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[8] * B[10]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[9]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[8]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[7]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "#  A[8] * B[11]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[9] * B[10]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[9]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[8]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "#  A[9] * B[11]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[10] * B[10]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[9]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "#  A[10] * B[11]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[11] * B[10]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "#  A[11] * B[11]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "ldr	r3, [sp, #0]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r6, [sp, #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r6, [sp, #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "str	r5, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "add	sp, sp, #48\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #48\n\t"
+        "mov	r14, #0\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "umull	r8, r3, r10, r10\n\t"
+        "mov	r4, #0\n\t"
+        "str	r8, [sp]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #28]\n\t"
+        "#  A[0] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #32]\n\t"
+        "#  A[0] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #36]\n\t"
+        "#  A[0] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #40]\n\t"
+        "#  A[0] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #44]\n\t"
+        "#  A[1] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[2] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "#  A[2] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[3] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "#  A[3] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[4] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "#  A[4] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[5] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "#  A[5] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[6] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "#  A[6] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[7] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "#  A[7] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[8] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[9] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #72]\n\t"
+        "#  A[8] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[9] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #76]\n\t"
+        "#  A[9] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[10] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "#  A[10] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #84]\n\t"
+        "#  A[11] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adc	r4, r4, r9\n\t"
+        "str	r3, [%[r], #88]\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r8, [sp, #12]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r8, [%[r], #12]\n\t"
+        "ldr	r2, [sp, #16]\n\t"
+        "ldr	r3, [sp, #20]\n\t"
+        "ldr	r4, [sp, #24]\n\t"
+        "ldr	r8, [sp, #28]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r8, [%[r], #28]\n\t"
+        "ldr	r2, [sp, #32]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "ldr	r8, [sp, #44]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r8, [%[r], #44]\n\t"
+        "add	sp, sp, #48\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r8", "r9", "r10", "r8", "r5", "r6", "r7", "r14"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_24(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit b1[12];
+    sp_digit z2[24];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_12(a1, a, &a[12]);
+    cb = sp_3072_add_12(b1, b, &b[12]);
+    u  = ca & cb;
+    sp_3072_mul_12(z1, a1, b1);
+    sp_3072_mul_12(z2, &a[12], &b[12]);
+    sp_3072_mul_12(z0, a, b);
+    sp_3072_mask_12(r + 24, a1, 0 - cb);
+    sp_3072_mask_12(b1, b1, 0 - ca);
+    u += sp_3072_add_12(r + 24, r + 24, b1);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[24];
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit u;
+
+    u = sp_3072_add_12(a1, a, &a[12]);
+    sp_3072_sqr_12(z1, a1);
+    sp_3072_sqr_12(z2, &a[12]);
+    sp_3072_sqr_12(z0, a);
+    sp_3072_mask_12(r + 24, a1, 0 - u);
+    u += sp_3072_add_12(r + 24, r + 24, r + 24);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_48(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[a], #108]\n\t"
+        "ldr	r6, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "ldr	r8, [%[b], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #96]\n\t"
+        "str	r3, [%[a], #100]\n\t"
+        "str	r4, [%[a], #104]\n\t"
+        "str	r5, [%[a], #108]\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[a], #124]\n\t"
+        "ldr	r6, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "ldr	r8, [%[b], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #112]\n\t"
+        "str	r3, [%[a], #116]\n\t"
+        "str	r4, [%[a], #120]\n\t"
+        "str	r5, [%[a], #124]\n\t"
+        "ldr	r2, [%[a], #128]\n\t"
+        "ldr	r3, [%[a], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r5, [%[a], #140]\n\t"
+        "ldr	r6, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "ldr	r8, [%[b], #136]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #128]\n\t"
+        "str	r3, [%[a], #132]\n\t"
+        "str	r4, [%[a], #136]\n\t"
+        "str	r5, [%[a], #140]\n\t"
+        "ldr	r2, [%[a], #144]\n\t"
+        "ldr	r3, [%[a], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r5, [%[a], #156]\n\t"
+        "ldr	r6, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "ldr	r8, [%[b], #152]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #144]\n\t"
+        "str	r3, [%[a], #148]\n\t"
+        "str	r4, [%[a], #152]\n\t"
+        "str	r5, [%[a], #156]\n\t"
+        "ldr	r2, [%[a], #160]\n\t"
+        "ldr	r3, [%[a], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r5, [%[a], #172]\n\t"
+        "ldr	r6, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "ldr	r8, [%[b], #168]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #160]\n\t"
+        "str	r3, [%[a], #164]\n\t"
+        "str	r4, [%[a], #168]\n\t"
+        "str	r5, [%[a], #172]\n\t"
+        "ldr	r2, [%[a], #176]\n\t"
+        "ldr	r3, [%[a], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r5, [%[a], #188]\n\t"
+        "ldr	r6, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "ldr	r8, [%[b], #184]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #176]\n\t"
+        "str	r3, [%[a], #180]\n\t"
+        "str	r4, [%[a], #184]\n\t"
+        "str	r5, [%[a], #188]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r5, [%[a], #132]\n\t"
+        "ldr	r6, [%[a], #136]\n\t"
+        "ldr	r7, [%[a], #140]\n\t"
+        "ldr	r8, [%[b], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "ldr	r10, [%[b], #136]\n\t"
+        "ldr	r14, [%[b], #140]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r5, [%[r], #132]\n\t"
+        "str	r6, [%[r], #136]\n\t"
+        "str	r7, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r5, [%[a], #148]\n\t"
+        "ldr	r6, [%[a], #152]\n\t"
+        "ldr	r7, [%[a], #156]\n\t"
+        "ldr	r8, [%[b], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "ldr	r10, [%[b], #152]\n\t"
+        "ldr	r14, [%[b], #156]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r5, [%[r], #148]\n\t"
+        "str	r6, [%[r], #152]\n\t"
+        "str	r7, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r5, [%[a], #164]\n\t"
+        "ldr	r6, [%[a], #168]\n\t"
+        "ldr	r7, [%[a], #172]\n\t"
+        "ldr	r8, [%[b], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "ldr	r10, [%[b], #168]\n\t"
+        "ldr	r14, [%[b], #172]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "str	r6, [%[r], #168]\n\t"
+        "str	r7, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r5, [%[a], #180]\n\t"
+        "ldr	r6, [%[a], #184]\n\t"
+        "ldr	r7, [%[a], #188]\n\t"
+        "ldr	r8, [%[b], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "ldr	r10, [%[b], #184]\n\t"
+        "ldr	r14, [%[b], #188]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r5, [%[r], #180]\n\t"
+        "str	r6, [%[r], #184]\n\t"
+        "str	r7, [%[r], #188]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit b1[24];
+    sp_digit z2[48];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_24(a1, a, &a[24]);
+    cb = sp_3072_add_24(b1, b, &b[24]);
+    u  = ca & cb;
+    sp_3072_mul_24(z1, a1, b1);
+    sp_3072_mul_24(z2, &a[24], &b[24]);
+    sp_3072_mul_24(z0, a, b);
+    sp_3072_mask_24(r + 48, a1, 0 - cb);
+    sp_3072_mask_24(b1, b1, 0 - ca);
+    u += sp_3072_add_24(r + 48, r + 48, b1);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[48];
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit u;
+
+    u = sp_3072_add_24(a1, a, &a[24]);
+    sp_3072_sqr_24(z1, a1);
+    sp_3072_sqr_24(z2, &a[24]);
+    sp_3072_sqr_24(z0, a);
+    sp_3072_mask_24(r + 48, a1, 0 - u);
+    u += sp_3072_add_24(r + 48, r + 48, r + 48);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_96(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[a], #108]\n\t"
+        "ldr	r6, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "ldr	r8, [%[b], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #96]\n\t"
+        "str	r3, [%[a], #100]\n\t"
+        "str	r4, [%[a], #104]\n\t"
+        "str	r5, [%[a], #108]\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[a], #124]\n\t"
+        "ldr	r6, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "ldr	r8, [%[b], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #112]\n\t"
+        "str	r3, [%[a], #116]\n\t"
+        "str	r4, [%[a], #120]\n\t"
+        "str	r5, [%[a], #124]\n\t"
+        "ldr	r2, [%[a], #128]\n\t"
+        "ldr	r3, [%[a], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r5, [%[a], #140]\n\t"
+        "ldr	r6, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "ldr	r8, [%[b], #136]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #128]\n\t"
+        "str	r3, [%[a], #132]\n\t"
+        "str	r4, [%[a], #136]\n\t"
+        "str	r5, [%[a], #140]\n\t"
+        "ldr	r2, [%[a], #144]\n\t"
+        "ldr	r3, [%[a], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r5, [%[a], #156]\n\t"
+        "ldr	r6, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "ldr	r8, [%[b], #152]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #144]\n\t"
+        "str	r3, [%[a], #148]\n\t"
+        "str	r4, [%[a], #152]\n\t"
+        "str	r5, [%[a], #156]\n\t"
+        "ldr	r2, [%[a], #160]\n\t"
+        "ldr	r3, [%[a], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r5, [%[a], #172]\n\t"
+        "ldr	r6, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "ldr	r8, [%[b], #168]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #160]\n\t"
+        "str	r3, [%[a], #164]\n\t"
+        "str	r4, [%[a], #168]\n\t"
+        "str	r5, [%[a], #172]\n\t"
+        "ldr	r2, [%[a], #176]\n\t"
+        "ldr	r3, [%[a], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r5, [%[a], #188]\n\t"
+        "ldr	r6, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "ldr	r8, [%[b], #184]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #176]\n\t"
+        "str	r3, [%[a], #180]\n\t"
+        "str	r4, [%[a], #184]\n\t"
+        "str	r5, [%[a], #188]\n\t"
+        "ldr	r2, [%[a], #192]\n\t"
+        "ldr	r3, [%[a], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r5, [%[a], #204]\n\t"
+        "ldr	r6, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "ldr	r8, [%[b], #200]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #192]\n\t"
+        "str	r3, [%[a], #196]\n\t"
+        "str	r4, [%[a], #200]\n\t"
+        "str	r5, [%[a], #204]\n\t"
+        "ldr	r2, [%[a], #208]\n\t"
+        "ldr	r3, [%[a], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r5, [%[a], #220]\n\t"
+        "ldr	r6, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "ldr	r8, [%[b], #216]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #208]\n\t"
+        "str	r3, [%[a], #212]\n\t"
+        "str	r4, [%[a], #216]\n\t"
+        "str	r5, [%[a], #220]\n\t"
+        "ldr	r2, [%[a], #224]\n\t"
+        "ldr	r3, [%[a], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r5, [%[a], #236]\n\t"
+        "ldr	r6, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "ldr	r8, [%[b], #232]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #224]\n\t"
+        "str	r3, [%[a], #228]\n\t"
+        "str	r4, [%[a], #232]\n\t"
+        "str	r5, [%[a], #236]\n\t"
+        "ldr	r2, [%[a], #240]\n\t"
+        "ldr	r3, [%[a], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r5, [%[a], #252]\n\t"
+        "ldr	r6, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "ldr	r8, [%[b], #248]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #240]\n\t"
+        "str	r3, [%[a], #244]\n\t"
+        "str	r4, [%[a], #248]\n\t"
+        "str	r5, [%[a], #252]\n\t"
+        "ldr	r2, [%[a], #256]\n\t"
+        "ldr	r3, [%[a], #260]\n\t"
+        "ldr	r4, [%[a], #264]\n\t"
+        "ldr	r5, [%[a], #268]\n\t"
+        "ldr	r6, [%[b], #256]\n\t"
+        "ldr	r7, [%[b], #260]\n\t"
+        "ldr	r8, [%[b], #264]\n\t"
+        "ldr	r9, [%[b], #268]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #256]\n\t"
+        "str	r3, [%[a], #260]\n\t"
+        "str	r4, [%[a], #264]\n\t"
+        "str	r5, [%[a], #268]\n\t"
+        "ldr	r2, [%[a], #272]\n\t"
+        "ldr	r3, [%[a], #276]\n\t"
+        "ldr	r4, [%[a], #280]\n\t"
+        "ldr	r5, [%[a], #284]\n\t"
+        "ldr	r6, [%[b], #272]\n\t"
+        "ldr	r7, [%[b], #276]\n\t"
+        "ldr	r8, [%[b], #280]\n\t"
+        "ldr	r9, [%[b], #284]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #272]\n\t"
+        "str	r3, [%[a], #276]\n\t"
+        "str	r4, [%[a], #280]\n\t"
+        "str	r5, [%[a], #284]\n\t"
+        "ldr	r2, [%[a], #288]\n\t"
+        "ldr	r3, [%[a], #292]\n\t"
+        "ldr	r4, [%[a], #296]\n\t"
+        "ldr	r5, [%[a], #300]\n\t"
+        "ldr	r6, [%[b], #288]\n\t"
+        "ldr	r7, [%[b], #292]\n\t"
+        "ldr	r8, [%[b], #296]\n\t"
+        "ldr	r9, [%[b], #300]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #288]\n\t"
+        "str	r3, [%[a], #292]\n\t"
+        "str	r4, [%[a], #296]\n\t"
+        "str	r5, [%[a], #300]\n\t"
+        "ldr	r2, [%[a], #304]\n\t"
+        "ldr	r3, [%[a], #308]\n\t"
+        "ldr	r4, [%[a], #312]\n\t"
+        "ldr	r5, [%[a], #316]\n\t"
+        "ldr	r6, [%[b], #304]\n\t"
+        "ldr	r7, [%[b], #308]\n\t"
+        "ldr	r8, [%[b], #312]\n\t"
+        "ldr	r9, [%[b], #316]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #304]\n\t"
+        "str	r3, [%[a], #308]\n\t"
+        "str	r4, [%[a], #312]\n\t"
+        "str	r5, [%[a], #316]\n\t"
+        "ldr	r2, [%[a], #320]\n\t"
+        "ldr	r3, [%[a], #324]\n\t"
+        "ldr	r4, [%[a], #328]\n\t"
+        "ldr	r5, [%[a], #332]\n\t"
+        "ldr	r6, [%[b], #320]\n\t"
+        "ldr	r7, [%[b], #324]\n\t"
+        "ldr	r8, [%[b], #328]\n\t"
+        "ldr	r9, [%[b], #332]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #320]\n\t"
+        "str	r3, [%[a], #324]\n\t"
+        "str	r4, [%[a], #328]\n\t"
+        "str	r5, [%[a], #332]\n\t"
+        "ldr	r2, [%[a], #336]\n\t"
+        "ldr	r3, [%[a], #340]\n\t"
+        "ldr	r4, [%[a], #344]\n\t"
+        "ldr	r5, [%[a], #348]\n\t"
+        "ldr	r6, [%[b], #336]\n\t"
+        "ldr	r7, [%[b], #340]\n\t"
+        "ldr	r8, [%[b], #344]\n\t"
+        "ldr	r9, [%[b], #348]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #336]\n\t"
+        "str	r3, [%[a], #340]\n\t"
+        "str	r4, [%[a], #344]\n\t"
+        "str	r5, [%[a], #348]\n\t"
+        "ldr	r2, [%[a], #352]\n\t"
+        "ldr	r3, [%[a], #356]\n\t"
+        "ldr	r4, [%[a], #360]\n\t"
+        "ldr	r5, [%[a], #364]\n\t"
+        "ldr	r6, [%[b], #352]\n\t"
+        "ldr	r7, [%[b], #356]\n\t"
+        "ldr	r8, [%[b], #360]\n\t"
+        "ldr	r9, [%[b], #364]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #352]\n\t"
+        "str	r3, [%[a], #356]\n\t"
+        "str	r4, [%[a], #360]\n\t"
+        "str	r5, [%[a], #364]\n\t"
+        "ldr	r2, [%[a], #368]\n\t"
+        "ldr	r3, [%[a], #372]\n\t"
+        "ldr	r4, [%[a], #376]\n\t"
+        "ldr	r5, [%[a], #380]\n\t"
+        "ldr	r6, [%[b], #368]\n\t"
+        "ldr	r7, [%[b], #372]\n\t"
+        "ldr	r8, [%[b], #376]\n\t"
+        "ldr	r9, [%[b], #380]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #368]\n\t"
+        "str	r3, [%[a], #372]\n\t"
+        "str	r4, [%[a], #376]\n\t"
+        "str	r5, [%[a], #380]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r5, [%[a], #132]\n\t"
+        "ldr	r6, [%[a], #136]\n\t"
+        "ldr	r7, [%[a], #140]\n\t"
+        "ldr	r8, [%[b], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "ldr	r10, [%[b], #136]\n\t"
+        "ldr	r14, [%[b], #140]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r5, [%[r], #132]\n\t"
+        "str	r6, [%[r], #136]\n\t"
+        "str	r7, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r5, [%[a], #148]\n\t"
+        "ldr	r6, [%[a], #152]\n\t"
+        "ldr	r7, [%[a], #156]\n\t"
+        "ldr	r8, [%[b], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "ldr	r10, [%[b], #152]\n\t"
+        "ldr	r14, [%[b], #156]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r5, [%[r], #148]\n\t"
+        "str	r6, [%[r], #152]\n\t"
+        "str	r7, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r5, [%[a], #164]\n\t"
+        "ldr	r6, [%[a], #168]\n\t"
+        "ldr	r7, [%[a], #172]\n\t"
+        "ldr	r8, [%[b], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "ldr	r10, [%[b], #168]\n\t"
+        "ldr	r14, [%[b], #172]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "str	r6, [%[r], #168]\n\t"
+        "str	r7, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r5, [%[a], #180]\n\t"
+        "ldr	r6, [%[a], #184]\n\t"
+        "ldr	r7, [%[a], #188]\n\t"
+        "ldr	r8, [%[b], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "ldr	r10, [%[b], #184]\n\t"
+        "ldr	r14, [%[b], #188]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r5, [%[r], #180]\n\t"
+        "str	r6, [%[r], #184]\n\t"
+        "str	r7, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r5, [%[a], #196]\n\t"
+        "ldr	r6, [%[a], #200]\n\t"
+        "ldr	r7, [%[a], #204]\n\t"
+        "ldr	r8, [%[b], #192]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "ldr	r10, [%[b], #200]\n\t"
+        "ldr	r14, [%[b], #204]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r5, [%[r], #196]\n\t"
+        "str	r6, [%[r], #200]\n\t"
+        "str	r7, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r5, [%[a], #212]\n\t"
+        "ldr	r6, [%[a], #216]\n\t"
+        "ldr	r7, [%[a], #220]\n\t"
+        "ldr	r8, [%[b], #208]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "ldr	r10, [%[b], #216]\n\t"
+        "ldr	r14, [%[b], #220]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "str	r6, [%[r], #216]\n\t"
+        "str	r7, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r5, [%[a], #228]\n\t"
+        "ldr	r6, [%[a], #232]\n\t"
+        "ldr	r7, [%[a], #236]\n\t"
+        "ldr	r8, [%[b], #224]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "ldr	r10, [%[b], #232]\n\t"
+        "ldr	r14, [%[b], #236]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r5, [%[r], #228]\n\t"
+        "str	r6, [%[r], #232]\n\t"
+        "str	r7, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r5, [%[a], #244]\n\t"
+        "ldr	r6, [%[a], #248]\n\t"
+        "ldr	r7, [%[a], #252]\n\t"
+        "ldr	r8, [%[b], #240]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "ldr	r10, [%[b], #248]\n\t"
+        "ldr	r14, [%[b], #252]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r5, [%[r], #244]\n\t"
+        "str	r6, [%[r], #248]\n\t"
+        "str	r7, [%[r], #252]\n\t"
+        "ldr	r4, [%[a], #256]\n\t"
+        "ldr	r5, [%[a], #260]\n\t"
+        "ldr	r6, [%[a], #264]\n\t"
+        "ldr	r7, [%[a], #268]\n\t"
+        "ldr	r8, [%[b], #256]\n\t"
+        "ldr	r9, [%[b], #260]\n\t"
+        "ldr	r10, [%[b], #264]\n\t"
+        "ldr	r14, [%[b], #268]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "str	r5, [%[r], #260]\n\t"
+        "str	r6, [%[r], #264]\n\t"
+        "str	r7, [%[r], #268]\n\t"
+        "ldr	r4, [%[a], #272]\n\t"
+        "ldr	r5, [%[a], #276]\n\t"
+        "ldr	r6, [%[a], #280]\n\t"
+        "ldr	r7, [%[a], #284]\n\t"
+        "ldr	r8, [%[b], #272]\n\t"
+        "ldr	r9, [%[b], #276]\n\t"
+        "ldr	r10, [%[b], #280]\n\t"
+        "ldr	r14, [%[b], #284]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "str	r5, [%[r], #276]\n\t"
+        "str	r6, [%[r], #280]\n\t"
+        "str	r7, [%[r], #284]\n\t"
+        "ldr	r4, [%[a], #288]\n\t"
+        "ldr	r5, [%[a], #292]\n\t"
+        "ldr	r6, [%[a], #296]\n\t"
+        "ldr	r7, [%[a], #300]\n\t"
+        "ldr	r8, [%[b], #288]\n\t"
+        "ldr	r9, [%[b], #292]\n\t"
+        "ldr	r10, [%[b], #296]\n\t"
+        "ldr	r14, [%[b], #300]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #288]\n\t"
+        "str	r5, [%[r], #292]\n\t"
+        "str	r6, [%[r], #296]\n\t"
+        "str	r7, [%[r], #300]\n\t"
+        "ldr	r4, [%[a], #304]\n\t"
+        "ldr	r5, [%[a], #308]\n\t"
+        "ldr	r6, [%[a], #312]\n\t"
+        "ldr	r7, [%[a], #316]\n\t"
+        "ldr	r8, [%[b], #304]\n\t"
+        "ldr	r9, [%[b], #308]\n\t"
+        "ldr	r10, [%[b], #312]\n\t"
+        "ldr	r14, [%[b], #316]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "str	r5, [%[r], #308]\n\t"
+        "str	r6, [%[r], #312]\n\t"
+        "str	r7, [%[r], #316]\n\t"
+        "ldr	r4, [%[a], #320]\n\t"
+        "ldr	r5, [%[a], #324]\n\t"
+        "ldr	r6, [%[a], #328]\n\t"
+        "ldr	r7, [%[a], #332]\n\t"
+        "ldr	r8, [%[b], #320]\n\t"
+        "ldr	r9, [%[b], #324]\n\t"
+        "ldr	r10, [%[b], #328]\n\t"
+        "ldr	r14, [%[b], #332]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "str	r5, [%[r], #324]\n\t"
+        "str	r6, [%[r], #328]\n\t"
+        "str	r7, [%[r], #332]\n\t"
+        "ldr	r4, [%[a], #336]\n\t"
+        "ldr	r5, [%[a], #340]\n\t"
+        "ldr	r6, [%[a], #344]\n\t"
+        "ldr	r7, [%[a], #348]\n\t"
+        "ldr	r8, [%[b], #336]\n\t"
+        "ldr	r9, [%[b], #340]\n\t"
+        "ldr	r10, [%[b], #344]\n\t"
+        "ldr	r14, [%[b], #348]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #336]\n\t"
+        "str	r5, [%[r], #340]\n\t"
+        "str	r6, [%[r], #344]\n\t"
+        "str	r7, [%[r], #348]\n\t"
+        "ldr	r4, [%[a], #352]\n\t"
+        "ldr	r5, [%[a], #356]\n\t"
+        "ldr	r6, [%[a], #360]\n\t"
+        "ldr	r7, [%[a], #364]\n\t"
+        "ldr	r8, [%[b], #352]\n\t"
+        "ldr	r9, [%[b], #356]\n\t"
+        "ldr	r10, [%[b], #360]\n\t"
+        "ldr	r14, [%[b], #364]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "str	r5, [%[r], #356]\n\t"
+        "str	r6, [%[r], #360]\n\t"
+        "str	r7, [%[r], #364]\n\t"
+        "ldr	r4, [%[a], #368]\n\t"
+        "ldr	r5, [%[a], #372]\n\t"
+        "ldr	r6, [%[a], #376]\n\t"
+        "ldr	r7, [%[a], #380]\n\t"
+        "ldr	r8, [%[b], #368]\n\t"
+        "ldr	r9, [%[b], #372]\n\t"
+        "ldr	r10, [%[b], #376]\n\t"
+        "ldr	r14, [%[b], #380]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "str	r5, [%[r], #372]\n\t"
+        "str	r6, [%[r], #376]\n\t"
+        "str	r7, [%[r], #380]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit b1[48];
+    sp_digit z2[96];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_48(a1, a, &a[48]);
+    cb = sp_3072_add_48(b1, b, &b[48]);
+    u  = ca & cb;
+    sp_3072_mul_48(z1, a1, b1);
+    sp_3072_mul_48(z2, &a[48], &b[48]);
+    sp_3072_mul_48(z0, a, b);
+    sp_3072_mask_48(r + 96, a1, 0 - cb);
+    sp_3072_mask_48(b1, b1, 0 - ca);
+    u += sp_3072_add_48(r + 96, r + 96, b1);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[96];
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit u;
+
+    u = sp_3072_add_48(a1, a, &a[48]);
+    sp_3072_sqr_48(z1, a1);
+    sp_3072_sqr_48(z2, &a[48]);
+    sp_3072_sqr_48(z0, a);
+    sp_3072_mask_48(r + 96, a1, 0 - u);
+    u += sp_3072_add_48(r + 96, r + 96, r + 96);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #384\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_96(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #384\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_96(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #768\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #380\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #384\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #760\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #768\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #380\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #384\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #760\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #192\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_48(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #192\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #384\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #188\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #192\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #376\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #384\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #188\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #192\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #376\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_3072_mul_d_96(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #384\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #384]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "# A[12] * B\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "# A[13] * B\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "# A[14] * B\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "# A[15] * B\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "# A[16] * B\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "# A[17] * B\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "# A[18] * B\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "# A[19] * B\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "# A[20] * B\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "# A[21] * B\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "# A[22] * B\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "# A[23] * B\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "# A[24] * B\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "# A[25] * B\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "# A[26] * B\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "# A[27] * B\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "# A[28] * B\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "# A[29] * B\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "# A[30] * B\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "# A[31] * B\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "# A[32] * B\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #128]\n\t"
+        "# A[33] * B\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "# A[34] * B\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "# A[35] * B\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #140]\n\t"
+        "# A[36] * B\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "# A[37] * B\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "# A[38] * B\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #152]\n\t"
+        "# A[39] * B\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #156]\n\t"
+        "# A[40] * B\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "# A[41] * B\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "# A[42] * B\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #168]\n\t"
+        "# A[43] * B\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #172]\n\t"
+        "# A[44] * B\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #176]\n\t"
+        "# A[45] * B\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "# A[46] * B\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "# A[47] * B\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #188]\n\t"
+        "# A[48] * B\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        "# A[49] * B\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #196]\n\t"
+        "# A[50] * B\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #200]\n\t"
+        "# A[51] * B\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #204]\n\t"
+        "# A[52] * B\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "# A[53] * B\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "# A[54] * B\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #216]\n\t"
+        "# A[55] * B\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #220]\n\t"
+        "# A[56] * B\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #224]\n\t"
+        "# A[57] * B\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #228]\n\t"
+        "# A[58] * B\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "# A[59] * B\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #236]\n\t"
+        "# A[60] * B\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #240]\n\t"
+        "# A[61] * B\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #244]\n\t"
+        "# A[62] * B\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #248]\n\t"
+        "# A[63] * B\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #252]\n\t"
+        "# A[64] * B\n\t"
+        "ldr	r8, [%[a], #256]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "# A[65] * B\n\t"
+        "ldr	r8, [%[a], #260]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #260]\n\t"
+        "# A[66] * B\n\t"
+        "ldr	r8, [%[a], #264]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #264]\n\t"
+        "# A[67] * B\n\t"
+        "ldr	r8, [%[a], #268]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #268]\n\t"
+        "# A[68] * B\n\t"
+        "ldr	r8, [%[a], #272]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #272]\n\t"
+        "# A[69] * B\n\t"
+        "ldr	r8, [%[a], #276]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #276]\n\t"
+        "# A[70] * B\n\t"
+        "ldr	r8, [%[a], #280]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #280]\n\t"
+        "# A[71] * B\n\t"
+        "ldr	r8, [%[a], #284]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #284]\n\t"
+        "# A[72] * B\n\t"
+        "ldr	r8, [%[a], #288]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #288]\n\t"
+        "# A[73] * B\n\t"
+        "ldr	r8, [%[a], #292]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #292]\n\t"
+        "# A[74] * B\n\t"
+        "ldr	r8, [%[a], #296]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #296]\n\t"
+        "# A[75] * B\n\t"
+        "ldr	r8, [%[a], #300]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #300]\n\t"
+        "# A[76] * B\n\t"
+        "ldr	r8, [%[a], #304]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "# A[77] * B\n\t"
+        "ldr	r8, [%[a], #308]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #308]\n\t"
+        "# A[78] * B\n\t"
+        "ldr	r8, [%[a], #312]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #312]\n\t"
+        "# A[79] * B\n\t"
+        "ldr	r8, [%[a], #316]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #316]\n\t"
+        "# A[80] * B\n\t"
+        "ldr	r8, [%[a], #320]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #320]\n\t"
+        "# A[81] * B\n\t"
+        "ldr	r8, [%[a], #324]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #324]\n\t"
+        "# A[82] * B\n\t"
+        "ldr	r8, [%[a], #328]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #328]\n\t"
+        "# A[83] * B\n\t"
+        "ldr	r8, [%[a], #332]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #332]\n\t"
+        "# A[84] * B\n\t"
+        "ldr	r8, [%[a], #336]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #336]\n\t"
+        "# A[85] * B\n\t"
+        "ldr	r8, [%[a], #340]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #340]\n\t"
+        "# A[86] * B\n\t"
+        "ldr	r8, [%[a], #344]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #344]\n\t"
+        "# A[87] * B\n\t"
+        "ldr	r8, [%[a], #348]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #348]\n\t"
+        "# A[88] * B\n\t"
+        "ldr	r8, [%[a], #352]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "# A[89] * B\n\t"
+        "ldr	r8, [%[a], #356]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #356]\n\t"
+        "# A[90] * B\n\t"
+        "ldr	r8, [%[a], #360]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #360]\n\t"
+        "# A[91] * B\n\t"
+        "ldr	r8, [%[a], #364]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #364]\n\t"
+        "# A[92] * B\n\t"
+        "ldr	r8, [%[a], #368]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #368]\n\t"
+        "# A[93] * B\n\t"
+        "ldr	r8, [%[a], #372]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #372]\n\t"
+        "# A[94] * B\n\t"
+        "ldr	r8, [%[a], #376]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #376]\n\t"
+        "# A[95] * B\n\t"
+        "ldr	r8, [%[a], #380]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r5, [%[r], #380]\n\t"
+        "str	r3, [%[r], #384]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_48(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 48);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_48(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_sub_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #192\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_48(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr	r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	r7, [%[m], #48]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	r7, [%[m], #52]\n\t"
+        "ldr	r9, [%[a], #52]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #52]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	r7, [%[m], #56]\n\t"
+        "ldr	r9, [%[a], #56]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #56]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	r7, [%[m], #60]\n\t"
+        "ldr	r9, [%[a], #60]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #60]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	r7, [%[m], #64]\n\t"
+        "ldr	r9, [%[a], #64]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #64]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	r7, [%[m], #68]\n\t"
+        "ldr	r9, [%[a], #68]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #68]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	r7, [%[m], #72]\n\t"
+        "ldr	r9, [%[a], #72]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #72]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	r7, [%[m], #76]\n\t"
+        "ldr	r9, [%[a], #76]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #76]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	r7, [%[m], #80]\n\t"
+        "ldr	r9, [%[a], #80]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #80]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	r7, [%[m], #84]\n\t"
+        "ldr	r9, [%[a], #84]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #84]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	r7, [%[m], #88]\n\t"
+        "ldr	r9, [%[a], #88]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #88]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	r7, [%[m], #92]\n\t"
+        "ldr	r9, [%[a], #92]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #92]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	r7, [%[m], #96]\n\t"
+        "ldr	r9, [%[a], #96]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #96]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	r7, [%[m], #100]\n\t"
+        "ldr	r9, [%[a], #100]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #100]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	r7, [%[m], #104]\n\t"
+        "ldr	r9, [%[a], #104]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #104]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	r7, [%[m], #108]\n\t"
+        "ldr	r9, [%[a], #108]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #108]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	r7, [%[m], #112]\n\t"
+        "ldr	r9, [%[a], #112]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #112]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	r7, [%[m], #116]\n\t"
+        "ldr	r9, [%[a], #116]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #116]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	r7, [%[m], #120]\n\t"
+        "ldr	r9, [%[a], #120]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #120]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	r7, [%[m], #124]\n\t"
+        "ldr	r9, [%[a], #124]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #124]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	r7, [%[m], #128]\n\t"
+        "ldr	r9, [%[a], #128]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #128]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	r7, [%[m], #132]\n\t"
+        "ldr	r9, [%[a], #132]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #132]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	r7, [%[m], #136]\n\t"
+        "ldr	r9, [%[a], #136]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #136]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	r7, [%[m], #140]\n\t"
+        "ldr	r9, [%[a], #140]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #140]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	r7, [%[m], #144]\n\t"
+        "ldr	r9, [%[a], #144]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #144]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	r7, [%[m], #148]\n\t"
+        "ldr	r9, [%[a], #148]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #148]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	r7, [%[m], #152]\n\t"
+        "ldr	r9, [%[a], #152]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #152]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	r7, [%[m], #156]\n\t"
+        "ldr	r9, [%[a], #156]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #156]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	r7, [%[m], #160]\n\t"
+        "ldr	r9, [%[a], #160]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #160]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	r7, [%[m], #164]\n\t"
+        "ldr	r9, [%[a], #164]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #164]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	r7, [%[m], #168]\n\t"
+        "ldr	r9, [%[a], #168]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #168]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	r7, [%[m], #172]\n\t"
+        "ldr	r9, [%[a], #172]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #172]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	r7, [%[m], #176]\n\t"
+        "ldr	r9, [%[a], #176]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #176]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	r7, [%[m], #180]\n\t"
+        "ldr	r9, [%[a], #180]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #180]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	r7, [%[m], #184]\n\t"
+        "ldr	r9, [%[a], #184]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #184]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	r7, [%[m], #188]\n\t"
+        "ldr   r9, [%[a], #188]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #188]\n\t"
+        "ldr	r9, [%[a], #192]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #192]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #192\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_3072_cond_sub_48(a - 48, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_48(r, a, b);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_48(r, a);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_3072_mul_d_48(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #192\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "# A[12] * B\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "# A[13] * B\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "# A[14] * B\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "# A[15] * B\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "# A[16] * B\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "# A[17] * B\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "# A[18] * B\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "# A[19] * B\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "# A[20] * B\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "# A[21] * B\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "# A[22] * B\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "# A[23] * B\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "# A[24] * B\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "# A[25] * B\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "# A[26] * B\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "# A[27] * B\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "# A[28] * B\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "# A[29] * B\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "# A[30] * B\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "# A[31] * B\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "# A[32] * B\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #128]\n\t"
+        "# A[33] * B\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "# A[34] * B\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "# A[35] * B\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #140]\n\t"
+        "# A[36] * B\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "# A[37] * B\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "# A[38] * B\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #152]\n\t"
+        "# A[39] * B\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #156]\n\t"
+        "# A[40] * B\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "# A[41] * B\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "# A[42] * B\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #168]\n\t"
+        "# A[43] * B\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #172]\n\t"
+        "# A[44] * B\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #176]\n\t"
+        "# A[45] * B\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "# A[46] * B\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "# A[47] * B\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r5, [%[r], #188]\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_3072_word_48(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_3072_cmp_48(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #188\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #188]\n\t"
+        "ldr		r5, [%[b], #188]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #184]\n\t"
+        "ldr		r5, [%[b], #184]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #180]\n\t"
+        "ldr		r5, [%[b], #180]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #176]\n\t"
+        "ldr		r5, [%[b], #176]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #172]\n\t"
+        "ldr		r5, [%[b], #172]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #168]\n\t"
+        "ldr		r5, [%[b], #168]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #164]\n\t"
+        "ldr		r5, [%[b], #164]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #160]\n\t"
+        "ldr		r5, [%[b], #160]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #156]\n\t"
+        "ldr		r5, [%[b], #156]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #152]\n\t"
+        "ldr		r5, [%[b], #152]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #148]\n\t"
+        "ldr		r5, [%[b], #148]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #144]\n\t"
+        "ldr		r5, [%[b], #144]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #140]\n\t"
+        "ldr		r5, [%[b], #140]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #136]\n\t"
+        "ldr		r5, [%[b], #136]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #132]\n\t"
+        "ldr		r5, [%[b], #132]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #128]\n\t"
+        "ldr		r5, [%[b], #128]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #124]\n\t"
+        "ldr		r5, [%[b], #124]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #120]\n\t"
+        "ldr		r5, [%[b], #120]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #116]\n\t"
+        "ldr		r5, [%[b], #116]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #112]\n\t"
+        "ldr		r5, [%[b], #112]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #108]\n\t"
+        "ldr		r5, [%[b], #108]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #104]\n\t"
+        "ldr		r5, [%[b], #104]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #100]\n\t"
+        "ldr		r5, [%[b], #100]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #96]\n\t"
+        "ldr		r5, [%[b], #96]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #92]\n\t"
+        "ldr		r5, [%[b], #92]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #88]\n\t"
+        "ldr		r5, [%[b], #88]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #84]\n\t"
+        "ldr		r5, [%[b], #84]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #80]\n\t"
+        "ldr		r5, [%[b], #80]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #76]\n\t"
+        "ldr		r5, [%[b], #76]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #72]\n\t"
+        "ldr		r5, [%[b], #72]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #68]\n\t"
+        "ldr		r5, [%[b], #68]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #64]\n\t"
+        "ldr		r5, [%[b], #64]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #60]\n\t"
+        "ldr		r5, [%[b], #60]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #56]\n\t"
+        "ldr		r5, [%[b], #56]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #52]\n\t"
+        "ldr		r5, [%[b], #52]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #48]\n\t"
+        "ldr		r5, [%[b], #48]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+        sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_48(t1, d) >= 0;
+    sp_3072_cond_sub_48(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][96];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_96(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 96);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_96(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_sub_96(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #384\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r6, [%[a], #196]\n\t"
+        "ldr	r5, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r6, [%[r], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r6, [%[a], #204]\n\t"
+        "ldr	r5, [%[b], #200]\n\t"
+        "ldr	r7, [%[b], #204]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "str	r6, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r6, [%[a], #212]\n\t"
+        "ldr	r5, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r6, [%[r], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r6, [%[a], #220]\n\t"
+        "ldr	r5, [%[b], #216]\n\t"
+        "ldr	r7, [%[b], #220]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "str	r6, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r6, [%[a], #228]\n\t"
+        "ldr	r5, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r6, [%[r], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r6, [%[a], #236]\n\t"
+        "ldr	r5, [%[b], #232]\n\t"
+        "ldr	r7, [%[b], #236]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "str	r6, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r6, [%[a], #244]\n\t"
+        "ldr	r5, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r6, [%[r], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r6, [%[a], #252]\n\t"
+        "ldr	r5, [%[b], #248]\n\t"
+        "ldr	r7, [%[b], #252]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "str	r6, [%[r], #252]\n\t"
+        "ldr	r4, [%[a], #256]\n\t"
+        "ldr	r6, [%[a], #260]\n\t"
+        "ldr	r5, [%[b], #256]\n\t"
+        "ldr	r7, [%[b], #260]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "str	r6, [%[r], #260]\n\t"
+        "ldr	r4, [%[a], #264]\n\t"
+        "ldr	r6, [%[a], #268]\n\t"
+        "ldr	r5, [%[b], #264]\n\t"
+        "ldr	r7, [%[b], #268]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #264]\n\t"
+        "str	r6, [%[r], #268]\n\t"
+        "ldr	r4, [%[a], #272]\n\t"
+        "ldr	r6, [%[a], #276]\n\t"
+        "ldr	r5, [%[b], #272]\n\t"
+        "ldr	r7, [%[b], #276]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "str	r6, [%[r], #276]\n\t"
+        "ldr	r4, [%[a], #280]\n\t"
+        "ldr	r6, [%[a], #284]\n\t"
+        "ldr	r5, [%[b], #280]\n\t"
+        "ldr	r7, [%[b], #284]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #280]\n\t"
+        "str	r6, [%[r], #284]\n\t"
+        "ldr	r4, [%[a], #288]\n\t"
+        "ldr	r6, [%[a], #292]\n\t"
+        "ldr	r5, [%[b], #288]\n\t"
+        "ldr	r7, [%[b], #292]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #288]\n\t"
+        "str	r6, [%[r], #292]\n\t"
+        "ldr	r4, [%[a], #296]\n\t"
+        "ldr	r6, [%[a], #300]\n\t"
+        "ldr	r5, [%[b], #296]\n\t"
+        "ldr	r7, [%[b], #300]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #296]\n\t"
+        "str	r6, [%[r], #300]\n\t"
+        "ldr	r4, [%[a], #304]\n\t"
+        "ldr	r6, [%[a], #308]\n\t"
+        "ldr	r5, [%[b], #304]\n\t"
+        "ldr	r7, [%[b], #308]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "str	r6, [%[r], #308]\n\t"
+        "ldr	r4, [%[a], #312]\n\t"
+        "ldr	r6, [%[a], #316]\n\t"
+        "ldr	r5, [%[b], #312]\n\t"
+        "ldr	r7, [%[b], #316]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #312]\n\t"
+        "str	r6, [%[r], #316]\n\t"
+        "ldr	r4, [%[a], #320]\n\t"
+        "ldr	r6, [%[a], #324]\n\t"
+        "ldr	r5, [%[b], #320]\n\t"
+        "ldr	r7, [%[b], #324]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "str	r6, [%[r], #324]\n\t"
+        "ldr	r4, [%[a], #328]\n\t"
+        "ldr	r6, [%[a], #332]\n\t"
+        "ldr	r5, [%[b], #328]\n\t"
+        "ldr	r7, [%[b], #332]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #328]\n\t"
+        "str	r6, [%[r], #332]\n\t"
+        "ldr	r4, [%[a], #336]\n\t"
+        "ldr	r6, [%[a], #340]\n\t"
+        "ldr	r5, [%[b], #336]\n\t"
+        "ldr	r7, [%[b], #340]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #336]\n\t"
+        "str	r6, [%[r], #340]\n\t"
+        "ldr	r4, [%[a], #344]\n\t"
+        "ldr	r6, [%[a], #348]\n\t"
+        "ldr	r5, [%[b], #344]\n\t"
+        "ldr	r7, [%[b], #348]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #344]\n\t"
+        "str	r6, [%[r], #348]\n\t"
+        "ldr	r4, [%[a], #352]\n\t"
+        "ldr	r6, [%[a], #356]\n\t"
+        "ldr	r5, [%[b], #352]\n\t"
+        "ldr	r7, [%[b], #356]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "str	r6, [%[r], #356]\n\t"
+        "ldr	r4, [%[a], #360]\n\t"
+        "ldr	r6, [%[a], #364]\n\t"
+        "ldr	r5, [%[b], #360]\n\t"
+        "ldr	r7, [%[b], #364]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #360]\n\t"
+        "str	r6, [%[r], #364]\n\t"
+        "ldr	r4, [%[a], #368]\n\t"
+        "ldr	r6, [%[a], #372]\n\t"
+        "ldr	r5, [%[b], #368]\n\t"
+        "ldr	r7, [%[b], #372]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "str	r6, [%[r], #372]\n\t"
+        "ldr	r4, [%[a], #376]\n\t"
+        "ldr	r6, [%[a], #380]\n\t"
+        "ldr	r5, [%[b], #376]\n\t"
+        "ldr	r7, [%[b], #380]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #376]\n\t"
+        "str	r6, [%[r], #380]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_96(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr	r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	r7, [%[m], #48]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	r7, [%[m], #52]\n\t"
+        "ldr	r9, [%[a], #52]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #52]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	r7, [%[m], #56]\n\t"
+        "ldr	r9, [%[a], #56]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #56]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	r7, [%[m], #60]\n\t"
+        "ldr	r9, [%[a], #60]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #60]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	r7, [%[m], #64]\n\t"
+        "ldr	r9, [%[a], #64]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #64]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	r7, [%[m], #68]\n\t"
+        "ldr	r9, [%[a], #68]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #68]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	r7, [%[m], #72]\n\t"
+        "ldr	r9, [%[a], #72]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #72]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	r7, [%[m], #76]\n\t"
+        "ldr	r9, [%[a], #76]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #76]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	r7, [%[m], #80]\n\t"
+        "ldr	r9, [%[a], #80]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #80]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	r7, [%[m], #84]\n\t"
+        "ldr	r9, [%[a], #84]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #84]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	r7, [%[m], #88]\n\t"
+        "ldr	r9, [%[a], #88]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #88]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	r7, [%[m], #92]\n\t"
+        "ldr	r9, [%[a], #92]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #92]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	r7, [%[m], #96]\n\t"
+        "ldr	r9, [%[a], #96]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #96]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	r7, [%[m], #100]\n\t"
+        "ldr	r9, [%[a], #100]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #100]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	r7, [%[m], #104]\n\t"
+        "ldr	r9, [%[a], #104]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #104]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	r7, [%[m], #108]\n\t"
+        "ldr	r9, [%[a], #108]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #108]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	r7, [%[m], #112]\n\t"
+        "ldr	r9, [%[a], #112]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #112]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	r7, [%[m], #116]\n\t"
+        "ldr	r9, [%[a], #116]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #116]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	r7, [%[m], #120]\n\t"
+        "ldr	r9, [%[a], #120]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #120]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	r7, [%[m], #124]\n\t"
+        "ldr	r9, [%[a], #124]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #124]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	r7, [%[m], #128]\n\t"
+        "ldr	r9, [%[a], #128]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #128]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	r7, [%[m], #132]\n\t"
+        "ldr	r9, [%[a], #132]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #132]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	r7, [%[m], #136]\n\t"
+        "ldr	r9, [%[a], #136]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #136]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	r7, [%[m], #140]\n\t"
+        "ldr	r9, [%[a], #140]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #140]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	r7, [%[m], #144]\n\t"
+        "ldr	r9, [%[a], #144]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #144]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	r7, [%[m], #148]\n\t"
+        "ldr	r9, [%[a], #148]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #148]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	r7, [%[m], #152]\n\t"
+        "ldr	r9, [%[a], #152]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #152]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	r7, [%[m], #156]\n\t"
+        "ldr	r9, [%[a], #156]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #156]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	r7, [%[m], #160]\n\t"
+        "ldr	r9, [%[a], #160]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #160]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	r7, [%[m], #164]\n\t"
+        "ldr	r9, [%[a], #164]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #164]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	r7, [%[m], #168]\n\t"
+        "ldr	r9, [%[a], #168]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #168]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	r7, [%[m], #172]\n\t"
+        "ldr	r9, [%[a], #172]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #172]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	r7, [%[m], #176]\n\t"
+        "ldr	r9, [%[a], #176]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #176]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	r7, [%[m], #180]\n\t"
+        "ldr	r9, [%[a], #180]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #180]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	r7, [%[m], #184]\n\t"
+        "ldr	r9, [%[a], #184]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #184]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	r7, [%[m], #188]\n\t"
+        "ldr	r9, [%[a], #188]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #188]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+48] += m[48] * mu\n\t"
+        "ldr	r7, [%[m], #192]\n\t"
+        "ldr	r9, [%[a], #192]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #192]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+49] += m[49] * mu\n\t"
+        "ldr	r7, [%[m], #196]\n\t"
+        "ldr	r9, [%[a], #196]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #196]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+50] += m[50] * mu\n\t"
+        "ldr	r7, [%[m], #200]\n\t"
+        "ldr	r9, [%[a], #200]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #200]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+51] += m[51] * mu\n\t"
+        "ldr	r7, [%[m], #204]\n\t"
+        "ldr	r9, [%[a], #204]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #204]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+52] += m[52] * mu\n\t"
+        "ldr	r7, [%[m], #208]\n\t"
+        "ldr	r9, [%[a], #208]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #208]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+53] += m[53] * mu\n\t"
+        "ldr	r7, [%[m], #212]\n\t"
+        "ldr	r9, [%[a], #212]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #212]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+54] += m[54] * mu\n\t"
+        "ldr	r7, [%[m], #216]\n\t"
+        "ldr	r9, [%[a], #216]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #216]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+55] += m[55] * mu\n\t"
+        "ldr	r7, [%[m], #220]\n\t"
+        "ldr	r9, [%[a], #220]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #220]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+56] += m[56] * mu\n\t"
+        "ldr	r7, [%[m], #224]\n\t"
+        "ldr	r9, [%[a], #224]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #224]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+57] += m[57] * mu\n\t"
+        "ldr	r7, [%[m], #228]\n\t"
+        "ldr	r9, [%[a], #228]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #228]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+58] += m[58] * mu\n\t"
+        "ldr	r7, [%[m], #232]\n\t"
+        "ldr	r9, [%[a], #232]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #232]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+59] += m[59] * mu\n\t"
+        "ldr	r7, [%[m], #236]\n\t"
+        "ldr	r9, [%[a], #236]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #236]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+60] += m[60] * mu\n\t"
+        "ldr	r7, [%[m], #240]\n\t"
+        "ldr	r9, [%[a], #240]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #240]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+61] += m[61] * mu\n\t"
+        "ldr	r7, [%[m], #244]\n\t"
+        "ldr	r9, [%[a], #244]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #244]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+62] += m[62] * mu\n\t"
+        "ldr	r7, [%[m], #248]\n\t"
+        "ldr	r9, [%[a], #248]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #248]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+63] += m[63] * mu\n\t"
+        "ldr	r7, [%[m], #252]\n\t"
+        "ldr	r9, [%[a], #252]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #252]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+64] += m[64] * mu\n\t"
+        "ldr	r7, [%[m], #256]\n\t"
+        "ldr	r9, [%[a], #256]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #256]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+65] += m[65] * mu\n\t"
+        "ldr	r7, [%[m], #260]\n\t"
+        "ldr	r9, [%[a], #260]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #260]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+66] += m[66] * mu\n\t"
+        "ldr	r7, [%[m], #264]\n\t"
+        "ldr	r9, [%[a], #264]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #264]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+67] += m[67] * mu\n\t"
+        "ldr	r7, [%[m], #268]\n\t"
+        "ldr	r9, [%[a], #268]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #268]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+68] += m[68] * mu\n\t"
+        "ldr	r7, [%[m], #272]\n\t"
+        "ldr	r9, [%[a], #272]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #272]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+69] += m[69] * mu\n\t"
+        "ldr	r7, [%[m], #276]\n\t"
+        "ldr	r9, [%[a], #276]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #276]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+70] += m[70] * mu\n\t"
+        "ldr	r7, [%[m], #280]\n\t"
+        "ldr	r9, [%[a], #280]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #280]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+71] += m[71] * mu\n\t"
+        "ldr	r7, [%[m], #284]\n\t"
+        "ldr	r9, [%[a], #284]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #284]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+72] += m[72] * mu\n\t"
+        "ldr	r7, [%[m], #288]\n\t"
+        "ldr	r9, [%[a], #288]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #288]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+73] += m[73] * mu\n\t"
+        "ldr	r7, [%[m], #292]\n\t"
+        "ldr	r9, [%[a], #292]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #292]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+74] += m[74] * mu\n\t"
+        "ldr	r7, [%[m], #296]\n\t"
+        "ldr	r9, [%[a], #296]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #296]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+75] += m[75] * mu\n\t"
+        "ldr	r7, [%[m], #300]\n\t"
+        "ldr	r9, [%[a], #300]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #300]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+76] += m[76] * mu\n\t"
+        "ldr	r7, [%[m], #304]\n\t"
+        "ldr	r9, [%[a], #304]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #304]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+77] += m[77] * mu\n\t"
+        "ldr	r7, [%[m], #308]\n\t"
+        "ldr	r9, [%[a], #308]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #308]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+78] += m[78] * mu\n\t"
+        "ldr	r7, [%[m], #312]\n\t"
+        "ldr	r9, [%[a], #312]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #312]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+79] += m[79] * mu\n\t"
+        "ldr	r7, [%[m], #316]\n\t"
+        "ldr	r9, [%[a], #316]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #316]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+80] += m[80] * mu\n\t"
+        "ldr	r7, [%[m], #320]\n\t"
+        "ldr	r9, [%[a], #320]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #320]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+81] += m[81] * mu\n\t"
+        "ldr	r7, [%[m], #324]\n\t"
+        "ldr	r9, [%[a], #324]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #324]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+82] += m[82] * mu\n\t"
+        "ldr	r7, [%[m], #328]\n\t"
+        "ldr	r9, [%[a], #328]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #328]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+83] += m[83] * mu\n\t"
+        "ldr	r7, [%[m], #332]\n\t"
+        "ldr	r9, [%[a], #332]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #332]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+84] += m[84] * mu\n\t"
+        "ldr	r7, [%[m], #336]\n\t"
+        "ldr	r9, [%[a], #336]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #336]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+85] += m[85] * mu\n\t"
+        "ldr	r7, [%[m], #340]\n\t"
+        "ldr	r9, [%[a], #340]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #340]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+86] += m[86] * mu\n\t"
+        "ldr	r7, [%[m], #344]\n\t"
+        "ldr	r9, [%[a], #344]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #344]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+87] += m[87] * mu\n\t"
+        "ldr	r7, [%[m], #348]\n\t"
+        "ldr	r9, [%[a], #348]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #348]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+88] += m[88] * mu\n\t"
+        "ldr	r7, [%[m], #352]\n\t"
+        "ldr	r9, [%[a], #352]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #352]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+89] += m[89] * mu\n\t"
+        "ldr	r7, [%[m], #356]\n\t"
+        "ldr	r9, [%[a], #356]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #356]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+90] += m[90] * mu\n\t"
+        "ldr	r7, [%[m], #360]\n\t"
+        "ldr	r9, [%[a], #360]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #360]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+91] += m[91] * mu\n\t"
+        "ldr	r7, [%[m], #364]\n\t"
+        "ldr	r9, [%[a], #364]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #364]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+92] += m[92] * mu\n\t"
+        "ldr	r7, [%[m], #368]\n\t"
+        "ldr	r9, [%[a], #368]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #368]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+93] += m[93] * mu\n\t"
+        "ldr	r7, [%[m], #372]\n\t"
+        "ldr	r9, [%[a], #372]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #372]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+94] += m[94] * mu\n\t"
+        "ldr	r7, [%[m], #376]\n\t"
+        "ldr	r9, [%[a], #376]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #376]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+95] += m[95] * mu\n\t"
+        "ldr	r7, [%[m], #380]\n\t"
+        "ldr   r9, [%[a], #380]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #380]\n\t"
+        "ldr	r9, [%[a], #384]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #384]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #384\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_3072_cond_sub_96(a - 96, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_96(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_96(r, a, b);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_96(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_96(r, a);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_3072_word_96(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_96(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<96; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_3072_cmp_96(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #380\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #380]\n\t"
+        "ldr		r5, [%[b], #380]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #376]\n\t"
+        "ldr		r5, [%[b], #376]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #372]\n\t"
+        "ldr		r5, [%[b], #372]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #368]\n\t"
+        "ldr		r5, [%[b], #368]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #364]\n\t"
+        "ldr		r5, [%[b], #364]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #360]\n\t"
+        "ldr		r5, [%[b], #360]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #356]\n\t"
+        "ldr		r5, [%[b], #356]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #352]\n\t"
+        "ldr		r5, [%[b], #352]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #348]\n\t"
+        "ldr		r5, [%[b], #348]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #344]\n\t"
+        "ldr		r5, [%[b], #344]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #340]\n\t"
+        "ldr		r5, [%[b], #340]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #336]\n\t"
+        "ldr		r5, [%[b], #336]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #332]\n\t"
+        "ldr		r5, [%[b], #332]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #328]\n\t"
+        "ldr		r5, [%[b], #328]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #324]\n\t"
+        "ldr		r5, [%[b], #324]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #320]\n\t"
+        "ldr		r5, [%[b], #320]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #316]\n\t"
+        "ldr		r5, [%[b], #316]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #312]\n\t"
+        "ldr		r5, [%[b], #312]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #308]\n\t"
+        "ldr		r5, [%[b], #308]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #304]\n\t"
+        "ldr		r5, [%[b], #304]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #300]\n\t"
+        "ldr		r5, [%[b], #300]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #296]\n\t"
+        "ldr		r5, [%[b], #296]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #292]\n\t"
+        "ldr		r5, [%[b], #292]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #288]\n\t"
+        "ldr		r5, [%[b], #288]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #284]\n\t"
+        "ldr		r5, [%[b], #284]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #280]\n\t"
+        "ldr		r5, [%[b], #280]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #276]\n\t"
+        "ldr		r5, [%[b], #276]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #272]\n\t"
+        "ldr		r5, [%[b], #272]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #268]\n\t"
+        "ldr		r5, [%[b], #268]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #264]\n\t"
+        "ldr		r5, [%[b], #264]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #260]\n\t"
+        "ldr		r5, [%[b], #260]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #256]\n\t"
+        "ldr		r5, [%[b], #256]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #252]\n\t"
+        "ldr		r5, [%[b], #252]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #248]\n\t"
+        "ldr		r5, [%[b], #248]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #244]\n\t"
+        "ldr		r5, [%[b], #244]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #240]\n\t"
+        "ldr		r5, [%[b], #240]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #236]\n\t"
+        "ldr		r5, [%[b], #236]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #232]\n\t"
+        "ldr		r5, [%[b], #232]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #228]\n\t"
+        "ldr		r5, [%[b], #228]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #224]\n\t"
+        "ldr		r5, [%[b], #224]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #220]\n\t"
+        "ldr		r5, [%[b], #220]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #216]\n\t"
+        "ldr		r5, [%[b], #216]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #212]\n\t"
+        "ldr		r5, [%[b], #212]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #208]\n\t"
+        "ldr		r5, [%[b], #208]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #204]\n\t"
+        "ldr		r5, [%[b], #204]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #200]\n\t"
+        "ldr		r5, [%[b], #200]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #196]\n\t"
+        "ldr		r5, [%[b], #196]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #192]\n\t"
+        "ldr		r5, [%[b], #192]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #188]\n\t"
+        "ldr		r5, [%[b], #188]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #184]\n\t"
+        "ldr		r5, [%[b], #184]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #180]\n\t"
+        "ldr		r5, [%[b], #180]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #176]\n\t"
+        "ldr		r5, [%[b], #176]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #172]\n\t"
+        "ldr		r5, [%[b], #172]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #168]\n\t"
+        "ldr		r5, [%[b], #168]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #164]\n\t"
+        "ldr		r5, [%[b], #164]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #160]\n\t"
+        "ldr		r5, [%[b], #160]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #156]\n\t"
+        "ldr		r5, [%[b], #156]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #152]\n\t"
+        "ldr		r5, [%[b], #152]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #148]\n\t"
+        "ldr		r5, [%[b], #148]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #144]\n\t"
+        "ldr		r5, [%[b], #144]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #140]\n\t"
+        "ldr		r5, [%[b], #140]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #136]\n\t"
+        "ldr		r5, [%[b], #136]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #132]\n\t"
+        "ldr		r5, [%[b], #132]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #128]\n\t"
+        "ldr		r5, [%[b], #128]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #124]\n\t"
+        "ldr		r5, [%[b], #124]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #120]\n\t"
+        "ldr		r5, [%[b], #120]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #116]\n\t"
+        "ldr		r5, [%[b], #116]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #112]\n\t"
+        "ldr		r5, [%[b], #112]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #108]\n\t"
+        "ldr		r5, [%[b], #108]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #104]\n\t"
+        "ldr		r5, [%[b], #104]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #100]\n\t"
+        "ldr		r5, [%[b], #100]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #96]\n\t"
+        "ldr		r5, [%[b], #96]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #92]\n\t"
+        "ldr		r5, [%[b], #92]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #88]\n\t"
+        "ldr		r5, [%[b], #88]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #84]\n\t"
+        "ldr		r5, [%[b], #84]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #80]\n\t"
+        "ldr		r5, [%[b], #80]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #76]\n\t"
+        "ldr		r5, [%[b], #76]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #72]\n\t"
+        "ldr		r5, [%[b], #72]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #68]\n\t"
+        "ldr		r5, [%[b], #68]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #64]\n\t"
+        "ldr		r5, [%[b], #64]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #60]\n\t"
+        "ldr		r5, [%[b], #60]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #56]\n\t"
+        "ldr		r5, [%[b], #56]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #52]\n\t"
+        "ldr		r5, [%[b], #52]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #48]\n\t"
+        "ldr		r5, [%[b], #48]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        if (t1[96 + i] != 0) {
+            t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+            if (t1[96 + i] != 0)
+                t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][192];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][192];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_96(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_96(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_96(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_96(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_96(t[20], t[10], m, mp);
+        sp_3072_mont_mul_96(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_96(t[22], t[11], m, mp);
+        sp_3072_mont_mul_96(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_96(t[24], t[12], m, mp);
+        sp_3072_mont_mul_96(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_96(t[26], t[13], m, mp);
+        sp_3072_mont_mul_96(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_96(t[28], t[14], m, mp);
+        sp_3072_mont_mul_96(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_96(t[30], t[15], m, mp);
+        sp_3072_mont_mul_96(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[192], m[96], r[192];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 384 ||
+                                                     mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 96 * 2;
+        m = r + 96 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 96;
+
+        sp_3072_from_bin(ah, 96, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 96, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_3072_sqr_96(r, ah);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_3072_mul_96(r, ah, r);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 96);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_96(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_96(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[96], 0, sizeof(sp_digit) * 96);
+                sp_3072_mont_reduce_96(r, m, mp);
+
+                for (i = 95; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_3072_sub_in_place_96(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 96;
+        m = a + 192;
+        r = a;
+
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(d, 96, dm);
+        sp_3072_from_mp(m, 96, mm);
+        err = sp_3072_mod_exp_96(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 96);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_add_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #192\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "adc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[96 * 2];
+    sp_digit p[48], q[48], dp[48];
+    sp_digit tmpa[96], tmpb[96];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 384 || mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 96 * 2;
+        q = p + 48;
+        qi = dq = dp = q + 48;
+        tmpa = qi + 48;
+        tmpb = tmpa + 96;
+
+        r = t + 96;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(p, 48, pm);
+        sp_3072_from_mp(q, 48, qm);
+        sp_3072_from_mp(dp, 48, dpm);
+
+        err = sp_3072_mod_exp_48(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 48, dqm);
+        err = sp_3072_mod_exp_48(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_3072_sub_in_place_48(tmpa, tmpb);
+        c += sp_3072_cond_add_48(tmpa, tmpa, p, c);
+        sp_3072_cond_add_48(tmpa, tmpa, p, c);
+
+        sp_3072_from_mp(qi, 48, qim);
+        sp_3072_mul_48(tmpa, tmpa, qi);
+        err = sp_3072_mod_48(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_48(tmpa, q, tmpa);
+        XMEMSET(&tmpb[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_add_96(r, tmpb, tmpa);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 48 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 96);
+        r->used = 96;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_mp(e, 96, exp);
+        sp_3072_from_mp(m, 96, mod);
+
+        err = sp_3072_mod_exp_96(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+static void sp_3072_lshift_96(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "ldr	r3, [%[a], #380]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #376]\n\t"
+        "str	r4, [%[r], #384]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #372]\n\t"
+        "str	r3, [%[r], #380]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #368]\n\t"
+        "str	r2, [%[r], #376]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #364]\n\t"
+        "str	r4, [%[r], #372]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #360]\n\t"
+        "str	r3, [%[r], #368]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #356]\n\t"
+        "str	r2, [%[r], #364]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #352]\n\t"
+        "str	r4, [%[r], #360]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #348]\n\t"
+        "str	r3, [%[r], #356]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #344]\n\t"
+        "str	r2, [%[r], #352]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #340]\n\t"
+        "str	r4, [%[r], #348]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #336]\n\t"
+        "str	r3, [%[r], #344]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #332]\n\t"
+        "str	r2, [%[r], #340]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #328]\n\t"
+        "str	r4, [%[r], #336]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #324]\n\t"
+        "str	r3, [%[r], #332]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #320]\n\t"
+        "str	r2, [%[r], #328]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #316]\n\t"
+        "str	r4, [%[r], #324]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #312]\n\t"
+        "str	r3, [%[r], #320]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #308]\n\t"
+        "str	r2, [%[r], #316]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #304]\n\t"
+        "str	r4, [%[r], #312]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #300]\n\t"
+        "str	r3, [%[r], #308]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #296]\n\t"
+        "str	r2, [%[r], #304]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #292]\n\t"
+        "str	r4, [%[r], #300]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #288]\n\t"
+        "str	r3, [%[r], #296]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #284]\n\t"
+        "str	r2, [%[r], #292]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #280]\n\t"
+        "str	r4, [%[r], #288]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #276]\n\t"
+        "str	r3, [%[r], #284]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #272]\n\t"
+        "str	r2, [%[r], #280]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #268]\n\t"
+        "str	r4, [%[r], #276]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #264]\n\t"
+        "str	r3, [%[r], #272]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #260]\n\t"
+        "str	r2, [%[r], #268]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #256]\n\t"
+        "str	r4, [%[r], #264]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #252]\n\t"
+        "str	r3, [%[r], #260]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #248]\n\t"
+        "str	r2, [%[r], #256]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #244]\n\t"
+        "str	r4, [%[r], #252]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "str	r3, [%[r], #248]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #236]\n\t"
+        "str	r2, [%[r], #244]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #232]\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #228]\n\t"
+        "str	r3, [%[r], #236]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #224]\n\t"
+        "str	r2, [%[r], #232]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #220]\n\t"
+        "str	r4, [%[r], #228]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "str	r3, [%[r], #224]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #212]\n\t"
+        "str	r2, [%[r], #220]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #208]\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #204]\n\t"
+        "str	r3, [%[r], #212]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #200]\n\t"
+        "str	r2, [%[r], #208]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #196]\n\t"
+        "str	r4, [%[r], #204]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "str	r3, [%[r], #200]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #188]\n\t"
+        "str	r2, [%[r], #196]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #184]\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #180]\n\t"
+        "str	r3, [%[r], #188]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #176]\n\t"
+        "str	r2, [%[r], #184]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #172]\n\t"
+        "str	r4, [%[r], #180]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "str	r3, [%[r], #176]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #164]\n\t"
+        "str	r2, [%[r], #172]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #160]\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #156]\n\t"
+        "str	r3, [%[r], #164]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #152]\n\t"
+        "str	r2, [%[r], #160]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #148]\n\t"
+        "str	r4, [%[r], #156]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "str	r3, [%[r], #152]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #140]\n\t"
+        "str	r2, [%[r], #148]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #136]\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #132]\n\t"
+        "str	r3, [%[r], #140]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #128]\n\t"
+        "str	r2, [%[r], #136]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #124]\n\t"
+        "str	r4, [%[r], #132]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "str	r3, [%[r], #128]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "str	r2, [%[r], #124]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "str	r3, [%[r], #116]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "str	r2, [%[r], #112]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #100]\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "str	r3, [%[r], #104]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #92]\n\t"
+        "str	r2, [%[r], #100]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #88]\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "str	r3, [%[r], #92]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "str	r2, [%[r], #88]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #76]\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "str	r3, [%[r], #80]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "str	r2, [%[r], #76]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "str	r2, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_96(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[192];
+    sp_digit td[97];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 289, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 192;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_3072_lshift_96(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_lshift_96(r, r, y);
+            sp_3072_mul_d_96(tmp, norm, r[96]);
+            r[96] = 0;
+            o = sp_3072_add_96(r, r, tmp);
+            sp_3072_cond_sub_96(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_bin(e, 96, exp, expLen);
+        sp_3072_from_mp(m, 96, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 && m[95] == (sp_digit)-1)
+            err = sp_3072_mod_exp_2_96(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_3072_mod_exp_96(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_mp(e, 48, exp);
+        sp_3072_from_mp(m, 48, mod);
+
+        err = sp_3072_mod_exp_48(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 48, 0, sizeof(*r) * 48U);
+        err = sp_3072_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 4096 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<128 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r5, [%[a], #132]\n\t"
+        "ldr	r6, [%[a], #136]\n\t"
+        "ldr	r7, [%[a], #140]\n\t"
+        "ldr	r8, [%[b], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "ldr	r10, [%[b], #136]\n\t"
+        "ldr	r14, [%[b], #140]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r5, [%[r], #132]\n\t"
+        "str	r6, [%[r], #136]\n\t"
+        "str	r7, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r5, [%[a], #148]\n\t"
+        "ldr	r6, [%[a], #152]\n\t"
+        "ldr	r7, [%[a], #156]\n\t"
+        "ldr	r8, [%[b], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "ldr	r10, [%[b], #152]\n\t"
+        "ldr	r14, [%[b], #156]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r5, [%[r], #148]\n\t"
+        "str	r6, [%[r], #152]\n\t"
+        "str	r7, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r5, [%[a], #164]\n\t"
+        "ldr	r6, [%[a], #168]\n\t"
+        "ldr	r7, [%[a], #172]\n\t"
+        "ldr	r8, [%[b], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "ldr	r10, [%[b], #168]\n\t"
+        "ldr	r14, [%[b], #172]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "str	r6, [%[r], #168]\n\t"
+        "str	r7, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r5, [%[a], #180]\n\t"
+        "ldr	r6, [%[a], #184]\n\t"
+        "ldr	r7, [%[a], #188]\n\t"
+        "ldr	r8, [%[b], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "ldr	r10, [%[b], #184]\n\t"
+        "ldr	r14, [%[b], #188]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r5, [%[r], #180]\n\t"
+        "str	r6, [%[r], #184]\n\t"
+        "str	r7, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r5, [%[a], #196]\n\t"
+        "ldr	r6, [%[a], #200]\n\t"
+        "ldr	r7, [%[a], #204]\n\t"
+        "ldr	r8, [%[b], #192]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "ldr	r10, [%[b], #200]\n\t"
+        "ldr	r14, [%[b], #204]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r5, [%[r], #196]\n\t"
+        "str	r6, [%[r], #200]\n\t"
+        "str	r7, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r5, [%[a], #212]\n\t"
+        "ldr	r6, [%[a], #216]\n\t"
+        "ldr	r7, [%[a], #220]\n\t"
+        "ldr	r8, [%[b], #208]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "ldr	r10, [%[b], #216]\n\t"
+        "ldr	r14, [%[b], #220]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "str	r6, [%[r], #216]\n\t"
+        "str	r7, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r5, [%[a], #228]\n\t"
+        "ldr	r6, [%[a], #232]\n\t"
+        "ldr	r7, [%[a], #236]\n\t"
+        "ldr	r8, [%[b], #224]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "ldr	r10, [%[b], #232]\n\t"
+        "ldr	r14, [%[b], #236]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r5, [%[r], #228]\n\t"
+        "str	r6, [%[r], #232]\n\t"
+        "str	r7, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r5, [%[a], #244]\n\t"
+        "ldr	r6, [%[a], #248]\n\t"
+        "ldr	r7, [%[a], #252]\n\t"
+        "ldr	r8, [%[b], #240]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "ldr	r10, [%[b], #248]\n\t"
+        "ldr	r14, [%[b], #252]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r5, [%[r], #244]\n\t"
+        "str	r6, [%[r], #248]\n\t"
+        "str	r7, [%[r], #252]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_in_place_128(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[a], #60]\n\t"
+        "ldr	r6, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "ldr	r8, [%[b], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #48]\n\t"
+        "str	r3, [%[a], #52]\n\t"
+        "str	r4, [%[a], #56]\n\t"
+        "str	r5, [%[a], #60]\n\t"
+        "ldr	r2, [%[a], #64]\n\t"
+        "ldr	r3, [%[a], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[a], #76]\n\t"
+        "ldr	r6, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "ldr	r8, [%[b], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #64]\n\t"
+        "str	r3, [%[a], #68]\n\t"
+        "str	r4, [%[a], #72]\n\t"
+        "str	r5, [%[a], #76]\n\t"
+        "ldr	r2, [%[a], #80]\n\t"
+        "ldr	r3, [%[a], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[a], #92]\n\t"
+        "ldr	r6, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "ldr	r8, [%[b], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #80]\n\t"
+        "str	r3, [%[a], #84]\n\t"
+        "str	r4, [%[a], #88]\n\t"
+        "str	r5, [%[a], #92]\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[a], #108]\n\t"
+        "ldr	r6, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "ldr	r8, [%[b], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #96]\n\t"
+        "str	r3, [%[a], #100]\n\t"
+        "str	r4, [%[a], #104]\n\t"
+        "str	r5, [%[a], #108]\n\t"
+        "ldr	r2, [%[a], #112]\n\t"
+        "ldr	r3, [%[a], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[a], #124]\n\t"
+        "ldr	r6, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "ldr	r8, [%[b], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #112]\n\t"
+        "str	r3, [%[a], #116]\n\t"
+        "str	r4, [%[a], #120]\n\t"
+        "str	r5, [%[a], #124]\n\t"
+        "ldr	r2, [%[a], #128]\n\t"
+        "ldr	r3, [%[a], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r5, [%[a], #140]\n\t"
+        "ldr	r6, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "ldr	r8, [%[b], #136]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #128]\n\t"
+        "str	r3, [%[a], #132]\n\t"
+        "str	r4, [%[a], #136]\n\t"
+        "str	r5, [%[a], #140]\n\t"
+        "ldr	r2, [%[a], #144]\n\t"
+        "ldr	r3, [%[a], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r5, [%[a], #156]\n\t"
+        "ldr	r6, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "ldr	r8, [%[b], #152]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #144]\n\t"
+        "str	r3, [%[a], #148]\n\t"
+        "str	r4, [%[a], #152]\n\t"
+        "str	r5, [%[a], #156]\n\t"
+        "ldr	r2, [%[a], #160]\n\t"
+        "ldr	r3, [%[a], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r5, [%[a], #172]\n\t"
+        "ldr	r6, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "ldr	r8, [%[b], #168]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #160]\n\t"
+        "str	r3, [%[a], #164]\n\t"
+        "str	r4, [%[a], #168]\n\t"
+        "str	r5, [%[a], #172]\n\t"
+        "ldr	r2, [%[a], #176]\n\t"
+        "ldr	r3, [%[a], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r5, [%[a], #188]\n\t"
+        "ldr	r6, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "ldr	r8, [%[b], #184]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #176]\n\t"
+        "str	r3, [%[a], #180]\n\t"
+        "str	r4, [%[a], #184]\n\t"
+        "str	r5, [%[a], #188]\n\t"
+        "ldr	r2, [%[a], #192]\n\t"
+        "ldr	r3, [%[a], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r5, [%[a], #204]\n\t"
+        "ldr	r6, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "ldr	r8, [%[b], #200]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #192]\n\t"
+        "str	r3, [%[a], #196]\n\t"
+        "str	r4, [%[a], #200]\n\t"
+        "str	r5, [%[a], #204]\n\t"
+        "ldr	r2, [%[a], #208]\n\t"
+        "ldr	r3, [%[a], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r5, [%[a], #220]\n\t"
+        "ldr	r6, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "ldr	r8, [%[b], #216]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #208]\n\t"
+        "str	r3, [%[a], #212]\n\t"
+        "str	r4, [%[a], #216]\n\t"
+        "str	r5, [%[a], #220]\n\t"
+        "ldr	r2, [%[a], #224]\n\t"
+        "ldr	r3, [%[a], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r5, [%[a], #236]\n\t"
+        "ldr	r6, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "ldr	r8, [%[b], #232]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #224]\n\t"
+        "str	r3, [%[a], #228]\n\t"
+        "str	r4, [%[a], #232]\n\t"
+        "str	r5, [%[a], #236]\n\t"
+        "ldr	r2, [%[a], #240]\n\t"
+        "ldr	r3, [%[a], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r5, [%[a], #252]\n\t"
+        "ldr	r6, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "ldr	r8, [%[b], #248]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #240]\n\t"
+        "str	r3, [%[a], #244]\n\t"
+        "str	r4, [%[a], #248]\n\t"
+        "str	r5, [%[a], #252]\n\t"
+        "ldr	r2, [%[a], #256]\n\t"
+        "ldr	r3, [%[a], #260]\n\t"
+        "ldr	r4, [%[a], #264]\n\t"
+        "ldr	r5, [%[a], #268]\n\t"
+        "ldr	r6, [%[b], #256]\n\t"
+        "ldr	r7, [%[b], #260]\n\t"
+        "ldr	r8, [%[b], #264]\n\t"
+        "ldr	r9, [%[b], #268]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #256]\n\t"
+        "str	r3, [%[a], #260]\n\t"
+        "str	r4, [%[a], #264]\n\t"
+        "str	r5, [%[a], #268]\n\t"
+        "ldr	r2, [%[a], #272]\n\t"
+        "ldr	r3, [%[a], #276]\n\t"
+        "ldr	r4, [%[a], #280]\n\t"
+        "ldr	r5, [%[a], #284]\n\t"
+        "ldr	r6, [%[b], #272]\n\t"
+        "ldr	r7, [%[b], #276]\n\t"
+        "ldr	r8, [%[b], #280]\n\t"
+        "ldr	r9, [%[b], #284]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #272]\n\t"
+        "str	r3, [%[a], #276]\n\t"
+        "str	r4, [%[a], #280]\n\t"
+        "str	r5, [%[a], #284]\n\t"
+        "ldr	r2, [%[a], #288]\n\t"
+        "ldr	r3, [%[a], #292]\n\t"
+        "ldr	r4, [%[a], #296]\n\t"
+        "ldr	r5, [%[a], #300]\n\t"
+        "ldr	r6, [%[b], #288]\n\t"
+        "ldr	r7, [%[b], #292]\n\t"
+        "ldr	r8, [%[b], #296]\n\t"
+        "ldr	r9, [%[b], #300]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #288]\n\t"
+        "str	r3, [%[a], #292]\n\t"
+        "str	r4, [%[a], #296]\n\t"
+        "str	r5, [%[a], #300]\n\t"
+        "ldr	r2, [%[a], #304]\n\t"
+        "ldr	r3, [%[a], #308]\n\t"
+        "ldr	r4, [%[a], #312]\n\t"
+        "ldr	r5, [%[a], #316]\n\t"
+        "ldr	r6, [%[b], #304]\n\t"
+        "ldr	r7, [%[b], #308]\n\t"
+        "ldr	r8, [%[b], #312]\n\t"
+        "ldr	r9, [%[b], #316]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #304]\n\t"
+        "str	r3, [%[a], #308]\n\t"
+        "str	r4, [%[a], #312]\n\t"
+        "str	r5, [%[a], #316]\n\t"
+        "ldr	r2, [%[a], #320]\n\t"
+        "ldr	r3, [%[a], #324]\n\t"
+        "ldr	r4, [%[a], #328]\n\t"
+        "ldr	r5, [%[a], #332]\n\t"
+        "ldr	r6, [%[b], #320]\n\t"
+        "ldr	r7, [%[b], #324]\n\t"
+        "ldr	r8, [%[b], #328]\n\t"
+        "ldr	r9, [%[b], #332]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #320]\n\t"
+        "str	r3, [%[a], #324]\n\t"
+        "str	r4, [%[a], #328]\n\t"
+        "str	r5, [%[a], #332]\n\t"
+        "ldr	r2, [%[a], #336]\n\t"
+        "ldr	r3, [%[a], #340]\n\t"
+        "ldr	r4, [%[a], #344]\n\t"
+        "ldr	r5, [%[a], #348]\n\t"
+        "ldr	r6, [%[b], #336]\n\t"
+        "ldr	r7, [%[b], #340]\n\t"
+        "ldr	r8, [%[b], #344]\n\t"
+        "ldr	r9, [%[b], #348]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #336]\n\t"
+        "str	r3, [%[a], #340]\n\t"
+        "str	r4, [%[a], #344]\n\t"
+        "str	r5, [%[a], #348]\n\t"
+        "ldr	r2, [%[a], #352]\n\t"
+        "ldr	r3, [%[a], #356]\n\t"
+        "ldr	r4, [%[a], #360]\n\t"
+        "ldr	r5, [%[a], #364]\n\t"
+        "ldr	r6, [%[b], #352]\n\t"
+        "ldr	r7, [%[b], #356]\n\t"
+        "ldr	r8, [%[b], #360]\n\t"
+        "ldr	r9, [%[b], #364]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #352]\n\t"
+        "str	r3, [%[a], #356]\n\t"
+        "str	r4, [%[a], #360]\n\t"
+        "str	r5, [%[a], #364]\n\t"
+        "ldr	r2, [%[a], #368]\n\t"
+        "ldr	r3, [%[a], #372]\n\t"
+        "ldr	r4, [%[a], #376]\n\t"
+        "ldr	r5, [%[a], #380]\n\t"
+        "ldr	r6, [%[b], #368]\n\t"
+        "ldr	r7, [%[b], #372]\n\t"
+        "ldr	r8, [%[b], #376]\n\t"
+        "ldr	r9, [%[b], #380]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #368]\n\t"
+        "str	r3, [%[a], #372]\n\t"
+        "str	r4, [%[a], #376]\n\t"
+        "str	r5, [%[a], #380]\n\t"
+        "ldr	r2, [%[a], #384]\n\t"
+        "ldr	r3, [%[a], #388]\n\t"
+        "ldr	r4, [%[a], #392]\n\t"
+        "ldr	r5, [%[a], #396]\n\t"
+        "ldr	r6, [%[b], #384]\n\t"
+        "ldr	r7, [%[b], #388]\n\t"
+        "ldr	r8, [%[b], #392]\n\t"
+        "ldr	r9, [%[b], #396]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #384]\n\t"
+        "str	r3, [%[a], #388]\n\t"
+        "str	r4, [%[a], #392]\n\t"
+        "str	r5, [%[a], #396]\n\t"
+        "ldr	r2, [%[a], #400]\n\t"
+        "ldr	r3, [%[a], #404]\n\t"
+        "ldr	r4, [%[a], #408]\n\t"
+        "ldr	r5, [%[a], #412]\n\t"
+        "ldr	r6, [%[b], #400]\n\t"
+        "ldr	r7, [%[b], #404]\n\t"
+        "ldr	r8, [%[b], #408]\n\t"
+        "ldr	r9, [%[b], #412]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #400]\n\t"
+        "str	r3, [%[a], #404]\n\t"
+        "str	r4, [%[a], #408]\n\t"
+        "str	r5, [%[a], #412]\n\t"
+        "ldr	r2, [%[a], #416]\n\t"
+        "ldr	r3, [%[a], #420]\n\t"
+        "ldr	r4, [%[a], #424]\n\t"
+        "ldr	r5, [%[a], #428]\n\t"
+        "ldr	r6, [%[b], #416]\n\t"
+        "ldr	r7, [%[b], #420]\n\t"
+        "ldr	r8, [%[b], #424]\n\t"
+        "ldr	r9, [%[b], #428]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #416]\n\t"
+        "str	r3, [%[a], #420]\n\t"
+        "str	r4, [%[a], #424]\n\t"
+        "str	r5, [%[a], #428]\n\t"
+        "ldr	r2, [%[a], #432]\n\t"
+        "ldr	r3, [%[a], #436]\n\t"
+        "ldr	r4, [%[a], #440]\n\t"
+        "ldr	r5, [%[a], #444]\n\t"
+        "ldr	r6, [%[b], #432]\n\t"
+        "ldr	r7, [%[b], #436]\n\t"
+        "ldr	r8, [%[b], #440]\n\t"
+        "ldr	r9, [%[b], #444]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #432]\n\t"
+        "str	r3, [%[a], #436]\n\t"
+        "str	r4, [%[a], #440]\n\t"
+        "str	r5, [%[a], #444]\n\t"
+        "ldr	r2, [%[a], #448]\n\t"
+        "ldr	r3, [%[a], #452]\n\t"
+        "ldr	r4, [%[a], #456]\n\t"
+        "ldr	r5, [%[a], #460]\n\t"
+        "ldr	r6, [%[b], #448]\n\t"
+        "ldr	r7, [%[b], #452]\n\t"
+        "ldr	r8, [%[b], #456]\n\t"
+        "ldr	r9, [%[b], #460]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #448]\n\t"
+        "str	r3, [%[a], #452]\n\t"
+        "str	r4, [%[a], #456]\n\t"
+        "str	r5, [%[a], #460]\n\t"
+        "ldr	r2, [%[a], #464]\n\t"
+        "ldr	r3, [%[a], #468]\n\t"
+        "ldr	r4, [%[a], #472]\n\t"
+        "ldr	r5, [%[a], #476]\n\t"
+        "ldr	r6, [%[b], #464]\n\t"
+        "ldr	r7, [%[b], #468]\n\t"
+        "ldr	r8, [%[b], #472]\n\t"
+        "ldr	r9, [%[b], #476]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #464]\n\t"
+        "str	r3, [%[a], #468]\n\t"
+        "str	r4, [%[a], #472]\n\t"
+        "str	r5, [%[a], #476]\n\t"
+        "ldr	r2, [%[a], #480]\n\t"
+        "ldr	r3, [%[a], #484]\n\t"
+        "ldr	r4, [%[a], #488]\n\t"
+        "ldr	r5, [%[a], #492]\n\t"
+        "ldr	r6, [%[b], #480]\n\t"
+        "ldr	r7, [%[b], #484]\n\t"
+        "ldr	r8, [%[b], #488]\n\t"
+        "ldr	r9, [%[b], #492]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #480]\n\t"
+        "str	r3, [%[a], #484]\n\t"
+        "str	r4, [%[a], #488]\n\t"
+        "str	r5, [%[a], #492]\n\t"
+        "ldr	r2, [%[a], #496]\n\t"
+        "ldr	r3, [%[a], #500]\n\t"
+        "ldr	r4, [%[a], #504]\n\t"
+        "ldr	r5, [%[a], #508]\n\t"
+        "ldr	r6, [%[b], #496]\n\t"
+        "ldr	r7, [%[b], #500]\n\t"
+        "ldr	r8, [%[b], #504]\n\t"
+        "ldr	r9, [%[b], #508]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #496]\n\t"
+        "str	r3, [%[a], #500]\n\t"
+        "str	r4, [%[a], #504]\n\t"
+        "str	r5, [%[a], #508]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[a], #52]\n\t"
+        "ldr	r6, [%[a], #56]\n\t"
+        "ldr	r7, [%[a], #60]\n\t"
+        "ldr	r8, [%[b], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "ldr	r10, [%[b], #56]\n\t"
+        "ldr	r14, [%[b], #60]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r5, [%[r], #52]\n\t"
+        "str	r6, [%[r], #56]\n\t"
+        "str	r7, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[a], #68]\n\t"
+        "ldr	r6, [%[a], #72]\n\t"
+        "ldr	r7, [%[a], #76]\n\t"
+        "ldr	r8, [%[b], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "ldr	r10, [%[b], #72]\n\t"
+        "ldr	r14, [%[b], #76]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "str	r6, [%[r], #72]\n\t"
+        "str	r7, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[a], #84]\n\t"
+        "ldr	r6, [%[a], #88]\n\t"
+        "ldr	r7, [%[a], #92]\n\t"
+        "ldr	r8, [%[b], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "ldr	r10, [%[b], #88]\n\t"
+        "ldr	r14, [%[b], #92]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r5, [%[r], #84]\n\t"
+        "str	r6, [%[r], #88]\n\t"
+        "str	r7, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[a], #100]\n\t"
+        "ldr	r6, [%[a], #104]\n\t"
+        "ldr	r7, [%[a], #108]\n\t"
+        "ldr	r8, [%[b], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "ldr	r10, [%[b], #104]\n\t"
+        "ldr	r14, [%[b], #108]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r5, [%[r], #100]\n\t"
+        "str	r6, [%[r], #104]\n\t"
+        "str	r7, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[a], #116]\n\t"
+        "ldr	r6, [%[a], #120]\n\t"
+        "ldr	r7, [%[a], #124]\n\t"
+        "ldr	r8, [%[b], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "ldr	r10, [%[b], #120]\n\t"
+        "ldr	r14, [%[b], #124]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "str	r6, [%[r], #120]\n\t"
+        "str	r7, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r5, [%[a], #132]\n\t"
+        "ldr	r6, [%[a], #136]\n\t"
+        "ldr	r7, [%[a], #140]\n\t"
+        "ldr	r8, [%[b], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "ldr	r10, [%[b], #136]\n\t"
+        "ldr	r14, [%[b], #140]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r5, [%[r], #132]\n\t"
+        "str	r6, [%[r], #136]\n\t"
+        "str	r7, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r5, [%[a], #148]\n\t"
+        "ldr	r6, [%[a], #152]\n\t"
+        "ldr	r7, [%[a], #156]\n\t"
+        "ldr	r8, [%[b], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "ldr	r10, [%[b], #152]\n\t"
+        "ldr	r14, [%[b], #156]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r5, [%[r], #148]\n\t"
+        "str	r6, [%[r], #152]\n\t"
+        "str	r7, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r5, [%[a], #164]\n\t"
+        "ldr	r6, [%[a], #168]\n\t"
+        "ldr	r7, [%[a], #172]\n\t"
+        "ldr	r8, [%[b], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "ldr	r10, [%[b], #168]\n\t"
+        "ldr	r14, [%[b], #172]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "str	r6, [%[r], #168]\n\t"
+        "str	r7, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r5, [%[a], #180]\n\t"
+        "ldr	r6, [%[a], #184]\n\t"
+        "ldr	r7, [%[a], #188]\n\t"
+        "ldr	r8, [%[b], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "ldr	r10, [%[b], #184]\n\t"
+        "ldr	r14, [%[b], #188]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r5, [%[r], #180]\n\t"
+        "str	r6, [%[r], #184]\n\t"
+        "str	r7, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r5, [%[a], #196]\n\t"
+        "ldr	r6, [%[a], #200]\n\t"
+        "ldr	r7, [%[a], #204]\n\t"
+        "ldr	r8, [%[b], #192]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "ldr	r10, [%[b], #200]\n\t"
+        "ldr	r14, [%[b], #204]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r5, [%[r], #196]\n\t"
+        "str	r6, [%[r], #200]\n\t"
+        "str	r7, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r5, [%[a], #212]\n\t"
+        "ldr	r6, [%[a], #216]\n\t"
+        "ldr	r7, [%[a], #220]\n\t"
+        "ldr	r8, [%[b], #208]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "ldr	r10, [%[b], #216]\n\t"
+        "ldr	r14, [%[b], #220]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "str	r6, [%[r], #216]\n\t"
+        "str	r7, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r5, [%[a], #228]\n\t"
+        "ldr	r6, [%[a], #232]\n\t"
+        "ldr	r7, [%[a], #236]\n\t"
+        "ldr	r8, [%[b], #224]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "ldr	r10, [%[b], #232]\n\t"
+        "ldr	r14, [%[b], #236]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r5, [%[r], #228]\n\t"
+        "str	r6, [%[r], #232]\n\t"
+        "str	r7, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r5, [%[a], #244]\n\t"
+        "ldr	r6, [%[a], #248]\n\t"
+        "ldr	r7, [%[a], #252]\n\t"
+        "ldr	r8, [%[b], #240]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "ldr	r10, [%[b], #248]\n\t"
+        "ldr	r14, [%[b], #252]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r5, [%[r], #244]\n\t"
+        "str	r6, [%[r], #248]\n\t"
+        "str	r7, [%[r], #252]\n\t"
+        "ldr	r4, [%[a], #256]\n\t"
+        "ldr	r5, [%[a], #260]\n\t"
+        "ldr	r6, [%[a], #264]\n\t"
+        "ldr	r7, [%[a], #268]\n\t"
+        "ldr	r8, [%[b], #256]\n\t"
+        "ldr	r9, [%[b], #260]\n\t"
+        "ldr	r10, [%[b], #264]\n\t"
+        "ldr	r14, [%[b], #268]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "str	r5, [%[r], #260]\n\t"
+        "str	r6, [%[r], #264]\n\t"
+        "str	r7, [%[r], #268]\n\t"
+        "ldr	r4, [%[a], #272]\n\t"
+        "ldr	r5, [%[a], #276]\n\t"
+        "ldr	r6, [%[a], #280]\n\t"
+        "ldr	r7, [%[a], #284]\n\t"
+        "ldr	r8, [%[b], #272]\n\t"
+        "ldr	r9, [%[b], #276]\n\t"
+        "ldr	r10, [%[b], #280]\n\t"
+        "ldr	r14, [%[b], #284]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "str	r5, [%[r], #276]\n\t"
+        "str	r6, [%[r], #280]\n\t"
+        "str	r7, [%[r], #284]\n\t"
+        "ldr	r4, [%[a], #288]\n\t"
+        "ldr	r5, [%[a], #292]\n\t"
+        "ldr	r6, [%[a], #296]\n\t"
+        "ldr	r7, [%[a], #300]\n\t"
+        "ldr	r8, [%[b], #288]\n\t"
+        "ldr	r9, [%[b], #292]\n\t"
+        "ldr	r10, [%[b], #296]\n\t"
+        "ldr	r14, [%[b], #300]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #288]\n\t"
+        "str	r5, [%[r], #292]\n\t"
+        "str	r6, [%[r], #296]\n\t"
+        "str	r7, [%[r], #300]\n\t"
+        "ldr	r4, [%[a], #304]\n\t"
+        "ldr	r5, [%[a], #308]\n\t"
+        "ldr	r6, [%[a], #312]\n\t"
+        "ldr	r7, [%[a], #316]\n\t"
+        "ldr	r8, [%[b], #304]\n\t"
+        "ldr	r9, [%[b], #308]\n\t"
+        "ldr	r10, [%[b], #312]\n\t"
+        "ldr	r14, [%[b], #316]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "str	r5, [%[r], #308]\n\t"
+        "str	r6, [%[r], #312]\n\t"
+        "str	r7, [%[r], #316]\n\t"
+        "ldr	r4, [%[a], #320]\n\t"
+        "ldr	r5, [%[a], #324]\n\t"
+        "ldr	r6, [%[a], #328]\n\t"
+        "ldr	r7, [%[a], #332]\n\t"
+        "ldr	r8, [%[b], #320]\n\t"
+        "ldr	r9, [%[b], #324]\n\t"
+        "ldr	r10, [%[b], #328]\n\t"
+        "ldr	r14, [%[b], #332]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "str	r5, [%[r], #324]\n\t"
+        "str	r6, [%[r], #328]\n\t"
+        "str	r7, [%[r], #332]\n\t"
+        "ldr	r4, [%[a], #336]\n\t"
+        "ldr	r5, [%[a], #340]\n\t"
+        "ldr	r6, [%[a], #344]\n\t"
+        "ldr	r7, [%[a], #348]\n\t"
+        "ldr	r8, [%[b], #336]\n\t"
+        "ldr	r9, [%[b], #340]\n\t"
+        "ldr	r10, [%[b], #344]\n\t"
+        "ldr	r14, [%[b], #348]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #336]\n\t"
+        "str	r5, [%[r], #340]\n\t"
+        "str	r6, [%[r], #344]\n\t"
+        "str	r7, [%[r], #348]\n\t"
+        "ldr	r4, [%[a], #352]\n\t"
+        "ldr	r5, [%[a], #356]\n\t"
+        "ldr	r6, [%[a], #360]\n\t"
+        "ldr	r7, [%[a], #364]\n\t"
+        "ldr	r8, [%[b], #352]\n\t"
+        "ldr	r9, [%[b], #356]\n\t"
+        "ldr	r10, [%[b], #360]\n\t"
+        "ldr	r14, [%[b], #364]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "str	r5, [%[r], #356]\n\t"
+        "str	r6, [%[r], #360]\n\t"
+        "str	r7, [%[r], #364]\n\t"
+        "ldr	r4, [%[a], #368]\n\t"
+        "ldr	r5, [%[a], #372]\n\t"
+        "ldr	r6, [%[a], #376]\n\t"
+        "ldr	r7, [%[a], #380]\n\t"
+        "ldr	r8, [%[b], #368]\n\t"
+        "ldr	r9, [%[b], #372]\n\t"
+        "ldr	r10, [%[b], #376]\n\t"
+        "ldr	r14, [%[b], #380]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "str	r5, [%[r], #372]\n\t"
+        "str	r6, [%[r], #376]\n\t"
+        "str	r7, [%[r], #380]\n\t"
+        "ldr	r4, [%[a], #384]\n\t"
+        "ldr	r5, [%[a], #388]\n\t"
+        "ldr	r6, [%[a], #392]\n\t"
+        "ldr	r7, [%[a], #396]\n\t"
+        "ldr	r8, [%[b], #384]\n\t"
+        "ldr	r9, [%[b], #388]\n\t"
+        "ldr	r10, [%[b], #392]\n\t"
+        "ldr	r14, [%[b], #396]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #384]\n\t"
+        "str	r5, [%[r], #388]\n\t"
+        "str	r6, [%[r], #392]\n\t"
+        "str	r7, [%[r], #396]\n\t"
+        "ldr	r4, [%[a], #400]\n\t"
+        "ldr	r5, [%[a], #404]\n\t"
+        "ldr	r6, [%[a], #408]\n\t"
+        "ldr	r7, [%[a], #412]\n\t"
+        "ldr	r8, [%[b], #400]\n\t"
+        "ldr	r9, [%[b], #404]\n\t"
+        "ldr	r10, [%[b], #408]\n\t"
+        "ldr	r14, [%[b], #412]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #400]\n\t"
+        "str	r5, [%[r], #404]\n\t"
+        "str	r6, [%[r], #408]\n\t"
+        "str	r7, [%[r], #412]\n\t"
+        "ldr	r4, [%[a], #416]\n\t"
+        "ldr	r5, [%[a], #420]\n\t"
+        "ldr	r6, [%[a], #424]\n\t"
+        "ldr	r7, [%[a], #428]\n\t"
+        "ldr	r8, [%[b], #416]\n\t"
+        "ldr	r9, [%[b], #420]\n\t"
+        "ldr	r10, [%[b], #424]\n\t"
+        "ldr	r14, [%[b], #428]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #416]\n\t"
+        "str	r5, [%[r], #420]\n\t"
+        "str	r6, [%[r], #424]\n\t"
+        "str	r7, [%[r], #428]\n\t"
+        "ldr	r4, [%[a], #432]\n\t"
+        "ldr	r5, [%[a], #436]\n\t"
+        "ldr	r6, [%[a], #440]\n\t"
+        "ldr	r7, [%[a], #444]\n\t"
+        "ldr	r8, [%[b], #432]\n\t"
+        "ldr	r9, [%[b], #436]\n\t"
+        "ldr	r10, [%[b], #440]\n\t"
+        "ldr	r14, [%[b], #444]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #432]\n\t"
+        "str	r5, [%[r], #436]\n\t"
+        "str	r6, [%[r], #440]\n\t"
+        "str	r7, [%[r], #444]\n\t"
+        "ldr	r4, [%[a], #448]\n\t"
+        "ldr	r5, [%[a], #452]\n\t"
+        "ldr	r6, [%[a], #456]\n\t"
+        "ldr	r7, [%[a], #460]\n\t"
+        "ldr	r8, [%[b], #448]\n\t"
+        "ldr	r9, [%[b], #452]\n\t"
+        "ldr	r10, [%[b], #456]\n\t"
+        "ldr	r14, [%[b], #460]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #448]\n\t"
+        "str	r5, [%[r], #452]\n\t"
+        "str	r6, [%[r], #456]\n\t"
+        "str	r7, [%[r], #460]\n\t"
+        "ldr	r4, [%[a], #464]\n\t"
+        "ldr	r5, [%[a], #468]\n\t"
+        "ldr	r6, [%[a], #472]\n\t"
+        "ldr	r7, [%[a], #476]\n\t"
+        "ldr	r8, [%[b], #464]\n\t"
+        "ldr	r9, [%[b], #468]\n\t"
+        "ldr	r10, [%[b], #472]\n\t"
+        "ldr	r14, [%[b], #476]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #464]\n\t"
+        "str	r5, [%[r], #468]\n\t"
+        "str	r6, [%[r], #472]\n\t"
+        "str	r7, [%[r], #476]\n\t"
+        "ldr	r4, [%[a], #480]\n\t"
+        "ldr	r5, [%[a], #484]\n\t"
+        "ldr	r6, [%[a], #488]\n\t"
+        "ldr	r7, [%[a], #492]\n\t"
+        "ldr	r8, [%[b], #480]\n\t"
+        "ldr	r9, [%[b], #484]\n\t"
+        "ldr	r10, [%[b], #488]\n\t"
+        "ldr	r14, [%[b], #492]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #480]\n\t"
+        "str	r5, [%[r], #484]\n\t"
+        "str	r6, [%[r], #488]\n\t"
+        "str	r7, [%[r], #492]\n\t"
+        "ldr	r4, [%[a], #496]\n\t"
+        "ldr	r5, [%[a], #500]\n\t"
+        "ldr	r6, [%[a], #504]\n\t"
+        "ldr	r7, [%[a], #508]\n\t"
+        "ldr	r8, [%[b], #496]\n\t"
+        "ldr	r9, [%[b], #500]\n\t"
+        "ldr	r10, [%[b], #504]\n\t"
+        "ldr	r14, [%[b], #508]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #496]\n\t"
+        "str	r5, [%[r], #500]\n\t"
+        "str	r6, [%[r], #504]\n\t"
+        "str	r7, [%[r], #508]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_4096_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #256\n\t"
+        "mov	r10, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r3, r4, r8, r9\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [sp]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #28]\n\t"
+        "#  A[0] * B[8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[0]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #32]\n\t"
+        "#  A[0] * B[9]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[1]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[0]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "#  A[0] * B[10]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[9]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[8]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[2]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[1]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[0]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "#  A[0] * B[11]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[10]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[9]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[8]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[3]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[2]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[1]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[0]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #44]\n\t"
+        "#  A[0] * B[12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[11]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[10]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[9]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[8]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[4]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[3]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[2]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[1]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[0]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #48]\n\t"
+        "#  A[0] * B[13]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[11]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[10]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[9]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[8]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[5]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[4]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[3]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[2]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[1]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[0]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #52]\n\t"
+        "#  A[0] * B[14]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[13]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[11]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[10]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[9]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[8]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[6]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[5]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[4]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[3]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[2]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[1]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[0]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #56]\n\t"
+        "#  A[0] * B[15]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[14]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[13]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[12]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[11]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[10]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[9]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[8]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[7]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[6]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[5]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[4]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[3]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[2]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[1]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[0]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #60]\n\t"
+        "#  A[0] * B[16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[15]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[14]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[13]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[12]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[11]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[10]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[9]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[8]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[7]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[6]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[5]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[4]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[3]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[2]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[1]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[0]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #64]\n\t"
+        "#  A[0] * B[17]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[15]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[14]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[13]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[12]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[11]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[10]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[9]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[8]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[7]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[6]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[5]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[4]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[3]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[2]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[1]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[0]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #68]\n\t"
+        "#  A[0] * B[18]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[17]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[15]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[14]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[13]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[12]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[11]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[10]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[9]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[8]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[7]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[6]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[5]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[4]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[3]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[2]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[1]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[0]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #72]\n\t"
+        "#  A[0] * B[19]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[18]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[17]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[15]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[14]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[13]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[12]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[11]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[10]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[9]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[8]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[7]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[6]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[5]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[4]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[3]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[2]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[1]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[0]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #76]\n\t"
+        "#  A[0] * B[20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[19]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[18]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[17]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[16]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[15]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[14]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[13]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[12]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[11]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[10]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[9]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[8]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[7]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[6]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[5]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[4]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[3]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[2]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[1]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[0]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #80]\n\t"
+        "#  A[0] * B[21]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[19]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[18]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[17]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[16]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[15]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[14]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[13]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[12]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[11]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[10]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[9]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[8]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[7]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[6]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[5]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[4]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[3]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[2]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[1]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[0]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #84]\n\t"
+        "#  A[0] * B[22]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[21]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[19]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[18]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[17]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[16]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[15]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[14]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[13]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[12]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[11]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[10]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[9]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[8]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[7]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[6]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[5]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[4]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[3]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[2]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[1]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[0]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #88]\n\t"
+        "#  A[0] * B[23]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[22]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[21]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[19]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[18]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[17]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[16]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[15]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[14]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[13]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[12]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[11]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[10]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[9]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[8]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[7]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[6]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[5]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[4]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[3]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[2]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[1]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[0]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #92]\n\t"
+        "#  A[0] * B[24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[23]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[22]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[21]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[19]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[18]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[17]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[16]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[15]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[14]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[13]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[12]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[11]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[10]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[9]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[8]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[7]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[6]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[5]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[4]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[3]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[2]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[1]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[0]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #96]\n\t"
+        "#  A[0] * B[25]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[23]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[22]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[21]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[20]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[19]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[18]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[17]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[16]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[15]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[14]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[13]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[12]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[11]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[10]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[9]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[8]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[7]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[6]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[5]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[4]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[3]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[2]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[1]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[0]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #100]\n\t"
+        "#  A[0] * B[26]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[25]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[23]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[22]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[21]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[20]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[19]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[18]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[17]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[16]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[15]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[14]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[13]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[12]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[11]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[10]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[9]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[8]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[7]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[6]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[5]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[4]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[3]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[2]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[1]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[0]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #104]\n\t"
+        "#  A[0] * B[27]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[26]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[25]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[23]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[22]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[21]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[20]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[19]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[18]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[17]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[16]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[15]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[14]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[13]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[12]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[11]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[10]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[9]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[8]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[7]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[6]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[5]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[4]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[3]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[2]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[1]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[0]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #108]\n\t"
+        "#  A[0] * B[28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[27]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[26]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[25]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[23]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[22]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[21]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[20]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[19]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[18]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[17]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[16]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[15]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[14]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[13]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[12]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[11]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[10]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[9]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[8]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[7]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[6]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[5]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[4]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[3]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[2]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[1]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[0]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #112]\n\t"
+        "#  A[0] * B[29]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[27]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[26]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[25]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[23]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[22]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[21]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[20]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[19]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[18]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[17]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[16]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[15]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[14]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[13]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[12]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[11]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[10]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[9]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[8]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[7]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[6]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[5]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[4]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[3]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[2]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[1]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[0]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #116]\n\t"
+        "#  A[0] * B[30]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[29]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[27]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[26]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[25]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[24]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[23]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[22]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[21]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[20]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[19]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[18]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[17]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[16]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[15]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[14]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[13]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[12]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[11]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[10]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[9]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[8]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[7]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[6]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[5]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[4]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[3]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[2]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[1]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[0]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #120]\n\t"
+        "#  A[0] * B[31]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[30]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[29]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[27]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[26]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[25]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[24]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[23]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[22]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[21]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[20]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[19]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[18]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[17]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[16]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[15]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[14]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[13]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[12]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[11]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[10]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[9]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[8]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[7]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[6]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[5]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[4]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[3]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[2]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[1]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[0]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #124]\n\t"
+        "#  A[0] * B[32]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[31]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[30]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[29]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[27]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[26]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[25]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[24]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[23]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[22]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[21]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[20]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[19]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[18]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[17]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[16]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[15]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[14]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[13]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[12]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[11]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[10]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[9]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[8]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[7]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[6]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[5]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[4]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[3]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[2]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[1]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[0]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #128]\n\t"
+        "#  A[0] * B[33]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[32]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[31]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[30]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[29]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[27]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[26]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[25]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[24]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[23]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[22]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[21]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[20]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[19]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[18]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[17]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[16]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[15]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[14]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[13]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[12]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[11]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[10]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[9]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[8]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[7]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[6]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[5]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[4]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[3]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[2]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[1]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[0]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #132]\n\t"
+        "#  A[0] * B[34]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[33]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[32]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[31]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[30]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[29]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[27]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[26]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[25]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[24]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[23]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[22]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[21]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[20]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[19]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[18]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[17]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[16]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[15]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[14]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[13]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[12]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[11]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[10]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[9]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[8]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[7]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[6]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[5]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[4]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[3]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[2]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[1]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[0]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #136]\n\t"
+        "#  A[0] * B[35]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[34]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[33]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[32]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[31]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[30]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[29]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[28]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[27]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[26]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[25]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[24]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[23]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[22]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[21]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[20]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[19]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[18]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[17]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[16]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[15]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[14]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[13]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[12]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[11]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[10]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[9]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[8]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[7]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[6]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[5]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[4]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[3]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[2]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[1]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[0]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #140]\n\t"
+        "#  A[0] * B[36]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[35]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[34]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[33]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[32]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[31]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[30]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[29]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[28]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[27]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[26]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[25]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[24]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[23]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[22]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[21]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[20]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[19]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[18]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[17]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[16]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[15]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[14]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[13]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[12]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[11]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[10]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[9]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[8]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[7]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[6]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[5]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[4]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[3]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[2]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[1]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[0]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #144]\n\t"
+        "#  A[0] * B[37]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[36]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[35]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[34]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[33]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[32]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[31]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[30]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[29]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[28]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[27]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[26]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[25]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[24]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[23]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[22]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[21]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[20]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[19]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[18]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[17]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[16]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[15]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[14]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[13]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[12]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[11]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[10]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[9]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[8]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[7]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[6]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[5]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[4]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[3]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[2]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[1]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[0]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #148]\n\t"
+        "#  A[0] * B[38]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[37]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[36]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[35]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[34]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[33]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[32]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[31]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[30]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[29]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[28]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[27]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[26]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[25]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[24]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[23]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[22]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[21]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[20]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[19]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[18]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[17]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[16]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[15]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[14]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[13]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[12]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[11]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[10]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[9]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[8]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[7]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[6]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[5]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[4]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[3]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[2]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[1]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[0]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #152]\n\t"
+        "#  A[0] * B[39]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[38]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[37]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[36]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[35]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[34]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[33]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[32]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[31]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[30]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[29]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[28]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[27]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[26]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[25]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[24]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[23]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[22]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[21]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[20]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[19]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[18]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[17]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[16]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[15]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[14]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[13]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[12]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[11]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[10]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[9]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[8]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[7]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[6]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[5]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[4]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[3]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[2]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[1]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[0]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #156]\n\t"
+        "#  A[0] * B[40]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[39]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[38]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[37]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[36]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[35]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[34]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[33]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[32]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[31]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[30]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[29]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[28]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[27]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[26]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[25]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[24]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[23]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[22]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[21]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[20]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[19]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[18]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[17]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[16]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[15]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[14]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[13]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[12]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[11]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[10]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[9]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[8]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[7]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[6]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[5]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[4]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[3]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[2]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[1]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[0]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #160]\n\t"
+        "#  A[0] * B[41]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[40]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[39]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[38]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[37]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[36]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[35]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[34]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[33]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[32]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[31]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[30]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[29]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[28]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[27]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[26]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[25]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[24]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[23]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[22]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[21]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[20]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[19]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[18]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[17]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[16]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[15]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[14]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[13]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[12]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[11]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[10]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[9]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[8]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[7]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[6]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[5]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[4]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[3]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[2]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[1]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[0]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #164]\n\t"
+        "#  A[0] * B[42]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[41]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[40]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[39]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[38]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[37]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[36]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[35]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[34]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[33]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[32]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[31]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[30]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[29]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[28]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[27]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[26]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[25]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[24]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[23]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[22]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[21]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[20]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[19]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[18]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[17]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[16]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[15]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[14]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[13]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[12]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[11]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[10]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[9]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[8]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[7]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[6]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[5]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[4]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[3]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[2]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[1]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[0]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #168]\n\t"
+        "#  A[0] * B[43]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[42]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[41]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[40]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[39]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[38]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[37]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[36]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[35]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[34]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[33]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[32]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[31]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[30]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[29]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[28]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[27]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[26]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[25]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[24]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[23]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[22]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[21]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[20]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[19]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[18]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[17]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[16]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[15]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[14]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[13]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[12]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[11]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[10]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[9]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[8]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[7]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[6]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[5]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[4]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[3]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[2]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[1]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[0]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #172]\n\t"
+        "#  A[0] * B[44]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[43]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[42]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[41]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[40]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[39]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[38]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[37]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[36]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[35]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[34]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[33]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[32]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[31]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[30]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[29]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[28]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[27]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[26]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[25]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[24]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[23]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[22]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[21]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[20]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[19]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[18]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[17]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[16]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[15]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[14]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[13]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[12]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[11]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[10]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[9]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[8]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[7]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[6]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[5]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[4]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[3]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[2]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[1]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[0]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #176]\n\t"
+        "#  A[0] * B[45]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[44]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[43]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[42]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[41]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[40]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[39]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[38]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[37]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[36]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[35]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[34]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[33]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[32]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[31]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[30]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[29]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[28]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[27]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[26]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[25]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[24]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[23]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[22]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[21]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[20]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[19]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[18]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[17]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[16]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[15]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[14]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[13]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[12]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[11]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[10]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[9]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[8]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[7]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[6]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[5]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[4]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[3]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[2]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[1]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[0]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #180]\n\t"
+        "#  A[0] * B[46]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[45]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[44]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[43]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[42]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[41]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[40]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[39]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[38]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[37]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[36]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[35]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[34]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[33]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[32]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[31]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[30]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[29]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[28]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[27]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[26]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[25]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[24]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[23]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[22]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[21]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[20]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[19]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[18]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[17]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[16]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[15]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[14]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[13]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[12]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[11]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[10]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[9]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[8]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[7]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[6]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[5]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[4]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[3]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[2]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[1]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[0]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #184]\n\t"
+        "#  A[0] * B[47]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[46]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[45]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[44]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[43]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[42]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[41]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[40]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[39]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[38]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[37]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[36]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[35]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[34]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[33]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[32]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[31]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[30]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[29]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[28]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[27]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[26]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[25]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[24]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[23]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[22]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[21]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[20]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[19]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[18]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[17]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[16]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[15]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[14]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[13]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[12]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[11]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[10]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[9]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[8]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[7]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[6]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[5]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[4]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[3]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[2]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[1]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[0]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #188]\n\t"
+        "#  A[0] * B[48]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[47]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[46]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[45]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[44]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[43]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[42]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[41]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[40]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[39]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[38]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[37]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[36]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[35]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[34]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[33]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[32]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[31]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[30]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[29]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[28]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[27]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[26]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[25]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[24]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[23]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[22]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[21]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[20]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[19]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[18]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[17]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[16]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[15]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[14]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[13]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[12]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[11]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[10]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[9]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[8]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[7]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[6]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[5]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[4]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[3]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[2]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[1]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[0]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #192]\n\t"
+        "#  A[0] * B[49]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[48]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[47]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[46]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[45]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[44]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[43]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[42]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[41]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[40]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[39]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[38]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[37]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[36]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[35]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[34]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[33]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[32]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[31]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[30]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[29]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[28]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[27]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[26]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[25]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[24]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[23]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[22]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[21]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[20]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[19]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[18]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[17]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[16]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[15]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[14]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[13]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[12]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[11]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[10]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[9]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[8]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[7]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[6]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[5]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[4]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[3]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[2]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[1]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[0]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #196]\n\t"
+        "#  A[0] * B[50]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[49]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[48]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[47]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[46]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[45]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[44]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[43]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[42]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[41]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[40]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[39]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[38]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[37]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[36]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[35]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[34]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[33]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[32]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[31]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[30]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[29]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[28]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[27]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[26]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[25]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[24]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[23]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[22]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[21]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[20]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[19]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[18]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[17]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[16]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[15]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[14]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[13]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[12]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[11]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[10]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[9]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[8]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[7]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[6]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[5]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[4]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[3]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[2]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[1]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[0]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #200]\n\t"
+        "#  A[0] * B[51]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[50]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[49]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[48]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[47]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[46]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[45]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[44]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[43]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[42]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[41]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[40]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[39]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[38]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[37]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[36]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[35]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[34]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[33]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[32]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[31]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[30]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[29]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[28]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[27]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[26]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[25]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[24]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[23]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[22]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[21]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[20]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[19]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[18]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[17]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[16]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[15]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[14]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[13]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[12]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[11]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[10]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[9]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[8]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[7]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[6]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[5]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[4]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[3]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[2]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[1]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[0]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #204]\n\t"
+        "#  A[0] * B[52]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[51]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[50]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[49]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[48]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[47]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[46]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[45]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[44]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[43]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[42]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[41]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[40]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[39]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[38]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[37]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[36]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[35]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[34]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[33]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[32]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[31]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[30]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[29]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[28]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[27]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[26]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[25]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[24]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[23]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[22]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[21]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[20]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[19]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[18]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[17]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[16]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[15]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[14]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[13]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[12]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[11]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[10]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[9]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[8]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[7]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[6]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[5]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[4]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[3]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[2]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[1]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[0]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #208]\n\t"
+        "#  A[0] * B[53]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[52]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[51]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[50]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[49]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[48]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[47]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[46]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[45]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[44]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[43]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[42]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[41]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[40]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[39]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[38]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[37]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[36]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[35]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[34]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[33]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[32]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[31]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[30]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[29]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[28]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[27]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[26]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[25]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[24]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[23]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[22]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[21]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[20]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[19]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[18]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[17]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[16]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[15]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[14]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[13]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[12]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[11]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[10]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[9]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[8]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[7]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[6]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[5]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[4]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[3]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[2]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[1]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[0]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #212]\n\t"
+        "#  A[0] * B[54]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[53]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[52]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[51]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[50]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[49]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[48]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[47]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[46]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[45]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[44]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[43]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[42]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[41]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[40]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[39]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[38]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[37]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[36]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[35]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[34]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[33]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[32]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[31]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[30]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[29]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[28]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[27]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[26]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[25]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[24]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[23]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[22]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[21]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[20]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[19]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[18]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[17]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[16]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[15]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[14]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[13]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[12]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[11]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[10]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[9]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[8]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[7]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[6]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[5]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[4]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[3]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[2]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[1]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[0]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #216]\n\t"
+        "#  A[0] * B[55]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[54]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[53]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[52]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[51]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[50]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[49]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[48]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[47]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[46]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[45]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[44]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[43]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[42]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[41]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[40]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[39]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[38]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[37]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[36]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[35]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[34]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[33]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[32]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[31]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[30]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[29]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[28]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[27]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[26]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[25]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[24]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[23]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[22]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[21]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[20]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[19]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[18]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[17]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[16]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[15]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[14]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[13]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[12]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[11]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[10]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[9]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[8]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[7]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[6]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[5]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[4]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[3]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[2]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[1]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[0]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #220]\n\t"
+        "#  A[0] * B[56]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[55]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[54]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[53]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[52]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[51]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[50]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[49]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[48]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[47]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[46]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[45]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[44]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[43]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[42]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[41]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[40]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[39]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[38]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[37]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[36]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[35]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[34]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[33]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[32]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[31]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[30]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[29]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[28]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[27]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[26]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[25]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[24]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[23]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[22]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[21]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[20]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[19]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[18]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[17]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[16]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[15]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[14]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[13]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[12]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[11]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[10]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[9]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[8]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[7]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[6]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[5]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[4]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[3]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[2]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[1]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[0]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #224]\n\t"
+        "#  A[0] * B[57]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[56]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[55]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[54]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[53]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[52]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[51]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[50]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[49]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[48]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[47]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[46]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[45]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[44]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[43]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[42]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[41]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[40]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[39]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[38]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[37]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[36]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[35]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[34]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[33]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[32]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[31]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[30]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[29]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[28]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[27]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[26]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[25]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[24]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[23]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[22]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[21]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[20]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[19]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[18]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[17]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[16]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[15]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[14]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[13]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[12]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[11]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[10]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[9]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[8]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[7]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[6]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[5]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[4]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[3]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[2]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[1]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[0]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #228]\n\t"
+        "#  A[0] * B[58]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[57]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[56]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[55]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[54]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[53]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[52]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[51]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[50]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[49]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[48]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[47]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[46]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[45]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[44]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[43]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[42]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[41]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[40]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[39]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[38]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[37]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[36]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[35]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[34]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[33]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[32]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[31]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[30]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[29]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[28]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[27]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[26]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[25]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[24]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[23]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[22]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[21]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[20]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[19]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[18]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[17]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[16]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[15]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[14]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[13]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[12]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[11]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[10]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[9]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[8]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[7]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[6]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[5]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[4]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[3]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[2]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[1]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[0]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #232]\n\t"
+        "#  A[0] * B[59]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[58]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[57]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[56]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[55]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[54]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[53]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[52]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[51]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[50]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[49]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[48]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[47]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[46]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[45]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[44]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[43]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[42]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[41]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[40]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[39]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[38]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[37]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[36]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[35]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[34]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[33]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[32]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[31]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[30]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[29]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[28]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[27]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[26]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[25]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[24]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[23]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[22]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[21]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[20]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[19]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[18]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[17]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[16]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[15]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[14]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[13]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[12]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[11]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[10]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[9]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[8]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[7]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[6]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[5]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[4]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[3]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[2]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[1]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[0]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #236]\n\t"
+        "#  A[0] * B[60]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[59]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[58]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[57]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[56]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[55]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[54]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[53]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[52]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[51]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[50]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[49]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[48]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[47]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[46]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[45]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[44]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[43]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[42]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[41]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[40]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[39]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[38]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[37]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[36]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[35]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[34]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[33]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[32]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[31]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[30]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[29]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[28]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[27]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[26]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[25]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[24]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[23]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[22]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[21]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[20]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[19]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[18]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[17]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[16]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[15]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[14]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[13]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[12]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[11]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[10]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[9]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[8]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[7]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[6]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[5]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[4]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[3]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[2]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[1]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[0]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #240]\n\t"
+        "#  A[0] * B[61]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[60]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[59]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[58]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[57]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[56]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[55]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[54]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[53]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[52]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[51]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[50]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[49]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[48]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[47]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[46]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[45]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[44]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[43]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[42]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[41]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[40]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[39]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[38]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[37]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[36]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[35]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[34]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[33]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[32]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[31]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[30]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[29]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[28]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[27]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[26]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[25]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[24]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[23]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[22]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[21]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[20]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[19]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[18]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[17]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[16]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[15]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[14]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[13]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[12]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[11]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[10]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[9]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[8]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[7]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[6]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[5]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[4]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[3]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[2]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[1]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[0]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #244]\n\t"
+        "#  A[0] * B[62]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[61]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[60]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[59]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[58]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[57]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[56]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[55]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[54]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[53]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[52]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[51]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[50]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[49]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[48]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[47]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[46]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[45]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[44]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[43]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[42]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[41]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[40]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[39]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[38]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[37]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[36]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[35]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[34]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[33]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[32]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[31]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[30]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[29]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[28]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[27]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[26]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[25]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[24]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[23]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[22]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[21]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[20]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[19]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[18]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[17]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[16]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[15]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[14]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[13]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[12]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[11]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[10]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[9]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[8]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[7]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[6]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[5]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[4]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[3]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[2]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[1]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[0]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #248]\n\t"
+        "#  A[0] * B[63]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[62]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[61]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[60]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[59]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[58]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[57]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[56]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[55]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[54]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[53]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[52]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[51]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[50]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[49]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[48]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[47]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[46]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[45]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[44]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[43]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[42]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[41]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[40]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[39]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[38]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[37]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[36]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[35]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[34]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[33]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[32]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[31]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[30]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[29]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[28]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[27]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[26]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[25]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[24]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[23]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[22]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[21]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[20]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[19]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[18]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[17]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[16]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[15]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[14]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[13]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[12]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[11]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[10]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[9]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[8]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[7]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[6]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[5]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[4]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[3]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[2]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[1]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[0]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #252]\n\t"
+        "#  A[1] * B[63]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[2] * B[62]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[61]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[60]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[59]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[58]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[57]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[56]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[55]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[54]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[53]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[52]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[51]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[50]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[49]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[48]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[47]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[46]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[45]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[44]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[43]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[42]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[41]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[40]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[39]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[38]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[37]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[36]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[35]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[34]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[33]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[32]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[31]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[30]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[29]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[28]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[27]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[26]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[25]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[24]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[23]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[22]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[21]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[20]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[19]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[18]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[17]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[16]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[15]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[14]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[13]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[12]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[11]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[10]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[9]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[8]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[7]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[6]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[5]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[4]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[3]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[2]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[1]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "#  A[2] * B[63]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[3] * B[62]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[61]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[60]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[59]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[58]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[57]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[56]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[55]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[54]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[53]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[52]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[51]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[50]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[49]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[48]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[47]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[46]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[45]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[44]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[43]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[42]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[41]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[40]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[39]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[38]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[37]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[36]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[35]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[34]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[33]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[32]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[31]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[30]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[29]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[28]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[27]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[26]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[25]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[24]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[23]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[22]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[21]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[20]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[19]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[18]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[17]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[16]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[15]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[14]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[13]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[12]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[11]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[10]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[9]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[8]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[7]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[6]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[5]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[4]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[3]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[2]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #260]\n\t"
+        "#  A[3] * B[63]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[4] * B[62]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[61]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[60]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[59]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[58]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[57]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[56]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[55]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[54]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[53]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[52]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[51]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[50]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[49]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[48]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[47]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[46]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[45]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[44]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[43]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[42]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[41]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[40]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[39]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[38]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[37]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[36]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[35]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[34]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[33]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[32]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[31]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[30]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[29]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[28]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[27]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[26]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[25]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[24]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[23]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[22]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[21]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[20]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[19]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[18]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[17]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[16]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[15]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[14]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[13]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[12]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[11]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[10]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[9]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[8]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[7]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[6]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[5]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[4]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[3]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #264]\n\t"
+        "#  A[4] * B[63]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[5] * B[62]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[61]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[60]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[59]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[58]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[57]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[56]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[55]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[54]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[53]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[52]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[51]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[50]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[49]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[48]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[47]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[46]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[45]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[44]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[43]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[42]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[41]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[40]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[39]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[38]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[37]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[36]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[35]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[34]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[33]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[32]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[31]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[30]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[29]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[28]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[27]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[26]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[25]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[24]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[23]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[22]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[21]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[20]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[19]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[18]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[17]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[16]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[15]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[14]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[13]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[12]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[11]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[10]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[9]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[8]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[7]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[6]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[5]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[4]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #268]\n\t"
+        "#  A[5] * B[63]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[6] * B[62]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[61]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[60]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[59]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[58]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[57]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[56]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[55]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[54]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[53]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[52]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[51]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[50]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[49]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[48]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[47]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[46]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[45]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[44]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[43]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[42]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[41]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[40]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[39]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[38]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[37]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[36]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[35]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[34]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[33]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[32]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[31]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[30]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[29]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[28]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[27]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[26]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[25]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[24]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[23]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[22]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[21]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[20]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[19]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[18]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[17]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[16]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[15]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[14]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[13]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[12]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[11]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[10]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[9]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[8]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[7]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[6]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[5]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #272]\n\t"
+        "#  A[6] * B[63]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[7] * B[62]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[61]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[60]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[59]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[58]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[57]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[56]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[55]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[54]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[53]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[52]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[51]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[50]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[49]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[48]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[47]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[46]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[45]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[44]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[43]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[42]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[41]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[40]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[39]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[38]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[37]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[36]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[35]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[34]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[33]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[32]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[31]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[30]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[29]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[28]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[27]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[26]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[25]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[24]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[23]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[22]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[21]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[20]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[19]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[18]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[17]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[16]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[15]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[14]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[13]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[12]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[11]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[10]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[9]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[8]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[7]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[6]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #276]\n\t"
+        "#  A[7] * B[63]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[8] * B[62]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[61]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[60]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[59]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[58]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[57]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[56]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[55]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[54]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[53]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[52]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[51]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[50]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[49]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[48]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[47]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[46]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[45]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[44]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[43]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[42]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[41]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[40]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[39]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[38]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[37]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[36]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[35]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[34]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[33]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[32]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[31]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[30]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[29]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[28]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[27]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[26]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[25]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[24]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[23]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[22]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[21]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[20]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[19]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[18]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[17]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[16]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[15]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[14]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[13]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[12]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[11]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[10]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[9]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[8]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[7]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #280]\n\t"
+        "#  A[8] * B[63]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[9] * B[62]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[61]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[60]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[12] * B[59]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[58]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[57]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[56]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[55]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[54]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[53]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[52]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[51]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[50]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[49]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[48]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[47]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[46]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[45]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[44]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[43]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[42]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[41]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[40]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[39]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[38]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[37]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[36]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[35]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[34]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[33]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[32]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[31]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[30]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[29]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[28]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[27]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[26]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[25]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[24]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[23]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[22]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[21]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[20]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[19]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[18]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[17]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[16]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[15]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[14]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[13]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[12]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[11]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[10]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[9]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[8]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #284]\n\t"
+        "#  A[9] * B[63]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[10] * B[62]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[61]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[12] * B[60]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[13] * B[59]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[58]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[57]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[56]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[55]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[54]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[53]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[52]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[51]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[50]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[49]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[48]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[47]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[46]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[45]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[44]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[43]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[42]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[41]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[40]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[39]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[38]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[37]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[36]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[35]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[34]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[33]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[32]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[31]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[30]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[29]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[28]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[27]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[26]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[25]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[24]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[23]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[22]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[21]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[20]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[19]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[18]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[17]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[16]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[15]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[14]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[13]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[12]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[11]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[10]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[9]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #288]\n\t"
+        "#  A[10] * B[63]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[11] * B[62]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[12] * B[61]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[13] * B[60]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[14] * B[59]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[58]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[57]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[56]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[55]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[54]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[53]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[52]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[51]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[50]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[49]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[48]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[47]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[46]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[45]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[44]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[43]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[42]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[41]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[40]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[39]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[38]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[37]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[36]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[35]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[34]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[33]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[32]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[31]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[30]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[29]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[28]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[27]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[26]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[25]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[24]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[23]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[22]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[21]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[20]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[19]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[18]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[17]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[16]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[15]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[14]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[13]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[12]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[11]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[10]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #292]\n\t"
+        "#  A[11] * B[63]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[12] * B[62]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[13] * B[61]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[14] * B[60]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[15] * B[59]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[58]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[57]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[56]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[55]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[54]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[53]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[52]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[51]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[50]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[49]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[48]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[47]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[46]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[45]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[44]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[43]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[42]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[41]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[40]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[39]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[38]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[37]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[36]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[35]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[34]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[33]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[32]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[31]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[30]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[29]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[28]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[27]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[26]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[25]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[24]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[23]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[22]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[21]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[20]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[19]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[18]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[17]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[16]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[15]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[14]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[13]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[12]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[11]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #296]\n\t"
+        "#  A[12] * B[63]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[13] * B[62]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[14] * B[61]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[15] * B[60]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[16] * B[59]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[58]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[57]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[56]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[55]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[54]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[53]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[52]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[51]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[50]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[49]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[48]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[47]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[46]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[45]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[44]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[43]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[42]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[41]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[40]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[39]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[38]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[37]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[36]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[35]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[34]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[33]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[32]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[31]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[30]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[29]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[28]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[27]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[26]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[25]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[24]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[23]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[22]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[21]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[20]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[19]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[18]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[17]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[16]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[15]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[14]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[13]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[12]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #48]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #300]\n\t"
+        "#  A[13] * B[63]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[14] * B[62]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[15] * B[61]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[16] * B[60]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[17] * B[59]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[58]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[57]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[56]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[55]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[54]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[53]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[52]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[51]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[50]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[49]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[48]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[47]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[46]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[45]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[44]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[43]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[42]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[41]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[40]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[39]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[38]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[37]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[36]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[35]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[34]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[33]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[32]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[31]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[30]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[29]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[28]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[27]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[26]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[25]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[24]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[23]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[22]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[21]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[20]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[19]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[18]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[17]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[16]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[15]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[14]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[13]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #52]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "#  A[14] * B[63]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[15] * B[62]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[16] * B[61]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[17] * B[60]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[18] * B[59]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[58]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[57]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[56]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[55]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[54]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[53]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[52]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[51]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[50]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[49]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[48]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[47]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[46]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[45]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[44]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[43]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[42]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[41]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[40]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[39]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[38]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[37]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[36]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[35]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[34]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[33]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[32]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[31]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[30]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[29]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[28]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[27]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[26]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[25]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[24]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[23]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[22]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[21]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[20]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[19]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[18]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[17]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[16]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[15]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[14]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #56]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #308]\n\t"
+        "#  A[15] * B[63]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[16] * B[62]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[17] * B[61]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[18] * B[60]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[19] * B[59]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[58]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[57]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[56]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[55]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[54]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[53]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[52]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[51]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[50]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[49]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[48]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[47]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[46]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[45]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[44]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[43]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[42]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[41]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[40]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[39]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[38]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[37]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[36]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[35]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[34]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[33]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[32]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[31]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[30]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[29]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[28]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[27]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[26]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[25]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[24]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[23]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[22]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[21]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[20]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[19]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[18]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[17]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[16]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[15]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #60]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #312]\n\t"
+        "#  A[16] * B[63]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[17] * B[62]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[18] * B[61]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[19] * B[60]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[20] * B[59]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[58]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[57]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[56]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[55]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[54]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[53]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[52]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[51]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[50]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[49]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[48]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[47]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[46]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[45]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[44]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[43]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[42]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[41]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[40]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[39]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[38]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[37]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[36]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[35]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[34]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[33]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[32]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[31]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[30]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[29]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[28]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[27]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[26]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[25]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[24]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[23]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[22]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[21]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[20]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[19]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[18]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[17]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[16]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #64]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #316]\n\t"
+        "#  A[17] * B[63]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[18] * B[62]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[19] * B[61]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[20] * B[60]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[21] * B[59]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[58]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[57]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[56]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[55]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[54]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[53]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[52]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[51]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[50]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[49]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[48]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[47]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[46]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[45]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[44]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[43]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[42]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[41]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[40]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[39]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[38]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[37]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[36]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[35]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[34]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[33]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[32]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[31]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[30]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[29]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[28]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[27]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[26]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[25]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[24]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[23]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[22]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[21]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[20]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[19]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[18]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[17]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #68]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #320]\n\t"
+        "#  A[18] * B[63]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[19] * B[62]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[20] * B[61]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[21] * B[60]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[22] * B[59]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[58]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[57]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[56]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[55]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[54]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[53]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[52]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[51]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[50]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[49]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[48]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[47]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[46]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[45]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[44]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[43]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[42]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[41]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[40]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[39]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[38]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[37]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[36]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[35]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[34]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[33]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[32]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[31]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[30]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[29]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[28]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[27]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[26]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[25]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[24]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[23]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[22]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[21]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[20]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[19]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[18]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #72]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #324]\n\t"
+        "#  A[19] * B[63]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[20] * B[62]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[21] * B[61]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[22] * B[60]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[23] * B[59]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[58]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[57]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[56]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[55]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[54]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[53]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[52]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[51]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[50]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[49]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[48]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[47]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[46]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[45]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[44]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[43]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[42]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[41]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[40]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[39]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[38]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[37]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[36]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[35]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[34]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[33]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[32]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[31]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[30]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[29]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[28]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[27]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[26]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[25]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[24]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[23]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[22]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[21]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[20]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[19]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #76]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #328]\n\t"
+        "#  A[20] * B[63]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[21] * B[62]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[22] * B[61]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[23] * B[60]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[24] * B[59]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[58]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[57]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[56]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[55]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[54]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[53]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[52]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[51]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[50]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[49]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[48]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[47]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[46]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[45]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[44]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[43]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[42]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[41]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[40]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[39]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[38]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[37]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[36]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[35]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[34]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[33]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[32]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[31]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[30]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[29]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[28]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[27]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[26]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[25]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[24]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[23]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[22]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[21]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[20]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #80]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #332]\n\t"
+        "#  A[21] * B[63]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[22] * B[62]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[23] * B[61]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[24] * B[60]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[25] * B[59]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[58]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[57]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[56]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[55]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[54]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[53]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[52]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[51]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[50]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[49]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[48]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[47]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[46]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[45]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[44]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[43]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[42]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[41]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[40]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[39]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[38]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[37]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[36]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[35]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[34]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[33]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[32]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[31]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[30]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[29]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[28]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[27]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[26]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[25]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[24]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[23]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[22]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[21]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #84]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #336]\n\t"
+        "#  A[22] * B[63]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[23] * B[62]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[24] * B[61]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[25] * B[60]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[26] * B[59]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[58]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[57]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[56]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[55]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[54]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[53]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[52]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[51]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[50]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[49]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[48]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[47]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[46]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[45]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[44]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[43]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[42]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[41]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[40]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[39]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[38]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[37]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[36]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[35]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[34]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[33]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[32]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[31]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[30]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[29]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[28]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[27]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[26]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[25]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[24]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[23]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[22]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #88]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #340]\n\t"
+        "#  A[23] * B[63]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[24] * B[62]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[25] * B[61]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[26] * B[60]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[27] * B[59]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[58]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[57]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[56]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[55]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[54]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[53]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[52]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[51]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[50]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[49]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[48]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[47]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[46]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[45]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[44]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[43]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[42]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[41]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[40]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[39]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[38]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[37]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[36]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[35]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[34]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[33]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[32]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[31]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[30]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[29]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[28]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[27]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[26]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[25]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[24]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[23]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #92]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #344]\n\t"
+        "#  A[24] * B[63]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[25] * B[62]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[26] * B[61]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[27] * B[60]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[28] * B[59]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[58]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[57]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[56]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[55]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[54]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[53]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[52]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[51]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[50]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[49]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[48]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[47]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[46]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[45]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[44]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[43]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[42]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[41]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[40]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[39]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[38]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[37]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[36]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[35]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[34]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[33]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[32]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[31]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[30]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[29]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[28]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[27]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[26]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[25]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[24]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #96]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #348]\n\t"
+        "#  A[25] * B[63]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[26] * B[62]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[27] * B[61]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[28] * B[60]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[29] * B[59]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[58]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[57]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[56]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[55]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[54]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[53]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[52]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[51]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[50]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[49]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[48]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[47]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[46]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[45]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[44]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[43]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[42]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[41]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[40]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[39]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[38]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[37]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[36]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[35]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[34]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[33]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[32]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[31]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[30]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[29]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[28]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[27]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[26]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[25]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #100]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "#  A[26] * B[63]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[27] * B[62]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[28] * B[61]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[29] * B[60]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[30] * B[59]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[58]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[57]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[56]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[55]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[54]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[53]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[52]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[51]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[50]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[49]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[48]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[47]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[46]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[45]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[44]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[43]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[42]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[41]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[40]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[39]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[38]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[37]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[36]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[35]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[34]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[33]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[32]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[31]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[30]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[29]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[28]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[27]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[26]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #104]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #356]\n\t"
+        "#  A[27] * B[63]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[28] * B[62]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[29] * B[61]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[30] * B[60]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[31] * B[59]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[58]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[57]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[56]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[55]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[54]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[53]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[52]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[51]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[50]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[49]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[48]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[47]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[46]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[45]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[44]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[43]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[42]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[41]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[40]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[39]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[38]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[37]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[36]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[35]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[34]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[33]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[32]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[31]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[30]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[29]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[28]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[27]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #108]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #360]\n\t"
+        "#  A[28] * B[63]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[29] * B[62]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[30] * B[61]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[31] * B[60]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[32] * B[59]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[58]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[57]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[56]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[55]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[54]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[53]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[52]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[51]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[50]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[49]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[48]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[47]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[46]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[45]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[44]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[43]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[42]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[41]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[40]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[39]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[38]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[37]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[36]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[35]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[34]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[33]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[32]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[31]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[30]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[29]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[28]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #112]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #364]\n\t"
+        "#  A[29] * B[63]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[30] * B[62]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[31] * B[61]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[32] * B[60]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[33] * B[59]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[58]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[57]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[56]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[55]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[54]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[53]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[52]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[51]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[50]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[49]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[48]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[47]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[46]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[45]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[44]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[43]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[42]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[41]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[40]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[39]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[38]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[37]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[36]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[35]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[34]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[33]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[32]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[31]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[30]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[29]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #116]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #368]\n\t"
+        "#  A[30] * B[63]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[31] * B[62]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[32] * B[61]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[33] * B[60]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[34] * B[59]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[58]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[57]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[56]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[55]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[54]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[53]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[52]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[51]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[50]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[49]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[48]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[47]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[46]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[45]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[44]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[43]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[42]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[41]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[40]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[39]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[38]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[37]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[36]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[35]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[34]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[33]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[32]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[31]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[30]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #120]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #372]\n\t"
+        "#  A[31] * B[63]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[32] * B[62]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[33] * B[61]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[34] * B[60]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[35] * B[59]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[58]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[57]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[56]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[55]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[54]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[53]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[52]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[51]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[50]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[49]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[48]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[47]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[46]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[45]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[44]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[43]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[42]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[41]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[40]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[39]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[38]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[37]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[36]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[35]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[34]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[33]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[32]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[31]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #124]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #376]\n\t"
+        "#  A[32] * B[63]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[33] * B[62]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[34] * B[61]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[35] * B[60]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[36] * B[59]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[58]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[57]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[56]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[55]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[54]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[53]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[52]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[51]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[50]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[49]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[48]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[47]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[46]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[45]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[44]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[43]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[42]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[41]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[40]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[39]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[38]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[37]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[36]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[35]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[34]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[33]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[32]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #128]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #380]\n\t"
+        "#  A[33] * B[63]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[34] * B[62]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[35] * B[61]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[36] * B[60]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[37] * B[59]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[58]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[57]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[56]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[55]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[54]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[53]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[52]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[51]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[50]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[49]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[48]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[47]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[46]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[45]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[44]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[43]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[42]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[41]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[40]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[39]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[38]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[37]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[36]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[35]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[34]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[33]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #132]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #384]\n\t"
+        "#  A[34] * B[63]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[35] * B[62]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[36] * B[61]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[37] * B[60]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[38] * B[59]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[58]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[57]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[56]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[55]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[54]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[53]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[52]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[51]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[50]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[49]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[48]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[47]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[46]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[45]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[44]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[43]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[42]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[41]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[40]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[39]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[38]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[37]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[36]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[35]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[34]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #136]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #388]\n\t"
+        "#  A[35] * B[63]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[36] * B[62]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[37] * B[61]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[38] * B[60]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[39] * B[59]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[58]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[57]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[56]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[55]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[54]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[53]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[52]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[51]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[50]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[49]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[48]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[47]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[46]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[45]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[44]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[43]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[42]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[41]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[40]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[39]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[38]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[37]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[36]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[35]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #140]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #392]\n\t"
+        "#  A[36] * B[63]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[37] * B[62]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[38] * B[61]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[39] * B[60]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[40] * B[59]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[58]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[57]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[56]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[55]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[54]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[53]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[52]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[51]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[50]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[49]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[48]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[47]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[46]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[45]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[44]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[43]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[42]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[41]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[40]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[39]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[38]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[37]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[36]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #144]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #396]\n\t"
+        "#  A[37] * B[63]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[38] * B[62]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[39] * B[61]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[40] * B[60]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[41] * B[59]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[58]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[57]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[56]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[55]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[54]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[53]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[52]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[51]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[50]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[49]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[48]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[47]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[46]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[45]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[44]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[43]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[42]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[41]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[40]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[39]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[38]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[37]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #148]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #400]\n\t"
+        "#  A[38] * B[63]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[39] * B[62]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[40] * B[61]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[41] * B[60]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[42] * B[59]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[58]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[57]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[56]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[55]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[54]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[53]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[52]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[51]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[50]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[49]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[48]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[47]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[46]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[45]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[44]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[43]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[42]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[41]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[40]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[39]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[38]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #152]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #404]\n\t"
+        "#  A[39] * B[63]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[40] * B[62]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[41] * B[61]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[42] * B[60]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[43] * B[59]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[58]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[57]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[56]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[55]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[54]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[53]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[52]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[51]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[50]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[49]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[48]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[47]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[46]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[45]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[44]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[43]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[42]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[41]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[40]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[39]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #156]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #408]\n\t"
+        "#  A[40] * B[63]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[41] * B[62]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[42] * B[61]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[43] * B[60]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[44] * B[59]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[58]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[57]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[56]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[55]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[54]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[53]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[52]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[51]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[50]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[49]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[48]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[47]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[46]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[45]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[44]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[43]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[42]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[41]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[40]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #160]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #412]\n\t"
+        "#  A[41] * B[63]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[42] * B[62]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[43] * B[61]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[44] * B[60]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[45] * B[59]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[58]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[57]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[56]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[55]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[54]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[53]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[52]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[51]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[50]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[49]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[48]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[47]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[46]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[45]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[44]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[43]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[42]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[41]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #164]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #416]\n\t"
+        "#  A[42] * B[63]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[43] * B[62]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[44] * B[61]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[45] * B[60]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[46] * B[59]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[58]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[57]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[56]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[55]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[54]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[53]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[52]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[51]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[50]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[49]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[48]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[47]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[46]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[45]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[44]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[43]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[42]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #168]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #420]\n\t"
+        "#  A[43] * B[63]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[44] * B[62]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[45] * B[61]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[46] * B[60]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[47] * B[59]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[58]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[57]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[56]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[55]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[54]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[53]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[52]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[51]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[50]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[49]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[48]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[47]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[46]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[45]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[44]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[43]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #172]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #424]\n\t"
+        "#  A[44] * B[63]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[45] * B[62]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[46] * B[61]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[47] * B[60]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[48] * B[59]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[58]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[57]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[56]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[55]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[54]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[53]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[52]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[51]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[50]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[49]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[48]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[47]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[46]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[45]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[44]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #176]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #428]\n\t"
+        "#  A[45] * B[63]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[46] * B[62]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[47] * B[61]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[48] * B[60]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[49] * B[59]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[58]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[57]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[56]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[55]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[54]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[53]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[52]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[51]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[50]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[49]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[48]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[47]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[46]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[45]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #180]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #432]\n\t"
+        "#  A[46] * B[63]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[47] * B[62]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[48] * B[61]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[49] * B[60]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[50] * B[59]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[58]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[57]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[56]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[55]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[54]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[53]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[52]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[51]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[50]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[49]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[48]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[47]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[46]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #184]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #436]\n\t"
+        "#  A[47] * B[63]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[48] * B[62]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[49] * B[61]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[50] * B[60]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[51] * B[59]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[58]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[57]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[56]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[55]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[54]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[53]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[52]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[51]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[50]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[49]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[48]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[47]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #188]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #440]\n\t"
+        "#  A[48] * B[63]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[49] * B[62]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[50] * B[61]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[51] * B[60]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[52] * B[59]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[58]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[57]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[56]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[55]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[54]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[53]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[52]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[51]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[50]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[49]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[48]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #192]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #444]\n\t"
+        "#  A[49] * B[63]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[50] * B[62]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[51] * B[61]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[52] * B[60]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[53] * B[59]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[58]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[57]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[56]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[55]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[54]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[53]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[52]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[51]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[50]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[49]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #196]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #448]\n\t"
+        "#  A[50] * B[63]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[51] * B[62]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[52] * B[61]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[53] * B[60]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[54] * B[59]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[58]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[57]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[56]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[55]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[54]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[53]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[52]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[51]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[50]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #200]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #452]\n\t"
+        "#  A[51] * B[63]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[52] * B[62]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[53] * B[61]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[54] * B[60]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[55] * B[59]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[58]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[57]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[56]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[55]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[54]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[53]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[52]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[51]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #204]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #456]\n\t"
+        "#  A[52] * B[63]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[53] * B[62]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[54] * B[61]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[55] * B[60]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[56] * B[59]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[58]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[57]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[56]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[55]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[54]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[53]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[52]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #208]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #460]\n\t"
+        "#  A[53] * B[63]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[54] * B[62]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[55] * B[61]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[56] * B[60]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[57] * B[59]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[58]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[57]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[56]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[55]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[54]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[53]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #212]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #464]\n\t"
+        "#  A[54] * B[63]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[55] * B[62]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[56] * B[61]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[57] * B[60]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[58] * B[59]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[58]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[57]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[56]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[55]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[54]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #216]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #468]\n\t"
+        "#  A[55] * B[63]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[56] * B[62]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[57] * B[61]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[58] * B[60]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[59] * B[59]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[58]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[57]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[56]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[55]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #220]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #472]\n\t"
+        "#  A[56] * B[63]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[57] * B[62]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[58] * B[61]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[59] * B[60]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[60] * B[59]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[58]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[57]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[56]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #224]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #476]\n\t"
+        "#  A[57] * B[63]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[58] * B[62]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[59] * B[61]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[60] * B[60]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[61] * B[59]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[58]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[57]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #228]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #480]\n\t"
+        "#  A[58] * B[63]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[59] * B[62]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[60] * B[61]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[61] * B[60]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[62] * B[59]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[58]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #232]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #484]\n\t"
+        "#  A[59] * B[63]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[60] * B[62]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[61] * B[61]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[62] * B[60]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[63] * B[59]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #236]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #488]\n\t"
+        "#  A[60] * B[63]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[61] * B[62]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[62] * B[61]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[63] * B[60]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #240]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #492]\n\t"
+        "#  A[61] * B[63]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[62] * B[62]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[63] * B[61]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #244]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #496]\n\t"
+        "#  A[62] * B[63]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[63] * B[62]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #248]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #500]\n\t"
+        "#  A[63] * B[63]\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "ldr	r9, [%[b], #252]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r3, [%[r], #504]\n\t"
+        "str	r4, [%[r], #508]\n\t"
+        "ldr	r3, [sp, #0]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r6, [sp, #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r6, [sp, #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "str	r5, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r3, [sp, #48]\n\t"
+        "ldr	r4, [sp, #52]\n\t"
+        "ldr	r5, [sp, #56]\n\t"
+        "ldr	r6, [sp, #60]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r3, [sp, #64]\n\t"
+        "ldr	r4, [sp, #68]\n\t"
+        "ldr	r5, [sp, #72]\n\t"
+        "ldr	r6, [sp, #76]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "str	r5, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r3, [sp, #80]\n\t"
+        "ldr	r4, [sp, #84]\n\t"
+        "ldr	r5, [sp, #88]\n\t"
+        "ldr	r6, [sp, #92]\n\t"
+        "str	r3, [%[r], #80]\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "str	r5, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r3, [sp, #96]\n\t"
+        "ldr	r4, [sp, #100]\n\t"
+        "ldr	r5, [sp, #104]\n\t"
+        "ldr	r6, [sp, #108]\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r3, [sp, #112]\n\t"
+        "ldr	r4, [sp, #116]\n\t"
+        "ldr	r5, [sp, #120]\n\t"
+        "ldr	r6, [sp, #124]\n\t"
+        "str	r3, [%[r], #112]\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "str	r5, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r3, [sp, #128]\n\t"
+        "ldr	r4, [sp, #132]\n\t"
+        "ldr	r5, [sp, #136]\n\t"
+        "ldr	r6, [sp, #140]\n\t"
+        "str	r3, [%[r], #128]\n\t"
+        "str	r4, [%[r], #132]\n\t"
+        "str	r5, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r3, [sp, #144]\n\t"
+        "ldr	r4, [sp, #148]\n\t"
+        "ldr	r5, [sp, #152]\n\t"
+        "ldr	r6, [sp, #156]\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "str	r5, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r3, [sp, #160]\n\t"
+        "ldr	r4, [sp, #164]\n\t"
+        "ldr	r5, [sp, #168]\n\t"
+        "ldr	r6, [sp, #172]\n\t"
+        "str	r3, [%[r], #160]\n\t"
+        "str	r4, [%[r], #164]\n\t"
+        "str	r5, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r3, [sp, #176]\n\t"
+        "ldr	r4, [sp, #180]\n\t"
+        "ldr	r5, [sp, #184]\n\t"
+        "ldr	r6, [sp, #188]\n\t"
+        "str	r3, [%[r], #176]\n\t"
+        "str	r4, [%[r], #180]\n\t"
+        "str	r5, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "ldr	r3, [sp, #192]\n\t"
+        "ldr	r4, [sp, #196]\n\t"
+        "ldr	r5, [sp, #200]\n\t"
+        "ldr	r6, [sp, #204]\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        "str	r4, [%[r], #196]\n\t"
+        "str	r5, [%[r], #200]\n\t"
+        "str	r6, [%[r], #204]\n\t"
+        "ldr	r3, [sp, #208]\n\t"
+        "ldr	r4, [sp, #212]\n\t"
+        "ldr	r5, [sp, #216]\n\t"
+        "ldr	r6, [sp, #220]\n\t"
+        "str	r3, [%[r], #208]\n\t"
+        "str	r4, [%[r], #212]\n\t"
+        "str	r5, [%[r], #216]\n\t"
+        "str	r6, [%[r], #220]\n\t"
+        "ldr	r3, [sp, #224]\n\t"
+        "ldr	r4, [sp, #228]\n\t"
+        "ldr	r5, [sp, #232]\n\t"
+        "ldr	r6, [sp, #236]\n\t"
+        "str	r3, [%[r], #224]\n\t"
+        "str	r4, [%[r], #228]\n\t"
+        "str	r5, [%[r], #232]\n\t"
+        "str	r6, [%[r], #236]\n\t"
+        "ldr	r3, [sp, #240]\n\t"
+        "ldr	r4, [sp, #244]\n\t"
+        "ldr	r5, [sp, #248]\n\t"
+        "ldr	r6, [sp, #252]\n\t"
+        "str	r3, [%[r], #240]\n\t"
+        "str	r4, [%[r], #244]\n\t"
+        "str	r5, [%[r], #248]\n\t"
+        "str	r6, [%[r], #252]\n\t"
+        "add	sp, sp, #256\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit b1[64];
+    sp_digit z2[128];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_64(a1, a, &a[64]);
+    cb = sp_2048_add_64(b1, b, &b[64]);
+    u  = ca & cb;
+    sp_2048_mul_64(z1, a1, b1);
+    sp_2048_mul_64(z2, &a[64], &b[64]);
+    sp_2048_mul_64(z0, a, b);
+    sp_2048_mask_64(r + 128, a1, 0 - cb);
+    sp_2048_mask_64(b1, b1, 0 - ca);
+    u += sp_2048_add_64(r + 128, r + 128, b1);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_4096_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #256\n\t"
+        "mov	r14, #0\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "umull	r8, r3, r10, r10\n\t"
+        "mov	r4, #0\n\t"
+        "str	r8, [sp]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #28]\n\t"
+        "#  A[0] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #32]\n\t"
+        "#  A[0] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #36]\n\t"
+        "#  A[0] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #40]\n\t"
+        "#  A[0] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #44]\n\t"
+        "#  A[0] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #48]\n\t"
+        "#  A[0] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #52]\n\t"
+        "#  A[0] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #56]\n\t"
+        "#  A[0] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #60]\n\t"
+        "#  A[0] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #64]\n\t"
+        "#  A[0] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #68]\n\t"
+        "#  A[0] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #72]\n\t"
+        "#  A[0] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #76]\n\t"
+        "#  A[0] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #80]\n\t"
+        "#  A[0] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #84]\n\t"
+        "#  A[0] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #88]\n\t"
+        "#  A[0] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #92]\n\t"
+        "#  A[0] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[12]\n\t"
+        "ldr	r10, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #96]\n\t"
+        "#  A[0] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #100]\n\t"
+        "#  A[0] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[13]\n\t"
+        "ldr	r10, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #104]\n\t"
+        "#  A[0] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #108]\n\t"
+        "#  A[0] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[14]\n\t"
+        "ldr	r10, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #112]\n\t"
+        "#  A[0] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #116]\n\t"
+        "#  A[0] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[15]\n\t"
+        "ldr	r10, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #120]\n\t"
+        "#  A[0] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #124]\n\t"
+        "#  A[0] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[16]\n\t"
+        "ldr	r10, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #128]\n\t"
+        "#  A[0] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #132]\n\t"
+        "#  A[0] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[17]\n\t"
+        "ldr	r10, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #136]\n\t"
+        "#  A[0] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #140]\n\t"
+        "#  A[0] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[18]\n\t"
+        "ldr	r10, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #144]\n\t"
+        "#  A[0] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #148]\n\t"
+        "#  A[0] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[19]\n\t"
+        "ldr	r10, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #152]\n\t"
+        "#  A[0] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #156]\n\t"
+        "#  A[0] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[20]\n\t"
+        "ldr	r10, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #160]\n\t"
+        "#  A[0] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #164]\n\t"
+        "#  A[0] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[21]\n\t"
+        "ldr	r10, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #168]\n\t"
+        "#  A[0] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #172]\n\t"
+        "#  A[0] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[22]\n\t"
+        "ldr	r10, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #176]\n\t"
+        "#  A[0] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #180]\n\t"
+        "#  A[0] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[23]\n\t"
+        "ldr	r10, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #184]\n\t"
+        "#  A[0] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #188]\n\t"
+        "#  A[0] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[24]\n\t"
+        "ldr	r10, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #192]\n\t"
+        "#  A[0] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #196]\n\t"
+        "#  A[0] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[25]\n\t"
+        "ldr	r10, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #200]\n\t"
+        "#  A[0] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #204]\n\t"
+        "#  A[0] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[26]\n\t"
+        "ldr	r10, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #208]\n\t"
+        "#  A[0] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #212]\n\t"
+        "#  A[0] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[27]\n\t"
+        "ldr	r10, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #216]\n\t"
+        "#  A[0] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #220]\n\t"
+        "#  A[0] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[28]\n\t"
+        "ldr	r10, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #224]\n\t"
+        "#  A[0] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #228]\n\t"
+        "#  A[0] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[29]\n\t"
+        "ldr	r10, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #232]\n\t"
+        "#  A[0] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #236]\n\t"
+        "#  A[0] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[30]\n\t"
+        "ldr	r10, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #240]\n\t"
+        "#  A[0] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #244]\n\t"
+        "#  A[0] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[31]\n\t"
+        "ldr	r10, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #248]\n\t"
+        "#  A[0] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #252]\n\t"
+        "#  A[1] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[2] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[32]\n\t"
+        "ldr	r10, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #256]\n\t"
+        "#  A[2] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[3] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #260]\n\t"
+        "#  A[3] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[4] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[33]\n\t"
+        "ldr	r10, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #264]\n\t"
+        "#  A[4] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[5] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #268]\n\t"
+        "#  A[5] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[6] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[34]\n\t"
+        "ldr	r10, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "#  A[6] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[7] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #276]\n\t"
+        "#  A[7] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[8] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[9] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[35]\n\t"
+        "ldr	r10, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #280]\n\t"
+        "#  A[8] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[9] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[10] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #284]\n\t"
+        "#  A[9] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[10] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[11] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[36]\n\t"
+        "ldr	r10, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #288]\n\t"
+        "#  A[10] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[11] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[12] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #292]\n\t"
+        "#  A[11] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[12] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[13] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[37]\n\t"
+        "ldr	r10, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #296]\n\t"
+        "#  A[12] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[13] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[14] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #300]\n\t"
+        "#  A[13] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[14] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[15] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[38]\n\t"
+        "ldr	r10, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #304]\n\t"
+        "#  A[14] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[15] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[16] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #308]\n\t"
+        "#  A[15] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[16] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[17] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[39]\n\t"
+        "ldr	r10, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #312]\n\t"
+        "#  A[16] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[17] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[18] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #316]\n\t"
+        "#  A[17] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[18] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[19] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[40]\n\t"
+        "ldr	r10, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "#  A[18] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[19] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[20] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #324]\n\t"
+        "#  A[19] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[20] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[21] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[41]\n\t"
+        "ldr	r10, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #328]\n\t"
+        "#  A[20] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[21] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[22] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #332]\n\t"
+        "#  A[21] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[22] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[23] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[42]\n\t"
+        "ldr	r10, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #336]\n\t"
+        "#  A[22] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[23] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[24] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #340]\n\t"
+        "#  A[23] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[24] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[25] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[43]\n\t"
+        "ldr	r10, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #344]\n\t"
+        "#  A[24] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[25] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[26] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #348]\n\t"
+        "#  A[25] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[26] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[27] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[44]\n\t"
+        "ldr	r10, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #352]\n\t"
+        "#  A[26] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[27] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[28] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #356]\n\t"
+        "#  A[27] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[28] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[29] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[45]\n\t"
+        "ldr	r10, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #360]\n\t"
+        "#  A[28] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[29] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[30] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #364]\n\t"
+        "#  A[29] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[30] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[31] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[46]\n\t"
+        "ldr	r10, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "#  A[30] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[31] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[32] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #372]\n\t"
+        "#  A[31] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[32] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[33] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[47]\n\t"
+        "ldr	r10, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #376]\n\t"
+        "#  A[32] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[33] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[34] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #380]\n\t"
+        "#  A[33] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[34] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[35] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[48]\n\t"
+        "ldr	r10, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #384]\n\t"
+        "#  A[34] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[35] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[36] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #388]\n\t"
+        "#  A[35] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[36] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[37] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[49]\n\t"
+        "ldr	r10, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #392]\n\t"
+        "#  A[36] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[37] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[38] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #396]\n\t"
+        "#  A[37] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[38] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[39] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[50]\n\t"
+        "ldr	r10, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #400]\n\t"
+        "#  A[38] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[39] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[40] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #404]\n\t"
+        "#  A[39] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[40] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[41] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[51]\n\t"
+        "ldr	r10, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #408]\n\t"
+        "#  A[40] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[41] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[42] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #412]\n\t"
+        "#  A[41] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[42] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[43] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[52]\n\t"
+        "ldr	r10, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #416]\n\t"
+        "#  A[42] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[43] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[44] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #420]\n\t"
+        "#  A[43] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[44] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[45] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[53]\n\t"
+        "ldr	r10, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #424]\n\t"
+        "#  A[44] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[45] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[46] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #428]\n\t"
+        "#  A[45] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[46] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[47] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[54]\n\t"
+        "ldr	r10, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #432]\n\t"
+        "#  A[46] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[47] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[48] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #436]\n\t"
+        "#  A[47] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[48] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[49] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[55]\n\t"
+        "ldr	r10, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #440]\n\t"
+        "#  A[48] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[49] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[50] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #444]\n\t"
+        "#  A[49] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[50] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[51] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[56]\n\t"
+        "ldr	r10, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #448]\n\t"
+        "#  A[50] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[51] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[52] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #452]\n\t"
+        "#  A[51] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[52] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[53] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[57] * A[57]\n\t"
+        "ldr	r10, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #456]\n\t"
+        "#  A[52] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[53] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[54] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[57] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #460]\n\t"
+        "#  A[53] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[54] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[55] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[57] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[58] * A[58]\n\t"
+        "ldr	r10, [%[a], #232]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #464]\n\t"
+        "#  A[54] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[55] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[56] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[57] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[58] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #468]\n\t"
+        "#  A[55] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[56] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[57] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[58] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[59] * A[59]\n\t"
+        "ldr	r10, [%[a], #236]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #472]\n\t"
+        "#  A[56] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[57] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[58] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[59] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #476]\n\t"
+        "#  A[57] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[58] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[59] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[60] * A[60]\n\t"
+        "ldr	r10, [%[a], #240]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #480]\n\t"
+        "#  A[58] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[59] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[60] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #484]\n\t"
+        "#  A[59] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[60] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[61] * A[61]\n\t"
+        "ldr	r10, [%[a], #244]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #488]\n\t"
+        "#  A[60] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[61] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #492]\n\t"
+        "#  A[61] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[62] * A[62]\n\t"
+        "ldr	r10, [%[a], #248]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #496]\n\t"
+        "#  A[62] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #500]\n\t"
+        "#  A[63] * A[63]\n\t"
+        "ldr	r10, [%[a], #252]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adc	r3, r3, r9\n\t"
+        "str	r2, [%[r], #504]\n\t"
+        "str	r3, [%[r], #508]\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r8, [sp, #12]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r8, [%[r], #12]\n\t"
+        "ldr	r2, [sp, #16]\n\t"
+        "ldr	r3, [sp, #20]\n\t"
+        "ldr	r4, [sp, #24]\n\t"
+        "ldr	r8, [sp, #28]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r8, [%[r], #28]\n\t"
+        "ldr	r2, [sp, #32]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "ldr	r8, [sp, #44]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r8, [%[r], #44]\n\t"
+        "ldr	r2, [sp, #48]\n\t"
+        "ldr	r3, [sp, #52]\n\t"
+        "ldr	r4, [sp, #56]\n\t"
+        "ldr	r8, [sp, #60]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r8, [%[r], #60]\n\t"
+        "ldr	r2, [sp, #64]\n\t"
+        "ldr	r3, [sp, #68]\n\t"
+        "ldr	r4, [sp, #72]\n\t"
+        "ldr	r8, [sp, #76]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r8, [%[r], #76]\n\t"
+        "ldr	r2, [sp, #80]\n\t"
+        "ldr	r3, [sp, #84]\n\t"
+        "ldr	r4, [sp, #88]\n\t"
+        "ldr	r8, [sp, #92]\n\t"
+        "str	r2, [%[r], #80]\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r8, [%[r], #92]\n\t"
+        "ldr	r2, [sp, #96]\n\t"
+        "ldr	r3, [sp, #100]\n\t"
+        "ldr	r4, [sp, #104]\n\t"
+        "ldr	r8, [sp, #108]\n\t"
+        "str	r2, [%[r], #96]\n\t"
+        "str	r3, [%[r], #100]\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r8, [%[r], #108]\n\t"
+        "ldr	r2, [sp, #112]\n\t"
+        "ldr	r3, [sp, #116]\n\t"
+        "ldr	r4, [sp, #120]\n\t"
+        "ldr	r8, [sp, #124]\n\t"
+        "str	r2, [%[r], #112]\n\t"
+        "str	r3, [%[r], #116]\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r8, [%[r], #124]\n\t"
+        "ldr	r2, [sp, #128]\n\t"
+        "ldr	r3, [sp, #132]\n\t"
+        "ldr	r4, [sp, #136]\n\t"
+        "ldr	r8, [sp, #140]\n\t"
+        "str	r2, [%[r], #128]\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r8, [%[r], #140]\n\t"
+        "ldr	r2, [sp, #144]\n\t"
+        "ldr	r3, [sp, #148]\n\t"
+        "ldr	r4, [sp, #152]\n\t"
+        "ldr	r8, [sp, #156]\n\t"
+        "str	r2, [%[r], #144]\n\t"
+        "str	r3, [%[r], #148]\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r8, [%[r], #156]\n\t"
+        "ldr	r2, [sp, #160]\n\t"
+        "ldr	r3, [sp, #164]\n\t"
+        "ldr	r4, [sp, #168]\n\t"
+        "ldr	r8, [sp, #172]\n\t"
+        "str	r2, [%[r], #160]\n\t"
+        "str	r3, [%[r], #164]\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r8, [%[r], #172]\n\t"
+        "ldr	r2, [sp, #176]\n\t"
+        "ldr	r3, [sp, #180]\n\t"
+        "ldr	r4, [sp, #184]\n\t"
+        "ldr	r8, [sp, #188]\n\t"
+        "str	r2, [%[r], #176]\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r8, [%[r], #188]\n\t"
+        "ldr	r2, [sp, #192]\n\t"
+        "ldr	r3, [sp, #196]\n\t"
+        "ldr	r4, [sp, #200]\n\t"
+        "ldr	r8, [sp, #204]\n\t"
+        "str	r2, [%[r], #192]\n\t"
+        "str	r3, [%[r], #196]\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "str	r8, [%[r], #204]\n\t"
+        "ldr	r2, [sp, #208]\n\t"
+        "ldr	r3, [sp, #212]\n\t"
+        "ldr	r4, [sp, #216]\n\t"
+        "ldr	r8, [sp, #220]\n\t"
+        "str	r2, [%[r], #208]\n\t"
+        "str	r3, [%[r], #212]\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "str	r8, [%[r], #220]\n\t"
+        "ldr	r2, [sp, #224]\n\t"
+        "ldr	r3, [sp, #228]\n\t"
+        "ldr	r4, [sp, #232]\n\t"
+        "ldr	r8, [sp, #236]\n\t"
+        "str	r2, [%[r], #224]\n\t"
+        "str	r3, [%[r], #228]\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "str	r8, [%[r], #236]\n\t"
+        "ldr	r2, [sp, #240]\n\t"
+        "ldr	r3, [sp, #244]\n\t"
+        "ldr	r4, [sp, #248]\n\t"
+        "ldr	r8, [sp, #252]\n\t"
+        "str	r2, [%[r], #240]\n\t"
+        "str	r3, [%[r], #244]\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "str	r8, [%[r], #252]\n\t"
+        "add	sp, sp, #256\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r8", "r9", "r10", "r8", "r5", "r6", "r7", "r14"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[128];
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit u;
+
+    u = sp_2048_add_64(a1, a, &a[64]);
+    sp_2048_sqr_64(z1, a1);
+    sp_2048_sqr_64(z2, &a[64]);
+    sp_2048_sqr_64(z0, a);
+    sp_2048_mask_64(r + 128, a1, 0 - u);
+    u += sp_2048_add_64(r + 128, r + 128, r + 128);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #512\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_in_place_128(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #512\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_4096_mul_128(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #1024\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #508\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #512\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #1016\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #1024\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #508\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #512\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #1016\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_4096_mul_d_128(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #512\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #512]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "# A[12] * B\n\t"
+        "ldr	r8, [%[a], #48]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "# A[13] * B\n\t"
+        "ldr	r8, [%[a], #52]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "# A[14] * B\n\t"
+        "ldr	r8, [%[a], #56]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "# A[15] * B\n\t"
+        "ldr	r8, [%[a], #60]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "# A[16] * B\n\t"
+        "ldr	r8, [%[a], #64]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "# A[17] * B\n\t"
+        "ldr	r8, [%[a], #68]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "# A[18] * B\n\t"
+        "ldr	r8, [%[a], #72]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "# A[19] * B\n\t"
+        "ldr	r8, [%[a], #76]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "# A[20] * B\n\t"
+        "ldr	r8, [%[a], #80]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "# A[21] * B\n\t"
+        "ldr	r8, [%[a], #84]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "# A[22] * B\n\t"
+        "ldr	r8, [%[a], #88]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "# A[23] * B\n\t"
+        "ldr	r8, [%[a], #92]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "# A[24] * B\n\t"
+        "ldr	r8, [%[a], #96]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #96]\n\t"
+        "# A[25] * B\n\t"
+        "ldr	r8, [%[a], #100]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "# A[26] * B\n\t"
+        "ldr	r8, [%[a], #104]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #104]\n\t"
+        "# A[27] * B\n\t"
+        "ldr	r8, [%[a], #108]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #108]\n\t"
+        "# A[28] * B\n\t"
+        "ldr	r8, [%[a], #112]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "# A[29] * B\n\t"
+        "ldr	r8, [%[a], #116]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #116]\n\t"
+        "# A[30] * B\n\t"
+        "ldr	r8, [%[a], #120]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #120]\n\t"
+        "# A[31] * B\n\t"
+        "ldr	r8, [%[a], #124]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "# A[32] * B\n\t"
+        "ldr	r8, [%[a], #128]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #128]\n\t"
+        "# A[33] * B\n\t"
+        "ldr	r8, [%[a], #132]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #132]\n\t"
+        "# A[34] * B\n\t"
+        "ldr	r8, [%[a], #136]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "# A[35] * B\n\t"
+        "ldr	r8, [%[a], #140]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #140]\n\t"
+        "# A[36] * B\n\t"
+        "ldr	r8, [%[a], #144]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #144]\n\t"
+        "# A[37] * B\n\t"
+        "ldr	r8, [%[a], #148]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #148]\n\t"
+        "# A[38] * B\n\t"
+        "ldr	r8, [%[a], #152]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #152]\n\t"
+        "# A[39] * B\n\t"
+        "ldr	r8, [%[a], #156]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #156]\n\t"
+        "# A[40] * B\n\t"
+        "ldr	r8, [%[a], #160]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "# A[41] * B\n\t"
+        "ldr	r8, [%[a], #164]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #164]\n\t"
+        "# A[42] * B\n\t"
+        "ldr	r8, [%[a], #168]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #168]\n\t"
+        "# A[43] * B\n\t"
+        "ldr	r8, [%[a], #172]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #172]\n\t"
+        "# A[44] * B\n\t"
+        "ldr	r8, [%[a], #176]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #176]\n\t"
+        "# A[45] * B\n\t"
+        "ldr	r8, [%[a], #180]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #180]\n\t"
+        "# A[46] * B\n\t"
+        "ldr	r8, [%[a], #184]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "# A[47] * B\n\t"
+        "ldr	r8, [%[a], #188]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #188]\n\t"
+        "# A[48] * B\n\t"
+        "ldr	r8, [%[a], #192]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #192]\n\t"
+        "# A[49] * B\n\t"
+        "ldr	r8, [%[a], #196]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #196]\n\t"
+        "# A[50] * B\n\t"
+        "ldr	r8, [%[a], #200]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #200]\n\t"
+        "# A[51] * B\n\t"
+        "ldr	r8, [%[a], #204]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #204]\n\t"
+        "# A[52] * B\n\t"
+        "ldr	r8, [%[a], #208]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "# A[53] * B\n\t"
+        "ldr	r8, [%[a], #212]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #212]\n\t"
+        "# A[54] * B\n\t"
+        "ldr	r8, [%[a], #216]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #216]\n\t"
+        "# A[55] * B\n\t"
+        "ldr	r8, [%[a], #220]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #220]\n\t"
+        "# A[56] * B\n\t"
+        "ldr	r8, [%[a], #224]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #224]\n\t"
+        "# A[57] * B\n\t"
+        "ldr	r8, [%[a], #228]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #228]\n\t"
+        "# A[58] * B\n\t"
+        "ldr	r8, [%[a], #232]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "# A[59] * B\n\t"
+        "ldr	r8, [%[a], #236]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #236]\n\t"
+        "# A[60] * B\n\t"
+        "ldr	r8, [%[a], #240]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #240]\n\t"
+        "# A[61] * B\n\t"
+        "ldr	r8, [%[a], #244]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #244]\n\t"
+        "# A[62] * B\n\t"
+        "ldr	r8, [%[a], #248]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #248]\n\t"
+        "# A[63] * B\n\t"
+        "ldr	r8, [%[a], #252]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #252]\n\t"
+        "# A[64] * B\n\t"
+        "ldr	r8, [%[a], #256]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "# A[65] * B\n\t"
+        "ldr	r8, [%[a], #260]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #260]\n\t"
+        "# A[66] * B\n\t"
+        "ldr	r8, [%[a], #264]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #264]\n\t"
+        "# A[67] * B\n\t"
+        "ldr	r8, [%[a], #268]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #268]\n\t"
+        "# A[68] * B\n\t"
+        "ldr	r8, [%[a], #272]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #272]\n\t"
+        "# A[69] * B\n\t"
+        "ldr	r8, [%[a], #276]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #276]\n\t"
+        "# A[70] * B\n\t"
+        "ldr	r8, [%[a], #280]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #280]\n\t"
+        "# A[71] * B\n\t"
+        "ldr	r8, [%[a], #284]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #284]\n\t"
+        "# A[72] * B\n\t"
+        "ldr	r8, [%[a], #288]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #288]\n\t"
+        "# A[73] * B\n\t"
+        "ldr	r8, [%[a], #292]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #292]\n\t"
+        "# A[74] * B\n\t"
+        "ldr	r8, [%[a], #296]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #296]\n\t"
+        "# A[75] * B\n\t"
+        "ldr	r8, [%[a], #300]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #300]\n\t"
+        "# A[76] * B\n\t"
+        "ldr	r8, [%[a], #304]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "# A[77] * B\n\t"
+        "ldr	r8, [%[a], #308]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #308]\n\t"
+        "# A[78] * B\n\t"
+        "ldr	r8, [%[a], #312]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #312]\n\t"
+        "# A[79] * B\n\t"
+        "ldr	r8, [%[a], #316]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #316]\n\t"
+        "# A[80] * B\n\t"
+        "ldr	r8, [%[a], #320]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #320]\n\t"
+        "# A[81] * B\n\t"
+        "ldr	r8, [%[a], #324]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #324]\n\t"
+        "# A[82] * B\n\t"
+        "ldr	r8, [%[a], #328]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #328]\n\t"
+        "# A[83] * B\n\t"
+        "ldr	r8, [%[a], #332]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #332]\n\t"
+        "# A[84] * B\n\t"
+        "ldr	r8, [%[a], #336]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #336]\n\t"
+        "# A[85] * B\n\t"
+        "ldr	r8, [%[a], #340]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #340]\n\t"
+        "# A[86] * B\n\t"
+        "ldr	r8, [%[a], #344]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #344]\n\t"
+        "# A[87] * B\n\t"
+        "ldr	r8, [%[a], #348]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #348]\n\t"
+        "# A[88] * B\n\t"
+        "ldr	r8, [%[a], #352]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "# A[89] * B\n\t"
+        "ldr	r8, [%[a], #356]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #356]\n\t"
+        "# A[90] * B\n\t"
+        "ldr	r8, [%[a], #360]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #360]\n\t"
+        "# A[91] * B\n\t"
+        "ldr	r8, [%[a], #364]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #364]\n\t"
+        "# A[92] * B\n\t"
+        "ldr	r8, [%[a], #368]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #368]\n\t"
+        "# A[93] * B\n\t"
+        "ldr	r8, [%[a], #372]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #372]\n\t"
+        "# A[94] * B\n\t"
+        "ldr	r8, [%[a], #376]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #376]\n\t"
+        "# A[95] * B\n\t"
+        "ldr	r8, [%[a], #380]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #380]\n\t"
+        "# A[96] * B\n\t"
+        "ldr	r8, [%[a], #384]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #384]\n\t"
+        "# A[97] * B\n\t"
+        "ldr	r8, [%[a], #388]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #388]\n\t"
+        "# A[98] * B\n\t"
+        "ldr	r8, [%[a], #392]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #392]\n\t"
+        "# A[99] * B\n\t"
+        "ldr	r8, [%[a], #396]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #396]\n\t"
+        "# A[100] * B\n\t"
+        "ldr	r8, [%[a], #400]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #400]\n\t"
+        "# A[101] * B\n\t"
+        "ldr	r8, [%[a], #404]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #404]\n\t"
+        "# A[102] * B\n\t"
+        "ldr	r8, [%[a], #408]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #408]\n\t"
+        "# A[103] * B\n\t"
+        "ldr	r8, [%[a], #412]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #412]\n\t"
+        "# A[104] * B\n\t"
+        "ldr	r8, [%[a], #416]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #416]\n\t"
+        "# A[105] * B\n\t"
+        "ldr	r8, [%[a], #420]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #420]\n\t"
+        "# A[106] * B\n\t"
+        "ldr	r8, [%[a], #424]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #424]\n\t"
+        "# A[107] * B\n\t"
+        "ldr	r8, [%[a], #428]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #428]\n\t"
+        "# A[108] * B\n\t"
+        "ldr	r8, [%[a], #432]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #432]\n\t"
+        "# A[109] * B\n\t"
+        "ldr	r8, [%[a], #436]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #436]\n\t"
+        "# A[110] * B\n\t"
+        "ldr	r8, [%[a], #440]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #440]\n\t"
+        "# A[111] * B\n\t"
+        "ldr	r8, [%[a], #444]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #444]\n\t"
+        "# A[112] * B\n\t"
+        "ldr	r8, [%[a], #448]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #448]\n\t"
+        "# A[113] * B\n\t"
+        "ldr	r8, [%[a], #452]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #452]\n\t"
+        "# A[114] * B\n\t"
+        "ldr	r8, [%[a], #456]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #456]\n\t"
+        "# A[115] * B\n\t"
+        "ldr	r8, [%[a], #460]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #460]\n\t"
+        "# A[116] * B\n\t"
+        "ldr	r8, [%[a], #464]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #464]\n\t"
+        "# A[117] * B\n\t"
+        "ldr	r8, [%[a], #468]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #468]\n\t"
+        "# A[118] * B\n\t"
+        "ldr	r8, [%[a], #472]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #472]\n\t"
+        "# A[119] * B\n\t"
+        "ldr	r8, [%[a], #476]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #476]\n\t"
+        "# A[120] * B\n\t"
+        "ldr	r8, [%[a], #480]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #480]\n\t"
+        "# A[121] * B\n\t"
+        "ldr	r8, [%[a], #484]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #484]\n\t"
+        "# A[122] * B\n\t"
+        "ldr	r8, [%[a], #488]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #488]\n\t"
+        "# A[123] * B\n\t"
+        "ldr	r8, [%[a], #492]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #492]\n\t"
+        "# A[124] * B\n\t"
+        "ldr	r8, [%[a], #496]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #496]\n\t"
+        "# A[125] * B\n\t"
+        "ldr	r8, [%[a], #500]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #500]\n\t"
+        "# A[126] * B\n\t"
+        "ldr	r8, [%[a], #504]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #504]\n\t"
+        "# A[127] * B\n\t"
+        "ldr	r8, [%[a], #508]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r7\n\t"
+        "str	r4, [%[r], #508]\n\t"
+        "str	r5, [%[r], #512]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_128(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 128);
+
+    /* r = 2^n mod m */
+    sp_4096_sub_in_place_128(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_4096_cond_sub_128(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #512\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r6, [%[a], #196]\n\t"
+        "ldr	r5, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r6, [%[r], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r6, [%[a], #204]\n\t"
+        "ldr	r5, [%[b], #200]\n\t"
+        "ldr	r7, [%[b], #204]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "str	r6, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r6, [%[a], #212]\n\t"
+        "ldr	r5, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r6, [%[r], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r6, [%[a], #220]\n\t"
+        "ldr	r5, [%[b], #216]\n\t"
+        "ldr	r7, [%[b], #220]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "str	r6, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r6, [%[a], #228]\n\t"
+        "ldr	r5, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r6, [%[r], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r6, [%[a], #236]\n\t"
+        "ldr	r5, [%[b], #232]\n\t"
+        "ldr	r7, [%[b], #236]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "str	r6, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r6, [%[a], #244]\n\t"
+        "ldr	r5, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r6, [%[r], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r6, [%[a], #252]\n\t"
+        "ldr	r5, [%[b], #248]\n\t"
+        "ldr	r7, [%[b], #252]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "str	r6, [%[r], #252]\n\t"
+        "ldr	r4, [%[a], #256]\n\t"
+        "ldr	r6, [%[a], #260]\n\t"
+        "ldr	r5, [%[b], #256]\n\t"
+        "ldr	r7, [%[b], #260]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #256]\n\t"
+        "str	r6, [%[r], #260]\n\t"
+        "ldr	r4, [%[a], #264]\n\t"
+        "ldr	r6, [%[a], #268]\n\t"
+        "ldr	r5, [%[b], #264]\n\t"
+        "ldr	r7, [%[b], #268]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #264]\n\t"
+        "str	r6, [%[r], #268]\n\t"
+        "ldr	r4, [%[a], #272]\n\t"
+        "ldr	r6, [%[a], #276]\n\t"
+        "ldr	r5, [%[b], #272]\n\t"
+        "ldr	r7, [%[b], #276]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "str	r6, [%[r], #276]\n\t"
+        "ldr	r4, [%[a], #280]\n\t"
+        "ldr	r6, [%[a], #284]\n\t"
+        "ldr	r5, [%[b], #280]\n\t"
+        "ldr	r7, [%[b], #284]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #280]\n\t"
+        "str	r6, [%[r], #284]\n\t"
+        "ldr	r4, [%[a], #288]\n\t"
+        "ldr	r6, [%[a], #292]\n\t"
+        "ldr	r5, [%[b], #288]\n\t"
+        "ldr	r7, [%[b], #292]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #288]\n\t"
+        "str	r6, [%[r], #292]\n\t"
+        "ldr	r4, [%[a], #296]\n\t"
+        "ldr	r6, [%[a], #300]\n\t"
+        "ldr	r5, [%[b], #296]\n\t"
+        "ldr	r7, [%[b], #300]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #296]\n\t"
+        "str	r6, [%[r], #300]\n\t"
+        "ldr	r4, [%[a], #304]\n\t"
+        "ldr	r6, [%[a], #308]\n\t"
+        "ldr	r5, [%[b], #304]\n\t"
+        "ldr	r7, [%[b], #308]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #304]\n\t"
+        "str	r6, [%[r], #308]\n\t"
+        "ldr	r4, [%[a], #312]\n\t"
+        "ldr	r6, [%[a], #316]\n\t"
+        "ldr	r5, [%[b], #312]\n\t"
+        "ldr	r7, [%[b], #316]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #312]\n\t"
+        "str	r6, [%[r], #316]\n\t"
+        "ldr	r4, [%[a], #320]\n\t"
+        "ldr	r6, [%[a], #324]\n\t"
+        "ldr	r5, [%[b], #320]\n\t"
+        "ldr	r7, [%[b], #324]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "str	r6, [%[r], #324]\n\t"
+        "ldr	r4, [%[a], #328]\n\t"
+        "ldr	r6, [%[a], #332]\n\t"
+        "ldr	r5, [%[b], #328]\n\t"
+        "ldr	r7, [%[b], #332]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #328]\n\t"
+        "str	r6, [%[r], #332]\n\t"
+        "ldr	r4, [%[a], #336]\n\t"
+        "ldr	r6, [%[a], #340]\n\t"
+        "ldr	r5, [%[b], #336]\n\t"
+        "ldr	r7, [%[b], #340]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #336]\n\t"
+        "str	r6, [%[r], #340]\n\t"
+        "ldr	r4, [%[a], #344]\n\t"
+        "ldr	r6, [%[a], #348]\n\t"
+        "ldr	r5, [%[b], #344]\n\t"
+        "ldr	r7, [%[b], #348]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #344]\n\t"
+        "str	r6, [%[r], #348]\n\t"
+        "ldr	r4, [%[a], #352]\n\t"
+        "ldr	r6, [%[a], #356]\n\t"
+        "ldr	r5, [%[b], #352]\n\t"
+        "ldr	r7, [%[b], #356]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #352]\n\t"
+        "str	r6, [%[r], #356]\n\t"
+        "ldr	r4, [%[a], #360]\n\t"
+        "ldr	r6, [%[a], #364]\n\t"
+        "ldr	r5, [%[b], #360]\n\t"
+        "ldr	r7, [%[b], #364]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #360]\n\t"
+        "str	r6, [%[r], #364]\n\t"
+        "ldr	r4, [%[a], #368]\n\t"
+        "ldr	r6, [%[a], #372]\n\t"
+        "ldr	r5, [%[b], #368]\n\t"
+        "ldr	r7, [%[b], #372]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "str	r6, [%[r], #372]\n\t"
+        "ldr	r4, [%[a], #376]\n\t"
+        "ldr	r6, [%[a], #380]\n\t"
+        "ldr	r5, [%[b], #376]\n\t"
+        "ldr	r7, [%[b], #380]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #376]\n\t"
+        "str	r6, [%[r], #380]\n\t"
+        "ldr	r4, [%[a], #384]\n\t"
+        "ldr	r6, [%[a], #388]\n\t"
+        "ldr	r5, [%[b], #384]\n\t"
+        "ldr	r7, [%[b], #388]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #384]\n\t"
+        "str	r6, [%[r], #388]\n\t"
+        "ldr	r4, [%[a], #392]\n\t"
+        "ldr	r6, [%[a], #396]\n\t"
+        "ldr	r5, [%[b], #392]\n\t"
+        "ldr	r7, [%[b], #396]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #392]\n\t"
+        "str	r6, [%[r], #396]\n\t"
+        "ldr	r4, [%[a], #400]\n\t"
+        "ldr	r6, [%[a], #404]\n\t"
+        "ldr	r5, [%[b], #400]\n\t"
+        "ldr	r7, [%[b], #404]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #400]\n\t"
+        "str	r6, [%[r], #404]\n\t"
+        "ldr	r4, [%[a], #408]\n\t"
+        "ldr	r6, [%[a], #412]\n\t"
+        "ldr	r5, [%[b], #408]\n\t"
+        "ldr	r7, [%[b], #412]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #408]\n\t"
+        "str	r6, [%[r], #412]\n\t"
+        "ldr	r4, [%[a], #416]\n\t"
+        "ldr	r6, [%[a], #420]\n\t"
+        "ldr	r5, [%[b], #416]\n\t"
+        "ldr	r7, [%[b], #420]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #416]\n\t"
+        "str	r6, [%[r], #420]\n\t"
+        "ldr	r4, [%[a], #424]\n\t"
+        "ldr	r6, [%[a], #428]\n\t"
+        "ldr	r5, [%[b], #424]\n\t"
+        "ldr	r7, [%[b], #428]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #424]\n\t"
+        "str	r6, [%[r], #428]\n\t"
+        "ldr	r4, [%[a], #432]\n\t"
+        "ldr	r6, [%[a], #436]\n\t"
+        "ldr	r5, [%[b], #432]\n\t"
+        "ldr	r7, [%[b], #436]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #432]\n\t"
+        "str	r6, [%[r], #436]\n\t"
+        "ldr	r4, [%[a], #440]\n\t"
+        "ldr	r6, [%[a], #444]\n\t"
+        "ldr	r5, [%[b], #440]\n\t"
+        "ldr	r7, [%[b], #444]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #440]\n\t"
+        "str	r6, [%[r], #444]\n\t"
+        "ldr	r4, [%[a], #448]\n\t"
+        "ldr	r6, [%[a], #452]\n\t"
+        "ldr	r5, [%[b], #448]\n\t"
+        "ldr	r7, [%[b], #452]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #448]\n\t"
+        "str	r6, [%[r], #452]\n\t"
+        "ldr	r4, [%[a], #456]\n\t"
+        "ldr	r6, [%[a], #460]\n\t"
+        "ldr	r5, [%[b], #456]\n\t"
+        "ldr	r7, [%[b], #460]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #456]\n\t"
+        "str	r6, [%[r], #460]\n\t"
+        "ldr	r4, [%[a], #464]\n\t"
+        "ldr	r6, [%[a], #468]\n\t"
+        "ldr	r5, [%[b], #464]\n\t"
+        "ldr	r7, [%[b], #468]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #464]\n\t"
+        "str	r6, [%[r], #468]\n\t"
+        "ldr	r4, [%[a], #472]\n\t"
+        "ldr	r6, [%[a], #476]\n\t"
+        "ldr	r5, [%[b], #472]\n\t"
+        "ldr	r7, [%[b], #476]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #472]\n\t"
+        "str	r6, [%[r], #476]\n\t"
+        "ldr	r4, [%[a], #480]\n\t"
+        "ldr	r6, [%[a], #484]\n\t"
+        "ldr	r5, [%[b], #480]\n\t"
+        "ldr	r7, [%[b], #484]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #480]\n\t"
+        "str	r6, [%[r], #484]\n\t"
+        "ldr	r4, [%[a], #488]\n\t"
+        "ldr	r6, [%[a], #492]\n\t"
+        "ldr	r5, [%[b], #488]\n\t"
+        "ldr	r7, [%[b], #492]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #488]\n\t"
+        "str	r6, [%[r], #492]\n\t"
+        "ldr	r4, [%[a], #496]\n\t"
+        "ldr	r6, [%[a], #500]\n\t"
+        "ldr	r5, [%[b], #496]\n\t"
+        "ldr	r7, [%[b], #500]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #496]\n\t"
+        "str	r6, [%[r], #500]\n\t"
+        "ldr	r4, [%[a], #504]\n\t"
+        "ldr	r6, [%[a], #508]\n\t"
+        "ldr	r5, [%[b], #504]\n\t"
+        "ldr	r7, [%[b], #508]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #504]\n\t"
+        "str	r6, [%[r], #508]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_4096_mont_reduce_128(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr	r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	r7, [%[m], #48]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	r7, [%[m], #52]\n\t"
+        "ldr	r9, [%[a], #52]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #52]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	r7, [%[m], #56]\n\t"
+        "ldr	r9, [%[a], #56]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #56]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	r7, [%[m], #60]\n\t"
+        "ldr	r9, [%[a], #60]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #60]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	r7, [%[m], #64]\n\t"
+        "ldr	r9, [%[a], #64]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #64]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	r7, [%[m], #68]\n\t"
+        "ldr	r9, [%[a], #68]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #68]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	r7, [%[m], #72]\n\t"
+        "ldr	r9, [%[a], #72]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #72]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	r7, [%[m], #76]\n\t"
+        "ldr	r9, [%[a], #76]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #76]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	r7, [%[m], #80]\n\t"
+        "ldr	r9, [%[a], #80]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #80]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	r7, [%[m], #84]\n\t"
+        "ldr	r9, [%[a], #84]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #84]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	r7, [%[m], #88]\n\t"
+        "ldr	r9, [%[a], #88]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #88]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	r7, [%[m], #92]\n\t"
+        "ldr	r9, [%[a], #92]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #92]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	r7, [%[m], #96]\n\t"
+        "ldr	r9, [%[a], #96]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #96]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	r7, [%[m], #100]\n\t"
+        "ldr	r9, [%[a], #100]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #100]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	r7, [%[m], #104]\n\t"
+        "ldr	r9, [%[a], #104]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #104]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	r7, [%[m], #108]\n\t"
+        "ldr	r9, [%[a], #108]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #108]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	r7, [%[m], #112]\n\t"
+        "ldr	r9, [%[a], #112]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #112]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	r7, [%[m], #116]\n\t"
+        "ldr	r9, [%[a], #116]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #116]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	r7, [%[m], #120]\n\t"
+        "ldr	r9, [%[a], #120]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #120]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	r7, [%[m], #124]\n\t"
+        "ldr	r9, [%[a], #124]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #124]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	r7, [%[m], #128]\n\t"
+        "ldr	r9, [%[a], #128]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #128]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	r7, [%[m], #132]\n\t"
+        "ldr	r9, [%[a], #132]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #132]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	r7, [%[m], #136]\n\t"
+        "ldr	r9, [%[a], #136]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #136]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	r7, [%[m], #140]\n\t"
+        "ldr	r9, [%[a], #140]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #140]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	r7, [%[m], #144]\n\t"
+        "ldr	r9, [%[a], #144]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #144]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	r7, [%[m], #148]\n\t"
+        "ldr	r9, [%[a], #148]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #148]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	r7, [%[m], #152]\n\t"
+        "ldr	r9, [%[a], #152]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #152]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	r7, [%[m], #156]\n\t"
+        "ldr	r9, [%[a], #156]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #156]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	r7, [%[m], #160]\n\t"
+        "ldr	r9, [%[a], #160]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #160]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	r7, [%[m], #164]\n\t"
+        "ldr	r9, [%[a], #164]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #164]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	r7, [%[m], #168]\n\t"
+        "ldr	r9, [%[a], #168]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #168]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	r7, [%[m], #172]\n\t"
+        "ldr	r9, [%[a], #172]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #172]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	r7, [%[m], #176]\n\t"
+        "ldr	r9, [%[a], #176]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #176]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	r7, [%[m], #180]\n\t"
+        "ldr	r9, [%[a], #180]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #180]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	r7, [%[m], #184]\n\t"
+        "ldr	r9, [%[a], #184]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #184]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	r7, [%[m], #188]\n\t"
+        "ldr	r9, [%[a], #188]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #188]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+48] += m[48] * mu\n\t"
+        "ldr	r7, [%[m], #192]\n\t"
+        "ldr	r9, [%[a], #192]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #192]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+49] += m[49] * mu\n\t"
+        "ldr	r7, [%[m], #196]\n\t"
+        "ldr	r9, [%[a], #196]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #196]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+50] += m[50] * mu\n\t"
+        "ldr	r7, [%[m], #200]\n\t"
+        "ldr	r9, [%[a], #200]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #200]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+51] += m[51] * mu\n\t"
+        "ldr	r7, [%[m], #204]\n\t"
+        "ldr	r9, [%[a], #204]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #204]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+52] += m[52] * mu\n\t"
+        "ldr	r7, [%[m], #208]\n\t"
+        "ldr	r9, [%[a], #208]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #208]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+53] += m[53] * mu\n\t"
+        "ldr	r7, [%[m], #212]\n\t"
+        "ldr	r9, [%[a], #212]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #212]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+54] += m[54] * mu\n\t"
+        "ldr	r7, [%[m], #216]\n\t"
+        "ldr	r9, [%[a], #216]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #216]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+55] += m[55] * mu\n\t"
+        "ldr	r7, [%[m], #220]\n\t"
+        "ldr	r9, [%[a], #220]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #220]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+56] += m[56] * mu\n\t"
+        "ldr	r7, [%[m], #224]\n\t"
+        "ldr	r9, [%[a], #224]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #224]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+57] += m[57] * mu\n\t"
+        "ldr	r7, [%[m], #228]\n\t"
+        "ldr	r9, [%[a], #228]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #228]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+58] += m[58] * mu\n\t"
+        "ldr	r7, [%[m], #232]\n\t"
+        "ldr	r9, [%[a], #232]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #232]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+59] += m[59] * mu\n\t"
+        "ldr	r7, [%[m], #236]\n\t"
+        "ldr	r9, [%[a], #236]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #236]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+60] += m[60] * mu\n\t"
+        "ldr	r7, [%[m], #240]\n\t"
+        "ldr	r9, [%[a], #240]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #240]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+61] += m[61] * mu\n\t"
+        "ldr	r7, [%[m], #244]\n\t"
+        "ldr	r9, [%[a], #244]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #244]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+62] += m[62] * mu\n\t"
+        "ldr	r7, [%[m], #248]\n\t"
+        "ldr	r9, [%[a], #248]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #248]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+63] += m[63] * mu\n\t"
+        "ldr	r7, [%[m], #252]\n\t"
+        "ldr	r9, [%[a], #252]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #252]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+64] += m[64] * mu\n\t"
+        "ldr	r7, [%[m], #256]\n\t"
+        "ldr	r9, [%[a], #256]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #256]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+65] += m[65] * mu\n\t"
+        "ldr	r7, [%[m], #260]\n\t"
+        "ldr	r9, [%[a], #260]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #260]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+66] += m[66] * mu\n\t"
+        "ldr	r7, [%[m], #264]\n\t"
+        "ldr	r9, [%[a], #264]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #264]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+67] += m[67] * mu\n\t"
+        "ldr	r7, [%[m], #268]\n\t"
+        "ldr	r9, [%[a], #268]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #268]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+68] += m[68] * mu\n\t"
+        "ldr	r7, [%[m], #272]\n\t"
+        "ldr	r9, [%[a], #272]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #272]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+69] += m[69] * mu\n\t"
+        "ldr	r7, [%[m], #276]\n\t"
+        "ldr	r9, [%[a], #276]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #276]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+70] += m[70] * mu\n\t"
+        "ldr	r7, [%[m], #280]\n\t"
+        "ldr	r9, [%[a], #280]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #280]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+71] += m[71] * mu\n\t"
+        "ldr	r7, [%[m], #284]\n\t"
+        "ldr	r9, [%[a], #284]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #284]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+72] += m[72] * mu\n\t"
+        "ldr	r7, [%[m], #288]\n\t"
+        "ldr	r9, [%[a], #288]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #288]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+73] += m[73] * mu\n\t"
+        "ldr	r7, [%[m], #292]\n\t"
+        "ldr	r9, [%[a], #292]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #292]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+74] += m[74] * mu\n\t"
+        "ldr	r7, [%[m], #296]\n\t"
+        "ldr	r9, [%[a], #296]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #296]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+75] += m[75] * mu\n\t"
+        "ldr	r7, [%[m], #300]\n\t"
+        "ldr	r9, [%[a], #300]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #300]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+76] += m[76] * mu\n\t"
+        "ldr	r7, [%[m], #304]\n\t"
+        "ldr	r9, [%[a], #304]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #304]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+77] += m[77] * mu\n\t"
+        "ldr	r7, [%[m], #308]\n\t"
+        "ldr	r9, [%[a], #308]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #308]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+78] += m[78] * mu\n\t"
+        "ldr	r7, [%[m], #312]\n\t"
+        "ldr	r9, [%[a], #312]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #312]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+79] += m[79] * mu\n\t"
+        "ldr	r7, [%[m], #316]\n\t"
+        "ldr	r9, [%[a], #316]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #316]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+80] += m[80] * mu\n\t"
+        "ldr	r7, [%[m], #320]\n\t"
+        "ldr	r9, [%[a], #320]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #320]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+81] += m[81] * mu\n\t"
+        "ldr	r7, [%[m], #324]\n\t"
+        "ldr	r9, [%[a], #324]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #324]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+82] += m[82] * mu\n\t"
+        "ldr	r7, [%[m], #328]\n\t"
+        "ldr	r9, [%[a], #328]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #328]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+83] += m[83] * mu\n\t"
+        "ldr	r7, [%[m], #332]\n\t"
+        "ldr	r9, [%[a], #332]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #332]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+84] += m[84] * mu\n\t"
+        "ldr	r7, [%[m], #336]\n\t"
+        "ldr	r9, [%[a], #336]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #336]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+85] += m[85] * mu\n\t"
+        "ldr	r7, [%[m], #340]\n\t"
+        "ldr	r9, [%[a], #340]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #340]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+86] += m[86] * mu\n\t"
+        "ldr	r7, [%[m], #344]\n\t"
+        "ldr	r9, [%[a], #344]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #344]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+87] += m[87] * mu\n\t"
+        "ldr	r7, [%[m], #348]\n\t"
+        "ldr	r9, [%[a], #348]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #348]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+88] += m[88] * mu\n\t"
+        "ldr	r7, [%[m], #352]\n\t"
+        "ldr	r9, [%[a], #352]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #352]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+89] += m[89] * mu\n\t"
+        "ldr	r7, [%[m], #356]\n\t"
+        "ldr	r9, [%[a], #356]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #356]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+90] += m[90] * mu\n\t"
+        "ldr	r7, [%[m], #360]\n\t"
+        "ldr	r9, [%[a], #360]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #360]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+91] += m[91] * mu\n\t"
+        "ldr	r7, [%[m], #364]\n\t"
+        "ldr	r9, [%[a], #364]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #364]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+92] += m[92] * mu\n\t"
+        "ldr	r7, [%[m], #368]\n\t"
+        "ldr	r9, [%[a], #368]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #368]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+93] += m[93] * mu\n\t"
+        "ldr	r7, [%[m], #372]\n\t"
+        "ldr	r9, [%[a], #372]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #372]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+94] += m[94] * mu\n\t"
+        "ldr	r7, [%[m], #376]\n\t"
+        "ldr	r9, [%[a], #376]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #376]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+95] += m[95] * mu\n\t"
+        "ldr	r7, [%[m], #380]\n\t"
+        "ldr	r9, [%[a], #380]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #380]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+96] += m[96] * mu\n\t"
+        "ldr	r7, [%[m], #384]\n\t"
+        "ldr	r9, [%[a], #384]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #384]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+97] += m[97] * mu\n\t"
+        "ldr	r7, [%[m], #388]\n\t"
+        "ldr	r9, [%[a], #388]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #388]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+98] += m[98] * mu\n\t"
+        "ldr	r7, [%[m], #392]\n\t"
+        "ldr	r9, [%[a], #392]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #392]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+99] += m[99] * mu\n\t"
+        "ldr	r7, [%[m], #396]\n\t"
+        "ldr	r9, [%[a], #396]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #396]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+100] += m[100] * mu\n\t"
+        "ldr	r7, [%[m], #400]\n\t"
+        "ldr	r9, [%[a], #400]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #400]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+101] += m[101] * mu\n\t"
+        "ldr	r7, [%[m], #404]\n\t"
+        "ldr	r9, [%[a], #404]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #404]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+102] += m[102] * mu\n\t"
+        "ldr	r7, [%[m], #408]\n\t"
+        "ldr	r9, [%[a], #408]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #408]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+103] += m[103] * mu\n\t"
+        "ldr	r7, [%[m], #412]\n\t"
+        "ldr	r9, [%[a], #412]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #412]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+104] += m[104] * mu\n\t"
+        "ldr	r7, [%[m], #416]\n\t"
+        "ldr	r9, [%[a], #416]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #416]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+105] += m[105] * mu\n\t"
+        "ldr	r7, [%[m], #420]\n\t"
+        "ldr	r9, [%[a], #420]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #420]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+106] += m[106] * mu\n\t"
+        "ldr	r7, [%[m], #424]\n\t"
+        "ldr	r9, [%[a], #424]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #424]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+107] += m[107] * mu\n\t"
+        "ldr	r7, [%[m], #428]\n\t"
+        "ldr	r9, [%[a], #428]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #428]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+108] += m[108] * mu\n\t"
+        "ldr	r7, [%[m], #432]\n\t"
+        "ldr	r9, [%[a], #432]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #432]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+109] += m[109] * mu\n\t"
+        "ldr	r7, [%[m], #436]\n\t"
+        "ldr	r9, [%[a], #436]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #436]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+110] += m[110] * mu\n\t"
+        "ldr	r7, [%[m], #440]\n\t"
+        "ldr	r9, [%[a], #440]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #440]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+111] += m[111] * mu\n\t"
+        "ldr	r7, [%[m], #444]\n\t"
+        "ldr	r9, [%[a], #444]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #444]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+112] += m[112] * mu\n\t"
+        "ldr	r7, [%[m], #448]\n\t"
+        "ldr	r9, [%[a], #448]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #448]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+113] += m[113] * mu\n\t"
+        "ldr	r7, [%[m], #452]\n\t"
+        "ldr	r9, [%[a], #452]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #452]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+114] += m[114] * mu\n\t"
+        "ldr	r7, [%[m], #456]\n\t"
+        "ldr	r9, [%[a], #456]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #456]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+115] += m[115] * mu\n\t"
+        "ldr	r7, [%[m], #460]\n\t"
+        "ldr	r9, [%[a], #460]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #460]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+116] += m[116] * mu\n\t"
+        "ldr	r7, [%[m], #464]\n\t"
+        "ldr	r9, [%[a], #464]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #464]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+117] += m[117] * mu\n\t"
+        "ldr	r7, [%[m], #468]\n\t"
+        "ldr	r9, [%[a], #468]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #468]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+118] += m[118] * mu\n\t"
+        "ldr	r7, [%[m], #472]\n\t"
+        "ldr	r9, [%[a], #472]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #472]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+119] += m[119] * mu\n\t"
+        "ldr	r7, [%[m], #476]\n\t"
+        "ldr	r9, [%[a], #476]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #476]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+120] += m[120] * mu\n\t"
+        "ldr	r7, [%[m], #480]\n\t"
+        "ldr	r9, [%[a], #480]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #480]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+121] += m[121] * mu\n\t"
+        "ldr	r7, [%[m], #484]\n\t"
+        "ldr	r9, [%[a], #484]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #484]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+122] += m[122] * mu\n\t"
+        "ldr	r7, [%[m], #488]\n\t"
+        "ldr	r9, [%[a], #488]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #488]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+123] += m[123] * mu\n\t"
+        "ldr	r7, [%[m], #492]\n\t"
+        "ldr	r9, [%[a], #492]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #492]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+124] += m[124] * mu\n\t"
+        "ldr	r7, [%[m], #496]\n\t"
+        "ldr	r9, [%[a], #496]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #496]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+125] += m[125] * mu\n\t"
+        "ldr	r7, [%[m], #500]\n\t"
+        "ldr	r9, [%[a], #500]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #500]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+126] += m[126] * mu\n\t"
+        "ldr	r7, [%[m], #504]\n\t"
+        "ldr	r9, [%[a], #504]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #504]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+127] += m[127] * mu\n\t"
+        "ldr	r7, [%[m], #508]\n\t"
+        "ldr   r9, [%[a], #508]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #508]\n\t"
+        "ldr	r9, [%[a], #512]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #512]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #512\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_4096_cond_sub_128(a - 128, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_128(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_128(r, a, b);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_128(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_128(r, a);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_4096_word_128(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_128(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<128; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_4096_cmp_128(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #508\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #508]\n\t"
+        "ldr		r5, [%[b], #508]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #504]\n\t"
+        "ldr		r5, [%[b], #504]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #500]\n\t"
+        "ldr		r5, [%[b], #500]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #496]\n\t"
+        "ldr		r5, [%[b], #496]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #492]\n\t"
+        "ldr		r5, [%[b], #492]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #488]\n\t"
+        "ldr		r5, [%[b], #488]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #484]\n\t"
+        "ldr		r5, [%[b], #484]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #480]\n\t"
+        "ldr		r5, [%[b], #480]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #476]\n\t"
+        "ldr		r5, [%[b], #476]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #472]\n\t"
+        "ldr		r5, [%[b], #472]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #468]\n\t"
+        "ldr		r5, [%[b], #468]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #464]\n\t"
+        "ldr		r5, [%[b], #464]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #460]\n\t"
+        "ldr		r5, [%[b], #460]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #456]\n\t"
+        "ldr		r5, [%[b], #456]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #452]\n\t"
+        "ldr		r5, [%[b], #452]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #448]\n\t"
+        "ldr		r5, [%[b], #448]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #444]\n\t"
+        "ldr		r5, [%[b], #444]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #440]\n\t"
+        "ldr		r5, [%[b], #440]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #436]\n\t"
+        "ldr		r5, [%[b], #436]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #432]\n\t"
+        "ldr		r5, [%[b], #432]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #428]\n\t"
+        "ldr		r5, [%[b], #428]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #424]\n\t"
+        "ldr		r5, [%[b], #424]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #420]\n\t"
+        "ldr		r5, [%[b], #420]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #416]\n\t"
+        "ldr		r5, [%[b], #416]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #412]\n\t"
+        "ldr		r5, [%[b], #412]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #408]\n\t"
+        "ldr		r5, [%[b], #408]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #404]\n\t"
+        "ldr		r5, [%[b], #404]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #400]\n\t"
+        "ldr		r5, [%[b], #400]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #396]\n\t"
+        "ldr		r5, [%[b], #396]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #392]\n\t"
+        "ldr		r5, [%[b], #392]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #388]\n\t"
+        "ldr		r5, [%[b], #388]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #384]\n\t"
+        "ldr		r5, [%[b], #384]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #380]\n\t"
+        "ldr		r5, [%[b], #380]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #376]\n\t"
+        "ldr		r5, [%[b], #376]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #372]\n\t"
+        "ldr		r5, [%[b], #372]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #368]\n\t"
+        "ldr		r5, [%[b], #368]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #364]\n\t"
+        "ldr		r5, [%[b], #364]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #360]\n\t"
+        "ldr		r5, [%[b], #360]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #356]\n\t"
+        "ldr		r5, [%[b], #356]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #352]\n\t"
+        "ldr		r5, [%[b], #352]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #348]\n\t"
+        "ldr		r5, [%[b], #348]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #344]\n\t"
+        "ldr		r5, [%[b], #344]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #340]\n\t"
+        "ldr		r5, [%[b], #340]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #336]\n\t"
+        "ldr		r5, [%[b], #336]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #332]\n\t"
+        "ldr		r5, [%[b], #332]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #328]\n\t"
+        "ldr		r5, [%[b], #328]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #324]\n\t"
+        "ldr		r5, [%[b], #324]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #320]\n\t"
+        "ldr		r5, [%[b], #320]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #316]\n\t"
+        "ldr		r5, [%[b], #316]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #312]\n\t"
+        "ldr		r5, [%[b], #312]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #308]\n\t"
+        "ldr		r5, [%[b], #308]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #304]\n\t"
+        "ldr		r5, [%[b], #304]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #300]\n\t"
+        "ldr		r5, [%[b], #300]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #296]\n\t"
+        "ldr		r5, [%[b], #296]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #292]\n\t"
+        "ldr		r5, [%[b], #292]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #288]\n\t"
+        "ldr		r5, [%[b], #288]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #284]\n\t"
+        "ldr		r5, [%[b], #284]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #280]\n\t"
+        "ldr		r5, [%[b], #280]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #276]\n\t"
+        "ldr		r5, [%[b], #276]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #272]\n\t"
+        "ldr		r5, [%[b], #272]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #268]\n\t"
+        "ldr		r5, [%[b], #268]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #264]\n\t"
+        "ldr		r5, [%[b], #264]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #260]\n\t"
+        "ldr		r5, [%[b], #260]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #256]\n\t"
+        "ldr		r5, [%[b], #256]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #252]\n\t"
+        "ldr		r5, [%[b], #252]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #248]\n\t"
+        "ldr		r5, [%[b], #248]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #244]\n\t"
+        "ldr		r5, [%[b], #244]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #240]\n\t"
+        "ldr		r5, [%[b], #240]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #236]\n\t"
+        "ldr		r5, [%[b], #236]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #232]\n\t"
+        "ldr		r5, [%[b], #232]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #228]\n\t"
+        "ldr		r5, [%[b], #228]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #224]\n\t"
+        "ldr		r5, [%[b], #224]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #220]\n\t"
+        "ldr		r5, [%[b], #220]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #216]\n\t"
+        "ldr		r5, [%[b], #216]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #212]\n\t"
+        "ldr		r5, [%[b], #212]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #208]\n\t"
+        "ldr		r5, [%[b], #208]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #204]\n\t"
+        "ldr		r5, [%[b], #204]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #200]\n\t"
+        "ldr		r5, [%[b], #200]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #196]\n\t"
+        "ldr		r5, [%[b], #196]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #192]\n\t"
+        "ldr		r5, [%[b], #192]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #188]\n\t"
+        "ldr		r5, [%[b], #188]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #184]\n\t"
+        "ldr		r5, [%[b], #184]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #180]\n\t"
+        "ldr		r5, [%[b], #180]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #176]\n\t"
+        "ldr		r5, [%[b], #176]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #172]\n\t"
+        "ldr		r5, [%[b], #172]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #168]\n\t"
+        "ldr		r5, [%[b], #168]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #164]\n\t"
+        "ldr		r5, [%[b], #164]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #160]\n\t"
+        "ldr		r5, [%[b], #160]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #156]\n\t"
+        "ldr		r5, [%[b], #156]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #152]\n\t"
+        "ldr		r5, [%[b], #152]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #148]\n\t"
+        "ldr		r5, [%[b], #148]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #144]\n\t"
+        "ldr		r5, [%[b], #144]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #140]\n\t"
+        "ldr		r5, [%[b], #140]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #136]\n\t"
+        "ldr		r5, [%[b], #136]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #132]\n\t"
+        "ldr		r5, [%[b], #132]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #128]\n\t"
+        "ldr		r5, [%[b], #128]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #124]\n\t"
+        "ldr		r5, [%[b], #124]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #120]\n\t"
+        "ldr		r5, [%[b], #120]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #116]\n\t"
+        "ldr		r5, [%[b], #116]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #112]\n\t"
+        "ldr		r5, [%[b], #112]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #108]\n\t"
+        "ldr		r5, [%[b], #108]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #104]\n\t"
+        "ldr		r5, [%[b], #104]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #100]\n\t"
+        "ldr		r5, [%[b], #100]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #96]\n\t"
+        "ldr		r5, [%[b], #96]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #92]\n\t"
+        "ldr		r5, [%[b], #92]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #88]\n\t"
+        "ldr		r5, [%[b], #88]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #84]\n\t"
+        "ldr		r5, [%[b], #84]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #80]\n\t"
+        "ldr		r5, [%[b], #80]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #76]\n\t"
+        "ldr		r5, [%[b], #76]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #72]\n\t"
+        "ldr		r5, [%[b], #72]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #68]\n\t"
+        "ldr		r5, [%[b], #68]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #64]\n\t"
+        "ldr		r5, [%[b], #64]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #60]\n\t"
+        "ldr		r5, [%[b], #60]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #56]\n\t"
+        "ldr		r5, [%[b], #56]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #52]\n\t"
+        "ldr		r5, [%[b], #52]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #48]\n\t"
+        "ldr		r5, [%[b], #48]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        if (t1[128 + i] != 0) {
+            t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+            if (t1[128 + i] != 0)
+                t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][256];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][256];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_128(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_128(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_128(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_128(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_128(t[20], t[10], m, mp);
+        sp_4096_mont_mul_128(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_128(t[22], t[11], m, mp);
+        sp_4096_mont_mul_128(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_128(t[24], t[12], m, mp);
+        sp_4096_mont_mul_128(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_128(t[26], t[13], m, mp);
+        sp_4096_mont_mul_128(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_128(t[28], t[14], m, mp);
+        sp_4096_mont_mul_128(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_128(t[30], t[15], m, mp);
+        sp_4096_mont_mul_128(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[256], m[128], r[256];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 512 ||
+                                                     mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 128 * 2;
+        m = r + 128 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 128;
+
+        sp_4096_from_bin(ah, 128, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 128, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_4096_sqr_128(r, ah);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_4096_mul_128(r, ah, r);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 128);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_128(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_128(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[128], 0, sizeof(sp_digit) * 128);
+                sp_4096_mont_reduce_128(r, m, mp);
+
+                for (i = 127; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_4096_sub_in_place_128(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 128;
+        m = a + 256;
+        r = a;
+
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(d, 128, dm);
+        sp_4096_from_mp(m, 128, mm);
+        err = sp_4096_mod_exp_128(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 128);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_4096_cond_add_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #256\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r6, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r7, [%[b], #52]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "str	r6, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r6, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r7, [%[b], #60]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r6, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r6, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r7, [%[b], #68]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "str	r6, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r6, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r7, [%[b], #76]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "str	r6, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r6, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r7, [%[b], #84]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "str	r6, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r6, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r7, [%[b], #92]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r6, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r6, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r7, [%[b], #100]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "str	r6, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r6, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r7, [%[b], #108]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "str	r6, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r6, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r7, [%[b], #116]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "str	r6, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r6, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r7, [%[b], #124]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "str	r6, [%[r], #124]\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "ldr	r6, [%[a], #132]\n\t"
+        "ldr	r5, [%[b], #128]\n\t"
+        "ldr	r7, [%[b], #132]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "str	r6, [%[r], #132]\n\t"
+        "ldr	r4, [%[a], #136]\n\t"
+        "ldr	r6, [%[a], #140]\n\t"
+        "ldr	r5, [%[b], #136]\n\t"
+        "ldr	r7, [%[b], #140]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #136]\n\t"
+        "str	r6, [%[r], #140]\n\t"
+        "ldr	r4, [%[a], #144]\n\t"
+        "ldr	r6, [%[a], #148]\n\t"
+        "ldr	r5, [%[b], #144]\n\t"
+        "ldr	r7, [%[b], #148]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #144]\n\t"
+        "str	r6, [%[r], #148]\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "ldr	r6, [%[a], #156]\n\t"
+        "ldr	r5, [%[b], #152]\n\t"
+        "ldr	r7, [%[b], #156]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "str	r6, [%[r], #156]\n\t"
+        "ldr	r4, [%[a], #160]\n\t"
+        "ldr	r6, [%[a], #164]\n\t"
+        "ldr	r5, [%[b], #160]\n\t"
+        "ldr	r7, [%[b], #164]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #160]\n\t"
+        "str	r6, [%[r], #164]\n\t"
+        "ldr	r4, [%[a], #168]\n\t"
+        "ldr	r6, [%[a], #172]\n\t"
+        "ldr	r5, [%[b], #168]\n\t"
+        "ldr	r7, [%[b], #172]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #168]\n\t"
+        "str	r6, [%[r], #172]\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "ldr	r6, [%[a], #180]\n\t"
+        "ldr	r5, [%[b], #176]\n\t"
+        "ldr	r7, [%[b], #180]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "str	r6, [%[r], #180]\n\t"
+        "ldr	r4, [%[a], #184]\n\t"
+        "ldr	r6, [%[a], #188]\n\t"
+        "ldr	r5, [%[b], #184]\n\t"
+        "ldr	r7, [%[b], #188]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #184]\n\t"
+        "str	r6, [%[r], #188]\n\t"
+        "ldr	r4, [%[a], #192]\n\t"
+        "ldr	r6, [%[a], #196]\n\t"
+        "ldr	r5, [%[b], #192]\n\t"
+        "ldr	r7, [%[b], #196]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #192]\n\t"
+        "str	r6, [%[r], #196]\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "ldr	r6, [%[a], #204]\n\t"
+        "ldr	r5, [%[b], #200]\n\t"
+        "ldr	r7, [%[b], #204]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "str	r6, [%[r], #204]\n\t"
+        "ldr	r4, [%[a], #208]\n\t"
+        "ldr	r6, [%[a], #212]\n\t"
+        "ldr	r5, [%[b], #208]\n\t"
+        "ldr	r7, [%[b], #212]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #208]\n\t"
+        "str	r6, [%[r], #212]\n\t"
+        "ldr	r4, [%[a], #216]\n\t"
+        "ldr	r6, [%[a], #220]\n\t"
+        "ldr	r5, [%[b], #216]\n\t"
+        "ldr	r7, [%[b], #220]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #216]\n\t"
+        "str	r6, [%[r], #220]\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "ldr	r6, [%[a], #228]\n\t"
+        "ldr	r5, [%[b], #224]\n\t"
+        "ldr	r7, [%[b], #228]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "str	r6, [%[r], #228]\n\t"
+        "ldr	r4, [%[a], #232]\n\t"
+        "ldr	r6, [%[a], #236]\n\t"
+        "ldr	r5, [%[b], #232]\n\t"
+        "ldr	r7, [%[b], #236]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #232]\n\t"
+        "str	r6, [%[r], #236]\n\t"
+        "ldr	r4, [%[a], #240]\n\t"
+        "ldr	r6, [%[a], #244]\n\t"
+        "ldr	r5, [%[b], #240]\n\t"
+        "ldr	r7, [%[b], #244]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #240]\n\t"
+        "str	r6, [%[r], #244]\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "ldr	r6, [%[a], #252]\n\t"
+        "ldr	r5, [%[b], #248]\n\t"
+        "ldr	r7, [%[b], #252]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "str	r6, [%[r], #252]\n\t"
+        "adc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128 * 2];
+    sp_digit p[64], q[64], dp[64];
+    sp_digit tmpa[128], tmpb[128];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 512 || mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 128 * 2;
+        q = p + 64;
+        qi = dq = dp = q + 64;
+        tmpa = qi + 64;
+        tmpb = tmpa + 128;
+
+        r = t + 128;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(p, 64, pm);
+        sp_4096_from_mp(q, 64, qm);
+        sp_4096_from_mp(dp, 64, dpm);
+
+        err = sp_2048_mod_exp_64(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 64, dqm);
+        err = sp_2048_mod_exp_64(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_64(tmpa, tmpb);
+        c += sp_4096_cond_add_64(tmpa, tmpa, p, c);
+        sp_4096_cond_add_64(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 64, qim);
+        sp_2048_mul_64(tmpa, tmpa, qi);
+        err = sp_2048_mod_64(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_64(tmpa, q, tmpa);
+        XMEMSET(&tmpb[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_add_128(r, tmpb, tmpa);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 64 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 128);
+        r->used = 128;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_mp(e, 128, exp);
+        sp_4096_from_mp(m, 128, mod);
+
+        err = sp_4096_mod_exp_128(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+static void sp_4096_lshift_128(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "ldr	r3, [%[a], #508]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #504]\n\t"
+        "str	r4, [%[r], #512]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #500]\n\t"
+        "str	r3, [%[r], #508]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #496]\n\t"
+        "str	r2, [%[r], #504]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #492]\n\t"
+        "str	r4, [%[r], #500]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #488]\n\t"
+        "str	r3, [%[r], #496]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #484]\n\t"
+        "str	r2, [%[r], #492]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #480]\n\t"
+        "str	r4, [%[r], #488]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #476]\n\t"
+        "str	r3, [%[r], #484]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #472]\n\t"
+        "str	r2, [%[r], #480]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #468]\n\t"
+        "str	r4, [%[r], #476]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #464]\n\t"
+        "str	r3, [%[r], #472]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #460]\n\t"
+        "str	r2, [%[r], #468]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #456]\n\t"
+        "str	r4, [%[r], #464]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #452]\n\t"
+        "str	r3, [%[r], #460]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #448]\n\t"
+        "str	r2, [%[r], #456]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #444]\n\t"
+        "str	r4, [%[r], #452]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #440]\n\t"
+        "str	r3, [%[r], #448]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #436]\n\t"
+        "str	r2, [%[r], #444]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #432]\n\t"
+        "str	r4, [%[r], #440]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #428]\n\t"
+        "str	r3, [%[r], #436]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #424]\n\t"
+        "str	r2, [%[r], #432]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #420]\n\t"
+        "str	r4, [%[r], #428]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #416]\n\t"
+        "str	r3, [%[r], #424]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #412]\n\t"
+        "str	r2, [%[r], #420]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #408]\n\t"
+        "str	r4, [%[r], #416]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #404]\n\t"
+        "str	r3, [%[r], #412]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #400]\n\t"
+        "str	r2, [%[r], #408]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #396]\n\t"
+        "str	r4, [%[r], #404]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #392]\n\t"
+        "str	r3, [%[r], #400]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #388]\n\t"
+        "str	r2, [%[r], #396]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #384]\n\t"
+        "str	r4, [%[r], #392]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #380]\n\t"
+        "str	r3, [%[r], #388]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #376]\n\t"
+        "str	r2, [%[r], #384]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #372]\n\t"
+        "str	r4, [%[r], #380]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #368]\n\t"
+        "str	r3, [%[r], #376]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #364]\n\t"
+        "str	r2, [%[r], #372]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #360]\n\t"
+        "str	r4, [%[r], #368]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #356]\n\t"
+        "str	r3, [%[r], #364]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #352]\n\t"
+        "str	r2, [%[r], #360]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #348]\n\t"
+        "str	r4, [%[r], #356]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #344]\n\t"
+        "str	r3, [%[r], #352]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #340]\n\t"
+        "str	r2, [%[r], #348]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #336]\n\t"
+        "str	r4, [%[r], #344]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #332]\n\t"
+        "str	r3, [%[r], #340]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #328]\n\t"
+        "str	r2, [%[r], #336]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #324]\n\t"
+        "str	r4, [%[r], #332]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #320]\n\t"
+        "str	r3, [%[r], #328]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #316]\n\t"
+        "str	r2, [%[r], #324]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #312]\n\t"
+        "str	r4, [%[r], #320]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #308]\n\t"
+        "str	r3, [%[r], #316]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #304]\n\t"
+        "str	r2, [%[r], #312]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #300]\n\t"
+        "str	r4, [%[r], #308]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #296]\n\t"
+        "str	r3, [%[r], #304]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #292]\n\t"
+        "str	r2, [%[r], #300]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #288]\n\t"
+        "str	r4, [%[r], #296]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #284]\n\t"
+        "str	r3, [%[r], #292]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #280]\n\t"
+        "str	r2, [%[r], #288]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #276]\n\t"
+        "str	r4, [%[r], #284]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #272]\n\t"
+        "str	r3, [%[r], #280]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #268]\n\t"
+        "str	r2, [%[r], #276]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #264]\n\t"
+        "str	r4, [%[r], #272]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #260]\n\t"
+        "str	r3, [%[r], #268]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #256]\n\t"
+        "str	r2, [%[r], #264]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #252]\n\t"
+        "str	r4, [%[r], #260]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #248]\n\t"
+        "str	r3, [%[r], #256]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #244]\n\t"
+        "str	r2, [%[r], #252]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #240]\n\t"
+        "str	r4, [%[r], #248]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #236]\n\t"
+        "str	r3, [%[r], #244]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #232]\n\t"
+        "str	r2, [%[r], #240]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #228]\n\t"
+        "str	r4, [%[r], #236]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #224]\n\t"
+        "str	r3, [%[r], #232]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #220]\n\t"
+        "str	r2, [%[r], #228]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #216]\n\t"
+        "str	r4, [%[r], #224]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #212]\n\t"
+        "str	r3, [%[r], #220]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #208]\n\t"
+        "str	r2, [%[r], #216]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #204]\n\t"
+        "str	r4, [%[r], #212]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #200]\n\t"
+        "str	r3, [%[r], #208]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #196]\n\t"
+        "str	r2, [%[r], #204]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #192]\n\t"
+        "str	r4, [%[r], #200]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #188]\n\t"
+        "str	r3, [%[r], #196]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #184]\n\t"
+        "str	r2, [%[r], #192]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #180]\n\t"
+        "str	r4, [%[r], #188]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #176]\n\t"
+        "str	r3, [%[r], #184]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #172]\n\t"
+        "str	r2, [%[r], #180]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #168]\n\t"
+        "str	r4, [%[r], #176]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #164]\n\t"
+        "str	r3, [%[r], #172]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #160]\n\t"
+        "str	r2, [%[r], #168]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #156]\n\t"
+        "str	r4, [%[r], #164]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #152]\n\t"
+        "str	r3, [%[r], #160]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #148]\n\t"
+        "str	r2, [%[r], #156]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #144]\n\t"
+        "str	r4, [%[r], #152]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #140]\n\t"
+        "str	r3, [%[r], #148]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #136]\n\t"
+        "str	r2, [%[r], #144]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #132]\n\t"
+        "str	r4, [%[r], #140]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #128]\n\t"
+        "str	r3, [%[r], #136]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #124]\n\t"
+        "str	r2, [%[r], #132]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #120]\n\t"
+        "str	r4, [%[r], #128]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "str	r3, [%[r], #124]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "str	r2, [%[r], #120]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #108]\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "str	r3, [%[r], #112]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #100]\n\t"
+        "str	r2, [%[r], #108]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #96]\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "str	r3, [%[r], #100]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "str	r2, [%[r], #96]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #84]\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "str	r3, [%[r], #88]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #76]\n\t"
+        "str	r2, [%[r], #84]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #72]\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "str	r3, [%[r], #76]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "str	r2, [%[r], #72]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "str	r2, [%[r]]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_128(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[256];
+    sp_digit td[129];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 385, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 256;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_4096_lshift_128(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_lshift_128(r, r, y);
+            sp_4096_mul_d_128(tmp, norm, r[128]);
+            r[128] = 0;
+            o = sp_4096_add_128(r, r, tmp);
+            sp_4096_cond_sub_128(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_bin(e, 128, exp, expLen);
+        sp_4096_from_mp(m, 128, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 && m[127] == (sp_digit)-1)
+            err = sp_4096_mod_exp_2_128(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_4096_mod_exp_128(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 8];
+    sp_digit y[2 * 8];
+    sp_digit z[2 * 8];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[8] = {
+    0xffffffff,0xffffffff,0xffffffff,0x00000000,0x00000000,0x00000000,
+    0x00000001,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[8] = {
+    0x00000001,0x00000000,0x00000000,0xffffffff,0xffffffff,0xffffffff,
+    0xfffffffe,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[8] = {
+    0xfc632551,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[8] = {
+    0xfc63254f,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[8] = {
+    0x039cdaaf,0x0c46353d,0x58e8617b,0x43190552,0x00000000,0x00000000,
+    0xffffffff,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0xee00bc4f;
+#endif
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0xd898c296,0xf4a13945,0x2deb33a0,0x77037d81,0x63a440f2,0xf8bce6e5,
+        0xe12c4247,0x6b17d1f2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x37bf51f5,0xcbb64068,0x6b315ece,0x2bce3357,0x7c0f9e16,0x8ee7eb4a,
+        0xfe1a7f9b,0x4fe342e2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[8] = {
+    0x27d2604b,0x3bce3c3e,0xcc53b0f6,0x651d06b0,0x769886bc,0xb3ebbd55,
+    0xaa3a93e7,0x5ac635d8
+};
+#endif
+
+static int sp_256_point_new_ex_8(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_8(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ */
+static int sp_256_mod_mul_norm_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "sub	sp, sp, #24\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "# Clear overflow and underflow\n\t"
+        "mov	r14, #0\n\t"
+        "mov	r12, #0\n\t"
+        "# t[0] =  1  1  0 -1 -1 -1 -1  0\n\t"
+        "adds	r10, r2, r3\n\t"
+        "adc	r14, r14, #0\n\t"
+        "subs	r10, r10, r5\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r6\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r7\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r8\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[0]\n\t"
+        "str	r10, [sp, #0]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r10, #0\n\t"
+        "# t[1] =  0  1  1  0 -1 -1 -1 -1\n\t"
+        "adds	r14, r14, r3\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r10, r10, #0\n\t"
+        "subs	r14, r14, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r6\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r7\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r8\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r9\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[1]\n\t"
+        "str	r14, [sp, #4]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r14, #0\n\t"
+        "# t[2] =  0  0  1  1  0 -1 -1 -1\n\t"
+        "adds	r10, r10, r4\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r14, r14, #0\n\t"
+        "subs	r10, r10, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r7\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r8\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r9\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[2]\n\t"
+        "str	r10, [sp, #8]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r10, #0\n\t"
+        "# t[3] = -1 -1  0  2  2  1  0 -1\n\t"
+        "adds	r14, r14, r5\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r5\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r7\n\t"
+        "adc	r10, r10, #0\n\t"
+        "subs	r14, r14, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r2\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r3\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r9\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[3]\n\t"
+        "str	r14, [sp, #12]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r14, #0\n\t"
+        "# t[4] =  0 -1 -1  0  2  2  1  0\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r7\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r7\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r8\n\t"
+        "adc	r14, r14, #0\n\t"
+        "subs	r10, r10, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r3\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r4\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[4]\n\t"
+        "str	r10, [sp, #16]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r10, #0\n\t"
+        "# t[5] =  0  0 -1 -1  0  2  2  1\n\t"
+        "adds	r14, r14, r7\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r7\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r8\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r8\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r9\n\t"
+        "adc	r10, r10, #0\n\t"
+        "subs	r14, r14, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r4\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r5\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[5]\n\t"
+        "str	r14, [sp, #20]\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r14, #0\n\t"
+        "# t[6] = -1 -1  0  0  0  1  3  2\n\t"
+        "adds	r10, r10, r7\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r8\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r8\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r8\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r9\n\t"
+        "adc	r14, r14, #0\n\t"
+        "adds	r10, r10, r9\n\t"
+        "adc	r14, r14, #0\n\t"
+        "subs	r10, r10, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r2\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r10, r10, r3\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[6]\n\t"
+        "mov	r8, r10\n\t"
+        "neg	r12, r12\n\t"
+        "mov	r10, #0\n\t"
+        "# t[7] =  1  0 -1 -1 -1 -1  0  3\n\t"
+        "adds	r14, r14, r2\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r9\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r9\n\t"
+        "adc	r10, r10, #0\n\t"
+        "adds	r14, r14, r9\n\t"
+        "adc	r10, r10, #0\n\t"
+        "subs	r14, r14, r12\n\t"
+        "mov	r12, #0\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r4\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r5\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r6\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "subs	r14, r14, r7\n\t"
+        "sbc	r12, r12, #0\n\t"
+        "# Store t[7]\n\t"
+        "# Load intermediate\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r5, [sp, #12]\n\t"
+        "ldr	r6, [sp, #16]\n\t"
+        "ldr	r7, [sp, #20]\n\t"
+        "neg	r12, r12\n\t"
+        "# Add overflow\n\t"
+        "# Subtract underflow - add neg underflow\n\t"
+        "adds	r2, r2, r10\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adds	r5, r5, r12\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adcs	r7, r7, #0\n\t"
+        "adcs	r8, r8, r12\n\t"
+        "adc	r14, r14, r10\n\t"
+        "# Subtract overflow\n\t"
+        "# Add underflow - subtract neg underflow\n\t"
+        "subs	r2, r2, r12\n\t"
+        "sbcs	r3, r3, #0\n\t"
+        "sbcs	r4, r4, #0\n\t"
+        "subs	r5, r5, r10\n\t"
+        "sbcs	r6, r6, #0\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, r10\n\t"
+        "sbc	r14, r14, r12\n\t"
+        "# Store result\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r5, [%[r], #12]\n\t"
+        "str	r6, [%[r], #16]\n\t"
+        "str	r7, [%[r], #20]\n\t"
+        "str	r8, [%[r], #24]\n\t"
+        "str	r14, [%[r], #28]\n\t"
+        "add	sp, sp, #24\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return MP_OKAY;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_8(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 8, pm->x);
+    sp_256_from_mp(p->y, 8, pm->y);
+    sp_256_from_mp(p->z, 8, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 8);
+        r->used = 8;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_8(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+SP_NOINLINE static void sp_256_mont_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    (void)mp;
+    (void)m;
+
+    __asm__ __volatile__ (
+        "sub	sp, sp, #68\n\t"
+        "mov	r5, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r8, r9, r6, r7\n\t"
+        "str	r8, [sp, #0]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adc	r10, r4, #0\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "str	r9, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adc	r14, r4, r14\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, #0\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "str	r10, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "str	r14, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, #0\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "str	r8, [sp, #32]\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "str	r9, [sp, #36]\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, #0\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "str	r10, [sp, #40]\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "str	r14, [sp, #44]\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adc	r14, r4, r14\n\t"
+        "str	r8, [sp, #48]\n\t"
+        "str	r9, [sp, #52]\n\t"
+        "str	r10, [sp, #56]\n\t"
+        "str	r14, [sp, #60]\n\t"
+        "# Start Reduction\n\t"
+        "ldr	r4, [sp, #0]\n\t"
+        "ldr	r5, [sp, #4]\n\t"
+        "ldr	r6, [sp, #8]\n\t"
+        "ldr	r7, [sp, #12]\n\t"
+        "ldr	r8, [sp, #16]\n\t"
+        "ldr	r9, [sp, #20]\n\t"
+        "ldr	r10, [sp, #24]\n\t"
+        "ldr	r14, [sp, #28]\n\t"
+        "# mu = a[0]-a[7] + a[0]-a[4] << 96 + (a[0]-a[1] * 2) << 192\n\t"
+        "#    - a[0] << 224\n\t"
+        "#   + (a[0]-a[1] * 2) << (6 * 32)\n\t"
+        "adds	r10, r10, r4\n\t"
+        "adc	r14, r14, r5\n\t"
+        "adds	r10, r10, r4\n\t"
+        "adc	r14, r14, r5\n\t"
+        "#   - a[0] << (7 * 32)\n\t"
+        "sub	r14, r14, r4\n\t"
+        "#   + a[0]-a[4] << (3 * 32)\n\t"
+        "mov	%[a], r7\n\t"
+        "mov	%[b], r8\n\t"
+        "adds	r7, r7, r4\n\t"
+        "adcs	r8, r8, r5\n\t"
+        "adcs	r9, r9, r6\n\t"
+        "adcs	r10, r10, %[a]\n\t"
+        "adc	r14, r14, %[b]\n\t"
+        "str	r4, [sp, #0]\n\t"
+        "str	r5, [sp, #4]\n\t"
+        "str	r6, [sp, #8]\n\t"
+        "str	r7, [sp, #12]\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "# a += mu * m\n\t"
+        "#   += mu * ((1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1)\n\t"
+        "mov	%[a], #0\n\t"
+        "# a[6] +=        t[0] + t[3]\n\t"
+        "ldr	r3, [sp, #24]\n\t"
+        "adds	r3, r3, r4\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "# a[7] +=        t[1] + t[4]\n\t"
+        "ldr	r3, [sp, #28]\n\t"
+        "adds	r3, r3, %[b]\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "str	r3, [sp, #64]\n\t"
+        "# a[8] += t[0] + t[2] + t[5]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "adds	r3, r3, %[b]\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r4\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r3, [sp, #32]\n\t"
+        "# a[9]  += t[1] + t[3] + t[6]\n\t"
+        "# a[10] += t[2] + t[4] + t[7]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "adds	r3, r3, %[b]\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r10\n\t"
+        "adcs	r4, r4, r14\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "# a[11] += t[3] + t[5]\n\t"
+        "# a[12] += t[4] + t[6]\n\t"
+        "# a[13] += t[5] + t[7]\n\t"
+        "# a[14] += t[6]\n\t"
+        "ldr	r3, [sp, #44]\n\t"
+        "ldr	r4, [sp, #48]\n\t"
+        "ldr	r5, [sp, #52]\n\t"
+        "ldr	r6, [sp, #56]\n\t"
+        "adds	r3, r3, %[b]\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adcs	r5, r5, #0\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adcs	r5, r5, r14\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r3, [sp, #44]\n\t"
+        "str	r4, [sp, #48]\n\t"
+        "str	r5, [sp, #52]\n\t"
+        "str	r6, [sp, #56]\n\t"
+        "# a[15] += t[7]\n\t"
+        "ldr	r3, [sp, #60]\n\t"
+        "adds	r3, r3, %[b]\n\t"
+        "adc	%[b], %[a], #0\n\t"
+        "adds	r3, r3, r14\n\t"
+        "adc	%[b], %[b], #0\n\t"
+        "str	r3, [sp, #60]\n\t"
+        "ldr	r3, [sp, #64]\n\t"
+        "ldr	r4, [sp, #32]\n\t"
+        "ldr	r5, [sp, #36]\n\t"
+        "ldr	r6, [sp, #40]\n\t"
+        "ldr	r8, [sp, #0]\n\t"
+        "ldr	r9, [sp, #4]\n\t"
+        "ldr	r10, [sp, #8]\n\t"
+        "ldr	r14, [sp, #12]\n\t"
+        "subs	r3, r3, r8\n\t"
+        "sbcs	r4, r4, r9\n\t"
+        "sbcs	r5, r5, r10\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "str	r4, [sp, #32]\n\t"
+        "str	r5, [sp, #36]\n\t"
+        "str	r6, [sp, #40]\n\t"
+        "ldr	r3, [sp, #44]\n\t"
+        "ldr	r4, [sp, #48]\n\t"
+        "ldr	r5, [sp, #52]\n\t"
+        "ldr	r6, [sp, #56]\n\t"
+        "ldr	r7, [sp, #60]\n\t"
+        "ldr	r8, [sp, #16]\n\t"
+        "ldr	r9, [sp, #20]\n\t"
+        "ldr	r10, [sp, #24]\n\t"
+        "ldr	r14, [sp, #28]\n\t"
+        "sbcs	r3, r3, r8\n\t"
+        "sbcs	r4, r4, r9\n\t"
+        "sbcs	r5, r5, r10\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "sbc	r7, r7, #0\n\t"
+        "str	r3, [sp, #44]\n\t"
+        "str	r4, [sp, #48]\n\t"
+        "str	r5, [sp, #52]\n\t"
+        "str	r6, [sp, #56]\n\t"
+        "str	r7, [sp, #60]\n\t"
+        "# mask m and sub from result if overflow\n\t"
+        "sub	%[b], %[a], %[b]\n\t"
+        "and	%[a], %[b], #1\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "ldr	r7, [sp, #48]\n\t"
+        "ldr	r8, [sp, #52]\n\t"
+        "ldr	r9, [sp, #56]\n\t"
+        "ldr	r10, [sp, #60]\n\t"
+        "subs	r3, r3, %[b]\n\t"
+        "sbcs	r4, r4, %[b]\n\t"
+        "sbcs	r5, r5, %[b]\n\t"
+        "sbcs	r6, r6, #0\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, #0\n\t"
+        "sbcs	r9, r9, %[a]\n\t"
+        "sbc	r10, r10, %[b]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "str	r7, [%[r], #16]\n\t"
+        "str	r8, [%[r], #20]\n\t"
+        "str	r9, [%[r], #24]\n\t"
+        "str	r10, [%[r], #28]\n\t"
+        "add	sp, sp, #68\n\t"
+        : [a] "+r" (a), [b] "+r" (b)
+        : [r] "r" (r)
+        : "memory", "r8", "r9", "r10", "r14", "r3", "r4", "r5", "r6", "r7"
+    );
+}
+
+/* Square the Montgomery form number mod the modulus (prime). (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+SP_NOINLINE static void sp_256_mont_sqr_8(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    (void)mp;
+    (void)m;
+
+    __asm__ __volatile__ (
+        "sub	sp, sp, #68\n\t"
+        "mov	r5, #0\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "umull	r9, r10, r6, r7\n\t"
+        "str	r9, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adc	r14, r4, #0\n\t"
+        "str	r10, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adc	r8, r4, #0\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #8]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "str	r14, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adc	r9, r4, r9\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adc	r10, r4, r10\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[a], #16]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, r10\n\t"
+        "str	r8, [sp, #32]\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, #0\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[a], #20]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adcs	r10, r4, r10\n\t"
+        "adc	r14, r5, r14\n\t"
+        "str	r9, [sp, #36]\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, #0\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r10, r3, r10\n\t"
+        "adcs	r14, r4, r14\n\t"
+        "adc	r8, r5, r8\n\t"
+        "str	r10, [sp, #40]\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, #0\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[a], #24]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r14, r3, r14\n\t"
+        "adcs	r8, r4, r8\n\t"
+        "adc	r9, r5, r9\n\t"
+        "str	r14, [sp, #44]\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r8, r3, r8\n\t"
+        "adcs	r9, r4, r9\n\t"
+        "adc	r10, r5, #0\n\t"
+        "str	r8, [sp, #48]\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "umull	r3, r4, r6, r7\n\t"
+        "adds	r9, r3, r9\n\t"
+        "adc	r10, r4, r10\n\t"
+        "str	r9, [sp, #52]\n\t"
+        "str	r10, [sp, #56]\n\t"
+        "# Double\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r6, [sp, #8]\n\t"
+        "ldr	r7, [sp, #12]\n\t"
+        "ldr	r8, [sp, #16]\n\t"
+        "ldr	r9, [sp, #20]\n\t"
+        "ldr	r10, [sp, #24]\n\t"
+        "ldr	r14, [sp, #28]\n\t"
+        "ldr	r12, [sp, #32]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "adds	r4, r4, r4\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r7, r7, r7\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "adcs	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adcs	r14, r14, r14\n\t"
+        "adcs	r12, r12, r12\n\t"
+        "adcs	r3, r3, r3\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "str	r6, [sp, #8]\n\t"
+        "str	r7, [sp, #12]\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "str	r12, [sp, #32]\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "ldr	r7, [sp, #48]\n\t"
+        "ldr	r8, [sp, #52]\n\t"
+        "ldr	r9, [sp, #56]\n\t"
+        "adcs	r4, r4, r4\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r7, r7, r7\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "adcs	r9, r9, r9\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "str	r6, [sp, #44]\n\t"
+        "str	r7, [sp, #48]\n\t"
+        "str	r8, [sp, #52]\n\t"
+        "str	r9, [sp, #56]\n\t"
+        "adc	r10, r5, #0\n\t"
+        "str	r10, [sp, #60]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r12, [sp, #12]\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r6, [%[a], #0]\n\t"
+        "umull	r8, r9, r6, r6\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "umull	r10, r14, r6, r6\n\t"
+        "adds	r9, r9, r4\n\t"
+        "adcs	r10, r10, r5\n\t"
+        "adcs	r14, r14, r12\n\t"
+        "str	r8, [sp, #0]\n\t"
+        "str	r9, [sp, #4]\n\t"
+        "str	r10, [sp, #8]\n\t"
+        "str	r14, [sp, #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r12, [sp, #28]\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "umull	r8, r9, r6, r6\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "umull	r10, r14, r6, r6\n\t"
+        "adcs	r8, r8, r3\n\t"
+        "adcs	r9, r9, r4\n\t"
+        "adcs	r10, r10, r5\n\t"
+        "adcs	r14, r14, r12\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r12, [sp, #44]\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "umull	r8, r9, r6, r6\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "umull	r10, r14, r6, r6\n\t"
+        "adcs	r8, r8, r3\n\t"
+        "adcs	r9, r9, r4\n\t"
+        "adcs	r10, r10, r5\n\t"
+        "adcs	r14, r14, r12\n\t"
+        "str	r8, [sp, #32]\n\t"
+        "str	r9, [sp, #36]\n\t"
+        "str	r10, [sp, #40]\n\t"
+        "str	r14, [sp, #44]\n\t"
+        "ldr	r3, [sp, #48]\n\t"
+        "ldr	r4, [sp, #52]\n\t"
+        "ldr	r5, [sp, #56]\n\t"
+        "ldr	r12, [sp, #60]\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "umull	r8, r9, r6, r6\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "umull	r10, r14, r6, r6\n\t"
+        "adcs	r8, r8, r3\n\t"
+        "adcs	r9, r9, r4\n\t"
+        "adcs	r10, r10, r5\n\t"
+        "adc	r14, r14, r12\n\t"
+        "str	r8, [sp, #48]\n\t"
+        "str	r9, [sp, #52]\n\t"
+        "str	r10, [sp, #56]\n\t"
+        "str	r14, [sp, #60]\n\t"
+        "# Start Reduction\n\t"
+        "ldr	r4, [sp, #0]\n\t"
+        "ldr	r5, [sp, #4]\n\t"
+        "ldr	r6, [sp, #8]\n\t"
+        "ldr	r7, [sp, #12]\n\t"
+        "ldr	r8, [sp, #16]\n\t"
+        "ldr	r9, [sp, #20]\n\t"
+        "ldr	r10, [sp, #24]\n\t"
+        "ldr	r14, [sp, #28]\n\t"
+        "# mu = a[0]-a[7] + a[0]-a[4] << 96 + (a[0]-a[1] * 2) << 192\n\t"
+        "#    - a[0] << 224\n\t"
+        "#   + (a[0]-a[1] * 2) << (6 * 32)\n\t"
+        "adds	r10, r10, r4\n\t"
+        "adc	r14, r14, r5\n\t"
+        "adds	r10, r10, r4\n\t"
+        "adc	r14, r14, r5\n\t"
+        "#   - a[0] << (7 * 32)\n\t"
+        "sub	r14, r14, r4\n\t"
+        "#   + a[0]-a[4] << (3 * 32)\n\t"
+        "mov	%[a], r7\n\t"
+        "mov	r12, r8\n\t"
+        "adds	r7, r7, r4\n\t"
+        "adcs	r8, r8, r5\n\t"
+        "adcs	r9, r9, r6\n\t"
+        "adcs	r10, r10, %[a]\n\t"
+        "adc	r14, r14, r12\n\t"
+        "str	r4, [sp, #0]\n\t"
+        "str	r5, [sp, #4]\n\t"
+        "str	r6, [sp, #8]\n\t"
+        "str	r7, [sp, #12]\n\t"
+        "str	r8, [sp, #16]\n\t"
+        "str	r9, [sp, #20]\n\t"
+        "# a += mu * m\n\t"
+        "#   += mu * ((1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1)\n\t"
+        "mov	%[a], #0\n\t"
+        "# a[6] +=        t[0] + t[3]\n\t"
+        "ldr	r3, [sp, #24]\n\t"
+        "adds	r3, r3, r4\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r10, [sp, #24]\n\t"
+        "# a[7] +=        t[1] + t[4]\n\t"
+        "ldr	r3, [sp, #28]\n\t"
+        "adds	r3, r3, r12\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r14, [sp, #28]\n\t"
+        "str	r3, [sp, #64]\n\t"
+        "# a[8] += t[0] + t[2] + t[5]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "adds	r3, r3, r12\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r4\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r3, [sp, #32]\n\t"
+        "# a[9]  += t[1] + t[3] + t[6]\n\t"
+        "# a[10] += t[2] + t[4] + t[7]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "adds	r3, r3, r12\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r10\n\t"
+        "adcs	r4, r4, r14\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "# a[11] += t[3] + t[5]\n\t"
+        "# a[12] += t[4] + t[6]\n\t"
+        "# a[13] += t[5] + t[7]\n\t"
+        "# a[14] += t[6]\n\t"
+        "ldr	r3, [sp, #44]\n\t"
+        "ldr	r4, [sp, #48]\n\t"
+        "ldr	r5, [sp, #52]\n\t"
+        "ldr	r6, [sp, #56]\n\t"
+        "adds	r3, r3, r12\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adcs	r5, r5, #0\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adc	r12, r12, #0\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adcs	r5, r5, r14\n\t"
+        "adcs	r6, r6, #0\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r3, [sp, #44]\n\t"
+        "str	r4, [sp, #48]\n\t"
+        "str	r5, [sp, #52]\n\t"
+        "str	r6, [sp, #56]\n\t"
+        "# a[15] += t[7]\n\t"
+        "ldr	r3, [sp, #60]\n\t"
+        "adds	r3, r3, r12\n\t"
+        "adc	r12, %[a], #0\n\t"
+        "adds	r3, r3, r14\n\t"
+        "adc	r12, r12, #0\n\t"
+        "str	r3, [sp, #60]\n\t"
+        "ldr	r3, [sp, #64]\n\t"
+        "ldr	r4, [sp, #32]\n\t"
+        "ldr	r5, [sp, #36]\n\t"
+        "ldr	r6, [sp, #40]\n\t"
+        "ldr	r8, [sp, #0]\n\t"
+        "ldr	r9, [sp, #4]\n\t"
+        "ldr	r10, [sp, #8]\n\t"
+        "ldr	r14, [sp, #12]\n\t"
+        "subs	r3, r3, r8\n\t"
+        "sbcs	r4, r4, r9\n\t"
+        "sbcs	r5, r5, r10\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "str	r4, [sp, #32]\n\t"
+        "str	r5, [sp, #36]\n\t"
+        "str	r6, [sp, #40]\n\t"
+        "ldr	r3, [sp, #44]\n\t"
+        "ldr	r4, [sp, #48]\n\t"
+        "ldr	r5, [sp, #52]\n\t"
+        "ldr	r6, [sp, #56]\n\t"
+        "ldr	r7, [sp, #60]\n\t"
+        "ldr	r8, [sp, #16]\n\t"
+        "ldr	r9, [sp, #20]\n\t"
+        "ldr	r10, [sp, #24]\n\t"
+        "ldr	r14, [sp, #28]\n\t"
+        "sbcs	r3, r3, r8\n\t"
+        "sbcs	r4, r4, r9\n\t"
+        "sbcs	r5, r5, r10\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "sbc	r7, r7, #0\n\t"
+        "str	r3, [sp, #44]\n\t"
+        "str	r4, [sp, #48]\n\t"
+        "str	r5, [sp, #52]\n\t"
+        "str	r6, [sp, #56]\n\t"
+        "str	r7, [sp, #60]\n\t"
+        "# mask m and sub from result if overflow\n\t"
+        "sub	r12, %[a], r12\n\t"
+        "and	%[a], r12, #1\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "ldr	r7, [sp, #48]\n\t"
+        "ldr	r8, [sp, #52]\n\t"
+        "ldr	r9, [sp, #56]\n\t"
+        "ldr	r10, [sp, #60]\n\t"
+        "subs	r3, r3, r12\n\t"
+        "sbcs	r4, r4, r12\n\t"
+        "sbcs	r5, r5, r12\n\t"
+        "sbcs	r6, r6, #0\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, #0\n\t"
+        "sbcs	r9, r9, %[a]\n\t"
+        "sbc	r10, r10, r12\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "str	r7, [%[r], #16]\n\t"
+        "str	r8, [%[r], #20]\n\t"
+        "str	r9, [%[r], #24]\n\t"
+        "str	r10, [%[r], #28]\n\t"
+        "add	sp, sp, #68\n\t"
+        : [a] "+r" (a)
+        : [r] "r" (r)
+        : "memory", "r8", "r9", "r10", "r14", "r3", "r4", "r5", "r6", "r7", "r12"
+    );
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_8(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_8(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_8(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint32_t p256_mod_minus_2[8] = {
+    0xfffffffdU,0xffffffffU,0xffffffffU,0x00000000U,0x00000000U,0x00000000U,
+    0x00000001U,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_8(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_8(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_256_mont_mul_8(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    /* 0x2 */
+    sp_256_mont_sqr_8(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_8(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_8(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_8(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_8(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_8(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_8(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_8(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_8(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_8(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_8(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_8(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_8(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_256_cmp_8(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #28\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_256_norm_8(a)
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_256_cond_sub_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #32\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+#define sp_256_mont_reduce_order_8    sp_256_mont_reduce_8
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_8(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr   r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #32\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_256_cond_sub_8(a - 8, a, m, (sp_digit)0 - ca);
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    int32_t n;
+
+    sp_256_mont_inv_8(t1, p->z, t + 2*8);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_8(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 8, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_8(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_8(r->x, p256_mod);
+    sp_256_cond_sub_8(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_8(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 8, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_8(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_8(r->y, p256_mod);
+    sp_256_cond_sub_8(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #32\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_add_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r7, [%[a],#12]\n\t"
+        "ldr	r8, [%[b],#0]\n\t"
+        "ldr	r9, [%[b],#4]\n\t"
+        "ldr	r10, [%[b],#8]\n\t"
+        "ldr	r14, [%[b],#12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r7, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[a],#24]\n\t"
+        "ldr	r7, [%[a],#28]\n\t"
+        "ldr	r8, [%[b],#16]\n\t"
+        "ldr	r9, [%[b],#20]\n\t"
+        "ldr	r10, [%[b],#24]\n\t"
+        "ldr	r14, [%[b],#28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "adc	r3, r12, #0\n\t"
+        "sub	r3, r12, r3\n\t"
+        "and	r12, r3, #1\n\t"
+        "ldr	r8, [%[r],#0]\n\t"
+        "ldr	r9, [%[r],#4]\n\t"
+        "ldr	r10, [%[r],#8]\n\t"
+        "ldr	r14, [%[r],#12]\n\t"
+        "subs	r8, r8, r3\n\t"
+        "sbcs	r9, r9, r3\n\t"
+        "sbcs	r10, r10, r3\n\t"
+        "sbcs	r14, r14, #0\n\t"
+        "sbcs	r4, r4, #0\n\t"
+        "sbcs	r5, r5, #0\n\t"
+        "sbcs	r6, r6, r12\n\t"
+        "sbc	r7, r7, r3\n\t"
+        "str	r8, [%[r],#0]\n\t"
+        "str	r9, [%[r],#4]\n\t"
+        "str	r10, [%[r],#8]\n\t"
+        "str	r14, [%[r],#12]\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "str	r6, [%[r],#24]\n\t"
+        "str	r7, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r3", "r12"
+    );
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r7, [%[a],#12]\n\t"
+        "ldr	r8, [%[a],#16]\n\t"
+        "ldr	r9, [%[a],#20]\n\t"
+        "ldr	r10, [%[a],#24]\n\t"
+        "ldr	r14, [%[a],#28]\n\t"
+        "adds	r4, r4, r4\n\t"
+        "adcs	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r7, r7, r7\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "adcs	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adcs	r14, r14, r14\n\t"
+        "adc	r3, r12, #0\n\t"
+        "sub	r3, r12, r3\n\t"
+        "and	r12, r3, #1\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r3\n\t"
+        "sbcs	r6, r6, r3\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, #0\n\t"
+        "sbcs	r9, r9, #0\n\t"
+        "sbcs	r10, r10, r12\n\t"
+        "sbc	r14, r14, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r7, [%[r],#12]\n\t"
+        "str	r8, [%[r],#16]\n\t"
+        "str	r9, [%[r],#20]\n\t"
+        "str	r10, [%[r],#24]\n\t"
+        "str	r14, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r3", "r12"
+    );
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_tpl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r7, [%[a],#12]\n\t"
+        "ldr	r8, [%[a],#16]\n\t"
+        "ldr	r9, [%[a],#20]\n\t"
+        "ldr	r10, [%[a],#24]\n\t"
+        "ldr	r14, [%[a],#28]\n\t"
+        "adds	r4, r4, r4\n\t"
+        "adcs	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r7, r7, r7\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "adcs	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adcs	r14, r14, r14\n\t"
+        "adc	r3, r12, #0\n\t"
+        "sub	r3, r12, r3\n\t"
+        "and	r12, r3, #1\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r3\n\t"
+        "sbcs	r6, r6, r3\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, #0\n\t"
+        "sbcs	r9, r9, #0\n\t"
+        "sbcs	r10, r10, r12\n\t"
+        "sbc	r14, r14, r3\n\t"
+        "str	r8, [%[r],#16]\n\t"
+        "str	r9, [%[r],#20]\n\t"
+        "str	r10, [%[r],#24]\n\t"
+        "str	r14, [%[r],#28]\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r8, [%[a],#0]\n\t"
+        "ldr	r9, [%[a],#4]\n\t"
+        "ldr	r10, [%[a],#8]\n\t"
+        "ldr	r14, [%[a],#12]\n\t"
+        "adds	r8, r8, r4\n\t"
+        "adcs	r9, r9, r5\n\t"
+        "adcs	r10, r10, r6\n\t"
+        "adcs	r14, r14, r7\n\t"
+        "str	r8, [%[r],#0]\n\t"
+        "str	r9, [%[r],#4]\n\t"
+        "str	r10, [%[r],#8]\n\t"
+        "str	r14, [%[r],#12]\n\t"
+        "ldr	r8, [%[a],#16]\n\t"
+        "ldr	r9, [%[a],#20]\n\t"
+        "ldr	r10, [%[a],#24]\n\t"
+        "ldr	r14, [%[a],#28]\n\t"
+        "ldr	r4, [%[r],#16]\n\t"
+        "ldr	r5, [%[r],#20]\n\t"
+        "ldr	r6, [%[r],#24]\n\t"
+        "ldr	r7, [%[r],#28]\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adcs	r9, r9, r5\n\t"
+        "adcs	r10, r10, r6\n\t"
+        "adcs	r14, r14, r7\n\t"
+        "adc	r3, r12, #0\n\t"
+        "sub	r3, r12, r3\n\t"
+        "and	r12, r3, #1\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "ldr	r6, [%[r],#8]\n\t"
+        "ldr	r7, [%[r],#12]\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r3\n\t"
+        "sbcs	r6, r6, r3\n\t"
+        "sbcs	r7, r7, #0\n\t"
+        "sbcs	r8, r8, #0\n\t"
+        "sbcs	r9, r9, #0\n\t"
+        "sbcs	r10, r10, r12\n\t"
+        "sbc	r14, r14, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r7, [%[r],#12]\n\t"
+        "str	r8, [%[r],#16]\n\t"
+        "str	r9, [%[r],#20]\n\t"
+        "str	r10, [%[r],#24]\n\t"
+        "str	r14, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r3", "r12"
+    );
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r7, [%[a],#12]\n\t"
+        "ldr	r8, [%[b],#0]\n\t"
+        "ldr	r9, [%[b],#4]\n\t"
+        "ldr	r10, [%[b],#8]\n\t"
+        "ldr	r14, [%[b],#12]\n\t"
+        "subs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "sbcs	r7, r7, r14\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r7, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[a],#24]\n\t"
+        "ldr	r7, [%[a],#28]\n\t"
+        "ldr	r8, [%[b],#16]\n\t"
+        "ldr	r9, [%[b],#20]\n\t"
+        "ldr	r10, [%[b],#24]\n\t"
+        "ldr	r14, [%[b],#28]\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "sbcs	r7, r7, r14\n\t"
+        "sbc	r3, r12, #0\n\t"
+        "and	r12, r3, #1\n\t"
+        "ldr	r8, [%[r],#0]\n\t"
+        "ldr	r9, [%[r],#4]\n\t"
+        "ldr	r10, [%[r],#8]\n\t"
+        "ldr	r14, [%[r],#12]\n\t"
+        "adds	r8, r8, r3\n\t"
+        "adcs	r9, r9, r3\n\t"
+        "adcs	r10, r10, r3\n\t"
+        "adcs	r14, r14, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "adcs	r5, r5, #0\n\t"
+        "adcs	r6, r6, r12\n\t"
+        "adc	r7, r7, r3\n\t"
+        "str	r8, [%[r],#0]\n\t"
+        "str	r9, [%[r],#4]\n\t"
+        "str	r10, [%[r],#8]\n\t"
+        "str	r14, [%[r],#12]\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "str	r6, [%[r],#24]\n\t"
+        "str	r7, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r3", "r12"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_256_div2_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "and	r9, r3, #1\n\t"
+        "sub	r7, r10, r9\n\t"
+        "and	r8, r7, #1\n\t"
+        "adds	r3, r3, r7\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "adcs	r3, r3, r10\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "adc	r9, r10, r10\n\t"
+        "lsr	r7, r3, #1\n\t"
+        "and	r3, r3, #1\n\t"
+        "lsr	r8, r4, #1\n\t"
+        "lsr	r10, r5, #1\n\t"
+        "lsr	r14, r6, #1\n\t"
+        "orr	r7, r7, r4, lsl #31\n\t"
+        "orr	r8, r8, r5, lsl #31\n\t"
+        "orr	r10, r10, r6, lsl #31\n\t"
+        "orr	r14, r14, r9, lsl #31\n\t"
+        "mov	r9, r3\n\t"
+        "str	r7, [%[r], #16]\n\t"
+        "str	r8, [%[r], #20]\n\t"
+        "str	r10, [%[r], #24]\n\t"
+        "str	r14, [%[r], #28]\n\t"
+        "ldr	r3, [%[r], #0]\n\t"
+        "ldr	r4, [%[r], #4]\n\t"
+        "ldr	r5, [%[r], #8]\n\t"
+        "ldr	r6, [%[r], #12]\n\t"
+        "lsr	r7, r3, #1\n\t"
+        "lsr	r8, r4, #1\n\t"
+        "lsr	r10, r5, #1\n\t"
+        "lsr	r14, r6, #1\n\t"
+        "orr	r7, r7, r4, lsl #31\n\t"
+        "orr	r8, r8, r5, lsl #31\n\t"
+        "orr	r10, r10, r6, lsl #31\n\t"
+        "orr	r14, r14, r9, lsl #31\n\t"
+        "str	r7, [%[r], #0]\n\t"
+        "str	r8, [%[r], #4]\n\t"
+        "str	r10, [%[r], #8]\n\t"
+        "str	r14, [%[r], #12]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r10", "r14", "r9"
+    );
+
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_8(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_8(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_8(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_8(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_8(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_8(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_8(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_8(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_8(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_8(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_8(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_8(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_8(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_8(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_8(y, y, t2, p256_mod);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #32\n\t"
+        "\n1:\n\t"
+        "rsbs	%[c], %[c], #0\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "sbcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "sbc	%[c], r4, r4\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "ldr	r10, [%[b], #12]\n\t"
+        "subs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "ldr	r10, [%[b], #28]\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "sbc	%[c], %[c], #0\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_8(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_8(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_8(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_8(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_8(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_8(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_8(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_8(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, x, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, y, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_mul_8(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, y, t5, p256_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[16];
+    sp_point_256 rtd;
+    sp_digit tmpd[2 * 8 * 5];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_8(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_8(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_8(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_8(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 6;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_256));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+
+            sp_256_proj_point_add_8(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 8 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_256_point_free_8(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[8];
+    sp_digit y[8];
+} sp_table_entry_256;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_8(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*8;
+    sp_digit* b = t + 4*8;
+    sp_digit* t1 = t + 6*8;
+    sp_digit* t2 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_8(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_8(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_8(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(t2, b, p256_mod);
+        sp_256_mont_sub_8(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_8(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_8(y, b, x, p256_mod);
+        sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(y, y, p256_mod);
+        sp_256_mont_sub_8(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_8(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_8(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(t2, b, p256_mod);
+    sp_256_mont_sub_8(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_8(y, b, x, p256_mod);
+    sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    sp_256_mont_sub_8(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_8(y, y, p256_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_8(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_8(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_8(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_8(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, t3, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_8(t3, t3, x, p256_mod);
+        sp_256_mont_mul_8(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_8(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 8;
+    sp_digit* tmp = t + 4 * 8;
+
+    sp_256_mont_inv_8(t1, a->z, tmp);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_8(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_256_proj_point_dbl_n_8(t, 64, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=63; j<4; j++,x+=64) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=62; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=64) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_8(t, 32, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+        sp_256_point_from_ecc_point_8(point, gm);
+
+            err = sp_256_ecc_mulmod_8(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_256 p256_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 3 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 4 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 5 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 6 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 7 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 8 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 9 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 10 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 11 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 12 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 13 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 14 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 15 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x4147519a,0x20288602,0x26b372f0,0xd0981eac,0xa785ebc8,0xa9d4a7ca,
+        0xdbdf58e9,0xd953c50d },
+      { 0xfd590f8f,0x9d6361cc,0x44e6c917,0x72e9626b,0x22eb64cf,0x7fd96110,
+        0x9eb288f3,0x863ebb7e } },
+    /* 3 */
+    { { 0x5cdb6485,0x7856b623,0x2f0a2f97,0x808f0ea2,0x4f7e300b,0x3e68d954,
+        0xb5ff80a0,0x00076055 },
+      { 0x838d2010,0x7634eb9b,0x3243708a,0x54014fbb,0x842a6606,0xe0e47d39,
+        0x34373ee0,0x83087761 } },
+    /* 4 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 5 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 6 */
+    { { 0x720f141c,0xbbf9b48f,0x2df5bc74,0x6199b3cd,0x411045c4,0xdc3f6129,
+        0x2f7dc4ef,0xcdd6bbcb },
+      { 0xeaf436fd,0xcca6700b,0xb99326be,0x6f647f6d,0x014f2522,0x0c0fa792,
+        0x4bdae5f6,0xa361bebd } },
+    /* 7 */
+    { { 0x597c13c7,0x28aa2558,0x50b7c3e1,0xc38d635f,0xf3c09d1d,0x07039aec,
+        0xc4b5292c,0xba12ca09 },
+      { 0x59f91dfd,0x9e408fa4,0xceea07fb,0x3af43b66,0x9d780b29,0x1eceb089,
+        0x701fef4b,0x53ebb99d } },
+    /* 8 */
+    { { 0xb0e63d34,0x4fe7ee31,0xa9e54fab,0xf4600572,0xd5e7b5a4,0xc0493334,
+        0x06d54831,0x8589fb92 },
+      { 0x6583553a,0xaa70f5cc,0xe25649e5,0x0879094a,0x10044652,0xcc904507,
+        0x02541c4f,0xebb0696d } },
+    /* 9 */
+    { { 0xac1647c5,0x4616ca15,0xc4cf5799,0xb8127d47,0x764dfbac,0xdc666aa3,
+        0xd1b27da3,0xeb2820cb },
+      { 0x6a87e008,0x9406f8d8,0x922378f3,0xd87dfa9d,0x80ccecb2,0x56ed2e42,
+        0x55a7da1d,0x1f28289b } },
+    /* 10 */
+    { { 0x3b89da99,0xabbaa0c0,0xb8284022,0xa6f2d79e,0xb81c05e8,0x27847862,
+        0x05e54d63,0x337a4b59 },
+      { 0x21f7794a,0x3c67500d,0x7d6d7f61,0x207005b7,0x04cfd6e8,0x0a5a3781,
+        0xf4c2fbd6,0x0d65e0d5 } },
+    /* 11 */
+    { { 0xb5275d38,0xd9d09bbe,0x0be0a358,0x4268a745,0x973eb265,0xf0762ff4,
+        0x52f4a232,0xc23da242 },
+      { 0x0b94520c,0x5da1b84f,0xb05bd78e,0x09666763,0x94d29ea1,0x3a4dcb86,
+        0xc790cff1,0x19de3b8c } },
+    /* 12 */
+    { { 0x26c5fe04,0x183a716c,0x3bba1bdb,0x3b28de0b,0xa4cb712c,0x7432c586,
+        0x91fccbfd,0xe34dcbd4 },
+      { 0xaaa58403,0xb408d46b,0x82e97a53,0x9a697486,0x36aaa8af,0x9e390127,
+        0x7b4e0f7f,0xe7641f44 } },
+    /* 13 */
+    { { 0xdf64ba59,0x7d753941,0x0b0242fc,0xd33f10ec,0xa1581859,0x4f06dfc6,
+        0x052a57bf,0x4a12df57 },
+      { 0x9439dbd0,0xbfa6338f,0xbde53e1f,0xd3c24bd4,0x21f1b314,0xfd5e4ffa,
+        0xbb5bea46,0x6af5aa93 } },
+    /* 14 */
+    { { 0x10c91999,0xda10b699,0x2a580491,0x0a24b440,0xb8cc2090,0x3e0094b4,
+        0x66a44013,0x5fe3475a },
+      { 0xf93e7b4b,0xb0f8cabd,0x7c23f91a,0x292b501a,0xcd1e6263,0x42e889ae,
+        0xecfea916,0xb544e308 } },
+    /* 15 */
+    { { 0x16ddfdce,0x6478c6e9,0xf89179e6,0x2c329166,0x4d4e67e1,0x4e8d6e76,
+        0xa6b0c20b,0xe0b6b2bd },
+      { 0xbb7efb57,0x0d312df2,0x790c4007,0x1aac0dde,0x679bc944,0xf90336ad,
+        0x25a63774,0x71c023de } },
+    /* 16 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 17 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 18 */
+    { { 0x309a4e1f,0x1e99f581,0xe9270074,0xab7de71b,0xefd28d20,0x26a5ef0b,
+        0x7f9c563f,0xe7c0073f },
+      { 0x0ef59f76,0x1f6d663a,0x20fcb050,0x669b3b54,0x7a6602d4,0xc08c1f7a,
+        0xc65b3c0a,0xe08504fe } },
+    /* 19 */
+    { { 0xa031b3ca,0xf098f68d,0xe6da6d66,0x6d1cab9e,0x94f246e8,0x5bfd81fa,
+        0x5b0996b4,0x78f01882 },
+      { 0x3a25787f,0xb7eefde4,0x1dccac9b,0x8016f80d,0xb35bfc36,0x0cea4877,
+        0x7e94747a,0x43a773b8 } },
+    /* 20 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 21 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 22 */
+    { { 0xeacf1f96,0x6db0394a,0x024c271c,0x9f2122a9,0x82cbd3b9,0x2626ac1b,
+        0x3581ef69,0x45e58c87 },
+      { 0xa38f9dbc,0xd3ff479d,0xe888a040,0xa8aaf146,0x46e0bed7,0x945adfb2,
+        0xc1e4b7a4,0xc040e21c } },
+    /* 23 */
+    { { 0x6f8117b6,0x847af000,0x73a35433,0x651969ff,0x1d9475eb,0x482b3576,
+        0x682c6ec7,0x1cdf5c97 },
+      { 0x11f04839,0x7db775b4,0x48de1698,0x7dbeacf4,0xb70b3219,0xb2921dd1,
+        0xa92dff3d,0x046755f8 } },
+    /* 24 */
+    { { 0xbce8ffcd,0xcc8ac5d2,0x2fe61a82,0x0d53c48b,0x7202d6c7,0xf6f16172,
+        0x3b83a5f3,0x046e5e11 },
+      { 0xd8007f01,0xe7b8ff64,0x5af43183,0x7fb1ef12,0x35e1a03c,0x045c5ea6,
+        0x303d005b,0x6e0106c3 } },
+    /* 25 */
+    { { 0x88dd73b1,0x48c73584,0x995ed0d9,0x7670708f,0xc56a2ab7,0x38385ea8,
+        0xe901cf1f,0x442594ed },
+      { 0x12d4b65b,0xf8faa2c9,0x96c90c37,0x94c2343b,0x5e978d1f,0xd326e4a1,
+        0x4c2ee68e,0xa796fa51 } },
+    /* 26 */
+    { { 0x823addd7,0x359fb604,0xe56693b3,0x9e2a6183,0x3cbf3c80,0xf885b78e,
+        0xc69766e9,0xe4ad2da9 },
+      { 0x8e048a61,0x357f7f42,0xc092d9a0,0x082d198c,0xc03ed8ef,0xfc3a1af4,
+        0xc37b5143,0xc5e94046 } },
+    /* 27 */
+    { { 0x2be75f9e,0x476a538c,0xcb123a78,0x6fd1a9e8,0xb109c04b,0xd85e4df0,
+        0xdb464747,0x63283daf },
+      { 0xbaf2df15,0xce728cf7,0x0ad9a7f4,0xe592c455,0xe834bcc3,0xfab226ad,
+        0x1981a938,0x68bd19ab } },
+    /* 28 */
+    { { 0x1887d659,0xc08ead51,0xb359305a,0x3374d5f4,0xcfe74fe3,0x96986981,
+        0x3c6fdfd6,0x495292f5 },
+      { 0x1acec896,0x4a878c9e,0xec5b4484,0xd964b210,0x664d60a7,0x6696f7e2,
+        0x26036837,0x0ec7530d } },
+    /* 29 */
+    { { 0xad2687bb,0x2da13a05,0xf32e21fa,0xa1f83b6a,0x1dd4607b,0x390f5ef5,
+        0x64863f0b,0x0f6207a6 },
+      { 0x0f138233,0xbd67e3bb,0x272aa718,0xdd66b96c,0x26ec88ae,0x8ed00407,
+        0x08ed6dcf,0xff0db072 } },
+    /* 30 */
+    { { 0x4c95d553,0x749fa101,0x5d680a8a,0xa44052fd,0xff3b566f,0x183b4317,
+        0x88740ea3,0x313b513c },
+      { 0x08d11549,0xb402e2ac,0xb4dee21c,0x071ee10b,0x47f2320e,0x26b987dd,
+        0x86f19f81,0x2d3abcf9 } },
+    /* 31 */
+    { { 0x815581a2,0x4c288501,0x632211af,0x9a0a6d56,0x0cab2e99,0x19ba7a0f,
+        0xded98cdf,0xc036fa10 },
+      { 0xc1fbd009,0x29ae08ba,0x06d15816,0x0b68b190,0x9b9e0d8f,0xc2eb3277,
+        0xb6d40194,0xa6b2a2c4 } },
+    /* 32 */
+    { { 0x6d3549cf,0xd433e50f,0xfacd665e,0x6f33696f,0xce11fcb4,0x695bfdac,
+        0xaf7c9860,0x810ee252 },
+      { 0x7159bb2c,0x65450fe1,0x758b357b,0xf7dfbebe,0xd69fea72,0x2b057e74,
+        0x92731745,0xd485717a } },
+    /* 33 */
+    { { 0xf0cb5a98,0x11741a8a,0x1f3110bf,0xd3da8f93,0xab382adf,0x1994e2cb,
+        0x2f9a604e,0x6a6045a7 },
+      { 0xa2b2411d,0x170c0d3f,0x510e96e0,0xbe0eb83e,0x8865b3cc,0x3bcc9f73,
+        0xf9e15790,0xd3e45cfa } },
+    /* 34 */
+    { { 0xe83f7669,0xce1f69bb,0x72877d6b,0x09f8ae82,0x3244278d,0x9548ae54,
+        0xe3c2c19c,0x207755de },
+      { 0x6fef1945,0x87bd61d9,0xb12d28c3,0x18813cef,0x72df64aa,0x9fbcd1d6,
+        0x7154b00d,0x48dc5ee5 } },
+    /* 35 */
+    { { 0xf7e5a199,0x123790bf,0x989ccbb7,0xe0efb8cf,0x0a519c79,0xc27a2bfe,
+        0xdff6f445,0xf2fb0aed },
+      { 0xf0b5025f,0x41c09575,0x40fa9f22,0x550543d7,0x380bfbd0,0x8fa3c8ad,
+        0xdb28d525,0xa13e9015 } },
+    /* 36 */
+    { { 0xa2b65cbc,0xf9f7a350,0x2a464226,0x0b04b972,0xe23f07a1,0x265ce241,
+        0x1497526f,0x2bf0d6b0 },
+      { 0x4b216fb7,0xd3d4dd3f,0xfbdda26a,0xf7d7b867,0x6708505c,0xaeb7b83f,
+        0x162fe89f,0x42a94a5a } },
+    /* 37 */
+    { { 0xeaadf191,0x5846ad0b,0x25a268d7,0x0f8a4890,0x494dc1f6,0xe8603050,
+        0xc65ede3d,0x2c2dd969 },
+      { 0x93849c17,0x6d02171d,0x1da250dd,0x460488ba,0x3c3a5485,0x4810c706,
+        0x42c56dbc,0xf437fa1f } },
+    /* 38 */
+    { { 0x4a0f7dab,0x6aa0d714,0x1776e9ac,0x0f049793,0xf5f39786,0x52c0a050,
+        0x54707aa8,0xaaf45b33 },
+      { 0xc18d364a,0x85e37c33,0x3e497165,0xd40b9b06,0x15ec5444,0xf4171681,
+        0xf4f272bc,0xcdf6310d } },
+    /* 39 */
+    { { 0x8ea8b7ef,0x7473c623,0x85bc2287,0x08e93518,0x2bda8e34,0x41956772,
+        0xda9e2ff2,0xf0d008ba },
+      { 0x2414d3b1,0x2912671d,0xb019ea76,0xb3754985,0x453bcbdb,0x5c61b96d,
+        0xca887b8b,0x5bd5c2f5 } },
+    /* 40 */
+    { { 0xf49a3154,0xef0f469e,0x6e2b2e9a,0x3e85a595,0xaa924a9c,0x45aaec1e,
+        0xa09e4719,0xaa12dfc8 },
+      { 0x4df69f1d,0x26f27227,0xa2ff5e73,0xe0e4c82c,0xb7a9dd44,0xb9d8ce73,
+        0xe48ca901,0x6c036e73 } },
+    /* 41 */
+    { { 0x0f6e3138,0x5cfae12a,0x25ad345a,0x6966ef00,0x45672bc5,0x8993c64b,
+        0x96afbe24,0x292ff658 },
+      { 0x5e213402,0xd5250d44,0x4392c9fe,0xf6580e27,0xda1c72e8,0x097b397f,
+        0x311b7276,0x644e0c90 } },
+    /* 42 */
+    { { 0xa47153f0,0xe1e421e1,0x920418c9,0xb86c3b79,0x705d7672,0x93bdce87,
+        0xcab79a77,0xf25ae793 },
+      { 0x6d869d0c,0x1f3194a3,0x4986c264,0x9d55c882,0x096e945e,0x49fb5ea3,
+        0x13db0a3e,0x39b8e653 } },
+    /* 43 */
+    { { 0xb6fd2e59,0x37754200,0x9255c98f,0x35e2c066,0x0e2a5739,0xd9dab21a,
+        0x0f19db06,0x39122f2f },
+      { 0x03cad53c,0xcfbce1e0,0xe65c17e3,0x225b2c0f,0x9aa13877,0x72baf1d2,
+        0xce80ff8d,0x8de80af8 } },
+    /* 44 */
+    { { 0x207bbb76,0xafbea8d9,0x21782758,0x921c7e7c,0x1c0436b1,0xdfa2b74b,
+        0x2e368c04,0x87194906 },
+      { 0xa3993df5,0xb5f928bb,0xf3b3d26a,0x639d75b5,0x85b55050,0x011aa78a,
+        0x5b74fde1,0xfc315e6a } },
+    /* 45 */
+    { { 0xe8d6ecfa,0x561fd41a,0x1aec7f86,0x5f8c44f6,0x4924741d,0x98452a7b,
+        0xee389088,0xe6d4a7ad },
+      { 0x4593c75d,0x60552ed1,0xdd271162,0x70a70da4,0x7ba2c7db,0xd2aede93,
+        0x9be2ae57,0x35dfaf9a } },
+    /* 46 */
+    { { 0xaa736636,0x6b956fcd,0xae2cab7e,0x09f51d97,0x0f349966,0xfb10bf41,
+        0x1c830d2b,0x1da5c7d7 },
+      { 0x3cce6825,0x5c41e483,0xf9573c3b,0x15ad118f,0xf23036b8,0xa28552c7,
+        0xdbf4b9d6,0x7077c0fd } },
+    /* 47 */
+    { { 0x46b9661c,0xbf63ff8d,0x0d2cfd71,0xa1dfd36b,0xa847f8f7,0x0373e140,
+        0xe50efe44,0x53a8632e },
+      { 0x696d8051,0x0976ff68,0xc74f468a,0xdaec0c95,0x5e4e26bd,0x62994dc3,
+        0x34e1fcc1,0x028ca76d } },
+    /* 48 */
+    { { 0xfc9877ee,0xd11d47dc,0x801d0002,0xc8b36210,0x54c260b6,0xd002c117,
+        0x6962f046,0x04c17cd8 },
+      { 0xb0daddf5,0x6d9bd094,0x24ce55c0,0xbea23575,0x72da03b5,0x663356e6,
+        0xfed97474,0xf7ba4de9 } },
+    /* 49 */
+    { { 0xebe1263f,0xd0dbfa34,0x71ae7ce6,0x55763735,0x82a6f523,0xd2440553,
+        0x52131c41,0xe31f9600 },
+      { 0xea6b6ec6,0xd1bb9216,0x73c2fc44,0x37a1d12e,0x89d0a294,0xc10e7eac,
+        0xce34d47b,0xaa3a6259 } },
+    /* 50 */
+    { { 0x36f3dcd3,0xfbcf9df5,0xd2bf7360,0x6ceded50,0xdf504f5b,0x491710fa,
+        0x7e79daee,0x2398dd62 },
+      { 0x6d09569e,0xcf4705a3,0x5149f769,0xea0619bb,0x35f6034c,0xff9c0377,
+        0x1c046210,0x5717f5b2 } },
+    /* 51 */
+    { { 0x21dd895e,0x9fe229c9,0x40c28451,0x8e518500,0x1d637ecd,0xfa13d239,
+        0x0e3c28de,0x660a2c56 },
+      { 0xd67fcbd0,0x9cca88ae,0x0ea9f096,0xc8472478,0x72e92b4d,0x32b2f481,
+        0x4f522453,0x624ee54c } },
+    /* 52 */
+    { { 0xd897eccc,0x09549ce4,0x3f9880aa,0x4d49d1d9,0x043a7c20,0x723c2423,
+        0x92bdfbc0,0x4f392afb },
+      { 0x7de44fd9,0x6969f8fa,0x57b32156,0xb66cfbe4,0x368ebc3c,0xdb2fa803,
+        0xccdb399c,0x8a3e7977 } },
+    /* 53 */
+    { { 0x06c4b125,0xdde1881f,0xf6e3ca8c,0xae34e300,0x5c7a13e9,0xef6999de,
+        0x70c24404,0x3888d023 },
+      { 0x44f91081,0x76280356,0x5f015504,0x3d9fcf61,0x632cd36e,0x1827edc8,
+        0x18102336,0xa5e62e47 } },
+    /* 54 */
+    { { 0x2facd6c8,0x1a825ee3,0x54bcbc66,0x699c6354,0x98df9931,0x0ce3edf7,
+        0x466a5adc,0x2c4768e6 },
+      { 0x90a64bc9,0xb346ff8c,0xe4779f5c,0x630a6020,0xbc05e884,0xd949d064,
+        0xf9e652a0,0x7b5e6441 } },
+    /* 55 */
+    { { 0x1d28444a,0x2169422c,0xbe136a39,0xe996c5d8,0xfb0c7fce,0x2387afe5,
+        0x0c8d744a,0xb8af73cb },
+      { 0x338b86fd,0x5fde83aa,0xa58a5cff,0xfee3f158,0x20ac9433,0xc9ee8f6f,
+        0x7f3f0895,0xa036395f } },
+    /* 56 */
+    { { 0xa10f7770,0x8c73c6bb,0xa12a0e24,0xa6f16d81,0x51bc2b9f,0x100df682,
+        0x875fb533,0x4be36b01 },
+      { 0x9fb56dbb,0x9226086e,0x07e7a4f8,0x306fef8b,0x66d52f20,0xeeaccc05,
+        0x1bdc00c0,0x8cbc9a87 } },
+    /* 57 */
+    { { 0xc0dac4ab,0xe131895c,0x712ff112,0xa874a440,0x6a1cee57,0x6332ae7c,
+        0x0c0835f8,0x44e7553e },
+      { 0x7734002d,0x6d503fff,0x0b34425c,0x9d35cb8b,0x0e8738b5,0x95f70276,
+        0x5eb8fc18,0x470a683a } },
+    /* 58 */
+    { { 0x90513482,0x81b761dc,0x01e9276a,0x0287202a,0x0ce73083,0xcda441ee,
+        0xc63dc6ef,0x16410690 },
+      { 0x6d06a2ed,0xf5034a06,0x189b100b,0xdd4d7745,0xab8218c9,0xd914ae72,
+        0x7abcbb4f,0xd73479fd } },
+    /* 59 */
+    { { 0x5ad4c6e5,0x7edefb16,0x5b06d04d,0x262cf08f,0x8575cb14,0x12ed5bb1,
+        0x0771666b,0x816469e3 },
+      { 0x561e291e,0xd7ab9d79,0xc1de1661,0xeb9daf22,0x135e0513,0xf49827eb,
+        0xf0dd3f9c,0x0a36dd23 } },
+    /* 60 */
+    { { 0x41d5533c,0x098d32c7,0x8684628f,0x7c5f5a9e,0xe349bd11,0x39a228ad,
+        0xfdbab118,0xe331dfd6 },
+      { 0x6bcc6ed8,0x5100ab68,0xef7a260e,0x7160c3bd,0xbce850d7,0x9063d9a7,
+        0x492e3389,0xd3b4782a } },
+    /* 61 */
+    { { 0xf3821f90,0xa149b6e8,0x66eb7aad,0x92edd9ed,0x1a013116,0x0bb66953,
+        0x4c86a5bd,0x7281275a },
+      { 0xd3ff47e5,0x503858f7,0x61016441,0x5e1616bc,0x7dfd9bb1,0x62b0f11a,
+        0xce145059,0x2c062e7e } },
+    /* 62 */
+    { { 0x0159ac2e,0xa76f996f,0xcbdb2713,0x281e7736,0x08e46047,0x2ad6d288,
+        0x2c4e7ef1,0x282a35f9 },
+      { 0xc0ce5cd2,0x9c354b1e,0x1379c229,0xcf99efc9,0x3e82c11e,0x992caf38,
+        0x554d2abd,0xc71cd513 } },
+    /* 63 */
+    { { 0x09b578f4,0x4885de9c,0xe3affa7a,0x1884e258,0x59182f1f,0x8f76b1b7,
+        0xcf47f3a3,0xc50f6740 },
+      { 0x374b68ea,0xa9c4adf3,0x69965fe2,0xa406f323,0x85a53050,0x2f86a222,
+        0x212958dc,0xb9ecb3a7 } },
+    /* 64 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 65 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 66 */
+    { { 0xf41500d9,0x857ab6ed,0xfcbeada8,0x0d890ae5,0x89725951,0x52fe8648,
+        0xc0a3fadd,0xb0288dd6 },
+      { 0x650bcb08,0x85320f30,0x695d6e16,0x71af6313,0xb989aa76,0x31f520a7,
+        0xf408c8d2,0xffd3724f } },
+    /* 67 */
+    { { 0xb458e6cb,0x53968e64,0x317a5d28,0x992dad20,0x7aa75f56,0x3814ae0b,
+        0xd78c26df,0xf5590f4a },
+      { 0xcf0ba55a,0x0fc24bd3,0x0c778bae,0x0fc4724a,0x683b674a,0x1ce9864f,
+        0xf6f74a20,0x18d6da54 } },
+    /* 68 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 69 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 70 */
+    { { 0x1e9af288,0x55f655bb,0xf7ada931,0x647e1a64,0xcb2820e5,0x43697e4b,
+        0x07ed56ff,0x51e00db1 },
+      { 0x771c327e,0x43d169b8,0x4a96c2ad,0x29cdb20b,0x3deb4779,0xc07d51f5,
+        0x49829177,0xe22f4241 } },
+    /* 71 */
+    { { 0x635f1abb,0xcd45e8f4,0x68538874,0x7edc0cb5,0xb5a8034d,0xc9472c1f,
+        0x52dc48c9,0xf709373d },
+      { 0xa8af30d6,0x401966bb,0xf137b69c,0x95bf5f4a,0x9361c47e,0x3966162a,
+        0xe7275b11,0xbd52d288 } },
+    /* 72 */
+    { { 0x9c5fa877,0xab155c7a,0x7d3a3d48,0x17dad672,0x73d189d8,0x43f43f9e,
+        0xc8aa77a6,0xa0d0f8e4 },
+      { 0xcc94f92d,0x0bbeafd8,0x0c4ddb3a,0xd818c8be,0xb82eba14,0x22cc65f8,
+        0x946d6a00,0xa56c78c7 } },
+    /* 73 */
+    { { 0x0dd09529,0x2962391b,0x3daddfcf,0x803e0ea6,0x5b5bf481,0x2c77351f,
+        0x731a367a,0xd8befdf8 },
+      { 0xfc0157f4,0xab919d42,0xfec8e650,0xf51caed7,0x02d48b0a,0xcdf9cb40,
+        0xce9f6478,0x854a68a5 } },
+    /* 74 */
+    { { 0x63506ea5,0xdc35f67b,0xa4fe0d66,0x9286c489,0xfe95cd4d,0x3f101d3b,
+        0x98846a95,0x5cacea0b },
+      { 0x9ceac44d,0xa90df60c,0x354d1c3a,0x3db29af4,0xad5dbabe,0x08dd3de8,
+        0x35e4efa9,0xe4982d12 } },
+    /* 75 */
+    { { 0xc34cd55e,0x23104a22,0x2680d132,0x58695bb3,0x1fa1d943,0xfb345afa,
+        0x16b20499,0x8046b7f6 },
+      { 0x38e7d098,0xb533581e,0xf46f0b70,0xd7f61e8d,0x44cb78c4,0x30dea9ea,
+        0x9082af55,0xeb17ca7b } },
+    /* 76 */
+    { { 0x76a145b9,0x1751b598,0xc1bc71ec,0xa5cf6b0f,0x392715bb,0xd3e03565,
+        0xfab5e131,0x097b00ba },
+      { 0x565f69e1,0xaa66c8e9,0xb5be5199,0x77e8f75a,0xda4fd984,0x6033ba11,
+        0xafdbcc9e,0xf95c747b } },
+    /* 77 */
+    { { 0xbebae45e,0x558f01d3,0xc4bc6955,0xa8ebe9f0,0xdbc64fc6,0xaeb705b1,
+        0x566ed837,0x3512601e },
+      { 0xfa1161cd,0x9336f1e1,0x4c65ef87,0x328ab8d5,0x724f21e5,0x4757eee2,
+        0x6068ab6b,0x0ef97123 } },
+    /* 78 */
+    { { 0x54ca4226,0x02598cf7,0xf8642c8e,0x5eede138,0x468e1790,0x48963f74,
+        0x3b4fbc95,0xfc16d933 },
+      { 0xe7c800ca,0xbe96fb31,0x2678adaa,0x13806331,0x6ff3e8b5,0x3d624497,
+        0xb95d7a17,0x14ca4af1 } },
+    /* 79 */
+    { { 0xbd2f81d5,0x7a4771ba,0x01f7d196,0x1a5f9d69,0xcad9c907,0xd898bef7,
+        0xf59c231d,0x4057b063 },
+      { 0x89c05c0a,0xbffd82fe,0x1dc0df85,0xe4911c6f,0xa35a16db,0x3befccae,
+        0xf1330b13,0x1c3b5d64 } },
+    /* 80 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 81 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 82 */
+    { { 0x84e35743,0x32aa3202,0x85a3cdef,0x320d6ab1,0x1df19819,0xb821b176,
+        0xc433851f,0x5721361f },
+      { 0x71fc9168,0x1f0db36a,0x5e5c403c,0x5f98ba73,0x37bcd8f5,0xf64ca87e,
+        0xe6bb11bd,0xdcbac3c9 } },
+    /* 83 */
+    { { 0x4518cbe2,0xf01d9968,0x9c9eb04e,0xd242fc18,0xe47feebf,0x727663c7,
+        0x2d626862,0xb8c1c89e },
+      { 0xc8e1d569,0x51a58bdd,0xb7d88cd0,0x563809c8,0xf11f31eb,0x26c27fd9,
+        0x2f9422d4,0x5d23bbda } },
+    /* 84 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 85 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+    /* 86 */
+    { { 0x562976cc,0xbda5f14e,0x0ef12c38,0x22bca3e6,0x6cca9852,0xbbfa3064,
+        0x08e2987a,0xbdb79dc8 },
+      { 0xcb06a772,0xfd2cb5c9,0xfe536dce,0x38f475aa,0x7c2b5db8,0xc2a3e022,
+        0xadd3c14a,0x8ee86001 } },
+    /* 87 */
+    { { 0xa4ade873,0xcbe96981,0xc4fba48c,0x7ee9aa4d,0x5a054ba5,0x2cee2899,
+        0x6f77aa4b,0x92e51d7a },
+      { 0x7190a34d,0x948bafa8,0xf6bd1ed1,0xd698f75b,0x0caf1144,0xd00ee6e3,
+        0x0a56aaaa,0x5182f86f } },
+    /* 88 */
+    { { 0x7a4cc99c,0xfba6212c,0x3e6d9ca1,0xff609b68,0x5ac98c5a,0x5dbb27cb,
+        0x4073a6f2,0x91dcab5d },
+      { 0x5f575a70,0x01b6cc3d,0x6f8d87fa,0x0cb36139,0x89981736,0x165d4e8c,
+        0x97974f2b,0x17a0cedb } },
+    /* 89 */
+    { { 0x076c8d3a,0x38861e2a,0x210f924b,0x701aad39,0x13a835d9,0x94d0eae4,
+        0x7f4cdf41,0x2e8ce36c },
+      { 0x037a862b,0x91273dab,0x60e4c8fa,0x01ba9bb7,0x33baf2dd,0xf9645388,
+        0x34f668f3,0xf4ccc6cb } },
+    /* 90 */
+    { { 0xf1f79687,0x44ef525c,0x92efa815,0x7c595495,0xa5c78d29,0xe1231741,
+        0x9a0df3c9,0xac0db488 },
+      { 0xdf01747f,0x86bfc711,0xef17df13,0x592b9358,0x5ccb6bb5,0xe5880e4f,
+        0x94c974a2,0x95a64a61 } },
+    /* 91 */
+    { { 0xc15a4c93,0x72c1efda,0x82585141,0x40269b73,0x16cb0bad,0x6a8dfb1c,
+        0x29210677,0x231e54ba },
+      { 0x8ae6d2dc,0xa70df917,0x39112918,0x4d6aa63f,0x5e5b7223,0xf627726b,
+        0xd8a731e1,0xab0be032 } },
+    /* 92 */
+    { { 0x8d131f2d,0x097ad0e9,0x3b04f101,0x637f09e3,0xd5e9a748,0x1ac86196,
+        0x2cf6a679,0xf1bcc880 },
+      { 0xe8daacb4,0x25c69140,0x60f65009,0x3c4e4055,0x477937a6,0x591cc8fc,
+        0x5aebb271,0x85169469 } },
+    /* 93 */
+    { { 0xf1dcf593,0xde35c143,0xb018be3b,0x78202b29,0x9bdd9d3d,0xe9cdadc2,
+        0xdaad55d8,0x8f67d9d2 },
+      { 0x7481ea5f,0x84111656,0xe34c590c,0xe7d2dde9,0x05053fa8,0xffdd43f4,
+        0xc0728b5d,0xf84572b9 } },
+    /* 94 */
+    { { 0x97af71c9,0x5e1a7a71,0x7a736565,0xa1449444,0x0e1d5063,0xa1b4ae07,
+        0x616b2c19,0xedee2710 },
+      { 0x11734121,0xb2f034f5,0x4a25e9f0,0x1cac6e55,0xa40c2ecf,0x8dc148f3,
+        0x44ebd7f4,0x9fd27e9b } },
+    /* 95 */
+    { { 0xf6e2cb16,0x3cc7658a,0xfe5919b6,0xe3eb7d2c,0x168d5583,0x5a8c5816,
+        0x958ff387,0xa40c2fb6 },
+      { 0xfedcc158,0x8c9ec560,0x55f23056,0x7ad804c6,0x9a307e12,0xd9396704,
+        0x7dc6decf,0x99bc9bb8 } },
+    /* 96 */
+    { { 0x927dafc6,0x84a9521d,0x5c09cd19,0x52c1fb69,0xf9366dde,0x9d9581a0,
+        0xa16d7e64,0x9abe210b },
+      { 0x48915220,0x480af84a,0x4dd816c6,0xfa73176a,0x1681ca5a,0xc7d53987,
+        0x87f344b0,0x7881c257 } },
+    /* 97 */
+    { { 0xe0bcf3ff,0x93399b51,0x127f74f6,0x0d02cbc5,0xdd01d968,0x8fb465a2,
+        0xa30e8940,0x15e6e319 },
+      { 0x3e0e05f4,0x646d6e0d,0x43588404,0xfad7bddc,0xc4f850d3,0xbe61c7d1,
+        0x191172ce,0x0e55facf } },
+    /* 98 */
+    { { 0xf8787564,0x7e9d9806,0x31e85ce6,0x1a331721,0xb819e8d6,0x6b0158ca,
+        0x6fe96577,0xd73d0976 },
+      { 0x1eb7206e,0x42483425,0xc618bb42,0xa519290f,0x5e30a520,0x5dcbb859,
+        0x8f15a50b,0x9250a374 } },
+    /* 99 */
+    { { 0xbe577410,0xcaff08f8,0x5077a8c6,0xfd408a03,0xec0a63a4,0xf1f63289,
+        0xc1cc8c0b,0x77414082 },
+      { 0xeb0991cd,0x05a40fa6,0x49fdc296,0xc1ca0866,0xb324fd40,0x3a68a3c7,
+        0x12eb20b9,0x8cb04f4d } },
+    /* 100 */
+    { { 0x6906171c,0xb1c2d055,0xb0240c3f,0x9073e9cd,0xd8906841,0xdb8e6b4f,
+        0x47123b51,0xe4e429ef },
+      { 0x38ec36f4,0x0b8dd53c,0xff4b6a27,0xf9d2dc01,0x879a9a48,0x5d066e07,
+        0x3c6e6552,0x37bca2ff } },
+    /* 101 */
+    { { 0xdf562470,0x4cd2e3c7,0xc0964ac9,0x44f272a2,0x80c793be,0x7c6d5df9,
+        0x3002b22a,0x59913edc },
+      { 0x5750592a,0x7a139a83,0xe783de02,0x99e01d80,0xea05d64f,0xcf8c0375,
+        0xb013e226,0x43786e4a } },
+    /* 102 */
+    { { 0x9e56b5a6,0xff32b0ed,0xd9fc68f9,0x0750d9a6,0x597846a7,0xec15e845,
+        0xb7e79e7a,0x8638ca98 },
+      { 0x0afc24b2,0x2f5ae096,0x4dace8f2,0x05398eaf,0xaecba78f,0x3b765dd0,
+        0x7b3aa6f0,0x1ecdd36a } },
+    /* 103 */
+    { { 0x6c5ff2f3,0x5d3acd62,0x2873a978,0xa2d516c0,0xd2110d54,0xad94c9fa,
+        0xd459f32d,0xd85d0f85 },
+      { 0x10b11da3,0x9f700b8d,0xa78318c4,0xd2c22c30,0x9208decd,0x556988f4,
+        0xb4ed3c62,0xa04f19c3 } },
+    /* 104 */
+    { { 0xed7f93bd,0x087924c8,0x392f51f6,0xcb64ac5d,0x821b71af,0x7cae330a,
+        0x5c0950b0,0x92b2eeea },
+      { 0x85b6e235,0x85ac4c94,0x2936c0f0,0xab2ca4a9,0xe0508891,0x80faa6b3,
+        0x5834276c,0x1ee78221 } },
+    /* 105 */
+    { { 0xe63e79f7,0xa60a2e00,0xf399d906,0xf590e7b2,0x6607c09d,0x9021054a,
+        0x57a6e150,0xf3f2ced8 },
+      { 0xf10d9b55,0x200510f3,0xd8642648,0x9d2fcfac,0xe8bd0e7c,0xe5631aa7,
+        0x3da3e210,0x0f56a454 } },
+    /* 106 */
+    { { 0x1043e0df,0x5b21bffa,0x9c007e6d,0x6c74b6cc,0xd4a8517a,0x1a656ec0,
+        0x1969e263,0xbd8f1741 },
+      { 0xbeb7494a,0x8a9bbb86,0x45f3b838,0x1567d46f,0xa4e5a79a,0xdf7a12a7,
+        0x30ccfa09,0x2d1a1c35 } },
+    /* 107 */
+    { { 0x506508da,0x192e3813,0xa1d795a7,0x336180c4,0x7a9944b3,0xcddb5949,
+        0xb91fba46,0xa107a65e },
+      { 0x0f94d639,0xe6d1d1c5,0x8a58b7d7,0x8b4af375,0xbd37ca1c,0x1a7c5584,
+        0xf87a9af2,0x183d760a } },
+    /* 108 */
+    { { 0x0dde59a4,0x29d69711,0x0e8bef87,0xf1ad8d07,0x4f2ebe78,0x229b4963,
+        0xc269d754,0x1d44179d },
+      { 0x8390d30e,0xb32dc0cf,0x0de8110c,0x0a3b2753,0x2bc0339a,0x31af1dc5,
+        0x9606d262,0x771f9cc2 } },
+    /* 109 */
+    { { 0x85040739,0x99993e77,0x8026a939,0x44539db9,0xf5f8fc26,0xcf40f6f2,
+        0x0362718e,0x64427a31 },
+      { 0x85428aa8,0x4f4f2d87,0xebfb49a8,0x7b7adc3f,0xf23d01ac,0x201b2c6d,
+        0x6ae90d6d,0x49d9b749 } },
+    /* 110 */
+    { { 0x435d1099,0xcc78d8bc,0x8e8d1a08,0x2adbcd4e,0x2cb68a41,0x02c2e2a0,
+        0x3f605445,0x9037d81b },
+      { 0x074c7b61,0x7cdbac27,0x57bfd72e,0xfe2031ab,0x596d5352,0x61ccec96,
+        0x7cc0639c,0x08c3de6a } },
+    /* 111 */
+    { { 0xf6d552ab,0x20fdd020,0x05cd81f1,0x56baff98,0x91351291,0x06fb7c3e,
+        0x45796b2f,0xc6909442 },
+      { 0x41231bd1,0x17b3ae9c,0x5cc58205,0x1eac6e87,0xf9d6a122,0x208837ab,
+        0xcafe3ac0,0x3fa3db02 } },
+    /* 112 */
+    { { 0x05058880,0xd75a3e65,0x643943f2,0x7da365ef,0xfab24925,0x4147861c,
+        0xfdb808ff,0xc5c4bdb0 },
+      { 0xb272b56b,0x73513e34,0x11b9043a,0xc8327e95,0xf8844969,0xfd8ce37d,
+        0x46c2b6b5,0x2d56db94 } },
+    /* 113 */
+    { { 0xff46ac6b,0x2461782f,0x07a2e425,0xd19f7926,0x09a48de1,0xfafea3c4,
+        0xe503ba42,0x0f56bd9d },
+      { 0x345cda49,0x137d4ed1,0x816f299d,0x821158fc,0xaeb43402,0xe7c6a54a,
+        0x1173b5f1,0x4003bb9d } },
+    /* 114 */
+    { { 0xa0803387,0x3b8e8189,0x39cbd404,0xece115f5,0xd2877f21,0x4297208d,
+        0xa07f2f9e,0x53765522 },
+      { 0xa8a4182d,0xa4980a21,0x3219df79,0xa2bbd07a,0x1a19a2d4,0x674d0a2e,
+        0x6c5d4549,0x7a056f58 } },
+    /* 115 */
+    { { 0x9d8a2a47,0x646b2558,0xc3df2773,0x5b582948,0xabf0d539,0x51ec000e,
+        0x7a1a2675,0x77d482f1 },
+      { 0x87853948,0xb8a1bd95,0x6cfbffee,0xa6f817bd,0x80681e47,0xab6ec057,
+        0x2b38b0e4,0x4115012b } },
+    /* 116 */
+    { { 0x6de28ced,0x3c73f0f4,0x9b13ec47,0x1d5da760,0x6e5c6392,0x61b8ce9e,
+        0xfbea0946,0xcdf04572 },
+      { 0x6c53c3b0,0x1cb3c58b,0x447b843c,0x97fe3c10,0x2cb9780e,0xfb2b8ae1,
+        0x97383109,0xee703dda } },
+    /* 117 */
+    { { 0xff57e43a,0x34515140,0xb1b811b8,0xd44660d3,0x8f42b986,0x2b3b5dff,
+        0xa162ce21,0x2a0ad89d },
+      { 0x6bc277ba,0x64e4a694,0xc141c276,0xc788c954,0xcabf6274,0x141aa64c,
+        0xac2b4659,0xd62d0b67 } },
+    /* 118 */
+    { { 0x2c054ac4,0x39c5d87b,0xf27df788,0x57005859,0xb18128d6,0xedf7cbf3,
+        0x991c2426,0xb39a23f2 },
+      { 0xf0b16ae5,0x95284a15,0xa136f51b,0x0c6a05b1,0xf2700783,0x1d63c137,
+        0xc0674cc5,0x04ed0092 } },
+    /* 119 */
+    { { 0x9ae90393,0x1f4185d1,0x4a3d64e6,0x3047b429,0x9854fc14,0xae0001a6,
+        0x0177c387,0xa0a91fc1 },
+      { 0xae2c831e,0xff0a3f01,0x2b727e16,0xbb76ae82,0x5a3075b4,0x8f12c8a1,
+        0x9ed20c41,0x084cf988 } },
+    /* 120 */
+    { { 0xfca6becf,0xd98509de,0x7dffb328,0x2fceae80,0x4778e8b9,0x5d8a15c4,
+        0x73abf77e,0xd57955b2 },
+      { 0x31b5d4f1,0x210da79e,0x3cfa7a1c,0xaa52f04b,0xdc27c20b,0xd4d12089,
+        0x02d141f1,0x8e14ea42 } },
+    /* 121 */
+    { { 0xf2897042,0xeed50345,0x43402c4a,0x8d05331f,0xc8bdfb21,0xc8d9c194,
+        0x2aa4d158,0x597e1a37 },
+      { 0xcf0bd68c,0x0327ec1a,0xab024945,0x6d4be0dc,0xc9fe3e84,0x5b9c8d7a,
+        0x199b4dea,0xca3f0236 } },
+    /* 122 */
+    { { 0x6170bd20,0x592a10b5,0x6d3f5de7,0x0ea897f1,0x44b2ade2,0xa3363ff1,
+        0x309c07e4,0xbde7fd7e },
+      { 0xb8f5432c,0x516bb6d2,0xe043444b,0x210dc1cb,0xf8f95b5a,0x3db01e6f,
+        0x0a7dd198,0xb623ad0e } },
+    /* 123 */
+    { { 0x60c7b65b,0xa75bd675,0x23a4a289,0xab8c5590,0xd7b26795,0xf8220fd0,
+        0x58ec137b,0xd6aa2e46 },
+      { 0x5138bb85,0x10abc00b,0xd833a95c,0x8c31d121,0x1702a32e,0xb24ff00b,
+        0x2dcc513a,0x111662e0 } },
+    /* 124 */
+    { { 0xefb42b87,0x78114015,0x1b6c4dff,0xbd9f5d70,0xa7d7c129,0x66ecccd7,
+        0x94b750f8,0xdb3ee1cb },
+      { 0xf34837cf,0xb26f3db0,0xb9578d4f,0xe7eed18b,0x7c56657d,0x5d2cdf93,
+        0x52206a59,0x886a6442 } },
+    /* 125 */
+    { { 0x65b569ea,0x3c234cfb,0xf72119c1,0x20011141,0xa15a619e,0x8badc85d,
+        0x018a17bc,0xa70cf4eb },
+      { 0x8c4a6a65,0x224f97ae,0x0134378f,0x36e5cf27,0x4f7e0960,0xbe3a609e,
+        0xd1747b77,0xaa4772ab } },
+    /* 126 */
+    { { 0x7aa60cc0,0x67676131,0x0368115f,0xc7916361,0xbbc1bb5a,0xded98bb4,
+        0x30faf974,0x611a6ddc },
+      { 0xc15ee47a,0x30e78cbc,0x4e0d96a5,0x2e896282,0x3dd9ed88,0x36f35adf,
+        0x16429c88,0x5cfffaf8 } },
+    /* 127 */
+    { { 0x9b7a99cd,0xc0d54cff,0x843c45a1,0x7bf3b99d,0x62c739e1,0x038a908f,
+        0x7dc1994c,0x6e5a6b23 },
+      { 0x0ba5db77,0xef8b454e,0xacf60d63,0xb7b8807f,0x76608378,0xe591c0c6,
+        0x242dabcc,0x481a238d } },
+    /* 128 */
+    { { 0x35d0b34a,0xe3417bc0,0x8327c0a7,0x440b386b,0xac0362d1,0x8fb7262d,
+        0xe0cdf943,0x2c41114c },
+      { 0xad95a0b1,0x2ba5cef1,0x67d54362,0xc09b37a8,0x01e486c9,0x26d6cdd2,
+        0x42ff9297,0x20477abf } },
+    /* 129 */
+    { { 0x18d65dbf,0x2f75173c,0x339edad8,0x77bf940e,0xdcf1001c,0x7022d26b,
+        0xc77396b6,0xac66409a },
+      { 0xc6261cc3,0x8b0bb36f,0x190e7e90,0x213f7bc9,0xa45e6c10,0x6541ceba,
+        0xcc122f85,0xce8e6975 } },
+    /* 130 */
+    { { 0xbc0a67d2,0x0f121b41,0x444d248a,0x62d4760a,0x659b4737,0x0e044f1d,
+        0x250bb4a8,0x08fde365 },
+      { 0x848bf287,0xaceec3da,0xd3369d6e,0xc2a62182,0x92449482,0x3582dfdc,
+        0x565d6cd7,0x2f7e2fd2 } },
+    /* 131 */
+    { { 0xc3770fa7,0xae4b92db,0x379043f9,0x095e8d5c,0x17761171,0x54f34e9d,
+        0x907702ae,0xc65be92e },
+      { 0xf6fd0a40,0x2758a303,0xbcce784b,0xe7d822e3,0x4f9767bf,0x7ae4f585,
+        0xd1193b3a,0x4bff8e47 } },
+    /* 132 */
+    { { 0x00ff1480,0xcd41d21f,0x0754db16,0x2ab8fb7d,0xbbe0f3ea,0xac81d2ef,
+        0x5772967d,0x3e4e4ae6 },
+      { 0x3c5303e6,0x7e18f36d,0x92262397,0x3bd9994b,0x1324c3c0,0x9ed70e26,
+        0x58ec6028,0x5388aefd } },
+    /* 133 */
+    { { 0x5e5d7713,0xad1317eb,0x75de49da,0x09b985ee,0xc74fb261,0x32f5bc4f,
+        0x4f75be0e,0x5cf908d1 },
+      { 0x8e657b12,0x76043510,0xb96ed9e6,0xbfd421a5,0x8970ccc2,0x0e29f51f,
+        0x60f00ce2,0xa698ba40 } },
+    /* 134 */
+    { { 0xef748fec,0x73db1686,0x7e9d2cf9,0xe6e755a2,0xce265eff,0x630b6544,
+        0x7aebad8d,0xb142ef8a },
+      { 0x17d5770a,0xad31af9f,0x2cb3412f,0x66af3b67,0xdf3359de,0x6bd60d1b,
+        0x58515075,0xd1896a96 } },
+    /* 135 */
+    { { 0x33c41c08,0xec5957ab,0x5468e2e1,0x87de94ac,0xac472f6c,0x18816b73,
+        0x7981da39,0x267b0e0b },
+      { 0x8e62b988,0x6e554e5d,0x116d21e7,0xd8ddc755,0x3d2a6f99,0x4610faf0,
+        0xa1119393,0xb54e287a } },
+    /* 136 */
+    { { 0x178a876b,0x0a0122b5,0x085104b4,0x51ff96ff,0x14f29f76,0x050b31ab,
+        0x5f87d4e6,0x84abb28b },
+      { 0x8270790a,0xd5ed439f,0x85e3f46b,0x2d6cb59d,0x6c1e2212,0x75f55c1b,
+        0x17655640,0xe5436f67 } },
+    /* 137 */
+    { { 0x2286e8d5,0x53f9025e,0x864453be,0x353c95b4,0xe408e3a0,0xd832f5bd,
+        0x5b9ce99e,0x0404f68b },
+      { 0xa781e8e5,0xcad33bde,0x163c2f5b,0x3cdf5018,0x0119caa3,0x57576960,
+        0x0ac1c701,0x3a4263df } },
+    /* 138 */
+    { { 0x9aeb596d,0xc2965ecc,0x023c92b4,0x01ea03e7,0x2e013961,0x4704b4b6,
+        0x905ea367,0x0ca8fd3f },
+      { 0x551b2b61,0x92523a42,0x390fcd06,0x1eb7a89c,0x0392a63e,0xe7f1d2be,
+        0x4ddb0c33,0x96dca264 } },
+    /* 139 */
+    { { 0x387510af,0x203bb43a,0xa9a36a01,0x846feaa8,0x2f950378,0xd23a5770,
+        0x3aad59dc,0x4363e212 },
+      { 0x40246a47,0xca43a1c7,0xe55dd24d,0xb362b8d2,0x5d8faf96,0xf9b08604,
+        0xd8bb98c4,0x840e115c } },
+    /* 140 */
+    { { 0x1023e8a7,0xf12205e2,0xd8dc7a0b,0xc808a8cd,0x163a5ddf,0xe292a272,
+        0x30ded6d4,0x5e0d6abd },
+      { 0x7cfc0f64,0x07a721c2,0x0e55ed88,0x42eec01d,0x1d1f9db2,0x26a7bef9,
+        0x2945a25a,0x7dea48f4 } },
+    /* 141 */
+    { { 0xe5060a81,0xabdf6f1c,0xf8f95615,0xe79f9c72,0x06ac268b,0xcfd36c54,
+        0xebfd16d1,0xabc2a2be },
+      { 0xd3e2eac7,0x8ac66f91,0xd2dd0466,0x6f10ba63,0x0282d31b,0x6790e377,
+        0x6c7eefc1,0x4ea35394 } },
+    /* 142 */
+    { { 0x5266309d,0xed8a2f8d,0x81945a3e,0x0a51c6c0,0x578c5dc1,0xcecaf45a,
+        0x1c94ffc3,0x3a76e689 },
+      { 0x7d7b0d0f,0x9aace8a4,0x8f584a5f,0x963ace96,0x4e697fbe,0x51a30c72,
+        0x465e6464,0x8212a10a } },
+    /* 143 */
+    { { 0xcfab8caa,0xef7c61c3,0x0e142390,0x18eb8e84,0x7e9733ca,0xcd1dff67,
+        0x599cb164,0xaa7cab71 },
+      { 0xbc837bd1,0x02fc9273,0xc36af5d7,0xc06407d0,0xf423da49,0x17621292,
+        0xfe0617c3,0x40e38073 } },
+    /* 144 */
+    { { 0xa7bf9b7c,0xf4f80824,0x3fbe30d0,0x365d2320,0x97cf9ce3,0xbfbe5320,
+        0xb3055526,0xe3604700 },
+      { 0x6cc6c2c7,0x4dcb9911,0xba4cbee6,0x72683708,0x637ad9ec,0xdcded434,
+        0xa3dee15f,0x6542d677 } },
+    /* 145 */
+    { { 0x7b6c377a,0x3f32b6d0,0x903448be,0x6cb03847,0x20da8af7,0xd6fdd3a8,
+        0x09bb6f21,0xa6534aee },
+      { 0x1035facf,0x30a1780d,0x9dcb47e6,0x35e55a33,0xc447f393,0x6ea50fe1,
+        0xdc9aef22,0xf3cb672f } },
+    /* 146 */
+    { { 0x3b55fd83,0xeb3719fe,0x875ddd10,0xe0d7a46c,0x05cea784,0x33ac9fa9,
+        0xaae870e7,0x7cafaa2e },
+      { 0x1d53b338,0x9b814d04,0xef87e6c6,0xe0acc0a0,0x11672b0f,0xfb93d108,
+        0xb9bd522e,0x0aab13c1 } },
+    /* 147 */
+    { { 0xd2681297,0xddcce278,0xb509546a,0xcb350eb1,0x7661aaf2,0x2dc43173,
+        0x847012e9,0x4b91a602 },
+      { 0x72f8ddcf,0xdcff1095,0x9a911af4,0x08ebf61e,0xc372430e,0x48f4360a,
+        0x72321cab,0x49534c53 } },
+    /* 148 */
+    { { 0xf07b7e9d,0x83df7d71,0x13cd516f,0xa478efa3,0x6c047ee3,0x78ef264b,
+        0xd65ac5ee,0xcaf46c4f },
+      { 0x92aa8266,0xa04d0c77,0x913684bb,0xedf45466,0xae4b16b0,0x56e65168,
+        0x04c6770f,0x14ce9e57 } },
+    /* 149 */
+    { { 0x965e8f91,0x99445e3e,0xcb0f2492,0xd3aca1ba,0x90c8a0a0,0xd31cc70f,
+        0x3e4c9a71,0x1bb708a5 },
+      { 0x558bdd7a,0xd5ca9e69,0x018a26b1,0x734a0508,0x4c9cf1ec,0xb093aa71,
+        0xda300102,0xf9d126f2 } },
+    /* 150 */
+    { { 0xaff9563e,0x749bca7a,0xb49914a0,0xdd077afe,0xbf5f1671,0xe27a0311,
+        0x729ecc69,0x807afcb9 },
+      { 0xc9b08b77,0x7f8a9337,0x443c7e38,0x86c3a785,0x476fd8ba,0x85fafa59,
+        0x6568cd8c,0x751adcd1 } },
+    /* 151 */
+    { { 0x10715c0d,0x8aea38b4,0x8f7697f7,0xd113ea71,0x93fbf06d,0x665eab14,
+        0x2537743f,0x29ec4468 },
+      { 0xb50bebbc,0x3d94719c,0xe4505422,0x399ee5bf,0x8d2dedb1,0x90cd5b3a,
+        0x92a4077d,0xff9370e3 } },
+    /* 152 */
+    { { 0xc6b75b65,0x59a2d69b,0x266651c5,0x4188f8d5,0x3de9d7d2,0x28a9f33e,
+        0xa2a9d01a,0x9776478b },
+      { 0x929af2c7,0x8852622d,0x4e690923,0x334f5d6d,0xa89a51e9,0xce6cc7e5,
+        0xac2f82fa,0x74a6313f } },
+    /* 153 */
+    { { 0xb75f079c,0xb2f4dfdd,0x18e36fbb,0x85b07c95,0xe7cd36dd,0x1b6cfcf0,
+        0x0ff4863d,0xab75be15 },
+      { 0x173fc9b7,0x81b367c0,0xd2594fd0,0xb90a7420,0xc4091236,0x15fdbf03,
+        0x0b4459f6,0x4ebeac2e } },
+    /* 154 */
+    { { 0x5c9f2c53,0xeb6c5fe7,0x8eae9411,0xd2522011,0xf95ac5d8,0xc8887633,
+        0x2c1baffc,0xdf99887b },
+      { 0x850aaecb,0xbb78eed2,0x01d6a272,0x9d49181b,0xb1cdbcac,0x978dd511,
+        0x779f4058,0x27b040a7 } },
+    /* 155 */
+    { { 0xf73b2eb2,0x90405db7,0x8e1b2118,0xe0df8508,0x5962327e,0x501b7152,
+        0xe4cfa3f5,0xb393dd37 },
+      { 0x3fd75165,0xa1230e7b,0xbcd33554,0xd66344c2,0x0f7b5022,0x6c36f1be,
+        0xd0463419,0x09588c12 } },
+    /* 156 */
+    { { 0x02601c3b,0xe086093f,0xcf5c335f,0xfb0252f8,0x894aff28,0x955cf280,
+        0xdb9f648b,0x81c879a9 },
+      { 0xc6f56c51,0x040e687c,0x3f17618c,0xfed47169,0x9059353b,0x44f88a41,
+        0x5fc11bc4,0xfa0d48f5 } },
+    /* 157 */
+    { { 0xe1608e4d,0xbc6e1c9d,0x3582822c,0x010dda11,0x157ec2d7,0xf6b7ddc1,
+        0xb6a367d6,0x8ea0e156 },
+      { 0x2383b3b4,0xa354e02f,0x3f01f53c,0x69966b94,0x2de03ca5,0x4ff6632b,
+        0xfa00b5ac,0x3f5ab924 } },
+    /* 158 */
+    { { 0x59739efb,0x337bb0d9,0xe7ebec0d,0xc751b0f4,0x411a67d1,0x2da52dd6,
+        0x2b74256e,0x8bc76887 },
+      { 0x82d3d253,0xa5be3b72,0xf58d779f,0xa9f679a1,0xe16767bb,0xa1cac168,
+        0x60fcf34f,0xb386f190 } },
+    /* 159 */
+    { { 0x2fedcfc2,0x31f3c135,0x62f8af0d,0x5396bf62,0xe57288c2,0x9a02b4ea,
+        0x1b069c4d,0x4cb460f7 },
+      { 0x5b8095ea,0xae67b4d3,0x6fc07603,0x92bbf859,0xb614a165,0xe1475f66,
+        0x95ef5223,0x52c0d508 } },
+    /* 160 */
+    { { 0x15339848,0x231c210e,0x70778c8d,0xe87a28e8,0x6956e170,0x9d1de661,
+        0x2bb09c0b,0x4ac3c938 },
+      { 0x6998987d,0x19be0551,0xae09f4d6,0x8b2376c4,0x1a3f933d,0x1de0b765,
+        0xe39705f4,0x380d94c7 } },
+    /* 161 */
+    { { 0x81542e75,0x01a355aa,0xee01b9b7,0x96c724a1,0x624d7087,0x6b3a2977,
+        0xde2637af,0x2ce3e171 },
+      { 0xf5d5bc1a,0xcfefeb49,0x2777e2b5,0xa655607e,0x9513756c,0x4feaac2f,
+        0x0b624e4d,0x2e6cd852 } },
+    /* 162 */
+    { { 0x8c31c31d,0x3685954b,0x5bf21a0c,0x68533d00,0x75c79ec9,0x0bd7626e,
+        0x42c69d54,0xca177547 },
+      { 0xf6d2dbb2,0xcc6edaff,0x174a9d18,0xfd0d8cbd,0xaa4578e8,0x875e8793,
+        0x9cab2ce6,0xa976a713 } },
+    /* 163 */
+    { { 0x93fb353d,0x0a651f1b,0x57fcfa72,0xd75cab8b,0x31b15281,0xaa88cfa7,
+        0x0a1f4999,0x8720a717 },
+      { 0x693e1b90,0x8c3e8d37,0x16f6dfc3,0xd345dc0b,0xb52a8742,0x8ea8d00a,
+        0xc769893c,0x9719ef29 } },
+    /* 164 */
+    { { 0x58e35909,0x820eed8d,0x33ddc116,0x9366d8dc,0x6e205026,0xd7f999d0,
+        0xe15704c1,0xa5072976 },
+      { 0xc4e70b2e,0x002a37ea,0x6890aa8a,0x84dcf657,0x645b2a5c,0xcd71bf18,
+        0xf7b77725,0x99389c9d } },
+    /* 165 */
+    { { 0x7ada7a4b,0x238c08f2,0xfd389366,0x3abe9d03,0x766f512c,0x6b672e89,
+        0x202c82e4,0xa88806aa },
+      { 0xd380184e,0x6602044a,0x126a8b85,0xa8cb78c4,0xad844f17,0x79d670c0,
+        0x4738dcfe,0x0043bffb } },
+    /* 166 */
+    { { 0x36d5192e,0x8d59b5dc,0x4590b2af,0xacf885d3,0x11601781,0x83566d0a,
+        0xba6c4866,0x52f3ef01 },
+      { 0x0edcb64d,0x3986732a,0x8068379f,0x0a482c23,0x7040f309,0x16cbe5fa,
+        0x9ef27e75,0x3296bd89 } },
+    /* 167 */
+    { { 0x454d81d7,0x476aba89,0x51eb9b3c,0x9eade7ef,0x81c57986,0x619a21cd,
+        0xaee571e9,0x3b90febf },
+      { 0x5496f7cb,0x9393023e,0x7fb51bc4,0x55be41d8,0x99beb5ce,0x03f1dd48,
+        0x9f810b18,0x6e88069d } },
+    /* 168 */
+    { { 0xb43ea1db,0xce37ab11,0x5259d292,0x0a7ff1a9,0x8f84f186,0x851b0221,
+        0xdefaad13,0xa7222bea },
+      { 0x2b0a9144,0xa2ac78ec,0xf2fa59c5,0x5a024051,0x6147ce38,0x91d1eca5,
+        0xbc2ac690,0xbe94d523 } },
+    /* 169 */
+    { { 0x0b226ce7,0x72f4945e,0x967e8b70,0xb8afd747,0x85a6c63e,0xedea46f1,
+        0x9be8c766,0x7782defe },
+      { 0x3db38626,0x760d2aa4,0x76f67ad1,0x460ae787,0x54499cdb,0x341b86fc,
+        0xa2892e4b,0x03838567 } },
+    /* 170 */
+    { { 0x79ec1a0f,0x2d8daefd,0xceb39c97,0x3bbcd6fd,0x58f61a95,0xf5575ffc,
+        0xadf7b420,0xdbd986c4 },
+      { 0x15f39eb7,0x81aa8814,0xb98d976c,0x6ee2fcf5,0xcf2f717d,0x5465475d,
+        0x6860bbd0,0x8e24d3c4 } },
+    /* 171 */
+    { { 0x9a587390,0x749d8e54,0x0cbec588,0x12bb194f,0xb25983c6,0x46e07da4,
+        0x407bafc8,0x541a99c4 },
+      { 0x624c8842,0xdb241692,0xd86c05ff,0x6044c12a,0x4f7fcf62,0xc59d14b4,
+        0xf57d35d1,0xc0092c49 } },
+    /* 172 */
+    { { 0xdf2e61ef,0xd3cc75c3,0x2e1b35ca,0x7e8841c8,0x909f29f4,0xc62d30d1,
+        0x7286944d,0x75e40634 },
+      { 0xbbc237d0,0xe7d41fc5,0xec4f01c9,0xc9537bf0,0x282bd534,0x91c51a16,
+        0xc7848586,0x5b7cb658 } },
+    /* 173 */
+    { { 0x8a28ead1,0x964a7084,0xfd3b47f6,0x802dc508,0x767e5b39,0x9ae4bfd1,
+        0x8df097a1,0x7ae13eba },
+      { 0xeadd384e,0xfd216ef8,0xb6b2ff06,0x0361a2d9,0x4bcdb5f3,0x204b9878,
+        0xe2a8e3fd,0x787d8074 } },
+    /* 174 */
+    { { 0x757fbb1c,0xc5e25d6b,0xca201deb,0xe47bddb2,0x6d2233ff,0x4a55e9a3,
+        0x9ef28484,0x5c222819 },
+      { 0x88315250,0x773d4a85,0x827097c1,0x21b21a2b,0xdef5d33f,0xab7c4ea1,
+        0xbaf0f2b0,0xe45d37ab } },
+    /* 175 */
+    { { 0x28511c8a,0xd2df1e34,0xbdca6cd3,0xebb229c8,0x627c39a7,0x578a71a7,
+        0x84dfb9d3,0xed7bc122 },
+      { 0x93dea561,0xcf22a6df,0xd48f0ed1,0x5443f18d,0x5bad23e8,0xd8b86140,
+        0x45ca6d27,0xaac97cc9 } },
+    /* 176 */
+    { { 0xa16bd00a,0xeb54ea74,0xf5c0bcc1,0xd839e9ad,0x1f9bfc06,0x092bb7f1,
+        0x1163dc4e,0x318f97b3 },
+      { 0xc30d7138,0xecc0c5be,0xabc30220,0x44e8df23,0xb0223606,0x2bb7972f,
+        0x9a84ff4d,0xfa41faa1 } },
+    /* 177 */
+    { { 0xa6642269,0x4402d974,0x9bb783bd,0xc81814ce,0x7941e60b,0x398d38e4,
+        0x1d26e9e2,0x38bb6b2c },
+      { 0x6a577f87,0xc64e4a25,0xdc11fe1c,0x8b52d253,0x62280728,0xff336abf,
+        0xce7601a5,0x94dd0905 } },
+    /* 178 */
+    { { 0xde93f92a,0x156cf7dc,0x89b5f315,0xa01333cb,0xc995e750,0x02404df9,
+        0xd25c2ae9,0x92077867 },
+      { 0x0bf39d44,0xe2471e01,0x96bb53d7,0x5f2c9020,0x5c9c3d8f,0x4c44b7b3,
+        0xd29beb51,0x81e8428b } },
+    /* 179 */
+    { { 0xc477199f,0x6dd9c2ba,0x6b5ecdd9,0x8cb8eeee,0xee40fd0e,0x8af7db3f,
+        0xdbbfa4b1,0x1b94ab62 },
+      { 0xce47f143,0x44f0d8b3,0x63f46163,0x51e623fc,0xcc599383,0xf18f270f,
+        0x055590ee,0x06a38e28 } },
+    /* 180 */
+    { { 0xb3355b49,0x2e5b0139,0xb4ebf99b,0x20e26560,0xd269f3dc,0xc08ffa6b,
+        0x83d9d4f8,0xa7b36c20 },
+      { 0x1b3e8830,0x64d15c3a,0xa89f9c0b,0xd5fceae1,0xe2d16930,0xcfeee4a2,
+        0xa2822a20,0xbe54c6b4 } },
+    /* 181 */
+    { { 0x8d91167c,0xd6cdb3df,0xe7a6625e,0x517c3f79,0x346ac7f4,0x7105648f,
+        0xeae022bb,0xbf30a5ab },
+      { 0x93828a68,0x8e7785be,0x7f3ef036,0x5161c332,0x592146b2,0xe11b5feb,
+        0x2732d13a,0xd1c820de } },
+    /* 182 */
+    { { 0x9038b363,0x043e1347,0x6b05e519,0x58c11f54,0x6026cad1,0x4fe57abe,
+        0x68a18da3,0xb7d17bed },
+      { 0xe29c2559,0x44ca5891,0x5bfffd84,0x4f7a0376,0x74e46948,0x498de4af,
+        0x6412cc64,0x3997fd5e } },
+    /* 183 */
+    { { 0x8bd61507,0xf2074682,0x34a64d2a,0x29e132d5,0x8a8a15e3,0xffeddfb0,
+        0x3c6c13e8,0x0eeb8929 },
+      { 0xa7e259f8,0xe9b69a3e,0xd13e7e67,0xce1db7e6,0xad1fa685,0x277318f6,
+        0xc922b6ef,0x228916f8 } },
+    /* 184 */
+    { { 0x0a12ab5b,0x959ae25b,0x957bc136,0xcc11171f,0xd16e2b0c,0x8058429e,
+        0x6e93097e,0xec05ad1d },
+      { 0xac3f3708,0x157ba5be,0x30b59d77,0x31baf935,0x118234e5,0x47b55237,
+        0x7ff11b37,0x7d314156 } },
+    /* 185 */
+    { { 0xf6dfefab,0x7bd9c05c,0xdcb37707,0xbe2f2268,0x3a38bb95,0xe53ead97,
+        0x9bc1d7a3,0xe9ce66fc },
+      { 0x6f6a02a1,0x75aa1576,0x60e600ed,0x38c087df,0x68cdc1b9,0xf8947f34,
+        0x72280651,0xd9650b01 } },
+    /* 186 */
+    { { 0x5a057e60,0x504b4c4a,0x8def25e4,0xcbccc3be,0x17c1ccbd,0xa6353208,
+        0x804eb7a2,0x14d6699a },
+      { 0xdb1f411a,0x2c8a8415,0xf80d769c,0x09fbaf0b,0x1c2f77ad,0xb4deef90,
+        0x0d43598a,0x6f4c6841 } },
+    /* 187 */
+    { { 0x96c24a96,0x8726df4e,0xfcbd99a3,0x534dbc85,0x8b2ae30a,0x3c466ef2,
+        0x61189abb,0x4c4350fd },
+      { 0xf855b8da,0x2967f716,0x463c38a1,0x41a42394,0xeae93343,0xc37e1413,
+        0x5a3118b5,0xa726d242 } },
+    /* 188 */
+    { { 0x948c1086,0xdae6b3ee,0xcbd3a2e1,0xf1de503d,0x03d022f3,0x3f35ed3f,
+        0xcc6cf392,0x13639e82 },
+      { 0xcdafaa86,0x9ac938fb,0x2654a258,0xf45bc5fb,0x45051329,0x1963b26e,
+        0xc1a335a3,0xca9365e1 } },
+    /* 189 */
+    { { 0x4c3b2d20,0x3615ac75,0x904e241b,0x742a5417,0xcc9d071d,0xb08521c4,
+        0x970b72a5,0x9ce29c34 },
+      { 0x6d3e0ad6,0x8cc81f73,0xf2f8434c,0x8060da9e,0x6ce862d9,0x35ed1d1a,
+        0xab42af98,0x48c4abd7 } },
+    /* 190 */
+    { { 0x40c7485a,0xd221b0cc,0xe5274dbf,0xead455bb,0x9263d2e8,0x493c7698,
+        0xf67b33cb,0x78017c32 },
+      { 0x930cb5ee,0xb9d35769,0x0c408ed2,0xc0d14e94,0x272f1a4d,0xf8b7bf55,
+        0xde5c1c04,0x53cd0454 } },
+    /* 191 */
+    { { 0x5d28ccac,0xbcd585fa,0x005b746e,0x5f823e56,0xcd0123aa,0x7c79f0a1,
+        0xd3d7fa8f,0xeea465c1 },
+      { 0x0551803b,0x7810659f,0x7ce6af70,0x6c0b599f,0x29288e70,0x4195a770,
+        0x7ae69193,0x1b6e42a4 } },
+    /* 192 */
+    { { 0xf67d04c3,0x2e80937c,0x89eeb811,0x1e312be2,0x92594d60,0x56b5d887,
+        0x187fbd3d,0x0224da14 },
+      { 0x0c5fe36f,0x87abb863,0x4ef51f5f,0x580f3c60,0xb3b429ec,0x964fb1bf,
+        0x42bfff33,0x60838ef0 } },
+    /* 193 */
+    { { 0x7e0bbe99,0x432cb2f2,0x04aa39ee,0x7bda44f3,0x9fa93903,0x5f497c7a,
+        0x2d331643,0x636eb202 },
+      { 0x93ae00aa,0xfcfd0e61,0x31ae6d2f,0x875a00fe,0x9f93901c,0xf43658a2,
+        0x39218bac,0x8844eeb6 } },
+    /* 194 */
+    { { 0x6b3bae58,0x114171d2,0x17e39f3e,0x7db3df71,0x81a8eada,0xcd37bc7f,
+        0x51fb789e,0x27ba83dc },
+      { 0xfbf54de5,0xa7df439f,0xb5fe1a71,0x7277030b,0xdb297a48,0x42ee8e35,
+        0x87f3a4ab,0xadb62d34 } },
+    /* 195 */
+    { { 0xa175df2a,0x9b1168a2,0x618c32e9,0x082aa04f,0x146b0916,0xc9e4f2e7,
+        0x75e7c8b2,0xb990fd76 },
+      { 0x4df37313,0x0829d96b,0xd0b40789,0x1c205579,0x78087711,0x66c9ae4a,
+        0x4d10d18d,0x81707ef9 } },
+    /* 196 */
+    { { 0x03d6ff96,0x97d7cab2,0x0d843360,0x5b851bfc,0xd042db4b,0x268823c4,
+        0xd5a8aa5c,0x3792daea },
+      { 0x941afa0b,0x52818865,0x42d83671,0xf3e9e741,0x5be4e0a7,0x17c82527,
+        0x94b001ba,0x5abd635e } },
+    /* 197 */
+    { { 0x0ac4927c,0x727fa84e,0xa7c8cf23,0xe3886035,0x4adca0df,0xa4bcd5ea,
+        0x846ab610,0x5995bf21 },
+      { 0x829dfa33,0xe90f860b,0x958fc18b,0xcaafe2ae,0x78630366,0x9b3baf44,
+        0xd483411e,0x44c32ca2 } },
+    /* 198 */
+    { { 0xe40ed80c,0xa74a97f1,0x31d2ca82,0x5f938cb1,0x7c2d6ad9,0x53f2124b,
+        0x8082a54c,0x1f2162fb },
+      { 0x720b173e,0x7e467cc5,0x085f12f9,0x40e8a666,0x4c9d65dc,0x8cebc20e,
+        0xc3e907c9,0x8f1d402b } },
+    /* 199 */
+    { { 0xfbc4058a,0x4f592f9c,0x292f5670,0xb15e14b6,0xbc1d8c57,0xc55cfe37,
+        0x926edbf9,0xb1980f43 },
+      { 0x32c76b09,0x98c33e09,0x33b07f78,0x1df5279d,0x863bb461,0x6f08ead4,
+        0x37448e45,0x2828ad9b } },
+    /* 200 */
+    { { 0xc4cf4ac5,0x696722c4,0xdde64afb,0xf5ac1a3f,0xe0890832,0x0551baa2,
+        0x5a14b390,0x4973f127 },
+      { 0x322eac5d,0xe59d8335,0x0bd9b568,0x5e07eef5,0xa2588393,0xab36720f,
+        0xdb168ac7,0x6dac8ed0 } },
+    /* 201 */
+    { { 0xeda835ef,0xf7b545ae,0x1d10ed51,0x4aa113d2,0x13741b09,0x035a65e0,
+        0x20b9de4c,0x4b23ef59 },
+      { 0x3c4c7341,0xe82bb680,0x3f58bc37,0xd457706d,0xa51e3ee8,0x73527863,
+        0xddf49a4e,0x4dd71534 } },
+    /* 202 */
+    { { 0x95476cd9,0xbf944672,0xe31a725b,0x648d072f,0xfc4b67e0,0x1441c8b8,
+        0x2f4a4dbb,0xfd317000 },
+      { 0x8995d0e1,0x1cb43ff4,0x0ef729aa,0x76e695d1,0x41798982,0xe0d5f976,
+        0x9569f365,0x14fac58c } },
+    /* 203 */
+    { { 0xf312ae18,0xad9a0065,0xfcc93fc9,0x51958dc0,0x8a7d2846,0xd9a14240,
+        0x36abda50,0xed7c7651 },
+      { 0x25d4abbc,0x46270f1a,0xf1a113ea,0x9b5dd8f3,0x5b51952f,0xc609b075,
+        0x4d2e9f53,0xfefcb7f7 } },
+    /* 204 */
+    { { 0xba119185,0xbd09497a,0xaac45ba4,0xd54e8c30,0xaa521179,0x492479de,
+        0x87e0d80b,0x1801a57e },
+      { 0xfcafffb0,0x073d3f8d,0xae255240,0x6cf33c0b,0x5b5fdfbc,0x781d763b,
+        0x1ead1064,0x9f8fc11e } },
+    /* 205 */
+    { { 0x5e69544c,0x1583a171,0xf04b7813,0x0eaf8567,0x278a4c32,0x1e22a8fd,
+        0x3d3a69a9,0xa9d3809d },
+      { 0x59a2da3b,0x936c2c2c,0x1895c847,0x38ccbcf6,0x63d50869,0x5e65244e,
+        0xe1178ef7,0x3006b9ae } },
+    /* 206 */
+    { { 0xc9eead28,0x0bb1f2b0,0x89f4dfbc,0x7eef635d,0xb2ce8939,0x074757fd,
+        0x45f8f761,0x0ab85fd7 },
+      { 0x3e5b4549,0xecda7c93,0x97922f21,0x4be2bb5c,0xb43b8040,0x261a1274,
+        0x11e942c2,0xb122d675 } },
+    /* 207 */
+    { { 0x66a5ae7a,0x3be607be,0x76adcbe3,0x01e703fa,0x4eb6e5c5,0xaf904301,
+        0x097dbaec,0x9f599dc1 },
+      { 0x0ff250ed,0x6d75b718,0x349a20dc,0x8eb91574,0x10b227a3,0x425605a4,
+        0x8a294b78,0x7d5528e0 } },
+    /* 208 */
+    { { 0x20c26def,0xf0f58f66,0x582b2d1e,0x025585ea,0x01ce3881,0xfbe7d79b,
+        0x303f1730,0x28ccea01 },
+      { 0x79644ba5,0xd1dabcd1,0x06fff0b8,0x1fc643e8,0x66b3e17b,0xa60a76fc,
+        0xa1d013bf,0xc18baf48 } },
+    /* 209 */
+    { { 0x5dc4216d,0x34e638c8,0x206142ac,0x00c01067,0x95f5064a,0xd453a171,
+        0xb7a9596b,0x9def809d },
+      { 0x67ab8d2c,0x41e8642e,0x6237a2b6,0xb4240433,0x64c4218b,0x7d506a6d,
+        0x68808ce5,0x0357f8b0 } },
+    /* 210 */
+    { { 0x4cd2cc88,0x8e9dbe64,0xf0b8f39d,0xcc61c28d,0xcd30a0c8,0x4a309874,
+        0x1b489887,0xe4a01add },
+      { 0xf57cd8f9,0x2ed1eeac,0xbd594c48,0x1b767d3e,0x7bd2f787,0xa7295c71,
+        0xce10cc30,0x466d7d79 } },
+    /* 211 */
+    { { 0x9dada2c7,0x47d31892,0x8f9aa27d,0x4fa0a6c3,0x820a59e1,0x90e4fd28,
+        0x451ead1a,0xc672a522 },
+      { 0x5d86b655,0x30607cc8,0xf9ad4af1,0xf0235d3b,0x571172a6,0x99a08680,
+        0xf2a67513,0x5e3d64fa } },
+    /* 212 */
+    { { 0x9b3b4416,0xaa6410c7,0xeab26d99,0xcd8fcf85,0xdb656a74,0x5ebff74a,
+        0xeb8e42fc,0x6c8a7a95 },
+      { 0xb02a63bd,0x10c60ba7,0x8b8f0047,0x6b2f2303,0x312d90b0,0x8c6c3738,
+        0xad82ca91,0x348ae422 } },
+    /* 213 */
+    { { 0x5ccda2fb,0x7f474663,0x8e0726d2,0x22accaa1,0x492b1f20,0x85adf782,
+        0xd9ef2d2e,0xc1074de0 },
+      { 0xae9a65b3,0xfcf3ce44,0x05d7151b,0xfd71e4ac,0xce6a9788,0xd4711f50,
+        0xc9e54ffc,0xfbadfbdb } },
+    /* 214 */
+    { { 0x20a99363,0x1713f1cd,0x6cf22775,0xb915658f,0x24d359b2,0x968175cd,
+        0x83716fcd,0xb7f976b4 },
+      { 0x5d6dbf74,0x5758e24d,0x71c3af36,0x8d23bafd,0x0243dfe3,0x48f47760,
+        0xcafcc805,0xf4d41b2e } },
+    /* 215 */
+    { { 0xfdabd48d,0x51f1cf28,0x32c078a4,0xce81be36,0x117146e9,0x6ace2974,
+        0xe0160f10,0x180824ea },
+      { 0x66e58358,0x0387698b,0xce6ca358,0x63568752,0x5e41e6c5,0x82380e34,
+        0x83cf6d25,0x67e5f639 } },
+    /* 216 */
+    { { 0xcf4899ef,0xf89ccb8d,0x9ebb44c0,0x949015f0,0xb2598ec9,0x546f9276,
+        0x04c11fc6,0x9fef789a },
+      { 0x53d2a071,0x6d367ecf,0xa4519b09,0xb10e1a7f,0x611e2eef,0xca6b3fb0,
+        0xa99c4e20,0xbc80c181 } },
+    /* 217 */
+    { { 0xe5eb82e6,0x972536f8,0xf56cb920,0x1a484fc7,0x50b5da5e,0xc78e2171,
+        0x9f8cdf10,0x49270e62 },
+      { 0xea6b50ad,0x1a39b7bb,0xa2388ffc,0x9a0284c1,0x8107197b,0x5403eb17,
+        0x61372f7f,0xd2ee52f9 } },
+    /* 218 */
+    { { 0x88e0362a,0xd37cd285,0x8fa5d94d,0x442fa8a7,0xa434a526,0xaff836e5,
+        0xe5abb733,0xdfb478be },
+      { 0x673eede6,0xa91f1ce7,0x2b5b2f04,0xa5390ad4,0x5530da2f,0x5e66f7bf,
+        0x08df473a,0xd9a140b4 } },
+    /* 219 */
+    { { 0x6e8ea498,0x0e0221b5,0x3563ee09,0x62347829,0x335d2ade,0xe06b8391,
+        0x623f4b1a,0x760c058d },
+      { 0xc198aa79,0x0b89b58c,0xf07aba7f,0xf74890d2,0xfde2556a,0x4e204110,
+        0x8f190409,0x7141982d } },
+    /* 220 */
+    { { 0x4d4b0f45,0x6f0a0e33,0x392a94e1,0xd9280b38,0xb3c61d5e,0x3af324c6,
+        0x89d54e47,0x3af9d1ce },
+      { 0x20930371,0xfd8f7981,0x21c17097,0xeda2664c,0xdc42309b,0x0e9545dc,
+        0x73957dd6,0xb1f815c3 } },
+    /* 221 */
+    { { 0x89fec44a,0x84faa78e,0x3caa4caf,0xc8c2ae47,0xc1b6a624,0x691c807d,
+        0x1543f052,0xa41aed14 },
+      { 0x7d5ffe04,0x42435399,0x625b6e20,0x8bacb2df,0x87817775,0x85d660be,
+        0x86fb60ef,0xd6e9c1dd } },
+    /* 222 */
+    { { 0xc6853264,0x3aa2e97e,0xe2304a0b,0x771533b7,0xb8eae9be,0x1b912bb7,
+        0xae9bf8c2,0x9c9c6e10 },
+      { 0xe030b74c,0xa2309a59,0x6a631e90,0x4ed7494d,0xa49b79f2,0x89f44b23,
+        0x40fa61b6,0x566bd596 } },
+    /* 223 */
+    { { 0xc18061f3,0x066c0118,0x7c83fc70,0x190b25d3,0x27273245,0xf05fc8e0,
+        0xf525345e,0xcf2c7390 },
+      { 0x10eb30cf,0xa09bceb4,0x0d77703a,0xcfd2ebba,0x150ff255,0xe842c43a,
+        0x8aa20979,0x02f51755 } },
+    /* 224 */
+    { { 0xaddb7d07,0x396ef794,0x24455500,0x0b4fc742,0xc78aa3ce,0xfaff8eac,
+        0xe8d4d97d,0x14e9ada5 },
+      { 0x2f7079e2,0xdaa480a1,0xe4b0800e,0x45baa3cd,0x7838157d,0x01765e2d,
+        0x8e9d9ae8,0xa0ad4fab } },
+    /* 225 */
+    { { 0x4a653618,0x0bfb7621,0x31eaaa5f,0x1872813c,0x44949d5e,0x1553e737,
+        0x6e56ed1e,0xbcd530b8 },
+      { 0x32e9c47b,0x169be853,0xb50059ab,0xdc2776fe,0x192bfbb4,0xcdba9761,
+        0x6979341d,0x909283cf } },
+    /* 226 */
+    { { 0x76e81a13,0x67b00324,0x62171239,0x9bee1a99,0xd32e19d6,0x08ed361b,
+        0xace1549a,0x35eeb7c9 },
+      { 0x7e4e5bdc,0x1280ae5a,0xb6ceec6e,0x2dcd2cd3,0x6e266bc1,0x52e4224c,
+        0x448ae864,0x9a8b2cf4 } },
+    /* 227 */
+    { { 0x09d03b59,0xf6471bf2,0xb65af2ab,0xc90e62a3,0xebd5eec9,0xff7ff168,
+        0xd4491379,0x6bdb60f4 },
+      { 0x8a55bc30,0xdadafebc,0x10097fe0,0xc79ead16,0x4c1e3bdd,0x42e19741,
+        0x94ba08a9,0x01ec3cfd } },
+    /* 228 */
+    { { 0xdc9485c2,0xba6277eb,0x22fb10c7,0x48cc9a79,0x70a28d8a,0x4f61d60f,
+        0x475464f6,0xd1acb1c0 },
+      { 0x26f36612,0xd26902b1,0xe0618d8b,0x59c3a44e,0x308357ee,0x4df8a813,
+        0x405626c2,0x7dcd079d } },
+    /* 229 */
+    { { 0xf05a4b48,0x5ce7d4d3,0x37230772,0xadcd2952,0x812a915a,0xd18f7971,
+        0x377d19b8,0x0bf53589 },
+      { 0x6c68ea73,0x35ecd95a,0x823a584d,0xc7f3bbca,0xf473a723,0x9fb674c6,
+        0xe16686fc,0xd28be4d9 } },
+    /* 230 */
+    { { 0x38fa8e4b,0x5d2b9906,0x893fd8fc,0x559f186e,0x436fb6fc,0x3a6de2aa,
+        0x510f88ce,0xd76007aa },
+      { 0x523a4988,0x2d10aab6,0x74dd0273,0xb455cf44,0xa3407278,0x7f467082,
+        0xb303bb01,0xf2b52f68 } },
+    /* 231 */
+    { { 0x9835b4ca,0x0d57eafa,0xbb669cbc,0x2d2232fc,0xc6643198,0x8eeeb680,
+        0xcc5aed3a,0xd8dbe98e },
+      { 0xc5a02709,0xcba9be3f,0xf5ba1fa8,0x30be68e5,0xf10ea852,0xfebd43cd,
+        0xee559705,0xe01593a3 } },
+    /* 232 */
+    { { 0xea75a0a6,0xd3e5af50,0x57858033,0x512226ac,0xd0176406,0x6fe6d50f,
+        0xaeb8ef06,0xafec07b1 },
+      { 0x80bb0a31,0x7fb99567,0x37309aae,0x6f1af3cc,0x01abf389,0x9153a15a,
+        0x6e2dbfdd,0xa71b9354 } },
+    /* 233 */
+    { { 0x18f593d2,0xbf8e12e0,0xa078122b,0xd1a90428,0x0ba4f2ad,0x150505db,
+        0x628523d9,0x53a2005c },
+      { 0xe7f2b935,0x07c8b639,0xc182961a,0x2bff975a,0x7518ca2c,0x86bceea7,
+        0x3d588e3d,0xbf47d19b } },
+    /* 234 */
+    { { 0xdd7665d5,0x672967a7,0x2f2f4de5,0x4e303057,0x80d4903f,0x144005ae,
+        0x39c9a1b6,0x001c2c7f },
+      { 0x69efc6d6,0x143a8014,0x7bc7a724,0xc810bdaa,0xa78150a4,0x5f65670b,
+        0x86ffb99b,0xfdadf8e7 } },
+    /* 235 */
+    { { 0xffc00785,0xfd38cb88,0x3b48eb67,0x77fa7591,0xbf368fbc,0x0454d055,
+        0x5aa43c94,0x3a838e4d },
+      { 0x3e97bb9a,0x56166329,0x441d94d9,0x9eb93363,0x0adb2a83,0x515591a6,
+        0x873e1da3,0x3cdb8257 } },
+    /* 236 */
+    { { 0x7de77eab,0x137140a9,0x41648109,0xf7e1c50d,0xceb1d0df,0x762dcad2,
+        0xf1f57fba,0x5a60cc89 },
+      { 0x40d45673,0x80b36382,0x5913c655,0x1b82be19,0xdd64b741,0x057284b8,
+        0xdbfd8fc0,0x922ff56f } },
+    /* 237 */
+    { { 0xc9a129a1,0x1b265dee,0xcc284e04,0xa5b1ce57,0xcebfbe3c,0x04380c46,
+        0xf6c5cd62,0x72919a7d },
+      { 0x8fb90f9a,0x298f453a,0x88e4031b,0xd719c00b,0x796f1856,0xe32c0e77,
+        0x3624089a,0x5e791780 } },
+    /* 238 */
+    { { 0x7f63cdfb,0x5c16ec55,0xf1cae4fd,0x8e6a3571,0x560597ca,0xfce26bea,
+        0xe24c2fab,0x4e0a5371 },
+      { 0xa5765357,0x276a40d3,0x0d73a2b4,0x3c89af44,0x41d11a32,0xb8f370ae,
+        0xd56604ee,0xf5ff7818 } },
+    /* 239 */
+    { { 0x1a09df21,0xfbf3e3fe,0xe66e8e47,0x26d5d28e,0x29c89015,0x2096bd0a,
+        0x533f5e64,0xe41df0e9 },
+      { 0xb3ba9e3f,0x305fda40,0x2604d895,0xf2340ceb,0x7f0367c7,0x0866e192,
+        0xac4f155f,0x8edd7d6e } },
+    /* 240 */
+    { { 0x0bfc8ff3,0xc9a1dc0e,0xe936f42f,0x14efd82b,0xcca381ef,0x67016f7c,
+        0xed8aee96,0x1432c1ca },
+      { 0x70b23c26,0xec684829,0x0735b273,0xa64fe873,0xeaef0f5a,0xe389f6e5,
+        0x5ac8d2c6,0xcaef480b } },
+    /* 241 */
+    { { 0x75315922,0x5245c978,0x3063cca5,0xd8295171,0xb64ef2cb,0xf3ce60d0,
+        0x8efae236,0xd0ba177e },
+      { 0xb1b3af60,0x53a9ae8f,0x3d2da20e,0x1a796ae5,0xdf9eef28,0x01d63605,
+        0x1c54ae16,0xf31c957c } },
+    /* 242 */
+    { { 0x49cc4597,0xc0f58d52,0xbae0a028,0xdc5015b0,0x734a814a,0xefc5fc55,
+        0x96e17c3a,0x013404cb },
+      { 0xc9a824bf,0xb29e2585,0x001eaed7,0xd593185e,0x61ef68ac,0x8d6ee682,
+        0x91933e6c,0x6f377c4b } },
+    /* 243 */
+    { { 0xa8333fd2,0x9f93bad1,0x5a2a95b8,0xa8930202,0xeaf75ace,0x211e5037,
+        0xd2d09506,0x6dba3e4e },
+      { 0xd04399cd,0xa48ef98c,0xe6b73ade,0x1811c66e,0xc17ecaf3,0x72f60752,
+        0x3becf4a7,0xf13cf342 } },
+    /* 244 */
+    { { 0xa919e2eb,0xceeb9ec0,0xf62c0f68,0x83a9a195,0x7aba2299,0xcfba3bb6,
+        0x274bbad3,0xc83fa9a9 },
+      { 0x62fa1ce0,0x0d7d1b0b,0x3418efbf,0xe58b60f5,0x52706f04,0xbfa8ef9e,
+        0x5d702683,0xb49d70f4 } },
+    /* 245 */
+    { { 0xfad5513b,0x914c7510,0xb1751e2d,0x05f32eec,0xd9fb9d59,0x6d850418,
+        0x0c30f1cf,0x59cfadbb },
+      { 0x55cb7fd6,0xe167ac23,0x820426a3,0x249367b8,0x90a78864,0xeaeec58c,
+        0x354a4b67,0x5babf362 } },
+    /* 246 */
+    { { 0xee424865,0x37c981d1,0xf2e5577f,0x8b002878,0xb9e0c058,0x702970f1,
+        0x9026c8f0,0x6188c6a7 },
+      { 0xd0f244da,0x06f9a19b,0xfb080873,0x1ecced5c,0x9f213637,0x35470f9b,
+        0xdf50b9d9,0x993fe475 } },
+    /* 247 */
+    { { 0x9b2c3609,0x68e31cdf,0x2c46d4ea,0x84eb19c0,0x9a775101,0x7ac9ec1a,
+        0x4c80616b,0x81f76466 },
+      { 0x75fbe978,0x1d7c2a5a,0xf183b356,0x6743fed3,0x501dd2bf,0x838d1f04,
+        0x5fe9060d,0x564a812a } },
+    /* 248 */
+    { { 0xfa817d1d,0x7a5a64f4,0xbea82e0f,0x55f96844,0xcd57f9aa,0xb5ff5a0f,
+        0x00e51d6c,0x226bf3cf },
+      { 0x2f2833cf,0xd6d1a9f9,0x4f4f89a8,0x20a0a35a,0x8f3f7f77,0x11536c49,
+        0xff257836,0x68779f47 } },
+    /* 249 */
+    { { 0x73043d08,0x79b0c1c1,0x1fc020fa,0xa5446774,0x9a6d26d0,0xd3767e28,
+        0xeb092e0b,0x97bcb0d1 },
+      { 0xf32ed3c3,0x2ab6eaa8,0xb281bc48,0xc8a4f151,0xbfa178f3,0x4d1bf4f3,
+        0x0a784655,0xa872ffe8 } },
+    /* 250 */
+    { { 0xa32b2086,0xb1ab7935,0x8160f486,0xe1eb710e,0x3b6ae6be,0x9bd0cd91,
+        0xb732a36a,0x02812bfc },
+      { 0xcf605318,0xa63fd7ca,0xfdfd6d1d,0x646e5d50,0x2102d619,0xa1d68398,
+        0xfe5396af,0x07391cc9 } },
+    /* 251 */
+    { { 0x8b80d02b,0xc50157f0,0x62877f7f,0x6b8333d1,0x78d542ae,0x7aca1af8,
+        0x7e6d2a08,0x355d2adc },
+      { 0x287386e1,0xb41f335a,0xf8e43275,0xfd272a94,0xe79989ea,0x286ca2cd,
+        0x7c2a3a79,0x3dc2b1e3 } },
+    /* 252 */
+    { { 0x04581352,0xd689d21c,0x376782be,0x0a00c825,0x9fed701f,0x203bd590,
+        0x3ccd846b,0xc4786910 },
+      { 0x24c768ed,0x5dba7708,0x6841f657,0x72feea02,0x6accce0e,0x73313ed5,
+        0xd5bb4d32,0xccc42968 } },
+    /* 253 */
+    { { 0x3d7620b9,0x94e50de1,0x5992a56a,0xd89a5c8a,0x675487c9,0xdc007640,
+        0xaa4871cf,0xe147eb42 },
+      { 0xacf3ae46,0x274ab4ee,0x50350fbe,0xfd4936fb,0x48c840ea,0xdf2afe47,
+        0x080e96e3,0x239ac047 } },
+    /* 254 */
+    { { 0x2bfee8d4,0x481d1f35,0xfa7b0fec,0xce80b5cf,0x2ce9af3c,0x105c4c9e,
+        0xf5f7e59d,0xc55fa1a3 },
+      { 0x8257c227,0x3186f14e,0x342be00b,0xc5b1653f,0xaa904fb2,0x09afc998,
+        0xd4f4b699,0x094cd99c } },
+    /* 255 */
+    { { 0xd703beba,0x8a981c84,0x32ceb291,0x8631d150,0xe3bd49ec,0xa445f2c9,
+        0x42abad33,0xb90a30b6 },
+      { 0xb4a5abf9,0xb465404f,0x75db7603,0x004750c3,0xca35d89f,0x6f9a42cc,
+        0x1b7924f7,0x019f8b9a } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+
+            err = sp_256_ecc_mulmod_base_8(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_8(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+static void sp_256_add_one_8(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldr	r1, [%[a], #0]\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "adds	r1, r1, #1\n\t"
+        "adcs	r2, r2, #0\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "str	r2, [%[a], #4]\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "adcs	r1, r1, #0\n\t"
+        "adcs	r2, r2, #0\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "str	r2, [%[a], #20]\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2", "r3", "r4"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_8(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 8, buf, (int)sizeof(buf));
+            if (sp_256_cmp_8(k, p256_order2) < 0) {
+                sp_256_add_one_8(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_8(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_8(point->x) == 0) || (sp_256_iszero_8(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_8(infinity, 1, heap);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 256 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<8 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, priv);
+        sp_256_point_from_ecc_point_8(point, pub);
+            err = sp_256_ecc_mulmod_8(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_256_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #64\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #28\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #32\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #56\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_256_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #32\n\t"
+        "mov	r10, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r3, r4, r8, r9\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [sp]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #28]\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "ldr	r3, [sp, #0]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r6, [sp, #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r6, [sp, #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "add	sp, sp, #32\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_in_place_8(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #32\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_in_place_8(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_256_mul_d_8(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #32\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r7\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_256_word_8(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_256_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_div_8(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[16], t2[9];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[7];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 8);
+    for (i=7; i>=0; i--) {
+        r1 = div_256_word_8(t1[8 + i], t1[8 + i - 1], div);
+
+        sp_256_mul_d_8(t2, d, r1);
+        t1[8 + i] += sp_256_sub_in_place_8(&t1[i], t2);
+        t1[8 + i] -= t2[8];
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_256_cmp_8(t1, d) >= 0;
+    sp_256_cond_sub_8(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_8(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_256_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #64\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #28\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #32\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #56\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_256_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #32\n\t"
+        "mov	r14, #0\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "umull	r8, r3, r10, r10\n\t"
+        "mov	r4, #0\n\t"
+        "str	r8, [sp]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #28]\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adc	r2, r2, r9\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r8, [sp, #12]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r8, [%[r], #12]\n\t"
+        "ldr	r2, [sp, #16]\n\t"
+        "ldr	r3, [sp, #20]\n\t"
+        "ldr	r4, [sp, #24]\n\t"
+        "ldr	r8, [sp, #28]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r8, [%[r], #28]\n\t"
+        "add	sp, sp, #32\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r8", "r9", "r10", "r8", "r5", "r6", "r7", "r14"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint32_t p256_order_minus_2[8] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU,0xffffffffU,0xffffffffU,
+    0x00000000U,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint32_t p256_order_low[4] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_8(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_8(r, a);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_8(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_8(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_8(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t, t);
+        if ((p256_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_8(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_8(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_8(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_8(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_8(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_8(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_8(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_8(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_8(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_8(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_8(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*8];
+    sp_digit xd[2*8];
+    sp_digit kd[2*8];
+    sp_digit rd[2*8];
+    sp_digit td[3 * 2*8];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 8;
+        x = d + 2 * 8;
+        k = d + 4 * 8;
+        r = d + 6 * 8;
+        tmp = d + 8 * 8;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 8, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 8, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_8(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 8, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 8U);
+            sp_256_norm_8(r);
+            c = sp_256_cmp_8(r, p256_order);
+            sp_256_cond_sub_8(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_8(k, k, p256_norm_order);
+            err = sp_256_mod_8(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_8(kInv, k, tmp);
+            sp_256_norm_8(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_8(x, x, r);
+            err = sp_256_mod_8(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(x);
+            carry = sp_256_add_8(s, e, x);
+            sp_256_cond_sub_8(s, s, p256_order, 0 - carry);
+            sp_256_norm_8(s);
+            c = sp_256_cmp_8(s, p256_order);
+            sp_256_cond_sub_8(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_8(s, s, kInv);
+            sp_256_norm_8(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_8(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 8);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 8U);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*8];
+    sp_digit u2d[2*8];
+    sp_digit sd[2*8];
+    sp_digit tmpd[2*8 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_256_point_new_8(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 8;
+        u2  = d + 2 * 8;
+        s   = d + 4 * 8;
+        tmp = d + 6 * 8;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 8, hash, (int)hashLen);
+        sp_256_from_mp(u2, 8, r);
+        sp_256_from_mp(s, 8, sm);
+        sp_256_from_mp(p2->x, 8, pX);
+        sp_256_from_mp(p2->y, 8, pY);
+        sp_256_from_mp(p2->z, 8, pZ);
+
+        {
+            sp_256_mul_8(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_8(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_8(s);
+        {
+            sp_256_mont_inv_order_8(s, s, tmp);
+            sp_256_mont_mul_order_8(u1, u1, s);
+            sp_256_mont_mul_order_8(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_8(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_8(p1, p1, p2, tmp);
+            if (sp_256_iszero_8(p1->z)) {
+                if (sp_256_iszero_8(p1->x) && sp_256_iszero_8(p1->y)) {
+                    sp_256_proj_point_dbl_8(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 8, r);
+        err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_8(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 8, r);
+            carry = sp_256_add_8(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_8(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_8(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_8(p1, 0, heap);
+    sp_256_point_free_8(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_8(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*8];
+    sp_digit t2d[2*8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_8(t1, point->y);
+        (void)sp_256_mod_8(t1, t1, p256_mod);
+        sp_256_sqr_8(t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        sp_256_mul_8(t2, t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        (void)sp_256_sub_8(t2, p256_mod, t2);
+        sp_256_mont_add_8(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_8(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_8(pub, NULL);
+    }
+
+    sp_256_point_free_8(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[8];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 8, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_8(pub->x) != 0) &&
+            (sp_256_iszero_8(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_8(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_8(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_8(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_8(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_8(p->x) == 0) ||
+            (sp_256_iszero_8(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_8(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_8(p->x, pub->x) != 0 ||
+            sp_256_cmp_8(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+        sp_256_from_mp(q->x, 8, qX);
+        sp_256_from_mp(q->y, 8, qY);
+        sp_256_from_mp(q->z, 8, qZ);
+
+            sp_256_proj_point_add_8(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(q, 0, NULL);
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+            sp_256_proj_point_dbl_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+        sp_256_map_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_8(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 8];
+    sp_digit t2d[2 * 8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_8(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_8(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_8(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_8(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_8(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_8(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 8];
+    sp_digit yd[2 * 8];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 8;
+        y = d + 2 * 8;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 8, xm);
+        err = sp_256_mod_mul_norm_8(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_8(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_8(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_8(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_8(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_8(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 8, 0, 8U * sizeof(sp_digit));
+        sp_256_mont_reduce_8(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_8(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 12];
+    sp_digit y[2 * 12];
+    sp_digit z[2 * 12];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[12] = {
+    0xffffffff,0x00000000,0x00000000,0xffffffff,0xfffffffe,0xffffffff,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[12] = {
+    0x00000001,0xffffffff,0xffffffff,0x00000000,0x00000001,0x00000000,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[12] = {
+    0xccc52973,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[12] = {
+    0xccc52971,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[12] = {
+    0x333ad68d,0x1313e695,0xb74f5885,0xa7e5f24d,0x0bc8d220,0x389cb27e,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0xe88fdc45;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x72760ab7,0x3a545e38,0xbf55296c,0x5502f25d,0x82542a38,0x59f741e0,
+        0x8ba79b98,0x6e1d3b62,0xf320ad74,0x8eb1c71e,0xbe8b0537,0xaa87ca22,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x90ea0e5f,0x7a431d7c,0x1d7e819d,0x0a60b1ce,0xb5f0b8c0,0xe9da3113,
+        0x289a147c,0xf8f41dbd,0x9292dc29,0x5d9e98bf,0x96262c6f,0x3617de4a,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[12] = {
+    0xd3ec2aef,0x2a85c8ed,0x8a2ed19d,0xc656398d,0x5013875a,0x0314088f,
+    0xfe814112,0x181d9c6e,0xe3f82d19,0x988e056b,0xe23ee7e4,0xb3312fa7
+};
+#endif
+
+static int sp_384_point_new_ex_12(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_12(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* t;
+#else
+    int64_t t[12];
+#endif
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (int64_t*)XMALLOC(sizeof(int64_t) * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + (uint64_t)a[0] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[8] + (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[9] + (uint64_t)a[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + (uint64_t)a[0] - (uint64_t)a[2] + (uint64_t)a[3] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[10] - (uint64_t)a[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[3] + (uint64_t)a[4] + (uint64_t)a[8] + 2 * (uint64_t)a[9] + (uint64_t)a[10] -  2 * (uint64_t)a[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[4] + (uint64_t)a[5] + (uint64_t)a[9] + 2 * (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + (uint64_t)a[2] + (uint64_t)a[3] - (uint64_t)a[5] + (uint64_t)a[6] + (uint64_t)a[10] + 2 * (uint64_t)a[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + (uint64_t)a[3] + (uint64_t)a[4] - (uint64_t)a[6] + (uint64_t)a[7] + (uint64_t)a[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + (uint64_t)a[4] + (uint64_t)a[5] - (uint64_t)a[7] + (uint64_t)a[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + (uint64_t)a[5] + (uint64_t)a[6] - (uint64_t)a[8] + (uint64_t)a[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + (uint64_t)a[6] + (uint64_t)a[7] - (uint64_t)a[9] + (uint64_t)a[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + (uint64_t)a[7] + (uint64_t)a[8] - (uint64_t)a[10] + (uint64_t)a[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = t[0];
+        r[1] = t[1];
+        r[2] = t[2];
+        r[3] = t[3];
+        r[4] = t[4];
+        r[5] = t[5];
+        r[6] = t[6];
+        r[7] = t[7];
+        r[8] = t[8];
+        r[9] = t[9];
+        r[10] = t[10];
+        r[11] = t[11];
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_12(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 12, pm->x);
+    sp_384_from_mp(p->y, 12, pm->y);
+    sp_384_from_mp(p->z, 12, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 12);
+        r->used = 12;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_12(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_384_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #96\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #44\n\t"
+        "it	cc\n\t"
+        "movcc	r3, #0\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r12, [%[b], r4]\n\t"
+        "umull	r9, r10, r14, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, #0\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #48\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #88\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_384_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #48\n\t"
+        "mov	r10, #0\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r3, r4, r8, r9\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [sp]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #4]\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #8]\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #12]\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #16]\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #20]\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #24]\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #28]\n\t"
+        "#  A[0] * B[8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[0]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #32]\n\t"
+        "#  A[0] * B[9]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[1] * B[8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[1]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[0]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [sp, #36]\n\t"
+        "#  A[0] * B[10]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[1] * B[9]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[2] * B[8]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[2]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[1]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[0]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [sp, #40]\n\t"
+        "#  A[0] * B[11]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[1] * B[10]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[2] * B[9]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[3] * B[8]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[3]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[2]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[1]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[0]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #0]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [sp, #44]\n\t"
+        "#  A[1] * B[11]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[2] * B[10]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[3] * B[9]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[4] * B[8]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[4]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[3]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[2]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[1]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "#  A[2] * B[11]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[3] * B[10]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[4] * B[9]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[5] * B[8]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[5]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[4]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[3]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[2]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "#  A[3] * B[11]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[4] * B[10]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[5] * B[9]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[6] * B[8]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[6]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[5]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[4]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[3]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "#  A[4] * B[11]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[5] * B[10]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[6] * B[9]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[7] * B[8]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[8] * B[7]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[6]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[5]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[4]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #16]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "#  A[5] * B[11]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[6] * B[10]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[7] * B[9]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[8] * B[8]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[9] * B[7]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[6]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[5]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "#  A[6] * B[11]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[7] * B[10]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[8] * B[9]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[9] * B[8]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[10] * B[7]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[6]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #68]\n\t"
+        "#  A[7] * B[11]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[8] * B[10]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[9] * B[9]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[10] * B[8]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "#  A[11] * B[7]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #72]\n\t"
+        "#  A[8] * B[11]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r10, r10\n\t"
+        "#  A[9] * B[10]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[10] * B[9]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "#  A[11] * B[8]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #32]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "#  A[9] * B[11]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r10, r10\n\t"
+        "#  A[10] * B[10]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "#  A[11] * B[9]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #80]\n\t"
+        "#  A[10] * B[11]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r10, r10\n\t"
+        "#  A[11] * B[10]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #84]\n\t"
+        "#  A[11] * B[11]\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "umull	r6, r7, r8, r9\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r7\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "str	r5, [%[r], #92]\n\t"
+        "ldr	r3, [sp, #0]\n\t"
+        "ldr	r4, [sp, #4]\n\t"
+        "ldr	r5, [sp, #8]\n\t"
+        "ldr	r6, [sp, #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [sp, #16]\n\t"
+        "ldr	r4, [sp, #20]\n\t"
+        "ldr	r5, [sp, #24]\n\t"
+        "ldr	r6, [sp, #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [sp, #32]\n\t"
+        "ldr	r4, [sp, #36]\n\t"
+        "ldr	r5, [sp, #40]\n\t"
+        "ldr	r6, [sp, #44]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "str	r5, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "add	sp, sp, #48\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_384_cond_sub_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], r9, %[c]\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #48\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "subs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "sbcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+#define sp_384_mont_reduce_order_12   sp_384_mont_reduce_12
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_384_mont_reduce_12(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "# i = 0\n\t"
+        "mov	r12, #0\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "ldr	r14, [%[a], #4]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	r8, %[mp], r10\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "ldr	r7, [%[m], #0]\n\t"
+        "ldr	r9, [%[a], #0]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r10, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "ldr	r7, [%[m], #4]\n\t"
+        "ldr	r9, [%[a], #4]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r10, r14, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r10, r10, r5\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	r7, [%[m], #8]\n\t"
+        "ldr	r14, [%[a], #8]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r14, r14, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r14, r14, r4\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	r7, [%[m], #12]\n\t"
+        "ldr	r9, [%[a], #12]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #12]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	r7, [%[m], #16]\n\t"
+        "ldr	r9, [%[a], #16]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #16]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	r7, [%[m], #20]\n\t"
+        "ldr	r9, [%[a], #20]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #20]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	r7, [%[m], #24]\n\t"
+        "ldr	r9, [%[a], #24]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #24]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	r7, [%[m], #28]\n\t"
+        "ldr	r9, [%[a], #28]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #28]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	r7, [%[m], #32]\n\t"
+        "ldr	r9, [%[a], #32]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #32]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	r7, [%[m], #36]\n\t"
+        "ldr	r9, [%[a], #36]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r4, r7, #0\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #36]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	r7, [%[m], #40]\n\t"
+        "ldr	r9, [%[a], #40]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adc	r5, r7, #0\n\t"
+        "adds	r9, r9, r4\n\t"
+        "str	r9, [%[a], #40]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	r7, [%[m], #44]\n\t"
+        "ldr   r9, [%[a], #44]\n\t"
+        "umull	r6, r7, r8, r7\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r7, r7, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        "adc	%[ca], %[ca], %[ca]\n\t"
+        "adds	r9, r9, r5\n\t"
+        "str	r9, [%[a], #44]\n\t"
+        "ldr	r9, [%[a], #48]\n\t"
+        "adcs	r9, r9, r7\n\t"
+        "str	r9, [%[a], #48]\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "# i += 1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	r12, r12, #4\n\t"
+        "cmp	r12, #48\n\t"
+        "blt	1b\n\t"
+        "str	r10, [%[a], #0]\n\t"
+        "str	r14, [%[a], #4]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    sp_384_cond_sub_12(a - 12, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_384_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #96\n\t"
+        "mov	r12, #0\n\t"
+        "mov	r6, #0\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r8, #0\n\t"
+        "mov	r5, #0\n\t"
+        "\n1:\n\t"
+        "subs	r3, r5, #44\n\t"
+        "it	cc\n\t"
+        "movcc	r3, r12\n\t"
+        "sub	r4, r5, r3\n\t"
+        "\n2:\n\t"
+        "cmp	r4, r3\n\t"
+        "beq	4f\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "ldr	r9, [%[a], r4]\n\t"
+        "umull	r9, r10, r14, r9\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "ldr	r14, [%[a], r3]\n\t"
+        "umull	r9, r10, r14, r14\n\t"
+        "adds	r6, r6, r9\n\t"
+        "adcs	r7, r7, r10\n\t"
+        "adc	r8, r8, r12\n\t"
+        "\n5:\n\t"
+        "add	r3, r3, #4\n\t"
+        "sub	r4, r4, #4\n\t"
+        "cmp	r3, #48\n\t"
+        "beq	3f\n\t"
+        "cmp	r3, r4\n\t"
+        "bgt	3f\n\t"
+        "cmp	r3, r5\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "mov	r6, r7\n\t"
+        "mov	r7, r8\n\t"
+        "mov	r8, #0\n\t"
+        "add	r5, r5, #4\n\t"
+        "cmp	r5, #88\n\t"
+        "ble	1b\n\t"
+        "str	r6, [sp, r5]\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [sp, #0]\n\t"
+        "ldr	r7, [sp, #4]\n\t"
+        "ldr	r8, [sp, #8]\n\t"
+        "ldr	r3, [sp, #12]\n\t"
+        "str	r6, [%[r], #0]\n\t"
+        "str	r7, [%[r], #4]\n\t"
+        "str	r8, [%[r], #8]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "add	sp, sp, #16\n\t"
+        "add	%[r], %[r], #16\n\t"
+        "subs	r5, r5, #16\n\t"
+        "bgt	4b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r9", "r12"
+    );
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_384_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "sub	sp, sp, #48\n\t"
+        "mov	r14, #0\n\t"
+        "#  A[0] * A[0]\n\t"
+        "ldr	r10, [%[a], #0]\n\t"
+        "umull	r8, r3, r10, r10\n\t"
+        "mov	r4, #0\n\t"
+        "str	r8, [sp]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #4]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[1] * A[1]\n\t"
+        "ldr	r10, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [sp, #8]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[1] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [sp, #12]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[1] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[2] * A[2]\n\t"
+        "ldr	r10, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [sp, #16]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #20]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[3]\n\t"
+        "ldr	r10, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #24]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #28]\n\t"
+        "#  A[0] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[4]\n\t"
+        "ldr	r10, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #32]\n\t"
+        "#  A[0] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [sp, #36]\n\t"
+        "#  A[0] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[5]\n\t"
+        "ldr	r10, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [sp, #40]\n\t"
+        "#  A[0] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #0]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[1] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[2] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [sp, #44]\n\t"
+        "#  A[1] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[2] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[3] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[6]\n\t"
+        "ldr	r10, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "#  A[2] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[3] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[4] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "#  A[3] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[4] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[5] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[7]\n\t"
+        "ldr	r10, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "#  A[4] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[5] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[6] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r2, r2, r5\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adc	r4, r4, r7\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "#  A[5] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r2, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[6] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[7] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[8]\n\t"
+        "ldr	r10, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adc	r2, r2, r7\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "#  A[6] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r5, r6, r10, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "#  A[7] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "#  A[8] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r5, r5, r8\n\t"
+        "adcs	r6, r6, r9\n\t"
+        "adc	r7, r7, r14\n\t"
+        "adds	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adc	r7, r7, r7\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r2, r2, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "#  A[7] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[8] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "#  A[9] * A[9]\n\t"
+        "ldr	r10, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #72]\n\t"
+        "#  A[8] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r14, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "#  A[9] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adcs	r4, r4, r9\n\t"
+        "adc	r2, r2, r14\n\t"
+        "str	r3, [%[r], #76]\n\t"
+        "#  A[9] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r14, r14\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "#  A[10] * A[10]\n\t"
+        "ldr	r10, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r2, r2, r9\n\t"
+        "adc	r3, r3, r14\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "#  A[10] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "umull	r8, r9, r10, r8\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r14, r14\n\t"
+        "adds	r2, r2, r8\n\t"
+        "adcs	r3, r3, r9\n\t"
+        "adc	r4, r4, r14\n\t"
+        "str	r2, [%[r], #84]\n\t"
+        "#  A[11] * A[11]\n\t"
+        "ldr	r10, [%[a], #44]\n\t"
+        "umull	r8, r9, r10, r10\n\t"
+        "adds	r3, r3, r8\n\t"
+        "adc	r4, r4, r9\n\t"
+        "str	r3, [%[r], #88]\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r2, [sp, #0]\n\t"
+        "ldr	r3, [sp, #4]\n\t"
+        "ldr	r4, [sp, #8]\n\t"
+        "ldr	r8, [sp, #12]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r8, [%[r], #12]\n\t"
+        "ldr	r2, [sp, #16]\n\t"
+        "ldr	r3, [sp, #20]\n\t"
+        "ldr	r4, [sp, #24]\n\t"
+        "ldr	r8, [sp, #28]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r8, [%[r], #28]\n\t"
+        "ldr	r2, [sp, #32]\n\t"
+        "ldr	r3, [sp, #36]\n\t"
+        "ldr	r4, [sp, #40]\n\t"
+        "ldr	r8, [sp, #44]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r8, [%[r], #44]\n\t"
+        "add	sp, sp, #48\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r8", "r9", "r10", "r8", "r5", "r6", "r7", "r14"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_12(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_12(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_12(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_12(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint32_t p384_mod_minus_2[12] = {
+    0xfffffffdU,0x00000000U,0x00000000U,0xffffffffU,0xfffffffeU,0xffffffffU,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_12(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_12(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_384_mont_mul_12(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    sp_digit* t4 = td + 6 * 12;
+    sp_digit* t5 = td + 8 * 12;
+
+    /* 0x2 */
+    sp_384_mont_sqr_12(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_12(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_12(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_12(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_12(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_12(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_12(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_12(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_12(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_12(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_12(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_12(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_12(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_12(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_12(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_12(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int32_t sp_384_cmp_12(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = -1;
+    sp_digit one = 1;
+
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "mov	r6, #44\n\t"
+        "1:\n\t"
+        "ldr	r4, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r4, r4, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "subs	r6, r6, #4\n\t"
+        "bcs	1b\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mov	r3, #-1\n\t"
+        "ldr		r4, [%[a], #44]\n\t"
+        "ldr		r5, [%[b], #44]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #40]\n\t"
+        "ldr		r5, [%[b], #40]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #36]\n\t"
+        "ldr		r5, [%[b], #36]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #32]\n\t"
+        "ldr		r5, [%[b], #32]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #28]\n\t"
+        "ldr		r5, [%[b], #28]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #24]\n\t"
+        "ldr		r5, [%[b], #24]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #20]\n\t"
+        "ldr		r5, [%[b], #20]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #16]\n\t"
+        "ldr		r5, [%[b], #16]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #12]\n\t"
+        "ldr		r5, [%[b], #12]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #8]\n\t"
+        "ldr		r5, [%[b], #8]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #4]\n\t"
+        "ldr		r5, [%[b], #4]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "ldr		r4, [%[a], #0]\n\t"
+        "ldr		r5, [%[b], #0]\n\t"
+        "and		r4, r4, r3\n\t"
+        "and		r5, r5, r3\n\t"
+        "subs	r4, r4, r5\n\t"
+        "it	hi\n\t"
+        "movhi	%[r], %[one]\n\t"
+        "it	lo\n\t"
+        "movlo	%[r], r3\n\t"
+        "it	ne\n\t"
+        "movne	r3, r7\n\t"
+        "eor	%[r], %[r], r3\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [one] "r" (one)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+#endif
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_384_norm_12(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    int32_t n;
+
+    sp_384_mont_inv_12(t1, p->z, t + 2*12);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_12(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 12, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_12(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_12(r->x, p384_mod);
+    sp_384_cond_sub_12(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_12(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 12, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_12(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_12(r->y, p384_mod);
+    sp_384_cond_sub_12(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #48\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "mov	r4, #0\n\t"
+        "adc	%[c], r4, #0\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r12, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r7, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "ldr	r9, [%[b], #4]\n\t"
+        "ldr	r10, [%[b], #8]\n\t"
+        "ldr	r14, [%[b], #12]\n\t"
+        "adds	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "str	r6, [%[r], #8]\n\t"
+        "str	r7, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r7, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "ldr	r9, [%[b], #20]\n\t"
+        "ldr	r10, [%[b], #24]\n\t"
+        "ldr	r14, [%[b], #28]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "str	r6, [%[r], #24]\n\t"
+        "str	r7, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[a], #40]\n\t"
+        "ldr	r7, [%[a], #44]\n\t"
+        "ldr	r8, [%[b], #32]\n\t"
+        "ldr	r9, [%[b], #36]\n\t"
+        "ldr	r10, [%[b], #40]\n\t"
+        "ldr	r14, [%[b], #44]\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adcs	r5, r5, r9\n\t"
+        "adcs	r6, r6, r10\n\t"
+        "adcs	r7, r7, r14\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "str	r6, [%[r], #40]\n\t"
+        "str	r7, [%[r], #44]\n\t"
+        "adc	%[c], r12, r12\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, b);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_dbl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_tpl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+    o = sp_384_add_12(r, r, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	r12, %[a], #48\n\t"
+        "\n1:\n\t"
+        "rsbs	%[c], %[c], #0\n\t"
+        "ldr	r4, [%[a]], #4\n\t"
+        "ldr	r5, [%[a]], #4\n\t"
+        "ldr	r6, [%[a]], #4\n\t"
+        "ldr	r7, [%[a]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "ldr	r14, [%[b]], #4\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "sbcs	r7, r7, r14\n\t"
+        "str	r4, [%[r]], #4\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        "str	r6, [%[r]], #4\n\t"
+        "str	r7, [%[r]], #4\n\t"
+        "sbc	%[c], r4, r4\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r14", "r12"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b], #0]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "ldr	r9, [%[b], #8]\n\t"
+        "ldr	r10, [%[b], #12]\n\t"
+        "subs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[b], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "ldr	r9, [%[b], #24]\n\t"
+        "ldr	r10, [%[b], #28]\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r7, [%[b], #32]\n\t"
+        "ldr	r8, [%[b], #36]\n\t"
+        "ldr	r9, [%[b], #40]\n\t"
+        "ldr	r10, [%[b], #44]\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "str	r5, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "sbc	%[c], %[c], #0\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_384_cond_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r9, #0\n\t"
+        "mov	r8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	r4, [%[a], r8]\n\t"
+        "ldr	r5, [%[b], r8]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adc	%[c], r9, r9\n\t"
+        "str	r4, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, #48\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#else
+    __asm__ __volatile__ (
+
+        "mov	r9, #0\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adds	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r6, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r6, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r6, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "and	r5, r5, %[m]\n\t"
+        "and	r7, r7, %[m]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adcs	r6, r6, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r6, [%[r], #44]\n\t"
+        "adc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r4", "r6", "r5", "r7", "r8", "r9"
+    );
+#endif /* WOLFSSL_SP_SMALL */
+
+    return c;
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_sub_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_sub_12(r, a, b);
+    sp_384_cond_add_12(r, r, m, o);
+}
+
+static void sp_384_rshift1_12(sp_digit* r, sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a]]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r2, r2, r3, lsl #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "orr	r3, r3, r4, lsl #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "orr	r4, r4, r2, lsl #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "orr	r2, r2, r3, lsl #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "orr	r3, r3, r4, lsl #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "orr	r4, r4, r2, lsl #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "orr	r2, r2, r3, lsl #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "orr	r3, r3, r4, lsl #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "orr	r4, r4, r2, lsl #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "orr	r2, r2, r3, lsl #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "orr	r3, r3, r4, lsl #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_384_div2_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_cond_add_12(r, a, m, 0 - (a[0] & 1));
+    sp_384_rshift1_12(r, r);
+    r[11] |= o << 31;
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_12(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_12(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_12(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_12(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_12(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_12(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_12(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_12(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_12(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_12(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_12(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_12(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_12(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_12(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_12(y, y, t2, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_12(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9]) | (a[10] ^ b[10]) | (a[11] ^ b[11])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_12(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_12(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_12(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_12(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_12(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_12(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_12(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, x, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, y, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_mul_12(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, y, t5, p384_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_fast_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[16];
+    sp_point_384 rtd;
+    sp_digit tmpd[2 * 12 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_384_mod_mul_norm_12(t[1].x, g->x, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].y, g->y, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].z, g->z, p384_mod);
+        t[1].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_384_proj_point_add_12(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_384_proj_point_add_12(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_384_proj_point_add_12(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 10;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_384));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+
+            sp_384_proj_point_add_12(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 12 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_384_point_free_12(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[12];
+    sp_digit y[12];
+} sp_table_entry_384;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_12(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*12;
+    sp_digit* b = t + 4*12;
+    sp_digit* t1 = t + 6*12;
+    sp_digit* t2 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_12(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_12(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_12(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(t2, b, p384_mod);
+        sp_384_mont_sub_12(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_12(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_12(y, b, x, p384_mod);
+        sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(y, y, p384_mod);
+        sp_384_mont_sub_12(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_12(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_12(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(t2, b, p384_mod);
+    sp_384_mont_sub_12(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_12(y, b, x, p384_mod);
+    sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    sp_384_mont_sub_12(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_12(y, y, p384_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_12(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_12(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_12(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_12(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, t3, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_12(t3, t3, x, p384_mod);
+        sp_384_mont_mul_12(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_12(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 12;
+    sp_digit* tmp = t + 4 * 12;
+
+    sp_384_mont_inv_12(t1, a->z, tmp);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_12(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_384_proj_point_dbl_n_12(t, 96, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=95; j<4; j++,x+=96) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=94; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=96) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_12(t, 48, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+        sp_384_point_from_ecc_point_12(point, gm);
+
+            err = sp_384_ecc_mulmod_12(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_384 p384_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 3 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 4 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 5 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 6 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 7 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 8 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 9 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 10 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 11 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 12 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 13 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 14 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 15 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0x2b0c535b,0x29864753,0x70506296,0x90dd6953,0x216ab9ac,0x038cd6b4,
+        0xbe12d76a,0x3df9b7b7,0x5f347bdb,0x13f4d978,0x13e94489,0x222c5c9c },
+      { 0x2680dc64,0x5f8e796f,0x58352417,0x120e7cb7,0xd10740b8,0x254b5d8a,
+        0x5337dee6,0xc38b8efb,0x94f02247,0xf688c2e1,0x6c25bc4c,0x7b5c75f3 } },
+    /* 3 */
+    { { 0x9edffea5,0xe26a3cc3,0x37d7e9fc,0x35bbfd1c,0x9bde3ef6,0xf0e7700d,
+        0x1a538f5a,0x0380eb47,0x05bf9eb3,0x2e9da8bb,0x1a460c3e,0xdbb93c73 },
+      { 0xf526b605,0x37dba260,0xfd785537,0x95d4978e,0xed72a04a,0x24ed793a,
+        0x76005b1a,0x26948377,0x9e681f82,0x99f557b9,0xd64954ef,0xae5f9557 } },
+    /* 4 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 5 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 6 */
+    { { 0x4fc52870,0x28f9c07a,0x1a53a961,0xce0b3748,0x0e1828d9,0xd550fa18,
+        0x6adb225a,0xa24abaf7,0x6e58a348,0xd11ed0a5,0x948acb62,0xf3d811e6 },
+      { 0x4c61ed22,0x8618dd77,0x80b47c9d,0x0bb747f9,0xde6b8559,0x22bf796f,
+        0x680a21e9,0xfdfd1c6d,0x2af2c9dd,0xc0db1577,0xc1e90f3d,0xa09379e6 } },
+    /* 7 */
+    { { 0xe085c629,0x386c66ef,0x095bc89a,0x5fc2a461,0x203f4b41,0x1353d631,
+        0x7e4bd8f5,0x7ca1972b,0xa7df8ce9,0xb077380a,0xee7e4ea3,0xd8a90389 },
+      { 0xe7b14461,0x1bc74dc7,0x0c9c4f78,0xdc2cb014,0x84ef0a10,0x52b4b3a6,
+        0x20327fe2,0xbde6ea5d,0x660f9615,0xb71ec435,0xb8ad8173,0xeede5a04 } },
+    /* 8 */
+    { { 0x893b9a2d,0x5584cbb3,0x00850c5d,0x820c660b,0x7df2d43d,0x4126d826,
+        0x0109e801,0xdd5bbbf0,0x38172f1c,0x85b92ee3,0xf31430d9,0x609d4f93 },
+      { 0xeadaf9d6,0x1e059a07,0x0f125fb0,0x70e6536c,0x560f20e7,0xd6220751,
+        0x7aaf3a9a,0xa59489ae,0x64bae14e,0x7b70e2f6,0x76d08249,0x0dd03701 } },
+    /* 9 */
+    { { 0x8510521f,0x4cc13be8,0xf724cc17,0x87315ba9,0x353dc263,0xb49d83bb,
+        0x0c279257,0x8b677efe,0xc93c9537,0x510a1c1c,0xa4702c99,0x33e30cd8 },
+      { 0x2208353f,0xf0ffc89d,0xced42b2b,0x0170fa8d,0x26e2a5f5,0x090851ed,
+        0xecb52c96,0x81276455,0x7fe1adf4,0x0646c4e1,0xb0868eab,0x513f047e } },
+    /* 10 */
+    { { 0xdf5bdf53,0xc07611f4,0x58b11a6d,0x45d331a7,0x1c4ee394,0x58965daf,
+        0x5a5878d1,0xba8bebe7,0x82dd3025,0xaecc0a18,0xa923eb8b,0xcf2a3899 },
+      { 0xd24fd048,0xf98c9281,0x8bbb025d,0x841bfb59,0xc9ab9d53,0xb8ddf8ce,
+        0x7fef044e,0x538a4cb6,0x23236662,0x092ac21f,0x0b66f065,0xa919d385 } },
+    /* 11 */
+    { { 0x85d480d8,0x3db03b40,0x1b287a7d,0x8cd9f479,0x4a8f3bae,0x8f24dc75,
+        0x3db41892,0x482eb800,0x9c56e0f5,0x38bf9eb3,0x9a91dc6f,0x8b977320 },
+      { 0x7209cfc2,0xa31b05b2,0x05b2db70,0x4c49bf85,0xd619527b,0x56462498,
+        0x1fac51ba,0x3fe51039,0xab4b8342,0xfb04f55e,0x04c6eabf,0xc07c10dc } },
+    /* 12 */
+    { { 0xdb32f048,0xad22fe4c,0x475ed6df,0x5f23bf91,0xaa66b6cb,0xa50ce0c0,
+        0xf03405c0,0xdf627a89,0xf95e2d6a,0x3674837d,0xba42e64e,0x081c95b6 },
+      { 0xe71d6ceb,0xeba3e036,0x6c6b0271,0xb45bcccf,0x0684701d,0x67b47e63,
+        0xe712523f,0x60f8f942,0x5cd47adc,0x82423472,0x87649cbb,0x83027d79 } },
+    /* 13 */
+    { { 0x3615b0b8,0xb3929ea6,0xa54dac41,0xb41441fd,0xb5b6a368,0x8995d556,
+        0x167ef05e,0xa80d4529,0x6d25a27f,0xf6bcb4a1,0x7bd55b68,0x210d6a4c },
+      { 0x25351130,0xf3804abb,0x903e37eb,0x1d2df699,0x084c25c8,0x5f201efc,
+        0xa1c68e91,0x31a28c87,0x563f62a5,0x81dad253,0xd6c415d4,0x5dd6de70 } },
+    /* 14 */
+    { { 0x846612ce,0x29f470fd,0xda18d997,0x986f3eec,0x2f34af86,0x6b84c161,
+        0x46ddaf8b,0x5ef0a408,0xe49e795f,0x14405a00,0xaa2f7a37,0x5f491b16 },
+      { 0xdb41b38d,0xc7f07ae4,0x18fbfcaa,0xef7d119e,0x14443b19,0x3a18e076,
+        0x79a19926,0x4356841a,0xe2226fbe,0x91f4a91c,0x3cc88721,0xdc77248c } },
+    /* 15 */
+    { { 0xe4b1ec9d,0xd570ff1a,0xe7eef706,0x21d23e0e,0xca19e086,0x3cde40f4,
+        0xcd4bb270,0x7d6523c4,0xbf13aa6c,0x16c1f06c,0xd14c4b60,0x5aa7245a },
+      { 0x44b74de8,0x37f81467,0x620a934e,0x839e7a17,0xde8b1aa1,0xf74d14e8,
+        0xf30d75e2,0x8789fa51,0xc81c261e,0x09b24052,0x33c565ee,0x654e2678 } },
+    /* 16 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 17 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 18 */
+    { { 0x7d8c1bba,0x7ecbac01,0x90b0f3d5,0x6058f9c3,0xf6197d0f,0xaee116e3,
+        0x4033b128,0xc4dd7068,0xc209b983,0xf084dba6,0x831dbc4a,0x97c7c2cf },
+      { 0xf96010e8,0x2f4e61dd,0x529faa17,0xd97e4e20,0x69d37f20,0x4ee66660,
+        0x3d366d72,0xccc139ed,0x13488e0f,0x690b6ee2,0xf3a6d533,0x7cad1dc5 } },
+    /* 19 */
+    { { 0xda57a41f,0x660a9a81,0xec0039b6,0xe74a0412,0x5e1dad15,0x42343c6b,
+        0x46681d4c,0x284f3ff5,0x63749e89,0xb51087f1,0x6f9f2f13,0x070f23cc },
+      { 0x5d186e14,0x542211da,0xfddb0dff,0x84748f37,0xdb1f4180,0x41a3aab4,
+        0xa6402d0e,0x25ed667b,0x02f58355,0x2f2924a9,0xfa44a689,0x5844ee7c } },
+    /* 20 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 21 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 22 */
+    { { 0x104cbba5,0xc023780d,0xfa35dd4c,0x6207e747,0x1ca9b6a3,0x35c23928,
+        0x97987b10,0x4ff19be8,0x8022eee8,0xb8476bbf,0xd3bbe74d,0xaa0a4a14 },
+      { 0x187d4543,0x20f94331,0x79f6e066,0x32153870,0xac7e82e1,0x83b0f74e,
+        0x828f06ab,0xa7748ba2,0xc26ef35f,0xc5f0298a,0x8e9a7dbd,0x0f0c5070 } },
+    /* 23 */
+    { { 0xdef029dd,0x0c5c244c,0x850661b8,0x3dabc687,0xfe11d981,0x9992b865,
+        0x6274dbad,0xe9801b8f,0x098da242,0xe54e6319,0x91a53d08,0x9929a91a },
+      { 0x35285887,0x37bffd72,0xf1418102,0xbc759425,0xfd2e6e20,0x9280cc35,
+        0xfbc42ee5,0x735c600c,0x8837619a,0xb7ad2864,0xa778c57b,0xa3627231 } },
+    /* 24 */
+    { { 0x91361ed8,0xae799b5c,0x6c63366c,0x47d71b75,0x1b265a6a,0x54cdd521,
+        0x98d77b74,0xe0215a59,0xbab29db0,0x4424d9b7,0x7fd9e536,0x8b0ffacc },
+      { 0x37b5d9ef,0x46d85d12,0xbfa91747,0x5b106d62,0x5f99ba2d,0xed0479f8,
+        0x1d104de4,0x0e6f3923,0x25e8983f,0x83a84c84,0xf8105a70,0xa9507e0a } },
+    /* 25 */
+    { { 0x14cf381c,0xf6c68a6e,0xc22e31cc,0xaf9d27bd,0xaa8a5ccb,0x23568d4d,
+        0xe338e4d2,0xe431eec0,0x8f52ad1f,0xf1a828fe,0xe86acd80,0xdb6a0579 },
+      { 0x4507832a,0x2885672e,0x887e5289,0x73fc275f,0x05610d08,0x65f80278,
+        0x075ff5b0,0x8d9b4554,0x09f712b5,0x3a8e8fb1,0x2ebe9cf2,0x39f0ac86 } },
+    /* 26 */
+    { { 0x4c52edf5,0xd8fabf78,0xa589ae53,0xdcd737e5,0xd791ab17,0x94918bf0,
+        0xbcff06c9,0xb5fbd956,0xdca46d45,0xf6d3032e,0x41a3e486,0x2cdff7e1 },
+      { 0x61f47ec8,0x6674b3ba,0xeef84608,0x8a882163,0x4c687f90,0xa257c705,
+        0xf6cdf227,0xe30cb2ed,0x7f6ea846,0x2c4c64ca,0xcc6bcd3c,0x186fa17c } },
+    /* 27 */
+    { { 0x1dfcb91e,0x48a3f536,0x646d358a,0x83595e13,0x91128798,0xbd15827b,
+        0x2187757a,0x3ce612b8,0x61bd7372,0x873150a1,0xb662f568,0xf4684530 },
+      { 0x401896f6,0x8833950b,0x77f3e090,0xe11cb89a,0x48e7f4a5,0xb2f12cac,
+        0xf606677e,0x313dd769,0x16579f93,0xfdcf08b3,0x46b8f22b,0x6429cec9 } },
+    /* 28 */
+    { { 0xbb75f9a4,0x4984dd54,0x29d3b570,0x4aef06b9,0x3d6e4c1e,0xb5f84ca2,
+        0xb083ef35,0x24c61c11,0x392ca9ff,0xce4a7392,0x6730a800,0x865d6517 },
+      { 0x722b4a2b,0xca3dfe76,0x7b083e0e,0x12c04bf9,0x1b86b8a5,0x803ce5b5,
+        0x6a7e3e0c,0x3fc7632d,0xc81adbe4,0xc89970c2,0x120e16b1,0x3cbcd3ad } },
+    /* 29 */
+    { { 0xec30ce93,0xfbfb4cc7,0xb72720a2,0x10ed6c7d,0x47b55500,0xec675bf7,
+        0x333ff7c3,0x90725903,0x5075bfc0,0xc7c3973e,0x07acf31b,0xb049ecb0 },
+      { 0x4f58839c,0xb4076eaf,0xa2b05e4f,0x101896da,0xab40c66e,0x3f6033b0,
+        0xc8d864ba,0x19ee9eeb,0x47bf6d2a,0xeb6cf155,0xf826477d,0x8e5a9663 } },
+    /* 30 */
+    { { 0xf7fbd5e1,0x69e62fdd,0x76912b1d,0x38ecfe54,0xd1da3bfb,0x845a3d56,
+        0x1c86f0d4,0x0494950e,0x3bc36ce8,0x83cadbf9,0x4fccc8d1,0x41fce572 },
+      { 0x8332c144,0x05f939c2,0x0871e46e,0xb17f248b,0x66e8aff6,0x3d8534e2,
+        0x3b85c629,0x1d06f1dc,0xa3131b73,0xdb06a32e,0x8b3f64e5,0xf295184d } },
+    /* 31 */
+    { { 0x36ddc103,0xd9653ff7,0x95ef606f,0x25f43e37,0xfe06dce8,0x09e301fc,
+        0x30b6eebf,0x85af2341,0x0ff56b20,0x79b12b53,0xfe9a3c6b,0x9b4fb499 },
+      { 0x51d27ac2,0x0154f892,0x56ca5389,0xd33167e3,0xafc065a6,0x7828ec1f,
+        0x7f746c9b,0x0959a258,0x0c44f837,0xb18f1be3,0xc4132fdb,0xa7946117 } },
+    /* 32 */
+    { { 0x5e3c647b,0xc0426b77,0x8cf05348,0xbfcbd939,0x172c0d3d,0x31d312e3,
+        0xee754737,0x5f49fde6,0x6da7ee61,0x895530f0,0xe8b3a5fb,0xcf281b0a },
+      { 0x41b8a543,0xfd149735,0x3080dd30,0x41a625a7,0x653908cf,0xe2baae07,
+        0xba02a278,0xc3d01436,0x7b21b8f8,0xa0d0222e,0xd7ec1297,0xfdc270e9 } },
+    /* 33 */
+    { { 0xbc7f41d6,0x00873c0c,0x1b7ad641,0xd976113e,0x238443fb,0x2a536ff4,
+        0x41e62e45,0x030d00e2,0x5f545fc6,0x532e9867,0x8e91208c,0xcd033108 },
+      { 0x9797612c,0xd1a04c99,0xeea674e2,0xd4393e02,0xe19742a1,0xd56fa69e,
+        0x85f0590e,0xdd2ab480,0x48a2243d,0xa5cefc52,0x54383f41,0x48cc67b6 } },
+    /* 34 */
+    { { 0xfc14ab48,0x4e50430e,0x26706a74,0x195b7f4f,0xcc881ff6,0x2fe8a228,
+        0xd945013d,0xb1b968e2,0x4b92162b,0x936aa579,0x364e754a,0x4fb766b7 },
+      { 0x31e1ff7f,0x13f93bca,0xce4f2691,0x696eb5ca,0xa2b09e02,0xff754bf8,
+        0xe58e3ff8,0x58f13c9c,0x1678c0b0,0xb757346f,0xa86692b3,0xd54200db } },
+    /* 35 */
+    { { 0x6dda1265,0x9a030bbd,0xe89718dd,0xf7b4f3fc,0x936065b8,0xa6a4931f,
+        0x5f72241c,0xbce72d87,0x65775857,0x6cbb51cb,0x4e993675,0xc7161815 },
+      { 0x2ee32189,0xe81a0f79,0x277dc0b2,0xef2fab26,0xb71f469f,0x9e64f6fe,
+        0xdfdaf859,0xb448ce33,0xbe6b5df1,0x3f5c1c4c,0x1de45f7b,0xfb8dfb00 } },
+    /* 36 */
+    { { 0x4d5bb921,0xc7345fa7,0x4d2b667e,0x5c7e04be,0x282d7a3e,0x47ed3a80,
+        0x7e47b2a4,0x5c2777f8,0x08488e2e,0x89b3b100,0xb2eb5b45,0x9aad77c2 },
+      { 0xdaac34ae,0xd681bca7,0x26afb326,0x2452e4e5,0x41a1ee14,0x0c887924,
+        0xc2407ade,0x743b04d4,0xfc17a2ac,0xcb5e999b,0x4a701a06,0x4dca2f82 } },
+    /* 37 */
+    { { 0x1127bc1a,0x68e31ca6,0x17ead3be,0xa3edd59b,0xe25f5a15,0x67b6b645,
+        0xa420e15e,0x76221794,0x4b1e872e,0x794fd83b,0xb2dece1b,0x7cab3f03 },
+      { 0xca9b3586,0x7119bf15,0x4d250bd7,0xa5545924,0xcc6bcf24,0x173633ea,
+        0xb1b6f884,0x9bd308c2,0x447d38c3,0x3bae06f5,0xf341fe1c,0x54dcc135 } },
+    /* 38 */
+    { { 0x943caf0d,0x56d3598d,0x225ff133,0xce044ea9,0x563fadea,0x9edf6a7c,
+        0x73e8dc27,0x632eb944,0x3190dcab,0x814b467e,0x6dbb1e31,0x2d4f4f31 },
+      { 0xa143b7ca,0x8d69811c,0xde7cf950,0x4ec1ac32,0x37b5fe82,0x223ab5fd,
+        0x9390f1d9,0xe82616e4,0x75804610,0xabff4b20,0x875b08f0,0x11b9be15 } },
+    /* 39 */
+    { { 0x3bbe682c,0x4ae31a3d,0x74eef2dd,0xbc7c5d26,0x3c47dd40,0x92afd10a,
+        0xc14ab9e1,0xec7e0a3b,0xb2e495e4,0x6a6c3dd1,0x309bcd85,0x085ee5e9 },
+      { 0x8c2e67fd,0xf381a908,0xe261eaf2,0x32083a80,0x96deee15,0x0fcd6a49,
+        0x5e524c79,0xe3b8fb03,0x1d5b08b9,0x8dc360d9,0x7f26719f,0x3a06e2c8 } },
+    /* 40 */
+    { { 0x7237cac0,0x5cd9f5a8,0x43586794,0x93f0b59d,0xe94f6c4e,0x4384a764,
+        0xb62782d3,0x8304ed2b,0xcde06015,0x0b8db8b3,0x5dbe190f,0x4336dd53 },
+      { 0x92ab473a,0x57443553,0xbe5ed046,0x031c7275,0x21909aa4,0x3e78678c,
+        0x99202ddb,0x4ab7e04f,0x6977e635,0x2648d206,0x093198be,0xd427d184 } },
+    /* 41 */
+    { { 0x0f9b5a31,0x822848f5,0xbaadb62a,0xbb003468,0x3357559c,0x233a0472,
+        0x79aee843,0x49ef6880,0xaeb9e1e3,0xa89867a0,0x1f6f9a55,0xc151931b },
+      { 0xad74251e,0xd264eb0b,0x4abf295e,0x37b9b263,0x04960d10,0xb600921b,
+        0x4da77dc0,0x0de53dbc,0xd2b18697,0x01d9bab3,0xf7156ddf,0xad54ec7a } },
+    /* 42 */
+    { { 0x79efdc58,0x8e74dc35,0x4ff68ddb,0x456bd369,0xd32096a5,0x724e74cc,
+        0x386783d0,0xe41cff42,0x7c70d8a4,0xa04c7f21,0xe61a19a2,0x41199d2f },
+      { 0x29c05dd2,0xd389a3e0,0xe7e3fda9,0x535f2a6b,0x7c2b4df8,0x26ecf72d,
+        0xfe745294,0x678275f4,0x9d23f519,0x6319c9cc,0x88048fc4,0x1e05a02d } },
+    /* 43 */
+    { { 0xd4d5ffe8,0x75cc8e2e,0xdbea17f2,0xf8bb4896,0xcee3cb4a,0x35059790,
+        0xa47c6165,0x4c06ee85,0x92935d2f,0xf98fff25,0x32ffd7c7,0x34c4a572 },
+      { 0xea0376a2,0xc4b14806,0x4f115e02,0x2ea5e750,0x1e55d7c0,0x532d76e2,
+        0xf31044da,0x68dc9411,0x71b77993,0x9272e465,0x93a8cfd5,0xadaa38bb } },
+    /* 44 */
+    { { 0x7d4ed72a,0x4bf0c712,0xba1f79a3,0xda0e9264,0xf4c39ea4,0x48c0258b,
+        0x2a715138,0xa5394ed8,0xbf06c660,0x4af511ce,0xec5c37cd,0xfcebceef },
+      { 0x779ae8c1,0xf23b75aa,0xad1e606e,0xdeff59cc,0x22755c82,0xf3f526fd,
+        0xbb32cefd,0x64c5ab44,0x915bdefd,0xa96e11a2,0x1143813e,0xab19746a } },
+    /* 45 */
+    { { 0xec837d7d,0x43c78585,0xb8ee0ba4,0xca5b6fbc,0xd5dbb5ee,0x34e924d9,
+        0xbb4f1ca5,0x3f4fa104,0x398640f7,0x15458b72,0xd7f407ea,0x4231faa9 },
+      { 0xf96e6896,0x53e0661e,0xd03b0f9d,0x554e4c69,0x9c7858d1,0xd4fcb07b,
+        0x52cb04fa,0x7e952793,0x8974e7f7,0x5f5f1574,0x6b6d57c8,0x2e3fa558 } },
+    /* 46 */
+    { { 0x6a9951a8,0x42cd4803,0x42792ad0,0xa8b15b88,0xabb29a73,0x18e8bcf9,
+        0x409933e8,0xbfd9a092,0xefb88dc4,0x760a3594,0x40724458,0x14418863 },
+      { 0x99caedc7,0x162a56ee,0x91d101c9,0x8fb12ecd,0x393202da,0xea671967,
+        0xa4ccd796,0x1aac8c4a,0x1cf185a8,0x7db05036,0x8cfd095a,0x0c9f86cd } },
+    /* 47 */
+    { { 0x10b2a556,0x9a728147,0x327b70b2,0x767ca964,0x5e3799b7,0x04ed9e12,
+        0x22a3eb2a,0x6781d2dc,0x0d9450ac,0x5bd116eb,0xa7ebe08a,0xeccac1fc },
+      { 0xdc2d6e94,0xde68444f,0x35ecf21b,0x3621f429,0x29e03a2c,0x14e2d543,
+        0x7d3e7f0a,0x53e42cd5,0x73ed00b9,0xbba26c09,0xc57d2272,0x00297c39 } },
+    /* 48 */
+    { { 0xb8243a7d,0x3aaaab10,0x8fa58c5b,0x6eeef93e,0x9ae7f764,0xf866fca3,
+        0x61ab04d3,0x64105a26,0x03945d66,0xa3578d8a,0x791b848c,0xb08cd3e4 },
+      { 0x756d2411,0x45edc5f8,0xa755128c,0xd4a790d9,0x49e5f6a0,0xc2cf0963,
+        0xf649beaa,0xc66d267d,0x8467039e,0x3ce6d968,0x42f7816f,0x50046c6b } },
+    /* 49 */
+    { { 0x66425043,0x92ae1602,0xf08db890,0x1ff66afd,0x8f162ce5,0x386f5a7f,
+        0xfcf5598f,0x18d2dea0,0x1a8ca18e,0x78372b3a,0x8cd0e6f7,0xdf0d20eb },
+      { 0x75bb4045,0x7edd5e1d,0xb96d94b7,0x252a47ce,0x2c626776,0xbdb29358,
+        0x40dd1031,0x853c3943,0x7d5f47fd,0x9dc9becf,0xbae4044a,0x27c2302f } },
+    /* 50 */
+    { { 0x8f2d49ce,0x2d1d208a,0x162df0a2,0x0d91aa02,0x09a07f65,0x9c5cce87,
+        0x84339012,0xdf07238b,0x419442cd,0x5028e2c8,0x72062aba,0x2dcbd358 },
+      { 0xe4680967,0xb5fbc3cb,0x9f92d72c,0x2a7bc645,0x116c369d,0x806c76e1,
+        0x3177e8d8,0x5c50677a,0x4569df57,0x753739eb,0x36c3f40b,0x2d481ef6 } },
+    /* 51 */
+    { { 0xfea1103e,0x1a2d39fd,0x95f81b17,0xeaae5592,0xf59b264a,0xdbd0aa18,
+        0xcb592ee0,0x90c39c1a,0x9750cca3,0xdf62f80d,0xdf97cc6c,0xda4d8283 },
+      { 0x1e201067,0x0a6dd346,0x69fb1f6b,0x1531f859,0x1d60121f,0x4895e552,
+        0x4c041c91,0x0b21aab0,0xbcc1ccf8,0x9d896c46,0x3141bde7,0xd24da3b3 } },
+    /* 52 */
+    { { 0x53b0a354,0x575a0537,0x0c6ddcd8,0x392ff2f4,0x56157b94,0x0b8e8cff,
+        0x3b1b80d1,0x073e57bd,0x3fedee15,0x2a75e0f0,0xaa8e6f19,0x752380e4 },
+      { 0x6558ffe9,0x1f4e227c,0x19ec5415,0x3a348618,0xf7997085,0xab382d5e,
+        0xddc46ac2,0x5e6deaff,0xfc8d094c,0xe5144078,0xf60e37c6,0xf674fe51 } },
+    /* 53 */
+    { { 0xaf63408f,0x6fb87ae5,0xcd75a737,0xa39c36a9,0xcf4c618d,0x7833313f,
+        0xf034c88d,0xfbcd4482,0x39b35288,0x4469a761,0x66b5d9c9,0x77a711c5 },
+      { 0x944f8d65,0x4a695dc7,0x161aaba8,0xe6da5f65,0x24601669,0x8654e9c3,
+        0x28ae7491,0xbc8b93f5,0x8f5580d8,0x5f1d1e83,0xcea32cc8,0x8ccf9a1a } },
+    /* 54 */
+    { { 0x7196fee2,0x28ab110c,0x874c8945,0x75799d63,0x29aedadd,0xa2629348,
+        0x2be88ff4,0x9714cc7b,0xd58d60d6,0xf71293cf,0x32a564e9,0xda6b6cb3 },
+      { 0x3dd821c2,0xf43fddb1,0x90dd323d,0xf2f2785f,0x048489f8,0x91246419,
+        0xd24c6749,0x61660f26,0xc803c15c,0x961d9e8c,0xfaadc4c9,0x631c6158 } },
+    /* 55 */
+    { { 0xfd752366,0xacf2ebe0,0x139be88b,0xb93c340e,0x0f20179e,0x98f66485,
+        0xff1da785,0x14820254,0x4f85c16e,0x5278e276,0x7aab1913,0xa246ee45 },
+      { 0x53763b33,0x43861eb4,0x45c0bc0d,0xc49f03fc,0xad6b1ea1,0xafff16bc,
+        0x6fd49c99,0xce33908b,0xf7fde8c3,0x5c51e9bf,0xff142c5e,0x076a7a39 } },
+    /* 56 */
+    { { 0x9e338d10,0x04639dfe,0xf42b411b,0x8ee6996f,0xa875cef2,0x960461d1,
+        0x95b4d0ba,0x1057b6d6,0xa906e0bc,0x27639252,0xe1c20f8a,0x2c19f09a },
+      { 0xeef4c43d,0x5b8fc3f0,0x07a84aa9,0xe2e1b1a8,0x835d2bdb,0x5f455528,
+        0x207132dd,0x0f4aee4d,0x3907f675,0xe9f8338c,0x0e0531f0,0x7a874dc9 } },
+    /* 57 */
+    { { 0x97c27050,0x84b22d45,0x59e70bf8,0xbd0b8df7,0x79738b9b,0xb4d67405,
+        0xcd917c4f,0x47f4d5f5,0x13ce6e33,0x9099c4ce,0x521d0f8b,0x942bfd39 },
+      { 0xa43b566d,0x5028f0f6,0x21bff7de,0xaf6e8669,0xc44232cd,0x83f6f856,
+        0xf915069a,0x65680579,0xecfecb85,0xd12095a2,0xdb01ba16,0xcf7f06ae } },
+    /* 58 */
+    { { 0x8ef96c80,0x0f56e3c4,0x3ddb609c,0xd521f2b3,0x7dc1450d,0x2be94102,
+        0x02a91fe2,0x2d21a071,0x1efa37de,0x2e6f74fa,0x156c28a1,0x9a9a90b8 },
+      { 0x9dc7dfcb,0xc54ea9ea,0x2c2c1d62,0xc74e66fc,0x49d3e067,0x9f23f967,
+        0x54dd38ad,0x1c7c3a46,0x5946cee3,0xc7005884,0x45cc045d,0x89856368 } },
+    /* 59 */
+    { { 0xfce73946,0x29da7cd4,0x23168563,0x8f697db5,0xcba92ec6,0x8e235e9c,
+        0x9f91d3ea,0x55d4655f,0xaa50a6cd,0xf3689f23,0x21e6a1a0,0xdcf21c26 },
+      { 0x61b818bf,0xcffbc82e,0xda47a243,0xc74a2f96,0x8bc1a0cf,0x234e980a,
+        0x7929cb6d,0xf35fd6b5,0xefe17d6c,0x81468e12,0x58b2dafb,0xddea6ae5 } },
+    /* 60 */
+    { { 0x7e787b2e,0x294de887,0x39a9310d,0x258acc1f,0xac14265d,0x92d9714a,
+        0x708b48a0,0x18b5591c,0xe1abbf71,0x27cc6bb0,0x568307b9,0xc0581fa3 },
+      { 0xf24d4d58,0x9e0f58a3,0xe0ce2327,0xfebe9bb8,0x9d1be702,0x91fd6a41,
+        0xfacac993,0x9a7d8a45,0x9e50d66d,0xabc0a08c,0x06498201,0x02c342f7 } },
+    /* 61 */
+    { { 0x157bdbc2,0xccd71407,0xad0e1605,0x72fa89c6,0xb92a015f,0xb1d3da2b,
+        0xa0a3fe56,0x8ad9e7cd,0x24f06737,0x160edcbd,0x61275be6,0x79d4db33 },
+      { 0x5f3497c4,0xd3d31fd9,0x04192fb0,0x8cafeaee,0x13a50af3,0xe13ca745,
+        0x8c85aae5,0x18826167,0x9eb556ff,0xce06cea8,0xbdb549f3,0x2eef1995 } },
+    /* 62 */
+    { { 0x50596edc,0x8ed7d3eb,0x905243a2,0xaa359362,0xa4b6d02b,0xa212c2c2,
+        0xc4fbec68,0x611fd727,0xb84f733d,0x8a0b8ff7,0x5f0daf0e,0xd85a6b90 },
+      { 0xd4091cf7,0x60e899f5,0x2eff2768,0x4fef2b67,0x10c33964,0xc1f195cb,
+        0x93626a8f,0x8275d369,0x0d6c840a,0xc77904f4,0x7a868acd,0x88d8b7fd } },
+    /* 63 */
+    { { 0x7bd98425,0x85f23723,0xc70b154e,0xd4463992,0x96687a2e,0xcbb00ee2,
+        0xc83214fd,0x905fdbf7,0x13593684,0x2019d293,0xef51218e,0x0428c393 },
+      { 0x981e909a,0x40c7623f,0x7be192da,0x92513385,0x4010907e,0x48fe480f,
+        0x3120b459,0xdd7a187c,0xa1fd8f3c,0xc9d7702d,0xe358efc5,0x66e4753b } },
+    /* 64 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 65 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 66 */
+    { { 0xc6a2123f,0xb1a358f5,0xfe28df6d,0x927b2d95,0xf199d2f9,0x89702753,
+        0x1a3f82dc,0x0a73754c,0x777affe1,0x063d029d,0xdae6d34d,0x5439817e },
+      { 0x6b8b83c4,0xf7979eef,0x9d945682,0x615cb214,0xc5e57eae,0x8f0e4fac,
+        0x113047dd,0x042b89b8,0x93f36508,0x888356dc,0x5fd1f32f,0xbf008d18 } },
+    /* 67 */
+    { { 0x4e8068db,0x8012aa24,0xa5729a47,0xc72cc641,0x43f0691d,0x3c33df2c,
+        0x1d92145f,0xfa057347,0xb97f7946,0xaefc0f2f,0x2f8121bf,0x813d75cb },
+      { 0x4383bba6,0x05613c72,0xa4224b3f,0xa924ce70,0x5f2179a6,0xe59cecbe,
+        0x79f62b61,0x78e2e8aa,0x53ad8079,0x3ac2cc3b,0xd8f4fa96,0x55518d71 } },
+    /* 68 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 69 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 70 */
+    { { 0xb0ab9645,0xb5e405d3,0xd5f1f711,0xaeec7f98,0x585c2a6e,0x8ad42311,
+        0x512c6944,0x045acb9e,0xa90db1c6,0xae106c4e,0x898e6563,0xb89f33d5 },
+      { 0x7fed2ce4,0x43b07cd9,0xdd815b20,0xf9934e17,0x0a81a349,0x6778d4d5,
+        0x52918061,0x9e616ade,0xd7e67112,0xfa06db06,0x88488091,0x1da23cf1 } },
+    /* 71 */
+    { { 0x42f2c4b5,0x821c46b3,0x66059e47,0x931513ef,0x66f50cd1,0x7030ae43,
+        0x43e7b127,0x43b536c9,0x5fca5360,0x006258cf,0x6b557abf,0xe4e3ee79 },
+      { 0x24c8b22f,0xbb6b3900,0xfcbf1054,0x2eb5e2c1,0x567492af,0x937b18c9,
+        0xacf53957,0xf09432e4,0x1dbf3a56,0x585f5a9d,0xbe0887cf,0xf86751fd } },
+    /* 72 */
+    { { 0x9d10e0b2,0x157399cb,0x60dc51b7,0x1c0d5956,0x1f583090,0x1d496b8a,
+        0x88590484,0x6658bc26,0x03213f28,0x88c08ab7,0x7ae58de4,0x8d2e0f73 },
+      { 0x486cfee6,0x9b79bc95,0xe9e5bc57,0x036a26c7,0xcd8ae97a,0x1ad03601,
+        0xff3a0494,0x06907f87,0x2c7eb584,0x078f4bbf,0x7e8d0a5a,0xe3731bf5 } },
+    /* 73 */
+    { { 0xe1cd0abe,0x72f2282b,0x87efefa2,0xd4f9015e,0x6c3834bd,0x9d189806,
+        0xb8a29ced,0x9c8cdcc1,0xfee82ebc,0x0601b9f4,0x7206a756,0x371052bc },
+      { 0x46f32562,0x76fa1092,0x17351bb4,0xdaad534c,0xb3636bb5,0xc3d64c37,
+        0x45d54e00,0x038a8c51,0x32c09e7c,0x301e6180,0x95735151,0x9764eae7 } },
+    /* 74 */
+    { { 0xcbd5256a,0x8791b19f,0x6ca13a3b,0x4007e0f2,0x4cf06904,0x03b79460,
+        0xb6c17589,0xb18a9c22,0x81d45908,0xa1cb7d7d,0x21bb68f1,0x6e13fa9d },
+      { 0xa71e6e16,0x47183c62,0xe18749ed,0x5cf0ef8e,0x2e5ed409,0x2c9c7f9b,
+        0xe6e117e1,0x042eeacc,0x13fb5a7f,0xb86d4816,0xc9e5feb1,0xea1cf0ed } },
+    /* 75 */
+    { { 0xcea4cc9b,0x6e6573c9,0xafcec8f3,0x5417961d,0xa438b6f6,0x804bf02a,
+        0xdcd4ea88,0xb894b03c,0x3799571f,0xd0f807e9,0x862156e8,0x3466a7f5 },
+      { 0x56515664,0x51e59acd,0xa3c5eb0b,0x55b0f93c,0x6a4279db,0x84a06b02,
+        0xc5fae08e,0x5c850579,0xa663a1a2,0xcf07b8db,0xf46ffc8d,0x49a36bbc } },
+    /* 76 */
+    { { 0x46d93106,0xe47f5acc,0xaa897c9c,0x65b7ade0,0x12d7e4be,0x37cf4c94,
+        0xd4b2caa9,0xa2ae9b80,0xe60357a3,0x5e7ce09c,0xc8ecd5f9,0x29f77667 },
+      { 0xa8a0b1c5,0xdf6868f5,0x62978ad8,0x240858cf,0xdc0002a1,0x0f7ac101,
+        0xffe9aa05,0x1d28a9d7,0x5b962c97,0x744984d6,0x3d28c8b2,0xa8a7c00b } },
+    /* 77 */
+    { { 0xae11a338,0x7c58a852,0xd1af96e7,0xa78613f1,0x5355cc73,0x7e9767d2,
+        0x792a2de6,0x6ba37009,0x124386b2,0x7d60f618,0x11157674,0xab09b531 },
+      { 0x98eb9dd0,0x95a04841,0x15070328,0xe6c17acc,0x489c6e49,0xafc6da45,
+        0xbb211530,0xab45a60a,0x7d7ea933,0xc58d6592,0x095642c6,0xa3ef3c65 } },
+    /* 78 */
+    { { 0xdf010879,0x89d420e9,0x39576179,0x9d25255d,0xe39513b6,0x9cdefd50,
+        0xd5d1c313,0xe4efe45b,0x3f7af771,0xc0149de7,0x340ab06b,0x55a6b4f4 },
+      { 0xebeaf771,0xf1325251,0x878d4288,0x2ab44128,0x18e05afe,0xfcd5832e,
+        0xcc1fb62b,0xef52a348,0xc1c4792a,0x2bd08274,0x877c6dc7,0x345c5846 } },
+    /* 79 */
+    { { 0xbea65e90,0xde15ceb0,0x2416d99c,0x0987f72b,0xfd863dec,0x44db578d,
+        0xac6a3578,0xf617b74b,0xdb48e999,0x9e62bd7a,0xeab1a1be,0x877cae61 },
+      { 0x3a358610,0x23adddaa,0x325e2b07,0x2fc4d6d1,0x1585754e,0x897198f5,
+        0xb392b584,0xf741852c,0xb55f7de1,0x9927804c,0x1aa8efae,0xe9e6c4ed } },
+    /* 80 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 81 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 82 */
+    { { 0xf8e60f5b,0x511188b4,0x48aa2ada,0x7fe67015,0x381abca2,0xdb333cb8,
+        0xdaf3fc97,0xb15e6d9d,0x36aabc03,0x4b24f6eb,0x72a748b4,0xc59789df },
+      { 0x29cf5279,0x26fcb8a5,0x01ad9a6c,0x7a3c6bfc,0x4b8bac9b,0x866cf88d,
+        0x9c80d041,0xf4c89989,0x70add148,0xf0a04241,0x45d81a41,0x5a02f479 } },
+    /* 83 */
+    { { 0xc1c90202,0xfa5c877c,0xf8ac7570,0xd099d440,0xd17881f7,0x428a5b1b,
+        0x5b2501d7,0x61e267db,0xf2e4465b,0xf889bf04,0x76aa4cb8,0x4da3ae08 },
+      { 0xe3e66861,0x3ef0fe26,0x3318b86d,0x5e772953,0x747396df,0xc3c35fbc,
+        0x439ffd37,0x5115a29c,0xb2d70374,0xbfc4bd97,0x56246b9d,0x088630ea } },
+    /* 84 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 85 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+    /* 86 */
+    { { 0xfecf5b9b,0x34e0f9d1,0xf206966a,0xa115b12b,0x1eaa0534,0x5591cf3b,
+        0xfb1558f9,0x5f0293cb,0x1bc703a5,0x1c8507a4,0x862c1f81,0x92e6b81c },
+      { 0xcdaf24e3,0xcc9ebc66,0x72fcfc70,0x68917ecd,0x8157ba48,0x6dc9a930,
+        0xb06ab2b2,0x5d425c08,0x36e929c4,0x362f8ce7,0x62e89324,0x09f6f57c } },
+    /* 87 */
+    { { 0xd29375fb,0x1c7d6b78,0xe35d1157,0xfabd851e,0x4243ea47,0xf6f62dcd,
+        0x8fe30b0f,0x1dd92460,0xffc6e709,0x08166dfa,0x0881e6a7,0xc6c4c693 },
+      { 0xd6a53fb0,0x20368f87,0x9eb4d1f9,0x38718e9f,0xafd7e790,0x03f08acd,
+        0x72fe2a1c,0x0835eb44,0x88076e5d,0x7e050903,0xa638e731,0x538f765e } },
+    /* 88 */
+    { { 0xc2663b4b,0x0e0249d9,0x47cd38dd,0xe700ab5b,0x2c46559f,0xb192559d,
+        0x4bcde66d,0x8f9f74a8,0x3e2aced5,0xad161523,0x3dd03a5b,0xc155c047 },
+      { 0x3be454eb,0x346a8799,0x83b7dccd,0x66ee94db,0xab9d2abe,0x1f6d8378,
+        0x7733f355,0x4a396dd2,0xf53553c2,0x419bd40a,0x731dd943,0xd0ead98d } },
+    /* 89 */
+    { { 0xec142408,0x908e0b0e,0x4114b310,0x98943cb9,0x1742b1d7,0x03dbf7d8,
+        0x693412f4,0xd270df6b,0x8f69e20c,0xc5065494,0x697e43a1,0xa76a90c3 },
+      { 0x4624825a,0xe0fa3384,0x8acc34c2,0x82e48c0b,0xe9a14f2b,0x7b24bd14,
+        0x4db30803,0x4f5dd5e2,0x932da0a3,0x0c77a9e7,0x74c653dc,0x20db90f2 } },
+    /* 90 */
+    { { 0x0e6c5fd9,0x261179b7,0x6c982eea,0xf8bec123,0xd4957b7e,0x47683338,
+        0x0a72f66a,0xcc47e664,0x1bad9350,0xbd54bf6a,0xf454e95a,0xdfbf4c6a },
+      { 0x6907f4fa,0x3f7a7afa,0x865ca735,0x7311fae0,0x2a496ada,0x24737ab8,
+        0x15feb79b,0x13e425f1,0xa1b93c21,0xe9e97c50,0x4ddd3eb5,0xb26b6eac } },
+    /* 91 */
+    { { 0x2a2e5f2b,0x81cab9f5,0xbf385ac4,0xf93caf29,0xc909963a,0xf4bf35c3,
+        0x74c9143c,0x081e7300,0xc281b4c5,0x3ea57fa8,0x9b340741,0xe497905c },
+      { 0x55ab3cfb,0xf556dd8a,0x518db6ad,0xd444b96b,0x5ef4b955,0x34f5425a,
+        0xecd26aa3,0xdda7a3ac,0xda655e97,0xb57da11b,0xc2024c70,0x02da3eff } },
+    /* 92 */
+    { { 0x6481d0d9,0xe24b0036,0x818fdfe2,0x3740dbe5,0x190fda00,0xc1fc1f45,
+        0x3cf27fde,0x329c9280,0x6934f43e,0x7435cb53,0x7884e8fe,0x2b505a5d },
+      { 0x711adcc9,0x6cfcc6a6,0x531e21e1,0xf034325c,0x9b2a8a99,0xa2f4a967,
+        0x3c21bdff,0x9d5f3842,0x31b57d66,0xb25c7811,0x0b8093b9,0xdb5344d8 } },
+    /* 93 */
+    { { 0xae50a2f5,0x0d72e667,0xe4a861d1,0x9b7f8d8a,0x330df1cb,0xa129f70f,
+        0xe04fefc3,0xe90aa5d7,0xe72c3ae1,0xff561ecb,0xcdb955fa,0x0d8fb428 },
+      { 0xd7663784,0xd2235f73,0x7e2c456a,0xc05baec6,0x2adbfccc,0xe5c292e4,
+        0xefb110d5,0x4fd17988,0xd19d49f3,0x27e57734,0x84f679fe,0x188ac4ce } },
+    /* 94 */
+    { { 0xa796c53e,0x7ee344cf,0x0868009b,0xbbf6074d,0x474a1295,0x1f1594f7,
+        0xac11632d,0x66776edc,0x04e2fa5a,0x1862278b,0xc854a89a,0x52665cf2 },
+      { 0x8104ab58,0x7e376464,0x7204fd6d,0x16775913,0x44ea1199,0x86ca06a5,
+        0x1c9240dd,0xaa3f765b,0x24746149,0x5f8501a9,0xdcd251d7,0x7b982e30 } },
+    /* 95 */
+    { { 0xc15f3060,0xe44e9efc,0xa87ebbe6,0x5ad62f2e,0xc79500d4,0x36499d41,
+        0x336fa9d1,0xa66d6dc0,0x5afd3b1f,0xf8afc495,0xe5c9822b,0x1d8ccb24 },
+      { 0x79d7584b,0x4031422b,0xea3f20dd,0xc54a0580,0x958468c5,0x3f837c8f,
+        0xfbea7735,0x3d82f110,0x7dffe2fc,0x679a8778,0x20704803,0x48eba63b } },
+    /* 96 */
+    { { 0xdf46e2f6,0x89b10d41,0x19514367,0x13ab57f8,0x1d469c87,0x067372b9,
+        0x4f6c5798,0x0c195afa,0x272c9acf,0xea43a12a,0x678abdac,0x9dadd8cb },
+      { 0xe182579a,0xcce56c6b,0x2d26c2d8,0x86febadb,0x2a44745c,0x1c668ee1,
+        0x98dc047a,0x580acd86,0x51b9ec2d,0x5a2b79cc,0x4054f6a0,0x007da608 } },
+    /* 97 */
+    { { 0x17b00dd0,0x9e3ca352,0x0e81a7a6,0x046779cb,0xd482d871,0xb999fef3,
+        0xd9233fbc,0xe6f38134,0xf48cd0e0,0x112c3001,0x3c6c66ae,0x934e7576 },
+      { 0xd73234dc,0xb44d4fc3,0x864eafc1,0xfcae2062,0x26bef21a,0x843afe25,
+        0xf3b75fdf,0x61355107,0x794c2e6b,0x8367a5aa,0x8548a372,0x3d2629b1 } },
+    /* 98 */
+    { { 0x437cfaf8,0x6230618f,0x2032c299,0x5b8742cb,0x2293643a,0x949f7247,
+        0x09464f79,0xb8040f1a,0x4f254143,0x049462d2,0x366c7e76,0xabd6b522 },
+      { 0xd5338f55,0x119b392b,0x01495a0c,0x1a80a9ce,0xf8d7537e,0xf3118ca7,
+        0x6bf4b762,0xb715adc2,0xa8482b6c,0x24506165,0x96a7c84d,0xd958d7c6 } },
+    /* 99 */
+    { { 0xbdc21f31,0x9ad8aa87,0x8063e58c,0xadb3cab4,0xb07dd7b8,0xefd86283,
+        0x1be7c6b4,0xc7b9b762,0x015582de,0x2ef58741,0x299addf3,0xc970c52e },
+      { 0x22f24d66,0x78f02e2a,0x74cc100a,0xefec1d10,0x09316e1a,0xaf2a6a39,
+        0x5849dd49,0xce7c2205,0x96bffc4c,0x9c1fe75c,0x7ba06ec0,0xcad98fd2 } },
+    /* 100 */
+    { { 0xb648b73e,0xed76e2d0,0x1cfd285e,0xa9f92ce5,0x2ed13de1,0xa8c86c06,
+        0xa5191a93,0x1d3a574e,0x1ad1b8bf,0x385cdf8b,0x47d2cfe3,0xbbecc28a },
+      { 0x69cec548,0x98d326c0,0xf240a0b2,0x4f5bc1dd,0x29057236,0x241a7062,
+        0xc68294a4,0x0fc6e9c5,0xa319f17a,0x4d04838b,0x9ffc1c6f,0x8b612cf1 } },
+    /* 101 */
+    { { 0x4c3830eb,0x9bb0b501,0x8ee0d0c5,0x3d08f83c,0x79ba9389,0xa4a62642,
+        0x9cbc2914,0x5d5d4044,0x074c46f0,0xae9eb83e,0x74ead7d6,0x63bb758f },
+      { 0xc6bb29e0,0x1c40d2ea,0x4b02f41e,0x95aa2d87,0x53cb199a,0x92989175,
+        0x51584f6d,0xdd91bafe,0x31a1aaec,0x3715efb9,0x46780f9e,0xc1b6ae5b } },
+    /* 102 */
+    { { 0x42772f41,0xcded3e4b,0x3bcb79d1,0x3a700d5d,0x80feee60,0x4430d50e,
+        0xf5e5d4bb,0x444ef1fc,0xe6e358ff,0xc660194f,0x6a91b43c,0xe68a2f32 },
+      { 0x977fe4d2,0x5842775c,0x7e2a41eb,0x78fdef5c,0xff8df00e,0x5f3bec02,
+        0x5852525d,0xf4b840cd,0x4e6988bd,0x0870483a,0xcc64b837,0x39499e39 } },
+    /* 103 */
+    { { 0xb08df5fe,0xfc05de80,0x63ba0362,0x0c12957c,0xd5cf1428,0xea379414,
+        0x54ef6216,0xc559132a,0xb9e65cf8,0x33d5f12f,0x1695d663,0x09c60278 },
+      { 0x61f7a2fb,0x3ac1ced4,0xd4f5eeb8,0xdd838444,0x8318fcad,0x82a38c6c,
+        0xe9f1a864,0x315be2e5,0x442daf47,0x317b5771,0x95aa5f9e,0x81b5904a } },
+    /* 104 */
+    { { 0x8b21d232,0x6b6b1c50,0x8c2cba75,0x87f3dbc0,0xae9f0faf,0xa7e74b46,
+        0xbb7b8079,0x036a0985,0x8d974a25,0x4f185b90,0xd9af5ec9,0x5aa7cef0 },
+      { 0x57dcfffc,0xe0566a70,0xb8453225,0x6ea311da,0x23368aa9,0x72ea1a8d,
+        0x48cd552d,0xed9b2083,0xc80ea435,0xb987967c,0x6c104173,0xad735c75 } },
+    /* 105 */
+    { { 0xcee76ef4,0xaea85ab3,0xaf1d2b93,0x44997444,0xeacb923f,0x0851929b,
+        0x51e3bc0c,0xb080b590,0x59be68a2,0xc4ee1d86,0x64b26cda,0xf00de219 },
+      { 0xf2e90d4d,0x8d7fb5c0,0x77d9ec64,0x00e219a7,0x5d1c491c,0xc4e6febd,
+        0x1a8f4585,0x080e3754,0x48d2af9c,0x4a9b86c8,0xb6679851,0x2ed70db6 } },
+    /* 106 */
+    { { 0x586f25cb,0xaee44116,0xa0fcf70f,0xf7b6861f,0x18a350e8,0x55d2cd20,
+        0x92dc286f,0x861bf3e5,0x6226aba7,0x9ab18ffa,0xa9857b03,0xd15827be },
+      { 0x92e6acef,0x26c1f547,0xac1fbac3,0x422c63c8,0xfcbfd71d,0xa2d8760d,
+        0xb2511224,0x35f6a539,0x048d1a21,0xbaa88fa1,0xebf999db,0x49f1abe9 } },
+    /* 107 */
+    { { 0xf7492b73,0x16f9f4f4,0xcb392b1a,0xcf28ec1e,0x69ca6ffc,0x45b130d4,
+        0xb72efa58,0x28ba8d40,0x5ca066f5,0xace987c7,0x4ad022eb,0x3e399246 },
+      { 0x752555bb,0x63a2d84e,0x9c2ae394,0xaaa93b4a,0xc89539ca,0xcd80424e,
+        0xaa119a99,0x6d6b5a6d,0x379f2629,0xbd50334c,0xef3cc7d3,0x899e925e } },
+    /* 108 */
+    { { 0xbf825dc4,0xb7ff3651,0x40b9c462,0x0f741cc4,0x5cc4fb5b,0x771ff5a9,
+        0x47fd56fe,0xcb9e9c9b,0x5626c0d3,0xbdf053db,0xf7e14098,0xa97ce675 },
+      { 0x6c934f5e,0x68afe5a3,0xccefc46f,0x6cd5e148,0xd7a88586,0xc7758570,
+        0xdd558d40,0x49978f5e,0x64ae00c1,0xa1d5088a,0xf1d65bb2,0x58f2a720 } },
+    /* 109 */
+    { { 0x3e4daedb,0x66fdda4a,0x65d1b052,0x38318c12,0x4c4bbf5c,0x28d910a2,
+        0x78a9cd14,0x762fe5c4,0xd2cc0aee,0x08e5ebaa,0xca0c654c,0xd2cdf257 },
+      { 0x08b717d2,0x48f7c58b,0x386cd07a,0x3807184a,0xae7d0112,0x3240f626,
+        0xc43917b0,0x03e9361b,0x20aea018,0xf261a876,0x7e1e6372,0x53f556a4 } },
+    /* 110 */
+    { { 0x2f512a90,0xc84cee56,0x1b0ea9f1,0x24b3c004,0xe26cc1ea,0x0ee15d2d,
+        0xf0c9ef7d,0xd848762c,0xd5341435,0x1026e9c5,0xfdb16b31,0x8f5b73dc },
+      { 0xd2c75d95,0x1f69bef2,0xbe064dda,0x8d33d581,0x57ed35e6,0x8c024c12,
+        0xc309c281,0xf8d435f9,0xd6960193,0xfd295061,0xe9e49541,0x66618d78 } },
+    /* 111 */
+    { { 0x8ce382de,0x571cfd45,0xde900dde,0x175806ee,0x34aba3b5,0x61849965,
+        0xde7aec95,0xe899778a,0xff4aa97f,0xe8f00f6e,0x010b0c6d,0xae971cb5 },
+      { 0x3af788f1,0x1827eebc,0xe413fe2d,0xd46229ff,0x4741c9b4,0x8a15455b,
+        0xf8e424eb,0x5f02e690,0xdae87712,0x40a1202e,0x64944f6d,0x49b3bda2 } },
+    /* 112 */
+    { { 0x035b2d69,0xd63c6067,0x6bed91b0,0xb507150d,0x7afb39b2,0x1f35f82f,
+        0x16012b66,0xb9bd9c01,0xed0a5f50,0x00d97960,0x2716f7c9,0xed705451 },
+      { 0x127abdb4,0x1576eff4,0xf01e701c,0x6850d698,0x3fc87e2f,0x9fa7d749,
+        0xb0ce3e48,0x0b6bcc6f,0xf7d8c1c0,0xf4fbe1f5,0x02719cc6,0xcf75230e } },
+    /* 113 */
+    { { 0x722d94ed,0x6761d6c2,0x3718820e,0xd1ec3f21,0x25d0e7c6,0x65a40b70,
+        0xbaf3cf31,0xd67f830e,0xb93ea430,0x633b3807,0x0bc96c69,0x17faa0ea },
+      { 0xdf866b98,0xe6bf3482,0xa9db52d4,0x205c1ee9,0xff9ab869,0x51ef9bbd,
+        0x75eeb985,0x3863dad1,0xd3cf442a,0xef216c3b,0xf9c8e321,0x3fb228e3 } },
+    /* 114 */
+    { { 0x0760ac07,0x94f9b70c,0x9d79bf4d,0xf3c9ccae,0xc5ffc83d,0x73cea084,
+        0xdc49c38e,0xef50f943,0xbc9e7330,0xf467a2ae,0x44ea7fba,0x5ee534b6 },
+      { 0x03609e7f,0x20cb6272,0x62fdc9f0,0x09844355,0x0f1457f7,0xaf5c8e58,
+        0xb4b25941,0xd1f50a6c,0x2ec82395,0x77cb247c,0xda3dca33,0xa5f3e1e5 } },
+    /* 115 */
+    { { 0x7d85fa94,0x023489d6,0x2db9ce47,0x0ba40537,0xaed7aad1,0x0fdf7a1f,
+        0x9a4ccb40,0xa57b0d73,0x5b18967c,0x48fcec99,0xb7274d24,0xf30b5b6e },
+      { 0xc81c5338,0x7ccb4773,0xa3ed6bd0,0xb85639e6,0x1d56eada,0x7d9df95f,
+        0x0a1607ad,0xe256d57f,0x957574d6,0x6da7ffdc,0x01c7a8c4,0x65f84046 } },
+    /* 116 */
+    { { 0xcba1e7f1,0x8d45d0cb,0x02b55f64,0xef0a08c0,0x17e19892,0x771ca31b,
+        0x4885907e,0xe1843ecb,0x364ce16a,0x67797ebc,0x8df4b338,0x816d2b2d },
+      { 0x39aa8671,0xe870b0e5,0xc102b5f5,0x9f0db3e4,0x1720c697,0x34296659,
+        0x613c0d2a,0x0ad4c89e,0x418ddd61,0x1af900b2,0xd336e20e,0xe087ca72 } },
+    /* 117 */
+    { { 0xaba10079,0x222831ff,0x6d64fff2,0x0dc5f87b,0x3e8cb330,0x44547907,
+        0x702a33fb,0xe815aaa2,0x5fba3215,0x338d6b2e,0x79f549c8,0x0f7535cb },
+      { 0x2ee95923,0x471ecd97,0xc6d1c09f,0x1e868b37,0xc666ef4e,0x2bc7b8ec,
+        0x808a4bfc,0xf5416589,0x3fbc4d2e,0xf23e9ee2,0x2d75125b,0x4357236c } },
+    /* 118 */
+    { { 0xba9cdb1b,0xfe176d95,0x2f82791e,0x45a1ca01,0x4de4cca2,0x97654af2,
+        0x5cc4bcb9,0xbdbf9d0e,0xad97ac0a,0xf6a7df50,0x61359fd6,0xc52112b0 },
+      { 0x4f05eae3,0x696d9ce3,0xe943ac2b,0x903adc02,0x0848be17,0xa9075347,
+        0x2a3973e5,0x1e20f170,0x6feb67e9,0xe1aacc1c,0xe16bc6b9,0x2ca0ac32 } },
+    /* 119 */
+    { { 0xef871eb5,0xffea12e4,0xa8bf0a7a,0x94c2f25d,0x78134eaa,0x4d1e4c2a,
+        0x0360fb10,0x11ed16fb,0x85fc11be,0x4029b6db,0xf4d390fa,0x5e9f7ab7 },
+      { 0x30646612,0x5076d72f,0xdda1d0d8,0xa0afed1d,0x85a1d103,0x29022257,
+        0x4e276bcd,0xcb499e17,0x51246c3d,0x16d1da71,0x589a0443,0xc72d56d3 } },
+    /* 120 */
+    { { 0xdae5bb45,0xdf5ffc74,0x261bd6dc,0x99068c4a,0xaa98ec7b,0xdc0afa7a,
+        0xf121e96d,0xedd2ee00,0x1414045c,0x163cc7be,0x335af50e,0xb0b1bbce },
+      { 0x01a06293,0xd440d785,0x6552e644,0xcdebab7c,0x8c757e46,0x48cb8dbc,
+        0x3cabe3cb,0x81f9cf78,0xb123f59a,0xddd02611,0xeeb3784d,0x3dc7b88e } },
+    /* 121 */
+    { { 0xc4741456,0xe1b8d398,0x6032a121,0xa9dfa902,0x1263245b,0x1cbfc86d,
+        0x5244718c,0xf411c762,0x05b0fc54,0x96521d54,0xdbaa4985,0x1afab46e },
+      { 0x8674b4ad,0xa75902ba,0x5ad87d12,0x486b43ad,0x36e0d099,0x72b1c736,
+        0xbb6cd6d6,0x39890e07,0x59bace4e,0x8128999c,0x7b535e33,0xd8da430b } },
+    /* 122 */
+    { { 0xc6b75791,0x39f65642,0x21806bfb,0x050947a6,0x1362ef84,0x0ca3e370,
+        0x8c3d2391,0x9bc60aed,0x732e1ddc,0x9b488671,0xa98ee077,0x12d10d9e },
+      { 0x3651b7dc,0xb6f2822d,0x80abd138,0x6345a5ba,0x472d3c84,0x62033262,
+        0xacc57527,0xd54a1d40,0x424447cb,0x6ea46b3a,0x2fb1a496,0x5bc41057 } },
+    /* 123 */
+    { { 0xa751cd0e,0xe70c57a3,0xeba3c7d6,0x190d8419,0x9d47d55a,0xb1c3bee7,
+        0xf912c6d8,0xda941266,0x407a6ad6,0x12e9aacc,0x6e838911,0xd6ce5f11 },
+      { 0x70e1f2ce,0x063ca97b,0x8213d434,0xa3e47c72,0x84df810a,0xa016e241,
+        0xdfd881a4,0x688ad7b0,0xa89bf0ad,0xa37d99fc,0xa23c2d23,0xd8e3f339 } },
+    /* 124 */
+    { { 0x750bed6f,0xbdf53163,0x83e68b0a,0x808abc32,0x5bb08a33,0x85a36627,
+        0x6b0e4abe,0xf72a3a0f,0xfaf0c6ad,0xf7716d19,0x5379b25f,0x22dcc020 },
+      { 0xf9a56e11,0x7400bf8d,0x56a47f21,0x6cb8bad7,0x7a6eb644,0x7c97176f,
+        0xd1f5b646,0xe8fd84f7,0x44ddb054,0x98320a94,0x1dde86f5,0x07071ba3 } },
+    /* 125 */
+    { { 0x98f8fcb9,0x6fdfa0e5,0x94d0d70c,0x89cec8e0,0x106d20a8,0xa0899397,
+        0xba8acc9c,0x915bfb9a,0x5507e01c,0x1370c94b,0x8a821ffb,0x83246a60 },
+      { 0xbe3c378f,0xa8273a9f,0x35a25be9,0x7e544789,0x4dd929d7,0x6cfa4972,
+        0x365bd878,0x987fed9d,0x5c29a7ae,0x4982ac94,0x5ddd7ec5,0x4589a5d7 } },
+    /* 126 */
+    { { 0xa95540a9,0x9fabb174,0x0162c5b0,0x7cfb886f,0xea3dee18,0x17be766b,
+        0xe88e624c,0xff7da41f,0x8b919c38,0xad0b71eb,0xf31ff9a9,0x86a522e0 },
+      { 0x868bc259,0xbc8e6f72,0x3ccef9e4,0x6130c638,0x9a466555,0x09f1f454,
+        0x19b2bfb4,0x8e6c0f09,0x0ca7bb22,0x945c46c9,0x4dafb67b,0xacd87168 } },
+    /* 127 */
+    { { 0x10c53841,0x090c72ca,0x55a4fced,0xc20ae01b,0xe10234ad,0x03f7ebd5,
+        0x85892064,0xb3f42a6a,0xb4a14722,0xbdbc30c0,0x8ca124cc,0x971bc437 },
+      { 0x517ff2ff,0x6f79f46d,0xecba947b,0x6a9c96e2,0x62925122,0x5e79f2f4,
+        0x6a4e91f1,0x30a96bb1,0x2d4c72da,0x1147c923,0x5811e4df,0x65bc311f } },
+    /* 128 */
+    { { 0x139b3239,0x87c7dd7d,0x4d833bae,0x8b57824e,0x9fff0015,0xbcbc4878,
+        0x909eaf1a,0x8ffcef8b,0xf1443a78,0x9905f4ee,0xe15cbfed,0x020dd4a2 },
+      { 0xa306d695,0xca2969ec,0xb93caf60,0xdf940cad,0x87ea6e39,0x67f7fab7,
+        0xf98c4fe5,0x0d0ee10f,0xc19cb91e,0xc646879a,0x7d1d7ab4,0x4b4ea50c } },
+    /* 129 */
+    { { 0x7a0db57e,0x19e40945,0x9a8c9702,0xe6017cad,0x1be5cff9,0xdbf739e5,
+        0xa7a938a2,0x3646b3cd,0x68350dfc,0x04511085,0x56e098b5,0xad3bd6f3 },
+      { 0xee2e3e3e,0x935ebabf,0x473926cb,0xfbd01702,0x9e9fb5aa,0x7c735b02,
+        0x2e3feff0,0xc52a1b85,0x046b405a,0x9199abd3,0x39039971,0xe306fcec } },
+    /* 130 */
+    { { 0x23e4712c,0xd6d9aec8,0xc3c198ee,0x7ca8376c,0x31bebd8a,0xe6d83187,
+        0xd88bfef3,0xed57aff3,0xcf44edc7,0x72a645ee,0x5cbb1517,0xd4e63d0b },
+      { 0xceee0ecf,0x98ce7a1c,0x5383ee8e,0x8f012633,0xa6b455e8,0x3b879078,
+        0xc7658c06,0xcbcd3d96,0x0783336a,0x721d6fe7,0x5a677136,0xf21a7263 } },
+    /* 131 */
+    { { 0x9586ba11,0x19d8b3cd,0x8a5c0480,0xd9e0aeb2,0x2230ef5c,0xe4261dbf,
+        0x02e6bf09,0x095a9dee,0x80dc7784,0x8963723c,0x145157b1,0x5c97dbaf },
+      { 0x4bc4503e,0x97e74434,0x85a6b370,0x0fb1cb31,0xcd205d4b,0x3e8df2be,
+        0xf8f765da,0x497dd1bc,0x6c988a1a,0x92ef95c7,0x64dc4cfa,0x3f924baa } },
+    /* 132 */
+    { { 0x7268b448,0x6bf1b8dd,0xefd79b94,0xd4c28ba1,0xe4e3551f,0x2fa1f8c8,
+        0x5c9187a9,0x769e3ad4,0x40326c0d,0x28843b4d,0x50d5d669,0xfefc8094 },
+      { 0x90339366,0x30c85bfd,0x5ccf6c3a,0x4eeb56f1,0x28ccd1dc,0x0e72b149,
+        0xf2ce978e,0x73ee85b5,0x3165bb23,0xcdeb2bf3,0x4e410abf,0x8106c923 } },
+    /* 133 */
+    { { 0x7d02f4ee,0xc8df0161,0x18e21225,0x8a781547,0x6acf9e40,0x4ea895eb,
+        0x6e5a633d,0x8b000cb5,0x7e981ffb,0xf31d86d5,0x4475bc32,0xf5c8029c },
+      { 0x1b568973,0x764561ce,0xa62996ec,0x2f809b81,0xda085408,0x9e513d64,
+        0xe61ce309,0xc27d815d,0x272999e0,0x0da6ff99,0xfead73f7,0xbd284779 } },
+    /* 134 */
+    { { 0x9b1cdf2b,0x6033c2f9,0xbc5fa151,0x2a99cf06,0x12177b3b,0x7d27d259,
+        0xc4485483,0xb1f15273,0x102e2297,0x5fd57d81,0xc7f6acb7,0x3d43e017 },
+      { 0x3a70eb28,0x41a8bb0b,0x3e80b06b,0x67de2d8e,0x70c28de5,0x09245a41,
+        0xa7b26023,0xad7dbcb1,0x2cbc6c1e,0x70b08a35,0x9b33041f,0xb504fb66 } },
+    /* 135 */
+    { { 0xf97a27c2,0xa8e85ab5,0xc10a011b,0x6ac5ec8b,0xffbcf161,0x55745533,
+        0x65790a60,0x01780e85,0x99ee75b0,0xe451bf85,0x39c29881,0x8907a63b },
+      { 0x260189ed,0x76d46738,0x47bd35cb,0x284a4436,0x20cab61e,0xd74e8c40,
+        0x416cf20a,0x6264bf8c,0x5fd820ce,0xfa5a6c95,0xf24bb5fc,0xfa7154d0 } },
+    /* 136 */
+    { { 0x9b3f5034,0x18482cec,0xcd9e68fd,0x962d445a,0x95746f23,0x266fb1d6,
+        0x58c94a4b,0xc66ade5a,0xed68a5b6,0xdbbda826,0x7ab0d6ae,0x05664a4d },
+      { 0x025e32fc,0xbcd4fe51,0xa96df252,0x61a5aebf,0x31592a31,0xd88a07e2,
+        0x98905517,0x5d9d94de,0x5fd440e7,0x96bb4010,0xe807db4c,0x1b0c47a2 } },
+    /* 137 */
+    { { 0x08223878,0x5c2a6ac8,0xe65a5558,0xba08c269,0x9bbc27fd,0xd22b1b9b,
+        0x72b9607d,0x919171bf,0xe588dc58,0x9ab455f9,0x23662d93,0x6d54916e },
+      { 0x3b1de0c1,0x8da8e938,0x804f278f,0xa84d186a,0xd3461695,0xbf4988cc,
+        0xe10eb0cb,0xf5eae3be,0xbf2a66ed,0x1ff8b68f,0xc305b570,0xa68daf67 } },
+    /* 138 */
+    { { 0x44b2e045,0xc1004cff,0x4b1c05d4,0x91b5e136,0x88a48a07,0x53ae4090,
+        0xea11bb1a,0x73fb2995,0x3d93a4ea,0x32048570,0x3bfc8a5f,0xcce45de8 },
+      { 0xc2b3106e,0xaff4a97e,0xb6848b4f,0x9069c630,0xed76241c,0xeda837a6,
+        0x6cc3f6cf,0x8a0daf13,0x3da018a8,0x199d049d,0xd9093ba3,0xf867c6b1 } },
+    /* 139 */
+    { { 0x56527296,0xe4d42a56,0xce71178d,0xae26c73d,0x6c251664,0x70a0adac,
+        0x5dc0ae1d,0x813483ae,0xdaab2daf,0x7574eacd,0xc2d55f4f,0xc56b52dc },
+      { 0x95f32923,0x872bc167,0x5bdd2a89,0x4be17581,0xa7699f00,0x9b57f1e7,
+        0x3ac2de02,0x5fcd9c72,0x92377739,0x83af3ba1,0xfc50b97f,0xa64d4e2b } },
+    /* 140 */
+    { { 0x0e552b40,0x2172dae2,0xd34d52e8,0x62f49725,0x07958f98,0x7930ee40,
+        0x751fdd74,0x56da2a90,0xf53e48c3,0xf1192834,0x8e53c343,0x34d2ac26 },
+      { 0x13111286,0x1073c218,0xda9d9827,0x201dac14,0xee95d378,0xec2c29db,
+        0x1f3ee0b1,0x9316f119,0x544ce71c,0x7890c9f0,0x27612127,0xd77138af } },
+    /* 141 */
+    { { 0x3b4ad1cd,0x78045e6d,0x4aa49bc1,0xcd86b94e,0xfd677a16,0x57e51f1d,
+        0xfa613697,0xd9290935,0x34f4d893,0x7a3f9593,0x5d5fcf9b,0x8c9c248b },
+      { 0x6f70d4e9,0x9f23a482,0x63190ae9,0x17273454,0x5b081a48,0x4bdd7c13,
+        0x28d65271,0x1e2de389,0xe5841d1f,0x0bbaaa25,0x746772e5,0xc4c18a79 } },
+    /* 142 */
+    { { 0x593375ac,0x10ee2681,0x7dd5e113,0x4f3288be,0x240f3538,0x9a97b2fb,
+        0x1de6b1e2,0xfa11089f,0x1351bc58,0x516da562,0x2dfa85b5,0x573b6119 },
+      { 0x6cba7df5,0x89e96683,0x8c28ab40,0xf299be15,0xad43fcbf,0xe91c9348,
+        0x9a1cefb3,0xe9bbc7cc,0x738b2775,0xc8add876,0x775eaa01,0x6e3b1f2e } },
+    /* 143 */
+    { { 0xb677788b,0x0365a888,0x3fd6173c,0x634ae8c4,0x9e498dbe,0x30498761,
+        0xc8f779ab,0x08c43e6d,0x4c09aca9,0x068ae384,0x2018d170,0x2380c70b },
+      { 0xa297c5ec,0xcf77fbc3,0xca457948,0xdacbc853,0x336bec7e,0x3690de04,
+        0x14eec461,0x26bbac64,0x1f713abf,0xd1c23c7e,0xe6fd569e,0xf08bbfcd } },
+    /* 144 */
+    { { 0x84770ee3,0x5f8163f4,0x744a1706,0x0e0c7f94,0xe1b2d46d,0x9c8f05f7,
+        0xd01fd99a,0x417eafe7,0x11440e5b,0x2ba15df5,0x91a6fbcf,0xdc5c552a },
+      { 0xa270f721,0x86271d74,0xa004485b,0x32c0a075,0x8defa075,0x9d1a87e3,
+        0xbf0d20fe,0xb590a7ac,0x8feda1f5,0x430c41c2,0x58f6ec24,0x454d2879 } },
+    /* 145 */
+    { { 0x7c525435,0x52b7a635,0x37c4bdbc,0x3d9ef57f,0xdffcc475,0x2bb93e9e,
+        0x7710f3be,0xf7b8ba98,0x21b727de,0x42ee86da,0x2e490d01,0x55ac3f19 },
+      { 0xc0c1c390,0x487e3a6e,0x446cde7b,0x036fb345,0x496ae951,0x089eb276,
+        0x71ed1234,0xedfed4d9,0x900f0b46,0x661b0dd5,0x8582f0d3,0x11bd6f1b } },
+    /* 146 */
+    { { 0x076bc9d1,0x5cf9350f,0xcf3cd2c3,0x15d903be,0x25af031c,0x21cfc8c2,
+        0x8b1cc657,0xe0ad3248,0x70014e87,0xdd9fb963,0x297f1658,0xf0f3a5a1 },
+      { 0xf1f703aa,0xbb908fba,0x2f6760ba,0x2f9cc420,0x66a38b51,0x00ceec66,
+        0x05d645da,0x4deda330,0xf7de3394,0xb9cf5c72,0x1ad4c906,0xaeef6502 } },
+    /* 147 */
+    { { 0x7a19045d,0x0583c8b1,0xd052824c,0xae7c3102,0xff6cfa58,0x2a234979,
+        0x62c733c0,0xfe9dffc9,0x9c0c4b09,0x3a7fa250,0x4fe21805,0x516437bb },
+      { 0xc2a23ddb,0x9454e3d5,0x289c104e,0x0726d887,0x4fd15243,0x8977d918,
+        0x6d7790ba,0xc559e73f,0x465af85f,0x8fd3e87d,0x5feee46b,0xa2615c74 } },
+    /* 148 */
+    { { 0x4335167d,0xc8d607a8,0xe0f5c887,0x8b42d804,0x398d11f9,0x5f9f13df,
+        0x20740c67,0x5aaa5087,0xa3d9234b,0x83da9a6a,0x2a54bad1,0xbd3a5c4e },
+      { 0x2db0f658,0xdd13914c,0x5a3f373a,0x29dcb66e,0x5245a72b,0xbfd62df5,
+        0x91e40847,0x19d18023,0xb136b1ae,0xd9df74db,0x3f93bc5b,0x72a06b6b } },
+    /* 149 */
+    { { 0xad19d96f,0x6da19ec3,0xfb2a4099,0xb342daa4,0x662271ea,0x0e61633a,
+        0xce8c054b,0x3bcece81,0x8bd62dc6,0x7cc8e061,0xee578d8b,0xae189e19 },
+      { 0xdced1eed,0x73e7a25d,0x7875d3ab,0xc1257f0a,0x1cfef026,0x2cb2d5a2,
+        0xb1fdf61c,0xd98ef39b,0x24e83e6c,0xcd8e6f69,0xc7b7088b,0xd71e7076 } },
+    /* 150 */
+    { { 0x9d4245bf,0x33936830,0x2ac2953b,0x22d96217,0x56c3c3cd,0xb3bf5a82,
+        0x0d0699e8,0x50c9be91,0x8f366459,0xec094463,0x513b7c35,0x6c056dba },
+      { 0x045ab0e3,0x687a6a83,0x445c9295,0x8d40b57f,0xa16f5954,0x0f345048,
+        0x3d8f0a87,0x64b5c639,0x9f71c5e2,0x106353a2,0x874f0dd4,0xdd58b475 } },
+    /* 151 */
+    { { 0x62230c72,0x67ec084f,0x481385e3,0xf14f6cca,0x4cda7774,0xf58bb407,
+        0xaa2dbb6b,0xe15011b1,0x0c035ab1,0xd488369d,0x8245f2fd,0xef83c24a },
+      { 0x9fdc2538,0xfb57328f,0x191fe46a,0x79808293,0x32ede548,0xe28f5c44,
+        0xea1a022c,0x1b3cda99,0x3df2ec7f,0x39e639b7,0x760e9a18,0x77b6272b } },
+    /* 152 */
+    { { 0xa65d56d5,0x2b1d51bd,0x7ea696e0,0x3a9b71f9,0x9904f4c4,0x95250ecc,
+        0xe75774b7,0x8bc4d6eb,0xeaeeb9aa,0x0e343f8a,0x930e04cb,0xc473c1d1 },
+      { 0x064cd8ae,0x282321b1,0x5562221c,0xf4b4371e,0xd1bf1221,0xc1cc81ec,
+        0xe2c8082f,0xa52a07a9,0xba64a958,0x350d8e59,0x6fb32c9a,0x29e4f3de } },
+    /* 153 */
+    { { 0xba89aaa5,0x0aa9d56c,0xc4c6059e,0xf0208ac0,0xbd6ddca4,0x7400d9c6,
+        0xf2c2f74a,0xb384e475,0xb1562dd3,0x4c1061fc,0x2e153b8d,0x3924e248 },
+      { 0x849808ab,0xf38b8d98,0xa491aa36,0x29bf3260,0x88220ede,0x85159ada,
+        0xbe5bc422,0x8b47915b,0xd7300967,0xa934d72e,0x2e515d0d,0xc4f30398 } },
+    /* 154 */
+    { { 0x1b1de38b,0xe3e9ee42,0x42636760,0xa124e25a,0x90165b1a,0x90bf73c0,
+        0x146434c5,0x21802a34,0x2e1fa109,0x54aa83f2,0xed9c51e9,0x1d4bd03c },
+      { 0x798751e6,0xc2d96a38,0x8c3507f5,0xed27235f,0xc8c24f88,0xb5fb80e2,
+        0xd37f4f78,0xf873eefa,0xf224ba96,0x7229fd74,0x9edd7149,0x9dcd9199 } },
+    /* 155 */
+    { { 0x4e94f22a,0xee9f81a6,0xf71ec341,0xe5609892,0xa998284e,0x6c818ddd,
+        0x3b54b098,0x9fd47295,0x0e8a7cc9,0x47a6ac03,0xb207a382,0xde684e5e },
+      { 0x2b6b956b,0x4bdd1ecd,0xf01b3583,0x09084414,0x55233b14,0xe2f80b32,
+        0xef5ebc5e,0x5a0fec54,0xbf8b29a2,0x74cf25e6,0x7f29e014,0x1c757fa0 } },
+    /* 156 */
+    { { 0xeb0fdfe4,0x1bcb5c4a,0xf0899367,0xd7c649b3,0x05bc083b,0xaef68e3f,
+        0xa78aa607,0x57a06e46,0x21223a44,0xa2136ecc,0x52f5a50b,0x89bd6484 },
+      { 0x4455f15a,0x724411b9,0x08a9c0fd,0x23dfa970,0x6db63bef,0x7b0da4d1,
+        0xfb162443,0x6f8a7ec1,0xe98284fb,0xc1ac9cee,0x33566022,0x085a582b } },
+    /* 157 */
+    { { 0xec1f138a,0x15cb61f9,0x668f0c28,0x11c9a230,0xdf93f38f,0xac829729,
+        0x4048848d,0xcef25698,0x2bba8fbf,0x3f686da0,0x111c619a,0xed5fea78 },
+      { 0xd6d1c833,0x9b4f73bc,0x86e7bf80,0x50951606,0x042b1d51,0xa2a73508,
+        0x5fb89ec2,0x9ef6ea49,0x5ef8b892,0xf1008ce9,0x9ae8568b,0x78a7e684 } },
+    /* 158 */
+    { { 0x10470cd8,0x3fe83a7c,0xf86df000,0x92734682,0xda9409b5,0xb5dac06b,
+        0x94939c5f,0x1e7a9660,0x5cc116dc,0xdec6c150,0x66bac8cc,0x1a52b408 },
+      { 0x6e864045,0x5303a365,0x9139efc1,0x45eae72a,0x6f31d54f,0x83bec646,
+        0x6e958a6d,0x2fb4a86f,0x4ff44030,0x6760718e,0xe91ae0df,0x008117e3 } },
+    /* 159 */
+    { { 0x384310a2,0x5d5833ba,0x1fd6c9fc,0xbdfb4edc,0x849c4fb8,0xb9a4f102,
+        0x581c1e1f,0xe5fb239a,0xd0a9746d,0xba44b2e7,0x3bd942b9,0x78f7b768 },
+      { 0xc87607ae,0x076c8ca1,0xd5caaa7e,0x82b23c2e,0x2763e461,0x6a581f39,
+        0x3886df11,0xca8a5e4a,0x264e7f22,0xc87e90cf,0x215cfcfc,0x04f74870 } },
+    /* 160 */
+    { { 0x141d161c,0x5285d116,0x93c4ed17,0x67cd2e0e,0x7c36187e,0x12c62a64,
+        0xed2584ca,0xf5329539,0x42fbbd69,0xc4c777c4,0x1bdfc50a,0x107de776 },
+      { 0xe96beebd,0x9976dcc5,0xa865a151,0xbe2aff95,0x9d8872af,0x0e0a9da1,
+        0xa63c17cc,0x5e357a3d,0xe15cc67c,0xd31fdfd8,0x7970c6d8,0xc44bbefd } },
+    /* 161 */
+    { { 0x4c0c62f1,0x703f83e2,0x4e195572,0x9b1e28ee,0xfe26cced,0x6a82858b,
+        0xc43638fa,0xd381c84b,0xa5ba43d8,0x94f72867,0x10b82743,0x3b4a783d },
+      { 0x7576451e,0xee1ad7b5,0x14b6b5c8,0xc3d0b597,0xfcacc1b8,0x3dc30954,
+        0x472c9d7b,0x55df110e,0x02f8a328,0x97c86ed7,0x88dc098f,0xd0433413 } },
+    /* 162 */
+    { { 0x2ca8f2fe,0x1a60d152,0x491bd41f,0x61640948,0x58dfe035,0x6dae29a5,
+        0x278e4863,0x9a615bea,0x9ad7c8e5,0xbbdb4477,0x2ceac2fc,0x1c706630 },
+      { 0x99699b4b,0x5e2b54c6,0x239e17e8,0xb509ca6d,0xea063a82,0x728165fe,
+        0xb6a22e02,0x6b5e609d,0xb26ee1df,0x12813905,0x439491fa,0x07b9f722 } },
+    /* 163 */
+    { { 0x48ff4e49,0x1592ec14,0x6d644129,0x3e4e9f17,0x1156acc0,0x7acf8288,
+        0xbb092b0b,0x5aa34ba8,0x7d38393d,0xcd0f9022,0xea4f8187,0x416724dd },
+      { 0xc0139e73,0x3c4e641c,0x91e4d87d,0xe0fe46cf,0xcab61f8a,0xedb3c792,
+        0xd3868753,0x4cb46de4,0x20f1098a,0xe449c21d,0xf5b8ea6e,0x5e5fd059 } },
+    /* 164 */
+    { { 0x75856031,0x7fcadd46,0xeaf2fbd0,0x89c7a4cd,0x7a87c480,0x1af523ce,
+        0x61d9ae90,0xe5fc1095,0xbcdb95f5,0x3fb5864f,0xbb5b2c7d,0xbeb5188e },
+      { 0x3ae65825,0x3d1563c3,0x0e57d641,0x116854c4,0x1942ebd3,0x11f73d34,
+        0xc06955b3,0x24dc5904,0x995a0a62,0x8a0d4c83,0x5d577b7d,0xfb26b86d } },
+    /* 165 */
+    { { 0xc686ae17,0xc53108e7,0xd1c1da56,0x9090d739,0x9aec50ae,0x4583b013,
+        0xa49a6ab2,0xdd9a088b,0xf382f850,0x28192eea,0xf5fe910e,0xcc8df756 },
+      { 0x9cab7630,0x877823a3,0xfb8e7fc1,0x64984a9a,0x364bfc16,0x5448ef9c,
+        0xc44e2a9a,0xbbb4f871,0x435c95e9,0x901a41ab,0xaaa50a06,0xc6c23e5f } },
+    /* 166 */
+    { { 0x9034d8dd,0xb78016c1,0x0b13e79b,0x856bb44b,0xb3241a05,0x85c6409a,
+        0x2d78ed21,0x8d2fe19a,0x726eddf2,0xdcc7c26d,0x25104f04,0x3ccaff5f },
+      { 0x6b21f843,0x397d7edc,0xe975de4c,0xda88e4dd,0x4f5ab69e,0x5273d396,
+        0x9aae6cc0,0x537680e3,0x3e6f9461,0xf749cce5,0x957bffd3,0x021ddbd9 } },
+    /* 167 */
+    { { 0x777233cf,0x7b64585f,0x0942a6f0,0xfe6771f6,0xdfe6eef0,0x636aba7a,
+        0x86038029,0x63bbeb56,0xde8fcf36,0xacee5842,0xd4a20524,0x48d9aa99 },
+      { 0x0da5e57a,0xcff7a74c,0xe549d6c9,0xc232593c,0xf0f2287b,0x68504bcc,
+        0xbc8360b5,0x6d7d098d,0x5b402f41,0xeac5f149,0xb87d1bf1,0x61936f11 } },
+    /* 168 */
+    { { 0xb8153a9d,0xaa9da167,0x9e83ecf0,0xa49fe3ac,0x1b661384,0x14c18f8e,
+        0x38434de1,0x61c24dab,0x283dae96,0x3d973c3a,0x82754fc9,0xc99baa01 },
+      { 0x4c26b1e3,0x477d198f,0xa7516202,0x12e8e186,0x362addfa,0x386e52f6,
+        0xc3962853,0x31e8f695,0x6aaedb60,0xdec2af13,0x29cf74ac,0xfcfdb4c6 } },
+    /* 169 */
+    { { 0xcca40298,0x6b3ee958,0xf2f5d195,0xc3878153,0xed2eae5b,0x0c565630,
+        0x3a697cf2,0xd089b37e,0xad5029ea,0xc2ed2ac7,0x0f0dda6a,0x7e5cdfad },
+      { 0xd9b86202,0xf98426df,0x4335e054,0xed1960b1,0x3f14639e,0x1fdb0246,
+        0x0db6c670,0x17f709c3,0x773421e1,0xbfc687ae,0x26c1a8ac,0x13fefc4a } },
+    /* 170 */
+    { { 0x7ffa0a5f,0xe361a198,0xc63fe109,0xf4b26102,0x6c74e111,0x264acbc5,
+        0x77abebaf,0x4af445fa,0x24cddb75,0x448c4fdd,0x44506eea,0x0b13157d },
+      { 0x72e9993d,0x22a6b159,0x85e5ecbe,0x2c3c57e4,0xfd83e1a1,0xa673560b,
+        0xc3b8c83b,0x6be23f82,0x40bbe38e,0x40b13a96,0xad17399b,0x66eea033 } },
+    /* 171 */
+    { { 0xb4c6c693,0x49fc6e95,0x36af7d38,0xefc735de,0x35fe42fc,0xe053343d,
+        0x6a9ab7c3,0xf0aa427c,0x4a0fcb24,0xc79f0436,0x93ebbc50,0x16287243 },
+      { 0x16927e1e,0x5c3d6bd0,0x673b984c,0x40158ed2,0x4cd48b9a,0xa7f86fc8,
+        0x60ea282d,0x1643eda6,0xe2a1beed,0x45b393ea,0x19571a94,0x664c839e } },
+    /* 172 */
+    { { 0x27eeaf94,0x57745750,0xea99e1e7,0x2875c925,0x5086adea,0xc127e7ba,
+        0x86fe424f,0x765252a0,0x2b6c0281,0x1143cc6c,0xd671312d,0xc9bb2989 },
+      { 0x51acb0a5,0x880c337c,0xd3c60f78,0xa3710915,0x9262b6ed,0x496113c0,
+        0x9ce48182,0x5d25d9f8,0xb3813586,0x53b6ad72,0x4c0e159c,0x0ea3bebc } },
+    /* 173 */
+    { { 0xc5e49bea,0xcaba450a,0x7c05da59,0x684e5415,0xde7ac36c,0xa2e9cab9,
+        0x2e6f957b,0x4ca79b5f,0x09b817b1,0xef7b0247,0x7d89df0f,0xeb304990 },
+      { 0x46fe5096,0x508f7307,0x2e04eaaf,0x695810e8,0x3512f76c,0x88ef1bd9,
+        0x3ebca06b,0x77661351,0xccf158b7,0xf7d4863a,0x94ee57da,0xb2a81e44 } },
+    /* 174 */
+    { { 0x6d53e6ba,0xff288e5b,0x14484ea2,0xa90de1a9,0xed33c8ec,0x2fadb60c,
+        0x28b66a40,0x579d6ef3,0xec24372d,0x4f2dd6dd,0x1d66ec7d,0xe9e33fc9 },
+      { 0x039eab6e,0x110899d2,0x3e97bb5e,0xa31a667a,0xcfdce68e,0x6200166d,
+        0x5137d54b,0xbe83ebae,0x4800acdf,0x085f7d87,0x0c6f8c86,0xcf4ab133 } },
+    /* 175 */
+    { { 0x931e08fb,0x03f65845,0x1506e2c0,0x6438551e,0x9c36961f,0x5791f0dc,
+        0xe3dcc916,0x68107b29,0xf495d2ca,0x83242374,0x6ee5895b,0xd8cfb663 },
+      { 0xa0349b1b,0x525e0f16,0x4a0fab86,0x33cd2c6c,0x2af8dda9,0x46c12ee8,
+        0x71e97ad3,0x7cc424ba,0x37621eb0,0x69766ddf,0xa5f0d390,0x95565f56 } },
+    /* 176 */
+    { { 0x1a0f5e94,0xe0e7bbf2,0x1d82d327,0xf771e115,0xceb111fa,0x10033e3d,
+        0xd3426638,0xd269744d,0x00d01ef6,0xbdf2d9da,0xa049ceaf,0x1cb80c71 },
+      { 0x9e21c677,0x17f18328,0x19c8f98b,0x6452af05,0x80b67997,0x35b9c5f7,
+        0x40f8f3d4,0x5c2e1cbe,0x66d667ca,0x43f91656,0xcf9d6e79,0x9faaa059 } },
+    /* 177 */
+    { { 0x0a078fe6,0x8ad24618,0x464fd1dd,0xf6cc73e6,0xc3e37448,0x4d2ce34d,
+        0xe3271b5f,0x624950c5,0xefc5af72,0x62910f5e,0xaa132bc6,0x8b585bf8 },
+      { 0xa839327f,0x11723985,0x4aac252f,0x34e2d27d,0x6296cc4e,0x402f59ef,
+        0x47053de9,0x00ae055c,0x28b4f09b,0xfc22a972,0xfa0c180e,0xa9e86264 } },
+    /* 178 */
+    { { 0xbc310ecc,0x0b7b6224,0x67fa14ed,0x8a1a74f1,0x7214395c,0x87dd0960,
+        0xf5c91128,0xdf1b3d09,0x86b264a8,0x39ff23c6,0x3e58d4c5,0xdc2d49d0 },
+      { 0xa9d6f501,0x2152b7d3,0xc04094f7,0xf4c32e24,0xd938990f,0xc6366596,
+        0x94fb207f,0x084d078f,0x328594cb,0xfd99f1d7,0xcb2d96b3,0x36defa64 } },
+    /* 179 */
+    { { 0x13ed7cbe,0x4619b781,0x9784bd0e,0x95e50015,0x2c7705fe,0x2a32251c,
+        0x5f0dd083,0xa376af99,0x0361a45b,0x55425c6c,0x1f291e7b,0x812d2cef },
+      { 0x5fd94972,0xccf581a0,0xe56dc383,0x26e20e39,0x63dbfbf0,0x0093685d,
+        0x36b8c575,0x1fc164cc,0x390ef5e7,0xb9c5ab81,0x26908c66,0x40086beb } },
+    /* 180 */
+    { { 0x37e3c115,0xe5e54f79,0xc1445a8a,0x69b8ee8c,0xb7659709,0x79aedff2,
+        0x1b46fbe6,0xe288e163,0xd18d7bb7,0xdb4844f0,0x48aa6424,0xe0ea23d0 },
+      { 0xf3d80a73,0x714c0e4e,0x3bd64f98,0x87a0aa9e,0x2ec63080,0x8844b8a8,
+        0x255d81a3,0xe0ac9c30,0x455397fc,0x86151237,0x2f820155,0x0b979464 } },
+    /* 181 */
+    { { 0x4ae03080,0x127a255a,0x580a89fb,0x232306b4,0x6416f539,0x04e8cd6a,
+        0x13b02a0e,0xaeb70dee,0x4c09684a,0xa3038cf8,0x28e433ee,0xa710ec3c },
+      { 0x681b1f7d,0x77a72567,0x2fc28170,0x86fbce95,0xf5735ac8,0xd3408683,
+        0x6bd68e93,0x3a324e2a,0xc027d155,0x7ec74353,0xd4427177,0xab60354c } },
+    /* 182 */
+    { { 0xef4c209d,0x32a5342a,0x08d62704,0x2ba75274,0xc825d5fe,0x4bb4af6f,
+        0xd28e7ff1,0x1c3919ce,0xde0340f6,0x1dfc2fdc,0x29f33ba9,0xc6580baf },
+      { 0x41d442cb,0xae121e75,0x3a4724e4,0x4c7727fd,0x524f3474,0xe556d6a4,
+        0x785642a2,0x87e13cc7,0xa17845fd,0x182efbb1,0x4e144857,0xdcec0cf1 } },
+    /* 183 */
+    { { 0xe9539819,0x1cb89541,0x9d94dbf1,0xc8cb3b4f,0x417da578,0x1d353f63,
+        0x8053a09e,0xb7a697fb,0xc35d8b78,0x8d841731,0xb656a7a9,0x85748d6f },
+      { 0xc1859c5d,0x1fd03947,0x535d22a2,0x6ce965c1,0x0ca3aadc,0x1966a13e,
+        0x4fb14eff,0x9802e41d,0x76dd3fcd,0xa9048cbb,0xe9455bba,0x89b182b5 } },
+    /* 184 */
+    { { 0x43360710,0xd777ad6a,0x55e9936b,0x841287ef,0x04a21b24,0xbaf5c670,
+        0x35ad86f1,0xf2c0725f,0xc707e72e,0x338fa650,0xd8883e52,0x2bf8ed2e },
+      { 0xb56e0d6a,0xb0212cf4,0x6843290c,0x50537e12,0x98b3dc6f,0xd8b184a1,
+        0x0210b722,0xd2be9a35,0x559781ee,0x407406db,0x0bc18534,0x5a78d591 } },
+    /* 185 */
+    { { 0xd748b02c,0x4d57aa2a,0xa12b3b95,0xbe5b3451,0x64711258,0xadca7a45,
+        0x322153db,0x597e091a,0x32eb1eab,0xf3271006,0x2873f301,0xbd9adcba },
+      { 0x38543f7f,0xd1dc79d1,0x921b1fef,0x00022092,0x1e5df8ed,0x86db3ef5,
+        0x9e6b944a,0x888cae04,0x791a32b4,0x71bd29ec,0xa6d1c13e,0xd3516206 } },
+    /* 186 */
+    { { 0x55924f43,0x2ef6b952,0x4f9de8d5,0xd2f401ae,0xadc68042,0xfc73e8d7,
+        0x0d9d1bb4,0x627ea70c,0xbbf35679,0xc3bb3e3e,0xd882dee4,0x7e8a254a },
+      { 0xb5924407,0x08906f50,0xa1ad444a,0xf14a0e61,0x65f3738e,0xaa0efa21,
+        0xae71f161,0xd60c7dd6,0xf175894d,0x9e8390fa,0x149f4c00,0xd115cd20 } },
+    /* 187 */
+    { { 0xa52abf77,0x2f2e2c1d,0x54232568,0xc2a0dca5,0x54966dcc,0xed423ea2,
+        0xcd0dd039,0xe48c93c7,0x176405c7,0x1e54a225,0x70d58f2e,0x1efb5b16 },
+      { 0x94fb1471,0xa751f9d9,0x67d2941d,0xfdb31e1f,0x53733698,0xa6c74eb2,
+        0x89a0f64a,0xd3155d11,0xa4b8d2b6,0x4414cfe4,0xf7a8e9e3,0x8d5a4be8 } },
+    /* 188 */
+    { { 0x52669e98,0x5c96b4d4,0x8fd42a03,0x4547f922,0xd285174e,0xcf5c1319,
+        0x064bffa0,0x805cd1ae,0x246d27e7,0x50e8bc4f,0xd5781e11,0xf89ef98f },
+      { 0xdee0b63f,0xb4ff95f6,0x222663a4,0xad850047,0x4d23ce9c,0x02691860,
+        0x50019f59,0x3e5309ce,0x69a508ae,0x27e6f722,0x267ba52c,0xe9376652 } },
+    /* 189 */
+    { { 0xc0368708,0xa04d289c,0x5e306e1d,0xc458872f,0x33112fea,0x76fa23de,
+        0x6efde42e,0x718e3974,0x1d206091,0xf0c98cdc,0x14a71987,0x5fa3ca62 },
+      { 0xdcaa9f2a,0xeee8188b,0x589a860d,0x312cc732,0xc63aeb1f,0xf9808dd6,
+        0x4ea62b53,0x70fd43db,0x890b6e97,0x2c2bfe34,0xfa426aa6,0x105f863c } },
+    /* 190 */
+    { { 0xb38059ad,0x0b29795d,0x90647ea0,0x5686b77e,0xdb473a3e,0xeff0470e,
+        0xf9b6d1e2,0x278d2340,0xbd594ec7,0xebbff95b,0xd3a7f23d,0xf4b72334 },
+      { 0xa5a83f0b,0x2a285980,0x9716a8b3,0x0786c41a,0x22511812,0x138901bd,
+        0xe2fede6e,0xd1b55221,0xdf4eb590,0x0806e264,0x762e462e,0x6c4c897e } },
+    /* 191 */
+    { { 0xb4b41d9d,0xd10b905f,0x4523a65b,0x826ca466,0xb699fa37,0x535bbd13,
+        0x73bc8f90,0x5b9933d7,0xcd2118ad,0x9332d61f,0xd4a65fd0,0x158c693e },
+      { 0xe6806e63,0x4ddfb2a8,0xb5de651b,0xe31ed3ec,0x819bc69a,0xf9460e51,
+        0x2c76b1f8,0x6229c0d6,0x901970a3,0xbb78f231,0x9cee72b8,0x31f3820f } },
+    /* 192 */
+    { { 0xc09e1c72,0xe931caf2,0x12990cf4,0x0715f298,0x943262d8,0x33aad81d,
+        0x73048d3f,0x5d292b7a,0xdc7415f6,0xb152aaa4,0x0fd19587,0xc3d10fd9 },
+      { 0x75ddadd0,0xf76b35c5,0x1e7b694c,0x9f5f4a51,0xc0663025,0x2f1ab7eb,
+        0x920260b0,0x01c9cc87,0x05d39da6,0xc4b1f61a,0xeb4a9c4e,0x6dcd76c4 } },
+    /* 193 */
+    { { 0xfdc83f01,0x0ba0916f,0x9553e4f9,0x354c8b44,0xffc5e622,0xa6cc511a,
+        0xe95be787,0xb954726a,0x75b41a62,0xcb048115,0xebfde989,0xfa2ae6cd },
+      { 0x0f24659a,0x6376bbc7,0x4c289c43,0x13a999fd,0xec9abd8b,0xc7134184,
+        0xa789ab04,0x28c02bf6,0xd3e526ec,0xff841ebc,0x640893a8,0x442b191e } },
+    /* 194 */
+    { { 0xfa2b6e20,0x4cac6c62,0xf6d69861,0x97f29e9b,0xbc96d12d,0x228ab1db,
+        0x5e8e108d,0x6eb91327,0x40771245,0xd4b3d4d1,0xca8a803a,0x61b20623 },
+      { 0xa6a560b1,0x2c2f3b41,0x3859fcf4,0x879e1d40,0x024dbfc3,0x7cdb5145,
+        0x3bfa5315,0x55d08f15,0xaa93823a,0x2f57d773,0xc6a2c9a2,0xa97f259c } },
+    /* 195 */
+    { { 0xe58edbbb,0xc306317b,0x79dfdf13,0x25ade51c,0x16d83dd6,0x6b5beaf1,
+        0x1dd8f925,0xe8038a44,0xb2a87b6b,0x7f00143c,0xf5b438de,0xa885d00d },
+      { 0xcf9e48bd,0xe9f76790,0xa5162768,0xf0bdf9f0,0xad7b57cb,0x0436709f,
+        0xf7c15db7,0x7e151c12,0x5d90ee3b,0x3514f022,0x2c361a8d,0x2e84e803 } },
+    /* 196 */
+    { { 0x563ec8d8,0x2277607d,0xe3934cb7,0xa661811f,0xf58fd5de,0x3ca72e7a,
+        0x62294c6a,0x7989da04,0xf6bbefe9,0x88b3708b,0x53ed7c82,0x0d524cf7 },
+      { 0x2f30c073,0x69f699ca,0x9dc1dcf3,0xf0fa264b,0x05f0aaf6,0x44ca4568,
+        0xd19b9baf,0x0f5b23c7,0xeabd1107,0x39193f41,0x2a7c9b83,0x9e3e10ad } },
+    /* 197 */
+    { { 0xd4ae972f,0xa90824f0,0xc6e846e7,0x43eef02b,0x29d2160a,0x7e460612,
+        0xfe604e91,0x29a178ac,0x4eb184b2,0x23056f04,0xeb54cdf4,0x4fcad55f },
+      { 0xae728d15,0xa0ff96f3,0xc6a00331,0x8a2680c6,0x7ee52556,0x5f84cae0,
+        0xc5a65dad,0x5e462c3a,0xe2d23f4f,0x5d2b81df,0xc5b1eb07,0x6e47301b } },
+    /* 198 */
+    { { 0xaf8219b9,0x77411d68,0x51b1907a,0xcb883ce6,0x101383b5,0x25c87e57,
+        0x982f970d,0x9c7d9859,0x118305d2,0xaa6abca5,0x9013a5db,0x725fed2f },
+      { 0xababd109,0x487cdbaf,0x87586528,0xc0f8cf56,0x8ad58254,0xa02591e6,
+        0xdebbd526,0xc071b1d1,0x961e7e31,0x927dfe8b,0x9263dfe1,0x55f895f9 } },
+    /* 199 */
+    { { 0xb175645b,0xf899b00d,0xb65b4b92,0x51f3a627,0xb67399ef,0xa2f3ac8d,
+        0xe400bc20,0xe717867f,0x1967b952,0x42cc9020,0x3ecd1de1,0x3d596751 },
+      { 0xdb979775,0xd41ebcde,0x6a2e7e88,0x99ba61bc,0x321504f2,0x039149a5,
+        0x27ba2fad,0xe7dc2314,0xb57d8368,0x9f556308,0x57da80a7,0x2b6d16c9 } },
+    /* 200 */
+    { { 0x279ad982,0x84af5e76,0x9c8b81a6,0x9bb4c92d,0x0e698e67,0xd79ad44e,
+        0x265fc167,0xe8be9048,0x0c3a4ccc,0xf135f7e6,0xb8863a33,0xa0a10d38 },
+      { 0xd386efd9,0xe197247c,0xb52346c2,0x0eefd3f9,0x78607bc8,0xc22415f9,
+        0x508674ce,0xa2a8f862,0xc8c9d607,0xa72ad09e,0x50fa764f,0xcd9f0ede } },
+    /* 201 */
+    { { 0xd1a46d4d,0x063391c7,0x9eb01693,0x2df51c11,0x849e83de,0xc5849800,
+        0x8ad08382,0x48fd09aa,0xaa742736,0xa405d873,0xe1f9600c,0xee49e61e },
+      { 0x48c76f73,0xd76676be,0x01274b2a,0xd9c100f6,0x83f8718d,0x110bb67c,
+        0x02fc0d73,0xec85a420,0x744656ad,0xc0449e1e,0x37d9939b,0x28ce7376 } },
+    /* 202 */
+    { { 0x44544ac7,0x97e9af72,0xba010426,0xf2c658d5,0xfb3adfbd,0x732dec39,
+        0xa2df0b07,0xd12faf91,0x2171e208,0x8ac26725,0x5b24fa54,0xf820cdc8 },
+      { 0x94f4cf77,0x307a6eea,0x944a33c6,0x18c783d2,0x0b741ac5,0x4b939d4c,
+        0x3ffbb6e4,0x1d7acd15,0x7a255e44,0x06a24858,0xce336d50,0x14fbc494 } },
+    /* 203 */
+    { { 0x51584e3c,0x9b920c0c,0xf7e54027,0xc7733c59,0x88422bbe,0xe24ce139,
+        0x523bd6ab,0x11ada812,0xb88e6def,0xde068800,0xfe8c582d,0x7b872671 },
+      { 0x7de53510,0x4e746f28,0xf7971968,0x492f8b99,0x7d928ac2,0x1ec80bc7,
+        0x432eb1b5,0xb3913e48,0x32028f6e,0xad084866,0x8fc2f38b,0x122bb835 } },
+    /* 204 */
+    { { 0x3b0b29c3,0x0a9f3b1e,0x4fa44151,0x837b6432,0x17b28ea7,0xb9905c92,
+        0x98451750,0xf39bc937,0xce8b6da1,0xcd383c24,0x010620b2,0x299f57db },
+      { 0x58afdce3,0x7b6ac396,0x3d05ef47,0xa15206b3,0xb9bb02ff,0xa0ae37e2,
+        0x9db3964c,0x107760ab,0x67954bea,0xe29de9a0,0x431c3f82,0x446a1ad8 } },
+    /* 205 */
+    { { 0x5c6b8195,0xc6fecea0,0xf49e71b9,0xd744a7c5,0x177a7ae7,0xa8e96acc,
+        0x358773a7,0x1a05746c,0x37567369,0xa4162146,0x87d1c971,0xaa0217f7 },
+      { 0x77fd3226,0x61e9d158,0xe4f600be,0x0f6f2304,0x7a6dff07,0xa9c4cebc,
+        0x09f12a24,0xd15afa01,0x8c863ee9,0x2bbadb22,0xe5eb8c78,0xa28290e4 } },
+    /* 206 */
+    { { 0x3e9de330,0x55b87fa0,0x195c145b,0x12b26066,0xa920bef0,0xe08536e0,
+        0x4d195adc,0x7bff6f2c,0x945f4187,0x7f319e9d,0xf892ce47,0xf9848863 },
+      { 0x4fe37657,0xd0efc1d3,0x5cf0e45a,0x3c58de82,0x8b0ccbbe,0x626ad21a,
+        0xaf952fc5,0xd2a31208,0xeb437357,0x81791995,0x98e95d4f,0x5f19d30f } },
+    /* 207 */
+    { { 0x0e6865bb,0x72e83d9a,0xf63456a6,0x22f5af3b,0x463c8d9e,0x409e9c73,
+        0xdfe6970e,0x40e9e578,0x711b91ca,0x876b6efa,0x942625a3,0x895512cf },
+      { 0xcb4e462b,0x84c8eda8,0x4412e7c8,0x84c0154a,0xceb7b71f,0x04325db1,
+        0x66f70877,0x1537dde3,0x1992b9ac,0xf3a09399,0xd498ae77,0xa7316606 } },
+    /* 208 */
+    { { 0xcad260f5,0x13990d2f,0xeec0e8c0,0x76c3be29,0x0f7bd7d5,0x7dc5bee0,
+        0xefebda4b,0x9be167d2,0x9122b87e,0xcce3dde6,0x82b5415c,0x75a28b09 },
+      { 0xe84607a6,0xf6810bcd,0x6f4dbf0d,0xc6d58128,0x1b4dafeb,0xfead577d,
+        0x066b28eb,0x9bc440b2,0x8b17e84b,0x53f1da97,0xcda9a575,0x0459504b } },
+    /* 209 */
+    { { 0x329e5836,0x13e39a02,0xf717269d,0x2c9e7d51,0xf26c963b,0xc5ac58d6,
+        0x79967bf5,0x3b0c6c43,0x55908d9d,0x60bbea3f,0xf07c9ad1,0xd84811e7 },
+      { 0x5bd20e4a,0xfe7609a7,0x0a70baa8,0xe4325dd2,0xb3600386,0x3711f370,
+        0xd0924302,0x97f9562f,0x4acc4436,0x040dc0c3,0xde79cdd4,0xfd6d725c } },
+    /* 210 */
+    { { 0xcf13eafb,0xb3efd0e3,0x5aa0ae5f,0x21009cbb,0x79022279,0xe480c553,
+        0xb2fc9a6d,0x755cf334,0x07096ae7,0x8564a5bf,0xbd238139,0xddd649d0 },
+      { 0x8a045041,0xd0de10b1,0xc957d572,0x6e05b413,0x4e0fb25c,0x5c5ff806,
+        0x641162fb,0xd933179b,0xe57439f9,0x42d48485,0x8a8d72aa,0x70c5bd0a } },
+    /* 211 */
+    { { 0x97bdf646,0xa7671738,0xab329f7c,0xaa1485b4,0xf8f25fdf,0xce3e11d6,
+        0xc6221824,0x76a3fc7e,0xf3924740,0x045f281f,0x96d13a9a,0x24557d4e },
+      { 0xdd4c27cd,0x875c804b,0x0f5c7fea,0x11c5f0f4,0xdc55ff7e,0xac8c880b,
+        0x1103f101,0x2acddec5,0xf99faa89,0x38341a21,0xce9d6b57,0xc7b67a2c } },
+    /* 212 */
+    { { 0x8e357586,0x9a0d724f,0xdf648da0,0x1d7f4ff5,0xfdee62a5,0x9c3e6c9b,
+        0x0389b372,0x0499cef0,0x98eab879,0xe904050d,0x6c051617,0xe8eef1b6 },
+      { 0xc37e3ca9,0xebf5bfeb,0xa4e0b91d,0x7c5e946d,0x2c4bea28,0x79097314,
+        0xee67b2b7,0x81f6c109,0xdafc5ede,0xaf237d9b,0x2abb04c7,0xd2e60201 } },
+    /* 213 */
+    { { 0x8a4f57bf,0x6156060c,0xff11182a,0xf9758696,0x6296ef00,0x8336773c,
+        0xff666899,0x9c054bce,0x719cd11c,0xd6a11611,0xdbe1acfa,0x9824a641 },
+      { 0xba89fd01,0x0b7b7a5f,0x889f79d8,0xf8d3b809,0xf578285c,0xc5e1ea08,
+        0xae6d8288,0x7ac74536,0x7521ef5f,0x5d37a200,0xb260a25d,0x5ecc4184 } },
+    /* 214 */
+    { { 0xa708c8d3,0xddcebb19,0xc63f81ec,0xe63ed04f,0x11873f95,0xd045f5a0,
+        0x79f276d5,0x3b5ad544,0x425ae5b3,0x81272a3d,0x10ce1605,0x8bfeb501 },
+      { 0x888228bf,0x4233809c,0xb2aff7df,0x4bd82acf,0x0cbd4a7f,0x9c68f180,
+        0x6b44323d,0xfcd77124,0x891db957,0x60c0fcf6,0x04da8f7f,0xcfbb4d89 } },
+    /* 215 */
+    { { 0x3b26139a,0x9a6a5df9,0xb2cc7eb8,0x3e076a83,0x5a964bcd,0x47a8e82d,
+        0xb9278d6b,0x8a4e2a39,0xe4443549,0x93506c98,0xf1e0d566,0x06497a8f },
+      { 0x2b1efa05,0x3dee8d99,0x45393e33,0x2da63ca8,0xcf0579ad,0xa4af7277,
+        0x3236d8ea,0xaf4b4639,0x32b617f5,0x6ccad95b,0xb88bb124,0xce76d8b8 } },
+    /* 216 */
+    { { 0x083843dc,0x63d2537a,0x1e4153b4,0x89eb3514,0xea9afc94,0x5175ebc4,
+        0x8ed1aed7,0x7a652580,0xd85e8297,0x67295611,0xb584b73d,0x8dd2d68b },
+      { 0x0133c3a4,0x237139e6,0x4bd278ea,0x9de838ab,0xc062fcd9,0xe829b072,
+        0x63ba8706,0x70730d4f,0xd3cd05ec,0x6080483f,0x0c85f84d,0x872ab5b8 } },
+    /* 217 */
+    { { 0x999d4d49,0xfc0776d3,0xec3f45e7,0xa3eb59de,0x0dae1fc1,0xbc990e44,
+        0xa15371ff,0x33596b1e,0x9bc7ab25,0xd447dcb2,0x35979582,0xcd5b63e9 },
+      { 0x77d1ff11,0xae3366fa,0xedee6903,0x59f28f05,0xa4433bf2,0x6f43fed1,
+        0xdf9ce00e,0x15409c9b,0xaca9c5dc,0x21b5cded,0x82d7bdb4,0xf9f33595 } },
+    /* 218 */
+    { { 0x9422c792,0x95944378,0xc958b8bf,0x239ea923,0xdf076541,0x4b61a247,
+        0xbb9fc544,0x4d29ce85,0x0b424559,0x9a692a67,0x0e486900,0x6e0ca5a0 },
+      { 0x85b3bece,0x6b79a782,0xc61f9892,0x41f35e39,0xae747f82,0xff82099a,
+        0xd0ca59d6,0x58c8ae3f,0x99406b5f,0x4ac930e2,0x9df24243,0x2ce04eb9 } },
+    /* 219 */
+    { { 0x1ac37b82,0x4366b994,0x25b04d83,0xff0c728d,0x19c47b7c,0x1f551361,
+        0xbeff13e7,0xdbf2d5ed,0xe12a683d,0xf78efd51,0x989cf9c4,0x82cd85b9 },
+      { 0xe0cb5d37,0xe23c6db6,0x72ee1a15,0x818aeebd,0x28771b14,0x8212aafd,
+        0x1def817d,0x7bc221d9,0x9445c51f,0xdac403a2,0x12c3746b,0x711b0517 } },
+    /* 220 */
+    { { 0x5ea99ecc,0x0ed9ed48,0xb8cab5e1,0xf799500d,0xb570cbdc,0xa8ec87dc,
+        0xd35dfaec,0x52cfb2c2,0x6e4d80a4,0x8d31fae2,0xdcdeabe5,0xe6a37dc9 },
+      { 0x1deca452,0x5d365a34,0x0d68b44e,0x09a5f8a5,0xa60744b1,0x59238ea5,
+        0xbb4249e9,0xf2fedc0d,0xa909b2e3,0xe395c74e,0x39388250,0xe156d1a5 } },
+    /* 221 */
+    { { 0x47181ae9,0xd796b3d0,0x44197808,0xbaf44ba8,0x34cf3fac,0xe6933094,
+        0xc3bd5c46,0x41aa6ade,0xeed947c6,0x4fda75d8,0x9ea5a525,0xacd9d412 },
+      { 0xd430301b,0x65cc55a3,0x7b52ea49,0x3c9a5bcf,0x159507f0,0x22d319cf,
+        0xde74a8dd,0x2ee0b9b5,0x877ac2b6,0x20c26a1e,0x92e7c314,0x387d73da } },
+    /* 222 */
+    { { 0x8cd3fdac,0x13c4833e,0x332e5b8e,0x76fcd473,0xe2fe1fd3,0xff671b4b,
+        0x5d98d8ec,0x4d734e8b,0x514bbc11,0xb1ead3c6,0x7b390494,0xd14ca858 },
+      { 0x5d2d37e9,0x95a443af,0x00464622,0x73c6ea73,0x15755044,0xa44aeb4b,
+        0xfab58fee,0xba3f8575,0xdc680a6f,0x9779dbc9,0x7b37ddfc,0xe1ee5f5a } },
+    /* 223 */
+    { { 0x12d29f46,0xcd0b4648,0x0ed53137,0x93295b0b,0x80bef6c9,0xbfe26094,
+        0x54248b00,0xa6565788,0x80e7f9c4,0x69c43fca,0xbe141ea1,0x2190837b },
+      { 0xa1b26cfb,0x875e159a,0x7affe852,0x90ca9f87,0x92ca598e,0x15e6550d,
+        0x1938ad11,0xe3e0945d,0x366ef937,0xef7636bb,0xb39869e5,0xb6034d0b } },
+    /* 224 */
+    { { 0x26d8356e,0x4d255e30,0xd314626f,0xf83666ed,0xd0c8ed64,0x421ddf61,
+        0x26677b61,0x96e473c5,0x9e9b18b3,0xdad4af7e,0xa9393f75,0xfceffd4a },
+      { 0x11c731d5,0x843138a1,0xb2f141d9,0x05bcb3a1,0x617b7671,0x20e1fa95,
+        0x88ccec7b,0xbefce812,0x90f1b568,0x582073dc,0x1f055cb7,0xf572261a } },
+    /* 225 */
+    { { 0x36973088,0xf3148277,0x86a9f980,0xc008e708,0xe046c261,0x1b795947,
+        0xca76bca0,0xdf1e6a7d,0x71acddf0,0xabafd886,0x1364d8f4,0xff7054d9 },
+      { 0xe2260594,0x2cf63547,0xd73b277e,0x468a5372,0xef9bd35e,0xc7419e24,
+        0x24043cc3,0x2b4a1c20,0x890b39cd,0xa28f047a,0x46f9a2e3,0xdca2cea1 } },
+    /* 226 */
+    { { 0x53277538,0xab788736,0xcf697738,0xa734e225,0x6b22e2c1,0x66ee1d1e,
+        0xebe1d212,0x2c615389,0x02bb0766,0xf36cad40,0x3e64f207,0x120885c3 },
+      { 0x90fbfec2,0x59e77d56,0xd7a574ae,0xf9e781aa,0x5d045e53,0x801410b0,
+        0xa91b5f0e,0xd3b5f0aa,0x7fbb3521,0xb3d1df00,0xc72bee9a,0x11c4b33e } },
+    /* 227 */
+    { { 0x83c3a7f3,0xd32b9832,0x88d8a354,0x8083abcf,0x50f4ec5a,0xdeb16404,
+        0x641e2907,0x18d747f0,0xf1bbf03e,0x4e8978ae,0x88a0cd89,0x932447dc },
+      { 0xcf3d5897,0x561e0feb,0x13600e6d,0xfc3a682f,0xd16a6b73,0xc78b9d73,
+        0xd29bf580,0xe713fede,0x08d69e5c,0x0a225223,0x1ff7fda4,0x3a924a57 } },
+    /* 228 */
+    { { 0xb4093bee,0xfb64554c,0xa58c6ec0,0xa6d65a25,0x43d0ed37,0x4126994d,
+        0x55152d44,0xa5689a51,0x284caa8d,0xb8e5ea8c,0xd1f25538,0x33f05d4f },
+      { 0x1b615d6e,0xe0fdfe09,0x705507da,0x2ded7e8f,0x17bbcc80,0xdd5631e5,
+        0x267fd11f,0x4f87453e,0xff89d62d,0xc6da723f,0xe3cda21d,0x55cbcae2 } },
+    /* 229 */
+    { { 0x6b4e84f3,0x336bc94e,0x4ef72c35,0x72863031,0xeeb57f99,0x6d85fdee,
+        0xa42ece1b,0x7f4e3272,0x36f0320a,0x7f86cbb5,0x923331e6,0xf09b6a2b },
+      { 0x56778435,0x21d3ecf1,0x8323b2d2,0x2977ba99,0x1704bc0f,0x6a1b57fb,
+        0x389f048a,0xd777cf8b,0xac6b42cd,0x9ce2174f,0x09e6c55a,0x404e2bff } },
+    /* 230 */
+    { { 0x204c5ddb,0x9b9b135e,0x3eff550e,0x9dbfe044,0xec3be0f6,0x35eab4bf,
+        0x0a43e56f,0x8b4c3f0d,0x0e73f9b3,0x4c1c6673,0x2c78c905,0x92ed38bd },
+      { 0xa386e27c,0xc7003f6a,0xaced8507,0xb9c4f46f,0x59df5464,0xea024ec8,
+        0x429572ea,0x4af96152,0xe1fc1194,0x279cd5e2,0x281e358c,0xaa376a03 } },
+    /* 231 */
+    { { 0x3cdbc95c,0x07859223,0xef2e337a,0xaae1aa6a,0x472a8544,0xc040108d,
+        0x8d037b7d,0x80c853e6,0x8c7eee24,0xd221315c,0x8ee47752,0x195d3856 },
+      { 0xdacd7fbe,0xd4b1ba03,0xd3e0c52b,0x4b5ac61e,0x6aab7b52,0x68d3c052,
+        0x660e3fea,0xf0d7248c,0x3145efb4,0xafdb3f89,0x8f40936d,0xa73fd9a3 } },
+    /* 232 */
+    { { 0xbb1b17ce,0x891b9ef3,0xc6127f31,0x14023667,0x305521fd,0x12b2e58d,
+        0xe3508088,0x3a47e449,0xff751507,0xe49fc84b,0x5310d16e,0x4023f722 },
+      { 0xb73399fa,0xa608e5ed,0xd532aa3e,0xf12632d8,0x845e8415,0x13a2758e,
+        0x1fc2d861,0xae4b6f85,0x339d02f2,0x3879f5b1,0x80d99ebd,0x446d22a6 } },
+    /* 233 */
+    { { 0x4be164f1,0x0f502302,0x88b81920,0x8d09d2d6,0x984aceff,0x514056f1,
+        0x75e9e80d,0xa5c4ddf0,0xdf496a93,0x38cb47e6,0x38df6bf7,0x899e1d6b },
+      { 0xb59eb2a6,0x69e87e88,0x9b47f38b,0x280d9d63,0x3654e955,0x599411ea,
+        0x969aa581,0xcf8dd4fd,0x530742a7,0xff5c2baf,0x1a373085,0xa4391536 } },
+    /* 234 */
+    { { 0xa8a4bdd2,0x6ace72a3,0xb68ef702,0xc656cdd1,0x90c4dad8,0xd4a33e7e,
+        0x9d951c50,0x4aece08a,0x085d68e6,0xea8005ae,0x6f7502b8,0xfdd7a7d7 },
+      { 0x98d6fa45,0xce6fb0a6,0x1104eb8c,0x228f8672,0xda09d7dc,0xd23d8787,
+        0x2ae93065,0x5521428b,0xea56c366,0x95faba3d,0x0a88aca5,0xedbe5039 } },
+    /* 235 */
+    { { 0xbfb26c82,0xd64da0ad,0x952c2f9c,0xe5d70b3c,0xf7e77f68,0xf5e8f365,
+        0x08f2d695,0x7234e002,0xd12e7be6,0xfaf900ee,0x4acf734e,0x27dc6934 },
+      { 0xc260a46a,0x80e4ff5e,0x2dc31c28,0x7da5ebce,0xca69f552,0x485c5d73,
+        0x69cc84c2,0xcdfb6b29,0xed6d4eca,0x031c5afe,0x22247637,0xc7bbf4c8 } },
+    /* 236 */
+    { { 0x49fe01b2,0x9d5b72c7,0x793a91b8,0x34785186,0xcf460438,0xa3ba3c54,
+        0x3ab21b6f,0x73e8e43d,0xbe57b8ab,0x50cde8e0,0xdd204264,0x6488b3a7 },
+      { 0xdddc4582,0xa9e398b3,0x5bec46fe,0x1698c1a9,0x156d3843,0x7f1446ef,
+        0x770329a2,0x3fd25dd8,0x2c710668,0x05b1221a,0xa72ee6cf,0x65b2dc2a } },
+    /* 237 */
+    { { 0xcd021d63,0x21a885f7,0xfea61f08,0x3f344b15,0xc5cf73e6,0xad5ba6dd,
+        0x227a8b23,0x154d0d8f,0xdc559311,0x9b74373c,0x98620fa1,0x4feab715 },
+      { 0x7d9ec924,0x5098938e,0x6d47e550,0x84d54a5e,0x1b617506,0x1a2d1bdc,
+        0x615868a4,0x99fe1782,0x3005a924,0x171da780,0x7d8f79b6,0xa70bf5ed } },
+    /* 238 */
+    { { 0xfe2216c5,0x0bc1250d,0x7601b351,0x2c37e250,0xd6f06b7e,0xb6300175,
+        0x8bfeb9b7,0x4dde8ca1,0xb82f843d,0x4f210432,0xb1ac0afd,0x8d70e2f9 },
+      { 0xaae91abb,0x25c73b78,0x863028f2,0x0230dca3,0xe5cf30b7,0x8b923ecf,
+        0x5506f265,0xed754ec2,0x729a5e39,0x8e41b88c,0xbabf889b,0xee67cec2 } },
+    /* 239 */
+    { { 0x1be46c65,0xe183acf5,0xe7565d7a,0x9789538f,0xd9627b4e,0x87873391,
+        0x9f1d9187,0xbf4ac4c1,0x4691f5c8,0x5db99f63,0x74a1fb98,0xa68df803 },
+      { 0xbf92b5fa,0x3c448ed1,0x3e0bdc32,0xa098c841,0x79bf016c,0x8e74cd55,
+        0x115e244d,0x5df0d09c,0x3410b66e,0x9418ad01,0x17a02130,0x8b6124cb } },
+    /* 240 */
+    { { 0xc26e3392,0x425ec3af,0xa1722e00,0xc07f8470,0xe2356b43,0xdcc28190,
+        0xb1ef59a6,0x4ed97dff,0xc63028c1,0xc22b3ad1,0x68c18988,0x070723c2 },
+      { 0x4cf49e7d,0x70da302f,0x3f12a522,0xc5e87c93,0x18594148,0x74acdd1d,
+        0xca74124c,0xad5f73ab,0xd69fd478,0xe72e4a3e,0x7b117cc3,0x61593868 } },
+    /* 241 */
+    { { 0xa9aa0486,0x7b7b9577,0xa063d557,0x6e41fb35,0xda9047d7,0xb017d5c7,
+        0x68a87ba9,0x8c748280,0xdf08ad93,0xab45fa5c,0x4c288a28,0xcd9fb217 },
+      { 0x5747843d,0x59544642,0xa56111e3,0x34d64c6c,0x4bfce8d5,0x12e47ea1,
+        0x6169267f,0x17740e05,0xeed03fb5,0x5c49438e,0x4fc3f513,0x9da30add } },
+    /* 242 */
+    { { 0xccfa5200,0xc4e85282,0x6a19b13d,0x2707608f,0xf5726e2f,0xdcb9a53d,
+        0xe9427de5,0x612407c9,0xd54d582a,0x3e5a17e1,0x655ae118,0xb99877de },
+      { 0x015254de,0x6f0e972b,0xf0a6f7c5,0x92a56db1,0xa656f8b2,0xd297e4e1,
+        0xad981983,0x99fe0052,0x07cfed84,0xd3652d2f,0x843c1738,0xc784352e } },
+    /* 243 */
+    { { 0x7e9b2d8a,0x6ee90af0,0x57cf1964,0xac8d7018,0x71f28efc,0xf6ed9031,
+        0x6812b20e,0x7f70d5a9,0xf1c61eee,0x27b557f4,0xc6263758,0xf1c9bd57 },
+      { 0x2a1a6194,0x5cf7d014,0x1890ab84,0xdd614e0b,0x0e93c2a6,0x3ef9de10,
+        0xe0cd91c5,0xf98cf575,0x14befc32,0x504ec0c6,0x6279d68c,0xd0513a66 } },
+    /* 244 */
+    { { 0xa859fb6a,0xa8eadbad,0xdb283666,0xcf8346e7,0x3e22e355,0x7b35e61a,
+        0x99639c6b,0x293ece2c,0x56f241c8,0xfa0162e2,0xbf7a1dda,0xd2e6c7b9 },
+      { 0x40075e63,0xd0de6253,0xf9ec8286,0x2405aa61,0x8fe45494,0x2237830a,
+        0x364e9c8c,0x4fd01ac7,0x904ba750,0x4d9c3d21,0xaf1b520b,0xd589be14 } },
+    /* 245 */
+    { { 0x4662e53b,0x13576a4f,0xf9077676,0x35ec2f51,0x97c0af97,0x66297d13,
+        0x9e598b58,0xed3201fe,0x5e70f604,0x49bc752a,0xbb12d951,0xb54af535 },
+      { 0x212c1c76,0x36ea4c2b,0xeb250dfd,0x18f5bbc7,0x9a0a1a46,0xa0d466cc,
+        0xdac2d917,0x52564da4,0x8e95fab5,0x206559f4,0x9ca67a33,0x7487c190 } },
+    /* 246 */
+    { { 0xdde98e9c,0x75abfe37,0x2a411199,0x99b90b26,0xdcdb1f7c,0x1b410996,
+        0x8b3b5675,0xab346f11,0xf1f8ae1e,0x04852193,0x6b8b98c1,0x1ec4d227 },
+      { 0x45452baa,0xba3bc926,0xacc4a572,0x387d1858,0xe51f171e,0x9478eff6,
+        0x931e1c00,0xf357077d,0xe54c8ca8,0xffee77cd,0x551dc9a4,0xfb4892ff } },
+    /* 247 */
+    { { 0x2db8dff8,0x5b1bdad0,0x5a2285a2,0xd462f4fd,0xda00b461,0x1d6aad8e,
+        0x41306d1b,0x43fbefcf,0x6a13fe19,0x428e86f3,0x17f89404,0xc8b2f118 },
+      { 0xf0d51afb,0x762528aa,0x549b1d06,0xa3e2fea4,0xea3ddf66,0x86fad8f2,
+        0x4fbdd206,0x0d9ccc4b,0xc189ff5a,0xcde97d4c,0x199f19a6,0xc36793d6 } },
+    /* 248 */
+    { { 0x51b85197,0xea38909b,0xb4c92895,0xffb17dd0,0x1ddb3f3f,0x0eb0878b,
+        0xc57cf0f2,0xb05d28ff,0x1abd57e2,0xd8bde2e7,0xc40c1b20,0x7f2be28d },
+      { 0x299a2d48,0x6554dca2,0x8377982d,0x5130ba2e,0x1071971a,0x8863205f,
+        0x7cf2825d,0x15ee6282,0x03748f2b,0xd4b6c57f,0x430385a0,0xa9e3f4da } },
+    /* 249 */
+    { { 0x83fbc9c6,0x33eb7cec,0x4541777e,0x24a311c7,0x4f0767fc,0xc81377f7,
+        0x4ab702da,0x12adae36,0x2a779696,0xb7fcb6db,0x01cea6ad,0x4a6fb284 },
+      { 0xcdfc73de,0x5e8b1d2a,0x1b02fd32,0xd0efae8d,0xd81d8519,0x3f99c190,
+        0xfc808971,0x3c18f7fa,0x51b7ae7b,0x41f713e7,0xf07fc3f8,0x0a4b3435 } },
+    /* 250 */
+    { { 0x019b7d2e,0x7dda3c4c,0xd4dc4b89,0x631c8d1a,0x1cdb313c,0x5489cd6e,
+        0x4c07bb06,0xd44aed10,0x75f000d1,0x8f97e13a,0xdda5df4d,0x0e9ee64f },
+      { 0x3e346910,0xeaa99f3b,0xfa294ad7,0x622f6921,0x0d0b2fe9,0x22aaa20d,
+        0x1e5881ba,0x4fed2f99,0xc1571802,0x9af3b2d6,0xdc7ee17c,0x919e67a8 } },
+    /* 251 */
+    { { 0x76250533,0xc724fe4c,0x7d817ef8,0x8a2080e5,0x172c9751,0xa2afb0f4,
+        0x17c0702e,0x9b10cdeb,0xc9b7e3e9,0xbf3975e3,0x1cd0cdc5,0x206117df },
+      { 0xbe05ebd5,0xfb049e61,0x16c782c0,0xeb0bb55c,0xab7fed09,0x13a331b8,
+        0x632863f0,0xf6c58b1d,0x4d3b6195,0x6264ef6e,0x9a53f116,0x92c51b63 } },
+    /* 252 */
+    { { 0x288b364d,0xa57c7bc8,0x7b41e5c4,0x4a562e08,0x698a9a11,0x699d21c6,
+        0xf3f849b9,0xa4ed9581,0x9eb726ba,0xa223eef3,0xcc2884f9,0x13159c23 },
+      { 0x3a3f4963,0x73931e58,0x0ada6a81,0x96500389,0x5ab2950b,0x3ee8a1c6,
+        0x775fab52,0xeedf4949,0x4f2671b6,0x63d652e1,0x3c4e2f55,0xfed4491c } },
+    /* 253 */
+    { { 0xf4eb453e,0x335eadc3,0xcadd1a5b,0x5ff74b63,0x5d84a91a,0x6933d0d7,
+        0xb49ba337,0x9ca3eeb9,0xc04c15b8,0x1f6facce,0xdc09a7e4,0x4ef19326 },
+      { 0x3dca3233,0x53d2d324,0xa2259d4b,0x0ee40590,0x5546f002,0x18c22edb,
+        0x09ea6b71,0x92429801,0xb0e91e61,0xaada0add,0x99963c50,0x5fe53ef4 } },
+    /* 254 */
+    { { 0x90c28c65,0x372dd06b,0x119ce47d,0x1765242c,0x6b22fc82,0xc041fb80,
+        0xb0a7ccc1,0x667edf07,0x1261bece,0xc79599e7,0x19cff22a,0xbc69d9ba },
+      { 0x13c06819,0x009d77cd,0xe282b79d,0x635a66ae,0x225b1be8,0x4edac4a6,
+        0x524008f9,0x57d4f4e4,0xb056af84,0xee299ac5,0x3a0bc386,0xcc38444c } },
+    /* 255 */
+    { { 0xcd4c2356,0x490643b1,0x750547be,0x740a4851,0xd4944c04,0x643eaf29,
+        0x299a98a0,0xba572479,0xee05fdf9,0x48b29f16,0x089b2d7b,0x33fb4f61 },
+      { 0xa950f955,0x86704902,0xfedc3ddf,0x97e1034d,0x05fbb6a2,0x211320b6,
+        0x432299bb,0x23d7b93f,0x8590e4a3,0x1fe1a057,0xf58c0ce6,0x8e1d0586 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+
+            err = sp_384_ecc_mulmod_base_12(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_12(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
+            a[8] | a[9] | a[10] | a[11]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+static void sp_384_add_one_12(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldr	r1, [%[a], #0]\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "adds	r1, r1, #1\n\t"
+        "adcs	r2, r2, #0\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "str	r2, [%[a], #4]\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "adcs	r1, r1, #0\n\t"
+        "adcs	r2, r2, #0\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "str	r2, [%[a], #20]\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r1, [%[a], #32]\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "adcs	r1, r1, #0\n\t"
+        "adcs	r2, r2, #0\n\t"
+        "adcs	r3, r3, #0\n\t"
+        "adcs	r4, r4, #0\n\t"
+        "str	r1, [%[a], #32]\n\t"
+        "str	r2, [%[a], #36]\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2", "r3", "r4"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_12(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 12, buf, (int)sizeof(buf));
+            if (sp_384_cmp_12(k, p384_order2) < 0) {
+                sp_384_add_one_12(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_12(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_12(point->x) == 0) || (sp_384_iszero_12(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_12(infinity, 1, heap);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 384 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<12 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, priv);
+        sp_384_point_from_ecc_point_12(point, pub);
+            err = sp_384_ecc_mulmod_12(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_in_place_12(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r14, #0\n\t"
+        "add	r12, %[a], #48\n\t"
+        "\n1:\n\t"
+        "subs	%[c], r14, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[a], #8]\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r7, [%[b]], #4\n\t"
+        "ldr	r8, [%[b]], #4\n\t"
+        "ldr	r9, [%[b]], #4\n\t"
+        "ldr	r10, [%[b]], #4\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "sbcs	r6, r6, r10\n\t"
+        "str	r3, [%[a]], #4\n\t"
+        "str	r4, [%[a]], #4\n\t"
+        "str	r5, [%[a]], #4\n\t"
+        "str	r6, [%[a]], #4\n\t"
+        "sbc	%[c], r14, r14\n\t"
+        "cmp	%[a], r12\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r12", "r14"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_in_place_12(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a], #0]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "ldr	r9, [%[b], #12]\n\t"
+        "subs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #0]\n\t"
+        "str	r3, [%[a], #4]\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "ldr	r9, [%[b], #28]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #16]\n\t"
+        "str	r3, [%[a], #20]\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "str	r5, [%[a], #28]\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "ldr	r8, [%[b], #40]\n\t"
+        "ldr	r9, [%[b], #44]\n\t"
+        "sbcs	r2, r2, r6\n\t"
+        "sbcs	r3, r3, r7\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r9\n\t"
+        "str	r2, [%[a], #32]\n\t"
+        "str	r3, [%[a], #36]\n\t"
+        "str	r4, [%[a], #40]\n\t"
+        "str	r5, [%[a], #44]\n\t"
+        "sbc	%[c], r9, r9\n\t"
+        : [c] "+r" (c)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_384_mul_d_12(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r5, r3, %[b], r8\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]]\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, #4\n\t"
+        "1:\n\t"
+        "ldr	r8, [%[a], r9]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], r9]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r9, r9, #4\n\t"
+        "cmp	r9, #48\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	r10, #0\n\t"
+        "# A[0] * B\n\t"
+        "ldr	r8, [%[a]]\n\t"
+        "umull	r3, r4, %[b], r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[r]]\n\t"
+        "# A[1] * B\n\t"
+        "ldr	r8, [%[a], #4]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "# A[2] * B\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "# A[3] * B\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "# A[4] * B\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "# A[5] * B\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "# A[6] * B\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "# A[7] * B\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "# A[8] * B\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "mov	r4, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r7\n\t"
+        "adc	r4, r4, r10\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "# A[9] * B\n\t"
+        "ldr	r8, [%[a], #36]\n\t"
+        "mov	r5, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r7\n\t"
+        "adc	r5, r5, r10\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "# A[10] * B\n\t"
+        "ldr	r8, [%[a], #40]\n\t"
+        "mov	r3, #0\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r7\n\t"
+        "adc	r3, r3, r10\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "# A[11] * B\n\t"
+        "ldr	r8, [%[a], #44]\n\t"
+        "umull	r6, r7, %[b], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r7\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+static sp_digit div_384_word_12(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, r5, #1\n\t"
+        "mov	r6, %[d0]\n\t"
+        "mov	r7, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "movs	r6, r6, lsl #1\n\t"
+        "adc	r7, r7, r7\n\t"
+        "subs	r8, r5, r7\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "and	r8, r8, r5\n\t"
+        "subs	r7, r7, r8\n\t"
+        "subs	r4, r4, #1\n\t"
+        "bpl	1b\n\t"
+        "add	%[r], %[r], %[r]\n\t"
+        "add	%[r], %[r], #1\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "umull	r4, r5, %[r], %[div]\n\t"
+        "subs	r4, %[d0], r4\n\t"
+        "sbc	r5, %[d1], r5\n\t"
+        "add	%[r], %[r], r5\n\t"
+        "subs	r8, %[div], r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r7", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_384_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_div_12(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[24], t2[13];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+
+    div = d[11];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 12);
+    for (i=11; i>=0; i--) {
+        r1 = div_384_word_12(t1[12 + i], t1[12 + i - 1], div);
+
+        sp_384_mul_d_12(t2, d, r1);
+        t1[12 + i] += sp_384_sub_in_place_12(&t1[i], t2);
+        t1[12 + i] -= t2[12];
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_384_cmp_12(t1, d) >= 0;
+    sp_384_cond_sub_12(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_12(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint32_t p384_order_minus_2[12] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint32_t p384_order_low[6] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_12(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_12(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_12(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_12(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_12(t, t);
+        if ((p384_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_12(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_12(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_12(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_12(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_12(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_12(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_12(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_12(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_12(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_12(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_12(t2, t2);
+        if (((sp_digit)p384_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_12(t2, t2);
+    sp_384_mont_mul_order_12(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*12];
+    sp_digit xd[2*12];
+    sp_digit kd[2*12];
+    sp_digit rd[2*12];
+    sp_digit td[3 * 2*12];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 12;
+        x = d + 2 * 12;
+        k = d + 4 * 12;
+        r = d + 6 * 12;
+        tmp = d + 8 * 12;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 12, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 12, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_12(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 12, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 12U);
+            sp_384_norm_12(r);
+            c = sp_384_cmp_12(r, p384_order);
+            sp_384_cond_sub_12(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_12(k, k, p384_norm_order);
+            err = sp_384_mod_12(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_12(kInv, k, tmp);
+            sp_384_norm_12(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_12(x, x, r);
+            err = sp_384_mod_12(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(x);
+            carry = sp_384_add_12(s, e, x);
+            sp_384_cond_sub_12(s, s, p384_order, 0 - carry);
+            sp_384_norm_12(s);
+            c = sp_384_cmp_12(s, p384_order);
+            sp_384_cond_sub_12(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_12(s, s, kInv);
+            sp_384_norm_12(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_12(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 12);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 12U);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*12];
+    sp_digit u2d[2*12];
+    sp_digit sd[2*12];
+    sp_digit tmpd[2*12 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_384_point_new_12(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 12;
+        u2  = d + 2 * 12;
+        s   = d + 4 * 12;
+        tmp = d + 6 * 12;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 12, hash, (int)hashLen);
+        sp_384_from_mp(u2, 12, r);
+        sp_384_from_mp(s, 12, sm);
+        sp_384_from_mp(p2->x, 12, pX);
+        sp_384_from_mp(p2->y, 12, pY);
+        sp_384_from_mp(p2->z, 12, pZ);
+
+        {
+            sp_384_mul_12(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_12(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_12(s);
+        {
+            sp_384_mont_inv_order_12(s, s, tmp);
+            sp_384_mont_mul_order_12(u1, u1, s);
+            sp_384_mont_mul_order_12(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_12(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_12(p1, p1, p2, tmp);
+            if (sp_384_iszero_12(p1->z)) {
+                if (sp_384_iszero_12(p1->x) && sp_384_iszero_12(p1->y)) {
+                    sp_384_proj_point_dbl_12(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    p1->x[8] = 0;
+                    p1->x[9] = 0;
+                    p1->x[10] = 0;
+                    p1->x[11] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 12, r);
+        err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_12(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 12, r);
+            carry = sp_384_add_12(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_12(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_12(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_12(p1, 0, heap);
+    sp_384_point_free_12(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_12(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*12];
+    sp_digit t2d[2*12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_12(t1, point->y);
+        (void)sp_384_mod_12(t1, t1, p384_mod);
+        sp_384_sqr_12(t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        sp_384_mul_12(t2, t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        (void)sp_384_sub_12(t2, p384_mod, t2);
+        sp_384_mont_add_12(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_12(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_12(pub, NULL);
+    }
+
+    sp_384_point_free_12(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[12];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 12, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_12(pub->x) != 0) &&
+            (sp_384_iszero_12(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_12(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_12(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_12(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_12(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_12(p->x) == 0) ||
+            (sp_384_iszero_12(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_12(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_12(p->x, pub->x) != 0 ||
+            sp_384_cmp_12(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+        sp_384_from_mp(q->x, 12, qX);
+        sp_384_from_mp(q->y, 12, qY);
+        sp_384_from_mp(q->z, 12, qZ);
+
+            sp_384_proj_point_add_12(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(q, 0, NULL);
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+            sp_384_proj_point_dbl_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+        sp_384_map_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_12(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 12];
+    sp_digit t2d[2 * 12];
+    sp_digit t3d[2 * 12];
+    sp_digit t4d[2 * 12];
+    sp_digit t5d[2 * 12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+        t3 = d + 4 * 12;
+        t4 = d + 6 * 12;
+        t5 = d + 8 * 12;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_12(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_12(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_12(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_12(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_12(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_12(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_12(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_12(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_12(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_12(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_12(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_12(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_12(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_12(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_12(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 12];
+    sp_digit yd[2 * 12];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 12;
+        y = d + 2 * 12;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 12, xm);
+        err = sp_384_mod_mul_norm_12(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_12(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_12(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_12(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_12(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_12(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 12, 0, 12U * sizeof(sp_digit));
+        sp_384_mont_reduce_12(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_12(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_SP_ARM32_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm64.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm64.c
new file mode 100644
index 000000000..ebebe2a55
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_arm64.c
@@ -0,0 +1,42082 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifdef WOLFSSL_SP_ARM64_ASM
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j;
+    byte* d;
+
+    for (i = n - 1,j = 0; i >= 7; i -= 8) {
+        r[j]  = ((sp_digit)a[i - 0] <<  0) |
+                ((sp_digit)a[i - 1] <<  8) |
+                ((sp_digit)a[i - 2] << 16) |
+                ((sp_digit)a[i - 3] << 24) |
+                ((sp_digit)a[i - 4] << 32) |
+                ((sp_digit)a[i - 5] << 40) |
+                ((sp_digit)a[i - 6] << 48) |
+                ((sp_digit)a[i - 7] << 56);
+        j++;
+    }
+
+    if (i >= 0) {
+        r[j] = 0;
+
+        d = (byte*)r;
+        switch (i) {
+            case 6: d[n - 1 - 6] = a[6]; //fallthrough
+            case 5: d[n - 1 - 5] = a[5]; //fallthrough
+            case 4: d[n - 1 - 4] = a[4]; //fallthrough
+            case 3: d[n - 1 - 3] = a[3]; //fallthrough
+            case 2: d[n - 1 - 2] = a[2]; //fallthrough
+            case 1: d[n - 1 - 1] = a[1]; //fallthrough
+            case 0: d[n - 1 - 0] = a[0]; //fallthrough
+        }
+        j++;
+    }
+
+    for (; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j;
+
+    for (i = 31, j = 0; i >= 0; i--) {
+        a[j++] = r[i] >> 56;
+        a[j++] = r[i] >> 48;
+        a[j++] = r[i] >> 40;
+        a[j++] = r[i] >> 32;
+        a[j++] = r[i] >> 24;
+        a[j++] = r[i] >> 16;
+        a[j++] = r[i] >> 8;
+        a[j++] = r[i] >> 0;
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[8];
+
+    __asm__ __volatile__ (
+        "ldp	x9, x10, [%[a], 0]\n\t"
+        "ldp	x11, x12, [%[a], 16]\n\t"
+        "ldp	x13, x14, [%[a], 32]\n\t"
+        "ldp	x15, x16, [%[a], 48]\n\t"
+        "ldp	x17, x19, [%[b], 0]\n\t"
+        "ldp	x20, x21, [%[b], 16]\n\t"
+        "ldp	x22, x23, [%[b], 32]\n\t"
+        "ldp	x24, x25, [%[b], 48]\n\t"
+        "#  A[0] * B[0]\n\t"
+        "mul	x4, x9, x17\n\t"
+        "umulh	x5, x9, x17\n\t"
+        "str	x4, [%[tmp]]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "mul	x7, x9, x19\n\t"
+        "umulh	x8, x9, x19\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[0]\n\t"
+        "mul	x7, x10, x17\n\t"
+        "adc	x6, xzr, x8\n\t"
+        "umulh	x8, x10, x17\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 8]\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "#  A[0] * B[2]\n\t"
+        "mul	x7, x9, x20\n\t"
+        "umulh	x8, x9, x20\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[1]\n\t"
+        "mul	x7, x10, x19\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x10, x19\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[0]\n\t"
+        "mul	x7, x11, x17\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x11, x17\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 16]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[3]\n\t"
+        "mul	x7, x9, x21\n\t"
+        "umulh	x8, x9, x21\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[2]\n\t"
+        "mul	x7, x10, x20\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x10, x20\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[1]\n\t"
+        "mul	x7, x11, x19\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x11, x19\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[0]\n\t"
+        "mul	x7, x12, x17\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x12, x17\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 24]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[4]\n\t"
+        "mul	x7, x9, x22\n\t"
+        "umulh	x8, x9, x22\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[3]\n\t"
+        "mul	x7, x10, x21\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x10, x21\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[2]\n\t"
+        "mul	x7, x11, x20\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x11, x20\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[1]\n\t"
+        "mul	x7, x12, x19\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x12, x19\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[0]\n\t"
+        "mul	x7, x13, x17\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x13, x17\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 32]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[5]\n\t"
+        "mul	x7, x9, x23\n\t"
+        "umulh	x8, x9, x23\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[4]\n\t"
+        "mul	x7, x10, x22\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x10, x22\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[3]\n\t"
+        "mul	x7, x11, x21\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x11, x21\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[2]\n\t"
+        "mul	x7, x12, x20\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x12, x20\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[1]\n\t"
+        "mul	x7, x13, x19\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x13, x19\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[0]\n\t"
+        "mul	x7, x14, x17\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x14, x17\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 40]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[6]\n\t"
+        "mul	x7, x9, x24\n\t"
+        "umulh	x8, x9, x24\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[5]\n\t"
+        "mul	x7, x10, x23\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x10, x23\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[4]\n\t"
+        "mul	x7, x11, x22\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x11, x22\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[3]\n\t"
+        "mul	x7, x12, x21\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x12, x21\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[2]\n\t"
+        "mul	x7, x13, x20\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x13, x20\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[1]\n\t"
+        "mul	x7, x14, x19\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x14, x19\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[0]\n\t"
+        "mul	x7, x15, x17\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x15, x17\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 48]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[7]\n\t"
+        "mul	x7, x9, x25\n\t"
+        "umulh	x8, x9, x25\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[6]\n\t"
+        "mul	x7, x10, x24\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x10, x24\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[5]\n\t"
+        "mul	x7, x11, x23\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x11, x23\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[4]\n\t"
+        "mul	x7, x12, x22\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x12, x22\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[3]\n\t"
+        "mul	x7, x13, x21\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x13, x21\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[2]\n\t"
+        "mul	x7, x14, x20\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x14, x20\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[1]\n\t"
+        "mul	x7, x15, x19\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x15, x19\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[0]\n\t"
+        "mul	x7, x16, x17\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x16, x17\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 56]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[1] * B[7]\n\t"
+        "mul	x7, x10, x25\n\t"
+        "umulh	x8, x10, x25\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[6]\n\t"
+        "mul	x7, x11, x24\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x11, x24\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[5]\n\t"
+        "mul	x7, x12, x23\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x12, x23\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[4]\n\t"
+        "mul	x7, x13, x22\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x13, x22\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[3]\n\t"
+        "mul	x7, x14, x21\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x14, x21\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[6] * B[2]\n\t"
+        "mul	x7, x15, x20\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x15, x20\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[1]\n\t"
+        "mul	x7, x16, x19\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x16, x19\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 64]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[2] * B[7]\n\t"
+        "mul	x7, x11, x25\n\t"
+        "umulh	x8, x11, x25\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[6]\n\t"
+        "mul	x7, x12, x24\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x12, x24\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[5]\n\t"
+        "mul	x7, x13, x23\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x13, x23\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[4]\n\t"
+        "mul	x7, x14, x22\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x14, x22\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[3]\n\t"
+        "mul	x7, x15, x21\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x15, x21\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[7] * B[2]\n\t"
+        "mul	x7, x16, x20\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x16, x20\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 72]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[3] * B[7]\n\t"
+        "mul	x7, x12, x25\n\t"
+        "umulh	x8, x12, x25\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[6]\n\t"
+        "mul	x7, x13, x24\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x13, x24\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[5]\n\t"
+        "mul	x7, x14, x23\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x14, x23\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[4]\n\t"
+        "mul	x7, x15, x22\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x15, x22\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[3]\n\t"
+        "mul	x7, x16, x21\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x16, x21\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 80]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[4] * B[7]\n\t"
+        "mul	x7, x13, x25\n\t"
+        "umulh	x8, x13, x25\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[6]\n\t"
+        "mul	x7, x14, x24\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x14, x24\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[6] * B[5]\n\t"
+        "mul	x7, x15, x23\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x15, x23\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[4]\n\t"
+        "mul	x7, x16, x22\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x16, x22\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 88]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[5] * B[7]\n\t"
+        "mul	x7, x14, x25\n\t"
+        "umulh	x8, x14, x25\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[6]\n\t"
+        "mul	x7, x15, x24\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x15, x24\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[7] * B[5]\n\t"
+        "mul	x7, x16, x23\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x16, x23\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 96]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[6] * B[7]\n\t"
+        "mul	x7, x15, x25\n\t"
+        "umulh	x8, x15, x25\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[6]\n\t"
+        "mul	x7, x16, x24\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x16, x24\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 104]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[7] * B[7]\n\t"
+        "mul	x7, x16, x25\n\t"
+        "umulh	x8, x16, x25\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adc	x4, x4, x8\n\t"
+        "stp	x6, x4, [%[r], 112]\n\t"
+        "ldp	x9, x10, [%[tmp], 0]\n\t"
+        "ldp	x11, x12, [%[tmp], 16]\n\t"
+        "ldp	x13, x14, [%[tmp], 32]\n\t"
+        "ldp	x15, x16, [%[tmp], 48]\n\t"
+        "stp	x9, x10, [%[r], 0]\n\t"
+        "stp	x11, x12, [%[r], 16]\n\t"
+        "stp	x13, x14, [%[r], 32]\n\t"
+        "stp	x15, x16, [%[r], 48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp       x22, x23, [%[a], 0]\n\t"
+        "ldp       x24, x25, [%[a], 16]\n\t"
+        "ldp       x26, x27, [%[a], 32]\n\t"
+        "ldp       x28, x29, [%[a], 48]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "mul	x3, x22, x23\n\t"
+        "umulh	x7, x22, x23\n\t"
+        "#  A[0] * A[2]\n\t"
+        "mul	x4, x22, x24\n\t"
+        "umulh	x5, x22, x24\n\t"
+        "adds	x7, x7, x4\n\t"
+        "#  A[0] * A[3]\n\t"
+        "mul	x4, x22, x25\n\t"
+        "adc	x8, xzr, x5\n\t"
+        "umulh	x5, x22, x25\n\t"
+        "adds	x8, x8, x4\n\t"
+        "#  A[1] * A[2]\n\t"
+        "mul	x4, x23, x24\n\t"
+        "adc	x9, xzr, x5\n\t"
+        "umulh	x5, x23, x24\n\t"
+        "adds	x8, x8, x4\n\t"
+        "#  A[0] * A[4]\n\t"
+        "mul	x4, x22, x26\n\t"
+        "adcs	x9, x9, x5\n\t"
+        "umulh	x5, x22, x26\n\t"
+        "adc	x10, xzr, xzr\n\t"
+        "adds	x9, x9, x4\n\t"
+        "#  A[1] * A[3]\n\t"
+        "mul	x4, x23, x25\n\t"
+        "adc	x10, x10, x5\n\t"
+        "umulh	x5, x23, x25\n\t"
+        "adds	x9, x9, x4\n\t"
+        "#  A[0] * A[5]\n\t"
+        "mul	x4, x22, x27\n\t"
+        "adcs	x10, x10, x5\n\t"
+        "umulh	x5, x22, x27\n\t"
+        "adc	x11, xzr, xzr\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[1] * A[4]\n\t"
+        "mul	x4, x23, x26\n\t"
+        "adc	x11, x11, x5\n\t"
+        "umulh	x5, x23, x26\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[2] * A[3]\n\t"
+        "mul	x4, x24, x25\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x5, x24, x25\n\t"
+        "adc	x12, xzr, xzr\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[0] * A[6]\n\t"
+        "mul	x4, x22, x28\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x5, x22, x28\n\t"
+        "adc	x12, x12, xzr\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[1] * A[5]\n\t"
+        "mul	x4, x23, x27\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x23, x27\n\t"
+        "adc	x13, xzr, xzr\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[2] * A[4]\n\t"
+        "mul	x4, x24, x26\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x24, x26\n\t"
+        "adc	x13, x13, xzr\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[0] * A[7]\n\t"
+        "mul	x4, x22, x29\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x22, x29\n\t"
+        "adc	x13, x13, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[1] * A[6]\n\t"
+        "mul	x4, x23, x28\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x23, x28\n\t"
+        "adc	x14, xzr, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[2] * A[5]\n\t"
+        "mul	x4, x24, x27\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x24, x27\n\t"
+        "adc	x14, x14, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[3] * A[4]\n\t"
+        "mul	x4, x25, x26\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x25, x26\n\t"
+        "adc	x14, x14, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[1] * A[7]\n\t"
+        "mul	x4, x23, x29\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x23, x29\n\t"
+        "adc	x14, x14, xzr\n\t"
+        "adds	x13, x13, x4\n\t"
+        "#  A[2] * A[6]\n\t"
+        "mul	x4, x24, x28\n\t"
+        "adcs	x14, x14, x5\n\t"
+        "umulh	x5, x24, x28\n\t"
+        "adc	x15, xzr, xzr\n\t"
+        "adds	x13, x13, x4\n\t"
+        "#  A[3] * A[5]\n\t"
+        "mul	x4, x25, x27\n\t"
+        "adcs	x14, x14, x5\n\t"
+        "umulh	x5, x25, x27\n\t"
+        "adc	x15, x15, xzr\n\t"
+        "adds	x13, x13, x4\n\t"
+        "#  A[2] * A[7]\n\t"
+        "mul	x4, x24, x29\n\t"
+        "adcs	x14, x14, x5\n\t"
+        "umulh	x5, x24, x29\n\t"
+        "adc	x15, x15, xzr\n\t"
+        "adds	x14, x14, x4\n\t"
+        "#  A[3] * A[6]\n\t"
+        "mul	x4, x25, x28\n\t"
+        "adcs	x15, x15, x5\n\t"
+        "umulh	x5, x25, x28\n\t"
+        "adc	x16, xzr, xzr\n\t"
+        "adds	x14, x14, x4\n\t"
+        "#  A[4] * A[5]\n\t"
+        "mul	x4, x26, x27\n\t"
+        "adcs	x15, x15, x5\n\t"
+        "umulh	x5, x26, x27\n\t"
+        "adc	x16, x16, xzr\n\t"
+        "adds	x14, x14, x4\n\t"
+        "#  A[3] * A[7]\n\t"
+        "mul	x4, x25, x29\n\t"
+        "adcs	x15, x15, x5\n\t"
+        "umulh	x5, x25, x29\n\t"
+        "adc	x16, x16, xzr\n\t"
+        "adds	x15, x15, x4\n\t"
+        "#  A[4] * A[6]\n\t"
+        "mul	x4, x26, x28\n\t"
+        "adcs	x16, x16, x5\n\t"
+        "umulh	x5, x26, x28\n\t"
+        "adc	x17, xzr, xzr\n\t"
+        "adds	x15, x15, x4\n\t"
+        "#  A[4] * A[7]\n\t"
+        "mul	x4, x26, x29\n\t"
+        "adcs	x16, x16, x5\n\t"
+        "umulh	x5, x26, x29\n\t"
+        "adc	x17, x17, xzr\n\t"
+        "adds	x16, x16, x4\n\t"
+        "#  A[5] * A[6]\n\t"
+        "mul	x4, x27, x28\n\t"
+        "adcs	x17, x17, x5\n\t"
+        "umulh	x5, x27, x28\n\t"
+        "adc	x19, xzr, xzr\n\t"
+        "adds	x16, x16, x4\n\t"
+        "#  A[5] * A[7]\n\t"
+        "mul	x4, x27, x29\n\t"
+        "adcs	x17, x17, x5\n\t"
+        "umulh	x5, x27, x29\n\t"
+        "adc	x19, x19, xzr\n\t"
+        "adds	x17, x17, x4\n\t"
+        "#  A[6] * A[7]\n\t"
+        "mul	x4, x28, x29\n\t"
+        "adcs	x19, x19, x5\n\t"
+        "umulh	x5, x28, x29\n\t"
+        "adc	x20, xzr, xzr\n\t"
+        "adds	x19, x19, x4\n\t"
+        "adc	x20, x20, x5\n\t"
+        "# Double\n\t"
+        "adds	x3, x3, x3\n\t"
+        "adcs	x7, x7, x7\n\t"
+        "adcs	x8, x8, x8\n\t"
+        "adcs	x9, x9, x9\n\t"
+        "adcs	x10, x10, x10\n\t"
+        "adcs	x11, x11, x11\n\t"
+        "adcs	x12, x12, x12\n\t"
+        "adcs	x13, x13, x13\n\t"
+        "adcs	x14, x14, x14\n\t"
+        "adcs	x15, x15, x15\n\t"
+        "adcs	x16, x16, x16\n\t"
+        "adcs	x17, x17, x17\n\t"
+        "adcs	x19, x19, x19\n\t"
+        "#  A[0] * A[0]\n\t"
+        "mul	x2, x22, x22\n\t"
+        "adcs	x20, x20, x20\n\t"
+        "umulh	x4, x22, x22\n\t"
+        "cset  x21, cs\n\t"
+        "#  A[1] * A[1]\n\t"
+        "mul	x5, x23, x23\n\t"
+        "adds	x3, x3, x4\n\t"
+        "umulh	x6, x23, x23\n\t"
+        "adcs	x7, x7, x5\n\t"
+        "#  A[2] * A[2]\n\t"
+        "mul	x4, x24, x24\n\t"
+        "adcs	x8, x8, x6\n\t"
+        "umulh	x5, x24, x24\n\t"
+        "adcs	x9, x9, x4\n\t"
+        "#  A[3] * A[3]\n\t"
+        "mul	x6, x25, x25\n\t"
+        "adcs	x10, x10, x5\n\t"
+        "umulh	x4, x25, x25\n\t"
+        "adcs	x11, x11, x6\n\t"
+        "#  A[4] * A[4]\n\t"
+        "mul	x5, x26, x26\n\t"
+        "adcs	x12, x12, x4\n\t"
+        "umulh	x6, x26, x26\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "#  A[5] * A[5]\n\t"
+        "mul	x4, x27, x27\n\t"
+        "adcs	x14, x14, x6\n\t"
+        "umulh	x5, x27, x27\n\t"
+        "adcs	x15, x15, x4\n\t"
+        "#  A[6] * A[6]\n\t"
+        "mul	x6, x28, x28\n\t"
+        "adcs	x16, x16, x5\n\t"
+        "umulh	x4, x28, x28\n\t"
+        "adcs	x17, x17, x6\n\t"
+        "#  A[7] * A[7]\n\t"
+        "mul	x5, x29, x29\n\t"
+        "adcs	x19, x19, x4\n\t"
+        "umulh	x6, x29, x29\n\t"
+        "adcs	x20, x20, x5\n\t"
+        "stp	x2, x3, [%[r], 0]\n\t"
+        "adc	x21, x21, x6\n\t"
+        "stp	x7, x8, [%[r], 16]\n\t"
+        "stp	x9, x10, [%[r], 32]\n\t"
+        "stp	x11, x12, [%[r], 48]\n\t"
+        "stp	x13, x14, [%[r], 64]\n\t"
+        "stp	x15, x16, [%[r], 80]\n\t"
+        "stp	x17, x19, [%[r], 96]\n\t"
+        "stp	x20, x21, [%[r], 112]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x4", "x5", "x6", "x2", "x3", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28", "x29"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_16(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x2, x3, [%[a], 32]\n\t"
+        "ldp	x6, x7, [%[b], 32]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 48]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 32]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 48]\n\t"
+        "ldp	x2, x3, [%[a], 64]\n\t"
+        "ldp	x6, x7, [%[b], 64]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 80]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 64]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 80]\n\t"
+        "ldp	x2, x3, [%[a], 96]\n\t"
+        "ldp	x6, x7, [%[b], 96]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 112]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 96]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 112]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Add digit to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_add_zero_8(sp_digit* r, const sp_digit* a,
+        const sp_digit d)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adds	x3, x3, %[d]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [d] "r" (d)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit b1[8];
+    sp_digit z2[16];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_8(a1, a, &a[8]);
+    cb = sp_2048_add_8(b1, b, &b[8]);
+    u  = ca & cb;
+    sp_2048_mul_8(z1, a1, b1);
+    sp_2048_mul_8(z2, &a[8], &b[8]);
+    sp_2048_mul_8(z0, a, b);
+    sp_2048_mask_8(r + 16, a1, 0 - cb);
+    sp_2048_mask_8(b1, b1, 0 - ca);
+    u += sp_2048_add_8(r + 16, r + 16, b1);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    u += sp_2048_add_8(r + 16, r + 16, z2);
+    sp_2048_add_zero_8(r + 24, z2 + 8, u);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_8(sp_digit* r, const sp_digit* a)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 64\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 16]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 24]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 48]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 56]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[16];
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit u;
+
+    u = sp_2048_add_8(a1, a, &a[8]);
+    sp_2048_sqr_8(z1, a1);
+    sp_2048_sqr_8(z2, &a[8]);
+    sp_2048_sqr_8(z0, a);
+    sp_2048_mask_8(r + 16, a1, 0 - u);
+    u += sp_2048_dbl_8(r + 16, r + 16);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    u += sp_2048_add_8(r + 16, r + 16, z2);
+    sp_2048_add_zero_8(r + 24, z2 + 8, u);
+    
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_32(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x2, x3, [%[a], 32]\n\t"
+        "ldp	x6, x7, [%[b], 32]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 48]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 32]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 48]\n\t"
+        "ldp	x2, x3, [%[a], 64]\n\t"
+        "ldp	x6, x7, [%[b], 64]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 80]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 64]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 80]\n\t"
+        "ldp	x2, x3, [%[a], 96]\n\t"
+        "ldp	x6, x7, [%[b], 96]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 112]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 96]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 112]\n\t"
+        "ldp	x2, x3, [%[a], 128]\n\t"
+        "ldp	x6, x7, [%[b], 128]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 144]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 128]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 144]\n\t"
+        "ldp	x2, x3, [%[a], 160]\n\t"
+        "ldp	x6, x7, [%[b], 160]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 176]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 160]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 176]\n\t"
+        "ldp	x2, x3, [%[a], 192]\n\t"
+        "ldp	x6, x7, [%[b], 192]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 208]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 192]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 208]\n\t"
+        "ldp	x2, x3, [%[a], 224]\n\t"
+        "ldp	x6, x7, [%[b], 224]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 240]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 224]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 240]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Add digit to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_add_zero_16(sp_digit* r, const sp_digit* a,
+        const sp_digit d)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adds	x3, x3, %[d]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [d] "r" (d)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit b1[16];
+    sp_digit z2[32];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_16(a1, a, &a[16]);
+    cb = sp_2048_add_16(b1, b, &b[16]);
+    u  = ca & cb;
+    sp_2048_mul_16(z1, a1, b1);
+    sp_2048_mul_16(z2, &a[16], &b[16]);
+    sp_2048_mul_16(z0, a, b);
+    sp_2048_mask_16(r + 32, a1, 0 - cb);
+    sp_2048_mask_16(b1, b1, 0 - ca);
+    u += sp_2048_add_16(r + 32, r + 32, b1);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    u += sp_2048_add_16(r + 32, r + 32, z2);
+    sp_2048_add_zero_16(r + 48, z2 + 16, u);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 128\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_16(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 16]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 24]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 48]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 56]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 80]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 88]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 112]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 120]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[32];
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit u;
+
+    u = sp_2048_add_16(a1, a, &a[16]);
+    sp_2048_sqr_16(z1, a1);
+    sp_2048_sqr_16(z2, &a[16]);
+    sp_2048_sqr_16(z0, a);
+    sp_2048_mask_16(r + 32, a1, 0 - u);
+    u += sp_2048_dbl_16(r + 32, r + 32);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    u += sp_2048_add_16(r + 32, r + 32, z2);
+    sp_2048_add_zero_16(r + 48, z2 + 16, u);
+    
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 256\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_32(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x10, %[a], 256\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], #16]\n\t"
+        "ldp	x6, x7, [%[b]], #16\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x8, x9, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a]], #16\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x10\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[64];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 248\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 256\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 496\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[64];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 248\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 256\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 496\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 128\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_in_place_16(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x10, %[a], 128\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], #16]\n\t"
+        "ldp	x6, x7, [%[b]], #16\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x8, x9, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a]], #16\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x10\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_2048_mul_16(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[32];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 120\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 128\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 240\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_2048_sqr_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[32];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 120\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 128\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 240\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_2048_mul_d_32(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 256\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 256]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[6] * B\n\t"
+        "ldp	x8, x9, [%[a], 48]\n\t"
+        "str	x5, [%[r], 40]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[7] * B\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[8] * B\n\t"
+        "ldp	x8, x9, [%[a], 64]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[9] * B\n\t"
+        "str	x5, [%[r], 64]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[10] * B\n\t"
+        "ldp	x8, x9, [%[a], 80]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[11] * B\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[12] * B\n\t"
+        "ldp	x8, x9, [%[a], 96]\n\t"
+        "str	x5, [%[r], 88]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[13] * B\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[14] * B\n\t"
+        "ldp	x8, x9, [%[a], 112]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[15] * B\n\t"
+        "str	x5, [%[r], 112]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[16] * B\n\t"
+        "ldp	x8, x9, [%[a], 128]\n\t"
+        "str	x3, [%[r], 120]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[17] * B\n\t"
+        "str	x4, [%[r], 128]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[18] * B\n\t"
+        "ldp	x8, x9, [%[a], 144]\n\t"
+        "str	x5, [%[r], 136]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[19] * B\n\t"
+        "str	x3, [%[r], 144]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[20] * B\n\t"
+        "ldp	x8, x9, [%[a], 160]\n\t"
+        "str	x4, [%[r], 152]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[21] * B\n\t"
+        "str	x5, [%[r], 160]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[22] * B\n\t"
+        "ldp	x8, x9, [%[a], 176]\n\t"
+        "str	x3, [%[r], 168]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[23] * B\n\t"
+        "str	x4, [%[r], 176]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[24] * B\n\t"
+        "ldp	x8, x9, [%[a], 192]\n\t"
+        "str	x5, [%[r], 184]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[25] * B\n\t"
+        "str	x3, [%[r], 192]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[26] * B\n\t"
+        "ldp	x8, x9, [%[a], 208]\n\t"
+        "str	x4, [%[r], 200]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[27] * B\n\t"
+        "str	x5, [%[r], 208]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[28] * B\n\t"
+        "ldp	x8, x9, [%[a], 224]\n\t"
+        "str	x3, [%[r], 216]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[29] * B\n\t"
+        "str	x4, [%[r], 224]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[30] * B\n\t"
+        "ldp	x8, x9, [%[a], 240]\n\t"
+        "str	x5, [%[r], 232]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[31] * B\n\t"
+        "str	x3, [%[r], 240]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "adc	x5, x5, x7\n\t"
+        "stp	x4, x5, [%[r], 248]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_16(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 16);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_16(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_sub_16(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "csetm	%[c], cc\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 128\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_16(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "ldp	x21, x22, [%[m], 48]\n\t"
+        "ldp	x23, x24, [%[m], 64]\n\t"
+        "ldp	x25, x26, [%[m], 80]\n\t"
+        "ldp	x27, x28, [%[m], 96]\n\t"
+        "# i = 16\n\t"
+        "mov	x4, 16\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	x10, [%[a], 56]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	x11, [%[a], 64]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x23, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x23, x9\n\t"
+        "str	x10, [%[a], 56]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	x10, [%[a], 72]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x24, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x24, x9\n\t"
+        "str	x11, [%[a], 64]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	x11, [%[a], 80]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x25, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x25, x9\n\t"
+        "str	x10, [%[a], 72]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	x10, [%[a], 88]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x26, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x26, x9\n\t"
+        "str	x11, [%[a], 80]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	x11, [%[a], 96]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x27, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x27, x9\n\t"
+        "str	x10, [%[a], 88]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	x10, [%[a], 104]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x28, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x28, x9\n\t"
+        "str	x11, [%[a], 96]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	x11, [%[a], 112]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 112]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 104]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	x10, [%[a], 120]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 120]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 112]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 128]\n\t"
+        "str	x10, [%[a], 120]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 128]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28"
+    );
+
+    sp_2048_cond_sub_16(a - 16, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_16(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_16(r, a, b);
+    sp_2048_mont_reduce_16(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_16(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_16(r, a);
+    sp_2048_mont_reduce_16(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_2048_mul_d_16(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 128\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 128]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[6] * B\n\t"
+        "ldp	x8, x9, [%[a], 48]\n\t"
+        "str	x5, [%[r], 40]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[7] * B\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[8] * B\n\t"
+        "ldp	x8, x9, [%[a], 64]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[9] * B\n\t"
+        "str	x5, [%[r], 64]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[10] * B\n\t"
+        "ldp	x8, x9, [%[a], 80]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[11] * B\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[12] * B\n\t"
+        "ldp	x8, x9, [%[a], 96]\n\t"
+        "str	x5, [%[r], 88]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[13] * B\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[14] * B\n\t"
+        "ldp	x8, x9, [%[a], 112]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[15] * B\n\t"
+        "str	x5, [%[r], 112]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "stp	x3, x4, [%[r], 120]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_2048_word_16(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_2048_cmp_16(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 120\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov  x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "ldp	x7, x8, [%[b], 112]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "ldp	x7, x8, [%[b], 80]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "ldp	x7, x8, [%[b], 48]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "ldp	x7, x8, [%[b], 16]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_16(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[32], t2[17];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[15];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 16);
+    for (i=15; i>=0; i--) {
+        r1 = div_2048_word_16(t1[16 + i], t1[16 + i - 1], div);
+
+        sp_2048_mul_d_16(t2, d, r1);
+        t1[16 + i] += sp_2048_sub_in_place_16(&t1[i], t2);
+        t1[16 + i] -= t2[16];
+        sp_2048_mask_16(t2, d, t1[16 + i]);
+        t1[16 + i] += sp_2048_add_16(&t1[i], &t1[i], t2);
+        sp_2048_mask_16(t2, d, t1[16 + i]);
+        t1[16 + i] += sp_2048_add_16(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_16(t1, d) >= 0;
+    sp_2048_cond_sub_16(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_16(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_16(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_16(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][32];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 32, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 32;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_16(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 16U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_16(t[1] + 16, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_16(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 16, a, sizeof(sp_digit) * 16);
+            err = sp_2048_mod_16(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_16(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_16(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_16(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_16(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_16(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_16(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_16(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_16(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_16(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_16(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_16(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_16(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_16(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_16(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 4;
+        if (c == 64) {
+            c = 60;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 16);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 60;
+                n <<= 4;
+                c = 60;
+            }
+            else if (c < 4) {
+                y = n >> 60;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 60) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+
+            sp_2048_mont_mul_16(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[16], 0, sizeof(sp_digit) * 16U);
+        sp_2048_mont_reduce_16(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_16(r, m) >= 0);
+        sp_2048_cond_sub_16(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_16(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][32];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 32, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 32;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_16(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 16U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_16(t[1] + 16, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_16(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 16, a, sizeof(sp_digit) * 16);
+            err = sp_2048_mod_16(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_16(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_16(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_16(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_16(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_16(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_16(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_16(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_16(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_16(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_16(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_16(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_16(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_16(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_16(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_16(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_16(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_16(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_16(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_16(t[20], t[10], m, mp);
+        sp_2048_mont_mul_16(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_16(t[22], t[11], m, mp);
+        sp_2048_mont_mul_16(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_16(t[24], t[12], m, mp);
+        sp_2048_mont_mul_16(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_16(t[26], t[13], m, mp);
+        sp_2048_mont_mul_16(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_16(t[28], t[14], m, mp);
+        sp_2048_mont_mul_16(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_16(t[30], t[15], m, mp);
+        sp_2048_mont_mul_16(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 5;
+        if (c == 64) {
+            c = 59;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 16);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 59;
+                n <<= 5;
+                c = 59;
+            }
+            else if (c < 5) {
+                y = n >> 59;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+            sp_2048_mont_sqr_16(r, r, m, mp);
+
+            sp_2048_mont_mul_16(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[16], 0, sizeof(sp_digit) * 16U);
+        sp_2048_mont_reduce_16(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_16(r, m) >= 0);
+        sp_2048_cond_sub_16(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_32(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 32);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_32(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_sub_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "csetm	%[c], cc\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 256\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "ldp	x5, x7, [%[b], 192]\n\t"
+        "ldp	x11, x12, [%[b], 208]\n\t"
+        "ldp	x4, x6, [%[a], 192]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 208]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 192]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 208]\n\t"
+        "ldp	x5, x7, [%[b], 224]\n\t"
+        "ldp	x11, x12, [%[b], 240]\n\t"
+        "ldp	x4, x6, [%[a], 224]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 240]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 224]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 240]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_32(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "ldp	x21, x22, [%[m], 48]\n\t"
+        "ldp	x23, x24, [%[m], 64]\n\t"
+        "ldp	x25, x26, [%[m], 80]\n\t"
+        "ldp	x27, x28, [%[m], 96]\n\t"
+        "# i = 32\n\t"
+        "mov	x4, 32\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	x10, [%[a], 56]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	x11, [%[a], 64]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x23, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x23, x9\n\t"
+        "str	x10, [%[a], 56]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	x10, [%[a], 72]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x24, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x24, x9\n\t"
+        "str	x11, [%[a], 64]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	x11, [%[a], 80]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x25, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x25, x9\n\t"
+        "str	x10, [%[a], 72]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	x10, [%[a], 88]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x26, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x26, x9\n\t"
+        "str	x11, [%[a], 80]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	x11, [%[a], 96]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x27, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x27, x9\n\t"
+        "str	x10, [%[a], 88]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	x10, [%[a], 104]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x28, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x28, x9\n\t"
+        "str	x11, [%[a], 96]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	x11, [%[a], 112]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 112]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 104]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	x10, [%[a], 120]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 120]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 112]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	x11, [%[a], 128]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 128]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 120]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	x10, [%[a], 136]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 136]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 128]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	x11, [%[a], 144]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 144]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 136]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	x10, [%[a], 152]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 152]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 144]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	x11, [%[a], 160]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 160]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 152]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	x10, [%[a], 168]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 168]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 160]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	x11, [%[a], 176]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 176]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 168]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	x10, [%[a], 184]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 184]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 176]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	x11, [%[a], 192]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 192]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 184]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	x10, [%[a], 200]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 200]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 192]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	x11, [%[a], 208]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 208]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 200]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	x10, [%[a], 216]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 216]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 208]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	x11, [%[a], 224]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 224]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 216]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	x10, [%[a], 232]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 232]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 224]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	x11, [%[a], 240]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 240]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 232]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	x10, [%[a], 248]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 248]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 240]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 256]\n\t"
+        "str	x10, [%[a], 248]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 256]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28"
+    );
+
+    sp_2048_cond_sub_32(a - 32, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_32(r, a, b);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_32(r, a);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_2048_word_32(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_2048_cmp_32(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 248\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov  x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "ldp	x7, x8, [%[b], 240]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "ldp	x7, x8, [%[b], 208]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "ldp	x7, x8, [%[b], 176]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "ldp	x7, x8, [%[b], 144]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "ldp	x7, x8, [%[b], 112]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "ldp	x7, x8, [%[b], 80]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "ldp	x7, x8, [%[b], 48]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "ldp	x7, x8, [%[b], 16]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+        sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_32(t1, d) >= 0;
+    sp_2048_cond_sub_32(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 256\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_2048_sub_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "subs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+        sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        if (t1[32 + i] != 0) {
+            t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], d);
+            if (t1[32 + i] != 0)
+                t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 31; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_2048_sub_32(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 32);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][64];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 4;
+        if (c == 64) {
+            c = 60;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 60;
+                n <<= 4;
+                c = 60;
+            }
+            else if (c < 4) {
+                y = n >> 60;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 60) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 5;
+        if (c == 64) {
+            c = 59;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 59;
+                n <<= 5;
+                c = 59;
+            }
+            else if (c < 5) {
+                y = n >> 59;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[64], m[32], r[64];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 256 ||
+                                                     mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 32 * 2;
+        m = r + 32 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 32;
+
+        sp_2048_from_bin(ah, 32, in, inLen);
+#if DIGIT_BIT >= 64
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 32, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_2048_sqr_32(r, ah);
+                err = sp_2048_mod_32_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_2048_mul_32(r, ah, r);
+                err = sp_2048_mod_32_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 63; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 32);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_32(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_32(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+                sp_2048_mont_reduce_32(r, m, mp);
+
+                for (i = 31; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_2048_sub_in_place_32(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 32;
+        m = a + 64;
+        r = a;
+
+        sp_2048_from_bin(a, 32, in, inLen);
+        sp_2048_from_mp(d, 32, dm);
+        sp_2048_from_mp(m, 32, mm);
+        err = sp_2048_mod_exp_32(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 32);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_2048_cond_add_16(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "cset	%[c], cs\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 128\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adds	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[32 * 2];
+    sp_digit p[16], q[16], dp[16];
+    sp_digit tmpa[32], tmpb[32];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 256 || mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 32 * 2;
+        q = p + 16;
+        qi = dq = dp = q + 16;
+        tmpa = qi + 16;
+        tmpb = tmpa + 32;
+
+        r = t + 32;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_2048_from_bin(a, 32, in, inLen);
+        sp_2048_from_mp(p, 16, pm);
+        sp_2048_from_mp(q, 16, qm);
+        sp_2048_from_mp(dp, 16, dpm);
+
+        err = sp_2048_mod_exp_16(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 16, dqm);
+        err = sp_2048_mod_exp_16(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_16(tmpa, tmpb);
+        c += sp_2048_cond_add_16(tmpa, tmpa, p, c);
+        sp_2048_cond_add_16(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 16, qim);
+        sp_2048_mul_16(tmpa, tmpa, qi);
+        err = sp_2048_mod_16(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_16(tmpa, q, tmpa);
+        XMEMSET(&tmpb[16], 0, sizeof(sp_digit) * 16);
+        sp_2048_add_32(r, tmpb, tmpa);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 16 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 32);
+        r->used = 32;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 32; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 32; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_mp(e, 32, exp);
+        sp_2048_from_mp(m, 32, mod);
+
+        err = sp_2048_mod_exp_32(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+static void sp_2048_lshift_32(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	x6, 63\n\t"
+        "sub	x6, x6, %[n]\n\t"
+        "ldr	x3, [%[a], 248]\n\t"
+        "lsr	x4, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x4, x4, x6\n\t"
+        "ldr	x2, [%[a], 240]\n\t"
+        "str	x4, [%[r], 256]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 232]\n\t"
+        "str	x3, [%[r], 248]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 224]\n\t"
+        "str	x2, [%[r], 240]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 216]\n\t"
+        "str	x4, [%[r], 232]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 208]\n\t"
+        "str	x3, [%[r], 224]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 200]\n\t"
+        "str	x2, [%[r], 216]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 192]\n\t"
+        "str	x4, [%[r], 208]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 184]\n\t"
+        "str	x3, [%[r], 200]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 176]\n\t"
+        "str	x2, [%[r], 192]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 168]\n\t"
+        "str	x4, [%[r], 184]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 160]\n\t"
+        "str	x3, [%[r], 176]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 152]\n\t"
+        "str	x2, [%[r], 168]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 144]\n\t"
+        "str	x4, [%[r], 160]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 136]\n\t"
+        "str	x3, [%[r], 152]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 128]\n\t"
+        "str	x2, [%[r], 144]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 120]\n\t"
+        "str	x4, [%[r], 136]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 112]\n\t"
+        "str	x3, [%[r], 128]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 104]\n\t"
+        "str	x2, [%[r], 120]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 96]\n\t"
+        "str	x4, [%[r], 112]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 88]\n\t"
+        "str	x3, [%[r], 104]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 80]\n\t"
+        "str	x2, [%[r], 96]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 72]\n\t"
+        "str	x4, [%[r], 88]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 64]\n\t"
+        "str	x3, [%[r], 80]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 56]\n\t"
+        "str	x2, [%[r], 72]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 48]\n\t"
+        "str	x4, [%[r], 64]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 40]\n\t"
+        "str	x3, [%[r], 56]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 32]\n\t"
+        "str	x2, [%[r], 48]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 24]\n\t"
+        "str	x4, [%[r], 40]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 16]\n\t"
+        "str	x3, [%[r], 32]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 8]\n\t"
+        "str	x2, [%[r], 24]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 0]\n\t"
+        "str	x4, [%[r], 16]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "str	x2, [%[r]]\n\t"
+        "str	x3, [%[r], 8]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "x2", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_32(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[64];
+    sp_digit td[33];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 97, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 64;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 6;
+        if (c == 64) {
+            c = 58;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_2048_lshift_32(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 58;
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = n >> 58;
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_lshift_32(r, r, y);
+            sp_2048_mul_d_32(tmp, norm, r[32]);
+            r[32] = 0;
+            o = sp_2048_add_32(r, r, tmp);
+            sp_2048_cond_sub_32(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_bin(e, 32, exp, expLen);
+        sp_2048_from_mp(m, 32, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 && m[31] == (sp_digit)-1)
+            err = sp_2048_mod_exp_2_32(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_2048_mod_exp_32(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[32], e[16], m[16];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 16, base);
+        sp_2048_from_mp(e, 16, exp);
+        sp_2048_from_mp(m, 16, mod);
+
+        err = sp_2048_mod_exp_16(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 16, 0, sizeof(*r) * 16U);
+        err = sp_2048_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j;
+    byte* d;
+
+    for (i = n - 1,j = 0; i >= 7; i -= 8) {
+        r[j]  = ((sp_digit)a[i - 0] <<  0) |
+                ((sp_digit)a[i - 1] <<  8) |
+                ((sp_digit)a[i - 2] << 16) |
+                ((sp_digit)a[i - 3] << 24) |
+                ((sp_digit)a[i - 4] << 32) |
+                ((sp_digit)a[i - 5] << 40) |
+                ((sp_digit)a[i - 6] << 48) |
+                ((sp_digit)a[i - 7] << 56);
+        j++;
+    }
+
+    if (i >= 0) {
+        r[j] = 0;
+
+        d = (byte*)r;
+        switch (i) {
+            case 6: d[n - 1 - 6] = a[6]; //fallthrough
+            case 5: d[n - 1 - 5] = a[5]; //fallthrough
+            case 4: d[n - 1 - 4] = a[4]; //fallthrough
+            case 3: d[n - 1 - 3] = a[3]; //fallthrough
+            case 2: d[n - 1 - 2] = a[2]; //fallthrough
+            case 1: d[n - 1 - 1] = a[1]; //fallthrough
+            case 0: d[n - 1 - 0] = a[0]; //fallthrough
+        }
+        j++;
+    }
+
+    for (; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j;
+
+    for (i = 47, j = 0; i >= 0; i--) {
+        a[j++] = r[i] >> 56;
+        a[j++] = r[i] >> 48;
+        a[j++] = r[i] >> 40;
+        a[j++] = r[i] >> 32;
+        a[j++] = r[i] >> 24;
+        a[j++] = r[i] >> 16;
+        a[j++] = r[i] >> 8;
+        a[j++] = r[i] >> 0;
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[12];
+
+    __asm__ __volatile__ (
+        "ldp	x10, x11, [%[a], 0]\n\t"
+        "ldp	x12, x13, [%[a], 16]\n\t"
+        "ldp	x14, x15, [%[a], 32]\n\t"
+        "ldp	x16, x17, [%[a], 48]\n\t"
+        "ldp	x19, x20, [%[a], 64]\n\t"
+        "ldp	x21, x22, [%[a], 80]\n\t"
+        "#  A[0] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "mul	x4, x10, x9\n\t"
+        "umulh	x5, x10, x9\n\t"
+        "mov	x6, 0\n\t"
+        "str	x4, [%[tmp]]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 8]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 16]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 24]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 32]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 40]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 48]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 56]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[6] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[8] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 64]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[7] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[8] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[9] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 72]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[8] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[9] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[10] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 80]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x10, x9\n\t"
+        "umulh	x8, x10, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x11, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[6] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[8] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[9] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[10] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[11] * B[0]\n\t"
+        "ldr	x9, [%[b], 0]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 88]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[1] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x11, x9\n\t"
+        "umulh	x8, x11, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x12, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[7] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[8] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[9] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[10] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[11] * B[1]\n\t"
+        "ldr	x9, [%[b], 8]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 96]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[2] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x12, x9\n\t"
+        "umulh	x8, x12, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x13, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[8] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[9] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[10] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[11] * B[2]\n\t"
+        "ldr	x9, [%[b], 16]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 104]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[3] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x13, x9\n\t"
+        "umulh	x8, x13, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x14, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[6] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[8] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[9] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[10] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[11] * B[3]\n\t"
+        "ldr	x9, [%[b], 24]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 112]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[4] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[6] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[7] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[8] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[9] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[10] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[11] * B[4]\n\t"
+        "ldr	x9, [%[b], 32]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 120]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[5] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x15, x9\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[6] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[7] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[8] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[9] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[10] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[11] * B[5]\n\t"
+        "ldr	x9, [%[b], 40]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 128]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[6] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x16, x9\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[7] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[8] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[9] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[10] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[11] * B[6]\n\t"
+        "ldr	x9, [%[b], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 136]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[7] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x17, x9\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[8] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[9] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[10] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[11] * B[7]\n\t"
+        "ldr	x9, [%[b], 56]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 144]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[8] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x19, x9\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[9] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[10] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[11] * B[8]\n\t"
+        "ldr	x9, [%[b], 64]\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 152]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[9] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x20, x9\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[10] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[11] * B[9]\n\t"
+        "ldr	x9, [%[b], 72]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 160]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[10] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x21, x9\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[11] * B[10]\n\t"
+        "ldr	x9, [%[b], 80]\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 168]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[11] * B[11]\n\t"
+        "ldr	x9, [%[b], 88]\n\t"
+        "mul	x7, x22, x9\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adc	x6, x6, x8\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x10, x11, [%[tmp], 0]\n\t"
+        "ldp	x12, x13, [%[tmp], 16]\n\t"
+        "ldp	x14, x15, [%[tmp], 32]\n\t"
+        "ldp	x16, x17, [%[tmp], 48]\n\t"
+        "ldp	x19, x20, [%[tmp], 64]\n\t"
+        "ldp	x21, x22, [%[tmp], 80]\n\t"
+        "stp	x10, x11, [%[r], 0]\n\t"
+        "stp	x12, x13, [%[r], 16]\n\t"
+        "stp	x14, x15, [%[r], 32]\n\t"
+        "stp	x16, x17, [%[r], 48]\n\t"
+        "stp	x19, x20, [%[r], 64]\n\t"
+        "stp	x21, x22, [%[r], 80]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x10, x11, [%[a], 0]\n\t"
+        "ldp	x12, x13, [%[a], 16]\n\t"
+        "ldp	x14, x15, [%[a], 32]\n\t"
+        "ldp	x16, x17, [%[a], 48]\n\t"
+        "ldp	x19, x20, [%[a], 64]\n\t"
+        "ldp	x21, x22, [%[a], 80]\n\t"
+        "#  A[0] * A[0]\n\t"
+        "mul	x2, x10, x10\n\t"
+        "umulh	x3, x10, x10\n\t"
+        "str	x2, [%[r]]\n\t"
+        "mov	x4, 0\n\t"
+        "#  A[0] * A[1]\n\t"
+        "mul	x8, x10, x11\n\t"
+        "umulh	x9, x10, x11\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "adc	x2, xzr, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "str	x3, [%[r], 8]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "mul	x8, x10, x12\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x9, x10, x12\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "#  A[1] * A[1]\n\t"
+        "mul	x8, x11, x11\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "umulh	x9, x11, x11\n\t"
+        "adc	x3, x3, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "str	x4, [%[r], 16]\n\t"
+        "#  A[0] * A[3]\n\t"
+        "mul	x8, x10, x13\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "umulh	x9, x10, x13\n\t"
+        "adc	x3, x3, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "#  A[1] * A[2]\n\t"
+        "mul	x8, x11, x12\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x11, x12\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "str	x2, [%[r], 24]\n\t"
+        "#  A[0] * A[4]\n\t"
+        "mul	x8, x10, x14\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x10, x14\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "adc	x2, xzr, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "#  A[1] * A[3]\n\t"
+        "mul	x8, x11, x13\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x9, x11, x13\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "#  A[2] * A[2]\n\t"
+        "mul	x8, x12, x12\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x9, x12, x12\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "str	x3, [%[r], 32]\n\t"
+        "#  A[0] * A[5]\n\t"
+        "mul	x5, x10, x15\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x6, x10, x15\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "mov	x3, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[4]\n\t"
+        "mul	x8, x11, x14\n\t"
+        "umulh	x9, x11, x14\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[3]\n\t"
+        "mul	x8, x12, x13\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x13\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x4, x4, x5\n\t"
+        "adcs	x2, x2, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "str	x4, [%[r], 40]\n\t"
+        "#  A[0] * A[6]\n\t"
+        "mul	x5, x10, x16\n\t"
+        "umulh	x6, x10, x16\n\t"
+        "mov	x4, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[5]\n\t"
+        "mul	x8, x11, x15\n\t"
+        "umulh	x9, x11, x15\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[4]\n\t"
+        "mul	x8, x12, x14\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x14\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[3]\n\t"
+        "mul	x8, x13, x13\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x13\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x2, x2, x5\n\t"
+        "adcs	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "str	x2, [%[r], 48]\n\t"
+        "#  A[0] * A[7]\n\t"
+        "mul	x5, x10, x17\n\t"
+        "umulh	x6, x10, x17\n\t"
+        "mov	x2, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[6]\n\t"
+        "mul	x8, x11, x16\n\t"
+        "umulh	x9, x11, x16\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[5]\n\t"
+        "mul	x8, x12, x15\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x15\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[4]\n\t"
+        "mul	x8, x13, x14\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x14\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x3, x3, x5\n\t"
+        "adcs	x4, x4, x6\n\t"
+        "adc	x2, x2, x7\n\t"
+        "str	x3, [%[r], 56]\n\t"
+        "#  A[0] * A[8]\n\t"
+        "mul	x5, x10, x19\n\t"
+        "umulh	x6, x10, x19\n\t"
+        "mov	x3, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[7]\n\t"
+        "mul	x8, x11, x17\n\t"
+        "umulh	x9, x11, x17\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[6]\n\t"
+        "mul	x8, x12, x16\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x16\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[5]\n\t"
+        "mul	x8, x13, x15\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x15\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[4]\n\t"
+        "mul	x8, x14, x14\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x14\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x4, x4, x5\n\t"
+        "adcs	x2, x2, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "str	x4, [%[r], 64]\n\t"
+        "#  A[0] * A[9]\n\t"
+        "mul	x5, x10, x20\n\t"
+        "umulh	x6, x10, x20\n\t"
+        "mov	x4, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[8]\n\t"
+        "mul	x8, x11, x19\n\t"
+        "umulh	x9, x11, x19\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[7]\n\t"
+        "mul	x8, x12, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[6]\n\t"
+        "mul	x8, x13, x16\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x16\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[5]\n\t"
+        "mul	x8, x14, x15\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x15\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x2, x2, x5\n\t"
+        "adcs	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "str	x2, [%[r], 72]\n\t"
+        "#  A[0] * A[10]\n\t"
+        "mul	x5, x10, x21\n\t"
+        "umulh	x6, x10, x21\n\t"
+        "mov	x2, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[9]\n\t"
+        "mul	x8, x11, x20\n\t"
+        "umulh	x9, x11, x20\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[8]\n\t"
+        "mul	x8, x12, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[7]\n\t"
+        "mul	x8, x13, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[6]\n\t"
+        "mul	x8, x14, x16\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x16\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[5] * A[5]\n\t"
+        "mul	x8, x15, x15\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x15, x15\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x3, x3, x5\n\t"
+        "adcs	x4, x4, x6\n\t"
+        "adc	x2, x2, x7\n\t"
+        "str	x3, [%[r], 80]\n\t"
+        "#  A[0] * A[11]\n\t"
+        "mul	x5, x10, x22\n\t"
+        "umulh	x6, x10, x22\n\t"
+        "mov	x3, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[1] * A[10]\n\t"
+        "mul	x8, x11, x21\n\t"
+        "umulh	x9, x11, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[2] * A[9]\n\t"
+        "mul	x8, x12, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x12, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[8]\n\t"
+        "mul	x8, x13, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[7]\n\t"
+        "mul	x8, x14, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[5] * A[6]\n\t"
+        "mul	x8, x15, x16\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x15, x16\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x4, x4, x5\n\t"
+        "adcs	x2, x2, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "str	x4, [%[r], 88]\n\t"
+        "#  A[1] * A[11]\n\t"
+        "mul	x5, x11, x22\n\t"
+        "umulh	x6, x11, x22\n\t"
+        "mov	x4, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[2] * A[10]\n\t"
+        "mul	x8, x12, x21\n\t"
+        "umulh	x9, x12, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[3] * A[9]\n\t"
+        "mul	x8, x13, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x13, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[8]\n\t"
+        "mul	x8, x14, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[5] * A[7]\n\t"
+        "mul	x8, x15, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x15, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[6] * A[6]\n\t"
+        "mul	x8, x16, x16\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x16, x16\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x2, x2, x5\n\t"
+        "adcs	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "str	x2, [%[r], 96]\n\t"
+        "#  A[2] * A[11]\n\t"
+        "mul	x5, x12, x22\n\t"
+        "umulh	x6, x12, x22\n\t"
+        "mov	x2, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[3] * A[10]\n\t"
+        "mul	x8, x13, x21\n\t"
+        "umulh	x9, x13, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[4] * A[9]\n\t"
+        "mul	x8, x14, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x14, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[5] * A[8]\n\t"
+        "mul	x8, x15, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x15, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[6] * A[7]\n\t"
+        "mul	x8, x16, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x16, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x3, x3, x5\n\t"
+        "adcs	x4, x4, x6\n\t"
+        "adc	x2, x2, x7\n\t"
+        "str	x3, [%[r], 104]\n\t"
+        "#  A[3] * A[11]\n\t"
+        "mul	x5, x13, x22\n\t"
+        "umulh	x6, x13, x22\n\t"
+        "mov	x3, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[4] * A[10]\n\t"
+        "mul	x8, x14, x21\n\t"
+        "umulh	x9, x14, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[5] * A[9]\n\t"
+        "mul	x8, x15, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x15, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[6] * A[8]\n\t"
+        "mul	x8, x16, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x16, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[7] * A[7]\n\t"
+        "mul	x8, x17, x17\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x17, x17\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x4, x4, x5\n\t"
+        "adcs	x2, x2, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "str	x4, [%[r], 112]\n\t"
+        "#  A[4] * A[11]\n\t"
+        "mul	x5, x14, x22\n\t"
+        "umulh	x6, x14, x22\n\t"
+        "mov	x4, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[5] * A[10]\n\t"
+        "mul	x8, x15, x21\n\t"
+        "umulh	x9, x15, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[6] * A[9]\n\t"
+        "mul	x8, x16, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x16, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[7] * A[8]\n\t"
+        "mul	x8, x17, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x17, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x2, x2, x5\n\t"
+        "adcs	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "str	x2, [%[r], 120]\n\t"
+        "#  A[5] * A[11]\n\t"
+        "mul	x5, x15, x22\n\t"
+        "umulh	x6, x15, x22\n\t"
+        "mov	x2, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[6] * A[10]\n\t"
+        "mul	x8, x16, x21\n\t"
+        "umulh	x9, x16, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[7] * A[9]\n\t"
+        "mul	x8, x17, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x17, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[8] * A[8]\n\t"
+        "mul	x8, x19, x19\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x19, x19\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x3, x3, x5\n\t"
+        "adcs	x4, x4, x6\n\t"
+        "adc	x2, x2, x7\n\t"
+        "str	x3, [%[r], 128]\n\t"
+        "#  A[6] * A[11]\n\t"
+        "mul	x5, x16, x22\n\t"
+        "umulh	x6, x16, x22\n\t"
+        "mov	x3, 0\n\t"
+        "mov	x7, 0\n\t"
+        "#  A[7] * A[10]\n\t"
+        "mul	x8, x17, x21\n\t"
+        "umulh	x9, x17, x21\n\t"
+        "adds	x5, x5, x8\n\t"
+        "#  A[8] * A[9]\n\t"
+        "mul	x8, x19, x20\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "umulh	x9, x19, x20\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x8\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adc	x7, x7, x7\n\t"
+        "adds	x4, x4, x5\n\t"
+        "adcs	x2, x2, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "str	x4, [%[r], 136]\n\t"
+        "#  A[7] * A[11]\n\t"
+        "mul	x8, x17, x22\n\t"
+        "umulh	x9, x17, x22\n\t"
+        "adds	x2, x2, x8\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "#  A[8] * A[10]\n\t"
+        "mul	x8, x19, x21\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x19, x21\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "#  A[9] * A[9]\n\t"
+        "mul	x8, x20, x20\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x20, x20\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "str	x2, [%[r], 144]\n\t"
+        "#  A[8] * A[11]\n\t"
+        "mul	x8, x19, x22\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x19, x22\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "adc	x2, xzr, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "#  A[9] * A[10]\n\t"
+        "mul	x8, x20, x21\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x9, x20, x21\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "str	x3, [%[r], 152]\n\t"
+        "#  A[9] * A[11]\n\t"
+        "mul	x8, x20, x22\n\t"
+        "adcs	x4, x4, x9\n\t"
+        "umulh	x9, x20, x22\n\t"
+        "adc	x2, x2, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "#  A[10] * A[10]\n\t"
+        "mul	x8, x21, x21\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "umulh	x9, x21, x21\n\t"
+        "adc	x3, x3, xzr\n\t"
+        "adds	x4, x4, x8\n\t"
+        "str	x4, [%[r], 160]\n\t"
+        "#  A[10] * A[11]\n\t"
+        "mul	x8, x21, x22\n\t"
+        "adcs	x2, x2, x9\n\t"
+        "umulh	x9, x21, x22\n\t"
+        "adc	x3, x3, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x2, x2, x8\n\t"
+        "str	x2, [%[r], 168]\n\t"
+        "#  A[11] * A[11]\n\t"
+        "mul	x8, x22, x22\n\t"
+        "adcs	x3, x3, x9\n\t"
+        "umulh	x9, x22, x22\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x3, x3, x8\n\t"
+        "adc	x4, x4, x9\n\t"
+        "stp	x3, x4, [%[r], 176]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x2", "x3", "x4", "x8", "x9", "x10", "x5", "x6", "x7", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_24(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x2, x3, [%[a], 32]\n\t"
+        "ldp	x6, x7, [%[b], 32]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 48]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 32]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 48]\n\t"
+        "ldp	x2, x3, [%[a], 64]\n\t"
+        "ldp	x6, x7, [%[b], 64]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 80]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 64]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 80]\n\t"
+        "ldp	x2, x3, [%[a], 96]\n\t"
+        "ldp	x6, x7, [%[b], 96]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 112]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 96]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 112]\n\t"
+        "ldp	x2, x3, [%[a], 128]\n\t"
+        "ldp	x6, x7, [%[b], 128]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 144]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 128]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 144]\n\t"
+        "ldp	x2, x3, [%[a], 160]\n\t"
+        "ldp	x6, x7, [%[b], 160]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 176]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 160]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 176]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Add digit to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_add_zero_12(sp_digit* r, const sp_digit* a,
+        const sp_digit d)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adds	x3, x3, %[d]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [d] "r" (d)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit b1[12];
+    sp_digit z2[24];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_12(a1, a, &a[12]);
+    cb = sp_3072_add_12(b1, b, &b[12]);
+    u  = ca & cb;
+    sp_3072_mul_12(z1, a1, b1);
+    sp_3072_mul_12(z2, &a[12], &b[12]);
+    sp_3072_mul_12(z0, a, b);
+    sp_3072_mask_12(r + 24, a1, 0 - cb);
+    sp_3072_mask_12(b1, b1, 0 - ca);
+    u += sp_3072_add_12(r + 24, r + 24, b1);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    u += sp_3072_add_12(r + 24, r + 24, z2);
+    sp_3072_add_zero_12(r + 36, z2 + 12, u);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_3072_dbl_12(sp_digit* r, const sp_digit* a)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 96\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_3072_dbl_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 16]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 24]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 48]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 56]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 80]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 88]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[24];
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit u;
+
+    u = sp_3072_add_12(a1, a, &a[12]);
+    sp_3072_sqr_12(z1, a1);
+    sp_3072_sqr_12(z2, &a[12]);
+    sp_3072_sqr_12(z0, a);
+    sp_3072_mask_12(r + 24, a1, 0 - u);
+    u += sp_3072_dbl_12(r + 24, r + 24);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    u += sp_3072_add_12(r + 24, r + 24, z2);
+    sp_3072_add_zero_12(r + 36, z2 + 12, u);
+    
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_48(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x2, x3, [%[a], 32]\n\t"
+        "ldp	x6, x7, [%[b], 32]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 48]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 32]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 48]\n\t"
+        "ldp	x2, x3, [%[a], 64]\n\t"
+        "ldp	x6, x7, [%[b], 64]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 80]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 64]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 80]\n\t"
+        "ldp	x2, x3, [%[a], 96]\n\t"
+        "ldp	x6, x7, [%[b], 96]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 112]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 96]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 112]\n\t"
+        "ldp	x2, x3, [%[a], 128]\n\t"
+        "ldp	x6, x7, [%[b], 128]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 144]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 128]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 144]\n\t"
+        "ldp	x2, x3, [%[a], 160]\n\t"
+        "ldp	x6, x7, [%[b], 160]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 176]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 160]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 176]\n\t"
+        "ldp	x2, x3, [%[a], 192]\n\t"
+        "ldp	x6, x7, [%[b], 192]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 208]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 192]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 208]\n\t"
+        "ldp	x2, x3, [%[a], 224]\n\t"
+        "ldp	x6, x7, [%[b], 224]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 240]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 224]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 240]\n\t"
+        "ldp	x2, x3, [%[a], 256]\n\t"
+        "ldp	x6, x7, [%[b], 256]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 272]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 272]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 256]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 272]\n\t"
+        "ldp	x2, x3, [%[a], 288]\n\t"
+        "ldp	x6, x7, [%[b], 288]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 304]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 304]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 288]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 304]\n\t"
+        "ldp	x2, x3, [%[a], 320]\n\t"
+        "ldp	x6, x7, [%[b], 320]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 336]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 336]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 320]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 336]\n\t"
+        "ldp	x2, x3, [%[a], 352]\n\t"
+        "ldp	x6, x7, [%[b], 352]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 368]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 368]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 352]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 368]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "ldp	x3, x4, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 272]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 256]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 272]\n\t"
+        "ldp	x3, x4, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 304]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 288]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 304]\n\t"
+        "ldp	x3, x4, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 336]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 320]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 336]\n\t"
+        "ldp	x3, x4, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 368]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 352]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 368]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Add digit to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_add_zero_24(sp_digit* r, const sp_digit* a,
+        const sp_digit d)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adds	x3, x3, %[d]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [d] "r" (d)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit b1[24];
+    sp_digit z2[48];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_24(a1, a, &a[24]);
+    cb = sp_3072_add_24(b1, b, &b[24]);
+    u  = ca & cb;
+    sp_3072_mul_24(z1, a1, b1);
+    sp_3072_mul_24(z2, &a[24], &b[24]);
+    sp_3072_mul_24(z0, a, b);
+    sp_3072_mask_24(r + 48, a1, 0 - cb);
+    sp_3072_mask_24(b1, b1, 0 - ca);
+    u += sp_3072_add_24(r + 48, r + 48, b1);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    u += sp_3072_add_24(r + 48, r + 48, z2);
+    sp_3072_add_zero_24(r + 72, z2 + 24, u);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_3072_dbl_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 192\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_3072_dbl_24(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 16]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 24]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 48]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 56]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 80]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 88]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 112]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 120]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 144]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 152]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 176]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 184]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[48];
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit u;
+
+    u = sp_3072_add_24(a1, a, &a[24]);
+    sp_3072_sqr_24(z1, a1);
+    sp_3072_sqr_24(z2, &a[24]);
+    sp_3072_sqr_24(z0, a);
+    sp_3072_mask_24(r + 48, a1, 0 - u);
+    u += sp_3072_dbl_24(r + 48, r + 48);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    u += sp_3072_add_24(r + 48, r + 48, z2);
+    sp_3072_add_zero_24(r + 72, z2 + 24, u);
+    
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 384\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_48(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x10, %[a], 384\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], #16]\n\t"
+        "ldp	x6, x7, [%[b]], #16\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x8, x9, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a]], #16\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x10\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[96];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 376\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 384\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 752\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[96];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 376\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 384\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 752\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 192\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_in_place_24(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x10, %[a], 192\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], #16]\n\t"
+        "ldp	x6, x7, [%[b]], #16\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x8, x9, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a]], #16\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x10\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_3072_mul_24(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[48];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 184\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 192\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 368\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_3072_sqr_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[48];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 184\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 192\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 368\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_3072_mul_d_48(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 384\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 384]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[6] * B\n\t"
+        "ldp	x8, x9, [%[a], 48]\n\t"
+        "str	x5, [%[r], 40]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[7] * B\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[8] * B\n\t"
+        "ldp	x8, x9, [%[a], 64]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[9] * B\n\t"
+        "str	x5, [%[r], 64]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[10] * B\n\t"
+        "ldp	x8, x9, [%[a], 80]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[11] * B\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[12] * B\n\t"
+        "ldp	x8, x9, [%[a], 96]\n\t"
+        "str	x5, [%[r], 88]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[13] * B\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[14] * B\n\t"
+        "ldp	x8, x9, [%[a], 112]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[15] * B\n\t"
+        "str	x5, [%[r], 112]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[16] * B\n\t"
+        "ldp	x8, x9, [%[a], 128]\n\t"
+        "str	x3, [%[r], 120]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[17] * B\n\t"
+        "str	x4, [%[r], 128]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[18] * B\n\t"
+        "ldp	x8, x9, [%[a], 144]\n\t"
+        "str	x5, [%[r], 136]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[19] * B\n\t"
+        "str	x3, [%[r], 144]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[20] * B\n\t"
+        "ldp	x8, x9, [%[a], 160]\n\t"
+        "str	x4, [%[r], 152]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[21] * B\n\t"
+        "str	x5, [%[r], 160]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[22] * B\n\t"
+        "ldp	x8, x9, [%[a], 176]\n\t"
+        "str	x3, [%[r], 168]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[23] * B\n\t"
+        "str	x4, [%[r], 176]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[24] * B\n\t"
+        "ldp	x8, x9, [%[a], 192]\n\t"
+        "str	x5, [%[r], 184]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[25] * B\n\t"
+        "str	x3, [%[r], 192]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[26] * B\n\t"
+        "ldp	x8, x9, [%[a], 208]\n\t"
+        "str	x4, [%[r], 200]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[27] * B\n\t"
+        "str	x5, [%[r], 208]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[28] * B\n\t"
+        "ldp	x8, x9, [%[a], 224]\n\t"
+        "str	x3, [%[r], 216]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[29] * B\n\t"
+        "str	x4, [%[r], 224]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[30] * B\n\t"
+        "ldp	x8, x9, [%[a], 240]\n\t"
+        "str	x5, [%[r], 232]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[31] * B\n\t"
+        "str	x3, [%[r], 240]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[32] * B\n\t"
+        "ldp	x8, x9, [%[a], 256]\n\t"
+        "str	x4, [%[r], 248]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[33] * B\n\t"
+        "str	x5, [%[r], 256]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[34] * B\n\t"
+        "ldp	x8, x9, [%[a], 272]\n\t"
+        "str	x3, [%[r], 264]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[35] * B\n\t"
+        "str	x4, [%[r], 272]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[36] * B\n\t"
+        "ldp	x8, x9, [%[a], 288]\n\t"
+        "str	x5, [%[r], 280]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[37] * B\n\t"
+        "str	x3, [%[r], 288]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[38] * B\n\t"
+        "ldp	x8, x9, [%[a], 304]\n\t"
+        "str	x4, [%[r], 296]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[39] * B\n\t"
+        "str	x5, [%[r], 304]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[40] * B\n\t"
+        "ldp	x8, x9, [%[a], 320]\n\t"
+        "str	x3, [%[r], 312]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[41] * B\n\t"
+        "str	x4, [%[r], 320]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[42] * B\n\t"
+        "ldp	x8, x9, [%[a], 336]\n\t"
+        "str	x5, [%[r], 328]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[43] * B\n\t"
+        "str	x3, [%[r], 336]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[44] * B\n\t"
+        "ldp	x8, x9, [%[a], 352]\n\t"
+        "str	x4, [%[r], 344]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[45] * B\n\t"
+        "str	x5, [%[r], 352]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[46] * B\n\t"
+        "ldp	x8, x9, [%[a], 368]\n\t"
+        "str	x3, [%[r], 360]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[47] * B\n\t"
+        "str	x4, [%[r], 368]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "stp	x5, x3, [%[r], 376]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_24(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 24);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_24(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_sub_24(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "csetm	%[c], cc\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 192\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_24(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "ldp	x21, x22, [%[m], 48]\n\t"
+        "ldp	x23, x24, [%[m], 64]\n\t"
+        "ldp	x25, x26, [%[m], 80]\n\t"
+        "ldp	x27, x28, [%[m], 96]\n\t"
+        "# i = 24\n\t"
+        "mov	x4, 24\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	x10, [%[a], 56]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	x11, [%[a], 64]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x23, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x23, x9\n\t"
+        "str	x10, [%[a], 56]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	x10, [%[a], 72]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x24, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x24, x9\n\t"
+        "str	x11, [%[a], 64]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	x11, [%[a], 80]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x25, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x25, x9\n\t"
+        "str	x10, [%[a], 72]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	x10, [%[a], 88]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x26, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x26, x9\n\t"
+        "str	x11, [%[a], 80]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	x11, [%[a], 96]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x27, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x27, x9\n\t"
+        "str	x10, [%[a], 88]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	x10, [%[a], 104]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x28, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x28, x9\n\t"
+        "str	x11, [%[a], 96]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	x11, [%[a], 112]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 112]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 104]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	x10, [%[a], 120]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 120]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 112]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	x11, [%[a], 128]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 128]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 120]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	x10, [%[a], 136]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 136]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 128]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	x11, [%[a], 144]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 144]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 136]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	x10, [%[a], 152]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 152]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 144]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	x11, [%[a], 160]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 160]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 152]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	x10, [%[a], 168]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 168]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 160]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	x11, [%[a], 176]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 176]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 168]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	x10, [%[a], 184]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 184]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 176]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 192]\n\t"
+        "str	x10, [%[a], 184]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 192]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28"
+    );
+
+    sp_3072_cond_sub_24(a - 24, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_24(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_24(r, a, b);
+    sp_3072_mont_reduce_24(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_24(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_24(r, a);
+    sp_3072_mont_reduce_24(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_3072_mul_d_24(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 192\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 192]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[6] * B\n\t"
+        "ldp	x8, x9, [%[a], 48]\n\t"
+        "str	x5, [%[r], 40]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[7] * B\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[8] * B\n\t"
+        "ldp	x8, x9, [%[a], 64]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[9] * B\n\t"
+        "str	x5, [%[r], 64]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[10] * B\n\t"
+        "ldp	x8, x9, [%[a], 80]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[11] * B\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[12] * B\n\t"
+        "ldp	x8, x9, [%[a], 96]\n\t"
+        "str	x5, [%[r], 88]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[13] * B\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[14] * B\n\t"
+        "ldp	x8, x9, [%[a], 112]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[15] * B\n\t"
+        "str	x5, [%[r], 112]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[16] * B\n\t"
+        "ldp	x8, x9, [%[a], 128]\n\t"
+        "str	x3, [%[r], 120]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[17] * B\n\t"
+        "str	x4, [%[r], 128]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[18] * B\n\t"
+        "ldp	x8, x9, [%[a], 144]\n\t"
+        "str	x5, [%[r], 136]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[19] * B\n\t"
+        "str	x3, [%[r], 144]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[20] * B\n\t"
+        "ldp	x8, x9, [%[a], 160]\n\t"
+        "str	x4, [%[r], 152]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[21] * B\n\t"
+        "str	x5, [%[r], 160]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[22] * B\n\t"
+        "ldp	x8, x9, [%[a], 176]\n\t"
+        "str	x3, [%[r], 168]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[23] * B\n\t"
+        "str	x4, [%[r], 176]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "stp	x5, x3, [%[r], 184]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_3072_word_24(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_3072_cmp_24(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 184\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov  x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "ldp	x7, x8, [%[b], 176]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "ldp	x7, x8, [%[b], 144]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "ldp	x7, x8, [%[b], 112]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "ldp	x7, x8, [%[b], 80]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "ldp	x7, x8, [%[b], 48]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "ldp	x7, x8, [%[b], 16]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_24(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[48], t2[25];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[23];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 24);
+    for (i=23; i>=0; i--) {
+        r1 = div_3072_word_24(t1[24 + i], t1[24 + i - 1], div);
+
+        sp_3072_mul_d_24(t2, d, r1);
+        t1[24 + i] += sp_3072_sub_in_place_24(&t1[i], t2);
+        t1[24 + i] -= t2[24];
+        sp_3072_mask_24(t2, d, t1[24 + i]);
+        t1[24 + i] += sp_3072_add_24(&t1[i], &t1[i], t2);
+        sp_3072_mask_24(t2, d, t1[24 + i]);
+        t1[24 + i] += sp_3072_add_24(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_24(t1, d) >= 0;
+    sp_3072_cond_sub_24(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_24(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_24(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_24(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][48];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 48, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 48;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_24(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 24U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_24(t[1] + 24, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_24(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 24, a, sizeof(sp_digit) * 24);
+            err = sp_3072_mod_24(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_24(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_24(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_24(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_24(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_24(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_24(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_24(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_24(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_24(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_24(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_24(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_24(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_24(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_24(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 4;
+        if (c == 64) {
+            c = 60;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 24);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 60;
+                n <<= 4;
+                c = 60;
+            }
+            else if (c < 4) {
+                y = n >> 60;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 60) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+
+            sp_3072_mont_mul_24(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[24], 0, sizeof(sp_digit) * 24U);
+        sp_3072_mont_reduce_24(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_24(r, m) >= 0);
+        sp_3072_cond_sub_24(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_24(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][48];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 48, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 48;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_24(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 24U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_24(t[1] + 24, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_24(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 24, a, sizeof(sp_digit) * 24);
+            err = sp_3072_mod_24(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_24(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_24(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_24(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_24(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_24(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_24(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_24(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_24(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_24(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_24(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_24(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_24(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_24(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_24(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_24(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_24(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_24(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_24(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_24(t[20], t[10], m, mp);
+        sp_3072_mont_mul_24(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_24(t[22], t[11], m, mp);
+        sp_3072_mont_mul_24(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_24(t[24], t[12], m, mp);
+        sp_3072_mont_mul_24(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_24(t[26], t[13], m, mp);
+        sp_3072_mont_mul_24(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_24(t[28], t[14], m, mp);
+        sp_3072_mont_mul_24(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_24(t[30], t[15], m, mp);
+        sp_3072_mont_mul_24(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 5;
+        if (c == 64) {
+            c = 59;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 24);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 59;
+                n <<= 5;
+                c = 59;
+            }
+            else if (c < 5) {
+                y = n >> 59;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+            sp_3072_mont_sqr_24(r, r, m, mp);
+
+            sp_3072_mont_mul_24(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[24], 0, sizeof(sp_digit) * 24U);
+        sp_3072_mont_reduce_24(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_24(r, m) >= 0);
+        sp_3072_cond_sub_24(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_48(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 48);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_48(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_sub_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "csetm	%[c], cc\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 384\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "ldp	x5, x7, [%[b], 192]\n\t"
+        "ldp	x11, x12, [%[b], 208]\n\t"
+        "ldp	x4, x6, [%[a], 192]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 208]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 192]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 208]\n\t"
+        "ldp	x5, x7, [%[b], 224]\n\t"
+        "ldp	x11, x12, [%[b], 240]\n\t"
+        "ldp	x4, x6, [%[a], 224]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 240]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 224]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 240]\n\t"
+        "ldp	x5, x7, [%[b], 256]\n\t"
+        "ldp	x11, x12, [%[b], 272]\n\t"
+        "ldp	x4, x6, [%[a], 256]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 272]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 256]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 272]\n\t"
+        "ldp	x5, x7, [%[b], 288]\n\t"
+        "ldp	x11, x12, [%[b], 304]\n\t"
+        "ldp	x4, x6, [%[a], 288]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 304]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 288]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 304]\n\t"
+        "ldp	x5, x7, [%[b], 320]\n\t"
+        "ldp	x11, x12, [%[b], 336]\n\t"
+        "ldp	x4, x6, [%[a], 320]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 336]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 320]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 336]\n\t"
+        "ldp	x5, x7, [%[b], 352]\n\t"
+        "ldp	x11, x12, [%[b], 368]\n\t"
+        "ldp	x4, x6, [%[a], 352]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 368]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 352]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 368]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_48(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "ldp	x21, x22, [%[m], 48]\n\t"
+        "ldp	x23, x24, [%[m], 64]\n\t"
+        "ldp	x25, x26, [%[m], 80]\n\t"
+        "ldp	x27, x28, [%[m], 96]\n\t"
+        "# i = 48\n\t"
+        "mov	x4, 48\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	x10, [%[a], 56]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	x11, [%[a], 64]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x23, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x23, x9\n\t"
+        "str	x10, [%[a], 56]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	x10, [%[a], 72]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x24, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x24, x9\n\t"
+        "str	x11, [%[a], 64]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	x11, [%[a], 80]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x25, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x25, x9\n\t"
+        "str	x10, [%[a], 72]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	x10, [%[a], 88]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x26, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x26, x9\n\t"
+        "str	x11, [%[a], 80]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	x11, [%[a], 96]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x27, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x27, x9\n\t"
+        "str	x10, [%[a], 88]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	x10, [%[a], 104]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x28, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x28, x9\n\t"
+        "str	x11, [%[a], 96]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	x11, [%[a], 112]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 112]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 104]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	x10, [%[a], 120]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 120]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 112]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	x11, [%[a], 128]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 128]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 120]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	x10, [%[a], 136]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 136]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 128]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	x11, [%[a], 144]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 144]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 136]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	x10, [%[a], 152]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 152]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 144]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	x11, [%[a], 160]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 160]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 152]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	x10, [%[a], 168]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 168]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 160]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	x11, [%[a], 176]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 176]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 168]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	x10, [%[a], 184]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 184]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 176]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	x11, [%[a], 192]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 192]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 184]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	x10, [%[a], 200]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 200]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 192]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	x11, [%[a], 208]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 208]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 200]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	x10, [%[a], 216]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 216]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 208]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	x11, [%[a], 224]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 224]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 216]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	x10, [%[a], 232]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 232]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 224]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	x11, [%[a], 240]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 240]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 232]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	x10, [%[a], 248]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 248]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 240]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	x11, [%[a], 256]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 256]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 248]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	x10, [%[a], 264]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 264]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 256]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	x11, [%[a], 272]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 272]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 264]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	x10, [%[a], 280]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 280]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 272]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	x11, [%[a], 288]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 288]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 280]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	x10, [%[a], 296]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 296]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 288]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	x11, [%[a], 304]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 304]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 296]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	x10, [%[a], 312]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 312]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 304]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	x11, [%[a], 320]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 320]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 312]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	x10, [%[a], 328]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 328]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 320]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	x11, [%[a], 336]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 336]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 328]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	x10, [%[a], 344]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 344]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 336]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	x11, [%[a], 352]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 352]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 344]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	x10, [%[a], 360]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 360]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 352]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	x11, [%[a], 368]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 368]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 360]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	x10, [%[a], 376]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 376]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 368]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 384]\n\t"
+        "str	x10, [%[a], 376]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 384]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28"
+    );
+
+    sp_3072_cond_sub_48(a - 48, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_48(r, a, b);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_48(r, a);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_3072_word_48(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_3072_cmp_48(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 376\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov  x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "ldp	x7, x8, [%[b], 368]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "ldp	x7, x8, [%[b], 336]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "ldp	x7, x8, [%[b], 304]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "ldp	x7, x8, [%[b], 272]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "ldp	x7, x8, [%[b], 240]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "ldp	x7, x8, [%[b], 208]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "ldp	x7, x8, [%[b], 176]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "ldp	x7, x8, [%[b], 144]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "ldp	x7, x8, [%[b], 112]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "ldp	x7, x8, [%[b], 80]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "ldp	x7, x8, [%[b], 48]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "ldp	x7, x8, [%[b], 16]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+        sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_48(t1, d) >= 0;
+    sp_3072_cond_sub_48(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 384\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_3072_sub_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "subs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "ldp	x3, x4, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 272]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 256]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 272]\n\t"
+        "ldp	x3, x4, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 304]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 288]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 304]\n\t"
+        "ldp	x3, x4, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 336]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 320]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 336]\n\t"
+        "ldp	x3, x4, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 368]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 352]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 368]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+        sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        if (t1[48 + i] != 0) {
+            t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], d);
+            if (t1[48 + i] != 0)
+                t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 47; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_3072_sub_48(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 48);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][96];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 4;
+        if (c == 64) {
+            c = 60;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 60;
+                n <<= 4;
+                c = 60;
+            }
+            else if (c < 4) {
+                y = n >> 60;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 60) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 5;
+        if (c == 64) {
+            c = 59;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 59;
+                n <<= 5;
+                c = 59;
+            }
+            else if (c < 5) {
+                y = n >> 59;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[96], m[48], r[96];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 384 ||
+                                                     mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 48 * 2;
+        m = r + 48 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 48;
+
+        sp_3072_from_bin(ah, 48, in, inLen);
+#if DIGIT_BIT >= 64
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 48, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_3072_sqr_48(r, ah);
+                err = sp_3072_mod_48_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_3072_mul_48(r, ah, r);
+                err = sp_3072_mod_48_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 63; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 48);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_48(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_48(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+                sp_3072_mont_reduce_48(r, m, mp);
+
+                for (i = 47; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_3072_sub_in_place_48(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 48;
+        m = a + 96;
+        r = a;
+
+        sp_3072_from_bin(a, 48, in, inLen);
+        sp_3072_from_mp(d, 48, dm);
+        sp_3072_from_mp(m, 48, mm);
+        err = sp_3072_mod_exp_48(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 48);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_3072_cond_add_24(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "cset	%[c], cs\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 192\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adds	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[48 * 2];
+    sp_digit p[24], q[24], dp[24];
+    sp_digit tmpa[48], tmpb[48];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 384 || mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 24 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 48 * 2;
+        q = p + 24;
+        qi = dq = dp = q + 24;
+        tmpa = qi + 24;
+        tmpb = tmpa + 48;
+
+        r = t + 48;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_3072_from_bin(a, 48, in, inLen);
+        sp_3072_from_mp(p, 24, pm);
+        sp_3072_from_mp(q, 24, qm);
+        sp_3072_from_mp(dp, 24, dpm);
+
+        err = sp_3072_mod_exp_24(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 24, dqm);
+        err = sp_3072_mod_exp_24(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_3072_sub_in_place_24(tmpa, tmpb);
+        c += sp_3072_cond_add_24(tmpa, tmpa, p, c);
+        sp_3072_cond_add_24(tmpa, tmpa, p, c);
+
+        sp_3072_from_mp(qi, 24, qim);
+        sp_3072_mul_24(tmpa, tmpa, qi);
+        err = sp_3072_mod_24(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_24(tmpa, q, tmpa);
+        XMEMSET(&tmpb[24], 0, sizeof(sp_digit) * 24);
+        sp_3072_add_48(r, tmpb, tmpa);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 24 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 48);
+        r->used = 48;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 48; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 48; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_mp(e, 48, exp);
+        sp_3072_from_mp(m, 48, mod);
+
+        err = sp_3072_mod_exp_48(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+static void sp_3072_lshift_48(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	x6, 63\n\t"
+        "sub	x6, x6, %[n]\n\t"
+        "ldr	x3, [%[a], 376]\n\t"
+        "lsr	x4, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x4, x4, x6\n\t"
+        "ldr	x2, [%[a], 368]\n\t"
+        "str	x4, [%[r], 384]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 360]\n\t"
+        "str	x3, [%[r], 376]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 352]\n\t"
+        "str	x2, [%[r], 368]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 344]\n\t"
+        "str	x4, [%[r], 360]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 336]\n\t"
+        "str	x3, [%[r], 352]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 328]\n\t"
+        "str	x2, [%[r], 344]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 320]\n\t"
+        "str	x4, [%[r], 336]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 312]\n\t"
+        "str	x3, [%[r], 328]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 304]\n\t"
+        "str	x2, [%[r], 320]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 296]\n\t"
+        "str	x4, [%[r], 312]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 288]\n\t"
+        "str	x3, [%[r], 304]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 280]\n\t"
+        "str	x2, [%[r], 296]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 272]\n\t"
+        "str	x4, [%[r], 288]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 264]\n\t"
+        "str	x3, [%[r], 280]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 256]\n\t"
+        "str	x2, [%[r], 272]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 248]\n\t"
+        "str	x4, [%[r], 264]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 240]\n\t"
+        "str	x3, [%[r], 256]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 232]\n\t"
+        "str	x2, [%[r], 248]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 224]\n\t"
+        "str	x4, [%[r], 240]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 216]\n\t"
+        "str	x3, [%[r], 232]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 208]\n\t"
+        "str	x2, [%[r], 224]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 200]\n\t"
+        "str	x4, [%[r], 216]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 192]\n\t"
+        "str	x3, [%[r], 208]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 184]\n\t"
+        "str	x2, [%[r], 200]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 176]\n\t"
+        "str	x4, [%[r], 192]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 168]\n\t"
+        "str	x3, [%[r], 184]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 160]\n\t"
+        "str	x2, [%[r], 176]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 152]\n\t"
+        "str	x4, [%[r], 168]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 144]\n\t"
+        "str	x3, [%[r], 160]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 136]\n\t"
+        "str	x2, [%[r], 152]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 128]\n\t"
+        "str	x4, [%[r], 144]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 120]\n\t"
+        "str	x3, [%[r], 136]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 112]\n\t"
+        "str	x2, [%[r], 128]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 104]\n\t"
+        "str	x4, [%[r], 120]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 96]\n\t"
+        "str	x3, [%[r], 112]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 88]\n\t"
+        "str	x2, [%[r], 104]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 80]\n\t"
+        "str	x4, [%[r], 96]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 72]\n\t"
+        "str	x3, [%[r], 88]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 64]\n\t"
+        "str	x2, [%[r], 80]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 56]\n\t"
+        "str	x4, [%[r], 72]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 48]\n\t"
+        "str	x3, [%[r], 64]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 40]\n\t"
+        "str	x2, [%[r], 56]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 32]\n\t"
+        "str	x4, [%[r], 48]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 24]\n\t"
+        "str	x3, [%[r], 40]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 16]\n\t"
+        "str	x2, [%[r], 32]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 8]\n\t"
+        "str	x4, [%[r], 24]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 0]\n\t"
+        "str	x3, [%[r], 16]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "str	x4, [%[r]]\n\t"
+        "str	x2, [%[r], 8]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "x2", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_48(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[96];
+    sp_digit td[49];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 145, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 96;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 6;
+        if (c == 64) {
+            c = 58;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_3072_lshift_48(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 58;
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = n >> 58;
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_lshift_48(r, r, y);
+            sp_3072_mul_d_48(tmp, norm, r[48]);
+            r[48] = 0;
+            o = sp_3072_add_48(r, r, tmp);
+            sp_3072_cond_sub_48(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_bin(e, 48, exp, expLen);
+        sp_3072_from_mp(m, 48, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 && m[47] == (sp_digit)-1)
+            err = sp_3072_mod_exp_2_48(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_3072_mod_exp_48(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[48], e[24], m[24];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 24, base);
+        sp_3072_from_mp(e, 24, exp);
+        sp_3072_from_mp(m, 24, mod);
+
+        err = sp_3072_mod_exp_24(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 24, 0, sizeof(*r) * 24U);
+        err = sp_3072_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j;
+    byte* d;
+
+    for (i = n - 1,j = 0; i >= 7; i -= 8) {
+        r[j]  = ((sp_digit)a[i - 0] <<  0) |
+                ((sp_digit)a[i - 1] <<  8) |
+                ((sp_digit)a[i - 2] << 16) |
+                ((sp_digit)a[i - 3] << 24) |
+                ((sp_digit)a[i - 4] << 32) |
+                ((sp_digit)a[i - 5] << 40) |
+                ((sp_digit)a[i - 6] << 48) |
+                ((sp_digit)a[i - 7] << 56);
+        j++;
+    }
+
+    if (i >= 0) {
+        r[j] = 0;
+
+        d = (byte*)r;
+        switch (i) {
+            case 6: d[n - 1 - 6] = a[6]; //fallthrough
+            case 5: d[n - 1 - 5] = a[5]; //fallthrough
+            case 4: d[n - 1 - 4] = a[4]; //fallthrough
+            case 3: d[n - 1 - 3] = a[3]; //fallthrough
+            case 2: d[n - 1 - 2] = a[2]; //fallthrough
+            case 1: d[n - 1 - 1] = a[1]; //fallthrough
+            case 0: d[n - 1 - 0] = a[0]; //fallthrough
+        }
+        j++;
+    }
+
+    for (; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j;
+
+    for (i = 63, j = 0; i >= 0; i--) {
+        a[j++] = r[i] >> 56;
+        a[j++] = r[i] >> 48;
+        a[j++] = r[i] >> 40;
+        a[j++] = r[i] >> 32;
+        a[j++] = r[i] >> 24;
+        a[j++] = r[i] >> 16;
+        a[j++] = r[i] >> 8;
+        a[j++] = r[i] >> 0;
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_in_place_64(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x2, x3, [%[a], 32]\n\t"
+        "ldp	x6, x7, [%[b], 32]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 48]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 32]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 48]\n\t"
+        "ldp	x2, x3, [%[a], 64]\n\t"
+        "ldp	x6, x7, [%[b], 64]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 80]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 64]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 80]\n\t"
+        "ldp	x2, x3, [%[a], 96]\n\t"
+        "ldp	x6, x7, [%[b], 96]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 112]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 96]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 112]\n\t"
+        "ldp	x2, x3, [%[a], 128]\n\t"
+        "ldp	x6, x7, [%[b], 128]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 144]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 128]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 144]\n\t"
+        "ldp	x2, x3, [%[a], 160]\n\t"
+        "ldp	x6, x7, [%[b], 160]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 176]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 160]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 176]\n\t"
+        "ldp	x2, x3, [%[a], 192]\n\t"
+        "ldp	x6, x7, [%[b], 192]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 208]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 192]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 208]\n\t"
+        "ldp	x2, x3, [%[a], 224]\n\t"
+        "ldp	x6, x7, [%[b], 224]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 240]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 224]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 240]\n\t"
+        "ldp	x2, x3, [%[a], 256]\n\t"
+        "ldp	x6, x7, [%[b], 256]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 272]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 272]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 256]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 272]\n\t"
+        "ldp	x2, x3, [%[a], 288]\n\t"
+        "ldp	x6, x7, [%[b], 288]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 304]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 304]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 288]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 304]\n\t"
+        "ldp	x2, x3, [%[a], 320]\n\t"
+        "ldp	x6, x7, [%[b], 320]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 336]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 336]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 320]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 336]\n\t"
+        "ldp	x2, x3, [%[a], 352]\n\t"
+        "ldp	x6, x7, [%[b], 352]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 368]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 368]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 352]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 368]\n\t"
+        "ldp	x2, x3, [%[a], 384]\n\t"
+        "ldp	x6, x7, [%[b], 384]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 400]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 400]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 384]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 400]\n\t"
+        "ldp	x2, x3, [%[a], 416]\n\t"
+        "ldp	x6, x7, [%[b], 416]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 432]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 432]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 416]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 432]\n\t"
+        "ldp	x2, x3, [%[a], 448]\n\t"
+        "ldp	x6, x7, [%[b], 448]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 464]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 464]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 448]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 464]\n\t"
+        "ldp	x2, x3, [%[a], 480]\n\t"
+        "ldp	x6, x7, [%[b], 480]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 496]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 496]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 480]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 496]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "ldp	x3, x4, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 272]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 256]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 272]\n\t"
+        "ldp	x3, x4, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 304]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 288]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 304]\n\t"
+        "ldp	x3, x4, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 336]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 320]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 336]\n\t"
+        "ldp	x3, x4, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 368]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 352]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 368]\n\t"
+        "ldp	x3, x4, [%[a], 384]\n\t"
+        "ldp	x7, x8, [%[b], 384]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 400]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 400]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 384]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 400]\n\t"
+        "ldp	x3, x4, [%[a], 416]\n\t"
+        "ldp	x7, x8, [%[b], 416]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 432]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 432]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 416]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 432]\n\t"
+        "ldp	x3, x4, [%[a], 448]\n\t"
+        "ldp	x7, x8, [%[b], 448]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 464]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 464]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 448]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 464]\n\t"
+        "ldp	x3, x4, [%[a], 480]\n\t"
+        "ldp	x7, x8, [%[b], 480]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 496]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 496]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 480]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 496]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Add digit to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_4096_add_zero_32(sp_digit* r, const sp_digit* a,
+        const sp_digit d)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adds	x3, x3, %[d]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [d] "r" (d)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit b1[32];
+    sp_digit z2[64];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_32(a1, a, &a[32]);
+    cb = sp_2048_add_32(b1, b, &b[32]);
+    u  = ca & cb;
+    sp_2048_mul_32(z1, a1, b1);
+    sp_2048_mul_32(z2, &a[32], &b[32]);
+    sp_2048_mul_32(z0, a, b);
+    sp_2048_mask_32(r + 64, a1, 0 - cb);
+    sp_2048_mask_32(b1, b1, 0 - ca);
+    u += sp_2048_add_32(r + 64, r + 64, b1);
+    u += sp_4096_sub_in_place_64(z1, z2);
+    u += sp_4096_sub_in_place_64(z1, z0);
+    u += sp_4096_add_64(r + 32, r + 32, z1);
+    u += sp_4096_add_32(r + 64, r + 64, z2);
+    sp_4096_add_zero_32(r + 96, z2 + 32, u);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 256\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Double a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static sp_digit sp_2048_dbl_32(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 16]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 24]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 48]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 56]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 80]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 88]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 112]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 120]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 144]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 152]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 176]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 184]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 208]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 216]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "adcs	x3, x3, x3\n\t"
+        "ldr	x5, [%[a], 240]\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "ldr	x6, [%[a], 248]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[64];
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit u;
+
+    u = sp_2048_add_32(a1, a, &a[32]);
+    sp_2048_sqr_32(z1, a1);
+    sp_2048_sqr_32(z2, &a[32]);
+    sp_2048_sqr_32(z0, a);
+    sp_2048_mask_32(r + 64, a1, 0 - u);
+    u += sp_2048_dbl_32(r + 64, r + 64);
+    u += sp_4096_sub_in_place_64(z1, z2);
+    u += sp_4096_sub_in_place_64(z1, z0);
+    u += sp_4096_add_64(r + 32, r + 32, z1);
+    u += sp_4096_add_32(r + 64, r + 64, z2);
+    sp_4096_add_zero_32(r + 96, z2 + 32, u);
+    
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 512\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "cset	%[c], cs\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_in_place_64(sp_digit* a, const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x10, %[a], 512\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], #16]\n\t"
+        "ldp	x6, x7, [%[b]], #16\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "ldp	x8, x9, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a]], #16\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x10\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_4096_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[128];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 504\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 512\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 1008\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_4096_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[128];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 504\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 512\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 1008\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_4096_mul_d_64(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 512\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 512]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[6] * B\n\t"
+        "ldp	x8, x9, [%[a], 48]\n\t"
+        "str	x5, [%[r], 40]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[7] * B\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[8] * B\n\t"
+        "ldp	x8, x9, [%[a], 64]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[9] * B\n\t"
+        "str	x5, [%[r], 64]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[10] * B\n\t"
+        "ldp	x8, x9, [%[a], 80]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[11] * B\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[12] * B\n\t"
+        "ldp	x8, x9, [%[a], 96]\n\t"
+        "str	x5, [%[r], 88]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[13] * B\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[14] * B\n\t"
+        "ldp	x8, x9, [%[a], 112]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[15] * B\n\t"
+        "str	x5, [%[r], 112]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[16] * B\n\t"
+        "ldp	x8, x9, [%[a], 128]\n\t"
+        "str	x3, [%[r], 120]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[17] * B\n\t"
+        "str	x4, [%[r], 128]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[18] * B\n\t"
+        "ldp	x8, x9, [%[a], 144]\n\t"
+        "str	x5, [%[r], 136]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[19] * B\n\t"
+        "str	x3, [%[r], 144]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[20] * B\n\t"
+        "ldp	x8, x9, [%[a], 160]\n\t"
+        "str	x4, [%[r], 152]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[21] * B\n\t"
+        "str	x5, [%[r], 160]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[22] * B\n\t"
+        "ldp	x8, x9, [%[a], 176]\n\t"
+        "str	x3, [%[r], 168]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[23] * B\n\t"
+        "str	x4, [%[r], 176]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[24] * B\n\t"
+        "ldp	x8, x9, [%[a], 192]\n\t"
+        "str	x5, [%[r], 184]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[25] * B\n\t"
+        "str	x3, [%[r], 192]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[26] * B\n\t"
+        "ldp	x8, x9, [%[a], 208]\n\t"
+        "str	x4, [%[r], 200]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[27] * B\n\t"
+        "str	x5, [%[r], 208]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[28] * B\n\t"
+        "ldp	x8, x9, [%[a], 224]\n\t"
+        "str	x3, [%[r], 216]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[29] * B\n\t"
+        "str	x4, [%[r], 224]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[30] * B\n\t"
+        "ldp	x8, x9, [%[a], 240]\n\t"
+        "str	x5, [%[r], 232]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[31] * B\n\t"
+        "str	x3, [%[r], 240]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[32] * B\n\t"
+        "ldp	x8, x9, [%[a], 256]\n\t"
+        "str	x4, [%[r], 248]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[33] * B\n\t"
+        "str	x5, [%[r], 256]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[34] * B\n\t"
+        "ldp	x8, x9, [%[a], 272]\n\t"
+        "str	x3, [%[r], 264]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[35] * B\n\t"
+        "str	x4, [%[r], 272]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[36] * B\n\t"
+        "ldp	x8, x9, [%[a], 288]\n\t"
+        "str	x5, [%[r], 280]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[37] * B\n\t"
+        "str	x3, [%[r], 288]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[38] * B\n\t"
+        "ldp	x8, x9, [%[a], 304]\n\t"
+        "str	x4, [%[r], 296]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[39] * B\n\t"
+        "str	x5, [%[r], 304]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[40] * B\n\t"
+        "ldp	x8, x9, [%[a], 320]\n\t"
+        "str	x3, [%[r], 312]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[41] * B\n\t"
+        "str	x4, [%[r], 320]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[42] * B\n\t"
+        "ldp	x8, x9, [%[a], 336]\n\t"
+        "str	x5, [%[r], 328]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[43] * B\n\t"
+        "str	x3, [%[r], 336]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[44] * B\n\t"
+        "ldp	x8, x9, [%[a], 352]\n\t"
+        "str	x4, [%[r], 344]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[45] * B\n\t"
+        "str	x5, [%[r], 352]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[46] * B\n\t"
+        "ldp	x8, x9, [%[a], 368]\n\t"
+        "str	x3, [%[r], 360]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[47] * B\n\t"
+        "str	x4, [%[r], 368]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[48] * B\n\t"
+        "ldp	x8, x9, [%[a], 384]\n\t"
+        "str	x5, [%[r], 376]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[49] * B\n\t"
+        "str	x3, [%[r], 384]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[50] * B\n\t"
+        "ldp	x8, x9, [%[a], 400]\n\t"
+        "str	x4, [%[r], 392]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[51] * B\n\t"
+        "str	x5, [%[r], 400]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[52] * B\n\t"
+        "ldp	x8, x9, [%[a], 416]\n\t"
+        "str	x3, [%[r], 408]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[53] * B\n\t"
+        "str	x4, [%[r], 416]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[54] * B\n\t"
+        "ldp	x8, x9, [%[a], 432]\n\t"
+        "str	x5, [%[r], 424]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[55] * B\n\t"
+        "str	x3, [%[r], 432]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[56] * B\n\t"
+        "ldp	x8, x9, [%[a], 448]\n\t"
+        "str	x4, [%[r], 440]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[57] * B\n\t"
+        "str	x5, [%[r], 448]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[58] * B\n\t"
+        "ldp	x8, x9, [%[a], 464]\n\t"
+        "str	x3, [%[r], 456]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[59] * B\n\t"
+        "str	x4, [%[r], 464]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[60] * B\n\t"
+        "ldp	x8, x9, [%[a], 480]\n\t"
+        "str	x5, [%[r], 472]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[61] * B\n\t"
+        "str	x3, [%[r], 480]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[62] * B\n\t"
+        "ldp	x8, x9, [%[a], 496]\n\t"
+        "str	x4, [%[r], 488]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[63] * B\n\t"
+        "str	x5, [%[r], 496]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x4, x4, x7\n\t"
+        "stp	x3, x4, [%[r], 504]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_64(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 64);
+
+    /* r = 2^n mod m */
+    sp_4096_sub_in_place_64(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_4096_cond_sub_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "csetm	%[c], cc\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 512\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "ldp	x5, x7, [%[b], 192]\n\t"
+        "ldp	x11, x12, [%[b], 208]\n\t"
+        "ldp	x4, x6, [%[a], 192]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 208]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 192]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 208]\n\t"
+        "ldp	x5, x7, [%[b], 224]\n\t"
+        "ldp	x11, x12, [%[b], 240]\n\t"
+        "ldp	x4, x6, [%[a], 224]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 240]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 224]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 240]\n\t"
+        "ldp	x5, x7, [%[b], 256]\n\t"
+        "ldp	x11, x12, [%[b], 272]\n\t"
+        "ldp	x4, x6, [%[a], 256]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 272]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 256]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 272]\n\t"
+        "ldp	x5, x7, [%[b], 288]\n\t"
+        "ldp	x11, x12, [%[b], 304]\n\t"
+        "ldp	x4, x6, [%[a], 288]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 304]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 288]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 304]\n\t"
+        "ldp	x5, x7, [%[b], 320]\n\t"
+        "ldp	x11, x12, [%[b], 336]\n\t"
+        "ldp	x4, x6, [%[a], 320]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 336]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 320]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 336]\n\t"
+        "ldp	x5, x7, [%[b], 352]\n\t"
+        "ldp	x11, x12, [%[b], 368]\n\t"
+        "ldp	x4, x6, [%[a], 352]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 368]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 352]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 368]\n\t"
+        "ldp	x5, x7, [%[b], 384]\n\t"
+        "ldp	x11, x12, [%[b], 400]\n\t"
+        "ldp	x4, x6, [%[a], 384]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 400]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 384]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 400]\n\t"
+        "ldp	x5, x7, [%[b], 416]\n\t"
+        "ldp	x11, x12, [%[b], 432]\n\t"
+        "ldp	x4, x6, [%[a], 416]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 432]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 416]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 432]\n\t"
+        "ldp	x5, x7, [%[b], 448]\n\t"
+        "ldp	x11, x12, [%[b], 464]\n\t"
+        "ldp	x4, x6, [%[a], 448]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 464]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 448]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 464]\n\t"
+        "ldp	x5, x7, [%[b], 480]\n\t"
+        "ldp	x11, x12, [%[b], 496]\n\t"
+        "ldp	x4, x6, [%[a], 480]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 496]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 480]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 496]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_4096_mont_reduce_64(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "ldp	x21, x22, [%[m], 48]\n\t"
+        "ldp	x23, x24, [%[m], 64]\n\t"
+        "ldp	x25, x26, [%[m], 80]\n\t"
+        "ldp	x27, x28, [%[m], 96]\n\t"
+        "# i = 64\n\t"
+        "mov	x4, 64\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+6] += m[6] * mu\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x21, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x21, x9\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "ldr	x10, [%[a], 56]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x22, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x22, x9\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+8] += m[8] * mu\n\t"
+        "ldr	x11, [%[a], 64]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x23, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x23, x9\n\t"
+        "str	x10, [%[a], 56]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+9] += m[9] * mu\n\t"
+        "ldr	x10, [%[a], 72]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x24, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x24, x9\n\t"
+        "str	x11, [%[a], 64]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+10] += m[10] * mu\n\t"
+        "ldr	x11, [%[a], 80]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x25, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x25, x9\n\t"
+        "str	x10, [%[a], 72]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "ldr	x10, [%[a], 88]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x26, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x26, x9\n\t"
+        "str	x11, [%[a], 80]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+12] += m[12] * mu\n\t"
+        "ldr	x11, [%[a], 96]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x27, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x27, x9\n\t"
+        "str	x10, [%[a], 88]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+13] += m[13] * mu\n\t"
+        "ldr	x10, [%[a], 104]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x28, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x28, x9\n\t"
+        "str	x11, [%[a], 96]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+14] += m[14] * mu\n\t"
+        "ldr	x11, [%[a], 112]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 112]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 104]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+15] += m[15] * mu\n\t"
+        "ldr	x10, [%[a], 120]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 120]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 112]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+16] += m[16] * mu\n\t"
+        "ldr	x11, [%[a], 128]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 128]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 120]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+17] += m[17] * mu\n\t"
+        "ldr	x10, [%[a], 136]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 136]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 128]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+18] += m[18] * mu\n\t"
+        "ldr	x11, [%[a], 144]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 144]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 136]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+19] += m[19] * mu\n\t"
+        "ldr	x10, [%[a], 152]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 152]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 144]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+20] += m[20] * mu\n\t"
+        "ldr	x11, [%[a], 160]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 160]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 152]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+21] += m[21] * mu\n\t"
+        "ldr	x10, [%[a], 168]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 168]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 160]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+22] += m[22] * mu\n\t"
+        "ldr	x11, [%[a], 176]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 176]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 168]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+23] += m[23] * mu\n\t"
+        "ldr	x10, [%[a], 184]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 184]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 176]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+24] += m[24] * mu\n\t"
+        "ldr	x11, [%[a], 192]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 192]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 184]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+25] += m[25] * mu\n\t"
+        "ldr	x10, [%[a], 200]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 200]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 192]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+26] += m[26] * mu\n\t"
+        "ldr	x11, [%[a], 208]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 208]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 200]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+27] += m[27] * mu\n\t"
+        "ldr	x10, [%[a], 216]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 216]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 208]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+28] += m[28] * mu\n\t"
+        "ldr	x11, [%[a], 224]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 224]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 216]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+29] += m[29] * mu\n\t"
+        "ldr	x10, [%[a], 232]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 232]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 224]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+30] += m[30] * mu\n\t"
+        "ldr	x11, [%[a], 240]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 240]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 232]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "ldr	x10, [%[a], 248]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 248]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 240]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+32] += m[32] * mu\n\t"
+        "ldr	x11, [%[a], 256]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 256]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 248]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+33] += m[33] * mu\n\t"
+        "ldr	x10, [%[a], 264]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 264]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 256]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+34] += m[34] * mu\n\t"
+        "ldr	x11, [%[a], 272]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 272]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 264]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+35] += m[35] * mu\n\t"
+        "ldr	x10, [%[a], 280]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 280]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 272]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+36] += m[36] * mu\n\t"
+        "ldr	x11, [%[a], 288]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 288]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 280]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+37] += m[37] * mu\n\t"
+        "ldr	x10, [%[a], 296]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 296]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 288]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+38] += m[38] * mu\n\t"
+        "ldr	x11, [%[a], 304]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 304]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 296]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+39] += m[39] * mu\n\t"
+        "ldr	x10, [%[a], 312]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 312]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 304]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+40] += m[40] * mu\n\t"
+        "ldr	x11, [%[a], 320]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 320]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 312]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+41] += m[41] * mu\n\t"
+        "ldr	x10, [%[a], 328]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 328]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 320]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+42] += m[42] * mu\n\t"
+        "ldr	x11, [%[a], 336]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 336]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 328]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+43] += m[43] * mu\n\t"
+        "ldr	x10, [%[a], 344]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 344]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 336]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+44] += m[44] * mu\n\t"
+        "ldr	x11, [%[a], 352]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 352]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 344]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+45] += m[45] * mu\n\t"
+        "ldr	x10, [%[a], 360]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 360]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 352]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+46] += m[46] * mu\n\t"
+        "ldr	x11, [%[a], 368]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 368]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 360]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "ldr	x10, [%[a], 376]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 376]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 368]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+48] += m[48] * mu\n\t"
+        "ldr	x11, [%[a], 384]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 384]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 376]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+49] += m[49] * mu\n\t"
+        "ldr	x10, [%[a], 392]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 392]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 384]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+50] += m[50] * mu\n\t"
+        "ldr	x11, [%[a], 400]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 400]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 392]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+51] += m[51] * mu\n\t"
+        "ldr	x10, [%[a], 408]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 408]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 400]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+52] += m[52] * mu\n\t"
+        "ldr	x11, [%[a], 416]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 416]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 408]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+53] += m[53] * mu\n\t"
+        "ldr	x10, [%[a], 424]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 424]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 416]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+54] += m[54] * mu\n\t"
+        "ldr	x11, [%[a], 432]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 432]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 424]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+55] += m[55] * mu\n\t"
+        "ldr	x10, [%[a], 440]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 440]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 432]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+56] += m[56] * mu\n\t"
+        "ldr	x11, [%[a], 448]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 448]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 440]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+57] += m[57] * mu\n\t"
+        "ldr	x10, [%[a], 456]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 456]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 448]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+58] += m[58] * mu\n\t"
+        "ldr	x11, [%[a], 464]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 464]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 456]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+59] += m[59] * mu\n\t"
+        "ldr	x10, [%[a], 472]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 472]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 464]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+60] += m[60] * mu\n\t"
+        "ldr	x11, [%[a], 480]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 480]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 472]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+61] += m[61] * mu\n\t"
+        "ldr	x10, [%[a], 488]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 488]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x11, [%[a], 480]\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+62] += m[62] * mu\n\t"
+        "ldr	x11, [%[a], 496]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "ldr	x8, [%[m], 496]\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "str	x10, [%[a], 488]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+63] += m[63] * mu\n\t"
+        "ldr	x10, [%[a], 504]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "ldr	x8, [%[m], 504]\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x8, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x8, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 496]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 512]\n\t"
+        "str	x10, [%[a], 504]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 512]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26", "x27", "x28"
+    );
+
+    sp_4096_cond_sub_64(a - 64, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_64(r, a, b);
+    sp_4096_mont_reduce_64(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_64(r, a);
+    sp_4096_mont_reduce_64(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_4096_word_64(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_4096_cmp_64(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 504\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov  x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 496]\n\t"
+        "ldp	x7, x8, [%[b], 496]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 480]\n\t"
+        "ldp	x7, x8, [%[b], 480]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 464]\n\t"
+        "ldp	x7, x8, [%[b], 464]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 448]\n\t"
+        "ldp	x7, x8, [%[b], 448]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 432]\n\t"
+        "ldp	x7, x8, [%[b], 432]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 416]\n\t"
+        "ldp	x7, x8, [%[b], 416]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 400]\n\t"
+        "ldp	x7, x8, [%[b], 400]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 384]\n\t"
+        "ldp	x7, x8, [%[b], 384]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "ldp	x7, x8, [%[b], 368]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "ldp	x7, x8, [%[b], 336]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "ldp	x7, x8, [%[b], 304]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "ldp	x7, x8, [%[b], 272]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "ldp	x7, x8, [%[b], 240]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "ldp	x7, x8, [%[b], 208]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "ldp	x7, x8, [%[b], 176]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "ldp	x7, x8, [%[b], 144]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "ldp	x7, x8, [%[b], 112]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "ldp	x7, x8, [%[b], 80]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "ldp	x7, x8, [%[b], 48]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "ldp	x7, x8, [%[b], 16]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x8, x8, x4\n\t"
+        "subs	x6, x6, x8\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x5, x5, x7\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_64(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_4096_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_4096_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_4096_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        sp_4096_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], t2);
+        sp_4096_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_4096_cmp_64(t1, d) >= 0;
+    sp_4096_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_64(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_64(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "add	x11, %[a], 512\n\t"
+        "\n1:\n\t"
+        "subs	%[c], xzr, %[c]\n\t"
+        "ldp	x3, x4, [%[a]], #16\n\t"
+        "ldp	x5, x6, [%[a]], #16\n\t"
+        "ldp	x7, x8, [%[b]], #16\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x9, x10, [%[b]], #16\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r]], #16\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r]], #16\n\t"
+        "csetm	%[c], cc\n\t"
+        "cmp	%[a], x11\n\t"
+        "b.ne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_4096_sub_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "subs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x3, x4, [%[a], 32]\n\t"
+        "ldp	x7, x8, [%[b], 32]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 48]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 48]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 32]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 48]\n\t"
+        "ldp	x3, x4, [%[a], 64]\n\t"
+        "ldp	x7, x8, [%[b], 64]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 80]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 80]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 64]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x3, x4, [%[a], 96]\n\t"
+        "ldp	x7, x8, [%[b], 96]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 112]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 112]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 96]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 112]\n\t"
+        "ldp	x3, x4, [%[a], 128]\n\t"
+        "ldp	x7, x8, [%[b], 128]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 144]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 144]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 128]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 144]\n\t"
+        "ldp	x3, x4, [%[a], 160]\n\t"
+        "ldp	x7, x8, [%[b], 160]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 176]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 176]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 160]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 176]\n\t"
+        "ldp	x3, x4, [%[a], 192]\n\t"
+        "ldp	x7, x8, [%[b], 192]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 208]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 208]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 192]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 208]\n\t"
+        "ldp	x3, x4, [%[a], 224]\n\t"
+        "ldp	x7, x8, [%[b], 224]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 240]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 240]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 224]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 240]\n\t"
+        "ldp	x3, x4, [%[a], 256]\n\t"
+        "ldp	x7, x8, [%[b], 256]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 272]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 272]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 256]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 272]\n\t"
+        "ldp	x3, x4, [%[a], 288]\n\t"
+        "ldp	x7, x8, [%[b], 288]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 304]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 304]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 288]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 304]\n\t"
+        "ldp	x3, x4, [%[a], 320]\n\t"
+        "ldp	x7, x8, [%[b], 320]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 336]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 336]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 320]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 336]\n\t"
+        "ldp	x3, x4, [%[a], 352]\n\t"
+        "ldp	x7, x8, [%[b], 352]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 368]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 368]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 352]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 368]\n\t"
+        "ldp	x3, x4, [%[a], 384]\n\t"
+        "ldp	x7, x8, [%[b], 384]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 400]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 400]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 384]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 400]\n\t"
+        "ldp	x3, x4, [%[a], 416]\n\t"
+        "ldp	x7, x8, [%[b], 416]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 432]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 432]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 416]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 432]\n\t"
+        "ldp	x3, x4, [%[a], 448]\n\t"
+        "ldp	x7, x8, [%[b], 448]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 464]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 464]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 448]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 464]\n\t"
+        "ldp	x3, x4, [%[a], 480]\n\t"
+        "ldp	x7, x8, [%[b], 480]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 496]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 496]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 480]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 496]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_64_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_4096_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_4096_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_4096_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        if (t1[64 + i] != 0) {
+            t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], d);
+            if (t1[64 + i] != 0)
+                t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 63; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_4096_sub_64(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 64);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_64_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_64_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][128];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 4;
+        if (c == 64) {
+            c = 60;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 60;
+                n <<= 4;
+                c = 60;
+            }
+            else if (c < 4) {
+                y = n >> 60;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 60) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+
+            sp_4096_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_4096_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_64(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_64(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_64(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_64(t[20], t[10], m, mp);
+        sp_4096_mont_mul_64(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_64(t[22], t[11], m, mp);
+        sp_4096_mont_mul_64(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_64(t[24], t[12], m, mp);
+        sp_4096_mont_mul_64(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_64(t[26], t[13], m, mp);
+        sp_4096_mont_mul_64(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_64(t[28], t[14], m, mp);
+        sp_4096_mont_mul_64(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_64(t[30], t[15], m, mp);
+        sp_4096_mont_mul_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 5;
+        if (c == 64) {
+            c = 59;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 59;
+                n <<= 5;
+                c = 59;
+            }
+            else if (c < 5) {
+                y = n >> 59;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+
+            sp_4096_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_4096_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128], m[64], r[128];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 512 ||
+                                                     mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 64 * 2;
+        m = r + 64 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 64;
+
+        sp_4096_from_bin(ah, 64, in, inLen);
+#if DIGIT_BIT >= 64
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 64, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_4096_sqr_64(r, ah);
+                err = sp_4096_mod_64_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_4096_mul_64(r, ah, r);
+                err = sp_4096_mod_64_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 63; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 64);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_64(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_64(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                sp_4096_mont_reduce_64(r, m, mp);
+
+                for (i = 63; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_4096_sub_in_place_64(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 64;
+        m = a + 128;
+        r = a;
+
+        sp_4096_from_bin(a, 64, in, inLen);
+        sp_4096_from_mp(d, 64, dm);
+        sp_4096_from_mp(m, 64, mm);
+        err = sp_4096_mod_exp_64(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 64);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_4096_cond_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "cset	%[c], cs\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 256\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adds	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x11, x12, [%[b], 48]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 48]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 48]\n\t"
+        "ldp	x5, x7, [%[b], 64]\n\t"
+        "ldp	x11, x12, [%[b], 80]\n\t"
+        "ldp	x4, x6, [%[a], 64]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 80]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 64]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 80]\n\t"
+        "ldp	x5, x7, [%[b], 96]\n\t"
+        "ldp	x11, x12, [%[b], 112]\n\t"
+        "ldp	x4, x6, [%[a], 96]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 112]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 96]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 112]\n\t"
+        "ldp	x5, x7, [%[b], 128]\n\t"
+        "ldp	x11, x12, [%[b], 144]\n\t"
+        "ldp	x4, x6, [%[a], 128]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 144]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 128]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 144]\n\t"
+        "ldp	x5, x7, [%[b], 160]\n\t"
+        "ldp	x11, x12, [%[b], 176]\n\t"
+        "ldp	x4, x6, [%[a], 160]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 176]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 160]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 176]\n\t"
+        "ldp	x5, x7, [%[b], 192]\n\t"
+        "ldp	x11, x12, [%[b], 208]\n\t"
+        "ldp	x4, x6, [%[a], 192]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 208]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 192]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 208]\n\t"
+        "ldp	x5, x7, [%[b], 224]\n\t"
+        "ldp	x11, x12, [%[b], 240]\n\t"
+        "ldp	x4, x6, [%[a], 224]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 240]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 224]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 240]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[64 * 2];
+    sp_digit p[32], q[32], dp[32];
+    sp_digit tmpa[64], tmpb[64];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 512 || mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 64 * 2;
+        q = p + 32;
+        qi = dq = dp = q + 32;
+        tmpa = qi + 32;
+        tmpb = tmpa + 64;
+
+        r = t + 64;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_4096_from_bin(a, 64, in, inLen);
+        sp_4096_from_mp(p, 32, pm);
+        sp_4096_from_mp(q, 32, qm);
+        sp_4096_from_mp(dp, 32, dpm);
+
+        err = sp_2048_mod_exp_32(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 32, dqm);
+        err = sp_2048_mod_exp_32(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_32(tmpa, tmpb);
+        c += sp_4096_cond_add_32(tmpa, tmpa, p, c);
+        sp_4096_cond_add_32(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 32, qim);
+        sp_2048_mul_32(tmpa, tmpa, qi);
+        err = sp_2048_mod_32(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_32(tmpa, q, tmpa);
+        XMEMSET(&tmpb[32], 0, sizeof(sp_digit) * 32);
+        sp_4096_add_64(r, tmpb, tmpa);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 32 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 64);
+        r->used = 64;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 64, base);
+        sp_4096_from_mp(e, 64, exp);
+        sp_4096_from_mp(m, 64, mod);
+
+        err = sp_4096_mod_exp_64(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+static void sp_4096_lshift_64(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	x6, 63\n\t"
+        "sub	x6, x6, %[n]\n\t"
+        "ldr	x3, [%[a], 504]\n\t"
+        "lsr	x4, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x4, x4, x6\n\t"
+        "ldr	x2, [%[a], 496]\n\t"
+        "str	x4, [%[r], 512]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 488]\n\t"
+        "str	x3, [%[r], 504]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 480]\n\t"
+        "str	x2, [%[r], 496]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 472]\n\t"
+        "str	x4, [%[r], 488]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 464]\n\t"
+        "str	x3, [%[r], 480]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 456]\n\t"
+        "str	x2, [%[r], 472]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 448]\n\t"
+        "str	x4, [%[r], 464]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 440]\n\t"
+        "str	x3, [%[r], 456]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 432]\n\t"
+        "str	x2, [%[r], 448]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 424]\n\t"
+        "str	x4, [%[r], 440]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 416]\n\t"
+        "str	x3, [%[r], 432]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 408]\n\t"
+        "str	x2, [%[r], 424]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 400]\n\t"
+        "str	x4, [%[r], 416]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 392]\n\t"
+        "str	x3, [%[r], 408]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 384]\n\t"
+        "str	x2, [%[r], 400]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 376]\n\t"
+        "str	x4, [%[r], 392]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 368]\n\t"
+        "str	x3, [%[r], 384]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 360]\n\t"
+        "str	x2, [%[r], 376]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 352]\n\t"
+        "str	x4, [%[r], 368]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 344]\n\t"
+        "str	x3, [%[r], 360]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 336]\n\t"
+        "str	x2, [%[r], 352]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 328]\n\t"
+        "str	x4, [%[r], 344]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 320]\n\t"
+        "str	x3, [%[r], 336]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 312]\n\t"
+        "str	x2, [%[r], 328]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 304]\n\t"
+        "str	x4, [%[r], 320]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 296]\n\t"
+        "str	x3, [%[r], 312]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 288]\n\t"
+        "str	x2, [%[r], 304]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 280]\n\t"
+        "str	x4, [%[r], 296]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 272]\n\t"
+        "str	x3, [%[r], 288]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 264]\n\t"
+        "str	x2, [%[r], 280]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 256]\n\t"
+        "str	x4, [%[r], 272]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 248]\n\t"
+        "str	x3, [%[r], 264]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 240]\n\t"
+        "str	x2, [%[r], 256]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 232]\n\t"
+        "str	x4, [%[r], 248]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 224]\n\t"
+        "str	x3, [%[r], 240]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 216]\n\t"
+        "str	x2, [%[r], 232]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 208]\n\t"
+        "str	x4, [%[r], 224]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 200]\n\t"
+        "str	x3, [%[r], 216]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 192]\n\t"
+        "str	x2, [%[r], 208]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 184]\n\t"
+        "str	x4, [%[r], 200]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 176]\n\t"
+        "str	x3, [%[r], 192]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 168]\n\t"
+        "str	x2, [%[r], 184]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 160]\n\t"
+        "str	x4, [%[r], 176]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 152]\n\t"
+        "str	x3, [%[r], 168]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 144]\n\t"
+        "str	x2, [%[r], 160]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 136]\n\t"
+        "str	x4, [%[r], 152]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 128]\n\t"
+        "str	x3, [%[r], 144]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 120]\n\t"
+        "str	x2, [%[r], 136]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 112]\n\t"
+        "str	x4, [%[r], 128]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 104]\n\t"
+        "str	x3, [%[r], 120]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 96]\n\t"
+        "str	x2, [%[r], 112]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 88]\n\t"
+        "str	x4, [%[r], 104]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 80]\n\t"
+        "str	x3, [%[r], 96]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 72]\n\t"
+        "str	x2, [%[r], 88]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 64]\n\t"
+        "str	x4, [%[r], 80]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 56]\n\t"
+        "str	x3, [%[r], 72]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 48]\n\t"
+        "str	x2, [%[r], 64]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 40]\n\t"
+        "str	x4, [%[r], 56]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 32]\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 24]\n\t"
+        "str	x2, [%[r], 40]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "ldr	x2, [%[a], 16]\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "lsr	x5, x2, 1\n\t"
+        "lsl	x2, x2, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x3, x3, x5\n\t"
+        "ldr	x4, [%[a], 8]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "lsr	x5, x4, 1\n\t"
+        "lsl	x4, x4, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x2, x2, x5\n\t"
+        "ldr	x3, [%[a], 0]\n\t"
+        "str	x2, [%[r], 16]\n\t"
+        "lsr	x5, x3, 1\n\t"
+        "lsl	x3, x3, %[n]\n\t"
+        "lsr	x5, x5, x6\n\t"
+        "orr	x4, x4, x5\n\t"
+        "str	x3, [%[r]]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "x2", "x3", "x4", "x5", "x6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        c -= bits % 6;
+        if (c == 64) {
+            c = 58;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_4096_lshift_64(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 58;
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = n >> 58;
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+
+            sp_4096_lshift_64(r, r, y);
+            sp_4096_mul_d_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_4096_add_64(r, r, tmp);
+            sp_4096_cond_sub_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_4096_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 64, base);
+        sp_4096_from_bin(e, 64, exp, expLen);
+        sp_4096_from_mp(m, 64, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 && m[63] == (sp_digit)-1)
+            err = sp_4096_mod_exp_2_64(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_4096_mod_exp_64(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 4];
+    sp_digit y[2 * 4];
+    sp_digit z[2 * 4];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[4] = {
+    0xffffffffffffffffL,0x00000000ffffffffL,0x0000000000000000L,
+    0xffffffff00000001L
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[4] = {
+    0x0000000000000001L,0xffffffff00000000L,0xffffffffffffffffL,
+    0x00000000fffffffeL
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x0000000000000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[4] = {
+    0xf3b9cac2fc632551L,0xbce6faada7179e84L,0xffffffffffffffffL,
+    0xffffffff00000000L
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[4] = {
+    0xf3b9cac2fc63254fL,0xbce6faada7179e84L,0xffffffffffffffffL,
+    0xffffffff00000000L
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[4] = {
+    0x0c46353d039cdaafL,0x4319055258e8617bL,0x0000000000000000L,
+    0x00000000ffffffffL
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0xccd1c8aaee00bc4fL;
+#endif
+#ifdef WOLFSSL_SP_SMALL
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0xf4a13945d898c296L,0x77037d812deb33a0L,0xf8bce6e563a440f2L,
+        0x6b17d1f2e12c4247L,
+        0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0xcbb6406837bf51f5L,0x2bce33576b315eceL,0x8ee7eb4a7c0f9e16L,
+        0x4fe342e2fe1a7f9bL,
+        0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000000000000001L,0x0000000000000000L,0x0000000000000000L,
+        0x0000000000000000L,
+        0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#endif /* WOLFSSL_SP_SMALL */
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[4] = {
+    0x3bce3c3e27d2604bL,0x651d06b0cc53b0f6L,0xb3ebbd55769886bcL,
+    0x5ac635d8aa3a93e7L
+};
+#endif
+
+static int sp_256_point_new_ex_4(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_4(heap, sp, p) sp_256_point_new_ex_4((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_4(heap, sp, p) sp_256_point_new_ex_4((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_4(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ */
+static int sp_256_mod_mul_norm_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    int64_t t[8];
+    int64_t a32[8];
+    int64_t o;
+
+    (void)m;
+
+    a32[0] = a[0] & 0xffffffff;
+    a32[1] = a[0] >> 32;
+    a32[2] = a[1] & 0xffffffff;
+    a32[3] = a[1] >> 32;
+    a32[4] = a[2] & 0xffffffff;
+    a32[5] = a[2] >> 32;
+    a32[6] = a[3] & 0xffffffff;
+    a32[7] = a[3] >> 32;
+
+    /*  1  1  0 -1 -1 -1 -1  0 */
+    t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+    /*  0  1  1  0 -1 -1 -1 -1 */
+    t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+    /*  0  0  1  1  0 -1 -1 -1 */
+    t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+    /* -1 -1  0  2  2  1  0 -1 */
+    t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+    /*  0 -1 -1  0  2  2  1  0 */
+    t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+    /*  0  0 -1 -1  0  2  2  1 */
+    t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+    /* -1 -1  0  0  0  1  3  2 */
+    t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+    /*  1  0 -1 -1 -1 -1  0  3 */
+    t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    o     = t[7] >> 32; t[7] &= 0xffffffff;
+    t[0] += o;
+    t[3] -= o;
+    t[6] -= o;
+    t[7] += o;
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    r[0] = (t[1] << 32) | t[0];
+    r[1] = (t[3] << 32) | t[2];
+    r[2] = (t[5] << 32) | t[4];
+    r[3] = (t[7] << 32) | t[6];
+
+    return MP_OKAY;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_4(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 4, pm->x);
+    sp_256_from_mp(p->y, 4, pm->y);
+    sp_256_from_mp(p->z, 4, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 4);
+        r->used = 4;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 4; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 4; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_4(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Conditionally copy a into r using the mask m.
+ * m is -1 to copy and 0 when not.
+ *
+ * r  A single precision number to copy over.
+ * a  A single precision number to copy.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_copy_4(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[r], 0]\n\t"
+        "ldp	x7, x8, [%[a], 0]\n\t"
+        "eor	x7, x7, x3\n\t"
+        "ldp	x5, x6, [%[r], 16]\n\t"
+        "eor	x8, x8, x4\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "eor	x9, x9, x5\n\t"
+        "eor	x10, x10, x6\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "and	x8, x8, %[m]\n\t"
+        "and	x9, x9, %[m]\n\t"
+        "and	x10, x10, %[m]\n\t"
+        "eor	x3, x3, x7\n\t"
+        "eor	x4, x4, x8\n\t"
+        "eor	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "eor	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+SP_NOINLINE static void sp_256_mont_mul_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    (void)m;
+    (void)mp;
+
+    __asm__ __volatile__ (
+        "ldp       x16, x17, [%[a], 0]\n\t"
+        "ldp       x21, x22, [%[b], 0]\n\t"
+        "#  A[0] * B[0]\n\t"
+        "mul       x8, x16, x21\n\t"
+        "ldr       x19, [%[a], 16]\n\t"
+        "umulh     x9, x16, x21\n\t"
+        "ldr       x23, [%[b], 16]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "mul       x4, x16, x22\n\t"
+        "ldr       x20, [%[a], 24]\n\t"
+        "umulh     x5, x16, x22\n\t"
+        "ldr       x24, [%[b], 24]\n\t"
+        "adds  x9, x9, x4\n\t"
+        "#  A[1] * B[0]\n\t"
+        "mul       x4, x17, x21\n\t"
+        "adc   x10, xzr, x5\n\t"
+        "umulh     x5, x17, x21\n\t"
+        "adds  x9, x9, x4\n\t"
+        "#  A[0] * B[2]\n\t"
+        "mul       x4, x16, x23\n\t"
+        "adcs   x10, x10, x5\n\t"
+        "umulh     x5, x16, x23\n\t"
+        "adc     x11, xzr, xzr\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[1] * B[1]\n\t"
+        "mul       x4, x17, x22\n\t"
+        "adc   x11, x11, x5\n\t"
+        "umulh     x5, x17, x22\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[2] * B[0]\n\t"
+        "mul       x4, x19, x21\n\t"
+        "adcs   x11, x11, x5\n\t"
+        "umulh     x5, x19, x21\n\t"
+        "adc     x12, xzr, xzr\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[0] * B[3]\n\t"
+        "mul       x4, x16, x24\n\t"
+        "adcs   x11, x11, x5\n\t"
+        "umulh     x5, x16, x24\n\t"
+        "adc     x12, x12, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[1] * B[2]\n\t"
+        "mul       x4, x17, x23\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x17, x23\n\t"
+        "adc     x13, xzr, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[2] * B[1]\n\t"
+        "mul       x4, x19, x22\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x19, x22\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[3] * B[0]\n\t"
+        "mul       x4, x20, x21\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x20, x21\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[1] * B[3]\n\t"
+        "mul       x4, x17, x24\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x17, x24\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[2] * B[2]\n\t"
+        "mul       x4, x19, x23\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x19, x23\n\t"
+        "adc     x14, xzr, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[3] * B[1]\n\t"
+        "mul       x4, x20, x22\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x20, x22\n\t"
+        "adc     x14, x14, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[2] * B[3]\n\t"
+        "mul       x4, x19, x24\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x19, x24\n\t"
+        "adc     x14, x14, xzr\n\t"
+        "adds  x13, x13, x4\n\t"
+        "#  A[3] * B[2]\n\t"
+        "mul       x4, x20, x23\n\t"
+        "adcs   x14, x14, x5\n\t"
+        "umulh     x5, x20, x23\n\t"
+        "adc     x15, xzr, xzr\n\t"
+        "adds  x13, x13, x4\n\t"
+        "#  A[3] * B[3]\n\t"
+        "mul       x4, x20, x24\n\t"
+        "adcs   x14, x14, x5\n\t"
+        "umulh     x5, x20, x24\n\t"
+        "adc     x15, x15, xzr\n\t"
+        "adds  x14, x14, x4\n\t"
+        "mov	x4, x8\n\t"
+        "adc   x15, x15, x5\n\t"
+        "# Start Reduction\n\t"
+        "mov	x5, x9\n\t"
+        "mov	x6, x10\n\t"
+        "# mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192\n\t"
+        "#    - a[0] << 32 << 192\n\t"
+        "#   + (a[0] * 2) << 192\n\t"
+        "#   a[0]-a[2] << 32\n\t"
+        "lsl	x10, x10, 32\n\t"
+        "add	x7, x11, x8\n\t"
+        "eor	x10, x10, x9, lsr #32\n\t"
+        "lsl	x9, x9, 32\n\t"
+        "add	x7, x7, x8\n\t"
+        "eor	x9, x9, x8, lsr #32\n\t"
+        "#   + a[0]-a[2] << 32 << 64\n\t"
+        "#   - a[0] << 32 << 192\n\t"
+        "adds	x5, x5, x8, lsl #32\n\t"
+        "sub	x7, x7, x8, lsl #32\n\t"
+        "adcs	x6, x6, x9\n\t"
+        "adc	x7, x7, x10\n\t"
+        "# a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu\n\t"
+        "#   a += mu << 256\n\t"
+        "adds	x12, x12, x4\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "adcs	x14, x14, x6\n\t"
+        "adcs	x15, x15, x7\n\t"
+        "cset	x8, cs\n\t"
+        "#   a += mu << 192\n\t"
+        "# mu <<= 32\n\t"
+        "#   a += (mu << 32) << 64\n\t"
+        "adds	x11, x11, x4\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "adcs	x13, x13, x6\n\t"
+        "lsr	x16, x7, 32\n\t"
+        "adcs	x14, x14, x7\n\t"
+        "lsl	x7, x7, 32\n\t"
+        "adcs	x15, x15, xzr\n\t"
+        "eor	x7, x7, x6, lsr #32\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "lsl	x6, x6, 32\n\t"
+        "eor	x6, x6, x5, lsr #32\n\t"
+        "adds	x11, x11, x6\n\t"
+        "lsl	x5, x5, 32\n\t"
+        "adcs	x12, x12, x7\n\t"
+        "eor	x5, x5, x4, lsr #32\n\t"
+        "adcs	x13, x13, x16\n\t"
+        "lsl	x4, x4, 32\n\t"
+        "adcs	x14, x14, xzr\n\t"
+        "adcs	x15, x15, xzr\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "#   a -= (mu << 32) << 192\n\t"
+        "subs	x11, x11, x4\n\t"
+        "sbcs	x12, x12, x5\n\t"
+        "sbcs	x13, x13, x6\n\t"
+        "sub	x8, xzr, x8\n\t"
+        "sbcs	x14, x14, x7\n\t"
+        "sub	x8, x8, #1\n\t"
+        "sbcs	x15, x15, x16\n\t"
+        "mov	x19, 0xffffffff00000001\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "# mask m and sub from result if overflow\n\t"
+        "#  m[0] = -1 & mask = mask\n\t"
+        "subs	x12, x12, x8\n\t"
+        "#  m[1] = 0xffffffff & mask = mask >> 32 as mask is all 1s or 0s\n\t"
+        "lsr	x17, x8, 32\n\t"
+        "sbcs	x13, x13, x17\n\t"
+        "and	x19, x19, x8\n\t"
+        "#  m[2] =  0 & mask = 0\n\t"
+        "sbcs	x14, x14, xzr\n\t"
+        "stp	x12, x13, [%[r], 0]\n\t"
+        "#  m[3] =  0xffffffff00000001 & mask\n\t"
+        "sbc	x15, x15, x19\n\t"
+        "stp	x14, x15, [%[r], 16]\n\t"
+        : [a] "+r" (a), [b] "+r" (b)
+        : [r] "r" (r)
+        : "memory", "x4", "x5", "x6", "x7", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15"
+    );
+}
+
+/* Square the Montgomery form number mod the modulus (prime). (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+SP_NOINLINE static void sp_256_mont_sqr_4(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    (void)m;
+    (void)mp;
+
+    __asm__ __volatile__ (
+        "ldp       x16, x17, [%[a], 0]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "mul	x9, x16, x17\n\t"
+        "ldr       x19, [%[a], 16]\n\t"
+        "umulh	x10, x16, x17\n\t"
+        "ldr       x20, [%[a], 24]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "mul	x4, x16, x19\n\t"
+        "umulh	x5, x16, x19\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[0] * A[3]\n\t"
+        "mul	x4, x16, x20\n\t"
+        "adc	x11, xzr, x5\n\t"
+        "umulh	x5, x16, x20\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[1] * A[2]\n\t"
+        "mul	x4, x17, x19\n\t"
+        "adc	x12, xzr, x5\n\t"
+        "umulh	x5, x17, x19\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[1] * A[3]\n\t"
+        "mul	x4, x17, x20\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x17, x20\n\t"
+        "adc	x13, xzr, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[2] * A[3]\n\t"
+        "mul	x4, x19, x20\n\t"
+        "adc	x13, x13, x5\n\t"
+        "umulh	x5, x19, x20\n\t"
+        "adds	x13, x13, x4\n\t"
+        "adc	x14, xzr, x5\n\t"
+        "# Double\n\t"
+        "adds	x9, x9, x9\n\t"
+        "adcs	x10, x10, x10\n\t"
+        "adcs	x11, x11, x11\n\t"
+        "adcs	x12, x12, x12\n\t"
+        "adcs	x13, x13, x13\n\t"
+        "#  A[0] * A[0]\n\t"
+        "mul	x8, x16, x16\n\t"
+        "adcs	x14, x14, x14\n\t"
+        "umulh	x3, x16, x16\n\t"
+        "cset	x15, cs\n\t"
+        "#  A[1] * A[1]\n\t"
+        "mul	x4, x17, x17\n\t"
+        "adds	x9, x9, x3\n\t"
+        "umulh	x5, x17, x17\n\t"
+        "adcs	x10, x10, x4\n\t"
+        "#  A[2] * A[2]\n\t"
+        "mul	x6, x19, x19\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x7, x19, x19\n\t"
+        "adcs	x12, x12, x6\n\t"
+        "#  A[3] * A[3]\n\t"
+        "mul	x16, x20, x20\n\t"
+        "adcs	x13, x13, x7\n\t"
+        "umulh	x17, x20, x20\n\t"
+        "adcs	x14, x14, x16\n\t"
+        "mov	x3, x8\n\t"
+        "adc	x15, x15, x17\n\t"
+        "# Start Reduction\n\t"
+        "mov	x4, x9\n\t"
+        "mov	x5, x10\n\t"
+        "# mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192\n\t"
+        "#    - a[0] << 32 << 192\n\t"
+        "#   + (a[0] * 2) << 192\n\t"
+        "#   a[0]-a[2] << 32\n\t"
+        "lsl	x10, x10, 32\n\t"
+        "add	x6, x11, x8\n\t"
+        "eor	x10, x10, x9, lsr #32\n\t"
+        "lsl	x9, x9, 32\n\t"
+        "add	x6, x6, x8\n\t"
+        "eor	x9, x9, x8, lsr #32\n\t"
+        "#   + a[0]-a[2] << 32 << 64\n\t"
+        "#   - a[0] << 32 << 192\n\t"
+        "adds	x4, x4, x8, lsl #32\n\t"
+        "sub	x6, x6, x8, lsl #32\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "adc	x6, x6, x10\n\t"
+        "# a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu\n\t"
+        "#   a += mu << 256\n\t"
+        "adds	x12, x12, x3\n\t"
+        "adcs	x13, x13, x4\n\t"
+        "adcs	x14, x14, x5\n\t"
+        "adcs	x15, x15, x6\n\t"
+        "cset	x8, cs\n\t"
+        "#   a += mu << 192\n\t"
+        "# mu <<= 32\n\t"
+        "#   a += (mu << 32) << 64\n\t"
+        "adds	x11, x11, x3\n\t"
+        "adcs	x12, x12, x4\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "lsr	x7, x6, 32\n\t"
+        "adcs	x14, x14, x6\n\t"
+        "lsl	x6, x6, 32\n\t"
+        "adcs	x15, x15, xzr\n\t"
+        "eor	x6, x6, x5, lsr #32\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "lsl	x5, x5, 32\n\t"
+        "eor	x5, x5, x4, lsr #32\n\t"
+        "adds	x11, x11, x5\n\t"
+        "lsl	x4, x4, 32\n\t"
+        "adcs	x12, x12, x6\n\t"
+        "eor	x4, x4, x3, lsr #32\n\t"
+        "adcs	x13, x13, x7\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "adcs	x14, x14, xzr\n\t"
+        "adcs	x15, x15, xzr\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "#   a -= (mu << 32) << 192\n\t"
+        "subs	x11, x11, x3\n\t"
+        "sbcs	x12, x12, x4\n\t"
+        "sbcs	x13, x13, x5\n\t"
+        "sub	x8, xzr, x8\n\t"
+        "sbcs	x14, x14, x6\n\t"
+        "sub	x8, x8, #1\n\t"
+        "sbcs	x15, x15, x7\n\t"
+        "mov	x17, 0xffffffff00000001\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "# mask m and sub from result if overflow\n\t"
+        "#  m[0] = -1 & mask = mask\n\t"
+        "subs	x12, x12, x8\n\t"
+        "#  m[1] = 0xffffffff & mask = mask >> 32 as mask is all 1s or 0s\n\t"
+        "lsr	x16, x8, 32\n\t"
+        "sbcs	x13, x13, x16\n\t"
+        "and	x17, x17, x8\n\t"
+        "#  m[2] =  0 & mask = 0\n\t"
+        "sbcs	x14, x14, xzr\n\t"
+        "stp	x12, x13, [%[r], 0]\n\t"
+        "#  m[3] =  0xffffffff00000001 & mask\n\t"
+        "sbc	x15, x15, x17\n\t"
+        "stp	x14, x15, [%[r], 16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20"
+    );
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_4(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_4(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_4(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint64_t p256_mod_minus_2[4] = {
+    0xfffffffffffffffdU,0x00000000ffffffffU,0x0000000000000000U,
+    0xffffffff00000001U
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_4(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_4(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_256_mont_mul_4(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    /* 0x2 */
+    sp_256_mont_sqr_4(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_4(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_4(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_4(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_4(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_4(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_4(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_4(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_4(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_4(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_4(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_4(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_4(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_256_cmp_4(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 24\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[a], 16]\n\t"
+        "ldp	x9, x10, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "and	x8, x8, x4\n\t"
+        "and	x12, x12, x4\n\t"
+        "subs	x8, x8, x12\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x7, x7, x4\n\t"
+        "and	x11, x11, x4\n\t"
+        "subs	x7, x7, x11\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x10, x10, x4\n\t"
+        "subs	x6, x6, x10\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x9, x9, x4\n\t"
+        "subs	x5, x5, x9\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Normalize the values in each word to 64.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_256_norm_4(a)
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_256_cond_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_4(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "subs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+#define sp_256_mont_reduce_order_4    sp_256_mont_reduce_4
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_4(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    __asm__ __volatile__ (
+        "ldp	x9, x10, [%[a], 0]\n\t"
+        "ldp	x11, x12, [%[a], 16]\n\t"
+        "ldp	x17, x19, [%[m], 0]\n\t"
+        "ldp	x20, x21, [%[m], 16]\n\t"
+        "mov	x8, xzr\n\t"
+        "# mu = a[0] * mp\n\t"
+        "mul	x5, %[mp], x9\n\t"
+        "ldr	x13, [%[a], 32]\n\t"
+        "# a[0+0] += m[0] * mu\n\t"
+        "mul	x3, x17, x5\n\t"
+        "ldr	x14, [%[a], 40]\n\t"
+        "umulh	x6, x17, x5\n\t"
+        "ldr	x15, [%[a], 48]\n\t"
+        "adds	x9, x9, x3\n\t"
+        "ldr	x16, [%[a], 56]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[0+1] += m[1] * mu\n\t"
+        "mul	x3, x19, x5\n\t"
+        "umulh	x7, x19, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x10, x10, x3\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "# a[0+2] += m[2] * mu\n\t"
+        "mul	x3, x20, x5\n\t"
+        "umulh	x6, x20, x5\n\t"
+        "adds	x3, x3, x7\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x11, x11, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[0+3] += m[3] * mu\n\t"
+        "mul	x3, x21, x5\n\t"
+        "umulh	x4, x21, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "cset	x8, cs\n\t"
+        "adds	x12, x12, x3\n\t"
+        "adcs	x13, x13, x4\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "# mu = a[1] * mp\n\t"
+        "mul	x5, %[mp], x10\n\t"
+        "# a[1+0] += m[0] * mu\n\t"
+        "mul	x3, x17, x5\n\t"
+        "umulh	x6, x17, x5\n\t"
+        "adds	x10, x10, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[1+1] += m[1] * mu\n\t"
+        "mul	x3, x19, x5\n\t"
+        "umulh	x7, x19, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x11, x11, x3\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "# a[1+2] += m[2] * mu\n\t"
+        "mul	x3, x20, x5\n\t"
+        "umulh	x6, x20, x5\n\t"
+        "adds	x3, x3, x7\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x12, x12, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[1+3] += m[3] * mu\n\t"
+        "mul	x3, x21, x5\n\t"
+        "umulh	x4, x21, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "cset	x8, cs\n\t"
+        "adds	x13, x13, x3\n\t"
+        "adcs	x14, x14, x4\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "# mu = a[2] * mp\n\t"
+        "mul	x5, %[mp], x11\n\t"
+        "# a[2+0] += m[0] * mu\n\t"
+        "mul	x3, x17, x5\n\t"
+        "umulh	x6, x17, x5\n\t"
+        "adds	x11, x11, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[2+1] += m[1] * mu\n\t"
+        "mul	x3, x19, x5\n\t"
+        "umulh	x7, x19, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x12, x12, x3\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "# a[2+2] += m[2] * mu\n\t"
+        "mul	x3, x20, x5\n\t"
+        "umulh	x6, x20, x5\n\t"
+        "adds	x3, x3, x7\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x13, x13, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[2+3] += m[3] * mu\n\t"
+        "mul	x3, x21, x5\n\t"
+        "umulh	x4, x21, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "cset	x8, cs\n\t"
+        "adds	x14, x14, x3\n\t"
+        "adcs	x15, x15, x4\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "# mu = a[3] * mp\n\t"
+        "mul	x5, %[mp], x12\n\t"
+        "# a[3+0] += m[0] * mu\n\t"
+        "mul	x3, x17, x5\n\t"
+        "umulh	x6, x17, x5\n\t"
+        "adds	x12, x12, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[3+1] += m[1] * mu\n\t"
+        "mul	x3, x19, x5\n\t"
+        "umulh	x7, x19, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "adds	x13, x13, x3\n\t"
+        "adc	x7, x7, xzr\n\t"
+        "# a[3+2] += m[2] * mu\n\t"
+        "mul	x3, x20, x5\n\t"
+        "umulh	x6, x20, x5\n\t"
+        "adds	x3, x3, x7\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x14, x14, x3\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "# a[3+3] += m[3] * mu\n\t"
+        "mul	x3, x21, x5\n\t"
+        "umulh	x4, x21, x5\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "cset	x8, cs\n\t"
+        "adds	x15, x15, x3\n\t"
+        "adcs	x16, x16, x4\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "sub	x3, xzr, x8\n\t"
+        "and	x17, x17, x3\n\t"
+        "and	x19, x19, x3\n\t"
+        "and	x20, x20, x3\n\t"
+        "and	x21, x21, x3\n\t"
+        "subs	x13, x13, x17\n\t"
+        "sbcs	x14, x14, x19\n\t"
+        "sbcs	x15, x15, x20\n\t"
+        "stp	x13, x14, [%[a], 0]\n\t"
+        "sbc	x16, x16, x21\n\t"
+        "stp	x15, x16, [%[a], 16]\n\t"
+        :
+        : [a] "r" (a), [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x3", "x4", "x5", "x8", "x6", "x7", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21"
+    );
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    int64_t n;
+
+    sp_256_mont_inv_4(t1, p->z, t + 2*4);
+
+    sp_256_mont_sqr_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_4(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 4, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_4(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_4(r->x, p256_mod);
+    sp_256_cond_sub_4(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_4(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 4, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_4(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_4(r->y, p256_mod);
+    sp_256_cond_sub_4(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_add_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x4, x5, [%[a], 0]\n\t"
+        "ldp	x8, x9, [%[b], 0]\n\t"
+        "adds	x4, x4, x8\n\t"
+        "ldp	x6, x7, [%[a], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "ldp	x10, x11, [%[b], 16]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "adcs	x7, x7, x11\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cs\n\t"
+        "subs	x4, x4, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "sbcs	x5, x5, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "sbcs	x6, x6, xzr\n\t"
+        "stp	x4, x5, [%[r],0]\n\t"
+        "sbc	x7, x7, x13\n\t"
+        "stp	x6, x7, [%[r],16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a]]\n\t"
+        "ldp	x5, x6, [%[a],16]\n\t"
+        "adds	x3, x3, x3\n\t"
+        "adcs	x4, x4, x4\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "mov	x8, 0xffffffff00000001\n\t"
+        "csetm	x9, cs\n\t"
+        "subs	x3, x3, x9\n\t"
+        "lsr	x7, x9, 32\n\t"
+        "sbcs	x4, x4, x7\n\t"
+        "and	x8, x8, x9\n\t"
+        "sbcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r],0]\n\t"
+        "sbc	x6, x6, x8\n\t"
+        "stp	x5, x6, [%[r],16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    (void)m;
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_tpl_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x10, x11, [%[a]]\n\t"
+        "adds	x3, x10, x10\n\t"
+        "ldr	x12, [%[a], 16]\n\t"
+        "adcs	x4, x11, x11\n\t"
+        "ldr	x13, [%[a], 24]\n\t"
+        "adcs	x5, x12, x12\n\t"
+        "adcs	x6, x13, x13\n\t"
+        "mov	x8, 0xffffffff00000001\n\t"
+        "csetm	x9, cs\n\t"
+        "subs	x3, x3, x9\n\t"
+        "lsr	x7, x9, 32\n\t"
+        "sbcs	x4, x4, x7\n\t"
+        "and	x8, x8, x9\n\t"
+        "sbcs	x5, x5, xzr\n\t"
+        "sbc	x6, x6, x8\n\t"
+        "adds	x3, x3, x10\n\t"
+        "adcs	x4, x4, x11\n\t"
+        "adcs	x5, x5, x12\n\t"
+        "adcs	x6, x6, x13\n\t"
+        "mov	x8, 0xffffffff00000001\n\t"
+        "csetm	x9, cs\n\t"
+        "subs	x3, x3, x9\n\t"
+        "lsr	x7, x9, 32\n\t"
+        "sbcs	x4, x4, x7\n\t"
+        "and	x8, x8, x9\n\t"
+        "sbcs	x5, x5, xzr\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbc	x6, x6, x8\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x10", "x11", "x12", "x13", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    (void)m;
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x4, x5, [%[a], 0]\n\t"
+        "ldp	x8, x9, [%[b], 0]\n\t"
+        "subs	x4, x4, x8\n\t"
+        "ldp	x6, x7, [%[a], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "ldp	x10, x11, [%[b], 16]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "sbcs	x7, x7, x11\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cc\n\t"
+        "adds	x4, x4, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "adcs	x5, x5, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x4, x5, [%[r],0]\n\t"
+        "adc	x7, x7, x13\n\t"
+        "stp	x6, x7, [%[r],16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_256_div2_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "and	x9, x3, 1\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sub	x10, xzr, x9\n\t"
+        "lsr	x7, x10, 32\n\t"
+        "adds	x3, x3, x10\n\t"
+        "and	x8, x10, 0xffffffff00000001\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "lsr	x3, x3, 1\n\t"
+        "adcs	x5, x5, xzr\n\t"
+        "lsr	x7, x4, 1\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "lsr	x8, x5, 1\n\t"
+        "cset	x9, cs\n\t"
+        "lsr	x10, x6, 1\n\t"
+        "orr	x3, x3, x4, lsl 63\n\t"
+        "orr	x4, x7, x5, lsl 63\n\t"
+        "orr	x5, x8, x6, lsl 63\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "orr	x6, x10, x9, lsl 63\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_4(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_4(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_4(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_4(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_4(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_4(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_4(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_4(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_4(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_4(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_4(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_4(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_4(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_4(y, y, t2, p256_mod);
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_dbl_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x8, x9, [%[b]]\n\t"
+        "ldp	x10, x11, [%[b],16]\n\t"
+        "adds	x8, x8, x8\n\t"
+        "ldp	x4, x5, [%[a]]\n\t"
+        "adcs	x9, x9, x9\n\t"
+        "ldp	x6, x7, [%[a],16]\n\t"
+        "adcs	x10, x10, x10\n\t"
+        "adcs	x11, x11, x11\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cs\n\t"
+        "subs	x8, x8, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "sbcs	x9, x9, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "sbcs	x10, x10, xzr\n\t"
+        "sbc	x11, x11, x13\n\t"
+        "subs	x4, x4, x8\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "sbcs	x7, x7, x11\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cc\n\t"
+        "adds	x4, x4, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "adcs	x5, x5, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x4, x5, [%[r],0]\n\t"
+        "adc	x7, x7, x13\n\t"
+        "stp	x6, x7, [%[r],16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldp	x4, x5, [%[a]]\n\t"
+        "ldp	x6, x7, [%[a],16]\n\t"
+        "adds	x4, x4, x4\n\t"
+        "ldp	x8, x9, [%[b]]\n\t"
+        "adcs	x5, x5, x5\n\t"
+        "ldp	x10, x11, [%[b],16]\n\t"
+        "adcs	x6, x6, x6\n\t"
+        "adcs	x7, x7, x7\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cs\n\t"
+        "subs	x4, x4, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "sbcs	x5, x5, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "sbcs	x6, x6, xzr\n\t"
+        "sbc	x7, x7, x13\n\t"
+        "subs	x4, x4, x8\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "sbcs	x7, x7, x11\n\t"
+        "mov	x13, 0xffffffff00000001\n\t"
+        "csetm	x14, cc\n\t"
+        "adds	x4, x4, x14\n\t"
+        "lsr	x12, x14, 32\n\t"
+        "adcs	x5, x5, x12\n\t"
+        "and	x13, x13, x14\n\t"
+        "adcs	x6, x6, xzr\n\t"
+        "stp	x4, x5, [%[r],0]\n\t"
+        "adc	x7, x7, x13\n\t"
+        "stp	x6, x7, [%[r],16]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_4(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_4(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_dbl_4(x, x, b, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_4(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_4(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_4(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_sub_4(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_4(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_4(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_dbl_4(x, x, b, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_4(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_4(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_4(y, b, x, p256_mod);
+    sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_sub_4(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_4(y, y, p256_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_4(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_4(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_4(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_4(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_4(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_4(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, x, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, y, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_mul_4(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, y, t5, p256_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_store_4(sp_point_256* r, const sp_point_256* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* t2 = t + 8*4;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<4; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<4; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<4; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(w, w, p256_mod, p256_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(b, t2, x, p256_mod, p256_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(t1, b, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_4(r[(1<<i)*m].z, z, y, p256_mod, p256_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_4(t2, t2, p256_mod, p256_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_4(w, w, t2, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(y, y, p256_mod);
+        sp_256_mont_sub_4(y, y, t2, p256_mod);
+
+        /* Y = Y/2 */
+        sp_256_div2_4(r[(1<<i)*m].y, y, p256_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_sub_4(sp_point_256* ra, sp_point_256* rs,
+        const sp_point_256* p, const sp_point_256* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* t6 = t + 10*4;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_256_mont_sqr_4(t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t1, x, p256_mod, p256_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_256_mont_mul_4(t3, t3, y, p256_mod, p256_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+    /* H = U2 - U1 */
+    sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+    /* RS = S2 + S1 */
+    sp_256_mont_add_4(t6, t4, t3, p256_mod);
+    /* R = S2 - S1 */
+    sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_256_mont_mul_4(z, z, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_256_mont_sqr_4(x, t4, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(xs, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(y, t1, t5, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(x, x, t5, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t5, p256_mod);
+    sp_256_mont_dbl_4(t1, y, p256_mod);
+    sp_256_mont_sub_4(x, x, t1, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t1, p256_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_256_mont_sub_4(ys, y, xs, p256_mod);
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    sp_256_mont_mul_4(y, y, t4, p256_mod, p256_mp_mod);
+    sp_256_sub_4(t6, p256_mod, t6);
+    sp_256_mont_mul_4(ys, ys, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t5, t5, t3, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(y, y, t5, p256_mod);
+    sp_256_mont_sub_4(ys, ys, t5, p256_mod);
+}
+
+/* Structure used to describe recoding of scalar multiplication. */
+typedef struct ecc_recode_256 {
+    /* Index into pre-computation table. */
+    uint8_t i;
+    /* Use the negative of the point. */
+    uint8_t neg;
+} ecc_recode_256;
+
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_4_6[66] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_4_6[66] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_256_ecc_recode_6_4(const sp_digit* k, ecc_recode_256* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<43; i++) {
+        y = n;
+        if (o + 6 < 64) {
+            y &= 0x3f;
+            n >>= 6;
+            o += 6;
+        }
+        else if (o + 6 == 64) {
+            n >>= 6;
+            if (++j < 4)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 4) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x3f;
+            o -= 58;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_4_6[y];
+        v[i].neg = recode_neg_4_6[y];
+        carry = (y >> 6) + v[i].neg;
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_win_add_sub_4(sp_point_256* r, const sp_point_256* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[33];
+    sp_point_256 rtd, pd;
+    sp_digit tmpd[2 * 4 * 6];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[43];
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_4(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].y, g->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].z, g->z, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_256_proj_point_dbl_n_store_4(t, &t[ 1], 5, 1, tmp);
+        sp_256_proj_point_add_4(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[ 6], &t[ 3], tmp);
+        sp_256_proj_point_add_sub_4(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[10], &t[ 5], tmp);
+        sp_256_proj_point_add_sub_4(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[12], &t[ 6], tmp);
+        sp_256_proj_point_dbl_4(&t[14], &t[ 7], tmp);
+        sp_256_proj_point_add_sub_4(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[18], &t[ 9], tmp);
+        sp_256_proj_point_add_sub_4(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[20], &t[10], tmp);
+        sp_256_proj_point_dbl_4(&t[22], &t[11], tmp);
+        sp_256_proj_point_add_sub_4(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[24], &t[12], tmp);
+        sp_256_proj_point_dbl_4(&t[26], &t[13], tmp);
+        sp_256_proj_point_add_sub_4(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[28], &t[14], tmp);
+        sp_256_proj_point_dbl_4(&t[30], &t[15], tmp);
+        sp_256_proj_point_add_sub_4(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_256_ecc_recode_6_4(k, v);
+
+        i = 42;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_256));
+        for (--i; i>=0; i--) {
+            sp_256_proj_point_dbl_n_4(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_256));
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_256_proj_point_add_4(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[4];
+    sp_digit y[4];
+} sp_table_entry_256;
+
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_4(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_4(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_4(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_4(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, t3, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_4(t3, t3, x, p256_mod);
+        sp_256_mont_mul_4(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_4(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 4;
+    sp_digit* tmp = t + 4 * 4;
+
+    sp_256_mont_inv_4(t1, a->z, tmp);
+
+    sp_256_mont_sqr_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_4(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_4(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_4(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_4(t, 32, tmp);
+            sp_256_proj_to_affine_4(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_4(t, s1, s2, tmp);
+                sp_256_proj_to_affine_4(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_4(s2, 0, heap);
+    sp_256_point_free_4(s1, 0, heap);
+    sp_256_point_free_4( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_4(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_4(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_4(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[4];
+    sp_digit y[4];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_4(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_4(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_4(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_win_add_sub_4(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 4 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_4(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_win_add_sub_4(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_4(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, km);
+        sp_256_point_from_ecc_point_4(point, gm);
+
+            err = sp_256_ecc_mulmod_4(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x79e730d418a9143cL,0x75ba95fc5fedb601L,0x79fb732b77622510L,
+        0x18905f76a53755c6L },
+      { 0xddf25357ce95560aL,0x8b4ab8e4ba19e45cL,0xd2e88688dd21f325L,
+        0x8571ff1825885d85L } },
+    /* 2 */
+    { { 0x202886024147519aL,0xd0981eac26b372f0L,0xa9d4a7caa785ebc8L,
+        0xd953c50ddbdf58e9L },
+      { 0x9d6361ccfd590f8fL,0x72e9626b44e6c917L,0x7fd9611022eb64cfL,
+        0x863ebb7e9eb288f3L } },
+    /* 3 */
+    { { 0x7856b6235cdb6485L,0x808f0ea22f0a2f97L,0x3e68d9544f7e300bL,
+        0x00076055b5ff80a0L },
+      { 0x7634eb9b838d2010L,0x54014fbb3243708aL,0xe0e47d39842a6606L,
+        0x8308776134373ee0L } },
+    /* 4 */
+    { { 0x4f922fc516a0d2bbL,0x0d5cc16c1a623499L,0x9241cf3a57c62c8bL,
+        0x2f5e6961fd1b667fL },
+      { 0x5c15c70bf5a01797L,0x3d20b44d60956192L,0x04911b37071fdb52L,
+        0xf648f9168d6f0f7bL } },
+    /* 5 */
+    { { 0x9e566847e137bbbcL,0xe434469e8a6a0becL,0xb1c4276179d73463L,
+        0x5abe0285133d0015L },
+      { 0x92aa837cc04c7dabL,0x573d9f4c43260c07L,0x0c93156278e6cc37L,
+        0x94bb725b6b6f7383L } },
+    /* 6 */
+    { { 0xbbf9b48f720f141cL,0x6199b3cd2df5bc74L,0xdc3f6129411045c4L,
+        0xcdd6bbcb2f7dc4efL },
+      { 0xcca6700beaf436fdL,0x6f647f6db99326beL,0x0c0fa792014f2522L,
+        0xa361bebd4bdae5f6L } },
+    /* 7 */
+    { { 0x28aa2558597c13c7L,0xc38d635f50b7c3e1L,0x07039aecf3c09d1dL,
+        0xba12ca09c4b5292cL },
+      { 0x9e408fa459f91dfdL,0x3af43b66ceea07fbL,0x1eceb0899d780b29L,
+        0x53ebb99d701fef4bL } },
+    /* 8 */
+    { { 0x4fe7ee31b0e63d34L,0xf4600572a9e54fabL,0xc0493334d5e7b5a4L,
+        0x8589fb9206d54831L },
+      { 0xaa70f5cc6583553aL,0x0879094ae25649e5L,0xcc90450710044652L,
+        0xebb0696d02541c4fL } },
+    /* 9 */
+    { { 0x4616ca15ac1647c5L,0xb8127d47c4cf5799L,0xdc666aa3764dfbacL,
+        0xeb2820cbd1b27da3L },
+      { 0x9406f8d86a87e008L,0xd87dfa9d922378f3L,0x56ed2e4280ccecb2L,
+        0x1f28289b55a7da1dL } },
+    /* 10 */
+    { { 0xabbaa0c03b89da99L,0xa6f2d79eb8284022L,0x27847862b81c05e8L,
+        0x337a4b5905e54d63L },
+      { 0x3c67500d21f7794aL,0x207005b77d6d7f61L,0x0a5a378104cfd6e8L,
+        0x0d65e0d5f4c2fbd6L } },
+    /* 11 */
+    { { 0xd9d09bbeb5275d38L,0x4268a7450be0a358L,0xf0762ff4973eb265L,
+        0xc23da24252f4a232L },
+      { 0x5da1b84f0b94520cL,0x09666763b05bd78eL,0x3a4dcb8694d29ea1L,
+        0x19de3b8cc790cff1L } },
+    /* 12 */
+    { { 0x183a716c26c5fe04L,0x3b28de0b3bba1bdbL,0x7432c586a4cb712cL,
+        0xe34dcbd491fccbfdL },
+      { 0xb408d46baaa58403L,0x9a69748682e97a53L,0x9e39012736aaa8afL,
+        0xe7641f447b4e0f7fL } },
+    /* 13 */
+    { { 0x7d753941df64ba59L,0xd33f10ec0b0242fcL,0x4f06dfc6a1581859L,
+        0x4a12df57052a57bfL },
+      { 0xbfa6338f9439dbd0L,0xd3c24bd4bde53e1fL,0xfd5e4ffa21f1b314L,
+        0x6af5aa93bb5bea46L } },
+    /* 14 */
+    { { 0xda10b69910c91999L,0x0a24b4402a580491L,0x3e0094b4b8cc2090L,
+        0x5fe3475a66a44013L },
+      { 0xb0f8cabdf93e7b4bL,0x292b501a7c23f91aL,0x42e889aecd1e6263L,
+        0xb544e308ecfea916L } },
+    /* 15 */
+    { { 0x6478c6e916ddfdceL,0x2c329166f89179e6L,0x4e8d6e764d4e67e1L,
+        0xe0b6b2bda6b0c20bL },
+      { 0x0d312df2bb7efb57L,0x1aac0dde790c4007L,0xf90336ad679bc944L,
+        0x71c023de25a63774L } },
+    /* 16 */
+    { { 0x62a8c244bfe20925L,0x91c19ac38fdce867L,0x5a96a5d5dd387063L,
+        0x61d587d421d324f6L },
+      { 0xe87673a2a37173eaL,0x2384800853778b65L,0x10f8441e05bab43eL,
+        0xfa11fe124621efbeL } },
+    /* 17 */
+    { { 0x1c891f2b2cb19ffdL,0x01ba8d5bb1923c23L,0xb6d03d678ac5ca8eL,
+        0x586eb04c1f13bedcL },
+      { 0x0c35c6e527e8ed09L,0x1e81a33c1819ede2L,0x278fd6c056c652faL,
+        0x19d5ac0870864f11L } },
+    /* 18 */
+    { { 0x1e99f581309a4e1fL,0xab7de71be9270074L,0x26a5ef0befd28d20L,
+        0xe7c0073f7f9c563fL },
+      { 0x1f6d663a0ef59f76L,0x669b3b5420fcb050L,0xc08c1f7a7a6602d4L,
+        0xe08504fec65b3c0aL } },
+    /* 19 */
+    { { 0xf098f68da031b3caL,0x6d1cab9ee6da6d66L,0x5bfd81fa94f246e8L,
+        0x78f018825b0996b4L },
+      { 0xb7eefde43a25787fL,0x8016f80d1dccac9bL,0x0cea4877b35bfc36L,
+        0x43a773b87e94747aL } },
+    /* 20 */
+    { { 0x62577734d2b533d5L,0x673b8af6a1bdddc0L,0x577e7c9aa79ec293L,
+        0xbb6de651c3b266b1L },
+      { 0xe7e9303ab65259b3L,0xd6a0afd3d03a7480L,0xc5ac83d19b3cfc27L,
+        0x60b4619a5d18b99bL } },
+    /* 21 */
+    { { 0xbd6a38e11ae5aa1cL,0xb8b7652b49e73658L,0x0b130014ee5f87edL,
+        0x9d0f27b2aeebffcdL },
+      { 0xca9246317a730a55L,0x9c955b2fddbbc83aL,0x07c1dfe0ac019a71L,
+        0x244a566d356ec48dL } },
+    /* 22 */
+    { { 0x6db0394aeacf1f96L,0x9f2122a9024c271cL,0x2626ac1b82cbd3b9L,
+        0x45e58c873581ef69L },
+      { 0xd3ff479da38f9dbcL,0xa8aaf146e888a040L,0x945adfb246e0bed7L,
+        0xc040e21cc1e4b7a4L } },
+    /* 23 */
+    { { 0x847af0006f8117b6L,0x651969ff73a35433L,0x482b35761d9475ebL,
+        0x1cdf5c97682c6ec7L },
+      { 0x7db775b411f04839L,0x7dbeacf448de1698L,0xb2921dd1b70b3219L,
+        0x046755f8a92dff3dL } },
+    /* 24 */
+    { { 0xcc8ac5d2bce8ffcdL,0x0d53c48b2fe61a82L,0xf6f161727202d6c7L,
+        0x046e5e113b83a5f3L },
+      { 0xe7b8ff64d8007f01L,0x7fb1ef125af43183L,0x045c5ea635e1a03cL,
+        0x6e0106c3303d005bL } },
+    /* 25 */
+    { { 0x48c7358488dd73b1L,0x7670708f995ed0d9L,0x38385ea8c56a2ab7L,
+        0x442594ede901cf1fL },
+      { 0xf8faa2c912d4b65bL,0x94c2343b96c90c37L,0xd326e4a15e978d1fL,
+        0xa796fa514c2ee68eL } },
+    /* 26 */
+    { { 0x359fb604823addd7L,0x9e2a6183e56693b3L,0xf885b78e3cbf3c80L,
+        0xe4ad2da9c69766e9L },
+      { 0x357f7f428e048a61L,0x082d198cc092d9a0L,0xfc3a1af4c03ed8efL,
+        0xc5e94046c37b5143L } },
+    /* 27 */
+    { { 0x476a538c2be75f9eL,0x6fd1a9e8cb123a78L,0xd85e4df0b109c04bL,
+        0x63283dafdb464747L },
+      { 0xce728cf7baf2df15L,0xe592c4550ad9a7f4L,0xfab226ade834bcc3L,
+        0x68bd19ab1981a938L } },
+    /* 28 */
+    { { 0xc08ead511887d659L,0x3374d5f4b359305aL,0x96986981cfe74fe3L,
+        0x495292f53c6fdfd6L },
+      { 0x4a878c9e1acec896L,0xd964b210ec5b4484L,0x6696f7e2664d60a7L,
+        0x0ec7530d26036837L } },
+    /* 29 */
+    { { 0x2da13a05ad2687bbL,0xa1f83b6af32e21faL,0x390f5ef51dd4607bL,
+        0x0f6207a664863f0bL },
+      { 0xbd67e3bb0f138233L,0xdd66b96c272aa718L,0x8ed0040726ec88aeL,
+        0xff0db07208ed6dcfL } },
+    /* 30 */
+    { { 0x749fa1014c95d553L,0xa44052fd5d680a8aL,0x183b4317ff3b566fL,
+        0x313b513c88740ea3L },
+      { 0xb402e2ac08d11549L,0x071ee10bb4dee21cL,0x26b987dd47f2320eL,
+        0x2d3abcf986f19f81L } },
+    /* 31 */
+    { { 0x4c288501815581a2L,0x9a0a6d56632211afL,0x19ba7a0f0cab2e99L,
+        0xc036fa10ded98cdfL },
+      { 0x29ae08bac1fbd009L,0x0b68b19006d15816L,0xc2eb32779b9e0d8fL,
+        0xa6b2a2c4b6d40194L } },
+    /* 32 */
+    { { 0xd433e50f6d3549cfL,0x6f33696ffacd665eL,0x695bfdacce11fcb4L,
+        0x810ee252af7c9860L },
+      { 0x65450fe17159bb2cL,0xf7dfbebe758b357bL,0x2b057e74d69fea72L,
+        0xd485717a92731745L } },
+    /* 33 */
+    { { 0x11741a8af0cb5a98L,0xd3da8f931f3110bfL,0x1994e2cbab382adfL,
+        0x6a6045a72f9a604eL },
+      { 0x170c0d3fa2b2411dL,0xbe0eb83e510e96e0L,0x3bcc9f738865b3ccL,
+        0xd3e45cfaf9e15790L } },
+    /* 34 */
+    { { 0xce1f69bbe83f7669L,0x09f8ae8272877d6bL,0x9548ae543244278dL,
+        0x207755dee3c2c19cL },
+      { 0x87bd61d96fef1945L,0x18813cefb12d28c3L,0x9fbcd1d672df64aaL,
+        0x48dc5ee57154b00dL } },
+    /* 35 */
+    { { 0x123790bff7e5a199L,0xe0efb8cf989ccbb7L,0xc27a2bfe0a519c79L,
+        0xf2fb0aeddff6f445L },
+      { 0x41c09575f0b5025fL,0x550543d740fa9f22L,0x8fa3c8ad380bfbd0L,
+        0xa13e9015db28d525L } },
+    /* 36 */
+    { { 0xf9f7a350a2b65cbcL,0x0b04b9722a464226L,0x265ce241e23f07a1L,
+        0x2bf0d6b01497526fL },
+      { 0xd3d4dd3f4b216fb7L,0xf7d7b867fbdda26aL,0xaeb7b83f6708505cL,
+        0x42a94a5a162fe89fL } },
+    /* 37 */
+    { { 0x5846ad0beaadf191L,0x0f8a489025a268d7L,0xe8603050494dc1f6L,
+        0x2c2dd969c65ede3dL },
+      { 0x6d02171d93849c17L,0x460488ba1da250ddL,0x4810c7063c3a5485L,
+        0xf437fa1f42c56dbcL } },
+    /* 38 */
+    { { 0x6aa0d7144a0f7dabL,0x0f0497931776e9acL,0x52c0a050f5f39786L,
+        0xaaf45b3354707aa8L },
+      { 0x85e37c33c18d364aL,0xd40b9b063e497165L,0xf417168115ec5444L,
+        0xcdf6310df4f272bcL } },
+    /* 39 */
+    { { 0x7473c6238ea8b7efL,0x08e9351885bc2287L,0x419567722bda8e34L,
+        0xf0d008bada9e2ff2L },
+      { 0x2912671d2414d3b1L,0xb3754985b019ea76L,0x5c61b96d453bcbdbL,
+        0x5bd5c2f5ca887b8bL } },
+    /* 40 */
+    { { 0xef0f469ef49a3154L,0x3e85a5956e2b2e9aL,0x45aaec1eaa924a9cL,
+        0xaa12dfc8a09e4719L },
+      { 0x26f272274df69f1dL,0xe0e4c82ca2ff5e73L,0xb9d8ce73b7a9dd44L,
+        0x6c036e73e48ca901L } },
+    /* 41 */
+    { { 0x5cfae12a0f6e3138L,0x6966ef0025ad345aL,0x8993c64b45672bc5L,
+        0x292ff65896afbe24L },
+      { 0xd5250d445e213402L,0xf6580e274392c9feL,0x097b397fda1c72e8L,
+        0x644e0c90311b7276L } },
+    /* 42 */
+    { { 0xe1e421e1a47153f0L,0xb86c3b79920418c9L,0x93bdce87705d7672L,
+        0xf25ae793cab79a77L },
+      { 0x1f3194a36d869d0cL,0x9d55c8824986c264L,0x49fb5ea3096e945eL,
+        0x39b8e65313db0a3eL } },
+    /* 43 */
+    { { 0x37754200b6fd2e59L,0x35e2c0669255c98fL,0xd9dab21a0e2a5739L,
+        0x39122f2f0f19db06L },
+      { 0xcfbce1e003cad53cL,0x225b2c0fe65c17e3L,0x72baf1d29aa13877L,
+        0x8de80af8ce80ff8dL } },
+    /* 44 */
+    { { 0xafbea8d9207bbb76L,0x921c7e7c21782758L,0xdfa2b74b1c0436b1L,
+        0x871949062e368c04L },
+      { 0xb5f928bba3993df5L,0x639d75b5f3b3d26aL,0x011aa78a85b55050L,
+        0xfc315e6a5b74fde1L } },
+    /* 45 */
+    { { 0x561fd41ae8d6ecfaL,0x5f8c44f61aec7f86L,0x98452a7b4924741dL,
+        0xe6d4a7adee389088L },
+      { 0x60552ed14593c75dL,0x70a70da4dd271162L,0xd2aede937ba2c7dbL,
+        0x35dfaf9a9be2ae57L } },
+    /* 46 */
+    { { 0x6b956fcdaa736636L,0x09f51d97ae2cab7eL,0xfb10bf410f349966L,
+        0x1da5c7d71c830d2bL },
+      { 0x5c41e4833cce6825L,0x15ad118ff9573c3bL,0xa28552c7f23036b8L,
+        0x7077c0fddbf4b9d6L } },
+    /* 47 */
+    { { 0xbf63ff8d46b9661cL,0xa1dfd36b0d2cfd71L,0x0373e140a847f8f7L,
+        0x53a8632ee50efe44L },
+      { 0x0976ff68696d8051L,0xdaec0c95c74f468aL,0x62994dc35e4e26bdL,
+        0x028ca76d34e1fcc1L } },
+    /* 48 */
+    { { 0xd11d47dcfc9877eeL,0xc8b36210801d0002L,0xd002c11754c260b6L,
+        0x04c17cd86962f046L },
+      { 0x6d9bd094b0daddf5L,0xbea2357524ce55c0L,0x663356e672da03b5L,
+        0xf7ba4de9fed97474L } },
+    /* 49 */
+    { { 0xd0dbfa34ebe1263fL,0x5576373571ae7ce6L,0xd244055382a6f523L,
+        0xe31f960052131c41L },
+      { 0xd1bb9216ea6b6ec6L,0x37a1d12e73c2fc44L,0xc10e7eac89d0a294L,
+        0xaa3a6259ce34d47bL } },
+    /* 50 */
+    { { 0xfbcf9df536f3dcd3L,0x6ceded50d2bf7360L,0x491710fadf504f5bL,
+        0x2398dd627e79daeeL },
+      { 0xcf4705a36d09569eL,0xea0619bb5149f769L,0xff9c037735f6034cL,
+        0x5717f5b21c046210L } },
+    /* 51 */
+    { { 0x9fe229c921dd895eL,0x8e51850040c28451L,0xfa13d2391d637ecdL,
+        0x660a2c560e3c28deL },
+      { 0x9cca88aed67fcbd0L,0xc84724780ea9f096L,0x32b2f48172e92b4dL,
+        0x624ee54c4f522453L } },
+    /* 52 */
+    { { 0x09549ce4d897ecccL,0x4d49d1d93f9880aaL,0x723c2423043a7c20L,
+        0x4f392afb92bdfbc0L },
+      { 0x6969f8fa7de44fd9L,0xb66cfbe457b32156L,0xdb2fa803368ebc3cL,
+        0x8a3e7977ccdb399cL } },
+    /* 53 */
+    { { 0xdde1881f06c4b125L,0xae34e300f6e3ca8cL,0xef6999de5c7a13e9L,
+        0x3888d02370c24404L },
+      { 0x7628035644f91081L,0x3d9fcf615f015504L,0x1827edc8632cd36eL,
+        0xa5e62e4718102336L } },
+    /* 54 */
+    { { 0x1a825ee32facd6c8L,0x699c635454bcbc66L,0x0ce3edf798df9931L,
+        0x2c4768e6466a5adcL },
+      { 0xb346ff8c90a64bc9L,0x630a6020e4779f5cL,0xd949d064bc05e884L,
+        0x7b5e6441f9e652a0L } },
+    /* 55 */
+    { { 0x2169422c1d28444aL,0xe996c5d8be136a39L,0x2387afe5fb0c7fceL,
+        0xb8af73cb0c8d744aL },
+      { 0x5fde83aa338b86fdL,0xfee3f158a58a5cffL,0xc9ee8f6f20ac9433L,
+        0xa036395f7f3f0895L } },
+    /* 56 */
+    { { 0x8c73c6bba10f7770L,0xa6f16d81a12a0e24L,0x100df68251bc2b9fL,
+        0x4be36b01875fb533L },
+      { 0x9226086e9fb56dbbL,0x306fef8b07e7a4f8L,0xeeaccc0566d52f20L,
+        0x8cbc9a871bdc00c0L } },
+    /* 57 */
+    { { 0xe131895cc0dac4abL,0xa874a440712ff112L,0x6332ae7c6a1cee57L,
+        0x44e7553e0c0835f8L },
+      { 0x6d503fff7734002dL,0x9d35cb8b0b34425cL,0x95f702760e8738b5L,
+        0x470a683a5eb8fc18L } },
+    /* 58 */
+    { { 0x81b761dc90513482L,0x0287202a01e9276aL,0xcda441ee0ce73083L,
+        0x16410690c63dc6efL },
+      { 0xf5034a066d06a2edL,0xdd4d7745189b100bL,0xd914ae72ab8218c9L,
+        0xd73479fd7abcbb4fL } },
+    /* 59 */
+    { { 0x7edefb165ad4c6e5L,0x262cf08f5b06d04dL,0x12ed5bb18575cb14L,
+        0x816469e30771666bL },
+      { 0xd7ab9d79561e291eL,0xeb9daf22c1de1661L,0xf49827eb135e0513L,
+        0x0a36dd23f0dd3f9cL } },
+    /* 60 */
+    { { 0x098d32c741d5533cL,0x7c5f5a9e8684628fL,0x39a228ade349bd11L,
+        0xe331dfd6fdbab118L },
+      { 0x5100ab686bcc6ed8L,0x7160c3bdef7a260eL,0x9063d9a7bce850d7L,
+        0xd3b4782a492e3389L } },
+    /* 61 */
+    { { 0xa149b6e8f3821f90L,0x92edd9ed66eb7aadL,0x0bb669531a013116L,
+        0x7281275a4c86a5bdL },
+      { 0x503858f7d3ff47e5L,0x5e1616bc61016441L,0x62b0f11a7dfd9bb1L,
+        0x2c062e7ece145059L } },
+    /* 62 */
+    { { 0xa76f996f0159ac2eL,0x281e7736cbdb2713L,0x2ad6d28808e46047L,
+        0x282a35f92c4e7ef1L },
+      { 0x9c354b1ec0ce5cd2L,0xcf99efc91379c229L,0x992caf383e82c11eL,
+        0xc71cd513554d2abdL } },
+    /* 63 */
+    { { 0x4885de9c09b578f4L,0x1884e258e3affa7aL,0x8f76b1b759182f1fL,
+        0xc50f6740cf47f3a3L },
+      { 0xa9c4adf3374b68eaL,0xa406f32369965fe2L,0x2f86a22285a53050L,
+        0xb9ecb3a7212958dcL } },
+    /* 64 */
+    { { 0x56f8410ef4f8b16aL,0x97241afec47b266aL,0x0a406b8e6d9c87c1L,
+        0x803f3e02cd42ab1bL },
+      { 0x7f0309a804dbec69L,0xa83b85f73bbad05fL,0xc6097273ad8e197fL,
+        0xc097440e5067adc1L } },
+    /* 65 */
+    { { 0x846a56f2c379ab34L,0xa8ee068b841df8d1L,0x20314459176c68efL,
+        0xf1af32d5915f1f30L },
+      { 0x99c375315d75bd50L,0x837cffbaf72f67bcL,0x0613a41848d7723fL,
+        0x23d0f130e2d41c8bL } },
+    /* 66 */
+    { { 0x857ab6edf41500d9L,0x0d890ae5fcbeada8L,0x52fe864889725951L,
+        0xb0288dd6c0a3faddL },
+      { 0x85320f30650bcb08L,0x71af6313695d6e16L,0x31f520a7b989aa76L,
+        0xffd3724ff408c8d2L } },
+    /* 67 */
+    { { 0x53968e64b458e6cbL,0x992dad20317a5d28L,0x3814ae0b7aa75f56L,
+        0xf5590f4ad78c26dfL },
+      { 0x0fc24bd3cf0ba55aL,0x0fc4724a0c778baeL,0x1ce9864f683b674aL,
+        0x18d6da54f6f74a20L } },
+    /* 68 */
+    { { 0xed93e225d5be5a2bL,0x6fe799835934f3c6L,0x4314092622626ffcL,
+        0x50bbb4d97990216aL },
+      { 0x378191c6e57ec63eL,0x65422c40181dcdb2L,0x41a8099b0236e0f6L,
+        0x2b10011801fe49c3L } },
+    /* 69 */
+    { { 0xfc68b5c59b391593L,0xc385f5a2598270fcL,0x7144f3aad19adcbbL,
+        0xdd55899983fbae0cL },
+      { 0x93b88b8e74b82ff4L,0xd2e03c4071e734c9L,0x9a7a9eaf43c0322aL,
+        0xe6e4c551149d6041L } },
+    /* 70 */
+    { { 0x55f655bb1e9af288L,0x647e1a64f7ada931L,0x43697e4bcb2820e5L,
+        0x51e00db107ed56ffL },
+      { 0x43d169b8771c327eL,0x29cdb20b4a96c2adL,0xc07d51f53deb4779L,
+        0xe22f424149829177L } },
+    /* 71 */
+    { { 0xcd45e8f4635f1abbL,0x7edc0cb568538874L,0xc9472c1fb5a8034dL,
+        0xf709373d52dc48c9L },
+      { 0x401966bba8af30d6L,0x95bf5f4af137b69cL,0x3966162a9361c47eL,
+        0xbd52d288e7275b11L } },
+    /* 72 */
+    { { 0xab155c7a9c5fa877L,0x17dad6727d3a3d48L,0x43f43f9e73d189d8L,
+        0xa0d0f8e4c8aa77a6L },
+      { 0x0bbeafd8cc94f92dL,0xd818c8be0c4ddb3aL,0x22cc65f8b82eba14L,
+        0xa56c78c7946d6a00L } },
+    /* 73 */
+    { { 0x2962391b0dd09529L,0x803e0ea63daddfcfL,0x2c77351f5b5bf481L,
+        0xd8befdf8731a367aL },
+      { 0xab919d42fc0157f4L,0xf51caed7fec8e650L,0xcdf9cb4002d48b0aL,
+        0x854a68a5ce9f6478L } },
+    /* 74 */
+    { { 0xdc35f67b63506ea5L,0x9286c489a4fe0d66L,0x3f101d3bfe95cd4dL,
+        0x5cacea0b98846a95L },
+      { 0xa90df60c9ceac44dL,0x3db29af4354d1c3aL,0x08dd3de8ad5dbabeL,
+        0xe4982d1235e4efa9L } },
+    /* 75 */
+    { { 0x23104a22c34cd55eL,0x58695bb32680d132L,0xfb345afa1fa1d943L,
+        0x8046b7f616b20499L },
+      { 0xb533581e38e7d098L,0xd7f61e8df46f0b70L,0x30dea9ea44cb78c4L,
+        0xeb17ca7b9082af55L } },
+    /* 76 */
+    { { 0x1751b59876a145b9L,0xa5cf6b0fc1bc71ecL,0xd3e03565392715bbL,
+        0x097b00bafab5e131L },
+      { 0xaa66c8e9565f69e1L,0x77e8f75ab5be5199L,0x6033ba11da4fd984L,
+        0xf95c747bafdbcc9eL } },
+    /* 77 */
+    { { 0x558f01d3bebae45eL,0xa8ebe9f0c4bc6955L,0xaeb705b1dbc64fc6L,
+        0x3512601e566ed837L },
+      { 0x9336f1e1fa1161cdL,0x328ab8d54c65ef87L,0x4757eee2724f21e5L,
+        0x0ef971236068ab6bL } },
+    /* 78 */
+    { { 0x02598cf754ca4226L,0x5eede138f8642c8eL,0x48963f74468e1790L,
+        0xfc16d9333b4fbc95L },
+      { 0xbe96fb31e7c800caL,0x138063312678adaaL,0x3d6244976ff3e8b5L,
+        0x14ca4af1b95d7a17L } },
+    /* 79 */
+    { { 0x7a4771babd2f81d5L,0x1a5f9d6901f7d196L,0xd898bef7cad9c907L,
+        0x4057b063f59c231dL },
+      { 0xbffd82fe89c05c0aL,0xe4911c6f1dc0df85L,0x3befccaea35a16dbL,
+        0x1c3b5d64f1330b13L } },
+    /* 80 */
+    { { 0x5fe14bfe80ec21feL,0xf6ce116ac255be82L,0x98bc5a072f4a5d67L,
+        0xfad27148db7e63afL },
+      { 0x90c0b6ac29ab05b3L,0x37a9a83c4e251ae6L,0x0a7dc875c2aade7dL,
+        0x77387de39f0e1a84L } },
+    /* 81 */
+    { { 0x1e9ecc49a56c0dd7L,0xa5cffcd846086c74L,0x8f7a1408f505aeceL,
+        0xb37b85c0bef0c47eL },
+      { 0x3596b6e4cc0e6a8fL,0xfd6d4bbf6b388f23L,0xaba453fac39cef4eL,
+        0x9c135ac8f9f628d5L } },
+    /* 82 */
+    { { 0x32aa320284e35743L,0x320d6ab185a3cdefL,0xb821b1761df19819L,
+        0x5721361fc433851fL },
+      { 0x1f0db36a71fc9168L,0x5f98ba735e5c403cL,0xf64ca87e37bcd8f5L,
+        0xdcbac3c9e6bb11bdL } },
+    /* 83 */
+    { { 0xf01d99684518cbe2L,0xd242fc189c9eb04eL,0x727663c7e47feebfL,
+        0xb8c1c89e2d626862L },
+      { 0x51a58bddc8e1d569L,0x563809c8b7d88cd0L,0x26c27fd9f11f31ebL,
+        0x5d23bbda2f9422d4L } },
+    /* 84 */
+    { { 0x0a1c729495c8f8beL,0x2961c4803bf362bfL,0x9e418403df63d4acL,
+        0xc109f9cb91ece900L },
+      { 0xc2d095d058945705L,0xb9083d96ddeb85c0L,0x84692b8d7a40449bL,
+        0x9bc3344f2eee1ee1L } },
+    /* 85 */
+    { { 0x0d5ae35642913074L,0x55491b2748a542b1L,0x469ca665b310732aL,
+        0x29591d525f1a4cc1L },
+      { 0xe76f5b6bb84f983fL,0xbe7eef419f5f84e1L,0x1200d49680baa189L,
+        0x6376551f18ef332cL } },
+    /* 86 */
+    { { 0xbda5f14e562976ccL,0x22bca3e60ef12c38L,0xbbfa30646cca9852L,
+        0xbdb79dc808e2987aL },
+      { 0xfd2cb5c9cb06a772L,0x38f475aafe536dceL,0xc2a3e0227c2b5db8L,
+        0x8ee86001add3c14aL } },
+    /* 87 */
+    { { 0xcbe96981a4ade873L,0x7ee9aa4dc4fba48cL,0x2cee28995a054ba5L,
+        0x92e51d7a6f77aa4bL },
+      { 0x948bafa87190a34dL,0xd698f75bf6bd1ed1L,0xd00ee6e30caf1144L,
+        0x5182f86f0a56aaaaL } },
+    /* 88 */
+    { { 0xfba6212c7a4cc99cL,0xff609b683e6d9ca1L,0x5dbb27cb5ac98c5aL,
+        0x91dcab5d4073a6f2L },
+      { 0x01b6cc3d5f575a70L,0x0cb361396f8d87faL,0x165d4e8c89981736L,
+        0x17a0cedb97974f2bL } },
+    /* 89 */
+    { { 0x38861e2a076c8d3aL,0x701aad39210f924bL,0x94d0eae413a835d9L,
+        0x2e8ce36c7f4cdf41L },
+      { 0x91273dab037a862bL,0x01ba9bb760e4c8faL,0xf964538833baf2ddL,
+        0xf4ccc6cb34f668f3L } },
+    /* 90 */
+    { { 0x44ef525cf1f79687L,0x7c59549592efa815L,0xe1231741a5c78d29L,
+        0xac0db4889a0df3c9L },
+      { 0x86bfc711df01747fL,0x592b9358ef17df13L,0xe5880e4f5ccb6bb5L,
+        0x95a64a6194c974a2L } },
+    /* 91 */
+    { { 0x72c1efdac15a4c93L,0x40269b7382585141L,0x6a8dfb1c16cb0badL,
+        0x231e54ba29210677L },
+      { 0xa70df9178ae6d2dcL,0x4d6aa63f39112918L,0xf627726b5e5b7223L,
+        0xab0be032d8a731e1L } },
+    /* 92 */
+    { { 0x097ad0e98d131f2dL,0x637f09e33b04f101L,0x1ac86196d5e9a748L,
+        0xf1bcc8802cf6a679L },
+      { 0x25c69140e8daacb4L,0x3c4e405560f65009L,0x591cc8fc477937a6L,
+        0x851694695aebb271L } },
+    /* 93 */
+    { { 0xde35c143f1dcf593L,0x78202b29b018be3bL,0xe9cdadc29bdd9d3dL,
+        0x8f67d9d2daad55d8L },
+      { 0x841116567481ea5fL,0xe7d2dde9e34c590cL,0xffdd43f405053fa8L,
+        0xf84572b9c0728b5dL } },
+    /* 94 */
+    { { 0x5e1a7a7197af71c9L,0xa14494447a736565L,0xa1b4ae070e1d5063L,
+        0xedee2710616b2c19L },
+      { 0xb2f034f511734121L,0x1cac6e554a25e9f0L,0x8dc148f3a40c2ecfL,
+        0x9fd27e9b44ebd7f4L } },
+    /* 95 */
+    { { 0x3cc7658af6e2cb16L,0xe3eb7d2cfe5919b6L,0x5a8c5816168d5583L,
+        0xa40c2fb6958ff387L },
+      { 0x8c9ec560fedcc158L,0x7ad804c655f23056L,0xd93967049a307e12L,
+        0x99bc9bb87dc6decfL } },
+    /* 96 */
+    { { 0x84a9521d927dafc6L,0x52c1fb695c09cd19L,0x9d9581a0f9366ddeL,
+        0x9abe210ba16d7e64L },
+      { 0x480af84a48915220L,0xfa73176a4dd816c6L,0xc7d539871681ca5aL,
+        0x7881c25787f344b0L } },
+    /* 97 */
+    { { 0x93399b51e0bcf3ffL,0x0d02cbc5127f74f6L,0x8fb465a2dd01d968L,
+        0x15e6e319a30e8940L },
+      { 0x646d6e0d3e0e05f4L,0xfad7bddc43588404L,0xbe61c7d1c4f850d3L,
+        0x0e55facf191172ceL } },
+    /* 98 */
+    { { 0x7e9d9806f8787564L,0x1a33172131e85ce6L,0x6b0158cab819e8d6L,
+        0xd73d09766fe96577L },
+      { 0x424834251eb7206eL,0xa519290fc618bb42L,0x5dcbb8595e30a520L,
+        0x9250a3748f15a50bL } },
+    /* 99 */
+    { { 0xcaff08f8be577410L,0xfd408a035077a8c6L,0xf1f63289ec0a63a4L,
+        0x77414082c1cc8c0bL },
+      { 0x05a40fa6eb0991cdL,0xc1ca086649fdc296L,0x3a68a3c7b324fd40L,
+        0x8cb04f4d12eb20b9L } },
+    /* 100 */
+    { { 0xb1c2d0556906171cL,0x9073e9cdb0240c3fL,0xdb8e6b4fd8906841L,
+        0xe4e429ef47123b51L },
+      { 0x0b8dd53c38ec36f4L,0xf9d2dc01ff4b6a27L,0x5d066e07879a9a48L,
+        0x37bca2ff3c6e6552L } },
+    /* 101 */
+    { { 0x4cd2e3c7df562470L,0x44f272a2c0964ac9L,0x7c6d5df980c793beL,
+        0x59913edc3002b22aL },
+      { 0x7a139a835750592aL,0x99e01d80e783de02L,0xcf8c0375ea05d64fL,
+        0x43786e4ab013e226L } },
+    /* 102 */
+    { { 0xff32b0ed9e56b5a6L,0x0750d9a6d9fc68f9L,0xec15e845597846a7L,
+        0x8638ca98b7e79e7aL },
+      { 0x2f5ae0960afc24b2L,0x05398eaf4dace8f2L,0x3b765dd0aecba78fL,
+        0x1ecdd36a7b3aa6f0L } },
+    /* 103 */
+    { { 0x5d3acd626c5ff2f3L,0xa2d516c02873a978L,0xad94c9fad2110d54L,
+        0xd85d0f85d459f32dL },
+      { 0x9f700b8d10b11da3L,0xd2c22c30a78318c4L,0x556988f49208decdL,
+        0xa04f19c3b4ed3c62L } },
+    /* 104 */
+    { { 0x087924c8ed7f93bdL,0xcb64ac5d392f51f6L,0x7cae330a821b71afL,
+        0x92b2eeea5c0950b0L },
+      { 0x85ac4c9485b6e235L,0xab2ca4a92936c0f0L,0x80faa6b3e0508891L,
+        0x1ee782215834276cL } },
+    /* 105 */
+    { { 0xa60a2e00e63e79f7L,0xf590e7b2f399d906L,0x9021054a6607c09dL,
+        0xf3f2ced857a6e150L },
+      { 0x200510f3f10d9b55L,0x9d2fcfacd8642648L,0xe5631aa7e8bd0e7cL,
+        0x0f56a4543da3e210L } },
+    /* 106 */
+    { { 0x5b21bffa1043e0dfL,0x6c74b6cc9c007e6dL,0x1a656ec0d4a8517aL,
+        0xbd8f17411969e263L },
+      { 0x8a9bbb86beb7494aL,0x1567d46f45f3b838L,0xdf7a12a7a4e5a79aL,
+        0x2d1a1c3530ccfa09L } },
+    /* 107 */
+    { { 0x192e3813506508daL,0x336180c4a1d795a7L,0xcddb59497a9944b3L,
+        0xa107a65eb91fba46L },
+      { 0xe6d1d1c50f94d639L,0x8b4af3758a58b7d7L,0x1a7c5584bd37ca1cL,
+        0x183d760af87a9af2L } },
+    /* 108 */
+    { { 0x29d697110dde59a4L,0xf1ad8d070e8bef87L,0x229b49634f2ebe78L,
+        0x1d44179dc269d754L },
+      { 0xb32dc0cf8390d30eL,0x0a3b27530de8110cL,0x31af1dc52bc0339aL,
+        0x771f9cc29606d262L } },
+    /* 109 */
+    { { 0x99993e7785040739L,0x44539db98026a939L,0xcf40f6f2f5f8fc26L,
+        0x64427a310362718eL },
+      { 0x4f4f2d8785428aa8L,0x7b7adc3febfb49a8L,0x201b2c6df23d01acL,
+        0x49d9b7496ae90d6dL } },
+    /* 110 */
+    { { 0xcc78d8bc435d1099L,0x2adbcd4e8e8d1a08L,0x02c2e2a02cb68a41L,
+        0x9037d81b3f605445L },
+      { 0x7cdbac27074c7b61L,0xfe2031ab57bfd72eL,0x61ccec96596d5352L,
+        0x08c3de6a7cc0639cL } },
+    /* 111 */
+    { { 0x20fdd020f6d552abL,0x56baff9805cd81f1L,0x06fb7c3e91351291L,
+        0xc690944245796b2fL },
+      { 0x17b3ae9c41231bd1L,0x1eac6e875cc58205L,0x208837abf9d6a122L,
+        0x3fa3db02cafe3ac0L } },
+    /* 112 */
+    { { 0xd75a3e6505058880L,0x7da365ef643943f2L,0x4147861cfab24925L,
+        0xc5c4bdb0fdb808ffL },
+      { 0x73513e34b272b56bL,0xc8327e9511b9043aL,0xfd8ce37df8844969L,
+        0x2d56db9446c2b6b5L } },
+    /* 113 */
+    { { 0x2461782fff46ac6bL,0xd19f792607a2e425L,0xfafea3c409a48de1L,
+        0x0f56bd9de503ba42L },
+      { 0x137d4ed1345cda49L,0x821158fc816f299dL,0xe7c6a54aaeb43402L,
+        0x4003bb9d1173b5f1L } },
+    /* 114 */
+    { { 0x3b8e8189a0803387L,0xece115f539cbd404L,0x4297208dd2877f21L,
+        0x53765522a07f2f9eL },
+      { 0xa4980a21a8a4182dL,0xa2bbd07a3219df79L,0x674d0a2e1a19a2d4L,
+        0x7a056f586c5d4549L } },
+    /* 115 */
+    { { 0x646b25589d8a2a47L,0x5b582948c3df2773L,0x51ec000eabf0d539L,
+        0x77d482f17a1a2675L },
+      { 0xb8a1bd9587853948L,0xa6f817bd6cfbffeeL,0xab6ec05780681e47L,
+        0x4115012b2b38b0e4L } },
+    /* 116 */
+    { { 0x3c73f0f46de28cedL,0x1d5da7609b13ec47L,0x61b8ce9e6e5c6392L,
+        0xcdf04572fbea0946L },
+      { 0x1cb3c58b6c53c3b0L,0x97fe3c10447b843cL,0xfb2b8ae12cb9780eL,
+        0xee703dda97383109L } },
+    /* 117 */
+    { { 0x34515140ff57e43aL,0xd44660d3b1b811b8L,0x2b3b5dff8f42b986L,
+        0x2a0ad89da162ce21L },
+      { 0x64e4a6946bc277baL,0xc788c954c141c276L,0x141aa64ccabf6274L,
+        0xd62d0b67ac2b4659L } },
+    /* 118 */
+    { { 0x39c5d87b2c054ac4L,0x57005859f27df788L,0xedf7cbf3b18128d6L,
+        0xb39a23f2991c2426L },
+      { 0x95284a15f0b16ae5L,0x0c6a05b1a136f51bL,0x1d63c137f2700783L,
+        0x04ed0092c0674cc5L } },
+    /* 119 */
+    { { 0x1f4185d19ae90393L,0x3047b4294a3d64e6L,0xae0001a69854fc14L,
+        0xa0a91fc10177c387L },
+      { 0xff0a3f01ae2c831eL,0xbb76ae822b727e16L,0x8f12c8a15a3075b4L,
+        0x084cf9889ed20c41L } },
+    /* 120 */
+    { { 0xd98509defca6becfL,0x2fceae807dffb328L,0x5d8a15c44778e8b9L,
+        0xd57955b273abf77eL },
+      { 0x210da79e31b5d4f1L,0xaa52f04b3cfa7a1cL,0xd4d12089dc27c20bL,
+        0x8e14ea4202d141f1L } },
+    /* 121 */
+    { { 0xeed50345f2897042L,0x8d05331f43402c4aL,0xc8d9c194c8bdfb21L,
+        0x597e1a372aa4d158L },
+      { 0x0327ec1acf0bd68cL,0x6d4be0dcab024945L,0x5b9c8d7ac9fe3e84L,
+        0xca3f0236199b4deaL } },
+    /* 122 */
+    { { 0x592a10b56170bd20L,0x0ea897f16d3f5de7L,0xa3363ff144b2ade2L,
+        0xbde7fd7e309c07e4L },
+      { 0x516bb6d2b8f5432cL,0x210dc1cbe043444bL,0x3db01e6ff8f95b5aL,
+        0xb623ad0e0a7dd198L } },
+    /* 123 */
+    { { 0xa75bd67560c7b65bL,0xab8c559023a4a289L,0xf8220fd0d7b26795L,
+        0xd6aa2e4658ec137bL },
+      { 0x10abc00b5138bb85L,0x8c31d121d833a95cL,0xb24ff00b1702a32eL,
+        0x111662e02dcc513aL } },
+    /* 124 */
+    { { 0x78114015efb42b87L,0xbd9f5d701b6c4dffL,0x66ecccd7a7d7c129L,
+        0xdb3ee1cb94b750f8L },
+      { 0xb26f3db0f34837cfL,0xe7eed18bb9578d4fL,0x5d2cdf937c56657dL,
+        0x886a644252206a59L } },
+    /* 125 */
+    { { 0x3c234cfb65b569eaL,0x20011141f72119c1L,0x8badc85da15a619eL,
+        0xa70cf4eb018a17bcL },
+      { 0x224f97ae8c4a6a65L,0x36e5cf270134378fL,0xbe3a609e4f7e0960L,
+        0xaa4772abd1747b77L } },
+    /* 126 */
+    { { 0x676761317aa60cc0L,0xc79163610368115fL,0xded98bb4bbc1bb5aL,
+        0x611a6ddc30faf974L },
+      { 0x30e78cbcc15ee47aL,0x2e8962824e0d96a5L,0x36f35adf3dd9ed88L,
+        0x5cfffaf816429c88L } },
+    /* 127 */
+    { { 0xc0d54cff9b7a99cdL,0x7bf3b99d843c45a1L,0x038a908f62c739e1L,
+        0x6e5a6b237dc1994cL },
+      { 0xef8b454e0ba5db77L,0xb7b8807facf60d63L,0xe591c0c676608378L,
+        0x481a238d242dabccL } },
+    /* 128 */
+    { { 0xe3417bc035d0b34aL,0x440b386b8327c0a7L,0x8fb7262dac0362d1L,
+        0x2c41114ce0cdf943L },
+      { 0x2ba5cef1ad95a0b1L,0xc09b37a867d54362L,0x26d6cdd201e486c9L,
+        0x20477abf42ff9297L } },
+    /* 129 */
+    { { 0x2f75173c18d65dbfL,0x77bf940e339edad8L,0x7022d26bdcf1001cL,
+        0xac66409ac77396b6L },
+      { 0x8b0bb36fc6261cc3L,0x213f7bc9190e7e90L,0x6541cebaa45e6c10L,
+        0xce8e6975cc122f85L } },
+    /* 130 */
+    { { 0x0f121b41bc0a67d2L,0x62d4760a444d248aL,0x0e044f1d659b4737L,
+        0x08fde365250bb4a8L },
+      { 0xaceec3da848bf287L,0xc2a62182d3369d6eL,0x3582dfdc92449482L,
+        0x2f7e2fd2565d6cd7L } },
+    /* 131 */
+    { { 0xae4b92dbc3770fa7L,0x095e8d5c379043f9L,0x54f34e9d17761171L,
+        0xc65be92e907702aeL },
+      { 0x2758a303f6fd0a40L,0xe7d822e3bcce784bL,0x7ae4f5854f9767bfL,
+        0x4bff8e47d1193b3aL } },
+    /* 132 */
+    { { 0xcd41d21f00ff1480L,0x2ab8fb7d0754db16L,0xac81d2efbbe0f3eaL,
+        0x3e4e4ae65772967dL },
+      { 0x7e18f36d3c5303e6L,0x3bd9994b92262397L,0x9ed70e261324c3c0L,
+        0x5388aefd58ec6028L } },
+    /* 133 */
+    { { 0xad1317eb5e5d7713L,0x09b985ee75de49daL,0x32f5bc4fc74fb261L,
+        0x5cf908d14f75be0eL },
+      { 0x760435108e657b12L,0xbfd421a5b96ed9e6L,0x0e29f51f8970ccc2L,
+        0xa698ba4060f00ce2L } },
+    /* 134 */
+    { { 0x73db1686ef748fecL,0xe6e755a27e9d2cf9L,0x630b6544ce265effL,
+        0xb142ef8a7aebad8dL },
+      { 0xad31af9f17d5770aL,0x66af3b672cb3412fL,0x6bd60d1bdf3359deL,
+        0xd1896a9658515075L } },
+    /* 135 */
+    { { 0xec5957ab33c41c08L,0x87de94ac5468e2e1L,0x18816b73ac472f6cL,
+        0x267b0e0b7981da39L },
+      { 0x6e554e5d8e62b988L,0xd8ddc755116d21e7L,0x4610faf03d2a6f99L,
+        0xb54e287aa1119393L } },
+    /* 136 */
+    { { 0x0a0122b5178a876bL,0x51ff96ff085104b4L,0x050b31ab14f29f76L,
+        0x84abb28b5f87d4e6L },
+      { 0xd5ed439f8270790aL,0x2d6cb59d85e3f46bL,0x75f55c1b6c1e2212L,
+        0xe5436f6717655640L } },
+    /* 137 */
+    { { 0x53f9025e2286e8d5L,0x353c95b4864453beL,0xd832f5bde408e3a0L,
+        0x0404f68b5b9ce99eL },
+      { 0xcad33bdea781e8e5L,0x3cdf5018163c2f5bL,0x575769600119caa3L,
+        0x3a4263df0ac1c701L } },
+    /* 138 */
+    { { 0xc2965ecc9aeb596dL,0x01ea03e7023c92b4L,0x4704b4b62e013961L,
+        0x0ca8fd3f905ea367L },
+      { 0x92523a42551b2b61L,0x1eb7a89c390fcd06L,0xe7f1d2be0392a63eL,
+        0x96dca2644ddb0c33L } },
+    /* 139 */
+    { { 0x203bb43a387510afL,0x846feaa8a9a36a01L,0xd23a57702f950378L,
+        0x4363e2123aad59dcL },
+      { 0xca43a1c740246a47L,0xb362b8d2e55dd24dL,0xf9b086045d8faf96L,
+        0x840e115cd8bb98c4L } },
+    /* 140 */
+    { { 0xf12205e21023e8a7L,0xc808a8cdd8dc7a0bL,0xe292a272163a5ddfL,
+        0x5e0d6abd30ded6d4L },
+      { 0x07a721c27cfc0f64L,0x42eec01d0e55ed88L,0x26a7bef91d1f9db2L,
+        0x7dea48f42945a25aL } },
+    /* 141 */
+    { { 0xabdf6f1ce5060a81L,0xe79f9c72f8f95615L,0xcfd36c5406ac268bL,
+        0xabc2a2beebfd16d1L },
+      { 0x8ac66f91d3e2eac7L,0x6f10ba63d2dd0466L,0x6790e3770282d31bL,
+        0x4ea353946c7eefc1L } },
+    /* 142 */
+    { { 0xed8a2f8d5266309dL,0x0a51c6c081945a3eL,0xcecaf45a578c5dc1L,
+        0x3a76e6891c94ffc3L },
+      { 0x9aace8a47d7b0d0fL,0x963ace968f584a5fL,0x51a30c724e697fbeL,
+        0x8212a10a465e6464L } },
+    /* 143 */
+    { { 0xef7c61c3cfab8caaL,0x18eb8e840e142390L,0xcd1dff677e9733caL,
+        0xaa7cab71599cb164L },
+      { 0x02fc9273bc837bd1L,0xc06407d0c36af5d7L,0x17621292f423da49L,
+        0x40e38073fe0617c3L } },
+    /* 144 */
+    { { 0xf4f80824a7bf9b7cL,0x365d23203fbe30d0L,0xbfbe532097cf9ce3L,
+        0xe3604700b3055526L },
+      { 0x4dcb99116cc6c2c7L,0x72683708ba4cbee6L,0xdcded434637ad9ecL,
+        0x6542d677a3dee15fL } },
+    /* 145 */
+    { { 0x3f32b6d07b6c377aL,0x6cb03847903448beL,0xd6fdd3a820da8af7L,
+        0xa6534aee09bb6f21L },
+      { 0x30a1780d1035facfL,0x35e55a339dcb47e6L,0x6ea50fe1c447f393L,
+        0xf3cb672fdc9aef22L } },
+    /* 146 */
+    { { 0xeb3719fe3b55fd83L,0xe0d7a46c875ddd10L,0x33ac9fa905cea784L,
+        0x7cafaa2eaae870e7L },
+      { 0x9b814d041d53b338L,0xe0acc0a0ef87e6c6L,0xfb93d10811672b0fL,
+        0x0aab13c1b9bd522eL } },
+    /* 147 */
+    { { 0xddcce278d2681297L,0xcb350eb1b509546aL,0x2dc431737661aaf2L,
+        0x4b91a602847012e9L },
+      { 0xdcff109572f8ddcfL,0x08ebf61e9a911af4L,0x48f4360ac372430eL,
+        0x49534c5372321cabL } },
+    /* 148 */
+    { { 0x83df7d71f07b7e9dL,0xa478efa313cd516fL,0x78ef264b6c047ee3L,
+        0xcaf46c4fd65ac5eeL },
+      { 0xa04d0c7792aa8266L,0xedf45466913684bbL,0x56e65168ae4b16b0L,
+        0x14ce9e5704c6770fL } },
+    /* 149 */
+    { { 0x99445e3e965e8f91L,0xd3aca1bacb0f2492L,0xd31cc70f90c8a0a0L,
+        0x1bb708a53e4c9a71L },
+      { 0xd5ca9e69558bdd7aL,0x734a0508018a26b1L,0xb093aa714c9cf1ecL,
+        0xf9d126f2da300102L } },
+    /* 150 */
+    { { 0x749bca7aaff9563eL,0xdd077afeb49914a0L,0xe27a0311bf5f1671L,
+        0x807afcb9729ecc69L },
+      { 0x7f8a9337c9b08b77L,0x86c3a785443c7e38L,0x85fafa59476fd8baL,
+        0x751adcd16568cd8cL } },
+    /* 151 */
+    { { 0x8aea38b410715c0dL,0xd113ea718f7697f7L,0x665eab1493fbf06dL,
+        0x29ec44682537743fL },
+      { 0x3d94719cb50bebbcL,0x399ee5bfe4505422L,0x90cd5b3a8d2dedb1L,
+        0xff9370e392a4077dL } },
+    /* 152 */
+    { { 0x59a2d69bc6b75b65L,0x4188f8d5266651c5L,0x28a9f33e3de9d7d2L,
+        0x9776478ba2a9d01aL },
+      { 0x8852622d929af2c7L,0x334f5d6d4e690923L,0xce6cc7e5a89a51e9L,
+        0x74a6313fac2f82faL } },
+    /* 153 */
+    { { 0xb2f4dfddb75f079cL,0x85b07c9518e36fbbL,0x1b6cfcf0e7cd36ddL,
+        0xab75be150ff4863dL },
+      { 0x81b367c0173fc9b7L,0xb90a7420d2594fd0L,0x15fdbf03c4091236L,
+        0x4ebeac2e0b4459f6L } },
+    /* 154 */
+    { { 0xeb6c5fe75c9f2c53L,0xd25220118eae9411L,0xc8887633f95ac5d8L,
+        0xdf99887b2c1baffcL },
+      { 0xbb78eed2850aaecbL,0x9d49181b01d6a272L,0x978dd511b1cdbcacL,
+        0x27b040a7779f4058L } },
+    /* 155 */
+    { { 0x90405db7f73b2eb2L,0xe0df85088e1b2118L,0x501b71525962327eL,
+        0xb393dd37e4cfa3f5L },
+      { 0xa1230e7b3fd75165L,0xd66344c2bcd33554L,0x6c36f1be0f7b5022L,
+        0x09588c12d0463419L } },
+    /* 156 */
+    { { 0xe086093f02601c3bL,0xfb0252f8cf5c335fL,0x955cf280894aff28L,
+        0x81c879a9db9f648bL },
+      { 0x040e687cc6f56c51L,0xfed471693f17618cL,0x44f88a419059353bL,
+        0xfa0d48f55fc11bc4L } },
+    /* 157 */
+    { { 0xbc6e1c9de1608e4dL,0x010dda113582822cL,0xf6b7ddc1157ec2d7L,
+        0x8ea0e156b6a367d6L },
+      { 0xa354e02f2383b3b4L,0x69966b943f01f53cL,0x4ff6632b2de03ca5L,
+        0x3f5ab924fa00b5acL } },
+    /* 158 */
+    { { 0x337bb0d959739efbL,0xc751b0f4e7ebec0dL,0x2da52dd6411a67d1L,
+        0x8bc768872b74256eL },
+      { 0xa5be3b7282d3d253L,0xa9f679a1f58d779fL,0xa1cac168e16767bbL,
+        0xb386f19060fcf34fL } },
+    /* 159 */
+    { { 0x31f3c1352fedcfc2L,0x5396bf6262f8af0dL,0x9a02b4eae57288c2L,
+        0x4cb460f71b069c4dL },
+      { 0xae67b4d35b8095eaL,0x92bbf8596fc07603L,0xe1475f66b614a165L,
+        0x52c0d50895ef5223L } },
+    /* 160 */
+    { { 0x231c210e15339848L,0xe87a28e870778c8dL,0x9d1de6616956e170L,
+        0x4ac3c9382bb09c0bL },
+      { 0x19be05516998987dL,0x8b2376c4ae09f4d6L,0x1de0b7651a3f933dL,
+        0x380d94c7e39705f4L } },
+    /* 161 */
+    { { 0x01a355aa81542e75L,0x96c724a1ee01b9b7L,0x6b3a2977624d7087L,
+        0x2ce3e171de2637afL },
+      { 0xcfefeb49f5d5bc1aL,0xa655607e2777e2b5L,0x4feaac2f9513756cL,
+        0x2e6cd8520b624e4dL } },
+    /* 162 */
+    { { 0x3685954b8c31c31dL,0x68533d005bf21a0cL,0x0bd7626e75c79ec9L,
+        0xca17754742c69d54L },
+      { 0xcc6edafff6d2dbb2L,0xfd0d8cbd174a9d18L,0x875e8793aa4578e8L,
+        0xa976a7139cab2ce6L } },
+    /* 163 */
+    { { 0x0a651f1b93fb353dL,0xd75cab8b57fcfa72L,0xaa88cfa731b15281L,
+        0x8720a7170a1f4999L },
+      { 0x8c3e8d37693e1b90L,0xd345dc0b16f6dfc3L,0x8ea8d00ab52a8742L,
+        0x9719ef29c769893cL } },
+    /* 164 */
+    { { 0x820eed8d58e35909L,0x9366d8dc33ddc116L,0xd7f999d06e205026L,
+        0xa5072976e15704c1L },
+      { 0x002a37eac4e70b2eL,0x84dcf6576890aa8aL,0xcd71bf18645b2a5cL,
+        0x99389c9df7b77725L } },
+    /* 165 */
+    { { 0x238c08f27ada7a4bL,0x3abe9d03fd389366L,0x6b672e89766f512cL,
+        0xa88806aa202c82e4L },
+      { 0x6602044ad380184eL,0xa8cb78c4126a8b85L,0x79d670c0ad844f17L,
+        0x0043bffb4738dcfeL } },
+    /* 166 */
+    { { 0x8d59b5dc36d5192eL,0xacf885d34590b2afL,0x83566d0a11601781L,
+        0x52f3ef01ba6c4866L },
+      { 0x3986732a0edcb64dL,0x0a482c238068379fL,0x16cbe5fa7040f309L,
+        0x3296bd899ef27e75L } },
+    /* 167 */
+    { { 0x476aba89454d81d7L,0x9eade7ef51eb9b3cL,0x619a21cd81c57986L,
+        0x3b90febfaee571e9L },
+      { 0x9393023e5496f7cbL,0x55be41d87fb51bc4L,0x03f1dd4899beb5ceL,
+        0x6e88069d9f810b18L } },
+    /* 168 */
+    { { 0xce37ab11b43ea1dbL,0x0a7ff1a95259d292L,0x851b02218f84f186L,
+        0xa7222beadefaad13L },
+      { 0xa2ac78ec2b0a9144L,0x5a024051f2fa59c5L,0x91d1eca56147ce38L,
+        0xbe94d523bc2ac690L } },
+    /* 169 */
+    { { 0x72f4945e0b226ce7L,0xb8afd747967e8b70L,0xedea46f185a6c63eL,
+        0x7782defe9be8c766L },
+      { 0x760d2aa43db38626L,0x460ae78776f67ad1L,0x341b86fc54499cdbL,
+        0x03838567a2892e4bL } },
+    /* 170 */
+    { { 0x2d8daefd79ec1a0fL,0x3bbcd6fdceb39c97L,0xf5575ffc58f61a95L,
+        0xdbd986c4adf7b420L },
+      { 0x81aa881415f39eb7L,0x6ee2fcf5b98d976cL,0x5465475dcf2f717dL,
+        0x8e24d3c46860bbd0L } },
+    /* 171 */
+    { { 0x749d8e549a587390L,0x12bb194f0cbec588L,0x46e07da4b25983c6L,
+        0x541a99c4407bafc8L },
+      { 0xdb241692624c8842L,0x6044c12ad86c05ffL,0xc59d14b44f7fcf62L,
+        0xc0092c49f57d35d1L } },
+    /* 172 */
+    { { 0xd3cc75c3df2e61efL,0x7e8841c82e1b35caL,0xc62d30d1909f29f4L,
+        0x75e406347286944dL },
+      { 0xe7d41fc5bbc237d0L,0xc9537bf0ec4f01c9L,0x91c51a16282bd534L,
+        0x5b7cb658c7848586L } },
+    /* 173 */
+    { { 0x964a70848a28ead1L,0x802dc508fd3b47f6L,0x9ae4bfd1767e5b39L,
+        0x7ae13eba8df097a1L },
+      { 0xfd216ef8eadd384eL,0x0361a2d9b6b2ff06L,0x204b98784bcdb5f3L,
+        0x787d8074e2a8e3fdL } },
+    /* 174 */
+    { { 0xc5e25d6b757fbb1cL,0xe47bddb2ca201debL,0x4a55e9a36d2233ffL,
+        0x5c2228199ef28484L },
+      { 0x773d4a8588315250L,0x21b21a2b827097c1L,0xab7c4ea1def5d33fL,
+        0xe45d37abbaf0f2b0L } },
+    /* 175 */
+    { { 0xd2df1e3428511c8aL,0xebb229c8bdca6cd3L,0x578a71a7627c39a7L,
+        0xed7bc12284dfb9d3L },
+      { 0xcf22a6df93dea561L,0x5443f18dd48f0ed1L,0xd8b861405bad23e8L,
+        0xaac97cc945ca6d27L } },
+    /* 176 */
+    { { 0xeb54ea74a16bd00aL,0xd839e9adf5c0bcc1L,0x092bb7f11f9bfc06L,
+        0x318f97b31163dc4eL },
+      { 0xecc0c5bec30d7138L,0x44e8df23abc30220L,0x2bb7972fb0223606L,
+        0xfa41faa19a84ff4dL } },
+    /* 177 */
+    { { 0x4402d974a6642269L,0xc81814ce9bb783bdL,0x398d38e47941e60bL,
+        0x38bb6b2c1d26e9e2L },
+      { 0xc64e4a256a577f87L,0x8b52d253dc11fe1cL,0xff336abf62280728L,
+        0x94dd0905ce7601a5L } },
+    /* 178 */
+    { { 0x156cf7dcde93f92aL,0xa01333cb89b5f315L,0x02404df9c995e750L,
+        0x92077867d25c2ae9L },
+      { 0xe2471e010bf39d44L,0x5f2c902096bb53d7L,0x4c44b7b35c9c3d8fL,
+        0x81e8428bd29beb51L } },
+    /* 179 */
+    { { 0x6dd9c2bac477199fL,0x8cb8eeee6b5ecdd9L,0x8af7db3fee40fd0eL,
+        0x1b94ab62dbbfa4b1L },
+      { 0x44f0d8b3ce47f143L,0x51e623fc63f46163L,0xf18f270fcc599383L,
+        0x06a38e28055590eeL } },
+    /* 180 */
+    { { 0x2e5b0139b3355b49L,0x20e26560b4ebf99bL,0xc08ffa6bd269f3dcL,
+        0xa7b36c2083d9d4f8L },
+      { 0x64d15c3a1b3e8830L,0xd5fceae1a89f9c0bL,0xcfeee4a2e2d16930L,
+        0xbe54c6b4a2822a20L } },
+    /* 181 */
+    { { 0xd6cdb3df8d91167cL,0x517c3f79e7a6625eL,0x7105648f346ac7f4L,
+        0xbf30a5abeae022bbL },
+      { 0x8e7785be93828a68L,0x5161c3327f3ef036L,0xe11b5feb592146b2L,
+        0xd1c820de2732d13aL } },
+    /* 182 */
+    { { 0x043e13479038b363L,0x58c11f546b05e519L,0x4fe57abe6026cad1L,
+        0xb7d17bed68a18da3L },
+      { 0x44ca5891e29c2559L,0x4f7a03765bfffd84L,0x498de4af74e46948L,
+        0x3997fd5e6412cc64L } },
+    /* 183 */
+    { { 0xf20746828bd61507L,0x29e132d534a64d2aL,0xffeddfb08a8a15e3L,
+        0x0eeb89293c6c13e8L },
+      { 0xe9b69a3ea7e259f8L,0xce1db7e6d13e7e67L,0x277318f6ad1fa685L,
+        0x228916f8c922b6efL } },
+    /* 184 */
+    { { 0x959ae25b0a12ab5bL,0xcc11171f957bc136L,0x8058429ed16e2b0cL,
+        0xec05ad1d6e93097eL },
+      { 0x157ba5beac3f3708L,0x31baf93530b59d77L,0x47b55237118234e5L,
+        0x7d3141567ff11b37L } },
+    /* 185 */
+    { { 0x7bd9c05cf6dfefabL,0xbe2f2268dcb37707L,0xe53ead973a38bb95L,
+        0xe9ce66fc9bc1d7a3L },
+      { 0x75aa15766f6a02a1L,0x38c087df60e600edL,0xf8947f3468cdc1b9L,
+        0xd9650b0172280651L } },
+    /* 186 */
+    { { 0x504b4c4a5a057e60L,0xcbccc3be8def25e4L,0xa635320817c1ccbdL,
+        0x14d6699a804eb7a2L },
+      { 0x2c8a8415db1f411aL,0x09fbaf0bf80d769cL,0xb4deef901c2f77adL,
+        0x6f4c68410d43598aL } },
+    /* 187 */
+    { { 0x8726df4e96c24a96L,0x534dbc85fcbd99a3L,0x3c466ef28b2ae30aL,
+        0x4c4350fd61189abbL },
+      { 0x2967f716f855b8daL,0x41a42394463c38a1L,0xc37e1413eae93343L,
+        0xa726d2425a3118b5L } },
+    /* 188 */
+    { { 0xdae6b3ee948c1086L,0xf1de503dcbd3a2e1L,0x3f35ed3f03d022f3L,
+        0x13639e82cc6cf392L },
+      { 0x9ac938fbcdafaa86L,0xf45bc5fb2654a258L,0x1963b26e45051329L,
+        0xca9365e1c1a335a3L } },
+    /* 189 */
+    { { 0x3615ac754c3b2d20L,0x742a5417904e241bL,0xb08521c4cc9d071dL,
+        0x9ce29c34970b72a5L },
+      { 0x8cc81f736d3e0ad6L,0x8060da9ef2f8434cL,0x35ed1d1a6ce862d9L,
+        0x48c4abd7ab42af98L } },
+    /* 190 */
+    { { 0xd221b0cc40c7485aL,0xead455bbe5274dbfL,0x493c76989263d2e8L,
+        0x78017c32f67b33cbL },
+      { 0xb9d35769930cb5eeL,0xc0d14e940c408ed2L,0xf8b7bf55272f1a4dL,
+        0x53cd0454de5c1c04L } },
+    /* 191 */
+    { { 0xbcd585fa5d28ccacL,0x5f823e56005b746eL,0x7c79f0a1cd0123aaL,
+        0xeea465c1d3d7fa8fL },
+      { 0x7810659f0551803bL,0x6c0b599f7ce6af70L,0x4195a77029288e70L,
+        0x1b6e42a47ae69193L } },
+    /* 192 */
+    { { 0x2e80937cf67d04c3L,0x1e312be289eeb811L,0x56b5d88792594d60L,
+        0x0224da14187fbd3dL },
+      { 0x87abb8630c5fe36fL,0x580f3c604ef51f5fL,0x964fb1bfb3b429ecL,
+        0x60838ef042bfff33L } },
+    /* 193 */
+    { { 0x432cb2f27e0bbe99L,0x7bda44f304aa39eeL,0x5f497c7a9fa93903L,
+        0x636eb2022d331643L },
+      { 0xfcfd0e6193ae00aaL,0x875a00fe31ae6d2fL,0xf43658a29f93901cL,
+        0x8844eeb639218bacL } },
+    /* 194 */
+    { { 0x114171d26b3bae58L,0x7db3df7117e39f3eL,0xcd37bc7f81a8eadaL,
+        0x27ba83dc51fb789eL },
+      { 0xa7df439ffbf54de5L,0x7277030bb5fe1a71L,0x42ee8e35db297a48L,
+        0xadb62d3487f3a4abL } },
+    /* 195 */
+    { { 0x9b1168a2a175df2aL,0x082aa04f618c32e9L,0xc9e4f2e7146b0916L,
+        0xb990fd7675e7c8b2L },
+      { 0x0829d96b4df37313L,0x1c205579d0b40789L,0x66c9ae4a78087711L,
+        0x81707ef94d10d18dL } },
+    /* 196 */
+    { { 0x97d7cab203d6ff96L,0x5b851bfc0d843360L,0x268823c4d042db4bL,
+        0x3792daead5a8aa5cL },
+      { 0x52818865941afa0bL,0xf3e9e74142d83671L,0x17c825275be4e0a7L,
+        0x5abd635e94b001baL } },
+    /* 197 */
+    { { 0x727fa84e0ac4927cL,0xe3886035a7c8cf23L,0xa4bcd5ea4adca0dfL,
+        0x5995bf21846ab610L },
+      { 0xe90f860b829dfa33L,0xcaafe2ae958fc18bL,0x9b3baf4478630366L,
+        0x44c32ca2d483411eL } },
+    /* 198 */
+    { { 0xa74a97f1e40ed80cL,0x5f938cb131d2ca82L,0x53f2124b7c2d6ad9L,
+        0x1f2162fb8082a54cL },
+      { 0x7e467cc5720b173eL,0x40e8a666085f12f9L,0x8cebc20e4c9d65dcL,
+        0x8f1d402bc3e907c9L } },
+    /* 199 */
+    { { 0x4f592f9cfbc4058aL,0xb15e14b6292f5670L,0xc55cfe37bc1d8c57L,
+        0xb1980f43926edbf9L },
+      { 0x98c33e0932c76b09L,0x1df5279d33b07f78L,0x6f08ead4863bb461L,
+        0x2828ad9b37448e45L } },
+    /* 200 */
+    { { 0x696722c4c4cf4ac5L,0xf5ac1a3fdde64afbL,0x0551baa2e0890832L,
+        0x4973f1275a14b390L },
+      { 0xe59d8335322eac5dL,0x5e07eef50bd9b568L,0xab36720fa2588393L,
+        0x6dac8ed0db168ac7L } },
+    /* 201 */
+    { { 0xf7b545aeeda835efL,0x4aa113d21d10ed51L,0x035a65e013741b09L,
+        0x4b23ef5920b9de4cL },
+      { 0xe82bb6803c4c7341L,0xd457706d3f58bc37L,0x73527863a51e3ee8L,
+        0x4dd71534ddf49a4eL } },
+    /* 202 */
+    { { 0xbf94467295476cd9L,0x648d072fe31a725bL,0x1441c8b8fc4b67e0L,
+        0xfd3170002f4a4dbbL },
+      { 0x1cb43ff48995d0e1L,0x76e695d10ef729aaL,0xe0d5f97641798982L,
+        0x14fac58c9569f365L } },
+    /* 203 */
+    { { 0xad9a0065f312ae18L,0x51958dc0fcc93fc9L,0xd9a142408a7d2846L,
+        0xed7c765136abda50L },
+      { 0x46270f1a25d4abbcL,0x9b5dd8f3f1a113eaL,0xc609b0755b51952fL,
+        0xfefcb7f74d2e9f53L } },
+    /* 204 */
+    { { 0xbd09497aba119185L,0xd54e8c30aac45ba4L,0x492479deaa521179L,
+        0x1801a57e87e0d80bL },
+      { 0x073d3f8dfcafffb0L,0x6cf33c0bae255240L,0x781d763b5b5fdfbcL,
+        0x9f8fc11e1ead1064L } },
+    /* 205 */
+    { { 0x1583a1715e69544cL,0x0eaf8567f04b7813L,0x1e22a8fd278a4c32L,
+        0xa9d3809d3d3a69a9L },
+      { 0x936c2c2c59a2da3bL,0x38ccbcf61895c847L,0x5e65244e63d50869L,
+        0x3006b9aee1178ef7L } },
+    /* 206 */
+    { { 0x0bb1f2b0c9eead28L,0x7eef635d89f4dfbcL,0x074757fdb2ce8939L,
+        0x0ab85fd745f8f761L },
+      { 0xecda7c933e5b4549L,0x4be2bb5c97922f21L,0x261a1274b43b8040L,
+        0xb122d67511e942c2L } },
+    /* 207 */
+    { { 0x3be607be66a5ae7aL,0x01e703fa76adcbe3L,0xaf9043014eb6e5c5L,
+        0x9f599dc1097dbaecL },
+      { 0x6d75b7180ff250edL,0x8eb91574349a20dcL,0x425605a410b227a3L,
+        0x7d5528e08a294b78L } },
+    /* 208 */
+    { { 0xf0f58f6620c26defL,0x025585ea582b2d1eL,0xfbe7d79b01ce3881L,
+        0x28ccea01303f1730L },
+      { 0xd1dabcd179644ba5L,0x1fc643e806fff0b8L,0xa60a76fc66b3e17bL,
+        0xc18baf48a1d013bfL } },
+    /* 209 */
+    { { 0x34e638c85dc4216dL,0x00c01067206142acL,0xd453a17195f5064aL,
+        0x9def809db7a9596bL },
+      { 0x41e8642e67ab8d2cL,0xb42404336237a2b6L,0x7d506a6d64c4218bL,
+        0x0357f8b068808ce5L } },
+    /* 210 */
+    { { 0x8e9dbe644cd2cc88L,0xcc61c28df0b8f39dL,0x4a309874cd30a0c8L,
+        0xe4a01add1b489887L },
+      { 0x2ed1eeacf57cd8f9L,0x1b767d3ebd594c48L,0xa7295c717bd2f787L,
+        0x466d7d79ce10cc30L } },
+    /* 211 */
+    { { 0x47d318929dada2c7L,0x4fa0a6c38f9aa27dL,0x90e4fd28820a59e1L,
+        0xc672a522451ead1aL },
+      { 0x30607cc85d86b655L,0xf0235d3bf9ad4af1L,0x99a08680571172a6L,
+        0x5e3d64faf2a67513L } },
+    /* 212 */
+    { { 0xaa6410c79b3b4416L,0xcd8fcf85eab26d99L,0x5ebff74adb656a74L,
+        0x6c8a7a95eb8e42fcL },
+      { 0x10c60ba7b02a63bdL,0x6b2f23038b8f0047L,0x8c6c3738312d90b0L,
+        0x348ae422ad82ca91L } },
+    /* 213 */
+    { { 0x7f4746635ccda2fbL,0x22accaa18e0726d2L,0x85adf782492b1f20L,
+        0xc1074de0d9ef2d2eL },
+      { 0xfcf3ce44ae9a65b3L,0xfd71e4ac05d7151bL,0xd4711f50ce6a9788L,
+        0xfbadfbdbc9e54ffcL } },
+    /* 214 */
+    { { 0x1713f1cd20a99363L,0xb915658f6cf22775L,0x968175cd24d359b2L,
+        0xb7f976b483716fcdL },
+      { 0x5758e24d5d6dbf74L,0x8d23bafd71c3af36L,0x48f477600243dfe3L,
+        0xf4d41b2ecafcc805L } },
+    /* 215 */
+    { { 0x51f1cf28fdabd48dL,0xce81be3632c078a4L,0x6ace2974117146e9L,
+        0x180824eae0160f10L },
+      { 0x0387698b66e58358L,0x63568752ce6ca358L,0x82380e345e41e6c5L,
+        0x67e5f63983cf6d25L } },
+    /* 216 */
+    { { 0xf89ccb8dcf4899efL,0x949015f09ebb44c0L,0x546f9276b2598ec9L,
+        0x9fef789a04c11fc6L },
+      { 0x6d367ecf53d2a071L,0xb10e1a7fa4519b09L,0xca6b3fb0611e2eefL,
+        0xbc80c181a99c4e20L } },
+    /* 217 */
+    { { 0x972536f8e5eb82e6L,0x1a484fc7f56cb920L,0xc78e217150b5da5eL,
+        0x49270e629f8cdf10L },
+      { 0x1a39b7bbea6b50adL,0x9a0284c1a2388ffcL,0x5403eb178107197bL,
+        0xd2ee52f961372f7fL } },
+    /* 218 */
+    { { 0xd37cd28588e0362aL,0x442fa8a78fa5d94dL,0xaff836e5a434a526L,
+        0xdfb478bee5abb733L },
+      { 0xa91f1ce7673eede6L,0xa5390ad42b5b2f04L,0x5e66f7bf5530da2fL,
+        0xd9a140b408df473aL } },
+    /* 219 */
+    { { 0x0e0221b56e8ea498L,0x623478293563ee09L,0xe06b8391335d2adeL,
+        0x760c058d623f4b1aL },
+      { 0x0b89b58cc198aa79L,0xf74890d2f07aba7fL,0x4e204110fde2556aL,
+        0x7141982d8f190409L } },
+    /* 220 */
+    { { 0x6f0a0e334d4b0f45L,0xd9280b38392a94e1L,0x3af324c6b3c61d5eL,
+        0x3af9d1ce89d54e47L },
+      { 0xfd8f798120930371L,0xeda2664c21c17097L,0x0e9545dcdc42309bL,
+        0xb1f815c373957dd6L } },
+    /* 221 */
+    { { 0x84faa78e89fec44aL,0xc8c2ae473caa4cafL,0x691c807dc1b6a624L,
+        0xa41aed141543f052L },
+      { 0x424353997d5ffe04L,0x8bacb2df625b6e20L,0x85d660be87817775L,
+        0xd6e9c1dd86fb60efL } },
+    /* 222 */
+    { { 0x3aa2e97ec6853264L,0x771533b7e2304a0bL,0x1b912bb7b8eae9beL,
+        0x9c9c6e10ae9bf8c2L },
+      { 0xa2309a59e030b74cL,0x4ed7494d6a631e90L,0x89f44b23a49b79f2L,
+        0x566bd59640fa61b6L } },
+    /* 223 */
+    { { 0x066c0118c18061f3L,0x190b25d37c83fc70L,0xf05fc8e027273245L,
+        0xcf2c7390f525345eL },
+      { 0xa09bceb410eb30cfL,0xcfd2ebba0d77703aL,0xe842c43a150ff255L,
+        0x02f517558aa20979L } },
+    /* 224 */
+    { { 0x396ef794addb7d07L,0x0b4fc74224455500L,0xfaff8eacc78aa3ceL,
+        0x14e9ada5e8d4d97dL },
+      { 0xdaa480a12f7079e2L,0x45baa3cde4b0800eL,0x01765e2d7838157dL,
+        0xa0ad4fab8e9d9ae8L } },
+    /* 225 */
+    { { 0x0bfb76214a653618L,0x1872813c31eaaa5fL,0x1553e73744949d5eL,
+        0xbcd530b86e56ed1eL },
+      { 0x169be85332e9c47bL,0xdc2776feb50059abL,0xcdba9761192bfbb4L,
+        0x909283cf6979341dL } },
+    /* 226 */
+    { { 0x67b0032476e81a13L,0x9bee1a9962171239L,0x08ed361bd32e19d6L,
+        0x35eeb7c9ace1549aL },
+      { 0x1280ae5a7e4e5bdcL,0x2dcd2cd3b6ceec6eL,0x52e4224c6e266bc1L,
+        0x9a8b2cf4448ae864L } },
+    /* 227 */
+    { { 0xf6471bf209d03b59L,0xc90e62a3b65af2abL,0xff7ff168ebd5eec9L,
+        0x6bdb60f4d4491379L },
+      { 0xdadafebc8a55bc30L,0xc79ead1610097fe0L,0x42e197414c1e3bddL,
+        0x01ec3cfd94ba08a9L } },
+    /* 228 */
+    { { 0xba6277ebdc9485c2L,0x48cc9a7922fb10c7L,0x4f61d60f70a28d8aL,
+        0xd1acb1c0475464f6L },
+      { 0xd26902b126f36612L,0x59c3a44ee0618d8bL,0x4df8a813308357eeL,
+        0x7dcd079d405626c2L } },
+    /* 229 */
+    { { 0x5ce7d4d3f05a4b48L,0xadcd295237230772L,0xd18f7971812a915aL,
+        0x0bf53589377d19b8L },
+      { 0x35ecd95a6c68ea73L,0xc7f3bbca823a584dL,0x9fb674c6f473a723L,
+        0xd28be4d9e16686fcL } },
+    /* 230 */
+    { { 0x5d2b990638fa8e4bL,0x559f186e893fd8fcL,0x3a6de2aa436fb6fcL,
+        0xd76007aa510f88ceL },
+      { 0x2d10aab6523a4988L,0xb455cf4474dd0273L,0x7f467082a3407278L,
+        0xf2b52f68b303bb01L } },
+    /* 231 */
+    { { 0x0d57eafa9835b4caL,0x2d2232fcbb669cbcL,0x8eeeb680c6643198L,
+        0xd8dbe98ecc5aed3aL },
+      { 0xcba9be3fc5a02709L,0x30be68e5f5ba1fa8L,0xfebd43cdf10ea852L,
+        0xe01593a3ee559705L } },
+    /* 232 */
+    { { 0xd3e5af50ea75a0a6L,0x512226ac57858033L,0x6fe6d50fd0176406L,
+        0xafec07b1aeb8ef06L },
+      { 0x7fb9956780bb0a31L,0x6f1af3cc37309aaeL,0x9153a15a01abf389L,
+        0xa71b93546e2dbfddL } },
+    /* 233 */
+    { { 0xbf8e12e018f593d2L,0xd1a90428a078122bL,0x150505db0ba4f2adL,
+        0x53a2005c628523d9L },
+      { 0x07c8b639e7f2b935L,0x2bff975ac182961aL,0x86bceea77518ca2cL,
+        0xbf47d19b3d588e3dL } },
+    /* 234 */
+    { { 0x672967a7dd7665d5L,0x4e3030572f2f4de5L,0x144005ae80d4903fL,
+        0x001c2c7f39c9a1b6L },
+      { 0x143a801469efc6d6L,0xc810bdaa7bc7a724L,0x5f65670ba78150a4L,
+        0xfdadf8e786ffb99bL } },
+    /* 235 */
+    { { 0xfd38cb88ffc00785L,0x77fa75913b48eb67L,0x0454d055bf368fbcL,
+        0x3a838e4d5aa43c94L },
+      { 0x561663293e97bb9aL,0x9eb93363441d94d9L,0x515591a60adb2a83L,
+        0x3cdb8257873e1da3L } },
+    /* 236 */
+    { { 0x137140a97de77eabL,0xf7e1c50d41648109L,0x762dcad2ceb1d0dfL,
+        0x5a60cc89f1f57fbaL },
+      { 0x80b3638240d45673L,0x1b82be195913c655L,0x057284b8dd64b741L,
+        0x922ff56fdbfd8fc0L } },
+    /* 237 */
+    { { 0x1b265deec9a129a1L,0xa5b1ce57cc284e04L,0x04380c46cebfbe3cL,
+        0x72919a7df6c5cd62L },
+      { 0x298f453a8fb90f9aL,0xd719c00b88e4031bL,0xe32c0e77796f1856L,
+        0x5e7917803624089aL } },
+    /* 238 */
+    { { 0x5c16ec557f63cdfbL,0x8e6a3571f1cae4fdL,0xfce26bea560597caL,
+        0x4e0a5371e24c2fabL },
+      { 0x276a40d3a5765357L,0x3c89af440d73a2b4L,0xb8f370ae41d11a32L,
+        0xf5ff7818d56604eeL } },
+    /* 239 */
+    { { 0xfbf3e3fe1a09df21L,0x26d5d28ee66e8e47L,0x2096bd0a29c89015L,
+        0xe41df0e9533f5e64L },
+      { 0x305fda40b3ba9e3fL,0xf2340ceb2604d895L,0x0866e1927f0367c7L,
+        0x8edd7d6eac4f155fL } },
+    /* 240 */
+    { { 0xc9a1dc0e0bfc8ff3L,0x14efd82be936f42fL,0x67016f7ccca381efL,
+        0x1432c1caed8aee96L },
+      { 0xec68482970b23c26L,0xa64fe8730735b273L,0xe389f6e5eaef0f5aL,
+        0xcaef480b5ac8d2c6L } },
+    /* 241 */
+    { { 0x5245c97875315922L,0xd82951713063cca5L,0xf3ce60d0b64ef2cbL,
+        0xd0ba177e8efae236L },
+      { 0x53a9ae8fb1b3af60L,0x1a796ae53d2da20eL,0x01d63605df9eef28L,
+        0xf31c957c1c54ae16L } },
+    /* 242 */
+    { { 0xc0f58d5249cc4597L,0xdc5015b0bae0a028L,0xefc5fc55734a814aL,
+        0x013404cb96e17c3aL },
+      { 0xb29e2585c9a824bfL,0xd593185e001eaed7L,0x8d6ee68261ef68acL,
+        0x6f377c4b91933e6cL } },
+    /* 243 */
+    { { 0x9f93bad1a8333fd2L,0xa89302025a2a95b8L,0x211e5037eaf75aceL,
+        0x6dba3e4ed2d09506L },
+      { 0xa48ef98cd04399cdL,0x1811c66ee6b73adeL,0x72f60752c17ecaf3L,
+        0xf13cf3423becf4a7L } },
+    /* 244 */
+    { { 0xceeb9ec0a919e2ebL,0x83a9a195f62c0f68L,0xcfba3bb67aba2299L,
+        0xc83fa9a9274bbad3L },
+      { 0x0d7d1b0b62fa1ce0L,0xe58b60f53418efbfL,0xbfa8ef9e52706f04L,
+        0xb49d70f45d702683L } },
+    /* 245 */
+    { { 0x914c7510fad5513bL,0x05f32eecb1751e2dL,0x6d850418d9fb9d59L,
+        0x59cfadbb0c30f1cfL },
+      { 0xe167ac2355cb7fd6L,0x249367b8820426a3L,0xeaeec58c90a78864L,
+        0x5babf362354a4b67L } },
+    /* 246 */
+    { { 0x37c981d1ee424865L,0x8b002878f2e5577fL,0x702970f1b9e0c058L,
+        0x6188c6a79026c8f0L },
+      { 0x06f9a19bd0f244daL,0x1ecced5cfb080873L,0x35470f9b9f213637L,
+        0x993fe475df50b9d9L } },
+    /* 247 */
+    { { 0x68e31cdf9b2c3609L,0x84eb19c02c46d4eaL,0x7ac9ec1a9a775101L,
+        0x81f764664c80616bL },
+      { 0x1d7c2a5a75fbe978L,0x6743fed3f183b356L,0x838d1f04501dd2bfL,
+        0x564a812a5fe9060dL } },
+    /* 248 */
+    { { 0x7a5a64f4fa817d1dL,0x55f96844bea82e0fL,0xb5ff5a0fcd57f9aaL,
+        0x226bf3cf00e51d6cL },
+      { 0xd6d1a9f92f2833cfL,0x20a0a35a4f4f89a8L,0x11536c498f3f7f77L,
+        0x68779f47ff257836L } },
+    /* 249 */
+    { { 0x79b0c1c173043d08L,0xa54467741fc020faL,0xd3767e289a6d26d0L,
+        0x97bcb0d1eb092e0bL },
+      { 0x2ab6eaa8f32ed3c3L,0xc8a4f151b281bc48L,0x4d1bf4f3bfa178f3L,
+        0xa872ffe80a784655L } },
+    /* 250 */
+    { { 0xb1ab7935a32b2086L,0xe1eb710e8160f486L,0x9bd0cd913b6ae6beL,
+        0x02812bfcb732a36aL },
+      { 0xa63fd7cacf605318L,0x646e5d50fdfd6d1dL,0xa1d683982102d619L,
+        0x07391cc9fe5396afL } },
+    /* 251 */
+    { { 0xc50157f08b80d02bL,0x6b8333d162877f7fL,0x7aca1af878d542aeL,
+        0x355d2adc7e6d2a08L },
+      { 0xb41f335a287386e1L,0xfd272a94f8e43275L,0x286ca2cde79989eaL,
+        0x3dc2b1e37c2a3a79L } },
+    /* 252 */
+    { { 0xd689d21c04581352L,0x0a00c825376782beL,0x203bd5909fed701fL,
+        0xc47869103ccd846bL },
+      { 0x5dba770824c768edL,0x72feea026841f657L,0x73313ed56accce0eL,
+        0xccc42968d5bb4d32L } },
+    /* 253 */
+    { { 0x94e50de13d7620b9L,0xd89a5c8a5992a56aL,0xdc007640675487c9L,
+        0xe147eb42aa4871cfL },
+      { 0x274ab4eeacf3ae46L,0xfd4936fb50350fbeL,0xdf2afe4748c840eaL,
+        0x239ac047080e96e3L } },
+    /* 254 */
+    { { 0x481d1f352bfee8d4L,0xce80b5cffa7b0fecL,0x105c4c9e2ce9af3cL,
+        0xc55fa1a3f5f7e59dL },
+      { 0x3186f14e8257c227L,0xc5b1653f342be00bL,0x09afc998aa904fb2L,
+        0x094cd99cd4f4b699L } },
+    /* 255 */
+    { { 0x8a981c84d703bebaL,0x8631d15032ceb291L,0xa445f2c9e3bd49ecL,
+        0xb90a30b642abad33L },
+      { 0xb465404fb4a5abf9L,0x004750c375db7603L,0x6f9a42ccca35d89fL,
+        0x019f8b9a1b7924f7L } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_4(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#else
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_4_7[130] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
+    48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
+    64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49,
+    48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_4_7[130] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_256_ecc_recode_7_4(const sp_digit* k, ecc_recode_256* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<37; i++) {
+        y = n;
+        if (o + 7 < 64) {
+            y &= 0x7f;
+            n >>= 7;
+            o += 7;
+        }
+        else if (o + 7 == 64) {
+            n >>= 7;
+            if (++j < 4)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 4) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x7f;
+            o -= 57;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_4_7[y];
+        v[i].neg = recode_neg_4_7[y];
+        carry = (y >> 7) + v[i].neg;
+    }
+}
+
+static const sp_table_entry_256 p256_table[2405] = {
+    /* 0 << 0 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 0 */
+    { { 0x79e730d418a9143cL,0x75ba95fc5fedb601L,0x79fb732b77622510L,
+        0x18905f76a53755c6L },
+      { 0xddf25357ce95560aL,0x8b4ab8e4ba19e45cL,0xd2e88688dd21f325L,
+        0x8571ff1825885d85L } },
+    /* 2 << 0 */
+    { { 0x850046d410ddd64dL,0xaa6ae3c1a433827dL,0x732205038d1490d9L,
+        0xf6bb32e43dcf3a3bL },
+      { 0x2f3648d361bee1a5L,0x152cd7cbeb236ff8L,0x19a8fb0e92042dbeL,
+        0x78c577510a5b8a3bL } },
+    /* 3 << 0 */
+    { { 0xffac3f904eebc127L,0xb027f84a087d81fbL,0x66ad77dd87cbbc98L,
+        0x26936a3fb6ff747eL },
+      { 0xb04c5c1fc983a7ebL,0x583e47ad0861fe1aL,0x788208311a2ee98eL,
+        0xd5f06a29e587cc07L } },
+    /* 4 << 0 */
+    { { 0x74b0b50d46918dccL,0x4650a6edc623c173L,0x0cdaacace8100af2L,
+        0x577362f541b0176bL },
+      { 0x2d96f24ce4cbaba6L,0x17628471fad6f447L,0x6b6c36dee5ddd22eL,
+        0x84b14c394c5ab863L } },
+    /* 5 << 0 */
+    { { 0xbe1b8aaec45c61f5L,0x90ec649a94b9537dL,0x941cb5aad076c20cL,
+        0xc9079605890523c8L },
+      { 0xeb309b4ae7ba4f10L,0x73c568efe5eb882bL,0x3540a9877e7a1f68L,
+        0x73a076bb2dd1e916L } },
+    /* 6 << 0 */
+    { { 0x403947373e77664aL,0x55ae744f346cee3eL,0xd50a961a5b17a3adL,
+        0x13074b5954213673L },
+      { 0x93d36220d377e44bL,0x299c2b53adff14b5L,0xf424d44cef639f11L,
+        0xa4c9916d4a07f75fL } },
+    /* 7 << 0 */
+    { { 0x0746354ea0173b4fL,0x2bd20213d23c00f7L,0xf43eaab50c23bb08L,
+        0x13ba5119c3123e03L },
+      { 0x2847d0303f5b9d4dL,0x6742f2f25da67bddL,0xef933bdc77c94195L,
+        0xeaedd9156e240867L } },
+    /* 8 << 0 */
+    { { 0x27f14cd19499a78fL,0x462ab5c56f9b3455L,0x8f90f02af02cfc6bL,
+        0xb763891eb265230dL },
+      { 0xf59da3a9532d4977L,0x21e3327dcf9eba15L,0x123c7b84be60bbf0L,
+        0x56ec12f27706df76L } },
+    /* 9 << 0 */
+    { { 0x75c96e8f264e20e8L,0xabe6bfed59a7a841L,0x2cc09c0444c8eb00L,
+        0xe05b3080f0c4e16bL },
+      { 0x1eb7777aa45f3314L,0x56af7bedce5d45e3L,0x2b6e019a88b12f1aL,
+        0x086659cdfd835f9bL } },
+    /* 10 << 0 */
+    { { 0x2c18dbd19dc21ec8L,0x98f9868a0fcf8139L,0x737d2cd648250b49L,
+        0xcc61c94724b3428fL },
+      { 0x0c2b407880dd9e76L,0xc43a8991383fbe08L,0x5f7d2d65779be5d2L,
+        0x78719a54eb3b4ab5L } },
+    /* 11 << 0 */
+    { { 0xea7d260a6245e404L,0x9de407956e7fdfe0L,0x1ff3a4158dac1ab5L,
+        0x3e7090f1649c9073L },
+      { 0x1a7685612b944e88L,0x250f939ee57f61c8L,0x0c0daa891ead643dL,
+        0x68930023e125b88eL } },
+    /* 12 << 0 */
+    { { 0x04b71aa7d2697768L,0xabdedef5ca345a33L,0x2409d29dee37385eL,
+        0x4ee1df77cb83e156L },
+      { 0x0cac12d91cbb5b43L,0x170ed2f6ca895637L,0x28228cfa8ade6d66L,
+        0x7ff57c9553238acaL } },
+    /* 13 << 0 */
+    { { 0xccc425634b2ed709L,0x0e356769856fd30dL,0xbcbcd43f559e9811L,
+        0x738477ac5395b759L },
+      { 0x35752b90c00ee17fL,0x68748390742ed2e3L,0x7cd06422bd1f5bc1L,
+        0xfbc08769c9e7b797L } },
+    /* 14 << 0 */
+    { { 0xa242a35bb0cf664aL,0x126e48f77f9707e3L,0x1717bf54c6832660L,
+        0xfaae7332fd12c72eL },
+      { 0x27b52db7995d586bL,0xbe29569e832237c2L,0xe8e4193e2a65e7dbL,
+        0x152706dc2eaa1bbbL } },
+    /* 15 << 0 */
+    { { 0x72bcd8b7bc60055bL,0x03cc23ee56e27e4bL,0xee337424e4819370L,
+        0xe2aa0e430ad3da09L },
+      { 0x40b8524f6383c45dL,0xd766355442a41b25L,0x64efa6de778a4797L,
+        0x2042170a7079adf4L } },
+    /* 16 << 0 */
+    { { 0x808b0b650bc6fb80L,0x5882e0753ffe2e6bL,0xd5ef2f7c2c83f549L,
+        0x54d63c809103b723L },
+      { 0xf2f11bd652a23f9bL,0x3670c3194b0b6587L,0x55c4623bb1580e9eL,
+        0x64edf7b201efe220L } },
+    /* 17 << 0 */
+    { { 0x97091dcbd53c5c9dL,0xf17624b6ac0a177bL,0xb0f139752cfe2dffL,
+        0xc1a35c0a6c7a574eL },
+      { 0x227d314693e79987L,0x0575bf30e89cb80eL,0x2f4e247f0d1883bbL,
+        0xebd512263274c3d0L } },
+    /* 18 << 0 */
+    { { 0x5f3e51c856ada97aL,0x4afc964d8f8b403eL,0xa6f247ab412e2979L,
+        0x675abd1b6f80ebdaL },
+      { 0x66a2bd725e485a1dL,0x4b2a5caf8f4f0b3cL,0x2626927f1b847bbaL,
+        0x6c6fc7d90502394dL } },
+    /* 19 << 0 */
+    { { 0xfea912baa5659ae8L,0x68363aba25e1a16eL,0xb8842277752c41acL,
+        0xfe545c282897c3fcL },
+      { 0x2d36e9e7dc4c696bL,0x5806244afba977c5L,0x85665e9be39508c1L,
+        0xf720ee256d12597bL } },
+    /* 20 << 0 */
+    { { 0x8a979129d2337a31L,0x5916868f0f862bdcL,0x048099d95dd283baL,
+        0xe2d1eeb6fe5bfb4eL },
+      { 0x82ef1c417884005dL,0xa2d4ec17ffffcbaeL,0x9161c53f8aa95e66L,
+        0x5ee104e1c5fee0d0L } },
+    /* 21 << 0 */
+    { { 0x562e4cecc135b208L,0x74e1b2654783f47dL,0x6d2a506c5a3f3b30L,
+        0xecead9f4c16762fcL },
+      { 0xf29dd4b2e286e5b9L,0x1b0fadc083bb3c61L,0x7a75023e7fac29a4L,
+        0xc086d5f1c9477fa3L } },
+    /* 22 << 0 */
+    { { 0x0fc611352f6f3076L,0xc99ffa23e3912a9aL,0x6a0b0685d2f8ba3dL,
+        0xfdc777e8e93358a4L },
+      { 0x94a787bb35415f04L,0x640c2d6a4d23fea4L,0x9de917da153a35b5L,
+        0x793e8d075d5cd074L } },
+    /* 23 << 0 */
+    { { 0xf4f876532de45068L,0x37c7a7e89e2e1f6eL,0xd0825fa2a3584069L,
+        0xaf2cea7c1727bf42L },
+      { 0x0360a4fb9e4785a9L,0xe5fda49c27299f4aL,0x48068e1371ac2f71L,
+        0x83d0687b9077666fL } },
+    /* 24 << 0 */
+    { { 0x6d3883b215d02819L,0x6d0d755040dd9a35L,0x61d7cbf91d2b469fL,
+        0xf97b232f2efc3115L },
+      { 0xa551d750b24bcbc7L,0x11ea494988a1e356L,0x7669f03193cb7501L,
+        0x595dc55eca737b8aL } },
+    /* 25 << 0 */
+    { { 0xa4a319acd837879fL,0x6fc1b49eed6b67b0L,0xe395993332f1f3afL,
+        0x966742eb65432a2eL },
+      { 0x4b8dc9feb4966228L,0x96cc631243f43950L,0x12068859c9b731eeL,
+        0x7b948dc356f79968L } },
+    /* 26 << 0 */
+    { { 0x61e4ad32ed1f8008L,0xe6c9267ad8b17538L,0x1ac7c5eb857ff6fbL,
+        0x994baaa855f2fb10L },
+      { 0x84cf14e11d248018L,0x5a39898b628ac508L,0x14fde97b5fa944f5L,
+        0xed178030d12e5ac7L } },
+    /* 27 << 0 */
+    { { 0x042c2af497e2feb4L,0xd36a42d7aebf7313L,0x49d2c9eb084ffdd7L,
+        0x9f8aa54b2ef7c76aL },
+      { 0x9200b7ba09895e70L,0x3bd0c66fddb7fb58L,0x2d97d10878eb4cbbL,
+        0x2d431068d84bde31L } },
+    /* 28 << 0 */
+    { { 0x4b523eb7172ccd1fL,0x7323cb2830a6a892L,0x97082ec0cfe153ebL,
+        0xe97f6b6af2aadb97L },
+      { 0x1d3d393ed1a83da1L,0xa6a7f9c7804b2a68L,0x4a688b482d0cb71eL,
+        0xa9b4cc5f40585278L } },
+    /* 29 << 0 */
+    { { 0x5e5db46acb66e132L,0xf1be963a0d925880L,0x944a70270317b9e2L,
+        0xe266f95948603d48L },
+      { 0x98db66735c208899L,0x90472447a2fb18a3L,0x8a966939777c619fL,
+        0x3798142a2a3be21bL } },
+    /* 30 << 0 */
+    { { 0xb4241cb13298b343L,0xa3a14e49b44f65a1L,0xc5f4d6cd3ac77acdL,
+        0xd0288cb552b6fc3cL },
+      { 0xd5cc8c2f1c040abcL,0xb675511e06bf9b4aL,0xd667da379b3aa441L,
+        0x460d45ce51601f72L } },
+    /* 31 << 0 */
+    { { 0xe2f73c696755ff89L,0xdd3cf7e7473017e6L,0x8ef5689d3cf7600dL,
+        0x948dc4f8b1fc87b4L },
+      { 0xd9e9fe814ea53299L,0x2d921ca298eb6028L,0xfaecedfd0c9803fcL,
+        0xf38ae8914d7b4745L } },
+    /* 32 << 0 */
+    { { 0xd8c5fccfc5e3a3d8L,0xbefd904c4079dfbfL,0xbc6d6a58fead0197L,
+        0x39227077695532a4L },
+      { 0x09e23e6ddbef42f5L,0x7e449b64480a9908L,0x7b969c1aad9a2e40L,
+        0x6231d7929591c2a4L } },
+    /* 33 << 0 */
+    { { 0x871514560f664534L,0x85ceae7c4b68f103L,0xac09c4ae65578ab9L,
+        0x33ec6868f044b10cL },
+      { 0x6ac4832b3a8ec1f1L,0x5509d1285847d5efL,0xf909604f763f1574L,
+        0xb16c4303c32f63c4L } },
+    /* 34 << 0 */
+    { { 0xb6ab20147ca23cd3L,0xcaa7a5c6a391849dL,0x5b0673a375678d94L,
+        0xc982ddd4dd303e64L },
+      { 0xfd7b000b5db6f971L,0xbba2cb1f6f876f92L,0xc77332a33c569426L,
+        0xa159100c570d74f8L } },
+    /* 35 << 0 */
+    { { 0xfd16847fdec67ef5L,0x742ee464233e76b7L,0x0b8e4134efc2b4c8L,
+        0xca640b8642a3e521L },
+      { 0x653a01908ceb6aa9L,0x313c300c547852d5L,0x24e4ab126b237af7L,
+        0x2ba901628bb47af8L } },
+    /* 36 << 0 */
+    { { 0x3d5e58d6a8219bb7L,0xc691d0bd1b06c57fL,0x0ae4cb10d257576eL,
+        0x3569656cd54a3dc3L },
+      { 0xe5ebaebd94cda03aL,0x934e82d3162bfe13L,0x450ac0bae251a0c6L,
+        0x480b9e11dd6da526L } },
+    /* 37 << 0 */
+    { { 0x00467bc58cce08b5L,0xb636458c7f178d55L,0xc5748baea677d806L,
+        0x2763a387dfa394ebL },
+      { 0xa12b448a7d3cebb6L,0xe7adda3e6f20d850L,0xf63ebce51558462cL,
+        0x58b36143620088a8L } },
+    /* 38 << 0 */
+    { { 0x8a2cc3ca4d63c0eeL,0x512331170fe948ceL,0x7463fd85222ef33bL,
+        0xadf0c7dc7c603d6cL },
+      { 0x0ec32d3bfe7765e5L,0xccaab359bf380409L,0xbdaa84d68e59319cL,
+        0xd9a4c2809c80c34dL } },
+    /* 39 << 0 */
+    { { 0xa9d89488a059c142L,0x6f5ae714ff0b9346L,0x068f237d16fb3664L,
+        0x5853e4c4363186acL },
+      { 0xe2d87d2363c52f98L,0x2ec4a76681828876L,0x47b864fae14e7b1cL,
+        0x0c0bc0e569192408L } },
+    /* 40 << 0 */
+    { { 0xe4d7681db82e9f3eL,0x83200f0bdf25e13cL,0x8909984c66f27280L,
+        0x462d7b0075f73227L },
+      { 0xd90ba188f2651798L,0x74c6e18c36ab1c34L,0xab256ea35ef54359L,
+        0x03466612d1aa702fL } },
+    /* 41 << 0 */
+    { { 0x624d60492ed22e91L,0x6fdfe0b56f072822L,0xeeca111539ce2271L,
+        0x98100a4fdb01614fL },
+      { 0xb6b0daa2a35c628fL,0xb6f94d2ec87e9a47L,0xc67732591d57d9ceL,
+        0xf70bfeec03884a7bL } },
+    /* 42 << 0 */
+    { { 0x5fb35ccfed2bad01L,0xa155cbe31da6a5c7L,0xc2e2594c30a92f8fL,
+        0x649c89ce5bfafe43L },
+      { 0xd158667de9ff257aL,0x9b359611f32c50aeL,0x4b00b20b906014cfL,
+        0xf3a8cfe389bc7d3dL } },
+    /* 43 << 0 */
+    { { 0x4ff23ffd248a7d06L,0x80c5bfb4878873faL,0xb7d9ad9005745981L,
+        0x179c85db3db01994L },
+      { 0xba41b06261a6966cL,0x4d82d052eadce5a8L,0x9e91cd3ba5e6a318L,
+        0x47795f4f95b2dda0L } },
+    /* 44 << 0 */
+    { { 0xecfd7c1fd55a897cL,0x009194abb29110fbL,0x5f0e2046e381d3b0L,
+        0x5f3425f6a98dd291L },
+      { 0xbfa06687730d50daL,0x0423446c4b083b7fL,0x397a247dd69d3417L,
+        0xeb629f90387ba42aL } },
+    /* 45 << 0 */
+    { { 0x1ee426ccd5cd79bfL,0x0032940b946c6e18L,0x1b1e8ae057477f58L,
+        0xe94f7d346d823278L },
+      { 0xc747cb96782ba21aL,0xc5254469f72b33a5L,0x772ef6dec7f80c81L,
+        0xd73acbfe2cd9e6b5L } },
+    /* 46 << 0 */
+    { { 0x4075b5b149ee90d9L,0x785c339aa06e9ebaL,0xa1030d5babf825e0L,
+        0xcec684c3a42931dcL },
+      { 0x42ab62c9c1586e63L,0x45431d665ab43f2bL,0x57c8b2c055f7835dL,
+        0x033da338c1b7f865L } },
+    /* 47 << 0 */
+    { { 0x283c7513caa76097L,0x0a624fa936c83906L,0x6b20afec715af2c7L,
+        0x4b969974eba78bfdL },
+      { 0x220755ccd921d60eL,0x9b944e107baeca13L,0x04819d515ded93d4L,
+        0x9bbff86e6dddfd27L } },
+    /* 48 << 0 */
+    { { 0x6b34413077adc612L,0xa7496529bbd803a0L,0x1a1baaa76d8805bdL,
+        0xc8403902470343adL },
+      { 0x39f59f66175adff1L,0x0b26d7fbb7d8c5b7L,0xa875f5ce529d75e3L,
+        0x85efc7e941325cc2L } },
+    /* 49 << 0 */
+    { { 0x21950b421ff6acd3L,0xffe7048453dc6909L,0xff4cd0b228766127L,
+        0xabdbe6084fb7db2bL },
+      { 0x837c92285e1109e8L,0x26147d27f4645b5aL,0x4d78f592f7818ed8L,
+        0xd394077ef247fa36L } },
+    /* 50 << 0 */
+    { { 0x0fb9c2d0488c171aL,0xa78bfbaa13685278L,0xedfbe268d5b1fa6aL,
+        0x0dceb8db2b7eaba7L },
+      { 0xbf9e80899ae2b710L,0xefde7ae6a4449c96L,0x43b7716bcc143a46L,
+        0xd7d34194c3628c13L } },
+    /* 51 << 0 */
+    { { 0x508cec1c3b3f64c9L,0xe20bc0ba1e5edf3fL,0xda1deb852f4318d4L,
+        0xd20ebe0d5c3fa443L },
+      { 0x370b4ea773241ea3L,0x61f1511c5e1a5f65L,0x99a5e23d82681c62L,
+        0xd731e383a2f54c2dL } },
+    /* 52 << 0 */
+    { { 0x2692f36e83445904L,0x2e0ec469af45f9c0L,0x905a3201c67528b7L,
+        0x88f77f34d0e5e542L },
+      { 0xf67a8d295864687cL,0x23b92eae22df3562L,0x5c27014b9bbec39eL,
+        0x7ef2f2269c0f0f8dL } },
+    /* 53 << 0 */
+    { { 0x97359638546c4d8dL,0x5f9c3fc492f24679L,0x912e8beda8c8acd9L,
+        0xec3a318d306634b0L },
+      { 0x80167f41c31cb264L,0x3db82f6f522113f2L,0xb155bcd2dcafe197L,
+        0xfba1da5943465283L } },
+    /* 54 << 0 */
+    { { 0xa0425b8eb212cf53L,0x4f2e512ef8557c5fL,0xc1286ff925c4d56cL,
+        0xbb8a0feaee26c851L },
+      { 0xc28f70d2e7d6107eL,0x7ee0c444e76265aaL,0x3df277a41d1936b1L,
+        0x1a556e3fea9595ebL } },
+    /* 55 << 0 */
+    { { 0x258bbbf9e7305683L,0x31eea5bf07ef5be6L,0x0deb0e4a46c814c1L,
+        0x5cee8449a7b730ddL },
+      { 0xeab495c5a0182bdeL,0xee759f879e27a6b4L,0xc2cf6a6880e518caL,
+        0x25e8013ff14cf3f4L } },
+    /* 56 << 0 */
+    { { 0x8fc441407e8d7a14L,0xbb1ff3ca9556f36aL,0x6a84438514600044L,
+        0xba3f0c4a7451ae63L },
+      { 0xdfcac25b1f9af32aL,0x01e0db86b1f2214bL,0x4e9a5bc2a4b596acL,
+        0x83927681026c2c08L } },
+    /* 57 << 0 */
+    { { 0x3ec832e77acaca28L,0x1bfeea57c7385b29L,0x068212e3fd1eaf38L,
+        0xc13298306acf8cccL },
+      { 0xb909f2db2aac9e59L,0x5748060db661782aL,0xc5ab2632c79b7a01L,
+        0xda44c6c600017626L } },
+    /* 58 << 0 */
+    { { 0xf26c00e8a7ea82f0L,0x99cac80de4299aafL,0xd66fe3b67ed78be1L,
+        0x305f725f648d02cdL },
+      { 0x33ed1bc4623fb21bL,0xfa70533e7a6319adL,0x17ab562dbe5ffb3eL,
+        0x0637499456674741L } },
+    /* 59 << 0 */
+    { { 0x69d44ed65c46aa8eL,0x2100d5d3a8d063d1L,0xcb9727eaa2d17c36L,
+        0x4c2bab1b8add53b7L },
+      { 0xa084e90c15426704L,0x778afcd3a837ebeaL,0x6651f7017ce477f8L,
+        0xa062499846fb7a8bL } },
+    /* 60 << 0 */
+    { { 0xdc1e6828ed8a6e19L,0x33fc23364189d9c7L,0x026f8fe2671c39bcL,
+        0xd40c4ccdbc6f9915L },
+      { 0xafa135bbf80e75caL,0x12c651a022adff2cL,0xc40a04bd4f51ad96L,
+        0x04820109bbe4e832L } },
+    /* 61 << 0 */
+    { { 0x3667eb1a7f4c04ccL,0x59556621a9404f84L,0x71cdf6537eceb50aL,
+        0x994a44a69b8335faL },
+      { 0xd7faf819dbeb9b69L,0x473c5680eed4350dL,0xb6658466da44bba2L,
+        0x0d1bc780872bdbf3L } },
+    /* 62 << 0 */
+    { { 0xe535f175a1962f91L,0x6ed7e061ed58f5a7L,0x177aa4c02089a233L,
+        0x0dbcb03ae539b413L },
+      { 0xe3dc424ebb32e38eL,0x6472e5ef6806701eL,0xdd47ff98814be9eeL,
+        0x6b60cfff35ace009L } },
+    /* 63 << 0 */
+    { { 0xb8d3d9319ff91fe5L,0x039c4800f0518eedL,0x95c376329182cb26L,
+        0x0763a43482fc568dL },
+      { 0x707c04d5383e76baL,0xac98b930824e8197L,0x92bf7c8f91230de0L,
+        0x90876a0140959b70L } },
+    /* 64 << 0 */
+    { { 0xdb6d96f305968b80L,0x380a0913089f73b9L,0x7da70b83c2c61e01L,
+        0x95fb8394569b38c7L },
+      { 0x9a3c651280edfe2fL,0x8f726bb98faeaf82L,0x8010a4a078424bf8L,
+        0x296720440e844970L } },
+    /* 0 << 7 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 7 */
+    { { 0x63c5cb817a2ad62aL,0x7ef2b6b9ac62ff54L,0x3749bba4b3ad9db5L,
+        0xad311f2c46d5a617L },
+      { 0xb77a8087c2ff3b6dL,0xb46feaf3367834ffL,0xf8aa266d75d6b138L,
+        0xfa38d320ec008188L } },
+    /* 2 << 7 */
+    { { 0x486d8ffa696946fcL,0x50fbc6d8b9cba56dL,0x7e3d423e90f35a15L,
+        0x7c3da195c0dd962cL },
+      { 0xe673fdb03cfd5d8bL,0x0704b7c2889dfca5L,0xf6ce581ff52305aaL,
+        0x399d49eb914d5e53L } },
+    /* 3 << 7 */
+    { { 0x380a496d6ec293cdL,0x733dbda78e7051f5L,0x037e388db849140aL,
+        0xee4b32b05946dbf6L },
+      { 0xb1c4fda9cae368d1L,0x5001a7b0fdb0b2f3L,0x6df593742e3ac46eL,
+        0x4af675f239b3e656L } },
+    /* 4 << 7 */
+    { { 0x44e3811039949296L,0x5b63827b361db1b5L,0x3e5323ed206eaff5L,
+        0x942370d2c21f4290L },
+      { 0xf2caaf2ee0d985a1L,0x192cc64b7239846dL,0x7c0b8f47ae6312f8L,
+        0x7dc61f9196620108L } },
+    /* 5 << 7 */
+    { { 0xb830fb5bc2da7de9L,0xd0e643df0ff8d3beL,0x31ee77ba188a9641L,
+        0x4e8aa3aabcf6d502L },
+      { 0xf9fb65329a49110fL,0xd18317f62dd6b220L,0x7e3ced4152c3ea5aL,
+        0x0d296a147d579c4aL } },
+    /* 6 << 7 */
+    { { 0x35d6a53eed4c3717L,0x9f8240cf3d0ed2a3L,0x8c0d4d05e5543aa5L,
+        0x45d5bbfbdd33b4b4L },
+      { 0xfa04cc73137fd28eL,0x862ac6efc73b3ffdL,0x403ff9f531f51ef2L,
+        0x34d5e0fcbc73f5a2L } },
+    /* 7 << 7 */
+    { { 0xf252682008913f4fL,0xea20ed61eac93d95L,0x51ed38b46ca6b26cL,
+        0x8662dcbcea4327b0L },
+      { 0x6daf295c725d2aaaL,0xbad2752f8e52dcdaL,0x2210e7210b17daccL,
+        0xa37f7912d51e8232L } },
+    /* 8 << 7 */
+    { { 0x4f7081e144cc3addL,0xd5ffa1d687be82cfL,0x89890b6c0edd6472L,
+        0xada26e1a3ed17863L },
+      { 0x276f271563483caaL,0xe6924cd92f6077fdL,0x05a7fe980a466e3cL,
+        0xf1c794b0b1902d1fL } },
+    /* 9 << 7 */
+    { { 0xe521368882a8042cL,0xd931cfafcd278298L,0x069a0ae0f597a740L,
+        0x0adbb3f3eb59107cL },
+      { 0x983e951e5eaa8eb8L,0xe663a8b511b48e78L,0x1631cc0d8a03f2c5L,
+        0x7577c11e11e271e2L } },
+    /* 10 << 7 */
+    { { 0x33b2385c08369a90L,0x2990c59b190eb4f8L,0x819a6145c68eac80L,
+        0x7a786d622ec4a014L },
+      { 0x33faadbe20ac3a8dL,0x31a217815aba2d30L,0x209d2742dba4f565L,
+        0xdb2ce9e355aa0fbbL } },
+    /* 11 << 7 */
+    { { 0x8cef334b168984dfL,0xe81dce1733879638L,0xf6e6949c263720f0L,
+        0x5c56feaff593cbecL },
+      { 0x8bff5601fde58c84L,0x74e241172eccb314L,0xbcf01b614c9a8a78L,
+        0xa233e35e544c9868L } },
+    /* 12 << 7 */
+    { { 0xb3156bf38bd7aff1L,0x1b5ee4cb1d81b146L,0x7ba1ac41d628a915L,
+        0x8f3a8f9cfd89699eL },
+      { 0x7329b9c9a0748be7L,0x1d391c95a92e621fL,0xe51e6b214d10a837L,
+        0xd255f53a4947b435L } },
+    /* 13 << 7 */
+    { { 0x07669e04f1788ee3L,0xc14f27afa86938a2L,0x8b47a334e93a01c0L,
+        0xff627438d9366808L },
+      { 0x7a0985d8ca2a5965L,0x3d9a5542d6e9b9b3L,0xc23eb80b4cf972e8L,
+        0x5c1c33bb4fdf72fdL } },
+    /* 14 << 7 */
+    { { 0x0c4a58d474a86108L,0xf8048a8fee4c5d90L,0xe3c7c924e86d4c80L,
+        0x28c889de056a1e60L },
+      { 0x57e2662eb214a040L,0xe8c48e9837e10347L,0x8774286280ac748aL,
+        0xf1c24022186b06f2L } },
+    /* 15 << 7 */
+    { { 0xac2dd4c35f74040aL,0x409aeb71fceac957L,0x4fbad78255c4ec23L,
+        0xb359ed618a7b76ecL },
+      { 0x12744926ed6f4a60L,0xe21e8d7f4b912de3L,0xe2575a59fc705a59L,
+        0x72f1d4deed2dbc0eL } },
+    /* 16 << 7 */
+    { { 0x3d2b24b9eb7926b8L,0xbff88cb3cdbe5509L,0xd0f399afe4dd640bL,
+        0x3c5fe1302f76ed45L },
+      { 0x6f3562f43764fb3dL,0x7b5af3183151b62dL,0xd5bd0bc7d79ce5f3L,
+        0xfdaf6b20ec66890fL } },
+    /* 17 << 7 */
+    { { 0x735c67ec6063540cL,0x50b259c2e5f9cb8fL,0xb8734f9a3f99c6abL,
+        0xf8cc13d5a3a7bc85L },
+      { 0x80c1b305c5217659L,0xfe5364d44ec12a54L,0xbd87045e681345feL,
+        0x7f8efeb1582f897fL } },
+    /* 18 << 7 */
+    { { 0xe8cbf1e5d5923359L,0xdb0cea9d539b9fb0L,0x0c5b34cf49859b98L,
+        0x5e583c56a4403cc6L },
+      { 0x11fc1a2dd48185b7L,0xc93fbc7e6e521787L,0x47e7a05805105b8bL,
+        0x7b4d4d58db8260c8L } },
+    /* 19 << 7 */
+    { { 0xe33930b046eb842aL,0x8e844a9a7bdae56dL,0x34ef3a9e13f7fdfcL,
+        0xb3768f82636ca176L },
+      { 0x2821f4e04e09e61cL,0x414dc3a1a0c7cddcL,0xd537943754945fcdL,
+        0x151b6eefb3555ff1L } },
+    /* 20 << 7 */
+    { { 0xb31bd6136339c083L,0x39ff8155dfb64701L,0x7c3388d2e29604abL,
+        0x1e19084ba6b10442L },
+      { 0x17cf54c0eccd47efL,0x896933854a5dfb30L,0x69d023fb47daf9f6L,
+        0x9222840b7d91d959L } },
+    /* 21 << 7 */
+    { { 0x439108f5803bac62L,0x0b7dd91d379bd45fL,0xd651e827ca63c581L,
+        0x5c5d75f6509c104fL },
+      { 0x7d5fc7381f2dc308L,0x20faa7bfd98454beL,0x95374beea517b031L,
+        0xf036b9b1642692acL } },
+    /* 22 << 7 */
+    { { 0xc510610939842194L,0xb7e2353e49d05295L,0xfc8c1d5cefb42ee0L,
+        0xe04884eb08ce811cL },
+      { 0xf1f75d817419f40eL,0x5b0ac162a995c241L,0x120921bbc4c55646L,
+        0x713520c28d33cf97L } },
+    /* 23 << 7 */
+    { { 0xb4a65a5ce98c5100L,0x6cec871d2ddd0f5aL,0x251f0b7f9ba2e78bL,
+        0x224a8434ce3a2a5fL },
+      { 0x26827f6125f5c46fL,0x6a22bedc48545ec0L,0x25ae5fa0b1bb5cdcL,
+        0xd693682ffcb9b98fL } },
+    /* 24 << 7 */
+    { { 0x32027fe891e5d7d3L,0xf14b7d1773a07678L,0xf88497b3c0dfdd61L,
+        0xf7c2eec02a8c4f48L },
+      { 0xaa5573f43756e621L,0xc013a2401825b948L,0x1c03b34563878572L,
+        0xa0472bea653a4184L } },
+    /* 25 << 7 */
+    { { 0xf4222e270ac69a80L,0x34096d25f51e54f6L,0x00a648cb8fffa591L,
+        0x4e87acdc69b6527fL },
+      { 0x0575e037e285ccb4L,0x188089e450ddcf52L,0xaa96c9a8870ff719L,
+        0x74a56cd81fc7e369L } },
+    /* 26 << 7 */
+    { { 0x41d04ee21726931aL,0x0bbbb2c83660ecfdL,0xa6ef6de524818e18L,
+        0xe421cc51e7d57887L },
+      { 0xf127d208bea87be6L,0x16a475d3b1cdd682L,0x9db1b684439b63f7L,
+        0x5359b3dbf0f113b6L } },
+    /* 27 << 7 */
+    { { 0xdfccf1de8bf06e31L,0x1fdf8f44dd383901L,0x10775cad5017e7d2L,
+        0xdfc3a59758d11eefL },
+      { 0x6ec9c8a0b1ecff10L,0xee6ed6cc28400549L,0xb5ad7bae1b4f8d73L,
+        0x61b4f11de00aaab9L } },
+    /* 28 << 7 */
+    { { 0x7b32d69bd4eff2d7L,0x88ae67714288b60fL,0x159461b437a1e723L,
+        0x1f3d4789570aae8cL },
+      { 0x869118c07f9871daL,0x35fbda78f635e278L,0x738f3641e1541dacL,
+        0x6794b13ac0dae45fL } },
+    /* 29 << 7 */
+    { { 0x065064ac09cc0917L,0x27c53729c68540fdL,0x0d2d4c8eef227671L,
+        0xd23a9f80a1785a04L },
+      { 0x98c5952852650359L,0xfa09ad0174a1acadL,0x082d5a290b55bf5cL,
+        0xa40f1c67419b8084L } },
+    /* 30 << 7 */
+    { { 0x3a5c752edcc18770L,0x4baf1f2f8825c3a5L,0xebd63f7421b153edL,
+        0xa2383e47b2f64723L },
+      { 0xe7bf620a2646d19aL,0x56cb44ec03c83ffdL,0xaf7267c94f6be9f1L,
+        0x8b2dfd7bc06bb5e9L } },
+    /* 31 << 7 */
+    { { 0xb87072f2a672c5c7L,0xeacb11c80d53c5e2L,0x22dac29dff435932L,
+        0x37bdb99d4408693cL },
+      { 0xf6e62fb62899c20fL,0x3535d512447ece24L,0xfbdc6b88ff577ce3L,
+        0x726693bd190575f2L } },
+    /* 32 << 7 */
+    { { 0x6772b0e5ab4b35a2L,0x1d8b6001f5eeaacfL,0x728f7ce4795b9580L,
+        0x4a20ed2a41fb81daL },
+      { 0x9f685cd44fec01e6L,0x3ed7ddcca7ff50adL,0x460fd2640c2d97fdL,
+        0x3a241426eb82f4f9L } },
+    /* 33 << 7 */
+    { { 0x17d1df2c6a8ea820L,0xb2b50d3bf22cc254L,0x03856cbab7291426L,
+        0x87fd26ae04f5ee39L },
+      { 0x9cb696cc02bee4baL,0x5312180406820fd6L,0xa5dfc2690212e985L,
+        0x666f7ffa160f9a09L } },
+    /* 34 << 7 */
+    { { 0xc503cd33bccd9617L,0x365dede4ba7730a3L,0x798c63555ddb0786L,
+        0xa6c3200efc9cd3bcL },
+      { 0x060ffb2ce5e35efdL,0x99a4e25b5555a1c1L,0x11d95375f70b3751L,
+        0x0a57354a160e1bf6L } },
+    /* 35 << 7 */
+    { { 0xecb3ae4bf8e4b065L,0x07a834c42e53022bL,0x1cd300b38692ed96L,
+        0x16a6f79261ee14ecL },
+      { 0x8f1063c66a8649edL,0xfbcdfcfe869f3e14L,0x2cfb97c100a7b3ecL,
+        0xcea49b3c7130c2f1L } },
+    /* 36 << 7 */
+    { { 0x462d044fe9d96488L,0x4b53d52e8182a0c1L,0x84b6ddd30391e9e9L,
+        0x80ab7b48b1741a09L },
+      { 0xec0e15d427d3317fL,0x8dfc1ddb1a64671eL,0x93cc5d5fd49c5b92L,
+        0xc995d53d3674a331L } },
+    /* 37 << 7 */
+    { { 0x302e41ec090090aeL,0x2278a0ccedb06830L,0x1d025932fbc99690L,
+        0x0c32fbd2b80d68daL },
+      { 0xd79146daf341a6c1L,0xae0ba1391bef68a0L,0xc6b8a5638d774b3aL,
+        0x1cf307bd880ba4d7L } },
+    /* 38 << 7 */
+    { { 0xc033bdc719803511L,0xa9f97b3b8888c3beL,0x3d68aebc85c6d05eL,
+        0xc3b88a9d193919ebL },
+      { 0x2d300748c48b0ee3L,0x7506bc7c07a746c1L,0xfc48437c6e6d57f3L,
+        0x5bd71587cfeaa91aL } },
+    /* 39 << 7 */
+    { { 0xa4ed0408c1bc5225L,0xd0b946db2719226dL,0x109ecd62758d2d43L,
+        0x75c8485a2751759bL },
+      { 0xb0b75f499ce4177aL,0x4fa61a1e79c10c3dL,0xc062d300a167fcd7L,
+        0x4df3874c750f0fa8L } },
+    /* 40 << 7 */
+    { { 0x29ae2cf983dfedc9L,0xf84371348d87631aL,0xaf5717117429c8d2L,
+        0x18d15867146d9272L },
+      { 0x83053ecf69769bb7L,0xc55eb856c479ab82L,0x5ef7791c21b0f4b2L,
+        0xaa5956ba3d491525L } },
+    /* 41 << 7 */
+    { { 0x407a96c29fe20ebaL,0xf27168bbe52a5ad3L,0x43b60ab3bf1d9d89L,
+        0xe45c51ef710e727aL },
+      { 0xdfca5276099b4221L,0x8dc6407c2557a159L,0x0ead833591035895L,
+        0x0a9db9579c55dc32L } },
+    /* 42 << 7 */
+    { { 0xe40736d3df61bc76L,0x13a619c03f778cdbL,0x6dd921a4c56ea28fL,
+        0x76a524332fa647b4L },
+      { 0x23591891ac5bdc5dL,0xff4a1a72bac7dc01L,0x9905e26162df8453L,
+        0x3ac045dfe63b265fL } },
+    /* 43 << 7 */
+    { { 0x8a3f341bad53dba7L,0x8ec269cc837b625aL,0xd71a27823ae31189L,
+        0x8fb4f9a355e96120L },
+      { 0x804af823ff9875cfL,0x23224f575d442a9bL,0x1c4d3b9eecc62679L,
+        0x91da22fba0e7ddb1L } },
+    /* 44 << 7 */
+    { { 0xa370324d6c04a661L,0x9710d3b65e376d17L,0xed8c98f03044e357L,
+        0xc364ebbe6422701cL },
+      { 0x347f5d517733d61cL,0xd55644b9cea826c3L,0x80c6e0ad55a25548L,
+        0x0aa7641d844220a7L } },
+    /* 45 << 7 */
+    { { 0x1438ec8131810660L,0x9dfa6507de4b4043L,0x10b515d8cc3e0273L,
+        0x1b6066dd28d8cfb2L },
+      { 0xd3b045919c9efebdL,0x425d4bdfa21c1ff4L,0x5fe5af19d57607d3L,
+        0xbbf773f754481084L } },
+    /* 46 << 7 */
+    { { 0x8435bd6994b03ed1L,0xd9ad1de3634cc546L,0x2cf423fc00e420caL,
+        0xeed26d80a03096ddL },
+      { 0xd7f60be7a4db09d2L,0xf47f569d960622f7L,0xe5925fd77296c729L,
+        0xeff2db2626ca2715L } },
+    /* 47 << 7 */
+    { { 0xa6fcd014b913e759L,0x53da47868ff4de93L,0x14616d79c32068e1L,
+        0xb187d664ccdf352eL },
+      { 0xf7afb6501dc90b59L,0x8170e9437daa1b26L,0xc8e3bdd8700c0a84L,
+        0x6e8d345f6482bdfaL } },
+    /* 48 << 7 */
+    { { 0x84cfbfa1c5c5ea50L,0xd3baf14c67960681L,0x263984030dd50942L,
+        0xe4b7839c4716a663L },
+      { 0xd5f1f794e7de6dc0L,0x5cd0f4d4622aa7ceL,0x5295f3f159acfeecL,
+        0x8d933552953e0607L } },
+    /* 49 << 7 */
+    { { 0xc7db8ec5776c5722L,0xdc467e622b5f290cL,0xd4297e704ff425a9L,
+        0x4be924c10cf7bb72L },
+      { 0x0d5dc5aea1892131L,0x8bf8a8e3a705c992L,0x73a0b0647a305ac5L,
+        0x00c9ca4e9a8c77a8L } },
+    /* 50 << 7 */
+    { { 0x5dfee80f83774bddL,0x6313160285734485L,0xa1b524ae914a69a9L,
+        0xebc2ffafd4e300d7L },
+      { 0x52c93db77cfa46a5L,0x71e6161f21653b50L,0x3574fc57a4bc580aL,
+        0xc09015dde1bc1253L } },
+    /* 51 << 7 */
+    { { 0x4b7b47b2d174d7aaL,0x4072d8e8f3a15d04L,0xeeb7d47fd6fa07edL,
+        0x6f2b9ff9edbdafb1L },
+      { 0x18c516153760fe8aL,0x7a96e6bff06c6c13L,0x4d7a04100ea2d071L,
+        0xa1914e9b0be2a5ceL } },
+    /* 52 << 7 */
+    { { 0x5726e357d8a3c5cfL,0x1197ecc32abb2b13L,0x6c0d7f7f31ae88ddL,
+        0x15b20d1afdbb3efeL },
+      { 0xcd06aa2670584039L,0x2277c969a7dc9747L,0xbca695877855d815L,
+        0x899ea2385188b32aL } },
+    /* 53 << 7 */
+    { { 0x37d9228b760c1c9dL,0xc7efbb119b5c18daL,0x7f0d1bc819f6dbc5L,
+        0x4875384b07e6905bL },
+      { 0xc7c50baa3ba8cd86L,0xb0ce40fbc2905de0L,0x708406737a231952L,
+        0xa912a262cf43de26L } },
+    /* 54 << 7 */
+    { { 0x9c38ddcceb5b76c1L,0x746f528526fc0ab4L,0x52a63a50d62c269fL,
+        0x60049c5599458621L },
+      { 0xe7f48f823c2f7c9eL,0x6bd99043917d5cf3L,0xeb1317a88701f469L,
+        0xbd3fe2ed9a449fe0L } },
+    /* 55 << 7 */
+    { { 0x421e79ca12ef3d36L,0x9ee3c36c3e7ea5deL,0xe48198b5cdff36f7L,
+        0xaff4f967c6b82228L },
+      { 0x15e19dd0c47adb7eL,0x45699b23032e7dfaL,0x40680c8b1fae026aL,
+        0x5a347a48550dbf4dL } },
+    /* 56 << 7 */
+    { { 0xe652533b3cef0d7dL,0xd94f7b182bbb4381L,0x838752be0e80f500L,
+        0x8e6e24889e9c9bfbL },
+      { 0xc975169716caca6aL,0x866c49d838531ad9L,0xc917e2397151ade1L,
+        0x2d016ec16037c407L } },
+    /* 57 << 7 */
+    { { 0xa407ccc900eac3f9L,0x835f6280e2ed4748L,0xcc54c3471cc98e0dL,
+        0x0e969937dcb572ebL },
+      { 0x1b16c8e88f30c9cbL,0xa606ae75373c4661L,0x47aa689b35502cabL,
+        0xf89014ae4d9bb64fL } },
+    /* 58 << 7 */
+    { { 0x202f6a9c31c71f7bL,0x01f95aa3296ffe5cL,0x5fc0601453cec3a3L,
+        0xeb9912375f498a45L },
+      { 0xae9a935e5d91ba87L,0xc6ac62810b564a19L,0x8a8fe81c3bd44e69L,
+        0x7c8b467f9dd11d45L } },
+    /* 59 << 7 */
+    { { 0xf772251fea5b8e69L,0xaeecb3bdc5b75fbcL,0x1aca3331887ff0e5L,
+        0xbe5d49ff19f0a131L },
+      { 0x582c13aae5c8646fL,0xdbaa12e820e19980L,0x8f40f31af7abbd94L,
+        0x1f13f5a81dfc7663L } },
+    /* 60 << 7 */
+    { { 0x5d81f1eeaceb4fc0L,0x362560025e6f0f42L,0x4b67d6d7751370c8L,
+        0x2608b69803e80589L },
+      { 0xcfc0d2fc05268301L,0xa6943d3940309212L,0x192a90c21fd0e1c2L,
+        0xb209f11337f1dc76L } },
+    /* 61 << 7 */
+    { { 0xefcc5e0697bf1298L,0xcbdb6730219d639eL,0xd009c116b81e8c6fL,
+        0xa3ffdde31a7ce2e5L },
+      { 0xc53fbaaaa914d3baL,0x836d500f88df85eeL,0xd98dc71b66ee0751L,
+        0x5a3d7005714516fdL } },
+    /* 62 << 7 */
+    { { 0x21d3634d39eedbbaL,0x35cd2e680455a46dL,0xc8cafe65f9d7eb0cL,
+        0xbda3ce9e00cefb3eL },
+      { 0xddc17a602c9cf7a4L,0x01572ee47bcb8773L,0xa92b2b018c7548dfL,
+        0x732fd309a84600e3L } },
+    /* 63 << 7 */
+    { { 0xe22109c716543a40L,0x9acafd36fede3c6cL,0xfb2068526824e614L,
+        0x2a4544a9da25dca0L },
+      { 0x2598526291d60b06L,0x281b7be928753545L,0xec667b1a90f13b27L,
+        0x33a83aff940e2eb4L } },
+    /* 64 << 7 */
+    { { 0x80009862d5d721d5L,0x0c3357a35bd3a182L,0x27f3a83b7aa2cda4L,
+        0xb58ae74ef6f83085L },
+      { 0x2a911a812e6dad6bL,0xde286051f43d6c5bL,0x4bdccc41f996c4d8L,
+        0xe7312ec00ae1e24eL } },
+    /* 0 << 14 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 14 */
+    { { 0xf8d112e76e6485b3L,0x4d3e24db771c52f8L,0x48e3ee41684a2f6dL,
+        0x7161957d21d95551L },
+      { 0x19631283cdb12a6cL,0xbf3fa8822e50e164L,0xf6254b633166cc73L,
+        0x3aefa7aeaee8cc38L } },
+    /* 2 << 14 */
+    { { 0x79b0fe623b36f9fdL,0x26543b23fde19fc0L,0x136e64a0958482efL,
+        0x23f637719b095825L },
+      { 0x14cfd596b6a1142eL,0x5ea6aac6335aac0bL,0x86a0e8bdf3081dd5L,
+        0x5fb89d79003dc12aL } },
+    /* 3 << 14 */
+    { { 0xf615c33af72e34d4L,0x0bd9ea40110eec35L,0x1c12bc5bc1dea34eL,
+        0x686584c949ae4699L },
+      { 0x13ad95d38c97b942L,0x4609561a4e5c7562L,0x9e94a4aef2737f89L,
+        0xf57594c6371c78b6L } },
+    /* 4 << 14 */
+    { { 0x0f0165fce3779ee3L,0xe00e7f9dbd495d9eL,0x1fa4efa220284e7aL,
+        0x4564bade47ac6219L },
+      { 0x90e6312ac4708e8eL,0x4f5725fba71e9adfL,0xe95f55ae3d684b9fL,
+        0x47f7ccb11e94b415L } },
+    /* 5 << 14 */
+    { { 0x7322851b8d946581L,0xf0d13133bdf4a012L,0xa3510f696584dae0L,
+        0x03a7c1713c9f6c6dL },
+      { 0x5be97f38e475381aL,0xca1ba42285823334L,0xf83cc5c70be17ddaL,
+        0x158b14940b918c0fL } },
+    /* 6 << 14 */
+    { { 0xda3a77e5522e6b69L,0x69c908c3bbcd6c18L,0x1f1b9e48d924fd56L,
+        0x37c64e36aa4bb3f7L },
+      { 0x5a4fdbdfee478d7dL,0xba75c8bc0193f7a0L,0x84bc1e8456cd16dfL,
+        0x1fb08f0846fad151L } },
+    /* 7 << 14 */
+    { { 0x8a7cabf9842e9f30L,0xa331d4bf5eab83afL,0xd272cfba017f2a6aL,
+        0x27560abc83aba0e3L },
+      { 0x94b833870e3a6b75L,0x25c6aea26b9f50f5L,0x803d691db5fdf6d0L,
+        0x03b77509e6333514L } },
+    /* 8 << 14 */
+    { { 0x3617890361a341c1L,0x3604dc600cfd6142L,0x022295eb8533316cL,
+        0x3dbde4ac44af2922L },
+      { 0x898afc5d1c7eef69L,0x58896805d14f4fa1L,0x05002160203c21caL,
+        0x6f0d1f3040ef730bL } },
+    /* 9 << 14 */
+    { { 0x8e8c44d4196224f8L,0x75a4ab95374d079dL,0x79085ecc7d48f123L,
+        0x56f04d311bf65ad8L },
+      { 0xe220bf1cbda602b2L,0x73ee1742f9612c69L,0x76008fc8084fd06bL,
+        0x4000ef9ff11380d1L } },
+    /* 10 << 14 */
+    { { 0x48201b4b12cfe297L,0x3eee129c292f74e5L,0xe1fe114ec9e874e8L,
+        0x899b055c92c5fc41L },
+      { 0x4e477a643a39c8cfL,0x82f09efe78963cc9L,0x6fd3fd8fd333f863L,
+        0x85132b2adc949c63L } },
+    /* 11 << 14 */
+    { { 0x7e06a3ab516eb17bL,0x73bec06fd2c7372bL,0xe4f74f55ba896da6L,
+        0xbb4afef88e9eb40fL },
+      { 0x2d75bec8e61d66b0L,0x02bda4b4ef29300bL,0x8bbaa8de026baa5aL,
+        0xff54befda07f4440L } },
+    /* 12 << 14 */
+    { { 0xbd9b8b1dbe7a2af3L,0xec51caa94fb74a72L,0xb9937a4b63879697L,
+        0x7c9a9d20ec2687d5L },
+      { 0x1773e44f6ef5f014L,0x8abcf412e90c6900L,0x387bd0228142161eL,
+        0x50393755fcb6ff2aL } },
+    /* 13 << 14 */
+    { { 0x9813fd56ed6def63L,0x53cf64827d53106cL,0x991a35bd431f7ac1L,
+        0xf1e274dd63e65fafL },
+      { 0xf63ffa3c44cc7880L,0x411a426b7c256981L,0xb698b9fd93a420e0L,
+        0x89fdddc0ae53f8feL } },
+    /* 14 << 14 */
+    { { 0x766e072232398baaL,0x205fee425cfca031L,0xa49f53417a029cf2L,
+        0xa88c68b84023890dL },
+      { 0xbc2750417337aaa8L,0x9ed364ad0eb384f4L,0xe0816f8529aba92fL,
+        0x2e9e194104e38a88L } },
+    /* 15 << 14 */
+    { { 0x57eef44a3dafd2d5L,0x35d1fae597ed98d8L,0x50628c092307f9b1L,
+        0x09d84aaed6cba5c6L },
+      { 0x67071bc788aaa691L,0x2dea57a9afe6cb03L,0xdfe11bb43d78ac01L,
+        0x7286418c7fd7aa51L } },
+    /* 16 << 14 */
+    { { 0xfabf770977f7195aL,0x8ec86167adeb838fL,0xea1285a8bb4f012dL,
+        0xd68835039a3eab3fL },
+      { 0xee5d24f8309004c2L,0xa96e4b7613ffe95eL,0x0cdffe12bd223ea4L,
+        0x8f5c2ee5b6739a53L } },
+    /* 17 << 14 */
+    { { 0x5cb4aaa5dd968198L,0xfa131c5272413a6cL,0x53d46a909536d903L,
+        0xb270f0d348606d8eL },
+      { 0x518c7564a053a3bcL,0x088254b71a86caefL,0xb3ba8cb40ab5efd0L,
+        0x5c59900e4605945dL } },
+    /* 18 << 14 */
+    { { 0xecace1dda1887395L,0x40960f36932a65deL,0x9611ff5c3aa95529L,
+        0xc58215b07c1e5a36L },
+      { 0xd48c9b58f0e1a524L,0xb406856bf590dfb8L,0xc7605e049cd95662L,
+        0x0dd036eea33ecf82L } },
+    /* 19 << 14 */
+    { { 0xa50171acc33156b3L,0xf09d24ea4a80172eL,0x4e1f72c676dc8eefL,
+        0xe60caadc5e3d44eeL },
+      { 0x006ef8a6979b1d8fL,0x60908a1c97788d26L,0x6e08f95b266feec0L,
+        0x618427c222e8c94eL } },
+    /* 20 << 14 */
+    { { 0x3d61333959145a65L,0xcd9bc368fa406337L,0x82d11be32d8a52a0L,
+        0xf6877b2797a1c590L },
+      { 0x837a819bf5cbdb25L,0x2a4fd1d8de090249L,0x622a7de774990e5fL,
+        0x840fa5a07945511bL } },
+    /* 21 << 14 */
+    { { 0x30b974be6558842dL,0x70df8c6417f3d0a6L,0x7c8035207542e46dL,
+        0x7251fe7fe4ecc823L },
+      { 0xe59134cb5e9aac9aL,0x11bb0934f0045d71L,0x53e5d9b5dbcb1d4eL,
+        0x8d97a90592defc91L } },
+    /* 22 << 14 */
+    { { 0xfe2893277946d3f9L,0xe132bd2407472273L,0xeeeb510c1eb6ae86L,
+        0x777708c5f0595067L },
+      { 0x18e2c8cd1297029eL,0x2c61095cbbf9305eL,0xe466c2586b85d6d9L,
+        0x8ac06c36da1ea530L } },
+    /* 23 << 14 */
+    { { 0xa365dc39a1304668L,0xe4a9c88507f89606L,0x65a4898facc7228dL,
+        0x3e2347ff84ca8303L },
+      { 0xa5f6fb77ea7d23a3L,0x2fac257d672a71cdL,0x6908bef87e6a44d3L,
+        0x8ff87566891d3d7aL } },
+    /* 24 << 14 */
+    { { 0xe58e90b36b0cf82eL,0x6438d2462615b5e7L,0x07b1f8fc669c145aL,
+        0xb0d8b2da36f1e1cbL },
+      { 0x54d5dadbd9184c4dL,0x3dbb18d5f93d9976L,0x0a3e0f56d1147d47L,
+        0x2afa8c8da0a48609L } },
+    /* 25 << 14 */
+    { { 0x275353e8bc36742cL,0x898f427eeea0ed90L,0x26f4947e3e477b00L,
+        0x8ad8848a308741e3L },
+      { 0x6c703c38d74a2a46L,0x5e3e05a99ba17ba2L,0xc1fa6f664ab9a9e4L,
+        0x474a2d9a3841d6ecL } },
+    /* 26 << 14 */
+    { { 0x871239ad653ae326L,0x14bcf72aa74cbb43L,0x8737650e20d4c083L,
+        0x3df86536110ed4afL },
+      { 0xd2d86fe7b53ca555L,0x688cb00dabd5d538L,0xcf81bda31ad38468L,
+        0x7ccfe3ccf01167b6L } },
+    /* 27 << 14 */
+    { { 0xcf4f47e06c4c1fe6L,0x557e1f1a298bbb79L,0xf93b974f30d45a14L,
+        0x174a1d2d0baf97c4L },
+      { 0x7a003b30c51fbf53L,0xd8940991ee68b225L,0x5b0aa7b71c0f4173L,
+        0x975797c9a20a7153L } },
+    /* 28 << 14 */
+    { { 0x26e08c07e3533d77L,0xd7222e6a2e341c99L,0x9d60ec3d8d2dc4edL,
+        0xbdfe0d8f7c476cf8L },
+      { 0x1fe59ab61d056605L,0xa9ea9df686a8551fL,0x8489941e47fb8d8cL,
+        0xfeb874eb4a7f1b10L } },
+    /* 29 << 14 */
+    { { 0xfe5fea867ee0d98fL,0x201ad34bdbf61864L,0x45d8fe4737c031d4L,
+        0xd5f49fae795f0822L },
+      { 0xdb0fb291c7f4a40cL,0x2e69d9c1730ddd92L,0x754e105449d76987L,
+        0x8a24911d7662db87L } },
+    /* 30 << 14 */
+    { { 0x61fc181060a71676L,0xe852d1a8f66a8ad1L,0x172bbd656417231eL,
+        0x0d6de7bd3babb11fL },
+      { 0x6fde6f88c8e347f8L,0x1c5875479bd99cc3L,0x78e54ed034076950L,
+        0x97f0f334796e83baL } },
+    /* 31 << 14 */
+    { { 0xe4dbe1ce4924867aL,0xbd5f51b060b84917L,0x375300403cb09a79L,
+        0xdb3fe0f8ff1743d8L },
+      { 0xed7894d8556fa9dbL,0xfa26216923412fbfL,0x563be0dbba7b9291L,
+        0x6ca8b8c00c9fb234L } },
+    /* 32 << 14 */
+    { { 0xed406aa9bd763802L,0xc21486a065303da1L,0x61ae291ec7e62ec4L,
+        0x622a0492df99333eL },
+      { 0x7fd80c9dbb7a8ee0L,0xdc2ed3bc6c01aedbL,0x35c35a1208be74ecL,
+        0xd540cb1a469f671fL } },
+    /* 33 << 14 */
+    { { 0xd16ced4ecf84f6c7L,0x8561fb9c2d090f43L,0x7e693d796f239db4L,
+        0xa736f92877bd0d94L },
+      { 0x07b4d9292c1950eeL,0xda17754356dc11b3L,0xa5dfbbaa7a6a878eL,
+        0x1c70cb294decb08aL } },
+    /* 34 << 14 */
+    { { 0xfba28c8b6f0f7c50L,0xa8eba2b8854dcc6dL,0x5ff8e89a36b78642L,
+        0x070c1c8ef6873adfL },
+      { 0xbbd3c3716484d2e4L,0xfb78318f0d414129L,0x2621a39c6ad93b0bL,
+        0x979d74c2a9e917f7L } },
+    /* 35 << 14 */
+    { { 0xfc19564761fb0428L,0x4d78954abee624d4L,0xb94896e0b8ae86fdL,
+        0x6667ac0cc91c8b13L },
+      { 0x9f18051243bcf832L,0xfbadf8b7a0010137L,0xc69b4089b3ba8aa7L,
+        0xfac4bacde687ce85L } },
+    /* 36 << 14 */
+    { { 0x9164088d977eab40L,0x51f4c5b62760b390L,0xd238238f340dd553L,
+        0x358566c3db1d31c9L },
+      { 0x3a5ad69e5068f5ffL,0xf31435fcdaff6b06L,0xae549a5bd6debff0L,
+        0x59e5f0b775e01331L } },
+    /* 37 << 14 */
+    { { 0x5d492fb898559acfL,0x96018c2e4db79b50L,0x55f4a48f609f66aaL,
+        0x1943b3af4900a14fL },
+      { 0xc22496df15a40d39L,0xb2a446844c20f7c5L,0x76a35afa3b98404cL,
+        0xbec75725ff5d1b77L } },
+    /* 38 << 14 */
+    { { 0xb67aa163bea06444L,0x27e95bb2f724b6f2L,0x3c20e3e9d238c8abL,
+        0x1213754eddd6ae17L },
+      { 0x8c431020716e0f74L,0x6679c82effc095c2L,0x2eb3adf4d0ac2932L,
+        0x2cc970d301bb7a76L } },
+    /* 39 << 14 */
+    { { 0x70c71f2f740f0e66L,0x545c616b2b6b23ccL,0x4528cfcbb40a8bd7L,
+        0xff8396332ab27722L },
+      { 0x049127d9025ac99aL,0xd314d4a02b63e33bL,0xc8c310e728d84519L,
+        0x0fcb8983b3bc84baL } },
+    /* 40 << 14 */
+    { { 0x2cc5226138634818L,0x501814f4b44c2e0bL,0xf7e181aa54dfdba3L,
+        0xcfd58ff0e759718cL },
+      { 0xf90cdb14d3b507a8L,0x57bd478ec50bdad8L,0x29c197e250e5f9aaL,
+        0x4db6eef8e40bc855L } },
+    /* 41 << 14 */
+    { { 0x2cc8f21ad1fc0654L,0xc71cc96381269d73L,0xecfbb204077f49f9L,
+        0xdde92571ca56b793L },
+      { 0x9abed6a3f97ad8f7L,0xe6c19d3f924de3bdL,0x8dce92f4a140a800L,
+        0x85f44d1e1337af07L } },
+    /* 42 << 14 */
+    { { 0x5953c08b09d64c52L,0xa1b5e49ff5df9749L,0x336a8fb852735f7dL,
+        0xb332b6db9add676bL },
+      { 0x558b88a0b4511aa4L,0x09788752dbd5cc55L,0x16b43b9cd8cd52bdL,
+        0x7f0bc5a0c2a2696bL } },
+    /* 43 << 14 */
+    { { 0x146e12d4c11f61efL,0x9ce107543a83e79eL,0x08ec73d96cbfca15L,
+        0x09ff29ad5b49653fL },
+      { 0xe31b72bde7da946eL,0xebf9eb3bee80a4f2L,0xd1aabd0817598ce4L,
+        0x18b5fef453f37e80L } },
+    /* 44 << 14 */
+    { { 0xd5d5cdd35958cd79L,0x3580a1b51d373114L,0xa36e4c91fa935726L,
+        0xa38c534def20d760L },
+      { 0x7088e40a2ff5845bL,0xe5bb40bdbd78177fL,0x4f06a7a8857f9920L,
+        0xe3cc3e50e968f05dL } },
+    /* 45 << 14 */
+    { { 0x1d68b7fee5682d26L,0x5206f76faec7f87cL,0x41110530041951abL,
+        0x58ec52c1d4b5a71aL },
+      { 0xf3488f990f75cf9aL,0xf411951fba82d0d5L,0x27ee75be618895abL,
+        0xeae060d46d8aab14L } },
+    /* 46 << 14 */
+    { { 0x9ae1df737fb54dc2L,0x1f3e391b25963649L,0x242ec32afe055081L,
+        0x5bd450ef8491c9bdL },
+      { 0x367efc67981eb389L,0xed7e19283a0550d5L,0x362e776bab3ce75cL,
+        0xe890e3081f24c523L } },
+    /* 47 << 14 */
+    { { 0xb961b682feccef76L,0x8b8e11f58bba6d92L,0x8f2ccc4c2b2375c4L,
+        0x0d7f7a52e2f86cfaL },
+      { 0xfd94d30a9efe5633L,0x2d8d246b5451f934L,0x2234c6e3244e6a00L,
+        0xde2b5b0dddec8c50L } },
+    /* 48 << 14 */
+    { { 0x2ce53c5abf776f5bL,0x6f72407160357b05L,0xb259371771bf3f7aL,
+        0x87d2501c440c4a9fL },
+      { 0x440552e187b05340L,0xb7bf7cc821624c32L,0x4155a6ce22facddbL,
+        0x5a4228cb889837efL } },
+    /* 49 << 14 */
+    { { 0xef87d6d6fd4fd671L,0xa233687ec2daa10eL,0x7562224403c0eb96L,
+        0x7632d1848bf19be6L },
+      { 0x05d0f8e940735ff4L,0x3a3e6e13c00931f1L,0x31ccde6adafe3f18L,
+        0xf381366acfe51207L } },
+    /* 50 << 14 */
+    { { 0x24c222a960167d92L,0x62f9d6f87529f18cL,0x412397c00353b114L,
+        0x334d89dcef808043L },
+      { 0xd9ec63ba2a4383ceL,0xcec8e9375cf92ba0L,0xfb8b4288c8be74c0L,
+        0x67d6912f105d4391L } },
+    /* 51 << 14 */
+    { { 0x7b996c461b913149L,0x36aae2ef3a4e02daL,0xb68aa003972de594L,
+        0x284ec70d4ec6d545L },
+      { 0xf3d2b2d061391d54L,0x69c5d5d6fe114e92L,0xbe0f00b5b4482dffL,
+        0xe1596fa5f5bf33c5L } },
+    /* 52 << 14 */
+    { { 0x10595b5696a71cbaL,0x944938b2fdcadeb7L,0xa282da4cfccd8471L,
+        0x98ec05f30d37bfe1L },
+      { 0xe171ce1b0698304aL,0x2d69144421bdf79bL,0xd0cd3b741b21dec1L,
+        0x712ecd8b16a15f71L } },
+    /* 53 << 14 */
+    { { 0x8d4c00a700fd56e1L,0x02ec9692f9527c18L,0x21c449374a3e42e1L,
+        0x9176fbab1392ae0aL },
+      { 0x8726f1ba44b7b618L,0xb4d7aae9f1de491cL,0xf91df7b907b582c0L,
+        0x7e116c30ef60aa3aL } },
+    /* 54 << 14 */
+    { { 0x99270f81466265d7L,0xb15b6fe24df7adf0L,0xfe33b2d3f9738f7fL,
+        0x48553ab9d6d70f95L },
+      { 0x2cc72ac8c21e94dbL,0x795ac38dbdc0bbeeL,0x0a1be4492e40478fL,
+        0x81bd3394052bde55L } },
+    /* 55 << 14 */
+    { { 0x63c8dbe956b3c4f2L,0x017a99cf904177ccL,0x947bbddb4d010fc1L,
+        0xacf9b00bbb2c9b21L },
+      { 0x2970bc8d47173611L,0x1a4cbe08ac7d756fL,0x06d9f4aa67d541a2L,
+        0xa3e8b68959c2cf44L } },
+    /* 56 << 14 */
+    { { 0xaad066da4d88f1ddL,0xc604f1657ad35deaL,0x7edc07204478ca67L,
+        0xa10dfae0ba02ce06L },
+      { 0xeceb1c76af36f4e4L,0x994b2292af3f8f48L,0xbf9ed77b77c8a68cL,
+        0x74f544ea51744c9dL } },
+    /* 57 << 14 */
+    { { 0x82d05bb98113a757L,0x4ef2d2b48a9885e4L,0x1e332be51aa7865fL,
+        0x22b76b18290d1a52L },
+      { 0x308a231044351683L,0x9d861896a3f22840L,0x5959ddcd841ed947L,
+        0x0def0c94154b73bfL } },
+    /* 58 << 14 */
+    { { 0xf01054174c7c15e0L,0x539bfb023a277c32L,0xe699268ef9dccf5fL,
+        0x9f5796a50247a3bdL },
+      { 0x8b839de84f157269L,0xc825c1e57a30196bL,0x6ef0aabcdc8a5a91L,
+        0xf4a8ce6c498b7fe6L } },
+    /* 59 << 14 */
+    { { 0x1cce35a770cbac78L,0x83488e9bf6b23958L,0x0341a070d76cb011L,
+        0xda6c9d06ae1b2658L },
+      { 0xb701fb30dd648c52L,0x994ca02c52fb9fd1L,0x069331176f563086L,
+        0x3d2b810017856babL } },
+    /* 60 << 14 */
+    { { 0xe89f48c85963a46eL,0x658ab875a99e61c7L,0x6e296f874b8517b4L,
+        0x36c4fcdcfc1bc656L },
+      { 0xde5227a1a3906defL,0x9fe95f5762418945L,0x20c91e81fdd96cdeL,
+        0x5adbe47eda4480deL } },
+    /* 61 << 14 */
+    { { 0xa009370f396de2b6L,0x98583d4bf0ecc7bdL,0xf44f6b57e51d0672L,
+        0x03d6b078556b1984L },
+      { 0x27dbdd93b0b64912L,0x9b3a343415687b09L,0x0dba646151ec20a9L,
+        0xec93db7fff28187cL } },
+    /* 62 << 14 */
+    { { 0x00ff8c2466e48bddL,0x2514f2f911ccd78eL,0xeba11f4fe1250603L,
+        0x8a22cd41243fa156L },
+      { 0xa4e58df4b283e4c6L,0x78c298598b39783fL,0x5235aee2a5259809L,
+        0xc16284b50e0227ddL } },
+    /* 63 << 14 */
+    { { 0xa5f579161338830dL,0x6d4b8a6bd2123fcaL,0x236ea68af9c546f8L,
+        0xc1d36873fa608d36L },
+      { 0xcd76e4958d436d13L,0xd4d9c2218fb080afL,0x665c1728e8ad3fb5L,
+        0xcf1ebe4db3d572e0L } },
+    /* 64 << 14 */
+    { { 0xa7a8746a584c5e20L,0x267e4ea1b9dc7035L,0x593a15cfb9548c9bL,
+        0x5e6e21354bd012f3L },
+      { 0xdf31cc6a8c8f936eL,0x8af84d04b5c241dcL,0x63990a6f345efb86L,
+        0x6fef4e61b9b962cbL } },
+    /* 0 << 21 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 21 */
+    { { 0xf6368f0925722608L,0x131260db131cf5c6L,0x40eb353bfab4f7acL,
+        0x85c7888037eee829L },
+      { 0x4c1581ffc3bdf24eL,0x5bff75cbf5c3c5a8L,0x35e8c83fa14e6f40L,
+        0xb81d1c0f0295e0caL } },
+    /* 2 << 21 */
+    { { 0xfcde7cc8f43a730fL,0xe89b6f3c33ab590eL,0xc823f529ad03240bL,
+        0x82b79afe98bea5dbL },
+      { 0x568f2856962fe5deL,0x0c590adb60c591f3L,0x1fc74a144a28a858L,
+        0x3b662498b3203f4cL } },
+    /* 3 << 21 */
+    { { 0x91e3cf0d6c39765aL,0xa2db3acdac3cca0bL,0x288f2f08cb953b50L,
+        0x2414582ccf43cf1aL },
+      { 0x8dec8bbc60eee9a8L,0x54c79f02729aa042L,0xd81cd5ec6532f5d5L,
+        0xa672303acf82e15fL } },
+    /* 4 << 21 */
+    { { 0x376aafa8719c0563L,0xcd8ad2dcbc5fc79fL,0x303fdb9fcb750cd3L,
+        0x14ff052f4418b08eL },
+      { 0xf75084cf3e2d6520L,0x7ebdf0f8144ed509L,0xf43bf0f2d3f25b98L,
+        0x86ad71cfa354d837L } },
+    /* 5 << 21 */
+    { { 0xb827fe9226f43572L,0xdfd3ab5b5d824758L,0x315dd23a539094c1L,
+        0x85c0e37a66623d68L },
+      { 0x575c79727be19ae0L,0x616a3396df0d36b5L,0xa1ebb3c826b1ff7eL,
+        0x635b9485140ad453L } },
+    /* 6 << 21 */
+    { { 0x92bf3cdada430c0bL,0x4702850e3a96dac6L,0xc91cf0a515ac326aL,
+        0x95de4f49ab8c25e4L },
+      { 0xb01bad09e265c17cL,0x24e45464087b3881L,0xd43e583ce1fac5caL,
+        0xe17cb3186ead97a6L } },
+    /* 7 << 21 */
+    { { 0x6cc3924374dcec46L,0x33cfc02d54c2b73fL,0x82917844f26cd99cL,
+        0x8819dd95d1773f89L },
+      { 0x09572aa60871f427L,0x8e0cf365f6f01c34L,0x7fa52988bff1f5afL,
+        0x4eb357eae75e8e50L } },
+    /* 8 << 21 */
+    { { 0xd9d0c8c4868af75dL,0xd7325cff45c8c7eaL,0xab471996cc81ecb0L,
+        0xff5d55f3611824edL },
+      { 0xbe3145411977a0eeL,0x5085c4c5722038c6L,0x2d5335bff94bb495L,
+        0x894ad8a6c8e2a082L } },
+    /* 9 << 21 */
+    { { 0x5c3e2341ada35438L,0xf4a9fc89049b8c4eL,0xbeeb355a9f17cf34L,
+        0x3f311e0e6c91fe10L },
+      { 0xc2d2003892ab9891L,0x257bdcc13e8ce9a9L,0x1b2d978988c53beeL,
+        0x927ce89acdba143aL } },
+    /* 10 << 21 */
+    { { 0xb0a32cca523db280L,0x5c889f8a50d43783L,0x503e04b34897d16fL,
+        0x8cdb6e7808f5f2e8L },
+      { 0x6ab91cf0179c8e74L,0xd8874e5248211d60L,0xf948d4d5ea851200L,
+        0x4076d41ee6f9840aL } },
+    /* 11 << 21 */
+    { { 0xc20e263c47b517eaL,0x79a448fd30685e5eL,0xe55f6f78f90631a0L,
+        0x88a790b1a79e6346L },
+      { 0x62160c7d80969fe8L,0x54f92fd441491bb9L,0xa6645c235c957526L,
+        0xf44cc5aebea3ce7bL } },
+    /* 12 << 21 */
+    { { 0xf76283278b1e68b7L,0xc731ad7a303f29d3L,0xfe5a9ca957d03ecbL,
+        0x96c0d50c41bc97a7L },
+      { 0xc4669fe79b4f7f24L,0xfdd781d83d9967efL,0x7892c7c35d2c208dL,
+        0x8bf64f7cae545cb3L } },
+    /* 13 << 21 */
+    { { 0xc01f862c467be912L,0xf4c85ee9c73d30ccL,0x1fa6f4be6ab83ec7L,
+        0xa07a3c1c4e3e3cf9L },
+      { 0x87f8ef450c00beb3L,0x30e2c2b3000d4c3eL,0x1aa00b94fe08bf5bL,
+        0x32c133aa9224ef52L } },
+    /* 14 << 21 */
+    { { 0x38df16bb32e5685dL,0x68a9e06958e6f544L,0x495aaff7cdc5ebc6L,
+        0xf894a645378b135fL },
+      { 0xf316350a09e27ecfL,0xeced201e58f7179dL,0x2eec273ce97861baL,
+        0x47ec2caed693be2eL } },
+    /* 15 << 21 */
+    { { 0xfa4c97c4f68367ceL,0xe4f47d0bbe5a5755L,0x17de815db298a979L,
+        0xd7eca659c177dc7dL },
+      { 0x20fdbb7149ded0a3L,0x4cb2aad4fb34d3c5L,0x2cf31d2860858a33L,
+        0x3b6873efa24aa40fL } },
+    /* 16 << 21 */
+    { { 0x540234b22c11bb37L,0x2d0366dded4c74a3L,0xf9a968daeec5f25dL,
+        0x3660106867b63142L },
+      { 0x07cd6d2c68d7b6d4L,0xa8f74f090c842942L,0xe27514047768b1eeL,
+        0x4b5f7e89fe62aee4L } },
+    /* 17 << 21 */
+    { { 0xc6a7717789070d26L,0xa1f28e4edd1c8bc7L,0xea5f4f06469e1f17L,
+        0x78fc242afbdb78e0L },
+      { 0xc9c7c5928b0588f1L,0xb6b7a0fd1535921eL,0xcc5bdb91bde5ae35L,
+        0xb42c485e12ff1864L } },
+    /* 18 << 21 */
+    { { 0xa1113e13dbab98aaL,0xde9d469ba17b1024L,0x23f48b37c0462d3aL,
+        0x3752e5377c5c078dL },
+      { 0xe3a86add15544eb9L,0xf013aea780fba279L,0x8b5bb76cf22001b5L,
+        0xe617ba14f02891abL } },
+    /* 19 << 21 */
+    { { 0xd39182a6936219d3L,0x5ce1f194ae51cb19L,0xc78f8598bf07a74cL,
+        0x6d7158f222cbf1bcL },
+      { 0x3b846b21e300ce18L,0x35fba6302d11275dL,0x5fe25c36a0239b9bL,
+        0xd8beb35ddf05d940L } },
+    /* 20 << 21 */
+    { { 0x4db02bb01f7e320dL,0x0641c3646da320eaL,0x6d95fa5d821389a3L,
+        0x926997488fcd8e3dL },
+      { 0x316fef17ceb6c143L,0x67fcb841d933762bL,0xbb837e35118b17f8L,
+        0x4b92552f9fd24821L } },
+    /* 21 << 21 */
+    { { 0xae6bc70e46aca793L,0x1cf0b0e4e579311bL,0x8dc631be5802f716L,
+        0x099bdc6fbddbee4dL },
+      { 0xcc352bb20caf8b05L,0xf74d505a72d63df2L,0xb9876d4b91c4f408L,
+        0x1ce184739e229b2dL } },
+    /* 22 << 21 */
+    { { 0x4950759783abdb4aL,0x850fbcb6dee84b18L,0x6325236e609e67dcL,
+        0x04d831d99336c6d8L },
+      { 0x8deaae3bfa12d45dL,0xe425f8ce4746e246L,0x8004c17524f5f31eL,
+        0xaca16d8fad62c3b7L } },
+    /* 23 << 21 */
+    { { 0x0dc15a6a9152f934L,0xf1235e5ded0e12c1L,0xc33c06ecda477dacL,
+        0x76be8732b2ea0006L },
+      { 0xcf3f78310c0cd313L,0x3c524553a614260dL,0x31a756f8cab22d15L,
+        0x03ee10d177827a20L } },
+    /* 24 << 21 */
+    { { 0xd1e059b21994ef20L,0x2a653b69638ae318L,0x70d5eb582f699010L,
+        0x279739f709f5f84aL },
+      { 0x5da4663c8b799336L,0xfdfdf14d203c37ebL,0x32d8a9dca1dbfb2dL,
+        0xab40cff077d48f9bL } },
+    /* 25 << 21 */
+    { { 0xc018b383d20b42d5L,0xf9a810ef9f78845fL,0x40af3753bdba9df0L,
+        0xb90bdcfc131dfdf9L },
+      { 0x18720591f01ab782L,0xc823f2116af12a88L,0xa51b80f30dc14401L,
+        0xde248f77fb2dfbe3L } },
+    /* 26 << 21 */
+    { { 0xef5a44e50cafe751L,0x73997c9cd4dcd221L,0x32fd86d1de854024L,
+        0xd5b53adca09b84bbL },
+      { 0x008d7a11dcedd8d1L,0x406bd1c874b32c84L,0x5d4472ff05dde8b1L,
+        0x2e25f2cdfce2b32fL } },
+    /* 27 << 21 */
+    { { 0xbec0dd5e29dfc254L,0x4455fcf62b98b267L,0x0b4d43a5c72df2adL,
+        0xea70e6be48a75397L },
+      { 0x2aad61695820f3bfL,0xf410d2dd9e37f68fL,0x70fb7dba7be5ac83L,
+        0x636bb64536ec3eecL } },
+    /* 28 << 21 */
+    { { 0x27104ea39754e21cL,0xbc87a3e68d63c373L,0x483351d74109db9aL,
+        0x0fa724e360134da7L },
+      { 0x9ff44c29b0720b16L,0x2dd0cf1306aceeadL,0x5942758ce26929a6L,
+        0x96c5db92b766a92bL } },
+    /* 29 << 21 */
+    { { 0xcec7d4c05f18395eL,0xd3f227441f80d032L,0x7a68b37acb86075bL,
+        0x074764ddafef92dbL },
+      { 0xded1e9507bc7f389L,0xc580c850b9756460L,0xaeeec2a47da48157L,
+        0x3f0b4e7f82c587b3L } },
+    /* 30 << 21 */
+    { { 0x231c6de8a9f19c53L,0x5717bd736974e34eL,0xd9e1d216f1508fa9L,
+        0x9f112361dadaa124L },
+      { 0x80145e31823b7348L,0x4dd8f0d5ac634069L,0xe3d82fc72297c258L,
+        0x276fcfee9cee7431L } },
+    /* 31 << 21 */
+    { { 0x8eb61b5e2bc0aea9L,0x4f668fd5de329431L,0x03a32ab138e4b87eL,
+        0xe137451773d0ef0bL },
+      { 0x1a46f7e6853ac983L,0xc3bdf42e68e78a57L,0xacf207852ea96dd1L,
+        0xa10649b9f1638460L } },
+    /* 32 << 21 */
+    { { 0xf2369f0b879fbbedL,0x0ff0ae86da9d1869L,0x5251d75956766f45L,
+        0x4984d8c02be8d0fcL },
+      { 0x7ecc95a6d21008f0L,0x29bd54a03a1a1c49L,0xab9828c5d26c50f3L,
+        0x32c0087c51d0d251L } },
+    /* 33 << 21 */
+    { { 0x9bac3ce60c1cdb26L,0xcd94d947557ca205L,0x1b1bd5989db1fdcdL,
+        0x0eda0108a3d8b149L },
+      { 0x9506661056152fccL,0xc2f037e6e7192b33L,0xdeffb41ac92e05a4L,
+        0x1105f6c2c2f6c62eL } },
+    /* 34 << 21 */
+    { { 0x68e735008733913cL,0xcce861633f3adc40L,0xf407a94238a278e9L,
+        0xd13c1b9d2ab21292L },
+      { 0x93ed7ec71c74cf5cL,0x8887dc48f1a4c1b4L,0x3830ff304b3a11f1L,
+        0x358c5a3c58937cb6L } },
+    /* 35 << 21 */
+    { { 0x027dc40489022829L,0x40e939773b798f79L,0x90ad333738be6eadL,
+        0x9c23f6bcf34c0a5dL },
+      { 0xd1711a35fbffd8bbL,0x60fcfb491949d3ddL,0x09c8ef4b7825d93aL,
+        0x24233cffa0a8c968L } },
+    /* 36 << 21 */
+    { { 0x67ade46ce6d982afL,0xebb6bf3ee7544d7cL,0xd6b9ba763d8bd087L,
+        0x46fe382d4dc61280L },
+      { 0xbd39a7e8b5bdbd75L,0xab381331b8f228feL,0x0709a77cce1c4300L,
+        0x6a247e56f337ceacL } },
+    /* 37 << 21 */
+    { { 0x8f34f21b636288beL,0x9dfdca74c8a7c305L,0x6decfd1bea919e04L,
+        0xcdf2688d8e1991f8L },
+      { 0xe607df44d0f8a67eL,0xd985df4b0b58d010L,0x57f834c50c24f8f4L,
+        0xe976ef56a0bf01aeL } },
+    /* 38 << 21 */
+    { { 0x536395aca1c32373L,0x351027aa734c0a13L,0xd2f1b5d65e6bd5bcL,
+        0x2b539e24223debedL },
+      { 0xd4994cec0eaa1d71L,0x2a83381d661dcf65L,0x5f1aed2f7b54c740L,
+        0x0bea3fa5d6dda5eeL } },
+    /* 39 << 21 */
+    { { 0x9d4fb68436cc6134L,0x8eb9bbf3c0a443ddL,0xfc500e2e383b7d2aL,
+        0x7aad621c5b775257L },
+      { 0x69284d740a8f7cc0L,0xe820c2ce07562d65L,0xbf9531b9499758eeL,
+        0x73e95ca56ee0cc2dL } },
+    /* 40 << 21 */
+    { { 0xf61790abfbaf50a5L,0xdf55e76b684e0750L,0xec516da7f176b005L,
+        0x575553bb7a2dddc7L },
+      { 0x37c87ca3553afa73L,0x315f3ffc4d55c251L,0xe846442aaf3e5d35L,
+        0x61b911496495ff28L } },
+    /* 41 << 21 */
+    { { 0x23cc95d3fa326dc3L,0x1df4da1f18fc2ceaL,0x24bf9adcd0a37d59L,
+        0xb6710053320d6e1eL },
+      { 0x96f9667e618344d1L,0xcc7ce042a06445afL,0xa02d8514d68dbc3aL,
+        0x4ea109e4280b5a5bL } },
+    /* 42 << 21 */
+    { { 0x5741a7acb40961bfL,0x4ada59376aa56bfaL,0x7feb914502b765d1L,
+        0x561e97bee6ad1582L },
+      { 0xbbc4a5b6da3982f5L,0x0c2659edb546f468L,0xb8e7e6aa59612d20L,
+        0xd83dfe20ac19e8e0L } },
+    /* 43 << 21 */
+    { { 0x8530c45fb835398cL,0x6106a8bfb38a41c2L,0x21e8f9a635f5dcdbL,
+        0x39707137cae498edL },
+      { 0x70c23834d8249f00L,0x9f14b58fab2537a0L,0xd043c3655f61c0c2L,
+        0xdc5926d609a194a7L } },
+    /* 44 << 21 */
+    { { 0xddec03398e77738aL,0xd07a63effba46426L,0x2e58e79cee7f6e86L,
+        0xe59b0459ff32d241L },
+      { 0xc5ec84e520fa0338L,0x97939ac8eaff5aceL,0x0310a4e3b4a38313L,
+        0x9115fba28f9d9885L } },
+    /* 45 << 21 */
+    { { 0x8dd710c25fadf8c3L,0x66be38a2ce19c0e2L,0xd42a279c4cfe5022L,
+        0x597bb5300e24e1b8L },
+      { 0x3cde86b7c153ca7fL,0xa8d30fb3707d63bdL,0xac905f92bd60d21eL,
+        0x98e7ffb67b9a54abL } },
+    /* 46 << 21 */
+    { { 0xd7147df8e9726a30L,0xb5e216ffafce3533L,0xb550b7992ff1ec40L,
+        0x6b613b87a1e953fdL },
+      { 0x87b88dba792d5610L,0x2ee1270aa190fbe1L,0x02f4e2dc2ef581daL,
+        0x016530e4eff82a95L } },
+    /* 47 << 21 */
+    { { 0xcbb93dfd8fd6ee89L,0x16d3d98646848fffL,0x600eff241da47adfL,
+        0x1b9754a00ad47a71L },
+      { 0x8f9266df70c33b98L,0xaadc87aedf34186eL,0x0d2ce8e14ad24132L,
+        0x8a47cbfc19946ebaL } },
+    /* 48 << 21 */
+    { { 0x47feeb6662b5f3afL,0xcefab5610abb3734L,0x449de60e19f35cb1L,
+        0x39f8db14157f0eb9L },
+      { 0xffaecc5b3c61bfd6L,0xa5a4d41d41216703L,0x7f8fabed224e1cc2L,
+        0x0d5a8186871ad953L } },
+    /* 49 << 21 */
+    { { 0xf10774f7d22da9a9L,0x45b8a678cc8a9b0dL,0xd9c2e722bdc32cffL,
+        0xbf71b5f5337202a5L },
+      { 0x95c57f2f69fc4db9L,0xb6dad34c765d01e1L,0x7e0bd13fcb904635L,
+        0x61751253763a588cL } },
+    /* 50 << 21 */
+    { { 0xd85c299781af2c2dL,0xc0f7d9c481b9d7daL,0x838a34ae08533e8dL,
+        0x15c4cb08311d8311L },
+      { 0x97f832858e121e14L,0xeea7dc1e85000a5fL,0x0c6059b65d256274L,
+        0xec9beaceb95075c0L } },
+    /* 51 << 21 */
+    { { 0x173daad71df97828L,0xbf851cb5a8937877L,0xb083c59401646f3cL,
+        0x3bad30cf50c6d352L },
+      { 0xfeb2b202496bbceaL,0x3cf9fd4f18a1e8baL,0xd26de7ff1c066029L,
+        0x39c81e9e4e9ed4f8L } },
+    /* 52 << 21 */
+    { { 0xd8be0cb97b390d35L,0x01df2bbd964aab27L,0x3e8c1a65c3ef64f8L,
+        0x567291d1716ed1ddL },
+      { 0x95499c6c5f5406d3L,0x71fdda395ba8e23fL,0xcfeb320ed5096eceL,
+        0xbe7ba92bca66dd16L } },
+    /* 53 << 21 */
+    { { 0x4608d36bc6fb5a7dL,0xe3eea15a6d2dd0e0L,0x75b0a3eb8f97a36aL,
+        0xf59814cc1c83de1eL },
+      { 0x56c9c5b01c33c23fL,0xa96c1da46faa4136L,0x46bf2074de316551L,
+        0x3b866e7b1f756c8fL } },
+    /* 54 << 21 */
+    { { 0x727727d81495ed6bL,0xb2394243b682dce7L,0x8ab8454e758610f3L,
+        0xc243ce84857d72a4L },
+      { 0x7b320d71dbbf370fL,0xff9afa3778e0f7caL,0x0119d1e0ea7b523fL,
+        0xb997f8cb058c7d42L } },
+    /* 55 << 21 */
+    { { 0x285bcd2a37bbb184L,0x51dcec49a45d1fa6L,0x6ade3b64e29634cbL,
+        0x080c94a726b86ef1L },
+      { 0xba583db12283fbe3L,0x902bddc85a9315edL,0x07c1ccb386964becL,
+        0x78f4eacfb6258301L } },
+    /* 56 << 21 */
+    { { 0x4bdf3a4956f90823L,0xba0f5080741d777bL,0x091d71c3f38bf760L,
+        0x9633d50f9b625b02L },
+      { 0x03ecb743b8c9de61L,0xb47512545de74720L,0x9f9defc974ce1cb2L,
+        0x774a4f6a00bd32efL } },
+    /* 57 << 21 */
+    { { 0xaca385f773848f22L,0x53dad716f3f8558eL,0xab7b34b093c471f9L,
+        0xf530e06919644bc7L },
+      { 0x3d9fb1ffdd59d31aL,0x4382e0df08daa795L,0x165c6f4bd5cc88d7L,
+        0xeaa392d54a18c900L } },
+    /* 58 << 21 */
+    { { 0x94203c67648024eeL,0x188763f28c2fabcdL,0xa80f87acbbaec835L,
+        0x632c96e0f29d8d54L },
+      { 0x29b0a60e4c00a95eL,0x2ef17f40e011e9faL,0xf6c0e1d115b77223L,
+        0xaaec2c6214b04e32L } },
+    /* 59 << 21 */
+    { { 0xd35688d83d84e58cL,0x2af5094c958571dbL,0x4fff7e19760682a6L,
+        0x4cb27077e39a407cL },
+      { 0x0f59c5474ff0e321L,0x169f34a61b34c8ffL,0x2bff109652bc1ba7L,
+        0xa25423b783583544L } },
+    /* 60 << 21 */
+    { { 0x5d55d5d50ac8b782L,0xff6622ec2db3c892L,0x48fce7416b8bb642L,
+        0x31d6998c69d7e3dcL },
+      { 0xdbaf8004cadcaed0L,0x801b0142d81d053cL,0x94b189fc59630ec6L,
+        0x120e9934af762c8eL } },
+    /* 61 << 21 */
+    { { 0x53a29aa4fdc6a404L,0x19d8e01ea1909948L,0x3cfcabf1d7e89681L,
+        0x3321a50d4e132d37L },
+      { 0xd0496863e9a86111L,0x8c0cde6106a3bc65L,0xaf866c49fc9f8eefL,
+        0x2066350eff7f5141L } },
+    /* 62 << 21 */
+    { { 0x4f8a4689e56ddfbdL,0xea1b0c07fe32983aL,0x2b317462873cb8cbL,
+        0x658deddc2d93229fL },
+      { 0x65efaf4d0f64ef58L,0xfe43287d730cc7a8L,0xaebc0c723d047d70L,
+        0x92efa539d92d26c9L } },
+    /* 63 << 21 */
+    { { 0x06e7845794b56526L,0x415cb80f0961002dL,0x89e5c56576dcb10fL,
+        0x8bbb6982ff9259feL },
+      { 0x4fe8795b9abc2668L,0xb5d4f5341e678fb1L,0x6601f3be7b7da2b9L,
+        0x98da59e2a13d6805L } },
+    /* 64 << 21 */
+    { { 0x190d8ea601799a52L,0xa20cec41b86d2952L,0x3062ffb27fff2a7cL,
+        0x741b32e579f19d37L },
+      { 0xf80d81814eb57d47L,0x7a2d0ed416aef06bL,0x09735fb01cecb588L,
+        0x1641caaac6061f5bL } },
+    /* 0 << 28 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 28 */
+    { { 0x7f99824f20151427L,0x206828b692430206L,0xaa9097d7e1112357L,
+        0xacf9a2f209e414ecL },
+      { 0xdbdac9da27915356L,0x7e0734b7001efee3L,0x54fab5bbd2b288e2L,
+        0x4c630fc4f62dd09cL } },
+    /* 2 << 28 */
+    { { 0x8537107a1ac2703bL,0xb49258d86bc857b5L,0x57df14debcdaccd1L,
+        0x24ab68d7c4ae8529L },
+      { 0x7ed8b5d4734e59d0L,0x5f8740c8c495cc80L,0x84aedd5a291db9b3L,
+        0x80b360f84fb995beL } },
+    /* 3 << 28 */
+    { { 0xae915f5d5fa067d1L,0x4134b57f9668960cL,0xbd3656d6a48edaacL,
+        0xdac1e3e4fc1d7436L },
+      { 0x674ff869d81fbb26L,0x449ed3ecb26c33d4L,0x85138705d94203e8L,
+        0xccde538bbeeb6f4aL } },
+    /* 4 << 28 */
+    { { 0x55d5c68da61a76faL,0x598b441dca1554dcL,0xd39923b9773b279cL,
+        0x33331d3c36bf9efcL },
+      { 0x2d4c848e298de399L,0xcfdb8e77a1a27f56L,0x94c855ea57b8ab70L,
+        0xdcdb9dae6f7879baL } },
+    /* 5 << 28 */
+    { { 0x7bdff8c2019f2a59L,0xb3ce5bb3cb4fbc74L,0xea907f688a9173ddL,
+        0x6cd3d0d395a75439L },
+      { 0x92ecc4d6efed021cL,0x09a9f9b06a77339aL,0x87ca6b157188c64aL,
+        0x10c2996844899158L } },
+    /* 6 << 28 */
+    { { 0x5859a229ed6e82efL,0x16f338e365ebaf4eL,0x0cd313875ead67aeL,
+        0x1c73d22854ef0bb4L },
+      { 0x4cb5513174a5c8c7L,0x01cd29707f69ad6aL,0xa04d00dde966f87eL,
+        0xd96fe4470b7b0321L } },
+    /* 7 << 28 */
+    { { 0x342ac06e88fbd381L,0x02cd4a845c35a493L,0xe8fa89de54f1bbcdL,
+        0x341d63672575ed4cL },
+      { 0xebe357fbd238202bL,0x600b4d1aa984ead9L,0xc35c9f4452436ea0L,
+        0x96fe0a39a370751bL } },
+    /* 8 << 28 */
+    { { 0x4c4f07367f636a38L,0x9f943fb70e76d5cbL,0xb03510baa8b68b8bL,
+        0xc246780a9ed07a1fL },
+      { 0x3c0514156d549fc2L,0xc2953f31607781caL,0x955e2c69d8d95413L,
+        0xb300fadc7bd282e3L } },
+    /* 9 << 28 */
+    { { 0x81fe7b5087e9189fL,0xdb17375cf42dda27L,0x22f7d896cf0a5904L,
+        0xa0e57c5aebe348e6L },
+      { 0xa61011d3f40e3c80L,0xb11893218db705c5L,0x4ed9309e50fedec3L,
+        0xdcf14a104d6d5c1dL } },
+    /* 10 << 28 */
+    { { 0x056c265b55691342L,0xe8e0850491049dc7L,0x131329f5c9bae20aL,
+        0x96c8b3e8d9dccdb4L },
+      { 0x8c5ff838fb4ee6b4L,0xfc5a9aeb41e8ccf0L,0x7417b764fae050c6L,
+        0x0953c3d700452080L } },
+    /* 11 << 28 */
+    { { 0x2137268238dfe7e8L,0xea417e152bb79d4bL,0x59641f1c76e7cf2dL,
+        0x271e3059ea0bcfccL },
+      { 0x624c7dfd7253ecbdL,0x2f552e254fca6186L,0xcbf84ecd4d866e9cL,
+        0x73967709f68d4610L } },
+    /* 12 << 28 */
+    { { 0xa14b1163c27901b4L,0xfd9236e0899b8bf3L,0x42b091eccbc6da0aL,
+        0xbb1dac6f5ad1d297L },
+      { 0x80e61d53a91cf76eL,0x4110a412d31f1ee7L,0x2d87c3ba13efcf77L,
+        0x1f374bb4df450d76L } },
+    /* 13 << 28 */
+    { { 0x5e78e2f20d188dabL,0xe3968ed0f4b885efL,0x46c0568e7314570fL,
+        0x3161633801170521L },
+      { 0x18e1e7e24f0c8afeL,0x4caa75ffdeea78daL,0x82db67f27c5d8a51L,
+        0x36a44d866f505370L } },
+    /* 14 << 28 */
+    { { 0xd72c5bda0333974fL,0x5db516ae27a70146L,0x34705281210ef921L,
+        0xbff17a8f0c9c38e5L },
+      { 0x78f4814e12476da1L,0xc1e1661333c16980L,0x9e5b386f424d4bcaL,
+        0x4c274e87c85740deL } },
+    /* 15 << 28 */
+    { { 0xb6a9b88d6c2f5226L,0x14d1b944550d7ca8L,0x580c85fc1fc41709L,
+        0xc1da368b54c6d519L },
+      { 0x2b0785ced5113cf7L,0x0670f6335a34708fL,0x46e2376715cc3f88L,
+        0x1b480cfa50c72c8fL } },
+    /* 16 << 28 */
+    { { 0x202886024147519aL,0xd0981eac26b372f0L,0xa9d4a7caa785ebc8L,
+        0xd953c50ddbdf58e9L },
+      { 0x9d6361ccfd590f8fL,0x72e9626b44e6c917L,0x7fd9611022eb64cfL,
+        0x863ebb7e9eb288f3L } },
+    /* 17 << 28 */
+    { { 0x6e6ab7616aca8ee7L,0x97d10b39d7b40358L,0x1687d3771e5feb0dL,
+        0xc83e50e48265a27aL },
+      { 0x8f75a9fec954b313L,0xcc2e8f47310d1f61L,0xf5ba81c56557d0e0L,
+        0x25f9680c3eaf6207L } },
+    /* 18 << 28 */
+    { { 0xf95c66094354080bL,0x5225bfa57bf2fe1cL,0xc5c004e25c7d98faL,
+        0x3561bf1c019aaf60L },
+      { 0x5e6f9f17ba151474L,0xdec2f934b04f6ecaL,0x64e368a1269acb1eL,
+        0x1332d9e40cdda493L } },
+    /* 19 << 28 */
+    { { 0x60d6cf69df23de05L,0x66d17da2009339a0L,0x9fcac9850a693923L,
+        0xbcf057fced7c6a6dL },
+      { 0xc3c5c8c5f0b5662cL,0x25318dd8dcba4f24L,0x60e8cb75082b69ffL,
+        0x7c23b3ee1e728c01L } },
+    /* 20 << 28 */
+    { { 0x15e10a0a097e4403L,0xcb3d0a8619854665L,0x88d8e211d67d4826L,
+        0xb39af66e0b9d2839L },
+      { 0xa5f94588bd475ca8L,0xe06b7966c077b80bL,0xfedb1485da27c26cL,
+        0xd290d33afe0fd5e0L } },
+    /* 21 << 28 */
+    { { 0xa40bcc47f34fb0faL,0xb4760cc81fb1ab09L,0x8fca0993a273bfe3L,
+        0x13e4fe07f70b213cL },
+      { 0x3bcdb992fdb05163L,0x8c484b110c2b19b6L,0x1acb815faaf2e3e2L,
+        0xc6905935b89ff1b4L } },
+    /* 22 << 28 */
+    { { 0xb2ad6f9d586e74e1L,0x488883ad67b80484L,0x758aa2c7369c3ddbL,
+        0x8ab74e699f9afd31L },
+      { 0x10fc2d285e21beb1L,0x3484518a318c42f9L,0x377427dc53cf40c3L,
+        0x9de0781a391bc1d9L } },
+    /* 23 << 28 */
+    { { 0x8faee858693807e1L,0xa38653274e81ccc7L,0x02c30ff26f835b84L,
+        0xb604437b0d3d38d4L },
+      { 0xb3fc8a985ca1823dL,0xb82f7ec903be0324L,0xee36d761cf684a33L,
+        0x5a01df0e9f29bf7dL } },
+    /* 24 << 28 */
+    { { 0x686202f31306583dL,0x05b10da0437c622eL,0xbf9aaa0f076a7bc8L,
+        0x25e94efb8f8f4e43L },
+      { 0x8a35c9b7fa3dc26dL,0xe0e5fb9396ff03c5L,0xa77e3843ebc394ceL,
+        0xcede65958361de60L } },
+    /* 25 << 28 */
+    { { 0xd27c22f6a1993545L,0xab01cc3624d671baL,0x63fa2877a169c28eL,
+        0x925ef9042eb08376L },
+      { 0x3b2fa3cf53aa0b32L,0xb27beb5b71c49d7aL,0xb60e1834d105e27fL,
+        0xd60897884f68570dL } },
+    /* 26 << 28 */
+    { { 0x23094ce0d6fbc2acL,0x738037a1815ff551L,0xda73b1bb6bef119cL,
+        0xdcf6c430eef506baL },
+      { 0x00e4fe7be3ef104aL,0xebdd9a2c0a065628L,0x853a81c38792043eL,
+        0x22ad6eceb3b59108L } },
+    /* 27 << 28 */
+    { { 0x9fb813c039cd297dL,0x8ec7e16e05bda5d9L,0x2834797c0d104b96L,
+        0xcc11a2e77c511510L },
+      { 0x96ca5a5396ee6380L,0x054c8655cea38742L,0xb5946852d54dfa7dL,
+        0x97c422e71f4ab207L } },
+    /* 28 << 28 */
+    { { 0xbf9075090c22b540L,0x2cde42aab7c267d4L,0xba18f9ed5ab0d693L,
+        0x3ba62aa66e4660d9L },
+      { 0xb24bf97bab9ea96aL,0x5d039642e3b60e32L,0x4e6a45067c4d9bd5L,
+        0x666c5b9e7ed4a6a4L } },
+    /* 29 << 28 */
+    { { 0xfa3fdcd98edbd7ccL,0x4660bb87c6ccd753L,0x9ae9082021e6b64fL,
+        0x8a56a713b36bfb3fL },
+      { 0xabfce0965726d47fL,0x9eed01b20b1a9a7fL,0x30e9cad44eb74a37L,
+        0x7b2524cc53e9666dL } },
+    /* 30 << 28 */
+    { { 0x6a29683b8f4b002fL,0xc2200d7a41f4fc20L,0xcf3af47a3a338accL,
+        0x6539a4fbe7128975L },
+      { 0xcec31c14c33c7fcfL,0x7eb6799bc7be322bL,0x119ef4e96646f623L,
+        0x7b7a26a554d7299bL } },
+    /* 31 << 28 */
+    { { 0xcb37f08d403f46f2L,0x94b8fc431a0ec0c7L,0xbb8514e3c332142fL,
+        0xf3ed2c33e80d2a7aL },
+      { 0x8d2080afb639126cL,0xf7b6be60e3553adeL,0x3950aa9f1c7e2b09L,
+        0x847ff9586410f02bL } },
+    /* 32 << 28 */
+    { { 0x877b7cf5678a31b0L,0xd50301ae3998b620L,0x734257c5c00fb396L,
+        0xf9fb18a004e672a6L },
+      { 0xff8bd8ebe8758851L,0x1e64e4c65d99ba44L,0x4b8eaedf7dfd93b7L,
+        0xba2f2a9804e76b8cL } },
+    /* 33 << 28 */
+    { { 0x7d790cbae8053433L,0xc8e725a03d2c9585L,0x58c5c476cdd8f5edL,
+        0xd106b952efa9fe1dL },
+      { 0x3c5c775b0eff13a9L,0x242442bae057b930L,0xe9f458d4c9b70cbdL,
+        0x69b71448a3cdb89aL } },
+    /* 34 << 28 */
+    { { 0x41ee46f60e2ed742L,0x573f104540067493L,0xb1e154ff9d54c304L,
+        0x2ad0436a8d3a7502L },
+      { 0xee4aaa2d431a8121L,0xcd38b3ab886f11edL,0x57d49ea6034a0eb7L,
+        0xd2b773bdf7e85e58L } },
+    /* 35 << 28 */
+    { { 0x4a559ac49b5c1f14L,0xc444be1a3e54df2bL,0x13aad704eda41891L,
+        0xcd927bec5eb5c788L },
+      { 0xeb3c8516e48c8a34L,0x1b7ac8124b546669L,0x1815f896594df8ecL,
+        0x87c6a79c79227865L } },
+    /* 36 << 28 */
+    { { 0xae02a2f09b56ddbdL,0x1339b5ac8a2f1cf3L,0xf2b569c7839dff0dL,
+        0xb0b9e864fee9a43dL },
+      { 0x4ff8ca4177bb064eL,0x145a2812fd249f63L,0x3ab7beacf86f689aL,
+        0x9bafec2701d35f5eL } },
+    /* 37 << 28 */
+    { { 0x28054c654265aa91L,0xa4b18304035efe42L,0x6887b0e69639dec7L,
+        0xf4b8f6ad3d52aea5L },
+      { 0xfb9293cc971a8a13L,0x3f159e5d4c934d07L,0x2c50e9b109acbc29L,
+        0x08eb65e67154d129L } },
+    /* 38 << 28 */
+    { { 0x4feff58930b75c3eL,0x0bb82fe294491c93L,0xd8ac377a89af62bbL,
+        0xd7b514909685e49fL },
+      { 0xabca9a7b04497f19L,0x1b35ed0a1a7ad13fL,0x6b601e213ec86ed6L,
+        0xda91fcb9ce0c76f1L } },
+    /* 39 << 28 */
+    { { 0x9e28507bd7ab27e1L,0x7c19a55563945b7bL,0x6b43f0a1aafc9827L,
+        0x443b4fbd3aa55b91L },
+      { 0x962b2e656962c88fL,0x139da8d4ce0db0caL,0xb93f05dd1b8d6c4fL,
+        0x779cdff7180b9824L } },
+    /* 40 << 28 */
+    { { 0xbba23fddae57c7b7L,0x345342f21b932522L,0xfd9c80fe556d4aa3L,
+        0xa03907ba6525bb61L },
+      { 0x38b010e1ff218933L,0xc066b654aa52117bL,0x8e14192094f2e6eaL,
+        0x66a27dca0d32f2b2L } },
+    /* 41 << 28 */
+    { { 0x69c7f993048b3717L,0xbf5a989ab178ae1cL,0x49fa9058564f1d6bL,
+        0x27ec6e15d31fde4eL },
+      { 0x4cce03737276e7fcL,0x64086d7989d6bf02L,0x5a72f0464ccdd979L,
+        0x909c356647775631L } },
+    /* 42 << 28 */
+    { { 0x1c07bc6b75dd7125L,0xb4c6bc9787a0428dL,0x507ece52fdeb6b9dL,
+        0xfca56512b2c95432L },
+      { 0x15d97181d0e8bd06L,0x384dd317c6bb46eaL,0x5441ea203952b624L,
+        0xbcf70dee4e7dc2fbL } },
+    /* 43 << 28 */
+    { { 0x372b016e6628e8c3L,0x07a0d667b60a7522L,0xcf05751b0a344ee2L,
+        0x0ec09a48118bdeecL },
+      { 0x6e4b3d4ed83dce46L,0x43a6316d99d2fc6eL,0xa99d898956cf044cL,
+        0x7c7f4454ae3e5fb7L } },
+    /* 44 << 28 */
+    { { 0xb2e6b121fbabbe92L,0x281850fbe1330076L,0x093581ec97890015L,
+        0x69b1dded75ff77f5L },
+      { 0x7cf0b18fab105105L,0x953ced31a89ccfefL,0x3151f85feb914009L,
+        0x3c9f1b8788ed48adL } },
+    /* 45 << 28 */
+    { { 0xc9aba1a14a7eadcbL,0x928e7501522e71cfL,0xeaede7273a2e4f83L,
+        0x467e10d11ce3bbd3L },
+      { 0xf3442ac3b955dcf0L,0xba96307dd3d5e527L,0xf763a10efd77f474L,
+        0x5d744bd06a6e1ff0L } },
+    /* 46 << 28 */
+    { { 0xd287282aa777899eL,0xe20eda8fd03f3cdeL,0x6a7e75bb50b07d31L,
+        0x0b7e2a946f379de4L },
+      { 0x31cb64ad19f593cfL,0x7b1a9e4f1e76ef1dL,0xe18c9c9db62d609cL,
+        0x439bad6de779a650L } },
+    /* 47 << 28 */
+    { { 0x219d9066e032f144L,0x1db632b8e8b2ec6aL,0xff0d0fd4fda12f78L,
+        0x56fb4c2d2a25d265L },
+      { 0x5f4e2ee1255a03f1L,0x61cd6af2e96af176L,0xe0317ba8d068bc97L,
+        0x927d6bab264b988eL } },
+    /* 48 << 28 */
+    { { 0xa18f07e0e90fb21eL,0x00fd2b80bba7fca1L,0x20387f2795cd67b5L,
+        0x5b89a4e7d39707f7L },
+      { 0x8f83ad3f894407ceL,0xa0025b946c226132L,0xc79563c7f906c13bL,
+        0x5f548f314e7bb025L } },
+    /* 49 << 28 */
+    { { 0x2b4c6b8feac6d113L,0xa67e3f9c0e813c76L,0x3982717c3fe1f4b9L,
+        0x5886581926d8050eL },
+      { 0x99f3640cf7f06f20L,0xdc6102162a66ebc2L,0x52f2c175767a1e08L,
+        0x05660e1a5999871bL } },
+    /* 50 << 28 */
+    { { 0x6b0f17626d3c4693L,0xf0e7d62737ed7beaL,0xc51758c7b75b226dL,
+        0x40a886281f91613bL },
+      { 0x889dbaa7bbb38ce0L,0xe0404b65bddcad81L,0xfebccd3a8bc9671fL,
+        0xfbf9a357ee1f5375L } },
+    /* 51 << 28 */
+    { { 0x5dc169b028f33398L,0xb07ec11d72e90f65L,0xae7f3b4afaab1eb1L,
+        0xd970195e5f17538aL },
+      { 0x52b05cbe0181e640L,0xf5debd622643313dL,0x761481545df31f82L,
+        0x23e03b333a9e13c5L } },
+    /* 52 << 28 */
+    { { 0xff7589494fde0c1fL,0xbf8a1abee5b6ec20L,0x702278fb87e1db6cL,
+        0xc447ad7a35ed658fL },
+      { 0x48d4aa3803d0ccf2L,0x80acb338819a7c03L,0x9bc7c89e6e17ceccL,
+        0x46736b8b03be1d82L } },
+    /* 53 << 28 */
+    { { 0xd65d7b60c0432f96L,0xddebe7a3deb5442fL,0x79a253077dff69a2L,
+        0x37a56d9402cf3122L },
+      { 0x8bab8aedf2350d0aL,0x13c3f276037b0d9aL,0xc664957c44c65caeL,
+        0x88b44089c2e71a88L } },
+    /* 54 << 28 */
+    { { 0xdb88e5a35cb02664L,0x5d4c0bf18686c72eL,0xea3d9b62a682d53eL,
+        0x9b605ef40b2ad431L },
+      { 0x71bac202c69645d0L,0xa115f03a6a1b66e7L,0xfe2c563a158f4dc4L,
+        0xf715b3a04d12a78cL } },
+    /* 55 << 28 */
+    { { 0x8f7f0a48d413213aL,0x2035806dc04becdbL,0xecd34a995d8587f5L,
+        0x4d8c30799f6d3a71L },
+      { 0x1b2a2a678d95a8f6L,0xc58c9d7df2110d0dL,0xdeee81d5cf8fba3fL,
+        0xa42be3c00c7cdf68L } },
+    /* 56 << 28 */
+    { { 0x2126f742d43b5eaaL,0x054a0766dfa59b85L,0x9d0d5e36126bfd45L,
+        0xa1f8fbd7384f8a8fL },
+      { 0x317680f5d563fcccL,0x48ca5055f280a928L,0xe00b81b227b578cfL,
+        0x10aad9182994a514L } },
+    /* 57 << 28 */
+    { { 0xd9e07b62b7bdc953L,0x9f0f6ff25bc086ddL,0x09d1ccff655eee77L,
+        0x45475f795bef7df1L },
+      { 0x3faa28fa86f702ccL,0x92e609050f021f07L,0xe9e629687f8fa8c6L,
+        0xbd71419af036ea2cL } },
+    /* 58 << 28 */
+    { { 0x171ee1cc6028da9aL,0x5352fe1ac251f573L,0xf8ff236e3fa997f4L,
+        0xd831b6c9a5749d5fL },
+      { 0x7c872e1de350e2c2L,0xc56240d91e0ce403L,0xf9deb0776974f5cbL,
+        0x7d50ba87961c3728L } },
+    /* 59 << 28 */
+    { { 0xd6f894265a3a2518L,0xcf817799c6303d43L,0x510a0471619e5696L,
+        0xab049ff63a5e307bL },
+      { 0xe4cdf9b0feb13ec7L,0xd5e971179d8ff90cL,0xf6f64d069afa96afL,
+        0x00d0bf5e9d2012a2L } },
+    /* 60 << 28 */
+    { { 0xe63f301f358bcdc0L,0x07689e990a9d47f8L,0x1f689e2f4f43d43aL,
+        0x4d542a1690920904L },
+      { 0xaea293d59ca0a707L,0xd061fe458ac68065L,0x1033bf1b0090008cL,
+        0x29749558c08a6db6L } },
+    /* 61 << 28 */
+    { { 0x74b5fc59c1d5d034L,0xf712e9f667e215e0L,0xfd520cbd860200e6L,
+        0x0229acb43ea22588L },
+      { 0x9cd1e14cfff0c82eL,0x87684b6259c69e73L,0xda85e61c96ccb989L,
+        0x2d5dbb02a3d06493L } },
+    /* 62 << 28 */
+    { { 0xf22ad33ae86b173cL,0xe8e41ea5a79ff0e3L,0x01d2d725dd0d0c10L,
+        0x31f39088032d28f9L },
+      { 0x7b3f71e17829839eL,0x0cf691b44502ae58L,0xef658dbdbefc6115L,
+        0xa5cd6ee5b3ab5314L } },
+    /* 63 << 28 */
+    { { 0x206c8d7b5f1d2347L,0x794645ba4cc2253aL,0xd517d8ff58389e08L,
+        0x4fa20dee9f847288L },
+      { 0xeba072d8d797770aL,0x7360c91dbf429e26L,0x7200a3b380af8279L,
+        0x6a1c915082dadce3L } },
+    /* 64 << 28 */
+    { { 0x0ee6d3a7c35d8794L,0x042e65580356bae5L,0x9f59698d643322fdL,
+        0x9379ae1550a61967L },
+      { 0x64b9ae62fcc9981eL,0xaed3d6316d2934c6L,0x2454b3025e4e65ebL,
+        0xab09f647f9950428L } },
+    /* 0 << 35 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 35 */
+    { { 0xb2083a1222248accL,0x1f6ec0ef3264e366L,0x5659b7045afdee28L,
+        0x7a823a40e6430bb5L },
+      { 0x24592a04e1900a79L,0xcde09d4ac9ee6576L,0x52b6463f4b5ea54aL,
+        0x1efe9ed3d3ca65a7L } },
+    /* 2 << 35 */
+    { { 0xe27a6dbe305406ddL,0x8eb7dc7fdd5d1957L,0xf54a6876387d4d8fL,
+        0x9c479409c7762de4L },
+      { 0xbe4d5b5d99b30778L,0x25380c566e793682L,0x602d37f3dac740e3L,
+        0x140deabe1566e4aeL } },
+    /* 3 << 35 */
+    { { 0x4481d067afd32acfL,0xd8f0fccae1f71ccfL,0xd208dd0cb596f2daL,
+        0xd049d7309aad93f9L },
+      { 0xc79f263d42ab580eL,0x09411bb123f707b4L,0x8cfde1ff835e0edaL,
+        0x7270749090f03402L } },
+    /* 4 << 35 */
+    { { 0xeaee6126c49a861eL,0x024f3b65e14f0d06L,0x51a3f1e8c69bfc17L,
+        0xc3c3a8e9a7686381L },
+      { 0x3400752cb103d4c8L,0x02bc46139218b36bL,0xc67f75eb7651504aL,
+        0xd6848b56d02aebfaL } },
+    /* 5 << 35 */
+    { { 0xbd9802e6c30fa92bL,0x5a70d96d9a552784L,0x9085c4ea3f83169bL,
+        0xfa9423bb06908228L },
+      { 0x2ffebe12fe97a5b9L,0x85da604971b99118L,0x9cbc2f7f63178846L,
+        0xfd96bc709153218eL } },
+    /* 6 << 35 */
+    { { 0x958381db1782269bL,0xae34bf792597e550L,0xbb5c60645f385153L,
+        0x6f0e96afe3088048L },
+      { 0xbf6a021577884456L,0xb3b5688c69310ea7L,0x17c9429504fad2deL,
+        0xe020f0e517896d4dL } },
+    /* 7 << 35 */
+    { { 0x730ba0ab0976505fL,0x567f6813095e2ec5L,0x470620106331ab71L,
+        0x72cfa97741d22b9fL },
+      { 0x33e55ead8a2373daL,0xa8d0d5f47ba45a68L,0xba1d8f9c03029d15L,
+        0x8f34f1ccfc55b9f3L } },
+    /* 8 << 35 */
+    { { 0xcca4428dbbe5a1a9L,0x8187fd5f3126bd67L,0x0036973a48105826L,
+        0xa39b6663b8bd61a0L },
+      { 0x6d42deef2d65a808L,0x4969044f94636b19L,0xf611ee47dd5d564cL,
+        0x7b2f3a49d2873077L } },
+    /* 9 << 35 */
+    { { 0x94157d45300eb294L,0x2b2a656e169c1494L,0xc000dd76d3a47aa9L,
+        0xa2864e4fa6243ea4L },
+      { 0x82716c47db89842eL,0x12dfd7d761479fb7L,0x3b9a2c56e0b2f6dcL,
+        0x46be862ad7f85d67L } },
+    /* 10 << 35 */
+    { { 0x03b0d8dd0f82b214L,0x460c34f9f103cbc6L,0xf32e5c0318d79e19L,
+        0x8b8888baa84117f8L },
+      { 0x8f3c37dcc0722677L,0x10d21be91c1c0f27L,0xd47c8468e0f7a0c6L,
+        0x9bf02213adecc0e0L } },
+    /* 11 << 35 */
+    { { 0x0baa7d1242b48b99L,0x1bcb665d48424096L,0x8b847cd6ebfb5cfbL,
+        0x87c2ae569ad4d10dL },
+      { 0xf1cbb1220de36726L,0xe7043c683fdfbd21L,0x4bd0826a4e79d460L,
+        0x11f5e5984bd1a2cbL } },
+    /* 12 << 35 */
+    { { 0x97554160b7fe7b6eL,0x7d16189a400a3fb2L,0xd73e9beae328ca1eL,
+        0x0dd04b97e793d8ccL },
+      { 0xa9c83c9b506db8ccL,0x5cd47aaecf38814cL,0x26fc430db64b45e6L,
+        0x079b5499d818ea84L } },
+    /* 13 << 35 */
+    { { 0xebb01102c1c24a3bL,0xca24e5681c161c1aL,0x103eea6936f00a4aL,
+        0x9ad76ee876176c7bL },
+      { 0x97451fc2538e0ff7L,0x94f898096604b3b0L,0x6311436e3249cfd7L,
+        0x27b4a7bd41224f69L } },
+    /* 14 << 35 */
+    { { 0x03b5d21ae0ac2941L,0x279b0254c2d31937L,0x3307c052cac992d0L,
+        0x6aa7cb92efa8b1f3L },
+      { 0x5a1825800d37c7a5L,0x13380c37342d5422L,0x92ac2d66d5d2ef92L,
+        0x035a70c9030c63c6L } },
+    /* 15 << 35 */
+    { { 0xc16025dd4ce4f152L,0x1f419a71f9df7c06L,0x6d5b221491e4bb14L,
+        0xfc43c6cc839fb4ceL },
+      { 0x49f06591925d6b2dL,0x4b37d9d362186598L,0x8c54a971d01b1629L,
+        0xe1a9c29f51d50e05L } },
+    /* 16 << 35 */
+    { { 0x5109b78571ba1861L,0x48b22d5cd0c8f93dL,0xe8fa84a78633bb93L,
+        0x53fba6ba5aebbd08L },
+      { 0x7ff27df3e5eea7d8L,0x521c879668ca7158L,0xb9d5133bce6f1a05L,
+        0x2d50cd53fd0ebee4L } },
+    /* 17 << 35 */
+    { { 0xc82115d6c5a3ef16L,0x993eff9dba079221L,0xe4da2c5e4b5da81cL,
+        0x9a89dbdb8033fd85L },
+      { 0x60819ebf2b892891L,0x53902b215d14a4d5L,0x6ac35051d7fda421L,
+        0xcc6ab88561c83284L } },
+    /* 18 << 35 */
+    { { 0x14eba133f74cff17L,0x240aaa03ecb813f2L,0xcfbb65406f665beeL,
+        0x084b1fe4a425ad73L },
+      { 0x009d5d16d081f6a6L,0x35304fe8eef82c90L,0xf20346d5aa9eaa22L,
+        0x0ada9f07ac1c91e3L } },
+    /* 19 << 35 */
+    { { 0xa6e21678968a6144L,0x54c1f77c07b31a1eL,0xd6bb787e5781fbe1L,
+        0x61bd2ee0e31f1c4aL },
+      { 0xf25aa1e9781105fcL,0x9cf2971f7b2f8e80L,0x26d15412cdff919bL,
+        0x01db4ebe34bc896eL } },
+    /* 20 << 35 */
+    { { 0x7d9b3e23b40df1cfL,0x5933737394e971b4L,0xbf57bd14669cf921L,
+        0x865daedf0c1a1064L },
+      { 0x3eb70bd383279125L,0xbc3d5b9f34ecdaabL,0x91e3ed7e5f755cafL,
+        0x49699f54d41e6f02L } },
+    /* 21 << 35 */
+    { { 0x185770e1d4a7a15bL,0x08f3587aeaac87e7L,0x352018db473133eaL,
+        0x674ce71904fd30fcL },
+      { 0x7b8d9835088b3e0eL,0x7a0356a95d0d47a1L,0x9d9e76596474a3c4L,
+        0x61ea48a7ff66966cL } },
+    /* 22 << 35 */
+    { { 0x304177580f3e4834L,0xfdbb21c217a9afcbL,0x756fa17f2f9a67b3L,
+        0x2a6b2421a245c1a8L },
+      { 0x64be27944af02291L,0xade465c62a5804feL,0x8dffbd39a6f08fd7L,
+        0xc4efa84caa14403bL } },
+    /* 23 << 35 */
+    { { 0xa1b91b2a442b0f5cL,0xb748e317cf997736L,0x8d1b62bfcee90e16L,
+        0x907ae2710b2078c0L },
+      { 0xdf31534b0c9bcdddL,0x043fb05439adce83L,0x99031043d826846aL,
+        0x61a9c0d6b144f393L } },
+    /* 24 << 35 */
+    { { 0xdab4804647718427L,0xdf17ff9b6e830f8bL,0x408d7ee8e49a1347L,
+        0x6ac71e2391c1d4aeL },
+      { 0xc8cbb9fd1defd73cL,0x19840657bbbbfec5L,0x39db1cb59e7ef8eaL,
+        0x78aa829664105f30L } },
+    /* 25 << 35 */
+    { { 0xa3d9b7f0a3738c29L,0x0a2f235abc3250a3L,0x55e506f6445e4cafL,
+        0x0974f73d33475f7aL },
+      { 0xd37dbba35ba2f5a8L,0x542c6e636af40066L,0x26d99b53c5d73e2cL,
+        0x06060d7d6c3ca33eL } },
+    /* 26 << 35 */
+    { { 0xcdbef1c2065fef4aL,0x77e60f7dfd5b92e3L,0xd7c549f026708350L,
+        0x201b3ad034f121bfL },
+      { 0x5fcac2a10334fc14L,0x8a9a9e09344552f6L,0x7dd8a1d397653082L,
+        0x5fc0738f79d4f289L } },
+    /* 27 << 35 */
+    { { 0x787d244d17d2d8c3L,0xeffc634570830684L,0x5ddb96dde4f73ae5L,
+        0x8efb14b1172549a5L },
+      { 0x6eb73eee2245ae7aL,0xbca4061eea11f13eL,0xb577421d30b01f5dL,
+        0xaa688b24782e152cL } },
+    /* 28 << 35 */
+    { { 0x67608e71bd3502baL,0x4ef41f24b4de75a0L,0xb08dde5efd6125e5L,
+        0xde484825a409543fL },
+      { 0x1f198d9865cc2295L,0x428a37716e0edfa2L,0x4f9697a2adf35fc7L,
+        0x01a43c79f7cac3c7L } },
+    /* 29 << 35 */
+    { { 0xb05d70590fd3659aL,0x8927f30cbb7f2d9aL,0x4023d1ac8cf984d3L,
+        0x32125ed302897a45L },
+      { 0xfb572dad3d414205L,0x73000ef2e3fa82a9L,0x4c0868e9f10a5581L,
+        0x5b61fc676b0b3ca5L } },
+    /* 30 << 35 */
+    { { 0xc1258d5b7cae440cL,0x21c08b41402b7531L,0xf61a8955de932321L,
+        0x3568faf82d1408afL },
+      { 0x71b15e999ecf965bL,0xf14ed248e917276fL,0xc6f4caa1820cf9e2L,
+        0x681b20b218d83c7eL } },
+    /* 31 << 35 */
+    { { 0x6cde738dc6c01120L,0x71db0813ae70e0dbL,0x95fc064474afe18cL,
+        0x34619053129e2be7L },
+      { 0x80615ceadb2a3b15L,0x0a49a19edb4c7073L,0x0e1b84c88fd2d367L,
+        0xd74bf462033fb8aaL } },
+    /* 32 << 35 */
+    { { 0x889f6d65533ef217L,0x7158c7e4c3ca2e87L,0xfb670dfbdc2b4167L,
+        0x75910a01844c257fL },
+      { 0xf336bf07cf88577dL,0x22245250e45e2aceL,0x2ed92e8d7ca23d85L,
+        0x29f8be4c2b812f58L } },
+    /* 33 << 35 */
+    { { 0xdd9ebaa7076fe12bL,0x3f2400cbae1537f9L,0x1aa9352817bdfb46L,
+        0xc0f9843067883b41L },
+      { 0x5590ede10170911dL,0x7562f5bb34d4b17fL,0xe1fa1df21826b8d2L,
+        0xb40b796a6bd80d59L } },
+    /* 34 << 35 */
+    { { 0xd65bf1973467ba92L,0x8c9b46dbf70954b0L,0x97c8a0f30e78f15dL,
+        0xa8f3a69a85a4c961L },
+      { 0x4242660f61e4ce9bL,0xbf06aab36ea6790cL,0xc6706f8eec986416L,
+        0x9e56dec19a9fc225L } },
+    /* 35 << 35 */
+    { { 0x527c46f49a9898d9L,0xd799e77b5633cdefL,0x24eacc167d9e4297L,
+        0xabb61cea6b1cb734L },
+      { 0xbee2e8a7f778443cL,0x3bb42bf129de2fe6L,0xcbed86a13003bb6fL,
+        0xd3918e6cd781cdf6L } },
+    /* 36 << 35 */
+    { { 0x4bee32719a5103f1L,0x5243efc6f50eac06L,0xb8e122cb6adcc119L,
+        0x1b7faa84c0b80a08L },
+      { 0x32c3d1bd6dfcd08cL,0x129dec4e0be427deL,0x98ab679c1d263c83L,
+        0xafc83cb7cef64effL } },
+    /* 37 << 35 */
+    { { 0x85eb60882fa6be76L,0x892585fb1328cbfeL,0xc154d3edcf618ddaL,
+        0xc44f601b3abaf26eL },
+      { 0x7bf57d0b2be1fdfdL,0xa833bd2d21137feeL,0x9353af362db591a8L,
+        0xc76f26dc5562a056L } },
+    /* 38 << 35 */
+    { { 0x1d87e47d3fdf5a51L,0x7afb5f9355c9cab0L,0x91bbf58f89e0586eL,
+        0x7c72c0180d843709L },
+      { 0xa9a5aafb99b5c3dcL,0xa48a0f1d3844aeb0L,0x7178b7ddb667e482L,
+        0x453985e96e23a59aL } },
+    /* 39 << 35 */
+    { { 0x4a54c86001b25dd8L,0x0dd37f48fb897c8aL,0x5f8aa6100ea90cd9L,
+        0xc8892c6816d5830dL },
+      { 0xeb4befc0ef514ca5L,0x478eb679e72c9ee6L,0x9bca20dadbc40d5fL,
+        0xf015de21dde4f64aL } },
+    /* 40 << 35 */
+    { { 0xaa6a4de0eaf4b8a5L,0x68cfd9ca4bc60e32L,0x668a4b017fd15e70L,
+        0xd9f0694af27dc09dL },
+      { 0xf6c3cad5ba708bcdL,0x5cd2ba695bb95c2aL,0xaa28c1d333c0a58fL,
+        0x23e274e3abc77870L } },
+    /* 41 << 35 */
+    { { 0x44c3692ddfd20a4aL,0x091c5fd381a66653L,0x6c0bb69109a0757dL,
+        0x9072e8b9667343eaL },
+      { 0x31d40eb080848becL,0x95bd480a79fd36ccL,0x01a77c6165ed43f5L,
+        0xafccd1272e0d40bfL } },
+    /* 42 << 35 */
+    { { 0xeccfc82d1cc1884bL,0xc85ac2015d4753b4L,0xc7a6caac658e099fL,
+        0xcf46369e04b27390L },
+      { 0xe2e7d049506467eaL,0x481b63a237cdecccL,0x4029abd8ed80143aL,
+        0x28bfe3c7bcb00b88L } },
+    /* 43 << 35 */
+    { { 0x3bec10090643d84aL,0x885f3668abd11041L,0xdb02432cf83a34d6L,
+        0x32f7b360719ceebeL },
+      { 0xf06c7837dad1fe7aL,0x60a157a95441a0b0L,0x704970e9e2d47550L,
+        0xcd2bd553271b9020L } },
+    /* 44 << 35 */
+    { { 0xff57f82f33e24a0bL,0x9cbee23ff2565079L,0x16353427eb5f5825L,
+        0x276feec4e948d662L },
+      { 0xd1b62bc6da10032bL,0x718351ddf0e72a53L,0x934520762420e7baL,
+        0x96368fff3a00118dL } },
+    /* 45 << 35 */
+    { { 0x00ce2d26150a49e4L,0x0c28b6363f04706bL,0xbad65a4658b196d0L,
+        0x6c8455fcec9f8b7cL },
+      { 0xe90c895f2d71867eL,0x5c0be31bedf9f38cL,0x2a37a15ed8f6ec04L,
+        0x239639e78cd85251L } },
+    /* 46 << 35 */
+    { { 0xd89753159c7c4c6bL,0x603aa3c0d7409af7L,0xb8d53d0c007132fbL,
+        0x68d12af7a6849238L },
+      { 0xbe0607e7bf5d9279L,0x9aa50055aada74ceL,0xe81079cbba7e8ccbL,
+        0x610c71d1a5f4ff5eL } },
+    /* 47 << 35 */
+    { { 0x9e2ee1a75aa07093L,0xca84004ba75da47cL,0x074d39513de75401L,
+        0xf938f756bb311592L },
+      { 0x9619761800a43421L,0x39a2536207bc78c8L,0x278f710a0a171276L,
+        0xb28446ea8d1a8f08L } },
+    /* 48 << 35 */
+    { { 0x184781bfe3b6a661L,0x7751cb1de6d279f7L,0xf8ff95d6c59eb662L,
+        0x186d90b758d3dea7L },
+      { 0x0e4bb6c1dfb4f754L,0x5c5cf56b2b2801dcL,0xc561e4521f54564dL,
+        0xb4fb8c60f0dd7f13L } },
+    /* 49 << 35 */
+    { { 0xf884963033ff98c7L,0x9619fffacf17769cL,0xf8090bf61bfdd80aL,
+        0x14d9a149422cfe63L },
+      { 0xb354c3606f6df9eaL,0xdbcf770d218f17eaL,0x207db7c879eb3480L,
+        0x213dbda8559b6a26L } },
+    /* 50 << 35 */
+    { { 0xac4c200b29fc81b3L,0xebc3e09f171d87c1L,0x917995301481aa9eL,
+        0x051b92e192e114faL },
+      { 0xdf8f92e9ecb5537fL,0x44b1b2cc290c7483L,0xa711455a2adeb016L,
+        0x964b685681a10c2cL } },
+    /* 51 << 35 */
+    { { 0x4f159d99cec03623L,0x05532225ef3271eaL,0xb231bea3c5ee4849L,
+        0x57a54f507094f103L },
+      { 0x3e2d421d9598b352L,0xe865a49c67412ab4L,0xd2998a251cc3a912L,
+        0x5d0928080c74d65dL } },
+    /* 52 << 35 */
+    { { 0x73f459084088567aL,0xeb6b280e1f214a61L,0x8c9adc34caf0c13dL,
+        0x39d12938f561fb80L },
+      { 0xb2dc3a5ebc6edfb4L,0x7485b1b1fe4d210eL,0x062e0400e186ae72L,
+        0x91e32d5c6eeb3b88L } },
+    /* 53 << 35 */
+    { { 0x6df574d74be59224L,0xebc88ccc716d55f3L,0x26c2e6d0cad6ed33L,
+        0xc6e21e7d0d3e8b10L },
+      { 0x2cc5840e5bcc36bbL,0x9292445e7da74f69L,0x8be8d3214e5193a8L,
+        0x3ec236298df06413L } },
+    /* 54 << 35 */
+    { { 0xc7e9ae85b134defaL,0x6073b1d01bb2d475L,0xb9ad615e2863c00dL,
+        0x9e29493d525f4ac4L },
+      { 0xc32b1dea4e9acf4fL,0x3e1f01c8a50db88dL,0xb05d70ea04da916cL,
+        0x714b0d0ad865803eL } },
+    /* 55 << 35 */
+    { { 0x4bd493fc9920cb5eL,0x5b44b1f792c7a3acL,0xa2a77293bcec9235L,
+        0x5ee06e87cd378553L },
+      { 0xceff8173da621607L,0x2bb03e4c99f5d290L,0x2945106aa6f734acL,
+        0xb5056604d25c4732L } },
+    /* 56 << 35 */
+    { { 0x5945920ce079afeeL,0x686e17a06789831fL,0x5966bee8b74a5ae5L,
+        0x38a673a21e258d46L },
+      { 0xbd1cc1f283141c95L,0x3b2ecf4f0e96e486L,0xcd3aa89674e5fc78L,
+        0x415ec10c2482fa7aL } },
+    /* 57 << 35 */
+    { { 0x1523441980503380L,0x513d917ad314b392L,0xb0b52f4e63caecaeL,
+        0x07bf22ad2dc7780bL },
+      { 0xe761e8a1e4306839L,0x1b3be9625dd7feaaL,0x4fe728de74c778f1L,
+        0xf1fa0bda5e0070f6L } },
+    /* 58 << 35 */
+    { { 0x85205a316ec3f510L,0x2c7e4a14d2980475L,0xde3c19c06f30ebfdL,
+        0xdb1c1f38d4b7e644L },
+      { 0xfe291a755dce364aL,0xb7b22a3c058f5be3L,0x2cd2c30237fea38cL,
+        0x2930967a2e17be17L } },
+    /* 59 << 35 */
+    { { 0x87f009de0c061c65L,0xcb014aacedc6ed44L,0x49bd1cb43bafb1ebL,
+        0x81bd8b5c282d3688L },
+      { 0x1cdab87ef01a17afL,0x21f37ac4e710063bL,0x5a6c567642fc8193L,
+        0xf4753e7056a6015cL } },
+    /* 60 << 35 */
+    { { 0x020f795ea15b0a44L,0x8f37c8d78958a958L,0x63b7e89ba4b675b5L,
+        0xb4fb0c0c0fc31aeaL },
+      { 0xed95e639a7ff1f2eL,0x9880f5a3619614fbL,0xdeb6ff02947151abL,
+        0x5bc5118ca868dcdbL } },
+    /* 61 << 35 */
+    { { 0xd8da20554c20cea5L,0xcac2776e14c4d69aL,0xcccb22c1622d599bL,
+        0xa4ddb65368a9bb50L },
+      { 0x2c4ff1511b4941b4L,0xe1ff19b46efba588L,0x35034363c48345e0L,
+        0x45542e3d1e29dfc4L } },
+    /* 62 << 35 */
+    { { 0xf197cb91349f7aedL,0x3b2b5a008fca8420L,0x7c175ee823aaf6d8L,
+        0x54dcf42135af32b6L },
+      { 0x0ba1430727d6561eL,0x879d5ee4d175b1e2L,0xc7c4367399807db5L,
+        0x77a544559cd55bcdL } },
+    /* 63 << 35 */
+    { { 0xe6c2ff130105c072L,0x18f7a99f8dda7da4L,0x4c3018200e2d35c1L,
+        0x06a53ca0d9cc6c82L },
+      { 0xaa21cc1ef1aa1d9eL,0x324143344a75b1e8L,0x2a6d13280ebe9fdcL,
+        0x16bd173f98a4755aL } },
+    /* 64 << 35 */
+    { { 0xfbb9b2452133ffd9L,0x39a8b2f1830f1a20L,0x484bc97dd5a1f52aL,
+        0xd6aebf56a40eddf8L },
+      { 0x32257acb76ccdac6L,0xaf4d36ec1586ff27L,0x8eaa8863f8de7dd1L,
+        0x0045d5cf88647c16L } },
+    /* 0 << 42 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 42 */
+    { { 0xa6f3d574c005979dL,0xc2072b426a40e350L,0xfca5c1568de2ecf9L,
+        0xa8c8bf5ba515344eL },
+      { 0x97aee555114df14aL,0xd4374a4dfdc5ec6bL,0x754cc28f2ca85418L,
+        0x71cb9e27d3c41f78L } },
+    /* 2 << 42 */
+    { { 0x8910507903605c39L,0xf0843d9ea142c96cL,0xf374493416923684L,
+        0x732caa2ffa0a2893L },
+      { 0xb2e8c27061160170L,0xc32788cc437fbaa3L,0x39cd818ea6eda3acL,
+        0xe2e942399e2b2e07L } },
+    /* 3 << 42 */
+    { { 0x6967d39b0260e52aL,0xd42585cc90653325L,0x0d9bd60521ca7954L,
+        0x4fa2087781ed57b3L },
+      { 0x60c1eff8e34a0bbeL,0x56b0040c84f6ef64L,0x28be2b24b1af8483L,
+        0xb2278163f5531614L } },
+    /* 4 << 42 */
+    { { 0x8df275455922ac1cL,0xa7b3ef5ca52b3f63L,0x8e77b21471de57c4L,
+        0x31682c10834c008bL },
+      { 0xc76824f04bd55d31L,0xb6d1c08617b61c71L,0x31db0903c2a5089dL,
+        0x9c092172184e5d3fL } },
+    /* 5 << 42 */
+    { { 0xdd7ced5bc00cc638L,0x1a2015eb61278fc2L,0x2e8e52886a37f8d6L,
+        0xc457786fe79933adL },
+      { 0xb3fe4cce2c51211aL,0xad9b10b224c20498L,0x90d87a4fd28db5e5L,
+        0x698cd1053aca2fc3L } },
+    /* 6 << 42 */
+    { { 0x4f112d07e91b536dL,0xceb982f29eba09d6L,0x3c157b2c197c396fL,
+        0xe23c2d417b66eb24L },
+      { 0x480c57d93f330d37L,0xb3a4c8a179108debL,0x702388decb199ce5L,
+        0x0b019211b944a8d4L } },
+    /* 7 << 42 */
+    { { 0x24f2a692840bb336L,0x7c353bdca669fa7bL,0xda20d6fcdec9c300L,
+        0x625fbe2fa13a4f17L },
+      { 0xa2b1b61adbc17328L,0x008965bfa9515621L,0x49690939c620ff46L,
+        0x182dd27d8717e91cL } },
+    /* 8 << 42 */
+    { { 0x5ace5035ea6c3997L,0x54259aaac2610befL,0xef18bb3f3c80dd39L,
+        0x6910b95b5fc3fa39L },
+      { 0xfce2f51043e09aeeL,0xced56c9fa7675665L,0x10e265acd872db61L,
+        0x6982812eae9fce69L } },
+    /* 9 << 42 */
+    { { 0x29be11c6ce800998L,0x72bb1752b90360d9L,0x2c1931975a4ad590L,
+        0x2ba2f5489fc1dbc0L },
+      { 0x7fe4eebbe490ebe0L,0x12a0a4cd7fae11c0L,0x7197cf81e903ba37L,
+        0xcf7d4aa8de1c6dd8L } },
+    /* 10 << 42 */
+    { { 0x92af6bf43fd5684cL,0x2b26eecf80360aa1L,0xbd960f3000546a82L,
+        0x407b3c43f59ad8feL },
+      { 0x86cae5fe249c82baL,0x9e0faec72463744cL,0x87f551e894916272L,
+        0x033f93446ceb0615L } },
+    /* 11 << 42 */
+    { { 0x1e5eb0d18be82e84L,0x89967f0e7a582fefL,0xbcf687d5a6e921faL,
+        0xdfee4cf3d37a09baL },
+      { 0x94f06965b493c465L,0x638b9a1c7635c030L,0x7666786466f05e9fL,
+        0xccaf6808c04da725L } },
+    /* 12 << 42 */
+    { { 0xca2eb690768fccfcL,0xf402d37db835b362L,0x0efac0d0e2fdfcceL,
+        0xefc9cdefb638d990L },
+      { 0x2af12b72d1669a8bL,0x33c536bc5774ccbdL,0x30b21909fb34870eL,
+        0xc38fa2f77df25acaL } },
+    /* 13 << 42 */
+    { { 0x74c5f02bbf81f3f5L,0x0525a5aeaf7e4581L,0x88d2aaba433c54aeL,
+        0xed9775db806a56c5L },
+      { 0xd320738ac0edb37dL,0x25fdb6ee66cc1f51L,0xac661d1710600d76L,
+        0x931ec1f3bdd1ed76L } },
+    /* 14 << 42 */
+    { { 0x65c11d6219ee43f1L,0x5cd57c3e60829d97L,0xd26c91a3984be6e8L,
+        0xf08d93098b0c53bdL },
+      { 0x94bc9e5bc016e4eaL,0xd391683911d43d2bL,0x886c5ad773701155L,
+        0xe037762620b00715L } },
+    /* 15 << 42 */
+    { { 0x7f01c9ecaa80ba59L,0x3083411a68538e51L,0x970370f1e88128afL,
+        0x625cc3db91dec14bL },
+      { 0xfef9666c01ac3107L,0xb2a8d577d5057ac3L,0xb0f2629992be5df7L,
+        0xf579c8e500353924L } },
+    /* 16 << 42 */
+    { { 0xb8fa3d931341ed7aL,0x4223272ca7b59d49L,0x3dcb194783b8c4a4L,
+        0x4e413c01ed1302e4L },
+      { 0x6d999127e17e44ceL,0xee86bf7533b3adfbL,0xf6902fe625aa96caL,
+        0xb73540e4e5aae47dL } },
+    /* 17 << 42 */
+    { { 0x32801d7b1b4a158cL,0xe571c99e27e2a369L,0x40cb76c010d9f197L,
+        0xc308c2893167c0aeL },
+      { 0xa6ef9dd3eb7958f2L,0xa7226dfc300879b1L,0x6cd0b3627edf0636L,
+        0x4efbce6c7bc37eedL } },
+    /* 18 << 42 */
+    { { 0x75f92a058d699021L,0x586d4c79772566e3L,0x378ca5f1761ad23aL,
+        0x650d86fc1465a8acL },
+      { 0x7a4ed457842ba251L,0x6b65e3e642234933L,0xaf1543b731aad657L,
+        0xa4cefe98cbfec369L } },
+    /* 19 << 42 */
+    { { 0xb587da909f47befbL,0x6562e9fb41312d13L,0xa691ea59eff1cefeL,
+        0xcc30477a05fc4cf6L },
+      { 0xa16324610b0ffd3dL,0xa1f16f3b5b355956L,0x5b148d534224ec24L,
+        0xdc834e7bf977012aL } },
+    /* 20 << 42 */
+    { { 0x7bfc5e75b2c69dbcL,0x3aa77a2903c3da6cL,0xde0df03cca910271L,
+        0xcbd5ca4a7806dc55L },
+      { 0xe1ca58076db476cbL,0xfde15d625f37a31eL,0xf49af520f41af416L,
+        0x96c5c5b17d342db5L } },
+    /* 21 << 42 */
+    { { 0x155c43b7eb4ceb9bL,0x2e9930104e77371aL,0x1d2987da675d43afL,
+        0xef2bc1c08599fd72L },
+      { 0x96894b7b9342f6b2L,0x201eadf27c8e71f0L,0xf3479d9f4a1f3efcL,
+        0xe0f8a742702a9704L } },
+    /* 22 << 42 */
+    { { 0xeafd44b6b3eba40cL,0xf9739f29c1c1e0d0L,0x0091471a619d505eL,
+        0xc15f9c969d7c263eL },
+      { 0x5be4728583afbe33L,0xa3b6d6af04f1e092L,0xe76526b9751a9d11L,
+        0x2ec5b26d9a4ae4d2L } },
+    /* 23 << 42 */
+    { { 0xeb66f4d902f6fb8dL,0x4063c56196912164L,0xeb7050c180ef3000L,
+        0x288d1c33eaa5b3f0L },
+      { 0xe87c68d607806fd8L,0xb2f7f9d54bbbf50fL,0x25972f3aac8d6627L,
+        0xf854777410e8c13bL } },
+    /* 24 << 42 */
+    { { 0xcc50ef6c872b4a60L,0xab2a34a44613521bL,0x39c5c190983e15d1L,
+        0x61dde5df59905512L },
+      { 0xe417f6219f2275f3L,0x0750c8b6451d894bL,0x75b04ab978b0bdaaL,
+        0x3bfd9fd4458589bdL } },
+    /* 25 << 42 */
+    { { 0xf1013e30ee9120b6L,0x2b51af9323a4743eL,0xea96ffae48d14d9eL,
+        0x71dc0dbe698a1d32L },
+      { 0x914962d20180cca4L,0x1ae60677c3568963L,0x8cf227b1437bc444L,
+        0xc650c83bc9962c7aL } },
+    /* 26 << 42 */
+    { { 0x23c2c7ddfe7ccfc4L,0xf925c89d1b929d48L,0x4460f74b06783c33L,
+        0xac2c8d49a590475aL },
+      { 0xfb40b407b807bba0L,0x9d1e362d69ff8f3aL,0xa33e9681cbef64a4L,
+        0x67ece5fa332fb4b2L } },
+    /* 27 << 42 */
+    { { 0x6900a99b739f10e3L,0xc3341ca9ff525925L,0xee18a626a9e2d041L,
+        0xa5a8368529580dddL },
+      { 0xf3470c819d7de3cdL,0xedf025862062cf9cL,0xf43522fac010edb0L,
+        0x3031413513a4b1aeL } },
+    /* 28 << 42 */
+    { { 0xc792e02adb22b94bL,0x993d8ae9a1eaa45bL,0x8aad6cd3cd1e1c63L,
+        0x89529ca7c5ce688aL },
+      { 0x2ccee3aae572a253L,0xe02b643802a21efbL,0xa7091b6ec9430358L,
+        0x06d1b1fa9d7db504L } },
+    /* 29 << 42 */
+    { { 0x58846d32c4744733L,0x40517c71379f9e34L,0x2f65655f130ef6caL,
+        0x526e4488f1f3503fL },
+      { 0x8467bd177ee4a976L,0x1d9dc913921363d1L,0xd8d24c33b069e041L,
+        0x5eb5da0a2cdf7f51L } },
+    /* 30 << 42 */
+    { { 0x1c0f3cb1197b994fL,0x3c95a6c52843eae9L,0x7766ffc9a6097ea5L,
+        0x7bea4093d723b867L },
+      { 0xb48e1f734db378f9L,0x70025b00e37b77acL,0x943dc8e7af24ad46L,
+        0xb98a15ac16d00a85L } },
+    /* 31 << 42 */
+    { { 0x3adc38ba2743b004L,0xb1c7f4f7334415eeL,0xea43df8f1e62d05aL,
+        0x326189059d76a3b6L },
+      { 0x2fbd0bb5a23a0f46L,0x5bc971db6a01918cL,0x7801d94ab4743f94L,
+        0xb94df65e676ae22bL } },
+    /* 32 << 42 */
+    { { 0xaafcbfabaf95894cL,0x7b9bdc07276b2241L,0xeaf983625bdda48bL,
+        0x5977faf2a3fcb4dfL },
+      { 0xbed042ef052c4b5bL,0x9fe87f71067591f0L,0xc89c73ca22f24ec7L,
+        0x7d37fa9ee64a9f1bL } },
+    /* 33 << 42 */
+    { { 0x2710841a15562627L,0x2c01a613c243b034L,0x1d135c562bc68609L,
+        0xc2ca17158b03f1f6L },
+      { 0xc9966c2d3eb81d82L,0xc02abf4a8f6df13eL,0x77b34bd78f72b43bL,
+        0xaff6218f360c82b0L } },
+    /* 34 << 42 */
+    { { 0x0aa5726c8d55b9d2L,0xdc0adbe999e9bffbL,0x9097549cefb9e72aL,
+        0x167557129dfb3111L },
+      { 0xdd8bf984f26847f9L,0xbcb8e387dfb30cb7L,0xc1fd32a75171ef9cL,
+        0x977f3fc7389b363fL } },
+    /* 35 << 42 */
+    { { 0x116eaf2bf4babda0L,0xfeab68bdf7113c8eL,0xd1e3f064b7def526L,
+        0x1ac30885e0b3fa02L },
+      { 0x1c5a6e7b40142d9dL,0x839b560330921c0bL,0x48f301fa36a116a3L,
+        0x380e1107cfd9ee6dL } },
+    /* 36 << 42 */
+    { { 0x7945ead858854be1L,0x4111c12ecbd4d49dL,0xece3b1ec3a29c2efL,
+        0x6356d4048d3616f5L },
+      { 0x9f0d6a8f594d320eL,0x0989316df651ccd2L,0x6c32117a0f8fdde4L,
+        0x9abe5cc5a26a9bbcL } },
+    /* 37 << 42 */
+    { { 0xcff560fb9723f671L,0x21b2a12d7f3d593cL,0xe4cb18da24ba0696L,
+        0x186e2220c3543384L },
+      { 0x722f64e088312c29L,0x94282a9917dc7752L,0x62467bbf5a85ee89L,
+        0xf435c650f10076a0L } },
+    /* 38 << 42 */
+    { { 0xc9ff153943b3a50bL,0x7132130c1a53efbcL,0x31bfe063f7b0c5b7L,
+        0xb0179a7d4ea994ccL },
+      { 0x12d064b3c85f455bL,0x472593288f6e0062L,0xf64e590bb875d6d9L,
+        0x22dd6225ad92bcc7L } },
+    /* 39 << 42 */
+    { { 0xb658038eb9c3bd6dL,0x00cdb0d6fbba27c8L,0x0c6813371062c45dL,
+        0xd8515b8c2d33407dL },
+      { 0xcb8f699e8cbb5ecfL,0x8c4347f8c608d7d8L,0x2c11850abb3e00dbL,
+        0x20a8dafdecb49d19L } },
+    /* 40 << 42 */
+    { { 0xbd78148045ee2f40L,0x75e354af416b60cfL,0xde0b58a18d49a8c4L,
+        0xe40e94e2fa359536L },
+      { 0xbd4fa59f62accd76L,0x05cf466a8c762837L,0xb5abda99448c277bL,
+        0x5a9e01bf48b13740L } },
+    /* 41 << 42 */
+    { { 0x9d457798326aad8dL,0xbdef4954c396f7e7L,0x6fb274a2c253e292L,
+        0x2800bf0a1cfe53e7L },
+      { 0x22426d3144438fd4L,0xef2339235e259f9aL,0x4188503c03f66264L,
+        0x9e5e7f137f9fdfabL } },
+    /* 42 << 42 */
+    { { 0x565eb76c5fcc1abaL,0xea63254859b5bff8L,0x5587c087aab6d3faL,
+        0x92b639ea6ce39c1bL },
+      { 0x0706e782953b135cL,0x7308912e425268efL,0x599e92c7090e7469L,
+        0x83b90f529bc35e75L } },
+    /* 43 << 42 */
+    { { 0x4750b3d0244975b3L,0xf3a4435811965d72L,0x179c67749c8dc751L,
+        0xff18cdfed23d9ff0L },
+      { 0xc40138332028e247L,0x96e280e2f3bfbc79L,0xf60417bdd0880a84L,
+        0x263c9f3d2a568151L } },
+    /* 44 << 42 */
+    { { 0x36be15b32d2ce811L,0x846dc0c2f8291d21L,0x5cfa0ecb789fcfdbL,
+        0x45a0beedd7535b9aL },
+      { 0xec8e9f0796d69af1L,0x31a7c5b8599ab6dcL,0xd36d45eff9e2e09fL,
+        0x3cf49ef1dcee954bL } },
+    /* 45 << 42 */
+    { { 0x6be34cf3086cff9bL,0x88dbd49139a3360fL,0x1e96b8cc0dbfbd1dL,
+        0xc1e5f7bfcb7e2552L },
+      { 0x0547b21428819d98L,0xc770dd9c7aea9dcbL,0xaef0d4c7041d68c8L,
+        0xcc2b981813cb9ba8L } },
+    /* 46 << 42 */
+    { { 0x7fc7bc76fe86c607L,0x6b7b9337502a9a95L,0x1948dc27d14dab63L,
+        0x249dd198dae047beL },
+      { 0xe8356584a981a202L,0x3531dd183a893387L,0x1be11f90c85c7209L,
+        0x93d2fe1ee2a52b5aL } },
+    /* 47 << 42 */
+    { { 0x8225bfe2ec6d6b97L,0x9cf6d6f4bd0aa5deL,0x911459cb54779f5fL,
+        0x5649cddb86aeb1f3L },
+      { 0x321335793f26ce5aL,0xc289a102550f431eL,0x559dcfda73b84c6fL,
+        0x84973819ee3ac4d7L } },
+    /* 48 << 42 */
+    { { 0xb51e55e6f2606a82L,0xe25f706190f2fb57L,0xacef6c2ab1a4e37cL,
+        0x864e359d5dcf2706L },
+      { 0x479e6b187ce57316L,0x2cab25003a96b23dL,0xed4898628ef16df7L,
+        0x2056538cef3758b5L } },
+    /* 49 << 42 */
+    { { 0xa7df865ef15d3101L,0x80c5533a61b553d7L,0x366e19974ed14294L,
+        0x6620741fb3c0bcd6L },
+      { 0x21d1d9c4edc45418L,0x005b859ec1cc4a9dL,0xdf01f630a1c462f0L,
+        0x15d06cf3f26820c7L } },
+    /* 50 << 42 */
+    { { 0x9f7f24ee3484be47L,0x2ff33e964a0c902fL,0x00bdf4575a0bc453L,
+        0x2378dfaf1aa238dbL },
+      { 0x272420ec856720f2L,0x2ad9d95b96797291L,0xd1242cc6768a1558L,
+        0x2e287f8b5cc86aa8L } },
+    /* 51 << 42 */
+    { { 0x796873d0990cecaaL,0xade55f81675d4080L,0x2645eea321f0cd84L,
+        0x7a1efa0fb4e17d02L },
+      { 0xf6858420037cc061L,0x682e05f0d5d43e12L,0x59c3699427218710L,
+        0x85cbba4d3f7cd2fcL } },
+    /* 52 << 42 */
+    { { 0x726f97297a3cd22aL,0x9f8cd5dc4a628397L,0x17b93ab9c23165edL,
+        0xff5f5dbf122823d4L },
+      { 0xc1e4e4b5654a446dL,0xd1a9496f677257baL,0x6387ba94de766a56L,
+        0x23608bc8521ec74aL } },
+    /* 53 << 42 */
+    { { 0x16a522d76688c4d4L,0x9d6b428207373abdL,0xa62f07acb42efaa3L,
+        0xf73e00f7e3b90180L },
+      { 0x36175fec49421c3eL,0xc4e44f9b3dcf2678L,0x76df436b7220f09fL,
+        0x172755fb3aa8b6cfL } },
+    /* 54 << 42 */
+    { { 0xbab89d57446139ccL,0x0a0a6e025fe0208fL,0xcdbb63e211e5d399L,
+        0x33ecaa12a8977f0bL },
+      { 0x59598b21f7c42664L,0xb3e91b32ab65d08aL,0x035822eef4502526L,
+        0x1dcf0176720a82a9L } },
+    /* 55 << 42 */
+    { { 0x50f8598f3d589e02L,0xdf0478ffb1d63d2cL,0x8b8068bd1571cd07L,
+        0x30c3aa4fd79670cdL },
+      { 0x25e8fd4b941ade7fL,0x3d1debdc32790011L,0x65b6dcbd3a3f9ff0L,
+        0x282736a4793de69cL } },
+    /* 56 << 42 */
+    { { 0xef69a0c3d41d3bd3L,0xb533b8c907a26bdeL,0xe2801d97db2edf9fL,
+        0xdc4a8269e1877af0L },
+      { 0x6c1c58513d590dbeL,0x84632f6bee4e9357L,0xd36d36b779b33374L,
+        0xb46833e39bbca2e6L } },
+    /* 57 << 42 */
+    { { 0x37893913f7fc0586L,0x385315f766bf4719L,0x72c56293b31855dcL,
+        0xd1416d4e849061feL },
+      { 0xbeb3ab7851047213L,0x447f6e61f040c996L,0xd06d310d638b1d0cL,
+        0xe28a413fbad1522eL } },
+    /* 58 << 42 */
+    { { 0x685a76cb82003f86L,0x610d07f70bcdbca3L,0x6ff660219ca4c455L,
+        0x7df39b87cea10eecL },
+      { 0xb9255f96e22db218L,0x8cc6d9eb08a34c44L,0xcd4ffb86859f9276L,
+        0x8fa15eb250d07335L } },
+    /* 59 << 42 */
+    { { 0xdf553845cf2c24b5L,0x89f66a9f52f9c3baL,0x8f22b5b9e4a7ceb3L,
+        0xaffef8090e134686L },
+      { 0x3e53e1c68eb8fac2L,0x93c1e4eb28aec98eL,0xb6b91ec532a43bcbL,
+        0x2dbfa947b2d74a51L } },
+    /* 60 << 42 */
+    { { 0xe065d190ca84bad7L,0xfb13919fad58e65cL,0x3c41718bf1cb6e31L,
+        0x688969f006d05c3fL },
+      { 0xd4f94ce721264d45L,0xfdfb65e97367532bL,0x5b1be8b10945a39dL,
+        0x229f789c2b8baf3bL } },
+    /* 61 << 42 */
+    { { 0xd8f41f3e6f49f15dL,0x678ce828907f0792L,0xc69ace82fca6e867L,
+        0x106451aed01dcc89L },
+      { 0x1bb4f7f019fc32d2L,0x64633dfcb00c52d2L,0x8f13549aad9ea445L,
+        0x99a3bf50fb323705L } },
+    /* 62 << 42 */
+    { { 0x0c9625a2534d4dbcL,0x45b8f1d1c2a2fea3L,0x76ec21a1a530fc1aL,
+        0x4bac9c2a9e5bd734L },
+      { 0x5996d76a7b4e3587L,0x0045cdee1182d9e3L,0x1aee24b91207f13dL,
+        0x66452e9797345a41L } },
+    /* 63 << 42 */
+    { { 0x16e5b0549f950cd0L,0x9cc72fb1d7fdd075L,0x6edd61e766249663L,
+        0xde4caa4df043cccbL },
+      { 0x11b1f57a55c7ac17L,0x779cbd441a85e24dL,0x78030f86e46081e7L,
+        0xfd4a60328e20f643L } },
+    /* 64 << 42 */
+    { { 0xcc7a64880a750c0fL,0x39bacfe34e548e83L,0x3d418c760c110f05L,
+        0x3e4daa4cb1f11588L },
+      { 0x2733e7b55ffc69ffL,0x46f147bc92053127L,0x885b2434d722df94L,
+        0x6a444f65e6fc6b7cL } },
+    /* 0 << 49 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 49 */
+    { { 0x7a1a465ac3f16ea8L,0x115a461db2f1d11cL,0x4767dd956c68a172L,
+        0x3392f2ebd13a4698L },
+      { 0xc7a99ccde526cdc7L,0x8e537fdc22292b81L,0x76d8cf69a6d39198L,
+        0xffc5ff432446852dL } },
+    /* 2 << 49 */
+    { { 0x97b14f7ea90567e6L,0x513257b7b6ae5cb7L,0x85454a3c9f10903dL,
+        0xd8d2c9ad69bc3724L },
+      { 0x38da93246b29cb44L,0xb540a21d77c8cbacL,0x9bbfe43501918e42L,
+        0xfffa707a56c3614eL } },
+    /* 3 << 49 */
+    { { 0x0ce4e3f1d4e353b7L,0x062d8a14ef46b0a0L,0x6408d5ab574b73fdL,
+        0xbc41d1c9d3273ffdL },
+      { 0x3538e1e76be77800L,0x71fe8b37c5655031L,0x1cd916216b9b331aL,
+        0xad825d0bbb388f73L } },
+    /* 4 << 49 */
+    { { 0x56c2e05b1cb76219L,0x0ec0bf9171567e7eL,0xe7076f8661c4c910L,
+        0xd67b085bbabc04d9L },
+      { 0x9fb904595e93a96aL,0x7526c1eafbdc249aL,0x0d44d367ecdd0bb7L,
+        0x953999179dc0d695L } },
+    /* 5 << 49 */
+    { { 0x61360ee99e240d18L,0x057cdcacb4b94466L,0xe7667cd12fe5325cL,
+        0x1fa297b521974e3bL },
+      { 0xfa4081e7db083d76L,0x31993be6f206bd15L,0x8949269b14c19f8cL,
+        0x21468d72a9d92357L } },
+    /* 6 << 49 */
+    { { 0x2ccbc583a4c506ecL,0x957ed188d1acfe97L,0x8baed83312f1aea2L,
+        0xef2a6cb48325362dL },
+      { 0x130dde428e195c43L,0xc842025a0e6050c6L,0x2da972a708686a5dL,
+        0xb52999a1e508b4a8L } },
+    /* 7 << 49 */
+    { { 0xd9f090b910a5a8bdL,0xca91d249096864daL,0x8e6a93be3f67dbc1L,
+        0xacae6fbaf5f4764cL },
+      { 0x1563c6e0d21411a0L,0x28fa787fda0a4ad8L,0xd524491c908c8030L,
+        0x1257ba0e4c795f07L } },
+    /* 8 << 49 */
+    { { 0x83f49167ceca9754L,0x426d2cf64b7939a0L,0x2555e355723fd0bfL,
+        0xa96e6d06c4f144e2L },
+      { 0x4768a8dd87880e61L,0x15543815e508e4d5L,0x09d7e772b1b65e15L,
+        0x63439dd6ac302fa0L } },
+    /* 9 << 49 */
+    { { 0xb93f802fc14e35c2L,0x71735b7c4341333cL,0x03a2510416d4f362L,
+        0x3f4d069bbf433c8eL },
+      { 0x0d83ae01f78f5a7cL,0x50a8ffbe7c4eed07L,0xc74f890676e10f83L,
+        0x7d0809669ddaf8e1L } },
+    /* 10 << 49 */
+    { { 0xb11df8e1698e04ccL,0x877be203169005c8L,0x32749e8c4f3c6179L,
+        0x2dbc9d0a7853fc05L },
+      { 0x187d4f939454d937L,0xe682ce9db4800e1bL,0xa9129ad8165e68e8L,
+        0x0fe29735be7f785bL } },
+    /* 11 << 49 */
+    { { 0x5303f40c5b9e02b7L,0xa37c969235ee04e8L,0x5f46cc2034d6632bL,
+        0x55ef72b296ac545bL },
+      { 0xabec5c1f7b91b062L,0x0a79e1c7bb33e821L,0xbb04b4283a9f4117L,
+        0x0de1f28ffd2a475aL } },
+    /* 12 << 49 */
+    { { 0x31019ccf3a4434b4L,0xa34581111a7954dcL,0xa9dac80de34972a7L,
+        0xb043d05474f6b8ddL },
+      { 0x021c319e11137b1aL,0x00a754ceed5cc03fL,0x0aa2c794cbea5ad4L,
+        0x093e67f470c015b6L } },
+    /* 13 << 49 */
+    { { 0x72cdfee9c97e3f6bL,0xc10bcab4b6da7461L,0x3b02d2fcb59806b9L,
+        0x85185e89a1de6f47L },
+      { 0x39e6931f0eb6c4d4L,0x4d4440bdd4fa5b04L,0x5418786e34be7eb8L,
+        0x6380e5219d7259bcL } },
+    /* 14 << 49 */
+    { { 0x20ac0351d598d710L,0x272c4166cb3a4da4L,0xdb82fe1aca71de1fL,
+        0x746e79f2d8f54b0fL },
+      { 0x6e7fc7364b573e9bL,0x75d03f46fd4b5040L,0x5c1cc36d0b98d87bL,
+        0x513ba3f11f472da1L } },
+    /* 15 << 49 */
+    { { 0x79d0af26abb177ddL,0xf82ab5687891d564L,0x2b6768a972232173L,
+        0xefbb3bb08c1f6619L },
+      { 0xb29c11dba6d18358L,0x519e2797b0916d3aL,0xd4dc18f09188e290L,
+        0x648e86e398b0ca7fL } },
+    /* 16 << 49 */
+    { { 0x859d3145983c38b5L,0xb14f176c637abc8bL,0x2793fb9dcaff7be6L,
+        0xebe5a55f35a66a5aL },
+      { 0x7cec1dcd9f87dc59L,0x7c595cd3fbdbf560L,0x5b543b2226eb3257L,
+        0x69080646c4c935fdL } },
+    /* 17 << 49 */
+    { { 0x7f2e440381e9ede3L,0x243c3894caf6df0aL,0x7c605bb11c073b11L,
+        0xcd06a541ba6a4a62L },
+      { 0x2916894949d4e2e5L,0x33649d074af66880L,0xbfc0c885e9a85035L,
+        0xb4e52113fc410f4bL } },
+    /* 18 << 49 */
+    { { 0xdca3b70678a6513bL,0x92ea4a2a9edb1943L,0x02642216db6e2dd8L,
+        0x9b45d0b49fd57894L },
+      { 0x114e70dbc69d11aeL,0x1477dd194c57595fL,0xbc2208b4ec77c272L,
+        0x95c5b4d7db68f59cL } },
+    /* 19 << 49 */
+    { { 0xb8c4fc6342e532b7L,0x386ba4229ae35290L,0xfb5dda42d201ecbcL,
+        0x2353dc8ba0e38fd6L },
+      { 0x9a0b85ea68f7e978L,0x96ec56822ad6d11fL,0x5e279d6ce5f6886dL,
+        0xd3fe03cd3cb1914dL } },
+    /* 20 << 49 */
+    { { 0xfe541fa47ea67c77L,0x952bd2afe3ea810cL,0x791fef568d01d374L,
+        0xa3a1c6210f11336eL },
+      { 0x5ad0d5a9c7ec6d79L,0xff7038af3225c342L,0x003c6689bc69601bL,
+        0x25059bc745e8747dL } },
+    /* 21 << 49 */
+    { { 0xfa4965b2f2086fbfL,0xf6840ea686916078L,0xd7ac762070081d6cL,
+        0xe600da31b5328645L },
+      { 0x01916f63529b8a80L,0xe80e48582d7d6f3eL,0x29eb0fe8d664ca7cL,
+        0xf017637be7b43b0cL } },
+    /* 22 << 49 */
+    { { 0x9a75c80676cb2566L,0x8f76acb1b24892d9L,0x7ae7b9cc1f08fe45L,
+        0x19ef73296a4907d8L },
+      { 0x2db4ab715f228bf0L,0xf3cdea39817032d7L,0x0b1f482edcabe3c0L,
+        0x3baf76b4bb86325cL } },
+    /* 23 << 49 */
+    { { 0xd49065e010089465L,0x3bab5d298e77c596L,0x7636c3a6193dbd95L,
+        0xdef5d294b246e499L },
+      { 0xb22c58b9286b2475L,0xa0b93939cd80862bL,0x3002c83af0992388L,
+        0x6de01f9beacbe14cL } },
+    /* 24 << 49 */
+    { { 0x6aac688eadd70482L,0x708de92a7b4a4e8aL,0x75b6dd73758a6eefL,
+        0xea4bf352725b3c43L },
+      { 0x10041f2c87912868L,0xb1b1be95ef09297aL,0x19ae23c5a9f3860aL,
+        0xc4f0f839515dcf4bL } },
+    /* 25 << 49 */
+    { { 0x3c7ecca397f6306aL,0x744c44ae68a3a4b0L,0x69cd13a0b3a1d8a2L,
+        0x7cad0a1e5256b578L },
+      { 0xea653fcd33791d9eL,0x9cc2a05d74b2e05fL,0x73b391dcfd7affa2L,
+        0xddb7091eb6b05442L } },
+    /* 26 << 49 */
+    { { 0xc71e27bf8538a5c6L,0x195c63dd89abff17L,0xfd3152851b71e3daL,
+        0x9cbdfda7fa680fa0L },
+      { 0x9db876ca849d7eabL,0xebe2764b3c273271L,0x663357e3f208dceaL,
+        0x8c5bd833565b1b70L } },
+    /* 27 << 49 */
+    { { 0xccc3b4f59837fc0dL,0x9b641ba8a79cf00fL,0x7428243ddfdf3990L,
+        0x83a594c4020786b1L },
+      { 0xb712451a526c4502L,0x9d39438e6adb3f93L,0xfdb261e3e9ff0ccdL,
+        0x80344e3ce07af4c3L } },
+    /* 28 << 49 */
+    { { 0x75900d7c2fa4f126L,0x08a3b8655c99a232L,0x2478b6bfdb25e0c3L,
+        0x482cc2c271db2edfL },
+      { 0x37df7e645f321bb8L,0x8a93821b9a8005b4L,0x3fa2f10ccc8c1958L,
+        0x0d3322182c269d0aL } },
+    /* 29 << 49 */
+    { { 0x20ab8119e246b0e6L,0xb39781e4d349fd17L,0xd293231eb31aa100L,
+        0x4b779c97bb032168L },
+      { 0x4b3f19e1c8470500L,0x45b7efe90c4c869dL,0xdb84f38aa1a6bbccL,
+        0x3b59cb15b2fddbc1L } },
+    /* 30 << 49 */
+    { { 0xba5514df3fd165e8L,0x499fd6a9061f8811L,0x72cd1fe0bfef9f00L,
+        0x120a4bb979ad7e8aL },
+      { 0xf2ffd0955f4a5ac5L,0xcfd174f195a7a2f0L,0xd42301ba9d17baf1L,
+        0xd2fa487a77f22089L } },
+    /* 31 << 49 */
+    { { 0x9cb09efeb1dc77e1L,0xe956693921c99682L,0x8c5469016c6067bbL,
+        0xfd37857461c24456L },
+      { 0x2b6a6cbe81796b33L,0x62d550f658e87f8bL,0x1b763e1c7f1b01b4L,
+        0x4b93cfea1b1b5e12L } },
+    /* 32 << 49 */
+    { { 0xb93452381d531696L,0x57201c0088cdde69L,0xdde922519a86afc7L,
+        0xe3043895bd35cea8L },
+      { 0x7608c1e18555970dL,0x8267dfa92535935eL,0xd4c60a57322ea38bL,
+        0xe0bf7977804ef8b5L } },
+    /* 33 << 49 */
+    { { 0x1a0dab28c06fece4L,0xd405991e94e7b49dL,0xc542b6d2706dab28L,
+        0xcb228da3a91618fbL },
+      { 0x224e4164107d1ceaL,0xeb9fdab3d0f5d8f1L,0xc02ba3860d6e41cdL,
+        0x676a72c59b1f7146L } },
+    /* 34 << 49 */
+    { { 0xffd6dd984d6cb00bL,0xcef9c5cade2e8d7cL,0xa1bbf5d7641c7936L,
+        0x1b95b230ee8f772eL },
+      { 0xf765a92ee8ac25b1L,0xceb04cfc3a18b7c6L,0x27944cef0acc8966L,
+        0xcbb3c957434c1004L } },
+    /* 35 << 49 */
+    { { 0x9c9971a1a43ff93cL,0x5bc2db17a1e358a9L,0x45b4862ea8d9bc82L,
+        0x70ebfbfb2201e052L },
+      { 0xafdf64c792871591L,0xea5bcae6b42d0219L,0xde536c552ad8f03cL,
+        0xcd6c3f4da76aa33cL } },
+    /* 36 << 49 */
+    { { 0xbeb5f6230bca6de3L,0xdd20dd99b1e706fdL,0x90b3ff9dac9059d4L,
+        0x2d7b29027ccccc4eL },
+      { 0x8a090a59ce98840fL,0xa5d947e08410680aL,0x49ae346a923379a5L,
+        0x7dbc84f9b28a3156L } },
+    /* 37 << 49 */
+    { { 0xfd40d91654a1aff2L,0xabf318ba3a78fb9bL,0x50152ed83029f95eL,
+        0x9fc1dd77c58ad7faL },
+      { 0x5fa5791513595c17L,0xb95046688f62b3a9L,0x907b5b24ff3055b0L,
+        0x2e995e359a84f125L } },
+    /* 38 << 49 */
+    { { 0x87dacf697e9bbcfbL,0x95d0c1d6e86d96e3L,0x65726e3c2d95a75cL,
+        0x2c3c9001acd27f21L },
+      { 0x1deab5616c973f57L,0x108b7e2ca5221643L,0x5fee9859c4ef79d4L,
+        0xbd62b88a40d4b8c6L } },
+    /* 39 << 49 */
+    { { 0xb4dd29c4197c75d6L,0x266a6df2b7076febL,0x9512d0ea4bf2df11L,
+        0x1320c24f6b0cc9ecL },
+      { 0x6bb1e0e101a59596L,0x8317c5bbeff9aaacL,0x65bb405e385aa6c9L,
+        0x613439c18f07988fL } },
+    /* 40 << 49 */
+    { { 0xd730049f16a66e91L,0xe97f2820fa1b0e0dL,0x4131e003304c28eaL,
+        0x820ab732526bac62L },
+      { 0xb2ac9ef928714423L,0x54ecfffaadb10cb2L,0x8781476ef886a4ccL,
+        0x4b2c87b5db2f8d49L } },
+    /* 41 << 49 */
+    { { 0xe857cd200a44295dL,0x707d7d2158c6b044L,0xae8521f9f596757cL,
+        0x87448f0367b2b714L },
+      { 0x13a9bc455ebcd58dL,0x79bcced99122d3c1L,0x3c6442479e076642L,
+        0x0cf227782df4767dL } },
+    /* 42 << 49 */
+    { { 0x5e61aee471d444b6L,0x211236bfc5084a1dL,0x7e15bc9a4fd3eaf6L,
+        0x68df2c34ab622bf5L },
+      { 0x9e674f0f59bf4f36L,0xf883669bd7f34d73L,0xc48ac1b831497b1dL,
+        0x323b925d5106703bL } },
+    /* 43 << 49 */
+    { { 0x22156f4274082008L,0xeffc521ac8482bcbL,0x5c6831bf12173479L,
+        0xcaa2528fc4739490L },
+      { 0x84d2102a8f1b3c4dL,0xcf64dfc12d9bec0dL,0x433febad78a546efL,
+        0x1f621ec37b73cef1L } },
+    /* 44 << 49 */
+    { { 0x6aecd62737338615L,0x162082ab01d8edf6L,0x833a811919e86b66L,
+        0x6023a251d299b5dbL },
+      { 0xf5bb0c3abbf04b89L,0x6735eb69ae749a44L,0xd0e058c54713de3bL,
+        0xfdf2593e2c3d4ccdL } },
+    /* 45 << 49 */
+    { { 0x1b8f414efdd23667L,0xdd52aacafa2015eeL,0x3e31b517bd9625ffL,
+        0x5ec9322d8db5918cL },
+      { 0xbc73ac85a96f5294L,0x82aa5bf361a0666aL,0x49755810bf08ac42L,
+        0xd21cdfd5891cedfcL } },
+    /* 46 << 49 */
+    { { 0x918cb57b67f8be10L,0x365d1a7c56ffa726L,0x2435c5046532de93L,
+        0xc0fc5e102674cd02L },
+      { 0x6e51fcf89cbbb142L,0x1d436e5aafc50692L,0x766bffff3fbcae22L,
+        0x3148c2fdfd55d3b8L } },
+    /* 47 << 49 */
+    { { 0x52c7fdc9233222faL,0x89ff1092e419fb6bL,0x3cd6db9925254977L,
+        0x2e85a1611cf12ca7L },
+      { 0xadd2547cdc810bc9L,0xea3f458f9d257c22L,0x642c1fbe27d6b19bL,
+        0xed07e6b5140481a6L } },
+    /* 48 << 49 */
+    { { 0x6ada1d4286d2e0f8L,0xe59201220e8a9fd5L,0x02c936af708c1b49L,
+        0x60f30fee2b4bfaffL },
+      { 0x6637ad06858e6a61L,0xce4c77673fd374d0L,0x39d54b2d7188defbL,
+        0xa8c9d250f56a6b66L } },
+    /* 49 << 49 */
+    { { 0x58fc0f5eb24fe1dcL,0x9eaf9dee6b73f24cL,0xa90d588b33650705L,
+        0xde5b62c5af2ec729L },
+      { 0x5c72cfaed3c2b36eL,0x868c19d5034435daL,0x88605f93e17ee145L,
+        0xaa60c4ee77a5d5b1L } },
+    /* 50 << 49 */
+    { { 0xbcf5bfd23b60c472L,0xaf4ef13ceb1d3049L,0x373f44fce13895c9L,
+        0xf29b382f0cbc9822L },
+      { 0x1bfcb85373efaef6L,0xcf56ac9ca8c96f40L,0xd7adf1097a191e24L,
+        0x98035f44bf8a8dc2L } },
+    /* 51 << 49 */
+    { { 0xf40a71b91e750c84L,0xc57f7b0c5dc6c469L,0x49a0e79c6fbc19c1L,
+        0x6b0f5889a48ebdb8L },
+      { 0x5d3fd084a07c4e9fL,0xc3830111ab27de14L,0x0e4929fe33e08dccL,
+        0xf4a5ad2440bb73a3L } },
+    /* 52 << 49 */
+    { { 0xde86c2bf490f97caL,0x288f09c667a1ce18L,0x364bb8861844478dL,
+        0x7840fa42ceedb040L },
+      { 0x1269fdd25a631b37L,0x94761f1ea47c8b7dL,0xfc0c2e17481c6266L,
+        0x85e16ea23daa5fa7L } },
+    /* 53 << 49 */
+    { { 0xccd8603392491048L,0x0c2f6963f4d402d7L,0x6336f7dfdf6a865cL,
+        0x0a2a463cb5c02a87L },
+      { 0xb0e29be7bf2f12eeL,0xf0a2200266bad988L,0x27f87e039123c1d7L,
+        0x21669c55328a8c98L } },
+    /* 54 << 49 */
+    { { 0x186b980392f14529L,0xd3d056cc63954df3L,0x2f03fd58175a46f6L,
+        0x63e34ebe11558558L },
+      { 0xe13fedee5b80cfa5L,0xe872a120d401dbd1L,0x52657616e8a9d667L,
+        0xbc8da4b6e08d6693L } },
+    /* 55 << 49 */
+    { { 0x370fb9bb1b703e75L,0x6773b186d4338363L,0x18dad378ecef7bffL,
+        0xaac787ed995677daL },
+      { 0x4801ea8b0437164bL,0xf430ad2073fe795eL,0xb164154d8ee5eb73L,
+        0x0884ecd8108f7c0eL } },
+    /* 56 << 49 */
+    { { 0x0e6ec0965f520698L,0x640631fe44f7b8d9L,0x92fd34fca35a68b9L,
+        0x9c5a4b664d40cf4eL },
+      { 0x949454bf80b6783dL,0x80e701fe3a320a10L,0x8d1a564a1a0a39b2L,
+        0x1436d53d320587dbL } },
+    /* 57 << 49 */
+    { { 0xf5096e6d6556c362L,0xbc23a3c0e2455d7eL,0x3a7aee54807230f9L,
+        0x9ba1cfa622ae82fdL },
+      { 0x833a057a99c5d706L,0x8be85f4b842315c9L,0xd083179a66a72f12L,
+        0x2fc77d5dcdcc73cdL } },
+    /* 58 << 49 */
+    { { 0x22b88a805616ee30L,0xfb09548fe7ab1083L,0x8ad6ab0d511270cdL,
+        0x61f6c57a6924d9abL },
+      { 0xa0f7bf7290aecb08L,0x849f87c90df784a4L,0x27c79c15cfaf1d03L,
+        0xbbf9f675c463faceL } },
+    /* 59 << 49 */
+    { { 0x91502c65765ba543L,0x18ce3cac42ea60ddL,0xe5cee6ac6e43ecb3L,
+        0x63e4e91068f2aeebL },
+      { 0x26234fa3c85932eeL,0x96883e8b4c90c44dL,0x29b9e738a18a50f6L,
+        0xbfc62b2a3f0420dfL } },
+    /* 60 << 49 */
+    { { 0xd22a7d906d3e1fa9L,0x17115618fe05b8a3L,0x2a0c9926bb2b9c01L,
+        0xc739fcc6e07e76a2L },
+      { 0x540e9157165e439aL,0x06353a626a9063d8L,0x84d9559461e927a3L,
+        0x013b9b26e2e0be7fL } },
+    /* 61 << 49 */
+    { { 0x4feaec3b973497f1L,0x15c0f94e093ebc2dL,0x6af5f22733af0583L,
+        0x0c2af206c61f3340L },
+      { 0xd25dbdf14457397cL,0x2e8ed017cabcbae0L,0xe3010938c2815306L,
+        0xbaa99337e8c6cd68L } },
+    /* 62 << 49 */
+    { { 0x085131823b0ec7deL,0x1e1b822b58df05dfL,0x5c14842fa5c3b683L,
+        0x98fe977e3eba34ceL },
+      { 0xfd2316c20d5e8873L,0xe48d839abd0d427dL,0x495b2218623fc961L,
+        0x24ee56e7b46fba5eL } },
+    /* 63 << 49 */
+    { { 0x9184a55b91e4de58L,0xa7488ca5dfdea288L,0xa723862ea8dcc943L,
+        0x92d762b2849dc0fcL },
+      { 0x3c444a12091ff4a9L,0x581113fa0cada274L,0xb9de0a4530d8eae2L,
+        0x5e0fcd85df6b41eaL } },
+    /* 64 << 49 */
+    { { 0x6233ea68c094dbb5L,0xb77d062ed968d410L,0x3e719bbc58b3002dL,
+        0x68e7dd3d3dc49d58L },
+      { 0x8d825740013a5e58L,0x213117473c9e3c1bL,0x0cb0a2a77c99b6abL,
+        0x5c48a3b3c2f888f2L } },
+    /* 0 << 56 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 56 */
+    { { 0xc7913e91991724f3L,0x5eda799c39cbd686L,0xddb595c763d4fc1eL,
+        0x6b63b80bac4fed54L },
+      { 0x6ea0fc697e5fb516L,0x737708bad0f1c964L,0x9628745f11a92ca5L,
+        0x61f379589a86967aL } },
+    /* 2 << 56 */
+    { { 0x9af39b2caa665072L,0x78322fa4efd324efL,0x3d153394c327bd31L,
+        0x81d5f2713129dab0L },
+      { 0xc72e0c42f48027f5L,0xaa40cdbc8536e717L,0xf45a657a2d369d0fL,
+        0xb03bbfc4ea7f74e6L } },
+    /* 3 << 56 */
+    { { 0x46a8c4180d738dedL,0x6f1a5bb0e0de5729L,0xf10230b98ba81675L,
+        0x32c6f30c112b33d4L },
+      { 0x7559129dd8fffb62L,0x6a281b47b459bf05L,0x77c1bd3afa3b6776L,
+        0x0709b3807829973aL } },
+    /* 4 << 56 */
+    { { 0x8c26b232a3326505L,0x38d69272ee1d41bfL,0x0459453effe32afaL,
+        0xce8143ad7cb3ea87L },
+      { 0x932ec1fa7e6ab666L,0x6cd2d23022286264L,0x459a46fe6736f8edL,
+        0x50bf0d009eca85bbL } },
+    /* 5 << 56 */
+    { { 0x0b825852877a21ecL,0x300414a70f537a94L,0x3f1cba4021a9a6a2L,
+        0x50824eee76943c00L },
+      { 0xa0dbfcecf83cba5dL,0xf953814893b4f3c0L,0x6174416248f24dd7L,
+        0x5322d64de4fb09ddL } },
+    /* 6 << 56 */
+    { { 0x574473843d9325f3L,0xa9bef2d0f371cb84L,0x77d2188ba61e36c5L,
+        0xbbd6a7d7c602df72L },
+      { 0xba3aa9028f61bc0bL,0xf49085ed6ed0b6a1L,0x8bc625d6ae6e8298L,
+        0x832b0b1da2e9c01dL } },
+    /* 7 << 56 */
+    { { 0xa337c447f1f0ced1L,0x800cc7939492dd2bL,0x4b93151dbea08efaL,
+        0x820cf3f8de0a741eL },
+      { 0xff1982dc1c0f7d13L,0xef92196084dde6caL,0x1ad7d97245f96ee3L,
+        0x319c8dbe29dea0c7L } },
+    /* 8 << 56 */
+    { { 0xd3ea38717b82b99bL,0x75922d4d470eb624L,0x8f66ec543b95d466L,
+        0x66e673ccbee1e346L },
+      { 0x6afe67c4b5f2b89aL,0x3de9c1e6290e5cd3L,0x8c278bb6310a2adaL,
+        0x420fa3840bdb323bL } },
+    /* 9 << 56 */
+    { { 0x0ae1d63b0eb919b0L,0xd74ee51da74b9620L,0x395458d0a674290cL,
+        0x324c930f4620a510L },
+      { 0x2d1f4d19fbac27d4L,0x4086e8ca9bedeeacL,0x0cdd211b9b679ab8L,
+        0x5970167d7090fec4L } },
+    /* 10 << 56 */
+    { { 0x3420f2c9faf1fc63L,0x616d333a328c8bb4L,0x7d65364c57f1fe4aL,
+        0x9343e87755e5c73aL },
+      { 0x5795176be970e78cL,0xa36ccebf60533627L,0xfc7c738009cdfc1bL,
+        0xb39a2afeb3fec326L } },
+    /* 11 << 56 */
+    { { 0xb7ff1ba16224408aL,0xcc856e92247cfc5eL,0x01f102e7c18bc493L,
+        0x4613ab742091c727L },
+      { 0xaa25e89cc420bf2bL,0x00a5317690337ec2L,0xd2be9f437d025fc7L,
+        0x3316fb856e6fe3dcL } },
+    /* 12 << 56 */
+    { { 0x27520af59ac50814L,0xfdf95e789a8e4223L,0xb7e7df2a56bec5a0L,
+        0xf7022f7ddf159e5dL },
+      { 0x93eeeab1cac1fe8fL,0x8040188c37451168L,0x7ee8aa8ad967dce6L,
+        0xfa0e79e73abc9299L } },
+    /* 13 << 56 */
+    { { 0x67332cfc2064cfd1L,0x339c31deb0651934L,0x719b28d52a3bcbeaL,
+        0xee74c82b9d6ae5c6L },
+      { 0x0927d05ebaf28ee6L,0x82cecf2c9d719028L,0x0b0d353eddb30289L,
+        0xfe4bb977fddb2e29L } },
+    /* 14 << 56 */
+    { { 0xbb5bb990640bfd9eL,0xd226e27782f62108L,0x4bf0098502ffdd56L,
+        0x7756758a2ca1b1b5L },
+      { 0xc32b62a35285fe91L,0xedbc546a8c9cd140L,0x1e47a013af5cb008L,
+        0xbca7e720073ce8f2L } },
+    /* 15 << 56 */
+    { { 0xe10b2ab817a91caeL,0xb89aab6508e27f63L,0x7b3074a7dba3ddf9L,
+        0x1c20ce09330c2972L },
+      { 0x6b9917b45fcf7e33L,0xe6793743945ceb42L,0x18fc22155c633d19L,
+        0xad1adb3cc7485474L } },
+    /* 16 << 56 */
+    { { 0x646f96796424c49bL,0xf888dfe867c241c9L,0xe12d4b9324f68b49L,
+        0x9a6b62d8a571df20L },
+      { 0x81b4b26d179483cbL,0x666f96329511fae2L,0xd281b3e4d53aa51fL,
+        0x7f96a7657f3dbd16L } },
+    /* 17 << 56 */
+    { { 0xa7f8b5bf074a30ceL,0xd7f52107005a32e6L,0x6f9e090750237ed4L,
+        0x2f21da478096fa2bL },
+      { 0xf3e19cb4eec863a0L,0xd18f77fd9527620aL,0x9505c81c407c1cf8L,
+        0x9998db4e1b6ec284L } },
+    /* 18 << 56 */
+    { { 0x7e3389e5c247d44dL,0x125071413f4f3d80L,0xd4ba01104a78a6c7L,
+        0x312874a0767720beL },
+      { 0xded059a675944370L,0xd6123d903b2c0bddL,0xa56b717b51c108e3L,
+        0x9bb7940e070623e9L } },
+    /* 19 << 56 */
+    { { 0x794e2d5984ac066cL,0xf5954a92e68c69a0L,0x28c524584fd99dccL,
+        0x60e639fcb1012517L },
+      { 0xc2e601257de79248L,0xe9ef6404f12fc6d7L,0x4c4f28082a3b5d32L,
+        0x865ad32ec768eb8aL } },
+    /* 20 << 56 */
+    { { 0xac02331b13fb70b6L,0x037b44c195599b27L,0x1a860fc460bd082cL,
+        0xa2e25745c980cd01L },
+      { 0xee3387a81da0263eL,0x931bfb952d10f3d6L,0x5b687270a1f24a32L,
+        0xf140e65dca494b86L } },
+    /* 21 << 56 */
+    { { 0x4f4ddf91b2f1ac7aL,0xf99eaabb760fee27L,0x57f4008a49c228e5L,
+        0x090be4401cf713bbL },
+      { 0xac91fbe45004f022L,0xd838c2c2569e1af6L,0xd6c7d20b0f1daaa5L,
+        0xaa063ac11bbb02c0L } },
+    /* 22 << 56 */
+    { { 0x0938a42259558a78L,0x5343c6698435da2fL,0x96f67b18034410dcL,
+        0x7cc1e42484510804L },
+      { 0x86a1543f16dfbb7dL,0x921fa9425b5bd592L,0x9dcccb6eb33dd03cL,
+        0x8581ddd9b843f51eL } },
+    /* 23 << 56 */
+    { { 0x54935fcb81d73c9eL,0x6d07e9790a5e97abL,0x4dc7b30acf3a6babL,
+        0x147ab1f3170bee11L },
+      { 0x0aaf8e3d9fafdee4L,0xfab3dbcb538a8b95L,0x405df4b36ef13871L,
+        0xf1f4e9cb088d5a49L } },
+    /* 24 << 56 */
+    { { 0x9bcd24d366b33f1dL,0x3b97b8205ce445c0L,0xe2926549ba93ff61L,
+        0xd9c341ce4dafe616L },
+      { 0xfb30a76e16efb6f3L,0xdf24b8ca605b953cL,0x8bd52afec2fffb9fL,
+        0xbbac5ff7e19d0b96L } },
+    /* 25 << 56 */
+    { { 0x43c01b87459afccdL,0x6bd45143b7432652L,0x8473453055b5d78eL,
+        0x81088fdb1554ba7dL },
+      { 0xada0a52c1e269375L,0xf9f037c42dc5ec10L,0xc066060794bfbc11L,
+        0xc0a630bbc9c40d2fL } },
+    /* 26 << 56 */
+    { { 0x5efc797eab64c31eL,0xffdb1dab74507144L,0xf61242871ca6790cL,
+        0xe9609d81e69bf1bfL },
+      { 0xdb89859500d24fc9L,0x9c750333e51fb417L,0x51830a91fef7bbdeL,
+        0x0ce67dc8945f585cL } },
+    /* 27 << 56 */
+    { { 0x9a730ed44763eb50L,0x24a0e221c1ab0d66L,0x643b6393648748f3L,
+        0x1982daa16d3c6291L },
+      { 0x6f00a9f78bbc5549L,0x7a1783e17f36384eL,0xe8346323de977f50L,
+        0x91ab688db245502aL } },
+    /* 28 << 56 */
+    { { 0x331ab6b56d0bdd66L,0x0a6ef32e64b71229L,0x1028150efe7c352fL,
+        0x27e04350ce7b39d3L },
+      { 0x2a3c8acdc1070c82L,0xfb2034d380c9feefL,0x2d729621709f3729L,
+        0x8df290bf62cb4549L } },
+    /* 29 << 56 */
+    { { 0x02f99f33fc2e4326L,0x3b30076d5eddf032L,0xbb21f8cf0c652fb5L,
+        0x314fb49eed91cf7bL },
+      { 0xa013eca52f700750L,0x2b9e3c23712a4575L,0xe5355557af30fbb0L,
+        0x1ada35167c77e771L } },
+    /* 30 << 56 */
+    { { 0x45f6ecb27b135670L,0xe85d19df7cfc202eL,0x0f1b50c758d1be9fL,
+        0x5ebf2c0aead2e344L },
+      { 0x1531fe4eabc199c9L,0xc703259256bab0aeL,0x16ab2e486c1fec54L,
+        0x0f87fda804280188L } },
+    /* 31 << 56 */
+    { { 0xdc9f46fc609e4a74L,0x2a44a143ba667f91L,0xbc3d8b95b4d83436L,
+        0xa01e4bd0c7bd2958L },
+      { 0x7b18293273483c90L,0xa79c6aa1a7c7b598L,0xbf3983c6eaaac07eL,
+        0x8f18181e96e0d4e6L } },
+    /* 32 << 56 */
+    { { 0x8553d37c051af62bL,0xe9a998eb0bf94496L,0xe0844f9fb0d59aa1L,
+        0x983fd558e6afb813L },
+      { 0x9670c0ca65d69804L,0x732b22de6ea5ff2dL,0xd7640ba95fd8623bL,
+        0x9f619163a6351782L } },
+    /* 33 << 56 */
+    { { 0x0bfc27eeacee5043L,0xae419e732eb10f02L,0x19c028d18943fb05L,
+        0x71f01cf7ff13aa2aL },
+      { 0x7790737e8887a132L,0x6751330966318410L,0x9819e8a37ddb795eL,
+        0xfecb8ef5dad100b2L } },
+    /* 34 << 56 */
+    { { 0x59f74a223021926aL,0xb7c28a496f9b4c1cL,0xed1a733f912ad0abL,
+        0x42a910af01a5659cL },
+      { 0x3842c6e07bd68cabL,0x2b57fa3876d70ac8L,0x8a6707a83c53aaebL,
+        0x62c1c51065b4db18L } },
+    /* 35 << 56 */
+    { { 0x8de2c1fbb2d09dc7L,0xc3dfed12266bd23bL,0x927d039bd5b27db6L,
+        0x2fb2f0f1103243daL },
+      { 0xf855a07b80be7399L,0xed9327ce1f9f27a8L,0xa0bd99c7729bdef7L,
+        0x2b67125e28250d88L } },
+    /* 36 << 56 */
+    { { 0x784b26e88670ced7L,0xe3dfe41fc31bd3b4L,0x9e353a06bcc85cbcL,
+        0x302e290960178a9dL },
+      { 0x860abf11a6eac16eL,0x76447000aa2b3aacL,0x46ff9d19850afdabL,
+        0x35bdd6a5fdb2d4c1L } },
+    /* 37 << 56 */
+    { { 0xe82594b07e5c9ce9L,0x0f379e5320af346eL,0x608b31e3bc65ad4aL,
+        0x710c6b12267c4826L },
+      { 0x51c966f971954cf1L,0xb1cec7930d0aa215L,0x1f15598986bd23a8L,
+        0xae2ff99cf9452e86L } },
+    /* 38 << 56 */
+    { { 0xd8dd953c340ceaa2L,0x263552752e2e9333L,0x15d4e5f98586f06dL,
+        0xd6bf94a8f7cab546L },
+      { 0x33c59a0ab76a9af0L,0x52740ab3ba095af7L,0xc444de8a24389ca0L,
+        0xcc6f9863706da0cbL } },
+    /* 39 << 56 */
+    { { 0xb5a741a76b2515cfL,0x71c416019585c749L,0x78350d4fe683de97L,
+        0x31d6152463d0b5f5L },
+      { 0x7a0cc5e1fbce090bL,0xaac927edfbcb2a5bL,0xe920de4920d84c35L,
+        0x8c06a0b622b4de26L } },
+    /* 40 << 56 */
+    { { 0xd34dd58bafe7ddf3L,0x55851fedc1e6e55bL,0xd1395616960696e7L,
+        0x940304b25f22705fL },
+      { 0x6f43f861b0a2a860L,0xcf1212820e7cc981L,0x121862120ab64a96L,
+        0x09215b9ab789383cL } },
+    /* 41 << 56 */
+    { { 0x311eb30537387c09L,0xc5832fcef03ee760L,0x30358f5832f7ea19L,
+        0xe01d3c3491d53551L },
+      { 0x1ca5ee41da48ea80L,0x34e71e8ecf4fa4c1L,0x312abd257af1e1c7L,
+        0xe3afcdeb2153f4a5L } },
+    /* 42 << 56 */
+    { { 0x9d5c84d700235e9aL,0x0308d3f48c4c836fL,0xc0a66b0489332de5L,
+        0x610dd39989e566efL },
+      { 0xf8eea460d1ac1635L,0x84cbb3fb20a2c0dfL,0x40afb488e74a48c5L,
+        0x29738198d326b150L } },
+    /* 43 << 56 */
+    { { 0x2a17747fa6d74081L,0x60ea4c0555a26214L,0x53514bb41f88c5feL,
+        0xedd645677e83426cL },
+      { 0xd5d6cbec96460b25L,0xa12fd0ce68dc115eL,0xc5bc3ed2697840eaL,
+        0x969876a8a6331e31L } },
+    /* 44 << 56 */
+    { { 0x60c36217472ff580L,0xf42297054ad41393L,0x4bd99ef0a03b8b92L,
+        0x501c7317c144f4f6L },
+      { 0x159009b318464945L,0x6d5e594c74c5c6beL,0x2d587011321a3660L,
+        0xd1e184b13898d022L } },
+    /* 45 << 56 */
+    { { 0x5ba047524c6a7e04L,0x47fa1e2b45550b65L,0x9419daf048c0a9a5L,
+        0x663629537c243236L },
+      { 0xcd0744b15cb12a88L,0x561b6f9a2b646188L,0x599415a566c2c0c0L,
+        0xbe3f08590f83f09aL } },
+    /* 46 << 56 */
+    { { 0x9141c5beb92041b8L,0x01ae38c726477d0dL,0xca8b71f3d12c7a94L,
+        0xfab5b31f765c70dbL },
+      { 0x76ae7492487443e9L,0x8595a310990d1349L,0xf8dbeda87d460a37L,
+        0x7f7ad0821e45a38fL } },
+    /* 47 << 56 */
+    { { 0xed1d4db61059705aL,0xa3dd492ae6b9c697L,0x4b92ee3a6eb38bd5L,
+        0xbab2609d67cc0bb7L },
+      { 0x7fc4fe896e70ee82L,0xeff2c56e13e6b7e3L,0x9b18959e34d26fcaL,
+        0x2517ab66889d6b45L } },
+    /* 48 << 56 */
+    { { 0xf167b4e0bdefdd4fL,0x69958465f366e401L,0x5aa368aba73bbec0L,
+        0x121487097b240c21L },
+      { 0x378c323318969006L,0xcb4d73cee1fe53d1L,0x5f50a80e130c4361L,
+        0xd67f59517ef5212bL } },
+    /* 49 << 56 */
+    { { 0xf145e21e9e70c72eL,0xb2e52e295566d2fbL,0x44eaba4a032397f5L,
+        0x5e56937b7e31a7deL },
+      { 0x68dcf517456c61e1L,0xbc2e954aa8b0a388L,0xe3552fa760a8b755L,
+        0x03442dae73ad0cdeL } },
+    /* 50 << 56 */
+    { { 0x37ffe747ceb26210L,0x983545e8787baef9L,0x8b8c853586a3de31L,
+        0xc621dbcbfacd46dbL },
+      { 0x82e442e959266fbbL,0xa3514c37339d471cL,0x3a11b77162cdad96L,
+        0xf0cb3b3cecf9bdf0L } },
+    /* 51 << 56 */
+    { { 0x3fcbdbce478e2135L,0x7547b5cfbda35342L,0xa97e81f18a677af6L,
+        0xc8c2bf8328817987L },
+      { 0xdf07eaaf45580985L,0xc68d1f05c93b45cbL,0x106aa2fec77b4cacL,
+        0x4c1d8afc04a7ae86L } },
+    /* 52 << 56 */
+    { { 0xdb41c3fd9eb45ab2L,0x5b234b5bd4b22e74L,0xda253decf215958aL,
+        0x67e0606ea04edfa0L },
+      { 0xabbbf070ef751b11L,0xf352f175f6f06dceL,0xdfc4b6af6839f6b4L,
+        0x53ddf9a89959848eL } },
+    /* 53 << 56 */
+    { { 0xda49c379c21520b0L,0x90864ff0dbd5d1b6L,0x2f055d235f49c7f7L,
+        0xe51e4e6aa796b2d8L },
+      { 0xc361a67f5c9dc340L,0x5ad53c37bca7c620L,0xda1d658832c756d0L,
+        0xad60d9118bb67e13L } },
+    /* 54 << 56 */
+    { { 0xd6c47bdf0eeec8c6L,0x4a27fec1078a1821L,0x081f7415c3099524L,
+        0x8effdf0b82cd8060L },
+      { 0xdb70ec1c65842df8L,0x8821b358d319a901L,0x72ee56eede42b529L,
+        0x5bb39592236e4286L } },
+    /* 55 << 56 */
+    { { 0xd1183316fd6f7140L,0xf9fadb5bbd8e81f7L,0x701d5e0c5a02d962L,
+        0xfdee4dbf1b601324L },
+      { 0xbed1740735d7620eL,0x04e3c2c3f48c0012L,0x9ee29da73455449aL,
+        0x562cdef491a836c4L } },
+    /* 56 << 56 */
+    { { 0x8f682a5f47701097L,0x617125d8ff88d0c2L,0x948fda2457bb86ddL,
+        0x348abb8f289f7286L },
+      { 0xeb10eab599d94bbdL,0xd51ba28e4684d160L,0xabe0e51c30c8f41aL,
+        0x66588b4513254f4aL } },
+    /* 57 << 56 */
+    { { 0x147ebf01fad097a5L,0x49883ea8610e815dL,0xe44d60ba8a11de56L,
+        0xa970de6e827a7a6dL },
+      { 0x2be414245e17fc19L,0xd833c65701214057L,0x1375813b363e723fL,
+        0x6820bb88e6a52e9bL } },
+    /* 58 << 56 */
+    { { 0x7e7f6970d875d56aL,0xd6a0a9ac51fbf6bfL,0x54ba8790a3083c12L,
+        0xebaeb23d6ae7eb64L },
+      { 0xa8685c3ab99a907aL,0xf1e74550026bf40bL,0x7b73a027c802cd9eL,
+        0x9a8a927c4fef4635L } },
+    /* 59 << 56 */
+    { { 0xe1b6f60c08191224L,0xc4126ebbde4ec091L,0xe1dff4dc4ae38d84L,
+        0xde3f57db4f2ef985L },
+      { 0x34964337d446a1ddL,0x7bf217a0859e77f6L,0x8ff105278e1d13f5L,
+        0xa304ef0374eeae27L } },
+    /* 60 << 56 */
+    { { 0xfc6f5e47d19dfa5aL,0xdb007de37fad982bL,0x28205ad1613715f5L,
+        0x251e67297889529eL },
+      { 0x727051841ae98e78L,0xf818537d271cac32L,0xc8a15b7eb7f410f5L,
+        0xc474356f81f62393L } },
+    /* 61 << 56 */
+    { { 0x92dbdc5ac242316bL,0xabe060acdbf4aff5L,0x6e8c38fe909a8ec6L,
+        0x43e514e56116cb94L },
+      { 0x2078fa3807d784f9L,0x1161a880f4b5b357L,0x5283ce7913adea3dL,
+        0x0756c3e6cc6a910bL } },
+    /* 62 << 56 */
+    { { 0x60bcfe01aaa79697L,0x04a73b2956391db1L,0xdd8dad47189b45a0L,
+        0xbfac0dd048d5b8d9L },
+      { 0x34ab3af57d3d2ec2L,0x6fa2fc2d207bd3afL,0x9ff4009266550dedL,
+        0x719b3e871fd5b913L } },
+    /* 63 << 56 */
+    { { 0xa573a4966d17fbc7L,0x0cd1a70a73d2b24eL,0x34e2c5cab2676937L,
+        0xe7050b06bf669f21L },
+      { 0xfbe948b61ede9046L,0xa053005197662659L,0x58cbd4edf10124c5L,
+        0xde2646e4dd6c06c8L } },
+    /* 64 << 56 */
+    { { 0x332f81088cad38c0L,0x471b7e906bd68ae2L,0x56ac3fb20d8e27a3L,
+        0xb54660db136b4b0dL },
+      { 0x123a1e11a6fd8de4L,0x44dbffeaa37799efL,0x4540b977ce6ac17cL,
+        0x495173a8af60acefL } },
+    /* 0 << 63 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 63 */
+    { { 0x9ebb284d391c2a82L,0xbcdd4863158308e8L,0x006f16ec83f1edcaL,
+        0xa13e2c37695dc6c8L },
+      { 0x2ab756f04a057a87L,0xa8765500a6b48f98L,0x4252face68651c44L,
+        0xa52b540be1765e02L } },
+    /* 2 << 63 */
+    { { 0x4f922fc516a0d2bbL,0x0d5cc16c1a623499L,0x9241cf3a57c62c8bL,
+        0x2f5e6961fd1b667fL },
+      { 0x5c15c70bf5a01797L,0x3d20b44d60956192L,0x04911b37071fdb52L,
+        0xf648f9168d6f0f7bL } },
+    /* 3 << 63 */
+    { { 0x6dc1acafe60b7cf7L,0x25860a5084a9d869L,0x56fc6f09e7ba8ac4L,
+        0x828c5bd06148d29eL },
+      { 0xac6b435edc55ae5fL,0xa527f56cc0117411L,0x94d5045efd24342cL,
+        0x2c4c0a3570b67c0dL } },
+    /* 4 << 63 */
+    { { 0x027cc8b8fac61d9aL,0x7d25e062e3c6fe8aL,0xe08805bfe5bff503L,
+        0x13271e6c6ff632f7L },
+      { 0x55dca6c0232f76a5L,0x8957c32d701ef426L,0xee728bcba10a5178L,
+        0x5ea60411b62c5173L } },
+    /* 5 << 63 */
+    { { 0xfc4e964ed0b8892bL,0x9ea176839301bb74L,0x6265c5aefcc48626L,
+        0xe60cf82ebb3e9102L },
+      { 0x57adf797d4df5531L,0x235b59a18deeefe2L,0x60adcf583f306eb1L,
+        0x105c27533d09492dL } },
+    /* 6 << 63 */
+    { { 0x4090914bb5def996L,0x1cb69c83233dd1e7L,0xc1e9c1d39b3d5e76L,
+        0x1f3338edfccf6012L },
+      { 0xb1e95d0d2f5378a8L,0xacf4c2c72f00cd21L,0x6e984240eb5fe290L,
+        0xd66c038d248088aeL } },
+    /* 7 << 63 */
+    { { 0x804d264af94d70cfL,0xbdb802ef7314bf7eL,0x8fb54de24333ed02L,
+        0x740461e0285635d9L },
+      { 0x4113b2c8365e9383L,0xea762c833fdef652L,0x4eec6e2e47b956c1L,
+        0xa3d814be65620fa4L } },
+    /* 8 << 63 */
+    { { 0x9ad5462bb4d8bc50L,0x181c0b16a9195770L,0xebd4fe1c78412a68L,
+        0xae0341bcc0dff48cL },
+      { 0xb6bc45cf7003e866L,0xf11a6dea8a24a41bL,0x5407151ad04c24c2L,
+        0x62c9d27dda5b7b68L } },
+    /* 9 << 63 */
+    { { 0x2e96423588cceff6L,0x8594c54f8b07ed69L,0x1578e73cc84d0d0dL,
+        0x7b4e1055ff532868L },
+      { 0xa348c0d5b5ec995aL,0xbf4b9d5514289a54L,0x9ba155a658fbd777L,
+        0x186ed7a81a84491dL } },
+    /* 10 << 63 */
+    { { 0xd4992b30614c0900L,0xda98d121bd00c24bL,0x7f534dc87ec4bfa1L,
+        0x4a5ff67437dc34bcL },
+      { 0x68c196b81d7ea1d7L,0x38cf289380a6d208L,0xfd56cd09e3cbbd6eL,
+        0xec72e27e4205a5b6L } },
+    /* 11 << 63 */
+    { { 0x15ea68f5a44f77f7L,0x7aa5f9fdb43c52bcL,0x86ff676f94f0e609L,
+        0xa4cde9632e2d432bL },
+      { 0x8cafa0c0eee470afL,0x84137d0e8a3f5ec8L,0xebb40411faa31231L,
+        0xa239c13f6f7f7ccfL } },
+    /* 12 << 63 */
+    { { 0x32865719a8afd30bL,0x867983288a826dceL,0xdf04e891c4a8fbe0L,
+        0xbb6b6e1bebf56ad3L },
+      { 0x0a695b11471f1ff0L,0xd76c3389be15baf0L,0x018edb95be96c43eL,
+        0xf2beaaf490794158L } },
+    /* 13 << 63 */
+    { { 0x152db09ec3076a27L,0x5e82908ee416545dL,0xa2c41272356d6f2eL,
+        0xdc9c964231fd74e1L },
+      { 0x66ceb88d519bf615L,0xe29ecd7605a2274eL,0x3a0473c4bf5e2fa0L,
+        0x6b6eb67164284e67L } },
+    /* 14 << 63 */
+    { { 0xe8b97932b88756ddL,0xed4e8652f17e3e61L,0xc2dd14993ee1c4a4L,
+        0xc0aaee17597f8c0eL },
+      { 0x15c4edb96c168af3L,0x6563c7bfb39ae875L,0xadfadb6f20adb436L,
+        0xad55e8c99a042ac0L } },
+    /* 15 << 63 */
+    { { 0x975a1ed8b76da1f5L,0x10dfa466a58acb94L,0x8dd7f7e3ac060282L,
+        0x6813e66a572a051eL },
+      { 0xb4ccae1e350cb901L,0xb653d65650cb7822L,0x42484710dfab3b87L,
+        0xcd7ee5379b670fd0L } },
+    /* 16 << 63 */
+    { { 0x0a50b12e523b8bf6L,0x8009eb5b8f910c1bL,0xf535af824a167588L,
+        0x0f835f9cfb2a2abdL },
+      { 0xf59b29312afceb62L,0xc797df2a169d383fL,0xeb3f5fb066ac02b0L,
+        0x029d4c6fdaa2d0caL } },
+    /* 17 << 63 */
+    { { 0xd4059bc1afab4bc5L,0x833f5c6f56783247L,0xb53466308d2d3605L,
+        0x83387891d34d8433L },
+      { 0xd973b30fadd9419aL,0xbcca1099afe3fce8L,0x081783150809aac6L,
+        0x01b7f21a540f0f11L } },
+    /* 18 << 63 */
+    { { 0x65c29219909523c8L,0xa62f648fa3a1c741L,0x88598d4f60c9e55aL,
+        0xbce9141b0e4f347aL },
+      { 0x9af97d8435f9b988L,0x0210da62320475b6L,0x3c076e229191476cL,
+        0x7520dbd944fc7834L } },
+    /* 19 << 63 */
+    { { 0x6a6b2cfec1ab1bbdL,0xef8a65bedc650938L,0x72855540805d7bc4L,
+        0xda389396ed11fdfdL },
+      { 0xa9d5bd3674660876L,0x11d67c54b45dff35L,0x6af7d148a4f5da94L,
+        0xbb8d4c3fc0bbeb31L } },
+    /* 20 << 63 */
+    { { 0x87a7ebd1e0a1b12aL,0x1e4ef88d770ba95fL,0x8c33345cdc2ae9cbL,
+        0xcecf127601cc8403L },
+      { 0x687c012e1b39b80fL,0xfd90d0ad35c33ba4L,0xa3ef5a675c9661c2L,
+        0x368fc88ee017429eL } },
+    /* 21 << 63 */
+    { { 0xd30c6761196a2fa2L,0x931b9817bd5b312eL,0xba01000c72f54a31L,
+        0xa203d2c866eaa541L },
+      { 0xf2abdee098939db3L,0xe37d6c2c3e606c02L,0xf2921574521ff643L,
+        0x2781b3c4d7e2fca3L } },
+    /* 22 << 63 */
+    { { 0x664300b07850ec06L,0xac5a38b97d3a10cfL,0x9233188de34ab39dL,
+        0xe77057e45072cbb9L },
+      { 0xbcf0c042b59e78dfL,0x4cfc91e81d97de52L,0x4661a26c3ee0ca4aL,
+        0x5620a4c1fb8507bcL } },
+    /* 23 << 63 */
+    { { 0x4b44d4aa049f842cL,0xceabc5d51540e82bL,0x306710fd15c6f156L,
+        0xbe5ae52b63db1d72L },
+      { 0x06f1e7e6334957f1L,0x57e388f031144a70L,0xfb69bb2fdf96447bL,
+        0x0f78ebd373e38a12L } },
+    /* 24 << 63 */
+    { { 0xb82226052b7ce542L,0xe6d4ce997472bde1L,0x53e16ebe09d2f4daL,
+        0x180ff42e53b92b2eL },
+      { 0xc59bcc022c34a1c6L,0x3803d6f9422c46c2L,0x18aff74f5c14a8a2L,
+        0x55aebf8010a08b28L } },
+    /* 25 << 63 */
+    { { 0x66097d587135593fL,0x32e6eff72be570cdL,0x584e6a102a8c860dL,
+        0xcd185890a2eb4163L },
+      { 0x7ceae99d6d97e134L,0xd42c6b70dd8447ceL,0x59ddbb4ab8c50273L,
+        0x03c612df3cf34e1eL } },
+    /* 26 << 63 */
+    { { 0x84b9ca1504b6c5a0L,0x35216f3918f0e3a3L,0x3ec2d2bcbd986c00L,
+        0x8bf546d9d19228feL },
+      { 0xd1c655a44cd623c3L,0x366ce718502b8e5aL,0x2cfc84b4eea0bfe7L,
+        0xe01d5ceecf443e8eL } },
+    /* 27 << 63 */
+    { { 0x8ec045d9036520f8L,0xdfb3c3d192d40e98L,0x0bac4ccecc559a04L,
+        0x35eccae5240ea6b1L },
+      { 0x180b32dbf8a5a0acL,0x547972a5eb699700L,0xa3765801ca26bca0L,
+        0x57e09d0ea647f25aL } },
+    /* 28 << 63 */
+    { { 0xb956970e2fdd23ccL,0xb80288bc5682e971L,0xe6e6d91e9ae86ebcL,
+        0x0564c83f8c9f1939L },
+      { 0x551932a239560368L,0xe893752b049c28e2L,0x0b03cee5a6a158c3L,
+        0xe12d656b04964263L } },
+    /* 29 << 63 */
+    { { 0x4b47554e63e3bc1dL,0xc719b6a245044ff7L,0x4f24d30ae48daa07L,
+        0xa3f37556c8c1edc3L },
+      { 0x9a47bf760700d360L,0xbb1a1824822ae4e2L,0x22e275a389f1fb4cL,
+        0x72b1aa239968c5f5L } },
+    /* 30 << 63 */
+    { { 0xa75feacabe063f64L,0x9b392f43bce47a09L,0xd42415091ad07acaL,
+        0x4b0c591b8d26cd0fL },
+      { 0x2d42ddfd92f1169aL,0x63aeb1ac4cbf2392L,0x1de9e8770691a2afL,
+        0xebe79af7d98021daL } },
+    /* 31 << 63 */
+    { { 0xcfdf2a4e40e50acfL,0xf0a98ad7af01d665L,0xefb640bf1831be1fL,
+        0x6fe8bd2f80e9ada0L },
+      { 0x94c103a16cafbc91L,0x170f87598308e08cL,0x5de2d2ab9780ff4fL,
+        0x666466bc45b201f2L } },
+    /* 32 << 63 */
+    { { 0x58af2010f5b343bcL,0x0f2e400af2f142feL,0x3483bfdea85f4bdfL,
+        0xf0b1d09303bfeaa9L },
+      { 0x2ea01b95c7081603L,0xe943e4c93dba1097L,0x47be92adb438f3a6L,
+        0x00bb7742e5bf6636L } },
+    /* 33 << 63 */
+    { { 0x136b7083824297b4L,0x9d0e55805584455fL,0xab48cedcf1c7d69eL,
+        0x53a9e4812a256e76L },
+      { 0x0402b0e065eb2413L,0xdadbbb848fc407a7L,0xa65cd5a48d7f5492L,
+        0x21d4429374bae294L } },
+    /* 34 << 63 */
+    { { 0x66917ce63b5f1cc4L,0x37ae52eace872e62L,0xbb087b722905f244L,
+        0x120770861e6af74fL },
+      { 0x4b644e491058edeaL,0x827510e3b638ca1dL,0x8cf2b7046038591cL,
+        0xffc8b47afe635063L } },
+    /* 35 << 63 */
+    { { 0x3ae220e61b4d5e63L,0xbd8647429d961b4bL,0x610c107e9bd16bedL,
+        0x4270352a1127147bL },
+      { 0x7d17ffe664cfc50eL,0x50dee01a1e36cb42L,0x068a762235dc5f9aL,
+        0x9a08d536df53f62cL } },
+    /* 36 << 63 */
+    { { 0x4ed714576be5f7deL,0xd93006f8c2263c9eL,0xe073694ccacacb36L,
+        0x2ff7a5b43ae118abL },
+      { 0x3cce53f1cd871236L,0xf156a39dc2aa6d52L,0x9cc5f271b198d76dL,
+        0xbc615b6f81383d39L } },
+    /* 37 << 63 */
+    { { 0xa54538e8de3eee6bL,0x58c77538ab910d91L,0x31e5bdbc58d278bdL,
+        0x3cde4adfb963acaeL },
+      { 0xb1881fd25302169cL,0x8ca60fa0a989ed8bL,0xa1999458ff96a0eeL,
+        0xc1141f03ac6c283dL } },
+    /* 38 << 63 */
+    { { 0x7677408d6dfafed3L,0x33a0165339661588L,0x3c9c15ec0b726fa0L,
+        0x090cfd936c9b56daL },
+      { 0xe34f4baea3c40af5L,0x3469eadbd21129f1L,0xcc51674a1e207ce8L,
+        0x1e293b24c83b1ef9L } },
+    /* 39 << 63 */
+    { { 0x17173d131e6c0bb4L,0x1900469590776d35L,0xe7980e346de6f922L,
+        0x873554cbf4dd9a22L },
+      { 0x0316c627cbf18a51L,0x4d93651b3032c081L,0x207f27713946834dL,
+        0x2c08d7b430cdbf80L } },
+    /* 40 << 63 */
+    { { 0x137a4fb486df2a61L,0xa1ed9c07ecf7b4a2L,0xb2e460e27bd042ffL,
+        0xb7f5e2fa5f62f5ecL },
+      { 0x7aa6ec6bcc2423b7L,0x75ce0a7fba63eea7L,0x67a45fb1f250a6e1L,
+        0x93bc919ce53cdc9fL } },
+    /* 41 << 63 */
+    { { 0x9271f56f871942dfL,0x2372ff6f7859ad66L,0x5f4c2b9633cb1a78L,
+        0xe3e291015838aa83L },
+      { 0xa7ed1611e4e8110cL,0x2a2d70d5330198ceL,0xbdf132e86720efe0L,
+        0xe61a896266a471bfL } },
+    /* 42 << 63 */
+    { { 0x796d3a85825808bdL,0x51dc3cb73fd6e902L,0x643c768a916219d1L,
+        0x36cd7685a2ad7d32L },
+      { 0xe3db9d05b22922a4L,0x6494c87edba29660L,0xf0ac91dfbcd2ebc7L,
+        0x4deb57a045107f8dL } },
+    /* 43 << 63 */
+    { { 0x42271f59c3d12a73L,0x5f71687ca5c2c51dL,0xcb1f50c605797bcbL,
+        0x29ed0ed9d6d34eb0L },
+      { 0xe5fe5b474683c2ebL,0x4956eeb597447c46L,0x5b163a4371207167L,
+        0x93fa2fed0248c5efL } },
+    /* 44 << 63 */
+    { { 0x67930af231f63950L,0xa77797c114caa2c9L,0x526e80ee27ac7e62L,
+        0xe1e6e62658b28aecL },
+      { 0x636178b0b3c9fef0L,0xaf7752e06d5f90beL,0x94ecaf18eece51cfL,
+        0x2864d0edca806e1fL } },
+    /* 45 << 63 */
+    { { 0x6de2e38397c69134L,0x5a42c316eb291293L,0xc77792196a60bae0L,
+        0xa24de3466b7599d1L },
+      { 0x49d374aab75d4941L,0x989005862d501ff0L,0x9f16d40eeb7974cfL,
+        0x1033860bcdd8c115L } },
+    /* 46 << 63 */
+    { { 0xb6c69ac82094cec3L,0x9976fb88403b770cL,0x1dea026c4859590dL,
+        0xb6acbb468562d1fdL },
+      { 0x7cd6c46144569d85L,0xc3190a3697f0891dL,0xc6f5319548d5a17dL,
+        0x7d919966d749abc8L } },
+    /* 47 << 63 */
+    { { 0x65104837dd1c8a20L,0x7e5410c82f683419L,0x958c3ca8be94022eL,
+        0x605c31976145dac2L },
+      { 0x3fc0750101683d54L,0x1d7127c5595b1234L,0x10b8f87c9481277fL,
+        0x677db2a8e65a1adbL } },
+    /* 48 << 63 */
+    { { 0xec2fccaaddce3345L,0x2a6811b7012a4350L,0x96760ff1ac598bdcL,
+        0x054d652ad1bf4128L },
+      { 0x0a1151d492a21005L,0xad7f397133110fdfL,0x8c95928c1960100fL,
+        0x6c91c8257bf03362L } },
+    /* 49 << 63 */
+    { { 0xc8c8b2a2ce309f06L,0xfdb27b59ca27204bL,0xd223eaa50848e32eL,
+        0xb93e4b2ee7bfaf1eL },
+      { 0xc5308ae644aa3dedL,0x317a666ac015d573L,0xc888ce231a979707L,
+        0xf141c1e60d5c4958L } },
+    /* 50 << 63 */
+    { { 0xb53b7de561906373L,0x858dbadeeb999595L,0x8cbb47b2a59e5c36L,
+        0x660318b3dcf4e842L },
+      { 0xbd161ccd12ba4b7aL,0xf399daabf8c8282aL,0x1587633aeeb2130dL,
+        0xa465311ada38dd7dL } },
+    /* 51 << 63 */
+    { { 0x5f75eec864d3779bL,0x3c5d0476ad64c171L,0x874103712a914428L,
+        0x8096a89190e2fc29L },
+      { 0xd3d2ae9d23b3ebc2L,0x90bdd6dba580cfd6L,0x52dbb7f3c5b01f6cL,
+        0xe68eded4e102a2dcL } },
+    /* 52 << 63 */
+    { { 0x17785b7799eb6df0L,0x26c3cc517386b779L,0x345ed9886417a48eL,
+        0xe990b4e407d6ef31L },
+      { 0x0f456b7e2586abbaL,0x239ca6a559c96e9aL,0xe327459ce2eb4206L,
+        0x3a4c3313a002b90aL } },
+    /* 53 << 63 */
+    { { 0x2a114806f6a3f6fbL,0xad5cad2f85c251ddL,0x92c1f613f5a784d3L,
+        0xec7bfacf349766d5L },
+      { 0x04b3cd333e23cb3bL,0x3979fe84c5a64b2dL,0x192e27207e589106L,
+        0xa60c43d1a15b527fL } },
+    /* 54 << 63 */
+    { { 0x2dae9082be7cf3a6L,0xcc86ba92bc967274L,0xf28a2ce8aea0a8a9L,
+        0x404ca6d96ee988b3L },
+      { 0xfd7e9c5d005921b8L,0xf56297f144e79bf9L,0xa163b4600d75ddc2L,
+        0x30b23616a1f2be87L } },
+    /* 55 << 63 */
+    { { 0x4b070d21bfe50e2bL,0x7ef8cfd0e1bfede1L,0xadba00112aac4ae0L,
+        0x2a3e7d01b9ebd033L },
+      { 0x995277ece38d9d1cL,0xb500249e9c5d2de3L,0x8912b820f13ca8c9L,
+        0xc8798114877793afL } },
+    /* 56 << 63 */
+    { { 0x19e6125dec3f1decL,0x07b1f040911178daL,0xd93ededa904a6738L,
+        0x55187a5a0bebedcdL },
+      { 0xf7d04722eb329d41L,0xf449099ef170b391L,0xfd317a69ca99f828L,
+        0x50c3db2b34a4976dL } },
+    /* 57 << 63 */
+    { { 0xe9ba77843757b392L,0x326caefdaa3ca05aL,0x78e5293bf1e593d4L,
+        0x7842a9370d98fd13L },
+      { 0xe694bf965f96b10dL,0x373a9df606a8cd05L,0x997d1e51e8f0c7fcL,
+        0x1d01979063fd972eL } },
+    /* 58 << 63 */
+    { { 0x0064d8585499fb32L,0x7b67bad977a8aeb7L,0x1d3eb9772d08eec5L,
+        0x5fc047a6cbabae1dL },
+      { 0x0577d159e54a64bbL,0x8862201bc43497e4L,0xad6b4e282ce0608dL,
+        0x8b687b7d0b167aacL } },
+    /* 59 << 63 */
+    { { 0x6ed4d3678b2ecfa9L,0x24dfe62da90c3c38L,0xa1862e103fe5c42bL,
+        0x1ca73dcad5732a9fL },
+      { 0x35f038b776bb87adL,0x674976abf242b81fL,0x4f2bde7eb0fd90cdL,
+        0x6efc172ea7fdf092L } },
+    /* 60 << 63 */
+    { { 0x3806b69b92222f1fL,0x5a2459ca6cf7ae70L,0x6789f69ca85217eeL,
+        0x5f232b5ee3dc85acL },
+      { 0x660e3ec548e9e516L,0x124b4e473197eb31L,0x10a0cb13aafcca23L,
+        0x7bd63ba48213224fL } },
+    /* 61 << 63 */
+    { { 0xaffad7cc290a7f4fL,0x6b409c9e0286b461L,0x58ab809fffa407afL,
+        0xc3122eedc68ac073L },
+      { 0x17bf9e504ef24d7eL,0x5d9297943e2a5811L,0x519bc86702902e01L,
+        0x76bba5da39c8a851L } },
+    /* 62 << 63 */
+    { { 0xe9f9669cda94951eL,0x4b6af58d66b8d418L,0xfa32107417d426a4L,
+        0xc78e66a99dde6027L },
+      { 0x0516c0834a53b964L,0xfc659d38ff602330L,0x0ab55e5c58c5c897L,
+        0x985099b2838bc5dfL } },
+    /* 63 << 63 */
+    { { 0x061d9efcc52fc238L,0x712b27286ac1da3fL,0xfb6581499283fe08L,
+        0x4954ac94b8aaa2f7L },
+      { 0x85c0ada47fb2e74fL,0xee8ba98eb89926b0L,0xe4f9d37d23d1af5bL,
+        0x14ccdbf9ba9b015eL } },
+    /* 64 << 63 */
+    { { 0xb674481b7bfe7178L,0x4e1debae65405868L,0x061b2821c48c867dL,
+        0x69c15b35513b30eaL },
+      { 0x3b4a166636871088L,0xe5e29f5d1220b1ffL,0x4b82bb35233d9f4dL,
+        0x4e07633318cdc675L } },
+    /* 0 << 70 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 70 */
+    { { 0x0d53f5c7a3e6fcedL,0xe8cbbdd5f45fbdebL,0xf85c01df13339a70L,
+        0x0ff71880142ceb81L },
+      { 0x4c4e8774bd70437aL,0x5fb32891ba0bda6aL,0x1cdbebd2f18bd26eL,
+        0x2f9526f103a9d522L } },
+    /* 2 << 70 */
+    { { 0x40ce305192c4d684L,0x8b04d7257612efcdL,0xb9dcda366f9cae20L,
+        0x0edc4d24f058856cL },
+      { 0x64f2e6bf85427900L,0x3de81295dc09dfeaL,0xd41b4487379bf26cL,
+        0x50b62c6d6df135a9L } },
+    /* 3 << 70 */
+    { { 0xd4f8e3b4c72dfe67L,0xc416b0f690e19fdfL,0x18b9098d4c13bd35L,
+        0xac11118a15b8cb9eL },
+      { 0xf598a318f0062841L,0xbfe0602f89f356f4L,0x7ae3637e30177a0cL,
+        0x3409774761136537L } },
+    /* 4 << 70 */
+    { { 0x0db2fb5ed005832aL,0x5f5efd3b91042e4fL,0x8c4ffdc6ed70f8caL,
+        0xe4645d0bb52da9ccL },
+      { 0x9596f58bc9001d1fL,0x52c8f0bc4e117205L,0xfd4aa0d2e398a084L,
+        0x815bfe3a104f49deL } },
+    /* 5 << 70 */
+    { { 0x97e5443f23885e5fL,0xf72f8f99e8433aabL,0xbd00b154e4d4e604L,
+        0xd0b35e6ae5e173ffL },
+      { 0x57b2a0489164722dL,0x3e3c665b88761ec8L,0x6bdd13973da83832L,
+        0x3c8b1a1e73dafe3bL } },
+    /* 6 << 70 */
+    { { 0x4497ace654317cacL,0xbe600ab9521771b3L,0xb42e409eb0dfe8b8L,
+        0x386a67d73942310fL },
+      { 0x25548d8d4431cc28L,0xa7cff142985dc524L,0x4d60f5a193c4be32L,
+        0x83ebd5c8d071c6e1L } },
+    /* 7 << 70 */
+    { { 0xba3a80a7b1fd2b0bL,0x9b3ad3965bec33e8L,0xb3868d6179743fb3L,
+        0xcfd169fcfdb462faL },
+      { 0xd3b499d79ce0a6afL,0x55dc1cf1e42d3ff8L,0x04fb9e6cc6c3e1b2L,
+        0x47e6961d6f69a474L } },
+    /* 8 << 70 */
+    { { 0x54eb3acce548b37bL,0xb38e754284d40549L,0x8c3daa517b341b4fL,
+        0x2f6928ec690bf7faL },
+      { 0x0496b32386ce6c41L,0x01be1c5510adadcdL,0xc04e67e74bb5faf9L,
+        0x3cbaf678e15c9985L } },
+    /* 9 << 70 */
+    { { 0x8cd1214550ca4247L,0xba1aa47ae7dd30aaL,0x2f81ddf1e58fee24L,
+        0x03452936eec9b0e8L },
+      { 0x8bdc3b81243aea96L,0x9a2919af15c3d0e5L,0x9ea640ec10948361L,
+        0x5ac86d5b6e0bcccfL } },
+    /* 10 << 70 */
+    { { 0xf892d918c36cf440L,0xaed3e837c939719cL,0xb07b08d2c0218b64L,
+        0x6f1bcbbace9790ddL },
+      { 0x4a84d6ed60919b8eL,0xd89007918ac1f9ebL,0xf84941aa0dd5daefL,
+        0xb22fe40a67fd62c5L } },
+    /* 11 << 70 */
+    { { 0x97e15ba2157f2db3L,0xbda2fc8f8e28ca9cL,0x5d050da437b9f454L,
+        0x3d57eb572379d72eL },
+      { 0xe9b5eba2fb5ee997L,0x01648ca2e11538caL,0x32bb76f6f6327974L,
+        0x338f14b8ff3f4bb7L } },
+    /* 12 << 70 */
+    { { 0x524d226ad7ab9a2dL,0x9c00090d7dfae958L,0x0ba5f5398751d8c2L,
+        0x8afcbcdd3ab8262dL },
+      { 0x57392729e99d043bL,0xef51263baebc943aL,0x9feace9320862935L,
+        0x639efc03b06c817bL } },
+    /* 13 << 70 */
+    { { 0x1fe054b366b4be7aL,0x3f25a9de84a37a1eL,0xf39ef1ad78d75cd9L,
+        0xd7b58f495062c1b5L },
+      { 0x6f74f9a9ff563436L,0xf718ff29e8af51e7L,0x5234d31315e97fecL,
+        0xb6a8e2b1292f1c0aL } },
+    /* 14 << 70 */
+    { { 0xa7f53aa8327720c1L,0x956ca322ba092cc8L,0x8f03d64a28746c4dL,
+        0x51fe178266d0d392L },
+      { 0xd19b34db3c832c80L,0x60dccc5c6da2e3b4L,0x245dd62e0a104cccL,
+        0xa7ab1de1620b21fdL } },
+    /* 15 << 70 */
+    { { 0xb293ae0b3893d123L,0xf7b75783b15ee71cL,0x5aa3c61442a9468bL,
+        0xd686123cdb15d744L },
+      { 0x8c616891a7ab4116L,0x6fcd72c8a4e6a459L,0xac21911077e5fad7L,
+        0xfb6a20e7704fa46bL } },
+    /* 16 << 70 */
+    { { 0xe839be7d341d81dcL,0xcddb688932148379L,0xda6211a1f7026eadL,
+        0xf3b2575ff4d1cc5eL },
+      { 0x40cfc8f6a7a73ae6L,0x83879a5e61d5b483L,0xc5acb1ed41a50ebcL,
+        0x59a60cc83c07d8faL } },
+    /* 17 << 70 */
+    { { 0x1b73bdceb1876262L,0x2b0d79f012af4ee9L,0x8bcf3b0bd46e1d07L,
+        0x17d6af9de45d152fL },
+      { 0x735204616d736451L,0x43cbbd9756b0bf5aL,0xb0833a5bd5999b9dL,
+        0x702614f0eb72e398L } },
+    /* 18 << 70 */
+    { { 0x0aadf01a59c3e9f8L,0x40200e77ce6b3d16L,0xda22bdd3deddafadL,
+        0x76dedaf4310d72e1L },
+      { 0x49ef807c4bc2e88fL,0x6ba81291146dd5a5L,0xa1a4077a7d8d59e9L,
+        0x87b6a2e7802db349L } },
+    /* 19 << 70 */
+    { { 0xd56799971b4e598eL,0xf499ef1f06fe4b1dL,0x3978d3aefcb267c5L,
+        0xb582b557235786d0L },
+      { 0x32b3b2ca1715cb07L,0x4c3de6a28480241dL,0x63b5ffedcb571ecdL,
+        0xeaf53900ed2fe9a9L } },
+    /* 20 << 70 */
+    { { 0xdec98d4ac3b81990L,0x1cb837229e0cc8feL,0xfe0b0491d2b427b9L,
+        0x0f2386ace983a66cL },
+      { 0x930c4d1eb3291213L,0xa2f82b2e59a62ae4L,0x77233853f93e89e3L,
+        0x7f8063ac11777c7fL } },
+    /* 21 << 70 */
+    { { 0xff0eb56759ad2877L,0x6f4546429865c754L,0xe6fe701a236e9a84L,
+        0xc586ef1606e40fc3L },
+      { 0x3f62b6e024bafad9L,0xc8b42bd264da906aL,0xc98e1eb4da3276a0L,
+        0x30d0e5fc06cbf852L } },
+    /* 22 << 70 */
+    { { 0x1b6b2ae1e8b4dfd4L,0xd754d5c78301cbacL,0x66097629112a39acL,
+        0xf86b599993ba4ab9L },
+      { 0x26c9dea799f9d581L,0x0473b1a8c2fafeaaL,0x1469af553b2505a5L,
+        0x227d16d7d6a43323L } },
+    /* 23 << 70 */
+    { { 0x3316f73cad3d97f9L,0x52bf3bb51f137455L,0x953eafeb09954e7cL,
+        0xa721dfeddd732411L },
+      { 0xb4929821141d4579L,0x3411321caa3bd435L,0xafb355aa17fa6015L,
+        0xb4e7ef4a18e42f0eL } },
+    /* 24 << 70 */
+    { { 0x604ac97c59371000L,0xe1c48c707f759c18L,0x3f62ecc5a5db6b65L,
+        0x0a78b17338a21495L },
+      { 0x6be1819dbcc8ad94L,0x70dc04f6d89c3400L,0x462557b4a6b4840aL,
+        0x544c6ade60bd21c0L } },
+    /* 25 << 70 */
+    { { 0x6a00f24e907a544bL,0xa7520dcb313da210L,0xfe939b7511e4994bL,
+        0x918b6ba6bc275d70L },
+      { 0xd3e5e0fc644be892L,0x707a9816fdaf6c42L,0x60145567f15c13feL,
+        0x4818ebaae130a54aL } },
+    /* 26 << 70 */
+    { { 0x28aad3ad58d2f767L,0xdc5267fdd7e7c773L,0x4919cc88c3afcc98L,
+        0xaa2e6ab02db8cd4bL },
+      { 0xd46fec04d0c63eaaL,0xa1cb92c519ffa832L,0x678dd178e43a631fL,
+        0xfb5ae1cd3dc788b3L } },
+    /* 27 << 70 */
+    { { 0x68b4fb906e77de04L,0x7992bcf0f06dbb97L,0x896e6a13c417c01dL,
+        0x8d96332cb956be01L },
+      { 0x902fc93a413aa2b9L,0x99a4d915fc98c8a5L,0x52c29407565f1137L,
+        0x4072690f21e4f281L } },
+    /* 28 << 70 */
+    { { 0x36e607cf02ff6072L,0xa47d2ca98ad98cdcL,0xbf471d1ef5f56609L,
+        0xbcf86623f264ada0L },
+      { 0xb70c0687aa9e5cb6L,0xc98124f217401c6cL,0x8189635fd4a61435L,
+        0xd28fb8afa9d98ea6L } },
+    /* 29 << 70 */
+    { { 0xb9a67c2a40c251f8L,0x88cd5d87a2da44beL,0x437deb96e09b5423L,
+        0x150467db64287dc1L },
+      { 0xe161debbcdabb839L,0xa79e9742f1839a3eL,0xbb8dd3c2652d202bL,
+        0x7b3e67f7e9f97d96L } },
+    /* 30 << 70 */
+    { { 0x5aa5d78fb1cb6ac9L,0xffa13e8eca1d0d45L,0x369295dd2ba5bf95L,
+        0xd68bd1f839aff05eL },
+      { 0xaf0d86f926d783f2L,0x543a59b3fc3aafc1L,0x3fcf81d27b7da97cL,
+        0xc990a056d25dee46L } },
+    /* 31 << 70 */
+    { { 0x3e6775b8519cce2cL,0xfc9af71fae13d863L,0x774a4a6f47c1605cL,
+        0x46ba42452fd205e8L },
+      { 0xa06feea4d3fd524dL,0x1e7246416de1acc2L,0xf53816f1334e2b42L,
+        0x49e5918e922f0024L } },
+    /* 32 << 70 */
+    { { 0x439530b665c7322dL,0xcf12cc01b3c1b3fbL,0xc70b01860172f685L,
+        0xb915ee221b58391dL },
+      { 0x9afdf03ba317db24L,0x87dec65917b8ffc4L,0x7f46597be4d3d050L,
+        0x80a1c1ed006500e7L } },
+    /* 33 << 70 */
+    { { 0x84902a9678bf030eL,0xfb5e9c9a50560148L,0x6dae0a9263362426L,
+        0xdcaeecf4a9e30c40L },
+      { 0xc0d887bb518d0c6bL,0x99181152cb985b9dL,0xad186898ef7bc381L,
+        0x18168ffb9ee46201L } },
+    /* 34 << 70 */
+    { { 0x9a04cdaa2502753cL,0xbb279e2651407c41L,0xeacb03aaf23564e5L,
+        0x1833658271e61016L },
+      { 0x8684b8c4eb809877L,0xb336e18dea0e672eL,0xefb601f034ee5867L,
+        0x2733edbe1341cfd1L } },
+    /* 35 << 70 */
+    { { 0xb15e809a26025c3cL,0xe6e981a69350df88L,0x923762378502fd8eL,
+        0x4791f2160c12be9bL },
+      { 0xb725678925f02425L,0xec8631947a974443L,0x7c0ce882fb41cc52L,
+        0xc266ff7ef25c07f2L } },
+    /* 36 << 70 */
+    { { 0x3d4da8c3017025f3L,0xefcf628cfb9579b4L,0x5c4d00161f3716ecL,
+        0x9c27ebc46801116eL },
+      { 0x5eba0ea11da1767eL,0xfe15145247004c57L,0x3ace6df68c2373b7L,
+        0x75c3dffe5dbc37acL } },
+    /* 37 << 70 */
+    { { 0x3dc32a73ddc925fcL,0xb679c8412f65ee0bL,0x715a3295451cbfebL,
+        0xd9889768f76e9a29L },
+      { 0xec20ce7fb28ad247L,0xe99146c400894d79L,0x71457d7c9f5e3ea7L,
+        0x097b266238030031L } },
+    /* 38 << 70 */
+    { { 0xdb7f6ae6cf9f82a8L,0x319decb9438f473aL,0xa63ab386283856c3L,
+        0x13e3172fb06a361bL },
+      { 0x2959f8dc7d5a006cL,0x2dbc27c675fba752L,0xc1227ab287c22c9eL,
+        0x06f61f7571a268b2L } },
+    /* 39 << 70 */
+    { { 0x1b6bb97104779ce2L,0xaca838120aadcb1dL,0x297ae0bcaeaab2d5L,
+        0xa5c14ee75bfb9f13L },
+      { 0xaa00c583f17a62c7L,0x39eb962c173759f6L,0x1eeba1d486c9a88fL,
+        0x0ab6c37adf016c5eL } },
+    /* 40 << 70 */
+    { { 0xa2a147dba28a0749L,0x246c20d6ee519165L,0x5068d1b1d3810715L,
+        0xb1e7018c748160b9L },
+      { 0x03f5b1faf380ff62L,0xef7fb1ddf3cb2c1eL,0xeab539a8fc91a7daL,
+        0x83ddb707f3f9b561L } },
+    /* 41 << 70 */
+    { { 0xc550e211fe7df7a4L,0xa7cd07f2063f6f40L,0xb0de36352976879cL,
+        0xb5f83f85e55741daL },
+      { 0x4ea9d25ef3d8ac3dL,0x6fe2066f62819f02L,0x4ab2b9c2cef4a564L,
+        0x1e155d965ffa2de3L } },
+    /* 42 << 70 */
+    { { 0x0eb0a19bc3a72d00L,0x4037665b8513c31bL,0x2fb2b6bf04c64637L,
+        0x45c34d6e08cdc639L },
+      { 0x56f1e10ff01fd796L,0x4dfb8101fe3667b8L,0xe0eda2539021d0c0L,
+        0x7a94e9ff8a06c6abL } },
+    /* 43 << 70 */
+    { { 0x2d3bb0d9bb9aa882L,0xea20e4e5ec05fd10L,0xed7eeb5f1a1ca64eL,
+        0x2fa6b43cc6327cbdL },
+      { 0xb577e3cf3aa91121L,0x8c6bd5ea3a34079bL,0xd7e5ba3960e02fc0L,
+        0xf16dd2c390141bf8L } },
+    /* 44 << 70 */
+    { { 0xb57276d980101b98L,0x760883fdb82f0f66L,0x89d7de754bc3eff3L,
+        0x03b606435dc2ab40L },
+      { 0xcd6e53dfe05beeacL,0xf2f1e862bc3325cdL,0xdd0f7921774f03c3L,
+        0x97ca72214552cc1bL } },
+    /* 45 << 70 */
+    { { 0x5a0d6afe1cd19f72L,0xa20915dcf183fbebL,0x9fda4b40832c403cL,
+        0x32738eddbe425442L },
+      { 0x469a1df6b5eccf1aL,0x4b5aff4228bbe1f0L,0x31359d7f570dfc93L,
+        0xa18be235f0088628L } },
+    /* 46 << 70 */
+    { { 0xa5b30fbab00ed3a9L,0x34c6137473cdf8beL,0x2c5c5f46abc56797L,
+        0x5cecf93db82a8ae2L },
+      { 0x7d3dbe41a968fbf0L,0xd23d45831a5c7f3dL,0xf28f69a0c087a9c7L,
+        0xc2d75471474471caL } },
+    /* 47 << 70 */
+    { { 0x36ec9f4a4eb732ecL,0x6c943bbdb1ca6bedL,0xd64535e1f2457892L,
+        0x8b84a8eaf7e2ac06L },
+      { 0xe0936cd32499dd5fL,0x12053d7e0ed04e57L,0x4bdd0076e4305d9dL,
+        0x34a527b91f67f0a2L } },
+    /* 48 << 70 */
+    { { 0xe79a4af09cec46eaL,0xb15347a1658b9bc7L,0x6bd2796f35af2f75L,
+        0xac9579904051c435L },
+      { 0x2669dda3c33a655dL,0x5d503c2e88514aa3L,0xdfa113373753dd41L,
+        0x3f0546730b754f78L } },
+    /* 49 << 70 */
+    { { 0xbf185677496125bdL,0xfb0023c83775006cL,0xfa0f072f3a037899L,
+        0x4222b6eb0e4aea57L },
+      { 0x3dde5e767866d25aL,0xb6eb04f84837aa6fL,0x5315591a2cf1cdb8L,
+        0x6dfb4f412d4e683cL } },
+    /* 50 << 70 */
+    { { 0x7e923ea448ee1f3aL,0x9604d9f705a2afd5L,0xbe1d4a3340ea4948L,
+        0x5b45f1f4b44cbd2fL },
+      { 0x5faf83764acc757eL,0xa7cf9ab863d68ff7L,0x8ad62f69df0e404bL,
+        0xd65f33c212bdafdfL } },
+    /* 51 << 70 */
+    { { 0xc365de15a377b14eL,0x6bf5463b8e39f60cL,0x62030d2d2ce68148L,
+        0xd95867efe6f843a8L },
+      { 0xd39a0244ef5ab017L,0x0bd2d8c14ab55d12L,0xc9503db341639169L,
+        0x2d4e25b0f7660c8aL } },
+    /* 52 << 70 */
+    { { 0x760cb3b5e224c5d7L,0xfa3baf8c68616919L,0x9fbca1138d142552L,
+        0x1ab18bf17669ebf5L },
+      { 0x55e6f53e9bdf25ddL,0x04cc0bf3cb6cd154L,0x595bef4995e89080L,
+        0xfe9459a8104a9ac1L } },
+    /* 53 << 70 */
+    { { 0xad2d89cacce9bb32L,0xddea65e1f7de8285L,0x62ed8c35b351bd4bL,
+        0x4150ff360c0e19a7L },
+      { 0x86e3c801345f4e47L,0x3bf21f71203a266cL,0x7ae110d4855b1f13L,
+        0x5d6aaf6a07262517L } },
+    /* 54 << 70 */
+    { { 0x1e0f12e1813d28f1L,0x6000e11d7ad7a523L,0xc7d8deefc744a17bL,
+        0x1e990b4814c05a00L },
+      { 0x68fddaee93e976d5L,0x696241d146610d63L,0xb204e7c3893dda88L,
+        0x8bccfa656a3a6946L } },
+    /* 55 << 70 */
+    { { 0xb59425b4c5cd1411L,0x701b4042ff3658b1L,0xe3e56bca4784cf93L,
+        0x27de5f158fe68d60L },
+      { 0x4ab9cfcef8d53f19L,0xddb10311a40a730dL,0x6fa73cd14eee0a8aL,
+        0xfd5487485249719dL } },
+    /* 56 << 70 */
+    { { 0x49d66316a8123ef0L,0x73c32db4e7f95438L,0x2e2ed2090d9e7854L,
+        0xf98a93299d9f0507L },
+      { 0xc5d33cf60c6aa20aL,0x9a32ba1475279bb2L,0x7e3202cb774a7307L,
+        0x64ed4bc4e8c42dbdL } },
+    /* 57 << 70 */
+    { { 0xc20f1a06d4caed0dL,0xb8021407171d22b3L,0xd426ca04d13268d7L,
+        0x9237700725f4d126L },
+      { 0x4204cbc371f21a85L,0x18461b7af82369baL,0xc0c07d313fc858f9L,
+        0x5deb5a50e2bab569L } },
+    /* 58 << 70 */
+    { { 0xd5959d46d5eea89eL,0xfdff842408437f4bL,0xf21071e43cfe254fL,
+        0x7241769695468321L },
+      { 0x5d8288b9102cae3eL,0x2d143e3df1965dffL,0x00c9a376a078d847L,
+        0x6fc0da3126028731L } },
+    /* 59 << 70 */
+    { { 0xa2baeadfe45083a2L,0x66bc72185e5b4bcdL,0x2c826442d04b8e7fL,
+        0xc19f54516c4b586bL },
+      { 0x60182c495b7eeed5L,0xd9954ecd7aa9dfa1L,0xa403a8ecc73884adL,
+        0x7fb17de29bb39041L } },
+    /* 60 << 70 */
+    { { 0x694b64c5abb020e8L,0x3d18c18419c4eec7L,0x9c4673ef1c4793e5L,
+        0xc7b8aeb5056092e6L },
+      { 0x3aa1ca43f0f8c16bL,0x224ed5ecd679b2f6L,0x0d56eeaf55a205c9L,
+        0xbfe115ba4b8e028bL } },
+    /* 61 << 70 */
+    { { 0x97e608493927f4feL,0xf91fbf94759aa7c5L,0x985af7696be90a51L,
+        0xc1277b7878ccb823L },
+      { 0x395b656ee7a75952L,0x00df7de0928da5f5L,0x09c231754ca4454fL,
+        0x4ec971f47aa2d3c1L } },
+    /* 62 << 70 */
+    { { 0x45c3c507e75d9cccL,0x63b7be8a3dc90306L,0x37e09c665db44bdcL,
+        0x50d60da16841c6a2L },
+      { 0x6f9b65ee08df1b12L,0x387348797ff089dfL,0x9c331a663fe8013dL,
+        0x017f5de95f42fcc8L } },
+    /* 63 << 70 */
+    { { 0x43077866e8e57567L,0xc9f781cef9fcdb18L,0x38131dda9b12e174L,
+        0x25d84aa38a03752aL },
+      { 0x45e09e094d0c0ce2L,0x1564008b92bebba5L,0xf7e8ad31a87284c7L,
+        0xb7c4b46c97e7bbaaL } },
+    /* 64 << 70 */
+    { { 0x3e22a7b397acf4ecL,0x0426c4005ea8b640L,0x5e3295a64e969285L,
+        0x22aabc59a6a45670L },
+      { 0xb929714c5f5942bcL,0x9a6168bdfa3182edL,0x2216a665104152baL,
+        0x46908d03b6926368L } },
+    /* 0 << 77 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 77 */
+    { { 0xa9f5d8745a1251fbL,0x967747a8c72725c7L,0x195c33e531ffe89eL,
+        0x609d210fe964935eL },
+      { 0xcafd6ca82fe12227L,0xaf9b5b960426469dL,0x2e9ee04c5693183cL,
+        0x1084a333c8146fefL } },
+    /* 2 << 77 */
+    { { 0x96649933aed1d1f7L,0x566eaff350563090L,0x345057f0ad2e39cfL,
+        0x148ff65b1f832124L },
+      { 0x042e89d4cf94cf0dL,0x319bec84520c58b3L,0x2a2676265361aa0dL,
+        0xc86fa3028fbc87adL } },
+    /* 3 << 77 */
+    { { 0xfc83d2ab5c8b06d5L,0xb1a785a2fe4eac46L,0xb99315bc846f7779L,
+        0xcf31d816ef9ea505L },
+      { 0x2391fe6a15d7dc85L,0x2f132b04b4016b33L,0x29547fe3181cb4c7L,
+        0xdb66d8a6650155a1L } },
+    /* 4 << 77 */
+    { { 0x6b66d7e1adc1696fL,0x98ebe5930acd72d0L,0x65f24550cc1b7435L,
+        0xce231393b4b9a5ecL },
+      { 0x234a22d4db067df9L,0x98dda095caff9b00L,0x1bbc75a06100c9c1L,
+        0x1560a9c8939cf695L } },
+    /* 5 << 77 */
+    { { 0xcf006d3e99e0925fL,0x2dd74a966322375aL,0xc58b446ab56af5baL,
+        0x50292683e0b9b4f1L },
+      { 0xe2c34cb41aeaffa3L,0x8b17203f9b9587c1L,0x6d559207ead1350cL,
+        0x2b66a215fb7f9604L } },
+    /* 6 << 77 */
+    { { 0x0850325efe51bf74L,0x9c4f579e5e460094L,0x5c87b92a76da2f25L,
+        0x889de4e06febef33L },
+      { 0x6900ec06646083ceL,0xbe2a0335bfe12773L,0xadd1da35c5344110L,
+        0x757568b7b802cd20L } },
+    /* 7 << 77 */
+    { { 0x7555977900f7e6c8L,0x38e8b94f0facd2f0L,0xfea1f3af03fde375L,
+        0x5e11a1d875881dfcL },
+      { 0xb3a6b02ec1e2f2efL,0x193d2bbbc605a6c5L,0x325ffeee339a0b2dL,
+        0x27b6a7249e0c8846L } },
+    /* 8 << 77 */
+    { { 0xe4050f1cf1c367caL,0x9bc85a9bc90fbc7dL,0xa373c4a2e1a11032L,
+        0xb64232b7ad0393a9L },
+      { 0xf5577eb0167dad29L,0x1604f30194b78ab2L,0x0baa94afe829348bL,
+        0x77fbd8dd41654342L } },
+    /* 9 << 77 */
+    { { 0xdab50ea5b964e39aL,0xd4c29e3cd0d3c76eL,0x80dae67c56d11964L,
+        0x7307a8bfe5ffcc2fL },
+      { 0x65bbc1aa91708c3bL,0xa151e62c28bf0eebL,0x6cb533816fa34db7L,
+        0x5139e05ca29403a8L } },
+    /* 10 << 77 */
+    { { 0x6ff651b494a7cd2eL,0x5671ffd10699336cL,0x6f5fd2cc979a896aL,
+        0x11e893a8d8148cefL },
+      { 0x988906a165cf7b10L,0x81b67178c50d8485L,0x7c0deb358a35b3deL,
+        0x423ac855c1d29799L } },
+    /* 11 << 77 */
+    { { 0xaf580d87dac50b74L,0x28b2b89f5869734cL,0x99a3b936874e28fbL,
+        0xbb2c919025f3f73aL },
+      { 0x199f691884a9d5b7L,0x7ebe23257e770374L,0xf442e1070738efe2L,
+        0xcf9f3f56cf9082d2L } },
+    /* 12 << 77 */
+    { { 0x719f69e109618708L,0xcc9e8364c183f9b1L,0xec203a95366a21afL,
+        0x6aec5d6d068b141fL },
+      { 0xee2df78a994f04e9L,0xb39ccae8271245b0L,0xb875a4a997e43f4fL,
+        0x507dfe11db2cea98L } },
+    /* 13 << 77 */
+    { { 0x4fbf81cb489b03e9L,0xdb86ec5b6ec414faL,0xfad444f9f51b3ae5L,
+        0xca7d33d61914e3feL },
+      { 0xa9c32f5c0ae6c4d0L,0xa9ca1d1e73969568L,0x98043c311aa7467eL,
+        0xe832e75ce21b5ac6L } },
+    /* 14 << 77 */
+    { { 0x314b7aea5232123dL,0x08307c8c65ae86dbL,0x06e7165caa4668edL,
+        0xb170458bb4d3ec39L },
+      { 0x4d2e3ec6c19bb986L,0xc5f34846ae0304edL,0x917695a06c9f9722L,
+        0x6c7f73174cab1c0aL } },
+    /* 15 << 77 */
+    { { 0x6295940e9d6d2e8bL,0xd318b8c1549f7c97L,0x2245320497713885L,
+        0x468d834ba8a440feL },
+      { 0xd81fe5b2bfba796eL,0x152364db6d71f116L,0xbb8c7c59b5b66e53L,
+        0x0b12c61b2641a192L } },
+    /* 16 << 77 */
+    { { 0x31f14802fcf0a7fdL,0x42fd07895488b01eL,0x71d78d6d9952b498L,
+        0x8eb572d907ac5201L },
+      { 0xe0a2a44c4d194a88L,0xd2b63fd9ba017e66L,0x78efc6c8f888aefcL,
+        0xb76f6bda4a881a11L } },
+    /* 17 << 77 */
+    { { 0x187f314bb46c2397L,0x004cf5665ded2819L,0xa9ea570438764d34L,
+        0xbba4521778084709L },
+      { 0x064745711171121eL,0xad7b7eb1e7c9b671L,0xdacfbc40730f7507L,
+        0x178cd8c6c7ad7bd1L } },
+    /* 18 << 77 */
+    { { 0xbf0be101b2a67238L,0x3556d367af9c14f2L,0x104b7831a5662075L,
+        0x58ca59bb79d9e60aL },
+      { 0x4bc45392a569a73bL,0x517a52e85698f6c9L,0x85643da5aeadd755L,
+        0x1aed0cd52a581b84L } },
+    /* 19 << 77 */
+    { { 0xb9b4ff8480af1372L,0x244c3113f1ba5d1fL,0x2a5dacbef5f98d31L,
+        0x2c3323e84375bc2aL },
+      { 0x17a3ab4a5594b1ddL,0xa1928bfbceb4797eL,0xe83af245e4886a19L,
+        0x8979d54672b5a74aL } },
+    /* 20 << 77 */
+    { { 0xa0f726bc19f9e967L,0xd9d03152e8fbbf4eL,0xcfd6f51db7707d40L,
+        0x633084d963f6e6e0L },
+      { 0xedcd9cdc55667eafL,0x73b7f92b2e44d56fL,0xfb2e39b64e962b14L,
+        0x7d408f6ef671fcbfL } },
+    /* 21 << 77 */
+    { { 0xcc634ddc164a89bbL,0x74a42bb23ef3bd05L,0x1280dbb2428decbbL,
+        0x6103f6bb402c8596L },
+      { 0xfa2bf581355a5752L,0x562f96a800946674L,0x4e4ca16d6da0223bL,
+        0xfe47819f28d3aa25L } },
+    /* 22 << 77 */
+    { { 0x9eea3075f8dfcf8aL,0xa284f0aa95669825L,0xb3fca250867d3fd8L,
+        0x20757b5f269d691eL },
+      { 0xf2c2402093b8a5deL,0xd3f93359ebc06da6L,0x1178293eb2739c33L,
+        0xd2a3e770bcd686e5L } },
+    /* 23 << 77 */
+    { { 0xa76f49f4cd941534L,0x0d37406be3c71c0eL,0x172d93973b97f7e3L,
+        0xec17e239bd7fd0deL },
+      { 0xe32905516f496ba2L,0x6a69317236ad50e7L,0xc4e539a283e7eff5L,
+        0x752737e718e1b4cfL } },
+    /* 24 << 77 */
+    { { 0xa2f7932c68af43eeL,0x5502468e703d00bdL,0xe5dc978f2fb061f5L,
+        0xc9a1904a28c815adL },
+      { 0xd3af538d470c56a4L,0x159abc5f193d8cedL,0x2a37245f20108ef3L,
+        0xfa17081e223f7178L } },
+    /* 25 << 77 */
+    { { 0x27b0fb2b10c8c0f5L,0x2102c3ea40650547L,0x594564df8ac3bfa7L,
+        0x98102033509dad96L },
+      { 0x6989643ff1d18a13L,0x35eebd91d7fc5af0L,0x078d096afaeaafd8L,
+        0xb7a89341def3de98L } },
+    /* 26 << 77 */
+    { { 0x2a206e8decf2a73aL,0x066a63978e551994L,0x3a6a088ab98d53a2L,
+        0x0ce7c67c2d1124aaL },
+      { 0x48cec671759a113cL,0xe3b373d34f6f67faL,0x5455d479fd36727bL,
+        0xe5a428eea13c0d81L } },
+    /* 27 << 77 */
+    { { 0xb853dbc81c86682bL,0xb78d2727b8d02b2aL,0xaaf69bed8ebc329aL,
+        0xdb6b40b3293b2148L },
+      { 0xe42ea77db8c4961fL,0xb1a12f7c20e5e0abL,0xa0ec527479e8b05eL,
+        0x68027391fab60a80L } },
+    /* 28 << 77 */
+    { { 0x6bfeea5f16b1bd5eL,0xf957e4204de30ad3L,0xcbaf664e6a353b9eL,
+        0x5c87331226d14febL },
+      { 0x4e87f98cb65f57cbL,0xdb60a6215e0cdd41L,0x67c16865a6881440L,
+        0x1093ef1a46ab52aaL } },
+    /* 29 << 77 */
+    { { 0xc095afb53f4ece64L,0x6a6bb02e7604551aL,0x55d44b4e0b26b8cdL,
+        0xe5f9a999f971268aL },
+      { 0xc08ec42511a7de84L,0x83568095fda469ddL,0x737bfba16c6c90a2L,
+        0x1cb9c4a0be229831L } },
+    /* 30 << 77 */
+    { { 0x93bccbbabb2eec64L,0xa0c23b64da03adbeL,0x5f7aa00ae0e86ac4L,
+        0x470b941efc1401e6L },
+      { 0x5ad8d6799df43574L,0x4ccfb8a90f65d810L,0x1bce80e3aa7fbd81L,
+        0x273291ad9508d20aL } },
+    /* 31 << 77 */
+    { { 0xf5c4b46b42a92806L,0x810684eca86ab44aL,0x4591640bca0bc9f8L,
+        0xb5efcdfc5c4b6054L },
+      { 0x16fc89076e9edd12L,0xe29d0b50d4d792f9L,0xa45fd01c9b03116dL,
+        0x85035235c81765a4L } },
+    /* 32 << 77 */
+    { { 0x1fe2a9b2b4b4b67cL,0xc1d10df0e8020604L,0x9d64abfcbc8058d8L,
+        0x8943b9b2712a0fbbL },
+      { 0x90eed9143b3def04L,0x85ab3aa24ce775ffL,0x605fd4ca7bbc9040L,
+        0x8b34a564e2c75dfbL } },
+    /* 33 << 77 */
+    { { 0x41ffc94a10358560L,0x2d8a50729e5c28aaL,0xe915a0fc4cc7eb15L,
+        0xe9efab058f6d0f5dL },
+      { 0xdbab47a9d19e9b91L,0x8cfed7450276154cL,0x154357ae2cfede0dL,
+        0x520630df19f5a4efL } },
+    /* 34 << 77 */
+    { { 0x25759f7ce382360fL,0xb6db05c988bf5857L,0x2917d61d6c58d46cL,
+        0x14f8e491fd20cb7aL },
+      { 0xb68a727a11c20340L,0x0386f86faf7ccbb6L,0x5c8bc6ccfee09a20L,
+        0x7d76ff4abb7eea35L } },
+    /* 35 << 77 */
+    { { 0xa7bdebe7db15be7aL,0x67a08054d89f0302L,0x56bf0ea9c1193364L,
+        0xc824446762837ebeL },
+      { 0x32bd8e8b20d841b8L,0x127a0548dbb8a54fL,0x83dd4ca663b20236L,
+        0x87714718203491faL } },
+    /* 36 << 77 */
+    { { 0x4dabcaaaaa8a5288L,0x91cc0c8aaf23a1c9L,0x34c72c6a3f220e0cL,
+        0xbcc20bdf1232144aL },
+      { 0x6e2f42daa20ede1bL,0xc441f00c74a00515L,0xbf46a5b6734b8c4bL,
+        0x574095037b56c9a4L } },
+    /* 37 << 77 */
+    { { 0x9f735261e4585d45L,0x9231faed6734e642L,0x1158a176be70ee6cL,
+        0x35f1068d7c3501bfL },
+      { 0x6beef900a2d26115L,0x649406f2ef0afee3L,0x3f43a60abc2420a1L,
+        0x509002a7d5aee4acL } },
+    /* 38 << 77 */
+    { { 0xb46836a53ff3571bL,0x24f98b78837927c1L,0x6254256a4533c716L,
+        0xf27abb0bd07ee196L },
+      { 0xd7cf64fc5c6d5bfdL,0x6915c751f0cd7a77L,0xd9f590128798f534L,
+        0x772b0da8f81d8b5fL } },
+    /* 39 << 77 */
+    { { 0x1244260c2e03fa69L,0x36cf0e3a3be1a374L,0x6e7c1633ef06b960L,
+        0xa71a4c55671f90f6L },
+      { 0x7a94125133c673dbL,0xc0bea51073e8c131L,0x61a8a699d4f6c734L,
+        0x25e78c88341ed001L } },
+    /* 40 << 77 */
+    { { 0x5c18acf88e2f7d90L,0xfdbf33d777be32cdL,0x0a085cd7d2eb5ee9L,
+        0x2d702cfbb3201115L },
+      { 0xb6e0ebdb85c88ce8L,0x23a3ce3c1e01d617L,0x3041618e567333acL,
+        0x9dd0fd8f157edb6bL } },
+    /* 41 << 77 */
+    { { 0x27f74702b57872b8L,0x2ef26b4f657d5fe1L,0x95426f0a57cf3d40L,
+        0x847e2ad165a6067aL },
+      { 0xd474d9a009996a74L,0x16a56acd2a26115cL,0x02a615c3d16f4d43L,
+        0xcc3fc965aadb85b7L } },
+    /* 42 << 77 */
+    { { 0x386bda73ce07d1b0L,0xd82910c258ad4178L,0x124f82cfcd2617f4L,
+        0xcc2f5e8def691770L },
+      { 0x82702550b8c30cccL,0x7b856aea1a8e575aL,0xbb822fefb1ab9459L,
+        0x085928bcec24e38eL } },
+    /* 43 << 77 */
+    { { 0x5d0402ecba8f4b4dL,0xc07cd4ba00b4d58bL,0x5d8dffd529227e7aL,
+        0x61d44d0c31bf386fL },
+      { 0xe486dc2b135e6f4dL,0x680962ebe79410efL,0xa61bd343f10088b5L,
+        0x6aa76076e2e28686L } },
+    /* 44 << 77 */
+    { { 0x80463d118fb98871L,0xcb26f5c3bbc76affL,0xd4ab8eddfbe03614L,
+        0xc8eb579bc0cf2deeL },
+      { 0xcc004c15c93bae41L,0x46fbae5d3aeca3b2L,0x671235cf0f1e9ab1L,
+        0xadfba9349ec285c1L } },
+    /* 45 << 77 */
+    { { 0x88ded013f216c980L,0xc8ac4fb8f79e0bc1L,0xa29b89c6fb97a237L,
+        0xb697b7809922d8e7L },
+      { 0x3142c639ddb945b5L,0x447b06c7e094c3a9L,0xcdcb364272266c90L,
+        0x633aad08a9385046L } },
+    /* 46 << 77 */
+    { { 0xa36c936bb57c6477L,0x871f8b64e94dbcc6L,0x28d0fb62a591a67bL,
+        0x9d40e081c1d926f5L },
+      { 0x3111eaf6f2d84b5aL,0x228993f9a565b644L,0x0ccbf5922c83188bL,
+        0xf87b30ab3df3e197L } },
+    /* 47 << 77 */
+    { { 0xb8658b317642bca8L,0x1a032d7f52800f17L,0x051dcae579bf9445L,
+        0xeba6b8ee54a2e253L },
+      { 0x5c8b9cadd4485692L,0x84bda40e8986e9beL,0xd16d16a42f0db448L,
+        0x8ec80050a14d4188L } },
+    /* 48 << 77 */
+    { { 0xb2b2610798fa7aaaL,0x41209ee4f073aa4eL,0xf1570359f2d6b19bL,
+        0xcbe6868cfc577cafL },
+      { 0x186c4bdc32c04dd3L,0xa6c35faecfeee397L,0xb4a1b312f086c0cfL,
+        0xe0a5ccc6d9461fe2L } },
+    /* 49 << 77 */
+    { { 0xc32278aa1536189fL,0x1126c55fba6df571L,0x0f71a602b194560eL,
+        0x8b2d7405324bd6e1L },
+      { 0x8481939e3738be71L,0xb5090b1a1a4d97a9L,0x116c65a3f05ba915L,
+        0x21863ad3aae448aaL } },
+    /* 50 << 77 */
+    { { 0xd24e2679a7aae5d3L,0x7076013d0de5c1c4L,0x2d50f8babb05b629L,
+        0x73c1abe26e66efbbL },
+      { 0xefd4b422f2488af7L,0xe4105d02663ba575L,0x7eb60a8b53a69457L,
+        0x62210008c945973bL } },
+    /* 51 << 77 */
+    { { 0xfb25547877a50ec6L,0xbf0392f70a37a72cL,0xa0a7a19c4be18e7aL,
+        0x90d8ea1625b1e0afL },
+      { 0x7582a293ef953f57L,0x90a64d05bdc5465aL,0xca79c497e2510717L,
+        0x560dbb7c18cb641fL } },
+    /* 52 << 77 */
+    { { 0x1d8e32864b66abfbL,0xd26f52e559030900L,0x1ee3f6435584941aL,
+        0x6d3b3730569f5958L },
+      { 0x9ff2a62f4789dba5L,0x91fcb81572b5c9b7L,0xf446cb7d6c8f9a0eL,
+        0x48f625c139b7ecb5L } },
+    /* 53 << 77 */
+    { { 0xbabae8011c6219b8L,0xe7a562d928ac2f23L,0xe1b4873226e20588L,
+        0x06ee1cad775af051L },
+      { 0xda29ae43faff79f7L,0xc141a412652ee9e0L,0x1e127f6f195f4bd0L,
+        0x29c6ab4f072f34f8L } },
+    /* 54 << 77 */
+    { { 0x7b7c147730448112L,0x82b51af1e4a38656L,0x2bf2028a2f315010L,
+        0xc9a4a01f6ea88cd4L },
+      { 0xf63e95d8257e5818L,0xdd8efa10b4519b16L,0xed8973e00da910bfL,
+        0xed49d0775c0fe4a9L } },
+    /* 55 << 77 */
+    { { 0xac3aac5eb7caee1eL,0x1033898da7f4da57L,0x42145c0e5c6669b9L,
+        0x42daa688c1aa2aa0L },
+      { 0x629cc15c1a1d885aL,0x25572ec0f4b76817L,0x8312e4359c8f8f28L,
+        0x8107f8cd81965490L } },
+    /* 56 << 77 */
+    { { 0x516ff3a36fa6110cL,0x74fb1eb1fb93561fL,0x6c0c90478457522bL,
+        0xcfd321046bb8bdc6L },
+      { 0x2d6884a2cc80ad57L,0x7c27fc3586a9b637L,0x3461baedadf4e8cdL,
+        0x1d56251a617242f0L } },
+    /* 57 << 77 */
+    { { 0x0b80d209c955bef4L,0xdf02cad206adb047L,0xf0d7cb915ec74feeL,
+        0xd25033751111ba44L },
+      { 0x9671755edf53cb36L,0x54dcb6123368551bL,0x66d69aacc8a025a4L,
+        0x6be946c6e77ef445L } },
+    /* 58 << 77 */
+    { { 0x719946d1a995e094L,0x65e848f6e51e04d8L,0xe62f33006a1e3113L,
+        0x1541c7c1501de503L },
+      { 0x4daac9faf4acfadeL,0x0e58589744cd0b71L,0x544fd8690a51cd77L,
+        0x60fc20ed0031016dL } },
+    /* 59 << 77 */
+    { { 0x58b404eca4276867L,0x46f6c3cc34f34993L,0x477ca007c636e5bdL,
+        0x8018f5e57c458b47L },
+      { 0xa1202270e47b668fL,0xcef48ccdee14f203L,0x23f98bae62ff9b4dL,
+        0x55acc035c589edddL } },
+    /* 60 << 77 */
+    { { 0x3fe712af64db4444L,0x19e9d634becdd480L,0xe08bc047a930978aL,
+        0x2dbf24eca1280733L },
+      { 0x3c0ae38c2cd706b2L,0x5b012a5b359017b9L,0x3943c38c72e0f5aeL,
+        0x786167ea57176fa3L } },
+    /* 61 << 77 */
+    { { 0xe5f9897d594881dcL,0x6b5efad8cfb820c1L,0xb2179093d55018deL,
+        0x39ad7d320bac56ceL },
+      { 0xb55122e02cfc0e81L,0x117c4661f6d89daaL,0x362d01e1cb64fa09L,
+        0x6a309b4e3e9c4dddL } },
+    /* 62 << 77 */
+    { { 0xfa979fb7abea49b1L,0xb4b1d27d10e2c6c5L,0xbd61c2c423afde7aL,
+        0xeb6614f89786d358L },
+      { 0x4a5d816b7f6f7459L,0xe431a44f09360e7bL,0x8c27a032c309914cL,
+        0xcea5d68acaede3d8L } },
+    /* 63 << 77 */
+    { { 0x3668f6653a0a3f95L,0x893694167ceba27bL,0x89981fade4728fe9L,
+        0x7102c8a08a093562L },
+      { 0xbb80310e235d21c8L,0x505e55d1befb7f7bL,0xa0a9081112958a67L,
+        0xd67e106a4d851fefL } },
+    /* 64 << 77 */
+    { { 0xb84011a9431dd80eL,0xeb7c7cca73306cd9L,0x20fadd29d1b3b730L,
+        0x83858b5bfe37b3d3L },
+      { 0xbf4cd193b6251d5cL,0x1cca1fd31352d952L,0xc66157a490fbc051L,
+        0x7990a63889b98636L } },
+    /* 0 << 84 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 84 */
+    { { 0xe5aa692a87dec0e1L,0x010ded8df7b39d00L,0x7b1b80c854cfa0b5L,
+        0x66beb876a0f8ea28L },
+      { 0x50d7f5313476cd0eL,0xa63d0e65b08d3949L,0x1a09eea953479fc6L,
+        0x82ae9891f499e742L } },
+    /* 2 << 84 */
+    { { 0xab58b9105ca7d866L,0x582967e23adb3b34L,0x89ae4447cceac0bcL,
+        0x919c667c7bf56af5L },
+      { 0x9aec17b160f5dcd7L,0xec697b9fddcaadbcL,0x0b98f341463467f5L,
+        0xb187f1f7a967132fL } },
+    /* 3 << 84 */
+    { { 0x90fe7a1d214aeb18L,0x1506af3c741432f7L,0xbb5565f9e591a0c4L,
+        0x10d41a77b44f1bc3L },
+      { 0xa09d65e4a84bde96L,0x42f060d8f20a6a1cL,0x652a3bfdf27f9ce7L,
+        0xb6bdb65c3b3d739fL } },
+    /* 4 << 84 */
+    { { 0xeb5ddcb6ec7fae9fL,0x995f2714efb66e5aL,0xdee95d8e69445d52L,
+        0x1b6c2d4609e27620L },
+      { 0x32621c318129d716L,0xb03909f10958c1aaL,0x8c468ef91af4af63L,
+        0x162c429ffba5cdf6L } },
+    /* 5 << 84 */
+    { { 0x2f682343753b9371L,0x29cab45a5f1f9cd7L,0x571623abb245db96L,
+        0xc507db093fd79999L },
+      { 0x4e2ef652af036c32L,0x86f0cc7805018e5cL,0xc10a73d4ab8be350L,
+        0x6519b3977e826327L } },
+    /* 6 << 84 */
+    { { 0xe8cb5eef9c053df7L,0x8de25b37b300ea6fL,0xdb03fa92c849cffbL,
+        0x242e43a7e84169bbL },
+      { 0xe4fa51f4dd6f958eL,0x6925a77ff4445a8dL,0xe6e72a50e90d8949L,
+        0xc66648e32b1f6390L } },
+    /* 7 << 84 */
+    { { 0xb2ab1957173e460cL,0x1bbbce7530704590L,0xc0a90dbddb1c7162L,
+        0x505e399e15cdd65dL },
+      { 0x68434dcb57797ab7L,0x60ad35ba6a2ca8e8L,0x4bfdb1e0de3336c1L,
+        0xbbef99ebd8b39015L } },
+    /* 8 << 84 */
+    { { 0x6c3b96f31711ebecL,0x2da40f1fce98fdc4L,0xb99774d357b4411fL,
+        0x87c8bdf415b65bb6L },
+      { 0xda3a89e3c2eef12dL,0xde95bb9b3c7471f3L,0x600f225bd812c594L,
+        0x54907c5d2b75a56bL } },
+    /* 9 << 84 */
+    { { 0xa93cc5f08db60e35L,0x743e3cd6fa833319L,0x7dad5c41f81683c9L,
+        0x70c1e7d99c34107eL },
+      { 0x0edc4a39a6be0907L,0x36d4703586d0b7d3L,0x8c76da03272bfa60L,
+        0x0b4a07ea0f08a414L } },
+    /* 10 << 84 */
+    { { 0x699e4d2945c1dd53L,0xcadc5898231debb5L,0xdf49fcc7a77f00e0L,
+        0x93057bbfa73e5a0eL },
+      { 0x2f8b7ecd027a4cd1L,0x114734b3c614011aL,0xe7a01db767677c68L,
+        0x89d9be5e7e273f4fL } },
+    /* 11 << 84 */
+    { { 0xd225cb2e089808efL,0xf1f7a27dd59e4107L,0x53afc7618211b9c9L,
+        0x0361bc67e6819159L },
+      { 0x2a865d0b7f071426L,0x6a3c1810e7072567L,0x3e3bca1e0d6bcabdL,
+        0xa1b02bc1408591bcL } },
+    /* 12 << 84 */
+    { { 0xe0deee5931fba239L,0xf47424d398bd91d1L,0x0f8886f4071a3c1dL,
+        0x3f7d41e8a819233bL },
+      { 0x708623c2cf6eb998L,0x86bb49af609a287fL,0x942bb24963c90762L,
+        0x0ef6eea555a9654bL } },
+    /* 13 << 84 */
+    { { 0x5f6d2d7236f5defeL,0xfa9922dc56f99176L,0x6c8c5ecef78ce0c7L,
+        0x7b44589dbe09b55eL },
+      { 0xe11b3bca9ea83770L,0xd7fa2c7f2ab71547L,0x2a3dd6fa2a1ddcc0L,
+        0x09acb4305a7b7707L } },
+    /* 14 << 84 */
+    { { 0x4add4a2e649d4e57L,0xcd53a2b01917526eL,0xc526233020b44ac4L,
+        0x4028746abaa2c31dL },
+      { 0x5131839064291d4cL,0xbf48f151ee5ad909L,0xcce57f597b185681L,
+        0x7c3ac1b04854d442L } },
+    /* 15 << 84 */
+    { { 0x65587dc3c093c171L,0xae7acb2424f42b65L,0x5a338adb955996cbL,
+        0xc8e656756051f91bL },
+      { 0x66711fba28b8d0b1L,0x15d74137b6c10a90L,0x70cdd7eb3a232a80L,
+        0xc9e2f07f6191ed24L } },
+    /* 16 << 84 */
+    { { 0xa80d1db6f79588c0L,0xfa52fc69b55768ccL,0x0b4df1ae7f54438aL,
+        0x0cadd1a7f9b46a4fL },
+      { 0xb40ea6b31803dd6fL,0x488e4fa555eaae35L,0x9f047d55382e4e16L,
+        0xc9b5b7e02f6e0c98L } },
+    /* 17 << 84 */
+    { { 0x6b1bd2d395762649L,0xa9604ee7c7aea3f6L,0x3646ff276dc6f896L,
+        0x9bf0e7f52860bad1L },
+      { 0x2d92c8217cb44b92L,0xa2f5ce63aea9c182L,0xd0a2afb19154a5fdL,
+        0x482e474c95801da6L } },
+    /* 18 << 84 */
+    { { 0xc19972d0b611c24bL,0x1d468e6560a8f351L,0xeb7580697bcf6421L,
+        0xec9dd0ee88fbc491L },
+      { 0x5b59d2bf956c2e32L,0x73dc6864dcddf94eL,0xfd5e2321bcee7665L,
+        0xa7b4f8ef5e9a06c4L } },
+    /* 19 << 84 */
+    { { 0xfba918dd7280f855L,0xbbaac2608baec688L,0xa3b3f00f33400f42L,
+        0x3d2dba2966f2e6e4L },
+      { 0xb6f71a9498509375L,0x8f33031fcea423ccL,0x009b8dd04807e6fbL,
+        0x5163cfe55cdb954cL } },
+    /* 20 << 84 */
+    { { 0x03cc8f17cf41c6e8L,0xf1f03c2a037b925cL,0xc39c19cc66d2427cL,
+        0x823d24ba7b6c18e4L },
+      { 0x32ef9013901f0b4fL,0x684360f1f8941c2eL,0x0ebaff522c28092eL,
+        0x7891e4e3256c932fL } },
+    /* 21 << 84 */
+    { { 0x51264319ac445e3dL,0x553432e78ea74381L,0xe6eeaa6967e9c50aL,
+        0x27ced28462e628c7L },
+      { 0x3f96d3757a4afa57L,0xde0a14c3e484c150L,0x364a24eb38bd9923L,
+        0x1df18da0e5177422L } },
+    /* 22 << 84 */
+    { { 0x174e8f82d8d38a9bL,0x2e97c600e7de1391L,0xc5709850a1c175ddL,
+        0x969041a032ae5035L },
+      { 0xcbfd533b76a2086bL,0xd6bba71bd7c2e8feL,0xb2d58ee6099dfb67L,
+        0x3a8b342d064a85d9L } },
+    /* 23 << 84 */
+    { { 0x3bc07649522f9be3L,0x690c075bdf1f49a8L,0x80e1aee83854ec42L,
+        0x2a7dbf4417689dc7L },
+      { 0xc004fc0e3faf4078L,0xb2f02e9edf11862cL,0xf10a5e0fa0a1b7b3L,
+        0x30aca6238936ec80L } },
+    /* 24 << 84 */
+    { { 0xf83cbf0502f40d9aL,0x4681c4682c318a4dL,0x985756180e9c2674L,
+        0xbe79d0461847092eL },
+      { 0xaf1e480a78bd01e0L,0x6dd359e472a51db9L,0x62ce3821e3afbab6L,
+        0xc5cee5b617733199L } },
+    /* 25 << 84 */
+    { { 0xe08b30d46ffd9fbbL,0x6e5bc69936c610b7L,0xf343cff29ce262cfL,
+        0xca2e4e3568b914c1L },
+      { 0x011d64c016de36c5L,0xe0b10fdd42e2b829L,0x789429816685aaf8L,
+        0xe7511708230ede97L } },
+    /* 26 << 84 */
+    { { 0x671ed8fc3b922bf8L,0xe4d8c0a04c29b133L,0x87eb12393b6e99c4L,
+        0xaff3974c8793bebaL },
+      { 0x037494052c18df9bL,0xc5c3a29391007139L,0x6a77234fe37a0b95L,
+        0x02c29a21b661c96bL } },
+    /* 27 << 84 */
+    { { 0xc3aaf1d6141ecf61L,0x9195509e3bb22f53L,0x2959740422d51357L,
+        0x1b083822537bed60L },
+      { 0xcd7d6e35e07289f0L,0x1f94c48c6dd86effL,0xc8bb1f82eb0f9cfaL,
+        0x9ee0b7e61b2eb97dL } },
+    /* 28 << 84 */
+    { { 0x5a52fe2e34d74e31L,0xa352c3103bf79ab6L,0x97ff6c5aabfeeb8fL,
+        0xbfbe8feff5c97305L },
+      { 0xd6081ce6a7904608L,0x1f812f3ac4fca249L,0x9b24bc9ab9e5e200L,
+        0x91022c6738012ee8L } },
+    /* 29 << 84 */
+    { { 0xe83d9c5d30a713a1L,0x4876e3f084ef0f93L,0xc9777029c1fbf928L,
+        0xef7a6bb3bce7d2a4L },
+      { 0xb8067228dfa2a659L,0xd5cd3398d877a48fL,0xbea4fd8f025d0f3fL,
+        0xd67d2e352eae7c2bL } },
+    /* 30 << 84 */
+    { { 0x184de7d7cc5f4394L,0xb5551b5c4536e142L,0x2e89b212d34aa60aL,
+        0x14a96feaf50051d5L },
+      { 0x4e21ef740d12bb0bL,0xc522f02060b9677eL,0x8b12e4672df7731dL,
+        0x39f803827b326d31L } },
+    /* 31 << 84 */
+    { { 0xdfb8630c39024a94L,0xaacb96a897319452L,0xd68a3961eda3867cL,
+        0x0c58e2b077c4ffcaL },
+      { 0x3d545d634da919faL,0xef79b69af15e2289L,0x54bc3d3d808bab10L,
+        0xc8ab300745f82c37L } },
+    /* 32 << 84 */
+    { { 0xc12738b67c4a658aL,0xb3c4763940e72182L,0x3b77be468798e44fL,
+        0xdc047df217a7f85fL },
+      { 0x2439d4c55e59d92dL,0xcedca475e8e64d8dL,0xa724cd0d87ca9b16L,
+        0x35e4fd59a5540dfeL } },
+    /* 33 << 84 */
+    { { 0xf8c1ff18e4bcf6b1L,0x856d6285295018faL,0x433f665c3263c949L,
+        0xa6a76dd6a1f21409L },
+      { 0x17d32334cc7b4f79L,0xa1d0312206720e4aL,0xadb6661d81d9bed5L,
+        0xf0d6fb0211db15d1L } },
+    /* 34 << 84 */
+    { { 0x7fd11ad51fb747d2L,0xab50f9593033762bL,0x2a7e711bfbefaf5aL,
+        0xc73932783fef2bbfL },
+      { 0xe29fa2440df6f9beL,0x9092757b71efd215L,0xee60e3114f3d6fd9L,
+        0x338542d40acfb78bL } },
+    /* 35 << 84 */
+    { { 0x44a23f0838961a0fL,0x1426eade986987caL,0x36e6ee2e4a863cc6L,
+        0x48059420628b8b79L },
+      { 0x30303ad87396e1deL,0x5c8bdc4838c5aad1L,0x3e40e11f5c8f5066L,
+        0xabd6e7688d246bbdL } },
+    /* 36 << 84 */
+    { { 0x68aa40bb23330a01L,0xd23f5ee4c34eafa0L,0x3bbee3155de02c21L,
+        0x18dd4397d1d8dd06L },
+      { 0x3ba1939a122d7b44L,0xe6d3b40aa33870d6L,0x8e620f701c4fe3f8L,
+        0xf6bba1a5d3a50cbfL } },
+    /* 37 << 84 */
+    { { 0x4a78bde5cfc0aee0L,0x847edc46c08c50bdL,0xbaa2439cad63c9b2L,
+        0xceb4a72810fc2acbL },
+      { 0xa419e40e26da033dL,0x6cc3889d03e02683L,0x1cd28559fdccf725L,
+        0x0fd7e0f18d13d208L } },
+    /* 38 << 84 */
+    { { 0x01b9733b1f0df9d4L,0x8cc2c5f3a2b5e4f3L,0x43053bfa3a304fd4L,
+        0x8e87665c0a9f1aa7L },
+      { 0x087f29ecd73dc965L,0x15ace4553e9023dbL,0x2370e3092bce28b4L,
+        0xf9723442b6b1e84aL } },
+    /* 39 << 84 */
+    { { 0xbeee662eb72d9f26L,0xb19396def0e47109L,0x85b1fa73e13289d0L,
+        0x436cf77e54e58e32L },
+      { 0x0ec833b3e990ef77L,0x7373e3ed1b11fc25L,0xbe0eda870fc332ceL,
+        0xced049708d7ea856L } },
+    /* 40 << 84 */
+    { { 0xf85ff7857e977ca0L,0xb66ee8dadfdd5d2bL,0xf5e37950905af461L,
+        0x587b9090966d487cL },
+      { 0x6a198a1b32ba0127L,0xa7720e07141615acL,0xa23f3499996ef2f2L,
+        0xef5f64b4470bcb3dL } },
+    /* 41 << 84 */
+    { { 0xa526a96292b8c559L,0x0c14aac069740a0fL,0x0d41a9e3a6bdc0a5L,
+        0x97d521069c48aef4L },
+      { 0xcf16bd303e7c253bL,0xcc834b1a47fdedc1L,0x7362c6e5373aab2eL,
+        0x264ed85ec5f590ffL } },
+    /* 42 << 84 */
+    { { 0x7a46d9c066d41870L,0xa50c20b14787ba09L,0x185e7e51e3d44635L,
+        0xb3b3e08031e2d8dcL },
+      { 0xbed1e558a179e9d9L,0x2daa3f7974a76781L,0x4372baf23a40864fL,
+        0x46900c544fe75cb5L } },
+    /* 43 << 84 */
+    { { 0xb95f171ef76765d0L,0x4ad726d295c87502L,0x2ec769da4d7c99bdL,
+        0x5e2ddd19c36cdfa8L },
+      { 0xc22117fca93e6deaL,0xe8a2583b93771123L,0xbe2f6089fa08a3a2L,
+        0x4809d5ed8f0e1112L } },
+    /* 44 << 84 */
+    { { 0x3b414aa3da7a095eL,0x9049acf126f5aaddL,0x78d46a4d6be8b84aL,
+        0xd66b1963b732b9b3L },
+      { 0x5c2ac2a0de6e9555L,0xcf52d098b5bd8770L,0x15a15fa60fd28921L,
+        0x56ccb81e8b27536dL } },
+    /* 45 << 84 */
+    { { 0x0f0d8ab89f4ccbb8L,0xed5f44d2db221729L,0x4314198800bed10cL,
+        0xc94348a41d735b8bL },
+      { 0x79f3e9c429ef8479L,0x4c13a4e3614c693fL,0x32c9af568e143a14L,
+        0xbc517799e29ac5c4L } },
+    /* 46 << 84 */
+    { { 0x05e179922774856fL,0x6e52fb056c1bf55fL,0xaeda4225e4f19e16L,
+        0x70f4728aaf5ccb26L },
+      { 0x5d2118d1b2947f22L,0xc827ea16281d6fb9L,0x8412328d8cf0eabdL,
+        0x45ee9fb203ef9dcfL } },
+    /* 47 << 84 */
+    { { 0x8e700421bb937d63L,0xdf8ff2d5cc4b37a6L,0xa4c0d5b25ced7b68L,
+        0x6537c1efc7308f59L },
+      { 0x25ce6a263b37f8e8L,0x170e9a9bdeebc6ceL,0xdd0379528728d72cL,
+        0x445b0e55850154bcL } },
+    /* 48 << 84 */
+    { { 0x4b7d0e0683a7337bL,0x1e3416d4ffecf249L,0x24840eff66a2b71fL,
+        0xd0d9a50ab37cc26dL },
+      { 0xe21981506fe28ef7L,0x3cc5ef1623324c7fL,0x220f3455769b5263L,
+        0xe2ade2f1a10bf475L } },
+    /* 49 << 84 */
+    { { 0x28cd20fa458d3671L,0x1549722c2dc4847bL,0x6dd01e55591941e3L,
+        0x0e6fbcea27128ccbL },
+      { 0xae1a1e6b3bef0262L,0xfa8c472c8f54e103L,0x7539c0a872c052ecL,
+        0xd7b273695a3490e9L } },
+    /* 50 << 84 */
+    { { 0x143fe1f171684349L,0x36b4722e32e19b97L,0xdc05922790980affL,
+        0x175c9c889e13d674L },
+      { 0xa7de5b226e6bfdb1L,0x5ea5b7b2bedb4b46L,0xd5570191d34a6e44L,
+        0xfcf60d2ea24ff7e6L } },
+    /* 51 << 84 */
+    { { 0x614a392d677819e1L,0x7be74c7eaa5a29e8L,0xab50fece63c85f3fL,
+        0xaca2e2a946cab337L },
+      { 0x7f700388122a6fe3L,0xdb69f703882a04a8L,0x9a77935dcf7aed57L,
+        0xdf16207c8d91c86fL } },
+    /* 52 << 84 */
+    { { 0x2fca49ab63ed9998L,0xa3125c44a77ddf96L,0x05dd8a8624344072L,
+        0xa023dda2fec3fb56L },
+      { 0x421b41fc0c743032L,0x4f2120c15e438639L,0xfb7cae51c83c1b07L,
+        0xb2370caacac2171aL } },
+    /* 53 << 84 */
+    { { 0x2eb2d9626cc820fbL,0x59feee5cb85a44bfL,0x94620fca5b6598f0L,
+        0x6b922cae7e314051L },
+      { 0xff8745ad106bed4eL,0x546e71f5dfa1e9abL,0x935c1e481ec29487L,
+        0x9509216c4d936530L } },
+    /* 54 << 84 */
+    { { 0xc7ca306785c9a2dbL,0xd6ae51526be8606fL,0x09dbcae6e14c651dL,
+        0xc9536e239bc32f96L },
+      { 0xa90535a934521b03L,0xf39c526c878756ffL,0x383172ec8aedf03cL,
+        0x20a8075eefe0c034L } },
+    /* 55 << 84 */
+    { { 0xf22f9c6264026422L,0x8dd1078024b9d076L,0x944c742a3bef2950L,
+        0x55b9502e88a2b00bL },
+      { 0xa59e14b486a09817L,0xa39dd3ac47bb4071L,0x55137f663be0592fL,
+        0x07fcafd4c9e63f5bL } },
+    /* 56 << 84 */
+    { { 0x963652ee346eb226L,0x7dfab085ec2facb7L,0x273bf2b8691add26L,
+        0x30d74540f2b46c44L },
+      { 0x05e8e73ef2c2d065L,0xff9b8a00d42eeac9L,0x2fcbd20597209d22L,
+        0xeb740ffade14ea2cL } },
+    /* 57 << 84 */
+    { { 0xc71ff913a8aef518L,0x7bfc74bbfff4cfa2L,0x1716680cb6b36048L,
+        0x121b2cce9ef79af1L },
+      { 0xbff3c836a01eb3d3L,0x50eb1c6a5f79077bL,0xa48c32d6a004bbcfL,
+        0x47a593167d64f61dL } },
+    /* 58 << 84 */
+    { { 0x6068147f93102016L,0x12c5f65494d12576L,0xefb071a7c9bc6b91L,
+        0x7c2da0c56e23ea95L },
+      { 0xf4fd45b6d4a1dd5dL,0x3e7ad9b69122b13cL,0x342ca118e6f57a48L,
+        0x1c2e94a706f8288fL } },
+    /* 59 << 84 */
+    { { 0x99e68f075a97d231L,0x7c80de974d838758L,0xbce0f5d005872727L,
+        0xbe5d95c219c4d016L },
+      { 0x921d5cb19c2492eeL,0x42192dc1404d6fb3L,0x4c84dcd132f988d3L,
+        0xde26d61fa17b8e85L } },
+    /* 60 << 84 */
+    { { 0xc466dcb6137c7408L,0x9a38d7b636a266daL,0x7ef5cb0683bebf1bL,
+        0xe5cdcbbf0fd014e3L },
+      { 0x30aa376df65965a0L,0x60fe88c2ebb3e95eL,0x33fd0b6166ee6f20L,
+        0x8827dcdb3f41f0a0L } },
+    /* 61 << 84 */
+    { { 0xbf8a9d240c56c690L,0x40265dadddb7641dL,0x522b05bf3a6b662bL,
+        0x466d1dfeb1478c9bL },
+      { 0xaa6169621484469bL,0x0db6054902df8f9fL,0xc37bca023cb8bf51L,
+        0x5effe34621371ce8L } },
+    /* 62 << 84 */
+    { { 0xe8f65264ff112c32L,0x8a9c736d7b971fb2L,0xa4f194707b75080dL,
+        0xfc3f2c5a8839c59bL },
+      { 0x1d6c777e5aeb49c2L,0xf3db034dda1addfeL,0xd76fee5a5535affcL,
+        0x0853ac70b92251fdL } },
+    /* 63 << 84 */
+    { { 0x37e3d5948b2a29d5L,0x28f1f4574de00ddbL,0x8083c1b5f42c328bL,
+        0xd8ef1d8fe493c73bL },
+      { 0x96fb626041dc61bdL,0xf74e8a9d27ee2f8aL,0x7c605a802c946a5dL,
+        0xeed48d653839ccfdL } },
+    /* 64 << 84 */
+    { { 0x9894344f3a29467aL,0xde81e949c51eba6dL,0xdaea066ba5e5c2f2L,
+        0x3fc8a61408c8c7b3L },
+      { 0x7adff88f06d0de9fL,0xbbc11cf53b75ce0aL,0x9fbb7accfbbc87d5L,
+        0xa1458e267badfde2L } },
+    /* 0 << 91 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 91 */
+    { { 0x1cb43668e039c256L,0x5f26fb8b7c17fd5dL,0xeee426af79aa062bL,
+        0x072002d0d78fbf04L },
+      { 0x4c9ca237e84fb7e3L,0xb401d8a10c82133dL,0xaaa525926d7e4181L,
+        0xe943083373dbb152L } },
+    /* 2 << 91 */
+    { { 0xf92dda31be24319aL,0x03f7d28be095a8e7L,0xa52fe84098782185L,
+        0x276ddafe29c24dbcL },
+      { 0x80cd54961d7a64ebL,0xe43608897f1dbe42L,0x2f81a8778438d2d5L,
+        0x7e4d52a885169036L } },
+    /* 3 << 91 */
+    { { 0x19e3d5b11d59715dL,0xc7eaa762d788983eL,0xe5a730b0abf1f248L,
+        0xfbab8084fae3fd83L },
+      { 0x65e50d2153765b2fL,0xbdd4e083fa127f3dL,0x9cf3c074397b1b10L,
+        0x59f8090cb1b59fd3L } },
+    /* 4 << 91 */
+    { { 0x7b15fd9d615faa8fL,0x8fa1eb40968554edL,0x7bb4447e7aa44882L,
+        0x2bb2d0d1029fff32L },
+      { 0x075e2a646caa6d2fL,0x8eb879de22e7351bL,0xbcd5624e9a506c62L,
+        0x218eaef0a87e24dcL } },
+    /* 5 << 91 */
+    { { 0x37e5684744ddfa35L,0x9ccfc5c5dab3f747L,0x9ac1df3f1ee96cf4L,
+        0x0c0571a13b480b8fL },
+      { 0x2fbeb3d54b3a7b3cL,0x35c036695dcdbb99L,0x52a0f5dcb2415b3aL,
+        0xd57759b44413ed9aL } },
+    /* 6 << 91 */
+    { { 0x1fe647d83d30a2c5L,0x0857f77ef78a81dcL,0x11d5a334131a4a9bL,
+        0xc0a94af929d393f5L },
+      { 0xbc3a5c0bdaa6ec1aL,0xba9fe49388d2d7edL,0xbb4335b4bb614797L,
+        0x991c4d6872f83533L } },
+    /* 7 << 91 */
+    { { 0x53258c28d2f01cb3L,0x93d6eaa3d75db0b1L,0x419a2b0de87d0db4L,
+        0xa1e48f03d8fe8493L },
+      { 0xf747faf6c508b23aL,0xf137571a35d53549L,0x9f5e58e2fcf9b838L,
+        0xc7186ceea7fd3cf5L } },
+    /* 8 << 91 */
+    { { 0x77b868cee978a1d3L,0xe3a68b337ab92d04L,0x5102979487a5b862L,
+        0x5f0606c33a61d41dL },
+      { 0x2814be276f9326f1L,0x2f521c14c6fe3c2eL,0x17464d7dacdf7351L,
+        0x10f5f9d3777f7e44L } },
+    /* 9 << 91 */
+    { { 0xce8e616b269fb37dL,0xaaf738047de62de5L,0xaba111754fdd4153L,
+        0x515759ba3770b49bL },
+      { 0x8b09ebf8aa423a61L,0x592245a1cd41fb92L,0x1cba8ec19b4c8936L,
+        0xa87e91e3af36710eL } },
+    /* 10 << 91 */
+    { { 0x1fd84ce43d34a2e3L,0xee3759ceb43b5d61L,0x895bc78c619186c7L,
+        0xf19c3809cbb9725aL },
+      { 0xc0be21aade744b1fL,0xa7d222b060f8056bL,0x74be6157b23efe11L,
+        0x6fab2b4f0cd68253L } },
+    /* 11 << 91 */
+    { { 0xad33ea5f4bf1d725L,0x9c1d8ee24f6c950fL,0x544ee78aa377af06L,
+        0x54f489bb94a113e1L },
+      { 0x8f11d634992fb7e8L,0x0169a7aaa2a44347L,0x1d49d4af95020e00L,
+        0x95945722e08e120bL } },
+    /* 12 << 91 */
+    { { 0xb6e33878a4d32282L,0xe36e029d48020ae7L,0xe05847fb37a9b750L,
+        0xf876812cb29e3819L },
+      { 0x84ad138ed23a17f0L,0x6d7b4480f0b3950eL,0xdfa8aef42fd67ae0L,
+        0x8d3eea2452333af6L } },
+    /* 13 << 91 */
+    { { 0x0d052075b15d5accL,0xc6d9c79fbd815bc4L,0x8dcafd88dfa36cf2L,
+        0x908ccbe238aa9070L },
+      { 0x638722c4ba35afceL,0x5a3da8b0fd6abf0bL,0x2dce252cc9c335c1L,
+        0x84e7f0de65aa799bL } },
+    /* 14 << 91 */
+    { { 0x2101a522b99a72cbL,0x06de6e6787618016L,0x5ff8c7cde6f3653eL,
+        0x0a821ab5c7a6754aL },
+      { 0x7e3fa52b7cb0b5a2L,0xa7fb121cc9048790L,0x1a72502006ce053aL,
+        0xb490a31f04e929b0L } },
+    /* 15 << 91 */
+    { { 0xe17be47d62dd61adL,0x781a961c6be01371L,0x1063bfd3dae3cbbaL,
+        0x356474067f73c9baL },
+      { 0xf50e957b2736a129L,0xa6313702ed13f256L,0x9436ee653a19fcc5L,
+        0xcf2bdb29e7a4c8b6L } },
+    /* 16 << 91 */
+    { { 0xb06b1244c5f95cd8L,0xda8c8af0f4ab95f4L,0x1bae59c2b9e5836dL,
+        0x07d51e7e3acffffcL },
+      { 0x01e15e6ac2ccbcdaL,0x3bc1923f8528c3e0L,0x43324577a49fead4L,
+        0x61a1b8842aa7a711L } },
+    /* 17 << 91 */
+    { { 0xf9a86e08700230efL,0x0af585a1bd19adf8L,0x7645f361f55ad8f2L,
+        0x6e67622346c3614cL },
+      { 0x23cb257c4e774d3fL,0x82a38513ac102d1bL,0x9bcddd887b126aa5L,
+        0xe716998beefd3ee4L } },
+    /* 18 << 91 */
+    { { 0x4239d571fb167583L,0xdd011c78d16c8f8aL,0x271c289569a27519L,
+        0x9ce0a3b7d2d64b6aL },
+      { 0x8c977289d5ec6738L,0xa3b49f9a8840ef6bL,0x808c14c99a453419L,
+        0x5c00295b0cf0a2d5L } },
+    /* 19 << 91 */
+    { { 0x524414fb1d4bcc76L,0xb07691d2459a88f1L,0x77f43263f70d110fL,
+        0x64ada5e0b7abf9f3L },
+      { 0xafd0f94e5b544cf5L,0xb4a13a15fd2713feL,0xb99b7d6e250c74f4L,
+        0x097f2f7320324e45L } },
+    /* 20 << 91 */
+    { { 0x994b37d8affa8208L,0xc3c31b0bdc29aafcL,0x3da746517a3a607fL,
+        0xd8e1b8c1fe6955d6L },
+      { 0x716e1815c8418682L,0x541d487f7dc91d97L,0x48a04669c6996982L,
+        0xf39cab1583a6502eL } },
+    /* 21 << 91 */
+    { { 0x025801a0e68db055L,0xf3569758ba3338d5L,0xb0c8c0aaee2afa84L,
+        0x4f6985d3fb6562d1L },
+      { 0x351f1f15132ed17aL,0x510ed0b4c04365feL,0xa3f98138e5b1f066L,
+        0xbc9d95d632df03dcL } },
+    /* 22 << 91 */
+    { { 0xa83ccf6e19abd09eL,0x0b4097c14ff17edbL,0x58a5c478d64a06ceL,
+        0x2ddcc3fd544a58fdL },
+      { 0xd449503d9e8153b8L,0x3324fd027774179bL,0xaf5d47c8dbd9120cL,
+        0xeb86016234fa94dbL } },
+    /* 23 << 91 */
+    { { 0x5817bdd1972f07f4L,0xe5579e2ed27bbcebL,0x86847a1f5f11e5a6L,
+        0xb39ed2557c3cf048L },
+      { 0xe1076417a2f62e55L,0x6b9ab38f1bcf82a2L,0x4bb7c3197aeb29f9L,
+        0xf6d17da317227a46L } },
+    /* 24 << 91 */
+    { { 0xab53ddbd0f968c00L,0xa03da7ec000c880bL,0x7b2396246a9ad24dL,
+        0x612c040101ec60d0L },
+      { 0x70d10493109f5df1L,0xfbda403080af7550L,0x30b93f95c6b9a9b3L,
+        0x0c74ec71007d9418L } },
+    /* 25 << 91 */
+    { { 0x941755646edb951fL,0x5f4a9d787f22c282L,0xb7870895b38d1196L,
+        0xbc593df3a228ce7cL },
+      { 0xc78c5bd46af3641aL,0x7802200b3d9b3dccL,0x0dc73f328be33304L,
+        0x847ed87d61ffb79aL } },
+    /* 26 << 91 */
+    { { 0xf85c974e6d671192L,0x1e14100ade16f60fL,0x45cb0d5a95c38797L,
+        0x18923bba9b022da4L },
+      { 0xef2be899bbe7e86eL,0x4a1510ee216067bfL,0xd98c815484d5ce3eL,
+        0x1af777f0f92a2b90L } },
+    /* 27 << 91 */
+    { { 0x9fbcb4004ef65724L,0x3e04a4c93c0ca6feL,0xfb3e2cb555002994L,
+        0x1f3a93c55363ecabL },
+      { 0x1fe00efe3923555bL,0x744bedd91e1751eaL,0x3fb2db596ab69357L,
+        0x8dbd7365f5e6618bL } },
+    /* 28 << 91 */
+    { { 0x99d53099df1ea40eL,0xb3f24a0b57d61e64L,0xd088a198596eb812L,
+        0x22c8361b5762940bL },
+      { 0x66f01f97f9c0d95cL,0x884611728e43cdaeL,0x11599a7fb72b15c3L,
+        0x135a7536420d95ccL } },
+    /* 29 << 91 */
+    { { 0x2dcdf0f75f7ae2f6L,0x15fc6e1dd7fa6da2L,0x81ca829ad1d441b6L,
+        0x84c10cf804a106b6L },
+      { 0xa9b26c95a73fbbd0L,0x7f24e0cb4d8f6ee8L,0x48b459371e25a043L,
+        0xf8a74fca036f3dfeL } },
+    /* 30 << 91 */
+    { { 0x1ed46585c9f84296L,0x7fbaa8fb3bc278b0L,0xa8e96cd46c4fcbd0L,
+        0x940a120273b60a5fL },
+      { 0x34aae12055a4aec8L,0x550e9a74dbd742f0L,0x794456d7228c68abL,
+        0x492f8868a4e25ec6L } },
+    /* 31 << 91 */
+    { { 0x682915adb2d8f398L,0xf13b51cc5b84c953L,0xcda90ab85bb917d6L,
+        0x4b6155604ea3dee1L },
+      { 0x578b4e850a52c1c8L,0xeab1a69520b75fc4L,0x60c14f3caa0bb3c6L,
+        0x220f448ab8216094L } },
+    /* 32 << 91 */
+    { { 0x4fe7ee31b0e63d34L,0xf4600572a9e54fabL,0xc0493334d5e7b5a4L,
+        0x8589fb9206d54831L },
+      { 0xaa70f5cc6583553aL,0x0879094ae25649e5L,0xcc90450710044652L,
+        0xebb0696d02541c4fL } },
+    /* 33 << 91 */
+    { { 0x5a171fdeb9718710L,0x38f1bed8f374a9f5L,0xc8c582e1ba39bdc1L,
+        0xfc457b0a908cc0ceL },
+      { 0x9a187fd4883841e2L,0x8ec25b3938725381L,0x2553ed0596f84395L,
+        0x095c76616f6c6897L } },
+    /* 34 << 91 */
+    { { 0x917ac85c4bdc5610L,0xb2885fe4179eb301L,0x5fc655478b78bdccL,
+        0x4a9fc893e59e4699L },
+      { 0xbb7ff0cd3ce299afL,0x195be9b3adf38b20L,0x6a929c87d38ddb8fL,
+        0x55fcc99cb21a51b9L } },
+    /* 35 << 91 */
+    { { 0x2b695b4c721a4593L,0xed1e9a15768eaac2L,0xfb63d71c7489f914L,
+        0xf98ba31c78118910L },
+      { 0x802913739b128eb4L,0x7801214ed448af4aL,0xdbd2e22b55418dd3L,
+        0xeffb3c0dd3998242L } },
+    /* 36 << 91 */
+    { { 0xdfa6077cc7bf3827L,0xf2165bcb47f8238fL,0xfe37cf688564d554L,
+        0xe5f825c40a81fb98L },
+      { 0x43cc4f67ffed4d6fL,0xbc609578b50a34b0L,0x8aa8fcf95041faf1L,
+        0x5659f053651773b6L } },
+    /* 37 << 91 */
+    { { 0xe87582c36044d63bL,0xa60894090cdb0ca0L,0x8c993e0fbfb2bcf6L,
+        0xfc64a71945985cfcL },
+      { 0x15c4da8083dbedbaL,0x804ae1122be67df7L,0xda4c9658a23defdeL,
+        0x12002ddd5156e0d3L } },
+    /* 38 << 91 */
+    { { 0xe68eae895dd21b96L,0x8b99f28bcf44624dL,0x0ae008081ec8897aL,
+        0xdd0a93036712f76eL },
+      { 0x962375224e233de4L,0x192445b12b36a8a5L,0xabf9ff74023993d9L,
+        0x21f37bf42aad4a8fL } },
+    /* 39 << 91 */
+    { { 0x340a4349f8bd2bbdL,0x1d902cd94868195dL,0x3d27bbf1e5fdb6f1L,
+        0x7a5ab088124f9f1cL },
+      { 0xc466ab06f7a09e03L,0x2f8a197731f2c123L,0xda355dc7041b6657L,
+        0xcb840d128ece2a7cL } },
+    /* 40 << 91 */
+    { { 0xb600ad9f7db32675L,0x78fea13307a06f1bL,0x5d032269b31f6094L,
+        0x07753ef583ec37aaL },
+      { 0x03485aed9c0bea78L,0x41bb3989bc3f4524L,0x09403761697f726dL,
+        0x6109beb3df394820L } },
+    /* 41 << 91 */
+    { { 0x804111ea3b6d1145L,0xb6271ea9a8582654L,0x619615e624e66562L,
+        0xa2554945d7b6ad9cL },
+      { 0xd9c4985e99bfe35fL,0x9770ccc07b51cdf6L,0x7c32701392881832L,
+        0x8777d45f286b26d1L } },
+    /* 42 << 91 */
+    { { 0x9bbeda22d847999dL,0x03aa33b6c3525d32L,0x4b7b96d428a959a1L,
+        0xbb3786e531e5d234L },
+      { 0xaeb5d3ce6961f247L,0x20aa85af02f93d3fL,0x9cd1ad3dd7a7ae4fL,
+        0xbf6688f0781adaa8L } },
+    /* 43 << 91 */
+    { { 0xb1b40e867469ceadL,0x1904c524309fca48L,0x9b7312af4b54bbc7L,
+        0xbe24bf8f593affa2L },
+      { 0xbe5e0790bd98764bL,0xa0f45f17a26e299eL,0x4af0d2c26b8fe4c7L,
+        0xef170db18ae8a3e6L } },
+    /* 44 << 91 */
+    { { 0x0e8d61a029e0ccc1L,0xcd53e87e60ad36caL,0x328c6623c8173822L,
+        0x7ee1767da496be55L },
+      { 0x89f13259648945afL,0x9e45a5fd25c8009cL,0xaf2febd91f61ab8cL,
+        0x43f6bc868a275385L } },
+    /* 45 << 91 */
+    { { 0x87792348f2142e79L,0x17d89259c6e6238aL,0x7536d2f64a839d9bL,
+        0x1f428fce76a1fbdcL },
+      { 0x1c1096010db06dfeL,0xbfc16bc150a3a3ccL,0xf9cbd9ec9b30f41bL,
+        0x5b5da0d600138cceL } },
+    /* 46 << 91 */
+    { { 0xec1d0a4856ef96a7L,0xb47eb848982bf842L,0x66deae32ec3f700dL,
+        0x4e43c42caa1181e0L },
+      { 0xa1d72a31d1a4aa2aL,0x440d4668c004f3ceL,0x0d6a2d3b45fe8a7aL,
+        0x820e52e2fb128365L } },
+    /* 47 << 91 */
+    { { 0x29ac5fcf25e51b09L,0x180cd2bf2023d159L,0xa9892171a1ebf90eL,
+        0xf97c4c877c132181L },
+      { 0x9f1dc724c03dbb7eL,0xae043765018cbbe4L,0xfb0b2a360767d153L,
+        0xa8e2f4d6249cbaebL } },
+    /* 48 << 91 */
+    { { 0x172a5247d95ea168L,0x1758fada2970764aL,0xac803a511d978169L,
+        0x299cfe2ede77e01bL },
+      { 0x652a1e17b0a98927L,0x2e26e1d120014495L,0x7ae0af9f7175b56aL,
+        0xc2e22a80d64b9f95L } },
+    /* 49 << 91 */
+    { { 0x4d0ff9fbd90a060aL,0x496a27dbbaf38085L,0x32305401da776bcfL,
+        0xb8cdcef6725f209eL },
+      { 0x61ba0f37436a0bbaL,0x263fa10876860049L,0x92beb98eda3542cfL,
+        0xa2d4d14ad5849538L } },
+    /* 50 << 91 */
+    { { 0x989b9d6812e9a1bcL,0x61d9075c5f6e3268L,0x352c6aa999ace638L,
+        0xde4e4a55920f43ffL },
+      { 0xe5e4144ad673c017L,0x667417ae6f6e05eaL,0x613416aedcd1bd56L,
+        0x5eb3620186693711L } },
+    /* 51 << 91 */
+    { { 0x2d7bc5043a1aa914L,0x175a129976dc5975L,0xe900e0f23fc8125cL,
+        0x569ef68c11198875L },
+      { 0x9012db6363a113b4L,0xe3bd3f5698835766L,0xa5c94a5276412deaL,
+        0xad9e2a09aa735e5cL } },
+    /* 52 << 91 */
+    { { 0x405a984c508b65e9L,0xbde4a1d16df1a0d1L,0x1a9433a1dfba80daL,
+        0xe9192ff99440ad2eL },
+      { 0x9f6496965099fe92L,0x25ddb65c0b27a54aL,0x178279ddc590da61L,
+        0x5479a999fbde681aL } },
+    /* 53 << 91 */
+    { { 0xd0e84e05013fe162L,0xbe11dc92632d471bL,0xdf0b0c45fc0e089fL,
+        0x04fb15b04c144025L },
+      { 0xa61d5fc213c99927L,0xa033e9e03de2eb35L,0xf8185d5cb8dacbb4L,
+        0x9a88e2658644549dL } },
+    /* 54 << 91 */
+    { { 0xf717af6254671ff6L,0x4bd4241b5fa58603L,0x06fba40be67773c0L,
+        0xc1d933d26a2847e9L },
+      { 0xf4f5acf3689e2c70L,0x92aab0e746bafd31L,0x798d76aa3473f6e5L,
+        0xcc6641db93141934L } },
+    /* 55 << 91 */
+    { { 0xcae27757d31e535eL,0x04cc43b687c2ee11L,0x8d1f96752e029ffaL,
+        0xc2150672e4cc7a2cL },
+      { 0x3b03c1e08d68b013L,0xa9d6816fedf298f3L,0x1bfbb529a2804464L,
+        0x95a52fae5db22125L } },
+    /* 56 << 91 */
+    { { 0x55b321600e1cb64eL,0x004828f67e7fc9feL,0x13394b821bb0fb93L,
+        0xb6293a2d35f1a920L },
+      { 0xde35ef21d145d2d9L,0xbe6225b3bb8fa603L,0x00fc8f6b32cf252dL,
+        0xa28e52e6117cf8c2L } },
+    /* 57 << 91 */
+    { { 0x9d1dc89b4c371e6dL,0xcebe067536ef0f28L,0x5de05d09a4292f81L,
+        0xa8303593353e3083L },
+      { 0xa1715b0a7e37a9bbL,0x8c56f61e2b8faec3L,0x5250743133c9b102L,
+        0x0130cefca44431f0L } },
+    /* 58 << 91 */
+    { { 0x56039fa0bd865cfbL,0x4b03e578bc5f1dd7L,0x40edf2e4babe7224L,
+        0xc752496d3a1988f6L },
+      { 0xd1572d3b564beb6bL,0x0db1d11039a1c608L,0x568d193416f60126L,
+        0x05ae9668f354af33L } },
+    /* 59 << 91 */
+    { { 0x19de6d37c92544f2L,0xcc084353a35837d5L,0xcbb6869c1a514eceL,
+        0xb633e7282e1d1066L },
+      { 0xf15dd69f936c581cL,0x96e7b8ce7439c4f9L,0x5e676f482e448a5bL,
+        0xb2ca7d5bfd916bbbL } },
+    /* 60 << 91 */
+    { { 0xd55a2541f5024025L,0x47bc5769e4c2d937L,0x7d31b92a0362189fL,
+        0x83f3086eef7816f9L },
+      { 0xf9f46d94b587579aL,0xec2d22d830e76c5fL,0x27d57461b000ffcfL,
+        0xbb7e65f9364ffc2cL } },
+    /* 61 << 91 */
+    { { 0x7c7c94776652a220L,0x61618f89d696c981L,0x5021701d89effff3L,
+        0xf2c8ff8e7c314163L },
+      { 0x2da413ad8efb4d3eL,0x937b5adfce176d95L,0x22867d342a67d51cL,
+        0x262b9b1018eb3ac9L } },
+    /* 62 << 91 */
+    { { 0x4e314fe4c43ff28bL,0x764766276a664e7aL,0x3e90e40bb7a565c2L,
+        0x8588993ac1acf831L },
+      { 0xd7b501d68f938829L,0x996627ee3edd7d4cL,0x37d44a6290cd34c7L,
+        0xa8327499f3833e8dL } },
+    /* 63 << 91 */
+    { { 0x2e18917d4bf50353L,0x85dd726b556765fbL,0x54fe65d693d5ab66L,
+        0x3ddbaced915c25feL },
+      { 0xa799d9a412f22e85L,0xe2a248676d06f6bcL,0xf4f1ee5643ca1637L,
+        0xfda2828b61ece30aL } },
+    /* 64 << 91 */
+    { { 0x758c1a3ea2dee7a6L,0xdcde2f3c734b2284L,0xaba445d24eaba6adL,
+        0x35aaf66876cee0a7L },
+      { 0x7e0b04a9e5aa049aL,0xe74083ad91103e84L,0xbeb183ce40afecc3L,
+        0x6b89de9fea043f7aL } },
+    /* 0 << 98 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 98 */
+    { { 0x0e299d23fe67ba66L,0x9145076093cf2f34L,0xf45b5ea997fcf913L,
+        0x5be008438bd7dddaL },
+      { 0x358c3e05d53ff04dL,0xbf7ccdc35de91ef7L,0xad684dbfb69ec1a0L,
+        0x367e7cf2801fd997L } },
+    /* 2 << 98 */
+    { { 0x0ca1f3b7b0dc8595L,0x27de46089f1d9f2eL,0x1af3bf39badd82a7L,
+        0x79356a7965862448L },
+      { 0xc0602345f5f9a052L,0x1a8b0f89139a42f9L,0xb53eee42844d40fcL,
+        0x93b0bfe54e5b6368L } },
+    /* 3 << 98 */
+    { { 0x5434dd02c024789cL,0x90dca9ea41b57bfcL,0x8aa898e2243398dfL,
+        0xf607c834894a94bbL },
+      { 0xbb07be97c2c99b76L,0x6576ba6718c29302L,0x3d79efcce703a88cL,
+        0xf259ced7b6a0d106L } },
+    /* 4 << 98 */
+    { { 0x0f893a5dc8de610bL,0xe8c515fb67e223ceL,0x7774bfa64ead6dc5L,
+        0x89d20f95925c728fL },
+      { 0x7a1e0966098583ceL,0xa2eedb9493f2a7d7L,0x1b2820974c304d4aL,
+        0x0842e3dac077282dL } },
+    /* 5 << 98 */
+    { { 0xe4d972a33b9e2d7bL,0x7cc60b27c48218ffL,0x8fc7083884149d91L,
+        0x5c04346f2f461eccL },
+      { 0xebe9fdf2614650a9L,0x5e35b537c1f666acL,0x645613d188babc83L,
+        0x88cace3ac5e1c93eL } },
+    /* 6 << 98 */
+    { { 0x209ca3753de92e23L,0xccb03cc85fbbb6e3L,0xccb90f03d7b1487eL,
+        0xfa9c2a38c710941fL },
+      { 0x756c38236724ceedL,0x3a902258192d0323L,0xb150e519ea5e038eL,
+        0xdcba2865c7427591L } },
+    /* 7 << 98 */
+    { { 0xe549237f78890732L,0xc443bef953fcb4d9L,0x9884d8a6eb3480d6L,
+        0x8a35b6a13048b186L },
+      { 0xb4e4471665e9a90aL,0x45bf380d653006c0L,0x8f3f820d4fe9ae3bL,
+        0x244a35a0979a3b71L } },
+    /* 8 << 98 */
+    { { 0xa1010e9d74cd06ffL,0x9c17c7dfaca3eeacL,0x74c86cd38063aa2bL,
+        0x8595c4b3734614ffL },
+      { 0xa3de00ca990f62ccL,0xd9bed213ca0c3be5L,0x7886078adf8ce9f5L,
+        0xddb27ce35cd44444L } },
+    /* 9 << 98 */
+    { { 0xed374a6658926dddL,0x138b2d49908015b8L,0x886c6579de1f7ab8L,
+        0x888b9aa0c3020b7aL },
+      { 0xd3ec034e3a96e355L,0xba65b0b8f30fbe9aL,0x064c8e50ff21367aL,
+        0x1f508ea40b04b46eL } },
+    /* 10 << 98 */
+    { { 0x98561a49747c866cL,0xbbb1e5fe0518a062L,0x20ff4e8becdc3608L,
+        0x7f55cded20184027L },
+      { 0x8d73ec95f38c85f0L,0x5b589fdf8bc3b8c3L,0xbe95dd980f12b66fL,
+        0xf5bd1a090e338e01L } },
+    /* 11 << 98 */
+    { { 0x65163ae55e915918L,0x6158d6d986f8a46bL,0x8466b538eeebf99cL,
+        0xca8761f6bca477efL },
+      { 0xaf3449c29ebbc601L,0xef3b0f41e0c3ae2fL,0xaa6c577d5de63752L,
+        0xe916660164682a51L } },
+    /* 12 << 98 */
+    { { 0x5a3097befc15aa1eL,0x40d12548b54b0745L,0x5bad4706519a5f12L,
+        0xed03f717a439dee6L },
+      { 0x0794bb6c4a02c499L,0xf725083dcffe71d2L,0x2cad75190f3adcafL,
+        0x7f68ea1c43729310L } },
+    /* 13 << 98 */
+    { { 0xe747c8c7b7ffd977L,0xec104c3580761a22L,0x8395ebaf5a3ffb83L,
+        0xfb3261f4e4b63db7L },
+      { 0x53544960d883e544L,0x13520d708cc2eeb8L,0x08f6337bd3d65f99L,
+        0x83997db2781cf95bL } },
+    /* 14 << 98 */
+    { { 0xce6ff1060dbd2c01L,0x4f8eea6b1f9ce934L,0x546f7c4b0e993921L,
+        0x6236a3245e753fc7L },
+      { 0x65a41f84a16022e9L,0x0c18d87843d1dbb2L,0x73c556402d4cef9cL,
+        0xa042810870444c74L } },
+    /* 15 << 98 */
+    { { 0x68e4f15e9afdfb3cL,0x49a561435bdfb6dfL,0xa9bc1bd45f823d97L,
+        0xbceb5970ea111c2aL },
+      { 0x366b455fb269bbc4L,0x7cd85e1ee9bc5d62L,0xc743c41c4f18b086L,
+        0xa4b4099095294fb9L } },
+    /* 16 << 98 */
+    { { 0x9c7c581d26ee8382L,0xcf17dcc5359d638eL,0xee8273abb728ae3dL,
+        0x1d112926f821f047L },
+      { 0x1149847750491a74L,0x687fa761fde0dfb9L,0x2c2580227ea435abL,
+        0x6b8bdb9491ce7e3fL } },
+    /* 17 << 98 */
+    { { 0x4c5b5dc93bf834aaL,0x043718194f6c7e4bL,0xc284e00a3736bcadL,
+        0x0d88111821ae8f8dL },
+      { 0xf9cf0f82f48c8e33L,0xa11fd075a1bf40dbL,0xdceab0dedc2733e5L,
+        0xc560a8b58e986bd7L } },
+    /* 18 << 98 */
+    { { 0x48dd1fe23929d097L,0x3885b29092f188f1L,0x0f2ae613da6fcdacL,
+        0x9054303eb662a46cL },
+      { 0xb6871e440738042aL,0x98e6a977bdaf6449L,0xd8bc0650d1c9df1bL,
+        0xef3d645136e098f9L } },
+    /* 19 << 98 */
+    { { 0x03fbae82b6d72d28L,0x77ca9db1f5d84080L,0x8a112cffa58efc1cL,
+        0x518d761cc564cb4aL },
+      { 0x69b5740ef0d1b5ceL,0x717039cce9eb1785L,0x3fe29f9022f53382L,
+        0x8e54ba566bc7c95cL } },
+    /* 20 << 98 */
+    { { 0x9c806d8af7f91d0fL,0x3b61b0f1a82a5728L,0x4640032d94d76754L,
+        0x273eb5de47d834c6L },
+      { 0x2988abf77b4e4d53L,0xb7ce66bfde401777L,0x9fba6b32715071b3L,
+        0x82413c24ad3a1a98L } },
+    /* 21 << 98 */
+    { { 0x5b7fc8c4e0e8ad93L,0xb5679aee5fab868dL,0xb1f9d2fa2b3946f3L,
+        0x458897dc5685b50aL },
+      { 0x1e98c93089d0caf3L,0x39564c5f78642e92L,0x1b77729a0dbdaf18L,
+        0xf9170722579e82e6L } },
+    /* 22 << 98 */
+    { { 0x680c0317e4515fa5L,0xf85cff84fb0c790fL,0xc7a82aab6d2e0765L,
+        0x7446bca935c82b32L },
+      { 0x5de607aa6d63184fL,0x7c1a46a8262803a6L,0xd218313daebe8035L,
+        0x92113ffdc73c51f8L } },
+    /* 23 << 98 */
+    { { 0x4b38e08312e7e46cL,0x69d0a37a56126bd5L,0xfb3f324b73c07e04L,
+        0xa0c22f678fda7267L },
+      { 0x8f2c00514d2c7d8fL,0xbc45ced3cbe2cae5L,0xe1c6cf07a8f0f277L,
+        0xbc3923121eb99a98L } },
+    /* 24 << 98 */
+    { { 0x75537b7e3cc8ac85L,0x8d725f57dd02753bL,0xfd05ff64b737df2fL,
+        0x55fe8712f6d2531dL },
+      { 0x57ce04a96ab6b01cL,0x69a02a897cd93724L,0x4f82ac35cf86699bL,
+        0x8242d3ad9cb4b232L } },
+    /* 25 << 98 */
+    { { 0x713d0f65d62105e5L,0xbb222bfa2d29be61L,0xf2f9a79e6cfbef09L,
+        0xfc24d8d3d5d6782fL },
+      { 0x5db77085d4129967L,0xdb81c3ccdc3c2a43L,0x9d655fc005d8d9a3L,
+        0x3f5d057a54298026L } },
+    /* 26 << 98 */
+    { { 0x1157f56d88c54694L,0xb26baba59b09573eL,0x2cab03b022adffd1L,
+        0x60a412c8dd69f383L },
+      { 0xed76e98b54b25039L,0xd4ee67d3687e714dL,0x877396487b00b594L,
+        0xce419775c9ef709bL } },
+    /* 27 << 98 */
+    { { 0x40f76f851c203a40L,0x30d352d6eafd8f91L,0xaf196d3d95578dd2L,
+        0xea4bb3d777cc3f3dL },
+      { 0x42a5bd03b98e782bL,0xac958c400624920dL,0xb838134cfc56fcc8L,
+        0x86ec4ccf89572e5eL } },
+    /* 28 << 98 */
+    { { 0x69c435269be47be0L,0x323b7dd8cb28fea1L,0xfa5538ba3a6c67e5L,
+        0xef921d701d378e46L },
+      { 0xf92961fc3c4b880eL,0x3f6f914e98940a67L,0xa990eb0afef0ff39L,
+        0xa6c2920ff0eeff9cL } },
+    /* 29 << 98 */
+    { { 0xca80416651b8d9a3L,0x42531bc90ffb0db1L,0x72ce4718aa82e7ceL,
+        0x6e199913df574741L },
+      { 0xd5f1b13dd5d36946L,0x8255dc65f68f0194L,0xdc9df4cd8710d230L,
+        0x3453c20f138c1988L } },
+    /* 30 << 98 */
+    { { 0x9af98dc089a6ef01L,0x4dbcc3f09857df85L,0x348056015c1ad924L,
+        0x40448da5d0493046L },
+      { 0xf629926d4ee343e2L,0x6343f1bd90e8a301L,0xefc9349140815b3fL,
+        0xf882a423de8f66fbL } },
+    /* 31 << 98 */
+    { { 0x3a12d5f4e7db9f57L,0x7dfba38a3c384c27L,0x7a904bfd6fc660b1L,
+        0xeb6c5db32773b21cL },
+      { 0xc350ee661cdfe049L,0x9baac0ce44540f29L,0xbc57b6aba5ec6aadL,
+        0x167ce8c30a7c1baaL } },
+    /* 32 << 98 */
+    { { 0xb23a03a553fb2b56L,0x6ce141e74e057f78L,0x796525c389e490d9L,
+        0x0bc95725a31a7e75L },
+      { 0x1ec567911220fd06L,0x716e3a3c408b0bd6L,0x31cd6bf7e8ebeba9L,
+        0xa7326ca6bee6b670L } },
+    /* 33 << 98 */
+    { { 0x3d9f851ccd090c43L,0x561e8f13f12c3988L,0x50490b6a904b7be4L,
+        0x61690ce10410737bL },
+      { 0x299e9a370f009052L,0x258758f0f026092eL,0x9fa255f3fdfcdc0fL,
+        0xdbc9fb1fc0e1bcd2L } },
+    /* 34 << 98 */
+    { { 0x35f9dd6e24651840L,0xdca45a84a5c59abcL,0x103d396fecca4938L,
+        0x4532da0ab97b3f29L },
+      { 0xc4135ea51999a6bfL,0x3aa9505a5e6bf2eeL,0xf77cef063f5be093L,
+        0x97d1a0f8a943152eL } },
+    /* 35 << 98 */
+    { { 0x2cb0ebba2e1c21ddL,0xf41b29fc2c6797c4L,0xc6e17321b300101fL,
+        0x4422b0e9d0d79a89L },
+      { 0x49e4901c92f1bfc4L,0x06ab1f8fe1e10ed9L,0x84d35577db2926b8L,
+        0xca349d39356e8ec2L } },
+    /* 36 << 98 */
+    { { 0x70b63d32343bf1a9L,0x8fd3bd2837d1a6b1L,0x0454879c316865b4L,
+        0xee959ff6c458efa2L },
+      { 0x0461dcf89706dc3fL,0x737db0e2164e4b2eL,0x092626802f8843c8L,
+        0x54498bbc7745e6f6L } },
+    /* 37 << 98 */
+    { { 0x359473faa29e24afL,0xfcc3c45470aa87a1L,0xfd2c4bf500573aceL,
+        0xb65b514e28dd1965L },
+      { 0xe46ae7cf2193e393L,0x60e9a4e1f5444d97L,0xe7594e9600ff38edL,
+        0x43d84d2f0a0e0f02L } },
+    /* 38 << 98 */
+    { { 0x8b6db141ee398a21L,0xb88a56aee3bcc5beL,0x0a1aa52f373460eaL,
+        0x20da1a56160bb19bL },
+      { 0xfb54999d65bf0384L,0x71a14d245d5a180eL,0xbc44db7b21737b04L,
+        0xd84fcb1801dd8e92L } },
+    /* 39 << 98 */
+    { { 0x80de937bfa44b479L,0x535054995c98fd4fL,0x1edb12ab28f08727L,
+        0x4c58b582a5f3ef53L },
+      { 0xbfb236d88327f246L,0xc3a3bfaa4d7df320L,0xecd96c59b96024f2L,
+        0xfc293a537f4e0433L } },
+    /* 40 << 98 */
+    { { 0x5341352b5acf6e10L,0xc50343fdafe652c3L,0x4af3792d18577a7fL,
+        0xe1a4c617af16823dL },
+      { 0x9b26d0cd33425d0aL,0x306399ed9b7bc47fL,0x2a792f33706bb20bL,
+        0x3121961498111055L } },
+    /* 41 << 98 */
+    { { 0x864ec06487f5d28bL,0x11392d91962277fdL,0xb5aa7942bb6aed5fL,
+        0x080094dc47e799d9L },
+      { 0x4afa588c208ba19bL,0xd3e7570f8512f284L,0xcbae64e602f5799aL,
+        0xdeebe7ef514b9492L } },
+    /* 42 << 98 */
+    { { 0x30300f98e5c298ffL,0x17f561be3678361fL,0xf52ff31298cb9a16L,
+        0x6233c3bc5562d490L },
+      { 0x7bfa15a192e3a2cbL,0x961bcfd1e6365119L,0x3bdd29bf2c8c53b1L,
+        0x739704df822844baL } },
+    /* 43 << 98 */
+    { { 0x7dacfb587e7b754bL,0x23360791a806c9b9L,0xe7eb88c923504452L,
+        0x2983e996852c1783L },
+      { 0xdd4ae529958d881dL,0x026bae03262c7b3cL,0x3a6f9193960b52d1L,
+        0xd0980f9092696cfbL } },
+    /* 44 << 98 */
+    { { 0x4c1f428cd5f30851L,0x94dfed272a4f6630L,0x4df53772fc5d48a4L,
+        0xdd2d5a2f933260ceL },
+      { 0x574115bdd44cc7a5L,0x4ba6b20dbd12533aL,0x30e93cb8243057c9L,
+        0x794c486a14de320eL } },
+    /* 45 << 98 */
+    { { 0xe925d4cef21496e4L,0xf951d198ec696331L,0x9810e2de3e8d812fL,
+        0xd0a47259389294abL },
+      { 0x513ba2b50e3bab66L,0x462caff5abad306fL,0xe2dc6d59af04c49eL,
+        0x1aeb8750e0b84b0bL } },
+    /* 46 << 98 */
+    { { 0xc034f12f2f7d0ca2L,0x6d2e8128e06acf2fL,0x801f4f8321facc2fL,
+        0xa1170c03f40ef607L },
+      { 0xfe0a1d4f7805a99cL,0xbde56a36cc26aba5L,0x5b1629d035531f40L,
+        0xac212c2b9afa6108L } },
+    /* 47 << 98 */
+    { { 0x30a06bf315697be5L,0x6f0545dc2c63c7c1L,0x5d8cb8427ccdadafL,
+        0xd52e379bac7015bbL },
+      { 0xc4f56147f462c23eL,0xd44a429846bc24b0L,0xbc73d23ae2856d4fL,
+        0x61cedd8c0832bcdfL } },
+    /* 48 << 98 */
+    { { 0x6095355699f241d7L,0xee4adbd7001a349dL,0x0b35bf6aaa89e491L,
+        0x7f0076f4136f7546L },
+      { 0xd19a18ba9264da3dL,0x6eb2d2cd62a7a28bL,0xcdba941f8761c971L,
+        0x1550518ba3be4a5dL } },
+    /* 49 << 98 */
+    { { 0xd0e8e2f057d0b70cL,0xeea8612ecd133ba3L,0x814670f044416aecL,
+        0x424db6c330775061L },
+      { 0xd96039d116213fd1L,0xc61e7fa518a3478fL,0xa805bdcccb0c5021L,
+        0xbdd6f3a80cc616ddL } },
+    /* 50 << 98 */
+    { { 0x060096675d97f7e2L,0x31db0fc1af0bf4b6L,0x23680ed45491627aL,
+        0xb99a3c667d741fb1L },
+      { 0xe9bb5f5536b1ff92L,0x29738577512b388dL,0xdb8a2ce750fcf263L,
+        0x385346d46c4f7b47L } },
+    /* 51 << 98 */
+    { { 0xbe86c5ef31631f9eL,0xbf91da2103a57a29L,0xc3b1f7967b23f821L,
+        0x0f7d00d2770db354L },
+      { 0x8ffc6c3bd8fe79daL,0xcc5e8c40d525c996L,0x4640991dcfff632aL,
+        0x64d97e8c67112528L } },
+    /* 52 << 98 */
+    { { 0xc232d97302f1cd1eL,0xce87eacb1dd212a4L,0x6e4c8c73e69802f7L,
+        0x12ef02901fffddbdL },
+      { 0x941ec74e1bcea6e2L,0xd0b540243cb92cbbL,0x809fb9d47e8f9d05L,
+        0x3bf16159f2992aaeL } },
+    /* 53 << 98 */
+    { { 0xad40f279f8a7a838L,0x11aea63105615660L,0xbf52e6f1a01f6fa1L,
+        0xef0469953dc2aec9L },
+      { 0x785dbec9d8080711L,0xe1aec60a9fdedf76L,0xece797b5fa21c126L,
+        0xc66e898f05e52732L } },
+    /* 54 << 98 */
+    { { 0x39bb69c408811fdbL,0x8bfe1ef82fc7f082L,0xc8e7a393174f4138L,
+        0xfba8ad1dd58d1f98L },
+      { 0xbc21d0cebfd2fd5bL,0x0b839a826ee60d61L,0xaacf7658afd22253L,
+        0xb526bed8aae396b3L } },
+    /* 55 << 98 */
+    { { 0xccc1bbc238564464L,0x9e3ff9478c45bc73L,0xcde9bca358188a78L,
+        0x138b8ee0d73bf8f7L },
+      { 0x5c7e234c4123c489L,0x66e69368fa643297L,0x0629eeee39a15fa3L,
+        0x95fab881a9e2a927L } },
+    /* 56 << 98 */
+    { { 0xb2497007eafbb1e1L,0xd75c9ce6e75b7a93L,0x3558352defb68d78L,
+        0xa2f26699223f6396L },
+      { 0xeb911ecfe469b17aL,0x62545779e72d3ec2L,0x8ea47de782cb113fL,
+        0xebe4b0864e1fa98dL } },
+    /* 57 << 98 */
+    { { 0xec2d5ed78cdfedb1L,0xa535c077fe211a74L,0x9678109b11d244c5L,
+        0xf17c8bfbbe299a76L },
+      { 0xb651412efb11fbc4L,0xea0b548294ab3f65L,0xd8dffd950cf78243L,
+        0x2e719e57ce0361d4L } },
+    /* 58 << 98 */
+    { { 0x9007f085304ddc5bL,0x095e8c6d4daba2eaL,0x5a33cdb43f9d28a9L,
+        0x85b95cd8e2283003L },
+      { 0xbcd6c819b9744733L,0x29c5f538fc7f5783L,0x6c49b2fad59038e4L,
+        0x68349cc13bbe1018L } },
+    /* 59 << 98 */
+    { { 0xcc490c1d21830ee5L,0x36f9c4eee9bfa297L,0x58fd729448de1a94L,
+        0xaadb13a84e8f2cdcL },
+      { 0x515eaaa081313dbaL,0xc76bb468c2152dd8L,0x357f8d75a653dbf8L,
+        0xe4d8c4d1b14ac143L } },
+    /* 60 << 98 */
+    { { 0xbdb8e675b055cb40L,0x898f8e7b977b5167L,0xecc65651b82fb863L,
+        0x565448146d88f01fL },
+      { 0xb0928e95263a75a9L,0xcfb6836f1a22fcdaL,0x651d14db3f3bd37cL,
+        0x1d3837fbb6ad4664L } },
+    /* 61 << 98 */
+    { { 0x7c5fb538ff4f94abL,0x7243c7126d7fb8f2L,0xef13d60ca85c5287L,
+        0x18cfb7c74bb8dd1bL },
+      { 0x82f9bfe672908219L,0x35c4592b9d5144abL,0x52734f379cf4b42fL,
+        0x6bac55e78c60ddc4L } },
+    /* 62 << 98 */
+    { { 0xb5cd811e94dea0f6L,0x259ecae4e18cc1a3L,0x6a0e836e15e660f8L,
+        0x6c639ea60e02bff2L },
+      { 0x8721b8cb7e1026fdL,0x9e73b50b63261942L,0xb8c7097477f01da3L,
+        0x1839e6a68268f57fL } },
+    /* 63 << 98 */
+    { { 0x571b94155150b805L,0x1892389ef92c7097L,0x8d69c18e4a084b95L,
+        0x7014c512be5b495cL },
+      { 0x4780db361b07523cL,0x2f6219ce2c1c64faL,0xc38b81b0602c105aL,
+        0xab4f4f205dc8e360L } },
+    /* 64 << 98 */
+    { { 0x20d3c982cf7d62d2L,0x1f36e29d23ba8150L,0x48ae0bf092763f9eL,
+        0x7a527e6b1d3a7007L },
+      { 0xb4a89097581a85e3L,0x1f1a520fdc158be5L,0xf98db37d167d726eL,
+        0x8802786e1113e862L } },
+    /* 0 << 105 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 105 */
+    { { 0xefb2149e36f09ab0L,0x03f163ca4a10bb5bL,0xd029704506e20998L,
+        0x56f0af001b5a3babL },
+      { 0x7af4cfec70880e0dL,0x7332a66fbe3d913fL,0x32e6c84a7eceb4bdL,
+        0xedc4a79a9c228f55L } },
+    /* 2 << 105 */
+    { { 0xc37c7dd0c55c4496L,0xa6a9635725bbabd2L,0x5b7e63f2add7f363L,
+        0x9dce37822e73f1dfL },
+      { 0xe1e5a16ab2b91f71L,0xe44898235ba0163cL,0xf2759c32f6e515adL,
+        0xa5e2f1f88615eecfL } },
+    /* 3 << 105 */
+    { { 0x74519be7abded551L,0x03d358b8c8b74410L,0x4d00b10b0e10d9a9L,
+        0x6392b0b128da52b7L },
+      { 0x6744a2980b75c904L,0xc305b0aea8f7f96cL,0x042e421d182cf932L,
+        0xf6fc5d509e4636caL } },
+    /* 4 << 105 */
+    { { 0x795847c9d64cc78cL,0x6c50621b9b6cb27bL,0x07099bf8df8022abL,
+        0x48f862ebc04eda1dL },
+      { 0xd12732ede1603c16L,0x19a80e0f5c9a9450L,0xe2257f54b429b4fcL,
+        0x66d3b2c645460515L } },
+    /* 5 << 105 */
+    { { 0x6ca4f87e822e37beL,0x73f237b4253bda4eL,0xf747f3a241190aebL,
+        0xf06fa36f804cf284L },
+      { 0x0a6bbb6efc621c12L,0x5d624b6440b80ec6L,0x4b0724257ba556f3L,
+        0x7fa0c3543e2d20a8L } },
+    /* 6 << 105 */
+    { { 0xe921fa31e3229d41L,0xa929c65294531bd4L,0x84156027a6d38209L,
+        0xf3d69f736bdb97bdL },
+      { 0x8906d19a16833631L,0x68a34c2e03d51be3L,0xcb59583b0e511cd8L,
+        0x99ce6bfdfdc132a8L } },
+    /* 7 << 105 */
+    { { 0x3facdaaaffcdb463L,0x658bbc1a34a38b08L,0x12a801f8f1a9078dL,
+        0x1567bcf96ab855deL },
+      { 0xe08498e03572359bL,0xcf0353e58659e68bL,0xbb86e9c87d23807cL,
+        0xbc08728d2198e8a2L } },
+    /* 8 << 105 */
+    { { 0x8de2b7bc453cadd6L,0x203900a7bc0bc1f8L,0xbcd86e47a6abd3afL,
+        0x911cac128502effbL },
+      { 0x2d550242ec965469L,0x0e9f769229e0017eL,0x633f078f65979885L,
+        0xfb87d4494cf751efL } },
+    /* 9 << 105 */
+    { { 0xe1790e4bfc25419aL,0x364672034bff3cfdL,0xc8db638625b6e83fL,
+        0x6cc69f236cad6fd2L },
+      { 0x0219e45a6bc68bb9L,0xe43d79b6297f7334L,0x7d445368465dc97cL,
+        0x4b9eea322a0b949aL } },
+    /* 10 << 105 */
+    { { 0x1b96c6ba6102d021L,0xeaafac782f4461eaL,0xd4b85c41c49f19a8L,
+        0x275c28e4cf538875L },
+      { 0x35451a9ddd2e54e0L,0x6991adb50605618bL,0x5b8b4bcd7b36cd24L,
+        0x372a4f8c56f37216L } },
+    /* 11 << 105 */
+    { { 0xc890bd73a6a5da60L,0x6f083da0dc4c9ff0L,0xf4e14d94f0536e57L,
+        0xf9ee1edaaaec8243L },
+      { 0x571241ec8bdcf8e7L,0xa5db82710b041e26L,0x9a0b9a99e3fff040L,
+        0xcaaf21dd7c271202L } },
+    /* 12 << 105 */
+    { { 0xb4e2b2e14f0dd2e8L,0xe77e7c4f0a377ac7L,0x69202c3f0d7a2198L,
+        0xf759b7ff28200eb8L },
+      { 0xc87526eddcfe314eL,0xeb84c52453d5cf99L,0xb1b52ace515138b6L,
+        0x5aa7ff8c23fca3f4L } },
+    /* 13 << 105 */
+    { { 0xff0b13c3b9791a26L,0x960022dacdd58b16L,0xdbd55c9257aad2deL,
+        0x3baaaaa3f30fe619L },
+      { 0x9a4b23460d881efdL,0x506416c046325e2aL,0x91381e76035c18d4L,
+        0xb3bb68bef27817b0L } },
+    /* 14 << 105 */
+    { { 0x15bfb8bf5116f937L,0x7c64a586c1268943L,0x71e25cc38419a2c8L,
+        0x9fd6b0c48335f463L },
+      { 0x4bf0ba3ce8ee0e0eL,0x6f6fba60298c21faL,0x57d57b39ae66bee0L,
+        0x292d513022672544L } },
+    /* 15 << 105 */
+    { { 0xf451105dbab093b3L,0x012f59b902839986L,0x8a9158023474a89cL,
+        0x048c919c2de03e97L },
+      { 0xc476a2b591071cd5L,0x791ed89a034970a5L,0x89bd9042e1b7994bL,
+        0x8eaf5179a1057ffdL } },
+    /* 16 << 105 */
+    { { 0x6066e2a2d551ee10L,0x87a8f1d8727e09a6L,0x00d08bab2c01148dL,
+        0x6da8e4f1424f33feL },
+      { 0x466d17f0cf9a4e71L,0xff5020103bf5cb19L,0xdccf97d8d062ecc0L,
+        0x80c0d9af81d80ac4L } },
+    /* 17 << 105 */
+    { { 0xe87771d8033f2876L,0xb0186ec67d5cc3dbL,0x58e8bb803bc9bc1dL,
+        0x4d1395cc6f6ef60eL },
+      { 0xa73c62d6186244a0L,0x918e5f23110a5b53L,0xed4878ca741b7eabL,
+        0x3038d71adbe03e51L } },
+    /* 18 << 105 */
+    { { 0x840204b7a93c3246L,0x21ab6069a0b9b4cdL,0xf5fa6e2bb1d64218L,
+        0x1de6ad0ef3d56191L },
+      { 0x570aaa88ff1929c7L,0xc6df4c6b640e87b5L,0xde8a74f2c65f0cccL,
+        0x8b972fd5e6f6cc01L } },
+    /* 19 << 105 */
+    { { 0x3fff36b60b846531L,0xba7e45e610a5e475L,0x84a1d10e4145b6c5L,
+        0xf1f7f91a5e046d9dL },
+      { 0x0317a69244de90d7L,0x951a1d4af199c15eL,0x91f78046c9d73debL,
+        0x74c82828fab8224fL } },
+    /* 20 << 105 */
+    { { 0xaa6778fce7560b90L,0xb4073e61a7e824ceL,0xff0d693cd642eba8L,
+        0x7ce2e57a5dccef38L },
+      { 0x89c2c7891df1ad46L,0x83a06922098346fdL,0x2d715d72da2fc177L,
+        0x7b6dd71d85b6cf1dL } },
+    /* 21 << 105 */
+    { { 0xc60a6d0a73fa9cb0L,0xedd3992e328bf5a9L,0xc380ddd0832c8c82L,
+        0xd182d410a2a0bf50L },
+      { 0x7d9d7438d9a528dbL,0xe8b1a0e9caf53994L,0xddd6e5fe0e19987cL,
+        0xacb8df03190b059dL } },
+    /* 22 << 105 */
+    { { 0x53703a328300129fL,0x1f63766268c43bfdL,0xbcbd191300e54051L,
+        0x812fcc627bf5a8c5L },
+      { 0x3f969d5f29fb85daL,0x72f4e00a694759e8L,0x426b6e52790726b7L,
+        0x617bbc873bdbb209L } },
+    /* 23 << 105 */
+    { { 0x511f8bb997aee317L,0x812a4096e81536a8L,0x137dfe593ac09b9bL,
+        0x0682238fba8c9a7aL },
+      { 0x7072ead6aeccb4bdL,0x6a34e9aa692ba633L,0xc82eaec26fff9d33L,
+        0xfb7535121d4d2b62L } },
+    /* 24 << 105 */
+    { { 0x1a0445ff1d7aadabL,0x65d38260d5f6a67cL,0x6e62fb0891cfb26fL,
+        0xef1e0fa55c7d91d6L },
+      { 0x47e7c7ba33db72cdL,0x017cbc09fa7c74b2L,0x3c931590f50a503cL,
+        0xcac54f60616baa42L } },
+    /* 25 << 105 */
+    { { 0x9b6cd380b2369f0fL,0x97d3a70d23c76151L,0x5f9dd6fc9862a9c6L,
+        0x044c4ab212312f51L },
+      { 0x035ea0fd834a2ddcL,0x49e6b862cc7b826dL,0xb03d688362fce490L,
+        0x62f2497ab37e36e9L } },
+    /* 26 << 105 */
+    { { 0x04b005b6c6458293L,0x36bb5276e8d10af7L,0xacf2dc138ee617b8L,
+        0x470d2d35b004b3d4L },
+      { 0x06790832feeb1b77L,0x2bb75c3985657f9cL,0xd70bd4edc0f60004L,
+        0xfe797ecc219b018bL } },
+    /* 27 << 105 */
+    { { 0x9b5bec2a753aebccL,0xdaf9f3dcc939eca5L,0xd6bc6833d095ad09L,
+        0x98abdd51daa4d2fcL },
+      { 0xd9840a318d168be5L,0xcf7c10e02325a23cL,0xa5c02aa07e6ecfafL,
+        0x2462e7e6b5bfdf18L } },
+    /* 28 << 105 */
+    { { 0xab2d8a8ba0cc3f12L,0x68dd485dbc672a29L,0x72039752596f2cd3L,
+        0x5d3eea67a0cf3d8dL },
+      { 0x810a1a81e6602671L,0x8f144a4014026c0cL,0xbc753a6d76b50f85L,
+        0xc4dc21e8645cd4a4L } },
+    /* 29 << 105 */
+    { { 0xc5262dea521d0378L,0x802b8e0e05011c6fL,0x1ba19cbb0b4c19eaL,
+        0x21db64b5ebf0aaecL },
+      { 0x1f394ee970342f9dL,0x93a10aee1bc44a14L,0xa7eed31b3efd0baaL,
+        0x6e7c824e1d154e65L } },
+    /* 30 << 105 */
+    { { 0xee23fa819966e7eeL,0x64ec4aa805b7920dL,0x2d44462d2d90aad4L,
+        0xf44dd195df277ad5L },
+      { 0x8d6471f1bb46b6a1L,0x1e65d313fd885090L,0x33a800f513a977b4L,
+        0xaca9d7210797e1efL } },
+    /* 31 << 105 */
+    { { 0x9a5a85a0fcff6a17L,0x9970a3f31eca7ceeL,0xbb9f0d6bc9504be3L,
+        0xe0c504beadd24ee2L },
+      { 0x7e09d95677fcc2f4L,0xef1a522765bb5fc4L,0x145d4fb18b9286aaL,
+        0x66fd0c5d6649028bL } },
+    /* 32 << 105 */
+    { { 0x98857ceb1bf4581cL,0xe635e186aca7b166L,0x278ddd22659722acL,
+        0xa0903c4c1db68007L },
+      { 0x366e458948f21402L,0x31b49c14b96abda2L,0x329c4b09e0403190L,
+        0x97197ca3d29f43feL } },
+    /* 33 << 105 */
+    { { 0x8073dd1e274983d8L,0xda1a3bde55717c8fL,0xfd3d4da20361f9d1L,
+        0x1332d0814c7de1ceL },
+      { 0x9b7ef7a3aa6d0e10L,0x17db2e73f54f1c4aL,0xaf3dffae4cd35567L,
+        0xaaa2f406e56f4e71L } },
+    /* 34 << 105 */
+    { { 0x8966759e7ace3fc7L,0x9594eacf45a8d8c6L,0x8de3bd8b91834e0eL,
+        0xafe4ca53548c0421L },
+      { 0xfdd7e856e6ee81c6L,0x8f671beb6b891a3aL,0xf7a58f2bfae63829L,
+        0x9ab186fb9c11ac9fL } },
+    /* 35 << 105 */
+    { { 0x8d6eb36910b5be76L,0x046b7739fb040bcdL,0xccb4529fcb73de88L,
+        0x1df0fefccf26be03L },
+      { 0xad7757a6bcfcd027L,0xa8786c75bb3165caL,0xe9db1e347e99a4d9L,
+        0x99ee86dfb06c504bL } },
+    /* 36 << 105 */
+    { { 0x5b7c2dddc15c9f0aL,0xdf87a7344295989eL,0x59ece47c03d08fdaL,
+        0xb074d3ddad5fc702L },
+      { 0x2040790351a03776L,0x2bb1f77b2a608007L,0x25c58f4fe1153185L,
+        0xe6df62f6766e6447L } },
+    /* 37 << 105 */
+    { { 0xefb3d1beed51275aL,0x5de47dc72f0f483fL,0x7932d98e97c2bedfL,
+        0xd5c119270219f8a1L },
+      { 0x9d751200a73a294eL,0x5f88434a9dc20172L,0xd28d9fd3a26f506aL,
+        0xa890cd319d1dcd48L } },
+    /* 38 << 105 */
+    { { 0x0aebaec170f4d3b4L,0xfd1a13690ffc8d00L,0xb9d9c24057d57838L,
+        0x45929d2668bac361L },
+      { 0x5a2cd06025b15ca6L,0x4b3c83e16e474446L,0x1aac7578ee1e5134L,
+        0xa418f5d6c91e2f41L } },
+    /* 39 << 105 */
+    { { 0x6936fc8a213ed68bL,0x860ae7ed510a5224L,0x63660335def09b53L,
+        0x641b2897cd79c98dL },
+      { 0x29bd38e101110f35L,0x79c26f42648b1937L,0x64dae5199d9164f4L,
+        0xd85a23100265c273L } },
+    /* 40 << 105 */
+    { { 0x7173dd5d4b07e2b1L,0xd144c4cb8d9ea221L,0xe8b04ea41105ab14L,
+        0x92dda542fe80d8f1L },
+      { 0xe9982fa8cf03dce6L,0x8b5ea9651a22cffcL,0xf7f4ea7f3fad88c4L,
+        0x62db773e6a5ba95cL } },
+    /* 41 << 105 */
+    { { 0xd20f02fb93f24567L,0xfd46c69a315257caL,0x0ac74cc78bcab987L,
+        0x46f31c015ceca2f5L },
+      { 0x40aedb59888b219eL,0xe50ecc37e1fccd02L,0x1bcd9dad911f816cL,
+        0x583cc1ec8db9b00cL } },
+    /* 42 << 105 */
+    { { 0xf3cd2e66a483bf11L,0xfa08a6f5b1b2c169L,0xf375e2454be9fa28L,
+        0x99a7ffec5b6d011fL },
+      { 0x6a3ebddbc4ae62daL,0x6cea00ae374aef5dL,0xab5fb98d9d4d05bcL,
+        0x7cba1423d560f252L } },
+    /* 43 << 105 */
+    { { 0x49b2cc21208490deL,0x1ca66ec3bcfb2879L,0x7f1166b71b6fb16fL,
+        0xfff63e0865fe5db3L },
+      { 0xb8345abe8b2610beL,0xb732ed8039de3df4L,0x0e24ed50211c32b4L,
+        0xd10d8a69848ff27dL } },
+    /* 44 << 105 */
+    { { 0xc1074398ed4de248L,0xd7cedace10488927L,0xa4aa6bf885673e13L,
+        0xb46bae916daf30afL },
+      { 0x07088472fcef7ad8L,0x61151608d4b35e97L,0xbcfe8f26dde29986L,
+        0xeb84c4c7d5a34c79L } },
+    /* 45 << 105 */
+    { { 0xc1eec55c164e1214L,0x891be86da147bb03L,0x9fab4d100ba96835L,
+        0xbf01e9b8a5c1ae9fL },
+      { 0x6b4de139b186ebc0L,0xd5c74c2685b91bcaL,0x5086a99cc2d93854L,
+        0xeed62a7ba7a9dfbcL } },
+    /* 46 << 105 */
+    { { 0x8778ed6f76b7618aL,0xbff750a503b66062L,0x4cb7be22b65186dbL,
+        0x369dfbf0cc3a6d13L },
+      { 0xc7dab26c7191a321L,0x9edac3f940ed718eL,0xbc142b36d0cfd183L,
+        0xc8af82f67c991693L } },
+    /* 47 << 105 */
+    { { 0xb3d1e4d897ce0b2aL,0xe6d7c87fc3a55cdfL,0x35846b9568b81afeL,
+        0x018d12afd3c239d8L },
+      { 0x2b2c620801206e15L,0xe0e42453a3b882c6L,0x854470a3a50162d5L,
+        0x081574787017a62aL } },
+    /* 48 << 105 */
+    { { 0x18bd3fb4820357c7L,0x992039ae6f1458adL,0x9a1df3c525b44aa1L,
+        0x2d780357ed3d5281L },
+      { 0x58cf7e4dc77ad4d4L,0xd49a7998f9df4fc4L,0x4465a8b51d71205eL,
+        0xa0ee0ea6649254aaL } },
+    /* 49 << 105 */
+    { { 0x4b5eeecfab7bd771L,0x6c87307335c262b9L,0xdc5bd6483c9d61e7L,
+        0x233d6d54321460d2L },
+      { 0xd20c5626fc195bccL,0x2544595804d78b63L,0xe03fcb3d17ec8ef3L,
+        0x54b690d146b8f781L } },
+    /* 50 << 105 */
+    { { 0x82fa2c8a21230646L,0xf51aabb9084f418cL,0xff4fbec11a30ba43L,
+        0x6a5acf73743c9df7L },
+      { 0x1da2b357d635b4d5L,0xc3de68ddecd5c1daL,0xa689080bd61af0ddL,
+        0xdea5938ad665bf99L } },
+    /* 51 << 105 */
+    { { 0x0231d71afe637294L,0x01968aa6a5a81cd8L,0x11252d50048e63b5L,
+        0xc446bc526ca007e9L },
+      { 0xef8c50a696d6134bL,0x9361fbf59e09a05cL,0xf17f85a6dca3291aL,
+        0xb178d548ff251a21L } },
+    /* 52 << 105 */
+    { { 0x87f6374ba4df3915L,0x566ce1bf2fd5d608L,0x425cba4d7de35102L,
+        0x6b745f8f58c5d5e2L },
+      { 0x88402af663122edfL,0x3190f9ed3b989a89L,0x4ad3d387ebba3156L,
+        0xef385ad9c7c469a5L } },
+    /* 53 << 105 */
+    { { 0xb08281de3f642c29L,0x20be0888910ffb88L,0xf353dd4ad5292546L,
+        0x3f1627de8377a262L },
+      { 0xa5faa013eefcd638L,0x8f3bf62674cc77c3L,0x32618f65a348f55eL,
+        0x5787c0dc9fefeb9eL } },
+    /* 54 << 105 */
+    { { 0xf1673aa2d9a23e44L,0x88dfa9934e10690dL,0x1ced1b362bf91108L,
+        0x9193ceca3af48649L },
+      { 0xfb34327d2d738fc5L,0x6697b037975fee6cL,0x2f485da0c04079a5L,
+        0x2cdf57352feaa1acL } },
+    /* 55 << 105 */
+    { { 0x76944420bd55659eL,0x7973e32b4376090cL,0x86bb4fe1163b591aL,
+        0x10441aedc196f0caL },
+      { 0x3b431f4a045ad915L,0x6c11b437a4afacb1L,0x30b0c7db71fdbbd8L,
+        0xb642931feda65acdL } },
+    /* 56 << 105 */
+    { { 0x4baae6e89c92b235L,0xa73bbd0e6b3993a1L,0xd06d60ec693dd031L,
+        0x03cab91b7156881cL },
+      { 0xd615862f1db3574bL,0x485b018564bb061aL,0x27434988a0181e06L,
+        0x2cd61ad4c1c0c757L } },
+    /* 57 << 105 */
+    { { 0x3effed5a2ff9f403L,0x8dc98d8b62239029L,0x2206021e1f17b70dL,
+        0xafbec0cabf510015L },
+      { 0x9fed716480130dfaL,0x306dc2b58a02dcf5L,0x48f06620feb10fc0L,
+        0x78d1e1d55a57cf51L } },
+    /* 58 << 105 */
+    { { 0xadef8c5a192ef710L,0x88afbd4b3b7431f9L,0x7e1f740764250c9eL,
+        0x6e31318db58bec07L },
+      { 0xfd4fc4b824f89b4eL,0x65a5dd8848c36a2aL,0x4f1eccfff024baa7L,
+        0x22a21cf2cba94650L } },
+    /* 59 << 105 */
+    { { 0x95d29dee42a554f7L,0x828983a5002ec4baL,0x8112a1f78badb73dL,
+        0x79ea8897a27c1839L },
+      { 0x8969a5a7d065fd83L,0xf49af791b262a0bcL,0xfcdea8b6af2b5127L,
+        0x10e913e1564c2dbcL } },
+    /* 60 << 105 */
+    { { 0x51239d14bc21ef51L,0xe51c3ceb4ce57292L,0x795ff06847bbcc3bL,
+        0x86b46e1ebd7e11e6L },
+      { 0x0ea6ba2380041ef4L,0xd72fe5056262342eL,0x8abc6dfd31d294d4L,
+        0xbbe017a21278c2c9L } },
+    /* 61 << 105 */
+    { { 0xb1fcfa09b389328aL,0x322fbc62d01771b5L,0x04c0d06360b045bfL,
+        0xdb652edc10e52d01L },
+      { 0x50ef932c03ec6627L,0xde1b3b2dc1ee50e3L,0x5ab7bdc5dc37a90dL,
+        0xfea6721331e33a96L } },
+    /* 62 << 105 */
+    { { 0x6482b5cb4f2999aaL,0x38476cc6b8cbf0ddL,0x93ebfacb173405bbL,
+        0x15cdafe7e52369ecL },
+      { 0xd42d5ba4d935b7dbL,0x648b60041c99a4cdL,0x785101bda3b5545bL,
+        0x4bf2c38a9dd67fafL } },
+    /* 63 << 105 */
+    { { 0xb1aadc634442449cL,0xe0e9921a33ad4fb8L,0x5c552313aa686d82L,
+        0xdee635fa465d866cL },
+      { 0xbc3c224a18ee6e8aL,0xeed748a6ed42e02fL,0xe70f930ad474cd08L,
+        0x774ea6ecfff24adfL } },
+    /* 64 << 105 */
+    { { 0x03e2de1cf3480d4aL,0xf0d8edc7bc8acf1aL,0xf23e330368295a9cL,
+        0xfadd5f68c546a97dL },
+      { 0x895597ad96f8acb1L,0xbddd49d5671bdae2L,0x16fcd52821dd43f4L,
+        0xa5a454126619141aL } },
+    /* 0 << 112 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 112 */
+    { { 0x8ce9b6bfc360e25aL,0xe6425195075a1a78L,0x9dc756a8481732f4L,
+        0x83c0440f5432b57aL },
+      { 0xc670b3f1d720281fL,0x2205910ed135e051L,0xded14b0edb052be7L,
+        0x697b3d27c568ea39L } },
+    /* 2 << 112 */
+    { { 0x2e599b9afb3ff9edL,0x28c2e0ab17f6515cL,0x1cbee4fd474da449L,
+        0x071279a44f364452L },
+      { 0x97abff6601fbe855L,0x3ee394e85fda51c4L,0x190385f667597c0bL,
+        0x6e9fccc6a27ee34bL } },
+    /* 3 << 112 */
+    { { 0x0b89de9314092ebbL,0xf17256bd428e240cL,0xcf89a7f393d2f064L,
+        0x4f57841ee1ed3b14L },
+      { 0x4ee14405e708d855L,0x856aae7203f1c3d0L,0xc8e5424fbdd7eed5L,
+        0x3333e4ef73ab4270L } },
+    /* 4 << 112 */
+    { { 0x3bc77adedda492f8L,0xc11a3aea78297205L,0x5e89a3e734931b4cL,
+        0x17512e2e9f5694bbL },
+      { 0x5dc349f3177bf8b6L,0x232ea4ba08c7ff3eL,0x9c4f9d16f511145dL,
+        0xccf109a333b379c3L } },
+    /* 5 << 112 */
+    { { 0xe75e7a88a1f25897L,0x7ac6961fa1b5d4d8L,0xe3e1077308f3ed5cL,
+        0x208a54ec0a892dfbL },
+      { 0xbe826e1978660710L,0x0cf70a97237df2c8L,0x418a7340ed704da5L,
+        0xa3eeb9a908ca33fdL } },
+    /* 6 << 112 */
+    { { 0x49d96233169bca96L,0x04d286d42da6aafbL,0xc09606eca0c2fa94L,
+        0x8869d0d523ff0fb3L },
+      { 0xa99937e5d0150d65L,0xa92e2503240c14c9L,0x656bf945108e2d49L,
+        0x152a733aa2f59e2bL } },
+    /* 7 << 112 */
+    { { 0xb4323d588434a920L,0xc0af8e93622103c5L,0x667518ef938dbf9aL,
+        0xa184307383a9cdf2L },
+      { 0x350a94aa5447ab80L,0xe5e5a325c75a3d61L,0x74ba507f68411a9eL,
+        0x10581fc1594f70c5L } },
+    /* 8 << 112 */
+    { { 0x60e2857080eb24a9L,0x7bedfb4d488e0cfdL,0x721ebbd7c259cdb8L,
+        0x0b0da855bc6390a9L },
+      { 0x2b4d04dbde314c70L,0xcdbf1fbc6c32e846L,0x33833eabb162fc9eL,
+        0x9939b48bb0dd3ab7L } },
+    /* 9 << 112 */
+    { { 0x5aaa98a7cb0c9c8cL,0x75105f3081c4375cL,0xceee50575ef1c90fL,
+        0xb31e065fc23a17bfL },
+      { 0x5364d275d4b6d45aL,0xd363f3ad62ec8996L,0xb5d212394391c65bL,
+        0x84564765ebb41b47L } },
+    /* 10 << 112 */
+    { { 0x20d18ecc37107c78L,0xacff3b6b570c2a66L,0x22f975d99bd0d845L,
+        0xef0a0c46ba178fa0L },
+      { 0x1a41965176b6028eL,0xc49ec674248612d4L,0x5b6ac4f27338af55L,
+        0x06145e627bee5a36L } },
+    /* 11 << 112 */
+    { { 0x33e95d07e75746b5L,0x1c1e1f6dc40c78beL,0x967833ef222ff8e2L,
+        0x4bedcf6ab49180adL },
+      { 0x6b37e9c13d7a4c8aL,0x2748887c6ddfe760L,0xf7055123aa3a5bbcL,
+        0x954ff2257bbb8e74L } },
+    /* 12 << 112 */
+    { { 0xc42b8ab197c3dfb9L,0x55a549b0cf168154L,0xad6748e7c1b50692L,
+        0x2775780f6fc5cbcbL },
+      { 0x4eab80b8e1c9d7c8L,0x8c69dae13fdbcd56L,0x47e6b4fb9969eaceL,
+        0x002f1085a705cb5aL } },
+    /* 13 << 112 */
+    { { 0x4e23ca446d3fea55L,0xb4ae9c86f4810568L,0x47bfb91b2a62f27dL,
+        0x60deb4c9d9bac28cL },
+      { 0xa892d8947de6c34cL,0x4ee682594494587dL,0x914ee14e1a3f8a5bL,
+        0xbb113eaa28700385L } },
+    /* 14 << 112 */
+    { { 0x81ca03b92115b4c9L,0x7c163d388908cad1L,0xc912a118aa18179aL,
+        0xe09ed750886e3081L },
+      { 0xa676e3fa26f516caL,0x753cacf78e732f91L,0x51592aea833da8b4L,
+        0xc626f42f4cbea8aaL } },
+    /* 15 << 112 */
+    { { 0xef9dc899a7b56eafL,0x00c0e52c34ef7316L,0x5b1e4e24fe818a86L,
+        0x9d31e20dc538be47L },
+      { 0x22eb932d3ed68974L,0xe44bbc087c4e87c4L,0x4121086e0dde9aefL,
+        0x8e6b9cff134f4345L } },
+    /* 16 << 112 */
+    { { 0x96892c1f711b0eb9L,0xb905f2c8780ab954L,0xace26309a20792dbL,
+        0xec8ac9b30684e126L },
+      { 0x486ad8b6b40a2447L,0x60121fc19fe3fb24L,0x5626fccf1a8e3b3fL,
+        0x4e5686226ad1f394L } },
+    /* 17 << 112 */
+    { { 0xda7aae0d196aa5a1L,0xe0df8c771041b5fbL,0x451465d926b318b7L,
+        0xc29b6e557ab136e9L },
+      { 0x2c2ab48b71148463L,0xb5738de364454a76L,0x54ccf9a05a03abe4L,
+        0x377c02960427d58eL } },
+    /* 18 << 112 */
+    { { 0x73f5f0b92bb39c1fL,0x14373f2ce608d8c5L,0xdcbfd31400fbb805L,
+        0xdf18fb2083afdcfbL },
+      { 0x81a57f4242b3523fL,0xe958532d87f650fbL,0xaa8dc8b68b0a7d7cL,
+        0x1b75dfb7150166beL } },
+    /* 19 << 112 */
+    { { 0x90e4f7c92d7d1413L,0x67e2d6b59834f597L,0x4fd4f4f9a808c3e8L,
+        0xaf8237e0d5281ec1L },
+      { 0x25ab5fdc84687ceeL,0xc5ded6b1a5b26c09L,0x8e4a5aecc8ea7650L,
+        0x23b73e5c14cc417fL } },
+    /* 20 << 112 */
+    { { 0x2bfb43183037bf52L,0xb61e6db578c725d7L,0x8efd4060bbb3e5d7L,
+        0x2e014701dbac488eL },
+      { 0xac75cf9a360aa449L,0xb70cfd0579634d08L,0xa591536dfffb15efL,
+        0xb2c37582d07c106cL } },
+    /* 21 << 112 */
+    { { 0xb4293fdcf50225f9L,0xc52e175cb0e12b03L,0xf649c3bad0a8bf64L,
+        0x745a8fefeb8ae3c6L },
+      { 0x30d7e5a358321bc3L,0xb1732be70bc4df48L,0x1f217993e9ea5058L,
+        0xf7a71cde3e4fd745L } },
+    /* 22 << 112 */
+    { { 0x86cc533e894c5bbbL,0x6915c7d969d83082L,0xa6aa2d055815c244L,
+        0xaeeee59249b22ce5L },
+      { 0x89e39d1378135486L,0x3a275c1f16b76f2fL,0xdb6bcc1be036e8f5L,
+        0x4df69b215e4709f5L } },
+    /* 23 << 112 */
+    { { 0xa188b2502d0f39aaL,0x622118bb15a85947L,0x2ebf520ffde0f4faL,
+        0xa40e9f294860e539L },
+      { 0x7b6a51eb22b57f0fL,0x849a33b97e80644aL,0x50e5d16f1cf095feL,
+        0xd754b54eec55f002L } },
+    /* 24 << 112 */
+    { { 0x5cfbbb22236f4a98L,0x0b0c59e9066800bbL,0x4ac69a8f5a9a7774L,
+        0x2b33f804d6bec948L },
+      { 0xb372929532e6c466L,0x68956d0f4e599c73L,0xa47a249f155c31ccL,
+        0x24d80f0de1ce284eL } },
+    /* 25 << 112 */
+    { { 0xcd821dfb988baf01L,0xe6331a7ddbb16647L,0x1eb8ad33094cb960L,
+        0x593cca38c91bbca5L },
+      { 0x384aac8d26567456L,0x40fa0309c04b6490L,0x97834cd6dab6c8f6L,
+        0x68a7318d3f91e55fL } },
+    /* 26 << 112 */
+    { { 0xa00fd04efc4d3157L,0xb56f8ab22bf3bdeaL,0x014f56484fa57172L,
+        0x948c5860450abdb3L },
+      { 0x342b5df00ebd4f08L,0x3e5168cd0e82938eL,0x7aedc1ceb0df5dd0L,
+        0x6bbbc6d9e5732516L } },
+    /* 27 << 112 */
+    { { 0xc7bfd486605daaa6L,0x46fd72b7bb9a6c9eL,0xe4847fb1a124fb89L,
+        0x75959cbda2d8ffbcL },
+      { 0x42579f65c8a588eeL,0x368c92e6b80b499dL,0xea4ef6cd999a5df1L,
+        0xaa73bb7f936fe604L } },
+    /* 28 << 112 */
+    { { 0xf347a70d6457d188L,0x86eda86b8b7a388bL,0xb7cdff060ccd6013L,
+        0xbeb1b6c7d0053fb2L },
+      { 0x0b02238799240a9fL,0x1bbb384f776189b2L,0x8695e71e9066193aL,
+        0x2eb5009706ffac7eL } },
+    /* 29 << 112 */
+    { { 0x0654a9c04a7d2caaL,0x6f3fb3d1a5aaa290L,0x835db041ff476e8fL,
+        0x540b8b0bc42295e4L },
+      { 0xa5c73ac905e214f5L,0x9a74075a56a0b638L,0x2e4b1090ce9e680bL,
+        0x57a5b4796b8d9afaL } },
+    /* 30 << 112 */
+    { { 0x0dca48e726bfe65cL,0x097e391c7290c307L,0x683c462e6669e72eL,
+        0xf505be1e062559acL },
+      { 0x5fbe3ea1e3a3035aL,0x6431ebf69cd50da8L,0xfd169d5c1f6407f2L,
+        0x8d838a9560fce6b8L } },
+    /* 31 << 112 */
+    { { 0x2a2bfa7f650006f0L,0xdfd7dad350c0fbb2L,0x92452495ccf9ad96L,
+        0x183bf494d95635f9L },
+      { 0x02d5df434a7bd989L,0x505385cca5431095L,0xdd98e67dfd43f53eL,
+        0xd61e1a6c500c34a9L } },
+    /* 32 << 112 */
+    { { 0x5a4b46c64a8a3d62L,0x8469c4d0247743d2L,0x2bb3a13d88f7e433L,
+        0x62b23a1001be5849L },
+      { 0xe83596b4a63d1a4cL,0x454e7fea7d183f3eL,0x643fce6117afb01cL,
+        0x4e65e5e61c4c3638L } },
+    /* 33 << 112 */
+    { { 0x41d85ea1ef74c45bL,0x2cfbfa66ae328506L,0x98b078f53ada7da9L,
+        0xd985fe37ec752fbbL },
+      { 0xeece68fe5a0148b4L,0x6f9a55c72d78136dL,0x232dccc4d2b729ceL,
+        0xa27e0dfd90aafbc4L } },
+    /* 34 << 112 */
+    { { 0x9647445212b4603eL,0xa876c5516b706d14L,0xdf145fcf69a9d412L,
+        0xe2ab75b72d479c34L },
+      { 0x12df9a761a23ff97L,0xc61389925d359d10L,0x6e51c7aefa835f22L,
+        0x69a79cb1c0fcc4d9L } },
+    /* 35 << 112 */
+    { { 0xf57f350d594cc7e1L,0x3079ca633350ab79L,0x226fb6149aff594aL,
+        0x35afec026d59a62bL },
+      { 0x9bee46f406ed2c6eL,0x58da17357d939a57L,0x44c504028fd1797eL,
+        0xd8853e7c5ccea6caL } },
+    /* 36 << 112 */
+    { { 0x4065508da35fcd5fL,0x8965df8c495ccaebL,0x0f2da85012e1a962L,
+        0xee471b94c1cf1cc4L },
+      { 0xcef19bc80a08fb75L,0x704958f581de3591L,0x2867f8b23aef4f88L,
+        0x8d749384ea9f9a5fL } },
+    /* 37 << 112 */
+    { { 0x1b3855378c9049f4L,0x5be948f37b92d8b6L,0xd96f725db6e2bd6bL,
+        0x37a222bc958c454dL },
+      { 0xe7c61abb8809bf61L,0x46f07fbc1346f18dL,0xfb567a7ae87c0d1cL,
+        0x84a461c87ef3d07aL } },
+    /* 38 << 112 */
+    { { 0x0a5adce6d9278d98L,0x24d948139dfc73e1L,0x4f3528b6054321c3L,
+        0x2e03fdde692ea706L },
+      { 0x10e6061947b533c0L,0x1a8bc73f2ca3c055L,0xae58d4b21bb62b8fL,
+        0xb2045a73584a24e3L } },
+    /* 39 << 112 */
+    { { 0x3ab3d5afbd76e195L,0x478dd1ad6938a810L,0x6ffab3936ee3d5cbL,
+        0xdfb693db22b361e4L },
+      { 0xf969449651dbf1a7L,0xcab4b4ef08a2e762L,0xe8c92f25d39bba9aL,
+        0x850e61bcf1464d96L } },
+    /* 40 << 112 */
+    { { 0xb7e830e3dc09508bL,0xfaf6d2cf74317655L,0x72606cebdf690355L,
+        0x48bb92b3d0c3ded6L },
+      { 0x65b754845c7cf892L,0xf6cd7ac9d5d5f01fL,0xc2c30a5996401d69L,
+        0x91268650ed921878L } },
+    /* 41 << 112 */
+    { { 0x380bf913b78c558fL,0x43c0baebc8afdaa9L,0x377f61d554f169d3L,
+        0xf8da07e3ae5ff20bL },
+      { 0xb676c49da8a90ea8L,0x81c1ff2b83a29b21L,0x383297ac2ad8d276L,
+        0x3001122fba89f982L } },
+    /* 42 << 112 */
+    { { 0xe1d794be6718e448L,0x246c14827c3e6e13L,0x56646ef85d26b5efL,
+        0x80f5091e88069cddL },
+      { 0xc5992e2f724bdd38L,0x02e915b48471e8c7L,0x96ff320a0d0ff2a9L,
+        0xbf8864874384d1a0L } },
+    /* 43 << 112 */
+    { { 0xbbe1e6a6c93f72d6L,0xd5f75d12cad800eaL,0xfa40a09fe7acf117L,
+        0x32c8cdd57581a355L },
+      { 0x742219927023c499L,0xa8afe5d738ec3901L,0x5691afcba90e83f0L,
+        0x41bcaa030b8f8eacL } },
+    /* 44 << 112 */
+    { { 0xe38b5ff98d2668d5L,0x0715281a7ad81965L,0x1bc8fc7c03c6ce11L,
+        0xcbbee6e28b650436L },
+      { 0x06b00fe80cdb9808L,0x17d6e066fe3ed315L,0x2e9d38c64d0b5018L,
+        0xab8bfd56844dcaefL } },
+    /* 45 << 112 */
+    { { 0x42894a59513aed8bL,0xf77f3b6d314bd07aL,0xbbdecb8f8e42b582L,
+        0xf10e2fa8d2390fe6L },
+      { 0xefb9502262a2f201L,0x4d59ea5050ee32b0L,0xd87f77286da789a8L,
+        0xcf98a2cff79492c4L } },
+    /* 46 << 112 */
+    { { 0xf9577239720943c2L,0xba044cf53990b9d0L,0x5aa8e82395f2884aL,
+        0x834de6ed0278a0afL },
+      { 0xc8e1ee9a5f25bd12L,0x9259ceaa6f7ab271L,0x7e6d97a277d00b76L,
+        0x5c0c6eeaa437832aL } },
+    /* 47 << 112 */
+    { { 0x5232c20f5606b81dL,0xabd7b3750d991ee5L,0x4d2bfe358632d951L,
+        0x78f8514698ed9364L },
+      { 0x951873f0f30c3282L,0x0da8ac80a789230bL,0x3ac7789c5398967fL,
+        0xa69b8f7fbdda0fb5L } },
+    /* 48 << 112 */
+    { { 0xe5db77176add8545L,0x1b71cb6672c49b66L,0xd856073968421d77L,
+        0x03840fe883e3afeaL },
+      { 0xb391dad51ec69977L,0xae243fb9307f6726L,0xc88ac87be8ca160cL,
+        0x5174cced4ce355f4L } },
+    /* 49 << 112 */
+    { { 0x98a35966e58ba37dL,0xfdcc8da27817335dL,0x5b75283083fbc7bfL,
+        0x68e419d4d9c96984L },
+      { 0x409a39f402a40380L,0x88940faf1fe977bcL,0xc640a94b8f8edea6L,
+        0x1e22cd17ed11547dL } },
+    /* 50 << 112 */
+    { { 0xe28568ce59ffc3e2L,0x60aa1b55c1dee4e7L,0xc67497c8837cb363L,
+        0x06fb438a105a2bf2L },
+      { 0x30357ec4500d8e20L,0x1ad9095d0670db10L,0x7f589a05c73b7cfdL,
+        0xf544607d880d6d28L } },
+    /* 51 << 112 */
+    { { 0x17ba93b1a20ef103L,0xad8591306ba6577bL,0x65c91cf66fa214a0L,
+        0xd7d49c6c27990da5L },
+      { 0xecd9ec8d20bb569dL,0xbd4b2502eeffbc33L,0x2056ca5a6bed0467L,
+        0x7916a1f75b63728cL } },
+    /* 52 << 112 */
+    { { 0xd4f9497d53a4f566L,0x8973466497b56810L,0xf8e1da740494a621L,
+        0x82546a938d011c68L },
+      { 0x1f3acb19c61ac162L,0x52f8fa9cabad0d3eL,0x15356523b4b7ea43L,
+        0x5a16ad61ae608125L } },
+    /* 53 << 112 */
+    { { 0xb0bcb87f4faed184L,0x5f236b1d5029f45fL,0xd42c76070bc6b1fcL,
+        0xc644324e68aefce3L },
+      { 0x8e191d595c5d8446L,0xc020807713ae1979L,0xadcaee553ba59cc7L,
+        0x20ed6d6ba2cb81baL } },
+    /* 54 << 112 */
+    { { 0x0952ba19b6efcffcL,0x60f12d6897c0b87cL,0x4ee2c7c49caa30bcL,
+        0x767238b797fbff4eL },
+      { 0xebc73921501b5d92L,0x3279e3dfc2a37737L,0x9fc12bc86d197543L,
+        0xfa94dc6f0a40db4eL } },
+    /* 55 << 112 */
+    { { 0x7392b41a530ccbbdL,0x87c82146ea823525L,0xa52f984c05d98d0cL,
+        0x2ae57d735ef6974cL },
+      { 0x9377f7bf3042a6ddL,0xb1a007c019647a64L,0xfaa9079a0cca9767L,
+        0x3d81a25bf68f72d5L } },
+    /* 56 << 112 */
+    { { 0x752067f8ff81578eL,0x786221509045447dL,0xc0c22fcf0505aa6fL,
+        0x1030f0a66bed1c77L },
+      { 0x31f29f151f0bd739L,0x2d7989c7e6debe85L,0x5c070e728e677e98L,
+        0x0a817bd306e81fd5L } },
+    /* 57 << 112 */
+    { { 0xc110d830b0f2ac95L,0x48d0995aab20e64eL,0x0f3e00e17729cd9aL,
+        0x2a570c20dd556946L },
+      { 0x912dbcfd4e86214dL,0x2d014ee2cf615498L,0x55e2b1e63530d76eL,
+        0xc5135ae4fd0fd6d1L } },
+    /* 58 << 112 */
+    { { 0x0066273ad4f3049fL,0xbb8e9893e7087477L,0x2dba1ddb14c6e5fdL,
+        0xdba3788651f57e6cL },
+      { 0x5aaee0a65a72f2cfL,0x1208bfbf7bea5642L,0xf5c6aa3b67872c37L,
+        0xd726e08343f93224L } },
+    /* 59 << 112 */
+    { { 0x1854daa5061f1658L,0xc0016df1df0cd2b3L,0xc2a3f23e833d50deL,
+        0x73b681d2bbbd3017L },
+      { 0x2f046dc43ac343c0L,0x9c847e7d85716421L,0xe1e13c910917eed4L,
+        0x3fc9eebd63a1b9c6L } },
+    /* 60 << 112 */
+    { { 0x0f816a727fe02299L,0x6335ccc2294f3319L,0x3820179f4745c5beL,
+        0xe647b782922f066eL },
+      { 0xc22e49de02cafb8aL,0x299bc2fffcc2ecccL,0x9a8feea26e0e8282L,
+        0xa627278bfe893205L } },
+    /* 61 << 112 */
+    { { 0xa7e197337933e47bL,0xf4ff6b132e766402L,0xa4d8be0a98440d9fL,
+        0x658f5c2f38938808L },
+      { 0x90b75677c95b3b3eL,0xfa0442693137b6ffL,0x077b039b43c47c29L,
+        0xcca95dd38a6445b2L } },
+    /* 62 << 112 */
+    { { 0x0b498ba42333fc4cL,0x274f8e68f736a1b1L,0x6ca348fd5f1d4b2eL,
+        0x24d3be78a8f10199L },
+      { 0x8535f858ca14f530L,0xa6e7f1635b982e51L,0x847c851236e1bf62L,
+        0xf6a7c58e03448418L } },
+    /* 63 << 112 */
+    { { 0x583f3703f9374ab6L,0x864f91956e564145L,0x33bc3f4822526d50L,
+        0x9f323c801262a496L },
+      { 0xaa97a7ae3f046a9aL,0x70da183edf8a039aL,0x5b68f71c52aa0ba6L,
+        0x9be0fe5121459c2dL } },
+    /* 64 << 112 */
+    { { 0xc1e17eb6cbc613e5L,0x33131d55497ea61cL,0x2f69d39eaf7eded5L,
+        0x73c2f434de6af11bL },
+      { 0x4ca52493a4a375faL,0x5f06787cb833c5c2L,0x814e091f3e6e71cfL,
+        0x76451f578b746666L } },
+    /* 0 << 119 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 119 */
+    { { 0x80f9bdef694db7e0L,0xedca8787b9fcddc6L,0x51981c3403b8dce1L,
+        0x4274dcf170e10ba1L },
+      { 0xf72743b86def6d1aL,0xd25b1670ebdb1866L,0xc4491e8c050c6f58L,
+        0x2be2b2ab87fbd7f5L } },
+    /* 2 << 119 */
+    { { 0x3e0e5c9dd111f8ecL,0xbcc33f8db7c4e760L,0x702f9a91bd392a51L,
+        0x7da4a795c132e92dL },
+      { 0x1a0b0ae30bb1151bL,0x54febac802e32251L,0xea3a5082694e9e78L,
+        0xe58ffec1e4fe40b8L } },
+    /* 3 << 119 */
+    { { 0xf85592fcd1e0cf9eL,0xdea75f0dc0e7b2e8L,0xc04215cfc135584eL,
+        0x174fc7272f57092aL },
+      { 0xe7277877eb930beaL,0x504caccb5eb02a5aL,0xf9fe08f7f5241b9bL,
+        0xe7fb62f48d5ca954L } },
+    /* 4 << 119 */
+    { { 0xfbb8349d29c4120bL,0x9f94391fc0d0d915L,0xc4074fa75410ba51L,
+        0xa66adbf6150a5911L },
+      { 0xc164543c34bfca38L,0xe0f27560b9e1ccfcL,0x99da0f53e820219cL,
+        0xe8234498c6b4997aL } },
+    /* 5 << 119 */
+    { { 0xcfb88b769d4c5423L,0x9e56eb10b0521c49L,0x418e0b5ebe8700a1L,
+        0x00cbaad6f93cb58aL },
+      { 0xe923fbded92a5e67L,0xca4979ac1f347f11L,0x89162d856bc0585bL,
+        0xdd6254afac3c70e3L } },
+    /* 6 << 119 */
+    { { 0x7b23c513516e19e4L,0x56e2e847c5c4d593L,0x9f727d735ce71ef6L,
+        0x5b6304a6f79a44c5L },
+      { 0x6638a7363ab7e433L,0x1adea470fe742f83L,0xe054b8545b7fc19fL,
+        0xf935381aba1d0698L } },
+    /* 7 << 119 */
+    { { 0x546eab2d799e9a74L,0x96239e0ea949f729L,0xca274c6b7090055aL,
+        0x835142c39020c9b0L },
+      { 0xa405667aa2e8807fL,0x29f2c0851aa3d39eL,0xcc555d6442fc72f5L,
+        0xe856e0e7fbeacb3cL } },
+    /* 8 << 119 */
+    { { 0xb5504f9d918e4936L,0x65035ef6b2513982L,0x0553a0c26f4d9cb9L,
+        0x6cb10d56bea85509L },
+      { 0x48d957b7a242da11L,0x16a4d3dd672b7268L,0x3d7e637c8502a96bL,
+        0x27c7032b730d463bL } },
+    /* 9 << 119 */
+    { { 0xbdc02b18e4136a14L,0xbacf969d678e32bfL,0xc98d89a3dd9c3c03L,
+        0x7b92420a23becc4fL },
+      { 0xd4b41f78c64d565cL,0x9f969d0010f28295L,0xec7f7f76b13d051aL,
+        0x08945e1ea92da585L } },
+    /* 10 << 119 */
+    { { 0x55366b7d5846426fL,0xe7d09e89247d441dL,0x510b404d736fbf48L,
+        0x7fa003d0e784bd7dL },
+      { 0x25f7614f17fd9596L,0x49e0e0a135cb98dbL,0x2c65957b2e83a76aL,
+        0x5d40da8dcddbe0f8L } },
+    /* 11 << 119 */
+    { { 0xf2b8c405050bad24L,0x8918426dc2aa4823L,0x2aeab3dda38365a7L,
+        0x720317177c91b690L },
+      { 0x8b00d69960a94120L,0x478a255de99eaeecL,0xbf656a5f6f60aafdL,
+        0xdfd7cb755dee77b3L } },
+    /* 12 << 119 */
+    { { 0x37f68bb4a595939dL,0x0355647928740217L,0x8e740e7c84ad7612L,
+        0xd89bc8439044695fL },
+      { 0xf7f3da5d85a9184dL,0x562563bb9fc0b074L,0x06d2e6aaf88a888eL,
+        0x612d8643161fbe7cL } },
+    /* 13 << 119 */
+    { { 0x465edba7f64085e7L,0xb230f30429aa8511L,0x53388426cda2d188L,
+        0x908857354b666649L },
+      { 0x6f02ff9a652f54f6L,0x65c822945fae2bf0L,0x7816ade062f5eee3L,
+        0xdcdbdf43fcc56d70L } },
+    /* 14 << 119 */
+    { { 0x9fb3bba354530bb2L,0xbde3ef77cb0869eaL,0x89bc90460b431163L,
+        0x4d03d7d2e4819a35L },
+      { 0x33ae4f9e43b6a782L,0x216db3079c88a686L,0x91dd88e000ffedd9L,
+        0xb280da9f12bd4840L } },
+    /* 15 << 119 */
+    { { 0x32a7cb8a1635e741L,0xfe14008a78be02a7L,0x3fafb3341b7ae030L,
+        0x7fd508e75add0ce9L },
+      { 0x72c83219d607ad51L,0x0f229c0a8d40964aL,0x1be2c3361c878da2L,
+        0xe0c96742eab2ab86L } },
+    /* 16 << 119 */
+    { { 0x458f86913e538cd7L,0xa7001f6c8e08ad53L,0x52b8c6e6bf5d15ffL,
+        0x548234a4011215ddL },
+      { 0xff5a9d2d3d5b4045L,0xb0ffeeb64a904190L,0x55a3aca448607f8bL,
+        0x8cbd665c30a0672aL } },
+    /* 17 << 119 */
+    { { 0x87f834e042583068L,0x02da2aebf3f6e683L,0x6b763e5d05c12248L,
+        0x7230378f65a8aefcL },
+      { 0x93bd80b571e8e5caL,0x53ab041cb3b62524L,0x1b8605136c9c552eL,
+        0xe84d402cd5524e66L } },
+    /* 18 << 119 */
+    { { 0xa37f3573f37f5937L,0xeb0f6c7dd1e4fca5L,0x2965a554ac8ab0fcL,
+        0x17fbf56c274676acL },
+      { 0x2e2f6bd9acf7d720L,0x41fc8f8810224766L,0x517a14b385d53befL,
+        0xdae327a57d76a7d1L } },
+    /* 19 << 119 */
+    { { 0x6ad0a065c4818267L,0x33aa189b37c1bbc1L,0x64970b5227392a92L,
+        0x21699a1c2d1535eaL },
+      { 0xcd20779cc2d7a7fdL,0xe318605999c83cf2L,0x9b69440b72c0b8c7L,
+        0xa81497d77b9e0e4dL } },
+    /* 20 << 119 */
+    { { 0x515d5c891f5f82dcL,0x9a7f67d76361079eL,0xa8da81e311a35330L,
+        0xe44990c44b18be1bL },
+      { 0xc7d5ed95af103e59L,0xece8aba78dac9261L,0xbe82b0999394b8d3L,
+        0x6830f09a16adfe83L } },
+    /* 21 << 119 */
+    { { 0x250a29b488172d01L,0x8b20bd65caff9e02L,0xb8a7661ee8a6329aL,
+        0x4520304dd3fce920L },
+      { 0xae45da1f2b47f7efL,0xe07f52885bffc540L,0xf79970093464f874L,
+        0x2244c2cda6fa1f38L } },
+    /* 22 << 119 */
+    { { 0x43c41ac194d7d9b1L,0x5bafdd82c82e7f17L,0xdf0614c15fda0fcaL,
+        0x74b043a7a8ae37adL },
+      { 0x3ba6afa19e71734cL,0x15d5437e9c450f2eL,0x4a5883fe67e242b1L,
+        0x5143bdc22c1953c2L } },
+    /* 23 << 119 */
+    { { 0x542b8b53fc5e8920L,0x363bf9a89a9cee08L,0x02375f10c3486e08L,
+        0x2037543b8c5e70d2L },
+      { 0x7109bccc625640b4L,0xcbc1051e8bc62c3bL,0xf8455fed803f26eaL,
+        0x6badceabeb372424L } },
+    /* 24 << 119 */
+    { { 0xa2a9ce7c6b53f5f9L,0x642465951b176d99L,0xb1298d36b95c081bL,
+        0x53505bb81d9a9ee6L },
+      { 0x3f6f9e61f2ba70b0L,0xd07e16c98afad453L,0x9f1694bbe7eb4a6aL,
+        0xdfebced93cb0bc8eL } },
+    /* 25 << 119 */
+    { { 0x92d3dcdc53868c8bL,0x174311a2386107a6L,0x4109e07c689b4e64L,
+        0x30e4587f2df3dcb6L },
+      { 0x841aea310811b3b2L,0x6144d41d0cce43eaL,0x464c45812a9a7803L,
+        0xd03d371f3e158930L } },
+    /* 26 << 119 */
+    { { 0xc676d7f2b1f3390bL,0x9f7a1b8ca5b61272L,0x4ebebfc9c2e127a9L,
+        0x4602500c5dd997bfL },
+      { 0x7f09771c4711230fL,0x058eb37c020f09c1L,0xab693d4bfee5e38bL,
+        0x9289eb1f4653cbc0L } },
+    /* 27 << 119 */
+    { { 0xbecf46abd51b9cf5L,0xd2aa9c029f0121afL,0x36aaf7d2e90dc274L,
+        0x909e4ea048b95a3cL },
+      { 0xe6b704966f32dbdbL,0x672188a08b030b3eL,0xeeffe5b3cfb617e2L,
+        0x87e947de7c82709eL } },
+    /* 28 << 119 */
+    { { 0xa44d2b391770f5a7L,0xe4d4d7910e44eb82L,0x42e69d1e3f69712aL,
+        0xbf11c4d6ac6a820eL },
+      { 0xb5e7f3e542c4224cL,0xd6b4e81c449d941cL,0x5d72bd165450e878L,
+        0x6a61e28aee25ac54L } },
+    /* 29 << 119 */
+    { { 0x33272094e6f1cd95L,0x7512f30d0d18673fL,0x32f7a4ca5afc1464L,
+        0x2f0956566bbb977bL },
+      { 0x586f47caa8226200L,0x02c868ad1ac07369L,0x4ef2b845c613acbeL,
+        0x43d7563e0386054cL } },
+    /* 30 << 119 */
+    { { 0x54da9dc7ab952578L,0xb5423df226e84d0bL,0xa8b64eeb9b872042L,
+        0xac2057825990f6dfL },
+      { 0x4ff696eb21f4c77aL,0x1a79c3e4aab273afL,0x29bc922e9436b3f1L,
+        0xff807ef8d6d9a27aL } },
+    /* 31 << 119 */
+    { { 0x82acea3d778f22a0L,0xfb10b2e85b5e7469L,0xc0b169802818ee7dL,
+        0x011afff4c91c1a2fL },
+      { 0x95a6d126ad124418L,0x31c081a5e72e295fL,0x36bb283af2f4db75L,
+        0xd115540f7acef462L } },
+    /* 32 << 119 */
+    { { 0xc7f3a8f833f6746cL,0x21e46f65fea990caL,0x915fd5c5caddb0a9L,
+        0xbd41f01678614555L },
+      { 0x346f4434426ffb58L,0x8055943614dbc204L,0xf3dd20fe5a969b7fL,
+        0x9d59e956e899a39aL } },
+    /* 33 << 119 */
+    { { 0xf1b0971c8ad4cf4bL,0x034488602ffb8fb8L,0xf071ac3c65340ba4L,
+        0x408d0596b27fd758L },
+      { 0xe7c78ea498c364b0L,0xa4aac4a5051e8ab5L,0xb9e1d560485d9002L,
+        0x9acd518a88844455L } },
+    /* 34 << 119 */
+    { { 0xe4ca688fd06f56c0L,0xa48af70ddf027972L,0x691f0f045e9a609dL,
+        0xa9dd82cdee61270eL },
+      { 0x8903ca63a0ef18d3L,0x9fb7ee353d6ca3bdL,0xa7b4a09cabf47d03L,
+        0x4cdada011c67de8eL } },
+    /* 35 << 119 */
+    { { 0x520037499355a244L,0xe77fd2b64f2151a9L,0x695d6cf666b4efcbL,
+        0xc5a0cacfda2cfe25L },
+      { 0x104efe5cef811865L,0xf52813e89ea5cc3dL,0x855683dc40b58dbcL,
+        0x0338ecde175fcb11L } },
+    /* 36 << 119 */
+    { { 0xf9a0563774921592L,0xb4f1261db9bb9d31L,0x551429b74e9c5459L,
+        0xbe182e6f6ea71f53L },
+      { 0xd3a3b07cdfc50573L,0x9ba1afda62be8d44L,0x9bcfd2cb52ab65d3L,
+        0xdf11d547a9571802L } },
+    /* 37 << 119 */
+    { { 0x099403ee02a2404aL,0x497406f421088a71L,0x994794095004ae71L,
+        0xbdb42078a812c362L },
+      { 0x2b72a30fd8828442L,0x283add27fcb5ed1cL,0xf7c0e20066a40015L,
+        0x3e3be64108b295efL } },
+    /* 38 << 119 */
+    { { 0xac127dc1e038a675L,0x729deff38c5c6320L,0xb7df8fd4a90d2c53L,
+        0x9b74b0ec681e7cd3L },
+      { 0x5cb5a623dab407e5L,0xcdbd361576b340c6L,0xa184415a7d28392cL,
+        0xc184c1d8e96f7830L } },
+    /* 39 << 119 */
+    { { 0xc3204f1981d3a80fL,0xfde0c841c8e02432L,0x78203b3e8149e0c1L,
+        0x5904bdbb08053a73L },
+      { 0x30fc1dd1101b6805L,0x43c223bc49aa6d49L,0x9ed671417a174087L,
+        0x311469a0d5997008L } },
+    /* 40 << 119 */
+    { { 0xb189b6845e43fc61L,0xf3282375e0d3ab57L,0x4fa34b67b1181da8L,
+        0x621ed0b299ee52b8L },
+      { 0x9b178de1ad990676L,0xd51de67b56d54065L,0x2a2c27c47538c201L,
+        0x33856ec838a40f5cL } },
+    /* 41 << 119 */
+    { { 0x2522fc15be6cdcdeL,0x1e603f339f0c6f89L,0x7994edc3103e30a6L,
+        0x033a00db220c853eL },
+      { 0xd3cfa409f7bb7fd7L,0x70f8781e462d18f6L,0xbbd82980687fe295L,
+        0x6eef4c32595669f3L } },
+    /* 42 << 119 */
+    { { 0x86a9303b2f7e85c3L,0x5fce462171988f9bL,0x5b935bf6c138acb5L,
+        0x30ea7d6725661212L },
+      { 0xef1eb5f4e51ab9a2L,0x0587c98aae067c78L,0xb3ce1b3c77ca9ca6L,
+        0x2a553d4d54b5f057L } },
+    /* 43 << 119 */
+    { { 0xc78982364da29ec2L,0xdbdd5d13b9c57316L,0xc57d6e6b2cd80d47L,
+        0x80b460cffe9e7391L },
+      { 0x98648cabf963c31eL,0x67f9f633cc4d32fdL,0x0af42a9dfdf7c687L,
+        0x55f292a30b015ea7L } },
+    /* 44 << 119 */
+    { { 0x89e468b2cd21ab3dL,0xe504f022c393d392L,0xab21e1d4a5013af9L,
+        0xe3283f78c2c28acbL },
+      { 0xf38b35f6226bf99fL,0xe83542740e291e69L,0x61673a15b20c162dL,
+        0xc101dc75b04fbdbeL } },
+    /* 45 << 119 */
+    { { 0x8323b4c2255bd617L,0x6c9696936c2a9154L,0xc6e6586062679387L,
+        0x8e01db0cb8c88e23L },
+      { 0x33c42873893a5559L,0x7630f04b47a3e149L,0xb5d80805ddcf35f8L,
+        0x582ca08077dfe732L } },
+    /* 46 << 119 */
+    { { 0x2c7156e10b1894a0L,0x92034001d81c68c0L,0xed225d00c8b115b5L,
+        0x237f9c2283b907f2L },
+      { 0x0ea2f32f4470e2c0L,0xb725f7c158be4e95L,0x0f1dcafab1ae5463L,
+        0x59ed51871ba2fc04L } },
+    /* 47 << 119 */
+    { { 0xf6e0f316d0115d4dL,0x5180b12fd3691599L,0x157e32c9527f0a41L,
+        0x7b0b081da8e0ecc0L },
+      { 0x6dbaaa8abf4f0dd0L,0x99b289c74d252696L,0x79b7755edbf864feL,
+        0x6974e2b176cad3abL } },
+    /* 48 << 119 */
+    { { 0x35dbbee206ddd657L,0xe7cbdd112ff3a96dL,0x88381968076be758L,
+        0x2d737e7208c91f5dL },
+      { 0x5f83ab6286ec3776L,0x98aa649d945fa7a1L,0xf477ec3772ef0933L,
+        0x66f52b1e098c17b1L } },
+    /* 49 << 119 */
+    { { 0x9eec58fbd803738bL,0x91aaade7e4e86aa4L,0x6b1ae617a5b51492L,
+        0x63272121bbc45974L },
+      { 0x7e0e28f0862c5129L,0x0a8f79a93321a4a0L,0xe26d16645041c88fL,
+        0x0571b80553233e3aL } },
+    /* 50 << 119 */
+    { { 0xd1b0ccdec9520711L,0x55a9e4ed3c8b84bfL,0x9426bd39a1fef314L,
+        0x4f5f638e6eb93f2bL },
+      { 0xba2a1ed32bf9341bL,0xd63c13214d42d5a9L,0xd2964a89316dc7c5L,
+        0xd1759606ca511851L } },
+    /* 51 << 119 */
+    { { 0xd8a9201ff9e6ed35L,0xb7b5ee456736925aL,0x0a83fbbc99581af7L,
+        0x3076bc4064eeb051L },
+      { 0x5511c98c02dec312L,0x270de898238dcb78L,0x2cf4cf9c539c08c9L,
+        0xa70cb65e38d3b06eL } },
+    /* 52 << 119 */
+    { { 0xb12ec10ecfe57bbdL,0x82c7b65635a0c2b5L,0xddc7d5cd161c67bdL,
+        0xe32e8985ae3a32ccL },
+      { 0x7aba9444d11a5529L,0xe964ed022427fa1aL,0x1528392d24a1770aL,
+        0xa152ce2c12c72fcdL } },
+    /* 53 << 119 */
+    { { 0x714553a48ec07649L,0x18b4c290459dd453L,0xea32b7147b64b110L,
+        0xb871bfa52e6f07a2L },
+      { 0xb67112e59e2e3c9bL,0xfbf250e544aa90f6L,0xf77aedb8bd539006L,
+        0x3b0cdf9ad172a66fL } },
+    /* 54 << 119 */
+    { { 0xedf69feaf8c51187L,0x05bb67ec741e4da7L,0x47df0f3208114345L,
+        0x56facb07bb9792b1L },
+      { 0xf3e007e98f6229e4L,0x62d103f4526fba0fL,0x4f33bef7b0339d79L,
+        0x9841357bb59bfec1L } },
+    /* 55 << 119 */
+    { { 0xfa8dbb59c34e6705L,0xc3c7180b7fdaa84cL,0xf95872fca4108537L,
+        0x8750cc3b932a3e5aL },
+      { 0xb61cc69db7275d7dL,0xffa0168b2e59b2e9L,0xca032abc6ecbb493L,
+        0x1d86dbd32c9082d8L } },
+    /* 56 << 119 */
+    { { 0xae1e0b67e28ef5baL,0x2c9a4699cb18e169L,0x0ecd0e331e6bbd20L,
+        0x571b360eaf5e81d2L },
+      { 0xcd9fea58101c1d45L,0x6651788e18880452L,0xa99726351f8dd446L,
+        0x44bed022e37281d0L } },
+    /* 57 << 119 */
+    { { 0x094b2b2d33da525dL,0xf193678e13144fd8L,0xb8ab5ba4f4c1061dL,
+        0x4343b5fadccbe0f4L },
+      { 0xa870237163812713L,0x47bf6d2df7611d93L,0x46729b8cbd21e1d7L,
+        0x7484d4e0d629e77dL } },
+    /* 58 << 119 */
+    { { 0x830e6eea60dbac1fL,0x23d8c484da06a2f7L,0x896714b050ca535bL,
+        0xdc8d3644ebd97a9bL },
+      { 0x106ef9fab12177b4L,0xf79bf464534d5d9cL,0x2537a349a6ab360bL,
+        0xc7c54253a00c744fL } },
+    /* 59 << 119 */
+    { { 0xb3c7a047e5911a76L,0x61ffa5c8647f1ee7L,0x15aed36f8f56ab42L,
+        0x6a0d41b0a3ff9ac9L },
+      { 0x68f469f5cc30d357L,0xbe9adf816b72be96L,0x1cd926fe903ad461L,
+        0x7e89e38fcaca441bL } },
+    /* 60 << 119 */
+    { { 0xf0f82de5facf69d4L,0x363b7e764775344cL,0x6894f312b2e36d04L,
+        0x3c6cb4fe11d1c9a5L },
+      { 0x85d9c3394008e1f2L,0x5e9a85ea249f326cL,0xdc35c60a678c5e06L,
+        0xc08b944f9f86fba9L } },
+    /* 61 << 119 */
+    { { 0xde40c02c89f71f0fL,0xad8f3e31ff3da3c0L,0x3ea5096b42125dedL,
+        0x13879cbfa7379183L },
+      { 0x6f4714a56b306a0bL,0x359c2ea667646c5eL,0xfacf894307726368L,
+        0x07a5893565ff431eL } },
+    /* 62 << 119 */
+    { { 0x24d661d168754ab0L,0x801fce1d6f429a76L,0xc068a85fa58ce769L,
+        0xedc35c545d5eca2bL },
+      { 0xea31276fa3f660d1L,0xa0184ebeb8fc7167L,0x0f20f21a1d8db0aeL,
+        0xd96d095f56c35e12L } },
+    /* 63 << 119 */
+    { { 0xedf402b5f8c2a25bL,0x1bb772b9059204b6L,0x50cbeae219b4e34cL,
+        0x93109d803fa0845aL },
+      { 0x54f7ccf78ef59fb5L,0x3b438fe288070963L,0x9e28c65931f3ba9bL,
+        0x9cc31b46ead9da92L } },
+    /* 64 << 119 */
+    { { 0x3c2f0ba9b733aa5fL,0xdece47cbf05af235L,0xf8e3f715a2ac82a5L,
+        0xc97ba6412203f18aL },
+      { 0xc3af550409c11060L,0x56ea2c0546af512dL,0xfac28daff3f28146L,
+        0x87fab43a959ef494L } },
+    /* 0 << 126 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 126 */
+    { { 0x09891641d4c5105fL,0x1ae80f8e6d7fbd65L,0x9d67225fbee6bdb0L,
+        0x3b433b597fc4d860L },
+      { 0x44e66db693e85638L,0xf7b59252e3e9862fL,0xdb785157665c32ecL,
+        0x702fefd7ae362f50L } },
+    /* 2 << 126 */
+    { { 0x3754475d0fefb0c3L,0xd48fb56b46d7c35dL,0xa070b633363798a4L,
+        0xae89f3d28fdb98e6L },
+      { 0x970b89c86363d14cL,0x8981752167abd27dL,0x9bf7d47444d5a021L,
+        0xb3083bafcac72aeeL } },
+    /* 3 << 126 */
+    { { 0x389741debe949a44L,0x638e9388546a4fa5L,0x3fe6419ca0047bdcL,
+        0x7047f648aaea57caL },
+      { 0x54e48a9041fbab17L,0xda8e0b28576bdba2L,0xe807eebcc72afddcL,
+        0x07d3336df42577bfL } },
+    /* 4 << 126 */
+    { { 0x62a8c244bfe20925L,0x91c19ac38fdce867L,0x5a96a5d5dd387063L,
+        0x61d587d421d324f6L },
+      { 0xe87673a2a37173eaL,0x2384800853778b65L,0x10f8441e05bab43eL,
+        0xfa11fe124621efbeL } },
+    /* 5 << 126 */
+    { { 0x047b772e81685d7bL,0x23f27d81bf34a976L,0xc27608e2915f48efL,
+        0x3b0b43faa521d5c3L },
+      { 0x7613fb2663ca7284L,0x7f5729b41d4db837L,0x87b14898583b526bL,
+        0x00b732a6bbadd3d1L } },
+    /* 6 << 126 */
+    { { 0x8e02f4262048e396L,0x436b50b6383d9de4L,0xf78d3481471e85adL,
+        0x8b01ea6ad005c8d6L },
+      { 0xd3c7afee97015c07L,0x46cdf1a94e3ba2aeL,0x7a42e50183d3a1d2L,
+        0xd54b5268b541dff4L } },
+    /* 7 << 126 */
+    { { 0x3f24cf304e23e9bcL,0x4387f816126e3624L,0x26a46a033b0b6d61L,
+        0xaf1bc8458b2d777cL },
+      { 0x25c401ba527de79cL,0x0e1346d44261bbb6L,0x4b96c44b287b4bc7L,
+        0x658493c75254562fL } },
+    /* 8 << 126 */
+    { { 0x23f949feb8a24a20L,0x17ebfed1f52ca53fL,0x9b691bbebcfb4853L,
+        0x5617ff6b6278a05dL },
+      { 0x241b34c5e3c99ebdL,0xfc64242e1784156aL,0x4206482f695d67dfL,
+        0xb967ce0eee27c011L } },
+    /* 9 << 126 */
+    { { 0x65db375121c80b5dL,0x2e7a563ca31ecca0L,0xe56ffc4e5238a07eL,
+        0x3d6c296632ced854L },
+      { 0xe99d7d1aaf70b885L,0xafc3bad92d686459L,0x9c78bf460cc8ba5bL,
+        0x5a43951918955aa3L } },
+    /* 10 << 126 */
+    { { 0xf8b517a85fe4e314L,0xe60234d0fcb8906fL,0xffe542acf2061b23L,
+        0x287e191f6b4cb59cL },
+      { 0x21857ddc09d877d8L,0x1c23478c14678941L,0xbbf0c056b6e05ea4L,
+        0x82da4b53b01594feL } },
+    /* 11 << 126 */
+    { { 0xf7526791fadb8608L,0x049e832d7b74cdf6L,0xa43581ccc2b90a34L,
+        0x73639eb89360b10cL },
+      { 0x4fba331fe1e4a71bL,0x6ffd6b938072f919L,0x6e53271c65679032L,
+        0x67206444f14272ceL } },
+    /* 12 << 126 */
+    { { 0xc0f734a3b2335834L,0x9526205a90ef6860L,0xcb8be71704e2bb0dL,
+        0x2418871e02f383faL },
+      { 0xd71776814082c157L,0xcc914ad029c20073L,0xf186c1ebe587e728L,
+        0x6fdb3c2261bcd5fdL } },
+    /* 13 << 126 */
+    { { 0x30d014a6f2f9f8e9L,0x963ece234fec49d2L,0x862025c59605a8d9L,
+        0x3987444519f8929aL },
+      { 0x01b6ff6512bf476aL,0x598a64d809cf7d91L,0xd7ec774993be56caL,
+        0x10899785cbb33615L } },
+    /* 14 << 126 */
+    { { 0xb8a092fd02eee3adL,0xa86b3d3530145270L,0x323d98c68512b675L,
+        0x4b8bc78562ebb40fL },
+      { 0x7d301f54413f9cdeL,0xa5e4fb4f2bab5664L,0x1d2b252d1cbfec23L,
+        0xfcd576bbe177120dL } },
+    /* 15 << 126 */
+    { { 0x04427d3e83731a34L,0x2bb9028eed836e8eL,0xb36acff8b612ca7cL,
+        0xb88fe5efd3d9c73aL },
+      { 0xbe2a6bc6edea4eb3L,0x43b93133488eec77L,0xf41ff566b17106e1L,
+        0x469e9172654efa32L } },
+    /* 16 << 126 */
+    { { 0xb4480f0441c23fa3L,0xb4712eb0c1989a2eL,0x3ccbba0f93a29ca7L,
+        0x6e205c14d619428cL },
+      { 0x90db7957b3641686L,0x0432691d45ac8b4eL,0x07a759acf64e0350L,
+        0x0514d89c9c972517L } },
+    /* 17 << 126 */
+    { { 0x1701147fa8e67fc3L,0x9e2e0b8bab2085beL,0xd5651824ac284e57L,
+        0x890d432574893664L },
+      { 0x8a7c5e6ec55e68a3L,0xbf12e90b4339c85aL,0x31846b85f922b655L,
+        0x9a54ce4d0bf4d700L } },
+    /* 18 << 126 */
+    { { 0xd7f4e83af1a14295L,0x916f955cb285d4f9L,0xe57bb0e099ffdabaL,
+        0x28a43034eab0d152L },
+      { 0x0a36ffa2b8a9cef8L,0x5517407eb9ec051aL,0x9c796096ea68e672L,
+        0x853db5fbfb3c77fbL } },
+    /* 19 << 126 */
+    { { 0x21474ba9e864a51aL,0x6c2676996e8a1b8bL,0x7c82362694120a28L,
+        0xe61e9a488383a5dbL },
+      { 0x7dd750039f84216dL,0xab020d07ad43cd85L,0x9437ae48da12c659L,
+        0x6449c2ebe65452adL } },
+    /* 20 << 126 */
+    { { 0xcc7c4c1c2cf9d7c1L,0x1320886aee95e5abL,0xbb7b9056beae170cL,
+        0xc8a5b250dbc0d662L },
+      { 0x4ed81432c11d2303L,0x7da669121f03769fL,0x3ac7a5fd84539828L,
+        0x14dada943bccdd02L } },
+    /* 21 << 126 */
+    { { 0x8b84c3217ef6b0d1L,0x52a9477a7c933f22L,0x5ef6728afd440b82L,
+        0x5c3bd8596ce4bd5eL },
+      { 0x918b80f5f22c2d3eL,0x368d5040b7bb6cc5L,0xb66142a12695a11cL,
+        0x60ac583aeb19ea70L } },
+    /* 22 << 126 */
+    { { 0x317cbb980eab2437L,0x8cc08c555e2654c8L,0xfe2d6520e6d8307fL,
+        0xe9f147f357428993L },
+      { 0x5f9c7d14d2fd6cf1L,0xa3ecd0642d4fcbb0L,0xad83fef08e7341f7L,
+        0x643f23a03a63115cL } },
+    /* 23 << 126 */
+    { { 0xd38a78abe65ab743L,0xbf7c75b135edc89cL,0x3dd8752e530df568L,
+        0xf85c4a76e308c682L },
+      { 0x4c9955b2e68acf37L,0xa544df3dab32af85L,0x4b8ec3f5a25cf493L,
+        0x4d8f27641a622febL } },
+    /* 24 << 126 */
+    { { 0x7bb4f7aaf0dcbc49L,0x7de551f970bbb45bL,0xcfd0f3e49f2ca2e5L,
+        0xece587091f5c76efL },
+      { 0x32920edd167d79aeL,0x039df8a2fa7d7ec1L,0xf46206c0bb30af91L,
+        0x1ff5e2f522676b59L } },
+    /* 25 << 126 */
+    { { 0x11f4a0396ea51d66L,0x506c1445807d7a26L,0x60da5705755a9b24L,
+        0x8fc8cc321f1a319eL },
+      { 0x83642d4d9433d67dL,0x7fa5cb8f6a7dd296L,0x576591db9b7bde07L,
+        0x13173d25419716fbL } },
+    /* 26 << 126 */
+    { { 0xea30599dd5b340ffL,0xfc6b5297b0fe76c5L,0x1c6968c8ab8f5adcL,
+        0xf723c7f5901c928dL },
+      { 0x4203c3219773d402L,0xdf7c6aa31b51dd47L,0x3d49e37a552be23cL,
+        0x57febee80b5a6e87L } },
+    /* 27 << 126 */
+    { { 0xc5ecbee47bd8e739L,0x79d44994ae63bf75L,0x168bd00f38fb8923L,
+        0x75d48ee4d0533130L },
+      { 0x554f77aadb5cdf33L,0x3396e8963c696769L,0x2fdddbf2d3fd674eL,
+        0xbbb8f6ee99d0e3e5L } },
+    /* 28 << 126 */
+    { { 0x51b90651cbae2f70L,0xefc4bc0593aaa8ebL,0x8ecd8689dd1df499L,
+        0x1aee99a822f367a5L },
+      { 0x95d485b9ae8274c5L,0x6c14d4457d30b39cL,0xbafea90bbcc1ef81L,
+        0x7c5f317aa459a2edL } },
+    /* 29 << 126 */
+    { { 0x012110754ef44227L,0xa17bed6edc20f496L,0x0cdfe424819853cdL,
+        0x13793298f71e2ce7L },
+      { 0x3c1f3078dbbe307bL,0x6dd1c20e76ee9936L,0x23ee4b57423caa20L,
+        0x4ac3793b8efb840eL } },
+    /* 30 << 126 */
+    { { 0x934438ebed1f8ca0L,0x3e5466584ebb25a2L,0xc415af0ec069896fL,
+        0xc13eddb09a5aa43dL },
+      { 0x7a04204fd49eb8f6L,0xd0d5bdfcd74f1670L,0x3697e28656fc0558L,
+        0x1020737101cebadeL } },
+    /* 31 << 126 */
+    { { 0x5f87e6900647a82bL,0x908e0ed48f40054fL,0xa9f633d479853803L,
+        0x8ed13c9a4a28b252L },
+      { 0x3e2ef6761f460f64L,0x53930b9b36d06336L,0x347073ac8fc4979bL,
+        0x84380e0e5ecd5597L } },
+    /* 32 << 126 */
+    { { 0xe3b22c6bc4fe3c39L,0xba4a81536c7bebdfL,0xf23ab6b725693459L,
+        0x53bc377014922b11L },
+      { 0x4645c8ab5afc60dbL,0xaa02235520b9f2a3L,0x52a2954cce0fc507L,
+        0x8c2731bb7ce1c2e7L } },
+    /* 33 << 126 */
+    { { 0xf39608ab18a0339dL,0xac7a658d3735436cL,0xb22c2b07cd992b4fL,
+        0x4e83daecf40dcfd4L },
+      { 0x8a34c7be2f39ea3eL,0xef0c005fb0a56d2eL,0x62731f6a6edd8038L,
+        0x5721d7404e3cb075L } },
+    /* 34 << 126 */
+    { { 0x1ea41511fbeeee1bL,0xd1ef5e73ef1d0c05L,0x42feefd173c07d35L,
+        0xe530a00a8a329493L },
+      { 0x5d55b7fef15ebfb0L,0x549de03cd322491aL,0xf7b5f602745b3237L,
+        0x3632a3a21ab6e2b6L } },
+    /* 35 << 126 */
+    { { 0x0d3bba890ef59f78L,0x0dfc6443c9e52b9aL,0x1dc7969972631447L,
+        0xef033917b3be20b1L },
+      { 0x0c92735db1383948L,0xc1fc29a2c0dd7d7dL,0x6485b697403ed068L,
+        0x13bfaab3aac93bdcL } },
+    /* 36 << 126 */
+    { { 0x410dc6a90deeaf52L,0xb003fb024c641c15L,0x1384978c5bc504c4L,
+        0x37640487864a6a77L },
+      { 0x05991bc6222a77daL,0x62260a575e47eb11L,0xc7af6613f21b432cL,
+        0x22f3acc9ab4953e9L } },
+    /* 37 << 126 */
+    { { 0x529349228e41d155L,0x4d0245683ac059efL,0xb02017554d884411L,
+        0xce8055cfa59a178fL },
+      { 0xcd77d1aff6204549L,0xa0a00a3ec7066759L,0x471071ef0272c229L,
+        0x009bcf6bd3c4b6b0L } },
+    /* 38 << 126 */
+    { { 0x2a2638a822305177L,0xd51d59df41645bbfL,0xa81142fdc0a7a3c0L,
+        0xa17eca6d4c7063eeL },
+      { 0x0bb887ed60d9dcecL,0xd6d28e5120ad2455L,0xebed6308a67102baL,
+        0x042c31148bffa408L } },
+    /* 39 << 126 */
+    { { 0xfd099ac58aa68e30L,0x7a6a3d7c1483513eL,0xffcc6b75ba2d8f0cL,
+        0x54dacf961e78b954L },
+      { 0xf645696fa4a9af89L,0x3a41194006ac98ecL,0x41b8b3f622a67a20L,
+        0x2d0b1e0f99dec626L } },
+    /* 40 << 126 */
+    { { 0x27c8919240be34e8L,0xc7162b3791907f35L,0x90188ec1a956702bL,
+        0xca132f7ddf93769cL },
+      { 0x3ece44f90e2025b4L,0x67aaec690c62f14cL,0xad74141822e3cc11L,
+        0xcf9b75c37ff9a50eL } },
+    /* 41 << 126 */
+    { { 0x02fa2b164d348272L,0xbd99d61a9959d56dL,0xbc4f19db18762916L,
+        0xcc7cce5049c1ac80L },
+      { 0x4d59ebaad846bd83L,0x8775a9dca9202849L,0x07ec4ae16e1f4ca9L,
+        0x27eb5875ba893f11L } },
+    /* 42 << 126 */
+    { { 0x00284d51662cc565L,0x82353a6b0db4138dL,0xd9c7aaaaaa32a594L,
+        0xf5528b5ea5669c47L },
+      { 0xf32202312f23c5ffL,0xe3e8147a6affa3a1L,0xfb423d5c202ddda0L,
+        0x3d6414ac6b871bd4L } },
+    /* 43 << 126 */
+    { { 0x586f82e1a51a168aL,0xb712c67148ae5448L,0x9a2e4bd176233eb8L,
+        0x0188223a78811ca9L },
+      { 0x553c5e21f7c18de1L,0x7682e451b27bb286L,0x3ed036b30e51e929L,
+        0xf487211bec9cb34fL } },
+    /* 44 << 126 */
+    { { 0x0d0942770c24efc8L,0x0349fd04bef737a4L,0x6d1c9dd2514cdd28L,
+        0x29c135ff30da9521L },
+      { 0xea6e4508f78b0b6fL,0x176f5dd2678c143cL,0x081484184be21e65L,
+        0x27f7525ce7df38c4L } },
+    /* 45 << 126 */
+    { { 0x1fb70e09748ab1a4L,0x9cba50a05efe4433L,0x7846c7a615f75af2L,
+        0x2a7c2c575ee73ea8L },
+      { 0x42e566a43f0a449aL,0x45474c3bad90fc3dL,0x7447be3d8b61d057L,
+        0x3e9d1cf13a4ec092L } },
+    /* 46 << 126 */
+    { { 0x1603e453f380a6e6L,0x0b86e4319b1437c2L,0x7a4173f2ef29610aL,
+        0x8fa729a7f03d57f7L },
+      { 0x3e186f6e6c9c217eL,0xbe1d307991919524L,0x92a62a70153d4fb1L,
+        0x32ed3e34d68c2f71L } },
+    /* 47 << 126 */
+    { { 0xd785027f9eb1a8b7L,0xbc37eb77c5b22fe8L,0x466b34f0b9d6a191L,
+        0x008a89af9a05f816L },
+      { 0x19b028fb7d42c10aL,0x7fe8c92f49b3f6b8L,0x58907cc0a5a0ade3L,
+        0xb3154f51559d1a7cL } },
+    /* 48 << 126 */
+    { { 0x5066efb6d9790ed6L,0xa77a0cbca6aa793bL,0x1a915f3c223e042eL,
+        0x1c5def0469c5874bL },
+      { 0x0e83007873b6c1daL,0x55cf85d2fcd8557aL,0x0f7c7c760460f3b1L,
+        0x87052acb46e58063L } },
+    /* 49 << 126 */
+    { { 0x09212b80907eae66L,0x3cb068e04d721c89L,0xa87941aedd45ac1cL,
+        0xde8d5c0d0daa0dbbL },
+      { 0xda421fdce3502e6eL,0xc89442014d89a084L,0x7307ba5ef0c24bfbL,
+        0xda212beb20bde0efL } },
+    /* 50 << 126 */
+    { { 0xea2da24bf82ce682L,0x058d381607f71fe4L,0x35a024625ffad8deL,
+        0xcd7b05dcaadcefabL },
+      { 0xd442f8ed1d9f54ecL,0x8be3d618b2d3b5caL,0xe2220ed0e06b2ce2L,
+        0x82699a5f1b0da4c0L } },
+    /* 51 << 126 */
+    { { 0x3ff106f571c0c3a7L,0x8f580f5a0d34180cL,0x4ebb120e22d7d375L,
+        0x5e5782cce9513675L },
+      { 0x2275580c99c82a70L,0xe8359fbf15ea8c4cL,0x53b48db87b415e70L,
+        0xaacf2240100c6014L } },
+    /* 52 << 126 */
+    { { 0x9faaccf5e4652f1dL,0xbd6fdd2ad56157b2L,0xa4f4fb1f6261ec50L,
+        0x244e55ad476bcd52L },
+      { 0x881c9305047d320bL,0x1ca983d56181263fL,0x354e9a44278fb8eeL,
+        0xad2dbc0f396e4964L } },
+    /* 53 << 126 */
+    { { 0x723f3aa29268b3deL,0x0d1ca29ae6e0609aL,0x794866aa6cf44252L,
+        0x0b59f3e301af87edL },
+      { 0xe234e5ff7f4a6c51L,0xa8768fd261dc2f7eL,0xdafc73320a94d81fL,
+        0xd7f8428206938ce1L } },
+    /* 54 << 126 */
+    { { 0xae0b3c0e0546063eL,0x7fbadcb25d61abc6L,0xd5d7a2c9369ac400L,
+        0xa5978d09ae67d10cL },
+      { 0x290f211e4f85eaacL,0xe61e2ad1facac681L,0xae125225388384cdL,
+        0xa7fb68e9ccfde30fL } },
+    /* 55 << 126 */
+    { { 0x7a59b9363daed4c2L,0x80a9aa402606f789L,0xb40c1ea5f6a6d90aL,
+        0x948364d3514d5885L },
+      { 0x062ebc6070985182L,0xa6db5b0e33310895L,0x64a12175e329c2f5L,
+        0xc5f25bd290ea237eL } },
+    /* 56 << 126 */
+    { { 0x7915c5242d0a4c23L,0xeb5d26e46bb3cc52L,0x369a9116c09e2c92L,
+        0x0c527f92cf182cf8L },
+      { 0x9e5919382aede0acL,0xb29222086cc34939L,0x3c9d896299a34361L,
+        0x3c81836dc1905fe6L } },
+    /* 57 << 126 */
+    { { 0x4bfeb57fa001ec5aL,0xe993f5bba0dc5dbaL,0x47884109724a1380L,
+        0x8a0369ab32fe9a04L },
+      { 0xea068d608c927db8L,0xbf5f37cf94655741L,0x47d402a204b6c7eaL,
+        0x4551c2956af259cbL } },
+    /* 58 << 126 */
+    { { 0x698b71e7ed77ee8bL,0xbddf7bd0f309d5c7L,0x6201c22c34e780caL,
+        0xab04f7d84c295ef4L },
+      { 0x1c9472944313a8ceL,0xe532e4ac92ca4cfeL,0x89738f80d0a7a97aL,
+        0xec088c88a580fd5bL } },
+    /* 59 << 126 */
+    { { 0x612b1ecc42ce9e51L,0x8f9840fdb25fdd2aL,0x3cda78c001e7f839L,
+        0x546b3d3aece05480L },
+      { 0x271719a980d30916L,0x45497107584c20c4L,0xaf8f94785bc78608L,
+        0x28c7d484277e2a4cL } },
+    /* 60 << 126 */
+    { { 0xfce0176788a2ffe4L,0xdc506a3528e169a5L,0x0ea108617af9c93aL,
+        0x1ed2436103fa0e08L },
+      { 0x96eaaa92a3d694e7L,0xc0f43b4def50bc74L,0xce6aa58c64114db4L,
+        0x8218e8ea7c000fd4L } },
+    /* 61 << 126 */
+    { { 0xac815dfb185f8844L,0xcd7e90cb1557abfbL,0x23d16655afbfecdfL,
+        0x80f3271f085cac4aL },
+      { 0x7fc39aa7d0e62f47L,0x88d519d1460a48e5L,0x59559ac4d28f101eL,
+        0x7981d9e9ca9ae816L } },
+    /* 62 << 126 */
+    { { 0x5c38652c9ac38203L,0x86eaf87f57657fe5L,0x568fc472e21f5416L,
+        0x2afff39ce7e597b5L },
+      { 0x3adbbb07256d4eabL,0x225986928285ab89L,0x35f8112a041caefeL,
+        0x95df02e3a5064c8bL } },
+    /* 63 << 126 */
+    { { 0x4d63356ec7004bf3L,0x230a08f4db83c7deL,0xca27b2708709a7b7L,
+        0x0d1c4cc4cb9abd2dL },
+      { 0x8a0bc66e7550fee8L,0x369cd4c79cf7247eL,0x75562e8492b5b7e7L,
+        0x8fed0da05802af7bL } },
+    /* 64 << 126 */
+    { { 0x6a7091c2e48fb889L,0x26882c137b8a9d06L,0xa24986631b82a0e2L,
+        0x844ed7363518152dL },
+      { 0x282f476fd86e27c7L,0xa04edaca04afefdcL,0x8b256ebc6119e34dL,
+        0x56a413e90787d78bL } },
+    /* 0 << 133 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 133 */
+    { { 0x82ee061d5a74be50L,0xe41781c4dea16ff5L,0xe0b0c81e99bfc8a2L,
+        0x624f4d690b547e2dL },
+      { 0x3a83545dbdcc9ae4L,0x2573dbb6409b1e8eL,0x482960c4a6c93539L,
+        0xf01059ad5ae18798L } },
+    /* 2 << 133 */
+    { { 0x715c9f973112795fL,0xe8244437984e6ee1L,0x55cb4858ecb66bcdL,
+        0x7c136735abaffbeeL },
+      { 0x546615955dbec38eL,0x51c0782c388ad153L,0x9ba4c53ac6e0952fL,
+        0x27e6782a1b21dfa8L } },
+    /* 3 << 133 */
+    { { 0x682f903d4ed2dbc2L,0x0eba59c87c3b2d83L,0x8e9dc84d9c7e9335L,
+        0x5f9b21b00eb226d7L },
+      { 0xe33bd394af267baeL,0xaa86cc25be2e15aeL,0x4f0bf67d6a8ec500L,
+        0x5846aa44f9630658L } },
+    /* 4 << 133 */
+    { { 0xfeb09740e2c2bf15L,0x627a2205a9e99704L,0xec8d73d0c2fbc565L,
+        0x223eed8fc20c8de8L },
+      { 0x1ee32583a8363b49L,0x1a0b6cb9c9c2b0a6L,0x49f7c3d290dbc85cL,
+        0xa8dfbb971ef4c1acL } },
+    /* 5 << 133 */
+    { { 0xafb34d4c65c7c2abL,0x1d4610e7e2c5ea84L,0x893f6d1b973c4ab5L,
+        0xa3cdd7e9945ba5c4L },
+      { 0x60514983064417eeL,0x1459b23cad6bdf2bL,0x23b2c3415cf726c3L,
+        0x3a82963532d6354aL } },
+    /* 6 << 133 */
+    { { 0x294f901fab192c18L,0xec5fcbfe7030164fL,0xe2e2fcb7e2246ba6L,
+        0x1e7c88b3221a1a0cL },
+      { 0x72c7dd93c92d88c5L,0x41c2148e1106fb59L,0x547dd4f5a0f60f14L,
+        0xed9b52b263960f31L } },
+    /* 7 << 133 */
+    { { 0x6c8349ebb0a5b358L,0xb154c5c29e7e2ed6L,0xcad5eccfeda462dbL,
+        0xf2d6dbe42de66b69L },
+      { 0x426aedf38665e5b2L,0x488a85137b7f5723L,0x15cc43b38bcbb386L,
+        0x27ad0af3d791d879L } },
+    /* 8 << 133 */
+    { { 0xc16c236e846e364fL,0x7f33527cdea50ca0L,0xc48107750926b86dL,
+        0x6c2a36090598e70cL },
+      { 0xa6755e52f024e924L,0xe0fa07a49db4afcaL,0x15c3ce7d66831790L,
+        0x5b4ef350a6cbb0d6L } },
+    /* 9 << 133 */
+    { { 0x2c4aafc4b6205969L,0x42563f02f6c7854fL,0x016aced51d983b48L,
+        0xfeb356d899949755L },
+      { 0x8c2a2c81d1a39bd7L,0x8f44340fe6934ae9L,0x148cf91c447904daL,
+        0x7340185f0f51a926L } },
+    /* 10 << 133 */
+    { { 0x2f8f00fb7409ab46L,0x057e78e680e289b2L,0x03e5022ca888e5d1L,
+        0x3c87111a9dede4e2L },
+      { 0x5b9b0e1c7809460bL,0xe751c85271c9abc7L,0x8b944e28c7cc1dc9L,
+        0x4f201ffa1d3cfa08L } },
+    /* 11 << 133 */
+    { { 0x02fc905c3e6721ceL,0xd52d70dad0b3674cL,0x5dc2e5ca18810da4L,
+        0xa984b2735c69dd99L },
+      { 0x63b9252784de5ca4L,0x2f1c9872c852dec4L,0x18b03593c2e3de09L,
+        0x19d70b019813dc2fL } },
+    /* 12 << 133 */
+    { { 0x42806b2da6dc1d29L,0xd3030009f871e144L,0xa1feb333aaf49276L,
+        0xb5583b9ec70bc04bL },
+      { 0x1db0be7895695f20L,0xfc84181189d012b5L,0x6409f27205f61643L,
+        0x40d34174d5883128L } },
+    /* 13 << 133 */
+    { { 0xd79196f567419833L,0x6059e252863b7b08L,0x84da18171c56700cL,
+        0x5758ee56b28d3ec4L },
+      { 0x7da2771d013b0ea6L,0xfddf524b54c5e9b9L,0x7df4faf824305d80L,
+        0x58f5c1bf3a97763fL } },
+    /* 14 << 133 */
+    { { 0xa5af37f17c696042L,0xd4cba22c4a2538deL,0x211cb9959ea42600L,
+        0xcd105f417b069889L },
+      { 0xb1e1cf19ddb81e74L,0x472f2d895157b8caL,0x086fb008ee9db885L,
+        0x365cd5700f26d131L } },
+    /* 15 << 133 */
+    { { 0x284b02bba2be7053L,0xdcbbf7c67ab9a6d6L,0x4425559c20f7a530L,
+        0x961f2dfa188767c8L },
+      { 0xe2fd943570dc80c4L,0x104d6b63f0784120L,0x7f592bc153567122L,
+        0xf6bc1246f688ad77L } },
+    /* 16 << 133 */
+    { { 0x05214c050f15dde9L,0xa47a76a80d5f2b82L,0xbb254d3062e82b62L,
+        0x11a05fe03ec955eeL },
+      { 0x7eaff46e9d529b36L,0x55ab13018f9e3df6L,0xc463e37199317698L,
+        0xfd251438ccda47adL } },
+    /* 17 << 133 */
+    { { 0xca9c354723d695eaL,0x48ce626e16e589b5L,0x6b5b64c7b187d086L,
+        0xd02e1794b2207948L },
+      { 0x8b58e98f7198111dL,0x90ca6305dcf9c3ccL,0x5691fe72f34089b0L,
+        0x60941af1fc7c80ffL } },
+    /* 18 << 133 */
+    { { 0xa09bc0a222eb51e5L,0xc0bb7244aa9cf09aL,0x36a8077f80159f06L,
+        0x8b5c989edddc560eL },
+      { 0x19d2f316512e1f43L,0x02eac554ad08ff62L,0x012ab84c07d20b4eL,
+        0x37d1e115d6d4e4e1L } },
+    /* 19 << 133 */
+    { { 0xb6443e1aab7b19a8L,0xf08d067edef8cd45L,0x63adf3e9685e03daL,
+        0xcf15a10e4792b916L },
+      { 0xf44bcce5b738a425L,0xebe131d59636b2fdL,0x940688417850d605L,
+        0x09684eaab40d749dL } },
+    /* 20 << 133 */
+    { { 0x8c3c669c72ba075bL,0x89f78b55ba469015L,0x5706aade3e9f8ba8L,
+        0x6d8bd565b32d7ed7L },
+      { 0x25f4e63b805f08d6L,0x7f48200dc3bcc1b5L,0x4e801968b025d847L,
+        0x74afac0487cbe0a8L } },
+    /* 21 << 133 */
+    { { 0x43ed2c2b7e63d690L,0xefb6bbf00223cdb8L,0x4fec3cae2884d3feL,
+        0x065ecce6d75e25a4L },
+      { 0x6c2294ce69f79071L,0x0d9a8e5f044b8666L,0x5009f23817b69d8fL,
+        0x3c29f8fec5dfdaf7L } },
+    /* 22 << 133 */
+    { { 0x9067528febae68c4L,0x5b38563230c5ba21L,0x540df1191fdd1aecL,
+        0xcf37825bcfba4c78L },
+      { 0x77eff980beb11454L,0x40a1a99160c1b066L,0xe8018980f889a1c7L,
+        0xb9c52ae976c24be0L } },
+    /* 23 << 133 */
+    { { 0x05fbbcce45650ef4L,0xae000f108aa29ac7L,0x884b71724f04c470L,
+        0x7cd4fde219bb5c25L },
+      { 0x6477b22ae8840869L,0xa88688595fbd0686L,0xf23cc02e1116dfbaL,
+        0x76cd563fd87d7776L } },
+    /* 24 << 133 */
+    { { 0xe2a37598a9d82abfL,0x5f188ccbe6c170f5L,0x816822005066b087L,
+        0xda22c212c7155adaL },
+      { 0x151e5d3afbddb479L,0x4b606b846d715b99L,0x4a73b54bf997cb2eL,
+        0x9a1bfe433ecd8b66L } },
+    /* 25 << 133 */
+    { { 0x1c3128092a67d48aL,0xcd6a671e031fa9e2L,0xbec3312a0e43a34aL,
+        0x1d93563955ef47d3L },
+      { 0x5ea024898fea73eaL,0x8247b364a035afb2L,0xb58300a65265b54cL,
+        0x3286662f722c7148L } },
+    /* 26 << 133 */
+    { { 0xb77fd76bb4ec4c20L,0xf0a12fa70f3fe3fdL,0xf845bbf541d8c7e8L,
+        0xe4d969ca5ec10aa8L },
+      { 0x4c0053b743e232a3L,0xdc7a3fac37f8a45aL,0x3c4261c520d81c8fL,
+        0xfd4b3453b00eab00L } },
+    /* 27 << 133 */
+    { { 0x76d48f86d36e3062L,0x626c5277a143ff02L,0x538174deaf76f42eL,
+        0x2267aa866407ceacL },
+      { 0xfad7635172e572d5L,0xab861af7ba7330ebL,0xa0a1c8c7418d8657L,
+        0x988821cb20289a52L } },
+    /* 28 << 133 */
+    { { 0x79732522cccc18adL,0xaadf3f8df1a6e027L,0xf7382c9317c2354dL,
+        0x5ce1680cd818b689L },
+      { 0x359ebbfcd9ecbee9L,0x4330689c1cae62acL,0xb55ce5b4c51ac38aL,
+        0x7921dfeafe238ee8L } },
+    /* 29 << 133 */
+    { { 0x3972bef8271d1ca5L,0x3e423bc7e8aabd18L,0x57b09f3f44a3e5e3L,
+        0x5da886ae7b444d66L },
+      { 0x68206634a9964375L,0x356a2fa3699cd0ffL,0xaf0faa24dba515e9L,
+        0x536e1f5cb321d79aL } },
+    /* 30 << 133 */
+    { { 0xd3b9913a5c04e4eaL,0xd549dcfed6f11513L,0xee227bf579fd1d94L,
+        0x9f35afeeb43f2c67L },
+      { 0xd2638d24f1314f53L,0x62baf948cabcd822L,0x5542de294ef48db0L,
+        0xb3eb6a04fc5f6bb2L } },
+    /* 31 << 133 */
+    { { 0x23c110ae1208e16aL,0x1a4d15b5f8363e24L,0x30716844164be00bL,
+        0xa8e24824f6f4690dL },
+      { 0x548773a290b170cfL,0xa1bef33142f191f4L,0x70f418d09247aa97L,
+        0xea06028e48be9147L } },
+    /* 32 << 133 */
+    { { 0xe13122f3dbfb894eL,0xbe9b79f6ce274b18L,0x85a49de5ca58aadfL,
+        0x2495775811487351L },
+      { 0x111def61bb939099L,0x1d6a974a26d13694L,0x4474b4ced3fc253bL,
+        0x3a1485e64c5db15eL } },
+    /* 33 << 133 */
+    { { 0xe79667b4147c15b4L,0xe34f553b7bc61301L,0x032b80f817094381L,
+        0x55d8bafd723eaa21L },
+      { 0x5a987995f1c0e74eL,0x5a9b292eebba289cL,0x413cd4b2eb4c8251L,
+        0x98b5d243d162db0aL } },
+    /* 34 << 133 */
+    { { 0xbb47bf6668342520L,0x08d68949baa862d1L,0x11f349c7e906abcdL,
+        0x454ce985ed7bf00eL },
+      { 0xacab5c9eb55b803bL,0xb03468ea31e3c16dL,0x5c24213dd273bf12L,
+        0x211538eb71587887L } },
+    /* 35 << 133 */
+    { { 0x198e4a2f731dea2dL,0xd5856cf274ed7b2aL,0x86a632eb13a664feL,
+        0x932cd909bda41291L },
+      { 0x850e95d4c0c4ddc0L,0xc0f422f8347fc2c9L,0xe68cbec486076bcbL,
+        0xf9e7c0c0cd6cd286L } },
+    /* 36 << 133 */
+    { { 0x65994ddb0f5f27caL,0xe85461fba80d59ffL,0xff05481a66601023L,
+        0xc665427afc9ebbfbL },
+      { 0xb0571a697587fd52L,0x935289f88d49efceL,0x61becc60ea420688L,
+        0xb22639d913a786afL } },
+    /* 37 << 133 */
+    { { 0x1a8e6220361ecf90L,0x001f23e025506463L,0xe4ae9b5d0a5c2b79L,
+        0xebc9cdadd8149db5L },
+      { 0xb33164a1934aa728L,0x750eb00eae9b60f3L,0x5a91615b9b9cfbfdL,
+        0x97015cbfef45f7f6L } },
+    /* 38 << 133 */
+    { { 0xb462c4a5bf5151dfL,0x21adcc41b07118f2L,0xd60c545b043fa42cL,
+        0xfc21aa54e96be1abL },
+      { 0xe84bc32f4e51ea80L,0x3dae45f0259b5d8dL,0xbb73c7ebc38f1b5eL,
+        0xe405a74ae8ae617dL } },
+    /* 39 << 133 */
+    { { 0xbb1ae9c69f1c56bdL,0x8c176b9849f196a4L,0xc448f3116875092bL,
+        0xb5afe3de9f976033L },
+      { 0xa8dafd49145813e5L,0x687fc4d9e2b34226L,0xf2dfc92d4c7ff57fL,
+        0x004e3fc1401f1b46L } },
+    /* 40 << 133 */
+    { { 0x5afddab61430c9abL,0x0bdd41d32238e997L,0xf0947430418042aeL,
+        0x71f9addacdddc4cbL },
+      { 0x7090c016c52dd907L,0xd9bdf44d29e2047fL,0xe6f1fe801b1011a6L,
+        0xb63accbcd9acdc78L } },
+    /* 41 << 133 */
+    { { 0xcfc7e2351272a95bL,0x0c667717a6276ac8L,0x3c0d3709e2d7eef7L,
+        0x5add2b069a685b3eL },
+      { 0x363ad32d14ea5d65L,0xf8e01f068d7dd506L,0xc9ea221375b4aac6L,
+        0xed2a2bf90d353466L } },
+    /* 42 << 133 */
+    { { 0x439d79b5e9d3a7c3L,0x8e0ee5a681b7f34bL,0xcf3dacf51dc4ba75L,
+        0x1d3d1773eb3310c7L },
+      { 0xa8e671127747ae83L,0x31f43160197d6b40L,0x0521cceecd961400L,
+        0x67246f11f6535768L } },
+    /* 43 << 133 */
+    { { 0x702fcc5aef0c3133L,0x247cc45d7e16693bL,0xfd484e49c729b749L,
+        0x522cef7db218320fL },
+      { 0xe56ef40559ab93b3L,0x225fba119f181071L,0x33bd659515330ed0L,
+        0xc4be69d51ddb32f7L } },
+    /* 44 << 133 */
+    { { 0x264c76680448087cL,0xac30903f71432daeL,0x3851b26600f9bf47L,
+        0x400ed3116cdd6d03L },
+      { 0x045e79fef8fd2424L,0xfdfd974afa6da98bL,0x45c9f6410c1e673aL,
+        0x76f2e7335b2c5168L } },
+    /* 45 << 133 */
+    { { 0x1adaebb52a601753L,0xb286514cc57c2d49L,0xd87696701e0bfd24L,
+        0x950c547e04478922L },
+      { 0xd1d41969e5d32bfeL,0x30bc1472750d6c3eL,0x8f3679fee0e27f3aL,
+        0x8f64a7dca4a6ee0cL } },
+    /* 46 << 133 */
+    { { 0x2fe59937633dfb1fL,0xea82c395977f2547L,0xcbdfdf1a661ea646L,
+        0xc7ccc591b9085451L },
+      { 0x8217796281761e13L,0xda57596f9196885cL,0xbc17e84928ffbd70L,
+        0x1e6e0a412671d36fL } },
+    /* 47 << 133 */
+    { { 0x61ae872c4152fcf5L,0x441c87b09e77e754L,0xd0799dd5a34dff09L,
+        0x766b4e4488a6b171L },
+      { 0xdc06a51211f1c792L,0xea02ae934be35c3eL,0xe5ca4d6de90c469eL,
+        0x4df4368e56e4ff5cL } },
+    /* 48 << 133 */
+    { { 0x7817acab4baef62eL,0x9f5a2202a85b91e8L,0x9666ebe66ce57610L,
+        0x32ad31f3f73bfe03L },
+      { 0x628330a425bcf4d6L,0xea950593515056e6L,0x59811c89e1332156L,
+        0xc89cf1fe8c11b2d7L } },
+    /* 49 << 133 */
+    { { 0x75b6391304e60cc0L,0xce811e8d4625d375L,0x030e43fc2d26e562L,
+        0xfbb30b4b608d36a0L },
+      { 0x634ff82c48528118L,0x7c6fe085cd285911L,0x7f2830c099358f28L,
+        0x2e60a95e665e6c09L } },
+    /* 50 << 133 */
+    { { 0x08407d3d9b785dbfL,0x530889aba759bce7L,0xf228e0e652f61239L,
+        0x2b6d14616879be3cL },
+      { 0xe6902c0451a7bbf7L,0x30ad99f076f24a64L,0x66d9317a98bc6da0L,
+        0xf4f877f3cb596ac0L } },
+    /* 51 << 133 */
+    { { 0xb05ff62d4c44f119L,0x4555f536e9b77416L,0xc7c0d0598caed63bL,
+        0x0cd2b7cec358b2a9L },
+      { 0x3f33287b46945fa3L,0xf8785b20d67c8791L,0xc54a7a619637bd08L,
+        0x54d4598c18be79d7L } },
+    /* 52 << 133 */
+    { { 0x889e5acbc46d7ce1L,0x9a515bb78b085877L,0xfac1a03d0b7a5050L,
+        0x7d3e738af2926035L },
+      { 0x861cc2ce2a6cb0ebL,0x6f2e29558f7adc79L,0x61c4d45133016376L,
+        0xd9fd2c805ad59090L } },
+    /* 53 << 133 */
+    { { 0xe5a83738b2b836a1L,0x855b41a07c0d6622L,0x186fe3177cc19af1L,
+        0x6465c1fffdd99acbL },
+      { 0x46e5c23f6974b99eL,0x75a7cf8ba2717cbeL,0x4d2ebc3f062be658L,
+        0x094b44475f209c98L } },
+    /* 54 << 133 */
+    { { 0x4af285edb940cb5aL,0x6706d7927cc82f10L,0xc8c8776c030526faL,
+        0xfa8e6f76a0da9140L },
+      { 0x77ea9d34591ee4f0L,0x5f46e33740274166L,0x1bdf98bbea671457L,
+        0xd7c08b46862a1fe2L } },
+    /* 55 << 133 */
+    { { 0x46cc303c1c08ad63L,0x995434404c845e7bL,0x1b8fbdb548f36bf7L,
+        0x5b82c3928c8273a7L },
+      { 0x08f712c4928435d5L,0x071cf0f179330380L,0xc74c2d24a8da054aL,
+        0xcb0e720143c46b5cL } },
+    /* 56 << 133 */
+    { { 0x0ad7337ac0b7eff3L,0x8552225ec5e48b3cL,0xe6f78b0c73f13a5fL,
+        0x5e70062e82349cbeL },
+      { 0x6b8d5048e7073969L,0x392d2a29c33cb3d2L,0xee4f727c4ecaa20fL,
+        0xa068c99e2ccde707L } },
+    /* 57 << 133 */
+    { { 0xfcd5651fb87a2913L,0xea3e3c153cc252f0L,0x777d92df3b6cd3e4L,
+        0x7a414143c5a732e7L },
+      { 0xa895951aa71ff493L,0xfe980c92bbd37cf6L,0x45bd5e64decfeeffL,
+        0x910dc2a9a44c43e9L } },
+    /* 58 << 133 */
+    { { 0xcb403f26cca9f54dL,0x928bbdfb9303f6dbL,0x3c37951ea9eee67cL,
+        0x3bd61a52f79961c3L },
+      { 0x09a238e6395c9a79L,0x6940ca2d61eb352dL,0x7d1e5c5ec1875631L,
+        0x1e19742c1e1b20d1L } },
+    /* 59 << 133 */
+    { { 0x4633d90823fc2e6eL,0xa76e29a908959149L,0x61069d9c84ed7da5L,
+        0x0baa11cf5dbcad51L },
+      { 0xd01eec64961849daL,0x93b75f1faf3d8c28L,0x57bc4f9f1ca2ee44L,
+        0x5a26322d00e00558L } },
+    /* 60 << 133 */
+    { { 0x1888d65861a023efL,0x1d72aab4b9e5246eL,0xa9a26348e5563ec0L,
+        0xa0971963c3439a43L },
+      { 0x567dd54badb9b5b7L,0x73fac1a1c45a524bL,0x8fe97ef7fe38e608L,
+        0x608748d23f384f48L } },
+    /* 61 << 133 */
+    { { 0xb0571794c486094fL,0x869254a38bf3a8d6L,0x148a8dd1310b0e25L,
+        0x99ab9f3f9aa3f7d8L },
+      { 0x0927c68a6706c02eL,0x22b5e76c69790e6cL,0x6c3252606c71376cL,
+        0x53a5769009ef6657L } },
+    /* 62 << 133 */
+    { { 0x8d63f852edffcf3aL,0xb4d2ed043c0a6f55L,0xdb3aa8de12519b9eL,
+        0x5d38e9c41e0a569aL },
+      { 0x871528bf303747e2L,0xa208e77cf5b5c18dL,0x9d129c88ca6bf923L,
+        0xbcbf197fbf02839fL } },
+    /* 63 << 133 */
+    { { 0x9b9bf03027323194L,0x3b055a8b339ca59dL,0xb46b23120f669520L,
+        0x19789f1f497e5f24L },
+      { 0x9c499468aaf01801L,0x72ee11908b69d59cL,0x8bd39595acf4c079L,
+        0x3ee11ece8e0cd048L } },
+    /* 64 << 133 */
+    { { 0xebde86ec1ed66f18L,0x225d906bd61fce43L,0x5cab07d6e8bed74dL,
+        0x16e4617f27855ab7L },
+      { 0x6568aaddb2fbc3ddL,0xedb5484f8aeddf5bL,0x878f20e86dcf2fadL,
+        0x3516497c615f5699L } },
+    /* 0 << 140 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 140 */
+    { { 0xef0a3fecfa181e69L,0x9ea02f8130d69a98L,0xb2e9cf8e66eab95dL,
+        0x520f2beb24720021L },
+      { 0x621c540a1df84361L,0x1203772171fa6d5dL,0x6e3c7b510ff5f6ffL,
+        0x817a069babb2bef3L } },
+    /* 2 << 140 */
+    { { 0x83572fb6b294cda6L,0x6ce9bf75b9039f34L,0x20e012f0095cbb21L,
+        0xa0aecc1bd063f0daL },
+      { 0x57c21c3af02909e5L,0xc7d59ecf48ce9cdcL,0x2732b8448ae336f8L,
+        0x056e37233f4f85f4L } },
+    /* 3 << 140 */
+    { { 0x8a10b53189e800caL,0x50fe0c17145208fdL,0x9e43c0d3b714ba37L,
+        0x427d200e34189accL },
+      { 0x05dee24fe616e2c0L,0x9c25f4c8ee1854c1L,0x4d3222a58f342a73L,
+        0x0807804fa027c952L } },
+    /* 4 << 140 */
+    { { 0xc222653a4f0d56f3L,0x961e4047ca28b805L,0x2c03f8b04a73434bL,
+        0x4c966787ab712a19L },
+      { 0xcc196c42864fee42L,0xc1be93da5b0ece5cL,0xa87d9f22c131c159L,
+        0x2bb6d593dce45655L } },
+    /* 5 << 140 */
+    { { 0x22c49ec9b809b7ceL,0x8a41486be2c72c2cL,0x813b9420fea0bf36L,
+        0xb3d36ee9a66dac69L },
+      { 0x6fddc08a328cc987L,0x0a3bcd2c3a326461L,0x7103c49dd810dbbaL,
+        0xf9d81a284b78a4c4L } },
+    /* 6 << 140 */
+    { { 0x3de865ade4d55941L,0xdedafa5e30384087L,0x6f414abb4ef18b9bL,
+        0x9ee9ea42faee5268L },
+      { 0x260faa1637a55a4aL,0xeb19a514015f93b9L,0x51d7ebd29e9c3598L,
+        0x523fc56d1932178eL } },
+    /* 7 << 140 */
+    { { 0x501d070cb98fe684L,0xd60fbe9a124a1458L,0xa45761c892bc6b3fL,
+        0xf5384858fe6f27cbL },
+      { 0x4b0271f7b59e763bL,0x3d4606a95b5a8e5eL,0x1eda5d9b05a48292L,
+        0xda7731d0e6fec446L } },
+    /* 8 << 140 */
+    { { 0xa3e3369390d45871L,0xe976404006166d8dL,0xb5c3368289a90403L,
+        0x4bd1798372f1d637L },
+      { 0xa616679ed5d2c53aL,0x5ec4bcd8fdcf3b87L,0xae6d7613b66a694eL,
+        0x7460fc76e3fc27e5L } },
+    /* 9 << 140 */
+    { { 0x70469b8295caabeeL,0xde024ca5889501e3L,0x6bdadc06076ed265L,
+        0x0cb1236b5a0ef8b2L },
+      { 0x4065ddbf0972ebf9L,0xf1dd387522aca432L,0xa88b97cf744aff76L,
+        0xd1359afdfe8e3d24L } },
+    /* 10 << 140 */
+    { { 0x52a3ba2b91502cf3L,0x2c3832a8084db75dL,0x04a12dddde30b1c9L,
+        0x7802eabce31fd60cL },
+      { 0x33707327a37fddabL,0x65d6f2abfaafa973L,0x3525c5b811e6f91aL,
+        0x76aeb0c95f46530bL } },
+    /* 11 << 140 */
+    { { 0xe8815ff62f93a675L,0xa6ec968405f48679L,0x6dcbb556358ae884L,
+        0x0af61472e19e3873L },
+      { 0x72334372a5f696beL,0xc65e57ea6f22fb70L,0x268da30c946cea90L,
+        0x136a8a8765681b2aL } },
+    /* 12 << 140 */
+    { { 0xad5e81dc0f9f44d4L,0xf09a69602c46585aL,0xd1649164c447d1b1L,
+        0x3b4b36c8879dc8b1L },
+      { 0x20d4177b3b6b234cL,0x096a25051730d9d0L,0x0611b9b8ef80531dL,
+        0xba904b3b64bb495dL } },
+    /* 13 << 140 */
+    { { 0x1192d9d493a3147aL,0x9f30a5dc9a565545L,0x90b1f9cb6ef07212L,
+        0x299585460d87fc13L },
+      { 0xd3323effc17db9baL,0xcb18548ccb1644a8L,0x18a306d44f49ffbcL,
+        0x28d658f14c2e8684L } },
+    /* 14 << 140 */
+    { { 0x44ba60cda99f8c71L,0x67b7abdb4bf742ffL,0x66310f9c914b3f99L,
+        0xae430a32f412c161L },
+      { 0x1e6776d388ace52fL,0x4bc0fa2452d7067dL,0x03c286aa8f07cd1bL,
+        0x4cb8f38ca985b2c1L } },
+    /* 15 << 140 */
+    { { 0x83ccbe808c3bff36L,0x005a0bd25263e575L,0x460d7dda259bdcd1L,
+        0x4a1c5642fa5cab6bL },
+      { 0x2b7bdbb99fe4fc88L,0x09418e28cc97bbb5L,0xd8274fb4a12321aeL,
+        0xb137007d5c87b64eL } },
+    /* 16 << 140 */
+    { { 0x80531fe1c63c4962L,0x50541e89981fdb25L,0xdc1291a1fd4c2b6bL,
+        0xc0693a17a6df4fcaL },
+      { 0xb2c4604e0117f203L,0x245f19630a99b8d0L,0xaedc20aac6212c44L,
+        0xb1ed4e56520f52a8L } },
+    /* 17 << 140 */
+    { { 0xfe48f575f8547be3L,0x0a7033cda9e45f98L,0x4b45d3a918c50100L,
+        0xb2a6cd6aa61d41daL },
+      { 0x60bbb4f557933c6bL,0xa7538ebd2b0d7ffcL,0x9ea3ab8d8cd626b6L,
+        0x8273a4843601625aL } },
+    /* 18 << 140 */
+    { { 0x888598450168e508L,0x8cbc9bb299a94abdL,0x713ac792fab0a671L,
+        0xa3995b196c9ebffcL },
+      { 0xe711668e1239e152L,0x56892558bbb8dff4L,0x8bfc7dabdbf17963L,
+        0x5b59fe5ab3de1253L } },
+    /* 19 << 140 */
+    { { 0x7e3320eb34a9f7aeL,0xe5e8cf72d751efe4L,0x7ea003bcd9be2f37L,
+        0xc0f551a0b6c08ef7L },
+      { 0x56606268038f6725L,0x1dd38e356d92d3b6L,0x07dfce7cc3cbd686L,
+        0x4e549e04651c5da8L } },
+    /* 20 << 140 */
+    { { 0x4058f93b08b19340L,0xc2fae6f4cac6d89dL,0x4bad8a8c8f159cc7L,
+        0x0ddba4b3cb0b601cL },
+      { 0xda4fc7b51dd95f8cL,0x1d163cd7cea5c255L,0x30707d06274a8c4cL,
+        0x79d9e0082802e9ceL } },
+    /* 21 << 140 */
+    { { 0x02a29ebfe6ddd505L,0x37064e74b50bed1aL,0x3f6bae65a7327d57L,
+        0x3846f5f1f83920bcL },
+      { 0x87c3749160df1b9bL,0x4cfb28952d1da29fL,0x10a478ca4ed1743cL,
+        0x390c60303edd47c6L } },
+    /* 22 << 140 */
+    { { 0x8f3e53128c0a78deL,0xccd02bda1e85df70L,0xd6c75c03a61b6582L,
+        0x0762921cfc0eebd1L },
+      { 0xd34d0823d85010c0L,0xd73aaacb0044cf1fL,0xfb4159bba3b5e78aL,
+        0x2287c7f7e5826f3fL } },
+    /* 23 << 140 */
+    { { 0x4aeaf742580b1a01L,0xf080415d60423b79L,0xe12622cda7dea144L,
+        0x49ea499659d62472L },
+      { 0xb42991ef571f3913L,0x0610f214f5b25a8aL,0x47adc58530b79e8fL,
+        0xf90e3df607a065a2L } },
+    /* 24 << 140 */
+    { { 0x5d0a5deb43e2e034L,0x53fb5a34444024aaL,0xa8628c686b0c9f7fL,
+        0x9c69c29cac563656L },
+      { 0x5a231febbace47b6L,0xbdce02899ea5a2ecL,0x05da1fac9463853eL,
+        0x96812c52509e78aaL } },
+    /* 25 << 140 */
+    { { 0xd3fb577157151692L,0xeb2721f8d98e1c44L,0xc050608732399be1L,
+        0xda5a5511d979d8b8L },
+      { 0x737ed55dc6f56780L,0xe20d30040dc7a7f4L,0x02ce7301f5941a03L,
+        0x91ef5215ed30f83aL } },
+    /* 26 << 140 */
+    { { 0x28727fc14092d85fL,0x72d223c65c49e41aL,0xa7cf30a2ba6a4d81L,
+        0x7c086209b030d87dL },
+      { 0x04844c7dfc588b09L,0x728cd4995874bbb0L,0xcc1281eee84c0495L,
+        0x0769b5baec31958fL } },
+    /* 27 << 140 */
+    { { 0x665c228bf99c2471L,0xf2d8a11b191eb110L,0x4594f494d36d7024L,
+        0x482ded8bcdcb25a1L },
+      { 0xc958a9d8dadd4885L,0x7004477ef1d2b547L,0x0a45f6ef2a0af550L,
+        0x4fc739d62f8d6351L } },
+    /* 28 << 140 */
+    { { 0x75cdaf27786f08a9L,0x8700bb2642c2737fL,0x855a71411c4e2670L,
+        0x810188c115076fefL },
+      { 0xc251d0c9abcd3297L,0xae4c8967f48108ebL,0xbd146de718ceed30L,
+        0xf9d4f07ac986bcedL } },
+    /* 29 << 140 */
+    { { 0x5ad98ed583fa1e08L,0x7780d33ebeabd1fbL,0xe330513c903b1196L,
+        0xba11de9ea47bc8c4L },
+      { 0x684334da02c2d064L,0x7ecf360da48de23bL,0x57a1b4740a9089d8L,
+        0xf28fa439ff36734cL } },
+    /* 30 << 140 */
+    { { 0xf2a482cbea4570b3L,0xee65d68ba5ebcee9L,0x988d0036b9694cd5L,
+        0x53edd0e937885d32L },
+      { 0xe37e3307beb9bc6dL,0xe9abb9079f5c6768L,0x4396ccd551f2160fL,
+        0x2500888c47336da6L } },
+    /* 31 << 140 */
+    { { 0x383f9ed9926fce43L,0x809dd1c704da2930L,0x30f6f5968a4cb227L,
+        0x0d700c7f73a56b38L },
+      { 0x1825ea33ab64a065L,0xaab9b7351338df80L,0x1516100d9b63f57fL,
+        0x2574395a27a6a634L } },
+    /* 32 << 140 */
+    { { 0xb5560fb6700a1acdL,0xe823fd73fd999681L,0xda915d1f6cb4e1baL,
+        0x0d0301186ebe00a3L },
+      { 0x744fb0c989fca8cdL,0x970d01dbf9da0e0bL,0x0ad8c5647931d76fL,
+        0xb15737bff659b96aL } },
+    /* 33 << 140 */
+    { { 0xdc9933e8a8b484e7L,0xb2fdbdf97a26dec7L,0x2349e9a49f1f0136L,
+        0x7860368e70fddddbL },
+      { 0xd93d2c1cf9ad3e18L,0x6d6c5f17689f4e79L,0x7a544d91b24ff1b6L,
+        0x3e12a5ebfe16cd8cL } },
+    /* 34 << 140 */
+    { { 0x543574e9a56b872fL,0xa1ad550cfcf68ea2L,0x689e37d23f560ef7L,
+        0x8c54b9cac9d47a8bL },
+      { 0x46d40a4a088ac342L,0xec450c7c1576c6d0L,0xb589e31c1f9689e9L,
+        0xdacf2602b8781718L } },
+    /* 35 << 140 */
+    { { 0xa89237c6c8cb6b42L,0x1326fc93b96ef381L,0x55d56c6db5f07825L,
+        0xacba2eea7449e22dL },
+      { 0x74e0887a633c3000L,0xcb6cd172d7cbcf71L,0x309e81dec36cf1beL,
+        0x07a18a6d60ae399bL } },
+    /* 36 << 140 */
+    { { 0xb36c26799edce57eL,0x52b892f4df001d41L,0xd884ae5d16a1f2c6L,
+        0x9b329424efcc370aL },
+      { 0x3120daf2bd2e21dfL,0x55298d2d02470a99L,0x0b78af6ca05db32eL,
+        0x5c76a331601f5636L } },
+    /* 37 << 140 */
+    { { 0xaae861fff8a4f29cL,0x70dc9240d68f8d49L,0x960e649f81b1321cL,
+        0x3d2c801b8792e4ceL },
+      { 0xf479f77242521876L,0x0bed93bc416c79b1L,0xa67fbc05263e5bc9L,
+        0x01e8e630521db049L } },
+    /* 38 << 140 */
+    { { 0x76f26738c6f3431eL,0xe609cb02e3267541L,0xb10cff2d818c877cL,
+        0x1f0e75ce786a13cbL },
+      { 0xf4fdca641158544dL,0x5d777e896cb71ed0L,0x3c233737a9aa4755L,
+        0x7b453192e527ab40L } },
+    /* 39 << 140 */
+    { { 0xdb59f68839f05ffeL,0x8f4f4be06d82574eL,0xcce3450cee292d1bL,
+        0xaa448a1261ccd086L },
+      { 0xabce91b3f7914967L,0x4537f09b1908a5edL,0xa812421ef51042e7L,
+        0xfaf5cebcec0b3a34L } },
+    /* 40 << 140 */
+    { { 0x730ffd874ca6b39aL,0x70fb72ed02efd342L,0xeb4735f9d75c8edbL,
+        0xc11f2157c278aa51L },
+      { 0xc459f635bf3bfebfL,0x3a1ff0b46bd9601fL,0xc9d12823c420cb73L,
+        0x3e9af3e23c2915a3L } },
+    /* 41 << 140 */
+    { { 0xe0c82c72b41c3440L,0x175239e5e3039a5fL,0xe1084b8a558795a3L,
+        0x328d0a1dd01e5c60L },
+      { 0x0a495f2ed3788a04L,0x25d8ff1666c11a9fL,0xf5155f059ed692d6L,
+        0x954fa1074f425fe4L } },
+    /* 42 << 140 */
+    { { 0xd16aabf2e98aaa99L,0x90cd8ba096b0f88aL,0x957f4782c154026aL,
+        0x54ee073452af56d2L },
+      { 0xbcf89e5445b4147aL,0x3d102f219a52816cL,0x6808517e39b62e77L,
+        0x92e2542169169ad8L } },
+    /* 43 << 140 */
+    { { 0xd721d871bb608558L,0x60e4ebaef6d4ff9bL,0x0ba1081941f2763eL,
+        0xca2e45be51ee3247L },
+      { 0x66d172ec2bfd7a5fL,0x528a8f2f74d0b12dL,0xe17f1e38dabe70dcL,
+        0x1d5d73169f93983cL } },
+    /* 44 << 140 */
+    { { 0x51b2184adf423e31L,0xcb417291aedb1a10L,0x2054ca93625bcab9L,
+        0x54396860a98998f0L },
+      { 0x4e53f6c4a54ae57eL,0x0ffeb590ee648e9dL,0xfbbdaadc6afaf6bcL,
+        0xf88ae796aa3bfb8aL } },
+    /* 45 << 140 */
+    { { 0x209f1d44d2359ed9L,0xac68dd03f3544ce2L,0xf378da47fd51e569L,
+        0xe1abd8602cc80097L },
+      { 0x23ca18d9343b6e3aL,0x480797e8b40a1baeL,0xd1f0c717533f3e67L,
+        0x4489697006e6cdfcL } },
+    /* 46 << 140 */
+    { { 0x8ca2105552a82e8dL,0xb2caf78578460cdcL,0x4c1b7b62e9037178L,
+        0xefc09d2cdb514b58L },
+      { 0x5f2df9ee9113be5cL,0x2fbda78fb3f9271cL,0xe09a81af8f83fc54L,
+        0x06b138668afb5141L } },
+    /* 47 << 140 */
+    { { 0x38f6480f43e3865dL,0x72dd77a81ddf47d9L,0xf2a8e9714c205ff7L,
+        0x46d449d89d088ad8L },
+      { 0x926619ea185d706fL,0xe47e02ebc7dd7f62L,0xe7f120a78cbc2031L,
+        0xc18bef00998d4ac9L } },
+    /* 48 << 140 */
+    { { 0x18f37a9c6bdf22daL,0xefbc432f90dc82dfL,0xc52cef8e5d703651L,
+        0x82887ba0d99881a5L },
+      { 0x7cec9ddab920ec1dL,0xd0d7e8c3ec3e8d3bL,0x445bc3954ca88747L,
+        0xedeaa2e09fd53535L } },
+    /* 49 << 140 */
+    { { 0x461b1d936cc87475L,0xd92a52e26d2383bdL,0xfabccb59d7903546L,
+        0x6111a7613d14b112L },
+      { 0x0ae584feb3d5f612L,0x5ea69b8d60e828ecL,0x6c07898554087030L,
+        0x649cab04ac4821feL } },
+    /* 50 << 140 */
+    { { 0x25ecedcf8bdce214L,0xb5622f7286af7361L,0x0e1227aa7038b9e2L,
+        0xd0efb273ac20fa77L },
+      { 0x817ff88b79df975bL,0x856bf2861999503eL,0xb4d5351f5038ec46L,
+        0x740a52c5fc42af6eL } },
+    /* 51 << 140 */
+    { { 0x2e38bb152cbb1a3fL,0xc3eb99fe17a83429L,0xca4fcbf1dd66bb74L,
+        0x880784d6cde5e8fcL },
+      { 0xddc84c1cb4e7a0beL,0x8780510dbd15a72fL,0x44bcf1af81ec30e1L,
+        0x141e50a80a61073eL } },
+    /* 52 << 140 */
+    { { 0x0d95571847be87aeL,0x68a61417f76a4372L,0xf57e7e87c607c3d3L,
+        0x043afaf85252f332L },
+      { 0xcc14e1211552a4d2L,0xb6dee692bb4d4ab4L,0xb6ab74c8a03816a4L,
+        0x84001ae46f394a29L } },
+    /* 53 << 140 */
+    { { 0x5bed8344d795fb45L,0x57326e7db79f55a5L,0xc9533ce04accdffcL,
+        0x53473caf3993fa04L },
+      { 0x7906eb93a13df4c8L,0xa73e51f697cbe46fL,0xd1ab3ae10ae4ccf8L,
+        0x256145088a5b3dbcL } },
+    /* 54 << 140 */
+    { { 0x61eff96211a71b27L,0xdf71412b6bb7fa39L,0xb31ba6b82bd7f3efL,
+        0xb0b9c41569180d29L },
+      { 0xeec14552014cdde5L,0x702c624b227b4bbbL,0x2b15e8c2d3e988f3L,
+        0xee3bcc6da4f7fd04L } },
+    /* 55 << 140 */
+    { { 0x9d00822a42ac6c85L,0x2db0cea61df9f2b7L,0xd7cad2ab42de1e58L,
+        0x346ed5262d6fbb61L },
+      { 0xb39629951a2faf09L,0x2fa8a5807c25612eL,0x30ae04da7cf56490L,
+        0x756629080eea3961L } },
+    /* 56 << 140 */
+    { { 0x3609f5c53d080847L,0xcb081d395241d4f6L,0xb4fb381077961a63L,
+        0xc20c59842abb66fcL },
+      { 0x3d40aa7cf902f245L,0x9cb127364e536b1eL,0x5eda24da99b3134fL,
+        0xafbd9c695cd011afL } },
+    /* 57 << 140 */
+    { { 0x9a16e30ac7088c7dL,0x5ab657103207389fL,0x1b09547fe7407a53L,
+        0x2322f9d74fdc6eabL },
+      { 0xc0f2f22d7430de4dL,0x19382696e68ca9a9L,0x17f1eff1918e5868L,
+        0xe3b5b635586f4204L } },
+    /* 58 << 140 */
+    { { 0x146ef9803fbc4341L,0x359f2c805b5eed4eL,0x9f35744e7482e41dL,
+        0x9a9ac3ecf3b224c2L },
+      { 0x9161a6fe91fc50aeL,0x89ccc66bc613fa7cL,0x89268b14c732f15aL,
+        0x7cd6f4e2b467ed03L } },
+    /* 59 << 140 */
+    { { 0xfbf79869ce56b40eL,0xf93e094cc02dde98L,0xefe0c3a8edee2cd7L,
+        0x90f3ffc0b268fd42L },
+      { 0x81a7fd5608241aedL,0x95ab7ad800b1afe8L,0x401270563e310d52L,
+        0xd3ffdeb109d9fc43L } },
+    /* 60 << 140 */
+    { { 0xc8f85c91d11a8594L,0x2e74d25831cf6db8L,0x829c7ca302b5dfd0L,
+        0xe389cfbe69143c86L },
+      { 0xd01b6405941768d8L,0x4510399503bf825dL,0xcc4ee16656cd17e2L,
+        0xbea3c283ba037e79L } },
+    /* 61 << 140 */
+    { { 0x4e1ac06ed9a47520L,0xfbfe18aaaf852404L,0x5615f8e28087648aL,
+        0x7301e47eb9d150d9L },
+      { 0x79f9f9ddb299b977L,0x76697a7ba5b78314L,0x10d674687d7c90e7L,
+        0x7afffe03937210b5L } },
+    /* 62 << 140 */
+    { { 0x5aef3e4b28c22ceeL,0xefb0ecd809fd55aeL,0x4cea71320d2a5d6aL,
+        0x9cfb5fa101db6357L },
+      { 0x395e0b57f36e1ac5L,0x008fa9ad36cafb7dL,0x8f6cdf705308c4dbL,
+        0x51527a3795ed2477L } },
+    /* 63 << 140 */
+    { { 0xba0dee305bd21311L,0x6ed41b22909c90d7L,0xc5f6b7587c8696d3L,
+        0x0db8eaa83ce83a80L },
+      { 0xd297fe37b24b4b6fL,0xfe58afe8522d1f0dL,0x973587368c98dbd9L,
+        0x6bc226ca9454a527L } },
+    /* 64 << 140 */
+    { { 0xa12b384ece53c2d0L,0x779d897d5e4606daL,0xa53e47b073ec12b0L,
+        0x462dbbba5756f1adL },
+      { 0x69fe09f2cafe37b6L,0x273d1ebfecce2e17L,0x8ac1d5383cf607fdL,
+        0x8035f7ff12e10c25L } },
+    /* 0 << 147 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 147 */
+    { { 0x854d34c77e6c5520L,0xc27df9efdcb9ea58L,0x405f2369d686666dL,
+        0x29d1febf0417aa85L },
+      { 0x9846819e93470afeL,0x3e6a9669e2a27f9eL,0x24d008a2e31e6504L,
+        0xdba7cecf9cb7680aL } },
+    /* 2 << 147 */
+    { { 0xecaff541338d6e43L,0x56f7dd734541d5ccL,0xb5d426de96bc88caL,
+        0x48d94f6b9ed3a2c3L },
+      { 0x6354a3bb2ef8279cL,0xd575465b0b1867f2L,0xef99b0ff95225151L,
+        0xf3e19d88f94500d8L } },
+    /* 3 << 147 */
+    { { 0x92a83268e32dd620L,0x913ec99f627849a2L,0xedd8fdfa2c378882L,
+        0xaf96f33eee6f8cfeL },
+      { 0xc06737e5dc3fa8a5L,0x236bb531b0b03a1dL,0x33e59f2989f037b0L,
+        0x13f9b5a7d9a12a53L } },
+    /* 4 << 147 */
+    { { 0x0d0df6ce51efb310L,0xcb5b2eb4958df5beL,0xd6459e2936158e59L,
+        0x82aae2b91466e336L },
+      { 0xfb658a39411aa636L,0x7152ecc5d4c0a933L,0xf10c758a49f026b7L,
+        0xf4837f97cb09311fL } },
+    /* 5 << 147 */
+    { { 0xddfb02c4c753c45fL,0x18ca81b6f9c840feL,0x846fd09ab0f8a3e6L,
+        0xb1162adde7733dbcL },
+      { 0x7070ad20236e3ab6L,0xf88cdaf5b2a56326L,0x05fc8719997cbc7aL,
+        0x442cd4524b665272L } },
+    /* 6 << 147 */
+    { { 0x7807f364b71698f5L,0x6ba418d29f7b605eL,0xfd20b00fa03b2cbbL,
+        0x883eca37da54386fL },
+      { 0xff0be43ff3437f24L,0xe910b432a48bb33cL,0x4963a128329df765L,
+        0xac1dd556be2fe6f7L } },
+    /* 7 << 147 */
+    { { 0x557610f924a0a3fcL,0x38e17bf4e881c3f9L,0x6ba84fafed0dac99L,
+        0xd4a222c359eeb918L },
+      { 0xc79c1dbe13f542b6L,0x1fc65e0de425d457L,0xeffb754f1debb779L,
+        0x638d8fd09e08af60L } },
+    /* 8 << 147 */
+    { { 0x994f523a626332d5L,0x7bc388335561bb44L,0x005ed4b03d845ea2L,
+        0xd39d3ee1c2a1f08aL },
+      { 0x6561fdd3e7676b0dL,0x620e35fffb706017L,0x36ce424ff264f9a8L,
+        0xc4c3419fda2681f7L } },
+    /* 9 << 147 */
+    { { 0xfb6afd2f69beb6e8L,0x3a50b9936d700d03L,0xc840b2ad0c83a14fL,
+        0x573207be54085befL },
+      { 0x5af882e309fe7e5bL,0x957678a43b40a7e1L,0x172d4bdd543056e2L,
+        0x9c1b26b40df13c0aL } },
+    /* 10 << 147 */
+    { { 0x1c30861cf405ff06L,0xebac86bd486e828bL,0xe791a971636933fcL,
+        0x50e7c2be7aeee947L },
+      { 0xc3d4a095fa90d767L,0xae60eb7be670ab7bL,0x17633a64397b056dL,
+        0x93a21f33105012aaL } },
+    /* 11 << 147 */
+    { { 0x663c370babb88643L,0x91df36d722e21599L,0x183ba8358b761671L,
+        0x381eea1d728f3bf1L },
+      { 0xb9b2f1ba39966e6cL,0x7c464a28e7295492L,0x0fd5f70a09b26b7fL,
+        0xa9aba1f9fbe009dfL } },
+    /* 12 << 147 */
+    { { 0x857c1f22369b87adL,0x3c00e5d932fca556L,0x1ad74cab90b06466L,
+        0xa7112386550faaf2L },
+      { 0x7435e1986d9bd5f5L,0x2dcc7e3859c3463fL,0xdc7df748ca7bd4b2L,
+        0x13cd4c089dec2f31L } },
+    /* 13 << 147 */
+    { { 0x0d3b5df8e3237710L,0x0dadb26ecbd2f7b0L,0x9f5966abe4aa082bL,
+        0x666ec8de350e966eL },
+      { 0x1bfd1ed5ee524216L,0xcd93c59b41dab0b6L,0x658a8435d186d6baL,
+        0x1b7d34d2159d1195L } },
+    /* 14 << 147 */
+    { { 0x5936e46022caf46bL,0x6a45dd8f9a96fe4fL,0xf7925434b98f474eL,
+        0x414104120053ef15L },
+      { 0x71cf8d1241de97bfL,0xb8547b61bd80bef4L,0xb47d3970c4db0037L,
+        0xf1bcd328fef20dffL } },
+    /* 15 << 147 */
+    { { 0x31a92e0910caad67L,0x1f5919605531a1e1L,0x3bb852e05f4fc840L,
+        0x63e297ca93a72c6cL },
+      { 0x3c2b0b2e49abad67L,0x6ec405fced3db0d9L,0xdc14a5307fef1d40L,
+        0xccd19846280896fcL } },
+    /* 16 << 147 */
+    { { 0x00f831769bb81648L,0xd69eb485653120d0L,0xd17d75f44ccabc62L,
+        0x34a07f82b749fcb1L },
+      { 0x2c3af787bbfb5554L,0xb06ed4d062e283f8L,0x5722889fa19213a0L,
+        0x162b085edcf3c7b4L } },
+    /* 17 << 147 */
+    { { 0xbcaecb31e0dd3ecaL,0xc6237fbce52f13a5L,0xcc2b6b0327bac297L,
+        0x2ae1cac5b917f54aL },
+      { 0x474807d47845ae4fL,0xfec7dd92ce5972e0L,0xc3bd25411d7915bbL,
+        0x66f85dc4d94907caL } },
+    /* 18 << 147 */
+    { { 0xd981b888bdbcf0caL,0xd75f5da6df279e9fL,0x128bbf247054e934L,
+        0x3c6ff6e581db134bL },
+      { 0x795b7cf4047d26e4L,0xf370f7b85049ec37L,0xc6712d4dced945afL,
+        0xdf30b5ec095642bcL } },
+    /* 19 << 147 */
+    { { 0x9b034c624896246eL,0x5652c016ee90bbd1L,0xeb38636f87fedb73L,
+        0x5e32f8470135a613L },
+      { 0x0703b312cf933c83L,0xd05bb76e1a7f47e6L,0x825e4f0c949c2415L,
+        0x569e56227250d6f8L } },
+    /* 20 << 147 */
+    { { 0xbbe9eb3a6568013eL,0x8dbd203f22f243fcL,0x9dbd7694b342734aL,
+        0x8f6d12f846afa984L },
+      { 0xb98610a2c9eade29L,0xbab4f32347dd0f18L,0x5779737b671c0d46L,
+        0x10b6a7c6d3e0a42aL } },
+    /* 21 << 147 */
+    { { 0xfb19ddf33035b41cL,0xd336343f99c45895L,0x61fe493854c857e5L,
+        0xc4d506beae4e57d5L },
+      { 0x3cd8c8cbbbc33f75L,0x7281f08a9262c77dL,0x083f4ea6f11a2823L,
+        0x8895041e9fba2e33L } },
+    /* 22 << 147 */
+    { { 0xfcdfea499c438edfL,0x7678dcc391edba44L,0xf07b3b87e2ba50f0L,
+        0xc13888ef43948c1bL },
+      { 0xc2135ad41140af42L,0x8e5104f3926ed1a7L,0xf24430cb88f6695fL,
+        0x0ce0637b6d73c120L } },
+    /* 23 << 147 */
+    { { 0xb2db01e6fe631e8fL,0x1c5563d7d7bdd24bL,0x8daea3ba369ad44fL,
+        0x000c81b68187a9f9L },
+      { 0x5f48a951aae1fd9aL,0xe35626c78d5aed8aL,0x209527630498c622L,
+        0x76d17634773aa504L } },
+    /* 24 << 147 */
+    { { 0x36d90ddaeb300f7aL,0x9dcf7dfcedb5e801L,0x645cb26874d5244cL,
+        0xa127ee79348e3aa2L },
+      { 0x488acc53575f1dbbL,0x95037e8580e6161eL,0x57e59283292650d0L,
+        0xabe67d9914938216L } },
+    /* 25 << 147 */
+    { { 0x3c7f944b3f8e1065L,0xed908cb6330e8924L,0x08ee8fd56f530136L,
+        0x2227b7d5d7ffc169L },
+      { 0x4f55c893b5cd6dd5L,0x82225e11a62796e8L,0x5c6cead1cb18e12cL,
+        0x4381ae0c84f5a51aL } },
+    /* 26 << 147 */
+    { { 0x345913d37fafa4c8L,0x3d9180820491aac0L,0x9347871f3e69264cL,
+        0xbea9dd3cb4f4f0cdL },
+      { 0xbda5d0673eadd3e7L,0x0033c1b80573bcd8L,0x255893795da2486cL,
+        0xcb89ee5b86abbee7L } },
+    /* 27 << 147 */
+    { { 0x8fe0a8f322532e5dL,0xb6410ff0727dfc4cL,0x619b9d58226726dbL,
+        0x5ec256697a2b2dc7L },
+      { 0xaf4d2e064c3beb01L,0x852123d07acea556L,0x0e9470faf783487aL,
+        0x75a7ea045664b3ebL } },
+    /* 28 << 147 */
+    { { 0x4ad78f356798e4baL,0x9214e6e5c7d0e091L,0xc420b488b1290403L,
+        0x64049e0afc295749L },
+      { 0x03ef5af13ae9841fL,0xdbe4ca19b0b662a6L,0x46845c5ffa453458L,
+        0xf8dabf1910b66722L } },
+    /* 29 << 147 */
+    { { 0xb650f0aacce2793bL,0x71db851ec5ec47c1L,0x3eb78f3e3b234fa9L,
+        0xb0c60f35fc0106ceL },
+      { 0x05427121774eadbdL,0x25367fafce323863L,0x7541b5c9cd086976L,
+        0x4ff069e2dc507ad1L } },
+    /* 30 << 147 */
+    { { 0x741452568776e667L,0x6e76142cb23c6bb5L,0xdbf307121b3a8a87L,
+        0x60e7363e98450836L },
+      { 0x5741450eb7366d80L,0xe4ee14ca4837dbdfL,0xa765eb9b69d4316fL,
+        0x04548dca8ef43825L } },
+    /* 31 << 147 */
+    { { 0x9c9f4e4c5ae888ebL,0x733abb5156e9ac99L,0xdaad3c20ba6ac029L,
+        0x9b8dd3d32ba3e38eL },
+      { 0xa9bb4c920bc5d11aL,0xf20127a79c5f88a3L,0x4f52b06e161d3cb8L,
+        0x26c1ff096afaf0a6L } },
+    /* 32 << 147 */
+    { { 0x32670d2f7189e71fL,0xc64387485ecf91e7L,0x15758e57db757a21L,
+        0x427d09f8290a9ce5L },
+      { 0x846a308f38384a7aL,0xaac3acb4b0732b99L,0x9e94100917845819L,
+        0x95cba111a7ce5e03L } },
+    /* 33 << 147 */
+    { { 0x6f3d4f7fb00009c4L,0xb8396c278ff28b5fL,0xb1a9ae431c97975dL,
+        0x9d7ba8afe5d9fed5L },
+      { 0x338cf09f34f485b6L,0xbc0ddacc64122516L,0xa450da1205d471feL,
+        0x4c3a6250628dd8c9L } },
+    /* 34 << 147 */
+    { { 0x69c7d103d1295837L,0xa2893e503807eb2fL,0xd6e1e1debdb41491L,
+        0xc630745b5e138235L },
+      { 0xc892109e48661ae1L,0x8d17e7ebea2b2674L,0x00ec0f87c328d6b5L,
+        0x6d858645f079ff9eL } },
+    /* 35 << 147 */
+    { { 0x6cdf243e19115eadL,0x1ce1393e4bac4fcfL,0x2c960ed09c29f25bL,
+        0x59be4d8e9d388a05L },
+      { 0x0d46e06cd0def72bL,0xb923db5de0342748L,0xf7d3aacd936d4a3dL,
+        0x558519cc0b0b099eL } },
+    /* 36 << 147 */
+    { { 0x3ea8ebf8827097efL,0x259353dbd054f55dL,0x84c89abc6d2ed089L,
+        0x5c548b698e096a7cL },
+      { 0xd587f616994b995dL,0x4d1531f6a5845601L,0x792ab31e451fd9f0L,
+        0xc8b57bb265adf6caL } },
+    /* 37 << 147 */
+    { { 0x68440fcb1cd5ad73L,0xb9c860e66144da4fL,0x2ab286aa8462beb8L,
+        0xcc6b8fffef46797fL },
+      { 0xac820da420c8a471L,0x69ae05a177ff7fafL,0xb9163f39bfb5da77L,
+        0xbd03e5902c73ab7aL } },
+    /* 38 << 147 */
+    { { 0x7e862b5eb2940d9eL,0x3c663d864b9af564L,0xd8309031bde3033dL,
+        0x298231b2d42c5bc6L },
+      { 0x42090d2c552ad093L,0xa4799d1cff854695L,0x0a88b5d6d31f0d00L,
+        0xf8b40825a2f26b46L } },
+    /* 39 << 147 */
+    { { 0xec29b1edf1bd7218L,0xd491c53b4b24c86eL,0xd2fe588f3395ea65L,
+        0x6f3764f74456ef15L },
+      { 0xdb43116dcdc34800L,0xcdbcd456c1e33955L,0xefdb554074ab286bL,
+        0x948c7a51d18c5d7cL } },
+    /* 40 << 147 */
+    { { 0xeb81aa377378058eL,0x41c746a104411154L,0xa10c73bcfb828ac7L,
+        0x6439be919d972b29L },
+      { 0x4bf3b4b043a2fbadL,0x39e6dadf82b5e840L,0x4f7164086397bd4cL,
+        0x0f7de5687f1eeccbL } },
+    /* 41 << 147 */
+    { { 0x5865c5a1d2ffbfc1L,0xf74211fa4ccb6451L,0x66368a88c0b32558L,
+        0x5b539dc29ad7812eL },
+      { 0x579483d02f3af6f6L,0x5213207899934eceL,0x50b9650fdcc9e983L,
+        0xca989ec9aee42b8aL } },
+    /* 42 << 147 */
+    { { 0x6a44c829d6f62f99L,0x8f06a3094c2a7c0cL,0x4ea2b3a098a0cb0aL,
+        0x5c547b70beee8364L },
+      { 0x461d40e1682afe11L,0x9e0fc77a7b41c0a8L,0x79e4aefde20d5d36L,
+        0x2916e52032dd9f63L } },
+    /* 43 << 147 */
+    { { 0xf59e52e83f883fafL,0x396f96392b868d35L,0xc902a9df4ca19881L,
+        0x0fc96822db2401a6L },
+      { 0x4123758766f1c68dL,0x10fc6de3fb476c0dL,0xf8b6b579841f5d90L,
+        0x2ba8446cfa24f44aL } },
+    /* 44 << 147 */
+    { { 0xa237b920ef4a9975L,0x60bb60042330435fL,0xd6f4ab5acfb7e7b5L,
+        0xb2ac509783435391L },
+      { 0xf036ee2fb0d1ea67L,0xae779a6a74c56230L,0x59bff8c8ab838ae6L,
+        0xcd83ca999b38e6f0L } },
+    /* 45 << 147 */
+    { { 0xbb27bef5e33deed3L,0xe6356f6f001892a8L,0xbf3be6cc7adfbd3eL,
+        0xaecbc81c33d1ac9dL },
+      { 0xe4feb909e6e861dcL,0x90a247a453f5f801L,0x01c50acb27346e57L,
+        0xce29242e461acc1bL } },
+    /* 46 << 147 */
+    { { 0x04dd214a2f998a91L,0x271ee9b1d4baf27bL,0x7e3027d1e8c26722L,
+        0x21d1645c1820dce5L },
+      { 0x086f242c7501779cL,0xf0061407fa0e8009L,0xf23ce47760187129L,
+        0x05bbdedb0fde9bd0L } },
+    /* 47 << 147 */
+    { { 0x682f483225d98473L,0xf207fe855c658427L,0xb6fdd7ba4166ffa1L,
+        0x0c3140569eed799dL },
+      { 0x0db8048f4107e28fL,0x74ed387141216840L,0x74489f8f56a3c06eL,
+        0x1e1c005b12777134L } },
+    /* 48 << 147 */
+    { { 0xdb332a73f37ec3c3L,0xc65259bddd59eba0L,0x2291709cdb4d3257L,
+        0x9a793b25bd389390L },
+      { 0xf39fe34be43756f0L,0x2f76bdce9afb56c9L,0x9f37867a61208b27L,
+        0xea1d4307089972c3L } },
+    /* 49 << 147 */
+    { { 0x8c5953308bdf623aL,0x5f5accda8441fb7dL,0xfafa941832ddfd95L,
+        0x6ad40c5a0fde9be7L },
+      { 0x43faba89aeca8709L,0xc64a7cf12c248a9dL,0x1662025272637a76L,
+        0xaee1c79122b8d1bbL } },
+    /* 50 << 147 */
+    { { 0xf0f798fd21a843b2L,0x56e4ed4d8d005cb1L,0x355f77801f0d8abeL,
+        0x197b04cf34522326L },
+      { 0x41f9b31ffd42c13fL,0x5ef7feb2b40f933dL,0x27326f425d60bad4L,
+        0x027ecdb28c92cf89L } },
+    /* 51 << 147 */
+    { { 0x04aae4d14e3352feL,0x08414d2f73591b90L,0x5ed6124eb7da7d60L,
+        0xb985b9314d13d4ecL },
+      { 0xa592d3ab96bf36f9L,0x012dbed5bbdf51dfL,0xa57963c0df6c177dL,
+        0x010ec86987ca29cfL } },
+    /* 52 << 147 */
+    { { 0xba1700f6bf926dffL,0x7c9fdbd1f4bf6bc2L,0xdc18dc8f64da11f5L,
+        0xa6074b7ad938ae75L },
+      { 0x14270066e84f44a4L,0x99998d38d27b954eL,0xc1be8ab2b4f38e9aL,
+        0x8bb55bbf15c01016L } },
+    /* 53 << 147 */
+    { { 0xf73472b40ea2ab30L,0xd365a340f73d68ddL,0xc01a716819c2e1ebL,
+        0x32f49e3734061719L },
+      { 0xb73c57f101d8b4d6L,0x03c8423c26b47700L,0x321d0bc8a4d8826aL,
+        0x6004213c4bc0e638L } },
+    /* 54 << 147 */
+    { { 0xf78c64a1c1c06681L,0x16e0a16fef018e50L,0x31cbdf91db42b2b3L,
+        0xf8f4ffcee0d36f58L },
+      { 0xcdcc71cd4cc5e3e0L,0xd55c7cfaa129e3e0L,0xccdb6ba00fb2cbf1L,
+        0x6aba0005c4bce3cbL } },
+    /* 55 << 147 */
+    { { 0x501cdb30d232cfc4L,0x9ddcf12ed58a3cefL,0x02d2cf9c87e09149L,
+        0xdc5d7ec72c976257L },
+      { 0x6447986e0b50d7ddL,0x88fdbaf7807f112aL,0x58c9822ab00ae9f6L,
+        0x6abfb9506d3d27e0L } },
+    /* 56 << 147 */
+    { { 0xd0a744878a429f4fL,0x0649712bdb516609L,0xb826ba57e769b5dfL,
+        0x82335df21fc7aaf2L },
+      { 0x2389f0675c93d995L,0x59ac367a68677be6L,0xa77985ff21d9951bL,
+        0x038956fb85011cceL } },
+    /* 57 << 147 */
+    { { 0x608e48cbbb734e37L,0xc08c0bf22be5b26fL,0x17bbdd3bf9b1a0d9L,
+        0xeac7d89810483319L },
+      { 0xc95c4bafbc1a6deaL,0xfdd0e2bf172aafdbL,0x40373cbc8235c41aL,
+        0x14303f21fb6f41d5L } },
+    /* 58 << 147 */
+    { { 0xba0636210408f237L,0xcad3b09aecd2d1edL,0x4667855a52abb6a2L,
+        0xba9157dcaa8b417bL },
+      { 0xfe7f35074f013efbL,0x1b112c4baa38c4a2L,0xa1406a609ba64345L,
+        0xe53cba336993c80bL } },
+    /* 59 << 147 */
+    { { 0x45466063ded40d23L,0x3d5f1f4d54908e25L,0x9ebefe62403c3c31L,
+        0x274ea0b50672a624L },
+      { 0xff818d99451d1b71L,0x80e826438f79cf79L,0xa165df1373ce37f5L,
+        0xa744ef4ffe3a21fdL } },
+    /* 60 << 147 */
+    { { 0x73f1e7f5cf551396L,0xc616898e868c676bL,0x671c28c78c442c36L,
+        0xcfe5e5585e0a317dL },
+      { 0x1242d8187051f476L,0x56fad2a614f03442L,0x262068bc0a44d0f6L,
+        0xdfa2cd6ece6edf4eL } },
+    /* 61 << 147 */
+    { { 0x0f43813ad15d1517L,0x61214cb2377d44f5L,0xd399aa29c639b35fL,
+        0x42136d7154c51c19L },
+      { 0x9774711b08417221L,0x0a5546b352545a57L,0x80624c411150582dL,
+        0x9ec5c418fbc555bcL } },
+    /* 62 << 147 */
+    { { 0x2c87dcad771849f1L,0xb0c932c501d7bf6fL,0x6aa5cd3e89116eb2L,
+        0xd378c25a51ca7bd3L },
+      { 0xc612a0da9e6e3e31L,0x0417a54db68ad5d0L,0x00451e4a22c6edb8L,
+        0x9fbfe019b42827ceL } },
+    /* 63 << 147 */
+    { { 0x2fa92505ba9384a2L,0x21b8596e64ad69c1L,0x8f4fcc49983b35a6L,
+        0xde09376072754672L },
+      { 0x2f14ccc8f7bffe6dL,0x27566bff5d94263dL,0xb5b4e9c62df3ec30L,
+        0x94f1d7d53e6ea6baL } },
+    /* 64 << 147 */
+    { { 0x97b7851aaaca5e9bL,0x518aa52156713b97L,0x3357e8c7150a61f6L,
+        0x7842e7e2ec2c2b69L },
+      { 0x8dffaf656868a548L,0xd963bd82e068fc81L,0x64da5c8b65917733L,
+        0x927090ff7b247328L } },
+    /* 0 << 154 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 154 */
+    { { 0x214bc9a7d298c241L,0xe3b697ba56807cfdL,0xef1c78024564eadbL,
+        0xdde8cdcfb48149c5L },
+      { 0x946bf0a75a4d2604L,0x27154d7f6c1538afL,0x95cc9230de5b1fccL,
+        0xd88519e966864f82L } },
+    /* 2 << 154 */
+    { { 0xb828dd1a7cb1282cL,0xa08d7626be46973aL,0x6baf8d40e708d6b2L,
+        0x72571fa14daeb3f3L },
+      { 0x85b1732ff22dfd98L,0x87ab01a70087108dL,0xaaaafea85988207aL,
+        0xccc832f869f00755L } },
+    /* 3 << 154 */
+    { { 0x964d950e36ff3bf0L,0x8ad20f6ff0b34638L,0x4d9177b3b5d7585fL,
+        0xcf839760ef3f019fL },
+      { 0x582fc5b38288c545L,0x2f8e4e9b13116bd1L,0xf91e1b2f332120efL,
+        0xcf5687242a17dd23L } },
+    /* 4 << 154 */
+    { { 0x488f1185ca8d9d1aL,0xadf2c77dd987ded2L,0x5f3039f060c46124L,
+        0xe5d70b7571e095f4L },
+      { 0x82d586506260e70fL,0x39d75ea7f750d105L,0x8cf3d0b175bac364L,
+        0xf3a7564d21d01329L } },
+    /* 5 << 154 */
+    { { 0x182f04cd2f52d2a7L,0x4fde149ae2df565aL,0xb80c5eeca79fb2f7L,
+        0xab491d7b22ddc897L },
+      { 0x99d76c18c6312c7fL,0xca0d5f3d6aa41a57L,0x71207325d15363a0L,
+        0xe82aa265beb252c2L } },
+    /* 6 << 154 */
+    { { 0x94ab4700ec3128c2L,0x6c76d8628e383f49L,0xdc36b150c03024ebL,
+        0xfb43947753daac69L },
+      { 0xfc68764a8dc79623L,0x5b86995db440fbb2L,0xd66879bfccc5ee0dL,
+        0x0522894295aa8bd3L } },
+    /* 7 << 154 */
+    { { 0xb51a40a51e6a75c1L,0x24327c760ea7d817L,0x0663018207774597L,
+        0xd6fdbec397fa7164L },
+      { 0x20c99dfb13c90f48L,0xd6ac5273686ef263L,0xc6a50bdcfef64eebL,
+        0xcd87b28186fdfc32L } },
+    /* 8 << 154 */
+    { { 0xb24aa43e3fcd3efcL,0xdd26c034b8088e9aL,0xa5ef4dc9bd3d46eaL,
+        0xa2f99d588a4c6a6fL },
+      { 0xddabd3552f1da46cL,0x72c3f8ce1afacdd1L,0xd90c4eee92d40578L,
+        0xd28bb41fca623b94L } },
+    /* 9 << 154 */
+    { { 0x50fc0711745edc11L,0x9dd9ad7d3dc87558L,0xce6931fbb49d1e64L,
+        0x6c77a0a2c98bd0f9L },
+      { 0x62b9a6296baf7cb1L,0xcf065f91ccf72d22L,0x7203cce979639071L,
+        0x09ae4885f9cb732fL } },
+    /* 10 << 154 */
+    { { 0x5e7c3becee8314f3L,0x1c068aeddbea298fL,0x08d381f17c80acecL,
+        0x03b56be8e330495bL },
+      { 0xaeffb8f29222882dL,0x95ff38f6c4af8bf7L,0x50e32d351fc57d8cL,
+        0x6635be5217b444f0L } },
+    /* 11 << 154 */
+    { { 0x04d15276a5177900L,0x4e1dbb47f6858752L,0x5b475622c615796cL,
+        0xa6fa0387691867bfL },
+      { 0xed7f5d562844c6d0L,0xc633cf9b03a2477dL,0xf6be5c402d3721d6L,
+        0xaf312eb7e9fd68e6L } },
+    /* 12 << 154 */
+    { { 0x242792d2e7417ce1L,0xff42bc71970ee7f5L,0x1ff4dc6d5c67a41eL,
+        0x77709b7b20882a58L },
+      { 0x3554731dbe217f2cL,0x2af2a8cd5bb72177L,0x58eee769591dd059L,
+        0xbb2930c94bba6477L } },
+    /* 13 << 154 */
+    { { 0x863ee0477d930cfcL,0x4c262ad1396fd1f4L,0xf4765bc8039af7e1L,
+        0x2519834b5ba104f6L },
+      { 0x7cd61b4cd105f961L,0xa5415da5d63bca54L,0x778280a088a1f17cL,
+        0xc49689492329512cL } },
+    /* 14 << 154 */
+    { { 0x174a9126cecdaa7aL,0xfc8c7e0e0b13247bL,0x29c110d23484c1c4L,
+        0xf8eb8757831dfc3bL },
+      { 0x022f0212c0067452L,0x3f6f69ee7b9b926cL,0x09032da0ef42daf4L,
+        0x79f00ade83f80de4L } },
+    /* 15 << 154 */
+    { { 0x6210db7181236c97L,0x74f7685b3ee0781fL,0x4df7da7ba3e41372L,
+        0x2aae38b1b1a1553eL },
+      { 0x1688e222f6dd9d1bL,0x576954485b8b6487L,0x478d21274b2edeaaL,
+        0xb2818fa51e85956aL } },
+    /* 16 << 154 */
+    { { 0x1e6adddaf176f2c0L,0x01ca4604e2572658L,0x0a404ded85342ffbL,
+        0x8cf60f96441838d6L },
+      { 0x9bbc691cc9071c4aL,0xfd58874434442803L,0x97101c85809c0d81L,
+        0xa7fb754c8c456f7fL } },
+    /* 17 << 154 */
+    { { 0xc95f3c5cd51805e1L,0xab4ccd39b299dca8L,0x3e03d20b47eaf500L,
+        0xfa3165c1d7b80893L },
+      { 0x005e8b54e160e552L,0xdc4972ba9019d11fL,0x21a6972e0c9a4a7aL,
+        0xa52c258f37840fd7L } },
+    /* 18 << 154 */
+    { { 0xf8559ff4c1e99d81L,0x08e1a7d6a3c617c0L,0xb398fd43248c6ba7L,
+        0x6ffedd91d1283794L },
+      { 0x8a6a59d2d629d208L,0xa9d141d53490530eL,0x42f6fc1838505989L,
+        0x09bf250d479d94eeL } },
+    /* 19 << 154 */
+    { { 0x223ad3b1b3822790L,0x6c5926c093b8971cL,0x609efc7e75f7fa62L,
+        0x45d66a6d1ec2d989L },
+      { 0x4422d663987d2792L,0x4a73caad3eb31d2bL,0xf06c2ac1a32cb9e6L,
+        0xd9445c5f91aeba84L } },
+    /* 20 << 154 */
+    { { 0x6af7a1d5af71013fL,0xe68216e50bedc946L,0xf4cba30bd27370a0L,
+        0x7981afbf870421ccL },
+      { 0x02496a679449f0e1L,0x86cfc4be0a47edaeL,0x3073c936b1feca22L,
+        0xf569461203f8f8fbL } },
+    /* 21 << 154 */
+    { { 0xd063b723901515eaL,0x4c6c77a5749cf038L,0x6361e360ab9e5059L,
+        0x596cf171a76a37c0L },
+      { 0x800f53fa6530ae7aL,0x0f5e631e0792a7a6L,0x5cc29c24efdb81c9L,
+        0xa269e8683f9c40baL } },
+    /* 22 << 154 */
+    { { 0xec14f9e12cb7191eL,0x78ea1bd8e5b08ea6L,0x3c65aa9b46332bb9L,
+        0x84cc22b3bf80ce25L },
+      { 0x0098e9e9d49d5bf1L,0xcd4ec1c619087da4L,0x3c9d07c5aef6e357L,
+        0x839a02689f8f64b8L } },
+    /* 23 << 154 */
+    { { 0xc5e9eb62c6d8607fL,0x759689f56aa995e4L,0x70464669bbb48317L,
+        0x921474bfe402417dL },
+      { 0xcabe135b2a354c8cL,0xd51e52d2812fa4b5L,0xec74109653311fe8L,
+        0x4f774535b864514bL } },
+    /* 24 << 154 */
+    { { 0xbcadd6715bde48f8L,0xc97038732189bc7dL,0x5d45299ec709ee8aL,
+        0xd1287ee2845aaff8L },
+      { 0x7d1f8874db1dbf1fL,0xea46588b990c88d6L,0x60ba649a84368313L,
+        0xd5fdcbce60d543aeL } },
+    /* 25 << 154 */
+    { { 0x90b46d43810d5ab0L,0x6739d8f904d7e5ccL,0x021c1a580d337c33L,
+        0x00a6116268e67c40L },
+      { 0x95ef413b379f0a1fL,0xfe126605e9e2ab95L,0x67578b852f5f199cL,
+        0xf5c003292cb84913L } },
+    /* 26 << 154 */
+    { { 0xf795643037577dd8L,0x83b82af429c5fe88L,0x9c1bea26cdbdc132L,
+        0x589fa0869c04339eL },
+      { 0x033e9538b13799dfL,0x85fa8b21d295d034L,0xdf17f73fbd9ddccaL,
+        0xf32bd122ddb66334L } },
+    /* 27 << 154 */
+    { { 0x55ef88a7858b044cL,0x1f0d69c25aa9e397L,0x55fd9cc340d85559L,
+        0xc774df727785ddb2L },
+      { 0x5dcce9f6d3bd2e1cL,0xeb30da20a85dfed0L,0x5ed7f5bbd3ed09c4L,
+        0x7d42a35c82a9c1bdL } },
+    /* 28 << 154 */
+    { { 0xcf3de9959890272dL,0x75f3432a3e713a10L,0x5e13479fe28227b8L,
+        0xb8561ea9fefacdc8L },
+      { 0xa6a297a08332aafdL,0x9b0d8bb573809b62L,0xd2fa1cfd0c63036fL,
+        0x7a16eb55bd64bda8L } },
+    /* 29 << 154 */
+    { { 0x3f5cf5f678e62ddcL,0x2267c45407fd752bL,0x5e361b6b5e437bbeL,
+        0x95c595018354e075L },
+      { 0xec725f85f2b254d9L,0x844b617d2cb52b4eL,0xed8554f5cf425fb5L,
+        0xab67703e2af9f312L } },
+    /* 30 << 154 */
+    { { 0x4cc34ec13cf48283L,0xb09daa259c8a705eL,0xd1e9d0d05b7d4f84L,
+        0x4df6ef64db38929dL },
+      { 0xe16b0763aa21ba46L,0xc6b1d178a293f8fbL,0x0ff5b602d520aabfL,
+        0x94d671bdc339397aL } },
+    /* 31 << 154 */
+    { { 0x7c7d98cf4f5792faL,0x7c5e0d6711215261L,0x9b19a631a7c5a6d4L,
+        0xc8511a627a45274dL },
+      { 0x0c16621ca5a60d99L,0xf7fbab88cf5e48cbL,0xab1e6ca2f7ddee08L,
+        0x83bd08cee7867f3cL } },
+    /* 32 << 154 */
+    { { 0xf7e48e8a2ac13e27L,0x4494f6df4eb1a9f5L,0xedbf84eb981f0a62L,
+        0x49badc32536438f0L },
+      { 0x50bea541004f7571L,0xbac67d10df1c94eeL,0x253d73a1b727bc31L,
+        0xb3d01cf230686e28L } },
+    /* 33 << 154 */
+    { { 0x51b77b1b55fd0b8bL,0xa099d183feec3173L,0x202b1fb7670e72b7L,
+        0xadc88b33a8e1635fL },
+      { 0x34e8216af989d905L,0xc2e68d2029b58d01L,0x11f81c926fe55a93L,
+        0x15f1462a8f296f40L } },
+    /* 34 << 154 */
+    { { 0x1915d375ea3d62f2L,0xa17765a301c8977dL,0x7559710ae47b26f6L,
+        0xe0bd29c8535077a5L },
+      { 0x615f976d08d84858L,0x370dfe8569ced5c1L,0xbbc7503ca734fa56L,
+        0xfbb9f1ec91ac4574L } },
+    /* 35 << 154 */
+    { { 0x95d7ec53060dd7efL,0xeef2dacd6e657979L,0x54511af3e2a08235L,
+        0x1e324aa41f4aea3dL },
+      { 0x550e7e71e6e67671L,0xbccd5190bf52faf7L,0xf880d316223cc62aL,
+        0x0d402c7e2b32eb5dL } },
+    /* 36 << 154 */
+    { { 0xa40bc039306a5a3bL,0x4e0a41fd96783a1bL,0xa1e8d39a0253cdd4L,
+        0x6480be26c7388638L },
+      { 0xee365e1d2285f382L,0x188d8d8fec0b5c36L,0x34ef1a481f0f4d82L,
+        0x1a8f43e1a487d29aL } },
+    /* 37 << 154 */
+    { { 0x8168226d77aefb3aL,0xf69a751e1e72c253L,0x8e04359ae9594df1L,
+        0x475ffd7dd14c0467L },
+      { 0xb5a2c2b13844e95cL,0x85caf647dd12ef94L,0x1ecd2a9ff1063d00L,
+        0x1dd2e22923843311L } },
+    /* 38 << 154 */
+    { { 0x38f0e09d73d17244L,0x3ede77468fc653f1L,0xae4459f5dc20e21cL,
+        0x00db2ffa6a8599eaL },
+      { 0x11682c3930cfd905L,0x4934d074a5c112a6L,0xbdf063c5568bfe95L,
+        0x779a440a016c441aL } },
+    /* 39 << 154 */
+    { { 0x0c23f21897d6fbdcL,0xd3a5cd87e0776aacL,0xcee37f72d712e8dbL,
+        0xfb28c70d26f74e8dL },
+      { 0xffe0c728b61301a0L,0xa6282168d3724354L,0x7ff4cb00768ffedcL,
+        0xc51b308803b02de9L } },
+    /* 40 << 154 */
+    { { 0xa5a8147c3902dda5L,0x35d2f706fe6973b4L,0x5ac2efcfc257457eL,
+        0x933f48d48700611bL },
+      { 0xc365af884912beb2L,0x7f5a4de6162edf94L,0xc646ba7c0c32f34bL,
+        0x632c6af3b2091074L } },
+    /* 41 << 154 */
+    { { 0x58d4f2e3753e43a9L,0x70e1d21724d4e23fL,0xb24bf729afede6a6L,
+        0x7f4a94d8710c8b60L },
+      { 0xaad90a968d4faa6aL,0xd9ed0b32b066b690L,0x52fcd37b78b6dbfdL,
+        0x0b64615e8bd2b431L } },
+    /* 42 << 154 */
+    { { 0x228e2048cfb9fad5L,0xbeaa386d240b76bdL,0x2d6681c890dad7bcL,
+        0x3e553fc306d38f5eL },
+      { 0xf27cdb9b9d5f9750L,0x3e85c52ad28c5b0eL,0x190795af5247c39bL,
+        0x547831ebbddd6828L } },
+    /* 43 << 154 */
+    { { 0xf327a2274a82f424L,0x36919c787e47f89dL,0xe478391943c7392cL,
+        0xf101b9aa2316fefeL },
+      { 0xbcdc9e9c1c5009d2L,0xfb55ea139cd18345L,0xf5b5e231a3ce77c7L,
+        0xde6b4527d2f2cb3dL } },
+    /* 44 << 154 */
+    { { 0x10f6a3339bb26f5fL,0x1e85db8e044d85b6L,0xc3697a0894197e54L,
+        0x65e18cc0a7cb4ea8L },
+      { 0xa38c4f50a471fe6eL,0xf031747a2f13439cL,0x53c4a6bac007318bL,
+        0xa8da3ee51deccb3dL } },
+    /* 45 << 154 */
+    { { 0x0555b31c558216b1L,0x90c7810c2f79e6c2L,0x9b669f4dfe8eed3cL,
+        0x70398ec8e0fac126L },
+      { 0xa96a449ef701b235L,0x0ceecdb3eb94f395L,0x285fc368d0cb7431L,
+        0x0d37bb5216a18c64L } },
+    /* 46 << 154 */
+    { { 0x05110d38b880d2ddL,0xa60f177b65930d57L,0x7da34a67f36235f5L,
+        0x47f5e17c183816b9L },
+      { 0xc7664b57db394af4L,0x39ba215d7036f789L,0x46d2ca0e2f27b472L,
+        0xc42647eef73a84b7L } },
+    /* 47 << 154 */
+    { { 0x44bc754564488f1dL,0xaa922708f4cf85d5L,0x721a01d553e4df63L,
+        0x649c0c515db46cedL },
+      { 0x6bf0d64e3cffcb6cL,0xe3bf93fe50f71d96L,0x75044558bcc194a0L,
+        0x16ae33726afdc554L } },
+    /* 48 << 154 */
+    { { 0xbfc01adf5ca48f3fL,0x64352f06e22a9b84L,0xcee54da1c1099e4aL,
+        0xbbda54e8fa1b89c0L },
+      { 0x166a3df56f6e55fbL,0x1ca44a2420176f88L,0x936afd88dfb7b5ffL,
+        0xe34c24378611d4a0L } },
+    /* 49 << 154 */
+    { { 0x7effbb7586142103L,0x6704ba1b1f34fc4dL,0x7c2a468f10c1b122L,
+        0x36b3a6108c6aace9L },
+      { 0xabfcc0a775a0d050L,0x066f91973ce33e32L,0xce905ef429fe09beL,
+        0x89ee25baa8376351L } },
+    /* 50 << 154 */
+    { { 0x2a3ede22fd29dc76L,0x7fd32ed936f17260L,0x0cadcf68284b4126L,
+        0x63422f08a7951fc8L },
+      { 0x562b24f40807e199L,0xfe9ce5d122ad4490L,0xc2f51b100db2b1b4L,
+        0xeb3613ffe4541d0dL } },
+    /* 51 << 154 */
+    { { 0xbd2c4a052680813bL,0x527aa55d561b08d6L,0xa9f8a40ea7205558L,
+        0xe3eea56f243d0becL },
+      { 0x7b853817a0ff58b3L,0xb67d3f651a69e627L,0x0b76bbb9a869b5d6L,
+        0xa3afeb82546723edL } },
+    /* 52 << 154 */
+    { { 0x5f24416d3e554892L,0x8413b53d430e2a45L,0x99c56aee9032a2a0L,
+        0x09432bf6eec367b1L },
+      { 0x552850c6daf0ecc1L,0x49ebce555bc92048L,0xdfb66ba654811307L,
+        0x1b84f7976f298597L } },
+    /* 53 << 154 */
+    { { 0x795904818d1d7a0dL,0xd9fabe033a6fa556L,0xa40f9c59ba9e5d35L,
+        0xcb1771c1f6247577L },
+      { 0x542a47cae9a6312bL,0xa34b3560552dd8c5L,0xfdf94de00d794716L,
+        0xd46124a99c623094L } },
+    /* 54 << 154 */
+    { { 0x56b7435d68afe8b4L,0x27f205406c0d8ea1L,0x12b77e1473186898L,
+        0xdbc3dd467479490fL },
+      { 0x951a9842c03b0c05L,0x8b1b3bb37921bc96L,0xa573b3462b202e0aL,
+        0x77e4665d47254d56L } },
+    /* 55 << 154 */
+    { { 0x08b70dfcd23e3984L,0xab86e8bcebd14236L,0xaa3e07f857114ba7L,
+        0x5ac71689ab0ef4f2L },
+      { 0x88fca3840139d9afL,0x72733f8876644af0L,0xf122f72a65d74f4aL,
+        0x13931577a5626c7aL } },
+    /* 56 << 154 */
+    { { 0xd5b5d9eb70f8d5a4L,0x375adde7d7bbb228L,0x31e88b860c1c0b32L,
+        0xd1f568c4173edbaaL },
+      { 0x1592fc835459df02L,0x2beac0fb0fcd9a7eL,0xb0a6fdb81b473b0aL,
+        0xe3224c6f0fe8fc48L } },
+    /* 57 << 154 */
+    { { 0x680bd00ee87edf5bL,0x30385f0220e77cf5L,0xe9ab98c04d42d1b2L,
+        0x72d191d2d3816d77L },
+      { 0x1564daca0917d9e5L,0x394eab591f8fed7fL,0xa209aa8d7fbb3896L,
+        0x5564f3b9be6ac98eL } },
+    /* 58 << 154 */
+    { { 0xead21d05d73654efL,0x68d1a9c413d78d74L,0x61e017086d4973a0L,
+        0x83da350046e6d32aL },
+      { 0x6a3dfca468ae0118L,0xa1b9a4c9d02da069L,0x0b2ff9c7ebab8302L,
+        0x98af07c3944ba436L } },
+    /* 59 << 154 */
+    { { 0x85997326995f0f9fL,0x467fade071b58bc6L,0x47e4495abd625a2bL,
+        0xfdd2d01d33c3b8cdL },
+      { 0x2c38ae28c693f9faL,0x48622329348f7999L,0x97bf738e2161f583L,
+        0x15ee2fa7565e8cc9L } },
+    /* 60 << 154 */
+    { { 0xa1a5c8455777e189L,0xcc10bee0456f2829L,0x8ad95c56da762bd5L,
+        0x152e2214e9d91da8L },
+      { 0x975b0e727cb23c74L,0xfd5d7670a90c66dfL,0xb5b5b8ad225ffc53L,
+        0xab6dff73faded2aeL } },
+    /* 61 << 154 */
+    { { 0xebd567816f4cbe9dL,0x0ed8b2496a574bd7L,0x41c246fe81a881faL,
+        0x91564805c3db9c70L },
+      { 0xd7c12b085b862809L,0x1facd1f155858d7bL,0x7693747caf09e92aL,
+        0x3b69dcba189a425fL } },
+    /* 62 << 154 */
+    { { 0x0be28e9f967365efL,0x57300eb2e801f5c9L,0x93b8ac6ad583352fL,
+        0xa2cf1f89cd05b2b7L },
+      { 0x7c0c9b744dcc40ccL,0xfee38c45ada523fbL,0xb49a4dec1099cc4dL,
+        0x325c377f69f069c6L } },
+    /* 63 << 154 */
+    { { 0xe12458ce476cc9ffL,0x580e0b6cc6d4cb63L,0xd561c8b79072289bL,
+        0x0377f264a619e6daL },
+      { 0x2668536288e591a5L,0xa453a7bd7523ca2bL,0x8a9536d2c1df4533L,
+        0xc8e50f2fbe972f79L } },
+    /* 64 << 154 */
+    { { 0xd433e50f6d3549cfL,0x6f33696ffacd665eL,0x695bfdacce11fcb4L,
+        0x810ee252af7c9860L },
+      { 0x65450fe17159bb2cL,0xf7dfbebe758b357bL,0x2b057e74d69fea72L,
+        0xd485717a92731745L } },
+    /* 0 << 161 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 161 */
+    { { 0x896c42e8ee36860cL,0xdaf04dfd4113c22dL,0x1adbb7b744104213L,
+        0xe5fd5fa11fd394eaL },
+      { 0x68235d941a4e0551L,0x6772cfbe18d10151L,0x276071e309984523L,
+        0xe4e879de5a56ba98L } },
+    /* 2 << 161 */
+    { { 0xaaafafb0285b9491L,0x01a0be881e4c705eL,0xff1d4f5d2ad9caabL,
+        0x6e349a4ac37a233fL },
+      { 0xcf1c12464a1c6a16L,0xd99e6b6629383260L,0xea3d43665f6d5471L,
+        0x36974d04ff8cc89bL } },
+    /* 3 << 161 */
+    { { 0xc26c49a1cfe89d80L,0xb42c026dda9c8371L,0xca6c013adad066d2L,
+        0xfb8f722856a4f3eeL },
+      { 0x08b579ecd850935bL,0x34c1a74cd631e1b3L,0xcb5fe596ac198534L,
+        0x39ff21f6e1f24f25L } },
+    /* 4 << 161 */
+    { { 0x27f29e148f929057L,0x7a64ae06c0c853dfL,0x256cd18358e9c5ceL,
+        0x9d9cce82ded092a5L },
+      { 0xcc6e59796e93b7c7L,0xe1e4709231bb9e27L,0xb70b3083aa9e29a0L,
+        0xbf181a753785e644L } },
+    /* 5 << 161 */
+    { { 0xf53f2c658ead09f7L,0x1335e1d59780d14dL,0x69cc20e0cd1b66bcL,
+        0x9b670a37bbe0bfc8L },
+      { 0xce53dc8128efbeedL,0x0c74e77c8326a6e5L,0x3604e0d2b88e9a63L,
+        0xbab38fca13dc2248L } },
+    /* 6 << 161 */
+    { { 0x8ed6e8c85c0a3f1eL,0xbcad24927c87c37fL,0xfdfb62bb9ee3b78dL,
+        0xeba8e477cbceba46L },
+      { 0x37d38cb0eeaede4bL,0x0bc498e87976deb6L,0xb2944c046b6147fbL,
+        0x8b123f35f71f9609L } },
+    /* 7 << 161 */
+    { { 0xa155dcc7de79dc24L,0xf1168a32558f69cdL,0xbac215950d1850dfL,
+        0x15c8295bb204c848L },
+      { 0xf661aa367d8184ffL,0xc396228e30447bdbL,0x11cd5143bde4a59eL,
+        0xe3a26e3b6beab5e6L } },
+    /* 8 << 161 */
+    { { 0xd3b3a13f1402b9d0L,0x573441c32c7bc863L,0x4b301ec4578c3e6eL,
+        0xc26fc9c40adaf57eL },
+      { 0x96e71bfd7493cea3L,0xd05d4b3f1af81456L,0xdaca2a8a6a8c608fL,
+        0x53ef07f60725b276L } },
+    /* 9 << 161 */
+    { { 0x07a5fbd27824fc56L,0x3467521813289077L,0x5bf69fd5e0c48349L,
+        0xa613ddd3b6aa7875L },
+      { 0x7f78c19c5450d866L,0x46f4409c8f84a481L,0x9f1d192890fce239L,
+        0x016c4168b2ce44b9L } },
+    /* 10 << 161 */
+    { { 0xbae023f0c7435978L,0xb152c88820e30e19L,0x9c241645e3fa6fafL,
+        0x735d95c184823e60L },
+      { 0x0319757303955317L,0x0b4b02a9f03b4995L,0x076bf55970274600L,
+        0x32c5cc53aaf57508L } },
+    /* 11 << 161 */
+    { { 0xe8af6d1f60624129L,0xb7bc5d649a5e2b5eL,0x3814b0485f082d72L,
+        0x76f267f2ce19677aL },
+      { 0x626c630fb36eed93L,0x55230cd73bf56803L,0x78837949ce2736a0L,
+        0x0d792d60aa6c55f1L } },
+    /* 12 << 161 */
+    { { 0x0318dbfdd5c7c5d2L,0xb38f8da7072b342dL,0x3569bddc7b8de38aL,
+        0xf25b5887a1c94842L },
+      { 0xb2d5b2842946ad60L,0x854f29ade9d1707eL,0xaa5159dc2c6a4509L,
+        0x899f94c057189837L } },
+    /* 13 << 161 */
+    { { 0xcf6adc51f4a55b03L,0x261762de35e3b2d5L,0x4cc4301204827b51L,
+        0xcd22a113c6021442L },
+      { 0xce2fd61a247c9569L,0x59a50973d152becaL,0x6c835a1163a716d4L,
+        0xc26455ed187dedcfL } },
+    /* 14 << 161 */
+    { { 0x27f536e049ce89e7L,0x18908539cc890cb5L,0x308909abd83c2aa1L,
+        0xecd3142b1ab73bd3L },
+      { 0x6a85bf59b3f5ab84L,0x3c320a68f2bea4c6L,0xad8dc5386da4541fL,
+        0xeaf34eb0b7c41186L } },
+    /* 15 << 161 */
+    { { 0x1c780129977c97c4L,0x5ff9beebc57eb9faL,0xa24d0524c822c478L,
+        0xfd8eec2a461cd415L },
+      { 0xfbde194ef027458cL,0xb4ff53191d1be115L,0x63f874d94866d6f4L,
+        0x35c75015b21ad0c9L } },
+    /* 16 << 161 */
+    { { 0xa6b5c9d646ac49d2L,0x42c77c0b83137aa9L,0x24d000fc68225a38L,
+        0x0f63cfc82fe1e907L },
+      { 0x22d1b01bc6441f95L,0x7d38f719ec8e448fL,0x9b33fa5f787fb1baL,
+        0x94dcfda1190158dfL } },
+    /* 17 << 161 */
+    { { 0xc47cb3395f6d4a09L,0x6b4f355cee52b826L,0x3d100f5df51b930aL,
+        0xf4512fac9f668f69L },
+      { 0x546781d5206c4c74L,0xd021d4d4cb4d2e48L,0x494a54c2ca085c2dL,
+        0xf1dbaca4520850a8L } },
+    /* 18 << 161 */
+    { { 0x63c79326490a1acaL,0xcb64dd9c41526b02L,0xbb772591a2979258L,
+        0x3f58297048d97846L },
+      { 0xd66b70d17c213ba7L,0xc28febb5e8a0ced4L,0x6b911831c10338c1L,
+        0x0d54e389bf0126f3L } },
+    /* 19 << 161 */
+    { { 0x7048d4604af206eeL,0x786c88f677e97cb9L,0xd4375ae1ac64802eL,
+        0x469bcfe1d53ec11cL },
+      { 0xfc9b340d47062230L,0xe743bb57c5b4a3acL,0xfe00b4aa59ef45acL,
+        0x29a4ef2359edf188L } },
+    /* 20 << 161 */
+    { { 0x40242efeb483689bL,0x2575d3f6513ac262L,0xf30037c80ca6db72L,
+        0xc9fcce8298864be2L },
+      { 0x84a112ff0149362dL,0x95e575821c4ae971L,0x1fa4b1a8945cf86cL,
+        0x4525a7340b024a2fL } },
+    /* 21 << 161 */
+    { { 0xe76c8b628f338360L,0x483ff59328edf32bL,0x67e8e90a298b1aecL,
+        0x9caab338736d9a21L },
+      { 0x5c09d2fd66892709L,0x2496b4dcb55a1d41L,0x93f5fb1ae24a4394L,
+        0x08c750496fa8f6c1L } },
+    /* 22 << 161 */
+    { { 0xcaead1c2c905d85fL,0xe9d7f7900733ae57L,0x24c9a65cf07cdd94L,
+        0x7389359ca4b55931L },
+      { 0xf58709b7367e45f7L,0x1f203067cb7e7adcL,0x82444bffc7b72818L,
+        0x07303b35baac8033L } },
+    /* 23 << 161 */
+    { { 0x1e1ee4e4d13b7ea1L,0xe6489b24e0e74180L,0xa5f2c6107e70ef70L,
+        0xa1655412bdd10894L },
+      { 0x555ebefb7af4194eL,0x533c1c3c8e89bd9cL,0x735b9b5789895856L,
+        0x15fb3cd2567f5c15L } },
+    /* 24 << 161 */
+    { { 0x057fed45526f09fdL,0xe8a4f10c8128240aL,0x9332efc4ff2bfd8dL,
+        0x214e77a0bd35aa31L },
+      { 0x32896d7314faa40eL,0x767867ec01e5f186L,0xc9adf8f117a1813eL,
+        0xcb6cda7854741795L } },
+    /* 25 << 161 */
+    { { 0xb7521b6d349d51aaL,0xf56b5a9ee3c7b8e9L,0xc6f1e5c932a096dfL,
+        0x083667c4a3635024L },
+      { 0x365ea13518087f2fL,0xf1b8eaacd136e45dL,0xc8a0e48473aec989L,
+        0xd75a324b142c9259L } },
+    /* 26 << 161 */
+    { { 0xb7b4d00101dae185L,0x45434e0b9b7a94bcL,0xf54339affbd8cb0bL,
+        0xdcc4569ee98ef49eL },
+      { 0x7789318a09a51299L,0x81b4d206b2b025d8L,0xf64aa418fae85792L,
+        0x3e50258facd7baf7L } },
+    /* 27 << 161 */
+    { { 0xdce84cdb2996864bL,0xa2e670891f485fa4L,0xb28b2bb6534c6a5aL,
+        0x31a7ec6bc94b9d39L },
+      { 0x1d217766d6bc20daL,0x4acdb5ec86761190L,0x6872632873701063L,
+        0x4d24ee7c2128c29bL } },
+    /* 28 << 161 */
+    { { 0xc072ebd3a19fd868L,0x612e481cdb8ddd3bL,0xb4e1d7541a64d852L,
+        0x00ef95acc4c6c4abL },
+      { 0x1536d2edaa0a6c46L,0x6129408643774790L,0x54af25e8343fda10L,
+        0x9ff9d98dfd25d6f2L } },
+    /* 29 << 161 */
+    { { 0x0746af7c468b8835L,0x977a31cb730ecea7L,0xa5096b80c2cf4a81L,
+        0xaa9868336458c37aL },
+      { 0x6af29bf3a6bd9d34L,0x6a62fe9b33c5d854L,0x50e6c304b7133b5eL,
+        0x04b601597d6e6848L } },
+    /* 30 << 161 */
+    { { 0x4cd296df5579bea4L,0x10e35ac85ceedaf1L,0x04c4c5fde3bcc5b1L,
+        0x95f9ee8a89412cf9L },
+      { 0x2c9459ee82b6eb0fL,0x2e84576595c2aaddL,0x774a84aed327fcfeL,
+        0xd8c937220368d476L } },
+    /* 31 << 161 */
+    { { 0x0dbd5748f83e8a3bL,0xa579aa968d2495f3L,0x535996a0ae496e9bL,
+        0x07afbfe9b7f9bcc2L },
+      { 0x3ac1dc6d5b7bd293L,0x3b592cff7022323dL,0xba0deb989c0a3e76L,
+        0x18e78e9f4b197acbL } },
+    /* 32 << 161 */
+    { { 0x211cde10296c36efL,0x7ee8967282c4da77L,0xb617d270a57836daL,
+        0xf0cd9c319cb7560bL },
+      { 0x01fdcbf7e455fe90L,0x3fb53cbb7e7334f3L,0x781e2ea44e7de4ecL,
+        0x8adab3ad0b384fd0L } },
+    /* 33 << 161 */
+    { { 0x129eee2f53d64829L,0x7a471e17a261492bL,0xe4f9adb9e4cb4a2cL,
+        0x3d359f6f97ba2c2dL },
+      { 0x346c67860aacd697L,0x92b444c375c2f8a8L,0xc79fa117d85df44eL,
+        0x56782372398ddf31L } },
+    /* 34 << 161 */
+    { { 0x60e690f2bbbab3b8L,0x4851f8ae8b04816bL,0xc72046ab9c92e4d2L,
+        0x518c74a17cf3136bL },
+      { 0xff4eb50af9877d4cL,0x14578d90a919cabbL,0x8218f8c4ac5eb2b6L,
+        0xa3ccc547542016e4L } },
+    /* 35 << 161 */
+    { { 0x025bf48e327f8349L,0xf3e97346f43cb641L,0xdc2bafdf500f1085L,
+        0x571678762f063055L },
+      { 0x5bd914b9411925a6L,0x7c078d48a1123de5L,0xee6bf835182b165dL,
+        0xb11b5e5bba519727L } },
+    /* 36 << 161 */
+    { { 0xe33ea76c1eea7b85L,0x2352b46192d4f85eL,0xf101d334afe115bbL,
+        0xfabc1294889175a3L },
+      { 0x7f6bcdc05233f925L,0xe0a802dbe77fec55L,0xbdb47b758069b659L,
+        0x1c5e12def98fbd74L } },
+    /* 37 << 161 */
+    { { 0x869c58c64b8457eeL,0xa5360f694f7ea9f7L,0xe576c09ff460b38fL,
+        0x6b70d54822b7fb36L },
+      { 0x3fd237f13bfae315L,0x33797852cbdff369L,0x97df25f525b516f9L,
+        0x46f388f2ba38ad2dL } },
+    /* 38 << 161 */
+    { { 0x656c465889d8ddbbL,0x8830b26e70f38ee8L,0x4320fd5cde1212b0L,
+        0xc34f30cfe4a2edb2L },
+      { 0xabb131a356ab64b8L,0x7f77f0ccd99c5d26L,0x66856a37bf981d94L,
+        0x19e76d09738bd76eL } },
+    /* 39 << 161 */
+    { { 0xe76c8ac396238f39L,0xc0a482bea830b366L,0xb7b8eaff0b4eb499L,
+        0x8ecd83bc4bfb4865L },
+      { 0x971b2cb7a2f3776fL,0xb42176a4f4b88adfL,0xb9617df5be1fa446L,
+        0x8b32d508cd031bd2L } },
+    /* 40 << 161 */
+    { { 0x1c6bd47d53b618c0L,0xc424f46c6a227923L,0x7303ffdedd92d964L,
+        0xe971287871b5abf2L },
+      { 0x8f48a632f815561dL,0x85f48ff5d3c055d1L,0x222a14277525684fL,
+        0xd0d841a067360cc3L } },
+    /* 41 << 161 */
+    { { 0x4245a9260b9267c6L,0xc78913f1cf07f863L,0xaa844c8e4d0d9e24L,
+        0xa42ad5223d5f9017L },
+      { 0xbd371749a2c989d5L,0x928292dfe1f5e78eL,0x493b383e0a1ea6daL,
+        0x5136fd8d13aee529L } },
+    /* 42 << 161 */
+    { { 0x860c44b1f2c34a99L,0x3b00aca4bf5855acL,0xabf6aaa0faaf37beL,
+        0x65f436822a53ec08L },
+      { 0x1d9a5801a11b12e1L,0x78a7ab2ce20ed475L,0x0de1067e9a41e0d5L,
+        0x30473f5f305023eaL } },
+    /* 43 << 161 */
+    { { 0xdd3ae09d169c7d97L,0x5cd5baa4cfaef9cdL,0x5cd7440b65a44803L,
+        0xdc13966a47f364deL },
+      { 0x077b2be82b8357c1L,0x0cb1b4c5e9d57c2aL,0x7a4ceb3205ff363eL,
+        0xf310fa4dca35a9efL } },
+    /* 44 << 161 */
+    { { 0xdbb7b352f97f68c6L,0x0c773b500b02cf58L,0xea2e48213c1f96d9L,
+        0xffb357b0eee01815L },
+      { 0xb9c924cde0f28039L,0x0b36c95a46a3fbe4L,0x1faaaea45e46db6cL,
+        0xcae575c31928aaffL } },
+    /* 45 << 161 */
+    { { 0x7f671302a70dab86L,0xfcbd12a971c58cfcL,0xcbef9acfbee0cb92L,
+        0x573da0b9f8c1b583L },
+      { 0x4752fcfe0d41d550L,0xe7eec0e32155cffeL,0x0fc39fcb545ae248L,
+        0x522cb8d18065f44eL } },
+    /* 46 << 161 */
+    { { 0x263c962a70cbb96cL,0xe034362abcd124a9L,0xf120db283c2ae58dL,
+        0xb9a38d49fef6d507L },
+      { 0xb1fd2a821ff140fdL,0xbd162f3020aee7e0L,0x4e17a5d4cb251949L,
+        0x2aebcb834f7e1c3dL } },
+    /* 47 << 161 */
+    { { 0x608eb25f937b0527L,0xf42e1e47eb7d9997L,0xeba699c4b8a53a29L,
+        0x1f921c71e091b536L },
+      { 0xcce29e7b5b26bbd5L,0x7a8ef5ed3b61a680L,0xe5ef8043ba1f1c7eL,
+        0x16ea821718158ddaL } },
+    /* 48 << 161 */
+    { { 0x01778a2b599ff0f9L,0x68a923d78104fc6bL,0x5bfa44dfda694ff3L,
+        0x4f7199dbf7667f12L },
+      { 0xc06d8ff6e46f2a79L,0x08b5deade9f8131dL,0x02519a59abb4ce7cL,
+        0xc4f710bcb42aec3eL } },
+    /* 49 << 161 */
+    { { 0x3d77b05778bde41aL,0x6474bf80b4186b5aL,0x048b3f6788c65741L,
+        0xc64519de03c7c154L },
+      { 0xdf0738460edfcc4fL,0x319aa73748f1aa6bL,0x8b9f8a02ca909f77L,
+        0x902581397580bfefL } },
+    /* 50 << 161 */
+    { { 0xd8bfd3cac0c22719L,0xc60209e4c9ca151eL,0x7a744ab5d9a1a69cL,
+        0x6de5048b14937f8fL },
+      { 0x171938d8e115ac04L,0x7df709401c6b16d2L,0xa6aeb6637f8e94e7L,
+        0xc130388e2a2cf094L } },
+    /* 51 << 161 */
+    { { 0x1850be8477f54e6eL,0x9f258a7265d60fe5L,0xff7ff0c06c9146d6L,
+        0x039aaf90e63a830bL },
+      { 0x38f27a739460342fL,0x4703148c3f795f8aL,0x1bb5467b9681a97eL,
+        0x00931ba5ecaeb594L } },
+    /* 52 << 161 */
+    { { 0xcdb6719d786f337cL,0xd9c01cd2e704397dL,0x0f4a3f20555c2fefL,
+        0x004525097c0af223L },
+      { 0x54a5804784db8e76L,0x3bacf1aa93c8aa06L,0x11ca957cf7919422L,
+        0x5064105378cdaa40L } },
+    /* 53 << 161 */
+    { { 0x7a3038749f7144aeL,0x170c963f43d4acfdL,0x5e14814958ddd3efL,
+        0xa7bde5829e72dba8L },
+      { 0x0769da8b6fa68750L,0xfa64e532572e0249L,0xfcaadf9d2619ad31L,
+        0x87882daaa7b349cdL } },
+    /* 54 << 161 */
+    { { 0x9f6eb7316c67a775L,0xcb10471aefc5d0b1L,0xb433750ce1b806b2L,
+        0x19c5714d57b1ae7eL },
+      { 0xc0dc8b7bed03fd3fL,0xdd03344f31bc194eL,0xa66c52a78c6320b5L,
+        0x8bc82ce3d0b6fd93L } },
+    /* 55 << 161 */
+    { { 0xf8e13501b35f1341L,0xe53156dd25a43e42L,0xd3adf27e4daeb85cL,
+        0xb81d8379bbeddeb5L },
+      { 0x1b0b546e2e435867L,0x9020eb94eba5dd60L,0x37d911618210cb9dL,
+        0x4c596b315c91f1cfL } },
+    /* 56 << 161 */
+    { { 0xb228a90f0e0b040dL,0xbaf02d8245ff897fL,0x2aac79e600fa6122L,
+        0x248288178e36f557L },
+      { 0xb9521d31113ec356L,0x9e48861e15eff1f8L,0x2aa1d412e0d41715L,
+        0x71f8620353f131b8L } },
+    /* 57 << 161 */
+    { { 0xf60da8da3fd19408L,0x4aa716dc278d9d99L,0x394531f7a8c51c90L,
+        0xb560b0e8f59db51cL },
+      { 0xa28fc992fa34bdadL,0xf024fa149cd4f8bdL,0x5cf530f723a9d0d3L,
+        0x615ca193e28c9b56L } },
+    /* 58 << 161 */
+    { { 0x6d2a483d6f73c51eL,0xa4cb2412ea0dc2ddL,0x50663c411eb917ffL,
+        0x3d3a74cfeade299eL },
+      { 0x29b3990f4a7a9202L,0xa9bccf59a7b15c3dL,0x66a3ccdca5df9208L,
+        0x48027c1443f2f929L } },
+    /* 59 << 161 */
+    { { 0xd385377c40b557f0L,0xe001c366cd684660L,0x1b18ed6be2183a27L,
+        0x879738d863210329L },
+      { 0xa687c74bbda94882L,0xd1bbcc48a684b299L,0xaf6f1112863b3724L,
+        0x6943d1b42c8ce9f8L } },
+    /* 60 << 161 */
+    { { 0xe044a3bb098cafb4L,0x27ed231060d48cafL,0x542b56753a31b84dL,
+        0xcbf3dd50fcddbed7L },
+      { 0x25031f1641b1d830L,0xa7ec851dcb0c1e27L,0xac1c8fe0b5ae75dbL,
+        0xb24c755708c52120L } },
+    /* 61 << 161 */
+    { { 0x57f811dc1d4636c3L,0xf8436526681a9939L,0x1f6bc6d99c81adb3L,
+        0x840f8ac35b7d80d4L },
+      { 0x731a9811f4387f1aL,0x7c501cd3b5156880L,0xa5ca4a07dfe68867L,
+        0xf123d8f05fcea120L } },
+    /* 62 << 161 */
+    { { 0x1fbb0e71d607039eL,0x2b70e215cd3a4546L,0x32d2f01d53324091L,
+        0xb796ff08180ab19bL },
+      { 0x32d87a863c57c4aaL,0x2aed9cafb7c49a27L,0x9fb35eac31630d98L,
+        0x338e8cdf5c3e20a3L } },
+    /* 63 << 161 */
+    { { 0x80f1618266cde8dbL,0x4e1599802d72fd36L,0xd7b8f13b9b6e5072L,
+        0xf52139073b7b5dc1L },
+      { 0x4d431f1d8ce4396eL,0x37a1a680a7ed2142L,0xbf375696d01aaf6bL,
+        0xaa1c0c54e63aab66L } },
+    /* 64 << 161 */
+    { { 0x3014368b4ed80940L,0x67e6d0567a6fceddL,0x7c208c49ca97579fL,
+        0xfe3d7a81a23597f6L },
+      { 0x5e2032027e096ae2L,0xb1f3e1e724b39366L,0x26da26f32fdcdffcL,
+        0x79422f1d6097be83L } },
+    /* 0 << 168 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 168 */
+    { { 0x263a2cfb9db3b381L,0x9c3a2deed4df0a4bL,0x728d06e97d04e61fL,
+        0x8b1adfbc42449325L },
+      { 0x6ec1d9397e053a1bL,0xee2be5c766daf707L,0x80ba1e14810ac7abL,
+        0xdd2ae778f530f174L } },
+    /* 2 << 168 */
+    { { 0x0435d97a205b9d8bL,0x6eb8f064056756d4L,0xd5e88a8bb6f8210eL,
+        0x070ef12dec9fd9eaL },
+      { 0x4d8495053bcc876aL,0x12a75338a7404ce3L,0xd22b49e1b8a1db5eL,
+        0xec1f205114bfa5adL } },
+    /* 3 << 168 */
+    { { 0xadbaeb79b6828f36L,0x9d7a025801bd5b9eL,0xeda01e0d1e844b0cL,
+        0x4b625175887edfc9L },
+      { 0x14109fdd9669b621L,0x88a2ca56f6f87b98L,0xfe2eb788170df6bcL,
+        0x0cea06f4ffa473f9L } },
+    /* 4 << 168 */
+    { { 0x43ed81b5c4e83d33L,0xd9f358795efd488bL,0x164a620f9deb4d0fL,
+        0xc6927bdbac6a7394L },
+      { 0x45c28df79f9e0f03L,0x2868661efcd7e1a9L,0x7cf4e8d0ffa348f1L,
+        0x6bd4c284398538e0L } },
+    /* 5 << 168 */
+    { { 0x2618a091289a8619L,0xef796e606671b173L,0x664e46e59090c632L,
+        0xa38062d41e66f8fbL },
+      { 0x6c744a200573274eL,0xd07b67e4a9271394L,0x391223b26bdc0e20L,
+        0xbe2d93f1eb0a05a7L } },
+    /* 6 << 168 */
+    { { 0xf23e2e533f36d141L,0xe84bb3d44dfca442L,0xb804a48d6b7c023aL,
+        0x1e16a8fa76431c3bL },
+      { 0x1b5452adddd472e0L,0x7d405ee70d1ee127L,0x50fc6f1dffa27599L,
+        0x351ac53cbf391b35L } },
+    /* 7 << 168 */
+    { { 0x7efa14b84444896bL,0x64974d2ff94027fbL,0xefdcd0e8de84487dL,
+        0x8c45b2602b48989bL },
+      { 0xa8fcbbc2d8463487L,0xd1b2b3f73fbc476cL,0x21d005b7c8f443c0L,
+        0x518f2e6740c0139cL } },
+    /* 8 << 168 */
+    { { 0x56036e8c06d75fc1L,0x2dcf7bb73249a89fL,0x81dd1d3de245e7ddL,
+        0xf578dc4bebd6e2a7L },
+      { 0x4c028903df2ce7a0L,0xaee362889c39afacL,0xdc847c31146404abL,
+        0x6304c0d8a4e97818L } },
+    /* 9 << 168 */
+    { { 0xae51dca2a91f6791L,0x2abe41909baa9efcL,0xd9d2e2f4559c7ac1L,
+        0xe82f4b51fc9f773aL },
+      { 0xa77130274073e81cL,0xc0276facfbb596fcL,0x1d819fc9a684f70cL,
+        0x29b47fddc9f7b1e0L } },
+    /* 10 << 168 */
+    { { 0x358de103459b1940L,0xec881c595b013e93L,0x51574c9349532ad3L,
+        0x2db1d445b37b46deL },
+      { 0xc6445b87df239fd8L,0xc718af75151d24eeL,0xaea1c4a4f43c6259L,
+        0x40c0e5d770be02f7L } },
+    /* 11 << 168 */
+    { { 0x6a4590f4721b33f2L,0x2124f1fbfedf04eaL,0xf8e53cde9745efe7L,
+        0xe7e1043265f046d9L },
+      { 0xc3fca28ee4d0c7e6L,0x847e339a87253b1bL,0x9b5953483743e643L,
+        0xcb6a0a0b4fd12fc5L } },
+    /* 12 << 168 */
+    { { 0xfb6836c327d02dccL,0x5ad009827a68bcc2L,0x1b24b44c005e912dL,
+        0xcc83d20f811fdcfeL },
+      { 0x36527ec1666fba0cL,0x6994819714754635L,0xfcdcb1a8556da9c2L,
+        0xa593426781a732b2L } },
+    /* 13 << 168 */
+    { { 0xec1214eda714181dL,0x609ac13b6067b341L,0xff4b4c97a545df1fL,
+        0xa124050134d2076bL },
+      { 0x6efa0c231409ca97L,0x254cc1a820638c43L,0xd4e363afdcfb46cdL,
+        0x62c2adc303942a27L } },
+    /* 14 << 168 */
+    { { 0xc67b9df056e46483L,0xa55abb2063736356L,0xab93c098c551bc52L,
+        0x382b49f9b15fe64bL },
+      { 0x9ec221ad4dff8d47L,0x79caf615437df4d6L,0x5f13dc64bb456509L,
+        0xe4c589d9191f0714L } },
+    /* 15 << 168 */
+    { { 0x27b6a8ab3fd40e09L,0xe455842e77313ea9L,0x8b51d1e21f55988bL,
+        0x5716dd73062bbbfcL },
+      { 0x633c11e54e8bf3deL,0x9a0e77b61b85be3bL,0x565107290911cca6L,
+        0x27e76495efa6590fL } },
+    /* 16 << 168 */
+    { { 0xe4ac8b33070d3aabL,0x2643672b9a2cd5e5L,0x52eff79b1cfc9173L,
+        0x665ca49b90a7c13fL },
+      { 0x5a8dda59b3efb998L,0x8a5b922d052f1341L,0xae9ebbab3cf9a530L,
+        0x35986e7bf56da4d7L } },
+    /* 17 << 168 */
+    { { 0x3a636b5cff3513ccL,0xbb0cf8ba3198f7ddL,0xb8d4052241f16f86L,
+        0x760575d8de13a7bfL },
+      { 0x36f74e169f7aa181L,0x163a3ecff509ed1cL,0x6aead61f3c40a491L,
+        0x158c95fcdfe8fcaaL } },
+    /* 18 << 168 */
+    { { 0xa3991b6e13cda46fL,0x79482415342faed0L,0xf3ba5bde666b5970L,
+        0x1d52e6bcb26ab6ddL },
+      { 0x768ba1e78608dd3dL,0x4930db2aea076586L,0xd9575714e7dc1afaL,
+        0x1fc7bf7df7c58817L } },
+    /* 19 << 168 */
+    { { 0x6b47accdd9eee96cL,0x0ca277fbe58cec37L,0x113fe413e702c42aL,
+        0xdd1764eec47cbe51L },
+      { 0x041e7cde7b3ed739L,0x50cb74595ce9e1c0L,0x355685132925b212L,
+        0x7cff95c4001b081cL } },
+    /* 20 << 168 */
+    { { 0x63ee4cbd8088b454L,0xdb7f32f79a9e0c8aL,0xb377d4186b2447cbL,
+        0xe3e982aad370219bL },
+      { 0x06ccc1e4c2a2a593L,0x72c368650773f24fL,0xa13b4da795859423L,
+        0x8bbf1d3375040c8fL } },
+    /* 21 << 168 */
+    { { 0x726f0973da50c991L,0x48afcd5b822d6ee2L,0xe5fc718b20fd7771L,
+        0xb9e8e77dfd0807a1L },
+      { 0x7f5e0f4499a7703dL,0x6972930e618e36f3L,0x2b7c77b823807bbeL,
+        0xe5b82405cb27ff50L } },
+    /* 22 << 168 */
+    { { 0xba8b8be3bd379062L,0xd64b7a1d2dce4a92L,0x040a73c5b2952e37L,
+        0x0a9e252ed438aecaL },
+      { 0xdd43956bc39d3bcbL,0x1a31ca00b32b2d63L,0xd67133b85c417a18L,
+        0xd08e47902ef442c8L } },
+    /* 23 << 168 */
+    { { 0x98cb1ae9255c0980L,0x4bd863812b4a739fL,0x5a5c31e11e4a45a1L,
+        0x1e5d55fe9cb0db2fL },
+      { 0x74661b068ff5cc29L,0x026b389f0eb8a4f4L,0x536b21a458848c24L,
+        0x2e5bf8ec81dc72b0L } },
+    /* 24 << 168 */
+    { { 0x03c187d0ad886aacL,0x5c16878ab771b645L,0xb07dfc6fc74045abL,
+        0x2c6360bf7800caedL },
+      { 0x24295bb5b9c972a3L,0xc9e6f88e7c9a6dbaL,0x90ffbf2492a79aa6L,
+        0xde29d50a41c26ac2L } },
+    /* 25 << 168 */
+    { { 0x9f0af483d309cbe6L,0x5b020d8ae0bced4fL,0x606e986db38023e3L,
+        0xad8f2c9d1abc6933L },
+      { 0x19292e1de7400e93L,0xfe3e18a952be5e4dL,0xe8e9771d2e0680bfL,
+        0x8c5bec98c54db063L } },
+    /* 26 << 168 */
+    { { 0x2af9662a74a55d1fL,0xe3fbf28f046f66d8L,0xa3a72ab4d4dc4794L,
+        0x09779f455c7c2dd8L },
+      { 0xd893bdafc3d19d8dL,0xd5a7509457d6a6dfL,0x8cf8fef9952e6255L,
+        0x3da67cfbda9a8affL } },
+    /* 27 << 168 */
+    { { 0x4c23f62a2c160dcdL,0x34e6c5e38f90eaefL,0x35865519a9a65d5aL,
+        0x07c48aae8fd38a3dL },
+      { 0xb7e7aeda50068527L,0x2c09ef231c90936aL,0x31ecfeb6e879324cL,
+        0xa0871f6bfb0ec938L } },
+    /* 28 << 168 */
+    { { 0xb1f0fb68d84d835dL,0xc90caf39861dc1e6L,0x12e5b0467594f8d7L,
+        0x26897ae265012b92L },
+      { 0xbcf68a08a4d6755dL,0x403ee41c0991fbdaL,0x733e343e3bbf17e8L,
+        0xd2c7980d679b3d65L } },
+    /* 29 << 168 */
+    { { 0x33056232d2e11305L,0x966be492f3c07a6fL,0x6a8878ffbb15509dL,
+        0xff2211010a9b59a4L },
+      { 0x6c9f564aabe30129L,0xc6f2c940336e64cfL,0x0fe752628b0c8022L,
+        0xbe0267e96ae8db87L } },
+    /* 30 << 168 */
+    { { 0x22e192f193bc042bL,0xf085b534b237c458L,0xa0d192bd832c4168L,
+        0x7a76e9e3bdf6271dL },
+      { 0x52a882fab88911b5L,0xc85345e4b4db0eb5L,0xa3be02a681a7c3ffL,
+        0x51889c8cf0ec0469L } },
+    /* 31 << 168 */
+    { { 0x9d031369a5e829e5L,0xcbb4c6fc1607aa41L,0x75ac59a6241d84c1L,
+        0xc043f2bf8829e0eeL },
+      { 0x82a38f758ea5e185L,0x8bda40b9d87cbd9fL,0x9e65e75e2d8fc601L,
+        0x3d515f74a35690b3L } },
+    /* 32 << 168 */
+    { { 0x534acf4fda79e5acL,0x68b83b3a8630215fL,0x5c748b2ed085756eL,
+        0xb0317258e5d37cb2L },
+      { 0x6735841ac5ccc2c4L,0x7d7dc96b3d9d5069L,0xa147e410fd1754bdL,
+        0x65296e94d399ddd5L } },
+    /* 33 << 168 */
+    { { 0xf6b5b2d0bc8fa5bcL,0x8a5ead67500c277bL,0x214625e6dfa08a5dL,
+        0x51fdfedc959cf047L },
+      { 0x6bc9430b289fca32L,0xe36ff0cf9d9bdc3fL,0x2fe187cb58ea0edeL,
+        0xed66af205a900b3fL } },
+    /* 34 << 168 */
+    { { 0x00e0968b5fa9f4d6L,0x2d4066ce37a362e7L,0xa99a9748bd07e772L,
+        0x710989c006a4f1d0L },
+      { 0xd5dedf35ce40cbd8L,0xab55c5f01743293dL,0x766f11448aa24e2cL,
+        0x94d874f8605fbcb4L } },
+    /* 35 << 168 */
+    { { 0xa365f0e8a518001bL,0xee605eb69d04ef0fL,0x5a3915cdba8d4d25L,
+        0x44c0e1b8b5113472L },
+      { 0xcbb024e88b6740dcL,0x89087a53ee1d4f0cL,0xa88fa05c1fc4e372L,
+        0x8bf395cbaf8b3af2L } },
+    /* 36 << 168 */
+    { { 0x1e71c9a1deb8568bL,0xa35daea080fb3d32L,0xe8b6f2662cf8fb81L,
+        0x6d51afe89490696aL },
+      { 0x81beac6e51803a19L,0xe3d24b7f86219080L,0x727cfd9ddf6f463cL,
+        0x8c6865ca72284ee8L } },
+    /* 37 << 168 */
+    { { 0x32c88b7db743f4efL,0x3793909be7d11dceL,0xd398f9222ff2ebe8L,
+        0x2c70ca44e5e49796L },
+      { 0xdf4d9929cb1131b1L,0x7826f29825888e79L,0x4d3a112cf1d8740aL,
+        0x00384cb6270afa8bL } },
+    /* 38 << 168 */
+    { { 0xcb64125b3ab48095L,0x3451c25662d05106L,0xd73d577da4955845L,
+        0x39570c16bf9f4433L },
+      { 0xd7dfaad3adecf263L,0xf1c3d8d1dc76e102L,0x5e774a5854c6a836L,
+        0xdad4b6723e92d47bL } },
+    /* 39 << 168 */
+    { { 0xbe7e990ff0d796a0L,0x5fc62478df0e8b02L,0x8aae8bf4030c00adL,
+        0x3d2db93b9004ba0fL },
+      { 0xe48c8a79d85d5ddcL,0xe907caa76bb07f34L,0x58db343aa39eaed5L,
+        0x0ea6e007adaf5724L } },
+    /* 40 << 168 */
+    { { 0xe00df169d23233f3L,0x3e32279677cb637fL,0x1f897c0e1da0cf6cL,
+        0xa651f5d831d6bbddL },
+      { 0xdd61af191a230c76L,0xbd527272cdaa5e4aL,0xca753636d0abcd7eL,
+        0x78bdd37c370bd8dcL } },
+    /* 41 << 168 */
+    { { 0xc23916c217cd93feL,0x65b97a4ddadce6e2L,0xe04ed4eb174e42f8L,
+        0x1491ccaabb21480aL },
+      { 0x145a828023196332L,0x3c3862d7587b479aL,0x9f4a88a301dcd0edL,
+        0x4da2b7ef3ea12f1fL } },
+    /* 42 << 168 */
+    { { 0xf8e7ae33b126e48eL,0x404a0b32f494e237L,0x9beac474c55acadbL,
+        0x4ee5cf3bcbec9fd9L },
+      { 0x336b33b97df3c8c3L,0xbd905fe3b76808fdL,0x8f436981aa45c16aL,
+        0x255c5bfa3dd27b62L } },
+    /* 43 << 168 */
+    { { 0x71965cbfc3dd9b4dL,0xce23edbffc068a87L,0xb78d4725745b029bL,
+        0x74610713cefdd9bdL },
+      { 0x7116f75f1266bf52L,0x0204672218e49bb6L,0xdf43df9f3d6f19e3L,
+        0xef1bc7d0e685cb2fL } },
+    /* 44 << 168 */
+    { { 0xcddb27c17078c432L,0xe1961b9cb77fedb7L,0x1edc2f5cc2290570L,
+        0x2c3fefca19cbd886L },
+      { 0xcf880a36c2af389aL,0x96c610fdbda71ceaL,0xf03977a932aa8463L,
+        0x8eb7763f8586d90aL } },
+    /* 45 << 168 */
+    { { 0x3f3424542a296e77L,0xc871868342837a35L,0x7dc710906a09c731L,
+        0x54778ffb51b816dbL },
+      { 0x6b33bfecaf06defdL,0xfe3c105f8592b70bL,0xf937fda461da6114L,
+        0x3c13e6514c266ad7L } },
+    /* 46 << 168 */
+    { { 0xe363a829855938e8L,0x2eeb5d9e9de54b72L,0xbeb93b0e20ccfab9L,
+        0x3dffbb5f25e61a25L },
+      { 0x7f655e431acc093dL,0x0cb6cc3d3964ce61L,0x6ab283a1e5e9b460L,
+        0x55d787c5a1c7e72dL } },
+    /* 47 << 168 */
+    { { 0x4d2efd47deadbf02L,0x11e80219ac459068L,0x810c762671f311f0L,
+        0xfa17ef8d4ab6ef53L },
+      { 0xaf47fd2593e43bffL,0x5cb5ff3f0be40632L,0x546871068ee61da3L,
+        0x7764196eb08afd0fL } },
+    /* 48 << 168 */
+    { { 0x831ab3edf0290a8fL,0xcae81966cb47c387L,0xaad7dece184efb4fL,
+        0xdcfc53b34749110eL },
+      { 0x6698f23c4cb632f9L,0xc42a1ad6b91f8067L,0xb116a81d6284180aL,
+        0xebedf5f8e901326fL } },
+    /* 49 << 168 */
+    { { 0xf2274c9f97e3e044L,0x4201852011d09fc9L,0x56a65f17d18e6e23L,
+        0x2ea61e2a352b683cL },
+      { 0x27d291bc575eaa94L,0x9e7bc721b8ff522dL,0x5f7268bfa7f04d6fL,
+        0x5868c73faba41748L } },
+    /* 50 << 168 */
+    { { 0x9f85c2db7be0eeadL,0x511e7842ff719135L,0x5a06b1e9c5ea90d7L,
+        0x0c19e28326fab631L },
+      { 0x8af8f0cfe9206c55L,0x89389cb43553c06aL,0x39dbed97f65f8004L,
+        0x0621b037c508991dL } },
+    /* 51 << 168 */
+    { { 0x1c52e63596e78cc4L,0x5385c8b20c06b4a8L,0xd84ddfdbb0e87d03L,
+        0xc49dfb66934bafadL },
+      { 0x7071e17059f70772L,0x3a073a843a1db56bL,0x034949033b8af190L,
+        0x7d882de3d32920f0L } },
+    /* 52 << 168 */
+    { { 0x91633f0ab2cf8940L,0x72b0b1786f948f51L,0x2d28dc30782653c8L,
+        0x88829849db903a05L },
+      { 0xb8095d0c6a19d2bbL,0x4b9e7f0c86f782cbL,0x7af739882d907064L,
+        0xd12be0fe8b32643cL } },
+    /* 53 << 168 */
+    { { 0x358ed23d0e165dc3L,0x3d47ce624e2378ceL,0x7e2bb0b9feb8a087L,
+        0x3246e8aee29e10b9L },
+      { 0x459f4ec703ce2b4dL,0xe9b4ca1bbbc077cfL,0x2613b4f20e9940c1L,
+        0xfc598bb9047d1eb1L } },
+    /* 54 << 168 */
+    { { 0x9744c62b45036099L,0xa9dee742167c65d8L,0x0c511525dabe1943L,
+        0xda11055493c6c624L },
+      { 0xae00a52c651a3be2L,0xcda5111d884449a6L,0x063c06f4ff33bed1L,
+        0x73baaf9a0d3d76b4L } },
+    /* 55 << 168 */
+    { { 0x52fb0c9d7fc63668L,0x6886c9dd0c039cdeL,0x602bd59955b22351L,
+        0xb00cab02360c7c13L },
+      { 0x8cb616bc81b69442L,0x41486700b55c3ceeL,0x71093281f49ba278L,
+        0xad956d9c64a50710L } },
+    /* 56 << 168 */
+    { { 0x9561f28b638a7e81L,0x54155cdf5980ddc3L,0xb2db4a96d26f247aL,
+        0x9d774e4e4787d100L },
+      { 0x1a9e6e2e078637d2L,0x1c363e2d5e0ae06aL,0x7493483ee9cfa354L,
+        0x76843cb37f74b98dL } },
+    /* 57 << 168 */
+    { { 0xbaca6591d4b66947L,0xb452ce9804460a8cL,0x6830d24643768f55L,
+        0xf4197ed87dff12dfL },
+      { 0x6521b472400dd0f7L,0x59f5ca8f4b1e7093L,0x6feff11b080338aeL,
+        0x0ada31f6a29ca3c6L } },
+    /* 58 << 168 */
+    { { 0x24794eb694a2c215L,0xd83a43ab05a57ab4L,0x264a543a2a6f89feL,
+        0x2c2a3868dd5ec7c2L },
+      { 0xd33739408439d9b2L,0x715ea6720acd1f11L,0x42c1d235e7e6cc19L,
+        0x81ce6e96b990585cL } },
+    /* 59 << 168 */
+    { { 0x04e5dfe0d809c7bdL,0xd7b2580c8f1050abL,0x6d91ad78d8a4176fL,
+        0x0af556ee4e2e897cL },
+      { 0x162a8b73921de0acL,0x52ac9c227ea78400L,0xee2a4eeaefce2174L,
+        0xbe61844e6d637f79L } },
+    /* 60 << 168 */
+    { { 0x0491f1bc789a283bL,0x72d3ac3d880836f4L,0xaa1c5ea388e5402dL,
+        0x1b192421d5cc473dL },
+      { 0x5c0b99989dc84cacL,0xb0a8482d9c6e75b8L,0x639961d03a191ce2L,
+        0xda3bc8656d837930L } },
+    /* 61 << 168 */
+    { { 0xca990653056e6f8fL,0x84861c4164d133a7L,0x8b403276746abe40L,
+        0xb7b4d51aebf8e303L },
+      { 0x05b43211220a255dL,0xc997152c02419e6eL,0x76ff47b6630c2feaL,
+        0x50518677281fdadeL } },
+    /* 62 << 168 */
+    { { 0x3283b8bacf902b0bL,0x8d4b4eb537db303bL,0xcc89f42d755011bcL,
+        0xb43d74bbdd09d19bL },
+      { 0x65746bc98adba350L,0x364eaf8cb51c1927L,0x13c7659610ad72ecL,
+        0x30045121f8d40c20L } },
+    /* 63 << 168 */
+    { { 0x6d2d99b7ea7b979bL,0xcd78cd74e6fb3bcdL,0x11e45a9e86cffbfeL,
+        0x78a61cf4637024f6L },
+      { 0xd06bc8723d502295L,0xf1376854458cb288L,0xb9db26a1342f8586L,
+        0xf33effcf4beee09eL } },
+    /* 64 << 168 */
+    { { 0xd7e0c4cdb30cfb3aL,0x6d09b8c16c9db4c8L,0x40ba1a4207c8d9dfL,
+        0x6fd495f71c52c66dL },
+      { 0xfb0e169f275264daL,0x80c2b746e57d8362L,0xedd987f749ad7222L,
+        0xfdc229af4398ec7bL } },
+    /* 0 << 175 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 175 */
+    { { 0xb0d1ed8452666a58L,0x4bcb6e00e6a9c3c2L,0x3c57411c26906408L,
+        0xcfc2075513556400L },
+      { 0xa08b1c505294dba3L,0xa30ba2868b7dd31eL,0xd70ba90e991eca74L,
+        0x094e142ce762c2b9L } },
+    /* 2 << 175 */
+    { { 0xb81d783e979f3925L,0x1efd130aaf4c89a7L,0x525c2144fd1bf7faL,
+        0x4b2969041b265a9eL },
+      { 0xed8e9634b9db65b6L,0x35c82e3203599d8aL,0xdaa7a54f403563f3L,
+        0x9df088ad022c38abL } },
+    /* 3 << 175 */
+    { { 0xe5cfb066bb3fd30aL,0x429169daeff0354eL,0x809cf8523524e36cL,
+        0x136f4fb30155be1dL },
+      { 0x4826af011fbba712L,0x6ef0f0b4506ba1a1L,0xd9928b3177aea73eL,
+        0xe2bf6af25eaa244eL } },
+    /* 4 << 175 */
+    { { 0x8d084f124237b64bL,0x688ebe99e3ecfd07L,0x57b8a70cf6845dd8L,
+        0x808fc59c5da4a325L },
+      { 0xa9032b2ba3585862L,0xb66825d5edf29386L,0xb5a5a8db431ec29bL,
+        0xbb143a983a1e8dc8L } },
+    /* 5 << 175 */
+    { { 0x35ee94ce12ae381bL,0x3a7f176c86ccda90L,0xc63a657e4606eacaL,
+        0x9ae5a38043cd04dfL },
+      { 0x9bec8d15ed251b46L,0x1f5d6d30caca5e64L,0x347b3b359ff20f07L,
+        0x4d65f034f7e4b286L } },
+    /* 6 << 175 */
+    { { 0x9e93ba24f111661eL,0xedced484b105eb04L,0x96dc9ba1f424b578L,
+        0xbf8f66b7e83e9069L },
+      { 0x872d4df4d7ed8216L,0xbf07f3778e2cbecfL,0x4281d89998e73754L,
+        0xfec85fbb8aab8708L } },
+    /* 7 << 175 */
+    { { 0x9a3c0deea5ba5b0bL,0xe6a116ce42d05299L,0xae9775fee9b02d42L,
+        0x72b05200a1545cb6L },
+      { 0xbc506f7d31a3b4eaL,0xe58930788bbd9b32L,0xc8bc5f37e4b12a97L,
+        0x6b000c064a73b671L } },
+    /* 8 << 175 */
+    { { 0x13b5bf22765fa7d0L,0x59805bf01d6a5370L,0x67a5e29d4280db98L,
+        0x4f53916f776b1ce3L },
+      { 0x714ff61f33ddf626L,0x4206238ea085d103L,0x1c50d4b7e5809ee3L,
+        0x999f450d85f8eb1dL } },
+    /* 9 << 175 */
+    { { 0x658a6051e4c79e9bL,0x1394cb73c66a9feaL,0x27f31ed5c6be7b23L,
+        0xf4c88f365aa6f8feL },
+      { 0x0fb0721f4aaa499eL,0x68b3a7d5e3fb2a6bL,0xa788097d3a92851dL,
+        0x060e7f8ae96f4913L } },
+    /* 10 << 175 */
+    { { 0x82eebe731a3a93bcL,0x42bbf465a21adc1aL,0xc10b6fa4ef030efdL,
+        0x247aa4c787b097bbL },
+      { 0x8b8dc632f60c77daL,0x6ffbc26ac223523eL,0xa4f6ff11344579cfL,
+        0x5825653c980250f6L } },
+    /* 11 << 175 */
+    { { 0xb2dd097ebc1aa2b9L,0x0788939337a0333aL,0x1cf55e7137a0db38L,
+        0x2648487f792c1613L },
+      { 0xdad013363fcef261L,0x6239c81d0eabf129L,0x8ee761de9d276be2L,
+        0x406a7a341eda6ad3L } },
+    /* 12 << 175 */
+    { { 0x4bf367ba4a493b31L,0x54f20a529bf7f026L,0xb696e0629795914bL,
+        0xcddab96d8bf236acL },
+      { 0x4ff2c70aed25ea13L,0xfa1d09eb81cbbbe7L,0x88fc8c87468544c5L,
+        0x847a670d696b3317L } },
+    /* 13 << 175 */
+    { { 0xf133421e64bcb626L,0xaea638c826dee0b5L,0xd6e7680bb310346cL,
+        0xe06f4097d5d4ced3L },
+      { 0x099614527512a30bL,0xf3d867fde589a59aL,0x2e73254f52d0c180L,
+        0x9063d8a3333c74acL } },
+    /* 14 << 175 */
+    { { 0xeda6c595d314e7bcL,0x2ee7464b467899edL,0x1cef423c0a1ed5d3L,
+        0x217e76ea69cc7613L },
+      { 0x27ccce1fe7cda917L,0x12d8016b8a893f16L,0xbcd6de849fc74f6bL,
+        0xfa5817e2f3144e61L } },
+    /* 15 << 175 */
+    { { 0x1f3541640821ee4cL,0x1583eab40bc61992L,0x7490caf61d72879fL,
+        0x998ad9f3f76ae7b2L },
+      { 0x1e181950a41157f7L,0xa9d7e1e6e8da3a7eL,0x963784eb8426b95fL,
+        0x0ee4ed6e542e2a10L } },
+    /* 16 << 175 */
+    { { 0xb79d4cc5ac751e7bL,0x93f96472fd4211bdL,0x8c72d3d2c8de4fc6L,
+        0x7b69cbf5df44f064L },
+      { 0x3da90ca2f4bf94e1L,0x1a5325f8f12894e2L,0x0a437f6c7917d60bL,
+        0x9be7048696c9cb5dL } },
+    /* 17 << 175 */
+    { { 0xb4d880bfe1dc5c05L,0xd738addaeebeeb57L,0x6f0119d3df0fe6a3L,
+        0x5c686e5566eaaf5aL },
+      { 0x9cb10b50dfd0b7ecL,0xbdd0264b6a497c21L,0xfc0935148c546c96L,
+        0x58a947fa79dbf42aL } },
+    /* 18 << 175 */
+    { { 0xc0b48d4e49ccd6d7L,0xff8fb02c88bd5580L,0xc75235e907d473b2L,
+        0x4fab1ac5a2188af3L },
+      { 0x030fa3bc97576ec0L,0xe8c946e80b7e7d2fL,0x40a5c9cc70305600L,
+        0x6d8260a9c8b013b4L } },
+    /* 19 << 175 */
+    { { 0x0368304f70bba85cL,0xad090da1a4a0d311L,0x7170e8702415eec1L,
+        0xbfba35fe8461ea47L },
+      { 0x6279019ac1e91938L,0xa47638f31afc415fL,0x36c65cbbbcba0e0fL,
+        0x02160efb034e2c48L } },
+    /* 20 << 175 */
+    { { 0xe6c51073615cd9e4L,0x498ec047f1243c06L,0x3e5a8809b17b3d8cL,
+        0x5cd99e610cc565f1L },
+      { 0x81e312df7851dafeL,0xf156f5baa79061e2L,0x80d62b71880c590eL,
+        0xbec9746f0a39faa1L } },
+    /* 21 << 175 */
+    { { 0x1d98a9c1c8ed1f7aL,0x09e43bb5a81d5ff2L,0xd5f00f680da0794aL,
+        0x412050d9661aa836L },
+      { 0xa89f7c4e90747e40L,0x6dc05ebbb62a3686L,0xdf4de847308e3353L,
+        0x53868fbb9fb53bb9L } },
+    /* 22 << 175 */
+    { { 0x2b09d2c3cfdcf7ddL,0x41a9fce3723fcab4L,0x73d905f707f57ca3L,
+        0x080f9fb1ac8e1555L },
+      { 0x7c088e849ba7a531L,0x07d35586ed9a147fL,0x602846abaf48c336L,
+        0x7320fd320ccf0e79L } },
+    /* 23 << 175 */
+    { { 0xaa780798b18bd1ffL,0x52c2e300afdd2905L,0xf27ea3d6434267cdL,
+        0x8b96d16d15605b5fL },
+      { 0x7bb310494b45706bL,0xe7f58b8e743d25f8L,0xe9b5e45b87f30076L,
+        0xd19448d65d053d5aL } },
+    /* 24 << 175 */
+    { { 0x1ecc8cb9d3210a04L,0x6bc7d463dafb5269L,0x3e59b10a67c3489fL,
+        0x1769788c65641e1bL },
+      { 0x8a53b82dbd6cb838L,0x7066d6e6236d5f22L,0x03aa1c616908536eL,
+        0xc971da0d66ae9809L } },
+    /* 25 << 175 */
+    { { 0x01b3a86bc49a2facL,0x3b8420c03092e77aL,0x020573007d6fb556L,
+        0x6941b2a1bff40a87L },
+      { 0x140b63080658ff2aL,0x878043633424ab36L,0x0253bd515751e299L,
+        0xc75bcd76449c3e3aL } },
+    /* 26 << 175 */
+    { { 0x92eb40907f8f875dL,0x9c9d754e56c26bbfL,0x158cea618110bbe7L,
+        0x62a6b802745f91eaL },
+      { 0xa79c41aac6e7394bL,0x445b6a83ad57ef10L,0x0c5277eb6ea6f40cL,
+        0x319fe96b88633365L } },
+    /* 27 << 175 */
+    { { 0x0b0fc61f385f63cbL,0x41250c8422bdd127L,0x67d153f109e942c2L,
+        0x60920d08c021ad5dL },
+      { 0x229f5746724d81a5L,0xb7ffb8925bba3299L,0x518c51a1de413032L,
+        0x2a9bfe773c2fd94cL } },
+    /* 28 << 175 */
+    { { 0xcbcde2393191f4fdL,0x43093e16d3d6ada1L,0x184579f358769606L,
+        0x2c94a8b3d236625cL },
+      { 0x6922b9c05c437d8eL,0x3d4ae423d8d9f3c8L,0xf72c31c12e7090a2L,
+        0x4ac3f5f3d76a55bdL } },
+    /* 29 << 175 */
+    { { 0x342508fc6b6af991L,0x0d5271001b5cebbdL,0xb84740d0dd440dd7L,
+        0x748ef841780162fdL },
+      { 0xa8dbfe0edfc6fafbL,0xeadfdf05f7300f27L,0x7d06555ffeba4ec9L,
+        0x12c56f839e25fa97L } },
+    /* 30 << 175 */
+    { { 0x77f84203d39b8c34L,0xed8b1be63125eddbL,0x5bbf2441f6e39dc5L,
+        0xb00f6ee66a5d678aL },
+      { 0xba456ecf57d0ea99L,0xdcae0f5817e06c43L,0x01643de40f5b4baaL,
+        0x2c324341d161b9beL } },
+    /* 31 << 175 */
+    { { 0x80177f55e126d468L,0xed325f1f76748e09L,0x6116004acfa9bdc2L,
+        0x2d8607e63a9fb468L },
+      { 0x0e573e276009d660L,0x3a525d2e8d10c5a1L,0xd26cb45c3b9009a0L,
+        0xb6b0cdc0de9d7448L } },
+    /* 32 << 175 */
+    { { 0x949c9976e1337c26L,0x6faadebdd73d68e5L,0x9e158614f1b768d9L,
+        0x22dfa5579cc4f069L },
+      { 0xccd6da17be93c6d6L,0x24866c61a504f5b9L,0x2121353c8d694da1L,
+        0x1c6ca5800140b8c6L } },
+    /* 33 << 175 */
+    { { 0xc245ad8ce964021eL,0xb83bffba032b82b3L,0xfaa220c647ef9898L,
+        0x7e8d3ac6982c948aL },
+      { 0x1faa2091bc2d124aL,0xbd54c3dd05b15ff4L,0x386bf3abc87c6fb7L,
+        0xfb2b0563fdeb6f66L } },
+    /* 34 << 175 */
+    { { 0x4e77c5575b45afb4L,0xe9ded649efb8912dL,0x7ec9bbf542f6e557L,
+        0x2570dfff62671f00L },
+      { 0x2b3bfb7888e084bdL,0xa024b238f37fe5b4L,0x44e7dc0495649aeeL,
+        0x498ca2555e7ec1d8L } },
+    /* 35 << 175 */
+    { { 0x3bc766eaaaa07e86L,0x0db6facbf3608586L,0xbadd2549bdc259c8L,
+        0x95af3c6e041c649fL },
+      { 0xb36a928c02e30afbL,0x9b5356ad008a88b8L,0x4b67a5f1cf1d9e9dL,
+        0xc6542e47a5d8d8ceL } },
+    /* 36 << 175 */
+    { { 0x73061fe87adfb6ccL,0xcc826fd398678141L,0x00e758b13c80515aL,
+        0x6afe324741485083L },
+      { 0x0fcb08b9b6ae8a75L,0xb8cf388d4acf51e1L,0x344a55606961b9d6L,
+        0x1a6778b86a97fd0cL } },
+    /* 37 << 175 */
+    { { 0xd840fdc1ecc4c7e3L,0xde9fe47d16db68ccL,0xe95f89dea3e216aaL,
+        0x84f1a6a49594a8beL },
+      { 0x7ddc7d725a7b162bL,0xc5cfda19adc817a3L,0x80a5d35078b58d46L,
+        0x93365b1382978f19L } },
+    /* 38 << 175 */
+    { { 0x2e44d22526a1fc90L,0x0d6d10d24d70705dL,0xd94b6b10d70c45f4L,
+        0x0f201022b216c079L },
+      { 0xcec966c5658fde41L,0xa8d2bc7d7e27601dL,0xbfcce3e1ff230be7L,
+        0x3394ff6b0033ffb5L } },
+    /* 39 << 175 */
+    { { 0xd890c5098132c9afL,0xaac4b0eb361e7868L,0x5194ded3e82d15aaL,
+        0x4550bd2e23ae6b7dL },
+      { 0x3fda318eea5399d4L,0xd989bffa91638b80L,0x5ea124d0a14aa12dL,
+        0x1fb1b8993667b944L } },
+    /* 40 << 175 */
+    { { 0x95ec796944c44d6aL,0x91df144a57e86137L,0x915fd62073adac44L,
+        0x8f01732d59a83801L },
+      { 0xec579d253aa0a633L,0x06de5e7cc9d6d59cL,0xc132f958b1ef8010L,
+        0x29476f96e65c1a02L } },
+    /* 41 << 175 */
+    { { 0x336a77c0d34c3565L,0xef1105b21b9f1e9eL,0x63e6d08bf9e08002L,
+        0x9aff2f21c613809eL },
+      { 0xb5754f853a80e75dL,0xde71853e6bbda681L,0x86f041df8197fd7aL,
+        0x8b332e08127817faL } },
+    /* 42 << 175 */
+    { { 0x05d99be8b9c20cdaL,0x89f7aad5d5cd0c98L,0x7ef936fe5bb94183L,
+        0x92ca0753b05cd7f2L },
+      { 0x9d65db1174a1e035L,0x02628cc813eaea92L,0xf2d9e24249e4fbf2L,
+        0x94fdfd9be384f8b7L } },
+    /* 43 << 175 */
+    { { 0x65f5605463428c6bL,0x2f7205b290b409a5L,0xf778bb78ff45ae11L,
+        0xa13045bec5ee53b2L },
+      { 0xe00a14ff03ef77feL,0x689cd59fffef8befL,0x3578f0ed1e9ade22L,
+        0xe99f3ec06268b6a8L } },
+    /* 44 << 175 */
+    { { 0xa2057d91ea1b3c3eL,0x2d1a7053b8823a4aL,0xabbb336a2cca451eL,
+        0xcd2466e32218bb5dL },
+      { 0x3ac1f42fc8cb762dL,0x7e312aae7690211fL,0xebb9bd7345d07450L,
+        0x207c4b8246c2213fL } },
+    /* 45 << 175 */
+    { { 0x99d425c1375913ecL,0x94e45e9667908220L,0xc08f3087cd67dbf6L,
+        0xa5670fbec0887056L },
+      { 0x6717b64a66f5b8fcL,0xd5a56aea786fec28L,0xa8c3f55fc0ff4952L,
+        0xa77fefae457ac49bL } },
+    /* 46 << 175 */
+    { { 0x29882d7c98379d44L,0xd000bdfb509edc8aL,0xc6f95979e66fe464L,
+        0x504a6115fa61bde0L },
+      { 0x56b3b871effea31aL,0x2d3de26df0c21a54L,0x21dbff31834753bfL,
+        0xe67ecf4969269d86L } },
+    /* 47 << 175 */
+    { { 0x7a176952151fe690L,0x035158047f2adb5fL,0xee794b15d1b62a8dL,
+        0xf004ceecaae454e6L },
+      { 0x0897ea7cf0386facL,0x3b62ff12d1fca751L,0x154181df1b7a04ecL,
+        0x2008e04afb5847ecL } },
+    /* 48 << 175 */
+    { { 0xd147148e41dbd772L,0x2b419f7322942654L,0x669f30d3e9c544f7L,
+        0x52a2c223c8540149L },
+      { 0x5da9ee14634dfb02L,0x5f074ff0f47869f3L,0x74ee878da3933accL,
+        0xe65106514fe35ed1L } },
+    /* 49 << 175 */
+    { { 0xb3eb9482f1012e7aL,0x51013cc0a8a566aeL,0xdd5e924347c00d3bL,
+        0x7fde089d946bb0e5L },
+      { 0x030754fec731b4b3L,0x12a136a499fda062L,0x7c1064b85a1a35bcL,
+        0xbf1f5763446c84efL } },
+    /* 50 << 175 */
+    { { 0xed29a56da16d4b34L,0x7fba9d09dca21c4fL,0x66d7ac006d8de486L,
+        0x6006198773a2a5e1L },
+      { 0x8b400f869da28ff0L,0x3133f70843c4599cL,0x9911c9b8ee28cb0dL,
+        0xcd7e28748e0af61dL } },
+    /* 51 << 175 */
+    { { 0x5a85f0f272ed91fcL,0x85214f319cd4a373L,0x881fe5be1925253cL,
+        0xd8dc98e091e8bc76L },
+      { 0x7120affe585cc3a2L,0x724952ed735bf97aL,0x5581e7dc3eb34581L,
+        0x5cbff4f2e52ee57dL } },
+    /* 52 << 175 */
+    { { 0x8d320a0e87d8cc7bL,0x9beaa7f3f1d280d0L,0x7a0b95719beec704L,
+        0x9126332e5b7f0057L },
+      { 0x01fbc1b48ed3bd6dL,0x35bb2c12d945eb24L,0x6404694e9a8ae255L,
+        0xb6092eec8d6abfb3L } },
+    /* 53 << 175 */
+    { { 0x4d76143fcc058865L,0x7b0a5af26e249922L,0x8aef94406a50d353L,
+        0xe11e4bcc64f0e07aL },
+      { 0x4472993aa14a90faL,0x7706e20cba0c51d4L,0xf403292f1532672dL,
+        0x52573bfa21829382L } },
+    /* 54 << 175 */
+    { { 0x6a7bb6a93b5bdb83L,0x08da65c0a4a72318L,0xc58d22aa63eb065fL,
+        0x1717596c1b15d685L },
+      { 0x112df0d0b266d88bL,0xf688ae975941945aL,0x487386e37c292cacL,
+        0x42f3b50d57d6985cL } },
+    /* 55 << 175 */
+    { { 0x6da4f9986a90fc34L,0xc8f257d365ca8a8dL,0xc2feabca6951f762L,
+        0xe1bc81d074c323acL },
+      { 0x1bc68f67251a2a12L,0x10d86587be8a70dcL,0xd648af7ff0f84d2eL,
+        0xf0aa9ebc6a43ac92L } },
+    /* 56 << 175 */
+    { { 0x69e3be0427596893L,0xb6bb02a645bf452bL,0x0875c11af4c698c8L,
+        0x6652b5c7bece3794L },
+      { 0x7b3755fd4f5c0499L,0x6ea16558b5532b38L,0xd1c69889a2e96ef7L,
+        0x9c773c3a61ed8f48L } },
+    /* 57 << 175 */
+    { { 0x2b653a409b323abcL,0xe26605e1f0e1d791L,0x45d410644a87157aL,
+        0x8f9a78b7cbbce616L },
+      { 0xcf1e44aac407edddL,0x81ddd1d8a35b964fL,0x473e339efd083999L,
+        0x6c94bdde8e796802L } },
+    /* 58 << 175 */
+    { { 0x5a304ada8545d185L,0x82ae44ea738bb8cbL,0x628a35e3df87e10eL,
+        0xd3624f3da15b9fe3L },
+      { 0xcc44209b14be4254L,0x7d0efcbcbdbc2ea5L,0x1f60336204c37bbeL,
+        0x21f363f556a5852cL } },
+    /* 59 << 175 */
+    { { 0xa1503d1ca8501550L,0x2251e0e1d8ab10bbL,0xde129c966961c51cL,
+        0x1f7246a481910f68L },
+      { 0x2eb744ee5f2591f2L,0x3c47d33f5e627157L,0x4d6d62c922f3bd68L,
+        0x6120a64bcb8df856L } },
+    /* 60 << 175 */
+    { { 0x3a9ac6c07b5d07dfL,0xa92b95587ef39783L,0xe128a134ab3a9b4fL,
+        0x41c18807b1252f05L },
+      { 0xfc7ed08980ba9b1cL,0xac8dc6dec532a9ddL,0xbf829cef55246809L,
+        0x101b784f5b4ee80fL } },
+    /* 61 << 175 */
+    { { 0xc09945bbb6f11603L,0x57b09dbe41d2801eL,0xfba5202fa97534a8L,
+        0x7fd8ae5fc17b9614L },
+      { 0xa50ba66678308435L,0x9572f77cd3868c4dL,0x0cef7bfd2dd7aab0L,
+        0xe7958e082c7c79ffL } },
+    /* 62 << 175 */
+    { { 0x81262e4225346689L,0x716da290b07c7004L,0x35f911eab7950ee3L,
+        0x6fd72969261d21b5L },
+      { 0x5238980308b640d3L,0x5b0026ee887f12a1L,0x20e21660742e9311L,
+        0x0ef6d5415ff77ff7L } },
+    /* 63 << 175 */
+    { { 0x969127f0f9c41135L,0xf21d60c968a64993L,0x656e5d0ce541875cL,
+        0xf1e0f84ea1d3c233L },
+      { 0x9bcca35906002d60L,0xbe2da60c06191552L,0x5da8bbae61181ec3L,
+        0x9f04b82365806f19L } },
+    /* 64 << 175 */
+    { { 0xf1604a7dd4b79bb8L,0xaee806fb52c878c8L,0x34144f118d47b8e8L,
+        0x72edf52b949f9054L },
+      { 0xebfca84e2127015aL,0x9051d0c09cb7cef3L,0x86e8fe58296deec8L,
+        0x33b2818841010d74L } },
+    /* 0 << 182 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 182 */
+    { { 0x01079383171b445fL,0x9bcf21e38131ad4cL,0x8cdfe205c93987e8L,
+        0xe63f4152c92e8c8fL },
+      { 0x729462a930add43dL,0x62ebb143c980f05aL,0x4f3954e53b06e968L,
+        0xfe1d75ad242cf6b1L } },
+    /* 2 << 182 */
+    { { 0x5f95c6c7af8685c8L,0xd4c1c8ce2f8f01aaL,0xc44bbe322574692aL,
+        0xb8003478d4a4a068L },
+      { 0x7c8fc6e52eca3cdbL,0xea1db16bec04d399L,0xb05bc82e8f2bc5cfL,
+        0x763d517ff44793d2L } },
+    /* 3 << 182 */
+    { { 0x4451c1b808bd98d0L,0x644b1cd46575f240L,0x6907eb337375d270L,
+        0x56c8bebdfa2286bdL },
+      { 0xc713d2acc4632b46L,0x17da427aafd60242L,0x313065b7c95c7546L,
+        0xf8239898bf17a3deL } },
+    /* 4 << 182 */
+    { { 0xf3b7963f4c830320L,0x842c7aa0903203e3L,0xaf22ca0ae7327afbL,
+        0x38e13092967609b6L },
+      { 0x73b8fb62757558f1L,0x3cc3e831f7eca8c1L,0xe4174474f6331627L,
+        0xa77989cac3c40234L } },
+    /* 5 << 182 */
+    { { 0xe5fd17a144a081e0L,0xd797fb7db70e296aL,0x2b472b30481f719cL,
+        0x0e632a98fe6f8c52L },
+      { 0x89ccd116c5f0c284L,0xf51088af2d987c62L,0x2a2bccda4c2de6cfL,
+        0x810f9efef679f0f9L } },
+    /* 6 << 182 */
+    { { 0xb0f394b97ffe4b3eL,0x0b691d21e5fa5d21L,0xb0bd77479dfbbc75L,
+        0xd2830fdafaf78b00L },
+      { 0xf78c249c52434f57L,0x4b1f754598096dabL,0x73bf6f948ff8c0b3L,
+        0x34aef03d454e134cL } },
+    /* 7 << 182 */
+    { { 0xf8d151f4b7ac7ec5L,0xd6ceb95ae50da7d5L,0xa1b492b0dc3a0eb8L,
+        0x75157b69b3dd2863L },
+      { 0xe2c4c74ec5413d62L,0xbe329ff7bc5fc4c7L,0x835a2aea60fa9ddaL,
+        0xf117f5ad7445cb87L } },
+    /* 8 << 182 */
+    { { 0xae8317f4b0166f7aL,0xfbd3e3f7ceec74e6L,0xfdb516ace0874bfdL,
+        0x3d846019c681f3a3L },
+      { 0x0b12ee5c7c1620b0L,0xba68b4dd2b63c501L,0xac03cd326668c51eL,
+        0x2a6279f74e0bcb5bL } },
+    /* 9 << 182 */
+    { { 0x17bd69b06ae85c10L,0x729469791dfdd3a6L,0xd9a032682c078becL,
+        0x41c6a658bfd68a52L },
+      { 0xcdea10240e023900L,0xbaeec121b10d144dL,0x5a600e74058ab8dcL,
+        0x1333af21bb89ccddL } },
+    /* 10 << 182 */
+    { { 0xdf25eae03aaba1f1L,0x2cada16e3b7144cfL,0x657ee27d71ab98bcL,
+        0x99088b4c7a6fc96eL },
+      { 0x05d5c0a03549dbd4L,0x42cbdf8ff158c3acL,0x3fb6b3b087edd685L,
+        0x22071cf686f064d0L } },
+    /* 11 << 182 */
+    { { 0xd2d6721fff2811e5L,0xdb81b703fe7fae8cL,0x3cfb74efd3f1f7bbL,
+        0x0cdbcd7616cdeb5dL },
+      { 0x4f39642a566a808cL,0x02b74454340064d6L,0xfabbadca0528fa6fL,
+        0xe4c3074cd3fc0bb6L } },
+    /* 12 << 182 */
+    { { 0xb32cb8b0b796d219L,0xc3e95f4f34741dd9L,0x8721212568edf6f5L,
+        0x7a03aee4a2b9cb8eL },
+      { 0x0cd3c376f53a89aaL,0x0d8af9b1948a28dcL,0xcf86a3f4902ab04fL,
+        0x8aacb62a7f42002dL } },
+    /* 13 << 182 */
+    { { 0x106985ebf62ffd52L,0xe670b54e5797bf10L,0x4b405209c5e30aefL,
+        0x12c97a204365b5e9L },
+      { 0x104646ce1fe32093L,0x13cb4ff63907a8c9L,0x8b9f30d1d46e726bL,
+        0xe1985e21aba0f499L } },
+    /* 14 << 182 */
+    { { 0xc573dea910a230cdL,0x24f46a93cd30f947L,0xf2623fcfabe2010aL,
+        0x3f278cb273f00e4fL },
+      { 0xed55c67d50b920ebL,0xf1cb9a2d8e760571L,0x7c50d1090895b709L,
+        0x4207cf07190d4369L } },
+    /* 15 << 182 */
+    { { 0x3b027e81c4127fe1L,0xa9f8b9ad3ae9c566L,0x5ab10851acbfbba5L,
+        0xa747d648569556f5L },
+      { 0xcc172b5c2ba97bf7L,0x15e0f77dbcfa3324L,0xa345b7977686279dL,
+        0x5a723480e38003d3L } },
+    /* 16 << 182 */
+    { { 0xfd8e139f8f5fcda8L,0xf3e558c4bdee5bfdL,0xd76cbaf4e33f9f77L,
+        0x3a4c97a471771969L },
+      { 0xda27e84bf6dce6a7L,0xff373d9613e6c2d1L,0xf115193cd759a6e9L,
+        0x3f9b702563d2262cL } },
+    /* 17 << 182 */
+    { { 0xd9764a31317cd062L,0x30779d8e199f8332L,0xd807410616b11b0bL,
+        0x7917ab9f78aeaed8L },
+      { 0xb67a9cbe28fb1d8eL,0x2e313563136eda33L,0x010b7069a371a86cL,
+        0x44d90fa26744e6b7L } },
+    /* 18 << 182 */
+    { { 0x68190867d6b3e243L,0x9fe6cd9d59048c48L,0xb900b02895731538L,
+        0xa012062f32cae04fL },
+      { 0x8107c8bc9399d082L,0x47e8c54a41df12e2L,0x14ba5117b6ef3f73L,
+        0x22260bea81362f0bL } },
+    /* 19 << 182 */
+    { { 0x90ea261e1a18cc20L,0x2192999f2321d636L,0xef64d314e311b6a0L,
+        0xd7401e4c3b54a1f5L },
+      { 0x190199836fbca2baL,0x46ad32938fbffc4bL,0xa142d3f63786bf40L,
+        0xeb5cbc26b67039fcL } },
+    /* 20 << 182 */
+    { { 0x9cb0ae6c252bd479L,0x05e0f88a12b5848fL,0x78f6d2b2a5c97663L,
+        0x6f6e149bc162225cL },
+      { 0xe602235cde601a89L,0xd17bbe98f373be1fL,0xcaf49a5ba8471827L,
+        0x7e1a0a8518aaa116L } },
+    /* 21 << 182 */
+    { { 0x6c833196270580c3L,0x1e233839f1c98a14L,0x67b2f7b4ae34e0a5L,
+        0x47ac8745d8ce7289L },
+      { 0x2b74779a100dd467L,0x274a43374ee50d09L,0x603dcf1383608bc9L,
+        0xcd9da6c3c89e8388L } },
+    /* 22 << 182 */
+    { { 0x2660199f355116acL,0xcc38bb59b6d18eedL,0x3075f31f2f4bc071L,
+        0x9774457f265dc57eL },
+      { 0x06a6a9c8c6db88bbL,0x6429d07f4ec98e04L,0x8d05e57b05ecaa8bL,
+        0x20f140b17872ea7bL } },
+    /* 23 << 182 */
+    { { 0xdf8c0f09ca494693L,0x48d3a020f252e909L,0x4c5c29af57b14b12L,
+        0x7e6fa37dbf47ad1cL },
+      { 0x66e7b50649a0c938L,0xb72c0d486be5f41fL,0x6a6242b8b2359412L,
+        0xcd35c7748e859480L } },
+    /* 24 << 182 */
+    { { 0x12536fea87baa627L,0x58c1fec1f72aa680L,0x6c29b637601e5dc9L,
+        0x9e3c3c1cde9e01b9L },
+      { 0xefc8127b2bcfe0b0L,0x351071022a12f50dL,0x6ccd6cb14879b397L,
+        0xf792f804f8a82f21L } },
+    /* 25 << 182 */
+    { { 0x509d4804a9b46402L,0xedddf85dc10f0850L,0x928410dc4b6208aaL,
+        0xf6229c46391012dcL },
+      { 0xc5a7c41e7727b9b6L,0x289e4e4baa444842L,0x049ba1d9e9a947eaL,
+        0x44f9e47f83c8debcL } },
+    /* 26 << 182 */
+    { { 0xfa77a1fe611f8b8eL,0xfd2e416af518f427L,0xc5fffa70114ebac3L,
+        0xfe57c4e95d89697bL },
+      { 0xfdd053acb1aaf613L,0x31df210fea585a45L,0x318cc10e24985034L,
+        0x1a38efd15f1d6130L } },
+    /* 27 << 182 */
+    { { 0xbf86f2370b1e9e21L,0xb258514d1dbe88aaL,0x1e38a58890c1baf9L,
+        0x2936a01ebdb9b692L },
+      { 0xd576de986dd5b20cL,0xb586bf7170f98ecfL,0xcccf0f12c42d2fd7L,
+        0x8717e61cfb35bd7bL } },
+    /* 28 << 182 */
+    { { 0x8b1e572235e6fc06L,0x3477728f0b3e13d5L,0x150c294daa8a7372L,
+        0xc0291d433bfa528aL },
+      { 0xc6c8bc67cec5a196L,0xdeeb31e45c2e8a7cL,0xba93e244fb6e1c51L,
+        0xb9f8b71b2e28e156L } },
+    /* 29 << 182 */
+    { { 0xce65a287968a2ab9L,0xe3c5ce6946bbcb1fL,0xf8c835b9e7ae3f30L,
+        0x16bbee26ff72b82bL },
+      { 0x665e2017fd42cd22L,0x1e139970f8b1d2a0L,0x125cda2979204932L,
+        0x7aee94a549c3bee5L } },
+    /* 30 << 182 */
+    { { 0x68c7016089821a66L,0xf7c376788f981669L,0xd90829fc48cc3645L,
+        0x346af049d70addfcL },
+      { 0x2057b232370bf29cL,0xf90c73ce42e650eeL,0xe03386eaa126ab90L,
+        0x0e266e7e975a087bL } },
+    /* 31 << 182 */
+    { { 0x80578eb90fca65d9L,0x7e2989ea16af45b8L,0x7438212dcac75a4eL,
+        0x38c7ca394fef36b8L },
+      { 0x8650c494d402676aL,0x26ab5a66f72c7c48L,0x4e6cb426ce3a464eL,
+        0xf8f998962b72f841L } },
+    /* 32 << 182 */
+    { { 0x8c3184911a335cc8L,0x563459ba6a5913e4L,0x1b920d61c7b32919L,
+        0x805ab8b6a02425adL },
+      { 0x2ac512da8d006086L,0x6ca4846abcf5c0fdL,0xafea51d8ac2138d7L,
+        0xcb647545344cd443L } },
+    /* 33 << 182 */
+    { { 0x0429ee8fbd7d9040L,0xee66a2de819b9c96L,0x54f9ec25dea7d744L,
+        0x2ffea642671721bbL },
+      { 0x4f19dbd1114344eaL,0x04304536fd0dbc8bL,0x014b50aa29ec7f91L,
+        0xb5fc22febb06014dL } },
+    /* 34 << 182 */
+    { { 0x60d963a91ee682e0L,0xdf48abc0fe85c727L,0x0cadba132e707c2dL,
+        0xde608d3aa645aeffL },
+      { 0x05f1c28bedafd883L,0x3c362edebd94de1fL,0x8dd0629d13593e41L,
+        0x0a5e736f766d6eafL } },
+    /* 35 << 182 */
+    { { 0xbfa92311f68cf9d1L,0xa4f9ef87c1797556L,0x10d75a1f5601c209L,
+        0x651c374c09b07361L },
+      { 0x49950b5888b5ceadL,0x0ef000586fa9dbaaL,0xf51ddc264e15f33aL,
+        0x1f8b5ca62ef46140L } },
+    /* 36 << 182 */
+    { { 0x343ac0a3ee9523f0L,0xbb75eab2975ea978L,0x1bccf332107387f4L,
+        0x790f92599ab0062eL },
+      { 0xf1a363ad1e4f6a5fL,0x06e08b8462519a50L,0x609151877265f1eeL,
+        0x6a80ca3493ae985eL } },
+    /* 37 << 182 */
+    { { 0x81b29768aaba4864L,0xb13cabf28d52a7d6L,0xb5c363488ead03f1L,
+        0xc932ad9581c7c1c0L },
+      { 0x5452708ecae1e27bL,0x9dac42691b0df648L,0x233e3f0cdfcdb8bcL,
+        0xe6ceccdfec540174L } },
+    /* 38 << 182 */
+    { { 0xbd0d845e95081181L,0xcc8a7920699355d5L,0x111c0f6dc3b375a8L,
+        0xfd95bc6bfd51e0dcL },
+      { 0x4a106a266888523aL,0x4d142bd6cb01a06dL,0x79bfd289adb9b397L,
+        0x0bdbfb94e9863914L } },
+    /* 39 << 182 */
+    { { 0x29d8a2291660f6a6L,0x7f6abcd6551c042dL,0x13039deb0ac3ffe8L,
+        0xa01be628ec8523fbL },
+      { 0x6ea341030ca1c328L,0xc74114bdb903928eL,0x8aa4ff4e9e9144b0L,
+        0x7064091f7f9a4b17L } },
+    /* 40 << 182 */
+    { { 0xa3f4f521e447f2c4L,0x81b8da7a604291f0L,0xd680bc467d5926deL,
+        0x84f21fd534a1202fL },
+      { 0x1d1e31814e9df3d8L,0x1ca4861a39ab8d34L,0x809ddeec5b19aa4aL,
+        0x59f72f7e4d329366L } },
+    /* 41 << 182 */
+    { { 0xa2f93f41386d5087L,0x40bf739cdd67d64fL,0xb449420566702158L,
+        0xc33c65be73b1e178L },
+      { 0xcdcd657c38ca6153L,0x97f4519adc791976L,0xcc7c7f29cd6e1f39L,
+        0x38de9cfb7e3c3932L } },
+    /* 42 << 182 */
+    { { 0xe448eba37b793f85L,0xe9f8dbf9f067e914L,0xc0390266f114ae87L,
+        0x39ed75a7cd6a8e2aL },
+      { 0xadb148487ffba390L,0x67f8cb8b6af9bc09L,0x322c38489c7476dbL,
+        0xa320fecf52a538d6L } },
+    /* 43 << 182 */
+    { { 0xe0493002b2aced2bL,0xdfba1809616bd430L,0x531c4644c331be70L,
+        0xbc04d32e90d2e450L },
+      { 0x1805a0d10f9f142dL,0x2c44a0c547ee5a23L,0x31875a433989b4e3L,
+        0x6b1949fd0c063481L } },
+    /* 44 << 182 */
+    { { 0x2dfb9e08be0f4492L,0x3ff0da03e9d5e517L,0x03dbe9a1f79466a8L,
+        0x0b87bcd015ea9932L },
+      { 0xeb64fc83ab1f58abL,0x6d9598da817edc8aL,0x699cff661d3b67e5L,
+        0x645c0f2992635853L } },
+    /* 45 << 182 */
+    { { 0x253cdd82eabaf21cL,0x82b9602a2241659eL,0x2cae07ec2d9f7091L,
+        0xbe4c720c8b48cd9bL },
+      { 0x6ce5bc036f08d6c9L,0x36e8a997af10bf40L,0x83422d213e10ff12L,
+        0x7b26d3ebbcc12494L } },
+    /* 46 << 182 */
+    { { 0xb240d2d0c9469ad6L,0xc4a11b4d30afa05bL,0x4b604acedd6ba286L,
+        0x184866003ee2864cL },
+      { 0x5869d6ba8d9ce5beL,0x0d8f68c5ff4bfb0dL,0xb69f210b5700cf73L,
+        0x61f6653a6d37c135L } },
+    /* 47 << 182 */
+    { { 0xff3d432b5aff5a48L,0x0d81c4b972ba3a69L,0xee879ae9fa1899efL,
+        0xbac7e2a02d6acafdL },
+      { 0xd6d93f6c1c664399L,0x4c288de15bcb135dL,0x83031dab9dab7cbfL,
+        0xfe23feb03abbf5f0L } },
+    /* 48 << 182 */
+    { { 0x9f1b2466cdedca85L,0x140bb7101a09538cL,0xac8ae8515e11115dL,
+        0x0d63ff676f03f59eL },
+      { 0x755e55517d234afbL,0x61c2db4e7e208fc1L,0xaa9859cef28a4b5dL,
+        0xbdd6d4fc34af030fL } },
+    /* 49 << 182 */
+    { { 0xd1c4a26d3be01cb1L,0x9ba14ffc243aa07cL,0xf95cd3a9b2503502L,
+        0xe379bc067d2a93abL },
+      { 0x3efc18e9d4ca8d68L,0x083558ec80bb412aL,0xd903b9409645a968L,
+        0xa499f0b69ba6054fL } },
+    /* 50 << 182 */
+    { { 0x208b573cb8349abeL,0x3baab3e530b4fc1cL,0x87e978bacb524990L,
+        0x3524194eccdf0e80L },
+      { 0x627117257d4bcc42L,0xe90a3d9bb90109baL,0x3b1bdd571323e1e0L,
+        0xb78e9bd55eae1599L } },
+    /* 51 << 182 */
+    { { 0x0794b7469e03d278L,0x80178605d70e6297L,0x171792f899c97855L,
+        0x11b393eef5a86b5cL },
+      { 0x48ef6582d8884f27L,0xbd44737abf19ba5fL,0x8698de4ca42062c6L,
+        0x8975eb8061ce9c54L } },
+    /* 52 << 182 */
+    { { 0xd50e57c7d7fe71f3L,0x15342190bc97ce38L,0x51bda2de4df07b63L,
+        0xba12aeae200eb87dL },
+      { 0xabe135d2a9b4f8f6L,0x04619d65fad6d99cL,0x4a6683a77994937cL,
+        0x7a778c8b6f94f09aL } },
+    /* 53 << 182 */
+    { { 0x8c50862320a71b89L,0x241a2aed1c229165L,0x352be595aaf83a99L,
+        0x9fbfee7f1562bac8L },
+      { 0xeaf658b95c4017e3L,0x1dc7f9e015120b86L,0xd84f13dd4c034d6fL,
+        0x283dd737eaea3038L } },
+    /* 54 << 182 */
+    { { 0x197f2609cd85d6a2L,0x6ebbc345fae60177L,0xb80f031b4e12fedeL,
+        0xde55d0c207a2186bL },
+      { 0x1fb3e37f24dcdd5aL,0x8d602da57ed191fbL,0x108fb05676023e0dL,
+        0x70178c71459c20c0L } },
+    /* 55 << 182 */
+    { { 0xfad5a3863fe54cf0L,0xa4a3ec4f02bbb475L,0x1aa5ec20919d94d7L,
+        0x5d3b63b5a81e4ab3L },
+      { 0x7fa733d85ad3d2afL,0xfbc586ddd1ac7a37L,0x282925de40779614L,
+        0xfe0ffffbe74a242aL } },
+    /* 56 << 182 */
+    { { 0x3f39e67f906151e5L,0xcea27f5f55e10649L,0xdca1d4e1c17cf7b7L,
+        0x0c326d122fe2362dL },
+      { 0x05f7ac337dd35df3L,0x0c3b7639c396dbdfL,0x0912f5ac03b7db1cL,
+        0x9dea4b705c9ed4a9L } },
+    /* 57 << 182 */
+    { { 0x475e6e53aae3f639L,0xfaba0e7cfc278bacL,0x16f9e2219490375fL,
+        0xaebf9746a5a7ed0aL },
+      { 0x45f9af3ff41ad5d6L,0x03c4623cb2e99224L,0x82c5bb5cb3cf56aaL,
+        0x6431181934567ed3L } },
+    /* 58 << 182 */
+    { { 0xec57f2118be489acL,0x2821895db9a1104bL,0x610dc8756064e007L,
+        0x8e526f3f5b20d0feL },
+      { 0x6e71ca775b645aeeL,0x3d1dcb9f800e10ffL,0x36b51162189cf6deL,
+        0x2c5a3e306bb17353L } },
+    /* 59 << 182 */
+    { { 0xc186cd3e2a6c6fbfL,0xa74516fa4bf97906L,0x5b4b8f4b279d6901L,
+        0x0c4e57b42b573743L },
+      { 0x75fdb229b6e386b6L,0xb46793fd99deac27L,0xeeec47eacf712629L,
+        0xe965f3c4cbc3b2ddL } },
+    /* 60 << 182 */
+    { { 0x8dd1fb83425c6559L,0x7fc00ee60af06fdaL,0xe98c922533d956dfL,
+        0x0f1ef3354fbdc8a2L },
+      { 0x2abb5145b79b8ea2L,0x40fd2945bdbff288L,0x6a814ac4d7185db7L,
+        0xc4329d6fc084609aL } },
+    /* 61 << 182 */
+    { { 0xc9ba7b52ed1be45dL,0x891dd20de4cd2c74L,0x5a4d4a7f824139b1L,
+        0x66c17716b873c710L },
+      { 0x5e5bc1412843c4e0L,0xd5ac4817b97eb5bfL,0xc0f8af54450c95c7L,
+        0xc91b3fa0318406c5L } },
+    /* 62 << 182 */
+    { { 0x360c340aab9d97f8L,0xfb57bd0790a2d611L,0x4339ae3ca6a6f7e5L,
+        0x9c1fcd2a2feb8a10L },
+      { 0x972bcca9c7ea7432L,0x1b0b924c308076f6L,0x80b2814a2a5b4ca5L,
+        0x2f78f55b61ef3b29L } },
+    /* 63 << 182 */
+    { { 0xf838744ac18a414fL,0xc611eaae903d0a86L,0x94dabc162a453f55L,
+        0xe6f2e3da14efb279L },
+      { 0x5b7a60179320dc3cL,0x692e382f8df6b5a4L,0x3f5e15e02d40fa90L,
+        0xc87883ae643dd318L } },
+    /* 64 << 182 */
+    { { 0x511053e453544774L,0x834d0ecc3adba2bcL,0x4215d7f7bae371f5L,
+        0xfcfd57bf6c8663bcL },
+      { 0xded2383dd6901b1dL,0x3b49fbb4b5587dc3L,0xfd44a08d07625f62L,
+        0x3ee4d65b9de9b762L } },
+    /* 0 << 189 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 189 */
+    { { 0x64e5137d0d63d1faL,0x658fc05202a9d89fL,0x4889487450436309L,
+        0xe9ae30f8d598da61L },
+      { 0x2ed710d1818baf91L,0xe27e9e068b6a0c20L,0x1e28dcfb1c1a6b44L,
+        0x883acb64d6ac57dcL } },
+    /* 2 << 189 */
+    { { 0x8735728dc2c6ff70L,0x79d6122fc5dc2235L,0x23f5d00319e277f9L,
+        0x7ee84e25dded8cc7L },
+      { 0x91a8afb063cd880aL,0x3f3ea7c63574af60L,0x0cfcdc8402de7f42L,
+        0x62d0792fb31aa152L } },
+    /* 3 << 189 */
+    { { 0x8e1b4e438a5807ceL,0xad283893e4109a7eL,0xc30cc9cbafd59ddaL,
+        0xf65f36c63d8d8093L },
+      { 0xdf31469ea60d32b2L,0xee93df4b3e8191c8L,0x9c1017c5355bdeb5L,
+        0xd26231858616aa28L } },
+    /* 4 << 189 */
+    { { 0xb02c83f9dec31a21L,0x988c8b236ad9d573L,0x53e983aea57be365L,
+        0xe968734d646f834eL },
+      { 0x9137ea8f5da6309bL,0x10f3a624c1f1ce16L,0x782a9ea2ca440921L,
+        0xdf94739e5b46f1b5L } },
+    /* 5 << 189 */
+    { { 0x9f9be006cce85c9bL,0x360e70d6a4c7c2d3L,0x2cd5beeaaefa1e60L,
+        0x64cf63c08c3d2b6dL },
+      { 0xfb107fa3e1cf6f90L,0xb7e937c6d5e044e6L,0x74e8ca78ce34db9fL,
+        0x4f8b36c13e210bd0L } },
+    /* 6 << 189 */
+    { { 0x1df165a434a35ea8L,0x3418e0f74d4412f6L,0x5af1f8af518836c3L,
+        0x42ceef4d130e1965L },
+      { 0x5560ca0b543a1957L,0xc33761e5886cb123L,0x66624b1ffe98ed30L,
+        0xf772f4bf1090997dL } },
+    /* 7 << 189 */
+    { { 0xf4e540bb4885d410L,0x7287f8109ba5f8d7L,0x22d0d865de98dfb1L,
+        0x49ff51a1bcfbb8a3L },
+      { 0xb6b6fa536bc3012eL,0x3d31fd72170d541dL,0x8018724f4b0f4966L,
+        0x79e7399f87dbde07L } },
+    /* 8 << 189 */
+    { { 0x56f8410ef4f8b16aL,0x97241afec47b266aL,0x0a406b8e6d9c87c1L,
+        0x803f3e02cd42ab1bL },
+      { 0x7f0309a804dbec69L,0xa83b85f73bbad05fL,0xc6097273ad8e197fL,
+        0xc097440e5067adc1L } },
+    /* 9 << 189 */
+    { { 0x730eafb63524ff16L,0xd7f9b51e823fc6ceL,0x27bd0d32443e4ac0L,
+        0x40c59ad94d66f217L },
+      { 0x6c33136f17c387a4L,0x5043b8d5eb86804dL,0x74970312675a73c9L,
+        0x838fdb31f16669b6L } },
+    /* 10 << 189 */
+    { { 0xc507b6dd418e7dddL,0x39888d93472f19d6L,0x7eae26be0c27eb4dL,
+        0x17b53ed3fbabb884L },
+      { 0xfc27021b2b01ae4fL,0x88462e87cf488682L,0xbee096ec215e2d87L,
+        0xeb2fea9ad242e29bL } },
+    /* 11 << 189 */
+    { { 0x5d985b5fb821fc28L,0x89d2e197dc1e2ad2L,0x55b566b89030ba62L,
+        0xe3fd41b54f41b1c6L },
+      { 0xb738ac2eb9a96d61L,0x7f8567ca369443f4L,0x8698622df803a440L,
+        0x2b5862368fe2f4dcL } },
+    /* 12 << 189 */
+    { { 0xbbcc00c756b95bceL,0x5ec03906616da680L,0x79162ee672214252L,
+        0x43132b6386a892d2L },
+      { 0x4bdd3ff22f3263bfL,0xd5b3733c9cd0a142L,0x592eaa8244415ccbL,
+        0x663e89248d5474eaL } },
+    /* 13 << 189 */
+    { { 0x8058a25e5236344eL,0x82e8df9dbda76ee6L,0xdcf6efd811cc3d22L,
+        0x00089cda3b4ab529L },
+      { 0x91d3a071bd38a3dbL,0x4ea97fc0ef72b925L,0x0c9fc15bea3edf75L,
+        0x5a6297cda4348ed3L } },
+    /* 14 << 189 */
+    { { 0x0d38ab35ce7c42d4L,0x9fd493ef82feab10L,0x46056b6d82111b45L,
+        0xda11dae173efc5c3L },
+      { 0xdc7402785545a7fbL,0xbdb2601c40d507e6L,0x121dfeeb7066fa58L,
+        0x214369a839ae8c2aL } },
+    /* 15 << 189 */
+    { { 0x195709cb06e0956cL,0x4c9d254f010cd34bL,0xf51e13f70471a532L,
+        0xe19d67911e73054dL },
+      { 0xf702a628db5c7be3L,0xc7141218b24dde05L,0xdc18233cf29b2e2eL,
+        0x3a6bd1e885342dbaL } },
+    /* 16 << 189 */
+    { { 0x3f747fa0b311898cL,0xe2a272e4cd0eac65L,0x4bba5851f914d0bcL,
+        0x7a1a9660c4a43ee3L },
+      { 0xe5a367cea1c8cde9L,0x9d958ba97271abe3L,0xf3ff7eb63d1615cdL,
+        0xa2280dcef5ae20b0L } },
+    /* 17 << 189 */
+    { { 0x56dba5c1cf640147L,0xea5a2e3d5e83d118L,0x04cd6b6dda24c511L,
+        0x1c0f4671e854d214L },
+      { 0x91a6b7a969565381L,0xdc966240decf1f5bL,0x1b22d21cfcf5d009L,
+        0x2a05f6419021dbd5L } },
+    /* 18 << 189 */
+    { { 0x8c0ed566d4312483L,0x5179a95d643e216fL,0xcc185fec17044493L,
+        0xb306333954991a21L },
+      { 0xd801ecdb0081a726L,0x0149b0c64fa89bbbL,0xafe9065a4391b6b9L,
+        0xedc92786d633f3a3L } },
+    /* 19 << 189 */
+    { { 0xe408c24aae6a8e13L,0x85833fde9f3897abL,0x43800e7ed81a0715L,
+        0xde08e346b44ffc5fL },
+      { 0x7094184ccdeff2e0L,0x49f9387b165eaed1L,0x635d6129777c468aL,
+        0x8c0dcfd1538c2dd8L } },
+    /* 20 << 189 */
+    { { 0xd6d9d9e37a6a308bL,0x623758304c2767d3L,0x874a8bc6f38cbeb6L,
+        0xd94d3f1accb6fd9eL },
+      { 0x92a9735bba21f248L,0x272ad0e56cd1efb0L,0x7437b69c05b03284L,
+        0xe7f047026948c225L } },
+    /* 21 << 189 */
+    { { 0x8a56c04acba2ececL,0x0c181270e3a73e41L,0x6cb34e9d03e93725L,
+        0xf77c8713496521a9L },
+      { 0x94569183fa7f9f90L,0xf2e7aa4c8c9707adL,0xced2c9ba26c1c9a3L,
+        0x9109fe9640197507L } },
+    /* 22 << 189 */
+    { { 0x9ae868a9e9adfe1cL,0x3984403d314e39bbL,0xb5875720f2fe378fL,
+        0x33f901e0ba44a628L },
+      { 0xea1125fe3652438cL,0xae9ec4e69dd1f20bL,0x1e740d9ebebf7fbdL,
+        0x6dbd3ddc42dbe79cL } },
+    /* 23 << 189 */
+    { { 0x62082aecedd36776L,0xf612c478e9859039L,0xa493b201032f7065L,
+        0xebd4d8f24ff9b211L },
+      { 0x3f23a0aaaac4cb32L,0xea3aadb715ed4005L,0xacf17ea4afa27e63L,
+        0x56125c1ac11fd66cL } },
+    /* 24 << 189 */
+    { { 0x266344a43794f8dcL,0xdcca923a483c5c36L,0x2d6b6bbf3f9d10a0L,
+        0xb320c5ca81d9bdf3L },
+      { 0x620e28ff47b50a95L,0x933e3b01cef03371L,0xf081bf8599100153L,
+        0x183be9a0c3a8c8d6L } },
+    /* 25 << 189 */
+    { { 0x4e3ddc5ad6bbe24dL,0xc6c7463053843795L,0x78193dd765ec2d4cL,
+        0xb8df26cccd3c89b2L },
+      { 0x98dbe3995a483f8dL,0x72d8a9577dd3313aL,0x65087294ab0bd375L,
+        0xfcd892487c259d16L } },
+    /* 26 << 189 */
+    { { 0x8a9443d77613aa81L,0x8010080085fe6584L,0x70fc4dbc7fb10288L,
+        0xf58280d3e86beee8L },
+      { 0x14fdd82f7c978c38L,0xdf1204c10de44d7bL,0xa08a1c844160252fL,
+        0x591554cac17646a5L } },
+    /* 27 << 189 */
+    { { 0x214a37d6a05bd525L,0x48d5f09b07957b3cL,0x0247cdcbd7109bc9L,
+        0x40f9e4bb30599ce7L },
+      { 0xc325fa03f46ad2ecL,0x00f766cfc3e3f9eeL,0xab556668d43a4577L,
+        0x68d30a613ee03b93L } },
+    /* 28 << 189 */
+    { { 0x7ddc81ea77b46a08L,0xcf5a6477c7480699L,0x43a8cb346633f683L,
+        0x1b867e6b92363c60L },
+      { 0x439211141f60558eL,0xcdbcdd632f41450eL,0x7fc04601cc630e8bL,
+        0xea7c66d597038b43L } },
+    /* 29 << 189 */
+    { { 0x7259b8a504e99fd8L,0x98a8dd124785549aL,0x0e459a7c840552e1L,
+        0xcdfcf4d04bb0909eL },
+      { 0x34a86db253758da7L,0xe643bb83eac997e1L,0x96400bd7530c5b7eL,
+        0x9f97af87b41c8b52L } },
+    /* 30 << 189 */
+    { { 0x34fc8820fbeee3f9L,0x93e5349049091afdL,0x764b9be59a31f35cL,
+        0x71f3786457e3d924L },
+      { 0x02fb34e0943aa75eL,0xa18c9c58ab8ff6e4L,0x080f31b133cf0d19L,
+        0x5c9682db083518a7L } },
+    /* 31 << 189 */
+    { { 0x873d4ca6b709c3deL,0x64a842623575b8f0L,0x6275da1f020154bbL,
+        0x97678caad17cf1abL },
+      { 0x8779795f951a95c3L,0xdd35b16350fccc08L,0x3270962733d8f031L,
+        0x3c5ab10a498dd85cL } },
+    /* 32 << 189 */
+    { { 0xb6c185c341dca566L,0x7de7fedad8622aa3L,0x99e84d92901b6dfbL,
+        0x30a02b0e7c4ad288L },
+      { 0xc7c81daa2fd3cf36L,0xd1319547df89e59fL,0xb2be8184cd496733L,
+        0xd5f449eb93d3412bL } },
+    /* 33 << 189 */
+    { { 0x7ea41b1b25fe531dL,0xf97974326a1d5646L,0x86067f722bde501aL,
+        0xf91481c00c85e89cL },
+      { 0xca8ee465f8b05bc6L,0x1844e1cf02e83cdaL,0xca82114ab4dbe33bL,
+        0x0f9f87694eabfde2L } },
+    /* 34 << 189 */
+    { { 0x4936b1c038b27fe2L,0x63b6359baba402dfL,0x40c0ea2f656bdbabL,
+        0x9c992a896580c39cL },
+      { 0x600e8f152a60aed1L,0xeb089ca4e0bf49dfL,0x9c233d7d2d42d99aL,
+        0x648d3f954c6bc2faL } },
+    /* 35 << 189 */
+    { { 0xdcc383a8e1add3f3L,0xf42c0c6a4f64a348L,0x2abd176f0030dbdbL,
+        0x4de501a37d6c215eL },
+      { 0x4a107c1f4b9a64bcL,0xa77f0ad32496cd59L,0xfb78ac627688dffbL,
+        0x7025a2ca67937d8eL } },
+    /* 36 << 189 */
+    { { 0xfde8b2d1d1a8f4e7L,0xf5b3da477354927cL,0xe48606a3d9205735L,
+        0xac477cc6e177b917L },
+      { 0xfb1f73d2a883239aL,0xe12572f6cc8b8357L,0x9d355e9cfb1f4f86L,
+        0x89b795f8d9f3ec6eL } },
+    /* 37 << 189 */
+    { { 0x27be56f1b54398dcL,0x1890efd73fedeed5L,0x62f77f1f9c6d0140L,
+        0x7ef0e314596f0ee4L },
+      { 0x50ca6631cc61dab3L,0x4a39801df4866e4fL,0x66c8d032ae363b39L,
+        0x22c591e52ead66aaL } },
+    /* 38 << 189 */
+    { { 0x954ba308de02a53eL,0x2a6c060fd389f357L,0xe6cfcde8fbf40b66L,
+        0x8e02fc56c6340ce1L },
+      { 0xe495779573adb4baL,0x7b86122ca7b03805L,0x63f835120c8e6fa6L,
+        0x83660ea0057d7804L } },
+    /* 39 << 189 */
+    { { 0xbad7910521ba473cL,0xb6c50beeded5389dL,0xee2caf4daa7c9bc0L,
+        0xd97b8de48c4e98a7L },
+      { 0xa9f63e70ab3bbddbL,0x3898aabf2597815aL,0x7659af89ac15b3d9L,
+        0xedf7725b703ce784L } },
+    /* 40 << 189 */
+    { { 0x25470fabe085116bL,0x04a4337587285310L,0x4e39187ee2bfd52fL,
+        0x36166b447d9ebc74L },
+      { 0x92ad433cfd4b322cL,0x726aa817ba79ab51L,0xf96eacd8c1db15ebL,
+        0xfaf71e910476be63L } },
+    /* 41 << 189 */
+    { { 0xdd69a640641fad98L,0xb799591829622559L,0x03c6daa5de4199dcL,
+        0x92cadc97ad545eb4L },
+      { 0x1028238b256534e4L,0x73e80ce68595409aL,0x690d4c66d05dc59bL,
+        0xc95f7b8f981dee80L } },
+    /* 42 << 189 */
+    { { 0xf4337014d856ac25L,0x441bd9ddac524dcaL,0x640b3d855f0499f5L,
+        0x39cf84a9d5fda182L },
+      { 0x04e7b055b2aa95a0L,0x29e33f0a0ddf1860L,0x082e74b5423f6b43L,
+        0x217edeb90aaa2b0fL } },
+    /* 43 << 189 */
+    { { 0x58b83f3583cbea55L,0xc485ee4dbc185d70L,0x833ff03b1e5f6992L,
+        0xb5b9b9cccf0c0dd5L },
+      { 0x7caaee8e4e9e8a50L,0x462e907b6269dafdL,0x6ed5cee9fbe791c6L,
+        0x68ca3259ed430790L } },
+    /* 44 << 189 */
+    { { 0x2b72bdf213b5ba88L,0x60294c8a35ef0ac4L,0x9c3230ed19b99b08L,
+        0x560fff176c2589aaL },
+      { 0x552b8487d6770374L,0xa373202d9a56f685L,0xd3e7f90745f175d9L,
+        0x3c2f315fd080d810L } },
+    /* 45 << 189 */
+    { { 0x1130e9dd7b9520e8L,0xc078f9e20af037b5L,0x38cd2ec71e9c104cL,
+        0x0f684368c472fe92L },
+      { 0xd3f1b5ed6247e7efL,0xb32d33a9396dfe21L,0x46f59cf44a9aa2c2L,
+        0x69cd5168ff0f7e41L } },
+    /* 46 << 189 */
+    { { 0x3f59da0f4b3234daL,0xcf0b0235b4579ebeL,0x6d1cbb256d2476c7L,
+        0x4f0837e69dc30f08L },
+      { 0x9a4075bb906f6e98L,0x253bb434c761e7d1L,0xde2e645f6e73af10L,
+        0xb89a40600c5f131cL } },
+    /* 47 << 189 */
+    { { 0xd12840c5b8cc037fL,0x3d093a5b7405bb47L,0x6202c253206348b8L,
+        0xbf5d57fcc55a3ca7L },
+      { 0x89f6c90c8c3bef48L,0x23ac76235a0a960aL,0xdfbd3d6b552b42abL,
+        0x3ef22458132061f6L } },
+    /* 48 << 189 */
+    { { 0xd74e9bdac97e6516L,0x88779360c230f49eL,0xa6ec1de31e74ea49L,
+        0x581dcee53fb645a2L },
+      { 0xbaef23918f483f14L,0x6d2dddfcd137d13bL,0x54cde50ed2743a42L,
+        0x89a34fc5e4d97e67L } },
+    /* 49 << 189 */
+    { { 0x13f1f5b312e08ce5L,0xa80540b8a7f0b2caL,0x854bcf7701982805L,
+        0xb8653ffd233bea04L },
+      { 0x8e7b878702b0b4c9L,0x2675261f9acb170aL,0x061a9d90930c14e5L,
+        0xb59b30e0def0abeaL } },
+    /* 50 << 189 */
+    { { 0x1dc19ea60200ec7dL,0xb6f4a3f90bce132bL,0xb8d5de90f13e27e0L,
+        0xbaee5ef01fade16fL },
+      { 0x6f406aaae4c6cf38L,0xab4cfe06d1369815L,0x0dcffe87efd550c6L,
+        0x9d4f59c775ff7d39L } },
+    /* 51 << 189 */
+    { { 0xb02553b151deb6adL,0x812399a4b1877749L,0xce90f71fca6006e1L,
+        0xc32363a6b02b6e77L },
+      { 0x02284fbedc36c64dL,0x86c81e31a7e1ae61L,0x2576c7e5b909d94aL,
+        0x8b6f7d02818b2bb0L } },
+    /* 52 << 189 */
+    { { 0xeca3ed0756faa38aL,0xa3790e6c9305bb54L,0xd784eeda7bc73061L,
+        0xbd56d3696dd50614L },
+      { 0xd6575949229a8aa9L,0xdcca8f474595ec28L,0x814305c106ab4fe6L,
+        0xc8c3976824f43f16L } },
+    /* 53 << 189 */
+    { { 0xe2a45f36523f2b36L,0x995c6493920d93bbL,0xf8afdab790f1632bL,
+        0x79ebbecd1c295954L },
+      { 0xc7bb3ddb79592f48L,0x67216a7b5f88e998L,0xd91f098bbc01193eL,
+        0xf7d928a5b1db83fcL } },
+    /* 54 << 189 */
+    { { 0x55e38417e991f600L,0x2a91113e2981a934L,0xcbc9d64806b13bdeL,
+        0xb011b6ac0755ff44L },
+      { 0x6f4cb518045ec613L,0x522d2d31c2f5930aL,0x5acae1af382e65deL,
+        0x5764306727bc966fL } },
+    /* 55 << 189 */
+    { { 0x5e12705d1c7193f0L,0xf0f32f473be8858eL,0x785c3d7d96c6dfc7L,
+        0xd75b4a20bf31795dL },
+      { 0x91acf17b342659d4L,0xe596ea3444f0378fL,0x4515708fce52129dL,
+        0x17387e1e79f2f585L } },
+    /* 56 << 189 */
+    { { 0x72cfd2e949dee168L,0x1ae052233e2af239L,0x009e75be1d94066aL,
+        0x6cca31c738abf413L },
+      { 0xb50bd61d9bc49908L,0x4a9b4a8cf5e2bc1eL,0xeb6cc5f7946f83acL,
+        0x27da93fcebffab28L } },
+    /* 57 << 189 */
+    { { 0xea314c964821c8c5L,0x8de49deda83c15f4L,0x7a64cf207af33004L,
+        0x45f1bfebc9627e10L },
+      { 0x878b062654b9df60L,0x5e4fdc3ca95c0b33L,0xe54a37cac2035d8eL,
+        0x9087cda980f20b8cL } },
+    /* 58 << 189 */
+    { { 0x36f61c238319ade4L,0x766f287ade8cfdf8L,0x48821948346f3705L,
+        0x49a7b85316e4f4a2L },
+      { 0xb9b3f8a75cedadfdL,0x8f5628158db2a815L,0xc0b7d55401f68f95L,
+        0x12971e27688a208eL } },
+    /* 59 << 189 */
+    { { 0xc9f8b696d0ff34fcL,0x20824de21222718cL,0x7213cf9f0c95284dL,
+        0xe2ad741bdc158240L },
+      { 0x0ee3a6df54043ccfL,0x16ff479bd84412b3L,0xf6c74ee0dfc98af0L,
+        0xa78a169f52fcd2fbL } },
+    /* 60 << 189 */
+    { { 0xd8ae874699c930e9L,0x1d33e85849e117a5L,0x7581fcb46624759fL,
+        0xde50644f5bedc01dL },
+      { 0xbeec5d00caf3155eL,0x672d66acbc73e75fL,0x86b9d8c6270b01dbL,
+        0xd249ef8350f55b79L } },
+    /* 61 << 189 */
+    { { 0x6131d6d473978fe3L,0xcc4e4542754b00a1L,0x4e05df0557dfcfe9L,
+        0x94b29cdd51ef6bf0L },
+      { 0xe4530cff9bc7edf2L,0x8ac236fdd3da65f3L,0x0faf7d5fc8eb0b48L,
+        0x4d2de14c660eb039L } },
+    /* 62 << 189 */
+    { { 0xc006bba760430e54L,0x10a2d0d6da3289abL,0x9c037a5dd7979c59L,
+        0x04d1f3d3a116d944L },
+      { 0x9ff224738a0983cdL,0x28e25b38c883cabbL,0xe968dba547a58995L,
+        0x2c80b505774eebdfL } },
+    /* 63 << 189 */
+    { { 0xee763b714a953bebL,0x502e223f1642e7f6L,0x6fe4b64161d5e722L,
+        0x9d37c5b0dbef5316L },
+      { 0x0115ed70f8330bc7L,0x139850e675a72789L,0x27d7faecffceccc2L,
+        0x3016a8604fd9f7f6L } },
+    /* 64 << 189 */
+    { { 0xc492ec644cd8f64cL,0x58a2d790279d7b51L,0x0ced1fc51fc75256L,
+        0x3e658aed8f433017L },
+      { 0x0b61942e05da59ebL,0xba3d60a30ddc3722L,0x7c311cd1742e7f87L,
+        0x6473ffeef6b01b6eL } },
+    /* 0 << 196 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 196 */
+    { { 0x8303604f692ac542L,0xf079ffe1227b91d3L,0x19f63e6315aaf9bdL,
+        0xf99ee565f1f344fbL },
+      { 0x8a1d661fd6219199L,0x8c883bc6d48ce41cL,0x1065118f3c74d904L,
+        0x713889ee0faf8b1bL } },
+    /* 2 << 196 */
+    { { 0x972b3f8f81a1b3beL,0x4f3ce145ce2764a0L,0xe2d0f1cc28c4f5f7L,
+        0xdeee0c0dc7f3985bL },
+      { 0x7df4adc0d39e25c3L,0x40619820c467a080L,0x440ebc9361cf5a58L,
+        0x527729a6422ad600L } },
+    /* 3 << 196 */
+    { { 0xca6c0937b1b76ba6L,0x1a2eab854d2026dcL,0xb1715e1519d9ae0aL,
+        0xf1ad9199bac4a026L },
+      { 0x35b3dfb807ea7b0eL,0xedf5496f3ed9eb89L,0x8932e5ff2d6d08abL,
+        0xf314874e25bd2731L } },
+    /* 4 << 196 */
+    { { 0xefb26a753f73f449L,0x1d1c94f88d44fc79L,0x49f0fbc53bc0dc4dL,
+        0xb747ea0b3698a0d0L },
+      { 0x5218c3fe228d291eL,0x35b804b543c129d6L,0xfac859b8d1acc516L,
+        0x6c10697d95d6e668L } },
+    /* 5 << 196 */
+    { { 0xc38e438f0876fd4eL,0x45f0c30783d2f383L,0x203cc2ecb10934cbL,
+        0x6a8f24392c9d46eeL },
+      { 0xf16b431b65ccde7bL,0x41e2cd1827e76a6fL,0xb9c8cf8f4e3484d7L,
+        0x64426efd8315244aL } },
+    /* 6 << 196 */
+    { { 0x1c0a8e44fc94dea3L,0x34c8cdbfdad6a0b0L,0x919c384004113cefL,
+        0xfd32fba415490ffaL },
+      { 0x58d190f6795dcfb7L,0xfef01b0383588bafL,0x9e6d1d63ca1fc1c0L,
+        0x53173f96f0a41ac9L } },
+    /* 7 << 196 */
+    { { 0x2b1d402aba16f73bL,0x2fb310148cf9b9fcL,0x2d51e60e446ef7bfL,
+        0xc731021bb91e1745L },
+      { 0x9d3b47244fee99d4L,0x4bca48b6fac5c1eaL,0x70f5f514bbea9af7L,
+        0x751f55a5974c283aL } },
+    /* 8 << 196 */
+    { { 0x6e30251acb452fdbL,0x31ee696550f30650L,0xb0b3e508933548d9L,
+        0xb8949a4ff4b0ef5bL },
+      { 0x208b83263c88f3bdL,0xab147c30db1d9989L,0xed6515fd44d4df03L,
+        0x17a12f75e72eb0c5L } },
+    /* 9 << 196 */
+    { { 0x3b59796d36cf69dbL,0x1219eee956670c18L,0xfe3341f77a070d8eL,
+        0x9b70130ba327f90cL },
+      { 0x36a324620ae18e0eL,0x2021a62346c0a638L,0x251b5817c62eb0d4L,
+        0x87bfbcdf4c762293L } },
+    /* 10 << 196 */
+    { { 0xf78ab505cdd61d64L,0x8c7a53fcc8c18857L,0xa653ce6f16147515L,
+        0x9c923aa5ea7d52d5L },
+      { 0xc24709cb5c18871fL,0x7d53bec873b3cc74L,0x59264afffdd1d4c4L,
+        0x5555917e240da582L } },
+    /* 11 << 196 */
+    { { 0xcae8bbda548f5a0eL,0x1910eaba3bbfbbe1L,0xae5796857677afc3L,
+        0x49ea61f173ff0b5cL },
+      { 0x786554784f7c3922L,0x95d337cd20c68eefL,0x68f1e1e5df779ab9L,
+        0x14b491b0b5cf69a8L } },
+    /* 12 << 196 */
+    { { 0x7a6cbbe028e3fe89L,0xe7e1fee4c5aac0ebL,0x7f47eda5697e5140L,
+        0x4f450137b454921fL },
+      { 0xdb625f8495cd8185L,0x74be0ba1cdb2e583L,0xaee4fd7cdd5e6de4L,
+        0x4251437de8101739L } },
+    /* 13 << 196 */
+    { { 0x686d72a0ac620366L,0x4be3fb9cb6d59344L,0x6e8b44e7a1eb75b9L,
+        0x84e39da391a5c10cL },
+      { 0x37cc1490b38f0409L,0x029519432c2ade82L,0x9b6887831190a2d8L,
+        0x25627d14231182baL } },
+    /* 14 << 196 */
+    { { 0x6eb550aa658a6d87L,0x1405aaa7cf9c7325L,0xd147142e5c8748c9L,
+        0x7f637e4f53ede0e0L },
+      { 0xf8ca277614ffad2cL,0xe58fb1bdbafb6791L,0x17158c23bf8f93fcL,
+        0x7f15b3730a4a4655L } },
+    /* 15 << 196 */
+    { { 0x39d4add2d842ca72L,0xa71e43913ed96305L,0x5bb09cbe6700be14L,
+        0x68d69d54d8befcf6L },
+      { 0xa45f536737183bcfL,0x7152b7bb3370dff7L,0xcf887baabf12525bL,
+        0xe7ac7bddd6d1e3cdL } },
+    /* 16 << 196 */
+    { { 0x25914f7881fdad90L,0xcf638f560d2cf6abL,0xb90bc03fcc054de5L,
+        0x932811a718b06350L },
+      { 0x2f00b3309bbd11ffL,0x76108a6fb4044974L,0x801bb9e0a851d266L,
+        0x0dd099bebf8990c1L } },
+    /* 17 << 196 */
+    { { 0x58c5aaaaabe32986L,0x0fe9dd2a50d59c27L,0x84951ff48d307305L,
+        0x6c23f82986529b78L },
+      { 0x50bb22180b136a79L,0x7e2174de77a20996L,0x6f00a4b9c0bb4da6L,
+        0x89a25a17efdde8daL } },
+    /* 18 << 196 */
+    { { 0xf728a27ec11ee01dL,0xf900553ae5f10dfbL,0x189a83c802ec893cL,
+        0x3ca5bdc123f66d77L },
+      { 0x9878153797eada9fL,0x59c50ab310256230L,0x346042d9323c69b3L,
+        0x1b715a6d2c460449L } },
+    /* 19 << 196 */
+    { { 0xa41dd4766ae06e0bL,0xcdd7888e9d42e25fL,0x0f395f7456b25a20L,
+        0xeadfe0ae8700e27eL },
+      { 0xb09d52a969950093L,0x3525d9cb327f8d40L,0xb8235a9467df886aL,
+        0x77e4b0dd035faec2L } },
+    /* 20 << 196 */
+    { { 0x115eb20a517d7061L,0x77fe34336c2df683L,0x6870ddc7cdc6fc67L,
+        0xb16105880b87de83L },
+      { 0x343584cad9c4ddbeL,0xb3164f1c3d754be2L,0x0731ed3ac1e6c894L,
+        0x26327dec4f6b904cL } },
+    /* 21 << 196 */
+    { { 0x9d49c6de97b5cd32L,0x40835daeb5eceecdL,0xc66350edd9ded7feL,
+        0x8aeebb5c7a678804L },
+      { 0x51d42fb75b8ee9ecL,0xd7a17bdd8e3ca118L,0x40d7511a2ef4400eL,
+        0xc48990ac875a66f4L } },
+    /* 22 << 196 */
+    { { 0x8de07d2a2199e347L,0xbee755562a39e051L,0x56918786916e51dcL,
+        0xeb1913134a2d89ecL },
+      { 0x6679610d37d341edL,0x434fbb4156d51c2bL,0xe54b7ee7d7492dbaL,
+        0xaa33a79a59021493L } },
+    /* 23 << 196 */
+    { { 0x49fc5054e4bd6d3dL,0x09540f045ab551d0L,0x8acc90854942d3a6L,
+        0x231af02f2d28323bL },
+      { 0x93458cac0992c163L,0x1fef8e71888e3bb4L,0x27578da5be8c268cL,
+        0xcc8be792e805ec00L } },
+    /* 24 << 196 */
+    { { 0x29267baec61c3855L,0xebff429d58c1fd3bL,0x22d886c08c0b93b8L,
+        0xca5e00b22ddb8953L },
+      { 0xcf330117c3fed8b7L,0xd49ac6fa819c01f6L,0x6ddaa6bd3c0fbd54L,
+        0x917430688049a2cfL } },
+    /* 25 << 196 */
+    { { 0xd67f981eaff2ef81L,0xc3654d352818ae80L,0x81d050441b2aa892L,
+        0x2db067bf3d099328L },
+      { 0xe7c79e86703dcc97L,0xe66f9b37e133e215L,0xcdf119a6e39a7a5cL,
+        0x47c60de3876f1b61L } },
+    /* 26 << 196 */
+    { { 0x6e405939d860f1b2L,0x3e9a1dbcf5ed4d4aL,0x3f23619ec9b6bcbdL,
+        0x5ee790cf734e4497L },
+      { 0xf0a834b15bdaf9bbL,0x02cedda74ca295f0L,0x4619aa2bcb8e378cL,
+        0xe5613244cc987ea4L } },
+    /* 27 << 196 */
+    { { 0x0bc022cc76b23a50L,0x4a2793ad0a6c21ceL,0x3832878089cac3f5L,
+        0x29176f1bcba26d56L },
+      { 0x062961874f6f59ebL,0x86e9bca98bdc658eL,0x2ca9c4d357e30402L,
+        0x5438b216516a09bbL } },
+    /* 28 << 196 */
+    { { 0x0a6a063c7672765aL,0x37a3ce640547b9bfL,0x42c099c898b1a633L,
+        0xb5ab800d05ee6961L },
+      { 0xf1963f5911a5acd6L,0xbaee615746201063L,0x36d9a649a596210aL,
+        0xaed043631ba7138cL } },
+    /* 29 << 196 */
+    { { 0xcf817d1ca4a82b76L,0x5586960ef3806be9L,0x7ab67c8909dc6bb5L,
+        0x52ace7a0114fe7ebL },
+      { 0xcd987618cbbc9b70L,0x4f06fd5a604ca5e1L,0x90af14ca6dbde133L,
+        0x1afe4322948a3264L } },
+    /* 30 << 196 */
+    { { 0xa70d2ca6c44b2c6cL,0xab7267990ef87dfeL,0x310f64dc2e696377L,
+        0x49b42e684c8126a0L },
+      { 0x0ea444c3cea0b176L,0x53a8ddf7cb269182L,0xf3e674ebbbba9dcbL,
+        0x0d2878a8d8669d33L } },
+    /* 31 << 196 */
+    { { 0x04b935d5d019b6a3L,0xbb5cf88e406f1e46L,0xa1912d165b57c111L,
+        0x9803fc2119ebfd78L },
+      { 0x4f231c9ec07764a9L,0xd93286eeb75bd055L,0x83a9457d8ee6c9deL,
+        0x046959156087ec90L } },
+    /* 32 << 196 */
+    { { 0x14c6dd8a58d6cd46L,0x9cb633b58e6634d2L,0xc1305047f81bc328L,
+        0x12ede0e226a177e5L },
+      { 0x332cca62065a6f4fL,0xc3a47ecd67be487bL,0x741eb1870f47ed1cL,
+        0x99e66e58e7598b14L } },
+    /* 33 << 196 */
+    { { 0x6f0544ca63d0ff12L,0xe5efc784b610a05fL,0xf72917b17cad7b47L,
+        0x3ff6ea20f2cac0c0L },
+      { 0xcc23791bf21db8b7L,0x7dac70b1d7d93565L,0x682cda1d694bdaadL,
+        0xeb88bb8c1023516dL } },
+    /* 34 << 196 */
+    { { 0xc4c634b4dfdbeb1bL,0x22f5ca72b4ee4deaL,0x1045a368e6524821L,
+        0xed9e8a3f052b18b2L },
+      { 0x9b7f2cb1b961f49aL,0x7fee2ec17b009670L,0x350d875422507a6dL,
+        0x561bd7114db55f1dL } },
+    /* 35 << 196 */
+    { { 0x4c189ccc320bbcafL,0x568434cfdf1de48cL,0x6af1b00e0fa8f128L,
+        0xf0ba9d028907583cL },
+      { 0x735a400432ff9f60L,0x3dd8e4b6c25dcf33L,0xf2230f1642c74cefL,
+        0xd8117623013fa8adL } },
+    /* 36 << 196 */
+    { { 0x36822876f51fe76eL,0x8a6811cc11d62589L,0xc3fc7e6546225718L,
+        0xb7df2c9fc82fdbcdL },
+      { 0x3b1d4e52dd7b205bL,0xb695947847a2e414L,0x05e4d793efa91148L,
+        0xb47ed446fd2e9675L } },
+    /* 37 << 196 */
+    { { 0x1a7098b904c9d9bfL,0x661e28811b793048L,0xb1a16966b01ee461L,
+        0xbc5213082954746fL },
+      { 0xc909a0fc2477de50L,0xd80bb41c7dbd51efL,0xa85be7ec53294905L,
+        0x6d465b1883958f97L } },
+    /* 38 << 196 */
+    { { 0x16f6f330fb6840fdL,0xfaaeb2143401e6c8L,0xaf83d30fccb5b4f8L,
+        0x22885739266dec4bL },
+      { 0x51b4367c7bc467dfL,0x926562e3d842d27aL,0xdfcb66140fea14a6L,
+        0xeb394daef2734cd9L } },
+    /* 39 << 196 */
+    { { 0x3eeae5d211c0be98L,0xb1e6ed11814e8165L,0x191086bce52bce1cL,
+        0x14b74cc6a75a04daL },
+      { 0x63cf11868c060985L,0x071047de2dbd7f7cL,0x4e433b8bce0942caL,
+        0xecbac447d8fec61dL } },
+    /* 40 << 196 */
+    { { 0x8f0ed0e2ebf3232fL,0xfff80f9ec52a2eddL,0xad9ab43375b55fdbL,
+        0x73ca7820e42e0c11L },
+      { 0x6dace0a0e6251b46L,0x89bc6b5c4c0d932dL,0x3438cd77095da19aL,
+        0x2f24a9398d48bdfbL } },
+    /* 41 << 196 */
+    { { 0x99b47e46766561b7L,0x736600e60ed0322aL,0x06a47cb1638e1865L,
+        0x927c1c2dcb136000L },
+      { 0x295423370cc5df69L,0x99b37c0209d649a9L,0xc5f0043c6aefdb27L,
+        0x6cdd99871be95c27L } },
+    /* 42 << 196 */
+    { { 0x69850931390420d2L,0x299c40ac0983efa4L,0x3a05e778af39aeadL,
+        0x8427440843a45193L },
+      { 0x6bcd0fb991a711a0L,0x461592c89f52ab17L,0xb49302b4da3c6ed6L,
+        0xc51fddc7330d7067L } },
+    /* 43 << 196 */
+    { { 0x94babeb6da50d531L,0x521b840da6a7b9daL,0x5305151e404bdc89L,
+        0x1bcde201d0d07449L },
+      { 0xf427a78b3b76a59aL,0xf84841ce07791a1bL,0xebd314bebf91ed1cL,
+        0x8e61d34cbf172943L } },
+    /* 44 << 196 */
+    { { 0x1d5dc4515541b892L,0xb186ee41fc9d9e54L,0x9d9f345ed5bf610dL,
+        0x3e7ba65df6acca9fL },
+      { 0x9dda787aa8369486L,0x09f9dab78eb5ba53L,0x5afb2033d6481bc3L,
+        0x76f4ce30afa62104L } },
+    /* 45 << 196 */
+    { { 0xa8fa00cff4f066b5L,0x89ab5143461dafc2L,0x44339ed7a3389998L,
+        0x2ff862f1bc214903L },
+      { 0x2c88f985b05556e3L,0xcd96058e3467081eL,0x7d6a4176edc637eaL,
+        0xe1743d0936a5acdcL } },
+    /* 46 << 196 */
+    { { 0x66fd72e27eb37726L,0xf7fa264e1481a037L,0x9fbd3bde45f4aa79L,
+        0xed1e0147767c3e22L },
+      { 0x7621f97982e7abe2L,0x19eedc7245f633f8L,0xe69b155e6137bf3aL,
+        0xa0ad13ce414ee94eL } },
+    /* 47 << 196 */
+    { { 0x93e3d5241c0e651aL,0xab1a6e2a02ce227eL,0xe7af17974ab27ecaL,
+        0x245446debd444f39L },
+      { 0x59e22a2156c07613L,0x43deafcef4275498L,0x10834ccb67fd0946L,
+        0xa75841e547406edfL } },
+    /* 48 << 196 */
+    { { 0xebd6a6777b0ac93dL,0xa6e37b0d78f5e0d7L,0x2516c09676f5492bL,
+        0x1e4bf8889ac05f3aL },
+      { 0xcdb42ce04df0ba2bL,0x935d5cfd5062341bL,0x8a30333382acac20L,
+        0x429438c45198b00eL } },
+    /* 49 << 196 */
+    { { 0x1d083bc9049d33faL,0x58b82dda946f67ffL,0xac3e2db867a1d6a3L,
+        0x62e6bead1798aac8L },
+      { 0xfc85980fde46c58cL,0xa7f6937969c8d7beL,0x23557927837b35ecL,
+        0x06a933d8e0790c0cL } },
+    /* 50 << 196 */
+    { { 0x827c0e9b077ff55dL,0x53977798bb26e680L,0x595308741d9cb54fL,
+        0xcca3f4494aac53efL },
+      { 0x11dc5c87a07eda0fL,0xc138bccffd6400c8L,0x549680d313e5da72L,
+        0xc93eed824540617eL } },
+    /* 51 << 196 */
+    { { 0xfd3db1574d0b75c0L,0x9716eb426386075bL,0x0639605c817b2c16L,
+        0x09915109f1e4f201L },
+      { 0x35c9a9285cca6c3bL,0xb25f7d1a3505c900L,0xeb9f7d20630480c4L,
+        0xc3c7b8c62a1a501cL } },
+    /* 52 << 196 */
+    { { 0x3f99183c5a1f8e24L,0xfdb118fa9dd255f0L,0xb9b18b90c27f62a6L,
+        0xe8f732f7396ec191L },
+      { 0x524a2d910be786abL,0x5d32adef0ac5a0f5L,0x9b53d4d69725f694L,
+        0x032a76c60510ba89L } },
+    /* 53 << 196 */
+    { { 0x840391a3ebeb1544L,0x44b7b88c3ed73ac3L,0xd24bae7a256cb8b3L,
+        0x7ceb151ae394cb12L },
+      { 0xbd6b66d05bc1e6a8L,0xec70cecb090f07bfL,0x270644ed7d937589L,
+        0xee9e1a3d5f1dccfeL } },
+    /* 54 << 196 */
+    { { 0xb0d40a84745b98d2L,0xda429a212556ed40L,0xf676eced85148cb9L,
+        0x5a22d40cded18936L },
+      { 0x3bc4b9e570e8a4ceL,0xbfd1445b9eae0379L,0xf23f2c0c1a0bd47eL,
+        0xa9c0bb31e1845531L } },
+    /* 55 << 196 */
+    { { 0x9ddc4d600a4c3f6bL,0xbdfaad792c15ef44L,0xce55a2367f484accL,
+        0x08653ca7055b1f15L },
+      { 0x2efa8724538873a3L,0x09299e5dace1c7e7L,0x07afab66ade332baL,
+        0x9be1fdf692dd71b7L } },
+    /* 56 << 196 */
+    { { 0xa49b5d595758b11cL,0x0b852893c8654f40L,0xb63ef6f452379447L,
+        0xd4957d29105e690cL },
+      { 0x7d484363646559b0L,0xf4a8273c49788a8eL,0xee406cb834ce54a9L,
+        0x1e1c260ff86fda9bL } },
+    /* 57 << 196 */
+    { { 0xe150e228cf6a4a81L,0x1fa3b6a31b488772L,0x1e6ff110c5a9c15bL,
+        0xc6133b918ad6aa47L },
+      { 0x8ac5d55c9dffa978L,0xba1d1c1d5f3965f2L,0xf969f4e07732b52fL,
+        0xfceecdb5a5172a07L } },
+    /* 58 << 196 */
+    { { 0xb0120a5f10f2b8f5L,0xc83a6cdf5c4c2f63L,0x4d47a491f8f9c213L,
+        0xd9e1cce5d3f1bbd5L },
+      { 0x0d91bc7caba7e372L,0xfcdc74c8dfd1a2dbL,0x05efa800374618e5L,
+        0x1121696915a7925eL } },
+    /* 59 << 196 */
+    { { 0xd4c89823f6021c5dL,0x880d5e84eff14423L,0x6523bc5a6dcd1396L,
+        0xd1acfdfc113c978bL },
+      { 0xb0c164e8bbb66840L,0xf7f4301e72b58459L,0xc29ad4a6a638e8ecL,
+        0xf5ab896146b78699L } },
+    /* 60 << 196 */
+    { { 0x9dbd79740e954750L,0x0121de8864f9d2c6L,0x2e597b42d985232eL,
+        0x55b6c3c553451777L },
+      { 0xbb53e547519cb9fbL,0xf134019f8428600dL,0x5a473176e081791aL,
+        0x2f3e226335fb0c08L } },
+    /* 61 << 196 */
+    { { 0xb28c301773d273b0L,0xccd210767721ef9aL,0x054cc292b650dc39L,
+        0x662246de6188045eL },
+      { 0x904b52fa6b83c0d1L,0xa72df26797e9cd46L,0x886b43cd899725e4L,
+        0x2b651688d849ff22L } },
+    /* 62 << 196 */
+    { { 0x60479b7902f34533L,0x5e354c140c77c148L,0xb4bb7581a8537c78L,
+        0x188043d7efe1495fL },
+      { 0x9ba12f428c1d5026L,0x2e0c8a2693d4aaabL,0xbdba7b8baa57c450L,
+        0x140c9ad69bbdafefL } },
+    /* 63 << 196 */
+    { { 0x2067aa4225ac0f18L,0xf7b1295b04d1fbf3L,0x14829111a4b04824L,
+        0x2ce3f19233bd5e91L },
+      { 0x9c7a1d558f2e1b72L,0xfe932286302aa243L,0x497ca7b4d4be9554L,
+        0xb8e821b8e0547a6eL } },
+    /* 64 << 196 */
+    { { 0xfb2838be67e573e0L,0x05891db94084c44bL,0x9131137396c1c2c5L,
+        0x6aebfa3fd958444bL },
+      { 0xac9cdce9e56e55c1L,0x7148ced32caa46d0L,0x2e10c7efb61fe8ebL,
+        0x9fd835daff97cf4dL } },
+    /* 0 << 203 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 203 */
+    { { 0xa36da109081e9387L,0xfb9780d78c935828L,0xd5940332e540b015L,
+        0xc9d7b51be0f466faL },
+      { 0xfaadcd41d6d9f671L,0xba6c1e28b1a2ac17L,0x066a7833ed201e5fL,
+        0x19d99719f90f462bL } },
+    /* 2 << 203 */
+    { { 0xf431f462060b5f61L,0xa56f46b47bd057c2L,0x348dca6c47e1bf65L,
+        0x9a38783e41bcf1ffL },
+      { 0x7a5d33a9da710718L,0x5a7799872e0aeaf6L,0xca87314d2d29d187L,
+        0xfa0edc3ec687d733L } },
+    /* 3 << 203 */
+    { { 0x9df336216a31e09bL,0xde89e44dc1350e35L,0x292148714ca0cf52L,
+        0xdf3796720b88a538L },
+      { 0xc92a510a2591d61bL,0x79aa87d7585b447bL,0xf67db604e5287f77L,
+        0x1697c8bf5efe7a80L } },
+    /* 4 << 203 */
+    { { 0x1c894849cb198ac7L,0xa884a93d0f264665L,0x2da964ef9b200678L,
+        0x3c351b87009834e6L },
+      { 0xafb2ef9fe2c4b44bL,0x580f6c473326790cL,0xb84805210b02264aL,
+        0x8ba6f9e242a194e2L } },
+    /* 5 << 203 */
+    { { 0xfc87975f8fb54738L,0x3516078827c3ead3L,0x834116d2b74a085aL,
+        0x53c99a73a62fe996L },
+      { 0x87585be05b81c51bL,0x925bafa8be0852b7L,0x76a4fafda84d19a7L,
+        0x39a45982585206d4L } },
+    /* 6 << 203 */
+    { { 0x499b6ab65eb03c0eL,0xf19b795472bc3fdeL,0xa86b5b9c6e3a80d2L,
+        0xe43775086d42819fL },
+      { 0xc1663650bb3ee8a3L,0x75eb14fcb132075fL,0xa8ccc9067ad834f6L,
+        0xea6a2474e6e92ffdL } },
+    /* 7 << 203 */
+    { { 0x9d72fd950f8d6758L,0xcb84e101408c07ddL,0xb9114bfda5e23221L,
+        0x358b5fe2e94e742cL },
+      { 0x1c0577ec95f40e75L,0xf01554513d73f3d6L,0x9d55cd67bd1b9b66L,
+        0x63e86e78af8d63c7L } },
+    /* 8 << 203 */
+    { { 0x39d934abd3c095f1L,0x04b261bee4b76d71L,0x1d2e6970e73e6984L,
+        0x879fb23b5e5fcb11L },
+      { 0x11506c72dfd75490L,0x3a97d08561bcf1c1L,0x43201d82bf5e7007L,
+        0x7f0ac52f798232a7L } },
+    /* 9 << 203 */
+    { { 0x2715cbc46eb564d4L,0x8d6c752c9e570e29L,0xf80247c89ef5fd5dL,
+        0xc3c66b46d53eb514L },
+      { 0x9666b4010f87de56L,0xce62c06fc6c603b5L,0xae7b4c607e4fc942L,
+        0x38ac0b77663a9c19L } },
+    /* 10 << 203 */
+    { { 0xcb4d20ee4b049136L,0x8b63bf12356a4613L,0x1221aef670e08128L,
+        0xe62d8c514acb6b16L },
+      { 0x71f64a67379e7896L,0xb25237a2cafd7fa5L,0xf077bd983841ba6aL,
+        0xc4ac02443cd16e7eL } },
+    /* 11 << 203 */
+    { { 0x548ba86921fea4caL,0xd36d0817f3dfdac1L,0x09d8d71ff4685fafL,
+        0x8eff66bec52c459aL },
+      { 0x182faee70b57235eL,0xee3c39b10106712bL,0x5107331fc0fcdcb0L,
+        0x669fb9dca51054baL } },
+    /* 12 << 203 */
+    { { 0xb25101fb319d7682L,0xb02931290a982feeL,0x51c1c9b90261b344L,
+        0x0e008c5bbfd371faL },
+      { 0xd866dd1c0278ca33L,0x666f76a6e5aa53b1L,0xe5cfb7796013a2cfL,
+        0x1d3a1aada3521836L } },
+    /* 13 << 203 */
+    { { 0xcedd253173faa485L,0xc8ee6c4fc0a76878L,0xddbccfc92a11667dL,
+        0x1a418ea91c2f695aL },
+      { 0xdb11bd9251f73971L,0x3e4b3c82da2ed89fL,0x9a44f3f4e73e0319L,
+        0xd1e3de0f303431afL } },
+    /* 14 << 203 */
+    { { 0x3c5604ff50f75f9cL,0x1d8eddf37e752b22L,0x0ef074dd3c9a1118L,
+        0xd0ffc172ccb86d7bL },
+      { 0xabd1ece3037d90f2L,0xe3f307d66055856cL,0x422f93287e4c6dafL,
+        0x902aac66334879a0L } },
+    /* 15 << 203 */
+    { { 0xb6a1e7bf94cdfadeL,0x6c97e1ed7fc6d634L,0x662ad24da2fb63f8L,
+        0xf81be1b9a5928405L },
+      { 0x86d765e4d14b4206L,0xbecc2e0e8fa0db65L,0xa28838e0b17fc76cL,
+        0xe49a602ae37cf24eL } },
+    /* 16 << 203 */
+    { { 0x76b4131a567193ecL,0xaf3c305ae5f6e70bL,0x9587bd39031eebddL,
+        0x5709def871bbe831L },
+      { 0x570599830eb2b669L,0x4d80ce1b875b7029L,0x838a7da80364ac16L,
+        0x2f431d23be1c83abL } },
+    /* 17 << 203 */
+    { { 0xe56812a6f9294dd3L,0xb448d01f9b4b0d77L,0xf3ae606104e8305cL,
+        0x2bead64594d8c63eL },
+      { 0x0a85434d84fd8b07L,0x537b983ff7a9dee5L,0xedcc5f18ef55bd85L,
+        0x2041af6221c6cf8bL } },
+    /* 18 << 203 */
+    { { 0x8e52874cb940c71eL,0x211935a9db5f4b3aL,0x94350492301b1dc3L,
+        0x33d2646d29958620L },
+      { 0x16b0d64bef911404L,0x9d1f25ea9a3c5ef4L,0x20f200eb4a352c78L,
+        0x43929f2c4bd0b428L } },
+    /* 19 << 203 */
+    { { 0xa5656667c7196e29L,0x7992c2f09391be48L,0xaaa97cbd9ee0cd6eL,
+        0x51b0310c3dc8c9bfL },
+      { 0x237f8acfdd9f22cbL,0xbb1d81a1b585d584L,0x8d5d85f58c416388L,
+        0x0d6e5a5a42fe474fL } },
+    /* 20 << 203 */
+    { { 0xe781276638235d4eL,0x1c62bd67496e3298L,0x8378660c3f175bc8L,
+        0x4d04e18917afdd4dL },
+      { 0x32a8160185a8068cL,0xdb58e4e192b29a85L,0xe8a65b86c70d8a3bL,
+        0x5f0e6f4e98a0403bL } },
+    /* 21 << 203 */
+    { { 0x0812968469ed2370L,0x34dc30bd0871ee26L,0x3a5ce9487c9c5b05L,
+        0x7d487b8043a90c87L },
+      { 0x4089ba37dd0e7179L,0x45f80191b4041811L,0x1c3e105898747ba5L,
+        0x98c4e13a6e1ae592L } },
+    /* 22 << 203 */
+    { { 0xd44636e6e82c9f9eL,0x711db87cc33a1043L,0x6f431263aa8aec05L,
+        0x43ff120d2744a4aaL },
+      { 0xd3bd892fae77779bL,0xf0fe0cc98cdc9f82L,0xca5f7fe6f1c5b1bcL,
+        0xcc63a68244929a72L } },
+    /* 23 << 203 */
+    { { 0xc7eaba0c09dbe19aL,0x2f3585ad6b5c73c2L,0x8ab8924b0ae50c30L,
+        0x17fcd27a638b30baL },
+      { 0xaf414d3410b3d5a5L,0x09c107d22a9accf1L,0x15dac49f946a6242L,
+        0xaec3df2ad707d642L } },
+    /* 24 << 203 */
+    { { 0x2c2492b73f894ae0L,0xf59df3e5b75f18ceL,0x7cb740d28f53cad0L,
+        0x3eb585fbc4f01294L },
+      { 0x17da0c8632c7f717L,0xeb8c795baf943f4cL,0x4ee23fb5f67c51d2L,
+        0xef18757568889949L } },
+    /* 25 << 203 */
+    { { 0xa6b4bdb20389168bL,0xc4ecd258ea577d03L,0x3a63782b55743082L,
+        0x6f678f4cc72f08cdL },
+      { 0x553511cf65e58dd8L,0xd53b4e3ed402c0cdL,0x37de3e29a037c14cL,
+        0x86b6c516c05712aaL } },
+    /* 26 << 203 */
+    { { 0x2834da3eb38dff6fL,0xbe012c52ea636be8L,0x292d238c61dd37f8L,
+        0x0e54523f8f8142dbL },
+      { 0xe31eb436036a05d8L,0x83e3cdff1e93c0ffL,0x3fd2fe0f50821ddfL,
+        0xc8e19b0dff9eb33bL } },
+    /* 27 << 203 */
+    { { 0xc8cc943fb569a5feL,0xad0090d4d4342d75L,0x82090b4bcaeca000L,
+        0xca39687f1bd410ebL },
+      { 0xe7bb0df765959d77L,0x39d782189c964999L,0xd87f62e8b2415451L,
+        0xe5efb774bed76108L } },
+    /* 28 << 203 */
+    { { 0x3ea011a4e822f0d0L,0xbc647ad15a8704f8L,0xbb315b3550c6820fL,
+        0x863dec3db7e76becL },
+      { 0x01ff5d3af017bfc7L,0x20054439976b8229L,0x067fca370bbd0d3bL,
+        0xf63dde647f5e3d0fL } },
+    /* 29 << 203 */
+    { { 0x22dbefb32a4c94e9L,0xafbff0fe96f8278aL,0x80aea0b13503793dL,
+        0xb22380295f06cd29L },
+      { 0x65703e578ec3fecaL,0x06c38314393e7053L,0xa0b751eb7c6734c4L,
+        0xd2e8a435c59f0f1eL } },
+    /* 30 << 203 */
+    { { 0x147d90525e9ca895L,0x2f4dd31e972072dfL,0xa16fda8ee6c6755cL,
+        0xc66826ffcf196558L },
+      { 0x1f1a76a30cf43895L,0xa9d604e083c3097bL,0xe190830966390e0eL,
+        0xa50bf753b3c85effL } },
+    /* 31 << 203 */
+    { { 0x0696bddef6a70251L,0x548b801b3c6ab16aL,0x37fcf704a4d08762L,
+        0x090b3defdff76c4eL },
+      { 0x87e8cb8969cb9158L,0x44a90744995ece43L,0xf85395f40ad9fbf5L,
+        0x49b0f6c54fb0c82dL } },
+    /* 32 << 203 */
+    { { 0x75d9bc15adf7cccfL,0x81a3e5d6dfa1e1b0L,0x8c39e444249bc17eL,
+        0xf37dccb28ea7fd43L },
+      { 0xda654873907fba12L,0x35daa6da4a372904L,0x0564cfc66283a6c5L,
+        0xd09fa4f64a9395bfL } },
+    /* 33 << 203 */
+    { { 0x688e9ec9aeb19a36L,0xd913f1cec7bfbfb4L,0x797b9a3c61c2faa6L,
+        0x2f979bec6a0a9c12L },
+      { 0xb5969d0f359679ecL,0xebcf523d079b0460L,0xfd6b000810fab870L,
+        0x3f2edcda9373a39cL } },
+    /* 34 << 203 */
+    { { 0x0d64f9a76f568431L,0xf848c27c02f8898cL,0xf418ade1260b5bd5L,
+        0xc1f3e3236973dee8L },
+      { 0x46e9319c26c185ddL,0x6d85b7d8546f0ac4L,0x427965f2247f9d57L,
+        0xb519b636b0035f48L } },
+    /* 35 << 203 */
+    { { 0x6b6163a9ab87d59cL,0xff9f58c339caaa11L,0x4ac39cde3177387bL,
+        0x5f6557c2873e77f9L },
+      { 0x6750400636a83041L,0x9b1c96ca75ef196cL,0xf34283deb08c7940L,
+        0x7ea096441128c316L } },
+    /* 36 << 203 */
+    { { 0xb510b3b56aa39dffL,0x59b43da29f8e4d8cL,0xa8ce31fd9e4c4b9fL,
+        0x0e20be26c1303c01L },
+      { 0x18187182e8ee47c9L,0xd9687cdb7db98101L,0x7a520e4da1e14ff6L,
+        0x429808ba8836d572L } },
+    /* 37 << 203 */
+    { { 0xa37ca60d4944b663L,0xf901f7a9a3f91ae5L,0xe4e3e76e9e36e3b1L,
+        0x9aa219cf29d93250L },
+      { 0x347fe275056a2512L,0xa4d643d9de65d95cL,0x9669d396699fc3edL,
+        0xb598dee2cf8c6bbeL } },
+    /* 38 << 203 */
+    { { 0x682ac1e5dda9e5c6L,0x4e0d3c72caa9fc95L,0x17faaade772bea44L,
+        0x5ef8428cab0009c8L },
+      { 0xcc4ce47a460ff016L,0xda6d12bf725281cbL,0x44c678480223aad2L,
+        0x6e342afa36256e28L } },
+    /* 39 << 203 */
+    { { 0x1400bb0b93a37c04L,0x62b1bc9bdd10bd96L,0x7251adeb0dac46b7L,
+        0x7d33b92e7be4ef51L },
+      { 0x28b2a94be61fa29aL,0x4b2be13f06422233L,0x36d6d062330d8d37L,
+        0x5ef80e1eb28ca005L } },
+    /* 40 << 203 */
+    { { 0x174d46996d16768eL,0x9fc4ff6a628bf217L,0x77705a94154e490dL,
+        0x9d96dd288d2d997aL },
+      { 0x77e2d9d8ce5d72c4L,0x9d06c5a4c11c714fL,0x02aa513679e4a03eL,
+        0x1386b3c2030ff28bL } },
+    /* 41 << 203 */
+    { { 0xfe82e8a6fb283f61L,0x7df203e5f3abc3fbL,0xeec7c3513a4d3622L,
+        0xf7d17dbfdf762761L },
+      { 0xc3956e44522055f0L,0xde3012db8fa748dbL,0xca9fcb63bf1dcc14L,
+        0xa56d9dcfbe4e2f3aL } },
+    /* 42 << 203 */
+    { { 0xb86186b68bcec9c2L,0x7cf24df9680b9f06L,0xc46b45eac0d29281L,
+        0xfff42bc507b10e12L },
+      { 0x12263c404d289427L,0x3d5f1899b4848ec4L,0x11f97010d040800cL,
+        0xb4c5f529300feb20L } },
+    /* 43 << 203 */
+    { { 0xcc543f8fde94fdcbL,0xe96af739c7c2f05eL,0xaa5e0036882692e1L,
+        0x09c75b68950d4ae9L },
+      { 0x62f63df2b5932a7aL,0x2658252ede0979adL,0x2a19343fb5e69631L,
+        0x718c7501525b666bL } },
+    /* 44 << 203 */
+    { { 0x26a42d69ea40dc3aL,0xdc84ad22aecc018fL,0x25c36c7b3270f04aL,
+        0x46ba6d4750fa72edL },
+      { 0x6c37d1c593e58a8eL,0xa2394731120c088cL,0xc3be4263cb6e86daL,
+        0x2c417d367126d038L } },
+    /* 45 << 203 */
+    { { 0x5b70f9c58b6f8efaL,0x671a2faa37718536L,0xd3ced3c6b539c92bL,
+        0xe56f1bd9a31203c2L },
+      { 0x8b096ec49ff3c8ebL,0x2deae43243491ceaL,0x2465c6eb17943794L,
+        0x5d267e6620586843L } },
+    /* 46 << 203 */
+    { { 0x9d3d116db07159d0L,0xae07a67fc1896210L,0x8fc84d87bb961579L,
+        0x30009e491c1f8dd6L },
+      { 0x8a8caf22e3132819L,0xcffa197cf23ab4ffL,0x58103a44205dd687L,
+        0x57b796c30ded67a2L } },
+    /* 47 << 203 */
+    { { 0x0b9c3a6ca1779ad7L,0xa33cfe2e357c09c5L,0x2ea293153db4a57eL,
+        0x919596958ebeb52eL },
+      { 0x118db9a6e546c879L,0x8e996df46295c8d6L,0xdd99048455ec806bL,
+        0x24f291ca165c1035L } },
+    /* 48 << 203 */
+    { { 0xcca523bb440e2229L,0x324673a273ef4d04L,0xaf3adf343e11ec39L,
+        0x6136d7f1dc5968d3L },
+      { 0x7a7b2899b053a927L,0x3eaa2661ae067ecdL,0x8549b9c802779cd9L,
+        0x061d7940c53385eaL } },
+    /* 49 << 203 */
+    { { 0x3e0ba883f06d18bdL,0x4ba6de53b2700843L,0xb966b668591a9e4dL,
+        0x93f675677f4fa0edL },
+      { 0x5a02711b4347237bL,0xbc041e2fe794608eL,0x55af10f570f73d8cL,
+        0xd2d4d4f7bb7564f7L } },
+    /* 50 << 203 */
+    { { 0xd7d27a89b3e93ce7L,0xf7b5a8755d3a2c1bL,0xb29e68a0255b218aL,
+        0xb533837e8af76754L },
+      { 0xd1b05a73579fab2eL,0xb41055a1ecd74385L,0xb2369274445e9115L,
+        0x2972a7c4f520274eL } },
+    /* 51 << 203 */
+    { { 0x6c08334ef678e68aL,0x4e4160f099b057edL,0x3cfe11b852ccb69aL,
+        0x2fd1823a21c8f772L },
+      { 0xdf7f072f3298f055L,0x8c0566f9fec74a6eL,0xe549e0195bb4d041L,
+        0x7c3930ba9208d850L } },
+    /* 52 << 203 */
+    { { 0xe07141fcaaa2902bL,0x539ad799e4f69ad3L,0xa6453f94813f9ffdL,
+        0xc58d3c48375bc2f7L },
+      { 0xb3326fad5dc64e96L,0x3aafcaa9b240e354L,0x1d1b0903aca1e7a9L,
+        0x4ceb97671211b8a0L } },
+    /* 53 << 203 */
+    { { 0xeca83e49e32a858eL,0x4c32892eae907badL,0xd5b42ab62eb9b494L,
+        0x7fde3ee21eabae1bL },
+      { 0x13b5ab09caf54957L,0xbfb028bee5f5d5d5L,0x928a06502003e2c0L,
+        0x90793aac67476843L } },
+    /* 54 << 203 */
+    { { 0x5e942e79c81710a0L,0x557e4a3627ccadd4L,0x72a2bc564bcf6d0cL,
+        0x09ee5f4326d7b80cL },
+      { 0x6b70dbe9d4292f19L,0x56f74c2663f16b18L,0xc23db0f735fbb42aL,
+        0xb606bdf66ae10040L } },
+    /* 55 << 203 */
+    { { 0x1eb15d4d044573acL,0x7dc3cf86556b0ba4L,0x97af9a33c60df6f7L,
+        0x0b1ef85ca716ce8cL },
+      { 0x2922f884c96958beL,0x7c32fa9435690963L,0x2d7f667ceaa00061L,
+        0xeaaf7c173547365cL } },
+    /* 56 << 203 */
+    { { 0x1eb4de4687032d58L,0xc54f3d835e2c79e0L,0x07818df45d04ef23L,
+        0x55faa9c8673d41b4L },
+      { 0xced64f6f89b95355L,0x4860d2eab7415c84L,0x5fdb9bd2050ebad3L,
+        0xdb53e0cc6685a5bfL } },
+    /* 57 << 203 */
+    { { 0xb830c0319feb6593L,0xdd87f3106accff17L,0x2303ebab9f555c10L,
+        0x94603695287e7065L },
+      { 0xf88311c32e83358cL,0x508dd9b4eefb0178L,0x7ca237062dba8652L,
+        0x62aac5a30047abe5L } },
+    /* 58 << 203 */
+    { { 0x9a61d2a08b1ea7b3L,0xd495ab63ae8b1485L,0x38740f8487052f99L,
+        0x178ebe5bb2974eeaL },
+      { 0x030bbcca5b36d17fL,0xb5e4cce3aaf86eeaL,0xb51a022068f8e9e0L,
+        0xa434879609eb3e75L } },
+    /* 59 << 203 */
+    { { 0xbe592309eef1a752L,0x5d7162d76f2aa1edL,0xaebfb5ed0f007dd2L,
+        0x255e14b2c89edd22L },
+      { 0xba85e0720303b697L,0xc5d17e25f05720ffL,0x02b58d6e5128ebb6L,
+        0x2c80242dd754e113L } },
+    /* 60 << 203 */
+    { { 0x919fca5fabfae1caL,0x937afaac1a21459bL,0x9e0ca91c1f66a4d2L,
+        0x194cc7f323ec1331L },
+      { 0xad25143a8aa11690L,0xbe40ad8d09b59e08L,0x37d60d9be750860aL,
+        0x6c53b008c6bf434cL } },
+    /* 61 << 203 */
+    { { 0xb572415d1356eb80L,0xb8bf9da39578ded8L,0x22658e365e8fb38bL,
+        0x9b70ce225af8cb22L },
+      { 0x7c00018a829a8180L,0x84329f93b81ed295L,0x7c343ea25f3cea83L,
+        0x38f8655f67586536L } },
+    /* 62 << 203 */
+    { { 0xa661a0d01d3ec517L,0x98744652512321aeL,0x084ca591eca92598L,
+        0xa9bb9dc91dcb3febL },
+      { 0x14c5435578b4c240L,0x5ed62a3b610cafdcL,0x07512f371b38846bL,
+        0x571bb70ab0e38161L } },
+    /* 63 << 203 */
+    { { 0xb556b95b2da705d2L,0x3ef8ada6b1a08f98L,0x85302ca7ddecfbe5L,
+        0x0e530573943105cdL },
+      { 0x60554d5521a9255dL,0x63a32fa1f2f3802aL,0x35c8c5b0cd477875L,
+        0x97f458ea6ad42da1L } },
+    /* 64 << 203 */
+    { { 0x832d7080eb6b242dL,0xd30bd0233b71e246L,0x7027991bbe31139dL,
+        0x68797e91462e4e53L },
+      { 0x423fe20a6b4e185aL,0x82f2c67e42d9b707L,0x25c817684cf7811bL,
+        0xbd53005e045bb95dL } },
+    /* 0 << 210 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 210 */
+    { { 0xe5f649be9d8e68fdL,0xdb0f05331b044320L,0xf6fde9b3e0c33398L,
+        0x92f4209b66c8cfaeL },
+      { 0xe9d1afcc1a739d4bL,0x09aea75fa28ab8deL,0x14375fb5eac6f1d0L,
+        0x6420b560708f7aa5L } },
+    /* 2 << 210 */
+    { { 0x9eae499c6254dc41L,0x7e2939247a837e7eL,0x74aec08c090524a7L,
+        0xf82b92198d6f55f2L },
+      { 0x493c962e1402cec5L,0x9f17ca17fa2f30e7L,0xbcd783e8e9b879cbL,
+        0xea3d8c145a6f145fL } },
+    /* 3 << 210 */
+    { { 0xdede15e75e0dee6eL,0x74f24872dc628aa2L,0xd3e9c4fe7861bb93L,
+        0x56d4822a6187b2e0L },
+      { 0xb66417cfc59826f9L,0xca2609692408169eL,0xedf69d06c79ef885L,
+        0x00031f8adc7d138fL } },
+    /* 4 << 210 */
+    { { 0x103c46e60ebcf726L,0x4482b8316231470eL,0x6f6dfaca487c2109L,
+        0x2e0ace9762e666efL },
+      { 0x3246a9d31f8d1f42L,0x1b1e83f1574944d2L,0x13dfa63aa57f334bL,
+        0x0cf8daed9f025d81L } },
+    /* 5 << 210 */
+    { { 0x30d78ea800ee11c1L,0xeb053cd4b5e3dd75L,0x9b65b13ed58c43c5L,
+        0xc3ad49bdbd151663L },
+      { 0x99fd8e41b6427990L,0x12cf15bd707eae1eL,0x29ad4f1b1aabb71eL,
+        0x5143e74d07545d0eL } },
+    /* 6 << 210 */
+    { { 0x30266336c88bdee1L,0x25f293065876767cL,0x9c078571c6731996L,
+        0xc88690b2ed552951L },
+      { 0x274f2c2d852705b4L,0xb0bf8d444e09552dL,0x7628beeb986575d1L,
+        0x407be2387f864651L } },
+    /* 7 << 210 */
+    { { 0x0e5e3049a639fc6bL,0xe75c35d986003625L,0x0cf35bd85dcc1646L,
+        0x8bcaced26c26273aL },
+      { 0xe22ecf1db5536742L,0x013dd8971a9e068bL,0x17f411cb8a7909c5L,
+        0x5757ac98861dd506L } },
+    /* 8 << 210 */
+    { { 0x85de1f0d1e935abbL,0xdefd10b4154de37aL,0xb8d9e392369cebb5L,
+        0x54d5ef9b761324beL },
+      { 0x4d6341ba74f17e26L,0xc0a0e3c878c1dde4L,0xa6d7758187d918fdL,
+        0x6687601502ca3a13L } },
+    /* 9 << 210 */
+    { { 0xc7313e9cf36658f0L,0xc433ef1c71f8057eL,0x853262461b6a835aL,
+        0xc8f053987c86394cL },
+      { 0xff398cdfe983c4a1L,0xbf5e816203b7b931L,0x93193c46b7b9045bL,
+        0x1e4ebf5da4a6e46bL } },
+    /* 10 << 210 */
+    { { 0xf9942a6043a24fe7L,0x29c1191effb3492bL,0x9f662449902fde05L,
+        0xc792a7ac6713c32dL },
+      { 0x2fd88ad8b737982cL,0x7e3a0319a21e60e3L,0x09b0de447383591aL,
+        0x6df141ee8310a456L } },
+    /* 11 << 210 */
+    { { 0xaec1a039e6d6f471L,0x14b2ba0f1198d12eL,0xebc1a1603aeee5acL,
+        0x401f4836e0b964ceL },
+      { 0x2ee437964fd03f66L,0x3fdb4e49dd8f3f12L,0x6ef267f629380f18L,
+        0x3e8e96708da64d16L } },
+    /* 12 << 210 */
+    { { 0xbc19180c207674f1L,0x112e09a733ae8fdbL,0x996675546aaeb71eL,
+        0x79432af1e101b1c7L },
+      { 0xd5eb558fde2ddec6L,0x81392d1f5357753fL,0xa7a76b973ae1158aL,
+        0x416fbbff4a899991L } },
+    /* 13 << 210 */
+    { { 0x9e65fdfd0d4a9dcfL,0x7bc29e48944ddf12L,0xbc1a92d93c856866L,
+        0x273c69056e98dfe2L },
+      { 0x69fce418cdfaa6b8L,0x606bd8235061c69fL,0x42d495a06af75e27L,
+        0x8ed3d5056d873a1fL } },
+    /* 14 << 210 */
+    { { 0xaf5528416ab25b6aL,0xc6c0ffc72b1a4523L,0xab18827b21c99e03L,
+        0x060e86489034691bL },
+      { 0x5207f90f93c7f398L,0x9f4a96cb82f8d10bL,0xdd71cd793ad0f9e3L,
+        0x84f435d2fc3a54f5L } },
+    /* 15 << 210 */
+    { { 0x4b03c55b8e33787fL,0xef42f975a6384673L,0xff7304f75051b9f0L,
+        0x18aca1dc741c87c2L },
+      { 0x56f120a72d4bfe80L,0xfd823b3d053e732cL,0x11bccfe47537ca16L,
+        0xdf6c9c741b5a996bL } },
+    /* 16 << 210 */
+    { { 0xee7332c7904fc3faL,0x14a23f45c7e3636aL,0xc38659c3f091d9aaL,
+        0x4a995e5db12d8540L },
+      { 0x20a53becf3a5598aL,0x56534b17b1eaa995L,0x9ed3dca4bf04e03cL,
+        0x716c563ad8d56268L } },
+    /* 17 << 210 */
+    { { 0x27ba77a41d6178e7L,0xe4c80c4068a1ff8eL,0x750110990a13f63dL,
+        0x7bf33521a61d46f3L },
+      { 0x0aff218e10b365bbL,0x810218040fd7ea75L,0x05a3fd8aa4b3a925L,
+        0xb829e75f9b3db4e6L } },
+    /* 18 << 210 */
+    { { 0x6bdc75a54d53e5fbL,0x04a5dc02d52717e3L,0x86af502fe9a42ec2L,
+        0x8867e8fb2630e382L },
+      { 0xbf845c6ebec9889bL,0x54f491f2cb47c98dL,0xa3091fba790c2a12L,
+        0xd7f6fd78c20f708bL } },
+    /* 19 << 210 */
+    { { 0xa569ac30acde5e17L,0xd0f996d06852b4d7L,0xe51d4bb54609ae54L,
+        0x3fa37d170daed061L },
+      { 0x62a8868434b8fb41L,0x99a2acbd9efb64f1L,0xb75c1a5e6448e1f2L,
+        0xfa99951a42b5a069L } },
+    /* 20 << 210 */
+    { { 0x6d956e892f3b26e7L,0xf4709860da875247L,0x3ad151792482dda3L,
+        0xd64110e3017d82f0L },
+      { 0x14928d2cfad414e4L,0x2b155f582ed02b24L,0x481a141bcb821bf1L,
+        0x12e3c7704f81f5daL } },
+    /* 21 << 210 */
+    { { 0xe49c5de59fff8381L,0x110532325bbec894L,0xa0d051cc454d88c4L,
+        0x4f6db89c1f8e531bL },
+      { 0x34fe3fd6ca563a44L,0x7f5c221558da8ab9L,0x8445016d9474f0a1L,
+        0x17d34d61cb7d8a0aL } },
+    /* 22 << 210 */
+    { { 0x8e9d39101c474019L,0xcaff2629d52ceefbL,0xf9cf3e32c1622c2bL,
+        0xd4b95e3ce9071a05L },
+      { 0xfbbca61f1594438cL,0x1eb6e6a604aadedfL,0x853027f468e14940L,
+        0x221d322adfabda9cL } },
+    /* 23 << 210 */
+    { { 0xed8ea9f6b7cb179aL,0xdc7b764db7934dccL,0xfcb139405e09180dL,
+        0x6629a6bfb47dc2ddL },
+      { 0xbfc55e4e9f5a915eL,0xb1db9d376204441eL,0xf82d68cf930c5f53L,
+        0x17d3a142cbb605b1L } },
+    /* 24 << 210 */
+    { { 0xdd5944ea308780f2L,0xdc8de7613845f5e4L,0x6beaba7d7624d7a3L,
+        0x1e709afd304df11eL },
+      { 0x9536437602170456L,0xbf204b3ac8f94b64L,0x4e53af7c5680ca68L,
+        0x0526074ae0c67574L } },
+    /* 25 << 210 */
+    { { 0x95d8cef8ecd92af6L,0xe6b9fa7a6cd1745aL,0x3d546d3da325c3e4L,
+        0x1f57691d9ae93aaeL },
+      { 0xe891f3fe9d2e1a33L,0xd430093fac063d35L,0xeda59b125513a327L,
+        0xdc2134f35536f18fL } },
+    /* 26 << 210 */
+    { { 0xaa51fe2c5c210286L,0x3f68aaee1cab658cL,0x5a23a00bf9357292L,
+        0x9a626f397efdabedL },
+      { 0xfe2b3bf3199d78e3L,0xb7a2af7771bbc345L,0x3d19827a1e59802cL,
+        0x823bbc15b487a51cL } },
+    /* 27 << 210 */
+    { { 0x856139f299d0a422L,0x9ac3df65f456c6fbL,0xaddf65c6701f8bd6L,
+        0x149f321e3758df87L },
+      { 0xb1ecf714721b7ebaL,0xe17df09831a3312aL,0xdb2fd6ecd5c4d581L,
+        0xfd02996f8fcea1b3L } },
+    /* 28 << 210 */
+    { { 0xe29fa63e7882f14fL,0xc9f6dc3507c6cadcL,0x46f22d6fb882bed0L,
+        0x1a45755bd118e52cL },
+      { 0x9f2c7c277c4608cfL,0x7ccbdf32568012c2L,0xfcb0aedd61729b0eL,
+        0x7ca2ca9ef7d75dbfL } },
+    /* 29 << 210 */
+    { { 0xf58fecb16f640f62L,0xe274b92b39f51946L,0x7f4dfc046288af44L,
+        0x0a91f32aeac329e5L },
+      { 0x43ad274bd6aaba31L,0x719a16400f6884f9L,0x685d29f6daf91e20L,
+        0x5ec1cc3327e49d52L } },
+    /* 30 << 210 */
+    { { 0x38f4de963b54a059L,0x0e0015e5efbcfdb3L,0x177d23d94dbb8da6L,
+        0x98724aa297a617adL },
+      { 0x30f0885bfdb6558eL,0xf9f7a28ac7899a96L,0xd2ae8ac8872dc112L,
+        0xfa0642ca73c3c459L } },
+    /* 31 << 210 */
+    { { 0x15296981e7dfc8d6L,0x67cd44501fb5b94aL,0x0ec71cf10eddfd37L,
+        0xc7e5eeb39a8eddc7L },
+      { 0x02ac8e3d81d95028L,0x0088f17270b0e35dL,0xec041fabe1881fe3L,
+        0x62cf71b8d99e7faaL } },
+    /* 32 << 210 */
+    { { 0x5043dea7e0f222c2L,0x309d42ac72e65142L,0x94fe9ddd9216cd30L,
+        0xd6539c7d0f87feecL },
+      { 0x03c5a57c432ac7d7L,0x72692cf0327fda10L,0xec28c85f280698deL,
+        0x2331fb467ec283b1L } },
+    /* 33 << 210 */
+    { { 0xd34bfa322867e633L,0x78709a820a9cc815L,0xb7fe6964875e2fa5L,
+        0x25cc064f9e98bfb5L },
+      { 0x9eb0151c493a65c5L,0x5fb5d94153182464L,0x69e6f130f04618e2L,
+        0xa8ecec22f89c8ab6L } },
+    /* 34 << 210 */
+    { { 0xcd6ac88bb96209bdL,0x65fa8cdbb3e1c9e0L,0xa47d22f54a8d8eacL,
+        0x83895cdf8d33f963L },
+      { 0xa8adca59b56cd3d1L,0x10c8350bdaf38232L,0x2b161fb3a5080a9fL,
+        0xbe7f5c643af65b3aL } },
+    /* 35 << 210 */
+    { { 0x2c75403997403a11L,0x94626cf7121b96afL,0x431de7c46a983ec2L,
+        0x3780dd3a52cc3df7L },
+      { 0xe28a0e462baf8e3bL,0xabe68aad51d299aeL,0x603eb8f9647a2408L,
+        0x14c61ed65c750981L } },
+    /* 36 << 210 */
+    { { 0x88b34414c53352e7L,0x5a34889c1337d46eL,0x612c1560f95f2bc8L,
+        0x8a3f8441d4807a3aL },
+      { 0x680d9e975224da68L,0x60cd6e88c3eb00e9L,0x3875a98e9a6bc375L,
+        0xdc80f9244fd554c2L } },
+    /* 37 << 210 */
+    { { 0x6c4b34156ac77407L,0xa1e5ea8f25420681L,0x541bfa144607a458L,
+        0x5dbc7e7a96d7fbf9L },
+      { 0x646a851b31590a47L,0x039e85ba15ee6df8L,0xd19fa231d7b43fc0L,
+        0x84bc8be8299a0e04L } },
+    /* 38 << 210 */
+    { { 0x2b9d2936f20df03aL,0x240543828608d472L,0x76b6ba049149202aL,
+        0xb21c38313670e7b7L },
+      { 0xddd93059d6fdee10L,0x9da47ad378488e71L,0x99cc1dfda0fcfb25L,
+        0x42abde1064696954L } },
+    /* 39 << 210 */
+    { { 0x14cc15fc17eab9feL,0xd6e863e4d3e70972L,0x29a7765c6432112cL,
+        0x886600015b0774d8L },
+      { 0x3729175a2c088eaeL,0x13afbcae8230b8d4L,0x44768151915f4379L,
+        0xf086431ad8d22812L } },
+    /* 40 << 210 */
+    { { 0x37461955c298b974L,0x905fb5f0f8711e04L,0x787abf3afe969d18L,
+        0x392167c26f6a494eL },
+      { 0xfc7a0d2d28c511daL,0xf127c7dcb66a262dL,0xf9c4bb95fd63fdf0L,
+        0x900165893913ef46L } },
+    /* 41 << 210 */
+    { { 0x74d2a73c11aa600dL,0x2f5379bd9fb5ab52L,0xe49e53a47fb70068L,
+        0x68dd39e5404aa9a7L },
+      { 0xb9b0cf572ecaa9c3L,0xba0e103be824826bL,0x60c2198b4631a3c4L,
+        0xc5ff84abfa8966a2L } },
+    /* 42 << 210 */
+    { { 0x2d6ebe22ac95aff8L,0x1c9bb6dbb5a46d09L,0x419062da53ee4f8dL,
+        0x7b9042d0bb97efefL },
+      { 0x0f87f080830cf6bdL,0x4861d19a6ec8a6c6L,0xd3a0daa1202f01aaL,
+        0xb0111674f25afbd5L } },
+    /* 43 << 210 */
+    { { 0x6d00d6cf1afb20d9L,0x1369500040671bc5L,0x913ab0dc2485ea9bL,
+        0x1f2bed069eef61acL },
+      { 0x850c82176d799e20L,0x93415f373271c2deL,0x5afb06e96c4f5910L,
+        0x688a52dfc4e9e421L } },
+    /* 44 << 210 */
+    { { 0x30495ba3e2a9a6dbL,0x4601303d58f9268bL,0xbe3b0dad7eb0f04fL,
+        0x4ea472504456936dL },
+      { 0x8caf8798d33fd3e7L,0x1ccd8a89eb433708L,0x9effe3e887fd50adL,
+        0xbe240a566b29c4dfL } },
+    /* 45 << 210 */
+    { { 0xec4ffd98ca0e7ebdL,0xf586783ae748616eL,0xa5b00d8fc77baa99L,
+        0x0acada29b4f34c9cL },
+      { 0x36dad67d0fe723acL,0x1d8e53a539c36c1eL,0xe4dd342d1f4bea41L,
+        0x64fd5e35ebc9e4e0L } },
+    /* 46 << 210 */
+    { { 0x96f01f9057908805L,0xb5b9ea3d5ed480ddL,0x366c5dc23efd2dd0L,
+        0xed2fe3056e9dfa27L },
+      { 0x4575e8926e9197e2L,0x11719c09ab502a5dL,0x264c7bece81f213fL,
+        0x741b924155f5c457L } },
+    /* 47 << 210 */
+    { { 0x78ac7b6849a5f4f4L,0xf91d70a29fc45b7dL,0x39b05544b0f5f355L,
+        0x11f06bceeef930d9L },
+      { 0xdb84d25d038d05e1L,0x04838ee5bacc1d51L,0x9da3ce869e8ee00bL,
+        0xc3412057c36eda1fL } },
+    /* 48 << 210 */
+    { { 0xae80b91364d9c2f4L,0x7468bac3a010a8ffL,0xdfd2003737359d41L,
+        0x1a0f5ab815efeaccL },
+      { 0x7c25ad2f659d0ce0L,0x4011bcbb6785cff1L,0x128b99127e2192c7L,
+        0xa549d8e113ccb0e8L } },
+    /* 49 << 210 */
+    { { 0x805588d8c85438b1L,0x5680332dbc25cb27L,0xdcd1bc961a4bfdf4L,
+        0x779ff428706f6566L },
+      { 0x8bbee998f059987aL,0xf6ce8cf2cc686de7L,0xf8ad3c4a953cfdb2L,
+        0xd1d426d92205da36L } },
+    /* 50 << 210 */
+    { { 0xb3c0f13fc781a241L,0x3e89360ed75362a8L,0xccd05863c8a91184L,
+        0x9bd0c9b7efa8a7f4L },
+      { 0x97ee4d538a912a4bL,0xde5e15f8bcf518fdL,0x6a055bf8c467e1e0L,
+        0x10be4b4b1587e256L } },
+    /* 51 << 210 */
+    { { 0xd90c14f2668621c9L,0xd5518f51ab9c92c1L,0x8e6a0100d6d47b3cL,
+        0xcbe980dd66716175L },
+      { 0x500d3f10ddd83683L,0x3b6cb35d99cac73cL,0x53730c8b6083d550L,
+        0xcf159767df0a1987L } },
+    /* 52 << 210 */
+    { { 0x84bfcf5343ad73b3L,0x1b528c204f035a94L,0x4294edf733eeac69L,
+        0xb6283e83817f3240L },
+      { 0xc3fdc9590a5f25b1L,0xefaf8aa55844ee22L,0xde269ba5dbdde4deL,
+        0xe3347160c56133bfL } },
+    /* 53 << 210 */
+    { { 0xc11842198d9ea9f8L,0x090de5dbf3fc1ab5L,0x404c37b10bf22cdaL,
+        0x7de20ec8f5618894L },
+      { 0x754c588eecdaecabL,0x6ca4b0ed88342743L,0x76f08bddf4a938ecL,
+        0xd182de8991493ccbL } },
+    /* 54 << 210 */
+    { { 0xd652c53ec8a4186aL,0xb3e878db946d8e33L,0x088453c05f37663cL,
+        0x5cd9daaab407748bL },
+      { 0xa1f5197f586d5e72L,0x47500be8c443ca59L,0x78ef35b2e2652424L,
+        0x09c5d26f6dd7767dL } },
+    /* 55 << 210 */
+    { { 0x7175a79aa74d3f7bL,0x0428fd8dcf5ea459L,0x511cb97ca5d1746dL,
+        0x36363939e71d1278L },
+      { 0xcf2df95510350bf4L,0xb381743960aae782L,0xa748c0e43e688809L,
+        0x98021fbfd7a5a006L } },
+    /* 56 << 210 */
+    { { 0x9076a70c0e367a98L,0xbea1bc150f62b7c2L,0x2645a68c30fe0343L,
+        0xacaffa78699dc14fL },
+      { 0xf4469964457bf9c4L,0x0db6407b0d2ead83L,0x68d56cadb2c6f3ebL,
+        0x3b512e73f376356cL } },
+    /* 57 << 210 */
+    { { 0xe43b0e1ffce10408L,0x89ddc0035a5e257dL,0xb0ae0d120362e5b3L,
+        0x07f983c7b0519161L },
+      { 0xc2e94d155d5231e7L,0xcff22aed0b4f9513L,0xb02588dd6ad0b0b5L,
+        0xb967d1ac11d0dcd5L } },
+    /* 58 << 210 */
+    { { 0x8dac6bc6cf777b6cL,0x0062bdbd4c6d1959L,0x53da71b50ef5cc85L,
+        0x07012c7d4006f14fL },
+      { 0x4617f962ac47800dL,0x53365f2bc102ed75L,0xb422efcb4ab8c9d3L,
+        0x195cb26b34af31c9L } },
+    /* 59 << 210 */
+    { { 0x3a926e2905f2c4ceL,0xbd2bdecb9856966cL,0x5d16ab3a85527015L,
+        0x9f81609e4486c231L },
+      { 0xd8b96b2cda350002L,0xbd054690fa1b7d36L,0xdc90ebf5e71d79bcL,
+        0xf241b6f908964e4eL } },
+    /* 60 << 210 */
+    { { 0x7c8386432fe3cd4cL,0xe0f33acbb4bc633cL,0xb4a9ecec3d139f1fL,
+        0x05ce69cddc4a1f49L },
+      { 0xa19d1b16f5f98aafL,0x45bb71d66f23e0efL,0x33789fcd46cdfdd3L,
+        0x9b8e2978cee040caL } },
+    /* 61 << 210 */
+    { { 0x9c69b246ae0a6828L,0xba533d247078d5aaL,0x7a2e42c07bb4fbdbL,
+        0xcfb4879a7035385cL },
+      { 0x8c3dd30b3281705bL,0x7e361c6c404fe081L,0x7b21649c3f604edfL,
+        0x5dbf6a3fe52ffe47L } },
+    /* 62 << 210 */
+    { { 0xc41b7c234b54d9bfL,0x1374e6813511c3d9L,0x1863bf16c1b2b758L,
+        0x90e785071e9e6a96L },
+      { 0xab4bf98d5d86f174L,0xd74e0bd385e96fe4L,0x8afde39fcac5d344L,
+        0x90946dbcbd91b847L } },
+    /* 63 << 210 */
+    { { 0xf5b42358fe1a838cL,0x05aae6c5620ac9d8L,0x8e193bd8a1ce5a0bL,
+        0x8f7105714dabfd72L },
+      { 0x8d8fdd48182caaacL,0x8c4aeefa040745cfL,0x73c6c30af3b93e6dL,
+        0x991241f316f42011L } },
+    /* 64 << 210 */
+    { { 0xa0158eeae457a477L,0xd19857dbee6ddc05L,0xb326522418c41671L,
+        0x3ffdfc7e3c2c0d58L },
+      { 0x3a3a525426ee7cdaL,0x341b0869df02c3a8L,0xa023bf42723bbfc8L,
+        0x3d15002a14452691L } },
+    /* 0 << 217 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 217 */
+    { { 0x5ef7324c85edfa30L,0x2597655487d4f3daL,0x352f5bc0dcb50c86L,
+        0x8f6927b04832a96cL },
+      { 0xd08ee1ba55f2f94cL,0x6a996f99344b45faL,0xe133cb8da8aa455dL,
+        0x5d0721ec758dc1f7L } },
+    /* 2 << 217 */
+    { { 0x6ba7a92079e5fb67L,0xe1331feb70aa725eL,0x5080ccf57df5d837L,
+        0xe4cae01d7ff72e21L },
+      { 0xd9243ee60412a77dL,0x06ff7cacdf449025L,0xbe75f7cd23ef5a31L,
+        0xbc9578220ddef7a8L } },
+    /* 3 << 217 */
+    { { 0x8cf7230cb0ce1c55L,0x5b534d050bbfb607L,0xee1ef1130e16363bL,
+        0x27e0aa7ab4999e82L },
+      { 0xce1dac2d79362c41L,0x67920c9091bb6cb0L,0x1e648d632223df24L,
+        0x0f7d9eefe32e8f28L } },
+    /* 4 << 217 */
+    { { 0x6943f39afa833834L,0x22951722a6328562L,0x81d63dd54170fc10L,
+        0x9f5fa58faecc2e6dL },
+      { 0xb66c8725e77d9a3bL,0x11235cea6384ebe0L,0x06a8c1185845e24aL,
+        0x0137b286ebd093b1L } },
+    /* 5 << 217 */
+    { { 0xc589e1ce44ace150L,0xe0f8d3d94381e97cL,0x59e99b1162c5a4b8L,
+        0x90d262f7fd0ec9f9L },
+      { 0xfbc854c9283e13c9L,0x2d04fde7aedc7085L,0x057d776547dcbecbL,
+        0x8dbdf5919a76fa5fL } },
+    /* 6 << 217 */
+    { { 0xd01506950de1e578L,0x2e1463e7e9f72bc6L,0xffa684411b39eca5L,
+        0x673c85307c037f2fL },
+      { 0xd0d6a600747f91daL,0xb08d43e1c9cb78e9L,0x0fc0c64427b5cef5L,
+        0x5c1d160aa60a2fd6L } },
+    /* 7 << 217 */
+    { { 0xf98cae5328c8e13bL,0x375f10c4b2eddcd1L,0xd4eb8b7f5cce06adL,
+        0xb4669f4580a2e1efL },
+      { 0xd593f9d05bbd8699L,0x5528a4c9e7976d13L,0x3923e0951c7e28d3L,
+        0xb92937903f6bb577L } },
+    /* 8 << 217 */
+    { { 0xdb567d6ac42bd6d2L,0x6df86468bb1f96aeL,0x0efe5b1a4843b28eL,
+        0x961bbb056379b240L },
+      { 0xb6caf5f070a6a26bL,0x70686c0d328e6e39L,0x80da06cf895fc8d3L,
+        0x804d8810b363fdc9L } },
+    /* 9 << 217 */
+    { { 0xbe22877b207f1670L,0x9b0dd1884e615291L,0x625ae8dc97a3c2bfL,
+        0x08584ef7439b86e8L },
+      { 0xde7190a5dcd898ffL,0x26286c402058ee3dL,0x3db0b2175f87b1c1L,
+        0xcc334771102a6db5L } },
+    /* 10 << 217 */
+    { { 0xd99de9542f770fb1L,0x97c1c6204cd7535eL,0xd3b6c4483f09cefcL,
+        0xd725af155a63b4f8L },
+      { 0x0c95d24fc01e20ecL,0xdfd374949ae7121fL,0x7d6ddb72ec77b7ecL,
+        0xfe079d3b0353a4aeL } },
+    /* 11 << 217 */
+    { { 0x3066e70a2e6ac8d2L,0x9c6b5a43106e5c05L,0x52d3c6f5ede59b8cL,
+        0x30d6a5c3fccec9aeL },
+      { 0xedec7c224fc0a9efL,0x190ff08395c16cedL,0xbe12ec8f94de0fdeL,
+        0x0d131ab8852d3433L } },
+    /* 12 << 217 */
+    { { 0x42ace07e85701291L,0x94793ed9194061a8L,0x30e83ed6d7f4a485L,
+        0x9eec7269f9eeff4dL },
+      { 0x90acba590c9d8005L,0x5feca4581e79b9d1L,0x8fbe54271d506a1eL,
+        0xa32b2c8e2439cfa7L } },
+    /* 13 << 217 */
+    { { 0x1671c17373dd0b4eL,0x37a2821444a054c6L,0x81760a1b4e8b53f1L,
+        0xa6c04224f9f93b9eL },
+      { 0x18784b34cf671e3cL,0x81bbecd2cda9b994L,0x38831979b2ab3848L,
+        0xef54feb7f2e03c2dL } },
+    /* 14 << 217 */
+    { { 0xcf197ca7fb8088faL,0x014272474ddc96c5L,0xa2d2550a30777176L,
+        0x534698984d0cf71dL },
+      { 0x6ce937b83a2aaac6L,0xe9f91dc35af38d9bL,0x2598ad83c8bf2899L,
+        0x8e706ac9b5536c16L } },
+    /* 15 << 217 */
+    { { 0x40dc7495f688dc98L,0x26490cd7124c4afcL,0xe651ec841f18775cL,
+        0x393ea6c3b4fdaf4aL },
+      { 0x1e1f33437f338e0dL,0x39fb832b6053e7b5L,0x46e702da619e14d5L,
+        0x859cacd1cdeef6e0L } },
+    /* 16 << 217 */
+    { { 0x63b99ce74462007dL,0xb8ab48a54cb5f5b7L,0x9ec673d2f55edde7L,
+        0xd1567f748cfaefdaL },
+      { 0x46381b6b0887bcecL,0x694497cee178f3c2L,0x5e6525e31e6266cbL,
+        0x5931de26697d6413L } },
+    /* 17 << 217 */
+    { { 0x87f8df7c0e58d493L,0xb1ae5ed058b73f12L,0xc368f784dea0c34dL,
+        0x9bd0a120859a91a0L },
+      { 0xb00d88b7cc863c68L,0x3a1cc11e3d1f4d65L,0xea38e0e70aa85593L,
+        0x37f13e987dc4aee8L } },
+    /* 18 << 217 */
+    { { 0x10d38667bc947badL,0x738e07ce2a36ee2eL,0xc93470cdc577fcacL,
+        0xdee1b6162782470dL },
+      { 0x36a25e672e793d12L,0xd6aa6caee0f186daL,0x474d0fd980e07af7L,
+        0xf7cdc47dba8a5cd4L } },
+    /* 19 << 217 */
+    { { 0x28af6d9dab15247fL,0x7c789c10493a537fL,0x7ac9b11023a334e7L,
+        0x0236ac0912c9c277L },
+      { 0xa7e5bd251d7a5144L,0x098b9c2af13ec4ecL,0x3639dacad3f0abcaL,
+        0x642da81aa23960f9L } },
+    /* 20 << 217 */
+    { { 0x7d2e5c054f7269b1L,0xfcf30777e287c385L,0x10edc84ff2a46f21L,
+        0x354417574f43fa36L },
+      { 0xf1327899fd703431L,0xa438d7a616dd587aL,0x65c34c57e9c8352dL,
+        0xa728edab5cc5a24eL } },
+    /* 21 << 217 */
+    { { 0xaed78abc42531689L,0x0a51a0e8010963efL,0x5776fa0ad717d9b3L,
+        0xf356c2397dd3428bL },
+      { 0x29903fff8d3a3dacL,0x409597fa3d94491fL,0x4cd7a5ffbf4a56a4L,
+        0xe50964748adab462L } },
+    /* 22 << 217 */
+    { { 0xa97b51265c3427b0L,0x6401405cd282c9bdL,0x3629f8d7222c5c45L,
+        0xb1c02c16e8d50aedL },
+      { 0xbea2ed75d9635bc9L,0x226790c76e24552fL,0x3c33f2a365f1d066L,
+        0x2a43463e6dfccc2eL } },
+    /* 23 << 217 */
+    { { 0x8cc3453adb483761L,0xe7cc608565d5672bL,0x277ed6cbde3efc87L,
+        0x19f2f36869234eafL },
+      { 0x9aaf43175c0b800bL,0x1f1e7c898b6da6e2L,0x6cfb4715b94ec75eL,
+        0xd590dd5f453118c2L } },
+    /* 24 << 217 */
+    { { 0x14e49da11f17a34cL,0x5420ab39235a1456L,0xb76372412f50363bL,
+        0x7b15d623c3fabb6eL },
+      { 0xa0ef40b1e274e49cL,0x5cf5074496b1860aL,0xd6583fbf66afe5a4L,
+        0x44240510f47e3e9aL } },
+    /* 25 << 217 */
+    { { 0x9925434311b2d595L,0xf1367499eec8df57L,0x3cb12c613e73dd05L,
+        0xd248c0337dac102aL },
+      { 0xcf154f13a77739f5L,0xbf4288cb23d2af42L,0xaa64c9b632e4a1cfL,
+        0xee8c07a8c8a208f3L } },
+    /* 26 << 217 */
+    { { 0xe10d49996fe8393fL,0x0f809a3fe91f3a32L,0x61096d1c802f63c8L,
+        0x289e146257750d3dL },
+      { 0xed06167e9889feeaL,0xd5c9c0e2e0993909L,0x46fca0d856508ac6L,
+        0x918260474f1b8e83L } },
+    /* 27 << 217 */
+    { { 0x4f2c877a9a4a2751L,0x71bd0072cae6feadL,0x38df8dcc06aa1941L,
+        0x5a074b4c63beeaa8L },
+      { 0xd6d65934c1cec8edL,0xa6ecb49eaabc03bdL,0xaade91c2de8a8415L,
+        0xcfb0efdf691136e0L } },
+    /* 28 << 217 */
+    { { 0x11af45ee23ab3495L,0xa132df880b77463dL,0x8923c15c815d06f4L,
+        0xc3ceb3f50d61a436L },
+      { 0xaf52291de88fb1daL,0xea0579741da12179L,0xb0d7218cd2fef720L,
+        0x6c0899c98e1d8845L } },
+    /* 29 << 217 */
+    { { 0x98157504752ddad7L,0xd60bd74fa1a68a97L,0x7047a3a9f658fb99L,
+        0x1f5d86d65f8511e4L },
+      { 0xb8a4bc424b5a6d88L,0x69eb2c331abefa7dL,0x95bf39e813c9c510L,
+        0xf571960ad48aab43L } },
+    /* 30 << 217 */
+    { { 0x7e8cfbcf704e23c6L,0xc71b7d2228aaa65bL,0xa041b2bd245e3c83L,
+        0x69b98834d21854ffL },
+      { 0x89d227a3963bfeecL,0x99947aaade7da7cbL,0x1d9ee9dbee68a9b1L,
+        0x0a08f003698ec368L } },
+    /* 31 << 217 */
+    { { 0xe9ea409478ef2487L,0xc8d2d41502cfec26L,0xc52f9a6eb7dcf328L,
+        0x0ed489e385b6a937L },
+      { 0x9b94986bbef3366eL,0x0de59c70edddddb8L,0xffdb748ceadddbe2L,
+        0x9b9784bb8266ea40L } },
+    /* 32 << 217 */
+    { { 0x142b55021a93507aL,0xb4cd11878d3c06cfL,0xdf70e76a91ec3f40L,
+        0x484e81ad4e7553c2L },
+      { 0x830f87b5272e9d6eL,0xea1c93e5c6ff514aL,0x67cc2adcc4192a8eL,
+        0xc77e27e242f4535aL } },
+    /* 33 << 217 */
+    { { 0x9cdbab36d2b713c5L,0x86274ea0cf7b0cd3L,0x784680f309af826bL,
+        0xbfcc837a0c72dea3L },
+      { 0xa8bdfe9dd6529b73L,0x708aa22863a88002L,0x6c7a9a54c91d45b9L,
+        0xdf1a38bbfd004f56L } },
+    /* 34 << 217 */
+    { { 0x2e8c9a26b8bad853L,0x2d52cea33723eae7L,0x054d6d8156ca2830L,
+        0xa3317d149a8dc411L },
+      { 0xa08662fefd4ddedaL,0xed2a153ab55d792bL,0x7035c16abfc6e944L,
+        0xb6bc583400171cf3L } },
+    /* 35 << 217 */
+    { { 0xe27152b383d102b6L,0xfe695a470646b848L,0xa5bb09d8916e6d37L,
+        0xb4269d640d17015eL },
+      { 0x8d8156a10a1d2285L,0xfeef6c5146d26d72L,0x9dac57c84c5434a7L,
+        0x0282e5be59d39e31L } },
+    /* 36 << 217 */
+    { { 0xedfff181721c486dL,0x301baf10bc58824eL,0x8136a6aa00570031L,
+        0x55aaf78c1cddde68L },
+      { 0x2682937159c63952L,0x3a3bd2748bc25bafL,0xecdf8657b7e52dc3L,
+        0x2dd8c087fd78e6c8L } },
+    /* 37 << 217 */
+    { { 0x20553274f5531461L,0x8b4a12815d95499bL,0xe2c8763a1a80f9d2L,
+        0xd1dbe32b4ddec758L },
+      { 0xaf12210d30c34169L,0xba74a95378baa533L,0x3d133c6ea438f254L,
+        0xa431531a201bef5bL } },
+    /* 38 << 217 */
+    { { 0x15295e22f669d7ecL,0xca374f64357fb515L,0x8a8406ffeaa3fdb3L,
+        0x106ae448df3f2da8L },
+      { 0x8f9b0a9033c8e9a1L,0x234645e271ad5885L,0x3d0832241c0aed14L,
+        0xf10a7d3e7a942d46L } },
+    /* 39 << 217 */
+    { { 0x7c11deee40d5c9beL,0xb2bae7ffba84ed98L,0x93e97139aad58dddL,
+        0x3d8727963f6d1fa3L },
+      { 0x483aca818569ff13L,0x8b89a5fb9a600f72L,0x4cbc27c3c06f2b86L,
+        0x2213071363ad9c0bL } },
+    /* 40 << 217 */
+    { { 0xb5358b1e48ac2840L,0x18311294ecba9477L,0xda58f990a6946b43L,
+        0x3098baf99ab41819L },
+      { 0x66c4c1584198da52L,0xab4fc17c146bfd1bL,0x2f0a4c3cbf36a908L,
+        0x2ae9e34b58cf7838L } },
+    /* 41 << 217 */
+    { { 0xf411529e3fa11b1fL,0x21e43677974af2b4L,0x7c20958ec230793bL,
+        0x710ea88516e840f3L },
+      { 0xfc0b21fcc5dc67cfL,0x08d5164788405718L,0xd955c21fcfe49eb7L,
+        0x9722a5d556dd4a1fL } },
+    /* 42 << 217 */
+    { { 0xc9ef50e2c861baa5L,0xc0c21a5d9505ac3eL,0xaf6b9a338b7c063fL,
+        0xc63703392f4779c1L },
+      { 0x22df99c7638167c3L,0xfe6ffe76795db30cL,0x2b822d33a4854989L,
+        0xfef031dd30563aa5L } },
+    /* 43 << 217 */
+    { { 0x16b09f82d57c667fL,0xc70312cecc0b76f1L,0xbf04a9e6c9118aecL,
+        0x82fcb4193409d133L },
+      { 0x1a8ab385ab45d44dL,0xfba07222617b83a3L,0xb05f50dd58e81b52L,
+        0x1d8db55321ce5affL } },
+    /* 44 << 217 */
+    { { 0x3097b8d4e344a873L,0x7d8d116dfe36d53eL,0x6db22f587875e750L,
+        0x2dc5e37343e144eaL },
+      { 0xc05f32e6e799eb95L,0xe9e5f4df6899e6ecL,0xbdc3bd681fab23d5L,
+        0xb72b8ab773af60e6L } },
+    /* 45 << 217 */
+    { { 0x8db27ae02cecc84aL,0x600016d87bdb871cL,0x42a44b13d7c46f58L,
+        0xb8919727c3a77d39L },
+      { 0xcfc6bbbddafd6088L,0x1a7401466bd20d39L,0x8c747abd98c41072L,
+        0x4c91e765bdf68ea1L } },
+    /* 46 << 217 */
+    { { 0x7c95e5ca08819a78L,0xcf48b729c9587921L,0x091c7c5fdebbcc7dL,
+        0x6f287404f0e05149L },
+      { 0xf83b5ac226cd44ecL,0x88ae32a6cfea250eL,0x6ac5047a1d06ebc5L,
+        0xc7e550b4d434f781L } },
+    /* 47 << 217 */
+    { { 0x61ab1cf25c727bd2L,0x2e4badb11cf915b0L,0x1b4dadecf69d3920L,
+        0xe61b1ca6f14c1dfeL },
+      { 0x90b479ccbd6bd51fL,0x8024e4018045ec30L,0xcab29ca325ef0e62L,
+        0x4f2e941649e4ebc0L } },
+    /* 48 << 217 */
+    { { 0x45eb40ec0ccced58L,0x25cd4b9c0da44f98L,0x43e06458871812c6L,
+        0x99f80d5516cef651L },
+      { 0x571340c9ce6dc153L,0x138d5117d8665521L,0xacdb45bc4e07014dL,
+        0x2f34bb3884b60b91L } },
+    /* 49 << 217 */
+    { { 0xf44a4fd22ae8921eL,0xb039288e892ba1e2L,0x9da50174b1c180b2L,
+        0x6b70ab661693dc87L },
+      { 0x7e9babc9e7057481L,0x4581ddef9c80dc41L,0x0c890da951294682L,
+        0x0b5629d33f4736e5L } },
+    /* 50 << 217 */
+    { { 0x2340c79eb06f5b41L,0xa42e84ce4e243469L,0xf9a20135045a71a9L,
+        0xefbfb415d27b6fb6L },
+      { 0x25ebea239d33cd6fL,0x9caedb88aa6c0af8L,0x53dc7e9ad9ce6f96L,
+        0x3897f9fd51e0b15aL } },
+    /* 51 << 217 */
+    { { 0xf51cb1f88e5d788eL,0x1aec7ba8e1d490eeL,0x265991e0cc58cb3cL,
+        0x9f306e8c9fc3ad31L },
+      { 0x5fed006e5040a0acL,0xca9d5043fb476f2eL,0xa19c06e8beea7a23L,
+        0xd28658010edabb63L } },
+    /* 52 << 217 */
+    { { 0xdb92293f6967469aL,0x2894d8398d8a8ed8L,0x87c9e406bbc77122L,
+        0x8671c6f12ea3a26aL },
+      { 0xe42df8d6d7de9853L,0x2e3ce346b1f2bcc7L,0xda601dfc899d50cfL,
+        0xbfc913defb1b598fL } },
+    /* 53 << 217 */
+    { { 0x81c4909fe61f7908L,0x192e304f9bbc7b29L,0xc3ed8738c104b338L,
+        0xedbe9e47783f5d61L },
+      { 0x0c06e9be2db30660L,0xda3e613fc0eb7d8eL,0xd8fa3e97322e096eL,
+        0xfebd91e8d336e247L } },
+    /* 54 << 217 */
+    { { 0x8f13ccc4df655a49L,0xa9e00dfc5eb20210L,0x84631d0fc656b6eaL,
+        0x93a058cdd8c0d947L },
+      { 0x6846904a67bd3448L,0x4a3d4e1af394fd5cL,0xc102c1a5db225f52L,
+        0xe3455bbafc4f5e9aL } },
+    /* 55 << 217 */
+    { { 0x6b36985b4b9ad1ceL,0xa98185365bb7f793L,0x6c25e1d048b1a416L,
+        0x1381dd533c81bee7L },
+      { 0xd2a30d617a4a7620L,0xc841292639b8944cL,0x3c1c6fbe7a97c33aL,
+        0x941e541d938664e7L } },
+    /* 56 << 217 */
+    { { 0x417499e84a34f239L,0x15fdb83cb90402d5L,0xb75f46bf433aa832L,
+        0xb61e15af63215db1L },
+      { 0xaabe59d4a127f89aL,0x5d541e0c07e816daL,0xaaba0659a618b692L,
+        0x5532773317266026L } },
+    /* 57 << 217 */
+    { { 0xaf53a0fc95f57552L,0x329476506cacb0c9L,0x253ff58dc821be01L,
+        0xb0309531a06f1146L },
+      { 0x59bbbdf505c2e54dL,0x158f27ad26e8dd22L,0xcc5b7ffb397e1e53L,
+        0xae03f65b7fc1e50dL } },
+    /* 58 << 217 */
+    { { 0xa9784ebd9c95f0f9L,0x5ed9deb224640771L,0x31244af7035561c4L,
+        0x87332f3a7ee857deL },
+      { 0x09e16e9e2b9e0d88L,0x52d910f456a06049L,0x507ed477a9592f48L,
+        0x85cb917b2365d678L } },
+    /* 59 << 217 */
+    { { 0xf8511c934c8998d1L,0x2186a3f1730ea58fL,0x50189626b2029db0L,
+        0x9137a6d902ceb75aL },
+      { 0x2fe17f37748bc82cL,0x87c2e93180469f8cL,0x850f71cdbf891aa2L,
+        0x0ca1b89b75ec3d8dL } },
+    /* 60 << 217 */
+    { { 0x516c43aa5e1cd3cdL,0x893978089a887c28L,0x0059c699ddea1f9fL,
+        0x7737d6fa8e6868f7L },
+      { 0x6d93746a60f1524bL,0x36985e55ba052aa7L,0x41b1d322ed923ea5L,
+        0x3429759f25852a11L } },
+    /* 61 << 217 */
+    { { 0xbeca6ec3092e9f41L,0x3a238c6662256bbdL,0xd82958ea70ad487dL,
+        0x4ac8aaf965610d93L },
+      { 0x3fa101b15e4ccab0L,0x9bf430f29de14bfbL,0xa10f5cc66531899dL,
+        0x590005fbea8ce17dL } },
+    /* 62 << 217 */
+    { { 0xc437912f24544cb6L,0x9987b71ad79ac2e3L,0x13e3d9ddc058a212L,
+        0x00075aacd2de9606L },
+      { 0x80ab508b6cac8369L,0x87842be7f54f6c89L,0xa7ad663d6bc532a4L,
+        0x67813de778a91bc8L } },
+    /* 63 << 217 */
+    { { 0x5dcb61cec3427239L,0x5f3c7cf0c56934d9L,0xc079e0fbe3191591L,
+        0xe40896bdb01aada7L },
+      { 0x8d4667910492d25fL,0x8aeb30c9e7408276L,0xe94374959287aaccL,
+        0x23d4708d79fe03d4L } },
+    /* 64 << 217 */
+    { { 0x8cda9cf2d0c05199L,0x502fbc22fae78454L,0xc0bda9dff572a182L,
+        0x5f9b71b86158b372L },
+      { 0xe0f33a592b82dd07L,0x763027359523032eL,0x7fe1a721c4505a32L,
+        0x7b6e3e82f796409fL } },
+    /* 0 << 224 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 224 */
+    { { 0xe3417bc035d0b34aL,0x440b386b8327c0a7L,0x8fb7262dac0362d1L,
+        0x2c41114ce0cdf943L },
+      { 0x2ba5cef1ad95a0b1L,0xc09b37a867d54362L,0x26d6cdd201e486c9L,
+        0x20477abf42ff9297L } },
+    /* 2 << 224 */
+    { { 0xa004dcb3292a9287L,0xddc15cf677b092c7L,0x083a8464806c0605L,
+        0x4a68df703db997b0L },
+      { 0x9c134e4505bf7dd0L,0xa4e63d398ccf7f8cL,0xa6e6517f41b5f8afL,
+        0xaa8b9342ad7bc1ccL } },
+    /* 3 << 224 */
+    { { 0x126f35b51e706ad9L,0xb99cebb4c3a9ebdfL,0xa75389afbf608d90L,
+        0x76113c4fc6c89858L },
+      { 0x80de8eb097e2b5aaL,0x7e1022cc63b91304L,0x3bdab6056ccc066cL,
+        0x33cbb144b2edf900L } },
+    /* 4 << 224 */
+    { { 0xc41764717af715d2L,0xe2f7f594d0134a96L,0x2c1873efa41ec956L,
+        0xe4e7b4f677821304L },
+      { 0xe5c8ff9788d5374aL,0x2b915e6380823d5bL,0xea6bc755b2ee8fe2L,
+        0x6657624ce7112651L } },
+    /* 5 << 224 */
+    { { 0x157af101dace5acaL,0xc4fdbcf211a6a267L,0xdaddf340c49c8609L,
+        0x97e49f52e9604a65L },
+      { 0x9be8e790937e2ad5L,0x846e2508326e17f1L,0x3f38007a0bbbc0dcL,
+        0xcf03603fb11e16d6L } },
+    /* 6 << 224 */
+    { { 0xd6f800e07442f1d5L,0x475607d166e0e3abL,0x82807f16b7c64047L,
+        0x8858e1e3a749883dL },
+      { 0x5859120b8231ee10L,0x1b80e7eb638a1eceL,0xcb72525ac6aa73a4L,
+        0xa7cdea3d844423acL } },
+    /* 7 << 224 */
+    { { 0x5ed0c007f8ae7c38L,0x6db07a5c3d740192L,0xbe5e9c2a5fe36db3L,
+        0xd5b9d57a76e95046L },
+      { 0x54ac32e78eba20f2L,0xef11ca8f71b9a352L,0x305e373eff98a658L,
+        0xffe5a100823eb667L } },
+    /* 8 << 224 */
+    { { 0x57477b11e51732d2L,0xdfd6eb282538fc0eL,0x5c43b0cc3b39eec5L,
+        0x6af12778cb36cc57L },
+      { 0x70b0852d06c425aeL,0x6df92f8c5c221b9bL,0x6c8d4f9ece826d9cL,
+        0xf59aba7bb49359c3L } },
+    /* 9 << 224 */
+    { { 0x5c8ed8d5da64309dL,0x61a6de5691b30704L,0xd6b52f6a2f9b5808L,
+        0x0eee419498c958a7L },
+      { 0xcddd9aab771e4caaL,0x83965dfd78bc21beL,0x02affce3b3b504f5L,
+        0x30847a21561c8291L } },
+    /* 10 << 224 */
+    { { 0xd2eb2cf152bfda05L,0xe0e4c4e96197b98cL,0x1d35076cf8a1726fL,
+        0x6c06085b2db11e3dL },
+      { 0x15c0c4d74463ba14L,0x9d292f830030238cL,0x1311ee8b3727536dL,
+        0xfeea86efbeaedc1eL } },
+    /* 11 << 224 */
+    { { 0xb9d18cd366131e2eL,0xf31d974f80fe2682L,0xb6e49e0fe4160289L,
+        0x7c48ec0b08e92799L },
+      { 0x818111d8d1989aa7L,0xb34fa0aaebf926f9L,0xdb5fe2f5a245474aL,
+        0xf80a6ebb3c7ca756L } },
+    /* 12 << 224 */
+    { { 0xa7f96054afa05dd8L,0x26dfcf21fcaf119eL,0xe20ef2e30564bb59L,
+        0xef4dca5061cb02b8L },
+      { 0xcda7838a65d30672L,0x8b08d534fd657e86L,0x4c5b439546d595c8L,
+        0x39b58725425cb836L } },
+    /* 13 << 224 */
+    { { 0x8ea610593de9abe3L,0x404348819cdc03beL,0x9b261245cfedce8cL,
+        0x78c318b4cf5234a1L },
+      { 0x510bcf16fde24c99L,0x2a77cb75a2c2ff5dL,0x9c895c2b27960fb4L,
+        0xd30ce975b0eda42bL } },
+    /* 14 << 224 */
+    { { 0xfda853931a62cc26L,0x23c69b9650c0e052L,0xa227df15bfc633f3L,
+        0x2ac788481bae7d48L },
+      { 0x487878f9187d073dL,0x6c2be919967f807dL,0x765861d8336e6d8fL,
+        0x88b8974cce528a43L } },
+    /* 15 << 224 */
+    { { 0x09521177ff57d051L,0x2ff38037fb6a1961L,0xfc0aba74a3d76ad4L,
+        0x7c76480325a7ec17L },
+      { 0x7532d75f48879bc8L,0xea7eacc058ce6bc1L,0xc82176b48e896c16L,
+        0x9a30e0b22c750fedL } },
+    /* 16 << 224 */
+    { { 0xc37e2c2e421d3aa4L,0xf926407ce84fa840L,0x18abc03d1454e41cL,
+        0x26605ecd3f7af644L },
+      { 0x242341a6d6a5eabfL,0x1edb84f4216b668eL,0xd836edb804010102L,
+        0x5b337ce7945e1d8cL } },
+    /* 17 << 224 */
+    { { 0xd2075c77c055dc14L,0x2a0ffa2581d89cdfL,0x8ce815ea6ffdcbafL,
+        0xa3428878fb648867L },
+      { 0x277699cf884655fbL,0xfa5b5bd6364d3e41L,0x01f680c6441e1cb7L,
+        0x3fd61e66b70a7d67L } },
+    /* 18 << 224 */
+    { { 0x666ba2dccc78cf66L,0xb30181746fdbff77L,0x8d4dd0db168d4668L,
+        0x259455d01dab3a2aL },
+      { 0xf58564c5cde3acecL,0x7714192513adb276L,0x527d725d8a303f65L,
+        0x55deb6c9e6f38f7bL } },
+    /* 19 << 224 */
+    { { 0xfd5bb657b1fa70fbL,0xfa07f50fd8073a00L,0xf72e3aa7bca02500L,
+        0xf68f895d9975740dL },
+      { 0x301120605cae2a6aL,0x01bd721802874842L,0x3d4238917ce47bd3L,
+        0xa66663c1789544f6L } },
+    /* 20 << 224 */
+    { { 0x864d05d73272d838L,0xe22924f9fa6295c5L,0x8189593f6c2fda32L,
+        0x330d7189b184b544L },
+      { 0x79efa62cbde1f714L,0x35771c94e5cb1a63L,0x2f4826b8641c8332L,
+        0x00a894fbc8cee854L } },
+    /* 21 << 224 */
+    { { 0xb4b9a39b36194d40L,0xe857a7c577612601L,0xf4209dd24ecf2f58L,
+        0x82b9e66d5a033487L },
+      { 0xc1e36934e4e8b9ddL,0xd2372c9da42377d7L,0x51dc94c70e3ae43bL,
+        0x4c57761e04474f6fL } },
+    /* 22 << 224 */
+    { { 0xdcdacd0a1058a318L,0x369cf3f578053a9aL,0xc6c3de5031c68de2L,
+        0x4653a5763c4b6d9fL },
+      { 0x1688dd5aaa4e5c97L,0x5be80aa1b7ab3c74L,0x70cefe7cbc65c283L,
+        0x57f95f1306867091L } },
+    /* 23 << 224 */
+    { { 0xa39114e24415503bL,0xc08ff7c64cbb17e9L,0x1eff674dd7dec966L,
+        0x6d4690af53376f63L },
+      { 0xff6fe32eea74237bL,0xc436d17ecd57508eL,0x15aa28e1edcc40feL,
+        0x0d769c04581bbb44L } },
+    /* 24 << 224 */
+    { { 0xc240b6de34eaacdaL,0xd9e116e82ba0f1deL,0xcbe45ec779438e55L,
+        0x91787c9d96f752d7L },
+      { 0x897f532bf129ac2fL,0xd307b7c85a36e22cL,0x91940675749fb8f3L,
+        0xd14f95d0157fdb28L } },
+    /* 25 << 224 */
+    { { 0xfe51d0296ae55043L,0x8931e98f44a87de1L,0xe57f1cc609e4fee2L,
+        0x0d063b674e072d92L },
+      { 0x70a998b9ed0e4316L,0xe74a736b306aca46L,0xecf0fbf24fda97c7L,
+        0xa40f65cb3e178d93L } },
+    /* 26 << 224 */
+    { { 0x1625360416df4285L,0xb0c9babbd0c56ae2L,0x73032b19cfc5cfc3L,
+        0xe497e5c309752056L },
+      { 0x12096bb4164bda96L,0x1ee42419a0b74da1L,0x8fc36243403826baL,
+        0x0c8f0069dc09e660L } },
+    /* 27 << 224 */
+    { { 0x8667e981c27253c9L,0x05a6aefb92b36a45L,0xa62c4b369cb7bb46L,
+        0x8394f37511f7027bL },
+      { 0x747bc79c5f109d0fL,0xcad88a765b8cc60aL,0x80c5a66b58f09e68L,
+        0xe753d451f6127eacL } },
+    /* 28 << 224 */
+    { { 0xc44b74a15b0ec6f5L,0x47989fe45289b2b8L,0x745f848458d6fc73L,
+        0xec362a6ff61c70abL },
+      { 0x070c98a7b3a8ad41L,0x73a20fc07b63db51L,0xed2c2173f44c35f4L,
+        0x8a56149d9acc9dcaL } },
+    /* 29 << 224 */
+    { { 0x98f178819ac6e0f4L,0x360fdeafa413b5edL,0x0625b8f4a300b0fdL,
+        0xf1f4d76a5b3222d3L },
+      { 0x9d6f5109587f76b8L,0x8b4ee08d2317fdb5L,0x88089bb78c68b095L,
+        0x95570e9a5808d9b9L } },
+    /* 30 << 224 */
+    { { 0xa395c36f35d33ae7L,0x200ea12350bb5a94L,0x20c789bd0bafe84bL,
+        0x243ef52d0919276aL },
+      { 0x3934c577e23ae233L,0xb93807afa460d1ecL,0xb72a53b1f8fa76a4L,
+        0xd8914cb0c3ca4491L } },
+    /* 31 << 224 */
+    { { 0x2e1284943fb42622L,0x3b2700ac500907d5L,0xf370fb091a95ec63L,
+        0xf8f30be231b6dfbdL },
+      { 0xf2b2f8d269e55f15L,0x1fead851cc1323e9L,0xfa366010d9e5eef6L,
+        0x64d487b0e316107eL } },
+    /* 32 << 224 */
+    { { 0x4c076b86d23ddc82L,0x03fd344c7e0143f0L,0xa95362ff317af2c5L,
+        0x0add3db7e18b7a4fL },
+      { 0x9c673e3f8260e01bL,0xfbeb49e554a1cc91L,0x91351bf292f2e433L,
+        0xc755e7ec851141ebL } },
+    /* 33 << 224 */
+    { { 0xc9a9513929607745L,0x0ca07420a26f2b28L,0xcb2790e74bc6f9ddL,
+        0x345bbb58adcaffc0L },
+      { 0xc65ea38cbe0f27a2L,0x67c24d7c641fcb56L,0x2c25f0a7a9e2c757L,
+        0x93f5cdb016f16c49L } },
+    /* 34 << 224 */
+    { { 0x2ca5a9d7c5ee30a1L,0xd1593635b909b729L,0x804ce9f3dadeff48L,
+        0xec464751b07c30c3L },
+      { 0x89d65ff39e49af6aL,0xf2d6238a6f3d01bcL,0x1095561e0bced843L,
+        0x51789e12c8a13fd8L } },
+    /* 35 << 224 */
+    { { 0xd633f929763231dfL,0x46df9f7de7cbddefL,0x01c889c0cb265da8L,
+        0xfce1ad10af4336d2L },
+      { 0x8d110df6fc6a0a7eL,0xdd431b986da425dcL,0xcdc4aeab1834aabeL,
+        0x84deb1248439b7fcL } },
+    /* 36 << 224 */
+    { { 0x8796f1693c2a5998L,0x9b9247b47947190dL,0x55b9d9a511597014L,
+        0x7e9dd70d7b1566eeL },
+      { 0x94ad78f7cbcd5e64L,0x0359ac179bd4c032L,0x3b11baaf7cc222aeL,
+        0xa6a6e284ba78e812L } },
+    /* 37 << 224 */
+    { { 0x8392053f24cea1a0L,0xc97bce4a33621491L,0x7eb1db3435399ee9L,
+        0x473f78efece81ad1L },
+      { 0x41d72fe0f63d3d0dL,0xe620b880afab62fcL,0x92096bc993158383L,
+        0x41a213578f896f6cL } },
+    /* 38 << 224 */
+    { { 0x1b5ee2fac7dcfcabL,0x650acfde9546e007L,0xc081b749b1b02e07L,
+        0xda9e41a0f9eca03dL },
+      { 0x013ba727175a54abL,0xca0cd190ea5d8d10L,0x85ea52c095fd96a9L,
+        0x2c591b9fbc5c3940L } },
+    /* 39 << 224 */
+    { { 0x6fb4d4e42bad4d5fL,0xfa4c3590fef0059bL,0x6a10218af5122294L,
+        0x9a78a81aa85751d1L },
+      { 0x04f20579a98e84e7L,0xfe1242c04997e5b5L,0xe77a273bca21e1e4L,
+        0xfcc8b1ef9411939dL } },
+    /* 40 << 224 */
+    { { 0xe20ea30292d0487aL,0x1442dbec294b91feL,0x1f7a4afebb6b0e8fL,
+        0x1700ef746889c318L },
+      { 0xf5bbffc370f1fc62L,0x3b31d4b669c79ccaL,0xe8bc2aaba7f6340dL,
+        0xb0b08ab4a725e10aL } },
+    /* 41 << 224 */
+    { { 0x44f05701ae340050L,0xba4b30161cf0c569L,0x5aa29f83fbe19a51L,
+        0x1b9ed428b71d752eL },
+      { 0x1666e54eeb4819f5L,0x616cdfed9e18b75bL,0x112ed5be3ee27b0bL,
+        0xfbf2831944c7de4dL } },
+    /* 42 << 224 */
+    { { 0xd685ec85e0e60d84L,0x68037e301db7ee78L,0x5b65bdcd003c4d6eL,
+        0x33e7363a93e29a6aL },
+      { 0x995b3a6108d0756cL,0xd727f85c2faf134bL,0xfac6edf71d337823L,
+        0x99b9aa500439b8b4L } },
+    /* 43 << 224 */
+    { { 0x722eb104e2b4e075L,0x49987295437c4926L,0xb1e4c0e446a9b82dL,
+        0xd0cb319757a006f5L },
+      { 0xf3de0f7dd7808c56L,0xb5c54d8f51f89772L,0x500a114aadbd31aaL,
+        0x9afaaaa6295f6cabL } },
+    /* 44 << 224 */
+    { { 0x94705e2104cf667aL,0xfc2a811b9d3935d7L,0x560b02806d09267cL,
+        0xf19ed119f780e53bL },
+      { 0xf0227c09067b6269L,0x967b85335caef599L,0x155b924368efeebcL,
+        0xcd6d34f5c497bae6L } },
+    /* 45 << 224 */
+    { { 0x1dd8d5d36cceb370L,0x2aeac579a78d7bf9L,0x5d65017d70b67a62L,
+        0x70c8e44f17c53f67L },
+      { 0xd1fc095086a34d09L,0xe0fca256e7134907L,0xe24fa29c80fdd315L,
+        0x2c4acd03d87499adL } },
+    /* 46 << 224 */
+    { { 0xbaaf75173b5a9ba6L,0xb9cbe1f612e51a51L,0xd88edae35e154897L,
+        0xe4309c3c77b66ca0L },
+      { 0xf5555805f67f3746L,0x85fc37baa36401ffL,0xdf86e2cad9499a53L,
+        0x6270b2a3ecbc955bL } },
+    /* 47 << 224 */
+    { { 0xafae64f5974ad33bL,0x04d85977fe7b2df1L,0x2a3db3ff4ab03f73L,
+        0x0b87878a8702740aL },
+      { 0x6d263f015a061732L,0xc25430cea32a1901L,0xf7ebab3ddb155018L,
+        0x3a86f69363a9b78eL } },
+    /* 48 << 224 */
+    { { 0x349ae368da9f3804L,0x470f07fea164349cL,0xd52f4cc98562baa5L,
+        0xc74a9e862b290df3L },
+      { 0xd3a1aa3543471a24L,0x239446beb8194511L,0xbec2dd0081dcd44dL,
+        0xca3d7f0fc42ac82dL } },
+    /* 49 << 224 */
+    { { 0x1f3db085fdaf4520L,0xbb6d3e804549daf2L,0xf5969d8a19ad5c42L,
+        0x7052b13ddbfd1511L },
+      { 0x11890d1b682b9060L,0xa71d3883ac34452cL,0xa438055b783805b4L,
+        0x432412774725b23eL } },
+    /* 50 << 224 */
+    { { 0xf20cf96e4901bbedL,0x6419c710f432a2bbL,0x57a0fbb9dfa9cd7dL,
+        0x589111e400daa249L },
+      { 0x19809a337b60554eL,0xea5f8887ede283a4L,0x2d713802503bfd35L,
+        0x151bb0af585d2a53L } },
+    /* 51 << 224 */
+    { { 0x40b08f7443b30ca8L,0xe10b5bbad9934583L,0xe8a546d6b51110adL,
+        0x1dd50e6628e0b6c5L },
+      { 0x292e9d54cff2b821L,0x3882555d47281760L,0x134838f83724d6e3L,
+        0xf2c679e022ddcda1L } },
+    /* 52 << 224 */
+    { { 0x40ee88156d2a5768L,0x7f227bd21c1e7e2dL,0x487ba134d04ff443L,
+        0x76e2ff3dc614e54bL },
+      { 0x36b88d6fa3177ec7L,0xbf731d512328fff5L,0x758caea249ba158eL,
+        0x5ab8ff4c02938188L } },
+    /* 53 << 224 */
+    { { 0x33e1605635edc56dL,0x5a69d3497e940d79L,0x6c4fd00103866dcbL,
+        0x20a38f574893cdefL },
+      { 0xfbf3e790fac3a15bL,0x6ed7ea2e7a4f8e6bL,0xa663eb4fbc3aca86L,
+        0x22061ea5080d53f7L } },
+    /* 54 << 224 */
+    { { 0x2480dfe6f546783fL,0xd38bc6da5a0a641eL,0xfb093cd12ede8965L,
+        0x89654db4acb455cfL },
+      { 0x413cbf9a26e1adeeL,0x291f3764373294d4L,0x00797257648083feL,
+        0x25f504d3208cc341L } },
+    /* 55 << 224 */
+    { { 0x635a8e5ec3a0ee43L,0x70aaebca679898ffL,0x9ee9f5475dc63d56L,
+        0xce987966ffb34d00L },
+      { 0xf9f86b195e26310aL,0x9e435484382a8ca8L,0x253bcb81c2352fe4L,
+        0xa4eac8b04474b571L } },
+    /* 56 << 224 */
+    { { 0xc1b97512c1ad8cf8L,0x193b4e9e99e0b697L,0x939d271601e85df0L,
+        0x4fb265b3cd44eafdL },
+      { 0x321e7dcde51e1ae2L,0x8e3a8ca6e3d8b096L,0x8de46cb052604998L,
+        0x91099ad839072aa7L } },
+    /* 57 << 224 */
+    { { 0x2617f91c93aa96b8L,0x0fc8716b7fca2e13L,0xa7106f5e95328723L,
+        0xd1c9c40b262e6522L },
+      { 0xb9bafe8642b7c094L,0x1873439d1543c021L,0xe1baa5de5cbefd5dL,
+        0xa363fc5e521e8affL } },
+    /* 58 << 224 */
+    { { 0xefe6320df862eaacL,0x14419c6322c647dcL,0x0e06707c4e46d428L,
+        0xcb6c834f4a178f8fL },
+      { 0x0f993a45d30f917cL,0xd4c4b0499879afeeL,0xb6142a1e70500063L,
+        0x7c9b41c3a5d9d605L } },
+    /* 59 << 224 */
+    { { 0xbc00fc2f2f8ba2c7L,0x0966eb2f7c67aa28L,0x13f7b5165a786972L,
+        0x3bfb75578a2fbba0L },
+      { 0x131c4f235a2b9620L,0xbff3ed276faf46beL,0x9b4473d17e172323L,
+        0x421e8878339f6246L } },
+    /* 60 << 224 */
+    { { 0x0fa8587a25a41632L,0xc0814124a35b6c93L,0x2b18a9f559ebb8dbL,
+        0x264e335776edb29cL },
+      { 0xaf245ccdc87c51e2L,0x16b3015b501e6214L,0xbb31c5600a3882ceL,
+        0x6961bb94fec11e04L } },
+    /* 61 << 224 */
+    { { 0x3b825b8deff7a3a0L,0xbec33738b1df7326L,0x68ad747c99604a1fL,
+        0xd154c9349a3bd499L },
+      { 0xac33506f1cc7a906L,0x73bb53926c560e8fL,0x6428fcbe263e3944L,
+        0xc11828d51c387434L } },
+    /* 62 << 224 */
+    { { 0x3cd04be13e4b12ffL,0xc3aad9f92d88667cL,0xc52ddcf8248120cfL,
+        0x985a892e2a389532L },
+      { 0xfbb4b21b3bb85fa0L,0xf95375e08dfc6269L,0xfb4fb06c7ee2aceaL,
+        0x6785426e309c4d1fL } },
+    /* 63 << 224 */
+    { { 0x659b17c8d8ceb147L,0x9b649eeeb70a5554L,0x6b7fa0b5ac6bc634L,
+        0xd99fe2c71d6e732fL },
+      { 0x30e6e7628d3abba2L,0x18fee6e7a797b799L,0x5c9d360dc696464dL,
+        0xe3baeb4827bfde12L } },
+    /* 64 << 224 */
+    { { 0x2bf5db47f23206d5L,0x2f6d34201d260152L,0x17b876533f8ff89aL,
+        0x5157c30c378fa458L },
+      { 0x7517c5c52d4fb936L,0xef22f7ace6518cdcL,0xdeb483e6bf847a64L,
+        0xf508455892e0fa89L } },
+    /* 0 << 231 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 231 */
+    { { 0xab9659d8df7304d4L,0xb71bcf1bff210e8eL,0xa9a2438bd73fbd60L,
+        0x4595cd1f5d11b4deL },
+      { 0x9c0d329a4835859dL,0x4a0f0d2d7dbb6e56L,0xc6038e5edf928a4eL,
+        0xc94296218f5ad154L } },
+    /* 2 << 231 */
+    { { 0x91213462f23f2d92L,0x6cab71bd60b94078L,0x6bdd0a63176cde20L,
+        0x54c9b20cee4d54bcL },
+      { 0x3cd2d8aa9f2ac02fL,0x03f8e617206eedb0L,0xc7f68e1693086434L,
+        0x831469c592dd3db9L } },
+    /* 3 << 231 */
+    { { 0x8521df248f981354L,0x587e23ec3588a259L,0xcbedf281d7a0992cL,
+        0x06930a5538961407L },
+      { 0x09320debbe5bbe21L,0xa7ffa5b52491817fL,0xe6c8b4d909065160L,
+        0xac4f3992fff6d2a9L } },
+    /* 4 << 231 */
+    { { 0x7aa7a1583ae9c1bdL,0xe0af6d98e37ce240L,0xe54342d928ab38b4L,
+        0xe8b750070a1c98caL },
+      { 0xefce86afe02358f2L,0x31b8b856ea921228L,0x052a19120a1c67fcL,
+        0xb4069ea4e3aead59L } },
+    /* 5 << 231 */
+    { { 0x3232d6e27fa03cb3L,0xdb938e5b0fdd7d88L,0x04c1d2cd2ccbfc5dL,
+        0xd2f45c12af3a580fL },
+      { 0x592620b57883e614L,0x5fd27e68be7c5f26L,0x139e45a91567e1e3L,
+        0x2cc71d2d44d8aaafL } },
+    /* 6 << 231 */
+    { { 0x4a9090cde36d0757L,0xf722d7b1d9a29382L,0xfb7fb04c04b48ddfL,
+        0x628ad2a7ebe16f43L },
+      { 0xcd3fbfb520226040L,0x6c34ecb15104b6c4L,0x30c0754ec903c188L,
+        0xec336b082d23cab0L } },
+    /* 7 << 231 */
+    { { 0x473d62a21e206ee5L,0xf1e274808c49a633L,0x87ab956ce9f6b2c3L,
+        0x61830b4862b606eaL },
+      { 0x67cd6846e78e815fL,0xfe40139f4c02082aL,0x52bbbfcb952ec365L,
+        0x74c116426b9836abL } },
+    /* 8 << 231 */
+    { { 0x9f51439e558df019L,0x230da4baac712b27L,0x518919e355185a24L,
+        0x4dcefcdd84b78f50L },
+      { 0xa7d90fb2a47d4c5aL,0x55ac9abfb30e009eL,0xfd2fc35974eed273L,
+        0xb72d824cdbea8fafL } },
+    /* 9 << 231 */
+    { { 0xce721a744513e2caL,0x0b41861238240b2cL,0x05199968d5baa450L,
+        0xeb1757ed2b0e8c25L },
+      { 0x6ebc3e283dfac6d5L,0xb2431e2e48a237f5L,0x2acb5e2352f61499L,
+        0x5558a2a7e06c936bL } },
+    /* 10 << 231 */
+    { { 0xd213f923cbb13d1bL,0x98799f425bfb9bfeL,0x1ae8ddc9701144a9L,
+        0x0b8b3bb64c5595eeL },
+      { 0x0ea9ef2e3ecebb21L,0x17cb6c4b3671f9a7L,0x47ef464f726f1d1fL,
+        0x171b94846943a276L } },
+    /* 11 << 231 */
+    { { 0x51a4ae2d7ef0329cL,0x0850922291c4402aL,0x64a61d35afd45bbcL,
+        0x38f096fe3035a851L },
+      { 0xc7468b74a1dec027L,0xe8cf10e74fc7dcbaL,0xea35ff40f4a06353L,
+        0x0b4c0dfa8b77dd66L } },
+    /* 12 << 231 */
+    { { 0x779b8552de7e5c19L,0xfab28609c1c0256cL,0x64f58eeeabd4743dL,
+        0x4e8ef8387b6cc93bL },
+      { 0xee650d264cb1bf3dL,0x4c1f9d0973dedf61L,0xaef7c9d7bfb70cedL,
+        0x1ec0507e1641de1eL } },
+    /* 13 << 231 */
+    { { 0xcd7e5cc7cde45079L,0xde173c9a516ac9e4L,0x517a8494c170315cL,
+        0x438fd90591d8e8fbL },
+      { 0x5145c506c7d9630bL,0x6457a87bf47d4d75L,0xd31646bf0d9a80e8L,
+        0x453add2bcef3aabeL } },
+    /* 14 << 231 */
+    { { 0xc9941109a607419dL,0xfaa71e62bb6bca80L,0x34158c1307c431f3L,
+        0x594abebc992bc47aL },
+      { 0x6dfea691eb78399fL,0x48aafb353f42cba4L,0xedcd65af077c04f0L,
+        0x1a29a366e884491aL } },
+    /* 15 << 231 */
+    { { 0x023a40e51c21f2bfL,0xf99a513ca5057aeeL,0xa3fe7e25bcab072eL,
+        0x8568d2e140e32bcfL },
+      { 0x904594ebd3f69d9fL,0x181a973307affab1L,0xe4d68d76b6e330f4L,
+        0x87a6dafbc75a7fc1L } },
+    /* 16 << 231 */
+    { { 0x549db2b5ef7d9289L,0x2480d4a8197f015aL,0x61d5590bc40493b6L,
+        0x3a55b52e6f780331L },
+      { 0x40eb8115309eadb0L,0xdea7de5a92e5c625L,0x64d631f0cc6a3d5aL,
+        0x9d5e9d7c93e8dd61L } },
+    /* 17 << 231 */
+    { { 0xf297bef5206d3ffcL,0x23d5e0337d808bd4L,0x4a4f6912d24cf5baL,
+        0xe4d8163b09cdaa8aL },
+      { 0x0e0de9efd3082e8eL,0x4fe1246c0192f360L,0x1f9001504b8eee0aL,
+        0x5219da81f1da391bL } },
+    /* 18 << 231 */
+    { { 0x7bf6a5c1f7ea25aaL,0xd165e6bffbb07d5fL,0xe353936189e78671L,
+        0xa3fcac892bac4219L },
+      { 0xdfab6fd4f0baa8abL,0x5a4adac1e2c1c2e5L,0x6cd75e3140d85849L,
+        0xce263fea19b39181L } },
+    /* 19 << 231 */
+    { { 0xcb6803d307032c72L,0x7f40d5ce790968c8L,0xa6de86bddce978f0L,
+        0x25547c4f368f751cL },
+      { 0xb1e685fd65fb2a9eL,0xce69336f1eb9179cL,0xb15d1c2712504442L,
+        0xb7df465cb911a06bL } },
+    /* 20 << 231 */
+    { { 0xb8d804a3315980cdL,0x693bc492fa3bebf7L,0x3578aeee2253c504L,
+        0x158de498cd2474a2L },
+      { 0x1331f5c7cfda8368L,0xd2d7bbb378d7177eL,0xdf61133af3c1e46eL,
+        0x5836ce7dd30e7be8L } },
+    /* 21 << 231 */
+    { { 0x83084f1994f834cbL,0xd35653d4429ed782L,0xa542f16f59e58243L,
+        0xc2b52f650470a22dL },
+      { 0xe3b6221b18f23d96L,0xcb05abac3f5252b4L,0xca00938b87d61402L,
+        0x2f186cdd411933e4L } },
+    /* 22 << 231 */
+    { { 0xe042ece59a29a5c5L,0xb19b3c073b6c8402L,0xc97667c719d92684L,
+        0xb5624622ebc66372L },
+      { 0x0cb96e653c04fa02L,0x83a7176c8eaa39aaL,0x2033561deaa1633fL,
+        0x45a9d0864533df73L } },
+    /* 23 << 231 */
+    { { 0xe0542c1d3dc090bcL,0x82c996efaa59c167L,0xe3f735e80ee7fc4dL,
+        0x7b1793937c35db79L },
+      { 0xb6419e25f8c5dbfdL,0x4d9d7a1e1f327b04L,0x979f6f9b298dfca8L,
+        0xc7c5dff18de9366aL } },
+    /* 24 << 231 */
+    { { 0x1b7a588d04c82bddL,0x68005534f8319dfdL,0xde8a55b5d8eb9580L,
+        0x5ea886da8d5bca81L },
+      { 0xe8530a01252a0b4dL,0x1bffb4fe35eaa0a1L,0x2ad828b1d8e99563L,
+        0x7de96ef595f9cd87L } },
+    /* 25 << 231 */
+    { { 0x4abb2d0cd77d970cL,0x03cfb933d33ef9cbL,0xb0547c018b211fe9L,
+        0x2fe64809a56ed1c6L },
+      { 0xcb7d5624c2ac98ccL,0x2a1372c01a393e33L,0xc8d1ec1c29660521L,
+        0xf3d31b04b37ac3e9L } },
+    /* 26 << 231 */
+    { { 0xa29ae9df5ece6e7cL,0x0603ac8f0facfb55L,0xcfe85b7adda233a5L,
+        0xe618919fbd75f0b8L },
+      { 0xf555a3d299bf1603L,0x1f43afc9f184255aL,0xdcdaf341319a3e02L,
+        0xd3b117ef03903a39L } },
+    /* 27 << 231 */
+    { { 0xe095da1365d1d131L,0x86f16367c37ad03eL,0x5f37389e462cd8ddL,
+        0xc103fa04d67a60e6L },
+      { 0x57c34344f4b478f0L,0xce91edd8e117c98dL,0x001777b0231fc12eL,
+        0x11ae47f2b207bccbL } },
+    /* 28 << 231 */
+    { { 0xd983cf8d20f8a242L,0x7aff5b1df22e1ad8L,0x68fd11d07fc4feb3L,
+        0x5d53ae90b0f1c3e1L },
+      { 0x50fb7905ec041803L,0x85e3c97714404888L,0x0e67faedac628d8fL,
+        0x2e8651506668532cL } },
+    /* 29 << 231 */
+    { { 0x15acaaa46a67a6b0L,0xf4cdee25b25cec41L,0x49ee565ae4c6701eL,
+        0x2a04ca66fc7d63d8L },
+      { 0xeb105018ef0543fbL,0xf709a4f5d1b0d81dL,0x5b906ee62915d333L,
+        0xf4a8741296f1f0abL } },
+    /* 30 << 231 */
+    { { 0xb6b82fa74d82f4c2L,0x90725a606804efb3L,0xbc82ec46adc3425eL,
+        0xb7b805812787843eL },
+      { 0xdf46d91cdd1fc74cL,0xdc1c62cbe783a6c4L,0x59d1b9f31a04cbbaL,
+        0xd87f6f7295e40764L } },
+    /* 31 << 231 */
+    { { 0x02b4cfc1317f4a76L,0x8d2703eb91036bceL,0x98206cc6a5e72a56L,
+        0x57be9ed1cf53fb0fL },
+      { 0x09374571ef0b17acL,0x74b2655ed9181b38L,0xc8f80ea889935d0eL,
+        0xc0d9e94291529936L } },
+    /* 32 << 231 */
+    { { 0x196860411e84e0e5L,0xa5db84d3aea34c93L,0xf9d5bb197073a732L,
+        0xb8d2fe566bcfd7c0L },
+      { 0x45775f36f3eb82faL,0x8cb20cccfdff8b58L,0x1659b65f8374c110L,
+        0xb8b4a422330c789aL } },
+    /* 33 << 231 */
+    { { 0x75e3c3ea6fe8208bL,0xbd74b9e4286e78feL,0x0be2e81bd7d93a1aL,
+        0x7ed06e27dd0a5aaeL },
+      { 0x721f5a586be8b800L,0x428299d1d846db28L,0x95cb8e6b5be88ed3L,
+        0xc3186b231c034e11L } },
+    /* 34 << 231 */
+    { { 0xa6312c9e8977d99bL,0xbe94433183f531e7L,0x8232c0c218d3b1d4L,
+        0x617aae8be1247b73L },
+      { 0x40153fc4282aec3bL,0xc6063d2ff7b8f823L,0x68f10e583304f94cL,
+        0x31efae74ee676346L } },
+    /* 35 << 231 */
+    { { 0xbadb6c6d40a9b97cL,0x14702c634f666256L,0xdeb954f15184b2e3L,
+        0x5184a52694b6ca40L },
+      { 0xfff05337003c32eaL,0x5aa374dd205974c7L,0x9a7638544b0dd71aL,
+        0x459cd27fdeb947ecL } },
+    /* 36 << 231 */
+    { { 0xa6e28161459c2b92L,0x2f020fa875ee8ef5L,0xb132ec2d30b06310L,
+        0xc3e15899bc6a4530L },
+      { 0xdc5f53feaa3f451aL,0x3a3c7f23c2d9acacL,0x2ec2f8926b27e58bL,
+        0x68466ee7d742799fL } },
+    /* 37 << 231 */
+    { { 0x98324dd41fa26613L,0xa2dc6dabbdc29d63L,0xf9675faad712d657L,
+        0x813994be21fd8d15L },
+      { 0x5ccbb722fd4f7553L,0x5135ff8bf3a36b20L,0x44be28af69559df5L,
+        0x40b65bed9d41bf30L } },
+    /* 38 << 231 */
+    { { 0xd98bf2a43734e520L,0x5e3abbe3209bdcbaL,0x77c76553bc945b35L,
+        0x5331c093c6ef14aaL },
+      { 0x518ffe2976b60c80L,0x2285593b7ace16f8L,0xab1f64ccbe2b9784L,
+        0xe8f2c0d9ab2421b6L } },
+    /* 39 << 231 */
+    { { 0x617d7174c1df065cL,0xafeeb5ab5f6578faL,0x16ff1329263b54a8L,
+        0x45c55808c990dce3L },
+      { 0x42eab6c0ecc8c177L,0x799ea9b55982ecaaL,0xf65da244b607ef8eL,
+        0x8ab226ce32a3fc2cL } },
+    /* 40 << 231 */
+    { { 0x745741e57ea973dcL,0x5c00ca7020888f2eL,0x7cdce3cf45fd9cf1L,
+        0x8a741ef15507f872L },
+      { 0x47c51c2f196b4cecL,0x70d08e43c97ea618L,0x930da15c15b18a2bL,
+        0x33b6c6782f610514L } },
+    /* 41 << 231 */
+    { { 0xc662e4f807ac9794L,0x1eccf050ba06cb79L,0x1ff08623e7d954e5L,
+        0x6ef2c5fb24cf71c3L },
+      { 0xb2c063d267978453L,0xa0cf37961d654af8L,0x7cb242ea7ebdaa37L,
+        0x206e0b10b86747e0L } },
+    /* 42 << 231 */
+    { { 0x481dae5fd5ecfefcL,0x07084fd8c2bff8fcL,0x8040a01aea324596L,
+        0x4c646980d4de4036L },
+      { 0x9eb8ab4ed65abfc3L,0xe01cb91f13541ec7L,0x8f029adbfd695012L,
+        0x9ae284833c7569ecL } },
+    /* 43 << 231 */
+    { { 0xa5614c9ea66d80a1L,0x680a3e4475f5f911L,0x0c07b14dceba4fc1L,
+        0x891c285ba13071c1L },
+      { 0xcac67ceb799ece3cL,0x29b910a941e07e27L,0x66bdb409f2e43123L,
+        0x06f8b1377ac9ecbeL } },
+    /* 44 << 231 */
+    { { 0x5981fafd38547090L,0x19ab8b9f85e3415dL,0xfc28c194c7e31b27L,
+        0x843be0aa6fbcbb42L },
+      { 0xf3b1ed43a6db836cL,0x2a1330e401a45c05L,0x4f19f3c595c1a377L,
+        0xa85f39d044b5ee33L } },
+    /* 45 << 231 */
+    { { 0x3da18e6d4ae52834L,0x5a403b397423dcb0L,0xbb555e0af2374aefL,
+        0x2ad599c41e8ca111L },
+      { 0x1b3a2fb9014b3bf8L,0x73092684f66d5007L,0x079f1426c4340102L,
+        0x1827cf818fddf4deL } },
+    /* 46 << 231 */
+    { { 0xc83605f6f10ff927L,0xd387145123739fc6L,0x6d163450cac1c2ccL,
+        0x6b521296a2ec1ac5L },
+      { 0x0606c4f96e3cb4a5L,0xe47d3f41778abff7L,0x425a8d5ebe8e3a45L,
+        0x53ea9e97a6102160L } },
+    /* 47 << 231 */
+    { { 0x477a106e39cbb688L,0x532401d2f3386d32L,0x8e564f64b1b9b421L,
+        0xca9b838881dad33fL },
+      { 0xb1422b4e2093913eL,0x533d2f9269bc8112L,0x3fa017beebe7b2c7L,
+        0xb2767c4acaf197c6L } },
+    /* 48 << 231 */
+    { { 0xc925ff87aedbae9fL,0x7daf0eb936880a54L,0x9284ddf59c4d0e71L,
+        0x1581cf93316f8cf5L },
+      { 0x3eeca8873ac1f452L,0xb417fce9fb6aeffeL,0xa5918046eefb8dc3L,
+        0x73d318ac02209400L } },
+    /* 49 << 231 */
+    { { 0xe800400f728693e5L,0xe87d814b339927edL,0x93e94d3b57ea9910L,
+        0xff8a35b62245fb69L },
+      { 0x043853d77f200d34L,0x470f1e680f653ce1L,0x81ac05bd59a06379L,
+        0xa14052c203930c29L } },
+    /* 50 << 231 */
+    { { 0x6b72fab526bc2797L,0x13670d1699f16771L,0x001700521e3e48d1L,
+        0x978fe401b7adf678L },
+      { 0x55ecfb92d41c5dd4L,0x5ff8e247c7b27da5L,0xe7518272013fb606L,
+        0x5768d7e52f547a3cL } },
+    /* 51 << 231 */
+    { { 0xbb24eaa360017a5fL,0x6b18e6e49c64ce9bL,0xc225c655103dde07L,
+        0xfc3672ae7592f7eaL },
+      { 0x9606ad77d06283a1L,0x542fc650e4d59d99L,0xabb57c492a40e7c2L,
+        0xac948f13a8db9f55L } },
+    /* 52 << 231 */
+    { { 0x6d4c9682b04465c3L,0xe3d062fa6468bd15L,0xa51729ac5f318d7eL,
+        0x1fc87df69eb6fc95L },
+      { 0x63d146a80591f652L,0xa861b8f7589621aaL,0x59f5f15ace31348cL,
+        0x8f663391440da6daL } },
+    /* 53 << 231 */
+    { { 0xcfa778acb591ffa3L,0x027ca9c54cdfebceL,0xbe8e05a5444ea6b3L,
+        0x8aab4e69a78d8254L },
+      { 0x2437f04fb474d6b8L,0x6597ffd4045b3855L,0xbb0aea4eca47ecaaL,
+        0x568aae8385c7ebfcL } },
+    /* 54 << 231 */
+    { { 0x0e966e64c73b2383L,0x49eb3447d17d8762L,0xde1078218da05dabL,
+        0x443d8baa016b7236L },
+      { 0x163b63a5ea7610d6L,0xe47e4185ce1ca979L,0xae648b6580baa132L,
+        0xebf53de20e0d5b64L } },
+    /* 55 << 231 */
+    { { 0x8d3bfcb4d3c8c1caL,0x0d914ef35d04b309L,0x55ef64153de7d395L,
+        0xbde1666f26b850e8L },
+      { 0xdbe1ca6ed449ab19L,0x8902b322e89a2672L,0xb1674b7edacb7a53L,
+        0x8e9faf6ef52523ffL } },
+    /* 56 << 231 */
+    { { 0x6ba535da9a85788bL,0xd21f03aebd0626d4L,0x099f8c47e873dc64L,
+        0xcda8564d018ec97eL },
+      { 0x3e8d7a5cde92c68cL,0x78e035a173323cc4L,0x3ef26275f880ff7cL,
+        0xa4ee3dff273eedaaL } },
+    /* 57 << 231 */
+    { { 0x58823507af4e18f8L,0x967ec9b50672f328L,0x9ded19d9559d3186L,
+        0x5e2ab3de6cdce39cL },
+      { 0xabad6e4d11c226dfL,0xf9783f4387723014L,0x9a49a0cf1a885719L,
+        0xfc0c1a5a90da9dbfL } },
+    /* 58 << 231 */
+    { { 0x8bbaec49571d92acL,0x569e85fe4692517fL,0x8333b014a14ea4afL,
+        0x32f2a62f12e5c5adL },
+      { 0x98c2ce3a06d89b85L,0xb90741aa2ff77a08L,0x2530defc01f795a2L,
+        0xd6e5ba0b84b3c199L } },
+    /* 59 << 231 */
+    { { 0x7d8e845112e4c936L,0xae419f7dbd0be17bL,0xa583fc8c22262bc9L,
+        0x6b842ac791bfe2bdL },
+      { 0x33cef4e9440d6827L,0x5f69f4deef81fb14L,0xf16cf6f6234fbb92L,
+        0x76ae3fc3d9e7e158L } },
+    /* 60 << 231 */
+    { { 0x4e89f6c2e9740b33L,0x677bc85d4962d6a1L,0x6c6d8a7f68d10d15L,
+        0x5f9a72240257b1cdL },
+      { 0x7096b9164ad85961L,0x5f8c47f7e657ab4aL,0xde57d7d0f7461d7eL,
+        0x7eb6094d80ce5ee2L } },
+    /* 61 << 231 */
+    { { 0x0b1e1dfd34190547L,0x8a394f43f05dd150L,0x0a9eb24d97df44e6L,
+        0x78ca06bf87675719L },
+      { 0x6f0b34626ffeec22L,0x9d91bcea36cdd8fbL,0xac83363ca105be47L,
+        0x81ba76c1069710e3L } },
+    /* 62 << 231 */
+    { { 0x3d1b24cb28c682c6L,0x27f252288612575bL,0xb587c779e8e66e98L,
+        0x7b0c03e9405eb1feL },
+      { 0xfdf0d03015b548e7L,0xa8be76e038b36af7L,0x4cdab04a4f310c40L,
+        0x6287223ef47ecaecL } },
+    /* 63 << 231 */
+    { { 0x678e60558b399320L,0x61fe3fa6c01e4646L,0xc482866b03261a5eL,
+        0xdfcf45b85c2f244aL },
+      { 0x8fab9a512f684b43L,0xf796c654c7220a66L,0x1d90707ef5afa58fL,
+        0x2c421d974fdbe0deL } },
+    /* 64 << 231 */
+    { { 0xc4f4cda3af2ebc2fL,0xa0af843dcb4efe24L,0x53b857c19ccd10b1L,
+        0xddc9d1eb914d3e04L },
+      { 0x7bdec8bb62771debL,0x829277aa91c5aa81L,0x7af18dd6832391aeL,
+        0x1740f316c71a84caL } },
+    /* 0 << 238 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 238 */
+    { { 0x8928e99aeeaf8c49L,0xee7aa73d6e24d728L,0x4c5007c2e72b156cL,
+        0x5fcf57c5ed408a1dL },
+      { 0x9f719e39b6057604L,0x7d343c01c2868bbfL,0x2cca254b7e103e2dL,
+        0xe6eb38a9f131bea2L } },
+    /* 2 << 238 */
+    { { 0xb33e624f8be762b4L,0x2a9ee4d1058e3413L,0x968e636967d805faL,
+        0x9848949b7db8bfd7L },
+      { 0x5308d7e5d23a8417L,0x892f3b1df3e29da5L,0xc95c139e3dee471fL,
+        0x8631594dd757e089L } },
+    /* 3 << 238 */
+    { { 0xe0c82a3cde918dccL,0x2e7b599426fdcf4bL,0x82c5024932cb1b2dL,
+        0xea613a9d7657ae07L },
+      { 0xc2eb5f6cf1fdc9f7L,0xb6eae8b8879fe682L,0x253dfee0591cbc7fL,
+        0x000da7133e1290e6L } },
+    /* 4 << 238 */
+    { { 0x1083e2ea1f095615L,0x0a28ad7714e68c33L,0x6bfc02523d8818beL,
+        0xb585113af35850cdL },
+      { 0x7d935f0b30df8aa1L,0xaddda07c4ab7e3acL,0x92c34299552f00cbL,
+        0xc33ed1de2909df6cL } },
+    /* 5 << 238 */
+    { { 0x22c2195d80e87766L,0x9e99e6d89ddf4ac0L,0x09642e4e65e74934L,
+        0x2610ffa2ff1ff241L },
+      { 0x4d1d47d4751c8159L,0x697b4985af3a9363L,0x0318ca4687477c33L,
+        0xa90cb5659441eff3L } },
+    /* 6 << 238 */
+    { { 0x58bb384836f024cbL,0x85be1f7736016168L,0x6c59587cdc7e07f1L,
+        0x191be071af1d8f02L },
+      { 0xbf169fa5cca5e55cL,0x3864ba3cf7d04eacL,0x915e367f8d7d05dbL,
+        0xb48a876da6549e5dL } },
+    /* 7 << 238 */
+    { { 0xef89c656580e40a2L,0xf194ed8c728068bcL,0x74528045a47990c9L,
+        0xf53fc7d75e1a4649L },
+      { 0xbec5ae9b78593e7dL,0x2cac4ee341db65d7L,0xa8c1eb2404a3d39bL,
+        0x53b7d63403f8f3efL } },
+    /* 8 << 238 */
+    { { 0x2dc40d483e07113cL,0x6e4a5d397d8b63aeL,0x5582a94b79684c2bL,
+        0x932b33d4622da26cL },
+      { 0xf534f6510dbbf08dL,0x211d07c964c23a52L,0x0eeece0fee5bdc9bL,
+        0xdf178168f7015558L } },
+    /* 9 << 238 */
+    { { 0xd42946350a712229L,0x93cbe44809273f8cL,0x00b095ef8f13bc83L,
+        0xbb7419728798978cL },
+      { 0x9d7309a256dbe6e7L,0xe578ec565a5d39ecL,0x3961151b851f9a31L,
+        0x2da7715de5709eb4L } },
+    /* 10 << 238 */
+    { { 0x867f301753dfabf0L,0x728d2078b8e39259L,0x5c75a0cd815d9958L,
+        0xf84867a616603be1L },
+      { 0xc865b13d70e35b1cL,0x0241446819b03e2cL,0xe46041daac1f3121L,
+        0x7c9017ad6f028a7cL } },
+    /* 11 << 238 */
+    { { 0xabc96de90a482873L,0x4265d6b1b77e54d4L,0x68c38e79a57d88e7L,
+        0xd461d7669ce82de3L },
+      { 0x817a9ec564a7e489L,0xcc5675cda0def5f2L,0x9a00e785985d494eL,
+        0xc626833f1b03514aL } },
+    /* 12 << 238 */
+    { { 0xabe7905a83cdd60eL,0x50602fb5a1170184L,0x689886cdb023642aL,
+        0xd568d090a6e1fb00L },
+      { 0x5b1922c70259217fL,0x93831cd9c43141e4L,0xdfca35870c95f86eL,
+        0xdec2057a568ae828L } },
+    /* 13 << 238 */
+    { { 0xc44ea599f98a759aL,0x55a0a7a2f7c23c1dL,0xd5ffb6e694c4f687L,
+        0x3563cce212848478L },
+      { 0x812b3517e7b1fbe1L,0x8a7dc9794f7338e0L,0x211ecee952d048dbL,
+        0x2eea4056c86ea3b8L } },
+    /* 14 << 238 */
+    { { 0xd8cb68a7ba772b34L,0xe16ed3415f4e2541L,0x9b32f6a60fec14dbL,
+        0xeee376f7391698beL },
+      { 0xe9a7aa1783674c02L,0x65832f975843022aL,0x29f3a8da5ba4990fL,
+        0x79a59c3afb8e3216L } },
+    /* 15 << 238 */
+    { { 0x9cdc4d2ebd19bb16L,0xc6c7cfd0b3262d86L,0xd4ce14d0969c0b47L,
+        0x1fa352b713e56128L },
+      { 0x383d55b8973db6d3L,0x71836850e8e5b7bfL,0xc7714596e6bb571fL,
+        0x259df31f2d5b2dd2L } },
+    /* 16 << 238 */
+    { { 0x568f8925913cc16dL,0x18bc5b6de1a26f5aL,0xdfa413bef5f499aeL,
+        0xf8835decc3f0ae84L },
+      { 0xb6e60bd865a40ab0L,0x65596439194b377eL,0xbcd8562592084a69L,
+        0x5ce433b94f23ede0L } },
+    /* 17 << 238 */
+    { { 0xe8e8f04f6ad65143L,0x11511827d6e14af6L,0x3d390a108295c0c7L,
+        0x71e29ee4621eba16L },
+      { 0xa588fc0963717b46L,0x02be02fee06ad4a2L,0x931558c604c22b22L,
+        0xbb4d4bd612f3c849L } },
+    /* 18 << 238 */
+    { { 0x54a4f49620efd662L,0x92ba6d20c5952d14L,0x2db8ea1ecc9784c2L,
+        0x81cc10ca4b353644L },
+      { 0x40b570ad4b4d7f6cL,0x5c9f1d9684a1dcd2L,0x01379f813147e797L,
+        0xe5c6097b2bd499f5L } },
+    /* 19 << 238 */
+    { { 0x40dcafa6328e5e20L,0xf7b5244a54815550L,0xb9a4f11847bfc978L,
+        0x0ea0e79fd25825b1L },
+      { 0xa50f96eb646c7ecfL,0xeb811493446dea9dL,0x2af04677dfabcf69L,
+        0xbe3a068fc713f6e8L } },
+    /* 20 << 238 */
+    { { 0x860d523d42e06189L,0xbf0779414e3aff13L,0x0b616dcac1b20650L,
+        0xe66dd6d12131300dL },
+      { 0xd4a0fd67ff99abdeL,0xc9903550c7aac50dL,0x022ecf8b7c46b2d7L,
+        0x3333b1e83abf92afL } },
+    /* 21 << 238 */
+    { { 0x11cc113c6c491c14L,0x0597668880dd3f88L,0xf5b4d9e729d932edL,
+        0xe982aad8a2c38b6dL },
+      { 0x6f9253478be0dcf0L,0x700080ae65ca53f2L,0xd8131156443ca77fL,
+        0xe92d6942ec51f984L } },
+    /* 22 << 238 */
+    { { 0xd2a08af885dfe9aeL,0xd825d9a54d2a86caL,0x2c53988d39dff020L,
+        0xf38b135a430cdc40L },
+      { 0x0c918ae062a7150bL,0xf31fd8de0c340e9bL,0xafa0e7ae4dbbf02eL,
+        0x5847fb2a5eba6239L } },
+    /* 23 << 238 */
+    { { 0x6b1647dcdccbac8bL,0xb642aa7806f485c8L,0x873f37657038ecdfL,
+        0x2ce5e865fa49d3feL },
+      { 0xea223788c98c4400L,0x8104a8cdf1fa5279L,0xbcf7cc7a06becfd7L,
+        0x49424316c8f974aeL } },
+    /* 24 << 238 */
+    { { 0xc0da65e784d6365dL,0xbcb7443f8f759fb8L,0x35c712b17ae81930L,
+        0x80428dff4c6e08abL },
+      { 0xf19dafefa4faf843L,0xced8538dffa9855fL,0x20ac409cbe3ac7ceL,
+        0x358c1fb6882da71eL } },
+    /* 25 << 238 */
+    { { 0xafa9c0e5fd349961L,0x2b2cfa518421c2fcL,0x2a80db17f3a28d38L,
+        0xa8aba5395d138e7eL },
+      { 0x52012d1d6e96eb8dL,0x65d8dea0cbaf9622L,0x57735447b264f56cL,
+        0xbeebef3f1b6c8da2L } },
+    /* 26 << 238 */
+    { { 0xfc346d98ce785254L,0xd50e8d72bb64a161L,0xc03567c749794addL,
+        0x15a76065752c7ef6L },
+      { 0x59f3a222961f23d6L,0x378e443873ecc0b0L,0xc74be4345a82fde4L,
+        0xae509af2d8b9cf34L } },
+    /* 27 << 238 */
+    { { 0x4a61ee46577f44a1L,0xe09b748cb611deebL,0xc0481b2cf5f7b884L,
+        0x3562667861acfa6bL },
+      { 0x37f4c518bf8d21e6L,0x22d96531b205a76dL,0x37fb85e1954073c0L,
+        0xbceafe4f65b3a567L } },
+    /* 28 << 238 */
+    { { 0xefecdef7be42a582L,0xd3fc608065046be6L,0xc9af13c809e8dba9L,
+        0x1e6c9847641491ffL },
+      { 0x3b574925d30c31f7L,0xb7eb72baac2a2122L,0x776a0dacef0859e7L,
+        0x06fec31421900942L } },
+    /* 29 << 238 */
+    { { 0x2464bc10f8c22049L,0x9bfbcce7875ebf69L,0xd7a88e2a4336326bL,
+        0xda05261c5bc2acfaL },
+      { 0xc29f5bdceba7efc8L,0x471237ca25dbbf2eL,0xa72773f22975f127L,
+        0xdc744e8e04d0b326L } },
+    /* 30 << 238 */
+    { { 0x38a7ed16a56edb73L,0x64357e372c007e70L,0xa167d15b5080b400L,
+        0x07b4116423de4be1L },
+      { 0xb2d91e3274c89883L,0x3c1628212882e7edL,0xad6b36ba7503e482L,
+        0x48434e8e0ea34331L } },
+    /* 31 << 238 */
+    { { 0x79f4f24f2c7ae0b9L,0xc46fbf811939b44aL,0x76fefae856595eb1L,
+        0x417b66abcd5f29c7L },
+      { 0x5f2332b2c5ceec20L,0xd69661ffe1a1cae2L,0x5ede7e529b0286e6L,
+        0x9d062529e276b993L } },
+    /* 32 << 238 */
+    { { 0x324794b07e50122bL,0xdd744f8b4af07ca5L,0x30a12f08d63fc97bL,
+        0x39650f1a76626d9dL },
+      { 0x101b47f71fa38477L,0x3d815f19d4dc124fL,0x1569ae95b26eb58aL,
+        0xc3cde18895fb1887L } },
+    /* 33 << 238 */
+    { { 0x54e9f37bf9539a48L,0xb0100e067408c1a5L,0x821d9811ea580cbbL,
+        0x8af52d3586e50c56L },
+      { 0xdfbd9d47dbbf698bL,0x2961a1ea03dc1c73L,0x203d38f8e76a5df8L,
+        0x08a53a686def707aL } },
+    /* 34 << 238 */
+    { { 0x26eefb481bee45d4L,0xb3cee3463c688036L,0x463c5315c42f2469L,
+        0x19d84d2e81378162L },
+      { 0x22d7c3c51c4d349fL,0x65965844163d59c5L,0xcf198c56b8abceaeL,
+        0x6fb1fb1b628559d5L } },
+    /* 35 << 238 */
+    { { 0x8bbffd0607bf8fe3L,0x46259c583467734bL,0xd8953cea35f7f0d3L,
+        0x1f0bece2d65b0ff1L },
+      { 0xf7d5b4b3f3c72914L,0x29e8ea953cb53389L,0x4a365626836b6d46L,
+        0xe849f910ea174fdeL } },
+    /* 36 << 238 */
+    { { 0x7ec62fbbf4737f21L,0xd8dba5ab6209f5acL,0x24b5d7a9a5f9adbeL,
+        0x707d28f7a61dc768L },
+      { 0x7711460bcaa999eaL,0xba7b174d1c92e4ccL,0x3c4bab6618d4bf2dL,
+        0xb8f0c980eb8bd279L } },
+    /* 37 << 238 */
+    { { 0x024bea9a324b4737L,0xfba9e42332a83bcaL,0x6e635643a232dcedL,
+        0x996193672571c8baL },
+      { 0xe8c9f35754b7032bL,0xf936b3ba2442d54aL,0x2263f0f08290c65aL,
+        0x48989780ee2c7fdbL } },
+    /* 38 << 238 */
+    { { 0xadc5d55a13d4f95eL,0x737cff85ad9b8500L,0x271c557b8a73f43dL,
+        0xbed617a4e18bc476L },
+      { 0x662454017dfd8ab2L,0xae7b89ae3a2870aaL,0x1b555f5323a7e545L,
+        0x6791e247be057e4cL } },
+    /* 39 << 238 */
+    { { 0x860136ad324fa34dL,0xea1114474cbeae28L,0x023a4270bedd3299L,
+        0x3d5c3a7fc1c35c34L },
+      { 0xb0f6db678d0412d2L,0xd92625e2fcdc6b9aL,0x92ae5ccc4e28a982L,
+        0xea251c3647a3ce7eL } },
+    /* 40 << 238 */
+    { { 0x9d658932790691bfL,0xed61058906b736aeL,0x712c2f04c0d63b6eL,
+        0x5cf06fd5c63d488fL },
+      { 0x97363facd9588e41L,0x1f9bf7622b93257eL,0xa9d1ffc4667acaceL,
+        0x1cf4a1aa0a061ecfL } },
+    /* 41 << 238 */
+    { { 0x40e48a49dc1818d0L,0x0643ff39a3621ab0L,0x5768640ce39ef639L,
+        0x1fc099ea04d86854L },
+      { 0x9130b9c3eccd28fdL,0xd743cbd27eec54abL,0x052b146fe5b475b6L,
+        0x058d9a82900a7d1fL } },
+    /* 42 << 238 */
+    { { 0x65e0229291262b72L,0x96f924f9bb0edf03L,0x5cfa59c8fe206842L,
+        0xf60370045eafa720L },
+      { 0x5f30699e18d7dd96L,0x381e8782cbab2495L,0x91669b46dd8be949L,
+        0xb40606f526aae8efL } },
+    /* 43 << 238 */
+    { { 0x2812b839fc6751a4L,0x16196214fba800efL,0x4398d5ca4c1a2875L,
+        0x720c00ee653d8349L },
+      { 0xc2699eb0d820007cL,0x880ee660a39b5825L,0x70694694471f6984L,
+        0xf7d16ea8e3dda99aL } },
+    /* 44 << 238 */
+    { { 0x28d675b2c0519a23L,0x9ebf94fe4f6952e3L,0xf28bb767a2294a8aL,
+        0x85512b4dfe0af3f5L },
+      { 0x18958ba899b16a0dL,0x95c2430cba7548a7L,0xb30d1b10a16be615L,
+        0xe3ebbb9785bfb74cL } },
+    /* 45 << 238 */
+    { { 0xa3273cfe18549fdbL,0xf6e200bf4fcdb792L,0x54a76e1883aba56cL,
+        0x73ec66f689ef6aa2L },
+      { 0x8d17add7d1b9a305L,0xa959c5b9b7ae1b9dL,0x886435226bcc094aL,
+        0xcc5616c4d7d429b9L } },
+    /* 46 << 238 */
+    { { 0xa6dada01e6a33f7cL,0xc6217a079d4e70adL,0xd619a81809c15b7cL,
+        0xea06b3290e80c854L },
+      { 0x174811cea5f5e7b9L,0x66dfc310787c65f4L,0x4ea7bd693316ab54L,
+        0xc12c4acb1dcc0f70L } },
+    /* 47 << 238 */
+    { { 0xe4308d1a1e407dd9L,0xe8a3587c91afa997L,0xea296c12ab77b7a5L,
+        0xb5ad49e4673c0d52L },
+      { 0x40f9b2b27006085aL,0xa88ff34087bf6ec2L,0x978603b14e3066a6L,
+        0xb3f99fc2b5e486e2L } },
+    /* 48 << 238 */
+    { { 0x07b53f5eb2e63645L,0xbe57e54784c84232L,0xd779c2167214d5cfL,
+        0x617969cd029a3acaL },
+      { 0xd17668cd8a7017a0L,0x77b4d19abe9b7ee8L,0x58fd0e939c161776L,
+        0xa8c4f4efd5968a72L } },
+    /* 49 << 238 */
+    { { 0x296071cc67b3de77L,0xae3c0b8e634f7905L,0x67e440c28a7100c9L,
+        0xbb8c3c1beb4b9b42L },
+      { 0x6d71e8eac51b3583L,0x7591f5af9525e642L,0xf73a2f7b13f509f3L,
+        0x618487aa5619ac9bL } },
+    /* 50 << 238 */
+    { { 0x3a72e5f79d61718aL,0x00413bcc7592d28cL,0x7d9b11d3963c35cfL,
+        0x77623bcfb90a46edL },
+      { 0xdeef273bdcdd2a50L,0x4a741f9b0601846eL,0x33b89e510ec6e929L,
+        0xcb02319f8b7f22cdL } },
+    /* 51 << 238 */
+    { { 0xbbe1500d084bae24L,0x2f0ae8d7343d2693L,0xacffb5f27cdef811L,
+        0xaa0c030a263fb94fL },
+      { 0x6eef0d61a0f442deL,0xf92e181727b139d3L,0x1ae6deb70ad8bc28L,
+        0xa89e38dcc0514130L } },
+    /* 52 << 238 */
+    { { 0x81eeb865d2fdca23L,0x5a15ee08cc8ef895L,0x768fa10a01905614L,
+        0xeff5b8ef880ee19bL },
+      { 0xf0c0cabbcb1c8a0eL,0x2e1ee9cdb8c838f9L,0x0587d8b88a4a14c0L,
+        0xf6f278962ff698e5L } },
+    /* 53 << 238 */
+    { { 0xed38ef1c89ee6256L,0xf44ee1fe6b353b45L,0x9115c0c770e903b3L,
+        0xc78ec0a1818f31dfL },
+      { 0x6c003324b7dccbc6L,0xd96dd1f3163bbc25L,0x33aa82dd5cedd805L,
+        0x123aae4f7f7eb2f1L } },
+    /* 54 << 238 */
+    { { 0x1723fcf5a26262cdL,0x1f7f4d5d0060ebd5L,0xf19c5c01b2eaa3afL,
+        0x2ccb9b149790accfL },
+      { 0x1f9c1cad52324aa6L,0x632005267247df54L,0x5732fe42bac96f82L,
+        0x52fe771f01a1c384L } },
+    /* 55 << 238 */
+    { { 0x546ca13db1001684L,0xb56b4eeea1709f75L,0x266545a9d5db8672L,
+        0xed971c901e8f3cfbL },
+      { 0x4e7d8691e3a07b29L,0x7570d9ece4b696b9L,0xdc5fa0677bc7e9aeL,
+        0x68b44cafc82c4844L } },
+    /* 56 << 238 */
+    { { 0x519d34b3bf44da80L,0x283834f95ab32e66L,0x6e6087976278a000L,
+        0x1e62960e627312f6L },
+      { 0x9b87b27be6901c55L,0x80e7853824fdbc1fL,0xbbbc09512facc27dL,
+        0x06394239ac143b5aL } },
+    /* 57 << 238 */
+    { { 0x35bb4a40376c1944L,0x7cb6269463da1511L,0xafd29161b7148a3bL,
+        0xa6f9d9ed4e2ea2eeL },
+      { 0x15dc2ca2880dd212L,0x903c3813a61139a9L,0x2aa7b46d6c0f8785L,
+        0x36ce2871901c60ffL } },
+    /* 58 << 238 */
+    { { 0xc683b028e10d9c12L,0x7573baa2032f33d3L,0x87a9b1f667a31b58L,
+        0xfd3ed11af4ffae12L },
+      { 0x83dcaa9a0cb2748eL,0x8239f0185d6fdf16L,0xba67b49c72753941L,
+        0x2beec455c321cb36L } },
+    /* 59 << 238 */
+    { { 0x880156063f8b84ceL,0x764170838d38c86fL,0x054f1ca7598953ddL,
+        0xc939e1104e8e7429L },
+      { 0x9b1ac2b35a914f2fL,0x39e35ed3e74b8f9cL,0xd0debdb2781b2fb0L,
+        0x1585638f2d997ba2L } },
+    /* 60 << 238 */
+    { { 0x9c4b646e9e2fce99L,0x68a210811e80857fL,0x06d54e443643b52aL,
+        0xde8d6d630d8eb843L },
+      { 0x7032156342146a0aL,0x8ba826f25eaa3622L,0x227a58bd86138787L,
+        0x43b6c03c10281d37L } },
+    /* 61 << 238 */
+    { { 0x6326afbbb54dde39L,0x744e5e8adb6f2d5fL,0x48b2a99acff158e1L,
+        0xa93c8fa0ef87918fL },
+      { 0x2182f956de058c5cL,0x216235d2936f9e7aL,0xace0c0dbd2e31e67L,
+        0xc96449bff23ac3e7L } },
+    /* 62 << 238 */
+    { { 0x7e9a2874170693bdL,0xa28e14fda45e6335L,0x5757f6b356427344L,
+        0x822e4556acf8edf9L },
+      { 0x2b7a6ee2e6a285cdL,0x5866f211a9df3af0L,0x40dde2ddf845b844L,
+        0x986c3726110e5e49L } },
+    /* 63 << 238 */
+    { { 0x73680c2af7172277L,0x57b94f0f0cccb244L,0xbdff72672d438ca7L,
+        0xbad1ce11cf4663fdL },
+      { 0x9813ed9dd8f71caeL,0xf43272a6961fdaa6L,0xbeff0119bd6d1637L,
+        0xfebc4f9130361978L } },
+    /* 64 << 238 */
+    { { 0x02b37a952f41deffL,0x0e44a59ae63b89b7L,0x673257dc143ff951L,
+        0x19c02205d752baf4L },
+      { 0x46c23069c4b7d692L,0x2e6392c3fd1502acL,0x6057b1a21b220846L,
+        0xe51ff9460c1b5b63L } },
+    /* 0 << 245 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 245 */
+    { { 0x6e85cb51566c5c43L,0xcff9c9193597f046L,0x9354e90c4994d94aL,
+        0xe0a393322147927dL },
+      { 0x8427fac10dc1eb2bL,0x88cfd8c22ff319faL,0xe2d4e68401965274L,
+        0xfa2e067d67aaa746L } },
+    /* 2 << 245 */
+    { { 0xb6d92a7f3e5f9f11L,0x9afe153ad6cb3b8eL,0x4d1a6dd7ddf800bdL,
+        0xf6c13cc0caf17e19L },
+      { 0x15f6c58e325fc3eeL,0x71095400a31dc3b2L,0x168e7c07afa3d3e7L,
+        0x3f8417a194c7ae2dL } },
+    /* 3 << 245 */
+    { { 0xec234772813b230dL,0x634d0f5f17344427L,0x11548ab1d77fc56aL,
+        0x7fab1750ce06af77L },
+      { 0xb62c10a74f7c4f83L,0xa7d2edc4220a67d9L,0x1c404170921209a0L,
+        0x0b9815a0face59f0L } },
+    /* 4 << 245 */
+    { { 0x2842589b319540c3L,0x18490f59a283d6f8L,0xa2731f84daae9fcbL,
+        0x3db6d960c3683ba0L },
+      { 0xc85c63bb14611069L,0xb19436af0788bf05L,0x905459df347460d2L,
+        0x73f6e094e11a7db1L } },
+    /* 5 << 245 */
+    { { 0xdc7f938eb6357f37L,0xc5d00f792bd8aa62L,0xc878dcb92ca979fcL,
+        0x37e83ed9eb023a99L },
+      { 0x6b23e2731560bf3dL,0x1086e4591d0fae61L,0x782483169a9414bdL,
+        0x1b956bc0f0ea9ea1L } },
+    /* 6 << 245 */
+    { { 0x7b85bb91c31b9c38L,0x0c5aa90b48ef57b5L,0xdedeb169af3bab6fL,
+        0xe610ad732d373685L },
+      { 0xf13870df02ba8e15L,0x0337edb68ca7f771L,0xe4acf747b62c036cL,
+        0xd921d576b6b94e81L } },
+    /* 7 << 245 */
+    { { 0xdbc864392c422f7aL,0xfb635362ed348898L,0x83084668c45bfcd1L,
+        0xc357c9e32b315e11L },
+      { 0xb173b5405b2e5b8cL,0x7e946931e102b9a4L,0x17c890eb7b0fb199L,
+        0xec225a83d61b662bL } },
+    /* 8 << 245 */
+    { { 0xf306a3c8ee3c76cbL,0x3cf11623d32a1f6eL,0xe6d5ab646863e956L,
+        0x3b8a4cbe5c005c26L },
+      { 0xdcd529a59ce6bb27L,0xc4afaa5204d4b16fL,0xb0624a267923798dL,
+        0x85e56df66b307fabL } },
+    /* 9 << 245 */
+    { { 0x0281893c2bf29698L,0x91fc19a4d7ce7603L,0x75a5dca3ad9a558fL,
+        0x40ceb3fa4d50bf77L },
+      { 0x1baf6060bc9ba369L,0x927e1037597888c2L,0xd936bf1986a34c07L,
+        0xd4cf10c1c34ae980L } },
+    /* 10 << 245 */
+    { { 0x3a3e5334859dd614L,0x9c475b5b18d0c8eeL,0x63080d1f07cd51d5L,
+        0xc9c0d0a6b88b4326L },
+      { 0x1ac98691c234296fL,0x2a0a83a494887fb6L,0x565114270cea9cf2L,
+        0x5230a6e8a24802f5L } },
+    /* 11 << 245 */
+    { { 0xf7a2bf0f72e3d5c1L,0x377174464f21439eL,0xfedcbf259ce30334L,
+        0xe0030a787ce202f9L },
+      { 0x6f2d9ebf1202e9caL,0xe79dde6c75e6e591L,0xf52072aff1dac4f8L,
+        0x6c8d087ebb9b404dL } },
+    /* 12 << 245 */
+    { { 0xad0fc73dbce913afL,0x909e587b458a07cbL,0x1300da84d4f00c8aL,
+        0x425cd048b54466acL },
+      { 0xb59cb9be90e9d8bfL,0x991616db3e431b0eL,0xd3aa117a531aecffL,
+        0x91af92d359f4dc3bL } },
+    /* 13 << 245 */
+    { { 0x9b1ec292e93fda29L,0x76bb6c17e97d91bcL,0x7509d95faface1e6L,
+        0x3653fe47be855ae3L },
+      { 0x73180b280f680e75L,0x75eefd1beeb6c26cL,0xa4cdf29fb66d4236L,
+        0x2d70a9976b5821d8L } },
+    /* 14 << 245 */
+    { { 0x7a3ee20720445c36L,0x71d1ac8259877174L,0x0fc539f7949f73e9L,
+        0xd05cf3d7982e3081L },
+      { 0x8758e20b7b1c7129L,0xffadcc20569e61f2L,0xb05d3a2f59544c2dL,
+        0xbe16f5c19fff5e53L } },
+    /* 15 << 245 */
+    { { 0x73cf65b8aad58135L,0x622c2119037aa5beL,0x79373b3f646fd6a0L,
+        0x0e029db50d3978cfL },
+      { 0x8bdfc43794fba037L,0xaefbd687620797a6L,0x3fa5382bbd30d38eL,
+        0x7627cfbf585d7464L } },
+    /* 16 << 245 */
+    { { 0xb2330fef4e4ca463L,0xbcef72873566cc63L,0xd161d2cacf780900L,
+        0x135dc5395b54827dL },
+      { 0x638f052e27bf1bc6L,0x10a224f007dfa06cL,0xe973586d6d3321daL,
+        0x8b0c573826152c8fL } },
+    /* 17 << 245 */
+    { { 0x07ef4f2a34606074L,0x80fe7fe8a0f7047aL,0x3d1a8152e1a0e306L,
+        0x32cf43d888da5222L },
+      { 0xbf89a95f5f02ffe6L,0x3d9eb9a4806ad3eaL,0x012c17bb79c8e55eL,
+        0xfdcd1a7499c81dacL } },
+    /* 18 << 245 */
+    { { 0x7043178bb9556098L,0x4090a1df801c3886L,0x759800ff9b67b912L,
+        0x3e5c0304232620c8L },
+      { 0x4b9d3c4b70dceecaL,0xbb2d3c15181f648eL,0xf981d8376e33345cL,
+        0xb626289b0cf2297aL } },
+    /* 19 << 245 */
+    { { 0x766ac6598baebdcfL,0x1a28ae0975df01e5L,0xb71283da375876d8L,
+        0x4865a96d607b9800L },
+      { 0x25dd1bcd237936b2L,0x332f4f4b60417494L,0xd0923d68370a2147L,
+        0x497f5dfbdc842203L } },
+    /* 20 << 245 */
+    { { 0x9dc74cbd32be5e0fL,0x7475bcb717a01375L,0x438477c950d872b1L,
+        0xcec67879ffe1d63dL },
+      { 0x9b006014d8578c70L,0xc9ad99a878bb6b8bL,0x6799008e11fb3806L,
+        0xcfe81435cd44cab3L } },
+    /* 21 << 245 */
+    { { 0xa2ee15822f4fb344L,0xb8823450483fa6ebL,0x622d323d652c7749L,
+        0xd8474a98beb0a15bL },
+      { 0xe43c154d5d1c00d0L,0x7fd581d90e3e7aacL,0x2b44c6192525ddf8L,
+        0x67a033ebb8ae9739L } },
+    /* 22 << 245 */
+    { { 0x113ffec19ef2d2e4L,0x1bf6767ed5a0ea7fL,0x57fff75e03714c0aL,
+        0xa23c422e0a23e9eeL },
+      { 0xdd5f6b2d540f83afL,0xc2c2c27e55ea46a7L,0xeb6b4246672a1208L,
+        0xd13599f7ae634f7aL } },
+    /* 23 << 245 */
+    { { 0xcf914b5cd7b32c6eL,0x61a5a640eaf61814L,0x8dc3df8b208a1bbbL,
+        0xef627fd6b6d79aa5L },
+      { 0x44232ffcc4c86bc8L,0xe6f9231b061539feL,0x1d04f25a958b9533L,
+        0x180cf93449e8c885L } },
+    /* 24 << 245 */
+    { { 0x896895959884aaf7L,0xb1959be307b348a6L,0x96250e573c147c87L,
+        0xae0efb3add0c61f8L },
+      { 0xed00745eca8c325eL,0x3c911696ecff3f70L,0x73acbc65319ad41dL,
+        0x7b01a020f0b1c7efL } },
+    /* 25 << 245 */
+    { { 0xea32b29363a1483fL,0x89eabe717a248f96L,0x9c6231d3343157e5L,
+        0x93a375e5df3c546dL },
+      { 0xe76e93436a2afe69L,0xc4f89100e166c88eL,0x248efd0d4f872093L,
+        0xae0eb3ea8fe0ea61L } },
+    /* 26 << 245 */
+    { { 0xaf89790d9d79046eL,0x4d650f2d6cee0976L,0xa3935d9a43071ecaL,
+        0x66fcd2c9283b0bfeL },
+      { 0x0e665eb5696605f1L,0xe77e5d07a54cd38dL,0x90ee050a43d950cfL,
+        0x86ddebdad32e69b5L } },
+    /* 27 << 245 */
+    { { 0x6ad94a3dfddf7415L,0xf7fa13093f6e8d5aL,0xc4831d1de9957f75L,
+        0x7de28501d5817447L },
+      { 0x6f1d70789e2aeb6bL,0xba2b9ff4f67a53c2L,0x36963767df9defc3L,
+        0x479deed30d38022cL } },
+    /* 28 << 245 */
+    { { 0xd2edb89b3a8631e8L,0x8de855de7a213746L,0xb2056cb7b00c5f11L,
+        0xdeaefbd02c9b85e4L },
+      { 0x03f39a8dd150892dL,0x37b84686218b7985L,0x36296dd8b7375f1aL,
+        0x472cd4b1b78e898eL } },
+    /* 29 << 245 */
+    { { 0x15dff651e9f05de9L,0xd40450692ce98ba9L,0x8466a7ae9b38024cL,
+        0xb910e700e5a6b5efL },
+      { 0xae1c56eab3aa8f0dL,0xbab2a5077eee74a6L,0x0dca11e24b4c4620L,
+        0xfd896e2e4c47d1f4L } },
+    /* 30 << 245 */
+    { { 0xeb45ae53308fbd93L,0x46cd5a2e02c36fdaL,0x6a3d4e90baa48385L,
+        0xdd55e62e9dbe9960L },
+      { 0xa1406aa02a81ede7L,0x6860dd14f9274ea7L,0xcfdcb0c280414f86L,
+        0xff410b1022f94327L } },
+    /* 31 << 245 */
+    { { 0x5a33cc3849ad467bL,0xefb48b6c0a7335f1L,0x14fb54a4b153a360L,
+        0x604aa9d2b52469ccL },
+      { 0x5e9dc486754e48e9L,0x693cb45537471e8eL,0xfb2fd7cd8d3b37b6L,
+        0x63345e16cf09ff07L } },
+    /* 32 << 245 */
+    { { 0x9910ba6b23a5d896L,0x1fe19e357fe4364eL,0x6e1da8c39a33c677L,
+        0x15b4488b29fd9fd0L },
+      { 0x1f4392541a1f22bfL,0x920a8a70ab8163e8L,0x3fd1b24907e5658eL,
+        0xf2c4f79cb6ec839bL } },
+    /* 33 << 245 */
+    { { 0x1abbc3d04aa38d1bL,0x3b0db35cb5d9510eL,0x1754ac783e60dec0L,
+        0x53272fd7ea099b33L },
+      { 0x5fb0494f07a8e107L,0x4a89e1376a8191faL,0xa113b7f63c4ad544L,
+        0x88a2e9096cb9897bL } },
+    /* 34 << 245 */
+    { { 0x17d55de3b44a3f84L,0xacb2f34417c6c690L,0x3208816810232390L,
+        0xf2e8a61f6c733bf7L },
+      { 0xa774aab69c2d7652L,0xfb5307e3ed95c5bcL,0xa05c73c24981f110L,
+        0x1baae31ca39458c9L } },
+    /* 35 << 245 */
+    { { 0x1def185bcbea62e7L,0xe8ac9eaeeaf63059L,0x098a8cfd9921851cL,
+        0xd959c3f13abe2f5bL },
+      { 0xa4f1952520e40ae5L,0x320789e307a24aa1L,0x259e69277392b2bcL,
+        0x58f6c6671918668bL } },
+    /* 36 << 245 */
+    { { 0xce1db2bbc55d2d8bL,0x41d58bb7f4f6ca56L,0x7650b6808f877614L,
+        0x905e16baf4c349edL },
+      { 0xed415140f661acacL,0x3b8784f0cb2270afL,0x3bc280ac8a402cbaL,
+        0xd53f71460937921aL } },
+    /* 37 << 245 */
+    { { 0xc03c8ee5e5681e83L,0x62126105f6ac9e4aL,0x9503a53f936b1a38L,
+        0x3d45e2d4782fecbdL },
+      { 0x69a5c43976e8ae98L,0xb53b2eebbfb4b00eL,0xf167471272386c89L,
+        0x30ca34a24268bce4L } },
+    /* 38 << 245 */
+    { { 0x7f1ed86c78341730L,0x8ef5beb8b525e248L,0xbbc489fdb74fbf38L,
+        0x38a92a0e91a0b382L },
+      { 0x7a77ba3f22433ccfL,0xde8362d6a29f05a9L,0x7f6a30ea61189afcL,
+        0x693b550559ef114fL } },
+    /* 39 << 245 */
+    { { 0x50266bc0cd1797a1L,0xea17b47ef4b7af2dL,0xd6c4025c3df9483eL,
+        0x8cbb9d9fa37b18c9L },
+      { 0x91cbfd9c4d8424cfL,0xdb7048f1ab1c3506L,0x9eaf641f028206a3L,
+        0xf986f3f925bdf6ceL } },
+    /* 40 << 245 */
+    { { 0x262143b5224c08dcL,0x2bbb09b481b50c91L,0xc16ed709aca8c84fL,
+        0xa6210d9db2850ca8L },
+      { 0x6d8df67a09cb54d6L,0x91eef6e0500919a4L,0x90f613810f132857L,
+        0x9acede47f8d5028bL } },
+    /* 41 << 245 */
+    { { 0x844d1b7190b771c3L,0x563b71e4ba6426beL,0x2efa2e83bdb802ffL,
+        0x3410cbabab5b4a41L },
+      { 0x555b2d2630da84ddL,0xd0711ae9ee1cc29aL,0xcf3e8c602f547792L,
+        0x03d7d5dedc678b35L } },
+    /* 42 << 245 */
+    { { 0x071a2fa8ced806b8L,0x222e6134697f1478L,0xdc16fd5dabfcdbbfL,
+        0x44912ebf121b53b8L },
+      { 0xac9436742496c27cL,0x8ea3176c1ffc26b0L,0xb6e224ac13debf2cL,
+        0x524cc235f372a832L } },
+    /* 43 << 245 */
+    { { 0xd706e1d89f6f1b18L,0x2552f00544cce35bL,0x8c8326c2a88e31fcL,
+        0xb5468b2cf9552047L },
+      { 0xce683e883ff90f2bL,0x77947bdf2f0a5423L,0xd0a1b28bed56e328L,
+        0xaee35253c20134acL } },
+    /* 44 << 245 */
+    { { 0x7e98367d3567962fL,0x379ed61f8188bffbL,0x73bba348faf130a1L,
+        0x6c1f75e1904ed734L },
+      { 0x189566423b4a79fcL,0xf20bc83d54ef4493L,0x836d425d9111eca1L,
+        0xe5b5c318009a8dcfL } },
+    /* 45 << 245 */
+    { { 0x3360b25d13221bc5L,0x707baad26b3eeaf7L,0xd7279ed8743a95a1L,
+        0x7450a875969e809fL },
+      { 0x32b6bd53e5d0338fL,0x1e77f7af2b883bbcL,0x90da12cc1063ecd0L,
+        0xe2697b58c315be47L } },
+    /* 46 << 245 */
+    { { 0x2771a5bdda85d534L,0x53e78c1fff980eeaL,0xadf1cf84900385e7L,
+        0x7d3b14f6c9387b62L },
+      { 0x170e74b0cb8f2bd2L,0x2d50b486827fa993L,0xcdbe8c9af6f32babL,
+        0x55e906b0c3b93ab8L } },
+    /* 47 << 245 */
+    { { 0x747f22fc8fe280d1L,0xcd8e0de5b2e114abL,0x5ab7dbebe10b68b0L,
+        0x9dc63a9ca480d4b2L },
+      { 0x78d4bc3b4be1495fL,0x25eb3db89359122dL,0x3f8ac05b0809cbdcL,
+        0xbf4187bbd37c702fL } },
+    /* 48 << 245 */
+    { { 0x84cea0691416a6a5L,0x8f860c7943ef881cL,0x41311f8a38038a5dL,
+        0xe78c2ec0fc612067L },
+      { 0x494d2e815ad73581L,0xb4cc9e0059604097L,0xff558aecf3612cbaL,
+        0x35beef7a9e36c39eL } },
+    /* 49 << 245 */
+    { { 0x1845c7cfdbcf41b9L,0x5703662aaea997c0L,0x8b925afee402f6d8L,
+        0xd0a1b1ae4dd72162L },
+      { 0x9f47b37503c41c4bL,0xa023829b0391d042L,0x5f5045c3503b8b0aL,
+        0x123c268898c010e5L } },
+    /* 50 << 245 */
+    { { 0x324ec0cc36ba06eeL,0xface31153dd2cc0cL,0xb364f3bef333e91fL,
+        0xef8aff7328e832b0L },
+      { 0x1e9bad042d05841bL,0x42f0e3df356a21e2L,0xa3270bcb4add627eL,
+        0xb09a8158d322e711L } },
+    /* 51 << 245 */
+    { { 0x86e326a10fee104aL,0xad7788f83703f65dL,0x7e76543047bc4833L,
+        0x6cee582b2b9b893aL },
+      { 0x9cd2a167e8f55a7bL,0xefbee3c6d9e4190dL,0x33ee7185d40c2e9dL,
+        0x844cc9c5a380b548L } },
+    /* 52 << 245 */
+    { { 0x323f8ecd66926e04L,0x0001e38f8110c1baL,0x8dbcac12fc6a7f07L,
+        0xd65e1d580cec0827L },
+      { 0xd2cd4141be76ca2dL,0x7895cf5ce892f33aL,0x956d230d367139d2L,
+        0xa91abd3ed012c4c1L } },
+    /* 53 << 245 */
+    { { 0x34fa488387eb36bfL,0xc5f07102914b8fb4L,0x90f0e579adb9c95fL,
+        0xfe6ea8cb28888195L },
+      { 0x7b9b5065edfa9284L,0x6c510bd22b8c8d65L,0xd7b8ebefcbe8aafdL,
+        0xedb3af9896b1da07L } },
+    /* 54 << 245 */
+    { { 0x28ff779d6295d426L,0x0c4f6ac73fa3ad7bL,0xec44d0548b8e2604L,
+        0x9b32a66d8b0050e1L },
+      { 0x1f943366f0476ce2L,0x7554d953a602c7b4L,0xbe35aca6524f2809L,
+        0xb6881229fd4edbeaL } },
+    /* 55 << 245 */
+    { { 0xe8cd0c8f508efb63L,0x9eb5b5c86abcefc7L,0xf5621f5fb441ab4fL,
+        0x79e6c046b76a2b22L },
+      { 0x74a4792ce37a1f69L,0xcbd252cb03542b60L,0x785f65d5b3c20bd3L,
+        0x8dea61434fabc60cL } },
+    /* 56 << 245 */
+    { { 0x45e21446de673629L,0x57f7aa1e703c2d21L,0xa0e99b7f98c868c7L,
+        0x4e42f66d8b641676L },
+      { 0x602884dc91077896L,0xa0d690cfc2c9885bL,0xfeb4da333b9a5187L,
+        0x5f789598153c87eeL } },
+    /* 57 << 245 */
+    { { 0x2192dd4752b16dbaL,0xdeefc0e63524c1b1L,0x465ea76ee4383693L,
+        0x79401711361b8d98L },
+      { 0xa5f9ace9f21a15cbL,0x73d26163efee9aebL,0xcca844b3e677016cL,
+        0x6c122b0757eaee06L } },
+    /* 58 << 245 */
+    { { 0xb782dce715f09690L,0x508b9b122dfc0fc9L,0x9015ab4b65d89fc6L,
+        0x5e79dab7d6d5bb0fL },
+      { 0x64f021f06c775aa2L,0xdf09d8cc37c7eca1L,0x9a761367ef2fa506L,
+        0xed4ca4765b81eec6L } },
+    /* 59 << 245 */
+    { { 0x262ede3610bbb8b5L,0x0737ce830641ada3L,0x4c94288ae9831cccL,
+        0x487fc1ce8065e635L },
+      { 0xb13d7ab3b8bb3659L,0xdea5df3e855e4120L,0xb9a1857385eb0244L,
+        0x1a1b8ea3a7cfe0a3L } },
+    /* 60 << 245 */
+    { { 0x3b83711967b0867cL,0x8d5e0d089d364520L,0x52dccc1ed930f0e3L,
+        0xefbbcec7bf20bbafL },
+      { 0x99cffcab0263ad10L,0xd8199e6dfcd18f8aL,0x64e2773fe9f10617L,
+        0x0079e8e108704848L } },
+    /* 61 << 245 */
+    { { 0x1169989f8a342283L,0x8097799ca83012e6L,0xece966cb8a6a9001L,
+        0x93b3afef072ac7fcL },
+      { 0xe6893a2a2db3d5baL,0x263dc46289bf4fdcL,0x8852dfc9e0396673L,
+        0x7ac708953af362b6L } },
+    /* 62 << 245 */
+    { { 0xbb9cce4d5c2f342bL,0xbf80907ab52d7aaeL,0x97f3d3cd2161bcd0L,
+        0xb25b08340962744dL },
+      { 0xc5b18ea56c3a1ddaL,0xfe4ec7eb06c92317L,0xb787b890ad1c4afeL,
+        0xdccd9a920ede801aL } },
+    /* 63 << 245 */
+    { { 0x9ac6dddadb58da1fL,0x22bbc12fb8cae6eeL,0xc6f8bced815c4a43L,
+        0x8105a92cf96480c7L },
+      { 0x0dc3dbf37a859d51L,0xe3ec7ce63041196bL,0xd9f64b250d1067c9L,
+        0xf23213213d1f8dd8L } },
+    /* 64 << 245 */
+    { { 0x8b5c619c76497ee8L,0x5d2b0ac6c717370eL,0x98204cb64fcf68e1L,
+        0x0bdec21162bc6792L },
+      { 0x6973ccefa63b1011L,0xf9e3fa97e0de1ac5L,0x5efb693e3d0e0c8bL,
+        0x037248e9d2d4fcb4L } },
+    /* 0 << 252 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 252 */
+    { { 0x80802dc91ec34f9eL,0xd8772d3533810603L,0x3f06d66c530cb4f3L,
+        0x7be5ed0dc475c129L },
+      { 0xcb9e3c1931e82b10L,0xc63d2857c9ff6b4cL,0xb92118c692a1b45eL,
+        0x0aec44147285bbcaL } },
+    /* 2 << 252 */
+    { { 0xfc189ae71e29a3efL,0xcbe906f04c93302eL,0xd0107914ceaae10eL,
+        0xb7a23f34b68e19f8L },
+      { 0xe9d875c2efd2119dL,0x03198c6efcadc9c8L,0x65591bf64da17113L,
+        0x3cf0bbf83d443038L } },
+    /* 3 << 252 */
+    { { 0xae485bb72b724759L,0x945353e1b2d4c63aL,0x82159d07de7d6f2cL,
+        0x389caef34ec5b109L },
+      { 0x4a8ebb53db65ef14L,0x2dc2cb7edd99de43L,0x816fa3ed83f2405fL,
+        0x73429bb9c14208a3L } },
+    /* 4 << 252 */
+    { { 0xb618d590b01e6e27L,0x047e2ccde180b2dcL,0xd1b299b504aea4a9L,
+        0x412c9e1e9fa403a4L },
+      { 0x88d28a3679407552L,0x49c50136f332b8e3L,0x3a1b6fcce668de19L,
+        0x178851bc75122b97L } },
+    /* 5 << 252 */
+    { { 0xb1e13752fb85fa4cL,0xd61257ce383c8ce9L,0xd43da670d2f74daeL,
+        0xa35aa23fbf846bbbL },
+      { 0x5e74235d4421fc83L,0xf6df8ee0c363473bL,0x34d7f52a3c4aa158L,
+        0x50d05aab9bc6d22eL } },
+    /* 6 << 252 */
+    { { 0x8c56e735a64785f4L,0xbc56637b5f29cd07L,0x53b2bb803ee35067L,
+        0x50235a0fdc919270L },
+      { 0x191ab6d8f2c4aa65L,0xc34758318396023bL,0x80400ba5f0f805baL,
+        0x8881065b5ec0f80fL } },
+    /* 7 << 252 */
+    { { 0xc370e522cc1b5e83L,0xde2d4ad1860b8bfbL,0xad364df067b256dfL,
+        0x8f12502ee0138997L },
+      { 0x503fa0dc7783920aL,0xe80014adc0bc866aL,0x3f89b744d3064ba6L,
+        0x03511dcdcba5dba5L } },
+    /* 8 << 252 */
+    { { 0x197dd46d95a7b1a2L,0x9c4e7ad63c6341fbL,0x426eca29484c2eceL,
+        0x9211e489de7f4f8aL },
+      { 0x14997f6ec78ef1f4L,0x2b2c091006574586L,0x17286a6e1c3eede8L,
+        0x25f92e470f60e018L } },
+    /* 9 << 252 */
+    { { 0x805c564631890a36L,0x703ef60057feea5bL,0x389f747caf3c3030L,
+        0xe0e5daeb54dd3739L },
+      { 0xfe24a4c3c9c9f155L,0x7e4bf176b5393962L,0x37183de2af20bf29L,
+        0x4a1bd7b5f95a8c3bL } },
+    /* 10 << 252 */
+    { { 0xa83b969946191d3dL,0x281fc8dd7b87f257L,0xb18e2c1354107588L,
+        0x6372def79b2bafe8L },
+      { 0xdaf4bb480d8972caL,0x3f2dd4b756167a3fL,0x1eace32d84310cf4L,
+        0xe3bcefafe42700aaL } },
+    /* 11 << 252 */
+    { { 0x5fe5691ed785e73dL,0xa5db5ab62ea60467L,0x02e23d41dfc6514aL,
+        0x35e8048ee03c3665L },
+      { 0x3f8b118f1adaa0f8L,0x28ec3b4584ce1a5aL,0xe8cacc6e2c6646b8L,
+        0x1343d185dbd0e40fL } },
+    /* 12 << 252 */
+    { { 0xe5d7f844caaa358cL,0x1a1db7e49924182aL,0xd64cd42d9c875d9aL,
+        0xb37b515f042eeec8L },
+      { 0x4d4dd4097b165fbeL,0xfc322ed9e206eff3L,0x7dee410259b7e17eL,
+        0x55a481c08236ca00L } },
+    /* 13 << 252 */
+    { { 0x8c885312c23fc975L,0x1571580605d6297bL,0xa078868ef78edd39L,
+        0x956b31e003c45e52L },
+      { 0x470275d5ff7b33a6L,0xc8d5dc3a0c7e673fL,0x419227b47e2f2598L,
+        0x8b37b6344c14a975L } },
+    /* 14 << 252 */
+    { { 0xd0667ed68b11888cL,0x5e0e8c3e803e25dcL,0x34e5d0dcb987a24aL,
+        0x9f40ac3bae920323L },
+      { 0x5463de9534e0f63aL,0xa128bf926b6328f9L,0x491ccd7cda64f1b7L,
+        0x7ef1ec27c47bde35L } },
+    /* 15 << 252 */
+    { { 0xa857240fa36a2737L,0x35dc136663621bc1L,0x7a3a6453d4fb6897L,
+        0x80f1a439c929319dL },
+      { 0xfc18274bf8cb0ba0L,0xb0b537668078c5ebL,0xfb0d49241e01d0efL,
+        0x50d7c67d372ab09cL } },
+    /* 16 << 252 */
+    { { 0xb4e370af3aeac968L,0xe4f7fee9c4b63266L,0xb4acd4c2e3ac5664L,
+        0xf8910bd2ceb38cbfL },
+      { 0x1c3ae50cc9c0726eL,0x15309569d97b40bfL,0x70884b7ffd5a5a1bL,
+        0x3890896aef8314cdL } },
+    /* 17 << 252 */
+    { { 0x58e1515ca5618c93L,0xe665432b77d942d1L,0xb32181bfb6f767a8L,
+        0x753794e83a604110L },
+      { 0x09afeb7ce8c0dbccL,0x31e02613598673a3L,0x5d98e5577d46db00L,
+        0xfc21fb8c9d985b28L } },
+    /* 18 << 252 */
+    { { 0xc9040116b0843e0bL,0x53b1b3a869b04531L,0xdd1649f085d7d830L,
+        0xbb3bcc87cb7427e8L },
+      { 0x77261100c93dce83L,0x7e79da61a1922a2aL,0x587a2b02f3149ce8L,
+        0x147e1384de92ec83L } },
+    /* 19 << 252 */
+    { { 0x484c83d3af077f30L,0xea78f8440658b53aL,0x912076c2027aec53L,
+        0xf34714e393c8177dL },
+      { 0x37ef5d15c2376c84L,0x8315b6593d1aa783L,0x3a75c484ef852a90L,
+        0x0ba0c58a16086bd4L } },
+    /* 20 << 252 */
+    { { 0x29688d7a529a6d48L,0x9c7f250dc2f19203L,0x123042fb682e2df9L,
+        0x2b7587e7ad8121bcL },
+      { 0x30fc0233e0182a65L,0xb82ecf87e3e1128aL,0x7168286193fb098fL,
+        0x043e21ae85e9e6a7L } },
+    /* 21 << 252 */
+    { { 0xab5b49d666c834eaL,0x3be43e1847414287L,0xf40fb859219a2a47L,
+        0x0e6559e9cc58df3cL },
+      { 0xfe1dfe8e0c6615b4L,0x14abc8fd56459d70L,0x7be0fa8e05de0386L,
+        0x8e63ef68e9035c7cL } },
+    /* 22 << 252 */
+    { { 0x116401b453b31e91L,0x0cba7ad44436b4d8L,0x9151f9a0107afd66L,
+        0xafaca8d01f0ee4c4L },
+      { 0x75fe5c1d9ee9761cL,0x3497a16bf0c0588fL,0x3ee2bebd0304804cL,
+        0xa8fb9a60c2c990b9L } },
+    /* 23 << 252 */
+    { { 0xd14d32fe39251114L,0x36bf25bccac73366L,0xc9562c66dba7495cL,
+        0x324d301b46ad348bL },
+      { 0x9f46620cd670407eL,0x0ea8d4f1e3733a01L,0xd396d532b0c324e0L,
+        0x5b211a0e03c317cdL } },
+    /* 24 << 252 */
+    { { 0x090d7d205ffe7b37L,0x3b7f3efb1747d2daL,0xa2cb525fb54fc519L,
+        0x6e220932f66a971eL },
+      { 0xddc160dfb486d440L,0x7fcfec463fe13465L,0x83da7e4e76e4c151L,
+        0xd6fa48a1d8d302b5L } },
+    /* 25 << 252 */
+    { { 0xc6304f265872cd88L,0x806c1d3c278b90a1L,0x3553e725caf0bc1cL,
+        0xff59e603bb9d8d5cL },
+      { 0xa4550f327a0b85ddL,0xdec5720a93ecc217L,0x0b88b74169d62213L,
+        0x7212f2455b365955L } },
+    /* 26 << 252 */
+    { { 0x20764111b5cae787L,0x13cb7f581dfd3124L,0x2dca77da1175aefbL,
+        0xeb75466bffaae775L },
+      { 0x74d76f3bdb6cff32L,0x7440f37a61fcda9aL,0x1bb3ac92b525028bL,
+        0x20fbf8f7a1975f29L } },
+    /* 27 << 252 */
+    { { 0x982692e1df83097fL,0x28738f6c554b0800L,0xdc703717a2ce2f2fL,
+        0x7913b93c40814194L },
+      { 0x049245931fe89636L,0x7b98443ff78834a6L,0x11c6ab015114a5a1L,
+        0x60deb383ffba5f4cL } },
+    /* 28 << 252 */
+    { { 0x4caa54c601a982e6L,0x1dd35e113491cd26L,0x973c315f7cbd6b05L,
+        0xcab0077552494724L },
+      { 0x04659b1f6565e15aL,0xbf30f5298c8fb026L,0xfc21641ba8a0de37L,
+        0xe9c7a366fa5e5114L } },
+    /* 29 << 252 */
+    { { 0xdb849ca552f03ad8L,0xc7e8dbe9024e35c0L,0xa1a2bbaccfc3c789L,
+        0xbf733e7d9c26f262L },
+      { 0x882ffbf5b8444823L,0xb7224e886bf8483bL,0x53023b8b65bef640L,
+        0xaabfec91d4d5f8cdL } },
+    /* 30 << 252 */
+    { { 0xa40e1510079ea1bdL,0x1ad9addcd05d5d26L,0xdb3f2eab13e68d4fL,
+        0x1cff1ae2640f803fL },
+      { 0xe0e7b749d4cee117L,0x8e9f275b4036d909L,0xce34e31d8f4d4c38L,
+        0x22b37f69d75130fcL } },
+    /* 31 << 252 */
+    { { 0x83e0f1fdb4014604L,0xa8ce991989415078L,0x82375b7541792efeL,
+        0x4f59bf5c97d4515bL },
+      { 0xac4f324f923a277dL,0xd9bc9b7d650f3406L,0xc6fa87d18a39bc51L,
+        0x825885305ccc108fL } },
+    /* 32 << 252 */
+    { { 0x5ced3c9f82e4c634L,0x8efb83143a4464f8L,0xe706381b7a1dca25L,
+        0x6cd15a3c5a2a412bL },
+      { 0x9347a8fdbfcd8fb5L,0x31db2eef6e54cd22L,0xc4aeb11ef8d8932fL,
+        0x11e7c1ed344411afL } },
+    /* 33 << 252 */
+    { { 0x2653050cdc9a151eL,0x9edbfc083bb0a859L,0x926c81c7fd5691e7L,
+        0x9c1b23426f39019aL },
+      { 0x64a81c8b7f8474b9L,0x90657c0701761819L,0x390b333155e0375aL,
+        0xc676c626b6ebc47dL } },
+    /* 34 << 252 */
+    { { 0x51623247b7d6dee8L,0x0948d92779659313L,0x99700161e9ab35edL,
+        0x06cc32b48ddde408L },
+      { 0x6f2fd664061ef338L,0x1606fa02c202e9edL,0x55388bc1929ba99bL,
+        0xc4428c5e1e81df69L } },
+    /* 35 << 252 */
+    { { 0xce2028aef91b0b2aL,0xce870a23f03dfd3fL,0x66ec2c870affe8edL,
+        0xb205fb46284d0c00L },
+      { 0xbf5dffe744cefa48L,0xb6fc37a8a19876d7L,0xbecfa84c08b72863L,
+        0xd7205ff52576374fL } },
+    /* 36 << 252 */
+    { { 0x80330d328887de41L,0x5de0df0c869ea534L,0x13f427533c56ea17L,
+        0xeb1f6069452b1a78L },
+      { 0x50474396e30ea15cL,0x575816a1c1494125L,0xbe1ce55bfe6bb38fL,
+        0xb901a94896ae30f7L } },
+    /* 37 << 252 */
+    { { 0xe5af0f08d8fc3548L,0x5010b5d0d73bfd08L,0x993d288053fe655aL,
+        0x99f2630b1c1309fdL },
+      { 0xd8677bafb4e3b76fL,0x14e51ddcb840784bL,0x326c750cbf0092ceL,
+        0xc83d306bf528320fL } },
+    /* 38 << 252 */
+    { { 0xc445671577d4715cL,0xd30019f96b703235L,0x207ccb2ed669e986L,
+        0x57c824aff6dbfc28L },
+      { 0xf0eb532fd8f92a23L,0x4a557fd49bb98fd2L,0xa57acea7c1e6199aL,
+        0x0c6638208b94b1edL } },
+    /* 39 << 252 */
+    { { 0x9b42be8ff83a9266L,0xc7741c970101bd45L,0x95770c1107bd9cebL,
+        0x1f50250a8b2e0744L },
+      { 0xf762eec81477b654L,0xc65b900e15efe59aL,0x88c961489546a897L,
+        0x7e8025b3c30b4d7cL } },
+    /* 40 << 252 */
+    { { 0xae4065ef12045cf9L,0x6fcb2caf9ccce8bdL,0x1fa0ba4ef2cf6525L,
+        0xf683125dcb72c312L },
+      { 0xa01da4eae312410eL,0x67e286776cd8e830L,0xabd9575298fb3f07L,
+        0x05f11e11eef649a5L } },
+    /* 41 << 252 */
+    { { 0xba47faef9d3472c2L,0x3adff697c77d1345L,0x4761fa04dd15afeeL,
+        0x64f1f61ab9e69462L },
+      { 0xfa691fab9bfb9093L,0x3df8ae8fa1133dfeL,0xcd5f896758cc710dL,
+        0xfbb88d5016c7fe79L } },
+    /* 42 << 252 */
+    { { 0x8e011b4ce88c50d1L,0x7532e807a8771c4fL,0x64c78a48e2278ee4L,
+        0x0b283e833845072aL },
+      { 0x98a6f29149e69274L,0xb96e96681868b21cL,0x38f0adc2b1a8908eL,
+        0x90afcff71feb829dL } },
+    /* 43 << 252 */
+    { { 0x9915a383210b0856L,0xa5a80602def04889L,0x800e9af97c64d509L,
+        0x81382d0bb8996f6fL },
+      { 0x490eba5381927e27L,0x46c63b324af50182L,0x784c5fd9d3ad62ceL,
+        0xe4fa1870f8ae8736L } },
+    /* 44 << 252 */
+    { { 0x4ec9d0bcd7466b25L,0x84ddbe1adb235c65L,0x5e2645ee163c1688L,
+        0x570bd00e00eba747L },
+      { 0xfa51b629128bfa0fL,0x92fce1bd6c1d3b68L,0x3e7361dcb66778b1L,
+        0x9c7d249d5561d2bbL } },
+    /* 45 << 252 */
+    { { 0xa40b28bf0bbc6229L,0x1c83c05edfd91497L,0x5f9f5154f083df05L,
+        0xbac38b3ceee66c9dL },
+      { 0xf71db7e3ec0dfcfdL,0xf2ecda8e8b0a8416L,0x52fddd867812aa66L,
+        0x2896ef104e6f4272L } },
+    /* 46 << 252 */
+    { { 0xff27186a0fe9a745L,0x08249fcd49ca70dbL,0x7425a2e6441cac49L,
+        0xf4a0885aece5ff57L },
+      { 0x6e2cb7317d7ead58L,0xf96cf7d61898d104L,0xafe67c9d4f2c9a89L,
+        0x89895a501c7bf5bcL } },
+    /* 47 << 252 */
+    { { 0xdc7cb8e5573cecfaL,0x66497eaed15f03e6L,0x6bc0de693f084420L,
+        0x323b9b36acd532b0L },
+      { 0xcfed390a0115a3c1L,0x9414c40b2d65ca0eL,0x641406bd2f530c78L,
+        0x29369a44833438f2L } },
+    /* 48 << 252 */
+    { { 0x996884f5903fa271L,0xe6da0fd2b9da921eL,0xa6f2f2695db01e54L,
+        0x1ee3e9bd6876214eL },
+      { 0xa26e181ce27a9497L,0x36d254e48e215e04L,0x42f32a6c252cabcaL,
+        0x9948148780b57614L } },
+    /* 49 << 252 */
+    { { 0x4c4dfe6940d9cae1L,0x0586958011a10f09L,0xca287b573491b64bL,
+        0x77862d5d3fd4a53bL },
+      { 0xbf94856e50349126L,0x2be30bd171c5268fL,0x10393f19cbb650a6L,
+        0x639531fe778cf9fdL } },
+    /* 50 << 252 */
+    { { 0x02556a11b2935359L,0xda38aa96af8c126eL,0x47dbe6c20960167fL,
+        0x37bbabb6501901cdL },
+      { 0xb6e979e02c947778L,0xd69a51757a1a1dc6L,0xc3ed50959d9faf0cL,
+        0x4dd9c0961d5fa5f0L } },
+    /* 51 << 252 */
+    { { 0xa0c4304d64f16ea8L,0x8b1cac167e718623L,0x0b5765467c67f03eL,
+        0x559cf5adcbd88c01L },
+      { 0x074877bb0e2af19aL,0x1f717ec1a1228c92L,0x70bcb800326e8920L,
+        0xec6e2c5c4f312804L } },
+    /* 52 << 252 */
+    { { 0x426aea7d3fca4752L,0xf12c09492211f62aL,0x24beecd87be7b6b5L,
+        0xb77eaf4c36d7a27dL },
+      { 0x154c2781fda78fd3L,0x848a83b0264eeabeL,0x81287ef04ffe2bc4L,
+        0x7b6d88c6b6b6fc2aL } },
+    /* 53 << 252 */
+    { { 0x805fb947ce417d99L,0x4b93dcc38b916cc4L,0x72e65bb321273323L,
+        0xbcc1badd6ea9886eL },
+      { 0x0e2230114bc5ee85L,0xa561be74c18ee1e4L,0x762fd2d4a6bcf1f1L,
+        0x50e6a5a495231489L } },
+    /* 54 << 252 */
+    { { 0xca96001fa00b500bL,0x5c098cfc5d7dcdf5L,0xa64e2d2e8c446a85L,
+        0xbae9bcf1971f3c62L },
+      { 0x4ec226838435a2c5L,0x8ceaed6c4bad4643L,0xe9f8fb47ccccf4e3L,
+        0xbd4f3fa41ce3b21eL } },
+    /* 55 << 252 */
+    { { 0xd79fb110a3db3292L,0xe28a37dab536c66aL,0x279ce87b8e49e6a9L,
+        0x70ccfe8dfdcec8e3L },
+      { 0x2193e4e03ba464b2L,0x0f39d60eaca9a398L,0x7d7932aff82c12abL,
+        0xd8ff50ed91e7e0f7L } },
+    /* 56 << 252 */
+    { { 0xea961058fa28a7e0L,0xc726cf250bf5ec74L,0xe74d55c8db229666L,
+        0x0bd9abbfa57f5799L },
+      { 0x7479ef074dfc47b3L,0xd9c65fc30c52f91dL,0x8e0283fe36a8bde2L,
+        0xa32a8b5e7d4b7280L } },
+    /* 57 << 252 */
+    { { 0x6a677c6112e83233L,0x0fbb3512dcc9bf28L,0x562e8ea50d780f61L,
+        0x0db8b22b1dc4e89cL },
+      { 0x0a6fd1fb89be0144L,0x8c77d246ca57113bL,0x4639075dff09c91cL,
+        0x5b47b17f5060824cL } },
+    /* 58 << 252 */
+    { { 0x58aea2b016287b52L,0xa1343520d0cd8eb0L,0x6148b4d0c5d58573L,
+        0xdd2b6170291c68aeL },
+      { 0xa61b39291da3b3b7L,0x5f946d7908c4ac10L,0x4105d4a57217d583L,
+        0x5061da3d25e6de5eL } },
+    /* 59 << 252 */
+    { { 0x3113940dec1b4991L,0xf12195e136f485aeL,0xa7507fb2731a2ee0L,
+        0x95057a8e6e9e196eL },
+      { 0xa3c2c9112e130136L,0x97dfbb3633c60d15L,0xcaf3c581b300ee2bL,
+        0x77f25d90f4bac8b8L } },
+    /* 60 << 252 */
+    { { 0xdb1c4f986d840cd6L,0x471d62c0e634288cL,0x8ec2f85ecec8a161L,
+        0x41f37cbcfa6f4ae2L },
+      { 0x6793a20f4b709985L,0x7a7bd33befa8985bL,0x2c6a3fbd938e6446L,
+        0x190426192a8d47c1L } },
+    /* 61 << 252 */
+    { { 0x16848667cc36975fL,0x02acf1689d5f1dfbL,0x62d41ad4613baa94L,
+        0xb56fbb929f684670L },
+      { 0xce610d0de9e40569L,0x7b99c65f35489fefL,0x0c88ad1b3df18b97L,
+        0x81b7d9be5d0e9edbL } },
+    /* 62 << 252 */
+    { { 0xd85218c0c716cc0aL,0xf4b5ff9085691c49L,0xa4fd666bce356ac6L,
+        0x17c728954b327a7aL },
+      { 0xf93d5085da6be7deL,0xff71530e3301d34eL,0x4cd96442d8f448e8L,
+        0x9283d3312ed18ffaL } },
+    /* 63 << 252 */
+    { { 0x4d33dd992a849870L,0xa716964b41576335L,0xff5e3a9b179be0e5L,
+        0x5b9d6b1b83b13632L },
+      { 0x3b8bd7d4a52f313bL,0xc9dd95a0637a4660L,0x300359620b3e218fL,
+        0xce1481a3c7b28a3cL } },
+    /* 64 << 252 */
+    { { 0xab41b43a43228d83L,0x24ae1c304ad63f99L,0x8e525f1a46a51229L,
+        0x14af860fcd26d2b4L },
+      { 0xd6baef613f714aa1L,0xf51865adeb78795eL,0xd3e21fcee6a9d694L,
+        0x82ceb1dd8a37b527L } },
+};
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_add_only_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit tmpd[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[37];
+    int err;
+
+    (void)g;
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    tmp = tmpd;
+#endif
+    negy = tmp;
+
+    if (err == MP_OKAY) {
+        sp_256_ecc_recode_7_4(k, v);
+
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        i = 36;
+        XMEMCPY(rt->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+        XMEMCPY(rt->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+        rt->infinity = !v[i].i;
+        for (--i; i>=0; i--) {
+            XMEMCPY(p->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+            XMEMCPY(p->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+            p->infinity = !v[i].i;
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, 0 - v[i].neg);
+            sp_256_proj_point_add_qz1_4(rt, rt, p, tmp);
+        }
+        if (map != 0) {
+            sp_256_map_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 4 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(sp_digit) * 2 * 4 * 5);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return MP_OKAY;
+}
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_add_only_4(r, NULL, p256_table,
+                                      k, map, heap);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, km);
+
+            err = sp_256_ecc_mulmod_base_4(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_4(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+static void sp_256_add_one_4(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x1, x2, [%[a], 0]\n\t"
+        "adds	x1, x1, #1\n\t"
+        "ldr	x3, [%[a], 16]\n\t"
+        "adcs	x2, x2, xzr\n\t"
+        "ldr	x4, [%[a], 24]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "stp	x1, x2, [%[a], 0]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "stp	x3, x4, [%[a], 16]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "x1", "x2", "x3", "x4"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j;
+    byte* d;
+
+    for (i = n - 1,j = 0; i >= 7; i -= 8) {
+        r[j]  = ((sp_digit)a[i - 0] <<  0) |
+                ((sp_digit)a[i - 1] <<  8) |
+                ((sp_digit)a[i - 2] << 16) |
+                ((sp_digit)a[i - 3] << 24) |
+                ((sp_digit)a[i - 4] << 32) |
+                ((sp_digit)a[i - 5] << 40) |
+                ((sp_digit)a[i - 6] << 48) |
+                ((sp_digit)a[i - 7] << 56);
+        j++;
+    }
+
+    if (i >= 0) {
+        r[j] = 0;
+
+        d = (byte*)r;
+        switch (i) {
+            case 6: d[n - 1 - 6] = a[6]; //fallthrough
+            case 5: d[n - 1 - 5] = a[5]; //fallthrough
+            case 4: d[n - 1 - 4] = a[4]; //fallthrough
+            case 3: d[n - 1 - 3] = a[3]; //fallthrough
+            case 2: d[n - 1 - 2] = a[2]; //fallthrough
+            case 1: d[n - 1 - 1] = a[1]; //fallthrough
+            case 0: d[n - 1 - 0] = a[0]; //fallthrough
+        }
+        j++;
+    }
+
+    for (; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_4(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 4, buf, (int)sizeof(buf));
+            if (sp_256_cmp_4(k, p256_order2) < 0) {
+                sp_256_add_one_4(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_4(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_4(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_4(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_4(point->x) == 0) || (sp_256_iszero_4(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_4(infinity, 1, heap);
+#endif
+    sp_256_point_free_4(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j;
+
+    for (i = 3, j = 0; i >= 0; i--) {
+        a[j++] = r[i] >> 56;
+        a[j++] = r[i] >> 48;
+        a[j++] = r[i] >> 40;
+        a[j++] = r[i] >> 32;
+        a[j++] = r[i] >> 24;
+        a[j++] = r[i] >> 16;
+        a[j++] = r[i] >> 8;
+        a[j++] = r[i] >> 0;
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, priv);
+        sp_256_point_from_ecc_point_4(point, pub);
+            err = sp_256_ecc_mulmod_4(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_add_4(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_256_mul_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[8];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 24\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 32\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 48\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_256_mul_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[4];
+
+    __asm__ __volatile__ (
+        "ldp       x16, x17, [%[a], 0]\n\t"
+        "ldp       x21, x22, [%[b], 0]\n\t"
+        "#  A[0] * B[0]\n\t"
+        "mul       x8, x16, x21\n\t"
+        "ldr       x19, [%[a], 16]\n\t"
+        "umulh     x9, x16, x21\n\t"
+        "ldr       x23, [%[b], 16]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "mul       x4, x16, x22\n\t"
+        "ldr       x20, [%[a], 24]\n\t"
+        "umulh     x5, x16, x22\n\t"
+        "ldr       x24, [%[b], 24]\n\t"
+        "adds  x9, x9, x4\n\t"
+        "#  A[1] * B[0]\n\t"
+        "mul       x4, x17, x21\n\t"
+        "adc   x10, xzr, x5\n\t"
+        "umulh     x5, x17, x21\n\t"
+        "adds  x9, x9, x4\n\t"
+        "#  A[0] * B[2]\n\t"
+        "mul       x4, x16, x23\n\t"
+        "adcs   x10, x10, x5\n\t"
+        "umulh     x5, x16, x23\n\t"
+        "adc     x11, xzr, xzr\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[1] * B[1]\n\t"
+        "mul       x4, x17, x22\n\t"
+        "adc   x11, x11, x5\n\t"
+        "umulh     x5, x17, x22\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[2] * B[0]\n\t"
+        "mul       x4, x19, x21\n\t"
+        "adcs   x11, x11, x5\n\t"
+        "umulh     x5, x19, x21\n\t"
+        "adc     x12, xzr, xzr\n\t"
+        "adds  x10, x10, x4\n\t"
+        "#  A[0] * B[3]\n\t"
+        "mul       x4, x16, x24\n\t"
+        "adcs   x11, x11, x5\n\t"
+        "umulh     x5, x16, x24\n\t"
+        "adc     x12, x12, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[1] * B[2]\n\t"
+        "mul       x4, x17, x23\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x17, x23\n\t"
+        "adc     x13, xzr, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[2] * B[1]\n\t"
+        "mul       x4, x19, x22\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x19, x22\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[3] * B[0]\n\t"
+        "mul       x4, x20, x21\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x20, x21\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x11, x11, x4\n\t"
+        "#  A[1] * B[3]\n\t"
+        "mul       x4, x17, x24\n\t"
+        "adcs   x12, x12, x5\n\t"
+        "umulh     x5, x17, x24\n\t"
+        "adc     x13, x13, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[2] * B[2]\n\t"
+        "mul       x4, x19, x23\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x19, x23\n\t"
+        "adc     x14, xzr, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[3] * B[1]\n\t"
+        "mul       x4, x20, x22\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x20, x22\n\t"
+        "adc     x14, x14, xzr\n\t"
+        "adds  x12, x12, x4\n\t"
+        "#  A[2] * B[3]\n\t"
+        "mul       x4, x19, x24\n\t"
+        "adcs   x13, x13, x5\n\t"
+        "umulh     x5, x19, x24\n\t"
+        "adc     x14, x14, xzr\n\t"
+        "adds  x13, x13, x4\n\t"
+        "#  A[3] * B[2]\n\t"
+        "mul       x4, x20, x23\n\t"
+        "adcs   x14, x14, x5\n\t"
+        "umulh     x5, x20, x23\n\t"
+        "adc     x15, xzr, xzr\n\t"
+        "adds  x13, x13, x4\n\t"
+        "#  A[3] * B[3]\n\t"
+        "mul       x4, x20, x24\n\t"
+        "adcs   x14, x14, x5\n\t"
+        "umulh     x5, x20, x24\n\t"
+        "adc     x15, x15, xzr\n\t"
+        "adds  x14, x14, x4\n\t"
+        "adc   x15, x15, x5\n\t"
+        "stp	x8, x9, [%[r], 0]\n\t"
+        "stp	x10, x11, [%[r], 16]\n\t"
+        "stp	x12, x13, [%[r], 32]\n\t"
+        "stp	x14, x15, [%[r], 48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "x4", "x5", "x6", "x7", "x16", "x17", "x19", "x20", "x21", "x22", "x23", "x24", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_256_sub_in_place_4(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_256_mul_d_4(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "umulh	x7, %[b], x2\n\t"
+        "mul	x2, %[b], x2\n\t"
+        "# A[1] * B\n\t"
+        "mul	x8, %[b], x3\n\t"
+        "umulh	x9, %[b], x3\n\t"
+        "adds	x3, x7, x8\n\t"
+        "# A[2] * B\n\t"
+        "mul	x8, %[b], x4\n\t"
+        "adc	x7, xzr, x9\n\t"
+        "umulh	x9, %[b], x4\n\t"
+        "adds	x4, x7, x8\n\t"
+        "# A[3] * B\n\t"
+        "mul	x8, %[b], x5\n\t"
+        "adc	x7, xzr, x9\n\t"
+        "umulh	x9, %[b], x5\n\t"
+        "adds	x5, x7, x8\n\t"
+        "str	x2, [%[r]]\n\t"
+        "adc	x6, xzr, x9\n\t"
+        "stp	x3, x4, [%[r], 8]\n\t"
+        "stp	x5, x6, [%[r], 24]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_256_word_4(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_256_mask_4(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<4; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_div_4(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[8], t2[5];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[3];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 4);
+    for (i=3; i>=0; i--) {
+        r1 = div_256_word_4(t1[4 + i], t1[4 + i - 1], div);
+
+        sp_256_mul_d_4(t2, d, r1);
+        t1[4 + i] += sp_256_sub_in_place_4(&t1[i], t2);
+        t1[4 + i] -= t2[4];
+        sp_256_mask_4(t2, d, t1[4 + i]);
+        t1[4 + i] += sp_256_add_4(&t1[i], &t1[i], t2);
+        sp_256_mask_4(t2, d, t1[4 + i]);
+        t1[4 + i] += sp_256_add_4(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_256_cmp_4(t1, d) >= 0;
+    sp_256_cond_sub_4(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_mod_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_4(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_256_sqr_4(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp       x16, x17, [%[a], 0]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "mul	x9, x16, x17\n\t"
+        "ldr       x19, [%[a], 16]\n\t"
+        "umulh	x10, x16, x17\n\t"
+        "ldr       x20, [%[a], 24]\n\t"
+        "#  A[0] * A[2]\n\t"
+        "mul	x4, x16, x19\n\t"
+        "umulh	x5, x16, x19\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[0] * A[3]\n\t"
+        "mul	x4, x16, x20\n\t"
+        "adc	x11, xzr, x5\n\t"
+        "umulh	x5, x16, x20\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[1] * A[2]\n\t"
+        "mul	x4, x17, x19\n\t"
+        "adc	x12, xzr, x5\n\t"
+        "umulh	x5, x17, x19\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[1] * A[3]\n\t"
+        "mul	x4, x17, x20\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x17, x20\n\t"
+        "adc	x13, xzr, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[2] * A[3]\n\t"
+        "mul	x4, x19, x20\n\t"
+        "adc	x13, x13, x5\n\t"
+        "umulh	x5, x19, x20\n\t"
+        "adds	x13, x13, x4\n\t"
+        "adc	x14, xzr, x5\n\t"
+        "# Double\n\t"
+        "adds	x9, x9, x9\n\t"
+        "adcs	x10, x10, x10\n\t"
+        "adcs	x11, x11, x11\n\t"
+        "adcs	x12, x12, x12\n\t"
+        "adcs	x13, x13, x13\n\t"
+        "#  A[0] * A[0]\n\t"
+        "mul	x8, x16, x16\n\t"
+        "adcs	x14, x14, x14\n\t"
+        "umulh	x3, x16, x16\n\t"
+        "cset	x15, cs\n\t"
+        "#  A[1] * A[1]\n\t"
+        "mul	x4, x17, x17\n\t"
+        "adds	x9, x9, x3\n\t"
+        "umulh	x5, x17, x17\n\t"
+        "adcs	x10, x10, x4\n\t"
+        "#  A[2] * A[2]\n\t"
+        "mul	x6, x19, x19\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x7, x19, x19\n\t"
+        "adcs	x12, x12, x6\n\t"
+        "#  A[3] * A[3]\n\t"
+        "mul	x16, x20, x20\n\t"
+        "adcs	x13, x13, x7\n\t"
+        "umulh	x17, x20, x20\n\t"
+        "adcs	x14, x14, x16\n\t"
+        "adc	x15, x15, x17\n\t"
+        "stp	x8, x9, [%[r], 0]\n\t"
+        "stp	x10, x11, [%[r], 16]\n\t"
+        "stp	x12, x13, [%[r], 32]\n\t"
+        "stp	x14, x15, [%[r], 48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20"
+    );
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint64_t p256_order_minus_2[4] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
+    0xffffffff00000000U
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint64_t p256_order_low[2] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_4(r, a, b);
+    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_4(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_4(r, a);
+    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_4(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_4(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_4(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_4(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_4(t, t);
+        if ((p256_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_4(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_4(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_4(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_4(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_4(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_4(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_4(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_4(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_4(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_4(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_4(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_4(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*4];
+    sp_digit xd[2*4];
+    sp_digit kd[2*4];
+    sp_digit rd[2*4];
+    sp_digit td[3 * 2*4];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 4;
+        x = d + 2 * 4;
+        k = d + 4 * 4;
+        r = d + 6 * 4;
+        tmp = d + 8 * 4;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 4, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 4, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_4(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 4, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_4(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 4U);
+            sp_256_norm_4(r);
+            c = sp_256_cmp_4(r, p256_order);
+            sp_256_cond_sub_4(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_4(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_4(k, k, p256_norm_order);
+            err = sp_256_mod_4(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_4(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_4(kInv, k, tmp);
+            sp_256_norm_4(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_4(x, x, r);
+            err = sp_256_mod_4(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_4(x);
+            carry = sp_256_add_4(s, e, x);
+            sp_256_cond_sub_4(s, s, p256_order, 0 - carry);
+            sp_256_norm_4(s);
+            c = sp_256_cmp_4(s, p256_order);
+            sp_256_cond_sub_4(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_4(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_4(s, s, kInv);
+            sp_256_norm_4(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_4(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 4);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 4U);
+#endif
+    sp_256_point_free_4(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*4];
+    sp_digit u2d[2*4];
+    sp_digit sd[2*4];
+    sp_digit tmpd[2*4 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+
+    err = sp_256_point_new_4(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 4;
+        u2  = d + 2 * 4;
+        s   = d + 4 * 4;
+        tmp = d + 6 * 4;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 4, hash, (int)hashLen);
+        sp_256_from_mp(u2, 4, r);
+        sp_256_from_mp(s, 4, sm);
+        sp_256_from_mp(p2->x, 4, pX);
+        sp_256_from_mp(p2->y, 4, pY);
+        sp_256_from_mp(p2->z, 4, pZ);
+
+        {
+            sp_256_mul_4(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_4(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_4(s);
+        {
+            sp_256_mont_inv_order_4(s, s, tmp);
+            sp_256_mont_mul_order_4(u1, u1, s);
+            sp_256_mont_mul_order_4(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_4(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_4(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_4(p1, p1, p2, tmp);
+            if (sp_256_iszero_4(p1->z)) {
+                if (sp_256_iszero_4(p1->x) && sp_256_iszero_4(p1->y)) {
+                    sp_256_proj_point_dbl_4(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 4, r);
+        err = sp_256_mod_mul_norm_4(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_4(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_4(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 4, r);
+            carry = sp_256_add_4(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_4(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_4(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_4(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_4(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_4(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_4(p1, 0, heap);
+    sp_256_point_free_4(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_4(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*4];
+    sp_digit t2d[2*4];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 4;
+        t2 = d + 2 * 4;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_4(t1, point->y);
+        (void)sp_256_mod_4(t1, t1, p256_mod);
+        sp_256_sqr_4(t2, point->x);
+        (void)sp_256_mod_4(t2, t2, p256_mod);
+        sp_256_mul_4(t2, t2, point->x);
+        (void)sp_256_mod_4(t2, t2, p256_mod);
+        (void)sp_256_sub_4(t2, p256_mod, t2);
+        sp_256_mont_add_4(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_4(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_4(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 4, pX);
+        sp_256_from_mp(pub->y, 4, pY);
+        sp_256_from_bin(pub->z, 4, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_4(pub, NULL);
+    }
+
+    sp_256_point_free_4(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[4];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_4(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 4, pX);
+        sp_256_from_mp(pub->y, 4, pY);
+        sp_256_from_bin(pub->z, 4, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 4, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_4(pub->x) != 0) &&
+            (sp_256_iszero_4(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_4(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_4(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_4(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_4(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_4(p->x) == 0) ||
+            (sp_256_iszero_4(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_4(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_4(p->x, pub->x) != 0 ||
+            sp_256_cmp_4(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_4(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+        sp_256_from_mp(q->x, 4, qX);
+        sp_256_from_mp(q->y, 4, qY);
+        sp_256_from_mp(q->z, 4, qZ);
+
+            sp_256_proj_point_add_4(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(q, 0, NULL);
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_4(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+
+            sp_256_proj_point_dbl_4(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_4(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+
+        sp_256_map_4(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_4(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 4];
+    sp_digit t2d[2 * 4];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 4;
+        t2 = d + 2 * 4;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_4(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_4(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_4(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_4(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_4(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_4(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_4(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_4(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_4(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_4(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 4];
+    sp_digit yd[2 * 4];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 4;
+        y = d + 2 * 4;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 4, xm);
+        err = sp_256_mod_mul_norm_4(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_4(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_4(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_4(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_4(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_4(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 4, 0, 4U * sizeof(sp_digit));
+        sp_256_mont_reduce_4(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_4(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 6];
+    sp_digit y[2 * 6];
+    sp_digit z[2 * 6];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[6] = {
+    0x00000000ffffffffL,0xffffffff00000000L,0xfffffffffffffffeL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[6] = {
+    0xffffffff00000001L,0x00000000ffffffffL,0x0000000000000001L,
+    0x0000000000000000L,0x0000000000000000L,0x0000000000000000L
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x0000000100000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[6] = {
+    0xecec196accc52973L,0x581a0db248b0a77aL,0xc7634d81f4372ddfL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[6] = {
+    0xecec196accc52971L,0x581a0db248b0a77aL,0xc7634d81f4372ddfL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[6] = {
+    0x1313e695333ad68dL,0xa7e5f24db74f5885L,0x389cb27e0bc8d220L,
+    0x0000000000000000L,0x0000000000000000L,0x0000000000000000L
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0x6ed46089e88fdc45l;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x3a545e3872760ab7L,0x5502f25dbf55296cL,0x59f741e082542a38L,
+        0x6e1d3b628ba79b98L,0x8eb1c71ef320ad74L,0xaa87ca22be8b0537L,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x7a431d7c90ea0e5fL,0x0a60b1ce1d7e819dL,0xe9da3113b5f0b8c0L,
+        0xf8f41dbd289a147cL,0x5d9e98bf9292dc29L,0x3617de4a96262c6fL,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000000000000001L,0x0000000000000000L,0x0000000000000000L,
+        0x0000000000000000L,0x0000000000000000L,0x0000000000000000L,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[6] = {
+    0x2a85c8edd3ec2aefL,0xc656398d8a2ed19dL,0x0314088f5013875aL,
+    0x181d9c6efe814112L,0x988e056be3f82d19L,0xb3312fa7e23ee7e4L
+};
+#endif
+
+static int sp_384_point_new_ex_6(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_6(heap, sp, p) sp_384_point_new_ex_6((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_6(heap, sp, p) sp_384_point_new_ex_6((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_6(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[12];
+    int64_t a32d[12];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 12;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = a[0] & 0xffffffff;
+        a32[1] = a[0] >> 32;
+        a32[2] = a[1] & 0xffffffff;
+        a32[3] = a[1] >> 32;
+        a32[4] = a[2] & 0xffffffff;
+        a32[5] = a[2] >> 32;
+        a32[6] = a[3] & 0xffffffff;
+        a32[7] = a[3] >> 32;
+        a32[8] = a[4] & 0xffffffff;
+        a32[9] = a[4] >> 32;
+        a32[10] = a[5] & 0xffffffff;
+        a32[11] = a[5] >> 32;
+
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + a32[0] + a32[8] + a32[9] - a32[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - a32[0] + a32[1] - a32[8] + a32[10] + a32[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - a32[1] + a32[2] - a32[9] + a32[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + a32[0] - a32[2] + a32[3] + a32[8] + a32[9] - a32[10] - a32[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + a32[0] + a32[1] - a32[3] + a32[4] + a32[8] + 2 * a32[9] + a32[10] -  2 * a32[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + a32[1] + a32[2] - a32[4] + a32[5] + a32[9] + 2 * a32[10] + a32[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + a32[2] + a32[3] - a32[5] + a32[6] + a32[10] + 2 * a32[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + a32[3] + a32[4] - a32[6] + a32[7] + a32[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + a32[4] + a32[5] - a32[7] + a32[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + a32[5] + a32[6] - a32[8] + a32[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + a32[6] + a32[7] - a32[9] + a32[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + a32[7] + a32[8] - a32[10] + a32[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = (t[1] << 32) | t[0];
+        r[1] = (t[3] << 32) | t[2];
+        r[2] = (t[5] << 32) | t[4];
+        r[3] = (t[7] << 32) | t[6];
+        r[4] = (t[9] << 32) | t[8];
+        r[5] = (t[11] << 32) | t[10];
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_6(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 6, pm->x);
+    sp_384_from_mp(p->y, 6, pm->y);
+    sp_384_from_mp(p->z, 6, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 6);
+        r->used = 6;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 6; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 6; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_6(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Conditionally copy a into r using the mask m.
+ * m is -1 to copy and 0 when not.
+ *
+ * r  A single precision number to copy over.
+ * a  A single precision number to copy.
+ * m  Mask value to apply.
+ */
+static void sp_384_cond_copy_6(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[r], 0]\n\t"
+        "ldp	x5, x6, [%[r], 16]\n\t"
+        "ldp	x7, x8, [%[r], 32]\n\t"
+        "ldp	x9, x10, [%[a], 0]\n\t"
+        "ldp	x11, x12, [%[a], 16]\n\t"
+        "ldp	x13, x14, [%[a], 32]\n\t"
+        "eor	x9, x9, x3\n\t"
+        "eor	x10, x10, x4\n\t"
+        "eor	x11, x11, x5\n\t"
+        "eor	x12, x12, x6\n\t"
+        "eor	x13, x13, x7\n\t"
+        "eor	x14, x14, x8\n\t"
+        "and	x9, x9, %[m]\n\t"
+        "and	x10, x10, %[m]\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "and	x13, x13, %[m]\n\t"
+        "and	x14, x14, %[m]\n\t"
+        "eor	x3, x3, x9\n\t"
+        "eor	x4, x4, x10\n\t"
+        "eor	x5, x5, x11\n\t"
+        "eor	x6, x6, x12\n\t"
+        "eor	x7, x7, x13\n\t"
+        "eor	x8, x8, x14\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "stp	x7, x8, [%[r], 32]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14"
+    );
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_384_mul_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[12];
+
+    __asm__ __volatile__ (
+        "mov	x5, 0\n\t"
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 40\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[b], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 48\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 80\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static void sp_384_mul_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_digit tmp[6];
+
+    __asm__ __volatile__ (
+        "ldp	x9, x10, [%[a], 0]\n\t"
+        "ldp	x11, x12, [%[a], 16]\n\t"
+        "ldp	x13, x14, [%[a], 32]\n\t"
+        "ldp	x15, x16, [%[b], 0]\n\t"
+        "ldp	x17, x19, [%[b], 16]\n\t"
+        "ldp	x20, x21, [%[b], 32]\n\t"
+        "#  A[0] * B[0]\n\t"
+        "mul	x4, x9, x15\n\t"
+        "umulh	x5, x9, x15\n\t"
+        "str	x4, [%[tmp]]\n\t"
+        "#  A[0] * B[1]\n\t"
+        "mul	x7, x9, x16\n\t"
+        "umulh	x8, x9, x16\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[0]\n\t"
+        "mul	x7, x10, x15\n\t"
+        "adc	x6, xzr, x8\n\t"
+        "umulh	x8, x10, x15\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 8]\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "#  A[0] * B[2]\n\t"
+        "mul	x7, x9, x17\n\t"
+        "umulh	x8, x9, x17\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[1]\n\t"
+        "mul	x7, x10, x16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x10, x16\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[0]\n\t"
+        "mul	x7, x11, x15\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x11, x15\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 16]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[0] * B[3]\n\t"
+        "mul	x7, x9, x19\n\t"
+        "umulh	x8, x9, x19\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[1] * B[2]\n\t"
+        "mul	x7, x10, x17\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x10, x17\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[1]\n\t"
+        "mul	x7, x11, x16\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x11, x16\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[0]\n\t"
+        "mul	x7, x12, x15\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x12, x15\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[tmp], 24]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[0] * B[4]\n\t"
+        "mul	x7, x9, x20\n\t"
+        "umulh	x8, x9, x20\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[1] * B[3]\n\t"
+        "mul	x7, x10, x19\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x10, x19\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[2] * B[2]\n\t"
+        "mul	x7, x11, x17\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x11, x17\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[1]\n\t"
+        "mul	x7, x12, x16\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x12, x16\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[0]\n\t"
+        "mul	x7, x13, x15\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x13, x15\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[tmp], 32]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[0] * B[5]\n\t"
+        "mul	x7, x9, x21\n\t"
+        "umulh	x8, x9, x21\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[1] * B[4]\n\t"
+        "mul	x7, x10, x20\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x10, x20\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[2] * B[3]\n\t"
+        "mul	x7, x11, x19\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x11, x19\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[3] * B[2]\n\t"
+        "mul	x7, x12, x17\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x12, x17\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[1]\n\t"
+        "mul	x7, x13, x16\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x13, x16\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[0]\n\t"
+        "mul	x7, x14, x15\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x14, x15\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[tmp], 40]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[1] * B[5]\n\t"
+        "mul	x7, x10, x21\n\t"
+        "umulh	x8, x10, x21\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[2] * B[4]\n\t"
+        "mul	x7, x11, x20\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x11, x20\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[3] * B[3]\n\t"
+        "mul	x7, x12, x19\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x12, x19\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[4] * B[2]\n\t"
+        "mul	x7, x13, x17\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x13, x17\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[1]\n\t"
+        "mul	x7, x14, x16\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x14, x16\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 48]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[2] * B[5]\n\t"
+        "mul	x7, x11, x21\n\t"
+        "umulh	x8, x11, x21\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[3] * B[4]\n\t"
+        "mul	x7, x12, x20\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x12, x20\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[4] * B[3]\n\t"
+        "mul	x7, x13, x19\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x13, x19\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "#  A[5] * B[2]\n\t"
+        "mul	x7, x14, x17\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "umulh	x8, x14, x17\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adcs	x6, x6, x8\n\t"
+        "str	x5, [%[r], 56]\n\t"
+        "adc	x4, x4, xzr\n\t"
+        "#  A[3] * B[5]\n\t"
+        "mul	x7, x12, x21\n\t"
+        "umulh	x8, x12, x21\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[4] * B[4]\n\t"
+        "mul	x7, x13, x20\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x13, x20\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "#  A[5] * B[3]\n\t"
+        "mul	x7, x14, x19\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "umulh	x8, x14, x19\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str	x6, [%[r], 64]\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "#  A[4] * B[5]\n\t"
+        "mul	x7, x13, x21\n\t"
+        "umulh	x8, x13, x21\n\t"
+        "adds	x4, x4, x7\n\t"
+        "#  A[5] * B[4]\n\t"
+        "mul	x7, x14, x20\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "umulh	x8, x14, x20\n\t"
+        "adc	x6, xzr, xzr\n\t"
+        "adds	x4, x4, x7\n\t"
+        "adcs	x5, x5, x8\n\t"
+        "str	x4, [%[r], 72]\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "#  A[5] * B[5]\n\t"
+        "mul	x7, x14, x21\n\t"
+        "umulh	x8, x14, x21\n\t"
+        "adds	x5, x5, x7\n\t"
+        "adc	x6, x6, x8\n\t"
+        "stp	x5, x6, [%[r], 80]\n\t"
+        "ldp	x9, x10, [%[tmp], 0]\n\t"
+        "ldp	x11, x12, [%[tmp], 16]\n\t"
+        "ldp	x13, x14, [%[tmp], 32]\n\t"
+        "stp	x9, x10, [%[r], 0]\n\t"
+        "stp	x11, x12, [%[r], 16]\n\t"
+        "stp	x13, x14, [%[r], 32]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_384_cond_sub_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "subs	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "sbcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "sbcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "sbcs	x4, x4, x5\n\t"
+        "sbcs	x6, x6, x7\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+}
+
+#define sp_384_mont_reduce_order_6    sp_384_mont_reduce_6
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_384_mont_reduce_6(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "ldp	x14, x15, [%[m], 0]\n\t"
+        "ldp	x16, x17, [%[m], 16]\n\t"
+        "ldp	x19, x20, [%[m], 32]\n\t"
+        "# i = 6\n\t"
+        "mov	x4, 6\n\t"
+        "ldp	x12, x13, [%[a], 0]\n\t"
+        "\n1:\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mul	x9, %[mp], x12\n\t"
+        "# a[i+0] += m[0] * mu\n\t"
+        "mul	x7, x14, x9\n\t"
+        "umulh	x8, x14, x9\n\t"
+        "adds	x12, x12, x7\n\t"
+        "# a[i+1] += m[1] * mu\n\t"
+        "mul	x7, x15, x9\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "umulh	x8, x15, x9\n\t"
+        "adds	x12, x13, x7\n\t"
+        "# a[i+2] += m[2] * mu\n\t"
+        "ldr	x13, [%[a], 16]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "mul	x7, x16, x9\n\t"
+        "adds	x12, x12, x6\n\t"
+        "umulh	x8, x16, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "adds	x13, x13, x7\n\t"
+        "# a[i+3] += m[3] * mu\n\t"
+        "ldr	x10, [%[a], 24]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "mul	x7, x17, x9\n\t"
+        "adds	x13, x13, x5\n\t"
+        "umulh	x8, x17, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "adds	x10, x10, x7\n\t"
+        "# a[i+4] += m[4] * mu\n\t"
+        "ldr	x11, [%[a], 32]\n\t"
+        "adc	x5, x8, xzr\n\t"
+        "adds	x10, x10, x6\n\t"
+        "mul	x7, x19, x9\n\t"
+        "adc	x5, x5, xzr\n\t"
+        "umulh	x8, x19, x9\n\t"
+        "str	x10, [%[a], 24]\n\t"
+        "adds	x11, x11, x7\n\t"
+        "# a[i+5] += m[5] * mu\n\t"
+        "ldr	x10, [%[a], 40]\n\t"
+        "adc	x6, x8, xzr\n\t"
+        "adds	x11, x11, x5\n\t"
+        "mul	x7, x20, x9\n\t"
+        "adc	x6, x6, xzr\n\t"
+        "umulh	x8, x20, x9\n\t"
+        "adds	x6, x6, x7\n\t"
+        "adcs	x8, x8, %[ca]\n\t"
+        "str	x11, [%[a], 32]\n\t"
+        "cset  %[ca], cs\n\t"
+        "adds	x10, x10, x6\n\t"
+        "ldr	x11, [%[a], 48]\n\t"
+        "str	x10, [%[a], 40]\n\t"
+        "adcs	x11, x11, x8\n\t"
+        "str	x11, [%[a], 48]\n\t"
+        "adc	%[ca], %[ca], xzr\n\t"
+        "subs	x4, x4, 1\n\t"
+        "add	%[a], %[a], 8\n\t"
+        "bne	1b\n\t"
+        "stp	x12, x13, [%[a], 0]\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20"
+    );
+
+    sp_384_cond_sub_6(a - 6, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_6(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_384_sqr_6(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[12];
+
+    __asm__ __volatile__ (
+        "mov	x6, 0\n\t"
+        "mov	x7, 0\n\t"
+        "mov	x8, 0\n\t"
+        "mov	x5, 0\n\t"
+        "\n1:\n\t"
+        "subs	x3, x5, 40\n\t"
+        "csel	x3, xzr, x3, cc\n\t"
+        "sub	x4, x5, x3\n\t"
+        "\n2:\n\t"
+        "cmp	x4, x3\n\t"
+        "b.eq	4f\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "ldr	x11, [%[a], x4]\n\t"
+        "mul	x9, x10, x11\n\t"
+        "umulh	x10, x10, x11\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "b.al	5f\n\t"
+        "\n4:\n\t"
+        "ldr	x10, [%[a], x3]\n\t"
+        "mul	x9, x10, x10\n\t"
+        "umulh	x10, x10, x10\n\t"
+        "adds	x6, x6, x9\n\t"
+        "adcs	x7, x7, x10\n\t"
+        "adc	x8, x8, xzr\n\t"
+        "\n5:\n\t"
+        "add	x3, x3, #8\n\t"
+        "sub	x4, x4, #8\n\t"
+        "cmp	x3, 48\n\t"
+        "b.eq	3f\n\t"
+        "cmp	x3, x4\n\t"
+        "b.gt	3f\n\t"
+        "cmp	x3, x5\n\t"
+        "b.le	2b\n\t"
+        "\n3:\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        "mov	x6, x7\n\t"
+        "mov	x7, x8\n\t"
+        "mov	x8, #0\n\t"
+        "add	x5, x5, #8\n\t"
+        "cmp	x5, 80\n\t"
+        "b.le	1b\n\t"
+        "str	x6, [%[r], x5]\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+static void sp_384_sqr_6(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp       x17, x19, [%[a], 0]\n\t"
+        "ldp       x20, x21, [%[a], 16]\n\t"
+        "ldp       x22, x23, [%[a], 32]\n\t"
+        "#  A[0] * A[1]\n\t"
+        "mul	x3, x17, x19\n\t"
+        "umulh	x7, x17, x19\n\t"
+        "#  A[0] * A[2]\n\t"
+        "mul	x4, x17, x20\n\t"
+        "umulh	x5, x17, x20\n\t"
+        "adds	x7, x7, x4\n\t"
+        "#  A[0] * A[3]\n\t"
+        "mul	x4, x17, x21\n\t"
+        "adc	x8, xzr, x5\n\t"
+        "umulh	x5, x17, x21\n\t"
+        "adds	x8, x8, x4\n\t"
+        "#  A[1] * A[2]\n\t"
+        "mul	x4, x19, x20\n\t"
+        "adc	x9, xzr, x5\n\t"
+        "umulh	x5, x19, x20\n\t"
+        "adds	x8, x8, x4\n\t"
+        "#  A[0] * A[4]\n\t"
+        "mul	x4, x17, x22\n\t"
+        "adcs	x9, x9, x5\n\t"
+        "umulh	x5, x17, x22\n\t"
+        "adc	x10, xzr, xzr\n\t"
+        "adds	x9, x9, x4\n\t"
+        "#  A[1] * A[3]\n\t"
+        "mul	x4, x19, x21\n\t"
+        "adc	x10, x10, x5\n\t"
+        "umulh	x5, x19, x21\n\t"
+        "adds	x9, x9, x4\n\t"
+        "#  A[0] * A[5]\n\t"
+        "mul	x4, x17, x23\n\t"
+        "adcs	x10, x10, x5\n\t"
+        "umulh	x5, x17, x23\n\t"
+        "adc	x11, xzr, xzr\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[1] * A[4]\n\t"
+        "mul	x4, x19, x22\n\t"
+        "adc	x11, x11, x5\n\t"
+        "umulh	x5, x19, x22\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[2] * A[3]\n\t"
+        "mul	x4, x20, x21\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x5, x20, x21\n\t"
+        "adc	x12, xzr, xzr\n\t"
+        "adds	x10, x10, x4\n\t"
+        "#  A[1] * A[5]\n\t"
+        "mul	x4, x19, x23\n\t"
+        "adcs	x11, x11, x5\n\t"
+        "umulh	x5, x19, x23\n\t"
+        "adc	x12, x12, xzr\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[2] * A[4]\n\t"
+        "mul	x4, x20, x22\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x20, x22\n\t"
+        "adc	x13, xzr, xzr\n\t"
+        "adds	x11, x11, x4\n\t"
+        "#  A[2] * A[5]\n\t"
+        "mul	x4, x20, x23\n\t"
+        "adcs	x12, x12, x5\n\t"
+        "umulh	x5, x20, x23\n\t"
+        "adc	x13, x13, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[3] * A[4]\n\t"
+        "mul	x4, x21, x22\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x21, x22\n\t"
+        "adc	x14, xzr, xzr\n\t"
+        "adds	x12, x12, x4\n\t"
+        "#  A[3] * A[5]\n\t"
+        "mul	x4, x21, x23\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "umulh	x5, x21, x23\n\t"
+        "adc	x14, x14, xzr\n\t"
+        "adds	x13, x13, x4\n\t"
+        "#  A[4] * A[5]\n\t"
+        "mul	x4, x22, x23\n\t"
+        "adcs	x14, x14, x5\n\t"
+        "umulh	x5, x22, x23\n\t"
+        "adc	x15, xzr, xzr\n\t"
+        "adds	x14, x14, x4\n\t"
+        "adc	x15, x15, x5\n\t"
+        "# Double\n\t"
+        "adds	x3, x3, x3\n\t"
+        "adcs	x7, x7, x7\n\t"
+        "adcs	x8, x8, x8\n\t"
+        "adcs	x9, x9, x9\n\t"
+        "adcs	x10, x10, x10\n\t"
+        "adcs	x11, x11, x11\n\t"
+        "adcs	x12, x12, x12\n\t"
+        "adcs	x13, x13, x13\n\t"
+        "adcs	x14, x14, x14\n\t"
+        "#  A[0] * A[0]\n\t"
+        "mul	x2, x17, x17\n\t"
+        "adcs	x15, x15, x15\n\t"
+        "umulh	x4, x17, x17\n\t"
+        "cset  x16, cs\n\t"
+        "#  A[1] * A[1]\n\t"
+        "mul	x5, x19, x19\n\t"
+        "adds	x3, x3, x4\n\t"
+        "umulh	x6, x19, x19\n\t"
+        "adcs	x7, x7, x5\n\t"
+        "#  A[2] * A[2]\n\t"
+        "mul	x4, x20, x20\n\t"
+        "adcs	x8, x8, x6\n\t"
+        "umulh	x5, x20, x20\n\t"
+        "adcs	x9, x9, x4\n\t"
+        "#  A[3] * A[3]\n\t"
+        "mul	x6, x21, x21\n\t"
+        "adcs	x10, x10, x5\n\t"
+        "umulh	x4, x21, x21\n\t"
+        "adcs	x11, x11, x6\n\t"
+        "#  A[4] * A[4]\n\t"
+        "mul	x5, x22, x22\n\t"
+        "adcs	x12, x12, x4\n\t"
+        "umulh	x6, x22, x22\n\t"
+        "adcs	x13, x13, x5\n\t"
+        "#  A[5] * A[5]\n\t"
+        "mul	x4, x23, x23\n\t"
+        "adcs	x14, x14, x6\n\t"
+        "umulh	x5, x23, x23\n\t"
+        "adcs	x15, x15, x4\n\t"
+        "stp	x2, x3, [%[r], 0]\n\t"
+        "adc	x16, x16, x5\n\t"
+        "stp	x7, x8, [%[r], 16]\n\t"
+        "stp	x9, x10, [%[r], 32]\n\t"
+        "stp	x11, x12, [%[r], 48]\n\t"
+        "stp	x13, x14, [%[r], 64]\n\t"
+        "stp	x15, x16, [%[r], 80]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x4", "x5", "x6", "x2", "x3", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16", "x17", "x19", "x20", "x21", "x22", "x23"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_6(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_6(r, a);
+    sp_384_mont_reduce_6(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_6(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_6(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_6(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint64_t p384_mod_minus_2[6] = {
+    0x00000000fffffffdU,0xffffffff00000000U,0xfffffffffffffffeU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_6(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_6(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_384_mont_mul_6(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    sp_digit* t4 = td + 6 * 6;
+    sp_digit* t5 = td + 8 * 6;
+
+    /* 0x2 */
+    sp_384_mont_sqr_6(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_6(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_6(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_6(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_6(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_6(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_6(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_6(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_6(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_6(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_6(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_6(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_6(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_6(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_6(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_6(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static int64_t sp_384_cmp_6(const sp_digit* a, const sp_digit* b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "mov	x5, 40\n\t"
+        "1:\n\t"
+        "ldr	x6, [%[a], x5]\n\t"
+        "ldr	x7, [%[b], x5]\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x7, x7, x4\n\t"
+        "subs	x6, x6, x7\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "subs	x5, x5, #8\n\t"
+        "b.cs	1b\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16"
+    );
+#else
+    __asm__ __volatile__ (
+        "mov	x2, -1\n\t"
+        "mov	x3, 1\n\t"
+        "mov	x4, -1\n\t"
+        "ldp	x5, x6, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[a], 16]\n\t"
+        "ldp	x9, x10, [%[a], 32]\n\t"
+        "ldp	x11, x12, [%[b], 0]\n\t"
+        "ldp	x13, x14, [%[b], 16]\n\t"
+        "ldp	x15, x16, [%[b], 32]\n\t"
+        "and	x10, x10, x4\n\t"
+        "and	x16, x16, x4\n\t"
+        "subs	x10, x10, x16\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x9, x9, x4\n\t"
+        "and	x15, x15, x4\n\t"
+        "subs	x9, x9, x15\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x8, x8, x4\n\t"
+        "and	x14, x14, x4\n\t"
+        "subs	x8, x8, x14\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x7, x7, x4\n\t"
+        "and	x13, x13, x4\n\t"
+        "subs	x7, x7, x13\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x6, x6, x4\n\t"
+        "and	x12, x12, x4\n\t"
+        "subs	x6, x6, x12\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "and	x5, x5, x4\n\t"
+        "and	x11, x11, x4\n\t"
+        "subs	x5, x5, x11\n\t"
+        "csel	x2, x4, x2, lo\n\t"
+        "csel	x4, x4, xzr, eq\n\t"
+        "csel	x2, x3, x2, hi\n\t"
+        "eor	%[a], x2, x4\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11", "x12", "x13", "x14", "x15", "x16"
+    );
+#endif
+
+    return (int64_t)a;
+}
+
+/* Normalize the values in each word to 64.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_384_norm_6(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    int64_t n;
+
+    sp_384_mont_inv_6(t1, p->z, t + 2*6);
+
+    sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_6(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 6, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_6(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_6(r->x, p384_mod);
+    sp_384_cond_sub_6(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_6(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 6, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_6(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_6(r->y, p384_mod);
+    sp_384_cond_sub_6(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_add_6(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "adds	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "adcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "adcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldr		x3, [%[a], 32]\n\t"
+        "ldr		x4, [%[a], 40]\n\t"
+        "ldr		x7, [%[b], 32]\n\t"
+        "ldr		x8, [%[b], 40]\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "adcs	x4, x4, x8\n\t"
+        "str		x3, [%[r], 32]\n\t"
+        "str		x4, [%[r], 40]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_add_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_6(r, a, b);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_dbl_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_6(r, a, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_tpl_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_6(r, a, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+    o = sp_384_add_6(r, r, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_6(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x3, x4, [%[a], 0]\n\t"
+        "ldp	x7, x8, [%[b], 0]\n\t"
+        "subs	x3, x3, x7\n\t"
+        "ldp	x5, x6, [%[a], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "ldp	x9, x10, [%[b], 16]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x3, x4, [%[r], 0]\n\t"
+        "sbcs	x6, x6, x10\n\t"
+        "stp	x5, x6, [%[r], 16]\n\t"
+        "ldr		x3, [%[a], 32]\n\t"
+        "ldr		x4, [%[a], 40]\n\t"
+        "ldr		x7, [%[b], 32]\n\t"
+        "ldr		x8, [%[b], 40]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "str		x3, [%[r], 32]\n\t"
+        "str		x4, [%[r], 40]\n\t"
+        "csetm	%[r], cc\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10"
+    );
+
+    return (sp_digit)r;
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static sp_digit sp_384_cond_add_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	x8, #0\n\t"
+        "1:\n\t"
+        "adds	%[c], %[c], #-1\n\t"
+        "ldr	x4, [%[a], x8]\n\t"
+        "ldr	x5, [%[b], x8]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "cset	%[c], cs\n\t"
+        "str	x4, [%[r], x8]\n\t"
+        "add	x8, x8, #8\n\t"
+        "cmp	x8, 48\n\t"
+        "b.lt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return c;
+#else
+    __asm__ __volatile__ (
+
+        "ldp	x5, x7, [%[b], 0]\n\t"
+        "ldp	x11, x12, [%[b], 16]\n\t"
+        "ldp	x4, x6, [%[a], 0]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "ldp	x9, x10, [%[a], 16]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adds	x4, x4, x5\n\t"
+        "and	x11, x11, %[m]\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "and	x12, x12, %[m]\n\t"
+        "adcs	x9, x9, x11\n\t"
+        "stp	x4, x6, [%[r], 0]\n\t"
+        "adcs	x10, x10, x12\n\t"
+        "stp	x9, x10, [%[r], 16]\n\t"
+        "ldp	x5, x7, [%[b], 32]\n\t"
+        "ldp	x4, x6, [%[a], 32]\n\t"
+        "and	x5, x5, %[m]\n\t"
+        "and	x7, x7, %[m]\n\t"
+        "adcs	x4, x4, x5\n\t"
+        "adcs	x6, x6, x7\n\t"
+        "stp	x4, x6, [%[r], 32]\n\t"
+        "cset	%[r], cs\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "x4", "x6", "x5", "x7", "x8", "x9", "x10", "x11", "x12"
+    );
+
+    return (sp_digit)r;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_sub_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_sub_6(r, a, b);
+    sp_384_cond_add_6(r, r, m, o);
+}
+
+static void sp_384_rshift1_6(sp_digit* r, sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a]]\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "ldp	x6, x7, [%[a], 32]\n\t"
+        "lsr	x11, x6, 1\n\t"
+        "lsr	x10, x5, 1\n\t"
+        "lsr	x9, x4, 1\n\t"
+        "lsr	x8, x3, 1\n\t"
+        "lsr	x2, x2, 1\n\t"
+        "orr	x2, x2, x3, lsl 63\n\t"
+        "orr	x3, x8, x4, lsl 63\n\t"
+        "orr	x4, x9, x5, lsl 63\n\t"
+        "orr	x5, x10, x6, lsl 63\n\t"
+        "orr	x6, x11, x7, lsl 63\n\t"
+        "lsr	x7, x7, 1\n\t"
+        "stp	x2, x3, [%[r]]\n\t"
+        "stp	x4, x5, [%[r], 16]\n\t"
+        "stp	x6, x7, [%[r], 32]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "x10", "x11"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_384_div2_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_cond_add_6(r, a, m, 0 - (a[0] & 1));
+    sp_384_rshift1_6(r, r);
+    r[5] |= o << 63;
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_6(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_6(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_6(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_6(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_6(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_6(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_6(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_6(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_6(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_6(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_6(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_6(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_6(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_6(y, y, t2, p384_mod);
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_6(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_6(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t2, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_6(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_6(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_6(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_6(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_6(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(t2, b, p384_mod);
+    sp_384_mont_sub_6(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_6(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_6(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_6(y, b, x, p384_mod);
+    sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    sp_384_mont_sub_6(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_6(y, y, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_6(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_6(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_6(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_6(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_6(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_6(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, x, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, y, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_mul_6(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, y, t5, p384_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_store_6(sp_point_384* r, const sp_point_384* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<6; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<6; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<6; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(w, w, p384_mod, p384_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(b, t2, x, p384_mod, p384_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t1, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_6(r[(1<<i)*m].z, z, y, p384_mod, p384_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_6(t2, t2, p384_mod, p384_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_6(w, w, t2, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t2, p384_mod);
+
+        /* Y = Y/2 */
+        sp_384_div2_6(r[(1<<i)*m].y, y, p384_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_sub_6(sp_point_384* ra, sp_point_384* rs,
+        const sp_point_384* p, const sp_point_384* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* t6 = t + 10*6;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_384_mont_sqr_6(t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t1, x, p384_mod, p384_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_384_mont_mul_6(t3, t3, y, p384_mod, p384_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+    /* H = U2 - U1 */
+    sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+    /* RS = S2 + S1 */
+    sp_384_mont_add_6(t6, t4, t3, p384_mod);
+    /* R = S2 - S1 */
+    sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_384_mont_mul_6(z, z, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_384_mont_sqr_6(x, t4, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(xs, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(y, t1, t5, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(x, x, t5, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t5, p384_mod);
+    sp_384_mont_dbl_6(t1, y, p384_mod);
+    sp_384_mont_sub_6(x, x, t1, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t1, p384_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_384_mont_sub_6(ys, y, xs, p384_mod);
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    sp_384_mont_mul_6(y, y, t4, p384_mod, p384_mp_mod);
+    sp_384_sub_6(t6, p384_mod, t6);
+    sp_384_mont_mul_6(ys, ys, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t5, t5, t3, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(y, y, t5, p384_mod);
+    sp_384_mont_sub_6(ys, ys, t5, p384_mod);
+}
+
+/* Structure used to describe recoding of scalar multiplication. */
+typedef struct ecc_recode_384 {
+    /* Index into pre-computation table. */
+    uint8_t i;
+    /* Use the negative of the point. */
+    uint8_t neg;
+} ecc_recode_384;
+
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_6_6[66] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_6_6[66] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_384_ecc_recode_6_6(const sp_digit* k, ecc_recode_384* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<65; i++) {
+        y = n;
+        if (o + 6 < 64) {
+            y &= 0x3f;
+            n >>= 6;
+            o += 6;
+        }
+        else if (o + 6 == 64) {
+            n >>= 6;
+            if (++j < 6)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 6) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x3f;
+            o -= 58;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_6_6[y];
+        v[i].neg = recode_neg_6_6[y];
+        carry = (y >> 6) + v[i].neg;
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_win_add_sub_6(sp_point_384* r, const sp_point_384* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[33];
+    sp_point_384 rtd, pd;
+    sp_digit tmpd[2 * 6 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_384 v[65];
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_384_point_new_6(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_384_mod_mul_norm_6(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].y, g->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].z, g->z, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_384_proj_point_dbl_n_store_6(t, &t[ 1], 5, 1, tmp);
+        sp_384_proj_point_add_6(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[ 6], &t[ 3], tmp);
+        sp_384_proj_point_add_sub_6(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[10], &t[ 5], tmp);
+        sp_384_proj_point_add_sub_6(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[12], &t[ 6], tmp);
+        sp_384_proj_point_dbl_6(&t[14], &t[ 7], tmp);
+        sp_384_proj_point_add_sub_6(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[18], &t[ 9], tmp);
+        sp_384_proj_point_add_sub_6(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[20], &t[10], tmp);
+        sp_384_proj_point_dbl_6(&t[22], &t[11], tmp);
+        sp_384_proj_point_add_sub_6(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[24], &t[12], tmp);
+        sp_384_proj_point_dbl_6(&t[26], &t[13], tmp);
+        sp_384_proj_point_add_sub_6(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[28], &t[14], tmp);
+        sp_384_proj_point_dbl_6(&t[30], &t[15], tmp);
+        sp_384_proj_point_add_sub_6(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_384_ecc_recode_6_6(k, v);
+
+        i = 64;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_384));
+        for (--i; i>=0; i--) {
+            sp_384_proj_point_dbl_n_6(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_384));
+            sp_384_sub_6(negy, p384_mod, p->y);
+            sp_384_cond_copy_6(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_384_proj_point_add_6(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_6(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[6];
+    sp_digit y[6];
+} sp_table_entry_384;
+
+#ifdef FP_ECC
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_6(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_6(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_6(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_6(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, t3, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_6(t3, t3, x, p384_mod);
+        sp_384_mont_mul_6(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_6(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 6;
+    sp_digit* tmp = t + 4 * 6;
+
+    sp_384_mont_inv_6(t1, a->z, tmp);
+
+    sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_6(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_6(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_6(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_6(t, 48, tmp);
+            sp_384_proj_to_affine_6(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_6(t, s1, s2, tmp);
+                sp_384_proj_to_affine_6(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_6(s2, 0, heap);
+    sp_384_point_free_6(s1, 0, heap);
+    sp_384_point_free_6( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_6(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 6 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_6(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_6(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_6(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[6];
+    sp_digit y[6];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_6(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_6(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_6(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_win_add_sub_6(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 6 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_6(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_win_add_sub_6(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_6(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, km);
+        sp_384_point_from_ecc_point_6(point, gm);
+
+            err = sp_384_ecc_mulmod_6(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x3dd0756649c0b528L,0x20e378e2a0d6ce38L,0x879c3afc541b4d6eL,
+        0x6454868459a30effL,0x812ff723614ede2bL,0x4d3aadc2299e1513L },
+      { 0x23043dad4b03a4feL,0xa1bfa8bf7bb4a9acL,0x8bade7562e83b050L,
+        0xc6c3521968f4ffd9L,0xdd8002263969a840L,0x2b78abc25a15c5e9L } },
+    /* 2 */
+    { { 0x298647532b0c535bL,0x90dd695370506296L,0x038cd6b4216ab9acL,
+        0x3df9b7b7be12d76aL,0x13f4d9785f347bdbL,0x222c5c9c13e94489L },
+      { 0x5f8e796f2680dc64L,0x120e7cb758352417L,0x254b5d8ad10740b8L,
+        0xc38b8efb5337dee6L,0xf688c2e194f02247L,0x7b5c75f36c25bc4cL } },
+    /* 3 */
+    { { 0xe26a3cc39edffea5L,0x35bbfd1c37d7e9fcL,0xf0e7700d9bde3ef6L,
+        0x0380eb471a538f5aL,0x2e9da8bb05bf9eb3L,0xdbb93c731a460c3eL },
+      { 0x37dba260f526b605L,0x95d4978efd785537L,0x24ed793aed72a04aL,
+        0x2694837776005b1aL,0x99f557b99e681f82L,0xae5f9557d64954efL } },
+    /* 4 */
+    { { 0x24480c57f26feef9L,0xc31a26943a0e1240L,0x735002c3273e2bc7L,
+        0x8c42e9c53ef1ed4cL,0x028babf67f4948e8L,0x6a502f438a978632L },
+      { 0xf5f13a46b74536feL,0x1d218babd8a9f0ebL,0x30f36bcc37232768L,
+        0xc5317b31576e8c18L,0xef1d57a69bbcb766L,0x917c4930b3e3d4dcL } },
+    /* 5 */
+    { { 0x11426e2ee349ddd0L,0x9f117ef99b2fc250L,0xff36b480ec0174a6L,
+        0x4f4bde7618458466L,0x2f2edb6d05806049L,0x8adc75d119dfca92L },
+      { 0xa619d097b7d5a7ceL,0x874275e5a34411e9L,0x5403e0470da4b4efL,
+        0x2ebaafd977901d8fL,0x5e63ebcea747170fL,0x12a369447f9d8036L } },
+    /* 6 */
+    { { 0x28f9c07a4fc52870L,0xce0b37481a53a961L,0xd550fa180e1828d9L,
+        0xa24abaf76adb225aL,0xd11ed0a56e58a348L,0xf3d811e6948acb62L },
+      { 0x8618dd774c61ed22L,0x0bb747f980b47c9dL,0x22bf796fde6b8559L,
+        0xfdfd1c6d680a21e9L,0xc0db15772af2c9ddL,0xa09379e6c1e90f3dL } },
+    /* 7 */
+    { { 0x386c66efe085c629L,0x5fc2a461095bc89aL,0x1353d631203f4b41L,
+        0x7ca1972b7e4bd8f5L,0xb077380aa7df8ce9L,0xd8a90389ee7e4ea3L },
+      { 0x1bc74dc7e7b14461L,0xdc2cb0140c9c4f78L,0x52b4b3a684ef0a10L,
+        0xbde6ea5d20327fe2L,0xb71ec435660f9615L,0xeede5a04b8ad8173L } },
+    /* 8 */
+    { { 0x5584cbb3893b9a2dL,0x820c660b00850c5dL,0x4126d8267df2d43dL,
+        0xdd5bbbf00109e801L,0x85b92ee338172f1cL,0x609d4f93f31430d9L },
+      { 0x1e059a07eadaf9d6L,0x70e6536c0f125fb0L,0xd6220751560f20e7L,
+        0xa59489ae7aaf3a9aL,0x7b70e2f664bae14eL,0x0dd0370176d08249L } },
+    /* 9 */
+    { { 0x4cc13be88510521fL,0x87315ba9f724cc17L,0xb49d83bb353dc263L,
+        0x8b677efe0c279257L,0x510a1c1cc93c9537L,0x33e30cd8a4702c99L },
+      { 0xf0ffc89d2208353fL,0x0170fa8dced42b2bL,0x090851ed26e2a5f5L,
+        0x81276455ecb52c96L,0x0646c4e17fe1adf4L,0x513f047eb0868eabL } },
+    /* 10 */
+    { { 0xc07611f4df5bdf53L,0x45d331a758b11a6dL,0x58965daf1c4ee394L,
+        0xba8bebe75a5878d1L,0xaecc0a1882dd3025L,0xcf2a3899a923eb8bL },
+      { 0xf98c9281d24fd048L,0x841bfb598bbb025dL,0xb8ddf8cec9ab9d53L,
+        0x538a4cb67fef044eL,0x092ac21f23236662L,0xa919d3850b66f065L } },
+    /* 11 */
+    { { 0x3db03b4085d480d8L,0x8cd9f4791b287a7dL,0x8f24dc754a8f3baeL,
+        0x482eb8003db41892L,0x38bf9eb39c56e0f5L,0x8b9773209a91dc6fL },
+      { 0xa31b05b27209cfc2L,0x4c49bf8505b2db70L,0x56462498d619527bL,
+        0x3fe510391fac51baL,0xfb04f55eab4b8342L,0xc07c10dc04c6eabfL } },
+    /* 12 */
+    { { 0xad22fe4cdb32f048L,0x5f23bf91475ed6dfL,0xa50ce0c0aa66b6cbL,
+        0xdf627a89f03405c0L,0x3674837df95e2d6aL,0x081c95b6ba42e64eL },
+      { 0xeba3e036e71d6cebL,0xb45bcccf6c6b0271L,0x67b47e630684701dL,
+        0x60f8f942e712523fL,0x824234725cd47adcL,0x83027d7987649cbbL } },
+    /* 13 */
+    { { 0xb3929ea63615b0b8L,0xb41441fda54dac41L,0x8995d556b5b6a368L,
+        0xa80d4529167ef05eL,0xf6bcb4a16d25a27fL,0x210d6a4c7bd55b68L },
+      { 0xf3804abb25351130L,0x1d2df699903e37ebL,0x5f201efc084c25c8L,
+        0x31a28c87a1c68e91L,0x81dad253563f62a5L,0x5dd6de70d6c415d4L } },
+    /* 14 */
+    { { 0x29f470fd846612ceL,0x986f3eecda18d997L,0x6b84c1612f34af86L,
+        0x5ef0a40846ddaf8bL,0x14405a00e49e795fL,0x5f491b16aa2f7a37L },
+      { 0xc7f07ae4db41b38dL,0xef7d119e18fbfcaaL,0x3a18e07614443b19L,
+        0x4356841a79a19926L,0x91f4a91ce2226fbeL,0xdc77248c3cc88721L } },
+    /* 15 */
+    { { 0xd570ff1ae4b1ec9dL,0x21d23e0ee7eef706L,0x3cde40f4ca19e086L,
+        0x7d6523c4cd4bb270L,0x16c1f06cbf13aa6cL,0x5aa7245ad14c4b60L },
+      { 0x37f8146744b74de8L,0x839e7a17620a934eL,0xf74d14e8de8b1aa1L,
+        0x8789fa51f30d75e2L,0x09b24052c81c261eL,0x654e267833c565eeL } },
+    /* 16 */
+    { { 0x378205de2f9fbe67L,0xc4afcb837f728e44L,0xdbcec06c682e00f1L,
+        0xf2a145c3114d5423L,0xa01d98747a52463eL,0xfc0935b17d717b0aL },
+      { 0x9653bc4fd4d01f95L,0x9aa83ea89560ad34L,0xf77943dcaf8e3f3fL,
+        0x70774a10e86fe16eL,0x6b62e6f1bf9ffdcfL,0x8a72f39e588745c9L } },
+    /* 17 */
+    { { 0x73ade4da2341c342L,0xdd326e54ea704422L,0x336c7d983741cef3L,
+        0x1eafa00d59e61549L,0xcd3ed892bd9a3efdL,0x03faf26cc5c6c7e4L },
+      { 0x087e2fcf3045f8acL,0x14a65532174f1e73L,0x2cf84f28fe0af9a7L,
+        0xddfd7a842cdc935bL,0x4c0f117b6929c895L,0x356572d64c8bcfccL } },
+    /* 18 */
+    { { 0x7ecbac017d8c1bbaL,0x6058f9c390b0f3d5L,0xaee116e3f6197d0fL,
+        0xc4dd70684033b128L,0xf084dba6c209b983L,0x97c7c2cf831dbc4aL },
+      { 0x2f4e61ddf96010e8L,0xd97e4e20529faa17L,0x4ee6666069d37f20L,
+        0xccc139ed3d366d72L,0x690b6ee213488e0fL,0x7cad1dc5f3a6d533L } },
+    /* 19 */
+    { { 0x660a9a81da57a41fL,0xe74a0412ec0039b6L,0x42343c6b5e1dad15L,
+        0x284f3ff546681d4cL,0xb51087f163749e89L,0x070f23cc6f9f2f13L },
+      { 0x542211da5d186e14L,0x84748f37fddb0dffL,0x41a3aab4db1f4180L,
+        0x25ed667ba6402d0eL,0x2f2924a902f58355L,0x5844ee7cfa44a689L } },
+    /* 20 */
+    { { 0xfab086073f3b236fL,0x19e9d41d81e221daL,0xf3f6571e3927b428L,
+        0x4348a9337550f1f6L,0x7167b996a85e62f0L,0x62d437597f5452bfL },
+      { 0xd85feb9ef2955926L,0x440a561f6df78353L,0x389668ec9ca36b59L,
+        0x052bf1a1a22da016L,0xbdfbff72f6093254L,0x94e50f28e22209f3L } },
+    /* 21 */
+    { { 0x90b2e5b33062e8afL,0xa8572375e8a3d369L,0x3fe1b00b201db7b1L,
+        0xe926def0ee651aa2L,0x6542c9beb9b10ad7L,0x098e309ba2fcbe74L },
+      { 0x779deeb3fff1d63fL,0x23d0e80a20bfd374L,0x8452bb3b8768f797L,
+        0xcf75bb4d1f952856L,0x8fe6b40029ea3faaL,0x12bd3e4081373a53L } },
+    /* 22 */
+    { { 0xc023780d104cbba5L,0x6207e747fa35dd4cL,0x35c239281ca9b6a3L,
+        0x4ff19be897987b10L,0xb8476bbf8022eee8L,0xaa0a4a14d3bbe74dL },
+      { 0x20f94331187d4543L,0x3215387079f6e066L,0x83b0f74eac7e82e1L,
+        0xa7748ba2828f06abL,0xc5f0298ac26ef35fL,0x0f0c50708e9a7dbdL } },
+    /* 23 */
+    { { 0x0c5c244cdef029ddL,0x3dabc687850661b8L,0x9992b865fe11d981L,
+        0xe9801b8f6274dbadL,0xe54e6319098da242L,0x9929a91a91a53d08L },
+      { 0x37bffd7235285887L,0xbc759425f1418102L,0x9280cc35fd2e6e20L,
+        0x735c600cfbc42ee5L,0xb7ad28648837619aL,0xa3627231a778c57bL } },
+    /* 24 */
+    { { 0xae799b5c91361ed8L,0x47d71b756c63366cL,0x54cdd5211b265a6aL,
+        0xe0215a5998d77b74L,0x4424d9b7bab29db0L,0x8b0ffacc7fd9e536L },
+      { 0x46d85d1237b5d9efL,0x5b106d62bfa91747L,0xed0479f85f99ba2dL,
+        0x0e6f39231d104de4L,0x83a84c8425e8983fL,0xa9507e0af8105a70L } },
+    /* 25 */
+    { { 0xf6c68a6e14cf381cL,0xaf9d27bdc22e31ccL,0x23568d4daa8a5ccbL,
+        0xe431eec0e338e4d2L,0xf1a828fe8f52ad1fL,0xdb6a0579e86acd80L },
+      { 0x2885672e4507832aL,0x73fc275f887e5289L,0x65f8027805610d08L,
+        0x8d9b4554075ff5b0L,0x3a8e8fb109f712b5L,0x39f0ac862ebe9cf2L } },
+    /* 26 */
+    { { 0xd8fabf784c52edf5L,0xdcd737e5a589ae53L,0x94918bf0d791ab17L,
+        0xb5fbd956bcff06c9L,0xf6d3032edca46d45L,0x2cdff7e141a3e486L },
+      { 0x6674b3ba61f47ec8L,0x8a882163eef84608L,0xa257c7054c687f90L,
+        0xe30cb2edf6cdf227L,0x2c4c64ca7f6ea846L,0x186fa17ccc6bcd3cL } },
+    /* 27 */
+    { { 0x48a3f5361dfcb91eL,0x83595e13646d358aL,0xbd15827b91128798L,
+        0x3ce612b82187757aL,0x873150a161bd7372L,0xf4684530b662f568L },
+      { 0x8833950b401896f6L,0xe11cb89a77f3e090L,0xb2f12cac48e7f4a5L,
+        0x313dd769f606677eL,0xfdcf08b316579f93L,0x6429cec946b8f22bL } },
+    /* 28 */
+    { { 0x4984dd54bb75f9a4L,0x4aef06b929d3b570L,0xb5f84ca23d6e4c1eL,
+        0x24c61c11b083ef35L,0xce4a7392392ca9ffL,0x865d65176730a800L },
+      { 0xca3dfe76722b4a2bL,0x12c04bf97b083e0eL,0x803ce5b51b86b8a5L,
+        0x3fc7632d6a7e3e0cL,0xc89970c2c81adbe4L,0x3cbcd3ad120e16b1L } },
+    /* 29 */
+    { { 0xfbfb4cc7ec30ce93L,0x10ed6c7db72720a2L,0xec675bf747b55500L,
+        0x90725903333ff7c3L,0xc7c3973e5075bfc0L,0xb049ecb007acf31bL },
+      { 0xb4076eaf4f58839cL,0x101896daa2b05e4fL,0x3f6033b0ab40c66eL,
+        0x19ee9eebc8d864baL,0xeb6cf15547bf6d2aL,0x8e5a9663f826477dL } },
+    /* 30 */
+    { { 0x69e62fddf7fbd5e1L,0x38ecfe5476912b1dL,0x845a3d56d1da3bfbL,
+        0x0494950e1c86f0d4L,0x83cadbf93bc36ce8L,0x41fce5724fccc8d1L },
+      { 0x05f939c28332c144L,0xb17f248b0871e46eL,0x3d8534e266e8aff6L,
+        0x1d06f1dc3b85c629L,0xdb06a32ea3131b73L,0xf295184d8b3f64e5L } },
+    /* 31 */
+    { { 0xd9653ff736ddc103L,0x25f43e3795ef606fL,0x09e301fcfe06dce8L,
+        0x85af234130b6eebfL,0x79b12b530ff56b20L,0x9b4fb499fe9a3c6bL },
+      { 0x0154f89251d27ac2L,0xd33167e356ca5389L,0x7828ec1fafc065a6L,
+        0x0959a2587f746c9bL,0xb18f1be30c44f837L,0xa7946117c4132fdbL } },
+    /* 32 */
+    { { 0xc0426b775e3c647bL,0xbfcbd9398cf05348L,0x31d312e3172c0d3dL,
+        0x5f49fde6ee754737L,0x895530f06da7ee61L,0xcf281b0ae8b3a5fbL },
+      { 0xfd14973541b8a543L,0x41a625a73080dd30L,0xe2baae07653908cfL,
+        0xc3d01436ba02a278L,0xa0d0222e7b21b8f8L,0xfdc270e9d7ec1297L } },
+    /* 33 */
+    { { 0x00873c0cbc7f41d6L,0xd976113e1b7ad641L,0x2a536ff4238443fbL,
+        0x030d00e241e62e45L,0x532e98675f545fc6L,0xcd0331088e91208cL },
+      { 0xd1a04c999797612cL,0xd4393e02eea674e2L,0xd56fa69ee19742a1L,
+        0xdd2ab48085f0590eL,0xa5cefc5248a2243dL,0x48cc67b654383f41L } },
+    /* 34 */
+    { { 0x4e50430efc14ab48L,0x195b7f4f26706a74L,0x2fe8a228cc881ff6L,
+        0xb1b968e2d945013dL,0x936aa5794b92162bL,0x4fb766b7364e754aL },
+      { 0x13f93bca31e1ff7fL,0x696eb5cace4f2691L,0xff754bf8a2b09e02L,
+        0x58f13c9ce58e3ff8L,0xb757346f1678c0b0L,0xd54200dba86692b3L } },
+    /* 35 */
+    { { 0x9a030bbd6dda1265L,0xf7b4f3fce89718ddL,0xa6a4931f936065b8L,
+        0xbce72d875f72241cL,0x6cbb51cb65775857L,0xc71618154e993675L },
+      { 0xe81a0f792ee32189L,0xef2fab26277dc0b2L,0x9e64f6feb71f469fL,
+        0xb448ce33dfdaf859L,0x3f5c1c4cbe6b5df1L,0xfb8dfb001de45f7bL } },
+    /* 36 */
+    { { 0xc7345fa74d5bb921L,0x5c7e04be4d2b667eL,0x47ed3a80282d7a3eL,
+        0x5c2777f87e47b2a4L,0x89b3b10008488e2eL,0x9aad77c2b2eb5b45L },
+      { 0xd681bca7daac34aeL,0x2452e4e526afb326L,0x0c88792441a1ee14L,
+        0x743b04d4c2407adeL,0xcb5e999bfc17a2acL,0x4dca2f824a701a06L } },
+    /* 37 */
+    { { 0x68e31ca61127bc1aL,0xa3edd59b17ead3beL,0x67b6b645e25f5a15L,
+        0x76221794a420e15eL,0x794fd83b4b1e872eL,0x7cab3f03b2dece1bL },
+      { 0x7119bf15ca9b3586L,0xa55459244d250bd7L,0x173633eacc6bcf24L,
+        0x9bd308c2b1b6f884L,0x3bae06f5447d38c3L,0x54dcc135f341fe1cL } },
+    /* 38 */
+    { { 0x56d3598d943caf0dL,0xce044ea9225ff133L,0x9edf6a7c563fadeaL,
+        0x632eb94473e8dc27L,0x814b467e3190dcabL,0x2d4f4f316dbb1e31L },
+      { 0x8d69811ca143b7caL,0x4ec1ac32de7cf950L,0x223ab5fd37b5fe82L,
+        0xe82616e49390f1d9L,0xabff4b2075804610L,0x11b9be15875b08f0L } },
+    /* 39 */
+    { { 0x4ae31a3d3bbe682cL,0xbc7c5d2674eef2ddL,0x92afd10a3c47dd40L,
+        0xec7e0a3bc14ab9e1L,0x6a6c3dd1b2e495e4L,0x085ee5e9309bcd85L },
+      { 0xf381a9088c2e67fdL,0x32083a80e261eaf2L,0x0fcd6a4996deee15L,
+        0xe3b8fb035e524c79L,0x8dc360d91d5b08b9L,0x3a06e2c87f26719fL } },
+    /* 40 */
+    { { 0x5cd9f5a87237cac0L,0x93f0b59d43586794L,0x4384a764e94f6c4eL,
+        0x8304ed2bb62782d3L,0x0b8db8b3cde06015L,0x4336dd535dbe190fL },
+      { 0x5744355392ab473aL,0x031c7275be5ed046L,0x3e78678c21909aa4L,
+        0x4ab7e04f99202ddbL,0x2648d2066977e635L,0xd427d184093198beL } },
+    /* 41 */
+    { { 0x822848f50f9b5a31L,0xbb003468baadb62aL,0x233a04723357559cL,
+        0x49ef688079aee843L,0xa89867a0aeb9e1e3L,0xc151931b1f6f9a55L },
+      { 0xd264eb0bad74251eL,0x37b9b2634abf295eL,0xb600921b04960d10L,
+        0x0de53dbc4da77dc0L,0x01d9bab3d2b18697L,0xad54ec7af7156ddfL } },
+    /* 42 */
+    { { 0x8e74dc3579efdc58L,0x456bd3694ff68ddbL,0x724e74ccd32096a5L,
+        0xe41cff42386783d0L,0xa04c7f217c70d8a4L,0x41199d2fe61a19a2L },
+      { 0xd389a3e029c05dd2L,0x535f2a6be7e3fda9L,0x26ecf72d7c2b4df8L,
+        0x678275f4fe745294L,0x6319c9cc9d23f519L,0x1e05a02d88048fc4L } },
+    /* 43 */
+    { { 0x75cc8e2ed4d5ffe8L,0xf8bb4896dbea17f2L,0x35059790cee3cb4aL,
+        0x4c06ee85a47c6165L,0xf98fff2592935d2fL,0x34c4a57232ffd7c7L },
+      { 0xc4b14806ea0376a2L,0x2ea5e7504f115e02L,0x532d76e21e55d7c0L,
+        0x68dc9411f31044daL,0x9272e46571b77993L,0xadaa38bb93a8cfd5L } },
+    /* 44 */
+    { { 0x4bf0c7127d4ed72aL,0xda0e9264ba1f79a3L,0x48c0258bf4c39ea4L,
+        0xa5394ed82a715138L,0x4af511cebf06c660L,0xfcebceefec5c37cdL },
+      { 0xf23b75aa779ae8c1L,0xdeff59ccad1e606eL,0xf3f526fd22755c82L,
+        0x64c5ab44bb32cefdL,0xa96e11a2915bdefdL,0xab19746a1143813eL } },
+    /* 45 */
+    { { 0x43c78585ec837d7dL,0xca5b6fbcb8ee0ba4L,0x34e924d9d5dbb5eeL,
+        0x3f4fa104bb4f1ca5L,0x15458b72398640f7L,0x4231faa9d7f407eaL },
+      { 0x53e0661ef96e6896L,0x554e4c69d03b0f9dL,0xd4fcb07b9c7858d1L,
+        0x7e95279352cb04faL,0x5f5f15748974e7f7L,0x2e3fa5586b6d57c8L } },
+    /* 46 */
+    { { 0x42cd48036a9951a8L,0xa8b15b8842792ad0L,0x18e8bcf9abb29a73L,
+        0xbfd9a092409933e8L,0x760a3594efb88dc4L,0x1441886340724458L },
+      { 0x162a56ee99caedc7L,0x8fb12ecd91d101c9L,0xea671967393202daL,
+        0x1aac8c4aa4ccd796L,0x7db050361cf185a8L,0x0c9f86cd8cfd095aL } },
+    /* 47 */
+    { { 0x9a72814710b2a556L,0x767ca964327b70b2L,0x04ed9e125e3799b7L,
+        0x6781d2dc22a3eb2aL,0x5bd116eb0d9450acL,0xeccac1fca7ebe08aL },
+      { 0xde68444fdc2d6e94L,0x3621f42935ecf21bL,0x14e2d54329e03a2cL,
+        0x53e42cd57d3e7f0aL,0xbba26c0973ed00b9L,0x00297c39c57d2272L } },
+    /* 48 */
+    { { 0x3aaaab10b8243a7dL,0x6eeef93e8fa58c5bL,0xf866fca39ae7f764L,
+        0x64105a2661ab04d3L,0xa3578d8a03945d66L,0xb08cd3e4791b848cL },
+      { 0x45edc5f8756d2411L,0xd4a790d9a755128cL,0xc2cf096349e5f6a0L,
+        0xc66d267df649beaaL,0x3ce6d9688467039eL,0x50046c6b42f7816fL } },
+    /* 49 */
+    { { 0x92ae160266425043L,0x1ff66afdf08db890L,0x386f5a7f8f162ce5L,
+        0x18d2dea0fcf5598fL,0x78372b3a1a8ca18eL,0xdf0d20eb8cd0e6f7L },
+      { 0x7edd5e1d75bb4045L,0x252a47ceb96d94b7L,0xbdb293582c626776L,
+        0x853c394340dd1031L,0x9dc9becf7d5f47fdL,0x27c2302fbae4044aL } },
+    /* 50 */
+    { { 0x2d1d208a8f2d49ceL,0x0d91aa02162df0a2L,0x9c5cce8709a07f65L,
+        0xdf07238b84339012L,0x5028e2c8419442cdL,0x2dcbd35872062abaL },
+      { 0xb5fbc3cbe4680967L,0x2a7bc6459f92d72cL,0x806c76e1116c369dL,
+        0x5c50677a3177e8d8L,0x753739eb4569df57L,0x2d481ef636c3f40bL } },
+    /* 51 */
+    { { 0x1a2d39fdfea1103eL,0xeaae559295f81b17L,0xdbd0aa18f59b264aL,
+        0x90c39c1acb592ee0L,0xdf62f80d9750cca3L,0xda4d8283df97cc6cL },
+      { 0x0a6dd3461e201067L,0x1531f85969fb1f6bL,0x4895e5521d60121fL,
+        0x0b21aab04c041c91L,0x9d896c46bcc1ccf8L,0xd24da3b33141bde7L } },
+    /* 52 */
+    { { 0x575a053753b0a354L,0x392ff2f40c6ddcd8L,0x0b8e8cff56157b94L,
+        0x073e57bd3b1b80d1L,0x2a75e0f03fedee15L,0x752380e4aa8e6f19L },
+      { 0x1f4e227c6558ffe9L,0x3a34861819ec5415L,0xab382d5ef7997085L,
+        0x5e6deaffddc46ac2L,0xe5144078fc8d094cL,0xf674fe51f60e37c6L } },
+    /* 53 */
+    { { 0x6fb87ae5af63408fL,0xa39c36a9cd75a737L,0x7833313fcf4c618dL,
+        0xfbcd4482f034c88dL,0x4469a76139b35288L,0x77a711c566b5d9c9L },
+      { 0x4a695dc7944f8d65L,0xe6da5f65161aaba8L,0x8654e9c324601669L,
+        0xbc8b93f528ae7491L,0x5f1d1e838f5580d8L,0x8ccf9a1acea32cc8L } },
+    /* 54 */
+    { { 0x28ab110c7196fee2L,0x75799d63874c8945L,0xa262934829aedaddL,
+        0x9714cc7b2be88ff4L,0xf71293cfd58d60d6L,0xda6b6cb332a564e9L },
+      { 0xf43fddb13dd821c2L,0xf2f2785f90dd323dL,0x91246419048489f8L,
+        0x61660f26d24c6749L,0x961d9e8cc803c15cL,0x631c6158faadc4c9L } },
+    /* 55 */
+    { { 0xacf2ebe0fd752366L,0xb93c340e139be88bL,0x98f664850f20179eL,
+        0x14820254ff1da785L,0x5278e2764f85c16eL,0xa246ee457aab1913L },
+      { 0x43861eb453763b33L,0xc49f03fc45c0bc0dL,0xafff16bcad6b1ea1L,
+        0xce33908b6fd49c99L,0x5c51e9bff7fde8c3L,0x076a7a39ff142c5eL } },
+    /* 56 */
+    { { 0x04639dfe9e338d10L,0x8ee6996ff42b411bL,0x960461d1a875cef2L,
+        0x1057b6d695b4d0baL,0x27639252a906e0bcL,0x2c19f09ae1c20f8aL },
+      { 0x5b8fc3f0eef4c43dL,0xe2e1b1a807a84aa9L,0x5f455528835d2bdbL,
+        0x0f4aee4d207132ddL,0xe9f8338c3907f675L,0x7a874dc90e0531f0L } },
+    /* 57 */
+    { { 0x84b22d4597c27050L,0xbd0b8df759e70bf8L,0xb4d6740579738b9bL,
+        0x47f4d5f5cd917c4fL,0x9099c4ce13ce6e33L,0x942bfd39521d0f8bL },
+      { 0x5028f0f6a43b566dL,0xaf6e866921bff7deL,0x83f6f856c44232cdL,
+        0x65680579f915069aL,0xd12095a2ecfecb85L,0xcf7f06aedb01ba16L } },
+    /* 58 */
+    { { 0x0f56e3c48ef96c80L,0xd521f2b33ddb609cL,0x2be941027dc1450dL,
+        0x2d21a07102a91fe2L,0x2e6f74fa1efa37deL,0x9a9a90b8156c28a1L },
+      { 0xc54ea9ea9dc7dfcbL,0xc74e66fc2c2c1d62L,0x9f23f96749d3e067L,
+        0x1c7c3a4654dd38adL,0xc70058845946cee3L,0x8985636845cc045dL } },
+    /* 59 */
+    { { 0x29da7cd4fce73946L,0x8f697db523168563L,0x8e235e9ccba92ec6L,
+        0x55d4655f9f91d3eaL,0xf3689f23aa50a6cdL,0xdcf21c2621e6a1a0L },
+      { 0xcffbc82e61b818bfL,0xc74a2f96da47a243L,0x234e980a8bc1a0cfL,
+        0xf35fd6b57929cb6dL,0x81468e12efe17d6cL,0xddea6ae558b2dafbL } },
+    /* 60 */
+    { { 0x294de8877e787b2eL,0x258acc1f39a9310dL,0x92d9714aac14265dL,
+        0x18b5591c708b48a0L,0x27cc6bb0e1abbf71L,0xc0581fa3568307b9L },
+      { 0x9e0f58a3f24d4d58L,0xfebe9bb8e0ce2327L,0x91fd6a419d1be702L,
+        0x9a7d8a45facac993L,0xabc0a08c9e50d66dL,0x02c342f706498201L } },
+    /* 61 */
+    { { 0xccd71407157bdbc2L,0x72fa89c6ad0e1605L,0xb1d3da2bb92a015fL,
+        0x8ad9e7cda0a3fe56L,0x160edcbd24f06737L,0x79d4db3361275be6L },
+      { 0xd3d31fd95f3497c4L,0x8cafeaee04192fb0L,0xe13ca74513a50af3L,
+        0x188261678c85aae5L,0xce06cea89eb556ffL,0x2eef1995bdb549f3L } },
+    /* 62 */
+    { { 0x8ed7d3eb50596edcL,0xaa359362905243a2L,0xa212c2c2a4b6d02bL,
+        0x611fd727c4fbec68L,0x8a0b8ff7b84f733dL,0xd85a6b905f0daf0eL },
+      { 0x60e899f5d4091cf7L,0x4fef2b672eff2768L,0xc1f195cb10c33964L,
+        0x8275d36993626a8fL,0xc77904f40d6c840aL,0x88d8b7fd7a868acdL } },
+    /* 63 */
+    { { 0x85f237237bd98425L,0xd4463992c70b154eL,0xcbb00ee296687a2eL,
+        0x905fdbf7c83214fdL,0x2019d29313593684L,0x0428c393ef51218eL },
+      { 0x40c7623f981e909aL,0x925133857be192daL,0x48fe480f4010907eL,
+        0xdd7a187c3120b459L,0xc9d7702da1fd8f3cL,0x66e4753be358efc5L } },
+    /* 64 */
+    { { 0x070d34e116973cf4L,0x20aee08b7e4f34f7L,0x269af9b95eb8ad29L,
+        0xdde0a036a6a45ddaL,0xa18b528e63df41e0L,0x03cc71b2a260df2aL },
+      { 0x24a6770aa06b1dd7L,0x5bfa9c119d2675d3L,0x73c1e2a196844432L,
+        0x3660558d131a6cf0L,0xb0289c832ee79454L,0xa6aefb01c6d8ddcdL } },
+    /* 65 */
+    { { 0xba1464b401ab5245L,0x9b8d0b6dc48d93ffL,0x939867dc93ad272cL,
+        0xbebe085eae9fdc77L,0x73ae5103894ea8bdL,0x740fc89a39ac22e1L },
+      { 0x5e28b0a328e23b23L,0x2352722ee13104d0L,0xf4667a18b0a2640dL,
+        0xac74a72e49bb37c3L,0x79f734f0e81e183aL,0xbffe5b6c3fd9c0ebL } },
+    /* 66 */
+    { { 0xb1a358f5c6a2123fL,0x927b2d95fe28df6dL,0x89702753f199d2f9L,
+        0x0a73754c1a3f82dcL,0x063d029d777affe1L,0x5439817edae6d34dL },
+      { 0xf7979eef6b8b83c4L,0x615cb2149d945682L,0x8f0e4facc5e57eaeL,
+        0x042b89b8113047ddL,0x888356dc93f36508L,0xbf008d185fd1f32fL } },
+    /* 67 */
+    { { 0x8012aa244e8068dbL,0xc72cc641a5729a47L,0x3c33df2c43f0691dL,
+        0xfa0573471d92145fL,0xaefc0f2fb97f7946L,0x813d75cb2f8121bfL },
+      { 0x05613c724383bba6L,0xa924ce70a4224b3fL,0xe59cecbe5f2179a6L,
+        0x78e2e8aa79f62b61L,0x3ac2cc3b53ad8079L,0x55518d71d8f4fa96L } },
+    /* 68 */
+    { { 0x03cf292200623f3bL,0x095c71115f29ebffL,0x42d7224780aa6823L,
+        0x044c7ba17458c0b0L,0xca62f7ef0959ec20L,0x40ae2ab7f8ca929fL },
+      { 0xb8c5377aa927b102L,0x398a86a0dc031771L,0x04908f9dc216a406L,
+        0xb423a73a918d3300L,0x634b0ff1e0b94739L,0xe29de7252d69f697L } },
+    /* 69 */
+    { { 0x744d14008435af04L,0x5f255b1dfec192daL,0x1f17dc12336dc542L,
+        0x5c90c2a7636a68a8L,0x960c9eb77704ca1eL,0x9de8cf1e6fb3d65aL },
+      { 0xc60fee0d511d3d06L,0x466e2313f9eb52c7L,0x743c0f5f206b0914L,
+        0x42f55bac2191aa4dL,0xcefc7c8fffebdbc2L,0xd4fa6081e6e8ed1cL } },
+    /* 70 */
+    { { 0xb5e405d3b0ab9645L,0xaeec7f98d5f1f711L,0x8ad42311585c2a6eL,
+        0x045acb9e512c6944L,0xae106c4ea90db1c6L,0xb89f33d5898e6563L },
+      { 0x43b07cd97fed2ce4L,0xf9934e17dd815b20L,0x6778d4d50a81a349L,
+        0x9e616ade52918061L,0xfa06db06d7e67112L,0x1da23cf188488091L } },
+    /* 71 */
+    { { 0x821c46b342f2c4b5L,0x931513ef66059e47L,0x7030ae4366f50cd1L,
+        0x43b536c943e7b127L,0x006258cf5fca5360L,0xe4e3ee796b557abfL },
+      { 0xbb6b390024c8b22fL,0x2eb5e2c1fcbf1054L,0x937b18c9567492afL,
+        0xf09432e4acf53957L,0x585f5a9d1dbf3a56L,0xf86751fdbe0887cfL } },
+    /* 72 */
+    { { 0x157399cb9d10e0b2L,0x1c0d595660dc51b7L,0x1d496b8a1f583090L,
+        0x6658bc2688590484L,0x88c08ab703213f28L,0x8d2e0f737ae58de4L },
+      { 0x9b79bc95486cfee6L,0x036a26c7e9e5bc57L,0x1ad03601cd8ae97aL,
+        0x06907f87ff3a0494L,0x078f4bbf2c7eb584L,0xe3731bf57e8d0a5aL } },
+    /* 73 */
+    { { 0x72f2282be1cd0abeL,0xd4f9015e87efefa2L,0x9d1898066c3834bdL,
+        0x9c8cdcc1b8a29cedL,0x0601b9f4fee82ebcL,0x371052bc7206a756L },
+      { 0x76fa109246f32562L,0xdaad534c17351bb4L,0xc3d64c37b3636bb5L,
+        0x038a8c5145d54e00L,0x301e618032c09e7cL,0x9764eae795735151L } },
+    /* 74 */
+    { { 0x8791b19fcbd5256aL,0x4007e0f26ca13a3bL,0x03b794604cf06904L,
+        0xb18a9c22b6c17589L,0xa1cb7d7d81d45908L,0x6e13fa9d21bb68f1L },
+      { 0x47183c62a71e6e16L,0x5cf0ef8ee18749edL,0x2c9c7f9b2e5ed409L,
+        0x042eeacce6e117e1L,0xb86d481613fb5a7fL,0xea1cf0edc9e5feb1L } },
+    /* 75 */
+    { { 0x6e6573c9cea4cc9bL,0x5417961dafcec8f3L,0x804bf02aa438b6f6L,
+        0xb894b03cdcd4ea88L,0xd0f807e93799571fL,0x3466a7f5862156e8L },
+      { 0x51e59acd56515664L,0x55b0f93ca3c5eb0bL,0x84a06b026a4279dbL,
+        0x5c850579c5fae08eL,0xcf07b8dba663a1a2L,0x49a36bbcf46ffc8dL } },
+    /* 76 */
+    { { 0xe47f5acc46d93106L,0x65b7ade0aa897c9cL,0x37cf4c9412d7e4beL,
+        0xa2ae9b80d4b2caa9L,0x5e7ce09ce60357a3L,0x29f77667c8ecd5f9L },
+      { 0xdf6868f5a8a0b1c5L,0x240858cf62978ad8L,0x0f7ac101dc0002a1L,
+        0x1d28a9d7ffe9aa05L,0x744984d65b962c97L,0xa8a7c00b3d28c8b2L } },
+    /* 77 */
+    { { 0x7c58a852ae11a338L,0xa78613f1d1af96e7L,0x7e9767d25355cc73L,
+        0x6ba37009792a2de6L,0x7d60f618124386b2L,0xab09b53111157674L },
+      { 0x95a0484198eb9dd0L,0xe6c17acc15070328L,0xafc6da45489c6e49L,
+        0xab45a60abb211530L,0xc58d65927d7ea933L,0xa3ef3c65095642c6L } },
+    /* 78 */
+    { { 0x89d420e9df010879L,0x9d25255d39576179L,0x9cdefd50e39513b6L,
+        0xe4efe45bd5d1c313L,0xc0149de73f7af771L,0x55a6b4f4340ab06bL },
+      { 0xf1325251ebeaf771L,0x2ab44128878d4288L,0xfcd5832e18e05afeL,
+        0xef52a348cc1fb62bL,0x2bd08274c1c4792aL,0x345c5846877c6dc7L } },
+    /* 79 */
+    { { 0xde15ceb0bea65e90L,0x0987f72b2416d99cL,0x44db578dfd863decL,
+        0xf617b74bac6a3578L,0x9e62bd7adb48e999L,0x877cae61eab1a1beL },
+      { 0x23adddaa3a358610L,0x2fc4d6d1325e2b07L,0x897198f51585754eL,
+        0xf741852cb392b584L,0x9927804cb55f7de1L,0xe9e6c4ed1aa8efaeL } },
+    /* 80 */
+    { { 0x867db63998683186L,0xfb5cf424ddcc4ea9L,0xcc9a7ffed4f0e7bdL,
+        0x7c57f71c7a779f7eL,0x90774079d6b25ef2L,0x90eae903b4081680L },
+      { 0xdf2aae5e0ee1fcebL,0x3ff1da24e86c1a1fL,0x80f587d6ca193edfL,
+        0xa5695523dc9b9d6aL,0x7b84090085920303L,0x1efa4dfcba6dbdefL } },
+    /* 81 */
+    { { 0xfbd838f9e0540015L,0x2c323946c39077dcL,0x8b1fb9e6ad619124L,
+        0x9612440c0ca62ea8L,0x9ad9b52c2dbe00ffL,0xf52abaa1ae197643L },
+      { 0xd0e898942cac32adL,0xdfb79e4262a98f91L,0x65452ecf276f55cbL,
+        0xdb1ac0d27ad23e12L,0xf68c5f6ade4986f0L,0x389ac37b82ce327dL } },
+    /* 82 */
+    { { 0x511188b4f8e60f5bL,0x7fe6701548aa2adaL,0xdb333cb8381abca2L,
+        0xb15e6d9ddaf3fc97L,0x4b24f6eb36aabc03L,0xc59789df72a748b4L },
+      { 0x26fcb8a529cf5279L,0x7a3c6bfc01ad9a6cL,0x866cf88d4b8bac9bL,
+        0xf4c899899c80d041L,0xf0a0424170add148L,0x5a02f47945d81a41L } },
+    /* 83 */
+    { { 0xfa5c877cc1c90202L,0xd099d440f8ac7570L,0x428a5b1bd17881f7L,
+        0x61e267db5b2501d7L,0xf889bf04f2e4465bL,0x4da3ae0876aa4cb8L },
+      { 0x3ef0fe26e3e66861L,0x5e7729533318b86dL,0xc3c35fbc747396dfL,
+        0x5115a29c439ffd37L,0xbfc4bd97b2d70374L,0x088630ea56246b9dL } },
+    /* 84 */
+    { { 0xcd96866db8a9e8c9L,0xa11963b85bb8091eL,0xc7f90d53045b3cd2L,
+        0x755a72b580f36504L,0x46f8b39921d3751cL,0x4bffdc9153c193deL },
+      { 0xcd15c049b89554e7L,0x353c6754f7a26be6L,0x79602370bd41d970L,
+        0xde16470b12b176c0L,0x56ba117540c8809dL,0xe2db35c3e435fb1eL } },
+    /* 85 */
+    { { 0xd71e4aab6328e33fL,0x5486782baf8136d1L,0x07a4995f86d57231L,
+        0xf1f0a5bd1651a968L,0xa5dc5b2476803b6dL,0x5c587cbc42dda935L },
+      { 0x2b6cdb32bae8b4c0L,0x66d1598bb1331138L,0x4a23b2d25d7e9614L,
+        0x93e402a674a8c05dL,0x45ac94e6da7ce82eL,0xeb9f8281e463d465L } },
+    /* 86 */
+    { { 0x34e0f9d1fecf5b9bL,0xa115b12bf206966aL,0x5591cf3b1eaa0534L,
+        0x5f0293cbfb1558f9L,0x1c8507a41bc703a5L,0x92e6b81c862c1f81L },
+      { 0xcc9ebc66cdaf24e3L,0x68917ecd72fcfc70L,0x6dc9a9308157ba48L,
+        0x5d425c08b06ab2b2L,0x362f8ce736e929c4L,0x09f6f57c62e89324L } },
+    /* 87 */
+    { { 0x1c7d6b78d29375fbL,0xfabd851ee35d1157L,0xf6f62dcd4243ea47L,
+        0x1dd924608fe30b0fL,0x08166dfaffc6e709L,0xc6c4c6930881e6a7L },
+      { 0x20368f87d6a53fb0L,0x38718e9f9eb4d1f9L,0x03f08acdafd7e790L,
+        0x0835eb4472fe2a1cL,0x7e05090388076e5dL,0x538f765ea638e731L } },
+    /* 88 */
+    { { 0x0e0249d9c2663b4bL,0xe700ab5b47cd38ddL,0xb192559d2c46559fL,
+        0x8f9f74a84bcde66dL,0xad1615233e2aced5L,0xc155c0473dd03a5bL },
+      { 0x346a87993be454ebL,0x66ee94db83b7dccdL,0x1f6d8378ab9d2abeL,
+        0x4a396dd27733f355L,0x419bd40af53553c2L,0xd0ead98d731dd943L } },
+    /* 89 */
+    { { 0x908e0b0eec142408L,0x98943cb94114b310L,0x03dbf7d81742b1d7L,
+        0xd270df6b693412f4L,0xc50654948f69e20cL,0xa76a90c3697e43a1L },
+      { 0xe0fa33844624825aL,0x82e48c0b8acc34c2L,0x7b24bd14e9a14f2bL,
+        0x4f5dd5e24db30803L,0x0c77a9e7932da0a3L,0x20db90f274c653dcL } },
+    /* 90 */
+    { { 0x261179b70e6c5fd9L,0xf8bec1236c982eeaL,0x47683338d4957b7eL,
+        0xcc47e6640a72f66aL,0xbd54bf6a1bad9350L,0xdfbf4c6af454e95aL },
+      { 0x3f7a7afa6907f4faL,0x7311fae0865ca735L,0x24737ab82a496adaL,
+        0x13e425f115feb79bL,0xe9e97c50a1b93c21L,0xb26b6eac4ddd3eb5L } },
+    /* 91 */
+    { { 0x81cab9f52a2e5f2bL,0xf93caf29bf385ac4L,0xf4bf35c3c909963aL,
+        0x081e730074c9143cL,0x3ea57fa8c281b4c5L,0xe497905c9b340741L },
+      { 0xf556dd8a55ab3cfbL,0xd444b96b518db6adL,0x34f5425a5ef4b955L,
+        0xdda7a3acecd26aa3L,0xb57da11bda655e97L,0x02da3effc2024c70L } },
+    /* 92 */
+    { { 0xe24b00366481d0d9L,0x3740dbe5818fdfe2L,0xc1fc1f45190fda00L,
+        0x329c92803cf27fdeL,0x7435cb536934f43eL,0x2b505a5d7884e8feL },
+      { 0x6cfcc6a6711adcc9L,0xf034325c531e21e1L,0xa2f4a9679b2a8a99L,
+        0x9d5f38423c21bdffL,0xb25c781131b57d66L,0xdb5344d80b8093b9L } },
+    /* 93 */
+    { { 0x0d72e667ae50a2f5L,0x9b7f8d8ae4a861d1L,0xa129f70f330df1cbL,
+        0xe90aa5d7e04fefc3L,0xff561ecbe72c3ae1L,0x0d8fb428cdb955faL },
+      { 0xd2235f73d7663784L,0xc05baec67e2c456aL,0xe5c292e42adbfcccL,
+        0x4fd17988efb110d5L,0x27e57734d19d49f3L,0x188ac4ce84f679feL } },
+    /* 94 */
+    { { 0x7ee344cfa796c53eL,0xbbf6074d0868009bL,0x1f1594f7474a1295L,
+        0x66776edcac11632dL,0x1862278b04e2fa5aL,0x52665cf2c854a89aL },
+      { 0x7e3764648104ab58L,0x167759137204fd6dL,0x86ca06a544ea1199L,
+        0xaa3f765b1c9240ddL,0x5f8501a924746149L,0x7b982e30dcd251d7L } },
+    /* 95 */
+    { { 0xe44e9efcc15f3060L,0x5ad62f2ea87ebbe6L,0x36499d41c79500d4L,
+        0xa66d6dc0336fa9d1L,0xf8afc4955afd3b1fL,0x1d8ccb24e5c9822bL },
+      { 0x4031422b79d7584bL,0xc54a0580ea3f20ddL,0x3f837c8f958468c5L,
+        0x3d82f110fbea7735L,0x679a87787dffe2fcL,0x48eba63b20704803L } },
+    /* 96 */
+    { { 0x89b10d41df46e2f6L,0x13ab57f819514367L,0x067372b91d469c87L,
+        0x0c195afa4f6c5798L,0xea43a12a272c9acfL,0x9dadd8cb678abdacL },
+      { 0xcce56c6be182579aL,0x86febadb2d26c2d8L,0x1c668ee12a44745cL,
+        0x580acd8698dc047aL,0x5a2b79cc51b9ec2dL,0x007da6084054f6a0L } },
+    /* 97 */
+    { { 0x9e3ca35217b00dd0L,0x046779cb0e81a7a6L,0xb999fef3d482d871L,
+        0xe6f38134d9233fbcL,0x112c3001f48cd0e0L,0x934e75763c6c66aeL },
+      { 0xb44d4fc3d73234dcL,0xfcae2062864eafc1L,0x843afe2526bef21aL,
+        0x61355107f3b75fdfL,0x8367a5aa794c2e6bL,0x3d2629b18548a372L } },
+    /* 98 */
+    { { 0x6230618f437cfaf8L,0x5b8742cb2032c299L,0x949f72472293643aL,
+        0xb8040f1a09464f79L,0x049462d24f254143L,0xabd6b522366c7e76L },
+      { 0x119b392bd5338f55L,0x1a80a9ce01495a0cL,0xf3118ca7f8d7537eL,
+        0xb715adc26bf4b762L,0x24506165a8482b6cL,0xd958d7c696a7c84dL } },
+    /* 99 */
+    { { 0x9ad8aa87bdc21f31L,0xadb3cab48063e58cL,0xefd86283b07dd7b8L,
+        0xc7b9b7621be7c6b4L,0x2ef58741015582deL,0xc970c52e299addf3L },
+      { 0x78f02e2a22f24d66L,0xefec1d1074cc100aL,0xaf2a6a3909316e1aL,
+        0xce7c22055849dd49L,0x9c1fe75c96bffc4cL,0xcad98fd27ba06ec0L } },
+    /* 100 */
+    { { 0xed76e2d0b648b73eL,0xa9f92ce51cfd285eL,0xa8c86c062ed13de1L,
+        0x1d3a574ea5191a93L,0x385cdf8b1ad1b8bfL,0xbbecc28a47d2cfe3L },
+      { 0x98d326c069cec548L,0x4f5bc1ddf240a0b2L,0x241a706229057236L,
+        0x0fc6e9c5c68294a4L,0x4d04838ba319f17aL,0x8b612cf19ffc1c6fL } },
+    /* 101 */
+    { { 0x9bb0b5014c3830ebL,0x3d08f83c8ee0d0c5L,0xa4a6264279ba9389L,
+        0x5d5d40449cbc2914L,0xae9eb83e074c46f0L,0x63bb758f74ead7d6L },
+      { 0x1c40d2eac6bb29e0L,0x95aa2d874b02f41eL,0x9298917553cb199aL,
+        0xdd91bafe51584f6dL,0x3715efb931a1aaecL,0xc1b6ae5b46780f9eL } },
+    /* 102 */
+    { { 0xcded3e4b42772f41L,0x3a700d5d3bcb79d1L,0x4430d50e80feee60L,
+        0x444ef1fcf5e5d4bbL,0xc660194fe6e358ffL,0xe68a2f326a91b43cL },
+      { 0x5842775c977fe4d2L,0x78fdef5c7e2a41ebL,0x5f3bec02ff8df00eL,
+        0xf4b840cd5852525dL,0x0870483a4e6988bdL,0x39499e39cc64b837L } },
+    /* 103 */
+    { { 0xfc05de80b08df5feL,0x0c12957c63ba0362L,0xea379414d5cf1428L,
+        0xc559132a54ef6216L,0x33d5f12fb9e65cf8L,0x09c602781695d663L },
+      { 0x3ac1ced461f7a2fbL,0xdd838444d4f5eeb8L,0x82a38c6c8318fcadL,
+        0x315be2e5e9f1a864L,0x317b5771442daf47L,0x81b5904a95aa5f9eL } },
+    /* 104 */
+    { { 0x6b6b1c508b21d232L,0x87f3dbc08c2cba75L,0xa7e74b46ae9f0fafL,
+        0x036a0985bb7b8079L,0x4f185b908d974a25L,0x5aa7cef0d9af5ec9L },
+      { 0xe0566a7057dcfffcL,0x6ea311dab8453225L,0x72ea1a8d23368aa9L,
+        0xed9b208348cd552dL,0xb987967cc80ea435L,0xad735c756c104173L } },
+    /* 105 */
+    { { 0xaea85ab3cee76ef4L,0x44997444af1d2b93L,0x0851929beacb923fL,
+        0xb080b59051e3bc0cL,0xc4ee1d8659be68a2L,0xf00de21964b26cdaL },
+      { 0x8d7fb5c0f2e90d4dL,0x00e219a777d9ec64L,0xc4e6febd5d1c491cL,
+        0x080e37541a8f4585L,0x4a9b86c848d2af9cL,0x2ed70db6b6679851L } },
+    /* 106 */
+    { { 0xaee44116586f25cbL,0xf7b6861fa0fcf70fL,0x55d2cd2018a350e8L,
+        0x861bf3e592dc286fL,0x9ab18ffa6226aba7L,0xd15827bea9857b03L },
+      { 0x26c1f54792e6acefL,0x422c63c8ac1fbac3L,0xa2d8760dfcbfd71dL,
+        0x35f6a539b2511224L,0xbaa88fa1048d1a21L,0x49f1abe9ebf999dbL } },
+    /* 107 */
+    { { 0x16f9f4f4f7492b73L,0xcf28ec1ecb392b1aL,0x45b130d469ca6ffcL,
+        0x28ba8d40b72efa58L,0xace987c75ca066f5L,0x3e3992464ad022ebL },
+      { 0x63a2d84e752555bbL,0xaaa93b4a9c2ae394L,0xcd80424ec89539caL,
+        0x6d6b5a6daa119a99L,0xbd50334c379f2629L,0x899e925eef3cc7d3L } },
+    /* 108 */
+    { { 0xb7ff3651bf825dc4L,0x0f741cc440b9c462L,0x771ff5a95cc4fb5bL,
+        0xcb9e9c9b47fd56feL,0xbdf053db5626c0d3L,0xa97ce675f7e14098L },
+      { 0x68afe5a36c934f5eL,0x6cd5e148ccefc46fL,0xc7758570d7a88586L,
+        0x49978f5edd558d40L,0xa1d5088a64ae00c1L,0x58f2a720f1d65bb2L } },
+    /* 109 */
+    { { 0x66fdda4a3e4daedbL,0x38318c1265d1b052L,0x28d910a24c4bbf5cL,
+        0x762fe5c478a9cd14L,0x08e5ebaad2cc0aeeL,0xd2cdf257ca0c654cL },
+      { 0x48f7c58b08b717d2L,0x3807184a386cd07aL,0x3240f626ae7d0112L,
+        0x03e9361bc43917b0L,0xf261a87620aea018L,0x53f556a47e1e6372L } },
+    /* 110 */
+    { { 0xc84cee562f512a90L,0x24b3c0041b0ea9f1L,0x0ee15d2de26cc1eaL,
+        0xd848762cf0c9ef7dL,0x1026e9c5d5341435L,0x8f5b73dcfdb16b31L },
+      { 0x1f69bef2d2c75d95L,0x8d33d581be064ddaL,0x8c024c1257ed35e6L,
+        0xf8d435f9c309c281L,0xfd295061d6960193L,0x66618d78e9e49541L } },
+    /* 111 */
+    { { 0x571cfd458ce382deL,0x175806eede900ddeL,0x6184996534aba3b5L,
+        0xe899778ade7aec95L,0xe8f00f6eff4aa97fL,0xae971cb5010b0c6dL },
+      { 0x1827eebc3af788f1L,0xd46229ffe413fe2dL,0x8a15455b4741c9b4L,
+        0x5f02e690f8e424ebL,0x40a1202edae87712L,0x49b3bda264944f6dL } },
+    /* 112 */
+    { { 0xd63c6067035b2d69L,0xb507150d6bed91b0L,0x1f35f82f7afb39b2L,
+        0xb9bd9c0116012b66L,0x00d97960ed0a5f50L,0xed7054512716f7c9L },
+      { 0x1576eff4127abdb4L,0x6850d698f01e701cL,0x9fa7d7493fc87e2fL,
+        0x0b6bcc6fb0ce3e48L,0xf4fbe1f5f7d8c1c0L,0xcf75230e02719cc6L } },
+    /* 113 */
+    { { 0x6761d6c2722d94edL,0xd1ec3f213718820eL,0x65a40b7025d0e7c6L,
+        0xd67f830ebaf3cf31L,0x633b3807b93ea430L,0x17faa0ea0bc96c69L },
+      { 0xe6bf3482df866b98L,0x205c1ee9a9db52d4L,0x51ef9bbdff9ab869L,
+        0x3863dad175eeb985L,0xef216c3bd3cf442aL,0x3fb228e3f9c8e321L } },
+    /* 114 */
+    { { 0x94f9b70c0760ac07L,0xf3c9ccae9d79bf4dL,0x73cea084c5ffc83dL,
+        0xef50f943dc49c38eL,0xf467a2aebc9e7330L,0x5ee534b644ea7fbaL },
+      { 0x20cb627203609e7fL,0x0984435562fdc9f0L,0xaf5c8e580f1457f7L,
+        0xd1f50a6cb4b25941L,0x77cb247c2ec82395L,0xa5f3e1e5da3dca33L } },
+    /* 115 */
+    { { 0x023489d67d85fa94L,0x0ba405372db9ce47L,0x0fdf7a1faed7aad1L,
+        0xa57b0d739a4ccb40L,0x48fcec995b18967cL,0xf30b5b6eb7274d24L },
+      { 0x7ccb4773c81c5338L,0xb85639e6a3ed6bd0L,0x7d9df95f1d56eadaL,
+        0xe256d57f0a1607adL,0x6da7ffdc957574d6L,0x65f8404601c7a8c4L } },
+    /* 116 */
+    { { 0x8d45d0cbcba1e7f1L,0xef0a08c002b55f64L,0x771ca31b17e19892L,
+        0xe1843ecb4885907eL,0x67797ebc364ce16aL,0x816d2b2d8df4b338L },
+      { 0xe870b0e539aa8671L,0x9f0db3e4c102b5f5L,0x342966591720c697L,
+        0x0ad4c89e613c0d2aL,0x1af900b2418ddd61L,0xe087ca72d336e20eL } },
+    /* 117 */
+    { { 0x222831ffaba10079L,0x0dc5f87b6d64fff2L,0x445479073e8cb330L,
+        0xe815aaa2702a33fbL,0x338d6b2e5fba3215L,0x0f7535cb79f549c8L },
+      { 0x471ecd972ee95923L,0x1e868b37c6d1c09fL,0x2bc7b8ecc666ef4eL,
+        0xf5416589808a4bfcL,0xf23e9ee23fbc4d2eL,0x4357236c2d75125bL } },
+    /* 118 */
+    { { 0xfe176d95ba9cdb1bL,0x45a1ca012f82791eL,0x97654af24de4cca2L,
+        0xbdbf9d0e5cc4bcb9L,0xf6a7df50ad97ac0aL,0xc52112b061359fd6L },
+      { 0x696d9ce34f05eae3L,0x903adc02e943ac2bL,0xa90753470848be17L,
+        0x1e20f1702a3973e5L,0xe1aacc1c6feb67e9L,0x2ca0ac32e16bc6b9L } },
+    /* 119 */
+    { { 0xffea12e4ef871eb5L,0x94c2f25da8bf0a7aL,0x4d1e4c2a78134eaaL,
+        0x11ed16fb0360fb10L,0x4029b6db85fc11beL,0x5e9f7ab7f4d390faL },
+      { 0x5076d72f30646612L,0xa0afed1ddda1d0d8L,0x2902225785a1d103L,
+        0xcb499e174e276bcdL,0x16d1da7151246c3dL,0xc72d56d3589a0443L } },
+    /* 120 */
+    { { 0xdf5ffc74dae5bb45L,0x99068c4a261bd6dcL,0xdc0afa7aaa98ec7bL,
+        0xedd2ee00f121e96dL,0x163cc7be1414045cL,0xb0b1bbce335af50eL },
+      { 0xd440d78501a06293L,0xcdebab7c6552e644L,0x48cb8dbc8c757e46L,
+        0x81f9cf783cabe3cbL,0xddd02611b123f59aL,0x3dc7b88eeeb3784dL } },
+    /* 121 */
+    { { 0xe1b8d398c4741456L,0xa9dfa9026032a121L,0x1cbfc86d1263245bL,
+        0xf411c7625244718cL,0x96521d5405b0fc54L,0x1afab46edbaa4985L },
+      { 0xa75902ba8674b4adL,0x486b43ad5ad87d12L,0x72b1c73636e0d099L,
+        0x39890e07bb6cd6d6L,0x8128999c59bace4eL,0xd8da430b7b535e33L } },
+    /* 122 */
+    { { 0x39f65642c6b75791L,0x050947a621806bfbL,0x0ca3e3701362ef84L,
+        0x9bc60aed8c3d2391L,0x9b488671732e1ddcL,0x12d10d9ea98ee077L },
+      { 0xb6f2822d3651b7dcL,0x6345a5ba80abd138L,0x62033262472d3c84L,
+        0xd54a1d40acc57527L,0x6ea46b3a424447cbL,0x5bc410572fb1a496L } },
+    /* 123 */
+    { { 0xe70c57a3a751cd0eL,0x190d8419eba3c7d6L,0xb1c3bee79d47d55aL,
+        0xda941266f912c6d8L,0x12e9aacc407a6ad6L,0xd6ce5f116e838911L },
+      { 0x063ca97b70e1f2ceL,0xa3e47c728213d434L,0xa016e24184df810aL,
+        0x688ad7b0dfd881a4L,0xa37d99fca89bf0adL,0xd8e3f339a23c2d23L } },
+    /* 124 */
+    { { 0xbdf53163750bed6fL,0x808abc3283e68b0aL,0x85a366275bb08a33L,
+        0xf72a3a0f6b0e4abeL,0xf7716d19faf0c6adL,0x22dcc0205379b25fL },
+      { 0x7400bf8df9a56e11L,0x6cb8bad756a47f21L,0x7c97176f7a6eb644L,
+        0xe8fd84f7d1f5b646L,0x98320a9444ddb054L,0x07071ba31dde86f5L } },
+    /* 125 */
+    { { 0x6fdfa0e598f8fcb9L,0x89cec8e094d0d70cL,0xa0899397106d20a8L,
+        0x915bfb9aba8acc9cL,0x1370c94b5507e01cL,0x83246a608a821ffbL },
+      { 0xa8273a9fbe3c378fL,0x7e54478935a25be9L,0x6cfa49724dd929d7L,
+        0x987fed9d365bd878L,0x4982ac945c29a7aeL,0x4589a5d75ddd7ec5L } },
+    /* 126 */
+    { { 0x9fabb174a95540a9L,0x7cfb886f0162c5b0L,0x17be766bea3dee18L,
+        0xff7da41fe88e624cL,0xad0b71eb8b919c38L,0x86a522e0f31ff9a9L },
+      { 0xbc8e6f72868bc259L,0x6130c6383ccef9e4L,0x09f1f4549a466555L,
+        0x8e6c0f0919b2bfb4L,0x945c46c90ca7bb22L,0xacd871684dafb67bL } },
+    /* 127 */
+    { { 0x090c72ca10c53841L,0xc20ae01b55a4fcedL,0x03f7ebd5e10234adL,
+        0xb3f42a6a85892064L,0xbdbc30c0b4a14722L,0x971bc4378ca124ccL },
+      { 0x6f79f46d517ff2ffL,0x6a9c96e2ecba947bL,0x5e79f2f462925122L,
+        0x30a96bb16a4e91f1L,0x1147c9232d4c72daL,0x65bc311f5811e4dfL } },
+    /* 128 */
+    { { 0x87c7dd7d139b3239L,0x8b57824e4d833baeL,0xbcbc48789fff0015L,
+        0x8ffcef8b909eaf1aL,0x9905f4eef1443a78L,0x020dd4a2e15cbfedL },
+      { 0xca2969eca306d695L,0xdf940cadb93caf60L,0x67f7fab787ea6e39L,
+        0x0d0ee10ff98c4fe5L,0xc646879ac19cb91eL,0x4b4ea50c7d1d7ab4L } },
+    /* 129 */
+    { { 0x19e409457a0db57eL,0xe6017cad9a8c9702L,0xdbf739e51be5cff9L,
+        0x3646b3cda7a938a2L,0x0451108568350dfcL,0xad3bd6f356e098b5L },
+      { 0x935ebabfee2e3e3eL,0xfbd01702473926cbL,0x7c735b029e9fb5aaL,
+        0xc52a1b852e3feff0L,0x9199abd3046b405aL,0xe306fcec39039971L } },
+    /* 130 */
+    { { 0xd6d9aec823e4712cL,0x7ca8376cc3c198eeL,0xe6d8318731bebd8aL,
+        0xed57aff3d88bfef3L,0x72a645eecf44edc7L,0xd4e63d0b5cbb1517L },
+      { 0x98ce7a1cceee0ecfL,0x8f0126335383ee8eL,0x3b879078a6b455e8L,
+        0xcbcd3d96c7658c06L,0x721d6fe70783336aL,0xf21a72635a677136L } },
+    /* 131 */
+    { { 0x19d8b3cd9586ba11L,0xd9e0aeb28a5c0480L,0xe4261dbf2230ef5cL,
+        0x095a9dee02e6bf09L,0x8963723c80dc7784L,0x5c97dbaf145157b1L },
+      { 0x97e744344bc4503eL,0x0fb1cb3185a6b370L,0x3e8df2becd205d4bL,
+        0x497dd1bcf8f765daL,0x92ef95c76c988a1aL,0x3f924baa64dc4cfaL } },
+    /* 132 */
+    { { 0x6bf1b8dd7268b448L,0xd4c28ba1efd79b94L,0x2fa1f8c8e4e3551fL,
+        0x769e3ad45c9187a9L,0x28843b4d40326c0dL,0xfefc809450d5d669L },
+      { 0x30c85bfd90339366L,0x4eeb56f15ccf6c3aL,0x0e72b14928ccd1dcL,
+        0x73ee85b5f2ce978eL,0xcdeb2bf33165bb23L,0x8106c9234e410abfL } },
+    /* 133 */
+    { { 0xc8df01617d02f4eeL,0x8a78154718e21225L,0x4ea895eb6acf9e40L,
+        0x8b000cb56e5a633dL,0xf31d86d57e981ffbL,0xf5c8029c4475bc32L },
+      { 0x764561ce1b568973L,0x2f809b81a62996ecL,0x9e513d64da085408L,
+        0xc27d815de61ce309L,0x0da6ff99272999e0L,0xbd284779fead73f7L } },
+    /* 134 */
+    { { 0x6033c2f99b1cdf2bL,0x2a99cf06bc5fa151L,0x7d27d25912177b3bL,
+        0xb1f15273c4485483L,0x5fd57d81102e2297L,0x3d43e017c7f6acb7L },
+      { 0x41a8bb0b3a70eb28L,0x67de2d8e3e80b06bL,0x09245a4170c28de5L,
+        0xad7dbcb1a7b26023L,0x70b08a352cbc6c1eL,0xb504fb669b33041fL } },
+    /* 135 */
+    { { 0xa8e85ab5f97a27c2L,0x6ac5ec8bc10a011bL,0x55745533ffbcf161L,
+        0x01780e8565790a60L,0xe451bf8599ee75b0L,0x8907a63b39c29881L },
+      { 0x76d46738260189edL,0x284a443647bd35cbL,0xd74e8c4020cab61eL,
+        0x6264bf8c416cf20aL,0xfa5a6c955fd820ceL,0xfa7154d0f24bb5fcL } },
+    /* 136 */
+    { { 0x18482cec9b3f5034L,0x962d445acd9e68fdL,0x266fb1d695746f23L,
+        0xc66ade5a58c94a4bL,0xdbbda826ed68a5b6L,0x05664a4d7ab0d6aeL },
+      { 0xbcd4fe51025e32fcL,0x61a5aebfa96df252L,0xd88a07e231592a31L,
+        0x5d9d94de98905517L,0x96bb40105fd440e7L,0x1b0c47a2e807db4cL } },
+    /* 137 */
+    { { 0x5c2a6ac808223878L,0xba08c269e65a5558L,0xd22b1b9b9bbc27fdL,
+        0x919171bf72b9607dL,0x9ab455f9e588dc58L,0x6d54916e23662d93L },
+      { 0x8da8e9383b1de0c1L,0xa84d186a804f278fL,0xbf4988ccd3461695L,
+        0xf5eae3bee10eb0cbL,0x1ff8b68fbf2a66edL,0xa68daf67c305b570L } },
+    /* 138 */
+    { { 0xc1004cff44b2e045L,0x91b5e1364b1c05d4L,0x53ae409088a48a07L,
+        0x73fb2995ea11bb1aL,0x320485703d93a4eaL,0xcce45de83bfc8a5fL },
+      { 0xaff4a97ec2b3106eL,0x9069c630b6848b4fL,0xeda837a6ed76241cL,
+        0x8a0daf136cc3f6cfL,0x199d049d3da018a8L,0xf867c6b1d9093ba3L } },
+    /* 139 */
+    { { 0xe4d42a5656527296L,0xae26c73dce71178dL,0x70a0adac6c251664L,
+        0x813483ae5dc0ae1dL,0x7574eacddaab2dafL,0xc56b52dcc2d55f4fL },
+      { 0x872bc16795f32923L,0x4be175815bdd2a89L,0x9b57f1e7a7699f00L,
+        0x5fcd9c723ac2de02L,0x83af3ba192377739L,0xa64d4e2bfc50b97fL } },
+    /* 140 */
+    { { 0x2172dae20e552b40L,0x62f49725d34d52e8L,0x7930ee4007958f98L,
+        0x56da2a90751fdd74L,0xf1192834f53e48c3L,0x34d2ac268e53c343L },
+      { 0x1073c21813111286L,0x201dac14da9d9827L,0xec2c29dbee95d378L,
+        0x9316f1191f3ee0b1L,0x7890c9f0544ce71cL,0xd77138af27612127L } },
+    /* 141 */
+    { { 0x78045e6d3b4ad1cdL,0xcd86b94e4aa49bc1L,0x57e51f1dfd677a16L,
+        0xd9290935fa613697L,0x7a3f959334f4d893L,0x8c9c248b5d5fcf9bL },
+      { 0x9f23a4826f70d4e9L,0x1727345463190ae9L,0x4bdd7c135b081a48L,
+        0x1e2de38928d65271L,0x0bbaaa25e5841d1fL,0xc4c18a79746772e5L } },
+    /* 142 */
+    { { 0x10ee2681593375acL,0x4f3288be7dd5e113L,0x9a97b2fb240f3538L,
+        0xfa11089f1de6b1e2L,0x516da5621351bc58L,0x573b61192dfa85b5L },
+      { 0x89e966836cba7df5L,0xf299be158c28ab40L,0xe91c9348ad43fcbfL,
+        0xe9bbc7cc9a1cefb3L,0xc8add876738b2775L,0x6e3b1f2e775eaa01L } },
+    /* 143 */
+    { { 0x0365a888b677788bL,0x634ae8c43fd6173cL,0x304987619e498dbeL,
+        0x08c43e6dc8f779abL,0x068ae3844c09aca9L,0x2380c70b2018d170L },
+      { 0xcf77fbc3a297c5ecL,0xdacbc853ca457948L,0x3690de04336bec7eL,
+        0x26bbac6414eec461L,0xd1c23c7e1f713abfL,0xf08bbfcde6fd569eL } },
+    /* 144 */
+    { { 0x5f8163f484770ee3L,0x0e0c7f94744a1706L,0x9c8f05f7e1b2d46dL,
+        0x417eafe7d01fd99aL,0x2ba15df511440e5bL,0xdc5c552a91a6fbcfL },
+      { 0x86271d74a270f721L,0x32c0a075a004485bL,0x9d1a87e38defa075L,
+        0xb590a7acbf0d20feL,0x430c41c28feda1f5L,0x454d287958f6ec24L } },
+    /* 145 */
+    { { 0x52b7a6357c525435L,0x3d9ef57f37c4bdbcL,0x2bb93e9edffcc475L,
+        0xf7b8ba987710f3beL,0x42ee86da21b727deL,0x55ac3f192e490d01L },
+      { 0x487e3a6ec0c1c390L,0x036fb345446cde7bL,0x089eb276496ae951L,
+        0xedfed4d971ed1234L,0x661b0dd5900f0b46L,0x11bd6f1b8582f0d3L } },
+    /* 146 */
+    { { 0x5cf9350f076bc9d1L,0x15d903becf3cd2c3L,0x21cfc8c225af031cL,
+        0xe0ad32488b1cc657L,0xdd9fb96370014e87L,0xf0f3a5a1297f1658L },
+      { 0xbb908fbaf1f703aaL,0x2f9cc4202f6760baL,0x00ceec6666a38b51L,
+        0x4deda33005d645daL,0xb9cf5c72f7de3394L,0xaeef65021ad4c906L } },
+    /* 147 */
+    { { 0x0583c8b17a19045dL,0xae7c3102d052824cL,0x2a234979ff6cfa58L,
+        0xfe9dffc962c733c0L,0x3a7fa2509c0c4b09L,0x516437bb4fe21805L },
+      { 0x9454e3d5c2a23ddbL,0x0726d887289c104eL,0x8977d9184fd15243L,
+        0xc559e73f6d7790baL,0x8fd3e87d465af85fL,0xa2615c745feee46bL } },
+    /* 148 */
+    { { 0xc8d607a84335167dL,0x8b42d804e0f5c887L,0x5f9f13df398d11f9L,
+        0x5aaa508720740c67L,0x83da9a6aa3d9234bL,0xbd3a5c4e2a54bad1L },
+      { 0xdd13914c2db0f658L,0x29dcb66e5a3f373aL,0xbfd62df55245a72bL,
+        0x19d1802391e40847L,0xd9df74dbb136b1aeL,0x72a06b6b3f93bc5bL } },
+    /* 149 */
+    { { 0x6da19ec3ad19d96fL,0xb342daa4fb2a4099L,0x0e61633a662271eaL,
+        0x3bcece81ce8c054bL,0x7cc8e0618bd62dc6L,0xae189e19ee578d8bL },
+      { 0x73e7a25ddced1eedL,0xc1257f0a7875d3abL,0x2cb2d5a21cfef026L,
+        0xd98ef39bb1fdf61cL,0xcd8e6f6924e83e6cL,0xd71e7076c7b7088bL } },
+    /* 150 */
+    { { 0x339368309d4245bfL,0x22d962172ac2953bL,0xb3bf5a8256c3c3cdL,
+        0x50c9be910d0699e8L,0xec0944638f366459L,0x6c056dba513b7c35L },
+      { 0x687a6a83045ab0e3L,0x8d40b57f445c9295L,0x0f345048a16f5954L,
+        0x64b5c6393d8f0a87L,0x106353a29f71c5e2L,0xdd58b475874f0dd4L } },
+    /* 151 */
+    { { 0x67ec084f62230c72L,0xf14f6cca481385e3L,0xf58bb4074cda7774L,
+        0xe15011b1aa2dbb6bL,0xd488369d0c035ab1L,0xef83c24a8245f2fdL },
+      { 0xfb57328f9fdc2538L,0x79808293191fe46aL,0xe28f5c4432ede548L,
+        0x1b3cda99ea1a022cL,0x39e639b73df2ec7fL,0x77b6272b760e9a18L } },
+    /* 152 */
+    { { 0x2b1d51bda65d56d5L,0x3a9b71f97ea696e0L,0x95250ecc9904f4c4L,
+        0x8bc4d6ebe75774b7L,0x0e343f8aeaeeb9aaL,0xc473c1d1930e04cbL },
+      { 0x282321b1064cd8aeL,0xf4b4371e5562221cL,0xc1cc81ecd1bf1221L,
+        0xa52a07a9e2c8082fL,0x350d8e59ba64a958L,0x29e4f3de6fb32c9aL } },
+    /* 153 */
+    { { 0x0aa9d56cba89aaa5L,0xf0208ac0c4c6059eL,0x7400d9c6bd6ddca4L,
+        0xb384e475f2c2f74aL,0x4c1061fcb1562dd3L,0x3924e2482e153b8dL },
+      { 0xf38b8d98849808abL,0x29bf3260a491aa36L,0x85159ada88220edeL,
+        0x8b47915bbe5bc422L,0xa934d72ed7300967L,0xc4f303982e515d0dL } },
+    /* 154 */
+    { { 0xe3e9ee421b1de38bL,0xa124e25a42636760L,0x90bf73c090165b1aL,
+        0x21802a34146434c5L,0x54aa83f22e1fa109L,0x1d4bd03ced9c51e9L },
+      { 0xc2d96a38798751e6L,0xed27235f8c3507f5L,0xb5fb80e2c8c24f88L,
+        0xf873eefad37f4f78L,0x7229fd74f224ba96L,0x9dcd91999edd7149L } },
+    /* 155 */
+    { { 0xee9f81a64e94f22aL,0xe5609892f71ec341L,0x6c818ddda998284eL,
+        0x9fd472953b54b098L,0x47a6ac030e8a7cc9L,0xde684e5eb207a382L },
+      { 0x4bdd1ecd2b6b956bL,0x09084414f01b3583L,0xe2f80b3255233b14L,
+        0x5a0fec54ef5ebc5eL,0x74cf25e6bf8b29a2L,0x1c757fa07f29e014L } },
+    /* 156 */
+    { { 0x1bcb5c4aeb0fdfe4L,0xd7c649b3f0899367L,0xaef68e3f05bc083bL,
+        0x57a06e46a78aa607L,0xa2136ecc21223a44L,0x89bd648452f5a50bL },
+      { 0x724411b94455f15aL,0x23dfa97008a9c0fdL,0x7b0da4d16db63befL,
+        0x6f8a7ec1fb162443L,0xc1ac9ceee98284fbL,0x085a582b33566022L } },
+    /* 157 */
+    { { 0x15cb61f9ec1f138aL,0x11c9a230668f0c28L,0xac829729df93f38fL,
+        0xcef256984048848dL,0x3f686da02bba8fbfL,0xed5fea78111c619aL },
+      { 0x9b4f73bcd6d1c833L,0x5095160686e7bf80L,0xa2a73508042b1d51L,
+        0x9ef6ea495fb89ec2L,0xf1008ce95ef8b892L,0x78a7e6849ae8568bL } },
+    /* 158 */
+    { { 0x3fe83a7c10470cd8L,0x92734682f86df000L,0xb5dac06bda9409b5L,
+        0x1e7a966094939c5fL,0xdec6c1505cc116dcL,0x1a52b40866bac8ccL },
+      { 0x5303a3656e864045L,0x45eae72a9139efc1L,0x83bec6466f31d54fL,
+        0x2fb4a86f6e958a6dL,0x6760718e4ff44030L,0x008117e3e91ae0dfL } },
+    /* 159 */
+    { { 0x5d5833ba384310a2L,0xbdfb4edc1fd6c9fcL,0xb9a4f102849c4fb8L,
+        0xe5fb239a581c1e1fL,0xba44b2e7d0a9746dL,0x78f7b7683bd942b9L },
+      { 0x076c8ca1c87607aeL,0x82b23c2ed5caaa7eL,0x6a581f392763e461L,
+        0xca8a5e4a3886df11L,0xc87e90cf264e7f22L,0x04f74870215cfcfcL } },
+    /* 160 */
+    { { 0x5285d116141d161cL,0x67cd2e0e93c4ed17L,0x12c62a647c36187eL,
+        0xf5329539ed2584caL,0xc4c777c442fbbd69L,0x107de7761bdfc50aL },
+      { 0x9976dcc5e96beebdL,0xbe2aff95a865a151L,0x0e0a9da19d8872afL,
+        0x5e357a3da63c17ccL,0xd31fdfd8e15cc67cL,0xc44bbefd7970c6d8L } },
+    /* 161 */
+    { { 0x703f83e24c0c62f1L,0x9b1e28ee4e195572L,0x6a82858bfe26ccedL,
+        0xd381c84bc43638faL,0x94f72867a5ba43d8L,0x3b4a783d10b82743L },
+      { 0xee1ad7b57576451eL,0xc3d0b59714b6b5c8L,0x3dc30954fcacc1b8L,
+        0x55df110e472c9d7bL,0x97c86ed702f8a328L,0xd043341388dc098fL } },
+    /* 162 */
+    { { 0x1a60d1522ca8f2feL,0x61640948491bd41fL,0x6dae29a558dfe035L,
+        0x9a615bea278e4863L,0xbbdb44779ad7c8e5L,0x1c7066302ceac2fcL },
+      { 0x5e2b54c699699b4bL,0xb509ca6d239e17e8L,0x728165feea063a82L,
+        0x6b5e609db6a22e02L,0x12813905b26ee1dfL,0x07b9f722439491faL } },
+    /* 163 */
+    { { 0x1592ec1448ff4e49L,0x3e4e9f176d644129L,0x7acf82881156acc0L,
+        0x5aa34ba8bb092b0bL,0xcd0f90227d38393dL,0x416724ddea4f8187L },
+      { 0x3c4e641cc0139e73L,0xe0fe46cf91e4d87dL,0xedb3c792cab61f8aL,
+        0x4cb46de4d3868753L,0xe449c21d20f1098aL,0x5e5fd059f5b8ea6eL } },
+    /* 164 */
+    { { 0x7fcadd4675856031L,0x89c7a4cdeaf2fbd0L,0x1af523ce7a87c480L,
+        0xe5fc109561d9ae90L,0x3fb5864fbcdb95f5L,0xbeb5188ebb5b2c7dL },
+      { 0x3d1563c33ae65825L,0x116854c40e57d641L,0x11f73d341942ebd3L,
+        0x24dc5904c06955b3L,0x8a0d4c83995a0a62L,0xfb26b86d5d577b7dL } },
+    /* 165 */
+    { { 0xc53108e7c686ae17L,0x9090d739d1c1da56L,0x4583b0139aec50aeL,
+        0xdd9a088ba49a6ab2L,0x28192eeaf382f850L,0xcc8df756f5fe910eL },
+      { 0x877823a39cab7630L,0x64984a9afb8e7fc1L,0x5448ef9c364bfc16L,
+        0xbbb4f871c44e2a9aL,0x901a41ab435c95e9L,0xc6c23e5faaa50a06L } },
+    /* 166 */
+    { { 0xb78016c19034d8ddL,0x856bb44b0b13e79bL,0x85c6409ab3241a05L,
+        0x8d2fe19a2d78ed21L,0xdcc7c26d726eddf2L,0x3ccaff5f25104f04L },
+      { 0x397d7edc6b21f843L,0xda88e4dde975de4cL,0x5273d3964f5ab69eL,
+        0x537680e39aae6cc0L,0xf749cce53e6f9461L,0x021ddbd9957bffd3L } },
+    /* 167 */
+    { { 0x7b64585f777233cfL,0xfe6771f60942a6f0L,0x636aba7adfe6eef0L,
+        0x63bbeb5686038029L,0xacee5842de8fcf36L,0x48d9aa99d4a20524L },
+      { 0xcff7a74c0da5e57aL,0xc232593ce549d6c9L,0x68504bccf0f2287bL,
+        0x6d7d098dbc8360b5L,0xeac5f1495b402f41L,0x61936f11b87d1bf1L } },
+    /* 168 */
+    { { 0xaa9da167b8153a9dL,0xa49fe3ac9e83ecf0L,0x14c18f8e1b661384L,
+        0x61c24dab38434de1L,0x3d973c3a283dae96L,0xc99baa0182754fc9L },
+      { 0x477d198f4c26b1e3L,0x12e8e186a7516202L,0x386e52f6362addfaL,
+        0x31e8f695c3962853L,0xdec2af136aaedb60L,0xfcfdb4c629cf74acL } },
+    /* 169 */
+    { { 0x6b3ee958cca40298L,0xc3878153f2f5d195L,0x0c565630ed2eae5bL,
+        0xd089b37e3a697cf2L,0xc2ed2ac7ad5029eaL,0x7e5cdfad0f0dda6aL },
+      { 0xf98426dfd9b86202L,0xed1960b14335e054L,0x1fdb02463f14639eL,
+        0x17f709c30db6c670L,0xbfc687ae773421e1L,0x13fefc4a26c1a8acL } },
+    /* 170 */
+    { { 0xe361a1987ffa0a5fL,0xf4b26102c63fe109L,0x264acbc56c74e111L,
+        0x4af445fa77abebafL,0x448c4fdd24cddb75L,0x0b13157d44506eeaL },
+      { 0x22a6b15972e9993dL,0x2c3c57e485e5ecbeL,0xa673560bfd83e1a1L,
+        0x6be23f82c3b8c83bL,0x40b13a9640bbe38eL,0x66eea033ad17399bL } },
+    /* 171 */
+    { { 0x49fc6e95b4c6c693L,0xefc735de36af7d38L,0xe053343d35fe42fcL,
+        0xf0aa427c6a9ab7c3L,0xc79f04364a0fcb24L,0x1628724393ebbc50L },
+      { 0x5c3d6bd016927e1eL,0x40158ed2673b984cL,0xa7f86fc84cd48b9aL,
+        0x1643eda660ea282dL,0x45b393eae2a1beedL,0x664c839e19571a94L } },
+    /* 172 */
+    { { 0x5774575027eeaf94L,0x2875c925ea99e1e7L,0xc127e7ba5086adeaL,
+        0x765252a086fe424fL,0x1143cc6c2b6c0281L,0xc9bb2989d671312dL },
+      { 0x880c337c51acb0a5L,0xa3710915d3c60f78L,0x496113c09262b6edL,
+        0x5d25d9f89ce48182L,0x53b6ad72b3813586L,0x0ea3bebc4c0e159cL } },
+    /* 173 */
+    { { 0xcaba450ac5e49beaL,0x684e54157c05da59L,0xa2e9cab9de7ac36cL,
+        0x4ca79b5f2e6f957bL,0xef7b024709b817b1L,0xeb3049907d89df0fL },
+      { 0x508f730746fe5096L,0x695810e82e04eaafL,0x88ef1bd93512f76cL,
+        0x776613513ebca06bL,0xf7d4863accf158b7L,0xb2a81e4494ee57daL } },
+    /* 174 */
+    { { 0xff288e5b6d53e6baL,0xa90de1a914484ea2L,0x2fadb60ced33c8ecL,
+        0x579d6ef328b66a40L,0x4f2dd6ddec24372dL,0xe9e33fc91d66ec7dL },
+      { 0x110899d2039eab6eL,0xa31a667a3e97bb5eL,0x6200166dcfdce68eL,
+        0xbe83ebae5137d54bL,0x085f7d874800acdfL,0xcf4ab1330c6f8c86L } },
+    /* 175 */
+    { { 0x03f65845931e08fbL,0x6438551e1506e2c0L,0x5791f0dc9c36961fL,
+        0x68107b29e3dcc916L,0x83242374f495d2caL,0xd8cfb6636ee5895bL },
+      { 0x525e0f16a0349b1bL,0x33cd2c6c4a0fab86L,0x46c12ee82af8dda9L,
+        0x7cc424ba71e97ad3L,0x69766ddf37621eb0L,0x95565f56a5f0d390L } },
+    /* 176 */
+    { { 0xe0e7bbf21a0f5e94L,0xf771e1151d82d327L,0x10033e3dceb111faL,
+        0xd269744dd3426638L,0xbdf2d9da00d01ef6L,0x1cb80c71a049ceafL },
+      { 0x17f183289e21c677L,0x6452af0519c8f98bL,0x35b9c5f780b67997L,
+        0x5c2e1cbe40f8f3d4L,0x43f9165666d667caL,0x9faaa059cf9d6e79L } },
+    /* 177 */
+    { { 0x8ad246180a078fe6L,0xf6cc73e6464fd1ddL,0x4d2ce34dc3e37448L,
+        0x624950c5e3271b5fL,0x62910f5eefc5af72L,0x8b585bf8aa132bc6L },
+      { 0x11723985a839327fL,0x34e2d27d4aac252fL,0x402f59ef6296cc4eL,
+        0x00ae055c47053de9L,0xfc22a97228b4f09bL,0xa9e86264fa0c180eL } },
+    /* 178 */
+    { { 0x0b7b6224bc310eccL,0x8a1a74f167fa14edL,0x87dd09607214395cL,
+        0xdf1b3d09f5c91128L,0x39ff23c686b264a8L,0xdc2d49d03e58d4c5L },
+      { 0x2152b7d3a9d6f501L,0xf4c32e24c04094f7L,0xc6366596d938990fL,
+        0x084d078f94fb207fL,0xfd99f1d7328594cbL,0x36defa64cb2d96b3L } },
+    /* 179 */
+    { { 0x4619b78113ed7cbeL,0x95e500159784bd0eL,0x2a32251c2c7705feL,
+        0xa376af995f0dd083L,0x55425c6c0361a45bL,0x812d2cef1f291e7bL },
+      { 0xccf581a05fd94972L,0x26e20e39e56dc383L,0x0093685d63dbfbf0L,
+        0x1fc164cc36b8c575L,0xb9c5ab81390ef5e7L,0x40086beb26908c66L } },
+    /* 180 */
+    { { 0xe5e54f7937e3c115L,0x69b8ee8cc1445a8aL,0x79aedff2b7659709L,
+        0xe288e1631b46fbe6L,0xdb4844f0d18d7bb7L,0xe0ea23d048aa6424L },
+      { 0x714c0e4ef3d80a73L,0x87a0aa9e3bd64f98L,0x8844b8a82ec63080L,
+        0xe0ac9c30255d81a3L,0x86151237455397fcL,0x0b9794642f820155L } },
+    /* 181 */
+    { { 0x127a255a4ae03080L,0x232306b4580a89fbL,0x04e8cd6a6416f539L,
+        0xaeb70dee13b02a0eL,0xa3038cf84c09684aL,0xa710ec3c28e433eeL },
+      { 0x77a72567681b1f7dL,0x86fbce952fc28170L,0xd3408683f5735ac8L,
+        0x3a324e2a6bd68e93L,0x7ec74353c027d155L,0xab60354cd4427177L } },
+    /* 182 */
+    { { 0x32a5342aef4c209dL,0x2ba7527408d62704L,0x4bb4af6fc825d5feL,
+        0x1c3919ced28e7ff1L,0x1dfc2fdcde0340f6L,0xc6580baf29f33ba9L },
+      { 0xae121e7541d442cbL,0x4c7727fd3a4724e4L,0xe556d6a4524f3474L,
+        0x87e13cc7785642a2L,0x182efbb1a17845fdL,0xdcec0cf14e144857L } },
+    /* 183 */
+    { { 0x1cb89541e9539819L,0xc8cb3b4f9d94dbf1L,0x1d353f63417da578L,
+        0xb7a697fb8053a09eL,0x8d841731c35d8b78L,0x85748d6fb656a7a9L },
+      { 0x1fd03947c1859c5dL,0x6ce965c1535d22a2L,0x1966a13e0ca3aadcL,
+        0x9802e41d4fb14effL,0xa9048cbb76dd3fcdL,0x89b182b5e9455bbaL } },
+    /* 184 */
+    { { 0xd777ad6a43360710L,0x841287ef55e9936bL,0xbaf5c67004a21b24L,
+        0xf2c0725f35ad86f1L,0x338fa650c707e72eL,0x2bf8ed2ed8883e52L },
+      { 0xb0212cf4b56e0d6aL,0x50537e126843290cL,0xd8b184a198b3dc6fL,
+        0xd2be9a350210b722L,0x407406db559781eeL,0x5a78d5910bc18534L } },
+    /* 185 */
+    { { 0x4d57aa2ad748b02cL,0xbe5b3451a12b3b95L,0xadca7a4564711258L,
+        0x597e091a322153dbL,0xf327100632eb1eabL,0xbd9adcba2873f301L },
+      { 0xd1dc79d138543f7fL,0x00022092921b1fefL,0x86db3ef51e5df8edL,
+        0x888cae049e6b944aL,0x71bd29ec791a32b4L,0xd3516206a6d1c13eL } },
+    /* 186 */
+    { { 0x2ef6b95255924f43L,0xd2f401ae4f9de8d5L,0xfc73e8d7adc68042L,
+        0x627ea70c0d9d1bb4L,0xc3bb3e3ebbf35679L,0x7e8a254ad882dee4L },
+      { 0x08906f50b5924407L,0xf14a0e61a1ad444aL,0xaa0efa2165f3738eL,
+        0xd60c7dd6ae71f161L,0x9e8390faf175894dL,0xd115cd20149f4c00L } },
+    /* 187 */
+    { { 0x2f2e2c1da52abf77L,0xc2a0dca554232568L,0xed423ea254966dccL,
+        0xe48c93c7cd0dd039L,0x1e54a225176405c7L,0x1efb5b1670d58f2eL },
+      { 0xa751f9d994fb1471L,0xfdb31e1f67d2941dL,0xa6c74eb253733698L,
+        0xd3155d1189a0f64aL,0x4414cfe4a4b8d2b6L,0x8d5a4be8f7a8e9e3L } },
+    /* 188 */
+    { { 0x5c96b4d452669e98L,0x4547f9228fd42a03L,0xcf5c1319d285174eL,
+        0x805cd1ae064bffa0L,0x50e8bc4f246d27e7L,0xf89ef98fd5781e11L },
+      { 0xb4ff95f6dee0b63fL,0xad850047222663a4L,0x026918604d23ce9cL,
+        0x3e5309ce50019f59L,0x27e6f72269a508aeL,0xe9376652267ba52cL } },
+    /* 189 */
+    { { 0xa04d289cc0368708L,0xc458872f5e306e1dL,0x76fa23de33112feaL,
+        0x718e39746efde42eL,0xf0c98cdc1d206091L,0x5fa3ca6214a71987L },
+      { 0xeee8188bdcaa9f2aL,0x312cc732589a860dL,0xf9808dd6c63aeb1fL,
+        0x70fd43db4ea62b53L,0x2c2bfe34890b6e97L,0x105f863cfa426aa6L } },
+    /* 190 */
+    { { 0x0b29795db38059adL,0x5686b77e90647ea0L,0xeff0470edb473a3eL,
+        0x278d2340f9b6d1e2L,0xebbff95bbd594ec7L,0xf4b72334d3a7f23dL },
+      { 0x2a285980a5a83f0bL,0x0786c41a9716a8b3L,0x138901bd22511812L,
+        0xd1b55221e2fede6eL,0x0806e264df4eb590L,0x6c4c897e762e462eL } },
+    /* 191 */
+    { { 0xd10b905fb4b41d9dL,0x826ca4664523a65bL,0x535bbd13b699fa37L,
+        0x5b9933d773bc8f90L,0x9332d61fcd2118adL,0x158c693ed4a65fd0L },
+      { 0x4ddfb2a8e6806e63L,0xe31ed3ecb5de651bL,0xf9460e51819bc69aL,
+        0x6229c0d62c76b1f8L,0xbb78f231901970a3L,0x31f3820f9cee72b8L } },
+    /* 192 */
+    { { 0xe931caf2c09e1c72L,0x0715f29812990cf4L,0x33aad81d943262d8L,
+        0x5d292b7a73048d3fL,0xb152aaa4dc7415f6L,0xc3d10fd90fd19587L },
+      { 0xf76b35c575ddadd0L,0x9f5f4a511e7b694cL,0x2f1ab7ebc0663025L,
+        0x01c9cc87920260b0L,0xc4b1f61a05d39da6L,0x6dcd76c4eb4a9c4eL } },
+    /* 193 */
+    { { 0x0ba0916ffdc83f01L,0x354c8b449553e4f9L,0xa6cc511affc5e622L,
+        0xb954726ae95be787L,0xcb04811575b41a62L,0xfa2ae6cdebfde989L },
+      { 0x6376bbc70f24659aL,0x13a999fd4c289c43L,0xc7134184ec9abd8bL,
+        0x28c02bf6a789ab04L,0xff841ebcd3e526ecL,0x442b191e640893a8L } },
+    /* 194 */
+    { { 0x4cac6c62fa2b6e20L,0x97f29e9bf6d69861L,0x228ab1dbbc96d12dL,
+        0x6eb913275e8e108dL,0xd4b3d4d140771245L,0x61b20623ca8a803aL },
+      { 0x2c2f3b41a6a560b1L,0x879e1d403859fcf4L,0x7cdb5145024dbfc3L,
+        0x55d08f153bfa5315L,0x2f57d773aa93823aL,0xa97f259cc6a2c9a2L } },
+    /* 195 */
+    { { 0xc306317be58edbbbL,0x25ade51c79dfdf13L,0x6b5beaf116d83dd6L,
+        0xe8038a441dd8f925L,0x7f00143cb2a87b6bL,0xa885d00df5b438deL },
+      { 0xe9f76790cf9e48bdL,0xf0bdf9f0a5162768L,0x0436709fad7b57cbL,
+        0x7e151c12f7c15db7L,0x3514f0225d90ee3bL,0x2e84e8032c361a8dL } },
+    /* 196 */
+    { { 0x2277607d563ec8d8L,0xa661811fe3934cb7L,0x3ca72e7af58fd5deL,
+        0x7989da0462294c6aL,0x88b3708bf6bbefe9L,0x0d524cf753ed7c82L },
+      { 0x69f699ca2f30c073L,0xf0fa264b9dc1dcf3L,0x44ca456805f0aaf6L,
+        0x0f5b23c7d19b9bafL,0x39193f41eabd1107L,0x9e3e10ad2a7c9b83L } },
+    /* 197 */
+    { { 0xa90824f0d4ae972fL,0x43eef02bc6e846e7L,0x7e46061229d2160aL,
+        0x29a178acfe604e91L,0x23056f044eb184b2L,0x4fcad55feb54cdf4L },
+      { 0xa0ff96f3ae728d15L,0x8a2680c6c6a00331L,0x5f84cae07ee52556L,
+        0x5e462c3ac5a65dadL,0x5d2b81dfe2d23f4fL,0x6e47301bc5b1eb07L } },
+    /* 198 */
+    { { 0x77411d68af8219b9L,0xcb883ce651b1907aL,0x25c87e57101383b5L,
+        0x9c7d9859982f970dL,0xaa6abca5118305d2L,0x725fed2f9013a5dbL },
+      { 0x487cdbafababd109L,0xc0f8cf5687586528L,0xa02591e68ad58254L,
+        0xc071b1d1debbd526L,0x927dfe8b961e7e31L,0x55f895f99263dfe1L } },
+    /* 199 */
+    { { 0xf899b00db175645bL,0x51f3a627b65b4b92L,0xa2f3ac8db67399efL,
+        0xe717867fe400bc20L,0x42cc90201967b952L,0x3d5967513ecd1de1L },
+      { 0xd41ebcdedb979775L,0x99ba61bc6a2e7e88L,0x039149a5321504f2L,
+        0xe7dc231427ba2fadL,0x9f556308b57d8368L,0x2b6d16c957da80a7L } },
+    /* 200 */
+    { { 0x84af5e76279ad982L,0x9bb4c92d9c8b81a6L,0xd79ad44e0e698e67L,
+        0xe8be9048265fc167L,0xf135f7e60c3a4cccL,0xa0a10d38b8863a33L },
+      { 0xe197247cd386efd9L,0x0eefd3f9b52346c2L,0xc22415f978607bc8L,
+        0xa2a8f862508674ceL,0xa72ad09ec8c9d607L,0xcd9f0ede50fa764fL } },
+    /* 201 */
+    { { 0x063391c7d1a46d4dL,0x2df51c119eb01693L,0xc5849800849e83deL,
+        0x48fd09aa8ad08382L,0xa405d873aa742736L,0xee49e61ee1f9600cL },
+      { 0xd76676be48c76f73L,0xd9c100f601274b2aL,0x110bb67c83f8718dL,
+        0xec85a42002fc0d73L,0xc0449e1e744656adL,0x28ce737637d9939bL } },
+    /* 202 */
+    { { 0x97e9af7244544ac7L,0xf2c658d5ba010426L,0x732dec39fb3adfbdL,
+        0xd12faf91a2df0b07L,0x8ac267252171e208L,0xf820cdc85b24fa54L },
+      { 0x307a6eea94f4cf77L,0x18c783d2944a33c6L,0x4b939d4c0b741ac5L,
+        0x1d7acd153ffbb6e4L,0x06a248587a255e44L,0x14fbc494ce336d50L } },
+    /* 203 */
+    { { 0x9b920c0c51584e3cL,0xc7733c59f7e54027L,0xe24ce13988422bbeL,
+        0x11ada812523bd6abL,0xde068800b88e6defL,0x7b872671fe8c582dL },
+      { 0x4e746f287de53510L,0x492f8b99f7971968L,0x1ec80bc77d928ac2L,
+        0xb3913e48432eb1b5L,0xad08486632028f6eL,0x122bb8358fc2f38bL } },
+    /* 204 */
+    { { 0x0a9f3b1e3b0b29c3L,0x837b64324fa44151L,0xb9905c9217b28ea7L,
+        0xf39bc93798451750L,0xcd383c24ce8b6da1L,0x299f57db010620b2L },
+      { 0x7b6ac39658afdce3L,0xa15206b33d05ef47L,0xa0ae37e2b9bb02ffL,
+        0x107760ab9db3964cL,0xe29de9a067954beaL,0x446a1ad8431c3f82L } },
+    /* 205 */
+    { { 0xc6fecea05c6b8195L,0xd744a7c5f49e71b9L,0xa8e96acc177a7ae7L,
+        0x1a05746c358773a7L,0xa416214637567369L,0xaa0217f787d1c971L },
+      { 0x61e9d15877fd3226L,0x0f6f2304e4f600beL,0xa9c4cebc7a6dff07L,
+        0xd15afa0109f12a24L,0x2bbadb228c863ee9L,0xa28290e4e5eb8c78L } },
+    /* 206 */
+    { { 0x55b87fa03e9de330L,0x12b26066195c145bL,0xe08536e0a920bef0L,
+        0x7bff6f2c4d195adcL,0x7f319e9d945f4187L,0xf9848863f892ce47L },
+      { 0xd0efc1d34fe37657L,0x3c58de825cf0e45aL,0x626ad21a8b0ccbbeL,
+        0xd2a31208af952fc5L,0x81791995eb437357L,0x5f19d30f98e95d4fL } },
+    /* 207 */
+    { { 0x72e83d9a0e6865bbL,0x22f5af3bf63456a6L,0x409e9c73463c8d9eL,
+        0x40e9e578dfe6970eL,0x876b6efa711b91caL,0x895512cf942625a3L },
+      { 0x84c8eda8cb4e462bL,0x84c0154a4412e7c8L,0x04325db1ceb7b71fL,
+        0x1537dde366f70877L,0xf3a093991992b9acL,0xa7316606d498ae77L } },
+    /* 208 */
+    { { 0x13990d2fcad260f5L,0x76c3be29eec0e8c0L,0x7dc5bee00f7bd7d5L,
+        0x9be167d2efebda4bL,0xcce3dde69122b87eL,0x75a28b0982b5415cL },
+      { 0xf6810bcde84607a6L,0xc6d581286f4dbf0dL,0xfead577d1b4dafebL,
+        0x9bc440b2066b28ebL,0x53f1da978b17e84bL,0x0459504bcda9a575L } },
+    /* 209 */
+    { { 0x13e39a02329e5836L,0x2c9e7d51f717269dL,0xc5ac58d6f26c963bL,
+        0x3b0c6c4379967bf5L,0x60bbea3f55908d9dL,0xd84811e7f07c9ad1L },
+      { 0xfe7609a75bd20e4aL,0xe4325dd20a70baa8L,0x3711f370b3600386L,
+        0x97f9562fd0924302L,0x040dc0c34acc4436L,0xfd6d725cde79cdd4L } },
+    /* 210 */
+    { { 0xb3efd0e3cf13eafbL,0x21009cbb5aa0ae5fL,0xe480c55379022279L,
+        0x755cf334b2fc9a6dL,0x8564a5bf07096ae7L,0xddd649d0bd238139L },
+      { 0xd0de10b18a045041L,0x6e05b413c957d572L,0x5c5ff8064e0fb25cL,
+        0xd933179b641162fbL,0x42d48485e57439f9L,0x70c5bd0a8a8d72aaL } },
+    /* 211 */
+    { { 0xa767173897bdf646L,0xaa1485b4ab329f7cL,0xce3e11d6f8f25fdfL,
+        0x76a3fc7ec6221824L,0x045f281ff3924740L,0x24557d4e96d13a9aL },
+      { 0x875c804bdd4c27cdL,0x11c5f0f40f5c7feaL,0xac8c880bdc55ff7eL,
+        0x2acddec51103f101L,0x38341a21f99faa89L,0xc7b67a2cce9d6b57L } },
+    /* 212 */
+    { { 0x9a0d724f8e357586L,0x1d7f4ff5df648da0L,0x9c3e6c9bfdee62a5L,
+        0x0499cef00389b372L,0xe904050d98eab879L,0xe8eef1b66c051617L },
+      { 0xebf5bfebc37e3ca9L,0x7c5e946da4e0b91dL,0x790973142c4bea28L,
+        0x81f6c109ee67b2b7L,0xaf237d9bdafc5edeL,0xd2e602012abb04c7L } },
+    /* 213 */
+    { { 0x6156060c8a4f57bfL,0xf9758696ff11182aL,0x8336773c6296ef00L,
+        0x9c054bceff666899L,0xd6a11611719cd11cL,0x9824a641dbe1acfaL },
+      { 0x0b7b7a5fba89fd01L,0xf8d3b809889f79d8L,0xc5e1ea08f578285cL,
+        0x7ac74536ae6d8288L,0x5d37a2007521ef5fL,0x5ecc4184b260a25dL } },
+    /* 214 */
+    { { 0xddcebb19a708c8d3L,0xe63ed04fc63f81ecL,0xd045f5a011873f95L,
+        0x3b5ad54479f276d5L,0x81272a3d425ae5b3L,0x8bfeb50110ce1605L },
+      { 0x4233809c888228bfL,0x4bd82acfb2aff7dfL,0x9c68f1800cbd4a7fL,
+        0xfcd771246b44323dL,0x60c0fcf6891db957L,0xcfbb4d8904da8f7fL } },
+    /* 215 */
+    { { 0x9a6a5df93b26139aL,0x3e076a83b2cc7eb8L,0x47a8e82d5a964bcdL,
+        0x8a4e2a39b9278d6bL,0x93506c98e4443549L,0x06497a8ff1e0d566L },
+      { 0x3dee8d992b1efa05L,0x2da63ca845393e33L,0xa4af7277cf0579adL,
+        0xaf4b46393236d8eaL,0x6ccad95b32b617f5L,0xce76d8b8b88bb124L } },
+    /* 216 */
+    { { 0x63d2537a083843dcL,0x89eb35141e4153b4L,0x5175ebc4ea9afc94L,
+        0x7a6525808ed1aed7L,0x67295611d85e8297L,0x8dd2d68bb584b73dL },
+      { 0x237139e60133c3a4L,0x9de838ab4bd278eaL,0xe829b072c062fcd9L,
+        0x70730d4f63ba8706L,0x6080483fd3cd05ecL,0x872ab5b80c85f84dL } },
+    /* 217 */
+    { { 0xfc0776d3999d4d49L,0xa3eb59deec3f45e7L,0xbc990e440dae1fc1L,
+        0x33596b1ea15371ffL,0xd447dcb29bc7ab25L,0xcd5b63e935979582L },
+      { 0xae3366fa77d1ff11L,0x59f28f05edee6903L,0x6f43fed1a4433bf2L,
+        0x15409c9bdf9ce00eL,0x21b5cdedaca9c5dcL,0xf9f3359582d7bdb4L } },
+    /* 218 */
+    { { 0x959443789422c792L,0x239ea923c958b8bfL,0x4b61a247df076541L,
+        0x4d29ce85bb9fc544L,0x9a692a670b424559L,0x6e0ca5a00e486900L },
+      { 0x6b79a78285b3beceL,0x41f35e39c61f9892L,0xff82099aae747f82L,
+        0x58c8ae3fd0ca59d6L,0x4ac930e299406b5fL,0x2ce04eb99df24243L } },
+    /* 219 */
+    { { 0x4366b9941ac37b82L,0xff0c728d25b04d83L,0x1f55136119c47b7cL,
+        0xdbf2d5edbeff13e7L,0xf78efd51e12a683dL,0x82cd85b9989cf9c4L },
+      { 0xe23c6db6e0cb5d37L,0x818aeebd72ee1a15L,0x8212aafd28771b14L,
+        0x7bc221d91def817dL,0xdac403a29445c51fL,0x711b051712c3746bL } },
+    /* 220 */
+    { { 0x0ed9ed485ea99eccL,0xf799500db8cab5e1L,0xa8ec87dcb570cbdcL,
+        0x52cfb2c2d35dfaecL,0x8d31fae26e4d80a4L,0xe6a37dc9dcdeabe5L },
+      { 0x5d365a341deca452L,0x09a5f8a50d68b44eL,0x59238ea5a60744b1L,
+        0xf2fedc0dbb4249e9L,0xe395c74ea909b2e3L,0xe156d1a539388250L } },
+    /* 221 */
+    { { 0xd796b3d047181ae9L,0xbaf44ba844197808L,0xe693309434cf3facL,
+        0x41aa6adec3bd5c46L,0x4fda75d8eed947c6L,0xacd9d4129ea5a525L },
+      { 0x65cc55a3d430301bL,0x3c9a5bcf7b52ea49L,0x22d319cf159507f0L,
+        0x2ee0b9b5de74a8ddL,0x20c26a1e877ac2b6L,0x387d73da92e7c314L } },
+    /* 222 */
+    { { 0x13c4833e8cd3fdacL,0x76fcd473332e5b8eL,0xff671b4be2fe1fd3L,
+        0x4d734e8b5d98d8ecL,0xb1ead3c6514bbc11L,0xd14ca8587b390494L },
+      { 0x95a443af5d2d37e9L,0x73c6ea7300464622L,0xa44aeb4b15755044L,
+        0xba3f8575fab58feeL,0x9779dbc9dc680a6fL,0xe1ee5f5a7b37ddfcL } },
+    /* 223 */
+    { { 0xcd0b464812d29f46L,0x93295b0b0ed53137L,0xbfe2609480bef6c9L,
+        0xa656578854248b00L,0x69c43fca80e7f9c4L,0x2190837bbe141ea1L },
+      { 0x875e159aa1b26cfbL,0x90ca9f877affe852L,0x15e6550d92ca598eL,
+        0xe3e0945d1938ad11L,0xef7636bb366ef937L,0xb6034d0bb39869e5L } },
+    /* 224 */
+    { { 0x4d255e3026d8356eL,0xf83666edd314626fL,0x421ddf61d0c8ed64L,
+        0x96e473c526677b61L,0xdad4af7e9e9b18b3L,0xfceffd4aa9393f75L },
+      { 0x843138a111c731d5L,0x05bcb3a1b2f141d9L,0x20e1fa95617b7671L,
+        0xbefce81288ccec7bL,0x582073dc90f1b568L,0xf572261a1f055cb7L } },
+    /* 225 */
+    { { 0xf314827736973088L,0xc008e70886a9f980L,0x1b795947e046c261L,
+        0xdf1e6a7dca76bca0L,0xabafd88671acddf0L,0xff7054d91364d8f4L },
+      { 0x2cf63547e2260594L,0x468a5372d73b277eL,0xc7419e24ef9bd35eL,
+        0x2b4a1c2024043cc3L,0xa28f047a890b39cdL,0xdca2cea146f9a2e3L } },
+    /* 226 */
+    { { 0xab78873653277538L,0xa734e225cf697738L,0x66ee1d1e6b22e2c1L,
+        0x2c615389ebe1d212L,0xf36cad4002bb0766L,0x120885c33e64f207L },
+      { 0x59e77d5690fbfec2L,0xf9e781aad7a574aeL,0x801410b05d045e53L,
+        0xd3b5f0aaa91b5f0eL,0xb3d1df007fbb3521L,0x11c4b33ec72bee9aL } },
+    /* 227 */
+    { { 0xd32b983283c3a7f3L,0x8083abcf88d8a354L,0xdeb1640450f4ec5aL,
+        0x18d747f0641e2907L,0x4e8978aef1bbf03eL,0x932447dc88a0cd89L },
+      { 0x561e0febcf3d5897L,0xfc3a682f13600e6dL,0xc78b9d73d16a6b73L,
+        0xe713feded29bf580L,0x0a22522308d69e5cL,0x3a924a571ff7fda4L } },
+    /* 228 */
+    { { 0xfb64554cb4093beeL,0xa6d65a25a58c6ec0L,0x4126994d43d0ed37L,
+        0xa5689a5155152d44L,0xb8e5ea8c284caa8dL,0x33f05d4fd1f25538L },
+      { 0xe0fdfe091b615d6eL,0x2ded7e8f705507daL,0xdd5631e517bbcc80L,
+        0x4f87453e267fd11fL,0xc6da723fff89d62dL,0x55cbcae2e3cda21dL } },
+    /* 229 */
+    { { 0x336bc94e6b4e84f3L,0x728630314ef72c35L,0x6d85fdeeeeb57f99L,
+        0x7f4e3272a42ece1bL,0x7f86cbb536f0320aL,0xf09b6a2b923331e6L },
+      { 0x21d3ecf156778435L,0x2977ba998323b2d2L,0x6a1b57fb1704bc0fL,
+        0xd777cf8b389f048aL,0x9ce2174fac6b42cdL,0x404e2bff09e6c55aL } },
+    /* 230 */
+    { { 0x9b9b135e204c5ddbL,0x9dbfe0443eff550eL,0x35eab4bfec3be0f6L,
+        0x8b4c3f0d0a43e56fL,0x4c1c66730e73f9b3L,0x92ed38bd2c78c905L },
+      { 0xc7003f6aa386e27cL,0xb9c4f46faced8507L,0xea024ec859df5464L,
+        0x4af96152429572eaL,0x279cd5e2e1fc1194L,0xaa376a03281e358cL } },
+    /* 231 */
+    { { 0x078592233cdbc95cL,0xaae1aa6aef2e337aL,0xc040108d472a8544L,
+        0x80c853e68d037b7dL,0xd221315c8c7eee24L,0x195d38568ee47752L },
+      { 0xd4b1ba03dacd7fbeL,0x4b5ac61ed3e0c52bL,0x68d3c0526aab7b52L,
+        0xf0d7248c660e3feaL,0xafdb3f893145efb4L,0xa73fd9a38f40936dL } },
+    /* 232 */
+    { { 0x891b9ef3bb1b17ceL,0x14023667c6127f31L,0x12b2e58d305521fdL,
+        0x3a47e449e3508088L,0xe49fc84bff751507L,0x4023f7225310d16eL },
+      { 0xa608e5edb73399faL,0xf12632d8d532aa3eL,0x13a2758e845e8415L,
+        0xae4b6f851fc2d861L,0x3879f5b1339d02f2L,0x446d22a680d99ebdL } },
+    /* 233 */
+    { { 0x0f5023024be164f1L,0x8d09d2d688b81920L,0x514056f1984aceffL,
+        0xa5c4ddf075e9e80dL,0x38cb47e6df496a93L,0x899e1d6b38df6bf7L },
+      { 0x69e87e88b59eb2a6L,0x280d9d639b47f38bL,0x599411ea3654e955L,
+        0xcf8dd4fd969aa581L,0xff5c2baf530742a7L,0xa43915361a373085L } },
+    /* 234 */
+    { { 0x6ace72a3a8a4bdd2L,0xc656cdd1b68ef702L,0xd4a33e7e90c4dad8L,
+        0x4aece08a9d951c50L,0xea8005ae085d68e6L,0xfdd7a7d76f7502b8L },
+      { 0xce6fb0a698d6fa45L,0x228f86721104eb8cL,0xd23d8787da09d7dcL,
+        0x5521428b2ae93065L,0x95faba3dea56c366L,0xedbe50390a88aca5L } },
+    /* 235 */
+    { { 0xd64da0adbfb26c82L,0xe5d70b3c952c2f9cL,0xf5e8f365f7e77f68L,
+        0x7234e00208f2d695L,0xfaf900eed12e7be6L,0x27dc69344acf734eL },
+      { 0x80e4ff5ec260a46aL,0x7da5ebce2dc31c28L,0x485c5d73ca69f552L,
+        0xcdfb6b2969cc84c2L,0x031c5afeed6d4ecaL,0xc7bbf4c822247637L } },
+    /* 236 */
+    { { 0x9d5b72c749fe01b2L,0x34785186793a91b8L,0xa3ba3c54cf460438L,
+        0x73e8e43d3ab21b6fL,0x50cde8e0be57b8abL,0x6488b3a7dd204264L },
+      { 0xa9e398b3dddc4582L,0x1698c1a95bec46feL,0x7f1446ef156d3843L,
+        0x3fd25dd8770329a2L,0x05b1221a2c710668L,0x65b2dc2aa72ee6cfL } },
+    /* 237 */
+    { { 0x21a885f7cd021d63L,0x3f344b15fea61f08L,0xad5ba6ddc5cf73e6L,
+        0x154d0d8f227a8b23L,0x9b74373cdc559311L,0x4feab71598620fa1L },
+      { 0x5098938e7d9ec924L,0x84d54a5e6d47e550L,0x1a2d1bdc1b617506L,
+        0x99fe1782615868a4L,0x171da7803005a924L,0xa70bf5ed7d8f79b6L } },
+    /* 238 */
+    { { 0x0bc1250dfe2216c5L,0x2c37e2507601b351L,0xb6300175d6f06b7eL,
+        0x4dde8ca18bfeb9b7L,0x4f210432b82f843dL,0x8d70e2f9b1ac0afdL },
+      { 0x25c73b78aae91abbL,0x0230dca3863028f2L,0x8b923ecfe5cf30b7L,
+        0xed754ec25506f265L,0x8e41b88c729a5e39L,0xee67cec2babf889bL } },
+    /* 239 */
+    { { 0xe183acf51be46c65L,0x9789538fe7565d7aL,0x87873391d9627b4eL,
+        0xbf4ac4c19f1d9187L,0x5db99f634691f5c8L,0xa68df80374a1fb98L },
+      { 0x3c448ed1bf92b5faL,0xa098c8413e0bdc32L,0x8e74cd5579bf016cL,
+        0x5df0d09c115e244dL,0x9418ad013410b66eL,0x8b6124cb17a02130L } },
+    /* 240 */
+    { { 0x425ec3afc26e3392L,0xc07f8470a1722e00L,0xdcc28190e2356b43L,
+        0x4ed97dffb1ef59a6L,0xc22b3ad1c63028c1L,0x070723c268c18988L },
+      { 0x70da302f4cf49e7dL,0xc5e87c933f12a522L,0x74acdd1d18594148L,
+        0xad5f73abca74124cL,0xe72e4a3ed69fd478L,0x615938687b117cc3L } },
+    /* 241 */
+    { { 0x7b7b9577a9aa0486L,0x6e41fb35a063d557L,0xb017d5c7da9047d7L,
+        0x8c74828068a87ba9L,0xab45fa5cdf08ad93L,0xcd9fb2174c288a28L },
+      { 0x595446425747843dL,0x34d64c6ca56111e3L,0x12e47ea14bfce8d5L,
+        0x17740e056169267fL,0x5c49438eeed03fb5L,0x9da30add4fc3f513L } },
+    /* 242 */
+    { { 0xc4e85282ccfa5200L,0x2707608f6a19b13dL,0xdcb9a53df5726e2fL,
+        0x612407c9e9427de5L,0x3e5a17e1d54d582aL,0xb99877de655ae118L },
+      { 0x6f0e972b015254deL,0x92a56db1f0a6f7c5L,0xd297e4e1a656f8b2L,
+        0x99fe0052ad981983L,0xd3652d2f07cfed84L,0xc784352e843c1738L } },
+    /* 243 */
+    { { 0x6ee90af07e9b2d8aL,0xac8d701857cf1964L,0xf6ed903171f28efcL,
+        0x7f70d5a96812b20eL,0x27b557f4f1c61eeeL,0xf1c9bd57c6263758L },
+      { 0x5cf7d0142a1a6194L,0xdd614e0b1890ab84L,0x3ef9de100e93c2a6L,
+        0xf98cf575e0cd91c5L,0x504ec0c614befc32L,0xd0513a666279d68cL } },
+    /* 244 */
+    { { 0xa8eadbada859fb6aL,0xcf8346e7db283666L,0x7b35e61a3e22e355L,
+        0x293ece2c99639c6bL,0xfa0162e256f241c8L,0xd2e6c7b9bf7a1ddaL },
+      { 0xd0de625340075e63L,0x2405aa61f9ec8286L,0x2237830a8fe45494L,
+        0x4fd01ac7364e9c8cL,0x4d9c3d21904ba750L,0xd589be14af1b520bL } },
+    /* 245 */
+    { { 0x13576a4f4662e53bL,0x35ec2f51f9077676L,0x66297d1397c0af97L,
+        0xed3201fe9e598b58L,0x49bc752a5e70f604L,0xb54af535bb12d951L },
+      { 0x36ea4c2b212c1c76L,0x18f5bbc7eb250dfdL,0xa0d466cc9a0a1a46L,
+        0x52564da4dac2d917L,0x206559f48e95fab5L,0x7487c1909ca67a33L } },
+    /* 246 */
+    { { 0x75abfe37dde98e9cL,0x99b90b262a411199L,0x1b410996dcdb1f7cL,
+        0xab346f118b3b5675L,0x04852193f1f8ae1eL,0x1ec4d2276b8b98c1L },
+      { 0xba3bc92645452baaL,0x387d1858acc4a572L,0x9478eff6e51f171eL,
+        0xf357077d931e1c00L,0xffee77cde54c8ca8L,0xfb4892ff551dc9a4L } },
+    /* 247 */
+    { { 0x5b1bdad02db8dff8L,0xd462f4fd5a2285a2L,0x1d6aad8eda00b461L,
+        0x43fbefcf41306d1bL,0x428e86f36a13fe19L,0xc8b2f11817f89404L },
+      { 0x762528aaf0d51afbL,0xa3e2fea4549b1d06L,0x86fad8f2ea3ddf66L,
+        0x0d9ccc4b4fbdd206L,0xcde97d4cc189ff5aL,0xc36793d6199f19a6L } },
+    /* 248 */
+    { { 0xea38909b51b85197L,0xffb17dd0b4c92895L,0x0eb0878b1ddb3f3fL,
+        0xb05d28ffc57cf0f2L,0xd8bde2e71abd57e2L,0x7f2be28dc40c1b20L },
+      { 0x6554dca2299a2d48L,0x5130ba2e8377982dL,0x8863205f1071971aL,
+        0x15ee62827cf2825dL,0xd4b6c57f03748f2bL,0xa9e3f4da430385a0L } },
+    /* 249 */
+    { { 0x33eb7cec83fbc9c6L,0x24a311c74541777eL,0xc81377f74f0767fcL,
+        0x12adae364ab702daL,0xb7fcb6db2a779696L,0x4a6fb28401cea6adL },
+      { 0x5e8b1d2acdfc73deL,0xd0efae8d1b02fd32L,0x3f99c190d81d8519L,
+        0x3c18f7fafc808971L,0x41f713e751b7ae7bL,0x0a4b3435f07fc3f8L } },
+    /* 250 */
+    { { 0x7dda3c4c019b7d2eL,0x631c8d1ad4dc4b89L,0x5489cd6e1cdb313cL,
+        0xd44aed104c07bb06L,0x8f97e13a75f000d1L,0x0e9ee64fdda5df4dL },
+      { 0xeaa99f3b3e346910L,0x622f6921fa294ad7L,0x22aaa20d0d0b2fe9L,
+        0x4fed2f991e5881baL,0x9af3b2d6c1571802L,0x919e67a8dc7ee17cL } },
+    /* 251 */
+    { { 0xc724fe4c76250533L,0x8a2080e57d817ef8L,0xa2afb0f4172c9751L,
+        0x9b10cdeb17c0702eL,0xbf3975e3c9b7e3e9L,0x206117df1cd0cdc5L },
+      { 0xfb049e61be05ebd5L,0xeb0bb55c16c782c0L,0x13a331b8ab7fed09L,
+        0xf6c58b1d632863f0L,0x6264ef6e4d3b6195L,0x92c51b639a53f116L } },
+    /* 252 */
+    { { 0xa57c7bc8288b364dL,0x4a562e087b41e5c4L,0x699d21c6698a9a11L,
+        0xa4ed9581f3f849b9L,0xa223eef39eb726baL,0x13159c23cc2884f9L },
+      { 0x73931e583a3f4963L,0x965003890ada6a81L,0x3ee8a1c65ab2950bL,
+        0xeedf4949775fab52L,0x63d652e14f2671b6L,0xfed4491c3c4e2f55L } },
+    /* 253 */
+    { { 0x335eadc3f4eb453eL,0x5ff74b63cadd1a5bL,0x6933d0d75d84a91aL,
+        0x9ca3eeb9b49ba337L,0x1f6faccec04c15b8L,0x4ef19326dc09a7e4L },
+      { 0x53d2d3243dca3233L,0x0ee40590a2259d4bL,0x18c22edb5546f002L,
+        0x9242980109ea6b71L,0xaada0addb0e91e61L,0x5fe53ef499963c50L } },
+    /* 254 */
+    { { 0x372dd06b90c28c65L,0x1765242c119ce47dL,0xc041fb806b22fc82L,
+        0x667edf07b0a7ccc1L,0xc79599e71261beceL,0xbc69d9ba19cff22aL },
+      { 0x009d77cd13c06819L,0x635a66aee282b79dL,0x4edac4a6225b1be8L,
+        0x57d4f4e4524008f9L,0xee299ac5b056af84L,0xcc38444c3a0bc386L } },
+    /* 255 */
+    { { 0x490643b1cd4c2356L,0x740a4851750547beL,0x643eaf29d4944c04L,
+        0xba572479299a98a0L,0x48b29f16ee05fdf9L,0x33fb4f61089b2d7bL },
+      { 0x86704902a950f955L,0x97e1034dfedc3ddfL,0x211320b605fbb6a2L,
+        0x23d7b93f432299bbL,0x1fe1a0578590e4a3L,0x8e1d0586f58c0ce6L } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_6(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_6(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, km);
+
+            err = sp_384_ecc_mulmod_base_6(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_6(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+static void sp_384_add_one_6(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldp	x1, x2, [%[a], 0]\n\t"
+        "adds	x1, x1, #1\n\t"
+        "ldr	x3, [%[a], 16]\n\t"
+        "adcs	x2, x2, xzr\n\t"
+        "ldr	x4, [%[a], 24]\n\t"
+        "adcs	x3, x3, xzr\n\t"
+        "stp	x1, x2, [%[a], 0]\n\t"
+        "adcs	x4, x4, xzr\n\t"
+        "stp	x3, x4, [%[a], 16]\n\t"
+        "ldp	x1, x2, [%[a], 32]\n\t"
+        "adcs	x1, x1, xzr\n\t"
+        "adcs	x2, x2, xzr\n\t"
+        "stp	x1, x2, [%[a], 32]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "x1", "x2", "x3", "x4"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j;
+    byte* d;
+
+    for (i = n - 1,j = 0; i >= 7; i -= 8) {
+        r[j]  = ((sp_digit)a[i - 0] <<  0) |
+                ((sp_digit)a[i - 1] <<  8) |
+                ((sp_digit)a[i - 2] << 16) |
+                ((sp_digit)a[i - 3] << 24) |
+                ((sp_digit)a[i - 4] << 32) |
+                ((sp_digit)a[i - 5] << 40) |
+                ((sp_digit)a[i - 6] << 48) |
+                ((sp_digit)a[i - 7] << 56);
+        j++;
+    }
+
+    if (i >= 0) {
+        r[j] = 0;
+
+        d = (byte*)r;
+        switch (i) {
+            case 6: d[n - 1 - 6] = a[6]; //fallthrough
+            case 5: d[n - 1 - 5] = a[5]; //fallthrough
+            case 4: d[n - 1 - 4] = a[4]; //fallthrough
+            case 3: d[n - 1 - 3] = a[3]; //fallthrough
+            case 2: d[n - 1 - 2] = a[2]; //fallthrough
+            case 1: d[n - 1 - 1] = a[1]; //fallthrough
+            case 0: d[n - 1 - 0] = a[0]; //fallthrough
+        }
+        j++;
+    }
+
+    for (; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_6(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 6, buf, (int)sizeof(buf));
+            if (sp_384_cmp_6(k, p384_order2) < 0) {
+                sp_384_add_one_6(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_6(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_6(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_6(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_6(point->x) == 0) || (sp_384_iszero_6(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_6(infinity, 1, heap);
+#endif
+    sp_384_point_free_6(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j;
+
+    for (i = 5, j = 0; i >= 0; i--) {
+        a[j++] = r[i] >> 56;
+        a[j++] = r[i] >> 48;
+        a[j++] = r[i] >> 40;
+        a[j++] = r[i] >> 32;
+        a[j++] = r[i] >> 24;
+        a[j++] = r[i] >> 16;
+        a[j++] = r[i] >> 8;
+        a[j++] = r[i] >> 0;
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, priv);
+        sp_384_point_from_ecc_point_6(point, pub);
+            err = sp_384_ecc_mulmod_6(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+static sp_digit sp_384_sub_in_place_6(sp_digit* a, const sp_digit* b)
+{
+    __asm__ __volatile__ (
+        "ldp	x2, x3, [%[a], 0]\n\t"
+        "ldp	x6, x7, [%[b], 0]\n\t"
+        "subs	x2, x2, x6\n\t"
+        "ldp	x4, x5, [%[a], 16]\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "ldp	x8, x9, [%[b], 16]\n\t"
+        "sbcs	x4, x4, x8\n\t"
+        "stp	x2, x3, [%[a], 0]\n\t"
+        "sbcs	x5, x5, x9\n\t"
+        "stp	x4, x5, [%[a], 16]\n\t"
+        "ldr		x2, [%[a], 32]\n\t"
+        "ldr		x3, [%[a], 40]\n\t"
+        "ldr		x6, [%[b], 32]\n\t"
+        "ldr		x7, [%[b], 40]\n\t"
+        "sbcs	x2, x2, x6\n\t"
+        "sbcs	x3, x3, x7\n\t"
+        "str		x2, [%[a], 32]\n\t"
+        "str		x3, [%[a], 40]\n\t"
+        "csetm	%[a], cc\n\t"
+        : [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "x2", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+
+    return (sp_digit)a;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+static void sp_384_mul_d_6(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldr	x8, [%[a]]\n\t"
+        "mul	x5, %[b], x8\n\t"
+        "umulh	x3, %[b], x8\n\t"
+        "mov	x4, 0\n\t"
+        "str	x5, [%[r]]\n\t"
+        "mov	x5, 0\n\t"
+        "mov	x9, #8\n\t"
+        "1:\n\t"
+        "ldr	x8, [%[a], x9]\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adds	x3, x3, x6\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "str	x3, [%[r], x9]\n\t"
+        "mov	x3, x4\n\t"
+        "mov	x4, x5\n\t"
+        "mov	x5, #0\n\t"
+        "add	x9, x9, #8\n\t"
+        "cmp	x9, 48\n\t"
+        "b.lt	1b\n\t"
+        "str	x3, [%[r], 48]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#else
+    __asm__ __volatile__ (
+        "# A[0] * B\n\t"
+        "ldp	x8, x9, [%[a]]\n\t"
+        "mul	x3, %[b], x8\n\t"
+        "umulh	x4, %[b], x8\n\t"
+        "mov	x5, 0\n\t"
+        "# A[1] * B\n\t"
+        "str	x3, [%[r]]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[2] * B\n\t"
+        "ldp	x8, x9, [%[a], 16]\n\t"
+        "str	x4, [%[r], 8]\n\t"
+        "mov	x4, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "# A[3] * B\n\t"
+        "str	x5, [%[r], 16]\n\t"
+        "mov	x5, 0\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x3, x3, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x4, xzr, xzr\n\t"
+        "adds	x3, x3, x6\n\t"
+        "# A[4] * B\n\t"
+        "ldp	x8, x9, [%[a], 32]\n\t"
+        "str	x3, [%[r], 24]\n\t"
+        "mov	x3, 0\n\t"
+        "mul	x6, %[b], x8\n\t"
+        "adcs	x4, x4, x7\n\t"
+        "umulh	x7, %[b], x8\n\t"
+        "adc	x5, xzr, xzr\n\t"
+        "adds	x4, x4, x6\n\t"
+        "# A[5] * B\n\t"
+        "str	x4, [%[r], 32]\n\t"
+        "mul	x6, %[b], x9\n\t"
+        "adcs	x5, x5, x7\n\t"
+        "umulh	x7, %[b], x9\n\t"
+        "adc	x3, xzr, xzr\n\t"
+        "adds	x5, x5, x6\n\t"
+        "adc	x3, x3, x7\n\t"
+        "stp	x5, x3, [%[r], 40]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "x3", "x4", "x5", "x6", "x7", "x8", "x9"
+    );
+#endif
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static sp_digit div_384_word_6(sp_digit d1, sp_digit d0, sp_digit div)
+{
+    sp_digit r;
+
+    __asm__ __volatile__ (
+        "lsr	x5, %[div], 32\n\t"
+        "add	x5, x5, 1\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x6, x3, 32\n\t"
+        "mul	x4, %[div], x6\n\t"
+        "umulh	x3, %[div], x6\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "udiv	x3, %[d1], x5\n\t"
+        "lsl	x3, x3, 32\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "umulh	x3, %[div], x3\n\t"
+        "subs	%[d0], %[d0], x4\n\t"
+        "sbc	%[d1], %[d1], x3\n\t"
+
+        "lsr	x3, %[d0], 32\n\t"
+        "orr	x3, x3, %[d1], lsl 32\n\t"
+
+        "udiv	x3, x3, x5\n\t"
+        "add	x6, x6, x3\n\t"
+        "mul	x4, %[div], x3\n\t"
+        "sub	%[d0], %[d0], x4\n\t"
+
+        "udiv	x3, %[d0], %[div]\n\t"
+        "add	%[r], x6, x3\n\t"
+
+        : [r] "=r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "x3", "x4", "x5", "x6"
+    );
+
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_384_mask_6(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<6; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_div_6(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[12], t2[7];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[5];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 6);
+    for (i=5; i>=0; i--) {
+        r1 = div_384_word_6(t1[6 + i], t1[6 + i - 1], div);
+
+        sp_384_mul_d_6(t2, d, r1);
+        t1[6 + i] += sp_384_sub_in_place_6(&t1[i], t2);
+        t1[6 + i] -= t2[6];
+        sp_384_mask_6(t2, d, t1[6 + i]);
+        t1[6 + i] += sp_384_add_6(&t1[i], &t1[i], t2);
+        sp_384_mask_6(t2, d, t1[6 + i]);
+        t1[6 + i] += sp_384_add_6(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_384_cmp_6(t1, d) >= 0;
+    sp_384_cond_sub_6(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_mod_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_6(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint64_t p384_order_minus_2[6] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint64_t p384_order_low[3] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_6(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_6(r, a);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_6(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_6(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_6(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_6(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_6(t, t);
+        if ((p384_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_6(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_6(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_6(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_6(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_6(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_6(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_6(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_6(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_6(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_6(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_6(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_6(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_6(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_6(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_6(t2, t2);
+        if (((sp_digit)p384_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_6(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_6(t2, t2);
+    sp_384_mont_mul_order_6(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*6];
+    sp_digit xd[2*6];
+    sp_digit kd[2*6];
+    sp_digit rd[2*6];
+    sp_digit td[3 * 2*6];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 6;
+        x = d + 2 * 6;
+        k = d + 4 * 6;
+        r = d + 6 * 6;
+        tmp = d + 8 * 6;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 6, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 6, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_6(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 6, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_6(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 6U);
+            sp_384_norm_6(r);
+            c = sp_384_cmp_6(r, p384_order);
+            sp_384_cond_sub_6(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_6(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_6(k, k, p384_norm_order);
+            err = sp_384_mod_6(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_6(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_6(kInv, k, tmp);
+            sp_384_norm_6(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_6(x, x, r);
+            err = sp_384_mod_6(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_6(x);
+            carry = sp_384_add_6(s, e, x);
+            sp_384_cond_sub_6(s, s, p384_order, 0 - carry);
+            sp_384_norm_6(s);
+            c = sp_384_cmp_6(s, p384_order);
+            sp_384_cond_sub_6(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_6(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_6(s, s, kInv);
+            sp_384_norm_6(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_6(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 6);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 6U);
+#endif
+    sp_384_point_free_6(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*6];
+    sp_digit u2d[2*6];
+    sp_digit sd[2*6];
+    sp_digit tmpd[2*6 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+
+    err = sp_384_point_new_6(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 6;
+        u2  = d + 2 * 6;
+        s   = d + 4 * 6;
+        tmp = d + 6 * 6;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 6, hash, (int)hashLen);
+        sp_384_from_mp(u2, 6, r);
+        sp_384_from_mp(s, 6, sm);
+        sp_384_from_mp(p2->x, 6, pX);
+        sp_384_from_mp(p2->y, 6, pY);
+        sp_384_from_mp(p2->z, 6, pZ);
+
+        {
+            sp_384_mul_6(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_6(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_6(s);
+        {
+            sp_384_mont_inv_order_6(s, s, tmp);
+            sp_384_mont_mul_order_6(u1, u1, s);
+            sp_384_mont_mul_order_6(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_6(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_6(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_6(p1, p1, p2, tmp);
+            if (sp_384_iszero_6(p1->z)) {
+                if (sp_384_iszero_6(p1->x) && sp_384_iszero_6(p1->y)) {
+                    sp_384_proj_point_dbl_6(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 6, r);
+        err = sp_384_mod_mul_norm_6(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_6(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_6(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 6, r);
+            carry = sp_384_add_6(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_6(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_6(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_6(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_6(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_6(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_6(p1, 0, heap);
+    sp_384_point_free_6(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_6(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*6];
+    sp_digit t2d[2*6];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 6;
+        t2 = d + 2 * 6;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_6(t1, point->y);
+        (void)sp_384_mod_6(t1, t1, p384_mod);
+        sp_384_sqr_6(t2, point->x);
+        (void)sp_384_mod_6(t2, t2, p384_mod);
+        sp_384_mul_6(t2, t2, point->x);
+        (void)sp_384_mod_6(t2, t2, p384_mod);
+        (void)sp_384_sub_6(t2, p384_mod, t2);
+        sp_384_mont_add_6(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_6(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_6(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 6, pX);
+        sp_384_from_mp(pub->y, 6, pY);
+        sp_384_from_bin(pub->z, 6, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_6(pub, NULL);
+    }
+
+    sp_384_point_free_6(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[6];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_6(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 6, pX);
+        sp_384_from_mp(pub->y, 6, pY);
+        sp_384_from_bin(pub->z, 6, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 6, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_6(pub->x) != 0) &&
+            (sp_384_iszero_6(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_6(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_6(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_6(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_6(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_6(p->x) == 0) ||
+            (sp_384_iszero_6(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_6(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_6(p->x, pub->x) != 0 ||
+            sp_384_cmp_6(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_6(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+        sp_384_from_mp(q->x, 6, qX);
+        sp_384_from_mp(q->y, 6, qY);
+        sp_384_from_mp(q->z, 6, qZ);
+
+            sp_384_proj_point_add_6(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(q, 0, NULL);
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_6(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+
+            sp_384_proj_point_dbl_6(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_6(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+
+        sp_384_map_6(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_6(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 6];
+    sp_digit t2d[2 * 6];
+    sp_digit t3d[2 * 6];
+    sp_digit t4d[2 * 6];
+    sp_digit t5d[2 * 6];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 6, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 6;
+        t2 = d + 2 * 6;
+        t3 = d + 4 * 6;
+        t4 = d + 6 * 6;
+        t5 = d + 8 * 6;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_6(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_6(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_6(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_6(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_6(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_6(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_6(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_6(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_6(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_6(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_6(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_6(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_6(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_6(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_6(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 6];
+    sp_digit yd[2 * 6];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 6, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 6;
+        y = d + 2 * 6;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 6, xm);
+        err = sp_384_mod_mul_norm_6(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_6(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_6(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_6(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_6(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_6(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 6, 0, 6U * sizeof(sp_digit));
+        sp_384_mont_reduce_6(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_6(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_SP_ARM64_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_armthumb.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_armthumb.c
new file mode 100644
index 000000000..40cb431a3
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_armthumb.c
@@ -0,0 +1,27863 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifdef WOLFSSL_SP_ARM_THUMB_ASM
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 2048 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<64 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[8 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #32\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #28\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #56\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #64\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #28\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #32\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #56\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #60\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #64\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_16(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit b1[8];
+    sp_digit z2[16];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_8(a1, a, &a[8]);
+    cb = sp_2048_add_8(b1, b, &b[8]);
+    u  = ca & cb;
+    sp_2048_mul_8(z1, a1, b1);
+    sp_2048_mul_8(z2, &a[8], &b[8]);
+    sp_2048_mul_8(z0, a, b);
+    sp_2048_mask_8(r + 16, a1, 0 - cb);
+    sp_2048_mask_8(b1, b1, 0 - ca);
+    u += sp_2048_add_8(r + 16, r + 16, b1);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[16];
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit u;
+
+    u = sp_2048_add_8(a1, a, &a[8]);
+    sp_2048_sqr_8(z1, a1);
+    sp_2048_sqr_8(z2, &a[8]);
+    sp_2048_sqr_8(z0, a);
+    sp_2048_mask_8(r + 16, a1, 0 - u);
+    u += sp_2048_add_8(r + 16, r + 16, r + 16);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_32(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit b1[16];
+    sp_digit z2[32];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_16(a1, a, &a[16]);
+    cb = sp_2048_add_16(b1, b, &b[16]);
+    u  = ca & cb;
+    sp_2048_mul_16(z1, a1, b1);
+    sp_2048_mul_16(z2, &a[16], &b[16]);
+    sp_2048_mul_16(z0, a, b);
+    sp_2048_mask_16(r + 32, a1, 0 - cb);
+    sp_2048_mask_16(b1, b1, 0 - ca);
+    u += sp_2048_add_16(r + 32, r + 32, b1);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[32];
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit u;
+
+    u = sp_2048_add_16(a1, a, &a[16]);
+    sp_2048_sqr_16(z1, a1);
+    sp_2048_sqr_16(z2, &a[16]);
+    sp_2048_sqr_16(z0, a);
+    sp_2048_mask_16(r + 32, a1, 0 - u);
+    u += sp_2048_add_16(r + 32, r + 32, r + 32);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_64(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mvn	r7, r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r7"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit b1[32];
+    sp_digit z2[64];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_32(a1, a, &a[32]);
+    cb = sp_2048_add_32(b1, b, &b[32]);
+    u  = ca & cb;
+    sp_2048_mul_32(z1, a1, b1);
+    sp_2048_mul_32(z2, &a[32], &b[32]);
+    sp_2048_mul_32(z0, a, b);
+    sp_2048_mask_32(r + 64, a1, 0 - cb);
+    sp_2048_mask_32(b1, b1, 0 - ca);
+    u += sp_2048_add_32(r + 64, r + 64, b1);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[64];
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit u;
+
+    u = sp_2048_add_32(a1, a, &a[32]);
+    sp_2048_sqr_32(z1, a1);
+    sp_2048_sqr_32(z2, &a[32]);
+    sp_2048_sqr_32(z0, a);
+    sp_2048_mask_32(r + 64, a1, 0 - u);
+    u += sp_2048_add_32(r + 64, r + 64, r + 64);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, #8\n\t"
+        "sub	r7, #1\n\t"
+        "add	r6, r4\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_64(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "mov	r5, #1\n\t"
+        "lsl	r5, #8\n\t"
+        "add	r7, r5\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[64 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "add	r6, #128\n\t"
+        "sub	r7, #1\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_32(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "add	r7, #128\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[32 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #128\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #124\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #124\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #128\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_2048_mul_d_64(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_32(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 32);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_32(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_sub_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #128\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_32(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #124\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+31] += m[31] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[31] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[31] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #128\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_2048_cond_sub_32(a - 32, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_32(r, a, b);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_32(r, a);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_2048_mul_d_32(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #128\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_2048_word_32(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_2048_cmp_32(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #124\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+        sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_32(t1, d) >= 0;
+    sp_2048_cond_sub_32(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][64];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_64(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 64);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_64(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_sub_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_64(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #252\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+63] += m[63] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[63] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[63] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, r4, #8\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_2048_cond_sub_64(a - 64, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_64(r, a, b);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_64(r, a);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_2048_word_64(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_2048_cmp_64(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #252\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        if (t1[64 + i] != 0) {
+            t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+            if (t1[64 + i] != 0)
+                t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][128];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_64(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_64(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_64(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_64(t[20], t[10], m, mp);
+        sp_2048_mont_mul_64(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_64(t[22], t[11], m, mp);
+        sp_2048_mont_mul_64(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_64(t[24], t[12], m, mp);
+        sp_2048_mont_mul_64(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_64(t[26], t[13], m, mp);
+        sp_2048_mont_mul_64(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_64(t[28], t[14], m, mp);
+        sp_2048_mont_mul_64(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_64(t[30], t[15], m, mp);
+        sp_2048_mont_mul_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128], m[64], r[128];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 256 ||
+                                                     mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 64 * 2;
+        m = r + 64 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 64;
+
+        sp_2048_from_bin(ah, 64, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 64, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_2048_sqr_64(r, ah);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_2048_mul_64(r, ah, r);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 64);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_64(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_64(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                sp_2048_mont_reduce_64(r, m, mp);
+
+                for (i = 63; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_2048_sub_in_place_64(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 64;
+        m = a + 128;
+        r = a;
+
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(d, 64, dm);
+        sp_2048_from_mp(m, 64, mm);
+        err = sp_2048_mod_exp_64(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 64);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #128\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, #1\n\t"
+        "add	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "adc	r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[64 * 2];
+    sp_digit p[32], q[32], dp[32];
+    sp_digit tmpa[64], tmpb[64];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 256 || mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 64 * 2;
+        q = p + 32;
+        qi = dq = dp = q + 32;
+        tmpa = qi + 32;
+        tmpb = tmpa + 64;
+
+        r = t + 64;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(p, 32, pm);
+        sp_2048_from_mp(q, 32, qm);
+        sp_2048_from_mp(dp, 32, dpm);
+
+        err = sp_2048_mod_exp_32(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 32, dqm);
+        err = sp_2048_mod_exp_32(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_32(tmpa, tmpb);
+        c += sp_2048_cond_add_32(tmpa, tmpa, p, c);
+        sp_2048_cond_add_32(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 32, qim);
+        sp_2048_mul_32(tmpa, tmpa, qi);
+        err = sp_2048_mod_32(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_32(tmpa, q, tmpa);
+        XMEMSET(&tmpb[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_add_64(r, tmpb, tmpa);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 32 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 64);
+        r->used = 64;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_mp(e, 64, exp);
+        sp_2048_from_mp(m, 64, mod);
+
+        err = sp_2048_mod_exp_64(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+static void sp_2048_lshift_64(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "add	%[a], %[a], #192\n\t"
+        "add	%[r], %[r], #192\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "str	r2, [%[r], #68]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "str	r3, [%[r]]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_2048_lshift_64(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_lshift_64(r, r, y);
+            sp_2048_mul_d_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_2048_add_64(r, r, tmp);
+            sp_2048_cond_sub_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_bin(e, 64, exp, expLen);
+        sp_2048_from_mp(m, 64, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 && m[63] == (sp_digit)-1)
+            err = sp_2048_mod_exp_2_64(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_2048_mod_exp_64(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_mp(e, 32, exp);
+        sp_2048_from_mp(m, 32, mod);
+
+        err = sp_2048_mod_exp_32(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 32, 0, sizeof(*r) * 32U);
+        err = sp_2048_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 3072 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<96 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[12 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #96\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #92\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #96\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_24(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit b1[12];
+    sp_digit z2[24];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_12(a1, a, &a[12]);
+    cb = sp_3072_add_12(b1, b, &b[12]);
+    u  = ca & cb;
+    sp_3072_mul_12(z1, a1, b1);
+    sp_3072_mul_12(z2, &a[12], &b[12]);
+    sp_3072_mul_12(z0, a, b);
+    sp_3072_mask_12(r + 24, a1, 0 - cb);
+    sp_3072_mask_12(b1, b1, 0 - ca);
+    u += sp_3072_add_12(r + 24, r + 24, b1);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[24];
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit u;
+
+    u = sp_3072_add_12(a1, a, &a[12]);
+    sp_3072_sqr_12(z1, a1);
+    sp_3072_sqr_12(z2, &a[12]);
+    sp_3072_sqr_12(z0, a);
+    sp_3072_mask_12(r + 24, a1, 0 - u);
+    u += sp_3072_add_12(r + 24, r + 24, r + 24);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_48(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mvn	r7, r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r7"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit b1[24];
+    sp_digit z2[48];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_24(a1, a, &a[24]);
+    cb = sp_3072_add_24(b1, b, &b[24]);
+    u  = ca & cb;
+    sp_3072_mul_24(z1, a1, b1);
+    sp_3072_mul_24(z2, &a[24], &b[24]);
+    sp_3072_mul_24(z0, a, b);
+    sp_3072_mask_24(r + 48, a1, 0 - cb);
+    sp_3072_mask_24(b1, b1, 0 - ca);
+    u += sp_3072_add_24(r + 48, r + 48, b1);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[48];
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit u;
+
+    u = sp_3072_add_24(a1, a, &a[24]);
+    sp_3072_sqr_24(z1, a1);
+    sp_3072_sqr_24(z2, &a[24]);
+    sp_3072_sqr_24(z0, a);
+    sp_3072_mask_24(r + 48, a1, 0 - u);
+    u += sp_3072_add_24(r + 48, r + 48, r + 48);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_96(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mvn	r7, r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r7"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit b1[48];
+    sp_digit z2[96];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_48(a1, a, &a[48]);
+    cb = sp_3072_add_48(b1, b, &b[48]);
+    u  = ca & cb;
+    sp_3072_mul_48(z1, a1, b1);
+    sp_3072_mul_48(z2, &a[48], &b[48]);
+    sp_3072_mul_48(z0, a, b);
+    sp_3072_mask_48(r + 96, a1, 0 - cb);
+    sp_3072_mask_48(b1, b1, 0 - ca);
+    u += sp_3072_add_48(r + 96, r + 96, b1);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[96];
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit u;
+
+    u = sp_3072_add_48(a1, a, &a[48]);
+    sp_3072_sqr_48(z1, a1);
+    sp_3072_sqr_48(z2, &a[48]);
+    sp_3072_sqr_48(z0, a);
+    sp_3072_mask_48(r + 96, a1, 0 - u);
+    u += sp_3072_add_48(r + 96, r + 96, r + 96);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, #8\n\t"
+        "add	r4, #128\n\t"
+        "sub	r7, #1\n\t"
+        "add	r6, r4\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_96(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "mov	r5, #1\n\t"
+        "lsl	r5, #8\n\t"
+        "add	r5, #128\n\t"
+        "add	r7, r5\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[96 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #128\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #124\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #124\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #128\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #2\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "add	r6, #192\n\t"
+        "sub	r7, #1\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_48(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "add	r7, #192\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[48 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #192\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #188\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #120\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #128\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #188\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #192\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #120\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, #124\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #128\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_3072_mul_d_96(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #128\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_48(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 48);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_48(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_sub_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #192\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_48(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #188\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+47] += m[47] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[47] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[47] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #192\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_3072_cond_sub_48(a - 48, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_48(r, a, b);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_48(r, a);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_3072_mul_d_48(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #192\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_3072_word_48(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_3072_cmp_48(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #188\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+        sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_48(t1, d) >= 0;
+    sp_3072_cond_sub_48(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][96];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_96(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 96);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_96(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_sub_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "add	r5, #128\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_96(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, r4, #8\n\t"
+        "add	r4, #124\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+95] += m[95] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[95] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[95] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, r4, #8\n\t"
+        "add	r4, #128\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_3072_cond_sub_96(a - 96, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_96(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_96(r, a, b);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_96(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_96(r, a);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_3072_word_96(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_96(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<96; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_3072_cmp_96(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #124\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        if (t1[96 + i] != 0) {
+            t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+            if (t1[96 + i] != 0)
+                t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][192];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][192];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_96(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_96(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_96(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_96(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_96(t[20], t[10], m, mp);
+        sp_3072_mont_mul_96(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_96(t[22], t[11], m, mp);
+        sp_3072_mont_mul_96(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_96(t[24], t[12], m, mp);
+        sp_3072_mont_mul_96(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_96(t[26], t[13], m, mp);
+        sp_3072_mont_mul_96(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_96(t[28], t[14], m, mp);
+        sp_3072_mont_mul_96(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_96(t[30], t[15], m, mp);
+        sp_3072_mont_mul_96(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[192], m[96], r[192];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 384 ||
+                                                     mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 96 * 2;
+        m = r + 96 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 96;
+
+        sp_3072_from_bin(ah, 96, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 96, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_3072_sqr_96(r, ah);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_3072_mul_96(r, ah, r);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 96);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_96(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_96(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[96], 0, sizeof(sp_digit) * 96);
+                sp_3072_mont_reduce_96(r, m, mp);
+
+                for (i = 95; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_3072_sub_in_place_96(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 96;
+        m = a + 192;
+        r = a;
+
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(d, 96, dm);
+        sp_3072_from_mp(m, 96, mm);
+        err = sp_3072_mod_exp_96(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 96);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_add_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #192\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, #1\n\t"
+        "add	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "adc	r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[96 * 2];
+    sp_digit p[48], q[48], dp[48];
+    sp_digit tmpa[96], tmpb[96];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 384 || mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 96 * 2;
+        q = p + 48;
+        qi = dq = dp = q + 48;
+        tmpa = qi + 48;
+        tmpb = tmpa + 96;
+
+        r = t + 96;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(p, 48, pm);
+        sp_3072_from_mp(q, 48, qm);
+        sp_3072_from_mp(dp, 48, dpm);
+
+        err = sp_3072_mod_exp_48(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 48, dqm);
+        err = sp_3072_mod_exp_48(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_3072_sub_in_place_48(tmpa, tmpb);
+        c += sp_3072_cond_add_48(tmpa, tmpa, p, c);
+        sp_3072_cond_add_48(tmpa, tmpa, p, c);
+
+        sp_3072_from_mp(qi, 48, qim);
+        sp_3072_mul_48(tmpa, tmpa, qi);
+        err = sp_3072_mod_48(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_48(tmpa, q, tmpa);
+        XMEMSET(&tmpb[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_add_96(r, tmpb, tmpa);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 48 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 96);
+        r->used = 96;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_mp(e, 96, exp);
+        sp_3072_from_mp(m, 96, mod);
+
+        err = sp_3072_mod_exp_96(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+static void sp_3072_lshift_96(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "add	%[a], %[a], #255\n\t"
+        "add	%[r], %[r], #255\n\t"
+        "add	%[a], %[a], #65\n\t"
+        "add	%[r], %[r], #65\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "str	r2, [%[r], #68]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "str	r2, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_96(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[192];
+    sp_digit td[97];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 289, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 192;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_3072_lshift_96(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_lshift_96(r, r, y);
+            sp_3072_mul_d_96(tmp, norm, r[96]);
+            r[96] = 0;
+            o = sp_3072_add_96(r, r, tmp);
+            sp_3072_cond_sub_96(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_bin(e, 96, exp, expLen);
+        sp_3072_from_mp(m, 96, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 && m[95] == (sp_digit)-1)
+            err = sp_3072_mod_exp_2_96(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_3072_mod_exp_96(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_mp(e, 48, exp);
+        sp_3072_from_mp(m, 48, mod);
+
+        err = sp_3072_mod_exp_48(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 48, 0, sizeof(*r) * 48U);
+        err = sp_3072_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 4096 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<128 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mvn	r7, r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r7"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_sub_in_place_128(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "ldr	r6, [%[b], #52]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #48]\n\t"
+        "str	r4, [%[a], #52]\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "ldr	r6, [%[b], #60]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #56]\n\t"
+        "str	r4, [%[a], #60]\n\t"
+        "ldr	r3, [%[a], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "ldr	r6, [%[b], #68]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #64]\n\t"
+        "str	r4, [%[a], #68]\n\t"
+        "ldr	r3, [%[a], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "ldr	r6, [%[b], #76]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #72]\n\t"
+        "str	r4, [%[a], #76]\n\t"
+        "ldr	r3, [%[a], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "ldr	r6, [%[b], #84]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #80]\n\t"
+        "str	r4, [%[a], #84]\n\t"
+        "ldr	r3, [%[a], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "ldr	r6, [%[b], #92]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #88]\n\t"
+        "str	r4, [%[a], #92]\n\t"
+        "ldr	r3, [%[a], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "ldr	r6, [%[b], #100]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #96]\n\t"
+        "str	r4, [%[a], #100]\n\t"
+        "ldr	r3, [%[a], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "ldr	r6, [%[b], #108]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #104]\n\t"
+        "str	r4, [%[a], #108]\n\t"
+        "ldr	r3, [%[a], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "ldr	r6, [%[b], #116]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #112]\n\t"
+        "str	r4, [%[a], #116]\n\t"
+        "ldr	r3, [%[a], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "ldr	r6, [%[b], #124]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #120]\n\t"
+        "str	r4, [%[a], #124]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r7, #0\n\t"
+        "mvn	r7, r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #0x80\n\t"
+        "add	%[b], #0x80\n\t"
+        "add	%[r], #0x80\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "ldr	r5, [%[b], #48]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "ldr	r5, [%[b], #52]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "ldr	r5, [%[b], #56]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "ldr	r5, [%[b], #60]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "ldr	r4, [%[a], #64]\n\t"
+        "ldr	r5, [%[b], #64]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "ldr	r4, [%[a], #68]\n\t"
+        "ldr	r5, [%[b], #68]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "ldr	r4, [%[a], #72]\n\t"
+        "ldr	r5, [%[b], #72]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #72]\n\t"
+        "ldr	r4, [%[a], #76]\n\t"
+        "ldr	r5, [%[b], #76]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #76]\n\t"
+        "ldr	r4, [%[a], #80]\n\t"
+        "ldr	r5, [%[b], #80]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #80]\n\t"
+        "ldr	r4, [%[a], #84]\n\t"
+        "ldr	r5, [%[b], #84]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #84]\n\t"
+        "ldr	r4, [%[a], #88]\n\t"
+        "ldr	r5, [%[b], #88]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #88]\n\t"
+        "ldr	r4, [%[a], #92]\n\t"
+        "ldr	r5, [%[b], #92]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #92]\n\t"
+        "ldr	r4, [%[a], #96]\n\t"
+        "ldr	r5, [%[b], #96]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #96]\n\t"
+        "ldr	r4, [%[a], #100]\n\t"
+        "ldr	r5, [%[b], #100]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #100]\n\t"
+        "ldr	r4, [%[a], #104]\n\t"
+        "ldr	r5, [%[b], #104]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #104]\n\t"
+        "ldr	r4, [%[a], #108]\n\t"
+        "ldr	r5, [%[b], #108]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #108]\n\t"
+        "ldr	r4, [%[a], #112]\n\t"
+        "ldr	r5, [%[b], #112]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #112]\n\t"
+        "ldr	r4, [%[a], #116]\n\t"
+        "ldr	r5, [%[b], #116]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #116]\n\t"
+        "ldr	r4, [%[a], #120]\n\t"
+        "ldr	r5, [%[b], #120]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #120]\n\t"
+        "ldr	r4, [%[a], #124]\n\t"
+        "ldr	r5, [%[b], #124]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #124]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r7"
+    );
+
+    return c;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[64 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit b1[64];
+    sp_digit z2[128];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_64(a1, a, &a[64]);
+    cb = sp_2048_add_64(b1, b, &b[64]);
+    u  = ca & cb;
+    sp_2048_mul_64(z1, a1, b1);
+    sp_2048_mul_64(z2, &a[64], &b[64]);
+    sp_2048_mul_64(z0, a, b);
+    sp_2048_mask_64(r + 128, a1, 0 - cb);
+    sp_2048_mask_64(b1, b1, 0 - ca);
+    u += sp_2048_add_64(r + 128, r + 128, b1);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[128];
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit u;
+
+    u = sp_2048_add_64(a1, a, &a[64]);
+    sp_2048_sqr_64(z1, a1);
+    sp_2048_sqr_64(z2, &a[64]);
+    sp_2048_sqr_64(z0, a);
+    sp_2048_mask_64(r + 128, a1, 0 - u);
+    u += sp_2048_add_64(r + 128, r + 128, r + 128);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "mov	r4, #2\n\t"
+        "lsl	r4, #8\n\t"
+        "sub	r7, #1\n\t"
+        "add	r6, r4\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_sub_in_place_128(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "mov	r5, #2\n\t"
+        "lsl	r5, #8\n\t"
+        "add	r7, r5\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[128 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #4\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #252\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #248\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #3\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #4\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_4096_mul_d_128(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_128(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 128);
+
+    /* r = 2^n mod m */
+    sp_4096_sub_in_place_128(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_4096_cond_sub_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #2\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_4096_mont_reduce_128(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #1\n\t"
+        "lsl	r4, r4, #8\n\t"
+        "add	r4, #252\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+127] += m[127] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[127] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[127] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #2\n\t"
+        "lsl	r4, r4, #8\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_4096_cond_sub_128(a - 128, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_128(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_128(r, a, b);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_128(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_128(r, a);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_4096_word_128(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_128(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<128; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_4096_cmp_128(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, #252\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        if (t1[128 + i] != 0) {
+            t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+            if (t1[128 + i] != 0)
+                t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][256];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][256];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_128(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_128(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_128(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_128(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_128(t[20], t[10], m, mp);
+        sp_4096_mont_mul_128(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_128(t[22], t[11], m, mp);
+        sp_4096_mont_mul_128(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_128(t[24], t[12], m, mp);
+        sp_4096_mont_mul_128(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_128(t[26], t[13], m, mp);
+        sp_4096_mont_mul_128(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_128(t[28], t[14], m, mp);
+        sp_4096_mont_mul_128(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_128(t[30], t[15], m, mp);
+        sp_4096_mont_mul_128(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[256], m[128], r[256];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 512 ||
+                                                     mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 128 * 2;
+        m = r + 128 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 128;
+
+        sp_4096_from_bin(ah, 128, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 128, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_4096_sqr_128(r, ah);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_4096_mul_128(r, ah, r);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 128);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_128(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_128(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[128], 0, sizeof(sp_digit) * 128);
+                sp_4096_mont_reduce_128(r, m, mp);
+
+                for (i = 127; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_4096_sub_in_place_128(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 128;
+        m = a + 256;
+        r = a;
+
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(d, 128, dm);
+        sp_4096_from_mp(m, 128, mm);
+        err = sp_4096_mod_exp_128(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 128);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_4096_cond_add_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, #1\n\t"
+        "add	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "adc	r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128 * 2];
+    sp_digit p[64], q[64], dp[64];
+    sp_digit tmpa[128], tmpb[128];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 512 || mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 128 * 2;
+        q = p + 64;
+        qi = dq = dp = q + 64;
+        tmpa = qi + 64;
+        tmpb = tmpa + 128;
+
+        r = t + 128;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(p, 64, pm);
+        sp_4096_from_mp(q, 64, qm);
+        sp_4096_from_mp(dp, 64, dpm);
+
+        err = sp_2048_mod_exp_64(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 64, dqm);
+        err = sp_2048_mod_exp_64(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_64(tmpa, tmpb);
+        c += sp_4096_cond_add_64(tmpa, tmpa, p, c);
+        sp_4096_cond_add_64(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 64, qim);
+        sp_2048_mul_64(tmpa, tmpa, qi);
+        err = sp_2048_mod_64(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_64(tmpa, q, tmpa);
+        XMEMSET(&tmpb[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_add_128(r, tmpb, tmpa);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 64 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 128);
+        r->used = 128;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_mp(e, 128, exp);
+        sp_4096_from_mp(m, 128, mod);
+
+        err = sp_4096_mod_exp_128(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+static void sp_4096_lshift_128(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #31\n\t"
+        "sub	r6, r6, %[n]\n\t"
+        "add	%[a], %[a], #255\n\t"
+        "add	%[r], %[r], #255\n\t"
+        "add	%[a], %[a], #193\n\t"
+        "add	%[r], %[r], #193\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "lsr	r4, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r4, r4, r6\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "str	r2, [%[r], #68]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r4, [%[a], #60]\n\t"
+        "str	r3, [%[r], #68]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #56]\n\t"
+        "str	r2, [%[r], #64]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #52]\n\t"
+        "str	r4, [%[r], #60]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #48]\n\t"
+        "str	r3, [%[r], #56]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #44]\n\t"
+        "str	r2, [%[r], #52]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #40]\n\t"
+        "str	r4, [%[r], #48]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "str	r3, [%[r], #44]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "str	r2, [%[r], #40]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #28]\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "str	r3, [%[r], #32]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #20]\n\t"
+        "str	r2, [%[r], #28]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #16]\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "str	r3, [%[r], #20]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "str	r2, [%[r], #16]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #4]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #0]\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r3, [%[a], #60]\n\t"
+        "str	r2, [%[r], #68]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #56]\n\t"
+        "str	r4, [%[r], #64]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #52]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #48]\n\t"
+        "str	r2, [%[r], #56]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #44]\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #36]\n\t"
+        "str	r2, [%[r], #44]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #32]\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "str	r2, [%[r], #32]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #20]\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "str	r3, [%[r], #24]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #12]\n\t"
+        "str	r2, [%[r], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #8]\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "str	r3, [%[r], #12]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "str	r2, [%[r], #8]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "sub	%[a], %[a], #64\n\t"
+        "sub	%[r], %[r], #64\n\t"
+        "ldr	r2, [%[a], #60]\n\t"
+        "str	r4, [%[r], #68]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #56]\n\t"
+        "str	r3, [%[r], #64]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #52]\n\t"
+        "str	r2, [%[r], #60]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #48]\n\t"
+        "str	r4, [%[r], #56]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r3, [%[r], #52]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r2, [%[r], #48]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsr	r5, r4, #1\n\t"
+        "lsl	r4, r4, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r2, [%[a], #0]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsr	r5, r2, #1\n\t"
+        "lsl	r2, r2, %[n]\n\t"
+        "lsr	r5, r5, r6\n\t"
+        "orr	r3, r3, r5\n\t"
+        "str	r2, [%[r]]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_128(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[256];
+    sp_digit td[129];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 385, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 256;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_4096_lshift_128(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_lshift_128(r, r, y);
+            sp_4096_mul_d_128(tmp, norm, r[128]);
+            r[128] = 0;
+            o = sp_4096_add_128(r, r, tmp);
+            sp_4096_cond_sub_128(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_bin(e, 128, exp, expLen);
+        sp_4096_from_mp(m, 128, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 && m[127] == (sp_digit)-1)
+            err = sp_4096_mod_exp_2_128(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_4096_mod_exp_128(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 8];
+    sp_digit y[2 * 8];
+    sp_digit z[2 * 8];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[8] = {
+    0xffffffff,0xffffffff,0xffffffff,0x00000000,0x00000000,0x00000000,
+    0x00000001,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[8] = {
+    0x00000001,0x00000000,0x00000000,0xffffffff,0xffffffff,0xffffffff,
+    0xfffffffe,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[8] = {
+    0xfc632551,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[8] = {
+    0xfc63254f,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[8] = {
+    0x039cdaaf,0x0c46353d,0x58e8617b,0x43190552,0x00000000,0x00000000,
+    0xffffffff,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0xee00bc4f;
+#endif
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0xd898c296,0xf4a13945,0x2deb33a0,0x77037d81,0x63a440f2,0xf8bce6e5,
+        0xe12c4247,0x6b17d1f2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x37bf51f5,0xcbb64068,0x6b315ece,0x2bce3357,0x7c0f9e16,0x8ee7eb4a,
+        0xfe1a7f9b,0x4fe342e2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[8] = {
+    0x27d2604b,0x3bce3c3e,0xcc53b0f6,0x651d06b0,0x769886bc,0xb3ebbd55,
+    0xaa3a93e7,0x5ac635d8
+};
+#endif
+
+static int sp_256_point_new_ex_8(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_8(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ */
+static int sp_256_mod_mul_norm_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    int64_t t[8];
+    int64_t a64[8];
+    int64_t o;
+
+    (void)m;
+
+    a64[0] = a[0];
+    a64[1] = a[1];
+    a64[2] = a[2];
+    a64[3] = a[3];
+    a64[4] = a[4];
+    a64[5] = a[5];
+    a64[6] = a[6];
+    a64[7] = a[7];
+
+    /*  1  1  0 -1 -1 -1 -1  0 */
+    t[0] = 0 + a64[0] + a64[1] - a64[3] - a64[4] - a64[5] - a64[6];
+    /*  0  1  1  0 -1 -1 -1 -1 */
+    t[1] = 0 + a64[1] + a64[2] - a64[4] - a64[5] - a64[6] - a64[7];
+    /*  0  0  1  1  0 -1 -1 -1 */
+    t[2] = 0 + a64[2] + a64[3] - a64[5] - a64[6] - a64[7];
+    /* -1 -1  0  2  2  1  0 -1 */
+    t[3] = 0 - a64[0] - a64[1] + 2 * a64[3] + 2 * a64[4] + a64[5] - a64[7];
+    /*  0 -1 -1  0  2  2  1  0 */
+    t[4] = 0 - a64[1] - a64[2] + 2 * a64[4] + 2 * a64[5] + a64[6];
+    /*  0  0 -1 -1  0  2  2  1 */
+    t[5] = 0 - a64[2] - a64[3] + 2 * a64[5] + 2 * a64[6] + a64[7];
+    /* -1 -1  0  0  0  1  3  2 */
+    t[6] = 0 - a64[0] - a64[1] + a64[5] + 3 * a64[6] + 2 * a64[7];
+    /*  1  0 -1 -1 -1 -1  0  3 */
+    t[7] = 0 + a64[0] - a64[2] - a64[3] - a64[4] - a64[5] + 3 * a64[7];
+
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    o     = t[7] >> 32; t[7] &= 0xffffffff;
+    t[0] += o;
+    t[3] -= o;
+    t[6] -= o;
+    t[7] += o;
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    r[0] = t[0];
+    r[1] = t[1];
+    r[2] = t[2];
+    r[3] = t[3];
+    r[4] = t[4];
+    r[5] = t[5];
+    r[6] = t[6];
+    r[7] = t[7];
+
+    return MP_OKAY;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_8(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 8, pm->x);
+    sp_256_from_mp(p->y, 8, pm->y);
+    sp_256_from_mp(p->z, 8, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 8);
+        r->used = 8;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_8(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[8 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #32\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #28\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #56\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_256_cond_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #32\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_8(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    (void)mp;
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r2, #0\n\t"
+        "mov	r1, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r8, r2\n\t"
+        "\n1:\n\t"
+        "mov	r4, #0\n\t"
+        "# mu = a[i] * 1 (mp) = a[i]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "# a[i+0] += -1 * mu\n\t"
+        "mov	r5, r3\n\t"
+        "str	r4, [%[a], #0]\n\t"
+        "# a[i+1] += -1 * mu\n\t"
+        "ldr	r6, [%[a], #4]\n\t"
+        "mov	r4, r3\n\t"
+        "sub	r5, r3\n\t"
+        "sbc	r4, r2\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r2\n\t"
+        "str	r5, [%[a], #4]\n\t"
+        "# a[i+2] += -1 * mu\n\t"
+        "ldr	r6, [%[a], #8]\n\t"
+        "mov	r5, r3\n\t"
+        "sub	r4, r3\n\t"
+        "sbc	r5, r2\n\t"
+        "add	r4, r6\n\t"
+        "adc	r5, r2\n\t"
+        "str	r4, [%[a], #8]\n\t"
+        "# a[i+3] += 0 * mu\n\t"
+        "ldr	r6, [%[a], #12]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r2\n\t"
+        "str	r5, [%[a], #12]\n\t"
+        "# a[i+4] += 0 * mu\n\t"
+        "ldr	r6, [%[a], #16]\n\t"
+        "mov	r5, #0\n\t"
+        "add	r4, r6\n\t"
+        "adc	r5, r2\n\t"
+        "str	r4, [%[a], #16]\n\t"
+        "# a[i+5] += 0 * mu\n\t"
+        "ldr	r6, [%[a], #20]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r2\n\t"
+        "str	r5, [%[a], #20]\n\t"
+        "# a[i+6] += 1 * mu\n\t"
+        "ldr	r6, [%[a], #24]\n\t"
+        "mov	r5, #0\n\t"
+        "add	r4, r3\n\t"
+        "adc	r5, r2\n\t"
+        "add	r4, r6\n\t"
+        "adc	r5, r2\n\t"
+        "str	r4, [%[a], #24]\n\t"
+        "# a[i+7] += -1 * mu\n\t"
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r7, [%[a], #32]\n\t"
+        "add	r4, r1, r3\n\t"
+        "mov	r1, #0\n\t"
+        "adc	r1, r2\n\t"
+        "sub	r5, r3\n\t"
+        "sbc	r4, r2\n\t"
+        "sbc	r1, r2\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r1, r2\n\t"
+        "str	r5, [%[a],  #28]\n\t"
+        "str	r4, [%[a], #32]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r8, r6\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r6, #32\n\t"
+        "cmp	r8, r6\n\t"
+        "blt	1b\n\t"
+        "sub	%[a], #32\n\t"
+        "mov	r3, r1\n\t"
+        "sub	r1, #1\n\t"
+        "mvn	r1, r1\n\t"
+        "ldr	r5, [%[a],#32]\n\t"
+        "ldr	r4, [%[a],#36]\n\t"
+        "ldr	r6, [%[a],#40]\n\t"
+        "ldr	r7, [%[a],#44]\n\t"
+        "sub	r5, r1\n\t"
+        "sbc	r4, r1\n\t"
+        "sbc	r6, r1\n\t"
+        "sbc	r7, r2\n\t"
+        "str	r5, [%[a],#0]\n\t"
+        "str	r4, [%[a],#4]\n\t"
+        "str	r6, [%[a],#8]\n\t"
+        "str	r7, [%[a],#12]\n\t"
+        "ldr	r5, [%[a],#48]\n\t"
+        "ldr	r4, [%[a],#52]\n\t"
+        "ldr	r6, [%[a],#56]\n\t"
+        "ldr	r7, [%[a],#60]\n\t"
+        "sbc	r5, r2\n\t"
+        "sbc	r4, r2\n\t"
+        "sbc	r6, r3\n\t"
+        "sbc	r7, r1\n\t"
+        "str	r5, [%[a],#16]\n\t"
+        "str	r4, [%[a],#20]\n\t"
+        "str	r6, [%[a],#24]\n\t"
+        "str	r7, [%[a],#28]\n\t"
+        : [a] "+r" (a)
+        :
+        : "memory", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8"
+    );
+
+
+    (void)m;
+    (void)mp;
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_order_8(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #28\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+7] += m[7] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[7] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[7] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #32\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_256_cond_sub_8(a - 8, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_8(r, m, mp);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #64\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #28\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #32\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #56\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #60\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #64\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_8(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_256_sqr_8(r, a);
+    sp_256_mont_reduce_8(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_8(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_8(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_8(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint32_t p256_mod_minus_2[8] = {
+    0xfffffffdU,0xffffffffU,0xffffffffU,0x00000000U,0x00000000U,0x00000000U,
+    0x00000001U,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_8(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_8(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_256_mont_mul_8(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    /* 0x2 */
+    sp_256_mont_sqr_8(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_8(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_8(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_8(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_8(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_8(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_8(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_8(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_8(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_8(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_8(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_8(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_8(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_256_cmp_8(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #28\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_256_norm_8(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    int32_t n;
+
+    sp_256_mont_inv_8(t1, p->z, t + 2*8);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_8(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 8, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_8(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_8(r->x, p256_mod);
+    sp_256_cond_sub_8(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_8(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 8, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_8(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_8(r->y, p256_mod);
+    sp_256_cond_sub_8(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "add	r6, #32\n\t"
+        "sub	r7, #1\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_add_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[b],#0]\n\t"
+        "ldr	r7, [%[b],#4]\n\t"
+        "add	r4, r6\n\t"
+        "adc	r5, r7\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[a],#8]\n\t"
+        "ldr	r5, [%[a],#12]\n\t"
+        "ldr	r6, [%[b],#8]\n\t"
+        "ldr	r7, [%[b],#12]\n\t"
+        "adc	r4, r6\n\t"
+        "adc	r5, r7\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[b],#16]\n\t"
+        "ldr	r7, [%[b],#20]\n\t"
+        "adc	r4, r6\n\t"
+        "adc	r5, r7\n\t"
+        "mov	r8, r4\n\t"
+        "mov	r9, r5\n\t"
+        "ldr	r4, [%[a],#24]\n\t"
+        "ldr	r5, [%[a],#28]\n\t"
+        "ldr	r6, [%[b],#24]\n\t"
+        "ldr	r7, [%[b],#28]\n\t"
+        "adc	r4, r6\n\t"
+        "adc	r5, r7\n\t"
+        "mov	r10, r4\n\t"
+        "mov	r11, r5\n\t"
+        "adc	r3, r3\n\t"
+        "mov	r6, r3\n\t"
+        "sub	r3, #1\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r7, #0\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "sub	r4, r3\n\t"
+        "sbc	r5, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[r],#8]\n\t"
+        "ldr	r5, [%[r],#12]\n\t"
+        "sbc	r4, r3\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "mov	r4, r8\n\t"
+        "mov	r5, r9\n\t"
+        "sbc	r4, r7\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "mov	r4, r10\n\t"
+        "mov	r5, r11\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_dbl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r7, [%[a],#12]\n\t"
+        "add	r4, r4\n\t"
+        "adc	r5, r5\n\t"
+        "adc	r6, r6\n\t"
+        "adc	r7, r7\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r7, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[a],#24]\n\t"
+        "ldr	r7, [%[a],#28]\n\t"
+        "adc	r4, r4\n\t"
+        "adc	r5, r5\n\t"
+        "adc	r6, r6\n\t"
+        "adc	r7, r7\n\t"
+        "mov	r8, r4\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r10, r6\n\t"
+        "mov	r11, r7\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r7, #0\n\t"
+        "adc	r3, r3\n\t"
+        "mov	r2, r3\n\t"
+        "sub	r3, #1\n\t"
+        "mvn	r3, r3\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "ldr	r6, [%[r],#8]\n\t"
+        "sub	r4, r3\n\t"
+        "sbc	r5, r3\n\t"
+        "sbc	r6, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "ldr	r4, [%[r],#12]\n\t"
+        "mov	r5, r8\n\t"
+        "mov	r6, r9\n\t"
+        "sbc	r4, r7\n\t"
+        "sbc	r5, r7\n\t"
+        "sbc	r6, r7\n\t"
+        "str	r4, [%[r],#12]\n\t"
+        "str	r5, [%[r],#16]\n\t"
+        "str	r6, [%[r],#20]\n\t"
+        "mov	r4, r10\n\t"
+        "mov	r5, r11\n\t"
+        "sbc	r4, r2\n\t"
+        "sbc	r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r3", "r2", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_tpl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr   r6, [%[a],#0]\n\t"
+        "ldr   r7, [%[a],#4]\n\t"
+        "ldr   r4, [%[a],#8]\n\t"
+        "ldr   r5, [%[a],#12]\n\t"
+        "add   r6, r6\n\t"
+        "adc   r7, r7\n\t"
+        "adc   r4, r4\n\t"
+        "adc   r5, r5\n\t"
+        "mov   r8, r4\n\t"
+        "mov   r9, r5\n\t"
+        "ldr   r2, [%[a],#16]\n\t"
+        "ldr   r3, [%[a],#20]\n\t"
+        "ldr   r4, [%[a],#24]\n\t"
+        "ldr   r5, [%[a],#28]\n\t"
+        "adc   r2, r2\n\t"
+        "adc   r3, r3\n\t"
+        "adc   r4, r4\n\t"
+        "adc   r5, r5\n\t"
+        "mov   r10, r2\n\t"
+        "mov   r11, r3\n\t"
+        "mov   r12, r4\n\t"
+        "mov   r14, r5\n\t"
+        "mov   r3, #0\n\t"
+        "mov   r5, #0\n\t"
+        "adc   r3, r3\n\t"
+        "mov   r4, r3\n\t"
+        "sub   r3, #1\n\t"
+        "mvn   r3, r3\n\t"
+        "sub   r6, r3\n\t"
+        "sbc   r7, r3\n\t"
+        "mov   r2, r8\n\t"
+        "sbc   r2, r3\n\t"
+        "mov   r8, r2\n\t"
+        "mov   r2, r9\n\t"
+        "sbc   r2, r5\n\t"
+        "mov   r9, r2\n\t"
+        "mov   r2, r10\n\t"
+        "sbc   r2, r5\n\t"
+        "mov   r10, r2\n\t"
+        "mov   r2, r11\n\t"
+        "sbc   r2, r5\n\t"
+        "mov   r11, r2\n\t"
+        "mov   r2, r12\n\t"
+        "sbc   r2, r4\n\t"
+        "mov   r12, r2\n\t"
+        "mov   r2, r14\n\t"
+        "sbc   r2, r3\n\t"
+        "mov   r14, r2\n\t"
+        "ldr	r2, [%[a],#0]\n\t"
+        "ldr	r3, [%[a],#4]\n\t"
+        "add	r6, r2\n\t"
+        "adc	r7, r3\n\t"
+        "ldr	r2, [%[a],#8]\n\t"
+        "ldr	r3, [%[a],#12]\n\t"
+        "mov	r4, r8\n\t"
+        "mov	r5, r9\n\t"
+        "adc	r2, r4\n\t"
+        "adc	r3, r5\n\t"
+        "mov   r8, r2\n\t"
+        "mov   r9, r3\n\t"
+        "ldr	r2, [%[a],#16]\n\t"
+        "ldr	r3, [%[a],#20]\n\t"
+        "mov	r4, r10\n\t"
+        "mov	r5, r11\n\t"
+        "adc	r2, r4\n\t"
+        "adc	r3, r5\n\t"
+        "mov	r10, r2\n\t"
+        "mov	r11, r3\n\t"
+        "ldr	r2, [%[a],#24]\n\t"
+        "ldr	r3, [%[a],#28]\n\t"
+        "mov	r4, r12\n\t"
+        "mov	r5, r14\n\t"
+        "adc	r2, r4\n\t"
+        "adc	r3, r5\n\t"
+        "mov	r12, r2\n\t"
+        "mov	r14, r3\n\t"
+        "mov   r3, #0\n\t"
+        "mov	r5, #0\n\t"
+        "adc	r3, r3\n\t"
+        "mov	r4, r3\n\t"
+        "sub	r3, #1\n\t"
+        "mvn	r3, r3\n\t"
+        "sub	r6, r3\n\t"
+        "str	r6, [%[r],#0]\n\t"
+        "sbc	r7, r3\n\t"
+        "str	r7, [%[r],#4]\n\t"
+        "mov   r2, r8\n\t"
+        "sbc   r2, r3\n\t"
+        "str	r2, [%[r],#8]\n\t"
+        "mov   r2, r9\n\t"
+        "sbc   r2, r5\n\t"
+        "str	r2, [%[r],#12]\n\t"
+        "mov   r2, r10\n\t"
+        "sbc   r2, r5\n\t"
+        "str	r2, [%[r],#16]\n\t"
+        "mov   r2, r11\n\t"
+        "sbc   r2, r5\n\t"
+        "str	r2, [%[r],#20]\n\t"
+        "mov   r2, r12\n\t"
+        "sbc   r2, r4\n\t"
+        "str	r2, [%[r],#24]\n\t"
+        "mov   r2, r14\n\t"
+        "sbc   r2, r3\n\t"
+        "str	r2, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_sub_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[b],#0]\n\t"
+        "ldr	r7, [%[b],#4]\n\t"
+        "sub	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[a],#8]\n\t"
+        "ldr	r5, [%[a],#12]\n\t"
+        "ldr	r6, [%[b],#8]\n\t"
+        "ldr	r7, [%[b],#12]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[b],#16]\n\t"
+        "ldr	r7, [%[b],#20]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "mov	r8, r4\n\t"
+        "mov	r9, r5\n\t"
+        "ldr	r4, [%[a],#24]\n\t"
+        "ldr	r5, [%[a],#28]\n\t"
+        "ldr	r6, [%[b],#24]\n\t"
+        "ldr	r7, [%[b],#28]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "mov	r10, r4\n\t"
+        "mov	r11, r5\n\t"
+        "sbc   r3, r3\n\t"
+        "lsr   r7, r3, #31\n\t"
+        "mov   r6, #0\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "add	r4, r3\n\t"
+        "adc	r5, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[r],#8]\n\t"
+        "ldr	r5, [%[r],#12]\n\t"
+        "adc	r4, r3\n\t"
+        "adc	r5, r6\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "mov	r4, r8\n\t"
+        "mov	r5, r9\n\t"
+        "adc	r4, r6\n\t"
+        "adc	r5, r6\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "mov	r4, r10\n\t"
+        "mov	r5, r11\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_div2_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldr	r7, [%[a], #0]\n\t"
+        "lsl	r7, r7, #31\n\t"
+        "lsr	r7, r7, #31\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, r7\n\t"
+        "mov	r7, #0\n\t"
+        "lsl	r6, r5, #31\n\t"
+        "lsr	r6, r6, #31\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "add	r3, r5\n\t"
+        "adc	r4, r5\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "adc	r3, r5\n\t"
+        "adc	r4, r7\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "adc	r3, r7\n\t"
+        "adc	r4, r7\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "adc	r3, r6\n\t"
+        "adc	r4, r5\n\t"
+        "adc	r7, r7\n\t"
+        "lsl	r7, r7, #31\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r4\n\t"
+        "orr	r6, r7\n\t"
+        "mov	r7, r3\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r4\n\t"
+        "orr	r6, r7\n\t"
+        "mov	r7, r3\n\t"
+        "str	r5, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r4\n\t"
+        "orr	r6, r7\n\t"
+        "mov	r7, r3\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[r], #0]\n\t"
+        "ldr	r4, [%[r], #4]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r4\n\t"
+        "orr	r6, r7\n\t"
+        "str	r5, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_8(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_8(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_8(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_8(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_8(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_8(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_8(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_8(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_8(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_8(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_8(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_8(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_8(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_8(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_8(y, y, t2, p256_mod);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "add	r6, #32\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "sbc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "sub	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r5, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r5, [%[r], #28]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_8(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_8(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_8(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_8(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_8(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_8(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_8(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_8(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, x, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, y, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_mul_8(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, y, t5, p256_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[16];
+    sp_point_256 rtd;
+    sp_digit tmpd[2 * 8 * 5];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_8(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_8(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_8(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_8(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 6;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_256));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+
+            sp_256_proj_point_add_8(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 8 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_256_point_free_8(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[8];
+    sp_digit y[8];
+} sp_table_entry_256;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_8(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*8;
+    sp_digit* b = t + 4*8;
+    sp_digit* t1 = t + 6*8;
+    sp_digit* t2 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_8(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_8(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_8(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(t2, b, p256_mod);
+        sp_256_mont_sub_8(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_8(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_8(y, b, x, p256_mod);
+        sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(y, y, p256_mod);
+        sp_256_mont_sub_8(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_8(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_8(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(t2, b, p256_mod);
+    sp_256_mont_sub_8(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_8(y, b, x, p256_mod);
+    sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    sp_256_mont_sub_8(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_8(y, y, p256_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_8(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_8(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_8(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_8(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, t3, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_8(t3, t3, x, p256_mod);
+        sp_256_mont_mul_8(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_8(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 8;
+    sp_digit* tmp = t + 4 * 8;
+
+    sp_256_mont_inv_8(t1, a->z, tmp);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_8(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_256_proj_point_dbl_n_8(t, 64, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=63; j<4; j++,x+=64) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=62; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=64) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_8(t, 32, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+        sp_256_point_from_ecc_point_8(point, gm);
+
+            err = sp_256_ecc_mulmod_8(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_256 p256_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 3 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 4 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 5 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 6 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 7 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 8 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 9 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 10 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 11 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 12 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 13 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 14 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 15 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x4147519a,0x20288602,0x26b372f0,0xd0981eac,0xa785ebc8,0xa9d4a7ca,
+        0xdbdf58e9,0xd953c50d },
+      { 0xfd590f8f,0x9d6361cc,0x44e6c917,0x72e9626b,0x22eb64cf,0x7fd96110,
+        0x9eb288f3,0x863ebb7e } },
+    /* 3 */
+    { { 0x5cdb6485,0x7856b623,0x2f0a2f97,0x808f0ea2,0x4f7e300b,0x3e68d954,
+        0xb5ff80a0,0x00076055 },
+      { 0x838d2010,0x7634eb9b,0x3243708a,0x54014fbb,0x842a6606,0xe0e47d39,
+        0x34373ee0,0x83087761 } },
+    /* 4 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 5 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 6 */
+    { { 0x720f141c,0xbbf9b48f,0x2df5bc74,0x6199b3cd,0x411045c4,0xdc3f6129,
+        0x2f7dc4ef,0xcdd6bbcb },
+      { 0xeaf436fd,0xcca6700b,0xb99326be,0x6f647f6d,0x014f2522,0x0c0fa792,
+        0x4bdae5f6,0xa361bebd } },
+    /* 7 */
+    { { 0x597c13c7,0x28aa2558,0x50b7c3e1,0xc38d635f,0xf3c09d1d,0x07039aec,
+        0xc4b5292c,0xba12ca09 },
+      { 0x59f91dfd,0x9e408fa4,0xceea07fb,0x3af43b66,0x9d780b29,0x1eceb089,
+        0x701fef4b,0x53ebb99d } },
+    /* 8 */
+    { { 0xb0e63d34,0x4fe7ee31,0xa9e54fab,0xf4600572,0xd5e7b5a4,0xc0493334,
+        0x06d54831,0x8589fb92 },
+      { 0x6583553a,0xaa70f5cc,0xe25649e5,0x0879094a,0x10044652,0xcc904507,
+        0x02541c4f,0xebb0696d } },
+    /* 9 */
+    { { 0xac1647c5,0x4616ca15,0xc4cf5799,0xb8127d47,0x764dfbac,0xdc666aa3,
+        0xd1b27da3,0xeb2820cb },
+      { 0x6a87e008,0x9406f8d8,0x922378f3,0xd87dfa9d,0x80ccecb2,0x56ed2e42,
+        0x55a7da1d,0x1f28289b } },
+    /* 10 */
+    { { 0x3b89da99,0xabbaa0c0,0xb8284022,0xa6f2d79e,0xb81c05e8,0x27847862,
+        0x05e54d63,0x337a4b59 },
+      { 0x21f7794a,0x3c67500d,0x7d6d7f61,0x207005b7,0x04cfd6e8,0x0a5a3781,
+        0xf4c2fbd6,0x0d65e0d5 } },
+    /* 11 */
+    { { 0xb5275d38,0xd9d09bbe,0x0be0a358,0x4268a745,0x973eb265,0xf0762ff4,
+        0x52f4a232,0xc23da242 },
+      { 0x0b94520c,0x5da1b84f,0xb05bd78e,0x09666763,0x94d29ea1,0x3a4dcb86,
+        0xc790cff1,0x19de3b8c } },
+    /* 12 */
+    { { 0x26c5fe04,0x183a716c,0x3bba1bdb,0x3b28de0b,0xa4cb712c,0x7432c586,
+        0x91fccbfd,0xe34dcbd4 },
+      { 0xaaa58403,0xb408d46b,0x82e97a53,0x9a697486,0x36aaa8af,0x9e390127,
+        0x7b4e0f7f,0xe7641f44 } },
+    /* 13 */
+    { { 0xdf64ba59,0x7d753941,0x0b0242fc,0xd33f10ec,0xa1581859,0x4f06dfc6,
+        0x052a57bf,0x4a12df57 },
+      { 0x9439dbd0,0xbfa6338f,0xbde53e1f,0xd3c24bd4,0x21f1b314,0xfd5e4ffa,
+        0xbb5bea46,0x6af5aa93 } },
+    /* 14 */
+    { { 0x10c91999,0xda10b699,0x2a580491,0x0a24b440,0xb8cc2090,0x3e0094b4,
+        0x66a44013,0x5fe3475a },
+      { 0xf93e7b4b,0xb0f8cabd,0x7c23f91a,0x292b501a,0xcd1e6263,0x42e889ae,
+        0xecfea916,0xb544e308 } },
+    /* 15 */
+    { { 0x16ddfdce,0x6478c6e9,0xf89179e6,0x2c329166,0x4d4e67e1,0x4e8d6e76,
+        0xa6b0c20b,0xe0b6b2bd },
+      { 0xbb7efb57,0x0d312df2,0x790c4007,0x1aac0dde,0x679bc944,0xf90336ad,
+        0x25a63774,0x71c023de } },
+    /* 16 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 17 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 18 */
+    { { 0x309a4e1f,0x1e99f581,0xe9270074,0xab7de71b,0xefd28d20,0x26a5ef0b,
+        0x7f9c563f,0xe7c0073f },
+      { 0x0ef59f76,0x1f6d663a,0x20fcb050,0x669b3b54,0x7a6602d4,0xc08c1f7a,
+        0xc65b3c0a,0xe08504fe } },
+    /* 19 */
+    { { 0xa031b3ca,0xf098f68d,0xe6da6d66,0x6d1cab9e,0x94f246e8,0x5bfd81fa,
+        0x5b0996b4,0x78f01882 },
+      { 0x3a25787f,0xb7eefde4,0x1dccac9b,0x8016f80d,0xb35bfc36,0x0cea4877,
+        0x7e94747a,0x43a773b8 } },
+    /* 20 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 21 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 22 */
+    { { 0xeacf1f96,0x6db0394a,0x024c271c,0x9f2122a9,0x82cbd3b9,0x2626ac1b,
+        0x3581ef69,0x45e58c87 },
+      { 0xa38f9dbc,0xd3ff479d,0xe888a040,0xa8aaf146,0x46e0bed7,0x945adfb2,
+        0xc1e4b7a4,0xc040e21c } },
+    /* 23 */
+    { { 0x6f8117b6,0x847af000,0x73a35433,0x651969ff,0x1d9475eb,0x482b3576,
+        0x682c6ec7,0x1cdf5c97 },
+      { 0x11f04839,0x7db775b4,0x48de1698,0x7dbeacf4,0xb70b3219,0xb2921dd1,
+        0xa92dff3d,0x046755f8 } },
+    /* 24 */
+    { { 0xbce8ffcd,0xcc8ac5d2,0x2fe61a82,0x0d53c48b,0x7202d6c7,0xf6f16172,
+        0x3b83a5f3,0x046e5e11 },
+      { 0xd8007f01,0xe7b8ff64,0x5af43183,0x7fb1ef12,0x35e1a03c,0x045c5ea6,
+        0x303d005b,0x6e0106c3 } },
+    /* 25 */
+    { { 0x88dd73b1,0x48c73584,0x995ed0d9,0x7670708f,0xc56a2ab7,0x38385ea8,
+        0xe901cf1f,0x442594ed },
+      { 0x12d4b65b,0xf8faa2c9,0x96c90c37,0x94c2343b,0x5e978d1f,0xd326e4a1,
+        0x4c2ee68e,0xa796fa51 } },
+    /* 26 */
+    { { 0x823addd7,0x359fb604,0xe56693b3,0x9e2a6183,0x3cbf3c80,0xf885b78e,
+        0xc69766e9,0xe4ad2da9 },
+      { 0x8e048a61,0x357f7f42,0xc092d9a0,0x082d198c,0xc03ed8ef,0xfc3a1af4,
+        0xc37b5143,0xc5e94046 } },
+    /* 27 */
+    { { 0x2be75f9e,0x476a538c,0xcb123a78,0x6fd1a9e8,0xb109c04b,0xd85e4df0,
+        0xdb464747,0x63283daf },
+      { 0xbaf2df15,0xce728cf7,0x0ad9a7f4,0xe592c455,0xe834bcc3,0xfab226ad,
+        0x1981a938,0x68bd19ab } },
+    /* 28 */
+    { { 0x1887d659,0xc08ead51,0xb359305a,0x3374d5f4,0xcfe74fe3,0x96986981,
+        0x3c6fdfd6,0x495292f5 },
+      { 0x1acec896,0x4a878c9e,0xec5b4484,0xd964b210,0x664d60a7,0x6696f7e2,
+        0x26036837,0x0ec7530d } },
+    /* 29 */
+    { { 0xad2687bb,0x2da13a05,0xf32e21fa,0xa1f83b6a,0x1dd4607b,0x390f5ef5,
+        0x64863f0b,0x0f6207a6 },
+      { 0x0f138233,0xbd67e3bb,0x272aa718,0xdd66b96c,0x26ec88ae,0x8ed00407,
+        0x08ed6dcf,0xff0db072 } },
+    /* 30 */
+    { { 0x4c95d553,0x749fa101,0x5d680a8a,0xa44052fd,0xff3b566f,0x183b4317,
+        0x88740ea3,0x313b513c },
+      { 0x08d11549,0xb402e2ac,0xb4dee21c,0x071ee10b,0x47f2320e,0x26b987dd,
+        0x86f19f81,0x2d3abcf9 } },
+    /* 31 */
+    { { 0x815581a2,0x4c288501,0x632211af,0x9a0a6d56,0x0cab2e99,0x19ba7a0f,
+        0xded98cdf,0xc036fa10 },
+      { 0xc1fbd009,0x29ae08ba,0x06d15816,0x0b68b190,0x9b9e0d8f,0xc2eb3277,
+        0xb6d40194,0xa6b2a2c4 } },
+    /* 32 */
+    { { 0x6d3549cf,0xd433e50f,0xfacd665e,0x6f33696f,0xce11fcb4,0x695bfdac,
+        0xaf7c9860,0x810ee252 },
+      { 0x7159bb2c,0x65450fe1,0x758b357b,0xf7dfbebe,0xd69fea72,0x2b057e74,
+        0x92731745,0xd485717a } },
+    /* 33 */
+    { { 0xf0cb5a98,0x11741a8a,0x1f3110bf,0xd3da8f93,0xab382adf,0x1994e2cb,
+        0x2f9a604e,0x6a6045a7 },
+      { 0xa2b2411d,0x170c0d3f,0x510e96e0,0xbe0eb83e,0x8865b3cc,0x3bcc9f73,
+        0xf9e15790,0xd3e45cfa } },
+    /* 34 */
+    { { 0xe83f7669,0xce1f69bb,0x72877d6b,0x09f8ae82,0x3244278d,0x9548ae54,
+        0xe3c2c19c,0x207755de },
+      { 0x6fef1945,0x87bd61d9,0xb12d28c3,0x18813cef,0x72df64aa,0x9fbcd1d6,
+        0x7154b00d,0x48dc5ee5 } },
+    /* 35 */
+    { { 0xf7e5a199,0x123790bf,0x989ccbb7,0xe0efb8cf,0x0a519c79,0xc27a2bfe,
+        0xdff6f445,0xf2fb0aed },
+      { 0xf0b5025f,0x41c09575,0x40fa9f22,0x550543d7,0x380bfbd0,0x8fa3c8ad,
+        0xdb28d525,0xa13e9015 } },
+    /* 36 */
+    { { 0xa2b65cbc,0xf9f7a350,0x2a464226,0x0b04b972,0xe23f07a1,0x265ce241,
+        0x1497526f,0x2bf0d6b0 },
+      { 0x4b216fb7,0xd3d4dd3f,0xfbdda26a,0xf7d7b867,0x6708505c,0xaeb7b83f,
+        0x162fe89f,0x42a94a5a } },
+    /* 37 */
+    { { 0xeaadf191,0x5846ad0b,0x25a268d7,0x0f8a4890,0x494dc1f6,0xe8603050,
+        0xc65ede3d,0x2c2dd969 },
+      { 0x93849c17,0x6d02171d,0x1da250dd,0x460488ba,0x3c3a5485,0x4810c706,
+        0x42c56dbc,0xf437fa1f } },
+    /* 38 */
+    { { 0x4a0f7dab,0x6aa0d714,0x1776e9ac,0x0f049793,0xf5f39786,0x52c0a050,
+        0x54707aa8,0xaaf45b33 },
+      { 0xc18d364a,0x85e37c33,0x3e497165,0xd40b9b06,0x15ec5444,0xf4171681,
+        0xf4f272bc,0xcdf6310d } },
+    /* 39 */
+    { { 0x8ea8b7ef,0x7473c623,0x85bc2287,0x08e93518,0x2bda8e34,0x41956772,
+        0xda9e2ff2,0xf0d008ba },
+      { 0x2414d3b1,0x2912671d,0xb019ea76,0xb3754985,0x453bcbdb,0x5c61b96d,
+        0xca887b8b,0x5bd5c2f5 } },
+    /* 40 */
+    { { 0xf49a3154,0xef0f469e,0x6e2b2e9a,0x3e85a595,0xaa924a9c,0x45aaec1e,
+        0xa09e4719,0xaa12dfc8 },
+      { 0x4df69f1d,0x26f27227,0xa2ff5e73,0xe0e4c82c,0xb7a9dd44,0xb9d8ce73,
+        0xe48ca901,0x6c036e73 } },
+    /* 41 */
+    { { 0x0f6e3138,0x5cfae12a,0x25ad345a,0x6966ef00,0x45672bc5,0x8993c64b,
+        0x96afbe24,0x292ff658 },
+      { 0x5e213402,0xd5250d44,0x4392c9fe,0xf6580e27,0xda1c72e8,0x097b397f,
+        0x311b7276,0x644e0c90 } },
+    /* 42 */
+    { { 0xa47153f0,0xe1e421e1,0x920418c9,0xb86c3b79,0x705d7672,0x93bdce87,
+        0xcab79a77,0xf25ae793 },
+      { 0x6d869d0c,0x1f3194a3,0x4986c264,0x9d55c882,0x096e945e,0x49fb5ea3,
+        0x13db0a3e,0x39b8e653 } },
+    /* 43 */
+    { { 0xb6fd2e59,0x37754200,0x9255c98f,0x35e2c066,0x0e2a5739,0xd9dab21a,
+        0x0f19db06,0x39122f2f },
+      { 0x03cad53c,0xcfbce1e0,0xe65c17e3,0x225b2c0f,0x9aa13877,0x72baf1d2,
+        0xce80ff8d,0x8de80af8 } },
+    /* 44 */
+    { { 0x207bbb76,0xafbea8d9,0x21782758,0x921c7e7c,0x1c0436b1,0xdfa2b74b,
+        0x2e368c04,0x87194906 },
+      { 0xa3993df5,0xb5f928bb,0xf3b3d26a,0x639d75b5,0x85b55050,0x011aa78a,
+        0x5b74fde1,0xfc315e6a } },
+    /* 45 */
+    { { 0xe8d6ecfa,0x561fd41a,0x1aec7f86,0x5f8c44f6,0x4924741d,0x98452a7b,
+        0xee389088,0xe6d4a7ad },
+      { 0x4593c75d,0x60552ed1,0xdd271162,0x70a70da4,0x7ba2c7db,0xd2aede93,
+        0x9be2ae57,0x35dfaf9a } },
+    /* 46 */
+    { { 0xaa736636,0x6b956fcd,0xae2cab7e,0x09f51d97,0x0f349966,0xfb10bf41,
+        0x1c830d2b,0x1da5c7d7 },
+      { 0x3cce6825,0x5c41e483,0xf9573c3b,0x15ad118f,0xf23036b8,0xa28552c7,
+        0xdbf4b9d6,0x7077c0fd } },
+    /* 47 */
+    { { 0x46b9661c,0xbf63ff8d,0x0d2cfd71,0xa1dfd36b,0xa847f8f7,0x0373e140,
+        0xe50efe44,0x53a8632e },
+      { 0x696d8051,0x0976ff68,0xc74f468a,0xdaec0c95,0x5e4e26bd,0x62994dc3,
+        0x34e1fcc1,0x028ca76d } },
+    /* 48 */
+    { { 0xfc9877ee,0xd11d47dc,0x801d0002,0xc8b36210,0x54c260b6,0xd002c117,
+        0x6962f046,0x04c17cd8 },
+      { 0xb0daddf5,0x6d9bd094,0x24ce55c0,0xbea23575,0x72da03b5,0x663356e6,
+        0xfed97474,0xf7ba4de9 } },
+    /* 49 */
+    { { 0xebe1263f,0xd0dbfa34,0x71ae7ce6,0x55763735,0x82a6f523,0xd2440553,
+        0x52131c41,0xe31f9600 },
+      { 0xea6b6ec6,0xd1bb9216,0x73c2fc44,0x37a1d12e,0x89d0a294,0xc10e7eac,
+        0xce34d47b,0xaa3a6259 } },
+    /* 50 */
+    { { 0x36f3dcd3,0xfbcf9df5,0xd2bf7360,0x6ceded50,0xdf504f5b,0x491710fa,
+        0x7e79daee,0x2398dd62 },
+      { 0x6d09569e,0xcf4705a3,0x5149f769,0xea0619bb,0x35f6034c,0xff9c0377,
+        0x1c046210,0x5717f5b2 } },
+    /* 51 */
+    { { 0x21dd895e,0x9fe229c9,0x40c28451,0x8e518500,0x1d637ecd,0xfa13d239,
+        0x0e3c28de,0x660a2c56 },
+      { 0xd67fcbd0,0x9cca88ae,0x0ea9f096,0xc8472478,0x72e92b4d,0x32b2f481,
+        0x4f522453,0x624ee54c } },
+    /* 52 */
+    { { 0xd897eccc,0x09549ce4,0x3f9880aa,0x4d49d1d9,0x043a7c20,0x723c2423,
+        0x92bdfbc0,0x4f392afb },
+      { 0x7de44fd9,0x6969f8fa,0x57b32156,0xb66cfbe4,0x368ebc3c,0xdb2fa803,
+        0xccdb399c,0x8a3e7977 } },
+    /* 53 */
+    { { 0x06c4b125,0xdde1881f,0xf6e3ca8c,0xae34e300,0x5c7a13e9,0xef6999de,
+        0x70c24404,0x3888d023 },
+      { 0x44f91081,0x76280356,0x5f015504,0x3d9fcf61,0x632cd36e,0x1827edc8,
+        0x18102336,0xa5e62e47 } },
+    /* 54 */
+    { { 0x2facd6c8,0x1a825ee3,0x54bcbc66,0x699c6354,0x98df9931,0x0ce3edf7,
+        0x466a5adc,0x2c4768e6 },
+      { 0x90a64bc9,0xb346ff8c,0xe4779f5c,0x630a6020,0xbc05e884,0xd949d064,
+        0xf9e652a0,0x7b5e6441 } },
+    /* 55 */
+    { { 0x1d28444a,0x2169422c,0xbe136a39,0xe996c5d8,0xfb0c7fce,0x2387afe5,
+        0x0c8d744a,0xb8af73cb },
+      { 0x338b86fd,0x5fde83aa,0xa58a5cff,0xfee3f158,0x20ac9433,0xc9ee8f6f,
+        0x7f3f0895,0xa036395f } },
+    /* 56 */
+    { { 0xa10f7770,0x8c73c6bb,0xa12a0e24,0xa6f16d81,0x51bc2b9f,0x100df682,
+        0x875fb533,0x4be36b01 },
+      { 0x9fb56dbb,0x9226086e,0x07e7a4f8,0x306fef8b,0x66d52f20,0xeeaccc05,
+        0x1bdc00c0,0x8cbc9a87 } },
+    /* 57 */
+    { { 0xc0dac4ab,0xe131895c,0x712ff112,0xa874a440,0x6a1cee57,0x6332ae7c,
+        0x0c0835f8,0x44e7553e },
+      { 0x7734002d,0x6d503fff,0x0b34425c,0x9d35cb8b,0x0e8738b5,0x95f70276,
+        0x5eb8fc18,0x470a683a } },
+    /* 58 */
+    { { 0x90513482,0x81b761dc,0x01e9276a,0x0287202a,0x0ce73083,0xcda441ee,
+        0xc63dc6ef,0x16410690 },
+      { 0x6d06a2ed,0xf5034a06,0x189b100b,0xdd4d7745,0xab8218c9,0xd914ae72,
+        0x7abcbb4f,0xd73479fd } },
+    /* 59 */
+    { { 0x5ad4c6e5,0x7edefb16,0x5b06d04d,0x262cf08f,0x8575cb14,0x12ed5bb1,
+        0x0771666b,0x816469e3 },
+      { 0x561e291e,0xd7ab9d79,0xc1de1661,0xeb9daf22,0x135e0513,0xf49827eb,
+        0xf0dd3f9c,0x0a36dd23 } },
+    /* 60 */
+    { { 0x41d5533c,0x098d32c7,0x8684628f,0x7c5f5a9e,0xe349bd11,0x39a228ad,
+        0xfdbab118,0xe331dfd6 },
+      { 0x6bcc6ed8,0x5100ab68,0xef7a260e,0x7160c3bd,0xbce850d7,0x9063d9a7,
+        0x492e3389,0xd3b4782a } },
+    /* 61 */
+    { { 0xf3821f90,0xa149b6e8,0x66eb7aad,0x92edd9ed,0x1a013116,0x0bb66953,
+        0x4c86a5bd,0x7281275a },
+      { 0xd3ff47e5,0x503858f7,0x61016441,0x5e1616bc,0x7dfd9bb1,0x62b0f11a,
+        0xce145059,0x2c062e7e } },
+    /* 62 */
+    { { 0x0159ac2e,0xa76f996f,0xcbdb2713,0x281e7736,0x08e46047,0x2ad6d288,
+        0x2c4e7ef1,0x282a35f9 },
+      { 0xc0ce5cd2,0x9c354b1e,0x1379c229,0xcf99efc9,0x3e82c11e,0x992caf38,
+        0x554d2abd,0xc71cd513 } },
+    /* 63 */
+    { { 0x09b578f4,0x4885de9c,0xe3affa7a,0x1884e258,0x59182f1f,0x8f76b1b7,
+        0xcf47f3a3,0xc50f6740 },
+      { 0x374b68ea,0xa9c4adf3,0x69965fe2,0xa406f323,0x85a53050,0x2f86a222,
+        0x212958dc,0xb9ecb3a7 } },
+    /* 64 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 65 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 66 */
+    { { 0xf41500d9,0x857ab6ed,0xfcbeada8,0x0d890ae5,0x89725951,0x52fe8648,
+        0xc0a3fadd,0xb0288dd6 },
+      { 0x650bcb08,0x85320f30,0x695d6e16,0x71af6313,0xb989aa76,0x31f520a7,
+        0xf408c8d2,0xffd3724f } },
+    /* 67 */
+    { { 0xb458e6cb,0x53968e64,0x317a5d28,0x992dad20,0x7aa75f56,0x3814ae0b,
+        0xd78c26df,0xf5590f4a },
+      { 0xcf0ba55a,0x0fc24bd3,0x0c778bae,0x0fc4724a,0x683b674a,0x1ce9864f,
+        0xf6f74a20,0x18d6da54 } },
+    /* 68 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 69 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 70 */
+    { { 0x1e9af288,0x55f655bb,0xf7ada931,0x647e1a64,0xcb2820e5,0x43697e4b,
+        0x07ed56ff,0x51e00db1 },
+      { 0x771c327e,0x43d169b8,0x4a96c2ad,0x29cdb20b,0x3deb4779,0xc07d51f5,
+        0x49829177,0xe22f4241 } },
+    /* 71 */
+    { { 0x635f1abb,0xcd45e8f4,0x68538874,0x7edc0cb5,0xb5a8034d,0xc9472c1f,
+        0x52dc48c9,0xf709373d },
+      { 0xa8af30d6,0x401966bb,0xf137b69c,0x95bf5f4a,0x9361c47e,0x3966162a,
+        0xe7275b11,0xbd52d288 } },
+    /* 72 */
+    { { 0x9c5fa877,0xab155c7a,0x7d3a3d48,0x17dad672,0x73d189d8,0x43f43f9e,
+        0xc8aa77a6,0xa0d0f8e4 },
+      { 0xcc94f92d,0x0bbeafd8,0x0c4ddb3a,0xd818c8be,0xb82eba14,0x22cc65f8,
+        0x946d6a00,0xa56c78c7 } },
+    /* 73 */
+    { { 0x0dd09529,0x2962391b,0x3daddfcf,0x803e0ea6,0x5b5bf481,0x2c77351f,
+        0x731a367a,0xd8befdf8 },
+      { 0xfc0157f4,0xab919d42,0xfec8e650,0xf51caed7,0x02d48b0a,0xcdf9cb40,
+        0xce9f6478,0x854a68a5 } },
+    /* 74 */
+    { { 0x63506ea5,0xdc35f67b,0xa4fe0d66,0x9286c489,0xfe95cd4d,0x3f101d3b,
+        0x98846a95,0x5cacea0b },
+      { 0x9ceac44d,0xa90df60c,0x354d1c3a,0x3db29af4,0xad5dbabe,0x08dd3de8,
+        0x35e4efa9,0xe4982d12 } },
+    /* 75 */
+    { { 0xc34cd55e,0x23104a22,0x2680d132,0x58695bb3,0x1fa1d943,0xfb345afa,
+        0x16b20499,0x8046b7f6 },
+      { 0x38e7d098,0xb533581e,0xf46f0b70,0xd7f61e8d,0x44cb78c4,0x30dea9ea,
+        0x9082af55,0xeb17ca7b } },
+    /* 76 */
+    { { 0x76a145b9,0x1751b598,0xc1bc71ec,0xa5cf6b0f,0x392715bb,0xd3e03565,
+        0xfab5e131,0x097b00ba },
+      { 0x565f69e1,0xaa66c8e9,0xb5be5199,0x77e8f75a,0xda4fd984,0x6033ba11,
+        0xafdbcc9e,0xf95c747b } },
+    /* 77 */
+    { { 0xbebae45e,0x558f01d3,0xc4bc6955,0xa8ebe9f0,0xdbc64fc6,0xaeb705b1,
+        0x566ed837,0x3512601e },
+      { 0xfa1161cd,0x9336f1e1,0x4c65ef87,0x328ab8d5,0x724f21e5,0x4757eee2,
+        0x6068ab6b,0x0ef97123 } },
+    /* 78 */
+    { { 0x54ca4226,0x02598cf7,0xf8642c8e,0x5eede138,0x468e1790,0x48963f74,
+        0x3b4fbc95,0xfc16d933 },
+      { 0xe7c800ca,0xbe96fb31,0x2678adaa,0x13806331,0x6ff3e8b5,0x3d624497,
+        0xb95d7a17,0x14ca4af1 } },
+    /* 79 */
+    { { 0xbd2f81d5,0x7a4771ba,0x01f7d196,0x1a5f9d69,0xcad9c907,0xd898bef7,
+        0xf59c231d,0x4057b063 },
+      { 0x89c05c0a,0xbffd82fe,0x1dc0df85,0xe4911c6f,0xa35a16db,0x3befccae,
+        0xf1330b13,0x1c3b5d64 } },
+    /* 80 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 81 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 82 */
+    { { 0x84e35743,0x32aa3202,0x85a3cdef,0x320d6ab1,0x1df19819,0xb821b176,
+        0xc433851f,0x5721361f },
+      { 0x71fc9168,0x1f0db36a,0x5e5c403c,0x5f98ba73,0x37bcd8f5,0xf64ca87e,
+        0xe6bb11bd,0xdcbac3c9 } },
+    /* 83 */
+    { { 0x4518cbe2,0xf01d9968,0x9c9eb04e,0xd242fc18,0xe47feebf,0x727663c7,
+        0x2d626862,0xb8c1c89e },
+      { 0xc8e1d569,0x51a58bdd,0xb7d88cd0,0x563809c8,0xf11f31eb,0x26c27fd9,
+        0x2f9422d4,0x5d23bbda } },
+    /* 84 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 85 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+    /* 86 */
+    { { 0x562976cc,0xbda5f14e,0x0ef12c38,0x22bca3e6,0x6cca9852,0xbbfa3064,
+        0x08e2987a,0xbdb79dc8 },
+      { 0xcb06a772,0xfd2cb5c9,0xfe536dce,0x38f475aa,0x7c2b5db8,0xc2a3e022,
+        0xadd3c14a,0x8ee86001 } },
+    /* 87 */
+    { { 0xa4ade873,0xcbe96981,0xc4fba48c,0x7ee9aa4d,0x5a054ba5,0x2cee2899,
+        0x6f77aa4b,0x92e51d7a },
+      { 0x7190a34d,0x948bafa8,0xf6bd1ed1,0xd698f75b,0x0caf1144,0xd00ee6e3,
+        0x0a56aaaa,0x5182f86f } },
+    /* 88 */
+    { { 0x7a4cc99c,0xfba6212c,0x3e6d9ca1,0xff609b68,0x5ac98c5a,0x5dbb27cb,
+        0x4073a6f2,0x91dcab5d },
+      { 0x5f575a70,0x01b6cc3d,0x6f8d87fa,0x0cb36139,0x89981736,0x165d4e8c,
+        0x97974f2b,0x17a0cedb } },
+    /* 89 */
+    { { 0x076c8d3a,0x38861e2a,0x210f924b,0x701aad39,0x13a835d9,0x94d0eae4,
+        0x7f4cdf41,0x2e8ce36c },
+      { 0x037a862b,0x91273dab,0x60e4c8fa,0x01ba9bb7,0x33baf2dd,0xf9645388,
+        0x34f668f3,0xf4ccc6cb } },
+    /* 90 */
+    { { 0xf1f79687,0x44ef525c,0x92efa815,0x7c595495,0xa5c78d29,0xe1231741,
+        0x9a0df3c9,0xac0db488 },
+      { 0xdf01747f,0x86bfc711,0xef17df13,0x592b9358,0x5ccb6bb5,0xe5880e4f,
+        0x94c974a2,0x95a64a61 } },
+    /* 91 */
+    { { 0xc15a4c93,0x72c1efda,0x82585141,0x40269b73,0x16cb0bad,0x6a8dfb1c,
+        0x29210677,0x231e54ba },
+      { 0x8ae6d2dc,0xa70df917,0x39112918,0x4d6aa63f,0x5e5b7223,0xf627726b,
+        0xd8a731e1,0xab0be032 } },
+    /* 92 */
+    { { 0x8d131f2d,0x097ad0e9,0x3b04f101,0x637f09e3,0xd5e9a748,0x1ac86196,
+        0x2cf6a679,0xf1bcc880 },
+      { 0xe8daacb4,0x25c69140,0x60f65009,0x3c4e4055,0x477937a6,0x591cc8fc,
+        0x5aebb271,0x85169469 } },
+    /* 93 */
+    { { 0xf1dcf593,0xde35c143,0xb018be3b,0x78202b29,0x9bdd9d3d,0xe9cdadc2,
+        0xdaad55d8,0x8f67d9d2 },
+      { 0x7481ea5f,0x84111656,0xe34c590c,0xe7d2dde9,0x05053fa8,0xffdd43f4,
+        0xc0728b5d,0xf84572b9 } },
+    /* 94 */
+    { { 0x97af71c9,0x5e1a7a71,0x7a736565,0xa1449444,0x0e1d5063,0xa1b4ae07,
+        0x616b2c19,0xedee2710 },
+      { 0x11734121,0xb2f034f5,0x4a25e9f0,0x1cac6e55,0xa40c2ecf,0x8dc148f3,
+        0x44ebd7f4,0x9fd27e9b } },
+    /* 95 */
+    { { 0xf6e2cb16,0x3cc7658a,0xfe5919b6,0xe3eb7d2c,0x168d5583,0x5a8c5816,
+        0x958ff387,0xa40c2fb6 },
+      { 0xfedcc158,0x8c9ec560,0x55f23056,0x7ad804c6,0x9a307e12,0xd9396704,
+        0x7dc6decf,0x99bc9bb8 } },
+    /* 96 */
+    { { 0x927dafc6,0x84a9521d,0x5c09cd19,0x52c1fb69,0xf9366dde,0x9d9581a0,
+        0xa16d7e64,0x9abe210b },
+      { 0x48915220,0x480af84a,0x4dd816c6,0xfa73176a,0x1681ca5a,0xc7d53987,
+        0x87f344b0,0x7881c257 } },
+    /* 97 */
+    { { 0xe0bcf3ff,0x93399b51,0x127f74f6,0x0d02cbc5,0xdd01d968,0x8fb465a2,
+        0xa30e8940,0x15e6e319 },
+      { 0x3e0e05f4,0x646d6e0d,0x43588404,0xfad7bddc,0xc4f850d3,0xbe61c7d1,
+        0x191172ce,0x0e55facf } },
+    /* 98 */
+    { { 0xf8787564,0x7e9d9806,0x31e85ce6,0x1a331721,0xb819e8d6,0x6b0158ca,
+        0x6fe96577,0xd73d0976 },
+      { 0x1eb7206e,0x42483425,0xc618bb42,0xa519290f,0x5e30a520,0x5dcbb859,
+        0x8f15a50b,0x9250a374 } },
+    /* 99 */
+    { { 0xbe577410,0xcaff08f8,0x5077a8c6,0xfd408a03,0xec0a63a4,0xf1f63289,
+        0xc1cc8c0b,0x77414082 },
+      { 0xeb0991cd,0x05a40fa6,0x49fdc296,0xc1ca0866,0xb324fd40,0x3a68a3c7,
+        0x12eb20b9,0x8cb04f4d } },
+    /* 100 */
+    { { 0x6906171c,0xb1c2d055,0xb0240c3f,0x9073e9cd,0xd8906841,0xdb8e6b4f,
+        0x47123b51,0xe4e429ef },
+      { 0x38ec36f4,0x0b8dd53c,0xff4b6a27,0xf9d2dc01,0x879a9a48,0x5d066e07,
+        0x3c6e6552,0x37bca2ff } },
+    /* 101 */
+    { { 0xdf562470,0x4cd2e3c7,0xc0964ac9,0x44f272a2,0x80c793be,0x7c6d5df9,
+        0x3002b22a,0x59913edc },
+      { 0x5750592a,0x7a139a83,0xe783de02,0x99e01d80,0xea05d64f,0xcf8c0375,
+        0xb013e226,0x43786e4a } },
+    /* 102 */
+    { { 0x9e56b5a6,0xff32b0ed,0xd9fc68f9,0x0750d9a6,0x597846a7,0xec15e845,
+        0xb7e79e7a,0x8638ca98 },
+      { 0x0afc24b2,0x2f5ae096,0x4dace8f2,0x05398eaf,0xaecba78f,0x3b765dd0,
+        0x7b3aa6f0,0x1ecdd36a } },
+    /* 103 */
+    { { 0x6c5ff2f3,0x5d3acd62,0x2873a978,0xa2d516c0,0xd2110d54,0xad94c9fa,
+        0xd459f32d,0xd85d0f85 },
+      { 0x10b11da3,0x9f700b8d,0xa78318c4,0xd2c22c30,0x9208decd,0x556988f4,
+        0xb4ed3c62,0xa04f19c3 } },
+    /* 104 */
+    { { 0xed7f93bd,0x087924c8,0x392f51f6,0xcb64ac5d,0x821b71af,0x7cae330a,
+        0x5c0950b0,0x92b2eeea },
+      { 0x85b6e235,0x85ac4c94,0x2936c0f0,0xab2ca4a9,0xe0508891,0x80faa6b3,
+        0x5834276c,0x1ee78221 } },
+    /* 105 */
+    { { 0xe63e79f7,0xa60a2e00,0xf399d906,0xf590e7b2,0x6607c09d,0x9021054a,
+        0x57a6e150,0xf3f2ced8 },
+      { 0xf10d9b55,0x200510f3,0xd8642648,0x9d2fcfac,0xe8bd0e7c,0xe5631aa7,
+        0x3da3e210,0x0f56a454 } },
+    /* 106 */
+    { { 0x1043e0df,0x5b21bffa,0x9c007e6d,0x6c74b6cc,0xd4a8517a,0x1a656ec0,
+        0x1969e263,0xbd8f1741 },
+      { 0xbeb7494a,0x8a9bbb86,0x45f3b838,0x1567d46f,0xa4e5a79a,0xdf7a12a7,
+        0x30ccfa09,0x2d1a1c35 } },
+    /* 107 */
+    { { 0x506508da,0x192e3813,0xa1d795a7,0x336180c4,0x7a9944b3,0xcddb5949,
+        0xb91fba46,0xa107a65e },
+      { 0x0f94d639,0xe6d1d1c5,0x8a58b7d7,0x8b4af375,0xbd37ca1c,0x1a7c5584,
+        0xf87a9af2,0x183d760a } },
+    /* 108 */
+    { { 0x0dde59a4,0x29d69711,0x0e8bef87,0xf1ad8d07,0x4f2ebe78,0x229b4963,
+        0xc269d754,0x1d44179d },
+      { 0x8390d30e,0xb32dc0cf,0x0de8110c,0x0a3b2753,0x2bc0339a,0x31af1dc5,
+        0x9606d262,0x771f9cc2 } },
+    /* 109 */
+    { { 0x85040739,0x99993e77,0x8026a939,0x44539db9,0xf5f8fc26,0xcf40f6f2,
+        0x0362718e,0x64427a31 },
+      { 0x85428aa8,0x4f4f2d87,0xebfb49a8,0x7b7adc3f,0xf23d01ac,0x201b2c6d,
+        0x6ae90d6d,0x49d9b749 } },
+    /* 110 */
+    { { 0x435d1099,0xcc78d8bc,0x8e8d1a08,0x2adbcd4e,0x2cb68a41,0x02c2e2a0,
+        0x3f605445,0x9037d81b },
+      { 0x074c7b61,0x7cdbac27,0x57bfd72e,0xfe2031ab,0x596d5352,0x61ccec96,
+        0x7cc0639c,0x08c3de6a } },
+    /* 111 */
+    { { 0xf6d552ab,0x20fdd020,0x05cd81f1,0x56baff98,0x91351291,0x06fb7c3e,
+        0x45796b2f,0xc6909442 },
+      { 0x41231bd1,0x17b3ae9c,0x5cc58205,0x1eac6e87,0xf9d6a122,0x208837ab,
+        0xcafe3ac0,0x3fa3db02 } },
+    /* 112 */
+    { { 0x05058880,0xd75a3e65,0x643943f2,0x7da365ef,0xfab24925,0x4147861c,
+        0xfdb808ff,0xc5c4bdb0 },
+      { 0xb272b56b,0x73513e34,0x11b9043a,0xc8327e95,0xf8844969,0xfd8ce37d,
+        0x46c2b6b5,0x2d56db94 } },
+    /* 113 */
+    { { 0xff46ac6b,0x2461782f,0x07a2e425,0xd19f7926,0x09a48de1,0xfafea3c4,
+        0xe503ba42,0x0f56bd9d },
+      { 0x345cda49,0x137d4ed1,0x816f299d,0x821158fc,0xaeb43402,0xe7c6a54a,
+        0x1173b5f1,0x4003bb9d } },
+    /* 114 */
+    { { 0xa0803387,0x3b8e8189,0x39cbd404,0xece115f5,0xd2877f21,0x4297208d,
+        0xa07f2f9e,0x53765522 },
+      { 0xa8a4182d,0xa4980a21,0x3219df79,0xa2bbd07a,0x1a19a2d4,0x674d0a2e,
+        0x6c5d4549,0x7a056f58 } },
+    /* 115 */
+    { { 0x9d8a2a47,0x646b2558,0xc3df2773,0x5b582948,0xabf0d539,0x51ec000e,
+        0x7a1a2675,0x77d482f1 },
+      { 0x87853948,0xb8a1bd95,0x6cfbffee,0xa6f817bd,0x80681e47,0xab6ec057,
+        0x2b38b0e4,0x4115012b } },
+    /* 116 */
+    { { 0x6de28ced,0x3c73f0f4,0x9b13ec47,0x1d5da760,0x6e5c6392,0x61b8ce9e,
+        0xfbea0946,0xcdf04572 },
+      { 0x6c53c3b0,0x1cb3c58b,0x447b843c,0x97fe3c10,0x2cb9780e,0xfb2b8ae1,
+        0x97383109,0xee703dda } },
+    /* 117 */
+    { { 0xff57e43a,0x34515140,0xb1b811b8,0xd44660d3,0x8f42b986,0x2b3b5dff,
+        0xa162ce21,0x2a0ad89d },
+      { 0x6bc277ba,0x64e4a694,0xc141c276,0xc788c954,0xcabf6274,0x141aa64c,
+        0xac2b4659,0xd62d0b67 } },
+    /* 118 */
+    { { 0x2c054ac4,0x39c5d87b,0xf27df788,0x57005859,0xb18128d6,0xedf7cbf3,
+        0x991c2426,0xb39a23f2 },
+      { 0xf0b16ae5,0x95284a15,0xa136f51b,0x0c6a05b1,0xf2700783,0x1d63c137,
+        0xc0674cc5,0x04ed0092 } },
+    /* 119 */
+    { { 0x9ae90393,0x1f4185d1,0x4a3d64e6,0x3047b429,0x9854fc14,0xae0001a6,
+        0x0177c387,0xa0a91fc1 },
+      { 0xae2c831e,0xff0a3f01,0x2b727e16,0xbb76ae82,0x5a3075b4,0x8f12c8a1,
+        0x9ed20c41,0x084cf988 } },
+    /* 120 */
+    { { 0xfca6becf,0xd98509de,0x7dffb328,0x2fceae80,0x4778e8b9,0x5d8a15c4,
+        0x73abf77e,0xd57955b2 },
+      { 0x31b5d4f1,0x210da79e,0x3cfa7a1c,0xaa52f04b,0xdc27c20b,0xd4d12089,
+        0x02d141f1,0x8e14ea42 } },
+    /* 121 */
+    { { 0xf2897042,0xeed50345,0x43402c4a,0x8d05331f,0xc8bdfb21,0xc8d9c194,
+        0x2aa4d158,0x597e1a37 },
+      { 0xcf0bd68c,0x0327ec1a,0xab024945,0x6d4be0dc,0xc9fe3e84,0x5b9c8d7a,
+        0x199b4dea,0xca3f0236 } },
+    /* 122 */
+    { { 0x6170bd20,0x592a10b5,0x6d3f5de7,0x0ea897f1,0x44b2ade2,0xa3363ff1,
+        0x309c07e4,0xbde7fd7e },
+      { 0xb8f5432c,0x516bb6d2,0xe043444b,0x210dc1cb,0xf8f95b5a,0x3db01e6f,
+        0x0a7dd198,0xb623ad0e } },
+    /* 123 */
+    { { 0x60c7b65b,0xa75bd675,0x23a4a289,0xab8c5590,0xd7b26795,0xf8220fd0,
+        0x58ec137b,0xd6aa2e46 },
+      { 0x5138bb85,0x10abc00b,0xd833a95c,0x8c31d121,0x1702a32e,0xb24ff00b,
+        0x2dcc513a,0x111662e0 } },
+    /* 124 */
+    { { 0xefb42b87,0x78114015,0x1b6c4dff,0xbd9f5d70,0xa7d7c129,0x66ecccd7,
+        0x94b750f8,0xdb3ee1cb },
+      { 0xf34837cf,0xb26f3db0,0xb9578d4f,0xe7eed18b,0x7c56657d,0x5d2cdf93,
+        0x52206a59,0x886a6442 } },
+    /* 125 */
+    { { 0x65b569ea,0x3c234cfb,0xf72119c1,0x20011141,0xa15a619e,0x8badc85d,
+        0x018a17bc,0xa70cf4eb },
+      { 0x8c4a6a65,0x224f97ae,0x0134378f,0x36e5cf27,0x4f7e0960,0xbe3a609e,
+        0xd1747b77,0xaa4772ab } },
+    /* 126 */
+    { { 0x7aa60cc0,0x67676131,0x0368115f,0xc7916361,0xbbc1bb5a,0xded98bb4,
+        0x30faf974,0x611a6ddc },
+      { 0xc15ee47a,0x30e78cbc,0x4e0d96a5,0x2e896282,0x3dd9ed88,0x36f35adf,
+        0x16429c88,0x5cfffaf8 } },
+    /* 127 */
+    { { 0x9b7a99cd,0xc0d54cff,0x843c45a1,0x7bf3b99d,0x62c739e1,0x038a908f,
+        0x7dc1994c,0x6e5a6b23 },
+      { 0x0ba5db77,0xef8b454e,0xacf60d63,0xb7b8807f,0x76608378,0xe591c0c6,
+        0x242dabcc,0x481a238d } },
+    /* 128 */
+    { { 0x35d0b34a,0xe3417bc0,0x8327c0a7,0x440b386b,0xac0362d1,0x8fb7262d,
+        0xe0cdf943,0x2c41114c },
+      { 0xad95a0b1,0x2ba5cef1,0x67d54362,0xc09b37a8,0x01e486c9,0x26d6cdd2,
+        0x42ff9297,0x20477abf } },
+    /* 129 */
+    { { 0x18d65dbf,0x2f75173c,0x339edad8,0x77bf940e,0xdcf1001c,0x7022d26b,
+        0xc77396b6,0xac66409a },
+      { 0xc6261cc3,0x8b0bb36f,0x190e7e90,0x213f7bc9,0xa45e6c10,0x6541ceba,
+        0xcc122f85,0xce8e6975 } },
+    /* 130 */
+    { { 0xbc0a67d2,0x0f121b41,0x444d248a,0x62d4760a,0x659b4737,0x0e044f1d,
+        0x250bb4a8,0x08fde365 },
+      { 0x848bf287,0xaceec3da,0xd3369d6e,0xc2a62182,0x92449482,0x3582dfdc,
+        0x565d6cd7,0x2f7e2fd2 } },
+    /* 131 */
+    { { 0xc3770fa7,0xae4b92db,0x379043f9,0x095e8d5c,0x17761171,0x54f34e9d,
+        0x907702ae,0xc65be92e },
+      { 0xf6fd0a40,0x2758a303,0xbcce784b,0xe7d822e3,0x4f9767bf,0x7ae4f585,
+        0xd1193b3a,0x4bff8e47 } },
+    /* 132 */
+    { { 0x00ff1480,0xcd41d21f,0x0754db16,0x2ab8fb7d,0xbbe0f3ea,0xac81d2ef,
+        0x5772967d,0x3e4e4ae6 },
+      { 0x3c5303e6,0x7e18f36d,0x92262397,0x3bd9994b,0x1324c3c0,0x9ed70e26,
+        0x58ec6028,0x5388aefd } },
+    /* 133 */
+    { { 0x5e5d7713,0xad1317eb,0x75de49da,0x09b985ee,0xc74fb261,0x32f5bc4f,
+        0x4f75be0e,0x5cf908d1 },
+      { 0x8e657b12,0x76043510,0xb96ed9e6,0xbfd421a5,0x8970ccc2,0x0e29f51f,
+        0x60f00ce2,0xa698ba40 } },
+    /* 134 */
+    { { 0xef748fec,0x73db1686,0x7e9d2cf9,0xe6e755a2,0xce265eff,0x630b6544,
+        0x7aebad8d,0xb142ef8a },
+      { 0x17d5770a,0xad31af9f,0x2cb3412f,0x66af3b67,0xdf3359de,0x6bd60d1b,
+        0x58515075,0xd1896a96 } },
+    /* 135 */
+    { { 0x33c41c08,0xec5957ab,0x5468e2e1,0x87de94ac,0xac472f6c,0x18816b73,
+        0x7981da39,0x267b0e0b },
+      { 0x8e62b988,0x6e554e5d,0x116d21e7,0xd8ddc755,0x3d2a6f99,0x4610faf0,
+        0xa1119393,0xb54e287a } },
+    /* 136 */
+    { { 0x178a876b,0x0a0122b5,0x085104b4,0x51ff96ff,0x14f29f76,0x050b31ab,
+        0x5f87d4e6,0x84abb28b },
+      { 0x8270790a,0xd5ed439f,0x85e3f46b,0x2d6cb59d,0x6c1e2212,0x75f55c1b,
+        0x17655640,0xe5436f67 } },
+    /* 137 */
+    { { 0x2286e8d5,0x53f9025e,0x864453be,0x353c95b4,0xe408e3a0,0xd832f5bd,
+        0x5b9ce99e,0x0404f68b },
+      { 0xa781e8e5,0xcad33bde,0x163c2f5b,0x3cdf5018,0x0119caa3,0x57576960,
+        0x0ac1c701,0x3a4263df } },
+    /* 138 */
+    { { 0x9aeb596d,0xc2965ecc,0x023c92b4,0x01ea03e7,0x2e013961,0x4704b4b6,
+        0x905ea367,0x0ca8fd3f },
+      { 0x551b2b61,0x92523a42,0x390fcd06,0x1eb7a89c,0x0392a63e,0xe7f1d2be,
+        0x4ddb0c33,0x96dca264 } },
+    /* 139 */
+    { { 0x387510af,0x203bb43a,0xa9a36a01,0x846feaa8,0x2f950378,0xd23a5770,
+        0x3aad59dc,0x4363e212 },
+      { 0x40246a47,0xca43a1c7,0xe55dd24d,0xb362b8d2,0x5d8faf96,0xf9b08604,
+        0xd8bb98c4,0x840e115c } },
+    /* 140 */
+    { { 0x1023e8a7,0xf12205e2,0xd8dc7a0b,0xc808a8cd,0x163a5ddf,0xe292a272,
+        0x30ded6d4,0x5e0d6abd },
+      { 0x7cfc0f64,0x07a721c2,0x0e55ed88,0x42eec01d,0x1d1f9db2,0x26a7bef9,
+        0x2945a25a,0x7dea48f4 } },
+    /* 141 */
+    { { 0xe5060a81,0xabdf6f1c,0xf8f95615,0xe79f9c72,0x06ac268b,0xcfd36c54,
+        0xebfd16d1,0xabc2a2be },
+      { 0xd3e2eac7,0x8ac66f91,0xd2dd0466,0x6f10ba63,0x0282d31b,0x6790e377,
+        0x6c7eefc1,0x4ea35394 } },
+    /* 142 */
+    { { 0x5266309d,0xed8a2f8d,0x81945a3e,0x0a51c6c0,0x578c5dc1,0xcecaf45a,
+        0x1c94ffc3,0x3a76e689 },
+      { 0x7d7b0d0f,0x9aace8a4,0x8f584a5f,0x963ace96,0x4e697fbe,0x51a30c72,
+        0x465e6464,0x8212a10a } },
+    /* 143 */
+    { { 0xcfab8caa,0xef7c61c3,0x0e142390,0x18eb8e84,0x7e9733ca,0xcd1dff67,
+        0x599cb164,0xaa7cab71 },
+      { 0xbc837bd1,0x02fc9273,0xc36af5d7,0xc06407d0,0xf423da49,0x17621292,
+        0xfe0617c3,0x40e38073 } },
+    /* 144 */
+    { { 0xa7bf9b7c,0xf4f80824,0x3fbe30d0,0x365d2320,0x97cf9ce3,0xbfbe5320,
+        0xb3055526,0xe3604700 },
+      { 0x6cc6c2c7,0x4dcb9911,0xba4cbee6,0x72683708,0x637ad9ec,0xdcded434,
+        0xa3dee15f,0x6542d677 } },
+    /* 145 */
+    { { 0x7b6c377a,0x3f32b6d0,0x903448be,0x6cb03847,0x20da8af7,0xd6fdd3a8,
+        0x09bb6f21,0xa6534aee },
+      { 0x1035facf,0x30a1780d,0x9dcb47e6,0x35e55a33,0xc447f393,0x6ea50fe1,
+        0xdc9aef22,0xf3cb672f } },
+    /* 146 */
+    { { 0x3b55fd83,0xeb3719fe,0x875ddd10,0xe0d7a46c,0x05cea784,0x33ac9fa9,
+        0xaae870e7,0x7cafaa2e },
+      { 0x1d53b338,0x9b814d04,0xef87e6c6,0xe0acc0a0,0x11672b0f,0xfb93d108,
+        0xb9bd522e,0x0aab13c1 } },
+    /* 147 */
+    { { 0xd2681297,0xddcce278,0xb509546a,0xcb350eb1,0x7661aaf2,0x2dc43173,
+        0x847012e9,0x4b91a602 },
+      { 0x72f8ddcf,0xdcff1095,0x9a911af4,0x08ebf61e,0xc372430e,0x48f4360a,
+        0x72321cab,0x49534c53 } },
+    /* 148 */
+    { { 0xf07b7e9d,0x83df7d71,0x13cd516f,0xa478efa3,0x6c047ee3,0x78ef264b,
+        0xd65ac5ee,0xcaf46c4f },
+      { 0x92aa8266,0xa04d0c77,0x913684bb,0xedf45466,0xae4b16b0,0x56e65168,
+        0x04c6770f,0x14ce9e57 } },
+    /* 149 */
+    { { 0x965e8f91,0x99445e3e,0xcb0f2492,0xd3aca1ba,0x90c8a0a0,0xd31cc70f,
+        0x3e4c9a71,0x1bb708a5 },
+      { 0x558bdd7a,0xd5ca9e69,0x018a26b1,0x734a0508,0x4c9cf1ec,0xb093aa71,
+        0xda300102,0xf9d126f2 } },
+    /* 150 */
+    { { 0xaff9563e,0x749bca7a,0xb49914a0,0xdd077afe,0xbf5f1671,0xe27a0311,
+        0x729ecc69,0x807afcb9 },
+      { 0xc9b08b77,0x7f8a9337,0x443c7e38,0x86c3a785,0x476fd8ba,0x85fafa59,
+        0x6568cd8c,0x751adcd1 } },
+    /* 151 */
+    { { 0x10715c0d,0x8aea38b4,0x8f7697f7,0xd113ea71,0x93fbf06d,0x665eab14,
+        0x2537743f,0x29ec4468 },
+      { 0xb50bebbc,0x3d94719c,0xe4505422,0x399ee5bf,0x8d2dedb1,0x90cd5b3a,
+        0x92a4077d,0xff9370e3 } },
+    /* 152 */
+    { { 0xc6b75b65,0x59a2d69b,0x266651c5,0x4188f8d5,0x3de9d7d2,0x28a9f33e,
+        0xa2a9d01a,0x9776478b },
+      { 0x929af2c7,0x8852622d,0x4e690923,0x334f5d6d,0xa89a51e9,0xce6cc7e5,
+        0xac2f82fa,0x74a6313f } },
+    /* 153 */
+    { { 0xb75f079c,0xb2f4dfdd,0x18e36fbb,0x85b07c95,0xe7cd36dd,0x1b6cfcf0,
+        0x0ff4863d,0xab75be15 },
+      { 0x173fc9b7,0x81b367c0,0xd2594fd0,0xb90a7420,0xc4091236,0x15fdbf03,
+        0x0b4459f6,0x4ebeac2e } },
+    /* 154 */
+    { { 0x5c9f2c53,0xeb6c5fe7,0x8eae9411,0xd2522011,0xf95ac5d8,0xc8887633,
+        0x2c1baffc,0xdf99887b },
+      { 0x850aaecb,0xbb78eed2,0x01d6a272,0x9d49181b,0xb1cdbcac,0x978dd511,
+        0x779f4058,0x27b040a7 } },
+    /* 155 */
+    { { 0xf73b2eb2,0x90405db7,0x8e1b2118,0xe0df8508,0x5962327e,0x501b7152,
+        0xe4cfa3f5,0xb393dd37 },
+      { 0x3fd75165,0xa1230e7b,0xbcd33554,0xd66344c2,0x0f7b5022,0x6c36f1be,
+        0xd0463419,0x09588c12 } },
+    /* 156 */
+    { { 0x02601c3b,0xe086093f,0xcf5c335f,0xfb0252f8,0x894aff28,0x955cf280,
+        0xdb9f648b,0x81c879a9 },
+      { 0xc6f56c51,0x040e687c,0x3f17618c,0xfed47169,0x9059353b,0x44f88a41,
+        0x5fc11bc4,0xfa0d48f5 } },
+    /* 157 */
+    { { 0xe1608e4d,0xbc6e1c9d,0x3582822c,0x010dda11,0x157ec2d7,0xf6b7ddc1,
+        0xb6a367d6,0x8ea0e156 },
+      { 0x2383b3b4,0xa354e02f,0x3f01f53c,0x69966b94,0x2de03ca5,0x4ff6632b,
+        0xfa00b5ac,0x3f5ab924 } },
+    /* 158 */
+    { { 0x59739efb,0x337bb0d9,0xe7ebec0d,0xc751b0f4,0x411a67d1,0x2da52dd6,
+        0x2b74256e,0x8bc76887 },
+      { 0x82d3d253,0xa5be3b72,0xf58d779f,0xa9f679a1,0xe16767bb,0xa1cac168,
+        0x60fcf34f,0xb386f190 } },
+    /* 159 */
+    { { 0x2fedcfc2,0x31f3c135,0x62f8af0d,0x5396bf62,0xe57288c2,0x9a02b4ea,
+        0x1b069c4d,0x4cb460f7 },
+      { 0x5b8095ea,0xae67b4d3,0x6fc07603,0x92bbf859,0xb614a165,0xe1475f66,
+        0x95ef5223,0x52c0d508 } },
+    /* 160 */
+    { { 0x15339848,0x231c210e,0x70778c8d,0xe87a28e8,0x6956e170,0x9d1de661,
+        0x2bb09c0b,0x4ac3c938 },
+      { 0x6998987d,0x19be0551,0xae09f4d6,0x8b2376c4,0x1a3f933d,0x1de0b765,
+        0xe39705f4,0x380d94c7 } },
+    /* 161 */
+    { { 0x81542e75,0x01a355aa,0xee01b9b7,0x96c724a1,0x624d7087,0x6b3a2977,
+        0xde2637af,0x2ce3e171 },
+      { 0xf5d5bc1a,0xcfefeb49,0x2777e2b5,0xa655607e,0x9513756c,0x4feaac2f,
+        0x0b624e4d,0x2e6cd852 } },
+    /* 162 */
+    { { 0x8c31c31d,0x3685954b,0x5bf21a0c,0x68533d00,0x75c79ec9,0x0bd7626e,
+        0x42c69d54,0xca177547 },
+      { 0xf6d2dbb2,0xcc6edaff,0x174a9d18,0xfd0d8cbd,0xaa4578e8,0x875e8793,
+        0x9cab2ce6,0xa976a713 } },
+    /* 163 */
+    { { 0x93fb353d,0x0a651f1b,0x57fcfa72,0xd75cab8b,0x31b15281,0xaa88cfa7,
+        0x0a1f4999,0x8720a717 },
+      { 0x693e1b90,0x8c3e8d37,0x16f6dfc3,0xd345dc0b,0xb52a8742,0x8ea8d00a,
+        0xc769893c,0x9719ef29 } },
+    /* 164 */
+    { { 0x58e35909,0x820eed8d,0x33ddc116,0x9366d8dc,0x6e205026,0xd7f999d0,
+        0xe15704c1,0xa5072976 },
+      { 0xc4e70b2e,0x002a37ea,0x6890aa8a,0x84dcf657,0x645b2a5c,0xcd71bf18,
+        0xf7b77725,0x99389c9d } },
+    /* 165 */
+    { { 0x7ada7a4b,0x238c08f2,0xfd389366,0x3abe9d03,0x766f512c,0x6b672e89,
+        0x202c82e4,0xa88806aa },
+      { 0xd380184e,0x6602044a,0x126a8b85,0xa8cb78c4,0xad844f17,0x79d670c0,
+        0x4738dcfe,0x0043bffb } },
+    /* 166 */
+    { { 0x36d5192e,0x8d59b5dc,0x4590b2af,0xacf885d3,0x11601781,0x83566d0a,
+        0xba6c4866,0x52f3ef01 },
+      { 0x0edcb64d,0x3986732a,0x8068379f,0x0a482c23,0x7040f309,0x16cbe5fa,
+        0x9ef27e75,0x3296bd89 } },
+    /* 167 */
+    { { 0x454d81d7,0x476aba89,0x51eb9b3c,0x9eade7ef,0x81c57986,0x619a21cd,
+        0xaee571e9,0x3b90febf },
+      { 0x5496f7cb,0x9393023e,0x7fb51bc4,0x55be41d8,0x99beb5ce,0x03f1dd48,
+        0x9f810b18,0x6e88069d } },
+    /* 168 */
+    { { 0xb43ea1db,0xce37ab11,0x5259d292,0x0a7ff1a9,0x8f84f186,0x851b0221,
+        0xdefaad13,0xa7222bea },
+      { 0x2b0a9144,0xa2ac78ec,0xf2fa59c5,0x5a024051,0x6147ce38,0x91d1eca5,
+        0xbc2ac690,0xbe94d523 } },
+    /* 169 */
+    { { 0x0b226ce7,0x72f4945e,0x967e8b70,0xb8afd747,0x85a6c63e,0xedea46f1,
+        0x9be8c766,0x7782defe },
+      { 0x3db38626,0x760d2aa4,0x76f67ad1,0x460ae787,0x54499cdb,0x341b86fc,
+        0xa2892e4b,0x03838567 } },
+    /* 170 */
+    { { 0x79ec1a0f,0x2d8daefd,0xceb39c97,0x3bbcd6fd,0x58f61a95,0xf5575ffc,
+        0xadf7b420,0xdbd986c4 },
+      { 0x15f39eb7,0x81aa8814,0xb98d976c,0x6ee2fcf5,0xcf2f717d,0x5465475d,
+        0x6860bbd0,0x8e24d3c4 } },
+    /* 171 */
+    { { 0x9a587390,0x749d8e54,0x0cbec588,0x12bb194f,0xb25983c6,0x46e07da4,
+        0x407bafc8,0x541a99c4 },
+      { 0x624c8842,0xdb241692,0xd86c05ff,0x6044c12a,0x4f7fcf62,0xc59d14b4,
+        0xf57d35d1,0xc0092c49 } },
+    /* 172 */
+    { { 0xdf2e61ef,0xd3cc75c3,0x2e1b35ca,0x7e8841c8,0x909f29f4,0xc62d30d1,
+        0x7286944d,0x75e40634 },
+      { 0xbbc237d0,0xe7d41fc5,0xec4f01c9,0xc9537bf0,0x282bd534,0x91c51a16,
+        0xc7848586,0x5b7cb658 } },
+    /* 173 */
+    { { 0x8a28ead1,0x964a7084,0xfd3b47f6,0x802dc508,0x767e5b39,0x9ae4bfd1,
+        0x8df097a1,0x7ae13eba },
+      { 0xeadd384e,0xfd216ef8,0xb6b2ff06,0x0361a2d9,0x4bcdb5f3,0x204b9878,
+        0xe2a8e3fd,0x787d8074 } },
+    /* 174 */
+    { { 0x757fbb1c,0xc5e25d6b,0xca201deb,0xe47bddb2,0x6d2233ff,0x4a55e9a3,
+        0x9ef28484,0x5c222819 },
+      { 0x88315250,0x773d4a85,0x827097c1,0x21b21a2b,0xdef5d33f,0xab7c4ea1,
+        0xbaf0f2b0,0xe45d37ab } },
+    /* 175 */
+    { { 0x28511c8a,0xd2df1e34,0xbdca6cd3,0xebb229c8,0x627c39a7,0x578a71a7,
+        0x84dfb9d3,0xed7bc122 },
+      { 0x93dea561,0xcf22a6df,0xd48f0ed1,0x5443f18d,0x5bad23e8,0xd8b86140,
+        0x45ca6d27,0xaac97cc9 } },
+    /* 176 */
+    { { 0xa16bd00a,0xeb54ea74,0xf5c0bcc1,0xd839e9ad,0x1f9bfc06,0x092bb7f1,
+        0x1163dc4e,0x318f97b3 },
+      { 0xc30d7138,0xecc0c5be,0xabc30220,0x44e8df23,0xb0223606,0x2bb7972f,
+        0x9a84ff4d,0xfa41faa1 } },
+    /* 177 */
+    { { 0xa6642269,0x4402d974,0x9bb783bd,0xc81814ce,0x7941e60b,0x398d38e4,
+        0x1d26e9e2,0x38bb6b2c },
+      { 0x6a577f87,0xc64e4a25,0xdc11fe1c,0x8b52d253,0x62280728,0xff336abf,
+        0xce7601a5,0x94dd0905 } },
+    /* 178 */
+    { { 0xde93f92a,0x156cf7dc,0x89b5f315,0xa01333cb,0xc995e750,0x02404df9,
+        0xd25c2ae9,0x92077867 },
+      { 0x0bf39d44,0xe2471e01,0x96bb53d7,0x5f2c9020,0x5c9c3d8f,0x4c44b7b3,
+        0xd29beb51,0x81e8428b } },
+    /* 179 */
+    { { 0xc477199f,0x6dd9c2ba,0x6b5ecdd9,0x8cb8eeee,0xee40fd0e,0x8af7db3f,
+        0xdbbfa4b1,0x1b94ab62 },
+      { 0xce47f143,0x44f0d8b3,0x63f46163,0x51e623fc,0xcc599383,0xf18f270f,
+        0x055590ee,0x06a38e28 } },
+    /* 180 */
+    { { 0xb3355b49,0x2e5b0139,0xb4ebf99b,0x20e26560,0xd269f3dc,0xc08ffa6b,
+        0x83d9d4f8,0xa7b36c20 },
+      { 0x1b3e8830,0x64d15c3a,0xa89f9c0b,0xd5fceae1,0xe2d16930,0xcfeee4a2,
+        0xa2822a20,0xbe54c6b4 } },
+    /* 181 */
+    { { 0x8d91167c,0xd6cdb3df,0xe7a6625e,0x517c3f79,0x346ac7f4,0x7105648f,
+        0xeae022bb,0xbf30a5ab },
+      { 0x93828a68,0x8e7785be,0x7f3ef036,0x5161c332,0x592146b2,0xe11b5feb,
+        0x2732d13a,0xd1c820de } },
+    /* 182 */
+    { { 0x9038b363,0x043e1347,0x6b05e519,0x58c11f54,0x6026cad1,0x4fe57abe,
+        0x68a18da3,0xb7d17bed },
+      { 0xe29c2559,0x44ca5891,0x5bfffd84,0x4f7a0376,0x74e46948,0x498de4af,
+        0x6412cc64,0x3997fd5e } },
+    /* 183 */
+    { { 0x8bd61507,0xf2074682,0x34a64d2a,0x29e132d5,0x8a8a15e3,0xffeddfb0,
+        0x3c6c13e8,0x0eeb8929 },
+      { 0xa7e259f8,0xe9b69a3e,0xd13e7e67,0xce1db7e6,0xad1fa685,0x277318f6,
+        0xc922b6ef,0x228916f8 } },
+    /* 184 */
+    { { 0x0a12ab5b,0x959ae25b,0x957bc136,0xcc11171f,0xd16e2b0c,0x8058429e,
+        0x6e93097e,0xec05ad1d },
+      { 0xac3f3708,0x157ba5be,0x30b59d77,0x31baf935,0x118234e5,0x47b55237,
+        0x7ff11b37,0x7d314156 } },
+    /* 185 */
+    { { 0xf6dfefab,0x7bd9c05c,0xdcb37707,0xbe2f2268,0x3a38bb95,0xe53ead97,
+        0x9bc1d7a3,0xe9ce66fc },
+      { 0x6f6a02a1,0x75aa1576,0x60e600ed,0x38c087df,0x68cdc1b9,0xf8947f34,
+        0x72280651,0xd9650b01 } },
+    /* 186 */
+    { { 0x5a057e60,0x504b4c4a,0x8def25e4,0xcbccc3be,0x17c1ccbd,0xa6353208,
+        0x804eb7a2,0x14d6699a },
+      { 0xdb1f411a,0x2c8a8415,0xf80d769c,0x09fbaf0b,0x1c2f77ad,0xb4deef90,
+        0x0d43598a,0x6f4c6841 } },
+    /* 187 */
+    { { 0x96c24a96,0x8726df4e,0xfcbd99a3,0x534dbc85,0x8b2ae30a,0x3c466ef2,
+        0x61189abb,0x4c4350fd },
+      { 0xf855b8da,0x2967f716,0x463c38a1,0x41a42394,0xeae93343,0xc37e1413,
+        0x5a3118b5,0xa726d242 } },
+    /* 188 */
+    { { 0x948c1086,0xdae6b3ee,0xcbd3a2e1,0xf1de503d,0x03d022f3,0x3f35ed3f,
+        0xcc6cf392,0x13639e82 },
+      { 0xcdafaa86,0x9ac938fb,0x2654a258,0xf45bc5fb,0x45051329,0x1963b26e,
+        0xc1a335a3,0xca9365e1 } },
+    /* 189 */
+    { { 0x4c3b2d20,0x3615ac75,0x904e241b,0x742a5417,0xcc9d071d,0xb08521c4,
+        0x970b72a5,0x9ce29c34 },
+      { 0x6d3e0ad6,0x8cc81f73,0xf2f8434c,0x8060da9e,0x6ce862d9,0x35ed1d1a,
+        0xab42af98,0x48c4abd7 } },
+    /* 190 */
+    { { 0x40c7485a,0xd221b0cc,0xe5274dbf,0xead455bb,0x9263d2e8,0x493c7698,
+        0xf67b33cb,0x78017c32 },
+      { 0x930cb5ee,0xb9d35769,0x0c408ed2,0xc0d14e94,0x272f1a4d,0xf8b7bf55,
+        0xde5c1c04,0x53cd0454 } },
+    /* 191 */
+    { { 0x5d28ccac,0xbcd585fa,0x005b746e,0x5f823e56,0xcd0123aa,0x7c79f0a1,
+        0xd3d7fa8f,0xeea465c1 },
+      { 0x0551803b,0x7810659f,0x7ce6af70,0x6c0b599f,0x29288e70,0x4195a770,
+        0x7ae69193,0x1b6e42a4 } },
+    /* 192 */
+    { { 0xf67d04c3,0x2e80937c,0x89eeb811,0x1e312be2,0x92594d60,0x56b5d887,
+        0x187fbd3d,0x0224da14 },
+      { 0x0c5fe36f,0x87abb863,0x4ef51f5f,0x580f3c60,0xb3b429ec,0x964fb1bf,
+        0x42bfff33,0x60838ef0 } },
+    /* 193 */
+    { { 0x7e0bbe99,0x432cb2f2,0x04aa39ee,0x7bda44f3,0x9fa93903,0x5f497c7a,
+        0x2d331643,0x636eb202 },
+      { 0x93ae00aa,0xfcfd0e61,0x31ae6d2f,0x875a00fe,0x9f93901c,0xf43658a2,
+        0x39218bac,0x8844eeb6 } },
+    /* 194 */
+    { { 0x6b3bae58,0x114171d2,0x17e39f3e,0x7db3df71,0x81a8eada,0xcd37bc7f,
+        0x51fb789e,0x27ba83dc },
+      { 0xfbf54de5,0xa7df439f,0xb5fe1a71,0x7277030b,0xdb297a48,0x42ee8e35,
+        0x87f3a4ab,0xadb62d34 } },
+    /* 195 */
+    { { 0xa175df2a,0x9b1168a2,0x618c32e9,0x082aa04f,0x146b0916,0xc9e4f2e7,
+        0x75e7c8b2,0xb990fd76 },
+      { 0x4df37313,0x0829d96b,0xd0b40789,0x1c205579,0x78087711,0x66c9ae4a,
+        0x4d10d18d,0x81707ef9 } },
+    /* 196 */
+    { { 0x03d6ff96,0x97d7cab2,0x0d843360,0x5b851bfc,0xd042db4b,0x268823c4,
+        0xd5a8aa5c,0x3792daea },
+      { 0x941afa0b,0x52818865,0x42d83671,0xf3e9e741,0x5be4e0a7,0x17c82527,
+        0x94b001ba,0x5abd635e } },
+    /* 197 */
+    { { 0x0ac4927c,0x727fa84e,0xa7c8cf23,0xe3886035,0x4adca0df,0xa4bcd5ea,
+        0x846ab610,0x5995bf21 },
+      { 0x829dfa33,0xe90f860b,0x958fc18b,0xcaafe2ae,0x78630366,0x9b3baf44,
+        0xd483411e,0x44c32ca2 } },
+    /* 198 */
+    { { 0xe40ed80c,0xa74a97f1,0x31d2ca82,0x5f938cb1,0x7c2d6ad9,0x53f2124b,
+        0x8082a54c,0x1f2162fb },
+      { 0x720b173e,0x7e467cc5,0x085f12f9,0x40e8a666,0x4c9d65dc,0x8cebc20e,
+        0xc3e907c9,0x8f1d402b } },
+    /* 199 */
+    { { 0xfbc4058a,0x4f592f9c,0x292f5670,0xb15e14b6,0xbc1d8c57,0xc55cfe37,
+        0x926edbf9,0xb1980f43 },
+      { 0x32c76b09,0x98c33e09,0x33b07f78,0x1df5279d,0x863bb461,0x6f08ead4,
+        0x37448e45,0x2828ad9b } },
+    /* 200 */
+    { { 0xc4cf4ac5,0x696722c4,0xdde64afb,0xf5ac1a3f,0xe0890832,0x0551baa2,
+        0x5a14b390,0x4973f127 },
+      { 0x322eac5d,0xe59d8335,0x0bd9b568,0x5e07eef5,0xa2588393,0xab36720f,
+        0xdb168ac7,0x6dac8ed0 } },
+    /* 201 */
+    { { 0xeda835ef,0xf7b545ae,0x1d10ed51,0x4aa113d2,0x13741b09,0x035a65e0,
+        0x20b9de4c,0x4b23ef59 },
+      { 0x3c4c7341,0xe82bb680,0x3f58bc37,0xd457706d,0xa51e3ee8,0x73527863,
+        0xddf49a4e,0x4dd71534 } },
+    /* 202 */
+    { { 0x95476cd9,0xbf944672,0xe31a725b,0x648d072f,0xfc4b67e0,0x1441c8b8,
+        0x2f4a4dbb,0xfd317000 },
+      { 0x8995d0e1,0x1cb43ff4,0x0ef729aa,0x76e695d1,0x41798982,0xe0d5f976,
+        0x9569f365,0x14fac58c } },
+    /* 203 */
+    { { 0xf312ae18,0xad9a0065,0xfcc93fc9,0x51958dc0,0x8a7d2846,0xd9a14240,
+        0x36abda50,0xed7c7651 },
+      { 0x25d4abbc,0x46270f1a,0xf1a113ea,0x9b5dd8f3,0x5b51952f,0xc609b075,
+        0x4d2e9f53,0xfefcb7f7 } },
+    /* 204 */
+    { { 0xba119185,0xbd09497a,0xaac45ba4,0xd54e8c30,0xaa521179,0x492479de,
+        0x87e0d80b,0x1801a57e },
+      { 0xfcafffb0,0x073d3f8d,0xae255240,0x6cf33c0b,0x5b5fdfbc,0x781d763b,
+        0x1ead1064,0x9f8fc11e } },
+    /* 205 */
+    { { 0x5e69544c,0x1583a171,0xf04b7813,0x0eaf8567,0x278a4c32,0x1e22a8fd,
+        0x3d3a69a9,0xa9d3809d },
+      { 0x59a2da3b,0x936c2c2c,0x1895c847,0x38ccbcf6,0x63d50869,0x5e65244e,
+        0xe1178ef7,0x3006b9ae } },
+    /* 206 */
+    { { 0xc9eead28,0x0bb1f2b0,0x89f4dfbc,0x7eef635d,0xb2ce8939,0x074757fd,
+        0x45f8f761,0x0ab85fd7 },
+      { 0x3e5b4549,0xecda7c93,0x97922f21,0x4be2bb5c,0xb43b8040,0x261a1274,
+        0x11e942c2,0xb122d675 } },
+    /* 207 */
+    { { 0x66a5ae7a,0x3be607be,0x76adcbe3,0x01e703fa,0x4eb6e5c5,0xaf904301,
+        0x097dbaec,0x9f599dc1 },
+      { 0x0ff250ed,0x6d75b718,0x349a20dc,0x8eb91574,0x10b227a3,0x425605a4,
+        0x8a294b78,0x7d5528e0 } },
+    /* 208 */
+    { { 0x20c26def,0xf0f58f66,0x582b2d1e,0x025585ea,0x01ce3881,0xfbe7d79b,
+        0x303f1730,0x28ccea01 },
+      { 0x79644ba5,0xd1dabcd1,0x06fff0b8,0x1fc643e8,0x66b3e17b,0xa60a76fc,
+        0xa1d013bf,0xc18baf48 } },
+    /* 209 */
+    { { 0x5dc4216d,0x34e638c8,0x206142ac,0x00c01067,0x95f5064a,0xd453a171,
+        0xb7a9596b,0x9def809d },
+      { 0x67ab8d2c,0x41e8642e,0x6237a2b6,0xb4240433,0x64c4218b,0x7d506a6d,
+        0x68808ce5,0x0357f8b0 } },
+    /* 210 */
+    { { 0x4cd2cc88,0x8e9dbe64,0xf0b8f39d,0xcc61c28d,0xcd30a0c8,0x4a309874,
+        0x1b489887,0xe4a01add },
+      { 0xf57cd8f9,0x2ed1eeac,0xbd594c48,0x1b767d3e,0x7bd2f787,0xa7295c71,
+        0xce10cc30,0x466d7d79 } },
+    /* 211 */
+    { { 0x9dada2c7,0x47d31892,0x8f9aa27d,0x4fa0a6c3,0x820a59e1,0x90e4fd28,
+        0x451ead1a,0xc672a522 },
+      { 0x5d86b655,0x30607cc8,0xf9ad4af1,0xf0235d3b,0x571172a6,0x99a08680,
+        0xf2a67513,0x5e3d64fa } },
+    /* 212 */
+    { { 0x9b3b4416,0xaa6410c7,0xeab26d99,0xcd8fcf85,0xdb656a74,0x5ebff74a,
+        0xeb8e42fc,0x6c8a7a95 },
+      { 0xb02a63bd,0x10c60ba7,0x8b8f0047,0x6b2f2303,0x312d90b0,0x8c6c3738,
+        0xad82ca91,0x348ae422 } },
+    /* 213 */
+    { { 0x5ccda2fb,0x7f474663,0x8e0726d2,0x22accaa1,0x492b1f20,0x85adf782,
+        0xd9ef2d2e,0xc1074de0 },
+      { 0xae9a65b3,0xfcf3ce44,0x05d7151b,0xfd71e4ac,0xce6a9788,0xd4711f50,
+        0xc9e54ffc,0xfbadfbdb } },
+    /* 214 */
+    { { 0x20a99363,0x1713f1cd,0x6cf22775,0xb915658f,0x24d359b2,0x968175cd,
+        0x83716fcd,0xb7f976b4 },
+      { 0x5d6dbf74,0x5758e24d,0x71c3af36,0x8d23bafd,0x0243dfe3,0x48f47760,
+        0xcafcc805,0xf4d41b2e } },
+    /* 215 */
+    { { 0xfdabd48d,0x51f1cf28,0x32c078a4,0xce81be36,0x117146e9,0x6ace2974,
+        0xe0160f10,0x180824ea },
+      { 0x66e58358,0x0387698b,0xce6ca358,0x63568752,0x5e41e6c5,0x82380e34,
+        0x83cf6d25,0x67e5f639 } },
+    /* 216 */
+    { { 0xcf4899ef,0xf89ccb8d,0x9ebb44c0,0x949015f0,0xb2598ec9,0x546f9276,
+        0x04c11fc6,0x9fef789a },
+      { 0x53d2a071,0x6d367ecf,0xa4519b09,0xb10e1a7f,0x611e2eef,0xca6b3fb0,
+        0xa99c4e20,0xbc80c181 } },
+    /* 217 */
+    { { 0xe5eb82e6,0x972536f8,0xf56cb920,0x1a484fc7,0x50b5da5e,0xc78e2171,
+        0x9f8cdf10,0x49270e62 },
+      { 0xea6b50ad,0x1a39b7bb,0xa2388ffc,0x9a0284c1,0x8107197b,0x5403eb17,
+        0x61372f7f,0xd2ee52f9 } },
+    /* 218 */
+    { { 0x88e0362a,0xd37cd285,0x8fa5d94d,0x442fa8a7,0xa434a526,0xaff836e5,
+        0xe5abb733,0xdfb478be },
+      { 0x673eede6,0xa91f1ce7,0x2b5b2f04,0xa5390ad4,0x5530da2f,0x5e66f7bf,
+        0x08df473a,0xd9a140b4 } },
+    /* 219 */
+    { { 0x6e8ea498,0x0e0221b5,0x3563ee09,0x62347829,0x335d2ade,0xe06b8391,
+        0x623f4b1a,0x760c058d },
+      { 0xc198aa79,0x0b89b58c,0xf07aba7f,0xf74890d2,0xfde2556a,0x4e204110,
+        0x8f190409,0x7141982d } },
+    /* 220 */
+    { { 0x4d4b0f45,0x6f0a0e33,0x392a94e1,0xd9280b38,0xb3c61d5e,0x3af324c6,
+        0x89d54e47,0x3af9d1ce },
+      { 0x20930371,0xfd8f7981,0x21c17097,0xeda2664c,0xdc42309b,0x0e9545dc,
+        0x73957dd6,0xb1f815c3 } },
+    /* 221 */
+    { { 0x89fec44a,0x84faa78e,0x3caa4caf,0xc8c2ae47,0xc1b6a624,0x691c807d,
+        0x1543f052,0xa41aed14 },
+      { 0x7d5ffe04,0x42435399,0x625b6e20,0x8bacb2df,0x87817775,0x85d660be,
+        0x86fb60ef,0xd6e9c1dd } },
+    /* 222 */
+    { { 0xc6853264,0x3aa2e97e,0xe2304a0b,0x771533b7,0xb8eae9be,0x1b912bb7,
+        0xae9bf8c2,0x9c9c6e10 },
+      { 0xe030b74c,0xa2309a59,0x6a631e90,0x4ed7494d,0xa49b79f2,0x89f44b23,
+        0x40fa61b6,0x566bd596 } },
+    /* 223 */
+    { { 0xc18061f3,0x066c0118,0x7c83fc70,0x190b25d3,0x27273245,0xf05fc8e0,
+        0xf525345e,0xcf2c7390 },
+      { 0x10eb30cf,0xa09bceb4,0x0d77703a,0xcfd2ebba,0x150ff255,0xe842c43a,
+        0x8aa20979,0x02f51755 } },
+    /* 224 */
+    { { 0xaddb7d07,0x396ef794,0x24455500,0x0b4fc742,0xc78aa3ce,0xfaff8eac,
+        0xe8d4d97d,0x14e9ada5 },
+      { 0x2f7079e2,0xdaa480a1,0xe4b0800e,0x45baa3cd,0x7838157d,0x01765e2d,
+        0x8e9d9ae8,0xa0ad4fab } },
+    /* 225 */
+    { { 0x4a653618,0x0bfb7621,0x31eaaa5f,0x1872813c,0x44949d5e,0x1553e737,
+        0x6e56ed1e,0xbcd530b8 },
+      { 0x32e9c47b,0x169be853,0xb50059ab,0xdc2776fe,0x192bfbb4,0xcdba9761,
+        0x6979341d,0x909283cf } },
+    /* 226 */
+    { { 0x76e81a13,0x67b00324,0x62171239,0x9bee1a99,0xd32e19d6,0x08ed361b,
+        0xace1549a,0x35eeb7c9 },
+      { 0x7e4e5bdc,0x1280ae5a,0xb6ceec6e,0x2dcd2cd3,0x6e266bc1,0x52e4224c,
+        0x448ae864,0x9a8b2cf4 } },
+    /* 227 */
+    { { 0x09d03b59,0xf6471bf2,0xb65af2ab,0xc90e62a3,0xebd5eec9,0xff7ff168,
+        0xd4491379,0x6bdb60f4 },
+      { 0x8a55bc30,0xdadafebc,0x10097fe0,0xc79ead16,0x4c1e3bdd,0x42e19741,
+        0x94ba08a9,0x01ec3cfd } },
+    /* 228 */
+    { { 0xdc9485c2,0xba6277eb,0x22fb10c7,0x48cc9a79,0x70a28d8a,0x4f61d60f,
+        0x475464f6,0xd1acb1c0 },
+      { 0x26f36612,0xd26902b1,0xe0618d8b,0x59c3a44e,0x308357ee,0x4df8a813,
+        0x405626c2,0x7dcd079d } },
+    /* 229 */
+    { { 0xf05a4b48,0x5ce7d4d3,0x37230772,0xadcd2952,0x812a915a,0xd18f7971,
+        0x377d19b8,0x0bf53589 },
+      { 0x6c68ea73,0x35ecd95a,0x823a584d,0xc7f3bbca,0xf473a723,0x9fb674c6,
+        0xe16686fc,0xd28be4d9 } },
+    /* 230 */
+    { { 0x38fa8e4b,0x5d2b9906,0x893fd8fc,0x559f186e,0x436fb6fc,0x3a6de2aa,
+        0x510f88ce,0xd76007aa },
+      { 0x523a4988,0x2d10aab6,0x74dd0273,0xb455cf44,0xa3407278,0x7f467082,
+        0xb303bb01,0xf2b52f68 } },
+    /* 231 */
+    { { 0x9835b4ca,0x0d57eafa,0xbb669cbc,0x2d2232fc,0xc6643198,0x8eeeb680,
+        0xcc5aed3a,0xd8dbe98e },
+      { 0xc5a02709,0xcba9be3f,0xf5ba1fa8,0x30be68e5,0xf10ea852,0xfebd43cd,
+        0xee559705,0xe01593a3 } },
+    /* 232 */
+    { { 0xea75a0a6,0xd3e5af50,0x57858033,0x512226ac,0xd0176406,0x6fe6d50f,
+        0xaeb8ef06,0xafec07b1 },
+      { 0x80bb0a31,0x7fb99567,0x37309aae,0x6f1af3cc,0x01abf389,0x9153a15a,
+        0x6e2dbfdd,0xa71b9354 } },
+    /* 233 */
+    { { 0x18f593d2,0xbf8e12e0,0xa078122b,0xd1a90428,0x0ba4f2ad,0x150505db,
+        0x628523d9,0x53a2005c },
+      { 0xe7f2b935,0x07c8b639,0xc182961a,0x2bff975a,0x7518ca2c,0x86bceea7,
+        0x3d588e3d,0xbf47d19b } },
+    /* 234 */
+    { { 0xdd7665d5,0x672967a7,0x2f2f4de5,0x4e303057,0x80d4903f,0x144005ae,
+        0x39c9a1b6,0x001c2c7f },
+      { 0x69efc6d6,0x143a8014,0x7bc7a724,0xc810bdaa,0xa78150a4,0x5f65670b,
+        0x86ffb99b,0xfdadf8e7 } },
+    /* 235 */
+    { { 0xffc00785,0xfd38cb88,0x3b48eb67,0x77fa7591,0xbf368fbc,0x0454d055,
+        0x5aa43c94,0x3a838e4d },
+      { 0x3e97bb9a,0x56166329,0x441d94d9,0x9eb93363,0x0adb2a83,0x515591a6,
+        0x873e1da3,0x3cdb8257 } },
+    /* 236 */
+    { { 0x7de77eab,0x137140a9,0x41648109,0xf7e1c50d,0xceb1d0df,0x762dcad2,
+        0xf1f57fba,0x5a60cc89 },
+      { 0x40d45673,0x80b36382,0x5913c655,0x1b82be19,0xdd64b741,0x057284b8,
+        0xdbfd8fc0,0x922ff56f } },
+    /* 237 */
+    { { 0xc9a129a1,0x1b265dee,0xcc284e04,0xa5b1ce57,0xcebfbe3c,0x04380c46,
+        0xf6c5cd62,0x72919a7d },
+      { 0x8fb90f9a,0x298f453a,0x88e4031b,0xd719c00b,0x796f1856,0xe32c0e77,
+        0x3624089a,0x5e791780 } },
+    /* 238 */
+    { { 0x7f63cdfb,0x5c16ec55,0xf1cae4fd,0x8e6a3571,0x560597ca,0xfce26bea,
+        0xe24c2fab,0x4e0a5371 },
+      { 0xa5765357,0x276a40d3,0x0d73a2b4,0x3c89af44,0x41d11a32,0xb8f370ae,
+        0xd56604ee,0xf5ff7818 } },
+    /* 239 */
+    { { 0x1a09df21,0xfbf3e3fe,0xe66e8e47,0x26d5d28e,0x29c89015,0x2096bd0a,
+        0x533f5e64,0xe41df0e9 },
+      { 0xb3ba9e3f,0x305fda40,0x2604d895,0xf2340ceb,0x7f0367c7,0x0866e192,
+        0xac4f155f,0x8edd7d6e } },
+    /* 240 */
+    { { 0x0bfc8ff3,0xc9a1dc0e,0xe936f42f,0x14efd82b,0xcca381ef,0x67016f7c,
+        0xed8aee96,0x1432c1ca },
+      { 0x70b23c26,0xec684829,0x0735b273,0xa64fe873,0xeaef0f5a,0xe389f6e5,
+        0x5ac8d2c6,0xcaef480b } },
+    /* 241 */
+    { { 0x75315922,0x5245c978,0x3063cca5,0xd8295171,0xb64ef2cb,0xf3ce60d0,
+        0x8efae236,0xd0ba177e },
+      { 0xb1b3af60,0x53a9ae8f,0x3d2da20e,0x1a796ae5,0xdf9eef28,0x01d63605,
+        0x1c54ae16,0xf31c957c } },
+    /* 242 */
+    { { 0x49cc4597,0xc0f58d52,0xbae0a028,0xdc5015b0,0x734a814a,0xefc5fc55,
+        0x96e17c3a,0x013404cb },
+      { 0xc9a824bf,0xb29e2585,0x001eaed7,0xd593185e,0x61ef68ac,0x8d6ee682,
+        0x91933e6c,0x6f377c4b } },
+    /* 243 */
+    { { 0xa8333fd2,0x9f93bad1,0x5a2a95b8,0xa8930202,0xeaf75ace,0x211e5037,
+        0xd2d09506,0x6dba3e4e },
+      { 0xd04399cd,0xa48ef98c,0xe6b73ade,0x1811c66e,0xc17ecaf3,0x72f60752,
+        0x3becf4a7,0xf13cf342 } },
+    /* 244 */
+    { { 0xa919e2eb,0xceeb9ec0,0xf62c0f68,0x83a9a195,0x7aba2299,0xcfba3bb6,
+        0x274bbad3,0xc83fa9a9 },
+      { 0x62fa1ce0,0x0d7d1b0b,0x3418efbf,0xe58b60f5,0x52706f04,0xbfa8ef9e,
+        0x5d702683,0xb49d70f4 } },
+    /* 245 */
+    { { 0xfad5513b,0x914c7510,0xb1751e2d,0x05f32eec,0xd9fb9d59,0x6d850418,
+        0x0c30f1cf,0x59cfadbb },
+      { 0x55cb7fd6,0xe167ac23,0x820426a3,0x249367b8,0x90a78864,0xeaeec58c,
+        0x354a4b67,0x5babf362 } },
+    /* 246 */
+    { { 0xee424865,0x37c981d1,0xf2e5577f,0x8b002878,0xb9e0c058,0x702970f1,
+        0x9026c8f0,0x6188c6a7 },
+      { 0xd0f244da,0x06f9a19b,0xfb080873,0x1ecced5c,0x9f213637,0x35470f9b,
+        0xdf50b9d9,0x993fe475 } },
+    /* 247 */
+    { { 0x9b2c3609,0x68e31cdf,0x2c46d4ea,0x84eb19c0,0x9a775101,0x7ac9ec1a,
+        0x4c80616b,0x81f76466 },
+      { 0x75fbe978,0x1d7c2a5a,0xf183b356,0x6743fed3,0x501dd2bf,0x838d1f04,
+        0x5fe9060d,0x564a812a } },
+    /* 248 */
+    { { 0xfa817d1d,0x7a5a64f4,0xbea82e0f,0x55f96844,0xcd57f9aa,0xb5ff5a0f,
+        0x00e51d6c,0x226bf3cf },
+      { 0x2f2833cf,0xd6d1a9f9,0x4f4f89a8,0x20a0a35a,0x8f3f7f77,0x11536c49,
+        0xff257836,0x68779f47 } },
+    /* 249 */
+    { { 0x73043d08,0x79b0c1c1,0x1fc020fa,0xa5446774,0x9a6d26d0,0xd3767e28,
+        0xeb092e0b,0x97bcb0d1 },
+      { 0xf32ed3c3,0x2ab6eaa8,0xb281bc48,0xc8a4f151,0xbfa178f3,0x4d1bf4f3,
+        0x0a784655,0xa872ffe8 } },
+    /* 250 */
+    { { 0xa32b2086,0xb1ab7935,0x8160f486,0xe1eb710e,0x3b6ae6be,0x9bd0cd91,
+        0xb732a36a,0x02812bfc },
+      { 0xcf605318,0xa63fd7ca,0xfdfd6d1d,0x646e5d50,0x2102d619,0xa1d68398,
+        0xfe5396af,0x07391cc9 } },
+    /* 251 */
+    { { 0x8b80d02b,0xc50157f0,0x62877f7f,0x6b8333d1,0x78d542ae,0x7aca1af8,
+        0x7e6d2a08,0x355d2adc },
+      { 0x287386e1,0xb41f335a,0xf8e43275,0xfd272a94,0xe79989ea,0x286ca2cd,
+        0x7c2a3a79,0x3dc2b1e3 } },
+    /* 252 */
+    { { 0x04581352,0xd689d21c,0x376782be,0x0a00c825,0x9fed701f,0x203bd590,
+        0x3ccd846b,0xc4786910 },
+      { 0x24c768ed,0x5dba7708,0x6841f657,0x72feea02,0x6accce0e,0x73313ed5,
+        0xd5bb4d32,0xccc42968 } },
+    /* 253 */
+    { { 0x3d7620b9,0x94e50de1,0x5992a56a,0xd89a5c8a,0x675487c9,0xdc007640,
+        0xaa4871cf,0xe147eb42 },
+      { 0xacf3ae46,0x274ab4ee,0x50350fbe,0xfd4936fb,0x48c840ea,0xdf2afe47,
+        0x080e96e3,0x239ac047 } },
+    /* 254 */
+    { { 0x2bfee8d4,0x481d1f35,0xfa7b0fec,0xce80b5cf,0x2ce9af3c,0x105c4c9e,
+        0xf5f7e59d,0xc55fa1a3 },
+      { 0x8257c227,0x3186f14e,0x342be00b,0xc5b1653f,0xaa904fb2,0x09afc998,
+        0xd4f4b699,0x094cd99c } },
+    /* 255 */
+    { { 0xd703beba,0x8a981c84,0x32ceb291,0x8631d150,0xe3bd49ec,0xa445f2c9,
+        0x42abad33,0xb90a30b6 },
+      { 0xb4a5abf9,0xb465404f,0x75db7603,0x004750c3,0xca35d89f,0x6f9a42cc,
+        0x1b7924f7,0x019f8b9a } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+
+            err = sp_256_ecc_mulmod_base_8(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_8(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_add_one_8(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r2, #1\n\t"
+        "ldr	r1, [%[a], #0]\n\t"
+        "add	r1, r2\n\t"
+        "mov	r2, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "ldr	r1, [%[a], #4]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #4]\n\t"
+        "ldr	r1, [%[a], #8]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #8]\n\t"
+        "ldr	r1, [%[a], #12]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "ldr	r1, [%[a], #20]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #20]\n\t"
+        "ldr	r1, [%[a], #24]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #24]\n\t"
+        "ldr	r1, [%[a], #28]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #28]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_8(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 8, buf, (int)sizeof(buf));
+            if (sp_256_cmp_8(k, p256_order2) < 0) {
+                sp_256_add_one_8(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_8(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_8(point->x) == 0) || (sp_256_iszero_8(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_8(infinity, 1, heap);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 256 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<8 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, priv);
+        sp_256_point_from_ecc_point_8(point, pub);
+            err = sp_256_ecc_mulmod_8(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_in_place_8(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "add	r7, #32\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_in_place_8(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_256_mul_d_8(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #32\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_256_word_8(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_256_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_div_8(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[16], t2[9];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[7];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 8);
+    for (i=7; i>=0; i--) {
+        r1 = div_256_word_8(t1[8 + i], t1[8 + i - 1], div);
+
+        sp_256_mul_d_8(t2, d, r1);
+        t1[8 + i] += sp_256_sub_in_place_8(&t1[i], t2);
+        t1[8 + i] -= t2[8];
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_256_cmp_8(t1, d) >= 0;
+    sp_256_cond_sub_8(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_8(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint32_t p256_order_minus_2[8] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU,0xffffffffU,0xffffffffU,
+    0x00000000U,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint32_t p256_order_low[4] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_8(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_8(r, a);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_8(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_8(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_8(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t, t);
+        if ((p256_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_8(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_8(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_8(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_8(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_8(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_8(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_8(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_8(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_8(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_8(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_8(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*8];
+    sp_digit xd[2*8];
+    sp_digit kd[2*8];
+    sp_digit rd[2*8];
+    sp_digit td[3 * 2*8];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 8;
+        x = d + 2 * 8;
+        k = d + 4 * 8;
+        r = d + 6 * 8;
+        tmp = d + 8 * 8;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 8, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 8, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_8(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 8, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 8U);
+            sp_256_norm_8(r);
+            c = sp_256_cmp_8(r, p256_order);
+            sp_256_cond_sub_8(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_8(k, k, p256_norm_order);
+            err = sp_256_mod_8(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_8(kInv, k, tmp);
+            sp_256_norm_8(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_8(x, x, r);
+            err = sp_256_mod_8(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(x);
+            carry = sp_256_add_8(s, e, x);
+            sp_256_cond_sub_8(s, s, p256_order, 0 - carry);
+            sp_256_norm_8(s);
+            c = sp_256_cmp_8(s, p256_order);
+            sp_256_cond_sub_8(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_8(s, s, kInv);
+            sp_256_norm_8(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_8(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 8);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 8U);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*8];
+    sp_digit u2d[2*8];
+    sp_digit sd[2*8];
+    sp_digit tmpd[2*8 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_256_point_new_8(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 8;
+        u2  = d + 2 * 8;
+        s   = d + 4 * 8;
+        tmp = d + 6 * 8;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 8, hash, (int)hashLen);
+        sp_256_from_mp(u2, 8, r);
+        sp_256_from_mp(s, 8, sm);
+        sp_256_from_mp(p2->x, 8, pX);
+        sp_256_from_mp(p2->y, 8, pY);
+        sp_256_from_mp(p2->z, 8, pZ);
+
+        {
+            sp_256_mul_8(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_8(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_8(s);
+        {
+            sp_256_mont_inv_order_8(s, s, tmp);
+            sp_256_mont_mul_order_8(u1, u1, s);
+            sp_256_mont_mul_order_8(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_8(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_8(p1, p1, p2, tmp);
+            if (sp_256_iszero_8(p1->z)) {
+                if (sp_256_iszero_8(p1->x) && sp_256_iszero_8(p1->y)) {
+                    sp_256_proj_point_dbl_8(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 8, r);
+        err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_8(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 8, r);
+            carry = sp_256_add_8(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_8(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_8(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_8(p1, 0, heap);
+    sp_256_point_free_8(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_8(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*8];
+    sp_digit t2d[2*8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_8(t1, point->y);
+        (void)sp_256_mod_8(t1, t1, p256_mod);
+        sp_256_sqr_8(t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        sp_256_mul_8(t2, t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        (void)sp_256_sub_8(t2, p256_mod, t2);
+        sp_256_mont_add_8(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_8(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_8(pub, NULL);
+    }
+
+    sp_256_point_free_8(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[8];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 8, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_8(pub->x) != 0) &&
+            (sp_256_iszero_8(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_8(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_8(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_8(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_8(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_8(p->x) == 0) ||
+            (sp_256_iszero_8(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_8(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_8(p->x, pub->x) != 0 ||
+            sp_256_cmp_8(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+        sp_256_from_mp(q->x, 8, qX);
+        sp_256_from_mp(q->y, 8, qY);
+        sp_256_from_mp(q->z, 8, qZ);
+
+            sp_256_proj_point_add_8(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(q, 0, NULL);
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+            sp_256_proj_point_dbl_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+        sp_256_map_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_8(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 8];
+    sp_digit t2d[2 * 8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_8(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_8(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_8(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_8(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_8(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_8(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 8];
+    sp_digit yd[2 * 8];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 8;
+        y = d + 2 * 8;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 8, xm);
+        err = sp_256_mod_mul_norm_8(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_8(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_8(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_8(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_8(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_8(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 8, 0, 8U * sizeof(sp_digit));
+        sp_256_mont_reduce_8(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_8(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 12];
+    sp_digit y[2 * 12];
+    sp_digit z[2 * 12];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[12] = {
+    0xffffffff,0x00000000,0x00000000,0xffffffff,0xfffffffe,0xffffffff,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[12] = {
+    0x00000001,0xffffffff,0xffffffff,0x00000000,0x00000001,0x00000000,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[12] = {
+    0xccc52973,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[12] = {
+    0xccc52971,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[12] = {
+    0x333ad68d,0x1313e695,0xb74f5885,0xa7e5f24d,0x0bc8d220,0x389cb27e,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0xe88fdc45;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x72760ab7,0x3a545e38,0xbf55296c,0x5502f25d,0x82542a38,0x59f741e0,
+        0x8ba79b98,0x6e1d3b62,0xf320ad74,0x8eb1c71e,0xbe8b0537,0xaa87ca22,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x90ea0e5f,0x7a431d7c,0x1d7e819d,0x0a60b1ce,0xb5f0b8c0,0xe9da3113,
+        0x289a147c,0xf8f41dbd,0x9292dc29,0x5d9e98bf,0x96262c6f,0x3617de4a,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[12] = {
+    0xd3ec2aef,0x2a85c8ed,0x8a2ed19d,0xc656398d,0x5013875a,0x0314088f,
+    0xfe814112,0x181d9c6e,0xe3f82d19,0x988e056b,0xe23ee7e4,0xb3312fa7
+};
+#endif
+
+static int sp_384_point_new_ex_12(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_12(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* t;
+#else
+    int64_t t[12];
+#endif
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (int64_t*)XMALLOC(sizeof(int64_t) * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + (uint64_t)a[0] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[8] + (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[9] + (uint64_t)a[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + (uint64_t)a[0] - (uint64_t)a[2] + (uint64_t)a[3] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[10] - (uint64_t)a[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[3] + (uint64_t)a[4] + (uint64_t)a[8] + 2 * (uint64_t)a[9] + (uint64_t)a[10] -  2 * (uint64_t)a[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[4] + (uint64_t)a[5] + (uint64_t)a[9] + 2 * (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + (uint64_t)a[2] + (uint64_t)a[3] - (uint64_t)a[5] + (uint64_t)a[6] + (uint64_t)a[10] + 2 * (uint64_t)a[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + (uint64_t)a[3] + (uint64_t)a[4] - (uint64_t)a[6] + (uint64_t)a[7] + (uint64_t)a[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + (uint64_t)a[4] + (uint64_t)a[5] - (uint64_t)a[7] + (uint64_t)a[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + (uint64_t)a[5] + (uint64_t)a[6] - (uint64_t)a[8] + (uint64_t)a[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + (uint64_t)a[6] + (uint64_t)a[7] - (uint64_t)a[9] + (uint64_t)a[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + (uint64_t)a[7] + (uint64_t)a[8] - (uint64_t)a[10] + (uint64_t)a[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = t[0];
+        r[1] = t[1];
+        r[2] = t[2];
+        r[3] = t[3];
+        r[4] = t[4];
+        r[5] = t[5];
+        r[6] = t[6];
+        r[7] = t[7];
+        r[8] = t[8];
+        r[9] = t[9];
+        r[10] = t[10];
+        r[11] = t[11];
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_12(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 12, pm->x);
+    sp_384_from_mp(p->y, 12, pm->y);
+    sp_384_from_mp(p->z, 12, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 12);
+        r->used = 12;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_12(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[12 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r10, %[b]\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r9\n\t"
+        "mov	r12, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	%[b], r8\n\t"
+        "sub	%[b], %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	%[b], r10\n\t"
+        "\n2:\n\t"
+        "# Multiply Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [%[b]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply Done\n\t"
+        "add	%[a], #4\n\t"
+        "sub	%[b], #4\n\t"
+        "cmp	%[a], r12\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r8\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	%[b], r10\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_384_cond_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #48\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "sbc	r5, r6\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+#define sp_384_mont_reduce_order_12   sp_384_mont_reduce_12
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_384_mont_reduce_12(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r8, %[mp]\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	r14, %[m]\n\t"
+        "mov	r9, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "# i = 0\n\t"
+        "mov	r11, r4\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "mov	%[ca], #0\n\t"
+        "# mu = a[i] * mp\n\t"
+        "mov	%[mp], r8\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mul	%[mp], %[a]\n\t"
+        "mov	%[m], r14\n\t"
+        "mov	r10, r9\n\t"
+        "\n2:\n\t"
+        "# a[i+j] += m[j] * mu\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "# Multiply m[j] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	%[a], r7\n\t"
+        "adc	r5, %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	%[a], r6\n\t"
+        "adc	r5, r7\n\t"
+        "# Multiply m[j] and mu - Done\n\t"
+        "add	r4, %[a]\n\t"
+        "adc	r5, %[ca]\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r4, [%[a]]\n\t"
+        "mov	r6, #4\n\t"
+        "add	%[m], #4\n\t"
+        "add	r10, r6\n\t"
+        "mov	r4, #44\n\t"
+        "add	r4, r9\n\t"
+        "cmp	r10, r4\n\t"
+        "blt	2b\n\t"
+        "# a[i+11] += m[11] * mu\n\t"
+        "mov	%[ca], #0\n\t"
+        "mov	r4, r12\n\t"
+        "mov	%[a], #0\n\t"
+        "# Multiply m[11] and mu - Start\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r6, %[mp], #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r5, r7\n\t"
+        "adc	r4, %[ca]\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsr	r6, %[mp], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "ldr	r7, [%[m]]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r5, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	%[a], %[ca]\n\t"
+        "# Multiply m[11] and mu - Done\n\t"
+        "mov	%[ca], %[a]\n\t"
+        "mov	%[a], r10\n\t"
+        "ldr	r7, [%[a], #4]\n\t"
+        "ldr	%[a], [%[a]]\n\t"
+        "mov	r6, #0\n\t"
+        "add	r5, %[a]\n\t"
+        "adc	r7, r4\n\t"
+        "adc	%[ca], r6\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r5, [%[a]]\n\t"
+        "str	r7, [%[a], #4]\n\t"
+        "# i += 1\n\t"
+        "mov	r6, #4\n\t"
+        "add	r9, r6\n\t"
+        "add	r11, r6\n\t"
+        "mov	r12, %[ca]\n\t"
+        "mov	%[a], r9\n\t"
+        "mov	r4, #48\n\t"
+        "cmp	r11, r4\n\t"
+        "blt	1b\n\t"
+        "mov	%[m], r14\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_384_cond_sub_12(a - 12, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r8, r3\n\t"
+        "mov	r11, %[r]\n\t"
+        "mov	r6, #96\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, r6\n\t"
+        "mov	r10, sp\n\t"
+        "mov	r9, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r8\n\t"
+        "sub	%[a], r6\n\t"
+        "sbc	r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], r6\n\t"
+        "mov	r2, r8\n\t"
+        "sub	r2, %[a]\n\t"
+        "add	%[a], r9\n\t"
+        "add	r2, r9\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        "# Multiply * 2: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r7, [r2]\n\t"
+        "lsl	r7, r7, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Multiply * 2: Done\n\t"
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        "# Square: Start\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r6\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "mul	r7, r7\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #15\n\t"
+        "lsl	r6, r6, #17\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# Square: Done\n\t"
+        "\n5:\n\t"
+        "add	%[a], #4\n\t"
+        "sub	r2, #4\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r9\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r7, r8\n\t"
+        "add	r7, r9\n\t"
+        "cmp	%[a], r7\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r10\n\t"
+        "mov	r7, r8\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r7, #4\n\t"
+        "mov	r8, r7\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r7, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r9\n\t"
+        "str	r3, [%[r], r7]\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	r3, #92\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "sub	r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #96\n\t"
+        "add	sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_12(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_12(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_12(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_12(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint32_t p384_mod_minus_2[12] = {
+    0xfffffffdU,0x00000000U,0x00000000U,0xffffffffU,0xfffffffeU,0xffffffffU,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_12(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_12(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_384_mont_mul_12(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    sp_digit* t4 = td + 6 * 12;
+    sp_digit* t5 = td + 8 * 12;
+
+    /* 0x2 */
+    sp_384_mont_sqr_12(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_12(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_12(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_12(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_12(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_12(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_12(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_12(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_12(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_12(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_12(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_12(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_12(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_12(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_12(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_12(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_384_cmp_12(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #44\n\t"
+        "1:\n\t"
+        "ldr	r7, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r7, r3\n\t"
+        "and	r5, r3\n\t"
+        "mov	r4, r7\n\t"
+        "sub	r7, r5\n\t"
+        "sbc	r7, r7\n\t"
+        "add	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r5, r4\n\t"
+        "sbc	r7, r7\n\t"
+        "sub	%[r], r7\n\t"
+        "mvn	r7, r7\n\t"
+        "and	r3, r7\n\t"
+        "sub	r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_384_norm_12(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    int32_t n;
+
+    sp_384_mont_inv_12(t1, p->z, t + 2*12);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_12(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 12, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_12(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_12(r->x, p384_mod);
+    sp_384_cond_sub_12(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_12(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 12, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_12(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_12(r->y, p384_mod);
+    sp_384_cond_sub_12(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r7, #0\n\t"
+        "add	r6, #48\n\t"
+        "sub	r7, #1\n\t"
+        "\n1:\n\t"
+        "add	%[c], r7\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "add	r4, r5\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #4]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #12]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #20]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #28]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #36]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #44]\n\t"
+        "adc	r4, r5\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, b);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_dbl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_tpl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+    o = sp_384_add_12(r, r, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "add	r6, #48\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "sbc	r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #4\n\t"
+        "add	%[b], #4\n\t"
+        "add	%[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r7, [%[b], #4]\n\t"
+        "sub	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #8]\n\t"
+        "ldr	r7, [%[b], #12]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r5, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r7, [%[b], #20]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #24]\n\t"
+        "ldr	r7, [%[b], #28]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r5, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r7, [%[b], #36]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #40]\n\t"
+        "ldr	r7, [%[b], #44]\n\t"
+        "sbc	r4, r6\n\t"
+        "sbc	r5, r7\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_384_cond_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #48\n\t"
+        "mov	r8, r5\n\t"
+        "mov	r7, #0\n\t"
+        "1:\n\t"
+        "ldr	r6, [%[b], r7]\n\t"
+        "and	r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, #1\n\t"
+        "add	r5, %[c]\n\t"
+        "ldr	r5, [%[a], r7]\n\t"
+        "adc	r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c]\n\t"
+        "str	r5, [%[r], r7]\n\t"
+        "add	r7, #4\n\t"
+        "cmp	r7, r8\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r7", "r8"
+    );
+
+    return c;
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_sub_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_sub_12(r, a, b);
+    sp_384_cond_add_12(r, r, m, o);
+}
+
+static void sp_384_rshift1_12(sp_digit* r, sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a]]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_div2_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_cond_add_12(r, a, m, 0 - (a[0] & 1));
+    sp_384_rshift1_12(r, r);
+    r[11] |= o << 31;
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_12(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_12(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_12(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_12(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_12(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_12(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_12(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_12(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_12(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_12(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_12(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_12(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_12(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_12(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_12(y, y, t2, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_12(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9]) | (a[10] ^ b[10]) | (a[11] ^ b[11])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_12(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_12(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_12(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_12(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_12(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_12(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_12(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, x, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, y, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_mul_12(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, y, t5, p384_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_fast_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[16];
+    sp_point_384 rtd;
+    sp_digit tmpd[2 * 12 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_384_mod_mul_norm_12(t[1].x, g->x, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].y, g->y, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].z, g->z, p384_mod);
+        t[1].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_384_proj_point_add_12(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_384_proj_point_add_12(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_384_proj_point_add_12(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 10;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_384));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+
+            sp_384_proj_point_add_12(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 12 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_384_point_free_12(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[12];
+    sp_digit y[12];
+} sp_table_entry_384;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_12(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*12;
+    sp_digit* b = t + 4*12;
+    sp_digit* t1 = t + 6*12;
+    sp_digit* t2 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_12(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_12(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_12(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(t2, b, p384_mod);
+        sp_384_mont_sub_12(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_12(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_12(y, b, x, p384_mod);
+        sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(y, y, p384_mod);
+        sp_384_mont_sub_12(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_12(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_12(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(t2, b, p384_mod);
+    sp_384_mont_sub_12(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_12(y, b, x, p384_mod);
+    sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    sp_384_mont_sub_12(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_12(y, y, p384_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_12(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_12(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_12(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_12(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, t3, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_12(t3, t3, x, p384_mod);
+        sp_384_mont_mul_12(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_12(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 12;
+    sp_digit* tmp = t + 4 * 12;
+
+    sp_384_mont_inv_12(t1, a->z, tmp);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_12(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_384_proj_point_dbl_n_12(t, 96, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=95; j<4; j++,x+=96) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=94; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=96) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_12(t, 48, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+        sp_384_point_from_ecc_point_12(point, gm);
+
+            err = sp_384_ecc_mulmod_12(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_384 p384_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 3 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 4 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 5 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 6 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 7 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 8 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 9 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 10 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 11 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 12 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 13 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 14 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 15 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0x2b0c535b,0x29864753,0x70506296,0x90dd6953,0x216ab9ac,0x038cd6b4,
+        0xbe12d76a,0x3df9b7b7,0x5f347bdb,0x13f4d978,0x13e94489,0x222c5c9c },
+      { 0x2680dc64,0x5f8e796f,0x58352417,0x120e7cb7,0xd10740b8,0x254b5d8a,
+        0x5337dee6,0xc38b8efb,0x94f02247,0xf688c2e1,0x6c25bc4c,0x7b5c75f3 } },
+    /* 3 */
+    { { 0x9edffea5,0xe26a3cc3,0x37d7e9fc,0x35bbfd1c,0x9bde3ef6,0xf0e7700d,
+        0x1a538f5a,0x0380eb47,0x05bf9eb3,0x2e9da8bb,0x1a460c3e,0xdbb93c73 },
+      { 0xf526b605,0x37dba260,0xfd785537,0x95d4978e,0xed72a04a,0x24ed793a,
+        0x76005b1a,0x26948377,0x9e681f82,0x99f557b9,0xd64954ef,0xae5f9557 } },
+    /* 4 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 5 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 6 */
+    { { 0x4fc52870,0x28f9c07a,0x1a53a961,0xce0b3748,0x0e1828d9,0xd550fa18,
+        0x6adb225a,0xa24abaf7,0x6e58a348,0xd11ed0a5,0x948acb62,0xf3d811e6 },
+      { 0x4c61ed22,0x8618dd77,0x80b47c9d,0x0bb747f9,0xde6b8559,0x22bf796f,
+        0x680a21e9,0xfdfd1c6d,0x2af2c9dd,0xc0db1577,0xc1e90f3d,0xa09379e6 } },
+    /* 7 */
+    { { 0xe085c629,0x386c66ef,0x095bc89a,0x5fc2a461,0x203f4b41,0x1353d631,
+        0x7e4bd8f5,0x7ca1972b,0xa7df8ce9,0xb077380a,0xee7e4ea3,0xd8a90389 },
+      { 0xe7b14461,0x1bc74dc7,0x0c9c4f78,0xdc2cb014,0x84ef0a10,0x52b4b3a6,
+        0x20327fe2,0xbde6ea5d,0x660f9615,0xb71ec435,0xb8ad8173,0xeede5a04 } },
+    /* 8 */
+    { { 0x893b9a2d,0x5584cbb3,0x00850c5d,0x820c660b,0x7df2d43d,0x4126d826,
+        0x0109e801,0xdd5bbbf0,0x38172f1c,0x85b92ee3,0xf31430d9,0x609d4f93 },
+      { 0xeadaf9d6,0x1e059a07,0x0f125fb0,0x70e6536c,0x560f20e7,0xd6220751,
+        0x7aaf3a9a,0xa59489ae,0x64bae14e,0x7b70e2f6,0x76d08249,0x0dd03701 } },
+    /* 9 */
+    { { 0x8510521f,0x4cc13be8,0xf724cc17,0x87315ba9,0x353dc263,0xb49d83bb,
+        0x0c279257,0x8b677efe,0xc93c9537,0x510a1c1c,0xa4702c99,0x33e30cd8 },
+      { 0x2208353f,0xf0ffc89d,0xced42b2b,0x0170fa8d,0x26e2a5f5,0x090851ed,
+        0xecb52c96,0x81276455,0x7fe1adf4,0x0646c4e1,0xb0868eab,0x513f047e } },
+    /* 10 */
+    { { 0xdf5bdf53,0xc07611f4,0x58b11a6d,0x45d331a7,0x1c4ee394,0x58965daf,
+        0x5a5878d1,0xba8bebe7,0x82dd3025,0xaecc0a18,0xa923eb8b,0xcf2a3899 },
+      { 0xd24fd048,0xf98c9281,0x8bbb025d,0x841bfb59,0xc9ab9d53,0xb8ddf8ce,
+        0x7fef044e,0x538a4cb6,0x23236662,0x092ac21f,0x0b66f065,0xa919d385 } },
+    /* 11 */
+    { { 0x85d480d8,0x3db03b40,0x1b287a7d,0x8cd9f479,0x4a8f3bae,0x8f24dc75,
+        0x3db41892,0x482eb800,0x9c56e0f5,0x38bf9eb3,0x9a91dc6f,0x8b977320 },
+      { 0x7209cfc2,0xa31b05b2,0x05b2db70,0x4c49bf85,0xd619527b,0x56462498,
+        0x1fac51ba,0x3fe51039,0xab4b8342,0xfb04f55e,0x04c6eabf,0xc07c10dc } },
+    /* 12 */
+    { { 0xdb32f048,0xad22fe4c,0x475ed6df,0x5f23bf91,0xaa66b6cb,0xa50ce0c0,
+        0xf03405c0,0xdf627a89,0xf95e2d6a,0x3674837d,0xba42e64e,0x081c95b6 },
+      { 0xe71d6ceb,0xeba3e036,0x6c6b0271,0xb45bcccf,0x0684701d,0x67b47e63,
+        0xe712523f,0x60f8f942,0x5cd47adc,0x82423472,0x87649cbb,0x83027d79 } },
+    /* 13 */
+    { { 0x3615b0b8,0xb3929ea6,0xa54dac41,0xb41441fd,0xb5b6a368,0x8995d556,
+        0x167ef05e,0xa80d4529,0x6d25a27f,0xf6bcb4a1,0x7bd55b68,0x210d6a4c },
+      { 0x25351130,0xf3804abb,0x903e37eb,0x1d2df699,0x084c25c8,0x5f201efc,
+        0xa1c68e91,0x31a28c87,0x563f62a5,0x81dad253,0xd6c415d4,0x5dd6de70 } },
+    /* 14 */
+    { { 0x846612ce,0x29f470fd,0xda18d997,0x986f3eec,0x2f34af86,0x6b84c161,
+        0x46ddaf8b,0x5ef0a408,0xe49e795f,0x14405a00,0xaa2f7a37,0x5f491b16 },
+      { 0xdb41b38d,0xc7f07ae4,0x18fbfcaa,0xef7d119e,0x14443b19,0x3a18e076,
+        0x79a19926,0x4356841a,0xe2226fbe,0x91f4a91c,0x3cc88721,0xdc77248c } },
+    /* 15 */
+    { { 0xe4b1ec9d,0xd570ff1a,0xe7eef706,0x21d23e0e,0xca19e086,0x3cde40f4,
+        0xcd4bb270,0x7d6523c4,0xbf13aa6c,0x16c1f06c,0xd14c4b60,0x5aa7245a },
+      { 0x44b74de8,0x37f81467,0x620a934e,0x839e7a17,0xde8b1aa1,0xf74d14e8,
+        0xf30d75e2,0x8789fa51,0xc81c261e,0x09b24052,0x33c565ee,0x654e2678 } },
+    /* 16 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 17 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 18 */
+    { { 0x7d8c1bba,0x7ecbac01,0x90b0f3d5,0x6058f9c3,0xf6197d0f,0xaee116e3,
+        0x4033b128,0xc4dd7068,0xc209b983,0xf084dba6,0x831dbc4a,0x97c7c2cf },
+      { 0xf96010e8,0x2f4e61dd,0x529faa17,0xd97e4e20,0x69d37f20,0x4ee66660,
+        0x3d366d72,0xccc139ed,0x13488e0f,0x690b6ee2,0xf3a6d533,0x7cad1dc5 } },
+    /* 19 */
+    { { 0xda57a41f,0x660a9a81,0xec0039b6,0xe74a0412,0x5e1dad15,0x42343c6b,
+        0x46681d4c,0x284f3ff5,0x63749e89,0xb51087f1,0x6f9f2f13,0x070f23cc },
+      { 0x5d186e14,0x542211da,0xfddb0dff,0x84748f37,0xdb1f4180,0x41a3aab4,
+        0xa6402d0e,0x25ed667b,0x02f58355,0x2f2924a9,0xfa44a689,0x5844ee7c } },
+    /* 20 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 21 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 22 */
+    { { 0x104cbba5,0xc023780d,0xfa35dd4c,0x6207e747,0x1ca9b6a3,0x35c23928,
+        0x97987b10,0x4ff19be8,0x8022eee8,0xb8476bbf,0xd3bbe74d,0xaa0a4a14 },
+      { 0x187d4543,0x20f94331,0x79f6e066,0x32153870,0xac7e82e1,0x83b0f74e,
+        0x828f06ab,0xa7748ba2,0xc26ef35f,0xc5f0298a,0x8e9a7dbd,0x0f0c5070 } },
+    /* 23 */
+    { { 0xdef029dd,0x0c5c244c,0x850661b8,0x3dabc687,0xfe11d981,0x9992b865,
+        0x6274dbad,0xe9801b8f,0x098da242,0xe54e6319,0x91a53d08,0x9929a91a },
+      { 0x35285887,0x37bffd72,0xf1418102,0xbc759425,0xfd2e6e20,0x9280cc35,
+        0xfbc42ee5,0x735c600c,0x8837619a,0xb7ad2864,0xa778c57b,0xa3627231 } },
+    /* 24 */
+    { { 0x91361ed8,0xae799b5c,0x6c63366c,0x47d71b75,0x1b265a6a,0x54cdd521,
+        0x98d77b74,0xe0215a59,0xbab29db0,0x4424d9b7,0x7fd9e536,0x8b0ffacc },
+      { 0x37b5d9ef,0x46d85d12,0xbfa91747,0x5b106d62,0x5f99ba2d,0xed0479f8,
+        0x1d104de4,0x0e6f3923,0x25e8983f,0x83a84c84,0xf8105a70,0xa9507e0a } },
+    /* 25 */
+    { { 0x14cf381c,0xf6c68a6e,0xc22e31cc,0xaf9d27bd,0xaa8a5ccb,0x23568d4d,
+        0xe338e4d2,0xe431eec0,0x8f52ad1f,0xf1a828fe,0xe86acd80,0xdb6a0579 },
+      { 0x4507832a,0x2885672e,0x887e5289,0x73fc275f,0x05610d08,0x65f80278,
+        0x075ff5b0,0x8d9b4554,0x09f712b5,0x3a8e8fb1,0x2ebe9cf2,0x39f0ac86 } },
+    /* 26 */
+    { { 0x4c52edf5,0xd8fabf78,0xa589ae53,0xdcd737e5,0xd791ab17,0x94918bf0,
+        0xbcff06c9,0xb5fbd956,0xdca46d45,0xf6d3032e,0x41a3e486,0x2cdff7e1 },
+      { 0x61f47ec8,0x6674b3ba,0xeef84608,0x8a882163,0x4c687f90,0xa257c705,
+        0xf6cdf227,0xe30cb2ed,0x7f6ea846,0x2c4c64ca,0xcc6bcd3c,0x186fa17c } },
+    /* 27 */
+    { { 0x1dfcb91e,0x48a3f536,0x646d358a,0x83595e13,0x91128798,0xbd15827b,
+        0x2187757a,0x3ce612b8,0x61bd7372,0x873150a1,0xb662f568,0xf4684530 },
+      { 0x401896f6,0x8833950b,0x77f3e090,0xe11cb89a,0x48e7f4a5,0xb2f12cac,
+        0xf606677e,0x313dd769,0x16579f93,0xfdcf08b3,0x46b8f22b,0x6429cec9 } },
+    /* 28 */
+    { { 0xbb75f9a4,0x4984dd54,0x29d3b570,0x4aef06b9,0x3d6e4c1e,0xb5f84ca2,
+        0xb083ef35,0x24c61c11,0x392ca9ff,0xce4a7392,0x6730a800,0x865d6517 },
+      { 0x722b4a2b,0xca3dfe76,0x7b083e0e,0x12c04bf9,0x1b86b8a5,0x803ce5b5,
+        0x6a7e3e0c,0x3fc7632d,0xc81adbe4,0xc89970c2,0x120e16b1,0x3cbcd3ad } },
+    /* 29 */
+    { { 0xec30ce93,0xfbfb4cc7,0xb72720a2,0x10ed6c7d,0x47b55500,0xec675bf7,
+        0x333ff7c3,0x90725903,0x5075bfc0,0xc7c3973e,0x07acf31b,0xb049ecb0 },
+      { 0x4f58839c,0xb4076eaf,0xa2b05e4f,0x101896da,0xab40c66e,0x3f6033b0,
+        0xc8d864ba,0x19ee9eeb,0x47bf6d2a,0xeb6cf155,0xf826477d,0x8e5a9663 } },
+    /* 30 */
+    { { 0xf7fbd5e1,0x69e62fdd,0x76912b1d,0x38ecfe54,0xd1da3bfb,0x845a3d56,
+        0x1c86f0d4,0x0494950e,0x3bc36ce8,0x83cadbf9,0x4fccc8d1,0x41fce572 },
+      { 0x8332c144,0x05f939c2,0x0871e46e,0xb17f248b,0x66e8aff6,0x3d8534e2,
+        0x3b85c629,0x1d06f1dc,0xa3131b73,0xdb06a32e,0x8b3f64e5,0xf295184d } },
+    /* 31 */
+    { { 0x36ddc103,0xd9653ff7,0x95ef606f,0x25f43e37,0xfe06dce8,0x09e301fc,
+        0x30b6eebf,0x85af2341,0x0ff56b20,0x79b12b53,0xfe9a3c6b,0x9b4fb499 },
+      { 0x51d27ac2,0x0154f892,0x56ca5389,0xd33167e3,0xafc065a6,0x7828ec1f,
+        0x7f746c9b,0x0959a258,0x0c44f837,0xb18f1be3,0xc4132fdb,0xa7946117 } },
+    /* 32 */
+    { { 0x5e3c647b,0xc0426b77,0x8cf05348,0xbfcbd939,0x172c0d3d,0x31d312e3,
+        0xee754737,0x5f49fde6,0x6da7ee61,0x895530f0,0xe8b3a5fb,0xcf281b0a },
+      { 0x41b8a543,0xfd149735,0x3080dd30,0x41a625a7,0x653908cf,0xe2baae07,
+        0xba02a278,0xc3d01436,0x7b21b8f8,0xa0d0222e,0xd7ec1297,0xfdc270e9 } },
+    /* 33 */
+    { { 0xbc7f41d6,0x00873c0c,0x1b7ad641,0xd976113e,0x238443fb,0x2a536ff4,
+        0x41e62e45,0x030d00e2,0x5f545fc6,0x532e9867,0x8e91208c,0xcd033108 },
+      { 0x9797612c,0xd1a04c99,0xeea674e2,0xd4393e02,0xe19742a1,0xd56fa69e,
+        0x85f0590e,0xdd2ab480,0x48a2243d,0xa5cefc52,0x54383f41,0x48cc67b6 } },
+    /* 34 */
+    { { 0xfc14ab48,0x4e50430e,0x26706a74,0x195b7f4f,0xcc881ff6,0x2fe8a228,
+        0xd945013d,0xb1b968e2,0x4b92162b,0x936aa579,0x364e754a,0x4fb766b7 },
+      { 0x31e1ff7f,0x13f93bca,0xce4f2691,0x696eb5ca,0xa2b09e02,0xff754bf8,
+        0xe58e3ff8,0x58f13c9c,0x1678c0b0,0xb757346f,0xa86692b3,0xd54200db } },
+    /* 35 */
+    { { 0x6dda1265,0x9a030bbd,0xe89718dd,0xf7b4f3fc,0x936065b8,0xa6a4931f,
+        0x5f72241c,0xbce72d87,0x65775857,0x6cbb51cb,0x4e993675,0xc7161815 },
+      { 0x2ee32189,0xe81a0f79,0x277dc0b2,0xef2fab26,0xb71f469f,0x9e64f6fe,
+        0xdfdaf859,0xb448ce33,0xbe6b5df1,0x3f5c1c4c,0x1de45f7b,0xfb8dfb00 } },
+    /* 36 */
+    { { 0x4d5bb921,0xc7345fa7,0x4d2b667e,0x5c7e04be,0x282d7a3e,0x47ed3a80,
+        0x7e47b2a4,0x5c2777f8,0x08488e2e,0x89b3b100,0xb2eb5b45,0x9aad77c2 },
+      { 0xdaac34ae,0xd681bca7,0x26afb326,0x2452e4e5,0x41a1ee14,0x0c887924,
+        0xc2407ade,0x743b04d4,0xfc17a2ac,0xcb5e999b,0x4a701a06,0x4dca2f82 } },
+    /* 37 */
+    { { 0x1127bc1a,0x68e31ca6,0x17ead3be,0xa3edd59b,0xe25f5a15,0x67b6b645,
+        0xa420e15e,0x76221794,0x4b1e872e,0x794fd83b,0xb2dece1b,0x7cab3f03 },
+      { 0xca9b3586,0x7119bf15,0x4d250bd7,0xa5545924,0xcc6bcf24,0x173633ea,
+        0xb1b6f884,0x9bd308c2,0x447d38c3,0x3bae06f5,0xf341fe1c,0x54dcc135 } },
+    /* 38 */
+    { { 0x943caf0d,0x56d3598d,0x225ff133,0xce044ea9,0x563fadea,0x9edf6a7c,
+        0x73e8dc27,0x632eb944,0x3190dcab,0x814b467e,0x6dbb1e31,0x2d4f4f31 },
+      { 0xa143b7ca,0x8d69811c,0xde7cf950,0x4ec1ac32,0x37b5fe82,0x223ab5fd,
+        0x9390f1d9,0xe82616e4,0x75804610,0xabff4b20,0x875b08f0,0x11b9be15 } },
+    /* 39 */
+    { { 0x3bbe682c,0x4ae31a3d,0x74eef2dd,0xbc7c5d26,0x3c47dd40,0x92afd10a,
+        0xc14ab9e1,0xec7e0a3b,0xb2e495e4,0x6a6c3dd1,0x309bcd85,0x085ee5e9 },
+      { 0x8c2e67fd,0xf381a908,0xe261eaf2,0x32083a80,0x96deee15,0x0fcd6a49,
+        0x5e524c79,0xe3b8fb03,0x1d5b08b9,0x8dc360d9,0x7f26719f,0x3a06e2c8 } },
+    /* 40 */
+    { { 0x7237cac0,0x5cd9f5a8,0x43586794,0x93f0b59d,0xe94f6c4e,0x4384a764,
+        0xb62782d3,0x8304ed2b,0xcde06015,0x0b8db8b3,0x5dbe190f,0x4336dd53 },
+      { 0x92ab473a,0x57443553,0xbe5ed046,0x031c7275,0x21909aa4,0x3e78678c,
+        0x99202ddb,0x4ab7e04f,0x6977e635,0x2648d206,0x093198be,0xd427d184 } },
+    /* 41 */
+    { { 0x0f9b5a31,0x822848f5,0xbaadb62a,0xbb003468,0x3357559c,0x233a0472,
+        0x79aee843,0x49ef6880,0xaeb9e1e3,0xa89867a0,0x1f6f9a55,0xc151931b },
+      { 0xad74251e,0xd264eb0b,0x4abf295e,0x37b9b263,0x04960d10,0xb600921b,
+        0x4da77dc0,0x0de53dbc,0xd2b18697,0x01d9bab3,0xf7156ddf,0xad54ec7a } },
+    /* 42 */
+    { { 0x79efdc58,0x8e74dc35,0x4ff68ddb,0x456bd369,0xd32096a5,0x724e74cc,
+        0x386783d0,0xe41cff42,0x7c70d8a4,0xa04c7f21,0xe61a19a2,0x41199d2f },
+      { 0x29c05dd2,0xd389a3e0,0xe7e3fda9,0x535f2a6b,0x7c2b4df8,0x26ecf72d,
+        0xfe745294,0x678275f4,0x9d23f519,0x6319c9cc,0x88048fc4,0x1e05a02d } },
+    /* 43 */
+    { { 0xd4d5ffe8,0x75cc8e2e,0xdbea17f2,0xf8bb4896,0xcee3cb4a,0x35059790,
+        0xa47c6165,0x4c06ee85,0x92935d2f,0xf98fff25,0x32ffd7c7,0x34c4a572 },
+      { 0xea0376a2,0xc4b14806,0x4f115e02,0x2ea5e750,0x1e55d7c0,0x532d76e2,
+        0xf31044da,0x68dc9411,0x71b77993,0x9272e465,0x93a8cfd5,0xadaa38bb } },
+    /* 44 */
+    { { 0x7d4ed72a,0x4bf0c712,0xba1f79a3,0xda0e9264,0xf4c39ea4,0x48c0258b,
+        0x2a715138,0xa5394ed8,0xbf06c660,0x4af511ce,0xec5c37cd,0xfcebceef },
+      { 0x779ae8c1,0xf23b75aa,0xad1e606e,0xdeff59cc,0x22755c82,0xf3f526fd,
+        0xbb32cefd,0x64c5ab44,0x915bdefd,0xa96e11a2,0x1143813e,0xab19746a } },
+    /* 45 */
+    { { 0xec837d7d,0x43c78585,0xb8ee0ba4,0xca5b6fbc,0xd5dbb5ee,0x34e924d9,
+        0xbb4f1ca5,0x3f4fa104,0x398640f7,0x15458b72,0xd7f407ea,0x4231faa9 },
+      { 0xf96e6896,0x53e0661e,0xd03b0f9d,0x554e4c69,0x9c7858d1,0xd4fcb07b,
+        0x52cb04fa,0x7e952793,0x8974e7f7,0x5f5f1574,0x6b6d57c8,0x2e3fa558 } },
+    /* 46 */
+    { { 0x6a9951a8,0x42cd4803,0x42792ad0,0xa8b15b88,0xabb29a73,0x18e8bcf9,
+        0x409933e8,0xbfd9a092,0xefb88dc4,0x760a3594,0x40724458,0x14418863 },
+      { 0x99caedc7,0x162a56ee,0x91d101c9,0x8fb12ecd,0x393202da,0xea671967,
+        0xa4ccd796,0x1aac8c4a,0x1cf185a8,0x7db05036,0x8cfd095a,0x0c9f86cd } },
+    /* 47 */
+    { { 0x10b2a556,0x9a728147,0x327b70b2,0x767ca964,0x5e3799b7,0x04ed9e12,
+        0x22a3eb2a,0x6781d2dc,0x0d9450ac,0x5bd116eb,0xa7ebe08a,0xeccac1fc },
+      { 0xdc2d6e94,0xde68444f,0x35ecf21b,0x3621f429,0x29e03a2c,0x14e2d543,
+        0x7d3e7f0a,0x53e42cd5,0x73ed00b9,0xbba26c09,0xc57d2272,0x00297c39 } },
+    /* 48 */
+    { { 0xb8243a7d,0x3aaaab10,0x8fa58c5b,0x6eeef93e,0x9ae7f764,0xf866fca3,
+        0x61ab04d3,0x64105a26,0x03945d66,0xa3578d8a,0x791b848c,0xb08cd3e4 },
+      { 0x756d2411,0x45edc5f8,0xa755128c,0xd4a790d9,0x49e5f6a0,0xc2cf0963,
+        0xf649beaa,0xc66d267d,0x8467039e,0x3ce6d968,0x42f7816f,0x50046c6b } },
+    /* 49 */
+    { { 0x66425043,0x92ae1602,0xf08db890,0x1ff66afd,0x8f162ce5,0x386f5a7f,
+        0xfcf5598f,0x18d2dea0,0x1a8ca18e,0x78372b3a,0x8cd0e6f7,0xdf0d20eb },
+      { 0x75bb4045,0x7edd5e1d,0xb96d94b7,0x252a47ce,0x2c626776,0xbdb29358,
+        0x40dd1031,0x853c3943,0x7d5f47fd,0x9dc9becf,0xbae4044a,0x27c2302f } },
+    /* 50 */
+    { { 0x8f2d49ce,0x2d1d208a,0x162df0a2,0x0d91aa02,0x09a07f65,0x9c5cce87,
+        0x84339012,0xdf07238b,0x419442cd,0x5028e2c8,0x72062aba,0x2dcbd358 },
+      { 0xe4680967,0xb5fbc3cb,0x9f92d72c,0x2a7bc645,0x116c369d,0x806c76e1,
+        0x3177e8d8,0x5c50677a,0x4569df57,0x753739eb,0x36c3f40b,0x2d481ef6 } },
+    /* 51 */
+    { { 0xfea1103e,0x1a2d39fd,0x95f81b17,0xeaae5592,0xf59b264a,0xdbd0aa18,
+        0xcb592ee0,0x90c39c1a,0x9750cca3,0xdf62f80d,0xdf97cc6c,0xda4d8283 },
+      { 0x1e201067,0x0a6dd346,0x69fb1f6b,0x1531f859,0x1d60121f,0x4895e552,
+        0x4c041c91,0x0b21aab0,0xbcc1ccf8,0x9d896c46,0x3141bde7,0xd24da3b3 } },
+    /* 52 */
+    { { 0x53b0a354,0x575a0537,0x0c6ddcd8,0x392ff2f4,0x56157b94,0x0b8e8cff,
+        0x3b1b80d1,0x073e57bd,0x3fedee15,0x2a75e0f0,0xaa8e6f19,0x752380e4 },
+      { 0x6558ffe9,0x1f4e227c,0x19ec5415,0x3a348618,0xf7997085,0xab382d5e,
+        0xddc46ac2,0x5e6deaff,0xfc8d094c,0xe5144078,0xf60e37c6,0xf674fe51 } },
+    /* 53 */
+    { { 0xaf63408f,0x6fb87ae5,0xcd75a737,0xa39c36a9,0xcf4c618d,0x7833313f,
+        0xf034c88d,0xfbcd4482,0x39b35288,0x4469a761,0x66b5d9c9,0x77a711c5 },
+      { 0x944f8d65,0x4a695dc7,0x161aaba8,0xe6da5f65,0x24601669,0x8654e9c3,
+        0x28ae7491,0xbc8b93f5,0x8f5580d8,0x5f1d1e83,0xcea32cc8,0x8ccf9a1a } },
+    /* 54 */
+    { { 0x7196fee2,0x28ab110c,0x874c8945,0x75799d63,0x29aedadd,0xa2629348,
+        0x2be88ff4,0x9714cc7b,0xd58d60d6,0xf71293cf,0x32a564e9,0xda6b6cb3 },
+      { 0x3dd821c2,0xf43fddb1,0x90dd323d,0xf2f2785f,0x048489f8,0x91246419,
+        0xd24c6749,0x61660f26,0xc803c15c,0x961d9e8c,0xfaadc4c9,0x631c6158 } },
+    /* 55 */
+    { { 0xfd752366,0xacf2ebe0,0x139be88b,0xb93c340e,0x0f20179e,0x98f66485,
+        0xff1da785,0x14820254,0x4f85c16e,0x5278e276,0x7aab1913,0xa246ee45 },
+      { 0x53763b33,0x43861eb4,0x45c0bc0d,0xc49f03fc,0xad6b1ea1,0xafff16bc,
+        0x6fd49c99,0xce33908b,0xf7fde8c3,0x5c51e9bf,0xff142c5e,0x076a7a39 } },
+    /* 56 */
+    { { 0x9e338d10,0x04639dfe,0xf42b411b,0x8ee6996f,0xa875cef2,0x960461d1,
+        0x95b4d0ba,0x1057b6d6,0xa906e0bc,0x27639252,0xe1c20f8a,0x2c19f09a },
+      { 0xeef4c43d,0x5b8fc3f0,0x07a84aa9,0xe2e1b1a8,0x835d2bdb,0x5f455528,
+        0x207132dd,0x0f4aee4d,0x3907f675,0xe9f8338c,0x0e0531f0,0x7a874dc9 } },
+    /* 57 */
+    { { 0x97c27050,0x84b22d45,0x59e70bf8,0xbd0b8df7,0x79738b9b,0xb4d67405,
+        0xcd917c4f,0x47f4d5f5,0x13ce6e33,0x9099c4ce,0x521d0f8b,0x942bfd39 },
+      { 0xa43b566d,0x5028f0f6,0x21bff7de,0xaf6e8669,0xc44232cd,0x83f6f856,
+        0xf915069a,0x65680579,0xecfecb85,0xd12095a2,0xdb01ba16,0xcf7f06ae } },
+    /* 58 */
+    { { 0x8ef96c80,0x0f56e3c4,0x3ddb609c,0xd521f2b3,0x7dc1450d,0x2be94102,
+        0x02a91fe2,0x2d21a071,0x1efa37de,0x2e6f74fa,0x156c28a1,0x9a9a90b8 },
+      { 0x9dc7dfcb,0xc54ea9ea,0x2c2c1d62,0xc74e66fc,0x49d3e067,0x9f23f967,
+        0x54dd38ad,0x1c7c3a46,0x5946cee3,0xc7005884,0x45cc045d,0x89856368 } },
+    /* 59 */
+    { { 0xfce73946,0x29da7cd4,0x23168563,0x8f697db5,0xcba92ec6,0x8e235e9c,
+        0x9f91d3ea,0x55d4655f,0xaa50a6cd,0xf3689f23,0x21e6a1a0,0xdcf21c26 },
+      { 0x61b818bf,0xcffbc82e,0xda47a243,0xc74a2f96,0x8bc1a0cf,0x234e980a,
+        0x7929cb6d,0xf35fd6b5,0xefe17d6c,0x81468e12,0x58b2dafb,0xddea6ae5 } },
+    /* 60 */
+    { { 0x7e787b2e,0x294de887,0x39a9310d,0x258acc1f,0xac14265d,0x92d9714a,
+        0x708b48a0,0x18b5591c,0xe1abbf71,0x27cc6bb0,0x568307b9,0xc0581fa3 },
+      { 0xf24d4d58,0x9e0f58a3,0xe0ce2327,0xfebe9bb8,0x9d1be702,0x91fd6a41,
+        0xfacac993,0x9a7d8a45,0x9e50d66d,0xabc0a08c,0x06498201,0x02c342f7 } },
+    /* 61 */
+    { { 0x157bdbc2,0xccd71407,0xad0e1605,0x72fa89c6,0xb92a015f,0xb1d3da2b,
+        0xa0a3fe56,0x8ad9e7cd,0x24f06737,0x160edcbd,0x61275be6,0x79d4db33 },
+      { 0x5f3497c4,0xd3d31fd9,0x04192fb0,0x8cafeaee,0x13a50af3,0xe13ca745,
+        0x8c85aae5,0x18826167,0x9eb556ff,0xce06cea8,0xbdb549f3,0x2eef1995 } },
+    /* 62 */
+    { { 0x50596edc,0x8ed7d3eb,0x905243a2,0xaa359362,0xa4b6d02b,0xa212c2c2,
+        0xc4fbec68,0x611fd727,0xb84f733d,0x8a0b8ff7,0x5f0daf0e,0xd85a6b90 },
+      { 0xd4091cf7,0x60e899f5,0x2eff2768,0x4fef2b67,0x10c33964,0xc1f195cb,
+        0x93626a8f,0x8275d369,0x0d6c840a,0xc77904f4,0x7a868acd,0x88d8b7fd } },
+    /* 63 */
+    { { 0x7bd98425,0x85f23723,0xc70b154e,0xd4463992,0x96687a2e,0xcbb00ee2,
+        0xc83214fd,0x905fdbf7,0x13593684,0x2019d293,0xef51218e,0x0428c393 },
+      { 0x981e909a,0x40c7623f,0x7be192da,0x92513385,0x4010907e,0x48fe480f,
+        0x3120b459,0xdd7a187c,0xa1fd8f3c,0xc9d7702d,0xe358efc5,0x66e4753b } },
+    /* 64 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 65 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 66 */
+    { { 0xc6a2123f,0xb1a358f5,0xfe28df6d,0x927b2d95,0xf199d2f9,0x89702753,
+        0x1a3f82dc,0x0a73754c,0x777affe1,0x063d029d,0xdae6d34d,0x5439817e },
+      { 0x6b8b83c4,0xf7979eef,0x9d945682,0x615cb214,0xc5e57eae,0x8f0e4fac,
+        0x113047dd,0x042b89b8,0x93f36508,0x888356dc,0x5fd1f32f,0xbf008d18 } },
+    /* 67 */
+    { { 0x4e8068db,0x8012aa24,0xa5729a47,0xc72cc641,0x43f0691d,0x3c33df2c,
+        0x1d92145f,0xfa057347,0xb97f7946,0xaefc0f2f,0x2f8121bf,0x813d75cb },
+      { 0x4383bba6,0x05613c72,0xa4224b3f,0xa924ce70,0x5f2179a6,0xe59cecbe,
+        0x79f62b61,0x78e2e8aa,0x53ad8079,0x3ac2cc3b,0xd8f4fa96,0x55518d71 } },
+    /* 68 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 69 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 70 */
+    { { 0xb0ab9645,0xb5e405d3,0xd5f1f711,0xaeec7f98,0x585c2a6e,0x8ad42311,
+        0x512c6944,0x045acb9e,0xa90db1c6,0xae106c4e,0x898e6563,0xb89f33d5 },
+      { 0x7fed2ce4,0x43b07cd9,0xdd815b20,0xf9934e17,0x0a81a349,0x6778d4d5,
+        0x52918061,0x9e616ade,0xd7e67112,0xfa06db06,0x88488091,0x1da23cf1 } },
+    /* 71 */
+    { { 0x42f2c4b5,0x821c46b3,0x66059e47,0x931513ef,0x66f50cd1,0x7030ae43,
+        0x43e7b127,0x43b536c9,0x5fca5360,0x006258cf,0x6b557abf,0xe4e3ee79 },
+      { 0x24c8b22f,0xbb6b3900,0xfcbf1054,0x2eb5e2c1,0x567492af,0x937b18c9,
+        0xacf53957,0xf09432e4,0x1dbf3a56,0x585f5a9d,0xbe0887cf,0xf86751fd } },
+    /* 72 */
+    { { 0x9d10e0b2,0x157399cb,0x60dc51b7,0x1c0d5956,0x1f583090,0x1d496b8a,
+        0x88590484,0x6658bc26,0x03213f28,0x88c08ab7,0x7ae58de4,0x8d2e0f73 },
+      { 0x486cfee6,0x9b79bc95,0xe9e5bc57,0x036a26c7,0xcd8ae97a,0x1ad03601,
+        0xff3a0494,0x06907f87,0x2c7eb584,0x078f4bbf,0x7e8d0a5a,0xe3731bf5 } },
+    /* 73 */
+    { { 0xe1cd0abe,0x72f2282b,0x87efefa2,0xd4f9015e,0x6c3834bd,0x9d189806,
+        0xb8a29ced,0x9c8cdcc1,0xfee82ebc,0x0601b9f4,0x7206a756,0x371052bc },
+      { 0x46f32562,0x76fa1092,0x17351bb4,0xdaad534c,0xb3636bb5,0xc3d64c37,
+        0x45d54e00,0x038a8c51,0x32c09e7c,0x301e6180,0x95735151,0x9764eae7 } },
+    /* 74 */
+    { { 0xcbd5256a,0x8791b19f,0x6ca13a3b,0x4007e0f2,0x4cf06904,0x03b79460,
+        0xb6c17589,0xb18a9c22,0x81d45908,0xa1cb7d7d,0x21bb68f1,0x6e13fa9d },
+      { 0xa71e6e16,0x47183c62,0xe18749ed,0x5cf0ef8e,0x2e5ed409,0x2c9c7f9b,
+        0xe6e117e1,0x042eeacc,0x13fb5a7f,0xb86d4816,0xc9e5feb1,0xea1cf0ed } },
+    /* 75 */
+    { { 0xcea4cc9b,0x6e6573c9,0xafcec8f3,0x5417961d,0xa438b6f6,0x804bf02a,
+        0xdcd4ea88,0xb894b03c,0x3799571f,0xd0f807e9,0x862156e8,0x3466a7f5 },
+      { 0x56515664,0x51e59acd,0xa3c5eb0b,0x55b0f93c,0x6a4279db,0x84a06b02,
+        0xc5fae08e,0x5c850579,0xa663a1a2,0xcf07b8db,0xf46ffc8d,0x49a36bbc } },
+    /* 76 */
+    { { 0x46d93106,0xe47f5acc,0xaa897c9c,0x65b7ade0,0x12d7e4be,0x37cf4c94,
+        0xd4b2caa9,0xa2ae9b80,0xe60357a3,0x5e7ce09c,0xc8ecd5f9,0x29f77667 },
+      { 0xa8a0b1c5,0xdf6868f5,0x62978ad8,0x240858cf,0xdc0002a1,0x0f7ac101,
+        0xffe9aa05,0x1d28a9d7,0x5b962c97,0x744984d6,0x3d28c8b2,0xa8a7c00b } },
+    /* 77 */
+    { { 0xae11a338,0x7c58a852,0xd1af96e7,0xa78613f1,0x5355cc73,0x7e9767d2,
+        0x792a2de6,0x6ba37009,0x124386b2,0x7d60f618,0x11157674,0xab09b531 },
+      { 0x98eb9dd0,0x95a04841,0x15070328,0xe6c17acc,0x489c6e49,0xafc6da45,
+        0xbb211530,0xab45a60a,0x7d7ea933,0xc58d6592,0x095642c6,0xa3ef3c65 } },
+    /* 78 */
+    { { 0xdf010879,0x89d420e9,0x39576179,0x9d25255d,0xe39513b6,0x9cdefd50,
+        0xd5d1c313,0xe4efe45b,0x3f7af771,0xc0149de7,0x340ab06b,0x55a6b4f4 },
+      { 0xebeaf771,0xf1325251,0x878d4288,0x2ab44128,0x18e05afe,0xfcd5832e,
+        0xcc1fb62b,0xef52a348,0xc1c4792a,0x2bd08274,0x877c6dc7,0x345c5846 } },
+    /* 79 */
+    { { 0xbea65e90,0xde15ceb0,0x2416d99c,0x0987f72b,0xfd863dec,0x44db578d,
+        0xac6a3578,0xf617b74b,0xdb48e999,0x9e62bd7a,0xeab1a1be,0x877cae61 },
+      { 0x3a358610,0x23adddaa,0x325e2b07,0x2fc4d6d1,0x1585754e,0x897198f5,
+        0xb392b584,0xf741852c,0xb55f7de1,0x9927804c,0x1aa8efae,0xe9e6c4ed } },
+    /* 80 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 81 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 82 */
+    { { 0xf8e60f5b,0x511188b4,0x48aa2ada,0x7fe67015,0x381abca2,0xdb333cb8,
+        0xdaf3fc97,0xb15e6d9d,0x36aabc03,0x4b24f6eb,0x72a748b4,0xc59789df },
+      { 0x29cf5279,0x26fcb8a5,0x01ad9a6c,0x7a3c6bfc,0x4b8bac9b,0x866cf88d,
+        0x9c80d041,0xf4c89989,0x70add148,0xf0a04241,0x45d81a41,0x5a02f479 } },
+    /* 83 */
+    { { 0xc1c90202,0xfa5c877c,0xf8ac7570,0xd099d440,0xd17881f7,0x428a5b1b,
+        0x5b2501d7,0x61e267db,0xf2e4465b,0xf889bf04,0x76aa4cb8,0x4da3ae08 },
+      { 0xe3e66861,0x3ef0fe26,0x3318b86d,0x5e772953,0x747396df,0xc3c35fbc,
+        0x439ffd37,0x5115a29c,0xb2d70374,0xbfc4bd97,0x56246b9d,0x088630ea } },
+    /* 84 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 85 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+    /* 86 */
+    { { 0xfecf5b9b,0x34e0f9d1,0xf206966a,0xa115b12b,0x1eaa0534,0x5591cf3b,
+        0xfb1558f9,0x5f0293cb,0x1bc703a5,0x1c8507a4,0x862c1f81,0x92e6b81c },
+      { 0xcdaf24e3,0xcc9ebc66,0x72fcfc70,0x68917ecd,0x8157ba48,0x6dc9a930,
+        0xb06ab2b2,0x5d425c08,0x36e929c4,0x362f8ce7,0x62e89324,0x09f6f57c } },
+    /* 87 */
+    { { 0xd29375fb,0x1c7d6b78,0xe35d1157,0xfabd851e,0x4243ea47,0xf6f62dcd,
+        0x8fe30b0f,0x1dd92460,0xffc6e709,0x08166dfa,0x0881e6a7,0xc6c4c693 },
+      { 0xd6a53fb0,0x20368f87,0x9eb4d1f9,0x38718e9f,0xafd7e790,0x03f08acd,
+        0x72fe2a1c,0x0835eb44,0x88076e5d,0x7e050903,0xa638e731,0x538f765e } },
+    /* 88 */
+    { { 0xc2663b4b,0x0e0249d9,0x47cd38dd,0xe700ab5b,0x2c46559f,0xb192559d,
+        0x4bcde66d,0x8f9f74a8,0x3e2aced5,0xad161523,0x3dd03a5b,0xc155c047 },
+      { 0x3be454eb,0x346a8799,0x83b7dccd,0x66ee94db,0xab9d2abe,0x1f6d8378,
+        0x7733f355,0x4a396dd2,0xf53553c2,0x419bd40a,0x731dd943,0xd0ead98d } },
+    /* 89 */
+    { { 0xec142408,0x908e0b0e,0x4114b310,0x98943cb9,0x1742b1d7,0x03dbf7d8,
+        0x693412f4,0xd270df6b,0x8f69e20c,0xc5065494,0x697e43a1,0xa76a90c3 },
+      { 0x4624825a,0xe0fa3384,0x8acc34c2,0x82e48c0b,0xe9a14f2b,0x7b24bd14,
+        0x4db30803,0x4f5dd5e2,0x932da0a3,0x0c77a9e7,0x74c653dc,0x20db90f2 } },
+    /* 90 */
+    { { 0x0e6c5fd9,0x261179b7,0x6c982eea,0xf8bec123,0xd4957b7e,0x47683338,
+        0x0a72f66a,0xcc47e664,0x1bad9350,0xbd54bf6a,0xf454e95a,0xdfbf4c6a },
+      { 0x6907f4fa,0x3f7a7afa,0x865ca735,0x7311fae0,0x2a496ada,0x24737ab8,
+        0x15feb79b,0x13e425f1,0xa1b93c21,0xe9e97c50,0x4ddd3eb5,0xb26b6eac } },
+    /* 91 */
+    { { 0x2a2e5f2b,0x81cab9f5,0xbf385ac4,0xf93caf29,0xc909963a,0xf4bf35c3,
+        0x74c9143c,0x081e7300,0xc281b4c5,0x3ea57fa8,0x9b340741,0xe497905c },
+      { 0x55ab3cfb,0xf556dd8a,0x518db6ad,0xd444b96b,0x5ef4b955,0x34f5425a,
+        0xecd26aa3,0xdda7a3ac,0xda655e97,0xb57da11b,0xc2024c70,0x02da3eff } },
+    /* 92 */
+    { { 0x6481d0d9,0xe24b0036,0x818fdfe2,0x3740dbe5,0x190fda00,0xc1fc1f45,
+        0x3cf27fde,0x329c9280,0x6934f43e,0x7435cb53,0x7884e8fe,0x2b505a5d },
+      { 0x711adcc9,0x6cfcc6a6,0x531e21e1,0xf034325c,0x9b2a8a99,0xa2f4a967,
+        0x3c21bdff,0x9d5f3842,0x31b57d66,0xb25c7811,0x0b8093b9,0xdb5344d8 } },
+    /* 93 */
+    { { 0xae50a2f5,0x0d72e667,0xe4a861d1,0x9b7f8d8a,0x330df1cb,0xa129f70f,
+        0xe04fefc3,0xe90aa5d7,0xe72c3ae1,0xff561ecb,0xcdb955fa,0x0d8fb428 },
+      { 0xd7663784,0xd2235f73,0x7e2c456a,0xc05baec6,0x2adbfccc,0xe5c292e4,
+        0xefb110d5,0x4fd17988,0xd19d49f3,0x27e57734,0x84f679fe,0x188ac4ce } },
+    /* 94 */
+    { { 0xa796c53e,0x7ee344cf,0x0868009b,0xbbf6074d,0x474a1295,0x1f1594f7,
+        0xac11632d,0x66776edc,0x04e2fa5a,0x1862278b,0xc854a89a,0x52665cf2 },
+      { 0x8104ab58,0x7e376464,0x7204fd6d,0x16775913,0x44ea1199,0x86ca06a5,
+        0x1c9240dd,0xaa3f765b,0x24746149,0x5f8501a9,0xdcd251d7,0x7b982e30 } },
+    /* 95 */
+    { { 0xc15f3060,0xe44e9efc,0xa87ebbe6,0x5ad62f2e,0xc79500d4,0x36499d41,
+        0x336fa9d1,0xa66d6dc0,0x5afd3b1f,0xf8afc495,0xe5c9822b,0x1d8ccb24 },
+      { 0x79d7584b,0x4031422b,0xea3f20dd,0xc54a0580,0x958468c5,0x3f837c8f,
+        0xfbea7735,0x3d82f110,0x7dffe2fc,0x679a8778,0x20704803,0x48eba63b } },
+    /* 96 */
+    { { 0xdf46e2f6,0x89b10d41,0x19514367,0x13ab57f8,0x1d469c87,0x067372b9,
+        0x4f6c5798,0x0c195afa,0x272c9acf,0xea43a12a,0x678abdac,0x9dadd8cb },
+      { 0xe182579a,0xcce56c6b,0x2d26c2d8,0x86febadb,0x2a44745c,0x1c668ee1,
+        0x98dc047a,0x580acd86,0x51b9ec2d,0x5a2b79cc,0x4054f6a0,0x007da608 } },
+    /* 97 */
+    { { 0x17b00dd0,0x9e3ca352,0x0e81a7a6,0x046779cb,0xd482d871,0xb999fef3,
+        0xd9233fbc,0xe6f38134,0xf48cd0e0,0x112c3001,0x3c6c66ae,0x934e7576 },
+      { 0xd73234dc,0xb44d4fc3,0x864eafc1,0xfcae2062,0x26bef21a,0x843afe25,
+        0xf3b75fdf,0x61355107,0x794c2e6b,0x8367a5aa,0x8548a372,0x3d2629b1 } },
+    /* 98 */
+    { { 0x437cfaf8,0x6230618f,0x2032c299,0x5b8742cb,0x2293643a,0x949f7247,
+        0x09464f79,0xb8040f1a,0x4f254143,0x049462d2,0x366c7e76,0xabd6b522 },
+      { 0xd5338f55,0x119b392b,0x01495a0c,0x1a80a9ce,0xf8d7537e,0xf3118ca7,
+        0x6bf4b762,0xb715adc2,0xa8482b6c,0x24506165,0x96a7c84d,0xd958d7c6 } },
+    /* 99 */
+    { { 0xbdc21f31,0x9ad8aa87,0x8063e58c,0xadb3cab4,0xb07dd7b8,0xefd86283,
+        0x1be7c6b4,0xc7b9b762,0x015582de,0x2ef58741,0x299addf3,0xc970c52e },
+      { 0x22f24d66,0x78f02e2a,0x74cc100a,0xefec1d10,0x09316e1a,0xaf2a6a39,
+        0x5849dd49,0xce7c2205,0x96bffc4c,0x9c1fe75c,0x7ba06ec0,0xcad98fd2 } },
+    /* 100 */
+    { { 0xb648b73e,0xed76e2d0,0x1cfd285e,0xa9f92ce5,0x2ed13de1,0xa8c86c06,
+        0xa5191a93,0x1d3a574e,0x1ad1b8bf,0x385cdf8b,0x47d2cfe3,0xbbecc28a },
+      { 0x69cec548,0x98d326c0,0xf240a0b2,0x4f5bc1dd,0x29057236,0x241a7062,
+        0xc68294a4,0x0fc6e9c5,0xa319f17a,0x4d04838b,0x9ffc1c6f,0x8b612cf1 } },
+    /* 101 */
+    { { 0x4c3830eb,0x9bb0b501,0x8ee0d0c5,0x3d08f83c,0x79ba9389,0xa4a62642,
+        0x9cbc2914,0x5d5d4044,0x074c46f0,0xae9eb83e,0x74ead7d6,0x63bb758f },
+      { 0xc6bb29e0,0x1c40d2ea,0x4b02f41e,0x95aa2d87,0x53cb199a,0x92989175,
+        0x51584f6d,0xdd91bafe,0x31a1aaec,0x3715efb9,0x46780f9e,0xc1b6ae5b } },
+    /* 102 */
+    { { 0x42772f41,0xcded3e4b,0x3bcb79d1,0x3a700d5d,0x80feee60,0x4430d50e,
+        0xf5e5d4bb,0x444ef1fc,0xe6e358ff,0xc660194f,0x6a91b43c,0xe68a2f32 },
+      { 0x977fe4d2,0x5842775c,0x7e2a41eb,0x78fdef5c,0xff8df00e,0x5f3bec02,
+        0x5852525d,0xf4b840cd,0x4e6988bd,0x0870483a,0xcc64b837,0x39499e39 } },
+    /* 103 */
+    { { 0xb08df5fe,0xfc05de80,0x63ba0362,0x0c12957c,0xd5cf1428,0xea379414,
+        0x54ef6216,0xc559132a,0xb9e65cf8,0x33d5f12f,0x1695d663,0x09c60278 },
+      { 0x61f7a2fb,0x3ac1ced4,0xd4f5eeb8,0xdd838444,0x8318fcad,0x82a38c6c,
+        0xe9f1a864,0x315be2e5,0x442daf47,0x317b5771,0x95aa5f9e,0x81b5904a } },
+    /* 104 */
+    { { 0x8b21d232,0x6b6b1c50,0x8c2cba75,0x87f3dbc0,0xae9f0faf,0xa7e74b46,
+        0xbb7b8079,0x036a0985,0x8d974a25,0x4f185b90,0xd9af5ec9,0x5aa7cef0 },
+      { 0x57dcfffc,0xe0566a70,0xb8453225,0x6ea311da,0x23368aa9,0x72ea1a8d,
+        0x48cd552d,0xed9b2083,0xc80ea435,0xb987967c,0x6c104173,0xad735c75 } },
+    /* 105 */
+    { { 0xcee76ef4,0xaea85ab3,0xaf1d2b93,0x44997444,0xeacb923f,0x0851929b,
+        0x51e3bc0c,0xb080b590,0x59be68a2,0xc4ee1d86,0x64b26cda,0xf00de219 },
+      { 0xf2e90d4d,0x8d7fb5c0,0x77d9ec64,0x00e219a7,0x5d1c491c,0xc4e6febd,
+        0x1a8f4585,0x080e3754,0x48d2af9c,0x4a9b86c8,0xb6679851,0x2ed70db6 } },
+    /* 106 */
+    { { 0x586f25cb,0xaee44116,0xa0fcf70f,0xf7b6861f,0x18a350e8,0x55d2cd20,
+        0x92dc286f,0x861bf3e5,0x6226aba7,0x9ab18ffa,0xa9857b03,0xd15827be },
+      { 0x92e6acef,0x26c1f547,0xac1fbac3,0x422c63c8,0xfcbfd71d,0xa2d8760d,
+        0xb2511224,0x35f6a539,0x048d1a21,0xbaa88fa1,0xebf999db,0x49f1abe9 } },
+    /* 107 */
+    { { 0xf7492b73,0x16f9f4f4,0xcb392b1a,0xcf28ec1e,0x69ca6ffc,0x45b130d4,
+        0xb72efa58,0x28ba8d40,0x5ca066f5,0xace987c7,0x4ad022eb,0x3e399246 },
+      { 0x752555bb,0x63a2d84e,0x9c2ae394,0xaaa93b4a,0xc89539ca,0xcd80424e,
+        0xaa119a99,0x6d6b5a6d,0x379f2629,0xbd50334c,0xef3cc7d3,0x899e925e } },
+    /* 108 */
+    { { 0xbf825dc4,0xb7ff3651,0x40b9c462,0x0f741cc4,0x5cc4fb5b,0x771ff5a9,
+        0x47fd56fe,0xcb9e9c9b,0x5626c0d3,0xbdf053db,0xf7e14098,0xa97ce675 },
+      { 0x6c934f5e,0x68afe5a3,0xccefc46f,0x6cd5e148,0xd7a88586,0xc7758570,
+        0xdd558d40,0x49978f5e,0x64ae00c1,0xa1d5088a,0xf1d65bb2,0x58f2a720 } },
+    /* 109 */
+    { { 0x3e4daedb,0x66fdda4a,0x65d1b052,0x38318c12,0x4c4bbf5c,0x28d910a2,
+        0x78a9cd14,0x762fe5c4,0xd2cc0aee,0x08e5ebaa,0xca0c654c,0xd2cdf257 },
+      { 0x08b717d2,0x48f7c58b,0x386cd07a,0x3807184a,0xae7d0112,0x3240f626,
+        0xc43917b0,0x03e9361b,0x20aea018,0xf261a876,0x7e1e6372,0x53f556a4 } },
+    /* 110 */
+    { { 0x2f512a90,0xc84cee56,0x1b0ea9f1,0x24b3c004,0xe26cc1ea,0x0ee15d2d,
+        0xf0c9ef7d,0xd848762c,0xd5341435,0x1026e9c5,0xfdb16b31,0x8f5b73dc },
+      { 0xd2c75d95,0x1f69bef2,0xbe064dda,0x8d33d581,0x57ed35e6,0x8c024c12,
+        0xc309c281,0xf8d435f9,0xd6960193,0xfd295061,0xe9e49541,0x66618d78 } },
+    /* 111 */
+    { { 0x8ce382de,0x571cfd45,0xde900dde,0x175806ee,0x34aba3b5,0x61849965,
+        0xde7aec95,0xe899778a,0xff4aa97f,0xe8f00f6e,0x010b0c6d,0xae971cb5 },
+      { 0x3af788f1,0x1827eebc,0xe413fe2d,0xd46229ff,0x4741c9b4,0x8a15455b,
+        0xf8e424eb,0x5f02e690,0xdae87712,0x40a1202e,0x64944f6d,0x49b3bda2 } },
+    /* 112 */
+    { { 0x035b2d69,0xd63c6067,0x6bed91b0,0xb507150d,0x7afb39b2,0x1f35f82f,
+        0x16012b66,0xb9bd9c01,0xed0a5f50,0x00d97960,0x2716f7c9,0xed705451 },
+      { 0x127abdb4,0x1576eff4,0xf01e701c,0x6850d698,0x3fc87e2f,0x9fa7d749,
+        0xb0ce3e48,0x0b6bcc6f,0xf7d8c1c0,0xf4fbe1f5,0x02719cc6,0xcf75230e } },
+    /* 113 */
+    { { 0x722d94ed,0x6761d6c2,0x3718820e,0xd1ec3f21,0x25d0e7c6,0x65a40b70,
+        0xbaf3cf31,0xd67f830e,0xb93ea430,0x633b3807,0x0bc96c69,0x17faa0ea },
+      { 0xdf866b98,0xe6bf3482,0xa9db52d4,0x205c1ee9,0xff9ab869,0x51ef9bbd,
+        0x75eeb985,0x3863dad1,0xd3cf442a,0xef216c3b,0xf9c8e321,0x3fb228e3 } },
+    /* 114 */
+    { { 0x0760ac07,0x94f9b70c,0x9d79bf4d,0xf3c9ccae,0xc5ffc83d,0x73cea084,
+        0xdc49c38e,0xef50f943,0xbc9e7330,0xf467a2ae,0x44ea7fba,0x5ee534b6 },
+      { 0x03609e7f,0x20cb6272,0x62fdc9f0,0x09844355,0x0f1457f7,0xaf5c8e58,
+        0xb4b25941,0xd1f50a6c,0x2ec82395,0x77cb247c,0xda3dca33,0xa5f3e1e5 } },
+    /* 115 */
+    { { 0x7d85fa94,0x023489d6,0x2db9ce47,0x0ba40537,0xaed7aad1,0x0fdf7a1f,
+        0x9a4ccb40,0xa57b0d73,0x5b18967c,0x48fcec99,0xb7274d24,0xf30b5b6e },
+      { 0xc81c5338,0x7ccb4773,0xa3ed6bd0,0xb85639e6,0x1d56eada,0x7d9df95f,
+        0x0a1607ad,0xe256d57f,0x957574d6,0x6da7ffdc,0x01c7a8c4,0x65f84046 } },
+    /* 116 */
+    { { 0xcba1e7f1,0x8d45d0cb,0x02b55f64,0xef0a08c0,0x17e19892,0x771ca31b,
+        0x4885907e,0xe1843ecb,0x364ce16a,0x67797ebc,0x8df4b338,0x816d2b2d },
+      { 0x39aa8671,0xe870b0e5,0xc102b5f5,0x9f0db3e4,0x1720c697,0x34296659,
+        0x613c0d2a,0x0ad4c89e,0x418ddd61,0x1af900b2,0xd336e20e,0xe087ca72 } },
+    /* 117 */
+    { { 0xaba10079,0x222831ff,0x6d64fff2,0x0dc5f87b,0x3e8cb330,0x44547907,
+        0x702a33fb,0xe815aaa2,0x5fba3215,0x338d6b2e,0x79f549c8,0x0f7535cb },
+      { 0x2ee95923,0x471ecd97,0xc6d1c09f,0x1e868b37,0xc666ef4e,0x2bc7b8ec,
+        0x808a4bfc,0xf5416589,0x3fbc4d2e,0xf23e9ee2,0x2d75125b,0x4357236c } },
+    /* 118 */
+    { { 0xba9cdb1b,0xfe176d95,0x2f82791e,0x45a1ca01,0x4de4cca2,0x97654af2,
+        0x5cc4bcb9,0xbdbf9d0e,0xad97ac0a,0xf6a7df50,0x61359fd6,0xc52112b0 },
+      { 0x4f05eae3,0x696d9ce3,0xe943ac2b,0x903adc02,0x0848be17,0xa9075347,
+        0x2a3973e5,0x1e20f170,0x6feb67e9,0xe1aacc1c,0xe16bc6b9,0x2ca0ac32 } },
+    /* 119 */
+    { { 0xef871eb5,0xffea12e4,0xa8bf0a7a,0x94c2f25d,0x78134eaa,0x4d1e4c2a,
+        0x0360fb10,0x11ed16fb,0x85fc11be,0x4029b6db,0xf4d390fa,0x5e9f7ab7 },
+      { 0x30646612,0x5076d72f,0xdda1d0d8,0xa0afed1d,0x85a1d103,0x29022257,
+        0x4e276bcd,0xcb499e17,0x51246c3d,0x16d1da71,0x589a0443,0xc72d56d3 } },
+    /* 120 */
+    { { 0xdae5bb45,0xdf5ffc74,0x261bd6dc,0x99068c4a,0xaa98ec7b,0xdc0afa7a,
+        0xf121e96d,0xedd2ee00,0x1414045c,0x163cc7be,0x335af50e,0xb0b1bbce },
+      { 0x01a06293,0xd440d785,0x6552e644,0xcdebab7c,0x8c757e46,0x48cb8dbc,
+        0x3cabe3cb,0x81f9cf78,0xb123f59a,0xddd02611,0xeeb3784d,0x3dc7b88e } },
+    /* 121 */
+    { { 0xc4741456,0xe1b8d398,0x6032a121,0xa9dfa902,0x1263245b,0x1cbfc86d,
+        0x5244718c,0xf411c762,0x05b0fc54,0x96521d54,0xdbaa4985,0x1afab46e },
+      { 0x8674b4ad,0xa75902ba,0x5ad87d12,0x486b43ad,0x36e0d099,0x72b1c736,
+        0xbb6cd6d6,0x39890e07,0x59bace4e,0x8128999c,0x7b535e33,0xd8da430b } },
+    /* 122 */
+    { { 0xc6b75791,0x39f65642,0x21806bfb,0x050947a6,0x1362ef84,0x0ca3e370,
+        0x8c3d2391,0x9bc60aed,0x732e1ddc,0x9b488671,0xa98ee077,0x12d10d9e },
+      { 0x3651b7dc,0xb6f2822d,0x80abd138,0x6345a5ba,0x472d3c84,0x62033262,
+        0xacc57527,0xd54a1d40,0x424447cb,0x6ea46b3a,0x2fb1a496,0x5bc41057 } },
+    /* 123 */
+    { { 0xa751cd0e,0xe70c57a3,0xeba3c7d6,0x190d8419,0x9d47d55a,0xb1c3bee7,
+        0xf912c6d8,0xda941266,0x407a6ad6,0x12e9aacc,0x6e838911,0xd6ce5f11 },
+      { 0x70e1f2ce,0x063ca97b,0x8213d434,0xa3e47c72,0x84df810a,0xa016e241,
+        0xdfd881a4,0x688ad7b0,0xa89bf0ad,0xa37d99fc,0xa23c2d23,0xd8e3f339 } },
+    /* 124 */
+    { { 0x750bed6f,0xbdf53163,0x83e68b0a,0x808abc32,0x5bb08a33,0x85a36627,
+        0x6b0e4abe,0xf72a3a0f,0xfaf0c6ad,0xf7716d19,0x5379b25f,0x22dcc020 },
+      { 0xf9a56e11,0x7400bf8d,0x56a47f21,0x6cb8bad7,0x7a6eb644,0x7c97176f,
+        0xd1f5b646,0xe8fd84f7,0x44ddb054,0x98320a94,0x1dde86f5,0x07071ba3 } },
+    /* 125 */
+    { { 0x98f8fcb9,0x6fdfa0e5,0x94d0d70c,0x89cec8e0,0x106d20a8,0xa0899397,
+        0xba8acc9c,0x915bfb9a,0x5507e01c,0x1370c94b,0x8a821ffb,0x83246a60 },
+      { 0xbe3c378f,0xa8273a9f,0x35a25be9,0x7e544789,0x4dd929d7,0x6cfa4972,
+        0x365bd878,0x987fed9d,0x5c29a7ae,0x4982ac94,0x5ddd7ec5,0x4589a5d7 } },
+    /* 126 */
+    { { 0xa95540a9,0x9fabb174,0x0162c5b0,0x7cfb886f,0xea3dee18,0x17be766b,
+        0xe88e624c,0xff7da41f,0x8b919c38,0xad0b71eb,0xf31ff9a9,0x86a522e0 },
+      { 0x868bc259,0xbc8e6f72,0x3ccef9e4,0x6130c638,0x9a466555,0x09f1f454,
+        0x19b2bfb4,0x8e6c0f09,0x0ca7bb22,0x945c46c9,0x4dafb67b,0xacd87168 } },
+    /* 127 */
+    { { 0x10c53841,0x090c72ca,0x55a4fced,0xc20ae01b,0xe10234ad,0x03f7ebd5,
+        0x85892064,0xb3f42a6a,0xb4a14722,0xbdbc30c0,0x8ca124cc,0x971bc437 },
+      { 0x517ff2ff,0x6f79f46d,0xecba947b,0x6a9c96e2,0x62925122,0x5e79f2f4,
+        0x6a4e91f1,0x30a96bb1,0x2d4c72da,0x1147c923,0x5811e4df,0x65bc311f } },
+    /* 128 */
+    { { 0x139b3239,0x87c7dd7d,0x4d833bae,0x8b57824e,0x9fff0015,0xbcbc4878,
+        0x909eaf1a,0x8ffcef8b,0xf1443a78,0x9905f4ee,0xe15cbfed,0x020dd4a2 },
+      { 0xa306d695,0xca2969ec,0xb93caf60,0xdf940cad,0x87ea6e39,0x67f7fab7,
+        0xf98c4fe5,0x0d0ee10f,0xc19cb91e,0xc646879a,0x7d1d7ab4,0x4b4ea50c } },
+    /* 129 */
+    { { 0x7a0db57e,0x19e40945,0x9a8c9702,0xe6017cad,0x1be5cff9,0xdbf739e5,
+        0xa7a938a2,0x3646b3cd,0x68350dfc,0x04511085,0x56e098b5,0xad3bd6f3 },
+      { 0xee2e3e3e,0x935ebabf,0x473926cb,0xfbd01702,0x9e9fb5aa,0x7c735b02,
+        0x2e3feff0,0xc52a1b85,0x046b405a,0x9199abd3,0x39039971,0xe306fcec } },
+    /* 130 */
+    { { 0x23e4712c,0xd6d9aec8,0xc3c198ee,0x7ca8376c,0x31bebd8a,0xe6d83187,
+        0xd88bfef3,0xed57aff3,0xcf44edc7,0x72a645ee,0x5cbb1517,0xd4e63d0b },
+      { 0xceee0ecf,0x98ce7a1c,0x5383ee8e,0x8f012633,0xa6b455e8,0x3b879078,
+        0xc7658c06,0xcbcd3d96,0x0783336a,0x721d6fe7,0x5a677136,0xf21a7263 } },
+    /* 131 */
+    { { 0x9586ba11,0x19d8b3cd,0x8a5c0480,0xd9e0aeb2,0x2230ef5c,0xe4261dbf,
+        0x02e6bf09,0x095a9dee,0x80dc7784,0x8963723c,0x145157b1,0x5c97dbaf },
+      { 0x4bc4503e,0x97e74434,0x85a6b370,0x0fb1cb31,0xcd205d4b,0x3e8df2be,
+        0xf8f765da,0x497dd1bc,0x6c988a1a,0x92ef95c7,0x64dc4cfa,0x3f924baa } },
+    /* 132 */
+    { { 0x7268b448,0x6bf1b8dd,0xefd79b94,0xd4c28ba1,0xe4e3551f,0x2fa1f8c8,
+        0x5c9187a9,0x769e3ad4,0x40326c0d,0x28843b4d,0x50d5d669,0xfefc8094 },
+      { 0x90339366,0x30c85bfd,0x5ccf6c3a,0x4eeb56f1,0x28ccd1dc,0x0e72b149,
+        0xf2ce978e,0x73ee85b5,0x3165bb23,0xcdeb2bf3,0x4e410abf,0x8106c923 } },
+    /* 133 */
+    { { 0x7d02f4ee,0xc8df0161,0x18e21225,0x8a781547,0x6acf9e40,0x4ea895eb,
+        0x6e5a633d,0x8b000cb5,0x7e981ffb,0xf31d86d5,0x4475bc32,0xf5c8029c },
+      { 0x1b568973,0x764561ce,0xa62996ec,0x2f809b81,0xda085408,0x9e513d64,
+        0xe61ce309,0xc27d815d,0x272999e0,0x0da6ff99,0xfead73f7,0xbd284779 } },
+    /* 134 */
+    { { 0x9b1cdf2b,0x6033c2f9,0xbc5fa151,0x2a99cf06,0x12177b3b,0x7d27d259,
+        0xc4485483,0xb1f15273,0x102e2297,0x5fd57d81,0xc7f6acb7,0x3d43e017 },
+      { 0x3a70eb28,0x41a8bb0b,0x3e80b06b,0x67de2d8e,0x70c28de5,0x09245a41,
+        0xa7b26023,0xad7dbcb1,0x2cbc6c1e,0x70b08a35,0x9b33041f,0xb504fb66 } },
+    /* 135 */
+    { { 0xf97a27c2,0xa8e85ab5,0xc10a011b,0x6ac5ec8b,0xffbcf161,0x55745533,
+        0x65790a60,0x01780e85,0x99ee75b0,0xe451bf85,0x39c29881,0x8907a63b },
+      { 0x260189ed,0x76d46738,0x47bd35cb,0x284a4436,0x20cab61e,0xd74e8c40,
+        0x416cf20a,0x6264bf8c,0x5fd820ce,0xfa5a6c95,0xf24bb5fc,0xfa7154d0 } },
+    /* 136 */
+    { { 0x9b3f5034,0x18482cec,0xcd9e68fd,0x962d445a,0x95746f23,0x266fb1d6,
+        0x58c94a4b,0xc66ade5a,0xed68a5b6,0xdbbda826,0x7ab0d6ae,0x05664a4d },
+      { 0x025e32fc,0xbcd4fe51,0xa96df252,0x61a5aebf,0x31592a31,0xd88a07e2,
+        0x98905517,0x5d9d94de,0x5fd440e7,0x96bb4010,0xe807db4c,0x1b0c47a2 } },
+    /* 137 */
+    { { 0x08223878,0x5c2a6ac8,0xe65a5558,0xba08c269,0x9bbc27fd,0xd22b1b9b,
+        0x72b9607d,0x919171bf,0xe588dc58,0x9ab455f9,0x23662d93,0x6d54916e },
+      { 0x3b1de0c1,0x8da8e938,0x804f278f,0xa84d186a,0xd3461695,0xbf4988cc,
+        0xe10eb0cb,0xf5eae3be,0xbf2a66ed,0x1ff8b68f,0xc305b570,0xa68daf67 } },
+    /* 138 */
+    { { 0x44b2e045,0xc1004cff,0x4b1c05d4,0x91b5e136,0x88a48a07,0x53ae4090,
+        0xea11bb1a,0x73fb2995,0x3d93a4ea,0x32048570,0x3bfc8a5f,0xcce45de8 },
+      { 0xc2b3106e,0xaff4a97e,0xb6848b4f,0x9069c630,0xed76241c,0xeda837a6,
+        0x6cc3f6cf,0x8a0daf13,0x3da018a8,0x199d049d,0xd9093ba3,0xf867c6b1 } },
+    /* 139 */
+    { { 0x56527296,0xe4d42a56,0xce71178d,0xae26c73d,0x6c251664,0x70a0adac,
+        0x5dc0ae1d,0x813483ae,0xdaab2daf,0x7574eacd,0xc2d55f4f,0xc56b52dc },
+      { 0x95f32923,0x872bc167,0x5bdd2a89,0x4be17581,0xa7699f00,0x9b57f1e7,
+        0x3ac2de02,0x5fcd9c72,0x92377739,0x83af3ba1,0xfc50b97f,0xa64d4e2b } },
+    /* 140 */
+    { { 0x0e552b40,0x2172dae2,0xd34d52e8,0x62f49725,0x07958f98,0x7930ee40,
+        0x751fdd74,0x56da2a90,0xf53e48c3,0xf1192834,0x8e53c343,0x34d2ac26 },
+      { 0x13111286,0x1073c218,0xda9d9827,0x201dac14,0xee95d378,0xec2c29db,
+        0x1f3ee0b1,0x9316f119,0x544ce71c,0x7890c9f0,0x27612127,0xd77138af } },
+    /* 141 */
+    { { 0x3b4ad1cd,0x78045e6d,0x4aa49bc1,0xcd86b94e,0xfd677a16,0x57e51f1d,
+        0xfa613697,0xd9290935,0x34f4d893,0x7a3f9593,0x5d5fcf9b,0x8c9c248b },
+      { 0x6f70d4e9,0x9f23a482,0x63190ae9,0x17273454,0x5b081a48,0x4bdd7c13,
+        0x28d65271,0x1e2de389,0xe5841d1f,0x0bbaaa25,0x746772e5,0xc4c18a79 } },
+    /* 142 */
+    { { 0x593375ac,0x10ee2681,0x7dd5e113,0x4f3288be,0x240f3538,0x9a97b2fb,
+        0x1de6b1e2,0xfa11089f,0x1351bc58,0x516da562,0x2dfa85b5,0x573b6119 },
+      { 0x6cba7df5,0x89e96683,0x8c28ab40,0xf299be15,0xad43fcbf,0xe91c9348,
+        0x9a1cefb3,0xe9bbc7cc,0x738b2775,0xc8add876,0x775eaa01,0x6e3b1f2e } },
+    /* 143 */
+    { { 0xb677788b,0x0365a888,0x3fd6173c,0x634ae8c4,0x9e498dbe,0x30498761,
+        0xc8f779ab,0x08c43e6d,0x4c09aca9,0x068ae384,0x2018d170,0x2380c70b },
+      { 0xa297c5ec,0xcf77fbc3,0xca457948,0xdacbc853,0x336bec7e,0x3690de04,
+        0x14eec461,0x26bbac64,0x1f713abf,0xd1c23c7e,0xe6fd569e,0xf08bbfcd } },
+    /* 144 */
+    { { 0x84770ee3,0x5f8163f4,0x744a1706,0x0e0c7f94,0xe1b2d46d,0x9c8f05f7,
+        0xd01fd99a,0x417eafe7,0x11440e5b,0x2ba15df5,0x91a6fbcf,0xdc5c552a },
+      { 0xa270f721,0x86271d74,0xa004485b,0x32c0a075,0x8defa075,0x9d1a87e3,
+        0xbf0d20fe,0xb590a7ac,0x8feda1f5,0x430c41c2,0x58f6ec24,0x454d2879 } },
+    /* 145 */
+    { { 0x7c525435,0x52b7a635,0x37c4bdbc,0x3d9ef57f,0xdffcc475,0x2bb93e9e,
+        0x7710f3be,0xf7b8ba98,0x21b727de,0x42ee86da,0x2e490d01,0x55ac3f19 },
+      { 0xc0c1c390,0x487e3a6e,0x446cde7b,0x036fb345,0x496ae951,0x089eb276,
+        0x71ed1234,0xedfed4d9,0x900f0b46,0x661b0dd5,0x8582f0d3,0x11bd6f1b } },
+    /* 146 */
+    { { 0x076bc9d1,0x5cf9350f,0xcf3cd2c3,0x15d903be,0x25af031c,0x21cfc8c2,
+        0x8b1cc657,0xe0ad3248,0x70014e87,0xdd9fb963,0x297f1658,0xf0f3a5a1 },
+      { 0xf1f703aa,0xbb908fba,0x2f6760ba,0x2f9cc420,0x66a38b51,0x00ceec66,
+        0x05d645da,0x4deda330,0xf7de3394,0xb9cf5c72,0x1ad4c906,0xaeef6502 } },
+    /* 147 */
+    { { 0x7a19045d,0x0583c8b1,0xd052824c,0xae7c3102,0xff6cfa58,0x2a234979,
+        0x62c733c0,0xfe9dffc9,0x9c0c4b09,0x3a7fa250,0x4fe21805,0x516437bb },
+      { 0xc2a23ddb,0x9454e3d5,0x289c104e,0x0726d887,0x4fd15243,0x8977d918,
+        0x6d7790ba,0xc559e73f,0x465af85f,0x8fd3e87d,0x5feee46b,0xa2615c74 } },
+    /* 148 */
+    { { 0x4335167d,0xc8d607a8,0xe0f5c887,0x8b42d804,0x398d11f9,0x5f9f13df,
+        0x20740c67,0x5aaa5087,0xa3d9234b,0x83da9a6a,0x2a54bad1,0xbd3a5c4e },
+      { 0x2db0f658,0xdd13914c,0x5a3f373a,0x29dcb66e,0x5245a72b,0xbfd62df5,
+        0x91e40847,0x19d18023,0xb136b1ae,0xd9df74db,0x3f93bc5b,0x72a06b6b } },
+    /* 149 */
+    { { 0xad19d96f,0x6da19ec3,0xfb2a4099,0xb342daa4,0x662271ea,0x0e61633a,
+        0xce8c054b,0x3bcece81,0x8bd62dc6,0x7cc8e061,0xee578d8b,0xae189e19 },
+      { 0xdced1eed,0x73e7a25d,0x7875d3ab,0xc1257f0a,0x1cfef026,0x2cb2d5a2,
+        0xb1fdf61c,0xd98ef39b,0x24e83e6c,0xcd8e6f69,0xc7b7088b,0xd71e7076 } },
+    /* 150 */
+    { { 0x9d4245bf,0x33936830,0x2ac2953b,0x22d96217,0x56c3c3cd,0xb3bf5a82,
+        0x0d0699e8,0x50c9be91,0x8f366459,0xec094463,0x513b7c35,0x6c056dba },
+      { 0x045ab0e3,0x687a6a83,0x445c9295,0x8d40b57f,0xa16f5954,0x0f345048,
+        0x3d8f0a87,0x64b5c639,0x9f71c5e2,0x106353a2,0x874f0dd4,0xdd58b475 } },
+    /* 151 */
+    { { 0x62230c72,0x67ec084f,0x481385e3,0xf14f6cca,0x4cda7774,0xf58bb407,
+        0xaa2dbb6b,0xe15011b1,0x0c035ab1,0xd488369d,0x8245f2fd,0xef83c24a },
+      { 0x9fdc2538,0xfb57328f,0x191fe46a,0x79808293,0x32ede548,0xe28f5c44,
+        0xea1a022c,0x1b3cda99,0x3df2ec7f,0x39e639b7,0x760e9a18,0x77b6272b } },
+    /* 152 */
+    { { 0xa65d56d5,0x2b1d51bd,0x7ea696e0,0x3a9b71f9,0x9904f4c4,0x95250ecc,
+        0xe75774b7,0x8bc4d6eb,0xeaeeb9aa,0x0e343f8a,0x930e04cb,0xc473c1d1 },
+      { 0x064cd8ae,0x282321b1,0x5562221c,0xf4b4371e,0xd1bf1221,0xc1cc81ec,
+        0xe2c8082f,0xa52a07a9,0xba64a958,0x350d8e59,0x6fb32c9a,0x29e4f3de } },
+    /* 153 */
+    { { 0xba89aaa5,0x0aa9d56c,0xc4c6059e,0xf0208ac0,0xbd6ddca4,0x7400d9c6,
+        0xf2c2f74a,0xb384e475,0xb1562dd3,0x4c1061fc,0x2e153b8d,0x3924e248 },
+      { 0x849808ab,0xf38b8d98,0xa491aa36,0x29bf3260,0x88220ede,0x85159ada,
+        0xbe5bc422,0x8b47915b,0xd7300967,0xa934d72e,0x2e515d0d,0xc4f30398 } },
+    /* 154 */
+    { { 0x1b1de38b,0xe3e9ee42,0x42636760,0xa124e25a,0x90165b1a,0x90bf73c0,
+        0x146434c5,0x21802a34,0x2e1fa109,0x54aa83f2,0xed9c51e9,0x1d4bd03c },
+      { 0x798751e6,0xc2d96a38,0x8c3507f5,0xed27235f,0xc8c24f88,0xb5fb80e2,
+        0xd37f4f78,0xf873eefa,0xf224ba96,0x7229fd74,0x9edd7149,0x9dcd9199 } },
+    /* 155 */
+    { { 0x4e94f22a,0xee9f81a6,0xf71ec341,0xe5609892,0xa998284e,0x6c818ddd,
+        0x3b54b098,0x9fd47295,0x0e8a7cc9,0x47a6ac03,0xb207a382,0xde684e5e },
+      { 0x2b6b956b,0x4bdd1ecd,0xf01b3583,0x09084414,0x55233b14,0xe2f80b32,
+        0xef5ebc5e,0x5a0fec54,0xbf8b29a2,0x74cf25e6,0x7f29e014,0x1c757fa0 } },
+    /* 156 */
+    { { 0xeb0fdfe4,0x1bcb5c4a,0xf0899367,0xd7c649b3,0x05bc083b,0xaef68e3f,
+        0xa78aa607,0x57a06e46,0x21223a44,0xa2136ecc,0x52f5a50b,0x89bd6484 },
+      { 0x4455f15a,0x724411b9,0x08a9c0fd,0x23dfa970,0x6db63bef,0x7b0da4d1,
+        0xfb162443,0x6f8a7ec1,0xe98284fb,0xc1ac9cee,0x33566022,0x085a582b } },
+    /* 157 */
+    { { 0xec1f138a,0x15cb61f9,0x668f0c28,0x11c9a230,0xdf93f38f,0xac829729,
+        0x4048848d,0xcef25698,0x2bba8fbf,0x3f686da0,0x111c619a,0xed5fea78 },
+      { 0xd6d1c833,0x9b4f73bc,0x86e7bf80,0x50951606,0x042b1d51,0xa2a73508,
+        0x5fb89ec2,0x9ef6ea49,0x5ef8b892,0xf1008ce9,0x9ae8568b,0x78a7e684 } },
+    /* 158 */
+    { { 0x10470cd8,0x3fe83a7c,0xf86df000,0x92734682,0xda9409b5,0xb5dac06b,
+        0x94939c5f,0x1e7a9660,0x5cc116dc,0xdec6c150,0x66bac8cc,0x1a52b408 },
+      { 0x6e864045,0x5303a365,0x9139efc1,0x45eae72a,0x6f31d54f,0x83bec646,
+        0x6e958a6d,0x2fb4a86f,0x4ff44030,0x6760718e,0xe91ae0df,0x008117e3 } },
+    /* 159 */
+    { { 0x384310a2,0x5d5833ba,0x1fd6c9fc,0xbdfb4edc,0x849c4fb8,0xb9a4f102,
+        0x581c1e1f,0xe5fb239a,0xd0a9746d,0xba44b2e7,0x3bd942b9,0x78f7b768 },
+      { 0xc87607ae,0x076c8ca1,0xd5caaa7e,0x82b23c2e,0x2763e461,0x6a581f39,
+        0x3886df11,0xca8a5e4a,0x264e7f22,0xc87e90cf,0x215cfcfc,0x04f74870 } },
+    /* 160 */
+    { { 0x141d161c,0x5285d116,0x93c4ed17,0x67cd2e0e,0x7c36187e,0x12c62a64,
+        0xed2584ca,0xf5329539,0x42fbbd69,0xc4c777c4,0x1bdfc50a,0x107de776 },
+      { 0xe96beebd,0x9976dcc5,0xa865a151,0xbe2aff95,0x9d8872af,0x0e0a9da1,
+        0xa63c17cc,0x5e357a3d,0xe15cc67c,0xd31fdfd8,0x7970c6d8,0xc44bbefd } },
+    /* 161 */
+    { { 0x4c0c62f1,0x703f83e2,0x4e195572,0x9b1e28ee,0xfe26cced,0x6a82858b,
+        0xc43638fa,0xd381c84b,0xa5ba43d8,0x94f72867,0x10b82743,0x3b4a783d },
+      { 0x7576451e,0xee1ad7b5,0x14b6b5c8,0xc3d0b597,0xfcacc1b8,0x3dc30954,
+        0x472c9d7b,0x55df110e,0x02f8a328,0x97c86ed7,0x88dc098f,0xd0433413 } },
+    /* 162 */
+    { { 0x2ca8f2fe,0x1a60d152,0x491bd41f,0x61640948,0x58dfe035,0x6dae29a5,
+        0x278e4863,0x9a615bea,0x9ad7c8e5,0xbbdb4477,0x2ceac2fc,0x1c706630 },
+      { 0x99699b4b,0x5e2b54c6,0x239e17e8,0xb509ca6d,0xea063a82,0x728165fe,
+        0xb6a22e02,0x6b5e609d,0xb26ee1df,0x12813905,0x439491fa,0x07b9f722 } },
+    /* 163 */
+    { { 0x48ff4e49,0x1592ec14,0x6d644129,0x3e4e9f17,0x1156acc0,0x7acf8288,
+        0xbb092b0b,0x5aa34ba8,0x7d38393d,0xcd0f9022,0xea4f8187,0x416724dd },
+      { 0xc0139e73,0x3c4e641c,0x91e4d87d,0xe0fe46cf,0xcab61f8a,0xedb3c792,
+        0xd3868753,0x4cb46de4,0x20f1098a,0xe449c21d,0xf5b8ea6e,0x5e5fd059 } },
+    /* 164 */
+    { { 0x75856031,0x7fcadd46,0xeaf2fbd0,0x89c7a4cd,0x7a87c480,0x1af523ce,
+        0x61d9ae90,0xe5fc1095,0xbcdb95f5,0x3fb5864f,0xbb5b2c7d,0xbeb5188e },
+      { 0x3ae65825,0x3d1563c3,0x0e57d641,0x116854c4,0x1942ebd3,0x11f73d34,
+        0xc06955b3,0x24dc5904,0x995a0a62,0x8a0d4c83,0x5d577b7d,0xfb26b86d } },
+    /* 165 */
+    { { 0xc686ae17,0xc53108e7,0xd1c1da56,0x9090d739,0x9aec50ae,0x4583b013,
+        0xa49a6ab2,0xdd9a088b,0xf382f850,0x28192eea,0xf5fe910e,0xcc8df756 },
+      { 0x9cab7630,0x877823a3,0xfb8e7fc1,0x64984a9a,0x364bfc16,0x5448ef9c,
+        0xc44e2a9a,0xbbb4f871,0x435c95e9,0x901a41ab,0xaaa50a06,0xc6c23e5f } },
+    /* 166 */
+    { { 0x9034d8dd,0xb78016c1,0x0b13e79b,0x856bb44b,0xb3241a05,0x85c6409a,
+        0x2d78ed21,0x8d2fe19a,0x726eddf2,0xdcc7c26d,0x25104f04,0x3ccaff5f },
+      { 0x6b21f843,0x397d7edc,0xe975de4c,0xda88e4dd,0x4f5ab69e,0x5273d396,
+        0x9aae6cc0,0x537680e3,0x3e6f9461,0xf749cce5,0x957bffd3,0x021ddbd9 } },
+    /* 167 */
+    { { 0x777233cf,0x7b64585f,0x0942a6f0,0xfe6771f6,0xdfe6eef0,0x636aba7a,
+        0x86038029,0x63bbeb56,0xde8fcf36,0xacee5842,0xd4a20524,0x48d9aa99 },
+      { 0x0da5e57a,0xcff7a74c,0xe549d6c9,0xc232593c,0xf0f2287b,0x68504bcc,
+        0xbc8360b5,0x6d7d098d,0x5b402f41,0xeac5f149,0xb87d1bf1,0x61936f11 } },
+    /* 168 */
+    { { 0xb8153a9d,0xaa9da167,0x9e83ecf0,0xa49fe3ac,0x1b661384,0x14c18f8e,
+        0x38434de1,0x61c24dab,0x283dae96,0x3d973c3a,0x82754fc9,0xc99baa01 },
+      { 0x4c26b1e3,0x477d198f,0xa7516202,0x12e8e186,0x362addfa,0x386e52f6,
+        0xc3962853,0x31e8f695,0x6aaedb60,0xdec2af13,0x29cf74ac,0xfcfdb4c6 } },
+    /* 169 */
+    { { 0xcca40298,0x6b3ee958,0xf2f5d195,0xc3878153,0xed2eae5b,0x0c565630,
+        0x3a697cf2,0xd089b37e,0xad5029ea,0xc2ed2ac7,0x0f0dda6a,0x7e5cdfad },
+      { 0xd9b86202,0xf98426df,0x4335e054,0xed1960b1,0x3f14639e,0x1fdb0246,
+        0x0db6c670,0x17f709c3,0x773421e1,0xbfc687ae,0x26c1a8ac,0x13fefc4a } },
+    /* 170 */
+    { { 0x7ffa0a5f,0xe361a198,0xc63fe109,0xf4b26102,0x6c74e111,0x264acbc5,
+        0x77abebaf,0x4af445fa,0x24cddb75,0x448c4fdd,0x44506eea,0x0b13157d },
+      { 0x72e9993d,0x22a6b159,0x85e5ecbe,0x2c3c57e4,0xfd83e1a1,0xa673560b,
+        0xc3b8c83b,0x6be23f82,0x40bbe38e,0x40b13a96,0xad17399b,0x66eea033 } },
+    /* 171 */
+    { { 0xb4c6c693,0x49fc6e95,0x36af7d38,0xefc735de,0x35fe42fc,0xe053343d,
+        0x6a9ab7c3,0xf0aa427c,0x4a0fcb24,0xc79f0436,0x93ebbc50,0x16287243 },
+      { 0x16927e1e,0x5c3d6bd0,0x673b984c,0x40158ed2,0x4cd48b9a,0xa7f86fc8,
+        0x60ea282d,0x1643eda6,0xe2a1beed,0x45b393ea,0x19571a94,0x664c839e } },
+    /* 172 */
+    { { 0x27eeaf94,0x57745750,0xea99e1e7,0x2875c925,0x5086adea,0xc127e7ba,
+        0x86fe424f,0x765252a0,0x2b6c0281,0x1143cc6c,0xd671312d,0xc9bb2989 },
+      { 0x51acb0a5,0x880c337c,0xd3c60f78,0xa3710915,0x9262b6ed,0x496113c0,
+        0x9ce48182,0x5d25d9f8,0xb3813586,0x53b6ad72,0x4c0e159c,0x0ea3bebc } },
+    /* 173 */
+    { { 0xc5e49bea,0xcaba450a,0x7c05da59,0x684e5415,0xde7ac36c,0xa2e9cab9,
+        0x2e6f957b,0x4ca79b5f,0x09b817b1,0xef7b0247,0x7d89df0f,0xeb304990 },
+      { 0x46fe5096,0x508f7307,0x2e04eaaf,0x695810e8,0x3512f76c,0x88ef1bd9,
+        0x3ebca06b,0x77661351,0xccf158b7,0xf7d4863a,0x94ee57da,0xb2a81e44 } },
+    /* 174 */
+    { { 0x6d53e6ba,0xff288e5b,0x14484ea2,0xa90de1a9,0xed33c8ec,0x2fadb60c,
+        0x28b66a40,0x579d6ef3,0xec24372d,0x4f2dd6dd,0x1d66ec7d,0xe9e33fc9 },
+      { 0x039eab6e,0x110899d2,0x3e97bb5e,0xa31a667a,0xcfdce68e,0x6200166d,
+        0x5137d54b,0xbe83ebae,0x4800acdf,0x085f7d87,0x0c6f8c86,0xcf4ab133 } },
+    /* 175 */
+    { { 0x931e08fb,0x03f65845,0x1506e2c0,0x6438551e,0x9c36961f,0x5791f0dc,
+        0xe3dcc916,0x68107b29,0xf495d2ca,0x83242374,0x6ee5895b,0xd8cfb663 },
+      { 0xa0349b1b,0x525e0f16,0x4a0fab86,0x33cd2c6c,0x2af8dda9,0x46c12ee8,
+        0x71e97ad3,0x7cc424ba,0x37621eb0,0x69766ddf,0xa5f0d390,0x95565f56 } },
+    /* 176 */
+    { { 0x1a0f5e94,0xe0e7bbf2,0x1d82d327,0xf771e115,0xceb111fa,0x10033e3d,
+        0xd3426638,0xd269744d,0x00d01ef6,0xbdf2d9da,0xa049ceaf,0x1cb80c71 },
+      { 0x9e21c677,0x17f18328,0x19c8f98b,0x6452af05,0x80b67997,0x35b9c5f7,
+        0x40f8f3d4,0x5c2e1cbe,0x66d667ca,0x43f91656,0xcf9d6e79,0x9faaa059 } },
+    /* 177 */
+    { { 0x0a078fe6,0x8ad24618,0x464fd1dd,0xf6cc73e6,0xc3e37448,0x4d2ce34d,
+        0xe3271b5f,0x624950c5,0xefc5af72,0x62910f5e,0xaa132bc6,0x8b585bf8 },
+      { 0xa839327f,0x11723985,0x4aac252f,0x34e2d27d,0x6296cc4e,0x402f59ef,
+        0x47053de9,0x00ae055c,0x28b4f09b,0xfc22a972,0xfa0c180e,0xa9e86264 } },
+    /* 178 */
+    { { 0xbc310ecc,0x0b7b6224,0x67fa14ed,0x8a1a74f1,0x7214395c,0x87dd0960,
+        0xf5c91128,0xdf1b3d09,0x86b264a8,0x39ff23c6,0x3e58d4c5,0xdc2d49d0 },
+      { 0xa9d6f501,0x2152b7d3,0xc04094f7,0xf4c32e24,0xd938990f,0xc6366596,
+        0x94fb207f,0x084d078f,0x328594cb,0xfd99f1d7,0xcb2d96b3,0x36defa64 } },
+    /* 179 */
+    { { 0x13ed7cbe,0x4619b781,0x9784bd0e,0x95e50015,0x2c7705fe,0x2a32251c,
+        0x5f0dd083,0xa376af99,0x0361a45b,0x55425c6c,0x1f291e7b,0x812d2cef },
+      { 0x5fd94972,0xccf581a0,0xe56dc383,0x26e20e39,0x63dbfbf0,0x0093685d,
+        0x36b8c575,0x1fc164cc,0x390ef5e7,0xb9c5ab81,0x26908c66,0x40086beb } },
+    /* 180 */
+    { { 0x37e3c115,0xe5e54f79,0xc1445a8a,0x69b8ee8c,0xb7659709,0x79aedff2,
+        0x1b46fbe6,0xe288e163,0xd18d7bb7,0xdb4844f0,0x48aa6424,0xe0ea23d0 },
+      { 0xf3d80a73,0x714c0e4e,0x3bd64f98,0x87a0aa9e,0x2ec63080,0x8844b8a8,
+        0x255d81a3,0xe0ac9c30,0x455397fc,0x86151237,0x2f820155,0x0b979464 } },
+    /* 181 */
+    { { 0x4ae03080,0x127a255a,0x580a89fb,0x232306b4,0x6416f539,0x04e8cd6a,
+        0x13b02a0e,0xaeb70dee,0x4c09684a,0xa3038cf8,0x28e433ee,0xa710ec3c },
+      { 0x681b1f7d,0x77a72567,0x2fc28170,0x86fbce95,0xf5735ac8,0xd3408683,
+        0x6bd68e93,0x3a324e2a,0xc027d155,0x7ec74353,0xd4427177,0xab60354c } },
+    /* 182 */
+    { { 0xef4c209d,0x32a5342a,0x08d62704,0x2ba75274,0xc825d5fe,0x4bb4af6f,
+        0xd28e7ff1,0x1c3919ce,0xde0340f6,0x1dfc2fdc,0x29f33ba9,0xc6580baf },
+      { 0x41d442cb,0xae121e75,0x3a4724e4,0x4c7727fd,0x524f3474,0xe556d6a4,
+        0x785642a2,0x87e13cc7,0xa17845fd,0x182efbb1,0x4e144857,0xdcec0cf1 } },
+    /* 183 */
+    { { 0xe9539819,0x1cb89541,0x9d94dbf1,0xc8cb3b4f,0x417da578,0x1d353f63,
+        0x8053a09e,0xb7a697fb,0xc35d8b78,0x8d841731,0xb656a7a9,0x85748d6f },
+      { 0xc1859c5d,0x1fd03947,0x535d22a2,0x6ce965c1,0x0ca3aadc,0x1966a13e,
+        0x4fb14eff,0x9802e41d,0x76dd3fcd,0xa9048cbb,0xe9455bba,0x89b182b5 } },
+    /* 184 */
+    { { 0x43360710,0xd777ad6a,0x55e9936b,0x841287ef,0x04a21b24,0xbaf5c670,
+        0x35ad86f1,0xf2c0725f,0xc707e72e,0x338fa650,0xd8883e52,0x2bf8ed2e },
+      { 0xb56e0d6a,0xb0212cf4,0x6843290c,0x50537e12,0x98b3dc6f,0xd8b184a1,
+        0x0210b722,0xd2be9a35,0x559781ee,0x407406db,0x0bc18534,0x5a78d591 } },
+    /* 185 */
+    { { 0xd748b02c,0x4d57aa2a,0xa12b3b95,0xbe5b3451,0x64711258,0xadca7a45,
+        0x322153db,0x597e091a,0x32eb1eab,0xf3271006,0x2873f301,0xbd9adcba },
+      { 0x38543f7f,0xd1dc79d1,0x921b1fef,0x00022092,0x1e5df8ed,0x86db3ef5,
+        0x9e6b944a,0x888cae04,0x791a32b4,0x71bd29ec,0xa6d1c13e,0xd3516206 } },
+    /* 186 */
+    { { 0x55924f43,0x2ef6b952,0x4f9de8d5,0xd2f401ae,0xadc68042,0xfc73e8d7,
+        0x0d9d1bb4,0x627ea70c,0xbbf35679,0xc3bb3e3e,0xd882dee4,0x7e8a254a },
+      { 0xb5924407,0x08906f50,0xa1ad444a,0xf14a0e61,0x65f3738e,0xaa0efa21,
+        0xae71f161,0xd60c7dd6,0xf175894d,0x9e8390fa,0x149f4c00,0xd115cd20 } },
+    /* 187 */
+    { { 0xa52abf77,0x2f2e2c1d,0x54232568,0xc2a0dca5,0x54966dcc,0xed423ea2,
+        0xcd0dd039,0xe48c93c7,0x176405c7,0x1e54a225,0x70d58f2e,0x1efb5b16 },
+      { 0x94fb1471,0xa751f9d9,0x67d2941d,0xfdb31e1f,0x53733698,0xa6c74eb2,
+        0x89a0f64a,0xd3155d11,0xa4b8d2b6,0x4414cfe4,0xf7a8e9e3,0x8d5a4be8 } },
+    /* 188 */
+    { { 0x52669e98,0x5c96b4d4,0x8fd42a03,0x4547f922,0xd285174e,0xcf5c1319,
+        0x064bffa0,0x805cd1ae,0x246d27e7,0x50e8bc4f,0xd5781e11,0xf89ef98f },
+      { 0xdee0b63f,0xb4ff95f6,0x222663a4,0xad850047,0x4d23ce9c,0x02691860,
+        0x50019f59,0x3e5309ce,0x69a508ae,0x27e6f722,0x267ba52c,0xe9376652 } },
+    /* 189 */
+    { { 0xc0368708,0xa04d289c,0x5e306e1d,0xc458872f,0x33112fea,0x76fa23de,
+        0x6efde42e,0x718e3974,0x1d206091,0xf0c98cdc,0x14a71987,0x5fa3ca62 },
+      { 0xdcaa9f2a,0xeee8188b,0x589a860d,0x312cc732,0xc63aeb1f,0xf9808dd6,
+        0x4ea62b53,0x70fd43db,0x890b6e97,0x2c2bfe34,0xfa426aa6,0x105f863c } },
+    /* 190 */
+    { { 0xb38059ad,0x0b29795d,0x90647ea0,0x5686b77e,0xdb473a3e,0xeff0470e,
+        0xf9b6d1e2,0x278d2340,0xbd594ec7,0xebbff95b,0xd3a7f23d,0xf4b72334 },
+      { 0xa5a83f0b,0x2a285980,0x9716a8b3,0x0786c41a,0x22511812,0x138901bd,
+        0xe2fede6e,0xd1b55221,0xdf4eb590,0x0806e264,0x762e462e,0x6c4c897e } },
+    /* 191 */
+    { { 0xb4b41d9d,0xd10b905f,0x4523a65b,0x826ca466,0xb699fa37,0x535bbd13,
+        0x73bc8f90,0x5b9933d7,0xcd2118ad,0x9332d61f,0xd4a65fd0,0x158c693e },
+      { 0xe6806e63,0x4ddfb2a8,0xb5de651b,0xe31ed3ec,0x819bc69a,0xf9460e51,
+        0x2c76b1f8,0x6229c0d6,0x901970a3,0xbb78f231,0x9cee72b8,0x31f3820f } },
+    /* 192 */
+    { { 0xc09e1c72,0xe931caf2,0x12990cf4,0x0715f298,0x943262d8,0x33aad81d,
+        0x73048d3f,0x5d292b7a,0xdc7415f6,0xb152aaa4,0x0fd19587,0xc3d10fd9 },
+      { 0x75ddadd0,0xf76b35c5,0x1e7b694c,0x9f5f4a51,0xc0663025,0x2f1ab7eb,
+        0x920260b0,0x01c9cc87,0x05d39da6,0xc4b1f61a,0xeb4a9c4e,0x6dcd76c4 } },
+    /* 193 */
+    { { 0xfdc83f01,0x0ba0916f,0x9553e4f9,0x354c8b44,0xffc5e622,0xa6cc511a,
+        0xe95be787,0xb954726a,0x75b41a62,0xcb048115,0xebfde989,0xfa2ae6cd },
+      { 0x0f24659a,0x6376bbc7,0x4c289c43,0x13a999fd,0xec9abd8b,0xc7134184,
+        0xa789ab04,0x28c02bf6,0xd3e526ec,0xff841ebc,0x640893a8,0x442b191e } },
+    /* 194 */
+    { { 0xfa2b6e20,0x4cac6c62,0xf6d69861,0x97f29e9b,0xbc96d12d,0x228ab1db,
+        0x5e8e108d,0x6eb91327,0x40771245,0xd4b3d4d1,0xca8a803a,0x61b20623 },
+      { 0xa6a560b1,0x2c2f3b41,0x3859fcf4,0x879e1d40,0x024dbfc3,0x7cdb5145,
+        0x3bfa5315,0x55d08f15,0xaa93823a,0x2f57d773,0xc6a2c9a2,0xa97f259c } },
+    /* 195 */
+    { { 0xe58edbbb,0xc306317b,0x79dfdf13,0x25ade51c,0x16d83dd6,0x6b5beaf1,
+        0x1dd8f925,0xe8038a44,0xb2a87b6b,0x7f00143c,0xf5b438de,0xa885d00d },
+      { 0xcf9e48bd,0xe9f76790,0xa5162768,0xf0bdf9f0,0xad7b57cb,0x0436709f,
+        0xf7c15db7,0x7e151c12,0x5d90ee3b,0x3514f022,0x2c361a8d,0x2e84e803 } },
+    /* 196 */
+    { { 0x563ec8d8,0x2277607d,0xe3934cb7,0xa661811f,0xf58fd5de,0x3ca72e7a,
+        0x62294c6a,0x7989da04,0xf6bbefe9,0x88b3708b,0x53ed7c82,0x0d524cf7 },
+      { 0x2f30c073,0x69f699ca,0x9dc1dcf3,0xf0fa264b,0x05f0aaf6,0x44ca4568,
+        0xd19b9baf,0x0f5b23c7,0xeabd1107,0x39193f41,0x2a7c9b83,0x9e3e10ad } },
+    /* 197 */
+    { { 0xd4ae972f,0xa90824f0,0xc6e846e7,0x43eef02b,0x29d2160a,0x7e460612,
+        0xfe604e91,0x29a178ac,0x4eb184b2,0x23056f04,0xeb54cdf4,0x4fcad55f },
+      { 0xae728d15,0xa0ff96f3,0xc6a00331,0x8a2680c6,0x7ee52556,0x5f84cae0,
+        0xc5a65dad,0x5e462c3a,0xe2d23f4f,0x5d2b81df,0xc5b1eb07,0x6e47301b } },
+    /* 198 */
+    { { 0xaf8219b9,0x77411d68,0x51b1907a,0xcb883ce6,0x101383b5,0x25c87e57,
+        0x982f970d,0x9c7d9859,0x118305d2,0xaa6abca5,0x9013a5db,0x725fed2f },
+      { 0xababd109,0x487cdbaf,0x87586528,0xc0f8cf56,0x8ad58254,0xa02591e6,
+        0xdebbd526,0xc071b1d1,0x961e7e31,0x927dfe8b,0x9263dfe1,0x55f895f9 } },
+    /* 199 */
+    { { 0xb175645b,0xf899b00d,0xb65b4b92,0x51f3a627,0xb67399ef,0xa2f3ac8d,
+        0xe400bc20,0xe717867f,0x1967b952,0x42cc9020,0x3ecd1de1,0x3d596751 },
+      { 0xdb979775,0xd41ebcde,0x6a2e7e88,0x99ba61bc,0x321504f2,0x039149a5,
+        0x27ba2fad,0xe7dc2314,0xb57d8368,0x9f556308,0x57da80a7,0x2b6d16c9 } },
+    /* 200 */
+    { { 0x279ad982,0x84af5e76,0x9c8b81a6,0x9bb4c92d,0x0e698e67,0xd79ad44e,
+        0x265fc167,0xe8be9048,0x0c3a4ccc,0xf135f7e6,0xb8863a33,0xa0a10d38 },
+      { 0xd386efd9,0xe197247c,0xb52346c2,0x0eefd3f9,0x78607bc8,0xc22415f9,
+        0x508674ce,0xa2a8f862,0xc8c9d607,0xa72ad09e,0x50fa764f,0xcd9f0ede } },
+    /* 201 */
+    { { 0xd1a46d4d,0x063391c7,0x9eb01693,0x2df51c11,0x849e83de,0xc5849800,
+        0x8ad08382,0x48fd09aa,0xaa742736,0xa405d873,0xe1f9600c,0xee49e61e },
+      { 0x48c76f73,0xd76676be,0x01274b2a,0xd9c100f6,0x83f8718d,0x110bb67c,
+        0x02fc0d73,0xec85a420,0x744656ad,0xc0449e1e,0x37d9939b,0x28ce7376 } },
+    /* 202 */
+    { { 0x44544ac7,0x97e9af72,0xba010426,0xf2c658d5,0xfb3adfbd,0x732dec39,
+        0xa2df0b07,0xd12faf91,0x2171e208,0x8ac26725,0x5b24fa54,0xf820cdc8 },
+      { 0x94f4cf77,0x307a6eea,0x944a33c6,0x18c783d2,0x0b741ac5,0x4b939d4c,
+        0x3ffbb6e4,0x1d7acd15,0x7a255e44,0x06a24858,0xce336d50,0x14fbc494 } },
+    /* 203 */
+    { { 0x51584e3c,0x9b920c0c,0xf7e54027,0xc7733c59,0x88422bbe,0xe24ce139,
+        0x523bd6ab,0x11ada812,0xb88e6def,0xde068800,0xfe8c582d,0x7b872671 },
+      { 0x7de53510,0x4e746f28,0xf7971968,0x492f8b99,0x7d928ac2,0x1ec80bc7,
+        0x432eb1b5,0xb3913e48,0x32028f6e,0xad084866,0x8fc2f38b,0x122bb835 } },
+    /* 204 */
+    { { 0x3b0b29c3,0x0a9f3b1e,0x4fa44151,0x837b6432,0x17b28ea7,0xb9905c92,
+        0x98451750,0xf39bc937,0xce8b6da1,0xcd383c24,0x010620b2,0x299f57db },
+      { 0x58afdce3,0x7b6ac396,0x3d05ef47,0xa15206b3,0xb9bb02ff,0xa0ae37e2,
+        0x9db3964c,0x107760ab,0x67954bea,0xe29de9a0,0x431c3f82,0x446a1ad8 } },
+    /* 205 */
+    { { 0x5c6b8195,0xc6fecea0,0xf49e71b9,0xd744a7c5,0x177a7ae7,0xa8e96acc,
+        0x358773a7,0x1a05746c,0x37567369,0xa4162146,0x87d1c971,0xaa0217f7 },
+      { 0x77fd3226,0x61e9d158,0xe4f600be,0x0f6f2304,0x7a6dff07,0xa9c4cebc,
+        0x09f12a24,0xd15afa01,0x8c863ee9,0x2bbadb22,0xe5eb8c78,0xa28290e4 } },
+    /* 206 */
+    { { 0x3e9de330,0x55b87fa0,0x195c145b,0x12b26066,0xa920bef0,0xe08536e0,
+        0x4d195adc,0x7bff6f2c,0x945f4187,0x7f319e9d,0xf892ce47,0xf9848863 },
+      { 0x4fe37657,0xd0efc1d3,0x5cf0e45a,0x3c58de82,0x8b0ccbbe,0x626ad21a,
+        0xaf952fc5,0xd2a31208,0xeb437357,0x81791995,0x98e95d4f,0x5f19d30f } },
+    /* 207 */
+    { { 0x0e6865bb,0x72e83d9a,0xf63456a6,0x22f5af3b,0x463c8d9e,0x409e9c73,
+        0xdfe6970e,0x40e9e578,0x711b91ca,0x876b6efa,0x942625a3,0x895512cf },
+      { 0xcb4e462b,0x84c8eda8,0x4412e7c8,0x84c0154a,0xceb7b71f,0x04325db1,
+        0x66f70877,0x1537dde3,0x1992b9ac,0xf3a09399,0xd498ae77,0xa7316606 } },
+    /* 208 */
+    { { 0xcad260f5,0x13990d2f,0xeec0e8c0,0x76c3be29,0x0f7bd7d5,0x7dc5bee0,
+        0xefebda4b,0x9be167d2,0x9122b87e,0xcce3dde6,0x82b5415c,0x75a28b09 },
+      { 0xe84607a6,0xf6810bcd,0x6f4dbf0d,0xc6d58128,0x1b4dafeb,0xfead577d,
+        0x066b28eb,0x9bc440b2,0x8b17e84b,0x53f1da97,0xcda9a575,0x0459504b } },
+    /* 209 */
+    { { 0x329e5836,0x13e39a02,0xf717269d,0x2c9e7d51,0xf26c963b,0xc5ac58d6,
+        0x79967bf5,0x3b0c6c43,0x55908d9d,0x60bbea3f,0xf07c9ad1,0xd84811e7 },
+      { 0x5bd20e4a,0xfe7609a7,0x0a70baa8,0xe4325dd2,0xb3600386,0x3711f370,
+        0xd0924302,0x97f9562f,0x4acc4436,0x040dc0c3,0xde79cdd4,0xfd6d725c } },
+    /* 210 */
+    { { 0xcf13eafb,0xb3efd0e3,0x5aa0ae5f,0x21009cbb,0x79022279,0xe480c553,
+        0xb2fc9a6d,0x755cf334,0x07096ae7,0x8564a5bf,0xbd238139,0xddd649d0 },
+      { 0x8a045041,0xd0de10b1,0xc957d572,0x6e05b413,0x4e0fb25c,0x5c5ff806,
+        0x641162fb,0xd933179b,0xe57439f9,0x42d48485,0x8a8d72aa,0x70c5bd0a } },
+    /* 211 */
+    { { 0x97bdf646,0xa7671738,0xab329f7c,0xaa1485b4,0xf8f25fdf,0xce3e11d6,
+        0xc6221824,0x76a3fc7e,0xf3924740,0x045f281f,0x96d13a9a,0x24557d4e },
+      { 0xdd4c27cd,0x875c804b,0x0f5c7fea,0x11c5f0f4,0xdc55ff7e,0xac8c880b,
+        0x1103f101,0x2acddec5,0xf99faa89,0x38341a21,0xce9d6b57,0xc7b67a2c } },
+    /* 212 */
+    { { 0x8e357586,0x9a0d724f,0xdf648da0,0x1d7f4ff5,0xfdee62a5,0x9c3e6c9b,
+        0x0389b372,0x0499cef0,0x98eab879,0xe904050d,0x6c051617,0xe8eef1b6 },
+      { 0xc37e3ca9,0xebf5bfeb,0xa4e0b91d,0x7c5e946d,0x2c4bea28,0x79097314,
+        0xee67b2b7,0x81f6c109,0xdafc5ede,0xaf237d9b,0x2abb04c7,0xd2e60201 } },
+    /* 213 */
+    { { 0x8a4f57bf,0x6156060c,0xff11182a,0xf9758696,0x6296ef00,0x8336773c,
+        0xff666899,0x9c054bce,0x719cd11c,0xd6a11611,0xdbe1acfa,0x9824a641 },
+      { 0xba89fd01,0x0b7b7a5f,0x889f79d8,0xf8d3b809,0xf578285c,0xc5e1ea08,
+        0xae6d8288,0x7ac74536,0x7521ef5f,0x5d37a200,0xb260a25d,0x5ecc4184 } },
+    /* 214 */
+    { { 0xa708c8d3,0xddcebb19,0xc63f81ec,0xe63ed04f,0x11873f95,0xd045f5a0,
+        0x79f276d5,0x3b5ad544,0x425ae5b3,0x81272a3d,0x10ce1605,0x8bfeb501 },
+      { 0x888228bf,0x4233809c,0xb2aff7df,0x4bd82acf,0x0cbd4a7f,0x9c68f180,
+        0x6b44323d,0xfcd77124,0x891db957,0x60c0fcf6,0x04da8f7f,0xcfbb4d89 } },
+    /* 215 */
+    { { 0x3b26139a,0x9a6a5df9,0xb2cc7eb8,0x3e076a83,0x5a964bcd,0x47a8e82d,
+        0xb9278d6b,0x8a4e2a39,0xe4443549,0x93506c98,0xf1e0d566,0x06497a8f },
+      { 0x2b1efa05,0x3dee8d99,0x45393e33,0x2da63ca8,0xcf0579ad,0xa4af7277,
+        0x3236d8ea,0xaf4b4639,0x32b617f5,0x6ccad95b,0xb88bb124,0xce76d8b8 } },
+    /* 216 */
+    { { 0x083843dc,0x63d2537a,0x1e4153b4,0x89eb3514,0xea9afc94,0x5175ebc4,
+        0x8ed1aed7,0x7a652580,0xd85e8297,0x67295611,0xb584b73d,0x8dd2d68b },
+      { 0x0133c3a4,0x237139e6,0x4bd278ea,0x9de838ab,0xc062fcd9,0xe829b072,
+        0x63ba8706,0x70730d4f,0xd3cd05ec,0x6080483f,0x0c85f84d,0x872ab5b8 } },
+    /* 217 */
+    { { 0x999d4d49,0xfc0776d3,0xec3f45e7,0xa3eb59de,0x0dae1fc1,0xbc990e44,
+        0xa15371ff,0x33596b1e,0x9bc7ab25,0xd447dcb2,0x35979582,0xcd5b63e9 },
+      { 0x77d1ff11,0xae3366fa,0xedee6903,0x59f28f05,0xa4433bf2,0x6f43fed1,
+        0xdf9ce00e,0x15409c9b,0xaca9c5dc,0x21b5cded,0x82d7bdb4,0xf9f33595 } },
+    /* 218 */
+    { { 0x9422c792,0x95944378,0xc958b8bf,0x239ea923,0xdf076541,0x4b61a247,
+        0xbb9fc544,0x4d29ce85,0x0b424559,0x9a692a67,0x0e486900,0x6e0ca5a0 },
+      { 0x85b3bece,0x6b79a782,0xc61f9892,0x41f35e39,0xae747f82,0xff82099a,
+        0xd0ca59d6,0x58c8ae3f,0x99406b5f,0x4ac930e2,0x9df24243,0x2ce04eb9 } },
+    /* 219 */
+    { { 0x1ac37b82,0x4366b994,0x25b04d83,0xff0c728d,0x19c47b7c,0x1f551361,
+        0xbeff13e7,0xdbf2d5ed,0xe12a683d,0xf78efd51,0x989cf9c4,0x82cd85b9 },
+      { 0xe0cb5d37,0xe23c6db6,0x72ee1a15,0x818aeebd,0x28771b14,0x8212aafd,
+        0x1def817d,0x7bc221d9,0x9445c51f,0xdac403a2,0x12c3746b,0x711b0517 } },
+    /* 220 */
+    { { 0x5ea99ecc,0x0ed9ed48,0xb8cab5e1,0xf799500d,0xb570cbdc,0xa8ec87dc,
+        0xd35dfaec,0x52cfb2c2,0x6e4d80a4,0x8d31fae2,0xdcdeabe5,0xe6a37dc9 },
+      { 0x1deca452,0x5d365a34,0x0d68b44e,0x09a5f8a5,0xa60744b1,0x59238ea5,
+        0xbb4249e9,0xf2fedc0d,0xa909b2e3,0xe395c74e,0x39388250,0xe156d1a5 } },
+    /* 221 */
+    { { 0x47181ae9,0xd796b3d0,0x44197808,0xbaf44ba8,0x34cf3fac,0xe6933094,
+        0xc3bd5c46,0x41aa6ade,0xeed947c6,0x4fda75d8,0x9ea5a525,0xacd9d412 },
+      { 0xd430301b,0x65cc55a3,0x7b52ea49,0x3c9a5bcf,0x159507f0,0x22d319cf,
+        0xde74a8dd,0x2ee0b9b5,0x877ac2b6,0x20c26a1e,0x92e7c314,0x387d73da } },
+    /* 222 */
+    { { 0x8cd3fdac,0x13c4833e,0x332e5b8e,0x76fcd473,0xe2fe1fd3,0xff671b4b,
+        0x5d98d8ec,0x4d734e8b,0x514bbc11,0xb1ead3c6,0x7b390494,0xd14ca858 },
+      { 0x5d2d37e9,0x95a443af,0x00464622,0x73c6ea73,0x15755044,0xa44aeb4b,
+        0xfab58fee,0xba3f8575,0xdc680a6f,0x9779dbc9,0x7b37ddfc,0xe1ee5f5a } },
+    /* 223 */
+    { { 0x12d29f46,0xcd0b4648,0x0ed53137,0x93295b0b,0x80bef6c9,0xbfe26094,
+        0x54248b00,0xa6565788,0x80e7f9c4,0x69c43fca,0xbe141ea1,0x2190837b },
+      { 0xa1b26cfb,0x875e159a,0x7affe852,0x90ca9f87,0x92ca598e,0x15e6550d,
+        0x1938ad11,0xe3e0945d,0x366ef937,0xef7636bb,0xb39869e5,0xb6034d0b } },
+    /* 224 */
+    { { 0x26d8356e,0x4d255e30,0xd314626f,0xf83666ed,0xd0c8ed64,0x421ddf61,
+        0x26677b61,0x96e473c5,0x9e9b18b3,0xdad4af7e,0xa9393f75,0xfceffd4a },
+      { 0x11c731d5,0x843138a1,0xb2f141d9,0x05bcb3a1,0x617b7671,0x20e1fa95,
+        0x88ccec7b,0xbefce812,0x90f1b568,0x582073dc,0x1f055cb7,0xf572261a } },
+    /* 225 */
+    { { 0x36973088,0xf3148277,0x86a9f980,0xc008e708,0xe046c261,0x1b795947,
+        0xca76bca0,0xdf1e6a7d,0x71acddf0,0xabafd886,0x1364d8f4,0xff7054d9 },
+      { 0xe2260594,0x2cf63547,0xd73b277e,0x468a5372,0xef9bd35e,0xc7419e24,
+        0x24043cc3,0x2b4a1c20,0x890b39cd,0xa28f047a,0x46f9a2e3,0xdca2cea1 } },
+    /* 226 */
+    { { 0x53277538,0xab788736,0xcf697738,0xa734e225,0x6b22e2c1,0x66ee1d1e,
+        0xebe1d212,0x2c615389,0x02bb0766,0xf36cad40,0x3e64f207,0x120885c3 },
+      { 0x90fbfec2,0x59e77d56,0xd7a574ae,0xf9e781aa,0x5d045e53,0x801410b0,
+        0xa91b5f0e,0xd3b5f0aa,0x7fbb3521,0xb3d1df00,0xc72bee9a,0x11c4b33e } },
+    /* 227 */
+    { { 0x83c3a7f3,0xd32b9832,0x88d8a354,0x8083abcf,0x50f4ec5a,0xdeb16404,
+        0x641e2907,0x18d747f0,0xf1bbf03e,0x4e8978ae,0x88a0cd89,0x932447dc },
+      { 0xcf3d5897,0x561e0feb,0x13600e6d,0xfc3a682f,0xd16a6b73,0xc78b9d73,
+        0xd29bf580,0xe713fede,0x08d69e5c,0x0a225223,0x1ff7fda4,0x3a924a57 } },
+    /* 228 */
+    { { 0xb4093bee,0xfb64554c,0xa58c6ec0,0xa6d65a25,0x43d0ed37,0x4126994d,
+        0x55152d44,0xa5689a51,0x284caa8d,0xb8e5ea8c,0xd1f25538,0x33f05d4f },
+      { 0x1b615d6e,0xe0fdfe09,0x705507da,0x2ded7e8f,0x17bbcc80,0xdd5631e5,
+        0x267fd11f,0x4f87453e,0xff89d62d,0xc6da723f,0xe3cda21d,0x55cbcae2 } },
+    /* 229 */
+    { { 0x6b4e84f3,0x336bc94e,0x4ef72c35,0x72863031,0xeeb57f99,0x6d85fdee,
+        0xa42ece1b,0x7f4e3272,0x36f0320a,0x7f86cbb5,0x923331e6,0xf09b6a2b },
+      { 0x56778435,0x21d3ecf1,0x8323b2d2,0x2977ba99,0x1704bc0f,0x6a1b57fb,
+        0x389f048a,0xd777cf8b,0xac6b42cd,0x9ce2174f,0x09e6c55a,0x404e2bff } },
+    /* 230 */
+    { { 0x204c5ddb,0x9b9b135e,0x3eff550e,0x9dbfe044,0xec3be0f6,0x35eab4bf,
+        0x0a43e56f,0x8b4c3f0d,0x0e73f9b3,0x4c1c6673,0x2c78c905,0x92ed38bd },
+      { 0xa386e27c,0xc7003f6a,0xaced8507,0xb9c4f46f,0x59df5464,0xea024ec8,
+        0x429572ea,0x4af96152,0xe1fc1194,0x279cd5e2,0x281e358c,0xaa376a03 } },
+    /* 231 */
+    { { 0x3cdbc95c,0x07859223,0xef2e337a,0xaae1aa6a,0x472a8544,0xc040108d,
+        0x8d037b7d,0x80c853e6,0x8c7eee24,0xd221315c,0x8ee47752,0x195d3856 },
+      { 0xdacd7fbe,0xd4b1ba03,0xd3e0c52b,0x4b5ac61e,0x6aab7b52,0x68d3c052,
+        0x660e3fea,0xf0d7248c,0x3145efb4,0xafdb3f89,0x8f40936d,0xa73fd9a3 } },
+    /* 232 */
+    { { 0xbb1b17ce,0x891b9ef3,0xc6127f31,0x14023667,0x305521fd,0x12b2e58d,
+        0xe3508088,0x3a47e449,0xff751507,0xe49fc84b,0x5310d16e,0x4023f722 },
+      { 0xb73399fa,0xa608e5ed,0xd532aa3e,0xf12632d8,0x845e8415,0x13a2758e,
+        0x1fc2d861,0xae4b6f85,0x339d02f2,0x3879f5b1,0x80d99ebd,0x446d22a6 } },
+    /* 233 */
+    { { 0x4be164f1,0x0f502302,0x88b81920,0x8d09d2d6,0x984aceff,0x514056f1,
+        0x75e9e80d,0xa5c4ddf0,0xdf496a93,0x38cb47e6,0x38df6bf7,0x899e1d6b },
+      { 0xb59eb2a6,0x69e87e88,0x9b47f38b,0x280d9d63,0x3654e955,0x599411ea,
+        0x969aa581,0xcf8dd4fd,0x530742a7,0xff5c2baf,0x1a373085,0xa4391536 } },
+    /* 234 */
+    { { 0xa8a4bdd2,0x6ace72a3,0xb68ef702,0xc656cdd1,0x90c4dad8,0xd4a33e7e,
+        0x9d951c50,0x4aece08a,0x085d68e6,0xea8005ae,0x6f7502b8,0xfdd7a7d7 },
+      { 0x98d6fa45,0xce6fb0a6,0x1104eb8c,0x228f8672,0xda09d7dc,0xd23d8787,
+        0x2ae93065,0x5521428b,0xea56c366,0x95faba3d,0x0a88aca5,0xedbe5039 } },
+    /* 235 */
+    { { 0xbfb26c82,0xd64da0ad,0x952c2f9c,0xe5d70b3c,0xf7e77f68,0xf5e8f365,
+        0x08f2d695,0x7234e002,0xd12e7be6,0xfaf900ee,0x4acf734e,0x27dc6934 },
+      { 0xc260a46a,0x80e4ff5e,0x2dc31c28,0x7da5ebce,0xca69f552,0x485c5d73,
+        0x69cc84c2,0xcdfb6b29,0xed6d4eca,0x031c5afe,0x22247637,0xc7bbf4c8 } },
+    /* 236 */
+    { { 0x49fe01b2,0x9d5b72c7,0x793a91b8,0x34785186,0xcf460438,0xa3ba3c54,
+        0x3ab21b6f,0x73e8e43d,0xbe57b8ab,0x50cde8e0,0xdd204264,0x6488b3a7 },
+      { 0xdddc4582,0xa9e398b3,0x5bec46fe,0x1698c1a9,0x156d3843,0x7f1446ef,
+        0x770329a2,0x3fd25dd8,0x2c710668,0x05b1221a,0xa72ee6cf,0x65b2dc2a } },
+    /* 237 */
+    { { 0xcd021d63,0x21a885f7,0xfea61f08,0x3f344b15,0xc5cf73e6,0xad5ba6dd,
+        0x227a8b23,0x154d0d8f,0xdc559311,0x9b74373c,0x98620fa1,0x4feab715 },
+      { 0x7d9ec924,0x5098938e,0x6d47e550,0x84d54a5e,0x1b617506,0x1a2d1bdc,
+        0x615868a4,0x99fe1782,0x3005a924,0x171da780,0x7d8f79b6,0xa70bf5ed } },
+    /* 238 */
+    { { 0xfe2216c5,0x0bc1250d,0x7601b351,0x2c37e250,0xd6f06b7e,0xb6300175,
+        0x8bfeb9b7,0x4dde8ca1,0xb82f843d,0x4f210432,0xb1ac0afd,0x8d70e2f9 },
+      { 0xaae91abb,0x25c73b78,0x863028f2,0x0230dca3,0xe5cf30b7,0x8b923ecf,
+        0x5506f265,0xed754ec2,0x729a5e39,0x8e41b88c,0xbabf889b,0xee67cec2 } },
+    /* 239 */
+    { { 0x1be46c65,0xe183acf5,0xe7565d7a,0x9789538f,0xd9627b4e,0x87873391,
+        0x9f1d9187,0xbf4ac4c1,0x4691f5c8,0x5db99f63,0x74a1fb98,0xa68df803 },
+      { 0xbf92b5fa,0x3c448ed1,0x3e0bdc32,0xa098c841,0x79bf016c,0x8e74cd55,
+        0x115e244d,0x5df0d09c,0x3410b66e,0x9418ad01,0x17a02130,0x8b6124cb } },
+    /* 240 */
+    { { 0xc26e3392,0x425ec3af,0xa1722e00,0xc07f8470,0xe2356b43,0xdcc28190,
+        0xb1ef59a6,0x4ed97dff,0xc63028c1,0xc22b3ad1,0x68c18988,0x070723c2 },
+      { 0x4cf49e7d,0x70da302f,0x3f12a522,0xc5e87c93,0x18594148,0x74acdd1d,
+        0xca74124c,0xad5f73ab,0xd69fd478,0xe72e4a3e,0x7b117cc3,0x61593868 } },
+    /* 241 */
+    { { 0xa9aa0486,0x7b7b9577,0xa063d557,0x6e41fb35,0xda9047d7,0xb017d5c7,
+        0x68a87ba9,0x8c748280,0xdf08ad93,0xab45fa5c,0x4c288a28,0xcd9fb217 },
+      { 0x5747843d,0x59544642,0xa56111e3,0x34d64c6c,0x4bfce8d5,0x12e47ea1,
+        0x6169267f,0x17740e05,0xeed03fb5,0x5c49438e,0x4fc3f513,0x9da30add } },
+    /* 242 */
+    { { 0xccfa5200,0xc4e85282,0x6a19b13d,0x2707608f,0xf5726e2f,0xdcb9a53d,
+        0xe9427de5,0x612407c9,0xd54d582a,0x3e5a17e1,0x655ae118,0xb99877de },
+      { 0x015254de,0x6f0e972b,0xf0a6f7c5,0x92a56db1,0xa656f8b2,0xd297e4e1,
+        0xad981983,0x99fe0052,0x07cfed84,0xd3652d2f,0x843c1738,0xc784352e } },
+    /* 243 */
+    { { 0x7e9b2d8a,0x6ee90af0,0x57cf1964,0xac8d7018,0x71f28efc,0xf6ed9031,
+        0x6812b20e,0x7f70d5a9,0xf1c61eee,0x27b557f4,0xc6263758,0xf1c9bd57 },
+      { 0x2a1a6194,0x5cf7d014,0x1890ab84,0xdd614e0b,0x0e93c2a6,0x3ef9de10,
+        0xe0cd91c5,0xf98cf575,0x14befc32,0x504ec0c6,0x6279d68c,0xd0513a66 } },
+    /* 244 */
+    { { 0xa859fb6a,0xa8eadbad,0xdb283666,0xcf8346e7,0x3e22e355,0x7b35e61a,
+        0x99639c6b,0x293ece2c,0x56f241c8,0xfa0162e2,0xbf7a1dda,0xd2e6c7b9 },
+      { 0x40075e63,0xd0de6253,0xf9ec8286,0x2405aa61,0x8fe45494,0x2237830a,
+        0x364e9c8c,0x4fd01ac7,0x904ba750,0x4d9c3d21,0xaf1b520b,0xd589be14 } },
+    /* 245 */
+    { { 0x4662e53b,0x13576a4f,0xf9077676,0x35ec2f51,0x97c0af97,0x66297d13,
+        0x9e598b58,0xed3201fe,0x5e70f604,0x49bc752a,0xbb12d951,0xb54af535 },
+      { 0x212c1c76,0x36ea4c2b,0xeb250dfd,0x18f5bbc7,0x9a0a1a46,0xa0d466cc,
+        0xdac2d917,0x52564da4,0x8e95fab5,0x206559f4,0x9ca67a33,0x7487c190 } },
+    /* 246 */
+    { { 0xdde98e9c,0x75abfe37,0x2a411199,0x99b90b26,0xdcdb1f7c,0x1b410996,
+        0x8b3b5675,0xab346f11,0xf1f8ae1e,0x04852193,0x6b8b98c1,0x1ec4d227 },
+      { 0x45452baa,0xba3bc926,0xacc4a572,0x387d1858,0xe51f171e,0x9478eff6,
+        0x931e1c00,0xf357077d,0xe54c8ca8,0xffee77cd,0x551dc9a4,0xfb4892ff } },
+    /* 247 */
+    { { 0x2db8dff8,0x5b1bdad0,0x5a2285a2,0xd462f4fd,0xda00b461,0x1d6aad8e,
+        0x41306d1b,0x43fbefcf,0x6a13fe19,0x428e86f3,0x17f89404,0xc8b2f118 },
+      { 0xf0d51afb,0x762528aa,0x549b1d06,0xa3e2fea4,0xea3ddf66,0x86fad8f2,
+        0x4fbdd206,0x0d9ccc4b,0xc189ff5a,0xcde97d4c,0x199f19a6,0xc36793d6 } },
+    /* 248 */
+    { { 0x51b85197,0xea38909b,0xb4c92895,0xffb17dd0,0x1ddb3f3f,0x0eb0878b,
+        0xc57cf0f2,0xb05d28ff,0x1abd57e2,0xd8bde2e7,0xc40c1b20,0x7f2be28d },
+      { 0x299a2d48,0x6554dca2,0x8377982d,0x5130ba2e,0x1071971a,0x8863205f,
+        0x7cf2825d,0x15ee6282,0x03748f2b,0xd4b6c57f,0x430385a0,0xa9e3f4da } },
+    /* 249 */
+    { { 0x83fbc9c6,0x33eb7cec,0x4541777e,0x24a311c7,0x4f0767fc,0xc81377f7,
+        0x4ab702da,0x12adae36,0x2a779696,0xb7fcb6db,0x01cea6ad,0x4a6fb284 },
+      { 0xcdfc73de,0x5e8b1d2a,0x1b02fd32,0xd0efae8d,0xd81d8519,0x3f99c190,
+        0xfc808971,0x3c18f7fa,0x51b7ae7b,0x41f713e7,0xf07fc3f8,0x0a4b3435 } },
+    /* 250 */
+    { { 0x019b7d2e,0x7dda3c4c,0xd4dc4b89,0x631c8d1a,0x1cdb313c,0x5489cd6e,
+        0x4c07bb06,0xd44aed10,0x75f000d1,0x8f97e13a,0xdda5df4d,0x0e9ee64f },
+      { 0x3e346910,0xeaa99f3b,0xfa294ad7,0x622f6921,0x0d0b2fe9,0x22aaa20d,
+        0x1e5881ba,0x4fed2f99,0xc1571802,0x9af3b2d6,0xdc7ee17c,0x919e67a8 } },
+    /* 251 */
+    { { 0x76250533,0xc724fe4c,0x7d817ef8,0x8a2080e5,0x172c9751,0xa2afb0f4,
+        0x17c0702e,0x9b10cdeb,0xc9b7e3e9,0xbf3975e3,0x1cd0cdc5,0x206117df },
+      { 0xbe05ebd5,0xfb049e61,0x16c782c0,0xeb0bb55c,0xab7fed09,0x13a331b8,
+        0x632863f0,0xf6c58b1d,0x4d3b6195,0x6264ef6e,0x9a53f116,0x92c51b63 } },
+    /* 252 */
+    { { 0x288b364d,0xa57c7bc8,0x7b41e5c4,0x4a562e08,0x698a9a11,0x699d21c6,
+        0xf3f849b9,0xa4ed9581,0x9eb726ba,0xa223eef3,0xcc2884f9,0x13159c23 },
+      { 0x3a3f4963,0x73931e58,0x0ada6a81,0x96500389,0x5ab2950b,0x3ee8a1c6,
+        0x775fab52,0xeedf4949,0x4f2671b6,0x63d652e1,0x3c4e2f55,0xfed4491c } },
+    /* 253 */
+    { { 0xf4eb453e,0x335eadc3,0xcadd1a5b,0x5ff74b63,0x5d84a91a,0x6933d0d7,
+        0xb49ba337,0x9ca3eeb9,0xc04c15b8,0x1f6facce,0xdc09a7e4,0x4ef19326 },
+      { 0x3dca3233,0x53d2d324,0xa2259d4b,0x0ee40590,0x5546f002,0x18c22edb,
+        0x09ea6b71,0x92429801,0xb0e91e61,0xaada0add,0x99963c50,0x5fe53ef4 } },
+    /* 254 */
+    { { 0x90c28c65,0x372dd06b,0x119ce47d,0x1765242c,0x6b22fc82,0xc041fb80,
+        0xb0a7ccc1,0x667edf07,0x1261bece,0xc79599e7,0x19cff22a,0xbc69d9ba },
+      { 0x13c06819,0x009d77cd,0xe282b79d,0x635a66ae,0x225b1be8,0x4edac4a6,
+        0x524008f9,0x57d4f4e4,0xb056af84,0xee299ac5,0x3a0bc386,0xcc38444c } },
+    /* 255 */
+    { { 0xcd4c2356,0x490643b1,0x750547be,0x740a4851,0xd4944c04,0x643eaf29,
+        0x299a98a0,0xba572479,0xee05fdf9,0x48b29f16,0x089b2d7b,0x33fb4f61 },
+      { 0xa950f955,0x86704902,0xfedc3ddf,0x97e1034d,0x05fbb6a2,0x211320b6,
+        0x432299bb,0x23d7b93f,0x8590e4a3,0x1fe1a057,0xf58c0ce6,0x8e1d0586 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+
+            err = sp_384_ecc_mulmod_base_12(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_12(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
+            a[8] | a[9] | a[10] | a[11]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_add_one_12(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r2, #1\n\t"
+        "ldr	r1, [%[a], #0]\n\t"
+        "add	r1, r2\n\t"
+        "mov	r2, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "ldr	r1, [%[a], #4]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #4]\n\t"
+        "ldr	r1, [%[a], #8]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #8]\n\t"
+        "ldr	r1, [%[a], #12]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "ldr	r1, [%[a], #20]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #20]\n\t"
+        "ldr	r1, [%[a], #24]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #24]\n\t"
+        "ldr	r1, [%[a], #28]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #28]\n\t"
+        "ldr	r1, [%[a], #32]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #32]\n\t"
+        "ldr	r1, [%[a], #36]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #36]\n\t"
+        "ldr	r1, [%[a], #40]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #40]\n\t"
+        "ldr	r1, [%[a], #44]\n\t"
+        "adc	r1, r2\n\t"
+        "str	r1, [%[a], #44]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_12(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 12, buf, (int)sizeof(buf));
+            if (sp_384_cmp_12(k, p384_order2) < 0) {
+                sp_384_add_one_12(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_12(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_12(point->x) == 0) || (sp_384_iszero_12(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_12(infinity, 1, heap);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 384 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<12 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, priv);
+        sp_384_point_from_ecc_point_12(point, pub);
+            err = sp_384_ecc_mulmod_12(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_in_place_12(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r7, %[a]\n\t"
+        "add	r7, #48\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        "add	%[a], #8\n\t"
+        "add	%[b], #8\n\t"
+        "cmp	%[a], r7\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r7"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_in_place_12(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b], #0]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sub	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #0]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "ldr	r5, [%[b], #8]\n\t"
+        "ldr	r6, [%[b], #12]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #8]\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "ldr	r5, [%[b], #16]\n\t"
+        "ldr	r6, [%[b], #20]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #16]\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "ldr	r5, [%[b], #24]\n\t"
+        "ldr	r6, [%[b], #28]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #24]\n\t"
+        "str	r4, [%[a], #28]\n\t"
+        "ldr	r3, [%[a], #32]\n\t"
+        "ldr	r4, [%[a], #36]\n\t"
+        "ldr	r5, [%[b], #32]\n\t"
+        "ldr	r6, [%[b], #36]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #32]\n\t"
+        "str	r4, [%[a], #36]\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "ldr	r5, [%[b], #40]\n\t"
+        "ldr	r6, [%[b], #44]\n\t"
+        "sbc	r3, r5\n\t"
+        "sbc	r4, r6\n\t"
+        "str	r3, [%[a], #40]\n\t"
+        "str	r4, [%[a], #44]\n\t"
+        "sbc	%[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_384_mul_d_12(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "mov	r6, #48\n\t"
+        "add	r6, %[a]\n\t"
+        "mov	r8, %[r]\n\t"
+        "mov	r9, r6\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "# A[] * B\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r3, r7\n\t"
+        "adc	r4, %[r]\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "ldr	r6, [%[a]]\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "lsr	r7, %[b], #16\n\t"
+        "mul	r7, r6\n\t"
+        "add	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "lsl	r7, %[b], #16\n\t"
+        "lsr	r7, r7, #16\n\t"
+        "mul	r6, r7\n\t"
+        "lsr	r7, r6, #16\n\t"
+        "lsl	r6, r6, #16\n\t"
+        "add	r3, r6\n\t"
+        "adc	r4, r7\n\t"
+        "adc	r5, %[r]\n\t"
+        "# A[] * B - Done\n\t"
+        "mov	%[r], r8\n\t"
+        "str	r3, [%[r]]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	%[r], #4\n\t"
+        "add	%[a], #4\n\t"
+        "mov	r8, %[r]\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r7", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_384_word_12(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r5, %[div], #1\n\t"
+        "add	r5, #1\n\t"
+        "mov	r8, %[d0]\n\t"
+        "mov	r9, %[d1]\n\t"
+        "# Do top 32\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "# Next 30 bits\n\t"
+        "mov	r4, #29\n\t"
+        "1:\n\t"
+        "lsl	%[d0], %[d0], #1\n\t"
+        "adc	%[d1], %[d1]\n\t"
+        "mov	r6, r5\n\t"
+        "sub	r6, %[d1]\n\t"
+        "sbc	r6, r6\n\t"
+        "add	%[r], %[r]\n\t"
+        "sub	%[r], r6\n\t"
+        "and	r6, r5\n\t"
+        "sub	%[d1], r6\n\t"
+        "sub	r4, #1\n\t"
+        "bpl	1b\n\t"
+        "mov	r7, #0\n\t"
+        "add	%[r], %[r]\n\t"
+        "add	%[r], #1\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "sub	%[d1], r4\n\t"
+        "mov	r4, %[d1]\n\t"
+        "mov	%[d1], r9\n\t"
+        "sbc	%[d1], r5\n\t"
+        "mov	r5, %[d1]\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "# r * div - Start\n\t"
+        "lsl	%[d1], %[r], #16\n\t"
+        "lsl	r4, %[div], #16\n\t"
+        "lsr	%[d1], %[d1], #16\n\t"
+        "lsr	r4, r4, #16\n\t"
+        "mul	r4, %[d1]\n\t"
+        "lsr	r6, %[div], #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r5, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r7\n\t"
+        "lsr	%[d1], %[r], #16\n\t"
+        "mul	r6, %[d1]\n\t"
+        "add	r5, r6\n\t"
+        "lsl	r6, %[div], #16\n\t"
+        "lsr	r6, r6, #16\n\t"
+        "mul	%[d1], r6\n\t"
+        "lsr	r6, %[d1], #16\n\t"
+        "lsl	%[d1], %[d1], #16\n\t"
+        "add	r4, %[d1]\n\t"
+        "adc	r5, r6\n\t"
+        "# r * div - Done\n\t"
+        "mov	%[d1], r8\n\t"
+        "mov	r6, r9\n\t"
+        "sub	r4, %[d1], r4\n\t"
+        "sbc	r6, r5\n\t"
+        "mov	r5, r6\n\t"
+        "add	%[r], r5\n\t"
+        "mov	r6, %[div]\n\t"
+        "sub	r6, r4\n\t"
+        "sbc	r6, r6\n\t"
+        "sub	%[r], r6\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r7", "r6", "r8", "r9"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_384_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_div_12(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[24], t2[13];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[11];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 12);
+    for (i=11; i>=0; i--) {
+        r1 = div_384_word_12(t1[12 + i], t1[12 + i - 1], div);
+
+        sp_384_mul_d_12(t2, d, r1);
+        t1[12 + i] += sp_384_sub_in_place_12(&t1[i], t2);
+        t1[12 + i] -= t2[12];
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_384_cmp_12(t1, d) >= 0;
+    sp_384_cond_sub_12(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_12(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint32_t p384_order_minus_2[12] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint32_t p384_order_low[6] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_12(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_12(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_12(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_12(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_12(t, t);
+        if ((p384_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_12(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_12(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_12(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_12(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_12(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_12(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_12(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_12(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_12(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_12(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_12(t2, t2);
+        if (((sp_digit)p384_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_12(t2, t2);
+    sp_384_mont_mul_order_12(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*12];
+    sp_digit xd[2*12];
+    sp_digit kd[2*12];
+    sp_digit rd[2*12];
+    sp_digit td[3 * 2*12];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 12;
+        x = d + 2 * 12;
+        k = d + 4 * 12;
+        r = d + 6 * 12;
+        tmp = d + 8 * 12;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 12, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 12, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_12(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 12, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 12U);
+            sp_384_norm_12(r);
+            c = sp_384_cmp_12(r, p384_order);
+            sp_384_cond_sub_12(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_12(k, k, p384_norm_order);
+            err = sp_384_mod_12(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_12(kInv, k, tmp);
+            sp_384_norm_12(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_12(x, x, r);
+            err = sp_384_mod_12(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(x);
+            carry = sp_384_add_12(s, e, x);
+            sp_384_cond_sub_12(s, s, p384_order, 0 - carry);
+            sp_384_norm_12(s);
+            c = sp_384_cmp_12(s, p384_order);
+            sp_384_cond_sub_12(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_12(s, s, kInv);
+            sp_384_norm_12(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_12(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 12);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 12U);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*12];
+    sp_digit u2d[2*12];
+    sp_digit sd[2*12];
+    sp_digit tmpd[2*12 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_384_point_new_12(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 12;
+        u2  = d + 2 * 12;
+        s   = d + 4 * 12;
+        tmp = d + 6 * 12;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 12, hash, (int)hashLen);
+        sp_384_from_mp(u2, 12, r);
+        sp_384_from_mp(s, 12, sm);
+        sp_384_from_mp(p2->x, 12, pX);
+        sp_384_from_mp(p2->y, 12, pY);
+        sp_384_from_mp(p2->z, 12, pZ);
+
+        {
+            sp_384_mul_12(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_12(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_12(s);
+        {
+            sp_384_mont_inv_order_12(s, s, tmp);
+            sp_384_mont_mul_order_12(u1, u1, s);
+            sp_384_mont_mul_order_12(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_12(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_12(p1, p1, p2, tmp);
+            if (sp_384_iszero_12(p1->z)) {
+                if (sp_384_iszero_12(p1->x) && sp_384_iszero_12(p1->y)) {
+                    sp_384_proj_point_dbl_12(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    p1->x[8] = 0;
+                    p1->x[9] = 0;
+                    p1->x[10] = 0;
+                    p1->x[11] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 12, r);
+        err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_12(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 12, r);
+            carry = sp_384_add_12(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_12(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_12(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_12(p1, 0, heap);
+    sp_384_point_free_12(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_12(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*12];
+    sp_digit t2d[2*12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_12(t1, point->y);
+        (void)sp_384_mod_12(t1, t1, p384_mod);
+        sp_384_sqr_12(t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        sp_384_mul_12(t2, t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        (void)sp_384_sub_12(t2, p384_mod, t2);
+        sp_384_mont_add_12(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_12(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_12(pub, NULL);
+    }
+
+    sp_384_point_free_12(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[12];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 12, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_12(pub->x) != 0) &&
+            (sp_384_iszero_12(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_12(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_12(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_12(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_12(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_12(p->x) == 0) ||
+            (sp_384_iszero_12(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_12(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_12(p->x, pub->x) != 0 ||
+            sp_384_cmp_12(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+        sp_384_from_mp(q->x, 12, qX);
+        sp_384_from_mp(q->y, 12, qY);
+        sp_384_from_mp(q->z, 12, qZ);
+
+            sp_384_proj_point_add_12(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(q, 0, NULL);
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+            sp_384_proj_point_dbl_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+        sp_384_map_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_12(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 12];
+    sp_digit t2d[2 * 12];
+    sp_digit t3d[2 * 12];
+    sp_digit t4d[2 * 12];
+    sp_digit t5d[2 * 12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+        t3 = d + 4 * 12;
+        t4 = d + 6 * 12;
+        t5 = d + 8 * 12;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_12(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_12(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_12(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_12(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_12(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_12(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_12(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_12(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_12(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_12(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_12(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_12(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_12(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_12(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_12(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 12];
+    sp_digit yd[2 * 12];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 12;
+        y = d + 2 * 12;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 12, xm);
+        err = sp_384_mod_mul_norm_12(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_12(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_12(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_12(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_12(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_12(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 12, 0, 12U * sizeof(sp_digit));
+        sp_384_mont_reduce_12(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_12(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_SP_ARM_THUMB_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c32.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c32.c
new file mode 100644
index 000000000..4b9596dc7
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c32.c
@@ -0,0 +1,23857 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef SP_RSA_PRIVATE_EXP_D
+#define SP_RSA_PRIVATE_EXP_D
+#endif
+
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifndef WOLFSSL_SP_ASM
+#if SP_WORD_SIZE == 32
+#if (defined(WOLFSSL_SP_CACHE_RESISTANT) || defined(WOLFSSL_SP_SMALL)) &&              (defined(WOLFSSL_HAVE_SP_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Mask for address to obfuscate which of the two address will be used. */
+static const size_t addr_mask[2] = { 0, (size_t)-1 };
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 15U) {
+            r[j] &= 0x7fffff;
+            s = 23U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 23
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 23
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x7fffff;
+        s = 23U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 23U) <= (word32)DIGIT_BIT) {
+            s += 23U;
+            r[j] &= 0x7fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 23) {
+            r[j] &= 0x7fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 23 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<89; i++) {
+        r[i+1] += r[i] >> 23;
+        r[i] &= 0x7fffff;
+    }
+    j = 2048 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<90 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 23) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 23);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_15(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int64_t t0   = ((int64_t)a[ 0]) * b[ 0];
+    int64_t t1   = ((int64_t)a[ 0]) * b[ 1]
+                 + ((int64_t)a[ 1]) * b[ 0];
+    int64_t t2   = ((int64_t)a[ 0]) * b[ 2]
+                 + ((int64_t)a[ 1]) * b[ 1]
+                 + ((int64_t)a[ 2]) * b[ 0];
+    int64_t t3   = ((int64_t)a[ 0]) * b[ 3]
+                 + ((int64_t)a[ 1]) * b[ 2]
+                 + ((int64_t)a[ 2]) * b[ 1]
+                 + ((int64_t)a[ 3]) * b[ 0];
+    int64_t t4   = ((int64_t)a[ 0]) * b[ 4]
+                 + ((int64_t)a[ 1]) * b[ 3]
+                 + ((int64_t)a[ 2]) * b[ 2]
+                 + ((int64_t)a[ 3]) * b[ 1]
+                 + ((int64_t)a[ 4]) * b[ 0];
+    int64_t t5   = ((int64_t)a[ 0]) * b[ 5]
+                 + ((int64_t)a[ 1]) * b[ 4]
+                 + ((int64_t)a[ 2]) * b[ 3]
+                 + ((int64_t)a[ 3]) * b[ 2]
+                 + ((int64_t)a[ 4]) * b[ 1]
+                 + ((int64_t)a[ 5]) * b[ 0];
+    int64_t t6   = ((int64_t)a[ 0]) * b[ 6]
+                 + ((int64_t)a[ 1]) * b[ 5]
+                 + ((int64_t)a[ 2]) * b[ 4]
+                 + ((int64_t)a[ 3]) * b[ 3]
+                 + ((int64_t)a[ 4]) * b[ 2]
+                 + ((int64_t)a[ 5]) * b[ 1]
+                 + ((int64_t)a[ 6]) * b[ 0];
+    int64_t t7   = ((int64_t)a[ 0]) * b[ 7]
+                 + ((int64_t)a[ 1]) * b[ 6]
+                 + ((int64_t)a[ 2]) * b[ 5]
+                 + ((int64_t)a[ 3]) * b[ 4]
+                 + ((int64_t)a[ 4]) * b[ 3]
+                 + ((int64_t)a[ 5]) * b[ 2]
+                 + ((int64_t)a[ 6]) * b[ 1]
+                 + ((int64_t)a[ 7]) * b[ 0];
+    int64_t t8   = ((int64_t)a[ 0]) * b[ 8]
+                 + ((int64_t)a[ 1]) * b[ 7]
+                 + ((int64_t)a[ 2]) * b[ 6]
+                 + ((int64_t)a[ 3]) * b[ 5]
+                 + ((int64_t)a[ 4]) * b[ 4]
+                 + ((int64_t)a[ 5]) * b[ 3]
+                 + ((int64_t)a[ 6]) * b[ 2]
+                 + ((int64_t)a[ 7]) * b[ 1]
+                 + ((int64_t)a[ 8]) * b[ 0];
+    int64_t t9   = ((int64_t)a[ 0]) * b[ 9]
+                 + ((int64_t)a[ 1]) * b[ 8]
+                 + ((int64_t)a[ 2]) * b[ 7]
+                 + ((int64_t)a[ 3]) * b[ 6]
+                 + ((int64_t)a[ 4]) * b[ 5]
+                 + ((int64_t)a[ 5]) * b[ 4]
+                 + ((int64_t)a[ 6]) * b[ 3]
+                 + ((int64_t)a[ 7]) * b[ 2]
+                 + ((int64_t)a[ 8]) * b[ 1]
+                 + ((int64_t)a[ 9]) * b[ 0];
+    int64_t t10  = ((int64_t)a[ 0]) * b[10]
+                 + ((int64_t)a[ 1]) * b[ 9]
+                 + ((int64_t)a[ 2]) * b[ 8]
+                 + ((int64_t)a[ 3]) * b[ 7]
+                 + ((int64_t)a[ 4]) * b[ 6]
+                 + ((int64_t)a[ 5]) * b[ 5]
+                 + ((int64_t)a[ 6]) * b[ 4]
+                 + ((int64_t)a[ 7]) * b[ 3]
+                 + ((int64_t)a[ 8]) * b[ 2]
+                 + ((int64_t)a[ 9]) * b[ 1]
+                 + ((int64_t)a[10]) * b[ 0];
+    int64_t t11  = ((int64_t)a[ 0]) * b[11]
+                 + ((int64_t)a[ 1]) * b[10]
+                 + ((int64_t)a[ 2]) * b[ 9]
+                 + ((int64_t)a[ 3]) * b[ 8]
+                 + ((int64_t)a[ 4]) * b[ 7]
+                 + ((int64_t)a[ 5]) * b[ 6]
+                 + ((int64_t)a[ 6]) * b[ 5]
+                 + ((int64_t)a[ 7]) * b[ 4]
+                 + ((int64_t)a[ 8]) * b[ 3]
+                 + ((int64_t)a[ 9]) * b[ 2]
+                 + ((int64_t)a[10]) * b[ 1]
+                 + ((int64_t)a[11]) * b[ 0];
+    int64_t t12  = ((int64_t)a[ 0]) * b[12]
+                 + ((int64_t)a[ 1]) * b[11]
+                 + ((int64_t)a[ 2]) * b[10]
+                 + ((int64_t)a[ 3]) * b[ 9]
+                 + ((int64_t)a[ 4]) * b[ 8]
+                 + ((int64_t)a[ 5]) * b[ 7]
+                 + ((int64_t)a[ 6]) * b[ 6]
+                 + ((int64_t)a[ 7]) * b[ 5]
+                 + ((int64_t)a[ 8]) * b[ 4]
+                 + ((int64_t)a[ 9]) * b[ 3]
+                 + ((int64_t)a[10]) * b[ 2]
+                 + ((int64_t)a[11]) * b[ 1]
+                 + ((int64_t)a[12]) * b[ 0];
+    int64_t t13  = ((int64_t)a[ 0]) * b[13]
+                 + ((int64_t)a[ 1]) * b[12]
+                 + ((int64_t)a[ 2]) * b[11]
+                 + ((int64_t)a[ 3]) * b[10]
+                 + ((int64_t)a[ 4]) * b[ 9]
+                 + ((int64_t)a[ 5]) * b[ 8]
+                 + ((int64_t)a[ 6]) * b[ 7]
+                 + ((int64_t)a[ 7]) * b[ 6]
+                 + ((int64_t)a[ 8]) * b[ 5]
+                 + ((int64_t)a[ 9]) * b[ 4]
+                 + ((int64_t)a[10]) * b[ 3]
+                 + ((int64_t)a[11]) * b[ 2]
+                 + ((int64_t)a[12]) * b[ 1]
+                 + ((int64_t)a[13]) * b[ 0];
+    int64_t t14  = ((int64_t)a[ 0]) * b[14]
+                 + ((int64_t)a[ 1]) * b[13]
+                 + ((int64_t)a[ 2]) * b[12]
+                 + ((int64_t)a[ 3]) * b[11]
+                 + ((int64_t)a[ 4]) * b[10]
+                 + ((int64_t)a[ 5]) * b[ 9]
+                 + ((int64_t)a[ 6]) * b[ 8]
+                 + ((int64_t)a[ 7]) * b[ 7]
+                 + ((int64_t)a[ 8]) * b[ 6]
+                 + ((int64_t)a[ 9]) * b[ 5]
+                 + ((int64_t)a[10]) * b[ 4]
+                 + ((int64_t)a[11]) * b[ 3]
+                 + ((int64_t)a[12]) * b[ 2]
+                 + ((int64_t)a[13]) * b[ 1]
+                 + ((int64_t)a[14]) * b[ 0];
+    int64_t t15  = ((int64_t)a[ 1]) * b[14]
+                 + ((int64_t)a[ 2]) * b[13]
+                 + ((int64_t)a[ 3]) * b[12]
+                 + ((int64_t)a[ 4]) * b[11]
+                 + ((int64_t)a[ 5]) * b[10]
+                 + ((int64_t)a[ 6]) * b[ 9]
+                 + ((int64_t)a[ 7]) * b[ 8]
+                 + ((int64_t)a[ 8]) * b[ 7]
+                 + ((int64_t)a[ 9]) * b[ 6]
+                 + ((int64_t)a[10]) * b[ 5]
+                 + ((int64_t)a[11]) * b[ 4]
+                 + ((int64_t)a[12]) * b[ 3]
+                 + ((int64_t)a[13]) * b[ 2]
+                 + ((int64_t)a[14]) * b[ 1];
+    int64_t t16  = ((int64_t)a[ 2]) * b[14]
+                 + ((int64_t)a[ 3]) * b[13]
+                 + ((int64_t)a[ 4]) * b[12]
+                 + ((int64_t)a[ 5]) * b[11]
+                 + ((int64_t)a[ 6]) * b[10]
+                 + ((int64_t)a[ 7]) * b[ 9]
+                 + ((int64_t)a[ 8]) * b[ 8]
+                 + ((int64_t)a[ 9]) * b[ 7]
+                 + ((int64_t)a[10]) * b[ 6]
+                 + ((int64_t)a[11]) * b[ 5]
+                 + ((int64_t)a[12]) * b[ 4]
+                 + ((int64_t)a[13]) * b[ 3]
+                 + ((int64_t)a[14]) * b[ 2];
+    int64_t t17  = ((int64_t)a[ 3]) * b[14]
+                 + ((int64_t)a[ 4]) * b[13]
+                 + ((int64_t)a[ 5]) * b[12]
+                 + ((int64_t)a[ 6]) * b[11]
+                 + ((int64_t)a[ 7]) * b[10]
+                 + ((int64_t)a[ 8]) * b[ 9]
+                 + ((int64_t)a[ 9]) * b[ 8]
+                 + ((int64_t)a[10]) * b[ 7]
+                 + ((int64_t)a[11]) * b[ 6]
+                 + ((int64_t)a[12]) * b[ 5]
+                 + ((int64_t)a[13]) * b[ 4]
+                 + ((int64_t)a[14]) * b[ 3];
+    int64_t t18  = ((int64_t)a[ 4]) * b[14]
+                 + ((int64_t)a[ 5]) * b[13]
+                 + ((int64_t)a[ 6]) * b[12]
+                 + ((int64_t)a[ 7]) * b[11]
+                 + ((int64_t)a[ 8]) * b[10]
+                 + ((int64_t)a[ 9]) * b[ 9]
+                 + ((int64_t)a[10]) * b[ 8]
+                 + ((int64_t)a[11]) * b[ 7]
+                 + ((int64_t)a[12]) * b[ 6]
+                 + ((int64_t)a[13]) * b[ 5]
+                 + ((int64_t)a[14]) * b[ 4];
+    int64_t t19  = ((int64_t)a[ 5]) * b[14]
+                 + ((int64_t)a[ 6]) * b[13]
+                 + ((int64_t)a[ 7]) * b[12]
+                 + ((int64_t)a[ 8]) * b[11]
+                 + ((int64_t)a[ 9]) * b[10]
+                 + ((int64_t)a[10]) * b[ 9]
+                 + ((int64_t)a[11]) * b[ 8]
+                 + ((int64_t)a[12]) * b[ 7]
+                 + ((int64_t)a[13]) * b[ 6]
+                 + ((int64_t)a[14]) * b[ 5];
+    int64_t t20  = ((int64_t)a[ 6]) * b[14]
+                 + ((int64_t)a[ 7]) * b[13]
+                 + ((int64_t)a[ 8]) * b[12]
+                 + ((int64_t)a[ 9]) * b[11]
+                 + ((int64_t)a[10]) * b[10]
+                 + ((int64_t)a[11]) * b[ 9]
+                 + ((int64_t)a[12]) * b[ 8]
+                 + ((int64_t)a[13]) * b[ 7]
+                 + ((int64_t)a[14]) * b[ 6];
+    int64_t t21  = ((int64_t)a[ 7]) * b[14]
+                 + ((int64_t)a[ 8]) * b[13]
+                 + ((int64_t)a[ 9]) * b[12]
+                 + ((int64_t)a[10]) * b[11]
+                 + ((int64_t)a[11]) * b[10]
+                 + ((int64_t)a[12]) * b[ 9]
+                 + ((int64_t)a[13]) * b[ 8]
+                 + ((int64_t)a[14]) * b[ 7];
+    int64_t t22  = ((int64_t)a[ 8]) * b[14]
+                 + ((int64_t)a[ 9]) * b[13]
+                 + ((int64_t)a[10]) * b[12]
+                 + ((int64_t)a[11]) * b[11]
+                 + ((int64_t)a[12]) * b[10]
+                 + ((int64_t)a[13]) * b[ 9]
+                 + ((int64_t)a[14]) * b[ 8];
+    int64_t t23  = ((int64_t)a[ 9]) * b[14]
+                 + ((int64_t)a[10]) * b[13]
+                 + ((int64_t)a[11]) * b[12]
+                 + ((int64_t)a[12]) * b[11]
+                 + ((int64_t)a[13]) * b[10]
+                 + ((int64_t)a[14]) * b[ 9];
+    int64_t t24  = ((int64_t)a[10]) * b[14]
+                 + ((int64_t)a[11]) * b[13]
+                 + ((int64_t)a[12]) * b[12]
+                 + ((int64_t)a[13]) * b[11]
+                 + ((int64_t)a[14]) * b[10];
+    int64_t t25  = ((int64_t)a[11]) * b[14]
+                 + ((int64_t)a[12]) * b[13]
+                 + ((int64_t)a[13]) * b[12]
+                 + ((int64_t)a[14]) * b[11];
+    int64_t t26  = ((int64_t)a[12]) * b[14]
+                 + ((int64_t)a[13]) * b[13]
+                 + ((int64_t)a[14]) * b[12];
+    int64_t t27  = ((int64_t)a[13]) * b[14]
+                 + ((int64_t)a[14]) * b[13];
+    int64_t t28  = ((int64_t)a[14]) * b[14];
+
+    t1   += t0  >> 23; r[ 0] = t0  & 0x7fffff;
+    t2   += t1  >> 23; r[ 1] = t1  & 0x7fffff;
+    t3   += t2  >> 23; r[ 2] = t2  & 0x7fffff;
+    t4   += t3  >> 23; r[ 3] = t3  & 0x7fffff;
+    t5   += t4  >> 23; r[ 4] = t4  & 0x7fffff;
+    t6   += t5  >> 23; r[ 5] = t5  & 0x7fffff;
+    t7   += t6  >> 23; r[ 6] = t6  & 0x7fffff;
+    t8   += t7  >> 23; r[ 7] = t7  & 0x7fffff;
+    t9   += t8  >> 23; r[ 8] = t8  & 0x7fffff;
+    t10  += t9  >> 23; r[ 9] = t9  & 0x7fffff;
+    t11  += t10 >> 23; r[10] = t10 & 0x7fffff;
+    t12  += t11 >> 23; r[11] = t11 & 0x7fffff;
+    t13  += t12 >> 23; r[12] = t12 & 0x7fffff;
+    t14  += t13 >> 23; r[13] = t13 & 0x7fffff;
+    t15  += t14 >> 23; r[14] = t14 & 0x7fffff;
+    t16  += t15 >> 23; r[15] = t15 & 0x7fffff;
+    t17  += t16 >> 23; r[16] = t16 & 0x7fffff;
+    t18  += t17 >> 23; r[17] = t17 & 0x7fffff;
+    t19  += t18 >> 23; r[18] = t18 & 0x7fffff;
+    t20  += t19 >> 23; r[19] = t19 & 0x7fffff;
+    t21  += t20 >> 23; r[20] = t20 & 0x7fffff;
+    t22  += t21 >> 23; r[21] = t21 & 0x7fffff;
+    t23  += t22 >> 23; r[22] = t22 & 0x7fffff;
+    t24  += t23 >> 23; r[23] = t23 & 0x7fffff;
+    t25  += t24 >> 23; r[24] = t24 & 0x7fffff;
+    t26  += t25 >> 23; r[25] = t25 & 0x7fffff;
+    t27  += t26 >> 23; r[26] = t26 & 0x7fffff;
+    t28  += t27 >> 23; r[27] = t27 & 0x7fffff;
+    r[29] = (sp_digit)(t28 >> 23);
+                       r[28] = t28 & 0x7fffff;
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_15(sp_digit* r, const sp_digit* a)
+{
+    int64_t t0   =  ((int64_t)a[ 0]) * a[ 0];
+    int64_t t1   = (((int64_t)a[ 0]) * a[ 1]) * 2;
+    int64_t t2   = (((int64_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int64_t)a[ 1]) * a[ 1];
+    int64_t t3   = (((int64_t)a[ 0]) * a[ 3]
+                 +  ((int64_t)a[ 1]) * a[ 2]) * 2;
+    int64_t t4   = (((int64_t)a[ 0]) * a[ 4]
+                 +  ((int64_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int64_t)a[ 2]) * a[ 2];
+    int64_t t5   = (((int64_t)a[ 0]) * a[ 5]
+                 +  ((int64_t)a[ 1]) * a[ 4]
+                 +  ((int64_t)a[ 2]) * a[ 3]) * 2;
+    int64_t t6   = (((int64_t)a[ 0]) * a[ 6]
+                 +  ((int64_t)a[ 1]) * a[ 5]
+                 +  ((int64_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int64_t)a[ 3]) * a[ 3];
+    int64_t t7   = (((int64_t)a[ 0]) * a[ 7]
+                 +  ((int64_t)a[ 1]) * a[ 6]
+                 +  ((int64_t)a[ 2]) * a[ 5]
+                 +  ((int64_t)a[ 3]) * a[ 4]) * 2;
+    int64_t t8   = (((int64_t)a[ 0]) * a[ 8]
+                 +  ((int64_t)a[ 1]) * a[ 7]
+                 +  ((int64_t)a[ 2]) * a[ 6]
+                 +  ((int64_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int64_t)a[ 4]) * a[ 4];
+    int64_t t9   = (((int64_t)a[ 0]) * a[ 9]
+                 +  ((int64_t)a[ 1]) * a[ 8]
+                 +  ((int64_t)a[ 2]) * a[ 7]
+                 +  ((int64_t)a[ 3]) * a[ 6]
+                 +  ((int64_t)a[ 4]) * a[ 5]) * 2;
+    int64_t t10  = (((int64_t)a[ 0]) * a[10]
+                 +  ((int64_t)a[ 1]) * a[ 9]
+                 +  ((int64_t)a[ 2]) * a[ 8]
+                 +  ((int64_t)a[ 3]) * a[ 7]
+                 +  ((int64_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int64_t)a[ 5]) * a[ 5];
+    int64_t t11  = (((int64_t)a[ 0]) * a[11]
+                 +  ((int64_t)a[ 1]) * a[10]
+                 +  ((int64_t)a[ 2]) * a[ 9]
+                 +  ((int64_t)a[ 3]) * a[ 8]
+                 +  ((int64_t)a[ 4]) * a[ 7]
+                 +  ((int64_t)a[ 5]) * a[ 6]) * 2;
+    int64_t t12  = (((int64_t)a[ 0]) * a[12]
+                 +  ((int64_t)a[ 1]) * a[11]
+                 +  ((int64_t)a[ 2]) * a[10]
+                 +  ((int64_t)a[ 3]) * a[ 9]
+                 +  ((int64_t)a[ 4]) * a[ 8]
+                 +  ((int64_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int64_t)a[ 6]) * a[ 6];
+    int64_t t13  = (((int64_t)a[ 0]) * a[13]
+                 +  ((int64_t)a[ 1]) * a[12]
+                 +  ((int64_t)a[ 2]) * a[11]
+                 +  ((int64_t)a[ 3]) * a[10]
+                 +  ((int64_t)a[ 4]) * a[ 9]
+                 +  ((int64_t)a[ 5]) * a[ 8]
+                 +  ((int64_t)a[ 6]) * a[ 7]) * 2;
+    int64_t t14  = (((int64_t)a[ 0]) * a[14]
+                 +  ((int64_t)a[ 1]) * a[13]
+                 +  ((int64_t)a[ 2]) * a[12]
+                 +  ((int64_t)a[ 3]) * a[11]
+                 +  ((int64_t)a[ 4]) * a[10]
+                 +  ((int64_t)a[ 5]) * a[ 9]
+                 +  ((int64_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int64_t)a[ 7]) * a[ 7];
+    int64_t t15  = (((int64_t)a[ 1]) * a[14]
+                 +  ((int64_t)a[ 2]) * a[13]
+                 +  ((int64_t)a[ 3]) * a[12]
+                 +  ((int64_t)a[ 4]) * a[11]
+                 +  ((int64_t)a[ 5]) * a[10]
+                 +  ((int64_t)a[ 6]) * a[ 9]
+                 +  ((int64_t)a[ 7]) * a[ 8]) * 2;
+    int64_t t16  = (((int64_t)a[ 2]) * a[14]
+                 +  ((int64_t)a[ 3]) * a[13]
+                 +  ((int64_t)a[ 4]) * a[12]
+                 +  ((int64_t)a[ 5]) * a[11]
+                 +  ((int64_t)a[ 6]) * a[10]
+                 +  ((int64_t)a[ 7]) * a[ 9]) * 2
+                 +  ((int64_t)a[ 8]) * a[ 8];
+    int64_t t17  = (((int64_t)a[ 3]) * a[14]
+                 +  ((int64_t)a[ 4]) * a[13]
+                 +  ((int64_t)a[ 5]) * a[12]
+                 +  ((int64_t)a[ 6]) * a[11]
+                 +  ((int64_t)a[ 7]) * a[10]
+                 +  ((int64_t)a[ 8]) * a[ 9]) * 2;
+    int64_t t18  = (((int64_t)a[ 4]) * a[14]
+                 +  ((int64_t)a[ 5]) * a[13]
+                 +  ((int64_t)a[ 6]) * a[12]
+                 +  ((int64_t)a[ 7]) * a[11]
+                 +  ((int64_t)a[ 8]) * a[10]) * 2
+                 +  ((int64_t)a[ 9]) * a[ 9];
+    int64_t t19  = (((int64_t)a[ 5]) * a[14]
+                 +  ((int64_t)a[ 6]) * a[13]
+                 +  ((int64_t)a[ 7]) * a[12]
+                 +  ((int64_t)a[ 8]) * a[11]
+                 +  ((int64_t)a[ 9]) * a[10]) * 2;
+    int64_t t20  = (((int64_t)a[ 6]) * a[14]
+                 +  ((int64_t)a[ 7]) * a[13]
+                 +  ((int64_t)a[ 8]) * a[12]
+                 +  ((int64_t)a[ 9]) * a[11]) * 2
+                 +  ((int64_t)a[10]) * a[10];
+    int64_t t21  = (((int64_t)a[ 7]) * a[14]
+                 +  ((int64_t)a[ 8]) * a[13]
+                 +  ((int64_t)a[ 9]) * a[12]
+                 +  ((int64_t)a[10]) * a[11]) * 2;
+    int64_t t22  = (((int64_t)a[ 8]) * a[14]
+                 +  ((int64_t)a[ 9]) * a[13]
+                 +  ((int64_t)a[10]) * a[12]) * 2
+                 +  ((int64_t)a[11]) * a[11];
+    int64_t t23  = (((int64_t)a[ 9]) * a[14]
+                 +  ((int64_t)a[10]) * a[13]
+                 +  ((int64_t)a[11]) * a[12]) * 2;
+    int64_t t24  = (((int64_t)a[10]) * a[14]
+                 +  ((int64_t)a[11]) * a[13]) * 2
+                 +  ((int64_t)a[12]) * a[12];
+    int64_t t25  = (((int64_t)a[11]) * a[14]
+                 +  ((int64_t)a[12]) * a[13]) * 2;
+    int64_t t26  = (((int64_t)a[12]) * a[14]) * 2
+                 +  ((int64_t)a[13]) * a[13];
+    int64_t t27  = (((int64_t)a[13]) * a[14]) * 2;
+    int64_t t28  =  ((int64_t)a[14]) * a[14];
+
+    t1   += t0  >> 23; r[ 0] = t0  & 0x7fffff;
+    t2   += t1  >> 23; r[ 1] = t1  & 0x7fffff;
+    t3   += t2  >> 23; r[ 2] = t2  & 0x7fffff;
+    t4   += t3  >> 23; r[ 3] = t3  & 0x7fffff;
+    t5   += t4  >> 23; r[ 4] = t4  & 0x7fffff;
+    t6   += t5  >> 23; r[ 5] = t5  & 0x7fffff;
+    t7   += t6  >> 23; r[ 6] = t6  & 0x7fffff;
+    t8   += t7  >> 23; r[ 7] = t7  & 0x7fffff;
+    t9   += t8  >> 23; r[ 8] = t8  & 0x7fffff;
+    t10  += t9  >> 23; r[ 9] = t9  & 0x7fffff;
+    t11  += t10 >> 23; r[10] = t10 & 0x7fffff;
+    t12  += t11 >> 23; r[11] = t11 & 0x7fffff;
+    t13  += t12 >> 23; r[12] = t12 & 0x7fffff;
+    t14  += t13 >> 23; r[13] = t13 & 0x7fffff;
+    t15  += t14 >> 23; r[14] = t14 & 0x7fffff;
+    t16  += t15 >> 23; r[15] = t15 & 0x7fffff;
+    t17  += t16 >> 23; r[16] = t16 & 0x7fffff;
+    t18  += t17 >> 23; r[17] = t17 & 0x7fffff;
+    t19  += t18 >> 23; r[18] = t18 & 0x7fffff;
+    t20  += t19 >> 23; r[19] = t19 & 0x7fffff;
+    t21  += t20 >> 23; r[20] = t20 & 0x7fffff;
+    t22  += t21 >> 23; r[21] = t21 & 0x7fffff;
+    t23  += t22 >> 23; r[22] = t22 & 0x7fffff;
+    t24  += t23 >> 23; r[23] = t23 & 0x7fffff;
+    t25  += t24 >> 23; r[24] = t24 & 0x7fffff;
+    t26  += t25 >> 23; r[25] = t25 & 0x7fffff;
+    t27  += t26 >> 23; r[26] = t26 & 0x7fffff;
+    t28  += t27 >> 23; r[27] = t27 & 0x7fffff;
+    r[29] = (sp_digit)(t28 >> 23);
+                       r[28] = t28 & 0x7fffff;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+    r[ 9] = a[ 9] + b[ 9];
+    r[10] = a[10] + b[10];
+    r[11] = a[11] + b[11];
+    r[12] = a[12] + b[12];
+    r[13] = a[13] + b[13];
+    r[14] = a[14] + b[14];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_30(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[24] = a[24] - b[24];
+    r[25] = a[25] - b[25];
+    r[26] = a[26] - b[26];
+    r[27] = a[27] - b[27];
+    r[28] = a[28] - b[28];
+    r[29] = a[29] - b[29];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_30(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[24] = a[24] + b[24];
+    r[25] = a[25] + b[25];
+    r[26] = a[26] + b[26];
+    r[27] = a[27] + b[27];
+    r[28] = a[28] + b[28];
+    r[29] = a[29] + b[29];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_45(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit p0[30];
+    sp_digit p1[30];
+    sp_digit p2[30];
+    sp_digit p3[30];
+    sp_digit p4[30];
+    sp_digit p5[30];
+    sp_digit t0[30];
+    sp_digit t1[30];
+    sp_digit t2[30];
+    sp_digit a0[15];
+    sp_digit a1[15];
+    sp_digit a2[15];
+    sp_digit b0[15];
+    sp_digit b1[15];
+    sp_digit b2[15];
+    (void)sp_2048_add_15(a0, a, &a[15]);
+    (void)sp_2048_add_15(b0, b, &b[15]);
+    (void)sp_2048_add_15(a1, &a[15], &a[30]);
+    (void)sp_2048_add_15(b1, &b[15], &b[30]);
+    (void)sp_2048_add_15(a2, a0, &a[30]);
+    (void)sp_2048_add_15(b2, b0, &b[30]);
+    sp_2048_mul_15(p0, a, b);
+    sp_2048_mul_15(p2, &a[15], &b[15]);
+    sp_2048_mul_15(p4, &a[30], &b[30]);
+    sp_2048_mul_15(p1, a0, b0);
+    sp_2048_mul_15(p3, a1, b1);
+    sp_2048_mul_15(p5, a2, b2);
+    XMEMSET(r, 0, sizeof(*r)*2U*45U);
+    (void)sp_2048_sub_30(t0, p3, p2);
+    (void)sp_2048_sub_30(t1, p1, p2);
+    (void)sp_2048_sub_30(t2, p5, t0);
+    (void)sp_2048_sub_30(t2, t2, t1);
+    (void)sp_2048_sub_30(t0, t0, p4);
+    (void)sp_2048_sub_30(t1, t1, p0);
+    (void)sp_2048_add_30(r, r, p0);
+    (void)sp_2048_add_30(&r[15], &r[15], t1);
+    (void)sp_2048_add_30(&r[30], &r[30], t2);
+    (void)sp_2048_add_30(&r[45], &r[45], t0);
+    (void)sp_2048_add_30(&r[60], &r[60], p4);
+}
+
+/* Square a into r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_45(sp_digit* r, const sp_digit* a)
+{
+    sp_digit p0[30];
+    sp_digit p1[30];
+    sp_digit p2[30];
+    sp_digit p3[30];
+    sp_digit p4[30];
+    sp_digit p5[30];
+    sp_digit t0[30];
+    sp_digit t1[30];
+    sp_digit t2[30];
+    sp_digit a0[15];
+    sp_digit a1[15];
+    sp_digit a2[15];
+    (void)sp_2048_add_15(a0, a, &a[15]);
+    (void)sp_2048_add_15(a1, &a[15], &a[30]);
+    (void)sp_2048_add_15(a2, a0, &a[30]);
+    sp_2048_sqr_15(p0, a);
+    sp_2048_sqr_15(p2, &a[15]);
+    sp_2048_sqr_15(p4, &a[30]);
+    sp_2048_sqr_15(p1, a0);
+    sp_2048_sqr_15(p3, a1);
+    sp_2048_sqr_15(p5, a2);
+    XMEMSET(r, 0, sizeof(*r)*2U*45U);
+    (void)sp_2048_sub_30(t0, p3, p2);
+    (void)sp_2048_sub_30(t1, p1, p2);
+    (void)sp_2048_sub_30(t2, p5, t0);
+    (void)sp_2048_sub_30(t2, t2, t1);
+    (void)sp_2048_sub_30(t0, t0, p4);
+    (void)sp_2048_sub_30(t1, t1, p0);
+    (void)sp_2048_add_30(r, r, p0);
+    (void)sp_2048_add_30(&r[15], &r[15], t1);
+    (void)sp_2048_add_30(&r[30], &r[30], t2);
+    (void)sp_2048_add_30(&r[45], &r[45], t0);
+    (void)sp_2048_add_30(&r[60], &r[60], p4);
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[40] = a[40] + b[40];
+    r[41] = a[41] + b[41];
+    r[42] = a[42] + b[42];
+    r[43] = a[43] + b[43];
+    r[44] = a[44] + b[44];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[88] = a[88] + b[88];
+    r[89] = a[89] + b[89];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[88] = a[88] - b[88];
+    r[89] = a[89] - b[89];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_90(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[90];
+    sp_digit* a1 = z1;
+    sp_digit b1[45];
+    sp_digit* z2 = r + 90;
+    (void)sp_2048_add_45(a1, a, &a[45]);
+    (void)sp_2048_add_45(b1, b, &b[45]);
+    sp_2048_mul_45(z2, &a[45], &b[45]);
+    sp_2048_mul_45(z0, a, b);
+    sp_2048_mul_45(z1, a1, b1);
+    (void)sp_2048_sub_90(z1, z1, z2);
+    (void)sp_2048_sub_90(z1, z1, z0);
+    (void)sp_2048_add_90(r + 45, r + 45, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_90(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[90];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 90;
+    (void)sp_2048_add_45(a1, a, &a[45]);
+    sp_2048_sqr_45(z2, &a[45]);
+    sp_2048_sqr_45(z0, a);
+    sp_2048_sqr_45(z1, a1);
+    (void)sp_2048_sub_90(z1, z1, z2);
+    (void)sp_2048_sub_90(z1, z1, z0);
+    (void)sp_2048_add_90(r + 45, r + 45, z1);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_90(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[89]) * b[89];
+    r[179] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 177; k >= 0; k--) {
+        for (i = 89; i >= 0; i--) {
+            j = k - i;
+            if (j >= 90) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_90(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[89]) * a[89];
+    r[179] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 177; k >= 0; k--) {
+        for (i = 89; i >= 0; i--) {
+            j = k - i;
+            if (j >= 90 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[40] = a[40] - b[40];
+    r[41] = a[41] - b[41];
+    r[42] = a[42] - b[42];
+    r[43] = a[43] - b[43];
+    r[44] = a[44] - b[44];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_45(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[44]) * b[44];
+    r[89] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 87; k >= 0; k--) {
+        for (i = 44; i >= 0; i--) {
+            j = k - i;
+            if (j >= 45) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_45(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[44]) * a[44];
+    r[89] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 87; k >= 0; k--) {
+        for (i = 44; i >= 0; i--) {
+            j = k - i;
+            if (j >= 45 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x &= 0x7fffff;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 23) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_d_90(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[90] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 88; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[89];
+    r[89] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    r[90] =  (sp_digit)(t[1] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_45(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<44; i++) {
+        r[i] = 0x7fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = 0x7fffff;
+        r[i + 1] = 0x7fffff;
+        r[i + 2] = 0x7fffff;
+        r[i + 3] = 0x7fffff;
+        r[i + 4] = 0x7fffff;
+        r[i + 5] = 0x7fffff;
+        r[i + 6] = 0x7fffff;
+        r[i + 7] = 0x7fffff;
+    }
+    r[40] = 0x7fffff;
+    r[41] = 0x7fffff;
+    r[42] = 0x7fffff;
+    r[43] = 0x7fffff;
+#endif
+    r[44] = 0xfffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_2048_sub_45(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_2048_cmp_45(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=44; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[44] - b[44]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[43] - b[43]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[42] - b[42]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[41] - b[41]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[40] - b[40]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 32; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_sub_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[40] = a[40] - (b[40] & m);
+    r[41] = a[41] - (b[41] & m);
+    r[42] = a[42] - (b[42] & m);
+    r[43] = a[43] - (b[43] & m);
+    r[44] = a[44] - (b[44] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_add_45(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[45] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x7fffff);
+    for (i = 0; i < 40; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 23) + (t[5] & 0x7fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 23) + (t[6] & 0x7fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 23) + (t[7] & 0x7fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 23) + (t[0] & 0x7fffff));
+    }
+    t[1] = tb * a[41]; r[41] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+    t[2] = tb * a[42]; r[42] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+    t[3] = tb * a[43]; r[43] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+    t[4] = tb * a[44]; r[44] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+    r[45] +=  (sp_digit)(t[4] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 23.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_2048_norm_45(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 44; i++) {
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 40; i += 8) {
+        a[i+1] += a[i+0] >> 23; a[i+0] &= 0x7fffff;
+        a[i+2] += a[i+1] >> 23; a[i+1] &= 0x7fffff;
+        a[i+3] += a[i+2] >> 23; a[i+2] &= 0x7fffff;
+        a[i+4] += a[i+3] >> 23; a[i+3] &= 0x7fffff;
+        a[i+5] += a[i+4] >> 23; a[i+4] &= 0x7fffff;
+        a[i+6] += a[i+5] >> 23; a[i+5] &= 0x7fffff;
+        a[i+7] += a[i+6] >> 23; a[i+6] &= 0x7fffff;
+        a[i+8] += a[i+7] >> 23; a[i+7] &= 0x7fffff;
+        a[i+9] += a[i+8] >> 23; a[i+8] &= 0x7fffff;
+    }
+    a[40+1] += a[40] >> 23;
+    a[40] &= 0x7fffff;
+    a[41+1] += a[41] >> 23;
+    a[41] &= 0x7fffff;
+    a[42+1] += a[42] >> 23;
+    a[42] &= 0x7fffff;
+    a[43+1] += a[43] >> 23;
+    a[43] &= 0x7fffff;
+#endif
+}
+
+/* Shift the result in the high 1024 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_2048_mont_shift_45(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[44] >> 12;
+    n += ((int64_t)a[45]) << 11;
+
+    for (i = 0; i < 44; i++) {
+        r[i] = n & 0x7fffff;
+        n >>= 23;
+        n += ((int64_t)a[46 + i]) << 11;
+    }
+    r[44] = (sp_digit)n;
+#else
+    int i;
+    int64_t n = a[44] >> 12;
+    n += ((int64_t)a[45]) << 11;
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 46]) << 11;
+        r[i + 1] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 47]) << 11;
+        r[i + 2] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 48]) << 11;
+        r[i + 3] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 49]) << 11;
+        r[i + 4] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 50]) << 11;
+        r[i + 5] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 51]) << 11;
+        r[i + 6] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 52]) << 11;
+        r[i + 7] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 53]) << 11;
+    }
+    r[40] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[86]) << 11;
+    r[41] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[87]) << 11;
+    r[42] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[88]) << 11;
+    r[43] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[89]) << 11;
+    r[44] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[45], 0, sizeof(*r) * 45U);
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_2048_mont_reduce_45(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_2048_norm_45(a + 45);
+
+    for (i=0; i<44; i++) {
+        mu = (a[i] * mp) & 0x7fffff;
+        sp_2048_mul_add_45(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+    }
+    mu = (a[i] * mp) & 0xfffL;
+    sp_2048_mul_add_45(a+i, m, mu);
+    a[i+1] += a[i] >> 23;
+    a[i] &= 0x7fffff;
+
+    sp_2048_mont_shift_45(a, a);
+    sp_2048_cond_sub_45(a, a, m, 0 - (((a[44] >> 12) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_2048_norm_45(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_45(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_45(r, a, b);
+    sp_2048_mont_reduce_45(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_45(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_45(r, a);
+    sp_2048_mont_reduce_45(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_d_45(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[45] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 40; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[41];
+    r[41] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    t[2] = tb * a[42];
+    r[42] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+    t[3] = tb * a[43];
+    r[43] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+    t[4] = tb * a[44];
+    r[44] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+    r[45] =  (sp_digit)(t[4] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_add_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 40; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[40] = a[40] + (b[40] & m);
+    r[41] = a[41] + (b[41] & m);
+    r[42] = a[42] + (b[42] & m);
+    r[43] = a[43] + (b[43] & m);
+    r[44] = a[44] + (b[44] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_45(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 45; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_2048_rshift_45(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<44; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (23 - n))) & 0x7fffff;
+    }
+#else
+    for (i=0; i<40; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (23 - n))) & 0x7fffff;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (23 - n))) & 0x7fffff;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (23 - n))) & 0x7fffff;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (23 - n))) & 0x7fffff;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (23 - n))) & 0x7fffff;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (23 - n))) & 0x7fffff;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (23 - n))) & 0x7fffff;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (23 - n))) & 0x7fffff;
+    }
+    r[40] = ((a[40] >> n) | (a[41] << (23 - n))) & 0x7fffff;
+    r[41] = ((a[41] >> n) | (a[42] << (23 - n))) & 0x7fffff;
+    r[42] = ((a[42] >> n) | (a[43] << (23 - n))) & 0x7fffff;
+    r[43] = ((a[43] >> n) | (a[44] << (23 - n))) & 0x7fffff;
+#endif
+    r[44] = a[44] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_2048_div_word_45(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 23 bits from d1 and top 8 bits from d0. */
+    d = (d1 << 8) | (d0 >> 15);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 9 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 7) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 17 bits in r */
+    /* Remaining 7 bits from d0. */
+    r <<= 7;
+    d <<= 7;
+    d |= d0 & ((1 << 7) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_div_45(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[90 + 1], t2d[45 + 1], sdd[45 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 45 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 90 + 1;
+        sd = t2 + 45 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_2048_mul_d_45(sd, d, 1L << 11);
+        sp_2048_mul_d_90(t1, a, 1L << 11);
+        dv = sd[44];
+        for (i=45; i>=0; i--) {
+            t1[45 + i] += t1[45 + i - 1] >> 23;
+            t1[45 + i - 1] &= 0x7fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[45 + i];
+            d1 <<= 23;
+            d1 += t1[45 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_2048_div_word_45(t1[45 + i], t1[45 + i - 1], dv);
+#endif
+
+            sp_2048_mul_d_45(t2, sd, r1);
+            (void)sp_2048_sub_45(&t1[i], &t1[i], t2);
+            t1[45 + i] -= t2[45];
+            t1[45 + i] += t1[45 + i - 1] >> 23;
+            t1[45 + i - 1] &= 0x7fffff;
+            r1 = (((-t1[45 + i]) << 23) - t1[45 + i - 1]) / dv;
+            r1 -= t1[45 + i];
+            sp_2048_mul_d_45(t2, sd, r1);
+            (void)sp_2048_add_45(&t1[i], &t1[i], t2);
+            t1[45 + i] += t1[45 + i - 1] >> 23;
+            t1[45 + i - 1] &= 0x7fffff;
+        }
+        t1[45 - 1] += t1[45 - 2] >> 23;
+        t1[45 - 2] &= 0x7fffff;
+        r1 = t1[45 - 1] / dv;
+
+        sp_2048_mul_d_45(t2, sd, r1);
+        sp_2048_sub_45(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 45U);
+        for (i=0; i<43; i++) {
+            r[i+1] += r[i] >> 23;
+            r[i] &= 0x7fffff;
+        }
+        sp_2048_cond_add_45(r, r, sd, 0 - ((r[44] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_2048_norm_45(r);
+        sp_2048_rshift_45(r, r, 11);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_mod_45(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_45(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_45(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 45 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 45U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[45 * 2];
+        t[2] = &td[2 * 45 * 2];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_45(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_45(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 45U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_45(t[1], t[1], norm);
+        err = sp_2048_mod_45(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_45(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 45 * 2);
+            sp_2048_mont_sqr_45(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 45 * 2);
+        }
+
+        sp_2048_mont_reduce_45(t[0], m, mp);
+        n = sp_2048_cmp_45(t[0], m);
+        sp_2048_cond_sub_45(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 45 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][90];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 45 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[45 * 2];
+        t[2] = &td[2 * 45 * 2];
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_45(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_45(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_45(t[1], t[1], norm);
+                err = sp_2048_mod_45(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_45(t[1], a, norm);
+            err = sp_2048_mod_45(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_45(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_2048_mont_sqr_45(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_2048_mont_reduce_45(t[0], m, mp);
+        n = sp_2048_cmp_45(t[0], m);
+        sp_2048_cond_sub_45(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][90];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[90];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 90, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 90;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_45(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_45(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_45(t[1], t[1], norm);
+                err = sp_2048_mod_45(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_45(t[1], a, norm);
+            err = sp_2048_mod_45(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_45(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_45(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_45(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_45(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_45(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_45(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_45(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_45(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_45(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_45(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_45(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_45(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_45(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_45(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_45(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_45(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_45(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_45(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_45(t[20], t[10], m, mp);
+        sp_2048_mont_mul_45(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_45(t[22], t[11], m, mp);
+        sp_2048_mont_mul_45(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_45(t[24], t[12], m, mp);
+        sp_2048_mont_mul_45(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_45(t[26], t[13], m, mp);
+        sp_2048_mont_mul_45(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_45(t[28], t[14], m, mp);
+        sp_2048_mont_mul_45(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_45(t[30], t[15], m, mp);
+        sp_2048_mont_mul_45(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 45) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_2048_mont_sqr_45(rt, rt, m, mp);
+            sp_2048_mont_sqr_45(rt, rt, m, mp);
+            sp_2048_mont_sqr_45(rt, rt, m, mp);
+            sp_2048_mont_sqr_45(rt, rt, m, mp);
+            sp_2048_mont_sqr_45(rt, rt, m, mp);
+
+            sp_2048_mont_mul_45(rt, rt, t[y], m, mp);
+        }
+
+        sp_2048_mont_reduce_45(rt, m, mp);
+        n = sp_2048_cmp_45(rt, m);
+        sp_2048_cond_sub_45(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_90(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<89; i++) {
+        r[i] = 0x7fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = 0x7fffff;
+        r[i + 1] = 0x7fffff;
+        r[i + 2] = 0x7fffff;
+        r[i + 3] = 0x7fffff;
+        r[i + 4] = 0x7fffff;
+        r[i + 5] = 0x7fffff;
+        r[i + 6] = 0x7fffff;
+        r[i + 7] = 0x7fffff;
+    }
+    r[88] = 0x7fffff;
+#endif
+    r[89] = 0x1L;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_2048_sub_90(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_2048_cmp_90(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=89; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[89] - b[89]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[88] - b[88]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 80; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_sub_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[88] = a[88] - (b[88] & m);
+    r[89] = a[89] - (b[89] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_add_90(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[90] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x7fffff);
+    for (i = 0; i < 88; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 23) + (t[5] & 0x7fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 23) + (t[6] & 0x7fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 23) + (t[7] & 0x7fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 23) + (t[0] & 0x7fffff));
+    }
+    t[1] = tb * a[89]; r[89] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+    r[90] +=  (sp_digit)(t[1] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 23.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_2048_norm_90(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 89; i++) {
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 88; i += 8) {
+        a[i+1] += a[i+0] >> 23; a[i+0] &= 0x7fffff;
+        a[i+2] += a[i+1] >> 23; a[i+1] &= 0x7fffff;
+        a[i+3] += a[i+2] >> 23; a[i+2] &= 0x7fffff;
+        a[i+4] += a[i+3] >> 23; a[i+3] &= 0x7fffff;
+        a[i+5] += a[i+4] >> 23; a[i+4] &= 0x7fffff;
+        a[i+6] += a[i+5] >> 23; a[i+5] &= 0x7fffff;
+        a[i+7] += a[i+6] >> 23; a[i+6] &= 0x7fffff;
+        a[i+8] += a[i+7] >> 23; a[i+7] &= 0x7fffff;
+        a[i+9] += a[i+8] >> 23; a[i+8] &= 0x7fffff;
+    }
+    a[88+1] += a[88] >> 23;
+    a[88] &= 0x7fffff;
+#endif
+}
+
+/* Shift the result in the high 2048 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_2048_mont_shift_90(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[89] >> 1;
+    n += ((int64_t)a[90]) << 22;
+
+    for (i = 0; i < 89; i++) {
+        r[i] = n & 0x7fffff;
+        n >>= 23;
+        n += ((int64_t)a[91 + i]) << 22;
+    }
+    r[89] = (sp_digit)n;
+#else
+    int i;
+    int64_t n = a[89] >> 1;
+    n += ((int64_t)a[90]) << 22;
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 91]) << 22;
+        r[i + 1] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 92]) << 22;
+        r[i + 2] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 93]) << 22;
+        r[i + 3] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 94]) << 22;
+        r[i + 4] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 95]) << 22;
+        r[i + 5] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 96]) << 22;
+        r[i + 6] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 97]) << 22;
+        r[i + 7] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 98]) << 22;
+    }
+    r[88] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[179]) << 22;
+    r[89] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[90], 0, sizeof(*r) * 90U);
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_2048_mont_reduce_90(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_2048_norm_90(a + 90);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<89; i++) {
+            mu = (a[i] * mp) & 0x7fffff;
+            sp_2048_mul_add_90(a+i, m, mu);
+            a[i+1] += a[i] >> 23;
+        }
+        mu = (a[i] * mp) & 0x1L;
+        sp_2048_mul_add_90(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+    else {
+        for (i=0; i<89; i++) {
+            mu = a[i] & 0x7fffff;
+            sp_2048_mul_add_90(a+i, m, mu);
+            a[i+1] += a[i] >> 23;
+        }
+        mu = a[i] & 0x1L;
+        sp_2048_mul_add_90(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    for (i=0; i<89; i++) {
+        mu = (a[i] * mp) & 0x7fffff;
+        sp_2048_mul_add_90(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+    }
+    mu = (a[i] * mp) & 0x1L;
+    sp_2048_mul_add_90(a+i, m, mu);
+    a[i+1] += a[i] >> 23;
+    a[i] &= 0x7fffff;
+#endif
+
+    sp_2048_mont_shift_90(a, a);
+    sp_2048_cond_sub_90(a, a, m, 0 - (((a[89] >> 1) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_2048_norm_90(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_90(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_90(r, a, b);
+    sp_2048_mont_reduce_90(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_90(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_90(r, a);
+    sp_2048_mont_reduce_90(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_d_180(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 180; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[180] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 176; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[177];
+    r[177] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    t[2] = tb * a[178];
+    r[178] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+    t[3] = tb * a[179];
+    r[179] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+    r[180] =  (sp_digit)(t[3] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_add_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 88; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[88] = a[88] + (b[88] & m);
+    r[89] = a[89] + (b[89] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_90(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 90; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_2048_rshift_90(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<89; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (23 - n))) & 0x7fffff;
+    }
+#else
+    for (i=0; i<88; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (23 - n))) & 0x7fffff;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (23 - n))) & 0x7fffff;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (23 - n))) & 0x7fffff;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (23 - n))) & 0x7fffff;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (23 - n))) & 0x7fffff;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (23 - n))) & 0x7fffff;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (23 - n))) & 0x7fffff;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (23 - n))) & 0x7fffff;
+    }
+    r[88] = ((a[88] >> n) | (a[89] << (23 - n))) & 0x7fffff;
+#endif
+    r[89] = a[89] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_2048_div_word_90(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 23 bits from d1 and top 8 bits from d0. */
+    d = (d1 << 8) | (d0 >> 15);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 9 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 7) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 17 bits in r */
+    /* Remaining 7 bits from d0. */
+    r <<= 7;
+    d <<= 7;
+    d |= d0 & ((1 << 7) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_div_90(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[180 + 1], t2d[90 + 1], sdd[90 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 90 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 180 + 1;
+        sd = t2 + 90 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_2048_mul_d_90(sd, d, 1L << 22);
+        sp_2048_mul_d_180(t1, a, 1L << 22);
+        dv = sd[89];
+        for (i=90; i>=0; i--) {
+            t1[90 + i] += t1[90 + i - 1] >> 23;
+            t1[90 + i - 1] &= 0x7fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[90 + i];
+            d1 <<= 23;
+            d1 += t1[90 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_2048_div_word_90(t1[90 + i], t1[90 + i - 1], dv);
+#endif
+
+            sp_2048_mul_d_90(t2, sd, r1);
+            (void)sp_2048_sub_90(&t1[i], &t1[i], t2);
+            t1[90 + i] -= t2[90];
+            t1[90 + i] += t1[90 + i - 1] >> 23;
+            t1[90 + i - 1] &= 0x7fffff;
+            r1 = (((-t1[90 + i]) << 23) - t1[90 + i - 1]) / dv;
+            r1 -= t1[90 + i];
+            sp_2048_mul_d_90(t2, sd, r1);
+            (void)sp_2048_add_90(&t1[i], &t1[i], t2);
+            t1[90 + i] += t1[90 + i - 1] >> 23;
+            t1[90 + i - 1] &= 0x7fffff;
+        }
+        t1[90 - 1] += t1[90 - 2] >> 23;
+        t1[90 - 2] &= 0x7fffff;
+        r1 = t1[90 - 1] / dv;
+
+        sp_2048_mul_d_90(t2, sd, r1);
+        sp_2048_sub_90(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 90U);
+        for (i=0; i<88; i++) {
+            r[i+1] += r[i] >> 23;
+            r[i] &= 0x7fffff;
+        }
+        sp_2048_cond_add_90(r, r, sd, 0 - ((r[89] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_2048_norm_90(r);
+        sp_2048_rshift_90(r, r, 22);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_mod_90(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_90(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_90(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 90 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 90U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[90 * 2];
+        t[2] = &td[2 * 90 * 2];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_90(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_90(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 90U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_90(t[1], t[1], norm);
+        err = sp_2048_mod_90(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_90(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 90 * 2);
+            sp_2048_mont_sqr_90(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 90 * 2);
+        }
+
+        sp_2048_mont_reduce_90(t[0], m, mp);
+        n = sp_2048_cmp_90(t[0], m);
+        sp_2048_cond_sub_90(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 90 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][180];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 90 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[90 * 2];
+        t[2] = &td[2 * 90 * 2];
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_90(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_90(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_90(t[1], t[1], norm);
+                err = sp_2048_mod_90(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_90(t[1], a, norm);
+            err = sp_2048_mod_90(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_90(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_2048_mont_sqr_90(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_2048_mont_reduce_90(t[0], m, mp);
+        n = sp_2048_cmp_90(t[0], m);
+        sp_2048_cond_sub_90(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][180];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[180];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 180, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 180;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_90(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_90(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_90(t[1], t[1], norm);
+                err = sp_2048_mod_90(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_90(t[1], a, norm);
+            err = sp_2048_mod_90(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_90(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_90(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_90(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_90(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_90(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_90(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_90(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_90(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_90(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_90(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_90(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_90(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_90(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_90(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_90(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_90(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_90(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_90(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_90(t[20], t[10], m, mp);
+        sp_2048_mont_mul_90(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_90(t[22], t[11], m, mp);
+        sp_2048_mont_mul_90(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_90(t[24], t[12], m, mp);
+        sp_2048_mont_mul_90(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_90(t[26], t[13], m, mp);
+        sp_2048_mont_mul_90(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_90(t[28], t[14], m, mp);
+        sp_2048_mont_mul_90(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_90(t[30], t[15], m, mp);
+        sp_2048_mont_mul_90(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 90) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_2048_mont_sqr_90(rt, rt, m, mp);
+            sp_2048_mont_sqr_90(rt, rt, m, mp);
+            sp_2048_mont_sqr_90(rt, rt, m, mp);
+            sp_2048_mont_sqr_90(rt, rt, m, mp);
+            sp_2048_mont_sqr_90(rt, rt, m, mp);
+
+            sp_2048_mont_mul_90(rt, rt, t[y], m, mp);
+        }
+
+        sp_2048_mont_reduce_90(rt, m, mp);
+        n = sp_2048_cmp_90(rt, m);
+        sp_2048_cond_sub_90(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 23) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 90 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 90 * 2;
+        m = r + 90 * 2;
+        norm = r;
+
+        sp_2048_from_bin(a, 90, in, inLen);
+#if DIGIT_BIT >= 23
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 90, mm);
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_90(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_90(a, a, norm);
+        err = sp_2048_mod_90(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=22; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 90 * 2);
+        for (i--; i>=0; i--) {
+            sp_2048_mont_sqr_90(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_2048_mont_mul_90(r, r, a, m, mp);
+            }
+        }
+        sp_2048_mont_reduce_90(r, m, mp);
+        mp = sp_2048_cmp_90(r, m);
+        sp_2048_cond_sub_90(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[180], md[90], rd[180];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 23) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 90 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 90 * 2;
+        m = r + 90 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 90, in, inLen);
+#if DIGIT_BIT >= 23
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 90, mm);
+
+        if (e[0] == 0x3) {
+            sp_2048_sqr_90(r, a);
+            err = sp_2048_mod_90(r, r, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_90(r, a, r);
+                err = sp_2048_mod_90(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+            sp_2048_mont_norm_90(norm, m);
+
+            sp_2048_mul_90(a, a, norm);
+            err = sp_2048_mod_90(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=22; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 180U);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_90(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_90(r, r, a, m, mp);
+                    }
+                }
+                sp_2048_mont_reduce_90(r, m, mp);
+                mp = sp_2048_cmp_90(r, m);
+                sp_2048_cond_sub_90(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 90 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 90;
+        m = a + 180;
+        r = a;
+
+        sp_2048_from_bin(a, 90, in, inLen);
+        sp_2048_from_mp(d, 90, dm);
+        sp_2048_from_mp(m, 90, mm);
+        err = sp_2048_mod_exp_90(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 90);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[180], d[90], m[90];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 90, in, inLen);
+        sp_2048_from_mp(d, 90, dm);
+        sp_2048_from_mp(m, 90, mm);
+        err = sp_2048_mod_exp_90(r, a, d, 2048, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 90);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 45 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 90 * 2;
+        q = p + 45;
+        qi = dq = dp = q + 45;
+        tmpa = qi + 45;
+        tmpb = tmpa + 90;
+
+        r = t + 90;
+
+        sp_2048_from_bin(a, 90, in, inLen);
+        sp_2048_from_mp(p, 45, pm);
+        sp_2048_from_mp(q, 45, qm);
+        sp_2048_from_mp(dp, 45, dpm);
+        err = sp_2048_mod_exp_45(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 45, dqm);
+        err = sp_2048_mod_exp_45(tmpb, a, dq, 1024, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_2048_sub_45(tmpa, tmpa, tmpb);
+        sp_2048_cond_add_45(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[44] >> 31));
+        sp_2048_cond_add_45(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[44] >> 31));
+
+        sp_2048_from_mp(qi, 45, qim);
+        sp_2048_mul_45(tmpa, tmpa, qi);
+        err = sp_2048_mod_45(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_45(tmpa, q, tmpa);
+        (void)sp_2048_add_90(r, tmpb, tmpa);
+        sp_2048_norm_90(r);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 45 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[90 * 2];
+    sp_digit p[45], q[45], dp[45], dq[45], qi[45];
+    sp_digit tmpa[90], tmpb[90];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 90, in, inLen);
+        sp_2048_from_mp(p, 45, pm);
+        sp_2048_from_mp(q, 45, qm);
+        sp_2048_from_mp(dp, 45, dpm);
+        sp_2048_from_mp(dq, 45, dqm);
+        sp_2048_from_mp(qi, 45, qim);
+
+        err = sp_2048_mod_exp_45(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_2048_mod_exp_45(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_2048_sub_45(tmpa, tmpa, tmpb);
+        sp_2048_cond_add_45(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[44] >> 31));
+        sp_2048_cond_add_45(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[44] >> 31));
+        sp_2048_mul_45(tmpa, tmpa, qi);
+        err = sp_2048_mod_45(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_45(tmpa, tmpa, q);
+        (void)sp_2048_add_90(r, tmpb, tmpa);
+        sp_2048_norm_90(r);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 23
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 90);
+        r->used = 90;
+        mp_clamp(r);
+#elif DIGIT_BIT < 23
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 90; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 23) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 23 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 90; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 23 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 23 - s;
+            }
+            else {
+                s += 23;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 90 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 90 * 2;
+        m = e + 90;
+        r = b;
+
+        sp_2048_from_mp(b, 90, base);
+        sp_2048_from_mp(e, 90, exp);
+        sp_2048_from_mp(m, 90, mod);
+
+        err = sp_2048_mod_exp_90(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[180], ed[90], md[90];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 90 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 90 * 2;
+        m = e + 90;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 90, base);
+        sp_2048_from_mp(e, 90, exp);
+        sp_2048_from_mp(m, 90, mod);
+
+        err = sp_2048_mod_exp_90(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+SP_NOINLINE static void sp_2048_lshift_90(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[90] = a[89] >> (23 - n);
+    for (i=89; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (23 - n))) & 0x7fffff;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[89];
+    r[90] = s >> (23U - n);
+    s = (sp_int_digit)(a[89]); t = (sp_int_digit)(a[88]);
+    r[89] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[88]); t = (sp_int_digit)(a[87]);
+    r[88] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[87]); t = (sp_int_digit)(a[86]);
+    r[87] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[86]); t = (sp_int_digit)(a[85]);
+    r[86] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[85]); t = (sp_int_digit)(a[84]);
+    r[85] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[84]); t = (sp_int_digit)(a[83]);
+    r[84] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[83]); t = (sp_int_digit)(a[82]);
+    r[83] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[82]); t = (sp_int_digit)(a[81]);
+    r[82] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[81]); t = (sp_int_digit)(a[80]);
+    r[81] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[80]); t = (sp_int_digit)(a[79]);
+    r[80] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[79]); t = (sp_int_digit)(a[78]);
+    r[79] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[78]); t = (sp_int_digit)(a[77]);
+    r[78] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[77]); t = (sp_int_digit)(a[76]);
+    r[77] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[76]); t = (sp_int_digit)(a[75]);
+    r[76] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[75]); t = (sp_int_digit)(a[74]);
+    r[75] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[74]); t = (sp_int_digit)(a[73]);
+    r[74] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[73]); t = (sp_int_digit)(a[72]);
+    r[73] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[72]); t = (sp_int_digit)(a[71]);
+    r[72] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[71]); t = (sp_int_digit)(a[70]);
+    r[71] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[70]); t = (sp_int_digit)(a[69]);
+    r[70] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[69]); t = (sp_int_digit)(a[68]);
+    r[69] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[68]); t = (sp_int_digit)(a[67]);
+    r[68] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[67]); t = (sp_int_digit)(a[66]);
+    r[67] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[66]); t = (sp_int_digit)(a[65]);
+    r[66] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[65]); t = (sp_int_digit)(a[64]);
+    r[65] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[64]); t = (sp_int_digit)(a[63]);
+    r[64] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[63]); t = (sp_int_digit)(a[62]);
+    r[63] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[62]); t = (sp_int_digit)(a[61]);
+    r[62] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[61]); t = (sp_int_digit)(a[60]);
+    r[61] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[60]); t = (sp_int_digit)(a[59]);
+    r[60] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[59]); t = (sp_int_digit)(a[58]);
+    r[59] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[58]); t = (sp_int_digit)(a[57]);
+    r[58] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[57]); t = (sp_int_digit)(a[56]);
+    r[57] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[56]); t = (sp_int_digit)(a[55]);
+    r[56] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[55]); t = (sp_int_digit)(a[54]);
+    r[55] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[54]); t = (sp_int_digit)(a[53]);
+    r[54] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
+    r[53] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
+    r[52] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
+    r[51] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
+    r[50] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
+    r[49] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
+    r[48] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
+    r[47] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
+    r[46] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
+    r[45] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
+    r[44] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
+    r[43] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
+    r[42] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
+    r[41] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
+    r[40] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
+    r[39] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
+    r[38] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
+    r[37] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
+    r[36] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+#endif
+    r[0] = (a[0] << n) & 0x7fffff;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_90(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[180];
+    sp_digit td[91];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 271, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 180;
+        XMEMSET(td, 0, sizeof(sp_digit) * 271);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_90(norm, m);
+
+        bits = ((bits + 3) / 4) * 4;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 90) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 4) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 28) & 0xf;
+        n <<= 4;
+        c -= 4;
+        sp_2048_lshift_90(r, norm, y);
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_2048_mont_sqr_90(r, r, m, mp);
+            sp_2048_mont_sqr_90(r, r, m, mp);
+            sp_2048_mont_sqr_90(r, r, m, mp);
+            sp_2048_mont_sqr_90(r, r, m, mp);
+
+            sp_2048_lshift_90(r, r, y);
+            sp_2048_mul_d_90(tmp, norm, (r[90] << 22) + (r[89] >> 1));
+            r[90] = 0;
+            r[89] &= 0x1L;
+            (void)sp_2048_add_90(r, r, tmp);
+            sp_2048_norm_90(r);
+            o = sp_2048_cmp_90(r, m);
+            sp_2048_cond_sub_90(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_2048_mont_reduce_90(r, m, mp);
+        n = sp_2048_cmp_90(r, m);
+        sp_2048_cond_sub_90(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 90 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 90 * 2;
+        m = e + 90;
+        r = b;
+
+        sp_2048_from_mp(b, 90, base);
+        sp_2048_from_bin(e, 90, exp, expLen);
+        sp_2048_from_mp(m, 90, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 &&
+                ((m[89] << 15) | (m[88] >> 8)) == 0xffffL) {
+            err = sp_2048_mod_exp_2_90(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_2048_mod_exp_90(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[180], ed[90], md[90];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 90 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 90 * 2;
+        m = e + 90;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 90, base);
+        sp_2048_from_bin(e, 90, exp, expLen);
+        sp_2048_from_mp(m, 90, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2U &&
+                ((m[89] << 15) | (m[88] >> 8)) == 0xffffL) {
+            err = sp_2048_mod_exp_2_90(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_2048_mod_exp_90(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_2048
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 90U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 45 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 45 * 2;
+        m = e + 45;
+        r = b;
+
+        sp_2048_from_mp(b, 45, base);
+        sp_2048_from_mp(e, 45, exp);
+        sp_2048_from_mp(m, 45, mod);
+
+        err = sp_2048_mod_exp_45(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 45, 0, sizeof(*r) * 45U);
+        err = sp_2048_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 45U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[90], ed[45], md[45];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 45 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 45 * 2;
+        m = e + 45;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 45, base);
+        sp_2048_from_mp(e, 45, exp);
+        sp_2048_from_mp(m, 45, mod);
+
+        err = sp_2048_mod_exp_45(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 45, 0, sizeof(*r) * 45U);
+        err = sp_2048_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 45U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 45U);
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 15U) {
+            r[j] &= 0x7fffff;
+            s = 23U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 23
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 23
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x7fffff;
+        s = 23U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 23U) <= (word32)DIGIT_BIT) {
+            s += 23U;
+            r[j] &= 0x7fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 23) {
+            r[j] &= 0x7fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 23 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<133; i++) {
+        r[i+1] += r[i] >> 23;
+        r[i] &= 0x7fffff;
+    }
+    j = 3072 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<134 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 23) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 23);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_67(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j;
+    int64_t t[134];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<67; i++) {
+        for (j=0; j<67; j++) {
+            t[i+j] += ((int64_t)a[i]) * b[j];
+        }
+    }
+    for (i=0; i<133; i++) {
+        r[i] = t[i] & 0x7fffff;
+        t[i+1] += t[i] >> 23;
+    }
+    r[133] = (sp_digit)t[133];
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_67(sp_digit* r, const sp_digit* a)
+{
+    int i, j;
+    int64_t t[134];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<67; i++) {
+        for (j=0; j<i; j++) {
+            t[i+j] += (((int64_t)a[i]) * a[j]) * 2;
+        }
+        t[i+i] += ((int64_t)a[i]) * a[i];
+    }
+    for (i=0; i<133; i++) {
+        r[i] = t[i] & 0x7fffff;
+        t[i+1] += t[i] >> 23;
+    }
+    r[133] = (sp_digit)t[133];
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[64] = a[64] + b[64];
+    r[65] = a[65] + b[65];
+    r[66] = a[66] + b[66];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[128] = a[128] + b[128];
+    r[129] = a[129] + b[129];
+    r[130] = a[130] + b[130];
+    r[131] = a[131] + b[131];
+    r[132] = a[132] + b[132];
+    r[133] = a[133] + b[133];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[128] = a[128] - b[128];
+    r[129] = a[129] - b[129];
+    r[130] = a[130] - b[130];
+    r[131] = a[131] - b[131];
+    r[132] = a[132] - b[132];
+    r[133] = a[133] - b[133];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_134(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[134];
+    sp_digit* a1 = z1;
+    sp_digit b1[67];
+    sp_digit* z2 = r + 134;
+    (void)sp_3072_add_67(a1, a, &a[67]);
+    (void)sp_3072_add_67(b1, b, &b[67]);
+    sp_3072_mul_67(z2, &a[67], &b[67]);
+    sp_3072_mul_67(z0, a, b);
+    sp_3072_mul_67(z1, a1, b1);
+    (void)sp_3072_sub_134(z1, z1, z2);
+    (void)sp_3072_sub_134(z1, z1, z0);
+    (void)sp_3072_add_134(r + 67, r + 67, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_134(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[134];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 134;
+    (void)sp_3072_add_67(a1, a, &a[67]);
+    sp_3072_sqr_67(z2, &a[67]);
+    sp_3072_sqr_67(z0, a);
+    sp_3072_sqr_67(z1, a1);
+    (void)sp_3072_sub_134(z1, z1, z2);
+    (void)sp_3072_sub_134(z1, z1, z0);
+    (void)sp_3072_add_134(r + 67, r + 67, z1);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_134(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[133]) * b[133];
+    r[267] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 265; k >= 0; k--) {
+        for (i = 133; i >= 0; i--) {
+            j = k - i;
+            if (j >= 134) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_134(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[133]) * a[133];
+    r[267] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 265; k >= 0; k--) {
+        for (i = 133; i >= 0; i--) {
+            j = k - i;
+            if (j >= 134 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[64] = a[64] - b[64];
+    r[65] = a[65] - b[65];
+    r[66] = a[66] - b[66];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_67(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[66]) * b[66];
+    r[133] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 131; k >= 0; k--) {
+        for (i = 66; i >= 0; i--) {
+            j = k - i;
+            if (j >= 67) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_67(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[66]) * a[66];
+    r[133] = (sp_digit)(c >> 23);
+    c = (c & 0x7fffff) << 23;
+    for (k = 131; k >= 0; k--) {
+        for (i = 66; i >= 0; i--) {
+            j = k - i;
+            if (j >= 67 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 46;
+        r[k + 1] = (c >> 23) & 0x7fffff;
+        c = (c & 0x7fffff) << 23;
+    }
+    r[0] = (sp_digit)(c >> 23);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x &= 0x7fffff;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 23) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_d_134(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[134] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 128; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[129];
+    r[129] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    t[2] = tb * a[130];
+    r[130] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+    t[3] = tb * a[131];
+    r[131] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+    t[4] = tb * a[132];
+    r[132] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+    t[5] = tb * a[133];
+    r[133] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+    r[134] =  (sp_digit)(t[5] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_67(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<66; i++) {
+        r[i] = 0x7fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i + 0] = 0x7fffff;
+        r[i + 1] = 0x7fffff;
+        r[i + 2] = 0x7fffff;
+        r[i + 3] = 0x7fffff;
+        r[i + 4] = 0x7fffff;
+        r[i + 5] = 0x7fffff;
+        r[i + 6] = 0x7fffff;
+        r[i + 7] = 0x7fffff;
+    }
+    r[64] = 0x7fffff;
+    r[65] = 0x7fffff;
+#endif
+    r[66] = 0x3ffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_3072_sub_67(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_3072_cmp_67(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=66; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[66] - b[66]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[65] - b[65]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[64] - b[64]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 56; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_sub_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[64] = a[64] - (b[64] & m);
+    r[65] = a[65] - (b[65] & m);
+    r[66] = a[66] - (b[66] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_add_67(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[67] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x7fffff);
+    for (i = 0; i < 64; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 23) + (t[5] & 0x7fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 23) + (t[6] & 0x7fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 23) + (t[7] & 0x7fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 23) + (t[0] & 0x7fffff));
+    }
+    t[1] = tb * a[65]; r[65] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+    t[2] = tb * a[66]; r[66] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+    r[67] +=  (sp_digit)(t[2] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 23.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_3072_norm_67(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 66; i++) {
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 64; i += 8) {
+        a[i+1] += a[i+0] >> 23; a[i+0] &= 0x7fffff;
+        a[i+2] += a[i+1] >> 23; a[i+1] &= 0x7fffff;
+        a[i+3] += a[i+2] >> 23; a[i+2] &= 0x7fffff;
+        a[i+4] += a[i+3] >> 23; a[i+3] &= 0x7fffff;
+        a[i+5] += a[i+4] >> 23; a[i+4] &= 0x7fffff;
+        a[i+6] += a[i+5] >> 23; a[i+5] &= 0x7fffff;
+        a[i+7] += a[i+6] >> 23; a[i+6] &= 0x7fffff;
+        a[i+8] += a[i+7] >> 23; a[i+7] &= 0x7fffff;
+        a[i+9] += a[i+8] >> 23; a[i+8] &= 0x7fffff;
+    }
+    a[64+1] += a[64] >> 23;
+    a[64] &= 0x7fffff;
+    a[65+1] += a[65] >> 23;
+    a[65] &= 0x7fffff;
+#endif
+}
+
+/* Shift the result in the high 1536 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_3072_mont_shift_67(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    sp_digit n, s;
+
+    s = a[67];
+    n = a[66] >> 18;
+    for (i = 0; i < 66; i++) {
+        n += (s & 0x7fffff) << 5;
+        r[i] = n & 0x7fffff;
+        n >>= 23;
+        s = a[68 + i] + (s >> 23);
+    }
+    n += s << 5;
+    r[66] = n;
+#else
+    sp_digit n, s;
+    int i;
+
+    s = a[67]; n = a[66] >> 18;
+    for (i = 0; i < 64; i += 8) {
+        n += (s & 0x7fffff) << 5; r[i+0] = n & 0x7fffff;
+        n >>= 23; s = a[i+68] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+1] = n & 0x7fffff;
+        n >>= 23; s = a[i+69] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+2] = n & 0x7fffff;
+        n >>= 23; s = a[i+70] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+3] = n & 0x7fffff;
+        n >>= 23; s = a[i+71] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+4] = n & 0x7fffff;
+        n >>= 23; s = a[i+72] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+5] = n & 0x7fffff;
+        n >>= 23; s = a[i+73] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+6] = n & 0x7fffff;
+        n >>= 23; s = a[i+74] + (s >> 23);
+        n += (s & 0x7fffff) << 5; r[i+7] = n & 0x7fffff;
+        n >>= 23; s = a[i+75] + (s >> 23);
+    }
+    n += (s & 0x7fffff) << 5; r[64] = n & 0x7fffff;
+    n >>= 23; s = a[132] + (s >> 23);
+    n += (s & 0x7fffff) << 5; r[65] = n & 0x7fffff;
+    n >>= 23; s = a[133] + (s >> 23);
+    n += s << 5;              r[66] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[67], 0, sizeof(*r) * 67U);
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_3072_mont_reduce_67(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_3072_norm_67(a + 67);
+
+    for (i=0; i<66; i++) {
+        mu = (a[i] * mp) & 0x7fffff;
+        sp_3072_mul_add_67(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+    }
+    mu = (a[i] * mp) & 0x3ffffL;
+    sp_3072_mul_add_67(a+i, m, mu);
+    a[i+1] += a[i] >> 23;
+    a[i] &= 0x7fffff;
+
+    sp_3072_mont_shift_67(a, a);
+    sp_3072_cond_sub_67(a, a, m, 0 - (((a[66] >> 18) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_3072_norm_67(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_67(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_67(r, a, b);
+    sp_3072_mont_reduce_67(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_67(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_67(r, a);
+    sp_3072_mont_reduce_67(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_d_67(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[67] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 64; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[65];
+    r[65] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    t[2] = tb * a[66];
+    r[66] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+    r[67] =  (sp_digit)(t[2] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_add_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[64] = a[64] + (b[64] & m);
+    r[65] = a[65] + (b[65] & m);
+    r[66] = a[66] + (b[66] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_67(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 67; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_3072_div_word_67(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 23 bits from d1 and top 8 bits from d0. */
+    d = (d1 << 8) | (d0 >> 15);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 9 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 7) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 17 bits in r */
+    /* Remaining 7 bits from d0. */
+    r <<= 7;
+    d <<= 7;
+    d |= d0 & ((1 << 7) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_div_67(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[134], t2d[67 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 67 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 67;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[66];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 67U);
+        for (i=66; i>=0; i--) {
+            t1[67 + i] += t1[67 + i - 1] >> 23;
+            t1[67 + i - 1] &= 0x7fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[67 + i];
+            d1 <<= 23;
+            d1 += t1[67 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_3072_div_word_67(t1[67 + i], t1[67 + i - 1], dv);
+#endif
+
+            sp_3072_mul_d_67(t2, d, r1);
+            (void)sp_3072_sub_67(&t1[i], &t1[i], t2);
+            t1[67 + i] -= t2[67];
+            t1[67 + i] += t1[67 + i - 1] >> 23;
+            t1[67 + i - 1] &= 0x7fffff;
+            r1 = (((-t1[67 + i]) << 23) - t1[67 + i - 1]) / dv;
+            r1++;
+            sp_3072_mul_d_67(t2, d, r1);
+            (void)sp_3072_add_67(&t1[i], &t1[i], t2);
+            t1[67 + i] += t1[67 + i - 1] >> 23;
+            t1[67 + i - 1] &= 0x7fffff;
+        }
+        t1[67 - 1] += t1[67 - 2] >> 23;
+        t1[67 - 2] &= 0x7fffff;
+        r1 = t1[67 - 1] / dv;
+
+        sp_3072_mul_d_67(t2, d, r1);
+        (void)sp_3072_sub_67(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 67U);
+        for (i=0; i<65; i++) {
+            r[i+1] += r[i] >> 23;
+            r[i] &= 0x7fffff;
+        }
+        sp_3072_cond_add_67(r, r, d, 0 - ((r[66] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_mod_67(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_67(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_67(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 67 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 67U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[67 * 2];
+        t[2] = &td[2 * 67 * 2];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_67(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_67(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 67U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_67(t[1], t[1], norm);
+        err = sp_3072_mod_67(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_67(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 67 * 2);
+            sp_3072_mont_sqr_67(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 67 * 2);
+        }
+
+        sp_3072_mont_reduce_67(t[0], m, mp);
+        n = sp_3072_cmp_67(t[0], m);
+        sp_3072_cond_sub_67(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 67 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][134];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 67 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[67 * 2];
+        t[2] = &td[2 * 67 * 2];
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_67(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_67(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_67(t[1], t[1], norm);
+                err = sp_3072_mod_67(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_67(t[1], a, norm);
+            err = sp_3072_mod_67(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_67(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_3072_mont_sqr_67(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_3072_mont_reduce_67(t[0], m, mp);
+        n = sp_3072_cmp_67(t[0], m);
+        sp_3072_cond_sub_67(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][134];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[134];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 134, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 134;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_67(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_67(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_67(t[1], t[1], norm);
+                err = sp_3072_mod_67(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_67(t[1], a, norm);
+            err = sp_3072_mod_67(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_67(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_67(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_67(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_67(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_67(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_67(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_67(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_67(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_67(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_67(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_67(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_67(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_67(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_67(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_67(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_67(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_67(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_67(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_67(t[20], t[10], m, mp);
+        sp_3072_mont_mul_67(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_67(t[22], t[11], m, mp);
+        sp_3072_mont_mul_67(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_67(t[24], t[12], m, mp);
+        sp_3072_mont_mul_67(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_67(t[26], t[13], m, mp);
+        sp_3072_mont_mul_67(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_67(t[28], t[14], m, mp);
+        sp_3072_mont_mul_67(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_67(t[30], t[15], m, mp);
+        sp_3072_mont_mul_67(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 67) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_3072_mont_sqr_67(rt, rt, m, mp);
+            sp_3072_mont_sqr_67(rt, rt, m, mp);
+            sp_3072_mont_sqr_67(rt, rt, m, mp);
+            sp_3072_mont_sqr_67(rt, rt, m, mp);
+            sp_3072_mont_sqr_67(rt, rt, m, mp);
+
+            sp_3072_mont_mul_67(rt, rt, t[y], m, mp);
+        }
+
+        sp_3072_mont_reduce_67(rt, m, mp);
+        n = sp_3072_cmp_67(rt, m);
+        sp_3072_cond_sub_67(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_134(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<133; i++) {
+        r[i] = 0x7fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = 0x7fffff;
+        r[i + 1] = 0x7fffff;
+        r[i + 2] = 0x7fffff;
+        r[i + 3] = 0x7fffff;
+        r[i + 4] = 0x7fffff;
+        r[i + 5] = 0x7fffff;
+        r[i + 6] = 0x7fffff;
+        r[i + 7] = 0x7fffff;
+    }
+    r[128] = 0x7fffff;
+    r[129] = 0x7fffff;
+    r[130] = 0x7fffff;
+    r[131] = 0x7fffff;
+    r[132] = 0x7fffff;
+#endif
+    r[133] = 0x1fffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_3072_sub_134(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_3072_cmp_134(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=133; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[133] - b[133]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[132] - b[132]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[131] - b[131]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[130] - b[130]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[129] - b[129]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[128] - b[128]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 120; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_sub_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[128] = a[128] - (b[128] & m);
+    r[129] = a[129] - (b[129] & m);
+    r[130] = a[130] - (b[130] & m);
+    r[131] = a[131] - (b[131] & m);
+    r[132] = a[132] - (b[132] & m);
+    r[133] = a[133] - (b[133] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_add_134(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[134] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x7fffff);
+    for (i = 0; i < 128; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 23) + (t[5] & 0x7fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 23) + (t[6] & 0x7fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 23) + (t[7] & 0x7fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 23) + (t[0] & 0x7fffff));
+    }
+    t[1] = tb * a[129]; r[129] += (sp_digit)((t[0] >> 23) + (t[1] & 0x7fffff));
+    t[2] = tb * a[130]; r[130] += (sp_digit)((t[1] >> 23) + (t[2] & 0x7fffff));
+    t[3] = tb * a[131]; r[131] += (sp_digit)((t[2] >> 23) + (t[3] & 0x7fffff));
+    t[4] = tb * a[132]; r[132] += (sp_digit)((t[3] >> 23) + (t[4] & 0x7fffff));
+    t[5] = tb * a[133]; r[133] += (sp_digit)((t[4] >> 23) + (t[5] & 0x7fffff));
+    r[134] +=  (sp_digit)(t[5] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 23.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_3072_norm_134(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 133; i++) {
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 128; i += 8) {
+        a[i+1] += a[i+0] >> 23; a[i+0] &= 0x7fffff;
+        a[i+2] += a[i+1] >> 23; a[i+1] &= 0x7fffff;
+        a[i+3] += a[i+2] >> 23; a[i+2] &= 0x7fffff;
+        a[i+4] += a[i+3] >> 23; a[i+3] &= 0x7fffff;
+        a[i+5] += a[i+4] >> 23; a[i+4] &= 0x7fffff;
+        a[i+6] += a[i+5] >> 23; a[i+5] &= 0x7fffff;
+        a[i+7] += a[i+6] >> 23; a[i+6] &= 0x7fffff;
+        a[i+8] += a[i+7] >> 23; a[i+7] &= 0x7fffff;
+        a[i+9] += a[i+8] >> 23; a[i+8] &= 0x7fffff;
+    }
+    a[128+1] += a[128] >> 23;
+    a[128] &= 0x7fffff;
+    a[129+1] += a[129] >> 23;
+    a[129] &= 0x7fffff;
+    a[130+1] += a[130] >> 23;
+    a[130] &= 0x7fffff;
+    a[131+1] += a[131] >> 23;
+    a[131] &= 0x7fffff;
+    a[132+1] += a[132] >> 23;
+    a[132] &= 0x7fffff;
+#endif
+}
+
+/* Shift the result in the high 3072 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_3072_mont_shift_134(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[133] >> 13;
+    n += ((int64_t)a[134]) << 10;
+
+    for (i = 0; i < 133; i++) {
+        r[i] = n & 0x7fffff;
+        n >>= 23;
+        n += ((int64_t)a[135 + i]) << 10;
+    }
+    r[133] = (sp_digit)n;
+#else
+    int i;
+    int64_t n = a[133] >> 13;
+    n += ((int64_t)a[134]) << 10;
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 135]) << 10;
+        r[i + 1] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 136]) << 10;
+        r[i + 2] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 137]) << 10;
+        r[i + 3] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 138]) << 10;
+        r[i + 4] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 139]) << 10;
+        r[i + 5] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 140]) << 10;
+        r[i + 6] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 141]) << 10;
+        r[i + 7] = n & 0x7fffff;
+        n >>= 23; n += ((int64_t)a[i + 142]) << 10;
+    }
+    r[128] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[263]) << 10;
+    r[129] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[264]) << 10;
+    r[130] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[265]) << 10;
+    r[131] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[266]) << 10;
+    r[132] = n & 0x7fffff; n >>= 23; n += ((int64_t)a[267]) << 10;
+    r[133] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[134], 0, sizeof(*r) * 134U);
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_3072_mont_reduce_134(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_3072_norm_134(a + 134);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<133; i++) {
+            mu = (a[i] * mp) & 0x7fffff;
+            sp_3072_mul_add_134(a+i, m, mu);
+            a[i+1] += a[i] >> 23;
+        }
+        mu = (a[i] * mp) & 0x1fffL;
+        sp_3072_mul_add_134(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+    else {
+        for (i=0; i<133; i++) {
+            mu = a[i] & 0x7fffff;
+            sp_3072_mul_add_134(a+i, m, mu);
+            a[i+1] += a[i] >> 23;
+        }
+        mu = a[i] & 0x1fffL;
+        sp_3072_mul_add_134(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+        a[i] &= 0x7fffff;
+    }
+#else
+    for (i=0; i<133; i++) {
+        mu = (a[i] * mp) & 0x7fffff;
+        sp_3072_mul_add_134(a+i, m, mu);
+        a[i+1] += a[i] >> 23;
+    }
+    mu = (a[i] * mp) & 0x1fffL;
+    sp_3072_mul_add_134(a+i, m, mu);
+    a[i+1] += a[i] >> 23;
+    a[i] &= 0x7fffff;
+#endif
+
+    sp_3072_mont_shift_134(a, a);
+    sp_3072_cond_sub_134(a, a, m, 0 - (((a[133] >> 13) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_3072_norm_134(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_134(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_134(r, a, b);
+    sp_3072_mont_reduce_134(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_134(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_134(r, a);
+    sp_3072_mont_reduce_134(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_d_268(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 268; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffff;
+        t >>= 23;
+    }
+    r[268] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x7fffff;
+    for (i = 0; i < 264; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 23) + (t[4] & 0x7fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 23) + (t[5] & 0x7fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 23) + (t[6] & 0x7fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 23) + (t[7] & 0x7fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 23) + (t[0] & 0x7fffff);
+    }
+    t[1] = tb * a[265];
+    r[265] = (sp_digit)(t[0] >> 23) + (t[1] & 0x7fffff);
+    t[2] = tb * a[266];
+    r[266] = (sp_digit)(t[1] >> 23) + (t[2] & 0x7fffff);
+    t[3] = tb * a[267];
+    r[267] = (sp_digit)(t[2] >> 23) + (t[3] & 0x7fffff);
+    r[268] =  (sp_digit)(t[3] >> 23);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_add_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[128] = a[128] + (b[128] & m);
+    r[129] = a[129] + (b[129] & m);
+    r[130] = a[130] + (b[130] & m);
+    r[131] = a[131] + (b[131] & m);
+    r[132] = a[132] + (b[132] & m);
+    r[133] = a[133] + (b[133] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_134(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 134; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_3072_rshift_134(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<133; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (23 - n))) & 0x7fffff;
+    }
+#else
+    for (i=0; i<128; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (23 - n))) & 0x7fffff;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (23 - n))) & 0x7fffff;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (23 - n))) & 0x7fffff;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (23 - n))) & 0x7fffff;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (23 - n))) & 0x7fffff;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (23 - n))) & 0x7fffff;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (23 - n))) & 0x7fffff;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (23 - n))) & 0x7fffff;
+    }
+    r[128] = ((a[128] >> n) | (a[129] << (23 - n))) & 0x7fffff;
+    r[129] = ((a[129] >> n) | (a[130] << (23 - n))) & 0x7fffff;
+    r[130] = ((a[130] >> n) | (a[131] << (23 - n))) & 0x7fffff;
+    r[131] = ((a[131] >> n) | (a[132] << (23 - n))) & 0x7fffff;
+    r[132] = ((a[132] >> n) | (a[133] << (23 - n))) & 0x7fffff;
+#endif
+    r[133] = a[133] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_3072_div_word_134(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 23 bits from d1 and top 8 bits from d0. */
+    d = (d1 << 8) | (d0 >> 15);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 9 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 7) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 17 bits in r */
+    /* Remaining 7 bits from d0. */
+    r <<= 7;
+    d <<= 7;
+    d |= d0 & ((1 << 7) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_div_134(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[268 + 1], t2d[134 + 1], sdd[134 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 134 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 268 + 1;
+        sd = t2 + 134 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_3072_mul_d_134(sd, d, 1L << 10);
+        sp_3072_mul_d_268(t1, a, 1L << 10);
+        dv = sd[133];
+        for (i=134; i>=0; i--) {
+            t1[134 + i] += t1[134 + i - 1] >> 23;
+            t1[134 + i - 1] &= 0x7fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[134 + i];
+            d1 <<= 23;
+            d1 += t1[134 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_3072_div_word_134(t1[134 + i], t1[134 + i - 1], dv);
+#endif
+
+            sp_3072_mul_d_134(t2, sd, r1);
+            (void)sp_3072_sub_134(&t1[i], &t1[i], t2);
+            t1[134 + i] -= t2[134];
+            t1[134 + i] += t1[134 + i - 1] >> 23;
+            t1[134 + i - 1] &= 0x7fffff;
+            r1 = (((-t1[134 + i]) << 23) - t1[134 + i - 1]) / dv;
+            r1 -= t1[134 + i];
+            sp_3072_mul_d_134(t2, sd, r1);
+            (void)sp_3072_add_134(&t1[i], &t1[i], t2);
+            t1[134 + i] += t1[134 + i - 1] >> 23;
+            t1[134 + i - 1] &= 0x7fffff;
+        }
+        t1[134 - 1] += t1[134 - 2] >> 23;
+        t1[134 - 2] &= 0x7fffff;
+        r1 = t1[134 - 1] / dv;
+
+        sp_3072_mul_d_134(t2, sd, r1);
+        sp_3072_sub_134(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 134U);
+        for (i=0; i<132; i++) {
+            r[i+1] += r[i] >> 23;
+            r[i] &= 0x7fffff;
+        }
+        sp_3072_cond_add_134(r, r, sd, 0 - ((r[133] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_3072_norm_134(r);
+        sp_3072_rshift_134(r, r, 10);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_mod_134(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_134(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_134(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 134 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 134U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[134 * 2];
+        t[2] = &td[2 * 134 * 2];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_134(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_134(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 134U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_134(t[1], t[1], norm);
+        err = sp_3072_mod_134(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_134(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 134 * 2);
+            sp_3072_mont_sqr_134(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 134 * 2);
+        }
+
+        sp_3072_mont_reduce_134(t[0], m, mp);
+        n = sp_3072_cmp_134(t[0], m);
+        sp_3072_cond_sub_134(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 134 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][268];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 134 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[134 * 2];
+        t[2] = &td[2 * 134 * 2];
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_134(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_134(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_134(t[1], t[1], norm);
+                err = sp_3072_mod_134(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_134(t[1], a, norm);
+            err = sp_3072_mod_134(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 23;
+        c = bits % 23;
+        n = e[i--] << (23 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 23;
+            }
+
+            y = (n >> 22) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_134(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_3072_mont_sqr_134(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_3072_mont_reduce_134(t[0], m, mp);
+        n = sp_3072_cmp_134(t[0], m);
+        sp_3072_cond_sub_134(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][268];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[268];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 268, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 268;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_134(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_134(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_134(t[1], t[1], norm);
+                err = sp_3072_mod_134(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_134(t[1], a, norm);
+            err = sp_3072_mod_134(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_134(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_134(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_134(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_134(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_134(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_134(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_134(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_134(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_134(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_134(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_134(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_134(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_134(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_134(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_134(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_134(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_134(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_134(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_134(t[20], t[10], m, mp);
+        sp_3072_mont_mul_134(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_134(t[22], t[11], m, mp);
+        sp_3072_mont_mul_134(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_134(t[24], t[12], m, mp);
+        sp_3072_mont_mul_134(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_134(t[26], t[13], m, mp);
+        sp_3072_mont_mul_134(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_134(t[28], t[14], m, mp);
+        sp_3072_mont_mul_134(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_134(t[30], t[15], m, mp);
+        sp_3072_mont_mul_134(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 134) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_3072_mont_sqr_134(rt, rt, m, mp);
+            sp_3072_mont_sqr_134(rt, rt, m, mp);
+            sp_3072_mont_sqr_134(rt, rt, m, mp);
+            sp_3072_mont_sqr_134(rt, rt, m, mp);
+            sp_3072_mont_sqr_134(rt, rt, m, mp);
+
+            sp_3072_mont_mul_134(rt, rt, t[y], m, mp);
+        }
+
+        sp_3072_mont_reduce_134(rt, m, mp);
+        n = sp_3072_cmp_134(rt, m);
+        sp_3072_cond_sub_134(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 23) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 134 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 134 * 2;
+        m = r + 134 * 2;
+        norm = r;
+
+        sp_3072_from_bin(a, 134, in, inLen);
+#if DIGIT_BIT >= 23
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 134, mm);
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_134(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_134(a, a, norm);
+        err = sp_3072_mod_134(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=22; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 134 * 2);
+        for (i--; i>=0; i--) {
+            sp_3072_mont_sqr_134(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_3072_mont_mul_134(r, r, a, m, mp);
+            }
+        }
+        sp_3072_mont_reduce_134(r, m, mp);
+        mp = sp_3072_cmp_134(r, m);
+        sp_3072_cond_sub_134(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[268], md[134], rd[268];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 23) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 134 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 134 * 2;
+        m = r + 134 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 134, in, inLen);
+#if DIGIT_BIT >= 23
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 134, mm);
+
+        if (e[0] == 0x3) {
+            sp_3072_sqr_134(r, a);
+            err = sp_3072_mod_134(r, r, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_134(r, a, r);
+                err = sp_3072_mod_134(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+            sp_3072_mont_norm_134(norm, m);
+
+            sp_3072_mul_134(a, a, norm);
+            err = sp_3072_mod_134(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=22; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 268U);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_134(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_134(r, r, a, m, mp);
+                    }
+                }
+                sp_3072_mont_reduce_134(r, m, mp);
+                mp = sp_3072_cmp_134(r, m);
+                sp_3072_cond_sub_134(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 134 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 134;
+        m = a + 268;
+        r = a;
+
+        sp_3072_from_bin(a, 134, in, inLen);
+        sp_3072_from_mp(d, 134, dm);
+        sp_3072_from_mp(m, 134, mm);
+        err = sp_3072_mod_exp_134(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 134);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[268], d[134], m[134];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 134, in, inLen);
+        sp_3072_from_mp(d, 134, dm);
+        sp_3072_from_mp(m, 134, mm);
+        err = sp_3072_mod_exp_134(r, a, d, 3072, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 134);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 67 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 134 * 2;
+        q = p + 67;
+        qi = dq = dp = q + 67;
+        tmpa = qi + 67;
+        tmpb = tmpa + 134;
+
+        r = t + 134;
+
+        sp_3072_from_bin(a, 134, in, inLen);
+        sp_3072_from_mp(p, 67, pm);
+        sp_3072_from_mp(q, 67, qm);
+        sp_3072_from_mp(dp, 67, dpm);
+        err = sp_3072_mod_exp_67(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 67, dqm);
+        err = sp_3072_mod_exp_67(tmpb, a, dq, 1536, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_3072_sub_67(tmpa, tmpa, tmpb);
+        sp_3072_cond_add_67(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[66] >> 31));
+        sp_3072_cond_add_67(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[66] >> 31));
+
+        sp_3072_from_mp(qi, 67, qim);
+        sp_3072_mul_67(tmpa, tmpa, qi);
+        err = sp_3072_mod_67(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_67(tmpa, q, tmpa);
+        (void)sp_3072_add_134(r, tmpb, tmpa);
+        sp_3072_norm_134(r);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 67 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[134 * 2];
+    sp_digit p[67], q[67], dp[67], dq[67], qi[67];
+    sp_digit tmpa[134], tmpb[134];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 134, in, inLen);
+        sp_3072_from_mp(p, 67, pm);
+        sp_3072_from_mp(q, 67, qm);
+        sp_3072_from_mp(dp, 67, dpm);
+        sp_3072_from_mp(dq, 67, dqm);
+        sp_3072_from_mp(qi, 67, qim);
+
+        err = sp_3072_mod_exp_67(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_3072_mod_exp_67(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_3072_sub_67(tmpa, tmpa, tmpb);
+        sp_3072_cond_add_67(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[66] >> 31));
+        sp_3072_cond_add_67(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[66] >> 31));
+        sp_3072_mul_67(tmpa, tmpa, qi);
+        err = sp_3072_mod_67(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_67(tmpa, tmpa, q);
+        (void)sp_3072_add_134(r, tmpb, tmpa);
+        sp_3072_norm_134(r);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 23
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 134);
+        r->used = 134;
+        mp_clamp(r);
+#elif DIGIT_BIT < 23
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 134; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 23) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 23 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 134; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 23 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 23 - s;
+            }
+            else {
+                s += 23;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 134 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 134 * 2;
+        m = e + 134;
+        r = b;
+
+        sp_3072_from_mp(b, 134, base);
+        sp_3072_from_mp(e, 134, exp);
+        sp_3072_from_mp(m, 134, mod);
+
+        err = sp_3072_mod_exp_134(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[268], ed[134], md[134];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 134 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 134 * 2;
+        m = e + 134;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 134, base);
+        sp_3072_from_mp(e, 134, exp);
+        sp_3072_from_mp(m, 134, mod);
+
+        err = sp_3072_mod_exp_134(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+SP_NOINLINE static void sp_3072_lshift_134(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[134] = a[133] >> (23 - n);
+    for (i=133; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (23 - n))) & 0x7fffff;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[133];
+    r[134] = s >> (23U - n);
+    s = (sp_int_digit)(a[133]); t = (sp_int_digit)(a[132]);
+    r[133] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[132]); t = (sp_int_digit)(a[131]);
+    r[132] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[131]); t = (sp_int_digit)(a[130]);
+    r[131] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[130]); t = (sp_int_digit)(a[129]);
+    r[130] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[129]); t = (sp_int_digit)(a[128]);
+    r[129] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[128]); t = (sp_int_digit)(a[127]);
+    r[128] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[127]); t = (sp_int_digit)(a[126]);
+    r[127] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[126]); t = (sp_int_digit)(a[125]);
+    r[126] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[125]); t = (sp_int_digit)(a[124]);
+    r[125] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[124]); t = (sp_int_digit)(a[123]);
+    r[124] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[123]); t = (sp_int_digit)(a[122]);
+    r[123] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[122]); t = (sp_int_digit)(a[121]);
+    r[122] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[121]); t = (sp_int_digit)(a[120]);
+    r[121] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[120]); t = (sp_int_digit)(a[119]);
+    r[120] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[119]); t = (sp_int_digit)(a[118]);
+    r[119] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[118]); t = (sp_int_digit)(a[117]);
+    r[118] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[117]); t = (sp_int_digit)(a[116]);
+    r[117] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[116]); t = (sp_int_digit)(a[115]);
+    r[116] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[115]); t = (sp_int_digit)(a[114]);
+    r[115] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[114]); t = (sp_int_digit)(a[113]);
+    r[114] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[113]); t = (sp_int_digit)(a[112]);
+    r[113] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[112]); t = (sp_int_digit)(a[111]);
+    r[112] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[111]); t = (sp_int_digit)(a[110]);
+    r[111] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[110]); t = (sp_int_digit)(a[109]);
+    r[110] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[109]); t = (sp_int_digit)(a[108]);
+    r[109] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[108]); t = (sp_int_digit)(a[107]);
+    r[108] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[107]); t = (sp_int_digit)(a[106]);
+    r[107] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[106]); t = (sp_int_digit)(a[105]);
+    r[106] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[105]); t = (sp_int_digit)(a[104]);
+    r[105] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[104]); t = (sp_int_digit)(a[103]);
+    r[104] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[103]); t = (sp_int_digit)(a[102]);
+    r[103] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[102]); t = (sp_int_digit)(a[101]);
+    r[102] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[101]); t = (sp_int_digit)(a[100]);
+    r[101] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[100]); t = (sp_int_digit)(a[99]);
+    r[100] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[99]); t = (sp_int_digit)(a[98]);
+    r[99] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[98]); t = (sp_int_digit)(a[97]);
+    r[98] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[97]); t = (sp_int_digit)(a[96]);
+    r[97] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[96]); t = (sp_int_digit)(a[95]);
+    r[96] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[95]); t = (sp_int_digit)(a[94]);
+    r[95] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[94]); t = (sp_int_digit)(a[93]);
+    r[94] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[93]); t = (sp_int_digit)(a[92]);
+    r[93] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[92]); t = (sp_int_digit)(a[91]);
+    r[92] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[91]); t = (sp_int_digit)(a[90]);
+    r[91] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[90]); t = (sp_int_digit)(a[89]);
+    r[90] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[89]); t = (sp_int_digit)(a[88]);
+    r[89] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[88]); t = (sp_int_digit)(a[87]);
+    r[88] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[87]); t = (sp_int_digit)(a[86]);
+    r[87] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[86]); t = (sp_int_digit)(a[85]);
+    r[86] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[85]); t = (sp_int_digit)(a[84]);
+    r[85] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[84]); t = (sp_int_digit)(a[83]);
+    r[84] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[83]); t = (sp_int_digit)(a[82]);
+    r[83] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[82]); t = (sp_int_digit)(a[81]);
+    r[82] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[81]); t = (sp_int_digit)(a[80]);
+    r[81] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[80]); t = (sp_int_digit)(a[79]);
+    r[80] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[79]); t = (sp_int_digit)(a[78]);
+    r[79] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[78]); t = (sp_int_digit)(a[77]);
+    r[78] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[77]); t = (sp_int_digit)(a[76]);
+    r[77] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[76]); t = (sp_int_digit)(a[75]);
+    r[76] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[75]); t = (sp_int_digit)(a[74]);
+    r[75] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[74]); t = (sp_int_digit)(a[73]);
+    r[74] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[73]); t = (sp_int_digit)(a[72]);
+    r[73] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[72]); t = (sp_int_digit)(a[71]);
+    r[72] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[71]); t = (sp_int_digit)(a[70]);
+    r[71] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[70]); t = (sp_int_digit)(a[69]);
+    r[70] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[69]); t = (sp_int_digit)(a[68]);
+    r[69] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[68]); t = (sp_int_digit)(a[67]);
+    r[68] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[67]); t = (sp_int_digit)(a[66]);
+    r[67] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[66]); t = (sp_int_digit)(a[65]);
+    r[66] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[65]); t = (sp_int_digit)(a[64]);
+    r[65] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[64]); t = (sp_int_digit)(a[63]);
+    r[64] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[63]); t = (sp_int_digit)(a[62]);
+    r[63] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[62]); t = (sp_int_digit)(a[61]);
+    r[62] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[61]); t = (sp_int_digit)(a[60]);
+    r[61] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[60]); t = (sp_int_digit)(a[59]);
+    r[60] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[59]); t = (sp_int_digit)(a[58]);
+    r[59] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[58]); t = (sp_int_digit)(a[57]);
+    r[58] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[57]); t = (sp_int_digit)(a[56]);
+    r[57] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[56]); t = (sp_int_digit)(a[55]);
+    r[56] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[55]); t = (sp_int_digit)(a[54]);
+    r[55] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[54]); t = (sp_int_digit)(a[53]);
+    r[54] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
+    r[53] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
+    r[52] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
+    r[51] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
+    r[50] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
+    r[49] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
+    r[48] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
+    r[47] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
+    r[46] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
+    r[45] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
+    r[44] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
+    r[43] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
+    r[42] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
+    r[41] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
+    r[40] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
+    r[39] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
+    r[38] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
+    r[37] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
+    r[36] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (23U - n))) & 0x7fffff;
+#endif
+    r[0] = (a[0] << n) & 0x7fffff;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_134(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[268];
+    sp_digit td[135];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 403, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 268;
+        XMEMSET(td, 0, sizeof(sp_digit) * 403);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_134(norm, m);
+
+        bits = ((bits + 3) / 4) * 4;
+        i = ((bits + 22) / 23) - 1;
+        c = bits % 23;
+        if (c == 0) {
+            c = 23;
+        }
+        if (i < 134) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 4) {
+            n |= e[i--] << (9 - c);
+            c += 23;
+        }
+        y = (n >> 28) & 0xf;
+        n <<= 4;
+        c -= 4;
+        sp_3072_lshift_134(r, norm, y);
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= e[i--] << (9 - c);
+                c += 23;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_3072_mont_sqr_134(r, r, m, mp);
+            sp_3072_mont_sqr_134(r, r, m, mp);
+            sp_3072_mont_sqr_134(r, r, m, mp);
+            sp_3072_mont_sqr_134(r, r, m, mp);
+
+            sp_3072_lshift_134(r, r, y);
+            sp_3072_mul_d_134(tmp, norm, (r[134] << 10) + (r[133] >> 13));
+            r[134] = 0;
+            r[133] &= 0x1fffL;
+            (void)sp_3072_add_134(r, r, tmp);
+            sp_3072_norm_134(r);
+            o = sp_3072_cmp_134(r, m);
+            sp_3072_cond_sub_134(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_3072_mont_reduce_134(r, m, mp);
+        n = sp_3072_cmp_134(r, m);
+        sp_3072_cond_sub_134(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 134 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 134 * 2;
+        m = e + 134;
+        r = b;
+
+        sp_3072_from_mp(b, 134, base);
+        sp_3072_from_bin(e, 134, exp, expLen);
+        sp_3072_from_mp(m, 134, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 &&
+                ((m[133] << 3) | (m[132] >> 20)) == 0xffffL) {
+            err = sp_3072_mod_exp_2_134(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_3072_mod_exp_134(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[268], ed[134], md[134];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 134 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 134 * 2;
+        m = e + 134;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 134, base);
+        sp_3072_from_bin(e, 134, exp, expLen);
+        sp_3072_from_mp(m, 134, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2U &&
+                ((m[133] << 3) | (m[132] >> 20)) == 0xffffL) {
+            err = sp_3072_mod_exp_2_134(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_3072_mod_exp_134(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_3072
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 134U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 67 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 67 * 2;
+        m = e + 67;
+        r = b;
+
+        sp_3072_from_mp(b, 67, base);
+        sp_3072_from_mp(e, 67, exp);
+        sp_3072_from_mp(m, 67, mod);
+
+        err = sp_3072_mod_exp_67(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 67, 0, sizeof(*r) * 67U);
+        err = sp_3072_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 67U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[134], ed[67], md[67];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 67 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 67 * 2;
+        m = e + 67;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 67, base);
+        sp_3072_from_mp(e, 67, exp);
+        sp_3072_from_mp(m, 67, mod);
+
+        err = sp_3072_mod_exp_67(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 67, 0, sizeof(*r) * 67U);
+        err = sp_3072_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 67U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 67U);
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 13U) {
+            r[j] &= 0x1fffff;
+            s = 21U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 21
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 21
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x1fffff;
+        s = 21U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 21U) <= (word32)DIGIT_BIT) {
+            s += 21U;
+            r[j] &= 0x1fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 21) {
+            r[j] &= 0x1fffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 21 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<195; i++) {
+        r[i+1] += r[i] >> 21;
+        r[i] &= 0x1fffff;
+    }
+    j = 4096 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<196 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 21) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 21);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_49(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j;
+    int64_t t[98];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<49; i++) {
+        for (j=0; j<49; j++) {
+            t[i+j] += ((int64_t)a[i]) * b[j];
+        }
+    }
+    for (i=0; i<97; i++) {
+        r[i] = t[i] & 0x1fffff;
+        t[i+1] += t[i] >> 21;
+    }
+    r[97] = (sp_digit)t[97];
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_49(sp_digit* r, const sp_digit* a)
+{
+    int i, j;
+    int64_t t[98];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<49; i++) {
+        for (j=0; j<i; j++) {
+            t[i+j] += (((int64_t)a[i]) * a[j]) * 2;
+        }
+        t[i+i] += ((int64_t)a[i]) * a[i];
+    }
+    for (i=0; i<97; i++) {
+        r[i] = t[i] & 0x1fffff;
+        t[i+1] += t[i] >> 21;
+    }
+    r[97] = (sp_digit)t[97];
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_49(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[48] = a[48] + b[48];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[96] = a[96] + b[96];
+    r[97] = a[97] + b[97];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[96] = a[96] - b[96];
+    r[97] = a[97] - b[97];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_98(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[98];
+    sp_digit* a1 = z1;
+    sp_digit b1[49];
+    sp_digit* z2 = r + 98;
+    (void)sp_4096_add_49(a1, a, &a[49]);
+    (void)sp_4096_add_49(b1, b, &b[49]);
+    sp_4096_mul_49(z2, &a[49], &b[49]);
+    sp_4096_mul_49(z0, a, b);
+    sp_4096_mul_49(z1, a1, b1);
+    (void)sp_4096_sub_98(z1, z1, z2);
+    (void)sp_4096_sub_98(z1, z1, z0);
+    (void)sp_4096_add_98(r + 49, r + 49, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_98(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[98];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 98;
+    (void)sp_4096_add_49(a1, a, &a[49]);
+    sp_4096_sqr_49(z2, &a[49]);
+    sp_4096_sqr_49(z0, a);
+    sp_4096_sqr_49(z1, a1);
+    (void)sp_4096_sub_98(z1, z1, z2);
+    (void)sp_4096_sub_98(z1, z1, z0);
+    (void)sp_4096_add_98(r + 49, r + 49, z1);
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[192] = a[192] + b[192];
+    r[193] = a[193] + b[193];
+    r[194] = a[194] + b[194];
+    r[195] = a[195] + b[195];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[192] = a[192] - b[192];
+    r[193] = a[193] - b[193];
+    r[194] = a[194] - b[194];
+    r[195] = a[195] - b[195];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_196(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[196];
+    sp_digit* a1 = z1;
+    sp_digit b1[98];
+    sp_digit* z2 = r + 196;
+    (void)sp_4096_add_98(a1, a, &a[98]);
+    (void)sp_4096_add_98(b1, b, &b[98]);
+    sp_4096_mul_98(z2, &a[98], &b[98]);
+    sp_4096_mul_98(z0, a, b);
+    sp_4096_mul_98(z1, a1, b1);
+    (void)sp_4096_sub_196(z1, z1, z2);
+    (void)sp_4096_sub_196(z1, z1, z0);
+    (void)sp_4096_add_196(r + 98, r + 98, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_196(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[196];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 196;
+    (void)sp_4096_add_98(a1, a, &a[98]);
+    sp_4096_sqr_98(z2, &a[98]);
+    sp_4096_sqr_98(z0, a);
+    sp_4096_sqr_98(z1, a1);
+    (void)sp_4096_sub_196(z1, z1, z2);
+    (void)sp_4096_sub_196(z1, z1, z0);
+    (void)sp_4096_add_196(r + 98, r + 98, z1);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_196(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[195]) * b[195];
+    r[391] = (sp_digit)(c >> 21);
+    c = (c & 0x1fffff) << 21;
+    for (k = 389; k >= 0; k--) {
+        for (i = 195; i >= 0; i--) {
+            j = k - i;
+            if (j >= 196) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 42;
+        r[k + 1] = (c >> 21) & 0x1fffff;
+        c = (c & 0x1fffff) << 21;
+    }
+    r[0] = (sp_digit)(c >> 21);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_196(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[195]) * a[195];
+    r[391] = (sp_digit)(c >> 21);
+    c = (c & 0x1fffff) << 21;
+    for (k = 389; k >= 0; k--) {
+        for (i = 195; i >= 0; i--) {
+            j = k - i;
+            if (j >= 196 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 42;
+        r[k + 1] = (c >> 21) & 0x1fffff;
+        c = (c & 0x1fffff) << 21;
+    }
+    r[0] = (sp_digit)(c >> 21);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_98(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[97]) * b[97];
+    r[195] = (sp_digit)(c >> 21);
+    c = (c & 0x1fffff) << 21;
+    for (k = 193; k >= 0; k--) {
+        for (i = 97; i >= 0; i--) {
+            j = k - i;
+            if (j >= 98) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 42;
+        r[k + 1] = (c >> 21) & 0x1fffff;
+        c = (c & 0x1fffff) << 21;
+    }
+    r[0] = (sp_digit)(c >> 21);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_98(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[97]) * a[97];
+    r[195] = (sp_digit)(c >> 21);
+    c = (c & 0x1fffff) << 21;
+    for (k = 193; k >= 0; k--) {
+        for (i = 97; i >= 0; i--) {
+            j = k - i;
+            if (j >= 98 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 42;
+        r[k + 1] = (c >> 21) & 0x1fffff;
+        c = (c & 0x1fffff) << 21;
+    }
+    r[0] = (sp_digit)(c >> 21);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* WOLFSSL_HAVE_SP_RSA && !SP_RSA_PRIVATE_EXP_D */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x &= 0x1fffff;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 21) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_196(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffff;
+        t >>= 21;
+    }
+    r[196] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffff;
+    for (i = 0; i < 192; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 21) + (t[1] & 0x1fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 21) + (t[2] & 0x1fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 21) + (t[3] & 0x1fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 21) + (t[4] & 0x1fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 21) + (t[5] & 0x1fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 21) + (t[6] & 0x1fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 21) + (t[7] & 0x1fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 21) + (t[0] & 0x1fffff);
+    }
+    t[1] = tb * a[193];
+    r[193] = (sp_digit)(t[0] >> 21) + (t[1] & 0x1fffff);
+    t[2] = tb * a[194];
+    r[194] = (sp_digit)(t[1] >> 21) + (t[2] & 0x1fffff);
+    t[3] = tb * a[195];
+    r[195] = (sp_digit)(t[2] >> 21) + (t[3] & 0x1fffff);
+    r[196] =  (sp_digit)(t[3] >> 21);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_98(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<97; i++) {
+        r[i] = 0x1fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = 0x1fffff;
+        r[i + 1] = 0x1fffff;
+        r[i + 2] = 0x1fffff;
+        r[i + 3] = 0x1fffff;
+        r[i + 4] = 0x1fffff;
+        r[i + 5] = 0x1fffff;
+        r[i + 6] = 0x1fffff;
+        r[i + 7] = 0x1fffff;
+    }
+    r[96] = 0x1fffff;
+#endif
+    r[97] = 0x7ffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_4096_sub_98(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_4096_cmp_98(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=97; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[97] - b[97]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[96] - b[96]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 88; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_sub_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[96] = a[96] - (b[96] & m);
+    r[97] = a[97] - (b[97] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_add_98(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1fffff;
+        t >>= 21;
+    }
+    r[98] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffff);
+    for (i = 0; i < 96; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 21) + (t[1] & 0x1fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 21) + (t[2] & 0x1fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 21) + (t[3] & 0x1fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 21) + (t[4] & 0x1fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 21) + (t[5] & 0x1fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 21) + (t[6] & 0x1fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 21) + (t[7] & 0x1fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 21) + (t[0] & 0x1fffff));
+    }
+    t[1] = tb * a[97]; r[97] += (sp_digit)((t[0] >> 21) + (t[1] & 0x1fffff));
+    r[98] +=  (sp_digit)(t[1] >> 21);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 21.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_4096_norm_98(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 97; i++) {
+        a[i+1] += a[i] >> 21;
+        a[i] &= 0x1fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 96; i += 8) {
+        a[i+1] += a[i+0] >> 21; a[i+0] &= 0x1fffff;
+        a[i+2] += a[i+1] >> 21; a[i+1] &= 0x1fffff;
+        a[i+3] += a[i+2] >> 21; a[i+2] &= 0x1fffff;
+        a[i+4] += a[i+3] >> 21; a[i+3] &= 0x1fffff;
+        a[i+5] += a[i+4] >> 21; a[i+4] &= 0x1fffff;
+        a[i+6] += a[i+5] >> 21; a[i+5] &= 0x1fffff;
+        a[i+7] += a[i+6] >> 21; a[i+6] &= 0x1fffff;
+        a[i+8] += a[i+7] >> 21; a[i+7] &= 0x1fffff;
+        a[i+9] += a[i+8] >> 21; a[i+8] &= 0x1fffff;
+    }
+    a[96+1] += a[96] >> 21;
+    a[96] &= 0x1fffff;
+#endif
+}
+
+/* Shift the result in the high 2048 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_4096_mont_shift_98(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[97] >> 11;
+    n += ((int64_t)a[98]) << 10;
+
+    for (i = 0; i < 97; i++) {
+        r[i] = n & 0x1fffff;
+        n >>= 21;
+        n += ((int64_t)a[99 + i]) << 10;
+    }
+    r[97] = (sp_digit)n;
+#else
+    int i;
+    int64_t n = a[97] >> 11;
+    n += ((int64_t)a[98]) << 10;
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 99]) << 10;
+        r[i + 1] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 100]) << 10;
+        r[i + 2] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 101]) << 10;
+        r[i + 3] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 102]) << 10;
+        r[i + 4] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 103]) << 10;
+        r[i + 5] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 104]) << 10;
+        r[i + 6] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 105]) << 10;
+        r[i + 7] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 106]) << 10;
+    }
+    r[96] = n & 0x1fffff; n >>= 21; n += ((int64_t)a[195]) << 10;
+    r[97] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[98], 0, sizeof(*r) * 98U);
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_4096_mont_reduce_98(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_4096_norm_98(a + 98);
+
+    for (i=0; i<97; i++) {
+        mu = (a[i] * mp) & 0x1fffff;
+        sp_4096_mul_add_98(a+i, m, mu);
+        a[i+1] += a[i] >> 21;
+    }
+    mu = (a[i] * mp) & 0x7ffL;
+    sp_4096_mul_add_98(a+i, m, mu);
+    a[i+1] += a[i] >> 21;
+    a[i] &= 0x1fffff;
+
+    sp_4096_mont_shift_98(a, a);
+    sp_4096_cond_sub_98(a, a, m, 0 - (((a[97] >> 11) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_4096_norm_98(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_98(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_98(r, a, b);
+    sp_4096_mont_reduce_98(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_98(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_98(r, a);
+    sp_4096_mont_reduce_98(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_98(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffff;
+        t >>= 21;
+    }
+    r[98] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffff;
+    for (i = 0; i < 96; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 21) + (t[1] & 0x1fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 21) + (t[2] & 0x1fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 21) + (t[3] & 0x1fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 21) + (t[4] & 0x1fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 21) + (t[5] & 0x1fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 21) + (t[6] & 0x1fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 21) + (t[7] & 0x1fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 21) + (t[0] & 0x1fffff);
+    }
+    t[1] = tb * a[97];
+    r[97] = (sp_digit)(t[0] >> 21) + (t[1] & 0x1fffff);
+    r[98] =  (sp_digit)(t[1] >> 21);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_add_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[96] = a[96] + (b[96] & m);
+    r[97] = a[97] + (b[97] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_98(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 98; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_4096_rshift_98(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<97; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (21 - n))) & 0x1fffff;
+    }
+#else
+    for (i=0; i<96; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (21 - n))) & 0x1fffff;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (21 - n))) & 0x1fffff;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (21 - n))) & 0x1fffff;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (21 - n))) & 0x1fffff;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (21 - n))) & 0x1fffff;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (21 - n))) & 0x1fffff;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (21 - n))) & 0x1fffff;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (21 - n))) & 0x1fffff;
+    }
+    r[96] = ((a[96] >> n) | (a[97] << (21 - n))) & 0x1fffff;
+#endif
+    r[97] = a[97] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_4096_div_word_98(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 21 bits from d1 and top 10 bits from d0. */
+    d = (d1 << 10) | (d0 >> 11);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 11 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 1) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Remaining 1 bits from d0. */
+    r <<= 1;
+    d <<= 1;
+    d |= d0 & ((1 << 1) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_div_98(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[196 + 1], t2d[98 + 1], sdd[98 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 98 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 196 + 1;
+        sd = t2 + 98 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_4096_mul_d_98(sd, d, 1L << 10);
+        sp_4096_mul_d_196(t1, a, 1L << 10);
+        dv = sd[97];
+        for (i=98; i>=0; i--) {
+            t1[98 + i] += t1[98 + i - 1] >> 21;
+            t1[98 + i - 1] &= 0x1fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[98 + i];
+            d1 <<= 21;
+            d1 += t1[98 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_4096_div_word_98(t1[98 + i], t1[98 + i - 1], dv);
+#endif
+
+            sp_4096_mul_d_98(t2, sd, r1);
+            (void)sp_4096_sub_98(&t1[i], &t1[i], t2);
+            t1[98 + i] -= t2[98];
+            t1[98 + i] += t1[98 + i - 1] >> 21;
+            t1[98 + i - 1] &= 0x1fffff;
+            r1 = (((-t1[98 + i]) << 21) - t1[98 + i - 1]) / dv;
+            r1 -= t1[98 + i];
+            sp_4096_mul_d_98(t2, sd, r1);
+            (void)sp_4096_add_98(&t1[i], &t1[i], t2);
+            t1[98 + i] += t1[98 + i - 1] >> 21;
+            t1[98 + i - 1] &= 0x1fffff;
+        }
+        t1[98 - 1] += t1[98 - 2] >> 21;
+        t1[98 - 2] &= 0x1fffff;
+        r1 = t1[98 - 1] / dv;
+
+        sp_4096_mul_d_98(t2, sd, r1);
+        sp_4096_sub_98(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 98U);
+        for (i=0; i<96; i++) {
+            r[i+1] += r[i] >> 21;
+            r[i] &= 0x1fffff;
+        }
+        sp_4096_cond_add_98(r, r, sd, 0 - ((r[97] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_4096_norm_98(r);
+        sp_4096_rshift_98(r, r, 10);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_mod_98(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_98(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_98(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 98 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 98U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[98 * 2];
+        t[2] = &td[2 * 98 * 2];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_98(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_98(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 98U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_98(t[1], t[1], norm);
+        err = sp_4096_mod_98(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 21;
+        c = bits % 21;
+        n = e[i--] << (21 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 21;
+            }
+
+            y = (n >> 20) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_98(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 98 * 2);
+            sp_4096_mont_sqr_98(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 98 * 2);
+        }
+
+        sp_4096_mont_reduce_98(t[0], m, mp);
+        n = sp_4096_cmp_98(t[0], m);
+        sp_4096_cond_sub_98(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 98 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][196];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 98 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[98 * 2];
+        t[2] = &td[2 * 98 * 2];
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_98(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_98(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_98(t[1], t[1], norm);
+                err = sp_4096_mod_98(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_98(t[1], a, norm);
+            err = sp_4096_mod_98(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 21;
+        c = bits % 21;
+        n = e[i--] << (21 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 21;
+            }
+
+            y = (n >> 20) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_98(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_4096_mont_sqr_98(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_4096_mont_reduce_98(t[0], m, mp);
+        n = sp_4096_cmp_98(t[0], m);
+        sp_4096_cond_sub_98(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][196];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[196];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 196, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 196;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_98(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_98(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_98(t[1], t[1], norm);
+                err = sp_4096_mod_98(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_98(t[1], a, norm);
+            err = sp_4096_mod_98(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_98(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_98(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_98(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_98(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_98(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_98(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_98(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_98(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_98(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_98(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_98(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_98(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_98(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_98(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_98(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_98(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_98(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_98(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_98(t[20], t[10], m, mp);
+        sp_4096_mont_mul_98(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_98(t[22], t[11], m, mp);
+        sp_4096_mont_mul_98(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_98(t[24], t[12], m, mp);
+        sp_4096_mont_mul_98(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_98(t[26], t[13], m, mp);
+        sp_4096_mont_mul_98(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_98(t[28], t[14], m, mp);
+        sp_4096_mont_mul_98(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_98(t[30], t[15], m, mp);
+        sp_4096_mont_mul_98(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 20) / 21) - 1;
+        c = bits % 21;
+        if (c == 0) {
+            c = 21;
+        }
+        if (i < 98) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (11 - c);
+            c += 21;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (11 - c);
+                c += 21;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_4096_mont_sqr_98(rt, rt, m, mp);
+            sp_4096_mont_sqr_98(rt, rt, m, mp);
+            sp_4096_mont_sqr_98(rt, rt, m, mp);
+            sp_4096_mont_sqr_98(rt, rt, m, mp);
+            sp_4096_mont_sqr_98(rt, rt, m, mp);
+
+            sp_4096_mont_mul_98(rt, rt, t[y], m, mp);
+        }
+
+        sp_4096_mont_reduce_98(rt, m, mp);
+        n = sp_4096_cmp_98(rt, m);
+        sp_4096_cond_sub_98(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA && !SP_RSA_PRIVATE_EXP_D */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_196(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<195; i++) {
+        r[i] = 0x1fffff;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = 0x1fffff;
+        r[i + 1] = 0x1fffff;
+        r[i + 2] = 0x1fffff;
+        r[i + 3] = 0x1fffff;
+        r[i + 4] = 0x1fffff;
+        r[i + 5] = 0x1fffff;
+        r[i + 6] = 0x1fffff;
+        r[i + 7] = 0x1fffff;
+    }
+    r[192] = 0x1fffff;
+    r[193] = 0x1fffff;
+    r[194] = 0x1fffff;
+#endif
+    r[195] = 0x1L;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_4096_sub_196(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_4096_cmp_196(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=195; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[195] - b[195]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[194] - b[194]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[193] - b[193]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[192] - b[192]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 184; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_sub_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[192] = a[192] - (b[192] & m);
+    r[193] = a[193] - (b[193] & m);
+    r[194] = a[194] - (b[194] & m);
+    r[195] = a[195] - (b[195] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_add_196(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1fffff;
+        t >>= 21;
+    }
+    r[196] += t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffff);
+    for (i = 0; i < 192; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 21) + (t[1] & 0x1fffff));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 21) + (t[2] & 0x1fffff));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 21) + (t[3] & 0x1fffff));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 21) + (t[4] & 0x1fffff));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 21) + (t[5] & 0x1fffff));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 21) + (t[6] & 0x1fffff));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 21) + (t[7] & 0x1fffff));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 21) + (t[0] & 0x1fffff));
+    }
+    t[1] = tb * a[193]; r[193] += (sp_digit)((t[0] >> 21) + (t[1] & 0x1fffff));
+    t[2] = tb * a[194]; r[194] += (sp_digit)((t[1] >> 21) + (t[2] & 0x1fffff));
+    t[3] = tb * a[195]; r[195] += (sp_digit)((t[2] >> 21) + (t[3] & 0x1fffff));
+    r[196] +=  (sp_digit)(t[3] >> 21);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 21.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_4096_norm_196(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 195; i++) {
+        a[i+1] += a[i] >> 21;
+        a[i] &= 0x1fffff;
+    }
+#else
+    int i;
+    for (i = 0; i < 192; i += 8) {
+        a[i+1] += a[i+0] >> 21; a[i+0] &= 0x1fffff;
+        a[i+2] += a[i+1] >> 21; a[i+1] &= 0x1fffff;
+        a[i+3] += a[i+2] >> 21; a[i+2] &= 0x1fffff;
+        a[i+4] += a[i+3] >> 21; a[i+3] &= 0x1fffff;
+        a[i+5] += a[i+4] >> 21; a[i+4] &= 0x1fffff;
+        a[i+6] += a[i+5] >> 21; a[i+5] &= 0x1fffff;
+        a[i+7] += a[i+6] >> 21; a[i+6] &= 0x1fffff;
+        a[i+8] += a[i+7] >> 21; a[i+7] &= 0x1fffff;
+        a[i+9] += a[i+8] >> 21; a[i+8] &= 0x1fffff;
+    }
+    a[192+1] += a[192] >> 21;
+    a[192] &= 0x1fffff;
+    a[193+1] += a[193] >> 21;
+    a[193] &= 0x1fffff;
+    a[194+1] += a[194] >> 21;
+    a[194] &= 0x1fffff;
+#endif
+}
+
+/* Shift the result in the high 4096 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_4096_mont_shift_196(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[195] >> 1;
+    n += ((int64_t)a[196]) << 20;
+
+    for (i = 0; i < 195; i++) {
+        r[i] = n & 0x1fffff;
+        n >>= 21;
+        n += ((int64_t)a[197 + i]) << 20;
+    }
+    r[195] = (sp_digit)n;
+#else
+    int i;
+    int64_t n = a[195] >> 1;
+    n += ((int64_t)a[196]) << 20;
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 197]) << 20;
+        r[i + 1] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 198]) << 20;
+        r[i + 2] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 199]) << 20;
+        r[i + 3] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 200]) << 20;
+        r[i + 4] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 201]) << 20;
+        r[i + 5] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 202]) << 20;
+        r[i + 6] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 203]) << 20;
+        r[i + 7] = n & 0x1fffff;
+        n >>= 21; n += ((int64_t)a[i + 204]) << 20;
+    }
+    r[192] = n & 0x1fffff; n >>= 21; n += ((int64_t)a[389]) << 20;
+    r[193] = n & 0x1fffff; n >>= 21; n += ((int64_t)a[390]) << 20;
+    r[194] = n & 0x1fffff; n >>= 21; n += ((int64_t)a[391]) << 20;
+    r[195] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[196], 0, sizeof(*r) * 196U);
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_4096_mont_reduce_196(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_4096_norm_196(a + 196);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<195; i++) {
+            mu = (a[i] * mp) & 0x1fffff;
+            sp_4096_mul_add_196(a+i, m, mu);
+            a[i+1] += a[i] >> 21;
+        }
+        mu = (a[i] * mp) & 0x1L;
+        sp_4096_mul_add_196(a+i, m, mu);
+        a[i+1] += a[i] >> 21;
+        a[i] &= 0x1fffff;
+    }
+    else {
+        for (i=0; i<195; i++) {
+            mu = a[i] & 0x1fffff;
+            sp_4096_mul_add_196(a+i, m, mu);
+            a[i+1] += a[i] >> 21;
+        }
+        mu = a[i] & 0x1L;
+        sp_4096_mul_add_196(a+i, m, mu);
+        a[i+1] += a[i] >> 21;
+        a[i] &= 0x1fffff;
+    }
+#else
+    for (i=0; i<195; i++) {
+        mu = (a[i] * mp) & 0x1fffff;
+        sp_4096_mul_add_196(a+i, m, mu);
+        a[i+1] += a[i] >> 21;
+    }
+    mu = (a[i] * mp) & 0x1L;
+    sp_4096_mul_add_196(a+i, m, mu);
+    a[i+1] += a[i] >> 21;
+    a[i] &= 0x1fffff;
+#endif
+
+    sp_4096_mont_shift_196(a, a);
+    sp_4096_cond_sub_196(a, a, m, 0 - (((a[195] >> 1) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_4096_norm_196(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_196(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_196(r, a, b);
+    sp_4096_mont_reduce_196(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_196(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_196(r, a);
+    sp_4096_mont_reduce_196(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_392(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 392; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffff;
+        t >>= 21;
+    }
+    r[392] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffff;
+    for (i = 0; i < 392; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 21) + (t[1] & 0x1fffff);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 21) + (t[2] & 0x1fffff);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 21) + (t[3] & 0x1fffff);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 21) + (t[4] & 0x1fffff);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 21) + (t[5] & 0x1fffff);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 21) + (t[6] & 0x1fffff);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 21) + (t[7] & 0x1fffff);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 21) + (t[0] & 0x1fffff);
+    }
+    r[392] =  (sp_digit)(t[7] >> 21);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_add_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 192; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[192] = a[192] + (b[192] & m);
+    r[193] = a[193] + (b[193] & m);
+    r[194] = a[194] + (b[194] & m);
+    r[195] = a[195] + (b[195] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_196(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 196; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_4096_rshift_196(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<195; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (21 - n))) & 0x1fffff;
+    }
+#else
+    for (i=0; i<192; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (21 - n))) & 0x1fffff;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (21 - n))) & 0x1fffff;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (21 - n))) & 0x1fffff;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (21 - n))) & 0x1fffff;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (21 - n))) & 0x1fffff;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (21 - n))) & 0x1fffff;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (21 - n))) & 0x1fffff;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (21 - n))) & 0x1fffff;
+    }
+    r[192] = ((a[192] >> n) | (a[193] << (21 - n))) & 0x1fffff;
+    r[193] = ((a[193] >> n) | (a[194] << (21 - n))) & 0x1fffff;
+    r[194] = ((a[194] >> n) | (a[195] << (21 - n))) & 0x1fffff;
+#endif
+    r[195] = a[195] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_4096_div_word_196(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 21 bits from d1 and top 10 bits from d0. */
+    d = (d1 << 10) | (d0 >> 11);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 11 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 1) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Remaining 1 bits from d0. */
+    r <<= 1;
+    d <<= 1;
+    d |= d0 & ((1 << 1) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_div_196(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[392 + 1], t2d[196 + 1], sdd[196 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 196 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 392 + 1;
+        sd = t2 + 196 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_4096_mul_d_196(sd, d, 1L << 20);
+        sp_4096_mul_d_392(t1, a, 1L << 20);
+        dv = sd[195];
+        for (i=196; i>=0; i--) {
+            t1[196 + i] += t1[196 + i - 1] >> 21;
+            t1[196 + i - 1] &= 0x1fffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[196 + i];
+            d1 <<= 21;
+            d1 += t1[196 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_4096_div_word_196(t1[196 + i], t1[196 + i - 1], dv);
+#endif
+
+            sp_4096_mul_d_196(t2, sd, r1);
+            (void)sp_4096_sub_196(&t1[i], &t1[i], t2);
+            t1[196 + i] -= t2[196];
+            t1[196 + i] += t1[196 + i - 1] >> 21;
+            t1[196 + i - 1] &= 0x1fffff;
+            r1 = (((-t1[196 + i]) << 21) - t1[196 + i - 1]) / dv;
+            r1 -= t1[196 + i];
+            sp_4096_mul_d_196(t2, sd, r1);
+            (void)sp_4096_add_196(&t1[i], &t1[i], t2);
+            t1[196 + i] += t1[196 + i - 1] >> 21;
+            t1[196 + i - 1] &= 0x1fffff;
+        }
+        t1[196 - 1] += t1[196 - 2] >> 21;
+        t1[196 - 2] &= 0x1fffff;
+        r1 = t1[196 - 1] / dv;
+
+        sp_4096_mul_d_196(t2, sd, r1);
+        sp_4096_sub_196(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 196U);
+        for (i=0; i<194; i++) {
+            r[i+1] += r[i] >> 21;
+            r[i] &= 0x1fffff;
+        }
+        sp_4096_cond_add_196(r, r, sd, 0 - ((r[195] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_4096_norm_196(r);
+        sp_4096_rshift_196(r, r, 20);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_mod_196(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_196(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_196(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 196 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 196U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[196 * 2];
+        t[2] = &td[2 * 196 * 2];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_196(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_196(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 196U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_196(t[1], t[1], norm);
+        err = sp_4096_mod_196(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 21;
+        c = bits % 21;
+        n = e[i--] << (21 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 21;
+            }
+
+            y = (n >> 20) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_196(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 196 * 2);
+            sp_4096_mont_sqr_196(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 196 * 2);
+        }
+
+        sp_4096_mont_reduce_196(t[0], m, mp);
+        n = sp_4096_cmp_196(t[0], m);
+        sp_4096_cond_sub_196(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 196 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][392];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 196 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[196 * 2];
+        t[2] = &td[2 * 196 * 2];
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_196(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_196(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_196(t[1], t[1], norm);
+                err = sp_4096_mod_196(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_196(t[1], a, norm);
+            err = sp_4096_mod_196(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 21;
+        c = bits % 21;
+        n = e[i--] << (21 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 21;
+            }
+
+            y = (n >> 20) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_196(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_4096_mont_sqr_196(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_4096_mont_reduce_196(t[0], m, mp);
+        n = sp_4096_cmp_196(t[0], m);
+        sp_4096_cond_sub_196(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][392];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[392];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 392, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 392;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_196(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_196(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_196(t[1], t[1], norm);
+                err = sp_4096_mod_196(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_196(t[1], a, norm);
+            err = sp_4096_mod_196(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_196(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_196(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_196(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_196(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_196(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_196(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_196(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_196(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_196(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_196(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_196(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_196(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_196(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_196(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_196(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_196(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_196(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_196(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_196(t[20], t[10], m, mp);
+        sp_4096_mont_mul_196(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_196(t[22], t[11], m, mp);
+        sp_4096_mont_mul_196(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_196(t[24], t[12], m, mp);
+        sp_4096_mont_mul_196(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_196(t[26], t[13], m, mp);
+        sp_4096_mont_mul_196(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_196(t[28], t[14], m, mp);
+        sp_4096_mont_mul_196(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_196(t[30], t[15], m, mp);
+        sp_4096_mont_mul_196(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 20) / 21) - 1;
+        c = bits % 21;
+        if (c == 0) {
+            c = 21;
+        }
+        if (i < 196) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (11 - c);
+            c += 21;
+        }
+        y = (n >> 27) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (11 - c);
+                c += 21;
+            }
+            y = (n >> 27) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_4096_mont_sqr_196(rt, rt, m, mp);
+            sp_4096_mont_sqr_196(rt, rt, m, mp);
+            sp_4096_mont_sqr_196(rt, rt, m, mp);
+            sp_4096_mont_sqr_196(rt, rt, m, mp);
+            sp_4096_mont_sqr_196(rt, rt, m, mp);
+
+            sp_4096_mont_mul_196(rt, rt, t[y], m, mp);
+        }
+
+        sp_4096_mont_reduce_196(rt, m, mp);
+        n = sp_4096_cmp_196(rt, m);
+        sp_4096_cond_sub_196(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 21) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 196 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 196 * 2;
+        m = r + 196 * 2;
+        norm = r;
+
+        sp_4096_from_bin(a, 196, in, inLen);
+#if DIGIT_BIT >= 21
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 196, mm);
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_196(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_196(a, a, norm);
+        err = sp_4096_mod_196(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=20; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 196 * 2);
+        for (i--; i>=0; i--) {
+            sp_4096_mont_sqr_196(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_4096_mont_mul_196(r, r, a, m, mp);
+            }
+        }
+        sp_4096_mont_reduce_196(r, m, mp);
+        mp = sp_4096_cmp_196(r, m);
+        sp_4096_cond_sub_196(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[392], md[196], rd[392];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 21) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 196 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 196 * 2;
+        m = r + 196 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 196, in, inLen);
+#if DIGIT_BIT >= 21
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 196, mm);
+
+        if (e[0] == 0x3) {
+            sp_4096_sqr_196(r, a);
+            err = sp_4096_mod_196(r, r, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_196(r, a, r);
+                err = sp_4096_mod_196(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+            sp_4096_mont_norm_196(norm, m);
+
+            sp_4096_mul_196(a, a, norm);
+            err = sp_4096_mod_196(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=20; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 392U);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_196(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_196(r, r, a, m, mp);
+                    }
+                }
+                sp_4096_mont_reduce_196(r, m, mp);
+                mp = sp_4096_cmp_196(r, m);
+                sp_4096_cond_sub_196(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 196 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 196;
+        m = a + 392;
+        r = a;
+
+        sp_4096_from_bin(a, 196, in, inLen);
+        sp_4096_from_mp(d, 196, dm);
+        sp_4096_from_mp(m, 196, mm);
+        err = sp_4096_mod_exp_196(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 196);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[392], d[196], m[196];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 196, in, inLen);
+        sp_4096_from_mp(d, 196, dm);
+        sp_4096_from_mp(m, 196, mm);
+        err = sp_4096_mod_exp_196(r, a, d, 4096, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 196);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 98 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 196 * 2;
+        q = p + 98;
+        qi = dq = dp = q + 98;
+        tmpa = qi + 98;
+        tmpb = tmpa + 196;
+
+        r = t + 196;
+
+        sp_4096_from_bin(a, 196, in, inLen);
+        sp_4096_from_mp(p, 98, pm);
+        sp_4096_from_mp(q, 98, qm);
+        sp_4096_from_mp(dp, 98, dpm);
+        err = sp_4096_mod_exp_98(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 98, dqm);
+        err = sp_4096_mod_exp_98(tmpb, a, dq, 2048, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_4096_sub_98(tmpa, tmpa, tmpb);
+        sp_4096_cond_add_98(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[97] >> 31));
+        sp_4096_cond_add_98(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[97] >> 31));
+
+        sp_4096_from_mp(qi, 98, qim);
+        sp_4096_mul_98(tmpa, tmpa, qi);
+        err = sp_4096_mod_98(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mul_98(tmpa, q, tmpa);
+        (void)sp_4096_add_196(r, tmpb, tmpa);
+        sp_4096_norm_196(r);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 98 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[196 * 2];
+    sp_digit p[98], q[98], dp[98], dq[98], qi[98];
+    sp_digit tmpa[196], tmpb[196];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 196, in, inLen);
+        sp_4096_from_mp(p, 98, pm);
+        sp_4096_from_mp(q, 98, qm);
+        sp_4096_from_mp(dp, 98, dpm);
+        sp_4096_from_mp(dq, 98, dqm);
+        sp_4096_from_mp(qi, 98, qim);
+
+        err = sp_4096_mod_exp_98(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_4096_mod_exp_98(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_4096_sub_98(tmpa, tmpa, tmpb);
+        sp_4096_cond_add_98(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[97] >> 31));
+        sp_4096_cond_add_98(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[97] >> 31));
+        sp_4096_mul_98(tmpa, tmpa, qi);
+        err = sp_4096_mod_98(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mul_98(tmpa, tmpa, q);
+        (void)sp_4096_add_196(r, tmpb, tmpa);
+        sp_4096_norm_196(r);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 21
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 196);
+        r->used = 196;
+        mp_clamp(r);
+#elif DIGIT_BIT < 21
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 196; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 21) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 21 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 196; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 21 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 21 - s;
+            }
+            else {
+                s += 21;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 196 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 196 * 2;
+        m = e + 196;
+        r = b;
+
+        sp_4096_from_mp(b, 196, base);
+        sp_4096_from_mp(e, 196, exp);
+        sp_4096_from_mp(m, 196, mod);
+
+        err = sp_4096_mod_exp_196(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[392], ed[196], md[196];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 196 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 196 * 2;
+        m = e + 196;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 196, base);
+        sp_4096_from_mp(e, 196, exp);
+        sp_4096_from_mp(m, 196, mod);
+
+        err = sp_4096_mod_exp_196(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+SP_NOINLINE static void sp_4096_lshift_196(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[196] = a[195] >> (21 - n);
+    for (i=195; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (21 - n))) & 0x1fffff;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[195];
+    r[196] = s >> (21U - n);
+    s = (sp_int_digit)(a[195]); t = (sp_int_digit)(a[194]);
+    r[195] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[194]); t = (sp_int_digit)(a[193]);
+    r[194] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[193]); t = (sp_int_digit)(a[192]);
+    r[193] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[192]); t = (sp_int_digit)(a[191]);
+    r[192] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[191]); t = (sp_int_digit)(a[190]);
+    r[191] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[190]); t = (sp_int_digit)(a[189]);
+    r[190] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[189]); t = (sp_int_digit)(a[188]);
+    r[189] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[188]); t = (sp_int_digit)(a[187]);
+    r[188] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[187]); t = (sp_int_digit)(a[186]);
+    r[187] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[186]); t = (sp_int_digit)(a[185]);
+    r[186] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[185]); t = (sp_int_digit)(a[184]);
+    r[185] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[184]); t = (sp_int_digit)(a[183]);
+    r[184] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[183]); t = (sp_int_digit)(a[182]);
+    r[183] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[182]); t = (sp_int_digit)(a[181]);
+    r[182] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[181]); t = (sp_int_digit)(a[180]);
+    r[181] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[180]); t = (sp_int_digit)(a[179]);
+    r[180] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[179]); t = (sp_int_digit)(a[178]);
+    r[179] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[178]); t = (sp_int_digit)(a[177]);
+    r[178] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[177]); t = (sp_int_digit)(a[176]);
+    r[177] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[176]); t = (sp_int_digit)(a[175]);
+    r[176] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[175]); t = (sp_int_digit)(a[174]);
+    r[175] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[174]); t = (sp_int_digit)(a[173]);
+    r[174] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[173]); t = (sp_int_digit)(a[172]);
+    r[173] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[172]); t = (sp_int_digit)(a[171]);
+    r[172] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[171]); t = (sp_int_digit)(a[170]);
+    r[171] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[170]); t = (sp_int_digit)(a[169]);
+    r[170] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[169]); t = (sp_int_digit)(a[168]);
+    r[169] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[168]); t = (sp_int_digit)(a[167]);
+    r[168] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[167]); t = (sp_int_digit)(a[166]);
+    r[167] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[166]); t = (sp_int_digit)(a[165]);
+    r[166] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[165]); t = (sp_int_digit)(a[164]);
+    r[165] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[164]); t = (sp_int_digit)(a[163]);
+    r[164] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[163]); t = (sp_int_digit)(a[162]);
+    r[163] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[162]); t = (sp_int_digit)(a[161]);
+    r[162] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[161]); t = (sp_int_digit)(a[160]);
+    r[161] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[160]); t = (sp_int_digit)(a[159]);
+    r[160] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[159]); t = (sp_int_digit)(a[158]);
+    r[159] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[158]); t = (sp_int_digit)(a[157]);
+    r[158] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[157]); t = (sp_int_digit)(a[156]);
+    r[157] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[156]); t = (sp_int_digit)(a[155]);
+    r[156] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[155]); t = (sp_int_digit)(a[154]);
+    r[155] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[154]); t = (sp_int_digit)(a[153]);
+    r[154] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[153]); t = (sp_int_digit)(a[152]);
+    r[153] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[152]); t = (sp_int_digit)(a[151]);
+    r[152] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[151]); t = (sp_int_digit)(a[150]);
+    r[151] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[150]); t = (sp_int_digit)(a[149]);
+    r[150] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[149]); t = (sp_int_digit)(a[148]);
+    r[149] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[148]); t = (sp_int_digit)(a[147]);
+    r[148] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[147]); t = (sp_int_digit)(a[146]);
+    r[147] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[146]); t = (sp_int_digit)(a[145]);
+    r[146] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[145]); t = (sp_int_digit)(a[144]);
+    r[145] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[144]); t = (sp_int_digit)(a[143]);
+    r[144] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[143]); t = (sp_int_digit)(a[142]);
+    r[143] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[142]); t = (sp_int_digit)(a[141]);
+    r[142] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[141]); t = (sp_int_digit)(a[140]);
+    r[141] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[140]); t = (sp_int_digit)(a[139]);
+    r[140] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[139]); t = (sp_int_digit)(a[138]);
+    r[139] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[138]); t = (sp_int_digit)(a[137]);
+    r[138] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[137]); t = (sp_int_digit)(a[136]);
+    r[137] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[136]); t = (sp_int_digit)(a[135]);
+    r[136] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[135]); t = (sp_int_digit)(a[134]);
+    r[135] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[134]); t = (sp_int_digit)(a[133]);
+    r[134] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[133]); t = (sp_int_digit)(a[132]);
+    r[133] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[132]); t = (sp_int_digit)(a[131]);
+    r[132] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[131]); t = (sp_int_digit)(a[130]);
+    r[131] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[130]); t = (sp_int_digit)(a[129]);
+    r[130] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[129]); t = (sp_int_digit)(a[128]);
+    r[129] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[128]); t = (sp_int_digit)(a[127]);
+    r[128] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[127]); t = (sp_int_digit)(a[126]);
+    r[127] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[126]); t = (sp_int_digit)(a[125]);
+    r[126] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[125]); t = (sp_int_digit)(a[124]);
+    r[125] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[124]); t = (sp_int_digit)(a[123]);
+    r[124] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[123]); t = (sp_int_digit)(a[122]);
+    r[123] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[122]); t = (sp_int_digit)(a[121]);
+    r[122] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[121]); t = (sp_int_digit)(a[120]);
+    r[121] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[120]); t = (sp_int_digit)(a[119]);
+    r[120] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[119]); t = (sp_int_digit)(a[118]);
+    r[119] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[118]); t = (sp_int_digit)(a[117]);
+    r[118] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[117]); t = (sp_int_digit)(a[116]);
+    r[117] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[116]); t = (sp_int_digit)(a[115]);
+    r[116] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[115]); t = (sp_int_digit)(a[114]);
+    r[115] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[114]); t = (sp_int_digit)(a[113]);
+    r[114] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[113]); t = (sp_int_digit)(a[112]);
+    r[113] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[112]); t = (sp_int_digit)(a[111]);
+    r[112] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[111]); t = (sp_int_digit)(a[110]);
+    r[111] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[110]); t = (sp_int_digit)(a[109]);
+    r[110] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[109]); t = (sp_int_digit)(a[108]);
+    r[109] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[108]); t = (sp_int_digit)(a[107]);
+    r[108] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[107]); t = (sp_int_digit)(a[106]);
+    r[107] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[106]); t = (sp_int_digit)(a[105]);
+    r[106] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[105]); t = (sp_int_digit)(a[104]);
+    r[105] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[104]); t = (sp_int_digit)(a[103]);
+    r[104] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[103]); t = (sp_int_digit)(a[102]);
+    r[103] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[102]); t = (sp_int_digit)(a[101]);
+    r[102] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[101]); t = (sp_int_digit)(a[100]);
+    r[101] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[100]); t = (sp_int_digit)(a[99]);
+    r[100] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[99]); t = (sp_int_digit)(a[98]);
+    r[99] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[98]); t = (sp_int_digit)(a[97]);
+    r[98] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[97]); t = (sp_int_digit)(a[96]);
+    r[97] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[96]); t = (sp_int_digit)(a[95]);
+    r[96] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[95]); t = (sp_int_digit)(a[94]);
+    r[95] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[94]); t = (sp_int_digit)(a[93]);
+    r[94] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[93]); t = (sp_int_digit)(a[92]);
+    r[93] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[92]); t = (sp_int_digit)(a[91]);
+    r[92] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[91]); t = (sp_int_digit)(a[90]);
+    r[91] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[90]); t = (sp_int_digit)(a[89]);
+    r[90] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[89]); t = (sp_int_digit)(a[88]);
+    r[89] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[88]); t = (sp_int_digit)(a[87]);
+    r[88] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[87]); t = (sp_int_digit)(a[86]);
+    r[87] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[86]); t = (sp_int_digit)(a[85]);
+    r[86] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[85]); t = (sp_int_digit)(a[84]);
+    r[85] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[84]); t = (sp_int_digit)(a[83]);
+    r[84] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[83]); t = (sp_int_digit)(a[82]);
+    r[83] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[82]); t = (sp_int_digit)(a[81]);
+    r[82] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[81]); t = (sp_int_digit)(a[80]);
+    r[81] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[80]); t = (sp_int_digit)(a[79]);
+    r[80] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[79]); t = (sp_int_digit)(a[78]);
+    r[79] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[78]); t = (sp_int_digit)(a[77]);
+    r[78] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[77]); t = (sp_int_digit)(a[76]);
+    r[77] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[76]); t = (sp_int_digit)(a[75]);
+    r[76] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[75]); t = (sp_int_digit)(a[74]);
+    r[75] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[74]); t = (sp_int_digit)(a[73]);
+    r[74] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[73]); t = (sp_int_digit)(a[72]);
+    r[73] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[72]); t = (sp_int_digit)(a[71]);
+    r[72] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[71]); t = (sp_int_digit)(a[70]);
+    r[71] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[70]); t = (sp_int_digit)(a[69]);
+    r[70] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[69]); t = (sp_int_digit)(a[68]);
+    r[69] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[68]); t = (sp_int_digit)(a[67]);
+    r[68] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[67]); t = (sp_int_digit)(a[66]);
+    r[67] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[66]); t = (sp_int_digit)(a[65]);
+    r[66] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[65]); t = (sp_int_digit)(a[64]);
+    r[65] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[64]); t = (sp_int_digit)(a[63]);
+    r[64] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[63]); t = (sp_int_digit)(a[62]);
+    r[63] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[62]); t = (sp_int_digit)(a[61]);
+    r[62] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[61]); t = (sp_int_digit)(a[60]);
+    r[61] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[60]); t = (sp_int_digit)(a[59]);
+    r[60] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[59]); t = (sp_int_digit)(a[58]);
+    r[59] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[58]); t = (sp_int_digit)(a[57]);
+    r[58] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[57]); t = (sp_int_digit)(a[56]);
+    r[57] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[56]); t = (sp_int_digit)(a[55]);
+    r[56] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[55]); t = (sp_int_digit)(a[54]);
+    r[55] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[54]); t = (sp_int_digit)(a[53]);
+    r[54] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
+    r[53] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
+    r[52] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
+    r[51] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
+    r[50] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
+    r[49] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
+    r[48] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
+    r[47] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
+    r[46] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
+    r[45] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
+    r[44] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
+    r[43] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
+    r[42] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
+    r[41] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
+    r[40] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
+    r[39] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
+    r[38] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
+    r[37] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
+    r[36] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (21U - n))) & 0x1fffff;
+#endif
+    r[0] = (a[0] << n) & 0x1fffff;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_196(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[392];
+    sp_digit td[197];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 589, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 392;
+        XMEMSET(td, 0, sizeof(sp_digit) * 589);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_196(norm, m);
+
+        bits = ((bits + 3) / 4) * 4;
+        i = ((bits + 20) / 21) - 1;
+        c = bits % 21;
+        if (c == 0) {
+            c = 21;
+        }
+        if (i < 196) {
+            n = e[i--] << (32 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 4) {
+            n |= e[i--] << (11 - c);
+            c += 21;
+        }
+        y = (n >> 28) & 0xf;
+        n <<= 4;
+        c -= 4;
+        sp_4096_lshift_196(r, norm, y);
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= e[i--] << (11 - c);
+                c += 21;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_4096_mont_sqr_196(r, r, m, mp);
+            sp_4096_mont_sqr_196(r, r, m, mp);
+            sp_4096_mont_sqr_196(r, r, m, mp);
+            sp_4096_mont_sqr_196(r, r, m, mp);
+
+            sp_4096_lshift_196(r, r, y);
+            sp_4096_mul_d_196(tmp, norm, (r[196] << 20) + (r[195] >> 1));
+            r[196] = 0;
+            r[195] &= 0x1L;
+            (void)sp_4096_add_196(r, r, tmp);
+            sp_4096_norm_196(r);
+            o = sp_4096_cmp_196(r, m);
+            sp_4096_cond_sub_196(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_4096_mont_reduce_196(r, m, mp);
+        n = sp_4096_cmp_196(r, m);
+        sp_4096_cond_sub_196(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 196 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 196 * 2;
+        m = e + 196;
+        r = b;
+
+        sp_4096_from_mp(b, 196, base);
+        sp_4096_from_bin(e, 196, exp, expLen);
+        sp_4096_from_mp(m, 196, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 &&
+                ((m[195] << 15) | (m[194] >> 6)) == 0xffffL) {
+            err = sp_4096_mod_exp_2_196(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_4096_mod_exp_196(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[392], ed[196], md[196];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 196 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 196 * 2;
+        m = e + 196;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 196, base);
+        sp_4096_from_bin(e, 196, exp, expLen);
+        sp_4096_from_mp(m, 196, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2U &&
+                ((m[195] << 15) | (m[194] >> 6)) == 0xffffL) {
+            err = sp_4096_mod_exp_2_196(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_4096_mod_exp_196(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_4096
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 196U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 10];
+    sp_digit y[2 * 10];
+    sp_digit z[2 * 10];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[10] = {
+    0x3ffffff,0x3ffffff,0x3ffffff,0x003ffff,0x0000000,0x0000000,0x0000000,
+    0x0000400,0x3ff0000,0x03fffff
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[10] = {
+    0x0000001,0x0000000,0x0000000,0x3fc0000,0x3ffffff,0x3ffffff,0x3ffffff,
+    0x3fffbff,0x000ffff,0x0000000
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[10] = {
+    0x0632551,0x272b0bf,0x1e84f3b,0x2b69c5e,0x3bce6fa,0x3ffffff,0x3ffffff,
+    0x00003ff,0x3ff0000,0x03fffff
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[10] = {
+    0x063254f,0x272b0bf,0x1e84f3b,0x2b69c5e,0x3bce6fa,0x3ffffff,0x3ffffff,
+    0x00003ff,0x3ff0000,0x03fffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[10] = {
+    0x39cdaaf,0x18d4f40,0x217b0c4,0x14963a1,0x0431905,0x0000000,0x0000000,
+    0x3fffc00,0x000ffff,0x0000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0x200bc4f;
+#endif
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0x098c296,0x04e5176,0x33a0f4a,0x204b7ac,0x277037d,0x0e9103c,0x3ce6e56,
+        0x1091fe2,0x1f2e12c,0x01ac5f4,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x3bf51f5,0x1901a0d,0x1ececbb,0x15dacc5,0x22bce33,0x303e785,0x27eb4a7,
+        0x1fe6e3b,0x2e2fe1a,0x013f8d0,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000001,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,
+        0x0000000,0x0000000,0x0000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[10] = {
+    0x3d2604b,0x38f0f89,0x30f63bc,0x2c3314e,0x0651d06,0x1a621af,0x2bbd557,
+    0x24f9ecf,0x1d8aa3a,0x016b18d
+};
+#endif
+
+static int sp_256_point_new_ex_10(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_10(heap, sp, p) sp_256_point_new_ex_10((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_10(heap, sp, p) sp_256_point_new_ex_10((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_10(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[8];
+    int64_t a32d[8];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 8;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = a[0];
+        a32[0] |= a[1] << 26U;
+        a32[0] &= 0xffffffffL;
+        a32[1] = (sp_digit)(a[1] >> 6);
+        a32[1] |= a[2] << 20U;
+        a32[1] &= 0xffffffffL;
+        a32[2] = (sp_digit)(a[2] >> 12);
+        a32[2] |= a[3] << 14U;
+        a32[2] &= 0xffffffffL;
+        a32[3] = (sp_digit)(a[3] >> 18);
+        a32[3] |= a[4] << 8U;
+        a32[3] &= 0xffffffffL;
+        a32[4] = (sp_digit)(a[4] >> 24);
+        a32[4] |= a[5] << 2U;
+        a32[4] |= a[6] << 28U;
+        a32[4] &= 0xffffffffL;
+        a32[5] = (sp_digit)(a[6] >> 4);
+        a32[5] |= a[7] << 22U;
+        a32[5] &= 0xffffffffL;
+        a32[6] = (sp_digit)(a[7] >> 10);
+        a32[6] |= a[8] << 16U;
+        a32[6] &= 0xffffffffL;
+        a32[7] = (sp_digit)(a[8] >> 16);
+        a32[7] |= a[9] << 10U;
+        a32[7] &= 0xffffffffL;
+
+        /*  1  1  0 -1 -1 -1 -1  0 */
+            t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+        /*  0  1  1  0 -1 -1 -1 -1 */
+            t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+        /*  0  0  1  1  0 -1 -1 -1 */
+            t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+        /* -1 -1  0  2  2  1  0 -1 */
+            t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+        /*  0 -1 -1  0  2  2  1  0 */
+            t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+        /*  0  0 -1 -1  0  2  2  1 */
+            t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+        /* -1 -1  0  0  0  1  3  2 */
+            t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+        /*  1  0 -1 -1 -1 -1  0  3 */
+            t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+
+            t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+            t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+            t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+            t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+            t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+            t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+            t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+            o     = t[7] >> 32U; t[7] &= 0xffffffffL;
+            t[0] += o;
+            t[3] -= o;
+            t[6] -= o;
+            t[7] += o;
+            t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+            t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+            t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+            t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+            t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+            t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+            t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+
+        r[0] = (sp_digit)(t[0]) & 0x3ffffffL;
+        r[1] = (sp_digit)(t[0] >> 26U);
+        r[1] |= t[1] << 6U;
+        r[1] &= 0x3ffffffL;
+        r[2] = (sp_digit)(t[1] >> 20U);
+        r[2] |= t[2] << 12U;
+        r[2] &= 0x3ffffffL;
+        r[3] = (sp_digit)(t[2] >> 14U);
+        r[3] |= t[3] << 18U;
+        r[3] &= 0x3ffffffL;
+        r[4] = (sp_digit)(t[3] >> 8U);
+        r[4] |= t[4] << 24U;
+        r[4] &= 0x3ffffffL;
+        r[5] = (sp_digit)(t[4] >> 2U) & 0x3ffffffL;
+        r[6] = (sp_digit)(t[4] >> 28U);
+        r[6] |= t[5] << 4U;
+        r[6] &= 0x3ffffffL;
+        r[7] = (sp_digit)(t[5] >> 22U);
+        r[7] |= t[6] << 10U;
+        r[7] &= 0x3ffffffL;
+        r[8] = (sp_digit)(t[6] >> 16U);
+        r[8] |= t[7] << 16U;
+        r[8] &= 0x3ffffffL;
+        r[9] = (sp_digit)(t[7] >> 10U);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 26
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 26
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x3ffffff;
+        s = 26U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 26U) <= (word32)DIGIT_BIT) {
+            s += 26U;
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 26) {
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 26 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_10(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 10, pm->x);
+    sp_256_from_mp(p->y, 10, pm->y);
+    sp_256_from_mp(p->z, 10, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 26
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 10);
+        r->used = 10;
+        mp_clamp(r);
+#elif DIGIT_BIT < 26
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 10; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 26) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 26 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 10; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 26 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 26 - s;
+            }
+            else {
+                s += 26;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_10(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_10(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[9]) * b[9];
+    r[19] = (sp_digit)(c >> 26);
+    c = (c & 0x3ffffff) << 26;
+    for (k = 17; k >= 0; k--) {
+        for (i = 9; i >= 0; i--) {
+            j = k - i;
+            if (j >= 10) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 52;
+        r[k + 1] = (c >> 26) & 0x3ffffff;
+        c = (c & 0x3ffffff) << 26;
+    }
+    r[0] = (sp_digit)(c >> 26);
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_10(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int64_t t0   = ((int64_t)a[ 0]) * b[ 0];
+    int64_t t1   = ((int64_t)a[ 0]) * b[ 1]
+                 + ((int64_t)a[ 1]) * b[ 0];
+    int64_t t2   = ((int64_t)a[ 0]) * b[ 2]
+                 + ((int64_t)a[ 1]) * b[ 1]
+                 + ((int64_t)a[ 2]) * b[ 0];
+    int64_t t3   = ((int64_t)a[ 0]) * b[ 3]
+                 + ((int64_t)a[ 1]) * b[ 2]
+                 + ((int64_t)a[ 2]) * b[ 1]
+                 + ((int64_t)a[ 3]) * b[ 0];
+    int64_t t4   = ((int64_t)a[ 0]) * b[ 4]
+                 + ((int64_t)a[ 1]) * b[ 3]
+                 + ((int64_t)a[ 2]) * b[ 2]
+                 + ((int64_t)a[ 3]) * b[ 1]
+                 + ((int64_t)a[ 4]) * b[ 0];
+    int64_t t5   = ((int64_t)a[ 0]) * b[ 5]
+                 + ((int64_t)a[ 1]) * b[ 4]
+                 + ((int64_t)a[ 2]) * b[ 3]
+                 + ((int64_t)a[ 3]) * b[ 2]
+                 + ((int64_t)a[ 4]) * b[ 1]
+                 + ((int64_t)a[ 5]) * b[ 0];
+    int64_t t6   = ((int64_t)a[ 0]) * b[ 6]
+                 + ((int64_t)a[ 1]) * b[ 5]
+                 + ((int64_t)a[ 2]) * b[ 4]
+                 + ((int64_t)a[ 3]) * b[ 3]
+                 + ((int64_t)a[ 4]) * b[ 2]
+                 + ((int64_t)a[ 5]) * b[ 1]
+                 + ((int64_t)a[ 6]) * b[ 0];
+    int64_t t7   = ((int64_t)a[ 0]) * b[ 7]
+                 + ((int64_t)a[ 1]) * b[ 6]
+                 + ((int64_t)a[ 2]) * b[ 5]
+                 + ((int64_t)a[ 3]) * b[ 4]
+                 + ((int64_t)a[ 4]) * b[ 3]
+                 + ((int64_t)a[ 5]) * b[ 2]
+                 + ((int64_t)a[ 6]) * b[ 1]
+                 + ((int64_t)a[ 7]) * b[ 0];
+    int64_t t8   = ((int64_t)a[ 0]) * b[ 8]
+                 + ((int64_t)a[ 1]) * b[ 7]
+                 + ((int64_t)a[ 2]) * b[ 6]
+                 + ((int64_t)a[ 3]) * b[ 5]
+                 + ((int64_t)a[ 4]) * b[ 4]
+                 + ((int64_t)a[ 5]) * b[ 3]
+                 + ((int64_t)a[ 6]) * b[ 2]
+                 + ((int64_t)a[ 7]) * b[ 1]
+                 + ((int64_t)a[ 8]) * b[ 0];
+    int64_t t9   = ((int64_t)a[ 0]) * b[ 9]
+                 + ((int64_t)a[ 1]) * b[ 8]
+                 + ((int64_t)a[ 2]) * b[ 7]
+                 + ((int64_t)a[ 3]) * b[ 6]
+                 + ((int64_t)a[ 4]) * b[ 5]
+                 + ((int64_t)a[ 5]) * b[ 4]
+                 + ((int64_t)a[ 6]) * b[ 3]
+                 + ((int64_t)a[ 7]) * b[ 2]
+                 + ((int64_t)a[ 8]) * b[ 1]
+                 + ((int64_t)a[ 9]) * b[ 0];
+    int64_t t10  = ((int64_t)a[ 1]) * b[ 9]
+                 + ((int64_t)a[ 2]) * b[ 8]
+                 + ((int64_t)a[ 3]) * b[ 7]
+                 + ((int64_t)a[ 4]) * b[ 6]
+                 + ((int64_t)a[ 5]) * b[ 5]
+                 + ((int64_t)a[ 6]) * b[ 4]
+                 + ((int64_t)a[ 7]) * b[ 3]
+                 + ((int64_t)a[ 8]) * b[ 2]
+                 + ((int64_t)a[ 9]) * b[ 1];
+    int64_t t11  = ((int64_t)a[ 2]) * b[ 9]
+                 + ((int64_t)a[ 3]) * b[ 8]
+                 + ((int64_t)a[ 4]) * b[ 7]
+                 + ((int64_t)a[ 5]) * b[ 6]
+                 + ((int64_t)a[ 6]) * b[ 5]
+                 + ((int64_t)a[ 7]) * b[ 4]
+                 + ((int64_t)a[ 8]) * b[ 3]
+                 + ((int64_t)a[ 9]) * b[ 2];
+    int64_t t12  = ((int64_t)a[ 3]) * b[ 9]
+                 + ((int64_t)a[ 4]) * b[ 8]
+                 + ((int64_t)a[ 5]) * b[ 7]
+                 + ((int64_t)a[ 6]) * b[ 6]
+                 + ((int64_t)a[ 7]) * b[ 5]
+                 + ((int64_t)a[ 8]) * b[ 4]
+                 + ((int64_t)a[ 9]) * b[ 3];
+    int64_t t13  = ((int64_t)a[ 4]) * b[ 9]
+                 + ((int64_t)a[ 5]) * b[ 8]
+                 + ((int64_t)a[ 6]) * b[ 7]
+                 + ((int64_t)a[ 7]) * b[ 6]
+                 + ((int64_t)a[ 8]) * b[ 5]
+                 + ((int64_t)a[ 9]) * b[ 4];
+    int64_t t14  = ((int64_t)a[ 5]) * b[ 9]
+                 + ((int64_t)a[ 6]) * b[ 8]
+                 + ((int64_t)a[ 7]) * b[ 7]
+                 + ((int64_t)a[ 8]) * b[ 6]
+                 + ((int64_t)a[ 9]) * b[ 5];
+    int64_t t15  = ((int64_t)a[ 6]) * b[ 9]
+                 + ((int64_t)a[ 7]) * b[ 8]
+                 + ((int64_t)a[ 8]) * b[ 7]
+                 + ((int64_t)a[ 9]) * b[ 6];
+    int64_t t16  = ((int64_t)a[ 7]) * b[ 9]
+                 + ((int64_t)a[ 8]) * b[ 8]
+                 + ((int64_t)a[ 9]) * b[ 7];
+    int64_t t17  = ((int64_t)a[ 8]) * b[ 9]
+                 + ((int64_t)a[ 9]) * b[ 8];
+    int64_t t18  = ((int64_t)a[ 9]) * b[ 9];
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    r[19] = (sp_digit)(t18 >> 26);
+                       r[18] = t18 & 0x3ffffff;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#define sp_256_mont_reduce_order_10         sp_256_mont_reduce_10
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_256_cmp_10(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=9; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    r |= (a[ 9] - b[ 9]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 8] - b[ 8]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 7] - b[ 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 6] - b[ 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 5] - b[ 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 4] - b[ 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 3] - b[ 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 2] - b[ 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 1] - b[ 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 0] - b[ 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_sub_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] - (b[ 0] & m);
+    r[ 1] = a[ 1] - (b[ 1] & m);
+    r[ 2] = a[ 2] - (b[ 2] & m);
+    r[ 3] = a[ 3] - (b[ 3] & m);
+    r[ 4] = a[ 4] - (b[ 4] & m);
+    r[ 5] = a[ 5] - (b[ 5] & m);
+    r[ 6] = a[ 6] - (b[ 6] & m);
+    r[ 7] = a[ 7] - (b[ 7] & m);
+    r[ 8] = a[ 8] - (b[ 8] & m);
+    r[ 9] = a[ 9] - (b[ 9] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[10] += t;
+#else
+    int64_t tb = b;
+    int64_t t[10];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    t[ 7] = tb * a[ 7];
+    t[ 8] = tb * a[ 8];
+    t[ 9] = tb * a[ 9];
+    r[ 0] += (sp_digit)                 (t[ 0] & 0x3ffffff);
+    r[ 1] += (sp_digit)((t[ 0] >> 26) + (t[ 1] & 0x3ffffff));
+    r[ 2] += (sp_digit)((t[ 1] >> 26) + (t[ 2] & 0x3ffffff));
+    r[ 3] += (sp_digit)((t[ 2] >> 26) + (t[ 3] & 0x3ffffff));
+    r[ 4] += (sp_digit)((t[ 3] >> 26) + (t[ 4] & 0x3ffffff));
+    r[ 5] += (sp_digit)((t[ 4] >> 26) + (t[ 5] & 0x3ffffff));
+    r[ 6] += (sp_digit)((t[ 5] >> 26) + (t[ 6] & 0x3ffffff));
+    r[ 7] += (sp_digit)((t[ 6] >> 26) + (t[ 7] & 0x3ffffff));
+    r[ 8] += (sp_digit)((t[ 7] >> 26) + (t[ 8] & 0x3ffffff));
+    r[ 9] += (sp_digit)((t[ 8] >> 26) + (t[ 9] & 0x3ffffff));
+    r[10] += (sp_digit) (t[ 9] >> 26);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 26.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_256_norm_10(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 9; i++) {
+        a[i+1] += a[i] >> 26;
+        a[i] &= 0x3ffffff;
+    }
+#else
+    a[1] += a[0] >> 26; a[0] &= 0x3ffffff;
+    a[2] += a[1] >> 26; a[1] &= 0x3ffffff;
+    a[3] += a[2] >> 26; a[2] &= 0x3ffffff;
+    a[4] += a[3] >> 26; a[3] &= 0x3ffffff;
+    a[5] += a[4] >> 26; a[4] &= 0x3ffffff;
+    a[6] += a[5] >> 26; a[5] &= 0x3ffffff;
+    a[7] += a[6] >> 26; a[6] &= 0x3ffffff;
+    a[8] += a[7] >> 26; a[7] &= 0x3ffffff;
+    a[9] += a[8] >> 26; a[8] &= 0x3ffffff;
+#endif
+}
+
+/* Shift the result in the high 256 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    sp_digit n, s;
+
+    s = a[10];
+    n = a[9] >> 22;
+    for (i = 0; i < 9; i++) {
+        n += (s & 0x3ffffff) << 4;
+        r[i] = n & 0x3ffffff;
+        n >>= 26;
+        s = a[11 + i] + (s >> 26);
+    }
+    n += s << 4;
+    r[9] = n;
+#else
+    sp_digit n, s;
+
+    s = a[10]; n = a[9] >> 22;
+    n += (s & 0x3ffffff) << 4; r[ 0] = n & 0x3ffffff;
+    n >>= 26; s = a[11] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 1] = n & 0x3ffffff;
+    n >>= 26; s = a[12] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 2] = n & 0x3ffffff;
+    n >>= 26; s = a[13] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 3] = n & 0x3ffffff;
+    n >>= 26; s = a[14] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 4] = n & 0x3ffffff;
+    n >>= 26; s = a[15] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 5] = n & 0x3ffffff;
+    n >>= 26; s = a[16] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 6] = n & 0x3ffffff;
+    n >>= 26; s = a[17] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 7] = n & 0x3ffffff;
+    n >>= 26; s = a[18] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 8] = n & 0x3ffffff;
+    n >>= 26; s = a[19] + (s >> 26);
+    n += s << 4;              r[ 9] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[10], 0, sizeof(*r) * 10U);
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_256_mont_reduce_10(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    if (mp != 1) {
+        for (i=0; i<9; i++) {
+            mu = (a[i] * mp) & 0x3ffffff;
+            sp_256_mul_add_10(a+i, m, mu);
+            a[i+1] += a[i] >> 26;
+        }
+        mu = (a[i] * mp) & 0x3fffffL;
+        sp_256_mul_add_10(a+i, m, mu);
+        a[i+1] += a[i] >> 26;
+        a[i] &= 0x3ffffff;
+    }
+    else {
+        for (i=0; i<9; i++) {
+            mu = a[i] & 0x3ffffff;
+            sp_256_mul_add_10(a+i, p256_mod, mu);
+            a[i+1] += a[i] >> 26;
+        }
+        mu = a[i] & 0x3fffffL;
+        sp_256_mul_add_10(a+i, p256_mod, mu);
+        a[i+1] += a[i] >> 26;
+        a[i] &= 0x3ffffff;
+    }
+
+    sp_256_mont_shift_10(a, a);
+    sp_256_cond_sub_10(a, a, m, 0 - (((a[9] >> 22) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mul_10(r, a, b);
+    sp_256_mont_reduce_10(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[9]) * a[9];
+    r[19] = (sp_digit)(c >> 26);
+    c = (c & 0x3ffffff) << 26;
+    for (k = 17; k >= 0; k--) {
+        for (i = 9; i >= 0; i--) {
+            j = k - i;
+            if (j >= 10 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 52;
+        r[k + 1] = (c >> 26) & 0x3ffffff;
+        c = (c & 0x3ffffff) << 26;
+    }
+    r[0] = (sp_digit)(c >> 26);
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
+{
+    int64_t t0   =  ((int64_t)a[ 0]) * a[ 0];
+    int64_t t1   = (((int64_t)a[ 0]) * a[ 1]) * 2;
+    int64_t t2   = (((int64_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int64_t)a[ 1]) * a[ 1];
+    int64_t t3   = (((int64_t)a[ 0]) * a[ 3]
+                 +  ((int64_t)a[ 1]) * a[ 2]) * 2;
+    int64_t t4   = (((int64_t)a[ 0]) * a[ 4]
+                 +  ((int64_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int64_t)a[ 2]) * a[ 2];
+    int64_t t5   = (((int64_t)a[ 0]) * a[ 5]
+                 +  ((int64_t)a[ 1]) * a[ 4]
+                 +  ((int64_t)a[ 2]) * a[ 3]) * 2;
+    int64_t t6   = (((int64_t)a[ 0]) * a[ 6]
+                 +  ((int64_t)a[ 1]) * a[ 5]
+                 +  ((int64_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int64_t)a[ 3]) * a[ 3];
+    int64_t t7   = (((int64_t)a[ 0]) * a[ 7]
+                 +  ((int64_t)a[ 1]) * a[ 6]
+                 +  ((int64_t)a[ 2]) * a[ 5]
+                 +  ((int64_t)a[ 3]) * a[ 4]) * 2;
+    int64_t t8   = (((int64_t)a[ 0]) * a[ 8]
+                 +  ((int64_t)a[ 1]) * a[ 7]
+                 +  ((int64_t)a[ 2]) * a[ 6]
+                 +  ((int64_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int64_t)a[ 4]) * a[ 4];
+    int64_t t9   = (((int64_t)a[ 0]) * a[ 9]
+                 +  ((int64_t)a[ 1]) * a[ 8]
+                 +  ((int64_t)a[ 2]) * a[ 7]
+                 +  ((int64_t)a[ 3]) * a[ 6]
+                 +  ((int64_t)a[ 4]) * a[ 5]) * 2;
+    int64_t t10  = (((int64_t)a[ 1]) * a[ 9]
+                 +  ((int64_t)a[ 2]) * a[ 8]
+                 +  ((int64_t)a[ 3]) * a[ 7]
+                 +  ((int64_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int64_t)a[ 5]) * a[ 5];
+    int64_t t11  = (((int64_t)a[ 2]) * a[ 9]
+                 +  ((int64_t)a[ 3]) * a[ 8]
+                 +  ((int64_t)a[ 4]) * a[ 7]
+                 +  ((int64_t)a[ 5]) * a[ 6]) * 2;
+    int64_t t12  = (((int64_t)a[ 3]) * a[ 9]
+                 +  ((int64_t)a[ 4]) * a[ 8]
+                 +  ((int64_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int64_t)a[ 6]) * a[ 6];
+    int64_t t13  = (((int64_t)a[ 4]) * a[ 9]
+                 +  ((int64_t)a[ 5]) * a[ 8]
+                 +  ((int64_t)a[ 6]) * a[ 7]) * 2;
+    int64_t t14  = (((int64_t)a[ 5]) * a[ 9]
+                 +  ((int64_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int64_t)a[ 7]) * a[ 7];
+    int64_t t15  = (((int64_t)a[ 6]) * a[ 9]
+                 +  ((int64_t)a[ 7]) * a[ 8]) * 2;
+    int64_t t16  = (((int64_t)a[ 7]) * a[ 9]) * 2
+                 +  ((int64_t)a[ 8]) * a[ 8];
+    int64_t t17  = (((int64_t)a[ 8]) * a[ 9]) * 2;
+    int64_t t18  =  ((int64_t)a[ 9]) * a[ 9];
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    r[19] = (sp_digit)(t18 >> 26);
+                       r[18] = t18 & 0x3ffffff;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_10(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_256_sqr_10(r, a);
+    sp_256_mont_reduce_10(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_10(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_10(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_10(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint32_t p256_mod_minus_2[8] = {
+    0xfffffffdU,0xffffffffU,0xffffffffU,0x00000000U,0x00000000U,0x00000000U,
+    0x00000001U,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_10(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 10);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_10(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_256_mont_mul_10(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 10);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 10;
+    sp_digit* t3 = td + 4 * 10;
+    /* 0x2 */
+    sp_256_mont_sqr_10(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_10(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_10(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_10(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_10(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_10(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_10(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_10(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_10(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_10(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_10(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_10(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_10(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_10(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_10(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_10(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_10(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_10(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_10(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_10(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_10(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_10(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    int32_t n;
+
+    sp_256_mont_inv_10(t1, p->z, t + 2*10);
+
+    sp_256_mont_sqr_10(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_10(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 10, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_10(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_10(r->x, p256_mod);
+    sp_256_cond_sub_10(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_10(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 10, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_10(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_10(r->y, p256_mod);
+    sp_256_cond_sub_10(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+    r[ 9] = a[ 9] + b[ 9];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, b);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+    (void)sp_256_add_10(r, r, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_sub_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_sub_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] - b[ 0];
+    r[ 1] = a[ 1] - b[ 1];
+    r[ 2] = a[ 2] - b[ 2];
+    r[ 3] = a[ 3] - b[ 3];
+    r[ 4] = a[ 4] - b[ 4];
+    r[ 5] = a[ 5] - b[ 5];
+    r[ 6] = a[ 6] - b[ 6];
+    r[ 7] = a[ 7] - b[ 7];
+    r[ 8] = a[ 8] - b[ 8];
+    r[ 9] = a[ 9] - b[ 9];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] + (b[ 0] & m);
+    r[ 1] = a[ 1] + (b[ 1] & m);
+    r[ 2] = a[ 2] + (b[ 2] & m);
+    r[ 3] = a[ 3] + (b[ 3] & m);
+    r[ 4] = a[ 4] + (b[ 4] & m);
+    r[ 5] = a[ 5] + (b[ 5] & m);
+    r[ 6] = a[ 6] + (b[ 6] & m);
+    r[ 7] = a[ 7] + (b[ 7] & m);
+    r[ 8] = a[ 8] + (b[ 8] & m);
+    r[ 9] = a[ 9] + (b[ 9] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_sub_10(r, a, b);
+    sp_256_cond_add_10(r, r, m, r[9] >> 22);
+    sp_256_norm_10(r);
+}
+
+/* Shift number left one bit.
+ * Bottom bit is lost.
+ *
+ * r  Result of shift.
+ * a  Number to shift.
+ */
+SP_NOINLINE static void sp_256_rshift1_10(sp_digit* r, sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<9; i++) {
+        r[i] = ((a[i] >> 1) | (a[i + 1] << 25)) & 0x3ffffff;
+    }
+#else
+    r[0] = ((a[0] >> 1) | (a[1] << 25)) & 0x3ffffff;
+    r[1] = ((a[1] >> 1) | (a[2] << 25)) & 0x3ffffff;
+    r[2] = ((a[2] >> 1) | (a[3] << 25)) & 0x3ffffff;
+    r[3] = ((a[3] >> 1) | (a[4] << 25)) & 0x3ffffff;
+    r[4] = ((a[4] >> 1) | (a[5] << 25)) & 0x3ffffff;
+    r[5] = ((a[5] >> 1) | (a[6] << 25)) & 0x3ffffff;
+    r[6] = ((a[6] >> 1) | (a[7] << 25)) & 0x3ffffff;
+    r[7] = ((a[7] >> 1) | (a[8] << 25)) & 0x3ffffff;
+    r[8] = ((a[8] >> 1) | (a[9] << 25)) & 0x3ffffff;
+#endif
+    r[9] = a[9] >> 1;
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_256_cond_add_10(r, a, m, 0 - (a[0] & 1));
+    sp_256_norm_10(r);
+    sp_256_rshift1_10(r, r);
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_10(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_10(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_10(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_10(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_10(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_10(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_10(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_10(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_10(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_10(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_10(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_10(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_10(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_10(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_10(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_10(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_10(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_10(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_10(y, y, t2, p256_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_10(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_10(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* t3 = t + 4*10;
+    sp_digit* t4 = t + 6*10;
+    sp_digit* t5 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_10(t1, p256_mod, q->y);
+    sp_256_norm_10(t1);
+    if ((sp_256_cmp_equal_10(p->x, q->x) & sp_256_cmp_equal_10(p->z, q->z) &
+        (sp_256_cmp_equal_10(p->y, q->y) | sp_256_cmp_equal_10(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_10(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<10; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_10(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_10(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_10(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_10(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_10(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_10(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_10(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_10(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_10(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(x, x, t5, p256_mod);
+        sp_256_mont_dbl_10(t1, y, p256_mod);
+        sp_256_mont_sub_10(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_mul_10(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(y, y, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifdef WOLFSSL_SP_NO_MALLOC
+    sp_point_256 t[3];
+    sp_digit tmp[2 * 10 * 5];
+#else
+    sp_point_256* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+
+        /* t[0] = {0, 0, 1} * norm */
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_10(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 9;
+        c = 22;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_10(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                   ((size_t)&t[1] & addr_mask[y])),
+                    sizeof(sp_point_256));
+            sp_256_proj_point_dbl_10(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                            ((size_t)&t[1] & addr_mask[y])), &t[2],
+                    sizeof(sp_point_256));
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_256));
+        }
+    }
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 t[3];
+    sp_digit tmp[2 * 10 * 5];
+#else
+    sp_point_256* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point*)XMALLOC(sizeof(*t) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        t[1].infinity = 0;
+        err = sp_256_mod_mul_norm_10(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 9;
+        c = 22;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_10(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                 ((size_t)&t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_256_proj_point_dbl_10(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                          ((size_t)&t[1] & addr_mask[y])), &t[2], sizeof(t[2]));
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#else
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[10];
+    sp_digit y[10];
+} sp_table_entry_256;
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_10(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[16];
+    sp_point_256 rtd;
+    sp_digit tmpd[2 * 10 * 5];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_10(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_10(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_10(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_10(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_10(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_10(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_10(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 8;
+        n = k[i+1] << 6;
+        c = 18;
+        y = n >> 24;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_256));
+        n <<= 8;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--] << (6 - c);
+                c += 26;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+
+            sp_256_proj_point_add_10(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_256_point_free_10(rt, 1, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_10(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*10;
+    sp_digit* b = t + 4*10;
+    sp_digit* t1 = t + 6*10;
+    sp_digit* t2 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_10(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_10(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_10(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_10(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_10(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_10(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_10(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_10(t2, b, p256_mod);
+        sp_256_mont_sub_10(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_10(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_10(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_10(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_10(y, b, x, p256_mod);
+        sp_256_mont_mul_10(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_10(y, y, p256_mod);
+        sp_256_mont_sub_10(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_10(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_10(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_10(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_10(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_10(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_10(t2, b, p256_mod);
+    sp_256_mont_sub_10(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_10(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_10(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_10(y, b, x, p256_mod);
+    sp_256_mont_mul_10(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_10(y, y, p256_mod);
+    sp_256_mont_sub_10(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_10(y, y, p256_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_10(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* t3 = t + 4*10;
+    sp_digit* t4 = t + 6*10;
+    sp_digit* t5 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_10(t1, p256_mod, q->y);
+    sp_256_norm_10(t1);
+    if ((sp_256_cmp_equal_10(p->x, q->x) & sp_256_cmp_equal_10(p->z, q->z) &
+        (sp_256_cmp_equal_10(p->y, q->y) | sp_256_cmp_equal_10(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_10(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<10; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_10(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_10(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_10(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_10(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_10(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_10(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_10(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_10(t1, t3, p256_mod);
+        sp_256_mont_sub_10(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_10(t3, t3, x, p256_mod);
+        sp_256_mont_mul_10(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_10(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 10;
+    sp_digit* tmp = t + 4 * 10;
+
+    sp_256_mont_inv_10(t1, a->z, tmp);
+
+    sp_256_mont_sqr_10(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_10(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_10(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_10(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_10(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_10(t, 32, tmp);
+            sp_256_proj_to_affine_10(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_10(t, s1, s2, tmp);
+                sp_256_proj_to_affine_10(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_10(s2, 0, heap);
+    sp_256_point_free_10(s1, 0, heap);
+    sp_256_point_free_10( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_10(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 10 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_10(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_10(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_10(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(p, 0, heap);
+    sp_256_point_free_10(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[10];
+    sp_digit y[10];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_10(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_10(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_10(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 10 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_10(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_10(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_10(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[10];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_10(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 10, km);
+        sp_256_point_from_ecc_point_10(point, gm);
+
+            err = sp_256_ecc_mulmod_10(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_10(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_10(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_256_ecc_mulmod_10(r, &p256_base, k, map, heap);
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_10(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_256_ecc_mulmod_10(r, &p256_base, k, map, heap);
+}
+
+#else
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x0a9143c,0x1cc3506,0x360179e,0x3f17fb6,0x075ba95,0x1d88944,
+        0x3b732b7,0x15719e7,0x376a537,0x0062417 },
+      { 0x295560a,0x094d5f3,0x245cddf,0x392e867,0x18b4ab8,0x3487cc9,
+        0x288688d,0x176174b,0x3182588,0x0215c7f } },
+    /* 2 */
+    { { 0x147519a,0x2218090,0x32f0202,0x2b09acd,0x0d0981e,0x1e17af2,
+        0x14a7caa,0x163a6a7,0x10ddbdf,0x03654f1 },
+      { 0x1590f8f,0x0d8733f,0x09179d6,0x1ad139b,0x372e962,0x0bad933,
+        0x1961102,0x223cdff,0x37e9eb2,0x0218fae } },
+    /* 3 */
+    { { 0x0db6485,0x1ad88d7,0x2f97785,0x288bc28,0x3808f0e,0x3df8c02,
+        0x28d9544,0x20280f9,0x055b5ff,0x00001d8 },
+      { 0x38d2010,0x13ae6e0,0x308a763,0x2ecc90d,0x254014f,0x10a9981,
+        0x247d398,0x0fb8383,0x3613437,0x020c21d } },
+    /* 4 */
+    { { 0x2a0d2bb,0x08bf145,0x34994f9,0x1b06988,0x30d5cc1,0x1f18b22,
+        0x01cf3a5,0x199fe49,0x161fd1b,0x00bd79a },
+      { 0x1a01797,0x171c2fd,0x21925c1,0x1358255,0x23d20b4,0x1c7f6d4,
+        0x111b370,0x03dec12,0x1168d6f,0x03d923e } },
+    /* 5 */
+    { { 0x137bbbc,0x19a11f8,0x0bec9e5,0x27a29a8,0x3e43446,0x275cd18,
+        0x0427617,0x00056c7,0x285133d,0x016af80 },
+      { 0x04c7dab,0x2a0df30,0x0c0792a,0x1310c98,0x3573d9f,0x239b30d,
+        0x1315627,0x1ce0c32,0x25b6b6f,0x0252edc } },
+    /* 6 */
+    { { 0x20f141c,0x26d23dc,0x3c74bbf,0x334b7d6,0x06199b3,0x0441171,
+        0x3f61294,0x313bf70,0x3cb2f7d,0x03375ae },
+      { 0x2f436fd,0x19c02fa,0x26becca,0x1b6e64c,0x26f647f,0x053c948,
+        0x0fa7920,0x397d830,0x2bd4bda,0x028d86f } },
+    /* 7 */
+    { { 0x17c13c7,0x2895616,0x03e128a,0x17d42df,0x1c38d63,0x0f02747,
+        0x039aecf,0x0a4b01c,0x209c4b5,0x02e84b2 },
+      { 0x1f91dfd,0x023e916,0x07fb9e4,0x19b3ba8,0x13af43b,0x35e02ca,
+        0x0eb0899,0x3bd2c7b,0x19d701f,0x014faee } },
+    /* 8 */
+    { { 0x0e63d34,0x1fb8c6c,0x0fab4fe,0x1caa795,0x0f46005,0x179ed69,
+        0x093334d,0x120c701,0x39206d5,0x021627e },
+      { 0x183553a,0x03d7319,0x09e5aa7,0x12b8959,0x2087909,0x0011194,
+        0x1045071,0x0713f32,0x16d0254,0x03aec1a } },
+    /* 9 */
+    { { 0x01647c5,0x1b2856b,0x1799461,0x11f133d,0x0b8127d,0x1937eeb,
+        0x266aa37,0x1f68f71,0x0cbd1b2,0x03aca08 },
+      { 0x287e008,0x1be361a,0x38f3940,0x276488d,0x2d87dfa,0x0333b2c,
+        0x2d2e428,0x368755b,0x09b55a7,0x007ca0a } },
+    /* 10 */
+    { { 0x389da99,0x2a8300e,0x0022abb,0x27ae0a1,0x0a6f2d7,0x207017a,
+        0x047862b,0x1358c9e,0x35905e5,0x00cde92 },
+      { 0x1f7794a,0x1d40348,0x3f613c6,0x2ddf5b5,0x0207005,0x133f5ba,
+        0x1a37810,0x3ef5829,0x0d5f4c2,0x0035978 } },
+    /* 11 */
+    { { 0x1275d38,0x026efad,0x2358d9d,0x1142f82,0x14268a7,0x1cfac99,
+        0x362ff49,0x288cbc1,0x24252f4,0x0308f68 },
+      { 0x394520c,0x06e13c2,0x178e5da,0x18ec16f,0x1096667,0x134a7a8,
+        0x0dcb869,0x33fc4e9,0x38cc790,0x006778e } },
+    /* 12 */
+    { { 0x2c5fe04,0x29c5b09,0x1bdb183,0x02ceee8,0x03b28de,0x132dc4b,
+        0x32c586a,0x32ff5d0,0x3d491fc,0x038d372 },
+      { 0x2a58403,0x2351aea,0x3a53b40,0x21a0ba5,0x39a6974,0x1aaaa2b,
+        0x3901273,0x03dfe78,0x3447b4e,0x039d907 } },
+    /* 13 */
+    { { 0x364ba59,0x14e5077,0x02fc7d7,0x3b02c09,0x1d33f10,0x0560616,
+        0x06dfc6a,0x15efd3c,0x357052a,0x01284b7 },
+      { 0x039dbd0,0x18ce3e5,0x3e1fbfa,0x352f794,0x0d3c24b,0x07c6cc5,
+        0x1e4ffa2,0x3a91bf5,0x293bb5b,0x01abd6a } },
+    /* 14 */
+    { { 0x0c91999,0x02da644,0x0491da1,0x100a960,0x00a24b4,0x2330824,
+        0x0094b4b,0x1004cf8,0x35a66a4,0x017f8d1 },
+      { 0x13e7b4b,0x232af7e,0x391ab0f,0x069f08f,0x3292b50,0x3479898,
+        0x2889aec,0x2a4590b,0x308ecfe,0x02d5138 } },
+    /* 15 */
+    { { 0x2ddfdce,0x231ba45,0x39e6647,0x19be245,0x12c3291,0x35399f8,
+        0x0d6e764,0x3082d3a,0x2bda6b0,0x0382dac },
+      { 0x37efb57,0x04b7cae,0x00070d3,0x379e431,0x01aac0d,0x1e6f251,
+        0x0336ad6,0x0ddd3e4,0x3de25a6,0x01c7008 } },
+    /* 16 */
+    { { 0x3e20925,0x230912f,0x286762a,0x30e3f73,0x391c19a,0x34e1c18,
+        0x16a5d5d,0x093d96a,0x3d421d3,0x0187561 },
+      { 0x37173ea,0x19ce8a8,0x0b65e87,0x0214dde,0x2238480,0x16ead0f,
+        0x38441e0,0x3bef843,0x2124621,0x03e847f } },
+    /* 17 */
+    { { 0x0b19ffd,0x247cacb,0x3c231c8,0x16ec648,0x201ba8d,0x2b172a3,
+        0x103d678,0x2fb72db,0x04c1f13,0x0161bac },
+      { 0x3e8ed09,0x171b949,0x2de20c3,0x0f06067,0x21e81a3,0x1b194be,
+        0x0fd6c05,0x13c449e,0x0087086,0x006756b } },
+    /* 18 */
+    { { 0x09a4e1f,0x27d604c,0x00741e9,0x06fa49c,0x0ab7de7,0x3f4a348,
+        0x25ef0be,0x158fc9a,0x33f7f9c,0x039f001 },
+      { 0x2f59f76,0x3598e83,0x30501f6,0x15083f2,0x0669b3b,0x29980b5,
+        0x0c1f7a7,0x0f02b02,0x0fec65b,0x0382141 } },
+    /* 19 */
+    { { 0x031b3ca,0x23da368,0x2d66f09,0x27b9b69,0x06d1cab,0x13c91ba,
+        0x3d81fa9,0x25ad16f,0x0825b09,0x01e3c06 },
+      { 0x225787f,0x3bf790e,0x2c9bb7e,0x0347732,0x28016f8,0x0d6ff0d,
+        0x2a4877b,0x1d1e833,0x3b87e94,0x010e9dc } },
+    /* 20 */
+    { { 0x2b533d5,0x1ddcd34,0x1dc0625,0x3da86f7,0x3673b8a,0x1e7b0a4,
+        0x3e7c9aa,0x19ac55d,0x251c3b2,0x02edb79 },
+      { 0x25259b3,0x24c0ead,0x3480e7e,0x34f40e9,0x3d6a0af,0x2cf3f09,
+        0x2c83d19,0x2e66f16,0x19a5d18,0x0182d18 } },
+    /* 21 */
+    { { 0x2e5aa1c,0x28e3846,0x3658bd6,0x0ad279c,0x1b8b765,0x397e1fb,
+        0x130014e,0x3ff342c,0x3b2aeeb,0x02743c9 },
+      { 0x2730a55,0x0918c5e,0x083aca9,0x0bf76ef,0x19c955b,0x300669c,
+        0x01dfe0a,0x312341f,0x26d356e,0x0091295 } },
+    /* 22 */
+    { { 0x2cf1f96,0x00e52ba,0x271c6db,0x2a40930,0x19f2122,0x0b2f4ee,
+        0x26ac1b8,0x3bda498,0x0873581,0x0117963 },
+      { 0x38f9dbc,0x3d1e768,0x2040d3f,0x11ba222,0x3a8aaf1,0x1b82fb5,
+        0x1adfb24,0x2de9251,0x21cc1e4,0x0301038 } },
+    /* 23 */
+    { { 0x38117b6,0x2bc001b,0x1433847,0x3fdce8d,0x3651969,0x3651d7a,
+        0x2b35761,0x1bb1d20,0x097682c,0x00737d7 },
+      { 0x1f04839,0x1dd6d04,0x16987db,0x3d12378,0x17dbeac,0x1c2cc86,
+        0x121dd1b,0x3fcf6ca,0x1f8a92d,0x00119d5 } },
+    /* 24 */
+    { { 0x0e8ffcd,0x2b174af,0x1a82cc8,0x22cbf98,0x30d53c4,0x080b5b1,
+        0x3161727,0x297cfdb,0x2113b83,0x0011b97 },
+      { 0x0007f01,0x23fd936,0x3183e7b,0x0496bd0,0x07fb1ef,0x178680f,
+        0x1c5ea63,0x0016c11,0x2c3303d,0x01b8041 } },
+    /* 25 */
+    { { 0x0dd73b1,0x1cd6122,0x10d948c,0x23e657b,0x3767070,0x15a8aad,
+        0x385ea8c,0x33c7ce0,0x0ede901,0x0110965 },
+      { 0x2d4b65b,0x2a8b244,0x0c37f8f,0x0ee5b24,0x394c234,0x3a5e347,
+        0x26e4a15,0x39a3b4c,0x2514c2e,0x029e5be } },
+    /* 26 */
+    { { 0x23addd7,0x3ed8120,0x13b3359,0x20f959a,0x09e2a61,0x32fcf20,
+        0x05b78e3,0x19ba7e2,0x1a9c697,0x0392b4b },
+      { 0x2048a61,0x3dfd0a3,0x19a0357,0x233024b,0x3082d19,0x00fb63b,
+        0x3a1af4c,0x1450ff0,0x046c37b,0x0317a50 } },
+    /* 27 */
+    { { 0x3e75f9e,0x294e30a,0x3a78476,0x3a32c48,0x36fd1a9,0x0427012,
+        0x1e4df0b,0x11d1f61,0x1afdb46,0x018ca0f },
+      { 0x2f2df15,0x0a33dee,0x27f4ce7,0x1542b66,0x3e592c4,0x20d2f30,
+        0x3226ade,0x2a4e3ea,0x1ab1981,0x01a2f46 } },
+    /* 28 */
+    { { 0x087d659,0x3ab5446,0x305ac08,0x3d2cd64,0x33374d5,0x3f9d3f8,
+        0x186981c,0x37f5a5a,0x2f53c6f,0x01254a4 },
+      { 0x2cec896,0x1e32786,0x04844a8,0x043b16d,0x3d964b2,0x1935829,
+        0x16f7e26,0x1a0dd9a,0x30d2603,0x003b1d4 } },
+    /* 29 */
+    { { 0x12687bb,0x04e816b,0x21fa2da,0x1abccb8,0x3a1f83b,0x375181e,
+        0x0f5ef51,0x0fc2ce4,0x3a66486,0x003d881 },
+      { 0x3138233,0x1f8eec3,0x2718bd6,0x1b09caa,0x2dd66b9,0x1bb222b,
+        0x1004072,0x1b73e3b,0x07208ed,0x03fc36c } },
+    /* 30 */
+    { { 0x095d553,0x3e84053,0x0a8a749,0x3f575a0,0x3a44052,0x3ced59b,
+        0x3b4317f,0x03a8c60,0x13c8874,0x00c4ed4 },
+      { 0x0d11549,0x0b8ab02,0x221cb40,0x02ed37b,0x2071ee1,0x1fc8c83,
+        0x3987dd4,0x27e049a,0x0f986f1,0x00b4eaf } },
+    /* 31 */
+    { { 0x15581a2,0x2214060,0x11af4c2,0x1598c88,0x19a0a6d,0x32acba6,
+        0x3a7a0f0,0x2337c66,0x210ded9,0x0300dbe },
+      { 0x1fbd009,0x3822eb0,0x181629a,0x2401b45,0x30b68b1,0x2e78363,
+        0x2b32779,0x006530b,0x2c4b6d4,0x029aca8 } },
+    /* 32 */
+    { { 0x13549cf,0x0f943db,0x265ed43,0x1bfeb35,0x06f3369,0x3847f2d,
+        0x1bfdacc,0x26181a5,0x252af7c,0x02043b8 },
+      { 0x159bb2c,0x143f85c,0x357b654,0x2f9d62c,0x2f7dfbe,0x1a7fa9c,
+        0x057e74d,0x05d14ac,0x17a9273,0x035215c } },
+    /* 33 */
+    { { 0x0cb5a98,0x106a2bc,0x10bf117,0x24c7cc4,0x3d3da8f,0x2ce0ab7,
+        0x14e2cba,0x1813866,0x1a72f9a,0x01a9811 },
+      { 0x2b2411d,0x3034fe8,0x16e0170,0x0f9443a,0x0be0eb8,0x2196cf3,
+        0x0c9f738,0x15e40ef,0x0faf9e1,0x034f917 } },
+    /* 34 */
+    { { 0x03f7669,0x3da6efa,0x3d6bce1,0x209ca1d,0x109f8ae,0x09109e3,
+        0x08ae543,0x3067255,0x1dee3c2,0x0081dd5 },
+      { 0x3ef1945,0x358765b,0x28c387b,0x3bec4b4,0x218813c,0x0b7d92a,
+        0x3cd1d67,0x2c0367e,0x2e57154,0x0123717 } },
+    /* 35 */
+    { { 0x3e5a199,0x1e42ffd,0x0bb7123,0x33e6273,0x1e0efb8,0x294671e,
+        0x3a2bfe0,0x3d11709,0x2eddff6,0x03cbec2 },
+      { 0x0b5025f,0x0255d7c,0x1f2241c,0x35d03ea,0x0550543,0x202fef4,
+        0x23c8ad3,0x354963e,0x015db28,0x0284fa4 } },
+    /* 36 */
+    { { 0x2b65cbc,0x1e8d428,0x0226f9f,0x1c8a919,0x10b04b9,0x08fc1e8,
+        0x1ce241e,0x149bc99,0x2b01497,0x00afc35 },
+      { 0x3216fb7,0x1374fd2,0x226ad3d,0x19fef76,0x0f7d7b8,0x1c21417,
+        0x37b83f6,0x3a27eba,0x25a162f,0x010aa52 } },
+    /* 37 */
+    { { 0x2adf191,0x1ab42fa,0x28d7584,0x2409689,0x20f8a48,0x253707d,
+        0x2030504,0x378f7a1,0x169c65e,0x00b0b76 },
+      { 0x3849c17,0x085c764,0x10dd6d0,0x2e87689,0x1460488,0x30e9521,
+        0x10c7063,0x1b6f120,0x21f42c5,0x03d0dfe } },
+    /* 38 */
+    { { 0x20f7dab,0x035c512,0x29ac6aa,0x24c5ddb,0x20f0497,0x17ce5e1,
+        0x00a050f,0x1eaa14b,0x3335470,0x02abd16 },
+      { 0x18d364a,0x0df0cf0,0x316585e,0x018f925,0x0d40b9b,0x17b1511,
+        0x1716811,0x1caf3d0,0x10df4f2,0x0337d8c } },
+    /* 39 */
+    { { 0x2a8b7ef,0x0f188e3,0x2287747,0x06216f0,0x008e935,0x2f6a38d,
+        0x1567722,0x0bfc906,0x0bada9e,0x03c3402 },
+      { 0x014d3b1,0x099c749,0x2a76291,0x216c067,0x3b37549,0x14ef2f6,
+        0x21b96d4,0x1ee2d71,0x2f5ca88,0x016f570 } },
+    /* 40 */
+    { { 0x09a3154,0x3d1a7bd,0x2e9aef0,0x255b8ac,0x03e85a5,0x2a492a7,
+        0x2aec1ea,0x11c6516,0x3c8a09e,0x02a84b7 },
+      { 0x1f69f1d,0x09c89d3,0x1e7326f,0x0b28bfd,0x0e0e4c8,0x1ea7751,
+        0x18ce73b,0x2a406e7,0x273e48c,0x01b00db } },
+    /* 41 */
+    { { 0x36e3138,0x2b84a83,0x345a5cf,0x00096b4,0x16966ef,0x159caf1,
+        0x13c64b4,0x2f89226,0x25896af,0x00a4bfd },
+      { 0x2213402,0x1435117,0x09fed52,0x09d0e4b,0x0f6580e,0x2871cba,
+        0x3b397fd,0x1c9d825,0x090311b,0x0191383 } },
+    /* 42 */
+    { { 0x07153f0,0x1087869,0x18c9e1e,0x1e64810,0x2b86c3b,0x0175d9c,
+        0x3dce877,0x269de4e,0x393cab7,0x03c96b9 },
+      { 0x1869d0c,0x06528db,0x02641f3,0x209261b,0x29d55c8,0x25ba517,
+        0x3b5ea30,0x028f927,0x25313db,0x00e6e39 } },
+    /* 43 */
+    { { 0x2fd2e59,0x150802d,0x098f377,0x19a4957,0x135e2c0,0x38a95ce,
+        0x1ab21a0,0x36c1b67,0x32f0f19,0x00e448b },
+      { 0x3cad53c,0x3387800,0x17e3cfb,0x03f9970,0x3225b2c,0x2a84e1d,
+        0x3af1d29,0x3fe35ca,0x2f8ce80,0x0237a02 } },
+    /* 44 */
+    { { 0x07bbb76,0x3aa3648,0x2758afb,0x1f085e0,0x1921c7e,0x3010dac,
+        0x22b74b1,0x230137e,0x1062e36,0x021c652 },
+      { 0x3993df5,0x24a2ee8,0x126ab5f,0x2d7cecf,0x0639d75,0x16d5414,
+        0x1aa78a8,0x3f78404,0x26a5b74,0x03f0c57 } },
+    /* 45 */
+    { { 0x0d6ecfa,0x3f506ba,0x3f86561,0x3d86bb1,0x15f8c44,0x2491d07,
+        0x052a7b4,0x2422261,0x3adee38,0x039b529 },
+      { 0x193c75d,0x14bb451,0x1162605,0x293749c,0x370a70d,0x2e8b1f6,
+        0x2ede937,0x2b95f4a,0x39a9be2,0x00d77eb } },
+    /* 46 */
+    { { 0x2736636,0x15bf36a,0x2b7e6b9,0x25eb8b2,0x209f51d,0x3cd2659,
+        0x10bf410,0x034afec,0x3d71c83,0x0076971 },
+      { 0x0ce6825,0x07920cf,0x3c3b5c4,0x23fe55c,0x015ad11,0x08c0dae,
+        0x0552c7f,0x2e75a8a,0x0fddbf4,0x01c1df0 } },
+    /* 47 */
+    { { 0x2b9661c,0x0ffe351,0x3d71bf6,0x1ac34b3,0x3a1dfd3,0x211fe3d,
+        0x33e140a,0x3f9100d,0x32ee50e,0x014ea18 },
+      { 0x16d8051,0x1bfda1a,0x068a097,0x2571d3d,0x1daec0c,0x39389af,
+        0x194dc35,0x3f3058a,0x36d34e1,0x000a329 } },
+    /* 48 */
+    { { 0x09877ee,0x351f73f,0x0002d11,0x0420074,0x2c8b362,0x130982d,
+        0x02c1175,0x3c11b40,0x0d86962,0x001305f },
+      { 0x0daddf5,0x2f4252c,0x15c06d9,0x1d49339,0x1bea235,0x0b680ed,
+        0x3356e67,0x1d1d198,0x1e9fed9,0x03dee93 } },
+    /* 49 */
+    { { 0x3e1263f,0x2fe8d3a,0x3ce6d0d,0x0d5c6b9,0x3557637,0x0a9bd48,
+        0x0405538,0x0710749,0x2005213,0x038c7e5 },
+      { 0x26b6ec6,0x2e485ba,0x3c44d1b,0x0b9cf0b,0x037a1d1,0x27428a5,
+        0x0e7eac8,0x351ef04,0x259ce34,0x02a8e98 } },
+    /* 50 */
+    { { 0x2f3dcd3,0x3e77d4d,0x3360fbc,0x1434afd,0x36ceded,0x3d413d6,
+        0x1710fad,0x36bb924,0x1627e79,0x008e637 },
+      { 0x109569e,0x1c168db,0x3769cf4,0x2ed4527,0x0ea0619,0x17d80d3,
+        0x1c03773,0x18843fe,0x1b21c04,0x015c5fd } },
+    /* 51 */
+    { { 0x1dd895e,0x08a7248,0x04519fe,0x001030a,0x18e5185,0x358dfb3,
+        0x13d2391,0x0a37be8,0x0560e3c,0x019828b },
+      { 0x27fcbd0,0x2a22bb5,0x30969cc,0x1e03aa7,0x1c84724,0x0ba4ad3,
+        0x32f4817,0x0914cca,0x14c4f52,0x01893b9 } },
+    /* 52 */
+    { { 0x097eccc,0x1273936,0x00aa095,0x364fe62,0x04d49d1,0x10e9f08,
+        0x3c24230,0x3ef01c8,0x2fb92bd,0x013ce4a },
+      { 0x1e44fd9,0x27e3e9f,0x2156696,0x3915ecc,0x0b66cfb,0x1a3af0f,
+        0x2fa8033,0x0e6736c,0x177ccdb,0x0228f9e } },
+    /* 53 */
+    { { 0x2c4b125,0x06207c1,0x0a8cdde,0x003db8f,0x1ae34e3,0x31e84fa,
+        0x2999de5,0x11013bd,0x02370c2,0x00e2234 },
+      { 0x0f91081,0x200d591,0x1504762,0x1857c05,0x23d9fcf,0x0cb34db,
+        0x27edc86,0x08cd860,0x2471810,0x029798b } },
+    /* 54 */
+    { { 0x3acd6c8,0x097b8cb,0x3c661a8,0x15152f2,0x1699c63,0x237e64c,
+        0x23edf79,0x16b7033,0x0e6466a,0x00b11da },
+      { 0x0a64bc9,0x1bfe324,0x1f5cb34,0x08391de,0x0630a60,0x3017a21,
+        0x09d064b,0x14a8365,0x041f9e6,0x01ed799 } },
+    /* 55 */
+    { { 0x128444a,0x2508b07,0x2a39216,0x362f84d,0x2e996c5,0x2c31ff3,
+        0x07afe5f,0x1d1288e,0x3cb0c8d,0x02e2bdc },
+      { 0x38b86fd,0x3a0ea8c,0x1cff5fd,0x1629629,0x3fee3f1,0x02b250c,
+        0x2e8f6f2,0x0225727,0x15f7f3f,0x0280d8e } },
+    /* 56 */
+    { { 0x10f7770,0x0f1aee8,0x0e248c7,0x20684a8,0x3a6f16d,0x06f0ae7,
+        0x0df6825,0x2d4cc40,0x301875f,0x012f8da },
+      { 0x3b56dbb,0x1821ba7,0x24f8922,0x22c1f9e,0x0306fef,0x1b54bc8,
+        0x2ccc056,0x00303ba,0x2871bdc,0x0232f26 } },
+    /* 57 */
+    { { 0x0dac4ab,0x0625730,0x3112e13,0x101c4bf,0x3a874a4,0x2873b95,
+        0x32ae7c6,0x0d7e18c,0x13e0c08,0x01139d5 },
+      { 0x334002d,0x00fffdd,0x025c6d5,0x22c2cd1,0x19d35cb,0x3a1ce2d,
+        0x3702760,0x3f06257,0x03a5eb8,0x011c29a } },
+    /* 58 */
+    { { 0x0513482,0x1d87724,0x276a81b,0x0a807a4,0x3028720,0x339cc20,
+        0x2441ee0,0x31bbf36,0x290c63d,0x0059041 },
+      { 0x106a2ed,0x0d2819b,0x100bf50,0x114626c,0x1dd4d77,0x2e08632,
+        0x14ae72a,0x2ed3f64,0x1fd7abc,0x035cd1e } },
+    /* 59 */
+    { { 0x2d4c6e5,0x3bec596,0x104d7ed,0x23d6c1b,0x0262cf0,0x15d72c5,
+        0x2d5bb18,0x199ac4b,0x1e30771,0x020591a },
+      { 0x21e291e,0x2e75e55,0x1661d7a,0x08b0778,0x3eb9daf,0x0d78144,
+        0x1827eb1,0x0fe73d2,0x123f0dd,0x0028db7 } },
+    /* 60 */
+    { { 0x1d5533c,0x34cb1d0,0x228f098,0x27a1a11,0x17c5f5a,0x0d26f44,
+        0x2228ade,0x2c460e6,0x3d6fdba,0x038cc77 },
+      { 0x3cc6ed8,0x02ada1a,0x260e510,0x2f7bde8,0x37160c3,0x33a1435,
+        0x23d9a7b,0x0ce2641,0x02a492e,0x034ed1e } },
+    /* 61 */
+    { { 0x3821f90,0x26dba3c,0x3aada14,0x3b59bad,0x292edd9,0x2804c45,
+        0x3669531,0x296f42e,0x35a4c86,0x01ca049 },
+      { 0x3ff47e5,0x2163df4,0x2441503,0x2f18405,0x15e1616,0x37f66ec,
+        0x30f11a7,0x141658a,0x27ece14,0x00b018b } },
+    /* 62 */
+    { { 0x159ac2e,0x3e65bc0,0x2713a76,0x0db2f6c,0x3281e77,0x2391811,
+        0x16d2880,0x1fbc4ab,0x1f92c4e,0x00a0a8d },
+      { 0x0ce5cd2,0x152c7b0,0x02299c3,0x3244de7,0x2cf99ef,0x3a0b047,
+        0x2caf383,0x0aaf664,0x113554d,0x031c735 } },
+    /* 63 */
+    { { 0x1b578f4,0x177a702,0x3a7a488,0x1638ebf,0x31884e2,0x2460bc7,
+        0x36b1b75,0x3ce8e3d,0x340cf47,0x03143d9 },
+      { 0x34b68ea,0x12b7ccd,0x1fe2a9c,0x08da659,0x0a406f3,0x1694c14,
+        0x06a2228,0x16370be,0x3a72129,0x02e7b2c } },
+    /* 64 */
+    { { 0x0f8b16a,0x21043bd,0x266a56f,0x3fb11ec,0x197241a,0x36721f0,
+        0x006b8e6,0x2ac6c29,0x202cd42,0x0200fcf },
+      { 0x0dbec69,0x0c26a01,0x105f7f0,0x3dceeeb,0x3a83b85,0x363865f,
+        0x097273a,0x2b70718,0x00e5067,0x03025d1 } },
+    /* 65 */
+    { { 0x379ab34,0x295bcb0,0x38d1846,0x22e1077,0x3a8ee06,0x1db1a3b,
+        0x3144591,0x07cc080,0x2d5915f,0x03c6bcc },
+      { 0x175bd50,0x0dd4c57,0x27bc99c,0x2ebdcbd,0x3837cff,0x235dc8f,
+        0x13a4184,0x0722c18,0x130e2d4,0x008f43c } },
+    /* 66 */
+    { { 0x01500d9,0x2adbb7d,0x2da8857,0x397f2fa,0x10d890a,0x25c9654,
+        0x3e86488,0x3eb754b,0x1d6c0a3,0x02c0a23 },
+      { 0x10bcb08,0x083cc19,0x2e16853,0x04da575,0x271af63,0x2626a9d,
+        0x3520a7b,0x32348c7,0x24ff408,0x03ff4dc } },
+    /* 67 */
+    { { 0x058e6cb,0x1a3992d,0x1d28539,0x080c5e9,0x2992dad,0x2a9d7d5,
+        0x14ae0b7,0x09b7ce0,0x34ad78c,0x03d5643 },
+      { 0x30ba55a,0x092f4f3,0x0bae0fc,0x12831de,0x20fc472,0x20ed9d2,
+        0x29864f6,0x1288073,0x254f6f7,0x00635b6 } },
+    /* 68 */
+    { { 0x1be5a2b,0x0f88975,0x33c6ed9,0x20d64d3,0x06fe799,0x0989bff,
+        0x1409262,0x085a90c,0x0d97990,0x0142eed },
+      { 0x17ec63e,0x06471b9,0x0db2378,0x1006077,0x265422c,0x08db83d,
+        0x28099b0,0x1270d06,0x11801fe,0x00ac400 } },
+    /* 69 */
+    { { 0x3391593,0x22d7166,0x30fcfc6,0x2896609,0x3c385f5,0x066b72e,
+        0x04f3aad,0x2b831c5,0x19983fb,0x0375562 },
+      { 0x0b82ff4,0x222e39d,0x34c993b,0x101c79c,0x2d2e03c,0x0f00c8a,
+        0x3a9eaf4,0x1810669,0x151149d,0x039b931 } },
+    /* 70 */
+    { { 0x29af288,0x1956ec7,0x293155f,0x193deb6,0x1647e1a,0x2ca0839,
+        0x297e4bc,0x15bfd0d,0x1b107ed,0x0147803 },
+      { 0x31c327e,0x05a6e1d,0x02ad43d,0x02d2a5b,0x129cdb2,0x37ad1de,
+        0x3d51f53,0x245df01,0x2414982,0x0388bd0 } },
+    /* 71 */
+    { { 0x35f1abb,0x17a3d18,0x0874cd4,0x2d5a14e,0x17edc0c,0x16a00d3,
+        0x072c1fb,0x1232725,0x33d52dc,0x03dc24d },
+      { 0x0af30d6,0x259aeea,0x369c401,0x12bc4de,0x295bf5f,0x0d8711f,
+        0x26162a9,0x16c44e5,0x288e727,0x02f54b4 } },
+    /* 72 */
+    { { 0x05fa877,0x1571ea7,0x3d48ab1,0x1c9f4e8,0x017dad6,0x0f46276,
+        0x343f9e7,0x1de990f,0x0e4c8aa,0x028343e },
+      { 0x094f92d,0x3abf633,0x1b3a0bb,0x2f83137,0x0d818c8,0x20bae85,
+        0x0c65f8b,0x1a8008b,0x0c7946d,0x0295b1e } },
+    /* 73 */
+    { { 0x1d09529,0x08e46c3,0x1fcf296,0x298f6b7,0x1803e0e,0x2d6fd20,
+        0x37351f5,0x0d9e8b1,0x1f8731a,0x0362fbf },
+      { 0x00157f4,0x06750bf,0x2650ab9,0x35ffb23,0x2f51cae,0x0b522c2,
+        0x39cb400,0x191e337,0x0a5ce9f,0x021529a } },
+    /* 74 */
+    { { 0x3506ea5,0x17d9ed8,0x0d66dc3,0x22693f8,0x19286c4,0x3a57353,
+        0x101d3bf,0x1aa54fc,0x20b9884,0x0172b3a },
+      { 0x0eac44d,0x37d8327,0x1c3aa90,0x3d0d534,0x23db29a,0x3576eaf,
+        0x1d3de8a,0x3bea423,0x11235e4,0x039260b } },
+    /* 75 */
+    { { 0x34cd55e,0x01288b0,0x1132231,0x2cc9a03,0x358695b,0x3e87650,
+        0x345afa1,0x01267ec,0x3f616b2,0x02011ad },
+      { 0x0e7d098,0x0d6078e,0x0b70b53,0x237d1bc,0x0d7f61e,0x132de31,
+        0x1ea9ea4,0x2bd54c3,0x27b9082,0x03ac5f2 } },
+    /* 76 */
+    { { 0x2a145b9,0x06d661d,0x31ec175,0x03f06f1,0x3a5cf6b,0x249c56e,
+        0x2035653,0x384c74f,0x0bafab5,0x0025ec0 },
+      { 0x25f69e1,0x1b23a55,0x1199aa6,0x16ad6f9,0x077e8f7,0x293f661,
+        0x33ba11d,0x3327980,0x07bafdb,0x03e571d } },
+    /* 77 */
+    { { 0x2bae45e,0x3c074ef,0x2955558,0x3c312f1,0x2a8ebe9,0x2f193f1,
+        0x3705b1d,0x360deba,0x01e566e,0x00d4498 },
+      { 0x21161cd,0x1bc787e,0x2f87933,0x3553197,0x1328ab8,0x093c879,
+        0x17eee27,0x2adad1d,0x1236068,0x003be5c } },
+    /* 78 */
+    { { 0x0ca4226,0x2633dd5,0x2c8e025,0x0e3e190,0x05eede1,0x1a385e4,
+        0x163f744,0x2f25522,0x1333b4f,0x03f05b6 },
+      { 0x3c800ca,0x1becc79,0x2daabe9,0x0c499e2,0x1138063,0x3fcfa2d,
+        0x2244976,0x1e85cf5,0x2f1b95d,0x0053292 } },
+    /* 79 */
+    { { 0x12f81d5,0x1dc6eaf,0x11967a4,0x1a407df,0x31a5f9d,0x2b67241,
+        0x18bef7c,0x08c7762,0x063f59c,0x01015ec },
+      { 0x1c05c0a,0x360bfa2,0x1f85bff,0x1bc7703,0x3e4911c,0x0d685b6,
+        0x2fccaea,0x02c4cef,0x164f133,0x0070ed7 } },
+    /* 80 */
+    { { 0x0ec21fe,0x052ffa0,0x3e825fe,0x1ab0956,0x3f6ce11,0x3d29759,
+        0x3c5a072,0x18ebe62,0x148db7e,0x03eb49c },
+      { 0x1ab05b3,0x02dab0a,0x1ae690c,0x0f13894,0x137a9a8,0x0aab79f,
+        0x3dc875c,0x06a1029,0x1e39f0e,0x01dce1f } },
+    /* 81 */
+    { { 0x16c0dd7,0x3b31269,0x2c741e9,0x3611821,0x2a5cffc,0x1416bb3,
+        0x3a1408f,0x311fa3d,0x1c0bef0,0x02cdee1 },
+      { 0x00e6a8f,0x1adb933,0x0f23359,0x2fdace2,0x2fd6d4b,0x0e73bd3,
+        0x2453fac,0x0a356ae,0x2c8f9f6,0x02704d6 } },
+    /* 82 */
+    { { 0x0e35743,0x28c80a1,0x0def32a,0x2c6168f,0x1320d6a,0x37c6606,
+        0x21b1761,0x2147ee0,0x21fc433,0x015c84d },
+      { 0x1fc9168,0x36cda9c,0x003c1f0,0x1cd7971,0x15f98ba,0x1ef363d,
+        0x0ca87e3,0x046f7d9,0x3c9e6bb,0x0372eb0 } },
+    /* 83 */
+    { { 0x118cbe2,0x3665a11,0x304ef01,0x062727a,0x3d242fc,0x11ffbaf,
+        0x3663c7e,0x1a189c9,0x09e2d62,0x02e3072 },
+      { 0x0e1d569,0x162f772,0x0cd051a,0x322df62,0x3563809,0x047cc7a,
+        0x027fd9f,0x08b509b,0x3da2f94,0x01748ee } },
+    /* 84 */
+    { { 0x1c8f8be,0x31ca525,0x22bf0a1,0x200efcd,0x02961c4,0x3d8f52b,
+        0x018403d,0x3a40279,0x1cb91ec,0x030427e },
+      { 0x0945705,0x0257416,0x05c0c2d,0x25b77ae,0x3b9083d,0x2901126,
+        0x292b8d7,0x07b8611,0x04f2eee,0x026f0cd } },
+    /* 85 */
+    { { 0x2913074,0x2b8d590,0x02b10d5,0x09d2295,0x255491b,0x0c41cca,
+        0x1ca665b,0x133051a,0x1525f1a,0x00a5647 },
+      { 0x04f983f,0x3d6daee,0x04e1e76,0x1067d7e,0x1be7eef,0x02ea862,
+        0x00d4968,0x0ccb048,0x11f18ef,0x018dd95 } },
+    /* 86 */
+    { { 0x22976cc,0x17c5395,0x2c38bda,0x3983bc4,0x222bca3,0x332a614,
+        0x3a30646,0x261eaef,0x1c808e2,0x02f6de7 },
+      { 0x306a772,0x32d7272,0x2dcefd2,0x2abf94d,0x038f475,0x30ad76e,
+        0x23e0227,0x3052b0a,0x001add3,0x023ba18 } },
+    /* 87 */
+    { { 0x0ade873,0x25a6069,0x248ccbe,0x13713ee,0x17ee9aa,0x28152e9,
+        0x2e28995,0x2a92cb3,0x17a6f77,0x024b947 },
+      { 0x190a34d,0x2ebea1c,0x1ed1948,0x16fdaf4,0x0d698f7,0x32bc451,
+        0x0ee6e30,0x2aaab40,0x06f0a56,0x01460be } },
+    /* 88 */
+    { { 0x24cc99c,0x1884b1e,0x1ca1fba,0x1a0f9b6,0x2ff609b,0x2b26316,
+        0x3b27cb5,0x29bc976,0x35d4073,0x024772a },
+      { 0x3575a70,0x1b30f57,0x07fa01b,0x0e5be36,0x20cb361,0x26605cd,
+        0x1d4e8c8,0x13cac59,0x2db9797,0x005e833 } },
+    /* 89 */
+    { { 0x36c8d3a,0x1878a81,0x124b388,0x0e4843e,0x1701aad,0x0ea0d76,
+        0x10eae41,0x37d0653,0x36c7f4c,0x00ba338 },
+      { 0x37a862b,0x1cf6ac0,0x08fa912,0x2dd8393,0x101ba9b,0x0eebcb7,
+        0x2453883,0x1a3cfe5,0x2cb34f6,0x03d3331 } },
+    /* 90 */
+    { { 0x1f79687,0x3d4973c,0x281544e,0x2564bbe,0x17c5954,0x171e34a,
+        0x231741a,0x3cf2784,0x0889a0d,0x02b036d },
+      { 0x301747f,0x3f1c477,0x1f1386b,0x163bc5f,0x1592b93,0x332daed,
+        0x080e4f5,0x1d28b96,0x26194c9,0x0256992 } },
+    /* 91 */
+    { { 0x15a4c93,0x07bf6b0,0x114172c,0x1ce0961,0x140269b,0x1b2c2eb,
+        0x0dfb1c1,0x019ddaa,0x0ba2921,0x008c795 },
+      { 0x2e6d2dc,0x37e45e2,0x2918a70,0x0fce444,0x34d6aa6,0x396dc88,
+        0x27726b5,0x0c787d8,0x032d8a7,0x02ac2f8 } },
+    /* 92 */
+    { { 0x1131f2d,0x2b43a63,0x3101097,0x38cec13,0x0637f09,0x17a69d2,
+        0x086196d,0x299e46b,0x0802cf6,0x03c6f32 },
+      { 0x0daacb4,0x1a4503a,0x100925c,0x15583d9,0x23c4e40,0x1de4de9,
+        0x1cc8fc4,0x2c9c564,0x0695aeb,0x02145a5 } },
+    /* 93 */
+    { { 0x1dcf593,0x17050fc,0x3e3bde3,0x0a6c062,0x178202b,0x2f7674f,
+        0x0dadc29,0x15763a7,0x1d2daad,0x023d9f6 },
+      { 0x081ea5f,0x045959d,0x190c841,0x3a78d31,0x0e7d2dd,0x1414fea,
+        0x1d43f40,0x22d77ff,0x2b9c072,0x03e115c } },
+    /* 94 */
+    { { 0x3af71c9,0x29e9c65,0x25655e1,0x111e9cd,0x3a14494,0x3875418,
+        0x34ae070,0x0b06686,0x310616b,0x03b7b89 },
+      { 0x1734121,0x00d3d44,0x29f0b2f,0x1552897,0x31cac6e,0x1030bb3,
+        0x0148f3a,0x35fd237,0x29b44eb,0x027f49f } },
+    /* 95 */
+    { { 0x2e2cb16,0x1d962bd,0x19b63cc,0x0b3f964,0x3e3eb7d,0x1a35560,
+        0x0c58161,0x3ce1d6a,0x3b6958f,0x029030b },
+      { 0x2dcc158,0x3b1583f,0x30568c9,0x31957c8,0x27ad804,0x28c1f84,
+        0x3967049,0x37b3f64,0x3b87dc6,0x0266f26 } },
+    /* 96 */
+    { { 0x27dafc6,0x2548764,0x0d1984a,0x1a57027,0x252c1fb,0x24d9b77,
+        0x1581a0f,0x1f99276,0x10ba16d,0x026af88 },
+      { 0x0915220,0x2be1292,0x16c6480,0x1a93760,0x2fa7317,0x1a07296,
+        0x1539871,0x112c31f,0x25787f3,0x01e2070 } },
+    /* 97 */
+    { { 0x0bcf3ff,0x266d478,0x34f6933,0x31449fd,0x00d02cb,0x340765a,
+        0x3465a2d,0x225023e,0x319a30e,0x00579b8 },
+      { 0x20e05f4,0x35b834f,0x0404646,0x3710d62,0x3fad7bd,0x13e1434,
+        0x21c7d1c,0x1cb3af9,0x2cf1911,0x003957e } },
+    /* 98 */
+    { { 0x0787564,0x36601be,0x1ce67e9,0x084c7a1,0x21a3317,0x2067a35,
+        0x0158cab,0x195ddac,0x1766fe9,0x035cf42 },
+      { 0x2b7206e,0x20d0947,0x3b42424,0x03f1862,0x0a51929,0x38c2948,
+        0x0bb8595,0x2942d77,0x3748f15,0x0249428 } },
+    /* 99 */
+    { { 0x2577410,0x3c23e2f,0x28c6caf,0x00d41de,0x0fd408a,0x30298e9,
+        0x363289e,0x2302fc7,0x082c1cc,0x01dd050 },
+      { 0x30991cd,0x103e9ba,0x029605a,0x19927f7,0x0c1ca08,0x0c93f50,
+        0x28a3c7b,0x082e4e9,0x34d12eb,0x0232c13 } },
+    /* 100 */
+    { { 0x106171c,0x0b4155a,0x0c3fb1c,0x336c090,0x19073e9,0x2241a10,
+        0x0e6b4fd,0x0ed476e,0x1ef4712,0x039390a },
+      { 0x0ec36f4,0x3754f0e,0x2a270b8,0x007fd2d,0x0f9d2dc,0x1e6a692,
+        0x066e078,0x1954974,0x2ff3c6e,0x00def28 } },
+    /* 101 */
+    { { 0x3562470,0x0b8f1f7,0x0ac94cd,0x28b0259,0x244f272,0x031e4ef,
+        0x2d5df98,0x2c8a9f1,0x2dc3002,0x016644f },
+      { 0x350592a,0x0e6a0d5,0x1e027a1,0x2039e0f,0x399e01d,0x2817593,
+        0x0c0375e,0x3889b3e,0x24ab013,0x010de1b } },
+    /* 102 */
+    { { 0x256b5a6,0x0ac3b67,0x28f9ff3,0x29b67f1,0x30750d9,0x25e11a9,
+        0x15e8455,0x279ebb0,0x298b7e7,0x0218e32 },
+      { 0x2fc24b2,0x2b82582,0x28f22f5,0x2bd36b3,0x305398e,0x3b2e9e3,
+        0x365dd0a,0x29bc0ed,0x36a7b3a,0x007b374 } },
+    /* 103 */
+    { { 0x05ff2f3,0x2b3589b,0x29785d3,0x300a1ce,0x0a2d516,0x0844355,
+        0x14c9fad,0x3ccb6b6,0x385d459,0x0361743 },
+      { 0x0b11da3,0x002e344,0x18c49f7,0x0c29e0c,0x1d2c22c,0x08237b3,
+        0x2988f49,0x0f18955,0x1c3b4ed,0x02813c6 } },
+    /* 104 */
+    { { 0x17f93bd,0x249323b,0x11f6087,0x174e4bd,0x3cb64ac,0x086dc6b,
+        0x2e330a8,0x142c1f2,0x2ea5c09,0x024acbb },
+      { 0x1b6e235,0x3132521,0x00f085a,0x2a4a4db,0x1ab2ca4,0x0142224,
+        0x3aa6b3e,0x09db203,0x2215834,0x007b9e0 } },
+    /* 105 */
+    { { 0x23e79f7,0x28b8039,0x1906a60,0x2cbce67,0x1f590e7,0x181f027,
+        0x21054a6,0x3854240,0x2d857a6,0x03cfcb3 },
+      { 0x10d9b55,0x1443cfc,0x2648200,0x2b36190,0x09d2fcf,0x22f439f,
+        0x231aa7e,0x3884395,0x0543da3,0x003d5a9 } },
+    /* 106 */
+    { { 0x043e0df,0x06ffe84,0x3e6d5b2,0x3327001,0x26c74b6,0x12a145e,
+        0x256ec0d,0x3898c69,0x3411969,0x02f63c5 },
+      { 0x2b7494a,0x2eee1af,0x38388a9,0x1bd17ce,0x21567d4,0x13969e6,
+        0x3a12a7a,0x3e8277d,0x03530cc,0x00b4687 } },
+    /* 107 */
+    { { 0x06508da,0x38e04d4,0x15a7192,0x312875e,0x3336180,0x2a6512c,
+        0x1b59497,0x2e91b37,0x25eb91f,0x02841e9 },
+      { 0x394d639,0x0747143,0x37d7e6d,0x1d62962,0x08b4af3,0x34df287,
+        0x3c5584b,0x26bc869,0x20af87a,0x0060f5d } },
+    /* 108 */
+    { { 0x1de59a4,0x1a5c443,0x2f8729d,0x01c3a2f,0x0f1ad8d,0x3cbaf9e,
+        0x1b49634,0x35d508a,0x39dc269,0x0075105 },
+      { 0x390d30e,0x37033e0,0x110cb32,0x14c37a0,0x20a3b27,0x2f00ce6,
+        0x2f1dc52,0x34988c6,0x0c29606,0x01dc7e7 } },
+    /* 109 */
+    { { 0x1040739,0x24f9de1,0x2939999,0x2e6009a,0x244539d,0x17e3f09,
+        0x00f6f2f,0x1c63b3d,0x2310362,0x019109e },
+      { 0x1428aa8,0x3cb61e1,0x09a84f4,0x0ffafed,0x07b7adc,0x08f406b,
+        0x1b2c6df,0x035b480,0x3496ae9,0x012766d } },
+    /* 110 */
+    { { 0x35d1099,0x2362f10,0x1a08cc7,0x13a3a34,0x12adbcd,0x32da290,
+        0x02e2a02,0x151140b,0x01b3f60,0x0240df6 },
+      { 0x34c7b61,0x2eb09c1,0x172e7cd,0x2ad5eff,0x2fe2031,0x25b54d4,
+        0x0cec965,0x18e7187,0x26a7cc0,0x00230f7 } },
+    /* 111 */
+    { { 0x2d552ab,0x374083d,0x01f120f,0x2601736,0x156baff,0x04d44a4,
+        0x3b7c3e9,0x1acbc1b,0x0424579,0x031a425 },
+      { 0x1231bd1,0x0eba710,0x020517b,0x21d7316,0x21eac6e,0x275a848,
+        0x0837abf,0x0eb0082,0x302cafe,0x00fe8f6 } },
+    /* 112 */
+    { { 0x1058880,0x28f9941,0x03f2d75,0x3bd90e5,0x17da365,0x2ac9249,
+        0x07861cf,0x023fd05,0x1b0fdb8,0x031712f },
+      { 0x272b56b,0x04f8d2c,0x043a735,0x25446e4,0x1c8327e,0x221125a,
+        0x0ce37df,0x2dad7f6,0x39446c2,0x00b55b6 } },
+    /* 113 */
+    { { 0x346ac6b,0x05e0bff,0x2425246,0x0981e8b,0x1d19f79,0x2692378,
+        0x3ea3c40,0x2e90beb,0x19de503,0x003d5af },
+      { 0x05cda49,0x353b44d,0x299d137,0x3f205bc,0x2821158,0x3ad0d00,
+        0x06a54aa,0x2d7c79f,0x39d1173,0x01000ee } },
+    /* 114 */
+    { { 0x0803387,0x3a06268,0x14043b8,0x3d4e72f,0x1ece115,0x0a1dfc8,
+        0x17208dd,0x0be790a,0x122a07f,0x014dd95 },
+      { 0x0a4182d,0x202886a,0x1f79a49,0x1e8c867,0x0a2bbd0,0x28668b5,
+        0x0d0a2e1,0x115259d,0x3586c5d,0x01e815b } },
+    /* 115 */
+    { { 0x18a2a47,0x2c95627,0x2773646,0x1230f7c,0x15b5829,0x2fc354e,
+        0x2c000ea,0x099d547,0x2f17a1a,0x01df520 },
+      { 0x3853948,0x06f6561,0x3feeb8a,0x2f5b3ef,0x3a6f817,0x01a0791,
+        0x2ec0578,0x2c392ad,0x12b2b38,0x0104540 } },
+    /* 116 */
+    { { 0x1e28ced,0x0fc3d1b,0x2c473c7,0x1826c4f,0x21d5da7,0x39718e4,
+        0x38ce9e6,0x0251986,0x172fbea,0x0337c11 },
+      { 0x053c3b0,0x0f162db,0x043c1cb,0x04111ee,0x297fe3c,0x32e5e03,
+        0x2b8ae12,0x0c427ec,0x1da9738,0x03b9c0f } },
+    /* 117 */
+    { { 0x357e43a,0x054503f,0x11b8345,0x34ec6e0,0x2d44660,0x3d0ae61,
+        0x3b5dff8,0x33884ac,0x09da162,0x00a82b6 },
+      { 0x3c277ba,0x129a51a,0x027664e,0x1530507,0x0c788c9,0x2afd89d,
+        0x1aa64cc,0x1196450,0x367ac2b,0x0358b42 } },
+    /* 118 */
+    { { 0x0054ac4,0x1761ecb,0x378839c,0x167c9f7,0x2570058,0x0604a35,
+        0x37cbf3b,0x0909bb7,0x3f2991c,0x02ce688 },
+      { 0x0b16ae5,0x212857c,0x351b952,0x2c684db,0x30c6a05,0x09c01e0,
+        0x23c137f,0x1331475,0x092c067,0x0013b40 } },
+    /* 119 */
+    { { 0x2e90393,0x0617466,0x24e61f4,0x0a528f5,0x03047b4,0x2153f05,
+        0x0001a69,0x30e1eb8,0x3c10177,0x0282a47 },
+      { 0x22c831e,0x28fc06b,0x3e16ff0,0x208adc9,0x0bb76ae,0x28c1d6d,
+        0x12c8a15,0x031063c,0x1889ed2,0x002133e } },
+    /* 120 */
+    { { 0x0a6becf,0x14277bf,0x3328d98,0x201f7fe,0x12fceae,0x1de3a2e,
+        0x0a15c44,0x3ddf976,0x1b273ab,0x0355e55 },
+      { 0x1b5d4f1,0x369e78c,0x3a1c210,0x12cf3e9,0x3aa52f0,0x309f082,
+        0x112089d,0x107c753,0x24202d1,0x023853a } },
+    /* 121 */
+    { { 0x2897042,0x140d17c,0x2c4aeed,0x07d0d00,0x18d0533,0x22f7ec8,
+        0x19c194c,0x3456323,0x2372aa4,0x0165f86 },
+      { 0x30bd68c,0x1fb06b3,0x0945032,0x372ac09,0x06d4be0,0x27f8fa1,
+        0x1c8d7ac,0x137a96e,0x236199b,0x0328fc0 } },
+    /* 122 */
+    { { 0x170bd20,0x2842d58,0x1de7592,0x3c5b4fd,0x20ea897,0x12cab78,
+        0x363ff14,0x01f928c,0x17e309c,0x02f79ff },
+      { 0x0f5432c,0x2edb4ae,0x044b516,0x32f810d,0x2210dc1,0x23e56d6,
+        0x301e6ff,0x34660f6,0x10e0a7d,0x02d88eb } },
+    /* 123 */
+    { { 0x0c7b65b,0x2f59d58,0x2289a75,0x2408e92,0x1ab8c55,0x1ec99e5,
+        0x220fd0d,0x04defe0,0x24658ec,0x035aa8b },
+      { 0x138bb85,0x2f002d4,0x295c10a,0x08760ce,0x28c31d1,0x1c0a8cb,
+        0x0ff00b1,0x144eac9,0x2e02dcc,0x0044598 } },
+    /* 124 */
+    { { 0x3b42b87,0x050057b,0x0dff781,0x1c06db1,0x1bd9f5d,0x1f5f04a,
+        0x2cccd7a,0x143e19b,0x1cb94b7,0x036cfb8 },
+      { 0x34837cf,0x3cf6c3c,0x0d4fb26,0x22ee55e,0x1e7eed1,0x315995f,
+        0x2cdf937,0x1a96574,0x0425220,0x0221a99 } },
+    /* 125 */
+    { { 0x1b569ea,0x0d33ed9,0x19c13c2,0x107dc84,0x2200111,0x0569867,
+        0x2dc85da,0x05ef22e,0x0eb018a,0x029c33d },
+      { 0x04a6a65,0x3e5eba3,0x378f224,0x09c04d0,0x036e5cf,0x3df8258,
+        0x3a609e4,0x1eddef8,0x2abd174,0x02a91dc } },
+    /* 126 */
+    { { 0x2a60cc0,0x1d84c5e,0x115f676,0x1840da0,0x2c79163,0x2f06ed6,
+        0x198bb4b,0x3e5d37b,0x1dc30fa,0x018469b },
+      { 0x15ee47a,0x1e32f30,0x16a530e,0x2093836,0x02e8962,0x3767b62,
+        0x335adf3,0x27220db,0x2f81642,0x0173ffe } },
+    /* 127 */
+    { { 0x37a99cd,0x1533fe6,0x05a1c0d,0x27610f1,0x17bf3b9,0x0b1ce78,
+        0x0a908f6,0x265300e,0x3237dc1,0x01b969a },
+      { 0x3a5db77,0x2d15382,0x0d63ef8,0x1feb3d8,0x0b7b880,0x19820de,
+        0x11c0c67,0x2af3396,0x38d242d,0x0120688 } },
+    /* 128 */
+    { { 0x1d0b34a,0x05ef00d,0x00a7e34,0x1ae0c9f,0x1440b38,0x300d8b4,
+        0x37262da,0x3e50e3e,0x14ce0cd,0x00b1044 },
+      { 0x195a0b1,0x173bc6b,0x03622ba,0x2a19f55,0x1c09b37,0x07921b2,
+        0x16cdd20,0x24a5c9b,0x2bf42ff,0x00811de } },
+    /* 129 */
+    { { 0x0d65dbf,0x145cf06,0x1ad82f7,0x038ce7b,0x077bf94,0x33c4007,
+        0x22d26bd,0x25ad9c0,0x09ac773,0x02b1990 },
+      { 0x2261cc3,0x2ecdbf1,0x3e908b0,0x3246439,0x0213f7b,0x1179b04,
+        0x01cebaa,0x0be1595,0x175cc12,0x033a39a } },
+    /* 130 */
+    { { 0x00a67d2,0x086d06f,0x248a0f1,0x0291134,0x362d476,0x166d1cd,
+        0x044f1d6,0x2d2a038,0x365250b,0x0023f78 },
+      { 0x08bf287,0x3b0f6a1,0x1d6eace,0x20b4cda,0x2c2a621,0x0912520,
+        0x02dfdc9,0x1b35cd6,0x3d2565d,0x00bdf8b } },
+    /* 131 */
+    { { 0x3770fa7,0x2e4b6f0,0x03f9ae4,0x170de41,0x1095e8d,0x1dd845c,
+        0x334e9d1,0x00ab953,0x12e9077,0x03196fa },
+      { 0x2fd0a40,0x228c0fd,0x384b275,0x38ef339,0x3e7d822,0x3e5d9ef,
+        0x24f5854,0x0ece9eb,0x247d119,0x012ffe3 } },
+    /* 132 */
+    { { 0x0ff1480,0x07487c0,0x1b16cd4,0x1f41d53,0x22ab8fb,0x2f83cfa,
+        0x01d2efb,0x259f6b2,0x2e65772,0x00f9392 },
+      { 0x05303e6,0x23cdb4f,0x23977e1,0x12e4898,0x03bd999,0x0c930f0,
+        0x170e261,0x180a27b,0x2fd58ec,0x014e22b } },
+    /* 133 */
+    { { 0x25d7713,0x0c5fad7,0x09daad1,0x3b9d779,0x109b985,0x1d3ec98,
+        0x35bc4fc,0x2f838cb,0x0d14f75,0x0173e42 },
+      { 0x2657b12,0x10d4423,0x19e6760,0x296e5bb,0x2bfd421,0x25c3330,
+        0x29f51f8,0x0338838,0x24060f0,0x029a62e } },
+    /* 134 */
+    { { 0x3748fec,0x2c5a1bb,0x2cf973d,0x289fa74,0x3e6e755,0x38997bf,
+        0x0b6544c,0x2b6358c,0x38a7aeb,0x02c50bb },
+      { 0x3d5770a,0x06be7c5,0x012fad3,0x19cb2cd,0x266af3b,0x3ccd677,
+        0x160d1bd,0x141d5af,0x2965851,0x034625a } },
+    /* 135 */
+    { { 0x3c41c08,0x255eacc,0x22e1ec5,0x2b151a3,0x087de94,0x311cbdb,
+        0x016b73a,0x368e462,0x20b7981,0x0099ec3 },
+      { 0x262b988,0x1539763,0x21e76e5,0x15445b4,0x1d8ddc7,0x34a9be6,
+        0x10faf03,0x24e4d18,0x07aa111,0x02d538a } },
+    /* 136 */
+    { { 0x38a876b,0x048ad45,0x04b40a0,0x3fc2144,0x251ff96,0x13ca7dd,
+        0x0b31ab1,0x3539814,0x28b5f87,0x0212aec },
+      { 0x270790a,0x350e7e0,0x346bd5e,0x276178f,0x22d6cb5,0x3078884,
+        0x355c1b6,0x15901d7,0x3671765,0x03950db } },
+    /* 137 */
+    { { 0x286e8d5,0x2409788,0x13be53f,0x2d21911,0x0353c95,0x10238e8,
+        0x32f5bde,0x3a67b60,0x28b5b9c,0x001013d },
+      { 0x381e8e5,0x0cef7a9,0x2f5bcad,0x06058f0,0x33cdf50,0x04672a8,
+        0x1769600,0x31c055d,0x3df0ac1,0x00e9098 } },
+    /* 138 */
+    { { 0x2eb596d,0x197b326,0x12b4c29,0x39c08f2,0x101ea03,0x3804e58,
+        0x04b4b62,0x28d9d1c,0x13f905e,0x0032a3f },
+      { 0x11b2b61,0x08e9095,0x0d06925,0x270e43f,0x21eb7a8,0x0e4a98f,
+        0x31d2be0,0x030cf9f,0x2644ddb,0x025b728 } },
+    /* 139 */
+    { { 0x07510af,0x2ed0e8e,0x2a01203,0x2a2a68d,0x0846fea,0x3e540de,
+        0x3a57702,0x1677348,0x2123aad,0x010d8f8 },
+      { 0x0246a47,0x0e871d0,0x124dca4,0x34b9577,0x2b362b8,0x363ebe5,
+        0x3086045,0x26313e6,0x15cd8bb,0x0210384 } },
+    /* 140 */
+    { { 0x023e8a7,0x0817884,0x3a0bf12,0x3376371,0x3c808a8,0x18e9777,
+        0x12a2721,0x35b538a,0x2bd30de,0x017835a },
+      { 0x0fc0f64,0x1c8709f,0x2d8807a,0x0743957,0x242eec0,0x347e76c,
+        0x27bef91,0x289689a,0x0f42945,0x01f7a92 } },
+    /* 141 */
+    { { 0x1060a81,0x3dbc739,0x1615abd,0x1cbe3e5,0x3e79f9c,0x1ab09a2,
+        0x136c540,0x05b473f,0x2beebfd,0x02af0a8 },
+      { 0x3e2eac7,0x19be474,0x04668ac,0x18f4b74,0x36f10ba,0x0a0b4c6,
+        0x10e3770,0x3bf059e,0x3946c7e,0x013a8d4 } },
+    /* 142 */
+    { { 0x266309d,0x28be354,0x1a3eed8,0x3020651,0x10a51c6,0x1e31770,
+        0x0af45a5,0x3ff0f3b,0x2891c94,0x00e9db9 },
+      { 0x17b0d0f,0x33a291f,0x0a5f9aa,0x25a3d61,0x2963ace,0x39a5fef,
+        0x230c724,0x1919146,0x10a465e,0x02084a8 } },
+    /* 143 */
+    { { 0x3ab8caa,0x31870f3,0x2390ef7,0x2103850,0x218eb8e,0x3a5ccf2,
+        0x1dff677,0x2c59334,0x371599c,0x02a9f2a },
+      { 0x0837bd1,0x3249cef,0x35d702f,0x3430dab,0x1c06407,0x108f692,
+        0x221292f,0x05f0c5d,0x073fe06,0x01038e0 } },
+    /* 144 */
+    { { 0x3bf9b7c,0x2020929,0x30d0f4f,0x080fef8,0x3365d23,0x1f3e738,
+        0x3e53209,0x1549afe,0x300b305,0x038d811 },
+      { 0x0c6c2c7,0x2e6445b,0x3ee64dc,0x022e932,0x0726837,0x0deb67b,
+        0x1ed4346,0x3857f73,0x277a3de,0x01950b5 } },
+    /* 145 */
+    { { 0x36c377a,0x0adb41e,0x08be3f3,0x11e40d1,0x36cb038,0x036a2bd,
+        0x3dd3a82,0x1bc875b,0x2ee09bb,0x02994d2 },
+      { 0x035facf,0x05e0344,0x07e630a,0x0ce772d,0x335e55a,0x111fce4,
+        0x250fe1c,0x3bc89ba,0x32fdc9a,0x03cf2d9 } },
+    /* 146 */
+    { { 0x355fd83,0x1c67f8e,0x1d10eb3,0x1b21d77,0x0e0d7a4,0x173a9e1,
+        0x2c9fa90,0x1c39cce,0x22eaae8,0x01f2bea },
+      { 0x153b338,0x0534107,0x26c69b8,0x283be1f,0x3e0acc0,0x059cac3,
+        0x13d1081,0x148bbee,0x3c1b9bd,0x002aac4 } },
+    /* 147 */
+    { { 0x2681297,0x3389e34,0x146addc,0x2c6d425,0x2cb350e,0x1986abc,
+        0x0431737,0x04ba4b7,0x2028470,0x012e469 },
+      { 0x2f8ddcf,0x3c4255c,0x1af4dcf,0x07a6a44,0x208ebf6,0x0dc90c3,
+        0x34360ac,0x072ad23,0x0537232,0x01254d3 } },
+    /* 148 */
+    { { 0x07b7e9d,0x3df5c7c,0x116f83d,0x28c4f35,0x3a478ef,0x3011fb8,
+        0x2f264b6,0x317b9e3,0x04fd65a,0x032bd1b },
+      { 0x2aa8266,0x3431de4,0x04bba04,0x19a44da,0x0edf454,0x392c5ac,
+        0x265168a,0x1dc3d5b,0x25704c6,0x00533a7 } },
+    /* 149 */
+    { { 0x25e8f91,0x1178fa5,0x2492994,0x2eb2c3c,0x0d3aca1,0x0322828,
+        0x1cc70f9,0x269c74c,0x0a53e4c,0x006edc2 },
+      { 0x18bdd7a,0x2a79a55,0x26b1d5c,0x0200628,0x0734a05,0x3273c7b,
+        0x13aa714,0x0040ac2,0x2f2da30,0x03e7449 } },
+    /* 150 */
+    { { 0x3f9563e,0x2f29eab,0x14a0749,0x3fad264,0x1dd077a,0x3d7c59c,
+        0x3a0311b,0x331a789,0x0b9729e,0x0201ebf },
+      { 0x1b08b77,0x2a4cdf2,0x3e387f8,0x21510f1,0x286c3a7,0x1dbf62e,
+        0x3afa594,0x3363217,0x0d16568,0x01d46b7 } },
+    /* 151 */
+    { { 0x0715c0d,0x28e2d04,0x17f78ae,0x1c63dda,0x1d113ea,0x0fefc1b,
+        0x1eab149,0x1d0fd99,0x0682537,0x00a7b11 },
+      { 0x10bebbc,0x11c672d,0x14223d9,0x2ff9141,0x1399ee5,0x34b7b6c,
+        0x0d5b3a8,0x01df643,0x0e392a4,0x03fe4dc } },
+    /* 152 */
+    { { 0x2b75b65,0x0b5a6f1,0x11c559a,0x3549999,0x24188f8,0x37a75f4,
+        0x29f33e3,0x34068a2,0x38ba2a9,0x025dd91 },
+      { 0x29af2c7,0x0988b64,0x0923885,0x1b539a4,0x1334f5d,0x226947a,
+        0x2cc7e5a,0x20beb39,0x13fac2f,0x01d298c } },
+    /* 153 */
+    { { 0x35f079c,0x137f76d,0x2fbbb2f,0x254638d,0x185b07c,0x1f34db7,
+        0x2cfcf0e,0x218f46d,0x2150ff4,0x02add6f },
+      { 0x33fc9b7,0x0d9f005,0x0fd081b,0x0834965,0x2b90a74,0x102448d,
+        0x3dbf03c,0x167d857,0x02e0b44,0x013afab } },
+    /* 154 */
+    { { 0x09f2c53,0x317f9d7,0x1411eb6,0x0463aba,0x0d25220,0x256b176,
+        0x087633f,0x2bff322,0x07b2c1b,0x037e662 },
+      { 0x10aaecb,0x23bb4a1,0x2272bb7,0x06c075a,0x09d4918,0x0736f2b,
+        0x0dd511b,0x101625e,0x0a7779f,0x009ec10 } },
+    /* 155 */
+    { { 0x33b2eb2,0x0176dfd,0x2118904,0x022386c,0x2e0df85,0x2588c9f,
+        0x1b71525,0x28fd540,0x137e4cf,0x02ce4f7 },
+      { 0x3d75165,0x0c39ecf,0x3554a12,0x30af34c,0x2d66344,0x3ded408,
+        0x36f1be0,0x0d065b0,0x012d046,0x0025623 } },
+    /* 156 */
+    { { 0x2601c3b,0x1824fc0,0x335fe08,0x3e33d70,0x0fb0252,0x252bfca,
+        0x1cf2808,0x1922e55,0x1a9db9f,0x020721e },
+      { 0x2f56c51,0x39a1f31,0x218c040,0x1a4fc5d,0x3fed471,0x0164d4e,
+        0x388a419,0x06f1113,0x0f55fc1,0x03e8352 } },
+    /* 157 */
+    { { 0x1608e4d,0x3872778,0x022cbc6,0x044d60a,0x3010dda,0x15fb0b5,
+        0x37ddc11,0x19f5bda,0x156b6a3,0x023a838 },
+      { 0x383b3b4,0x1380bc8,0x353ca35,0x250fc07,0x169966b,0x3780f29,
+        0x36632b2,0x2d6b13f,0x124fa00,0x00fd6ae } },
+    /* 158 */
+    { { 0x1739efb,0x2ec3656,0x2c0d337,0x3d39faf,0x1c751b0,0x04699f4,
+        0x252dd64,0x095b8b6,0x0872b74,0x022f1da },
+      { 0x2d3d253,0x38edca0,0x379fa5b,0x287d635,0x3a9f679,0x059d9ee,
+        0x0ac168e,0x3cd3e87,0x19060fc,0x02ce1bc } },
+    /* 159 */
+    { { 0x3edcfc2,0x0f04d4b,0x2f0d31f,0x1898be2,0x25396bf,0x15ca230,
+        0x02b4eae,0x2713668,0x0f71b06,0x0132d18 },
+      { 0x38095ea,0x1ed34d6,0x3603ae6,0x165bf01,0x192bbf8,0x1852859,
+        0x075f66b,0x1488f85,0x10895ef,0x014b035 } },
+    /* 160 */
+    { { 0x1339848,0x3084385,0x0c8d231,0x3a1c1de,0x0e87a28,0x255b85c,
+        0x1de6616,0x2702e74,0x1382bb0,0x012b0f2 },
+      { 0x198987d,0x381545a,0x34d619b,0x312b827,0x18b2376,0x28fe4cf,
+        0x20b7651,0x017d077,0x0c7e397,0x00e0365 } },
+    /* 161 */
+    { { 0x1542e75,0x0d56aa0,0x39b701a,0x287b806,0x396c724,0x0935c21,
+        0x3a29776,0x0debdac,0x171de26,0x00b38f8 },
+      { 0x1d5bc1a,0x3fad27d,0x22b5cfe,0x1f89ddf,0x0a65560,0x144dd5b,
+        0x2aac2f9,0x139353f,0x0520b62,0x00b9b36 } },
+    /* 162 */
+    { { 0x031c31d,0x16552e3,0x1a0c368,0x0016fc8,0x168533d,0x171e7b2,
+        0x17626e7,0x275502f,0x14742c6,0x03285dd },
+      { 0x2d2dbb2,0x3b6bffd,0x1d18cc6,0x2f45d2a,0x0fd0d8c,0x2915e3a,
+        0x1e8793a,0x0b39a1d,0x3139cab,0x02a5da9 } },
+    /* 163 */
+    { { 0x3fb353d,0x147c6e4,0x3a720a6,0x22d5ff3,0x1d75cab,0x06c54a0,
+        0x08cfa73,0x12666aa,0x3170a1f,0x021c829 },
+      { 0x13e1b90,0x3a34dda,0x1fc38c3,0x02c5bdb,0x2d345dc,0x14aa1d0,
+        0x28d00ab,0x224f23a,0x329c769,0x025c67b } },
+    /* 164 */
+    { { 0x0e35909,0x3bb6356,0x0116820,0x370cf77,0x29366d8,0x3881409,
+        0x3999d06,0x013075f,0x176e157,0x02941ca },
+      { 0x0e70b2e,0x28dfab1,0x2a8a002,0x15da242,0x084dcf6,0x116ca97,
+        0x31bf186,0x1dc9735,0x09df7b7,0x0264e27 } },
+    /* 165 */
+    { { 0x2da7a4b,0x3023c9e,0x1366238,0x00ff4e2,0x03abe9d,0x19bd44b,
+        0x272e897,0x20b91ad,0x2aa202c,0x02a2201 },
+      { 0x380184e,0x08112b4,0x0b85660,0x31049aa,0x3a8cb78,0x36113c5,
+        0x1670c0a,0x373f9e7,0x3fb4738,0x00010ef } },
+    /* 166 */
+    { { 0x2d5192e,0x26d770d,0x32af8d5,0x34d1642,0x1acf885,0x05805e0,
+        0x166d0a1,0x1219a0d,0x301ba6c,0x014bcfb },
+      { 0x2dcb64d,0x19cca83,0x379f398,0x08e01a0,0x10a482c,0x0103cc2,
+        0x0be5fa7,0x1f9d45b,0x1899ef2,0x00ca5af } },
+    /* 167 */
+    { { 0x14d81d7,0x2aea251,0x1b3c476,0x3bd47ae,0x29eade7,0x0715e61,
+        0x1a21cd8,0x1c7a586,0x2bfaee5,0x00ee43f },
+      { 0x096f7cb,0x0c08f95,0x1bc4939,0x361fed4,0x255be41,0x26fad73,
+        0x31dd489,0x02c600f,0x29d9f81,0x01ba201 } },
+    /* 168 */
+    { { 0x03ea1db,0x1eac46d,0x1292ce3,0x2a54967,0x20a7ff1,0x3e13c61,
+        0x1b02218,0x2b44e14,0x3eadefa,0x029c88a },
+      { 0x30a9144,0x31e3b0a,0x19c5a2a,0x147cbe9,0x05a0240,0x051f38e,
+        0x11eca56,0x31a4247,0x123bc2a,0x02fa535 } },
+    /* 169 */
+    { { 0x3226ce7,0x1251782,0x0b7072f,0x11e59fa,0x2b8afd7,0x169b18f,
+        0x2a46f18,0x31d9bb7,0x2fe9be8,0x01de0b7 },
+      { 0x1b38626,0x34aa90f,0x3ad1760,0x21ddbd9,0x3460ae7,0x1126736,
+        0x1b86fc5,0x0b92cd0,0x167a289,0x000e0e1 } },
+    /* 170 */
+    { { 0x1ec1a0f,0x36bbf5e,0x1c972d8,0x3f73ace,0x13bbcd6,0x23d86a5,
+        0x175ffc5,0x2d083d5,0x2c4adf7,0x036f661 },
+      { 0x1f39eb7,0x2a20505,0x176c81a,0x3d6e636,0x16ee2fc,0x3cbdc5f,
+        0x25475dc,0x2ef4151,0x3c46860,0x0238934 } },
+    /* 171 */
+    { { 0x2587390,0x3639526,0x0588749,0x13c32fb,0x212bb19,0x09660f1,
+        0x207da4b,0x2bf211b,0x1c4407b,0x01506a6 },
+      { 0x24c8842,0x105a498,0x05ffdb2,0x0ab61b0,0x26044c1,0x3dff3d8,
+        0x1d14b44,0x0d74716,0x049f57d,0x030024b } },
+    /* 172 */
+    { { 0x32e61ef,0x31d70f7,0x35cad3c,0x320b86c,0x07e8841,0x027ca7d,
+        0x2d30d19,0x2513718,0x2347286,0x01d7901 },
+      { 0x3c237d0,0x107f16e,0x01c9e7d,0x3c3b13c,0x0c9537b,0x20af54d,
+        0x051a162,0x2161a47,0x258c784,0x016df2d } },
+    /* 173 */
+    { { 0x228ead1,0x29c2122,0x07f6964,0x023f4ed,0x1802dc5,0x19f96ce,
+        0x24bfd17,0x25e866b,0x2ba8df0,0x01eb84f },
+      { 0x2dd384e,0x05bbe3a,0x3f06fd2,0x366dacb,0x30361a2,0x2f36d7c,
+        0x0b98784,0x38ff481,0x074e2a8,0x01e1f60 } },
+    /* 174 */
+    { { 0x17fbb1c,0x0975add,0x1debc5e,0x2cb2880,0x3e47bdd,0x3488cff,
+        0x15e9a36,0x2121129,0x0199ef2,0x017088a },
+      { 0x0315250,0x352a162,0x17c1773,0x0ae09c2,0x321b21a,0x3bd74cf,
+        0x3c4ea1d,0x3cac2ad,0x3abbaf0,0x039174d } },
+    /* 175 */
+    { { 0x0511c8a,0x3c78d0a,0x2cd3d2d,0x322f729,0x3ebb229,0x09f0e69,
+        0x0a71a76,0x2e74d5e,0x12284df,0x03b5ef0 },
+      { 0x3dea561,0x0a9b7e4,0x0ed1cf2,0x237523c,0x05443f1,0x2eb48fa,
+        0x3861405,0x1b49f62,0x0c945ca,0x02ab25f } },
+    /* 176 */
+    { { 0x16bd00a,0x13a9d28,0x3cc1eb5,0x2b7d702,0x2d839e9,0x3e6ff01,
+        0x2bb7f11,0x3713824,0x3b31163,0x00c63e5 },
+      { 0x30d7138,0x0316fb0,0x0220ecc,0x08eaf0c,0x244e8df,0x0088d81,
+        0x37972fb,0x3fd34ae,0x2a19a84,0x03e907e } },
+    /* 177 */
+    { { 0x2642269,0x0b65d29,0x03bd440,0x33a6ede,0x3c81814,0x2507982,
+        0x0d38e47,0x3a788e6,0x32c1d26,0x00e2eda },
+      { 0x2577f87,0x392895a,0x3e1cc64,0x14f7047,0x08b52d2,0x08a01ca,
+        0x336abf6,0x00697fc,0x105ce76,0x0253742 } },
+    /* 178 */
+    { { 0x293f92a,0x33df737,0x3315156,0x32e26d7,0x0a01333,0x26579d4,
+        0x004df9c,0x0aba409,0x067d25c,0x02481de },
+      { 0x3f39d44,0x1c78042,0x13d7e24,0x0825aed,0x35f2c90,0x3270f63,
+        0x04b7b35,0x3ad4531,0x28bd29b,0x0207a10 } },
+    /* 179 */
+    { { 0x077199f,0x270aeb1,0x0dd96dd,0x3b9ad7b,0x28cb8ee,0x3903f43,
+        0x37db3fe,0x292c62b,0x362dbbf,0x006e52a },
+      { 0x247f143,0x0362cf3,0x216344f,0x3f18fd1,0x351e623,0x31664e0,
+        0x0f270fc,0x243bbc6,0x2280555,0x001a8e3 } },
+    /* 180 */
+    { { 0x3355b49,0x2c04e6c,0x399b2e5,0x182d3af,0x020e265,0x09a7cf7,
+        0x0ffa6bd,0x353e302,0x02083d9,0x029ecdb },
+      { 0x33e8830,0x0570e86,0x1c0b64d,0x386a27e,0x0d5fcea,0x0b45a4c,
+        0x2ee4a2e,0x0a8833f,0x2b4a282,0x02f9531 } },
+    /* 181 */
+    { { 0x191167c,0x36cf7e3,0x225ed6c,0x1e79e99,0x0517c3f,0x11ab1fd,
+        0x05648f3,0x08aedc4,0x1abeae0,0x02fcc29 },
+      { 0x3828a68,0x1e16fa4,0x30368e7,0x0c9fcfb,0x25161c3,0x24851ac,
+        0x1b5feb5,0x344eb84,0x0de2732,0x0347208 } },
+    /* 182 */
+    { { 0x038b363,0x384d1e4,0x2519043,0x151ac17,0x158c11f,0x009b2b4,
+        0x257abe6,0x2368d3f,0x3ed68a1,0x02df45e },
+      { 0x29c2559,0x2962478,0x3d8444c,0x1d96fff,0x04f7a03,0x1391a52,
+        0x0de4af7,0x3319126,0x15e6412,0x00e65ff } },
+    /* 183 */
+    { { 0x3d61507,0x1d1a0a2,0x0d2af20,0x354d299,0x329e132,0x2a28578,
+        0x2ddfb08,0x04fa3ff,0x1293c6c,0x003bae2 },
+      { 0x3e259f8,0x1a68fa9,0x3e67e9b,0x39b44f9,0x1ce1db7,0x347e9a1,
+        0x3318f6a,0x2dbbc9d,0x2f8c922,0x008a245 } },
+    /* 184 */
+    { { 0x212ab5b,0x2b896c2,0x0136959,0x07e55ef,0x0cc1117,0x05b8ac3,
+        0x18429ed,0x025fa01,0x11d6e93,0x03b016b },
+      { 0x03f3708,0x2e96fab,0x1d77157,0x0d4c2d6,0x131baf9,0x0608d39,
+        0x3552371,0x06cdd1e,0x1567ff1,0x01f4c50 } },
+    /* 185 */
+    { { 0x2dfefab,0x270173d,0x37077bd,0x1a372cd,0x1be2f22,0x28e2ee5,
+        0x3ead973,0x35e8f94,0x2fc9bc1,0x03a7399 },
+      { 0x36a02a1,0x2855d9b,0x00ed75a,0x37d8398,0x138c087,0x233706e,
+        0x147f346,0x01947e2,0x3017228,0x0365942 } },
+    /* 186 */
+    { { 0x2057e60,0x2d31296,0x25e4504,0x2fa37bc,0x1cbccc3,0x1f0732f,
+        0x3532081,0x2de8a98,0x19a804e,0x005359a },
+      { 0x31f411a,0x2a10576,0x369c2c8,0x02fe035,0x109fbaf,0x30bddeb,
+        0x1eef901,0x1662ad3,0x0410d43,0x01bd31a } },
+    /* 187 */
+    { { 0x2c24a96,0x1b7d3a5,0x19a3872,0x217f2f6,0x2534dbc,0x2cab8c2,
+        0x066ef28,0x26aecf1,0x0fd6118,0x01310d4 },
+      { 0x055b8da,0x1fdc5be,0x38a1296,0x25118f0,0x341a423,0x2ba4cd0,
+        0x3e1413e,0x062d70d,0x2425a31,0x029c9b4 } },
+    /* 188 */
+    { { 0x08c1086,0x1acfba5,0x22e1dae,0x0f72f4e,0x3f1de50,0x0f408bc,
+        0x35ed3f0,0x3ce48fc,0x282cc6c,0x004d8e7 },
+      { 0x1afaa86,0x24e3ef3,0x22589ac,0x3ec9952,0x1f45bc5,0x14144ca,
+        0x23b26e4,0x0d68c65,0x1e1c1a3,0x032a4d9 } },
+    /* 189 */
+    { { 0x03b2d20,0x16b1d53,0x241b361,0x05e4138,0x1742a54,0x32741c7,
+        0x0521c4c,0x1ca96c2,0x034970b,0x02738a7 },
+      { 0x13e0ad6,0x207dcdb,0x034c8cc,0x27bcbe1,0x18060da,0x33a18b6,
+        0x2d1d1a6,0x2be60d7,0x3d7ab42,0x012312a } },
+    /* 190 */
+    { { 0x0c7485a,0x06c3310,0x0dbfd22,0x2ef949d,0x0ead455,0x098f4ba,
+        0x3c76989,0x0cf2d24,0x032f67b,0x01e005f },
+      { 0x30cb5ee,0x0d5da64,0x0ed2b9d,0x2503102,0x1c0d14e,0x1cbc693,
+        0x37bf552,0x07013e2,0x054de5c,0x014f341 } },
+    /* 191 */
+    { { 0x128ccac,0x1617e97,0x346ebcd,0x158016d,0x25f823e,0x34048ea,
+        0x39f0a1c,0x3ea3df1,0x1c1d3d7,0x03ba919 },
+      { 0x151803b,0x01967c1,0x2f70781,0x27df39a,0x06c0b59,0x24a239c,
+        0x15a7702,0x2464d06,0x2a47ae6,0x006db90 } },
+    /* 192 */
+    { { 0x27d04c3,0x024df3d,0x38112e8,0x38a27ba,0x01e312b,0x0965358,
+        0x35d8879,0x2f4f55a,0x214187f,0x0008936 },
+      { 0x05fe36f,0x2ee18c3,0x1f5f87a,0x1813bd4,0x0580f3c,0x0ed0a7b,
+        0x0fb1bfb,0x3fcce59,0x2f042bf,0x01820e3 } },
+    /* 193 */
+    { { 0x20bbe99,0x32cbc9f,0x39ee432,0x3cc12a8,0x37bda44,0x3ea4e40,
+        0x097c7a9,0x0590d7d,0x2022d33,0x018dbac },
+      { 0x3ae00aa,0x3439864,0x2d2ffcf,0x3f8c6b9,0x0875a00,0x3e4e407,
+        0x3658a29,0x22eb3d0,0x2b63921,0x022113b } },
+    /* 194 */
+    { { 0x33bae58,0x05c749a,0x1f3e114,0x1c45f8e,0x27db3df,0x06a3ab6,
+        0x37bc7f8,0x1e27b34,0x3dc51fb,0x009eea0 },
+      { 0x3f54de5,0x3d0e7fe,0x1a71a7d,0x02ed7f8,0x0727703,0x2ca5e92,
+        0x2e8e35d,0x292ad0b,0x13487f3,0x02b6d8b } },
+    /* 195 */
+    { { 0x175df2a,0x05a28a8,0x32e99b1,0x13d8630,0x2082aa0,0x11ac245,
+        0x24f2e71,0x322cb27,0x17675e7,0x02e643f },
+      { 0x1f37313,0x2765ad3,0x0789082,0x1e742d0,0x11c2055,0x2021dc4,
+        0x09ae4a7,0x346359b,0x2f94d10,0x0205c1f } },
+    /* 196 */
+    { { 0x3d6ff96,0x1f2ac80,0x336097d,0x3f03610,0x35b851b,0x010b6d2,
+        0x0823c4d,0x2a9709a,0x2ead5a8,0x00de4b6 },
+      { 0x01afa0b,0x0621965,0x3671528,0x1050b60,0x3f3e9e7,0x2f93829,
+        0x0825275,0x006e85f,0x35e94b0,0x016af58 } },
+    /* 197 */
+    { { 0x2c4927c,0x3ea1382,0x0f23727,0x0d69f23,0x3e38860,0x2b72837,
+        0x3cd5ea4,0x2d84292,0x321846a,0x016656f },
+      { 0x29dfa33,0x3e182e0,0x018be90,0x2ba563f,0x2caafe2,0x218c0d9,
+        0x3baf447,0x1047a6c,0x0a2d483,0x01130cb } },
+    /* 198 */
+    { { 0x00ed80c,0x2a5fc79,0x0a82a74,0x2c4c74b,0x15f938c,0x30b5ab6,
+        0x32124b7,0x295314f,0x2fb8082,0x007c858 },
+      { 0x20b173e,0x19f315c,0x12f97e4,0x198217c,0x040e8a6,0x3275977,
+        0x2bc20e4,0x01f2633,0x02bc3e9,0x023c750 } },
+    /* 199 */
+    { { 0x3c4058a,0x24be73e,0x16704f5,0x2d8a4bd,0x3b15e14,0x3076315,
+        0x1cfe37b,0x36fe715,0x343926e,0x02c6603 },
+      { 0x2c76b09,0x0cf824c,0x3f7898c,0x274cec1,0x11df527,0x18eed18,
+        0x08ead48,0x23915bc,0x19b3744,0x00a0a2b } },
+    /* 200 */
+    { { 0x0cf4ac5,0x1c8b131,0x0afb696,0x0ff7799,0x2f5ac1a,0x022420c,
+        0x11baa2e,0x2ce4015,0x1275a14,0x0125cfc },
+      { 0x22eac5d,0x360cd4c,0x3568e59,0x3d42f66,0x35e07ee,0x09620e4,
+        0x36720fa,0x22b1eac,0x2d0db16,0x01b6b23 } },
+    /* 201 */
+    { { 0x1a835ef,0x1516bbb,0x2d51f7b,0x3487443,0x14aa113,0x0dd06c2,
+        0x1a65e01,0x379300d,0x35920b9,0x012c8fb },
+      { 0x04c7341,0x2eda00f,0x3c37e82,0x1b4fd62,0x0d45770,0x1478fba,
+        0x127863a,0x26939cd,0x134ddf4,0x01375c5 } },
+    /* 202 */
+    { { 0x1476cd9,0x1119ca5,0x325bbf9,0x0bf8c69,0x0648d07,0x312d9f8,
+        0x01c8b8f,0x136ec51,0x0002f4a,0x03f4c5c },
+      { 0x195d0e1,0x10ffd22,0x29aa1cb,0x3443bdc,0x276e695,0x05e6260,
+        0x15f9764,0x3cd9783,0x18c9569,0x0053eb1 } },
+    /* 203 */
+    { { 0x312ae18,0x280197c,0x3fc9ad9,0x303f324,0x251958d,0x29f4a11,
+        0x2142408,0x3694366,0x25136ab,0x03b5f1d },
+      { 0x1d4abbc,0x1c3c689,0x13ea462,0x3cfc684,0x39b5dd8,0x2d4654b,
+        0x09b0755,0x27d4f18,0x3f74d2e,0x03fbf2d } },
+    /* 204 */
+    { { 0x2119185,0x2525eae,0x1ba4bd0,0x0c2ab11,0x1d54e8c,0x294845e,
+        0x2479dea,0x3602d24,0x17e87e0,0x0060069 },
+      { 0x0afffb0,0x34fe37f,0x1240073,0x02eb895,0x06cf33c,0x2d7f7ef,
+        0x1d763b5,0x04191e0,0x11e1ead,0x027e3f0 } },
+    /* 205 */
+    { { 0x269544c,0x0e85c57,0x3813158,0x19fc12d,0x20eaf85,0x1e2930c,
+        0x22a8fd2,0x1a6a478,0x09d3d3a,0x02a74e0 },
+      { 0x1a2da3b,0x30b0b16,0x0847936,0x3d86257,0x138ccbc,0x0f5421a,
+        0x25244e6,0x23bdd79,0x1aee117,0x00c01ae } },
+    /* 206 */
+    { { 0x1eead28,0x07cac32,0x1fbc0bb,0x17627d3,0x17eef63,0x0b3a24e,
+        0x0757fdb,0x3dd841d,0x3d745f8,0x002ae17 },
+      { 0x25b4549,0x29f24cf,0x2f21ecd,0x1725e48,0x04be2bb,0x10ee010,
+        0x1a1274b,0x10b0898,0x27511e9,0x02c48b5 } },
+    /* 207 */
+    { { 0x2a5ae7a,0x181ef99,0x0be33be,0x3e9dab7,0x101e703,0x3adb971,
+        0x1043014,0x2ebb2be,0x1c1097d,0x027d667 },
+      { 0x3f250ed,0x16dc603,0x20dc6d7,0x1d0d268,0x38eb915,0x02c89e8,
+        0x1605a41,0x12de109,0x0e08a29,0x01f554a } },
+    /* 208 */
+    { { 0x0c26def,0x163d988,0x2d1ef0f,0x3a960ac,0x1025585,0x0738e20,
+        0x27d79b0,0x05cc3ef,0x201303f,0x00a333a },
+      { 0x1644ba5,0x2af345e,0x30b8d1d,0x3a01bff,0x31fc643,0x1acf85e,
+        0x0a76fc6,0x04efe98,0x348a1d0,0x03062eb } },
+    /* 209 */
+    { { 0x1c4216d,0x18e3217,0x02ac34e,0x19c8185,0x200c010,0x17d4192,
+        0x13a1719,0x165af51,0x09db7a9,0x0277be0 },
+      { 0x3ab8d2c,0x2190b99,0x22b641e,0x0cd88de,0x3b42404,0x1310862,
+        0x106a6d6,0x23395f5,0x0b06880,0x000d5fe } },
+    /* 210 */
+    { { 0x0d2cc88,0x36f9913,0x339d8e9,0x237c2e3,0x0cc61c2,0x34c2832,
+        0x309874c,0x2621d28,0x2dd1b48,0x0392806 },
+      { 0x17cd8f9,0x07bab3d,0x0c482ed,0x0faf565,0x31b767d,0x2f4bde1,
+        0x295c717,0x330c29c,0x179ce10,0x0119b5f } },
+    /* 211 */
+    { { 0x1ada2c7,0x0c624a7,0x227d47d,0x30e3e6a,0x14fa0a6,0x0829678,
+        0x24fd288,0x2b46a43,0x122451e,0x0319ca9 },
+      { 0x186b655,0x01f3217,0x0af1306,0x0efe6b5,0x2f0235d,0x1c45ca9,
+        0x2086805,0x1d44e66,0x0faf2a6,0x0178f59 } },
+    /* 212 */
+    { { 0x33b4416,0x10431e6,0x2d99aa6,0x217aac9,0x0cd8fcf,0x2d95a9d,
+        0x3ff74ad,0x10bf17a,0x295eb8e,0x01b229e },
+      { 0x02a63bd,0x182e9ec,0x004710c,0x00e2e3c,0x06b2f23,0x04b642c,
+        0x2c37383,0x32a4631,0x022ad82,0x00d22b9 } },
+    /* 213 */
+    { { 0x0cda2fb,0x1d198d7,0x26d27f4,0x286381c,0x022acca,0x24ac7c8,
+        0x2df7824,0x0b4ba16,0x1e0d9ef,0x03041d3 },
+      { 0x29a65b3,0x0f3912b,0x151bfcf,0x2b0175c,0x0fd71e4,0x39aa5e2,
+        0x311f50c,0x13ff351,0x3dbc9e5,0x03eeb7e } },
+    /* 214 */
+    { { 0x0a99363,0x0fc7348,0x2775171,0x23db3c8,0x2b91565,0x134d66c,
+        0x0175cd2,0x1bf365a,0x2b48371,0x02dfe5d },
+      { 0x16dbf74,0x2389357,0x2f36575,0x3f5c70e,0x38d23ba,0x090f7f8,
+        0x3477600,0x3201523,0x32ecafc,0x03d3506 } },
+    /* 215 */
+    { { 0x1abd48d,0x073ca3f,0x38a451f,0x0d8cb01,0x1ce81be,0x05c51ba,
+        0x0e29741,0x03c41ab,0x0eae016,0x0060209 },
+      { 0x2e58358,0x1da62d9,0x2358038,0x14b39b2,0x1635687,0x39079b1,
+        0x380e345,0x1b49608,0x23983cf,0x019f97d } },
+    /* 216 */
+    { { 0x34899ef,0x332e373,0x04c0f89,0x3c27aed,0x1949015,0x09663b2,
+        0x2f9276b,0x07f1951,0x09a04c1,0x027fbde },
+      { 0x3d2a071,0x19fb3d4,0x1b096d3,0x1fe9146,0x3b10e1a,0x0478bbb,
+        0x2b3fb06,0x1388329,0x181a99c,0x02f2030 } },
+    /* 217 */
+    { { 0x1eb82e6,0x14dbe39,0x3920972,0x31fd5b2,0x21a484f,0x02d7697,
+        0x0e21715,0x37c431e,0x2629f8c,0x01249c3 },
+      { 0x26b50ad,0x26deefa,0x0ffc1a3,0x30688e2,0x39a0284,0x041c65e,
+        0x03eb178,0x0bdfd50,0x2f96137,0x034bb94 } },
+    /* 218 */
+    { { 0x0e0362a,0x334a162,0x194dd37,0x29e3e97,0x2442fa8,0x10d2949,
+        0x3836e5a,0x2dccebf,0x0bee5ab,0x037ed1e },
+      { 0x33eede6,0x3c739d9,0x2f04a91,0x350ad6c,0x3a5390a,0x14c368b,
+        0x26f7bf5,0x11ce979,0x0b408df,0x0366850 } },
+    /* 219 */
+    { { 0x28ea498,0x0886d5b,0x2e090e0,0x0a4d58f,0x2623478,0x0d74ab7,
+        0x2b83913,0x12c6b81,0x18d623f,0x01d8301 },
+      { 0x198aa79,0x26d6330,0x3a7f0b8,0x34bc1ea,0x2f74890,0x378955a,
+        0x204110f,0x0102538,0x02d8f19,0x01c5066 } },
+    /* 220 */
+    { { 0x14b0f45,0x2838cd3,0x14e16f0,0x0e0e4aa,0x2d9280b,0x0f18757,
+        0x3324c6b,0x1391ceb,0x1ce89d5,0x00ebe74 },
+      { 0x0930371,0x3de6048,0x3097fd8,0x1308705,0x3eda266,0x3108c26,
+        0x1545dcd,0x1f7583a,0x1c37395,0x02c7e05 } },
+    /* 221 */
+    { { 0x1fec44a,0x2a9e3a2,0x0caf84f,0x11cf2a9,0x0c8c2ae,0x06da989,
+        0x1c807dc,0x3c149a4,0x1141543,0x02906bb },
+      { 0x15ffe04,0x0d4e65f,0x2e20424,0x37d896d,0x18bacb2,0x1e05ddd,
+        0x1660be8,0x183be17,0x1dd86fb,0x035ba70 } },
+    /* 222 */
+    { { 0x2853264,0x0ba5fb1,0x0a0b3aa,0x2df88c1,0x2771533,0x23aba6f,
+        0x112bb7b,0x3e3086e,0x210ae9b,0x027271b },
+      { 0x030b74c,0x0269678,0x1e90a23,0x135a98c,0x24ed749,0x126de7c,
+        0x344b23a,0x186da27,0x19640fa,0x0159af5 } },
+    /* 223 */
+    { { 0x18061f3,0x3004630,0x3c70066,0x34df20f,0x1190b25,0x1c9cc91,
+        0x1fc8e02,0x0d17bc1,0x390f525,0x033cb1c },
+      { 0x0eb30cf,0x2f3ad04,0x303aa09,0x2e835dd,0x1cfd2eb,0x143fc95,
+        0x02c43a1,0x025e7a1,0x3558aa2,0x000bd45 } },
+    /* 224 */
+    { { 0x1db7d07,0x3bde52b,0x1500396,0x1089115,0x20b4fc7,0x1e2a8f3,
+        0x3f8eacc,0x365f7eb,0x1a5e8d4,0x0053a6b },
+      { 0x37079e2,0x120284b,0x000edaa,0x33792c2,0x145baa3,0x20e055f,
+        0x365e2d7,0x26ba005,0x3ab8e9d,0x0282b53 } },
+    /* 225 */
+    { { 0x2653618,0x2dd8852,0x2a5f0bf,0x0f0c7aa,0x2187281,0x1252757,
+        0x13e7374,0x3b47855,0x0b86e56,0x02f354c },
+      { 0x2e9c47b,0x2fa14cc,0x19ab169,0x3fad401,0x0dc2776,0x24afeed,
+        0x3a97611,0x0d07736,0x3cf6979,0x02424a0 } },
+    /* 226 */
+    { { 0x2e81a13,0x000c91d,0x123967b,0x265885c,0x29bee1a,0x0cb8675,
+        0x2d361bd,0x1526823,0x3c9ace1,0x00d7bad },
+      { 0x24e5bdc,0x02b969f,0x2c6e128,0x34edb3b,0x12dcd2c,0x3899af0,
+        0x24224c6,0x3a1914b,0x0f4448a,0x026a2cb } },
+    /* 227 */
+    { { 0x1d03b59,0x1c6fc82,0x32abf64,0x28ed96b,0x1c90e62,0x2f57bb2,
+        0x3ff168e,0x04de7fd,0x0f4d449,0x01af6d8 },
+      { 0x255bc30,0x2bfaf22,0x3fe0dad,0x0584025,0x1c79ead,0x3078ef7,
+        0x2197414,0x022a50b,0x0fd94ba,0x0007b0f } },
+    /* 228 */
+    { { 0x09485c2,0x09dfaf7,0x10c7ba6,0x1e48bec,0x248cc9a,0x028a362,
+        0x21d60f7,0x193d93d,0x1c04754,0x0346b2c },
+      { 0x2f36612,0x240ac49,0x0d8bd26,0x13b8186,0x259c3a4,0x020d5fb,
+        0x38a8133,0x09b0937,0x39d4056,0x01f7341 } },
+    /* 229 */
+    { { 0x05a4b48,0x1f534fc,0x07725ce,0x148dc8c,0x2adcd29,0x04aa456,
+        0x0f79718,0x066e346,0x189377d,0x002fd4d },
+      { 0x068ea73,0x336569b,0x184d35e,0x32a08e9,0x3c7f3bb,0x11ce9c8,
+        0x3674c6f,0x21bf27e,0x0d9e166,0x034a2f9 } },
+    /* 230 */
+    { { 0x0fa8e4b,0x2e6418e,0x18fc5d2,0x1ba24ff,0x0559f18,0x0dbedbf,
+        0x2de2aa4,0x22338e9,0x3aa510f,0x035d801 },
+      { 0x23a4988,0x02aad94,0x02732d1,0x111d374,0x0b455cf,0x0d01c9e,
+        0x067082a,0x2ec05fd,0x368b303,0x03cad4b } },
+    /* 231 */
+    { { 0x035b4ca,0x1fabea6,0x1cbc0d5,0x3f2ed9a,0x02d2232,0x1990c66,
+        0x2eb680c,0x3b4ea3b,0x18ecc5a,0x03636fa },
+      { 0x1a02709,0x26f8ff1,0x1fa8cba,0x397d6e8,0x230be68,0x043aa14,
+        0x3d43cdf,0x25c17fa,0x3a3ee55,0x0380564 } },
+    /* 232 */
+    { { 0x275a0a6,0x16bd43a,0x0033d3e,0x2b15e16,0x2512226,0x005d901,
+        0x26d50fd,0x3bc19bf,0x3b1aeb8,0x02bfb01 },
+      { 0x0bb0a31,0x26559e0,0x1aae7fb,0x330dcc2,0x16f1af3,0x06afce2,
+        0x13a15a0,0x2ff7645,0x3546e2d,0x029c6e4 } },
+    /* 233 */
+    { { 0x0f593d2,0x384b806,0x122bbf8,0x0a281e0,0x1d1a904,0x2e93cab,
+        0x0505db0,0x08f6454,0x05c6285,0x014e880 },
+      { 0x3f2b935,0x22d8e79,0x161a07c,0x16b060a,0x02bff97,0x146328b,
+        0x3ceea77,0x238f61a,0x19b3d58,0x02fd1f4 } },
+    /* 234 */
+    { { 0x17665d5,0x259e9f7,0x0de5672,0x15cbcbd,0x34e3030,0x035240f,
+        0x0005ae8,0x286d851,0x07f39c9,0x000070b },
+      { 0x1efc6d6,0x2a0051a,0x2724143,0x2a9ef1e,0x0c810bd,0x1e05429,
+        0x25670ba,0x2e66d7d,0x0e786ff,0x03f6b7e } },
+    /* 235 */
+    { { 0x3c00785,0x232e23f,0x2b67fd3,0x244ed23,0x077fa75,0x3cda3ef,
+        0x14d055b,0x0f25011,0x24d5aa4,0x00ea0e3 },
+      { 0x297bb9a,0x198ca4f,0x14d9561,0x18d1076,0x39eb933,0x2b6caa0,
+        0x1591a60,0x0768d45,0x257873e,0x00f36e0 } },
+    /* 236 */
+    { { 0x1e77eab,0x0502a5f,0x0109137,0x0350592,0x3f7e1c5,0x3ac7437,
+        0x2dcad2c,0x1fee9d8,0x089f1f5,0x0169833 },
+      { 0x0d45673,0x0d8e090,0x065580b,0x065644f,0x11b82be,0x3592dd0,
+        0x3284b8d,0x23f0015,0x16fdbfd,0x0248bfd } },
+    /* 237 */
+    { { 0x1a129a1,0x1977bb2,0x0e041b2,0x15f30a1,0x0a5b1ce,0x3afef8f,
+        0x380c46c,0x3358810,0x27df6c5,0x01ca466 },
+      { 0x3b90f9a,0x3d14ea3,0x031b298,0x02e2390,0x2d719c0,0x25bc615,
+        0x2c0e777,0x0226b8c,0x3803624,0x0179e45 } },
+    /* 238 */
+    { { 0x363cdfb,0x1bb155f,0x24fd5c1,0x1c7c72b,0x28e6a35,0x18165f2,
+        0x226bea5,0x0beaff3,0x371e24c,0x0138294 },
+      { 0x1765357,0x29034e9,0x22b4276,0x11035ce,0x23c89af,0x074468c,
+        0x3370ae4,0x013bae3,0x018d566,0x03d7fde } },
+    /* 239 */
+    { { 0x209df21,0x0f8ff86,0x0e47fbf,0x23b99ba,0x126d5d2,0x2722405,
+        0x16bd0a2,0x1799082,0x0e9533f,0x039077c },
+      { 0x3ba9e3f,0x3f6902c,0x1895305,0x3ac9813,0x3f2340c,0x3c0d9f1,
+        0x26e1927,0x0557c21,0x16eac4f,0x023b75f } },
+    /* 240 */
+    { { 0x3fc8ff3,0x0770382,0x342fc9a,0x0afa4db,0x314efd8,0x328e07b,
+        0x016f7cc,0x3ba599c,0x1caed8a,0x0050cb0 },
+      { 0x0b23c26,0x2120a5c,0x3273ec6,0x1cc1cd6,0x2a64fe8,0x2bbc3d6,
+        0x09f6e5e,0x34b1b8e,0x00b5ac8,0x032bbd2 } },
+    /* 241 */
+    { { 0x1315922,0x1725e1d,0x0ca5524,0x1c4c18f,0x3d82951,0x193bcb2,
+        0x0e60d0b,0x388dbcf,0x37e8efa,0x0342e85 },
+      { 0x1b3af60,0x26ba3ec,0x220e53a,0x394f4b6,0x01a796a,0x3e7bbca,
+        0x163605d,0x2b85807,0x17c1c54,0x03cc725 } },
+    /* 242 */
+    { { 0x1cc4597,0x1635492,0x2028c0f,0x2c2eb82,0x2dc5015,0x0d2a052,
+        0x05fc557,0x1f0ebbf,0x0cb96e1,0x0004d01 },
+      { 0x1a824bf,0x3896172,0x2ed7b29,0x178007a,0x0d59318,0x07bda2b,
+        0x2ee6826,0x0f9b235,0x04b9193,0x01bcddf } },
+    /* 243 */
+    { { 0x0333fd2,0x0eeb46a,0x15b89f9,0x00968aa,0x2a89302,0x2bdd6b3,
+        0x1e5037e,0x2541884,0x24ed2d0,0x01b6e8f },
+      { 0x04399cd,0x3be6334,0x3adea48,0x1bb9adc,0x31811c6,0x05fb2bc,
+        0x360752c,0x3d29dcb,0x3423bec,0x03c4f3c } },
+    /* 244 */
+    { { 0x119e2eb,0x2e7b02a,0x0f68cee,0x257d8b0,0x183a9a1,0x2ae88a6,
+        0x3a3bb67,0x2eb4f3e,0x1a9274b,0x0320fea },
+      { 0x2fa1ce0,0x346c2d8,0x2fbf0d7,0x3d4d063,0x0e58b60,0x09c1bc1,
+        0x28ef9e5,0x09a0efe,0x0f45d70,0x02d275c } },
+    /* 245 */
+    { { 0x2d5513b,0x31d443e,0x1e2d914,0x3b2c5d4,0x105f32e,0x27ee756,
+        0x050418d,0x3c73db6,0x1bb0c30,0x01673eb },
+      { 0x1cb7fd6,0x1eb08d5,0x26a3e16,0x2e20810,0x0249367,0x029e219,
+        0x2ec58c9,0x12d9fab,0x362354a,0x016eafc } },
+    /* 246 */
+    { { 0x2424865,0x260747b,0x177f37c,0x1e3cb95,0x08b0028,0x2783016,
+        0x2970f1b,0x323c1c0,0x2a79026,0x0186231 },
+      { 0x0f244da,0x26866f4,0x087306f,0x173ec20,0x31ecced,0x3c84d8d,
+        0x070f9b9,0x2e764d5,0x075df50,0x0264ff9 } },
+    /* 247 */
+    { { 0x32c3609,0x0c737e6,0x14ea68e,0x300b11b,0x184eb19,0x29dd440,
+        0x09ec1a9,0x185adeb,0x0664c80,0x0207dd9 },
+      { 0x1fbe978,0x30a969d,0x33561d7,0x34fc60e,0x36743fe,0x00774af,
+        0x0d1f045,0x018360e,0x12a5fe9,0x01592a0 } },
+    /* 248 */
+    { { 0x2817d1d,0x2993d3e,0x2e0f7a5,0x112faa0,0x255f968,0x355fe6a,
+        0x3f5a0fc,0x075b2d7,0x3cf00e5,0x0089afc },
+      { 0x32833cf,0x06a7e4b,0x09a8d6d,0x1693d3e,0x320a0a3,0x3cfdfdd,
+        0x136c498,0x1e0d845,0x347ff25,0x01a1de7 } },
+    /* 249 */
+    { { 0x3043d08,0x030705c,0x20fa79b,0x1d07f00,0x0a54467,0x29b49b4,
+        0x367e289,0x0b82f4d,0x0d1eb09,0x025ef2c },
+      { 0x32ed3c3,0x1baaa3c,0x3c482ab,0x146ca06,0x3c8a4f1,0x3e85e3c,
+        0x1bf4f3b,0x1195534,0x3e80a78,0x02a1cbf } },
+    /* 250 */
+    { { 0x32b2086,0x2de4d68,0x3486b1a,0x03a0583,0x2e1eb71,0x2dab9af,
+        0x10cd913,0x28daa6f,0x3fcb732,0x000a04a },
+      { 0x3605318,0x3f5f2b3,0x2d1da63,0x143f7f5,0x1646e5d,0x040b586,
+        0x1683982,0x25abe87,0x0c9fe53,0x001ce47 } },
+    /* 251 */
+    { { 0x380d02b,0x055fc22,0x3f7fc50,0x3458a1d,0x26b8333,0x23550ab,
+        0x0a1af87,0x0a821eb,0x2dc7e6d,0x00d574a },
+      { 0x07386e1,0x3ccd68a,0x3275b41,0x253e390,0x2fd272a,0x1e6627a,
+        0x2ca2cde,0x0e9e4a1,0x1e37c2a,0x00f70ac } },
+    /* 252 */
+    { { 0x0581352,0x2748701,0x02bed68,0x094dd9e,0x30a00c8,0x3fb5c07,
+        0x3bd5909,0x211ac80,0x1103ccd,0x0311e1a },
+      { 0x0c768ed,0x29dc209,0x36575db,0x009a107,0x272feea,0x2b33383,
+        0x313ed56,0x134c9cc,0x168d5bb,0x033310a } },
+    /* 253 */
+    { { 0x17620b9,0x143784f,0x256a94e,0x229664a,0x1d89a5c,0x1d521f2,
+        0x0076406,0x1c73f70,0x342aa48,0x03851fa },
+      { 0x0f3ae46,0x2ad3bab,0x0fbe274,0x3ed40d4,0x2fd4936,0x232103a,
+        0x2afe474,0x25b8f7c,0x047080e,0x008e6b0 } },
+    /* 254 */
+    { { 0x3fee8d4,0x347cd4a,0x0fec481,0x33fe9ec,0x0ce80b5,0x33a6bcf,
+        0x1c4c9e2,0x3967441,0x1a3f5f7,0x03157e8 },
+      { 0x257c227,0x1bc53a0,0x200b318,0x0fcd0af,0x2c5b165,0x2a413ec,
+        0x2fc998a,0x2da6426,0x19cd4f4,0x0025336 } },
+    /* 255 */
+    { { 0x303beba,0x2072135,0x32918a9,0x140cb3a,0x08631d1,0x0ef527b,
+        0x05f2c9e,0x2b4ce91,0x0b642ab,0x02e428c },
+      { 0x0a5abf9,0x15013ed,0x3603b46,0x30dd76d,0x3004750,0x28d7627,
+        0x1a42ccc,0x093ddbe,0x39a1b79,0x00067e2 } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_10(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_10(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[10];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_10(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 10, km);
+
+            err = sp_256_ecc_mulmod_base_10(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_10(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_10(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
+            a[8] | a[9]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_add_one_10(sp_digit* a)
+{
+    a[0]++;
+    sp_256_norm_10(a);
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 18U) {
+            r[j] &= 0x3ffffff;
+            s = 26U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_10(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 10, buf, (int)sizeof(buf));
+            if (sp_256_cmp_10(k, p256_order2) < 0) {
+                sp_256_add_one_10(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[10];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_10(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_10(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_10(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_10(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_10(point->x) == 0) || (sp_256_iszero_10(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_10(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_10(infinity, 1, heap);
+#endif
+    sp_256_point_free_10(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<9; i++) {
+        r[i+1] += r[i] >> 26;
+        r[i] &= 0x3ffffff;
+    }
+    j = 256 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<10 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 26) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 26);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[10];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 10, priv);
+        sp_256_point_from_ecc_point_10(point, pub);
+            err = sp_256_ecc_mulmod_10(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_d_10(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[10] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[10];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    t[ 7] = tb * a[ 7];
+    t[ 8] = tb * a[ 8];
+    t[ 9] = tb * a[ 9];
+    r[ 0] =                           (t[ 0] & 0x3ffffff);
+    r[ 1] = (sp_digit)(t[ 0] >> 26) + (t[ 1] & 0x3ffffff);
+    r[ 2] = (sp_digit)(t[ 1] >> 26) + (t[ 2] & 0x3ffffff);
+    r[ 3] = (sp_digit)(t[ 2] >> 26) + (t[ 3] & 0x3ffffff);
+    r[ 4] = (sp_digit)(t[ 3] >> 26) + (t[ 4] & 0x3ffffff);
+    r[ 5] = (sp_digit)(t[ 4] >> 26) + (t[ 5] & 0x3ffffff);
+    r[ 6] = (sp_digit)(t[ 5] >> 26) + (t[ 6] & 0x3ffffff);
+    r[ 7] = (sp_digit)(t[ 6] >> 26) + (t[ 7] & 0x3ffffff);
+    r[ 8] = (sp_digit)(t[ 7] >> 26) + (t[ 8] & 0x3ffffff);
+    r[ 9] = (sp_digit)(t[ 8] >> 26) + (t[ 9] & 0x3ffffff);
+    r[10] = (sp_digit)(t[ 9] >> 26);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_256_div_word_10(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 26 bits from d1 and top 5 bits from d0. */
+    d = (d1 << 5) | (d0 >> 21);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 6 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 16) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 11 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 11) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 16 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 6) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 1) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 26 bits in r */
+    /* Remaining 1 bits from d0. */
+    r <<= 1;
+    d <<= 1;
+    d |= d0 & ((1 << 1) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_div_10(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[20], t2d[10 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 10 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 10;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[9];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 10U);
+        for (i=9; i>=0; i--) {
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] &= 0x3ffffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[10 + i];
+            d1 <<= 26;
+            d1 += t1[10 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_256_div_word_10(t1[10 + i], t1[10 + i - 1], dv);
+#endif
+
+            sp_256_mul_d_10(t2, d, r1);
+            (void)sp_256_sub_10(&t1[i], &t1[i], t2);
+            t1[10 + i] -= t2[10];
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] &= 0x3ffffff;
+            r1 = (((-t1[10 + i]) << 26) - t1[10 + i - 1]) / dv;
+            r1++;
+            sp_256_mul_d_10(t2, d, r1);
+            (void)sp_256_add_10(&t1[i], &t1[i], t2);
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] &= 0x3ffffff;
+        }
+        t1[10 - 1] += t1[10 - 2] >> 26;
+        t1[10 - 2] &= 0x3ffffff;
+        r1 = t1[10 - 1] / dv;
+
+        sp_256_mul_d_10(t2, d, r1);
+        (void)sp_256_sub_10(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 10U);
+        for (i=0; i<8; i++) {
+            r[i+1] += r[i] >> 26;
+            r[i] &= 0x3ffffff;
+        }
+        sp_256_cond_add_10(r, r, d, 0 - ((r[9] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_mod_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_10(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint32_t p256_order_minus_2[8] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU,0xffffffffU,0xffffffffU,
+    0x00000000U,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint32_t p256_order_low[4] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_10(r, a, b);
+    sp_256_mont_reduce_order_10(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_10(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_10(r, a);
+    sp_256_mont_reduce_order_10(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_10(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_10(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_10(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_10(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 10);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_10(t, t);
+        if ((p256_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 10U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 10;
+    sp_digit* t3 = td + 4 * 10;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_10(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_10(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_10(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_10(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_10(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_10(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_10(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_10(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_10(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_10(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_10(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_10(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*10];
+    sp_digit xd[2*10];
+    sp_digit kd[2*10];
+    sp_digit rd[2*10];
+    sp_digit td[3 * 2*10];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_10(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 10;
+        x = d + 2 * 10;
+        k = d + 4 * 10;
+        r = d + 6 * 10;
+        tmp = d + 8 * 10;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 10, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 10, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_10(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 10, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_10(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 10U);
+            sp_256_norm_10(r);
+            c = sp_256_cmp_10(r, p256_order);
+            sp_256_cond_sub_10(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_10(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_10(k, k, p256_norm_order);
+            err = sp_256_mod_10(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_10(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_10(kInv, k, tmp);
+            sp_256_norm_10(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_10(x, x, r);
+            err = sp_256_mod_10(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_10(x);
+            carry = sp_256_add_10(s, e, x);
+            sp_256_cond_sub_10(s, s, p256_order, 0 - carry);
+            sp_256_norm_10(s);
+            c = sp_256_cmp_10(s, p256_order);
+            sp_256_cond_sub_10(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_10(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_10(s, s, kInv);
+            sp_256_norm_10(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_10(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 10);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 10U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 10U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 10U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 10U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 10U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 10U);
+#endif
+    sp_256_point_free_10(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*10];
+    sp_digit u2d[2*10];
+    sp_digit sd[2*10];
+    sp_digit tmpd[2*10 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_256_point_new_10(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 10;
+        u2  = d + 2 * 10;
+        s   = d + 4 * 10;
+        tmp = d + 6 * 10;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 10, hash, (int)hashLen);
+        sp_256_from_mp(u2, 10, r);
+        sp_256_from_mp(s, 10, sm);
+        sp_256_from_mp(p2->x, 10, pX);
+        sp_256_from_mp(p2->y, 10, pY);
+        sp_256_from_mp(p2->z, 10, pZ);
+
+        {
+            sp_256_mul_10(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_10(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_10(s);
+        {
+            sp_256_mont_inv_order_10(s, s, tmp);
+            sp_256_mont_mul_order_10(u1, u1, s);
+            sp_256_mont_mul_order_10(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_10(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_10(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_10(p1, p1, p2, tmp);
+            if (sp_256_iszero_10(p1->z)) {
+                if (sp_256_iszero_10(p1->x) && sp_256_iszero_10(p1->y)) {
+                    sp_256_proj_point_dbl_10(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    p1->x[8] = 0;
+                    p1->x[9] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 10, r);
+        err = sp_256_mod_mul_norm_10(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_10(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_10(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 10, r);
+            carry = sp_256_add_10(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_10(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_10(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_10(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_10(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_10(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_10(p1, 0, heap);
+    sp_256_point_free_10(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_10(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*10];
+    sp_digit t2d[2*10];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 10;
+        t2 = d + 2 * 10;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_10(t1, point->y);
+        (void)sp_256_mod_10(t1, t1, p256_mod);
+        sp_256_sqr_10(t2, point->x);
+        (void)sp_256_mod_10(t2, t2, p256_mod);
+        sp_256_mul_10(t2, t2, point->x);
+        (void)sp_256_mod_10(t2, t2, p256_mod);
+        (void)sp_256_sub_10(t2, p256_mod, t2);
+        sp_256_mont_add_10(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_10(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_10(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_10(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_10(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_10(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 10, pX);
+        sp_256_from_mp(pub->y, 10, pY);
+        sp_256_from_bin(pub->z, 10, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_10(pub, NULL);
+    }
+
+    sp_256_point_free_10(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[10];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_10(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 10, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 10, pX);
+        sp_256_from_mp(pub->y, 10, pY);
+        sp_256_from_bin(pub->z, 10, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 10, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_10(pub->x) != 0) &&
+            (sp_256_iszero_10(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_10(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_10(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_10(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_10(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_10(p->x) == 0) ||
+            (sp_256_iszero_10(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_10(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_10(p->x, pub->x) != 0 ||
+            sp_256_cmp_10(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(p, 0, heap);
+    sp_256_point_free_10(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 10 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_10(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_10(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+        sp_256_from_mp(q->x, 10, qX);
+        sp_256_from_mp(q->y, 10, qY);
+        sp_256_from_mp(q->z, 10, qZ);
+
+            sp_256_proj_point_add_10(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(q, 0, NULL);
+    sp_256_point_free_10(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 10 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_10(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+
+            sp_256_proj_point_dbl_10(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 10 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_10(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+
+        sp_256_map_10(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_10(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_10(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 10];
+    sp_digit t2d[2 * 10];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 10, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 10;
+        t2 = d + 2 * 10;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_10(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_10(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_10(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_10(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_10(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_10(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_10(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_10(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_10(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_10(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_10(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 10];
+    sp_digit yd[2 * 10];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 10, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 10;
+        y = d + 2 * 10;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 10, xm);
+        err = sp_256_mod_mul_norm_10(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_10(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_10(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_10(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_10(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_10(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 10, 0, 10U * sizeof(sp_digit));
+        sp_256_mont_reduce_10(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_10(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 15];
+    sp_digit y[2 * 15];
+    sp_digit z[2 * 15];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[15] = {
+    0x3ffffff,0x000003f,0x0000000,0x3fc0000,0x2ffffff,0x3ffffff,0x3ffffff,
+    0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x00fffff
+    
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[15] = {
+    0x0000001,0x3ffffc0,0x3ffffff,0x003ffff,0x1000000,0x0000000,0x0000000,
+    0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000
+    
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[15] = {
+    0x0c52973,0x3065ab3,0x277aece,0x2c922c2,0x3581a0d,0x10dcb77,0x234d81f,
+    0x3ffff1d,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x00fffff
+    
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[15] = {
+    0x0c52971,0x3065ab3,0x277aece,0x2c922c2,0x3581a0d,0x10dcb77,0x234d81f,
+    0x3ffff1d,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x3ffffff,0x00fffff
+    
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[15] = {
+    0x33ad68d,0x0f9a54c,0x1885131,0x136dd3d,0x0a7e5f2,0x2f23488,0x1cb27e0,
+    0x00000e2,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000
+    
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0x8fdc45;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x2760ab7,0x1178e1c,0x296c3a5,0x176fd54,0x05502f2,0x0950a8e,0x3741e08,
+        0x26e6167,0x3628ba7,0x11b874e,0x3320ad7,0x2c71c7b,0x305378e,0x288afa2,0x00aa87c,
+        
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x0ea0e5f,0x0c75f24,0x019d7a4,0x33875fa,0x00a60b1,0x17c2e30,0x1a3113b,
+        0x051f3a7,0x1bd289a,0x27e3d07,0x1292dc2,0x27a62fe,0x22c6f5d,0x392a589,0x003617d,
+        
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000001,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,
+        0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,
+        
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[15] = {
+    0x3ec2aef,0x1723b74,0x119d2a8,0x23628bb,0x2c65639,0x004e1d6,0x14088f5,
+    0x104480c,0x06efe81,0x2460767,0x23f82d1,0x23815af,0x2e7e498,0x3e9f88f,0x00b3312
+    
+};
+#endif
+
+static int sp_384_point_new_ex_15(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_15(heap, sp, p) sp_384_point_new_ex_15((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_15(heap, sp, p) sp_384_point_new_ex_15((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_15(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[12];
+    int64_t a32d[12];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 12;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = a[0];
+        a32[0] |= a[1] << 26U;
+        a32[0] &= 0xffffffffL;
+        a32[1] = (sp_digit)(a[1] >> 6);
+        a32[1] |= a[2] << 20U;
+        a32[1] &= 0xffffffffL;
+        a32[2] = (sp_digit)(a[2] >> 12);
+        a32[2] |= a[3] << 14U;
+        a32[2] &= 0xffffffffL;
+        a32[3] = (sp_digit)(a[3] >> 18);
+        a32[3] |= a[4] << 8U;
+        a32[3] &= 0xffffffffL;
+        a32[4] = (sp_digit)(a[4] >> 24);
+        a32[4] |= a[5] << 2U;
+        a32[4] |= a[6] << 28U;
+        a32[4] &= 0xffffffffL;
+        a32[5] = (sp_digit)(a[6] >> 4);
+        a32[5] |= a[7] << 22U;
+        a32[5] &= 0xffffffffL;
+        a32[6] = (sp_digit)(a[7] >> 10);
+        a32[6] |= a[8] << 16U;
+        a32[6] &= 0xffffffffL;
+        a32[7] = (sp_digit)(a[8] >> 16);
+        a32[7] |= a[9] << 10U;
+        a32[7] &= 0xffffffffL;
+        a32[8] = (sp_digit)(a[9] >> 22);
+        a32[8] |= a[10] << 4U;
+        a32[8] |= a[11] << 30U;
+        a32[8] &= 0xffffffffL;
+        a32[9] = (sp_digit)(a[11] >> 2);
+        a32[9] |= a[12] << 24U;
+        a32[9] &= 0xffffffffL;
+        a32[10] = (sp_digit)(a[12] >> 8);
+        a32[10] |= a[13] << 18U;
+        a32[10] &= 0xffffffffL;
+        a32[11] = (sp_digit)(a[13] >> 14);
+        a32[11] |= a[14] << 12U;
+        a32[11] &= 0xffffffffL;
+
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + a32[0] + a32[8] + a32[9] - a32[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - a32[0] + a32[1] - a32[8] + a32[10] + a32[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - a32[1] + a32[2] - a32[9] + a32[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + a32[0] - a32[2] + a32[3] + a32[8] + a32[9] - a32[10] - a32[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + a32[0] + a32[1] - a32[3] + a32[4] + a32[8] + 2 * a32[9] + a32[10] -  2 * a32[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + a32[1] + a32[2] - a32[4] + a32[5] + a32[9] + 2 * a32[10] + a32[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + a32[2] + a32[3] - a32[5] + a32[6] + a32[10] + 2 * a32[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + a32[3] + a32[4] - a32[6] + a32[7] + a32[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + a32[4] + a32[5] - a32[7] + a32[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + a32[5] + a32[6] - a32[8] + a32[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + a32[6] + a32[7] - a32[9] + a32[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + a32[7] + a32[8] - a32[10] + a32[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = (sp_digit)(t[0]) & 0x3ffffffL;
+        r[1] = (sp_digit)(t[0] >> 26U);
+        r[1] |= t[1] << 6U;
+        r[1] &= 0x3ffffffL;
+        r[2] = (sp_digit)(t[1] >> 20U);
+        r[2] |= t[2] << 12U;
+        r[2] &= 0x3ffffffL;
+        r[3] = (sp_digit)(t[2] >> 14U);
+        r[3] |= t[3] << 18U;
+        r[3] &= 0x3ffffffL;
+        r[4] = (sp_digit)(t[3] >> 8U);
+        r[4] |= t[4] << 24U;
+        r[4] &= 0x3ffffffL;
+        r[5] = (sp_digit)(t[4] >> 2U) & 0x3ffffffL;
+        r[6] = (sp_digit)(t[4] >> 28U);
+        r[6] |= t[5] << 4U;
+        r[6] &= 0x3ffffffL;
+        r[7] = (sp_digit)(t[5] >> 22U);
+        r[7] |= t[6] << 10U;
+        r[7] &= 0x3ffffffL;
+        r[8] = (sp_digit)(t[6] >> 16U);
+        r[8] |= t[7] << 16U;
+        r[8] &= 0x3ffffffL;
+        r[9] = (sp_digit)(t[7] >> 10U);
+        r[9] |= t[8] << 22U;
+        r[9] &= 0x3ffffffL;
+        r[10] = (sp_digit)(t[8] >> 4U) & 0x3ffffffL;
+        r[11] = (sp_digit)(t[8] >> 30U);
+        r[11] |= t[9] << 2U;
+        r[11] &= 0x3ffffffL;
+        r[12] = (sp_digit)(t[9] >> 24U);
+        r[12] |= t[10] << 8U;
+        r[12] &= 0x3ffffffL;
+        r[13] = (sp_digit)(t[10] >> 18U);
+        r[13] |= t[11] << 14U;
+        r[13] &= 0x3ffffffL;
+        r[14] = (sp_digit)(t[11] >> 12U);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 26
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 26
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x3ffffff;
+        s = 26U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 26U) <= (word32)DIGIT_BIT) {
+            s += 26U;
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 26) {
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 26 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_15(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 15, pm->x);
+    sp_384_from_mp(p->y, 15, pm->y);
+    sp_384_from_mp(p->z, 15, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 26
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 15);
+        r->used = 15;
+        mp_clamp(r);
+#elif DIGIT_BIT < 26
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 15; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 26) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 26 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 15; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 26 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 26 - s;
+            }
+            else {
+                s += 26;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_15(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_15(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[14]) * b[14];
+    r[29] = (sp_digit)(c >> 26);
+    c = (c & 0x3ffffff) << 26;
+    for (k = 27; k >= 0; k--) {
+        for (i = 14; i >= 0; i--) {
+            j = k - i;
+            if (j >= 15) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 52;
+        r[k + 1] = (c >> 26) & 0x3ffffff;
+        c = (c & 0x3ffffff) << 26;
+    }
+    r[0] = (sp_digit)(c >> 26);
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_15(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int64_t t0   = ((int64_t)a[ 0]) * b[ 0];
+    int64_t t1   = ((int64_t)a[ 0]) * b[ 1]
+                 + ((int64_t)a[ 1]) * b[ 0];
+    int64_t t2   = ((int64_t)a[ 0]) * b[ 2]
+                 + ((int64_t)a[ 1]) * b[ 1]
+                 + ((int64_t)a[ 2]) * b[ 0];
+    int64_t t3   = ((int64_t)a[ 0]) * b[ 3]
+                 + ((int64_t)a[ 1]) * b[ 2]
+                 + ((int64_t)a[ 2]) * b[ 1]
+                 + ((int64_t)a[ 3]) * b[ 0];
+    int64_t t4   = ((int64_t)a[ 0]) * b[ 4]
+                 + ((int64_t)a[ 1]) * b[ 3]
+                 + ((int64_t)a[ 2]) * b[ 2]
+                 + ((int64_t)a[ 3]) * b[ 1]
+                 + ((int64_t)a[ 4]) * b[ 0];
+    int64_t t5   = ((int64_t)a[ 0]) * b[ 5]
+                 + ((int64_t)a[ 1]) * b[ 4]
+                 + ((int64_t)a[ 2]) * b[ 3]
+                 + ((int64_t)a[ 3]) * b[ 2]
+                 + ((int64_t)a[ 4]) * b[ 1]
+                 + ((int64_t)a[ 5]) * b[ 0];
+    int64_t t6   = ((int64_t)a[ 0]) * b[ 6]
+                 + ((int64_t)a[ 1]) * b[ 5]
+                 + ((int64_t)a[ 2]) * b[ 4]
+                 + ((int64_t)a[ 3]) * b[ 3]
+                 + ((int64_t)a[ 4]) * b[ 2]
+                 + ((int64_t)a[ 5]) * b[ 1]
+                 + ((int64_t)a[ 6]) * b[ 0];
+    int64_t t7   = ((int64_t)a[ 0]) * b[ 7]
+                 + ((int64_t)a[ 1]) * b[ 6]
+                 + ((int64_t)a[ 2]) * b[ 5]
+                 + ((int64_t)a[ 3]) * b[ 4]
+                 + ((int64_t)a[ 4]) * b[ 3]
+                 + ((int64_t)a[ 5]) * b[ 2]
+                 + ((int64_t)a[ 6]) * b[ 1]
+                 + ((int64_t)a[ 7]) * b[ 0];
+    int64_t t8   = ((int64_t)a[ 0]) * b[ 8]
+                 + ((int64_t)a[ 1]) * b[ 7]
+                 + ((int64_t)a[ 2]) * b[ 6]
+                 + ((int64_t)a[ 3]) * b[ 5]
+                 + ((int64_t)a[ 4]) * b[ 4]
+                 + ((int64_t)a[ 5]) * b[ 3]
+                 + ((int64_t)a[ 6]) * b[ 2]
+                 + ((int64_t)a[ 7]) * b[ 1]
+                 + ((int64_t)a[ 8]) * b[ 0];
+    int64_t t9   = ((int64_t)a[ 0]) * b[ 9]
+                 + ((int64_t)a[ 1]) * b[ 8]
+                 + ((int64_t)a[ 2]) * b[ 7]
+                 + ((int64_t)a[ 3]) * b[ 6]
+                 + ((int64_t)a[ 4]) * b[ 5]
+                 + ((int64_t)a[ 5]) * b[ 4]
+                 + ((int64_t)a[ 6]) * b[ 3]
+                 + ((int64_t)a[ 7]) * b[ 2]
+                 + ((int64_t)a[ 8]) * b[ 1]
+                 + ((int64_t)a[ 9]) * b[ 0];
+    int64_t t10  = ((int64_t)a[ 0]) * b[10]
+                 + ((int64_t)a[ 1]) * b[ 9]
+                 + ((int64_t)a[ 2]) * b[ 8]
+                 + ((int64_t)a[ 3]) * b[ 7]
+                 + ((int64_t)a[ 4]) * b[ 6]
+                 + ((int64_t)a[ 5]) * b[ 5]
+                 + ((int64_t)a[ 6]) * b[ 4]
+                 + ((int64_t)a[ 7]) * b[ 3]
+                 + ((int64_t)a[ 8]) * b[ 2]
+                 + ((int64_t)a[ 9]) * b[ 1]
+                 + ((int64_t)a[10]) * b[ 0];
+    int64_t t11  = ((int64_t)a[ 0]) * b[11]
+                 + ((int64_t)a[ 1]) * b[10]
+                 + ((int64_t)a[ 2]) * b[ 9]
+                 + ((int64_t)a[ 3]) * b[ 8]
+                 + ((int64_t)a[ 4]) * b[ 7]
+                 + ((int64_t)a[ 5]) * b[ 6]
+                 + ((int64_t)a[ 6]) * b[ 5]
+                 + ((int64_t)a[ 7]) * b[ 4]
+                 + ((int64_t)a[ 8]) * b[ 3]
+                 + ((int64_t)a[ 9]) * b[ 2]
+                 + ((int64_t)a[10]) * b[ 1]
+                 + ((int64_t)a[11]) * b[ 0];
+    int64_t t12  = ((int64_t)a[ 0]) * b[12]
+                 + ((int64_t)a[ 1]) * b[11]
+                 + ((int64_t)a[ 2]) * b[10]
+                 + ((int64_t)a[ 3]) * b[ 9]
+                 + ((int64_t)a[ 4]) * b[ 8]
+                 + ((int64_t)a[ 5]) * b[ 7]
+                 + ((int64_t)a[ 6]) * b[ 6]
+                 + ((int64_t)a[ 7]) * b[ 5]
+                 + ((int64_t)a[ 8]) * b[ 4]
+                 + ((int64_t)a[ 9]) * b[ 3]
+                 + ((int64_t)a[10]) * b[ 2]
+                 + ((int64_t)a[11]) * b[ 1]
+                 + ((int64_t)a[12]) * b[ 0];
+    int64_t t13  = ((int64_t)a[ 0]) * b[13]
+                 + ((int64_t)a[ 1]) * b[12]
+                 + ((int64_t)a[ 2]) * b[11]
+                 + ((int64_t)a[ 3]) * b[10]
+                 + ((int64_t)a[ 4]) * b[ 9]
+                 + ((int64_t)a[ 5]) * b[ 8]
+                 + ((int64_t)a[ 6]) * b[ 7]
+                 + ((int64_t)a[ 7]) * b[ 6]
+                 + ((int64_t)a[ 8]) * b[ 5]
+                 + ((int64_t)a[ 9]) * b[ 4]
+                 + ((int64_t)a[10]) * b[ 3]
+                 + ((int64_t)a[11]) * b[ 2]
+                 + ((int64_t)a[12]) * b[ 1]
+                 + ((int64_t)a[13]) * b[ 0];
+    int64_t t14  = ((int64_t)a[ 0]) * b[14]
+                 + ((int64_t)a[ 1]) * b[13]
+                 + ((int64_t)a[ 2]) * b[12]
+                 + ((int64_t)a[ 3]) * b[11]
+                 + ((int64_t)a[ 4]) * b[10]
+                 + ((int64_t)a[ 5]) * b[ 9]
+                 + ((int64_t)a[ 6]) * b[ 8]
+                 + ((int64_t)a[ 7]) * b[ 7]
+                 + ((int64_t)a[ 8]) * b[ 6]
+                 + ((int64_t)a[ 9]) * b[ 5]
+                 + ((int64_t)a[10]) * b[ 4]
+                 + ((int64_t)a[11]) * b[ 3]
+                 + ((int64_t)a[12]) * b[ 2]
+                 + ((int64_t)a[13]) * b[ 1]
+                 + ((int64_t)a[14]) * b[ 0];
+    int64_t t15  = ((int64_t)a[ 1]) * b[14]
+                 + ((int64_t)a[ 2]) * b[13]
+                 + ((int64_t)a[ 3]) * b[12]
+                 + ((int64_t)a[ 4]) * b[11]
+                 + ((int64_t)a[ 5]) * b[10]
+                 + ((int64_t)a[ 6]) * b[ 9]
+                 + ((int64_t)a[ 7]) * b[ 8]
+                 + ((int64_t)a[ 8]) * b[ 7]
+                 + ((int64_t)a[ 9]) * b[ 6]
+                 + ((int64_t)a[10]) * b[ 5]
+                 + ((int64_t)a[11]) * b[ 4]
+                 + ((int64_t)a[12]) * b[ 3]
+                 + ((int64_t)a[13]) * b[ 2]
+                 + ((int64_t)a[14]) * b[ 1];
+    int64_t t16  = ((int64_t)a[ 2]) * b[14]
+                 + ((int64_t)a[ 3]) * b[13]
+                 + ((int64_t)a[ 4]) * b[12]
+                 + ((int64_t)a[ 5]) * b[11]
+                 + ((int64_t)a[ 6]) * b[10]
+                 + ((int64_t)a[ 7]) * b[ 9]
+                 + ((int64_t)a[ 8]) * b[ 8]
+                 + ((int64_t)a[ 9]) * b[ 7]
+                 + ((int64_t)a[10]) * b[ 6]
+                 + ((int64_t)a[11]) * b[ 5]
+                 + ((int64_t)a[12]) * b[ 4]
+                 + ((int64_t)a[13]) * b[ 3]
+                 + ((int64_t)a[14]) * b[ 2];
+    int64_t t17  = ((int64_t)a[ 3]) * b[14]
+                 + ((int64_t)a[ 4]) * b[13]
+                 + ((int64_t)a[ 5]) * b[12]
+                 + ((int64_t)a[ 6]) * b[11]
+                 + ((int64_t)a[ 7]) * b[10]
+                 + ((int64_t)a[ 8]) * b[ 9]
+                 + ((int64_t)a[ 9]) * b[ 8]
+                 + ((int64_t)a[10]) * b[ 7]
+                 + ((int64_t)a[11]) * b[ 6]
+                 + ((int64_t)a[12]) * b[ 5]
+                 + ((int64_t)a[13]) * b[ 4]
+                 + ((int64_t)a[14]) * b[ 3];
+    int64_t t18  = ((int64_t)a[ 4]) * b[14]
+                 + ((int64_t)a[ 5]) * b[13]
+                 + ((int64_t)a[ 6]) * b[12]
+                 + ((int64_t)a[ 7]) * b[11]
+                 + ((int64_t)a[ 8]) * b[10]
+                 + ((int64_t)a[ 9]) * b[ 9]
+                 + ((int64_t)a[10]) * b[ 8]
+                 + ((int64_t)a[11]) * b[ 7]
+                 + ((int64_t)a[12]) * b[ 6]
+                 + ((int64_t)a[13]) * b[ 5]
+                 + ((int64_t)a[14]) * b[ 4];
+    int64_t t19  = ((int64_t)a[ 5]) * b[14]
+                 + ((int64_t)a[ 6]) * b[13]
+                 + ((int64_t)a[ 7]) * b[12]
+                 + ((int64_t)a[ 8]) * b[11]
+                 + ((int64_t)a[ 9]) * b[10]
+                 + ((int64_t)a[10]) * b[ 9]
+                 + ((int64_t)a[11]) * b[ 8]
+                 + ((int64_t)a[12]) * b[ 7]
+                 + ((int64_t)a[13]) * b[ 6]
+                 + ((int64_t)a[14]) * b[ 5];
+    int64_t t20  = ((int64_t)a[ 6]) * b[14]
+                 + ((int64_t)a[ 7]) * b[13]
+                 + ((int64_t)a[ 8]) * b[12]
+                 + ((int64_t)a[ 9]) * b[11]
+                 + ((int64_t)a[10]) * b[10]
+                 + ((int64_t)a[11]) * b[ 9]
+                 + ((int64_t)a[12]) * b[ 8]
+                 + ((int64_t)a[13]) * b[ 7]
+                 + ((int64_t)a[14]) * b[ 6];
+    int64_t t21  = ((int64_t)a[ 7]) * b[14]
+                 + ((int64_t)a[ 8]) * b[13]
+                 + ((int64_t)a[ 9]) * b[12]
+                 + ((int64_t)a[10]) * b[11]
+                 + ((int64_t)a[11]) * b[10]
+                 + ((int64_t)a[12]) * b[ 9]
+                 + ((int64_t)a[13]) * b[ 8]
+                 + ((int64_t)a[14]) * b[ 7];
+    int64_t t22  = ((int64_t)a[ 8]) * b[14]
+                 + ((int64_t)a[ 9]) * b[13]
+                 + ((int64_t)a[10]) * b[12]
+                 + ((int64_t)a[11]) * b[11]
+                 + ((int64_t)a[12]) * b[10]
+                 + ((int64_t)a[13]) * b[ 9]
+                 + ((int64_t)a[14]) * b[ 8];
+    int64_t t23  = ((int64_t)a[ 9]) * b[14]
+                 + ((int64_t)a[10]) * b[13]
+                 + ((int64_t)a[11]) * b[12]
+                 + ((int64_t)a[12]) * b[11]
+                 + ((int64_t)a[13]) * b[10]
+                 + ((int64_t)a[14]) * b[ 9];
+    int64_t t24  = ((int64_t)a[10]) * b[14]
+                 + ((int64_t)a[11]) * b[13]
+                 + ((int64_t)a[12]) * b[12]
+                 + ((int64_t)a[13]) * b[11]
+                 + ((int64_t)a[14]) * b[10];
+    int64_t t25  = ((int64_t)a[11]) * b[14]
+                 + ((int64_t)a[12]) * b[13]
+                 + ((int64_t)a[13]) * b[12]
+                 + ((int64_t)a[14]) * b[11];
+    int64_t t26  = ((int64_t)a[12]) * b[14]
+                 + ((int64_t)a[13]) * b[13]
+                 + ((int64_t)a[14]) * b[12];
+    int64_t t27  = ((int64_t)a[13]) * b[14]
+                 + ((int64_t)a[14]) * b[13];
+    int64_t t28  = ((int64_t)a[14]) * b[14];
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    t19  += t18 >> 26; r[18] = t18 & 0x3ffffff;
+    t20  += t19 >> 26; r[19] = t19 & 0x3ffffff;
+    t21  += t20 >> 26; r[20] = t20 & 0x3ffffff;
+    t22  += t21 >> 26; r[21] = t21 & 0x3ffffff;
+    t23  += t22 >> 26; r[22] = t22 & 0x3ffffff;
+    t24  += t23 >> 26; r[23] = t23 & 0x3ffffff;
+    t25  += t24 >> 26; r[24] = t24 & 0x3ffffff;
+    t26  += t25 >> 26; r[25] = t25 & 0x3ffffff;
+    t27  += t26 >> 26; r[26] = t26 & 0x3ffffff;
+    t28  += t27 >> 26; r[27] = t27 & 0x3ffffff;
+    r[29] = (sp_digit)(t28 >> 26);
+                       r[28] = t28 & 0x3ffffff;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#define sp_384_mont_reduce_order_15         sp_384_mont_reduce_15
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_384_cmp_15(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=14; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    r |= (a[14] - b[14]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[13] - b[13]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[12] - b[12]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[11] - b[11]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[10] - b[10]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 9] - b[ 9]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 8] - b[ 8]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 7] - b[ 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 6] - b[ 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 5] - b[ 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 4] - b[ 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 3] - b[ 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 2] - b[ 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 1] - b[ 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 0] - b[ 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_384_cond_sub_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] - (b[ 0] & m);
+    r[ 1] = a[ 1] - (b[ 1] & m);
+    r[ 2] = a[ 2] - (b[ 2] & m);
+    r[ 3] = a[ 3] - (b[ 3] & m);
+    r[ 4] = a[ 4] - (b[ 4] & m);
+    r[ 5] = a[ 5] - (b[ 5] & m);
+    r[ 6] = a[ 6] - (b[ 6] & m);
+    r[ 7] = a[ 7] - (b[ 7] & m);
+    r[ 8] = a[ 8] - (b[ 8] & m);
+    r[ 9] = a[ 9] - (b[ 9] & m);
+    r[10] = a[10] - (b[10] & m);
+    r[11] = a[11] - (b[11] & m);
+    r[12] = a[12] - (b[12] & m);
+    r[13] = a[13] - (b[13] & m);
+    r[14] = a[14] - (b[14] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_384_mul_add_15(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[15] += t;
+#else
+    int64_t tb = b;
+    int64_t t[15];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    t[ 7] = tb * a[ 7];
+    t[ 8] = tb * a[ 8];
+    t[ 9] = tb * a[ 9];
+    t[10] = tb * a[10];
+    t[11] = tb * a[11];
+    t[12] = tb * a[12];
+    t[13] = tb * a[13];
+    t[14] = tb * a[14];
+    r[ 0] += (sp_digit)                 (t[ 0] & 0x3ffffff);
+    r[ 1] += (sp_digit)((t[ 0] >> 26) + (t[ 1] & 0x3ffffff));
+    r[ 2] += (sp_digit)((t[ 1] >> 26) + (t[ 2] & 0x3ffffff));
+    r[ 3] += (sp_digit)((t[ 2] >> 26) + (t[ 3] & 0x3ffffff));
+    r[ 4] += (sp_digit)((t[ 3] >> 26) + (t[ 4] & 0x3ffffff));
+    r[ 5] += (sp_digit)((t[ 4] >> 26) + (t[ 5] & 0x3ffffff));
+    r[ 6] += (sp_digit)((t[ 5] >> 26) + (t[ 6] & 0x3ffffff));
+    r[ 7] += (sp_digit)((t[ 6] >> 26) + (t[ 7] & 0x3ffffff));
+    r[ 8] += (sp_digit)((t[ 7] >> 26) + (t[ 8] & 0x3ffffff));
+    r[ 9] += (sp_digit)((t[ 8] >> 26) + (t[ 9] & 0x3ffffff));
+    r[10] += (sp_digit)((t[ 9] >> 26) + (t[10] & 0x3ffffff));
+    r[11] += (sp_digit)((t[10] >> 26) + (t[11] & 0x3ffffff));
+    r[12] += (sp_digit)((t[11] >> 26) + (t[12] & 0x3ffffff));
+    r[13] += (sp_digit)((t[12] >> 26) + (t[13] & 0x3ffffff));
+    r[14] += (sp_digit)((t[13] >> 26) + (t[14] & 0x3ffffff));
+    r[15] += (sp_digit) (t[14] >> 26);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 26.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_384_norm_15(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 14; i++) {
+        a[i+1] += a[i] >> 26;
+        a[i] &= 0x3ffffff;
+    }
+#else
+    a[1] += a[0] >> 26; a[0] &= 0x3ffffff;
+    a[2] += a[1] >> 26; a[1] &= 0x3ffffff;
+    a[3] += a[2] >> 26; a[2] &= 0x3ffffff;
+    a[4] += a[3] >> 26; a[3] &= 0x3ffffff;
+    a[5] += a[4] >> 26; a[4] &= 0x3ffffff;
+    a[6] += a[5] >> 26; a[5] &= 0x3ffffff;
+    a[7] += a[6] >> 26; a[6] &= 0x3ffffff;
+    a[8] += a[7] >> 26; a[7] &= 0x3ffffff;
+    a[9] += a[8] >> 26; a[8] &= 0x3ffffff;
+    a[10] += a[9] >> 26; a[9] &= 0x3ffffff;
+    a[11] += a[10] >> 26; a[10] &= 0x3ffffff;
+    a[12] += a[11] >> 26; a[11] &= 0x3ffffff;
+    a[13] += a[12] >> 26; a[12] &= 0x3ffffff;
+    a[14] += a[13] >> 26; a[13] &= 0x3ffffff;
+#endif
+}
+
+/* Shift the result in the high 384 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_384_mont_shift_15(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int64_t n = a[14] >> 20;
+    n += ((int64_t)a[15]) << 6;
+
+    for (i = 0; i < 14; i++) {
+        r[i] = n & 0x3ffffff;
+        n >>= 26;
+        n += ((int64_t)a[16 + i]) << 6;
+    }
+    r[14] = (sp_digit)n;
+#else
+    int64_t n = a[14] >> 20;
+    n += ((int64_t)a[15]) << 6;
+    r[ 0] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[16]) << 6;
+    r[ 1] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[17]) << 6;
+    r[ 2] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[18]) << 6;
+    r[ 3] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[19]) << 6;
+    r[ 4] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[20]) << 6;
+    r[ 5] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[21]) << 6;
+    r[ 6] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[22]) << 6;
+    r[ 7] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[23]) << 6;
+    r[ 8] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[24]) << 6;
+    r[ 9] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[25]) << 6;
+    r[10] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[26]) << 6;
+    r[11] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[27]) << 6;
+    r[12] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[28]) << 6;
+    r[13] = n & 0x3ffffff; n >>= 26; n += ((int64_t)a[29]) << 6;
+    r[14] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[15], 0, sizeof(*r) * 15U);
+}
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_384_mont_reduce_15(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_384_norm_15(a + 15);
+
+    for (i=0; i<14; i++) {
+        mu = (a[i] * mp) & 0x3ffffff;
+        sp_384_mul_add_15(a+i, m, mu);
+        a[i+1] += a[i] >> 26;
+    }
+    mu = (a[i] * mp) & 0xfffffL;
+    sp_384_mul_add_15(a+i, m, mu);
+    a[i+1] += a[i] >> 26;
+    a[i] &= 0x3ffffff;
+
+    sp_384_mont_shift_15(a, a);
+    sp_384_cond_sub_15(a, a, m, 0 - (((a[14] >> 20) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_15(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_15(r, a, b);
+    sp_384_mont_reduce_15(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_15(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int64_t c;
+
+    c = ((int64_t)a[14]) * a[14];
+    r[29] = (sp_digit)(c >> 26);
+    c = (c & 0x3ffffff) << 26;
+    for (k = 27; k >= 0; k--) {
+        for (i = 14; i >= 0; i--) {
+            j = k - i;
+            if (j >= 15 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int64_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int64_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 52;
+        r[k + 1] = (c >> 26) & 0x3ffffff;
+        c = (c & 0x3ffffff) << 26;
+    }
+    r[0] = (sp_digit)(c >> 26);
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_15(sp_digit* r, const sp_digit* a)
+{
+    int64_t t0   =  ((int64_t)a[ 0]) * a[ 0];
+    int64_t t1   = (((int64_t)a[ 0]) * a[ 1]) * 2;
+    int64_t t2   = (((int64_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int64_t)a[ 1]) * a[ 1];
+    int64_t t3   = (((int64_t)a[ 0]) * a[ 3]
+                 +  ((int64_t)a[ 1]) * a[ 2]) * 2;
+    int64_t t4   = (((int64_t)a[ 0]) * a[ 4]
+                 +  ((int64_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int64_t)a[ 2]) * a[ 2];
+    int64_t t5   = (((int64_t)a[ 0]) * a[ 5]
+                 +  ((int64_t)a[ 1]) * a[ 4]
+                 +  ((int64_t)a[ 2]) * a[ 3]) * 2;
+    int64_t t6   = (((int64_t)a[ 0]) * a[ 6]
+                 +  ((int64_t)a[ 1]) * a[ 5]
+                 +  ((int64_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int64_t)a[ 3]) * a[ 3];
+    int64_t t7   = (((int64_t)a[ 0]) * a[ 7]
+                 +  ((int64_t)a[ 1]) * a[ 6]
+                 +  ((int64_t)a[ 2]) * a[ 5]
+                 +  ((int64_t)a[ 3]) * a[ 4]) * 2;
+    int64_t t8   = (((int64_t)a[ 0]) * a[ 8]
+                 +  ((int64_t)a[ 1]) * a[ 7]
+                 +  ((int64_t)a[ 2]) * a[ 6]
+                 +  ((int64_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int64_t)a[ 4]) * a[ 4];
+    int64_t t9   = (((int64_t)a[ 0]) * a[ 9]
+                 +  ((int64_t)a[ 1]) * a[ 8]
+                 +  ((int64_t)a[ 2]) * a[ 7]
+                 +  ((int64_t)a[ 3]) * a[ 6]
+                 +  ((int64_t)a[ 4]) * a[ 5]) * 2;
+    int64_t t10  = (((int64_t)a[ 0]) * a[10]
+                 +  ((int64_t)a[ 1]) * a[ 9]
+                 +  ((int64_t)a[ 2]) * a[ 8]
+                 +  ((int64_t)a[ 3]) * a[ 7]
+                 +  ((int64_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int64_t)a[ 5]) * a[ 5];
+    int64_t t11  = (((int64_t)a[ 0]) * a[11]
+                 +  ((int64_t)a[ 1]) * a[10]
+                 +  ((int64_t)a[ 2]) * a[ 9]
+                 +  ((int64_t)a[ 3]) * a[ 8]
+                 +  ((int64_t)a[ 4]) * a[ 7]
+                 +  ((int64_t)a[ 5]) * a[ 6]) * 2;
+    int64_t t12  = (((int64_t)a[ 0]) * a[12]
+                 +  ((int64_t)a[ 1]) * a[11]
+                 +  ((int64_t)a[ 2]) * a[10]
+                 +  ((int64_t)a[ 3]) * a[ 9]
+                 +  ((int64_t)a[ 4]) * a[ 8]
+                 +  ((int64_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int64_t)a[ 6]) * a[ 6];
+    int64_t t13  = (((int64_t)a[ 0]) * a[13]
+                 +  ((int64_t)a[ 1]) * a[12]
+                 +  ((int64_t)a[ 2]) * a[11]
+                 +  ((int64_t)a[ 3]) * a[10]
+                 +  ((int64_t)a[ 4]) * a[ 9]
+                 +  ((int64_t)a[ 5]) * a[ 8]
+                 +  ((int64_t)a[ 6]) * a[ 7]) * 2;
+    int64_t t14  = (((int64_t)a[ 0]) * a[14]
+                 +  ((int64_t)a[ 1]) * a[13]
+                 +  ((int64_t)a[ 2]) * a[12]
+                 +  ((int64_t)a[ 3]) * a[11]
+                 +  ((int64_t)a[ 4]) * a[10]
+                 +  ((int64_t)a[ 5]) * a[ 9]
+                 +  ((int64_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int64_t)a[ 7]) * a[ 7];
+    int64_t t15  = (((int64_t)a[ 1]) * a[14]
+                 +  ((int64_t)a[ 2]) * a[13]
+                 +  ((int64_t)a[ 3]) * a[12]
+                 +  ((int64_t)a[ 4]) * a[11]
+                 +  ((int64_t)a[ 5]) * a[10]
+                 +  ((int64_t)a[ 6]) * a[ 9]
+                 +  ((int64_t)a[ 7]) * a[ 8]) * 2;
+    int64_t t16  = (((int64_t)a[ 2]) * a[14]
+                 +  ((int64_t)a[ 3]) * a[13]
+                 +  ((int64_t)a[ 4]) * a[12]
+                 +  ((int64_t)a[ 5]) * a[11]
+                 +  ((int64_t)a[ 6]) * a[10]
+                 +  ((int64_t)a[ 7]) * a[ 9]) * 2
+                 +  ((int64_t)a[ 8]) * a[ 8];
+    int64_t t17  = (((int64_t)a[ 3]) * a[14]
+                 +  ((int64_t)a[ 4]) * a[13]
+                 +  ((int64_t)a[ 5]) * a[12]
+                 +  ((int64_t)a[ 6]) * a[11]
+                 +  ((int64_t)a[ 7]) * a[10]
+                 +  ((int64_t)a[ 8]) * a[ 9]) * 2;
+    int64_t t18  = (((int64_t)a[ 4]) * a[14]
+                 +  ((int64_t)a[ 5]) * a[13]
+                 +  ((int64_t)a[ 6]) * a[12]
+                 +  ((int64_t)a[ 7]) * a[11]
+                 +  ((int64_t)a[ 8]) * a[10]) * 2
+                 +  ((int64_t)a[ 9]) * a[ 9];
+    int64_t t19  = (((int64_t)a[ 5]) * a[14]
+                 +  ((int64_t)a[ 6]) * a[13]
+                 +  ((int64_t)a[ 7]) * a[12]
+                 +  ((int64_t)a[ 8]) * a[11]
+                 +  ((int64_t)a[ 9]) * a[10]) * 2;
+    int64_t t20  = (((int64_t)a[ 6]) * a[14]
+                 +  ((int64_t)a[ 7]) * a[13]
+                 +  ((int64_t)a[ 8]) * a[12]
+                 +  ((int64_t)a[ 9]) * a[11]) * 2
+                 +  ((int64_t)a[10]) * a[10];
+    int64_t t21  = (((int64_t)a[ 7]) * a[14]
+                 +  ((int64_t)a[ 8]) * a[13]
+                 +  ((int64_t)a[ 9]) * a[12]
+                 +  ((int64_t)a[10]) * a[11]) * 2;
+    int64_t t22  = (((int64_t)a[ 8]) * a[14]
+                 +  ((int64_t)a[ 9]) * a[13]
+                 +  ((int64_t)a[10]) * a[12]) * 2
+                 +  ((int64_t)a[11]) * a[11];
+    int64_t t23  = (((int64_t)a[ 9]) * a[14]
+                 +  ((int64_t)a[10]) * a[13]
+                 +  ((int64_t)a[11]) * a[12]) * 2;
+    int64_t t24  = (((int64_t)a[10]) * a[14]
+                 +  ((int64_t)a[11]) * a[13]) * 2
+                 +  ((int64_t)a[12]) * a[12];
+    int64_t t25  = (((int64_t)a[11]) * a[14]
+                 +  ((int64_t)a[12]) * a[13]) * 2;
+    int64_t t26  = (((int64_t)a[12]) * a[14]) * 2
+                 +  ((int64_t)a[13]) * a[13];
+    int64_t t27  = (((int64_t)a[13]) * a[14]) * 2;
+    int64_t t28  =  ((int64_t)a[14]) * a[14];
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    t19  += t18 >> 26; r[18] = t18 & 0x3ffffff;
+    t20  += t19 >> 26; r[19] = t19 & 0x3ffffff;
+    t21  += t20 >> 26; r[20] = t20 & 0x3ffffff;
+    t22  += t21 >> 26; r[21] = t21 & 0x3ffffff;
+    t23  += t22 >> 26; r[22] = t22 & 0x3ffffff;
+    t24  += t23 >> 26; r[23] = t23 & 0x3ffffff;
+    t25  += t24 >> 26; r[24] = t24 & 0x3ffffff;
+    t26  += t25 >> 26; r[25] = t25 & 0x3ffffff;
+    t27  += t26 >> 26; r[26] = t26 & 0x3ffffff;
+    t28  += t27 >> 26; r[27] = t27 & 0x3ffffff;
+    r[29] = (sp_digit)(t28 >> 26);
+                       r[28] = t28 & 0x3ffffff;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_15(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_15(r, a);
+    sp_384_mont_reduce_15(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_15(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_15(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_15(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint32_t p384_mod_minus_2[12] = {
+    0xfffffffdU,0x00000000U,0x00000000U,0xffffffffU,0xfffffffeU,0xffffffffU,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_15(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 15);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_15(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_384_mont_mul_15(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 15);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 15;
+    sp_digit* t3 = td + 4 * 15;
+    sp_digit* t4 = td + 6 * 15;
+    sp_digit* t5 = td + 8 * 15;
+
+    /* 0x2 */
+    sp_384_mont_sqr_15(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_15(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_15(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_15(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_15(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_15(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_15(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_15(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_15(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_15(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_15(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_15(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_15(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_15(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_15(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_15(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_15(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_15(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_15(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_15(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_15(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_15(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_15(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_15(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_15(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_15(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_15(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_15(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*15;
+    int32_t n;
+
+    sp_384_mont_inv_15(t1, p->z, t + 2*15);
+
+    sp_384_mont_sqr_15(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_15(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_15(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 15, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_15(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_15(r->x, p384_mod);
+    sp_384_cond_sub_15(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_15(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 15, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_15(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_15(r->y, p384_mod);
+    sp_384_cond_sub_15(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_add_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_add_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+    r[ 9] = a[ 9] + b[ 9];
+    r[10] = a[10] + b[10];
+    r[11] = a[11] + b[11];
+    r[12] = a[12] + b[12];
+    r[13] = a[13] + b[13];
+    r[14] = a[14] + b[14];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_add_15(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_384_add_15(r, a, b);
+    sp_384_norm_15(r);
+    sp_384_cond_sub_15(r, r, m, 0 - (((r[14] >> 20) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_dbl_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_384_add_15(r, a, a);
+    sp_384_norm_15(r);
+    sp_384_cond_sub_15(r, r, m, 0 - (((r[14] >> 20) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_tpl_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_384_add_15(r, a, a);
+    sp_384_norm_15(r);
+    sp_384_cond_sub_15(r, r, m, 0 - (((r[14] >> 20) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r);
+    (void)sp_384_add_15(r, r, a);
+    sp_384_norm_15(r);
+    sp_384_cond_sub_15(r, r, m, 0 - (((r[14] >> 20) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_15(r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_sub_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_sub_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] - b[ 0];
+    r[ 1] = a[ 1] - b[ 1];
+    r[ 2] = a[ 2] - b[ 2];
+    r[ 3] = a[ 3] - b[ 3];
+    r[ 4] = a[ 4] - b[ 4];
+    r[ 5] = a[ 5] - b[ 5];
+    r[ 6] = a[ 6] - b[ 6];
+    r[ 7] = a[ 7] - b[ 7];
+    r[ 8] = a[ 8] - b[ 8];
+    r[ 9] = a[ 9] - b[ 9];
+    r[10] = a[10] - b[10];
+    r[11] = a[11] - b[11];
+    r[12] = a[12] - b[12];
+    r[13] = a[13] - b[13];
+    r[14] = a[14] - b[14];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_384_cond_add_15(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] + (b[ 0] & m);
+    r[ 1] = a[ 1] + (b[ 1] & m);
+    r[ 2] = a[ 2] + (b[ 2] & m);
+    r[ 3] = a[ 3] + (b[ 3] & m);
+    r[ 4] = a[ 4] + (b[ 4] & m);
+    r[ 5] = a[ 5] + (b[ 5] & m);
+    r[ 6] = a[ 6] + (b[ 6] & m);
+    r[ 7] = a[ 7] + (b[ 7] & m);
+    r[ 8] = a[ 8] + (b[ 8] & m);
+    r[ 9] = a[ 9] + (b[ 9] & m);
+    r[10] = a[10] + (b[10] & m);
+    r[11] = a[11] + (b[11] & m);
+    r[12] = a[12] + (b[12] & m);
+    r[13] = a[13] + (b[13] & m);
+    r[14] = a[14] + (b[14] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_sub_15(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_384_sub_15(r, a, b);
+    sp_384_cond_add_15(r, r, m, r[14] >> 20);
+    sp_384_norm_15(r);
+}
+
+/* Shift number left one bit.
+ * Bottom bit is lost.
+ *
+ * r  Result of shift.
+ * a  Number to shift.
+ */
+SP_NOINLINE static void sp_384_rshift1_15(sp_digit* r, sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<14; i++) {
+        r[i] = ((a[i] >> 1) | (a[i + 1] << 25)) & 0x3ffffff;
+    }
+#else
+    r[0] = ((a[0] >> 1) | (a[1] << 25)) & 0x3ffffff;
+    r[1] = ((a[1] >> 1) | (a[2] << 25)) & 0x3ffffff;
+    r[2] = ((a[2] >> 1) | (a[3] << 25)) & 0x3ffffff;
+    r[3] = ((a[3] >> 1) | (a[4] << 25)) & 0x3ffffff;
+    r[4] = ((a[4] >> 1) | (a[5] << 25)) & 0x3ffffff;
+    r[5] = ((a[5] >> 1) | (a[6] << 25)) & 0x3ffffff;
+    r[6] = ((a[6] >> 1) | (a[7] << 25)) & 0x3ffffff;
+    r[7] = ((a[7] >> 1) | (a[8] << 25)) & 0x3ffffff;
+    r[8] = ((a[8] >> 1) | (a[9] << 25)) & 0x3ffffff;
+    r[9] = ((a[9] >> 1) | (a[10] << 25)) & 0x3ffffff;
+    r[10] = ((a[10] >> 1) | (a[11] << 25)) & 0x3ffffff;
+    r[11] = ((a[11] >> 1) | (a[12] << 25)) & 0x3ffffff;
+    r[12] = ((a[12] >> 1) | (a[13] << 25)) & 0x3ffffff;
+    r[13] = ((a[13] >> 1) | (a[14] << 25)) & 0x3ffffff;
+#endif
+    r[14] = a[14] >> 1;
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_384_div2_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_384_cond_add_15(r, a, m, 0 - (a[0] & 1));
+    sp_384_norm_15(r);
+    sp_384_rshift1_15(r, r);
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_15(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*15;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_15(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_15(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_15(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_15(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_15(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_15(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_15(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_15(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_15(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_15(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_15(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_15(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_15(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_15(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_15(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_15(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_15(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_15(y, y, t2, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_15(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9]) | (a[10] ^ b[10]) | (a[11] ^ b[11]) |
+            (a[12] ^ b[12]) | (a[13] ^ b[13]) | (a[14] ^ b[14])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_15(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*15;
+    sp_digit* t3 = t + 4*15;
+    sp_digit* t4 = t + 6*15;
+    sp_digit* t5 = t + 8*15;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_15(t1, p384_mod, q->y);
+    sp_384_norm_15(t1);
+    if ((sp_384_cmp_equal_15(p->x, q->x) & sp_384_cmp_equal_15(p->z, q->z) &
+        (sp_384_cmp_equal_15(p->y, q->y) | sp_384_cmp_equal_15(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_15(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<15; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<15; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<15; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_15(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_15(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_15(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_15(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_15(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_15(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_15(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_15(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_15(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_15(x, x, t5, p384_mod);
+        sp_384_mont_dbl_15(t1, y, p384_mod);
+        sp_384_mont_sub_15(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_15(y, y, x, p384_mod);
+        sp_384_mont_mul_15(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_15(y, y, t5, p384_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_15(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifdef WOLFSSL_SP_NO_MALLOC
+    sp_point_384 t[3];
+    sp_digit tmp[2 * 15 * 6];
+#else
+    sp_point_384* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+
+        /* t[0] = {0, 0, 1} * norm */
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_384_mod_mul_norm_15(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_15(t[1].y, g->y, p384_mod);
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_15(t[1].z, g->z, p384_mod);
+
+    if (err == MP_OKAY) {
+        i = 14;
+        c = 20;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_384_proj_point_add_15(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                   ((size_t)&t[1] & addr_mask[y])),
+                    sizeof(sp_point_384));
+            sp_384_proj_point_dbl_15(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                            ((size_t)&t[1] & addr_mask[y])), &t[2],
+                    sizeof(sp_point_384));
+        }
+
+        if (map != 0) {
+            sp_384_map_15(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_384));
+        }
+    }
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 15 * 6);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_15(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 t[3];
+    sp_digit tmp[2 * 15 * 6];
+#else
+    sp_point_384* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point*)XMALLOC(sizeof(*t) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        t[1].infinity = 0;
+        err = sp_384_mod_mul_norm_15(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_15(t[1].y, g->y, p384_mod);
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_15(t[1].z, g->z, p384_mod);
+
+    if (err == MP_OKAY) {
+        i = 14;
+        c = 20;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_384_proj_point_add_15(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                 ((size_t)&t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_384_proj_point_dbl_15(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                          ((size_t)&t[1] & addr_mask[y])), &t[2], sizeof(t[2]));
+        }
+
+        if (map != 0) {
+            sp_384_map_15(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 15 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#else
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[15];
+    sp_digit y[15];
+} sp_table_entry_384;
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_fast_15(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[16];
+    sp_point_384 rtd;
+    sp_digit tmpd[2 * 15 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_15(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_384_mod_mul_norm_15(t[1].x, g->x, p384_mod);
+        (void)sp_384_mod_mul_norm_15(t[1].y, g->y, p384_mod);
+        (void)sp_384_mod_mul_norm_15(t[1].z, g->z, p384_mod);
+        t[1].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_384_proj_point_add_15(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_384_proj_point_add_15(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_384_proj_point_add_15(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_384_proj_point_add_15(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_384_proj_point_add_15(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_384_proj_point_add_15(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_384_proj_point_dbl_15(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_384_proj_point_add_15(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 13;
+        n = k[i+1] << 6;
+        c = 16;
+        y = n >> 22;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_384));
+        n <<= 10;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--] << (6 - c);
+                c += 26;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_384_proj_point_dbl_15(rt, rt, tmp);
+            sp_384_proj_point_dbl_15(rt, rt, tmp);
+            sp_384_proj_point_dbl_15(rt, rt, tmp);
+            sp_384_proj_point_dbl_15(rt, rt, tmp);
+
+            sp_384_proj_point_add_15(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_15(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 15 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_384_point_free_15(rt, 1, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_15(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*15;
+    sp_digit* b = t + 4*15;
+    sp_digit* t1 = t + 6*15;
+    sp_digit* t2 = t + 8*15;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_15(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_15(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_15(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_15(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_15(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_15(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_15(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_15(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_15(t2, b, p384_mod);
+        sp_384_mont_sub_15(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_15(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_15(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_15(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_15(y, b, x, p384_mod);
+        sp_384_mont_mul_15(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_15(y, y, p384_mod);
+        sp_384_mont_sub_15(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_15(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_15(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_15(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_15(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_15(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_15(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_15(t2, b, p384_mod);
+    sp_384_mont_sub_15(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_15(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_15(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_15(y, b, x, p384_mod);
+    sp_384_mont_mul_15(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_15(y, y, p384_mod);
+    sp_384_mont_sub_15(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_15(y, y, p384_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_15(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*15;
+    sp_digit* t3 = t + 4*15;
+    sp_digit* t4 = t + 6*15;
+    sp_digit* t5 = t + 8*15;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_15(t1, p384_mod, q->y);
+    sp_384_norm_15(t1);
+    if ((sp_384_cmp_equal_15(p->x, q->x) & sp_384_cmp_equal_15(p->z, q->z) &
+        (sp_384_cmp_equal_15(p->y, q->y) | sp_384_cmp_equal_15(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_15(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<15; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<15; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<15; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_15(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_15(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_15(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_15(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_15(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_15(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_15(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_15(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_15(t1, t3, p384_mod);
+        sp_384_mont_sub_15(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_15(t3, t3, x, p384_mod);
+        sp_384_mont_mul_15(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_15(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_15(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 15;
+    sp_digit* tmp = t + 4 * 15;
+
+    sp_384_mont_inv_15(t1, a->z, tmp);
+
+    sp_384_mont_sqr_15(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_15(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_15(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_15(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_15(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_15(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_15(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_15(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_15(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_15(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_15(t, 48, tmp);
+            sp_384_proj_to_affine_15(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_15(t, s1, s2, tmp);
+                sp_384_proj_to_affine_15(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_15(s2, 0, heap);
+    sp_384_point_free_15(s1, 0, heap);
+    sp_384_point_free_15( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_15(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 15 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_15(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_15(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_15(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_15(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(p, 0, heap);
+    sp_384_point_free_15(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[15];
+    sp_digit y[15];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_15(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_15(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_15(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_15(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 15 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_15(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_15(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_15(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[15];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_15(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 15, km);
+        sp_384_point_from_ecc_point_15(point, gm);
+
+            err = sp_384_ecc_mulmod_15(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_15(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_15(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_384_ecc_mulmod_15(r, &p384_base, k, map, heap);
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_15(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_384_ecc_mulmod_15(r, &p384_base, k, map, heap);
+}
+
+#else
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x1c0b528,0x01d5992,0x0e383dd,0x38a835b,0x220e378,0x106d35b,
+        0x1c3afc5,0x03bfe1e,0x28459a3,0x2d91521,0x214ede2,0x0bfdc8d,
+        0x2151381,0x3708a67,0x004d3aa },
+      { 0x303a4fe,0x10f6b52,0x29ac230,0x2fdeed2,0x0a1bfa8,0x3a0ec14,
+        0x2de7562,0x3ff662e,0x21968f4,0x031b0d4,0x3969a84,0x2000898,
+        0x1c5e9dd,0x2f09685,0x002b78a } },
+    /* 2 */
+    { { 0x30c535b,0x191d4ca,0x2296298,0x14dc141,0x090dd69,0x05aae6b,
+        0x0cd6b42,0x35da80e,0x3b7be12,0x2cf7e6d,0x1f347bd,0x3d365e1,
+        0x1448913,0x32704fa,0x00222c5 },
+      { 0x280dc64,0x39e5bc9,0x24175f8,0x2dd60d4,0x0120e7c,0x041d02e,
+        0x0b5d8ad,0x37b9895,0x2fb5337,0x1f0e2e3,0x14f0224,0x2230b86,
+        0x1bc4cf6,0x17cdb09,0x007b5c7 } },
+    /* 3 */
+    { { 0x2dffea5,0x28f30e7,0x29fce26,0x070df5f,0x235bbfd,0x2f78fbd,
+        0x27700d9,0x23d6bc3,0x3471a53,0x0c0e03a,0x05bf9eb,0x276a2ec,
+        0x20c3e2e,0x31cc691,0x00dbb93 },
+      { 0x126b605,0x2e8983d,0x153737d,0x23bf5e1,0x295d497,0x35ca812,
+        0x2d793ae,0x16c6893,0x3777600,0x089a520,0x1e681f8,0x3d55ee6,
+        0x154ef99,0x155f592,0x00ae5f9 } },
+    /* 4 */
+    { { 0x26feef9,0x20315fc,0x1240244,0x250e838,0x3c31a26,0x1cf8af1,
+        0x1002c32,0x3b531cd,0x1c53ef1,0x22310ba,0x3f4948e,0x22eafd9,
+        0x3863202,0x3d0e2a5,0x006a502 },
+      { 0x34536fe,0x04e91ad,0x30ebf5f,0x2af62a7,0x01d218b,0x1c8c9da,
+        0x336bcc3,0x23060c3,0x331576e,0x1b14c5e,0x1bbcb76,0x0755e9a,
+        0x3d4dcef,0x24c2cf8,0x00917c4 } },
+    /* 5 */
+    { { 0x349ddd0,0x09b8bb8,0x0250114,0x3e66cbf,0x29f117e,0x3005d29,
+        0x36b480e,0x2119bfc,0x2761845,0x253d2f7,0x0580604,0x0bb6db4,
+        0x3ca922f,0x1744677,0x008adc7 },
+      { 0x3d5a7ce,0x27425ed,0x11e9a61,0x3968d10,0x3874275,0x3692d3b,
+        0x03e0470,0x0763d50,0x3d97790,0x3cbaeab,0x2747170,0x18faf3a,
+        0x180365e,0x2511fe7,0x0012a36 } },
+    /* 6 */
+    { { 0x3c52870,0x2701e93,0x296128f,0x120694e,0x1ce0b37,0x3860a36,
+        0x10fa180,0x0896b55,0x2f76adb,0x22892ae,0x2e58a34,0x07b4295,
+        0x2cb62d1,0x079a522,0x00f3d81 },
+      { 0x061ed22,0x2375dd3,0x3c9d861,0x3e602d1,0x10bb747,0x39ae156,
+        0x3f796fd,0x087a48a,0x06d680a,0x37f7f47,0x2af2c9d,0x36c55dc,
+        0x10f3dc0,0x279b07a,0x00a0937 } },
+    /* 7 */
+    { { 0x085c629,0x319bbf8,0x089a386,0x184256f,0x15fc2a4,0x00fd2d0,
+        0x13d6312,0x363d44d,0x32b7e4b,0x25f2865,0x27df8ce,0x1dce02a,
+        0x24ea3b0,0x0e27b9f,0x00d8a90 },
+      { 0x3b14461,0x1d371f9,0x0f781bc,0x0503271,0x0dc2cb0,0x13bc284,
+        0x34b3a68,0x1ff894a,0x25d2032,0x16f79ba,0x260f961,0x07b10d5,
+        0x18173b7,0x2812e2b,0x00eede5 } },
+    /* 8 */
+    { { 0x13b9a2d,0x132ece2,0x0c5d558,0x02c0214,0x1820c66,0x37cb50f,
+        0x26d8267,0x3a00504,0x3f00109,0x33756ee,0x38172f1,0x2e4bb8c,
+        0x030d985,0x3e4fcc5,0x00609d4 },
+      { 0x2daf9d6,0x16681fa,0x1fb01e0,0x1b03c49,0x370e653,0x183c839,
+        0x2207515,0x0ea6b58,0x1ae7aaf,0x3a96522,0x24bae14,0x1c38bd9,
+        0x082497b,0x1c05db4,0x000dd03 } },
+    /* 9 */
+    { { 0x110521f,0x04efa21,0x0c174cc,0x2a7dc93,0x387315b,0x14f7098,
+        0x1d83bb3,0x2495ed2,0x2fe0c27,0x1e2d9df,0x093c953,0x0287073,
+        0x02c9951,0x336291c,0x0033e30 },
+      { 0x208353f,0x3f22748,0x2b2bf0f,0x2373b50,0x10170fa,0x1b8a97d,
+        0x0851ed2,0x0b25824,0x055ecb5,0x12049d9,0x3fe1adf,0x11b1385,
+        0x28eab06,0x11fac21,0x00513f0 } },
+    /* 10 */
+    { { 0x35bdf53,0x1847d37,0x1a6dc07,0x29d62c4,0x045d331,0x313b8e5,
+        0x165daf1,0x1e34562,0x3e75a58,0x16ea2fa,0x02dd302,0x3302862,
+        0x3eb8bae,0x2266a48,0x00cf2a3 },
+      { 0x24fd048,0x324a074,0x025df98,0x1662eec,0x3841bfb,0x26ae754,
+        0x1df8cec,0x0113ae3,0x0b67fef,0x094e293,0x2323666,0x0ab087c,
+        0x2f06509,0x0e142d9,0x00a919d } },
+    /* 11 */
+    { { 0x1d480d8,0x00ed021,0x3a7d3db,0x1e46ca1,0x28cd9f4,0x2a3ceeb,
+        0x24dc754,0x0624a3c,0x0003db4,0x1520bae,0x1c56e0f,0x2fe7ace,
+        0x1dc6f38,0x0c826a4,0x008b977 },
+      { 0x209cfc2,0x2c16c9c,0x1b70a31,0x21416cb,0x34c49bf,0x186549e,
+        0x062498d,0x146e959,0x0391fac,0x08ff944,0x2b4b834,0x013d57a,
+        0x2eabffb,0x0370131,0x00c07c1 } },
+    /* 12 */
+    { { 0x332f048,0x0bf9336,0x16dfad2,0x2451d7b,0x35f23bf,0x299adb2,
+        0x0ce0c0a,0x0170294,0x289f034,0x2b7d89e,0x395e2d6,0x1d20df7,
+        0x2e64e36,0x16dae90,0x00081c9 },
+      { 0x31d6ceb,0x0f80db9,0x0271eba,0x33db1ac,0x1b45bcc,0x1a11c07,
+        0x347e630,0x148fd9e,0x142e712,0x3183e3e,0x1cd47ad,0x108d1c9,
+        0x09cbb82,0x35e61d9,0x0083027 } },
+    /* 13 */
+    { { 0x215b0b8,0x0a7a98d,0x2c41b39,0x3f69536,0x0b41441,0x16da8da,
+        0x15d556b,0x3c17a26,0x129167e,0x3ea0351,0x2d25a27,0x2f2d285,
+        0x15b68f6,0x2931ef5,0x00210d6 },
+      { 0x1351130,0x012aec9,0x37ebf38,0x26640f8,0x01d2df6,0x2130972,
+        0x201efc0,0x23a457c,0x087a1c6,0x14c68a3,0x163f62a,0x36b494d,
+        0x015d481,0x39c35b1,0x005dd6d } },
+    /* 14 */
+    { { 0x06612ce,0x11c3f61,0x199729f,0x3b36863,0x2986f3e,0x3cd2be1,
+        0x04c1612,0x2be2dae,0x00846dd,0x3d7bc29,0x249e795,0x1016803,
+        0x37a3714,0x2c5aa8b,0x005f491 },
+      { 0x341b38d,0x01eb936,0x3caac7f,0x27863ef,0x1ef7d11,0x1110ec6,
+        0x18e0761,0x26498e8,0x01a79a1,0x390d5a1,0x22226fb,0x3d2a473,
+        0x0872191,0x1230f32,0x00dc772 } },
+    /* 15 */
+    { { 0x0b1ec9d,0x03fc6b9,0x3706d57,0x03b9fbb,0x221d23e,0x2867821,
+        0x1e40f4c,0x2c9c0f3,0x3c4cd4b,0x31f5948,0x3f13aa6,0x307c1b2,
+        0x04b6016,0x116b453,0x005aa72 },
+      { 0x0b74de8,0x20519d1,0x134e37f,0x05d882a,0x1839e7a,0x3a2c6a8,
+        0x0d14e8d,0x1d78bdd,0x251f30d,0x3a1e27e,0x081c261,0x2c9014b,
+        0x165ee09,0x19e0cf1,0x00654e2 } },
+    /* 16 */
+    { { 0x39fbe67,0x081778b,0x0e44378,0x20dfdca,0x1c4afcb,0x20b803c,
+        0x0ec06c6,0x1508f6f,0x1c3114d,0x3bca851,0x3a52463,0x07661d1,
+        0x17b0aa0,0x16c5f5c,0x00fc093 },
+      { 0x0d01f95,0x0ef13f5,0x2d34965,0x2a25582,0x39aa83e,0x3e38fcf,
+        0x3943dca,0x385bbdd,0x210e86f,0x3dc1dd2,0x3f9ffdc,0x18b9bc6,
+        0x345c96b,0x0e79621,0x008a72f } },
+    /* 17 */
+    { { 0x341c342,0x3793688,0x042273a,0x153a9c1,0x3dd326e,0x1d073bc,
+        0x2c7d983,0x05524cd,0x00d59e6,0x347abe8,0x3d9a3ef,0x0fb624a,
+        0x2c7e4cd,0x09b3171,0x0003faf },
+      { 0x045f8ac,0x38bf3cc,0x1e73087,0x0c85d3c,0x314a655,0x382be69,
+        0x384f28f,0x24d6cb3,0x2842cdc,0x1777f5e,0x2929c89,0x03c45ed,
+        0x3cfcc4c,0x0b59322,0x0035657 } },
+    /* 18 */
+    { { 0x18c1bba,0x2eb005f,0x33d57ec,0x30e42c3,0x36058f9,0x1865f43,
+        0x2116e3f,0x2c4a2bb,0x0684033,0x0f1375c,0x0209b98,0x2136e9b,
+        0x1bc4af0,0x0b3e0c7,0x0097c7c },
+      { 0x16010e8,0x398777e,0x2a172f4,0x0814a7e,0x0d97e4e,0x274dfc8,
+        0x2666606,0x1b5c93b,0x1ed3d36,0x3f3304e,0x13488e0,0x02dbb88,
+        0x2d53369,0x3717ce9,0x007cad1 } },
+    /* 19 */
+    { { 0x257a41f,0x2a6a076,0x39b6660,0x04bb000,0x1e74a04,0x3876b45,
+        0x343c6b5,0x0753108,0x3f54668,0x24a13cf,0x23749e8,0x0421fc5,
+        0x32f13b5,0x0f31be7,0x00070f2 },
+      { 0x1186e14,0x0847697,0x0dff542,0x0dff76c,0x084748f,0x2c7d060,
+        0x23aab4d,0x0b43906,0x27ba640,0x1497b59,0x02f5835,0x0a492a4,
+        0x0a6892f,0x39f3e91,0x005844e } },
+    /* 20 */
+    { { 0x33b236f,0x02181cf,0x21dafab,0x0760788,0x019e9d4,0x249ed0a,
+        0x36571e3,0x3c7dbcf,0x1337550,0x010d22a,0x285e62f,0x19ee65a,
+        0x052bf71,0x1d65fd5,0x0062d43 },
+      { 0x2955926,0x3fae7bc,0x0353d85,0x07db7de,0x1440a56,0x328dad6,
+        0x1668ec9,0x28058e2,0x1a1a22d,0x1014afc,0x3609325,0x3effdcb,
+        0x209f3bd,0x3ca3888,0x0094e50 } },
+    /* 21 */
+    { { 0x062e8af,0x0b96ccc,0x136990b,0x1d7a28f,0x1a85723,0x0076dec,
+        0x21b00b2,0x06a88ff,0x2f0ee65,0x1fa49b7,0x39b10ad,0x10b26fa,
+        0x0be7465,0x026e8bf,0x00098e3 },
+      { 0x3f1d63f,0x37bacff,0x1374779,0x02882ff,0x323d0e8,0x1da3de5,
+        0x12bb3b8,0x0a15a11,0x34d1f95,0x2b3dd6e,0x29ea3fa,0x39ad000,
+        0x33a538f,0x390204d,0x0012bd3 } },
+    /* 22 */
+    { { 0x04cbba5,0x0de0344,0x1d4cc02,0x11fe8d7,0x36207e7,0x32a6da8,
+        0x0239281,0x1ec40d7,0x3e89798,0x213fc66,0x0022eee,0x11daefe,
+        0x3e74db8,0x28534ee,0x00aa0a4 },
+      { 0x07d4543,0x250cc46,0x206620f,0x1c1e7db,0x1321538,0x31fa0b8,
+        0x30f74ea,0x01aae0e,0x3a2828f,0x3e9dd22,0x026ef35,0x3c0a62b,
+        0x27dbdc5,0x01c23a6,0x000f0c5 } },
+    /* 23 */
+    { { 0x2f029dd,0x3091337,0x21b80c5,0x21e1419,0x13dabc6,0x3847660,
+        0x12b865f,0x36eb666,0x38f6274,0x0ba6006,0x098da24,0x1398c64,
+        0x13d08e5,0x246a469,0x009929a },
+      { 0x1285887,0x3ff5c8d,0x010237b,0x097c506,0x0bc7594,0x34b9b88,
+        0x00cc35f,0x0bb964a,0x00cfbc4,0x29cd718,0x0837619,0x2b4a192,
+        0x0c57bb7,0x08c69de,0x00a3627 } },
+    /* 24 */
+    { { 0x1361ed8,0x266d724,0x366cae7,0x1d5b18c,0x247d71b,0x2c9969a,
+        0x0dd5211,0x1edd153,0x25998d7,0x0380856,0x3ab29db,0x09366de,
+        0x1e53644,0x2b31ff6,0x008b0ff },
+      { 0x3b5d9ef,0x217448d,0x174746d,0x18afea4,0x15b106d,0x3e66e8b,
+        0x0479f85,0x13793b4,0x1231d10,0x3c39bce,0x25e8983,0x2a13210,
+        0x05a7083,0x382be04,0x00a9507 } },
+    /* 25 */
+    { { 0x0cf381c,0x1a29b85,0x31ccf6c,0x2f708b8,0x3af9d27,0x2a29732,
+        0x168d4da,0x393488d,0x2c0e338,0x3f90c7b,0x0f52ad1,0x2a0a3fa,
+        0x2cd80f1,0x15e7a1a,0x00db6a0 },
+      { 0x107832a,0x159cb91,0x1289288,0x17e21f9,0x073fc27,0x1584342,
+        0x3802780,0x3d6c197,0x154075f,0x16366d1,0x09f712b,0x23a3ec4,
+        0x29cf23a,0x3218baf,0x0039f0a } },
+    /* 26 */
+    { { 0x052edf5,0x2afde13,0x2e53d8f,0x3969626,0x3dcd737,0x1e46ac5,
+        0x118bf0d,0x01b2652,0x156bcff,0x16d7ef6,0x1ca46d4,0x34c0cbb,
+        0x3e486f6,0x1f85068,0x002cdff },
+      { 0x1f47ec8,0x12cee98,0x0608667,0x18fbbe1,0x08a8821,0x31a1fe4,
+        0x17c7054,0x3c89e89,0x2edf6cd,0x1b8c32c,0x3f6ea84,0x1319329,
+        0x3cd3c2c,0x05f331a,0x00186fa } },
+    /* 27 */
+    { { 0x1fcb91e,0x0fd4d87,0x358a48a,0x04d91b4,0x083595e,0x044a1e6,
+        0x15827b9,0x1d5eaf4,0x2b82187,0x08f3984,0x21bd737,0x0c54285,
+        0x2f56887,0x14c2d98,0x00f4684 },
+      { 0x01896f6,0x0e542d0,0x2090883,0x269dfcf,0x1e11cb8,0x239fd29,
+        0x312cac4,0x19dfacb,0x369f606,0x0cc4f75,0x16579f9,0x33c22cc,
+        0x0f22bfd,0x3b251ae,0x006429c } },
+    /* 28 */
+    { { 0x375f9a4,0x137552e,0x3570498,0x2e4a74e,0x24aef06,0x35b9307,
+        0x384ca23,0x3bcd6d7,0x011b083,0x3c93187,0x392ca9f,0x129ce48,
+        0x0a800ce,0x145d9cc,0x00865d6 },
+      { 0x22b4a2b,0x37f9d9c,0x3e0eca3,0x3e5ec20,0x112c04b,0x2e1ae29,
+        0x3ce5b51,0x0f83200,0x32d6a7e,0x10ff1d8,0x081adbe,0x265c30b,
+        0x216b1c8,0x0eb4483,0x003cbcd } },
+    /* 29 */
+    { { 0x030ce93,0x2d331fb,0x20a2fbf,0x1f6dc9c,0x010ed6c,0x1ed5540,
+        0x275bf74,0x3df0fb1,0x103333f,0x0241c96,0x1075bfc,0x30e5cf9,
+        0x0f31bc7,0x32c01eb,0x00b049e },
+      { 0x358839c,0x1dbabd3,0x1e4fb40,0x36a8ac1,0x2101896,0x2d0319b,
+        0x2033b0a,0x192e8fd,0x2ebc8d8,0x2867ba7,0x07bf6d2,0x1b3c555,
+        0x2477deb,0x198fe09,0x008e5a9 } },
+    /* 30 */
+    { { 0x3fbd5e1,0x18bf77d,0x2b1d69e,0x151da44,0x338ecfe,0x0768efe,
+        0x1a3d56d,0x3c35211,0x10e1c86,0x2012525,0x3bc36ce,0x32b6fe4,
+        0x0c8d183,0x15c93f3,0x0041fce },
+      { 0x332c144,0x24e70a0,0x246e05f,0x22c21c7,0x2b17f24,0x1ba2bfd,
+        0x0534e26,0x318a4f6,0x1dc3b85,0x0c741bc,0x23131b7,0x01a8cba,
+        0x364e5db,0x21362cf,0x00f2951 } },
+    /* 31 */
+    { { 0x2ddc103,0x14ffdcd,0x206fd96,0x0de57bd,0x025f43e,0x381b73a,
+        0x2301fcf,0x3bafc27,0x34130b6,0x0216bc8,0x0ff56b2,0x2c4ad4c,
+        0x23c6b79,0x1267fa6,0x009b4fb },
+      { 0x1d27ac2,0x13e2494,0x1389015,0x38d5b29,0x2d33167,0x3f01969,
+        0x28ec1fa,0x1b26de0,0x2587f74,0x1c25668,0x0c44f83,0x23c6f8c,
+        0x32fdbb1,0x045f104,0x00a7946 } },
+    /* 32 */
+    { { 0x23c647b,0x09addd7,0x1348c04,0x0e633c1,0x1bfcbd9,0x1cb034f,
+        0x1312e31,0x11cdcc7,0x1e6ee75,0x057d27f,0x2da7ee6,0x154c3c1,
+        0x3a5fb89,0x2c2ba2c,0x00cf281 },
+      { 0x1b8a543,0x125cd50,0x1d30fd1,0x29cc203,0x341a625,0x14e4233,
+        0x3aae076,0x289e38a,0x036ba02,0x230f405,0x3b21b8f,0x34088b9,
+        0x01297a0,0x03a75fb,0x00fdc27 } },
+    /* 33 */
+    { { 0x07f41d6,0x1cf032f,0x1641008,0x0f86deb,0x3d97611,0x0e110fe,
+        0x136ff42,0x0b914a9,0x0e241e6,0x180c340,0x1f545fc,0x0ba619d,
+        0x1208c53,0x04223a4,0x00cd033 },
+      { 0x397612c,0x0132665,0x34e2d1a,0x00bba99,0x1d4393e,0x065d0a8,
+        0x2fa69ee,0x1643b55,0x08085f0,0x3774aad,0x08a2243,0x33bf149,
+        0x03f41a5,0x1ed950e,0x0048cc6 } },
+    /* 34 */
+    { { 0x014ab48,0x010c3bf,0x2a744e5,0x13c99c1,0x2195b7f,0x32207fd,
+        0x28a228c,0x004f4bf,0x0e2d945,0x2ec6e5a,0x0b92162,0x1aa95e5,
+        0x2754a93,0x1adcd93,0x004fb76 },
+      { 0x1e1ff7f,0x24ef28c,0x269113f,0x32b393c,0x2696eb5,0x0ac2780,
+        0x354bf8a,0x0ffe3fd,0x09ce58e,0x0163c4f,0x1678c0b,0x15cd1bc,
+        0x292b3b7,0x036ea19,0x00d5420 } },
+    /* 35 */
+    { { 0x1da1265,0x0c2ef5b,0x18dd9a0,0x3f3a25c,0x0f7b4f3,0x0d8196e,
+        0x24931f9,0x090729a,0x1875f72,0x1ef39cb,0x2577585,0x2ed472d,
+        0x136756c,0x20553a6,0x00c7161 },
+      { 0x2e32189,0x283de4b,0x00b2e81,0x0989df7,0x3ef2fab,0x1c7d1a7,
+        0x24f6feb,0x3e16679,0x233dfda,0x06d1233,0x3e6b5df,0x1707132,
+        0x05f7b3f,0x2c00779,0x00fb8df } },
+    /* 36 */
+    { { 0x15bb921,0x117e9d3,0x267ec73,0x2f934ad,0x25c7e04,0x20b5e8f,
+        0x2d3a802,0x2ca911f,0x3f87e47,0x39709dd,0x08488e2,0x2cec400,
+        0x35b4589,0x1f0acba,0x009aad7 },
+      { 0x2ac34ae,0x06f29f6,0x3326d68,0x3949abe,0x02452e4,0x0687b85,
+        0x0879244,0x1eb7832,0x0d4c240,0x31d0ec1,0x3c17a2a,0x17a666f,
+        0x01a06cb,0x3e0929c,0x004dca2 } },
+    /* 37 */
+    { { 0x127bc1a,0x0c72984,0x13be68e,0x26c5fab,0x1a3edd5,0x097d685,
+        0x36b645e,0x385799e,0x394a420,0x39d8885,0x0b1e872,0x13f60ed,
+        0x2ce1b79,0x3c0ecb7,0x007cab3 },
+      { 0x29b3586,0x26fc572,0x0bd7711,0x0913494,0x0a55459,0x31af3c9,
+        0x3633eac,0x3e2105c,0x0c2b1b6,0x0e6f4c2,0x047d38c,0x2b81bd5,
+        0x1fe1c3b,0x04d7cd0,0x0054dcc } },
+    /* 38 */
+    { { 0x03caf0d,0x0d66365,0x313356d,0x2a4897f,0x2ce044e,0x18feb7a,
+        0x1f6a7c5,0x3709e7b,0x14473e8,0x2d8cbae,0x3190dca,0x12d19f8,
+        0x31e3181,0x3cc5b6e,0x002d4f4 },
+      { 0x143b7ca,0x2604728,0x39508d6,0x0cb79f3,0x24ec1ac,0x1ed7fa0,
+        0x3ab5fd3,0x3c76488,0x2e49390,0x03a0985,0x3580461,0x3fd2c81,
+        0x308f0ab,0x38561d6,0x0011b9b } },
+    /* 39 */
+    { { 0x3be682c,0x0c68f4e,0x32dd4ae,0x099d3bb,0x0bc7c5d,0x311f750,
+        0x2fd10a3,0x2e7864a,0x23bc14a,0x13b1f82,0x32e495e,0x1b0f746,
+        0x3cd856a,0x17a4c26,0x00085ee },
+      { 0x02e67fd,0x06a4223,0x2af2f38,0x2038987,0x132083a,0x1b7bb85,
+        0x0d6a499,0x131e43f,0x3035e52,0x278ee3e,0x1d5b08b,0x30d8364,
+        0x2719f8d,0x0b21fc9,0x003a06e } },
+    /* 40 */
+    { { 0x237cac0,0x27d6a1c,0x27945cd,0x2750d61,0x293f0b5,0x253db13,
+        0x04a764e,0x20b4d0e,0x12bb627,0x160c13b,0x0de0601,0x236e2cf,
+        0x2190f0b,0x354d76f,0x004336d },
+      { 0x2ab473a,0x10d54e4,0x1046574,0x1d6f97b,0x0031c72,0x06426a9,
+        0x38678c2,0x0b76cf9,0x04f9920,0x152adf8,0x2977e63,0x1234819,
+        0x198be26,0x061024c,0x00d427d } },
+    /* 41 */
+    { { 0x39b5a31,0x2123d43,0x362a822,0x1a2eab6,0x0bb0034,0x0d5d567,
+        0x3a04723,0x3a10c8c,0x08079ae,0x0d27bda,0x2eb9e1e,0x2619e82,
+        0x39a55a8,0x0c6c7db,0x00c1519 },
+      { 0x174251e,0x13ac2eb,0x295ed26,0x18d2afc,0x037b9b2,0x1258344,
+        0x00921b0,0x1f702d8,0x1bc4da7,0x1c3794f,0x12b1869,0x366eacf,
+        0x16ddf01,0x31ebdc5,0x00ad54e } },
+    /* 42 */
+    { { 0x1efdc58,0x1370d5e,0x0ddb8e7,0x1a53fda,0x1456bd3,0x0c825a9,
+        0x0e74ccd,0x20f41c9,0x3423867,0x139073f,0x3c70d8a,0x131fc85,
+        0x219a2a0,0x34bf986,0x0041199 },
+      { 0x1c05dd2,0x268f80a,0x3da9d38,0x1af9f8f,0x0535f2a,0x30ad37e,
+        0x2cf72d7,0x14a509b,0x1f4fe74,0x259e09d,0x1d23f51,0x0672732,
+        0x08fc463,0x00b6201,0x001e05a } },
+    /* 43 */
+    { { 0x0d5ffe8,0x3238bb5,0x17f275c,0x25b6fa8,0x2f8bb48,0x3b8f2d2,
+        0x059790c,0x18594d4,0x285a47c,0x3d301bb,0x12935d2,0x23ffc96,
+        0x3d7c7f9,0x15c8cbf,0x0034c4a },
+      { 0x20376a2,0x05201ba,0x1e02c4b,0x1413c45,0x02ea5e7,0x39575f0,
+        0x2d76e21,0x113694c,0x011f310,0x0da3725,0x31b7799,0x1cb9195,
+        0x0cfd592,0x22ee4ea,0x00adaa3 } },
+    /* 44 */
+    { { 0x14ed72a,0x031c49f,0x39a34bf,0x192e87d,0x0da0e92,0x130e7a9,
+        0x00258bf,0x144e123,0x2d82a71,0x0294e53,0x3f06c66,0x3d4473a,
+        0x037cd4a,0x3bbfb17,0x00fcebc },
+      { 0x39ae8c1,0x2dd6a9d,0x206ef23,0x332b479,0x2deff59,0x09d5720,
+        0x3526fd2,0x33bf7cf,0x344bb32,0x359316a,0x115bdef,0x1b8468a,
+        0x3813ea9,0x11a8450,0x00ab197 } },
+    /* 45 */
+    { { 0x0837d7d,0x1e1617b,0x0ba443c,0x2f2e3b8,0x2ca5b6f,0x176ed7b,
+        0x2924d9d,0x07294d3,0x104bb4f,0x1cfd3e8,0x398640f,0x1162dc8,
+        0x007ea15,0x2aa75fd,0x004231f },
+      { 0x16e6896,0x01987be,0x0f9d53e,0x1a740ec,0x1554e4c,0x31e1634,
+        0x3cb07b9,0x013eb53,0x39352cb,0x1dfa549,0x0974e7f,0x17c55d2,
+        0x157c85f,0x1561adb,0x002e3fa } },
+    /* 46 */
+    { { 0x29951a8,0x35200da,0x2ad042c,0x22109e4,0x3a8b15b,0x2eca69c,
+        0x28bcf9a,0x0cfa063,0x0924099,0x12ff668,0x2fb88dc,0x028d653,
+        0x2445876,0x218d01c,0x0014418 },
+      { 0x1caedc7,0x295bba6,0x01c9162,0x3364744,0x28fb12e,0x24c80b6,
+        0x2719673,0x35e5ba9,0x04aa4cc,0x206ab23,0x1cf185a,0x2c140d8,
+        0x1095a7d,0x1b3633f,0x000c9f8 } },
+    /* 47 */
+    { { 0x0b2a556,0x0a051c4,0x30b29a7,0x190c9ed,0x3767ca9,0x38de66d,
+        0x2d9e125,0x3aca813,0x2dc22a3,0x319e074,0x0d9450a,0x3445bac,
+        0x3e08a5b,0x07f29fa,0x00eccac },
+      { 0x02d6e94,0x21113f7,0x321bde6,0x0a4d7b3,0x03621f4,0x2780e8b,
+        0x22d5432,0x1fc2853,0x0d57d3e,0x254f90b,0x33ed00b,0x289b025,
+        0x12272bb,0x30e715f,0x0000297 } },
+    /* 48 */
+    { { 0x0243a7d,0x2aac42e,0x0c5b3aa,0x0fa3e96,0x06eeef9,0x2b9fdd9,
+        0x26fca39,0x0134fe1,0x22661ab,0x1990416,0x03945d6,0x15e3628,
+        0x3848ca3,0x0f91e46,0x00b08cd },
+      { 0x16d2411,0x3717e1d,0x128c45e,0x3669d54,0x0d4a790,0x2797da8,
+        0x0f09634,0x2faab0b,0x27df649,0x3b19b49,0x0467039,0x39b65a2,
+        0x3816f3c,0x31ad0bd,0x0050046 } },
+    /* 49 */
+    { { 0x2425043,0x3858099,0x389092a,0x3f7c236,0x11ff66a,0x3c58b39,
+        0x2f5a7f8,0x1663ce1,0x2a0fcf5,0x38634b7,0x1a8ca18,0x0dcace8,
+        0x0e6f778,0x03ae334,0x00df0d2 },
+      { 0x1bb4045,0x357875d,0x14b77ed,0x33ae5b6,0x2252a47,0x31899dd,
+        0x3293582,0x040c6f6,0x14340dd,0x3614f0e,0x3d5f47f,0x326fb3d,
+        0x0044a9d,0x00beeb9,0x0027c23 } },
+    /* 50 */
+    { { 0x32d49ce,0x34822a3,0x30a22d1,0x00858b7,0x10d91aa,0x2681fd9,
+        0x1cce870,0x2404a71,0x38b8433,0x377c1c8,0x019442c,0x0a38b21,
+        0x22aba50,0x0d61c81,0x002dcbd },
+      { 0x0680967,0x2f0f2f9,0x172cb5f,0x1167e4b,0x12a7bc6,0x05b0da7,
+        0x2c76e11,0x3a36201,0x37a3177,0x1d71419,0x0569df5,0x0dce7ad,
+        0x3f40b75,0x3bd8db0,0x002d481 } },
+    /* 51 */
+    { { 0x2a1103e,0x34e7f7f,0x1b171a2,0x24a57e0,0x2eaae55,0x166c992,
+        0x10aa18f,0x0bb836f,0x01acb59,0x0e430e7,0x1750cca,0x18be036,
+        0x3cc6cdf,0x0a0f7e5,0x00da4d8 },
+      { 0x2201067,0x374d187,0x1f6b0a6,0x165a7ec,0x31531f8,0x3580487,
+        0x15e5521,0x0724522,0x2b04c04,0x202c86a,0x3cc1ccf,0x225b11a,
+        0x1bde79d,0x0eccc50,0x00d24da } },
+    /* 52 */
+    { { 0x3b0a354,0x2814dd4,0x1cd8575,0x3d031b7,0x0392ff2,0x1855ee5,
+        0x0e8cff5,0x203442e,0x3bd3b1b,0x141cf95,0x3fedee1,0x1d783c0,
+        0x26f192a,0x0392aa3,0x0075238 },
+      { 0x158ffe9,0x3889f19,0x14151f4,0x06067b1,0x13a3486,0x1e65c21,
+        0x382d5ef,0x1ab0aac,0x2ffddc4,0x3179b7a,0x3c8d094,0x05101e3,
+        0x237c6e5,0x3947d83,0x00f674f } },
+    /* 53 */
+    { { 0x363408f,0x21eb96b,0x27376fb,0x2a735d6,0x1a39c36,0x3d31863,
+        0x33313fc,0x32235e0,0x082f034,0x23ef351,0x39b3528,0x1a69d84,
+        0x1d9c944,0x07159ad,0x0077a71 },
+      { 0x04f8d65,0x25771e5,0x2ba84a6,0x194586a,0x1e6da5f,0x118059a,
+        0x14e9c32,0x1d24619,0x3f528ae,0x22f22e4,0x0f5580d,0x0747a0e,
+        0x32cc85f,0x286b3a8,0x008ccf9 } },
+    /* 54 */
+    { { 0x196fee2,0x2c4431c,0x094528a,0x18e1d32,0x175799d,0x26bb6b7,
+        0x2293482,0x23fd289,0x07b2be8,0x1a5c533,0x158d60d,0x04a4f3f,
+        0x164e9f7,0x32ccca9,0x00da6b6 },
+      { 0x1d821c2,0x3f76c4f,0x323df43,0x17e4374,0x0f2f278,0x121227e,
+        0x2464190,0x19d2644,0x326d24c,0x3185983,0x0803c15,0x0767a33,
+        0x1c4c996,0x0563eab,0x00631c6 } },
+    /* 55 */
+    { { 0x1752366,0x0baf83f,0x288bacf,0x0384e6f,0x2b93c34,0x3c805e7,
+        0x3664850,0x29e1663,0x254ff1d,0x3852080,0x0f85c16,0x1e389d9,
+        0x3191352,0x3915eaa,0x00a246e },
+      { 0x3763b33,0x187ad14,0x3c0d438,0x3f11702,0x1c49f03,0x35ac7a8,
+        0x3f16bca,0x27266bf,0x08b6fd4,0x0f38ce4,0x37fde8c,0x147a6ff,
+        0x02c5e5c,0x28e7fc5,0x00076a7 } },
+    /* 56 */
+    { { 0x2338d10,0x0e77fa7,0x011b046,0x1bfd0ad,0x28ee699,0x21d73bc,
+        0x0461d1a,0x342ea58,0x2d695b4,0x30415ed,0x2906e0b,0x18e494a,
+        0x20f8a27,0x026b870,0x002c19f },
+      { 0x2f4c43d,0x3f0fc3b,0x0aa95b8,0x2a01ea1,0x3e2e1b1,0x0d74af6,
+        0x0555288,0x0cb757d,0x24d2071,0x143d2bb,0x3907f67,0x3e0ce30,
+        0x131f0e9,0x3724381,0x007a874 } },
+    /* 57 */
+    { { 0x3c27050,0x08b5165,0x0bf884b,0x3dd679c,0x3bd0b8d,0x25ce2e6,
+        0x1674057,0x1f13ed3,0x1f5cd91,0x0d1fd35,0x13ce6e3,0x2671338,
+        0x10f8b90,0x34e5487,0x00942bf },
+      { 0x03b566d,0x23c3da9,0x37de502,0x1a486ff,0x1af6e86,0x1108cb3,
+        0x36f856c,0x01a6a0f,0x179f915,0x1595a01,0x2cfecb8,0x082568b,
+        0x1ba16d1,0x1abb6c0,0x00cf7f0 } },
+    /* 58 */
+    { { 0x2f96c80,0x1b8f123,0x209c0f5,0x2ccf76d,0x1d521f2,0x3705143,
+        0x2941027,0x07f88af,0x07102a9,0x38b4868,0x1efa37d,0x1bdd3e8,
+        0x028a12e,0x02e055b,0x009a9a9 },
+      { 0x1c7dfcb,0x3aa7aa7,0x1d62c54,0x3f0b0b0,0x3c74e66,0x274f819,
+        0x23f9674,0x0e2b67c,0x24654dd,0x0c71f0e,0x1946cee,0x0016211,
+        0x0045dc7,0x0da1173,0x0089856 } },
+    /* 59 */
+    { { 0x0e73946,0x29f353f,0x056329d,0x2d48c5a,0x28f697d,0x2ea4bb1,
+        0x235e9cc,0x34faa38,0x15f9f91,0x3557519,0x2a50a6c,0x1a27c8e,
+        0x2a1a0f3,0x3098879,0x00dcf21 },
+      { 0x1b818bf,0x2f20b98,0x2243cff,0x25b691e,0x3c74a2f,0x2f06833,
+        0x0e980a8,0x32db48d,0x2b57929,0x33cd7f5,0x2fe17d6,0x11a384b,
+        0x2dafb81,0x2b9562c,0x00ddea6 } },
+    /* 60 */
+    { { 0x2787b2e,0x37a21df,0x310d294,0x07ce6a4,0x1258acc,0x3050997,
+        0x19714aa,0x122824b,0x11c708b,0x0462d56,0x21abbf7,0x331aec3,
+        0x307b927,0x3e8d5a0,0x00c0581 },
+      { 0x24d4d58,0x3d628fc,0x23279e0,0x2e38338,0x2febe9b,0x346f9c0,
+        0x3d6a419,0x3264e47,0x245faca,0x3669f62,0x1e50d66,0x3028232,
+        0x18201ab,0x0bdc192,0x0002c34 } },
+    /* 61 */
+    { { 0x17bdbc2,0x1c501c5,0x1605ccd,0x31ab438,0x372fa89,0x24a8057,
+        0x13da2bb,0x3f95ac7,0x3cda0a3,0x1e2b679,0x24f0673,0x03b72f4,
+        0x35be616,0x2ccd849,0x0079d4d },
+      { 0x33497c4,0x0c7f657,0x2fb0d3d,0x3b81064,0x38cafea,0x0e942bc,
+        0x3ca7451,0x2ab9784,0x1678c85,0x3c62098,0x1eb556f,0x01b3aa2,
+        0x149f3ce,0x2656f6d,0x002eef1 } },
+    /* 62 */
+    { { 0x0596edc,0x1f4fad4,0x03a28ed,0x18a4149,0x3aa3593,0x12db40a,
+        0x12c2c2a,0x3b1a288,0x327c4fb,0x35847f5,0x384f733,0x02e3fde,
+        0x1af0e8a,0x2e417c3,0x00d85a6 },
+      { 0x0091cf7,0x2267d75,0x276860e,0x19cbbfc,0x04fef2b,0x030ce59,
+        0x3195cb1,0x1aa3f07,0x3699362,0x2a09d74,0x0d6c840,0x1e413d0,
+        0x28acdc7,0x1ff5ea1,0x0088d8b } },
+    /* 63 */
+    { { 0x3d98425,0x08dc8de,0x154e85f,0x24b1c2c,0x2d44639,0x19a1e8b,
+        0x300ee29,0x053f72e,0x3f7c832,0x12417f6,0x1359368,0x0674a4c,
+        0x1218e20,0x0e4fbd4,0x000428c },
+      { 0x01e909a,0x1d88fe6,0x12da40c,0x215ef86,0x2925133,0x004241f,
+        0x3e480f4,0x2d16523,0x07c3120,0x3375e86,0x21fd8f3,0x35dc0b6,
+        0x0efc5c9,0x14ef8d6,0x0066e47 } },
+    /* 64 */
+    { { 0x2973cf4,0x34d3845,0x34f7070,0x22df93c,0x120aee0,0x3ae2b4a,
+        0x1af9b95,0x177689a,0x036a6a4,0x0377828,0x23df41e,0x22d4a39,
+        0x0df2aa1,0x06ca898,0x0003cc7 },
+      { 0x06b1dd7,0x19dc2a8,0x35d324a,0x0467499,0x25bfa9c,0x1a1110c,
+        0x01e2a19,0x1b3c1cf,0x18d131a,0x10d9815,0x2ee7945,0x0a2720c,
+        0x0ddcdb0,0x2c071b6,0x00a6aef } },
+    /* 65 */
+    { { 0x1ab5245,0x1192d00,0x13ffba1,0x1b71236,0x09b8d0b,0x0eb49cb,
+        0x1867dc9,0x371de4e,0x05eae9f,0x36faf82,0x094ea8b,0x2b9440e,
+        0x022e173,0x2268e6b,0x00740fc },
+      { 0x0e23b23,0x22c28ca,0x04d05e2,0x0bb84c4,0x1235272,0x0289903,
+        0x267a18b,0x0df0fd1,0x32e49bb,0x2ab1d29,0x281e183,0x3dcd3c3,
+        0x1c0eb79,0x2db0ff6,0x00bffe5 } },
+    /* 66 */
+    { { 0x2a2123f,0x0d63d71,0x1f6db1a,0x257f8a3,0x1927b2d,0x06674be,
+        0x302753f,0x20b7225,0x14c1a3f,0x0429cdd,0x377affe,0x0f40a75,
+        0x2d34d06,0x05fb6b9,0x0054398 },
+      { 0x38b83c4,0x1e7bbda,0x1682f79,0x0527651,0x2615cb2,0x1795fab,
+        0x0e4facc,0x11f763c,0x1b81130,0x2010ae2,0x13f3650,0x20d5b72,
+        0x1f32f88,0x34617f4,0x00bf008 } },
+    /* 67 */
+    { { 0x28068db,0x0aa8913,0x1a47801,0x10695ca,0x1c72cc6,0x0fc1a47,
+        0x33df2c4,0x0517cf0,0x3471d92,0x1be815c,0x397f794,0x3f03cbe,
+        0x121bfae,0x172cbe0,0x00813d7 },
+      { 0x383bba6,0x04f1c90,0x0b3f056,0x1c29089,0x2a924ce,0x3c85e69,
+        0x1cecbe5,0x0ad8796,0x0aa79f6,0x25e38ba,0x13ad807,0x30b30ed,
+        0x0fa963a,0x35c763d,0x0055518 } },
+    /* 68 */
+    { { 0x0623f3b,0x3ca4880,0x2bff03c,0x0457ca7,0x3095c71,0x02a9a08,
+        0x1722478,0x302c10b,0x3a17458,0x001131e,0x0959ec2,0x18bdfbc,
+        0x2929fca,0x2adfe32,0x0040ae2 },
+      { 0x127b102,0x14ddeaa,0x1771b8c,0x283700c,0x2398a86,0x085a901,
+        0x108f9dc,0x0cc0012,0x33a918d,0x26d08e9,0x20b9473,0x12c3fc7,
+        0x1f69763,0x1c94b5a,0x00e29de } },
+    /* 69 */
+    { { 0x035af04,0x3450021,0x12da744,0x077fb06,0x25f255b,0x0db7150,
+        0x17dc123,0x1a2a07c,0x2a7636a,0x3972430,0x3704ca1,0x0327add,
+        0x3d65a96,0x3c79bec,0x009de8c },
+      { 0x11d3d06,0x3fb8354,0x12c7c60,0x04fe7ad,0x0466e23,0x01ac245,
+        0x3c0f5f2,0x2a935d0,0x3ac2191,0x090bd56,0x3febdbc,0x3f1f23f,
+        0x0ed1cce,0x02079ba,0x00d4fa6 } },
+    /* 70 */
+    { { 0x0ab9645,0x10174ec,0x3711b5e,0x26357c7,0x2aeec7f,0x2170a9b,
+        0x1423115,0x1a5122b,0x39e512c,0x18116b2,0x290db1c,0x041b13a,
+        0x26563ae,0x0f56263,0x00b89f3 },
+      { 0x3ed2ce4,0x01f365f,0x1b2043b,0x05f7605,0x1f9934e,0x2a068d2,
+        0x38d4d50,0x201859d,0x2de5291,0x0a7985a,0x17e6711,0x01b6c1b,
+        0x08091fa,0x33c6212,0x001da23 } },
+    /* 71 */
+    { { 0x2f2c4b5,0x311acd0,0x1e47821,0x3bd9816,0x1931513,0x1bd4334,
+        0x30ae436,0x2c49dc0,0x2c943e7,0x010ed4d,0x1fca536,0x189633d,
+        0x17abf00,0x39e5ad5,0x00e4e3e },
+      { 0x0c8b22f,0x2ce4009,0x1054bb6,0x307f2fc,0x32eb5e2,0x19d24ab,
+        0x3b18c95,0x0e55e4d,0x2e4acf5,0x1bc250c,0x1dbf3a5,0x17d6a74,
+        0x087cf58,0x07f6f82,0x00f8675 } },
+    /* 72 */
+    { { 0x110e0b2,0x0e672e7,0x11b7157,0x1598371,0x01c0d59,0x3d60c24,
+        0x096b8a1,0x0121075,0x0268859,0x219962f,0x03213f2,0x3022adc,
+        0x18de488,0x3dcdeb9,0x008d2e0 },
+      { 0x06cfee6,0x26f2552,0x3c579b7,0x31fa796,0x2036a26,0x362ba5e,
+        0x103601c,0x012506b,0x387ff3a,0x101a41f,0x2c7eb58,0x23d2efc,
+        0x10a5a07,0x2fd5fa3,0x00e3731 } },
+    /* 73 */
+    { { 0x1cd0abe,0x08a0af8,0x2fa272f,0x17a1fbf,0x1d4f901,0x30e0d2f,
+        0x1898066,0x273b674,0x0c1b8a2,0x3272337,0x3ee82eb,0x006e7d3,
+        0x2a75606,0x0af1c81,0x0037105 },
+      { 0x2f32562,0x2842491,0x1bb476f,0x1305cd4,0x1daad53,0x0d8daed,
+        0x164c37b,0x138030f,0x05145d5,0x300e2a3,0x32c09e7,0x0798600,
+        0x3515130,0x2b9e55c,0x009764e } },
+    /* 74 */
+    { { 0x3d5256a,0x06c67f2,0x3a3b879,0x3c9b284,0x04007e0,0x33c1a41,
+        0x3794604,0x1d6240e,0x022b6c1,0x22c62a7,0x01d4590,0x32df5f6,
+        0x368f1a1,0x2a7486e,0x006e13f },
+      { 0x31e6e16,0x20f18a9,0x09ed471,0x23b861d,0x15cf0ef,0x397b502,
+        0x1c7f9b2,0x05f84b2,0x2cce6e1,0x3c10bba,0x13fb5a7,0x1b52058,
+        0x1feb1b8,0x03b7279,0x00ea1cf } },
+    /* 75 */
+    { { 0x2a4cc9b,0x15cf273,0x08f36e6,0x076bf3b,0x2541796,0x10e2dbd,
+        0x0bf02aa,0x3aa2201,0x03cdcd4,0x3ee252c,0x3799571,0x3e01fa4,
+        0x156e8d0,0x1fd6188,0x003466a },
+      { 0x2515664,0x166b355,0x2b0b51e,0x0f28f17,0x355b0f9,0x2909e76,
+        0x206b026,0x3823a12,0x179c5fa,0x0972141,0x2663a1a,0x01ee36e,
+        0x3fc8dcf,0x2ef3d1b,0x0049a36 } },
+    /* 76 */
+    { { 0x2d93106,0x3d6b311,0x3c9ce47,0x382aa25,0x265b7ad,0x0b5f92f,
+        0x0f4c941,0x32aa4df,0x380d4b2,0x0e8aba6,0x260357a,0x1f38273,
+        0x0d5f95e,0x199f23b,0x0029f77 },
+      { 0x0a0b1c5,0x21a3d6a,0x0ad8df6,0x33d8a5e,0x1240858,0x30000a8,
+        0x3ac101d,0x2a8143d,0x1d7ffe9,0x1c74a2a,0x1b962c9,0x1261359,
+        0x0c8b274,0x002cf4a,0x00a8a7c } },
+    /* 77 */
+    { { 0x211a338,0x22a14ab,0x16e77c5,0x3c746be,0x3a78613,0x0d5731c,
+        0x1767d25,0x0b799fa,0x009792a,0x09ae8dc,0x124386b,0x183d860,
+        0x176747d,0x14c4445,0x00ab09b },
+      { 0x0eb9dd0,0x0121066,0x032895a,0x330541c,0x1e6c17a,0x2271b92,
+        0x06da454,0x054c2bf,0x20abb21,0x0ead169,0x3d7ea93,0x2359649,
+        0x242c6c5,0x3194255,0x00a3ef3 } },
+    /* 78 */
+    { { 0x3010879,0x1083a77,0x217989d,0x174e55d,0x29d2525,0x0e544ed,
+        0x1efd50e,0x30c4e73,0x05bd5d1,0x0793bf9,0x3f7af77,0x052779c,
+        0x2b06bc0,0x13d0d02,0x0055a6b },
+      { 0x3eaf771,0x094947a,0x0288f13,0x0a21e35,0x22ab441,0x23816bf,
+        0x15832e1,0x2d8aff3,0x348cc1f,0x2bbd4a8,0x01c4792,0x34209d3,
+        0x06dc72b,0x211a1df,0x00345c5 } },
+    /* 79 */
+    { { 0x2a65e90,0x173ac2f,0x199cde1,0x0ac905b,0x00987f7,0x3618f7b,
+        0x1b578df,0x0d5e113,0x34bac6a,0x27d85ed,0x1b48e99,0x18af5eb,
+        0x1a1be9e,0x3987aac,0x00877ca },
+      { 0x2358610,0x3776a8e,0x2b0723a,0x344c978,0x22fc4d6,0x1615d53,
+        0x3198f51,0x2d61225,0x12cb392,0x07dd061,0x355f7de,0x09e0132,
+        0x0efae99,0x13b46aa,0x00e9e6c } },
+    /* 80 */
+    { { 0x0683186,0x36d8e66,0x0ea9867,0x0937731,0x1fb5cf4,0x13c39ef,
+        0x1a7ffed,0x27dfb32,0x31c7a77,0x09f15fd,0x16b25ef,0x1dd01e7,
+        0x0168090,0x240ed02,0x0090eae },
+      { 0x2e1fceb,0x2ab9783,0x1a1fdf2,0x093a1b0,0x33ff1da,0x2864fb7,
+        0x3587d6c,0x275aa03,0x123dc9b,0x0e95a55,0x0592030,0x2102402,
+        0x1bdef7b,0x37f2e9b,0x001efa4 } },
+    /* 81 */
+    { { 0x0540015,0x20e3e78,0x37dcfbd,0x11b0e41,0x02c3239,0x3586449,
+        0x1fb9e6a,0x0baa22c,0x00c0ca6,0x3e58491,0x2dbe00f,0x366d4b0,
+        0x176439a,0x2a86b86,0x00f52ab },
+      { 0x0ac32ad,0x226250b,0x0f91d0e,0x1098aa6,0x3dfb79e,0x1dbd572,
+        0x052ecf2,0x0f84995,0x0d27ad2,0x036c6b0,0x1e4986f,0x2317dab,
+        0x2327df6,0x0dee0b3,0x00389ac } },
+    /* 82 */
+    { { 0x0e60f5b,0x0622d3e,0x2ada511,0x05522a8,0x27fe670,0x206af28,
+        0x333cb83,0x3f25f6c,0x19ddaf3,0x0ec579b,0x36aabc0,0x093dbac,
+        0x348b44b,0x277dca9,0x00c5978 },
+      { 0x1cf5279,0x32e294a,0x1a6c26f,0x3f006b6,0x37a3c6b,0x2e2eb26,
+        0x2cf88d4,0x3410619,0x1899c80,0x23d3226,0x30add14,0x2810905,
+        0x01a41f0,0x11e5176,0x005a02f } },
+    /* 83 */
+    { { 0x1c90202,0x321df30,0x3570fa5,0x103e2b1,0x3d099d4,0x05e207d,
+        0x0a5b1bd,0x0075d0a,0x3db5b25,0x2d87899,0x32e4465,0x226fc13,
+        0x24cb8f8,0x3821daa,0x004da3a },
+      { 0x3e66861,0x03f89b8,0x386d3ef,0x14ccc62,0x35e7729,0x11ce5b7,
+        0x035fbc7,0x3f4df0f,0x29c439f,0x1144568,0x32d7037,0x312f65e,
+        0x06b9dbf,0x03a9589,0x0008863 } },
+    /* 84 */
+    { { 0x0a9e8c9,0x1a19b6e,0x091ecd9,0x2e16ee0,0x2a11963,0x116cf34,
+        0x390d530,0x194131f,0x2b580f3,0x31d569c,0x21d3751,0x3e2ce64,
+        0x193de46,0x32454f0,0x004bffd },
+      { 0x09554e7,0x170126e,0x2be6cd1,0x153de89,0x0353c67,0x350765c,
+        0x202370b,0x1db01e5,0x30b12b1,0x3778591,0x00c8809,0x2e845d5,
+        0x1fb1e56,0x170f90d,0x00e2db3 } },
+    /* 85 */
+    { { 0x328e33f,0x392aad8,0x36d1d71,0x0aebe04,0x1548678,0x1b55c8c,
+        0x24995f8,0x2a5a01e,0x1bd1651,0x37c7c29,0x36803b6,0x3716c91,
+        0x1a935a5,0x32f10b7,0x005c587 },
+      { 0x2e8b4c0,0x336ccae,0x11382b6,0x22ec4cc,0x066d159,0x35fa585,
+        0x23b2d25,0x3017528,0x2a674a8,0x3a4f900,0x1a7ce82,0x2b2539b,
+        0x3d46545,0x0a07918,0x00eb9f8 } },
+    /* 86 */
+    { { 0x2cf5b9b,0x03e747f,0x166a34e,0x0afc81a,0x0a115b1,0x3aa814d,
+        0x11cf3b1,0x163e556,0x3cbfb15,0x157c0a4,0x1bc703a,0x2141e90,
+        0x01f811c,0x207218b,0x0092e6b },
+      { 0x1af24e3,0x3af19b3,0x3c70cc9,0x335cbf3,0x068917e,0x055ee92,
+        0x09a9308,0x2cac9b7,0x008b06a,0x1175097,0x36e929c,0x0be339c,
+        0x0932436,0x15f18ba,0x0009f6f } },
+    /* 87 */
+    { { 0x29375fb,0x35ade34,0x11571c7,0x07b8d74,0x3fabd85,0x090fa91,
+        0x362dcd4,0x02c3fdb,0x0608fe3,0x2477649,0x3fc6e70,0x059b7eb,
+        0x1e6a708,0x1a4c220,0x00c6c4c },
+      { 0x2a53fb0,0x1a3e1f5,0x11f9203,0x27e7ad3,0x038718e,0x3f5f9e4,
+        0x308acda,0x0a8700f,0x34472fe,0x3420d7a,0x08076e5,0x014240e,
+        0x0e7317e,0x197a98e,0x00538f7 } },
+    /* 88 */
+    { { 0x2663b4b,0x0927670,0x38dd0e0,0x16d1f34,0x3e700ab,0x3119567,
+        0x12559d2,0x399b6c6,0x0a84bcd,0x163e7dd,0x3e2aced,0x058548c,
+        0x03a5bad,0x011cf74,0x00c155c },
+      { 0x3e454eb,0x2a1e64e,0x1ccd346,0x36e0edf,0x266ee94,0x2e74aaf,
+        0x2d8378a,0x3cd547d,0x1d27733,0x0928e5b,0x353553c,0x26f502b,
+        0x1d94341,0x2635cc7,0x00d0ead } },
+    /* 89 */
+    { { 0x0142408,0x382c3bb,0x3310908,0x2e50452,0x398943c,0x1d0ac75,
+        0x1bf7d81,0x04bd00f,0x36b6934,0x3349c37,0x0f69e20,0x0195252,
+        0x243a1c5,0x030da5f,0x00a76a9 },
+      { 0x224825a,0x28ce111,0x34c2e0f,0x02e2b30,0x382e48c,0x26853ca,
+        0x24bd14e,0x0200dec,0x1e24db3,0x0d3d775,0x132da0a,0x1dea79e,
+        0x253dc0c,0x03c9d31,0x0020db9 } },
+    /* 90 */
+    { { 0x26c5fd9,0x05e6dc3,0x2eea261,0x08db260,0x2f8bec1,0x1255edf,
+        0x283338d,0x3d9a91d,0x2640a72,0x03311f9,0x1bad935,0x152fda8,
+        0x0e95abd,0x31abd15,0x00dfbf4 },
+      { 0x107f4fa,0x29ebe9a,0x27353f7,0x3821972,0x27311fa,0x2925ab6,
+        0x337ab82,0x2de6c91,0x1f115fe,0x044f909,0x21b93c2,0x3a5f142,
+        0x13eb5e9,0x3ab1377,0x00b26b6 } },
+    /* 91 */
+    { { 0x22e5f2b,0x2ae7d4a,0x1ac481c,0x0a6fce1,0x2f93caf,0x242658e,
+        0x3f35c3c,0x050f3d2,0x30074c9,0x142079c,0x0281b4c,0x295fea3,
+        0x007413e,0x01726cd,0x00e4979 },
+      { 0x1ab3cfb,0x1b76295,0x36adf55,0x1ad4636,0x1d444b9,0x3bd2e55,
+        0x35425a5,0x1aa8cd3,0x3acecd2,0x1f769e8,0x1a655e9,0x1f6846f,
+        0x24c70b5,0x3bff080,0x0002da3 } },
+    /* 92 */
+    { { 0x081d0d9,0x2c00d99,0x1fe2e24,0x396063f,0x03740db,0x243f680,
+        0x3c1f451,0x1ff7b07,0x2803cf2,0x38ca724,0x2934f43,0x0d72d4d,
+        0x0e8fe74,0x2975e21,0x002b505 },
+      { 0x11adcc9,0x331a99c,0x21e16cf,0x1714c78,0x1f03432,0x2caa2a6,
+        0x34a9679,0x2f7fe8b,0x0423c21,0x1a757ce,0x31b57d6,0x171e044,
+        0x093b9b2,0x13602e0,0x00db534 } },
+    /* 93 */
+    { { 0x250a2f5,0x0b999eb,0x21d10d7,0x22b92a1,0x39b7f8d,0x0c37c72,
+        0x29f70f3,0x3bf0e84,0x1d7e04f,0x07a42a9,0x272c3ae,0x1587b2f,
+        0x155faff,0x10a336e,0x000d8fb },
+      { 0x3663784,0x0d7dcf5,0x056ad22,0x319f8b1,0x0c05bae,0x2b6ff33,
+        0x0292e42,0x0435797,0x188efb1,0x0d3f45e,0x119d49f,0x395dcd3,
+        0x279fe27,0x133a13d,0x00188ac } },
+    /* 94 */
+    { { 0x396c53e,0x0d133e9,0x009b7ee,0x13421a0,0x1bbf607,0x1d284a5,
+        0x1594f74,0x18cb47c,0x2dcac11,0x2999ddb,0x04e2fa5,0x1889e2c,
+        0x0a89a18,0x33cb215,0x0052665 },
+      { 0x104ab58,0x1d91920,0x3d6d7e3,0x04dc813,0x1167759,0x13a8466,
+        0x0a06a54,0x103761b,0x25b1c92,0x26a8fdd,0x2474614,0x21406a4,
+        0x251d75f,0x38c3734,0x007b982 } },
+    /* 95 */
+    { { 0x15f3060,0x3a7bf30,0x3be6e44,0x0baa1fa,0x05ad62f,0x1e54035,
+        0x099d41c,0x2a744d9,0x1c0336f,0x3e99b5b,0x1afd3b1,0x2bf1255,
+        0x1822bf8,0x2c93972,0x001d8cc },
+      { 0x1d7584b,0x0508ade,0x20dd403,0x203a8fc,0x1c54a05,0x1611a31,
+        0x037c8f9,0x1dcd4fe,0x110fbea,0x30f60bc,0x3dffe2f,0x26a1de1,
+        0x0480367,0x18ec81c,0x0048eba } },
+    /* 96 */
+    { { 0x346e2f6,0x0435077,0x036789b,0x3e06545,0x313ab57,0x351a721,
+        0x3372b91,0x15e6019,0x2fa4f6c,0x3c30656,0x272c9ac,0x10e84a8,
+        0x2bdacea,0x232d9e2,0x009dadd },
+      { 0x182579a,0x15b1af8,0x02d8cce,0x36cb49b,0x086feba,0x2911d17,
+        0x268ee12,0x011e871,0x18698dc,0x35602b3,0x11b9ec2,0x0ade731,
+        0x0f6a05a,0x1821015,0x00007da } },
+    /* 97 */
+    { { 0x3b00dd0,0x328d485,0x27a69e3,0x32c3a06,0x1046779,0x120b61c,
+        0x19fef3d,0x0fef2e6,0x134d923,0x039bce0,0x348cd0e,0x0b0c007,
+        0x066ae11,0x15d8f1b,0x00934e7 },
+      { 0x33234dc,0x353f0f5,0x2fc1b44,0x18a193a,0x2fcae20,0x1afbc86,
+        0x3afe252,0x17f7e10,0x107f3b7,0x2d84d54,0x394c2e6,0x19e96a9,
+        0x0a37283,0x26c6152,0x003d262 } },
+    /* 98 */
+    { { 0x37cfaf8,0x01863d0,0x0299623,0x32c80cb,0x25b8742,0x0a4d90e,
+        0x1f72472,0x13de652,0x31a0946,0x0ee0103,0x0f25414,0x2518b49,
+        0x07e7604,0x1488d9b,0x00abd6b },
+      { 0x1338f55,0x2ce4af5,0x1a0c119,0x3380525,0x21a80a9,0x235d4df,
+        0x118ca7f,0x2dd8bcc,0x1c26bf4,0x32dc56b,0x28482b6,0x1418596,
+        0x3c84d24,0x1f1a5a9,0x00d958d } },
+    /* 99 */
+    { { 0x1c21f31,0x22aa1ef,0x258c9ad,0x2d2018f,0x0adb3ca,0x01f75ee,
+        0x186283b,0x31ad3bf,0x3621be7,0x3b1ee6d,0x015582d,0x3d61d04,
+        0x2ddf32e,0x14b8a66,0x00c970c },
+      { 0x2f24d66,0x00b8a88,0x100a78f,0x041d330,0x2efec1d,0x24c5b86,
+        0x2a6a390,0x37526bc,0x2055849,0x3339f08,0x16bffc4,0x07f9d72,
+        0x06ec09c,0x3f49ee8,0x00cad98 } },
+    /* 100 */
+    { { 0x248b73e,0x1b8b42d,0x285eed7,0x39473f4,0x1a9f92c,0x3b44f78,
+        0x086c062,0x06a4ea3,0x34ea519,0x3c74e95,0x1ad1b8b,0x1737e2c,
+        0x2cfe338,0x0a291f4,0x00bbecc },
+      { 0x1cec548,0x0c9b01a,0x20b298d,0x377c902,0x24f5bc1,0x2415c8d,
+        0x1a70622,0x2529090,0x1c5c682,0x283f1ba,0x2319f17,0x0120e2e,
+        0x01c6f4d,0x33c67ff,0x008b612 } },
+    /* 101 */
+    { { 0x03830eb,0x02d4053,0x10c59bb,0x0f23b83,0x13d08f8,0x26ea4e2,
+        0x2626427,0x0a45292,0x0449cbc,0x0175750,0x074c46f,0x27ae0f8,
+        0x2d7d6ae,0x163dd3a,0x0063bb7 },
+      { 0x2bb29e0,0x034bab1,0x341e1c4,0x21d2c0b,0x295aa2d,0x0f2c666,
+        0x1891755,0x13db64a,0x2fe5158,0x337646e,0x31a1aae,0x057bee4,
+        0x00f9e37,0x396d19e,0x00c1b6a } },
+    /* 102 */
+    { { 0x2772f41,0x34f92d0,0x39d1cde,0x174ef2d,0x03a700d,0x03fbb98,
+        0x30d50e8,0x352ed10,0x1fcf5e5,0x3d113bc,0x26e358f,0x180653f,
+        0x1b43cc6,0x3cc9aa4,0x00e68a2 },
+      { 0x37fe4d2,0x09dd725,0x01eb584,0x171f8a9,0x278fdef,0x3e37c03,
+        0x3bec02f,0x149757c,0x0cd5852,0x37d2e10,0x0e6988b,0x1c120e9,
+        0x0b83708,0x38e7319,0x0039499 } },
+    /* 103 */
+    { { 0x08df5fe,0x177a02c,0x0362fc0,0x1f18ee8,0x00c1295,0x173c50a,
+        0x379414d,0x1885ba8,0x32a54ef,0x2315644,0x39e65cf,0x357c4be,
+        0x1d66333,0x09e05a5,0x0009c60 },
+      { 0x1f7a2fb,0x073b518,0x2eb83ac,0x11353d7,0x1dd8384,0x0c63f2b,
+        0x238c6c8,0x2a1920a,0x2e5e9f1,0x1cc56f8,0x042daf4,0x1ed5dc5,
+        0x25f9e31,0x012a56a,0x0081b59 } },
+    /* 104 */
+    { { 0x321d232,0x2c71422,0x3a756b6,0x30230b2,0x387f3db,0x3a7c3eb,
+        0x274b46a,0x201e69f,0x185bb7b,0x140da82,0x0d974a2,0x0616e42,
+        0x35ec94f,0x3bc366b,0x005aa7c },
+      { 0x3dcfffc,0x19a9c15,0x3225e05,0x36ae114,0x16ea311,0x0cda2aa,
+        0x2a1a8d2,0x154b5cb,0x08348cd,0x17b66c8,0x080ea43,0x21e59f3,
+        0x04173b9,0x31d5b04,0x00ad735 } },
+    /* 105 */
+    { { 0x2e76ef4,0x216acf3,0x2b93aea,0x112bc74,0x3449974,0x2b2e48f,
+        0x11929be,0x2f03021,0x19051e3,0x0ac202d,0x19be68a,0x3b87619,
+        0x26cdac4,0x086592c,0x00f00de },
+      { 0x2e90d4d,0x3ed703c,0x2c648d7,0x29ddf67,0x000e219,0x3471247,
+        0x26febd5,0x1161713,0x3541a8f,0x302038d,0x08d2af9,0x26e1b21,
+        0x398514a,0x36dad99,0x002ed70 } },
+    /* 106 */
+    { { 0x06f25cb,0x1104596,0x370faee,0x07e83f3,0x0f7b686,0x228d43a,
+        0x12cd201,0x0a1bd57,0x3e592dc,0x1e186fc,0x2226aba,0x2c63fe9,
+        0x17b039a,0x1efaa61,0x00d1582 },
+      { 0x2e6acef,0x07d51e4,0x3ac326c,0x322b07e,0x1422c63,0x32ff5c7,
+        0x18760df,0x048928b,0x139b251,0x04d7da9,0x048d1a2,0x2a23e84,
+        0x199dbba,0x2fa7afe,0x0049f1a } },
+    /* 107 */
+    { { 0x3492b73,0x27d3d3d,0x2b1a16f,0x07b2ce4,0x0cf28ec,0x2729bff,
+        0x3130d46,0x3e96116,0x140b72e,0x14a2ea3,0x1ca066f,0x3a61f1d,
+        0x022ebac,0x09192b4,0x003e399 },
+      { 0x12555bb,0x0b6139d,0x239463a,0x12a70ab,0x2aaa93b,0x2254e72,
+        0x00424ec,0x26a6736,0x26daa11,0x25b5ad6,0x379f262,0x140cd30,
+        0x0c7d3bd,0x097bbcf,0x00899e9 } },
+    /* 108 */
+    { { 0x3825dc4,0x3cd946f,0x0462b7f,0x31102e7,0x30f741c,0x3313ed6,
+        0x1ff5a95,0x15bf9dc,0x09b47fd,0x0f2e7a7,0x1626c0d,0x3c14f6d,
+        0x14098bd,0x19d7df8,0x00a97ce },
+      { 0x0934f5e,0x3f968db,0x046f68a,0x12333bf,0x26cd5e1,0x1ea2161,
+        0x358570d,0x235031d,0x35edd55,0x05265e3,0x24ae00c,0x3542229,
+        0x25bb2a1,0x1c83c75,0x0058f2a } },
+    /* 109 */
+    { { 0x24daedb,0x376928f,0x305266f,0x0499746,0x038318c,0x312efd7,
+        0x1910a24,0x33450a3,0x1c478a9,0x39d8bf9,0x12cc0ae,0x397aeab,
+        0x0654c08,0x095f283,0x00d2cdf },
+      { 0x0b717d2,0x1f162c2,0x107a48f,0x128e1b3,0x2380718,0x39f4044,
+        0x00f626a,0x05ec0c9,0x21bc439,0x200fa4d,0x20aea01,0x186a1d8,
+        0x26372f2,0x1a91f87,0x0053f55 } },
+    /* 110 */
+    { { 0x3512a90,0x33b958b,0x29f1c84,0x0106c3a,0x224b3c0,0x09b307a,
+        0x215d2de,0x3bdf43b,0x22cf0c9,0x176121d,0x1534143,0x09ba717,
+        0x16b3110,0x0f73f6c,0x008f5b7 },
+      { 0x2c75d95,0x26fbcb4,0x0dda1f6,0x206f819,0x28d33d5,0x1fb4d79,
+        0x024c125,0x30a0630,0x1f9c309,0x0fe350d,0x1696019,0x0a54187,
+        0x09541fd,0x35e3a79,0x0066618 } },
+    /* 111 */
+    { { 0x0e382de,0x33f5163,0x0dde571,0x3bb7a40,0x1175806,0x12ae8ed,
+        0x0499653,0x3b25586,0x38ade7a,0x3fa265d,0x3f4aa97,0x3c03dbb,
+        0x30c6de8,0x32d4042,0x00ae971 },
+      { 0x2f788f1,0x1fbaf0e,0x3e2d182,0x3ff904f,0x0d46229,0x1d0726d,
+        0x15455b4,0x093ae28,0x290f8e4,0x097c0b9,0x1ae8771,0x28480bb,
+        0x04f6d40,0x3689925,0x0049b3b } },
+    /* 112 */
+    { { 0x35b2d69,0x31819c0,0x11b0d63,0x035afb6,0x2b50715,0x2bece6c,
+        0x35f82f7,0x0ad987c,0x0011601,0x02e6f67,0x2d0a5f5,0x365e583,
+        0x2f7c900,0x11449c5,0x00ed705 },
+      { 0x27abdb4,0x1bbfd04,0x301c157,0x263c079,0x36850d6,0x3f21f8b,
+        0x27d7493,0x0f9227e,0x06fb0ce,0x002daf3,0x37d8c1c,0x3ef87d7,
+        0x19cc6f4,0x0c3809c,0x00cf752 } },
+    /* 113 */
+    { { 0x22d94ed,0x075b09c,0x020e676,0x084dc62,0x2d1ec3f,0x17439f1,
+        0x240b702,0x33cc596,0x30ebaf3,0x0359fe0,0x393ea43,0x0ece01e,
+        0x16c6963,0x03a82f2,0x0017faa },
+      { 0x3866b98,0x3cd20b7,0x12d4e6b,0x3a6a76d,0x1205c1e,0x3e6ae1a,
+        0x2f9bbdf,0x2e61547,0x2d175ee,0x28e18f6,0x13cf442,0x085b0ef,
+        0x0e321ef,0x238fe72,0x003fb22 } },
+    /* 114 */
+    { { 0x360ac07,0x26dc301,0x3f4d94f,0x2ba75e6,0x1f3c9cc,0x17ff20f,
+        0x0ea084c,0x30e39cf,0x143dc49,0x03bd43e,0x3c9e733,0x19e8aba,
+        0x27fbaf4,0x12d913a,0x005ee53 },
+      { 0x3609e7f,0x2d89c80,0x09f020c,0x1558bf7,0x3098443,0x3c515fd,
+        0x1c8e580,0x16506bd,0x26cb4b2,0x1747d42,0x2ec8239,0x32c91f0,
+        0x1ca3377,0x079768f,0x00a5f3e } },
+    /* 115 */
+    { { 0x185fa94,0x122759f,0x0e47023,0x0dcb6e7,0x10ba405,0x3b5eab4,
+        0x1f7a1fa,0x32d003f,0x1739a4c,0x3295ec3,0x1b18967,0x3f3b265,
+        0x34d2448,0x2dbadc9,0x00f30b5 },
+      { 0x01c5338,0x2d1dcf2,0x2bd07cc,0x39a8fb5,0x2b85639,0x355bab6,
+        0x1df95f1,0x01eb5f6,0x17f0a16,0x1b895b5,0x157574d,0x29fff72,
+        0x3a8c46d,0x0118071,0x0065f84 } },
+    /* 116 */
+    { { 0x3a1e7f1,0x17432f2,0x1f648d4,0x3000ad5,0x2ef0a08,0x1f86624,
+        0x1ca31b1,0x241f9dc,0x2cb4885,0x2b8610f,0x364ce16,0x1e5faf0,
+        0x0b33867,0x2cb637d,0x00816d2 },
+      { 0x1aa8671,0x02c394e,0x35f5e87,0x393040a,0x39f0db3,0x1c831a5,
+        0x2966591,0x034a8d0,0x09e613c,0x042b532,0x018ddd6,0x3e402c9,
+        0x2e20e1a,0x29cb4cd,0x00e087c } },
+    /* 117 */
+    { { 0x3a10079,0x20c7fea,0x3ff2222,0x1edb593,0x00dc5f8,0x3a32ccc,
+        0x1479073,0x0cfed11,0x2a2702a,0x17a056a,0x1fba321,0x235acb9,
+        0x149c833,0x172de7d,0x000f753 },
+      { 0x2e95923,0x3b365cb,0x009f471,0x0df1b47,0x21e868b,0x199bbd3,
+        0x07b8ecc,0x12ff0af,0x189808a,0x3bd5059,0x3fbc4d2,0x0fa7b88,
+        0x1125bf2,0x0db0b5d,0x0043572 } },
+    /* 118 */
+    { { 0x29cdb1b,0x1db656e,0x391efe1,0x004be09,0x245a1ca,0x3793328,
+        0x254af24,0x2f2e65d,0x10e5cc4,0x2af6fe7,0x2d97ac0,0x29f7d42,
+        0x19fd6f6,0x0ac184d,0x00c5211 },
+      { 0x305eae3,0x36738d3,0x2c2b696,0x00ba50e,0x3903adc,0x2122f85,
+        0x0753470,0x1cf96a4,0x1702a39,0x247883c,0x2feb67e,0x2ab3071,
+        0x3c6b9e1,0x30cb85a,0x002ca0a } },
+    /* 119 */
+    { { 0x3871eb5,0x284b93b,0x0a7affe,0x176a2fc,0x294c2f2,0x204d3aa,
+        0x1e4c2a7,0x3ec4134,0x2fb0360,0x3847b45,0x05fc11b,0x0a6db6e,
+        0x390fa40,0x2adfd34,0x005e9f7 },
+      { 0x0646612,0x1b5cbcc,0x10d8507,0x0777687,0x3a0afed,0x1687440,
+        0x0222578,0x1af34a4,0x2174e27,0x372d267,0x11246c3,0x34769c5,
+        0x2044316,0x1b4d626,0x00c72d5 } },
+    /* 120 */
+    { { 0x2e5bb45,0x3ff1d36,0x16dcdf5,0x128986f,0x399068c,0x2a63b1e,
+        0x0afa7aa,0x3a5b770,0x200f121,0x33b74bb,0x1414045,0x0f31ef8,
+        0x2f50e16,0x2f38cd6,0x00b0b1b },
+      { 0x1a06293,0x035e140,0x2644d44,0x1f1954b,0x2cdebab,0x31d5f91,
+        0x0b8dbc8,0x38f2d23,0x3783cab,0x2a07e73,0x3123f59,0x3409846,
+        0x3784ddd,0x223bbac,0x003dc7b } },
+    /* 121 */
+    { { 0x0741456,0x234e631,0x2121e1b,0x00980ca,0x3a9dfa9,0x098c916,
+        0x3fc86d1,0x1c63072,0x3625244,0x13d0471,0x05b0fc5,0x1487550,
+        0x2498596,0x11bb6ea,0x001afab },
+      { 0x274b4ad,0x240aea1,0x3d12a75,0x2b56b61,0x1486b43,0x1b83426,
+        0x31c7363,0x35b59ca,0x207bb6c,0x38e6243,0x19bace4,0x0a26671,
+        0x35e3381,0x0c2ded4,0x00d8da4 } },
+    /* 122 */
+    { { 0x2b75791,0x19590b1,0x2bfb39f,0x2988601,0x0050947,0x0d8bbe1,
+        0x23e3701,0x08e4432,0x2ed8c3d,0x326f182,0x332e1dd,0x12219c5,
+        0x2e0779b,0x367aa63,0x0012d10 },
+      { 0x251b7dc,0x0a08b4d,0x1138b6f,0x2ea02af,0x06345a5,0x1cb4f21,
+        0x0332624,0x1d49d88,0x140acc5,0x2f55287,0x024447c,0x291ace9,
+        0x1a4966e,0x015cbec,0x005bc41 } },
+    /* 123 */
+    { { 0x351cd0e,0x315e8e9,0x07d6e70,0x067ae8f,0x2190d84,0x351f556,
+        0x03bee79,0x31b62c7,0x266f912,0x1b6a504,0x007a6ad,0x3a6ab31,
+        0x3891112,0x3c45ba0,0x00d6ce5 },
+      { 0x0e1f2ce,0x32a5edc,0x1434063,0x1ca084f,0x2a3e47c,0x137e042,
+        0x16e2418,0x2069280,0x3b0dfd8,0x35a22b5,0x289bf0a,0x1f667f2,
+        0x02d23a3,0x0ce688f,0x00d8e3f } },
+    /* 124 */
+    { { 0x10bed6f,0x14c58dd,0x0b0abdf,0x0ca0f9a,0x3808abc,0x2ec228c,
+        0x2366275,0x12afa16,0x20f6b0e,0x37dca8e,0x3af0c6a,0x1c5b467,
+        0x1b25ff7,0x00814de,0x0022dcc },
+      { 0x1a56e11,0x02fe37e,0x3f21740,0x35d5a91,0x06cb8ba,0x29bad91,
+        0x17176f7,0x2d919f2,0x0f7d1f5,0x13a3f61,0x04ddb05,0x0c82a51,
+        0x286f598,0x2e8c777,0x0007071 } },
+    /* 125 */
+    { { 0x0f8fcb9,0x3e83966,0x170c6fd,0x3825343,0x089cec8,0x01b482a,
+        0x0993971,0x3327282,0x39aba8a,0x32456fe,0x1507e01,0x1c3252d,
+        0x21ffb13,0x29822a0,0x0083246 },
+      { 0x23c378f,0x1cea7ef,0x1be9a82,0x224d689,0x37e5447,0x3764a75,
+        0x3a49724,0x361e1b3,0x19d365b,0x3a61ffb,0x1c29a7a,0x20ab251,
+        0x17ec549,0x175d777,0x004589a } },
+    /* 126 */
+    { { 0x15540a9,0x2ec5d2a,0x05b09fa,0x1bc058b,0x07cfb88,0x28f7b86,
+        0x3e766be,0x189305e,0x01fe88e,0x23fdf69,0x0b919c3,0x02dc7ae,
+        0x3f9a9ad,0x0b83cc7,0x0086a52 },
+      { 0x28bc259,0x39bdca1,0x39e4bc8,0x0e0f33b,0x16130c6,0x2919955,
+        0x31f4549,0x2fed027,0x30919b2,0x0a39b03,0x0ca7bb2,0x1711b24,
+        0x3b67b94,0x05a136b,0x00acd87 } },
+    /* 127 */
+    { { 0x0c53841,0x31cb284,0x3ced090,0x06d5693,0x1c20ae0,0x0408d2b,
+        0x37ebd5e,0x081900f,0x26a8589,0x0acfd0a,0x34a1472,0x2f0c302,
+        0x124ccbd,0x10de328,0x00971bc },
+      { 0x17ff2ff,0x27d1b54,0x147b6f7,0x38bb2ea,0x26a9c96,0x0a49448,
+        0x39f2f46,0x247c579,0x3b16a4e,0x28c2a5a,0x2d4c72d,0x11f248c,
+        0x1e4df11,0x047d604,0x0065bc3 } },
+    /* 128 */
+    { { 0x39b3239,0x1f75f44,0x3bae87c,0x139360c,0x18b5782,0x3ffc005,
+        0x3c48789,0x2bc6af2,0x38b909e,0x223ff3b,0x31443a7,0x017d3bb,
+        0x0bfed99,0x128b857,0x00020dd },
+      { 0x306d695,0x25a7b28,0x2f60ca2,0x2b6e4f2,0x1df940c,0x1fa9b8e,
+        0x37fab78,0x13f959f,0x10ff98c,0x38343b8,0x019cb91,0x11a1e6b,
+        0x17ab4c6,0x1431f47,0x004b4ea } },
+    /* 129 */
+    { { 0x20db57e,0x102515e,0x170219e,0x2b66a32,0x1e6017c,0x2f973fe,
+        0x3739e51,0x0e28b6f,0x3cda7a9,0x30d91ac,0x28350df,0x1444215,
+        0x098b504,0x1bcd5b8,0x00ad3bd },
+      { 0x22e3e3e,0x3aeaffb,0x26cb935,0x0091ce4,0x2fbd017,0x3a7ed6a,
+        0x335b029,0x3bfc1f1,0x3852e3f,0x2b14a86,0x046b405,0x266af4c,
+        0x3997191,0x33b0e40,0x00e306f } },
+    /* 130 */
+    { { 0x3e4712c,0x26bb208,0x18eed6d,0x1b30f06,0x27ca837,0x06faf62,
+        0x1831873,0x3fbcf9b,0x3f3d88b,0x1fb55eb,0x0f44edc,0x29917bb,
+        0x3151772,0x342d72e,0x00d4e63 },
+      { 0x2ee0ecf,0x39e8733,0x2e8e98c,0x0cd4e0f,0x08f0126,0x1ad157a,
+        0x079078a,0x23018ee,0x196c765,0x2b2f34f,0x0783336,0x075bf9c,
+        0x3713672,0x098d699,0x00f21a7 } },
+    /* 131 */
+    { { 0x186ba11,0x22cf365,0x048019d,0x2ca2970,0x0d9e0ae,0x08c3bd7,
+        0x261dbf2,0x2fc2790,0x1ee02e6,0x10256a7,0x00dc778,0x18dc8f2,
+        0x157b189,0x2ebc514,0x005c97d },
+      { 0x3c4503e,0x1d10d12,0x337097e,0x0c6169a,0x30fb1cb,0x3481752,
+        0x0df2bec,0x19768fa,0x1bcf8f7,0x2925f74,0x2c988a1,0x3be571d,
+        0x04cfa92,0x2ea9937,0x003f924 } },
+    /* 132 */
+    { { 0x268b448,0x06e375c,0x1b946bf,0x287bf5e,0x3d4c28b,0x138d547,
+        0x21f8c8e,0x21ea4be,0x2d45c91,0x35da78e,0x00326c0,0x210ed35,
+        0x1d66928,0x0251435,0x00fefc8 },
+      { 0x0339366,0x216ff64,0x2c3a30c,0x3c5733d,0x04eeb56,0x2333477,
+        0x32b1492,0x25e3839,0x1b5f2ce,0x0dcfba1,0x3165bb2,0x3acafcc,
+        0x10abfcd,0x248d390,0x008106c } },
+    /* 133 */
+    { { 0x102f4ee,0x3c0585f,0x1225c8d,0x11c6388,0x08a7815,0x2b3e790,
+        0x2895eb6,0x18cf53a,0x0b56e5a,0x2e2c003,0x3e981ff,0x0761b55,
+        0x1bc32f3,0x0a7111d,0x00f5c80 },
+      { 0x3568973,0x1587386,0x16ec764,0x20698a6,0x02f809b,0x2821502,
+        0x113d64d,0x38c2679,0x15de61c,0x0309f60,0x272999e,0x29bfe64,
+        0x173f70d,0x1de7fab,0x00bd284 } },
+    /* 134 */
+    { { 0x31cdf2b,0x0f0be66,0x2151603,0x01af17e,0x32a99cf,0x085dece,
+        0x27d2591,0x1520df4,0x273c448,0x1ec7c54,0x102e229,0x355f604,
+        0x2acb75f,0x005f1fd,0x003d43e },
+      { 0x270eb28,0x22ec2ce,0x306b41a,0x238fa02,0x167de2d,0x030a379,
+        0x245a417,0x1808c24,0x0b1a7b2,0x3ab5f6f,0x2cbc6c1,0x2c228d4,
+        0x3041f70,0x2d9a6cc,0x00b504f } },
+    /* 135 */
+    { { 0x17a27c2,0x216ad7e,0x011ba8e,0x22f0428,0x16ac5ec,0x3ef3c58,
+        0x345533f,0x0298155,0x2856579,0x0005e03,0x19ee75b,0x146fe16,
+        0x29881e4,0x18ece70,0x008907a },
+      { 0x20189ed,0x119ce09,0x35cb76d,0x0d91ef4,0x2284a44,0x032ad87,
+        0x0e8c402,0x3c82b5d,0x38c416c,0x398992f,0x1fd820c,0x169b255,
+        0x3b5fcfa,0x1343c92,0x00fa715 } },
+    /* 136 */
+    { { 0x33f5034,0x20b3b26,0x28fd184,0x16b3679,0x3962d44,0x15d1bc8,
+        0x2fb1d69,0x1292c99,0x25a58c9,0x1b19ab7,0x2d68a5b,0x2f6a09b,
+        0x0d6aedb,0x2935eac,0x0005664 },
+      { 0x25e32fc,0x13f9440,0x3252bcd,0x2fea5b7,0x161a5ae,0x0564a8c,
+        0x0a07e23,0x1545f62,0x0de9890,0x1d76765,0x1fd440e,0x2ed0041,
+        0x3db4c96,0x1e8ba01,0x001b0c4 } },
+    /* 137 */
+    { { 0x0223878,0x29ab202,0x15585c2,0x1a79969,0x1ba08c2,0x2ef09ff,
+        0x2b1b9b9,0x181f748,0x1bf72b9,0x224645c,0x2588dc5,0x2d157e7,
+        0x22d939a,0x05b88d9,0x006d549 },
+      { 0x31de0c1,0x23a4e0e,0x278f8da,0x1aa013c,0x1a84d18,0x0d185a5,
+        0x0988ccd,0x2c32efd,0x3bee10e,0x37d7ab8,0x3f2a66e,0x3e2da3e,
+        0x1b5701f,0x3d9f0c1,0x00a68da } },
+    /* 138 */
+    { { 0x0b2e045,0x0133fd1,0x05d4c10,0x0d92c70,0x391b5e1,0x2292281,
+        0x2e40908,0x2ec694e,0x195ea11,0x29cfeca,0x3d93a4e,0x01215c0,
+        0x08a5f32,0x37a0eff,0x00cce45 },
+      { 0x2b3106e,0x12a5fb0,0x0b4faff,0x0c2da12,0x09069c6,0x35d8907,
+        0x2837a6e,0x3db3fb6,0x3136cc3,0x222836b,0x3da018a,0x2741274,
+        0x13ba319,0x1ac7642,0x00f867c } },
+    /* 139 */
+    { { 0x2527296,0x10a9595,0x178de4d,0x0f739c4,0x0ae26c7,0x3094599,
+        0x20adac6,0x2b875c2,0x3ae5dc0,0x3e04d20,0x1aab2da,0x1d3ab37,
+        0x15f4f75,0x0b730b5,0x00c56b5 },
+      { 0x1f32923,0x2f059e5,0x2a89872,0x2056f74,0x04be175,0x1da67c0,
+        0x17f1e7a,0x3780a6d,0x0723ac2,0x257f367,0x1237773,0x2bcee86,
+        0x0b97f83,0x38aff14,0x00a64d4 } },
+    /* 140 */
+    { { 0x2552b40,0x0b6b883,0x12e8217,0x0974d35,0x062f497,0x1e563e6,
+        0x30ee400,0x375d1e4,0x290751f,0x0d5b68a,0x353e48c,0x064a0d3,
+        0x3c343f1,0x309a394,0x0034d2a },
+      { 0x3111286,0x0f08604,0x1827107,0x0536a76,0x0201dac,0x3a574de,
+        0x2c29dbe,0x382c7b0,0x1191f3e,0x324c5bc,0x144ce71,0x24327c1,
+        0x1212778,0x22bc9d8,0x00d7713 } },
+    /* 141 */
+    { { 0x34ad1cd,0x1179b4e,0x1bc1780,0x1392a92,0x2cd86b9,0x359de85,
+        0x251f1df,0x0da5d5f,0x135fa61,0x0f64a42,0x34f4d89,0x0fe564c,
+        0x3cf9b7a,0x122d757,0x008c9c2 },
+      { 0x370d4e9,0x0e9209b,0x0ae99f2,0x1518c64,0x0172734,0x2c20692,
+        0x1d7c135,0x149c52f,0x38928d6,0x3c78b78,0x25841d1,0x2eaa897,
+        0x372e50b,0x29e5d19,0x00c4c18 } },
+    /* 142 */
+    { { 0x13375ac,0x389a056,0x211310e,0x2f9f757,0x04f3288,0x103cd4e,
+        0x17b2fb2,0x2c78a6a,0x09f1de6,0x23e8442,0x1351bc5,0x1b69588,
+        0x285b551,0x0464b7e,0x00573b6 },
+      { 0x0ba7df5,0x259a0db,0x2b4089e,0x05630a2,0x3f299be,0x350ff2f,
+        0x1c9348a,0x3becfa4,0x3cc9a1c,0x17a6ef1,0x338b277,0x2b761d9,
+        0x2aa01c8,0x3cb9dd7,0x006e3b1 } },
+    /* 143 */
+    { { 0x277788b,0x16a222d,0x173c036,0x310ff58,0x2634ae8,0x392636f,
+        0x0987619,0x1e6acc1,0x26dc8f7,0x242310f,0x0c09aca,0x22b8e11,
+        0x0d17006,0x1c2c806,0x002380c },
+      { 0x297c5ec,0x1fef0e8,0x3948cf7,0x14f2915,0x2dacbc8,0x0dafb1f,
+        0x10de043,0x31184da,0x06414ee,0x3c9aeeb,0x1f713ab,0x308f1f8,
+        0x1569ed1,0x3f379bf,0x00f08bb } },
+    /* 144 */
+    { { 0x0770ee3,0x058fd21,0x17065f8,0x251d128,0x10e0c7f,0x06cb51b,
+        0x0f05f7e,0x3666a72,0x3e7d01f,0x2d05fab,0x11440e5,0x28577d4,
+        0x2fbcf2b,0x14aa469,0x00dc5c5 },
+      { 0x270f721,0x1c75d28,0x085b862,0x1d68011,0x132c0a0,0x37be81d,
+        0x1a87e38,0x083fa74,0x3acbf0d,0x16d6429,0x0feda1f,0x031070a,
+        0x2ec2443,0x21e563d,0x00454d2 } },
+    /* 145 */
+    { { 0x0525435,0x1e98d5f,0x3dbc52b,0x1fcdf12,0x13d9ef5,0x3ff311d,
+        0x393e9ed,0x3cef8ae,0x2987710,0x3bdee2e,0x21b727d,0x3ba1b68,
+        0x10d0142,0x3c64b92,0x0055ac3 },
+      { 0x0c1c390,0x38e9bb0,0x1e7b487,0x11511b3,0x1036fb3,0x25aba54,
+        0x1eb2764,0x048d022,0x0d971ed,0x1bb7fb5,0x100f0b4,0x06c3756,
+        0x2f0d366,0x3c6e160,0x0011bd6 } },
+    /* 146 */
+    { { 0x36bc9d1,0x24d43c1,0x12c35cf,0x2fb3cf3,0x015d903,0x16bc0c7,
+        0x0fc8c22,0x3195c87,0x2488b1c,0x1f82b4c,0x30014e8,0x27ee58d,
+        0x31658dd,0x1684a5f,0x00f0f3a },
+      { 0x1f703aa,0x023eebc,0x20babb9,0x080bd9d,0x12f9cc4,0x1a8e2d4,
+        0x0eec666,0x1176803,0x33005d6,0x1137b68,0x37de339,0x33d71cb,
+        0x0c906b9,0x14086b5,0x00aeef6 } },
+    /* 147 */
+    { { 0x219045d,0x0f22c5e,0x024c058,0x00b414a,0x0ae7c31,0x3db3e96,
+        0x234979f,0x0cf00a8,0x3c962c7,0x27fa77f,0x1c0c4b0,0x1fe8942,
+        0x218053a,0x1eed3f8,0x0051643 },
+      { 0x2a23ddb,0x138f570,0x104e945,0x21ca270,0x30726d8,0x3f45490,
+        0x37d9184,0x242ea25,0x33f6d77,0x3f15679,0x065af85,0x34fa1f5,
+        0x2e46b8f,0x31d17fb,0x00a2615 } },
+    /* 148 */
+    { { 0x335167d,0x181ea10,0x0887c8d,0x01383d7,0x18b42d8,0x263447e,
+        0x1f13df3,0x0319d7e,0x0872074,0x2d6aa94,0x23d9234,0x36a69aa,
+        0x0bad183,0x3138a95,0x00bd3a5 },
+      { 0x1b0f658,0x0e4530b,0x373add1,0x1b968fc,0x329dcb6,0x09169ca,
+        0x162df55,0x0211eff,0x02391e4,0x3867460,0x3136b1a,0x37dd36e,
+        0x3bc5bd9,0x2dacfe4,0x0072a06 } },
+    /* 149 */
+    { { 0x119d96f,0x067b0eb,0x00996da,0x293eca9,0x2b342da,0x1889c7a,
+        0x21633a6,0x0152c39,0x281ce8c,0x18ef3b3,0x0bd62dc,0x3238186,
+        0x38d8b7c,0x3867b95,0x00ae189 },
+      { 0x0ed1eed,0x1e89777,0x13ab73e,0x029e1d7,0x2c1257f,0x33fbc09,
+        0x32d5a21,0x3d870b2,0x39bb1fd,0x33663bc,0x24e83e6,0x239bda4,
+        0x3088bcd,0x01db1ed,0x00d71e7 } },
+    /* 150 */
+    { { 0x14245bf,0x0da0c27,0x153b339,0x05cab0a,0x122d962,0x1b0f0f3,
+        0x3f5a825,0x267a2ce,0x2910d06,0x254326f,0x0f36645,0x025118e,
+        0x37c35ec,0x36e944e,0x006c056 },
+      { 0x05ab0e3,0x29aa0c1,0x1295687,0x1fd1172,0x08d40b5,0x05bd655,
+        0x345048a,0x02a1c3c,0x2393d8f,0x0992d71,0x1f71c5e,0x18d4e8a,
+        0x30dd410,0x11d61d3,0x00dd58b } },
+    /* 151 */
+    { { 0x2230c72,0x30213d8,0x05e367e,0x329204e,0x0f14f6c,0x3369ddd,
+        0x0bb4074,0x2edafd6,0x1b1aa2d,0x0785404,0x0c035ab,0x220da74,
+        0x1f2fdd4,0x092a091,0x00ef83c },
+      { 0x3dc2538,0x1cca3e7,0x246afb5,0x24c647f,0x0798082,0x0bb7952,
+        0x0f5c443,0x008b38a,0x299ea1a,0x3c6cf36,0x3df2ec7,0x398e6dc,
+        0x29a1839,0x1cadd83,0x0077b62 } },
+    /* 152 */
+    { { 0x25d56d5,0x3546f69,0x16e02b1,0x3e5fa9a,0x03a9b71,0x2413d31,
+        0x250ecc9,0x1d2de54,0x2ebe757,0x2a2f135,0x2aeeb9a,0x0d0fe2b,
+        0x204cb0e,0x07464c3,0x00c473c },
+      { 0x24cd8ae,0x0c86c41,0x221c282,0x0795588,0x1f4b437,0x06fc488,
+        0x0c81ecd,0x020bf07,0x3a9e2c8,0x2294a81,0x3a64a95,0x0363966,
+        0x32c9a35,0x0f79bec,0x0029e4f } },
+    /* 153 */
+    { { 0x289aaa5,0x2755b2e,0x059e0aa,0x3031318,0x0f0208a,0x35b7729,
+        0x00d9c6b,0x3dd29d0,0x075f2c2,0x0ece139,0x31562dd,0x04187f2,
+        0x13b8d4c,0x0920b85,0x003924e },
+      { 0x09808ab,0x2e36621,0x2a36f38,0x1829246,0x229bf32,0x20883b7,
+        0x159ada8,0x3108a14,0x15bbe5b,0x1e2d1e4,0x1730096,0x0d35cbb,
+        0x15d0da9,0x0e60b94,0x00c4f30 } },
+    /* 154 */
+    { { 0x31de38b,0x27b9086,0x2760e3e,0x169098d,0x2a124e2,0x00596c6,
+        0x3f73c09,0x0d31642,0x2341464,0x248600a,0x2e1fa10,0x2aa0fc8,
+        0x051e954,0x00f3b67,0x001d4bd },
+      { 0x18751e6,0x25a8e1e,0x07f5c2d,0x17e30d4,0x0ed2723,0x23093e2,
+        0x3b80e2c,0x13de2d7,0x2fad37f,0x1be1cfb,0x3224ba9,0x0a7f5d3,
+        0x1714972,0x06667b7,0x009dcd9 } },
+    /* 155 */
+    { { 0x294f22a,0x3e06993,0x0341ee9,0x24bdc7b,0x2e56098,0x2660a13,
+        0x018ddda,0x2c261b2,0x2953b54,0x267f51c,0x0e8a7cc,0x29ab00c,
+        0x3a38247,0x397ac81,0x00de684 },
+      { 0x36b956b,0x347b34a,0x35834bd,0x053c06c,0x0090844,0x148cec5,
+        0x380b325,0x2f17b8b,0x054ef5e,0x09683fb,0x3f8b29a,0x33c979a,
+        0x1e01474,0x3e81fca,0x001c757 } },
+    /* 156 */
+    { { 0x30fdfe4,0x2d712ba,0x13671bc,0x2cfc226,0x3d7c649,0x16f020e,
+        0x368e3f0,0x2981ebb,0x246a78a,0x115e81b,0x21223a4,0x04dbb30,
+        0x1a50ba2,0x12114bd,0x0089bd6 },
+      { 0x055f15a,0x1046e51,0x00fd724,0x1c022a7,0x323dfa9,0x36d8efb,
+        0x0da4d16,0x0910dec,0x2c1fb16,0x2dbe29f,0x298284f,0x2b273bb,
+        0x26022c1,0x20accd5,0x00085a5 } },
+    /* 157 */
+    { { 0x01f138a,0x2d87e7b,0x0c2815c,0x0c19a3c,0x311c9a2,0x3e4fce3,
+        0x029729d,0x21236b2,0x2984048,0x3f3bc95,0x2bba8fb,0x1a1b680,
+        0x0619a3f,0x29e0447,0x00ed5fe },
+      { 0x2d1c833,0x3dcef35,0x3f809b4,0x01a1b9e,0x1509516,0x10ac754,
+        0x2735080,0x27b0a8a,0x2495fb8,0x0a7bdba,0x1ef8b89,0x00233a5,
+        0x0568bf1,0x1a126ba,0x0078a7e } },
+    /* 158 */
+    { { 0x0470cd8,0x20e9f04,0x30003fe,0x20be1b7,0x1927346,0x2a5026d,
+        0x1ac06bd,0x2717ed7,0x2609493,0x3079ea5,0x1cc116d,0x31b0541,
+        0x2c8ccde,0x10219ae,0x001a52b },
+      { 0x2864045,0x0e8d95b,0x2fc1530,0x0aa44e7,0x345eae7,0x3cc7553,
+        0x3ec6466,0x229b60e,0x06f6e95,0x00bed2a,0x0ff4403,0x181c639,
+        0x2e0df67,0x1f8fa46,0x0000811 } },
+    /* 159 */
+    { { 0x04310a2,0x20cee8e,0x09fc5d5,0x3707f5b,0x0bdfb4e,0x12713ee,
+        0x24f1028,0x0787ee6,0x39a581c,0x3797ec8,0x10a9746,0x112cb9f,
+        0x142b9ba,0x1da0ef6,0x0078f7b },
+      { 0x07607ae,0x3232872,0x2a7e076,0x0bb572a,0x182b23c,0x1d8f918,
+        0x181f392,0x37c45a9,0x24a3886,0x0b2a297,0x264e7f2,0x1fa433c,
+        0x0fcfcc8,0x21c0857,0x0004f74 } },
+    /* 160 */
+    { { 0x01d161c,0x1744585,0x2d17528,0x03a4f13,0x267cd2e,0x30d861f,
+        0x062a647,0x213284b,0x139ed25,0x27d4ca5,0x02fbbd6,0x31ddf11,
+        0x3c50ac4,0x1dd86f7,0x00107de },
+      { 0x16beebd,0x1b7317a,0x2151997,0x256a196,0x3be2aff,0x3621cab,
+        0x0a9da19,0x05f3038,0x23da63c,0x3178d5e,0x215cc67,0x07f7f63,
+        0x0c6d8d3,0x3bf5e5c,0x00c44bb } },
+    /* 161 */
+    { { 0x00c62f1,0x3e0f893,0x1572703,0x3b93865,0x19b1e28,0x389b33b,
+        0x02858bf,0x0e3e9aa,0x04bc436,0x234e072,0x25ba43d,0x3dca19e,
+        0x0274394,0x20f442e,0x003b4a7 },
+      { 0x176451e,0x2b5ed5d,0x35c8ee1,0x25c52da,0x0c3d0b5,0x32b306e,
+        0x030954f,0x275ecf7,0x10e472c,0x21577c4,0x02f8a32,0x321bb5c,
+        0x0098f97,0x104e237,0x00d0433 } },
+    /* 162 */
+    { { 0x0a8f2fe,0x034548b,0x141f1a6,0x121246f,0x1616409,0x237f80d,
+        0x2e29a55,0x1218db6,0x3ea278e,0x1669856,0x1ad7c8e,0x36d11de,
+        0x2c2fcbb,0x18c0b3a,0x001c706 },
+      { 0x1699b4b,0x2d531a6,0x17e85e2,0x1b48e78,0x2b509ca,0x2818ea0,
+        0x0165fee,0x0b809ca,0x09db6a2,0x3dad798,0x326ee1d,0x204e416,
+        0x091fa12,0x1c890e5,0x0007b9f } },
+    /* 163 */
+    { { 0x0ff4e49,0x0bb0512,0x0129159,0x05db591,0x03e4e9f,0x055ab30,
+        0x0f82881,0x0ac2deb,0x3a8bb09,0x356a8d2,0x3d38393,0x03e4089,
+        0x38187cd,0x1377a93,0x0041672 },
+      { 0x0139e73,0x3990730,0x187d3c4,0x33e4793,0x2e0fe46,0x2ad87e2,
+        0x33c792c,0x21d4fb6,0x1e4d386,0x2932d1b,0x20f1098,0x1270874,
+        0x0ea6ee4,0x0167d6e,0x005e5fd } },
+    /* 164 */
+    { { 0x1856031,0x2b7519d,0x3bd07fc,0x337abcb,0x089c7a4,0x2a1f120,
+        0x3523ce7,0x2ba406b,0x09561d9,0x1797f04,0x3cdb95f,0x2d6193e,
+        0x32c7d3f,0x223aed6,0x00beb51 },
+      { 0x2e65825,0x158f0ce,0x16413d1,0x310395f,0x3116854,0x250baf4,
+        0x373d341,0x156cc47,0x104c069,0x0893716,0x195a0a6,0x035320e,
+        0x37b7d8a,0x21b5755,0x00fb26b } },
+    /* 165 */
+    { { 0x286ae17,0x04239f1,0x1a56c53,0x0e74707,0x29090d7,0x2bb142b,
+        0x03b0139,0x1aac916,0x08ba49a,0x0376682,0x3382f85,0x064bbab,
+        0x2910e28,0x1d5bd7f,0x00cc8df },
+      { 0x0ab7630,0x208e8e7,0x3fc1877,0x26bee39,0x264984a,0x192ff05,
+        0x08ef9c3,0x0aa6951,0x071c44e,0x26eed3e,0x035c95e,0x06906ad,
+        0x10a0690,0x397eaa9,0x00c6c23 } },
+    /* 166 */
+    { { 0x034d8dd,0x005b064,0x279bb78,0x12c2c4f,0x1856bb4,0x0c90681,
+        0x06409ab,0x3b48617,0x19a2d78,0x0a34bf8,0x326eddf,0x31f09b5,
+        0x04f04dc,0x3d7c944,0x003ccaf },
+      { 0x321f843,0x35fb71a,0x1e4c397,0x377a5d7,0x2da88e4,0x3d6ada7,
+        0x33d3964,0x1b30149,0x0e39aae,0x054dda0,0x3e6f946,0x1273394,
+        0x3ffd3f7,0x2f6655e,0x00021dd } },
+    /* 167 */
+    { { 0x37233cf,0x11617dd,0x26f07b6,0x3d8250a,0x0fe6771,0x3f9bbbc,
+        0x2aba7ad,0x200a58d,0x3568603,0x198eefa,0x1e8fcf3,0x3b9610b,
+        0x20524ac,0x2a67528,0x0048d9a },
+      { 0x1a5e57a,0x1e9d303,0x16c9cff,0x0f39527,0x3c23259,0x03c8a1e,
+        0x104bccf,0x182d5a1,0x18dbc83,0x05b5f42,0x1b402f4,0x317c525,
+        0x11bf1ea,0x3c46e1f,0x0061936 } },
+    /* 168 */
+    { { 0x0153a9d,0x36859ee,0x2cf0aa9,0x2b27a0f,0x0a49fe3,0x2d984e1,
+        0x018f8e1,0x1378453,0x1ab3843,0x1987093,0x283dae9,0x25cf0e8,
+        0x14fc93d,0x280609d,0x00c99ba },
+      { 0x026b1e3,0x34663d3,0x2202477,0x21a9d45,0x212e8e1,0x18ab77e,
+        0x2e52f63,0x0a14ce1,0x295c396,0x00c7a3d,0x2aaedb6,0x30abc4d,
+        0x374acde,0x1318a73,0x00fcfdb } },
+    /* 169 */
+    { { 0x0a40298,0x3ba5633,0x11956b3,0x14fcbd7,0x3c38781,0x34bab96,
+        0x165630e,0x1f3c831,0x37e3a69,0x2b4226c,0x2d5029e,0x3b4ab1e,
+        0x1da6ac2,0x3eb43c3,0x007e5cd },
+      { 0x1b86202,0x109b7f6,0x2054f98,0x2c50cd7,0x2ed1960,0x3c518e7,
+        0x1b02463,0x319c07f,0x1c30db6,0x045fdc2,0x373421e,0x31a1eb9,
+        0x1a8acbf,0x31289b0,0x0013fef } },
+    /* 170 */
+    { { 0x3fa0a5f,0x068661f,0x2109e36,0x00b18ff,0x1f4b261,0x31d3844,
+        0x0acbc56,0x3aebc99,0x1fa77ab,0x152bd11,0x24cddb7,0x2313f74,
+        0x06eea44,0x15f5114,0x000b131 },
+      { 0x2e9993d,0x1ac565c,0x2cbe22a,0x3921797,0x12c3c57,0x360f868,
+        0x33560bf,0x320ee99,0x382c3b8,0x39af88f,0x00bbe38,0x2c4ea59,
+        0x3399b40,0x00ceb45,0x0066eea } },
+    /* 171 */
+    { { 0x0c6c693,0x31ba56d,0x3d3849f,0x378dabd,0x0efc735,0x17f90bf,
+        0x13343d3,0x2df0f81,0x27c6a9a,0x13c2a90,0x0a0fcb2,0x27c10d9,
+        0x3bc50c7,0x090e4fa,0x0016287 },
+      { 0x2927e1e,0x35af405,0x184c5c3,0x3499cee,0x240158e,0x33522e6,
+        0x386fc84,0x0a0b69f,0x1a660ea,0x34590fb,0x22a1bee,0x2ce4fab,
+        0x31a9445,0x0e78655,0x00664c8 } },
+    /* 172 */
+    { { 0x3eeaf94,0x115d409,0x21e7577,0x097aa67,0x22875c9,0x021ab7a,
+        0x27e7ba5,0x1093f04,0x2a086fe,0x05d9494,0x2b6c028,0x10f31b0,
+        0x1312d11,0x262759c,0x00c9bb2 },
+      { 0x1acb0a5,0x30cdf14,0x0f78880,0x0574f18,0x1a37109,0x098adbb,
+        0x2113c09,0x2060925,0x1f89ce4,0x1974976,0x3381358,0x2dab5ca,
+        0x2159c53,0x3af1303,0x000ea3b } },
+    /* 173 */
+    { { 0x1e49bea,0x29142b1,0x1a59cab,0x055f017,0x0684e54,0x39eb0db,
+        0x29cab9d,0x255ee8b,0x35f2e6f,0x05329e6,0x09b817b,0x1ec091c,
+        0x1df0fef,0x2641f62,0x00eb304 },
+      { 0x2fe5096,0x3dcc1d1,0x2aaf508,0x3a0b813,0x0695810,0x144bddb,
+        0x2f1bd93,0x281ae23,0x3513ebc,0x1ddd984,0x0cf158b,0x35218eb,
+        0x257daf7,0x391253b,0x00b2a81 } },
+    /* 174 */
+    { { 0x153e6ba,0x22396db,0x0ea2ff2,0x2a45121,0x0a90de1,0x34cf23b,
+        0x2db60ce,0x1a900be,0x2f328b6,0x355e75b,0x2c24372,0x0b75b77,
+        0x2ec7d4f,0x3f24759,0x00e9e33 },
+      { 0x39eab6e,0x2267480,0x3b5e110,0x1e8fa5e,0x2a31a66,0x3f739a3,
+        0x00166dc,0x3552d88,0x3ae5137,0x3efa0fa,0x0800acd,0x17df61d,
+        0x38c8608,0x04cc31b,0x00cf4ab } },
+    /* 175 */
+    { { 0x31e08fb,0x1961164,0x22c003f,0x078541b,0x3643855,0x30da587,
+        0x11f0dc9,0x324595e,0x329e3dc,0x29a041e,0x3495d2c,0x0908dd3,
+        0x1895b83,0x198dbb9,0x00d8cfb },
+      { 0x0349b1b,0x383c5a8,0x2b86525,0x1b1283e,0x133cd2c,0x2be376a,
+        0x012ee82,0x1eb4d1b,0x0ba71e9,0x01f3109,0x37621eb,0x1d9b77c,
+        0x0d39069,0x3d5a97c,0x0095565 } },
+    /* 176 */
+    { { 0x20f5e94,0x1eefc86,0x1327e0e,0x054760b,0x2f771e1,0x3ac447e,
+        0x033e3dc,0x198e040,0x04dd342,0x1b49a5d,0x00d01ef,0x3cb6768,
+        0x1ceafbd,0x31c6812,0x001cb80 },
+      { 0x221c677,0x060ca27,0x398b17f,0x0146723,0x36452af,0x02d9e65,
+        0x39c5f78,0x3cf50d6,0x0be40f8,0x2970b87,0x26d667c,0x3e45959,
+        0x16e7943,0x01673e7,0x009faaa } },
+    /* 177 */
+    { { 0x2078fe6,0x0918602,0x11dd8ad,0x399193f,0x0f6cc73,0x0f8dd12,
+        0x2ce34dc,0x06d7d34,0x0c5e327,0x0989254,0x2fc5af7,0x2443d7b,
+        0x32bc662,0x2fe2a84,0x008b585 },
+      { 0x039327f,0x08e616a,0x252f117,0x1f52ab0,0x234e2d2,0x0a5b313,
+        0x2f59ef6,0x0f7a500,0x15c4705,0x2c02b81,0x28b4f09,0x08aa5c8,
+        0x0180efc,0x0993e83,0x00a9e86 } },
+    /* 178 */
+    { { 0x0310ecc,0x2d8892f,0x14ed0b7,0x3c59fe8,0x08a1a74,0x0850e57,
+        0x1d09607,0x044a21f,0x109f5c9,0x237c6cf,0x06b264a,0x3fc8f1a,
+        0x0d4c539,0x2740f96,0x00dc2d4 },
+      { 0x1d6f501,0x0adf4ea,0x14f7215,0x0930102,0x3f4c32e,0x24e2643,
+        0x366596d,0x081ff18,0x38f94fb,0x2c21341,0x328594c,0x267c75c,
+        0x196b3fd,0x29932cb,0x0036def } },
+    /* 179 */
+    { { 0x3ed7cbe,0x26de044,0x3d0e461,0x0565e12,0x295e500,0x31dc17f,
+        0x32251c2,0x3420ca8,0x3995f0d,0x2e8ddab,0x0361a45,0x10971b0,
+        0x11e7b55,0x33bc7ca,0x00812d2 },
+      { 0x3d94972,0x1606817,0x0383ccf,0x0e795b7,0x026e20e,0x0f6fefc,
+        0x13685d6,0x315d402,0x0cc36b8,0x1c7f059,0x390ef5e,0x316ae04,
+        0x08c66b9,0x2fac9a4,0x0040086 } },
+    /* 180 */
+    { { 0x3e3c115,0x153de4d,0x1a8ae5e,0x2330511,0x169b8ee,0x1d965c2,
+        0x2edff2b,0x3ef99e6,0x1631b46,0x1f8a238,0x118d7bb,0x12113c3,
+        0x26424db,0x0f4122a,0x00e0ea2 },
+      { 0x3d80a73,0x30393bc,0x0f98714,0x278ef59,0x087a0aa,0x3b18c20,
+        0x04b8a82,0x2068e21,0x030255d,0x3382b27,0x055397f,0x05448dd,
+        0x2015586,0x1190be0,0x000b979 } },
+    /* 181 */
+    { { 0x2e03080,0x2895692,0x09fb127,0x2d1602a,0x1232306,0x105bd4e,
+        0x28cd6a6,0x0a83813,0x1ee13b0,0x2abadc3,0x0c09684,0x00e33e1,
+        0x033eea3,0x30f0a39,0x00a710e },
+      { 0x01b1f7d,0x1c959da,0x017077a,0x254bf0a,0x086fbce,0x15cd6b2,
+        0x008683f,0x23a4f4d,0x22a6bd6,0x14e8c93,0x0027d15,0x31d0d4f,
+        0x271777e,0x1533510,0x00ab603 } },
+    /* 182 */
+    { { 0x34c209d,0x14d0abb,0x270432a,0x1d02358,0x22ba752,0x209757f,
+        0x34af6fc,0x1ffc52e,0x1ced28e,0x1870e46,0x1e0340f,0x3f0bf73,
+        0x33ba91d,0x2ebca7c,0x00c6580 },
+      { 0x1d442cb,0x0879d50,0x24e4ae1,0x3f4e91c,0x04c7727,0x093cd1d,
+        0x16d6a45,0x10a8b95,0x0c77856,0x361f84f,0x217845f,0x0bbeec6,
+        0x0485718,0x33c5385,0x00dcec0 } },
+    /* 183 */
+    { { 0x1539819,0x225507a,0x1bf11cb,0x13e7653,0x0c8cb3b,0x05f695e,
+        0x353f634,0x2827874,0x3fb8053,0x22de9a5,0x035d8b7,0x2105cc7,
+        0x2a7a98d,0x35bed95,0x0085748 },
+      { 0x1859c5d,0x00e51f0,0x22a21fd,0x3054d74,0x06ce965,0x328eab7,
+        0x26a13e0,0x13bfc65,0x01d4fb1,0x36600b9,0x36dd3fc,0x01232ed,
+        0x15bbaa9,0x0ad7a51,0x0089b18 } },
+    /* 184 */
+    { { 0x3360710,0x1eb5a90,0x136bd77,0x3bd57a6,0x0841287,0x12886c9,
+        0x35c6700,0x21bc6eb,0x25f35ad,0x3bcb01c,0x0707e72,0x23e9943,
+        0x03e5233,0x34bb622,0x002bf8e },
+      { 0x16e0d6a,0x04b3d2d,0x290cb02,0x049a10c,0x350537e,0x22cf71b,
+        0x3184a19,0x2dc8b62,0x2350210,0x3b4afa6,0x159781e,0x1d01b6d,
+        0x1853440,0x16442f0,0x005a78d } },
+    /* 185 */
+    { { 0x348b02c,0x1ea8ab5,0x3b954d5,0x14684ac,0x0be5b34,0x11c4496,
+        0x0a7a456,0x14f6eb7,0x11a3221,0x2d65f82,0x32eb1ea,0x09c4018,
+        0x3f301f3,0x32e8a1c,0x00bd9ad },
+      { 0x0543f7f,0x31e744e,0x1fefd1d,0x24a486c,0x1000220,0x3977e3b,
+        0x1b3ef51,0x2512a1b,0x2049e6b,0x122232b,0x391a32b,0x2f4a7b1,
+        0x1c13e71,0x081a9b4,0x00d3516 } },
+    /* 186 */
+    { { 0x1924f43,0x1ae5495,0x28d52ef,0x2b93e77,0x2d2f401,0x371a010,
+        0x33e8d7a,0x06ed3f1,0x30c0d9d,0x2589fa9,0x3bf3567,0x2ecf8fa,
+        0x2dee4c3,0x152b620,0x007e8a2 },
+      { 0x1924407,0x01bd42d,0x044a089,0x18686b5,0x2f14a0e,0x17cdce3,
+        0x0efa216,0x3c586a8,0x1d6ae71,0x375831f,0x3175894,0x20e43eb,
+        0x34c009e,0x3480527,0x00d115c } },
+    /* 187 */
+    { { 0x12abf77,0x38b0769,0x25682f2,0x295508c,0x0c2a0dc,0x1259b73,
+        0x023ea25,0x340e7b5,0x3c7cd0d,0x1f92324,0x176405c,0x1528894,
+        0x18f2e1e,0x2c59c35,0x001efb5 },
+      { 0x0fb1471,0x07e7665,0x141da75,0x07d9f4a,0x0fdb31e,0x0dccda6,
+        0x074eb25,0x3d92a9b,0x11189a0,0x1b4c557,0x24b8d2b,0x0533f92,
+        0x0e9e344,0x2fa3dea,0x008d5a4 } },
+    /* 188 */
+    { { 0x2669e98,0x1ad3514,0x2a035c9,0x08a3f50,0x24547f9,0x0a145d3,
+        0x1c1319d,0x3fe833d,0x1ae064b,0x1e01734,0x246d27e,0x3a2f13c,
+        0x01e1150,0x263f55e,0x00f89ef },
+      { 0x2e0b63f,0x3e57db7,0x23a4b4f,0x11c8899,0x0ad8500,0x348f3a7,
+        0x2918604,0x27d6409,0x1ce5001,0x38f94c2,0x29a508a,0x39bdc89,
+        0x3a52c27,0x194899e,0x00e9376 } },
+    /* 189 */
+    { { 0x0368708,0x34a2730,0x2e1da04,0x0bd78c1,0x2c45887,0x0c44bfa,
+        0x3a23de3,0x390b9db,0x1746efd,0x05c638e,0x1d20609,0x3263370,
+        0x31987f0,0x2988529,0x005fa3c },
+      { 0x0aa9f2a,0x20622f7,0x060deee,0x0c9626a,0x3312cc7,0x18ebac7,
+        0x008dd6c,0x0ad4fe6,0x3db4ea6,0x1dc3f50,0x090b6e9,0x0aff8d2,
+        0x26aa62c,0x18f3e90,0x00105f8 } },
+    /* 190 */
+    { { 0x38059ad,0x25e576c,0x3ea00b2,0x1fa4191,0x25686b7,0x2d1ce8f,
+        0x30470ed,0x3478bbf,0x340f9b6,0x1c9e348,0x3d594ec,0x2ffe56e,
+        0x3f23deb,0x0cd34e9,0x00f4b72 },
+      { 0x1a83f0b,0x2166029,0x28b32a2,0x06a5c5a,0x20786c4,0x0944604,
+        0x0901bd2,0x379b84e,0x221e2fe,0x0346d54,0x1f4eb59,0x01b8993,
+        0x2462e08,0x25f9d8b,0x006c4c8 } },
+    /* 191 */
+    { { 0x0b41d9d,0x2e417ed,0x265bd10,0x199148e,0x3826ca4,0x1a67e8d,
+        0x1bbd13b,0x23e414d,0x3d773bc,0x356e64c,0x0d2118a,0x0cb587f,
+        0x25fd093,0x24fb529,0x00158c6 },
+      { 0x2806e63,0x3ecaa39,0x251b4dd,0x3b2d779,0x2e31ed3,0x066f1a6,
+        0x060e518,0x2c7e3e5,0x0d62c76,0x0d88a70,0x101970a,0x1e3c8c6,
+        0x272b8bb,0x083e73b,0x0031f38 } },
+    /* 192 */
+    { { 0x09e1c72,0x072bcb0,0x0cf4e93,0x2604a64,0x00715f2,0x10c98b6,
+        0x2ad81d9,0x234fcce,0x37a7304,0x1974a4a,0x1c7415f,0x14aaa93,
+        0x19587b1,0x3f643f4,0x00c3d10 },
+      { 0x1ddadd0,0x2cd715d,0x294cf76,0x14479ed,0x19f5f4a,0x0198c09,
+        0x1ab7ebc,0x182c0bc,0x0879202,0x1807273,0x05d39da,0x2c7d868,
+        0x29c4ec4,0x1b13ad2,0x006dcd7 } },
+    /* 193 */
+    { { 0x1c83f01,0x0245bff,0x24f90ba,0x112554f,0x2354c8b,0x3f17988,
+        0x0c511af,0x39e1e9b,0x26ae95b,0x0ae551c,0x35b41a6,0x0120455,
+        0x1e989cb,0x1b37aff,0x00fa2ae },
+      { 0x324659a,0x1aef1c3,0x1c43637,0x3f530a2,0x313a999,0x326af62,
+        0x134184e,0x2ac131c,0x3f6a789,0x30a300a,0x13e526e,0x2107af3,
+        0x093a8ff,0x2479902,0x00442b1 } },
+    /* 194 */
+    { { 0x22b6e20,0x31b18be,0x18614ca,0x26fdb5a,0x197f29e,0x325b44b,
+        0x0ab1dbb,0x042348a,0x3275e8e,0x15bae44,0x0077124,0x2cf5345,
+        0x2803ad4,0x188f2a2,0x0061b20 },
+      { 0x2a560b1,0x3ced069,0x3cf42c2,0x100e167,0x3879e1d,0x0936ff0,
+        0x1b51450,0x14c55f3,0x3153bfa,0x2957423,0x2a93823,0x15f5dce,
+        0x2c9a22f,0x16731a8,0x00a97f2 } },
+    /* 195 */
+    { { 0x18edbbb,0x18c5ef9,0x1f13c30,0x071e77f,0x225ade5,0x1b60f75,
+        0x1beaf11,0x3e495ad,0x2441dd8,0x2fa00e2,0x32a87b6,0x00050f2,
+        0x038de7f,0x0037d6d,0x00a885d },
+      { 0x39e48bd,0x1d9e433,0x2768e9f,0x3c29458,0x3f0bdf9,0x35ed5f2,
+        0x36709fa,0x176dc10,0x012f7c1,0x2df8547,0x1d90ee3,0x053c089,
+        0x21a8d35,0x200cb0d,0x002e84e } },
+    /* 196 */
+    { { 0x23ec8d8,0x1d81f55,0x0cb7227,0x07f8e4d,0x2a66181,0x163f577,
+        0x272e7af,0x131a8f2,0x2046229,0x25e6276,0x36bbefe,0x2cdc22f,
+        0x17c8288,0x33dd4fb,0x000d524 },
+      { 0x330c073,0x1a6728b,0x1cf369f,0x12e7707,0x2f0fa26,0x17c2abd,
+        0x0a45680,0x26ebd13,0x3c7d19b,0x1c3d6c8,0x2abd110,0x064fd07,
+        0x09b8339,0x02b4a9f,0x009e3e1 } },
+    /* 197 */
+    { { 0x0ae972f,0x2093c35,0x06e7a90,0x0af1ba1,0x243eef0,0x2748582,
+        0x0606122,0x13a45f9,0x0acfe60,0x08a685e,0x0eb184b,0x015bc11,
+        0x0cdf423,0x157fad5,0x004fcad },
+      { 0x2728d15,0x3e5bceb,0x0331a0f,0x31b1a80,0x28a2680,0x3b94955,
+        0x04cae07,0x176b57e,0x03ac5a6,0x3d7918b,0x22d23f4,0x0ae077f,
+        0x1eb075d,0x006f16c,0x006e473 } },
+    /* 198 */
+    { { 0x38219b9,0x0475a2b,0x107a774,0x39946c6,0x1cb883c,0x004e0ed,
+        0x087e571,0x25c3497,0x059982f,0x0a71f66,0x118305d,0x1aaf294,
+        0x3a5dbaa,0x34be404,0x00725fe },
+      { 0x3abd109,0x336ebea,0x2528487,0x15a1d61,0x0c0f8cf,0x2b56095,
+        0x2591e68,0x3549a80,0x1d1debb,0x0701c6c,0x161e7e3,0x1f7fa2e,
+        0x3dfe192,0x17e6498,0x0055f89 } },
+    /* 199 */
+    { { 0x175645b,0x26c036c,0x0b92f89,0x09ed96d,0x351f3a6,0x19ce67b,
+        0x33ac8db,0x2f0828b,0x27fe400,0x0b9c5e1,0x1967b95,0x3324080,
+        0x11de142,0x1d44fb3,0x003d596 },
+      { 0x3979775,0x3af37b6,0x3e88d41,0x2f1a8b9,0x299ba61,0x085413c,
+        0x1149a53,0x0beb40e,0x31427ba,0x239f708,0x357d836,0x1558c22,
+        0x280a79f,0x1b255f6,0x002b6d1 } },
+    /* 200 */
+    { { 0x39ad982,0x3d79d89,0x01a684a,0x0b6722e,0x39bb4c9,0x39a6399,
+        0x1ad44e0,0x3059f5e,0x048265f,0x33a2fa4,0x0c3a4cc,0x0d7df98,
+        0x23a33f1,0x34e2e21,0x00a0a10 },
+      { 0x386efd9,0x1c91f34,0x06c2e19,0x3e6d48d,0x00eefd3,0x2181ef2,
+        0x2415f97,0x1d33b08,0x0625086,0x1e8aa3e,0x08c9d60,0x0ab427b,
+        0x2764fa7,0x3b7943e,0x00cd9f0 } },
+    /* 201 */
+    { { 0x1a46d4d,0x0e471f4,0x1693063,0x0467ac0,0x22df51c,0x127a0f7,
+        0x0498008,0x20e0b16,0x1aa8ad0,0x1923f42,0x2a74273,0x01761ce,
+        0x1600ca4,0x187b87e,0x00ee49e },
+      { 0x0c76f73,0x19daf92,0x0b2ad76,0x3d8049d,0x1d9c100,0x0fe1c63,
+        0x0bb67c8,0x035cc44,0x02002fc,0x37b2169,0x344656a,0x1127879,
+        0x1939bc0,0x0dd8df6,0x0028ce7 } },
+    /* 202 */
+    { { 0x0544ac7,0x26bdc91,0x042697e,0x356e804,0x1f2c658,0x2ceb7ef,
+        0x2dec39f,0x02c1dcc,0x391a2df,0x2344beb,0x2171e20,0x3099c94,
+        0x0fa548a,0x37216c9,0x00f820c },
+      { 0x0f4cf77,0x29bbaa5,0x33c6307,0x34a5128,0x118c783,0x2dd06b1,
+        0x139d4c0,0x2db912e,0x1153ffb,0x1075eb3,0x3a255e4,0x2892161,
+        0x36d5006,0x125338c,0x0014fbc } },
+    /* 203 */
+    { { 0x1584e3c,0x0830314,0x00279b9,0x167df95,0x2c7733c,0x2108aef,
+        0x0ce1398,0x35aaf89,0x012523b,0x3c46b6a,0x388e6de,0x01a2002,
+        0x0582dde,0x19c7fa3,0x007b872 },
+      { 0x1e53510,0x11bca1f,0x19684e7,0x267de5c,0x2492f8b,0x364a2b0,
+        0x080bc77,0x2c6d47b,0x248432e,0x3ace44f,0x32028f6,0x0212198,
+        0x2f38bad,0x20d63f0,0x00122bb } },
+    /* 204 */
+    { { 0x30b29c3,0x3cec78e,0x01510a9,0x0c93e91,0x3837b64,0x1eca3a9,
+        0x105c921,0x05d42e6,0x1379845,0x07ce6f2,0x0e8b6da,0x0e0f093,
+        0x220b2cd,0x1f6c041,0x00299f5 },
+      { 0x0afdce3,0x2b0e596,0x2f477b6,0x2ccf417,0x3a15206,0x26ec0bf,
+        0x2e37e2b,0x2593282,0x0ab9db3,0x2841dd8,0x27954be,0x277a681,
+        0x03f82e2,0x2b610c7,0x00446a1 } },
+    /* 205 */
+    { { 0x06b8195,0x3b3a817,0x31b9c6f,0x317d279,0x3d744a7,0x1de9eb9,
+        0x296acc1,0x1ce9ea3,0x06c3587,0x246815d,0x3756736,0x0588518,
+        0x1c971a4,0x1fde1f4,0x00aa021 },
+      { 0x3fd3226,0x274561d,0x00be61e,0x01393d8,0x30f6f23,0x29b7fc1,
+        0x04cebc7,0x0a892a7,0x20109f1,0x27456be,0x0c863ee,0x2eb6c8a,
+        0x38c782b,0x039397a,0x00a2829 } },
+    /* 206 */
+    { { 0x29de330,0x21fe80f,0x145b55b,0x1986570,0x012b260,0x2482fbc,
+        0x0536e0a,0x16b7382,0x32c4d19,0x1deffdb,0x145f418,0x0c67a76,
+        0x2ce477f,0x218fe24,0x00f9848 },
+      { 0x3e37657,0x3f074d3,0x245ad0e,0x20973c3,0x23c58de,0x2c332ef,
+        0x2ad21a8,0x0bf1589,0x208af95,0x1f4a8c4,0x2b43735,0x1e46657,
+        0x15d4f81,0x0c3e63a,0x005f19d } },
+    /* 207 */
+    { { 0x26865bb,0x20f6683,0x16a672e,0x0efd8d1,0x222f5af,0x18f2367,
+        0x1e9c734,0x25c3902,0x178dfe6,0x2903a79,0x311b91c,0x1adbbe9,
+        0x225a387,0x0b3e509,0x0089551 },
+      { 0x34e462b,0x23b6a32,0x27c884c,0x129104b,0x384c015,0x3adedc7,
+        0x325db1c,0x021dc10,0x1e366f7,0x3054df7,0x1992b9a,0x2824e64,
+        0x0ae77f3,0x181b526,0x00a7316 } },
+    /* 208 */
+    { { 0x2d260f5,0x2434bf2,0x28c0139,0x0a7bb03,0x176c3be,0x3def5f5,
+        0x05bee00,0x3692df7,0x3d2efeb,0x3a6f859,0x1122b87,0x38f779a,
+        0x1415ccc,0x2c260ad,0x0075a28 },
+      { 0x04607a6,0x042f37a,0x3f0df68,0x0a1bd36,0x3c6d581,0x2d36bfa,
+        0x2d577d1,0x0a3affa,0x0b2066b,0x2e6f110,0x0b17e84,0x3c76a5e,
+        0x1a57553,0x012f36a,0x0004595 } },
+    /* 209 */
+    { { 0x29e5836,0x0e6808c,0x269d13e,0x147dc5c,0x32c9e7d,0x09b258e,
+        0x2c58d6f,0x1efd716,0x0437996,0x34ec31b,0x15908d9,0x2efa8fd,
+        0x09ad160,0x079fc1f,0x00d8481 },
+      { 0x3d20e4a,0x18269d6,0x3aa8fe7,0x34829c2,0x2e4325d,0x0d800e1,
+        0x11f370b,0x10c08dc,0x22fd092,0x1a5fe55,0x0acc443,0x037030d,
+        0x1cdd404,0x097379e,0x00fd6d7 } },
+    /* 210 */
+    { { 0x313eafb,0x3f438f3,0x2e5fb3e,0x2ed6a82,0x121009c,0x240889e,
+        0x00c5537,0x269b792,0x334b2fc,0x1dd573c,0x07096ae,0x19296fc,
+        0x3813985,0x2742f48,0x00ddd64 },
+      { 0x2045041,0x3842c62,0x1572d0d,0x04f255f,0x06e05b4,0x383ec97,
+        0x1ff8064,0x18bed71,0x39b6411,0x2764cc5,0x257439f,0x3521217,
+        0x172aa42,0x342a2a3,0x0070c5b } },
+    /* 211 */
+    { { 0x3bdf646,0x1c5ce25,0x1f7ca76,0x2d2acca,0x3aa1485,0x23c97f7,
+        0x3e11d6f,0x0609338,0x07ec622,0x01da8ff,0x3392474,0x17ca07f,
+        0x13a9a04,0x353a5b4,0x0024557 },
+      { 0x14c27cd,0x32012f7,0x3fea875,0x3d03d71,0x211c5f0,0x3157fdf,
+        0x0c880bd,0x3c406b2,0x2c51103,0x24ab377,0x399faa8,0x0d06887,
+        0x16b5738,0x28b33a7,0x00c7b67 } },
+    /* 212 */
+    { { 0x2357586,0x35c93e3,0x0da09a0,0x3d77d92,0x11d7f4f,0x37b98a9,
+        0x3e6c9bf,0x2cdca70,0x2f00389,0x2412673,0x18eab87,0x0101436,
+        0x11617e9,0x06d9b01,0x00e8eef },
+      { 0x37e3ca9,0x16ffaf0,0x391debf,0x1b69382,0x07c5e94,0x312fa8a,
+        0x0973142,0x2cadde4,0x109ee67,0x3a07db0,0x1afc5ed,0x08df66f,
+        0x304c7af,0x0804aae,0x00d2e60 } },
+    /* 213 */
+    { { 0x24f57bf,0x1818322,0x182a615,0x25bfc44,0x0f97586,0x0a5bbc0,
+        0x36773c6,0x1a2660c,0x3ceff66,0x3270152,0x319cd11,0x2845845,
+        0x1acfad6,0x19076f8,0x009824a },
+      { 0x289fd01,0x2de97ee,0x39d80b7,0x026227d,0x0f8d3b8,0x15e0a17,
+        0x21ea08f,0x20a2317,0x136ae6d,0x3deb1d1,0x3521ef5,0x0de8801,
+        0x0a25d5d,0x0612c98,0x005ecc4 } },
+    /* 214 */
+    { { 0x308c8d3,0x3aec669,0x01ecddc,0x13f18fe,0x1e63ed0,0x061cfe5,
+        0x05f5a01,0x1db5741,0x14479f2,0x0ced6b5,0x025ae5b,0x09ca8f5,
+        0x2160581,0x1404433,0x008bfeb },
+      { 0x08228bf,0x0e02722,0x37df423,0x33ecabf,0x34bd82a,0x32f529f,
+        0x28f1800,0x0c8f671,0x1246b44,0x1ff35dc,0x091db95,0x303f3da,
+        0x28f7f60,0x3624136,0x00cfbb4 } },
+    /* 215 */
+    { { 0x326139a,0x2977e4e,0x3eb89a6,0x20ecb31,0x13e076a,0x2a592f3,
+        0x28e82d5,0x235ad1e,0x239b927,0x262938a,0x2444354,0x141b263,
+        0x0d56693,0x2a3fc78,0x0006497 },
+      { 0x31efa05,0x3a3664a,0x3e333de,0x2a114e4,0x12da63c,0x3c15e6b,
+        0x2f7277c,0x363aa92,0x2393236,0x16bd2d1,0x32b617f,0x32b656c,
+        0x3b1246c,0x22e2e22,0x00ce76d } },
+    /* 216 */
+    { { 0x03843dc,0x094de82,0x13b463d,0x0507905,0x089eb35,0x2a6bf25,
+        0x35ebc4e,0x2bb5d45,0x1808ed1,0x1de9949,0x185e829,0x0a55847,
+        0x0b73d67,0x1a2ed61,0x008dd2d },
+      { 0x133c3a4,0x04e7980,0x38ea237,0x2ad2f49,0x19de838,0x018bf36,
+        0x29b072c,0x21c1ba0,0x14f63ba,0x31c1cc3,0x13cd05e,0x20120ff,
+        0x1f84d60,0x16e0321,0x00872ab } },
+    /* 217 */
+    { { 0x19d4d49,0x1ddb4e6,0x05e7fc0,0x37bb0fd,0x1a3eb59,0x36b87f0,
+        0x190e440,0x1c7fef2,0x31ea153,0x14cd65a,0x1bc7ab2,0x11f72ca,
+        0x39582d4,0x0fa4d65,0x00cd5b6 },
+      { 0x3d1ff11,0x0d9be9d,0x2903ae3,0x017b7b9,0x259f28f,0x110cefc,
+        0x03fed1a,0x38039bd,0x09bdf9c,0x3055027,0x2ca9c5d,0x2d737b6,
+        0x3bdb421,0x16560b5,0x00f9f33 } },
+    /* 218 */
+    { { 0x022c792,0x110de25,0x38bf959,0x08f2562,0x1239ea9,0x3c1d950,
+        0x21a247d,0x315112d,0x285bb9f,0x2534a73,0x0b42455,0x1a4a99c,
+        0x069009a,0x1680392,0x006e0ca },
+      { 0x1b3bece,0x269e0a1,0x18926b7,0x0e7187e,0x241f35e,0x39d1fe0,
+        0x02099aa,0x1675bfe,0x23fd0ca,0x3d6322b,0x19406b5,0x324c38a,
+        0x242434a,0x3ae677c,0x002ce04 } },
+    /* 219 */
+    { { 0x2c37b82,0x1ae6506,0x0d83436,0x23496c1,0x0ff0c72,0x2711edf,
+        0x1513611,0x04f9c7d,0x1edbeff,0x376fcb5,0x212a683,0x23bf547,
+        0x0f9c4f7,0x16e6627,0x0082cd8 },
+      { 0x0cb5d37,0x31b6db8,0x1a15e23,0x2f5cbb8,0x0818aee,0x21dc6c5,
+        0x12aafd2,0x205f608,0x1d91def,0x3def088,0x1445c51,0x3100e8a,
+        0x3746bda,0x145c4b0,0x00711b0 } },
+    /* 220 */
+    { { 0x2a99ecc,0x27b5217,0x35e10ed,0x036e32a,0x0f79950,0x15c32f7,
+        0x2c87dcb,0x3ebb2a3,0x2c2d35d,0x114b3ec,0x2e4d80a,0x0c7eb89,
+        0x2abe58d,0x3727737,0x00e6a37 },
+      { 0x1eca452,0x1968d07,0x344e5d3,0x29435a2,0x109a5f8,0x181d12c,
+        0x238ea5a,0x127a564,0x00dbb42,0x0fcbfb7,0x2909b2e,0x2571d3a,
+        0x08250e3,0x0694e4e,0x00e156d } },
+    /* 221 */
+    { { 0x3181ae9,0x1acf411,0x3808d79,0x2a11065,0x0baf44b,0x133cfeb,
+        0x1330943,0x1711b9a,0x2dec3bd,0x1906a9a,0x2ed947c,0x369d763,
+        0x1a5254f,0x104a7a9,0x00acd9d },
+      { 0x030301b,0x31568f5,0x2a4965c,0x33ded4b,0x03c9a5b,0x16541fc,
+        0x1319cf1,0x2a3748b,0x1b5de74,0x18bb82e,0x077ac2b,0x309a87a,
+        0x3c31420,0x0f6a4b9,0x00387d7 } },
+    /* 222 */
+    { { 0x0d3fdac,0x120cfa3,0x1b8e13c,0x1ccccb9,0x376fcd4,0x0bf87f4,
+        0x271b4be,0x363b3fd,0x28b5d98,0x0535cd3,0x114bbc1,0x3ab4f19,
+        0x10494b1,0x2161ece,0x00d14ca },
+      { 0x12d37e9,0x110ebd7,0x062295a,0x1cc0119,0x073c6ea,0x15d5411,
+        0x0aeb4b1,0x23fba91,0x175fab5,0x3ee8fe1,0x1c680a6,0x1e76f27,
+        0x3ddfc97,0x3d69ecd,0x00e1ee5 } },
+    /* 223 */
+    { { 0x2d29f46,0x2d19204,0x3137cd0,0x02c3b54,0x193295b,0x02fbdb2,
+        0x2260948,0x22c02ff,0x3885424,0x1299595,0x00e7f9c,0x310ff2a,
+        0x01ea169,0x0deef85,0x0021908 },
+      { 0x1b26cfb,0x38566a8,0x2852875,0x21debff,0x290ca9f,0x0b29663,
+        0x26550d9,0x2b44457,0x05d1938,0x1f8f825,0x366ef93,0x1d8daec,
+        0x069e5ef,0x342ece6,0x00b6034 } },
+    /* 224 */
+    { { 0x2d8356e,0x1578c09,0x226f4d2,0x3b74c51,0x0f83666,0x0323b59,
+        0x1ddf61d,0x1ed8508,0x3c52667,0x0e5b91c,0x1e9b18b,0x352bdfa,
+        0x13f75da,0x352aa4e,0x00fceff },
+      { 0x1c731d5,0x04e2844,0x01d9843,0x286cbc5,0x105bcb3,0x05edd9c,
+        0x21fa956,0x3b1ec83,0x01288cc,0x22fbf3a,0x10f1b56,0x081cf72,
+        0x15cb758,0x18687c1,0x00f5722 } },
+    /* 225 */
+    { { 0x2973088,0x1209dcd,0x3980f31,0x0221aa7,0x1c008e7,0x011b098,
+        0x395947e,0x2f2806d,0x27dca76,0x037c79a,0x31acddf,0x2bf6219,
+        0x0d8f4ab,0x13644d9,0x00ff705 },
+      { 0x2260594,0x18d51f8,0x277e2cf,0x1cb5cec,0x2468a53,0x3e6f4d7,
+        0x019e24e,0x0f30f1d,0x0202404,0x34ad287,0x090b39c,0x23c11ea,
+        0x1a2e3a2,0x3a851be,0x00dca2c } },
+    /* 226 */
+    { { 0x3277538,0x221cd94,0x3738ab7,0x0973da5,0x1a734e2,0x2c8b8b0,
+        0x2e1d1e6,0x348499b,0x389ebe1,0x18b1854,0x02bb076,0x1b2b500,
+        0x0f207f3,0x170cf99,0x0012088 },
+      { 0x0fbfec2,0x1df55a4,0x34ae59e,0x2ab5e95,0x3f9e781,0x3411794,
+        0x1410b05,0x17c3a00,0x0aaa91b,0x074ed7c,0x3fbb352,0x3477c01,
+        0x3ee9ab3,0x0cfb1ca,0x0011c4b } },
+    /* 227 */
+    { { 0x3c3a7f3,0x2e60ca0,0x2354d32,0x33e2362,0x28083ab,0x03d3b16,
+        0x3164045,0x0a41f7a,0x3f0641e,0x38635d1,0x31bbf03,0x225e2bb,
+        0x0cd894e,0x1f72228,0x0093244 },
+      { 0x33d5897,0x383faf3,0x0e6d561,0x0bc4d80,0x3fc3a68,0x05a9adc,
+        0x0b9d73d,0x3d6031e,0x2ded29b,0x339c4ff,0x08d69e5,0x089488c,
+        0x3fda40a,0x295c7fd,0x003a924 } },
+    /* 228 */
+    { { 0x0093bee,0x115532d,0x2ec0fb6,0x0969631,0x3a6d65a,0x0f43b4d,
+        0x26994d4,0x0b51104,0x2515515,0x3695a26,0x284caa8,0x397aa30,
+        0x25538b8,0x353f47c,0x0033f05 },
+      { 0x3615d6e,0x37f8246,0x07dae0f,0x23dc154,0x02ded7e,0x1eef320,
+        0x1631e51,0x3447f75,0x13e267f,0x353e1d1,0x3f89d62,0x369c8ff,
+        0x1a21dc6,0x2b8b8f3,0x0055cbc } },
+    /* 229 */
+    { { 0x34e84f3,0x2f2539a,0x2c35336,0x0c53bdc,0x1728630,0x3ad5fe6,
+        0x05fdeee,0x3386db6,0x272a42e,0x29fd38c,0x36f0320,0x21b2ed4,
+        0x331e67f,0x28ae48c,0x00f09b6 },
+      { 0x2778435,0x0fb3c55,0x32d221d,0x2660c8e,0x32977ba,0x1c12f03,
+        0x1b57fb1,0x01229a8,0x38b389f,0x375ddf3,0x2c6b42c,0x3885d3e,
+        0x2c55a9c,0x2ffc279,0x00404e2 } },
+    /* 230 */
+    { { 0x04c5ddb,0x2c4d788,0x150e9b9,0x110fbfd,0x29dbfe0,0x30ef83d,
+        0x2ab4bfe,0x395bcd7,0x30d0a43,0x0e2d30f,0x0e73f9b,0x07199cc,
+        0x0c9054c,0x22f4b1e,0x0092ed3 },
+      { 0x386e27c,0x00fdaa8,0x0507c70,0x1beb3b6,0x0b9c4f4,0x277d519,
+        0x024ec85,0x1cbaba8,0x1524295,0x112be58,0x21fc119,0x273578b,
+        0x2358c27,0x280ca07,0x00aa376 } },
+    /* 231 */
+    { { 0x0dbc95c,0x16488cf,0x337a078,0x1abbcb8,0x0aae1aa,0x1caa151,
+        0x00108d4,0x1edf701,0x3e68d03,0x1203214,0x0c7eee2,0x084c572,
+        0x07752d2,0x215a3b9,0x00195d3 },
+      { 0x2cd7fbe,0x06e80f6,0x052bd4b,0x07b4f83,0x24b5ac6,0x2aaded4,
+        0x13c0526,0x0ffa9a3,0x08c660e,0x13c35c9,0x3145efb,0x36cfe24,
+        0x0936daf,0x268e3d0,0x00a73fd } },
+    /* 232 */
+    { { 0x31b17ce,0x2e7bcee,0x3f31891,0x19f1849,0x1140236,0x015487f,
+        0x32e58d3,0x202204a,0x049e350,0x1ce91f9,0x3f75150,0x27f212f,
+        0x0d16ee4,0x1c894c4,0x004023f },
+      { 0x33399fa,0x2397b6d,0x2a3ea60,0x36354ca,0x1f12632,0x117a105,
+        0x22758e8,0x361844e,0x3851fc2,0x0ab92db,0x339d02f,0x1e7d6c4,
+        0x19ebd38,0x0a9a036,0x00446d2 } },
+    /* 233 */
+    { { 0x3e164f1,0x008c092,0x19200f5,0x35a22e0,0x38d09d2,0x212b3bf,
+        0x0056f19,0x3a03545,0x1f075e9,0x0e97137,0x1f496a9,0x32d1f9b,
+        0x36bf738,0x35ace37,0x00899e1 },
+      { 0x19eb2a6,0x21fa22d,0x338b69e,0x18e6d1f,0x1280d9d,0x1953a55,
+        0x1411ea3,0x2960566,0x0fd969a,0x1f3e375,0x130742a,0x170aebd,
+        0x33085ff,0x14d868d,0x00a4391 } },
+    /* 234 */
+    { { 0x0a4bdd2,0x39ca8ea,0x37026ac,0x346da3b,0x0c656cd,0x03136b6,
+        0x233e7e9,0x0714352,0x08a9d95,0x192bb38,0x085d68e,0x20016b8,
+        0x102b8ea,0x1f5dbdd,0x00fdd7a },
+      { 0x0d6fa45,0x3ec29a6,0x2b8cce6,0x1c84413,0x0228f86,0x28275f7,
+        0x3d8787d,0x0c19748,0x28b2ae9,0x1954850,0x2a56c36,0x3eae8f7,
+        0x0aca595,0x00e42a2,0x00edbe5 } },
+    /* 235 */
+    { { 0x3b26c82,0x3682b6f,0x2f9cd64,0x0f254b0,0x0e5d70b,0x1f9dfda,
+        0x28f365f,0x35a57d7,0x00208f2,0x19c8d38,0x112e7be,0x3e403bb,
+        0x3734efa,0x24d12b3,0x0027dc6 },
+      { 0x260a46a,0x13fd7b0,0x1c2880e,0x338b70c,0x27da5eb,0x29a7d54,
+        0x1c5d73c,0x2130921,0x32969cc,0x2b37eda,0x2d6d4ec,0x0716bfb,
+        0x0763703,0x1320889,0x00c7bbf } },
+    /* 236 */
+    { { 0x1fe01b2,0x2dcb1d2,0x11b89d5,0x219e4ea,0x0347851,0x3d1810e,
+        0x3a3c54c,0x06dbe8e,0x03d3ab2,0x2dcfa39,0x3e57b8a,0x337a382,
+        0x0426450,0x0e9f748,0x006488b },
+      { 0x1dc4582,0x0e62cf7,0x06fea9e,0x2a56fb1,0x31698c1,0x15b4e10,
+        0x1446ef1,0x0a689fc,0x1d87703,0x20ff497,0x2c71066,0x2c48868,
+        0x2e6cf05,0x30aa9cb,0x0065b2d } },
+    /* 237 */
+    { { 0x1021d63,0x2217df3,0x1f0821a,0x057fa98,0x23f344b,0x173dcf9,
+        0x1ba6ddc,0x22c8eb5,0x18f227a,0x0455343,0x1c55931,0x1d0dcf3,
+        0x20fa19b,0x1c56618,0x004feab },
+      { 0x19ec924,0x224e39f,0x2550509,0x179b51f,0x284d54a,0x2d85d41,
+        0x2d1bdc1,0x1a29068,0x3826158,0x1267f85,0x3005a92,0x0769e00,
+        0x379b617,0x17b5f63,0x00a70bf } },
+    /* 238 */
+    { { 0x22216c5,0x049437f,0x33510bc,0x141d806,0x22c37e2,0x1bc1adf,
+        0x300175d,0x2e6ded8,0x0a18bfe,0x35377a3,0x382f843,0x08410ca,
+        0x00afd4f,0x0be6c6b,0x008d70e },
+      { 0x2e91abb,0x1cede2a,0x28f225c,0x28e18c0,0x30230dc,0x173cc2d,
+        0x123ecfe,0x3c9962e,0x2c25506,0x27b5d53,0x329a5e3,0x106e231,
+        0x3889b8e,0x3b0aeaf,0x00ee67c } },
+    /* 239 */
+    { { 0x3e46c65,0x0eb3d46,0x1d7ae18,0x23f9d59,0x2978953,0x2589ed3,
+        0x073391d,0x2461e1e,0x0c19f1d,0x22fd2b1,0x0691f5c,0x2e67d8d,
+        0x1fb985d,0x200dd28,0x00a68df },
+      { 0x392b5fa,0x123b46f,0x1c323c4,0x104f82f,0x0a098c8,0x26fc05b,
+        0x34cd557,0x0913639,0x09c115e,0x3977c34,0x3410b66,0x062b404,
+        0x0213094,0x132c5e8,0x008b612 } },
+    /* 240 */
+    { { 0x26e3392,0x3b0ebf0,0x2e00425,0x1c285c8,0x3c07f84,0x08d5ad0,
+        0x028190e,0x1669b73,0x1ffb1ef,0x053b65f,0x063028c,0x0aceb47,
+        0x18988c2,0x0f09a30,0x0007072 },
+      { 0x0f49e7d,0x28c0bd3,0x252270d,0x24cfc4a,0x0c5e87c,0x2165052,
+        0x2cdd1d1,0x04931d2,0x3abca74,0x22b57dc,0x169fd47,0x0b928fb,
+        0x17cc3e7,0x21a1ec4,0x0061593 } },
+    /* 241 */
+    { { 0x1aa0486,0x2e55dea,0x15577b7,0x0d6818f,0x36e41fb,0x2a411f5,
+        0x17d5c7d,0x1eea6c0,0x28068a8,0x0e31d20,0x1f08ad9,0x117e973,
+        0x08a28ab,0x085d30a,0x00cd9fb },
+      { 0x347843d,0x1119095,0x11e3595,0x1b29584,0x134d64c,0x2ff3a35,
+        0x247ea14,0x099fc4b,0x2056169,0x145dd03,0x2ed03fb,0x1250e3b,
+        0x3f5135c,0x2b753f0,0x009da30 } },
+    /* 242 */
+    { { 0x0fa5200,0x214a0b3,0x313dc4e,0x23da866,0x3270760,0x15c9b8b,
+        0x39a53df,0x1f79772,0x3c9e942,0x2984901,0x154d582,0x1685f87,
+        0x2e1183e,0x1f79956,0x00b9987 },
+      { 0x15254de,0x3a5cac0,0x37c56f0,0x2c7c29b,0x292a56d,0x195be2c,
+        0x17e4e1a,0x0660f4a,0x052ad98,0x1267f80,0x07cfed8,0x194b4bc,
+        0x01738d3,0x14ba10f,0x00c7843 } },
+    /* 243 */
+    { { 0x29b2d8a,0x242bc1f,0x19646ee,0x0615f3c,0x0ac8d70,0x07ca3bf,
+        0x2d90317,0x2c83bdb,0x1a96812,0x39fdc35,0x31c61ee,0x2d55fd3,
+        0x2375827,0x355f189,0x00f1c9b },
+      { 0x21a6194,0x1f4050a,0x2b845cf,0x02c6242,0x2dd614e,0x3a4f0a9,
+        0x39de100,0x24714fb,0x175e0cd,0x0be633d,0x14befc3,0x13b0318,
+        0x1d68c50,0x299989e,0x00d0513 } },
+    /* 244 */
+    { { 0x059fb6a,0x2b6eb6a,0x3666a8e,0x39f6ca0,0x1cf8346,0x388b8d5,
+        0x35e61a3,0x271adec,0x22c9963,0x20a4fb3,0x16f241c,0x0058b89,
+        0x21ddafa,0x1ee6fde,0x00d2e6c },
+      { 0x0075e63,0x39894d0,0x0286d0d,0x187e7b2,0x02405aa,0x3f91525,
+        0x37830a8,0x2723088,0x2c7364e,0x013f406,0x104ba75,0x270f486,
+        0x3520b4d,0x3852bc6,0x00d589b } },
+    /* 245 */
+    { { 0x262e53b,0x1da93d1,0x3676135,0x147e41d,0x335ec2f,0x1f02be5,
+        0x297d139,0x22d6198,0x1fe9e59,0x13b4c80,0x1e70f60,0x2f1d4a9,
+        0x2d95149,0x14d6ec4,0x00b54af },
+      { 0x12c1c76,0x2930ac8,0x0dfd36e,0x31fac94,0x218f5bb,0x2828691,
+        0x1466cc9,0x3645e83,0x1a4dac2,0x1549593,0x0e95fab,0x19567d2,
+        0x27a3320,0x0642729,0x007487c } },
+    /* 246 */
+    { { 0x1e98e9c,0x2ff8df7,0x119975a,0x098a904,0x099b90b,0x336c7df,
+        0x010996d,0x159d46d,0x3118b3b,0x3aacd1b,0x31f8ae1,0x214864f,
+        0x398c104,0x089dae2,0x001ec4d },
+      { 0x1452baa,0x2f24991,0x2572ba3,0x162b312,0x2387d18,0x147c5c7,
+        0x38eff6e,0x0700251,0x37d931e,0x23cd5c1,0x254c8ca,0x3b9df37,
+        0x1c9a4ff,0x0bfd547,0x00fb489 } },
+    /* 247 */
+    { { 0x1b8dff8,0x2f6b40b,0x05a25b1,0x3f5688a,0x1d462f4,0x2802d18,
+        0x2aad8ed,0x1b46c75,0x3cf4130,0x250fefb,0x2a13fe1,0x23a1bcd,
+        0x0940442,0x04605fe,0x00c8b2f },
+      { 0x0d51afb,0x14a2abc,0x1d06762,0x291526c,0x2a3e2fe,0x28f77d9,
+        0x3ad8f2e,0x3481a1b,0x04b4fbd,0x2836733,0x0189ff5,0x3a5f533,
+        0x319a6cd,0x0f58667,0x00c3679 } },
+    /* 248 */
+    { { 0x1b85197,0x22426d4,0x2895ea3,0x342d324,0x3ffb17d,0x376cfcf,
+        0x30878b1,0x3c3c83a,0x0ffc57c,0x0ac174a,0x1abd57e,0x2f78b9c,
+        0x01b20d8,0x0a37103,0x007f2be },
+      { 0x19a2d48,0x137288a,0x182d655,0x0ba0dde,0x25130ba,0x01c65c6,
+        0x23205f1,0x2097621,0x2827cf2,0x2c57b98,0x03748f2,0x2db15fc,
+        0x385a0d4,0x13690c0,0x00a9e3f } },
+    /* 249 */
+    { { 0x3fbc9c6,0x2df3b20,0x377e33e,0x31d1505,0x024a311,0x3c1d9ff,
+        0x1377f74,0x00b6b20,0x2364ab7,0x184ab6b,0x2a77969,0x3f2db6c,
+        0x2a6adb7,0x0a10073,0x004a6fb },
+      { 0x1fc73de,0x2c74ab3,0x3d325e8,0x2346c0b,0x1d0efae,0x2076146,
+        0x19c190d,0x225c4fe,0x3fafc80,0x2cf063d,0x11b7ae7,0x3dc4f9d,
+        0x3c3f841,0x10d7c1f,0x000a4b3 } },
+    /* 250 */
+    { { 0x19b7d2e,0x28f1300,0x0b897dd,0x06b5371,0x0631c8d,0x336cc4f,
+        0x09cd6e1,0x2ec1952,0x1104c07,0x07512bb,0x35f000d,0x25f84e9,
+        0x1df4d8f,0x193f769,0x000e9ee },
+      { 0x2346910,0x267cecf,0x0ad7eaa,0x087e8a5,0x1622f69,0x342cbfa,
+        0x2aa20d0,0x206e88a,0x3991e58,0x093fb4b,0x0157180,0x3cecb5b,
+        0x2e17c9a,0x1ea371f,0x00919e6 } },
+    /* 251 */
+    { { 0x2250533,0x13f931d,0x3ef8c72,0x395f605,0x18a2080,0x1cb25d4,
+        0x2fb0f41,0x1c0ba8a,0x1eb17c0,0x266c433,0x09b7e3e,0x0e5d78f,
+        0x0cdc5bf,0x1f7c734,0x0020611 },
+      { 0x205ebd5,0x127986f,0x02c0fb0,0x1705b1e,0x1eb0bb5,0x2dffb42,
+        0x2331b8a,0x18fc04e,0x31d6328,0x17db162,0x0d3b619,0x193bdb9,
+        0x3f11662,0x2d8e694,0x0092c51 } },
+    /* 252 */
+    { { 0x08b364d,0x31ef20a,0x25c4a57,0x021ed07,0x14a562e,0x262a684,
+        0x1d21c66,0x126e5a6,0x181f3f8,0x2a93b65,0x1eb726b,0x08fbbce,
+        0x084f9a2,0x308f30a,0x0013159 },
+      { 0x23f4963,0x0c7960e,0x2a81739,0x2242b69,0x3965003,0x2aca542,
+        0x28a1c65,0x2ad48fb,0x149775f,0x1bbb7d2,0x0f2671b,0x3594b85,
+        0x22f5563,0x2470f13,0x00fed44 } },
+    /* 253 */
+    { { 0x0eb453e,0x3ab70fd,0x1a5b335,0x18f2b74,0x25ff74b,0x3612a46,
+        0x33d0d75,0x28cdda4,0x2b9b49b,0x22728fb,0x004c15b,0x1beb33b,
+        0x1a7e41f,0x0c9b702,0x004ef19 },
+      { 0x1ca3233,0x0b4c90f,0x1d4b53d,0x2428896,0x20ee405,0x151bc00,
+        0x022edb5,0x1adc463,0x00109ea,0x06490a6,0x30e91e6,0x3682b76,
+        0x23c50aa,0x3bd2665,0x005fe53 } },
+    /* 254 */
+    { { 0x0c28c65,0x3741ae4,0x247d372,0x0b04673,0x2176524,0x2c8bf20,
+        0x01fb806,0x3330701,0x307b0a7,0x3999fb7,0x1261bec,0x256679c,
+        0x3f22ac7,0x26e8673,0x00bc69d },
+      { 0x3c06819,0x35df344,0x379d009,0x2bb8a0a,0x0635a66,0x096c6fa,
+        0x1ac4a62,0x023e53b,0x0e45240,0x115f53d,0x3056af8,0x0a66b16,
+        0x3c386ee,0x1130e82,0x00cc384 } },
+    /* 255 */
+    { { 0x14c2356,0x190ec73,0x07be490,0x145d415,0x0740a48,0x1251301,
+        0x3eaf29d,0x2628190,0x079299a,0x26e95c9,0x2e05fdf,0x2ca7c5b,
+        0x32d7b48,0x3d84226,0x0033fb4 },
+      { 0x150f955,0x01240aa,0x3ddf867,0x137fb70,0x297e103,0x17eeda8,
+        0x1320b60,0x266ec84,0x13f4322,0x0c8f5ee,0x0590e4a,0x386815e,
+        0x00ce61f,0x161bd63,0x008e1d0 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_15(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_15(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[15];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_15(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 15, km);
+
+            err = sp_384_ecc_mulmod_base_15(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_15(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_15(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
+            a[8] | a[9] | a[10] | a[11] | a[12] | a[13] | a[14]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_add_one_15(sp_digit* a)
+{
+    a[0]++;
+    sp_384_norm_15(a);
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 18U) {
+            r[j] &= 0x3ffffff;
+            s = 26U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_15(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 15, buf, (int)sizeof(buf));
+            if (sp_384_cmp_15(k, p384_order2) < 0) {
+                sp_384_add_one_15(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[15];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_15(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_15(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_15(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_15(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_15(point->x) == 0) || (sp_384_iszero_15(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_15(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_15(infinity, 1, heap);
+#endif
+    sp_384_point_free_15(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<14; i++) {
+        r[i+1] += r[i] >> 26;
+        r[i] &= 0x3ffffff;
+    }
+    j = 384 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<15 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 26) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 26);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[15];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 15, priv);
+        sp_384_point_from_ecc_point_15(point, pub);
+            err = sp_384_ecc_mulmod_15(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_384_mul_d_15(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 15; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[15] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[15];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    t[ 7] = tb * a[ 7];
+    t[ 8] = tb * a[ 8];
+    t[ 9] = tb * a[ 9];
+    t[10] = tb * a[10];
+    t[11] = tb * a[11];
+    t[12] = tb * a[12];
+    t[13] = tb * a[13];
+    t[14] = tb * a[14];
+    r[ 0] =                           (t[ 0] & 0x3ffffff);
+    r[ 1] = (sp_digit)(t[ 0] >> 26) + (t[ 1] & 0x3ffffff);
+    r[ 2] = (sp_digit)(t[ 1] >> 26) + (t[ 2] & 0x3ffffff);
+    r[ 3] = (sp_digit)(t[ 2] >> 26) + (t[ 3] & 0x3ffffff);
+    r[ 4] = (sp_digit)(t[ 3] >> 26) + (t[ 4] & 0x3ffffff);
+    r[ 5] = (sp_digit)(t[ 4] >> 26) + (t[ 5] & 0x3ffffff);
+    r[ 6] = (sp_digit)(t[ 5] >> 26) + (t[ 6] & 0x3ffffff);
+    r[ 7] = (sp_digit)(t[ 6] >> 26) + (t[ 7] & 0x3ffffff);
+    r[ 8] = (sp_digit)(t[ 7] >> 26) + (t[ 8] & 0x3ffffff);
+    r[ 9] = (sp_digit)(t[ 8] >> 26) + (t[ 9] & 0x3ffffff);
+    r[10] = (sp_digit)(t[ 9] >> 26) + (t[10] & 0x3ffffff);
+    r[11] = (sp_digit)(t[10] >> 26) + (t[11] & 0x3ffffff);
+    r[12] = (sp_digit)(t[11] >> 26) + (t[12] & 0x3ffffff);
+    r[13] = (sp_digit)(t[12] >> 26) + (t[13] & 0x3ffffff);
+    r[14] = (sp_digit)(t[13] >> 26) + (t[14] & 0x3ffffff);
+    r[15] = (sp_digit)(t[14] >> 26);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_384_div_word_15(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 26 bits from d1 and top 5 bits from d0. */
+    d = (d1 << 5) | (d0 >> 21);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 6 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 16) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 11 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 11) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 16 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 6) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Next 5 bits from d0. */
+    r <<= 5;
+    d <<= 5;
+    d |= (d0 >> 1) & ((1 << 5) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 26 bits in r */
+    /* Remaining 1 bits from d0. */
+    r <<= 1;
+    d <<= 1;
+    d |= d0 & ((1 << 1) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_384_div_15(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[30], t2d[15 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 15 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 15;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[14];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 15U);
+        for (i=14; i>=0; i--) {
+            t1[15 + i] += t1[15 + i - 1] >> 26;
+            t1[15 + i - 1] &= 0x3ffffff;
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[15 + i];
+            d1 <<= 26;
+            d1 += t1[15 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_384_div_word_15(t1[15 + i], t1[15 + i - 1], dv);
+#endif
+
+            sp_384_mul_d_15(t2, d, r1);
+            (void)sp_384_sub_15(&t1[i], &t1[i], t2);
+            t1[15 + i] -= t2[15];
+            t1[15 + i] += t1[15 + i - 1] >> 26;
+            t1[15 + i - 1] &= 0x3ffffff;
+            r1 = (((-t1[15 + i]) << 26) - t1[15 + i - 1]) / dv;
+            r1++;
+            sp_384_mul_d_15(t2, d, r1);
+            (void)sp_384_add_15(&t1[i], &t1[i], t2);
+            t1[15 + i] += t1[15 + i - 1] >> 26;
+            t1[15 + i - 1] &= 0x3ffffff;
+        }
+        t1[15 - 1] += t1[15 - 2] >> 26;
+        t1[15 - 2] &= 0x3ffffff;
+        r1 = t1[15 - 1] / dv;
+
+        sp_384_mul_d_15(t2, d, r1);
+        (void)sp_384_sub_15(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 15U);
+        for (i=0; i<13; i++) {
+            r[i+1] += r[i] >> 26;
+            r[i] &= 0x3ffffff;
+        }
+        sp_384_cond_add_15(r, r, d, 0 - ((r[14] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_384_mod_15(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_15(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint32_t p384_order_minus_2[12] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint32_t p384_order_low[6] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_15(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_15(r, a, b);
+    sp_384_mont_reduce_order_15(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_15(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_15(r, a);
+    sp_384_mont_reduce_order_15(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_15(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_15(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_15(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_15(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 15);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_15(t, t);
+        if ((p384_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_15(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 15U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 15;
+    sp_digit* t3 = td + 4 * 15;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_15(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_15(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_15(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_15(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_15(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_15(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_15(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_15(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_15(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_15(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_15(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_15(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_15(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_15(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_15(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_15(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_15(t2, t2);
+        if (((sp_digit)p384_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_15(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_15(t2, t2);
+    sp_384_mont_mul_order_15(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*15];
+    sp_digit xd[2*15];
+    sp_digit kd[2*15];
+    sp_digit rd[2*15];
+    sp_digit td[3 * 2*15];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_15(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 15;
+        x = d + 2 * 15;
+        k = d + 4 * 15;
+        r = d + 6 * 15;
+        tmp = d + 8 * 15;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 15, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 15, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_15(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 15, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_15(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 15U);
+            sp_384_norm_15(r);
+            c = sp_384_cmp_15(r, p384_order);
+            sp_384_cond_sub_15(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_15(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_15(k, k, p384_norm_order);
+            err = sp_384_mod_15(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_15(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_15(kInv, k, tmp);
+            sp_384_norm_15(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_15(x, x, r);
+            err = sp_384_mod_15(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_15(x);
+            carry = sp_384_add_15(s, e, x);
+            sp_384_cond_sub_15(s, s, p384_order, 0 - carry);
+            sp_384_norm_15(s);
+            c = sp_384_cmp_15(s, p384_order);
+            sp_384_cond_sub_15(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_15(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_15(s, s, kInv);
+            sp_384_norm_15(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_15(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 15);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 15U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 15U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 15U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 15U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 15U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 15U);
+#endif
+    sp_384_point_free_15(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*15];
+    sp_digit u2d[2*15];
+    sp_digit sd[2*15];
+    sp_digit tmpd[2*15 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_384_point_new_15(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 15;
+        u2  = d + 2 * 15;
+        s   = d + 4 * 15;
+        tmp = d + 6 * 15;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 15, hash, (int)hashLen);
+        sp_384_from_mp(u2, 15, r);
+        sp_384_from_mp(s, 15, sm);
+        sp_384_from_mp(p2->x, 15, pX);
+        sp_384_from_mp(p2->y, 15, pY);
+        sp_384_from_mp(p2->z, 15, pZ);
+
+        {
+            sp_384_mul_15(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_15(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_15(s);
+        {
+            sp_384_mont_inv_order_15(s, s, tmp);
+            sp_384_mont_mul_order_15(u1, u1, s);
+            sp_384_mont_mul_order_15(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_15(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_15(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_15(p1, p1, p2, tmp);
+            if (sp_384_iszero_15(p1->z)) {
+                if (sp_384_iszero_15(p1->x) && sp_384_iszero_15(p1->y)) {
+                    sp_384_proj_point_dbl_15(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    p1->x[8] = 0;
+                    p1->x[9] = 0;
+                    p1->x[10] = 0;
+                    p1->x[11] = 0;
+                    p1->x[12] = 0;
+                    p1->x[13] = 0;
+                    p1->x[14] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 15, r);
+        err = sp_384_mod_mul_norm_15(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_15(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_15(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_15(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 15, r);
+            carry = sp_384_add_15(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_15(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_15(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_15(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_15(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_15(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_15(p1, 0, heap);
+    sp_384_point_free_15(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_15(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*15];
+    sp_digit t2d[2*15];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 15;
+        t2 = d + 2 * 15;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_15(t1, point->y);
+        (void)sp_384_mod_15(t1, t1, p384_mod);
+        sp_384_sqr_15(t2, point->x);
+        (void)sp_384_mod_15(t2, t2, p384_mod);
+        sp_384_mul_15(t2, t2, point->x);
+        (void)sp_384_mod_15(t2, t2, p384_mod);
+        (void)sp_384_sub_15(t2, p384_mod, t2);
+        sp_384_mont_add_15(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_15(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_15(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_15(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_15(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_15(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 15, pX);
+        sp_384_from_mp(pub->y, 15, pY);
+        sp_384_from_bin(pub->z, 15, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_15(pub, NULL);
+    }
+
+    sp_384_point_free_15(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[15];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_15(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 15, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 15, pX);
+        sp_384_from_mp(pub->y, 15, pY);
+        sp_384_from_bin(pub->z, 15, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 15, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_15(pub->x) != 0) &&
+            (sp_384_iszero_15(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_15(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_15(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_15(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_15(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_15(p->x) == 0) ||
+            (sp_384_iszero_15(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_15(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_15(p->x, pub->x) != 0 ||
+            sp_384_cmp_15(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(p, 0, heap);
+    sp_384_point_free_15(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 15 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_15(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_15(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 15, pX);
+        sp_384_from_mp(p->y, 15, pY);
+        sp_384_from_mp(p->z, 15, pZ);
+        sp_384_from_mp(q->x, 15, qX);
+        sp_384_from_mp(q->y, 15, qY);
+        sp_384_from_mp(q->z, 15, qZ);
+
+            sp_384_proj_point_add_15(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(q, 0, NULL);
+    sp_384_point_free_15(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 15 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_15(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 15, pX);
+        sp_384_from_mp(p->y, 15, pY);
+        sp_384_from_mp(p->z, 15, pZ);
+
+            sp_384_proj_point_dbl_15(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 15 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_15(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 15 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 15, pX);
+        sp_384_from_mp(p->y, 15, pY);
+        sp_384_from_mp(p->z, 15, pZ);
+
+        sp_384_map_15(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_15(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_15(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 15];
+    sp_digit t2d[2 * 15];
+    sp_digit t3d[2 * 15];
+    sp_digit t4d[2 * 15];
+    sp_digit t5d[2 * 15];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 15, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 15;
+        t2 = d + 2 * 15;
+        t3 = d + 4 * 15;
+        t4 = d + 6 * 15;
+        t5 = d + 8 * 15;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_15(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_15(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_15(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_15(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_15(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_15(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_15(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_15(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_15(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_15(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_15(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_15(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_15(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_15(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_15(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_15(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_15(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_15(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_15(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_15(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_15(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_15(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_15(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_15(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_15(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_15(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_15(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 15];
+    sp_digit yd[2 * 15];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 15, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 15;
+        y = d + 2 * 15;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 15, xm);
+        err = sp_384_mod_mul_norm_15(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_15(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_15(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_15(y, y, x, p384_mod);
+        sp_384_mont_sub_15(y, y, x, p384_mod);
+        sp_384_mont_sub_15(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_15(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_15(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_15(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 15, 0, 15U * sizeof(sp_digit));
+        sp_384_mont_reduce_15(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_15(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* SP_WORD_SIZE == 32 */
+#endif /* !WOLFSSL_SP_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c64.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c64.c
new file mode 100644
index 000000000..9038173ed
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_c64.c
@@ -0,0 +1,23220 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef SP_RSA_PRIVATE_EXP_D
+#define SP_RSA_PRIVATE_EXP_D
+#endif
+
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifndef WOLFSSL_SP_ASM
+#if SP_WORD_SIZE == 64
+#if (defined(WOLFSSL_SP_CACHE_RESISTANT) || defined(WOLFSSL_SP_SMALL)) &&              (defined(WOLFSSL_HAVE_SP_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Mask for address to obfuscate which of the two address will be used. */
+static const size_t addr_mask[2] = { 0, (size_t)-1 };
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 49U) {
+            r[j] &= 0x1ffffffffffffffL;
+            s = 57U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 57
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 57
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x1ffffffffffffffL;
+        s = 57U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 57U) <= (word32)DIGIT_BIT) {
+            s += 57U;
+            r[j] &= 0x1ffffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 57) {
+            r[j] &= 0x1ffffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 57 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<35; i++) {
+        r[i+1] += r[i] >> 57;
+        r[i] &= 0x1ffffffffffffffL;
+    }
+    j = 2048 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<36 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 57) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 57);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_9(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int128_t t0   = ((int128_t)a[ 0]) * b[ 0];
+    int128_t t1   = ((int128_t)a[ 0]) * b[ 1]
+                 + ((int128_t)a[ 1]) * b[ 0];
+    int128_t t2   = ((int128_t)a[ 0]) * b[ 2]
+                 + ((int128_t)a[ 1]) * b[ 1]
+                 + ((int128_t)a[ 2]) * b[ 0];
+    int128_t t3   = ((int128_t)a[ 0]) * b[ 3]
+                 + ((int128_t)a[ 1]) * b[ 2]
+                 + ((int128_t)a[ 2]) * b[ 1]
+                 + ((int128_t)a[ 3]) * b[ 0];
+    int128_t t4   = ((int128_t)a[ 0]) * b[ 4]
+                 + ((int128_t)a[ 1]) * b[ 3]
+                 + ((int128_t)a[ 2]) * b[ 2]
+                 + ((int128_t)a[ 3]) * b[ 1]
+                 + ((int128_t)a[ 4]) * b[ 0];
+    int128_t t5   = ((int128_t)a[ 0]) * b[ 5]
+                 + ((int128_t)a[ 1]) * b[ 4]
+                 + ((int128_t)a[ 2]) * b[ 3]
+                 + ((int128_t)a[ 3]) * b[ 2]
+                 + ((int128_t)a[ 4]) * b[ 1]
+                 + ((int128_t)a[ 5]) * b[ 0];
+    int128_t t6   = ((int128_t)a[ 0]) * b[ 6]
+                 + ((int128_t)a[ 1]) * b[ 5]
+                 + ((int128_t)a[ 2]) * b[ 4]
+                 + ((int128_t)a[ 3]) * b[ 3]
+                 + ((int128_t)a[ 4]) * b[ 2]
+                 + ((int128_t)a[ 5]) * b[ 1]
+                 + ((int128_t)a[ 6]) * b[ 0];
+    int128_t t7   = ((int128_t)a[ 0]) * b[ 7]
+                 + ((int128_t)a[ 1]) * b[ 6]
+                 + ((int128_t)a[ 2]) * b[ 5]
+                 + ((int128_t)a[ 3]) * b[ 4]
+                 + ((int128_t)a[ 4]) * b[ 3]
+                 + ((int128_t)a[ 5]) * b[ 2]
+                 + ((int128_t)a[ 6]) * b[ 1]
+                 + ((int128_t)a[ 7]) * b[ 0];
+    int128_t t8   = ((int128_t)a[ 0]) * b[ 8]
+                 + ((int128_t)a[ 1]) * b[ 7]
+                 + ((int128_t)a[ 2]) * b[ 6]
+                 + ((int128_t)a[ 3]) * b[ 5]
+                 + ((int128_t)a[ 4]) * b[ 4]
+                 + ((int128_t)a[ 5]) * b[ 3]
+                 + ((int128_t)a[ 6]) * b[ 2]
+                 + ((int128_t)a[ 7]) * b[ 1]
+                 + ((int128_t)a[ 8]) * b[ 0];
+    int128_t t9   = ((int128_t)a[ 1]) * b[ 8]
+                 + ((int128_t)a[ 2]) * b[ 7]
+                 + ((int128_t)a[ 3]) * b[ 6]
+                 + ((int128_t)a[ 4]) * b[ 5]
+                 + ((int128_t)a[ 5]) * b[ 4]
+                 + ((int128_t)a[ 6]) * b[ 3]
+                 + ((int128_t)a[ 7]) * b[ 2]
+                 + ((int128_t)a[ 8]) * b[ 1];
+    int128_t t10  = ((int128_t)a[ 2]) * b[ 8]
+                 + ((int128_t)a[ 3]) * b[ 7]
+                 + ((int128_t)a[ 4]) * b[ 6]
+                 + ((int128_t)a[ 5]) * b[ 5]
+                 + ((int128_t)a[ 6]) * b[ 4]
+                 + ((int128_t)a[ 7]) * b[ 3]
+                 + ((int128_t)a[ 8]) * b[ 2];
+    int128_t t11  = ((int128_t)a[ 3]) * b[ 8]
+                 + ((int128_t)a[ 4]) * b[ 7]
+                 + ((int128_t)a[ 5]) * b[ 6]
+                 + ((int128_t)a[ 6]) * b[ 5]
+                 + ((int128_t)a[ 7]) * b[ 4]
+                 + ((int128_t)a[ 8]) * b[ 3];
+    int128_t t12  = ((int128_t)a[ 4]) * b[ 8]
+                 + ((int128_t)a[ 5]) * b[ 7]
+                 + ((int128_t)a[ 6]) * b[ 6]
+                 + ((int128_t)a[ 7]) * b[ 5]
+                 + ((int128_t)a[ 8]) * b[ 4];
+    int128_t t13  = ((int128_t)a[ 5]) * b[ 8]
+                 + ((int128_t)a[ 6]) * b[ 7]
+                 + ((int128_t)a[ 7]) * b[ 6]
+                 + ((int128_t)a[ 8]) * b[ 5];
+    int128_t t14  = ((int128_t)a[ 6]) * b[ 8]
+                 + ((int128_t)a[ 7]) * b[ 7]
+                 + ((int128_t)a[ 8]) * b[ 6];
+    int128_t t15  = ((int128_t)a[ 7]) * b[ 8]
+                 + ((int128_t)a[ 8]) * b[ 7];
+    int128_t t16  = ((int128_t)a[ 8]) * b[ 8];
+
+    t1   += t0  >> 57; r[ 0] = t0  & 0x1ffffffffffffffL;
+    t2   += t1  >> 57; r[ 1] = t1  & 0x1ffffffffffffffL;
+    t3   += t2  >> 57; r[ 2] = t2  & 0x1ffffffffffffffL;
+    t4   += t3  >> 57; r[ 3] = t3  & 0x1ffffffffffffffL;
+    t5   += t4  >> 57; r[ 4] = t4  & 0x1ffffffffffffffL;
+    t6   += t5  >> 57; r[ 5] = t5  & 0x1ffffffffffffffL;
+    t7   += t6  >> 57; r[ 6] = t6  & 0x1ffffffffffffffL;
+    t8   += t7  >> 57; r[ 7] = t7  & 0x1ffffffffffffffL;
+    t9   += t8  >> 57; r[ 8] = t8  & 0x1ffffffffffffffL;
+    t10  += t9  >> 57; r[ 9] = t9  & 0x1ffffffffffffffL;
+    t11  += t10 >> 57; r[10] = t10 & 0x1ffffffffffffffL;
+    t12  += t11 >> 57; r[11] = t11 & 0x1ffffffffffffffL;
+    t13  += t12 >> 57; r[12] = t12 & 0x1ffffffffffffffL;
+    t14  += t13 >> 57; r[13] = t13 & 0x1ffffffffffffffL;
+    t15  += t14 >> 57; r[14] = t14 & 0x1ffffffffffffffL;
+    t16  += t15 >> 57; r[15] = t15 & 0x1ffffffffffffffL;
+    r[17] = (sp_digit)(t16 >> 57);
+                       r[16] = t16 & 0x1ffffffffffffffL;
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_9(sp_digit* r, const sp_digit* a)
+{
+    int128_t t0   =  ((int128_t)a[ 0]) * a[ 0];
+    int128_t t1   = (((int128_t)a[ 0]) * a[ 1]) * 2;
+    int128_t t2   = (((int128_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int128_t)a[ 1]) * a[ 1];
+    int128_t t3   = (((int128_t)a[ 0]) * a[ 3]
+                 +  ((int128_t)a[ 1]) * a[ 2]) * 2;
+    int128_t t4   = (((int128_t)a[ 0]) * a[ 4]
+                 +  ((int128_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int128_t)a[ 2]) * a[ 2];
+    int128_t t5   = (((int128_t)a[ 0]) * a[ 5]
+                 +  ((int128_t)a[ 1]) * a[ 4]
+                 +  ((int128_t)a[ 2]) * a[ 3]) * 2;
+    int128_t t6   = (((int128_t)a[ 0]) * a[ 6]
+                 +  ((int128_t)a[ 1]) * a[ 5]
+                 +  ((int128_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int128_t)a[ 3]) * a[ 3];
+    int128_t t7   = (((int128_t)a[ 0]) * a[ 7]
+                 +  ((int128_t)a[ 1]) * a[ 6]
+                 +  ((int128_t)a[ 2]) * a[ 5]
+                 +  ((int128_t)a[ 3]) * a[ 4]) * 2;
+    int128_t t8   = (((int128_t)a[ 0]) * a[ 8]
+                 +  ((int128_t)a[ 1]) * a[ 7]
+                 +  ((int128_t)a[ 2]) * a[ 6]
+                 +  ((int128_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int128_t)a[ 4]) * a[ 4];
+    int128_t t9   = (((int128_t)a[ 1]) * a[ 8]
+                 +  ((int128_t)a[ 2]) * a[ 7]
+                 +  ((int128_t)a[ 3]) * a[ 6]
+                 +  ((int128_t)a[ 4]) * a[ 5]) * 2;
+    int128_t t10  = (((int128_t)a[ 2]) * a[ 8]
+                 +  ((int128_t)a[ 3]) * a[ 7]
+                 +  ((int128_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int128_t)a[ 5]) * a[ 5];
+    int128_t t11  = (((int128_t)a[ 3]) * a[ 8]
+                 +  ((int128_t)a[ 4]) * a[ 7]
+                 +  ((int128_t)a[ 5]) * a[ 6]) * 2;
+    int128_t t12  = (((int128_t)a[ 4]) * a[ 8]
+                 +  ((int128_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int128_t)a[ 6]) * a[ 6];
+    int128_t t13  = (((int128_t)a[ 5]) * a[ 8]
+                 +  ((int128_t)a[ 6]) * a[ 7]) * 2;
+    int128_t t14  = (((int128_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int128_t)a[ 7]) * a[ 7];
+    int128_t t15  = (((int128_t)a[ 7]) * a[ 8]) * 2;
+    int128_t t16  =  ((int128_t)a[ 8]) * a[ 8];
+
+    t1   += t0  >> 57; r[ 0] = t0  & 0x1ffffffffffffffL;
+    t2   += t1  >> 57; r[ 1] = t1  & 0x1ffffffffffffffL;
+    t3   += t2  >> 57; r[ 2] = t2  & 0x1ffffffffffffffL;
+    t4   += t3  >> 57; r[ 3] = t3  & 0x1ffffffffffffffL;
+    t5   += t4  >> 57; r[ 4] = t4  & 0x1ffffffffffffffL;
+    t6   += t5  >> 57; r[ 5] = t5  & 0x1ffffffffffffffL;
+    t7   += t6  >> 57; r[ 6] = t6  & 0x1ffffffffffffffL;
+    t8   += t7  >> 57; r[ 7] = t7  & 0x1ffffffffffffffL;
+    t9   += t8  >> 57; r[ 8] = t8  & 0x1ffffffffffffffL;
+    t10  += t9  >> 57; r[ 9] = t9  & 0x1ffffffffffffffL;
+    t11  += t10 >> 57; r[10] = t10 & 0x1ffffffffffffffL;
+    t12  += t11 >> 57; r[11] = t11 & 0x1ffffffffffffffL;
+    t13  += t12 >> 57; r[12] = t12 & 0x1ffffffffffffffL;
+    t14  += t13 >> 57; r[13] = t13 & 0x1ffffffffffffffL;
+    t15  += t14 >> 57; r[14] = t14 & 0x1ffffffffffffffL;
+    t16  += t15 >> 57; r[15] = t15 & 0x1ffffffffffffffL;
+    r[17] = (sp_digit)(t16 >> 57);
+                       r[16] = t16 & 0x1ffffffffffffffL;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_9(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[16] = a[16] + b[16];
+    r[17] = a[17] + b[17];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[16] = a[16] - b[16];
+    r[17] = a[17] - b[17];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_18(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[18];
+    sp_digit* a1 = z1;
+    sp_digit b1[9];
+    sp_digit* z2 = r + 18;
+    (void)sp_2048_add_9(a1, a, &a[9]);
+    (void)sp_2048_add_9(b1, b, &b[9]);
+    sp_2048_mul_9(z2, &a[9], &b[9]);
+    sp_2048_mul_9(z0, a, b);
+    sp_2048_mul_9(z1, a1, b1);
+    (void)sp_2048_sub_18(z1, z1, z2);
+    (void)sp_2048_sub_18(z1, z1, z0);
+    (void)sp_2048_add_18(r + 9, r + 9, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_18(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[18];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 18;
+    (void)sp_2048_add_9(a1, a, &a[9]);
+    sp_2048_sqr_9(z2, &a[9]);
+    sp_2048_sqr_9(z0, a);
+    sp_2048_sqr_9(z1, a1);
+    (void)sp_2048_sub_18(z1, z1, z2);
+    (void)sp_2048_sub_18(z1, z1, z0);
+    (void)sp_2048_add_18(r + 9, r + 9, z1);
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[32] = a[32] + b[32];
+    r[33] = a[33] + b[33];
+    r[34] = a[34] + b[34];
+    r[35] = a[35] + b[35];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[32] = a[32] - b[32];
+    r[33] = a[33] - b[33];
+    r[34] = a[34] - b[34];
+    r[35] = a[35] - b[35];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_36(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[36];
+    sp_digit* a1 = z1;
+    sp_digit b1[18];
+    sp_digit* z2 = r + 36;
+    (void)sp_2048_add_18(a1, a, &a[18]);
+    (void)sp_2048_add_18(b1, b, &b[18]);
+    sp_2048_mul_18(z2, &a[18], &b[18]);
+    sp_2048_mul_18(z0, a, b);
+    sp_2048_mul_18(z1, a1, b1);
+    (void)sp_2048_sub_36(z1, z1, z2);
+    (void)sp_2048_sub_36(z1, z1, z0);
+    (void)sp_2048_add_36(r + 18, r + 18, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_36(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[36];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 36;
+    (void)sp_2048_add_18(a1, a, &a[18]);
+    sp_2048_sqr_18(z2, &a[18]);
+    sp_2048_sqr_18(z0, a);
+    sp_2048_sqr_18(z1, a1);
+    (void)sp_2048_sub_36(z1, z1, z2);
+    (void)sp_2048_sub_36(z1, z1, z0);
+    (void)sp_2048_add_36(r + 18, r + 18, z1);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_36(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[35]) * b[35];
+    r[71] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 69; k >= 0; k--) {
+        for (i = 35; i >= 0; i--) {
+            j = k - i;
+            if (j >= 36) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_36(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[35]) * a[35];
+    r[71] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 69; k >= 0; k--) {
+        for (i = 35; i >= 0; i--) {
+            j = k - i;
+            if (j >= 36 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_18(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[17]) * b[17];
+    r[35] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 33; k >= 0; k--) {
+        for (i = 17; i >= 0; i--) {
+            j = k - i;
+            if (j >= 18) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_18(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[17]) * a[17];
+    r[35] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 33; k >= 0; k--) {
+        for (i = 17; i >= 0; i--) {
+            j = k - i;
+            if (j >= 18 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+    x &= 0x1ffffffffffffffL;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 57) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_d_36(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[36] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffL;
+    for (i = 0; i < 32; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffL);
+    }
+    t[1] = tb * a[33];
+    r[33] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+    t[2] = tb * a[34];
+    r[34] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+    t[3] = tb * a[35];
+    r[35] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+    r[36] =  (sp_digit)(t[3] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_18(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<17; i++) {
+        r[i] = 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = 0x1ffffffffffffffL;
+        r[i + 1] = 0x1ffffffffffffffL;
+        r[i + 2] = 0x1ffffffffffffffL;
+        r[i + 3] = 0x1ffffffffffffffL;
+        r[i + 4] = 0x1ffffffffffffffL;
+        r[i + 5] = 0x1ffffffffffffffL;
+        r[i + 6] = 0x1ffffffffffffffL;
+        r[i + 7] = 0x1ffffffffffffffL;
+    }
+    r[16] = 0x1ffffffffffffffL;
+#endif
+    r[17] = 0x7fffffffffffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_2048_sub_18(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_2048_cmp_18(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=17; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[17] - b[17]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[16] - b[16]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 8; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_sub_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[16] = a[16] - (b[16] & m);
+    r[17] = a[17] - (b[17] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[18] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
+    for (i = 0; i < 16; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
+    }
+    t[1] = tb * a[17]; r[17] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+    r[18] +=  (sp_digit)(t[1] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 57.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_2048_norm_18(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 17; i++) {
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 16; i += 8) {
+        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
+        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
+        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
+        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
+        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
+        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
+        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
+        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
+        a[i+9] += a[i+8] >> 57; a[i+8] &= 0x1ffffffffffffffL;
+    }
+    a[16+1] += a[16] >> 57;
+    a[16] &= 0x1ffffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 1024 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_2048_mont_shift_18(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    word64 n;
+
+    n = a[17] >> 55;
+    for (i = 0; i < 17; i++) {
+        n += (word64)a[18 + i] << 2;
+        r[i] = n & 0x1ffffffffffffffL;
+        n >>= 57;
+    }
+    n += (word64)a[35] << 2;
+    r[17] = n;
+#else
+    word64 n;
+    int i;
+
+    n  = (word64)a[17];
+    n  = n >> 55U;
+    for (i = 0; i < 16; i += 8) {
+        n += (word64)a[i+18] << 2U; r[i+0] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+19] << 2U; r[i+1] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+20] << 2U; r[i+2] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+21] << 2U; r[i+3] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+22] << 2U; r[i+4] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+23] << 2U; r[i+5] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+24] << 2U; r[i+6] = n & 0x1ffffffffffffffUL; n >>= 57U;
+        n += (word64)a[i+25] << 2U; r[i+7] = n & 0x1ffffffffffffffUL; n >>= 57U;
+    }
+    n += (word64)a[34] << 2U; r[16] = n & 0x1ffffffffffffffUL; n >>= 57U;
+    n += (word64)a[35] << 2U; r[17] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[18], 0, sizeof(*r) * 18U);
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_2048_mont_reduce_18(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_2048_norm_18(a + 18);
+
+    for (i=0; i<17; i++) {
+        mu = (a[i] * mp) & 0x1ffffffffffffffL;
+        sp_2048_mul_add_18(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+    }
+    mu = (a[i] * mp) & 0x7fffffffffffffL;
+    sp_2048_mul_add_18(a+i, m, mu);
+    a[i+1] += a[i] >> 57;
+    a[i] &= 0x1ffffffffffffffL;
+
+    sp_2048_mont_shift_18(a, a);
+    sp_2048_cond_sub_18(a, a, m, 0 - (((a[17] >> 55) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_2048_norm_18(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_18(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_18(r, a, b);
+    sp_2048_mont_reduce_18(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_18(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_18(r, a);
+    sp_2048_mont_reduce_18(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_d_18(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[18] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffL;
+    for (i = 0; i < 16; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffL);
+    }
+    t[1] = tb * a[17];
+    r[17] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+    r[18] =  (sp_digit)(t[1] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[16] = a[16] + (b[16] & m);
+    r[17] = a[17] + (b[17] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 18; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_2048_div_word_18(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 57 bits from d1 and top 6 bits from d0. */
+    d = (d1 << 6) | (d0 >> 51);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 7 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 45) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 13 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 39) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 19 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 33) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 25 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 27) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 21) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 37 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 15) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 43 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 9) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 49 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 3) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 55 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_div_18(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[36], t2d[18 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 18 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 18;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[17];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 18U);
+        for (i=17; i>=0; i--) {
+            t1[18 + i] += t1[18 + i - 1] >> 57;
+            t1[18 + i - 1] &= 0x1ffffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[18 + i];
+            d1 <<= 57;
+            d1 += t1[18 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_2048_div_word_18(t1[18 + i], t1[18 + i - 1], dv);
+#endif
+
+            sp_2048_mul_d_18(t2, d, r1);
+            (void)sp_2048_sub_18(&t1[i], &t1[i], t2);
+            t1[18 + i] -= t2[18];
+            t1[18 + i] += t1[18 + i - 1] >> 57;
+            t1[18 + i - 1] &= 0x1ffffffffffffffL;
+            r1 = (((-t1[18 + i]) << 57) - t1[18 + i - 1]) / dv;
+            r1++;
+            sp_2048_mul_d_18(t2, d, r1);
+            (void)sp_2048_add_18(&t1[i], &t1[i], t2);
+            t1[18 + i] += t1[18 + i - 1] >> 57;
+            t1[18 + i - 1] &= 0x1ffffffffffffffL;
+        }
+        t1[18 - 1] += t1[18 - 2] >> 57;
+        t1[18 - 2] &= 0x1ffffffffffffffL;
+        r1 = t1[18 - 1] / dv;
+
+        sp_2048_mul_d_18(t2, d, r1);
+        (void)sp_2048_sub_18(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 18U);
+        for (i=0; i<16; i++) {
+            r[i+1] += r[i] >> 57;
+            r[i] &= 0x1ffffffffffffffL;
+        }
+        sp_2048_cond_add_18(r, r, d, 0 - ((r[17] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_mod_18(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_18(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_18(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 18 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 18U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[18 * 2];
+        t[2] = &td[2 * 18 * 2];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_18(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_18(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 18U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_18(t[1], t[1], norm);
+        err = sp_2048_mod_18(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_18(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 18 * 2);
+            sp_2048_mont_sqr_18(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 18 * 2);
+        }
+
+        sp_2048_mont_reduce_18(t[0], m, mp);
+        n = sp_2048_cmp_18(t[0], m);
+        sp_2048_cond_sub_18(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 18 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][36];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 18 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[18 * 2];
+        t[2] = &td[2 * 18 * 2];
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_18(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_18(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_18(t[1], t[1], norm);
+                err = sp_2048_mod_18(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_18(t[1], a, norm);
+            err = sp_2048_mod_18(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_18(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_2048_mont_sqr_18(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_2048_mont_reduce_18(t[0], m, mp);
+        n = sp_2048_cmp_18(t[0], m);
+        sp_2048_cond_sub_18(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][36];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[36];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 36, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 36;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_18(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_18(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_18(t[1], t[1], norm);
+                err = sp_2048_mod_18(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_18(t[1], a, norm);
+            err = sp_2048_mod_18(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_18(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_18(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_18(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_18(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_18(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_18(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_18(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_18(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_18(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_18(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_18(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_18(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_18(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_18(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_18(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_18(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_18(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_18(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_18(t[20], t[10], m, mp);
+        sp_2048_mont_mul_18(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_18(t[22], t[11], m, mp);
+        sp_2048_mont_mul_18(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_18(t[24], t[12], m, mp);
+        sp_2048_mont_mul_18(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_18(t[26], t[13], m, mp);
+        sp_2048_mont_mul_18(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_18(t[28], t[14], m, mp);
+        sp_2048_mont_mul_18(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_18(t[30], t[15], m, mp);
+        sp_2048_mont_mul_18(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 18) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_2048_mont_sqr_18(rt, rt, m, mp);
+            sp_2048_mont_sqr_18(rt, rt, m, mp);
+            sp_2048_mont_sqr_18(rt, rt, m, mp);
+            sp_2048_mont_sqr_18(rt, rt, m, mp);
+            sp_2048_mont_sqr_18(rt, rt, m, mp);
+
+            sp_2048_mont_mul_18(rt, rt, t[y], m, mp);
+        }
+
+        sp_2048_mont_reduce_18(rt, m, mp);
+        n = sp_2048_cmp_18(rt, m);
+        sp_2048_cond_sub_18(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_36(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<35; i++) {
+        r[i] = 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = 0x1ffffffffffffffL;
+        r[i + 1] = 0x1ffffffffffffffL;
+        r[i + 2] = 0x1ffffffffffffffL;
+        r[i + 3] = 0x1ffffffffffffffL;
+        r[i + 4] = 0x1ffffffffffffffL;
+        r[i + 5] = 0x1ffffffffffffffL;
+        r[i + 6] = 0x1ffffffffffffffL;
+        r[i + 7] = 0x1ffffffffffffffL;
+    }
+    r[32] = 0x1ffffffffffffffL;
+    r[33] = 0x1ffffffffffffffL;
+    r[34] = 0x1ffffffffffffffL;
+#endif
+    r[35] = 0x1fffffffffffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_2048_sub_36(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_2048_cmp_36(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=35; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[35] - b[35]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[34] - b[34]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[33] - b[33]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[32] - b[32]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 24; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_sub_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[32] = a[32] - (b[32] & m);
+    r[33] = a[33] - (b[33] & m);
+    r[34] = a[34] - (b[34] & m);
+    r[35] = a[35] - (b[35] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_2048_mul_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[36] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
+    for (i = 0; i < 32; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
+    }
+    t[1] = tb * a[33]; r[33] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+    t[2] = tb * a[34]; r[34] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+    t[3] = tb * a[35]; r[35] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+    r[36] +=  (sp_digit)(t[3] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 57.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_2048_norm_36(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 35; i++) {
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 32; i += 8) {
+        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
+        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
+        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
+        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
+        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
+        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
+        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
+        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
+        a[i+9] += a[i+8] >> 57; a[i+8] &= 0x1ffffffffffffffL;
+    }
+    a[32+1] += a[32] >> 57;
+    a[32] &= 0x1ffffffffffffffL;
+    a[33+1] += a[33] >> 57;
+    a[33] &= 0x1ffffffffffffffL;
+    a[34+1] += a[34] >> 57;
+    a[34] &= 0x1ffffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 2048 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_2048_mont_shift_36(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    sp_digit n, s;
+
+    s = a[36];
+    n = a[35] >> 53;
+    for (i = 0; i < 35; i++) {
+        n += (s & 0x1ffffffffffffffL) << 4;
+        r[i] = n & 0x1ffffffffffffffL;
+        n >>= 57;
+        s = a[37 + i] + (s >> 57);
+    }
+    n += s << 4;
+    r[35] = n;
+#else
+    sp_digit n, s;
+    int i;
+
+    s = a[36]; n = a[35] >> 53;
+    for (i = 0; i < 32; i += 8) {
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+0] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+37] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+1] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+38] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+2] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+39] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+3] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+40] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+4] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+41] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+5] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+42] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+6] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+43] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 4; r[i+7] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+44] + (s >> 57);
+    }
+    n += (s & 0x1ffffffffffffffL) << 4; r[32] = n & 0x1ffffffffffffffL;
+    n >>= 57; s = a[69] + (s >> 57);
+    n += (s & 0x1ffffffffffffffL) << 4; r[33] = n & 0x1ffffffffffffffL;
+    n >>= 57; s = a[70] + (s >> 57);
+    n += (s & 0x1ffffffffffffffL) << 4; r[34] = n & 0x1ffffffffffffffL;
+    n >>= 57; s = a[71] + (s >> 57);
+    n += s << 4;              r[35] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[36], 0, sizeof(*r) * 36U);
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_2048_mont_reduce_36(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_2048_norm_36(a + 36);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<35; i++) {
+            mu = (a[i] * mp) & 0x1ffffffffffffffL;
+            sp_2048_mul_add_36(a+i, m, mu);
+            a[i+1] += a[i] >> 57;
+        }
+        mu = (a[i] * mp) & 0x1fffffffffffffL;
+        sp_2048_mul_add_36(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+    else {
+        for (i=0; i<35; i++) {
+            mu = a[i] & 0x1ffffffffffffffL;
+            sp_2048_mul_add_36(a+i, m, mu);
+            a[i+1] += a[i] >> 57;
+        }
+        mu = a[i] & 0x1fffffffffffffL;
+        sp_2048_mul_add_36(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    for (i=0; i<35; i++) {
+        mu = (a[i] * mp) & 0x1ffffffffffffffL;
+        sp_2048_mul_add_36(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+    }
+    mu = (a[i] * mp) & 0x1fffffffffffffL;
+    sp_2048_mul_add_36(a+i, m, mu);
+    a[i+1] += a[i] >> 57;
+    a[i] &= 0x1ffffffffffffffL;
+#endif
+
+    sp_2048_mont_shift_36(a, a);
+    sp_2048_cond_sub_36(a, a, m, 0 - (((a[35] >> 53) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_2048_norm_36(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_36(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_36(r, a, b);
+    sp_2048_mont_reduce_36(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_36(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_36(r, a);
+    sp_2048_mont_reduce_36(r, m, mp);
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_2048_cond_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[32] = a[32] + (b[32] & m);
+    r[33] = a[33] + (b[33] & m);
+    r[34] = a[34] + (b[34] & m);
+    r[35] = a[35] + (b[35] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_sub_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_2048_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 36; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_2048_div_word_36(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 57 bits from d1 and top 6 bits from d0. */
+    d = (d1 << 6) | (d0 >> 51);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 7 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 45) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 13 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 39) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 19 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 33) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 25 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 27) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 21) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 37 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 15) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 43 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 9) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 49 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 3) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 55 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_div_36(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[72], t2d[36 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 36 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 36;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[35];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 36U);
+        for (i=35; i>=0; i--) {
+            t1[36 + i] += t1[36 + i - 1] >> 57;
+            t1[36 + i - 1] &= 0x1ffffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[36 + i];
+            d1 <<= 57;
+            d1 += t1[36 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_2048_div_word_36(t1[36 + i], t1[36 + i - 1], dv);
+#endif
+
+            sp_2048_mul_d_36(t2, d, r1);
+            (void)sp_2048_sub_36(&t1[i], &t1[i], t2);
+            t1[36 + i] -= t2[36];
+            t1[36 + i] += t1[36 + i - 1] >> 57;
+            t1[36 + i - 1] &= 0x1ffffffffffffffL;
+            r1 = (((-t1[36 + i]) << 57) - t1[36 + i - 1]) / dv;
+            r1++;
+            sp_2048_mul_d_36(t2, d, r1);
+            (void)sp_2048_add_36(&t1[i], &t1[i], t2);
+            t1[36 + i] += t1[36 + i - 1] >> 57;
+            t1[36 + i - 1] &= 0x1ffffffffffffffL;
+        }
+        t1[36 - 1] += t1[36 - 2] >> 57;
+        t1[36 - 2] &= 0x1ffffffffffffffL;
+        r1 = t1[36 - 1] / dv;
+
+        sp_2048_mul_d_36(t2, d, r1);
+        (void)sp_2048_sub_36(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 36U);
+        for (i=0; i<34; i++) {
+            r[i+1] += r[i] >> 57;
+            r[i] &= 0x1ffffffffffffffL;
+        }
+        sp_2048_cond_add_36(r, r, d, 0 - ((r[35] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_2048_mod_36(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_36(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_36(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 36 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 36U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[36 * 2];
+        t[2] = &td[2 * 36 * 2];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_36(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_36(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 36U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_36(t[1], t[1], norm);
+        err = sp_2048_mod_36(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_36(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 36 * 2);
+            sp_2048_mont_sqr_36(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 36 * 2);
+        }
+
+        sp_2048_mont_reduce_36(t[0], m, mp);
+        n = sp_2048_cmp_36(t[0], m);
+        sp_2048_cond_sub_36(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 36 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][72];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 36 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[36 * 2];
+        t[2] = &td[2 * 36 * 2];
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_36(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_36(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_36(t[1], t[1], norm);
+                err = sp_2048_mod_36(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_36(t[1], a, norm);
+            err = sp_2048_mod_36(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_2048_mont_mul_36(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_2048_mont_sqr_36(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_2048_mont_reduce_36(t[0], m, mp);
+        n = sp_2048_cmp_36(t[0], m);
+        sp_2048_cond_sub_36(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][72];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[72];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 72, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 72;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_36(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_2048_mod_36(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_36(t[1], t[1], norm);
+                err = sp_2048_mod_36(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_2048_mul_36(t[1], a, norm);
+            err = sp_2048_mod_36(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_36(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_36(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_36(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_36(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_36(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_36(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_36(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_36(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_36(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_36(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_36(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_36(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_36(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_36(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_36(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_36(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_36(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_36(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_36(t[20], t[10], m, mp);
+        sp_2048_mont_mul_36(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_36(t[22], t[11], m, mp);
+        sp_2048_mont_mul_36(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_36(t[24], t[12], m, mp);
+        sp_2048_mont_mul_36(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_36(t[26], t[13], m, mp);
+        sp_2048_mont_mul_36(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_36(t[28], t[14], m, mp);
+        sp_2048_mont_mul_36(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_36(t[30], t[15], m, mp);
+        sp_2048_mont_mul_36(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 36) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_2048_mont_sqr_36(rt, rt, m, mp);
+            sp_2048_mont_sqr_36(rt, rt, m, mp);
+            sp_2048_mont_sqr_36(rt, rt, m, mp);
+            sp_2048_mont_sqr_36(rt, rt, m, mp);
+            sp_2048_mont_sqr_36(rt, rt, m, mp);
+
+            sp_2048_mont_mul_36(rt, rt, t[y], m, mp);
+        }
+
+        sp_2048_mont_reduce_36(rt, m, mp);
+        n = sp_2048_cmp_36(rt, m);
+        sp_2048_cond_sub_36(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 57) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 36 * 2;
+        m = r + 36 * 2;
+        norm = r;
+
+        sp_2048_from_bin(a, 36, in, inLen);
+#if DIGIT_BIT >= 57
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 36, mm);
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_36(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_mul_36(a, a, norm);
+        err = sp_2048_mod_36(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=56; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 36 * 2);
+        for (i--; i>=0; i--) {
+            sp_2048_mont_sqr_36(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_2048_mont_mul_36(r, r, a, m, mp);
+            }
+        }
+        sp_2048_mont_reduce_36(r, m, mp);
+        mp = sp_2048_cmp_36(r, m);
+        sp_2048_cond_sub_36(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[72], md[36], rd[72];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 57) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 36 * 2;
+        m = r + 36 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 36, in, inLen);
+#if DIGIT_BIT >= 57
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 36, mm);
+
+        if (e[0] == 0x3) {
+            sp_2048_sqr_36(r, a);
+            err = sp_2048_mod_36(r, r, m);
+            if (err == MP_OKAY) {
+                sp_2048_mul_36(r, a, r);
+                err = sp_2048_mod_36(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+            sp_2048_mont_norm_36(norm, m);
+
+            sp_2048_mul_36(a, a, norm);
+            err = sp_2048_mod_36(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=56; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 72U);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_36(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_36(r, r, a, m, mp);
+                    }
+                }
+                sp_2048_mont_reduce_36(r, m, mp);
+                mp = sp_2048_cmp_36(r, m);
+                sp_2048_cond_sub_36(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 36;
+        m = a + 72;
+        r = a;
+
+        sp_2048_from_bin(a, 36, in, inLen);
+        sp_2048_from_mp(d, 36, dm);
+        sp_2048_from_mp(m, 36, mm);
+        err = sp_2048_mod_exp_36(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 36);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[72], d[36], m[36];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 36, in, inLen);
+        sp_2048_from_mp(d, 36, dm);
+        sp_2048_from_mp(m, 36, mm);
+        err = sp_2048_mod_exp_36(r, a, d, 2048, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 36);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 36 * 2;
+        q = p + 18;
+        qi = dq = dp = q + 18;
+        tmpa = qi + 18;
+        tmpb = tmpa + 36;
+
+        r = t + 36;
+
+        sp_2048_from_bin(a, 36, in, inLen);
+        sp_2048_from_mp(p, 18, pm);
+        sp_2048_from_mp(q, 18, qm);
+        sp_2048_from_mp(dp, 18, dpm);
+        err = sp_2048_mod_exp_18(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 18, dqm);
+        err = sp_2048_mod_exp_18(tmpb, a, dq, 1024, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_2048_sub_18(tmpa, tmpa, tmpb);
+        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
+        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
+
+        sp_2048_from_mp(qi, 18, qim);
+        sp_2048_mul_18(tmpa, tmpa, qi);
+        err = sp_2048_mod_18(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_18(tmpa, q, tmpa);
+        (void)sp_2048_add_36(r, tmpb, tmpa);
+        sp_2048_norm_36(r);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 18 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[36 * 2];
+    sp_digit p[18], q[18], dp[18], dq[18], qi[18];
+    sp_digit tmpa[36], tmpb[36];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 36, in, inLen);
+        sp_2048_from_mp(p, 18, pm);
+        sp_2048_from_mp(q, 18, qm);
+        sp_2048_from_mp(dp, 18, dpm);
+        sp_2048_from_mp(dq, 18, dqm);
+        sp_2048_from_mp(qi, 18, qim);
+
+        err = sp_2048_mod_exp_18(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_2048_mod_exp_18(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_2048_sub_18(tmpa, tmpa, tmpb);
+        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
+        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
+        sp_2048_mul_18(tmpa, tmpa, qi);
+        err = sp_2048_mod_18(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_18(tmpa, tmpa, q);
+        (void)sp_2048_add_36(r, tmpb, tmpa);
+        sp_2048_norm_36(r);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 57
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 36);
+        r->used = 36;
+        mp_clamp(r);
+#elif DIGIT_BIT < 57
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 36; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 57) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 57 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 36; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 57 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 57 - s;
+            }
+            else {
+                s += 57;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 36 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 36 * 2;
+        m = e + 36;
+        r = b;
+
+        sp_2048_from_mp(b, 36, base);
+        sp_2048_from_mp(e, 36, exp);
+        sp_2048_from_mp(m, 36, mod);
+
+        err = sp_2048_mod_exp_36(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[72], ed[36], md[36];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 36 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 36 * 2;
+        m = e + 36;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 36, base);
+        sp_2048_from_mp(e, 36, exp);
+        sp_2048_from_mp(m, 36, mod);
+
+        err = sp_2048_mod_exp_36(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+SP_NOINLINE static void sp_2048_lshift_36(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[36] = a[35] >> (57 - n);
+    for (i=35; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (57 - n))) & 0x1ffffffffffffffL;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[35];
+    r[36] = s >> (57U - n);
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+#endif
+    r[0] = (a[0] << n) & 0x1ffffffffffffffL;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_36(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[72];
+    sp_digit td[37];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 109, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 72;
+        XMEMSET(td, 0, sizeof(sp_digit) * 109);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_36(norm, m);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 36) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        sp_2048_lshift_36(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_2048_mont_sqr_36(r, r, m, mp);
+            sp_2048_mont_sqr_36(r, r, m, mp);
+            sp_2048_mont_sqr_36(r, r, m, mp);
+            sp_2048_mont_sqr_36(r, r, m, mp);
+            sp_2048_mont_sqr_36(r, r, m, mp);
+
+            sp_2048_lshift_36(r, r, y);
+            sp_2048_mul_d_36(tmp, norm, (r[36] << 4) + (r[35] >> 53));
+            r[36] = 0;
+            r[35] &= 0x1fffffffffffffL;
+            (void)sp_2048_add_36(r, r, tmp);
+            sp_2048_norm_36(r);
+            o = sp_2048_cmp_36(r, m);
+            sp_2048_cond_sub_36(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_2048_mont_reduce_36(r, m, mp);
+        n = sp_2048_cmp_36(r, m);
+        sp_2048_cond_sub_36(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 36 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 36 * 2;
+        m = e + 36;
+        r = b;
+
+        sp_2048_from_mp(b, 36, base);
+        sp_2048_from_bin(e, 36, exp, expLen);
+        sp_2048_from_mp(m, 36, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 &&
+                (m[35] >> 21) == 0xffffffffL) {
+            err = sp_2048_mod_exp_2_36(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_2048_mod_exp_36(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[72], ed[36], md[36];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 36 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 36 * 2;
+        m = e + 36;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 36, base);
+        sp_2048_from_bin(e, 36, exp, expLen);
+        sp_2048_from_mp(m, 36, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2U &&
+                (m[35] >> 21) == 0xffffffffL) {
+            err = sp_2048_mod_exp_2_36(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_2048_mod_exp_36(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_2048
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 36U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 18 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 18 * 2;
+        m = e + 18;
+        r = b;
+
+        sp_2048_from_mp(b, 18, base);
+        sp_2048_from_mp(e, 18, exp);
+        sp_2048_from_mp(m, 18, mod);
+
+        err = sp_2048_mod_exp_18(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 18, 0, sizeof(*r) * 18U);
+        err = sp_2048_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 18U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[36], ed[18], md[18];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 18 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 18 * 2;
+        m = e + 18;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 18, base);
+        sp_2048_from_mp(e, 18, exp);
+        sp_2048_from_mp(m, 18, mod);
+
+        err = sp_2048_mod_exp_18(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 18, 0, sizeof(*r) * 18U);
+        err = sp_2048_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 18U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 18U);
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 49U) {
+            r[j] &= 0x1ffffffffffffffL;
+            s = 57U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 57
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 57
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x1ffffffffffffffL;
+        s = 57U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 57U) <= (word32)DIGIT_BIT) {
+            s += 57U;
+            r[j] &= 0x1ffffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 57) {
+            r[j] &= 0x1ffffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 57 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<53; i++) {
+        r[i+1] += r[i] >> 57;
+        r[i] &= 0x1ffffffffffffffL;
+    }
+    j = 3072 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<54 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 57) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 57);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_9(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int128_t t0   = ((int128_t)a[ 0]) * b[ 0];
+    int128_t t1   = ((int128_t)a[ 0]) * b[ 1]
+                 + ((int128_t)a[ 1]) * b[ 0];
+    int128_t t2   = ((int128_t)a[ 0]) * b[ 2]
+                 + ((int128_t)a[ 1]) * b[ 1]
+                 + ((int128_t)a[ 2]) * b[ 0];
+    int128_t t3   = ((int128_t)a[ 0]) * b[ 3]
+                 + ((int128_t)a[ 1]) * b[ 2]
+                 + ((int128_t)a[ 2]) * b[ 1]
+                 + ((int128_t)a[ 3]) * b[ 0];
+    int128_t t4   = ((int128_t)a[ 0]) * b[ 4]
+                 + ((int128_t)a[ 1]) * b[ 3]
+                 + ((int128_t)a[ 2]) * b[ 2]
+                 + ((int128_t)a[ 3]) * b[ 1]
+                 + ((int128_t)a[ 4]) * b[ 0];
+    int128_t t5   = ((int128_t)a[ 0]) * b[ 5]
+                 + ((int128_t)a[ 1]) * b[ 4]
+                 + ((int128_t)a[ 2]) * b[ 3]
+                 + ((int128_t)a[ 3]) * b[ 2]
+                 + ((int128_t)a[ 4]) * b[ 1]
+                 + ((int128_t)a[ 5]) * b[ 0];
+    int128_t t6   = ((int128_t)a[ 0]) * b[ 6]
+                 + ((int128_t)a[ 1]) * b[ 5]
+                 + ((int128_t)a[ 2]) * b[ 4]
+                 + ((int128_t)a[ 3]) * b[ 3]
+                 + ((int128_t)a[ 4]) * b[ 2]
+                 + ((int128_t)a[ 5]) * b[ 1]
+                 + ((int128_t)a[ 6]) * b[ 0];
+    int128_t t7   = ((int128_t)a[ 0]) * b[ 7]
+                 + ((int128_t)a[ 1]) * b[ 6]
+                 + ((int128_t)a[ 2]) * b[ 5]
+                 + ((int128_t)a[ 3]) * b[ 4]
+                 + ((int128_t)a[ 4]) * b[ 3]
+                 + ((int128_t)a[ 5]) * b[ 2]
+                 + ((int128_t)a[ 6]) * b[ 1]
+                 + ((int128_t)a[ 7]) * b[ 0];
+    int128_t t8   = ((int128_t)a[ 0]) * b[ 8]
+                 + ((int128_t)a[ 1]) * b[ 7]
+                 + ((int128_t)a[ 2]) * b[ 6]
+                 + ((int128_t)a[ 3]) * b[ 5]
+                 + ((int128_t)a[ 4]) * b[ 4]
+                 + ((int128_t)a[ 5]) * b[ 3]
+                 + ((int128_t)a[ 6]) * b[ 2]
+                 + ((int128_t)a[ 7]) * b[ 1]
+                 + ((int128_t)a[ 8]) * b[ 0];
+    int128_t t9   = ((int128_t)a[ 1]) * b[ 8]
+                 + ((int128_t)a[ 2]) * b[ 7]
+                 + ((int128_t)a[ 3]) * b[ 6]
+                 + ((int128_t)a[ 4]) * b[ 5]
+                 + ((int128_t)a[ 5]) * b[ 4]
+                 + ((int128_t)a[ 6]) * b[ 3]
+                 + ((int128_t)a[ 7]) * b[ 2]
+                 + ((int128_t)a[ 8]) * b[ 1];
+    int128_t t10  = ((int128_t)a[ 2]) * b[ 8]
+                 + ((int128_t)a[ 3]) * b[ 7]
+                 + ((int128_t)a[ 4]) * b[ 6]
+                 + ((int128_t)a[ 5]) * b[ 5]
+                 + ((int128_t)a[ 6]) * b[ 4]
+                 + ((int128_t)a[ 7]) * b[ 3]
+                 + ((int128_t)a[ 8]) * b[ 2];
+    int128_t t11  = ((int128_t)a[ 3]) * b[ 8]
+                 + ((int128_t)a[ 4]) * b[ 7]
+                 + ((int128_t)a[ 5]) * b[ 6]
+                 + ((int128_t)a[ 6]) * b[ 5]
+                 + ((int128_t)a[ 7]) * b[ 4]
+                 + ((int128_t)a[ 8]) * b[ 3];
+    int128_t t12  = ((int128_t)a[ 4]) * b[ 8]
+                 + ((int128_t)a[ 5]) * b[ 7]
+                 + ((int128_t)a[ 6]) * b[ 6]
+                 + ((int128_t)a[ 7]) * b[ 5]
+                 + ((int128_t)a[ 8]) * b[ 4];
+    int128_t t13  = ((int128_t)a[ 5]) * b[ 8]
+                 + ((int128_t)a[ 6]) * b[ 7]
+                 + ((int128_t)a[ 7]) * b[ 6]
+                 + ((int128_t)a[ 8]) * b[ 5];
+    int128_t t14  = ((int128_t)a[ 6]) * b[ 8]
+                 + ((int128_t)a[ 7]) * b[ 7]
+                 + ((int128_t)a[ 8]) * b[ 6];
+    int128_t t15  = ((int128_t)a[ 7]) * b[ 8]
+                 + ((int128_t)a[ 8]) * b[ 7];
+    int128_t t16  = ((int128_t)a[ 8]) * b[ 8];
+
+    t1   += t0  >> 57; r[ 0] = t0  & 0x1ffffffffffffffL;
+    t2   += t1  >> 57; r[ 1] = t1  & 0x1ffffffffffffffL;
+    t3   += t2  >> 57; r[ 2] = t2  & 0x1ffffffffffffffL;
+    t4   += t3  >> 57; r[ 3] = t3  & 0x1ffffffffffffffL;
+    t5   += t4  >> 57; r[ 4] = t4  & 0x1ffffffffffffffL;
+    t6   += t5  >> 57; r[ 5] = t5  & 0x1ffffffffffffffL;
+    t7   += t6  >> 57; r[ 6] = t6  & 0x1ffffffffffffffL;
+    t8   += t7  >> 57; r[ 7] = t7  & 0x1ffffffffffffffL;
+    t9   += t8  >> 57; r[ 8] = t8  & 0x1ffffffffffffffL;
+    t10  += t9  >> 57; r[ 9] = t9  & 0x1ffffffffffffffL;
+    t11  += t10 >> 57; r[10] = t10 & 0x1ffffffffffffffL;
+    t12  += t11 >> 57; r[11] = t11 & 0x1ffffffffffffffL;
+    t13  += t12 >> 57; r[12] = t12 & 0x1ffffffffffffffL;
+    t14  += t13 >> 57; r[13] = t13 & 0x1ffffffffffffffL;
+    t15  += t14 >> 57; r[14] = t14 & 0x1ffffffffffffffL;
+    t16  += t15 >> 57; r[15] = t15 & 0x1ffffffffffffffL;
+    r[17] = (sp_digit)(t16 >> 57);
+                       r[16] = t16 & 0x1ffffffffffffffL;
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_9(sp_digit* r, const sp_digit* a)
+{
+    int128_t t0   =  ((int128_t)a[ 0]) * a[ 0];
+    int128_t t1   = (((int128_t)a[ 0]) * a[ 1]) * 2;
+    int128_t t2   = (((int128_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int128_t)a[ 1]) * a[ 1];
+    int128_t t3   = (((int128_t)a[ 0]) * a[ 3]
+                 +  ((int128_t)a[ 1]) * a[ 2]) * 2;
+    int128_t t4   = (((int128_t)a[ 0]) * a[ 4]
+                 +  ((int128_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int128_t)a[ 2]) * a[ 2];
+    int128_t t5   = (((int128_t)a[ 0]) * a[ 5]
+                 +  ((int128_t)a[ 1]) * a[ 4]
+                 +  ((int128_t)a[ 2]) * a[ 3]) * 2;
+    int128_t t6   = (((int128_t)a[ 0]) * a[ 6]
+                 +  ((int128_t)a[ 1]) * a[ 5]
+                 +  ((int128_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int128_t)a[ 3]) * a[ 3];
+    int128_t t7   = (((int128_t)a[ 0]) * a[ 7]
+                 +  ((int128_t)a[ 1]) * a[ 6]
+                 +  ((int128_t)a[ 2]) * a[ 5]
+                 +  ((int128_t)a[ 3]) * a[ 4]) * 2;
+    int128_t t8   = (((int128_t)a[ 0]) * a[ 8]
+                 +  ((int128_t)a[ 1]) * a[ 7]
+                 +  ((int128_t)a[ 2]) * a[ 6]
+                 +  ((int128_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int128_t)a[ 4]) * a[ 4];
+    int128_t t9   = (((int128_t)a[ 1]) * a[ 8]
+                 +  ((int128_t)a[ 2]) * a[ 7]
+                 +  ((int128_t)a[ 3]) * a[ 6]
+                 +  ((int128_t)a[ 4]) * a[ 5]) * 2;
+    int128_t t10  = (((int128_t)a[ 2]) * a[ 8]
+                 +  ((int128_t)a[ 3]) * a[ 7]
+                 +  ((int128_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int128_t)a[ 5]) * a[ 5];
+    int128_t t11  = (((int128_t)a[ 3]) * a[ 8]
+                 +  ((int128_t)a[ 4]) * a[ 7]
+                 +  ((int128_t)a[ 5]) * a[ 6]) * 2;
+    int128_t t12  = (((int128_t)a[ 4]) * a[ 8]
+                 +  ((int128_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int128_t)a[ 6]) * a[ 6];
+    int128_t t13  = (((int128_t)a[ 5]) * a[ 8]
+                 +  ((int128_t)a[ 6]) * a[ 7]) * 2;
+    int128_t t14  = (((int128_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int128_t)a[ 7]) * a[ 7];
+    int128_t t15  = (((int128_t)a[ 7]) * a[ 8]) * 2;
+    int128_t t16  =  ((int128_t)a[ 8]) * a[ 8];
+
+    t1   += t0  >> 57; r[ 0] = t0  & 0x1ffffffffffffffL;
+    t2   += t1  >> 57; r[ 1] = t1  & 0x1ffffffffffffffL;
+    t3   += t2  >> 57; r[ 2] = t2  & 0x1ffffffffffffffL;
+    t4   += t3  >> 57; r[ 3] = t3  & 0x1ffffffffffffffL;
+    t5   += t4  >> 57; r[ 4] = t4  & 0x1ffffffffffffffL;
+    t6   += t5  >> 57; r[ 5] = t5  & 0x1ffffffffffffffL;
+    t7   += t6  >> 57; r[ 6] = t6  & 0x1ffffffffffffffL;
+    t8   += t7  >> 57; r[ 7] = t7  & 0x1ffffffffffffffL;
+    t9   += t8  >> 57; r[ 8] = t8  & 0x1ffffffffffffffL;
+    t10  += t9  >> 57; r[ 9] = t9  & 0x1ffffffffffffffL;
+    t11  += t10 >> 57; r[10] = t10 & 0x1ffffffffffffffL;
+    t12  += t11 >> 57; r[11] = t11 & 0x1ffffffffffffffL;
+    t13  += t12 >> 57; r[12] = t12 & 0x1ffffffffffffffL;
+    t14  += t13 >> 57; r[13] = t13 & 0x1ffffffffffffffL;
+    t15  += t14 >> 57; r[14] = t14 & 0x1ffffffffffffffL;
+    t16  += t15 >> 57; r[15] = t15 & 0x1ffffffffffffffL;
+    r[17] = (sp_digit)(t16 >> 57);
+                       r[16] = t16 & 0x1ffffffffffffffL;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_9(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[16] = a[16] + b[16];
+    r[17] = a[17] + b[17];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_18(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[16] = a[16] - b[16];
+    r[17] = a[17] - b[17];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_18(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[18];
+    sp_digit* a1 = z1;
+    sp_digit b1[9];
+    sp_digit* z2 = r + 18;
+    (void)sp_3072_add_9(a1, a, &a[9]);
+    (void)sp_3072_add_9(b1, b, &b[9]);
+    sp_3072_mul_9(z2, &a[9], &b[9]);
+    sp_3072_mul_9(z0, a, b);
+    sp_3072_mul_9(z1, a1, b1);
+    (void)sp_3072_sub_18(z1, z1, z2);
+    (void)sp_3072_sub_18(z1, z1, z0);
+    (void)sp_3072_add_18(r + 9, r + 9, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_18(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[18];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 18;
+    (void)sp_3072_add_9(a1, a, &a[9]);
+    sp_3072_sqr_9(z2, &a[9]);
+    sp_3072_sqr_9(z0, a);
+    sp_3072_sqr_9(z1, a1);
+    (void)sp_3072_sub_18(z1, z1, z2);
+    (void)sp_3072_sub_18(z1, z1, z0);
+    (void)sp_3072_add_18(r + 9, r + 9, z1);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[32] = a[32] - b[32];
+    r[33] = a[33] - b[33];
+    r[34] = a[34] - b[34];
+    r[35] = a[35] - b[35];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_36(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[32] = a[32] + b[32];
+    r[33] = a[33] + b[33];
+    r[34] = a[34] + b[34];
+    r[35] = a[35] + b[35];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_54(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit p0[36];
+    sp_digit p1[36];
+    sp_digit p2[36];
+    sp_digit p3[36];
+    sp_digit p4[36];
+    sp_digit p5[36];
+    sp_digit t0[36];
+    sp_digit t1[36];
+    sp_digit t2[36];
+    sp_digit a0[18];
+    sp_digit a1[18];
+    sp_digit a2[18];
+    sp_digit b0[18];
+    sp_digit b1[18];
+    sp_digit b2[18];
+    (void)sp_3072_add_18(a0, a, &a[18]);
+    (void)sp_3072_add_18(b0, b, &b[18]);
+    (void)sp_3072_add_18(a1, &a[18], &a[36]);
+    (void)sp_3072_add_18(b1, &b[18], &b[36]);
+    (void)sp_3072_add_18(a2, a0, &a[36]);
+    (void)sp_3072_add_18(b2, b0, &b[36]);
+    sp_3072_mul_18(p0, a, b);
+    sp_3072_mul_18(p2, &a[18], &b[18]);
+    sp_3072_mul_18(p4, &a[36], &b[36]);
+    sp_3072_mul_18(p1, a0, b0);
+    sp_3072_mul_18(p3, a1, b1);
+    sp_3072_mul_18(p5, a2, b2);
+    XMEMSET(r, 0, sizeof(*r)*2U*54U);
+    (void)sp_3072_sub_36(t0, p3, p2);
+    (void)sp_3072_sub_36(t1, p1, p2);
+    (void)sp_3072_sub_36(t2, p5, t0);
+    (void)sp_3072_sub_36(t2, t2, t1);
+    (void)sp_3072_sub_36(t0, t0, p4);
+    (void)sp_3072_sub_36(t1, t1, p0);
+    (void)sp_3072_add_36(r, r, p0);
+    (void)sp_3072_add_36(&r[18], &r[18], t1);
+    (void)sp_3072_add_36(&r[36], &r[36], t2);
+    (void)sp_3072_add_36(&r[54], &r[54], t0);
+    (void)sp_3072_add_36(&r[72], &r[72], p4);
+}
+
+/* Square a into r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_54(sp_digit* r, const sp_digit* a)
+{
+    sp_digit p0[36];
+    sp_digit p1[36];
+    sp_digit p2[36];
+    sp_digit p3[36];
+    sp_digit p4[36];
+    sp_digit p5[36];
+    sp_digit t0[36];
+    sp_digit t1[36];
+    sp_digit t2[36];
+    sp_digit a0[18];
+    sp_digit a1[18];
+    sp_digit a2[18];
+    (void)sp_3072_add_18(a0, a, &a[18]);
+    (void)sp_3072_add_18(a1, &a[18], &a[36]);
+    (void)sp_3072_add_18(a2, a0, &a[36]);
+    sp_3072_sqr_18(p0, a);
+    sp_3072_sqr_18(p2, &a[18]);
+    sp_3072_sqr_18(p4, &a[36]);
+    sp_3072_sqr_18(p1, a0);
+    sp_3072_sqr_18(p3, a1);
+    sp_3072_sqr_18(p5, a2);
+    XMEMSET(r, 0, sizeof(*r)*2U*54U);
+    (void)sp_3072_sub_36(t0, p3, p2);
+    (void)sp_3072_sub_36(t1, p1, p2);
+    (void)sp_3072_sub_36(t2, p5, t0);
+    (void)sp_3072_sub_36(t2, t2, t1);
+    (void)sp_3072_sub_36(t0, t0, p4);
+    (void)sp_3072_sub_36(t1, t1, p0);
+    (void)sp_3072_add_36(r, r, p0);
+    (void)sp_3072_add_36(&r[18], &r[18], t1);
+    (void)sp_3072_add_36(&r[36], &r[36], t2);
+    (void)sp_3072_add_36(&r[54], &r[54], t0);
+    (void)sp_3072_add_36(&r[72], &r[72], p4);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[48] = a[48] + b[48];
+    r[49] = a[49] + b[49];
+    r[50] = a[50] + b[50];
+    r[51] = a[51] + b[51];
+    r[52] = a[52] + b[52];
+    r[53] = a[53] + b[53];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[48] = a[48] - b[48];
+    r[49] = a[49] - b[49];
+    r[50] = a[50] - b[50];
+    r[51] = a[51] - b[51];
+    r[52] = a[52] - b[52];
+    r[53] = a[53] - b[53];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_54(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[53]) * b[53];
+    r[107] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 105; k >= 0; k--) {
+        for (i = 53; i >= 0; i--) {
+            j = k - i;
+            if (j >= 54) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_54(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[53]) * a[53];
+    r[107] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 105; k >= 0; k--) {
+        for (i = 53; i >= 0; i--) {
+            j = k - i;
+            if (j >= 54 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_add_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[24] = a[24] + b[24];
+    r[25] = a[25] + b[25];
+    r[26] = a[26] + b[26];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_3072_sub_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[24] = a[24] - b[24];
+    r[25] = a[25] - b[25];
+    r[26] = a[26] - b[26];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_27(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[26]) * b[26];
+    r[53] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 51; k >= 0; k--) {
+        for (i = 26; i >= 0; i--) {
+            j = k - i;
+            if (j >= 27) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_27(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j;
+    int128_t t[54];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<27; i++) {
+        for (j=0; j<27; j++) {
+            t[i+j] += ((int128_t)a[i]) * b[j];
+        }
+    }
+    for (i=0; i<53; i++) {
+        r[i] = t[i] & 0x1ffffffffffffffL;
+        t[i+1] += t[i] >> 57;
+    }
+    r[53] = (sp_digit)t[53];
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_27(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[26]) * a[26];
+    r[53] = (sp_digit)(c >> 57);
+    c = (c & 0x1ffffffffffffffL) << 57;
+    for (k = 51; k >= 0; k--) {
+        for (i = 26; i >= 0; i--) {
+            j = k - i;
+            if (j >= 27 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 114;
+        r[k + 1] = (c >> 57) & 0x1ffffffffffffffL;
+        c = (c & 0x1ffffffffffffffL) << 57;
+    }
+    r[0] = (sp_digit)(c >> 57);
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_27(sp_digit* r, const sp_digit* a)
+{
+    int i, j;
+    int128_t t[54];
+
+    XMEMSET(t, 0, sizeof(t));
+    for (i=0; i<27; i++) {
+        for (j=0; j<i; j++) {
+            t[i+j] += (((int128_t)a[i]) * a[j]) * 2;
+        }
+        t[i+i] += ((int128_t)a[i]) * a[i];
+    }
+    for (i=0; i<53; i++) {
+        r[i] = t[i] & 0x1ffffffffffffffL;
+        t[i+1] += t[i] >> 57;
+    }
+    r[53] = (sp_digit)t[53];
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+    x &= 0x1ffffffffffffffL;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 57) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_d_54(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[54] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffL;
+    for (i = 0; i < 48; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffL);
+    }
+    t[1] = tb * a[49];
+    r[49] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+    t[2] = tb * a[50];
+    r[50] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+    t[3] = tb * a[51];
+    r[51] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+    t[4] = tb * a[52];
+    r[52] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffL);
+    t[5] = tb * a[53];
+    r[53] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffL);
+    r[54] =  (sp_digit)(t[5] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_27(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<26; i++) {
+        r[i] = 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = 0x1ffffffffffffffL;
+        r[i + 1] = 0x1ffffffffffffffL;
+        r[i + 2] = 0x1ffffffffffffffL;
+        r[i + 3] = 0x1ffffffffffffffL;
+        r[i + 4] = 0x1ffffffffffffffL;
+        r[i + 5] = 0x1ffffffffffffffL;
+        r[i + 6] = 0x1ffffffffffffffL;
+        r[i + 7] = 0x1ffffffffffffffL;
+    }
+    r[24] = 0x1ffffffffffffffL;
+    r[25] = 0x1ffffffffffffffL;
+#endif
+    r[26] = 0x3fffffffffffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_3072_sub_27(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_3072_cmp_27(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=26; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[26] - b[26]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[25] - b[25]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[24] - b[24]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 16; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_sub_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[24] = a[24] - (b[24] & m);
+    r[25] = a[25] - (b[25] & m);
+    r[26] = a[26] - (b[26] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_add_27(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[27] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
+    for (i = 0; i < 24; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
+    }
+    t[1] = tb * a[25]; r[25] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+    t[2] = tb * a[26]; r[26] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+    r[27] +=  (sp_digit)(t[2] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 57.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_3072_norm_27(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 26; i++) {
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 24; i += 8) {
+        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
+        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
+        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
+        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
+        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
+        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
+        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
+        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
+        a[i+9] += a[i+8] >> 57; a[i+8] &= 0x1ffffffffffffffL;
+    }
+    a[24+1] += a[24] >> 57;
+    a[24] &= 0x1ffffffffffffffL;
+    a[25+1] += a[25] >> 57;
+    a[25] &= 0x1ffffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 1536 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_3072_mont_shift_27(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    sp_digit n, s;
+
+    s = a[27];
+    n = a[26] >> 54;
+    for (i = 0; i < 26; i++) {
+        n += (s & 0x1ffffffffffffffL) << 3;
+        r[i] = n & 0x1ffffffffffffffL;
+        n >>= 57;
+        s = a[28 + i] + (s >> 57);
+    }
+    n += s << 3;
+    r[26] = n;
+#else
+    sp_digit n, s;
+    int i;
+
+    s = a[27]; n = a[26] >> 54;
+    for (i = 0; i < 24; i += 8) {
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+0] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+28] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+1] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+29] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+2] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+30] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+3] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+31] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+4] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+32] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+5] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+33] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+6] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+34] + (s >> 57);
+        n += (s & 0x1ffffffffffffffL) << 3; r[i+7] = n & 0x1ffffffffffffffL;
+        n >>= 57; s = a[i+35] + (s >> 57);
+    }
+    n += (s & 0x1ffffffffffffffL) << 3; r[24] = n & 0x1ffffffffffffffL;
+    n >>= 57; s = a[52] + (s >> 57);
+    n += (s & 0x1ffffffffffffffL) << 3; r[25] = n & 0x1ffffffffffffffL;
+    n >>= 57; s = a[53] + (s >> 57);
+    n += s << 3;              r[26] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[27], 0, sizeof(*r) * 27U);
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_3072_mont_reduce_27(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_3072_norm_27(a + 27);
+
+    for (i=0; i<26; i++) {
+        mu = (a[i] * mp) & 0x1ffffffffffffffL;
+        sp_3072_mul_add_27(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+    }
+    mu = (a[i] * mp) & 0x3fffffffffffffL;
+    sp_3072_mul_add_27(a+i, m, mu);
+    a[i+1] += a[i] >> 57;
+    a[i] &= 0x1ffffffffffffffL;
+
+    sp_3072_mont_shift_27(a, a);
+    sp_3072_cond_sub_27(a, a, m, 0 - (((a[26] >> 54) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_3072_norm_27(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_27(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_27(r, a, b);
+    sp_3072_mont_reduce_27(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_27(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_27(r, a);
+    sp_3072_mont_reduce_27(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_d_27(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[27] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1ffffffffffffffL;
+    for (i = 0; i < 24; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 57) + (t[3] & 0x1ffffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 57) + (t[4] & 0x1ffffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 57) + (t[5] & 0x1ffffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 57) + (t[6] & 0x1ffffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 57) + (t[7] & 0x1ffffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 57) + (t[0] & 0x1ffffffffffffffL);
+    }
+    t[1] = tb * a[25];
+    r[25] = (sp_digit)(t[0] >> 57) + (t[1] & 0x1ffffffffffffffL);
+    t[2] = tb * a[26];
+    r[26] = (sp_digit)(t[1] >> 57) + (t[2] & 0x1ffffffffffffffL);
+    r[27] =  (sp_digit)(t[2] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_add_27(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 27; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[24] = a[24] + (b[24] & m);
+    r[25] = a[25] + (b[25] & m);
+    r[26] = a[26] + (b[26] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_3072_div_word_27(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 57 bits from d1 and top 6 bits from d0. */
+    d = (d1 << 6) | (d0 >> 51);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 7 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 45) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 13 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 39) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 19 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 33) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 25 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 27) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 21) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 37 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 15) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 43 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 9) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 49 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 3) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 55 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_div_27(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[54], t2d[27 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 27 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 27;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[26];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 27U);
+        for (i=26; i>=0; i--) {
+            t1[27 + i] += t1[27 + i - 1] >> 57;
+            t1[27 + i - 1] &= 0x1ffffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[27 + i];
+            d1 <<= 57;
+            d1 += t1[27 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_3072_div_word_27(t1[27 + i], t1[27 + i - 1], dv);
+#endif
+
+            sp_3072_mul_d_27(t2, d, r1);
+            (void)sp_3072_sub_27(&t1[i], &t1[i], t2);
+            t1[27 + i] -= t2[27];
+            t1[27 + i] += t1[27 + i - 1] >> 57;
+            t1[27 + i - 1] &= 0x1ffffffffffffffL;
+            r1 = (((-t1[27 + i]) << 57) - t1[27 + i - 1]) / dv;
+            r1++;
+            sp_3072_mul_d_27(t2, d, r1);
+            (void)sp_3072_add_27(&t1[i], &t1[i], t2);
+            t1[27 + i] += t1[27 + i - 1] >> 57;
+            t1[27 + i - 1] &= 0x1ffffffffffffffL;
+        }
+        t1[27 - 1] += t1[27 - 2] >> 57;
+        t1[27 - 2] &= 0x1ffffffffffffffL;
+        r1 = t1[27 - 1] / dv;
+
+        sp_3072_mul_d_27(t2, d, r1);
+        (void)sp_3072_sub_27(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 27U);
+        for (i=0; i<25; i++) {
+            r[i+1] += r[i] >> 57;
+            r[i] &= 0x1ffffffffffffffL;
+        }
+        sp_3072_cond_add_27(r, r, d, 0 - ((r[26] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_mod_27(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_27(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_27(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 27 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 27U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[27 * 2];
+        t[2] = &td[2 * 27 * 2];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_27(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_27(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 27U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_27(t[1], t[1], norm);
+        err = sp_3072_mod_27(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_27(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 27 * 2);
+            sp_3072_mont_sqr_27(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 27 * 2);
+        }
+
+        sp_3072_mont_reduce_27(t[0], m, mp);
+        n = sp_3072_cmp_27(t[0], m);
+        sp_3072_cond_sub_27(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 27 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][54];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 27 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[27 * 2];
+        t[2] = &td[2 * 27 * 2];
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_27(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_27(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_27(t[1], t[1], norm);
+                err = sp_3072_mod_27(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_27(t[1], a, norm);
+            err = sp_3072_mod_27(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_27(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_3072_mont_sqr_27(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_3072_mont_reduce_27(t[0], m, mp);
+        n = sp_3072_cmp_27(t[0], m);
+        sp_3072_cond_sub_27(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][54];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[54];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 54, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 54;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_27(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_27(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_27(t[1], t[1], norm);
+                err = sp_3072_mod_27(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_27(t[1], a, norm);
+            err = sp_3072_mod_27(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_27(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_27(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_27(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_27(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_27(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_27(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_27(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_27(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_27(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_27(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_27(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_27(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_27(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_27(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_27(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_27(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_27(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_27(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_27(t[20], t[10], m, mp);
+        sp_3072_mont_mul_27(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_27(t[22], t[11], m, mp);
+        sp_3072_mont_mul_27(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_27(t[24], t[12], m, mp);
+        sp_3072_mont_mul_27(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_27(t[26], t[13], m, mp);
+        sp_3072_mont_mul_27(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_27(t[28], t[14], m, mp);
+        sp_3072_mont_mul_27(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_27(t[30], t[15], m, mp);
+        sp_3072_mont_mul_27(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 27) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_3072_mont_sqr_27(rt, rt, m, mp);
+            sp_3072_mont_sqr_27(rt, rt, m, mp);
+            sp_3072_mont_sqr_27(rt, rt, m, mp);
+            sp_3072_mont_sqr_27(rt, rt, m, mp);
+            sp_3072_mont_sqr_27(rt, rt, m, mp);
+
+            sp_3072_mont_mul_27(rt, rt, t[y], m, mp);
+        }
+
+        sp_3072_mont_reduce_27(rt, m, mp);
+        n = sp_3072_cmp_27(rt, m);
+        sp_3072_cond_sub_27(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_54(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<53; i++) {
+        r[i] = 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = 0x1ffffffffffffffL;
+        r[i + 1] = 0x1ffffffffffffffL;
+        r[i + 2] = 0x1ffffffffffffffL;
+        r[i + 3] = 0x1ffffffffffffffL;
+        r[i + 4] = 0x1ffffffffffffffL;
+        r[i + 5] = 0x1ffffffffffffffL;
+        r[i + 6] = 0x1ffffffffffffffL;
+        r[i + 7] = 0x1ffffffffffffffL;
+    }
+    r[48] = 0x1ffffffffffffffL;
+    r[49] = 0x1ffffffffffffffL;
+    r[50] = 0x1ffffffffffffffL;
+    r[51] = 0x1ffffffffffffffL;
+    r[52] = 0x1ffffffffffffffL;
+#endif
+    r[53] = 0x7ffffffffffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_3072_sub_54(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_3072_cmp_54(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=53; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[53] - b[53]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[52] - b[52]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[51] - b[51]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[50] - b[50]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[49] - b[49]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[48] - b[48]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 40; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_sub_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[48] = a[48] - (b[48] & m);
+    r[49] = a[49] - (b[49] & m);
+    r[50] = a[50] - (b[50] & m);
+    r[51] = a[51] - (b[51] & m);
+    r[52] = a[52] - (b[52] & m);
+    r[53] = a[53] - (b[53] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_3072_mul_add_54(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1ffffffffffffffL;
+        t >>= 57;
+    }
+    r[54] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
+    for (i = 0; i < 48; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
+    }
+    t[1] = tb * a[49]; r[49] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
+    t[2] = tb * a[50]; r[50] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
+    t[3] = tb * a[51]; r[51] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
+    t[4] = tb * a[52]; r[52] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
+    t[5] = tb * a[53]; r[53] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
+    r[54] +=  (sp_digit)(t[5] >> 57);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 57.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_3072_norm_54(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 53; i++) {
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 48; i += 8) {
+        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
+        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
+        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
+        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
+        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
+        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
+        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
+        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
+        a[i+9] += a[i+8] >> 57; a[i+8] &= 0x1ffffffffffffffL;
+    }
+    a[48+1] += a[48] >> 57;
+    a[48] &= 0x1ffffffffffffffL;
+    a[49+1] += a[49] >> 57;
+    a[49] &= 0x1ffffffffffffffL;
+    a[50+1] += a[50] >> 57;
+    a[50] &= 0x1ffffffffffffffL;
+    a[51+1] += a[51] >> 57;
+    a[51] &= 0x1ffffffffffffffL;
+    a[52+1] += a[52] >> 57;
+    a[52] &= 0x1ffffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 3072 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_3072_mont_shift_54(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int128_t n = a[53] >> 51;
+    n += ((int128_t)a[54]) << 6;
+
+    for (i = 0; i < 53; i++) {
+        r[i] = n & 0x1ffffffffffffffL;
+        n >>= 57;
+        n += ((int128_t)a[55 + i]) << 6;
+    }
+    r[53] = (sp_digit)n;
+#else
+    int i;
+    int128_t n = a[53] >> 51;
+    n += ((int128_t)a[54]) << 6;
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 55]) << 6;
+        r[i + 1] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 56]) << 6;
+        r[i + 2] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 57]) << 6;
+        r[i + 3] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 58]) << 6;
+        r[i + 4] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 59]) << 6;
+        r[i + 5] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 60]) << 6;
+        r[i + 6] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 61]) << 6;
+        r[i + 7] = n & 0x1ffffffffffffffL;
+        n >>= 57; n += ((int128_t)a[i + 62]) << 6;
+    }
+    r[48] = n & 0x1ffffffffffffffL; n >>= 57; n += ((int128_t)a[103]) << 6;
+    r[49] = n & 0x1ffffffffffffffL; n >>= 57; n += ((int128_t)a[104]) << 6;
+    r[50] = n & 0x1ffffffffffffffL; n >>= 57; n += ((int128_t)a[105]) << 6;
+    r[51] = n & 0x1ffffffffffffffL; n >>= 57; n += ((int128_t)a[106]) << 6;
+    r[52] = n & 0x1ffffffffffffffL; n >>= 57; n += ((int128_t)a[107]) << 6;
+    r[53] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[54], 0, sizeof(*r) * 54U);
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_3072_mont_reduce_54(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_3072_norm_54(a + 54);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<53; i++) {
+            mu = (a[i] * mp) & 0x1ffffffffffffffL;
+            sp_3072_mul_add_54(a+i, m, mu);
+            a[i+1] += a[i] >> 57;
+        }
+        mu = (a[i] * mp) & 0x7ffffffffffffL;
+        sp_3072_mul_add_54(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+    else {
+        for (i=0; i<53; i++) {
+            mu = a[i] & 0x1ffffffffffffffL;
+            sp_3072_mul_add_54(a+i, m, mu);
+            a[i+1] += a[i] >> 57;
+        }
+        mu = a[i] & 0x7ffffffffffffL;
+        sp_3072_mul_add_54(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+        a[i] &= 0x1ffffffffffffffL;
+    }
+#else
+    for (i=0; i<53; i++) {
+        mu = (a[i] * mp) & 0x1ffffffffffffffL;
+        sp_3072_mul_add_54(a+i, m, mu);
+        a[i+1] += a[i] >> 57;
+    }
+    mu = (a[i] * mp) & 0x7ffffffffffffL;
+    sp_3072_mul_add_54(a+i, m, mu);
+    a[i+1] += a[i] >> 57;
+    a[i] &= 0x1ffffffffffffffL;
+#endif
+
+    sp_3072_mont_shift_54(a, a);
+    sp_3072_cond_sub_54(a, a, m, 0 - (((a[53] >> 51) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_3072_norm_54(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_54(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_54(r, a, b);
+    sp_3072_mont_reduce_54(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_54(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_54(r, a);
+    sp_3072_mont_reduce_54(r, m, mp);
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_3072_cond_add_54(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 54; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[48] = a[48] + (b[48] & m);
+    r[49] = a[49] + (b[49] & m);
+    r[50] = a[50] + (b[50] & m);
+    r[51] = a[51] + (b[51] & m);
+    r[52] = a[52] + (b[52] & m);
+    r[53] = a[53] + (b[53] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_3072_div_word_54(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 57 bits from d1 and top 6 bits from d0. */
+    d = (d1 << 6) | (d0 >> 51);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 7 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 45) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 13 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 39) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 19 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 33) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 25 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 27) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 21) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 37 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 15) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 43 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 9) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 49 bits in r */
+    /* Next 6 bits from d0. */
+    r <<= 6;
+    d <<= 6;
+    d |= (d0 >> 3) & ((1 << 6) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 55 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_div_54(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[108], t2d[54 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 54 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 54;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[53];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 54U);
+        for (i=53; i>=0; i--) {
+            t1[54 + i] += t1[54 + i - 1] >> 57;
+            t1[54 + i - 1] &= 0x1ffffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[54 + i];
+            d1 <<= 57;
+            d1 += t1[54 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_3072_div_word_54(t1[54 + i], t1[54 + i - 1], dv);
+#endif
+
+            sp_3072_mul_d_54(t2, d, r1);
+            (void)sp_3072_sub_54(&t1[i], &t1[i], t2);
+            t1[54 + i] -= t2[54];
+            t1[54 + i] += t1[54 + i - 1] >> 57;
+            t1[54 + i - 1] &= 0x1ffffffffffffffL;
+            r1 = (((-t1[54 + i]) << 57) - t1[54 + i - 1]) / dv;
+            r1++;
+            sp_3072_mul_d_54(t2, d, r1);
+            (void)sp_3072_add_54(&t1[i], &t1[i], t2);
+            t1[54 + i] += t1[54 + i - 1] >> 57;
+            t1[54 + i - 1] &= 0x1ffffffffffffffL;
+        }
+        t1[54 - 1] += t1[54 - 2] >> 57;
+        t1[54 - 2] &= 0x1ffffffffffffffL;
+        r1 = t1[54 - 1] / dv;
+
+        sp_3072_mul_d_54(t2, d, r1);
+        (void)sp_3072_sub_54(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 54U);
+        for (i=0; i<52; i++) {
+            r[i+1] += r[i] >> 57;
+            r[i] &= 0x1ffffffffffffffL;
+        }
+        sp_3072_cond_add_54(r, r, d, 0 - ((r[53] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_3072_mod_54(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_54(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_54(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 54 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 54U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[54 * 2];
+        t[2] = &td[2 * 54 * 2];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_54(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_54(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 54U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_54(t[1], t[1], norm);
+        err = sp_3072_mod_54(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_54(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 54 * 2);
+            sp_3072_mont_sqr_54(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 54 * 2);
+        }
+
+        sp_3072_mont_reduce_54(t[0], m, mp);
+        n = sp_3072_cmp_54(t[0], m);
+        sp_3072_cond_sub_54(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 54 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][108];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 54 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[54 * 2];
+        t[2] = &td[2 * 54 * 2];
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_54(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_54(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_54(t[1], t[1], norm);
+                err = sp_3072_mod_54(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_54(t[1], a, norm);
+            err = sp_3072_mod_54(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 57;
+        c = bits % 57;
+        n = e[i--] << (57 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 57;
+            }
+
+            y = (n >> 56) & 1;
+            n <<= 1;
+
+            sp_3072_mont_mul_54(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_3072_mont_sqr_54(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_3072_mont_reduce_54(t[0], m, mp);
+        n = sp_3072_cmp_54(t[0], m);
+        sp_3072_cond_sub_54(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][108];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[108];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 108, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 108;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_54(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_3072_mod_54(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_54(t[1], t[1], norm);
+                err = sp_3072_mod_54(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_3072_mul_54(t[1], a, norm);
+            err = sp_3072_mod_54(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_54(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_54(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_54(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_54(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_54(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_54(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_54(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_54(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_54(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_54(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_54(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_54(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_54(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_54(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_54(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_54(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_54(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_54(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_54(t[20], t[10], m, mp);
+        sp_3072_mont_mul_54(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_54(t[22], t[11], m, mp);
+        sp_3072_mont_mul_54(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_54(t[24], t[12], m, mp);
+        sp_3072_mont_mul_54(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_54(t[26], t[13], m, mp);
+        sp_3072_mont_mul_54(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_54(t[28], t[14], m, mp);
+        sp_3072_mont_mul_54(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_54(t[30], t[15], m, mp);
+        sp_3072_mont_mul_54(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 54) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_3072_mont_sqr_54(rt, rt, m, mp);
+            sp_3072_mont_sqr_54(rt, rt, m, mp);
+            sp_3072_mont_sqr_54(rt, rt, m, mp);
+            sp_3072_mont_sqr_54(rt, rt, m, mp);
+            sp_3072_mont_sqr_54(rt, rt, m, mp);
+
+            sp_3072_mont_mul_54(rt, rt, t[y], m, mp);
+        }
+
+        sp_3072_mont_reduce_54(rt, m, mp);
+        n = sp_3072_cmp_54(rt, m);
+        sp_3072_cond_sub_54(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 57) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 54 * 2;
+        m = r + 54 * 2;
+        norm = r;
+
+        sp_3072_from_bin(a, 54, in, inLen);
+#if DIGIT_BIT >= 57
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 54, mm);
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_54(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_mul_54(a, a, norm);
+        err = sp_3072_mod_54(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=56; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 54 * 2);
+        for (i--; i>=0; i--) {
+            sp_3072_mont_sqr_54(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_3072_mont_mul_54(r, r, a, m, mp);
+            }
+        }
+        sp_3072_mont_reduce_54(r, m, mp);
+        mp = sp_3072_cmp_54(r, m);
+        sp_3072_cond_sub_54(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[108], md[54], rd[108];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 57) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 54 * 2;
+        m = r + 54 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 54, in, inLen);
+#if DIGIT_BIT >= 57
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 54, mm);
+
+        if (e[0] == 0x3) {
+            sp_3072_sqr_54(r, a);
+            err = sp_3072_mod_54(r, r, m);
+            if (err == MP_OKAY) {
+                sp_3072_mul_54(r, a, r);
+                err = sp_3072_mod_54(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+            sp_3072_mont_norm_54(norm, m);
+
+            sp_3072_mul_54(a, a, norm);
+            err = sp_3072_mod_54(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=56; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 108U);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_54(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_54(r, r, a, m, mp);
+                    }
+                }
+                sp_3072_mont_reduce_54(r, m, mp);
+                mp = sp_3072_cmp_54(r, m);
+                sp_3072_cond_sub_54(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 54;
+        m = a + 108;
+        r = a;
+
+        sp_3072_from_bin(a, 54, in, inLen);
+        sp_3072_from_mp(d, 54, dm);
+        sp_3072_from_mp(m, 54, mm);
+        err = sp_3072_mod_exp_54(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 54);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[108], d[54], m[54];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 54, in, inLen);
+        sp_3072_from_mp(d, 54, dm);
+        sp_3072_from_mp(m, 54, mm);
+        err = sp_3072_mod_exp_54(r, a, d, 3072, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 54);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 27 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 54 * 2;
+        q = p + 27;
+        qi = dq = dp = q + 27;
+        tmpa = qi + 27;
+        tmpb = tmpa + 54;
+
+        r = t + 54;
+
+        sp_3072_from_bin(a, 54, in, inLen);
+        sp_3072_from_mp(p, 27, pm);
+        sp_3072_from_mp(q, 27, qm);
+        sp_3072_from_mp(dp, 27, dpm);
+        err = sp_3072_mod_exp_27(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 27, dqm);
+        err = sp_3072_mod_exp_27(tmpb, a, dq, 1536, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_3072_sub_27(tmpa, tmpa, tmpb);
+        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
+        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
+
+        sp_3072_from_mp(qi, 27, qim);
+        sp_3072_mul_27(tmpa, tmpa, qi);
+        err = sp_3072_mod_27(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_27(tmpa, q, tmpa);
+        (void)sp_3072_add_54(r, tmpb, tmpa);
+        sp_3072_norm_54(r);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 27 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[54 * 2];
+    sp_digit p[27], q[27], dp[27], dq[27], qi[27];
+    sp_digit tmpa[54], tmpb[54];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 54, in, inLen);
+        sp_3072_from_mp(p, 27, pm);
+        sp_3072_from_mp(q, 27, qm);
+        sp_3072_from_mp(dp, 27, dpm);
+        sp_3072_from_mp(dq, 27, dqm);
+        sp_3072_from_mp(qi, 27, qim);
+
+        err = sp_3072_mod_exp_27(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_3072_mod_exp_27(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_3072_sub_27(tmpa, tmpa, tmpb);
+        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
+        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
+        sp_3072_mul_27(tmpa, tmpa, qi);
+        err = sp_3072_mod_27(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_27(tmpa, tmpa, q);
+        (void)sp_3072_add_54(r, tmpb, tmpa);
+        sp_3072_norm_54(r);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 57
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 54);
+        r->used = 54;
+        mp_clamp(r);
+#elif DIGIT_BIT < 57
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 54; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 57) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 57 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 54; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 57 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 57 - s;
+            }
+            else {
+                s += 57;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 54 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 54 * 2;
+        m = e + 54;
+        r = b;
+
+        sp_3072_from_mp(b, 54, base);
+        sp_3072_from_mp(e, 54, exp);
+        sp_3072_from_mp(m, 54, mod);
+
+        err = sp_3072_mod_exp_54(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[108], ed[54], md[54];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 54 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 54 * 2;
+        m = e + 54;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 54, base);
+        sp_3072_from_mp(e, 54, exp);
+        sp_3072_from_mp(m, 54, mod);
+
+        err = sp_3072_mod_exp_54(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+SP_NOINLINE static void sp_3072_lshift_54(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[54] = a[53] >> (57 - n);
+    for (i=53; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (57 - n))) & 0x1ffffffffffffffL;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[53];
+    r[54] = s >> (57U - n);
+    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
+    r[53] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
+    r[52] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
+    r[51] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
+    r[50] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
+    r[49] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
+    r[48] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
+    r[47] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
+    r[46] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
+    r[45] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
+    r[44] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
+    r[43] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
+    r[42] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
+    r[41] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
+    r[40] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
+    r[39] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
+    r[38] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
+    r[37] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
+    r[36] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
+#endif
+    r[0] = (a[0] << n) & 0x1ffffffffffffffL;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_54(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[108];
+    sp_digit td[55];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 163, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 108;
+        XMEMSET(td, 0, sizeof(sp_digit) * 163);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_54(norm, m);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 56) / 57) - 1;
+        c = bits % 57;
+        if (c == 0) {
+            c = 57;
+        }
+        if (i < 54) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (7 - c);
+            c += 57;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        sp_3072_lshift_54(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (7 - c);
+                c += 57;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_3072_mont_sqr_54(r, r, m, mp);
+            sp_3072_mont_sqr_54(r, r, m, mp);
+            sp_3072_mont_sqr_54(r, r, m, mp);
+            sp_3072_mont_sqr_54(r, r, m, mp);
+            sp_3072_mont_sqr_54(r, r, m, mp);
+
+            sp_3072_lshift_54(r, r, y);
+            sp_3072_mul_d_54(tmp, norm, (r[54] << 6) + (r[53] >> 51));
+            r[54] = 0;
+            r[53] &= 0x7ffffffffffffL;
+            (void)sp_3072_add_54(r, r, tmp);
+            sp_3072_norm_54(r);
+            o = sp_3072_cmp_54(r, m);
+            sp_3072_cond_sub_54(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_3072_mont_reduce_54(r, m, mp);
+        n = sp_3072_cmp_54(r, m);
+        sp_3072_cond_sub_54(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 54 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 54 * 2;
+        m = e + 54;
+        r = b;
+
+        sp_3072_from_mp(b, 54, base);
+        sp_3072_from_bin(e, 54, exp, expLen);
+        sp_3072_from_mp(m, 54, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 &&
+                (m[53] >> 19) == 0xffffffffL) {
+            err = sp_3072_mod_exp_2_54(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_3072_mod_exp_54(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[108], ed[54], md[54];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 54 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 54 * 2;
+        m = e + 54;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 54, base);
+        sp_3072_from_bin(e, 54, exp, expLen);
+        sp_3072_from_mp(m, 54, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2U &&
+                (m[53] >> 19) == 0xffffffffL) {
+            err = sp_3072_mod_exp_2_54(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_3072_mod_exp_54(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_3072
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 54U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 27 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 27 * 2;
+        m = e + 27;
+        r = b;
+
+        sp_3072_from_mp(b, 27, base);
+        sp_3072_from_mp(e, 27, exp);
+        sp_3072_from_mp(m, 27, mod);
+
+        err = sp_3072_mod_exp_27(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 27, 0, sizeof(*r) * 27U);
+        err = sp_3072_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 27U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[54], ed[27], md[27];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 27 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 27 * 2;
+        m = e + 27;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 27, base);
+        sp_3072_from_mp(e, 27, exp);
+        sp_3072_from_mp(m, 27, mod);
+
+        err = sp_3072_mod_exp_27(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 27, 0, sizeof(*r) * 27U);
+        err = sp_3072_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 27U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 27U);
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 45U) {
+            r[j] &= 0x1fffffffffffffL;
+            s = 53U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 53
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 53
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x1fffffffffffffL;
+        s = 53U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 53U) <= (word32)DIGIT_BIT) {
+            s += 53U;
+            r[j] &= 0x1fffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 53) {
+            r[j] &= 0x1fffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 53 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<77; i++) {
+        r[i+1] += r[i] >> 53;
+        r[i] &= 0x1fffffffffffffL;
+    }
+    j = 4096 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<78 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 53) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 53);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_13(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int128_t t0   = ((int128_t)a[ 0]) * b[ 0];
+    int128_t t1   = ((int128_t)a[ 0]) * b[ 1]
+                 + ((int128_t)a[ 1]) * b[ 0];
+    int128_t t2   = ((int128_t)a[ 0]) * b[ 2]
+                 + ((int128_t)a[ 1]) * b[ 1]
+                 + ((int128_t)a[ 2]) * b[ 0];
+    int128_t t3   = ((int128_t)a[ 0]) * b[ 3]
+                 + ((int128_t)a[ 1]) * b[ 2]
+                 + ((int128_t)a[ 2]) * b[ 1]
+                 + ((int128_t)a[ 3]) * b[ 0];
+    int128_t t4   = ((int128_t)a[ 0]) * b[ 4]
+                 + ((int128_t)a[ 1]) * b[ 3]
+                 + ((int128_t)a[ 2]) * b[ 2]
+                 + ((int128_t)a[ 3]) * b[ 1]
+                 + ((int128_t)a[ 4]) * b[ 0];
+    int128_t t5   = ((int128_t)a[ 0]) * b[ 5]
+                 + ((int128_t)a[ 1]) * b[ 4]
+                 + ((int128_t)a[ 2]) * b[ 3]
+                 + ((int128_t)a[ 3]) * b[ 2]
+                 + ((int128_t)a[ 4]) * b[ 1]
+                 + ((int128_t)a[ 5]) * b[ 0];
+    int128_t t6   = ((int128_t)a[ 0]) * b[ 6]
+                 + ((int128_t)a[ 1]) * b[ 5]
+                 + ((int128_t)a[ 2]) * b[ 4]
+                 + ((int128_t)a[ 3]) * b[ 3]
+                 + ((int128_t)a[ 4]) * b[ 2]
+                 + ((int128_t)a[ 5]) * b[ 1]
+                 + ((int128_t)a[ 6]) * b[ 0];
+    int128_t t7   = ((int128_t)a[ 0]) * b[ 7]
+                 + ((int128_t)a[ 1]) * b[ 6]
+                 + ((int128_t)a[ 2]) * b[ 5]
+                 + ((int128_t)a[ 3]) * b[ 4]
+                 + ((int128_t)a[ 4]) * b[ 3]
+                 + ((int128_t)a[ 5]) * b[ 2]
+                 + ((int128_t)a[ 6]) * b[ 1]
+                 + ((int128_t)a[ 7]) * b[ 0];
+    int128_t t8   = ((int128_t)a[ 0]) * b[ 8]
+                 + ((int128_t)a[ 1]) * b[ 7]
+                 + ((int128_t)a[ 2]) * b[ 6]
+                 + ((int128_t)a[ 3]) * b[ 5]
+                 + ((int128_t)a[ 4]) * b[ 4]
+                 + ((int128_t)a[ 5]) * b[ 3]
+                 + ((int128_t)a[ 6]) * b[ 2]
+                 + ((int128_t)a[ 7]) * b[ 1]
+                 + ((int128_t)a[ 8]) * b[ 0];
+    int128_t t9   = ((int128_t)a[ 0]) * b[ 9]
+                 + ((int128_t)a[ 1]) * b[ 8]
+                 + ((int128_t)a[ 2]) * b[ 7]
+                 + ((int128_t)a[ 3]) * b[ 6]
+                 + ((int128_t)a[ 4]) * b[ 5]
+                 + ((int128_t)a[ 5]) * b[ 4]
+                 + ((int128_t)a[ 6]) * b[ 3]
+                 + ((int128_t)a[ 7]) * b[ 2]
+                 + ((int128_t)a[ 8]) * b[ 1]
+                 + ((int128_t)a[ 9]) * b[ 0];
+    int128_t t10  = ((int128_t)a[ 0]) * b[10]
+                 + ((int128_t)a[ 1]) * b[ 9]
+                 + ((int128_t)a[ 2]) * b[ 8]
+                 + ((int128_t)a[ 3]) * b[ 7]
+                 + ((int128_t)a[ 4]) * b[ 6]
+                 + ((int128_t)a[ 5]) * b[ 5]
+                 + ((int128_t)a[ 6]) * b[ 4]
+                 + ((int128_t)a[ 7]) * b[ 3]
+                 + ((int128_t)a[ 8]) * b[ 2]
+                 + ((int128_t)a[ 9]) * b[ 1]
+                 + ((int128_t)a[10]) * b[ 0];
+    int128_t t11  = ((int128_t)a[ 0]) * b[11]
+                 + ((int128_t)a[ 1]) * b[10]
+                 + ((int128_t)a[ 2]) * b[ 9]
+                 + ((int128_t)a[ 3]) * b[ 8]
+                 + ((int128_t)a[ 4]) * b[ 7]
+                 + ((int128_t)a[ 5]) * b[ 6]
+                 + ((int128_t)a[ 6]) * b[ 5]
+                 + ((int128_t)a[ 7]) * b[ 4]
+                 + ((int128_t)a[ 8]) * b[ 3]
+                 + ((int128_t)a[ 9]) * b[ 2]
+                 + ((int128_t)a[10]) * b[ 1]
+                 + ((int128_t)a[11]) * b[ 0];
+    int128_t t12  = ((int128_t)a[ 0]) * b[12]
+                 + ((int128_t)a[ 1]) * b[11]
+                 + ((int128_t)a[ 2]) * b[10]
+                 + ((int128_t)a[ 3]) * b[ 9]
+                 + ((int128_t)a[ 4]) * b[ 8]
+                 + ((int128_t)a[ 5]) * b[ 7]
+                 + ((int128_t)a[ 6]) * b[ 6]
+                 + ((int128_t)a[ 7]) * b[ 5]
+                 + ((int128_t)a[ 8]) * b[ 4]
+                 + ((int128_t)a[ 9]) * b[ 3]
+                 + ((int128_t)a[10]) * b[ 2]
+                 + ((int128_t)a[11]) * b[ 1]
+                 + ((int128_t)a[12]) * b[ 0];
+    int128_t t13  = ((int128_t)a[ 1]) * b[12]
+                 + ((int128_t)a[ 2]) * b[11]
+                 + ((int128_t)a[ 3]) * b[10]
+                 + ((int128_t)a[ 4]) * b[ 9]
+                 + ((int128_t)a[ 5]) * b[ 8]
+                 + ((int128_t)a[ 6]) * b[ 7]
+                 + ((int128_t)a[ 7]) * b[ 6]
+                 + ((int128_t)a[ 8]) * b[ 5]
+                 + ((int128_t)a[ 9]) * b[ 4]
+                 + ((int128_t)a[10]) * b[ 3]
+                 + ((int128_t)a[11]) * b[ 2]
+                 + ((int128_t)a[12]) * b[ 1];
+    int128_t t14  = ((int128_t)a[ 2]) * b[12]
+                 + ((int128_t)a[ 3]) * b[11]
+                 + ((int128_t)a[ 4]) * b[10]
+                 + ((int128_t)a[ 5]) * b[ 9]
+                 + ((int128_t)a[ 6]) * b[ 8]
+                 + ((int128_t)a[ 7]) * b[ 7]
+                 + ((int128_t)a[ 8]) * b[ 6]
+                 + ((int128_t)a[ 9]) * b[ 5]
+                 + ((int128_t)a[10]) * b[ 4]
+                 + ((int128_t)a[11]) * b[ 3]
+                 + ((int128_t)a[12]) * b[ 2];
+    int128_t t15  = ((int128_t)a[ 3]) * b[12]
+                 + ((int128_t)a[ 4]) * b[11]
+                 + ((int128_t)a[ 5]) * b[10]
+                 + ((int128_t)a[ 6]) * b[ 9]
+                 + ((int128_t)a[ 7]) * b[ 8]
+                 + ((int128_t)a[ 8]) * b[ 7]
+                 + ((int128_t)a[ 9]) * b[ 6]
+                 + ((int128_t)a[10]) * b[ 5]
+                 + ((int128_t)a[11]) * b[ 4]
+                 + ((int128_t)a[12]) * b[ 3];
+    int128_t t16  = ((int128_t)a[ 4]) * b[12]
+                 + ((int128_t)a[ 5]) * b[11]
+                 + ((int128_t)a[ 6]) * b[10]
+                 + ((int128_t)a[ 7]) * b[ 9]
+                 + ((int128_t)a[ 8]) * b[ 8]
+                 + ((int128_t)a[ 9]) * b[ 7]
+                 + ((int128_t)a[10]) * b[ 6]
+                 + ((int128_t)a[11]) * b[ 5]
+                 + ((int128_t)a[12]) * b[ 4];
+    int128_t t17  = ((int128_t)a[ 5]) * b[12]
+                 + ((int128_t)a[ 6]) * b[11]
+                 + ((int128_t)a[ 7]) * b[10]
+                 + ((int128_t)a[ 8]) * b[ 9]
+                 + ((int128_t)a[ 9]) * b[ 8]
+                 + ((int128_t)a[10]) * b[ 7]
+                 + ((int128_t)a[11]) * b[ 6]
+                 + ((int128_t)a[12]) * b[ 5];
+    int128_t t18  = ((int128_t)a[ 6]) * b[12]
+                 + ((int128_t)a[ 7]) * b[11]
+                 + ((int128_t)a[ 8]) * b[10]
+                 + ((int128_t)a[ 9]) * b[ 9]
+                 + ((int128_t)a[10]) * b[ 8]
+                 + ((int128_t)a[11]) * b[ 7]
+                 + ((int128_t)a[12]) * b[ 6];
+    int128_t t19  = ((int128_t)a[ 7]) * b[12]
+                 + ((int128_t)a[ 8]) * b[11]
+                 + ((int128_t)a[ 9]) * b[10]
+                 + ((int128_t)a[10]) * b[ 9]
+                 + ((int128_t)a[11]) * b[ 8]
+                 + ((int128_t)a[12]) * b[ 7];
+    int128_t t20  = ((int128_t)a[ 8]) * b[12]
+                 + ((int128_t)a[ 9]) * b[11]
+                 + ((int128_t)a[10]) * b[10]
+                 + ((int128_t)a[11]) * b[ 9]
+                 + ((int128_t)a[12]) * b[ 8];
+    int128_t t21  = ((int128_t)a[ 9]) * b[12]
+                 + ((int128_t)a[10]) * b[11]
+                 + ((int128_t)a[11]) * b[10]
+                 + ((int128_t)a[12]) * b[ 9];
+    int128_t t22  = ((int128_t)a[10]) * b[12]
+                 + ((int128_t)a[11]) * b[11]
+                 + ((int128_t)a[12]) * b[10];
+    int128_t t23  = ((int128_t)a[11]) * b[12]
+                 + ((int128_t)a[12]) * b[11];
+    int128_t t24  = ((int128_t)a[12]) * b[12];
+
+    t1   += t0  >> 53; r[ 0] = t0  & 0x1fffffffffffffL;
+    t2   += t1  >> 53; r[ 1] = t1  & 0x1fffffffffffffL;
+    t3   += t2  >> 53; r[ 2] = t2  & 0x1fffffffffffffL;
+    t4   += t3  >> 53; r[ 3] = t3  & 0x1fffffffffffffL;
+    t5   += t4  >> 53; r[ 4] = t4  & 0x1fffffffffffffL;
+    t6   += t5  >> 53; r[ 5] = t5  & 0x1fffffffffffffL;
+    t7   += t6  >> 53; r[ 6] = t6  & 0x1fffffffffffffL;
+    t8   += t7  >> 53; r[ 7] = t7  & 0x1fffffffffffffL;
+    t9   += t8  >> 53; r[ 8] = t8  & 0x1fffffffffffffL;
+    t10  += t9  >> 53; r[ 9] = t9  & 0x1fffffffffffffL;
+    t11  += t10 >> 53; r[10] = t10 & 0x1fffffffffffffL;
+    t12  += t11 >> 53; r[11] = t11 & 0x1fffffffffffffL;
+    t13  += t12 >> 53; r[12] = t12 & 0x1fffffffffffffL;
+    t14  += t13 >> 53; r[13] = t13 & 0x1fffffffffffffL;
+    t15  += t14 >> 53; r[14] = t14 & 0x1fffffffffffffL;
+    t16  += t15 >> 53; r[15] = t15 & 0x1fffffffffffffL;
+    t17  += t16 >> 53; r[16] = t16 & 0x1fffffffffffffL;
+    t18  += t17 >> 53; r[17] = t17 & 0x1fffffffffffffL;
+    t19  += t18 >> 53; r[18] = t18 & 0x1fffffffffffffL;
+    t20  += t19 >> 53; r[19] = t19 & 0x1fffffffffffffL;
+    t21  += t20 >> 53; r[20] = t20 & 0x1fffffffffffffL;
+    t22  += t21 >> 53; r[21] = t21 & 0x1fffffffffffffL;
+    t23  += t22 >> 53; r[22] = t22 & 0x1fffffffffffffL;
+    t24  += t23 >> 53; r[23] = t23 & 0x1fffffffffffffL;
+    r[25] = (sp_digit)(t24 >> 53);
+                       r[24] = t24 & 0x1fffffffffffffL;
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_13(sp_digit* r, const sp_digit* a)
+{
+    int128_t t0   =  ((int128_t)a[ 0]) * a[ 0];
+    int128_t t1   = (((int128_t)a[ 0]) * a[ 1]) * 2;
+    int128_t t2   = (((int128_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int128_t)a[ 1]) * a[ 1];
+    int128_t t3   = (((int128_t)a[ 0]) * a[ 3]
+                 +  ((int128_t)a[ 1]) * a[ 2]) * 2;
+    int128_t t4   = (((int128_t)a[ 0]) * a[ 4]
+                 +  ((int128_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int128_t)a[ 2]) * a[ 2];
+    int128_t t5   = (((int128_t)a[ 0]) * a[ 5]
+                 +  ((int128_t)a[ 1]) * a[ 4]
+                 +  ((int128_t)a[ 2]) * a[ 3]) * 2;
+    int128_t t6   = (((int128_t)a[ 0]) * a[ 6]
+                 +  ((int128_t)a[ 1]) * a[ 5]
+                 +  ((int128_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int128_t)a[ 3]) * a[ 3];
+    int128_t t7   = (((int128_t)a[ 0]) * a[ 7]
+                 +  ((int128_t)a[ 1]) * a[ 6]
+                 +  ((int128_t)a[ 2]) * a[ 5]
+                 +  ((int128_t)a[ 3]) * a[ 4]) * 2;
+    int128_t t8   = (((int128_t)a[ 0]) * a[ 8]
+                 +  ((int128_t)a[ 1]) * a[ 7]
+                 +  ((int128_t)a[ 2]) * a[ 6]
+                 +  ((int128_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int128_t)a[ 4]) * a[ 4];
+    int128_t t9   = (((int128_t)a[ 0]) * a[ 9]
+                 +  ((int128_t)a[ 1]) * a[ 8]
+                 +  ((int128_t)a[ 2]) * a[ 7]
+                 +  ((int128_t)a[ 3]) * a[ 6]
+                 +  ((int128_t)a[ 4]) * a[ 5]) * 2;
+    int128_t t10  = (((int128_t)a[ 0]) * a[10]
+                 +  ((int128_t)a[ 1]) * a[ 9]
+                 +  ((int128_t)a[ 2]) * a[ 8]
+                 +  ((int128_t)a[ 3]) * a[ 7]
+                 +  ((int128_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int128_t)a[ 5]) * a[ 5];
+    int128_t t11  = (((int128_t)a[ 0]) * a[11]
+                 +  ((int128_t)a[ 1]) * a[10]
+                 +  ((int128_t)a[ 2]) * a[ 9]
+                 +  ((int128_t)a[ 3]) * a[ 8]
+                 +  ((int128_t)a[ 4]) * a[ 7]
+                 +  ((int128_t)a[ 5]) * a[ 6]) * 2;
+    int128_t t12  = (((int128_t)a[ 0]) * a[12]
+                 +  ((int128_t)a[ 1]) * a[11]
+                 +  ((int128_t)a[ 2]) * a[10]
+                 +  ((int128_t)a[ 3]) * a[ 9]
+                 +  ((int128_t)a[ 4]) * a[ 8]
+                 +  ((int128_t)a[ 5]) * a[ 7]) * 2
+                 +  ((int128_t)a[ 6]) * a[ 6];
+    int128_t t13  = (((int128_t)a[ 1]) * a[12]
+                 +  ((int128_t)a[ 2]) * a[11]
+                 +  ((int128_t)a[ 3]) * a[10]
+                 +  ((int128_t)a[ 4]) * a[ 9]
+                 +  ((int128_t)a[ 5]) * a[ 8]
+                 +  ((int128_t)a[ 6]) * a[ 7]) * 2;
+    int128_t t14  = (((int128_t)a[ 2]) * a[12]
+                 +  ((int128_t)a[ 3]) * a[11]
+                 +  ((int128_t)a[ 4]) * a[10]
+                 +  ((int128_t)a[ 5]) * a[ 9]
+                 +  ((int128_t)a[ 6]) * a[ 8]) * 2
+                 +  ((int128_t)a[ 7]) * a[ 7];
+    int128_t t15  = (((int128_t)a[ 3]) * a[12]
+                 +  ((int128_t)a[ 4]) * a[11]
+                 +  ((int128_t)a[ 5]) * a[10]
+                 +  ((int128_t)a[ 6]) * a[ 9]
+                 +  ((int128_t)a[ 7]) * a[ 8]) * 2;
+    int128_t t16  = (((int128_t)a[ 4]) * a[12]
+                 +  ((int128_t)a[ 5]) * a[11]
+                 +  ((int128_t)a[ 6]) * a[10]
+                 +  ((int128_t)a[ 7]) * a[ 9]) * 2
+                 +  ((int128_t)a[ 8]) * a[ 8];
+    int128_t t17  = (((int128_t)a[ 5]) * a[12]
+                 +  ((int128_t)a[ 6]) * a[11]
+                 +  ((int128_t)a[ 7]) * a[10]
+                 +  ((int128_t)a[ 8]) * a[ 9]) * 2;
+    int128_t t18  = (((int128_t)a[ 6]) * a[12]
+                 +  ((int128_t)a[ 7]) * a[11]
+                 +  ((int128_t)a[ 8]) * a[10]) * 2
+                 +  ((int128_t)a[ 9]) * a[ 9];
+    int128_t t19  = (((int128_t)a[ 7]) * a[12]
+                 +  ((int128_t)a[ 8]) * a[11]
+                 +  ((int128_t)a[ 9]) * a[10]) * 2;
+    int128_t t20  = (((int128_t)a[ 8]) * a[12]
+                 +  ((int128_t)a[ 9]) * a[11]) * 2
+                 +  ((int128_t)a[10]) * a[10];
+    int128_t t21  = (((int128_t)a[ 9]) * a[12]
+                 +  ((int128_t)a[10]) * a[11]) * 2;
+    int128_t t22  = (((int128_t)a[10]) * a[12]) * 2
+                 +  ((int128_t)a[11]) * a[11];
+    int128_t t23  = (((int128_t)a[11]) * a[12]) * 2;
+    int128_t t24  =  ((int128_t)a[12]) * a[12];
+
+    t1   += t0  >> 53; r[ 0] = t0  & 0x1fffffffffffffL;
+    t2   += t1  >> 53; r[ 1] = t1  & 0x1fffffffffffffL;
+    t3   += t2  >> 53; r[ 2] = t2  & 0x1fffffffffffffL;
+    t4   += t3  >> 53; r[ 3] = t3  & 0x1fffffffffffffL;
+    t5   += t4  >> 53; r[ 4] = t4  & 0x1fffffffffffffL;
+    t6   += t5  >> 53; r[ 5] = t5  & 0x1fffffffffffffL;
+    t7   += t6  >> 53; r[ 6] = t6  & 0x1fffffffffffffL;
+    t8   += t7  >> 53; r[ 7] = t7  & 0x1fffffffffffffL;
+    t9   += t8  >> 53; r[ 8] = t8  & 0x1fffffffffffffL;
+    t10  += t9  >> 53; r[ 9] = t9  & 0x1fffffffffffffL;
+    t11  += t10 >> 53; r[10] = t10 & 0x1fffffffffffffL;
+    t12  += t11 >> 53; r[11] = t11 & 0x1fffffffffffffL;
+    t13  += t12 >> 53; r[12] = t12 & 0x1fffffffffffffL;
+    t14  += t13 >> 53; r[13] = t13 & 0x1fffffffffffffL;
+    t15  += t14 >> 53; r[14] = t14 & 0x1fffffffffffffL;
+    t16  += t15 >> 53; r[15] = t15 & 0x1fffffffffffffL;
+    t17  += t16 >> 53; r[16] = t16 & 0x1fffffffffffffL;
+    t18  += t17 >> 53; r[17] = t17 & 0x1fffffffffffffL;
+    t19  += t18 >> 53; r[18] = t18 & 0x1fffffffffffffL;
+    t20  += t19 >> 53; r[19] = t19 & 0x1fffffffffffffL;
+    t21  += t20 >> 53; r[20] = t20 & 0x1fffffffffffffL;
+    t22  += t21 >> 53; r[21] = t21 & 0x1fffffffffffffL;
+    t23  += t22 >> 53; r[22] = t22 & 0x1fffffffffffffL;
+    t24  += t23 >> 53; r[23] = t23 & 0x1fffffffffffffL;
+    r[25] = (sp_digit)(t24 >> 53);
+                       r[24] = t24 & 0x1fffffffffffffL;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_13(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+    r[ 7] = a[ 7] + b[ 7];
+    r[ 8] = a[ 8] + b[ 8];
+    r[ 9] = a[ 9] + b[ 9];
+    r[10] = a[10] + b[10];
+    r[11] = a[11] + b[11];
+    r[12] = a[12] + b[12];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_26(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[24] = a[24] - b[24];
+    r[25] = a[25] - b[25];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_26(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[24] = a[24] + b[24];
+    r[25] = a[25] + b[25];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_39(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit p0[26];
+    sp_digit p1[26];
+    sp_digit p2[26];
+    sp_digit p3[26];
+    sp_digit p4[26];
+    sp_digit p5[26];
+    sp_digit t0[26];
+    sp_digit t1[26];
+    sp_digit t2[26];
+    sp_digit a0[13];
+    sp_digit a1[13];
+    sp_digit a2[13];
+    sp_digit b0[13];
+    sp_digit b1[13];
+    sp_digit b2[13];
+    (void)sp_4096_add_13(a0, a, &a[13]);
+    (void)sp_4096_add_13(b0, b, &b[13]);
+    (void)sp_4096_add_13(a1, &a[13], &a[26]);
+    (void)sp_4096_add_13(b1, &b[13], &b[26]);
+    (void)sp_4096_add_13(a2, a0, &a[26]);
+    (void)sp_4096_add_13(b2, b0, &b[26]);
+    sp_4096_mul_13(p0, a, b);
+    sp_4096_mul_13(p2, &a[13], &b[13]);
+    sp_4096_mul_13(p4, &a[26], &b[26]);
+    sp_4096_mul_13(p1, a0, b0);
+    sp_4096_mul_13(p3, a1, b1);
+    sp_4096_mul_13(p5, a2, b2);
+    XMEMSET(r, 0, sizeof(*r)*2U*39U);
+    (void)sp_4096_sub_26(t0, p3, p2);
+    (void)sp_4096_sub_26(t1, p1, p2);
+    (void)sp_4096_sub_26(t2, p5, t0);
+    (void)sp_4096_sub_26(t2, t2, t1);
+    (void)sp_4096_sub_26(t0, t0, p4);
+    (void)sp_4096_sub_26(t1, t1, p0);
+    (void)sp_4096_add_26(r, r, p0);
+    (void)sp_4096_add_26(&r[13], &r[13], t1);
+    (void)sp_4096_add_26(&r[26], &r[26], t2);
+    (void)sp_4096_add_26(&r[39], &r[39], t0);
+    (void)sp_4096_add_26(&r[52], &r[52], p4);
+}
+
+/* Square a into r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_39(sp_digit* r, const sp_digit* a)
+{
+    sp_digit p0[26];
+    sp_digit p1[26];
+    sp_digit p2[26];
+    sp_digit p3[26];
+    sp_digit p4[26];
+    sp_digit p5[26];
+    sp_digit t0[26];
+    sp_digit t1[26];
+    sp_digit t2[26];
+    sp_digit a0[13];
+    sp_digit a1[13];
+    sp_digit a2[13];
+    (void)sp_4096_add_13(a0, a, &a[13]);
+    (void)sp_4096_add_13(a1, &a[13], &a[26]);
+    (void)sp_4096_add_13(a2, a0, &a[26]);
+    sp_4096_sqr_13(p0, a);
+    sp_4096_sqr_13(p2, &a[13]);
+    sp_4096_sqr_13(p4, &a[26]);
+    sp_4096_sqr_13(p1, a0);
+    sp_4096_sqr_13(p3, a1);
+    sp_4096_sqr_13(p5, a2);
+    XMEMSET(r, 0, sizeof(*r)*2U*39U);
+    (void)sp_4096_sub_26(t0, p3, p2);
+    (void)sp_4096_sub_26(t1, p1, p2);
+    (void)sp_4096_sub_26(t2, p5, t0);
+    (void)sp_4096_sub_26(t2, t2, t1);
+    (void)sp_4096_sub_26(t0, t0, p4);
+    (void)sp_4096_sub_26(t1, t1, p0);
+    (void)sp_4096_add_26(r, r, p0);
+    (void)sp_4096_add_26(&r[13], &r[13], t1);
+    (void)sp_4096_add_26(&r[26], &r[26], t2);
+    (void)sp_4096_add_26(&r[39], &r[39], t0);
+    (void)sp_4096_add_26(&r[52], &r[52], p4);
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[32] = a[32] + b[32];
+    r[33] = a[33] + b[33];
+    r[34] = a[34] + b[34];
+    r[35] = a[35] + b[35];
+    r[36] = a[36] + b[36];
+    r[37] = a[37] + b[37];
+    r[38] = a[38] + b[38];
+
+    return 0;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = a[i + 0] + b[i + 0];
+        r[i + 1] = a[i + 1] + b[i + 1];
+        r[i + 2] = a[i + 2] + b[i + 2];
+        r[i + 3] = a[i + 3] + b[i + 3];
+        r[i + 4] = a[i + 4] + b[i + 4];
+        r[i + 5] = a[i + 5] + b[i + 5];
+        r[i + 6] = a[i + 6] + b[i + 6];
+        r[i + 7] = a[i + 7] + b[i + 7];
+    }
+    r[72] = a[72] + b[72];
+    r[73] = a[73] + b[73];
+    r[74] = a[74] + b[74];
+    r[75] = a[75] + b[75];
+    r[76] = a[76] + b[76];
+    r[77] = a[77] + b[77];
+
+    return 0;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[72] = a[72] - b[72];
+    r[73] = a[73] - b[73];
+    r[74] = a[74] - b[74];
+    r[75] = a[75] - b[75];
+    r[76] = a[76] - b[76];
+    r[77] = a[77] - b[77];
+
+    return 0;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_78(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[78];
+    sp_digit* a1 = z1;
+    sp_digit b1[39];
+    sp_digit* z2 = r + 78;
+    (void)sp_4096_add_39(a1, a, &a[39]);
+    (void)sp_4096_add_39(b1, b, &b[39]);
+    sp_4096_mul_39(z2, &a[39], &b[39]);
+    sp_4096_mul_39(z0, a, b);
+    sp_4096_mul_39(z1, a1, b1);
+    (void)sp_4096_sub_78(z1, z1, z2);
+    (void)sp_4096_sub_78(z1, z1, z0);
+    (void)sp_4096_add_78(r + 39, r + 39, z1);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_78(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[78];
+    sp_digit* a1 = z1;
+    sp_digit* z2 = r + 78;
+    (void)sp_4096_add_39(a1, a, &a[39]);
+    sp_4096_sqr_39(z2, &a[39]);
+    sp_4096_sqr_39(z0, a);
+    sp_4096_sqr_39(z1, a1);
+    (void)sp_4096_sub_78(z1, z1, z2);
+    (void)sp_4096_sub_78(z1, z1, z0);
+    (void)sp_4096_add_78(r + 39, r + 39, z1);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_78(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[77]) * b[77];
+    r[155] = (sp_digit)(c >> 53);
+    c = (c & 0x1fffffffffffffL) << 53;
+    for (k = 153; k >= 0; k--) {
+        for (i = 77; i >= 0; i--) {
+            j = k - i;
+            if (j >= 78) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 106;
+        r[k + 1] = (c >> 53) & 0x1fffffffffffffL;
+        c = (c & 0x1fffffffffffffL) << 53;
+    }
+    r[0] = (sp_digit)(c >> 53);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_78(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[77]) * a[77];
+    r[155] = (sp_digit)(c >> 53);
+    c = (c & 0x1fffffffffffffL) << 53;
+    for (k = 153; k >= 0; k--) {
+        for (i = 77; i >= 0; i--) {
+            j = k - i;
+            if (j >= 78 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 106;
+        r[k + 1] = (c >> 53) & 0x1fffffffffffffL;
+        c = (c & 0x1fffffffffffffL) << 53;
+    }
+    r[0] = (sp_digit)(c >> 53);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] - b[i + 0];
+        r[i + 1] = a[i + 1] - b[i + 1];
+        r[i + 2] = a[i + 2] - b[i + 2];
+        r[i + 3] = a[i + 3] - b[i + 3];
+        r[i + 4] = a[i + 4] - b[i + 4];
+        r[i + 5] = a[i + 5] - b[i + 5];
+        r[i + 6] = a[i + 6] - b[i + 6];
+        r[i + 7] = a[i + 7] - b[i + 7];
+    }
+    r[32] = a[32] - b[32];
+    r[33] = a[33] - b[33];
+    r[34] = a[34] - b[34];
+    r[35] = a[35] - b[35];
+    r[36] = a[36] - b[36];
+    r[37] = a[37] - b[37];
+    r[38] = a[38] - b[38];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_39(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[38]) * b[38];
+    r[77] = (sp_digit)(c >> 53);
+    c = (c & 0x1fffffffffffffL) << 53;
+    for (k = 75; k >= 0; k--) {
+        for (i = 38; i >= 0; i--) {
+            j = k - i;
+            if (j >= 39) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 106;
+        r[k + 1] = (c >> 53) & 0x1fffffffffffffL;
+        c = (c & 0x1fffffffffffffL) << 53;
+    }
+    r[0] = (sp_digit)(c >> 53);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_39(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[38]) * a[38];
+    r[77] = (sp_digit)(c >> 53);
+    c = (c & 0x1fffffffffffffL) << 53;
+    for (k = 75; k >= 0; k--) {
+        for (i = 38; i >= 0; i--) {
+            j = k - i;
+            if (j >= 39 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 106;
+        r[k + 1] = (c >> 53) & 0x1fffffffffffffL;
+        c = (c & 0x1fffffffffffffL) << 53;
+    }
+    r[0] = (sp_digit)(c >> 53);
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* WOLFSSL_HAVE_SP_RSA && !SP_RSA_PRIVATE_EXP_D */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+    x &= 0x1fffffffffffffL;
+
+    /* rho = -1/m mod b */
+    *rho = (1L << 53) - x;
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_78(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffffffffffffL;
+        t >>= 53;
+    }
+    r[78] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffffffffffffL;
+    for (i = 0; i < 72; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 53) + (t[4] & 0x1fffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 53) + (t[5] & 0x1fffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 53) + (t[6] & 0x1fffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 53) + (t[7] & 0x1fffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 53) + (t[0] & 0x1fffffffffffffL);
+    }
+    t[1] = tb * a[73];
+    r[73] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+    t[2] = tb * a[74];
+    r[74] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+    t[3] = tb * a[75];
+    r[75] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+    t[4] = tb * a[76];
+    r[76] = (sp_digit)(t[3] >> 53) + (t[4] & 0x1fffffffffffffL);
+    t[5] = tb * a[77];
+    r[77] = (sp_digit)(t[4] >> 53) + (t[5] & 0x1fffffffffffffL);
+    r[78] =  (sp_digit)(t[5] >> 53);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_39(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<38; i++) {
+        r[i] = 0x1fffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = 0x1fffffffffffffL;
+        r[i + 1] = 0x1fffffffffffffL;
+        r[i + 2] = 0x1fffffffffffffL;
+        r[i + 3] = 0x1fffffffffffffL;
+        r[i + 4] = 0x1fffffffffffffL;
+        r[i + 5] = 0x1fffffffffffffL;
+        r[i + 6] = 0x1fffffffffffffL;
+        r[i + 7] = 0x1fffffffffffffL;
+    }
+    r[32] = 0x1fffffffffffffL;
+    r[33] = 0x1fffffffffffffL;
+    r[34] = 0x1fffffffffffffL;
+    r[35] = 0x1fffffffffffffL;
+    r[36] = 0x1fffffffffffffL;
+    r[37] = 0x1fffffffffffffL;
+#endif
+    r[38] = 0x3ffffffffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_4096_sub_39(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_4096_cmp_39(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=38; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[38] - b[38]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[37] - b[37]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[36] - b[36]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[35] - b[35]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[34] - b[34]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[33] - b[33]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[32] - b[32]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 24; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_sub_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[32] = a[32] - (b[32] & m);
+    r[33] = a[33] - (b[33] & m);
+    r[34] = a[34] - (b[34] & m);
+    r[35] = a[35] - (b[35] & m);
+    r[36] = a[36] - (b[36] & m);
+    r[37] = a[37] - (b[37] & m);
+    r[38] = a[38] - (b[38] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_add_39(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1fffffffffffffL;
+        t >>= 53;
+    }
+    r[39] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffffffffffffL);
+    for (i = 0; i < 32; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 53) + (t[7] & 0x1fffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 53) + (t[0] & 0x1fffffffffffffL));
+    }
+    t[1] = tb * a[33]; r[33] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
+    t[2] = tb * a[34]; r[34] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
+    t[3] = tb * a[35]; r[35] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
+    t[4] = tb * a[36]; r[36] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
+    t[5] = tb * a[37]; r[37] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
+    t[6] = tb * a[38]; r[38] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
+    r[39] +=  (sp_digit)(t[6] >> 53);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 53.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_4096_norm_39(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 38; i++) {
+        a[i+1] += a[i] >> 53;
+        a[i] &= 0x1fffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 32; i += 8) {
+        a[i+1] += a[i+0] >> 53; a[i+0] &= 0x1fffffffffffffL;
+        a[i+2] += a[i+1] >> 53; a[i+1] &= 0x1fffffffffffffL;
+        a[i+3] += a[i+2] >> 53; a[i+2] &= 0x1fffffffffffffL;
+        a[i+4] += a[i+3] >> 53; a[i+3] &= 0x1fffffffffffffL;
+        a[i+5] += a[i+4] >> 53; a[i+4] &= 0x1fffffffffffffL;
+        a[i+6] += a[i+5] >> 53; a[i+5] &= 0x1fffffffffffffL;
+        a[i+7] += a[i+6] >> 53; a[i+6] &= 0x1fffffffffffffL;
+        a[i+8] += a[i+7] >> 53; a[i+7] &= 0x1fffffffffffffL;
+        a[i+9] += a[i+8] >> 53; a[i+8] &= 0x1fffffffffffffL;
+    }
+    a[32+1] += a[32] >> 53;
+    a[32] &= 0x1fffffffffffffL;
+    a[33+1] += a[33] >> 53;
+    a[33] &= 0x1fffffffffffffL;
+    a[34+1] += a[34] >> 53;
+    a[34] &= 0x1fffffffffffffL;
+    a[35+1] += a[35] >> 53;
+    a[35] &= 0x1fffffffffffffL;
+    a[36+1] += a[36] >> 53;
+    a[36] &= 0x1fffffffffffffL;
+    a[37+1] += a[37] >> 53;
+    a[37] &= 0x1fffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 2048 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_4096_mont_shift_39(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int128_t n = a[38] >> 34;
+    n += ((int128_t)a[39]) << 19;
+
+    for (i = 0; i < 38; i++) {
+        r[i] = n & 0x1fffffffffffffL;
+        n >>= 53;
+        n += ((int128_t)a[40 + i]) << 19;
+    }
+    r[38] = (sp_digit)n;
+#else
+    int i;
+    int128_t n = a[38] >> 34;
+    n += ((int128_t)a[39]) << 19;
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 40]) << 19;
+        r[i + 1] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 41]) << 19;
+        r[i + 2] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 42]) << 19;
+        r[i + 3] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 43]) << 19;
+        r[i + 4] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 44]) << 19;
+        r[i + 5] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 45]) << 19;
+        r[i + 6] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 46]) << 19;
+        r[i + 7] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 47]) << 19;
+    }
+    r[32] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[72]) << 19;
+    r[33] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[73]) << 19;
+    r[34] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[74]) << 19;
+    r[35] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[75]) << 19;
+    r[36] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[76]) << 19;
+    r[37] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[77]) << 19;
+    r[38] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[39], 0, sizeof(*r) * 39U);
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_4096_mont_reduce_39(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_4096_norm_39(a + 39);
+
+    for (i=0; i<38; i++) {
+        mu = (a[i] * mp) & 0x1fffffffffffffL;
+        sp_4096_mul_add_39(a+i, m, mu);
+        a[i+1] += a[i] >> 53;
+    }
+    mu = (a[i] * mp) & 0x3ffffffffL;
+    sp_4096_mul_add_39(a+i, m, mu);
+    a[i+1] += a[i] >> 53;
+    a[i] &= 0x1fffffffffffffL;
+
+    sp_4096_mont_shift_39(a, a);
+    sp_4096_cond_sub_39(a, a, m, 0 - (((a[38] >> 34) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_4096_norm_39(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_39(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_39(r, a, b);
+    sp_4096_mont_reduce_39(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_39(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_39(r, a);
+    sp_4096_mont_reduce_39(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_39(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffffffffffffL;
+        t >>= 53;
+    }
+    r[39] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffffffffffffL;
+    for (i = 0; i < 32; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 53) + (t[4] & 0x1fffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 53) + (t[5] & 0x1fffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 53) + (t[6] & 0x1fffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 53) + (t[7] & 0x1fffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 53) + (t[0] & 0x1fffffffffffffL);
+    }
+    t[1] = tb * a[33];
+    r[33] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+    t[2] = tb * a[34];
+    r[34] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+    t[3] = tb * a[35];
+    r[35] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+    t[4] = tb * a[36];
+    r[36] = (sp_digit)(t[3] >> 53) + (t[4] & 0x1fffffffffffffL);
+    t[5] = tb * a[37];
+    r[37] = (sp_digit)(t[4] >> 53) + (t[5] & 0x1fffffffffffffL);
+    t[6] = tb * a[38];
+    r[38] = (sp_digit)(t[5] >> 53) + (t[6] & 0x1fffffffffffffL);
+    r[39] =  (sp_digit)(t[6] >> 53);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_add_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[32] = a[32] + (b[32] & m);
+    r[33] = a[33] + (b[33] & m);
+    r[34] = a[34] + (b[34] & m);
+    r[35] = a[35] + (b[35] & m);
+    r[36] = a[36] + (b[36] & m);
+    r[37] = a[37] + (b[37] & m);
+    r[38] = a[38] + (b[38] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_39(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 39; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_4096_rshift_39(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<38; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (53 - n))) & 0x1fffffffffffffL;
+    }
+#else
+    for (i=0; i<32; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (53 - n))) & 0x1fffffffffffffL;
+    }
+    r[32] = ((a[32] >> n) | (a[33] << (53 - n))) & 0x1fffffffffffffL;
+    r[33] = ((a[33] >> n) | (a[34] << (53 - n))) & 0x1fffffffffffffL;
+    r[34] = ((a[34] >> n) | (a[35] << (53 - n))) & 0x1fffffffffffffL;
+    r[35] = ((a[35] >> n) | (a[36] << (53 - n))) & 0x1fffffffffffffL;
+    r[36] = ((a[36] >> n) | (a[37] << (53 - n))) & 0x1fffffffffffffL;
+    r[37] = ((a[37] >> n) | (a[38] << (53 - n))) & 0x1fffffffffffffL;
+#endif
+    r[38] = a[38] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_4096_div_word_39(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 53 bits from d1 and top 10 bits from d0. */
+    d = (d1 << 10) | (d0 >> 43);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 11 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 33) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 23) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 13) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 41 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 3) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 51 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_div_39(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[78 + 1], t2d[39 + 1], sdd[39 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 39 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 78 + 1;
+        sd = t2 + 39 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_4096_mul_d_39(sd, d, 1L << 19);
+        sp_4096_mul_d_78(t1, a, 1L << 19);
+        dv = sd[38];
+        for (i=39; i>=0; i--) {
+            t1[39 + i] += t1[39 + i - 1] >> 53;
+            t1[39 + i - 1] &= 0x1fffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[39 + i];
+            d1 <<= 53;
+            d1 += t1[39 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_4096_div_word_39(t1[39 + i], t1[39 + i - 1], dv);
+#endif
+
+            sp_4096_mul_d_39(t2, sd, r1);
+            (void)sp_4096_sub_39(&t1[i], &t1[i], t2);
+            t1[39 + i] -= t2[39];
+            t1[39 + i] += t1[39 + i - 1] >> 53;
+            t1[39 + i - 1] &= 0x1fffffffffffffL;
+            r1 = (((-t1[39 + i]) << 53) - t1[39 + i - 1]) / dv;
+            r1 -= t1[39 + i];
+            sp_4096_mul_d_39(t2, sd, r1);
+            (void)sp_4096_add_39(&t1[i], &t1[i], t2);
+            t1[39 + i] += t1[39 + i - 1] >> 53;
+            t1[39 + i - 1] &= 0x1fffffffffffffL;
+        }
+        t1[39 - 1] += t1[39 - 2] >> 53;
+        t1[39 - 2] &= 0x1fffffffffffffL;
+        r1 = t1[39 - 1] / dv;
+
+        sp_4096_mul_d_39(t2, sd, r1);
+        sp_4096_sub_39(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 39U);
+        for (i=0; i<37; i++) {
+            r[i+1] += r[i] >> 53;
+            r[i] &= 0x1fffffffffffffL;
+        }
+        sp_4096_cond_add_39(r, r, sd, 0 - ((r[38] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_4096_norm_39(r);
+        sp_4096_rshift_39(r, r, 19);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_mod_39(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_39(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_39(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 39 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 39U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[39 * 2];
+        t[2] = &td[2 * 39 * 2];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_39(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_39(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 39U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_39(t[1], t[1], norm);
+        err = sp_4096_mod_39(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 53;
+        c = bits % 53;
+        n = e[i--] << (53 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 53;
+            }
+
+            y = (n >> 52) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_39(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 39 * 2);
+            sp_4096_mont_sqr_39(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 39 * 2);
+        }
+
+        sp_4096_mont_reduce_39(t[0], m, mp);
+        n = sp_4096_cmp_39(t[0], m);
+        sp_4096_cond_sub_39(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 39 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][78];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 39 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[39 * 2];
+        t[2] = &td[2 * 39 * 2];
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_39(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_39(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_39(t[1], t[1], norm);
+                err = sp_4096_mod_39(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_39(t[1], a, norm);
+            err = sp_4096_mod_39(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 53;
+        c = bits % 53;
+        n = e[i--] << (53 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 53;
+            }
+
+            y = (n >> 52) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_39(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_4096_mont_sqr_39(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_4096_mont_reduce_39(t[0], m, mp);
+        n = sp_4096_cmp_39(t[0], m);
+        sp_4096_cond_sub_39(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][78];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[78];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 78, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 78;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_39(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_39(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_39(t[1], t[1], norm);
+                err = sp_4096_mod_39(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_39(t[1], a, norm);
+            err = sp_4096_mod_39(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_39(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_39(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_39(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_39(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_39(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_39(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_39(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_39(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_39(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_39(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_39(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_39(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_39(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_39(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_39(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_39(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_39(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_39(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_39(t[20], t[10], m, mp);
+        sp_4096_mont_mul_39(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_39(t[22], t[11], m, mp);
+        sp_4096_mont_mul_39(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_39(t[24], t[12], m, mp);
+        sp_4096_mont_mul_39(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_39(t[26], t[13], m, mp);
+        sp_4096_mont_mul_39(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_39(t[28], t[14], m, mp);
+        sp_4096_mont_mul_39(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_39(t[30], t[15], m, mp);
+        sp_4096_mont_mul_39(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 52) / 53) - 1;
+        c = bits % 53;
+        if (c == 0) {
+            c = 53;
+        }
+        if (i < 39) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (11 - c);
+            c += 53;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (11 - c);
+                c += 53;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_4096_mont_sqr_39(rt, rt, m, mp);
+            sp_4096_mont_sqr_39(rt, rt, m, mp);
+            sp_4096_mont_sqr_39(rt, rt, m, mp);
+            sp_4096_mont_sqr_39(rt, rt, m, mp);
+            sp_4096_mont_sqr_39(rt, rt, m, mp);
+
+            sp_4096_mont_mul_39(rt, rt, t[y], m, mp);
+        }
+
+        sp_4096_mont_reduce_39(rt, m, mp);
+        n = sp_4096_cmp_39(rt, m);
+        sp_4096_cond_sub_39(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA && !SP_RSA_PRIVATE_EXP_D */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_78(sp_digit* r, const sp_digit* m)
+{
+    /* Set r = 2^n - 1. */
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<77; i++) {
+        r[i] = 0x1fffffffffffffL;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = 0x1fffffffffffffL;
+        r[i + 1] = 0x1fffffffffffffL;
+        r[i + 2] = 0x1fffffffffffffL;
+        r[i + 3] = 0x1fffffffffffffL;
+        r[i + 4] = 0x1fffffffffffffL;
+        r[i + 5] = 0x1fffffffffffffL;
+        r[i + 6] = 0x1fffffffffffffL;
+        r[i + 7] = 0x1fffffffffffffL;
+    }
+    r[72] = 0x1fffffffffffffL;
+    r[73] = 0x1fffffffffffffL;
+    r[74] = 0x1fffffffffffffL;
+    r[75] = 0x1fffffffffffffL;
+    r[76] = 0x1fffffffffffffL;
+#endif
+    r[77] = 0x7fffL;
+
+    /* r = (2^n - 1) mod n */
+    (void)sp_4096_sub_78(r, r, m);
+
+    /* Add one so r = 2^n mod m */
+    r[0] += 1;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_4096_cmp_78(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=77; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    int i;
+
+    r |= (a[77] - b[77]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[76] - b[76]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[75] - b[75]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[74] - b[74]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[73] - b[73]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[72] - b[72]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    for (i = 64; i >= 0; i -= 8) {
+        r |= (a[i + 7] - b[i + 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 6] - b[i + 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 5] - b[i + 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 4] - b[i + 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 3] - b[i + 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 2] - b[i + 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 1] - b[i + 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+        r |= (a[i + 0] - b[i + 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_sub_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = a[i + 0] - (b[i + 0] & m);
+        r[i + 1] = a[i + 1] - (b[i + 1] & m);
+        r[i + 2] = a[i + 2] - (b[i + 2] & m);
+        r[i + 3] = a[i + 3] - (b[i + 3] & m);
+        r[i + 4] = a[i + 4] - (b[i + 4] & m);
+        r[i + 5] = a[i + 5] - (b[i + 5] & m);
+        r[i + 6] = a[i + 6] - (b[i + 6] & m);
+        r[i + 7] = a[i + 7] - (b[i + 7] & m);
+    }
+    r[72] = a[72] - (b[72] & m);
+    r[73] = a[73] - (b[73] & m);
+    r[74] = a[74] - (b[74] & m);
+    r[75] = a[75] - (b[75] & m);
+    r[76] = a[76] - (b[76] & m);
+    r[77] = a[77] - (b[77] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_add_78(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x1fffffffffffffL;
+        t >>= 53;
+    }
+    r[78] += t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffffffffffffL);
+    for (i = 0; i < 72; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
+        t[2] = tb * a[i+2];
+        r[i+2] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
+        t[3] = tb * a[i+3];
+        r[i+3] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
+        t[4] = tb * a[i+4];
+        r[i+4] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
+        t[5] = tb * a[i+5];
+        r[i+5] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
+        t[6] = tb * a[i+6];
+        r[i+6] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
+        t[7] = tb * a[i+7];
+        r[i+7] += (sp_digit)((t[6] >> 53) + (t[7] & 0x1fffffffffffffL));
+        t[0] = tb * a[i+8];
+        r[i+8] += (sp_digit)((t[7] >> 53) + (t[0] & 0x1fffffffffffffL));
+    }
+    t[1] = tb * a[73]; r[73] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
+    t[2] = tb * a[74]; r[74] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
+    t[3] = tb * a[75]; r[75] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
+    t[4] = tb * a[76]; r[76] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
+    t[5] = tb * a[77]; r[77] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
+    r[78] +=  (sp_digit)(t[5] >> 53);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 53.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_4096_norm_78(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 77; i++) {
+        a[i+1] += a[i] >> 53;
+        a[i] &= 0x1fffffffffffffL;
+    }
+#else
+    int i;
+    for (i = 0; i < 72; i += 8) {
+        a[i+1] += a[i+0] >> 53; a[i+0] &= 0x1fffffffffffffL;
+        a[i+2] += a[i+1] >> 53; a[i+1] &= 0x1fffffffffffffL;
+        a[i+3] += a[i+2] >> 53; a[i+2] &= 0x1fffffffffffffL;
+        a[i+4] += a[i+3] >> 53; a[i+3] &= 0x1fffffffffffffL;
+        a[i+5] += a[i+4] >> 53; a[i+4] &= 0x1fffffffffffffL;
+        a[i+6] += a[i+5] >> 53; a[i+5] &= 0x1fffffffffffffL;
+        a[i+7] += a[i+6] >> 53; a[i+6] &= 0x1fffffffffffffL;
+        a[i+8] += a[i+7] >> 53; a[i+7] &= 0x1fffffffffffffL;
+        a[i+9] += a[i+8] >> 53; a[i+8] &= 0x1fffffffffffffL;
+    }
+    a[72+1] += a[72] >> 53;
+    a[72] &= 0x1fffffffffffffL;
+    a[73+1] += a[73] >> 53;
+    a[73] &= 0x1fffffffffffffL;
+    a[74+1] += a[74] >> 53;
+    a[74] &= 0x1fffffffffffffL;
+    a[75+1] += a[75] >> 53;
+    a[75] &= 0x1fffffffffffffL;
+    a[76+1] += a[76] >> 53;
+    a[76] &= 0x1fffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 4096 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_4096_mont_shift_78(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    int128_t n = a[77] >> 15;
+    n += ((int128_t)a[78]) << 38;
+
+    for (i = 0; i < 77; i++) {
+        r[i] = n & 0x1fffffffffffffL;
+        n >>= 53;
+        n += ((int128_t)a[79 + i]) << 38;
+    }
+    r[77] = (sp_digit)n;
+#else
+    int i;
+    int128_t n = a[77] >> 15;
+    n += ((int128_t)a[78]) << 38;
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 79]) << 38;
+        r[i + 1] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 80]) << 38;
+        r[i + 2] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 81]) << 38;
+        r[i + 3] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 82]) << 38;
+        r[i + 4] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 83]) << 38;
+        r[i + 5] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 84]) << 38;
+        r[i + 6] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 85]) << 38;
+        r[i + 7] = n & 0x1fffffffffffffL;
+        n >>= 53; n += ((int128_t)a[i + 86]) << 38;
+    }
+    r[72] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[151]) << 38;
+    r[73] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[152]) << 38;
+    r[74] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[153]) << 38;
+    r[75] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[154]) << 38;
+    r[76] = n & 0x1fffffffffffffL; n >>= 53; n += ((int128_t)a[155]) << 38;
+    r[77] = (sp_digit)n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[78], 0, sizeof(*r) * 78U);
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_4096_mont_reduce_78(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_4096_norm_78(a + 78);
+
+#ifdef WOLFSSL_SP_DH
+    if (mp != 1) {
+        for (i=0; i<77; i++) {
+            mu = (a[i] * mp) & 0x1fffffffffffffL;
+            sp_4096_mul_add_78(a+i, m, mu);
+            a[i+1] += a[i] >> 53;
+        }
+        mu = (a[i] * mp) & 0x7fffL;
+        sp_4096_mul_add_78(a+i, m, mu);
+        a[i+1] += a[i] >> 53;
+        a[i] &= 0x1fffffffffffffL;
+    }
+    else {
+        for (i=0; i<77; i++) {
+            mu = a[i] & 0x1fffffffffffffL;
+            sp_4096_mul_add_78(a+i, m, mu);
+            a[i+1] += a[i] >> 53;
+        }
+        mu = a[i] & 0x7fffL;
+        sp_4096_mul_add_78(a+i, m, mu);
+        a[i+1] += a[i] >> 53;
+        a[i] &= 0x1fffffffffffffL;
+    }
+#else
+    for (i=0; i<77; i++) {
+        mu = (a[i] * mp) & 0x1fffffffffffffL;
+        sp_4096_mul_add_78(a+i, m, mu);
+        a[i+1] += a[i] >> 53;
+    }
+    mu = (a[i] * mp) & 0x7fffL;
+    sp_4096_mul_add_78(a+i, m, mu);
+    a[i+1] += a[i] >> 53;
+    a[i] &= 0x1fffffffffffffL;
+#endif
+
+    sp_4096_mont_shift_78(a, a);
+    sp_4096_cond_sub_78(a, a, m, 0 - (((a[77] >> 15) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_4096_norm_78(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_78(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_78(r, a, b);
+    sp_4096_mont_reduce_78(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_78(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_78(r, a);
+    sp_4096_mont_reduce_78(r, m, mp);
+}
+
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_4096_mul_d_156(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 156; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x1fffffffffffffL;
+        t >>= 53;
+    }
+    r[156] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[8];
+    int i;
+
+    t[0] = tb * a[0]; r[0] = t[0] & 0x1fffffffffffffL;
+    for (i = 0; i < 152; i += 8) {
+        t[1] = tb * a[i+1];
+        r[i+1] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+        t[2] = tb * a[i+2];
+        r[i+2] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+        t[3] = tb * a[i+3];
+        r[i+3] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+        t[4] = tb * a[i+4];
+        r[i+4] = (sp_digit)(t[3] >> 53) + (t[4] & 0x1fffffffffffffL);
+        t[5] = tb * a[i+5];
+        r[i+5] = (sp_digit)(t[4] >> 53) + (t[5] & 0x1fffffffffffffL);
+        t[6] = tb * a[i+6];
+        r[i+6] = (sp_digit)(t[5] >> 53) + (t[6] & 0x1fffffffffffffL);
+        t[7] = tb * a[i+7];
+        r[i+7] = (sp_digit)(t[6] >> 53) + (t[7] & 0x1fffffffffffffL);
+        t[0] = tb * a[i+8];
+        r[i+8] = (sp_digit)(t[7] >> 53) + (t[0] & 0x1fffffffffffffL);
+    }
+    t[1] = tb * a[153];
+    r[153] = (sp_digit)(t[0] >> 53) + (t[1] & 0x1fffffffffffffL);
+    t[2] = tb * a[154];
+    r[154] = (sp_digit)(t[1] >> 53) + (t[2] & 0x1fffffffffffffL);
+    t[3] = tb * a[155];
+    r[155] = (sp_digit)(t[2] >> 53) + (t[3] & 0x1fffffffffffffL);
+    r[156] =  (sp_digit)(t[3] >> 53);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_4096_cond_add_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    int i;
+
+    for (i = 0; i < 72; i += 8) {
+        r[i + 0] = a[i + 0] + (b[i + 0] & m);
+        r[i + 1] = a[i + 1] + (b[i + 1] & m);
+        r[i + 2] = a[i + 2] + (b[i + 2] & m);
+        r[i + 3] = a[i + 3] + (b[i + 3] & m);
+        r[i + 4] = a[i + 4] + (b[i + 4] & m);
+        r[i + 5] = a[i + 5] + (b[i + 5] & m);
+        r[i + 6] = a[i + 6] + (b[i + 6] & m);
+        r[i + 7] = a[i + 7] + (b[i + 7] & m);
+    }
+    r[72] = a[72] + (b[72] & m);
+    r[73] = a[73] + (b[73] & m);
+    r[74] = a[74] + (b[74] & m);
+    r[75] = a[75] + (b[75] & m);
+    r[76] = a[76] + (b[76] & m);
+    r[77] = a[77] + (b[77] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_sub_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#endif
+#ifdef WOLFSSL_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_4096_add_78(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 78; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#endif
+SP_NOINLINE static void sp_4096_rshift_78(sp_digit* r, sp_digit* a, byte n)
+{
+    int i;
+
+#ifdef WOLFSSL_SP_SMALL
+    for (i=0; i<77; i++) {
+        r[i] = ((a[i] >> n) | (a[i + 1] << (53 - n))) & 0x1fffffffffffffL;
+    }
+#else
+    for (i=0; i<72; i += 8) {
+        r[i+0] = ((a[i+0] >> n) | (a[i+1] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+1] = ((a[i+1] >> n) | (a[i+2] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+2] = ((a[i+2] >> n) | (a[i+3] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+3] = ((a[i+3] >> n) | (a[i+4] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+4] = ((a[i+4] >> n) | (a[i+5] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+5] = ((a[i+5] >> n) | (a[i+6] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+6] = ((a[i+6] >> n) | (a[i+7] << (53 - n))) & 0x1fffffffffffffL;
+        r[i+7] = ((a[i+7] >> n) | (a[i+8] << (53 - n))) & 0x1fffffffffffffL;
+    }
+    r[72] = ((a[72] >> n) | (a[73] << (53 - n))) & 0x1fffffffffffffL;
+    r[73] = ((a[73] >> n) | (a[74] << (53 - n))) & 0x1fffffffffffffL;
+    r[74] = ((a[74] >> n) | (a[75] << (53 - n))) & 0x1fffffffffffffL;
+    r[75] = ((a[75] >> n) | (a[76] << (53 - n))) & 0x1fffffffffffffL;
+    r[76] = ((a[76] >> n) | (a[77] << (53 - n))) & 0x1fffffffffffffL;
+#endif
+    r[77] = a[77] >> n;
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_4096_div_word_78(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 53 bits from d1 and top 10 bits from d0. */
+    d = (d1 << 10) | (d0 >> 43);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 11 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 33) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 21 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 23) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 31 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 13) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 41 bits in r */
+    /* Next 10 bits from d0. */
+    r <<= 10;
+    d <<= 10;
+    d |= (d0 >> 3) & ((1 << 10) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 51 bits in r */
+    /* Remaining 3 bits from d0. */
+    r <<= 3;
+    d <<= 3;
+    d |= d0 & ((1 << 3) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_div_78(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[156 + 1], t2d[78 + 1], sdd[78 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* sd;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 78 + 3), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    (void)m;
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 156 + 1;
+        sd = t2 + 78 + 1;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        sd = sdd;
+#endif
+
+        sp_4096_mul_d_78(sd, d, 1L << 38);
+        sp_4096_mul_d_156(t1, a, 1L << 38);
+        dv = sd[77];
+        for (i=78; i>=0; i--) {
+            t1[78 + i] += t1[78 + i - 1] >> 53;
+            t1[78 + i - 1] &= 0x1fffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[78 + i];
+            d1 <<= 53;
+            d1 += t1[78 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_4096_div_word_78(t1[78 + i], t1[78 + i - 1], dv);
+#endif
+
+            sp_4096_mul_d_78(t2, sd, r1);
+            (void)sp_4096_sub_78(&t1[i], &t1[i], t2);
+            t1[78 + i] -= t2[78];
+            t1[78 + i] += t1[78 + i - 1] >> 53;
+            t1[78 + i - 1] &= 0x1fffffffffffffL;
+            r1 = (((-t1[78 + i]) << 53) - t1[78 + i - 1]) / dv;
+            r1 -= t1[78 + i];
+            sp_4096_mul_d_78(t2, sd, r1);
+            (void)sp_4096_add_78(&t1[i], &t1[i], t2);
+            t1[78 + i] += t1[78 + i - 1] >> 53;
+            t1[78 + i - 1] &= 0x1fffffffffffffL;
+        }
+        t1[78 - 1] += t1[78 - 2] >> 53;
+        t1[78 - 2] &= 0x1fffffffffffffL;
+        r1 = t1[78 - 1] / dv;
+
+        sp_4096_mul_d_78(t2, sd, r1);
+        sp_4096_sub_78(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 78U);
+        for (i=0; i<76; i++) {
+            r[i+1] += r[i] >> 53;
+            r[i] &= 0x1fffffffffffffL;
+        }
+        sp_4096_cond_add_78(r, r, sd, 0 - ((r[77] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+
+        sp_4096_norm_78(r);
+        sp_4096_rshift_78(r, r, 38);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_4096_mod_78(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_78(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_78(sp_digit* r, const sp_digit* a, const sp_digit* e, int bits,
+    const sp_digit* m, int reduceA)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* td;
+    sp_digit* t[3];
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 78 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3U * 78U * 2U);
+
+        norm = t[0] = td;
+        t[1] = &td[78 * 2];
+        t[2] = &td[2 * 78 * 2];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_78(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_78(t[1], a, m);
+        }
+        else {
+            XMEMCPY(t[1], a, sizeof(sp_digit) * 78U);
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_78(t[1], t[1], norm);
+        err = sp_4096_mod_78(t[1], t[1], m);
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 53;
+        c = bits % 53;
+        n = e[i--] << (53 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 53;
+            }
+
+            y = (n >> 52) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_78(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(*t[2]) * 78 * 2);
+            sp_4096_mont_sqr_78(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(*t[2]) * 78 * 2);
+        }
+
+        sp_4096_mont_reduce_78(t[0], m, mp);
+        n = sp_4096_cmp_78(t[0], m);
+        sp_4096_cond_sub_78(t[0], t[0], m, ((n < 0) ?
+                    (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(*r) * 78 * 2);
+
+    }
+
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    return err;
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[3][156];
+#else
+    sp_digit* td;
+    sp_digit* t[3];
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(*td) * 3 * 78 * 2, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        t[0] = td;
+        t[1] = &td[78 * 2];
+        t[2] = &td[2 * 78 * 2];
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_78(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_78(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_78(t[1], t[1], norm);
+                err = sp_4096_mod_78(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_78(t[1], a, norm);
+            err = sp_4096_mod_78(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        i = bits / 53;
+        c = bits % 53;
+        n = e[i--] << (53 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1) {
+                    break;
+                }
+
+                n = e[i--];
+                c = 53;
+            }
+
+            y = (n >> 52) & 1;
+            n <<= 1;
+
+            sp_4096_mont_mul_78(t[y^1], t[0], t[1], m, mp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                 ((size_t)t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_4096_mont_sqr_78(t[2], t[2], m, mp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                           ((size_t)t[1] & addr_mask[y])), t[2], sizeof(t[2]));
+        }
+
+        sp_4096_mont_reduce_78(t[0], m, mp);
+        n = sp_4096_cmp_78(t[0], m);
+        sp_4096_cond_sub_78(t[0], t[0], m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, t[0], sizeof(t[0]));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][156];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit rt[156];
+    sp_digit mp = 1;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 156, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 156;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_78(norm, m);
+
+        if (reduceA != 0) {
+            err = sp_4096_mod_78(t[1], a, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_78(t[1], t[1], norm);
+                err = sp_4096_mod_78(t[1], t[1], m);
+            }
+        }
+        else {
+            sp_4096_mul_78(t[1], a, norm);
+            err = sp_4096_mod_78(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_78(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_78(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_78(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_78(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_78(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_78(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_78(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_78(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_78(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_78(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_78(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_78(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_78(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_78(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_78(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_78(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_78(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_78(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_78(t[20], t[10], m, mp);
+        sp_4096_mont_mul_78(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_78(t[22], t[11], m, mp);
+        sp_4096_mont_mul_78(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_78(t[24], t[12], m, mp);
+        sp_4096_mont_mul_78(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_78(t[26], t[13], m, mp);
+        sp_4096_mont_mul_78(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_78(t[28], t[14], m, mp);
+        sp_4096_mont_mul_78(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_78(t[30], t[15], m, mp);
+        sp_4096_mont_mul_78(t[31], t[16], t[15], m, mp);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 52) / 53) - 1;
+        c = bits % 53;
+        if (c == 0) {
+            c = 53;
+        }
+        if (i < 78) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (11 - c);
+            c += 53;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        XMEMCPY(rt, t[y], sizeof(rt));
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (11 - c);
+                c += 53;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_4096_mont_sqr_78(rt, rt, m, mp);
+            sp_4096_mont_sqr_78(rt, rt, m, mp);
+            sp_4096_mont_sqr_78(rt, rt, m, mp);
+            sp_4096_mont_sqr_78(rt, rt, m, mp);
+            sp_4096_mont_sqr_78(rt, rt, m, mp);
+
+            sp_4096_mont_mul_78(rt, rt, t[y], m, mp);
+        }
+
+        sp_4096_mont_reduce_78(rt, m, mp);
+        n = sp_4096_cmp_78(rt, m);
+        sp_4096_cond_sub_78(rt, rt, m, ((n < 0) ?
+                   (sp_digit)1 : (sp_digit)0) - 1);
+        XMEMCPY(r, rt, sizeof(rt));
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+#endif
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || */
+       /* WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit* norm;
+    sp_digit e[1] = {0};
+    sp_digit mp;
+    int i;
+    int err = MP_OKAY;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 53) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 78 * 2;
+        m = r + 78 * 2;
+        norm = r;
+
+        sp_4096_from_bin(a, 78, in, inLen);
+#if DIGIT_BIT >= 53
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 78, mm);
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_78(norm, m);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_mul_78(a, a, norm);
+        err = sp_4096_mod_78(a, a, m);
+    }
+    if (err == MP_OKAY) {
+        for (i=52; i>=0; i--) {
+            if ((e[0] >> i) != 0) {
+                break;
+            }
+        }
+
+        XMEMCPY(r, a, sizeof(sp_digit) * 78 * 2);
+        for (i--; i>=0; i--) {
+            sp_4096_mont_sqr_78(r, r, m, mp);
+
+            if (((e[0] >> i) & 1) == 1) {
+                sp_4096_mont_mul_78(r, r, a, m, mp);
+            }
+        }
+        sp_4096_mont_reduce_78(r, m, mp);
+        mp = sp_4096_cmp_78(r, m);
+        sp_4096_cond_sub_78(r, r, m, ((mp < 0) ?
+                    (sp_digit)1 : (sp_digit)0)- 1);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[156], md[78], rd[156];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit e[1] = {0};
+    int err = MP_OKAY;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(em) > 53) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 78 * 2;
+        m = r + 78 * 2;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 78, in, inLen);
+#if DIGIT_BIT >= 53
+        e[0] = (sp_digit)em->dp[0];
+#else
+        e[0] = (sp_digit)em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 78, mm);
+
+        if (e[0] == 0x3) {
+            sp_4096_sqr_78(r, a);
+            err = sp_4096_mod_78(r, r, m);
+            if (err == MP_OKAY) {
+                sp_4096_mul_78(r, a, r);
+                err = sp_4096_mod_78(r, r, m);
+            }
+        }
+        else {
+            sp_digit* norm = r;
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+            sp_4096_mont_norm_78(norm, m);
+
+            sp_4096_mul_78(a, a, norm);
+            err = sp_4096_mod_78(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=52; i>=0; i--) {
+                    if ((e[0] >> i) != 0) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 156U);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_78(r, r, m, mp);
+
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_78(r, r, a, m, mp);
+                    }
+                }
+                sp_4096_mont_reduce_78(r, m, mp);
+                mp = sp_4096_cmp_78(r, m);
+                sp_4096_cond_sub_78(r, r, m, ((mp < 0) ?
+                           (sp_digit)1 : (sp_digit)0) - 1);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
+#endif /* !SP_RSA_PRIVATE_EXP_D && !RSA_LOW_MEM */
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 78;
+        m = a + 156;
+        r = a;
+
+        sp_4096_from_bin(a, 78, in, inLen);
+        sp_4096_from_mp(d, 78, dm);
+        sp_4096_from_mp(m, 78, mm);
+        err = sp_4096_mod_exp_78(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 78);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[156], d[78], m[78];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 78, in, inLen);
+        sp_4096_from_mp(d, 78, dm);
+        sp_4096_from_mp(m, 78, mm);
+        err = sp_4096_mod_exp_78(r, a, d, 4096, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    XMEMSET(d, 0, sizeof(sp_digit) * 78);
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#else
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 39 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 78 * 2;
+        q = p + 39;
+        qi = dq = dp = q + 39;
+        tmpa = qi + 39;
+        tmpb = tmpa + 78;
+
+        r = t + 78;
+
+        sp_4096_from_bin(a, 78, in, inLen);
+        sp_4096_from_mp(p, 39, pm);
+        sp_4096_from_mp(q, 39, qm);
+        sp_4096_from_mp(dp, 39, dpm);
+        err = sp_4096_mod_exp_39(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 39, dqm);
+        err = sp_4096_mod_exp_39(tmpb, a, dq, 2048, q, 1);
+    }
+    if (err == MP_OKAY) {
+        (void)sp_4096_sub_39(tmpa, tmpa, tmpb);
+        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
+        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
+
+        sp_4096_from_mp(qi, 39, qim);
+        sp_4096_mul_39(tmpa, tmpa, qi);
+        err = sp_4096_mod_39(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mul_39(tmpa, q, tmpa);
+        (void)sp_4096_add_78(r, tmpb, tmpa);
+        sp_4096_norm_78(r);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 39 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+    sp_digit a[78 * 2];
+    sp_digit p[39], q[39], dp[39], dq[39], qi[39];
+    sp_digit tmpa[78], tmpb[78];
+    sp_digit* r = a;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 78, in, inLen);
+        sp_4096_from_mp(p, 39, pm);
+        sp_4096_from_mp(q, 39, qm);
+        sp_4096_from_mp(dp, 39, dpm);
+        sp_4096_from_mp(dq, 39, dqm);
+        sp_4096_from_mp(qi, 39, qim);
+
+        err = sp_4096_mod_exp_39(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_4096_mod_exp_39(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        (void)sp_4096_sub_39(tmpa, tmpa, tmpb);
+        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
+        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
+        sp_4096_mul_39(tmpa, tmpa, qi);
+        err = sp_4096_mod_39(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mul_39(tmpa, tmpa, q);
+        (void)sp_4096_add_78(r, tmpb, tmpa);
+        sp_4096_norm_78(r);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p, 0, sizeof(p));
+    XMEMSET(q, 0, sizeof(q));
+    XMEMSET(dp, 0, sizeof(dp));
+    XMEMSET(dq, 0, sizeof(dq));
+    XMEMSET(qi, 0, sizeof(qi));
+
+    return err;
+#endif /* WOLFSSL_SP_SMALL || defined(WOLFSSL_SMALL_STACK) */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+}
+
+#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 53
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 78);
+        r->used = 78;
+        mp_clamp(r);
+#elif DIGIT_BIT < 53
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 78; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 53) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 53 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 78; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 53 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 53 - s;
+            }
+            else {
+                s += 53;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 78 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 78 * 2;
+        m = e + 78;
+        r = b;
+
+        sp_4096_from_mp(b, 78, base);
+        sp_4096_from_mp(e, 78, exp);
+        sp_4096_from_mp(m, 78, mod);
+
+        err = sp_4096_mod_exp_78(r, b, e, mp_count_bits(exp), m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[156], ed[78], md[78];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+    
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 78 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 78 * 2;
+        m = e + 78;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 78, base);
+        sp_4096_from_mp(e, 78, exp);
+        sp_4096_from_mp(m, 78, mod);
+
+        err = sp_4096_mod_exp_78(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+#endif
+
+    return err;
+#endif
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+SP_NOINLINE static void sp_4096_lshift_78(sp_digit* r, sp_digit* a, byte n)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    r[78] = a[77] >> (53 - n);
+    for (i=77; i>0; i--) {
+        r[i] = ((a[i] << n) | (a[i-1] >> (53 - n))) & 0x1fffffffffffffL;
+    }
+#else
+    sp_int_digit s, t;
+
+    s = (sp_int_digit)a[77];
+    r[78] = s >> (53U - n);
+    s = (sp_int_digit)(a[77]); t = (sp_int_digit)(a[76]);
+    r[77] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[76]); t = (sp_int_digit)(a[75]);
+    r[76] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[75]); t = (sp_int_digit)(a[74]);
+    r[75] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[74]); t = (sp_int_digit)(a[73]);
+    r[74] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[73]); t = (sp_int_digit)(a[72]);
+    r[73] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[72]); t = (sp_int_digit)(a[71]);
+    r[72] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[71]); t = (sp_int_digit)(a[70]);
+    r[71] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[70]); t = (sp_int_digit)(a[69]);
+    r[70] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[69]); t = (sp_int_digit)(a[68]);
+    r[69] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[68]); t = (sp_int_digit)(a[67]);
+    r[68] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[67]); t = (sp_int_digit)(a[66]);
+    r[67] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[66]); t = (sp_int_digit)(a[65]);
+    r[66] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[65]); t = (sp_int_digit)(a[64]);
+    r[65] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[64]); t = (sp_int_digit)(a[63]);
+    r[64] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[63]); t = (sp_int_digit)(a[62]);
+    r[63] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[62]); t = (sp_int_digit)(a[61]);
+    r[62] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[61]); t = (sp_int_digit)(a[60]);
+    r[61] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[60]); t = (sp_int_digit)(a[59]);
+    r[60] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[59]); t = (sp_int_digit)(a[58]);
+    r[59] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[58]); t = (sp_int_digit)(a[57]);
+    r[58] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[57]); t = (sp_int_digit)(a[56]);
+    r[57] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[56]); t = (sp_int_digit)(a[55]);
+    r[56] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[55]); t = (sp_int_digit)(a[54]);
+    r[55] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[54]); t = (sp_int_digit)(a[53]);
+    r[54] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
+    r[53] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
+    r[52] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
+    r[51] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
+    r[50] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
+    r[49] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
+    r[48] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
+    r[47] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
+    r[46] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
+    r[45] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
+    r[44] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
+    r[43] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
+    r[42] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
+    r[41] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
+    r[40] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
+    r[39] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
+    r[38] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
+    r[37] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
+    r[36] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
+    r[35] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
+    r[34] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
+    r[33] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
+    r[32] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
+    r[31] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
+    r[30] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
+    r[29] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
+    r[28] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
+    r[27] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
+    r[26] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
+    r[25] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
+    r[24] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
+    r[23] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
+    r[22] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
+    r[21] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
+    r[20] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
+    r[19] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
+    r[18] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
+    r[17] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
+    r[16] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
+    r[15] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
+    r[14] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
+    r[13] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
+    r[12] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
+    r[11] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
+    r[10] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
+    r[9] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
+    r[8] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
+    r[7] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
+    r[6] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
+    r[5] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
+    r[4] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
+    r[3] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
+    r[2] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
+    r[1] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
+#endif
+    r[0] = (a[0] << n) & 0x1fffffffffffffL;
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_78(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[156];
+    sp_digit td[79];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 235, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 156;
+        XMEMSET(td, 0, sizeof(sp_digit) * 235);
+#else
+        norm = nd;
+        tmp  = td;
+        XMEMSET(td, 0, sizeof(td));
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_78(norm, m);
+
+        bits = ((bits + 4) / 5) * 5;
+        i = ((bits + 52) / 53) - 1;
+        c = bits % 53;
+        if (c == 0) {
+            c = 53;
+        }
+        if (i < 78) {
+            n = e[i--] << (64 - c);
+        }
+        else {
+            n = 0;
+            i--;
+        }
+        if (c < 5) {
+            n |= e[i--] << (11 - c);
+            c += 53;
+        }
+        y = (n >> 59) & 0x1f;
+        n <<= 5;
+        c -= 5;
+        sp_4096_lshift_78(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c < 5) {
+                n |= e[i--] << (11 - c);
+                c += 53;
+            }
+            y = (n >> 59) & 0x1f;
+            n <<= 5;
+            c -= 5;
+
+            sp_4096_mont_sqr_78(r, r, m, mp);
+            sp_4096_mont_sqr_78(r, r, m, mp);
+            sp_4096_mont_sqr_78(r, r, m, mp);
+            sp_4096_mont_sqr_78(r, r, m, mp);
+            sp_4096_mont_sqr_78(r, r, m, mp);
+
+            sp_4096_lshift_78(r, r, y);
+            sp_4096_mul_d_78(tmp, norm, (r[78] << 38) + (r[77] >> 15));
+            r[78] = 0;
+            r[77] &= 0x7fffL;
+            (void)sp_4096_add_78(r, r, tmp);
+            sp_4096_norm_78(r);
+            o = sp_4096_cmp_78(r, m);
+            sp_4096_cond_sub_78(r, r, m, ((o < 0) ?
+                                          (sp_digit)1 : (sp_digit)0) - 1);
+        }
+
+        sp_4096_mont_reduce_78(r, m, mp);
+        n = sp_4096_cmp_78(r, m);
+        sp_4096_cond_sub_78(r, r, m, ((n < 0) ?
+                                                (sp_digit)1 : (sp_digit)0) - 1);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int err = MP_OKAY;
+    sp_digit* d = NULL;
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 78 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 78 * 2;
+        m = e + 78;
+        r = b;
+
+        sp_4096_from_mp(b, 78, base);
+        sp_4096_from_bin(e, 78, exp, expLen);
+        sp_4096_from_mp(m, 78, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 &&
+                ((m[77] << 17) | (m[76] >> 36)) == 0xffffffffL) {
+            err = sp_4096_mod_exp_2_78(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+            err = sp_4096_mod_exp_78(r, b, e, expLen * 8, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+    return err;
+#else
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit bd[156], ed[78], md[78];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* b;
+    sp_digit* e;
+    sp_digit* m;
+    sp_digit* r;
+    word32 i;
+    int err = MP_OKAY;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512U) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(*d) * 78 * 4, NULL, DYNAMIC_TYPE_DH);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        b = d;
+        e = b + 78 * 2;
+        m = e + 78;
+        r = b;
+    }
+#else
+    r = b = bd;
+    e = ed;
+    m = md;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 78, base);
+        sp_4096_from_bin(e, 78, exp, expLen);
+        sp_4096_from_mp(m, 78, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2U &&
+                ((m[77] << 17) | (m[76] >> 36)) == 0xffffffffL) {
+            err = sp_4096_mod_exp_2_78(r, e, expLen * 8U, m);
+        }
+        else {
+    #endif
+            err = sp_4096_mod_exp_78(r, b, e, expLen * 8U, m, 0);
+    #ifdef HAVE_FFDHE_4096
+        }
+    #endif
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512U && out[i] == 0U; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (d != NULL) {
+        XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+        XFREE(d, NULL, DYNAMIC_TYPE_DH);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 78U);
+#endif
+
+    return err;
+#endif
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 5];
+    sp_digit y[2 * 5];
+    sp_digit z[2 * 5];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[5] = {
+    0xfffffffffffffL,0x00fffffffffffL,0x0000000000000L,0x0001000000000L,
+    0x0ffffffff0000L
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[5] = {
+    0x0000000000001L,0xff00000000000L,0xfffffffffffffL,0xfffefffffffffL,
+    0x000000000ffffL
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x0000000000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[5] = {
+    0x9cac2fc632551L,0xada7179e84f3bL,0xfffffffbce6faL,0x0000fffffffffL,
+    0x0ffffffff0000L
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[5] = {
+    0x9cac2fc63254fL,0xada7179e84f3bL,0xfffffffbce6faL,0x0000fffffffffL,
+    0x0ffffffff0000L
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[5] = {
+    0x6353d039cdaafL,0x5258e8617b0c4L,0x0000000431905L,0xffff000000000L,
+    0x000000000ffffL
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0x1c8aaee00bc4fL;
+#endif
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0x13945d898c296L,0x812deb33a0f4aL,0x3a440f277037dL,0x4247f8bce6e56L,
+        0x06b17d1f2e12cL,
+        0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x6406837bf51f5L,0x576b315ececbbL,0xc0f9e162bce33L,0x7f9b8ee7eb4a7L,
+        0x04fe342e2fe1aL,
+        0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000000000001L,0x0000000000000L,0x0000000000000L,0x0000000000000L,
+        0x0000000000000L,
+        0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[5] = {
+    0xe3c3e27d2604bL,0xb0cc53b0f63bcL,0x69886bc651d06L,0x93e7b3ebbd557L,
+    0x05ac635d8aa3aL
+};
+#endif
+
+static int sp_256_point_new_ex_5(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_5(heap, sp, p) sp_256_point_new_ex_5((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_5(heap, sp, p) sp_256_point_new_ex_5((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_5(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mod_mul_norm_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[8];
+    int64_t a32d[8];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 8;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = (sp_digit)(a[0]) & 0xffffffffL;
+        a32[1] = (sp_digit)(a[0] >> 32U);
+        a32[1] |= a[1] << 20U;
+        a32[1] &= 0xffffffffL;
+        a32[2] = (sp_digit)(a[1] >> 12U) & 0xffffffffL;
+        a32[3] = (sp_digit)(a[1] >> 44U);
+        a32[3] |= a[2] << 8U;
+        a32[3] &= 0xffffffffL;
+        a32[4] = (sp_digit)(a[2] >> 24U);
+        a32[4] |= a[3] << 28U;
+        a32[4] &= 0xffffffffL;
+        a32[5] = (sp_digit)(a[3] >> 4U) & 0xffffffffL;
+        a32[6] = (sp_digit)(a[3] >> 36U);
+        a32[6] |= a[4] << 16U;
+        a32[6] &= 0xffffffffL;
+        a32[7] = (sp_digit)(a[4] >> 16U) & 0xffffffffL;
+
+        /*  1  1  0 -1 -1 -1 -1  0 */
+            t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+        /*  0  1  1  0 -1 -1 -1 -1 */
+            t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+        /*  0  0  1  1  0 -1 -1 -1 */
+            t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+        /* -1 -1  0  2  2  1  0 -1 */
+            t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+        /*  0 -1 -1  0  2  2  1  0 */
+            t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+        /*  0  0 -1 -1  0  2  2  1 */
+            t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+        /* -1 -1  0  0  0  1  3  2 */
+            t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+        /*  1  0 -1 -1 -1 -1  0  3 */
+            t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+
+            t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+            t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+            t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+            t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+            t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+            t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+            t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+            o     = t[7] >> 32U; t[7] &= 0xffffffffL;
+            t[0] += o;
+            t[3] -= o;
+            t[6] -= o;
+            t[7] += o;
+            t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+            t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+            t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+            t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+            t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+            t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+            t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+
+        r[0] = t[0];
+        r[0] |= t[1] << 32U;
+        r[0] &= 0xfffffffffffffLL;
+        r[1] = (sp_digit)(t[1] >> 20);
+        r[1] |= t[2] << 12U;
+        r[1] |= t[3] << 44U;
+        r[1] &= 0xfffffffffffffLL;
+        r[2] = (sp_digit)(t[3] >> 8);
+        r[2] |= t[4] << 24U;
+        r[2] &= 0xfffffffffffffLL;
+        r[3] = (sp_digit)(t[4] >> 28);
+        r[3] |= t[5] << 4U;
+        r[3] |= t[6] << 36U;
+        r[3] &= 0xfffffffffffffLL;
+        r[4] = (sp_digit)(t[6] >> 16);
+        r[4] |= t[7] << 16U;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 52
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 52
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xfffffffffffffL;
+        s = 52U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 52U) <= (word32)DIGIT_BIT) {
+            s += 52U;
+            r[j] &= 0xfffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 52) {
+            r[j] &= 0xfffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 52 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_5(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 5, pm->x);
+    sp_256_from_mp(p->y, 5, pm->y);
+    sp_256_from_mp(p->z, 5, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 52
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 5);
+        r->used = 5;
+        mp_clamp(r);
+#elif DIGIT_BIT < 52
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 5; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 52) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 52 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 5; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 52 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 52 - s;
+            }
+            else {
+                s += 52;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_5(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_5(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[4]) * b[4];
+    r[9] = (sp_digit)(c >> 52);
+    c = (c & 0xfffffffffffffL) << 52;
+    for (k = 7; k >= 0; k--) {
+        for (i = 4; i >= 0; i--) {
+            j = k - i;
+            if (j >= 5) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 104;
+        r[k + 1] = (c >> 52) & 0xfffffffffffffL;
+        c = (c & 0xfffffffffffffL) << 52;
+    }
+    r[0] = (sp_digit)(c >> 52);
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_5(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int128_t t0   = ((int128_t)a[ 0]) * b[ 0];
+    int128_t t1   = ((int128_t)a[ 0]) * b[ 1]
+                 + ((int128_t)a[ 1]) * b[ 0];
+    int128_t t2   = ((int128_t)a[ 0]) * b[ 2]
+                 + ((int128_t)a[ 1]) * b[ 1]
+                 + ((int128_t)a[ 2]) * b[ 0];
+    int128_t t3   = ((int128_t)a[ 0]) * b[ 3]
+                 + ((int128_t)a[ 1]) * b[ 2]
+                 + ((int128_t)a[ 2]) * b[ 1]
+                 + ((int128_t)a[ 3]) * b[ 0];
+    int128_t t4   = ((int128_t)a[ 0]) * b[ 4]
+                 + ((int128_t)a[ 1]) * b[ 3]
+                 + ((int128_t)a[ 2]) * b[ 2]
+                 + ((int128_t)a[ 3]) * b[ 1]
+                 + ((int128_t)a[ 4]) * b[ 0];
+    int128_t t5   = ((int128_t)a[ 1]) * b[ 4]
+                 + ((int128_t)a[ 2]) * b[ 3]
+                 + ((int128_t)a[ 3]) * b[ 2]
+                 + ((int128_t)a[ 4]) * b[ 1];
+    int128_t t6   = ((int128_t)a[ 2]) * b[ 4]
+                 + ((int128_t)a[ 3]) * b[ 3]
+                 + ((int128_t)a[ 4]) * b[ 2];
+    int128_t t7   = ((int128_t)a[ 3]) * b[ 4]
+                 + ((int128_t)a[ 4]) * b[ 3];
+    int128_t t8   = ((int128_t)a[ 4]) * b[ 4];
+
+    t1   += t0  >> 52; r[ 0] = t0  & 0xfffffffffffffL;
+    t2   += t1  >> 52; r[ 1] = t1  & 0xfffffffffffffL;
+    t3   += t2  >> 52; r[ 2] = t2  & 0xfffffffffffffL;
+    t4   += t3  >> 52; r[ 3] = t3  & 0xfffffffffffffL;
+    t5   += t4  >> 52; r[ 4] = t4  & 0xfffffffffffffL;
+    t6   += t5  >> 52; r[ 5] = t5  & 0xfffffffffffffL;
+    t7   += t6  >> 52; r[ 6] = t6  & 0xfffffffffffffL;
+    t8   += t7  >> 52; r[ 7] = t7  & 0xfffffffffffffL;
+    r[9] = (sp_digit)(t8 >> 52);
+                       r[8] = t8 & 0xfffffffffffffL;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#define sp_256_mont_reduce_order_5         sp_256_mont_reduce_5
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_256_cmp_5(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=4; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    r |= (a[ 4] - b[ 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 3] - b[ 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 2] - b[ 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 1] - b[ 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 0] - b[ 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_sub_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] - (b[ 0] & m);
+    r[ 1] = a[ 1] - (b[ 1] & m);
+    r[ 2] = a[ 2] - (b[ 2] & m);
+    r[ 3] = a[ 3] - (b[ 3] & m);
+    r[ 4] = a[ 4] - (b[ 4] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_add_5(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0xfffffffffffffL;
+        t >>= 52;
+    }
+    r[5] += t;
+#else
+    int128_t tb = b;
+    int128_t t[5];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    r[ 0] += (sp_digit)                 (t[ 0] & 0xfffffffffffffL);
+    r[ 1] += (sp_digit)((t[ 0] >> 52) + (t[ 1] & 0xfffffffffffffL));
+    r[ 2] += (sp_digit)((t[ 1] >> 52) + (t[ 2] & 0xfffffffffffffL));
+    r[ 3] += (sp_digit)((t[ 2] >> 52) + (t[ 3] & 0xfffffffffffffL));
+    r[ 4] += (sp_digit)((t[ 3] >> 52) + (t[ 4] & 0xfffffffffffffL));
+    r[ 5] += (sp_digit) (t[ 4] >> 52);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 52.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_256_norm_5(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 4; i++) {
+        a[i+1] += a[i] >> 52;
+        a[i] &= 0xfffffffffffffL;
+    }
+#else
+    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
+    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
+    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
+    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 256 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_256_mont_shift_5(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    word64 n;
+
+    n = a[4] >> 48;
+    for (i = 0; i < 4; i++) {
+        n += (word64)a[5 + i] << 4;
+        r[i] = n & 0xfffffffffffffL;
+        n >>= 52;
+    }
+    n += (word64)a[9] << 4;
+    r[4] = n;
+#else
+    word64 n;
+
+    n  = a[4] >> 48;
+    n += (word64)a[ 5] << 4U; r[ 0] = n & 0xfffffffffffffUL; n >>= 52U;
+    n += (word64)a[ 6] << 4U; r[ 1] = n & 0xfffffffffffffUL; n >>= 52U;
+    n += (word64)a[ 7] << 4U; r[ 2] = n & 0xfffffffffffffUL; n >>= 52U;
+    n += (word64)a[ 8] << 4U; r[ 3] = n & 0xfffffffffffffUL; n >>= 52U;
+    n += (word64)a[ 9] << 4U; r[ 4] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[5], 0, sizeof(*r) * 5U);
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    if (mp != 1) {
+        for (i=0; i<4; i++) {
+            mu = (a[i] * mp) & 0xfffffffffffffL;
+            sp_256_mul_add_5(a+i, m, mu);
+            a[i+1] += a[i] >> 52;
+        }
+        mu = (a[i] * mp) & 0xffffffffffffL;
+        sp_256_mul_add_5(a+i, m, mu);
+        a[i+1] += a[i] >> 52;
+        a[i] &= 0xfffffffffffffL;
+    }
+    else {
+        for (i=0; i<4; i++) {
+            mu = a[i] & 0xfffffffffffffL;
+            sp_256_mul_add_5(a+i, p256_mod, mu);
+            a[i+1] += a[i] >> 52;
+        }
+        mu = a[i] & 0xffffffffffffL;
+        sp_256_mul_add_5(a+i, p256_mod, mu);
+        a[i+1] += a[i] >> 52;
+        a[i] &= 0xfffffffffffffL;
+    }
+
+    sp_256_mont_shift_5(a, a);
+    sp_256_cond_sub_5(a, a, m, 0 - (((a[4] >> 48) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_mul_5(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mul_5(r, a, b);
+    sp_256_mont_reduce_5(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_5(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[4]) * a[4];
+    r[9] = (sp_digit)(c >> 52);
+    c = (c & 0xfffffffffffffL) << 52;
+    for (k = 7; k >= 0; k--) {
+        for (i = 4; i >= 0; i--) {
+            j = k - i;
+            if (j >= 5 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 104;
+        r[k + 1] = (c >> 52) & 0xfffffffffffffL;
+        c = (c & 0xfffffffffffffL) << 52;
+    }
+    r[0] = (sp_digit)(c >> 52);
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_5(sp_digit* r, const sp_digit* a)
+{
+    int128_t t0   =  ((int128_t)a[ 0]) * a[ 0];
+    int128_t t1   = (((int128_t)a[ 0]) * a[ 1]) * 2;
+    int128_t t2   = (((int128_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int128_t)a[ 1]) * a[ 1];
+    int128_t t3   = (((int128_t)a[ 0]) * a[ 3]
+                 +  ((int128_t)a[ 1]) * a[ 2]) * 2;
+    int128_t t4   = (((int128_t)a[ 0]) * a[ 4]
+                 +  ((int128_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int128_t)a[ 2]) * a[ 2];
+    int128_t t5   = (((int128_t)a[ 1]) * a[ 4]
+                 +  ((int128_t)a[ 2]) * a[ 3]) * 2;
+    int128_t t6   = (((int128_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int128_t)a[ 3]) * a[ 3];
+    int128_t t7   = (((int128_t)a[ 3]) * a[ 4]) * 2;
+    int128_t t8   =  ((int128_t)a[ 4]) * a[ 4];
+
+    t1   += t0  >> 52; r[ 0] = t0  & 0xfffffffffffffL;
+    t2   += t1  >> 52; r[ 1] = t1  & 0xfffffffffffffL;
+    t3   += t2  >> 52; r[ 2] = t2  & 0xfffffffffffffL;
+    t4   += t3  >> 52; r[ 3] = t3  & 0xfffffffffffffL;
+    t5   += t4  >> 52; r[ 4] = t4  & 0xfffffffffffffL;
+    t6   += t5  >> 52; r[ 5] = t5  & 0xfffffffffffffL;
+    t7   += t6  >> 52; r[ 6] = t6  & 0xfffffffffffffL;
+    t8   += t7  >> 52; r[ 7] = t7  & 0xfffffffffffffL;
+    r[9] = (sp_digit)(t8 >> 52);
+                       r[8] = t8 & 0xfffffffffffffL;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_5(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_256_sqr_5(r, a);
+    sp_256_mont_reduce_5(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_5(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_5(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_5(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint64_t p256_mod_minus_2[4] = {
+    0xfffffffffffffffdU,0x00000000ffffffffU,0x0000000000000000U,
+    0xffffffff00000001U
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_5(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 5);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_5(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_256_mont_mul_5(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 5);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 5;
+    sp_digit* t3 = td + 4 * 5;
+    /* 0x2 */
+    sp_256_mont_sqr_5(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_5(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_5(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_5(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_5(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_5(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_5(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_5(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_5(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_5(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_5(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_5(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_5(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_5(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*5;
+    int64_t n;
+
+    sp_256_mont_inv_5(t1, p->z, t + 2*5);
+
+    sp_256_mont_sqr_5(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_5(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_5(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 5, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_5(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_5(r->x, p256_mod);
+    sp_256_cond_sub_5(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_5(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 5, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_5(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_5(r->y, p256_mod);
+    sp_256_cond_sub_5(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_add_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_add_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_add_5(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_add_5(r, a, b);
+    sp_256_norm_5(r);
+    sp_256_cond_sub_5(r, r, m, 0 - (((r[4] >> 48) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_5(r, a, a);
+    sp_256_norm_5(r);
+    sp_256_cond_sub_5(r, r, m, 0 - (((r[4] >> 48) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_tpl_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_5(r, a, a);
+    sp_256_norm_5(r);
+    sp_256_cond_sub_5(r, r, m, 0 - (((r[4] >> 48) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r);
+    (void)sp_256_add_5(r, r, a);
+    sp_256_norm_5(r);
+    sp_256_cond_sub_5(r, r, m, 0 - (((r[4] >> 48) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_5(r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_sub_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_sub_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] - b[ 0];
+    r[ 1] = a[ 1] - b[ 1];
+    r[ 2] = a[ 2] - b[ 2];
+    r[ 3] = a[ 3] - b[ 3];
+    r[ 4] = a[ 4] - b[ 4];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_add_5(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] + (b[ 0] & m);
+    r[ 1] = a[ 1] + (b[ 1] & m);
+    r[ 2] = a[ 2] + (b[ 2] & m);
+    r[ 3] = a[ 3] + (b[ 3] & m);
+    r[ 4] = a[ 4] + (b[ 4] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_5(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_sub_5(r, a, b);
+    sp_256_cond_add_5(r, r, m, r[4] >> 48);
+    sp_256_norm_5(r);
+}
+
+/* Shift number left one bit.
+ * Bottom bit is lost.
+ *
+ * r  Result of shift.
+ * a  Number to shift.
+ */
+SP_NOINLINE static void sp_256_rshift1_5(sp_digit* r, sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<4; i++) {
+        r[i] = ((a[i] >> 1) | (a[i + 1] << 51)) & 0xfffffffffffffL;
+    }
+#else
+    r[0] = ((a[0] >> 1) | (a[1] << 51)) & 0xfffffffffffffL;
+    r[1] = ((a[1] >> 1) | (a[2] << 51)) & 0xfffffffffffffL;
+    r[2] = ((a[2] >> 1) | (a[3] << 51)) & 0xfffffffffffffL;
+    r[3] = ((a[3] >> 1) | (a[4] << 51)) & 0xfffffffffffffL;
+#endif
+    r[4] = a[4] >> 1;
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_256_div2_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_256_cond_add_5(r, a, m, 0 - (a[0] & 1));
+    sp_256_norm_5(r);
+    sp_256_rshift1_5(r, r);
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_5(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*5;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_5(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_5(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_5(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_5(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_5(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_5(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_5(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_5(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_5(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_5(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_5(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_5(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_5(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_5(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_5(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_5(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_5(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_5(y, y, t2, p256_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_5(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_5(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*5;
+    sp_digit* t3 = t + 4*5;
+    sp_digit* t4 = t + 6*5;
+    sp_digit* t5 = t + 8*5;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_5(t1, p256_mod, q->y);
+    sp_256_norm_5(t1);
+    if ((sp_256_cmp_equal_5(p->x, q->x) & sp_256_cmp_equal_5(p->z, q->z) &
+        (sp_256_cmp_equal_5(p->y, q->y) | sp_256_cmp_equal_5(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_5(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<5; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<5; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<5; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_5(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_5(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_5(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_5(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_5(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_5(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_5(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_5(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_5(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_5(x, x, t5, p256_mod);
+        sp_256_mont_dbl_5(t1, y, p256_mod);
+        sp_256_mont_sub_5(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_5(y, y, x, p256_mod);
+        sp_256_mont_mul_5(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_5(y, y, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifdef WOLFSSL_SP_NO_MALLOC
+    sp_point_256 t[3];
+    sp_digit tmp[2 * 5 * 5];
+#else
+    sp_point_256* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+
+        /* t[0] = {0, 0, 1} * norm */
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_5(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_5(t[1].y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_5(t[1].z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 4;
+        c = 48;
+        n = k[i--] << (52 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 52;
+            }
+
+            y = (n >> 51) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_5(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                   ((size_t)&t[1] & addr_mask[y])),
+                    sizeof(sp_point_256));
+            sp_256_proj_point_dbl_5(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                            ((size_t)&t[1] & addr_mask[y])), &t[2],
+                    sizeof(sp_point_256));
+        }
+
+        if (map != 0) {
+            sp_256_map_5(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_256));
+        }
+    }
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 5 * 5);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 t[3];
+    sp_digit tmp[2 * 5 * 5];
+#else
+    sp_point_256* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point*)XMALLOC(sizeof(*t) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        t[1].infinity = 0;
+        err = sp_256_mod_mul_norm_5(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_5(t[1].y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_5(t[1].z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 4;
+        c = 48;
+        n = k[i--] << (52 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 52;
+            }
+
+            y = (n >> 51) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_5(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                 ((size_t)&t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_256_proj_point_dbl_5(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                          ((size_t)&t[1] & addr_mask[y])), &t[2], sizeof(t[2]));
+        }
+
+        if (map != 0) {
+            sp_256_map_5(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 5 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 3);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#else
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[5];
+    sp_digit y[5];
+} sp_table_entry_256;
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_5(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[16];
+    sp_point_256 rtd;
+    sp_digit tmpd[2 * 5 * 5];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_5(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_5(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_5(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_5(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_5(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_5(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_5(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_5(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_5(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_5(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_5(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_5(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 3;
+        n = k[i+1] << 12;
+        c = 44;
+        y = n >> 56;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_256));
+        n <<= 8;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--] << (12 - c);
+                c += 52;
+            }
+            y = (n >> 60) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_5(rt, rt, tmp);
+            sp_256_proj_point_dbl_5(rt, rt, tmp);
+            sp_256_proj_point_dbl_5(rt, rt, tmp);
+            sp_256_proj_point_dbl_5(rt, rt, tmp);
+
+            sp_256_proj_point_add_5(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_5(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 5 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_256_point_free_5(rt, 1, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_5(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*5;
+    sp_digit* b = t + 4*5;
+    sp_digit* t1 = t + 6*5;
+    sp_digit* t2 = t + 8*5;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_5(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_5(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_5(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_5(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_5(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_5(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_5(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_5(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_5(t2, b, p256_mod);
+        sp_256_mont_sub_5(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_5(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_5(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_5(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_5(y, b, x, p256_mod);
+        sp_256_mont_mul_5(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_5(y, y, p256_mod);
+        sp_256_mont_sub_5(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_5(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_5(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_5(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_5(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_5(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_5(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_5(t2, b, p256_mod);
+    sp_256_mont_sub_5(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_5(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_5(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_5(y, b, x, p256_mod);
+    sp_256_mont_mul_5(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_5(y, y, p256_mod);
+    sp_256_mont_sub_5(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_5(y, y, p256_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_5(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*5;
+    sp_digit* t3 = t + 4*5;
+    sp_digit* t4 = t + 6*5;
+    sp_digit* t5 = t + 8*5;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_5(t1, p256_mod, q->y);
+    sp_256_norm_5(t1);
+    if ((sp_256_cmp_equal_5(p->x, q->x) & sp_256_cmp_equal_5(p->z, q->z) &
+        (sp_256_cmp_equal_5(p->y, q->y) | sp_256_cmp_equal_5(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_5(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<5; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<5; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<5; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_5(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_5(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_5(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_5(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_5(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_5(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_5(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_5(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_5(t1, t3, p256_mod);
+        sp_256_mont_sub_5(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_5(t3, t3, x, p256_mod);
+        sp_256_mont_mul_5(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_5(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_5(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 5;
+    sp_digit* tmp = t + 4 * 5;
+
+    sp_256_mont_inv_5(t1, a->z, tmp);
+
+    sp_256_mont_sqr_5(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_5(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_5(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_5(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_5(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_5(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_5(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_5(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_5(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_5(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_5(t, 32, tmp);
+            sp_256_proj_to_affine_5(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_5(t, s1, s2, tmp);
+                sp_256_proj_to_affine_5(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_5(s2, 0, heap);
+    sp_256_point_free_5(s1, 0, heap);
+    sp_256_point_free_5( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_5(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 5 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_5(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 52] >> (x % 52)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 52] >> (x % 52)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_5(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_5(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_5(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(p, 0, heap);
+    sp_256_point_free_5(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[5];
+    sp_digit y[5];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_5(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_5(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_5(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 5 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_5(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_5(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_5(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[5];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_5(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 5, km);
+        sp_256_point_from_ecc_point_5(point, gm);
+
+            err = sp_256_ecc_mulmod_5(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_5(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_5(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_256_ecc_mulmod_5(r, &p256_base, k, map, heap);
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_5(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_256_ecc_mulmod_5(r, &p256_base, k, map, heap);
+}
+
+#else
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x730d418a9143cL,0xfc5fedb60179eL,0x762251075ba95L,0x55c679fb732b7L,
+        0x018905f76a537L },
+      { 0x25357ce95560aL,0xe4ba19e45cddfL,0xd21f3258b4ab8L,0x5d85d2e88688dL,
+        0x08571ff182588L } },
+    /* 2 */
+    { { 0x886024147519aL,0xac26b372f0202L,0x785ebc8d0981eL,0x58e9a9d4a7caaL,
+        0x0d953c50ddbdfL },
+      { 0x361ccfd590f8fL,0x6b44e6c9179d6L,0x2eb64cf72e962L,0x88f37fd961102L,
+        0x0863ebb7e9eb2L } },
+    /* 3 */
+    { { 0x6b6235cdb6485L,0xa22f0a2f97785L,0xf7e300b808f0eL,0x80a03e68d9544L,
+        0x000076055b5ffL },
+      { 0x4eb9b838d2010L,0xbb3243708a763L,0x42a660654014fL,0x3ee0e0e47d398L,
+        0x0830877613437L } },
+    /* 4 */
+    { { 0x22fc516a0d2bbL,0x6c1a6234994f9L,0x7c62c8b0d5cc1L,0x667f9241cf3a5L,
+        0x02f5e6961fd1bL },
+      { 0x5c70bf5a01797L,0x4d609561925c1L,0x71fdb523d20b4L,0x0f7b04911b370L,
+        0x0f648f9168d6fL } },
+    /* 5 */
+    { { 0x66847e137bbbcL,0x9e8a6a0bec9e5L,0x9d73463e43446L,0x0015b1c427617L,
+        0x05abe0285133dL },
+      { 0xa837cc04c7dabL,0x4c43260c0792aL,0x8e6cc37573d9fL,0x73830c9315627L,
+        0x094bb725b6b6fL } },
+    /* 6 */
+    { { 0x9b48f720f141cL,0xcd2df5bc74bbfL,0x11045c46199b3L,0xc4efdc3f61294L,
+        0x0cdd6bbcb2f7dL },
+      { 0x6700beaf436fdL,0x6db99326beccaL,0x14f25226f647fL,0xe5f60c0fa7920L,
+        0x0a361bebd4bdaL } },
+    /* 7 */
+    { { 0xa2558597c13c7L,0x5f50b7c3e128aL,0x3c09d1dc38d63L,0x292c07039aecfL,
+        0x0ba12ca09c4b5L },
+      { 0x08fa459f91dfdL,0x66ceea07fb9e4L,0xd780b293af43bL,0xef4b1eceb0899L,
+        0x053ebb99d701fL } },
+    /* 8 */
+    { { 0x7ee31b0e63d34L,0x72a9e54fab4feL,0x5e7b5a4f46005L,0x4831c0493334dL,
+        0x08589fb9206d5L },
+      { 0x0f5cc6583553aL,0x4ae25649e5aa7L,0x0044652087909L,0x1c4fcc9045071L,
+        0x0ebb0696d0254L } },
+    /* 9 */
+    { { 0x6ca15ac1647c5L,0x47c4cf5799461L,0x64dfbacb8127dL,0x7da3dc666aa37L,
+        0x0eb2820cbd1b2L },
+      { 0x6f8d86a87e008L,0x9d922378f3940L,0x0ccecb2d87dfaL,0xda1d56ed2e428L,
+        0x01f28289b55a7L } },
+    /* 10 */
+    { { 0xaa0c03b89da99L,0x9eb8284022abbL,0x81c05e8a6f2d7L,0x4d6327847862bL,
+        0x0337a4b5905e5L },
+      { 0x7500d21f7794aL,0xb77d6d7f613c6L,0x4cfd6e8207005L,0xfbd60a5a37810L,
+        0x00d65e0d5f4c2L } },
+    /* 11 */
+    { { 0x09bbeb5275d38L,0x450be0a358d9dL,0x73eb2654268a7L,0xa232f0762ff49L,
+        0x0c23da24252f4L },
+      { 0x1b84f0b94520cL,0x63b05bd78e5daL,0x4d29ea1096667L,0xcff13a4dcb869L,
+        0x019de3b8cc790L } },
+    /* 12 */
+    { { 0xa716c26c5fe04L,0x0b3bba1bdb183L,0x4cb712c3b28deL,0xcbfd7432c586aL,
+        0x0e34dcbd491fcL },
+      { 0x8d46baaa58403L,0x8682e97a53b40L,0x6aaa8af9a6974L,0x0f7f9e3901273L,
+        0x0e7641f447b4eL } },
+    /* 13 */
+    { { 0x53941df64ba59L,0xec0b0242fc7d7L,0x1581859d33f10L,0x57bf4f06dfc6aL,
+        0x04a12df57052aL },
+      { 0x6338f9439dbd0L,0xd4bde53e1fbfaL,0x1f1b314d3c24bL,0xea46fd5e4ffa2L,
+        0x06af5aa93bb5bL } },
+    /* 14 */
+    { { 0x0b69910c91999L,0x402a580491da1L,0x8cc20900a24b4L,0x40133e0094b4bL,
+        0x05fe3475a66a4L },
+      { 0x8cabdf93e7b4bL,0x1a7c23f91ab0fL,0xd1e6263292b50L,0xa91642e889aecL,
+        0x0b544e308ecfeL } },
+    /* 15 */
+    { { 0x8c6e916ddfdceL,0x66f89179e6647L,0xd4e67e12c3291L,0xc20b4e8d6e764L,
+        0x0e0b6b2bda6b0L },
+      { 0x12df2bb7efb57L,0xde790c40070d3L,0x79bc9441aac0dL,0x3774f90336ad6L,
+        0x071c023de25a6L } },
+    /* 16 */
+    { { 0x8c244bfe20925L,0xc38fdce86762aL,0xd38706391c19aL,0x24f65a96a5d5dL,
+        0x061d587d421d3L },
+      { 0x673a2a37173eaL,0x0853778b65e87L,0x5bab43e238480L,0xefbe10f8441e0L,
+        0x0fa11fe124621L } },
+    /* 17 */
+    { { 0x91f2b2cb19ffdL,0x5bb1923c231c8L,0xac5ca8e01ba8dL,0xbedcb6d03d678L,
+        0x0586eb04c1f13L },
+      { 0x5c6e527e8ed09L,0x3c1819ede20c3L,0x6c652fa1e81a3L,0x4f11278fd6c05L,
+        0x019d5ac087086L } },
+    /* 18 */
+    { { 0x9f581309a4e1fL,0x1be92700741e9L,0xfd28d20ab7de7L,0x563f26a5ef0beL,
+        0x0e7c0073f7f9cL },
+      { 0xd663a0ef59f76L,0x5420fcb0501f6L,0xa6602d4669b3bL,0x3c0ac08c1f7a7L,
+        0x0e08504fec65bL } },
+    /* 19 */
+    { { 0x8f68da031b3caL,0x9ee6da6d66f09L,0x4f246e86d1cabL,0x96b45bfd81fa9L,
+        0x078f018825b09L },
+      { 0xefde43a25787fL,0x0d1dccac9bb7eL,0x35bfc368016f8L,0x747a0cea4877bL,
+        0x043a773b87e94L } },
+    /* 20 */
+    { { 0x77734d2b533d5L,0xf6a1bdddc0625L,0x79ec293673b8aL,0x66b1577e7c9aaL,
+        0x0bb6de651c3b2L },
+      { 0x9303ab65259b3L,0xd3d03a7480e7eL,0xb3cfc27d6a0afL,0xb99bc5ac83d19L,
+        0x060b4619a5d18L } },
+    /* 21 */
+    { { 0xa38e11ae5aa1cL,0x2b49e73658bd6L,0xe5f87edb8b765L,0xffcd0b130014eL,
+        0x09d0f27b2aeebL },
+      { 0x246317a730a55L,0x2fddbbc83aca9L,0xc019a719c955bL,0xc48d07c1dfe0aL,
+        0x0244a566d356eL } },
+    /* 22 */
+    { { 0x0394aeacf1f96L,0xa9024c271c6dbL,0x2cbd3b99f2122L,0xef692626ac1b8L,
+        0x045e58c873581L },
+      { 0xf479da38f9dbcL,0x46e888a040d3fL,0x6e0bed7a8aaf1L,0xb7a4945adfb24L,
+        0x0c040e21cc1e4L } },
+    /* 23 */
+    { { 0xaf0006f8117b6L,0xff73a35433847L,0xd9475eb651969L,0x6ec7482b35761L,
+        0x01cdf5c97682cL },
+      { 0x775b411f04839L,0xf448de16987dbL,0x70b32197dbeacL,0xff3db2921dd1bL,
+        0x0046755f8a92dL } },
+    /* 24 */
+    { { 0xac5d2bce8ffcdL,0x8b2fe61a82cc8L,0x202d6c70d53c4L,0xa5f3f6f161727L,
+        0x0046e5e113b83L },
+      { 0x8ff64d8007f01L,0x125af43183e7bL,0x5e1a03c7fb1efL,0x005b045c5ea63L,
+        0x06e0106c3303dL } },
+    /* 25 */
+    { { 0x7358488dd73b1L,0x8f995ed0d948cL,0x56a2ab7767070L,0xcf1f38385ea8cL,
+        0x0442594ede901L },
+      { 0xaa2c912d4b65bL,0x3b96c90c37f8fL,0xe978d1f94c234L,0xe68ed326e4a15L,
+        0x0a796fa514c2eL } },
+    /* 26 */
+    { { 0xfb604823addd7L,0x83e56693b3359L,0xcbf3c809e2a61L,0x66e9f885b78e3L,
+        0x0e4ad2da9c697L },
+      { 0xf7f428e048a61L,0x8cc092d9a0357L,0x03ed8ef082d19L,0x5143fc3a1af4cL,
+        0x0c5e94046c37bL } },
+    /* 27 */
+    { { 0xa538c2be75f9eL,0xe8cb123a78476L,0x109c04b6fd1a9L,0x4747d85e4df0bL,
+        0x063283dafdb46L },
+      { 0x28cf7baf2df15L,0x550ad9a7f4ce7L,0x834bcc3e592c4L,0xa938fab226adeL,
+        0x068bd19ab1981L } },
+    /* 28 */
+    { { 0xead511887d659L,0xf4b359305ac08L,0xfe74fe33374d5L,0xdfd696986981cL,
+        0x0495292f53c6fL },
+      { 0x78c9e1acec896L,0x10ec5b44844a8L,0x64d60a7d964b2L,0x68376696f7e26L,
+        0x00ec7530d2603L } },
+    /* 29 */
+    { { 0x13a05ad2687bbL,0x6af32e21fa2daL,0xdd4607ba1f83bL,0x3f0b390f5ef51L,
+        0x00f6207a66486L },
+      { 0x7e3bb0f138233L,0x6c272aa718bd6L,0x6ec88aedd66b9L,0x6dcf8ed004072L,
+        0x0ff0db07208edL } },
+    /* 30 */
+    { { 0xfa1014c95d553L,0xfd5d680a8a749L,0xf3b566fa44052L,0x0ea3183b4317fL,
+        0x0313b513c8874L },
+      { 0x2e2ac08d11549L,0x0bb4dee21cb40L,0x7f2320e071ee1L,0x9f8126b987dd4L,
+        0x02d3abcf986f1L } },
+    /* 31 */
+    { { 0x88501815581a2L,0x56632211af4c2L,0xcab2e999a0a6dL,0x8cdf19ba7a0f0L,
+        0x0c036fa10ded9L },
+      { 0xe08bac1fbd009L,0x9006d1581629aL,0xb9e0d8f0b68b1L,0x0194c2eb32779L,
+        0x0a6b2a2c4b6d4L } },
+    /* 32 */
+    { { 0x3e50f6d3549cfL,0x6ffacd665ed43L,0xe11fcb46f3369L,0x9860695bfdaccL,
+        0x0810ee252af7cL },
+      { 0x50fe17159bb2cL,0xbe758b357b654L,0x69fea72f7dfbeL,0x17452b057e74dL,
+        0x0d485717a9273L } },
+    /* 33 */
+    { { 0x41a8af0cb5a98L,0x931f3110bf117L,0xb382adfd3da8fL,0x604e1994e2cbaL,
+        0x06a6045a72f9aL },
+      { 0xc0d3fa2b2411dL,0x3e510e96e0170L,0x865b3ccbe0eb8L,0x57903bcc9f738L,
+        0x0d3e45cfaf9e1L } },
+    /* 34 */
+    { { 0xf69bbe83f7669L,0x8272877d6bce1L,0x244278d09f8aeL,0xc19c9548ae543L,
+        0x0207755dee3c2L },
+      { 0xd61d96fef1945L,0xefb12d28c387bL,0x2df64aa18813cL,0xb00d9fbcd1d67L,
+        0x048dc5ee57154L } },
+    /* 35 */
+    { { 0x790bff7e5a199L,0xcf989ccbb7123L,0xa519c79e0efb8L,0xf445c27a2bfe0L,
+        0x0f2fb0aeddff6L },
+      { 0x09575f0b5025fL,0xd740fa9f2241cL,0x80bfbd0550543L,0xd5258fa3c8ad3L,
+        0x0a13e9015db28L } },
+    /* 36 */
+    { { 0x7a350a2b65cbcL,0x722a464226f9fL,0x23f07a10b04b9L,0x526f265ce241eL,
+        0x02bf0d6b01497L },
+      { 0x4dd3f4b216fb7L,0x67fbdda26ad3dL,0x708505cf7d7b8L,0xe89faeb7b83f6L,
+        0x042a94a5a162fL } },
+    /* 37 */
+    { { 0x6ad0beaadf191L,0x9025a268d7584L,0x94dc1f60f8a48L,0xde3de86030504L,
+        0x02c2dd969c65eL },
+      { 0x2171d93849c17L,0xba1da250dd6d0L,0xc3a5485460488L,0x6dbc4810c7063L,
+        0x0f437fa1f42c5L } },
+    /* 38 */
+    { { 0x0d7144a0f7dabL,0x931776e9ac6aaL,0x5f397860f0497L,0x7aa852c0a050fL,
+        0x0aaf45b335470L },
+      { 0x37c33c18d364aL,0x063e49716585eL,0x5ec5444d40b9bL,0x72bcf41716811L,
+        0x0cdf6310df4f2L } },
+    /* 39 */
+    { { 0x3c6238ea8b7efL,0x1885bc2287747L,0xbda8e3408e935L,0x2ff2419567722L,
+        0x0f0d008bada9eL },
+      { 0x2671d2414d3b1L,0x85b019ea76291L,0x53bcbdbb37549L,0x7b8b5c61b96d4L,
+        0x05bd5c2f5ca88L } },
+    /* 40 */
+    { { 0xf469ef49a3154L,0x956e2b2e9aef0L,0xa924a9c3e85a5L,0x471945aaec1eaL,
+        0x0aa12dfc8a09eL },
+      { 0x272274df69f1dL,0x2ca2ff5e7326fL,0x7a9dd44e0e4c8L,0xa901b9d8ce73bL,
+        0x06c036e73e48cL } },
+    /* 41 */
+    { { 0xae12a0f6e3138L,0x0025ad345a5cfL,0x5672bc56966efL,0xbe248993c64b4L,
+        0x0292ff65896afL },
+      { 0x50d445e213402L,0x274392c9fed52L,0xa1c72e8f6580eL,0x7276097b397fdL,
+        0x0644e0c90311bL } },
+    /* 42 */
+    { { 0x421e1a47153f0L,0x79920418c9e1eL,0x05d7672b86c3bL,0x9a7793bdce877L,
+        0x0f25ae793cab7L },
+      { 0x194a36d869d0cL,0x824986c2641f3L,0x96e945e9d55c8L,0x0a3e49fb5ea30L,
+        0x039b8e65313dbL } },
+    /* 43 */
+    { { 0x54200b6fd2e59L,0x669255c98f377L,0xe2a573935e2c0L,0xdb06d9dab21a0L,
+        0x039122f2f0f19L },
+      { 0xce1e003cad53cL,0x0fe65c17e3cfbL,0xaa13877225b2cL,0xff8d72baf1d29L,
+        0x08de80af8ce80L } },
+    /* 44 */
+    { { 0xea8d9207bbb76L,0x7c21782758afbL,0xc0436b1921c7eL,0x8c04dfa2b74b1L,
+        0x0871949062e36L },
+      { 0x928bba3993df5L,0xb5f3b3d26ab5fL,0x5b55050639d75L,0xfde1011aa78a8L,
+        0x0fc315e6a5b74L } },
+    /* 45 */
+    { { 0xfd41ae8d6ecfaL,0xf61aec7f86561L,0x924741d5f8c44L,0x908898452a7b4L,
+        0x0e6d4a7adee38L },
+      { 0x52ed14593c75dL,0xa4dd271162605L,0xba2c7db70a70dL,0xae57d2aede937L,
+        0x035dfaf9a9be2L } },
+    /* 46 */
+    { { 0x56fcdaa736636L,0x97ae2cab7e6b9L,0xf34996609f51dL,0x0d2bfb10bf410L,
+        0x01da5c7d71c83L },
+      { 0x1e4833cce6825L,0x8ff9573c3b5c4L,0x23036b815ad11L,0xb9d6a28552c7fL,
+        0x07077c0fddbf4L } },
+    /* 47 */
+    { { 0x3ff8d46b9661cL,0x6b0d2cfd71bf6L,0x847f8f7a1dfd3L,0xfe440373e140aL,
+        0x053a8632ee50eL },
+      { 0x6ff68696d8051L,0x95c74f468a097L,0xe4e26bddaec0cL,0xfcc162994dc35L,
+        0x0028ca76d34e1L } },
+    /* 48 */
+    { { 0xd47dcfc9877eeL,0x10801d0002d11L,0x4c260b6c8b362L,0xf046d002c1175L,
+        0x004c17cd86962L },
+      { 0xbd094b0daddf5L,0x7524ce55c06d9L,0x2da03b5bea235L,0x7474663356e67L,
+        0x0f7ba4de9fed9L } },
+    /* 49 */
+    { { 0xbfa34ebe1263fL,0x3571ae7ce6d0dL,0x2a6f523557637L,0x1c41d24405538L,
+        0x0e31f96005213L },
+      { 0xb9216ea6b6ec6L,0x2e73c2fc44d1bL,0x9d0a29437a1d1L,0xd47bc10e7eac8L,
+        0x0aa3a6259ce34L } },
+    /* 50 */
+    { { 0xf9df536f3dcd3L,0x50d2bf7360fbcL,0xf504f5b6cededL,0xdaee491710fadL,
+        0x02398dd627e79L },
+      { 0x705a36d09569eL,0xbb5149f769cf4L,0x5f6034cea0619L,0x6210ff9c03773L,
+        0x05717f5b21c04L } },
+    /* 51 */
+    { { 0x229c921dd895eL,0x0040c284519feL,0xd637ecd8e5185L,0x28defa13d2391L,
+        0x0660a2c560e3cL },
+      { 0xa88aed67fcbd0L,0x780ea9f0969ccL,0x2e92b4dc84724L,0x245332b2f4817L,
+        0x0624ee54c4f52L } },
+    /* 52 */
+    { { 0x49ce4d897ecccL,0xd93f9880aa095L,0x43a7c204d49d1L,0xfbc0723c24230L,
+        0x04f392afb92bdL },
+      { 0x9f8fa7de44fd9L,0xe457b32156696L,0x68ebc3cb66cfbL,0x399cdb2fa8033L,
+        0x08a3e7977ccdbL } },
+    /* 53 */
+    { { 0x1881f06c4b125L,0x00f6e3ca8cddeL,0xc7a13e9ae34e3L,0x4404ef6999de5L,
+        0x03888d02370c2L },
+      { 0x8035644f91081L,0x615f015504762L,0x32cd36e3d9fcfL,0x23361827edc86L,
+        0x0a5e62e471810L } },
+    /* 54 */
+    { { 0x25ee32facd6c8L,0x5454bcbc661a8L,0x8df9931699c63L,0x5adc0ce3edf79L,
+        0x02c4768e6466aL },
+      { 0x6ff8c90a64bc9L,0x20e4779f5cb34L,0xc05e884630a60L,0x52a0d949d064bL,
+        0x07b5e6441f9e6L } },
+    /* 55 */
+    { { 0x9422c1d28444aL,0xd8be136a39216L,0xb0c7fcee996c5L,0x744a2387afe5fL,
+        0x0b8af73cb0c8dL },
+      { 0xe83aa338b86fdL,0x58a58a5cff5fdL,0x0ac9433fee3f1L,0x0895c9ee8f6f2L,
+        0x0a036395f7f3fL } },
+    /* 56 */
+    { { 0x3c6bba10f7770L,0x81a12a0e248c7L,0x1bc2b9fa6f16dL,0xb533100df6825L,
+        0x04be36b01875fL },
+      { 0x6086e9fb56dbbL,0x8b07e7a4f8922L,0x6d52f20306fefL,0x00c0eeaccc056L,
+        0x08cbc9a871bdcL } },
+    /* 57 */
+    { { 0x1895cc0dac4abL,0x40712ff112e13L,0xa1cee57a874a4L,0x35f86332ae7c6L,
+        0x044e7553e0c08L },
+      { 0x03fff7734002dL,0x8b0b34425c6d5L,0xe8738b59d35cbL,0xfc1895f702760L,
+        0x0470a683a5eb8L } },
+    /* 58 */
+    { { 0x761dc90513482L,0x2a01e9276a81bL,0xce73083028720L,0xc6efcda441ee0L,
+        0x016410690c63dL },
+      { 0x34a066d06a2edL,0x45189b100bf50L,0xb8218c9dd4d77L,0xbb4fd914ae72aL,
+        0x0d73479fd7abcL } },
+    /* 59 */
+    { { 0xefb165ad4c6e5L,0x8f5b06d04d7edL,0x575cb14262cf0L,0x666b12ed5bb18L,
+        0x0816469e30771L },
+      { 0xb9d79561e291eL,0x22c1de1661d7aL,0x35e0513eb9dafL,0x3f9cf49827eb1L,
+        0x00a36dd23f0ddL } },
+    /* 60 */
+    { { 0xd32c741d5533cL,0x9e8684628f098L,0x349bd117c5f5aL,0xb11839a228adeL,
+        0x0e331dfd6fdbaL },
+      { 0x0ab686bcc6ed8L,0xbdef7a260e510L,0xce850d77160c3L,0x33899063d9a7bL,
+        0x0d3b4782a492eL } },
+    /* 61 */
+    { { 0x9b6e8f3821f90L,0xed66eb7aada14L,0xa01311692edd9L,0xa5bd0bb669531L,
+        0x07281275a4c86L },
+      { 0x858f7d3ff47e5L,0xbc61016441503L,0xdfd9bb15e1616L,0x505962b0f11a7L,
+        0x02c062e7ece14L } },
+    /* 62 */
+    { { 0xf996f0159ac2eL,0x36cbdb2713a76L,0x8e46047281e77L,0x7ef12ad6d2880L,
+        0x0282a35f92c4eL },
+      { 0x54b1ec0ce5cd2L,0xc91379c2299c3L,0xe82c11ecf99efL,0x2abd992caf383L,
+        0x0c71cd513554dL } },
+    /* 63 */
+    { { 0x5de9c09b578f4L,0x58e3affa7a488L,0x9182f1f1884e2L,0xf3a38f76b1b75L,
+        0x0c50f6740cf47L },
+      { 0x4adf3374b68eaL,0x2369965fe2a9cL,0x5a53050a406f3L,0x58dc2f86a2228L,
+        0x0b9ecb3a72129L } },
+    /* 64 */
+    { { 0x8410ef4f8b16aL,0xfec47b266a56fL,0xd9c87c197241aL,0xab1b0a406b8e6L,
+        0x0803f3e02cd42L },
+      { 0x309a804dbec69L,0xf73bbad05f7f0L,0xd8e197fa83b85L,0xadc1c6097273aL,
+        0x0c097440e5067L } },
+    /* 65 */
+    { { 0xa56f2c379ab34L,0x8b841df8d1846L,0x76c68efa8ee06L,0x1f30203144591L,
+        0x0f1af32d5915fL },
+      { 0x375315d75bd50L,0xbaf72f67bc99cL,0x8d7723f837cffL,0x1c8b0613a4184L,
+        0x023d0f130e2d4L } },
+    /* 66 */
+    { { 0xab6edf41500d9L,0xe5fcbeada8857L,0x97259510d890aL,0xfadd52fe86488L,
+        0x0b0288dd6c0a3L },
+      { 0x20f30650bcb08L,0x13695d6e16853L,0x989aa7671af63L,0xc8d231f520a7bL,
+        0x0ffd3724ff408L } },
+    /* 67 */
+    { { 0x68e64b458e6cbL,0x20317a5d28539L,0xaa75f56992dadL,0x26df3814ae0b7L,
+        0x0f5590f4ad78cL },
+      { 0x24bd3cf0ba55aL,0x4a0c778bae0fcL,0x83b674a0fc472L,0x4a201ce9864f6L,
+        0x018d6da54f6f7L } },
+    /* 68 */
+    { { 0x3e225d5be5a2bL,0x835934f3c6ed9L,0x2626ffc6fe799L,0x216a431409262L,
+        0x050bbb4d97990L },
+      { 0x191c6e57ec63eL,0x40181dcdb2378L,0x236e0f665422cL,0x49c341a8099b0L,
+        0x02b10011801feL } },
+    /* 69 */
+    { { 0x8b5c59b391593L,0xa2598270fcfc6L,0x19adcbbc385f5L,0xae0c7144f3aadL,
+        0x0dd55899983fbL },
+      { 0x88b8e74b82ff4L,0x4071e734c993bL,0x3c0322ad2e03cL,0x60419a7a9eaf4L,
+        0x0e6e4c551149dL } },
+    /* 70 */
+    { { 0x655bb1e9af288L,0x64f7ada93155fL,0xb2820e5647e1aL,0x56ff43697e4bcL,
+        0x051e00db107edL },
+      { 0x169b8771c327eL,0x0b4a96c2ad43dL,0xdeb477929cdb2L,0x9177c07d51f53L,
+        0x0e22f42414982L } },
+    /* 71 */
+    { { 0x5e8f4635f1abbL,0xb568538874cd4L,0x5a8034d7edc0cL,0x48c9c9472c1fbL,
+        0x0f709373d52dcL },
+      { 0x966bba8af30d6L,0x4af137b69c401L,0x361c47e95bf5fL,0x5b113966162a9L,
+        0x0bd52d288e727L } },
+    /* 72 */
+    { { 0x55c7a9c5fa877L,0x727d3a3d48ab1L,0x3d189d817dad6L,0x77a643f43f9e7L,
+        0x0a0d0f8e4c8aaL },
+      { 0xeafd8cc94f92dL,0xbe0c4ddb3a0bbL,0x82eba14d818c8L,0x6a0022cc65f8bL,
+        0x0a56c78c7946dL } },
+    /* 73 */
+    { { 0x2391b0dd09529L,0xa63daddfcf296L,0xb5bf481803e0eL,0x367a2c77351f5L,
+        0x0d8befdf8731aL },
+      { 0x19d42fc0157f4L,0xd7fec8e650ab9L,0x2d48b0af51caeL,0x6478cdf9cb400L,
+        0x0854a68a5ce9fL } },
+    /* 74 */
+    { { 0x5f67b63506ea5L,0x89a4fe0d66dc3L,0xe95cd4d9286c4L,0x6a953f101d3bfL,
+        0x05cacea0b9884L },
+      { 0xdf60c9ceac44dL,0xf4354d1c3aa90L,0xd5dbabe3db29aL,0xefa908dd3de8aL,
+        0x0e4982d1235e4L } },
+    /* 75 */
+    { { 0x04a22c34cd55eL,0xb32680d132231L,0xfa1d94358695bL,0x0499fb345afa1L,
+        0x08046b7f616b2L },
+      { 0x3581e38e7d098L,0x8df46f0b70b53L,0x4cb78c4d7f61eL,0xaf5530dea9ea4L,
+        0x0eb17ca7b9082L } },
+    /* 76 */
+    { { 0x1b59876a145b9L,0x0fc1bc71ec175L,0x92715bba5cf6bL,0xe131d3e035653L,
+        0x0097b00bafab5L },
+      { 0x6c8e9565f69e1L,0x5ab5be5199aa6L,0xa4fd98477e8f7L,0xcc9e6033ba11dL,
+        0x0f95c747bafdbL } },
+    /* 77 */
+    { { 0xf01d3bebae45eL,0xf0c4bc6955558L,0xbc64fc6a8ebe9L,0xd837aeb705b1dL,
+        0x03512601e566eL },
+      { 0x6f1e1fa1161cdL,0xd54c65ef87933L,0x24f21e5328ab8L,0xab6b4757eee27L,
+        0x00ef971236068L } },
+    /* 78 */
+    { { 0x98cf754ca4226L,0x38f8642c8e025L,0x68e17905eede1L,0xbc9548963f744L,
+        0x0fc16d9333b4fL },
+      { 0x6fb31e7c800caL,0x312678adaabe9L,0xff3e8b5138063L,0x7a173d6244976L,
+        0x014ca4af1b95dL } },
+    /* 79 */
+    { { 0x771babd2f81d5L,0x6901f7d1967a4L,0xad9c9071a5f9dL,0x231dd898bef7cL,
+        0x04057b063f59cL },
+      { 0xd82fe89c05c0aL,0x6f1dc0df85bffL,0x35a16dbe4911cL,0x0b133befccaeaL,
+        0x01c3b5d64f133L } },
+    /* 80 */
+    { { 0x14bfe80ec21feL,0x6ac255be825feL,0xf4a5d67f6ce11L,0x63af98bc5a072L,
+        0x0fad27148db7eL },
+      { 0x0b6ac29ab05b3L,0x3c4e251ae690cL,0x2aade7d37a9a8L,0x1a840a7dc875cL,
+        0x077387de39f0eL } },
+    /* 81 */
+    { { 0xecc49a56c0dd7L,0xd846086c741e9L,0x505aecea5cffcL,0xc47e8f7a1408fL,
+        0x0b37b85c0bef0L },
+      { 0x6b6e4cc0e6a8fL,0xbf6b388f23359L,0x39cef4efd6d4bL,0x28d5aba453facL,
+        0x09c135ac8f9f6L } },
+    /* 82 */
+    { { 0xa320284e35743L,0xb185a3cdef32aL,0xdf19819320d6aL,0x851fb821b1761L,
+        0x05721361fc433L },
+      { 0xdb36a71fc9168L,0x735e5c403c1f0L,0x7bcd8f55f98baL,0x11bdf64ca87e3L,
+        0x0dcbac3c9e6bbL } },
+    /* 83 */
+    { { 0xd99684518cbe2L,0x189c9eb04ef01L,0x47feebfd242fcL,0x6862727663c7eL,
+        0x0b8c1c89e2d62L },
+      { 0x58bddc8e1d569L,0xc8b7d88cd051aL,0x11f31eb563809L,0x22d426c27fd9fL,
+        0x05d23bbda2f94L } },
+    /* 84 */
+    { { 0xc729495c8f8beL,0x803bf362bf0a1L,0xf63d4ac2961c4L,0xe9009e418403dL,
+        0x0c109f9cb91ecL },
+      { 0x095d058945705L,0x96ddeb85c0c2dL,0xa40449bb9083dL,0x1ee184692b8d7L,
+        0x09bc3344f2eeeL } },
+    /* 85 */
+    { { 0xae35642913074L,0x2748a542b10d5L,0x310732a55491bL,0x4cc1469ca665bL,
+        0x029591d525f1aL },
+      { 0xf5b6bb84f983fL,0x419f5f84e1e76L,0x0baa189be7eefL,0x332c1200d4968L,
+        0x06376551f18efL } },
+    /* 86 */
+    { { 0x5f14e562976ccL,0xe60ef12c38bdaL,0xcca985222bca3L,0x987abbfa30646L,
+        0x0bdb79dc808e2L },
+      { 0xcb5c9cb06a772L,0xaafe536dcefd2L,0xc2b5db838f475L,0xc14ac2a3e0227L,
+        0x08ee86001add3L } },
+    /* 87 */
+    { { 0x96981a4ade873L,0x4dc4fba48ccbeL,0xa054ba57ee9aaL,0xaa4b2cee28995L,
+        0x092e51d7a6f77L },
+      { 0xbafa87190a34dL,0x5bf6bd1ed1948L,0xcaf1144d698f7L,0xaaaad00ee6e30L,
+        0x05182f86f0a56L } },
+    /* 88 */
+    { { 0x6212c7a4cc99cL,0x683e6d9ca1fbaL,0xac98c5aff609bL,0xa6f25dbb27cb5L,
+        0x091dcab5d4073L },
+      { 0x6cc3d5f575a70L,0x396f8d87fa01bL,0x99817360cb361L,0x4f2b165d4e8c8L,
+        0x017a0cedb9797L } },
+    /* 89 */
+    { { 0x61e2a076c8d3aL,0x39210f924b388L,0x3a835d9701aadL,0xdf4194d0eae41L,
+        0x02e8ce36c7f4cL },
+      { 0x73dab037a862bL,0xb760e4c8fa912L,0x3baf2dd01ba9bL,0x68f3f96453883L,
+        0x0f4ccc6cb34f6L } },
+    /* 90 */
+    { { 0xf525cf1f79687L,0x9592efa81544eL,0x5c78d297c5954L,0xf3c9e1231741aL,
+        0x0ac0db4889a0dL },
+      { 0xfc711df01747fL,0x58ef17df1386bL,0xccb6bb5592b93L,0x74a2e5880e4f5L,
+        0x095a64a6194c9L } },
+    /* 91 */
+    { { 0x1efdac15a4c93L,0x738258514172cL,0x6cb0bad40269bL,0x06776a8dfb1c1L,
+        0x0231e54ba2921L },
+      { 0xdf9178ae6d2dcL,0x3f39112918a70L,0xe5b72234d6aa6L,0x31e1f627726b5L,
+        0x0ab0be032d8a7L } },
+    /* 92 */
+    { { 0xad0e98d131f2dL,0xe33b04f101097L,0x5e9a748637f09L,0xa6791ac86196dL,
+        0x0f1bcc8802cf6L },
+      { 0x69140e8daacb4L,0x5560f6500925cL,0x77937a63c4e40L,0xb271591cc8fc4L,
+        0x0851694695aebL } },
+    /* 93 */
+    { { 0x5c143f1dcf593L,0x29b018be3bde3L,0xbdd9d3d78202bL,0x55d8e9cdadc29L,
+        0x08f67d9d2daadL },
+      { 0x116567481ea5fL,0xe9e34c590c841L,0x5053fa8e7d2ddL,0x8b5dffdd43f40L,
+        0x0f84572b9c072L } },
+    /* 94 */
+    { { 0xa7a7197af71c9L,0x447a7365655e1L,0xe1d5063a14494L,0x2c19a1b4ae070L,
+        0x0edee2710616bL },
+      { 0x034f511734121L,0x554a25e9f0b2fL,0x40c2ecf1cac6eL,0xd7f48dc148f3aL,
+        0x09fd27e9b44ebL } },
+    /* 95 */
+    { { 0x7658af6e2cb16L,0x2cfe5919b63ccL,0x68d5583e3eb7dL,0xf3875a8c58161L,
+        0x0a40c2fb6958fL },
+      { 0xec560fedcc158L,0xc655f230568c9L,0xa307e127ad804L,0xdecfd93967049L,
+        0x099bc9bb87dc6L } },
+    /* 96 */
+    { { 0x9521d927dafc6L,0x695c09cd1984aL,0x9366dde52c1fbL,0x7e649d9581a0fL,
+        0x09abe210ba16dL },
+      { 0xaf84a48915220L,0x6a4dd816c6480L,0x681ca5afa7317L,0x44b0c7d539871L,
+        0x07881c25787f3L } },
+    /* 97 */
+    { { 0x99b51e0bcf3ffL,0xc5127f74f6933L,0xd01d9680d02cbL,0x89408fb465a2dL,
+        0x015e6e319a30eL },
+      { 0xd6e0d3e0e05f4L,0xdc43588404646L,0x4f850d3fad7bdL,0x72cebe61c7d1cL,
+        0x00e55facf1911L } },
+    /* 98 */
+    { { 0xd9806f8787564L,0x2131e85ce67e9L,0x819e8d61a3317L,0x65776b0158cabL,
+        0x0d73d09766fe9L },
+      { 0x834251eb7206eL,0x0fc618bb42424L,0xe30a520a51929L,0xa50b5dcbb8595L,
+        0x09250a3748f15L } },
+    /* 99 */
+    { { 0xf08f8be577410L,0x035077a8c6cafL,0xc0a63a4fd408aL,0x8c0bf1f63289eL,
+        0x077414082c1ccL },
+      { 0x40fa6eb0991cdL,0x6649fdc29605aL,0x324fd40c1ca08L,0x20b93a68a3c7bL,
+        0x08cb04f4d12ebL } },
+    /* 100 */
+    { { 0x2d0556906171cL,0xcdb0240c3fb1cL,0x89068419073e9L,0x3b51db8e6b4fdL,
+        0x0e4e429ef4712L },
+      { 0xdd53c38ec36f4L,0x01ff4b6a270b8L,0x79a9a48f9d2dcL,0x65525d066e078L,
+        0x037bca2ff3c6eL } },
+    /* 101 */
+    { { 0x2e3c7df562470L,0xa2c0964ac94cdL,0x0c793be44f272L,0xb22a7c6d5df98L,
+        0x059913edc3002L },
+      { 0x39a835750592aL,0x80e783de027a1L,0xa05d64f99e01dL,0xe226cf8c0375eL,
+        0x043786e4ab013L } },
+    /* 102 */
+    { { 0x2b0ed9e56b5a6L,0xa6d9fc68f9ff3L,0x97846a70750d9L,0x9e7aec15e8455L,
+        0x08638ca98b7e7L },
+      { 0xae0960afc24b2L,0xaf4dace8f22f5L,0xecba78f05398eL,0xa6f03b765dd0aL,
+        0x01ecdd36a7b3aL } },
+    /* 103 */
+    { { 0xacd626c5ff2f3L,0xc02873a9785d3L,0x2110d54a2d516L,0xf32dad94c9fadL,
+        0x0d85d0f85d459L },
+      { 0x00b8d10b11da3L,0x30a78318c49f7L,0x208decdd2c22cL,0x3c62556988f49L,
+        0x0a04f19c3b4edL } },
+    /* 104 */
+    { { 0x924c8ed7f93bdL,0x5d392f51f6087L,0x21b71afcb64acL,0x50b07cae330a8L,
+        0x092b2eeea5c09L },
+      { 0xc4c9485b6e235L,0xa92936c0f085aL,0x0508891ab2ca4L,0x276c80faa6b3eL,
+        0x01ee782215834L } },
+    /* 105 */
+    { { 0xa2e00e63e79f7L,0xb2f399d906a60L,0x607c09df590e7L,0xe1509021054a6L,
+        0x0f3f2ced857a6L },
+      { 0x510f3f10d9b55L,0xacd8642648200L,0x8bd0e7c9d2fcfL,0xe210e5631aa7eL,
+        0x00f56a4543da3L } },
+    /* 106 */
+    { { 0x1bffa1043e0dfL,0xcc9c007e6d5b2L,0x4a8517a6c74b6L,0xe2631a656ec0dL,
+        0x0bd8f17411969L },
+      { 0xbbb86beb7494aL,0x6f45f3b8388a9L,0x4e5a79a1567d4L,0xfa09df7a12a7aL,
+        0x02d1a1c3530ccL } },
+    /* 107 */
+    { { 0xe3813506508daL,0xc4a1d795a7192L,0xa9944b3336180L,0xba46cddb59497L,
+        0x0a107a65eb91fL },
+      { 0x1d1c50f94d639L,0x758a58b7d7e6dL,0xd37ca1c8b4af3L,0x9af21a7c5584bL,
+        0x0183d760af87aL } },
+    /* 108 */
+    { { 0x697110dde59a4L,0x070e8bef8729dL,0xf2ebe78f1ad8dL,0xd754229b49634L,
+        0x01d44179dc269L },
+      { 0xdc0cf8390d30eL,0x530de8110cb32L,0xbc0339a0a3b27L,0xd26231af1dc52L,
+        0x0771f9cc29606L } },
+    /* 109 */
+    { { 0x93e7785040739L,0xb98026a939999L,0x5f8fc2644539dL,0x718ecf40f6f2fL,
+        0x064427a310362L },
+      { 0xf2d8785428aa8L,0x3febfb49a84f4L,0x23d01ac7b7adcL,0x0d6d201b2c6dfL,
+        0x049d9b7496ae9L } },
+    /* 110 */
+    { { 0x8d8bc435d1099L,0x4e8e8d1a08cc7L,0xcb68a412adbcdL,0x544502c2e2a02L,
+        0x09037d81b3f60L },
+      { 0xbac27074c7b61L,0xab57bfd72e7cdL,0x96d5352fe2031L,0x639c61ccec965L,
+        0x008c3de6a7cc0L } },
+    /* 111 */
+    { { 0xdd020f6d552abL,0x9805cd81f120fL,0x135129156baffL,0x6b2f06fb7c3e9L,
+        0x0c69094424579L },
+      { 0x3ae9c41231bd1L,0x875cc5820517bL,0x9d6a1221eac6eL,0x3ac0208837abfL,
+        0x03fa3db02cafeL } },
+    /* 112 */
+    { { 0xa3e6505058880L,0xef643943f2d75L,0xab249257da365L,0x08ff4147861cfL,
+        0x0c5c4bdb0fdb8L },
+      { 0x13e34b272b56bL,0x9511b9043a735L,0x8844969c8327eL,0xb6b5fd8ce37dfL,
+        0x02d56db9446c2L } },
+    /* 113 */
+    { { 0x1782fff46ac6bL,0x2607a2e425246L,0x9a48de1d19f79L,0xba42fafea3c40L,
+        0x00f56bd9de503L },
+      { 0xd4ed1345cda49L,0xfc816f299d137L,0xeb43402821158L,0xb5f1e7c6a54aaL,
+        0x04003bb9d1173L } },
+    /* 114 */
+    { { 0xe8189a0803387L,0xf539cbd4043b8L,0x2877f21ece115L,0x2f9e4297208ddL,
+        0x053765522a07fL },
+      { 0x80a21a8a4182dL,0x7a3219df79a49L,0xa19a2d4a2bbd0L,0x4549674d0a2e1L,
+        0x07a056f586c5dL } },
+    /* 115 */
+    { { 0xb25589d8a2a47L,0x48c3df2773646L,0xbf0d5395b5829L,0x267551ec000eaL,
+        0x077d482f17a1aL },
+      { 0x1bd9587853948L,0xbd6cfbffeeb8aL,0x0681e47a6f817L,0xb0e4ab6ec0578L,
+        0x04115012b2b38L } },
+    /* 116 */
+    { { 0x3f0f46de28cedL,0x609b13ec473c7L,0xe5c63921d5da7L,0x094661b8ce9e6L,
+        0x0cdf04572fbeaL },
+      { 0x3c58b6c53c3b0L,0x10447b843c1cbL,0xcb9780e97fe3cL,0x3109fb2b8ae12L,
+        0x0ee703dda9738L } },
+    /* 117 */
+    { { 0x15140ff57e43aL,0xd3b1b811b8345L,0xf42b986d44660L,0xce212b3b5dff8L,
+        0x02a0ad89da162L },
+      { 0x4a6946bc277baL,0x54c141c27664eL,0xabf6274c788c9L,0x4659141aa64ccL,
+        0x0d62d0b67ac2bL } },
+    /* 118 */
+    { { 0x5d87b2c054ac4L,0x59f27df78839cL,0x18128d6570058L,0x2426edf7cbf3bL,
+        0x0b39a23f2991cL },
+      { 0x84a15f0b16ae5L,0xb1a136f51b952L,0x27007830c6a05L,0x4cc51d63c137fL,
+        0x004ed0092c067L } },
+    /* 119 */
+    { { 0x185d19ae90393L,0x294a3d64e61f4L,0x854fc143047b4L,0xc387ae0001a69L,
+        0x0a0a91fc10177L },
+      { 0xa3f01ae2c831eL,0x822b727e16ff0L,0xa3075b4bb76aeL,0x0c418f12c8a15L,
+        0x0084cf9889ed2L } },
+    /* 120 */
+    { { 0x509defca6becfL,0x807dffb328d98L,0x778e8b92fceaeL,0xf77e5d8a15c44L,
+        0x0d57955b273abL },
+      { 0xda79e31b5d4f1L,0x4b3cfa7a1c210L,0xc27c20baa52f0L,0x41f1d4d12089dL,
+        0x08e14ea4202d1L } },
+    /* 121 */
+    { { 0x50345f2897042L,0x1f43402c4aeedL,0x8bdfb218d0533L,0xd158c8d9c194cL,
+        0x0597e1a372aa4L },
+      { 0x7ec1acf0bd68cL,0xdcab024945032L,0x9fe3e846d4be0L,0x4dea5b9c8d7acL,
+        0x0ca3f0236199bL } },
+    /* 122 */
+    { { 0xa10b56170bd20L,0xf16d3f5de7592L,0x4b2ade20ea897L,0x07e4a3363ff14L,
+        0x0bde7fd7e309cL },
+      { 0xbb6d2b8f5432cL,0xcbe043444b516L,0x8f95b5a210dc1L,0xd1983db01e6ffL,
+        0x0b623ad0e0a7dL } },
+    /* 123 */
+    { { 0xbd67560c7b65bL,0x9023a4a289a75L,0x7b26795ab8c55L,0x137bf8220fd0dL,
+        0x0d6aa2e4658ecL },
+      { 0xbc00b5138bb85L,0x21d833a95c10aL,0x702a32e8c31d1L,0x513ab24ff00b1L,
+        0x0111662e02dccL } },
+    /* 124 */
+    { { 0x14015efb42b87L,0x701b6c4dff781L,0x7d7c129bd9f5dL,0x50f866ecccd7aL,
+        0x0db3ee1cb94b7L },
+      { 0xf3db0f34837cfL,0x8bb9578d4fb26L,0xc56657de7eed1L,0x6a595d2cdf937L,
+        0x0886a64425220L } },
+    /* 125 */
+    { { 0x34cfb65b569eaL,0x41f72119c13c2L,0x15a619e200111L,0x17bc8badc85daL,
+        0x0a70cf4eb018aL },
+      { 0xf97ae8c4a6a65L,0x270134378f224L,0xf7e096036e5cfL,0x7b77be3a609e4L,
+        0x0aa4772abd174L } },
+    /* 126 */
+    { { 0x761317aa60cc0L,0x610368115f676L,0xbc1bb5ac79163L,0xf974ded98bb4bL,
+        0x0611a6ddc30faL },
+      { 0x78cbcc15ee47aL,0x824e0d96a530eL,0xdd9ed882e8962L,0x9c8836f35adf3L,
+        0x05cfffaf81642L } },
+    /* 127 */
+    { { 0x54cff9b7a99cdL,0x9d843c45a1c0dL,0x2c739e17bf3b9L,0x994c038a908f6L,
+        0x06e5a6b237dc1L },
+      { 0xb454e0ba5db77L,0x7facf60d63ef8L,0x6608378b7b880L,0xabcce591c0c67L,
+        0x0481a238d242dL } },
+    /* 128 */
+    { { 0x17bc035d0b34aL,0x6b8327c0a7e34L,0xc0362d1440b38L,0xf9438fb7262daL,
+        0x02c41114ce0cdL },
+      { 0x5cef1ad95a0b1L,0xa867d543622baL,0x1e486c9c09b37L,0x929726d6cdd20L,
+        0x020477abf42ffL } },
+    /* 129 */
+    { { 0x5173c18d65dbfL,0x0e339edad82f7L,0xcf1001c77bf94L,0x96b67022d26bdL,
+        0x0ac66409ac773L },
+      { 0xbb36fc6261cc3L,0xc9190e7e908b0L,0x45e6c10213f7bL,0x2f856541cebaaL,
+        0x0ce8e6975cc12L } },
+    /* 130 */
+    { { 0x21b41bc0a67d2L,0x0a444d248a0f1L,0x59b473762d476L,0xb4a80e044f1d6L,
+        0x008fde365250bL },
+      { 0xec3da848bf287L,0x82d3369d6eaceL,0x2449482c2a621L,0x6cd73582dfdc9L,
+        0x02f7e2fd2565dL } },
+    /* 131 */
+    { { 0xb92dbc3770fa7L,0x5c379043f9ae4L,0x7761171095e8dL,0x02ae54f34e9d1L,
+        0x0c65be92e9077L },
+      { 0x8a303f6fd0a40L,0xe3bcce784b275L,0xf9767bfe7d822L,0x3b3a7ae4f5854L,
+        0x04bff8e47d119L } },
+    /* 132 */
+    { { 0x1d21f00ff1480L,0x7d0754db16cd4L,0xbe0f3ea2ab8fbL,0x967dac81d2efbL,
+        0x03e4e4ae65772L },
+      { 0x8f36d3c5303e6L,0x4b922623977e1L,0x324c3c03bd999L,0x60289ed70e261L,
+        0x05388aefd58ecL } },
+    /* 133 */
+    { { 0x317eb5e5d7713L,0xee75de49daad1L,0x74fb26109b985L,0xbe0e32f5bc4fcL,
+        0x05cf908d14f75L },
+      { 0x435108e657b12L,0xa5b96ed9e6760L,0x970ccc2bfd421L,0x0ce20e29f51f8L,
+        0x0a698ba4060f0L } },
+    /* 134 */
+    { { 0xb1686ef748fecL,0xa27e9d2cf973dL,0xe265effe6e755L,0xad8d630b6544cL,
+        0x0b142ef8a7aebL },
+      { 0x1af9f17d5770aL,0x672cb3412fad3L,0xf3359de66af3bL,0x50756bd60d1bdL,
+        0x0d1896a965851L } },
+    /* 135 */
+    { { 0x957ab33c41c08L,0xac5468e2e1ec5L,0xc472f6c87de94L,0xda3918816b73aL,
+        0x0267b0e0b7981L },
+      { 0x54e5d8e62b988L,0x55116d21e76e5L,0xd2a6f99d8ddc7L,0x93934610faf03L,
+        0x0b54e287aa111L } },
+    /* 136 */
+    { { 0x122b5178a876bL,0xff085104b40a0L,0x4f29f7651ff96L,0xd4e6050b31ab1L,
+        0x084abb28b5f87L },
+      { 0xd439f8270790aL,0x9d85e3f46bd5eL,0xc1e22122d6cb5L,0x564075f55c1b6L,
+        0x0e5436f671765L } },
+    /* 137 */
+    { { 0x9025e2286e8d5L,0xb4864453be53fL,0x408e3a0353c95L,0xe99ed832f5bdeL,
+        0x00404f68b5b9cL },
+      { 0x33bdea781e8e5L,0x18163c2f5bcadL,0x119caa33cdf50L,0xc701575769600L,
+        0x03a4263df0ac1L } },
+    /* 138 */
+    { { 0x65ecc9aeb596dL,0xe7023c92b4c29L,0xe01396101ea03L,0xa3674704b4b62L,
+        0x00ca8fd3f905eL },
+      { 0x23a42551b2b61L,0x9c390fcd06925L,0x392a63e1eb7a8L,0x0c33e7f1d2be0L,
+        0x096dca2644ddbL } },
+    /* 139 */
+    { { 0xbb43a387510afL,0xa8a9a36a01203L,0xf950378846feaL,0x59dcd23a57702L,
+        0x04363e2123aadL },
+      { 0x3a1c740246a47L,0xd2e55dd24dca4L,0xd8faf96b362b8L,0x98c4f9b086045L,
+        0x0840e115cd8bbL } },
+    /* 140 */
+    { { 0x205e21023e8a7L,0xcdd8dc7a0bf12L,0x63a5ddfc808a8L,0xd6d4e292a2721L,
+        0x05e0d6abd30deL },
+      { 0x721c27cfc0f64L,0x1d0e55ed8807aL,0xd1f9db242eec0L,0xa25a26a7bef91L,
+        0x07dea48f42945L } },
+    /* 141 */
+    { { 0xf6f1ce5060a81L,0x72f8f95615abdL,0x6ac268be79f9cL,0x16d1cfd36c540L,
+        0x0abc2a2beebfdL },
+      { 0x66f91d3e2eac7L,0x63d2dd04668acL,0x282d31b6f10baL,0xefc16790e3770L,
+        0x04ea353946c7eL } },
+    /* 142 */
+    { { 0xa2f8d5266309dL,0xc081945a3eed8L,0x78c5dc10a51c6L,0xffc3cecaf45a5L,
+        0x03a76e6891c94L },
+      { 0xce8a47d7b0d0fL,0x968f584a5f9aaL,0xe697fbe963aceL,0x646451a30c724L,
+        0x08212a10a465eL } },
+    /* 143 */
+    { { 0xc61c3cfab8caaL,0x840e142390ef7L,0xe9733ca18eb8eL,0xb164cd1dff677L,
+        0x0aa7cab71599cL },
+      { 0xc9273bc837bd1L,0xd0c36af5d702fL,0x423da49c06407L,0x17c317621292fL,
+        0x040e38073fe06L } },
+    /* 144 */
+    { { 0x80824a7bf9b7cL,0x203fbe30d0f4fL,0x7cf9ce3365d23L,0x5526bfbe53209L,
+        0x0e3604700b305L },
+      { 0xb99116cc6c2c7L,0x08ba4cbee64dcL,0x37ad9ec726837L,0xe15fdcded4346L,
+        0x06542d677a3deL } },
+    /* 145 */
+    { { 0x2b6d07b6c377aL,0x47903448be3f3L,0x0da8af76cb038L,0x6f21d6fdd3a82L,
+        0x0a6534aee09bbL },
+      { 0x1780d1035facfL,0x339dcb47e630aL,0x447f39335e55aL,0xef226ea50fe1cL,
+        0x0f3cb672fdc9aL } },
+    /* 146 */
+    { { 0x719fe3b55fd83L,0x6c875ddd10eb3L,0x5cea784e0d7a4L,0x70e733ac9fa90L,
+        0x07cafaa2eaae8L },
+      { 0x14d041d53b338L,0xa0ef87e6c69b8L,0x1672b0fe0acc0L,0x522efb93d1081L,
+        0x00aab13c1b9bdL } },
+    /* 147 */
+    { { 0xce278d2681297L,0xb1b509546addcL,0x661aaf2cb350eL,0x12e92dc431737L,
+        0x04b91a6028470L },
+      { 0xf109572f8ddcfL,0x1e9a911af4dcfL,0x372430e08ebf6L,0x1cab48f4360acL,
+        0x049534c537232L } },
+    /* 148 */
+    { { 0xf7d71f07b7e9dL,0xa313cd516f83dL,0xc047ee3a478efL,0xc5ee78ef264b6L,
+        0x0caf46c4fd65aL },
+      { 0xd0c7792aa8266L,0x66913684bba04L,0xe4b16b0edf454L,0x770f56e65168aL,
+        0x014ce9e5704c6L } },
+    /* 149 */
+    { { 0x45e3e965e8f91L,0xbacb0f2492994L,0x0c8a0a0d3aca1L,0x9a71d31cc70f9L,
+        0x01bb708a53e4cL },
+      { 0xa9e69558bdd7aL,0x08018a26b1d5cL,0xc9cf1ec734a05L,0x0102b093aa714L,
+        0x0f9d126f2da30L } },
+    /* 150 */
+    { { 0xbca7aaff9563eL,0xfeb49914a0749L,0xf5f1671dd077aL,0xcc69e27a0311bL,
+        0x0807afcb9729eL },
+      { 0xa9337c9b08b77L,0x85443c7e387f8L,0x76fd8ba86c3a7L,0xcd8c85fafa594L,
+        0x0751adcd16568L } },
+    /* 151 */
+    { { 0xa38b410715c0dL,0x718f7697f78aeL,0x3fbf06dd113eaL,0x743f665eab149L,
+        0x029ec44682537L },
+      { 0x4719cb50bebbcL,0xbfe45054223d9L,0xd2dedb1399ee5L,0x077d90cd5b3a8L,
+        0x0ff9370e392a4L } },
+    /* 152 */
+    { { 0x2d69bc6b75b65L,0xd5266651c559aL,0xde9d7d24188f8L,0xd01a28a9f33e3L,
+        0x09776478ba2a9L },
+      { 0x2622d929af2c7L,0x6d4e690923885L,0x89a51e9334f5dL,0x82face6cc7e5aL,
+        0x074a6313fac2fL } },
+    /* 153 */
+    { { 0x4dfddb75f079cL,0x9518e36fbbb2fL,0x7cd36dd85b07cL,0x863d1b6cfcf0eL,
+        0x0ab75be150ff4L },
+      { 0x367c0173fc9b7L,0x20d2594fd081bL,0x4091236b90a74L,0x59f615fdbf03cL,
+        0x04ebeac2e0b44L } },
+    /* 154 */
+    { { 0xc5fe75c9f2c53L,0x118eae9411eb6L,0x95ac5d8d25220L,0xaffcc8887633fL,
+        0x0df99887b2c1bL },
+      { 0x8eed2850aaecbL,0x1b01d6a272bb7L,0x1cdbcac9d4918L,0x4058978dd511bL,
+        0x027b040a7779fL } },
+    /* 155 */
+    { { 0x05db7f73b2eb2L,0x088e1b2118904L,0x962327ee0df85L,0xa3f5501b71525L,
+        0x0b393dd37e4cfL },
+      { 0x30e7b3fd75165L,0xc2bcd33554a12L,0xf7b5022d66344L,0x34196c36f1be0L,
+        0x009588c12d046L } },
+    /* 156 */
+    { { 0x6093f02601c3bL,0xf8cf5c335fe08L,0x94aff28fb0252L,0x648b955cf2808L,
+        0x081c879a9db9fL },
+      { 0xe687cc6f56c51L,0x693f17618c040L,0x059353bfed471L,0x1bc444f88a419L,
+        0x0fa0d48f55fc1L } },
+    /* 157 */
+    { { 0xe1c9de1608e4dL,0x113582822cbc6L,0x57ec2d7010ddaL,0x67d6f6b7ddc11L,
+        0x08ea0e156b6a3L },
+      { 0x4e02f2383b3b4L,0x943f01f53ca35L,0xde03ca569966bL,0xb5ac4ff6632b2L,
+        0x03f5ab924fa00L } },
+    /* 158 */
+    { { 0xbb0d959739efbL,0xf4e7ebec0d337L,0x11a67d1c751b0L,0x256e2da52dd64L,
+        0x08bc768872b74L },
+      { 0xe3b7282d3d253L,0xa1f58d779fa5bL,0x16767bba9f679L,0xf34fa1cac168eL,
+        0x0b386f19060fcL } },
+    /* 159 */
+    { { 0x3c1352fedcfc2L,0x6262f8af0d31fL,0x57288c25396bfL,0x9c4d9a02b4eaeL,
+        0x04cb460f71b06L },
+      { 0x7b4d35b8095eaL,0x596fc07603ae6L,0x614a16592bbf8L,0x5223e1475f66bL,
+        0x052c0d50895efL } },
+    /* 160 */
+    { { 0xc210e15339848L,0xe870778c8d231L,0x956e170e87a28L,0x9c0b9d1de6616L,
+        0x04ac3c9382bb0L },
+      { 0xe05516998987dL,0xc4ae09f4d619bL,0xa3f933d8b2376L,0x05f41de0b7651L,
+        0x0380d94c7e397L } },
+    /* 161 */
+    { { 0x355aa81542e75L,0xa1ee01b9b701aL,0x24d708796c724L,0x37af6b3a29776L,
+        0x02ce3e171de26L },
+      { 0xfeb49f5d5bc1aL,0x7e2777e2b5cfeL,0x513756ca65560L,0x4e4d4feaac2f9L,
+        0x02e6cd8520b62L } },
+    /* 162 */
+    { { 0x5954b8c31c31dL,0x005bf21a0c368L,0x5c79ec968533dL,0x9d540bd7626e7L,
+        0x0ca17754742c6L },
+      { 0xedafff6d2dbb2L,0xbd174a9d18cc6L,0xa4578e8fd0d8cL,0x2ce6875e8793aL,
+        0x0a976a7139cabL } },
+    /* 163 */
+    { { 0x51f1b93fb353dL,0x8b57fcfa720a6L,0x1b15281d75cabL,0x4999aa88cfa73L,
+        0x08720a7170a1fL },
+      { 0xe8d37693e1b90L,0x0b16f6dfc38c3L,0x52a8742d345dcL,0x893c8ea8d00abL,
+        0x09719ef29c769L } },
+    /* 164 */
+    { { 0xeed8d58e35909L,0xdc33ddc116820L,0xe2050269366d8L,0x04c1d7f999d06L,
+        0x0a5072976e157L },
+      { 0xa37eac4e70b2eL,0x576890aa8a002L,0x45b2a5c84dcf6L,0x7725cd71bf186L,
+        0x099389c9df7b7L } },
+    /* 165 */
+    { { 0xc08f27ada7a4bL,0x03fd389366238L,0x66f512c3abe9dL,0x82e46b672e897L,
+        0x0a88806aa202cL },
+      { 0x2044ad380184eL,0xc4126a8b85660L,0xd844f17a8cb78L,0xdcfe79d670c0aL,
+        0x00043bffb4738L } },
+    /* 166 */
+    { { 0x9b5dc36d5192eL,0xd34590b2af8d5L,0x1601781acf885L,0x486683566d0a1L,
+        0x052f3ef01ba6cL },
+      { 0x6732a0edcb64dL,0x238068379f398L,0x040f3090a482cL,0x7e7516cbe5fa7L,
+        0x03296bd899ef2L } },
+    /* 167 */
+    { { 0xaba89454d81d7L,0xef51eb9b3c476L,0x1c579869eade7L,0x71e9619a21cd8L,
+        0x03b90febfaee5L },
+      { 0x3023e5496f7cbL,0xd87fb51bc4939L,0x9beb5ce55be41L,0x0b1803f1dd489L,
+        0x06e88069d9f81L } },
+    /* 168 */
+    { { 0x7ab11b43ea1dbL,0xa95259d292ce3L,0xf84f1860a7ff1L,0xad13851b02218L,
+        0x0a7222beadefaL },
+      { 0xc78ec2b0a9144L,0x51f2fa59c5a2aL,0x147ce385a0240L,0xc69091d1eca56L,
+        0x0be94d523bc2aL } },
+    /* 169 */
+    { { 0x4945e0b226ce7L,0x47967e8b7072fL,0x5a6c63eb8afd7L,0xc766edea46f18L,
+        0x07782defe9be8L },
+      { 0xd2aa43db38626L,0x8776f67ad1760L,0x4499cdb460ae7L,0x2e4b341b86fc5L,
+        0x003838567a289L } },
+    /* 170 */
+    { { 0xdaefd79ec1a0fL,0xfdceb39c972d8L,0x8f61a953bbcd6L,0xb420f5575ffc5L,
+        0x0dbd986c4adf7L },
+      { 0xa881415f39eb7L,0xf5b98d976c81aL,0xf2f717d6ee2fcL,0xbbd05465475dcL,
+        0x08e24d3c46860L } },
+    /* 171 */
+    { { 0xd8e549a587390L,0x4f0cbec588749L,0x25983c612bb19L,0xafc846e07da4bL,
+        0x0541a99c4407bL },
+      { 0x41692624c8842L,0x2ad86c05ffdb2L,0xf7fcf626044c1L,0x35d1c59d14b44L,
+        0x0c0092c49f57dL } },
+    /* 172 */
+    { { 0xc75c3df2e61efL,0xc82e1b35cad3cL,0x09f29f47e8841L,0x944dc62d30d19L,
+        0x075e406347286L },
+      { 0x41fc5bbc237d0L,0xf0ec4f01c9e7dL,0x82bd534c9537bL,0x858691c51a162L,
+        0x05b7cb658c784L } },
+    /* 173 */
+    { { 0xa70848a28ead1L,0x08fd3b47f6964L,0x67e5b39802dc5L,0x97a19ae4bfd17L,
+        0x07ae13eba8df0L },
+      { 0x16ef8eadd384eL,0xd9b6b2ff06fd2L,0xbcdb5f30361a2L,0xe3fd204b98784L,
+        0x0787d8074e2a8L } },
+    /* 174 */
+    { { 0x25d6b757fbb1cL,0xb2ca201debc5eL,0xd2233ffe47bddL,0x84844a55e9a36L,
+        0x05c2228199ef2L },
+      { 0xd4a8588315250L,0x2b827097c1773L,0xef5d33f21b21aL,0xf2b0ab7c4ea1dL,
+        0x0e45d37abbaf0L } },
+    /* 175 */
+    { { 0xf1e3428511c8aL,0xc8bdca6cd3d2dL,0x27c39a7ebb229L,0xb9d3578a71a76L,
+        0x0ed7bc12284dfL },
+      { 0x2a6df93dea561L,0x8dd48f0ed1cf2L,0xbad23e85443f1L,0x6d27d8b861405L,
+        0x0aac97cc945caL } },
+    /* 176 */
+    { { 0x4ea74a16bd00aL,0xadf5c0bcc1eb5L,0xf9bfc06d839e9L,0xdc4e092bb7f11L,
+        0x0318f97b31163L },
+      { 0x0c5bec30d7138L,0x23abc30220eccL,0x022360644e8dfL,0xff4d2bb7972fbL,
+        0x0fa41faa19a84L } },
+    /* 177 */
+    { { 0x2d974a6642269L,0xce9bb783bd440L,0x941e60bc81814L,0xe9e2398d38e47L,
+        0x038bb6b2c1d26L },
+      { 0xe4a256a577f87L,0x53dc11fe1cc64L,0x22807288b52d2L,0x01a5ff336abf6L,
+        0x094dd0905ce76L } },
+    /* 178 */
+    { { 0xcf7dcde93f92aL,0xcb89b5f315156L,0x995e750a01333L,0x2ae902404df9cL,
+        0x092077867d25cL },
+      { 0x71e010bf39d44L,0x2096bb53d7e24L,0xc9c3d8f5f2c90L,0xeb514c44b7b35L,
+        0x081e8428bd29bL } },
+    /* 179 */
+    { { 0x9c2bac477199fL,0xee6b5ecdd96ddL,0xe40fd0e8cb8eeL,0xa4b18af7db3feL,
+        0x01b94ab62dbbfL },
+      { 0x0d8b3ce47f143L,0xfc63f4616344fL,0xc59938351e623L,0x90eef18f270fcL,
+        0x006a38e280555L } },
+    /* 180 */
+    { { 0xb0139b3355b49L,0x60b4ebf99b2e5L,0x269f3dc20e265L,0xd4f8c08ffa6bdL,
+        0x0a7b36c2083d9L },
+      { 0x15c3a1b3e8830L,0xe1a89f9c0b64dL,0x2d16930d5fceaL,0x2a20cfeee4a2eL,
+        0x0be54c6b4a282L } },
+    /* 181 */
+    { { 0xdb3df8d91167cL,0x79e7a6625ed6cL,0x46ac7f4517c3fL,0x22bb7105648f3L,
+        0x0bf30a5abeae0L },
+      { 0x785be93828a68L,0x327f3ef0368e7L,0x92146b25161c3L,0xd13ae11b5feb5L,
+        0x0d1c820de2732L } },
+    /* 182 */
+    { { 0xe13479038b363L,0x546b05e519043L,0x026cad158c11fL,0x8da34fe57abe6L,
+        0x0b7d17bed68a1L },
+      { 0xa5891e29c2559L,0x765bfffd8444cL,0x4e469484f7a03L,0xcc64498de4af7L,
+        0x03997fd5e6412L } },
+    /* 183 */
+    { { 0x746828bd61507L,0xd534a64d2af20L,0xa8a15e329e132L,0x13e8ffeddfb08L,
+        0x00eeb89293c6cL },
+      { 0x69a3ea7e259f8L,0xe6d13e7e67e9bL,0xd1fa685ce1db7L,0xb6ef277318f6aL,
+        0x0228916f8c922L } },
+    /* 184 */
+    { { 0xae25b0a12ab5bL,0x1f957bc136959L,0x16e2b0ccc1117L,0x097e8058429edL,
+        0x0ec05ad1d6e93L },
+      { 0xba5beac3f3708L,0x3530b59d77157L,0x18234e531baf9L,0x1b3747b552371L,
+        0x07d3141567ff1L } },
+    /* 185 */
+    { { 0x9c05cf6dfefabL,0x68dcb377077bdL,0xa38bb95be2f22L,0xd7a3e53ead973L,
+        0x0e9ce66fc9bc1L },
+      { 0xa15766f6a02a1L,0xdf60e600ed75aL,0x8cdc1b938c087L,0x0651f8947f346L,
+        0x0d9650b017228L } },
+    /* 186 */
+    { { 0xb4c4a5a057e60L,0xbe8def25e4504L,0x7c1ccbdcbccc3L,0xb7a2a63532081L,
+        0x014d6699a804eL },
+      { 0xa8415db1f411aL,0x0bf80d769c2c8L,0xc2f77ad09fbafL,0x598ab4deef901L,
+        0x06f4c68410d43L } },
+    /* 187 */
+    { { 0x6df4e96c24a96L,0x85fcbd99a3872L,0xb2ae30a534dbcL,0x9abb3c466ef28L,
+        0x04c4350fd6118L },
+      { 0x7f716f855b8daL,0x94463c38a1296L,0xae9334341a423L,0x18b5c37e1413eL,
+        0x0a726d2425a31L } },
+    /* 188 */
+    { { 0x6b3ee948c1086L,0x3dcbd3a2e1daeL,0x3d022f3f1de50L,0xf3923f35ed3f0L,
+        0x013639e82cc6cL },
+      { 0x938fbcdafaa86L,0xfb2654a2589acL,0x5051329f45bc5L,0x35a31963b26e4L,
+        0x0ca9365e1c1a3L } },
+    /* 189 */
+    { { 0x5ac754c3b2d20L,0x17904e241b361L,0xc9d071d742a54L,0x72a5b08521c4cL,
+        0x09ce29c34970bL },
+      { 0x81f736d3e0ad6L,0x9ef2f8434c8ccL,0xce862d98060daL,0xaf9835ed1d1a6L,
+        0x048c4abd7ab42L } },
+    /* 190 */
+    { { 0x1b0cc40c7485aL,0xbbe5274dbfd22L,0x263d2e8ead455L,0x33cb493c76989L,
+        0x078017c32f67bL },
+      { 0x35769930cb5eeL,0x940c408ed2b9dL,0x72f1a4dc0d14eL,0x1c04f8b7bf552L,
+        0x053cd0454de5cL } },
+    /* 191 */
+    { { 0x585fa5d28ccacL,0x56005b746ebcdL,0xd0123aa5f823eL,0xfa8f7c79f0a1cL,
+        0x0eea465c1d3d7L },
+      { 0x0659f0551803bL,0x9f7ce6af70781L,0x9288e706c0b59L,0x91934195a7702L,
+        0x01b6e42a47ae6L } },
+    /* 192 */
+    { { 0x0937cf67d04c3L,0xe289eeb8112e8L,0x2594d601e312bL,0xbd3d56b5d8879L,
+        0x00224da14187fL },
+      { 0xbb8630c5fe36fL,0x604ef51f5f87aL,0x3b429ec580f3cL,0xff33964fb1bfbL,
+        0x060838ef042bfL } },
+    /* 193 */
+    { { 0xcb2f27e0bbe99L,0xf304aa39ee432L,0xfa939037bda44L,0x16435f497c7a9L,
+        0x0636eb2022d33L },
+      { 0xd0e6193ae00aaL,0xfe31ae6d2ffcfL,0xf93901c875a00L,0x8bacf43658a29L,
+        0x08844eeb63921L } },
+    /* 194 */
+    { { 0x171d26b3bae58L,0x7117e39f3e114L,0x1a8eada7db3dfL,0x789ecd37bc7f8L,
+        0x027ba83dc51fbL },
+      { 0xf439ffbf54de5L,0x0bb5fe1a71a7dL,0xb297a48727703L,0xa4ab42ee8e35dL,
+        0x0adb62d3487f3L } },
+    /* 195 */
+    { { 0x168a2a175df2aL,0x4f618c32e99b1L,0x46b0916082aa0L,0xc8b2c9e4f2e71L,
+        0x0b990fd7675e7L },
+      { 0x9d96b4df37313L,0x79d0b40789082L,0x80877111c2055L,0xd18d66c9ae4a7L,
+        0x081707ef94d10L } },
+    /* 196 */
+    { { 0x7cab203d6ff96L,0xfc0d84336097dL,0x042db4b5b851bL,0xaa5c268823c4dL,
+        0x03792daead5a8L },
+      { 0x18865941afa0bL,0x4142d83671528L,0xbe4e0a7f3e9e7L,0x01ba17c825275L,
+        0x05abd635e94b0L } },
+    /* 197 */
+    { { 0xfa84e0ac4927cL,0x35a7c8cf23727L,0xadca0dfe38860L,0xb610a4bcd5ea4L,
+        0x05995bf21846aL },
+      { 0xf860b829dfa33L,0xae958fc18be90L,0x8630366caafe2L,0x411e9b3baf447L,
+        0x044c32ca2d483L } },
+    /* 198 */
+    { { 0xa97f1e40ed80cL,0xb131d2ca82a74L,0xc2d6ad95f938cL,0xa54c53f2124b7L,
+        0x01f2162fb8082L },
+      { 0x67cc5720b173eL,0x66085f12f97e4L,0xc9d65dc40e8a6L,0x07c98cebc20e4L,
+        0x08f1d402bc3e9L } },
+    /* 199 */
+    { { 0x92f9cfbc4058aL,0xb6292f56704f5L,0xc1d8c57b15e14L,0xdbf9c55cfe37bL,
+        0x0b1980f43926eL },
+      { 0x33e0932c76b09L,0x9d33b07f7898cL,0x63bb4611df527L,0x8e456f08ead48L,
+        0x02828ad9b3744L } },
+    /* 200 */
+    { { 0x722c4c4cf4ac5L,0x3fdde64afb696L,0x0890832f5ac1aL,0xb3900551baa2eL,
+        0x04973f1275a14L },
+      { 0xd8335322eac5dL,0xf50bd9b568e59L,0x25883935e07eeL,0x8ac7ab36720faL,
+        0x06dac8ed0db16L } },
+    /* 201 */
+    { { 0x545aeeda835efL,0xd21d10ed51f7bL,0x3741b094aa113L,0xde4c035a65e01L,
+        0x04b23ef5920b9L },
+      { 0xbb6803c4c7341L,0x6d3f58bc37e82L,0x51e3ee8d45770L,0x9a4e73527863aL,
+        0x04dd71534ddf4L } },
+    /* 202 */
+    { { 0x4467295476cd9L,0x2fe31a725bbf9L,0xc4b67e0648d07L,0x4dbb1441c8b8fL,
+        0x0fd3170002f4aL },
+      { 0x43ff48995d0e1L,0xd10ef729aa1cbL,0x179898276e695L,0xf365e0d5f9764L,
+        0x014fac58c9569L } },
+    /* 203 */
+    { { 0xa0065f312ae18L,0xc0fcc93fc9ad9L,0xa7d284651958dL,0xda50d9a142408L,
+        0x0ed7c765136abL },
+      { 0x70f1a25d4abbcL,0xf3f1a113ea462L,0xb51952f9b5dd8L,0x9f53c609b0755L,
+        0x0fefcb7f74d2eL } },
+    /* 204 */
+    { { 0x9497aba119185L,0x30aac45ba4bd0L,0xa521179d54e8cL,0xd80b492479deaL,
+        0x01801a57e87e0L },
+      { 0xd3f8dfcafffb0L,0x0bae255240073L,0xb5fdfbc6cf33cL,0x1064781d763b5L,
+        0x09f8fc11e1eadL } },
+    /* 205 */
+    { { 0x3a1715e69544cL,0x67f04b7813158L,0x78a4c320eaf85L,0x69a91e22a8fd2L,
+        0x0a9d3809d3d3aL },
+      { 0xc2c2c59a2da3bL,0xf61895c847936L,0x3d5086938ccbcL,0x8ef75e65244e6L,
+        0x03006b9aee117L } },
+    /* 206 */
+    { { 0x1f2b0c9eead28L,0x5d89f4dfbc0bbL,0x2ce89397eef63L,0xf761074757fdbL,
+        0x00ab85fd745f8L },
+      { 0xa7c933e5b4549L,0x5c97922f21ecdL,0x43b80404be2bbL,0x42c2261a1274bL,
+        0x0b122d67511e9L } },
+    /* 207 */
+    { { 0x607be66a5ae7aL,0xfa76adcbe33beL,0xeb6e5c501e703L,0xbaecaf9043014L,
+        0x09f599dc1097dL },
+      { 0x5b7180ff250edL,0x74349a20dc6d7L,0x0b227a38eb915L,0x4b78425605a41L,
+        0x07d5528e08a29L } },
+    /* 208 */
+    { { 0x58f6620c26defL,0xea582b2d1ef0fL,0x1ce3881025585L,0x1730fbe7d79b0L,
+        0x028ccea01303fL },
+      { 0xabcd179644ba5L,0xe806fff0b8d1dL,0x6b3e17b1fc643L,0x13bfa60a76fc6L,
+        0x0c18baf48a1d0L } },
+    /* 209 */
+    { { 0x638c85dc4216dL,0x67206142ac34eL,0x5f5064a00c010L,0x596bd453a1719L,
+        0x09def809db7a9L },
+      { 0x8642e67ab8d2cL,0x336237a2b641eL,0x4c4218bb42404L,0x8ce57d506a6d6L,
+        0x00357f8b06880L } },
+    /* 210 */
+    { { 0xdbe644cd2cc88L,0x8df0b8f39d8e9L,0xd30a0c8cc61c2L,0x98874a309874cL,
+        0x0e4a01add1b48L },
+      { 0x1eeacf57cd8f9L,0x3ebd594c482edL,0xbd2f7871b767dL,0xcc30a7295c717L,
+        0x0466d7d79ce10L } },
+    /* 211 */
+    { { 0x318929dada2c7L,0xc38f9aa27d47dL,0x20a59e14fa0a6L,0xad1a90e4fd288L,
+        0x0c672a522451eL },
+      { 0x07cc85d86b655L,0x3bf9ad4af1306L,0x71172a6f0235dL,0x751399a086805L,
+        0x05e3d64faf2a6L } },
+    /* 212 */
+    { { 0x410c79b3b4416L,0x85eab26d99aa6L,0xb656a74cd8fcfL,0x42fc5ebff74adL,
+        0x06c8a7a95eb8eL },
+      { 0x60ba7b02a63bdL,0x038b8f004710cL,0x12d90b06b2f23L,0xca918c6c37383L,
+        0x0348ae422ad82L } },
+    /* 213 */
+    { { 0x746635ccda2fbL,0xa18e0726d27f4L,0x92b1f2022accaL,0x2d2e85adf7824L,
+        0x0c1074de0d9efL },
+      { 0x3ce44ae9a65b3L,0xac05d7151bfcfL,0xe6a9788fd71e4L,0x4ffcd4711f50cL,
+        0x0fbadfbdbc9e5L } },
+    /* 214 */
+    { { 0x3f1cd20a99363L,0x8f6cf22775171L,0x4d359b2b91565L,0x6fcd968175cd2L,
+        0x0b7f976b48371L },
+      { 0x8e24d5d6dbf74L,0xfd71c3af36575L,0x243dfe38d23baL,0xc80548f477600L,
+        0x0f4d41b2ecafcL } },
+    /* 215 */
+    { { 0x1cf28fdabd48dL,0x3632c078a451fL,0x17146e9ce81beL,0x0f106ace29741L,
+        0x0180824eae016L },
+      { 0x7698b66e58358L,0x52ce6ca358038L,0xe41e6c5635687L,0x6d2582380e345L,
+        0x067e5f63983cfL } },
+    /* 216 */
+    { { 0xccb8dcf4899efL,0xf09ebb44c0f89L,0x2598ec9949015L,0x1fc6546f9276bL,
+        0x09fef789a04c1L },
+      { 0x67ecf53d2a071L,0x7fa4519b096d3L,0x11e2eefb10e1aL,0x4e20ca6b3fb06L,
+        0x0bc80c181a99cL } },
+    /* 217 */
+    { { 0x536f8e5eb82e6L,0xc7f56cb920972L,0x0b5da5e1a484fL,0xdf10c78e21715L,
+        0x049270e629f8cL },
+      { 0x9b7bbea6b50adL,0xc1a2388ffc1a3L,0x107197b9a0284L,0x2f7f5403eb178L,
+        0x0d2ee52f96137L } },
+    /* 218 */
+    { { 0xcd28588e0362aL,0xa78fa5d94dd37L,0x434a526442fa8L,0xb733aff836e5aL,
+        0x0dfb478bee5abL },
+      { 0xf1ce7673eede6L,0xd42b5b2f04a91L,0x530da2fa5390aL,0x473a5e66f7bf5L,
+        0x0d9a140b408dfL } },
+    /* 219 */
+    { { 0x221b56e8ea498L,0x293563ee090e0L,0x35d2ade623478L,0x4b1ae06b83913L,
+        0x0760c058d623fL },
+      { 0x9b58cc198aa79L,0xd2f07aba7f0b8L,0xde2556af74890L,0x04094e204110fL,
+        0x07141982d8f19L } },
+    /* 220 */
+    { { 0xa0e334d4b0f45L,0x38392a94e16f0L,0x3c61d5ed9280bL,0x4e473af324c6bL,
+        0x03af9d1ce89d5L },
+      { 0xf798120930371L,0x4c21c17097fd8L,0xc42309beda266L,0x7dd60e9545dcdL,
+        0x0b1f815c37395L } },
+    /* 221 */
+    { { 0xaa78e89fec44aL,0x473caa4caf84fL,0x1b6a624c8c2aeL,0xf052691c807dcL,
+        0x0a41aed141543L },
+      { 0x353997d5ffe04L,0xdf625b6e20424L,0x78177758bacb2L,0x60ef85d660be8L,
+        0x0d6e9c1dd86fbL } },
+    /* 222 */
+    { { 0x2e97ec6853264L,0xb7e2304a0b3aaL,0x8eae9be771533L,0xf8c21b912bb7bL,
+        0x09c9c6e10ae9bL },
+      { 0x09a59e030b74cL,0x4d6a631e90a23L,0x49b79f24ed749L,0x61b689f44b23aL,
+        0x0566bd59640faL } },
+    /* 223 */
+    { { 0xc0118c18061f3L,0xd37c83fc70066L,0x7273245190b25L,0x345ef05fc8e02L,
+        0x0cf2c7390f525L },
+      { 0xbceb410eb30cfL,0xba0d77703aa09L,0x50ff255cfd2ebL,0x0979e842c43a1L,
+        0x002f517558aa2L } },
+    /* 224 */
+    { { 0xef794addb7d07L,0x4224455500396L,0x78aa3ce0b4fc7L,0xd97dfaff8eaccL,
+        0x014e9ada5e8d4L },
+      { 0x480a12f7079e2L,0xcde4b0800edaaL,0x838157d45baa3L,0x9ae801765e2d7L,
+        0x0a0ad4fab8e9dL } },
+    /* 225 */
+    { { 0xb76214a653618L,0x3c31eaaa5f0bfL,0x4949d5e187281L,0xed1e1553e7374L,
+        0x0bcd530b86e56L },
+      { 0xbe85332e9c47bL,0xfeb50059ab169L,0x92bfbb4dc2776L,0x341dcdba97611L,
+        0x0909283cf6979L } },
+    /* 226 */
+    { { 0x0032476e81a13L,0x996217123967bL,0x32e19d69bee1aL,0x549a08ed361bdL,
+        0x035eeb7c9ace1L },
+      { 0x0ae5a7e4e5bdcL,0xd3b6ceec6e128L,0xe266bc12dcd2cL,0xe86452e4224c6L,
+        0x09a8b2cf4448aL } },
+    /* 227 */
+    { { 0x71bf209d03b59L,0xa3b65af2abf64L,0xbd5eec9c90e62L,0x1379ff7ff168eL,
+        0x06bdb60f4d449L },
+      { 0xafebc8a55bc30L,0x1610097fe0dadL,0xc1e3bddc79eadL,0x08a942e197414L,
+        0x001ec3cfd94baL } },
+    /* 228 */
+    { { 0x277ebdc9485c2L,0x7922fb10c7ba6L,0x0a28d8a48cc9aL,0x64f64f61d60f7L,
+        0x0d1acb1c04754L },
+      { 0x902b126f36612L,0x4ee0618d8bd26L,0x08357ee59c3a4L,0x26c24df8a8133L,
+        0x07dcd079d4056L } },
+    /* 229 */
+    { { 0x7d4d3f05a4b48L,0x52372307725ceL,0x12a915aadcd29L,0x19b8d18f79718L,
+        0x00bf53589377dL },
+      { 0xcd95a6c68ea73L,0xca823a584d35eL,0x473a723c7f3bbL,0x86fc9fb674c6fL,
+        0x0d28be4d9e166L } },
+    /* 230 */
+    { { 0xb990638fa8e4bL,0x6e893fd8fc5d2L,0x36fb6fc559f18L,0x88ce3a6de2aa4L,
+        0x0d76007aa510fL },
+      { 0x0aab6523a4988L,0x4474dd02732d1L,0x3407278b455cfL,0xbb017f467082aL,
+        0x0f2b52f68b303L } },
+    /* 231 */
+    { { 0x7eafa9835b4caL,0xfcbb669cbc0d5L,0x66431982d2232L,0xed3a8eeeb680cL,
+        0x0d8dbe98ecc5aL },
+      { 0x9be3fc5a02709L,0xe5f5ba1fa8cbaL,0x10ea85230be68L,0x9705febd43cdfL,
+        0x0e01593a3ee55L } },
+    /* 232 */
+    { { 0x5af50ea75a0a6L,0xac57858033d3eL,0x0176406512226L,0xef066fe6d50fdL,
+        0x0afec07b1aeb8L },
+      { 0x9956780bb0a31L,0xcc37309aae7fbL,0x1abf3896f1af3L,0xbfdd9153a15a0L,
+        0x0a71b93546e2dL } },
+    /* 233 */
+    { { 0xe12e018f593d2L,0x28a078122bbf8L,0xba4f2add1a904L,0x23d9150505db0L,
+        0x053a2005c6285L },
+      { 0x8b639e7f2b935L,0x5ac182961a07cL,0x518ca2c2bff97L,0x8e3d86bceea77L,
+        0x0bf47d19b3d58L } },
+    /* 234 */
+    { { 0x967a7dd7665d5L,0x572f2f4de5672L,0x0d4903f4e3030L,0xa1b6144005ae8L,
+        0x0001c2c7f39c9L },
+      { 0xa801469efc6d6L,0xaa7bc7a724143L,0x78150a4c810bdL,0xb99b5f65670baL,
+        0x0fdadf8e786ffL } },
+    /* 235 */
+    { { 0x8cb88ffc00785L,0x913b48eb67fd3L,0xf368fbc77fa75L,0x3c940454d055bL,
+        0x03a838e4d5aa4L },
+      { 0x663293e97bb9aL,0x63441d94d9561L,0xadb2a839eb933L,0x1da3515591a60L,
+        0x03cdb8257873eL } },
+    /* 236 */
+    { { 0x140a97de77eabL,0x0d41648109137L,0xeb1d0dff7e1c5L,0x7fba762dcad2cL,
+        0x05a60cc89f1f5L },
+      { 0x3638240d45673L,0x195913c65580bL,0xd64b7411b82beL,0x8fc0057284b8dL,
+        0x0922ff56fdbfdL } },
+    /* 237 */
+    { { 0x65deec9a129a1L,0x57cc284e041b2L,0xebfbe3ca5b1ceL,0xcd6204380c46cL,
+        0x072919a7df6c5L },
+      { 0xf453a8fb90f9aL,0x0b88e4031b298L,0x96f1856d719c0L,0x089ae32c0e777L,
+        0x05e7917803624L } },
+    /* 238 */
+    { { 0x6ec557f63cdfbL,0x71f1cae4fd5c1L,0x60597ca8e6a35L,0x2fabfce26bea5L,
+        0x04e0a5371e24cL },
+      { 0xa40d3a5765357L,0x440d73a2b4276L,0x1d11a323c89afL,0x04eeb8f370ae4L,
+        0x0f5ff7818d566L } },
+    /* 239 */
+    { { 0x3e3fe1a09df21L,0x8ee66e8e47fbfL,0x9c8901526d5d2L,0x5e642096bd0a2L,
+        0x0e41df0e9533fL },
+      { 0xfda40b3ba9e3fL,0xeb2604d895305L,0xf0367c7f2340cL,0x155f0866e1927L,
+        0x08edd7d6eac4fL } },
+    /* 240 */
+    { { 0x1dc0e0bfc8ff3L,0x2be936f42fc9aL,0xca381ef14efd8L,0xee9667016f7ccL,
+        0x01432c1caed8aL },
+      { 0x8482970b23c26L,0x730735b273ec6L,0xaef0f5aa64fe8L,0xd2c6e389f6e5eL,
+        0x0caef480b5ac8L } },
+    /* 241 */
+    { { 0x5c97875315922L,0x713063cca5524L,0x64ef2cbd82951L,0xe236f3ce60d0bL,
+        0x0d0ba177e8efaL },
+      { 0x9ae8fb1b3af60L,0xe53d2da20e53aL,0xf9eef281a796aL,0xae1601d63605dL,
+        0x0f31c957c1c54L } },
+    /* 242 */
+    { { 0x58d5249cc4597L,0xb0bae0a028c0fL,0x34a814adc5015L,0x7c3aefc5fc557L,
+        0x0013404cb96e1L },
+      { 0xe2585c9a824bfL,0x5e001eaed7b29L,0x1ef68acd59318L,0x3e6c8d6ee6826L,
+        0x06f377c4b9193L } },
+    /* 243 */
+    { { 0x3bad1a8333fd2L,0x025a2a95b89f9L,0xaf75acea89302L,0x9506211e5037eL,
+        0x06dba3e4ed2d0L },
+      { 0xef98cd04399cdL,0x6ee6b73adea48L,0x17ecaf31811c6L,0xf4a772f60752cL,
+        0x0f13cf3423becL } },
+    /* 244 */
+    { { 0xb9ec0a919e2ebL,0x95f62c0f68ceeL,0xaba229983a9a1L,0xbad3cfba3bb67L,
+        0x0c83fa9a9274bL },
+      { 0xd1b0b62fa1ce0L,0xf53418efbf0d7L,0x2706f04e58b60L,0x2683bfa8ef9e5L,
+        0x0b49d70f45d70L } },
+    /* 245 */
+    { { 0xc7510fad5513bL,0xecb1751e2d914L,0x9fb9d5905f32eL,0xf1cf6d850418dL,
+        0x059cfadbb0c30L },
+      { 0x7ac2355cb7fd6L,0xb8820426a3e16L,0x0a78864249367L,0x4b67eaeec58c9L,
+        0x05babf362354aL } },
+    /* 246 */
+    { { 0x981d1ee424865L,0x78f2e5577f37cL,0x9e0c0588b0028L,0xc8f0702970f1bL,
+        0x06188c6a79026L },
+      { 0x9a19bd0f244daL,0x5cfb08087306fL,0xf2136371eccedL,0xb9d935470f9b9L,
+        0x0993fe475df50L } },
+    /* 247 */
+    { { 0x31cdf9b2c3609L,0xc02c46d4ea68eL,0xa77510184eb19L,0x616b7ac9ec1a9L,
+        0x081f764664c80L },
+      { 0xc2a5a75fbe978L,0xd3f183b3561d7L,0x01dd2bf6743feL,0x060d838d1f045L,
+        0x0564a812a5fe9L } },
+    /* 248 */
+    { { 0xa64f4fa817d1dL,0x44bea82e0f7a5L,0xd57f9aa55f968L,0x1d6cb5ff5a0fcL,
+        0x0226bf3cf00e5L },
+      { 0x1a9f92f2833cfL,0x5a4f4f89a8d6dL,0xf3f7f7720a0a3L,0x783611536c498L,
+        0x068779f47ff25L } },
+    /* 249 */
+    { { 0x0c1c173043d08L,0x741fc020fa79bL,0xa6d26d0a54467L,0x2e0bd3767e289L,
+        0x097bcb0d1eb09L },
+      { 0x6eaa8f32ed3c3L,0x51b281bc482abL,0xfa178f3c8a4f1L,0x46554d1bf4f3bL,
+        0x0a872ffe80a78L } },
+    /* 250 */
+    { { 0xb7935a32b2086L,0x0e8160f486b1aL,0xb6ae6bee1eb71L,0xa36a9bd0cd913L,
+        0x002812bfcb732L },
+      { 0xfd7cacf605318L,0x50fdfd6d1da63L,0x102d619646e5dL,0x96afa1d683982L,
+        0x007391cc9fe53L } },
+    /* 251 */
+    { { 0x157f08b80d02bL,0xd162877f7fc50L,0x8d542ae6b8333L,0x2a087aca1af87L,
+        0x0355d2adc7e6dL },
+      { 0xf335a287386e1L,0x94f8e43275b41L,0x79989eafd272aL,0x3a79286ca2cdeL,
+        0x03dc2b1e37c2aL } },
+    /* 252 */
+    { { 0x9d21c04581352L,0x25376782bed68L,0xfed701f0a00c8L,0x846b203bd5909L,
+        0x0c47869103ccdL },
+      { 0xa770824c768edL,0x026841f6575dbL,0xaccce0e72feeaL,0x4d3273313ed56L,
+        0x0ccc42968d5bbL } },
+    /* 253 */
+    { { 0x50de13d7620b9L,0x8a5992a56a94eL,0x75487c9d89a5cL,0x71cfdc0076406L,
+        0x0e147eb42aa48L },
+      { 0xab4eeacf3ae46L,0xfb50350fbe274L,0x8c840eafd4936L,0x96e3df2afe474L,
+        0x0239ac047080eL } },
+    /* 254 */
+    { { 0xd1f352bfee8d4L,0xcffa7b0fec481L,0xce9af3cce80b5L,0xe59d105c4c9e2L,
+        0x0c55fa1a3f5f7L },
+      { 0x6f14e8257c227L,0x3f342be00b318L,0xa904fb2c5b165L,0xb69909afc998aL,
+        0x0094cd99cd4f4L } },
+    /* 255 */
+    { { 0x81c84d703bebaL,0x5032ceb2918a9L,0x3bd49ec8631d1L,0xad33a445f2c9eL,
+        0x0b90a30b642abL },
+      { 0x5404fb4a5abf9L,0xc375db7603b46L,0xa35d89f004750L,0x24f76f9a42cccL,
+        0x0019f8b9a1b79L } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_5(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_5(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[5];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_5(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 5, km);
+
+            err = sp_256_ecc_mulmod_base_5(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_5(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_5(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_add_one_5(sp_digit* a)
+{
+    a[0]++;
+    sp_256_norm_5(a);
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 44U) {
+            r[j] &= 0xfffffffffffffL;
+            s = 52U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_5(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 5, buf, (int)sizeof(buf));
+            if (sp_256_cmp_5(k, p256_order2) < 0) {
+                sp_256_add_one_5(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[5];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_5(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_5(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_5(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_5(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_5(point->x) == 0) || (sp_256_iszero_5(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_5(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_5(infinity, 1, heap);
+#endif
+    sp_256_point_free_5(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<4; i++) {
+        r[i+1] += r[i] >> 52;
+        r[i] &= 0xfffffffffffffL;
+    }
+    j = 256 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<5 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 52) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 52);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[5];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 5, priv);
+        sp_256_point_from_ecc_point_5(point, pub);
+            err = sp_256_ecc_mulmod_5(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_d_5(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 5; i++) {
+        t += tb * a[i];
+        r[i] = t & 0xfffffffffffffL;
+        t >>= 52;
+    }
+    r[5] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[5];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    r[ 0] =                           (t[ 0] & 0xfffffffffffffL);
+    r[ 1] = (sp_digit)(t[ 0] >> 52) + (t[ 1] & 0xfffffffffffffL);
+    r[ 2] = (sp_digit)(t[ 1] >> 52) + (t[ 2] & 0xfffffffffffffL);
+    r[ 3] = (sp_digit)(t[ 2] >> 52) + (t[ 3] & 0xfffffffffffffL);
+    r[ 4] = (sp_digit)(t[ 3] >> 52) + (t[ 4] & 0xfffffffffffffL);
+    r[ 5] = (sp_digit)(t[ 4] >> 52);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_256_div_word_5(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 52 bits from d1 and top 11 bits from d0. */
+    d = (d1 << 11) | (d0 >> 41);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 12 bits in r */
+    /* Next 11 bits from d0. */
+    r <<= 11;
+    d <<= 11;
+    d |= (d0 >> 30) & ((1 << 11) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 23 bits in r */
+    /* Next 11 bits from d0. */
+    r <<= 11;
+    d <<= 11;
+    d |= (d0 >> 19) & ((1 << 11) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 34 bits in r */
+    /* Next 11 bits from d0. */
+    r <<= 11;
+    d <<= 11;
+    d |= (d0 >> 8) & ((1 << 11) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 45 bits in r */
+    /* Remaining 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= d0 & ((1 << 8) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_div_5(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[10], t2d[5 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 5 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 5;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[4];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 5U);
+        for (i=4; i>=0; i--) {
+            t1[5 + i] += t1[5 + i - 1] >> 52;
+            t1[5 + i - 1] &= 0xfffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[5 + i];
+            d1 <<= 52;
+            d1 += t1[5 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_256_div_word_5(t1[5 + i], t1[5 + i - 1], dv);
+#endif
+
+            sp_256_mul_d_5(t2, d, r1);
+            (void)sp_256_sub_5(&t1[i], &t1[i], t2);
+            t1[5 + i] -= t2[5];
+            t1[5 + i] += t1[5 + i - 1] >> 52;
+            t1[5 + i - 1] &= 0xfffffffffffffL;
+            r1 = (((-t1[5 + i]) << 52) - t1[5 + i - 1]) / dv;
+            r1++;
+            sp_256_mul_d_5(t2, d, r1);
+            (void)sp_256_add_5(&t1[i], &t1[i], t2);
+            t1[5 + i] += t1[5 + i - 1] >> 52;
+            t1[5 + i - 1] &= 0xfffffffffffffL;
+        }
+        t1[5 - 1] += t1[5 - 2] >> 52;
+        t1[5 - 2] &= 0xfffffffffffffL;
+        r1 = t1[5 - 1] / dv;
+
+        sp_256_mul_d_5(t2, d, r1);
+        (void)sp_256_sub_5(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 5U);
+        for (i=0; i<3; i++) {
+            r[i+1] += r[i] >> 52;
+            r[i] &= 0xfffffffffffffL;
+        }
+        sp_256_cond_add_5(r, r, d, 0 - ((r[4] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_mod_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_5(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint64_t p256_order_minus_2[4] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
+    0xffffffff00000000U
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint64_t p256_order_low[2] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_5(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_5(r, a, b);
+    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_5(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_5(r, a);
+    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_5(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_5(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_5(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_5(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 5);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_5(t, t);
+        if ((p256_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_5(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 5U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 5;
+    sp_digit* t3 = td + 4 * 5;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_5(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_5(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_5(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_5(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_5(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_5(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_5(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_5(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_5(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_5(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_5(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_5(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_5(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_5(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_5(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_5(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_5(t2, t2, 4);
+    sp_256_mont_mul_order_5(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_5(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_5(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_5(t2, t2, 4);
+    sp_256_mont_mul_order_5(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_5(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_5(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_5(t2, t2, 4);
+    sp_256_mont_mul_order_5(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_5(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_5(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_5(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_5(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*5];
+    sp_digit xd[2*5];
+    sp_digit kd[2*5];
+    sp_digit rd[2*5];
+    sp_digit td[3 * 2*5];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_5(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 5;
+        x = d + 2 * 5;
+        k = d + 4 * 5;
+        r = d + 6 * 5;
+        tmp = d + 8 * 5;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 5, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 5, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_5(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 5, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_5(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 5U);
+            sp_256_norm_5(r);
+            c = sp_256_cmp_5(r, p256_order);
+            sp_256_cond_sub_5(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_5(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_5(k, k, p256_norm_order);
+            err = sp_256_mod_5(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_5(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_5(kInv, k, tmp);
+            sp_256_norm_5(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_5(x, x, r);
+            err = sp_256_mod_5(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_5(x);
+            carry = sp_256_add_5(s, e, x);
+            sp_256_cond_sub_5(s, s, p256_order, 0 - carry);
+            sp_256_norm_5(s);
+            c = sp_256_cmp_5(s, p256_order);
+            sp_256_cond_sub_5(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_5(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_5(s, s, kInv);
+            sp_256_norm_5(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_5(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 5);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 5U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 5U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 5U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 5U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 5U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 5U);
+#endif
+    sp_256_point_free_5(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*5];
+    sp_digit u2d[2*5];
+    sp_digit sd[2*5];
+    sp_digit tmpd[2*5 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+
+    err = sp_256_point_new_5(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 5;
+        u2  = d + 2 * 5;
+        s   = d + 4 * 5;
+        tmp = d + 6 * 5;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 5, hash, (int)hashLen);
+        sp_256_from_mp(u2, 5, r);
+        sp_256_from_mp(s, 5, sm);
+        sp_256_from_mp(p2->x, 5, pX);
+        sp_256_from_mp(p2->y, 5, pY);
+        sp_256_from_mp(p2->z, 5, pZ);
+
+        {
+            sp_256_mul_5(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_5(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_5(s);
+        {
+            sp_256_mont_inv_order_5(s, s, tmp);
+            sp_256_mont_mul_order_5(u1, u1, s);
+            sp_256_mont_mul_order_5(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_5(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_5(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_5(p1, p1, p2, tmp);
+            if (sp_256_iszero_5(p1->z)) {
+                if (sp_256_iszero_5(p1->x) && sp_256_iszero_5(p1->y)) {
+                    sp_256_proj_point_dbl_5(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 5, r);
+        err = sp_256_mod_mul_norm_5(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_5(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_5(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_5(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 5, r);
+            carry = sp_256_add_5(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_5(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_5(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_5(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_5(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_5(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_5(p1, 0, heap);
+    sp_256_point_free_5(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_5(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*5];
+    sp_digit t2d[2*5];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 5;
+        t2 = d + 2 * 5;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_5(t1, point->y);
+        (void)sp_256_mod_5(t1, t1, p256_mod);
+        sp_256_sqr_5(t2, point->x);
+        (void)sp_256_mod_5(t2, t2, p256_mod);
+        sp_256_mul_5(t2, t2, point->x);
+        (void)sp_256_mod_5(t2, t2, p256_mod);
+        (void)sp_256_sub_5(t2, p256_mod, t2);
+        sp_256_mont_add_5(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_5(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_5(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_5(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_5(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_5(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 5, pX);
+        sp_256_from_mp(pub->y, 5, pY);
+        sp_256_from_bin(pub->z, 5, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_5(pub, NULL);
+    }
+
+    sp_256_point_free_5(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[5];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_5(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 5, pX);
+        sp_256_from_mp(pub->y, 5, pY);
+        sp_256_from_bin(pub->z, 5, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 5, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_5(pub->x) != 0) &&
+            (sp_256_iszero_5(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_5(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_5(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_5(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_5(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_5(p->x) == 0) ||
+            (sp_256_iszero_5(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_5(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_5(p->x, pub->x) != 0 ||
+            sp_256_cmp_5(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(p, 0, heap);
+    sp_256_point_free_5(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 5 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_5(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_5(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 5, pX);
+        sp_256_from_mp(p->y, 5, pY);
+        sp_256_from_mp(p->z, 5, pZ);
+        sp_256_from_mp(q->x, 5, qX);
+        sp_256_from_mp(q->y, 5, qY);
+        sp_256_from_mp(q->z, 5, qZ);
+
+            sp_256_proj_point_add_5(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(q, 0, NULL);
+    sp_256_point_free_5(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 5 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_5(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 5, pX);
+        sp_256_from_mp(p->y, 5, pY);
+        sp_256_from_mp(p->z, 5, pZ);
+
+            sp_256_proj_point_dbl_5(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 5 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_5(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 5, pX);
+        sp_256_from_mp(p->y, 5, pY);
+        sp_256_from_mp(p->z, 5, pZ);
+
+        sp_256_map_5(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_5(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_5(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 5];
+    sp_digit t2d[2 * 5];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 5, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 5;
+        t2 = d + 2 * 5;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_5(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_5(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_5(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_5(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_5(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_5(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_5(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_5(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_5(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_5(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_5(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 5];
+    sp_digit yd[2 * 5];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 5, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 5;
+        y = d + 2 * 5;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 5, xm);
+        err = sp_256_mod_mul_norm_5(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_5(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_5(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_5(y, y, x, p256_mod);
+        sp_256_mont_sub_5(y, y, x, p256_mod);
+        sp_256_mont_sub_5(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_5(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_5(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_5(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 5, 0, 5U * sizeof(sp_digit));
+        sp_256_mont_reduce_5(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_5(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 7];
+    sp_digit y[2 * 7];
+    sp_digit z[2 * 7];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[7] = {
+    0x000000ffffffffL,0x7ffe0000000000L,0x7ffffffffbffffL,0x7fffffffffffffL,
+    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[7] = {
+    0x7fffff00000001L,0x0001ffffffffffL,0x00000000040000L,0x00000000000000L,
+    0x00000000000000L,0x00000000000000L,0x00000000000000L
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x0000100000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[7] = {
+    0x6c196accc52973L,0x1b6491614ef5d9L,0x07d0dcb77d6068L,0x7ffffffe3b1a6cL,
+    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[7] = {
+    0x6c196accc52971L,0x1b6491614ef5d9L,0x07d0dcb77d6068L,0x7ffffffe3b1a6cL,
+    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[7] = {
+    0x13e695333ad68dL,0x649b6e9eb10a26L,0x782f2348829f97L,0x00000001c4e593L,
+    0x00000000000000L,0x00000000000000L,0x00000000000000L
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0x546089e88fdc45l;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x545e3872760ab7L,0x64bb7eaa52d874L,0x020950a8e1540bL,
+        0x5d3cdcc2cfba0fL,0x0ad746e1d3b628L,0x26f1d638e3de64L,0x2aa1f288afa2c1L,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x431d7c90ea0e5fL,0x639c3afd033af4L,0x4ed7c2e3002982L,
+        0x44d0a3e74ed188L,0x2dc29f8f41dbd2L,0x0debb3d317f252L,0x0d85f792a5898bL,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000000000001L,0x00000000000000L,0x00000000000000L,
+        0x00000000000000L,0x00000000000000L,0x00000000000000L,0x00000000000000L,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[7] = {
+    0x05c8edd3ec2aefL,0x731b145da33a55L,0x3d404e1d6b1958L,0x740a089018a044L,
+    0x02d19181d9c6efL,0x7c9311c0ad7c7fL,0x2ccc4be9f88fb9L
+};
+#endif
+
+static int sp_384_point_new_ex_7(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_7(heap, sp, p) sp_384_point_new_ex_7((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_7(heap, sp, p) sp_384_point_new_ex_7((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_7(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[12];
+    int64_t a32d[12];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 12;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = (sp_digit)(a[0]) & 0xffffffffL;
+        a32[1] = (sp_digit)(a[0] >> 32U);
+        a32[1] |= a[1] << 23U;
+        a32[1] &= 0xffffffffL;
+        a32[2] = (sp_digit)(a[1] >> 9U) & 0xffffffffL;
+        a32[3] = (sp_digit)(a[1] >> 41U);
+        a32[3] |= a[2] << 14U;
+        a32[3] &= 0xffffffffL;
+        a32[4] = (sp_digit)(a[2] >> 18U) & 0xffffffffL;
+        a32[5] = (sp_digit)(a[2] >> 50U);
+        a32[5] |= a[3] << 5U;
+        a32[5] &= 0xffffffffL;
+        a32[6] = (sp_digit)(a[3] >> 27U);
+        a32[6] |= a[4] << 28U;
+        a32[6] &= 0xffffffffL;
+        a32[7] = (sp_digit)(a[4] >> 4U) & 0xffffffffL;
+        a32[8] = (sp_digit)(a[4] >> 36U);
+        a32[8] |= a[5] << 19U;
+        a32[8] &= 0xffffffffL;
+        a32[9] = (sp_digit)(a[5] >> 13U) & 0xffffffffL;
+        a32[10] = (sp_digit)(a[5] >> 45U);
+        a32[10] |= a[6] << 10U;
+        a32[10] &= 0xffffffffL;
+        a32[11] = (sp_digit)(a[6] >> 22U) & 0xffffffffL;
+
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + a32[0] + a32[8] + a32[9] - a32[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - a32[0] + a32[1] - a32[8] + a32[10] + a32[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - a32[1] + a32[2] - a32[9] + a32[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + a32[0] - a32[2] + a32[3] + a32[8] + a32[9] - a32[10] - a32[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + a32[0] + a32[1] - a32[3] + a32[4] + a32[8] + 2 * a32[9] + a32[10] -  2 * a32[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + a32[1] + a32[2] - a32[4] + a32[5] + a32[9] + 2 * a32[10] + a32[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + a32[2] + a32[3] - a32[5] + a32[6] + a32[10] + 2 * a32[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + a32[3] + a32[4] - a32[6] + a32[7] + a32[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + a32[4] + a32[5] - a32[7] + a32[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + a32[5] + a32[6] - a32[8] + a32[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + a32[6] + a32[7] - a32[9] + a32[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + a32[7] + a32[8] - a32[10] + a32[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = t[0];
+        r[0] |= t[1] << 32U;
+        r[0] &= 0x7fffffffffffffLL;
+        r[1] = (sp_digit)(t[1] >> 23);
+        r[1] |= t[2] << 9U;
+        r[1] |= t[3] << 41U;
+        r[1] &= 0x7fffffffffffffLL;
+        r[2] = (sp_digit)(t[3] >> 14);
+        r[2] |= t[4] << 18U;
+        r[2] |= t[5] << 50U;
+        r[2] &= 0x7fffffffffffffLL;
+        r[3] = (sp_digit)(t[5] >> 5);
+        r[3] |= t[6] << 27U;
+        r[3] &= 0x7fffffffffffffLL;
+        r[4] = (sp_digit)(t[6] >> 28);
+        r[4] |= t[7] << 4U;
+        r[4] |= t[8] << 36U;
+        r[4] &= 0x7fffffffffffffLL;
+        r[5] = (sp_digit)(t[8] >> 19);
+        r[5] |= t[9] << 13U;
+        r[5] |= t[10] << 45U;
+        r[5] &= 0x7fffffffffffffLL;
+        r[6] = (sp_digit)(t[10] >> 10);
+        r[6] |= t[11] << 22U;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 55
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 55
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0x7fffffffffffffL;
+        s = 55U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 55U) <= (word32)DIGIT_BIT) {
+            s += 55U;
+            r[j] &= 0x7fffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 55) {
+            r[j] &= 0x7fffffffffffffL;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 55 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_7(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 7, pm->x);
+    sp_384_from_mp(p->y, 7, pm->y);
+    sp_384_from_mp(p->z, 7, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 55
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 7);
+        r->used = 7;
+        mp_clamp(r);
+#elif DIGIT_BIT < 55
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 7; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 55) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 55 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 7; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 55 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 55 - s;
+            }
+            else {
+                s += 55;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_7(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_7(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[6]) * b[6];
+    r[13] = (sp_digit)(c >> 55);
+    c = (c & 0x7fffffffffffffL) << 55;
+    for (k = 11; k >= 0; k--) {
+        for (i = 6; i >= 0; i--) {
+            j = k - i;
+            if (j >= 7) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * b[j];
+        }
+        r[k + 2] += c >> 110;
+        r[k + 1] = (c >> 55) & 0x7fffffffffffffL;
+        c = (c & 0x7fffffffffffffL) << 55;
+    }
+    r[0] = (sp_digit)(c >> 55);
+}
+
+#else
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_7(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+    int128_t t0   = ((int128_t)a[ 0]) * b[ 0];
+    int128_t t1   = ((int128_t)a[ 0]) * b[ 1]
+                 + ((int128_t)a[ 1]) * b[ 0];
+    int128_t t2   = ((int128_t)a[ 0]) * b[ 2]
+                 + ((int128_t)a[ 1]) * b[ 1]
+                 + ((int128_t)a[ 2]) * b[ 0];
+    int128_t t3   = ((int128_t)a[ 0]) * b[ 3]
+                 + ((int128_t)a[ 1]) * b[ 2]
+                 + ((int128_t)a[ 2]) * b[ 1]
+                 + ((int128_t)a[ 3]) * b[ 0];
+    int128_t t4   = ((int128_t)a[ 0]) * b[ 4]
+                 + ((int128_t)a[ 1]) * b[ 3]
+                 + ((int128_t)a[ 2]) * b[ 2]
+                 + ((int128_t)a[ 3]) * b[ 1]
+                 + ((int128_t)a[ 4]) * b[ 0];
+    int128_t t5   = ((int128_t)a[ 0]) * b[ 5]
+                 + ((int128_t)a[ 1]) * b[ 4]
+                 + ((int128_t)a[ 2]) * b[ 3]
+                 + ((int128_t)a[ 3]) * b[ 2]
+                 + ((int128_t)a[ 4]) * b[ 1]
+                 + ((int128_t)a[ 5]) * b[ 0];
+    int128_t t6   = ((int128_t)a[ 0]) * b[ 6]
+                 + ((int128_t)a[ 1]) * b[ 5]
+                 + ((int128_t)a[ 2]) * b[ 4]
+                 + ((int128_t)a[ 3]) * b[ 3]
+                 + ((int128_t)a[ 4]) * b[ 2]
+                 + ((int128_t)a[ 5]) * b[ 1]
+                 + ((int128_t)a[ 6]) * b[ 0];
+    int128_t t7   = ((int128_t)a[ 1]) * b[ 6]
+                 + ((int128_t)a[ 2]) * b[ 5]
+                 + ((int128_t)a[ 3]) * b[ 4]
+                 + ((int128_t)a[ 4]) * b[ 3]
+                 + ((int128_t)a[ 5]) * b[ 2]
+                 + ((int128_t)a[ 6]) * b[ 1];
+    int128_t t8   = ((int128_t)a[ 2]) * b[ 6]
+                 + ((int128_t)a[ 3]) * b[ 5]
+                 + ((int128_t)a[ 4]) * b[ 4]
+                 + ((int128_t)a[ 5]) * b[ 3]
+                 + ((int128_t)a[ 6]) * b[ 2];
+    int128_t t9   = ((int128_t)a[ 3]) * b[ 6]
+                 + ((int128_t)a[ 4]) * b[ 5]
+                 + ((int128_t)a[ 5]) * b[ 4]
+                 + ((int128_t)a[ 6]) * b[ 3];
+    int128_t t10  = ((int128_t)a[ 4]) * b[ 6]
+                 + ((int128_t)a[ 5]) * b[ 5]
+                 + ((int128_t)a[ 6]) * b[ 4];
+    int128_t t11  = ((int128_t)a[ 5]) * b[ 6]
+                 + ((int128_t)a[ 6]) * b[ 5];
+    int128_t t12  = ((int128_t)a[ 6]) * b[ 6];
+
+    t1   += t0  >> 55; r[ 0] = t0  & 0x7fffffffffffffL;
+    t2   += t1  >> 55; r[ 1] = t1  & 0x7fffffffffffffL;
+    t3   += t2  >> 55; r[ 2] = t2  & 0x7fffffffffffffL;
+    t4   += t3  >> 55; r[ 3] = t3  & 0x7fffffffffffffL;
+    t5   += t4  >> 55; r[ 4] = t4  & 0x7fffffffffffffL;
+    t6   += t5  >> 55; r[ 5] = t5  & 0x7fffffffffffffL;
+    t7   += t6  >> 55; r[ 6] = t6  & 0x7fffffffffffffL;
+    t8   += t7  >> 55; r[ 7] = t7  & 0x7fffffffffffffL;
+    t9   += t8  >> 55; r[ 8] = t8  & 0x7fffffffffffffL;
+    t10  += t9  >> 55; r[ 9] = t9  & 0x7fffffffffffffL;
+    t11  += t10 >> 55; r[10] = t10 & 0x7fffffffffffffL;
+    t12  += t11 >> 55; r[11] = t11 & 0x7fffffffffffffL;
+    r[13] = (sp_digit)(t12 >> 55);
+                       r[12] = t12 & 0x7fffffffffffffL;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#define sp_384_mont_reduce_order_7         sp_384_mont_reduce_7
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_384_cmp_7(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=6; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    r |= (a[ 6] - b[ 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 5] - b[ 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 4] - b[ 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 3] - b[ 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 2] - b[ 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 1] - b[ 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 0] - b[ 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_384_cond_sub_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] - (b[ 0] & m);
+    r[ 1] = a[ 1] - (b[ 1] & m);
+    r[ 2] = a[ 2] - (b[ 2] & m);
+    r[ 3] = a[ 3] - (b[ 3] & m);
+    r[ 4] = a[ 4] - (b[ 4] & m);
+    r[ 5] = a[ 5] - (b[ 5] & m);
+    r[ 6] = a[ 6] - (b[ 6] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_384_mul_add_7(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x7fffffffffffffL;
+        t >>= 55;
+    }
+    r[7] += t;
+#else
+    int128_t tb = b;
+    int128_t t[7];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    r[ 0] += (sp_digit)                 (t[ 0] & 0x7fffffffffffffL);
+    r[ 1] += (sp_digit)((t[ 0] >> 55) + (t[ 1] & 0x7fffffffffffffL));
+    r[ 2] += (sp_digit)((t[ 1] >> 55) + (t[ 2] & 0x7fffffffffffffL));
+    r[ 3] += (sp_digit)((t[ 2] >> 55) + (t[ 3] & 0x7fffffffffffffL));
+    r[ 4] += (sp_digit)((t[ 3] >> 55) + (t[ 4] & 0x7fffffffffffffL));
+    r[ 5] += (sp_digit)((t[ 4] >> 55) + (t[ 5] & 0x7fffffffffffffL));
+    r[ 6] += (sp_digit)((t[ 5] >> 55) + (t[ 6] & 0x7fffffffffffffL));
+    r[ 7] += (sp_digit) (t[ 6] >> 55);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Normalize the values in each word to 55.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_384_norm_7(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 6; i++) {
+        a[i+1] += a[i] >> 55;
+        a[i] &= 0x7fffffffffffffL;
+    }
+#else
+    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
+    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
+    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
+    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
+    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
+    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;
+#endif
+}
+
+/* Shift the result in the high 384 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_384_mont_shift_7(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    word64 n;
+
+    n = a[6] >> 54;
+    for (i = 0; i < 6; i++) {
+        n += (word64)a[7 + i] << 1;
+        r[i] = n & 0x7fffffffffffffL;
+        n >>= 55;
+    }
+    n += (word64)a[13] << 1;
+    r[6] = n;
+#else
+    word64 n;
+
+    n  = a[6] >> 54;
+    n += (word64)a[ 7] << 1U; r[ 0] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[ 8] << 1U; r[ 1] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[ 9] << 1U; r[ 2] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[10] << 1U; r[ 3] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[11] << 1U; r[ 4] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[12] << 1U; r[ 5] = n & 0x7fffffffffffffUL; n >>= 55U;
+    n += (word64)a[13] << 1U; r[ 6] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[7], 0, sizeof(*r) * 7U);
+}
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    int i;
+    sp_digit mu;
+
+    sp_384_norm_7(a + 7);
+
+    for (i=0; i<6; i++) {
+        mu = (a[i] * mp) & 0x7fffffffffffffL;
+        sp_384_mul_add_7(a+i, m, mu);
+        a[i+1] += a[i] >> 55;
+    }
+    mu = (a[i] * mp) & 0x3fffffffffffffL;
+    sp_384_mul_add_7(a+i, m, mu);
+    a[i+1] += a[i] >> 55;
+    a[i] &= 0x7fffffffffffffL;
+
+    sp_384_mont_shift_7(a, a);
+    sp_384_cond_sub_7(a, a, m, 0 - (((a[6] >> 54) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(a);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_7(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_7(r, a, b);
+    sp_384_mont_reduce_7(r, m, mp);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_7(sp_digit* r, const sp_digit* a)
+{
+    int i, j, k;
+    int128_t c;
+
+    c = ((int128_t)a[6]) * a[6];
+    r[13] = (sp_digit)(c >> 55);
+    c = (c & 0x7fffffffffffffL) << 55;
+    for (k = 11; k >= 0; k--) {
+        for (i = 6; i >= 0; i--) {
+            j = k - i;
+            if (j >= 7 || i <= j) {
+                break;
+            }
+            if (j < 0) {
+                continue;
+            }
+
+            c += ((int128_t)a[i]) * a[j] * 2;
+        }
+        if (i == j) {
+           c += ((int128_t)a[i]) * a[i];
+        }
+
+        r[k + 2] += c >> 110;
+        r[k + 1] = (c >> 55) & 0x7fffffffffffffL;
+        c = (c & 0x7fffffffffffffL) << 55;
+    }
+    r[0] = (sp_digit)(c >> 55);
+}
+
+#else
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_7(sp_digit* r, const sp_digit* a)
+{
+    int128_t t0   =  ((int128_t)a[ 0]) * a[ 0];
+    int128_t t1   = (((int128_t)a[ 0]) * a[ 1]) * 2;
+    int128_t t2   = (((int128_t)a[ 0]) * a[ 2]) * 2
+                 +  ((int128_t)a[ 1]) * a[ 1];
+    int128_t t3   = (((int128_t)a[ 0]) * a[ 3]
+                 +  ((int128_t)a[ 1]) * a[ 2]) * 2;
+    int128_t t4   = (((int128_t)a[ 0]) * a[ 4]
+                 +  ((int128_t)a[ 1]) * a[ 3]) * 2
+                 +  ((int128_t)a[ 2]) * a[ 2];
+    int128_t t5   = (((int128_t)a[ 0]) * a[ 5]
+                 +  ((int128_t)a[ 1]) * a[ 4]
+                 +  ((int128_t)a[ 2]) * a[ 3]) * 2;
+    int128_t t6   = (((int128_t)a[ 0]) * a[ 6]
+                 +  ((int128_t)a[ 1]) * a[ 5]
+                 +  ((int128_t)a[ 2]) * a[ 4]) * 2
+                 +  ((int128_t)a[ 3]) * a[ 3];
+    int128_t t7   = (((int128_t)a[ 1]) * a[ 6]
+                 +  ((int128_t)a[ 2]) * a[ 5]
+                 +  ((int128_t)a[ 3]) * a[ 4]) * 2;
+    int128_t t8   = (((int128_t)a[ 2]) * a[ 6]
+                 +  ((int128_t)a[ 3]) * a[ 5]) * 2
+                 +  ((int128_t)a[ 4]) * a[ 4];
+    int128_t t9   = (((int128_t)a[ 3]) * a[ 6]
+                 +  ((int128_t)a[ 4]) * a[ 5]) * 2;
+    int128_t t10  = (((int128_t)a[ 4]) * a[ 6]) * 2
+                 +  ((int128_t)a[ 5]) * a[ 5];
+    int128_t t11  = (((int128_t)a[ 5]) * a[ 6]) * 2;
+    int128_t t12  =  ((int128_t)a[ 6]) * a[ 6];
+
+    t1   += t0  >> 55; r[ 0] = t0  & 0x7fffffffffffffL;
+    t2   += t1  >> 55; r[ 1] = t1  & 0x7fffffffffffffL;
+    t3   += t2  >> 55; r[ 2] = t2  & 0x7fffffffffffffL;
+    t4   += t3  >> 55; r[ 3] = t3  & 0x7fffffffffffffL;
+    t5   += t4  >> 55; r[ 4] = t4  & 0x7fffffffffffffL;
+    t6   += t5  >> 55; r[ 5] = t5  & 0x7fffffffffffffL;
+    t7   += t6  >> 55; r[ 6] = t6  & 0x7fffffffffffffL;
+    t8   += t7  >> 55; r[ 7] = t7  & 0x7fffffffffffffL;
+    t9   += t8  >> 55; r[ 8] = t8  & 0x7fffffffffffffL;
+    t10  += t9  >> 55; r[ 9] = t9  & 0x7fffffffffffffL;
+    t11  += t10 >> 55; r[10] = t10 & 0x7fffffffffffffL;
+    t12  += t11 >> 55; r[11] = t11 & 0x7fffffffffffffL;
+    r[13] = (sp_digit)(t12 >> 55);
+                       r[12] = t12 & 0x7fffffffffffffL;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_7(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_7(r, a);
+    sp_384_mont_reduce_7(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_7(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_7(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_7(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint64_t p384_mod_minus_2[6] = {
+    0x00000000fffffffdU,0xffffffff00000000U,0xfffffffffffffffeU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_7(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 7);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_7(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_384_mont_mul_7(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 7);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 7;
+    sp_digit* t3 = td + 4 * 7;
+    sp_digit* t4 = td + 6 * 7;
+    sp_digit* t5 = td + 8 * 7;
+
+    /* 0x2 */
+    sp_384_mont_sqr_7(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_7(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_7(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_7(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_7(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_7(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_7(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_7(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_7(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_7(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_7(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_7(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_7(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_7(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_7(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_7(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_7(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_7(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_7(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_7(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_7(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_7(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*7;
+    int64_t n;
+
+    sp_384_mont_inv_7(t1, p->z, t + 2*7);
+
+    sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_7(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_7(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 7, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_7(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_7(r->x, p384_mod);
+    sp_384_cond_sub_7(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_7(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 7, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_7(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_7(r->y, p384_mod);
+    sp_384_cond_sub_7(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_add_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        r[i] = a[i] + b[i];
+    }
+
+    return 0;
+}
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_add_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] + b[ 0];
+    r[ 1] = a[ 1] + b[ 1];
+    r[ 2] = a[ 2] + b[ 2];
+    r[ 3] = a[ 3] + b[ 3];
+    r[ 4] = a[ 4] + b[ 4];
+    r[ 5] = a[ 5] + b[ 5];
+    r[ 6] = a[ 6] + b[ 6];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_add_7(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_384_add_7(r, a, b);
+    sp_384_norm_7(r);
+    sp_384_cond_sub_7(r, r, m, 0 - (((r[6] >> 54) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_dbl_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_384_add_7(r, a, a);
+    sp_384_norm_7(r);
+    sp_384_cond_sub_7(r, r, m, 0 - (((r[6] >> 54) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_tpl_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_384_add_7(r, a, a);
+    sp_384_norm_7(r);
+    sp_384_cond_sub_7(r, r, m, 0 - (((r[6] >> 54) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r);
+    (void)sp_384_add_7(r, r, a);
+    sp_384_norm_7(r);
+    sp_384_cond_sub_7(r, r, m, 0 - (((r[6] >> 54) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_7(r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_sub_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        r[i] = a[i] - b[i];
+    }
+
+    return 0;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_384_sub_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    r[ 0] = a[ 0] - b[ 0];
+    r[ 1] = a[ 1] - b[ 1];
+    r[ 2] = a[ 2] - b[ 2];
+    r[ 3] = a[ 3] - b[ 3];
+    r[ 4] = a[ 4] - b[ 4];
+    r[ 5] = a[ 5] - b[ 5];
+    r[ 6] = a[ 6] - b[ 6];
+
+    return 0;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_384_cond_add_7(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    r[ 0] = a[ 0] + (b[ 0] & m);
+    r[ 1] = a[ 1] + (b[ 1] & m);
+    r[ 2] = a[ 2] + (b[ 2] & m);
+    r[ 3] = a[ 3] + (b[ 3] & m);
+    r[ 4] = a[ 4] + (b[ 4] & m);
+    r[ 5] = a[ 5] + (b[ 5] & m);
+    r[ 6] = a[ 6] + (b[ 6] & m);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_sub_7(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_384_sub_7(r, a, b);
+    sp_384_cond_add_7(r, r, m, r[6] >> 54);
+    sp_384_norm_7(r);
+}
+
+/* Shift number left one bit.
+ * Bottom bit is lost.
+ *
+ * r  Result of shift.
+ * a  Number to shift.
+ */
+SP_NOINLINE static void sp_384_rshift1_7(sp_digit* r, sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<6; i++) {
+        r[i] = ((a[i] >> 1) | (a[i + 1] << 54)) & 0x7fffffffffffffL;
+    }
+#else
+    r[0] = ((a[0] >> 1) | (a[1] << 54)) & 0x7fffffffffffffL;
+    r[1] = ((a[1] >> 1) | (a[2] << 54)) & 0x7fffffffffffffL;
+    r[2] = ((a[2] >> 1) | (a[3] << 54)) & 0x7fffffffffffffL;
+    r[3] = ((a[3] >> 1) | (a[4] << 54)) & 0x7fffffffffffffL;
+    r[4] = ((a[4] >> 1) | (a[5] << 54)) & 0x7fffffffffffffL;
+    r[5] = ((a[5] >> 1) | (a[6] << 54)) & 0x7fffffffffffffL;
+#endif
+    r[6] = a[6] >> 1;
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_384_div2_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_384_cond_add_7(r, a, m, 0 - (a[0] & 1));
+    sp_384_norm_7(r);
+    sp_384_rshift1_7(r, r);
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_7(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*7;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_7(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_7(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_7(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_7(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_7(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_7(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_7(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_7(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_7(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_7(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_7(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_7(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_7(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_7(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_7(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_7(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_7(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_7(y, y, t2, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_7(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_7(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*7;
+    sp_digit* t3 = t + 4*7;
+    sp_digit* t4 = t + 6*7;
+    sp_digit* t5 = t + 8*7;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_7(t1, p384_mod, q->y);
+    sp_384_norm_7(t1);
+    if ((sp_384_cmp_equal_7(p->x, q->x) & sp_384_cmp_equal_7(p->z, q->z) &
+        (sp_384_cmp_equal_7(p->y, q->y) | sp_384_cmp_equal_7(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_7(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<7; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<7; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<7; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_7(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_7(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_7(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_7(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_7(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_7(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_7(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_7(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_7(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_7(x, x, t5, p384_mod);
+        sp_384_mont_dbl_7(t1, y, p384_mod);
+        sp_384_mont_sub_7(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_7(y, y, x, p384_mod);
+        sp_384_mont_mul_7(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_7(y, y, t5, p384_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifdef WOLFSSL_SP_NO_MALLOC
+    sp_point_384 t[3];
+    sp_digit tmp[2 * 7 * 6];
+#else
+    sp_point_384* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+
+        /* t[0] = {0, 0, 1} * norm */
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_384_mod_mul_norm_7(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_7(t[1].y, g->y, p384_mod);
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_7(t[1].z, g->z, p384_mod);
+
+    if (err == MP_OKAY) {
+        i = 6;
+        c = 54;
+        n = k[i--] << (55 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 55;
+            }
+
+            y = (n >> 54) & 1;
+            n <<= 1;
+
+            sp_384_proj_point_add_7(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                   ((size_t)&t[1] & addr_mask[y])),
+                    sizeof(sp_point_384));
+            sp_384_proj_point_dbl_7(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                            ((size_t)&t[1] & addr_mask[y])), &t[2],
+                    sizeof(sp_point_384));
+        }
+
+        if (map != 0) {
+            sp_384_map_7(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_384));
+        }
+    }
+
+#ifndef WOLFSSL_SP_NO_MALLOC
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 7 * 6);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 t[3];
+    sp_digit tmp[2 * 7 * 6];
+#else
+    sp_point_384* t;
+    sp_digit* tmp;
+#endif
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point*)XMALLOC(sizeof(*t) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        t[1].infinity = 0;
+        err = sp_384_mod_mul_norm_7(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_7(t[1].y, g->y, p384_mod);
+    if (err == MP_OKAY)
+        err = sp_384_mod_mul_norm_7(t[1].z, g->z, p384_mod);
+
+    if (err == MP_OKAY) {
+        i = 6;
+        c = 54;
+        n = k[i--] << (55 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 55;
+            }
+
+            y = (n >> 54) & 1;
+            n <<= 1;
+
+            sp_384_proj_point_add_7(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                 ((size_t)&t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_384_proj_point_dbl_7(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                          ((size_t)&t[1] & addr_mask[y])), &t[2], sizeof(t[2]));
+        }
+
+        if (map != 0) {
+            sp_384_map_7(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 7 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 3);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(tmp));
+    ForceZero(t, sizeof(t));
+#endif
+
+    return err;
+}
+
+#else
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[7];
+    sp_digit y[7];
+} sp_table_entry_384;
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_fast_7(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[16];
+    sp_point_384 rtd;
+    sp_digit tmpd[2 * 7 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_7(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_384_mod_mul_norm_7(t[1].x, g->x, p384_mod);
+        (void)sp_384_mod_mul_norm_7(t[1].y, g->y, p384_mod);
+        (void)sp_384_mod_mul_norm_7(t[1].z, g->z, p384_mod);
+        t[1].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_384_proj_point_add_7(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_384_proj_point_add_7(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_384_proj_point_add_7(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_384_proj_point_add_7(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_384_proj_point_add_7(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_384_proj_point_add_7(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_384_proj_point_dbl_7(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_384_proj_point_add_7(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 5;
+        n = k[i+1] << 9;
+        c = 50;
+        y = n >> 59;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_384));
+        n <<= 5;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--] << (9 - c);
+                c += 55;
+            }
+            y = (n >> 60) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_384_proj_point_dbl_7(rt, rt, tmp);
+            sp_384_proj_point_dbl_7(rt, rt, tmp);
+            sp_384_proj_point_dbl_7(rt, rt, tmp);
+            sp_384_proj_point_dbl_7(rt, rt, tmp);
+
+            sp_384_proj_point_add_7(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_7(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 7 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_384_point_free_7(rt, 1, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_7(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*7;
+    sp_digit* b = t + 4*7;
+    sp_digit* t1 = t + 6*7;
+    sp_digit* t2 = t + 8*7;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_7(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_7(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_7(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_7(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_7(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_7(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_7(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_7(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_7(t2, b, p384_mod);
+        sp_384_mont_sub_7(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_7(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_7(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_7(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_7(y, b, x, p384_mod);
+        sp_384_mont_mul_7(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_7(y, y, p384_mod);
+        sp_384_mont_sub_7(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_7(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_7(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_7(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_7(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_7(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_7(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_7(t2, b, p384_mod);
+    sp_384_mont_sub_7(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_7(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_7(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_7(y, b, x, p384_mod);
+    sp_384_mont_mul_7(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_7(y, y, p384_mod);
+    sp_384_mont_sub_7(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_7(y, y, p384_mod);
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_7(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*7;
+    sp_digit* t3 = t + 4*7;
+    sp_digit* t4 = t + 6*7;
+    sp_digit* t5 = t + 8*7;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_7(t1, p384_mod, q->y);
+    sp_384_norm_7(t1);
+    if ((sp_384_cmp_equal_7(p->x, q->x) & sp_384_cmp_equal_7(p->z, q->z) &
+        (sp_384_cmp_equal_7(p->y, q->y) | sp_384_cmp_equal_7(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_7(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<7; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<7; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<7; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_7(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_7(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_7(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_7(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_7(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_7(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_7(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_7(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_7(t1, t3, p384_mod);
+        sp_384_mont_sub_7(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_7(t3, t3, x, p384_mod);
+        sp_384_mont_mul_7(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_7(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_7(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 7;
+    sp_digit* tmp = t + 4 * 7;
+
+    sp_384_mont_inv_7(t1, a->z, tmp);
+
+    sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_7(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_7(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_7(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_7(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_7(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_7(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_7(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_7(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_7(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_7(t, 48, tmp);
+            sp_384_proj_to_affine_7(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_7(t, s1, s2, tmp);
+                sp_384_proj_to_affine_7(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_7(s2, 0, heap);
+    sp_384_point_free_7(s1, 0, heap);
+    sp_384_point_free_7( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_7(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 7 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_7(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 55] >> (x % 55)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 55] >> (x % 55)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_7(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_7(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_7(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(p, 0, heap);
+    sp_384_point_free_7(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[7];
+    sp_digit y[7];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_7(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_7(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_7(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 7 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_7(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_7(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_7(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[7];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_7(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 7, km);
+        sp_384_point_from_ecc_point_7(point, gm);
+
+            err = sp_384_ecc_mulmod_7(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_7(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_7(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_384_ecc_mulmod_7(r, &p384_base, k, map, heap);
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_7(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_384_ecc_mulmod_7(r, &p384_base, k, map, heap);
+}
+
+#else
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x50756649c0b528L,0x71c541ad9c707bL,0x71506d35b8838dL,
+        0x4d1877fc3ce1d7L,0x6de2b645486845L,0x227025fee46c29L,
+        0x134eab708a6785L },
+      { 0x043dad4b03a4feL,0x517ef769535846L,0x58ba0ec14286feL,
+        0x47a7fecc5d6f3aL,0x1a840c6c352196L,0x3d3bb00044c72dL,
+        0x0ade2af0968571L } },
+    /* 2 */
+    { { 0x0647532b0c535bL,0x52a6e0a0c52c53L,0x5085aae6b24375L,
+        0x7096bb501c66b5L,0x47bdb3df9b7b7bL,0x11227e9b2f0be6L,
+        0x088b172704fa51L },
+      { 0x0e796f2680dc64L,0x796eb06a482ebfL,0x2b441d02e04839L,
+        0x19bef7312a5aecL,0x02247c38b8efb5L,0x099ed1185c329eL,
+        0x1ed71d7cdb096fL } },
+    /* 3 */
+    { { 0x6a3cc39edffea5L,0x7a386fafd3f9c4L,0x366f78fbd8d6efL,
+        0x529c7ad7873b80L,0x79eb30380eb471L,0x07c5d3b51760b7L,
+        0x36ee4f1cc69183L },
+      { 0x5ba260f526b605L,0x2f1dfaf0aa6e6fL,0x6bb5ca812a5752L,
+        0x3002d8d1276bc9L,0x01f82269483777L,0x1df33eaaf733cdL,
+        0x2b97e555f59255L } },
+    /* 4 */
+    { { 0x480c57f26feef9L,0x4d28741c248048L,0x0c9cf8af1f0c68L,
+        0x778f6a639a8016L,0x148e88c42e9c53L,0x464051757ecfe9L,
+        0x1a940bd0e2a5e1L },
+      { 0x713a46b74536feL,0x1757b153e1d7ebL,0x30dc8c9da07486L,
+        0x3b7460c1879b5eL,0x4b766c5317b315L,0x1b9de3aaf4d377L,
+        0x245f124c2cf8f5L } },
+    /* 5 */
+    { { 0x426e2ee349ddd0L,0x7df3365f84a022L,0x03b005d29a7c45L,
+        0x422c2337f9b5a4L,0x060494f4bde761L,0x5245e5db6da0b0L,
+        0x22b71d744677f2L },
+      { 0x19d097b7d5a7ceL,0x6bcb468823d34cL,0x1c3692d3be1d09L,
+        0x3c80ec7aa01f02L,0x7170f2ebaafd97L,0x06cbcc7d79d4e8L,
+        0x04a8da511fe760L } },
+    /* 6 */
+    { { 0x79c07a4fc52870L,0x6e9034a752c251L,0x603860a367382cL,
+        0x56d912d6aa87d0L,0x0a348a24abaf76L,0x6c5a23da14adcbL,
+        0x3cf60479a522b2L },
+      { 0x18dd774c61ed22L,0x0ff30168f93b0cL,0x3f79ae15642eddL,
+        0x40510f4915fbcbL,0x2c9ddfdfd1c6d6L,0x67b81b62aee55eL,
+        0x2824de79b07a43L } },
+    /* 7 */
+    { { 0x6c66efe085c629L,0x48c212b7913470L,0x4480fd2d057f0aL,
+        0x725ec7a89a9eb1L,0x78ce97ca1972b7L,0x54760ee70154fbL,
+        0x362a40e27b9f93L },
+      { 0x474dc7e7b14461L,0x602819389ef037L,0x1a13bc284370b2L,
+        0x0193ff1295a59dL,0x79615bde6ea5d2L,0x2e76e3d886acc1L,
+        0x3bb796812e2b60L } },
+    /* 8 */
+    { { 0x04cbb3893b9a2dL,0x4c16010a18baabL,0x19f7cb50f60831L,
+        0x084f400a0936c1L,0x72f1cdd5bbbf00L,0x1b30b725dc6702L,
+        0x182753e4fcc50cL },
+      { 0x059a07eadaf9d6L,0x26d81e24bf603cL,0x45583c839dc399L,
+        0x5579d4d6b1103aL,0x2e14ea59489ae7L,0x492f6e1c5ecc97L,
+        0x03740dc05db420L } },
+    /* 9 */
+    { { 0x413be88510521fL,0x3753ee49982e99L,0x6cd4f7098e1cc5L,
+        0x613c92bda4ec1dL,0x495378b677efe0L,0x132a2143839927L,
+        0x0cf8c336291c0bL },
+      { 0x7fc89d2208353fL,0x751b9da85657e1L,0x349b8a97d405c3L,
+        0x65a964b048428fL,0x1adf481276455eL,0x5560c8d89c2ffcL,
+        0x144fc11fac21a3L } },
+    /* 10 */
+    { { 0x7611f4df5bdf53L,0x634eb16234db80L,0x3c713b8e51174cL,
+        0x52c3c68ac4b2edL,0x53025ba8bebe75L,0x7175d98143105bL,
+        0x33ca8e266a48faL },
+      { 0x0c9281d24fd048L,0x76b3177604bbf3L,0x3b26ae754e106fL,
+        0x7f782275c6efc6L,0x36662538a4cb67L,0x0ca1255843e464L,
+        0x2a4674e142d9bcL } },
+    /* 11 */
+    { { 0x303b4085d480d8L,0x68f23650f4fa7bL,0x552a3ceeba3367L,
+        0x6da0c4947926e3L,0x6e0f5482eb8003L,0x0de717f3d6738aL,
+        0x22e5dcc826a477L },
+      { 0x1b05b27209cfc2L,0x7f0a0b65b6e146L,0x63586549ed3126L,
+        0x7d628dd2b23124L,0x383423fe510391L,0x57ff609eabd569L,
+        0x301f04370131baL } },
+    /* 12 */
+    { { 0x22fe4cdb32f048L,0x7f228ebdadbf5aL,0x02a99adb2d7c8eL,
+        0x01a02e05286706L,0x62d6adf627a89fL,0x49c6ce906fbf2bL,
+        0x0207256dae90b9L },
+      { 0x23e036e71d6cebL,0x199ed8d604e3d7L,0x0c1a11c076d16fL,
+        0x389291fb3da3f3L,0x47adc60f8f942eL,0x177048468e4b9aL,
+        0x20c09f5e61d927L } },
+    /* 13 */
+    { { 0x129ea63615b0b8L,0x03fb4a9b588367L,0x5ad6da8da2d051L,
+        0x33f782f44caeaaL,0x5a27fa80d45291L,0x6d1ed796942da4L,
+        0x08435a931ef556L },
+      { 0x004abb25351130L,0x6d33207c6fd7e7L,0x702130972074b7L,
+        0x0e34748af900f7L,0x762a531a28c87aL,0x3a903b5a4a6ac7L,
+        0x1775b79c35b105L } },
+    /* 14 */
+    { { 0x7470fd846612ceL,0x7dd9b431b32e53L,0x04bcd2be1a61bcL,
+        0x36ed7c5b5c260bL,0x6795f5ef0a4084L,0x46e2880b401c93L,
+        0x17d246c5aa8bdeL },
+      { 0x707ae4db41b38dL,0x233c31f7f9558fL,0x585110ec67bdf4L,
+        0x4d0cc931d0c703L,0x26fbe4356841a7L,0x64323e95239c44L,
+        0x371dc9230f3221L } },
+    /* 15 */
+    { { 0x70ff1ae4b1ec9dL,0x7c1dcfddee0daaL,0x53286782188748L,
+        0x6a5d9381e6f207L,0x3aa6c7d6523c4cL,0x6c02d83e0d97e2L,
+        0x16a9c916b45312L },
+      { 0x78146744b74de8L,0x742ec415269c6fL,0x237a2c6a860e79L,
+        0x186baf17ba68a7L,0x4261e8789fa51fL,0x3dc136480a5903L,
+        0x1953899e0cf159L } },
+    /* 16 */
+    { { 0x0205de2f9fbe67L,0x1706fee51c886fL,0x31a0b803c712bfL,
+        0x0a6aa11ede7603L,0x2463ef2a145c31L,0x615403b30e8f4aL,
+        0x3f024d6c5f5c5eL },
+      { 0x53bc4fd4d01f95L,0x7d512ac15a692cL,0x72be38fcfe6aa0L,
+        0x437f0b77bbca1eL,0x7fdcf70774a10eL,0x392d6c5cde37f3L,
+        0x229cbce79621d1L } },
+    /* 17 */
+    { { 0x2de4da2341c342L,0x5ca9d4e08844e7L,0x60dd073bcf74c9L,
+        0x4f30aa499b63ecL,0x23efd1eafa00d5L,0x7c99a7db1257b3L,
+        0x00febc9b3171b1L },
+      { 0x7e2fcf3045f8acL,0x2a642e9e3ce610L,0x23f82be69c5299L,
+        0x66e49ad967c279L,0x1c895ddfd7a842L,0x798981e22f6d25L,
+        0x0d595cb59322f3L } },
+    /* 18 */
+    { { 0x4bac017d8c1bbaL,0x73872161e7aafdL,0x0fd865f43d8163L,
+        0x019d89457708b7L,0x1b983c4dd70684L,0x095e109b74d841L,
+        0x25f1f0b3e0c76fL },
+      { 0x4e61ddf96010e8L,0x1c40a53f542e5eL,0x01a74dfc8365f9L,
+        0x69b36b92773333L,0x08e0fccc139ed3L,0x266d216ddc4269L,
+        0x1f2b47717ce9b5L } },
+    /* 19 */
+    { { 0x0a9a81da57a41fL,0x0825d800736cccL,0x2d7876b4579d28L,
+        0x3340ea6211a1e3L,0x49e89284f3ff54L,0x6276a210fe2c6eL,
+        0x01c3c8f31be7cbL },
+      { 0x2211da5d186e14L,0x1e6ffbb61bfea8L,0x536c7d060211d2L,
+        0x320168720d1d55L,0x5835525ed667baL,0x5125e52495205eL,
+        0x16113b9f3e9129L } },
+    /* 20 */
+    { { 0x3086073f3b236fL,0x283b03c443b5f5L,0x78e49ed0a067a7L,
+        0x2a878fb79fb2b8L,0x662f04348a9337L,0x57ee2cf732d50bL,
+        0x18b50dd65fd514L },
+      { 0x5feb9ef2955926L,0x2c3edbef06a7b0L,0x32728dad651029L,
+        0x116d00b1c4b347L,0x13254052bf1a1aL,0x3e77bf7fee5ec1L,
+        0x253943ca388882L } },
+    /* 21 */
+    { { 0x32e5b33062e8afL,0x46ebd147a6d321L,0x2c8076dec6a15cL,
+        0x7328d511ff0d80L,0x10ad7e926def0eL,0x4e8ca85937d736L,
+        0x02638c26e8bf2fL },
+      { 0x1deeb3fff1d63fL,0x5014417fa6e8efL,0x6e1da3de5c8f43L,
+        0x7ca942b42295d9L,0x23faacf75bb4d1L,0x4a71fcd680053dL,
+        0x04af4f90204dceL } },
+    /* 22 */
+    { { 0x23780d104cbba5L,0x4e8ff46bba9980L,0x2072a6da8d881fL,
+        0x3cc3d881ae11c9L,0x2eee84ff19be89L,0x69b708ed77f004L,
+        0x2a82928534eef9L },
+      { 0x794331187d4543L,0x70e0f3edc0cc41L,0x3ab1fa0b84c854L,
+        0x1478355c1d87baL,0x6f35fa7748ba28L,0x37b8be0531584dL,
+        0x03c3141c23a69fL } },
+    /* 23 */
+    { { 0x5c244cdef029ddL,0x0d0f0a0cc37018L,0x17f8476604f6afL,
+        0x13a6dd6ccc95c3L,0x5a242e9801b8f6L,0x211ca9cc632131L,
+        0x264a6a46a4694fL },
+      { 0x3ffd7235285887L,0x284be28302046fL,0x57f4b9b882f1d6L,
+        0x5e21772c940661L,0x7619a735c600cfL,0x2f76f5a50c9106L,
+        0x28d89c8c69de31L } },
+    /* 24 */
+    { { 0x799b5c91361ed8L,0x36ead8c66cd95cL,0x046c9969a91f5cL,
+        0x46bbdba2a66ea9L,0x29db0e0215a599L,0x26c8849b36f756L,
+        0x22c3feb31ff679L },
+      { 0x585d1237b5d9efL,0x5ac57f522e8e8dL,0x617e66e8b56c41L,
+        0x68826f276823cfL,0x0983f0e6f39231L,0x4e1075099084bdL,
+        0x2a541f82be0416L } },
+    /* 25 */
+    { { 0x468a6e14cf381cL,0x4f7b845c6399edL,0x36aa29732ebe74L,
+        0x19c726911ab46aL,0x2ad1fe431eec0eL,0x301e35051fd1eaL,
+        0x36da815e7a1ab3L },
+      { 0x05672e4507832aL,0x4ebf10fca51251L,0x6015843421cff0L,
+        0x3affad832fc013L,0x712b58d9b45540L,0x1e4751d1f6213eL,
+        0x0e7c2b218bafa7L } },
+    /* 26 */
+    { { 0x7abf784c52edf5L,0x6fcb4b135ca7b1L,0x435e46ac5f735cL,
+        0x67f8364ca48c5fL,0x46d45b5fbd956bL,0x10deda6065db94L,
+        0x0b37fdf85068f9L },
+      { 0x74b3ba61f47ec8L,0x42c7ddf08c10ccL,0x1531a1fe422a20L,
+        0x366f913d12be38L,0x6a846e30cb2edfL,0x2785898c994fedL,
+        0x061be85f331af3L } },
+    /* 27 */
+    { { 0x23f5361dfcb91eL,0x3c26c8da6b1491L,0x6e444a1e620d65L,
+        0x0c3babd5e8ac13L,0x573723ce612b82L,0x2d10e62a142c37L,
+        0x3d1a114c2d98bdL },
+      { 0x33950b401896f6L,0x7134efe7c12110L,0x31239fd2978472L,
+        0x30333bf5978965L,0x79f93313dd769fL,0x457fb9e11662caL,
+        0x190a73b251ae3cL } },
+    /* 28 */
+    { { 0x04dd54bb75f9a4L,0x0d7253a76ae093L,0x08f5b930792bbcL,
+        0x041f79adafc265L,0x4a9ff24c61c11bL,0x0019c94e724725L,
+        0x21975945d9cc2aL },
+      { 0x3dfe76722b4a2bL,0x17f2f6107c1d94L,0x546e1ae2944b01L,
+        0x53f1f06401e72dL,0x2dbe43fc7632d6L,0x5639132e185903L,
+        0x0f2f34eb448385L } },
+    /* 29 */
+    { { 0x7b4cc7ec30ce93L,0x58fb6e4e4145f7L,0x5d1ed5540043b5L,
+        0x19ffbe1f633adfL,0x5bfc0907259033L,0x6378f872e7ca0eL,
+        0x2c127b2c01eb3cL },
+      { 0x076eaf4f58839cL,0x2db54560bc9f68L,0x42ad0319b84062L,
+        0x46c325d1fb019dL,0x76d2a19ee9eebcL,0x6fbd6d9e2aa8f7L,
+        0x2396a598fe0991L } },
+    /* 30 */
+    { { 0x662fddf7fbd5e1L,0x7ca8ed22563ad3L,0x5b4768efece3b3L,
+        0x643786a422d1eaL,0x36ce80494950e1L,0x1a30795b7f2778L,
+        0x107f395c93f332L },
+      { 0x7939c28332c144L,0x491610e3c8dc0bL,0x099ba2bfdac5fcL,
+        0x5c2e3149ec29a7L,0x31b731d06f1dc3L,0x1cbb60d465d462L,
+        0x3ca5461362cfd9L } },
+    /* 31 */
+    { { 0x653ff736ddc103L,0x7c6f2bdec0dfb2L,0x73f81b73a097d0L,
+        0x05b775f84f180fL,0x56b2085af23413L,0x0d6f36256a61feL,
+        0x26d3ed267fa68fL },
+      { 0x54f89251d27ac2L,0x4fc6ad94a71202L,0x7ebf01969b4cc5L,
+        0x7ba364dbc14760L,0x4f8370959a2587L,0x7b7631e37c6188L,
+        0x29e51845f104cbL } },
+    /* 32 */
+    { { 0x426b775e3c647bL,0x327319e0a69180L,0x0c5cb034f6ff2fL,
+        0x73aa39b98e9897L,0x7ee615f49fde6eL,0x3f712aa61e0db4L,
+        0x33ca06c2ba2ce9L },
+      { 0x14973541b8a543L,0x4b4e6101ba61faL,0x1d94e4233d0698L,
+        0x501513c715d570L,0x1b8f8c3d01436bL,0x52f41a0445cf64L,
+        0x3f709c3a75fb04L } },
+    /* 33 */
+    { { 0x073c0cbc7f41d6L,0x227c36f5ac8201L,0x508e110fef65d8L,
+        0x0f317229529b7fL,0x45fc6030d00e24L,0x118a65d30cebeaL,
+        0x3340cc4223a448L },
+      { 0x204c999797612cL,0x7c05dd4ce9c5a3L,0x7b865d0a8750e4L,
+        0x2f82c876ab7d34L,0x2243ddd2ab4808L,0x6834b9df8a4914L,
+        0x123319ed950e0fL } },
+    /* 34 */
+    { { 0x50430efc14ab48L,0x7e9e4ce0d4e89cL,0x2332207fd8656dL,
+        0x4a2809e97f4511L,0x2162bb1b968e2dL,0x29526d54af2972L,
+        0x13edd9adcd939dL },
+      { 0x793bca31e1ff7fL,0x6b959c9e4d2227L,0x628ac27809a5baL,
+        0x2c71ffc7fbaa5fL,0x0c0b058f13c9ceL,0x5676eae68de2cfL,
+        0x35508036ea19a4L } },
+    /* 35 */
+    { { 0x030bbd6dda1265L,0x67f9d12e31bb34L,0x7e4d8196e3ded3L,
+        0x7b9120e5352498L,0x75857bce72d875L,0x4ead976a396caeL,
+        0x31c5860553a64dL },
+      { 0x1a0f792ee32189L,0x564c4efb8165d0L,0x7adc7d1a7fbcbeL,
+        0x7ed7c2ccf327b7L,0x35df1b448ce33dL,0x6f67eb838997cdL,
+        0x3ee37ec0077917L } },
+    /* 36 */
+    { { 0x345fa74d5bb921L,0x097c9a56ccfd8eL,0x00a0b5e8f971f8L,
+        0x723d95223f69d4L,0x08e2e5c2777f87L,0x68b13676200109L,
+        0x26ab5df0acbad6L },
+      { 0x01bca7daac34aeL,0x49ca4d5f664dadL,0x110687b850914bL,
+        0x1203d6f06443c9L,0x7a2ac743b04d4cL,0x40d96bd3337f82L,
+        0x13728be0929c06L } },
+    /* 37 */
+    { { 0x631ca61127bc1aL,0x2b362fd5a77cd1L,0x17897d68568fb7L,
+        0x21070af33db5b2L,0x6872e76221794aL,0x436f29fb076963L,
+        0x1f2acfc0ecb7b3L },
+      { 0x19bf15ca9b3586L,0x32489a4a17aee2L,0x2b31af3c929551L,
+        0x0db7c420b9b19fL,0x538c39bd308c2bL,0x438775c0dea88fL,
+        0x1537304d7cd07fL } },
+    /* 38 */
+    { { 0x53598d943caf0dL,0x1d5244bfe266adL,0x7158feb7ab3811L,
+        0x1f46e13cf6fb53L,0x0dcab632eb9447L,0x46302968cfc632L,
+        0x0b53d3cc5b6ec7L },
+      { 0x69811ca143b7caL,0x5865bcf9f2a11aL,0x74ded7fa093b06L,
+        0x1c878ec911d5afL,0x04610e82616e49L,0x1e157fe9640eb0L,
+        0x046e6f8561d6c2L } },
+    /* 39 */
+    { { 0x631a3d3bbe682cL,0x3a4ce9dde5ba95L,0x28f11f7502f1f1L,
+        0x0a55cf0c957e88L,0x495e4ec7e0a3bcL,0x30ad4d87ba365cL,
+        0x0217b97a4c26f3L },
+      { 0x01a9088c2e67fdL,0x7501c4c3d5e5e7L,0x265b7bb854c820L,
+        0x729263c87e6b52L,0x308b9e3b8fb035L,0x33f1b86c1b23abL,
+        0x0e81b8b21fc99cL } },
+    /* 40 */
+    { { 0x59f5a87237cac0L,0x6b3a86b0cf28b9L,0x13a53db13a4fc2L,
+        0x313c169a1c253bL,0x060158304ed2bbL,0x21e171b71679bcL,
+        0x10cdb754d76f86L },
+      { 0x44355392ab473aL,0x64eb7cbda08caeL,0x3086426a900c71L,
+        0x49016ed9f3c33cL,0x7e6354ab7e04f9L,0x17c4c91a40cd2eL,
+        0x3509f461024c66L } },
+    /* 41 */
+    { { 0x2848f50f9b5a31L,0x68d1755b6c5504L,0x48cd5d5672ec00L,
+        0x4d77421919d023L,0x1e1e349ef68807L,0x4ab5130cf415d7L,
+        0x305464c6c7dbe6L },
+      { 0x64eb0bad74251eL,0x64c6957e52bda4L,0x6c12583440dee6L,
+        0x6d3bee05b00490L,0x186970de53dbc4L,0x3be03b37567a56L,
+        0x2b553b1ebdc55bL } },
+    /* 42 */
+    { { 0x74dc3579efdc58L,0x26d29fed1bb71cL,0x334c825a9515afL,
+        0x433c1e839273a6L,0x0d8a4e41cff423L,0x3454098fe42f8eL,
+        0x1046674bf98686L },
+      { 0x09a3e029c05dd2L,0x54d7cfc7fb53a7L,0x35f0ad37e14d7cL,
+        0x73a294a13767b9L,0x3f519678275f4fL,0x788c63393993a4L,
+        0x0781680b620123L } },
+    /* 43 */
+    { { 0x4c8e2ed4d5ffe8L,0x112db7d42fe4ebL,0x433b8f2d2be2edL,
+        0x23e30b29a82cbcL,0x35d2f4c06ee85aL,0x78ff31ffe4b252L,
+        0x0d31295c8cbff5L },
+      { 0x314806ea0376a2L,0x4ea09e22bc0589L,0x0879575f00ba97L,
+        0x188226d2996bb7L,0x7799368dc9411fL,0x7ab24e5c8cae36L,
+        0x2b6a8e2ee4ea33L } },
+    /* 44 */
+    { { 0x70c7127d4ed72aL,0x24c9743ef34697L,0x2fd30e7a93683aL,
+        0x538a89c246012cL,0x6c660a5394ed82L,0x79a95ea239d7e0L,
+        0x3f3af3bbfb170dL },
+      { 0x3b75aa779ae8c1L,0x33995a3cc0dde4L,0x7489d5720b7bfdL,
+        0x599677ef9fa937L,0x3defd64c5ab44bL,0x27d52dc234522bL,
+        0x2ac65d1a8450e0L } },
+    /* 45 */
+    { { 0x478585ec837d7dL,0x5f7971dc174887L,0x67576ed7bb296dL,
+        0x5a78e529a74926L,0x640f73f4fa104bL,0x7d42a8b16e4730L,
+        0x108c7eaa75fd01L },
+      { 0x60661ef96e6896L,0x18d3a0761f3aa7L,0x6e71e163455539L,
+        0x165827d6a7e583L,0x4e7f77e9527935L,0x790bebe2ae912eL,
+        0x0b8fe9561adb55L } },
+    /* 46 */
+    { { 0x4d48036a9951a8L,0x371084f255a085L,0x66aeca69cea2c5L,
+        0x04c99f40c745e7L,0x08dc4bfd9a0924L,0x0b0ec146b29df7L,
+        0x05106218d01c91L },
+      { 0x2a56ee99caedc7L,0x5d9b23a203922cL,0x1ce4c80b6a3ec4L,
+        0x2666bcb75338cbL,0x185a81aac8c4aaL,0x2b4fb60a06c39eL,
+        0x0327e1b3633f42L } },
+    /* 47 */
+    { { 0x72814710b2a556L,0x52c864f6e16534L,0x4978de66ddd9f2L,
+        0x151f5950276cf0L,0x450ac6781d2dc2L,0x114b7a22dd61b2L,
+        0x3b32b07f29faf8L },
+      { 0x68444fdc2d6e94L,0x68526bd9e437bcL,0x0ca780e8b0d887L,
+        0x69f3f850a716aaL,0x500b953e42cd57L,0x4e57744d812e7dL,
+        0x000a5f0e715f48L } },
+    /* 48 */
+    { { 0x2aab10b8243a7dL,0x727d1f4b18b675L,0x0e6b9fdd91bbbbL,
+        0x0d58269fc337e5L,0x45d6664105a266L,0x11946af1b14072L,
+        0x2c2334f91e46e1L },
+      { 0x6dc5f8756d2411L,0x21b34eaa25188bL,0x0d2797da83529eL,
+        0x324df55616784bL,0x7039ec66d267dfL,0x2de79cdb2d108cL,
+        0x14011b1ad0bde0L } },
+    /* 49 */
+    { { 0x2e160266425043L,0x55fbe11b712125L,0x7e3c58b3947fd9L,
+        0x67aacc79c37ad3L,0x4a18e18d2dea0fL,0x5eef06e5674351L,
+        0x37c3483ae33439L },
+      { 0x5d5e1d75bb4045L,0x0f9d72db296efdL,0x60b1899dd894a9L,
+        0x06e8818ded949aL,0x747fd853c39434L,0x0953b937d9efabL,
+        0x09f08c0beeb901L } },
+    /* 50 */
+    { { 0x1d208a8f2d49ceL,0x54042c5be1445aL,0x1c2681fd943646L,
+        0x219c8094e2e674L,0x442cddf07238b8L,0x574a051c590832L,
+        0x0b72f4d61c818aL },
+      { 0x7bc3cbe4680967L,0x0c8b3f25ae596bL,0x0445b0da74a9efL,
+        0x0bbf46c40363b7L,0x1df575c50677a3L,0x016ea6e73d68adL,
+        0x0b5207bd8db0fdL } },
+    /* 51 */
+    { { 0x2d39fdfea1103eL,0x2b252bf0362e34L,0x63d66c992baab9L,
+        0x5ac97706de8550L,0x0cca390c39c1acL,0x0d9bec5f01b2eaL,
+        0x369360a0f7e5f3L },
+      { 0x6dd3461e201067L,0x70b2d3f63ed614L,0x487580487c54c7L,
+        0x6020e48a44af2aL,0x1ccf80b21aab04L,0x3cf3b12d88d798L,
+        0x349368eccc506fL } },
+    /* 52 */
+    { { 0x5a053753b0a354L,0x65e818dbb9b0aeL,0x7d5855ee50e4bfL,
+        0x58dc06885c7467L,0x5ee15073e57bd3L,0x63254ebc1e07fdL,
+        0x1d48e0392aa39bL },
+      { 0x4e227c6558ffe9L,0x0c3033d8a82a3eL,0x7bde65c214e8d2L,
+        0x6e23561559c16aL,0x5094c5e6deaffdL,0x78dca2880f1f91L,
+        0x3d9d3f947d838dL } },
+    /* 53 */
+    { { 0x387ae5af63408fL,0x6d539aeb4e6edfL,0x7f3d3186368e70L,
+        0x01a6446bc19989L,0x35288fbcd4482fL,0x39288d34ec2736L,
+        0x1de9c47159ad76L },
+      { 0x695dc7944f8d65L,0x3eca2c35575094L,0x0c918059a79b69L,
+        0x4573a48c32a74eL,0x580d8bc8b93f52L,0x190be3a3d071eaL,
+        0x2333e686b3a8cbL } },
+    /* 54 */
+    { { 0x2b110c7196fee2L,0x3ac70e99128a51L,0x20a6bb6b75d5e6L,
+        0x5f447fa513149aL,0x560d69714cc7b2L,0x1d3ee25279fab1L,
+        0x369adb2ccca959L },
+      { 0x3fddb13dd821c2L,0x70bf21ba647be8L,0x64121227e3cbc9L,
+        0x12633a4c892320L,0x3c15c61660f26dL,0x1932c3b3d19900L,
+        0x18c718563eab71L } },
+    /* 55 */
+    { { 0x72ebe0fd752366L,0x681c2737d11759L,0x143c805e7ae4f0L,
+        0x78ed3c2cc7b324L,0x5c16e14820254fL,0x226a4f1c4ec9f0L,
+        0x2891bb915eaac6L },
+      { 0x061eb453763b33L,0x07f88b81781a87L,0x72b5ac7a87127cL,
+        0x7ea4e4cd7ff8b5L,0x5e8c3ce33908b6L,0x0bcb8a3d37feffL,
+        0x01da9e8e7fc50bL } },
+    /* 56 */
+    { { 0x639dfe9e338d10L,0x32dfe856823608L,0x46a1d73bca3b9aL,
+        0x2da685d4b0230eL,0x6e0bc1057b6d69L,0x7144ec724a5520L,
+        0x0b067c26b87083L },
+      { 0x0fc3f0eef4c43dL,0x63500f509552b7L,0x220d74af6f8b86L,
+        0x038996eafa2aa9L,0x7f6750f4aee4d2L,0x3e1d3f06718720L,
+        0x1ea1d37243814cL } },
+    /* 57 */
+    { { 0x322d4597c27050L,0x1beeb3ce17f109L,0x15e5ce2e6ef42eL,
+        0x6c8be27da6b3a0L,0x66e3347f4d5f5cL,0x7172133899c279L,
+        0x250aff4e548743L },
+      { 0x28f0f6a43b566dL,0x0cd2437fefbca0L,0x5b1108cb36bdbaL,
+        0x48a834d41fb7c2L,0x6cb8565680579fL,0x42da2412b45d9fL,
+        0x33dfc1abb6c06eL } },
+    /* 58 */
+    { { 0x56e3c48ef96c80L,0x65667bb6c1381eL,0x09f70514375487L,
+        0x1548ff115f4a08L,0x237de2d21a0710L,0x1425cdee9f43dfL,
+        0x26a6a42e055b0aL },
+      { 0x4ea9ea9dc7dfcbL,0x4df858583ac58aL,0x1d274f819f1d39L,
+        0x26e9c56cf91fcbL,0x6cee31c7c3a465L,0x0bb8e00b108b28L,
+        0x226158da117301L } },
+    /* 59 */
+    { { 0x5a7cd4fce73946L,0x7b6a462d0ac653L,0x732ea4bb1a3da5L,
+        0x7c8e9f54711af4L,0x0a6cd55d4655f9L,0x341e6d13e4754aL,
+        0x373c87098879a8L },
+      { 0x7bc82e61b818bfL,0x5f2db48f44879fL,0x2a2f06833f1d28L,
+        0x494e5b691a74c0L,0x17d6cf35fd6b57L,0x5f7028d1c25dfcL,
+        0x377a9ab9562cb6L } },
+    /* 60 */
+    { { 0x4de8877e787b2eL,0x183e7352621a52L,0x2ab0509974962bL,
+        0x045a450496cb8aL,0x3bf7118b5591c7L,0x7724f98d761c35L,
+        0x301607e8d5a0c1L },
+      { 0x0f58a3f24d4d58L,0x3771c19c464f3cL,0x06746f9c0bfafaL,
+        0x56564c9c8feb52L,0x0d66d9a7d8a45fL,0x403578141193caL,
+        0x00b0d0bdc19260L } },
+    /* 61 */
+    { { 0x571407157bdbc2L,0x138d5a1c2c0b99L,0x2ee4a8057dcbeaL,
+        0x051ff2b58e9ed1L,0x067378ad9e7cdaL,0x7cc2c1db97a49eL,
+        0x1e7536ccd849d6L },
+      { 0x531fd95f3497c4L,0x55dc08325f61a7L,0x144e942bce32bfL,
+        0x642d572f09e53aL,0x556ff188261678L,0x3e79c0d9d513d6L,
+        0x0bbbc6656f6d52L } },
+    /* 62 */
+    { { 0x57d3eb50596edcL,0x26c520a487451dL,0x0a92db40aea8d6L,
+        0x27df6345109616L,0x7733d611fd727cL,0x61d14171fef709L,
+        0x36169ae417c36bL },
+      { 0x6899f5d4091cf7L,0x56ce5dfe4ed0c1L,0x2c430ce5913fbcL,
+        0x1b13547e0f8caeL,0x4840a8275d3699L,0x59b8ef209e81adL,
+        0x22362dff5ea1a2L } },
+    /* 63 */
+    { { 0x7237237bd98425L,0x73258e162a9d0bL,0x0a59a1e8bb5118L,
+        0x4190a7ee5d8077L,0x13684905fdbf7cL,0x31c4033a52626bL,
+        0x010a30e4fbd448L },
+      { 0x47623f981e909aL,0x670af7c325b481L,0x3d004241fa4944L,
+        0x0905a2ca47f240L,0x58f3cdd7a187c3L,0x78b93aee05b43fL,
+        0x19b91d4ef8d63bL } },
+    /* 64 */
+    { { 0x0d34e116973cf4L,0x4116fc9e69ee0eL,0x657ae2b4a482bbL,
+        0x3522eed134d7cdL,0x741e0dde0a036aL,0x6554316a51cc7bL,
+        0x00f31c6ca89837L },
+      { 0x26770aa06b1dd7L,0x38233a4ceba649L,0x065a1110c96feaL,
+        0x18d367839e0f15L,0x794543660558d1L,0x39b605139065dcL,
+        0x29abbec071b637L } },
+    /* 65 */
+    { { 0x1464b401ab5245L,0x16db891b27ff74L,0x724eb49cb26e34L,
+        0x74fee3bc9cc33eL,0x6a8bdbebe085eaL,0x5c2e75ca207129L,
+        0x1d03f2268e6b08L },
+      { 0x28b0a328e23b23L,0x645dc26209a0bcL,0x62c28990348d49L,
+        0x4dd9be1fa333d0L,0x6183aac74a72e4L,0x1d6f3ee69e1d03L,
+        0x2fff96db0ff670L } },
+    /* 66 */
+    { { 0x2358f5c6a2123fL,0x5b2bfc51bedb63L,0x4fc6674be649ecL,
+        0x51fc16e44b813aL,0x2ffe10a73754c1L,0x69a0c7a053aeefL,
+        0x150e605fb6b9b4L },
+      { 0x179eef6b8b83c4L,0x64293b28ad05efL,0x331795fab98572L,
+        0x09823eec78727dL,0x36508042b89b81L,0x65f1106adb927eL,
+        0x2fc0234617f47cL } },
+    /* 67 */
+    { { 0x12aa244e8068dbL,0x0c834ae5348f00L,0x310fc1a4771cb3L,
+        0x6c90a2f9e19ef9L,0x77946fa0573471L,0x37f5df81e5f72fL,
+        0x204f5d72cbe048L },
+      { 0x613c724383bba6L,0x1ce14844967e0aL,0x797c85e69aa493L,
+        0x4fb15b0f2ce765L,0x5807978e2e8aa7L,0x52c75859876a75L,
+        0x1554635c763d3eL } },
+    /* 68 */
+    { { 0x4f292200623f3bL,0x6222be53d7fe07L,0x1e02a9a08c2571L,
+        0x22c6058216b912L,0x1ec20044c7ba17L,0x53f94c5efde12bL,
+        0x102b8aadfe32a4L },
+      { 0x45377aa927b102L,0x0d41b8062ee371L,0x77085a9018e62aL,
+        0x0c69980024847cL,0x14739b423a73a9L,0x52ec6961fe3c17L,
+        0x38a779c94b5a7dL } },
+    /* 69 */
+    { { 0x4d14008435af04L,0x363bfd8325b4e8L,0x48cdb715097c95L,
+        0x1b534540f8bee0L,0x4ca1e5c90c2a76L,0x4b52c193d6eee0L,
+        0x277a33c79becf5L },
+      { 0x0fee0d511d3d06L,0x4627f3d6a58f8cL,0x7c81ac245119b8L,
+        0x0c8d526ba1e07aL,0x3dbc242f55bac2L,0x2399df8f91fffdL,
+        0x353e982079ba3bL } },
+    /* 70 */
+    { { 0x6405d3b0ab9645L,0x7f31abe3ee236bL,0x456170a9babbb1L,
+        0x09634a2456a118L,0x5b1c6045acb9e5L,0x2c75c20d89d521L,
+        0x2e27ccf5626399L },
+      { 0x307cd97fed2ce4L,0x1c2fbb02b64087L,0x542a068d27e64dL,
+        0x148c030b3bc6a6L,0x671129e616ade5L,0x123f40db60dafcL,
+        0x07688f3c621220L } },
+    /* 71 */
+    { { 0x1c46b342f2c4b5L,0x27decc0b3c8f04L,0x0d9bd433464c54L,
+        0x1f3d893b818572L,0x2536043b536c94L,0x57e00c4b19ebf9L,
+        0x3938fb9e5ad55eL },
+      { 0x6b390024c8b22fL,0x4583f97e20a976L,0x2559d24abcbad7L,
+        0x67a9cabc9bd8c6L,0x73a56f09432e4aL,0x79eb0beb53a3b7L,
+        0x3e19d47f6f8221L } },
+    /* 72 */
+    { { 0x7399cb9d10e0b2L,0x32acc1b8a36e2aL,0x287d60c2407035L,
+        0x42c82420ea4b5cL,0x13f286658bc268L,0x3c91181156e064L,
+        0x234b83dcdeb963L },
+      { 0x79bc95486cfee6L,0x4d8fd3cb78af36L,0x07362ba5e80da8L,
+        0x79d024a0d681b0L,0x6b58406907f87fL,0x4b40f1e977e58fL,
+        0x38dcc6fd5fa342L } },
+    /* 73 */
+    { { 0x72282be1cd0abeL,0x02bd0fdfdf44e5L,0x19b0e0d2f753e4L,
+        0x4514e76ce8c4c0L,0x02ebc9c8cdcc1bL,0x6ac0c0373e9fddL,
+        0x0dc414af1c81a9L },
+      { 0x7a109246f32562L,0x26982e6a3768edL,0x5ecd8daed76ab5L,
+        0x2eaa70061eb261L,0x09e7c038a8c514L,0x2a2603cc300658L,
+        0x25d93ab9e55cd4L } },
+    /* 74 */
+    { { 0x11b19fcbd5256aL,0x41e4d94274770fL,0x0133c1a411001fL,
+        0x360bac481dbca3L,0x45908b18a9c22bL,0x1e34396fafb03aL,
+        0x1b84fea7486edaL },
+      { 0x183c62a71e6e16L,0x5f1dc30e93da8eL,0x6cb97b502573c3L,
+        0x3708bf0964e3fcL,0x35a7f042eeacceL,0x56370da902c27fL,
+        0x3a873c3b72797fL } },
+    /* 75 */
+    { { 0x6573c9cea4cc9bL,0x2c3b5f9d91e6dcL,0x2a90e2dbd9505eL,
+        0x66a75444025f81L,0x1571fb894b03cdL,0x5d1a1f00fd26f3L,
+        0x0d19a9fd618855L },
+      { 0x659acd56515664L,0x7279478bd616a3L,0x09a909e76d56c3L,
+        0x2fd70474250358L,0x3a1a25c850579cL,0x11b9e0f71b74ccL,
+        0x1268daef3d1bffL } },
+    /* 76 */
+    { { 0x7f5acc46d93106L,0x5bc15512f939c8L,0x504b5f92f996deL,
+        0x25965549be7a64L,0x357a3a2ae9b80dL,0x3f2bcf9c139cc0L,
+        0x0a7ddd99f23b35L },
+      { 0x6868f5a8a0b1c5L,0x319ec52f15b1beL,0x0770000a849021L,
+        0x7f4d50287bd608L,0x62c971d28a9d7fL,0x164e89309acb72L,
+        0x2a29f002cf4a32L } },
+    /* 77 */
+    { { 0x58a852ae11a338L,0x27e3a35f2dcef8L,0x494d5731ce9e18L,
+        0x49516f33f4bb3eL,0x386b26ba370097L,0x4e8fac1ec30248L,
+        0x2ac26d4c44455dL },
+      { 0x20484198eb9dd0L,0x75982a0e06512bL,0x152271b9279b05L,
+        0x5908a9857e36d2L,0x6a933ab45a60abL,0x58d8b1acb24fafL,
+        0x28fbcf19425590L } },
+    /* 78 */
+    { { 0x5420e9df010879L,0x4aba72aec2f313L,0x438e544eda7494L,
+        0x2e8e189ce6f7eaL,0x2f771e4efe45bdL,0x0d780293bce7efL,
+        0x1569ad3d0d02acL },
+      { 0x325251ebeaf771L,0x02510f1a8511e2L,0x3863816bf8aad1L,
+        0x60fdb15fe6ac19L,0x4792aef52a348cL,0x38e57a104e9838L,
+        0x0d171611a1df1bL } },
+    /* 79 */
+    { { 0x15ceb0bea65e90L,0x6e56482db339bcL,0x37f618f7b0261fL,
+        0x6351abc226dabcL,0x0e999f617b74baL,0x37d3cc57af5b69L,
+        0x21df2b987aac68L },
+      { 0x2dddaa3a358610L,0x2da264bc560e47L,0x545615d538bf13L,
+        0x1c95ac244b8cc7L,0x77de1f741852cbL,0x75d324f00996abL,
+        0x3a79b13b46aa3bL } },
+    /* 80 */
+    { { 0x7db63998683186L,0x6849bb989d530cL,0x7b53c39ef7ed73L,
+        0x53bcfbf664d3ffL,0x25ef27c57f71c7L,0x50120ee80f3ad6L,
+        0x243aba40ed0205L },
+      { 0x2aae5e0ee1fcebL,0x3449d0d8343fbeL,0x5b2864fb7cffc7L,
+        0x64dceb5407ac3eL,0x20303a5695523dL,0x3def70812010b2L,
+        0x07be937f2e9b6fL } },
+    /* 81 */
+    { { 0x5838f9e0540015L,0x728d8720efb9f7L,0x1ab5864490b0c8L,
+        0x6531754458fdcfL,0x600ff9612440c0L,0x48735b36a585b7L,
+        0x3d4aaea86b865dL },
+      { 0x6898942cac32adL,0x3c84c5531f23a1L,0x3c9dbd572f7edeL,
+        0x5691f0932a2976L,0x186f0db1ac0d27L,0x4fbed18bed5bc9L,
+        0x0e26b0dee0b38cL } },
+    /* 82 */
+    { { 0x1188b4f8e60f5bL,0x602a915455b4a2L,0x60e06af289ff99L,
+        0x579fe4bed999e5L,0x2bc03b15e6d9ddL,0x1689649edd66d5L,
+        0x3165e277dca9d2L },
+      { 0x7cb8a529cf5279L,0x57f8035b34d84dL,0x352e2eb26de8f1L,
+        0x6406820c3367c4L,0x5d148f4c899899L,0x483e1408482e15L,
+        0x1680bd1e517606L } },
+    /* 83 */
+    { { 0x5c877cc1c90202L,0x2881f158eae1f4L,0x6f45e207df4267L,
+        0x59280eba1452d8L,0x4465b61e267db5L,0x171f1137e09e5cL,
+        0x1368eb821daa93L },
+      { 0x70fe26e3e66861L,0x52a6663170da7dL,0x71d1ce5b7d79dcL,
+        0x1cffe9be1e1afdL,0x703745115a29c4L,0x73b7f897b2f65aL,
+        0x02218c3a95891aL } },
+    /* 84 */
+    { { 0x16866db8a9e8c9L,0x4770b770123d9bL,0x4c116cf34a8465L,
+        0x079b28263fc86aL,0x3751c755a72b58L,0x7bc8df1673243aL,
+        0x12fff72454f064L },
+      { 0x15c049b89554e7L,0x4ea9ef44d7cd9aL,0x42f50765c0d4f1L,
+        0x158bb603cb011bL,0x0809dde16470b1L,0x63cad7422ea819L,
+        0x38b6cd70f90d7eL } },
+    /* 85 */
+    { { 0x1e4aab6328e33fL,0x70575f026da3aeL,0x7e1b55c8c55219L,
+        0x328d4b403d24caL,0x03b6df1f0a5bd1L,0x26b4bb8b648ed0L,
+        0x17161f2f10b76aL },
+      { 0x6cdb32bae8b4c0L,0x33176266227056L,0x4975fa58519b45L,
+        0x254602ea511d96L,0x4e82e93e402a67L,0x0ca8b5929cdb4fL,
+        0x3ae7e0a07918f5L } },
+    /* 86 */
+    { { 0x60f9d1fecf5b9bL,0x6257e40d2cd469L,0x6c7aa814d28456L,
+        0x58aac7caac8e79L,0x703a55f0293cbfL,0x702390a0f48378L,
+        0x24b9ae07218b07L },
+      { 0x1ebc66cdaf24e3L,0x7d9ae5f9f8e199L,0x42055ee921a245L,
+        0x035595936e4d49L,0x129c45d425c08bL,0x6486c5f19ce6ddL,
+        0x027dbd5f18ba24L } },
+    /* 87 */
+    { { 0x7d6b78d29375fbL,0x0a3dc6ba22ae38L,0x35090fa91feaf6L,
+        0x7f18587fb7b16eL,0x6e7091dd924608L,0x54e102cdbf5ff8L,
+        0x31b131a4c22079L },
+      { 0x368f87d6a53fb0L,0x1d3f3d69a3f240L,0x36bf5f9e40e1c6L,
+        0x17f150e01f8456L,0x76e5d0835eb447L,0x662fc0a1207100L,
+        0x14e3dd97a98e39L } },
+    /* 88 */
+    { { 0x0249d9c2663b4bL,0x56b68f9a71ba1cL,0x74b119567f9c02L,
+        0x5e6f336d8c92acL,0x2ced58f9f74a84L,0x4b75a2c2a467c5L,
+        0x30557011cf740eL },
+      { 0x6a87993be454ebL,0x29b7076fb99a68L,0x62ae74aaf99bbaL,
+        0x399f9aa8fb6c1bL,0x553c24a396dd27L,0x2868337a815ea6L,
+        0x343ab6635cc776L } },
+    /* 89 */
+    { { 0x0e0b0eec142408L,0x79728229662121L,0x605d0ac75e6250L,
+        0x49a097a01edfbeL,0x1e20cd270df6b6L,0x7438a0ca9291edL,
+        0x29daa430da5f90L },
+      { 0x7a33844624825aL,0x181715986985c1L,0x53a6853cae0b92L,
+        0x6d98401bd925e8L,0x5a0a34f5dd5e24L,0x7b818ef53cf265L,
+        0x0836e43c9d3194L } },
+    /* 90 */
+    { { 0x1179b70e6c5fd9L,0x0246d9305dd44cL,0x635255edfbe2fbL,
+        0x5397b3523b4199L,0x59350cc47e6640L,0x2b57aa97ed4375L,
+        0x37efd31abd153aL },
+      { 0x7a7afa6907f4faL,0x75c10cb94e6a7eL,0x60a925ab69cc47L,
+        0x2ff5bcd9239bd5L,0x13c2113e425f11L,0x56bd3d2f8a1437L,
+        0x2c9adbab13774fL } },
+    /* 91 */
+    { { 0x4ab9f52a2e5f2bL,0x5e537e70b58903L,0x0f242658ebe4f2L,
+        0x2648a1e7a5f9aeL,0x1b4c5081e73007L,0x6827d4aff51850L,
+        0x3925e41726cd01L },
+      { 0x56dd8a55ab3cfbL,0x72d6a31b6d5beaL,0x697bd2e5575112L,
+        0x66935519a7aa12L,0x55e97dda7a3aceL,0x0e16afb4237b4cL,
+        0x00b68fbff08093L } },
+    /* 92 */
+    { { 0x4b00366481d0d9L,0x37cb031fbfc5c4L,0x14643f6800dd03L,
+        0x6793fef60fe0faL,0x4f43e329c92803L,0x1fce86b96a6d26L,
+        0x0ad416975e213aL },
+      { 0x7cc6a6711adcc9L,0x64b8a63c43c2d9L,0x1e6caa2a67c0d0L,
+        0x610deffd17a54bL,0x57d669d5f38423L,0x77364b8f022636L,
+        0x36d4d13602e024L } },
+    /* 93 */
+    { { 0x72e667ae50a2f5L,0x1b15c950c3a21aL,0x3ccc37c72e6dfeL,
+        0x027f7e1d094fb8L,0x43ae1e90aa5d7eL,0x3f5feac3d97ce5L,
+        0x0363ed0a336e55L },
+      { 0x235f73d7663784L,0x5d8cfc588ad5a4L,0x10ab6ff333016eL,
+        0x7d8886af2e1497L,0x549f34fd17988eL,0x3fc4fcaee69a33L,
+        0x0622b133a13d9eL } },
+    /* 94 */
+    { { 0x6344cfa796c53eL,0x0e9a10d00136fdL,0x5d1d284a56efd8L,
+        0x608b1968f8aca7L,0x2fa5a66776edcaL,0x13430c44f1609cL,
+        0x1499973cb2152aL },
+      { 0x3764648104ab58L,0x3226e409fadafcL,0x1513a8466459ddL,
+        0x649206ec365035L,0x46149aa3f765b1L,0x3aebf0a035248eL,
+        0x1ee60b8c373494L } },
+    /* 95 */
+    { { 0x4e9efcc15f3060L,0x5e5d50fd77cdc8L,0x071e5403516b58L,
+        0x1b7d4e89b24ceaL,0x53b1fa66d6dc03L,0x457f15f892ab5fL,
+        0x076332c9397260L },
+      { 0x31422b79d7584bL,0x0b01d47e41ba80L,0x3e5611a3171528L,
+        0x5f53b9a9fc1be4L,0x7e2fc3d82f110fL,0x006cf350ef0fbfL,
+        0x123ae98ec81c12L } },
+    /* 96 */
+    { { 0x310d41df46e2f6L,0x2ff032a286cf13L,0x64751a721c4eadL,
+        0x7b62bcc0339b95L,0x49acf0c195afa4L,0x359d48742544e5L,
+        0x276b7632d9e2afL },
+      { 0x656c6be182579aL,0x75b65a4d85b199L,0x04a911d1721bfaL,
+        0x46e023d0e33477L,0x1ec2d580acd869L,0x540b456f398a37L,
+        0x001f698210153dL } },
+    /* 97 */
+    { { 0x3ca35217b00dd0L,0x73961d034f4d3cL,0x4f520b61c4119dL,
+        0x4919fde5cccff7L,0x4d0e0e6f38134dL,0x55c22586003e91L,
+        0x24d39d5d8f1b19L },
+      { 0x4d4fc3d73234dcL,0x40c50c9d5f8368L,0x149afbc86bf2b8L,
+        0x1dbafefc21d7f1L,0x42e6b61355107fL,0x6e506cf4b54f29L,
+        0x0f498a6c615228L } },
+    /* 98 */
+    { { 0x30618f437cfaf8L,0x059640658532c4L,0x1c8a4d90e96e1dL,
+        0x4a327bcca4fb92L,0x54143b8040f1a0L,0x4ec0928c5a49e4L,
+        0x2af5ad488d9b1fL },
+      { 0x1b392bd5338f55L,0x539c0292b41823L,0x1fe35d4df86a02L,
+        0x5fa5bb17988c65L,0x02b6cb715adc26L,0x09a48a0c2cb509L,
+        0x365635f1a5a9f2L } },
+    /* 99 */
+    { { 0x58aa87bdc21f31L,0x156900c7cb1935L,0x0ec1f75ee2b6cfL,
+        0x5f3e35a77ec314L,0x582dec7b9b7621L,0x3e65deb0e8202aL,
+        0x325c314b8a66b7L },
+      { 0x702e2a22f24d66L,0x3a20e9982014f1L,0x6424c5b86bbfb0L,
+        0x424eea4d795351L,0x7fc4cce7c22055L,0x581383fceb92d7L,
+        0x32b663f49ee81bL } },
+    /* 100 */
+    { { 0x76e2d0b648b73eL,0x59ca39fa50bddaL,0x18bb44f786a7e4L,
+        0x28c8d49d464360L,0x1b8bf1d3a574eaL,0x7c670b9bf1635aL,
+        0x2efb30a291f4b3L },
+      { 0x5326c069cec548L,0x03bbe481416531L,0x08a415c8d93d6fL,
+        0x3414a52120d383L,0x1f17a0fc6e9c5cL,0x0de9a090717463L,
+        0x22d84b3c67ff07L } },
+    /* 101 */
+    { { 0x30b5014c3830ebL,0x70791dc1a18b37L,0x09e6ea4e24f423L,
+        0x65e148a5253132L,0x446f05d5d40449L,0x7ad5d3d707c0e9L,
+        0x18eedd63dd3ab5L },
+      { 0x40d2eac6bb29e0L,0x5b0e9605e83c38L,0x554f2c666a56a8L,
+        0x0ac27b6c94c48bL,0x1aaecdd91bafe5L,0x73c6e2bdf72634L,
+        0x306dab96d19e03L } },
+    /* 102 */
+    { { 0x6d3e4b42772f41L,0x1aba7796f3a39bL,0x3a03fbb980e9c0L,
+        0x2f2ea5da2186a8L,0x358ff444ef1fcfL,0x0798cc0329fcdcL,
+        0x39a28bcc9aa46dL },
+      { 0x42775c977fe4d2L,0x5eb8fc5483d6b0L,0x0bfe37c039e3f7L,
+        0x429292eaf9df60L,0x188bdf4b840cd5L,0x06e10e090749cdL,
+        0x0e52678e73192eL } },
+    /* 103 */
+    { { 0x05de80b08df5feL,0x2af8c77406c5f8L,0x53573c50a0304aL,
+        0x277b10b751bca0L,0x65cf8c559132a5L,0x4c667abe25f73cL,
+        0x0271809e05a575L },
+      { 0x41ced461f7a2fbL,0x0889a9ebdd7075L,0x320c63f2b7760eL,
+        0x4f8d4324151c63L,0x5af47315be2e5eL,0x73c62f6aee2885L,
+        0x206d6412a56a97L } },
+    /* 104 */
+    { { 0x6b1c508b21d232L,0x3781185974ead6L,0x1aba7c3ebe1fcfL,
+        0x5bdc03cd3f3a5aL,0x74a25036a0985bL,0x5929e30b7211b2L,
+        0x16a9f3bc366bd7L },
+      { 0x566a7057dcfffcL,0x23b5708a644bc0L,0x348cda2aa5ba8cL,
+        0x466aa96b9750d4L,0x6a435ed9b20834L,0x2e7730f2cf9901L,
+        0x2b5cd71d5b0410L } },
+    /* 105 */
+    { { 0x285ab3cee76ef4L,0x68895e3a57275dL,0x6fab2e48fd1265L,
+        0x0f1de060428c94L,0x668a2b080b5905L,0x1b589dc3b0cb37L,
+        0x3c037886592c9bL },
+      { 0x7fb5c0f2e90d4dL,0x334eefb3d8c91aL,0x75747124700388L,
+        0x547a2c2e2737f5L,0x2af9c080e37541L,0x0a295370d9091aL,
+        0x0bb5c36dad99e6L } },
+    /* 106 */
+    { { 0x644116586f25cbL,0x0c3f41f9ee1f5dL,0x00628d43a3dedaL,
+        0x16e1437aae9669L,0x6aba7861bf3e59L,0x60735631ff4c44L,
+        0x345609efaa615eL },
+      { 0x41f54792e6acefL,0x4791583f75864dL,0x37f2ff5c7508b1L,
+        0x1288912516c3b0L,0x51a2135f6a539bL,0x3b775511f42091L,
+        0x127c6afa7afe66L } },
+    /* 107 */
+    { { 0x79f4f4f7492b73L,0x583d967256342dL,0x51a729bff33ca3L,
+        0x3977d2c22d8986L,0x066f528ba8d40bL,0x5d759d30f8eb94L,
+        0x0f8e649192b408L },
+      { 0x22d84e752555bbL,0x76953855c728c7L,0x3b2254e72aaaa4L,
+        0x508cd4ce6c0212L,0x726296d6b5a6daL,0x7a77aa066986f3L,
+        0x2267a497bbcf31L } },
+    /* 108 */
+    { { 0x7f3651bf825dc4L,0x3988817388c56fL,0x257313ed6c3dd0L,
+        0x3feab7f3b8ffadL,0x6c0d3cb9e9c9b4L,0x1317be0a7b6ac4L,
+        0x2a5f399d7df850L },
+      { 0x2fe5a36c934f5eL,0x429199df88ded1L,0x435ea21619b357L,
+        0x6aac6a063bac2bL,0x600c149978f5edL,0x76543aa1114c95L,
+        0x163ca9c83c7596L } },
+    /* 109 */
+    { { 0x7dda4a3e4daedbL,0x1824cba360a4cdL,0x09312efd70e0c6L,
+        0x454e68a146c885L,0x40aee762fe5c47L,0x29811cbd755a59L,
+        0x34b37c95f28319L },
+      { 0x77c58b08b717d2L,0x309470d9a0f491L,0x1ab9f40448e01cL,
+        0x21c8bd819207b1L,0x6a01803e9361bcL,0x6e5e4c350ec415L,
+        0x14fd55a91f8798L } },
+    /* 110 */
+    { { 0x4cee562f512a90L,0x0008361d53e390L,0x3789b307a892cfL,
+        0x064f7be8770ae9L,0x41435d848762cfL,0x662204dd38baa6L,
+        0x23d6dcf73f6c5aL },
+      { 0x69bef2d2c75d95L,0x2b037c0c9bb43eL,0x495fb4d79a34cfL,
+        0x184e140c601260L,0x60193f8d435f9cL,0x283fa52a0c3ad2L,
+        0x1998635e3a7925L } },
+    /* 111 */
+    { { 0x1cfd458ce382deL,0x0dddbd201bbcaeL,0x14d2ae8ed45d60L,
+        0x73d764ab0c24cbL,0x2a97fe899778adL,0x0dbd1e01eddfe9L,
+        0x2ba5c72d4042c3L },
+      { 0x27eebc3af788f1L,0x53ffc827fc5a30L,0x6d1d0726d35188L,
+        0x4721275c50aa2aL,0x077125f02e690fL,0x6da8142405db5dL,
+        0x126cef68992513L } },
+    /* 112 */
+    { { 0x3c6067035b2d69L,0x2a1ad7db2361acL,0x3debece6cad41cL,
+        0x30095b30f9afc1L,0x25f50b9bd9c011L,0x79201b2f2c1da1L,
+        0x3b5c151449c5bdL },
+      { 0x76eff4127abdb4L,0x2d31e03ce0382aL,0x24ff21f8bda143L,
+        0x0671f244fd3ebaL,0x0c1c00b6bcc6fbL,0x18de9f7c3ebefbL,
+        0x33dd48c3809c67L } },
+    /* 113 */
+    { { 0x61d6c2722d94edL,0x7e426e31041cceL,0x4097439f1b47b0L,
+        0x579e798b2d205bL,0x6a430d67f830ebL,0x0d2c676700f727L,
+        0x05fea83a82f25bL },
+      { 0x3f3482df866b98L,0x3dd353b6a5a9cdL,0x77fe6ae1a48170L,
+        0x2f75cc2a8f7cddL,0x7442a3863dad17L,0x643de42d877a79L,
+        0x0fec8a38fe7238L } },
+    /* 114 */
+    { { 0x79b70c0760ac07L,0x195d3af37e9b29L,0x1317ff20f7cf27L,
+        0x624e1c739e7504L,0x67330ef50f943dL,0x775e8cf455d793L,
+        0x17b94d2d913a9fL },
+      { 0x4b627203609e7fL,0x06aac5fb93e041L,0x603c515fdc2611L,
+        0x2592ca0d7ae472L,0x02395d1f50a6cbL,0x466ef9648f85d9L,
+        0x297cf879768f72L } },
+    /* 115 */
+    { { 0x3489d67d85fa94L,0x0a6e5b739c8e04L,0x7ebb5eab442e90L,
+        0x52665a007efbd0L,0x0967ca57b0d739L,0x24891f9d932b63L,
+        0x3cc2d6dbadc9d3L },
+      { 0x4b4773c81c5338L,0x73cd47dad7a0f9L,0x7c755bab6ae158L,
+        0x50b03d6becefcaL,0x574d6e256d57f0L,0x188db4fffb92aeL,
+        0x197e10118071eaL } },
+    /* 116 */
+    { { 0x45d0cbcba1e7f1L,0x1180056abec91aL,0x6c5f86624bbc28L,
+        0x442c83f3b8e518L,0x4e16ae1843ecb4L,0x670cef2fd786c9L,
+        0x205b4acb637d2cL },
+      { 0x70b0e539aa8671L,0x67c982056bebd0L,0x645c831a5e7c36L,
+        0x09e06951a14b32L,0x5dd610ad4c89e6L,0x41c35f20164831L,
+        0x3821f29cb4cdb8L } },
+    /* 117 */
+    { { 0x2831ffaba10079L,0x70f6dac9ffe444L,0x1cfa32ccc03717L,
+        0x01519fda22a3c8L,0x23215e815aaa27L,0x390671ad65cbf7L,
+        0x03dd4d72de7d52L },
+      { 0x1ecd972ee95923L,0x166f8da3813e8eL,0x33199bbd387a1aL,
+        0x04525fe15e3dc7L,0x44d2ef54165898L,0x4b7e47d3dc47f7L,
+        0x10d5c8db0b5d44L } },
+    /* 118 */
+    { { 0x176d95ba9cdb1bL,0x14025f04f23dfcL,0x49379332891687L,
+        0x6625e5ccbb2a57L,0x7ac0abdbf9d0e5L,0x7aded4fbea15b2L,
+        0x314844ac184d67L },
+      { 0x6d9ce34f05eae3L,0x3805d2875856d2L,0x1c2122f85e40ebL,
+        0x51cb9f2d483a9aL,0x367e91e20f1702L,0x573c3559838dfdL,
+        0x0b282b0cb85af1L } },
+    /* 119 */
+    { { 0x6a12e4ef871eb5L,0x64bb517e14f5ffL,0x29e04d3aaa530bL,
+        0x1b07d88268f261L,0x411be11ed16fb0L,0x1f480536db70bfL,
+        0x17a7deadfd34e4L },
+      { 0x76d72f30646612L,0x5a3bbb43a1b0a0L,0x5e1687440e82bfL,
+        0x713b5e69481112L,0x46c3dcb499e174L,0x0862da3b4e2a24L,
+        0x31cb55b4d62681L } },
+    /* 120 */
+    { { 0x5ffc74dae5bb45L,0x18944c37adb9beL,0x6aaa63b1ee641aL,
+        0x090f4b6ee057d3L,0x4045cedd2ee00fL,0x21c2c798f7c282L,
+        0x2c2c6ef38cd6bdL },
+      { 0x40d78501a06293L,0x56f8caa5cc89a8L,0x7231d5f91b37aeL,
+        0x655f1e5a465c6dL,0x3f59a81f9cf783L,0x09bbba04c23624L,
+        0x0f71ee23bbacdeL } },
+    /* 121 */
+    { { 0x38d398c4741456L,0x5204c0654243c3L,0x34498c916ea77eL,
+        0x12238c60e5fe43L,0x0fc54f411c7625L,0x30b2ca43aa80b6L,
+        0x06bead1bb6ea92L },
+      { 0x5902ba8674b4adL,0x075ab5b0fa254eL,0x58db83426521adL,
+        0x5b66b6b3958e39L,0x2ce4e39890e07bL,0x46702513338b37L,
+        0x363690c2ded4d7L } },
+    /* 122 */
+    { { 0x765642c6b75791L,0x0f4c4300d7f673L,0x404d8bbe101425L,
+        0x61e91c88651f1bL,0x61ddc9bc60aed8L,0x0ef36910ce2e65L,
+        0x04b44367aa63b8L },
+      { 0x72822d3651b7dcL,0x4b750157a2716dL,0x091cb4f2118d16L,
+        0x662ba93b101993L,0x447cbd54a1d40aL,0x12cdd48d674848L,
+        0x16f10415cbec69L } },
+    /* 123 */
+    { { 0x0c57a3a751cd0eL,0x0833d7478fadceL,0x1e751f55686436L,
+        0x489636c58e1df7L,0x26ad6da941266fL,0x22225d3559880fL,
+        0x35b397c45ba0e2L },
+      { 0x3ca97b70e1f2ceL,0x78e50427a8680cL,0x06137e042a8f91L,
+        0x7ec40d2500b712L,0x3f0ad688ad7b0dL,0x24746fb33f9513L,
+        0x3638fcce688f0bL } },
+    /* 124 */
+    { { 0x753163750bed6fL,0x786507cd16157bL,0x1d6ec228ce022aL,
+        0x587255f42d1b31L,0x0c6adf72a3a0f6L,0x4bfeee2da33f5eL,
+        0x08b7300814de6cL },
+      { 0x00bf8df9a56e11L,0x75aead48fe42e8L,0x3de9bad911b2e2L,
+        0x0fadb233e4b8bbL,0x5b054e8fd84f7dL,0x5eb3064152889bL,
+        0x01c1c6e8c777a1L } },
+    /* 125 */
+    { { 0x5fa0e598f8fcb9L,0x11c129a1ae18dfL,0x5c41b482a2273bL,
+        0x545664e5044c9cL,0x7e01c915bfb9abL,0x7f626e19296aa0L,
+        0x20c91a9822a087L },
+      { 0x273a9fbe3c378fL,0x0f126b44b7d350L,0x493764a75df951L,
+        0x32dec3c367d24bL,0x1a7ae987fed9d3L,0x58a93055928b85L,
+        0x11626975d7775fL } },
+    /* 126 */
+    { { 0x2bb174a95540a9L,0x10de02c58b613fL,0x2fa8f7b861f3eeL,
+        0x44731260bdf3b3L,0x19c38ff7da41feL,0x3535a16e3d7172L,
+        0x21a948b83cc7feL },
+      { 0x0e6f72868bc259L,0x0c70799df3c979L,0x526919955584c3L,
+        0x4d95fda04f8fa2L,0x7bb228e6c0f091L,0x4f728b88d92194L,
+        0x2b361c5a136bedL } },
+    /* 127 */
+    { { 0x0c72ca10c53841L,0x4036ab49f9da12L,0x578408d2b7082bL,
+        0x2c4903201fbf5eL,0x14722b3f42a6a8L,0x1997b786181694L,
+        0x25c6f10de32849L },
+      { 0x79f46d517ff2ffL,0x2dc5d97528f6deL,0x518a494489aa72L,
+        0x52748f8af3cf97L,0x472da30a96bb16L,0x1be228f92465a9L,
+        0x196f0c47d60479L } },
+    /* 128 */
+    { { 0x47dd7d139b3239L,0x049c9b06775d0fL,0x627ffc00562d5eL,
+        0x04f578d5e5e243L,0x43a788ffcef8b9L,0x7db320be9dde28L,
+        0x00837528b8572fL },
+      { 0x2969eca306d695L,0x195b72795ec194L,0x5e1fa9b8e77e50L,
+        0x4c627f2b3fbfd5L,0x4b91e0d0ee10ffL,0x5698c8d0f35833L,
+        0x12d3a9431f475eL } },
+    /* 129 */
+    { { 0x6409457a0db57eL,0x795b35192e0433L,0x146f973fe79805L,
+        0x3d49c516dfb9cfL,0x50dfc3646b3cdaL,0x16a08a2210ad06L,
+        0x2b4ef5bcd5b826L },
+      { 0x5ebabfee2e3e3eL,0x2e048e724d9726L,0x0a7a7ed6abef40L,
+        0x71ff7f83e39ad8L,0x3405ac52a1b852L,0x2e3233357a608dL,
+        0x38c1bf3b0e40e6L } },
+    /* 130 */
+    { { 0x59aec823e4712cL,0x6ed9878331ddadL,0x1cc6faf629f2a0L,
+        0x445ff79f36c18cL,0x4edc7ed57aff3dL,0x22ee54c8bdd9e8L,
+        0x35398f42d72ec5L },
+      { 0x4e7a1cceee0ecfL,0x4c66a707dd1d31L,0x629ad157a23c04L,
+        0x3b2c6031dc3c83L,0x3336acbcd3d96cL,0x26ce43adfce0f0L,
+        0x3c869c98d699dcL } },
+    /* 131 */
+    { { 0x58b3cd9586ba11L,0x5d6514b8090033L,0x7c88c3bd736782L,
+        0x1735f84f2130edL,0x47784095a9dee0L,0x76312c6e47901bL,
+        0x1725f6ebc51455L },
+      { 0x6744344bc4503eL,0x16630b4d66e12fL,0x7b3481752c3ec7L,
+        0x47bb2ed1f46f95L,0x08a1a497dd1bcfL,0x1f525df2b8ed93L,
+        0x0fe492ea993713L } },
+    /* 132 */
+    { { 0x71b8dd7268b448L,0x1743dfaf3728d7L,0x23938d547f530aL,
+        0x648c3d497d0fc6L,0x26c0d769e3ad45L,0x4d25108769a806L,
+        0x3fbf2025143575L },
+      { 0x485bfd90339366L,0x2de2b99ed87461L,0x24a33347713badL,
+        0x1674bc7073958aL,0x5bb2373ee85b5fL,0x57f9bd657e662cL,
+        0x2041b248d39042L } },
+    /* 133 */
+    { { 0x5f01617d02f4eeL,0x2a8e31c4244b91L,0x2dab3e790229e0L,
+        0x72d319ea7544afL,0x01ffb8b000cb56L,0x065e63b0daafd3L,
+        0x3d7200a7111d6fL },
+      { 0x4561ce1b568973L,0x37034c532dd8ecL,0x1368215020be02L,
+        0x30e7184cf289ebL,0x199e0c27d815deL,0x7ee1b4dff324e5L,
+        0x2f4a11de7fab5cL } },
+    /* 134 */
+    { { 0x33c2f99b1cdf2bL,0x1e0d78bf42a2c0L,0x64485dececaa67L,
+        0x2242a41be93e92L,0x62297b1f15273cL,0x16ebfaafb02205L,
+        0x0f50f805f1fdabL },
+      { 0x28bb0b3a70eb28L,0x5b1c7d0160d683L,0x05c30a37959f78L,
+        0x3d9301184922d2L,0x46c1ead7dbcb1aL,0x03ee161146a597L,
+        0x2d413ed9a6ccc1L } },
+    /* 135 */
+    { { 0x685ab5f97a27c2L,0x59178214023751L,0x4ffef3c585ab17L,
+        0x2bc85302aba2a9L,0x675b001780e856L,0x103c8a37f0b33dL,
+        0x2241e98ece70a6L },
+      { 0x546738260189edL,0x086c8f7a6b96edL,0x00832ad878a129L,
+        0x0b679056ba7462L,0x020ce6264bf8c4L,0x3f9f4b4d92abfbL,
+        0x3e9c55343c92edL } },
+    /* 136 */
+    { { 0x482cec9b3f5034L,0x08b59b3cd1fa30L,0x5a55d1bc8e58b5L,
+        0x464a5259337d8eL,0x0a5b6c66ade5a5L,0x55db77b504ddadL,
+        0x015992935eac35L },
+      { 0x54fe51025e32fcL,0x5d7f52dbe4a579L,0x08c564a8c58696L,
+        0x4482a8bec4503fL,0x440e75d9d94de9L,0x6992d768020bfaL,
+        0x06c311e8ba01f6L } },
+    /* 137 */
+    { { 0x2a6ac808223878L,0x04d3ccb4aab0b8L,0x6e6ef09ff6e823L,
+        0x15cb03ee9158dcL,0x0dc58919171bf7L,0x3273568abf3cb1L,
+        0x1b55245b88d98bL },
+      { 0x28e9383b1de0c1L,0x30d5009e4f1f1bL,0x334d185a56a134L,
+        0x0875865dfa4c46L,0x266edf5eae3beeL,0x2e03ff16d1f7e5L,
+        0x29a36bd9f0c16dL } },
+    /* 138 */
+    { { 0x004cff44b2e045L,0x426c96380ba982L,0x422292281e46d7L,
+        0x508dd8d29d7204L,0x3a4ea73fb2995eL,0x4be64090ae07b2L,
+        0x3339177a0eff22L },
+      { 0x74a97ec2b3106eL,0x0c616d09169f5fL,0x1bb5d8907241a7L,
+        0x661fb67f6d41bdL,0x018a88a0daf136L,0x746333a093a7b4L,
+        0x3e19f1ac76424eL } },
+    /* 139 */
+    { { 0x542a5656527296L,0x0e7b9ce22f1bc9L,0x31b0945992b89bL,
+        0x6e0570eb85056dL,0x32daf813483ae5L,0x69eeae9d59bb55L,
+        0x315ad4b730b557L },
+      { 0x2bc16795f32923L,0x6b02b7ba55130eL,0x1e9da67c012f85L,
+        0x5616f014dabf8fL,0x777395fcd9c723L,0x2ff075e7743246L,
+        0x2993538aff142eL } },
+    /* 140 */
+    { { 0x72dae20e552b40L,0x2e4ba69aa5d042L,0x001e563e618bd2L,
+        0x28feeba3c98772L,0x648c356da2a907L,0x687e2325069ea7L,
+        0x0d34ab09a394f0L },
+      { 0x73c21813111286L,0x5829b53b304e20L,0x6fba574de08076L,
+        0x79f7058f61614eL,0x4e71c9316f1191L,0x24ef12193e0a89L,
+        0x35dc4e2bc9d848L } },
+    /* 141 */
+    { { 0x045e6d3b4ad1cdL,0x729c95493782f0L,0x77f59de85b361aL,
+        0x5309b4babf28f8L,0x4d893d9290935fL,0x736f47f2b2669eL,
+        0x23270922d757f3L },
+      { 0x23a4826f70d4e9L,0x68a8c63215d33eL,0x4d6c2069205c9cL,
+        0x46b2938a5eebe0L,0x41d1f1e2de3892L,0x5ca1775544bcb0L,
+        0x3130629e5d19dcL } },
+    /* 142 */
+    { { 0x6e2681593375acL,0x117cfbabc22621L,0x6c903cd4e13ccaL,
+        0x6f358f14d4bd97L,0x1bc58fa11089f1L,0x36aa2db4ac426aL,
+        0x15ced8464b7ea1L },
+      { 0x6966836cba7df5L,0x7c2b1851568113L,0x22b50ff2ffca66L,
+        0x50e77d9f48e49aL,0x32775e9bbc7cc9L,0x403915bb0ece71L,
+        0x1b8ec7cb9dd7aaL } },
+    /* 143 */
+    { { 0x65a888b677788bL,0x51887fac2e7806L,0x06792636f98d2bL,
+        0x47bbcd59824c3bL,0x1aca908c43e6dcL,0x2e00d15c708981L,
+        0x08e031c2c80634L },
+      { 0x77fbc3a297c5ecL,0x10a7948af2919eL,0x10cdafb1fb6b2fL,
+        0x27762309b486f0L,0x13abf26bbac641L,0x53da38478fc3eeL,
+        0x3c22eff379bf55L } },
+    /* 144 */
+    { { 0x0163f484770ee3L,0x7f28e8942e0cbfL,0x5f86cb51b43831L,
+        0x00feccd4e4782fL,0x40e5b417eafe7dL,0x79e5742bbea228L,
+        0x3717154aa469beL },
+      { 0x271d74a270f721L,0x40eb400890b70cL,0x0e37be81d4cb02L,
+        0x786907f4e8d43fL,0x5a1f5b590a7acbL,0x048861883851fdL,
+        0x11534a1e563dbbL } },
+    /* 145 */
+    { { 0x37a6357c525435L,0x6afe6f897b78a5L,0x7b7ff311d4f67bL,
+        0x38879df15dc9f4L,0x727def7b8ba987L,0x20285dd0db4436L,
+        0x156b0fc64b9243L },
+      { 0x7e3a6ec0c1c390L,0x668a88d9bcf690L,0x5925aba5440dbeL,
+        0x0f6891a044f593L,0x70b46edfed4d97L,0x1a6cc361bab201L,
+        0x046f5bc6e160bcL } },
+    /* 146 */
+    { { 0x79350f076bc9d1L,0x077d9e79a586b9L,0x0896bc0c705764L,
+        0x58e632b90e7e46L,0x14e87e0ad32488L,0x4b1bb3f72c6e00L,
+        0x3c3ce9684a5fc5L },
+      { 0x108fbaf1f703aaL,0x08405ecec17577L,0x199a8e2d44be73L,
+        0x2eb22ed0067763L,0x633944deda3300L,0x20d739eb8e5efbL,
+        0x2bbbd94086b532L } },
+    /* 147 */
+    { { 0x03c8b17a19045dL,0x6205a0a504980bL,0x67fdb3e962b9f0L,
+        0x16399e01511a4bL,0x44b09fe9dffc96L,0x00a74ff44a1381L,
+        0x14590deed3f886L },
+      { 0x54e3d5c2a23ddbL,0x310e5138209d28L,0x613f45490c1c9bL,
+        0x6bbc85d44bbec8L,0x2f85fc559e73f6L,0x0d71fa7d0fa8cbL,
+        0x2898571d17fbb9L } },
+    /* 148 */
+    { { 0x5607a84335167dL,0x3009c1eb910f91L,0x7ce63447e62d0bL,
+        0x03a0633afcf89eL,0x1234b5aaa50872L,0x5a307b534d547bL,
+        0x2f4e97138a952eL },
+      { 0x13914c2db0f658L,0x6cdcb47e6e75baL,0x5549169caca772L,
+        0x0f20423dfeb16fL,0x6b1ae19d180239L,0x0b7b3bee9b7626L,
+        0x1ca81adacfe4efL } },
+    /* 149 */
+    { { 0x219ec3ad19d96fL,0x3549f6548132dbL,0x699889c7aacd0bL,
+        0x74602a58730b19L,0x62dc63bcece81cL,0x316f991c0c317aL,
+        0x2b8627867b95e3L },
+      { 0x67a25ddced1eedL,0x7e14f0eba756e7L,0x0873fbc09b0495L,
+        0x0fefb0e16596adL,0x03e6cd98ef39bbL,0x1179b1cded249dL,
+        0x35c79c1db1edc2L } },
+    /* 150 */
+    { { 0x1368309d4245bfL,0x442e55852a7667L,0x095b0f0f348b65L,
+        0x6834cf459dfad4L,0x6645950c9be910L,0x06bd81288c71e6L,
+        0x1b015b6e944edfL },
+      { 0x7a6a83045ab0e3L,0x6afe88b9252ad0L,0x2285bd65523502L,
+        0x6c78543879a282L,0x1c5e264b5c6393L,0x3a820c6a7453eeL,
+        0x37562d1d61d3c3L } },
+    /* 151 */
+    { { 0x6c084f62230c72L,0x599490270bc6cfL,0x1d3369ddd3c53dL,
+        0x516ddb5fac5da0L,0x35ab1e15011b1aL,0x5fba9106d3a180L,
+        0x3be0f092a0917cL },
+      { 0x57328f9fdc2538L,0x0526323fc8d5f6L,0x10cbb79521e602L,
+        0x50d01167147ae2L,0x2ec7f1b3cda99eL,0x43073cc736e7beL,
+        0x1ded89cadd83a6L } },
+    /* 152 */
+    { { 0x1d51bda65d56d5L,0x63f2fd4d2dc056L,0x326413d310ea6dL,
+        0x3abba5bca92876L,0x6b9aa8bc4d6ebeL,0x1961c687f15d5dL,
+        0x311cf07464c381L },
+      { 0x2321b1064cd8aeL,0x6e3caac4443850L,0x3346fc4887d2d0L,
+        0x1640417e0e640fL,0x4a958a52a07a9eL,0x1346a1b1cb374cL,
+        0x0a793cf79beccbL } },
+    /* 153 */
+    { { 0x29d56cba89aaa5L,0x1581898c0b3c15L,0x1af5b77293c082L,
+        0x1617ba53a006ceL,0x62dd3b384e475fL,0x71a9820c3f962aL,
+        0x0e4938920b854eL },
+      { 0x0b8d98849808abL,0x64c14923546de7L,0x6a20883b78a6fcL,
+        0x72de211428acd6L,0x009678b47915bbL,0x21b5269ae5dae6L,
+        0x313cc0e60b9457L } },
+    /* 154 */
+    { { 0x69ee421b1de38bL,0x44b484c6cec1c7L,0x0240596c6a8493L,
+        0x2321a62c85fb9eL,0x7a10921802a341L,0x3d2a95507e45c3L,
+        0x0752f40f3b6714L },
+      { 0x596a38798751e6L,0x46bf186a0feb85L,0x0b23093e23b49cL,
+        0x1bfa7bc5afdc07L,0x4ba96f873eefadL,0x292e453fae9e44L,
+        0x2773646667b75cL } },
+    /* 155 */
+    { { 0x1f81a64e94f22aL,0x3125ee3d8683ddL,0x76a660a13b9582L,
+        0x5aa584c3640c6eL,0x27cc99fd472953L,0x7048f4d58061d1L,
+        0x379a1397ac81e8L },
+      { 0x5d1ecd2b6b956bL,0x0829e0366b0697L,0x49548cec502421L,
+        0x7af5e2f717c059L,0x329a25a0fec54eL,0x028e99e4bcd7f1L,
+        0x071d5fe81fca78L } },
+    /* 156 */
+    { { 0x4b5c4aeb0fdfe4L,0x1367e11326ce37L,0x7c16f020ef5f19L,
+        0x3c55303d77b471L,0x23a4457a06e46aL,0x2174426dd98424L,
+        0x226f592114bd69L },
+      { 0x4411b94455f15aL,0x52e0115381fae4L,0x45b6d8efbc8f7eL,
+        0x58b1221bd86d26L,0x284fb6f8a7ec1fL,0x045835939ddd30L,
+        0x0216960accd598L } },
+    /* 157 */
+    { { 0x4b61f9ec1f138aL,0x4460cd1e18502bL,0x277e4fce3c4726L,
+        0x0244246d6414b9L,0x28fbfcef256984L,0x3347ed0db40577L,
+        0x3b57fa9e044718L },
+      { 0x4f73bcd6d1c833L,0x2c0d0dcf7f0136L,0x2010ac75454254L,
+        0x7dc4f6151539a8L,0x0b8929ef6ea495L,0x517e20119d2bdfL,
+        0x1e29f9a126ba15L } },
+    /* 158 */
+    { { 0x683a7c10470cd8L,0x0d05f0dbe0007fL,0x2f6a5026d649cdL,
+        0x249ce2fdaed603L,0x116dc1e7a96609L,0x199bd8d82a0b98L,
+        0x0694ad0219aeb2L },
+      { 0x03a3656e864045L,0x4e552273df82a6L,0x19bcc7553d17abL,
+        0x74ac536c1df632L,0x440302fb4a86f6L,0x1becec0e31c9feL,
+        0x002045f8fa46b8L } },
+    /* 159 */
+    { { 0x5833ba384310a2L,0x1db83fad93f8baL,0x0a12713ee2f7edL,
+        0x40e0f0fdcd2788L,0x1746de5fb239a5L,0x573748965cfa15L,
+        0x1e3dedda0ef650L },
+      { 0x6c8ca1c87607aeL,0x785dab9554fc0eL,0x649d8f91860ac8L,
+        0x4436f88b52c0f9L,0x67f22ca8a5e4a3L,0x1f990fd219e4c9L,
+        0x013dd21c08573fL } },
+    /* 160 */
+    { { 0x05d116141d161cL,0x5c1d2789da2ea5L,0x11f0d861f99f34L,
+        0x692c2650963153L,0x3bd69f5329539eL,0x215898eef8885fL,
+        0x041f79dd86f7f1L },
+      { 0x76dcc5e96beebdL,0x7f2b50cb42a332L,0x067621cabef8abL,
+        0x31e0be607054edL,0x4c67c5e357a3daL,0x5b1a63fbfb1c2bL,
+        0x3112efbf5e5c31L } },
+    /* 161 */
+    { { 0x3f83e24c0c62f1L,0x51dc9c32aae4e0L,0x2ff89b33b66c78L,
+        0x21b1c7d354142cL,0x243d8d381c84bcL,0x68729ee50cf4b7L,
+        0x0ed29e0f442e09L },
+      { 0x1ad7b57576451eL,0x6b2e296d6b91dcL,0x53f2b306e30f42L,
+        0x3964ebd9ee184aL,0x0a32855df110e4L,0x31f2f90ddae05fL,
+        0x3410cd04e23702L } },
+    /* 162 */
+    { { 0x60d1522ca8f2feL,0x12909237a83e34L,0x15637f80d58590L,
+        0x3c72431b6d714dL,0x7c8e59a615bea2L,0x5f977b688ef35aL,
+        0x071c198c0b3ab0L },
+      { 0x2b54c699699b4bL,0x14da473c2fd0bcL,0x7ba818ea0ad427L,
+        0x35117013940b2fL,0x6e1df6b5e609dbL,0x3f42502720b64dL,
+        0x01ee7dc890e524L } },
+    /* 163 */
+    { { 0x12ec1448ff4e49L,0x3e2edac882522bL,0x20455ab300f93aL,
+        0x5849585bd67c14L,0x0393d5aa34ba8bL,0x30f9a1f2044fa7L,
+        0x1059c9377a93e0L },
+      { 0x4e641cc0139e73L,0x0d9f23c9b0fa78L,0x4b2ad87e2b83f9L,
+        0x1c343a9f6d9e3cL,0x1098a4cb46de4dL,0x4ddc893843a41eL,
+        0x1797f4167d6e3aL } },
+    /* 164 */
+    { { 0x4add4675856031L,0x499bd5e5f7a0ffL,0x39ea1f1202271eL,
+        0x0ecd7480d7a91eL,0x395f5e5fc10956L,0x0fa7f6b0c9f79bL,
+        0x2fad4623aed6cbL },
+      { 0x1563c33ae65825L,0x29881cafac827aL,0x50650baf4c45a1L,
+        0x034aad988fb9e9L,0x20a6224dc5904cL,0x6fb141a990732bL,
+        0x3ec9ae1b5755deL } },
+    /* 165 */
+    { { 0x3108e7c686ae17L,0x2e73a383b4ad8aL,0x4e6bb142ba4243L,
+        0x24d355922c1d80L,0x2f850dd9a088baL,0x21c50325dd5e70L,
+        0x33237dd5bd7fa4L },
+      { 0x7823a39cab7630L,0x1535f71cff830eL,0x70d92ff0599261L,
+        0x227154d2a2477cL,0x495e9bbb4f871cL,0x40d2034835686bL,
+        0x31b08f97eaa942L } },
+    /* 166 */
+    { { 0x0016c19034d8ddL,0x68961627cf376fL,0x6acc90681615aeL,
+        0x6bc7690c2e3204L,0x6ddf28d2fe19a2L,0x609b98f84dae4dL,
+        0x0f32bfd7c94413L },
+      { 0x7d7edc6b21f843L,0x49bbd2ebbc9872L,0x593d6ada7b6a23L,
+        0x55736602939e9cL,0x79461537680e39L,0x7a7ee9399ca7cdL,
+        0x008776f6655effL } },
+    /* 167 */
+    { { 0x64585f777233cfL,0x63ec12854de0f6L,0x6b7f9bbbc3f99dL,
+        0x301c014b1b55d3L,0x7cf3663bbeb568L,0x24959dcb085bd1L,
+        0x12366aa6752881L },
+      { 0x77a74c0da5e57aL,0x3279ca93ad939fL,0x33c3c8a1ef08c9L,
+        0x641b05ab42825eL,0x02f416d7d098dbL,0x7e3d58be292b68L,
+        0x1864dbc46e1f46L } },
+    /* 168 */
+    { { 0x1da167b8153a9dL,0x47593d07d9e155L,0x386d984e12927fL,
+        0x421a6f08a60c7cL,0x5ae9661c24dab3L,0x7927b2e7874507L,
+        0x3266ea80609d53L },
+      { 0x7d198f4c26b1e3L,0x430d4ea2c4048eL,0x58d8ab77e84ba3L,
+        0x1cb14299c37297L,0x6db6031e8f695cL,0x159bd855e26d55L,
+        0x3f3f6d318a73ddL } },
+    /* 169 */
+    { { 0x3ee958cca40298L,0x02a7e5eba32ad6L,0x43b4bab96f0e1eL,
+        0x534be79062b2b1L,0x029ead089b37e3L,0x4d585da558f5aaL,
+        0x1f9737eb43c376L },
+      { 0x0426dfd9b86202L,0x4162866bc0a9f3L,0x18fc518e7bb465L,
+        0x6db63380fed812L,0x421e117f709c30L,0x1597f8d0f5cee6L,
+        0x04ffbf1289b06aL } },
+    /* 170 */
+    { { 0x61a1987ffa0a5fL,0x42058c7fc213c6L,0x15b1d38447d2c9L,
+        0x3d5f5d7932565eL,0x5db754af445fa7L,0x5d489189fba499L,
+        0x02c4c55f51141bL },
+      { 0x26b15972e9993dL,0x2fc90bcbd97c45L,0x2ff60f8684b0f1L,
+        0x1dc641dd339ab0L,0x3e38e6be23f82cL,0x3368162752c817L,
+        0x19bba80ceb45ceL } },
+    /* 171 */
+    { { 0x7c6e95b4c6c693L,0x6bbc6d5efa7093L,0x74d7f90bf3bf1cL,
+        0x54d5be1f0299a1L,0x7cb24f0aa427c6L,0x0a18f3e086c941L,
+        0x058a1c90e4faefL },
+      { 0x3d6bd016927e1eL,0x1da4ce773098b8L,0x2133522e690056L,
+        0x0751416d3fc37eL,0x1beed1643eda66L,0x5288b6727d5c54L,
+        0x199320e78655c6L } },
+    /* 172 */
+    { { 0x74575027eeaf94L,0x124bd533c3ceaeL,0x69421ab7a8a1d7L,
+        0x37f2127e093f3dL,0x40281765252a08L,0x25a228798d856dL,
+        0x326eca62759c4cL },
+      { 0x0c337c51acb0a5L,0x122ba78c1ef110L,0x02498adbb68dc4L,
+        0x67240c124b089eL,0x135865d25d9f89L,0x338a76d5ae5670L,
+        0x03a8efaf130385L } },
+    /* 173 */
+    { { 0x3a450ac5e49beaL,0x282af80bb4b395L,0x6779eb0db1a139L,
+        0x737cabdd174e55L,0x017b14ca79b5f2L,0x61fdef6048e137L,
+        0x3acc12641f6277L },
+      { 0x0f730746fe5096L,0x21d05c09d55ea1L,0x64d44bddb1a560L,
+        0x75e5035c4778deL,0x158b7776613513L,0x7b5efa90c7599eL,
+        0x2caa0791253b95L } },
+    /* 174 */
+    { { 0x288e5b6d53e6baL,0x435228909d45feL,0x33b4cf23b2a437L,
+        0x45b352017d6db0L,0x4372d579d6ef32L,0x0fa9e5badbbd84L,
+        0x3a78cff24759bbL },
+      { 0x0899d2039eab6eL,0x4cf47d2f76bc22L,0x373f739a3a8c69L,
+        0x09beaa5b1000b3L,0x0acdfbe83ebae5L,0x10c10befb0e900L,
+        0x33d2ac4cc31be3L } },
+    /* 175 */
+    { { 0x765845931e08fbL,0x2a3c2a0dc58007L,0x7270da587d90e1L,
+        0x1ee648b2bc8f86L,0x5d2ca68107b29eL,0x2b7064846e9e92L,
+        0x3633ed98dbb962L },
+      { 0x5e0f16a0349b1bL,0x58d8941f570ca4L,0x20abe376a4cf34L,
+        0x0f4bd69a360977L,0x21eb07cc424ba7L,0x720d2ecdbbe6ecL,
+        0x255597d5a97c34L } },
+    /* 176 */
+    { { 0x67bbf21a0f5e94L,0x422a3b05a64fc1L,0x773ac447ebddc7L,
+        0x1a1331c08019f1L,0x01ef6d269744ddL,0x55f7be5b3b401aL,
+        0x072e031c681273L },
+      { 0x7183289e21c677L,0x5e0a3391f3162fL,0x5e02d9e65d914aL,
+        0x07c79ea1adce2fL,0x667ca5c2e1cbe4L,0x4f287f22caccdaL,
+        0x27eaa81673e75bL } },
+    /* 177 */
+    { { 0x5246180a078fe6L,0x67cc8c9fa3bb15L,0x370f8dd123db31L,
+        0x1938dafa69671aL,0x5af72624950c5eL,0x78cc5221ebddf8L,
+        0x22d616fe2a84caL },
+      { 0x723985a839327fL,0x24fa95584a5e22L,0x3d8a5b3138d38bL,
+        0x3829ef4a017acfL,0x4f09b00ae055c4L,0x01df84552e4516L,
+        0x2a7a18993e8306L } },
+    /* 178 */
+    { { 0x7b6224bc310eccL,0x69e2cff429da16L,0x01c850e5722869L,
+        0x2e4889443ee84bL,0x264a8df1b3d09fL,0x18a73fe478d0d6L,
+        0x370b52740f9635L },
+      { 0x52b7d3a9d6f501L,0x5c49808129ee42L,0x5b64e2643fd30cL,
+        0x27d903fe31b32cL,0x594cb084d078f9L,0x567fb33e3ae650L,
+        0x0db7be9932cb65L } },
+    /* 179 */
+    { { 0x19b78113ed7cbeL,0x002b2f097a1c8cL,0x70b1dc17fa5794L,
+        0x786e8419519128L,0x1a45ba376af995L,0x4f6aa84b8d806cL,
+        0x204b4b3bc7ca47L },
+      { 0x7581a05fd94972L,0x1c73cadb870799L,0x758f6fefc09b88L,
+        0x35c62ba8049b42L,0x6f5e71fc164cc3L,0x0cd738b5702721L,
+        0x10021afac9a423L } },
+    /* 180 */
+    { { 0x654f7937e3c115L,0x5d198288b515cbL,0x4add965c25a6e3L,
+        0x5a37df33cd76ffL,0x57bb7e288e1631L,0x049b69089e1a31L,
+        0x383a88f4122a99L },
+      { 0x4c0e4ef3d80a73L,0x553c77ac9f30e2L,0x20bb18c2021e82L,
+        0x2aec0d1c4225c5L,0x397fce0ac9c302L,0x2ab0c2a246e8aaL,
+        0x02e5e5190be080L } },
+    /* 181 */
+    { { 0x7a255a4ae03080L,0x0d68b01513f624L,0x29905bd4e48c8cL,
+        0x1d81507027466bL,0x1684aaeb70dee1L,0x7dd460719f0981L,
+        0x29c43b0f0a390cL },
+      { 0x272567681b1f7dL,0x1d2a5f8502e0efL,0x0fd5cd6b221befL,
+        0x5eb4749e9a0434L,0x7d1553a324e2a6L,0x2eefd8e86a7804L,
+        0x2ad80d5335109cL } },
+    /* 182 */
+    { { 0x25342aef4c209dL,0x24e811ac4e0865L,0x3f209757f8ae9dL,
+        0x1473ff8a5da57bL,0x340f61c3919cedL,0x7523bf85fb9bc0L,
+        0x319602ebca7cceL },
+      { 0x121e7541d442cbL,0x4ffa748e49c95cL,0x11493cd1d131dcL,
+        0x42b215172ab6b5L,0x045fd87e13cc77L,0x0ae305df76342fL,
+        0x373b033c538512L } },
+    /* 183 */
+    { { 0x389541e9539819L,0x769f3b29b7e239L,0x0d05f695e3232cL,
+        0x029d04f0e9a9fbL,0x58b78b7a697fb8L,0x7531b082e6386bL,
+        0x215d235bed95a9L },
+      { 0x503947c1859c5dL,0x4b82a6ba45443fL,0x78328eab71b3a5L,
+        0x7d8a77f8cb3509L,0x53fcd9802e41d4L,0x77552091976edbL,
+        0x226c60ad7a5156L } },
+    /* 184 */
+    { { 0x77ad6a43360710L,0x0fdeabd326d7aeL,0x4012886c92104aL,
+        0x2d6c378dd7ae33L,0x7e72ef2c0725f3L,0x4a4671f4ca18e0L,
+        0x0afe3b4bb6220fL },
+      { 0x212cf4b56e0d6aL,0x7c24d086521960L,0x0662cf71bd414dL,
+        0x1085b916c58c25L,0x781eed2be9a350L,0x26880e80db6ab2L,
+        0x169e356442f061L } },
+    /* 185 */
+    { { 0x57aa2ad748b02cL,0x68a34256772a9aL,0x1591c44962f96cL,
+        0x110a9edd6e53d2L,0x31eab597e091a3L,0x603e64e200c65dL,
+        0x2f66b72e8a1cfcL },
+      { 0x5c79d138543f7fL,0x412524363fdfa3L,0x547977e3b40008L,
+        0x735ca25436d9f7L,0x232b4888cae049L,0x27ce37a53d8f23L,
+        0x34d45881a9b470L } },
+    /* 186 */
+    { { 0x76b95255924f43L,0x035c9f3bd1aa5dL,0x5eb71a010b4bd0L,
+        0x6ce8dda7e39f46L,0x35679627ea70c0L,0x5c987767c7d77eL,
+        0x1fa28952b620b7L },
+      { 0x106f50b5924407L,0x1cc3435a889411L,0x0597cdce3bc528L,
+        0x738f8b0d5077d1L,0x5894dd60c7dd6aL,0x0013d0721f5e2eL,
+        0x344573480527d3L } },
+    /* 187 */
+    { { 0x2e2c1da52abf77L,0x394aa8464ad05eL,0x095259b7330a83L,
+        0x686e81cf6a11f5L,0x405c7e48c93c7cL,0x65c3ca9444a2ecL,
+        0x07bed6c59c3563L },
+      { 0x51f9d994fb1471L,0x3c3ecfa5283b4eL,0x494dccda63f6ccL,
+        0x4d07b255363a75L,0x0d2b6d3155d118L,0x3c688299fc9497L,
+        0x235692fa3dea3aL } },
+    /* 188 */
+    { { 0x16b4d452669e98L,0x72451fa85406b9L,0x674a145d39151fL,
+        0x325ffd067ae098L,0x527e7805cd1ae0L,0x422a1d1789e48dL,
+        0x3e27be63f55e07L },
+      { 0x7f95f6dee0b63fL,0x008e444cc74969L,0x01348f3a72b614L,
+        0x000cfac81348c3L,0x508ae3e5309ce5L,0x2584fcdee44d34L,
+        0x3a4dd994899ee9L } },
+    /* 189 */
+    { { 0x4d289cc0368708L,0x0e5ebc60dc3b40L,0x78cc44bfab1162L,
+        0x77ef2173b7d11eL,0x06091718e39746L,0x30fe19319b83a4L,
+        0x17e8f2988529c6L },
+      { 0x68188bdcaa9f2aL,0x0e64b1350c1bddL,0x5b18ebac7cc4b3L,
+        0x75315a9fcc046eL,0x36e9770fd43db4L,0x54c5857fc69121L,
+        0x0417e18f3e909aL } },
+    /* 190 */
+    { { 0x29795db38059adL,0x6efd20c8fd4016L,0x3b6d1ce8f95a1aL,
+        0x4db68f177f8238L,0x14ec7278d2340fL,0x47bd77ff2b77abL,
+        0x3d2dc8cd34e9fcL },
+      { 0x285980a5a83f0bL,0x08352e2d516654L,0x74894460481e1bL,
+        0x17f6f3709c480dL,0x6b590d1b55221eL,0x45c100dc4c9be9L,
+        0x1b13225f9d8b91L } },
+    /* 191 */
+    { { 0x0b905fb4b41d9dL,0x48cc8a474cb7a2L,0x4eda67e8de09b2L,
+        0x1de47c829adde8L,0x118ad5b9933d77L,0x7a12665ac3f9a4L,
+        0x05631a4fb52997L },
+      { 0x5fb2a8e6806e63L,0x27d96bbcca369bL,0x46066f1a6b8c7bL,
+        0x63b58fc7ca3072L,0x170a36229c0d62L,0x57176f1e463203L,
+        0x0c7ce083e73b9cL } },
+    /* 192 */
+    { { 0x31caf2c09e1c72L,0x6530253219e9d2L,0x7650c98b601c57L,
+        0x182469f99d56c0L,0x415f65d292b7a7L,0x30f62a55549b8eL,
+        0x30f443f643f465L },
+      { 0x6b35c575ddadd0L,0x14a23cf6d299eeL,0x2f0198c0967d7dL,
+        0x1013058178d5bfL,0x39da601c9cc879L,0x09d8963ec340baL,
+        0x1b735db13ad2a7L } },
+    /* 193 */
+    { { 0x20916ffdc83f01L,0x16892aa7c9f217L,0x6bff179888d532L,
+        0x4adf3c3d366288L,0x41a62b954726aeL,0x3139609022aeb6L,
+        0x3e8ab9b37aff7aL },
+      { 0x76bbc70f24659aL,0x33fa98513886c6L,0x13b26af62c4ea6L,
+        0x3c4d5826389a0cL,0x526ec28c02bf6aL,0x751ff083d79a7cL,
+        0x110ac647990224L } },
+    /* 194 */
+    { { 0x2c6c62fa2b6e20L,0x3d37edad30c299L,0x6ef25b44b65fcaL,
+        0x7470846914558eL,0x712456eb913275L,0x075a967a9a280eL,
+        0x186c8188f2a2a0L },
+      { 0x2f3b41a6a560b1L,0x3a8070b3f9e858L,0x140936ff0e1e78L,
+        0x5fd298abe6da8aL,0x3823a55d08f153L,0x3445eafaee7552L,
+        0x2a5fc96731a8b2L } },
+    /* 195 */
+    { { 0x06317be58edbbbL,0x4a38f3bfbe2786L,0x445b60f75896b7L,
+        0x6ec7c92b5adf57L,0x07b6be8038a441L,0x1bcfe002879655L,
+        0x2a2174037d6d0eL },
+      { 0x776790cf9e48bdL,0x73e14a2c4ed1d3L,0x7eb5ed5f2fc2f7L,
+        0x3e0aedb821b384L,0x0ee3b7e151c12fL,0x51a6a29e044bb2L,
+        0x0ba13a00cb0d86L } },
+    /* 196 */
+    { { 0x77607d563ec8d8L,0x023fc726996e44L,0x6bd63f577a9986L,
+        0x114a6351e53973L,0x3efe97989da046L,0x1051166e117ed7L,
+        0x0354933dd4fb5fL },
+      { 0x7699ca2f30c073L,0x4c973b83b9e6d3L,0x2017c2abdbc3e8L,
+        0x0cdcdd7a26522bL,0x511070f5b23c7dL,0x70672327e83d57L,
+        0x278f842b4a9f26L } },
+    /* 197 */
+    { { 0x0824f0d4ae972fL,0x60578dd08dcf52L,0x48a74858290fbbL,
+        0x7302748bf23030L,0x184b229a178acfL,0x3e8460ade089d6L,
+        0x13f2b557fad533L },
+      { 0x7f96f3ae728d15L,0x018d8d40066341L,0x01fb94955a289aL,
+        0x2d32ed6afc2657L,0x23f4f5e462c3acL,0x60eba5703bfc5aL,
+        0x1b91cc06f16c7aL } },
+    /* 198 */
+    { { 0x411d68af8219b9L,0x79cca36320f4eeL,0x5c404e0ed72e20L,
+        0x417cb8692e43f2L,0x305d29c7d98599L,0x3b754d5794a230L,
+        0x1c97fb4be404e9L },
+      { 0x7cdbafababd109L,0x1ead0eb0ca5090L,0x1a2b56095303e3L,
+        0x75dea935012c8fL,0x67e31c071b1d1dL,0x7c324fbfd172c3L,
+        0x157e257e6498f7L } },
+    /* 199 */
+    { { 0x19b00db175645bL,0x4c4f6cb69725f1L,0x36d9ce67bd47ceL,
+        0x2005e105179d64L,0x7b952e717867feL,0x3c28599204032cL,
+        0x0f5659d44fb347L },
+      { 0x1ebcdedb979775L,0x4378d45cfd11a8L,0x14c85413ca66e9L,
+        0x3dd17d681c8a4dL,0x58368e7dc23142L,0x14f3eaac6116afL,
+        0x0adb45b255f6a0L } },
+    /* 200 */
+    { { 0x2f5e76279ad982L,0x125b3917034d09L,0x3839a6399e6ed3L,
+        0x32fe0b3ebcd6a2L,0x24ccce8be90482L,0x467e26befcc187L,
+        0x2828434e2e218eL },
+      { 0x17247cd386efd9L,0x27f36a468d85c3L,0x65e181ef203bbfL,
+        0x0433a6761120afL,0x1d607a2a8f8625L,0x49f4e55a13d919L,
+        0x3367c3b7943e9dL } },
+    /* 201 */
+    { { 0x3391c7d1a46d4dL,0x38233d602d260cL,0x02127a0f78b7d4L,
+        0x56841c162c24c0L,0x4273648fd09aa8L,0x019480bb0e754eL,
+        0x3b927987b87e58L },
+      { 0x6676be48c76f73L,0x01ec024e9655aeL,0x720fe1c6376704L,
+        0x17e06b98885db3L,0x656adec85a4200L,0x73780893c3ce88L,
+        0x0a339cdd8df664L } },
+    /* 202 */
+    { { 0x69af7244544ac7L,0x31ab7402084d2fL,0x67eceb7ef7cb19L,
+        0x16f8583b996f61L,0x1e208d12faf91aL,0x4a91584ce4a42eL,
+        0x3e08337216c93eL },
+      { 0x7a6eea94f4cf77L,0x07a52894678c60L,0x302dd06b14631eL,
+        0x7fddb7225c9ceaL,0x55e441d7acd153L,0x2a00d4490b0f44L,
+        0x053ef125338cdbL } },
+    /* 203 */
+    { { 0x120c0c51584e3cL,0x78b3efca804f37L,0x662108aefb1dccL,
+        0x11deb55f126709L,0x66def11ada8125L,0x05bbc0d1001711L,
+        0x1ee1c99c7fa316L },
+      { 0x746f287de53510L,0x1733ef2e32d09cL,0x1df64a2b0924beL,
+        0x19758da8f6405eL,0x28f6eb3913e484L,0x7175a1090cc640L,
+        0x048aee0d63f0bcL } },
+    /* 204 */
+    { { 0x1f3b1e3b0b29c3L,0x48649f4882a215L,0x485eca3a9e0dedL,
+        0x4228ba85cc82e4L,0x36da1f39bc9379L,0x1659a7078499d1L,
+        0x0a67d5f6c04188L },
+      { 0x6ac39658afdce3L,0x0d667a0bde8ef6L,0x0ae6ec0bfe8548L,
+        0x6d9cb2650571bfL,0x54bea107760ab9L,0x705c53bd340cf2L,
+        0x111a86b610c70fL } },
+    /* 205 */
+    { { 0x7ecea05c6b8195L,0x4f8be93ce3738dL,0x305de9eb9f5d12L,
+        0x2c3b9d3d474b56L,0x673691a05746c3L,0x2e3482c428c6eaL,
+        0x2a8085fde1f472L },
+      { 0x69d15877fd3226L,0x4609c9ec017cc3L,0x71e9b7fc1c3dbcL,
+        0x4f8951254e2675L,0x63ee9d15afa010L,0x0f05775b645190L,
+        0x28a0a439397ae3L } },
+    /* 206 */
+    { { 0x387fa03e9de330L,0x40cc32b828b6abL,0x02a482fbc04ac9L,
+        0x68cad6e70429b7L,0x741877bff6f2c4L,0x48efe633d3b28bL,
+        0x3e612218fe24b3L },
+      { 0x6fc1d34fe37657L,0x3d04b9e1c8b5a1L,0x6a2c332ef8f163L,
+        0x7ca97e2b135690L,0x37357d2a31208aL,0x29f02f2332bd68L,
+        0x17c674c3e63a57L } },
+    /* 207 */
+    { { 0x683d9a0e6865bbL,0x5e77ec68ad4ce5L,0x4d18f236788bd6L,
+        0x7f34b87204f4e3L,0x391ca40e9e578dL,0x3470ed6ddf4e23L,
+        0x225544b3e50989L },
+      { 0x48eda8cb4e462bL,0x2a948825cf9109L,0x473adedc7e1300L,
+        0x37b843b82192edL,0x2b9ac1537dde36L,0x4efe7412732332L,
+        0x29cc5981b5262bL } },
+    /* 208 */
+    { { 0x190d2fcad260f5L,0x7c53dd81d18027L,0x003def5f55db0eL,
+        0x7f5ed25bee2df7L,0x2b87e9be167d2eL,0x2b999c7bbcd224L,
+        0x1d68a2c260ad50L },
+      { 0x010bcde84607a6L,0x0250de9b7e1bedL,0x746d36bfaf1b56L,
+        0x3359475ff56abbL,0x7e84b9bc440b20L,0x2eaa7e3b52f162L,
+        0x01165412f36a69L } },
+    /* 209 */
+    { { 0x639a02329e5836L,0x7aa3ee2e4d3a27L,0x5bc9b258ecb279L,
+        0x4cb3dfae2d62c6L,0x08d9d3b0c6c437L,0x5a2c177d47eab2L,
+        0x36120479fc1f26L },
+      { 0x7609a75bd20e4aL,0x3ba414e17551fcL,0x42cd800e1b90c9L,
+        0x04921811b88f9bL,0x4443697f9562fdL,0x3a8081b8186959L,
+        0x3f5b5c97379e73L } },
+    /* 210 */
+    { { 0x6fd0e3cf13eafbL,0x3976b5415cbf67L,0x4de40889e48402L,
+        0x17e4d36f24062aL,0x16ae7755cf334bL,0x2730ac94b7e0e1L,
+        0x377592742f48e0L },
+      { 0x5e10b18a045041L,0x682792afaae5a1L,0x19383ec971b816L,
+        0x208b17dae2ffc0L,0x439f9d933179b6L,0x55485a9090bcaeL,
+        0x1c316f42a2a35cL } },
+    /* 211 */
+    { { 0x67173897bdf646L,0x0b6956653ef94eL,0x5be3c97f7ea852L,
+        0x3110c12671f08eL,0x2474076a3fc7ecL,0x53408be503fe72L,
+        0x09155f53a5b44eL },
+      { 0x5c804bdd4c27cdL,0x61e81eb8ffd50eL,0x2f7157fdf84717L,
+        0x081f880d646440L,0x7aa892acddec51L,0x6ae70683443f33L,
+        0x31ed9e8b33a75aL } },
+    /* 212 */
+    { { 0x0d724f8e357586L,0x1febbec91b4134L,0x6ff7b98a9475fdL,
+        0x1c4d9b94e1f364L,0x2b8790499cef00L,0x42fd2080a1b31dL,
+        0x3a3bbc6d9b0145L },
+      { 0x75bfebc37e3ca9L,0x28db49c1723bd7L,0x50b12fa8a1f17aL,
+        0x733d95bbc84b98L,0x45ede81f6c109eL,0x18f5e46fb37b5fL,
+        0x34b980804aaec1L } },
+    /* 213 */
+    { { 0x56060c8a4f57bfL,0x0d2dfe223054c2L,0x718a5bbc03e5d6L,
+        0x7b3344cc19b3b9L,0x4d11c9c054bcefL,0x1f5ad422c22e33L,
+        0x2609299076f86bL },
+      { 0x7b7a5fba89fd01L,0x7013113ef3b016L,0x23d5e0a173e34eL,
+        0x736c14462f0f50L,0x1ef5f7ac74536aL,0x4baba6f4400ea4L,
+        0x17b310612c9828L } },
+    /* 214 */
+    { { 0x4ebb19a708c8d3L,0x209f8c7f03d9bbL,0x00461cfe5798fbL,
+        0x4f93b6ae822fadL,0x2e5b33b5ad5447L,0x40b024e547a84bL,
+        0x22ffad40443385L },
+      { 0x33809c888228bfL,0x559f655fefbe84L,0x0032f529fd2f60L,
+        0x5a2191ece3478cL,0x5b957fcd771246L,0x6fec181f9ed123L,
+        0x33eed3624136a3L } },
+    /* 215 */
+    { { 0x6a5df93b26139aL,0x55076598fd7134L,0x356a592f34f81dL,
+        0x493c6b5a3d4741L,0x435498a4e2a39bL,0x2cd26a0d931c88L,
+        0x01925ea3fc7835L },
+      { 0x6e8d992b1efa05L,0x79508a727c667bL,0x5f3c15e6b4b698L,
+        0x11b6c755257b93L,0x617f5af4b46393L,0x248d995b2b6656L,
+        0x339db62e2e22ecL } },
+    /* 216 */
+    { { 0x52537a083843dcL,0x6a283c82a768c7L,0x13aa6bf25227acL,
+        0x768d76ba8baf5eL,0x682977a6525808L,0x67ace52ac23b0bL,
+        0x2374b5a2ed612dL },
+      { 0x7139e60133c3a4L,0x715697a4f1d446L,0x4b018bf36677a0L,
+        0x1dd43837414d83L,0x505ec70730d4f6L,0x09ac100907fa79L,
+        0x21caad6e03217eL } },
+    /* 217 */
+    { { 0x0776d3999d4d49L,0x33bdd87e8bcff8L,0x1036b87f068fadL,
+        0x0a9b8ffde4c872L,0x7ab2533596b1eaL,0x305a88fb965378L,
+        0x3356d8fa4d65e5L },
+      { 0x3366fa77d1ff11L,0x1e0bdbdcd2075cL,0x46910cefc967caL,
+        0x7ce700737a1ff6L,0x1c5dc15409c9bdL,0x368436b9bdb595L,
+        0x3e7ccd6560b5efL } },
+    /* 218 */
+    { { 0x1443789422c792L,0x524792b1717f2bL,0x1f7c1d95048e7aL,
+        0x5cfe2a225b0d12L,0x245594d29ce85bL,0x20134d254ce168L,
+        0x1b83296803921aL },
+      { 0x79a78285b3beceL,0x3c738c3f3124d6L,0x6ab9d1fe0907cdL,
+        0x0652ceb7fc104cL,0x06b5f58c8ae3fdL,0x486959261c5328L,
+        0x0b3813ae677c90L } },
+    /* 219 */
+    { { 0x66b9941ac37b82L,0x651a4b609b0686L,0x046711edf3fc31L,
+        0x77f89f38faa89bL,0x2683ddbf2d5edbL,0x389ef1dfaa3c25L,
+        0x20b3616e66273eL },
+      { 0x3c6db6e0cb5d37L,0x5d7ae5dc342bc4L,0x74a1dc6c52062bL,
+        0x6f7c0bec109557L,0x5c51f7bc221d91L,0x0d7b5880745288L,
+        0x1c46c145c4b0ddL } },
+    /* 220 */
+    { { 0x59ed485ea99eccL,0x201b71956bc21dL,0x72d5c32f73de65L,
+        0x1aefd76547643eL,0x580a452cfb2c2dL,0x7cb1a63f5c4dc9L,
+        0x39a8df727737aaL },
+      { 0x365a341deca452L,0x714a1ad1689cbaL,0x16981d12c42697L,
+        0x5a124f4ac91c75L,0x1b2e3f2fedc0dbL,0x4a1c72b8e9d521L,
+        0x3855b4694e4e20L } },
+    /* 221 */
+    { { 0x16b3d047181ae9L,0x17508832f011afL,0x50d33cfeb2ebd1L,
+        0x1deae237349984L,0x147c641aa6adecL,0x24a9fb4ebb1ddbL,
+        0x2b367504a7a969L },
+      { 0x4c55a3d430301bL,0x379ef6a5d492cbL,0x3c56541fc0f269L,
+        0x73a546e91698ceL,0x2c2b62ee0b9b5dL,0x6284184d43d0efL,
+        0x0e1f5cf6a4b9f0L } },
+    /* 222 */
+    { { 0x44833e8cd3fdacL,0x28e6665cb71c27L,0x2f8bf87f4ddbf3L,
+        0x6cc6c767fb38daL,0x3bc114d734e8b5L,0x12963d5a78ca29L,
+        0x34532a161ece41L },
+      { 0x2443af5d2d37e9L,0x54e6008c8c452bL,0x2c55d54111cf1bL,
+        0x55ac7f7522575aL,0x00a6fba3f8575fL,0x3f92ef3b793b8dL,
+        0x387b97d69ecdf7L } },
+    /* 223 */
+    { { 0x0b464812d29f46L,0x36161daa626f9aL,0x5202fbdb264ca5L,
+        0x21245805ff1304L,0x7f9c4a65657885L,0x542d3887f9501cL,
+        0x086420deef8507L },
+      { 0x5e159aa1b26cfbL,0x3f0ef5ffd0a50eL,0x364b29663a432aL,
+        0x49c56888af32a8L,0x6f937e3e0945d1L,0x3cbdeec6d766cdL,
+        0x2d80d342ece61aL } },
+    /* 224 */
+    { { 0x255e3026d8356eL,0x4ddba628c4de9aL,0x074323b593e0d9L,
+        0x333bdb0a10eefbL,0x318b396e473c52L,0x6ebb5a95efd3d3L,
+        0x3f3bff52aa4e4fL },
+      { 0x3138a111c731d5L,0x674365e283b308L,0x5585edd9c416f2L,
+        0x466763d9070fd4L,0x1b568befce8128L,0x16eb040e7b921eL,
+        0x3d5c898687c157L } },
+    /* 225 */
+    { { 0x14827736973088L,0x4e110d53f301e6L,0x1f811b09870023L,
+        0x53b5e500dbcacaL,0x4ddf0df1e6a7dcL,0x1e9575fb10ce35L,
+        0x3fdc153644d936L },
+      { 0x763547e2260594L,0x26e5ae764efc59L,0x13be6f4d791a29L,
+        0x2021e61e3a0cf1L,0x339cd2b4a1c202L,0x5c7451e08f5121L,
+        0x3728b3a851be68L } },
+    /* 226 */
+    { { 0x78873653277538L,0x444b9ed2ee7156L,0x79ac8b8b069cd3L,
+        0x5f0e90933770e8L,0x307662c615389eL,0x40fe6d95a80057L,
+        0x04822170cf993cL },
+      { 0x677d5690fbfec2L,0x0355af4ae95cb3L,0x417411794fe79eL,
+        0x48daf87400a085L,0x33521d3b5f0aaaL,0x53567a3be00ff7L,
+        0x04712ccfb1cafbL } },
+    /* 227 */
+    { { 0x2b983283c3a7f3L,0x579f11b146a9a6L,0x1143d3b16a020eL,
+        0x20f1483ef58b20L,0x3f03e18d747f06L,0x3129d12f15de37L,
+        0x24c911f7222833L },
+      { 0x1e0febcf3d5897L,0x505e26c01cdaacL,0x4f45a9adcff0e9L,
+        0x14dfac063c5cebL,0x69e5ce713fededL,0x3481444a44611aL,
+        0x0ea49295c7fdffL } },
+    /* 228 */
+    { { 0x64554cb4093beeL,0x344b4b18dd81f6L,0x350f43b4de9b59L,
+        0x28a96a220934caL,0x4aa8da5689a515L,0x27171cbd518509L,
+        0x0cfc1753f47c95L },
+      { 0x7dfe091b615d6eL,0x7d1ee0aa0fb5c1L,0x145eef3200b7b5L,
+        0x33fe88feeab18fL,0x1d62d4f87453e2L,0x43b8db4e47fff1L,
+        0x1572f2b8b8f368L } },
+    /* 229 */
+    { { 0x6bc94e6b4e84f3L,0x60629dee586a66L,0x3bbad5fe65ca18L,
+        0x217670db6c2fefL,0x0320a7f4e3272aL,0x3ccff0d976a6deL,
+        0x3c26da8ae48cccL },
+      { 0x53ecf156778435L,0x7533064765a443L,0x6c5c12f03ca5deL,
+        0x44f8245350dabfL,0x342cdd777cf8b3L,0x2b539c42e9f58dL,
+        0x10138affc279b1L } },
+    /* 230 */
+    { { 0x1b135e204c5ddbL,0x40887dfeaa1d37L,0x7fb0ef83da76ffL,
+        0x521f2b79af55a5L,0x3f9b38b4c3f0d0L,0x20a9838cce61ceL,
+        0x24bb4e2f4b1e32L },
+      { 0x003f6aa386e27cL,0x68df59db0a0f8eL,0x21677d5192e713L,
+        0x14ab9757501276L,0x411944af961524L,0x3184f39abc5c3fL,
+        0x2a8dda80ca078dL } },
+    /* 231 */
+    { { 0x0592233cdbc95cL,0x54d5de5c66f40fL,0x351caa1512ab86L,
+        0x681bdbee020084L,0x6ee2480c853e68L,0x6a5a44262b918fL,
+        0x06574e15a3b91dL },
+      { 0x31ba03dacd7fbeL,0x0c3da7c18a57a9L,0x49aaaded492d6bL,
+        0x3071ff53469e02L,0x5efb4f0d7248c6L,0x6db5fb67f12628L,
+        0x29cff668e3d024L } },
+    /* 232 */
+    { { 0x1b9ef3bb1b17ceL,0x6ccf8c24fe6312L,0x34c15487f45008L,
+        0x1a84044095972cL,0x515073a47e449eL,0x2ddc93f9097feeL,
+        0x1008fdc894c434L },
+      { 0x08e5edb73399faL,0x65b1aa65547d4cL,0x3a117a1057c498L,
+        0x7e16c3089d13acL,0x502f2ae4b6f851L,0x57a70f3eb62673L,
+        0x111b48a9a03667L } },
+    /* 233 */
+    { { 0x5023024be164f1L,0x25ad117032401eL,0x46612b3bfe3427L,
+        0x2f4f406a8a02b7L,0x16a93a5c4ddf07L,0x7ee71968fcdbe9L,
+        0x2267875ace37daL },
+      { 0x687e88b59eb2a6L,0x3ac7368fe716d3L,0x28d953a554a036L,
+        0x34d52c0acca08fL,0x742a7cf8dd4fd9L,0x10bfeb8575ea60L,
+        0x290e454d868dccL } },
+    /* 234 */
+    { { 0x4e72a3a8a4bdd2L,0x1ba36d1dee04d5L,0x7a43136b63195bL,
+        0x6ca8e286a519f3L,0x568e64aece08a9L,0x571d5000b5c10bL,
+        0x3f75e9f5dbdd40L },
+      { 0x6fb0a698d6fa45L,0x0ce42209d7199cL,0x1f68275f708a3eL,
+        0x5749832e91ec3cL,0x6c3665521428b2L,0x14b2bf5747bd4aL,
+        0x3b6f940e42a22bL } },
+    /* 235 */
+    { { 0x4da0adbfb26c82L,0x16792a585f39acL,0x17df9dfda3975cL,
+        0x4796b4afaf479bL,0x67be67234e0020L,0x69df5f201dda25L,
+        0x09f71a4d12b3dcL },
+      { 0x64ff5ec260a46aL,0x579c5b86385101L,0x4f29a7d549f697L,
+        0x4e64261242e2ebL,0x54ecacdfb6b296L,0x46e0638b5fddadL,
+        0x31eefd3208891dL } },
+    /* 236 */
+    { { 0x5b72c749fe01b2L,0x230cf27523713aL,0x533d1810e0d1e1L,
+        0x5590db7d1dd1e2L,0x7b8ab73e8e43d3L,0x4c8a19bd1c17caL,
+        0x19222ce9f74810L },
+      { 0x6398b3dddc4582L,0x0352b7d88dfd53L,0x3c55b4e10c5a63L,
+        0x38194d13f8a237L,0x106683fd25dd87L,0x59e0b62443458eL,
+        0x196cb70aa9cbb9L } },
+    /* 237 */
+    { { 0x2885f7cd021d63L,0x162bfd4c3e1043L,0x77173dcf98fcd1L,
+        0x13d4591d6add36L,0x59311154d0d8f2L,0x74336e86e79b8aL,
+        0x13faadc5661883L },
+      { 0x18938e7d9ec924L,0x14bcda8fcaa0a1L,0x706d85d41a1355L,
+        0x0ac34520d168deL,0x5a92499fe17826L,0x36c2e3b4f00600L,
+        0x29c2fd7b5f63deL } },
+    /* 238 */
+    { { 0x41250dfe2216c5L,0x44a0ec0366a217L,0x575bc1adf8b0dfL,
+        0x5ff5cdbdb1800bL,0x7843d4dde8ca18L,0x5fa9e420865705L,
+        0x235c38be6c6b02L },
+      { 0x473b78aae91abbL,0x39470c6051e44bL,0x3f973cc2dc08c3L,
+        0x2837932c5c91f6L,0x25e39ed754ec25L,0x1371c837118e53L,
+        0x3b99f3b0aeafe2L } },
+    /* 239 */
+    { { 0x03acf51be46c65L,0x271fceacbaf5c3L,0x476589ed3a5e25L,
+        0x78ec8c3c3c399cL,0x1f5c8bf4ac4c19L,0x730bb733ec68d2L,
+        0x29a37e00dd287eL },
+      { 0x448ed1bf92b5faL,0x10827c17b86478L,0x55e6fc05b28263L,
+        0x0af1226c73a66aL,0x0b66e5df0d09c1L,0x26128315a02682L,
+        0x22d84932c5e808L } },
+    /* 240 */
+    { { 0x5ec3afc26e3392L,0x08e142e45c0084L,0x4388d5ad0f01feL,
+        0x0f7acd36e6140cL,0x028c14ed97dffbL,0x311845675a38c6L,
+        0x01c1c8f09a3062L },
+      { 0x5a302f4cf49e7dL,0x79267e254a44e1L,0x746165052317a1L,
+        0x53a09263a566e8L,0x7d478ad5f73abcL,0x187ce5c947dad3L,
+        0x18564e1a1ec45fL } },
+    /* 241 */
+    { { 0x7b9577a9aa0486L,0x766b40c7aaaef6L,0x1f6a411f5db907L,
+        0x4543dd4d80beaeL,0x0ad938c7482806L,0x451568bf4b9be1L,
+        0x3367ec85d30a22L },
+      { 0x5446425747843dL,0x18d94ac223c6b2L,0x052ff3a354d359L,
+        0x0b4933f89723f5L,0x03fb517740e056L,0x226b892871dddaL,
+        0x2768c2b753f0fdL } },
+    /* 242 */
+    { { 0x685282ccfa5200L,0x411ed433627b89L,0x77d5c9b8bc9c1dL,
+        0x4a13ef2ee5cd29L,0x5582a612407c9eL,0x2307cb42fc3aa9L,
+        0x2e661df79956b8L },
+      { 0x0e972b015254deL,0x5b63e14def8adeL,0x06995be2ca4a95L,
+        0x6cc0cc1e94bf27L,0x7ed8499fe0052aL,0x671a6ca5a5e0f9L,
+        0x31e10d4ba10f05L } },
+    /* 243 */
+    { { 0x690af07e9b2d8aL,0x6030af9e32c8ddL,0x45c7ca3bf2b235L,
+        0x40959077b76c81L,0x61eee7f70d5a96L,0x6b04f6aafe9e38L,
+        0x3c726f55f1898dL },
+      { 0x77d0142a1a6194L,0x1c1631215708b9L,0x403a4f0a9b7585L,
+        0x066c8e29f7cef0L,0x6fc32f98cf575eL,0x518a09d818c297L,
+        0x34144e99989e75L } },
+    /* 244 */
+    { { 0x6adbada859fb6aL,0x0dcfb6506ccd51L,0x68f88b8d573e0dL,
+        0x4b1ce35bd9af30L,0x241c8293ece2c9L,0x3b5f402c5c4adeL,
+        0x34b9b1ee6fde87L },
+      { 0x5e625340075e63L,0x54c3f3d9050da1L,0x2a3f9152509016L,
+        0x3274e46111bc18L,0x3a7504fd01ac73L,0x4169b387a43209L,
+        0x35626f852bc6d4L } },
+    /* 245 */
+    { { 0x576a4f4662e53bL,0x5ea3f20eecec26L,0x4e5f02be5cd7b0L,
+        0x72cc5ac3314be8L,0x0f604ed3201fe9L,0x2a29378ea54bceL,
+        0x2d52bd4d6ec4b6L },
+      { 0x6a4c2b212c1c76L,0x778fd64a1bfa6dL,0x326828691863d6L,
+        0x5616c8bd06a336L,0x5fab552564da4dL,0x46640cab3e91d2L,
+        0x1d21f06427299eL } },
+    /* 246 */
+    { { 0x2bfe37dde98e9cL,0x164c54822332ebL,0x5b736c7df266e4L,
+        0x59dab3a8da084cL,0x0ae1eab346f118L,0x182090a4327e3fL,
+        0x07b13489dae2e6L },
+      { 0x3bc92645452baaL,0x30b159894ae574L,0x5b947c5c78e1f4L,
+        0x18f0e004a3c77fL,0x48ca8f357077d9L,0x349ffdcef9bca9L,
+        0x3ed224bfd54772L } },
+    /* 247 */
+    { { 0x1bdad02db8dff8L,0x69fab4450b44b6L,0x3b6802d187518bL,
+        0x098368d8eb556cL,0x3fe1943fbefcf4L,0x008851d0de6d42L,
+        0x322cbc4605fe25L },
+      { 0x2528aaf0d51afbL,0x7d48a9363a0cecL,0x4ba8f77d9a8f8bL,
+        0x7dee903437d6c7L,0x1ff5a0d9ccc4b4L,0x34d9bd2fa99831L,
+        0x30d9e4f58667c6L } },
+    /* 248 */
+    { { 0x38909b51b85197L,0x7ba16992512bd4L,0x2c776cfcfffec5L,
+        0x2be7879075843cL,0x557e2b05d28ffcL,0x641b17bc5ce357L,
+        0x1fcaf8a3710306L },
+      { 0x54dca2299a2d48L,0x745d06ef305acaL,0x7c41c65c6944c2L,
+        0x679412ec431902L,0x48f2b15ee62827L,0x341a96d8afe06eL,
+        0x2a78fd3690c0e1L } },
+    /* 249 */
+    { { 0x6b7cec83fbc9c6L,0x238e8a82eefc67L,0x5d3c1d9ff0928cL,
+        0x55b816d6409bbfL,0x7969612adae364L,0x55b6ff96db654eL,
+        0x129beca10073a9L },
+      { 0x0b1d2acdfc73deL,0x5d1a3605fa64bdL,0x436076146743beL,
+        0x64044b89fcce0cL,0x7ae7b3c18f7fafL,0x7f083ee27cea36L,
+        0x0292cd0d7c1ff0L } },
+    /* 250 */
+    { { 0x5a3c4c019b7d2eL,0x1a35a9b89712fbL,0x38736cc4f18c72L,
+        0x603dd832a44e6bL,0x000d1d44aed104L,0x69b1f2fc274ebeL,
+        0x03a7b993f76977L },
+      { 0x299f3b3e346910L,0x5243f45295afd5L,0x34342cbfa588bdL,
+        0x72c40dd1155510L,0x718024fed2f991L,0x2f935e765ad82aL,
+        0x246799ea371fb8L } },
+    /* 251 */
+    { { 0x24fe4c76250533L,0x01cafb02fdf18eL,0x505cb25d462882L,
+        0x3e038175157d87L,0x7e3e99b10cdeb1L,0x38b7e72ebc7936L,
+        0x081845f7c73433L },
+      { 0x049e61be05ebd5L,0x6ab82d8f0581f6L,0x62adffb427ac2eL,
+        0x19431f809d198dL,0x36195f6c58b1d6L,0x22cc4c9dedc9a7L,
+        0x24b146d8e694fcL } },
+    /* 252 */
+    { { 0x7c7bc8288b364dL,0x5c10f683cb894aL,0x19a62a68452958L,
+        0x1fc24dcb4ce90eL,0x726baa4ed9581fL,0x1f34447dde73d6L,
+        0x04c56708f30a21L },
+      { 0x131e583a3f4963L,0x071215b4d502e7L,0x196aca542e5940L,
+        0x3afd5a91f7450eL,0x671b6eedf49497L,0x6aac7aca5c29e4L,
+        0x3fb512470f138bL } },
+    /* 253 */
+    { { 0x5eadc3f4eb453eL,0x16c795ba34b666L,0x5d7612a4697fddL,
+        0x24dd19bb499e86L,0x415b89ca3eeb9bL,0x7c83edf599d809L,
+        0x13bc64c9b70269L },
+      { 0x52d3243dca3233L,0x0b21444b3a96a7L,0x6d551bc0083b90L,
+        0x4f535b88c61176L,0x11e61924298010L,0x0a155b415bb61dL,
+        0x17f94fbd26658fL } },
+    /* 254 */
+    { { 0x2dd06b90c28c65L,0x48582339c8fa6eL,0x01ac8bf2085d94L,
+        0x053e660e020fdcL,0x1bece667edf07bL,0x4558f2b33ce24cL,
+        0x2f1a766e8673fcL },
+      { 0x1d77cd13c06819L,0x4d5dc5056f3a01L,0x18896c6fa18d69L,
+        0x120047ca76d625L,0x6af8457d4f4e45L,0x70ddc53358b60aL,
+        0x330e11130e82f0L } },
+    /* 255 */
+    { { 0x0643b1cd4c2356L,0x10a2ea0a8f7c92L,0x2752513011d029L,
+        0x4cd4c50321f579L,0x5fdf9ba5724792L,0x2f691653e2ddc0L,
+        0x0cfed3d84226cbL },
+      { 0x704902a950f955L,0x069bfdb87bbf0cL,0x5817eeda8a5f84L,
+        0x1914cdd9089905L,0x0e4a323d7b93f4L,0x1cc3fc340af0b2L,
+        0x23874161bd6303L } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_7(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_7(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[7];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_7(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 7, km);
+
+            err = sp_384_ecc_mulmod_base_7(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_7(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_7(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_add_one_7(sp_digit* a)
+{
+    a[0]++;
+    sp_384_norm_7(a);
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 47U) {
+            r[j] &= 0x7fffffffffffffL;
+            s = 55U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_7(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 7, buf, (int)sizeof(buf));
+            if (sp_384_cmp_7(k, p384_order2) < 0) {
+                sp_384_add_one_7(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[7];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_7(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_7(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_7(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_7(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_7(point->x) == 0) || (sp_384_iszero_7(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_7(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_7(infinity, 1, heap);
+#endif
+    sp_384_point_free_7(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    for (i=0; i<6; i++) {
+        r[i+1] += r[i] >> 55;
+        r[i] &= 0x7fffffffffffffL;
+    }
+    j = 384 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<7 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 55) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 55);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[7];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 7, priv);
+        sp_384_point_from_ecc_point_7(point, pub);
+            err = sp_384_ecc_mulmod_7(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_384_mul_d_7(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int128_t tb = b;
+    int128_t t = 0;
+    int i;
+
+    for (i = 0; i < 7; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x7fffffffffffffL;
+        t >>= 55;
+    }
+    r[7] = (sp_digit)t;
+#else
+    int128_t tb = b;
+    int128_t t[7];
+
+    t[ 0] = tb * a[ 0];
+    t[ 1] = tb * a[ 1];
+    t[ 2] = tb * a[ 2];
+    t[ 3] = tb * a[ 3];
+    t[ 4] = tb * a[ 4];
+    t[ 5] = tb * a[ 5];
+    t[ 6] = tb * a[ 6];
+    r[ 0] =                           (t[ 0] & 0x7fffffffffffffL);
+    r[ 1] = (sp_digit)(t[ 0] >> 55) + (t[ 1] & 0x7fffffffffffffL);
+    r[ 2] = (sp_digit)(t[ 1] >> 55) + (t[ 2] & 0x7fffffffffffffL);
+    r[ 3] = (sp_digit)(t[ 2] >> 55) + (t[ 3] & 0x7fffffffffffffL);
+    r[ 4] = (sp_digit)(t[ 3] >> 55) + (t[ 4] & 0x7fffffffffffffL);
+    r[ 5] = (sp_digit)(t[ 4] >> 55) + (t[ 5] & 0x7fffffffffffffL);
+    r[ 6] = (sp_digit)(t[ 5] >> 55) + (t[ 6] & 0x7fffffffffffffL);
+    r[ 7] = (sp_digit)(t[ 6] >> 55);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_64
+static WC_INLINE sp_digit sp_384_div_word_7(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t;
+
+    /* All 55 bits from d1 and top 8 bits from d0. */
+    d = (d1 << 8) | (d0 >> 47);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 9 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 39) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 17 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 31) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 25 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 23) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 33 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 15) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 41 bits in r */
+    /* Next 8 bits from d0. */
+    r <<= 8;
+    d <<= 8;
+    d |= (d0 >> 7) & ((1 << 8) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 49 bits in r */
+    /* Remaining 7 bits from d0. */
+    r <<= 7;
+    d <<= 7;
+    d |= d0 & ((1 << 7) - 1);
+    t = d / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_64 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_384_div_7(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_64
+    int128_t d1;
+#endif
+    sp_digit dv, r1;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* td;
+#else
+    sp_digit t1d[14], t2d[7 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 7 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = td;
+        t2 = td + 2 * 7;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[6];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 7U);
+        for (i=6; i>=0; i--) {
+            t1[7 + i] += t1[7 + i - 1] >> 55;
+            t1[7 + i - 1] &= 0x7fffffffffffffL;
+#ifndef WOLFSSL_SP_DIV_64
+            d1 = t1[7 + i];
+            d1 <<= 55;
+            d1 += t1[7 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_384_div_word_7(t1[7 + i], t1[7 + i - 1], dv);
+#endif
+
+            sp_384_mul_d_7(t2, d, r1);
+            (void)sp_384_sub_7(&t1[i], &t1[i], t2);
+            t1[7 + i] -= t2[7];
+            t1[7 + i] += t1[7 + i - 1] >> 55;
+            t1[7 + i - 1] &= 0x7fffffffffffffL;
+            r1 = (((-t1[7 + i]) << 55) - t1[7 + i - 1]) / dv;
+            r1++;
+            sp_384_mul_d_7(t2, d, r1);
+            (void)sp_384_add_7(&t1[i], &t1[i], t2);
+            t1[7 + i] += t1[7 + i - 1] >> 55;
+            t1[7 + i - 1] &= 0x7fffffffffffffL;
+        }
+        t1[7 - 1] += t1[7 - 2] >> 55;
+        t1[7 - 2] &= 0x7fffffffffffffL;
+        r1 = t1[7 - 1] / dv;
+
+        sp_384_mul_d_7(t2, d, r1);
+        (void)sp_384_sub_7(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 7U);
+        for (i=0; i<5; i++) {
+            r[i+1] += r[i] >> 55;
+            r[i] &= 0x7fffffffffffffL;
+        }
+        sp_384_cond_add_7(r, r, d, 0 - ((r[6] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_384_mod_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_7(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint64_t p384_order_minus_2[6] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint64_t p384_order_low[3] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_7(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_7(r, a, b);
+    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_7(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_7(r, a);
+    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_7(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_7(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_7(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_7(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 7);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_7(t, t);
+        if ((p384_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_7(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 7U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 7;
+    sp_digit* t3 = td + 4 * 7;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_7(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_7(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_7(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_7(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_7(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_7(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_7(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_7(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_7(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_7(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_7(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_7(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_7(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_7(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_7(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_7(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_7(t2, t2);
+        if (((sp_digit)p384_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_7(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_7(t2, t2);
+    sp_384_mont_mul_order_7(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*7];
+    sp_digit xd[2*7];
+    sp_digit kd[2*7];
+    sp_digit rd[2*7];
+    sp_digit td[3 * 2*7];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_7(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 7;
+        x = d + 2 * 7;
+        k = d + 4 * 7;
+        r = d + 6 * 7;
+        tmp = d + 8 * 7;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 7, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 7, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_7(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 7, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_7(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 7U);
+            sp_384_norm_7(r);
+            c = sp_384_cmp_7(r, p384_order);
+            sp_384_cond_sub_7(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_7(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_7(k, k, p384_norm_order);
+            err = sp_384_mod_7(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_7(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_7(kInv, k, tmp);
+            sp_384_norm_7(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_7(x, x, r);
+            err = sp_384_mod_7(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_7(x);
+            carry = sp_384_add_7(s, e, x);
+            sp_384_cond_sub_7(s, s, p384_order, 0 - carry);
+            sp_384_norm_7(s);
+            c = sp_384_cmp_7(s, p384_order);
+            sp_384_cond_sub_7(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_7(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_7(s, s, kInv);
+            sp_384_norm_7(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_7(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 7);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 7U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 7U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 7U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 7U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 7U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 7U);
+#endif
+    sp_384_point_free_7(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*7];
+    sp_digit u2d[2*7];
+    sp_digit sd[2*7];
+    sp_digit tmpd[2*7 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+
+    err = sp_384_point_new_7(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 7;
+        u2  = d + 2 * 7;
+        s   = d + 4 * 7;
+        tmp = d + 6 * 7;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 7, hash, (int)hashLen);
+        sp_384_from_mp(u2, 7, r);
+        sp_384_from_mp(s, 7, sm);
+        sp_384_from_mp(p2->x, 7, pX);
+        sp_384_from_mp(p2->y, 7, pY);
+        sp_384_from_mp(p2->z, 7, pZ);
+
+        {
+            sp_384_mul_7(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_7(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_7(s);
+        {
+            sp_384_mont_inv_order_7(s, s, tmp);
+            sp_384_mont_mul_order_7(u1, u1, s);
+            sp_384_mont_mul_order_7(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_7(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_7(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_7(p1, p1, p2, tmp);
+            if (sp_384_iszero_7(p1->z)) {
+                if (sp_384_iszero_7(p1->x) && sp_384_iszero_7(p1->y)) {
+                    sp_384_proj_point_dbl_7(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 7, r);
+        err = sp_384_mod_mul_norm_7(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_7(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_7(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_7(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 7, r);
+            carry = sp_384_add_7(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_7(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_7(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_7(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_7(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_7(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_7(p1, 0, heap);
+    sp_384_point_free_7(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_7(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*7];
+    sp_digit t2d[2*7];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 7;
+        t2 = d + 2 * 7;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_7(t1, point->y);
+        (void)sp_384_mod_7(t1, t1, p384_mod);
+        sp_384_sqr_7(t2, point->x);
+        (void)sp_384_mod_7(t2, t2, p384_mod);
+        sp_384_mul_7(t2, t2, point->x);
+        (void)sp_384_mod_7(t2, t2, p384_mod);
+        (void)sp_384_sub_7(t2, p384_mod, t2);
+        sp_384_mont_add_7(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_7(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_7(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_7(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_7(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_7(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 7, pX);
+        sp_384_from_mp(pub->y, 7, pY);
+        sp_384_from_bin(pub->z, 7, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_7(pub, NULL);
+    }
+
+    sp_384_point_free_7(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[7];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_7(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 7, pX);
+        sp_384_from_mp(pub->y, 7, pY);
+        sp_384_from_bin(pub->z, 7, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 7, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_7(pub->x) != 0) &&
+            (sp_384_iszero_7(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_7(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_7(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_7(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_7(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_7(p->x) == 0) ||
+            (sp_384_iszero_7(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_7(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_7(p->x, pub->x) != 0 ||
+            sp_384_cmp_7(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(p, 0, heap);
+    sp_384_point_free_7(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 7 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_7(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_7(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 7, pX);
+        sp_384_from_mp(p->y, 7, pY);
+        sp_384_from_mp(p->z, 7, pZ);
+        sp_384_from_mp(q->x, 7, qX);
+        sp_384_from_mp(q->y, 7, qY);
+        sp_384_from_mp(q->z, 7, qZ);
+
+            sp_384_proj_point_add_7(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(q, 0, NULL);
+    sp_384_point_free_7(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 7 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_7(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 7, pX);
+        sp_384_from_mp(p->y, 7, pY);
+        sp_384_from_mp(p->z, 7, pZ);
+
+            sp_384_proj_point_dbl_7(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 7 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_7(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 7, pX);
+        sp_384_from_mp(p->y, 7, pY);
+        sp_384_from_mp(p->z, 7, pZ);
+
+        sp_384_map_7(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_7(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_7(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 7];
+    sp_digit t2d[2 * 7];
+    sp_digit t3d[2 * 7];
+    sp_digit t4d[2 * 7];
+    sp_digit t5d[2 * 7];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 7, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 7;
+        t2 = d + 2 * 7;
+        t3 = d + 4 * 7;
+        t4 = d + 6 * 7;
+        t5 = d + 8 * 7;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_7(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_7(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_7(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_7(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_7(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_7(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_7(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_7(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_7(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_7(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_7(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_7(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_7(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_7(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_7(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_7(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_7(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_7(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_7(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_7(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_7(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_7(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_7(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_7(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_7(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_7(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 7];
+    sp_digit yd[2 * 7];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 7, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 7;
+        y = d + 2 * 7;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 7, xm);
+        err = sp_384_mod_mul_norm_7(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_7(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_7(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_7(y, y, x, p384_mod);
+        sp_384_mont_sub_7(y, y, x, p384_mod);
+        sp_384_mont_sub_7(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_7(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_7(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_7(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 7, 0, 7U * sizeof(sp_digit));
+        sp_384_mont_reduce_7(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_7(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* SP_WORD_SIZE == 64 */
+#endif /* !WOLFSSL_SP_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_cortexm.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_cortexm.c
new file mode 100644
index 000000000..b03de8ab4
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_cortexm.c
@@ -0,0 +1,25687 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifdef __IAR_SYSTEMS_ICC__
+#define __asm__        asm
+#define __volatile__   volatile
+#endif /* __IAR_SYSTEMS_ICC__ */
+#ifdef __KEIL__
+#define __asm__        __asm
+#define __volatile__   volatile
+#endif
+
+#ifdef WOLFSSL_SP_ARM_CORTEX_M_ASM
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_2048_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 2048 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<64 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[8];
+
+    __asm__ __volatile__ (
+        /* A[0] * B[0] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[tmp], #0]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[1] */
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* A[1] * B[0] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #4]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * B[2] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * B[1] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[0] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #8]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * B[3] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[1] * B[2] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[2] * B[1] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[0] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[tmp], #12]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[4] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[1] * B[3] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[2] * B[2] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[3] * B[1] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[0] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #16]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * B[5] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * B[4] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[3] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[3] * B[2] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[4] * B[1] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[0] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #20]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * B[6] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[1] * B[5] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[2] * B[4] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[3] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[4] * B[2] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[5] * B[1] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[0] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[tmp], #24]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[7] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[1] * B[6] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[2] * B[5] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[3] * B[4] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[3] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[5] * B[2] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[6] * B[1] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[0] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #28]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[1] * B[7] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[6] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[3] * B[5] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[4] * B[4] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[3] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[6] * B[2] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[7] * B[1] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[2] * B[7] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[6] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[4] * B[5] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[5] * B[4] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[3] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[7] * B[2] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[3] * B[7] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[6] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[5] * B[5] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[6] * B[4] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[3] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[4] * B[7] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[6] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[6] * B[5] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[7] * B[4] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[5] * B[7] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[6] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[7] * B[5] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[6] * B[7] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[6] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[7] * B[7] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        /* Transfer tmp to r */
+        "ldr	r3, [%[tmp], #0]\n\t"
+        "ldr	r4, [%[tmp], #4]\n\t"
+        "ldr	r5, [%[tmp], #8]\n\t"
+        "ldr	r6, [%[tmp], #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[tmp], #16]\n\t"
+        "ldr	r4, [%[tmp], #20]\n\t"
+        "ldr	r5, [%[tmp], #24]\n\t"
+        "ldr	r6, [%[tmp], #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[8];
+    __asm__ __volatile__ (
+        /* A[0] * A[0] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "umull	r3, r4, r6, r6\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[tmp], #0]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[1] */
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #4]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * A[2] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * A[1] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #8]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * A[3] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[2] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[tmp], #12]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[4] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[3] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[2] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[tmp], #16]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * A[5] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[4] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[3] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r5, r5, r9\n\t"
+        "adcs	r3, r3, r10\n\t"
+        "adc	r4, r4, r11\n\t"
+        "str	r5, [%[tmp], #20]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * A[6] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[5] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[4] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[3] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[tmp], #24]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[7] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[6] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[5] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[4] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[tmp], #28]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[1] * A[7] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[2] * A[6] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[5] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[4] * A[4] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r5, r5, r9\n\t"
+        "adcs	r3, r3, r10\n\t"
+        "adc	r4, r4, r11\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[2] * A[7] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[3] * A[6] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[4] * A[5] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[3] * A[7] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[4] * A[6] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[5] * A[5] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[4] * A[7] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * A[6] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[5] * A[7] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * A[6] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[6] * A[7] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[7] * A[7] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        /* Transfer tmp to r */
+        "ldr	r3, [%[tmp], #0]\n\t"
+        "ldr	r4, [%[tmp], #4]\n\t"
+        "ldr	r5, [%[tmp], #8]\n\t"
+        "ldr	r6, [%[tmp], #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[tmp], #16]\n\t"
+        "ldr	r4, [%[tmp], #20]\n\t"
+        "ldr	r5, [%[tmp], #24]\n\t"
+        "ldr	r6, [%[tmp], #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [tmp] "r" (tmp)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_16(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_16(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit b1[8];
+    sp_digit z2[16];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_8(a1, a, &a[8]);
+    cb = sp_2048_add_8(b1, b, &b[8]);
+    u  = ca & cb;
+    sp_2048_mul_8(z1, a1, b1);
+    sp_2048_mul_8(z2, &a[8], &b[8]);
+    sp_2048_mul_8(z0, a, b);
+    sp_2048_mask_8(r + 16, a1, 0 - cb);
+    sp_2048_mask_8(b1, b1, 0 - ca);
+    u += sp_2048_add_8(r + 16, r + 16, b1);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_16(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[16];
+    sp_digit z1[16];
+    sp_digit a1[8];
+    sp_digit u;
+
+    u = sp_2048_add_8(a1, a, &a[8]);
+    sp_2048_sqr_8(z1, a1);
+    sp_2048_sqr_8(z2, &a[8]);
+    sp_2048_sqr_8(z0, a);
+    sp_2048_mask_8(r + 16, a1, 0 - u);
+    u += sp_2048_add_8(r + 16, r + 16, r + 16);
+    u += sp_2048_sub_in_place_16(z1, z2);
+    u += sp_2048_sub_in_place_16(z1, z0);
+    u += sp_2048_add_16(r + 8, r + 8, z1);
+    r[24] = u;
+    XMEMSET(r + 24 + 1, 0, sizeof(sp_digit) * (8 - 1));
+    (void)sp_2048_add_16(r + 16, r + 16, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_32(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit b1[16];
+    sp_digit z2[32];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_16(a1, a, &a[16]);
+    cb = sp_2048_add_16(b1, b, &b[16]);
+    u  = ca & cb;
+    sp_2048_mul_16(z1, a1, b1);
+    sp_2048_mul_16(z2, &a[16], &b[16]);
+    sp_2048_mul_16(z0, a, b);
+    sp_2048_mask_16(r + 32, a1, 0 - cb);
+    sp_2048_mask_16(b1, b1, 0 - ca);
+    u += sp_2048_add_16(r + 32, r + 32, b1);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[32];
+    sp_digit z1[32];
+    sp_digit a1[16];
+    sp_digit u;
+
+    u = sp_2048_add_16(a1, a, &a[16]);
+    sp_2048_sqr_16(z1, a1);
+    sp_2048_sqr_16(z2, &a[16]);
+    sp_2048_sqr_16(z0, a);
+    sp_2048_mask_16(r + 32, a1, 0 - u);
+    u += sp_2048_add_16(r + 32, r + 32, r + 32);
+    u += sp_2048_sub_in_place_32(z1, z2);
+    u += sp_2048_sub_in_place_32(z1, z0);
+    u += sp_2048_add_32(r + 16, r + 16, z1);
+    r[48] = u;
+    XMEMSET(r + 48 + 1, 0, sizeof(sp_digit) * (16 - 1));
+    (void)sp_2048_add_32(r + 32, r + 32, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_64(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit b1[32];
+    sp_digit z2[64];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_32(a1, a, &a[32]);
+    cb = sp_2048_add_32(b1, b, &b[32]);
+    u  = ca & cb;
+    sp_2048_mul_32(z1, a1, b1);
+    sp_2048_mul_32(z2, &a[32], &b[32]);
+    sp_2048_mul_32(z0, a, b);
+    sp_2048_mask_32(r + 64, a1, 0 - cb);
+    sp_2048_mask_32(b1, b1, 0 - ca);
+    u += sp_2048_add_32(r + 64, r + 64, b1);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[64];
+    sp_digit z1[64];
+    sp_digit a1[32];
+    sp_digit u;
+
+    u = sp_2048_add_32(a1, a, &a[32]);
+    sp_2048_sqr_32(z1, a1);
+    sp_2048_sqr_32(z2, &a[32]);
+    sp_2048_sqr_32(z0, a);
+    sp_2048_mask_32(r + 64, a1, 0 - u);
+    u += sp_2048_add_32(r + 64, r + 64, r + 64);
+    u += sp_2048_sub_in_place_64(z1, z2);
+    u += sp_2048_sub_in_place_64(z1, z0);
+    u += sp_2048_add_64(r + 32, r + 32, z1);
+    r[96] = u;
+    XMEMSET(r + 96 + 1, 0, sizeof(sp_digit) * (32 - 1));
+    (void)sp_2048_add_64(r + 64, r + 64, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #256\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_64(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #256\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[64 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #128\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_2048_sub_in_place_32(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #128\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_mul_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[32 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #128\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #124\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_2048_sqr_32(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #124\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #128\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_2048_mul_d_64(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #256\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_32(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 32);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_32(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_sub_32(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #128\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_32(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #128\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #120\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+30] += m[30] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+31] += m[31] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[31] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[31] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #120\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_2048_cond_sub_32(a - 32, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_32(r, a, b);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_32(r, a);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_2048_mul_d_32(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #128\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_2048_word_32(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_2048_cmp_32(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #124\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+        sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_32(t1, d) >= 0;
+    sp_2048_cond_sub_32(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][64];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 64;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_32(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_mont_mul_32(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32U);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_64(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 64);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_64(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_sub_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_2048_mont_reduce_64(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #256\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #248\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+62] += m[62] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+63] += m[63] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[63] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[63] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #248\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_2048_cond_sub_64(a - 64, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_64(r, a, b);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_64(r, a);
+    sp_2048_mont_reduce_64(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_2048_word_64(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_2048_cmp_64(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #252\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+        sp_2048_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_64_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i=63; i>=0; i--) {
+        r1 = div_2048_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+        sp_2048_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_2048_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        if (t1[64 + i] != 0) {
+            t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+            if (t1[64 + i] != 0)
+                t1[64 + i] += sp_2048_add_64(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_2048_cmp_64(t1, d) >= 0;
+    sp_2048_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_64_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_64_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][128];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 128;
+        }
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64U);
+        if (reduceA != 0) {
+            err = sp_2048_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY) {
+                err = sp_2048_mod_64(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_64(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_64(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_64(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_64(t[20], t[10], m, mp);
+        sp_2048_mont_mul_64(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_64(t[22], t[11], m, mp);
+        sp_2048_mont_mul_64(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_64(t[24], t[12], m, mp);
+        sp_2048_mont_mul_64(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_64(t[26], t[13], m, mp);
+        sp_2048_mont_mul_64(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_64(t[28], t[14], m, mp);
+        sp_2048_mont_mul_64(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_64(t[30], t[15], m, mp);
+        sp_2048_mont_mul_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_mont_mul_64(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128], m[64], r[128];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 256 ||
+                                                     mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 64 * 2;
+        m = r + 64 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 64;
+
+        sp_2048_from_bin(ah, 64, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 64, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_2048_sqr_64(r, ah);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_2048_mul_64(r, ah, r);
+                err = sp_2048_mod_64_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 64);
+            err = sp_2048_mod_64_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 64);
+                for (i--; i>=0; i--) {
+                    sp_2048_mont_sqr_64(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_2048_mont_mul_64(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                sp_2048_mont_reduce_64(r, m, mp);
+
+                for (i = 63; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_2048_sub_in_place_64(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+           err = MP_READ_E;
+        }
+        if (inLen > 256) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 64;
+        m = a + 128;
+        r = a;
+
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(d, 64, dm);
+        sp_2048_from_mp(m, 64, mm);
+        err = sp_2048_mod_exp_64(r, a, d, 2048, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 64);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_2048_cond_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #128\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "adds	r5, %[c], #-1\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[64 * 2];
+    sp_digit p[32], q[32], dp[32];
+    sp_digit tmpa[64], tmpb[64];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 256 || mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 64 * 2;
+        q = p + 32;
+        qi = dq = dp = q + 32;
+        tmpa = qi + 32;
+        tmpb = tmpa + 64;
+
+        r = t + 64;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_2048_from_bin(a, 64, in, inLen);
+        sp_2048_from_mp(p, 32, pm);
+        sp_2048_from_mp(q, 32, qm);
+        sp_2048_from_mp(dp, 32, dpm);
+
+        err = sp_2048_mod_exp_32(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 32, dqm);
+        err = sp_2048_mod_exp_32(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_32(tmpa, tmpb);
+        c += sp_2048_cond_add_32(tmpa, tmpa, p, c);
+        sp_2048_cond_add_32(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 32, qim);
+        sp_2048_mul_32(tmpa, tmpa, qi);
+        err = sp_2048_mod_32(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_32(tmpa, q, tmpa);
+        XMEMSET(&tmpb[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_add_64(r, tmpb, tmpa);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 32 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 64);
+        r->used = 64;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_mp(e, 64, exp);
+        sp_2048_from_mp(m, 64, mod);
+
+        err = sp_2048_mod_exp_64(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_2048
+static void sp_2048_lshift_64(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov r6, #31\n\t"
+        "sub r6, r6, %[n]\n\t"
+        "add       %[a], %[a], #192\n\t"
+        "add       %[r], %[r], #192\n\t"
+        "ldr r3, [%[a], #60]\n\t"
+        "lsr r4, r3, #1\n\t"
+        "lsl r3, r3, %[n]\n\t"
+        "lsr r4, r4, r6\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r4, [%[a], #60]\n\t"
+        "str       r3, [%[r], #68]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #56]\n\t"
+        "str       r2, [%[r], #64]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #52]\n\t"
+        "str       r4, [%[r], #60]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #48]\n\t"
+        "str       r3, [%[r], #56]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #44]\n\t"
+        "str       r2, [%[r], #52]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #40]\n\t"
+        "str       r4, [%[r], #48]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #36]\n\t"
+        "str       r3, [%[r], #44]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #32]\n\t"
+        "str       r2, [%[r], #40]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #28]\n\t"
+        "str       r4, [%[r], #36]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #24]\n\t"
+        "str       r3, [%[r], #32]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #20]\n\t"
+        "str       r2, [%[r], #28]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #16]\n\t"
+        "str       r4, [%[r], #24]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #12]\n\t"
+        "str       r3, [%[r], #20]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #8]\n\t"
+        "str       r2, [%[r], #16]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #4]\n\t"
+        "str       r4, [%[r], #12]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #0]\n\t"
+        "str       r3, [%[r], #8]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r3, [%[a], #60]\n\t"
+        "str       r2, [%[r], #68]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "str r3, [%[r]]\n\t"
+        "str r4, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_2048_lshift_64(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+            sp_2048_mont_sqr_64(r, r, m, mp);
+
+            sp_2048_lshift_64(r, r, y);
+            sp_2048_mul_d_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_2048_add_64(r, r, tmp);
+            sp_2048_cond_sub_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64U);
+        sp_2048_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_64(r, m) >= 0);
+        sp_2048_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 256) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 64, base);
+        sp_2048_from_bin(e, 64, exp, expLen);
+        sp_2048_from_mp(m, 64, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 && m[63] == (sp_digit)-1)
+            err = sp_2048_mod_exp_2_64(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_2048_mod_exp_64(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1024) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_mp(e, 32, exp);
+        sp_2048_from_mp(m, 32, mod);
+
+        err = sp_2048_mod_exp_32(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 32, 0, sizeof(*r) * 32U);
+        err = sp_2048_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_3072_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 3072 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<96 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[12 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #96\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #92\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #96\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_24(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_24(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit b1[12];
+    sp_digit z2[24];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_12(a1, a, &a[12]);
+    cb = sp_3072_add_12(b1, b, &b[12]);
+    u  = ca & cb;
+    sp_3072_mul_12(z1, a1, b1);
+    sp_3072_mul_12(z2, &a[12], &b[12]);
+    sp_3072_mul_12(z0, a, b);
+    sp_3072_mask_12(r + 24, a1, 0 - cb);
+    sp_3072_mask_12(b1, b1, 0 - ca);
+    u += sp_3072_add_12(r + 24, r + 24, b1);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_24(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[24];
+    sp_digit z1[24];
+    sp_digit a1[12];
+    sp_digit u;
+
+    u = sp_3072_add_12(a1, a, &a[12]);
+    sp_3072_sqr_12(z1, a1);
+    sp_3072_sqr_12(z2, &a[12]);
+    sp_3072_sqr_12(z0, a);
+    sp_3072_mask_12(r + 24, a1, 0 - u);
+    u += sp_3072_add_12(r + 24, r + 24, r + 24);
+    u += sp_3072_sub_in_place_24(z1, z2);
+    u += sp_3072_sub_in_place_24(z1, z0);
+    u += sp_3072_add_24(r + 12, r + 12, z1);
+    r[36] = u;
+    XMEMSET(r + 36 + 1, 0, sizeof(sp_digit) * (12 - 1));
+    (void)sp_3072_add_24(r + 24, r + 24, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_48(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit b1[24];
+    sp_digit z2[48];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_24(a1, a, &a[24]);
+    cb = sp_3072_add_24(b1, b, &b[24]);
+    u  = ca & cb;
+    sp_3072_mul_24(z1, a1, b1);
+    sp_3072_mul_24(z2, &a[24], &b[24]);
+    sp_3072_mul_24(z0, a, b);
+    sp_3072_mask_24(r + 48, a1, 0 - cb);
+    sp_3072_mask_24(b1, b1, 0 - ca);
+    u += sp_3072_add_24(r + 48, r + 48, b1);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[48];
+    sp_digit z1[48];
+    sp_digit a1[24];
+    sp_digit u;
+
+    u = sp_3072_add_24(a1, a, &a[24]);
+    sp_3072_sqr_24(z1, a1);
+    sp_3072_sqr_24(z2, &a[24]);
+    sp_3072_sqr_24(z0, a);
+    sp_3072_mask_24(r + 48, a1, 0 - u);
+    u += sp_3072_add_24(r + 48, r + 48, r + 48);
+    u += sp_3072_sub_in_place_48(z1, z2);
+    u += sp_3072_sub_in_place_48(z1, z0);
+    u += sp_3072_add_48(r + 24, r + 24, z1);
+    r[72] = u;
+    XMEMSET(r + 72 + 1, 0, sizeof(sp_digit) * (24 - 1));
+    (void)sp_3072_add_48(r + 48, r + 48, z2);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_96(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit b1[48];
+    sp_digit z2[96];
+    sp_digit u, ca, cb;
+
+    ca = sp_3072_add_48(a1, a, &a[48]);
+    cb = sp_3072_add_48(b1, b, &b[48]);
+    u  = ca & cb;
+    sp_3072_mul_48(z1, a1, b1);
+    sp_3072_mul_48(z2, &a[48], &b[48]);
+    sp_3072_mul_48(z0, a, b);
+    sp_3072_mask_48(r + 96, a1, 0 - cb);
+    sp_3072_mask_48(b1, b1, 0 - ca);
+    u += sp_3072_add_48(r + 96, r + 96, b1);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[96];
+    sp_digit z1[96];
+    sp_digit a1[48];
+    sp_digit u;
+
+    u = sp_3072_add_48(a1, a, &a[48]);
+    sp_3072_sqr_48(z1, a1);
+    sp_3072_sqr_48(z2, &a[48]);
+    sp_3072_sqr_48(z0, a);
+    sp_3072_mask_48(r + 96, a1, 0 - u);
+    u += sp_3072_add_48(r + 96, r + 96, r + 96);
+    u += sp_3072_sub_in_place_96(z1, z2);
+    u += sp_3072_sub_in_place_96(z1, z0);
+    u += sp_3072_add_96(r + 48, r + 48, z1);
+    r[144] = u;
+    XMEMSET(r + 144 + 1, 0, sizeof(sp_digit) * (48 - 1));
+    (void)sp_3072_add_96(r + 96, r + 96, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #384\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_96(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #384\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[96 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #128\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #124\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_96(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #124\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #128\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #2\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#ifdef WOLFSSL_SP_SMALL
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #192\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_3072_sub_in_place_48(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #192\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_mul_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[48 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #192\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #188\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #120\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_3072_sqr_48(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #128\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #188\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #192\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #120\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, r3, #124\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #128\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_3072_mul_d_96(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #384\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_48(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 48);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_48(r, m);
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_sub_48(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #192\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_48(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #192\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #184\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+46] += m[46] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+47] += m[47] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[47] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[47] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #184\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_3072_cond_sub_48(a - 48, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_48(r, a, b);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_48(r, a);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_3072_mul_d_48(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #192\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_3072_word_48(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_3072_cmp_48(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #188\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+        sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_48(t1, d) >= 0;
+    sp_3072_cond_sub_48(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48(a, m, NULL, r);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][96];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 96;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_48(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_mont_mul_48(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48U);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_96(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 96);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_96(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_sub_96(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "add	r5, r5, #128\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_3072_mont_reduce_96(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #384\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #376\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+94] += m[94] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+95] += m[95] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[95] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[95] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #376\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_3072_cond_sub_96(a - 96, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_96(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_96(r, a, b);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_96(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_96(r, a);
+    sp_3072_mont_reduce_96(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_3072_word_96(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_96(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<96; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 96; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_3072_cmp_96(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #124\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+        sp_3072_mask_96(t2, d, t1[96 + i]);
+        t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_96_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[192], t2[97];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[95];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 96);
+    for (i=95; i>=0; i--) {
+        r1 = div_3072_word_96(t1[96 + i], t1[96 + i - 1], div);
+
+        sp_3072_mul_d_96(t2, d, r1);
+        t1[96 + i] += sp_3072_sub_in_place_96(&t1[i], t2);
+        t1[96 + i] -= t2[96];
+        if (t1[96 + i] != 0) {
+            t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+            if (t1[96 + i] != 0)
+                t1[96 + i] += sp_3072_add_96(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_3072_cmp_96(t1, d) >= 0;
+    sp_3072_cond_sub_96(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_96_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_96_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][192];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_96(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][192];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 192, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 192;
+        }
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 96U);
+        if (reduceA != 0) {
+            err = sp_3072_mod_96(t[1] + 96, a, m);
+            if (err == MP_OKAY) {
+                err = sp_3072_mod_96(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 96, a, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_96(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_96(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_96(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_96(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_96(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_96(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_96(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_96(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_96(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_96(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_96(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_96(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_96(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_96(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_96(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_96(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_96(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_96(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_96(t[20], t[10], m, mp);
+        sp_3072_mont_mul_96(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_96(t[22], t[11], m, mp);
+        sp_3072_mont_mul_96(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_96(t[24], t[12], m, mp);
+        sp_3072_mont_mul_96(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_96(t[26], t[13], m, mp);
+        sp_3072_mont_mul_96(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_96(t[28], t[14], m, mp);
+        sp_3072_mont_mul_96(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_96(t[30], t[15], m, mp);
+        sp_3072_mont_mul_96(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 96);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_mont_mul_96(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[192], m[96], r[192];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 384 ||
+                                                     mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 96 * 2;
+        m = r + 96 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 96;
+
+        sp_3072_from_bin(ah, 96, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 96, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_3072_sqr_96(r, ah);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_3072_mul_96(r, ah, r);
+                err = sp_3072_mod_96_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 96);
+            err = sp_3072_mod_96_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 96);
+                for (i--; i>=0; i--) {
+                    sp_3072_mont_sqr_96(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_3072_mont_mul_96(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[96], 0, sizeof(sp_digit) * 96);
+                sp_3072_mont_reduce_96(r, m, mp);
+
+                for (i = 95; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_3072_sub_in_place_96(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+           err = MP_READ_E;
+        }
+        if (inLen > 384) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 96 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 96;
+        m = a + 192;
+        r = a;
+
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(d, 96, dm);
+        sp_3072_from_mp(m, 96, mm);
+        err = sp_3072_mod_exp_96(r, a, d, 3072, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 96);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_3072_cond_add_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #192\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "adds	r5, %[c], #-1\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[96 * 2];
+    sp_digit p[48], q[48], dp[48];
+    sp_digit tmpa[96], tmpb[96];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 384 || mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 96 * 2;
+        q = p + 48;
+        qi = dq = dp = q + 48;
+        tmpa = qi + 48;
+        tmpb = tmpa + 96;
+
+        r = t + 96;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_3072_from_bin(a, 96, in, inLen);
+        sp_3072_from_mp(p, 48, pm);
+        sp_3072_from_mp(q, 48, qm);
+        sp_3072_from_mp(dp, 48, dpm);
+
+        err = sp_3072_mod_exp_48(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 48, dqm);
+        err = sp_3072_mod_exp_48(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_3072_sub_in_place_48(tmpa, tmpb);
+        c += sp_3072_cond_add_48(tmpa, tmpa, p, c);
+        sp_3072_cond_add_48(tmpa, tmpa, p, c);
+
+        sp_3072_from_mp(qi, 48, qim);
+        sp_3072_mul_48(tmpa, tmpa, qi);
+        err = sp_3072_mod_48(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mul_48(tmpa, q, tmpa);
+        XMEMSET(&tmpb[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_add_96(r, tmpb, tmpa);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 48 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 96);
+        r->used = 96;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 96; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_mp(e, 96, exp);
+        sp_3072_from_mp(m, 96, mod);
+
+        err = sp_3072_mod_exp_96(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_3072
+static void sp_3072_lshift_96(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov r6, #31\n\t"
+        "sub r6, r6, %[n]\n\t"
+        "add       %[a], %[a], #320\n\t"
+        "add       %[r], %[r], #320\n\t"
+        "ldr r3, [%[a], #60]\n\t"
+        "lsr r4, r3, #1\n\t"
+        "lsl r3, r3, %[n]\n\t"
+        "lsr r4, r4, r6\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r4, [%[a], #60]\n\t"
+        "str       r3, [%[r], #68]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #56]\n\t"
+        "str       r2, [%[r], #64]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #52]\n\t"
+        "str       r4, [%[r], #60]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #48]\n\t"
+        "str       r3, [%[r], #56]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #44]\n\t"
+        "str       r2, [%[r], #52]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #40]\n\t"
+        "str       r4, [%[r], #48]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #36]\n\t"
+        "str       r3, [%[r], #44]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #32]\n\t"
+        "str       r2, [%[r], #40]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #28]\n\t"
+        "str       r4, [%[r], #36]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #24]\n\t"
+        "str       r3, [%[r], #32]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #20]\n\t"
+        "str       r2, [%[r], #28]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #16]\n\t"
+        "str       r4, [%[r], #24]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #12]\n\t"
+        "str       r3, [%[r], #20]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #8]\n\t"
+        "str       r2, [%[r], #16]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #4]\n\t"
+        "str       r4, [%[r], #12]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #0]\n\t"
+        "str       r3, [%[r], #8]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r3, [%[a], #60]\n\t"
+        "str       r2, [%[r], #68]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r4, [%[a], #60]\n\t"
+        "str       r3, [%[r], #68]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #56]\n\t"
+        "str       r2, [%[r], #64]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #52]\n\t"
+        "str       r4, [%[r], #60]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #48]\n\t"
+        "str       r3, [%[r], #56]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #44]\n\t"
+        "str       r2, [%[r], #52]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #40]\n\t"
+        "str       r4, [%[r], #48]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #36]\n\t"
+        "str       r3, [%[r], #44]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #32]\n\t"
+        "str       r2, [%[r], #40]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #28]\n\t"
+        "str       r4, [%[r], #36]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #24]\n\t"
+        "str       r3, [%[r], #32]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #20]\n\t"
+        "str       r2, [%[r], #28]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #16]\n\t"
+        "str       r4, [%[r], #24]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #12]\n\t"
+        "str       r3, [%[r], #20]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #8]\n\t"
+        "str       r2, [%[r], #16]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #4]\n\t"
+        "str       r4, [%[r], #12]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #0]\n\t"
+        "str       r3, [%[r], #8]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "str r4, [%[r]]\n\t"
+        "str r2, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_96(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[192];
+    sp_digit td[97];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 289, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 192;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_96(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_3072_lshift_96(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+            sp_3072_mont_sqr_96(r, r, m, mp);
+
+            sp_3072_lshift_96(r, r, y);
+            sp_3072_mul_d_96(tmp, norm, r[96]);
+            r[96] = 0;
+            o = sp_3072_add_96(r, r, tmp);
+            sp_3072_cond_sub_96(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[96], 0, sizeof(sp_digit) * 96U);
+        sp_3072_mont_reduce_96(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_96(r, m) >= 0);
+        sp_3072_cond_sub_96(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[192], e[96], m[96];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 384) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 96, base);
+        sp_3072_from_bin(e, 96, exp, expLen);
+        sp_3072_from_mp(m, 96, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 && m[95] == (sp_digit)-1)
+            err = sp_3072_mod_exp_2_96(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_3072_mod_exp_96(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 1536) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_mp(e, 48, exp);
+        sp_3072_from_mp(m, 48, mod);
+
+        err = sp_3072_mod_exp_48(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 48, 0, sizeof(*r) * 48U);
+        err = sp_3072_to_mp(r, res);
+        res->used = mod->used;
+        mp_clamp(res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_4096_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 4096 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<128 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_sub_in_place_128(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_64(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[64 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit* z0 = r;
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit b1[64];
+    sp_digit z2[128];
+    sp_digit u, ca, cb;
+
+    ca = sp_2048_add_64(a1, a, &a[64]);
+    cb = sp_2048_add_64(b1, b, &b[64]);
+    u  = ca & cb;
+    sp_2048_mul_64(z1, a1, b1);
+    sp_2048_mul_64(z2, &a[64], &b[64]);
+    sp_2048_mul_64(z0, a, b);
+    sp_2048_mask_64(r + 128, a1, 0 - cb);
+    sp_2048_mask_64(b1, b1, 0 - ca);
+    u += sp_2048_add_64(r + 128, r + 128, b1);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_64(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #1\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    sp_digit* z0 = r;
+    sp_digit z2[128];
+    sp_digit z1[128];
+    sp_digit a1[64];
+    sp_digit u;
+
+    u = sp_2048_add_64(a1, a, &a[64]);
+    sp_2048_sqr_64(z1, a1);
+    sp_2048_sqr_64(z2, &a[64]);
+    sp_2048_sqr_64(z0, a);
+    sp_2048_mask_64(r + 128, a1, 0 - u);
+    u += sp_2048_add_64(r + 128, r + 128, r + 128);
+    u += sp_4096_sub_in_place_128(z1, z2);
+    u += sp_4096_sub_in_place_128(z1, z0);
+    u += sp_4096_add_128(r + 64, r + 64, z1);
+    r[192] = u;
+    XMEMSET(r + 192 + 1, 0, sizeof(sp_digit) * (64 - 1));
+    (void)sp_4096_add_128(r + 128, r + 128, z2);
+}
+
+#endif /* !WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_add_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #512\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_4096_sub_in_place_128(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #512\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_mul_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[128 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_4096_sqr_128(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #4\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #252\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #2\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #3\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #248\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #3\n\t"
+        "lsl	r3, r3, #8\n\t"
+        "add	r3, r3, #252\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #4\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_4096_mul_d_128(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #512\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_128(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 128);
+
+    /* r = 2^n mod m */
+    sp_4096_sub_in_place_128(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_4096_cond_sub_128(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #2\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_4096_mont_reduce_128(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #512\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #504\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+126] += m[126] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+127] += m[127] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[127] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[127] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #504\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_4096_cond_sub_128(a - 128, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_128(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_128(r, a, b);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_128(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_128(r, a);
+    sp_4096_mont_reduce_128(r, m, mp);
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_4096_word_128(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_128(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<128; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 128; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_4096_cmp_128(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #1\n\t"
+        "lsl	r6, r6, #8\n\t"
+        "add	r6, r6, #252\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+        sp_4096_mask_128(t2, d, t1[128 + i]);
+        t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128(a, m, NULL, r);
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_128_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[256], t2[129];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[127];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 128);
+    for (i=127; i>=0; i--) {
+        r1 = div_4096_word_128(t1[128 + i], t1[128 + i - 1], div);
+
+        sp_4096_mul_d_128(t2, d, r1);
+        t1[128 + i] += sp_4096_sub_in_place_128(&t1[i], t2);
+        t1[128 + i] -= t2[128];
+        if (t1[128 + i] != 0) {
+            t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+            if (t1[128 + i] != 0)
+                t1[128 + i] += sp_4096_add_128(&t1[i], &t1[i], d);
+        }
+    }
+
+    r1 = sp_4096_cmp_128(t1, d) >= 0;
+    sp_4096_cond_sub_128(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_128_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_128_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifdef WOLFSSL_SP_SMALL
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[16][256];
+#else
+    sp_digit* t[16];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<16; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 4;
+        if (c == 32) {
+            c = 28;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=4; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 28;
+                n <<= 4;
+                c = 28;
+            }
+            else if (c < 4) {
+                y = n >> 28;
+                n = e[i--];
+                c = 4 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 28) & 0xf;
+                n <<= 4;
+                c -= 4;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#else
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_128(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][256];
+#else
+    sp_digit* t[32];
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 256, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++) {
+            t[i] = td + i * 256;
+        }
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 128U);
+        if (reduceA != 0) {
+            err = sp_4096_mod_128(t[1] + 128, a, m);
+            if (err == MP_OKAY) {
+                err = sp_4096_mod_128(t[1], t[1], m);
+            }
+        }
+        else {
+            XMEMCPY(t[1] + 128, a, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_128(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_128(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_128(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_128(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_128(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_128(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_128(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_128(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_128(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_128(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_128(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_128(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_128(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_128(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_128(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_128(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_128(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_128(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_128(t[20], t[10], m, mp);
+        sp_4096_mont_mul_128(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_128(t[22], t[11], m, mp);
+        sp_4096_mont_mul_128(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_128(t[24], t[12], m, mp);
+        sp_4096_mont_mul_128(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_128(t[26], t[13], m, mp);
+        sp_4096_mont_mul_128(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_128(t[28], t[14], m, mp);
+        sp_4096_mont_mul_128(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_128(t[30], t[15], m, mp);
+        sp_4096_mont_mul_128(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 128);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_mont_mul_128(r, r, t[y], m, mp);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_SP_SMALL */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[256], m[128], r[256];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+    sp_digit* r;
+#endif
+    sp_digit *ah;
+    sp_digit e[1];
+    int err = MP_OKAY;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 32 || inLen > 512 ||
+                                                     mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 128 * 2;
+        m = r + 128 * 2;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        ah = a + 128;
+
+        sp_4096_from_bin(ah, 128, in, inLen);
+#if DIGIT_BIT >= 32
+        e[0] = em->dp[0];
+#else
+        e[0] = em->dp[0];
+        if (em->used > 1) {
+            e[0] |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+        }
+#endif
+        if (e[0] == 0) {
+            err = MP_EXPTMOD_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 128, mm);
+
+        if (e[0] == 0x3) {
+            if (err == MP_OKAY) {
+                sp_4096_sqr_128(r, ah);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+            if (err == MP_OKAY) {
+                sp_4096_mul_128(r, ah, r);
+                err = sp_4096_mod_128_cond(r, r, m);
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 128);
+            err = sp_4096_mod_128_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i = 31; i >= 0; i--) {
+                    if (e[0] >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 128);
+                for (i--; i>=0; i--) {
+                    sp_4096_mont_sqr_128(r, r, m, mp);
+                    if (((e[0] >> i) & 1) == 1) {
+                        sp_4096_mont_mul_128(r, r, a, m, mp);
+                    }
+                }
+                XMEMSET(&r[128], 0, sizeof(sp_digit) * 128);
+                sp_4096_mont_reduce_128(r, m, mp);
+
+                for (i = 127; i > 0; i--) {
+                    if (r[i] != m[i]) {
+                        break;
+                    }
+                }
+                if (r[i] >= m[i]) {
+                    sp_4096_sub_in_place_128(r, m);
+                }
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+    sp_digit* a;
+    sp_digit* d = NULL;
+    sp_digit* m;
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+           err = MP_READ_E;
+        }
+        if (inLen > 512) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 128 * 4, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+    if (err == MP_OKAY) {
+        a = d + 128;
+        m = a + 256;
+        r = a;
+
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(d, 128, dm);
+        sp_4096_from_mp(m, 128, mm);
+        err = sp_4096_mod_exp_128(r, a, d, 4096, m, 0);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 128);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+
+    return err;
+#else
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_4096_cond_add_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #1\n\t"
+        "lsl	r5, r5, #8\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "adds	r5, %[c], #-1\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit a[128 * 2];
+    sp_digit p[64], q[64], dp[64];
+    sp_digit tmpa[128], tmpb[128];
+#else
+    sp_digit* t = NULL;
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+#endif
+    sp_digit* r;
+    sp_digit* qi;
+    sp_digit* dq;
+    sp_digit c;
+    int err = MP_OKAY;
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 512 || mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 128 * 2;
+        q = p + 64;
+        qi = dq = dp = q + 64;
+        tmpa = qi + 64;
+        tmpb = tmpa + 128;
+
+        r = t + 128;
+    }
+#else
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        r = a;
+        qi = dq = dp;
+#endif
+        sp_4096_from_bin(a, 128, in, inLen);
+        sp_4096_from_mp(p, 64, pm);
+        sp_4096_from_mp(q, 64, qm);
+        sp_4096_from_mp(dp, 64, dpm);
+
+        err = sp_2048_mod_exp_64(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 64, dqm);
+        err = sp_2048_mod_exp_64(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_64(tmpa, tmpb);
+        c += sp_4096_cond_add_64(tmpa, tmpa, p, c);
+        sp_4096_cond_add_64(tmpa, tmpa, p, c);
+
+        sp_2048_from_mp(qi, 64, qim);
+        sp_2048_mul_64(tmpa, tmpa, qi);
+        err = sp_2048_mod_64(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mul_64(tmpa, q, tmpa);
+        XMEMSET(&tmpb[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_add_128(r, tmpb, tmpa);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 64 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpa, 0, sizeof(tmpa));
+    XMEMSET(tmpb, 0, sizeof(tmpb));
+    XMEMSET(p,    0, sizeof(p));
+    XMEMSET(q,    0, sizeof(q));
+    XMEMSET(dp,   0, sizeof(dp));
+#endif
+
+    return err;
+}
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 128);
+        r->used = 128;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 128; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expBits > 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_mp(e, 128, exp);
+        sp_4096_from_mp(m, 128, mod);
+
+        err = sp_4096_mod_exp_128(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+
+#ifdef HAVE_FFDHE_4096
+static void sp_4096_lshift_128(sp_digit* r, sp_digit* a, byte n)
+{
+    __asm__ __volatile__ (
+        "mov r6, #31\n\t"
+        "sub r6, r6, %[n]\n\t"
+        "add       %[a], %[a], #448\n\t"
+        "add       %[r], %[r], #448\n\t"
+        "ldr r3, [%[a], #60]\n\t"
+        "lsr r4, r3, #1\n\t"
+        "lsl r3, r3, %[n]\n\t"
+        "lsr r4, r4, r6\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r4, [%[a], #60]\n\t"
+        "str       r3, [%[r], #68]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #56]\n\t"
+        "str       r2, [%[r], #64]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #52]\n\t"
+        "str       r4, [%[r], #60]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #48]\n\t"
+        "str       r3, [%[r], #56]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #44]\n\t"
+        "str       r2, [%[r], #52]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #40]\n\t"
+        "str       r4, [%[r], #48]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #36]\n\t"
+        "str       r3, [%[r], #44]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #32]\n\t"
+        "str       r2, [%[r], #40]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #28]\n\t"
+        "str       r4, [%[r], #36]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #24]\n\t"
+        "str       r3, [%[r], #32]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #20]\n\t"
+        "str       r2, [%[r], #28]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #16]\n\t"
+        "str       r4, [%[r], #24]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #12]\n\t"
+        "str       r3, [%[r], #20]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #8]\n\t"
+        "str       r2, [%[r], #16]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #4]\n\t"
+        "str       r4, [%[r], #12]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #0]\n\t"
+        "str       r3, [%[r], #8]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r3, [%[a], #60]\n\t"
+        "str       r2, [%[r], #68]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r4, [%[a], #60]\n\t"
+        "str       r3, [%[r], #68]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #56]\n\t"
+        "str       r2, [%[r], #64]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #52]\n\t"
+        "str       r4, [%[r], #60]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #48]\n\t"
+        "str       r3, [%[r], #56]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #44]\n\t"
+        "str       r2, [%[r], #52]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #40]\n\t"
+        "str       r4, [%[r], #48]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #36]\n\t"
+        "str       r3, [%[r], #44]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #32]\n\t"
+        "str       r2, [%[r], #40]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #28]\n\t"
+        "str       r4, [%[r], #36]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #24]\n\t"
+        "str       r3, [%[r], #32]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #20]\n\t"
+        "str       r2, [%[r], #28]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #16]\n\t"
+        "str       r4, [%[r], #24]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #12]\n\t"
+        "str       r3, [%[r], #20]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #8]\n\t"
+        "str       r2, [%[r], #16]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #4]\n\t"
+        "str       r4, [%[r], #12]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #0]\n\t"
+        "str       r3, [%[r], #8]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r3, [%[a], #60]\n\t"
+        "str       r2, [%[r], #68]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #56]\n\t"
+        "str       r4, [%[r], #64]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #52]\n\t"
+        "str       r3, [%[r], #60]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #48]\n\t"
+        "str       r2, [%[r], #56]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #44]\n\t"
+        "str       r4, [%[r], #52]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #40]\n\t"
+        "str       r3, [%[r], #48]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #36]\n\t"
+        "str       r2, [%[r], #44]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #32]\n\t"
+        "str       r4, [%[r], #40]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #28]\n\t"
+        "str       r3, [%[r], #36]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #24]\n\t"
+        "str       r2, [%[r], #32]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #20]\n\t"
+        "str       r4, [%[r], #28]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #16]\n\t"
+        "str       r3, [%[r], #24]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #12]\n\t"
+        "str       r2, [%[r], #20]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #8]\n\t"
+        "str       r4, [%[r], #16]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #4]\n\t"
+        "str       r3, [%[r], #12]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #0]\n\t"
+        "str       r2, [%[r], #8]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "sub     %[a], %[a], #64\n\t"
+        "sub     %[r], %[r], #64\n\t"
+        "ldr       r2, [%[a], #60]\n\t"
+        "str       r4, [%[r], #68]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #56]\n\t"
+        "str       r3, [%[r], #64]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #52]\n\t"
+        "str       r2, [%[r], #60]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #48]\n\t"
+        "str       r4, [%[r], #56]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #44]\n\t"
+        "str       r3, [%[r], #52]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #40]\n\t"
+        "str       r2, [%[r], #48]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #36]\n\t"
+        "str       r4, [%[r], #44]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #32]\n\t"
+        "str       r3, [%[r], #40]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #28]\n\t"
+        "str       r2, [%[r], #36]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #24]\n\t"
+        "str       r4, [%[r], #32]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #20]\n\t"
+        "str       r3, [%[r], #28]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #16]\n\t"
+        "str       r2, [%[r], #24]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #12]\n\t"
+        "str       r4, [%[r], #20]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "ldr       r4, [%[a], #8]\n\t"
+        "str       r3, [%[r], #16]\n\t"
+        "lsr       r5, r4, #1\n\t"
+        "lsl       r4, r4, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r2, r2, r5\n\t"
+        "ldr       r3, [%[a], #4]\n\t"
+        "str       r2, [%[r], #12]\n\t"
+        "lsr       r5, r3, #1\n\t"
+        "lsl       r3, r3, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r4, r4, r5\n\t"
+        "ldr       r2, [%[a], #0]\n\t"
+        "str       r4, [%[r], #8]\n\t"
+        "lsr       r5, r2, #1\n\t"
+        "lsl       r2, r2, %[n]\n\t"
+        "lsr       r5, r5, r6\n\t"
+        "orr       r3, r3, r5\n\t"
+        "str r2, [%[r]]\n\t"
+        "str r3, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [n] "r" (n)
+        : "memory", "r2", "r3", "r4", "r5", "r6"
+    );
+}
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_128(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[256];
+    sp_digit td[129];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 385, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 256;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_128(norm, m);
+
+        i = (bits - 1) / 32;
+        n = e[i--];
+        c = bits & 31;
+        if (c == 0) {
+            c = 32;
+        }
+        c -= bits % 5;
+        if (c == 32) {
+            c = 27;
+        }
+        y = (int)(n >> c);
+        n <<= 32 - c;
+        sp_4096_lshift_128(r, norm, y);
+        for (; i>=0 || c>=5; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = n >> 27;
+                n <<= 5;
+                c = 27;
+            }
+            else if (c < 5) {
+                y = n >> 27;
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (32 - c);
+                n <<= c;
+                c = 32 - c;
+            }
+            else {
+                y = (n >> 27) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+            sp_4096_mont_sqr_128(r, r, m, mp);
+
+            sp_4096_lshift_128(r, r, y);
+            sp_4096_mul_d_128(tmp, norm, r[128]);
+            r[128] = 0;
+            o = sp_4096_add_128(r, r, tmp);
+            sp_4096_cond_sub_128(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[128], 0, sizeof(sp_digit) * 128U);
+        sp_4096_mont_reduce_128(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_128(r, m) >= 0);
+        sp_4096_cond_sub_128(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[256], e[128], m[128];
+    sp_digit* r = b;
+    word32 i;
+
+    if (mp_count_bits(base) > 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        if (expLen > 512) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        if (mp_count_bits(mod) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 128, base);
+        sp_4096_from_bin(e, 128, exp, expLen);
+        sp_4096_from_mp(m, 128, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 && m[127] == (sp_digit)-1)
+            err = sp_4096_mod_exp_2_128(r, e, expLen * 8, m);
+        else
+    #endif
+            err = sp_4096_mod_exp_128(r, b, e, expLen * 8, m, 0);
+
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif /* WOLFSSL_HAVE_SP_DH */
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 8];
+    sp_digit y[2 * 8];
+    sp_digit z[2 * 8];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[8] = {
+    0xffffffff,0xffffffff,0xffffffff,0x00000000,0x00000000,0x00000000,
+    0x00000001,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[8] = {
+    0x00000001,0x00000000,0x00000000,0xffffffff,0xffffffff,0xffffffff,
+    0xfffffffe,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[8] = {
+    0xfc632551,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[8] = {
+    0xfc63254f,0xf3b9cac2,0xa7179e84,0xbce6faad,0xffffffff,0xffffffff,
+    0x00000000,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[8] = {
+    0x039cdaaf,0x0c46353d,0x58e8617b,0x43190552,0x00000000,0x00000000,
+    0xffffffff,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0xee00bc4f;
+#endif
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0xd898c296,0xf4a13945,0x2deb33a0,0x77037d81,0x63a440f2,0xf8bce6e5,
+        0xe12c4247,0x6b17d1f2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x37bf51f5,0xcbb64068,0x6b315ece,0x2bce3357,0x7c0f9e16,0x8ee7eb4a,
+        0xfe1a7f9b,0x4fe342e2,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[8] = {
+    0x27d2604b,0x3bce3c3e,0xcc53b0f6,0x651d06b0,0x769886bc,0xb3ebbd55,
+    0xaa3a93e7,0x5ac635d8
+};
+#endif
+
+static int sp_256_point_new_ex_8(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_8(heap, sp, p) sp_256_point_new_ex_8((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_8(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ */
+static int sp_256_mod_mul_norm_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    int64_t t[8];
+    int64_t a64[8];
+    int64_t o;
+
+    (void)m;
+
+    a64[0] = a[0];
+    a64[1] = a[1];
+    a64[2] = a[2];
+    a64[3] = a[3];
+    a64[4] = a[4];
+    a64[5] = a[5];
+    a64[6] = a[6];
+    a64[7] = a[7];
+
+    /*  1  1  0 -1 -1 -1 -1  0 */
+    t[0] = 0 + a64[0] + a64[1] - a64[3] - a64[4] - a64[5] - a64[6];
+    /*  0  1  1  0 -1 -1 -1 -1 */
+    t[1] = 0 + a64[1] + a64[2] - a64[4] - a64[5] - a64[6] - a64[7];
+    /*  0  0  1  1  0 -1 -1 -1 */
+    t[2] = 0 + a64[2] + a64[3] - a64[5] - a64[6] - a64[7];
+    /* -1 -1  0  2  2  1  0 -1 */
+    t[3] = 0 - a64[0] - a64[1] + 2 * a64[3] + 2 * a64[4] + a64[5] - a64[7];
+    /*  0 -1 -1  0  2  2  1  0 */
+    t[4] = 0 - a64[1] - a64[2] + 2 * a64[4] + 2 * a64[5] + a64[6];
+    /*  0  0 -1 -1  0  2  2  1 */
+    t[5] = 0 - a64[2] - a64[3] + 2 * a64[5] + 2 * a64[6] + a64[7];
+    /* -1 -1  0  0  0  1  3  2 */
+    t[6] = 0 - a64[0] - a64[1] + a64[5] + 3 * a64[6] + 2 * a64[7];
+    /*  1  0 -1 -1 -1 -1  0  3 */
+    t[7] = 0 + a64[0] - a64[2] - a64[3] - a64[4] - a64[5] + 3 * a64[7];
+
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    o     = t[7] >> 32; t[7] &= 0xffffffff;
+    t[0] += o;
+    t[3] -= o;
+    t[6] -= o;
+    t[7] += o;
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    r[0] = t[0];
+    r[1] = t[1];
+    r[2] = t[2];
+    r[3] = t[3];
+    r[4] = t[4];
+    r[5] = t[5];
+    r[6] = t[6];
+    r[7] = t[7];
+
+    return MP_OKAY;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_8(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 8, pm->x);
+    sp_256_from_mp(p->y, 8, pm->y);
+    sp_256_from_mp(p->z, 8, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 8);
+        r->used = 8;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 8; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_8(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[8];
+
+    __asm__ __volatile__ (
+        /* A[0] * B[0] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r3, r4, r6, r8\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[tmp], #0]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[1] */
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* A[1] * B[0] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #4]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * B[2] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * B[1] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[0] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #8]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * B[3] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[1] * B[2] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[2] * B[1] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[0] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[tmp], #12]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[4] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[1] * B[3] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[2] * B[2] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[3] * B[1] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[0] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #16]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * B[5] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * B[4] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[3] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[3] * B[2] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[4] * B[1] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[0] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #20]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * B[6] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[1] * B[5] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[2] * B[4] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[3] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[4] * B[2] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[5] * B[1] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[0] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[tmp], #24]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * B[7] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[1] * B[6] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[2] * B[5] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[3] * B[4] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[3] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[5] * B[2] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[6] * B[1] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[0] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #0]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #28]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[1] * B[7] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[2] * B[6] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[3] * B[5] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[4] * B[4] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[3] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[6] * B[2] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[7] * B[1] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[2] * B[7] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[3] * B[6] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[4] * B[5] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[5] * B[4] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[3] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[7] * B[2] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[3] * B[7] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[4] * B[6] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[5] * B[5] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[6] * B[4] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[3] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[4] * B[7] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * B[6] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[6] * B[5] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[7] * B[4] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[5] * B[7] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * B[6] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[7] * B[5] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[6] * B[7] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        /* A[7] * B[6] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[7] * B[7] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        /* Transfer tmp to r */
+        "ldr	r3, [%[tmp], #0]\n\t"
+        "ldr	r4, [%[tmp], #4]\n\t"
+        "ldr	r5, [%[tmp], #8]\n\t"
+        "ldr	r6, [%[tmp], #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[tmp], #16]\n\t"
+        "ldr	r4, [%[tmp], #20]\n\t"
+        "ldr	r5, [%[tmp], #24]\n\t"
+        "ldr	r6, [%[tmp], #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [tmp] "r" (tmp)
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_256_cond_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #32\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_8(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    (void)mp;
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r2, #0\n\t"
+        "mov	r1, #0\n\t"
+        /* i = 0 */
+        "mov	r9, r2\n\t"
+        "\n1:\n\t"
+        "mov	r4, #0\n\t"
+        /* mu = a[i] * 1 (mp) = a[i] */
+        "ldr	r3, [%[a]]\n\t"
+        /* a[i] += -1 * mu = -1 * a[i] => a[i] = 0 no carry */
+        /* a[i+1] += -1 * mu */
+        "ldr	r6, [%[a], #4]\n\t"
+        "mov	r5, #0\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r2\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        /* a[i+2] += -1 * mu */
+        "ldr	r6, [%[a], #8]\n\t"
+        "mov	r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r4, r4, r2\n\t"
+        "str	r5, [%[a], #8]\n\t"
+        /* a[i+3] += 0 * mu */
+        "ldr	r6, [%[a], #12]\n\t"
+        "mov	r5, #0\n\t"
+        "adds	r4, r4, r3\n\t"
+        "adc	r5, r5, r2\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r2\n\t"
+        "str	r4, [%[a], #12]\n\t"
+        /* a[i+4] += 0 * mu */
+        "ldr	r6, [%[a], #16]\n\t"
+        "mov	r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r4, r4, r2\n\t"
+        "str	r5, [%[a], #16]\n\t"
+        /* a[i+5] += 0 * mu */
+        "ldr	r6, [%[a], #20]\n\t"
+        "mov	r5, #0\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r2\n\t"
+        "str	r4, [%[a], #20]\n\t"
+        /* a[i+6] += 1 * mu */
+        "ldr	r6, [%[a], #24]\n\t"
+        "mov	r4, #0\n\t"
+        "adds	r5, r5, r3\n\t"
+        "adc	r4, r4, r2\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r4, r4, r2\n\t"
+        "str	r5, [%[a], #24]\n\t"
+        /* a[i+7] += -1 * mu */
+        "ldr	r6, [%[a], #28]\n\t"
+        "ldr	r8, [%[a], #32]\n\t"
+        "adds	r5, r1, r3\n\t"
+        "mov	r1, #0\n\t"
+        "adc	r1, r1, r2\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r2\n\t"
+        "sbc	r1, r1, r2\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adc	r1, r1, r2\n\t"
+        "str	r4, [%[a],  #28]\n\t"
+        "str	r5, [%[a], #32]\n\t"
+        /* i += 1 */
+        "add	r9, r9, #1\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "mov	r6, #8\n\t"
+        "cmp	r9, r6\n\t"
+        "blt	1b\n\t"
+        "sub	%[a], %[a], #32\n\t"
+        "mov	r3, r1\n\t"
+        "sub	r1, r1, #1\n\t"
+        "mvn	r1, r1\n\t"
+        "ldr	r4, [%[a],#32]\n\t"
+        "ldr	r5, [%[a],#36]\n\t"
+        "ldr	r6, [%[a],#40]\n\t"
+        "ldr	r8, [%[a],#44]\n\t"
+        "subs	r4, r4, r1\n\t"
+        "sbcs	r5, r5, r1\n\t"
+        "sbcs	r6, r6, r1\n\t"
+        "sbcs	r8, r8, r2\n\t"
+        "str	r4, [%[a],#0]\n\t"
+        "str	r5, [%[a],#4]\n\t"
+        "str	r6, [%[a],#8]\n\t"
+        "str	r8, [%[a],#12]\n\t"
+        "ldr	r4, [%[a],#48]\n\t"
+        "ldr	r5, [%[a],#52]\n\t"
+        "ldr	r6, [%[a],#56]\n\t"
+        "ldr	r8, [%[a],#60]\n\t"
+        "sbcs	r4, r4, r2\n\t"
+        "sbcs	r5, r5, r2\n\t"
+        "sbcs	r6, r6, r3\n\t"
+        "sbc	r8, r8, r1\n\t"
+        "str	r4, [%[a],#16]\n\t"
+        "str	r5, [%[a],#20]\n\t"
+        "str	r6, [%[a],#24]\n\t"
+        "str	r8, [%[a],#28]\n\t"
+        : [a] "+r" (a)
+        :
+        : "memory", "r1", "r2", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+
+
+    (void)m;
+    (void)mp;
+}
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_256_mont_reduce_order_8(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #32\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #24\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+6] += m[6] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+7] += m[7] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[7] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[7] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #24\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_256_cond_sub_8(a - 8, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_mul_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_8(r, m, mp);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_8(sp_digit* r, const sp_digit* a)
+{
+    sp_digit tmp[8];
+    __asm__ __volatile__ (
+        /* A[0] * A[0] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "umull	r3, r4, r6, r6\n\t"
+        "mov	r5, #0\n\t"
+        "str	r3, [%[tmp], #0]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[1] */
+        "ldr	r8, [%[a], #4]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[tmp], #4]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * A[2] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[1] * A[1] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[tmp], #8]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * A[3] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[2] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[tmp], #12]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[4] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[3] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[2] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[tmp], #16]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[0] * A[5] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[4] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[3] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r5, r5, r9\n\t"
+        "adcs	r3, r3, r10\n\t"
+        "adc	r4, r4, r11\n\t"
+        "str	r5, [%[tmp], #20]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[0] * A[6] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[5] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[4] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[3] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[tmp], #24]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[0] * A[7] */
+        "ldr	r6, [%[a], #0]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[1] * A[6] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[2] * A[5] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[4] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[tmp], #28]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[1] * A[7] */
+        "ldr	r6, [%[a], #4]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[2] * A[6] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[3] * A[5] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[4] * A[4] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r5, r5, r9\n\t"
+        "adcs	r3, r3, r10\n\t"
+        "adc	r4, r4, r11\n\t"
+        "str	r5, [%[r], #32]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[2] * A[7] */
+        "ldr	r6, [%[a], #8]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[3] * A[6] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[4] * A[5] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r3, r3, r9\n\t"
+        "adcs	r4, r4, r10\n\t"
+        "adc	r5, r5, r11\n\t"
+        "str	r3, [%[r], #36]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[3] * A[7] */
+        "ldr	r6, [%[a], #12]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r9, r10, r6, r8\n\t"
+        "mov	r11, #0\n\t"
+        /* A[4] * A[6] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r9, r9, r6\n\t"
+        "adcs 	r10, r10, r8\n\t"
+        "adc	r11, r11, #0\n\t"
+        /* A[5] * A[5] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "adc	r11, r11, r11\n\t"
+        "adds	r4, r4, r9\n\t"
+        "adcs	r5, r5, r10\n\t"
+        "adc	r3, r3, r11\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[4] * A[7] */
+        "ldr	r6, [%[a], #16]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        /* A[5] * A[6] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r3, r3, r8\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "mov	r5, #0\n\t"
+        /* A[5] * A[7] */
+        "ldr	r6, [%[a], #20]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[6] * A[6] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r3, [%[r], #48]\n\t"
+        "mov	r3, #0\n\t"
+        /* A[6] * A[7] */
+        "ldr	r6, [%[a], #24]\n\t"
+        "ldr	r8, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs 	r5, r5, r8\n\t"
+        "adc	r3, r3, #0\n\t"
+        "str	r4, [%[r], #52]\n\t"
+        "mov	r4, #0\n\t"
+        /* A[7] * A[7] */
+        "ldr	r6, [%[a], #28]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adc	r3, r3, r8\n\t"
+        "str	r5, [%[r], #56]\n\t"
+        "str	r3, [%[r], #60]\n\t"
+        /* Transfer tmp to r */
+        "ldr	r3, [%[tmp], #0]\n\t"
+        "ldr	r4, [%[tmp], #4]\n\t"
+        "ldr	r5, [%[tmp], #8]\n\t"
+        "ldr	r6, [%[tmp], #12]\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[tmp], #16]\n\t"
+        "ldr	r4, [%[tmp], #20]\n\t"
+        "ldr	r5, [%[tmp], #24]\n\t"
+        "ldr	r6, [%[tmp], #28]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [tmp] "r" (tmp)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11"
+    );
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_8(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_256_sqr_8(r, a);
+    sp_256_mont_reduce_8(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_8(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_8(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_8(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint32_t p256_mod_minus_2[8] = {
+    0xfffffffdU,0xffffffffU,0xffffffffU,0x00000000U,0x00000000U,0x00000000U,
+    0x00000001U,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_8(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_8(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_256_mont_mul_8(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    /* 0x2 */
+    sp_256_mont_sqr_8(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_8(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_8(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_8(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_8(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_8(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_8(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_8(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_8(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_8(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_8(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_8(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_8(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_8(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_8(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_256_cmp_8(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #28\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_256_norm_8(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    int32_t n;
+
+    sp_256_mont_inv_8(t1, p->z, t + 2*8);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_8(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 8, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_8(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_8(r->x, p256_mod);
+    sp_256_cond_sub_8(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_8(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 8, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_8(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_8(r->y, p256_mod);
+    sp_256_cond_sub_8(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_8(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #32\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_add_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_add_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[b],#0]\n\t"
+        "ldr	r8, [%[b],#4]\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[a],#8]\n\t"
+        "ldr	r5, [%[a],#12]\n\t"
+        "ldr	r6, [%[b],#8]\n\t"
+        "ldr	r8, [%[b],#12]\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[b],#16]\n\t"
+        "ldr	r8, [%[b],#20]\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "mov	r9, r4\n\t"
+        "mov	r10, r5\n\t"
+        "ldr	r4, [%[a],#24]\n\t"
+        "ldr	r5, [%[a],#28]\n\t"
+        "ldr	r6, [%[b],#24]\n\t"
+        "ldr	r8, [%[b],#28]\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "mov	r11, r4\n\t"
+        "mov	r12, r5\n\t"
+        "adc	r3, r3, r3\n\t"
+        "mov	r6, r3\n\t"
+        "sub	r3, r3, #1\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r8, #0\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[r],#8]\n\t"
+        "ldr	r5, [%[r],#12]\n\t"
+        "sbcs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "mov	r4, r9\n\t"
+        "mov	r5, r10\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "mov	r4, r11\n\t"
+        "mov	r5, r12\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbc	r5, r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_dbl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[a],#8]\n\t"
+        "ldr	r8, [%[a],#12]\n\t"
+        "adds	r4, r4, r4\n\t"
+        "adcs	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "str	r8, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[a],#24]\n\t"
+        "ldr	r8, [%[a],#28]\n\t"
+        "adcs	r4, r4, r4\n\t"
+        "adcs	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "mov	r9, r4\n\t"
+        "mov	r10, r5\n\t"
+        "mov	r11, r6\n\t"
+        "mov	r12, r8\n\t"
+        "mov	r3, #0\n\t"
+        "mov	r8, #0\n\t"
+        "adc	r3, r3, r3\n\t"
+        "mov	r2, r3\n\t"
+        "sub	r3, r3, #1\n\t"
+        "mvn	r3, r3\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "ldr	r6, [%[r],#8]\n\t"
+        "subs	r4, r4, r3\n\t"
+        "sbcs	r5, r5, r3\n\t"
+        "sbcs	r6, r6, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "str	r6, [%[r],#8]\n\t"
+        "ldr	r4, [%[r],#12]\n\t"
+        "mov	r5, r9\n\t"
+        "mov	r6, r10\n\t"
+        "sbcs	r4, r4, r8\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "sbcs	r6, r6, r8\n\t"
+        "str	r4, [%[r],#12]\n\t"
+        "str	r5, [%[r],#16]\n\t"
+        "str	r6, [%[r],#20]\n\t"
+        "mov	r4, r11\n\t"
+        "mov	r5, r12\n\t"
+        "sbcs	r4, r4, r2\n\t"
+        "sbc	r5, r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r3", "r2", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_tpl_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a],#0]\n\t"
+        "ldr	r3, [%[a],#4]\n\t"
+        "ldr	r4, [%[a],#8]\n\t"
+        "ldr	r5, [%[a],#12]\n\t"
+        "ldr	r6, [%[a],#16]\n\t"
+        "ldr	r8, [%[a],#20]\n\t"
+        "ldr	r9, [%[a],#24]\n\t"
+        "ldr	r10, [%[a],#28]\n\t"
+        "adds	r2, r2, r2\n\t"
+        "adcs	r3, r3, r3\n\t"
+        "adcs	r4, r4, r4\n\t"
+        "adcs	r5, r5, r5\n\t"
+        "adcs	r6, r6, r6\n\t"
+        "adcs	r8, r8, r8\n\t"
+        "adcs	r9, r9, r9\n\t"
+        "adcs	r10, r10, r10\n\t"
+        "mov	r11, #0\n\t"
+        "mov	r14, #0\n\t"
+        "adc	r11, r11, r11\n\t"
+        "mov	r12, r11\n\t"
+        "sub	r11, r11, #1\n\t"
+        "mvn	r11, r11\n\t"
+        "subs	r2, r2, r11\n\t"
+        "sbcs	r3, r3, r11\n\t"
+        "sbcs	r4, r4, r11\n\t"
+        "sbcs	r5, r5, r14\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "sbcs	r8, r8, r14\n\t"
+        "sbcs	r9, r9, r12\n\t"
+        "sbc	r10, r10, r11\n\t"
+        "ldr	r12, [%[a],#0]\n\t"
+        "ldr	r14, [%[a],#4]\n\t"
+        "adds	r2, r2, r12\n\t"
+        "adcs	r3, r3, r14\n\t"
+        "ldr	r12, [%[a],#8]\n\t"
+        "ldr	r14, [%[a],#12]\n\t"
+        "adcs	r4, r4, r12\n\t"
+        "adcs	r5, r5, r14\n\t"
+        "ldr	r12, [%[a],#16]\n\t"
+        "ldr	r14, [%[a],#20]\n\t"
+        "adcs	r6, r6, r12\n\t"
+        "adcs	r8, r8, r14\n\t"
+        "ldr	r12, [%[a],#24]\n\t"
+        "ldr	r14, [%[a],#28]\n\t"
+        "adcs	r9, r9, r12\n\t"
+        "adcs	r10, r10, r14\n\t"
+        "mov	r11, #0\n\t"
+        "mov	r14, #0\n\t"
+        "adc	r11, r11, r11\n\t"
+        "mov	r12, r11\n\t"
+        "sub	r11, r11, #1\n\t"
+        "mvn	r11, r11\n\t"
+        "subs	r2, r2, r11\n\t"
+        "str	r2, [%[r],#0]\n\t"
+        "sbcs	r3, r3, r11\n\t"
+        "str	r3, [%[r],#4]\n\t"
+        "sbcs	r4, r4, r11\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "sbcs	r5, r5, r14\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "sbcs	r6, r6, r14\n\t"
+        "str	r6, [%[r],#16]\n\t"
+        "sbcs	r8, r8, r14\n\t"
+        "str	r8, [%[r],#20]\n\t"
+        "sbcs	r9, r9, r12\n\t"
+        "str	r9, [%[r],#24]\n\t"
+        "sbc	r10, r10, r11\n\t"
+        "str	r10, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r11", "r12", "r14", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10"
+    );
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_mont_sub_8(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)m;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a],#0]\n\t"
+        "ldr	r5, [%[a],#4]\n\t"
+        "ldr	r6, [%[b],#0]\n\t"
+        "ldr	r8, [%[b],#4]\n\t"
+        "subs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[a],#8]\n\t"
+        "ldr	r5, [%[a],#12]\n\t"
+        "ldr	r6, [%[b],#8]\n\t"
+        "ldr	r8, [%[b],#12]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "ldr	r4, [%[a],#16]\n\t"
+        "ldr	r5, [%[a],#20]\n\t"
+        "ldr	r6, [%[b],#16]\n\t"
+        "ldr	r8, [%[b],#20]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "mov	r9, r4\n\t"
+        "mov	r10, r5\n\t"
+        "ldr	r4, [%[a],#24]\n\t"
+        "ldr	r5, [%[a],#28]\n\t"
+        "ldr	r6, [%[b],#24]\n\t"
+        "ldr	r8, [%[b],#28]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "mov	r11, r4\n\t"
+        "mov	r12, r5\n\t"
+        "sbc   r3, r3, r3\n\t"
+        "lsr   r8, r3, #31\n\t"
+        "mov   r6, #0\n\t"
+        "ldr	r4, [%[r],#0]\n\t"
+        "ldr	r5, [%[r],#4]\n\t"
+        "adds	r4, r4, r3\n\t"
+        "adcs	r5, r5, r3\n\t"
+        "str	r4, [%[r],#0]\n\t"
+        "str	r5, [%[r],#4]\n\t"
+        "ldr	r4, [%[r],#8]\n\t"
+        "ldr	r5, [%[r],#12]\n\t"
+        "adcs	r4, r4, r3\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "str	r4, [%[r],#8]\n\t"
+        "str	r5, [%[r],#12]\n\t"
+        "mov	r4, r9\n\t"
+        "mov	r5, r10\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "str	r4, [%[r],#16]\n\t"
+        "str	r5, [%[r],#20]\n\t"
+        "mov	r4, r11\n\t"
+        "mov	r5, r12\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, r3\n\t"
+        "str	r4, [%[r],#24]\n\t"
+        "str	r5, [%[r],#28]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+SP_NOINLINE static void sp_256_div2_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    __asm__ __volatile__ (
+        "ldr	r8, [%[a], #0]\n\t"
+        "lsl	r8, r8, #31\n\t"
+        "lsr	r8, r8, #31\n\t"
+        "mov	r5, #0\n\t"
+        "sub	r5, r5, r8\n\t"
+        "mov	r8, #0\n\t"
+        "lsl	r6, r5, #31\n\t"
+        "lsr	r6, r6, #31\n\t"
+        "ldr	r3, [%[a], #0]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "adds	r3, r3, r5\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r3, [%[r], #0]\n\t"
+        "str	r4, [%[r], #4]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "adcs	r3, r3, r5\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "str	r3, [%[r], #8]\n\t"
+        "str	r4, [%[r], #12]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "adcs	r3, r3, r8\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "ldr	r3, [%[a], #24]\n\t"
+        "ldr	r4, [%[a], #28]\n\t"
+        "adcs	r3, r3, r6\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "adc	r8, r8, r8\n\t"
+        "lsl	r8, r8, #31\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r5, r4\n\t"
+        "orr	r6, r6, r8\n\t"
+        "mov	r8, r3\n\t"
+        "str	r5, [%[r], #24]\n\t"
+        "str	r6, [%[r], #28]\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r5, r4\n\t"
+        "orr	r6, r6, r8\n\t"
+        "mov	r8, r3\n\t"
+        "str	r5, [%[r], #16]\n\t"
+        "str	r6, [%[r], #20]\n\t"
+        "ldr	r3, [%[a], #8]\n\t"
+        "ldr	r4, [%[a], #12]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsl	r3, r3, #31\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r5, r4\n\t"
+        "orr	r6, r6, r8\n\t"
+        "mov	r8, r3\n\t"
+        "str	r5, [%[r], #8]\n\t"
+        "str	r6, [%[r], #12]\n\t"
+        "ldr	r3, [%[r], #0]\n\t"
+        "ldr	r4, [%[r], #4]\n\t"
+        "lsr	r5, r3, #1\n\t"
+        "lsr	r6, r4, #1\n\t"
+        "lsl	r4, r4, #31\n\t"
+        "orr	r5, r5, r4\n\t"
+        "orr	r6, r6, r8\n\t"
+        "str	r5, [%[r], #0]\n\t"
+        "str	r6, [%[r], #4]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a), [m] "r" (m)
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_8(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_8(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_8(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_8(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_8(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_8(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_8(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_8(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_8(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_8(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_8(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_8(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_8(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_8(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_8(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_8(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_8(y, y, t2, p256_mod);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "add	r6, r6, #32\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_8(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "subs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #8]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r5, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #24]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r5, [%[r], #28]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_8(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_8(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_8(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_8(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_8(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_8(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_8(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_8(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, x, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, y, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_mul_8(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, y, t5, p256_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[16];
+    sp_point_256 rtd;
+    sp_digit tmpd[2 * 8 * 5];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_8(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_8(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_8(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_8(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_8(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_8(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_8(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 6;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_256));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+            sp_256_proj_point_dbl_8(rt, rt, tmp);
+
+            sp_256_proj_point_add_8(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 8 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_256) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_256_point_free_8(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[8];
+    sp_digit y[8];
+} sp_table_entry_256;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_8(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*8;
+    sp_digit* b = t + 4*8;
+    sp_digit* t1 = t + 6*8;
+    sp_digit* t2 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_8(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_8(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_8(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(t2, b, p256_mod);
+        sp_256_mont_sub_8(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_8(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_8(y, b, x, p256_mod);
+        sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_8(y, y, p256_mod);
+        sp_256_mont_sub_8(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_8(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_8(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_8(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_8(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_8(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(t2, b, p256_mod);
+    sp_256_mont_sub_8(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_8(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_8(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_8(y, b, x, p256_mod);
+    sp_256_mont_mul_8(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_8(y, y, p256_mod);
+    sp_256_mont_sub_8(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_8(y, y, p256_mod);
+}
+
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_8(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 8;
+    sp_digit* tmp = t + 4 * 8;
+
+    sp_256_mont_inv_8(t1, a->z, tmp);
+
+    sp_256_mont_sqr_8(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_8(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_8(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_8(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*8;
+    sp_digit* t3 = t + 4*8;
+    sp_digit* t4 = t + 6*8;
+    sp_digit* t5 = t + 8*8;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_8(t1, p256_mod, q->y);
+    sp_256_norm_8(t1);
+    if ((sp_256_cmp_equal_8(p->x, q->x) & sp_256_cmp_equal_8(p->z, q->z) &
+        (sp_256_cmp_equal_8(p->y, q->y) | sp_256_cmp_equal_8(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_8(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<8; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<8; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<8; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_8(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_8(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_8(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_8(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_8(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_8(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_8(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_8(t1, t3, p256_mod);
+        sp_256_mont_sub_8(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_8(t3, t3, x, p256_mod);
+        sp_256_mont_mul_8(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_8(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_256_proj_point_dbl_n_8(t, 64, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=63; j<4; j++,x+=64) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=62; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=64) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_8(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_8(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_8(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_8(t, 32, tmp);
+            sp_256_proj_to_affine_8(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_8(t, s1, s2, tmp);
+                sp_256_proj_to_affine_8(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_8(s2, 0, heap);
+    sp_256_point_free_8(s1, 0, heap);
+    sp_256_point_free_8( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_8(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 8 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_8(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_8(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_8(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_8(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[8];
+    sp_digit y[8];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_8(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_8(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_8(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 8 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_8(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_8(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_8(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+        sp_256_point_from_ecc_point_8(point, gm);
+
+            err = sp_256_ecc_mulmod_8(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_256 p256_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 3 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 4 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 5 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 6 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 7 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 8 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 9 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 10 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 11 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 12 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 13 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 14 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 15 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x18a9143c,0x79e730d4,0x5fedb601,0x75ba95fc,0x77622510,0x79fb732b,
+        0xa53755c6,0x18905f76 },
+      { 0xce95560a,0xddf25357,0xba19e45c,0x8b4ab8e4,0xdd21f325,0xd2e88688,
+        0x25885d85,0x8571ff18 } },
+    /* 2 */
+    { { 0x4147519a,0x20288602,0x26b372f0,0xd0981eac,0xa785ebc8,0xa9d4a7ca,
+        0xdbdf58e9,0xd953c50d },
+      { 0xfd590f8f,0x9d6361cc,0x44e6c917,0x72e9626b,0x22eb64cf,0x7fd96110,
+        0x9eb288f3,0x863ebb7e } },
+    /* 3 */
+    { { 0x5cdb6485,0x7856b623,0x2f0a2f97,0x808f0ea2,0x4f7e300b,0x3e68d954,
+        0xb5ff80a0,0x00076055 },
+      { 0x838d2010,0x7634eb9b,0x3243708a,0x54014fbb,0x842a6606,0xe0e47d39,
+        0x34373ee0,0x83087761 } },
+    /* 4 */
+    { { 0x16a0d2bb,0x4f922fc5,0x1a623499,0x0d5cc16c,0x57c62c8b,0x9241cf3a,
+        0xfd1b667f,0x2f5e6961 },
+      { 0xf5a01797,0x5c15c70b,0x60956192,0x3d20b44d,0x071fdb52,0x04911b37,
+        0x8d6f0f7b,0xf648f916 } },
+    /* 5 */
+    { { 0xe137bbbc,0x9e566847,0x8a6a0bec,0xe434469e,0x79d73463,0xb1c42761,
+        0x133d0015,0x5abe0285 },
+      { 0xc04c7dab,0x92aa837c,0x43260c07,0x573d9f4c,0x78e6cc37,0x0c931562,
+        0x6b6f7383,0x94bb725b } },
+    /* 6 */
+    { { 0x720f141c,0xbbf9b48f,0x2df5bc74,0x6199b3cd,0x411045c4,0xdc3f6129,
+        0x2f7dc4ef,0xcdd6bbcb },
+      { 0xeaf436fd,0xcca6700b,0xb99326be,0x6f647f6d,0x014f2522,0x0c0fa792,
+        0x4bdae5f6,0xa361bebd } },
+    /* 7 */
+    { { 0x597c13c7,0x28aa2558,0x50b7c3e1,0xc38d635f,0xf3c09d1d,0x07039aec,
+        0xc4b5292c,0xba12ca09 },
+      { 0x59f91dfd,0x9e408fa4,0xceea07fb,0x3af43b66,0x9d780b29,0x1eceb089,
+        0x701fef4b,0x53ebb99d } },
+    /* 8 */
+    { { 0xb0e63d34,0x4fe7ee31,0xa9e54fab,0xf4600572,0xd5e7b5a4,0xc0493334,
+        0x06d54831,0x8589fb92 },
+      { 0x6583553a,0xaa70f5cc,0xe25649e5,0x0879094a,0x10044652,0xcc904507,
+        0x02541c4f,0xebb0696d } },
+    /* 9 */
+    { { 0xac1647c5,0x4616ca15,0xc4cf5799,0xb8127d47,0x764dfbac,0xdc666aa3,
+        0xd1b27da3,0xeb2820cb },
+      { 0x6a87e008,0x9406f8d8,0x922378f3,0xd87dfa9d,0x80ccecb2,0x56ed2e42,
+        0x55a7da1d,0x1f28289b } },
+    /* 10 */
+    { { 0x3b89da99,0xabbaa0c0,0xb8284022,0xa6f2d79e,0xb81c05e8,0x27847862,
+        0x05e54d63,0x337a4b59 },
+      { 0x21f7794a,0x3c67500d,0x7d6d7f61,0x207005b7,0x04cfd6e8,0x0a5a3781,
+        0xf4c2fbd6,0x0d65e0d5 } },
+    /* 11 */
+    { { 0xb5275d38,0xd9d09bbe,0x0be0a358,0x4268a745,0x973eb265,0xf0762ff4,
+        0x52f4a232,0xc23da242 },
+      { 0x0b94520c,0x5da1b84f,0xb05bd78e,0x09666763,0x94d29ea1,0x3a4dcb86,
+        0xc790cff1,0x19de3b8c } },
+    /* 12 */
+    { { 0x26c5fe04,0x183a716c,0x3bba1bdb,0x3b28de0b,0xa4cb712c,0x7432c586,
+        0x91fccbfd,0xe34dcbd4 },
+      { 0xaaa58403,0xb408d46b,0x82e97a53,0x9a697486,0x36aaa8af,0x9e390127,
+        0x7b4e0f7f,0xe7641f44 } },
+    /* 13 */
+    { { 0xdf64ba59,0x7d753941,0x0b0242fc,0xd33f10ec,0xa1581859,0x4f06dfc6,
+        0x052a57bf,0x4a12df57 },
+      { 0x9439dbd0,0xbfa6338f,0xbde53e1f,0xd3c24bd4,0x21f1b314,0xfd5e4ffa,
+        0xbb5bea46,0x6af5aa93 } },
+    /* 14 */
+    { { 0x10c91999,0xda10b699,0x2a580491,0x0a24b440,0xb8cc2090,0x3e0094b4,
+        0x66a44013,0x5fe3475a },
+      { 0xf93e7b4b,0xb0f8cabd,0x7c23f91a,0x292b501a,0xcd1e6263,0x42e889ae,
+        0xecfea916,0xb544e308 } },
+    /* 15 */
+    { { 0x16ddfdce,0x6478c6e9,0xf89179e6,0x2c329166,0x4d4e67e1,0x4e8d6e76,
+        0xa6b0c20b,0xe0b6b2bd },
+      { 0xbb7efb57,0x0d312df2,0x790c4007,0x1aac0dde,0x679bc944,0xf90336ad,
+        0x25a63774,0x71c023de } },
+    /* 16 */
+    { { 0xbfe20925,0x62a8c244,0x8fdce867,0x91c19ac3,0xdd387063,0x5a96a5d5,
+        0x21d324f6,0x61d587d4 },
+      { 0xa37173ea,0xe87673a2,0x53778b65,0x23848008,0x05bab43e,0x10f8441e,
+        0x4621efbe,0xfa11fe12 } },
+    /* 17 */
+    { { 0x2cb19ffd,0x1c891f2b,0xb1923c23,0x01ba8d5b,0x8ac5ca8e,0xb6d03d67,
+        0x1f13bedc,0x586eb04c },
+      { 0x27e8ed09,0x0c35c6e5,0x1819ede2,0x1e81a33c,0x56c652fa,0x278fd6c0,
+        0x70864f11,0x19d5ac08 } },
+    /* 18 */
+    { { 0x309a4e1f,0x1e99f581,0xe9270074,0xab7de71b,0xefd28d20,0x26a5ef0b,
+        0x7f9c563f,0xe7c0073f },
+      { 0x0ef59f76,0x1f6d663a,0x20fcb050,0x669b3b54,0x7a6602d4,0xc08c1f7a,
+        0xc65b3c0a,0xe08504fe } },
+    /* 19 */
+    { { 0xa031b3ca,0xf098f68d,0xe6da6d66,0x6d1cab9e,0x94f246e8,0x5bfd81fa,
+        0x5b0996b4,0x78f01882 },
+      { 0x3a25787f,0xb7eefde4,0x1dccac9b,0x8016f80d,0xb35bfc36,0x0cea4877,
+        0x7e94747a,0x43a773b8 } },
+    /* 20 */
+    { { 0xd2b533d5,0x62577734,0xa1bdddc0,0x673b8af6,0xa79ec293,0x577e7c9a,
+        0xc3b266b1,0xbb6de651 },
+      { 0xb65259b3,0xe7e9303a,0xd03a7480,0xd6a0afd3,0x9b3cfc27,0xc5ac83d1,
+        0x5d18b99b,0x60b4619a } },
+    /* 21 */
+    { { 0x1ae5aa1c,0xbd6a38e1,0x49e73658,0xb8b7652b,0xee5f87ed,0x0b130014,
+        0xaeebffcd,0x9d0f27b2 },
+      { 0x7a730a55,0xca924631,0xddbbc83a,0x9c955b2f,0xac019a71,0x07c1dfe0,
+        0x356ec48d,0x244a566d } },
+    /* 22 */
+    { { 0xeacf1f96,0x6db0394a,0x024c271c,0x9f2122a9,0x82cbd3b9,0x2626ac1b,
+        0x3581ef69,0x45e58c87 },
+      { 0xa38f9dbc,0xd3ff479d,0xe888a040,0xa8aaf146,0x46e0bed7,0x945adfb2,
+        0xc1e4b7a4,0xc040e21c } },
+    /* 23 */
+    { { 0x6f8117b6,0x847af000,0x73a35433,0x651969ff,0x1d9475eb,0x482b3576,
+        0x682c6ec7,0x1cdf5c97 },
+      { 0x11f04839,0x7db775b4,0x48de1698,0x7dbeacf4,0xb70b3219,0xb2921dd1,
+        0xa92dff3d,0x046755f8 } },
+    /* 24 */
+    { { 0xbce8ffcd,0xcc8ac5d2,0x2fe61a82,0x0d53c48b,0x7202d6c7,0xf6f16172,
+        0x3b83a5f3,0x046e5e11 },
+      { 0xd8007f01,0xe7b8ff64,0x5af43183,0x7fb1ef12,0x35e1a03c,0x045c5ea6,
+        0x303d005b,0x6e0106c3 } },
+    /* 25 */
+    { { 0x88dd73b1,0x48c73584,0x995ed0d9,0x7670708f,0xc56a2ab7,0x38385ea8,
+        0xe901cf1f,0x442594ed },
+      { 0x12d4b65b,0xf8faa2c9,0x96c90c37,0x94c2343b,0x5e978d1f,0xd326e4a1,
+        0x4c2ee68e,0xa796fa51 } },
+    /* 26 */
+    { { 0x823addd7,0x359fb604,0xe56693b3,0x9e2a6183,0x3cbf3c80,0xf885b78e,
+        0xc69766e9,0xe4ad2da9 },
+      { 0x8e048a61,0x357f7f42,0xc092d9a0,0x082d198c,0xc03ed8ef,0xfc3a1af4,
+        0xc37b5143,0xc5e94046 } },
+    /* 27 */
+    { { 0x2be75f9e,0x476a538c,0xcb123a78,0x6fd1a9e8,0xb109c04b,0xd85e4df0,
+        0xdb464747,0x63283daf },
+      { 0xbaf2df15,0xce728cf7,0x0ad9a7f4,0xe592c455,0xe834bcc3,0xfab226ad,
+        0x1981a938,0x68bd19ab } },
+    /* 28 */
+    { { 0x1887d659,0xc08ead51,0xb359305a,0x3374d5f4,0xcfe74fe3,0x96986981,
+        0x3c6fdfd6,0x495292f5 },
+      { 0x1acec896,0x4a878c9e,0xec5b4484,0xd964b210,0x664d60a7,0x6696f7e2,
+        0x26036837,0x0ec7530d } },
+    /* 29 */
+    { { 0xad2687bb,0x2da13a05,0xf32e21fa,0xa1f83b6a,0x1dd4607b,0x390f5ef5,
+        0x64863f0b,0x0f6207a6 },
+      { 0x0f138233,0xbd67e3bb,0x272aa718,0xdd66b96c,0x26ec88ae,0x8ed00407,
+        0x08ed6dcf,0xff0db072 } },
+    /* 30 */
+    { { 0x4c95d553,0x749fa101,0x5d680a8a,0xa44052fd,0xff3b566f,0x183b4317,
+        0x88740ea3,0x313b513c },
+      { 0x08d11549,0xb402e2ac,0xb4dee21c,0x071ee10b,0x47f2320e,0x26b987dd,
+        0x86f19f81,0x2d3abcf9 } },
+    /* 31 */
+    { { 0x815581a2,0x4c288501,0x632211af,0x9a0a6d56,0x0cab2e99,0x19ba7a0f,
+        0xded98cdf,0xc036fa10 },
+      { 0xc1fbd009,0x29ae08ba,0x06d15816,0x0b68b190,0x9b9e0d8f,0xc2eb3277,
+        0xb6d40194,0xa6b2a2c4 } },
+    /* 32 */
+    { { 0x6d3549cf,0xd433e50f,0xfacd665e,0x6f33696f,0xce11fcb4,0x695bfdac,
+        0xaf7c9860,0x810ee252 },
+      { 0x7159bb2c,0x65450fe1,0x758b357b,0xf7dfbebe,0xd69fea72,0x2b057e74,
+        0x92731745,0xd485717a } },
+    /* 33 */
+    { { 0xf0cb5a98,0x11741a8a,0x1f3110bf,0xd3da8f93,0xab382adf,0x1994e2cb,
+        0x2f9a604e,0x6a6045a7 },
+      { 0xa2b2411d,0x170c0d3f,0x510e96e0,0xbe0eb83e,0x8865b3cc,0x3bcc9f73,
+        0xf9e15790,0xd3e45cfa } },
+    /* 34 */
+    { { 0xe83f7669,0xce1f69bb,0x72877d6b,0x09f8ae82,0x3244278d,0x9548ae54,
+        0xe3c2c19c,0x207755de },
+      { 0x6fef1945,0x87bd61d9,0xb12d28c3,0x18813cef,0x72df64aa,0x9fbcd1d6,
+        0x7154b00d,0x48dc5ee5 } },
+    /* 35 */
+    { { 0xf7e5a199,0x123790bf,0x989ccbb7,0xe0efb8cf,0x0a519c79,0xc27a2bfe,
+        0xdff6f445,0xf2fb0aed },
+      { 0xf0b5025f,0x41c09575,0x40fa9f22,0x550543d7,0x380bfbd0,0x8fa3c8ad,
+        0xdb28d525,0xa13e9015 } },
+    /* 36 */
+    { { 0xa2b65cbc,0xf9f7a350,0x2a464226,0x0b04b972,0xe23f07a1,0x265ce241,
+        0x1497526f,0x2bf0d6b0 },
+      { 0x4b216fb7,0xd3d4dd3f,0xfbdda26a,0xf7d7b867,0x6708505c,0xaeb7b83f,
+        0x162fe89f,0x42a94a5a } },
+    /* 37 */
+    { { 0xeaadf191,0x5846ad0b,0x25a268d7,0x0f8a4890,0x494dc1f6,0xe8603050,
+        0xc65ede3d,0x2c2dd969 },
+      { 0x93849c17,0x6d02171d,0x1da250dd,0x460488ba,0x3c3a5485,0x4810c706,
+        0x42c56dbc,0xf437fa1f } },
+    /* 38 */
+    { { 0x4a0f7dab,0x6aa0d714,0x1776e9ac,0x0f049793,0xf5f39786,0x52c0a050,
+        0x54707aa8,0xaaf45b33 },
+      { 0xc18d364a,0x85e37c33,0x3e497165,0xd40b9b06,0x15ec5444,0xf4171681,
+        0xf4f272bc,0xcdf6310d } },
+    /* 39 */
+    { { 0x8ea8b7ef,0x7473c623,0x85bc2287,0x08e93518,0x2bda8e34,0x41956772,
+        0xda9e2ff2,0xf0d008ba },
+      { 0x2414d3b1,0x2912671d,0xb019ea76,0xb3754985,0x453bcbdb,0x5c61b96d,
+        0xca887b8b,0x5bd5c2f5 } },
+    /* 40 */
+    { { 0xf49a3154,0xef0f469e,0x6e2b2e9a,0x3e85a595,0xaa924a9c,0x45aaec1e,
+        0xa09e4719,0xaa12dfc8 },
+      { 0x4df69f1d,0x26f27227,0xa2ff5e73,0xe0e4c82c,0xb7a9dd44,0xb9d8ce73,
+        0xe48ca901,0x6c036e73 } },
+    /* 41 */
+    { { 0x0f6e3138,0x5cfae12a,0x25ad345a,0x6966ef00,0x45672bc5,0x8993c64b,
+        0x96afbe24,0x292ff658 },
+      { 0x5e213402,0xd5250d44,0x4392c9fe,0xf6580e27,0xda1c72e8,0x097b397f,
+        0x311b7276,0x644e0c90 } },
+    /* 42 */
+    { { 0xa47153f0,0xe1e421e1,0x920418c9,0xb86c3b79,0x705d7672,0x93bdce87,
+        0xcab79a77,0xf25ae793 },
+      { 0x6d869d0c,0x1f3194a3,0x4986c264,0x9d55c882,0x096e945e,0x49fb5ea3,
+        0x13db0a3e,0x39b8e653 } },
+    /* 43 */
+    { { 0xb6fd2e59,0x37754200,0x9255c98f,0x35e2c066,0x0e2a5739,0xd9dab21a,
+        0x0f19db06,0x39122f2f },
+      { 0x03cad53c,0xcfbce1e0,0xe65c17e3,0x225b2c0f,0x9aa13877,0x72baf1d2,
+        0xce80ff8d,0x8de80af8 } },
+    /* 44 */
+    { { 0x207bbb76,0xafbea8d9,0x21782758,0x921c7e7c,0x1c0436b1,0xdfa2b74b,
+        0x2e368c04,0x87194906 },
+      { 0xa3993df5,0xb5f928bb,0xf3b3d26a,0x639d75b5,0x85b55050,0x011aa78a,
+        0x5b74fde1,0xfc315e6a } },
+    /* 45 */
+    { { 0xe8d6ecfa,0x561fd41a,0x1aec7f86,0x5f8c44f6,0x4924741d,0x98452a7b,
+        0xee389088,0xe6d4a7ad },
+      { 0x4593c75d,0x60552ed1,0xdd271162,0x70a70da4,0x7ba2c7db,0xd2aede93,
+        0x9be2ae57,0x35dfaf9a } },
+    /* 46 */
+    { { 0xaa736636,0x6b956fcd,0xae2cab7e,0x09f51d97,0x0f349966,0xfb10bf41,
+        0x1c830d2b,0x1da5c7d7 },
+      { 0x3cce6825,0x5c41e483,0xf9573c3b,0x15ad118f,0xf23036b8,0xa28552c7,
+        0xdbf4b9d6,0x7077c0fd } },
+    /* 47 */
+    { { 0x46b9661c,0xbf63ff8d,0x0d2cfd71,0xa1dfd36b,0xa847f8f7,0x0373e140,
+        0xe50efe44,0x53a8632e },
+      { 0x696d8051,0x0976ff68,0xc74f468a,0xdaec0c95,0x5e4e26bd,0x62994dc3,
+        0x34e1fcc1,0x028ca76d } },
+    /* 48 */
+    { { 0xfc9877ee,0xd11d47dc,0x801d0002,0xc8b36210,0x54c260b6,0xd002c117,
+        0x6962f046,0x04c17cd8 },
+      { 0xb0daddf5,0x6d9bd094,0x24ce55c0,0xbea23575,0x72da03b5,0x663356e6,
+        0xfed97474,0xf7ba4de9 } },
+    /* 49 */
+    { { 0xebe1263f,0xd0dbfa34,0x71ae7ce6,0x55763735,0x82a6f523,0xd2440553,
+        0x52131c41,0xe31f9600 },
+      { 0xea6b6ec6,0xd1bb9216,0x73c2fc44,0x37a1d12e,0x89d0a294,0xc10e7eac,
+        0xce34d47b,0xaa3a6259 } },
+    /* 50 */
+    { { 0x36f3dcd3,0xfbcf9df5,0xd2bf7360,0x6ceded50,0xdf504f5b,0x491710fa,
+        0x7e79daee,0x2398dd62 },
+      { 0x6d09569e,0xcf4705a3,0x5149f769,0xea0619bb,0x35f6034c,0xff9c0377,
+        0x1c046210,0x5717f5b2 } },
+    /* 51 */
+    { { 0x21dd895e,0x9fe229c9,0x40c28451,0x8e518500,0x1d637ecd,0xfa13d239,
+        0x0e3c28de,0x660a2c56 },
+      { 0xd67fcbd0,0x9cca88ae,0x0ea9f096,0xc8472478,0x72e92b4d,0x32b2f481,
+        0x4f522453,0x624ee54c } },
+    /* 52 */
+    { { 0xd897eccc,0x09549ce4,0x3f9880aa,0x4d49d1d9,0x043a7c20,0x723c2423,
+        0x92bdfbc0,0x4f392afb },
+      { 0x7de44fd9,0x6969f8fa,0x57b32156,0xb66cfbe4,0x368ebc3c,0xdb2fa803,
+        0xccdb399c,0x8a3e7977 } },
+    /* 53 */
+    { { 0x06c4b125,0xdde1881f,0xf6e3ca8c,0xae34e300,0x5c7a13e9,0xef6999de,
+        0x70c24404,0x3888d023 },
+      { 0x44f91081,0x76280356,0x5f015504,0x3d9fcf61,0x632cd36e,0x1827edc8,
+        0x18102336,0xa5e62e47 } },
+    /* 54 */
+    { { 0x2facd6c8,0x1a825ee3,0x54bcbc66,0x699c6354,0x98df9931,0x0ce3edf7,
+        0x466a5adc,0x2c4768e6 },
+      { 0x90a64bc9,0xb346ff8c,0xe4779f5c,0x630a6020,0xbc05e884,0xd949d064,
+        0xf9e652a0,0x7b5e6441 } },
+    /* 55 */
+    { { 0x1d28444a,0x2169422c,0xbe136a39,0xe996c5d8,0xfb0c7fce,0x2387afe5,
+        0x0c8d744a,0xb8af73cb },
+      { 0x338b86fd,0x5fde83aa,0xa58a5cff,0xfee3f158,0x20ac9433,0xc9ee8f6f,
+        0x7f3f0895,0xa036395f } },
+    /* 56 */
+    { { 0xa10f7770,0x8c73c6bb,0xa12a0e24,0xa6f16d81,0x51bc2b9f,0x100df682,
+        0x875fb533,0x4be36b01 },
+      { 0x9fb56dbb,0x9226086e,0x07e7a4f8,0x306fef8b,0x66d52f20,0xeeaccc05,
+        0x1bdc00c0,0x8cbc9a87 } },
+    /* 57 */
+    { { 0xc0dac4ab,0xe131895c,0x712ff112,0xa874a440,0x6a1cee57,0x6332ae7c,
+        0x0c0835f8,0x44e7553e },
+      { 0x7734002d,0x6d503fff,0x0b34425c,0x9d35cb8b,0x0e8738b5,0x95f70276,
+        0x5eb8fc18,0x470a683a } },
+    /* 58 */
+    { { 0x90513482,0x81b761dc,0x01e9276a,0x0287202a,0x0ce73083,0xcda441ee,
+        0xc63dc6ef,0x16410690 },
+      { 0x6d06a2ed,0xf5034a06,0x189b100b,0xdd4d7745,0xab8218c9,0xd914ae72,
+        0x7abcbb4f,0xd73479fd } },
+    /* 59 */
+    { { 0x5ad4c6e5,0x7edefb16,0x5b06d04d,0x262cf08f,0x8575cb14,0x12ed5bb1,
+        0x0771666b,0x816469e3 },
+      { 0x561e291e,0xd7ab9d79,0xc1de1661,0xeb9daf22,0x135e0513,0xf49827eb,
+        0xf0dd3f9c,0x0a36dd23 } },
+    /* 60 */
+    { { 0x41d5533c,0x098d32c7,0x8684628f,0x7c5f5a9e,0xe349bd11,0x39a228ad,
+        0xfdbab118,0xe331dfd6 },
+      { 0x6bcc6ed8,0x5100ab68,0xef7a260e,0x7160c3bd,0xbce850d7,0x9063d9a7,
+        0x492e3389,0xd3b4782a } },
+    /* 61 */
+    { { 0xf3821f90,0xa149b6e8,0x66eb7aad,0x92edd9ed,0x1a013116,0x0bb66953,
+        0x4c86a5bd,0x7281275a },
+      { 0xd3ff47e5,0x503858f7,0x61016441,0x5e1616bc,0x7dfd9bb1,0x62b0f11a,
+        0xce145059,0x2c062e7e } },
+    /* 62 */
+    { { 0x0159ac2e,0xa76f996f,0xcbdb2713,0x281e7736,0x08e46047,0x2ad6d288,
+        0x2c4e7ef1,0x282a35f9 },
+      { 0xc0ce5cd2,0x9c354b1e,0x1379c229,0xcf99efc9,0x3e82c11e,0x992caf38,
+        0x554d2abd,0xc71cd513 } },
+    /* 63 */
+    { { 0x09b578f4,0x4885de9c,0xe3affa7a,0x1884e258,0x59182f1f,0x8f76b1b7,
+        0xcf47f3a3,0xc50f6740 },
+      { 0x374b68ea,0xa9c4adf3,0x69965fe2,0xa406f323,0x85a53050,0x2f86a222,
+        0x212958dc,0xb9ecb3a7 } },
+    /* 64 */
+    { { 0xf4f8b16a,0x56f8410e,0xc47b266a,0x97241afe,0x6d9c87c1,0x0a406b8e,
+        0xcd42ab1b,0x803f3e02 },
+      { 0x04dbec69,0x7f0309a8,0x3bbad05f,0xa83b85f7,0xad8e197f,0xc6097273,
+        0x5067adc1,0xc097440e } },
+    /* 65 */
+    { { 0xc379ab34,0x846a56f2,0x841df8d1,0xa8ee068b,0x176c68ef,0x20314459,
+        0x915f1f30,0xf1af32d5 },
+      { 0x5d75bd50,0x99c37531,0xf72f67bc,0x837cffba,0x48d7723f,0x0613a418,
+        0xe2d41c8b,0x23d0f130 } },
+    /* 66 */
+    { { 0xf41500d9,0x857ab6ed,0xfcbeada8,0x0d890ae5,0x89725951,0x52fe8648,
+        0xc0a3fadd,0xb0288dd6 },
+      { 0x650bcb08,0x85320f30,0x695d6e16,0x71af6313,0xb989aa76,0x31f520a7,
+        0xf408c8d2,0xffd3724f } },
+    /* 67 */
+    { { 0xb458e6cb,0x53968e64,0x317a5d28,0x992dad20,0x7aa75f56,0x3814ae0b,
+        0xd78c26df,0xf5590f4a },
+      { 0xcf0ba55a,0x0fc24bd3,0x0c778bae,0x0fc4724a,0x683b674a,0x1ce9864f,
+        0xf6f74a20,0x18d6da54 } },
+    /* 68 */
+    { { 0xd5be5a2b,0xed93e225,0x5934f3c6,0x6fe79983,0x22626ffc,0x43140926,
+        0x7990216a,0x50bbb4d9 },
+      { 0xe57ec63e,0x378191c6,0x181dcdb2,0x65422c40,0x0236e0f6,0x41a8099b,
+        0x01fe49c3,0x2b100118 } },
+    /* 69 */
+    { { 0x9b391593,0xfc68b5c5,0x598270fc,0xc385f5a2,0xd19adcbb,0x7144f3aa,
+        0x83fbae0c,0xdd558999 },
+      { 0x74b82ff4,0x93b88b8e,0x71e734c9,0xd2e03c40,0x43c0322a,0x9a7a9eaf,
+        0x149d6041,0xe6e4c551 } },
+    /* 70 */
+    { { 0x1e9af288,0x55f655bb,0xf7ada931,0x647e1a64,0xcb2820e5,0x43697e4b,
+        0x07ed56ff,0x51e00db1 },
+      { 0x771c327e,0x43d169b8,0x4a96c2ad,0x29cdb20b,0x3deb4779,0xc07d51f5,
+        0x49829177,0xe22f4241 } },
+    /* 71 */
+    { { 0x635f1abb,0xcd45e8f4,0x68538874,0x7edc0cb5,0xb5a8034d,0xc9472c1f,
+        0x52dc48c9,0xf709373d },
+      { 0xa8af30d6,0x401966bb,0xf137b69c,0x95bf5f4a,0x9361c47e,0x3966162a,
+        0xe7275b11,0xbd52d288 } },
+    /* 72 */
+    { { 0x9c5fa877,0xab155c7a,0x7d3a3d48,0x17dad672,0x73d189d8,0x43f43f9e,
+        0xc8aa77a6,0xa0d0f8e4 },
+      { 0xcc94f92d,0x0bbeafd8,0x0c4ddb3a,0xd818c8be,0xb82eba14,0x22cc65f8,
+        0x946d6a00,0xa56c78c7 } },
+    /* 73 */
+    { { 0x0dd09529,0x2962391b,0x3daddfcf,0x803e0ea6,0x5b5bf481,0x2c77351f,
+        0x731a367a,0xd8befdf8 },
+      { 0xfc0157f4,0xab919d42,0xfec8e650,0xf51caed7,0x02d48b0a,0xcdf9cb40,
+        0xce9f6478,0x854a68a5 } },
+    /* 74 */
+    { { 0x63506ea5,0xdc35f67b,0xa4fe0d66,0x9286c489,0xfe95cd4d,0x3f101d3b,
+        0x98846a95,0x5cacea0b },
+      { 0x9ceac44d,0xa90df60c,0x354d1c3a,0x3db29af4,0xad5dbabe,0x08dd3de8,
+        0x35e4efa9,0xe4982d12 } },
+    /* 75 */
+    { { 0xc34cd55e,0x23104a22,0x2680d132,0x58695bb3,0x1fa1d943,0xfb345afa,
+        0x16b20499,0x8046b7f6 },
+      { 0x38e7d098,0xb533581e,0xf46f0b70,0xd7f61e8d,0x44cb78c4,0x30dea9ea,
+        0x9082af55,0xeb17ca7b } },
+    /* 76 */
+    { { 0x76a145b9,0x1751b598,0xc1bc71ec,0xa5cf6b0f,0x392715bb,0xd3e03565,
+        0xfab5e131,0x097b00ba },
+      { 0x565f69e1,0xaa66c8e9,0xb5be5199,0x77e8f75a,0xda4fd984,0x6033ba11,
+        0xafdbcc9e,0xf95c747b } },
+    /* 77 */
+    { { 0xbebae45e,0x558f01d3,0xc4bc6955,0xa8ebe9f0,0xdbc64fc6,0xaeb705b1,
+        0x566ed837,0x3512601e },
+      { 0xfa1161cd,0x9336f1e1,0x4c65ef87,0x328ab8d5,0x724f21e5,0x4757eee2,
+        0x6068ab6b,0x0ef97123 } },
+    /* 78 */
+    { { 0x54ca4226,0x02598cf7,0xf8642c8e,0x5eede138,0x468e1790,0x48963f74,
+        0x3b4fbc95,0xfc16d933 },
+      { 0xe7c800ca,0xbe96fb31,0x2678adaa,0x13806331,0x6ff3e8b5,0x3d624497,
+        0xb95d7a17,0x14ca4af1 } },
+    /* 79 */
+    { { 0xbd2f81d5,0x7a4771ba,0x01f7d196,0x1a5f9d69,0xcad9c907,0xd898bef7,
+        0xf59c231d,0x4057b063 },
+      { 0x89c05c0a,0xbffd82fe,0x1dc0df85,0xe4911c6f,0xa35a16db,0x3befccae,
+        0xf1330b13,0x1c3b5d64 } },
+    /* 80 */
+    { { 0x80ec21fe,0x5fe14bfe,0xc255be82,0xf6ce116a,0x2f4a5d67,0x98bc5a07,
+        0xdb7e63af,0xfad27148 },
+      { 0x29ab05b3,0x90c0b6ac,0x4e251ae6,0x37a9a83c,0xc2aade7d,0x0a7dc875,
+        0x9f0e1a84,0x77387de3 } },
+    /* 81 */
+    { { 0xa56c0dd7,0x1e9ecc49,0x46086c74,0xa5cffcd8,0xf505aece,0x8f7a1408,
+        0xbef0c47e,0xb37b85c0 },
+      { 0xcc0e6a8f,0x3596b6e4,0x6b388f23,0xfd6d4bbf,0xc39cef4e,0xaba453fa,
+        0xf9f628d5,0x9c135ac8 } },
+    /* 82 */
+    { { 0x84e35743,0x32aa3202,0x85a3cdef,0x320d6ab1,0x1df19819,0xb821b176,
+        0xc433851f,0x5721361f },
+      { 0x71fc9168,0x1f0db36a,0x5e5c403c,0x5f98ba73,0x37bcd8f5,0xf64ca87e,
+        0xe6bb11bd,0xdcbac3c9 } },
+    /* 83 */
+    { { 0x4518cbe2,0xf01d9968,0x9c9eb04e,0xd242fc18,0xe47feebf,0x727663c7,
+        0x2d626862,0xb8c1c89e },
+      { 0xc8e1d569,0x51a58bdd,0xb7d88cd0,0x563809c8,0xf11f31eb,0x26c27fd9,
+        0x2f9422d4,0x5d23bbda } },
+    /* 84 */
+    { { 0x95c8f8be,0x0a1c7294,0x3bf362bf,0x2961c480,0xdf63d4ac,0x9e418403,
+        0x91ece900,0xc109f9cb },
+      { 0x58945705,0xc2d095d0,0xddeb85c0,0xb9083d96,0x7a40449b,0x84692b8d,
+        0x2eee1ee1,0x9bc3344f } },
+    /* 85 */
+    { { 0x42913074,0x0d5ae356,0x48a542b1,0x55491b27,0xb310732a,0x469ca665,
+        0x5f1a4cc1,0x29591d52 },
+      { 0xb84f983f,0xe76f5b6b,0x9f5f84e1,0xbe7eef41,0x80baa189,0x1200d496,
+        0x18ef332c,0x6376551f } },
+    /* 86 */
+    { { 0x562976cc,0xbda5f14e,0x0ef12c38,0x22bca3e6,0x6cca9852,0xbbfa3064,
+        0x08e2987a,0xbdb79dc8 },
+      { 0xcb06a772,0xfd2cb5c9,0xfe536dce,0x38f475aa,0x7c2b5db8,0xc2a3e022,
+        0xadd3c14a,0x8ee86001 } },
+    /* 87 */
+    { { 0xa4ade873,0xcbe96981,0xc4fba48c,0x7ee9aa4d,0x5a054ba5,0x2cee2899,
+        0x6f77aa4b,0x92e51d7a },
+      { 0x7190a34d,0x948bafa8,0xf6bd1ed1,0xd698f75b,0x0caf1144,0xd00ee6e3,
+        0x0a56aaaa,0x5182f86f } },
+    /* 88 */
+    { { 0x7a4cc99c,0xfba6212c,0x3e6d9ca1,0xff609b68,0x5ac98c5a,0x5dbb27cb,
+        0x4073a6f2,0x91dcab5d },
+      { 0x5f575a70,0x01b6cc3d,0x6f8d87fa,0x0cb36139,0x89981736,0x165d4e8c,
+        0x97974f2b,0x17a0cedb } },
+    /* 89 */
+    { { 0x076c8d3a,0x38861e2a,0x210f924b,0x701aad39,0x13a835d9,0x94d0eae4,
+        0x7f4cdf41,0x2e8ce36c },
+      { 0x037a862b,0x91273dab,0x60e4c8fa,0x01ba9bb7,0x33baf2dd,0xf9645388,
+        0x34f668f3,0xf4ccc6cb } },
+    /* 90 */
+    { { 0xf1f79687,0x44ef525c,0x92efa815,0x7c595495,0xa5c78d29,0xe1231741,
+        0x9a0df3c9,0xac0db488 },
+      { 0xdf01747f,0x86bfc711,0xef17df13,0x592b9358,0x5ccb6bb5,0xe5880e4f,
+        0x94c974a2,0x95a64a61 } },
+    /* 91 */
+    { { 0xc15a4c93,0x72c1efda,0x82585141,0x40269b73,0x16cb0bad,0x6a8dfb1c,
+        0x29210677,0x231e54ba },
+      { 0x8ae6d2dc,0xa70df917,0x39112918,0x4d6aa63f,0x5e5b7223,0xf627726b,
+        0xd8a731e1,0xab0be032 } },
+    /* 92 */
+    { { 0x8d131f2d,0x097ad0e9,0x3b04f101,0x637f09e3,0xd5e9a748,0x1ac86196,
+        0x2cf6a679,0xf1bcc880 },
+      { 0xe8daacb4,0x25c69140,0x60f65009,0x3c4e4055,0x477937a6,0x591cc8fc,
+        0x5aebb271,0x85169469 } },
+    /* 93 */
+    { { 0xf1dcf593,0xde35c143,0xb018be3b,0x78202b29,0x9bdd9d3d,0xe9cdadc2,
+        0xdaad55d8,0x8f67d9d2 },
+      { 0x7481ea5f,0x84111656,0xe34c590c,0xe7d2dde9,0x05053fa8,0xffdd43f4,
+        0xc0728b5d,0xf84572b9 } },
+    /* 94 */
+    { { 0x97af71c9,0x5e1a7a71,0x7a736565,0xa1449444,0x0e1d5063,0xa1b4ae07,
+        0x616b2c19,0xedee2710 },
+      { 0x11734121,0xb2f034f5,0x4a25e9f0,0x1cac6e55,0xa40c2ecf,0x8dc148f3,
+        0x44ebd7f4,0x9fd27e9b } },
+    /* 95 */
+    { { 0xf6e2cb16,0x3cc7658a,0xfe5919b6,0xe3eb7d2c,0x168d5583,0x5a8c5816,
+        0x958ff387,0xa40c2fb6 },
+      { 0xfedcc158,0x8c9ec560,0x55f23056,0x7ad804c6,0x9a307e12,0xd9396704,
+        0x7dc6decf,0x99bc9bb8 } },
+    /* 96 */
+    { { 0x927dafc6,0x84a9521d,0x5c09cd19,0x52c1fb69,0xf9366dde,0x9d9581a0,
+        0xa16d7e64,0x9abe210b },
+      { 0x48915220,0x480af84a,0x4dd816c6,0xfa73176a,0x1681ca5a,0xc7d53987,
+        0x87f344b0,0x7881c257 } },
+    /* 97 */
+    { { 0xe0bcf3ff,0x93399b51,0x127f74f6,0x0d02cbc5,0xdd01d968,0x8fb465a2,
+        0xa30e8940,0x15e6e319 },
+      { 0x3e0e05f4,0x646d6e0d,0x43588404,0xfad7bddc,0xc4f850d3,0xbe61c7d1,
+        0x191172ce,0x0e55facf } },
+    /* 98 */
+    { { 0xf8787564,0x7e9d9806,0x31e85ce6,0x1a331721,0xb819e8d6,0x6b0158ca,
+        0x6fe96577,0xd73d0976 },
+      { 0x1eb7206e,0x42483425,0xc618bb42,0xa519290f,0x5e30a520,0x5dcbb859,
+        0x8f15a50b,0x9250a374 } },
+    /* 99 */
+    { { 0xbe577410,0xcaff08f8,0x5077a8c6,0xfd408a03,0xec0a63a4,0xf1f63289,
+        0xc1cc8c0b,0x77414082 },
+      { 0xeb0991cd,0x05a40fa6,0x49fdc296,0xc1ca0866,0xb324fd40,0x3a68a3c7,
+        0x12eb20b9,0x8cb04f4d } },
+    /* 100 */
+    { { 0x6906171c,0xb1c2d055,0xb0240c3f,0x9073e9cd,0xd8906841,0xdb8e6b4f,
+        0x47123b51,0xe4e429ef },
+      { 0x38ec36f4,0x0b8dd53c,0xff4b6a27,0xf9d2dc01,0x879a9a48,0x5d066e07,
+        0x3c6e6552,0x37bca2ff } },
+    /* 101 */
+    { { 0xdf562470,0x4cd2e3c7,0xc0964ac9,0x44f272a2,0x80c793be,0x7c6d5df9,
+        0x3002b22a,0x59913edc },
+      { 0x5750592a,0x7a139a83,0xe783de02,0x99e01d80,0xea05d64f,0xcf8c0375,
+        0xb013e226,0x43786e4a } },
+    /* 102 */
+    { { 0x9e56b5a6,0xff32b0ed,0xd9fc68f9,0x0750d9a6,0x597846a7,0xec15e845,
+        0xb7e79e7a,0x8638ca98 },
+      { 0x0afc24b2,0x2f5ae096,0x4dace8f2,0x05398eaf,0xaecba78f,0x3b765dd0,
+        0x7b3aa6f0,0x1ecdd36a } },
+    /* 103 */
+    { { 0x6c5ff2f3,0x5d3acd62,0x2873a978,0xa2d516c0,0xd2110d54,0xad94c9fa,
+        0xd459f32d,0xd85d0f85 },
+      { 0x10b11da3,0x9f700b8d,0xa78318c4,0xd2c22c30,0x9208decd,0x556988f4,
+        0xb4ed3c62,0xa04f19c3 } },
+    /* 104 */
+    { { 0xed7f93bd,0x087924c8,0x392f51f6,0xcb64ac5d,0x821b71af,0x7cae330a,
+        0x5c0950b0,0x92b2eeea },
+      { 0x85b6e235,0x85ac4c94,0x2936c0f0,0xab2ca4a9,0xe0508891,0x80faa6b3,
+        0x5834276c,0x1ee78221 } },
+    /* 105 */
+    { { 0xe63e79f7,0xa60a2e00,0xf399d906,0xf590e7b2,0x6607c09d,0x9021054a,
+        0x57a6e150,0xf3f2ced8 },
+      { 0xf10d9b55,0x200510f3,0xd8642648,0x9d2fcfac,0xe8bd0e7c,0xe5631aa7,
+        0x3da3e210,0x0f56a454 } },
+    /* 106 */
+    { { 0x1043e0df,0x5b21bffa,0x9c007e6d,0x6c74b6cc,0xd4a8517a,0x1a656ec0,
+        0x1969e263,0xbd8f1741 },
+      { 0xbeb7494a,0x8a9bbb86,0x45f3b838,0x1567d46f,0xa4e5a79a,0xdf7a12a7,
+        0x30ccfa09,0x2d1a1c35 } },
+    /* 107 */
+    { { 0x506508da,0x192e3813,0xa1d795a7,0x336180c4,0x7a9944b3,0xcddb5949,
+        0xb91fba46,0xa107a65e },
+      { 0x0f94d639,0xe6d1d1c5,0x8a58b7d7,0x8b4af375,0xbd37ca1c,0x1a7c5584,
+        0xf87a9af2,0x183d760a } },
+    /* 108 */
+    { { 0x0dde59a4,0x29d69711,0x0e8bef87,0xf1ad8d07,0x4f2ebe78,0x229b4963,
+        0xc269d754,0x1d44179d },
+      { 0x8390d30e,0xb32dc0cf,0x0de8110c,0x0a3b2753,0x2bc0339a,0x31af1dc5,
+        0x9606d262,0x771f9cc2 } },
+    /* 109 */
+    { { 0x85040739,0x99993e77,0x8026a939,0x44539db9,0xf5f8fc26,0xcf40f6f2,
+        0x0362718e,0x64427a31 },
+      { 0x85428aa8,0x4f4f2d87,0xebfb49a8,0x7b7adc3f,0xf23d01ac,0x201b2c6d,
+        0x6ae90d6d,0x49d9b749 } },
+    /* 110 */
+    { { 0x435d1099,0xcc78d8bc,0x8e8d1a08,0x2adbcd4e,0x2cb68a41,0x02c2e2a0,
+        0x3f605445,0x9037d81b },
+      { 0x074c7b61,0x7cdbac27,0x57bfd72e,0xfe2031ab,0x596d5352,0x61ccec96,
+        0x7cc0639c,0x08c3de6a } },
+    /* 111 */
+    { { 0xf6d552ab,0x20fdd020,0x05cd81f1,0x56baff98,0x91351291,0x06fb7c3e,
+        0x45796b2f,0xc6909442 },
+      { 0x41231bd1,0x17b3ae9c,0x5cc58205,0x1eac6e87,0xf9d6a122,0x208837ab,
+        0xcafe3ac0,0x3fa3db02 } },
+    /* 112 */
+    { { 0x05058880,0xd75a3e65,0x643943f2,0x7da365ef,0xfab24925,0x4147861c,
+        0xfdb808ff,0xc5c4bdb0 },
+      { 0xb272b56b,0x73513e34,0x11b9043a,0xc8327e95,0xf8844969,0xfd8ce37d,
+        0x46c2b6b5,0x2d56db94 } },
+    /* 113 */
+    { { 0xff46ac6b,0x2461782f,0x07a2e425,0xd19f7926,0x09a48de1,0xfafea3c4,
+        0xe503ba42,0x0f56bd9d },
+      { 0x345cda49,0x137d4ed1,0x816f299d,0x821158fc,0xaeb43402,0xe7c6a54a,
+        0x1173b5f1,0x4003bb9d } },
+    /* 114 */
+    { { 0xa0803387,0x3b8e8189,0x39cbd404,0xece115f5,0xd2877f21,0x4297208d,
+        0xa07f2f9e,0x53765522 },
+      { 0xa8a4182d,0xa4980a21,0x3219df79,0xa2bbd07a,0x1a19a2d4,0x674d0a2e,
+        0x6c5d4549,0x7a056f58 } },
+    /* 115 */
+    { { 0x9d8a2a47,0x646b2558,0xc3df2773,0x5b582948,0xabf0d539,0x51ec000e,
+        0x7a1a2675,0x77d482f1 },
+      { 0x87853948,0xb8a1bd95,0x6cfbffee,0xa6f817bd,0x80681e47,0xab6ec057,
+        0x2b38b0e4,0x4115012b } },
+    /* 116 */
+    { { 0x6de28ced,0x3c73f0f4,0x9b13ec47,0x1d5da760,0x6e5c6392,0x61b8ce9e,
+        0xfbea0946,0xcdf04572 },
+      { 0x6c53c3b0,0x1cb3c58b,0x447b843c,0x97fe3c10,0x2cb9780e,0xfb2b8ae1,
+        0x97383109,0xee703dda } },
+    /* 117 */
+    { { 0xff57e43a,0x34515140,0xb1b811b8,0xd44660d3,0x8f42b986,0x2b3b5dff,
+        0xa162ce21,0x2a0ad89d },
+      { 0x6bc277ba,0x64e4a694,0xc141c276,0xc788c954,0xcabf6274,0x141aa64c,
+        0xac2b4659,0xd62d0b67 } },
+    /* 118 */
+    { { 0x2c054ac4,0x39c5d87b,0xf27df788,0x57005859,0xb18128d6,0xedf7cbf3,
+        0x991c2426,0xb39a23f2 },
+      { 0xf0b16ae5,0x95284a15,0xa136f51b,0x0c6a05b1,0xf2700783,0x1d63c137,
+        0xc0674cc5,0x04ed0092 } },
+    /* 119 */
+    { { 0x9ae90393,0x1f4185d1,0x4a3d64e6,0x3047b429,0x9854fc14,0xae0001a6,
+        0x0177c387,0xa0a91fc1 },
+      { 0xae2c831e,0xff0a3f01,0x2b727e16,0xbb76ae82,0x5a3075b4,0x8f12c8a1,
+        0x9ed20c41,0x084cf988 } },
+    /* 120 */
+    { { 0xfca6becf,0xd98509de,0x7dffb328,0x2fceae80,0x4778e8b9,0x5d8a15c4,
+        0x73abf77e,0xd57955b2 },
+      { 0x31b5d4f1,0x210da79e,0x3cfa7a1c,0xaa52f04b,0xdc27c20b,0xd4d12089,
+        0x02d141f1,0x8e14ea42 } },
+    /* 121 */
+    { { 0xf2897042,0xeed50345,0x43402c4a,0x8d05331f,0xc8bdfb21,0xc8d9c194,
+        0x2aa4d158,0x597e1a37 },
+      { 0xcf0bd68c,0x0327ec1a,0xab024945,0x6d4be0dc,0xc9fe3e84,0x5b9c8d7a,
+        0x199b4dea,0xca3f0236 } },
+    /* 122 */
+    { { 0x6170bd20,0x592a10b5,0x6d3f5de7,0x0ea897f1,0x44b2ade2,0xa3363ff1,
+        0x309c07e4,0xbde7fd7e },
+      { 0xb8f5432c,0x516bb6d2,0xe043444b,0x210dc1cb,0xf8f95b5a,0x3db01e6f,
+        0x0a7dd198,0xb623ad0e } },
+    /* 123 */
+    { { 0x60c7b65b,0xa75bd675,0x23a4a289,0xab8c5590,0xd7b26795,0xf8220fd0,
+        0x58ec137b,0xd6aa2e46 },
+      { 0x5138bb85,0x10abc00b,0xd833a95c,0x8c31d121,0x1702a32e,0xb24ff00b,
+        0x2dcc513a,0x111662e0 } },
+    /* 124 */
+    { { 0xefb42b87,0x78114015,0x1b6c4dff,0xbd9f5d70,0xa7d7c129,0x66ecccd7,
+        0x94b750f8,0xdb3ee1cb },
+      { 0xf34837cf,0xb26f3db0,0xb9578d4f,0xe7eed18b,0x7c56657d,0x5d2cdf93,
+        0x52206a59,0x886a6442 } },
+    /* 125 */
+    { { 0x65b569ea,0x3c234cfb,0xf72119c1,0x20011141,0xa15a619e,0x8badc85d,
+        0x018a17bc,0xa70cf4eb },
+      { 0x8c4a6a65,0x224f97ae,0x0134378f,0x36e5cf27,0x4f7e0960,0xbe3a609e,
+        0xd1747b77,0xaa4772ab } },
+    /* 126 */
+    { { 0x7aa60cc0,0x67676131,0x0368115f,0xc7916361,0xbbc1bb5a,0xded98bb4,
+        0x30faf974,0x611a6ddc },
+      { 0xc15ee47a,0x30e78cbc,0x4e0d96a5,0x2e896282,0x3dd9ed88,0x36f35adf,
+        0x16429c88,0x5cfffaf8 } },
+    /* 127 */
+    { { 0x9b7a99cd,0xc0d54cff,0x843c45a1,0x7bf3b99d,0x62c739e1,0x038a908f,
+        0x7dc1994c,0x6e5a6b23 },
+      { 0x0ba5db77,0xef8b454e,0xacf60d63,0xb7b8807f,0x76608378,0xe591c0c6,
+        0x242dabcc,0x481a238d } },
+    /* 128 */
+    { { 0x35d0b34a,0xe3417bc0,0x8327c0a7,0x440b386b,0xac0362d1,0x8fb7262d,
+        0xe0cdf943,0x2c41114c },
+      { 0xad95a0b1,0x2ba5cef1,0x67d54362,0xc09b37a8,0x01e486c9,0x26d6cdd2,
+        0x42ff9297,0x20477abf } },
+    /* 129 */
+    { { 0x18d65dbf,0x2f75173c,0x339edad8,0x77bf940e,0xdcf1001c,0x7022d26b,
+        0xc77396b6,0xac66409a },
+      { 0xc6261cc3,0x8b0bb36f,0x190e7e90,0x213f7bc9,0xa45e6c10,0x6541ceba,
+        0xcc122f85,0xce8e6975 } },
+    /* 130 */
+    { { 0xbc0a67d2,0x0f121b41,0x444d248a,0x62d4760a,0x659b4737,0x0e044f1d,
+        0x250bb4a8,0x08fde365 },
+      { 0x848bf287,0xaceec3da,0xd3369d6e,0xc2a62182,0x92449482,0x3582dfdc,
+        0x565d6cd7,0x2f7e2fd2 } },
+    /* 131 */
+    { { 0xc3770fa7,0xae4b92db,0x379043f9,0x095e8d5c,0x17761171,0x54f34e9d,
+        0x907702ae,0xc65be92e },
+      { 0xf6fd0a40,0x2758a303,0xbcce784b,0xe7d822e3,0x4f9767bf,0x7ae4f585,
+        0xd1193b3a,0x4bff8e47 } },
+    /* 132 */
+    { { 0x00ff1480,0xcd41d21f,0x0754db16,0x2ab8fb7d,0xbbe0f3ea,0xac81d2ef,
+        0x5772967d,0x3e4e4ae6 },
+      { 0x3c5303e6,0x7e18f36d,0x92262397,0x3bd9994b,0x1324c3c0,0x9ed70e26,
+        0x58ec6028,0x5388aefd } },
+    /* 133 */
+    { { 0x5e5d7713,0xad1317eb,0x75de49da,0x09b985ee,0xc74fb261,0x32f5bc4f,
+        0x4f75be0e,0x5cf908d1 },
+      { 0x8e657b12,0x76043510,0xb96ed9e6,0xbfd421a5,0x8970ccc2,0x0e29f51f,
+        0x60f00ce2,0xa698ba40 } },
+    /* 134 */
+    { { 0xef748fec,0x73db1686,0x7e9d2cf9,0xe6e755a2,0xce265eff,0x630b6544,
+        0x7aebad8d,0xb142ef8a },
+      { 0x17d5770a,0xad31af9f,0x2cb3412f,0x66af3b67,0xdf3359de,0x6bd60d1b,
+        0x58515075,0xd1896a96 } },
+    /* 135 */
+    { { 0x33c41c08,0xec5957ab,0x5468e2e1,0x87de94ac,0xac472f6c,0x18816b73,
+        0x7981da39,0x267b0e0b },
+      { 0x8e62b988,0x6e554e5d,0x116d21e7,0xd8ddc755,0x3d2a6f99,0x4610faf0,
+        0xa1119393,0xb54e287a } },
+    /* 136 */
+    { { 0x178a876b,0x0a0122b5,0x085104b4,0x51ff96ff,0x14f29f76,0x050b31ab,
+        0x5f87d4e6,0x84abb28b },
+      { 0x8270790a,0xd5ed439f,0x85e3f46b,0x2d6cb59d,0x6c1e2212,0x75f55c1b,
+        0x17655640,0xe5436f67 } },
+    /* 137 */
+    { { 0x2286e8d5,0x53f9025e,0x864453be,0x353c95b4,0xe408e3a0,0xd832f5bd,
+        0x5b9ce99e,0x0404f68b },
+      { 0xa781e8e5,0xcad33bde,0x163c2f5b,0x3cdf5018,0x0119caa3,0x57576960,
+        0x0ac1c701,0x3a4263df } },
+    /* 138 */
+    { { 0x9aeb596d,0xc2965ecc,0x023c92b4,0x01ea03e7,0x2e013961,0x4704b4b6,
+        0x905ea367,0x0ca8fd3f },
+      { 0x551b2b61,0x92523a42,0x390fcd06,0x1eb7a89c,0x0392a63e,0xe7f1d2be,
+        0x4ddb0c33,0x96dca264 } },
+    /* 139 */
+    { { 0x387510af,0x203bb43a,0xa9a36a01,0x846feaa8,0x2f950378,0xd23a5770,
+        0x3aad59dc,0x4363e212 },
+      { 0x40246a47,0xca43a1c7,0xe55dd24d,0xb362b8d2,0x5d8faf96,0xf9b08604,
+        0xd8bb98c4,0x840e115c } },
+    /* 140 */
+    { { 0x1023e8a7,0xf12205e2,0xd8dc7a0b,0xc808a8cd,0x163a5ddf,0xe292a272,
+        0x30ded6d4,0x5e0d6abd },
+      { 0x7cfc0f64,0x07a721c2,0x0e55ed88,0x42eec01d,0x1d1f9db2,0x26a7bef9,
+        0x2945a25a,0x7dea48f4 } },
+    /* 141 */
+    { { 0xe5060a81,0xabdf6f1c,0xf8f95615,0xe79f9c72,0x06ac268b,0xcfd36c54,
+        0xebfd16d1,0xabc2a2be },
+      { 0xd3e2eac7,0x8ac66f91,0xd2dd0466,0x6f10ba63,0x0282d31b,0x6790e377,
+        0x6c7eefc1,0x4ea35394 } },
+    /* 142 */
+    { { 0x5266309d,0xed8a2f8d,0x81945a3e,0x0a51c6c0,0x578c5dc1,0xcecaf45a,
+        0x1c94ffc3,0x3a76e689 },
+      { 0x7d7b0d0f,0x9aace8a4,0x8f584a5f,0x963ace96,0x4e697fbe,0x51a30c72,
+        0x465e6464,0x8212a10a } },
+    /* 143 */
+    { { 0xcfab8caa,0xef7c61c3,0x0e142390,0x18eb8e84,0x7e9733ca,0xcd1dff67,
+        0x599cb164,0xaa7cab71 },
+      { 0xbc837bd1,0x02fc9273,0xc36af5d7,0xc06407d0,0xf423da49,0x17621292,
+        0xfe0617c3,0x40e38073 } },
+    /* 144 */
+    { { 0xa7bf9b7c,0xf4f80824,0x3fbe30d0,0x365d2320,0x97cf9ce3,0xbfbe5320,
+        0xb3055526,0xe3604700 },
+      { 0x6cc6c2c7,0x4dcb9911,0xba4cbee6,0x72683708,0x637ad9ec,0xdcded434,
+        0xa3dee15f,0x6542d677 } },
+    /* 145 */
+    { { 0x7b6c377a,0x3f32b6d0,0x903448be,0x6cb03847,0x20da8af7,0xd6fdd3a8,
+        0x09bb6f21,0xa6534aee },
+      { 0x1035facf,0x30a1780d,0x9dcb47e6,0x35e55a33,0xc447f393,0x6ea50fe1,
+        0xdc9aef22,0xf3cb672f } },
+    /* 146 */
+    { { 0x3b55fd83,0xeb3719fe,0x875ddd10,0xe0d7a46c,0x05cea784,0x33ac9fa9,
+        0xaae870e7,0x7cafaa2e },
+      { 0x1d53b338,0x9b814d04,0xef87e6c6,0xe0acc0a0,0x11672b0f,0xfb93d108,
+        0xb9bd522e,0x0aab13c1 } },
+    /* 147 */
+    { { 0xd2681297,0xddcce278,0xb509546a,0xcb350eb1,0x7661aaf2,0x2dc43173,
+        0x847012e9,0x4b91a602 },
+      { 0x72f8ddcf,0xdcff1095,0x9a911af4,0x08ebf61e,0xc372430e,0x48f4360a,
+        0x72321cab,0x49534c53 } },
+    /* 148 */
+    { { 0xf07b7e9d,0x83df7d71,0x13cd516f,0xa478efa3,0x6c047ee3,0x78ef264b,
+        0xd65ac5ee,0xcaf46c4f },
+      { 0x92aa8266,0xa04d0c77,0x913684bb,0xedf45466,0xae4b16b0,0x56e65168,
+        0x04c6770f,0x14ce9e57 } },
+    /* 149 */
+    { { 0x965e8f91,0x99445e3e,0xcb0f2492,0xd3aca1ba,0x90c8a0a0,0xd31cc70f,
+        0x3e4c9a71,0x1bb708a5 },
+      { 0x558bdd7a,0xd5ca9e69,0x018a26b1,0x734a0508,0x4c9cf1ec,0xb093aa71,
+        0xda300102,0xf9d126f2 } },
+    /* 150 */
+    { { 0xaff9563e,0x749bca7a,0xb49914a0,0xdd077afe,0xbf5f1671,0xe27a0311,
+        0x729ecc69,0x807afcb9 },
+      { 0xc9b08b77,0x7f8a9337,0x443c7e38,0x86c3a785,0x476fd8ba,0x85fafa59,
+        0x6568cd8c,0x751adcd1 } },
+    /* 151 */
+    { { 0x10715c0d,0x8aea38b4,0x8f7697f7,0xd113ea71,0x93fbf06d,0x665eab14,
+        0x2537743f,0x29ec4468 },
+      { 0xb50bebbc,0x3d94719c,0xe4505422,0x399ee5bf,0x8d2dedb1,0x90cd5b3a,
+        0x92a4077d,0xff9370e3 } },
+    /* 152 */
+    { { 0xc6b75b65,0x59a2d69b,0x266651c5,0x4188f8d5,0x3de9d7d2,0x28a9f33e,
+        0xa2a9d01a,0x9776478b },
+      { 0x929af2c7,0x8852622d,0x4e690923,0x334f5d6d,0xa89a51e9,0xce6cc7e5,
+        0xac2f82fa,0x74a6313f } },
+    /* 153 */
+    { { 0xb75f079c,0xb2f4dfdd,0x18e36fbb,0x85b07c95,0xe7cd36dd,0x1b6cfcf0,
+        0x0ff4863d,0xab75be15 },
+      { 0x173fc9b7,0x81b367c0,0xd2594fd0,0xb90a7420,0xc4091236,0x15fdbf03,
+        0x0b4459f6,0x4ebeac2e } },
+    /* 154 */
+    { { 0x5c9f2c53,0xeb6c5fe7,0x8eae9411,0xd2522011,0xf95ac5d8,0xc8887633,
+        0x2c1baffc,0xdf99887b },
+      { 0x850aaecb,0xbb78eed2,0x01d6a272,0x9d49181b,0xb1cdbcac,0x978dd511,
+        0x779f4058,0x27b040a7 } },
+    /* 155 */
+    { { 0xf73b2eb2,0x90405db7,0x8e1b2118,0xe0df8508,0x5962327e,0x501b7152,
+        0xe4cfa3f5,0xb393dd37 },
+      { 0x3fd75165,0xa1230e7b,0xbcd33554,0xd66344c2,0x0f7b5022,0x6c36f1be,
+        0xd0463419,0x09588c12 } },
+    /* 156 */
+    { { 0x02601c3b,0xe086093f,0xcf5c335f,0xfb0252f8,0x894aff28,0x955cf280,
+        0xdb9f648b,0x81c879a9 },
+      { 0xc6f56c51,0x040e687c,0x3f17618c,0xfed47169,0x9059353b,0x44f88a41,
+        0x5fc11bc4,0xfa0d48f5 } },
+    /* 157 */
+    { { 0xe1608e4d,0xbc6e1c9d,0x3582822c,0x010dda11,0x157ec2d7,0xf6b7ddc1,
+        0xb6a367d6,0x8ea0e156 },
+      { 0x2383b3b4,0xa354e02f,0x3f01f53c,0x69966b94,0x2de03ca5,0x4ff6632b,
+        0xfa00b5ac,0x3f5ab924 } },
+    /* 158 */
+    { { 0x59739efb,0x337bb0d9,0xe7ebec0d,0xc751b0f4,0x411a67d1,0x2da52dd6,
+        0x2b74256e,0x8bc76887 },
+      { 0x82d3d253,0xa5be3b72,0xf58d779f,0xa9f679a1,0xe16767bb,0xa1cac168,
+        0x60fcf34f,0xb386f190 } },
+    /* 159 */
+    { { 0x2fedcfc2,0x31f3c135,0x62f8af0d,0x5396bf62,0xe57288c2,0x9a02b4ea,
+        0x1b069c4d,0x4cb460f7 },
+      { 0x5b8095ea,0xae67b4d3,0x6fc07603,0x92bbf859,0xb614a165,0xe1475f66,
+        0x95ef5223,0x52c0d508 } },
+    /* 160 */
+    { { 0x15339848,0x231c210e,0x70778c8d,0xe87a28e8,0x6956e170,0x9d1de661,
+        0x2bb09c0b,0x4ac3c938 },
+      { 0x6998987d,0x19be0551,0xae09f4d6,0x8b2376c4,0x1a3f933d,0x1de0b765,
+        0xe39705f4,0x380d94c7 } },
+    /* 161 */
+    { { 0x81542e75,0x01a355aa,0xee01b9b7,0x96c724a1,0x624d7087,0x6b3a2977,
+        0xde2637af,0x2ce3e171 },
+      { 0xf5d5bc1a,0xcfefeb49,0x2777e2b5,0xa655607e,0x9513756c,0x4feaac2f,
+        0x0b624e4d,0x2e6cd852 } },
+    /* 162 */
+    { { 0x8c31c31d,0x3685954b,0x5bf21a0c,0x68533d00,0x75c79ec9,0x0bd7626e,
+        0x42c69d54,0xca177547 },
+      { 0xf6d2dbb2,0xcc6edaff,0x174a9d18,0xfd0d8cbd,0xaa4578e8,0x875e8793,
+        0x9cab2ce6,0xa976a713 } },
+    /* 163 */
+    { { 0x93fb353d,0x0a651f1b,0x57fcfa72,0xd75cab8b,0x31b15281,0xaa88cfa7,
+        0x0a1f4999,0x8720a717 },
+      { 0x693e1b90,0x8c3e8d37,0x16f6dfc3,0xd345dc0b,0xb52a8742,0x8ea8d00a,
+        0xc769893c,0x9719ef29 } },
+    /* 164 */
+    { { 0x58e35909,0x820eed8d,0x33ddc116,0x9366d8dc,0x6e205026,0xd7f999d0,
+        0xe15704c1,0xa5072976 },
+      { 0xc4e70b2e,0x002a37ea,0x6890aa8a,0x84dcf657,0x645b2a5c,0xcd71bf18,
+        0xf7b77725,0x99389c9d } },
+    /* 165 */
+    { { 0x7ada7a4b,0x238c08f2,0xfd389366,0x3abe9d03,0x766f512c,0x6b672e89,
+        0x202c82e4,0xa88806aa },
+      { 0xd380184e,0x6602044a,0x126a8b85,0xa8cb78c4,0xad844f17,0x79d670c0,
+        0x4738dcfe,0x0043bffb } },
+    /* 166 */
+    { { 0x36d5192e,0x8d59b5dc,0x4590b2af,0xacf885d3,0x11601781,0x83566d0a,
+        0xba6c4866,0x52f3ef01 },
+      { 0x0edcb64d,0x3986732a,0x8068379f,0x0a482c23,0x7040f309,0x16cbe5fa,
+        0x9ef27e75,0x3296bd89 } },
+    /* 167 */
+    { { 0x454d81d7,0x476aba89,0x51eb9b3c,0x9eade7ef,0x81c57986,0x619a21cd,
+        0xaee571e9,0x3b90febf },
+      { 0x5496f7cb,0x9393023e,0x7fb51bc4,0x55be41d8,0x99beb5ce,0x03f1dd48,
+        0x9f810b18,0x6e88069d } },
+    /* 168 */
+    { { 0xb43ea1db,0xce37ab11,0x5259d292,0x0a7ff1a9,0x8f84f186,0x851b0221,
+        0xdefaad13,0xa7222bea },
+      { 0x2b0a9144,0xa2ac78ec,0xf2fa59c5,0x5a024051,0x6147ce38,0x91d1eca5,
+        0xbc2ac690,0xbe94d523 } },
+    /* 169 */
+    { { 0x0b226ce7,0x72f4945e,0x967e8b70,0xb8afd747,0x85a6c63e,0xedea46f1,
+        0x9be8c766,0x7782defe },
+      { 0x3db38626,0x760d2aa4,0x76f67ad1,0x460ae787,0x54499cdb,0x341b86fc,
+        0xa2892e4b,0x03838567 } },
+    /* 170 */
+    { { 0x79ec1a0f,0x2d8daefd,0xceb39c97,0x3bbcd6fd,0x58f61a95,0xf5575ffc,
+        0xadf7b420,0xdbd986c4 },
+      { 0x15f39eb7,0x81aa8814,0xb98d976c,0x6ee2fcf5,0xcf2f717d,0x5465475d,
+        0x6860bbd0,0x8e24d3c4 } },
+    /* 171 */
+    { { 0x9a587390,0x749d8e54,0x0cbec588,0x12bb194f,0xb25983c6,0x46e07da4,
+        0x407bafc8,0x541a99c4 },
+      { 0x624c8842,0xdb241692,0xd86c05ff,0x6044c12a,0x4f7fcf62,0xc59d14b4,
+        0xf57d35d1,0xc0092c49 } },
+    /* 172 */
+    { { 0xdf2e61ef,0xd3cc75c3,0x2e1b35ca,0x7e8841c8,0x909f29f4,0xc62d30d1,
+        0x7286944d,0x75e40634 },
+      { 0xbbc237d0,0xe7d41fc5,0xec4f01c9,0xc9537bf0,0x282bd534,0x91c51a16,
+        0xc7848586,0x5b7cb658 } },
+    /* 173 */
+    { { 0x8a28ead1,0x964a7084,0xfd3b47f6,0x802dc508,0x767e5b39,0x9ae4bfd1,
+        0x8df097a1,0x7ae13eba },
+      { 0xeadd384e,0xfd216ef8,0xb6b2ff06,0x0361a2d9,0x4bcdb5f3,0x204b9878,
+        0xe2a8e3fd,0x787d8074 } },
+    /* 174 */
+    { { 0x757fbb1c,0xc5e25d6b,0xca201deb,0xe47bddb2,0x6d2233ff,0x4a55e9a3,
+        0x9ef28484,0x5c222819 },
+      { 0x88315250,0x773d4a85,0x827097c1,0x21b21a2b,0xdef5d33f,0xab7c4ea1,
+        0xbaf0f2b0,0xe45d37ab } },
+    /* 175 */
+    { { 0x28511c8a,0xd2df1e34,0xbdca6cd3,0xebb229c8,0x627c39a7,0x578a71a7,
+        0x84dfb9d3,0xed7bc122 },
+      { 0x93dea561,0xcf22a6df,0xd48f0ed1,0x5443f18d,0x5bad23e8,0xd8b86140,
+        0x45ca6d27,0xaac97cc9 } },
+    /* 176 */
+    { { 0xa16bd00a,0xeb54ea74,0xf5c0bcc1,0xd839e9ad,0x1f9bfc06,0x092bb7f1,
+        0x1163dc4e,0x318f97b3 },
+      { 0xc30d7138,0xecc0c5be,0xabc30220,0x44e8df23,0xb0223606,0x2bb7972f,
+        0x9a84ff4d,0xfa41faa1 } },
+    /* 177 */
+    { { 0xa6642269,0x4402d974,0x9bb783bd,0xc81814ce,0x7941e60b,0x398d38e4,
+        0x1d26e9e2,0x38bb6b2c },
+      { 0x6a577f87,0xc64e4a25,0xdc11fe1c,0x8b52d253,0x62280728,0xff336abf,
+        0xce7601a5,0x94dd0905 } },
+    /* 178 */
+    { { 0xde93f92a,0x156cf7dc,0x89b5f315,0xa01333cb,0xc995e750,0x02404df9,
+        0xd25c2ae9,0x92077867 },
+      { 0x0bf39d44,0xe2471e01,0x96bb53d7,0x5f2c9020,0x5c9c3d8f,0x4c44b7b3,
+        0xd29beb51,0x81e8428b } },
+    /* 179 */
+    { { 0xc477199f,0x6dd9c2ba,0x6b5ecdd9,0x8cb8eeee,0xee40fd0e,0x8af7db3f,
+        0xdbbfa4b1,0x1b94ab62 },
+      { 0xce47f143,0x44f0d8b3,0x63f46163,0x51e623fc,0xcc599383,0xf18f270f,
+        0x055590ee,0x06a38e28 } },
+    /* 180 */
+    { { 0xb3355b49,0x2e5b0139,0xb4ebf99b,0x20e26560,0xd269f3dc,0xc08ffa6b,
+        0x83d9d4f8,0xa7b36c20 },
+      { 0x1b3e8830,0x64d15c3a,0xa89f9c0b,0xd5fceae1,0xe2d16930,0xcfeee4a2,
+        0xa2822a20,0xbe54c6b4 } },
+    /* 181 */
+    { { 0x8d91167c,0xd6cdb3df,0xe7a6625e,0x517c3f79,0x346ac7f4,0x7105648f,
+        0xeae022bb,0xbf30a5ab },
+      { 0x93828a68,0x8e7785be,0x7f3ef036,0x5161c332,0x592146b2,0xe11b5feb,
+        0x2732d13a,0xd1c820de } },
+    /* 182 */
+    { { 0x9038b363,0x043e1347,0x6b05e519,0x58c11f54,0x6026cad1,0x4fe57abe,
+        0x68a18da3,0xb7d17bed },
+      { 0xe29c2559,0x44ca5891,0x5bfffd84,0x4f7a0376,0x74e46948,0x498de4af,
+        0x6412cc64,0x3997fd5e } },
+    /* 183 */
+    { { 0x8bd61507,0xf2074682,0x34a64d2a,0x29e132d5,0x8a8a15e3,0xffeddfb0,
+        0x3c6c13e8,0x0eeb8929 },
+      { 0xa7e259f8,0xe9b69a3e,0xd13e7e67,0xce1db7e6,0xad1fa685,0x277318f6,
+        0xc922b6ef,0x228916f8 } },
+    /* 184 */
+    { { 0x0a12ab5b,0x959ae25b,0x957bc136,0xcc11171f,0xd16e2b0c,0x8058429e,
+        0x6e93097e,0xec05ad1d },
+      { 0xac3f3708,0x157ba5be,0x30b59d77,0x31baf935,0x118234e5,0x47b55237,
+        0x7ff11b37,0x7d314156 } },
+    /* 185 */
+    { { 0xf6dfefab,0x7bd9c05c,0xdcb37707,0xbe2f2268,0x3a38bb95,0xe53ead97,
+        0x9bc1d7a3,0xe9ce66fc },
+      { 0x6f6a02a1,0x75aa1576,0x60e600ed,0x38c087df,0x68cdc1b9,0xf8947f34,
+        0x72280651,0xd9650b01 } },
+    /* 186 */
+    { { 0x5a057e60,0x504b4c4a,0x8def25e4,0xcbccc3be,0x17c1ccbd,0xa6353208,
+        0x804eb7a2,0x14d6699a },
+      { 0xdb1f411a,0x2c8a8415,0xf80d769c,0x09fbaf0b,0x1c2f77ad,0xb4deef90,
+        0x0d43598a,0x6f4c6841 } },
+    /* 187 */
+    { { 0x96c24a96,0x8726df4e,0xfcbd99a3,0x534dbc85,0x8b2ae30a,0x3c466ef2,
+        0x61189abb,0x4c4350fd },
+      { 0xf855b8da,0x2967f716,0x463c38a1,0x41a42394,0xeae93343,0xc37e1413,
+        0x5a3118b5,0xa726d242 } },
+    /* 188 */
+    { { 0x948c1086,0xdae6b3ee,0xcbd3a2e1,0xf1de503d,0x03d022f3,0x3f35ed3f,
+        0xcc6cf392,0x13639e82 },
+      { 0xcdafaa86,0x9ac938fb,0x2654a258,0xf45bc5fb,0x45051329,0x1963b26e,
+        0xc1a335a3,0xca9365e1 } },
+    /* 189 */
+    { { 0x4c3b2d20,0x3615ac75,0x904e241b,0x742a5417,0xcc9d071d,0xb08521c4,
+        0x970b72a5,0x9ce29c34 },
+      { 0x6d3e0ad6,0x8cc81f73,0xf2f8434c,0x8060da9e,0x6ce862d9,0x35ed1d1a,
+        0xab42af98,0x48c4abd7 } },
+    /* 190 */
+    { { 0x40c7485a,0xd221b0cc,0xe5274dbf,0xead455bb,0x9263d2e8,0x493c7698,
+        0xf67b33cb,0x78017c32 },
+      { 0x930cb5ee,0xb9d35769,0x0c408ed2,0xc0d14e94,0x272f1a4d,0xf8b7bf55,
+        0xde5c1c04,0x53cd0454 } },
+    /* 191 */
+    { { 0x5d28ccac,0xbcd585fa,0x005b746e,0x5f823e56,0xcd0123aa,0x7c79f0a1,
+        0xd3d7fa8f,0xeea465c1 },
+      { 0x0551803b,0x7810659f,0x7ce6af70,0x6c0b599f,0x29288e70,0x4195a770,
+        0x7ae69193,0x1b6e42a4 } },
+    /* 192 */
+    { { 0xf67d04c3,0x2e80937c,0x89eeb811,0x1e312be2,0x92594d60,0x56b5d887,
+        0x187fbd3d,0x0224da14 },
+      { 0x0c5fe36f,0x87abb863,0x4ef51f5f,0x580f3c60,0xb3b429ec,0x964fb1bf,
+        0x42bfff33,0x60838ef0 } },
+    /* 193 */
+    { { 0x7e0bbe99,0x432cb2f2,0x04aa39ee,0x7bda44f3,0x9fa93903,0x5f497c7a,
+        0x2d331643,0x636eb202 },
+      { 0x93ae00aa,0xfcfd0e61,0x31ae6d2f,0x875a00fe,0x9f93901c,0xf43658a2,
+        0x39218bac,0x8844eeb6 } },
+    /* 194 */
+    { { 0x6b3bae58,0x114171d2,0x17e39f3e,0x7db3df71,0x81a8eada,0xcd37bc7f,
+        0x51fb789e,0x27ba83dc },
+      { 0xfbf54de5,0xa7df439f,0xb5fe1a71,0x7277030b,0xdb297a48,0x42ee8e35,
+        0x87f3a4ab,0xadb62d34 } },
+    /* 195 */
+    { { 0xa175df2a,0x9b1168a2,0x618c32e9,0x082aa04f,0x146b0916,0xc9e4f2e7,
+        0x75e7c8b2,0xb990fd76 },
+      { 0x4df37313,0x0829d96b,0xd0b40789,0x1c205579,0x78087711,0x66c9ae4a,
+        0x4d10d18d,0x81707ef9 } },
+    /* 196 */
+    { { 0x03d6ff96,0x97d7cab2,0x0d843360,0x5b851bfc,0xd042db4b,0x268823c4,
+        0xd5a8aa5c,0x3792daea },
+      { 0x941afa0b,0x52818865,0x42d83671,0xf3e9e741,0x5be4e0a7,0x17c82527,
+        0x94b001ba,0x5abd635e } },
+    /* 197 */
+    { { 0x0ac4927c,0x727fa84e,0xa7c8cf23,0xe3886035,0x4adca0df,0xa4bcd5ea,
+        0x846ab610,0x5995bf21 },
+      { 0x829dfa33,0xe90f860b,0x958fc18b,0xcaafe2ae,0x78630366,0x9b3baf44,
+        0xd483411e,0x44c32ca2 } },
+    /* 198 */
+    { { 0xe40ed80c,0xa74a97f1,0x31d2ca82,0x5f938cb1,0x7c2d6ad9,0x53f2124b,
+        0x8082a54c,0x1f2162fb },
+      { 0x720b173e,0x7e467cc5,0x085f12f9,0x40e8a666,0x4c9d65dc,0x8cebc20e,
+        0xc3e907c9,0x8f1d402b } },
+    /* 199 */
+    { { 0xfbc4058a,0x4f592f9c,0x292f5670,0xb15e14b6,0xbc1d8c57,0xc55cfe37,
+        0x926edbf9,0xb1980f43 },
+      { 0x32c76b09,0x98c33e09,0x33b07f78,0x1df5279d,0x863bb461,0x6f08ead4,
+        0x37448e45,0x2828ad9b } },
+    /* 200 */
+    { { 0xc4cf4ac5,0x696722c4,0xdde64afb,0xf5ac1a3f,0xe0890832,0x0551baa2,
+        0x5a14b390,0x4973f127 },
+      { 0x322eac5d,0xe59d8335,0x0bd9b568,0x5e07eef5,0xa2588393,0xab36720f,
+        0xdb168ac7,0x6dac8ed0 } },
+    /* 201 */
+    { { 0xeda835ef,0xf7b545ae,0x1d10ed51,0x4aa113d2,0x13741b09,0x035a65e0,
+        0x20b9de4c,0x4b23ef59 },
+      { 0x3c4c7341,0xe82bb680,0x3f58bc37,0xd457706d,0xa51e3ee8,0x73527863,
+        0xddf49a4e,0x4dd71534 } },
+    /* 202 */
+    { { 0x95476cd9,0xbf944672,0xe31a725b,0x648d072f,0xfc4b67e0,0x1441c8b8,
+        0x2f4a4dbb,0xfd317000 },
+      { 0x8995d0e1,0x1cb43ff4,0x0ef729aa,0x76e695d1,0x41798982,0xe0d5f976,
+        0x9569f365,0x14fac58c } },
+    /* 203 */
+    { { 0xf312ae18,0xad9a0065,0xfcc93fc9,0x51958dc0,0x8a7d2846,0xd9a14240,
+        0x36abda50,0xed7c7651 },
+      { 0x25d4abbc,0x46270f1a,0xf1a113ea,0x9b5dd8f3,0x5b51952f,0xc609b075,
+        0x4d2e9f53,0xfefcb7f7 } },
+    /* 204 */
+    { { 0xba119185,0xbd09497a,0xaac45ba4,0xd54e8c30,0xaa521179,0x492479de,
+        0x87e0d80b,0x1801a57e },
+      { 0xfcafffb0,0x073d3f8d,0xae255240,0x6cf33c0b,0x5b5fdfbc,0x781d763b,
+        0x1ead1064,0x9f8fc11e } },
+    /* 205 */
+    { { 0x5e69544c,0x1583a171,0xf04b7813,0x0eaf8567,0x278a4c32,0x1e22a8fd,
+        0x3d3a69a9,0xa9d3809d },
+      { 0x59a2da3b,0x936c2c2c,0x1895c847,0x38ccbcf6,0x63d50869,0x5e65244e,
+        0xe1178ef7,0x3006b9ae } },
+    /* 206 */
+    { { 0xc9eead28,0x0bb1f2b0,0x89f4dfbc,0x7eef635d,0xb2ce8939,0x074757fd,
+        0x45f8f761,0x0ab85fd7 },
+      { 0x3e5b4549,0xecda7c93,0x97922f21,0x4be2bb5c,0xb43b8040,0x261a1274,
+        0x11e942c2,0xb122d675 } },
+    /* 207 */
+    { { 0x66a5ae7a,0x3be607be,0x76adcbe3,0x01e703fa,0x4eb6e5c5,0xaf904301,
+        0x097dbaec,0x9f599dc1 },
+      { 0x0ff250ed,0x6d75b718,0x349a20dc,0x8eb91574,0x10b227a3,0x425605a4,
+        0x8a294b78,0x7d5528e0 } },
+    /* 208 */
+    { { 0x20c26def,0xf0f58f66,0x582b2d1e,0x025585ea,0x01ce3881,0xfbe7d79b,
+        0x303f1730,0x28ccea01 },
+      { 0x79644ba5,0xd1dabcd1,0x06fff0b8,0x1fc643e8,0x66b3e17b,0xa60a76fc,
+        0xa1d013bf,0xc18baf48 } },
+    /* 209 */
+    { { 0x5dc4216d,0x34e638c8,0x206142ac,0x00c01067,0x95f5064a,0xd453a171,
+        0xb7a9596b,0x9def809d },
+      { 0x67ab8d2c,0x41e8642e,0x6237a2b6,0xb4240433,0x64c4218b,0x7d506a6d,
+        0x68808ce5,0x0357f8b0 } },
+    /* 210 */
+    { { 0x4cd2cc88,0x8e9dbe64,0xf0b8f39d,0xcc61c28d,0xcd30a0c8,0x4a309874,
+        0x1b489887,0xe4a01add },
+      { 0xf57cd8f9,0x2ed1eeac,0xbd594c48,0x1b767d3e,0x7bd2f787,0xa7295c71,
+        0xce10cc30,0x466d7d79 } },
+    /* 211 */
+    { { 0x9dada2c7,0x47d31892,0x8f9aa27d,0x4fa0a6c3,0x820a59e1,0x90e4fd28,
+        0x451ead1a,0xc672a522 },
+      { 0x5d86b655,0x30607cc8,0xf9ad4af1,0xf0235d3b,0x571172a6,0x99a08680,
+        0xf2a67513,0x5e3d64fa } },
+    /* 212 */
+    { { 0x9b3b4416,0xaa6410c7,0xeab26d99,0xcd8fcf85,0xdb656a74,0x5ebff74a,
+        0xeb8e42fc,0x6c8a7a95 },
+      { 0xb02a63bd,0x10c60ba7,0x8b8f0047,0x6b2f2303,0x312d90b0,0x8c6c3738,
+        0xad82ca91,0x348ae422 } },
+    /* 213 */
+    { { 0x5ccda2fb,0x7f474663,0x8e0726d2,0x22accaa1,0x492b1f20,0x85adf782,
+        0xd9ef2d2e,0xc1074de0 },
+      { 0xae9a65b3,0xfcf3ce44,0x05d7151b,0xfd71e4ac,0xce6a9788,0xd4711f50,
+        0xc9e54ffc,0xfbadfbdb } },
+    /* 214 */
+    { { 0x20a99363,0x1713f1cd,0x6cf22775,0xb915658f,0x24d359b2,0x968175cd,
+        0x83716fcd,0xb7f976b4 },
+      { 0x5d6dbf74,0x5758e24d,0x71c3af36,0x8d23bafd,0x0243dfe3,0x48f47760,
+        0xcafcc805,0xf4d41b2e } },
+    /* 215 */
+    { { 0xfdabd48d,0x51f1cf28,0x32c078a4,0xce81be36,0x117146e9,0x6ace2974,
+        0xe0160f10,0x180824ea },
+      { 0x66e58358,0x0387698b,0xce6ca358,0x63568752,0x5e41e6c5,0x82380e34,
+        0x83cf6d25,0x67e5f639 } },
+    /* 216 */
+    { { 0xcf4899ef,0xf89ccb8d,0x9ebb44c0,0x949015f0,0xb2598ec9,0x546f9276,
+        0x04c11fc6,0x9fef789a },
+      { 0x53d2a071,0x6d367ecf,0xa4519b09,0xb10e1a7f,0x611e2eef,0xca6b3fb0,
+        0xa99c4e20,0xbc80c181 } },
+    /* 217 */
+    { { 0xe5eb82e6,0x972536f8,0xf56cb920,0x1a484fc7,0x50b5da5e,0xc78e2171,
+        0x9f8cdf10,0x49270e62 },
+      { 0xea6b50ad,0x1a39b7bb,0xa2388ffc,0x9a0284c1,0x8107197b,0x5403eb17,
+        0x61372f7f,0xd2ee52f9 } },
+    /* 218 */
+    { { 0x88e0362a,0xd37cd285,0x8fa5d94d,0x442fa8a7,0xa434a526,0xaff836e5,
+        0xe5abb733,0xdfb478be },
+      { 0x673eede6,0xa91f1ce7,0x2b5b2f04,0xa5390ad4,0x5530da2f,0x5e66f7bf,
+        0x08df473a,0xd9a140b4 } },
+    /* 219 */
+    { { 0x6e8ea498,0x0e0221b5,0x3563ee09,0x62347829,0x335d2ade,0xe06b8391,
+        0x623f4b1a,0x760c058d },
+      { 0xc198aa79,0x0b89b58c,0xf07aba7f,0xf74890d2,0xfde2556a,0x4e204110,
+        0x8f190409,0x7141982d } },
+    /* 220 */
+    { { 0x4d4b0f45,0x6f0a0e33,0x392a94e1,0xd9280b38,0xb3c61d5e,0x3af324c6,
+        0x89d54e47,0x3af9d1ce },
+      { 0x20930371,0xfd8f7981,0x21c17097,0xeda2664c,0xdc42309b,0x0e9545dc,
+        0x73957dd6,0xb1f815c3 } },
+    /* 221 */
+    { { 0x89fec44a,0x84faa78e,0x3caa4caf,0xc8c2ae47,0xc1b6a624,0x691c807d,
+        0x1543f052,0xa41aed14 },
+      { 0x7d5ffe04,0x42435399,0x625b6e20,0x8bacb2df,0x87817775,0x85d660be,
+        0x86fb60ef,0xd6e9c1dd } },
+    /* 222 */
+    { { 0xc6853264,0x3aa2e97e,0xe2304a0b,0x771533b7,0xb8eae9be,0x1b912bb7,
+        0xae9bf8c2,0x9c9c6e10 },
+      { 0xe030b74c,0xa2309a59,0x6a631e90,0x4ed7494d,0xa49b79f2,0x89f44b23,
+        0x40fa61b6,0x566bd596 } },
+    /* 223 */
+    { { 0xc18061f3,0x066c0118,0x7c83fc70,0x190b25d3,0x27273245,0xf05fc8e0,
+        0xf525345e,0xcf2c7390 },
+      { 0x10eb30cf,0xa09bceb4,0x0d77703a,0xcfd2ebba,0x150ff255,0xe842c43a,
+        0x8aa20979,0x02f51755 } },
+    /* 224 */
+    { { 0xaddb7d07,0x396ef794,0x24455500,0x0b4fc742,0xc78aa3ce,0xfaff8eac,
+        0xe8d4d97d,0x14e9ada5 },
+      { 0x2f7079e2,0xdaa480a1,0xe4b0800e,0x45baa3cd,0x7838157d,0x01765e2d,
+        0x8e9d9ae8,0xa0ad4fab } },
+    /* 225 */
+    { { 0x4a653618,0x0bfb7621,0x31eaaa5f,0x1872813c,0x44949d5e,0x1553e737,
+        0x6e56ed1e,0xbcd530b8 },
+      { 0x32e9c47b,0x169be853,0xb50059ab,0xdc2776fe,0x192bfbb4,0xcdba9761,
+        0x6979341d,0x909283cf } },
+    /* 226 */
+    { { 0x76e81a13,0x67b00324,0x62171239,0x9bee1a99,0xd32e19d6,0x08ed361b,
+        0xace1549a,0x35eeb7c9 },
+      { 0x7e4e5bdc,0x1280ae5a,0xb6ceec6e,0x2dcd2cd3,0x6e266bc1,0x52e4224c,
+        0x448ae864,0x9a8b2cf4 } },
+    /* 227 */
+    { { 0x09d03b59,0xf6471bf2,0xb65af2ab,0xc90e62a3,0xebd5eec9,0xff7ff168,
+        0xd4491379,0x6bdb60f4 },
+      { 0x8a55bc30,0xdadafebc,0x10097fe0,0xc79ead16,0x4c1e3bdd,0x42e19741,
+        0x94ba08a9,0x01ec3cfd } },
+    /* 228 */
+    { { 0xdc9485c2,0xba6277eb,0x22fb10c7,0x48cc9a79,0x70a28d8a,0x4f61d60f,
+        0x475464f6,0xd1acb1c0 },
+      { 0x26f36612,0xd26902b1,0xe0618d8b,0x59c3a44e,0x308357ee,0x4df8a813,
+        0x405626c2,0x7dcd079d } },
+    /* 229 */
+    { { 0xf05a4b48,0x5ce7d4d3,0x37230772,0xadcd2952,0x812a915a,0xd18f7971,
+        0x377d19b8,0x0bf53589 },
+      { 0x6c68ea73,0x35ecd95a,0x823a584d,0xc7f3bbca,0xf473a723,0x9fb674c6,
+        0xe16686fc,0xd28be4d9 } },
+    /* 230 */
+    { { 0x38fa8e4b,0x5d2b9906,0x893fd8fc,0x559f186e,0x436fb6fc,0x3a6de2aa,
+        0x510f88ce,0xd76007aa },
+      { 0x523a4988,0x2d10aab6,0x74dd0273,0xb455cf44,0xa3407278,0x7f467082,
+        0xb303bb01,0xf2b52f68 } },
+    /* 231 */
+    { { 0x9835b4ca,0x0d57eafa,0xbb669cbc,0x2d2232fc,0xc6643198,0x8eeeb680,
+        0xcc5aed3a,0xd8dbe98e },
+      { 0xc5a02709,0xcba9be3f,0xf5ba1fa8,0x30be68e5,0xf10ea852,0xfebd43cd,
+        0xee559705,0xe01593a3 } },
+    /* 232 */
+    { { 0xea75a0a6,0xd3e5af50,0x57858033,0x512226ac,0xd0176406,0x6fe6d50f,
+        0xaeb8ef06,0xafec07b1 },
+      { 0x80bb0a31,0x7fb99567,0x37309aae,0x6f1af3cc,0x01abf389,0x9153a15a,
+        0x6e2dbfdd,0xa71b9354 } },
+    /* 233 */
+    { { 0x18f593d2,0xbf8e12e0,0xa078122b,0xd1a90428,0x0ba4f2ad,0x150505db,
+        0x628523d9,0x53a2005c },
+      { 0xe7f2b935,0x07c8b639,0xc182961a,0x2bff975a,0x7518ca2c,0x86bceea7,
+        0x3d588e3d,0xbf47d19b } },
+    /* 234 */
+    { { 0xdd7665d5,0x672967a7,0x2f2f4de5,0x4e303057,0x80d4903f,0x144005ae,
+        0x39c9a1b6,0x001c2c7f },
+      { 0x69efc6d6,0x143a8014,0x7bc7a724,0xc810bdaa,0xa78150a4,0x5f65670b,
+        0x86ffb99b,0xfdadf8e7 } },
+    /* 235 */
+    { { 0xffc00785,0xfd38cb88,0x3b48eb67,0x77fa7591,0xbf368fbc,0x0454d055,
+        0x5aa43c94,0x3a838e4d },
+      { 0x3e97bb9a,0x56166329,0x441d94d9,0x9eb93363,0x0adb2a83,0x515591a6,
+        0x873e1da3,0x3cdb8257 } },
+    /* 236 */
+    { { 0x7de77eab,0x137140a9,0x41648109,0xf7e1c50d,0xceb1d0df,0x762dcad2,
+        0xf1f57fba,0x5a60cc89 },
+      { 0x40d45673,0x80b36382,0x5913c655,0x1b82be19,0xdd64b741,0x057284b8,
+        0xdbfd8fc0,0x922ff56f } },
+    /* 237 */
+    { { 0xc9a129a1,0x1b265dee,0xcc284e04,0xa5b1ce57,0xcebfbe3c,0x04380c46,
+        0xf6c5cd62,0x72919a7d },
+      { 0x8fb90f9a,0x298f453a,0x88e4031b,0xd719c00b,0x796f1856,0xe32c0e77,
+        0x3624089a,0x5e791780 } },
+    /* 238 */
+    { { 0x7f63cdfb,0x5c16ec55,0xf1cae4fd,0x8e6a3571,0x560597ca,0xfce26bea,
+        0xe24c2fab,0x4e0a5371 },
+      { 0xa5765357,0x276a40d3,0x0d73a2b4,0x3c89af44,0x41d11a32,0xb8f370ae,
+        0xd56604ee,0xf5ff7818 } },
+    /* 239 */
+    { { 0x1a09df21,0xfbf3e3fe,0xe66e8e47,0x26d5d28e,0x29c89015,0x2096bd0a,
+        0x533f5e64,0xe41df0e9 },
+      { 0xb3ba9e3f,0x305fda40,0x2604d895,0xf2340ceb,0x7f0367c7,0x0866e192,
+        0xac4f155f,0x8edd7d6e } },
+    /* 240 */
+    { { 0x0bfc8ff3,0xc9a1dc0e,0xe936f42f,0x14efd82b,0xcca381ef,0x67016f7c,
+        0xed8aee96,0x1432c1ca },
+      { 0x70b23c26,0xec684829,0x0735b273,0xa64fe873,0xeaef0f5a,0xe389f6e5,
+        0x5ac8d2c6,0xcaef480b } },
+    /* 241 */
+    { { 0x75315922,0x5245c978,0x3063cca5,0xd8295171,0xb64ef2cb,0xf3ce60d0,
+        0x8efae236,0xd0ba177e },
+      { 0xb1b3af60,0x53a9ae8f,0x3d2da20e,0x1a796ae5,0xdf9eef28,0x01d63605,
+        0x1c54ae16,0xf31c957c } },
+    /* 242 */
+    { { 0x49cc4597,0xc0f58d52,0xbae0a028,0xdc5015b0,0x734a814a,0xefc5fc55,
+        0x96e17c3a,0x013404cb },
+      { 0xc9a824bf,0xb29e2585,0x001eaed7,0xd593185e,0x61ef68ac,0x8d6ee682,
+        0x91933e6c,0x6f377c4b } },
+    /* 243 */
+    { { 0xa8333fd2,0x9f93bad1,0x5a2a95b8,0xa8930202,0xeaf75ace,0x211e5037,
+        0xd2d09506,0x6dba3e4e },
+      { 0xd04399cd,0xa48ef98c,0xe6b73ade,0x1811c66e,0xc17ecaf3,0x72f60752,
+        0x3becf4a7,0xf13cf342 } },
+    /* 244 */
+    { { 0xa919e2eb,0xceeb9ec0,0xf62c0f68,0x83a9a195,0x7aba2299,0xcfba3bb6,
+        0x274bbad3,0xc83fa9a9 },
+      { 0x62fa1ce0,0x0d7d1b0b,0x3418efbf,0xe58b60f5,0x52706f04,0xbfa8ef9e,
+        0x5d702683,0xb49d70f4 } },
+    /* 245 */
+    { { 0xfad5513b,0x914c7510,0xb1751e2d,0x05f32eec,0xd9fb9d59,0x6d850418,
+        0x0c30f1cf,0x59cfadbb },
+      { 0x55cb7fd6,0xe167ac23,0x820426a3,0x249367b8,0x90a78864,0xeaeec58c,
+        0x354a4b67,0x5babf362 } },
+    /* 246 */
+    { { 0xee424865,0x37c981d1,0xf2e5577f,0x8b002878,0xb9e0c058,0x702970f1,
+        0x9026c8f0,0x6188c6a7 },
+      { 0xd0f244da,0x06f9a19b,0xfb080873,0x1ecced5c,0x9f213637,0x35470f9b,
+        0xdf50b9d9,0x993fe475 } },
+    /* 247 */
+    { { 0x9b2c3609,0x68e31cdf,0x2c46d4ea,0x84eb19c0,0x9a775101,0x7ac9ec1a,
+        0x4c80616b,0x81f76466 },
+      { 0x75fbe978,0x1d7c2a5a,0xf183b356,0x6743fed3,0x501dd2bf,0x838d1f04,
+        0x5fe9060d,0x564a812a } },
+    /* 248 */
+    { { 0xfa817d1d,0x7a5a64f4,0xbea82e0f,0x55f96844,0xcd57f9aa,0xb5ff5a0f,
+        0x00e51d6c,0x226bf3cf },
+      { 0x2f2833cf,0xd6d1a9f9,0x4f4f89a8,0x20a0a35a,0x8f3f7f77,0x11536c49,
+        0xff257836,0x68779f47 } },
+    /* 249 */
+    { { 0x73043d08,0x79b0c1c1,0x1fc020fa,0xa5446774,0x9a6d26d0,0xd3767e28,
+        0xeb092e0b,0x97bcb0d1 },
+      { 0xf32ed3c3,0x2ab6eaa8,0xb281bc48,0xc8a4f151,0xbfa178f3,0x4d1bf4f3,
+        0x0a784655,0xa872ffe8 } },
+    /* 250 */
+    { { 0xa32b2086,0xb1ab7935,0x8160f486,0xe1eb710e,0x3b6ae6be,0x9bd0cd91,
+        0xb732a36a,0x02812bfc },
+      { 0xcf605318,0xa63fd7ca,0xfdfd6d1d,0x646e5d50,0x2102d619,0xa1d68398,
+        0xfe5396af,0x07391cc9 } },
+    /* 251 */
+    { { 0x8b80d02b,0xc50157f0,0x62877f7f,0x6b8333d1,0x78d542ae,0x7aca1af8,
+        0x7e6d2a08,0x355d2adc },
+      { 0x287386e1,0xb41f335a,0xf8e43275,0xfd272a94,0xe79989ea,0x286ca2cd,
+        0x7c2a3a79,0x3dc2b1e3 } },
+    /* 252 */
+    { { 0x04581352,0xd689d21c,0x376782be,0x0a00c825,0x9fed701f,0x203bd590,
+        0x3ccd846b,0xc4786910 },
+      { 0x24c768ed,0x5dba7708,0x6841f657,0x72feea02,0x6accce0e,0x73313ed5,
+        0xd5bb4d32,0xccc42968 } },
+    /* 253 */
+    { { 0x3d7620b9,0x94e50de1,0x5992a56a,0xd89a5c8a,0x675487c9,0xdc007640,
+        0xaa4871cf,0xe147eb42 },
+      { 0xacf3ae46,0x274ab4ee,0x50350fbe,0xfd4936fb,0x48c840ea,0xdf2afe47,
+        0x080e96e3,0x239ac047 } },
+    /* 254 */
+    { { 0x2bfee8d4,0x481d1f35,0xfa7b0fec,0xce80b5cf,0x2ce9af3c,0x105c4c9e,
+        0xf5f7e59d,0xc55fa1a3 },
+      { 0x8257c227,0x3186f14e,0x342be00b,0xc5b1653f,0xaa904fb2,0x09afc998,
+        0xd4f4b699,0x094cd99c } },
+    /* 255 */
+    { { 0xd703beba,0x8a981c84,0x32ceb291,0x8631d150,0xe3bd49ec,0xa445f2c9,
+        0x42abad33,0xb90a30b6 },
+      { 0xb4a5abf9,0xb465404f,0x75db7603,0x004750c3,0xca35d89f,0x6f9a42cc,
+        0x1b7924f7,0x019f8b9a } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_8(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_8(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, km);
+
+            err = sp_256_ecc_mulmod_base_8(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_8(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_add_one_8(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r2, #1\n\t"
+        "ldr	r1, [%[a], #0]\n\t"
+        "adds	r1, r1, r2\n\t"
+        "mov	r2, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "ldr	r1, [%[a], #4]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #4]\n\t"
+        "ldr	r1, [%[a], #8]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #8]\n\t"
+        "ldr	r1, [%[a], #12]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "ldr	r1, [%[a], #20]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #20]\n\t"
+        "ldr	r1, [%[a], #24]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #24]\n\t"
+        "ldr	r1, [%[a], #28]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #28]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_8(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 8, buf, (int)sizeof(buf));
+            if (sp_256_cmp_8(k, p256_order2) < 0) {
+                sp_256_add_one_8(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_8(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_8(point->x) == 0) || (sp_256_iszero_8(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_8(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_8(infinity, 1, heap);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_256_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 256 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<8 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[8];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 8, priv);
+        sp_256_point_from_ecc_point_8(point, pub);
+            err = sp_256_ecc_mulmod_8(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_in_place_8(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #32\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_256_sub_in_place_8(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_256_mul_d_8(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #32\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_256_word_8(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_256_mask_8(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<8; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_div_8(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[16], t2[9];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[7];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 8);
+    for (i=7; i>=0; i--) {
+        r1 = div_256_word_8(t1[8 + i], t1[8 + i - 1], div);
+
+        sp_256_mul_d_8(t2, d, r1);
+        t1[8 + i] += sp_256_sub_in_place_8(&t1[i], t2);
+        t1[8 + i] -= t2[8];
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+        sp_256_mask_8(t2, d, t1[8 + i]);
+        t1[8 + i] += sp_256_add_8(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_256_cmp_8(t1, d) >= 0;
+    sp_256_cond_sub_8(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_mod_8(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_8(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint32_t p256_order_minus_2[8] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU,0xffffffffU,0xffffffffU,
+    0x00000000U,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint32_t p256_order_low[4] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_8(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_8(r, a, b);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_8(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_8(r, a);
+    sp_256_mont_reduce_order_8(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_8(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_8(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_8(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_8(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 8);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t, t);
+        if ((p256_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 8U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 8;
+    sp_digit* t3 = td + 4 * 8;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_8(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_8(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_8(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_8(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_8(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_8(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_8(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_8(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_8(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_8(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_8(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    sp_256_mont_mul_order_8(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_8(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_8(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_8(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_8(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*8];
+    sp_digit xd[2*8];
+    sp_digit kd[2*8];
+    sp_digit rd[2*8];
+    sp_digit td[3 * 2*8];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_256_point_new_8(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 8;
+        x = d + 2 * 8;
+        k = d + 4 * 8;
+        r = d + 6 * 8;
+        tmp = d + 8 * 8;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 8, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 8, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_8(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 8, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_256_ecc_mulmod_base_8(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 8U);
+            sp_256_norm_8(r);
+            c = sp_256_cmp_8(r, p256_order);
+            sp_256_cond_sub_8(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_256_mul_8(k, k, p256_norm_order);
+            err = sp_256_mod_8(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(k);
+            /* kInv = 1/k mod order */
+                sp_256_mont_inv_order_8(kInv, k, tmp);
+            sp_256_norm_8(kInv);
+
+            /* s = r * x + e */
+                sp_256_mul_8(x, x, r);
+            err = sp_256_mod_8(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_8(x);
+            carry = sp_256_add_8(s, e, x);
+            sp_256_cond_sub_8(s, s, p256_order, 0 - carry);
+            sp_256_norm_8(s);
+            c = sp_256_cmp_8(s, p256_order);
+            sp_256_cond_sub_8(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_8(s);
+
+            /* s = s * k^-1 mod order */
+                sp_256_mont_mul_order_8(s, s, kInv);
+            sp_256_norm_8(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_8(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 8);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 8U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 8U);
+#endif
+    sp_256_point_free_8(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*8];
+    sp_digit u2d[2*8];
+    sp_digit sd[2*8];
+    sp_digit tmpd[2*8 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_256_point_new_8(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 8;
+        u2  = d + 2 * 8;
+        s   = d + 4 * 8;
+        tmp = d + 6 * 8;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 8, hash, (int)hashLen);
+        sp_256_from_mp(u2, 8, r);
+        sp_256_from_mp(s, 8, sm);
+        sp_256_from_mp(p2->x, 8, pX);
+        sp_256_from_mp(p2->y, 8, pY);
+        sp_256_from_mp(p2->z, 8, pZ);
+
+        {
+            sp_256_mul_8(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_8(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_8(s);
+        {
+            sp_256_mont_inv_order_8(s, s, tmp);
+            sp_256_mont_mul_order_8(u1, u1, s);
+            sp_256_mont_mul_order_8(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_8(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_8(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_256_proj_point_add_8(p1, p1, p2, tmp);
+            if (sp_256_iszero_8(p1->z)) {
+                if (sp_256_iszero_8(p1->x) && sp_256_iszero_8(p1->y)) {
+                    sp_256_proj_point_dbl_8(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 8, r);
+        err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_8(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 8, r);
+            carry = sp_256_add_8(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_8(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_8(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_8(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_8(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_8(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_8(p1, 0, heap);
+    sp_256_point_free_8(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_8(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*8];
+    sp_digit t2d[2*8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_8(t1, point->y);
+        (void)sp_256_mod_8(t1, t1, p256_mod);
+        sp_256_sqr_8(t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        sp_256_mul_8(t2, t2, point->x);
+        (void)sp_256_mod_8(t2, t2, p256_mod);
+        (void)sp_256_sub_8(t2, p256_mod, t2);
+        sp_256_mont_add_8(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_8(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_8(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_8(pub, NULL);
+    }
+
+    sp_256_point_free_8(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[8];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_8(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 8, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 8, pX);
+        sp_256_from_mp(pub->y, 8, pY);
+        sp_256_from_bin(pub->z, 8, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 8, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_8(pub->x) != 0) &&
+            (sp_256_iszero_8(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_8(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_8(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_8(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_256_ecc_mulmod_8(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_8(p->x) == 0) ||
+            (sp_256_iszero_8(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_256_ecc_mulmod_base_8(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_8(p->x, pub->x) != 0 ||
+            sp_256_cmp_8(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, heap);
+    sp_256_point_free_8(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_8(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+        sp_256_from_mp(q->x, 8, qX);
+        sp_256_from_mp(q->y, 8, qY);
+        sp_256_from_mp(q->z, 8, qZ);
+
+            sp_256_proj_point_add_8(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(q, 0, NULL);
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+            sp_256_proj_point_dbl_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 8 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_8(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 8 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 8, pX);
+        sp_256_from_mp(p->y, 8, pY);
+        sp_256_from_mp(p->z, 8, pZ);
+
+        sp_256_map_8(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_8(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_8(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 8];
+    sp_digit t2d[2 * 8];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 8;
+        t2 = d + 2 * 8;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_8(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_8(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_8(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_8(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_8(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_8(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_8(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_8(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_8(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_8(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 8];
+    sp_digit yd[2 * 8];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 8;
+        y = d + 2 * 8;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 8, xm);
+        err = sp_256_mod_mul_norm_8(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_8(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_8(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        sp_256_mont_sub_8(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_8(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_8(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_8(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 8, 0, 8U * sizeof(sp_digit));
+        sp_256_mont_reduce_8(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_8(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 12];
+    sp_digit y[2 * 12];
+    sp_digit z[2 * 12];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[12] = {
+    0xffffffff,0x00000000,0x00000000,0xffffffff,0xfffffffe,0xffffffff,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[12] = {
+    0x00000001,0xffffffff,0xffffffff,0x00000000,0x00000001,0x00000000,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x00000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[12] = {
+    0xccc52973,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[12] = {
+    0xccc52971,0xecec196a,0x48b0a77a,0x581a0db2,0xf4372ddf,0xc7634d81,
+    0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff,0xffffffff
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[12] = {
+    0x333ad68d,0x1313e695,0xb74f5885,0xa7e5f24d,0x0bc8d220,0x389cb27e,
+    0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0xe88fdc45;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x72760ab7,0x3a545e38,0xbf55296c,0x5502f25d,0x82542a38,0x59f741e0,
+        0x8ba79b98,0x6e1d3b62,0xf320ad74,0x8eb1c71e,0xbe8b0537,0xaa87ca22,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x90ea0e5f,0x7a431d7c,0x1d7e819d,0x0a60b1ce,0xb5f0b8c0,0xe9da3113,
+        0x289a147c,0xf8f41dbd,0x9292dc29,0x5d9e98bf,0x96262c6f,0x3617de4a,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[12] = {
+    0xd3ec2aef,0x2a85c8ed,0x8a2ed19d,0xc656398d,0x5013875a,0x0314088f,
+    0xfe814112,0x181d9c6e,0xe3f82d19,0x988e056b,0xe23ee7e4,0xb3312fa7
+};
+#endif
+
+static int sp_384_point_new_ex_12(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_12(heap, sp, p) sp_384_point_new_ex_12((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_12(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* t;
+#else
+    int64_t t[12];
+#endif
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (int64_t*)XMALLOC(sizeof(int64_t) * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + (uint64_t)a[0] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[8] + (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[9] + (uint64_t)a[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + (uint64_t)a[0] - (uint64_t)a[2] + (uint64_t)a[3] + (uint64_t)a[8] + (uint64_t)a[9] - (uint64_t)a[10] - (uint64_t)a[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + (uint64_t)a[0] + (uint64_t)a[1] - (uint64_t)a[3] + (uint64_t)a[4] + (uint64_t)a[8] + 2 * (uint64_t)a[9] + (uint64_t)a[10] -  2 * (uint64_t)a[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + (uint64_t)a[1] + (uint64_t)a[2] - (uint64_t)a[4] + (uint64_t)a[5] + (uint64_t)a[9] + 2 * (uint64_t)a[10] + (uint64_t)a[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + (uint64_t)a[2] + (uint64_t)a[3] - (uint64_t)a[5] + (uint64_t)a[6] + (uint64_t)a[10] + 2 * (uint64_t)a[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + (uint64_t)a[3] + (uint64_t)a[4] - (uint64_t)a[6] + (uint64_t)a[7] + (uint64_t)a[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + (uint64_t)a[4] + (uint64_t)a[5] - (uint64_t)a[7] + (uint64_t)a[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + (uint64_t)a[5] + (uint64_t)a[6] - (uint64_t)a[8] + (uint64_t)a[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + (uint64_t)a[6] + (uint64_t)a[7] - (uint64_t)a[9] + (uint64_t)a[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + (uint64_t)a[7] + (uint64_t)a[8] - (uint64_t)a[10] + (uint64_t)a[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = t[0];
+        r[1] = t[1];
+        r[2] = t[2];
+        r[3] = t[3];
+        r[4] = t[4];
+        r[5] = t[5];
+        r[6] = t[6];
+        r[7] = t[7];
+        r[8] = t[8];
+        r[9] = t[9];
+        r[10] = t[10];
+        r[11] = t[11];
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 32
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 32
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffff;
+        s = 32U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 32U) <= (word32)DIGIT_BIT) {
+            s += 32U;
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 32) {
+            r[j] &= 0xffffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 32 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_12(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 12, pm->x);
+    sp_384_from_mp(p->y, 12, pm->y);
+    sp_384_from_mp(p->z, 12, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 32
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 12);
+        r->used = 12;
+        mp_clamp(r);
+#elif DIGIT_BIT < 32
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 32) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 32 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 12; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 32 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 32 - s;
+            }
+            else {
+                s += 32;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_12(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_mul_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit tmp[12 * 2];
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r11, %[b]\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r6, r10\n\t"
+        "mov	r14, r6\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	%[b], r9\n\t"
+        "sub	%[b], %[b], %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	%[b], %[b], r11\n\t"
+        "\n2:\n\t"
+        /* Multiply Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [%[b]]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply Done */
+        "add	%[a], %[a], #4\n\t"
+        "sub	%[b], %[b], #4\n\t"
+        "cmp	%[a], r14\n\t"
+        "beq	3f\n\t"
+        "mov	r6, r9\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[b], r11\n\t"
+        :
+        : [r] "r" (tmp), [a] "r" (a), [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    XMEMCPY(r, tmp, sizeof(tmp));
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_384_cond_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #48\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "sbcs	r5, r5, r6\n\t"
+        "sbcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+#define sp_384_mont_reduce_order_12   sp_384_mont_reduce_12
+
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+SP_NOINLINE static void sp_384_mont_reduce_12(sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_digit ca = 0;
+
+    __asm__ __volatile__ (
+        "mov	r9, %[mp]\n\t"
+        "mov	r12, %[m]\n\t"
+        "mov	r10, %[a]\n\t"
+        "mov	r4, #0\n\t"
+        "add	r11, r10, #48\n\t"
+        "\n1:\n\t"
+        /* mu = a[i] * mp */
+        "mov	%[mp], r9\n\t"
+        "ldr	%[a], [r10]\n\t"
+        "mul	%[mp], %[mp], %[a]\n\t"
+        "mov	%[m], r12\n\t"
+        "add	r14, r10, #40\n\t"
+        "\n2:\n\t"
+        /* a[i+j] += m[j] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+j+1] += m[j+1] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r4, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r4, r4, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r5, r5, %[a]\n\t"
+        "adc	r4, r4, #0\n\t"
+        "str	r5, [r10], #4\n\t"
+        "cmp	r10, r14\n\t"
+        "blt	2b\n\t"
+        /* a[i+10] += m[10] * mu */
+        "ldr	%[a], [r10]\n\t"
+        "mov	r5, #0\n\t"
+        /* Multiply m[j] and mu - Start */
+        "ldr	r8, [%[m]], #4\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	%[a], %[a], r6\n\t"
+        "adc	r5, r5, r8\n\t"
+        /* Multiply m[j] and mu - Done */
+        "adds	r4, r4, %[a]\n\t"
+        "adc	r5, r5, #0\n\t"
+        "str	r4, [r10], #4\n\t"
+        /* a[i+11] += m[11] * mu */
+        "mov	r4, %[ca]\n\t"
+        "mov	%[ca], #0\n\t"
+        /* Multiply m[11] and mu - Start */
+        "ldr	r8, [%[m]]\n\t"
+        "umull	r6, r8, %[mp], r8\n\t"
+        "adds	r5, r5, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        /* Multiply m[11] and mu - Done */
+        "ldr	r6, [r10]\n\t"
+        "ldr	r8, [r10, #4]\n\t"
+        "adds	r6, r6, r5\n\t"
+        "adcs	r8, r8, r4\n\t"
+        "adc	%[ca], %[ca], #0\n\t"
+        "str	r6, [r10]\n\t"
+        "str	r8, [r10, #4]\n\t"
+        /* Next word in a */
+        "sub	r10, r10, #40\n\t"
+        "cmp	r10, r11\n\t"
+        "blt	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "mov	%[m], r12\n\t"
+        : [ca] "+r" (ca), [a] "+r" (a)
+        : [m] "r" (m), [mp] "r" (mp)
+        : "memory", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12", "r14"
+    );
+
+    sp_384_cond_sub_12(a - 12, a, m, (sp_digit)0 - ca);
+}
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_sqr_12(sp_digit* r, const sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mov	r4, #0\n\t"
+        "mov	r5, #0\n\t"
+        "mov	r9, r3\n\t"
+        "mov	r12, %[r]\n\t"
+        "mov	r6, #96\n\t"
+        "neg	r6, r6\n\t"
+        "add	sp, sp, r6\n\t"
+        "mov	r11, sp\n\t"
+        "mov	r10, %[a]\n\t"
+        "\n1:\n\t"
+        "mov	%[r], #0\n\t"
+        "mov	r6, #44\n\t"
+        "mov	%[a], r9\n\t"
+        "subs	%[a], %[a], r6\n\t"
+        "sbc	r6, r6, r6\n\t"
+        "mvn	r6, r6\n\t"
+        "and	%[a], %[a], r6\n\t"
+        "mov	r2, r9\n\t"
+        "sub	r2, r2, %[a]\n\t"
+        "add	%[a], %[a], r10\n\t"
+        "add	r2, r2, r10\n\t"
+        "\n2:\n\t"
+        "cmp	r2, %[a]\n\t"
+        "beq	4f\n\t"
+        /* Multiply * 2: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "ldr	r8, [r2]\n\t"
+        "umull	r6, r8, r6, r8\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Multiply * 2: Done */
+        "bal	5f\n\t"
+        "\n4:\n\t"
+        /* Square: Start */
+        "ldr	r6, [%[a]]\n\t"
+        "umull	r6, r8, r6, r6\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs	r4, r4, r8\n\t"
+        "adc	r5, r5, %[r]\n\t"
+        /* Square: Done */
+        "\n5:\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "sub	r2, r2, #4\n\t"
+        "mov	r6, #48\n\t"
+        "add	r6, r6, r10\n\t"
+        "cmp	%[a], r6\n\t"
+        "beq	3f\n\t"
+        "cmp	%[a], r2\n\t"
+        "bgt	3f\n\t"
+        "mov	r8, r9\n\t"
+        "add	r8, r8, r10\n\t"
+        "cmp	%[a], r8\n\t"
+        "ble	2b\n\t"
+        "\n3:\n\t"
+        "mov	%[r], r11\n\t"
+        "mov	r8, r9\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "mov	r5, #0\n\t"
+        "add	r8, r8, #4\n\t"
+        "mov	r9, r8\n\t"
+        "mov	r6, #88\n\t"
+        "cmp	r8, r6\n\t"
+        "ble	1b\n\t"
+        "mov	%[a], r10\n\t"
+        "str	r3, [%[r], r8]\n\t"
+        "mov	%[r], r12\n\t"
+        "mov	%[a], r11\n\t"
+        "mov	r3, #92\n\t"
+        "\n4:\n\t"
+        "ldr	r6, [%[a], r3]\n\t"
+        "str	r6, [%[r], r3]\n\t"
+        "subs	r3, r3, #4\n\t"
+        "bge	4b\n\t"
+        "mov	r6, #96\n\t"
+        "add	sp, sp, r6\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5", "r6", "r8", "r9", "r10", "r11", "r12"
+    );
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_12(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_12(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_12(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_12(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_12(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint32_t p384_mod_minus_2[12] = {
+    0xfffffffdU,0x00000000U,0x00000000U,0xffffffffU,0xfffffffeU,0xffffffffU,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_12(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_12(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_384_mont_mul_12(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    sp_digit* t4 = td + 6 * 12;
+    sp_digit* t5 = td + 8 * 12;
+
+    /* 0x2 */
+    sp_384_mont_sqr_12(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_12(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_12(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_12(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_12(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_12(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_12(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_12(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_12(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_12(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_12(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_12(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_12(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_12(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_12(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_12(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_12(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_12(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+SP_NOINLINE static int32_t sp_384_cmp_12(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+
+
+    __asm__ __volatile__ (
+        "mov	r3, #0\n\t"
+        "mvn	r3, r3\n\t"
+        "mov	r6, #44\n\t"
+        "\n1:\n\t"
+        "ldr	r8, [%[a], r6]\n\t"
+        "ldr	r5, [%[b], r6]\n\t"
+        "and	r8, r8, r3\n\t"
+        "and	r5, r5, r3\n\t"
+        "mov	r4, r8\n\t"
+        "subs	r8, r8, r5\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "add	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "subs	r5, r5, r4\n\t"
+        "sbc	r8, r8, r8\n\t"
+        "sub	%[r], %[r], r8\n\t"
+        "mvn	r8, r8\n\t"
+        "and	r3, r3, r8\n\t"
+        "sub	r6, r6, #4\n\t"
+        "cmp	r6, #0\n\t"
+        "bge	1b\n\t"
+        : [r] "+r" (r)
+        : [a] "r" (a), [b] "r" (b)
+        : "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return r;
+}
+
+/* Normalize the values in each word to 32.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_384_norm_12(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    int32_t n;
+
+    sp_384_mont_inv_12(t1, p->z, t + 2*12);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_12(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 12, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_12(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_12(r->x, p384_mod);
+    sp_384_cond_sub_12(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_12(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 12, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_12(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_12(r->y, p384_mod);
+    sp_384_cond_sub_12(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_12(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "mov	r8, #0\n\t"
+        "add	r6, r6, #48\n\t"
+        "sub	r8, r8, #1\n\t"
+        "\n1:\n\t"
+        "adds	%[c], %[c], r8\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "adcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#else
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_add_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adds	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "ldm	%[a]!, {r4, r5}\n\t"
+        "ldm	%[b]!, {r6, r8}\n\t"
+        "adcs	r4, r4, r6\n\t"
+        "adcs	r5, r5, r8\n\t"
+        "stm	%[r]!, {r4, r5}\n\t"
+        "mov	%[c], #0\n\t"
+        "adc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, b);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_dbl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_tpl_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_12(r, a, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+    o = sp_384_add_12(r, r, a);
+    sp_384_cond_sub_12(r, r, m, 0 - o);
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r6, %[a]\n\t"
+        "add	r6, r6, #48\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r4, [%[a]]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "sbcs	r4, r4, r5\n\t"
+        "str	r4, [%[r]]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #4\n\t"
+        "add	%[b], %[b], #4\n\t"
+        "add	%[r], %[r], #4\n\t"
+        "cmp	%[a], r6\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_12(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldr	r4, [%[a], #0]\n\t"
+        "ldr	r5, [%[a], #4]\n\t"
+        "ldr	r6, [%[b], #0]\n\t"
+        "ldr	r8, [%[b], #4]\n\t"
+        "subs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #0]\n\t"
+        "str	r5, [%[r], #4]\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "ldr	r5, [%[a], #12]\n\t"
+        "ldr	r6, [%[b], #8]\n\t"
+        "ldr	r8, [%[b], #12]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "str	r5, [%[r], #12]\n\t"
+        "ldr	r4, [%[a], #16]\n\t"
+        "ldr	r5, [%[a], #20]\n\t"
+        "ldr	r6, [%[b], #16]\n\t"
+        "ldr	r8, [%[b], #20]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #16]\n\t"
+        "str	r5, [%[r], #20]\n\t"
+        "ldr	r4, [%[a], #24]\n\t"
+        "ldr	r5, [%[a], #28]\n\t"
+        "ldr	r6, [%[b], #24]\n\t"
+        "ldr	r8, [%[b], #28]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #24]\n\t"
+        "str	r5, [%[r], #28]\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "ldr	r5, [%[a], #36]\n\t"
+        "ldr	r6, [%[b], #32]\n\t"
+        "ldr	r8, [%[b], #36]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "str	r5, [%[r], #36]\n\t"
+        "ldr	r4, [%[a], #40]\n\t"
+        "ldr	r5, [%[a], #44]\n\t"
+        "ldr	r6, [%[b], #40]\n\t"
+        "ldr	r8, [%[b], #44]\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "sbcs	r5, r5, r8\n\t"
+        "str	r4, [%[r], #40]\n\t"
+        "str	r5, [%[r], #44]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [r] "+r" (r), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+SP_NOINLINE static sp_digit sp_384_cond_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        sp_digit m)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "mov	r5, #48\n\t"
+        "mov	r9, r5\n\t"
+        "mov	r8, #0\n\t"
+        "\n1:\n\t"
+        "ldr	r6, [%[b], r8]\n\t"
+        "and	r6, r6, %[m]\n\t"
+        "adds	r5, %[c], #-1\n\t"
+        "ldr	r5, [%[a], r8]\n\t"
+        "adcs	r5, r5, r6\n\t"
+        "mov	%[c], #0\n\t"
+        "adcs	%[c], %[c], %[c]\n\t"
+        "str	r5, [%[r], r8]\n\t"
+        "add	r8, r8, #4\n\t"
+        "cmp	r8, r9\n\t"
+        "blt	1b\n\t"
+        : [c] "+r" (c)
+        : [r] "r" (r), [a] "r" (a), [b] "r" (b), [m] "r" (m)
+        : "memory", "r5", "r6", "r8", "r9"
+    );
+
+    return c;
+}
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_mont_sub_12(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_sub_12(r, a, b);
+    sp_384_cond_add_12(r, r, m, o);
+}
+
+static void sp_384_rshift1_12(sp_digit* r, sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "ldr	r2, [%[a]]\n\t"
+        "ldr	r3, [%[a], #4]\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #8]\n\t"
+        "str	r2, [%[r], #0]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #12]\n\t"
+        "str	r3, [%[r], #4]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #16]\n\t"
+        "str	r4, [%[r], #8]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #20]\n\t"
+        "str	r2, [%[r], #12]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #24]\n\t"
+        "str	r3, [%[r], #16]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #28]\n\t"
+        "str	r4, [%[r], #20]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #32]\n\t"
+        "str	r2, [%[r], #24]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "ldr	r2, [%[a], #36]\n\t"
+        "str	r3, [%[r], #28]\n\t"
+        "lsl	r5, r2, #31\n\t"
+        "lsr	r2, r2, #1\n\t"
+        "orr	r4, r4, r5\n\t"
+        "ldr	r3, [%[a], #40]\n\t"
+        "str	r4, [%[r], #32]\n\t"
+        "lsl	r5, r3, #31\n\t"
+        "lsr	r3, r3, #1\n\t"
+        "orr	r2, r2, r5\n\t"
+        "ldr	r4, [%[a], #44]\n\t"
+        "str	r2, [%[r], #36]\n\t"
+        "lsl	r5, r4, #31\n\t"
+        "lsr	r4, r4, #1\n\t"
+        "orr	r3, r3, r5\n\t"
+        "str	r3, [%[r], #40]\n\t"
+        "str	r4, [%[r], #44]\n\t"
+        :
+        : [r] "r" (r), [a] "r" (a)
+        : "memory", "r2", "r3", "r4", "r5"
+    );
+}
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+SP_NOINLINE static void sp_384_div2_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_cond_add_12(r, a, m, 0 - (a[0] & 1));
+    sp_384_rshift1_12(r, r);
+    r[11] |= o << 31;
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_12(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_12(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_12(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_12(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_12(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_12(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_12(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_12(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_12(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_12(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_12(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_12(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_12(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_12(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_12(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_12(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_12(y, y, t2, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_12(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9]) | (a[10] ^ b[10]) | (a[11] ^ b[11])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_12(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_12(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_12(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_12(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_12(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_12(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_12(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, x, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, y, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_mul_12(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, y, t5, p384_mod);
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_fast_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[16];
+    sp_point_384 rtd;
+    sp_digit tmpd[2 * 12 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_384_mod_mul_norm_12(t[1].x, g->x, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].y, g->y, p384_mod);
+        (void)sp_384_mod_mul_norm_12(t[1].z, g->z, p384_mod);
+        t[1].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_384_proj_point_add_12(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_384_proj_point_add_12(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_384_proj_point_add_12(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_384_proj_point_dbl_12(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_384_proj_point_add_12(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 10;
+        n = k[i+1] << 0;
+        c = 28;
+        y = n >> 28;
+        XMEMCPY(rt, &t[y], sizeof(sp_point_384));
+        n <<= 4;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--];
+                c += 32;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+            sp_384_proj_point_dbl_12(rt, rt, tmp);
+
+            sp_384_proj_point_add_12(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 12 * 6);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point_384) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_384_point_free_12(rt, 1, heap);
+
+    return err;
+}
+
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[12];
+    sp_digit y[12];
+} sp_table_entry_384;
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_12(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*12;
+    sp_digit* b = t + 4*12;
+    sp_digit* t1 = t + 6*12;
+    sp_digit* t2 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_12(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_12(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_12(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(t2, b, p384_mod);
+        sp_384_mont_sub_12(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_12(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_12(y, b, x, p384_mod);
+        sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_12(y, y, p384_mod);
+        sp_384_mont_sub_12(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_12(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_12(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_12(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_12(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_12(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(t2, b, p384_mod);
+    sp_384_mont_sub_12(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_12(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_12(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_12(y, b, x, p384_mod);
+    sp_384_mont_mul_12(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_12(y, y, p384_mod);
+    sp_384_mont_sub_12(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_12(y, y, p384_mod);
+}
+
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_12(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 12;
+    sp_digit* tmp = t + 4 * 12;
+
+    sp_384_mont_inv_12(t1, a->z, tmp);
+
+    sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_12(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_12(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_12(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*12;
+    sp_digit* t3 = t + 4*12;
+    sp_digit* t4 = t + 6*12;
+    sp_digit* t5 = t + 8*12;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_12(t1, p384_mod, q->y);
+    sp_384_norm_12(t1);
+    if ((sp_384_cmp_equal_12(p->x, q->x) & sp_384_cmp_equal_12(p->z, q->z) &
+        (sp_384_cmp_equal_12(p->y, q->y) | sp_384_cmp_equal_12(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_12(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<12; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<12; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<12; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_12(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_12(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_12(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_12(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_12(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_12(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_12(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_12(t1, t3, p384_mod);
+        sp_384_mont_sub_12(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_12(t3, t3, x, p384_mod);
+        sp_384_mont_mul_12(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_12(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<4; i++) {
+            sp_384_proj_point_dbl_n_12(t, 96, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<4; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=95; j<4; j++,x+=96) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=94; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<4; j++,x+=96) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[16];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#else
+#ifdef FP_ECC
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_12(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_12(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_12(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_12(t, 48, tmp);
+            sp_384_proj_to_affine_12(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_12(t, s1, s2, tmp);
+                sp_384_proj_to_affine_12(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_12(s2, 0, heap);
+    sp_384_point_free_12(s1, 0, heap);
+    sp_384_point_free_12( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_12(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 12 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_12(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 32] >> (x % 32)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_12(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_12(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_12(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[12];
+    sp_digit y[12];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_12(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_12(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_12(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 12 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_12(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_fast_12(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_12(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+        sp_384_point_from_ecc_point_12(point, gm);
+
+            err = sp_384_ecc_mulmod_12(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_384 p384_table[16] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 3 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 4 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 5 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 6 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 7 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 8 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 9 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 10 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 11 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 12 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 13 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 14 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 15 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#else
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x49c0b528,0x3dd07566,0xa0d6ce38,0x20e378e2,0x541b4d6e,0x879c3afc,
+        0x59a30eff,0x64548684,0x614ede2b,0x812ff723,0x299e1513,0x4d3aadc2 },
+      { 0x4b03a4fe,0x23043dad,0x7bb4a9ac,0xa1bfa8bf,0x2e83b050,0x8bade756,
+        0x68f4ffd9,0xc6c35219,0x3969a840,0xdd800226,0x5a15c5e9,0x2b78abc2 } },
+    /* 2 */
+    { { 0x2b0c535b,0x29864753,0x70506296,0x90dd6953,0x216ab9ac,0x038cd6b4,
+        0xbe12d76a,0x3df9b7b7,0x5f347bdb,0x13f4d978,0x13e94489,0x222c5c9c },
+      { 0x2680dc64,0x5f8e796f,0x58352417,0x120e7cb7,0xd10740b8,0x254b5d8a,
+        0x5337dee6,0xc38b8efb,0x94f02247,0xf688c2e1,0x6c25bc4c,0x7b5c75f3 } },
+    /* 3 */
+    { { 0x9edffea5,0xe26a3cc3,0x37d7e9fc,0x35bbfd1c,0x9bde3ef6,0xf0e7700d,
+        0x1a538f5a,0x0380eb47,0x05bf9eb3,0x2e9da8bb,0x1a460c3e,0xdbb93c73 },
+      { 0xf526b605,0x37dba260,0xfd785537,0x95d4978e,0xed72a04a,0x24ed793a,
+        0x76005b1a,0x26948377,0x9e681f82,0x99f557b9,0xd64954ef,0xae5f9557 } },
+    /* 4 */
+    { { 0xf26feef9,0x24480c57,0x3a0e1240,0xc31a2694,0x273e2bc7,0x735002c3,
+        0x3ef1ed4c,0x8c42e9c5,0x7f4948e8,0x028babf6,0x8a978632,0x6a502f43 },
+      { 0xb74536fe,0xf5f13a46,0xd8a9f0eb,0x1d218bab,0x37232768,0x30f36bcc,
+        0x576e8c18,0xc5317b31,0x9bbcb766,0xef1d57a6,0xb3e3d4dc,0x917c4930 } },
+    /* 5 */
+    { { 0xe349ddd0,0x11426e2e,0x9b2fc250,0x9f117ef9,0xec0174a6,0xff36b480,
+        0x18458466,0x4f4bde76,0x05806049,0x2f2edb6d,0x19dfca92,0x8adc75d1 },
+      { 0xb7d5a7ce,0xa619d097,0xa34411e9,0x874275e5,0x0da4b4ef,0x5403e047,
+        0x77901d8f,0x2ebaafd9,0xa747170f,0x5e63ebce,0x7f9d8036,0x12a36944 } },
+    /* 6 */
+    { { 0x4fc52870,0x28f9c07a,0x1a53a961,0xce0b3748,0x0e1828d9,0xd550fa18,
+        0x6adb225a,0xa24abaf7,0x6e58a348,0xd11ed0a5,0x948acb62,0xf3d811e6 },
+      { 0x4c61ed22,0x8618dd77,0x80b47c9d,0x0bb747f9,0xde6b8559,0x22bf796f,
+        0x680a21e9,0xfdfd1c6d,0x2af2c9dd,0xc0db1577,0xc1e90f3d,0xa09379e6 } },
+    /* 7 */
+    { { 0xe085c629,0x386c66ef,0x095bc89a,0x5fc2a461,0x203f4b41,0x1353d631,
+        0x7e4bd8f5,0x7ca1972b,0xa7df8ce9,0xb077380a,0xee7e4ea3,0xd8a90389 },
+      { 0xe7b14461,0x1bc74dc7,0x0c9c4f78,0xdc2cb014,0x84ef0a10,0x52b4b3a6,
+        0x20327fe2,0xbde6ea5d,0x660f9615,0xb71ec435,0xb8ad8173,0xeede5a04 } },
+    /* 8 */
+    { { 0x893b9a2d,0x5584cbb3,0x00850c5d,0x820c660b,0x7df2d43d,0x4126d826,
+        0x0109e801,0xdd5bbbf0,0x38172f1c,0x85b92ee3,0xf31430d9,0x609d4f93 },
+      { 0xeadaf9d6,0x1e059a07,0x0f125fb0,0x70e6536c,0x560f20e7,0xd6220751,
+        0x7aaf3a9a,0xa59489ae,0x64bae14e,0x7b70e2f6,0x76d08249,0x0dd03701 } },
+    /* 9 */
+    { { 0x8510521f,0x4cc13be8,0xf724cc17,0x87315ba9,0x353dc263,0xb49d83bb,
+        0x0c279257,0x8b677efe,0xc93c9537,0x510a1c1c,0xa4702c99,0x33e30cd8 },
+      { 0x2208353f,0xf0ffc89d,0xced42b2b,0x0170fa8d,0x26e2a5f5,0x090851ed,
+        0xecb52c96,0x81276455,0x7fe1adf4,0x0646c4e1,0xb0868eab,0x513f047e } },
+    /* 10 */
+    { { 0xdf5bdf53,0xc07611f4,0x58b11a6d,0x45d331a7,0x1c4ee394,0x58965daf,
+        0x5a5878d1,0xba8bebe7,0x82dd3025,0xaecc0a18,0xa923eb8b,0xcf2a3899 },
+      { 0xd24fd048,0xf98c9281,0x8bbb025d,0x841bfb59,0xc9ab9d53,0xb8ddf8ce,
+        0x7fef044e,0x538a4cb6,0x23236662,0x092ac21f,0x0b66f065,0xa919d385 } },
+    /* 11 */
+    { { 0x85d480d8,0x3db03b40,0x1b287a7d,0x8cd9f479,0x4a8f3bae,0x8f24dc75,
+        0x3db41892,0x482eb800,0x9c56e0f5,0x38bf9eb3,0x9a91dc6f,0x8b977320 },
+      { 0x7209cfc2,0xa31b05b2,0x05b2db70,0x4c49bf85,0xd619527b,0x56462498,
+        0x1fac51ba,0x3fe51039,0xab4b8342,0xfb04f55e,0x04c6eabf,0xc07c10dc } },
+    /* 12 */
+    { { 0xdb32f048,0xad22fe4c,0x475ed6df,0x5f23bf91,0xaa66b6cb,0xa50ce0c0,
+        0xf03405c0,0xdf627a89,0xf95e2d6a,0x3674837d,0xba42e64e,0x081c95b6 },
+      { 0xe71d6ceb,0xeba3e036,0x6c6b0271,0xb45bcccf,0x0684701d,0x67b47e63,
+        0xe712523f,0x60f8f942,0x5cd47adc,0x82423472,0x87649cbb,0x83027d79 } },
+    /* 13 */
+    { { 0x3615b0b8,0xb3929ea6,0xa54dac41,0xb41441fd,0xb5b6a368,0x8995d556,
+        0x167ef05e,0xa80d4529,0x6d25a27f,0xf6bcb4a1,0x7bd55b68,0x210d6a4c },
+      { 0x25351130,0xf3804abb,0x903e37eb,0x1d2df699,0x084c25c8,0x5f201efc,
+        0xa1c68e91,0x31a28c87,0x563f62a5,0x81dad253,0xd6c415d4,0x5dd6de70 } },
+    /* 14 */
+    { { 0x846612ce,0x29f470fd,0xda18d997,0x986f3eec,0x2f34af86,0x6b84c161,
+        0x46ddaf8b,0x5ef0a408,0xe49e795f,0x14405a00,0xaa2f7a37,0x5f491b16 },
+      { 0xdb41b38d,0xc7f07ae4,0x18fbfcaa,0xef7d119e,0x14443b19,0x3a18e076,
+        0x79a19926,0x4356841a,0xe2226fbe,0x91f4a91c,0x3cc88721,0xdc77248c } },
+    /* 15 */
+    { { 0xe4b1ec9d,0xd570ff1a,0xe7eef706,0x21d23e0e,0xca19e086,0x3cde40f4,
+        0xcd4bb270,0x7d6523c4,0xbf13aa6c,0x16c1f06c,0xd14c4b60,0x5aa7245a },
+      { 0x44b74de8,0x37f81467,0x620a934e,0x839e7a17,0xde8b1aa1,0xf74d14e8,
+        0xf30d75e2,0x8789fa51,0xc81c261e,0x09b24052,0x33c565ee,0x654e2678 } },
+    /* 16 */
+    { { 0x2f9fbe67,0x378205de,0x7f728e44,0xc4afcb83,0x682e00f1,0xdbcec06c,
+        0x114d5423,0xf2a145c3,0x7a52463e,0xa01d9874,0x7d717b0a,0xfc0935b1 },
+      { 0xd4d01f95,0x9653bc4f,0x9560ad34,0x9aa83ea8,0xaf8e3f3f,0xf77943dc,
+        0xe86fe16e,0x70774a10,0xbf9ffdcf,0x6b62e6f1,0x588745c9,0x8a72f39e } },
+    /* 17 */
+    { { 0x2341c342,0x73ade4da,0xea704422,0xdd326e54,0x3741cef3,0x336c7d98,
+        0x59e61549,0x1eafa00d,0xbd9a3efd,0xcd3ed892,0xc5c6c7e4,0x03faf26c },
+      { 0x3045f8ac,0x087e2fcf,0x174f1e73,0x14a65532,0xfe0af9a7,0x2cf84f28,
+        0x2cdc935b,0xddfd7a84,0x6929c895,0x4c0f117b,0x4c8bcfcc,0x356572d6 } },
+    /* 18 */
+    { { 0x7d8c1bba,0x7ecbac01,0x90b0f3d5,0x6058f9c3,0xf6197d0f,0xaee116e3,
+        0x4033b128,0xc4dd7068,0xc209b983,0xf084dba6,0x831dbc4a,0x97c7c2cf },
+      { 0xf96010e8,0x2f4e61dd,0x529faa17,0xd97e4e20,0x69d37f20,0x4ee66660,
+        0x3d366d72,0xccc139ed,0x13488e0f,0x690b6ee2,0xf3a6d533,0x7cad1dc5 } },
+    /* 19 */
+    { { 0xda57a41f,0x660a9a81,0xec0039b6,0xe74a0412,0x5e1dad15,0x42343c6b,
+        0x46681d4c,0x284f3ff5,0x63749e89,0xb51087f1,0x6f9f2f13,0x070f23cc },
+      { 0x5d186e14,0x542211da,0xfddb0dff,0x84748f37,0xdb1f4180,0x41a3aab4,
+        0xa6402d0e,0x25ed667b,0x02f58355,0x2f2924a9,0xfa44a689,0x5844ee7c } },
+    /* 20 */
+    { { 0x3f3b236f,0xfab08607,0x81e221da,0x19e9d41d,0x3927b428,0xf3f6571e,
+        0x7550f1f6,0x4348a933,0xa85e62f0,0x7167b996,0x7f5452bf,0x62d43759 },
+      { 0xf2955926,0xd85feb9e,0x6df78353,0x440a561f,0x9ca36b59,0x389668ec,
+        0xa22da016,0x052bf1a1,0xf6093254,0xbdfbff72,0xe22209f3,0x94e50f28 } },
+    /* 21 */
+    { { 0x3062e8af,0x90b2e5b3,0xe8a3d369,0xa8572375,0x201db7b1,0x3fe1b00b,
+        0xee651aa2,0xe926def0,0xb9b10ad7,0x6542c9be,0xa2fcbe74,0x098e309b },
+      { 0xfff1d63f,0x779deeb3,0x20bfd374,0x23d0e80a,0x8768f797,0x8452bb3b,
+        0x1f952856,0xcf75bb4d,0x29ea3faa,0x8fe6b400,0x81373a53,0x12bd3e40 } },
+    /* 22 */
+    { { 0x104cbba5,0xc023780d,0xfa35dd4c,0x6207e747,0x1ca9b6a3,0x35c23928,
+        0x97987b10,0x4ff19be8,0x8022eee8,0xb8476bbf,0xd3bbe74d,0xaa0a4a14 },
+      { 0x187d4543,0x20f94331,0x79f6e066,0x32153870,0xac7e82e1,0x83b0f74e,
+        0x828f06ab,0xa7748ba2,0xc26ef35f,0xc5f0298a,0x8e9a7dbd,0x0f0c5070 } },
+    /* 23 */
+    { { 0xdef029dd,0x0c5c244c,0x850661b8,0x3dabc687,0xfe11d981,0x9992b865,
+        0x6274dbad,0xe9801b8f,0x098da242,0xe54e6319,0x91a53d08,0x9929a91a },
+      { 0x35285887,0x37bffd72,0xf1418102,0xbc759425,0xfd2e6e20,0x9280cc35,
+        0xfbc42ee5,0x735c600c,0x8837619a,0xb7ad2864,0xa778c57b,0xa3627231 } },
+    /* 24 */
+    { { 0x91361ed8,0xae799b5c,0x6c63366c,0x47d71b75,0x1b265a6a,0x54cdd521,
+        0x98d77b74,0xe0215a59,0xbab29db0,0x4424d9b7,0x7fd9e536,0x8b0ffacc },
+      { 0x37b5d9ef,0x46d85d12,0xbfa91747,0x5b106d62,0x5f99ba2d,0xed0479f8,
+        0x1d104de4,0x0e6f3923,0x25e8983f,0x83a84c84,0xf8105a70,0xa9507e0a } },
+    /* 25 */
+    { { 0x14cf381c,0xf6c68a6e,0xc22e31cc,0xaf9d27bd,0xaa8a5ccb,0x23568d4d,
+        0xe338e4d2,0xe431eec0,0x8f52ad1f,0xf1a828fe,0xe86acd80,0xdb6a0579 },
+      { 0x4507832a,0x2885672e,0x887e5289,0x73fc275f,0x05610d08,0x65f80278,
+        0x075ff5b0,0x8d9b4554,0x09f712b5,0x3a8e8fb1,0x2ebe9cf2,0x39f0ac86 } },
+    /* 26 */
+    { { 0x4c52edf5,0xd8fabf78,0xa589ae53,0xdcd737e5,0xd791ab17,0x94918bf0,
+        0xbcff06c9,0xb5fbd956,0xdca46d45,0xf6d3032e,0x41a3e486,0x2cdff7e1 },
+      { 0x61f47ec8,0x6674b3ba,0xeef84608,0x8a882163,0x4c687f90,0xa257c705,
+        0xf6cdf227,0xe30cb2ed,0x7f6ea846,0x2c4c64ca,0xcc6bcd3c,0x186fa17c } },
+    /* 27 */
+    { { 0x1dfcb91e,0x48a3f536,0x646d358a,0x83595e13,0x91128798,0xbd15827b,
+        0x2187757a,0x3ce612b8,0x61bd7372,0x873150a1,0xb662f568,0xf4684530 },
+      { 0x401896f6,0x8833950b,0x77f3e090,0xe11cb89a,0x48e7f4a5,0xb2f12cac,
+        0xf606677e,0x313dd769,0x16579f93,0xfdcf08b3,0x46b8f22b,0x6429cec9 } },
+    /* 28 */
+    { { 0xbb75f9a4,0x4984dd54,0x29d3b570,0x4aef06b9,0x3d6e4c1e,0xb5f84ca2,
+        0xb083ef35,0x24c61c11,0x392ca9ff,0xce4a7392,0x6730a800,0x865d6517 },
+      { 0x722b4a2b,0xca3dfe76,0x7b083e0e,0x12c04bf9,0x1b86b8a5,0x803ce5b5,
+        0x6a7e3e0c,0x3fc7632d,0xc81adbe4,0xc89970c2,0x120e16b1,0x3cbcd3ad } },
+    /* 29 */
+    { { 0xec30ce93,0xfbfb4cc7,0xb72720a2,0x10ed6c7d,0x47b55500,0xec675bf7,
+        0x333ff7c3,0x90725903,0x5075bfc0,0xc7c3973e,0x07acf31b,0xb049ecb0 },
+      { 0x4f58839c,0xb4076eaf,0xa2b05e4f,0x101896da,0xab40c66e,0x3f6033b0,
+        0xc8d864ba,0x19ee9eeb,0x47bf6d2a,0xeb6cf155,0xf826477d,0x8e5a9663 } },
+    /* 30 */
+    { { 0xf7fbd5e1,0x69e62fdd,0x76912b1d,0x38ecfe54,0xd1da3bfb,0x845a3d56,
+        0x1c86f0d4,0x0494950e,0x3bc36ce8,0x83cadbf9,0x4fccc8d1,0x41fce572 },
+      { 0x8332c144,0x05f939c2,0x0871e46e,0xb17f248b,0x66e8aff6,0x3d8534e2,
+        0x3b85c629,0x1d06f1dc,0xa3131b73,0xdb06a32e,0x8b3f64e5,0xf295184d } },
+    /* 31 */
+    { { 0x36ddc103,0xd9653ff7,0x95ef606f,0x25f43e37,0xfe06dce8,0x09e301fc,
+        0x30b6eebf,0x85af2341,0x0ff56b20,0x79b12b53,0xfe9a3c6b,0x9b4fb499 },
+      { 0x51d27ac2,0x0154f892,0x56ca5389,0xd33167e3,0xafc065a6,0x7828ec1f,
+        0x7f746c9b,0x0959a258,0x0c44f837,0xb18f1be3,0xc4132fdb,0xa7946117 } },
+    /* 32 */
+    { { 0x5e3c647b,0xc0426b77,0x8cf05348,0xbfcbd939,0x172c0d3d,0x31d312e3,
+        0xee754737,0x5f49fde6,0x6da7ee61,0x895530f0,0xe8b3a5fb,0xcf281b0a },
+      { 0x41b8a543,0xfd149735,0x3080dd30,0x41a625a7,0x653908cf,0xe2baae07,
+        0xba02a278,0xc3d01436,0x7b21b8f8,0xa0d0222e,0xd7ec1297,0xfdc270e9 } },
+    /* 33 */
+    { { 0xbc7f41d6,0x00873c0c,0x1b7ad641,0xd976113e,0x238443fb,0x2a536ff4,
+        0x41e62e45,0x030d00e2,0x5f545fc6,0x532e9867,0x8e91208c,0xcd033108 },
+      { 0x9797612c,0xd1a04c99,0xeea674e2,0xd4393e02,0xe19742a1,0xd56fa69e,
+        0x85f0590e,0xdd2ab480,0x48a2243d,0xa5cefc52,0x54383f41,0x48cc67b6 } },
+    /* 34 */
+    { { 0xfc14ab48,0x4e50430e,0x26706a74,0x195b7f4f,0xcc881ff6,0x2fe8a228,
+        0xd945013d,0xb1b968e2,0x4b92162b,0x936aa579,0x364e754a,0x4fb766b7 },
+      { 0x31e1ff7f,0x13f93bca,0xce4f2691,0x696eb5ca,0xa2b09e02,0xff754bf8,
+        0xe58e3ff8,0x58f13c9c,0x1678c0b0,0xb757346f,0xa86692b3,0xd54200db } },
+    /* 35 */
+    { { 0x6dda1265,0x9a030bbd,0xe89718dd,0xf7b4f3fc,0x936065b8,0xa6a4931f,
+        0x5f72241c,0xbce72d87,0x65775857,0x6cbb51cb,0x4e993675,0xc7161815 },
+      { 0x2ee32189,0xe81a0f79,0x277dc0b2,0xef2fab26,0xb71f469f,0x9e64f6fe,
+        0xdfdaf859,0xb448ce33,0xbe6b5df1,0x3f5c1c4c,0x1de45f7b,0xfb8dfb00 } },
+    /* 36 */
+    { { 0x4d5bb921,0xc7345fa7,0x4d2b667e,0x5c7e04be,0x282d7a3e,0x47ed3a80,
+        0x7e47b2a4,0x5c2777f8,0x08488e2e,0x89b3b100,0xb2eb5b45,0x9aad77c2 },
+      { 0xdaac34ae,0xd681bca7,0x26afb326,0x2452e4e5,0x41a1ee14,0x0c887924,
+        0xc2407ade,0x743b04d4,0xfc17a2ac,0xcb5e999b,0x4a701a06,0x4dca2f82 } },
+    /* 37 */
+    { { 0x1127bc1a,0x68e31ca6,0x17ead3be,0xa3edd59b,0xe25f5a15,0x67b6b645,
+        0xa420e15e,0x76221794,0x4b1e872e,0x794fd83b,0xb2dece1b,0x7cab3f03 },
+      { 0xca9b3586,0x7119bf15,0x4d250bd7,0xa5545924,0xcc6bcf24,0x173633ea,
+        0xb1b6f884,0x9bd308c2,0x447d38c3,0x3bae06f5,0xf341fe1c,0x54dcc135 } },
+    /* 38 */
+    { { 0x943caf0d,0x56d3598d,0x225ff133,0xce044ea9,0x563fadea,0x9edf6a7c,
+        0x73e8dc27,0x632eb944,0x3190dcab,0x814b467e,0x6dbb1e31,0x2d4f4f31 },
+      { 0xa143b7ca,0x8d69811c,0xde7cf950,0x4ec1ac32,0x37b5fe82,0x223ab5fd,
+        0x9390f1d9,0xe82616e4,0x75804610,0xabff4b20,0x875b08f0,0x11b9be15 } },
+    /* 39 */
+    { { 0x3bbe682c,0x4ae31a3d,0x74eef2dd,0xbc7c5d26,0x3c47dd40,0x92afd10a,
+        0xc14ab9e1,0xec7e0a3b,0xb2e495e4,0x6a6c3dd1,0x309bcd85,0x085ee5e9 },
+      { 0x8c2e67fd,0xf381a908,0xe261eaf2,0x32083a80,0x96deee15,0x0fcd6a49,
+        0x5e524c79,0xe3b8fb03,0x1d5b08b9,0x8dc360d9,0x7f26719f,0x3a06e2c8 } },
+    /* 40 */
+    { { 0x7237cac0,0x5cd9f5a8,0x43586794,0x93f0b59d,0xe94f6c4e,0x4384a764,
+        0xb62782d3,0x8304ed2b,0xcde06015,0x0b8db8b3,0x5dbe190f,0x4336dd53 },
+      { 0x92ab473a,0x57443553,0xbe5ed046,0x031c7275,0x21909aa4,0x3e78678c,
+        0x99202ddb,0x4ab7e04f,0x6977e635,0x2648d206,0x093198be,0xd427d184 } },
+    /* 41 */
+    { { 0x0f9b5a31,0x822848f5,0xbaadb62a,0xbb003468,0x3357559c,0x233a0472,
+        0x79aee843,0x49ef6880,0xaeb9e1e3,0xa89867a0,0x1f6f9a55,0xc151931b },
+      { 0xad74251e,0xd264eb0b,0x4abf295e,0x37b9b263,0x04960d10,0xb600921b,
+        0x4da77dc0,0x0de53dbc,0xd2b18697,0x01d9bab3,0xf7156ddf,0xad54ec7a } },
+    /* 42 */
+    { { 0x79efdc58,0x8e74dc35,0x4ff68ddb,0x456bd369,0xd32096a5,0x724e74cc,
+        0x386783d0,0xe41cff42,0x7c70d8a4,0xa04c7f21,0xe61a19a2,0x41199d2f },
+      { 0x29c05dd2,0xd389a3e0,0xe7e3fda9,0x535f2a6b,0x7c2b4df8,0x26ecf72d,
+        0xfe745294,0x678275f4,0x9d23f519,0x6319c9cc,0x88048fc4,0x1e05a02d } },
+    /* 43 */
+    { { 0xd4d5ffe8,0x75cc8e2e,0xdbea17f2,0xf8bb4896,0xcee3cb4a,0x35059790,
+        0xa47c6165,0x4c06ee85,0x92935d2f,0xf98fff25,0x32ffd7c7,0x34c4a572 },
+      { 0xea0376a2,0xc4b14806,0x4f115e02,0x2ea5e750,0x1e55d7c0,0x532d76e2,
+        0xf31044da,0x68dc9411,0x71b77993,0x9272e465,0x93a8cfd5,0xadaa38bb } },
+    /* 44 */
+    { { 0x7d4ed72a,0x4bf0c712,0xba1f79a3,0xda0e9264,0xf4c39ea4,0x48c0258b,
+        0x2a715138,0xa5394ed8,0xbf06c660,0x4af511ce,0xec5c37cd,0xfcebceef },
+      { 0x779ae8c1,0xf23b75aa,0xad1e606e,0xdeff59cc,0x22755c82,0xf3f526fd,
+        0xbb32cefd,0x64c5ab44,0x915bdefd,0xa96e11a2,0x1143813e,0xab19746a } },
+    /* 45 */
+    { { 0xec837d7d,0x43c78585,0xb8ee0ba4,0xca5b6fbc,0xd5dbb5ee,0x34e924d9,
+        0xbb4f1ca5,0x3f4fa104,0x398640f7,0x15458b72,0xd7f407ea,0x4231faa9 },
+      { 0xf96e6896,0x53e0661e,0xd03b0f9d,0x554e4c69,0x9c7858d1,0xd4fcb07b,
+        0x52cb04fa,0x7e952793,0x8974e7f7,0x5f5f1574,0x6b6d57c8,0x2e3fa558 } },
+    /* 46 */
+    { { 0x6a9951a8,0x42cd4803,0x42792ad0,0xa8b15b88,0xabb29a73,0x18e8bcf9,
+        0x409933e8,0xbfd9a092,0xefb88dc4,0x760a3594,0x40724458,0x14418863 },
+      { 0x99caedc7,0x162a56ee,0x91d101c9,0x8fb12ecd,0x393202da,0xea671967,
+        0xa4ccd796,0x1aac8c4a,0x1cf185a8,0x7db05036,0x8cfd095a,0x0c9f86cd } },
+    /* 47 */
+    { { 0x10b2a556,0x9a728147,0x327b70b2,0x767ca964,0x5e3799b7,0x04ed9e12,
+        0x22a3eb2a,0x6781d2dc,0x0d9450ac,0x5bd116eb,0xa7ebe08a,0xeccac1fc },
+      { 0xdc2d6e94,0xde68444f,0x35ecf21b,0x3621f429,0x29e03a2c,0x14e2d543,
+        0x7d3e7f0a,0x53e42cd5,0x73ed00b9,0xbba26c09,0xc57d2272,0x00297c39 } },
+    /* 48 */
+    { { 0xb8243a7d,0x3aaaab10,0x8fa58c5b,0x6eeef93e,0x9ae7f764,0xf866fca3,
+        0x61ab04d3,0x64105a26,0x03945d66,0xa3578d8a,0x791b848c,0xb08cd3e4 },
+      { 0x756d2411,0x45edc5f8,0xa755128c,0xd4a790d9,0x49e5f6a0,0xc2cf0963,
+        0xf649beaa,0xc66d267d,0x8467039e,0x3ce6d968,0x42f7816f,0x50046c6b } },
+    /* 49 */
+    { { 0x66425043,0x92ae1602,0xf08db890,0x1ff66afd,0x8f162ce5,0x386f5a7f,
+        0xfcf5598f,0x18d2dea0,0x1a8ca18e,0x78372b3a,0x8cd0e6f7,0xdf0d20eb },
+      { 0x75bb4045,0x7edd5e1d,0xb96d94b7,0x252a47ce,0x2c626776,0xbdb29358,
+        0x40dd1031,0x853c3943,0x7d5f47fd,0x9dc9becf,0xbae4044a,0x27c2302f } },
+    /* 50 */
+    { { 0x8f2d49ce,0x2d1d208a,0x162df0a2,0x0d91aa02,0x09a07f65,0x9c5cce87,
+        0x84339012,0xdf07238b,0x419442cd,0x5028e2c8,0x72062aba,0x2dcbd358 },
+      { 0xe4680967,0xb5fbc3cb,0x9f92d72c,0x2a7bc645,0x116c369d,0x806c76e1,
+        0x3177e8d8,0x5c50677a,0x4569df57,0x753739eb,0x36c3f40b,0x2d481ef6 } },
+    /* 51 */
+    { { 0xfea1103e,0x1a2d39fd,0x95f81b17,0xeaae5592,0xf59b264a,0xdbd0aa18,
+        0xcb592ee0,0x90c39c1a,0x9750cca3,0xdf62f80d,0xdf97cc6c,0xda4d8283 },
+      { 0x1e201067,0x0a6dd346,0x69fb1f6b,0x1531f859,0x1d60121f,0x4895e552,
+        0x4c041c91,0x0b21aab0,0xbcc1ccf8,0x9d896c46,0x3141bde7,0xd24da3b3 } },
+    /* 52 */
+    { { 0x53b0a354,0x575a0537,0x0c6ddcd8,0x392ff2f4,0x56157b94,0x0b8e8cff,
+        0x3b1b80d1,0x073e57bd,0x3fedee15,0x2a75e0f0,0xaa8e6f19,0x752380e4 },
+      { 0x6558ffe9,0x1f4e227c,0x19ec5415,0x3a348618,0xf7997085,0xab382d5e,
+        0xddc46ac2,0x5e6deaff,0xfc8d094c,0xe5144078,0xf60e37c6,0xf674fe51 } },
+    /* 53 */
+    { { 0xaf63408f,0x6fb87ae5,0xcd75a737,0xa39c36a9,0xcf4c618d,0x7833313f,
+        0xf034c88d,0xfbcd4482,0x39b35288,0x4469a761,0x66b5d9c9,0x77a711c5 },
+      { 0x944f8d65,0x4a695dc7,0x161aaba8,0xe6da5f65,0x24601669,0x8654e9c3,
+        0x28ae7491,0xbc8b93f5,0x8f5580d8,0x5f1d1e83,0xcea32cc8,0x8ccf9a1a } },
+    /* 54 */
+    { { 0x7196fee2,0x28ab110c,0x874c8945,0x75799d63,0x29aedadd,0xa2629348,
+        0x2be88ff4,0x9714cc7b,0xd58d60d6,0xf71293cf,0x32a564e9,0xda6b6cb3 },
+      { 0x3dd821c2,0xf43fddb1,0x90dd323d,0xf2f2785f,0x048489f8,0x91246419,
+        0xd24c6749,0x61660f26,0xc803c15c,0x961d9e8c,0xfaadc4c9,0x631c6158 } },
+    /* 55 */
+    { { 0xfd752366,0xacf2ebe0,0x139be88b,0xb93c340e,0x0f20179e,0x98f66485,
+        0xff1da785,0x14820254,0x4f85c16e,0x5278e276,0x7aab1913,0xa246ee45 },
+      { 0x53763b33,0x43861eb4,0x45c0bc0d,0xc49f03fc,0xad6b1ea1,0xafff16bc,
+        0x6fd49c99,0xce33908b,0xf7fde8c3,0x5c51e9bf,0xff142c5e,0x076a7a39 } },
+    /* 56 */
+    { { 0x9e338d10,0x04639dfe,0xf42b411b,0x8ee6996f,0xa875cef2,0x960461d1,
+        0x95b4d0ba,0x1057b6d6,0xa906e0bc,0x27639252,0xe1c20f8a,0x2c19f09a },
+      { 0xeef4c43d,0x5b8fc3f0,0x07a84aa9,0xe2e1b1a8,0x835d2bdb,0x5f455528,
+        0x207132dd,0x0f4aee4d,0x3907f675,0xe9f8338c,0x0e0531f0,0x7a874dc9 } },
+    /* 57 */
+    { { 0x97c27050,0x84b22d45,0x59e70bf8,0xbd0b8df7,0x79738b9b,0xb4d67405,
+        0xcd917c4f,0x47f4d5f5,0x13ce6e33,0x9099c4ce,0x521d0f8b,0x942bfd39 },
+      { 0xa43b566d,0x5028f0f6,0x21bff7de,0xaf6e8669,0xc44232cd,0x83f6f856,
+        0xf915069a,0x65680579,0xecfecb85,0xd12095a2,0xdb01ba16,0xcf7f06ae } },
+    /* 58 */
+    { { 0x8ef96c80,0x0f56e3c4,0x3ddb609c,0xd521f2b3,0x7dc1450d,0x2be94102,
+        0x02a91fe2,0x2d21a071,0x1efa37de,0x2e6f74fa,0x156c28a1,0x9a9a90b8 },
+      { 0x9dc7dfcb,0xc54ea9ea,0x2c2c1d62,0xc74e66fc,0x49d3e067,0x9f23f967,
+        0x54dd38ad,0x1c7c3a46,0x5946cee3,0xc7005884,0x45cc045d,0x89856368 } },
+    /* 59 */
+    { { 0xfce73946,0x29da7cd4,0x23168563,0x8f697db5,0xcba92ec6,0x8e235e9c,
+        0x9f91d3ea,0x55d4655f,0xaa50a6cd,0xf3689f23,0x21e6a1a0,0xdcf21c26 },
+      { 0x61b818bf,0xcffbc82e,0xda47a243,0xc74a2f96,0x8bc1a0cf,0x234e980a,
+        0x7929cb6d,0xf35fd6b5,0xefe17d6c,0x81468e12,0x58b2dafb,0xddea6ae5 } },
+    /* 60 */
+    { { 0x7e787b2e,0x294de887,0x39a9310d,0x258acc1f,0xac14265d,0x92d9714a,
+        0x708b48a0,0x18b5591c,0xe1abbf71,0x27cc6bb0,0x568307b9,0xc0581fa3 },
+      { 0xf24d4d58,0x9e0f58a3,0xe0ce2327,0xfebe9bb8,0x9d1be702,0x91fd6a41,
+        0xfacac993,0x9a7d8a45,0x9e50d66d,0xabc0a08c,0x06498201,0x02c342f7 } },
+    /* 61 */
+    { { 0x157bdbc2,0xccd71407,0xad0e1605,0x72fa89c6,0xb92a015f,0xb1d3da2b,
+        0xa0a3fe56,0x8ad9e7cd,0x24f06737,0x160edcbd,0x61275be6,0x79d4db33 },
+      { 0x5f3497c4,0xd3d31fd9,0x04192fb0,0x8cafeaee,0x13a50af3,0xe13ca745,
+        0x8c85aae5,0x18826167,0x9eb556ff,0xce06cea8,0xbdb549f3,0x2eef1995 } },
+    /* 62 */
+    { { 0x50596edc,0x8ed7d3eb,0x905243a2,0xaa359362,0xa4b6d02b,0xa212c2c2,
+        0xc4fbec68,0x611fd727,0xb84f733d,0x8a0b8ff7,0x5f0daf0e,0xd85a6b90 },
+      { 0xd4091cf7,0x60e899f5,0x2eff2768,0x4fef2b67,0x10c33964,0xc1f195cb,
+        0x93626a8f,0x8275d369,0x0d6c840a,0xc77904f4,0x7a868acd,0x88d8b7fd } },
+    /* 63 */
+    { { 0x7bd98425,0x85f23723,0xc70b154e,0xd4463992,0x96687a2e,0xcbb00ee2,
+        0xc83214fd,0x905fdbf7,0x13593684,0x2019d293,0xef51218e,0x0428c393 },
+      { 0x981e909a,0x40c7623f,0x7be192da,0x92513385,0x4010907e,0x48fe480f,
+        0x3120b459,0xdd7a187c,0xa1fd8f3c,0xc9d7702d,0xe358efc5,0x66e4753b } },
+    /* 64 */
+    { { 0x16973cf4,0x070d34e1,0x7e4f34f7,0x20aee08b,0x5eb8ad29,0x269af9b9,
+        0xa6a45dda,0xdde0a036,0x63df41e0,0xa18b528e,0xa260df2a,0x03cc71b2 },
+      { 0xa06b1dd7,0x24a6770a,0x9d2675d3,0x5bfa9c11,0x96844432,0x73c1e2a1,
+        0x131a6cf0,0x3660558d,0x2ee79454,0xb0289c83,0xc6d8ddcd,0xa6aefb01 } },
+    /* 65 */
+    { { 0x01ab5245,0xba1464b4,0xc48d93ff,0x9b8d0b6d,0x93ad272c,0x939867dc,
+        0xae9fdc77,0xbebe085e,0x894ea8bd,0x73ae5103,0x39ac22e1,0x740fc89a },
+      { 0x28e23b23,0x5e28b0a3,0xe13104d0,0x2352722e,0xb0a2640d,0xf4667a18,
+        0x49bb37c3,0xac74a72e,0xe81e183a,0x79f734f0,0x3fd9c0eb,0xbffe5b6c } },
+    /* 66 */
+    { { 0xc6a2123f,0xb1a358f5,0xfe28df6d,0x927b2d95,0xf199d2f9,0x89702753,
+        0x1a3f82dc,0x0a73754c,0x777affe1,0x063d029d,0xdae6d34d,0x5439817e },
+      { 0x6b8b83c4,0xf7979eef,0x9d945682,0x615cb214,0xc5e57eae,0x8f0e4fac,
+        0x113047dd,0x042b89b8,0x93f36508,0x888356dc,0x5fd1f32f,0xbf008d18 } },
+    /* 67 */
+    { { 0x4e8068db,0x8012aa24,0xa5729a47,0xc72cc641,0x43f0691d,0x3c33df2c,
+        0x1d92145f,0xfa057347,0xb97f7946,0xaefc0f2f,0x2f8121bf,0x813d75cb },
+      { 0x4383bba6,0x05613c72,0xa4224b3f,0xa924ce70,0x5f2179a6,0xe59cecbe,
+        0x79f62b61,0x78e2e8aa,0x53ad8079,0x3ac2cc3b,0xd8f4fa96,0x55518d71 } },
+    /* 68 */
+    { { 0x00623f3b,0x03cf2922,0x5f29ebff,0x095c7111,0x80aa6823,0x42d72247,
+        0x7458c0b0,0x044c7ba1,0x0959ec20,0xca62f7ef,0xf8ca929f,0x40ae2ab7 },
+      { 0xa927b102,0xb8c5377a,0xdc031771,0x398a86a0,0xc216a406,0x04908f9d,
+        0x918d3300,0xb423a73a,0xe0b94739,0x634b0ff1,0x2d69f697,0xe29de725 } },
+    /* 69 */
+    { { 0x8435af04,0x744d1400,0xfec192da,0x5f255b1d,0x336dc542,0x1f17dc12,
+        0x636a68a8,0x5c90c2a7,0x7704ca1e,0x960c9eb7,0x6fb3d65a,0x9de8cf1e },
+      { 0x511d3d06,0xc60fee0d,0xf9eb52c7,0x466e2313,0x206b0914,0x743c0f5f,
+        0x2191aa4d,0x42f55bac,0xffebdbc2,0xcefc7c8f,0xe6e8ed1c,0xd4fa6081 } },
+    /* 70 */
+    { { 0xb0ab9645,0xb5e405d3,0xd5f1f711,0xaeec7f98,0x585c2a6e,0x8ad42311,
+        0x512c6944,0x045acb9e,0xa90db1c6,0xae106c4e,0x898e6563,0xb89f33d5 },
+      { 0x7fed2ce4,0x43b07cd9,0xdd815b20,0xf9934e17,0x0a81a349,0x6778d4d5,
+        0x52918061,0x9e616ade,0xd7e67112,0xfa06db06,0x88488091,0x1da23cf1 } },
+    /* 71 */
+    { { 0x42f2c4b5,0x821c46b3,0x66059e47,0x931513ef,0x66f50cd1,0x7030ae43,
+        0x43e7b127,0x43b536c9,0x5fca5360,0x006258cf,0x6b557abf,0xe4e3ee79 },
+      { 0x24c8b22f,0xbb6b3900,0xfcbf1054,0x2eb5e2c1,0x567492af,0x937b18c9,
+        0xacf53957,0xf09432e4,0x1dbf3a56,0x585f5a9d,0xbe0887cf,0xf86751fd } },
+    /* 72 */
+    { { 0x9d10e0b2,0x157399cb,0x60dc51b7,0x1c0d5956,0x1f583090,0x1d496b8a,
+        0x88590484,0x6658bc26,0x03213f28,0x88c08ab7,0x7ae58de4,0x8d2e0f73 },
+      { 0x486cfee6,0x9b79bc95,0xe9e5bc57,0x036a26c7,0xcd8ae97a,0x1ad03601,
+        0xff3a0494,0x06907f87,0x2c7eb584,0x078f4bbf,0x7e8d0a5a,0xe3731bf5 } },
+    /* 73 */
+    { { 0xe1cd0abe,0x72f2282b,0x87efefa2,0xd4f9015e,0x6c3834bd,0x9d189806,
+        0xb8a29ced,0x9c8cdcc1,0xfee82ebc,0x0601b9f4,0x7206a756,0x371052bc },
+      { 0x46f32562,0x76fa1092,0x17351bb4,0xdaad534c,0xb3636bb5,0xc3d64c37,
+        0x45d54e00,0x038a8c51,0x32c09e7c,0x301e6180,0x95735151,0x9764eae7 } },
+    /* 74 */
+    { { 0xcbd5256a,0x8791b19f,0x6ca13a3b,0x4007e0f2,0x4cf06904,0x03b79460,
+        0xb6c17589,0xb18a9c22,0x81d45908,0xa1cb7d7d,0x21bb68f1,0x6e13fa9d },
+      { 0xa71e6e16,0x47183c62,0xe18749ed,0x5cf0ef8e,0x2e5ed409,0x2c9c7f9b,
+        0xe6e117e1,0x042eeacc,0x13fb5a7f,0xb86d4816,0xc9e5feb1,0xea1cf0ed } },
+    /* 75 */
+    { { 0xcea4cc9b,0x6e6573c9,0xafcec8f3,0x5417961d,0xa438b6f6,0x804bf02a,
+        0xdcd4ea88,0xb894b03c,0x3799571f,0xd0f807e9,0x862156e8,0x3466a7f5 },
+      { 0x56515664,0x51e59acd,0xa3c5eb0b,0x55b0f93c,0x6a4279db,0x84a06b02,
+        0xc5fae08e,0x5c850579,0xa663a1a2,0xcf07b8db,0xf46ffc8d,0x49a36bbc } },
+    /* 76 */
+    { { 0x46d93106,0xe47f5acc,0xaa897c9c,0x65b7ade0,0x12d7e4be,0x37cf4c94,
+        0xd4b2caa9,0xa2ae9b80,0xe60357a3,0x5e7ce09c,0xc8ecd5f9,0x29f77667 },
+      { 0xa8a0b1c5,0xdf6868f5,0x62978ad8,0x240858cf,0xdc0002a1,0x0f7ac101,
+        0xffe9aa05,0x1d28a9d7,0x5b962c97,0x744984d6,0x3d28c8b2,0xa8a7c00b } },
+    /* 77 */
+    { { 0xae11a338,0x7c58a852,0xd1af96e7,0xa78613f1,0x5355cc73,0x7e9767d2,
+        0x792a2de6,0x6ba37009,0x124386b2,0x7d60f618,0x11157674,0xab09b531 },
+      { 0x98eb9dd0,0x95a04841,0x15070328,0xe6c17acc,0x489c6e49,0xafc6da45,
+        0xbb211530,0xab45a60a,0x7d7ea933,0xc58d6592,0x095642c6,0xa3ef3c65 } },
+    /* 78 */
+    { { 0xdf010879,0x89d420e9,0x39576179,0x9d25255d,0xe39513b6,0x9cdefd50,
+        0xd5d1c313,0xe4efe45b,0x3f7af771,0xc0149de7,0x340ab06b,0x55a6b4f4 },
+      { 0xebeaf771,0xf1325251,0x878d4288,0x2ab44128,0x18e05afe,0xfcd5832e,
+        0xcc1fb62b,0xef52a348,0xc1c4792a,0x2bd08274,0x877c6dc7,0x345c5846 } },
+    /* 79 */
+    { { 0xbea65e90,0xde15ceb0,0x2416d99c,0x0987f72b,0xfd863dec,0x44db578d,
+        0xac6a3578,0xf617b74b,0xdb48e999,0x9e62bd7a,0xeab1a1be,0x877cae61 },
+      { 0x3a358610,0x23adddaa,0x325e2b07,0x2fc4d6d1,0x1585754e,0x897198f5,
+        0xb392b584,0xf741852c,0xb55f7de1,0x9927804c,0x1aa8efae,0xe9e6c4ed } },
+    /* 80 */
+    { { 0x98683186,0x867db639,0xddcc4ea9,0xfb5cf424,0xd4f0e7bd,0xcc9a7ffe,
+        0x7a779f7e,0x7c57f71c,0xd6b25ef2,0x90774079,0xb4081680,0x90eae903 },
+      { 0x0ee1fceb,0xdf2aae5e,0xe86c1a1f,0x3ff1da24,0xca193edf,0x80f587d6,
+        0xdc9b9d6a,0xa5695523,0x85920303,0x7b840900,0xba6dbdef,0x1efa4dfc } },
+    /* 81 */
+    { { 0xe0540015,0xfbd838f9,0xc39077dc,0x2c323946,0xad619124,0x8b1fb9e6,
+        0x0ca62ea8,0x9612440c,0x2dbe00ff,0x9ad9b52c,0xae197643,0xf52abaa1 },
+      { 0x2cac32ad,0xd0e89894,0x62a98f91,0xdfb79e42,0x276f55cb,0x65452ecf,
+        0x7ad23e12,0xdb1ac0d2,0xde4986f0,0xf68c5f6a,0x82ce327d,0x389ac37b } },
+    /* 82 */
+    { { 0xf8e60f5b,0x511188b4,0x48aa2ada,0x7fe67015,0x381abca2,0xdb333cb8,
+        0xdaf3fc97,0xb15e6d9d,0x36aabc03,0x4b24f6eb,0x72a748b4,0xc59789df },
+      { 0x29cf5279,0x26fcb8a5,0x01ad9a6c,0x7a3c6bfc,0x4b8bac9b,0x866cf88d,
+        0x9c80d041,0xf4c89989,0x70add148,0xf0a04241,0x45d81a41,0x5a02f479 } },
+    /* 83 */
+    { { 0xc1c90202,0xfa5c877c,0xf8ac7570,0xd099d440,0xd17881f7,0x428a5b1b,
+        0x5b2501d7,0x61e267db,0xf2e4465b,0xf889bf04,0x76aa4cb8,0x4da3ae08 },
+      { 0xe3e66861,0x3ef0fe26,0x3318b86d,0x5e772953,0x747396df,0xc3c35fbc,
+        0x439ffd37,0x5115a29c,0xb2d70374,0xbfc4bd97,0x56246b9d,0x088630ea } },
+    /* 84 */
+    { { 0xb8a9e8c9,0xcd96866d,0x5bb8091e,0xa11963b8,0x045b3cd2,0xc7f90d53,
+        0x80f36504,0x755a72b5,0x21d3751c,0x46f8b399,0x53c193de,0x4bffdc91 },
+      { 0xb89554e7,0xcd15c049,0xf7a26be6,0x353c6754,0xbd41d970,0x79602370,
+        0x12b176c0,0xde16470b,0x40c8809d,0x56ba1175,0xe435fb1e,0xe2db35c3 } },
+    /* 85 */
+    { { 0x6328e33f,0xd71e4aab,0xaf8136d1,0x5486782b,0x86d57231,0x07a4995f,
+        0x1651a968,0xf1f0a5bd,0x76803b6d,0xa5dc5b24,0x42dda935,0x5c587cbc },
+      { 0xbae8b4c0,0x2b6cdb32,0xb1331138,0x66d1598b,0x5d7e9614,0x4a23b2d2,
+        0x74a8c05d,0x93e402a6,0xda7ce82e,0x45ac94e6,0xe463d465,0xeb9f8281 } },
+    /* 86 */
+    { { 0xfecf5b9b,0x34e0f9d1,0xf206966a,0xa115b12b,0x1eaa0534,0x5591cf3b,
+        0xfb1558f9,0x5f0293cb,0x1bc703a5,0x1c8507a4,0x862c1f81,0x92e6b81c },
+      { 0xcdaf24e3,0xcc9ebc66,0x72fcfc70,0x68917ecd,0x8157ba48,0x6dc9a930,
+        0xb06ab2b2,0x5d425c08,0x36e929c4,0x362f8ce7,0x62e89324,0x09f6f57c } },
+    /* 87 */
+    { { 0xd29375fb,0x1c7d6b78,0xe35d1157,0xfabd851e,0x4243ea47,0xf6f62dcd,
+        0x8fe30b0f,0x1dd92460,0xffc6e709,0x08166dfa,0x0881e6a7,0xc6c4c693 },
+      { 0xd6a53fb0,0x20368f87,0x9eb4d1f9,0x38718e9f,0xafd7e790,0x03f08acd,
+        0x72fe2a1c,0x0835eb44,0x88076e5d,0x7e050903,0xa638e731,0x538f765e } },
+    /* 88 */
+    { { 0xc2663b4b,0x0e0249d9,0x47cd38dd,0xe700ab5b,0x2c46559f,0xb192559d,
+        0x4bcde66d,0x8f9f74a8,0x3e2aced5,0xad161523,0x3dd03a5b,0xc155c047 },
+      { 0x3be454eb,0x346a8799,0x83b7dccd,0x66ee94db,0xab9d2abe,0x1f6d8378,
+        0x7733f355,0x4a396dd2,0xf53553c2,0x419bd40a,0x731dd943,0xd0ead98d } },
+    /* 89 */
+    { { 0xec142408,0x908e0b0e,0x4114b310,0x98943cb9,0x1742b1d7,0x03dbf7d8,
+        0x693412f4,0xd270df6b,0x8f69e20c,0xc5065494,0x697e43a1,0xa76a90c3 },
+      { 0x4624825a,0xe0fa3384,0x8acc34c2,0x82e48c0b,0xe9a14f2b,0x7b24bd14,
+        0x4db30803,0x4f5dd5e2,0x932da0a3,0x0c77a9e7,0x74c653dc,0x20db90f2 } },
+    /* 90 */
+    { { 0x0e6c5fd9,0x261179b7,0x6c982eea,0xf8bec123,0xd4957b7e,0x47683338,
+        0x0a72f66a,0xcc47e664,0x1bad9350,0xbd54bf6a,0xf454e95a,0xdfbf4c6a },
+      { 0x6907f4fa,0x3f7a7afa,0x865ca735,0x7311fae0,0x2a496ada,0x24737ab8,
+        0x15feb79b,0x13e425f1,0xa1b93c21,0xe9e97c50,0x4ddd3eb5,0xb26b6eac } },
+    /* 91 */
+    { { 0x2a2e5f2b,0x81cab9f5,0xbf385ac4,0xf93caf29,0xc909963a,0xf4bf35c3,
+        0x74c9143c,0x081e7300,0xc281b4c5,0x3ea57fa8,0x9b340741,0xe497905c },
+      { 0x55ab3cfb,0xf556dd8a,0x518db6ad,0xd444b96b,0x5ef4b955,0x34f5425a,
+        0xecd26aa3,0xdda7a3ac,0xda655e97,0xb57da11b,0xc2024c70,0x02da3eff } },
+    /* 92 */
+    { { 0x6481d0d9,0xe24b0036,0x818fdfe2,0x3740dbe5,0x190fda00,0xc1fc1f45,
+        0x3cf27fde,0x329c9280,0x6934f43e,0x7435cb53,0x7884e8fe,0x2b505a5d },
+      { 0x711adcc9,0x6cfcc6a6,0x531e21e1,0xf034325c,0x9b2a8a99,0xa2f4a967,
+        0x3c21bdff,0x9d5f3842,0x31b57d66,0xb25c7811,0x0b8093b9,0xdb5344d8 } },
+    /* 93 */
+    { { 0xae50a2f5,0x0d72e667,0xe4a861d1,0x9b7f8d8a,0x330df1cb,0xa129f70f,
+        0xe04fefc3,0xe90aa5d7,0xe72c3ae1,0xff561ecb,0xcdb955fa,0x0d8fb428 },
+      { 0xd7663784,0xd2235f73,0x7e2c456a,0xc05baec6,0x2adbfccc,0xe5c292e4,
+        0xefb110d5,0x4fd17988,0xd19d49f3,0x27e57734,0x84f679fe,0x188ac4ce } },
+    /* 94 */
+    { { 0xa796c53e,0x7ee344cf,0x0868009b,0xbbf6074d,0x474a1295,0x1f1594f7,
+        0xac11632d,0x66776edc,0x04e2fa5a,0x1862278b,0xc854a89a,0x52665cf2 },
+      { 0x8104ab58,0x7e376464,0x7204fd6d,0x16775913,0x44ea1199,0x86ca06a5,
+        0x1c9240dd,0xaa3f765b,0x24746149,0x5f8501a9,0xdcd251d7,0x7b982e30 } },
+    /* 95 */
+    { { 0xc15f3060,0xe44e9efc,0xa87ebbe6,0x5ad62f2e,0xc79500d4,0x36499d41,
+        0x336fa9d1,0xa66d6dc0,0x5afd3b1f,0xf8afc495,0xe5c9822b,0x1d8ccb24 },
+      { 0x79d7584b,0x4031422b,0xea3f20dd,0xc54a0580,0x958468c5,0x3f837c8f,
+        0xfbea7735,0x3d82f110,0x7dffe2fc,0x679a8778,0x20704803,0x48eba63b } },
+    /* 96 */
+    { { 0xdf46e2f6,0x89b10d41,0x19514367,0x13ab57f8,0x1d469c87,0x067372b9,
+        0x4f6c5798,0x0c195afa,0x272c9acf,0xea43a12a,0x678abdac,0x9dadd8cb },
+      { 0xe182579a,0xcce56c6b,0x2d26c2d8,0x86febadb,0x2a44745c,0x1c668ee1,
+        0x98dc047a,0x580acd86,0x51b9ec2d,0x5a2b79cc,0x4054f6a0,0x007da608 } },
+    /* 97 */
+    { { 0x17b00dd0,0x9e3ca352,0x0e81a7a6,0x046779cb,0xd482d871,0xb999fef3,
+        0xd9233fbc,0xe6f38134,0xf48cd0e0,0x112c3001,0x3c6c66ae,0x934e7576 },
+      { 0xd73234dc,0xb44d4fc3,0x864eafc1,0xfcae2062,0x26bef21a,0x843afe25,
+        0xf3b75fdf,0x61355107,0x794c2e6b,0x8367a5aa,0x8548a372,0x3d2629b1 } },
+    /* 98 */
+    { { 0x437cfaf8,0x6230618f,0x2032c299,0x5b8742cb,0x2293643a,0x949f7247,
+        0x09464f79,0xb8040f1a,0x4f254143,0x049462d2,0x366c7e76,0xabd6b522 },
+      { 0xd5338f55,0x119b392b,0x01495a0c,0x1a80a9ce,0xf8d7537e,0xf3118ca7,
+        0x6bf4b762,0xb715adc2,0xa8482b6c,0x24506165,0x96a7c84d,0xd958d7c6 } },
+    /* 99 */
+    { { 0xbdc21f31,0x9ad8aa87,0x8063e58c,0xadb3cab4,0xb07dd7b8,0xefd86283,
+        0x1be7c6b4,0xc7b9b762,0x015582de,0x2ef58741,0x299addf3,0xc970c52e },
+      { 0x22f24d66,0x78f02e2a,0x74cc100a,0xefec1d10,0x09316e1a,0xaf2a6a39,
+        0x5849dd49,0xce7c2205,0x96bffc4c,0x9c1fe75c,0x7ba06ec0,0xcad98fd2 } },
+    /* 100 */
+    { { 0xb648b73e,0xed76e2d0,0x1cfd285e,0xa9f92ce5,0x2ed13de1,0xa8c86c06,
+        0xa5191a93,0x1d3a574e,0x1ad1b8bf,0x385cdf8b,0x47d2cfe3,0xbbecc28a },
+      { 0x69cec548,0x98d326c0,0xf240a0b2,0x4f5bc1dd,0x29057236,0x241a7062,
+        0xc68294a4,0x0fc6e9c5,0xa319f17a,0x4d04838b,0x9ffc1c6f,0x8b612cf1 } },
+    /* 101 */
+    { { 0x4c3830eb,0x9bb0b501,0x8ee0d0c5,0x3d08f83c,0x79ba9389,0xa4a62642,
+        0x9cbc2914,0x5d5d4044,0x074c46f0,0xae9eb83e,0x74ead7d6,0x63bb758f },
+      { 0xc6bb29e0,0x1c40d2ea,0x4b02f41e,0x95aa2d87,0x53cb199a,0x92989175,
+        0x51584f6d,0xdd91bafe,0x31a1aaec,0x3715efb9,0x46780f9e,0xc1b6ae5b } },
+    /* 102 */
+    { { 0x42772f41,0xcded3e4b,0x3bcb79d1,0x3a700d5d,0x80feee60,0x4430d50e,
+        0xf5e5d4bb,0x444ef1fc,0xe6e358ff,0xc660194f,0x6a91b43c,0xe68a2f32 },
+      { 0x977fe4d2,0x5842775c,0x7e2a41eb,0x78fdef5c,0xff8df00e,0x5f3bec02,
+        0x5852525d,0xf4b840cd,0x4e6988bd,0x0870483a,0xcc64b837,0x39499e39 } },
+    /* 103 */
+    { { 0xb08df5fe,0xfc05de80,0x63ba0362,0x0c12957c,0xd5cf1428,0xea379414,
+        0x54ef6216,0xc559132a,0xb9e65cf8,0x33d5f12f,0x1695d663,0x09c60278 },
+      { 0x61f7a2fb,0x3ac1ced4,0xd4f5eeb8,0xdd838444,0x8318fcad,0x82a38c6c,
+        0xe9f1a864,0x315be2e5,0x442daf47,0x317b5771,0x95aa5f9e,0x81b5904a } },
+    /* 104 */
+    { { 0x8b21d232,0x6b6b1c50,0x8c2cba75,0x87f3dbc0,0xae9f0faf,0xa7e74b46,
+        0xbb7b8079,0x036a0985,0x8d974a25,0x4f185b90,0xd9af5ec9,0x5aa7cef0 },
+      { 0x57dcfffc,0xe0566a70,0xb8453225,0x6ea311da,0x23368aa9,0x72ea1a8d,
+        0x48cd552d,0xed9b2083,0xc80ea435,0xb987967c,0x6c104173,0xad735c75 } },
+    /* 105 */
+    { { 0xcee76ef4,0xaea85ab3,0xaf1d2b93,0x44997444,0xeacb923f,0x0851929b,
+        0x51e3bc0c,0xb080b590,0x59be68a2,0xc4ee1d86,0x64b26cda,0xf00de219 },
+      { 0xf2e90d4d,0x8d7fb5c0,0x77d9ec64,0x00e219a7,0x5d1c491c,0xc4e6febd,
+        0x1a8f4585,0x080e3754,0x48d2af9c,0x4a9b86c8,0xb6679851,0x2ed70db6 } },
+    /* 106 */
+    { { 0x586f25cb,0xaee44116,0xa0fcf70f,0xf7b6861f,0x18a350e8,0x55d2cd20,
+        0x92dc286f,0x861bf3e5,0x6226aba7,0x9ab18ffa,0xa9857b03,0xd15827be },
+      { 0x92e6acef,0x26c1f547,0xac1fbac3,0x422c63c8,0xfcbfd71d,0xa2d8760d,
+        0xb2511224,0x35f6a539,0x048d1a21,0xbaa88fa1,0xebf999db,0x49f1abe9 } },
+    /* 107 */
+    { { 0xf7492b73,0x16f9f4f4,0xcb392b1a,0xcf28ec1e,0x69ca6ffc,0x45b130d4,
+        0xb72efa58,0x28ba8d40,0x5ca066f5,0xace987c7,0x4ad022eb,0x3e399246 },
+      { 0x752555bb,0x63a2d84e,0x9c2ae394,0xaaa93b4a,0xc89539ca,0xcd80424e,
+        0xaa119a99,0x6d6b5a6d,0x379f2629,0xbd50334c,0xef3cc7d3,0x899e925e } },
+    /* 108 */
+    { { 0xbf825dc4,0xb7ff3651,0x40b9c462,0x0f741cc4,0x5cc4fb5b,0x771ff5a9,
+        0x47fd56fe,0xcb9e9c9b,0x5626c0d3,0xbdf053db,0xf7e14098,0xa97ce675 },
+      { 0x6c934f5e,0x68afe5a3,0xccefc46f,0x6cd5e148,0xd7a88586,0xc7758570,
+        0xdd558d40,0x49978f5e,0x64ae00c1,0xa1d5088a,0xf1d65bb2,0x58f2a720 } },
+    /* 109 */
+    { { 0x3e4daedb,0x66fdda4a,0x65d1b052,0x38318c12,0x4c4bbf5c,0x28d910a2,
+        0x78a9cd14,0x762fe5c4,0xd2cc0aee,0x08e5ebaa,0xca0c654c,0xd2cdf257 },
+      { 0x08b717d2,0x48f7c58b,0x386cd07a,0x3807184a,0xae7d0112,0x3240f626,
+        0xc43917b0,0x03e9361b,0x20aea018,0xf261a876,0x7e1e6372,0x53f556a4 } },
+    /* 110 */
+    { { 0x2f512a90,0xc84cee56,0x1b0ea9f1,0x24b3c004,0xe26cc1ea,0x0ee15d2d,
+        0xf0c9ef7d,0xd848762c,0xd5341435,0x1026e9c5,0xfdb16b31,0x8f5b73dc },
+      { 0xd2c75d95,0x1f69bef2,0xbe064dda,0x8d33d581,0x57ed35e6,0x8c024c12,
+        0xc309c281,0xf8d435f9,0xd6960193,0xfd295061,0xe9e49541,0x66618d78 } },
+    /* 111 */
+    { { 0x8ce382de,0x571cfd45,0xde900dde,0x175806ee,0x34aba3b5,0x61849965,
+        0xde7aec95,0xe899778a,0xff4aa97f,0xe8f00f6e,0x010b0c6d,0xae971cb5 },
+      { 0x3af788f1,0x1827eebc,0xe413fe2d,0xd46229ff,0x4741c9b4,0x8a15455b,
+        0xf8e424eb,0x5f02e690,0xdae87712,0x40a1202e,0x64944f6d,0x49b3bda2 } },
+    /* 112 */
+    { { 0x035b2d69,0xd63c6067,0x6bed91b0,0xb507150d,0x7afb39b2,0x1f35f82f,
+        0x16012b66,0xb9bd9c01,0xed0a5f50,0x00d97960,0x2716f7c9,0xed705451 },
+      { 0x127abdb4,0x1576eff4,0xf01e701c,0x6850d698,0x3fc87e2f,0x9fa7d749,
+        0xb0ce3e48,0x0b6bcc6f,0xf7d8c1c0,0xf4fbe1f5,0x02719cc6,0xcf75230e } },
+    /* 113 */
+    { { 0x722d94ed,0x6761d6c2,0x3718820e,0xd1ec3f21,0x25d0e7c6,0x65a40b70,
+        0xbaf3cf31,0xd67f830e,0xb93ea430,0x633b3807,0x0bc96c69,0x17faa0ea },
+      { 0xdf866b98,0xe6bf3482,0xa9db52d4,0x205c1ee9,0xff9ab869,0x51ef9bbd,
+        0x75eeb985,0x3863dad1,0xd3cf442a,0xef216c3b,0xf9c8e321,0x3fb228e3 } },
+    /* 114 */
+    { { 0x0760ac07,0x94f9b70c,0x9d79bf4d,0xf3c9ccae,0xc5ffc83d,0x73cea084,
+        0xdc49c38e,0xef50f943,0xbc9e7330,0xf467a2ae,0x44ea7fba,0x5ee534b6 },
+      { 0x03609e7f,0x20cb6272,0x62fdc9f0,0x09844355,0x0f1457f7,0xaf5c8e58,
+        0xb4b25941,0xd1f50a6c,0x2ec82395,0x77cb247c,0xda3dca33,0xa5f3e1e5 } },
+    /* 115 */
+    { { 0x7d85fa94,0x023489d6,0x2db9ce47,0x0ba40537,0xaed7aad1,0x0fdf7a1f,
+        0x9a4ccb40,0xa57b0d73,0x5b18967c,0x48fcec99,0xb7274d24,0xf30b5b6e },
+      { 0xc81c5338,0x7ccb4773,0xa3ed6bd0,0xb85639e6,0x1d56eada,0x7d9df95f,
+        0x0a1607ad,0xe256d57f,0x957574d6,0x6da7ffdc,0x01c7a8c4,0x65f84046 } },
+    /* 116 */
+    { { 0xcba1e7f1,0x8d45d0cb,0x02b55f64,0xef0a08c0,0x17e19892,0x771ca31b,
+        0x4885907e,0xe1843ecb,0x364ce16a,0x67797ebc,0x8df4b338,0x816d2b2d },
+      { 0x39aa8671,0xe870b0e5,0xc102b5f5,0x9f0db3e4,0x1720c697,0x34296659,
+        0x613c0d2a,0x0ad4c89e,0x418ddd61,0x1af900b2,0xd336e20e,0xe087ca72 } },
+    /* 117 */
+    { { 0xaba10079,0x222831ff,0x6d64fff2,0x0dc5f87b,0x3e8cb330,0x44547907,
+        0x702a33fb,0xe815aaa2,0x5fba3215,0x338d6b2e,0x79f549c8,0x0f7535cb },
+      { 0x2ee95923,0x471ecd97,0xc6d1c09f,0x1e868b37,0xc666ef4e,0x2bc7b8ec,
+        0x808a4bfc,0xf5416589,0x3fbc4d2e,0xf23e9ee2,0x2d75125b,0x4357236c } },
+    /* 118 */
+    { { 0xba9cdb1b,0xfe176d95,0x2f82791e,0x45a1ca01,0x4de4cca2,0x97654af2,
+        0x5cc4bcb9,0xbdbf9d0e,0xad97ac0a,0xf6a7df50,0x61359fd6,0xc52112b0 },
+      { 0x4f05eae3,0x696d9ce3,0xe943ac2b,0x903adc02,0x0848be17,0xa9075347,
+        0x2a3973e5,0x1e20f170,0x6feb67e9,0xe1aacc1c,0xe16bc6b9,0x2ca0ac32 } },
+    /* 119 */
+    { { 0xef871eb5,0xffea12e4,0xa8bf0a7a,0x94c2f25d,0x78134eaa,0x4d1e4c2a,
+        0x0360fb10,0x11ed16fb,0x85fc11be,0x4029b6db,0xf4d390fa,0x5e9f7ab7 },
+      { 0x30646612,0x5076d72f,0xdda1d0d8,0xa0afed1d,0x85a1d103,0x29022257,
+        0x4e276bcd,0xcb499e17,0x51246c3d,0x16d1da71,0x589a0443,0xc72d56d3 } },
+    /* 120 */
+    { { 0xdae5bb45,0xdf5ffc74,0x261bd6dc,0x99068c4a,0xaa98ec7b,0xdc0afa7a,
+        0xf121e96d,0xedd2ee00,0x1414045c,0x163cc7be,0x335af50e,0xb0b1bbce },
+      { 0x01a06293,0xd440d785,0x6552e644,0xcdebab7c,0x8c757e46,0x48cb8dbc,
+        0x3cabe3cb,0x81f9cf78,0xb123f59a,0xddd02611,0xeeb3784d,0x3dc7b88e } },
+    /* 121 */
+    { { 0xc4741456,0xe1b8d398,0x6032a121,0xa9dfa902,0x1263245b,0x1cbfc86d,
+        0x5244718c,0xf411c762,0x05b0fc54,0x96521d54,0xdbaa4985,0x1afab46e },
+      { 0x8674b4ad,0xa75902ba,0x5ad87d12,0x486b43ad,0x36e0d099,0x72b1c736,
+        0xbb6cd6d6,0x39890e07,0x59bace4e,0x8128999c,0x7b535e33,0xd8da430b } },
+    /* 122 */
+    { { 0xc6b75791,0x39f65642,0x21806bfb,0x050947a6,0x1362ef84,0x0ca3e370,
+        0x8c3d2391,0x9bc60aed,0x732e1ddc,0x9b488671,0xa98ee077,0x12d10d9e },
+      { 0x3651b7dc,0xb6f2822d,0x80abd138,0x6345a5ba,0x472d3c84,0x62033262,
+        0xacc57527,0xd54a1d40,0x424447cb,0x6ea46b3a,0x2fb1a496,0x5bc41057 } },
+    /* 123 */
+    { { 0xa751cd0e,0xe70c57a3,0xeba3c7d6,0x190d8419,0x9d47d55a,0xb1c3bee7,
+        0xf912c6d8,0xda941266,0x407a6ad6,0x12e9aacc,0x6e838911,0xd6ce5f11 },
+      { 0x70e1f2ce,0x063ca97b,0x8213d434,0xa3e47c72,0x84df810a,0xa016e241,
+        0xdfd881a4,0x688ad7b0,0xa89bf0ad,0xa37d99fc,0xa23c2d23,0xd8e3f339 } },
+    /* 124 */
+    { { 0x750bed6f,0xbdf53163,0x83e68b0a,0x808abc32,0x5bb08a33,0x85a36627,
+        0x6b0e4abe,0xf72a3a0f,0xfaf0c6ad,0xf7716d19,0x5379b25f,0x22dcc020 },
+      { 0xf9a56e11,0x7400bf8d,0x56a47f21,0x6cb8bad7,0x7a6eb644,0x7c97176f,
+        0xd1f5b646,0xe8fd84f7,0x44ddb054,0x98320a94,0x1dde86f5,0x07071ba3 } },
+    /* 125 */
+    { { 0x98f8fcb9,0x6fdfa0e5,0x94d0d70c,0x89cec8e0,0x106d20a8,0xa0899397,
+        0xba8acc9c,0x915bfb9a,0x5507e01c,0x1370c94b,0x8a821ffb,0x83246a60 },
+      { 0xbe3c378f,0xa8273a9f,0x35a25be9,0x7e544789,0x4dd929d7,0x6cfa4972,
+        0x365bd878,0x987fed9d,0x5c29a7ae,0x4982ac94,0x5ddd7ec5,0x4589a5d7 } },
+    /* 126 */
+    { { 0xa95540a9,0x9fabb174,0x0162c5b0,0x7cfb886f,0xea3dee18,0x17be766b,
+        0xe88e624c,0xff7da41f,0x8b919c38,0xad0b71eb,0xf31ff9a9,0x86a522e0 },
+      { 0x868bc259,0xbc8e6f72,0x3ccef9e4,0x6130c638,0x9a466555,0x09f1f454,
+        0x19b2bfb4,0x8e6c0f09,0x0ca7bb22,0x945c46c9,0x4dafb67b,0xacd87168 } },
+    /* 127 */
+    { { 0x10c53841,0x090c72ca,0x55a4fced,0xc20ae01b,0xe10234ad,0x03f7ebd5,
+        0x85892064,0xb3f42a6a,0xb4a14722,0xbdbc30c0,0x8ca124cc,0x971bc437 },
+      { 0x517ff2ff,0x6f79f46d,0xecba947b,0x6a9c96e2,0x62925122,0x5e79f2f4,
+        0x6a4e91f1,0x30a96bb1,0x2d4c72da,0x1147c923,0x5811e4df,0x65bc311f } },
+    /* 128 */
+    { { 0x139b3239,0x87c7dd7d,0x4d833bae,0x8b57824e,0x9fff0015,0xbcbc4878,
+        0x909eaf1a,0x8ffcef8b,0xf1443a78,0x9905f4ee,0xe15cbfed,0x020dd4a2 },
+      { 0xa306d695,0xca2969ec,0xb93caf60,0xdf940cad,0x87ea6e39,0x67f7fab7,
+        0xf98c4fe5,0x0d0ee10f,0xc19cb91e,0xc646879a,0x7d1d7ab4,0x4b4ea50c } },
+    /* 129 */
+    { { 0x7a0db57e,0x19e40945,0x9a8c9702,0xe6017cad,0x1be5cff9,0xdbf739e5,
+        0xa7a938a2,0x3646b3cd,0x68350dfc,0x04511085,0x56e098b5,0xad3bd6f3 },
+      { 0xee2e3e3e,0x935ebabf,0x473926cb,0xfbd01702,0x9e9fb5aa,0x7c735b02,
+        0x2e3feff0,0xc52a1b85,0x046b405a,0x9199abd3,0x39039971,0xe306fcec } },
+    /* 130 */
+    { { 0x23e4712c,0xd6d9aec8,0xc3c198ee,0x7ca8376c,0x31bebd8a,0xe6d83187,
+        0xd88bfef3,0xed57aff3,0xcf44edc7,0x72a645ee,0x5cbb1517,0xd4e63d0b },
+      { 0xceee0ecf,0x98ce7a1c,0x5383ee8e,0x8f012633,0xa6b455e8,0x3b879078,
+        0xc7658c06,0xcbcd3d96,0x0783336a,0x721d6fe7,0x5a677136,0xf21a7263 } },
+    /* 131 */
+    { { 0x9586ba11,0x19d8b3cd,0x8a5c0480,0xd9e0aeb2,0x2230ef5c,0xe4261dbf,
+        0x02e6bf09,0x095a9dee,0x80dc7784,0x8963723c,0x145157b1,0x5c97dbaf },
+      { 0x4bc4503e,0x97e74434,0x85a6b370,0x0fb1cb31,0xcd205d4b,0x3e8df2be,
+        0xf8f765da,0x497dd1bc,0x6c988a1a,0x92ef95c7,0x64dc4cfa,0x3f924baa } },
+    /* 132 */
+    { { 0x7268b448,0x6bf1b8dd,0xefd79b94,0xd4c28ba1,0xe4e3551f,0x2fa1f8c8,
+        0x5c9187a9,0x769e3ad4,0x40326c0d,0x28843b4d,0x50d5d669,0xfefc8094 },
+      { 0x90339366,0x30c85bfd,0x5ccf6c3a,0x4eeb56f1,0x28ccd1dc,0x0e72b149,
+        0xf2ce978e,0x73ee85b5,0x3165bb23,0xcdeb2bf3,0x4e410abf,0x8106c923 } },
+    /* 133 */
+    { { 0x7d02f4ee,0xc8df0161,0x18e21225,0x8a781547,0x6acf9e40,0x4ea895eb,
+        0x6e5a633d,0x8b000cb5,0x7e981ffb,0xf31d86d5,0x4475bc32,0xf5c8029c },
+      { 0x1b568973,0x764561ce,0xa62996ec,0x2f809b81,0xda085408,0x9e513d64,
+        0xe61ce309,0xc27d815d,0x272999e0,0x0da6ff99,0xfead73f7,0xbd284779 } },
+    /* 134 */
+    { { 0x9b1cdf2b,0x6033c2f9,0xbc5fa151,0x2a99cf06,0x12177b3b,0x7d27d259,
+        0xc4485483,0xb1f15273,0x102e2297,0x5fd57d81,0xc7f6acb7,0x3d43e017 },
+      { 0x3a70eb28,0x41a8bb0b,0x3e80b06b,0x67de2d8e,0x70c28de5,0x09245a41,
+        0xa7b26023,0xad7dbcb1,0x2cbc6c1e,0x70b08a35,0x9b33041f,0xb504fb66 } },
+    /* 135 */
+    { { 0xf97a27c2,0xa8e85ab5,0xc10a011b,0x6ac5ec8b,0xffbcf161,0x55745533,
+        0x65790a60,0x01780e85,0x99ee75b0,0xe451bf85,0x39c29881,0x8907a63b },
+      { 0x260189ed,0x76d46738,0x47bd35cb,0x284a4436,0x20cab61e,0xd74e8c40,
+        0x416cf20a,0x6264bf8c,0x5fd820ce,0xfa5a6c95,0xf24bb5fc,0xfa7154d0 } },
+    /* 136 */
+    { { 0x9b3f5034,0x18482cec,0xcd9e68fd,0x962d445a,0x95746f23,0x266fb1d6,
+        0x58c94a4b,0xc66ade5a,0xed68a5b6,0xdbbda826,0x7ab0d6ae,0x05664a4d },
+      { 0x025e32fc,0xbcd4fe51,0xa96df252,0x61a5aebf,0x31592a31,0xd88a07e2,
+        0x98905517,0x5d9d94de,0x5fd440e7,0x96bb4010,0xe807db4c,0x1b0c47a2 } },
+    /* 137 */
+    { { 0x08223878,0x5c2a6ac8,0xe65a5558,0xba08c269,0x9bbc27fd,0xd22b1b9b,
+        0x72b9607d,0x919171bf,0xe588dc58,0x9ab455f9,0x23662d93,0x6d54916e },
+      { 0x3b1de0c1,0x8da8e938,0x804f278f,0xa84d186a,0xd3461695,0xbf4988cc,
+        0xe10eb0cb,0xf5eae3be,0xbf2a66ed,0x1ff8b68f,0xc305b570,0xa68daf67 } },
+    /* 138 */
+    { { 0x44b2e045,0xc1004cff,0x4b1c05d4,0x91b5e136,0x88a48a07,0x53ae4090,
+        0xea11bb1a,0x73fb2995,0x3d93a4ea,0x32048570,0x3bfc8a5f,0xcce45de8 },
+      { 0xc2b3106e,0xaff4a97e,0xb6848b4f,0x9069c630,0xed76241c,0xeda837a6,
+        0x6cc3f6cf,0x8a0daf13,0x3da018a8,0x199d049d,0xd9093ba3,0xf867c6b1 } },
+    /* 139 */
+    { { 0x56527296,0xe4d42a56,0xce71178d,0xae26c73d,0x6c251664,0x70a0adac,
+        0x5dc0ae1d,0x813483ae,0xdaab2daf,0x7574eacd,0xc2d55f4f,0xc56b52dc },
+      { 0x95f32923,0x872bc167,0x5bdd2a89,0x4be17581,0xa7699f00,0x9b57f1e7,
+        0x3ac2de02,0x5fcd9c72,0x92377739,0x83af3ba1,0xfc50b97f,0xa64d4e2b } },
+    /* 140 */
+    { { 0x0e552b40,0x2172dae2,0xd34d52e8,0x62f49725,0x07958f98,0x7930ee40,
+        0x751fdd74,0x56da2a90,0xf53e48c3,0xf1192834,0x8e53c343,0x34d2ac26 },
+      { 0x13111286,0x1073c218,0xda9d9827,0x201dac14,0xee95d378,0xec2c29db,
+        0x1f3ee0b1,0x9316f119,0x544ce71c,0x7890c9f0,0x27612127,0xd77138af } },
+    /* 141 */
+    { { 0x3b4ad1cd,0x78045e6d,0x4aa49bc1,0xcd86b94e,0xfd677a16,0x57e51f1d,
+        0xfa613697,0xd9290935,0x34f4d893,0x7a3f9593,0x5d5fcf9b,0x8c9c248b },
+      { 0x6f70d4e9,0x9f23a482,0x63190ae9,0x17273454,0x5b081a48,0x4bdd7c13,
+        0x28d65271,0x1e2de389,0xe5841d1f,0x0bbaaa25,0x746772e5,0xc4c18a79 } },
+    /* 142 */
+    { { 0x593375ac,0x10ee2681,0x7dd5e113,0x4f3288be,0x240f3538,0x9a97b2fb,
+        0x1de6b1e2,0xfa11089f,0x1351bc58,0x516da562,0x2dfa85b5,0x573b6119 },
+      { 0x6cba7df5,0x89e96683,0x8c28ab40,0xf299be15,0xad43fcbf,0xe91c9348,
+        0x9a1cefb3,0xe9bbc7cc,0x738b2775,0xc8add876,0x775eaa01,0x6e3b1f2e } },
+    /* 143 */
+    { { 0xb677788b,0x0365a888,0x3fd6173c,0x634ae8c4,0x9e498dbe,0x30498761,
+        0xc8f779ab,0x08c43e6d,0x4c09aca9,0x068ae384,0x2018d170,0x2380c70b },
+      { 0xa297c5ec,0xcf77fbc3,0xca457948,0xdacbc853,0x336bec7e,0x3690de04,
+        0x14eec461,0x26bbac64,0x1f713abf,0xd1c23c7e,0xe6fd569e,0xf08bbfcd } },
+    /* 144 */
+    { { 0x84770ee3,0x5f8163f4,0x744a1706,0x0e0c7f94,0xe1b2d46d,0x9c8f05f7,
+        0xd01fd99a,0x417eafe7,0x11440e5b,0x2ba15df5,0x91a6fbcf,0xdc5c552a },
+      { 0xa270f721,0x86271d74,0xa004485b,0x32c0a075,0x8defa075,0x9d1a87e3,
+        0xbf0d20fe,0xb590a7ac,0x8feda1f5,0x430c41c2,0x58f6ec24,0x454d2879 } },
+    /* 145 */
+    { { 0x7c525435,0x52b7a635,0x37c4bdbc,0x3d9ef57f,0xdffcc475,0x2bb93e9e,
+        0x7710f3be,0xf7b8ba98,0x21b727de,0x42ee86da,0x2e490d01,0x55ac3f19 },
+      { 0xc0c1c390,0x487e3a6e,0x446cde7b,0x036fb345,0x496ae951,0x089eb276,
+        0x71ed1234,0xedfed4d9,0x900f0b46,0x661b0dd5,0x8582f0d3,0x11bd6f1b } },
+    /* 146 */
+    { { 0x076bc9d1,0x5cf9350f,0xcf3cd2c3,0x15d903be,0x25af031c,0x21cfc8c2,
+        0x8b1cc657,0xe0ad3248,0x70014e87,0xdd9fb963,0x297f1658,0xf0f3a5a1 },
+      { 0xf1f703aa,0xbb908fba,0x2f6760ba,0x2f9cc420,0x66a38b51,0x00ceec66,
+        0x05d645da,0x4deda330,0xf7de3394,0xb9cf5c72,0x1ad4c906,0xaeef6502 } },
+    /* 147 */
+    { { 0x7a19045d,0x0583c8b1,0xd052824c,0xae7c3102,0xff6cfa58,0x2a234979,
+        0x62c733c0,0xfe9dffc9,0x9c0c4b09,0x3a7fa250,0x4fe21805,0x516437bb },
+      { 0xc2a23ddb,0x9454e3d5,0x289c104e,0x0726d887,0x4fd15243,0x8977d918,
+        0x6d7790ba,0xc559e73f,0x465af85f,0x8fd3e87d,0x5feee46b,0xa2615c74 } },
+    /* 148 */
+    { { 0x4335167d,0xc8d607a8,0xe0f5c887,0x8b42d804,0x398d11f9,0x5f9f13df,
+        0x20740c67,0x5aaa5087,0xa3d9234b,0x83da9a6a,0x2a54bad1,0xbd3a5c4e },
+      { 0x2db0f658,0xdd13914c,0x5a3f373a,0x29dcb66e,0x5245a72b,0xbfd62df5,
+        0x91e40847,0x19d18023,0xb136b1ae,0xd9df74db,0x3f93bc5b,0x72a06b6b } },
+    /* 149 */
+    { { 0xad19d96f,0x6da19ec3,0xfb2a4099,0xb342daa4,0x662271ea,0x0e61633a,
+        0xce8c054b,0x3bcece81,0x8bd62dc6,0x7cc8e061,0xee578d8b,0xae189e19 },
+      { 0xdced1eed,0x73e7a25d,0x7875d3ab,0xc1257f0a,0x1cfef026,0x2cb2d5a2,
+        0xb1fdf61c,0xd98ef39b,0x24e83e6c,0xcd8e6f69,0xc7b7088b,0xd71e7076 } },
+    /* 150 */
+    { { 0x9d4245bf,0x33936830,0x2ac2953b,0x22d96217,0x56c3c3cd,0xb3bf5a82,
+        0x0d0699e8,0x50c9be91,0x8f366459,0xec094463,0x513b7c35,0x6c056dba },
+      { 0x045ab0e3,0x687a6a83,0x445c9295,0x8d40b57f,0xa16f5954,0x0f345048,
+        0x3d8f0a87,0x64b5c639,0x9f71c5e2,0x106353a2,0x874f0dd4,0xdd58b475 } },
+    /* 151 */
+    { { 0x62230c72,0x67ec084f,0x481385e3,0xf14f6cca,0x4cda7774,0xf58bb407,
+        0xaa2dbb6b,0xe15011b1,0x0c035ab1,0xd488369d,0x8245f2fd,0xef83c24a },
+      { 0x9fdc2538,0xfb57328f,0x191fe46a,0x79808293,0x32ede548,0xe28f5c44,
+        0xea1a022c,0x1b3cda99,0x3df2ec7f,0x39e639b7,0x760e9a18,0x77b6272b } },
+    /* 152 */
+    { { 0xa65d56d5,0x2b1d51bd,0x7ea696e0,0x3a9b71f9,0x9904f4c4,0x95250ecc,
+        0xe75774b7,0x8bc4d6eb,0xeaeeb9aa,0x0e343f8a,0x930e04cb,0xc473c1d1 },
+      { 0x064cd8ae,0x282321b1,0x5562221c,0xf4b4371e,0xd1bf1221,0xc1cc81ec,
+        0xe2c8082f,0xa52a07a9,0xba64a958,0x350d8e59,0x6fb32c9a,0x29e4f3de } },
+    /* 153 */
+    { { 0xba89aaa5,0x0aa9d56c,0xc4c6059e,0xf0208ac0,0xbd6ddca4,0x7400d9c6,
+        0xf2c2f74a,0xb384e475,0xb1562dd3,0x4c1061fc,0x2e153b8d,0x3924e248 },
+      { 0x849808ab,0xf38b8d98,0xa491aa36,0x29bf3260,0x88220ede,0x85159ada,
+        0xbe5bc422,0x8b47915b,0xd7300967,0xa934d72e,0x2e515d0d,0xc4f30398 } },
+    /* 154 */
+    { { 0x1b1de38b,0xe3e9ee42,0x42636760,0xa124e25a,0x90165b1a,0x90bf73c0,
+        0x146434c5,0x21802a34,0x2e1fa109,0x54aa83f2,0xed9c51e9,0x1d4bd03c },
+      { 0x798751e6,0xc2d96a38,0x8c3507f5,0xed27235f,0xc8c24f88,0xb5fb80e2,
+        0xd37f4f78,0xf873eefa,0xf224ba96,0x7229fd74,0x9edd7149,0x9dcd9199 } },
+    /* 155 */
+    { { 0x4e94f22a,0xee9f81a6,0xf71ec341,0xe5609892,0xa998284e,0x6c818ddd,
+        0x3b54b098,0x9fd47295,0x0e8a7cc9,0x47a6ac03,0xb207a382,0xde684e5e },
+      { 0x2b6b956b,0x4bdd1ecd,0xf01b3583,0x09084414,0x55233b14,0xe2f80b32,
+        0xef5ebc5e,0x5a0fec54,0xbf8b29a2,0x74cf25e6,0x7f29e014,0x1c757fa0 } },
+    /* 156 */
+    { { 0xeb0fdfe4,0x1bcb5c4a,0xf0899367,0xd7c649b3,0x05bc083b,0xaef68e3f,
+        0xa78aa607,0x57a06e46,0x21223a44,0xa2136ecc,0x52f5a50b,0x89bd6484 },
+      { 0x4455f15a,0x724411b9,0x08a9c0fd,0x23dfa970,0x6db63bef,0x7b0da4d1,
+        0xfb162443,0x6f8a7ec1,0xe98284fb,0xc1ac9cee,0x33566022,0x085a582b } },
+    /* 157 */
+    { { 0xec1f138a,0x15cb61f9,0x668f0c28,0x11c9a230,0xdf93f38f,0xac829729,
+        0x4048848d,0xcef25698,0x2bba8fbf,0x3f686da0,0x111c619a,0xed5fea78 },
+      { 0xd6d1c833,0x9b4f73bc,0x86e7bf80,0x50951606,0x042b1d51,0xa2a73508,
+        0x5fb89ec2,0x9ef6ea49,0x5ef8b892,0xf1008ce9,0x9ae8568b,0x78a7e684 } },
+    /* 158 */
+    { { 0x10470cd8,0x3fe83a7c,0xf86df000,0x92734682,0xda9409b5,0xb5dac06b,
+        0x94939c5f,0x1e7a9660,0x5cc116dc,0xdec6c150,0x66bac8cc,0x1a52b408 },
+      { 0x6e864045,0x5303a365,0x9139efc1,0x45eae72a,0x6f31d54f,0x83bec646,
+        0x6e958a6d,0x2fb4a86f,0x4ff44030,0x6760718e,0xe91ae0df,0x008117e3 } },
+    /* 159 */
+    { { 0x384310a2,0x5d5833ba,0x1fd6c9fc,0xbdfb4edc,0x849c4fb8,0xb9a4f102,
+        0x581c1e1f,0xe5fb239a,0xd0a9746d,0xba44b2e7,0x3bd942b9,0x78f7b768 },
+      { 0xc87607ae,0x076c8ca1,0xd5caaa7e,0x82b23c2e,0x2763e461,0x6a581f39,
+        0x3886df11,0xca8a5e4a,0x264e7f22,0xc87e90cf,0x215cfcfc,0x04f74870 } },
+    /* 160 */
+    { { 0x141d161c,0x5285d116,0x93c4ed17,0x67cd2e0e,0x7c36187e,0x12c62a64,
+        0xed2584ca,0xf5329539,0x42fbbd69,0xc4c777c4,0x1bdfc50a,0x107de776 },
+      { 0xe96beebd,0x9976dcc5,0xa865a151,0xbe2aff95,0x9d8872af,0x0e0a9da1,
+        0xa63c17cc,0x5e357a3d,0xe15cc67c,0xd31fdfd8,0x7970c6d8,0xc44bbefd } },
+    /* 161 */
+    { { 0x4c0c62f1,0x703f83e2,0x4e195572,0x9b1e28ee,0xfe26cced,0x6a82858b,
+        0xc43638fa,0xd381c84b,0xa5ba43d8,0x94f72867,0x10b82743,0x3b4a783d },
+      { 0x7576451e,0xee1ad7b5,0x14b6b5c8,0xc3d0b597,0xfcacc1b8,0x3dc30954,
+        0x472c9d7b,0x55df110e,0x02f8a328,0x97c86ed7,0x88dc098f,0xd0433413 } },
+    /* 162 */
+    { { 0x2ca8f2fe,0x1a60d152,0x491bd41f,0x61640948,0x58dfe035,0x6dae29a5,
+        0x278e4863,0x9a615bea,0x9ad7c8e5,0xbbdb4477,0x2ceac2fc,0x1c706630 },
+      { 0x99699b4b,0x5e2b54c6,0x239e17e8,0xb509ca6d,0xea063a82,0x728165fe,
+        0xb6a22e02,0x6b5e609d,0xb26ee1df,0x12813905,0x439491fa,0x07b9f722 } },
+    /* 163 */
+    { { 0x48ff4e49,0x1592ec14,0x6d644129,0x3e4e9f17,0x1156acc0,0x7acf8288,
+        0xbb092b0b,0x5aa34ba8,0x7d38393d,0xcd0f9022,0xea4f8187,0x416724dd },
+      { 0xc0139e73,0x3c4e641c,0x91e4d87d,0xe0fe46cf,0xcab61f8a,0xedb3c792,
+        0xd3868753,0x4cb46de4,0x20f1098a,0xe449c21d,0xf5b8ea6e,0x5e5fd059 } },
+    /* 164 */
+    { { 0x75856031,0x7fcadd46,0xeaf2fbd0,0x89c7a4cd,0x7a87c480,0x1af523ce,
+        0x61d9ae90,0xe5fc1095,0xbcdb95f5,0x3fb5864f,0xbb5b2c7d,0xbeb5188e },
+      { 0x3ae65825,0x3d1563c3,0x0e57d641,0x116854c4,0x1942ebd3,0x11f73d34,
+        0xc06955b3,0x24dc5904,0x995a0a62,0x8a0d4c83,0x5d577b7d,0xfb26b86d } },
+    /* 165 */
+    { { 0xc686ae17,0xc53108e7,0xd1c1da56,0x9090d739,0x9aec50ae,0x4583b013,
+        0xa49a6ab2,0xdd9a088b,0xf382f850,0x28192eea,0xf5fe910e,0xcc8df756 },
+      { 0x9cab7630,0x877823a3,0xfb8e7fc1,0x64984a9a,0x364bfc16,0x5448ef9c,
+        0xc44e2a9a,0xbbb4f871,0x435c95e9,0x901a41ab,0xaaa50a06,0xc6c23e5f } },
+    /* 166 */
+    { { 0x9034d8dd,0xb78016c1,0x0b13e79b,0x856bb44b,0xb3241a05,0x85c6409a,
+        0x2d78ed21,0x8d2fe19a,0x726eddf2,0xdcc7c26d,0x25104f04,0x3ccaff5f },
+      { 0x6b21f843,0x397d7edc,0xe975de4c,0xda88e4dd,0x4f5ab69e,0x5273d396,
+        0x9aae6cc0,0x537680e3,0x3e6f9461,0xf749cce5,0x957bffd3,0x021ddbd9 } },
+    /* 167 */
+    { { 0x777233cf,0x7b64585f,0x0942a6f0,0xfe6771f6,0xdfe6eef0,0x636aba7a,
+        0x86038029,0x63bbeb56,0xde8fcf36,0xacee5842,0xd4a20524,0x48d9aa99 },
+      { 0x0da5e57a,0xcff7a74c,0xe549d6c9,0xc232593c,0xf0f2287b,0x68504bcc,
+        0xbc8360b5,0x6d7d098d,0x5b402f41,0xeac5f149,0xb87d1bf1,0x61936f11 } },
+    /* 168 */
+    { { 0xb8153a9d,0xaa9da167,0x9e83ecf0,0xa49fe3ac,0x1b661384,0x14c18f8e,
+        0x38434de1,0x61c24dab,0x283dae96,0x3d973c3a,0x82754fc9,0xc99baa01 },
+      { 0x4c26b1e3,0x477d198f,0xa7516202,0x12e8e186,0x362addfa,0x386e52f6,
+        0xc3962853,0x31e8f695,0x6aaedb60,0xdec2af13,0x29cf74ac,0xfcfdb4c6 } },
+    /* 169 */
+    { { 0xcca40298,0x6b3ee958,0xf2f5d195,0xc3878153,0xed2eae5b,0x0c565630,
+        0x3a697cf2,0xd089b37e,0xad5029ea,0xc2ed2ac7,0x0f0dda6a,0x7e5cdfad },
+      { 0xd9b86202,0xf98426df,0x4335e054,0xed1960b1,0x3f14639e,0x1fdb0246,
+        0x0db6c670,0x17f709c3,0x773421e1,0xbfc687ae,0x26c1a8ac,0x13fefc4a } },
+    /* 170 */
+    { { 0x7ffa0a5f,0xe361a198,0xc63fe109,0xf4b26102,0x6c74e111,0x264acbc5,
+        0x77abebaf,0x4af445fa,0x24cddb75,0x448c4fdd,0x44506eea,0x0b13157d },
+      { 0x72e9993d,0x22a6b159,0x85e5ecbe,0x2c3c57e4,0xfd83e1a1,0xa673560b,
+        0xc3b8c83b,0x6be23f82,0x40bbe38e,0x40b13a96,0xad17399b,0x66eea033 } },
+    /* 171 */
+    { { 0xb4c6c693,0x49fc6e95,0x36af7d38,0xefc735de,0x35fe42fc,0xe053343d,
+        0x6a9ab7c3,0xf0aa427c,0x4a0fcb24,0xc79f0436,0x93ebbc50,0x16287243 },
+      { 0x16927e1e,0x5c3d6bd0,0x673b984c,0x40158ed2,0x4cd48b9a,0xa7f86fc8,
+        0x60ea282d,0x1643eda6,0xe2a1beed,0x45b393ea,0x19571a94,0x664c839e } },
+    /* 172 */
+    { { 0x27eeaf94,0x57745750,0xea99e1e7,0x2875c925,0x5086adea,0xc127e7ba,
+        0x86fe424f,0x765252a0,0x2b6c0281,0x1143cc6c,0xd671312d,0xc9bb2989 },
+      { 0x51acb0a5,0x880c337c,0xd3c60f78,0xa3710915,0x9262b6ed,0x496113c0,
+        0x9ce48182,0x5d25d9f8,0xb3813586,0x53b6ad72,0x4c0e159c,0x0ea3bebc } },
+    /* 173 */
+    { { 0xc5e49bea,0xcaba450a,0x7c05da59,0x684e5415,0xde7ac36c,0xa2e9cab9,
+        0x2e6f957b,0x4ca79b5f,0x09b817b1,0xef7b0247,0x7d89df0f,0xeb304990 },
+      { 0x46fe5096,0x508f7307,0x2e04eaaf,0x695810e8,0x3512f76c,0x88ef1bd9,
+        0x3ebca06b,0x77661351,0xccf158b7,0xf7d4863a,0x94ee57da,0xb2a81e44 } },
+    /* 174 */
+    { { 0x6d53e6ba,0xff288e5b,0x14484ea2,0xa90de1a9,0xed33c8ec,0x2fadb60c,
+        0x28b66a40,0x579d6ef3,0xec24372d,0x4f2dd6dd,0x1d66ec7d,0xe9e33fc9 },
+      { 0x039eab6e,0x110899d2,0x3e97bb5e,0xa31a667a,0xcfdce68e,0x6200166d,
+        0x5137d54b,0xbe83ebae,0x4800acdf,0x085f7d87,0x0c6f8c86,0xcf4ab133 } },
+    /* 175 */
+    { { 0x931e08fb,0x03f65845,0x1506e2c0,0x6438551e,0x9c36961f,0x5791f0dc,
+        0xe3dcc916,0x68107b29,0xf495d2ca,0x83242374,0x6ee5895b,0xd8cfb663 },
+      { 0xa0349b1b,0x525e0f16,0x4a0fab86,0x33cd2c6c,0x2af8dda9,0x46c12ee8,
+        0x71e97ad3,0x7cc424ba,0x37621eb0,0x69766ddf,0xa5f0d390,0x95565f56 } },
+    /* 176 */
+    { { 0x1a0f5e94,0xe0e7bbf2,0x1d82d327,0xf771e115,0xceb111fa,0x10033e3d,
+        0xd3426638,0xd269744d,0x00d01ef6,0xbdf2d9da,0xa049ceaf,0x1cb80c71 },
+      { 0x9e21c677,0x17f18328,0x19c8f98b,0x6452af05,0x80b67997,0x35b9c5f7,
+        0x40f8f3d4,0x5c2e1cbe,0x66d667ca,0x43f91656,0xcf9d6e79,0x9faaa059 } },
+    /* 177 */
+    { { 0x0a078fe6,0x8ad24618,0x464fd1dd,0xf6cc73e6,0xc3e37448,0x4d2ce34d,
+        0xe3271b5f,0x624950c5,0xefc5af72,0x62910f5e,0xaa132bc6,0x8b585bf8 },
+      { 0xa839327f,0x11723985,0x4aac252f,0x34e2d27d,0x6296cc4e,0x402f59ef,
+        0x47053de9,0x00ae055c,0x28b4f09b,0xfc22a972,0xfa0c180e,0xa9e86264 } },
+    /* 178 */
+    { { 0xbc310ecc,0x0b7b6224,0x67fa14ed,0x8a1a74f1,0x7214395c,0x87dd0960,
+        0xf5c91128,0xdf1b3d09,0x86b264a8,0x39ff23c6,0x3e58d4c5,0xdc2d49d0 },
+      { 0xa9d6f501,0x2152b7d3,0xc04094f7,0xf4c32e24,0xd938990f,0xc6366596,
+        0x94fb207f,0x084d078f,0x328594cb,0xfd99f1d7,0xcb2d96b3,0x36defa64 } },
+    /* 179 */
+    { { 0x13ed7cbe,0x4619b781,0x9784bd0e,0x95e50015,0x2c7705fe,0x2a32251c,
+        0x5f0dd083,0xa376af99,0x0361a45b,0x55425c6c,0x1f291e7b,0x812d2cef },
+      { 0x5fd94972,0xccf581a0,0xe56dc383,0x26e20e39,0x63dbfbf0,0x0093685d,
+        0x36b8c575,0x1fc164cc,0x390ef5e7,0xb9c5ab81,0x26908c66,0x40086beb } },
+    /* 180 */
+    { { 0x37e3c115,0xe5e54f79,0xc1445a8a,0x69b8ee8c,0xb7659709,0x79aedff2,
+        0x1b46fbe6,0xe288e163,0xd18d7bb7,0xdb4844f0,0x48aa6424,0xe0ea23d0 },
+      { 0xf3d80a73,0x714c0e4e,0x3bd64f98,0x87a0aa9e,0x2ec63080,0x8844b8a8,
+        0x255d81a3,0xe0ac9c30,0x455397fc,0x86151237,0x2f820155,0x0b979464 } },
+    /* 181 */
+    { { 0x4ae03080,0x127a255a,0x580a89fb,0x232306b4,0x6416f539,0x04e8cd6a,
+        0x13b02a0e,0xaeb70dee,0x4c09684a,0xa3038cf8,0x28e433ee,0xa710ec3c },
+      { 0x681b1f7d,0x77a72567,0x2fc28170,0x86fbce95,0xf5735ac8,0xd3408683,
+        0x6bd68e93,0x3a324e2a,0xc027d155,0x7ec74353,0xd4427177,0xab60354c } },
+    /* 182 */
+    { { 0xef4c209d,0x32a5342a,0x08d62704,0x2ba75274,0xc825d5fe,0x4bb4af6f,
+        0xd28e7ff1,0x1c3919ce,0xde0340f6,0x1dfc2fdc,0x29f33ba9,0xc6580baf },
+      { 0x41d442cb,0xae121e75,0x3a4724e4,0x4c7727fd,0x524f3474,0xe556d6a4,
+        0x785642a2,0x87e13cc7,0xa17845fd,0x182efbb1,0x4e144857,0xdcec0cf1 } },
+    /* 183 */
+    { { 0xe9539819,0x1cb89541,0x9d94dbf1,0xc8cb3b4f,0x417da578,0x1d353f63,
+        0x8053a09e,0xb7a697fb,0xc35d8b78,0x8d841731,0xb656a7a9,0x85748d6f },
+      { 0xc1859c5d,0x1fd03947,0x535d22a2,0x6ce965c1,0x0ca3aadc,0x1966a13e,
+        0x4fb14eff,0x9802e41d,0x76dd3fcd,0xa9048cbb,0xe9455bba,0x89b182b5 } },
+    /* 184 */
+    { { 0x43360710,0xd777ad6a,0x55e9936b,0x841287ef,0x04a21b24,0xbaf5c670,
+        0x35ad86f1,0xf2c0725f,0xc707e72e,0x338fa650,0xd8883e52,0x2bf8ed2e },
+      { 0xb56e0d6a,0xb0212cf4,0x6843290c,0x50537e12,0x98b3dc6f,0xd8b184a1,
+        0x0210b722,0xd2be9a35,0x559781ee,0x407406db,0x0bc18534,0x5a78d591 } },
+    /* 185 */
+    { { 0xd748b02c,0x4d57aa2a,0xa12b3b95,0xbe5b3451,0x64711258,0xadca7a45,
+        0x322153db,0x597e091a,0x32eb1eab,0xf3271006,0x2873f301,0xbd9adcba },
+      { 0x38543f7f,0xd1dc79d1,0x921b1fef,0x00022092,0x1e5df8ed,0x86db3ef5,
+        0x9e6b944a,0x888cae04,0x791a32b4,0x71bd29ec,0xa6d1c13e,0xd3516206 } },
+    /* 186 */
+    { { 0x55924f43,0x2ef6b952,0x4f9de8d5,0xd2f401ae,0xadc68042,0xfc73e8d7,
+        0x0d9d1bb4,0x627ea70c,0xbbf35679,0xc3bb3e3e,0xd882dee4,0x7e8a254a },
+      { 0xb5924407,0x08906f50,0xa1ad444a,0xf14a0e61,0x65f3738e,0xaa0efa21,
+        0xae71f161,0xd60c7dd6,0xf175894d,0x9e8390fa,0x149f4c00,0xd115cd20 } },
+    /* 187 */
+    { { 0xa52abf77,0x2f2e2c1d,0x54232568,0xc2a0dca5,0x54966dcc,0xed423ea2,
+        0xcd0dd039,0xe48c93c7,0x176405c7,0x1e54a225,0x70d58f2e,0x1efb5b16 },
+      { 0x94fb1471,0xa751f9d9,0x67d2941d,0xfdb31e1f,0x53733698,0xa6c74eb2,
+        0x89a0f64a,0xd3155d11,0xa4b8d2b6,0x4414cfe4,0xf7a8e9e3,0x8d5a4be8 } },
+    /* 188 */
+    { { 0x52669e98,0x5c96b4d4,0x8fd42a03,0x4547f922,0xd285174e,0xcf5c1319,
+        0x064bffa0,0x805cd1ae,0x246d27e7,0x50e8bc4f,0xd5781e11,0xf89ef98f },
+      { 0xdee0b63f,0xb4ff95f6,0x222663a4,0xad850047,0x4d23ce9c,0x02691860,
+        0x50019f59,0x3e5309ce,0x69a508ae,0x27e6f722,0x267ba52c,0xe9376652 } },
+    /* 189 */
+    { { 0xc0368708,0xa04d289c,0x5e306e1d,0xc458872f,0x33112fea,0x76fa23de,
+        0x6efde42e,0x718e3974,0x1d206091,0xf0c98cdc,0x14a71987,0x5fa3ca62 },
+      { 0xdcaa9f2a,0xeee8188b,0x589a860d,0x312cc732,0xc63aeb1f,0xf9808dd6,
+        0x4ea62b53,0x70fd43db,0x890b6e97,0x2c2bfe34,0xfa426aa6,0x105f863c } },
+    /* 190 */
+    { { 0xb38059ad,0x0b29795d,0x90647ea0,0x5686b77e,0xdb473a3e,0xeff0470e,
+        0xf9b6d1e2,0x278d2340,0xbd594ec7,0xebbff95b,0xd3a7f23d,0xf4b72334 },
+      { 0xa5a83f0b,0x2a285980,0x9716a8b3,0x0786c41a,0x22511812,0x138901bd,
+        0xe2fede6e,0xd1b55221,0xdf4eb590,0x0806e264,0x762e462e,0x6c4c897e } },
+    /* 191 */
+    { { 0xb4b41d9d,0xd10b905f,0x4523a65b,0x826ca466,0xb699fa37,0x535bbd13,
+        0x73bc8f90,0x5b9933d7,0xcd2118ad,0x9332d61f,0xd4a65fd0,0x158c693e },
+      { 0xe6806e63,0x4ddfb2a8,0xb5de651b,0xe31ed3ec,0x819bc69a,0xf9460e51,
+        0x2c76b1f8,0x6229c0d6,0x901970a3,0xbb78f231,0x9cee72b8,0x31f3820f } },
+    /* 192 */
+    { { 0xc09e1c72,0xe931caf2,0x12990cf4,0x0715f298,0x943262d8,0x33aad81d,
+        0x73048d3f,0x5d292b7a,0xdc7415f6,0xb152aaa4,0x0fd19587,0xc3d10fd9 },
+      { 0x75ddadd0,0xf76b35c5,0x1e7b694c,0x9f5f4a51,0xc0663025,0x2f1ab7eb,
+        0x920260b0,0x01c9cc87,0x05d39da6,0xc4b1f61a,0xeb4a9c4e,0x6dcd76c4 } },
+    /* 193 */
+    { { 0xfdc83f01,0x0ba0916f,0x9553e4f9,0x354c8b44,0xffc5e622,0xa6cc511a,
+        0xe95be787,0xb954726a,0x75b41a62,0xcb048115,0xebfde989,0xfa2ae6cd },
+      { 0x0f24659a,0x6376bbc7,0x4c289c43,0x13a999fd,0xec9abd8b,0xc7134184,
+        0xa789ab04,0x28c02bf6,0xd3e526ec,0xff841ebc,0x640893a8,0x442b191e } },
+    /* 194 */
+    { { 0xfa2b6e20,0x4cac6c62,0xf6d69861,0x97f29e9b,0xbc96d12d,0x228ab1db,
+        0x5e8e108d,0x6eb91327,0x40771245,0xd4b3d4d1,0xca8a803a,0x61b20623 },
+      { 0xa6a560b1,0x2c2f3b41,0x3859fcf4,0x879e1d40,0x024dbfc3,0x7cdb5145,
+        0x3bfa5315,0x55d08f15,0xaa93823a,0x2f57d773,0xc6a2c9a2,0xa97f259c } },
+    /* 195 */
+    { { 0xe58edbbb,0xc306317b,0x79dfdf13,0x25ade51c,0x16d83dd6,0x6b5beaf1,
+        0x1dd8f925,0xe8038a44,0xb2a87b6b,0x7f00143c,0xf5b438de,0xa885d00d },
+      { 0xcf9e48bd,0xe9f76790,0xa5162768,0xf0bdf9f0,0xad7b57cb,0x0436709f,
+        0xf7c15db7,0x7e151c12,0x5d90ee3b,0x3514f022,0x2c361a8d,0x2e84e803 } },
+    /* 196 */
+    { { 0x563ec8d8,0x2277607d,0xe3934cb7,0xa661811f,0xf58fd5de,0x3ca72e7a,
+        0x62294c6a,0x7989da04,0xf6bbefe9,0x88b3708b,0x53ed7c82,0x0d524cf7 },
+      { 0x2f30c073,0x69f699ca,0x9dc1dcf3,0xf0fa264b,0x05f0aaf6,0x44ca4568,
+        0xd19b9baf,0x0f5b23c7,0xeabd1107,0x39193f41,0x2a7c9b83,0x9e3e10ad } },
+    /* 197 */
+    { { 0xd4ae972f,0xa90824f0,0xc6e846e7,0x43eef02b,0x29d2160a,0x7e460612,
+        0xfe604e91,0x29a178ac,0x4eb184b2,0x23056f04,0xeb54cdf4,0x4fcad55f },
+      { 0xae728d15,0xa0ff96f3,0xc6a00331,0x8a2680c6,0x7ee52556,0x5f84cae0,
+        0xc5a65dad,0x5e462c3a,0xe2d23f4f,0x5d2b81df,0xc5b1eb07,0x6e47301b } },
+    /* 198 */
+    { { 0xaf8219b9,0x77411d68,0x51b1907a,0xcb883ce6,0x101383b5,0x25c87e57,
+        0x982f970d,0x9c7d9859,0x118305d2,0xaa6abca5,0x9013a5db,0x725fed2f },
+      { 0xababd109,0x487cdbaf,0x87586528,0xc0f8cf56,0x8ad58254,0xa02591e6,
+        0xdebbd526,0xc071b1d1,0x961e7e31,0x927dfe8b,0x9263dfe1,0x55f895f9 } },
+    /* 199 */
+    { { 0xb175645b,0xf899b00d,0xb65b4b92,0x51f3a627,0xb67399ef,0xa2f3ac8d,
+        0xe400bc20,0xe717867f,0x1967b952,0x42cc9020,0x3ecd1de1,0x3d596751 },
+      { 0xdb979775,0xd41ebcde,0x6a2e7e88,0x99ba61bc,0x321504f2,0x039149a5,
+        0x27ba2fad,0xe7dc2314,0xb57d8368,0x9f556308,0x57da80a7,0x2b6d16c9 } },
+    /* 200 */
+    { { 0x279ad982,0x84af5e76,0x9c8b81a6,0x9bb4c92d,0x0e698e67,0xd79ad44e,
+        0x265fc167,0xe8be9048,0x0c3a4ccc,0xf135f7e6,0xb8863a33,0xa0a10d38 },
+      { 0xd386efd9,0xe197247c,0xb52346c2,0x0eefd3f9,0x78607bc8,0xc22415f9,
+        0x508674ce,0xa2a8f862,0xc8c9d607,0xa72ad09e,0x50fa764f,0xcd9f0ede } },
+    /* 201 */
+    { { 0xd1a46d4d,0x063391c7,0x9eb01693,0x2df51c11,0x849e83de,0xc5849800,
+        0x8ad08382,0x48fd09aa,0xaa742736,0xa405d873,0xe1f9600c,0xee49e61e },
+      { 0x48c76f73,0xd76676be,0x01274b2a,0xd9c100f6,0x83f8718d,0x110bb67c,
+        0x02fc0d73,0xec85a420,0x744656ad,0xc0449e1e,0x37d9939b,0x28ce7376 } },
+    /* 202 */
+    { { 0x44544ac7,0x97e9af72,0xba010426,0xf2c658d5,0xfb3adfbd,0x732dec39,
+        0xa2df0b07,0xd12faf91,0x2171e208,0x8ac26725,0x5b24fa54,0xf820cdc8 },
+      { 0x94f4cf77,0x307a6eea,0x944a33c6,0x18c783d2,0x0b741ac5,0x4b939d4c,
+        0x3ffbb6e4,0x1d7acd15,0x7a255e44,0x06a24858,0xce336d50,0x14fbc494 } },
+    /* 203 */
+    { { 0x51584e3c,0x9b920c0c,0xf7e54027,0xc7733c59,0x88422bbe,0xe24ce139,
+        0x523bd6ab,0x11ada812,0xb88e6def,0xde068800,0xfe8c582d,0x7b872671 },
+      { 0x7de53510,0x4e746f28,0xf7971968,0x492f8b99,0x7d928ac2,0x1ec80bc7,
+        0x432eb1b5,0xb3913e48,0x32028f6e,0xad084866,0x8fc2f38b,0x122bb835 } },
+    /* 204 */
+    { { 0x3b0b29c3,0x0a9f3b1e,0x4fa44151,0x837b6432,0x17b28ea7,0xb9905c92,
+        0x98451750,0xf39bc937,0xce8b6da1,0xcd383c24,0x010620b2,0x299f57db },
+      { 0x58afdce3,0x7b6ac396,0x3d05ef47,0xa15206b3,0xb9bb02ff,0xa0ae37e2,
+        0x9db3964c,0x107760ab,0x67954bea,0xe29de9a0,0x431c3f82,0x446a1ad8 } },
+    /* 205 */
+    { { 0x5c6b8195,0xc6fecea0,0xf49e71b9,0xd744a7c5,0x177a7ae7,0xa8e96acc,
+        0x358773a7,0x1a05746c,0x37567369,0xa4162146,0x87d1c971,0xaa0217f7 },
+      { 0x77fd3226,0x61e9d158,0xe4f600be,0x0f6f2304,0x7a6dff07,0xa9c4cebc,
+        0x09f12a24,0xd15afa01,0x8c863ee9,0x2bbadb22,0xe5eb8c78,0xa28290e4 } },
+    /* 206 */
+    { { 0x3e9de330,0x55b87fa0,0x195c145b,0x12b26066,0xa920bef0,0xe08536e0,
+        0x4d195adc,0x7bff6f2c,0x945f4187,0x7f319e9d,0xf892ce47,0xf9848863 },
+      { 0x4fe37657,0xd0efc1d3,0x5cf0e45a,0x3c58de82,0x8b0ccbbe,0x626ad21a,
+        0xaf952fc5,0xd2a31208,0xeb437357,0x81791995,0x98e95d4f,0x5f19d30f } },
+    /* 207 */
+    { { 0x0e6865bb,0x72e83d9a,0xf63456a6,0x22f5af3b,0x463c8d9e,0x409e9c73,
+        0xdfe6970e,0x40e9e578,0x711b91ca,0x876b6efa,0x942625a3,0x895512cf },
+      { 0xcb4e462b,0x84c8eda8,0x4412e7c8,0x84c0154a,0xceb7b71f,0x04325db1,
+        0x66f70877,0x1537dde3,0x1992b9ac,0xf3a09399,0xd498ae77,0xa7316606 } },
+    /* 208 */
+    { { 0xcad260f5,0x13990d2f,0xeec0e8c0,0x76c3be29,0x0f7bd7d5,0x7dc5bee0,
+        0xefebda4b,0x9be167d2,0x9122b87e,0xcce3dde6,0x82b5415c,0x75a28b09 },
+      { 0xe84607a6,0xf6810bcd,0x6f4dbf0d,0xc6d58128,0x1b4dafeb,0xfead577d,
+        0x066b28eb,0x9bc440b2,0x8b17e84b,0x53f1da97,0xcda9a575,0x0459504b } },
+    /* 209 */
+    { { 0x329e5836,0x13e39a02,0xf717269d,0x2c9e7d51,0xf26c963b,0xc5ac58d6,
+        0x79967bf5,0x3b0c6c43,0x55908d9d,0x60bbea3f,0xf07c9ad1,0xd84811e7 },
+      { 0x5bd20e4a,0xfe7609a7,0x0a70baa8,0xe4325dd2,0xb3600386,0x3711f370,
+        0xd0924302,0x97f9562f,0x4acc4436,0x040dc0c3,0xde79cdd4,0xfd6d725c } },
+    /* 210 */
+    { { 0xcf13eafb,0xb3efd0e3,0x5aa0ae5f,0x21009cbb,0x79022279,0xe480c553,
+        0xb2fc9a6d,0x755cf334,0x07096ae7,0x8564a5bf,0xbd238139,0xddd649d0 },
+      { 0x8a045041,0xd0de10b1,0xc957d572,0x6e05b413,0x4e0fb25c,0x5c5ff806,
+        0x641162fb,0xd933179b,0xe57439f9,0x42d48485,0x8a8d72aa,0x70c5bd0a } },
+    /* 211 */
+    { { 0x97bdf646,0xa7671738,0xab329f7c,0xaa1485b4,0xf8f25fdf,0xce3e11d6,
+        0xc6221824,0x76a3fc7e,0xf3924740,0x045f281f,0x96d13a9a,0x24557d4e },
+      { 0xdd4c27cd,0x875c804b,0x0f5c7fea,0x11c5f0f4,0xdc55ff7e,0xac8c880b,
+        0x1103f101,0x2acddec5,0xf99faa89,0x38341a21,0xce9d6b57,0xc7b67a2c } },
+    /* 212 */
+    { { 0x8e357586,0x9a0d724f,0xdf648da0,0x1d7f4ff5,0xfdee62a5,0x9c3e6c9b,
+        0x0389b372,0x0499cef0,0x98eab879,0xe904050d,0x6c051617,0xe8eef1b6 },
+      { 0xc37e3ca9,0xebf5bfeb,0xa4e0b91d,0x7c5e946d,0x2c4bea28,0x79097314,
+        0xee67b2b7,0x81f6c109,0xdafc5ede,0xaf237d9b,0x2abb04c7,0xd2e60201 } },
+    /* 213 */
+    { { 0x8a4f57bf,0x6156060c,0xff11182a,0xf9758696,0x6296ef00,0x8336773c,
+        0xff666899,0x9c054bce,0x719cd11c,0xd6a11611,0xdbe1acfa,0x9824a641 },
+      { 0xba89fd01,0x0b7b7a5f,0x889f79d8,0xf8d3b809,0xf578285c,0xc5e1ea08,
+        0xae6d8288,0x7ac74536,0x7521ef5f,0x5d37a200,0xb260a25d,0x5ecc4184 } },
+    /* 214 */
+    { { 0xa708c8d3,0xddcebb19,0xc63f81ec,0xe63ed04f,0x11873f95,0xd045f5a0,
+        0x79f276d5,0x3b5ad544,0x425ae5b3,0x81272a3d,0x10ce1605,0x8bfeb501 },
+      { 0x888228bf,0x4233809c,0xb2aff7df,0x4bd82acf,0x0cbd4a7f,0x9c68f180,
+        0x6b44323d,0xfcd77124,0x891db957,0x60c0fcf6,0x04da8f7f,0xcfbb4d89 } },
+    /* 215 */
+    { { 0x3b26139a,0x9a6a5df9,0xb2cc7eb8,0x3e076a83,0x5a964bcd,0x47a8e82d,
+        0xb9278d6b,0x8a4e2a39,0xe4443549,0x93506c98,0xf1e0d566,0x06497a8f },
+      { 0x2b1efa05,0x3dee8d99,0x45393e33,0x2da63ca8,0xcf0579ad,0xa4af7277,
+        0x3236d8ea,0xaf4b4639,0x32b617f5,0x6ccad95b,0xb88bb124,0xce76d8b8 } },
+    /* 216 */
+    { { 0x083843dc,0x63d2537a,0x1e4153b4,0x89eb3514,0xea9afc94,0x5175ebc4,
+        0x8ed1aed7,0x7a652580,0xd85e8297,0x67295611,0xb584b73d,0x8dd2d68b },
+      { 0x0133c3a4,0x237139e6,0x4bd278ea,0x9de838ab,0xc062fcd9,0xe829b072,
+        0x63ba8706,0x70730d4f,0xd3cd05ec,0x6080483f,0x0c85f84d,0x872ab5b8 } },
+    /* 217 */
+    { { 0x999d4d49,0xfc0776d3,0xec3f45e7,0xa3eb59de,0x0dae1fc1,0xbc990e44,
+        0xa15371ff,0x33596b1e,0x9bc7ab25,0xd447dcb2,0x35979582,0xcd5b63e9 },
+      { 0x77d1ff11,0xae3366fa,0xedee6903,0x59f28f05,0xa4433bf2,0x6f43fed1,
+        0xdf9ce00e,0x15409c9b,0xaca9c5dc,0x21b5cded,0x82d7bdb4,0xf9f33595 } },
+    /* 218 */
+    { { 0x9422c792,0x95944378,0xc958b8bf,0x239ea923,0xdf076541,0x4b61a247,
+        0xbb9fc544,0x4d29ce85,0x0b424559,0x9a692a67,0x0e486900,0x6e0ca5a0 },
+      { 0x85b3bece,0x6b79a782,0xc61f9892,0x41f35e39,0xae747f82,0xff82099a,
+        0xd0ca59d6,0x58c8ae3f,0x99406b5f,0x4ac930e2,0x9df24243,0x2ce04eb9 } },
+    /* 219 */
+    { { 0x1ac37b82,0x4366b994,0x25b04d83,0xff0c728d,0x19c47b7c,0x1f551361,
+        0xbeff13e7,0xdbf2d5ed,0xe12a683d,0xf78efd51,0x989cf9c4,0x82cd85b9 },
+      { 0xe0cb5d37,0xe23c6db6,0x72ee1a15,0x818aeebd,0x28771b14,0x8212aafd,
+        0x1def817d,0x7bc221d9,0x9445c51f,0xdac403a2,0x12c3746b,0x711b0517 } },
+    /* 220 */
+    { { 0x5ea99ecc,0x0ed9ed48,0xb8cab5e1,0xf799500d,0xb570cbdc,0xa8ec87dc,
+        0xd35dfaec,0x52cfb2c2,0x6e4d80a4,0x8d31fae2,0xdcdeabe5,0xe6a37dc9 },
+      { 0x1deca452,0x5d365a34,0x0d68b44e,0x09a5f8a5,0xa60744b1,0x59238ea5,
+        0xbb4249e9,0xf2fedc0d,0xa909b2e3,0xe395c74e,0x39388250,0xe156d1a5 } },
+    /* 221 */
+    { { 0x47181ae9,0xd796b3d0,0x44197808,0xbaf44ba8,0x34cf3fac,0xe6933094,
+        0xc3bd5c46,0x41aa6ade,0xeed947c6,0x4fda75d8,0x9ea5a525,0xacd9d412 },
+      { 0xd430301b,0x65cc55a3,0x7b52ea49,0x3c9a5bcf,0x159507f0,0x22d319cf,
+        0xde74a8dd,0x2ee0b9b5,0x877ac2b6,0x20c26a1e,0x92e7c314,0x387d73da } },
+    /* 222 */
+    { { 0x8cd3fdac,0x13c4833e,0x332e5b8e,0x76fcd473,0xe2fe1fd3,0xff671b4b,
+        0x5d98d8ec,0x4d734e8b,0x514bbc11,0xb1ead3c6,0x7b390494,0xd14ca858 },
+      { 0x5d2d37e9,0x95a443af,0x00464622,0x73c6ea73,0x15755044,0xa44aeb4b,
+        0xfab58fee,0xba3f8575,0xdc680a6f,0x9779dbc9,0x7b37ddfc,0xe1ee5f5a } },
+    /* 223 */
+    { { 0x12d29f46,0xcd0b4648,0x0ed53137,0x93295b0b,0x80bef6c9,0xbfe26094,
+        0x54248b00,0xa6565788,0x80e7f9c4,0x69c43fca,0xbe141ea1,0x2190837b },
+      { 0xa1b26cfb,0x875e159a,0x7affe852,0x90ca9f87,0x92ca598e,0x15e6550d,
+        0x1938ad11,0xe3e0945d,0x366ef937,0xef7636bb,0xb39869e5,0xb6034d0b } },
+    /* 224 */
+    { { 0x26d8356e,0x4d255e30,0xd314626f,0xf83666ed,0xd0c8ed64,0x421ddf61,
+        0x26677b61,0x96e473c5,0x9e9b18b3,0xdad4af7e,0xa9393f75,0xfceffd4a },
+      { 0x11c731d5,0x843138a1,0xb2f141d9,0x05bcb3a1,0x617b7671,0x20e1fa95,
+        0x88ccec7b,0xbefce812,0x90f1b568,0x582073dc,0x1f055cb7,0xf572261a } },
+    /* 225 */
+    { { 0x36973088,0xf3148277,0x86a9f980,0xc008e708,0xe046c261,0x1b795947,
+        0xca76bca0,0xdf1e6a7d,0x71acddf0,0xabafd886,0x1364d8f4,0xff7054d9 },
+      { 0xe2260594,0x2cf63547,0xd73b277e,0x468a5372,0xef9bd35e,0xc7419e24,
+        0x24043cc3,0x2b4a1c20,0x890b39cd,0xa28f047a,0x46f9a2e3,0xdca2cea1 } },
+    /* 226 */
+    { { 0x53277538,0xab788736,0xcf697738,0xa734e225,0x6b22e2c1,0x66ee1d1e,
+        0xebe1d212,0x2c615389,0x02bb0766,0xf36cad40,0x3e64f207,0x120885c3 },
+      { 0x90fbfec2,0x59e77d56,0xd7a574ae,0xf9e781aa,0x5d045e53,0x801410b0,
+        0xa91b5f0e,0xd3b5f0aa,0x7fbb3521,0xb3d1df00,0xc72bee9a,0x11c4b33e } },
+    /* 227 */
+    { { 0x83c3a7f3,0xd32b9832,0x88d8a354,0x8083abcf,0x50f4ec5a,0xdeb16404,
+        0x641e2907,0x18d747f0,0xf1bbf03e,0x4e8978ae,0x88a0cd89,0x932447dc },
+      { 0xcf3d5897,0x561e0feb,0x13600e6d,0xfc3a682f,0xd16a6b73,0xc78b9d73,
+        0xd29bf580,0xe713fede,0x08d69e5c,0x0a225223,0x1ff7fda4,0x3a924a57 } },
+    /* 228 */
+    { { 0xb4093bee,0xfb64554c,0xa58c6ec0,0xa6d65a25,0x43d0ed37,0x4126994d,
+        0x55152d44,0xa5689a51,0x284caa8d,0xb8e5ea8c,0xd1f25538,0x33f05d4f },
+      { 0x1b615d6e,0xe0fdfe09,0x705507da,0x2ded7e8f,0x17bbcc80,0xdd5631e5,
+        0x267fd11f,0x4f87453e,0xff89d62d,0xc6da723f,0xe3cda21d,0x55cbcae2 } },
+    /* 229 */
+    { { 0x6b4e84f3,0x336bc94e,0x4ef72c35,0x72863031,0xeeb57f99,0x6d85fdee,
+        0xa42ece1b,0x7f4e3272,0x36f0320a,0x7f86cbb5,0x923331e6,0xf09b6a2b },
+      { 0x56778435,0x21d3ecf1,0x8323b2d2,0x2977ba99,0x1704bc0f,0x6a1b57fb,
+        0x389f048a,0xd777cf8b,0xac6b42cd,0x9ce2174f,0x09e6c55a,0x404e2bff } },
+    /* 230 */
+    { { 0x204c5ddb,0x9b9b135e,0x3eff550e,0x9dbfe044,0xec3be0f6,0x35eab4bf,
+        0x0a43e56f,0x8b4c3f0d,0x0e73f9b3,0x4c1c6673,0x2c78c905,0x92ed38bd },
+      { 0xa386e27c,0xc7003f6a,0xaced8507,0xb9c4f46f,0x59df5464,0xea024ec8,
+        0x429572ea,0x4af96152,0xe1fc1194,0x279cd5e2,0x281e358c,0xaa376a03 } },
+    /* 231 */
+    { { 0x3cdbc95c,0x07859223,0xef2e337a,0xaae1aa6a,0x472a8544,0xc040108d,
+        0x8d037b7d,0x80c853e6,0x8c7eee24,0xd221315c,0x8ee47752,0x195d3856 },
+      { 0xdacd7fbe,0xd4b1ba03,0xd3e0c52b,0x4b5ac61e,0x6aab7b52,0x68d3c052,
+        0x660e3fea,0xf0d7248c,0x3145efb4,0xafdb3f89,0x8f40936d,0xa73fd9a3 } },
+    /* 232 */
+    { { 0xbb1b17ce,0x891b9ef3,0xc6127f31,0x14023667,0x305521fd,0x12b2e58d,
+        0xe3508088,0x3a47e449,0xff751507,0xe49fc84b,0x5310d16e,0x4023f722 },
+      { 0xb73399fa,0xa608e5ed,0xd532aa3e,0xf12632d8,0x845e8415,0x13a2758e,
+        0x1fc2d861,0xae4b6f85,0x339d02f2,0x3879f5b1,0x80d99ebd,0x446d22a6 } },
+    /* 233 */
+    { { 0x4be164f1,0x0f502302,0x88b81920,0x8d09d2d6,0x984aceff,0x514056f1,
+        0x75e9e80d,0xa5c4ddf0,0xdf496a93,0x38cb47e6,0x38df6bf7,0x899e1d6b },
+      { 0xb59eb2a6,0x69e87e88,0x9b47f38b,0x280d9d63,0x3654e955,0x599411ea,
+        0x969aa581,0xcf8dd4fd,0x530742a7,0xff5c2baf,0x1a373085,0xa4391536 } },
+    /* 234 */
+    { { 0xa8a4bdd2,0x6ace72a3,0xb68ef702,0xc656cdd1,0x90c4dad8,0xd4a33e7e,
+        0x9d951c50,0x4aece08a,0x085d68e6,0xea8005ae,0x6f7502b8,0xfdd7a7d7 },
+      { 0x98d6fa45,0xce6fb0a6,0x1104eb8c,0x228f8672,0xda09d7dc,0xd23d8787,
+        0x2ae93065,0x5521428b,0xea56c366,0x95faba3d,0x0a88aca5,0xedbe5039 } },
+    /* 235 */
+    { { 0xbfb26c82,0xd64da0ad,0x952c2f9c,0xe5d70b3c,0xf7e77f68,0xf5e8f365,
+        0x08f2d695,0x7234e002,0xd12e7be6,0xfaf900ee,0x4acf734e,0x27dc6934 },
+      { 0xc260a46a,0x80e4ff5e,0x2dc31c28,0x7da5ebce,0xca69f552,0x485c5d73,
+        0x69cc84c2,0xcdfb6b29,0xed6d4eca,0x031c5afe,0x22247637,0xc7bbf4c8 } },
+    /* 236 */
+    { { 0x49fe01b2,0x9d5b72c7,0x793a91b8,0x34785186,0xcf460438,0xa3ba3c54,
+        0x3ab21b6f,0x73e8e43d,0xbe57b8ab,0x50cde8e0,0xdd204264,0x6488b3a7 },
+      { 0xdddc4582,0xa9e398b3,0x5bec46fe,0x1698c1a9,0x156d3843,0x7f1446ef,
+        0x770329a2,0x3fd25dd8,0x2c710668,0x05b1221a,0xa72ee6cf,0x65b2dc2a } },
+    /* 237 */
+    { { 0xcd021d63,0x21a885f7,0xfea61f08,0x3f344b15,0xc5cf73e6,0xad5ba6dd,
+        0x227a8b23,0x154d0d8f,0xdc559311,0x9b74373c,0x98620fa1,0x4feab715 },
+      { 0x7d9ec924,0x5098938e,0x6d47e550,0x84d54a5e,0x1b617506,0x1a2d1bdc,
+        0x615868a4,0x99fe1782,0x3005a924,0x171da780,0x7d8f79b6,0xa70bf5ed } },
+    /* 238 */
+    { { 0xfe2216c5,0x0bc1250d,0x7601b351,0x2c37e250,0xd6f06b7e,0xb6300175,
+        0x8bfeb9b7,0x4dde8ca1,0xb82f843d,0x4f210432,0xb1ac0afd,0x8d70e2f9 },
+      { 0xaae91abb,0x25c73b78,0x863028f2,0x0230dca3,0xe5cf30b7,0x8b923ecf,
+        0x5506f265,0xed754ec2,0x729a5e39,0x8e41b88c,0xbabf889b,0xee67cec2 } },
+    /* 239 */
+    { { 0x1be46c65,0xe183acf5,0xe7565d7a,0x9789538f,0xd9627b4e,0x87873391,
+        0x9f1d9187,0xbf4ac4c1,0x4691f5c8,0x5db99f63,0x74a1fb98,0xa68df803 },
+      { 0xbf92b5fa,0x3c448ed1,0x3e0bdc32,0xa098c841,0x79bf016c,0x8e74cd55,
+        0x115e244d,0x5df0d09c,0x3410b66e,0x9418ad01,0x17a02130,0x8b6124cb } },
+    /* 240 */
+    { { 0xc26e3392,0x425ec3af,0xa1722e00,0xc07f8470,0xe2356b43,0xdcc28190,
+        0xb1ef59a6,0x4ed97dff,0xc63028c1,0xc22b3ad1,0x68c18988,0x070723c2 },
+      { 0x4cf49e7d,0x70da302f,0x3f12a522,0xc5e87c93,0x18594148,0x74acdd1d,
+        0xca74124c,0xad5f73ab,0xd69fd478,0xe72e4a3e,0x7b117cc3,0x61593868 } },
+    /* 241 */
+    { { 0xa9aa0486,0x7b7b9577,0xa063d557,0x6e41fb35,0xda9047d7,0xb017d5c7,
+        0x68a87ba9,0x8c748280,0xdf08ad93,0xab45fa5c,0x4c288a28,0xcd9fb217 },
+      { 0x5747843d,0x59544642,0xa56111e3,0x34d64c6c,0x4bfce8d5,0x12e47ea1,
+        0x6169267f,0x17740e05,0xeed03fb5,0x5c49438e,0x4fc3f513,0x9da30add } },
+    /* 242 */
+    { { 0xccfa5200,0xc4e85282,0x6a19b13d,0x2707608f,0xf5726e2f,0xdcb9a53d,
+        0xe9427de5,0x612407c9,0xd54d582a,0x3e5a17e1,0x655ae118,0xb99877de },
+      { 0x015254de,0x6f0e972b,0xf0a6f7c5,0x92a56db1,0xa656f8b2,0xd297e4e1,
+        0xad981983,0x99fe0052,0x07cfed84,0xd3652d2f,0x843c1738,0xc784352e } },
+    /* 243 */
+    { { 0x7e9b2d8a,0x6ee90af0,0x57cf1964,0xac8d7018,0x71f28efc,0xf6ed9031,
+        0x6812b20e,0x7f70d5a9,0xf1c61eee,0x27b557f4,0xc6263758,0xf1c9bd57 },
+      { 0x2a1a6194,0x5cf7d014,0x1890ab84,0xdd614e0b,0x0e93c2a6,0x3ef9de10,
+        0xe0cd91c5,0xf98cf575,0x14befc32,0x504ec0c6,0x6279d68c,0xd0513a66 } },
+    /* 244 */
+    { { 0xa859fb6a,0xa8eadbad,0xdb283666,0xcf8346e7,0x3e22e355,0x7b35e61a,
+        0x99639c6b,0x293ece2c,0x56f241c8,0xfa0162e2,0xbf7a1dda,0xd2e6c7b9 },
+      { 0x40075e63,0xd0de6253,0xf9ec8286,0x2405aa61,0x8fe45494,0x2237830a,
+        0x364e9c8c,0x4fd01ac7,0x904ba750,0x4d9c3d21,0xaf1b520b,0xd589be14 } },
+    /* 245 */
+    { { 0x4662e53b,0x13576a4f,0xf9077676,0x35ec2f51,0x97c0af97,0x66297d13,
+        0x9e598b58,0xed3201fe,0x5e70f604,0x49bc752a,0xbb12d951,0xb54af535 },
+      { 0x212c1c76,0x36ea4c2b,0xeb250dfd,0x18f5bbc7,0x9a0a1a46,0xa0d466cc,
+        0xdac2d917,0x52564da4,0x8e95fab5,0x206559f4,0x9ca67a33,0x7487c190 } },
+    /* 246 */
+    { { 0xdde98e9c,0x75abfe37,0x2a411199,0x99b90b26,0xdcdb1f7c,0x1b410996,
+        0x8b3b5675,0xab346f11,0xf1f8ae1e,0x04852193,0x6b8b98c1,0x1ec4d227 },
+      { 0x45452baa,0xba3bc926,0xacc4a572,0x387d1858,0xe51f171e,0x9478eff6,
+        0x931e1c00,0xf357077d,0xe54c8ca8,0xffee77cd,0x551dc9a4,0xfb4892ff } },
+    /* 247 */
+    { { 0x2db8dff8,0x5b1bdad0,0x5a2285a2,0xd462f4fd,0xda00b461,0x1d6aad8e,
+        0x41306d1b,0x43fbefcf,0x6a13fe19,0x428e86f3,0x17f89404,0xc8b2f118 },
+      { 0xf0d51afb,0x762528aa,0x549b1d06,0xa3e2fea4,0xea3ddf66,0x86fad8f2,
+        0x4fbdd206,0x0d9ccc4b,0xc189ff5a,0xcde97d4c,0x199f19a6,0xc36793d6 } },
+    /* 248 */
+    { { 0x51b85197,0xea38909b,0xb4c92895,0xffb17dd0,0x1ddb3f3f,0x0eb0878b,
+        0xc57cf0f2,0xb05d28ff,0x1abd57e2,0xd8bde2e7,0xc40c1b20,0x7f2be28d },
+      { 0x299a2d48,0x6554dca2,0x8377982d,0x5130ba2e,0x1071971a,0x8863205f,
+        0x7cf2825d,0x15ee6282,0x03748f2b,0xd4b6c57f,0x430385a0,0xa9e3f4da } },
+    /* 249 */
+    { { 0x83fbc9c6,0x33eb7cec,0x4541777e,0x24a311c7,0x4f0767fc,0xc81377f7,
+        0x4ab702da,0x12adae36,0x2a779696,0xb7fcb6db,0x01cea6ad,0x4a6fb284 },
+      { 0xcdfc73de,0x5e8b1d2a,0x1b02fd32,0xd0efae8d,0xd81d8519,0x3f99c190,
+        0xfc808971,0x3c18f7fa,0x51b7ae7b,0x41f713e7,0xf07fc3f8,0x0a4b3435 } },
+    /* 250 */
+    { { 0x019b7d2e,0x7dda3c4c,0xd4dc4b89,0x631c8d1a,0x1cdb313c,0x5489cd6e,
+        0x4c07bb06,0xd44aed10,0x75f000d1,0x8f97e13a,0xdda5df4d,0x0e9ee64f },
+      { 0x3e346910,0xeaa99f3b,0xfa294ad7,0x622f6921,0x0d0b2fe9,0x22aaa20d,
+        0x1e5881ba,0x4fed2f99,0xc1571802,0x9af3b2d6,0xdc7ee17c,0x919e67a8 } },
+    /* 251 */
+    { { 0x76250533,0xc724fe4c,0x7d817ef8,0x8a2080e5,0x172c9751,0xa2afb0f4,
+        0x17c0702e,0x9b10cdeb,0xc9b7e3e9,0xbf3975e3,0x1cd0cdc5,0x206117df },
+      { 0xbe05ebd5,0xfb049e61,0x16c782c0,0xeb0bb55c,0xab7fed09,0x13a331b8,
+        0x632863f0,0xf6c58b1d,0x4d3b6195,0x6264ef6e,0x9a53f116,0x92c51b63 } },
+    /* 252 */
+    { { 0x288b364d,0xa57c7bc8,0x7b41e5c4,0x4a562e08,0x698a9a11,0x699d21c6,
+        0xf3f849b9,0xa4ed9581,0x9eb726ba,0xa223eef3,0xcc2884f9,0x13159c23 },
+      { 0x3a3f4963,0x73931e58,0x0ada6a81,0x96500389,0x5ab2950b,0x3ee8a1c6,
+        0x775fab52,0xeedf4949,0x4f2671b6,0x63d652e1,0x3c4e2f55,0xfed4491c } },
+    /* 253 */
+    { { 0xf4eb453e,0x335eadc3,0xcadd1a5b,0x5ff74b63,0x5d84a91a,0x6933d0d7,
+        0xb49ba337,0x9ca3eeb9,0xc04c15b8,0x1f6facce,0xdc09a7e4,0x4ef19326 },
+      { 0x3dca3233,0x53d2d324,0xa2259d4b,0x0ee40590,0x5546f002,0x18c22edb,
+        0x09ea6b71,0x92429801,0xb0e91e61,0xaada0add,0x99963c50,0x5fe53ef4 } },
+    /* 254 */
+    { { 0x90c28c65,0x372dd06b,0x119ce47d,0x1765242c,0x6b22fc82,0xc041fb80,
+        0xb0a7ccc1,0x667edf07,0x1261bece,0xc79599e7,0x19cff22a,0xbc69d9ba },
+      { 0x13c06819,0x009d77cd,0xe282b79d,0x635a66ae,0x225b1be8,0x4edac4a6,
+        0x524008f9,0x57d4f4e4,0xb056af84,0xee299ac5,0x3a0bc386,0xcc38444c } },
+    /* 255 */
+    { { 0xcd4c2356,0x490643b1,0x750547be,0x740a4851,0xd4944c04,0x643eaf29,
+        0x299a98a0,0xba572479,0xee05fdf9,0x48b29f16,0x089b2d7b,0x33fb4f61 },
+      { 0xa950f955,0x86704902,0xfedc3ddf,0x97e1034d,0x05fbb6a2,0x211320b6,
+        0x432299bb,0x23d7b93f,0x8590e4a3,0x1fe1a057,0xf58c0ce6,0x8e1d0586 } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_12(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_12(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, km);
+
+            err = sp_384_ecc_mulmod_base_12(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_12(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
+            a[8] | a[9] | a[10] | a[11]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_384_add_one_12(sp_digit* a)
+{
+    __asm__ __volatile__ (
+        "mov	r2, #1\n\t"
+        "ldr	r1, [%[a], #0]\n\t"
+        "adds	r1, r1, r2\n\t"
+        "mov	r2, #0\n\t"
+        "str	r1, [%[a], #0]\n\t"
+        "ldr	r1, [%[a], #4]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #4]\n\t"
+        "ldr	r1, [%[a], #8]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #8]\n\t"
+        "ldr	r1, [%[a], #12]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #12]\n\t"
+        "ldr	r1, [%[a], #16]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #16]\n\t"
+        "ldr	r1, [%[a], #20]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #20]\n\t"
+        "ldr	r1, [%[a], #24]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #24]\n\t"
+        "ldr	r1, [%[a], #28]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #28]\n\t"
+        "ldr	r1, [%[a], #32]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #32]\n\t"
+        "ldr	r1, [%[a], #36]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #36]\n\t"
+        "ldr	r1, [%[a], #40]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #40]\n\t"
+        "ldr	r1, [%[a], #44]\n\t"
+        "adcs	r1, r1, r2\n\t"
+        "str	r1, [%[a], #44]\n\t"
+        :
+        : [a] "r" (a)
+        : "memory", "r1", "r2"
+    );
+}
+
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((sp_digit)a[i]) << s);
+        if (s >= 24U) {
+            r[j] &= 0xffffffff;
+            s = 32U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (sp_digit)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_12(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 12, buf, (int)sizeof(buf));
+            if (sp_384_cmp_12(k, p384_order2) < 0) {
+                sp_384_add_one_12(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_12(rng, k);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_12(point->x) == 0) || (sp_384_iszero_12(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_12(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_12(infinity, 1, heap);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+static void sp_384_to_bin(sp_digit* r, byte* a)
+{
+    int i, j, s = 0, b;
+
+    j = 384 / 8 - 1;
+    a[j] = 0;
+    for (i=0; i<12 && j>=0; i++) {
+        b = 0;
+        /* lint allow cast of mismatch sp_digit and int */
+        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
+        b += 8 - s;
+        if (j < 0) {
+            break;
+        }
+        while (b < 32) {
+            a[j--] = (byte)(r[i] >> b);
+            b += 8;
+            if (j < 0) {
+                break;
+            }
+        }
+        s = 8 - (b - 32);
+        if (j >= 0) {
+            a[j] = 0;
+        }
+        if (s != 0) {
+            j++;
+        }
+    }
+}
+
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[12];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 12, priv);
+        sp_384_point_from_ecc_point_12(point, pub);
+            err = sp_384_ecc_mulmod_12(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_in_place_12(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+    __asm__ __volatile__ (
+        "mov	r8, %[a]\n\t"
+        "add	r8, r8, #48\n\t"
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        "subs	r5, r5, %[c]\n\t"
+        "ldr	r3, [%[a]]\n\t"
+        "ldr	r4, [%[a], #4]\n\t"
+        "ldr	r5, [%[b]]\n\t"
+        "ldr	r6, [%[b], #4]\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "str	r3, [%[a]]\n\t"
+        "str	r4, [%[a], #4]\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        "add	%[a], %[a], #8\n\t"
+        "add	%[b], %[b], #8\n\t"
+        "cmp	%[a], r8\n\t"
+        "bne	1b\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6", "r8"
+    );
+
+    return c;
+}
+
+#else
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static sp_digit sp_384_sub_in_place_12(sp_digit* a,
+        const sp_digit* b)
+{
+    sp_digit c = 0;
+
+    __asm__ __volatile__ (
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "subs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "ldm	%[a], {r3, r4}\n\t"
+        "ldm	%[b]!, {r5, r6}\n\t"
+        "sbcs	r3, r3, r5\n\t"
+        "sbcs	r4, r4, r6\n\t"
+        "stm	%[a]!, {r3, r4}\n\t"
+        "sbc	%[c], %[c], %[c]\n\t"
+        : [c] "+r" (c), [a] "+r" (a), [b] "+r" (b)
+        :
+        : "memory", "r3", "r4", "r5", "r6"
+    );
+
+    return c;
+}
+
+#endif /* WOLFSSL_SP_SMALL */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+SP_NOINLINE static void sp_384_mul_d_12(sp_digit* r, const sp_digit* a,
+        sp_digit b)
+{
+    __asm__ __volatile__ (
+        "add	r9, %[a], #48\n\t"
+        /* A[0] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r5, r3, r6, %[b]\n\t"
+        "mov	r4, #0\n\t"
+        "str	r5, [%[r]], #4\n\t"
+        /* A[0] * B - Done */
+        "\n1:\n\t"
+        "mov	r5, #0\n\t"
+        /* A[] * B */
+        "ldr	r6, [%[a]], #4\n\t"
+        "umull	r6, r8, r6, %[b]\n\t"
+        "adds	r3, r3, r6\n\t"
+        "adcs 	r4, r4, r8\n\t"
+        "adc	r5, r5, #0\n\t"
+        /* A[] * B - Done */
+        "str	r3, [%[r]], #4\n\t"
+        "mov	r3, r4\n\t"
+        "mov	r4, r5\n\t"
+        "cmp	%[a], r9\n\t"
+        "blt	1b\n\t"
+        "str	r3, [%[r]]\n\t"
+        : [r] "+r" (r), [a] "+r" (a)
+        : [b] "r" (b)
+        : "memory", "r3", "r4", "r5", "r6", "r8", "r9"
+    );
+}
+
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ *
+ * Note that this is an approximate div. It may give an answer 1 larger.
+ */
+SP_NOINLINE static sp_digit div_384_word_12(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    sp_digit r = 0;
+
+    __asm__ __volatile__ (
+        "lsr	r6, %[div], #16\n\t"
+        "add	r6, r6, #1\n\t"
+        "udiv	r4, %[d1], r6\n\t"
+        "lsl	r8, r4, #16\n\t"
+        "umull	r4, r5, %[div], r8\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r5, %[d1], r6\n\t"
+        "lsl	r4, r5, #16\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "lsl	r4, %[d1], #16\n\t"
+        "orr	r4, r4, %[d0], lsr #16\n\t"
+        "udiv	r4, r4, r6\n\t"
+        "add	r8, r8, r4\n\t"
+        "umull	r4, r5, %[div], r4\n\t"
+        "subs	%[d0], %[d0], r4\n\t"
+        "sbc	%[d1], %[d1], r5\n\t"
+        "udiv	r4, %[d0], %[div]\n\t"
+        "add	r8, r8, r4\n\t"
+        "mov	%[r], r8\n\t"
+        : [r] "+r" (r)
+        : [d1] "r" (d1), [d0] "r" (d0), [div] "r" (div)
+        : "r4", "r5", "r6", "r8"
+    );
+    return r;
+}
+
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_384_mask_12(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<12; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+    r[6] = a[6] & m;
+    r[7] = a[7] & m;
+    r[8] = a[8] & m;
+    r[9] = a[9] & m;
+    r[10] = a[10] & m;
+    r[11] = a[11] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_div_12(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[24], t2[13];
+    sp_digit div, r1;
+    int i;
+
+    (void)m;
+
+    div = d[11];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 12);
+    for (i=11; i>=0; i--) {
+        r1 = div_384_word_12(t1[12 + i], t1[12 + i - 1], div);
+
+        sp_384_mul_d_12(t2, d, r1);
+        t1[12 + i] += sp_384_sub_in_place_12(&t1[i], t2);
+        t1[12 + i] -= t2[12];
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+        sp_384_mask_12(t2, d, t1[12 + i]);
+        t1[12 + i] += sp_384_add_12(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_384_cmp_12(t1, d) >= 0;
+    sp_384_cond_sub_12(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_mod_12(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_12(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint32_t p384_order_minus_2[12] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U,
+    0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint32_t p384_order_low[6] = {
+    0xccc52971U,0xecec196aU,0x48b0a77aU,0x581a0db2U,0xf4372ddfU,0xc7634d81U
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_12(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_12(r, a, b);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_12(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_12(r, a);
+    sp_384_mont_reduce_order_12(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_12(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_12(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_12(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_12(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 12);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_12(t, t);
+        if ((p384_order_minus_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 12U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 12;
+    sp_digit* t3 = td + 4 * 12;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_12(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_12(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_12(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_12(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_12(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_12(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_12(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_12(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_12(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_12(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_12(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_12(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_12(t2, t2);
+        if (((sp_digit)p384_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_384_mont_mul_order_12(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_12(t2, t2);
+    sp_384_mont_mul_order_12(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*12];
+    sp_digit xd[2*12];
+    sp_digit kd[2*12];
+    sp_digit rd[2*12];
+    sp_digit td[3 * 2*12];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int32_t c;
+    int i;
+
+    (void)heap;
+
+    err = sp_384_point_new_12(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 12;
+        x = d + 2 * 12;
+        k = d + 4 * 12;
+        r = d + 6 * 12;
+        tmp = d + 8 * 12;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 12, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 12, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_12(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 12, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+                err = sp_384_ecc_mulmod_base_12(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 12U);
+            sp_384_norm_12(r);
+            c = sp_384_cmp_12(r, p384_order);
+            sp_384_cond_sub_12(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(r);
+
+            /* Conv k to Montgomery form (mod order) */
+                sp_384_mul_12(k, k, p384_norm_order);
+            err = sp_384_mod_12(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(k);
+            /* kInv = 1/k mod order */
+                sp_384_mont_inv_order_12(kInv, k, tmp);
+            sp_384_norm_12(kInv);
+
+            /* s = r * x + e */
+                sp_384_mul_12(x, x, r);
+            err = sp_384_mod_12(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_12(x);
+            carry = sp_384_add_12(s, e, x);
+            sp_384_cond_sub_12(s, s, p384_order, 0 - carry);
+            sp_384_norm_12(s);
+            c = sp_384_cmp_12(s, p384_order);
+            sp_384_cond_sub_12(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_12(s);
+
+            /* s = s * k^-1 mod order */
+                sp_384_mont_mul_order_12(s, s, kInv);
+            sp_384_norm_12(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_12(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 12);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 12U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 12U);
+#endif
+    sp_384_point_free_12(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*12];
+    sp_digit u2d[2*12];
+    sp_digit sd[2*12];
+    sp_digit tmpd[2*12 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+
+    err = sp_384_point_new_12(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 12;
+        u2  = d + 2 * 12;
+        s   = d + 4 * 12;
+        tmp = d + 6 * 12;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 12, hash, (int)hashLen);
+        sp_384_from_mp(u2, 12, r);
+        sp_384_from_mp(s, 12, sm);
+        sp_384_from_mp(p2->x, 12, pX);
+        sp_384_from_mp(p2->y, 12, pY);
+        sp_384_from_mp(p2->z, 12, pZ);
+
+        {
+            sp_384_mul_12(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_12(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_12(s);
+        {
+            sp_384_mont_inv_order_12(s, s, tmp);
+            sp_384_mont_mul_order_12(u1, u1, s);
+            sp_384_mont_mul_order_12(u2, u2, s);
+        }
+
+            err = sp_384_ecc_mulmod_base_12(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_384_ecc_mulmod_12(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+        {
+            sp_384_proj_point_add_12(p1, p1, p2, tmp);
+            if (sp_384_iszero_12(p1->z)) {
+                if (sp_384_iszero_12(p1->x) && sp_384_iszero_12(p1->y)) {
+                    sp_384_proj_point_dbl_12(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    p1->x[6] = 0;
+                    p1->x[7] = 0;
+                    p1->x[8] = 0;
+                    p1->x[9] = 0;
+                    p1->x[10] = 0;
+                    p1->x[11] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 12, r);
+        err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_12(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 12, r);
+            carry = sp_384_add_12(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_12(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_12(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_12(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_12(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_12(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_12(p1, 0, heap);
+    sp_384_point_free_12(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_12(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*12];
+    sp_digit t2d[2*12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_12(t1, point->y);
+        (void)sp_384_mod_12(t1, t1, p384_mod);
+        sp_384_sqr_12(t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        sp_384_mul_12(t2, t2, point->x);
+        (void)sp_384_mod_12(t2, t2, p384_mod);
+        (void)sp_384_sub_12(t2, p384_mod, t2);
+        sp_384_mont_add_12(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_12(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_12(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_12(pub, NULL);
+    }
+
+    sp_384_point_free_12(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[12];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_12(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 12, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 12, pX);
+        sp_384_from_mp(pub->y, 12, pY);
+        sp_384_from_bin(pub->z, 12, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 12, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_12(pub->x) != 0) &&
+            (sp_384_iszero_12(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_12(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_12(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_12(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+            err = sp_384_ecc_mulmod_12(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_12(p->x) == 0) ||
+            (sp_384_iszero_12(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+            err = sp_384_ecc_mulmod_base_12(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_12(p->x, pub->x) != 0 ||
+            sp_384_cmp_12(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, heap);
+    sp_384_point_free_12(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_12(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+        sp_384_from_mp(q->x, 12, qX);
+        sp_384_from_mp(q->y, 12, qY);
+        sp_384_from_mp(q->z, 12, qZ);
+
+            sp_384_proj_point_add_12(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(q, 0, NULL);
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+            sp_384_proj_point_dbl_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 12 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_12(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 12 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 12, pX);
+        sp_384_from_mp(p->y, 12, pY);
+        sp_384_from_mp(p->z, 12, pZ);
+
+        sp_384_map_12(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_12(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_12(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 12];
+    sp_digit t2d[2 * 12];
+    sp_digit t3d[2 * 12];
+    sp_digit t4d[2 * 12];
+    sp_digit t5d[2 * 12];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 12;
+        t2 = d + 2 * 12;
+        t3 = d + 4 * 12;
+        t4 = d + 6 * 12;
+        t5 = d + 8 * 12;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_12(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_12(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_12(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_12(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_12(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_12(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_12(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_12(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_12(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_12(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_12(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_12(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_12(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_12(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_12(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_12(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_12(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_12(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_12(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_12(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 12];
+    sp_digit yd[2 * 12];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 12;
+        y = d + 2 * 12;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 12, xm);
+        err = sp_384_mod_mul_norm_12(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_384_mont_sqr_12(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_12(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        sp_384_mont_sub_12(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_12(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_12(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_12(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 12, 0, 12U * sizeof(sp_digit));
+        sp_384_mont_reduce_12(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_12(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_SP_ARM_CORTEX_M_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_dsp32.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_dsp32.c
new file mode 100644
index 000000000..ef95c06fb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_dsp32.c
@@ -0,0 +1,4908 @@
+/* sp_cdsp_signed.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* from wolfcrypt/src/sp_c32.c */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_ECC)
+#ifdef WOLFSSL_DSP
+
+#include <wolfssl/wolfcrypt/sp.h>
+#include "remote.h"
+#include "hexagon_protos.h"
+#include "hexagon_types.h"
+
+#if (defined(WOLFSSL_SP_CACHE_RESISTANT) || defined(WOLFSSL_SP_SMALL)) &&              (defined(WOLFSSL_HAVE_SP_ECC) || !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Mask for address to obfuscate which of the two address will be used. */
+static const size_t addr_mask[2] = { 0, (size_t)-1 };
+#endif
+
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point {
+    sp_digit x[2 * 10] __attribute__((aligned(128)));
+    sp_digit y[2 * 10] __attribute__((aligned(128)));
+    sp_digit z[2 * 10] __attribute__((aligned(128)));
+    int infinity;
+} sp_point;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[10] __attribute__((aligned(128))) = {
+    0x3ffffff,0x3ffffff,0x3ffffff,0x003ffff,0x0000000,0x0000000,0x0000000,
+    0x0000400,0x3ff0000,0x03fffff
+};
+#ifndef WOLFSSL_SP_SMALL
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[10] __attribute__((aligned(128))) = {
+    0x0000001,0x0000000,0x0000000,0x3fc0000,0x3ffffff,0x3ffffff,0x3ffffff,
+    0x3fffbff,0x000ffff,0x0000000
+};
+#endif /* WOLFSSL_SP_SMALL */
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod __attribute__((aligned(128))) = 0x000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[10] __attribute__((aligned(128))) = {
+    0x0632551,0x272b0bf,0x1e84f3b,0x2b69c5e,0x3bce6fa,0x3ffffff,0x3ffffff,
+    0x00003ff,0x3ff0000,0x03fffff
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[10] __attribute__((aligned(128))) = {
+    0x39cdaaf,0x18d4f40,0x217b0c4,0x14963a1,0x0431905,0x0000000,0x0000000,
+    0x3fffc00,0x000ffff,0x0000000
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order __attribute__((aligned(128))) = 0x200bc4f;
+#endif
+/* The base point of curve P256. */
+static const sp_point p256_base __attribute__((aligned(128))) = {
+    /* X ordinate */
+    {
+        0x098c296,0x04e5176,0x33a0f4a,0x204b7ac,0x277037d,0x0e9103c,0x3ce6e56,
+        0x1091fe2,0x1f2e12c,0x01ac5f4, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x3bf51f5,0x1901a0d,0x1ececbb,0x15dacc5,0x22bce33,0x303e785,0x27eb4a7,
+        0x1fe6e3b,0x2e2fe1a,0x013f8d0, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000001,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,0x0000000,
+        0x0000000,0x0000000,0x0000000, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+
+static int sp_ecc_point_new_ex(void* heap, sp_point* sp, sp_point** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    (void)sp;
+    *p = (sp_point*)XMALLOC(sizeof(sp_point), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+/* Allocate memory for point and return error. */
+#define sp_ecc_point_new(heap, sp, p) sp_ecc_point_new_ex((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_ecc_point_new(heap, sp, p) sp_ecc_point_new_ex((heap), &(sp), &(p))
+#endif
+
+
+static void sp_ecc_point_free(sp_point* p, int clear, void* heap)
+{
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mod_mul_norm_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    int64_t* td;
+#else
+    int64_t td[8];
+    int64_t a32d[8];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 8, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        t = td;
+        a32 = td + 8;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = a[0];
+        a32[0] |= a[1] << 26U;
+        a32[0] &= 0xffffffffL;
+        a32[1] = (sp_digit)(a[1] >> 6);
+        a32[1] |= a[2] << 20U;
+        a32[1] &= 0xffffffffL;
+        a32[2] = (sp_digit)(a[2] >> 12);
+        a32[2] |= a[3] << 14U;
+        a32[2] &= 0xffffffffL;
+        a32[3] = (sp_digit)(a[3] >> 18);
+        a32[3] |= a[4] << 8U;
+        a32[3] &= 0xffffffffL;
+        a32[4] = (sp_digit)(a[4] >> 24);
+        a32[4] |= a[5] << 2U;
+        a32[4] |= a[6] << 28U;
+        a32[4] &= 0xffffffffL;
+        a32[5] = (sp_digit)(a[6] >> 4);
+        a32[5] |= a[7] << 22U;
+        a32[5] &= 0xffffffffL;
+        a32[6] = (sp_digit)(a[7] >> 10);
+        a32[6] |= a[8] << 16U;
+        a32[6] &= 0xffffffffL;
+        a32[7] = (sp_digit)(a[8] >> 16);
+        a32[7] |= a[9] << 10U;
+        a32[7] &= 0xffffffffL;
+
+        /*  1  1  0 -1 -1 -1 -1  0 */
+        t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+        /*  0  1  1  0 -1 -1 -1 -1 */
+        t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+        /*  0  0  1  1  0 -1 -1 -1 */
+        t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+        /* -1 -1  0  2  2  1  0 -1 */
+        t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+        /*  0 -1 -1  0  2  2  1  0 */
+        t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+        /*  0  0 -1 -1  0  2  2  1 */
+        t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+        /* -1 -1  0  0  0  1  3  2 */
+        t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+        /*  1  0 -1 -1 -1 -1  0  3 */
+        t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+
+        t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+        t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+        t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+        t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+        t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+        t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+        t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+        o     = t[7] >> 32U; t[7] &= 0xffffffffL;
+        t[0] += o;
+        t[3] -= o;
+        t[6] -= o;
+        t[7] += o;
+        t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
+        t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
+        t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
+        t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
+        t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
+        t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
+        t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
+
+        r[0] = (sp_digit)(t[0]) & 0x3ffffffL;
+        r[1] = (sp_digit)(t[0] >> 26U);
+        r[1] |= t[1] << 6U;
+        r[1] &= 0x3ffffffL;
+        r[2] = (sp_digit)(t[1] >> 20U);
+        r[2] |= t[2] << 12U;
+        r[2] &= 0x3ffffffL;
+        r[3] = (sp_digit)(t[2] >> 14U);
+        r[3] |= t[3] << 18U;
+        r[3] &= 0x3ffffffL;
+        r[4] = (sp_digit)(t[3] >> 8U);
+        r[4] |= t[4] << 24U;
+        r[4] &= 0x3ffffffL;
+        r[5] = (sp_digit)(t[4] >> 2U) & 0x3ffffffL;
+        r[6] = (sp_digit)(t[4] >> 28U);
+        r[6] |= t[5] << 4U;
+        r[6] &= 0x3ffffffL;
+        r[7] = (sp_digit)(t[5] >> 22U);
+        r[7] |= t[6] << 10U;
+        r[7] &= 0x3ffffffL;
+        r[8] = (sp_digit)(t[6] >> 16U);
+        r[8] |= t[7] << 16U;
+        r[8] &= 0x3ffffffL;
+        r[9] = (sp_digit)(t[7] >> 10U);
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+static sp_digit sp_256_cmp_10(const sp_digit* a, const sp_digit* b)
+{
+    sp_digit r = 0;
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=9; i>=0; i--) {
+        r |= (a[i] - b[i]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    }
+#else
+    r |= (a[ 9] - b[ 9]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 8] - b[ 8]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 7] - b[ 7]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 6] - b[ 6]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 5] - b[ 5]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 4] - b[ 4]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 3] - b[ 3]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 2] - b[ 2]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 1] - b[ 1]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+    r |= (a[ 0] - b[ 0]) & (0 - ((r == 0) ? (sp_digit)1 : (sp_digit)0));
+#endif /* WOLFSSL_SP_SMALL */
+
+    return r;
+}
+
+/* Normalize the values in each word to 26.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+static void sp_256_norm_10(sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    for (i = 0; i < 9; i++) {
+        a[i+1] += a[i] >> 26;
+        a[i] &= 0x3ffffff;
+    }
+#else
+    a[1] += a[0] >> 26; a[0] = Q6_R_and_RR(a[0], 0x3ffffff);
+    a[2] += a[1] >> 26; a[1] = Q6_R_and_RR(a[1], 0x3ffffff);
+    a[3] += a[2] >> 26; a[2] = Q6_R_and_RR(a[2], 0x3ffffff);
+    a[4] += a[3] >> 26; a[3] = Q6_R_and_RR(a[3], 0x3ffffff);
+    a[5] += a[4] >> 26; a[4] = Q6_R_and_RR(a[4], 0x3ffffff);
+    a[6] += a[5] >> 26; a[5] = Q6_R_and_RR(a[5], 0x3ffffff);
+    a[7] += a[6] >> 26; a[6] = Q6_R_and_RR(a[6], 0x3ffffff);
+    a[8] += a[7] >> 26; a[7] = Q6_R_and_RR(a[7], 0x3ffffff);
+    a[9] += a[8] >> 26; a[8] = Q6_R_and_RR(a[8], 0x3ffffff);
+#endif
+}
+
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_sub_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] - (b[i] & m);
+    }
+#else
+    r[ 0] = Q6_R_sub_RR(a[ 0], Q6_R_and_RR(b[ 0], m));
+    r[ 1] = Q6_R_sub_RR(a[ 1], Q6_R_and_RR(b[ 1], m));
+    r[ 2] = Q6_R_sub_RR(a[ 2], Q6_R_and_RR(b[ 2], m));
+    r[ 3] = Q6_R_sub_RR(a[ 3], Q6_R_and_RR(b[ 3], m));
+    r[ 4] = Q6_R_sub_RR(a[ 4], Q6_R_and_RR(b[ 4], m));
+    r[ 5] = Q6_R_sub_RR(a[ 5], Q6_R_and_RR(b[ 5], m));
+    r[ 6] = Q6_R_sub_RR(a[ 6], Q6_R_and_RR(b[ 6], m));
+    r[ 7] = Q6_R_sub_RR(a[ 7], Q6_R_and_RR(b[ 7], m));
+    r[ 8] = Q6_R_sub_RR(a[ 8], Q6_R_and_RR(b[ 8], m));
+    r[ 9] = Q6_R_sub_RR(a[ 9], Q6_R_and_RR(b[ 9], m));
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#define sp_256_mont_reduce_order_10         sp_256_mont_reduce_10
+
+/* Mul a by scalar b and add into r. (r += a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        t += (tb * a[i]) + r[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[10] += t;
+#else
+    int64_t tb = b;
+    int64_t t[10];
+
+    t[ 0] = Q6_P_mpy_RR(tb, a[ 0]);
+    t[ 1] = Q6_P_mpy_RR(tb, a[ 1]);
+    t[ 2] = Q6_P_mpy_RR(tb, a[ 2]);
+    t[ 3] = Q6_P_mpy_RR(tb, a[ 3]);
+    t[ 4] = Q6_P_mpy_RR(tb, a[ 4]);
+    t[ 5] = Q6_P_mpy_RR(tb, a[ 5]);
+    t[ 6] = Q6_P_mpy_RR(tb, a[ 6]);
+    t[ 7] = Q6_P_mpy_RR(tb, a[ 7]);
+    t[ 8] = Q6_P_mpy_RR(tb, a[ 8]);
+    t[ 9] = Q6_P_mpy_RR(tb, a[ 9]);
+    r[ 0] +=                 (t[ 0] & 0x3ffffff);
+    r[ 1] += (t[ 0] >> 26) + (t[ 1] & 0x3ffffff);
+    r[ 2] += (t[ 1] >> 26) + (t[ 2] & 0x3ffffff);
+    r[ 3] += (t[ 2] >> 26) + (t[ 3] & 0x3ffffff);
+    r[ 4] += (t[ 3] >> 26) + (t[ 4] & 0x3ffffff);
+    r[ 5] += (t[ 4] >> 26) + (t[ 5] & 0x3ffffff);
+    r[ 6] += (t[ 5] >> 26) + (t[ 6] & 0x3ffffff);
+    r[ 7] += (t[ 6] >> 26) + (t[ 7] & 0x3ffffff);
+    r[ 8] += (t[ 7] >> 26) + (t[ 8] & 0x3ffffff);
+    r[ 9] += (t[ 8] >> 26) + (t[ 9] & 0x3ffffff);
+    r[10] +=  t[ 9] >> 26;
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Shift the result in the high 256 bits down to the bottom.
+ *
+ * r  A single precision number.
+ * a  A single precision number.
+ */
+static void sp_256_mont_shift_10(sp_digit* r, const sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+    sp_digit n, s;
+
+    s = a[10];
+    n = a[9] >> 22;
+    for (i = 0; i < 9; i++) {
+        n += (s & 0x3ffffff) << 4;
+        r[i] = n & 0x3ffffff;
+        n >>= 26;
+        s = a[11 + i] + (s >> 26);
+    }
+    n += s << 4;
+    r[9] = n;
+#else
+    sp_digit n, s;
+
+    s = a[10]; n = a[9] >> 22;
+    n += (s & 0x3ffffff) << 4; r[ 0] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[11] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 1] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[12] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 2] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[13] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 3] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[14] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 4] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[15] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 5] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[16] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 6] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[17] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 7] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[18] + (s >> 26);
+    n += (s & 0x3ffffff) << 4; r[ 8] = Q6_R_and_RR(n, 0x3ffffff);
+    n >>= 26; s = a[19] + (s >> 26);
+    n += s << 4;              r[ 9] = n;
+#endif /* WOLFSSL_SP_SMALL */
+    XMEMSET(&r[10], 0, sizeof(*r) * 10U);
+}
+
+
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+static void sp_256_mont_reduce_10(sp_digit* a, const sp_digit* m, sp_digit mp)
+{
+    sp_digit mu;
+
+
+    /* unrolled for loops due to unexpected behavior with -O optimizations */
+    if (mp != 1) {
+        mu = Q6_P_mpy_RR(a[0], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+0, m, mu);
+        a[0+1] += a[0] >> 26;
+
+        mu = Q6_P_mpy_RR(a[1], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+1, m, mu);
+        a[1+1] += a[1] >> 26;
+
+        mu = Q6_P_mpy_RR(a[2], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+2, m, mu);
+        a[2+1] += a[2] >> 26;
+
+        mu = Q6_P_mpy_RR(a[3], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+3, m, mu);
+        a[3+1] += a[3] >> 26;
+
+        mu = Q6_P_mpy_RR(a[4], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+4, m, mu);
+        a[4+1] += a[4] >> 26;
+
+        mu = Q6_P_mpy_RR(a[5], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+5, m, mu);
+        a[5+1] += a[5] >> 26;
+
+        mu = Q6_P_mpy_RR(a[6], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+6, m, mu);
+        a[6+1] += a[6] >> 26;
+
+        mu = Q6_P_mpy_RR(a[7], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+7, m, mu);
+        a[7+1] += a[7] >> 26;
+
+        mu = Q6_P_mpy_RR(a[8], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+8, m, mu);
+        a[8+1] += a[8] >> 26;
+
+        mu = Q6_P_mpy_RR(a[9], mp) & 0x3fffffL;
+        sp_256_mul_add_10(a+9, m, mu);
+        a[9+1] += a[9] >> 26;
+        a[9] &= 0x3ffffff;
+    }
+    else {
+        mu = Q6_P_mpy_RR(a[0], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+0, p256_mod, mu);
+        a[0+1] += a[0] >> 26;
+
+        mu = Q6_P_mpy_RR(a[1], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+1, p256_mod, mu);
+        a[1+1] += a[1] >> 26;
+
+        mu = Q6_P_mpy_RR(a[2], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+2, p256_mod, mu);
+        a[2+1] += a[2] >> 26;
+
+        mu = Q6_P_mpy_RR(a[3], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+3, p256_mod, mu);
+        a[3+1] += a[3] >> 26;
+
+        mu = Q6_P_mpy_RR(a[4], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+4, p256_mod, mu);
+        a[4+1] += a[4] >> 26;
+
+        mu = Q6_P_mpy_RR(a[5], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+5, p256_mod, mu);
+        a[5+1] += a[5] >> 26;
+
+        mu = Q6_P_mpy_RR(a[6], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+6, p256_mod, mu);
+        a[6+1] += a[6] >> 26;
+
+        mu = Q6_P_mpy_RR(a[7], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+7, p256_mod, mu);
+        a[7+1] += a[7] >> 26;
+
+        mu = Q6_P_mpy_RR(a[8], mp) & 0x3ffffff;
+        sp_256_mul_add_10(a+8, p256_mod, mu);
+        a[8+1] += a[8] >> 26;
+
+        mu = Q6_P_mpy_RR(a[9], mp) & 0x3fffffL;
+        sp_256_mul_add_10(a+9, p256_mod, mu);
+        a[9+1] += a[9] >> 26;
+        a[9] &= 0x3ffffff;
+    }
+
+
+    sp_256_mont_shift_10(a, a);
+    sp_256_cond_sub_10(a, a, m, 0 - (((a[9] >> 22) > 0) ?
+            (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(a);
+}
+
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_mul_10(sp_digit* r, const sp_digit* a,
+    const sp_digit* b)
+{
+#if 1
+    int64_t t0   = Q6_P_mpy_RR(a[0], b[0]);
+    int64_t t1   = Q6_P_mpy_RR(a[0], b[1])
+                 + Q6_P_mpy_RR(a[1], b[0]);
+    int64_t t2   = Q6_P_mpy_RR(a[0], b[2])
+                 + Q6_P_mpy_RR(a[1], b[1])
+                 + Q6_P_mpy_RR(a[2], b[0]);
+    int64_t t3   = Q6_P_mpy_RR(a[0], b[3])
+                 + Q6_P_mpy_RR(a[1], b[2])
+                 + Q6_P_mpy_RR(a[2], b[1])
+                 + Q6_P_mpy_RR(a[3], b[0]);
+    int64_t t4   = Q6_P_mpy_RR(a[0], b[4])
+                 + Q6_P_mpy_RR(a[1], b[3])
+                 + Q6_P_mpy_RR(a[2], b[2])
+                 + Q6_P_mpy_RR(a[3], b[1])
+                 + Q6_P_mpy_RR(a[4], b[0]);
+    int64_t t5   = Q6_P_mpy_RR(a[0], b[5])
+                 + Q6_P_mpy_RR(a[1], b[4])
+                 + Q6_P_mpy_RR(a[2], b[3])
+                 + Q6_P_mpy_RR(a[3], b[2])
+                 + Q6_P_mpy_RR(a[4], b[1])
+                 + Q6_P_mpy_RR(a[5], b[0]);
+    int64_t t6   = Q6_P_mpy_RR(a[0], b[6])
+                 + Q6_P_mpy_RR(a[1], b[5])
+                 + Q6_P_mpy_RR(a[2], b[4])
+                 + Q6_P_mpy_RR(a[3], b[3])
+                 + Q6_P_mpy_RR(a[4], b[2])
+                 + Q6_P_mpy_RR(a[5], b[1])
+                 + Q6_P_mpy_RR(a[6], b[0]);
+    int64_t t7   = Q6_P_mpy_RR(a[0], b[7])
+                 + Q6_P_mpy_RR(a[1], b[6])
+                 + Q6_P_mpy_RR(a[2], b[5])
+                 + Q6_P_mpy_RR(a[3], b[4])
+                 + Q6_P_mpy_RR(a[4], b[3])
+                 + Q6_P_mpy_RR(a[5], b[2])
+                 + Q6_P_mpy_RR(a[6], b[1])
+                 + Q6_P_mpy_RR(a[7], b[0]);
+    int64_t t8   = Q6_P_mpy_RR(a[0], b[8])
+                 + Q6_P_mpy_RR(a[1], b[7])
+                 + Q6_P_mpy_RR(a[2], b[6])
+                 + Q6_P_mpy_RR(a[3], b[5])
+                 + Q6_P_mpy_RR(a[4], b[4])
+                 + Q6_P_mpy_RR(a[5], b[3])
+                 + Q6_P_mpy_RR(a[6], b[2])
+                 + Q6_P_mpy_RR(a[7], b[1])
+                 + Q6_P_mpy_RR(a[8], b[0]);
+    int64_t t9   = Q6_P_mpy_RR(a[0], b[9])
+                 + Q6_P_mpy_RR(a[1], b[8])
+                 + Q6_P_mpy_RR(a[2], b[7])
+                 + Q6_P_mpy_RR(a[3], b[6])
+                 + Q6_P_mpy_RR(a[4], b[5])
+                 + Q6_P_mpy_RR(a[5], b[4])
+                 + Q6_P_mpy_RR(a[6], b[3])
+                 + Q6_P_mpy_RR(a[7], b[2])
+                 + Q6_P_mpy_RR(a[8], b[1])
+                 + Q6_P_mpy_RR(a[9], b[0]);
+    int64_t t10  = Q6_P_mpy_RR(a[1], b[9])
+                 + Q6_P_mpy_RR(a[2], b[8])
+                 + Q6_P_mpy_RR(a[3], b[7])
+                 + Q6_P_mpy_RR(a[4], b[6])
+                 + Q6_P_mpy_RR(a[5], b[5])
+                 + Q6_P_mpy_RR(a[6], b[4])
+                 + Q6_P_mpy_RR(a[7], b[3])
+                 + Q6_P_mpy_RR(a[8], b[2])
+                 + Q6_P_mpy_RR(a[9], b[1]);
+    int64_t t11  = Q6_P_mpy_RR(a[2], b[9])
+                 + Q6_P_mpy_RR(a[3], b[8])
+                 + Q6_P_mpy_RR(a[4], b[7])
+                 + Q6_P_mpy_RR(a[5], b[6])
+                 + Q6_P_mpy_RR(a[6], b[5])
+                 + Q6_P_mpy_RR(a[7], b[4])
+                 + Q6_P_mpy_RR(a[8], b[3])
+                 + Q6_P_mpy_RR(a[9], b[2]);
+    int64_t t12  = Q6_P_mpy_RR(a[3], b[9])
+                 + Q6_P_mpy_RR(a[4], b[8])
+                 + Q6_P_mpy_RR(a[5], b[7])
+                 + Q6_P_mpy_RR(a[6], b[6])
+                 + Q6_P_mpy_RR(a[7], b[5])
+                 + Q6_P_mpy_RR(a[8], b[4])
+                 + Q6_P_mpy_RR(a[9], b[3]);
+    int64_t t13  = Q6_P_mpy_RR(a[4], b[9])
+                 + Q6_P_mpy_RR(a[5], b[8])
+                 + Q6_P_mpy_RR(a[6], b[7])
+                 + Q6_P_mpy_RR(a[7], b[6])
+                 + Q6_P_mpy_RR(a[8], b[5])
+                 + Q6_P_mpy_RR(a[9], b[4]);
+    int64_t t14  = Q6_P_mpy_RR(a[5], b[9])
+                 + Q6_P_mpy_RR(a[6], b[8])
+                 + Q6_P_mpy_RR(a[7], b[7])
+                 + Q6_P_mpy_RR(a[8], b[6])
+                 + Q6_P_mpy_RR(a[9], b[5]);
+    int64_t t15  = Q6_P_mpy_RR(a[6], b[9])
+                 + Q6_P_mpy_RR(a[7], b[8])
+                 + Q6_P_mpy_RR(a[8], b[7])
+                 + Q6_P_mpy_RR(a[9], b[6]);
+    int64_t t16  = Q6_P_mpy_RR(a[7], b[9])
+                 + Q6_P_mpy_RR(a[8], b[8])
+                 + Q6_P_mpy_RR(a[9], b[7]);
+    int64_t t17  = Q6_P_mpy_RR(a[8], b[9])
+                 + Q6_P_mpy_RR(a[9], b[8]);
+    int64_t t18  = Q6_P_mpy_RR(a[9], b[9]);
+
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    r[19] = (sp_digit)(t18 >> 26);
+                       r[18] = t18 & 0x3ffffff;
+#endif
+#if 0
+    /* Testing speeds with using HVX_Vectors */
+    {
+    int64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11, t12, t13, t14, t15, t16, t17, t18;
+    HVX_Vector av, splat;
+    HVX_Vector vlow, vhi;
+    
+    av = Q6_V_vzero();
+    vlow = Q6_V_vzero();
+    vhi = Q6_V_vzero();
+    
+    XMEMCPY((byte*)&av, (byte*)a, 40);
+    
+    splat = Q6_V_vsplat_R(b[0]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    unsigned int* loi = (unsigned int*)&vlow;
+    int* hii = (int*)&vhi;
+    
+    /* a[0] * b[0] */
+    t0 = loi[0] | ((int64_t)hii[0] << 31);
+    
+    /* a[1] * b[0] */
+    t1 = loi[1] | ((int64_t)hii[1] << 31);
+    
+    /* a[2] * b[0] */
+    t2 = loi[2] | ((int64_t)hii[2] << 31);
+    
+    /* a[3] * b[0] */
+    t3 = loi[3] | ((int64_t)hii[3] << 31);
+    
+    /* a[4] * b[0] */
+    t4 = loi[4] | ((int64_t)hii[4] << 31);
+    
+    /* a[5] * b[0] */
+    t5 = loi[5] | ((int64_t)hii[5] << 31);
+    
+    /* a[6] * b[0] */
+    t6 = loi[6] | ((int64_t)hii[6] << 31);
+    
+    /* a[7] * b[0] */
+    t7 = loi[7] | ((int64_t)hii[7] << 31);
+    
+    /* a[8] * b[0] */
+    t8 = loi[8] | ((int64_t)hii[8] << 31);
+    
+    /* a[9] * b[0] */
+    t9 = loi[9] | ((int64_t)hii[9] << 31);
+    
+    /* a[*] * b[1] */
+    splat = Q6_V_vsplat_R(b[1]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    /* a[0] * b[1] */
+    t1 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[1] */
+    t2 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[1] */
+    t3 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[1] */
+    t4 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[1] */
+    t5 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[1] */
+    t6 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[1] */
+    t7 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[1] */
+    t8 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[1] */
+    t9 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[1] */
+    t10 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    /* a[*] * b[2] */
+    splat = Q6_V_vsplat_R(b[2]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[2] */
+    t2 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[2] */
+    t3 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[2] */
+    t4 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[2] */
+    t5 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[2] */
+    t6 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[2] */
+    t7 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[2] */
+    t8 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[2] */
+    t9 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[2] */
+    t10 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[2] */
+    t11 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[3] */
+    splat = Q6_V_vsplat_R(b[3]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[3] */
+    t3 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[3] */
+    t4 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[3] */
+    t5 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[3] */
+    t6 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[3] */
+    t7 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[3] */
+    t8 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[3] */
+    t9 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[3] */
+    t10 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[3] */
+    t11 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[3] */
+    t12 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[4] */
+    splat = Q6_V_vsplat_R(b[4]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[4] */
+    t4 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[4] */
+    t5 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[4] */
+    t6 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[4] */
+    t7 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[4] */
+    t8 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[4] */
+    t9 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[4] */
+    t10 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[4] */
+    t11 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[4] */
+    t12 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[4] */
+    t13 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[5] */
+    splat = Q6_V_vsplat_R(b[5]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[5] */
+    t5 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[5] */
+    t6 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[5] */
+    t7 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[5] */
+    t8 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[5] */
+    t9 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[5] */
+    t10 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[5] */
+    t11 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[5] */
+    t12 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[5] */
+    t13 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[5] */
+    t14 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[6] */
+    splat = Q6_V_vsplat_R(b[6]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[6] */
+    t6 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[6] */
+    t7 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[6] */
+    t8 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[6] */
+    t9 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[6] */
+    t10 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[6] */
+    t11 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[6] */
+    t12 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[6] */
+    t13 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[6] */
+    t14 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[6] */
+    t15 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    
+    /* a[*] * b[7] */
+    splat = Q6_V_vsplat_R(b[7]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[7] */
+    t7 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[7] */
+    t8 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[7] */
+    t9 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[7] */
+    t10 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[7] */
+    t11 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[7] */
+    t12 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[7] */
+    t13 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[7] */
+    t14 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[7] */
+    t15 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[7] */
+    t16 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[8] */
+    splat = Q6_V_vsplat_R(b[8]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[8] */
+    t8 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[8] */
+    t9 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[8] */
+    t10 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[8] */
+    t11 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[8] */
+    t12 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[8] */
+    t13 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[8] */
+    t14 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[8] */
+    t15 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[8] */
+    t16 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[8] */
+    t17 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+    
+    /* a[*] * b[9] */
+    splat = Q6_V_vsplat_R(b[9]);
+    vlow = Q6_Vw_vmpyieo_VhVh(av, splat);
+    vlow = Q6_Vw_vmpyieacc_VwVwVuh(vlow, av, splat);
+    vhi = Q6_Vw_vmpye_VwVuh(av, splat);
+    vhi = Q6_Vw_vmpyoacc_VwVwVh_s1_sat_shift(vhi, av, splat);
+    loi = (unsigned int*)&vlow;
+    hii = (int*)&vhi;
+    
+    
+    /* a[0] * b[9] */
+    t9 += (loi[0] | ((int64_t)hii[0] << 31));
+    
+    /* a[1] * b[9] */
+    t10 += (loi[1] | ((int64_t)hii[1] << 31));
+    
+    /* a[2] * b[9] */
+    t11 += (loi[2] | ((int64_t)hii[2] << 31));
+    
+    /* a[3] * b[9] */
+    t12 += (loi[3] | ((int64_t)hii[3] << 31));
+    
+    /* a[4] * b[9] */
+    t13 += (loi[4] | ((int64_t)hii[4] << 31));
+    
+    /* a[5] * b[9] */
+    t14 += (loi[5] | ((int64_t)hii[5] << 31));
+    
+    /* a[6] * b[9] */
+    t15 += (loi[6] | ((int64_t)hii[6] << 31));
+    
+    /* a[7] * b[9] */
+    t16 += (loi[7] | ((int64_t)hii[7] << 31));
+    
+    /* a[8] * b[9] */
+    t17 += (loi[8] | ((int64_t)hii[8] << 31));
+    
+    /* a[9] * b[9] */
+    t18 = (loi[9] | ((int64_t)hii[9] << 31));
+    
+        t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+        t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+        t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+        t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+        t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+        t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+        t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+        t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+        t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+        t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+        t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+        t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+        t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+        t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+        t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+        t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+        t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+        t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+        r[19] = (sp_digit)(t18 >> 26);
+                           r[18] = t18 & 0x3ffffff;
+    }
+#endif
+}
+
+
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_mul_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mul_10(r, a, b);
+    sp_256_mont_reduce_10(r, m, mp);
+}
+
+
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+SP_NOINLINE static void sp_256_sqr_10(sp_digit* r, const sp_digit* a)
+{
+    int64_t t0   = Q6_P_mpy_RR(a[0], a[0]);
+    int64_t t1   = Q6_P_mpy_RR(a[0], a[1]) * 2;
+    int64_t t2   = Q6_P_mpy_RR(a[0], a[2]) * 2
+                 + Q6_P_mpy_RR(a[1], a[1]);
+    int64_t t3   = (Q6_P_mpy_RR(a[0], a[3])
+                 + Q6_P_mpy_RR(a[1], a[2])) * 2;
+    int64_t t4   = (Q6_P_mpy_RR(a[ 0], a[ 4])
+                 + Q6_P_mpy_RR(a[ 1], a[ 3])) * 2
+                 + Q6_P_mpy_RR(a[ 2], a[ 2]);
+    int64_t t5   = (Q6_P_mpy_RR(a[ 0], a[ 5])
+                 + Q6_P_mpy_RR(a[ 1], a[ 4])
+                 + Q6_P_mpy_RR(a[ 2], a[ 3])) * 2;
+    int64_t t6   = (Q6_P_mpy_RR(a[ 0], a[ 6])
+                 + Q6_P_mpy_RR(a[ 1], a[ 5])
+                 + Q6_P_mpy_RR(a[ 2], a[ 4])) * 2
+                 + Q6_P_mpy_RR(a[ 3], a[ 3]);
+    int64_t t7   = (Q6_P_mpy_RR(a[ 0], a[ 7])
+                 + Q6_P_mpy_RR(a[ 1], a[ 6])
+                 + Q6_P_mpy_RR(a[ 2], a[ 5])
+                 + Q6_P_mpy_RR(a[ 3], a[ 4])) * 2;
+    int64_t t8   = (Q6_P_mpy_RR(a[ 0], a[ 8])
+                 + Q6_P_mpy_RR(a[ 1], a[ 7])
+                 + Q6_P_mpy_RR(a[ 2], a[ 6])
+                 + Q6_P_mpy_RR(a[ 3], a[ 5])) * 2
+                 + Q6_P_mpy_RR(a[ 4], a[ 4]);
+    int64_t t9   = (Q6_P_mpy_RR(a[ 0], a[ 9])
+                 + Q6_P_mpy_RR(a[ 1], a[ 8])
+                 + Q6_P_mpy_RR(a[ 2], a[ 7])
+                 + Q6_P_mpy_RR(a[ 3], a[ 6])
+                 + Q6_P_mpy_RR(a[ 4], a[ 5])) * 2;
+    int64_t t10  = (Q6_P_mpy_RR(a[ 1], a[ 9])
+                 + Q6_P_mpy_RR(a[ 2], a[ 8])
+                 + Q6_P_mpy_RR(a[ 3], a[ 7])
+                 + Q6_P_mpy_RR(a[ 4], a[ 6])) * 2
+                 + Q6_P_mpy_RR(a[ 5], a[ 5]);
+    int64_t t11  = (Q6_P_mpy_RR(a[ 2], a[ 9])
+                 + Q6_P_mpy_RR(a[ 3], a[ 8])
+                 + Q6_P_mpy_RR(a[ 4], a[ 7])
+                 + Q6_P_mpy_RR(a[ 5], a[ 6])) * 2;
+    int64_t t12  = (Q6_P_mpy_RR(a[ 3], a[ 9])
+                 + Q6_P_mpy_RR(a[ 4], a[ 8])
+                 + Q6_P_mpy_RR(a[ 5], a[ 7])) * 2
+                 + Q6_P_mpy_RR(a[ 6], a[ 6]);
+    int64_t t13  = (Q6_P_mpy_RR(a[ 4], a[ 9])
+                 + Q6_P_mpy_RR(a[ 5], a[ 8])
+                 + Q6_P_mpy_RR(a[ 6], a[ 7])) * 2;
+    int64_t t14  = (Q6_P_mpy_RR(a[ 5], a[ 9])
+                 + Q6_P_mpy_RR(a[ 6], a[ 8])) * 2
+                 + Q6_P_mpy_RR(a[ 7], a[ 7]);
+    int64_t t15  =( Q6_P_mpy_RR(a[ 6], a[ 9])
+                 + Q6_P_mpy_RR(a[ 7], a[ 8])) * 2;
+    int64_t t16  = Q6_P_mpy_RR(a[ 7], a[ 9]) * 2
+                 + Q6_P_mpy_RR(a[ 8], a[ 8]);
+    int64_t t17  = Q6_P_mpy_RR(a[ 8], a[ 9]) * 2;
+    int64_t t18  = Q6_P_mpy_RR(a[ 9], a[ 9]);
+
+    t1   += t0  >> 26; r[ 0] = t0  & 0x3ffffff;
+    t2   += t1  >> 26; r[ 1] = t1  & 0x3ffffff;
+    t3   += t2  >> 26; r[ 2] = t2  & 0x3ffffff;
+    t4   += t3  >> 26; r[ 3] = t3  & 0x3ffffff;
+    t5   += t4  >> 26; r[ 4] = t4  & 0x3ffffff;
+    t6   += t5  >> 26; r[ 5] = t5  & 0x3ffffff;
+    t7   += t6  >> 26; r[ 6] = t6  & 0x3ffffff;
+    t8   += t7  >> 26; r[ 7] = t7  & 0x3ffffff;
+    t9   += t8  >> 26; r[ 8] = t8  & 0x3ffffff;
+    t10  += t9  >> 26; r[ 9] = t9  & 0x3ffffff;
+    t11  += t10 >> 26; r[10] = t10 & 0x3ffffff;
+    t12  += t11 >> 26; r[11] = t11 & 0x3ffffff;
+    t13  += t12 >> 26; r[12] = t12 & 0x3ffffff;
+    t14  += t13 >> 26; r[13] = t13 & 0x3ffffff;
+    t15  += t14 >> 26; r[14] = t14 & 0x3ffffff;
+    t16  += t15 >> 26; r[15] = t15 & 0x3ffffff;
+    t17  += t16 >> 26; r[16] = t16 & 0x3ffffff;
+    t18  += t17 >> 26; r[17] = t17 & 0x3ffffff;
+    r[19] = (sp_digit)(t18 >> 26);
+                       r[18] = t18 & 0x3ffffff;
+}
+
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_10(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_256_sqr_10(r, a);
+    sp_256_mont_reduce_10(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_10(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_10(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_10(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint32_t p256_mod_2[8] = {
+    0xfffffffdU,0xffffffffU,0xffffffffU,0x00000000U,0x00000000U,0x00000000U,
+    0x00000001U,0xffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_10(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 10);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_10(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_2[i / 32] & ((sp_digit)1 << (i % 32)))
+            sp_256_mont_mul_10(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 10);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + Q6_P_mpy_RR(2, 10);
+    sp_digit* t3 = td + Q6_P_mpy_RR(4, 10);
+
+    /* t = a^2 */
+    sp_256_mont_sqr_10(t, a, p256_mod, p256_mp_mod);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_10(t, t, a, p256_mod, p256_mp_mod);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_10(t2, t, 2, p256_mod, p256_mp_mod);
+    /* t3= a^d = t2 * a */
+    sp_256_mont_mul_10(t3, t2, a, p256_mod, p256_mp_mod);
+    /* t = a^f = t2 * t */
+    sp_256_mont_mul_10(t, t2, t, p256_mod, p256_mp_mod);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_10(t2, t, 4, p256_mod, p256_mp_mod);
+    /* t3= a^fd = t2 * t3 */
+    sp_256_mont_mul_10(t3, t2, t3, p256_mod, p256_mp_mod);
+    /* t = a^ff = t2 * t */
+    sp_256_mont_mul_10(t, t2, t, p256_mod, p256_mp_mod);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_10(t2, t, 8, p256_mod, p256_mp_mod);
+    /* t3= a^fffd = t2 * t3 */
+    sp_256_mont_mul_10(t3, t2, t3, p256_mod, p256_mp_mod);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_10(t, t2, t, p256_mod, p256_mp_mod);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_10(t2, t, 16, p256_mod, p256_mp_mod);
+    /* t3= a^fffffffd = t2 * t3 */
+    sp_256_mont_mul_10(t3, t2, t3, p256_mod, p256_mp_mod);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_10(t, t2, t, p256_mod, p256_mp_mod);
+    /* t = a^ffffffff00000000 = t ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_10(t2, t, 32, p256_mod, p256_mp_mod);
+    /* t2= a^ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_10(t, t2, t, p256_mod, p256_mp_mod);
+    /* t2= a^ffffffff00000001 = t2 * a */
+    sp_256_mont_mul_10(t2, t2, a, p256_mod, p256_mp_mod);
+    /* t2= a^ffffffff000000010000000000000000000000000000000000000000
+     *   = t2 ^ 2 ^ 160 */
+    sp_256_mont_sqr_n_10(t2, t2, 160, p256_mod, p256_mp_mod);
+    /* t2= a^ffffffff00000001000000000000000000000000ffffffffffffffff
+     *   = t2 * t */
+    sp_256_mont_mul_10(t2, t2, t, p256_mod, p256_mp_mod);
+    /* t2= a^ffffffff00000001000000000000000000000000ffffffffffffffff00000000
+     *   = t2 ^ 2 ^ 32 */
+    sp_256_mont_sqr_n_10(t2, t2, 32, p256_mod, p256_mp_mod);
+    /* r = a^ffffffff00000001000000000000000000000000fffffffffffffffffffffffd
+     *   = t2 * t3 */
+    sp_256_mont_mul_10(r, t2, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+
+/* Map the Montgomery form projective co-ordinate point to an affine point.
+ *
+ * r  Resulting affine co-ordinate point.
+ * p  Montgomery form projective co-ordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_10(sp_point* r, const sp_point* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + Q6_P_mpy_RR(2, 10);
+    int32_t n;
+
+    sp_256_mont_inv_10(t1, p->z, t + 2*10);
+
+    sp_256_mont_sqr_10(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_10(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 10, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_10(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_10(r->x, p256_mod);
+    sp_256_cond_sub_10(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_10(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 10, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_10(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_10(r->y, p256_mod);
+    sp_256_cond_sub_10(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+#if 0
+    r[ 0] = Q6_R_add_RR(a[0], b[0]);
+    r[ 1] = Q6_R_add_RR(a[1], b[1]);
+    r[ 2] = Q6_R_add_RR(a[2], b[2]);
+    r[ 3] = Q6_R_add_RR(a[3], b[3]);
+    r[ 4] = Q6_R_add_RR(a[4], b[4]);
+    r[ 5] = Q6_R_add_RR(a[5], b[5]);
+    r[ 6] = Q6_R_add_RR(a[6], b[6]);
+    r[ 7] = Q6_R_add_RR(a[7], b[7]);
+    r[ 8] = Q6_R_add_RR(a[8], b[8]);
+    r[ 9] = Q6_R_add_RR(a[9], b[9]);
+#endif
+#if 1
+    __asm__ __volatile__ (
+        "{ r1 = memw(%[a]+#0)  \n"
+        "  r2 = memw(%[b]+#0) }\n"
+        "{ r3 = memw(%[a]+#4)  \n"
+        "  r19 = add(r1,r2)    \n"
+        "  r4 = memw(%[b]+#4) }\n"
+        "{ r5 = memw(%[a]+#8)  \n"
+        "  r20 = add(r3,r4)    \n"
+        "  r6 = memw(%[b]+#8) }\n"
+        "{ memw(%[r]+#0) = r19 }\n"
+        "{ r7 = memw(%[a]+#12)  \n"
+        "  r21 = add(r5,r6)    \n"
+        "  r8 = memw(%[b]+#12) }\n"
+        "{ memw(%[r]+#4) = r20 }\n"
+        "{ r9 = memw(%[a]+#16)  \n"
+        "  r22 = add(r7,r8)     \n"
+        "  r10 = memw(%[b]+#16) }\n"
+        "{ memw(%[r]+#8) = r21 }\n"
+        "{ r11 = memw(%[a]+#20)  \n"
+        "  r23 = add(r9,r10)     \n"
+        "  r12 = memw(%[b]+#20) }\n"
+        "{ memw(%[r]+#12) = r22 }\n"
+        "{ r13 = memw(%[a]+#24)  \n"
+        "  r24 = add(r11,r12)     \n"
+        "  r14 = memw(%[b]+#24) }\n"
+        "{ memw(%[r]+#16) = r23 }\n"
+        "{ r15 = memw(%[a]+#28)  \n"
+        "  r25 = add(r13,r14)     \n"
+        "  r16 = memw(%[b]+#28) }\n"
+        "{ memw(%[r]+#20) = r24 }\n"
+        "{ r17 = memw(%[a]+#32)  \n"
+        "  r26 = add(r15,r16)     \n"
+        "  r18 = memw(%[b]+#32) }\n"
+        "{ memw(%[r]+#24) = r25 }\n"
+        "{ r5 = memw(%[a]+#36)  \n"
+        "  r19 = add(r17,r18)    \n"
+        "  r6 = memw(%[b]+#36) }\n"
+        "{ memw(%[r]+#28) = r26 }\n"
+        "{ r20 = add(r5,r6)      \n"
+            "  memw(%[r]+#32) = r19 }\n"
+        "{ memw(%[r]+#36) = r20 }\n"
+        : [r] "+r" (r)
+        : [a] "r"(a), [b] "r"(b)
+        : "memory", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23", "r24", "r25", "r26"
+    );
+#endif
+    return 0;
+}
+
+
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_add_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, b);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_dbl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_tpl_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    (void)sp_256_add_10(r, a, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+    (void)sp_256_add_10(r, r, a);
+    sp_256_norm_10(r);
+    sp_256_cond_sub_10(r, r, m, 0 - (((r[9] >> 22) > 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_10(r);
+}
+
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+SP_NOINLINE static int sp_256_sub_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b)
+{
+#if 0
+    r[ 0] = Q6_R_sub_RR(a[0], b[0]);
+    r[ 1] = Q6_R_sub_RR(a[1], b[1]);
+    r[ 2] = Q6_R_sub_RR(a[2], b[2]);
+    r[ 3] = Q6_R_sub_RR(a[3], b[3]);
+    r[ 4] = Q6_R_sub_RR(a[4], b[4]);
+    r[ 5] = Q6_R_sub_RR(a[5], b[5]);
+    r[ 6] = Q6_R_sub_RR(a[6], b[6]);
+    r[ 7] = Q6_R_sub_RR(a[7], b[7]);
+    r[ 8] = Q6_R_sub_RR(a[8], b[8]);
+    r[ 9] = Q6_R_sub_RR(a[9], b[9]);
+#endif
+#if 1
+    __asm__ __volatile__ (
+        "{ r1 = memw(%[a]+#0)  \n"
+        "  r2 = memw(%[b]+#0) }\n"
+        "{ r3 = memw(%[a]+#4)  \n"
+        "  r19 = sub(r1,r2)    \n"
+        "  r4 = memw(%[b]+#4) }\n"
+        "{ r5 = memw(%[a]+#8)  \n"
+        "  r20 = sub(r3,r4)    \n"
+        "  r6 = memw(%[b]+#8) }\n"
+        "{ memw(%[r]+#0) = r19 }\n"
+        "{ r7 = memw(%[a]+#12)  \n"
+        "  r21 = sub(r5,r6)    \n"
+        "  r8 = memw(%[b]+#12) }\n"
+        "{ memw(%[r]+#4) = r20 }\n"
+        "{ r9 = memw(%[a]+#16)  \n"
+        "  r22 = sub(r7,r8)     \n"
+        "  r10 = memw(%[b]+#16) }\n"
+        "{ memw(%[r]+#8) = r21 }\n"
+        "{ r11 = memw(%[a]+#20)  \n"
+        "  r23 = sub(r9,r10)     \n"
+        "  r12 = memw(%[b]+#20) }\n"
+        "{ memw(%[r]+#12) = r22 }\n"
+        "{ r13 = memw(%[a]+#24)  \n"
+        "  r24 = sub(r11,r12)     \n"
+        "  r14 = memw(%[b]+#24) }\n"
+        "{ memw(%[r]+#16) = r23 }\n"
+        "{ r15 = memw(%[a]+#28)  \n"
+        "  r25 = sub(r13,r14)     \n"
+        "  r16 = memw(%[b]+#28) }\n"
+        "{ memw(%[r]+#20) = r24 }\n"
+        "{ r17 = memw(%[a]+#32)  \n"
+        "  r26 = sub(r15,r16)     \n"
+        "  r18 = memw(%[b]+#32) }\n"
+        "{ memw(%[r]+#24) = r25 }\n"
+        "{ r5 = memw(%[a]+#36)  \n"
+        "  r19 = sub(r17,r18)    \n"
+        "  r6 = memw(%[b]+#36) }\n"
+        "{ memw(%[r]+#28) = r26 }\n"
+        "{ r20 = sub(r5,r6)      \n"
+            "  memw(%[r]+#32) = r19 }\n"
+        "{ memw(%[r]+#36) = r20 }\n"
+        : [r] "+r" (r)
+        : [a] "r"(a), [b] "r"(b)
+        : "memory", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15", "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23", "r24", "r25", "r26"
+    );
+#endif
+    return 0;
+}
+
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+static void sp_256_cond_add_10(sp_digit* r, const sp_digit* a,
+        const sp_digit* b, const sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        r[i] = a[i] + (b[i] & m);
+    }
+#else
+    r[ 0] = Q6_R_add_RR(a[ 0], Q6_R_and_RR(b[ 0], m));
+    r[ 1] = Q6_R_add_RR(a[ 1], Q6_R_and_RR(b[ 1], m));
+    r[ 2] = Q6_R_add_RR(a[ 2], Q6_R_and_RR(b[ 2], m));
+    r[ 3] = Q6_R_add_RR(a[ 3], Q6_R_and_RR(b[ 3], m));
+    r[ 4] = Q6_R_add_RR(a[ 4], Q6_R_and_RR(b[ 4], m));
+    r[ 5] = Q6_R_add_RR(a[ 5], Q6_R_and_RR(b[ 5], m));
+    r[ 6] = Q6_R_add_RR(a[ 6], Q6_R_and_RR(b[ 6], m));
+    r[ 7] = Q6_R_add_RR(a[ 7], Q6_R_and_RR(b[ 7], m));
+    r[ 8] = Q6_R_add_RR(a[ 8], Q6_R_and_RR(b[ 8], m));
+    r[ 9] = Q6_R_add_RR(a[ 9], Q6_R_and_RR(b[ 9], m));
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_256_mont_sub_10(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    (void)sp_256_sub_10(r, a, b);
+    sp_256_cond_add_10(r, r, m, r[9] >> 22);
+    sp_256_norm_10(r);
+}
+
+
+/* Shift number left one bit.
+ * Bottom bit is lost.
+ *
+ * r  Result of shift.
+ * a  Number to shift.
+ */
+SP_NOINLINE static void sp_256_rshift1_10(sp_digit* r, sp_digit* a)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<9; i++) {
+        r[i] = ((a[i] >> 1) | (a[i + 1] << 25)) & 0x3ffffff;
+    }
+#else
+    r[0] = ((a[0] >> 1) | Q6_R_and_RR((a[1] << 25), 0x3ffffff));
+    r[1] = ((a[1] >> 1) | Q6_R_and_RR((a[2] << 25), 0x3ffffff));
+    r[2] = ((a[2] >> 1) | Q6_R_and_RR((a[3] << 25), 0x3ffffff));
+    r[3] = ((a[3] >> 1) | Q6_R_and_RR((a[4] << 25), 0x3ffffff));
+    r[4] = ((a[4] >> 1) | Q6_R_and_RR((a[5] << 25), 0x3ffffff));
+    r[5] = ((a[5] >> 1) | Q6_R_and_RR((a[6] << 25), 0x3ffffff));
+    r[6] = ((a[6] >> 1) | Q6_R_and_RR((a[7] << 25), 0x3ffffff));
+    r[7] = ((a[7] >> 1) | Q6_R_and_RR((a[8] << 25), 0x3ffffff));
+    r[8] = ((a[8] >> 1) | Q6_R_and_RR((a[9] << 25), 0x3ffffff));
+#endif
+    r[9] = a[9] >> 1;
+}
+
+
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+static void sp_256_div2_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_256_cond_add_10(r, a, m, 0 - (a[0] & 1));
+    sp_256_norm_10(r);
+    sp_256_rshift1_10(r, r);
+}
+
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_10(sp_point* r, const sp_point* p, sp_digit* t)
+{
+    sp_point* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* When infinity don't double point passed in - constant time. */
+    rp[0] = r;
+
+    /*lint allow cast to different type of pointer*/
+    rp[1] = (sp_point*)t; /*lint !e9087 !e740*/
+    XMEMSET(rp[1], 0, sizeof(sp_point));
+    x = rp[p->infinity]->x;
+    y = rp[p->infinity]->y;
+    z = rp[p->infinity]->z;
+    /* Put point to double into result - good for infinity. */
+    if (r != p) {
+        for (i=0; i<10; i++) {
+            r->x[i] = p->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = p->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = p->z[i];
+        }
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_10(t1, z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_10(z, y, z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_10(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_10(t2, x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_10(t1, x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_10(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_10(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_10(y, y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_10(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_10(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_10(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_10(y, y, x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_mul_10(x, t1, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_10(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_10(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_10(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_10(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_10(y, y, t2, p256_mod);
+
+}
+
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_10(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5]) | (a[6] ^ b[6]) | (a[7] ^ b[7]) |
+            (a[8] ^ b[8]) | (a[9] ^ b[9])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_10(sp_point* r, const sp_point* p, const sp_point* q,
+        sp_digit* t)
+{
+    const sp_point* ap[2];
+    sp_point* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* t3 = t + 4*10;
+    sp_digit* t4 = t + 6*10;
+    sp_digit* t5 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_10(t1, p256_mod, q->y);
+    sp_256_norm_10(t1);
+    if ((sp_256_cmp_equal_10(p->x, q->x) & sp_256_cmp_equal_10(p->z, q->z) &
+        (sp_256_cmp_equal_10(p->y, q->y) | sp_256_cmp_equal_10(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_10(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<10; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_10(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_10(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_10(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_10(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_10(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_10(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_10(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_10(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_10(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(x, x, t5, p256_mod);
+        sp_256_mont_dbl_10(t1, y, p256_mod);
+        sp_256_mont_sub_10(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_mul_10(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(y, y, t5, p256_mod);
+    }
+}
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point* r, const sp_point* g, const sp_digit* k,
+        int map, void* heap)
+{
+    sp_point* td;
+    sp_point* t[3];
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+    td = (sp_point*)XMALLOC(sizeof(sp_point) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (td == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                                                              DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+
+    if (err == MP_OKAY) {
+        XMEMSET(td, 0, sizeof(*td) * 3);
+
+        t[0] = &td[0];
+        t[1] = &td[1];
+        t[2] = &td[2];
+
+        /* t[0] = {0, 0, 1} * norm */
+        t[0]->infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_10(t[1]->x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1]->y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1]->z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 9;
+        c = 22;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_10(t[y^1], t[0], t[1], tmp);
+
+            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
+                                  ((size_t)t[1] & addr_mask[y])),
+                    sizeof(sp_point));
+            sp_256_proj_point_dbl_10(t[2], t[2], tmp);
+            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
+                            ((size_t)t[1] & addr_mask[y])), t[2],
+                    sizeof(sp_point));
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, t[0], sizeof(sp_point));
+        }
+    }
+
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+    if (td != NULL) {
+        XMEMSET(td, 0, sizeof(sp_point) * 3);
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+    }
+
+    return err;
+}
+
+#elif defined(WOLFSSL_SP_CACHE_RESISTANT)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point* r, const sp_point* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_point td[3];
+    sp_digit tmpd[2 * 10 * 5];
+#endif
+    sp_point* t;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+    (void)heap;
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    sp_point td[3];
+    t = (sp_point*)XMALLOC(sizeof(*td) * 3, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        t[0] = &td[0];
+        t[1] = &td[1];
+        t[2] = &td[2];
+
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_10(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].y, g->y, p256_mod);
+    if (err == MP_OKAY)
+        err = sp_256_mod_mul_norm_10(t[1].z, g->z, p256_mod);
+
+    if (err == MP_OKAY) {
+        i = 9;
+        c = 22;
+        n = k[i--] << (26 - c);
+        for (; ; c--) {
+            if (c == 0) {
+                if (i == -1)
+                    break;
+
+                n = k[i--];
+                c = 26;
+            }
+
+            y = (n >> 25) & 1;
+            n <<= 1;
+
+            sp_256_proj_point_add_10(&t[y^1], &t[0], &t[1], tmp);
+
+            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                                 ((size_t)&t[1] & addr_mask[y])), sizeof(t[2]));
+            sp_256_proj_point_dbl_10(&t[2], &t[2], tmp);
+            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
+                          ((size_t)&t[1] & addr_mask[y])), &t[2], sizeof(t[2]));
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, &t[0], tmp);
+        }
+        else {
+            XMEMCPY(r, &t[0], sizeof(sp_point));
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point) * 3);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+
+    return err;
+}
+
+#else
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry {
+    sp_digit x[10] __attribute__((aligned(128)));
+    sp_digit y[10] __attribute__((aligned(128)));
+} sp_table_entry;
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_fast_10(sp_point* r, const sp_point* g, const sp_digit* k,
+        int map, void* heap)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_point td[16];
+    sp_point rtd;
+    sp_digit tmpd[2 * 10 * 5];
+#endif
+    sp_point* t;
+    sp_point* rt;
+    sp_digit* tmp;
+    sp_digit n;
+    int i;
+    int c, y;
+    int err;
+
+    (void)heap;
+
+    err = sp_ecc_point_new(heap, rtd, rt);
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    t = (sp_point*)XMALLOC(sizeof(sp_point) * 16, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        (void)sp_256_mod_mul_norm_10(t[1].x, g->x, p256_mod);
+        (void)sp_256_mod_mul_norm_10(t[1].y, g->y, p256_mod);
+        (void)sp_256_mod_mul_norm_10(t[1].z, g->z, p256_mod);
+        t[1].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 2], &t[ 1], tmp);
+        t[ 2].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 3], &t[ 2], &t[ 1], tmp);
+        t[ 3].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 4], &t[ 2], tmp);
+        t[ 4].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 5], &t[ 3], &t[ 2], tmp);
+        t[ 5].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 6], &t[ 3], tmp);
+        t[ 6].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 7], &t[ 4], &t[ 3], tmp);
+        t[ 7].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[ 8], &t[ 4], tmp);
+        t[ 8].infinity = 0;
+        sp_256_proj_point_add_10(&t[ 9], &t[ 5], &t[ 4], tmp);
+        t[ 9].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[10], &t[ 5], tmp);
+        t[10].infinity = 0;
+        sp_256_proj_point_add_10(&t[11], &t[ 6], &t[ 5], tmp);
+        t[11].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[12], &t[ 6], tmp);
+        t[12].infinity = 0;
+        sp_256_proj_point_add_10(&t[13], &t[ 7], &t[ 6], tmp);
+        t[13].infinity = 0;
+        sp_256_proj_point_dbl_10(&t[14], &t[ 7], tmp);
+        t[14].infinity = 0;
+        sp_256_proj_point_add_10(&t[15], &t[ 8], &t[ 7], tmp);
+        t[15].infinity = 0;
+
+        i = 8;
+        n = k[i+1] << 6;
+        c = 18;
+        y = n >> 24;
+        XMEMCPY(rt, &t[y], sizeof(sp_point));
+        n <<= 8;
+        for (; i>=0 || c>=4; ) {
+            if (c < 4) {
+                n |= k[i--] << (6 - c);
+                c += 26;
+            }
+            y = (n >> 28) & 0xf;
+            n <<= 4;
+            c -= 4;
+
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+            sp_256_proj_point_dbl_10(rt, rt, tmp);
+
+            sp_256_proj_point_add_10(rt, rt, &t[y], tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point));
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 10 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_point) * 16);
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmpd, sizeof(tmpd));
+    ForceZero(td, sizeof(td));
+#endif
+    sp_ecc_point_free(rt, 1, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_10(sp_point* r, const sp_point* p, int n,
+        sp_digit* t)
+{
+    sp_point* rp[2];
+    sp_digit* w = t;
+    sp_digit* a = t + 2*10;
+    sp_digit* b = t + 4*10;
+    sp_digit* t1 = t + 6*10;
+    sp_digit* t2 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    rp[0] = r;
+
+    /*lint allow cast to different type of pointer*/
+    rp[1] = (sp_point*)t; /*lint !e9087 !e740*/
+    XMEMSET(rp[1], 0, sizeof(sp_point));
+    x = rp[p->infinity]->x;
+    y = rp[p->infinity]->y;
+    z = rp[p->infinity]->z;
+    if (r != p) {
+        for (i=0; i<10; i++) {
+            r->x[i] = p->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = p->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = p->z[i];
+        }
+        r->infinity = p->infinity;
+    }
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_10(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_10(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_10(w, w, p256_mod, p256_mp_mod);
+    while (n-- > 0) {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_10(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_10(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_10(t2, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(b, t2, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_10(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_10(t1, b, p256_mod);
+        sp_256_mont_sub_10(x, x, t1, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_10(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_10(t2, t2, p256_mod, p256_mp_mod);
+        if (n != 0) {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_10(w, w, t2, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_10(y, b, x, p256_mod);
+        sp_256_mont_mul_10(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_10(y, y, p256_mod);
+        sp_256_mont_sub_10(y, y, t2, p256_mod);
+    }
+    /* Y = Y/2 */
+    sp_256_div2_10(y, y, p256_mod);
+}
+
+#endif /* FP_ECC */
+
+
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_10(sp_point* r, const sp_point* p,
+        const sp_point* q, sp_digit* t)
+{
+    const sp_point* ap[2];
+    sp_point* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*10;
+    sp_digit* t3 = t + 4*10;
+    sp_digit* t4 = t + 6*10;
+    sp_digit* t5 = t + 8*10;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_10(t1, p256_mod, q->y);
+    sp_256_norm_10(t1);
+    if ((sp_256_cmp_equal_10(p->x, q->x) & sp_256_cmp_equal_10(p->z, q->z) &
+        (sp_256_cmp_equal_10(p->y, q->y) | sp_256_cmp_equal_10(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_10(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<10; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<10; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<10; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_10(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_10(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_10(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_10(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_10(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_10(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_10(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_10(t1, t3, p256_mod);
+        sp_256_mont_sub_10(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_10(t3, t3, x, p256_mod);
+        sp_256_mont_mul_10(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_10(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_10(sp_point* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 10;
+    sp_digit* tmp = t + 4 * 10;
+
+    sp_256_mont_inv_10(t1, a->z, tmp);
+
+    sp_256_mont_sqr_10(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_10(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_10(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_10(const sp_point* a,
+        sp_table_entry* table, sp_digit* tmp, void* heap)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_point td, s1d, s2d;
+#endif
+    sp_point* t;
+    sp_point* s1 = NULL;
+    sp_point* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_ecc_point_new(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_ecc_point_new(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_ecc_point_new(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_10(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_10(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_10(t, t, 32, tmp);
+            sp_256_proj_to_affine_10(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_10(t, s1, s2, tmp);
+                sp_256_proj_to_affine_10(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_ecc_point_free(s2, 0, heap);
+    sp_ecc_point_free(s1, 0, heap);
+    sp_ecc_point_free( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_10(sp_point* r, const sp_point* g,
+        const sp_table_entry* table, const sp_digit* k, int map, void* heap)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_point rtd;
+    sp_point pd;
+    sp_digit td[2 * 10 * 5];
+#endif
+    sp_point* rt;
+    sp_point* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+    err = sp_ecc_point_new(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_ecc_point_new(heap, pd, p);
+    }
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 26] >> (x % 26)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_10(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_10(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_10(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point));
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_ecc_point_free(p, 0, heap);
+    sp_ecc_point_free(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_t {
+    sp_digit x[10] __attribute__((aligned(128)));
+    sp_digit y[10] __attribute__((aligned(128)));
+    sp_table_entry table[256] __attribute__((aligned(128)));
+    uint32_t cnt;
+    int set;
+} sp_cache_t;
+
+static THREAD_LS_T sp_cache_t sp_cache[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_last = -1;
+static THREAD_LS_T int sp_cache_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex = 0;
+    static wolfSSL_Mutex sp_cache_lock;
+#endif
+
+static void sp_ecc_get_cache(const sp_point* g, sp_cache_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache[i].set = 0;
+        }
+        sp_cache_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_10(g->x, sp_cache[i].x) &
+                           sp_256_cmp_equal_10(g->y, sp_cache[i].y)) {
+            sp_cache[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_last) {
+            least = sp_cache[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache[j].cnt < least) {
+                    i = j;
+                    least = sp_cache[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache[i].x, g->x, sizeof(sp_cache[i].x));
+        XMEMCPY(sp_cache[i].y, g->y, sizeof(sp_cache[i].y));
+        sp_cache[i].set = 1;
+        sp_cache[i].cnt = 1;
+    }
+
+    *cache = &sp_cache[i];
+    sp_cache_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_10(sp_point* r, const sp_point* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_fast_10(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 10 * 5];
+    sp_cache_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex == 0) {
+         wc_InitMutex(&sp_cache_lock);
+         initCacheMutex = 1;
+    }
+    if (wc_LockMutex(&sp_cache_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_10(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_fast_10(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_10(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif
+
+#ifdef WOLFSSL_SP_SMALL
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_10(sp_point* r, const sp_digit* k,
+        int map, void* heap)
+{
+    /* No pre-computed values. */
+    return sp_256_ecc_mulmod_10(r, &p256_base, k, map, heap);
+}
+
+#else
+static const sp_table_entry p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x0a9143c,0x1cc3506,0x360179e,0x3f17fb6,0x075ba95,0x1d88944,
+        0x3b732b7,0x15719e7,0x376a537,0x0062417 },
+      { 0x295560a,0x094d5f3,0x245cddf,0x392e867,0x18b4ab8,0x3487cc9,
+        0x288688d,0x176174b,0x3182588,0x0215c7f } },
+    /* 2 */
+    { { 0x147519a,0x2218090,0x32f0202,0x2b09acd,0x0d0981e,0x1e17af2,
+        0x14a7caa,0x163a6a7,0x10ddbdf,0x03654f1 },
+      { 0x1590f8f,0x0d8733f,0x09179d6,0x1ad139b,0x372e962,0x0bad933,
+        0x1961102,0x223cdff,0x37e9eb2,0x0218fae } },
+    /* 3 */
+    { { 0x0db6485,0x1ad88d7,0x2f97785,0x288bc28,0x3808f0e,0x3df8c02,
+        0x28d9544,0x20280f9,0x055b5ff,0x00001d8 },
+      { 0x38d2010,0x13ae6e0,0x308a763,0x2ecc90d,0x254014f,0x10a9981,
+        0x247d398,0x0fb8383,0x3613437,0x020c21d } },
+    /* 4 */
+    { { 0x2a0d2bb,0x08bf145,0x34994f9,0x1b06988,0x30d5cc1,0x1f18b22,
+        0x01cf3a5,0x199fe49,0x161fd1b,0x00bd79a },
+      { 0x1a01797,0x171c2fd,0x21925c1,0x1358255,0x23d20b4,0x1c7f6d4,
+        0x111b370,0x03dec12,0x1168d6f,0x03d923e } },
+    /* 5 */
+    { { 0x137bbbc,0x19a11f8,0x0bec9e5,0x27a29a8,0x3e43446,0x275cd18,
+        0x0427617,0x00056c7,0x285133d,0x016af80 },
+      { 0x04c7dab,0x2a0df30,0x0c0792a,0x1310c98,0x3573d9f,0x239b30d,
+        0x1315627,0x1ce0c32,0x25b6b6f,0x0252edc } },
+    /* 6 */
+    { { 0x20f141c,0x26d23dc,0x3c74bbf,0x334b7d6,0x06199b3,0x0441171,
+        0x3f61294,0x313bf70,0x3cb2f7d,0x03375ae },
+      { 0x2f436fd,0x19c02fa,0x26becca,0x1b6e64c,0x26f647f,0x053c948,
+        0x0fa7920,0x397d830,0x2bd4bda,0x028d86f } },
+    /* 7 */
+    { { 0x17c13c7,0x2895616,0x03e128a,0x17d42df,0x1c38d63,0x0f02747,
+        0x039aecf,0x0a4b01c,0x209c4b5,0x02e84b2 },
+      { 0x1f91dfd,0x023e916,0x07fb9e4,0x19b3ba8,0x13af43b,0x35e02ca,
+        0x0eb0899,0x3bd2c7b,0x19d701f,0x014faee } },
+    /* 8 */
+    { { 0x0e63d34,0x1fb8c6c,0x0fab4fe,0x1caa795,0x0f46005,0x179ed69,
+        0x093334d,0x120c701,0x39206d5,0x021627e },
+      { 0x183553a,0x03d7319,0x09e5aa7,0x12b8959,0x2087909,0x0011194,
+        0x1045071,0x0713f32,0x16d0254,0x03aec1a } },
+    /* 9 */
+    { { 0x01647c5,0x1b2856b,0x1799461,0x11f133d,0x0b8127d,0x1937eeb,
+        0x266aa37,0x1f68f71,0x0cbd1b2,0x03aca08 },
+      { 0x287e008,0x1be361a,0x38f3940,0x276488d,0x2d87dfa,0x0333b2c,
+        0x2d2e428,0x368755b,0x09b55a7,0x007ca0a } },
+    /* 10 */
+    { { 0x389da99,0x2a8300e,0x0022abb,0x27ae0a1,0x0a6f2d7,0x207017a,
+        0x047862b,0x1358c9e,0x35905e5,0x00cde92 },
+      { 0x1f7794a,0x1d40348,0x3f613c6,0x2ddf5b5,0x0207005,0x133f5ba,
+        0x1a37810,0x3ef5829,0x0d5f4c2,0x0035978 } },
+    /* 11 */
+    { { 0x1275d38,0x026efad,0x2358d9d,0x1142f82,0x14268a7,0x1cfac99,
+        0x362ff49,0x288cbc1,0x24252f4,0x0308f68 },
+      { 0x394520c,0x06e13c2,0x178e5da,0x18ec16f,0x1096667,0x134a7a8,
+        0x0dcb869,0x33fc4e9,0x38cc790,0x006778e } },
+    /* 12 */
+    { { 0x2c5fe04,0x29c5b09,0x1bdb183,0x02ceee8,0x03b28de,0x132dc4b,
+        0x32c586a,0x32ff5d0,0x3d491fc,0x038d372 },
+      { 0x2a58403,0x2351aea,0x3a53b40,0x21a0ba5,0x39a6974,0x1aaaa2b,
+        0x3901273,0x03dfe78,0x3447b4e,0x039d907 } },
+    /* 13 */
+    { { 0x364ba59,0x14e5077,0x02fc7d7,0x3b02c09,0x1d33f10,0x0560616,
+        0x06dfc6a,0x15efd3c,0x357052a,0x01284b7 },
+      { 0x039dbd0,0x18ce3e5,0x3e1fbfa,0x352f794,0x0d3c24b,0x07c6cc5,
+        0x1e4ffa2,0x3a91bf5,0x293bb5b,0x01abd6a } },
+    /* 14 */
+    { { 0x0c91999,0x02da644,0x0491da1,0x100a960,0x00a24b4,0x2330824,
+        0x0094b4b,0x1004cf8,0x35a66a4,0x017f8d1 },
+      { 0x13e7b4b,0x232af7e,0x391ab0f,0x069f08f,0x3292b50,0x3479898,
+        0x2889aec,0x2a4590b,0x308ecfe,0x02d5138 } },
+    /* 15 */
+    { { 0x2ddfdce,0x231ba45,0x39e6647,0x19be245,0x12c3291,0x35399f8,
+        0x0d6e764,0x3082d3a,0x2bda6b0,0x0382dac },
+      { 0x37efb57,0x04b7cae,0x00070d3,0x379e431,0x01aac0d,0x1e6f251,
+        0x0336ad6,0x0ddd3e4,0x3de25a6,0x01c7008 } },
+    /* 16 */
+    { { 0x3e20925,0x230912f,0x286762a,0x30e3f73,0x391c19a,0x34e1c18,
+        0x16a5d5d,0x093d96a,0x3d421d3,0x0187561 },
+      { 0x37173ea,0x19ce8a8,0x0b65e87,0x0214dde,0x2238480,0x16ead0f,
+        0x38441e0,0x3bef843,0x2124621,0x03e847f } },
+    /* 17 */
+    { { 0x0b19ffd,0x247cacb,0x3c231c8,0x16ec648,0x201ba8d,0x2b172a3,
+        0x103d678,0x2fb72db,0x04c1f13,0x0161bac },
+      { 0x3e8ed09,0x171b949,0x2de20c3,0x0f06067,0x21e81a3,0x1b194be,
+        0x0fd6c05,0x13c449e,0x0087086,0x006756b } },
+    /* 18 */
+    { { 0x09a4e1f,0x27d604c,0x00741e9,0x06fa49c,0x0ab7de7,0x3f4a348,
+        0x25ef0be,0x158fc9a,0x33f7f9c,0x039f001 },
+      { 0x2f59f76,0x3598e83,0x30501f6,0x15083f2,0x0669b3b,0x29980b5,
+        0x0c1f7a7,0x0f02b02,0x0fec65b,0x0382141 } },
+    /* 19 */
+    { { 0x031b3ca,0x23da368,0x2d66f09,0x27b9b69,0x06d1cab,0x13c91ba,
+        0x3d81fa9,0x25ad16f,0x0825b09,0x01e3c06 },
+      { 0x225787f,0x3bf790e,0x2c9bb7e,0x0347732,0x28016f8,0x0d6ff0d,
+        0x2a4877b,0x1d1e833,0x3b87e94,0x010e9dc } },
+    /* 20 */
+    { { 0x2b533d5,0x1ddcd34,0x1dc0625,0x3da86f7,0x3673b8a,0x1e7b0a4,
+        0x3e7c9aa,0x19ac55d,0x251c3b2,0x02edb79 },
+      { 0x25259b3,0x24c0ead,0x3480e7e,0x34f40e9,0x3d6a0af,0x2cf3f09,
+        0x2c83d19,0x2e66f16,0x19a5d18,0x0182d18 } },
+    /* 21 */
+    { { 0x2e5aa1c,0x28e3846,0x3658bd6,0x0ad279c,0x1b8b765,0x397e1fb,
+        0x130014e,0x3ff342c,0x3b2aeeb,0x02743c9 },
+      { 0x2730a55,0x0918c5e,0x083aca9,0x0bf76ef,0x19c955b,0x300669c,
+        0x01dfe0a,0x312341f,0x26d356e,0x0091295 } },
+    /* 22 */
+    { { 0x2cf1f96,0x00e52ba,0x271c6db,0x2a40930,0x19f2122,0x0b2f4ee,
+        0x26ac1b8,0x3bda498,0x0873581,0x0117963 },
+      { 0x38f9dbc,0x3d1e768,0x2040d3f,0x11ba222,0x3a8aaf1,0x1b82fb5,
+        0x1adfb24,0x2de9251,0x21cc1e4,0x0301038 } },
+    /* 23 */
+    { { 0x38117b6,0x2bc001b,0x1433847,0x3fdce8d,0x3651969,0x3651d7a,
+        0x2b35761,0x1bb1d20,0x097682c,0x00737d7 },
+      { 0x1f04839,0x1dd6d04,0x16987db,0x3d12378,0x17dbeac,0x1c2cc86,
+        0x121dd1b,0x3fcf6ca,0x1f8a92d,0x00119d5 } },
+    /* 24 */
+    { { 0x0e8ffcd,0x2b174af,0x1a82cc8,0x22cbf98,0x30d53c4,0x080b5b1,
+        0x3161727,0x297cfdb,0x2113b83,0x0011b97 },
+      { 0x0007f01,0x23fd936,0x3183e7b,0x0496bd0,0x07fb1ef,0x178680f,
+        0x1c5ea63,0x0016c11,0x2c3303d,0x01b8041 } },
+    /* 25 */
+    { { 0x0dd73b1,0x1cd6122,0x10d948c,0x23e657b,0x3767070,0x15a8aad,
+        0x385ea8c,0x33c7ce0,0x0ede901,0x0110965 },
+      { 0x2d4b65b,0x2a8b244,0x0c37f8f,0x0ee5b24,0x394c234,0x3a5e347,
+        0x26e4a15,0x39a3b4c,0x2514c2e,0x029e5be } },
+    /* 26 */
+    { { 0x23addd7,0x3ed8120,0x13b3359,0x20f959a,0x09e2a61,0x32fcf20,
+        0x05b78e3,0x19ba7e2,0x1a9c697,0x0392b4b },
+      { 0x2048a61,0x3dfd0a3,0x19a0357,0x233024b,0x3082d19,0x00fb63b,
+        0x3a1af4c,0x1450ff0,0x046c37b,0x0317a50 } },
+    /* 27 */
+    { { 0x3e75f9e,0x294e30a,0x3a78476,0x3a32c48,0x36fd1a9,0x0427012,
+        0x1e4df0b,0x11d1f61,0x1afdb46,0x018ca0f },
+      { 0x2f2df15,0x0a33dee,0x27f4ce7,0x1542b66,0x3e592c4,0x20d2f30,
+        0x3226ade,0x2a4e3ea,0x1ab1981,0x01a2f46 } },
+    /* 28 */
+    { { 0x087d659,0x3ab5446,0x305ac08,0x3d2cd64,0x33374d5,0x3f9d3f8,
+        0x186981c,0x37f5a5a,0x2f53c6f,0x01254a4 },
+      { 0x2cec896,0x1e32786,0x04844a8,0x043b16d,0x3d964b2,0x1935829,
+        0x16f7e26,0x1a0dd9a,0x30d2603,0x003b1d4 } },
+    /* 29 */
+    { { 0x12687bb,0x04e816b,0x21fa2da,0x1abccb8,0x3a1f83b,0x375181e,
+        0x0f5ef51,0x0fc2ce4,0x3a66486,0x003d881 },
+      { 0x3138233,0x1f8eec3,0x2718bd6,0x1b09caa,0x2dd66b9,0x1bb222b,
+        0x1004072,0x1b73e3b,0x07208ed,0x03fc36c } },
+    /* 30 */
+    { { 0x095d553,0x3e84053,0x0a8a749,0x3f575a0,0x3a44052,0x3ced59b,
+        0x3b4317f,0x03a8c60,0x13c8874,0x00c4ed4 },
+      { 0x0d11549,0x0b8ab02,0x221cb40,0x02ed37b,0x2071ee1,0x1fc8c83,
+        0x3987dd4,0x27e049a,0x0f986f1,0x00b4eaf } },
+    /* 31 */
+    { { 0x15581a2,0x2214060,0x11af4c2,0x1598c88,0x19a0a6d,0x32acba6,
+        0x3a7a0f0,0x2337c66,0x210ded9,0x0300dbe },
+      { 0x1fbd009,0x3822eb0,0x181629a,0x2401b45,0x30b68b1,0x2e78363,
+        0x2b32779,0x006530b,0x2c4b6d4,0x029aca8 } },
+    /* 32 */
+    { { 0x13549cf,0x0f943db,0x265ed43,0x1bfeb35,0x06f3369,0x3847f2d,
+        0x1bfdacc,0x26181a5,0x252af7c,0x02043b8 },
+      { 0x159bb2c,0x143f85c,0x357b654,0x2f9d62c,0x2f7dfbe,0x1a7fa9c,
+        0x057e74d,0x05d14ac,0x17a9273,0x035215c } },
+    /* 33 */
+    { { 0x0cb5a98,0x106a2bc,0x10bf117,0x24c7cc4,0x3d3da8f,0x2ce0ab7,
+        0x14e2cba,0x1813866,0x1a72f9a,0x01a9811 },
+      { 0x2b2411d,0x3034fe8,0x16e0170,0x0f9443a,0x0be0eb8,0x2196cf3,
+        0x0c9f738,0x15e40ef,0x0faf9e1,0x034f917 } },
+    /* 34 */
+    { { 0x03f7669,0x3da6efa,0x3d6bce1,0x209ca1d,0x109f8ae,0x09109e3,
+        0x08ae543,0x3067255,0x1dee3c2,0x0081dd5 },
+      { 0x3ef1945,0x358765b,0x28c387b,0x3bec4b4,0x218813c,0x0b7d92a,
+        0x3cd1d67,0x2c0367e,0x2e57154,0x0123717 } },
+    /* 35 */
+    { { 0x3e5a199,0x1e42ffd,0x0bb7123,0x33e6273,0x1e0efb8,0x294671e,
+        0x3a2bfe0,0x3d11709,0x2eddff6,0x03cbec2 },
+      { 0x0b5025f,0x0255d7c,0x1f2241c,0x35d03ea,0x0550543,0x202fef4,
+        0x23c8ad3,0x354963e,0x015db28,0x0284fa4 } },
+    /* 36 */
+    { { 0x2b65cbc,0x1e8d428,0x0226f9f,0x1c8a919,0x10b04b9,0x08fc1e8,
+        0x1ce241e,0x149bc99,0x2b01497,0x00afc35 },
+      { 0x3216fb7,0x1374fd2,0x226ad3d,0x19fef76,0x0f7d7b8,0x1c21417,
+        0x37b83f6,0x3a27eba,0x25a162f,0x010aa52 } },
+    /* 37 */
+    { { 0x2adf191,0x1ab42fa,0x28d7584,0x2409689,0x20f8a48,0x253707d,
+        0x2030504,0x378f7a1,0x169c65e,0x00b0b76 },
+      { 0x3849c17,0x085c764,0x10dd6d0,0x2e87689,0x1460488,0x30e9521,
+        0x10c7063,0x1b6f120,0x21f42c5,0x03d0dfe } },
+    /* 38 */
+    { { 0x20f7dab,0x035c512,0x29ac6aa,0x24c5ddb,0x20f0497,0x17ce5e1,
+        0x00a050f,0x1eaa14b,0x3335470,0x02abd16 },
+      { 0x18d364a,0x0df0cf0,0x316585e,0x018f925,0x0d40b9b,0x17b1511,
+        0x1716811,0x1caf3d0,0x10df4f2,0x0337d8c } },
+    /* 39 */
+    { { 0x2a8b7ef,0x0f188e3,0x2287747,0x06216f0,0x008e935,0x2f6a38d,
+        0x1567722,0x0bfc906,0x0bada9e,0x03c3402 },
+      { 0x014d3b1,0x099c749,0x2a76291,0x216c067,0x3b37549,0x14ef2f6,
+        0x21b96d4,0x1ee2d71,0x2f5ca88,0x016f570 } },
+    /* 40 */
+    { { 0x09a3154,0x3d1a7bd,0x2e9aef0,0x255b8ac,0x03e85a5,0x2a492a7,
+        0x2aec1ea,0x11c6516,0x3c8a09e,0x02a84b7 },
+      { 0x1f69f1d,0x09c89d3,0x1e7326f,0x0b28bfd,0x0e0e4c8,0x1ea7751,
+        0x18ce73b,0x2a406e7,0x273e48c,0x01b00db } },
+    /* 41 */
+    { { 0x36e3138,0x2b84a83,0x345a5cf,0x00096b4,0x16966ef,0x159caf1,
+        0x13c64b4,0x2f89226,0x25896af,0x00a4bfd },
+      { 0x2213402,0x1435117,0x09fed52,0x09d0e4b,0x0f6580e,0x2871cba,
+        0x3b397fd,0x1c9d825,0x090311b,0x0191383 } },
+    /* 42 */
+    { { 0x07153f0,0x1087869,0x18c9e1e,0x1e64810,0x2b86c3b,0x0175d9c,
+        0x3dce877,0x269de4e,0x393cab7,0x03c96b9 },
+      { 0x1869d0c,0x06528db,0x02641f3,0x209261b,0x29d55c8,0x25ba517,
+        0x3b5ea30,0x028f927,0x25313db,0x00e6e39 } },
+    /* 43 */
+    { { 0x2fd2e59,0x150802d,0x098f377,0x19a4957,0x135e2c0,0x38a95ce,
+        0x1ab21a0,0x36c1b67,0x32f0f19,0x00e448b },
+      { 0x3cad53c,0x3387800,0x17e3cfb,0x03f9970,0x3225b2c,0x2a84e1d,
+        0x3af1d29,0x3fe35ca,0x2f8ce80,0x0237a02 } },
+    /* 44 */
+    { { 0x07bbb76,0x3aa3648,0x2758afb,0x1f085e0,0x1921c7e,0x3010dac,
+        0x22b74b1,0x230137e,0x1062e36,0x021c652 },
+      { 0x3993df5,0x24a2ee8,0x126ab5f,0x2d7cecf,0x0639d75,0x16d5414,
+        0x1aa78a8,0x3f78404,0x26a5b74,0x03f0c57 } },
+    /* 45 */
+    { { 0x0d6ecfa,0x3f506ba,0x3f86561,0x3d86bb1,0x15f8c44,0x2491d07,
+        0x052a7b4,0x2422261,0x3adee38,0x039b529 },
+      { 0x193c75d,0x14bb451,0x1162605,0x293749c,0x370a70d,0x2e8b1f6,
+        0x2ede937,0x2b95f4a,0x39a9be2,0x00d77eb } },
+    /* 46 */
+    { { 0x2736636,0x15bf36a,0x2b7e6b9,0x25eb8b2,0x209f51d,0x3cd2659,
+        0x10bf410,0x034afec,0x3d71c83,0x0076971 },
+      { 0x0ce6825,0x07920cf,0x3c3b5c4,0x23fe55c,0x015ad11,0x08c0dae,
+        0x0552c7f,0x2e75a8a,0x0fddbf4,0x01c1df0 } },
+    /* 47 */
+    { { 0x2b9661c,0x0ffe351,0x3d71bf6,0x1ac34b3,0x3a1dfd3,0x211fe3d,
+        0x33e140a,0x3f9100d,0x32ee50e,0x014ea18 },
+      { 0x16d8051,0x1bfda1a,0x068a097,0x2571d3d,0x1daec0c,0x39389af,
+        0x194dc35,0x3f3058a,0x36d34e1,0x000a329 } },
+    /* 48 */
+    { { 0x09877ee,0x351f73f,0x0002d11,0x0420074,0x2c8b362,0x130982d,
+        0x02c1175,0x3c11b40,0x0d86962,0x001305f },
+      { 0x0daddf5,0x2f4252c,0x15c06d9,0x1d49339,0x1bea235,0x0b680ed,
+        0x3356e67,0x1d1d198,0x1e9fed9,0x03dee93 } },
+    /* 49 */
+    { { 0x3e1263f,0x2fe8d3a,0x3ce6d0d,0x0d5c6b9,0x3557637,0x0a9bd48,
+        0x0405538,0x0710749,0x2005213,0x038c7e5 },
+      { 0x26b6ec6,0x2e485ba,0x3c44d1b,0x0b9cf0b,0x037a1d1,0x27428a5,
+        0x0e7eac8,0x351ef04,0x259ce34,0x02a8e98 } },
+    /* 50 */
+    { { 0x2f3dcd3,0x3e77d4d,0x3360fbc,0x1434afd,0x36ceded,0x3d413d6,
+        0x1710fad,0x36bb924,0x1627e79,0x008e637 },
+      { 0x109569e,0x1c168db,0x3769cf4,0x2ed4527,0x0ea0619,0x17d80d3,
+        0x1c03773,0x18843fe,0x1b21c04,0x015c5fd } },
+    /* 51 */
+    { { 0x1dd895e,0x08a7248,0x04519fe,0x001030a,0x18e5185,0x358dfb3,
+        0x13d2391,0x0a37be8,0x0560e3c,0x019828b },
+      { 0x27fcbd0,0x2a22bb5,0x30969cc,0x1e03aa7,0x1c84724,0x0ba4ad3,
+        0x32f4817,0x0914cca,0x14c4f52,0x01893b9 } },
+    /* 52 */
+    { { 0x097eccc,0x1273936,0x00aa095,0x364fe62,0x04d49d1,0x10e9f08,
+        0x3c24230,0x3ef01c8,0x2fb92bd,0x013ce4a },
+      { 0x1e44fd9,0x27e3e9f,0x2156696,0x3915ecc,0x0b66cfb,0x1a3af0f,
+        0x2fa8033,0x0e6736c,0x177ccdb,0x0228f9e } },
+    /* 53 */
+    { { 0x2c4b125,0x06207c1,0x0a8cdde,0x003db8f,0x1ae34e3,0x31e84fa,
+        0x2999de5,0x11013bd,0x02370c2,0x00e2234 },
+      { 0x0f91081,0x200d591,0x1504762,0x1857c05,0x23d9fcf,0x0cb34db,
+        0x27edc86,0x08cd860,0x2471810,0x029798b } },
+    /* 54 */
+    { { 0x3acd6c8,0x097b8cb,0x3c661a8,0x15152f2,0x1699c63,0x237e64c,
+        0x23edf79,0x16b7033,0x0e6466a,0x00b11da },
+      { 0x0a64bc9,0x1bfe324,0x1f5cb34,0x08391de,0x0630a60,0x3017a21,
+        0x09d064b,0x14a8365,0x041f9e6,0x01ed799 } },
+    /* 55 */
+    { { 0x128444a,0x2508b07,0x2a39216,0x362f84d,0x2e996c5,0x2c31ff3,
+        0x07afe5f,0x1d1288e,0x3cb0c8d,0x02e2bdc },
+      { 0x38b86fd,0x3a0ea8c,0x1cff5fd,0x1629629,0x3fee3f1,0x02b250c,
+        0x2e8f6f2,0x0225727,0x15f7f3f,0x0280d8e } },
+    /* 56 */
+    { { 0x10f7770,0x0f1aee8,0x0e248c7,0x20684a8,0x3a6f16d,0x06f0ae7,
+        0x0df6825,0x2d4cc40,0x301875f,0x012f8da },
+      { 0x3b56dbb,0x1821ba7,0x24f8922,0x22c1f9e,0x0306fef,0x1b54bc8,
+        0x2ccc056,0x00303ba,0x2871bdc,0x0232f26 } },
+    /* 57 */
+    { { 0x0dac4ab,0x0625730,0x3112e13,0x101c4bf,0x3a874a4,0x2873b95,
+        0x32ae7c6,0x0d7e18c,0x13e0c08,0x01139d5 },
+      { 0x334002d,0x00fffdd,0x025c6d5,0x22c2cd1,0x19d35cb,0x3a1ce2d,
+        0x3702760,0x3f06257,0x03a5eb8,0x011c29a } },
+    /* 58 */
+    { { 0x0513482,0x1d87724,0x276a81b,0x0a807a4,0x3028720,0x339cc20,
+        0x2441ee0,0x31bbf36,0x290c63d,0x0059041 },
+      { 0x106a2ed,0x0d2819b,0x100bf50,0x114626c,0x1dd4d77,0x2e08632,
+        0x14ae72a,0x2ed3f64,0x1fd7abc,0x035cd1e } },
+    /* 59 */
+    { { 0x2d4c6e5,0x3bec596,0x104d7ed,0x23d6c1b,0x0262cf0,0x15d72c5,
+        0x2d5bb18,0x199ac4b,0x1e30771,0x020591a },
+      { 0x21e291e,0x2e75e55,0x1661d7a,0x08b0778,0x3eb9daf,0x0d78144,
+        0x1827eb1,0x0fe73d2,0x123f0dd,0x0028db7 } },
+    /* 60 */
+    { { 0x1d5533c,0x34cb1d0,0x228f098,0x27a1a11,0x17c5f5a,0x0d26f44,
+        0x2228ade,0x2c460e6,0x3d6fdba,0x038cc77 },
+      { 0x3cc6ed8,0x02ada1a,0x260e510,0x2f7bde8,0x37160c3,0x33a1435,
+        0x23d9a7b,0x0ce2641,0x02a492e,0x034ed1e } },
+    /* 61 */
+    { { 0x3821f90,0x26dba3c,0x3aada14,0x3b59bad,0x292edd9,0x2804c45,
+        0x3669531,0x296f42e,0x35a4c86,0x01ca049 },
+      { 0x3ff47e5,0x2163df4,0x2441503,0x2f18405,0x15e1616,0x37f66ec,
+        0x30f11a7,0x141658a,0x27ece14,0x00b018b } },
+    /* 62 */
+    { { 0x159ac2e,0x3e65bc0,0x2713a76,0x0db2f6c,0x3281e77,0x2391811,
+        0x16d2880,0x1fbc4ab,0x1f92c4e,0x00a0a8d },
+      { 0x0ce5cd2,0x152c7b0,0x02299c3,0x3244de7,0x2cf99ef,0x3a0b047,
+        0x2caf383,0x0aaf664,0x113554d,0x031c735 } },
+    /* 63 */
+    { { 0x1b578f4,0x177a702,0x3a7a488,0x1638ebf,0x31884e2,0x2460bc7,
+        0x36b1b75,0x3ce8e3d,0x340cf47,0x03143d9 },
+      { 0x34b68ea,0x12b7ccd,0x1fe2a9c,0x08da659,0x0a406f3,0x1694c14,
+        0x06a2228,0x16370be,0x3a72129,0x02e7b2c } },
+    /* 64 */
+    { { 0x0f8b16a,0x21043bd,0x266a56f,0x3fb11ec,0x197241a,0x36721f0,
+        0x006b8e6,0x2ac6c29,0x202cd42,0x0200fcf },
+      { 0x0dbec69,0x0c26a01,0x105f7f0,0x3dceeeb,0x3a83b85,0x363865f,
+        0x097273a,0x2b70718,0x00e5067,0x03025d1 } },
+    /* 65 */
+    { { 0x379ab34,0x295bcb0,0x38d1846,0x22e1077,0x3a8ee06,0x1db1a3b,
+        0x3144591,0x07cc080,0x2d5915f,0x03c6bcc },
+      { 0x175bd50,0x0dd4c57,0x27bc99c,0x2ebdcbd,0x3837cff,0x235dc8f,
+        0x13a4184,0x0722c18,0x130e2d4,0x008f43c } },
+    /* 66 */
+    { { 0x01500d9,0x2adbb7d,0x2da8857,0x397f2fa,0x10d890a,0x25c9654,
+        0x3e86488,0x3eb754b,0x1d6c0a3,0x02c0a23 },
+      { 0x10bcb08,0x083cc19,0x2e16853,0x04da575,0x271af63,0x2626a9d,
+        0x3520a7b,0x32348c7,0x24ff408,0x03ff4dc } },
+    /* 67 */
+    { { 0x058e6cb,0x1a3992d,0x1d28539,0x080c5e9,0x2992dad,0x2a9d7d5,
+        0x14ae0b7,0x09b7ce0,0x34ad78c,0x03d5643 },
+      { 0x30ba55a,0x092f4f3,0x0bae0fc,0x12831de,0x20fc472,0x20ed9d2,
+        0x29864f6,0x1288073,0x254f6f7,0x00635b6 } },
+    /* 68 */
+    { { 0x1be5a2b,0x0f88975,0x33c6ed9,0x20d64d3,0x06fe799,0x0989bff,
+        0x1409262,0x085a90c,0x0d97990,0x0142eed },
+      { 0x17ec63e,0x06471b9,0x0db2378,0x1006077,0x265422c,0x08db83d,
+        0x28099b0,0x1270d06,0x11801fe,0x00ac400 } },
+    /* 69 */
+    { { 0x3391593,0x22d7166,0x30fcfc6,0x2896609,0x3c385f5,0x066b72e,
+        0x04f3aad,0x2b831c5,0x19983fb,0x0375562 },
+      { 0x0b82ff4,0x222e39d,0x34c993b,0x101c79c,0x2d2e03c,0x0f00c8a,
+        0x3a9eaf4,0x1810669,0x151149d,0x039b931 } },
+    /* 70 */
+    { { 0x29af288,0x1956ec7,0x293155f,0x193deb6,0x1647e1a,0x2ca0839,
+        0x297e4bc,0x15bfd0d,0x1b107ed,0x0147803 },
+      { 0x31c327e,0x05a6e1d,0x02ad43d,0x02d2a5b,0x129cdb2,0x37ad1de,
+        0x3d51f53,0x245df01,0x2414982,0x0388bd0 } },
+    /* 71 */
+    { { 0x35f1abb,0x17a3d18,0x0874cd4,0x2d5a14e,0x17edc0c,0x16a00d3,
+        0x072c1fb,0x1232725,0x33d52dc,0x03dc24d },
+      { 0x0af30d6,0x259aeea,0x369c401,0x12bc4de,0x295bf5f,0x0d8711f,
+        0x26162a9,0x16c44e5,0x288e727,0x02f54b4 } },
+    /* 72 */
+    { { 0x05fa877,0x1571ea7,0x3d48ab1,0x1c9f4e8,0x017dad6,0x0f46276,
+        0x343f9e7,0x1de990f,0x0e4c8aa,0x028343e },
+      { 0x094f92d,0x3abf633,0x1b3a0bb,0x2f83137,0x0d818c8,0x20bae85,
+        0x0c65f8b,0x1a8008b,0x0c7946d,0x0295b1e } },
+    /* 73 */
+    { { 0x1d09529,0x08e46c3,0x1fcf296,0x298f6b7,0x1803e0e,0x2d6fd20,
+        0x37351f5,0x0d9e8b1,0x1f8731a,0x0362fbf },
+      { 0x00157f4,0x06750bf,0x2650ab9,0x35ffb23,0x2f51cae,0x0b522c2,
+        0x39cb400,0x191e337,0x0a5ce9f,0x021529a } },
+    /* 74 */
+    { { 0x3506ea5,0x17d9ed8,0x0d66dc3,0x22693f8,0x19286c4,0x3a57353,
+        0x101d3bf,0x1aa54fc,0x20b9884,0x0172b3a },
+      { 0x0eac44d,0x37d8327,0x1c3aa90,0x3d0d534,0x23db29a,0x3576eaf,
+        0x1d3de8a,0x3bea423,0x11235e4,0x039260b } },
+    /* 75 */
+    { { 0x34cd55e,0x01288b0,0x1132231,0x2cc9a03,0x358695b,0x3e87650,
+        0x345afa1,0x01267ec,0x3f616b2,0x02011ad },
+      { 0x0e7d098,0x0d6078e,0x0b70b53,0x237d1bc,0x0d7f61e,0x132de31,
+        0x1ea9ea4,0x2bd54c3,0x27b9082,0x03ac5f2 } },
+    /* 76 */
+    { { 0x2a145b9,0x06d661d,0x31ec175,0x03f06f1,0x3a5cf6b,0x249c56e,
+        0x2035653,0x384c74f,0x0bafab5,0x0025ec0 },
+      { 0x25f69e1,0x1b23a55,0x1199aa6,0x16ad6f9,0x077e8f7,0x293f661,
+        0x33ba11d,0x3327980,0x07bafdb,0x03e571d } },
+    /* 77 */
+    { { 0x2bae45e,0x3c074ef,0x2955558,0x3c312f1,0x2a8ebe9,0x2f193f1,
+        0x3705b1d,0x360deba,0x01e566e,0x00d4498 },
+      { 0x21161cd,0x1bc787e,0x2f87933,0x3553197,0x1328ab8,0x093c879,
+        0x17eee27,0x2adad1d,0x1236068,0x003be5c } },
+    /* 78 */
+    { { 0x0ca4226,0x2633dd5,0x2c8e025,0x0e3e190,0x05eede1,0x1a385e4,
+        0x163f744,0x2f25522,0x1333b4f,0x03f05b6 },
+      { 0x3c800ca,0x1becc79,0x2daabe9,0x0c499e2,0x1138063,0x3fcfa2d,
+        0x2244976,0x1e85cf5,0x2f1b95d,0x0053292 } },
+    /* 79 */
+    { { 0x12f81d5,0x1dc6eaf,0x11967a4,0x1a407df,0x31a5f9d,0x2b67241,
+        0x18bef7c,0x08c7762,0x063f59c,0x01015ec },
+      { 0x1c05c0a,0x360bfa2,0x1f85bff,0x1bc7703,0x3e4911c,0x0d685b6,
+        0x2fccaea,0x02c4cef,0x164f133,0x0070ed7 } },
+    /* 80 */
+    { { 0x0ec21fe,0x052ffa0,0x3e825fe,0x1ab0956,0x3f6ce11,0x3d29759,
+        0x3c5a072,0x18ebe62,0x148db7e,0x03eb49c },
+      { 0x1ab05b3,0x02dab0a,0x1ae690c,0x0f13894,0x137a9a8,0x0aab79f,
+        0x3dc875c,0x06a1029,0x1e39f0e,0x01dce1f } },
+    /* 81 */
+    { { 0x16c0dd7,0x3b31269,0x2c741e9,0x3611821,0x2a5cffc,0x1416bb3,
+        0x3a1408f,0x311fa3d,0x1c0bef0,0x02cdee1 },
+      { 0x00e6a8f,0x1adb933,0x0f23359,0x2fdace2,0x2fd6d4b,0x0e73bd3,
+        0x2453fac,0x0a356ae,0x2c8f9f6,0x02704d6 } },
+    /* 82 */
+    { { 0x0e35743,0x28c80a1,0x0def32a,0x2c6168f,0x1320d6a,0x37c6606,
+        0x21b1761,0x2147ee0,0x21fc433,0x015c84d },
+      { 0x1fc9168,0x36cda9c,0x003c1f0,0x1cd7971,0x15f98ba,0x1ef363d,
+        0x0ca87e3,0x046f7d9,0x3c9e6bb,0x0372eb0 } },
+    /* 83 */
+    { { 0x118cbe2,0x3665a11,0x304ef01,0x062727a,0x3d242fc,0x11ffbaf,
+        0x3663c7e,0x1a189c9,0x09e2d62,0x02e3072 },
+      { 0x0e1d569,0x162f772,0x0cd051a,0x322df62,0x3563809,0x047cc7a,
+        0x027fd9f,0x08b509b,0x3da2f94,0x01748ee } },
+    /* 84 */
+    { { 0x1c8f8be,0x31ca525,0x22bf0a1,0x200efcd,0x02961c4,0x3d8f52b,
+        0x018403d,0x3a40279,0x1cb91ec,0x030427e },
+      { 0x0945705,0x0257416,0x05c0c2d,0x25b77ae,0x3b9083d,0x2901126,
+        0x292b8d7,0x07b8611,0x04f2eee,0x026f0cd } },
+    /* 85 */
+    { { 0x2913074,0x2b8d590,0x02b10d5,0x09d2295,0x255491b,0x0c41cca,
+        0x1ca665b,0x133051a,0x1525f1a,0x00a5647 },
+      { 0x04f983f,0x3d6daee,0x04e1e76,0x1067d7e,0x1be7eef,0x02ea862,
+        0x00d4968,0x0ccb048,0x11f18ef,0x018dd95 } },
+    /* 86 */
+    { { 0x22976cc,0x17c5395,0x2c38bda,0x3983bc4,0x222bca3,0x332a614,
+        0x3a30646,0x261eaef,0x1c808e2,0x02f6de7 },
+      { 0x306a772,0x32d7272,0x2dcefd2,0x2abf94d,0x038f475,0x30ad76e,
+        0x23e0227,0x3052b0a,0x001add3,0x023ba18 } },
+    /* 87 */
+    { { 0x0ade873,0x25a6069,0x248ccbe,0x13713ee,0x17ee9aa,0x28152e9,
+        0x2e28995,0x2a92cb3,0x17a6f77,0x024b947 },
+      { 0x190a34d,0x2ebea1c,0x1ed1948,0x16fdaf4,0x0d698f7,0x32bc451,
+        0x0ee6e30,0x2aaab40,0x06f0a56,0x01460be } },
+    /* 88 */
+    { { 0x24cc99c,0x1884b1e,0x1ca1fba,0x1a0f9b6,0x2ff609b,0x2b26316,
+        0x3b27cb5,0x29bc976,0x35d4073,0x024772a },
+      { 0x3575a70,0x1b30f57,0x07fa01b,0x0e5be36,0x20cb361,0x26605cd,
+        0x1d4e8c8,0x13cac59,0x2db9797,0x005e833 } },
+    /* 89 */
+    { { 0x36c8d3a,0x1878a81,0x124b388,0x0e4843e,0x1701aad,0x0ea0d76,
+        0x10eae41,0x37d0653,0x36c7f4c,0x00ba338 },
+      { 0x37a862b,0x1cf6ac0,0x08fa912,0x2dd8393,0x101ba9b,0x0eebcb7,
+        0x2453883,0x1a3cfe5,0x2cb34f6,0x03d3331 } },
+    /* 90 */
+    { { 0x1f79687,0x3d4973c,0x281544e,0x2564bbe,0x17c5954,0x171e34a,
+        0x231741a,0x3cf2784,0x0889a0d,0x02b036d },
+      { 0x301747f,0x3f1c477,0x1f1386b,0x163bc5f,0x1592b93,0x332daed,
+        0x080e4f5,0x1d28b96,0x26194c9,0x0256992 } },
+    /* 91 */
+    { { 0x15a4c93,0x07bf6b0,0x114172c,0x1ce0961,0x140269b,0x1b2c2eb,
+        0x0dfb1c1,0x019ddaa,0x0ba2921,0x008c795 },
+      { 0x2e6d2dc,0x37e45e2,0x2918a70,0x0fce444,0x34d6aa6,0x396dc88,
+        0x27726b5,0x0c787d8,0x032d8a7,0x02ac2f8 } },
+    /* 92 */
+    { { 0x1131f2d,0x2b43a63,0x3101097,0x38cec13,0x0637f09,0x17a69d2,
+        0x086196d,0x299e46b,0x0802cf6,0x03c6f32 },
+      { 0x0daacb4,0x1a4503a,0x100925c,0x15583d9,0x23c4e40,0x1de4de9,
+        0x1cc8fc4,0x2c9c564,0x0695aeb,0x02145a5 } },
+    /* 93 */
+    { { 0x1dcf593,0x17050fc,0x3e3bde3,0x0a6c062,0x178202b,0x2f7674f,
+        0x0dadc29,0x15763a7,0x1d2daad,0x023d9f6 },
+      { 0x081ea5f,0x045959d,0x190c841,0x3a78d31,0x0e7d2dd,0x1414fea,
+        0x1d43f40,0x22d77ff,0x2b9c072,0x03e115c } },
+    /* 94 */
+    { { 0x3af71c9,0x29e9c65,0x25655e1,0x111e9cd,0x3a14494,0x3875418,
+        0x34ae070,0x0b06686,0x310616b,0x03b7b89 },
+      { 0x1734121,0x00d3d44,0x29f0b2f,0x1552897,0x31cac6e,0x1030bb3,
+        0x0148f3a,0x35fd237,0x29b44eb,0x027f49f } },
+    /* 95 */
+    { { 0x2e2cb16,0x1d962bd,0x19b63cc,0x0b3f964,0x3e3eb7d,0x1a35560,
+        0x0c58161,0x3ce1d6a,0x3b6958f,0x029030b },
+      { 0x2dcc158,0x3b1583f,0x30568c9,0x31957c8,0x27ad804,0x28c1f84,
+        0x3967049,0x37b3f64,0x3b87dc6,0x0266f26 } },
+    /* 96 */
+    { { 0x27dafc6,0x2548764,0x0d1984a,0x1a57027,0x252c1fb,0x24d9b77,
+        0x1581a0f,0x1f99276,0x10ba16d,0x026af88 },
+      { 0x0915220,0x2be1292,0x16c6480,0x1a93760,0x2fa7317,0x1a07296,
+        0x1539871,0x112c31f,0x25787f3,0x01e2070 } },
+    /* 97 */
+    { { 0x0bcf3ff,0x266d478,0x34f6933,0x31449fd,0x00d02cb,0x340765a,
+        0x3465a2d,0x225023e,0x319a30e,0x00579b8 },
+      { 0x20e05f4,0x35b834f,0x0404646,0x3710d62,0x3fad7bd,0x13e1434,
+        0x21c7d1c,0x1cb3af9,0x2cf1911,0x003957e } },
+    /* 98 */
+    { { 0x0787564,0x36601be,0x1ce67e9,0x084c7a1,0x21a3317,0x2067a35,
+        0x0158cab,0x195ddac,0x1766fe9,0x035cf42 },
+      { 0x2b7206e,0x20d0947,0x3b42424,0x03f1862,0x0a51929,0x38c2948,
+        0x0bb8595,0x2942d77,0x3748f15,0x0249428 } },
+    /* 99 */
+    { { 0x2577410,0x3c23e2f,0x28c6caf,0x00d41de,0x0fd408a,0x30298e9,
+        0x363289e,0x2302fc7,0x082c1cc,0x01dd050 },
+      { 0x30991cd,0x103e9ba,0x029605a,0x19927f7,0x0c1ca08,0x0c93f50,
+        0x28a3c7b,0x082e4e9,0x34d12eb,0x0232c13 } },
+    /* 100 */
+    { { 0x106171c,0x0b4155a,0x0c3fb1c,0x336c090,0x19073e9,0x2241a10,
+        0x0e6b4fd,0x0ed476e,0x1ef4712,0x039390a },
+      { 0x0ec36f4,0x3754f0e,0x2a270b8,0x007fd2d,0x0f9d2dc,0x1e6a692,
+        0x066e078,0x1954974,0x2ff3c6e,0x00def28 } },
+    /* 101 */
+    { { 0x3562470,0x0b8f1f7,0x0ac94cd,0x28b0259,0x244f272,0x031e4ef,
+        0x2d5df98,0x2c8a9f1,0x2dc3002,0x016644f },
+      { 0x350592a,0x0e6a0d5,0x1e027a1,0x2039e0f,0x399e01d,0x2817593,
+        0x0c0375e,0x3889b3e,0x24ab013,0x010de1b } },
+    /* 102 */
+    { { 0x256b5a6,0x0ac3b67,0x28f9ff3,0x29b67f1,0x30750d9,0x25e11a9,
+        0x15e8455,0x279ebb0,0x298b7e7,0x0218e32 },
+      { 0x2fc24b2,0x2b82582,0x28f22f5,0x2bd36b3,0x305398e,0x3b2e9e3,
+        0x365dd0a,0x29bc0ed,0x36a7b3a,0x007b374 } },
+    /* 103 */
+    { { 0x05ff2f3,0x2b3589b,0x29785d3,0x300a1ce,0x0a2d516,0x0844355,
+        0x14c9fad,0x3ccb6b6,0x385d459,0x0361743 },
+      { 0x0b11da3,0x002e344,0x18c49f7,0x0c29e0c,0x1d2c22c,0x08237b3,
+        0x2988f49,0x0f18955,0x1c3b4ed,0x02813c6 } },
+    /* 104 */
+    { { 0x17f93bd,0x249323b,0x11f6087,0x174e4bd,0x3cb64ac,0x086dc6b,
+        0x2e330a8,0x142c1f2,0x2ea5c09,0x024acbb },
+      { 0x1b6e235,0x3132521,0x00f085a,0x2a4a4db,0x1ab2ca4,0x0142224,
+        0x3aa6b3e,0x09db203,0x2215834,0x007b9e0 } },
+    /* 105 */
+    { { 0x23e79f7,0x28b8039,0x1906a60,0x2cbce67,0x1f590e7,0x181f027,
+        0x21054a6,0x3854240,0x2d857a6,0x03cfcb3 },
+      { 0x10d9b55,0x1443cfc,0x2648200,0x2b36190,0x09d2fcf,0x22f439f,
+        0x231aa7e,0x3884395,0x0543da3,0x003d5a9 } },
+    /* 106 */
+    { { 0x043e0df,0x06ffe84,0x3e6d5b2,0x3327001,0x26c74b6,0x12a145e,
+        0x256ec0d,0x3898c69,0x3411969,0x02f63c5 },
+      { 0x2b7494a,0x2eee1af,0x38388a9,0x1bd17ce,0x21567d4,0x13969e6,
+        0x3a12a7a,0x3e8277d,0x03530cc,0x00b4687 } },
+    /* 107 */
+    { { 0x06508da,0x38e04d4,0x15a7192,0x312875e,0x3336180,0x2a6512c,
+        0x1b59497,0x2e91b37,0x25eb91f,0x02841e9 },
+      { 0x394d639,0x0747143,0x37d7e6d,0x1d62962,0x08b4af3,0x34df287,
+        0x3c5584b,0x26bc869,0x20af87a,0x0060f5d } },
+    /* 108 */
+    { { 0x1de59a4,0x1a5c443,0x2f8729d,0x01c3a2f,0x0f1ad8d,0x3cbaf9e,
+        0x1b49634,0x35d508a,0x39dc269,0x0075105 },
+      { 0x390d30e,0x37033e0,0x110cb32,0x14c37a0,0x20a3b27,0x2f00ce6,
+        0x2f1dc52,0x34988c6,0x0c29606,0x01dc7e7 } },
+    /* 109 */
+    { { 0x1040739,0x24f9de1,0x2939999,0x2e6009a,0x244539d,0x17e3f09,
+        0x00f6f2f,0x1c63b3d,0x2310362,0x019109e },
+      { 0x1428aa8,0x3cb61e1,0x09a84f4,0x0ffafed,0x07b7adc,0x08f406b,
+        0x1b2c6df,0x035b480,0x3496ae9,0x012766d } },
+    /* 110 */
+    { { 0x35d1099,0x2362f10,0x1a08cc7,0x13a3a34,0x12adbcd,0x32da290,
+        0x02e2a02,0x151140b,0x01b3f60,0x0240df6 },
+      { 0x34c7b61,0x2eb09c1,0x172e7cd,0x2ad5eff,0x2fe2031,0x25b54d4,
+        0x0cec965,0x18e7187,0x26a7cc0,0x00230f7 } },
+    /* 111 */
+    { { 0x2d552ab,0x374083d,0x01f120f,0x2601736,0x156baff,0x04d44a4,
+        0x3b7c3e9,0x1acbc1b,0x0424579,0x031a425 },
+      { 0x1231bd1,0x0eba710,0x020517b,0x21d7316,0x21eac6e,0x275a848,
+        0x0837abf,0x0eb0082,0x302cafe,0x00fe8f6 } },
+    /* 112 */
+    { { 0x1058880,0x28f9941,0x03f2d75,0x3bd90e5,0x17da365,0x2ac9249,
+        0x07861cf,0x023fd05,0x1b0fdb8,0x031712f },
+      { 0x272b56b,0x04f8d2c,0x043a735,0x25446e4,0x1c8327e,0x221125a,
+        0x0ce37df,0x2dad7f6,0x39446c2,0x00b55b6 } },
+    /* 113 */
+    { { 0x346ac6b,0x05e0bff,0x2425246,0x0981e8b,0x1d19f79,0x2692378,
+        0x3ea3c40,0x2e90beb,0x19de503,0x003d5af },
+      { 0x05cda49,0x353b44d,0x299d137,0x3f205bc,0x2821158,0x3ad0d00,
+        0x06a54aa,0x2d7c79f,0x39d1173,0x01000ee } },
+    /* 114 */
+    { { 0x0803387,0x3a06268,0x14043b8,0x3d4e72f,0x1ece115,0x0a1dfc8,
+        0x17208dd,0x0be790a,0x122a07f,0x014dd95 },
+      { 0x0a4182d,0x202886a,0x1f79a49,0x1e8c867,0x0a2bbd0,0x28668b5,
+        0x0d0a2e1,0x115259d,0x3586c5d,0x01e815b } },
+    /* 115 */
+    { { 0x18a2a47,0x2c95627,0x2773646,0x1230f7c,0x15b5829,0x2fc354e,
+        0x2c000ea,0x099d547,0x2f17a1a,0x01df520 },
+      { 0x3853948,0x06f6561,0x3feeb8a,0x2f5b3ef,0x3a6f817,0x01a0791,
+        0x2ec0578,0x2c392ad,0x12b2b38,0x0104540 } },
+    /* 116 */
+    { { 0x1e28ced,0x0fc3d1b,0x2c473c7,0x1826c4f,0x21d5da7,0x39718e4,
+        0x38ce9e6,0x0251986,0x172fbea,0x0337c11 },
+      { 0x053c3b0,0x0f162db,0x043c1cb,0x04111ee,0x297fe3c,0x32e5e03,
+        0x2b8ae12,0x0c427ec,0x1da9738,0x03b9c0f } },
+    /* 117 */
+    { { 0x357e43a,0x054503f,0x11b8345,0x34ec6e0,0x2d44660,0x3d0ae61,
+        0x3b5dff8,0x33884ac,0x09da162,0x00a82b6 },
+      { 0x3c277ba,0x129a51a,0x027664e,0x1530507,0x0c788c9,0x2afd89d,
+        0x1aa64cc,0x1196450,0x367ac2b,0x0358b42 } },
+    /* 118 */
+    { { 0x0054ac4,0x1761ecb,0x378839c,0x167c9f7,0x2570058,0x0604a35,
+        0x37cbf3b,0x0909bb7,0x3f2991c,0x02ce688 },
+      { 0x0b16ae5,0x212857c,0x351b952,0x2c684db,0x30c6a05,0x09c01e0,
+        0x23c137f,0x1331475,0x092c067,0x0013b40 } },
+    /* 119 */
+    { { 0x2e90393,0x0617466,0x24e61f4,0x0a528f5,0x03047b4,0x2153f05,
+        0x0001a69,0x30e1eb8,0x3c10177,0x0282a47 },
+      { 0x22c831e,0x28fc06b,0x3e16ff0,0x208adc9,0x0bb76ae,0x28c1d6d,
+        0x12c8a15,0x031063c,0x1889ed2,0x002133e } },
+    /* 120 */
+    { { 0x0a6becf,0x14277bf,0x3328d98,0x201f7fe,0x12fceae,0x1de3a2e,
+        0x0a15c44,0x3ddf976,0x1b273ab,0x0355e55 },
+      { 0x1b5d4f1,0x369e78c,0x3a1c210,0x12cf3e9,0x3aa52f0,0x309f082,
+        0x112089d,0x107c753,0x24202d1,0x023853a } },
+    /* 121 */
+    { { 0x2897042,0x140d17c,0x2c4aeed,0x07d0d00,0x18d0533,0x22f7ec8,
+        0x19c194c,0x3456323,0x2372aa4,0x0165f86 },
+      { 0x30bd68c,0x1fb06b3,0x0945032,0x372ac09,0x06d4be0,0x27f8fa1,
+        0x1c8d7ac,0x137a96e,0x236199b,0x0328fc0 } },
+    /* 122 */
+    { { 0x170bd20,0x2842d58,0x1de7592,0x3c5b4fd,0x20ea897,0x12cab78,
+        0x363ff14,0x01f928c,0x17e309c,0x02f79ff },
+      { 0x0f5432c,0x2edb4ae,0x044b516,0x32f810d,0x2210dc1,0x23e56d6,
+        0x301e6ff,0x34660f6,0x10e0a7d,0x02d88eb } },
+    /* 123 */
+    { { 0x0c7b65b,0x2f59d58,0x2289a75,0x2408e92,0x1ab8c55,0x1ec99e5,
+        0x220fd0d,0x04defe0,0x24658ec,0x035aa8b },
+      { 0x138bb85,0x2f002d4,0x295c10a,0x08760ce,0x28c31d1,0x1c0a8cb,
+        0x0ff00b1,0x144eac9,0x2e02dcc,0x0044598 } },
+    /* 124 */
+    { { 0x3b42b87,0x050057b,0x0dff781,0x1c06db1,0x1bd9f5d,0x1f5f04a,
+        0x2cccd7a,0x143e19b,0x1cb94b7,0x036cfb8 },
+      { 0x34837cf,0x3cf6c3c,0x0d4fb26,0x22ee55e,0x1e7eed1,0x315995f,
+        0x2cdf937,0x1a96574,0x0425220,0x0221a99 } },
+    /* 125 */
+    { { 0x1b569ea,0x0d33ed9,0x19c13c2,0x107dc84,0x2200111,0x0569867,
+        0x2dc85da,0x05ef22e,0x0eb018a,0x029c33d },
+      { 0x04a6a65,0x3e5eba3,0x378f224,0x09c04d0,0x036e5cf,0x3df8258,
+        0x3a609e4,0x1eddef8,0x2abd174,0x02a91dc } },
+    /* 126 */
+    { { 0x2a60cc0,0x1d84c5e,0x115f676,0x1840da0,0x2c79163,0x2f06ed6,
+        0x198bb4b,0x3e5d37b,0x1dc30fa,0x018469b },
+      { 0x15ee47a,0x1e32f30,0x16a530e,0x2093836,0x02e8962,0x3767b62,
+        0x335adf3,0x27220db,0x2f81642,0x0173ffe } },
+    /* 127 */
+    { { 0x37a99cd,0x1533fe6,0x05a1c0d,0x27610f1,0x17bf3b9,0x0b1ce78,
+        0x0a908f6,0x265300e,0x3237dc1,0x01b969a },
+      { 0x3a5db77,0x2d15382,0x0d63ef8,0x1feb3d8,0x0b7b880,0x19820de,
+        0x11c0c67,0x2af3396,0x38d242d,0x0120688 } },
+    /* 128 */
+    { { 0x1d0b34a,0x05ef00d,0x00a7e34,0x1ae0c9f,0x1440b38,0x300d8b4,
+        0x37262da,0x3e50e3e,0x14ce0cd,0x00b1044 },
+      { 0x195a0b1,0x173bc6b,0x03622ba,0x2a19f55,0x1c09b37,0x07921b2,
+        0x16cdd20,0x24a5c9b,0x2bf42ff,0x00811de } },
+    /* 129 */
+    { { 0x0d65dbf,0x145cf06,0x1ad82f7,0x038ce7b,0x077bf94,0x33c4007,
+        0x22d26bd,0x25ad9c0,0x09ac773,0x02b1990 },
+      { 0x2261cc3,0x2ecdbf1,0x3e908b0,0x3246439,0x0213f7b,0x1179b04,
+        0x01cebaa,0x0be1595,0x175cc12,0x033a39a } },
+    /* 130 */
+    { { 0x00a67d2,0x086d06f,0x248a0f1,0x0291134,0x362d476,0x166d1cd,
+        0x044f1d6,0x2d2a038,0x365250b,0x0023f78 },
+      { 0x08bf287,0x3b0f6a1,0x1d6eace,0x20b4cda,0x2c2a621,0x0912520,
+        0x02dfdc9,0x1b35cd6,0x3d2565d,0x00bdf8b } },
+    /* 131 */
+    { { 0x3770fa7,0x2e4b6f0,0x03f9ae4,0x170de41,0x1095e8d,0x1dd845c,
+        0x334e9d1,0x00ab953,0x12e9077,0x03196fa },
+      { 0x2fd0a40,0x228c0fd,0x384b275,0x38ef339,0x3e7d822,0x3e5d9ef,
+        0x24f5854,0x0ece9eb,0x247d119,0x012ffe3 } },
+    /* 132 */
+    { { 0x0ff1480,0x07487c0,0x1b16cd4,0x1f41d53,0x22ab8fb,0x2f83cfa,
+        0x01d2efb,0x259f6b2,0x2e65772,0x00f9392 },
+      { 0x05303e6,0x23cdb4f,0x23977e1,0x12e4898,0x03bd999,0x0c930f0,
+        0x170e261,0x180a27b,0x2fd58ec,0x014e22b } },
+    /* 133 */
+    { { 0x25d7713,0x0c5fad7,0x09daad1,0x3b9d779,0x109b985,0x1d3ec98,
+        0x35bc4fc,0x2f838cb,0x0d14f75,0x0173e42 },
+      { 0x2657b12,0x10d4423,0x19e6760,0x296e5bb,0x2bfd421,0x25c3330,
+        0x29f51f8,0x0338838,0x24060f0,0x029a62e } },
+    /* 134 */
+    { { 0x3748fec,0x2c5a1bb,0x2cf973d,0x289fa74,0x3e6e755,0x38997bf,
+        0x0b6544c,0x2b6358c,0x38a7aeb,0x02c50bb },
+      { 0x3d5770a,0x06be7c5,0x012fad3,0x19cb2cd,0x266af3b,0x3ccd677,
+        0x160d1bd,0x141d5af,0x2965851,0x034625a } },
+    /* 135 */
+    { { 0x3c41c08,0x255eacc,0x22e1ec5,0x2b151a3,0x087de94,0x311cbdb,
+        0x016b73a,0x368e462,0x20b7981,0x0099ec3 },
+      { 0x262b988,0x1539763,0x21e76e5,0x15445b4,0x1d8ddc7,0x34a9be6,
+        0x10faf03,0x24e4d18,0x07aa111,0x02d538a } },
+    /* 136 */
+    { { 0x38a876b,0x048ad45,0x04b40a0,0x3fc2144,0x251ff96,0x13ca7dd,
+        0x0b31ab1,0x3539814,0x28b5f87,0x0212aec },
+      { 0x270790a,0x350e7e0,0x346bd5e,0x276178f,0x22d6cb5,0x3078884,
+        0x355c1b6,0x15901d7,0x3671765,0x03950db } },
+    /* 137 */
+    { { 0x286e8d5,0x2409788,0x13be53f,0x2d21911,0x0353c95,0x10238e8,
+        0x32f5bde,0x3a67b60,0x28b5b9c,0x001013d },
+      { 0x381e8e5,0x0cef7a9,0x2f5bcad,0x06058f0,0x33cdf50,0x04672a8,
+        0x1769600,0x31c055d,0x3df0ac1,0x00e9098 } },
+    /* 138 */
+    { { 0x2eb596d,0x197b326,0x12b4c29,0x39c08f2,0x101ea03,0x3804e58,
+        0x04b4b62,0x28d9d1c,0x13f905e,0x0032a3f },
+      { 0x11b2b61,0x08e9095,0x0d06925,0x270e43f,0x21eb7a8,0x0e4a98f,
+        0x31d2be0,0x030cf9f,0x2644ddb,0x025b728 } },
+    /* 139 */
+    { { 0x07510af,0x2ed0e8e,0x2a01203,0x2a2a68d,0x0846fea,0x3e540de,
+        0x3a57702,0x1677348,0x2123aad,0x010d8f8 },
+      { 0x0246a47,0x0e871d0,0x124dca4,0x34b9577,0x2b362b8,0x363ebe5,
+        0x3086045,0x26313e6,0x15cd8bb,0x0210384 } },
+    /* 140 */
+    { { 0x023e8a7,0x0817884,0x3a0bf12,0x3376371,0x3c808a8,0x18e9777,
+        0x12a2721,0x35b538a,0x2bd30de,0x017835a },
+      { 0x0fc0f64,0x1c8709f,0x2d8807a,0x0743957,0x242eec0,0x347e76c,
+        0x27bef91,0x289689a,0x0f42945,0x01f7a92 } },
+    /* 141 */
+    { { 0x1060a81,0x3dbc739,0x1615abd,0x1cbe3e5,0x3e79f9c,0x1ab09a2,
+        0x136c540,0x05b473f,0x2beebfd,0x02af0a8 },
+      { 0x3e2eac7,0x19be474,0x04668ac,0x18f4b74,0x36f10ba,0x0a0b4c6,
+        0x10e3770,0x3bf059e,0x3946c7e,0x013a8d4 } },
+    /* 142 */
+    { { 0x266309d,0x28be354,0x1a3eed8,0x3020651,0x10a51c6,0x1e31770,
+        0x0af45a5,0x3ff0f3b,0x2891c94,0x00e9db9 },
+      { 0x17b0d0f,0x33a291f,0x0a5f9aa,0x25a3d61,0x2963ace,0x39a5fef,
+        0x230c724,0x1919146,0x10a465e,0x02084a8 } },
+    /* 143 */
+    { { 0x3ab8caa,0x31870f3,0x2390ef7,0x2103850,0x218eb8e,0x3a5ccf2,
+        0x1dff677,0x2c59334,0x371599c,0x02a9f2a },
+      { 0x0837bd1,0x3249cef,0x35d702f,0x3430dab,0x1c06407,0x108f692,
+        0x221292f,0x05f0c5d,0x073fe06,0x01038e0 } },
+    /* 144 */
+    { { 0x3bf9b7c,0x2020929,0x30d0f4f,0x080fef8,0x3365d23,0x1f3e738,
+        0x3e53209,0x1549afe,0x300b305,0x038d811 },
+      { 0x0c6c2c7,0x2e6445b,0x3ee64dc,0x022e932,0x0726837,0x0deb67b,
+        0x1ed4346,0x3857f73,0x277a3de,0x01950b5 } },
+    /* 145 */
+    { { 0x36c377a,0x0adb41e,0x08be3f3,0x11e40d1,0x36cb038,0x036a2bd,
+        0x3dd3a82,0x1bc875b,0x2ee09bb,0x02994d2 },
+      { 0x035facf,0x05e0344,0x07e630a,0x0ce772d,0x335e55a,0x111fce4,
+        0x250fe1c,0x3bc89ba,0x32fdc9a,0x03cf2d9 } },
+    /* 146 */
+    { { 0x355fd83,0x1c67f8e,0x1d10eb3,0x1b21d77,0x0e0d7a4,0x173a9e1,
+        0x2c9fa90,0x1c39cce,0x22eaae8,0x01f2bea },
+      { 0x153b338,0x0534107,0x26c69b8,0x283be1f,0x3e0acc0,0x059cac3,
+        0x13d1081,0x148bbee,0x3c1b9bd,0x002aac4 } },
+    /* 147 */
+    { { 0x2681297,0x3389e34,0x146addc,0x2c6d425,0x2cb350e,0x1986abc,
+        0x0431737,0x04ba4b7,0x2028470,0x012e469 },
+      { 0x2f8ddcf,0x3c4255c,0x1af4dcf,0x07a6a44,0x208ebf6,0x0dc90c3,
+        0x34360ac,0x072ad23,0x0537232,0x01254d3 } },
+    /* 148 */
+    { { 0x07b7e9d,0x3df5c7c,0x116f83d,0x28c4f35,0x3a478ef,0x3011fb8,
+        0x2f264b6,0x317b9e3,0x04fd65a,0x032bd1b },
+      { 0x2aa8266,0x3431de4,0x04bba04,0x19a44da,0x0edf454,0x392c5ac,
+        0x265168a,0x1dc3d5b,0x25704c6,0x00533a7 } },
+    /* 149 */
+    { { 0x25e8f91,0x1178fa5,0x2492994,0x2eb2c3c,0x0d3aca1,0x0322828,
+        0x1cc70f9,0x269c74c,0x0a53e4c,0x006edc2 },
+      { 0x18bdd7a,0x2a79a55,0x26b1d5c,0x0200628,0x0734a05,0x3273c7b,
+        0x13aa714,0x0040ac2,0x2f2da30,0x03e7449 } },
+    /* 150 */
+    { { 0x3f9563e,0x2f29eab,0x14a0749,0x3fad264,0x1dd077a,0x3d7c59c,
+        0x3a0311b,0x331a789,0x0b9729e,0x0201ebf },
+      { 0x1b08b77,0x2a4cdf2,0x3e387f8,0x21510f1,0x286c3a7,0x1dbf62e,
+        0x3afa594,0x3363217,0x0d16568,0x01d46b7 } },
+    /* 151 */
+    { { 0x0715c0d,0x28e2d04,0x17f78ae,0x1c63dda,0x1d113ea,0x0fefc1b,
+        0x1eab149,0x1d0fd99,0x0682537,0x00a7b11 },
+      { 0x10bebbc,0x11c672d,0x14223d9,0x2ff9141,0x1399ee5,0x34b7b6c,
+        0x0d5b3a8,0x01df643,0x0e392a4,0x03fe4dc } },
+    /* 152 */
+    { { 0x2b75b65,0x0b5a6f1,0x11c559a,0x3549999,0x24188f8,0x37a75f4,
+        0x29f33e3,0x34068a2,0x38ba2a9,0x025dd91 },
+      { 0x29af2c7,0x0988b64,0x0923885,0x1b539a4,0x1334f5d,0x226947a,
+        0x2cc7e5a,0x20beb39,0x13fac2f,0x01d298c } },
+    /* 153 */
+    { { 0x35f079c,0x137f76d,0x2fbbb2f,0x254638d,0x185b07c,0x1f34db7,
+        0x2cfcf0e,0x218f46d,0x2150ff4,0x02add6f },
+      { 0x33fc9b7,0x0d9f005,0x0fd081b,0x0834965,0x2b90a74,0x102448d,
+        0x3dbf03c,0x167d857,0x02e0b44,0x013afab } },
+    /* 154 */
+    { { 0x09f2c53,0x317f9d7,0x1411eb6,0x0463aba,0x0d25220,0x256b176,
+        0x087633f,0x2bff322,0x07b2c1b,0x037e662 },
+      { 0x10aaecb,0x23bb4a1,0x2272bb7,0x06c075a,0x09d4918,0x0736f2b,
+        0x0dd511b,0x101625e,0x0a7779f,0x009ec10 } },
+    /* 155 */
+    { { 0x33b2eb2,0x0176dfd,0x2118904,0x022386c,0x2e0df85,0x2588c9f,
+        0x1b71525,0x28fd540,0x137e4cf,0x02ce4f7 },
+      { 0x3d75165,0x0c39ecf,0x3554a12,0x30af34c,0x2d66344,0x3ded408,
+        0x36f1be0,0x0d065b0,0x012d046,0x0025623 } },
+    /* 156 */
+    { { 0x2601c3b,0x1824fc0,0x335fe08,0x3e33d70,0x0fb0252,0x252bfca,
+        0x1cf2808,0x1922e55,0x1a9db9f,0x020721e },
+      { 0x2f56c51,0x39a1f31,0x218c040,0x1a4fc5d,0x3fed471,0x0164d4e,
+        0x388a419,0x06f1113,0x0f55fc1,0x03e8352 } },
+    /* 157 */
+    { { 0x1608e4d,0x3872778,0x022cbc6,0x044d60a,0x3010dda,0x15fb0b5,
+        0x37ddc11,0x19f5bda,0x156b6a3,0x023a838 },
+      { 0x383b3b4,0x1380bc8,0x353ca35,0x250fc07,0x169966b,0x3780f29,
+        0x36632b2,0x2d6b13f,0x124fa00,0x00fd6ae } },
+    /* 158 */
+    { { 0x1739efb,0x2ec3656,0x2c0d337,0x3d39faf,0x1c751b0,0x04699f4,
+        0x252dd64,0x095b8b6,0x0872b74,0x022f1da },
+      { 0x2d3d253,0x38edca0,0x379fa5b,0x287d635,0x3a9f679,0x059d9ee,
+        0x0ac168e,0x3cd3e87,0x19060fc,0x02ce1bc } },
+    /* 159 */
+    { { 0x3edcfc2,0x0f04d4b,0x2f0d31f,0x1898be2,0x25396bf,0x15ca230,
+        0x02b4eae,0x2713668,0x0f71b06,0x0132d18 },
+      { 0x38095ea,0x1ed34d6,0x3603ae6,0x165bf01,0x192bbf8,0x1852859,
+        0x075f66b,0x1488f85,0x10895ef,0x014b035 } },
+    /* 160 */
+    { { 0x1339848,0x3084385,0x0c8d231,0x3a1c1de,0x0e87a28,0x255b85c,
+        0x1de6616,0x2702e74,0x1382bb0,0x012b0f2 },
+      { 0x198987d,0x381545a,0x34d619b,0x312b827,0x18b2376,0x28fe4cf,
+        0x20b7651,0x017d077,0x0c7e397,0x00e0365 } },
+    /* 161 */
+    { { 0x1542e75,0x0d56aa0,0x39b701a,0x287b806,0x396c724,0x0935c21,
+        0x3a29776,0x0debdac,0x171de26,0x00b38f8 },
+      { 0x1d5bc1a,0x3fad27d,0x22b5cfe,0x1f89ddf,0x0a65560,0x144dd5b,
+        0x2aac2f9,0x139353f,0x0520b62,0x00b9b36 } },
+    /* 162 */
+    { { 0x031c31d,0x16552e3,0x1a0c368,0x0016fc8,0x168533d,0x171e7b2,
+        0x17626e7,0x275502f,0x14742c6,0x03285dd },
+      { 0x2d2dbb2,0x3b6bffd,0x1d18cc6,0x2f45d2a,0x0fd0d8c,0x2915e3a,
+        0x1e8793a,0x0b39a1d,0x3139cab,0x02a5da9 } },
+    /* 163 */
+    { { 0x3fb353d,0x147c6e4,0x3a720a6,0x22d5ff3,0x1d75cab,0x06c54a0,
+        0x08cfa73,0x12666aa,0x3170a1f,0x021c829 },
+      { 0x13e1b90,0x3a34dda,0x1fc38c3,0x02c5bdb,0x2d345dc,0x14aa1d0,
+        0x28d00ab,0x224f23a,0x329c769,0x025c67b } },
+    /* 164 */
+    { { 0x0e35909,0x3bb6356,0x0116820,0x370cf77,0x29366d8,0x3881409,
+        0x3999d06,0x013075f,0x176e157,0x02941ca },
+      { 0x0e70b2e,0x28dfab1,0x2a8a002,0x15da242,0x084dcf6,0x116ca97,
+        0x31bf186,0x1dc9735,0x09df7b7,0x0264e27 } },
+    /* 165 */
+    { { 0x2da7a4b,0x3023c9e,0x1366238,0x00ff4e2,0x03abe9d,0x19bd44b,
+        0x272e897,0x20b91ad,0x2aa202c,0x02a2201 },
+      { 0x380184e,0x08112b4,0x0b85660,0x31049aa,0x3a8cb78,0x36113c5,
+        0x1670c0a,0x373f9e7,0x3fb4738,0x00010ef } },
+    /* 166 */
+    { { 0x2d5192e,0x26d770d,0x32af8d5,0x34d1642,0x1acf885,0x05805e0,
+        0x166d0a1,0x1219a0d,0x301ba6c,0x014bcfb },
+      { 0x2dcb64d,0x19cca83,0x379f398,0x08e01a0,0x10a482c,0x0103cc2,
+        0x0be5fa7,0x1f9d45b,0x1899ef2,0x00ca5af } },
+    /* 167 */
+    { { 0x14d81d7,0x2aea251,0x1b3c476,0x3bd47ae,0x29eade7,0x0715e61,
+        0x1a21cd8,0x1c7a586,0x2bfaee5,0x00ee43f },
+      { 0x096f7cb,0x0c08f95,0x1bc4939,0x361fed4,0x255be41,0x26fad73,
+        0x31dd489,0x02c600f,0x29d9f81,0x01ba201 } },
+    /* 168 */
+    { { 0x03ea1db,0x1eac46d,0x1292ce3,0x2a54967,0x20a7ff1,0x3e13c61,
+        0x1b02218,0x2b44e14,0x3eadefa,0x029c88a },
+      { 0x30a9144,0x31e3b0a,0x19c5a2a,0x147cbe9,0x05a0240,0x051f38e,
+        0x11eca56,0x31a4247,0x123bc2a,0x02fa535 } },
+    /* 169 */
+    { { 0x3226ce7,0x1251782,0x0b7072f,0x11e59fa,0x2b8afd7,0x169b18f,
+        0x2a46f18,0x31d9bb7,0x2fe9be8,0x01de0b7 },
+      { 0x1b38626,0x34aa90f,0x3ad1760,0x21ddbd9,0x3460ae7,0x1126736,
+        0x1b86fc5,0x0b92cd0,0x167a289,0x000e0e1 } },
+    /* 170 */
+    { { 0x1ec1a0f,0x36bbf5e,0x1c972d8,0x3f73ace,0x13bbcd6,0x23d86a5,
+        0x175ffc5,0x2d083d5,0x2c4adf7,0x036f661 },
+      { 0x1f39eb7,0x2a20505,0x176c81a,0x3d6e636,0x16ee2fc,0x3cbdc5f,
+        0x25475dc,0x2ef4151,0x3c46860,0x0238934 } },
+    /* 171 */
+    { { 0x2587390,0x3639526,0x0588749,0x13c32fb,0x212bb19,0x09660f1,
+        0x207da4b,0x2bf211b,0x1c4407b,0x01506a6 },
+      { 0x24c8842,0x105a498,0x05ffdb2,0x0ab61b0,0x26044c1,0x3dff3d8,
+        0x1d14b44,0x0d74716,0x049f57d,0x030024b } },
+    /* 172 */
+    { { 0x32e61ef,0x31d70f7,0x35cad3c,0x320b86c,0x07e8841,0x027ca7d,
+        0x2d30d19,0x2513718,0x2347286,0x01d7901 },
+      { 0x3c237d0,0x107f16e,0x01c9e7d,0x3c3b13c,0x0c9537b,0x20af54d,
+        0x051a162,0x2161a47,0x258c784,0x016df2d } },
+    /* 173 */
+    { { 0x228ead1,0x29c2122,0x07f6964,0x023f4ed,0x1802dc5,0x19f96ce,
+        0x24bfd17,0x25e866b,0x2ba8df0,0x01eb84f },
+      { 0x2dd384e,0x05bbe3a,0x3f06fd2,0x366dacb,0x30361a2,0x2f36d7c,
+        0x0b98784,0x38ff481,0x074e2a8,0x01e1f60 } },
+    /* 174 */
+    { { 0x17fbb1c,0x0975add,0x1debc5e,0x2cb2880,0x3e47bdd,0x3488cff,
+        0x15e9a36,0x2121129,0x0199ef2,0x017088a },
+      { 0x0315250,0x352a162,0x17c1773,0x0ae09c2,0x321b21a,0x3bd74cf,
+        0x3c4ea1d,0x3cac2ad,0x3abbaf0,0x039174d } },
+    /* 175 */
+    { { 0x0511c8a,0x3c78d0a,0x2cd3d2d,0x322f729,0x3ebb229,0x09f0e69,
+        0x0a71a76,0x2e74d5e,0x12284df,0x03b5ef0 },
+      { 0x3dea561,0x0a9b7e4,0x0ed1cf2,0x237523c,0x05443f1,0x2eb48fa,
+        0x3861405,0x1b49f62,0x0c945ca,0x02ab25f } },
+    /* 176 */
+    { { 0x16bd00a,0x13a9d28,0x3cc1eb5,0x2b7d702,0x2d839e9,0x3e6ff01,
+        0x2bb7f11,0x3713824,0x3b31163,0x00c63e5 },
+      { 0x30d7138,0x0316fb0,0x0220ecc,0x08eaf0c,0x244e8df,0x0088d81,
+        0x37972fb,0x3fd34ae,0x2a19a84,0x03e907e } },
+    /* 177 */
+    { { 0x2642269,0x0b65d29,0x03bd440,0x33a6ede,0x3c81814,0x2507982,
+        0x0d38e47,0x3a788e6,0x32c1d26,0x00e2eda },
+      { 0x2577f87,0x392895a,0x3e1cc64,0x14f7047,0x08b52d2,0x08a01ca,
+        0x336abf6,0x00697fc,0x105ce76,0x0253742 } },
+    /* 178 */
+    { { 0x293f92a,0x33df737,0x3315156,0x32e26d7,0x0a01333,0x26579d4,
+        0x004df9c,0x0aba409,0x067d25c,0x02481de },
+      { 0x3f39d44,0x1c78042,0x13d7e24,0x0825aed,0x35f2c90,0x3270f63,
+        0x04b7b35,0x3ad4531,0x28bd29b,0x0207a10 } },
+    /* 179 */
+    { { 0x077199f,0x270aeb1,0x0dd96dd,0x3b9ad7b,0x28cb8ee,0x3903f43,
+        0x37db3fe,0x292c62b,0x362dbbf,0x006e52a },
+      { 0x247f143,0x0362cf3,0x216344f,0x3f18fd1,0x351e623,0x31664e0,
+        0x0f270fc,0x243bbc6,0x2280555,0x001a8e3 } },
+    /* 180 */
+    { { 0x3355b49,0x2c04e6c,0x399b2e5,0x182d3af,0x020e265,0x09a7cf7,
+        0x0ffa6bd,0x353e302,0x02083d9,0x029ecdb },
+      { 0x33e8830,0x0570e86,0x1c0b64d,0x386a27e,0x0d5fcea,0x0b45a4c,
+        0x2ee4a2e,0x0a8833f,0x2b4a282,0x02f9531 } },
+    /* 181 */
+    { { 0x191167c,0x36cf7e3,0x225ed6c,0x1e79e99,0x0517c3f,0x11ab1fd,
+        0x05648f3,0x08aedc4,0x1abeae0,0x02fcc29 },
+      { 0x3828a68,0x1e16fa4,0x30368e7,0x0c9fcfb,0x25161c3,0x24851ac,
+        0x1b5feb5,0x344eb84,0x0de2732,0x0347208 } },
+    /* 182 */
+    { { 0x038b363,0x384d1e4,0x2519043,0x151ac17,0x158c11f,0x009b2b4,
+        0x257abe6,0x2368d3f,0x3ed68a1,0x02df45e },
+      { 0x29c2559,0x2962478,0x3d8444c,0x1d96fff,0x04f7a03,0x1391a52,
+        0x0de4af7,0x3319126,0x15e6412,0x00e65ff } },
+    /* 183 */
+    { { 0x3d61507,0x1d1a0a2,0x0d2af20,0x354d299,0x329e132,0x2a28578,
+        0x2ddfb08,0x04fa3ff,0x1293c6c,0x003bae2 },
+      { 0x3e259f8,0x1a68fa9,0x3e67e9b,0x39b44f9,0x1ce1db7,0x347e9a1,
+        0x3318f6a,0x2dbbc9d,0x2f8c922,0x008a245 } },
+    /* 184 */
+    { { 0x212ab5b,0x2b896c2,0x0136959,0x07e55ef,0x0cc1117,0x05b8ac3,
+        0x18429ed,0x025fa01,0x11d6e93,0x03b016b },
+      { 0x03f3708,0x2e96fab,0x1d77157,0x0d4c2d6,0x131baf9,0x0608d39,
+        0x3552371,0x06cdd1e,0x1567ff1,0x01f4c50 } },
+    /* 185 */
+    { { 0x2dfefab,0x270173d,0x37077bd,0x1a372cd,0x1be2f22,0x28e2ee5,
+        0x3ead973,0x35e8f94,0x2fc9bc1,0x03a7399 },
+      { 0x36a02a1,0x2855d9b,0x00ed75a,0x37d8398,0x138c087,0x233706e,
+        0x147f346,0x01947e2,0x3017228,0x0365942 } },
+    /* 186 */
+    { { 0x2057e60,0x2d31296,0x25e4504,0x2fa37bc,0x1cbccc3,0x1f0732f,
+        0x3532081,0x2de8a98,0x19a804e,0x005359a },
+      { 0x31f411a,0x2a10576,0x369c2c8,0x02fe035,0x109fbaf,0x30bddeb,
+        0x1eef901,0x1662ad3,0x0410d43,0x01bd31a } },
+    /* 187 */
+    { { 0x2c24a96,0x1b7d3a5,0x19a3872,0x217f2f6,0x2534dbc,0x2cab8c2,
+        0x066ef28,0x26aecf1,0x0fd6118,0x01310d4 },
+      { 0x055b8da,0x1fdc5be,0x38a1296,0x25118f0,0x341a423,0x2ba4cd0,
+        0x3e1413e,0x062d70d,0x2425a31,0x029c9b4 } },
+    /* 188 */
+    { { 0x08c1086,0x1acfba5,0x22e1dae,0x0f72f4e,0x3f1de50,0x0f408bc,
+        0x35ed3f0,0x3ce48fc,0x282cc6c,0x004d8e7 },
+      { 0x1afaa86,0x24e3ef3,0x22589ac,0x3ec9952,0x1f45bc5,0x14144ca,
+        0x23b26e4,0x0d68c65,0x1e1c1a3,0x032a4d9 } },
+    /* 189 */
+    { { 0x03b2d20,0x16b1d53,0x241b361,0x05e4138,0x1742a54,0x32741c7,
+        0x0521c4c,0x1ca96c2,0x034970b,0x02738a7 },
+      { 0x13e0ad6,0x207dcdb,0x034c8cc,0x27bcbe1,0x18060da,0x33a18b6,
+        0x2d1d1a6,0x2be60d7,0x3d7ab42,0x012312a } },
+    /* 190 */
+    { { 0x0c7485a,0x06c3310,0x0dbfd22,0x2ef949d,0x0ead455,0x098f4ba,
+        0x3c76989,0x0cf2d24,0x032f67b,0x01e005f },
+      { 0x30cb5ee,0x0d5da64,0x0ed2b9d,0x2503102,0x1c0d14e,0x1cbc693,
+        0x37bf552,0x07013e2,0x054de5c,0x014f341 } },
+    /* 191 */
+    { { 0x128ccac,0x1617e97,0x346ebcd,0x158016d,0x25f823e,0x34048ea,
+        0x39f0a1c,0x3ea3df1,0x1c1d3d7,0x03ba919 },
+      { 0x151803b,0x01967c1,0x2f70781,0x27df39a,0x06c0b59,0x24a239c,
+        0x15a7702,0x2464d06,0x2a47ae6,0x006db90 } },
+    /* 192 */
+    { { 0x27d04c3,0x024df3d,0x38112e8,0x38a27ba,0x01e312b,0x0965358,
+        0x35d8879,0x2f4f55a,0x214187f,0x0008936 },
+      { 0x05fe36f,0x2ee18c3,0x1f5f87a,0x1813bd4,0x0580f3c,0x0ed0a7b,
+        0x0fb1bfb,0x3fcce59,0x2f042bf,0x01820e3 } },
+    /* 193 */
+    { { 0x20bbe99,0x32cbc9f,0x39ee432,0x3cc12a8,0x37bda44,0x3ea4e40,
+        0x097c7a9,0x0590d7d,0x2022d33,0x018dbac },
+      { 0x3ae00aa,0x3439864,0x2d2ffcf,0x3f8c6b9,0x0875a00,0x3e4e407,
+        0x3658a29,0x22eb3d0,0x2b63921,0x022113b } },
+    /* 194 */
+    { { 0x33bae58,0x05c749a,0x1f3e114,0x1c45f8e,0x27db3df,0x06a3ab6,
+        0x37bc7f8,0x1e27b34,0x3dc51fb,0x009eea0 },
+      { 0x3f54de5,0x3d0e7fe,0x1a71a7d,0x02ed7f8,0x0727703,0x2ca5e92,
+        0x2e8e35d,0x292ad0b,0x13487f3,0x02b6d8b } },
+    /* 195 */
+    { { 0x175df2a,0x05a28a8,0x32e99b1,0x13d8630,0x2082aa0,0x11ac245,
+        0x24f2e71,0x322cb27,0x17675e7,0x02e643f },
+      { 0x1f37313,0x2765ad3,0x0789082,0x1e742d0,0x11c2055,0x2021dc4,
+        0x09ae4a7,0x346359b,0x2f94d10,0x0205c1f } },
+    /* 196 */
+    { { 0x3d6ff96,0x1f2ac80,0x336097d,0x3f03610,0x35b851b,0x010b6d2,
+        0x0823c4d,0x2a9709a,0x2ead5a8,0x00de4b6 },
+      { 0x01afa0b,0x0621965,0x3671528,0x1050b60,0x3f3e9e7,0x2f93829,
+        0x0825275,0x006e85f,0x35e94b0,0x016af58 } },
+    /* 197 */
+    { { 0x2c4927c,0x3ea1382,0x0f23727,0x0d69f23,0x3e38860,0x2b72837,
+        0x3cd5ea4,0x2d84292,0x321846a,0x016656f },
+      { 0x29dfa33,0x3e182e0,0x018be90,0x2ba563f,0x2caafe2,0x218c0d9,
+        0x3baf447,0x1047a6c,0x0a2d483,0x01130cb } },
+    /* 198 */
+    { { 0x00ed80c,0x2a5fc79,0x0a82a74,0x2c4c74b,0x15f938c,0x30b5ab6,
+        0x32124b7,0x295314f,0x2fb8082,0x007c858 },
+      { 0x20b173e,0x19f315c,0x12f97e4,0x198217c,0x040e8a6,0x3275977,
+        0x2bc20e4,0x01f2633,0x02bc3e9,0x023c750 } },
+    /* 199 */
+    { { 0x3c4058a,0x24be73e,0x16704f5,0x2d8a4bd,0x3b15e14,0x3076315,
+        0x1cfe37b,0x36fe715,0x343926e,0x02c6603 },
+      { 0x2c76b09,0x0cf824c,0x3f7898c,0x274cec1,0x11df527,0x18eed18,
+        0x08ead48,0x23915bc,0x19b3744,0x00a0a2b } },
+    /* 200 */
+    { { 0x0cf4ac5,0x1c8b131,0x0afb696,0x0ff7799,0x2f5ac1a,0x022420c,
+        0x11baa2e,0x2ce4015,0x1275a14,0x0125cfc },
+      { 0x22eac5d,0x360cd4c,0x3568e59,0x3d42f66,0x35e07ee,0x09620e4,
+        0x36720fa,0x22b1eac,0x2d0db16,0x01b6b23 } },
+    /* 201 */
+    { { 0x1a835ef,0x1516bbb,0x2d51f7b,0x3487443,0x14aa113,0x0dd06c2,
+        0x1a65e01,0x379300d,0x35920b9,0x012c8fb },
+      { 0x04c7341,0x2eda00f,0x3c37e82,0x1b4fd62,0x0d45770,0x1478fba,
+        0x127863a,0x26939cd,0x134ddf4,0x01375c5 } },
+    /* 202 */
+    { { 0x1476cd9,0x1119ca5,0x325bbf9,0x0bf8c69,0x0648d07,0x312d9f8,
+        0x01c8b8f,0x136ec51,0x0002f4a,0x03f4c5c },
+      { 0x195d0e1,0x10ffd22,0x29aa1cb,0x3443bdc,0x276e695,0x05e6260,
+        0x15f9764,0x3cd9783,0x18c9569,0x0053eb1 } },
+    /* 203 */
+    { { 0x312ae18,0x280197c,0x3fc9ad9,0x303f324,0x251958d,0x29f4a11,
+        0x2142408,0x3694366,0x25136ab,0x03b5f1d },
+      { 0x1d4abbc,0x1c3c689,0x13ea462,0x3cfc684,0x39b5dd8,0x2d4654b,
+        0x09b0755,0x27d4f18,0x3f74d2e,0x03fbf2d } },
+    /* 204 */
+    { { 0x2119185,0x2525eae,0x1ba4bd0,0x0c2ab11,0x1d54e8c,0x294845e,
+        0x2479dea,0x3602d24,0x17e87e0,0x0060069 },
+      { 0x0afffb0,0x34fe37f,0x1240073,0x02eb895,0x06cf33c,0x2d7f7ef,
+        0x1d763b5,0x04191e0,0x11e1ead,0x027e3f0 } },
+    /* 205 */
+    { { 0x269544c,0x0e85c57,0x3813158,0x19fc12d,0x20eaf85,0x1e2930c,
+        0x22a8fd2,0x1a6a478,0x09d3d3a,0x02a74e0 },
+      { 0x1a2da3b,0x30b0b16,0x0847936,0x3d86257,0x138ccbc,0x0f5421a,
+        0x25244e6,0x23bdd79,0x1aee117,0x00c01ae } },
+    /* 206 */
+    { { 0x1eead28,0x07cac32,0x1fbc0bb,0x17627d3,0x17eef63,0x0b3a24e,
+        0x0757fdb,0x3dd841d,0x3d745f8,0x002ae17 },
+      { 0x25b4549,0x29f24cf,0x2f21ecd,0x1725e48,0x04be2bb,0x10ee010,
+        0x1a1274b,0x10b0898,0x27511e9,0x02c48b5 } },
+    /* 207 */
+    { { 0x2a5ae7a,0x181ef99,0x0be33be,0x3e9dab7,0x101e703,0x3adb971,
+        0x1043014,0x2ebb2be,0x1c1097d,0x027d667 },
+      { 0x3f250ed,0x16dc603,0x20dc6d7,0x1d0d268,0x38eb915,0x02c89e8,
+        0x1605a41,0x12de109,0x0e08a29,0x01f554a } },
+    /* 208 */
+    { { 0x0c26def,0x163d988,0x2d1ef0f,0x3a960ac,0x1025585,0x0738e20,
+        0x27d79b0,0x05cc3ef,0x201303f,0x00a333a },
+      { 0x1644ba5,0x2af345e,0x30b8d1d,0x3a01bff,0x31fc643,0x1acf85e,
+        0x0a76fc6,0x04efe98,0x348a1d0,0x03062eb } },
+    /* 209 */
+    { { 0x1c4216d,0x18e3217,0x02ac34e,0x19c8185,0x200c010,0x17d4192,
+        0x13a1719,0x165af51,0x09db7a9,0x0277be0 },
+      { 0x3ab8d2c,0x2190b99,0x22b641e,0x0cd88de,0x3b42404,0x1310862,
+        0x106a6d6,0x23395f5,0x0b06880,0x000d5fe } },
+    /* 210 */
+    { { 0x0d2cc88,0x36f9913,0x339d8e9,0x237c2e3,0x0cc61c2,0x34c2832,
+        0x309874c,0x2621d28,0x2dd1b48,0x0392806 },
+      { 0x17cd8f9,0x07bab3d,0x0c482ed,0x0faf565,0x31b767d,0x2f4bde1,
+        0x295c717,0x330c29c,0x179ce10,0x0119b5f } },
+    /* 211 */
+    { { 0x1ada2c7,0x0c624a7,0x227d47d,0x30e3e6a,0x14fa0a6,0x0829678,
+        0x24fd288,0x2b46a43,0x122451e,0x0319ca9 },
+      { 0x186b655,0x01f3217,0x0af1306,0x0efe6b5,0x2f0235d,0x1c45ca9,
+        0x2086805,0x1d44e66,0x0faf2a6,0x0178f59 } },
+    /* 212 */
+    { { 0x33b4416,0x10431e6,0x2d99aa6,0x217aac9,0x0cd8fcf,0x2d95a9d,
+        0x3ff74ad,0x10bf17a,0x295eb8e,0x01b229e },
+      { 0x02a63bd,0x182e9ec,0x004710c,0x00e2e3c,0x06b2f23,0x04b642c,
+        0x2c37383,0x32a4631,0x022ad82,0x00d22b9 } },
+    /* 213 */
+    { { 0x0cda2fb,0x1d198d7,0x26d27f4,0x286381c,0x022acca,0x24ac7c8,
+        0x2df7824,0x0b4ba16,0x1e0d9ef,0x03041d3 },
+      { 0x29a65b3,0x0f3912b,0x151bfcf,0x2b0175c,0x0fd71e4,0x39aa5e2,
+        0x311f50c,0x13ff351,0x3dbc9e5,0x03eeb7e } },
+    /* 214 */
+    { { 0x0a99363,0x0fc7348,0x2775171,0x23db3c8,0x2b91565,0x134d66c,
+        0x0175cd2,0x1bf365a,0x2b48371,0x02dfe5d },
+      { 0x16dbf74,0x2389357,0x2f36575,0x3f5c70e,0x38d23ba,0x090f7f8,
+        0x3477600,0x3201523,0x32ecafc,0x03d3506 } },
+    /* 215 */
+    { { 0x1abd48d,0x073ca3f,0x38a451f,0x0d8cb01,0x1ce81be,0x05c51ba,
+        0x0e29741,0x03c41ab,0x0eae016,0x0060209 },
+      { 0x2e58358,0x1da62d9,0x2358038,0x14b39b2,0x1635687,0x39079b1,
+        0x380e345,0x1b49608,0x23983cf,0x019f97d } },
+    /* 216 */
+    { { 0x34899ef,0x332e373,0x04c0f89,0x3c27aed,0x1949015,0x09663b2,
+        0x2f9276b,0x07f1951,0x09a04c1,0x027fbde },
+      { 0x3d2a071,0x19fb3d4,0x1b096d3,0x1fe9146,0x3b10e1a,0x0478bbb,
+        0x2b3fb06,0x1388329,0x181a99c,0x02f2030 } },
+    /* 217 */
+    { { 0x1eb82e6,0x14dbe39,0x3920972,0x31fd5b2,0x21a484f,0x02d7697,
+        0x0e21715,0x37c431e,0x2629f8c,0x01249c3 },
+      { 0x26b50ad,0x26deefa,0x0ffc1a3,0x30688e2,0x39a0284,0x041c65e,
+        0x03eb178,0x0bdfd50,0x2f96137,0x034bb94 } },
+    /* 218 */
+    { { 0x0e0362a,0x334a162,0x194dd37,0x29e3e97,0x2442fa8,0x10d2949,
+        0x3836e5a,0x2dccebf,0x0bee5ab,0x037ed1e },
+      { 0x33eede6,0x3c739d9,0x2f04a91,0x350ad6c,0x3a5390a,0x14c368b,
+        0x26f7bf5,0x11ce979,0x0b408df,0x0366850 } },
+    /* 219 */
+    { { 0x28ea498,0x0886d5b,0x2e090e0,0x0a4d58f,0x2623478,0x0d74ab7,
+        0x2b83913,0x12c6b81,0x18d623f,0x01d8301 },
+      { 0x198aa79,0x26d6330,0x3a7f0b8,0x34bc1ea,0x2f74890,0x378955a,
+        0x204110f,0x0102538,0x02d8f19,0x01c5066 } },
+    /* 220 */
+    { { 0x14b0f45,0x2838cd3,0x14e16f0,0x0e0e4aa,0x2d9280b,0x0f18757,
+        0x3324c6b,0x1391ceb,0x1ce89d5,0x00ebe74 },
+      { 0x0930371,0x3de6048,0x3097fd8,0x1308705,0x3eda266,0x3108c26,
+        0x1545dcd,0x1f7583a,0x1c37395,0x02c7e05 } },
+    /* 221 */
+    { { 0x1fec44a,0x2a9e3a2,0x0caf84f,0x11cf2a9,0x0c8c2ae,0x06da989,
+        0x1c807dc,0x3c149a4,0x1141543,0x02906bb },
+      { 0x15ffe04,0x0d4e65f,0x2e20424,0x37d896d,0x18bacb2,0x1e05ddd,
+        0x1660be8,0x183be17,0x1dd86fb,0x035ba70 } },
+    /* 222 */
+    { { 0x2853264,0x0ba5fb1,0x0a0b3aa,0x2df88c1,0x2771533,0x23aba6f,
+        0x112bb7b,0x3e3086e,0x210ae9b,0x027271b },
+      { 0x030b74c,0x0269678,0x1e90a23,0x135a98c,0x24ed749,0x126de7c,
+        0x344b23a,0x186da27,0x19640fa,0x0159af5 } },
+    /* 223 */
+    { { 0x18061f3,0x3004630,0x3c70066,0x34df20f,0x1190b25,0x1c9cc91,
+        0x1fc8e02,0x0d17bc1,0x390f525,0x033cb1c },
+      { 0x0eb30cf,0x2f3ad04,0x303aa09,0x2e835dd,0x1cfd2eb,0x143fc95,
+        0x02c43a1,0x025e7a1,0x3558aa2,0x000bd45 } },
+    /* 224 */
+    { { 0x1db7d07,0x3bde52b,0x1500396,0x1089115,0x20b4fc7,0x1e2a8f3,
+        0x3f8eacc,0x365f7eb,0x1a5e8d4,0x0053a6b },
+      { 0x37079e2,0x120284b,0x000edaa,0x33792c2,0x145baa3,0x20e055f,
+        0x365e2d7,0x26ba005,0x3ab8e9d,0x0282b53 } },
+    /* 225 */
+    { { 0x2653618,0x2dd8852,0x2a5f0bf,0x0f0c7aa,0x2187281,0x1252757,
+        0x13e7374,0x3b47855,0x0b86e56,0x02f354c },
+      { 0x2e9c47b,0x2fa14cc,0x19ab169,0x3fad401,0x0dc2776,0x24afeed,
+        0x3a97611,0x0d07736,0x3cf6979,0x02424a0 } },
+    /* 226 */
+    { { 0x2e81a13,0x000c91d,0x123967b,0x265885c,0x29bee1a,0x0cb8675,
+        0x2d361bd,0x1526823,0x3c9ace1,0x00d7bad },
+      { 0x24e5bdc,0x02b969f,0x2c6e128,0x34edb3b,0x12dcd2c,0x3899af0,
+        0x24224c6,0x3a1914b,0x0f4448a,0x026a2cb } },
+    /* 227 */
+    { { 0x1d03b59,0x1c6fc82,0x32abf64,0x28ed96b,0x1c90e62,0x2f57bb2,
+        0x3ff168e,0x04de7fd,0x0f4d449,0x01af6d8 },
+      { 0x255bc30,0x2bfaf22,0x3fe0dad,0x0584025,0x1c79ead,0x3078ef7,
+        0x2197414,0x022a50b,0x0fd94ba,0x0007b0f } },
+    /* 228 */
+    { { 0x09485c2,0x09dfaf7,0x10c7ba6,0x1e48bec,0x248cc9a,0x028a362,
+        0x21d60f7,0x193d93d,0x1c04754,0x0346b2c },
+      { 0x2f36612,0x240ac49,0x0d8bd26,0x13b8186,0x259c3a4,0x020d5fb,
+        0x38a8133,0x09b0937,0x39d4056,0x01f7341 } },
+    /* 229 */
+    { { 0x05a4b48,0x1f534fc,0x07725ce,0x148dc8c,0x2adcd29,0x04aa456,
+        0x0f79718,0x066e346,0x189377d,0x002fd4d },
+      { 0x068ea73,0x336569b,0x184d35e,0x32a08e9,0x3c7f3bb,0x11ce9c8,
+        0x3674c6f,0x21bf27e,0x0d9e166,0x034a2f9 } },
+    /* 230 */
+    { { 0x0fa8e4b,0x2e6418e,0x18fc5d2,0x1ba24ff,0x0559f18,0x0dbedbf,
+        0x2de2aa4,0x22338e9,0x3aa510f,0x035d801 },
+      { 0x23a4988,0x02aad94,0x02732d1,0x111d374,0x0b455cf,0x0d01c9e,
+        0x067082a,0x2ec05fd,0x368b303,0x03cad4b } },
+    /* 231 */
+    { { 0x035b4ca,0x1fabea6,0x1cbc0d5,0x3f2ed9a,0x02d2232,0x1990c66,
+        0x2eb680c,0x3b4ea3b,0x18ecc5a,0x03636fa },
+      { 0x1a02709,0x26f8ff1,0x1fa8cba,0x397d6e8,0x230be68,0x043aa14,
+        0x3d43cdf,0x25c17fa,0x3a3ee55,0x0380564 } },
+    /* 232 */
+    { { 0x275a0a6,0x16bd43a,0x0033d3e,0x2b15e16,0x2512226,0x005d901,
+        0x26d50fd,0x3bc19bf,0x3b1aeb8,0x02bfb01 },
+      { 0x0bb0a31,0x26559e0,0x1aae7fb,0x330dcc2,0x16f1af3,0x06afce2,
+        0x13a15a0,0x2ff7645,0x3546e2d,0x029c6e4 } },
+    /* 233 */
+    { { 0x0f593d2,0x384b806,0x122bbf8,0x0a281e0,0x1d1a904,0x2e93cab,
+        0x0505db0,0x08f6454,0x05c6285,0x014e880 },
+      { 0x3f2b935,0x22d8e79,0x161a07c,0x16b060a,0x02bff97,0x146328b,
+        0x3ceea77,0x238f61a,0x19b3d58,0x02fd1f4 } },
+    /* 234 */
+    { { 0x17665d5,0x259e9f7,0x0de5672,0x15cbcbd,0x34e3030,0x035240f,
+        0x0005ae8,0x286d851,0x07f39c9,0x000070b },
+      { 0x1efc6d6,0x2a0051a,0x2724143,0x2a9ef1e,0x0c810bd,0x1e05429,
+        0x25670ba,0x2e66d7d,0x0e786ff,0x03f6b7e } },
+    /* 235 */
+    { { 0x3c00785,0x232e23f,0x2b67fd3,0x244ed23,0x077fa75,0x3cda3ef,
+        0x14d055b,0x0f25011,0x24d5aa4,0x00ea0e3 },
+      { 0x297bb9a,0x198ca4f,0x14d9561,0x18d1076,0x39eb933,0x2b6caa0,
+        0x1591a60,0x0768d45,0x257873e,0x00f36e0 } },
+    /* 236 */
+    { { 0x1e77eab,0x0502a5f,0x0109137,0x0350592,0x3f7e1c5,0x3ac7437,
+        0x2dcad2c,0x1fee9d8,0x089f1f5,0x0169833 },
+      { 0x0d45673,0x0d8e090,0x065580b,0x065644f,0x11b82be,0x3592dd0,
+        0x3284b8d,0x23f0015,0x16fdbfd,0x0248bfd } },
+    /* 237 */
+    { { 0x1a129a1,0x1977bb2,0x0e041b2,0x15f30a1,0x0a5b1ce,0x3afef8f,
+        0x380c46c,0x3358810,0x27df6c5,0x01ca466 },
+      { 0x3b90f9a,0x3d14ea3,0x031b298,0x02e2390,0x2d719c0,0x25bc615,
+        0x2c0e777,0x0226b8c,0x3803624,0x0179e45 } },
+    /* 238 */
+    { { 0x363cdfb,0x1bb155f,0x24fd5c1,0x1c7c72b,0x28e6a35,0x18165f2,
+        0x226bea5,0x0beaff3,0x371e24c,0x0138294 },
+      { 0x1765357,0x29034e9,0x22b4276,0x11035ce,0x23c89af,0x074468c,
+        0x3370ae4,0x013bae3,0x018d566,0x03d7fde } },
+    /* 239 */
+    { { 0x209df21,0x0f8ff86,0x0e47fbf,0x23b99ba,0x126d5d2,0x2722405,
+        0x16bd0a2,0x1799082,0x0e9533f,0x039077c },
+      { 0x3ba9e3f,0x3f6902c,0x1895305,0x3ac9813,0x3f2340c,0x3c0d9f1,
+        0x26e1927,0x0557c21,0x16eac4f,0x023b75f } },
+    /* 240 */
+    { { 0x3fc8ff3,0x0770382,0x342fc9a,0x0afa4db,0x314efd8,0x328e07b,
+        0x016f7cc,0x3ba599c,0x1caed8a,0x0050cb0 },
+      { 0x0b23c26,0x2120a5c,0x3273ec6,0x1cc1cd6,0x2a64fe8,0x2bbc3d6,
+        0x09f6e5e,0x34b1b8e,0x00b5ac8,0x032bbd2 } },
+    /* 241 */
+    { { 0x1315922,0x1725e1d,0x0ca5524,0x1c4c18f,0x3d82951,0x193bcb2,
+        0x0e60d0b,0x388dbcf,0x37e8efa,0x0342e85 },
+      { 0x1b3af60,0x26ba3ec,0x220e53a,0x394f4b6,0x01a796a,0x3e7bbca,
+        0x163605d,0x2b85807,0x17c1c54,0x03cc725 } },
+    /* 242 */
+    { { 0x1cc4597,0x1635492,0x2028c0f,0x2c2eb82,0x2dc5015,0x0d2a052,
+        0x05fc557,0x1f0ebbf,0x0cb96e1,0x0004d01 },
+      { 0x1a824bf,0x3896172,0x2ed7b29,0x178007a,0x0d59318,0x07bda2b,
+        0x2ee6826,0x0f9b235,0x04b9193,0x01bcddf } },
+    /* 243 */
+    { { 0x0333fd2,0x0eeb46a,0x15b89f9,0x00968aa,0x2a89302,0x2bdd6b3,
+        0x1e5037e,0x2541884,0x24ed2d0,0x01b6e8f },
+      { 0x04399cd,0x3be6334,0x3adea48,0x1bb9adc,0x31811c6,0x05fb2bc,
+        0x360752c,0x3d29dcb,0x3423bec,0x03c4f3c } },
+    /* 244 */
+    { { 0x119e2eb,0x2e7b02a,0x0f68cee,0x257d8b0,0x183a9a1,0x2ae88a6,
+        0x3a3bb67,0x2eb4f3e,0x1a9274b,0x0320fea },
+      { 0x2fa1ce0,0x346c2d8,0x2fbf0d7,0x3d4d063,0x0e58b60,0x09c1bc1,
+        0x28ef9e5,0x09a0efe,0x0f45d70,0x02d275c } },
+    /* 245 */
+    { { 0x2d5513b,0x31d443e,0x1e2d914,0x3b2c5d4,0x105f32e,0x27ee756,
+        0x050418d,0x3c73db6,0x1bb0c30,0x01673eb },
+      { 0x1cb7fd6,0x1eb08d5,0x26a3e16,0x2e20810,0x0249367,0x029e219,
+        0x2ec58c9,0x12d9fab,0x362354a,0x016eafc } },
+    /* 246 */
+    { { 0x2424865,0x260747b,0x177f37c,0x1e3cb95,0x08b0028,0x2783016,
+        0x2970f1b,0x323c1c0,0x2a79026,0x0186231 },
+      { 0x0f244da,0x26866f4,0x087306f,0x173ec20,0x31ecced,0x3c84d8d,
+        0x070f9b9,0x2e764d5,0x075df50,0x0264ff9 } },
+    /* 247 */
+    { { 0x32c3609,0x0c737e6,0x14ea68e,0x300b11b,0x184eb19,0x29dd440,
+        0x09ec1a9,0x185adeb,0x0664c80,0x0207dd9 },
+      { 0x1fbe978,0x30a969d,0x33561d7,0x34fc60e,0x36743fe,0x00774af,
+        0x0d1f045,0x018360e,0x12a5fe9,0x01592a0 } },
+    /* 248 */
+    { { 0x2817d1d,0x2993d3e,0x2e0f7a5,0x112faa0,0x255f968,0x355fe6a,
+        0x3f5a0fc,0x075b2d7,0x3cf00e5,0x0089afc },
+      { 0x32833cf,0x06a7e4b,0x09a8d6d,0x1693d3e,0x320a0a3,0x3cfdfdd,
+        0x136c498,0x1e0d845,0x347ff25,0x01a1de7 } },
+    /* 249 */
+    { { 0x3043d08,0x030705c,0x20fa79b,0x1d07f00,0x0a54467,0x29b49b4,
+        0x367e289,0x0b82f4d,0x0d1eb09,0x025ef2c },
+      { 0x32ed3c3,0x1baaa3c,0x3c482ab,0x146ca06,0x3c8a4f1,0x3e85e3c,
+        0x1bf4f3b,0x1195534,0x3e80a78,0x02a1cbf } },
+    /* 250 */
+    { { 0x32b2086,0x2de4d68,0x3486b1a,0x03a0583,0x2e1eb71,0x2dab9af,
+        0x10cd913,0x28daa6f,0x3fcb732,0x000a04a },
+      { 0x3605318,0x3f5f2b3,0x2d1da63,0x143f7f5,0x1646e5d,0x040b586,
+        0x1683982,0x25abe87,0x0c9fe53,0x001ce47 } },
+    /* 251 */
+    { { 0x380d02b,0x055fc22,0x3f7fc50,0x3458a1d,0x26b8333,0x23550ab,
+        0x0a1af87,0x0a821eb,0x2dc7e6d,0x00d574a },
+      { 0x07386e1,0x3ccd68a,0x3275b41,0x253e390,0x2fd272a,0x1e6627a,
+        0x2ca2cde,0x0e9e4a1,0x1e37c2a,0x00f70ac } },
+    /* 252 */
+    { { 0x0581352,0x2748701,0x02bed68,0x094dd9e,0x30a00c8,0x3fb5c07,
+        0x3bd5909,0x211ac80,0x1103ccd,0x0311e1a },
+      { 0x0c768ed,0x29dc209,0x36575db,0x009a107,0x272feea,0x2b33383,
+        0x313ed56,0x134c9cc,0x168d5bb,0x033310a } },
+    /* 253 */
+    { { 0x17620b9,0x143784f,0x256a94e,0x229664a,0x1d89a5c,0x1d521f2,
+        0x0076406,0x1c73f70,0x342aa48,0x03851fa },
+      { 0x0f3ae46,0x2ad3bab,0x0fbe274,0x3ed40d4,0x2fd4936,0x232103a,
+        0x2afe474,0x25b8f7c,0x047080e,0x008e6b0 } },
+    /* 254 */
+    { { 0x3fee8d4,0x347cd4a,0x0fec481,0x33fe9ec,0x0ce80b5,0x33a6bcf,
+        0x1c4c9e2,0x3967441,0x1a3f5f7,0x03157e8 },
+      { 0x257c227,0x1bc53a0,0x200b318,0x0fcd0af,0x2c5b165,0x2a413ec,
+        0x2fc998a,0x2da6426,0x19cd4f4,0x0025336 } },
+    /* 255 */
+    { { 0x303beba,0x2072135,0x32918a9,0x140cb3a,0x08631d1,0x0ef527b,
+        0x05f2c9e,0x2b4ce91,0x0b642ab,0x02e428c },
+      { 0x0a5abf9,0x15013ed,0x3603b46,0x30dd76d,0x3004750,0x28d7627,
+        0x1a42ccc,0x093ddbe,0x39a1b79,0x00067e2 } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine co-ordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_10(sp_point* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_10(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif
+
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* Multiply a by scalar b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A scalar.
+ */
+SP_NOINLINE static void sp_256_mul_d_10(sp_digit* r, const sp_digit* a,
+    sp_digit b)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int64_t tb = b;
+    int64_t t = 0;
+    int i;
+
+    for (i = 0; i < 10; i++) {
+        t += tb * a[i];
+        r[i] = t & 0x3ffffff;
+        t >>= 26;
+    }
+    r[10] = (sp_digit)t;
+#else
+    int64_t tb = b;
+    int64_t t[10];
+
+    t[ 0] = Q6_P_mpy_RR(tb, a[0]);
+    t[ 1] = Q6_P_mpy_RR(tb, a[1]);
+    t[ 2] = Q6_P_mpy_RR(tb, a[2]);
+    t[ 3] = Q6_P_mpy_RR(tb, a[3]);
+    t[ 4] = Q6_P_mpy_RR(tb, a[4]);
+    t[ 5] = Q6_P_mpy_RR(tb, a[5]);
+    t[ 6] = Q6_P_mpy_RR(tb, a[6]);
+    t[ 7] = Q6_P_mpy_RR(tb, a[7]);
+    t[ 8] = Q6_P_mpy_RR(tb, a[8]);
+    t[ 9] = Q6_P_mpy_RR(tb, a[9]);
+    r[ 0] =                           Q6_R_and_RR(t[ 0], 0x3ffffff);
+    r[ 1] = (sp_digit)(t[ 0] >> 26) + Q6_R_and_RR(t[ 1], 0x3ffffff);
+    r[ 2] = (sp_digit)(t[ 1] >> 26) + Q6_R_and_RR(t[ 2], 0x3ffffff);
+    r[ 3] = (sp_digit)(t[ 2] >> 26) + Q6_R_and_RR(t[ 3], 0x3ffffff);
+    r[ 4] = (sp_digit)(t[ 3] >> 26) + Q6_R_and_RR(t[ 4], 0x3ffffff);
+    r[ 5] = (sp_digit)(t[ 4] >> 26) + Q6_R_and_RR(t[ 5], 0x3ffffff);
+    r[ 6] = (sp_digit)(t[ 5] >> 26) + Q6_R_and_RR(t[ 6], 0x3ffffff);
+    r[ 7] = (sp_digit)(t[ 6] >> 26) + Q6_R_and_RR(t[ 7], 0x3ffffff);
+    r[ 8] = (sp_digit)(t[ 7] >> 26) + Q6_R_and_RR(t[ 8], 0x3ffffff);
+    r[ 9] = (sp_digit)(t[ 8] >> 26) + Q6_R_and_RR(t[ 9], 0x3ffffff);
+    r[10] = (sp_digit)(t[ 9] >> 26);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef WOLFSSL_SP_DIV_32
+static WC_INLINE sp_digit sp_256_div_word_10(sp_digit d1, sp_digit d0,
+    sp_digit dv)
+{
+    sp_digit d, r, t, dv;
+    int64_t t0, t1;
+
+    /* dv has 14 bits. */
+    dv = (div >> 12) + 1;
+    /* All 26 bits from d1 and top 5 bits from d0. */
+    d = (d1 << 5) | (d0 >> 21);
+    r = d / dv;
+    d -= r * dv;
+    /* Up to 17 bits in r */
+    /* Next 9 bits from d0. */
+    d <<= 9;
+    r <<= 9;
+    d |= (d0 >> 12) & ((1 << 9) - 1);
+    t = d / dv;
+    d -= t * dv;
+    r += t;
+    /* Up to 26 bits in r */
+
+    /* Handle rounding error with dv - top part */
+    t0 = ((int64_t)d1 << 26) + d0;
+    t1 = (int64_t)r * dv;
+    t1 = t0 - t1;
+    t = (sp_digit)(t1 >> 12) / dv;
+    r += t;
+
+    /* Handle rounding error with dv - bottom 32 bits */
+    t1 = (sp_digit)t0 - (r * dv);
+    t = (sp_digit)t1 / dv;
+    r += t;
+
+    return r;
+}
+#endif /* WOLFSSL_SP_DIV_32 */
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Number to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_div_10(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    int i;
+#ifndef WOLFSSL_SP_DIV_32
+    int64_t d1;
+#endif
+    sp_digit dv, r1;
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    sp_digit* td;
+#else
+    sp_digit t1d[20], t2d[10 + 1];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * (3 * 10 + 1), NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        t1 = td;
+        t2 = td + 2 * 10;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        dv = d[9];
+        XMEMCPY(t1, a, sizeof(*t1) * 2U * 10U);
+        for (i=9; i>=0; i--) {
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] = Q6_R_and_RR(t1[10 + i - 1], 0x3ffffff);
+#ifndef WOLFSSL_SP_DIV_32
+            d1 = t1[10 + i];
+            d1 <<= 26;
+            d1 += t1[10 + i - 1];
+            r1 = (sp_digit)(d1 / dv);
+#else
+            r1 = sp_256_div_word_10(t1[10 + i], t1[10 + i - 1], dv);
+#endif
+
+            sp_256_mul_d_10(t2, d, r1);
+            (void)sp_256_sub_10(&t1[i], &t1[i], t2);
+            t1[10 + i] -= t2[10];
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] = Q6_R_and_RR(t1[10 + i - 1], 0x3ffffff);
+            r1 = (((-t1[10 + i]) << 26) - t1[10 + i - 1]) / dv;
+            r1++;
+            sp_256_mul_d_10(t2, d, r1);
+            (void)sp_256_add_10(&t1[i], &t1[i], t2);
+            t1[10 + i] += t1[10 + i - 1] >> 26;
+            t1[10 + i - 1] = Q6_R_and_RR(t1[10 + i - 1], 0x3ffffff);
+        }
+        t1[10 - 1] += t1[10 - 2] >> 26;
+        t1[10 - 2] &= 0x3ffffff;
+        d1 = t1[10 - 1];
+        r1 = (sp_digit)(d1 / dv);
+
+        sp_256_mul_d_10(t2, d, r1);
+        (void)sp_256_sub_10(t1, t1, t2);
+        XMEMCPY(r, t1, sizeof(*r) * 2U * 10U);
+        for (i=0; i<8; i++) {
+            r[i+1] += r[i] >> 26;
+            r[i] &= 0x3ffffff;
+        }
+        sp_256_cond_add_10(r, r, d, 0 - ((r[9] < 0) ?
+                    (sp_digit)1 : (sp_digit)0));
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (td != NULL) {
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
+
+    return err;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
+ */
+static int sp_256_mod_10(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_10(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint32_t p256_order_2[8] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU,0xffffffffU,0xffffffffU,
+    0x00000000U,0xffffffffU
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint32_t p256_order_low[4] = {
+    0xfc63254fU,0xf3b9cac2U,0xa7179e84U,0xbce6faadU
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_10(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_10(r, a, b);
+    sp_256_mont_reduce_order_10(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_10(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_10(r, a);
+    sp_256_mont_reduce_order_10(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_10(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_10(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_10(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_10(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 10);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_10(t, t);
+        if ((p256_order_2[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 10U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 10;
+    sp_digit* t3 = td + 4 * 10;
+    int i;
+
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_10(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_10(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_10(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_10(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_10(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_10(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_10(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_10(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_10(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_10(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_10(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_10(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    sp_256_mont_mul_order_10(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_10(t2, t2);
+        if (((sp_digit)p256_order_low[i / 32] & ((sp_int_digit)1 << (i % 32))) != 0) {
+            sp_256_mont_mul_order_10(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_10(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_10(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_VERIFY
+
+
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int wolfSSL_DSP_ECC_Verify_256(remote_handle64 h, int32 *u1, int hashLen, int32* r, int rSz, int32* s, int sSz,
+	int32* x, int xSz, int32* y, int ySz, int32* z, int zSz, int* res)
+{
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    sp_digit* d = NULL;
+#else
+    sp_digit u2d[2*10] __attribute__((aligned(128)));
+    sp_digit tmpd[2*10 * 5] __attribute__((aligned(128)));
+    sp_point p1d;
+    sp_point p2d;
+#endif
+    sp_digit* u2 = NULL;
+    sp_digit* tmp = NULL;
+    sp_point* p1;
+    sp_point* p2 = NULL;
+    sp_digit carry;
+    int32_t c;
+    int err;
+    void* heap = NULL;
+
+    (void)h;
+    (void)hashLen;
+
+    err = sp_ecc_point_new(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_ecc_point_new(heap, p2d, p2);
+    }
+
+    if (err == MP_OKAY) {
+        u2 = u2d;
+        tmp = tmpd;
+
+	XMEMCPY(u2, r, 40);
+	XMEMCPY(p2->x, x, 40);
+	XMEMCPY(p2->y, y, 40);
+	XMEMCPY(p2->z, z, 40);
+
+            sp_256_mul_10(s, s, p256_norm_order);
+        err = sp_256_mod_10(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_10(s);
+        {
+
+            sp_256_mont_inv_order_10(s, s, tmp);
+            sp_256_mont_mul_order_10(u1, u1, s);
+            sp_256_mont_mul_order_10(u2, u2, s);
+        }
+
+            err = sp_256_ecc_mulmod_base_10(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+            err = sp_256_ecc_mulmod_10(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+            sp_256_proj_point_add_10(p1, p1, p2, tmp);
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+	XMEMCPY(u2, r, 40);
+        err = sp_256_mod_mul_norm_10(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_10(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_10(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_10(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+	    XMEMCPY(u2, r, 40);
+            carry = sp_256_add_10(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_10(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_10(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_10(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_10(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_10(p1->x, u2) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_ecc_point_free(p1, 0, heap);
+    sp_ecc_point_free(p2, 0, heap);
+
+    return err;
+}
+
+/** Free the Fixed Point cache */
+void wc_ecc_fp_free(void)
+{
+}
+
+
+AEEResult wolfSSL_open(const char *uri, remote_handle64 *handle) 
+{
+   void *tptr;
+  /* can be any value or ignored, rpc layer doesn't care
+   * also ok
+   * *handle = 0;
+   * *handle = 0xdeadc0de;
+   */
+   tptr = (void *)malloc(1);
+   *handle = (remote_handle64)tptr;
+   return 0;
+}
+
+AEEResult wolfSSL_close(remote_handle64 handle) 
+{
+   if (handle)
+      free((void*)handle);
+   return 0;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit tmpd[2 * 10 * 5];
+    sp_point pd;
+    sp_point qd;
+#endif
+    sp_digit* tmp;
+    sp_point* p;
+    sp_point* q = NULL;
+    int err;
+
+    err = sp_ecc_point_new(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_ecc_point_new(NULL, qd, q);
+    }
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+        sp_256_from_mp(q->x, 10, qX);
+        sp_256_from_mp(q->y, 10, qY);
+        sp_256_from_mp(q->z, 10, qZ);
+
+            sp_256_proj_point_add_10(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_ecc_point_free(q, 0, NULL);
+    sp_ecc_point_free(p, 0, NULL);
+
+    return err;
+}
+
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit tmpd[2 * 10 * 2];
+    sp_point pd;
+#endif
+    sp_digit* tmp;
+    sp_point* p;
+    int err;
+
+    err = sp_ecc_point_new(NULL, pd, p);
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+
+            sp_256_proj_point_dbl_10(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_ecc_point_free(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit tmpd[2 * 10 * 4];
+    sp_point pd;
+#endif
+    sp_digit* tmp;
+    sp_point* p;
+    int err;
+
+    err = sp_ecc_point_new(NULL, pd, p);
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 10 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 10, pX);
+        sp_256_from_mp(p->y, 10, pY);
+        sp_256_from_mp(p->z, 10, pZ);
+
+        sp_256_map_10(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_ecc_point_free(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_10(sp_digit* y)
+{
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 10];
+    sp_digit t2d[2 * 10];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 10, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        t1 = d + 0 * 10;
+        t2 = d + 2 * 10;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_10(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_10(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_10(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_10(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_10(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_10(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_10(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_10(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_10(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_10(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_10(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_10(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 10];
+    sp_digit yd[2 * 10];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 10, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        x = d + 0 * 10;
+        y = d + 2 * 10;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 10, xm);
+        err = sp_256_mod_mul_norm_10(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+        {
+            sp_256_mont_sqr_10(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_10(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        sp_256_mont_sub_10(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_10(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_10(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_10(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 10, 0, 10U * sizeof(sp_digit));
+        sp_256_mont_reduce_10(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_10(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_DSP */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_int.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_int.c
new file mode 100644
index 000000000..0db891b98
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_int.c
@@ -0,0 +1,2203 @@
+/* sp_int.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+/* SP Build Options:
+ * WOLFSSL_HAVE_SP_RSA:         Enable SP RSA support
+ * WOLFSSL_HAVE_SP_DH:          Enable SP DH support
+ * WOLFSSL_HAVE_SP_ECC:         Enable SP ECC support
+ * WOLFSSL_SP_MATH:             Use only single precision math and algorithms it supports (no fastmath tfm.c or normal integer.c)
+ * WOLFSSL_SP_SMALL:            Use smaller version of code and avoid large stack variables
+ * WOLFSSL_SP_NO_MALLOC:        Always use stack, no heap XMALLOC/XFREE allowed
+ * WOLFSSL_SP_NO_3072:          Disable RSA/DH 3072-bit support
+ * WOLFSSL_SP_NO_2048:          Disable RSA/DH 2048-bit support
+ * WOLFSSL_SP_4096:             Enable RSA/RH 4096-bit support
+ * WOLFSSL_SP_384               Enable ECC 384-bit SECP384R1 support
+ * WOLFSSL_SP_NO_256            Disable ECC 256-bit SECP256R1 support
+ * WOLFSSL_SP_CACHE_RESISTANT   Enable cache resistantant code 
+ * WOLFSSL_SP_ASM               Enable assembly speedups (detect platform)
+ * WOLFSSL_SP_X86_64_ASM        Enable Intel x86 assembly speedups like AVX/AVX2
+ * WOLFSSL_SP_ARM32_ASM         Enable Aarch32 assembly speedups
+ * WOLFSSL_SP_ARM64_ASM         Enable Aarch64 assembly speedups
+ * WOLFSSL_SP_ARM_CORTEX_M_ASM  Enable Cortex-M assembly speedups
+ * WOLFSSL_SP_ARM_THUMB_ASM     Enable ARM Thumb assembly speedups (used with -mthumb)
+ */
+
+#ifdef WOLFSSL_SP_MATH
+
+#include <wolfssl/wolfcrypt/sp_int.h>
+
+#if defined(WOLFSSL_HAVE_SP_DH) || defined(WOLFSSL_HAVE_SP_RSA)
+
+WOLFSSL_LOCAL int sp_ModExp_1024(sp_int* base, sp_int* exp, sp_int* mod,
+    sp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_1536(sp_int* base, sp_int* exp, sp_int* mod,
+    sp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_2048(sp_int* base, sp_int* exp, sp_int* mod,
+    sp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_3072(sp_int* base, sp_int* exp, sp_int* mod,
+    sp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_4096(sp_int* base, sp_int* exp, sp_int* mod,
+    sp_int* res);
+
+#endif
+
+int sp_get_digit_count(sp_int *a)
+{
+    int ret;
+    if (!a)
+        ret = 0;
+    else
+        ret = a->used;
+    return ret;
+}
+
+/* Initialize the big number to be zero.
+ *
+ * a  SP integer.
+ * returns MP_OKAY always.
+ */
+int sp_init(sp_int* a)
+{
+    a->used = 0;
+    a->size = SP_INT_DIGITS;
+
+    return MP_OKAY;
+}
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
+/* Initialize up to six big numbers to be zero.
+ *
+ * a  SP integer.
+ * b  SP integer.
+ * c  SP integer.
+ * d  SP integer.
+ * e  SP integer.
+ * f  SP integer.
+ * returns MP_OKAY always.
+ */
+int sp_init_multi(sp_int* a, sp_int* b, sp_int* c, sp_int* d, sp_int* e,
+                  sp_int* f)
+{
+    if (a != NULL) {
+        a->used = 0;
+        a->size = SP_INT_DIGITS;
+    }
+    if (b != NULL) {
+        b->used = 0;
+        b->size = SP_INT_DIGITS;
+    }
+    if (c != NULL) {
+        c->used = 0;
+        c->size = SP_INT_DIGITS;
+    }
+    if (d != NULL) {
+        d->used = 0;
+        d->size = SP_INT_DIGITS;
+    }
+    if (e != NULL) {
+        e->used = 0;
+        e->size = SP_INT_DIGITS;
+    }
+    if (f != NULL) {
+        f->used = 0;
+        f->size = SP_INT_DIGITS;
+    }
+
+    return MP_OKAY;
+}
+#endif
+
+/* Clear the data from the big number and set to zero.
+ *
+ * a  SP integer.
+ */
+void sp_clear(sp_int* a)
+{
+    if (a != NULL) {
+        int i;
+
+        for (i=0; i<a->used; i++)
+            a->dp[i] = 0;
+        a->used = 0;
+    }
+}
+
+/* Calculate the number of 8-bit values required to represent the big number.
+ *
+ * a  SP integer.
+ * returns the count.
+ */
+int sp_unsigned_bin_size(sp_int* a)
+{
+    int size = sp_count_bits(a);
+    return (size + 7) / 8;
+}
+
+/* Convert a number as an array of bytes in big-endian format to a big number.
+ *
+ * a     SP integer.
+ * in    Array of bytes.
+ * inSz  Number of data bytes in array.
+ * returns BAD_FUNC_ARG when the number is too big to fit in an SP and
+           MP_OKAY otherwise.
+ */
+int sp_read_unsigned_bin(sp_int* a, const byte* in, int inSz)
+{
+    int err = MP_OKAY;
+    int i, j = 0, k;
+
+    if (inSz > SP_INT_DIGITS * (int)sizeof(a->dp[0])) {
+        err = MP_VAL;
+    }
+
+    if (err == MP_OKAY) {
+        for (i = inSz-1; i >= (SP_WORD_SIZE/8); i -= (SP_WORD_SIZE/8), j++) {
+            a->dp[j]  = (((sp_int_digit)in[i-0]) << (0*8))
+                     |  (((sp_int_digit)in[i-1]) << (1*8))
+                     |  (((sp_int_digit)in[i-2]) << (2*8))
+                     |  (((sp_int_digit)in[i-3]) << (3*8));
+    #if SP_WORD_SIZE == 64
+            a->dp[j] |= (((sp_int_digit)in[i-4]) << (4*8))
+                     |  (((sp_int_digit)in[i-5]) << (5*8))
+                     |  (((sp_int_digit)in[i-6]) << (6*8))
+                     |  (((sp_int_digit)in[i-7]) << (7*8));
+    #endif
+        }
+        if (i >= 0) {
+            a->dp[j] = 0;
+            for (k = 0; k <= i; k++) {
+                a->dp[j] <<= 8;
+                a->dp[j] |= in[k];
+            }
+        }
+        a->used = j + 1;
+    }
+
+    sp_clamp(a);
+
+    return err;
+}
+
+#ifdef HAVE_ECC
+/* Convert a number as string in big-endian format to a big number.
+ * Only supports base-16 (hexadecimal).
+ * Negative values not supported.
+ *
+ * a      SP integer.
+ * in     NUL terminated string.
+ * radix  Number of values in a digit.
+ * returns BAD_FUNC_ARG when radix not supported or value is negative, MP_VAL
+ * when a character is not valid and MP_OKAY otherwise.
+ */
+int sp_read_radix(sp_int* a, const char* in, int radix)
+{
+    int  err = MP_OKAY;
+    int  i, j = 0, k = 0;
+    char ch;
+
+    if ((radix != 16) || (*in == '-')) {
+        err = BAD_FUNC_ARG;
+    }
+
+    while (*in == '0') {
+        in++;
+    }
+
+    if (err == MP_OKAY) {
+        a->dp[0] = 0;
+        for (i = (int)(XSTRLEN(in) - 1); i >= 0; i--) {
+            ch = in[i];
+            if (ch >= '0' && ch <= '9')
+                ch -= '0';
+            else if (ch >= 'A' && ch <= 'F')
+                ch -= 'A' - 10;
+            else if (ch >= 'a' && ch <= 'f')
+                ch -= 'a' - 10;
+            else {
+                err = MP_VAL;
+                break;
+            }
+
+            a->dp[k] |= ((sp_int_digit)ch) << j;
+            j += 4;
+            if (k >= SP_INT_DIGITS - 1) {
+                err = MP_VAL;
+                break;
+            }
+            if (j == DIGIT_BIT)
+                a->dp[++k] = 0;
+            j &= SP_WORD_SIZE - 1;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        a->used = k + 1;
+        if (a->dp[k] == 0)
+            a->used--;
+
+        for (k++; k < a->size; k++)
+            a->dp[k] = 0;
+
+        sp_clamp(a);
+    }
+
+    return err;
+}
+#endif
+
+/* Compare two big numbers.
+ *
+ * a  SP integer.
+ * b  SP integer.
+ * returns MP_GT if a is greater than b, MP_LT if a is less than b and MP_EQ
+ * when a equals b.
+ */
+int sp_cmp(sp_int* a, sp_int* b)
+{
+    int ret = MP_EQ;
+    int i;
+
+    if (a->used > b->used)
+        ret = MP_GT;
+    else if (a->used < b->used)
+        ret = MP_LT;
+    else {
+        for (i = a->used - 1; i >= 0; i--) {
+            if (a->dp[i] > b->dp[i]) {
+                ret = MP_GT;
+                break;
+            }
+            else if (a->dp[i] < b->dp[i]) {
+                ret = MP_LT;
+                break;
+            }
+        }
+    }
+    return ret;
+}
+
+/* Count the number of bits in the big number.
+ *
+ * a  SP integer.
+ * returns the number of bits.
+ */
+int sp_count_bits(sp_int* a)
+{
+    int r = 0;
+    sp_int_digit d;
+
+    r = a->used - 1;
+    while (r >= 0 && a->dp[r] == 0)
+        r--;
+    if (r < 0)
+        r = 0;
+    else {
+        d = a->dp[r];
+        r *= SP_WORD_SIZE;
+        if (d >= (1L << (SP_WORD_SIZE / 2))) {
+            r += SP_WORD_SIZE;
+            while ((d & (1UL << (SP_WORD_SIZE - 1))) == 0) {
+                r--;
+                d <<= 1;
+            }
+        }
+        else {
+            while (d != 0) {
+                r++;
+                d >>= 1;
+            }
+        }
+    }
+
+    return r;
+}
+
+/* Determine if the most significant byte of the encoded big number as the top
+ * bit set.
+ *
+ * a  SP integer.
+ * returns 1 when the top bit is set and 0 otherwise.
+ */
+int sp_leading_bit(sp_int* a)
+{
+    int bit = 0;
+    sp_int_digit d;
+
+    if (a->used > 0) {
+        d = a->dp[a->used - 1];
+        while (d > (sp_int_digit)0xff)
+            d >>= 8;
+        bit = (int)(d >> 7);
+    }
+
+    return bit;
+}
+
+#if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \
+    !defined(WOLFSSL_RSA_VERIFY_ONLY)
+/* Convert the big number to an array of bytes in big-endian format.
+ * The array must be large enough for encoded number - use mp_unsigned_bin_size
+ * to calculate the number of bytes required.
+ *
+ * a    SP integer.
+ * out  Array to put encoding into.
+ * returns MP_OKAY always.
+ */
+int sp_to_unsigned_bin(sp_int* a, byte* out)
+{
+    int i, j, b;
+    sp_int_digit d;
+
+    j = sp_unsigned_bin_size(a) - 1;
+    for (i=0; j>=0; i++) {
+        d = a->dp[i];
+        for (b = 0; b < SP_WORD_SIZE / 8; b++) {
+            out[j] = d;
+            if (--j < 0) {
+                break;
+            }
+            d >>= 8;
+        }
+    }
+
+    return MP_OKAY;
+}
+#endif
+
+/* Convert the big number to an array of bytes in big-endian format.
+ * The array must be large enough for encoded number - use mp_unsigned_bin_size
+ * to calculate the number of bytes required.
+ * Front-pads the output array with zeros make number the size of the array.
+ *
+ * a      SP integer.
+ * out    Array to put encoding into.
+ * outSz  Size of the array.
+ * returns MP_OKAY always.
+ */
+int sp_to_unsigned_bin_len(sp_int* a, byte* out, int outSz)
+{
+    int i, j, b;
+
+    j = outSz - 1;
+    for (i=0; j>=0; i++) {
+        for (b = 0; b < SP_WORD_SIZE; b += 8) {
+            out[j--] = a->dp[i] >> b;
+            if (j < 0)
+                break;
+        }
+    }
+
+    return MP_OKAY;
+}
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
+/* Ensure the data in the big number is zeroed.
+ *
+ * a  SP integer.
+ */
+void sp_forcezero(sp_int* a)
+{
+    ForceZero(a->dp, a->used * sizeof(sp_int_digit));
+    a->used = 0;
+}
+#endif
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
+/* Copy value of big number a into r.
+ *
+ * a  SP integer.
+ * r  SP integer.
+ * returns MP_OKAY always.
+ */
+int sp_copy(sp_int* a, sp_int* r)
+{
+    if (a != r) {
+        XMEMCPY(r->dp, a->dp, a->used * sizeof(sp_int_digit));
+        r->used = a->used;
+    }
+    return MP_OKAY;
+}
+
+/* creates "a" then copies b into it */
+int sp_init_copy (sp_int * a, sp_int * b)
+{
+  int err;
+  if ((err = sp_init(a)) == MP_OKAY) {
+      if((err = sp_copy (b, a)) != MP_OKAY) {
+          sp_clear(a);
+      }
+  }
+  return err;
+}
+#endif
+
+/* Set the big number to be the value of the digit.
+ *
+ * a  SP integer.
+ * d  Digit to be set.
+ * returns MP_OKAY always.
+ */
+int sp_set(sp_int* a, sp_int_digit d)
+{
+    if (d == 0) {
+      a->dp[0] = d;
+      a->used = 0;
+    }
+    else {
+      a->dp[0] = d;
+      a->used = 1;
+    }
+    return MP_OKAY;
+}
+
+/* Recalculate the number of digits used.
+ *
+ * a  SP integer.
+ */
+void sp_clamp(sp_int* a)
+{
+    int i;
+
+    for (i = a->used - 1; i >= 0 && a->dp[i] == 0; i--) {
+    }
+    a->used = i + 1;
+}
+
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || (!defined(NO_DH) || defined(HAVE_ECC))
+/* Grow big number to be able to hold l digits.
+ * This function does nothing as the number of digits is fixed.
+ *
+ * a  SP integer.
+ * l  Number of digits.
+ * returns MP_MEM if the number of digits requested is more than available and
+ * MP_OKAY otherwise.
+ */
+int sp_grow(sp_int* a, int l)
+{
+    int err = MP_OKAY;
+
+    if (l > a->size)
+        err = MP_MEM;
+
+    return err;
+}
+
+/* Sub a one digit number from the big number.
+ *
+ * a  SP integer.
+ * d  Digit to subtract.
+ * r  SP integer - result.
+ * returns MP_OKAY always.
+ */
+int sp_sub_d(sp_int* a, sp_int_digit d, sp_int* r)
+{
+    int i = 0;
+    sp_int_digit t;
+
+    r->used = a->used;
+    t = a->dp[0] - d;
+    if (t > a->dp[0]) {
+        for (++i; i < a->used; i++) {
+            r->dp[i] = a->dp[i] - 1;
+            if (r->dp[i] != (sp_int_digit)-1)
+               break;
+        }
+    }
+    r->dp[0] = t;
+    if (r != a) {
+        for (++i; i < a->used; i++)
+            r->dp[i] = a->dp[i];
+    }
+    sp_clamp(r);
+
+    return MP_OKAY;
+}
+#endif
+
+/* Compare a one digit number with a big number.
+ *
+ * a  SP integer.
+ * d  Digit to compare with.
+ * returns MP_GT if a is greater than d, MP_LT if a is less than d and MP_EQ
+ * when a equals d.
+ */
+int sp_cmp_d(sp_int *a, sp_int_digit d)
+{
+    int ret = MP_EQ;
+
+    /* special case for zero*/
+    if (a->used == 0) {
+        if (d == 0)
+            ret = MP_EQ;
+        else
+            ret = MP_LT;
+    }
+    else if (a->used > 1)
+        ret = MP_GT;
+    else {
+        /* compare the only digit of a to d */
+        if (a->dp[0] > d)
+            ret = MP_GT;
+        else if (a->dp[0] < d)
+            ret = MP_LT;
+    }
+
+    return ret;
+}
+
+#if !defined(NO_DH) || defined(HAVE_ECC) || !defined(WOLFSSL_RSA_VERIFY_ONLY)
+/* Left shift the number by number of bits.
+ * Bits may be larger than the word size.
+ *
+ * a  SP integer.
+ * n  Number of bits to shift.
+ * returns MP_OKAY always.
+ */
+static int sp_lshb(sp_int* a, int n)
+{
+    int i;
+
+    if (n >= SP_WORD_SIZE) {
+        sp_lshd(a, n / SP_WORD_SIZE);
+        n %= SP_WORD_SIZE;
+    }
+
+    if (n != 0) {
+        a->dp[a->used] = 0;
+        for (i = a->used - 1; i >= 0; i--) {
+            a->dp[i+1] |= a->dp[i] >> (SP_WORD_SIZE - n);
+            a->dp[i] = a->dp[i] << n;
+        }
+        if (a->dp[a->used] != 0)
+            a->used++;
+    }
+
+    return MP_OKAY;
+}
+
+/* Subtract two large numbers into result: r = a - b
+ * a must be greater than b.
+ *
+ * a  SP integer.
+ * b  SP integer.
+ * r  SP integer.
+ * returns MP_OKAY always.
+ */
+int sp_sub(sp_int* a, sp_int* b, sp_int* r)
+{
+    int i;
+    sp_int_digit c = 0;
+    sp_int_digit t;
+
+    for (i = 0; i < a->used && i < b->used; i++) {
+        t = a->dp[i] - b->dp[i] - c;
+        if (c == 0)
+            c = t > a->dp[i];
+        else
+            c = t >= a->dp[i];
+        r->dp[i] = t;
+    }
+    for (; i < a->used; i++) {
+        r->dp[i] = a->dp[i] - c;
+        c &= (r->dp[i] == (sp_int_digit)-1);
+    }
+    r->used = i;
+    sp_clamp(r);
+
+    return MP_OKAY;
+}
+
+/* Shift a right by n bits into r: r = a >> n
+ *
+ * a    SP integer operand.
+ * n    Number of bits to shift.
+ * r    SP integer result.
+ */
+void sp_rshb(sp_int* a, int n, sp_int* r)
+{
+    int i;
+    int j;
+
+    for (i = n / SP_WORD_SIZE, j = 0; i < a->used-1; i++, j++)
+        r->dp[i] = (a->dp[j] >> n) | (a->dp[j+1] << (SP_WORD_SIZE - n));
+    r->dp[i] = a->dp[j] >> n;
+    r->used = j + 1;
+    sp_clamp(r);
+}
+
+/* Multiply a by digit n and put result into r shifting up o digits.
+ *   r = (a * n) << (o * SP_WORD_SIZE)
+ *
+ * a  SP integer to be multiplied.
+ * n  Number to multiply by.
+ * r  SP integer result.
+ * o  Number of digits to move result up by.
+ */
+static void _sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r, int o)
+{
+    int i;
+    sp_int_word t = 0;
+
+    for (i = 0; i < o; i++)
+        r->dp[i] = 0;
+
+    for (i = 0; i < a->used; i++) {
+        t += (sp_int_word)n * a->dp[i];
+        r->dp[i + o] = (sp_int_digit)t;
+        t >>= SP_WORD_SIZE;
+    }
+
+    r->dp[i+o] = (sp_int_digit)t;
+    r->used = i+o+1;
+    sp_clamp(r);
+}
+
+/* Divide a by d and return the quotient in r and the remainder in rem.
+ *   r = a / d; rem = a % d
+ *
+ * a    SP integer to be divided.
+ * d    SP integer to divide by.
+ * r    SP integer of quotient.
+ * rem  SP integer of remainder.
+ * returns MP_VAL when d is 0, MP_MEM when dynamic memory allocation fails and
+ *         MP_OKAY otherwise.
+ */
+static int sp_div(sp_int* a, sp_int* d, sp_int* r, sp_int* rem)
+{
+    int err = MP_OKAY;
+    int ret;
+    int done = 0;
+    int i;
+    int s;
+#ifndef WOLFSSL_SP_DIV_32
+    sp_int_word w = 0;
+#endif
+    sp_int_digit dt;
+    sp_int_digit t;
+#ifdef WOLFSSL_SMALL_STACK
+    sp_int* sa = NULL;
+    sp_int* sd;
+    sp_int* tr;
+    sp_int* trial;
+#else
+    sp_int sa[1];
+    sp_int sd[1];
+    sp_int tr[1];
+    sp_int trial[1];
+#endif
+
+    if (sp_iszero(d))
+        err = MP_VAL;
+
+    ret = sp_cmp(a, d);
+    if (ret == MP_LT) {
+        if (rem != NULL) {
+            sp_copy(a, rem);
+        }
+        if (r != NULL) {
+            sp_set(r, 0);
+        }
+        done = 1;
+    }
+    else if (ret == MP_EQ) {
+        if (rem != NULL) {
+            sp_set(rem, 0);
+        }
+        if (r != NULL) {
+            sp_set(r, 1);
+        }
+        done = 1;
+    }
+    else if (sp_count_bits(a) == sp_count_bits(d)) {
+        /* a is greater than d but same bit length */
+        if (rem != NULL) {
+            sp_sub(a, d, rem);
+        }
+        if (r != NULL) {
+            sp_set(r, 1);
+        }
+        done = 1;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (!done && err == MP_OKAY) {
+        sa = (sp_int*)XMALLOC(sizeof(sp_int) * 4, NULL, DYNAMIC_TYPE_BIGINT);
+        if (sa == NULL) {
+            err = MP_MEM;
+        }
+    }
+#endif
+
+    if (!done && err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        sd    = &sa[1];
+        tr    = &sa[2];
+        trial = &sa[3];
+#endif
+
+        sp_init(sa);
+        sp_init(sd);
+        sp_init(tr);
+        sp_init(trial);
+
+        s = sp_count_bits(d);
+        s = SP_WORD_SIZE - (s % SP_WORD_SIZE);
+        sp_copy(a, sa);
+        if (s != SP_WORD_SIZE) {
+            sp_lshb(sa, s);
+            sp_copy(d, sd);
+            sp_lshb(sd, s);
+            d = sd;
+        }
+
+        tr->used = sa->used - d->used + 1;
+        sp_clear(tr);
+        tr->used = sa->used - d->used + 1;
+        dt = d->dp[d->used-1];
+#ifndef WOLFSSL_SP_DIV_32
+        for (i = sa->used - 1; i >= d->used; ) {
+            if (sa->dp[i] > dt) {
+                t = (sp_int_digit)-1;
+            }
+            else {
+                w = ((sp_int_word)sa->dp[i] << SP_WORD_SIZE) | sa->dp[i-1];
+                w /= dt;
+                if (w > (sp_int_digit)-1) {
+                    t = (sp_int_digit)-1;
+                }
+                else {
+                    t = (sp_int_digit)w;
+                }
+            }
+
+            if (t > 0) {
+                _sp_mul_d(d, t, trial, i - d->used);
+                while (sp_cmp(trial, sa) == MP_GT) {
+                    t--;
+                    _sp_mul_d(d, t, trial, i - d->used);
+                }
+                sp_sub(sa, trial, sa);
+                tr->dp[i - d->used] += t;
+                if (tr->dp[i - d->used] < t)
+                    tr->dp[i + 1 - d->used]++;
+            }
+            i = sa->used - 1;
+        }
+#else
+     {
+        sp_int_digit div = (dt >> (SP_WORD_SIZE / 2)) + 1;
+        for (i = sa->used - 1; i >= d->used; ) {
+            t = sa->dp[i] / div;
+            if ((t > 0) && (t << (SP_WORD_SIZE / 2) == 0))
+                t = (sp_int_digit)-1;
+            t <<= SP_WORD_SIZE / 2;
+            if (t == 0) {
+               t = sa->dp[i] << (SP_WORD_SIZE / 2);
+               t += sa->dp[i-1] >> (SP_WORD_SIZE / 2);
+               t /= div;
+            }
+
+            if (t > 0) {
+                _sp_mul_d(d, t, trial, i - d->used);
+                while (sp_cmp(trial, sa) == MP_GT) {
+                    t--;
+                    _sp_mul_d(d, t, trial, i - d->used);
+                }
+                sp_sub(sa, trial, sa);
+                tr->dp[i - d->used] += t;
+                if (tr->dp[i - d->used] < t)
+                    tr->dp[i + 1 - d->used]++;
+            }
+            i = sa->used - 1;
+        }
+
+        while (sp_cmp(sa, d) != MP_LT) {
+            sp_sub(sa, d, sa);
+            sp_add_d(tr, 1, tr);
+        }
+    }
+#endif
+
+        sp_clamp(tr);
+
+        if (rem != NULL) {
+            if (s != SP_WORD_SIZE)
+                sp_rshb(sa, s, sa);
+            sp_copy(sa, rem);
+        }
+        if (r != NULL)
+            sp_copy(tr, r);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (sa != NULL)
+        XFREE(sa, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+    return err;
+}
+
+
+#ifndef FREESCALE_LTC_TFM
+/* Calculate the remainder of dividing a by m: r = a mod m.
+ *
+ * a  SP integer.
+ * m  SP integer.
+ * r  SP integer.
+ * returns MP_VAL when m is 0 and MP_OKAY otherwise.
+ */
+int sp_mod(sp_int* a, sp_int* m, sp_int* r)
+{
+    return sp_div(a, m, NULL, r);
+}
+#endif
+#endif
+
+/* Clear all data in the big number and sets value to zero.
+ *
+ * a  SP integer.
+ */
+void sp_zero(sp_int* a)
+{
+    XMEMSET(a->dp, 0, a->size * sizeof(*a->dp));
+    a->used = 0;
+}
+
+/* Add a one digit number to the big number.
+ *
+ * a  SP integer.
+ * d  Digit to add.
+ * r  SP integer - result.
+ * returns MP_OKAY always.
+ */
+int sp_add_d(sp_int* a, sp_int_digit d, sp_int* r)
+{
+    int i = 0;
+
+    r->used = a->used;
+    if (a->used == 0) {
+        r->used = 1;
+    }
+    r->dp[0] = a->dp[0] + d;
+    if (r->dp[i] < a->dp[i]) {
+        for (; i < a->used; i++) {
+            r->dp[i] = a->dp[i] + 1;
+            if (r->dp[i] != 0)
+               break;
+        }
+
+        if (i == a->used) {
+            r->used++;
+            r->dp[i] = 1;
+        }
+    }
+    for (; i < a->used; i++)
+        r->dp[i] = a->dp[i];
+
+    return MP_OKAY;
+}
+
+#if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \
+    !defined(WOLFSSL_RSA_VERIFY_ONLY)
+/* Left shift the big number by a number of digits.
+ * WIll chop off digits overflowing maximum size.
+ *
+ * a  SP integer.
+ * s  Number of digits to shift.
+ * returns MP_OKAY always.
+ */
+int sp_lshd(sp_int* a, int s)
+{
+    if (a->used + s > a->size)
+        a->used = a->size - s;
+
+    XMEMMOVE(a->dp + s, a->dp, a->used * sizeof(sp_int_digit));
+    a->used += s;
+    XMEMSET(a->dp, 0, s * sizeof(sp_int_digit));
+    sp_clamp(a);
+
+    return MP_OKAY;
+}
+#endif
+
+#if !defined(NO_PWDBASED) || defined(WOLFSSL_KEY_GEN) || !defined(NO_DH)
+/* Add two large numbers into result: r = a + b
+ *
+ * a  SP integer.
+ * b  SP integer.
+ * r  SP integer.
+ * returns MP_OKAY always.
+ */
+int sp_add(sp_int* a, sp_int* b, sp_int* r)
+{
+    int i;
+    sp_int_digit c = 0;
+    sp_int_digit t;
+
+    for (i = 0; i < a->used && i < b->used; i++) {
+        t = a->dp[i] + b->dp[i] + c;
+        if (c == 0)
+            c = t < a->dp[i];
+        else
+            c = t <= a->dp[i];
+        r->dp[i] = t;
+    }
+    for (; i < a->used; i++) {
+        r->dp[i] = a->dp[i] + c;
+        c = (a->dp[i] != 0) && (r->dp[i] == 0);
+    }
+    for (; i < b->used; i++) {
+        r->dp[i] = b->dp[i] + c;
+        c = (b->dp[i] != 0) && (r->dp[i] == 0);
+    }
+    r->dp[i] = c;
+    r->used = (int)(i + c);
+
+    return MP_OKAY;
+}
+#endif /* !NO_PWDBASED || WOLFSSL_KEY_GEN || !NO_DH */
+
+#ifndef NO_RSA
+/* Set a number into the big number.
+ *
+ * a  SP integer.
+ * b  Value to set.
+ * returns MP_OKAY always.
+ */
+int sp_set_int(sp_int* a, unsigned long b)
+{
+    if (b == 0) {
+        a->used = 0;
+        a->dp[0] = 0;
+    }
+    else {
+        a->used = 1;
+        a->dp[0] = (sp_int_digit)b;
+    }
+
+    return MP_OKAY;
+}
+#endif /* !NO_RSA */
+
+#ifdef WC_MP_TO_RADIX
+/* Hex string characters. */
+static const char sp_hex_char[16] = {
+    '0', '1', '2', '3', '4', '5', '6', '7',
+    '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
+};
+
+/* Put the hex string version, big-endian, of a in str.
+ *
+ * a    SP integer.
+ * str  Hex string is stored here.
+ * returns MP_OKAY always.
+ */
+int sp_tohex(sp_int* a, char* str)
+{
+    int i, j;
+
+    /* quick out if its zero */
+    if (sp_iszero(a) == MP_YES) {
+        *str++ = '0';
+        *str = '\0';
+    }
+    else {
+        i = a->used - 1;
+        for (j = SP_WORD_SIZE - 4; j >= 0; j -= 4) {
+            if (((a->dp[i] >> j) & 0xf) != 0)
+                break;
+        }
+        for (; j >= 0; j -= 4)
+            *(str++) = sp_hex_char[(a->dp[i] >> j) & 0xf];
+        for (--i; i >= 0; i--) {
+            for (j = SP_WORD_SIZE - 4; j >= 0; j -= 4)
+                *(str++) = sp_hex_char[(a->dp[i] >> j) & 0xf];
+        }
+        *str = '\0';
+    }
+
+    return MP_OKAY;
+}
+#endif /* WC_MP_TO_RADIX */
+
+#if defined(WOLFSSL_KEY_GEN) || !defined(NO_DH) && !defined(WC_NO_RNG)
+/* Set a bit of a: a |= 1 << i
+ * The field 'used' is updated in a.
+ *
+ * a  SP integer to modify.
+ * i  Index of bit to set.
+ * returns MP_OKAY always.
+ */
+int sp_set_bit(sp_int* a, int i)
+{
+    int ret = MP_OKAY;
+
+    if ((a == NULL) ||  (i / SP_WORD_SIZE >= SP_INT_DIGITS)) {
+        ret = BAD_FUNC_ARG;
+    }
+    else {
+        a->dp[i/SP_WORD_SIZE] |= (sp_int_digit)1 << (i % SP_WORD_SIZE);
+        if (a->used <= i / SP_WORD_SIZE)
+            a->used = (i / SP_WORD_SIZE) + 1;
+    }
+    return ret;
+}
+
+/* Exponentiate 2 to the power of e: a = 2^e
+ * This is done by setting the 'e'th bit.
+ *
+ * a  SP integer.
+ * e  Exponent.
+ * returns MP_OKAY always.
+ */
+int sp_2expt(sp_int* a, int e)
+{
+    sp_zero(a);
+    return sp_set_bit(a, e);
+}
+
+/* Generate a random prime for RSA only.
+ *
+ * r     SP integer
+ * len   Number of bytes to prime.
+ * rng   Random number generator.
+ * heap  Unused
+ * returns MP_OKAY on success and MP_VAL when length is not supported or random
+ *         number genrator fails.
+ */
+int sp_rand_prime(sp_int* r, int len, WC_RNG* rng, void* heap)
+{
+    static const int USE_BBS = 1;
+    int   err = 0, type;
+    int   isPrime = MP_NO;
+
+    (void)heap;
+
+    /* get type */
+    if (len < 0) {
+        type = USE_BBS;
+        len = -len;
+    }
+    else {
+        type = 0;
+    }
+
+#if defined(WOLFSSL_HAVE_SP_DH) && defined(WOLFSSL_KEY_GEN)
+    if (len == 32) {
+    }
+    else
+#endif
+    /* Generate RSA primes that are half the modulus length. */
+#ifndef WOLFSSL_SP_NO_3072
+    if (len != 128 && len != 192)
+#else
+    if (len != 128)
+#endif
+    {
+        err = MP_VAL;
+    }
+
+    r->used = len / (SP_WORD_SIZE / 8);
+
+    /* Assume the candidate is probably prime and then test until
+     * it is proven composite. */
+    while (err == 0 && isPrime == MP_NO) {
+#ifdef SHOW_GEN
+        printf(".");
+        fflush(stdout);
+#endif
+        /* generate value */
+        err = wc_RNG_GenerateBlock(rng, (byte*)r->dp, len);
+        if (err != 0) {
+            err = MP_VAL;
+            break;
+        }
+
+        /* munge bits */
+        ((byte*)r->dp)[len-1] |= 0x80 | 0x40;
+        r->dp[0]              |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
+
+        /* test */
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8 */
+        sp_prime_is_prime_ex(r, 8, &isPrime, rng);
+    }
+
+    return err;
+}
+
+/* Multiply a by b and store in r: r = a * b
+ *
+ * a  SP integer to multiply.
+ * b  SP integer to multiply.
+ * r  SP integer result.
+ * returns MP_OKAY always.
+ */
+int sp_mul(sp_int* a, sp_int* b, sp_int* r)
+{
+    int err = MP_OKAY;
+    int i;
+#ifdef WOLFSSL_SMALL_STACK
+    sp_int* t = NULL;
+    sp_int* tr;
+#else
+    sp_int t[1];
+    sp_int tr[1];
+#endif
+
+    if (a->used + b->used > SP_INT_DIGITS)
+        err = MP_VAL;
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        t = (sp_int*)XMALLOC(sizeof(sp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
+        if (t == NULL)
+            err = MP_MEM;
+        else
+            tr = &t[1];
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        sp_init(t);
+        sp_init(tr);
+
+        for (i = 0; i < b->used; i++) {
+            _sp_mul_d(a, b->dp[i], t, i);
+            sp_add(tr, t, tr);
+        }
+        sp_copy(tr, r);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+    return err;
+}
+
+/* Square a mod m and store in r: r = (a * a) mod m
+ *
+ * a  SP integer to square.
+ * m  SP integer modulus.
+ * r  SP integer result.
+ * returns MP_VAL when m is 0, MP_MEM when dynamic memory allocation fails,
+ *         BAD_FUNC_ARG when a is to big and MP_OKAY otherwise.
+ */
+static int sp_sqrmod(sp_int* a, sp_int* m, sp_int* r)
+{
+    int err = MP_OKAY;
+
+    if (a->used * 2 > SP_INT_DIGITS)
+        err = MP_VAL;
+
+    if (err == MP_OKAY)
+        err = sp_mul(a, a, r);
+    if (err == MP_OKAY)
+        err = sp_mod(r, m, r);
+
+    return err;
+}
+
+#if defined(WOLFSSL_HAVE_SP_DH) || defined(WOLFSSL_KEY_GEN)
+/* Multiply a by b mod m and store in r: r = (a * b) mod m
+ *
+ * a  SP integer to multiply.
+ * b  SP integer to multiply.
+ * m  SP integer modulus.
+ * r  SP integer result.
+ * returns MP_VAL when m is 0, MP_MEM when dynamic memory allocation fails and
+ *         MP_OKAY otherwise.
+ */
+int sp_mulmod(sp_int* a, sp_int* b, sp_int* m, sp_int* r)
+{
+    int err = MP_OKAY;
+#ifdef WOLFSSL_SMALL_STACK
+    sp_int* t = NULL;
+#else
+    sp_int t[1];
+#endif
+
+    if (a->used + b->used > SP_INT_DIGITS)
+        err = MP_VAL;
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY) {
+        t = (sp_int*)XMALLOC(sizeof(sp_int), NULL, DYNAMIC_TYPE_BIGINT);
+        if (t == NULL) {
+            err = MP_MEM;
+        }
+    }
+#endif
+    if (err == MP_OKAY) {
+        err = sp_mul(a, b, t);
+    }
+    if (err == MP_OKAY) {
+        err = sp_mod(t, m, r);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return err;
+}
+#endif
+
+/* Calculate a modulo the digit d into r: r = a mod d
+ *
+ * a  SP integer to square.
+ * d  SP integer digit, modulus.
+ * r  SP integer digit, result.
+ * returns MP_VAL when d is 0 and MP_OKAY otherwise.
+ */
+static int sp_mod_d(sp_int* a, const sp_int_digit d, sp_int_digit* r)
+{
+    int err = MP_OKAY;
+    int i;
+    sp_int_word w = 0;
+    sp_int_digit t;
+
+    if (d == 0)
+        err = MP_VAL;
+
+    if (err == MP_OKAY) {
+        for (i = a->used - 1; i >= 0; i--) {
+            w = (w << SP_WORD_SIZE) | a->dp[i];
+            t = (sp_int_digit)(w / d);
+            w -= (sp_int_word)t * d;
+        }
+
+        *r = (sp_int_digit)w;
+    }
+
+    return err;
+}
+
+/* Calculates the Greatest Common Denominator (GCD) of a and b into r.
+ *
+ * a  SP integer operand.
+ * b  SP integer operand.
+ * r  SP integer result.
+ * returns MP_MEM when dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_gcd(sp_int* a, sp_int* b, sp_int* r)
+{
+    int err = MP_OKAY;
+#ifdef WOLFSSL_SMALL_STACK
+    sp_int* u = NULL;
+    sp_int* v;
+    sp_int* t;
+#else
+    sp_int u[1], v[1], t[1];
+#endif
+
+    if (sp_iszero(a))
+        sp_copy(b, r);
+    else if (sp_iszero(b))
+        sp_copy(a, r);
+    else {
+#ifdef WOLFSSL_SMALL_STACK
+        u = (sp_int*)XMALLOC(sizeof(sp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
+        if (u == NULL)
+            err = MP_MEM;
+        else {
+            v = &u[1];
+            t = &u[2];
+        }
+#endif
+
+        if (err == MP_OKAY) {
+            sp_init(u);
+            sp_init(v);
+            sp_init(t);
+
+            if (sp_cmp(a, b) != MP_LT) {
+                sp_copy(b, u);
+                /* First iteration - u = a, v = b */
+                if (b->used == 1) {
+                    err = sp_mod_d(a, b->dp[0], &v->dp[0]);
+                    if (err == MP_OKAY)
+                        v->used = (v->dp[0] != 0);
+                }
+                else
+                    err = sp_mod(a, b, v);
+            }
+            else {
+                sp_copy(a, u);
+                /* First iteration - u = b, v = a */
+                if (a->used == 1) {
+                    err = sp_mod_d(b, a->dp[0], &v->dp[0]);
+                    if (err == MP_OKAY)
+                        v->used = (v->dp[0] != 0);
+                }
+                else
+                    err = sp_mod(b, a, v);
+            }
+        }
+
+        if (err == MP_OKAY) {
+            while (!sp_iszero(v)) {
+                if (v->used == 1) {
+                    sp_mod_d(u, v->dp[0], &t->dp[0]);
+                    t->used = (t->dp[0] != 0);
+                }
+                else
+                    sp_mod(u, v, t);
+                sp_copy(v, u);
+                sp_copy(t, v);
+            }
+            sp_copy(u, r);
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (u != NULL)
+        XFREE(u, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+    return err;
+}
+
+/* Divides a by 2 and stores in r: r = a >> 1
+ *
+ * a  SP integer to divide.
+ * r  SP integer result.
+ * returns MP_OKAY always.
+ */
+static int sp_div_2(sp_int* a, sp_int* r)
+{
+    int i;
+
+    for (i = 0; i < a->used-1; i++)
+        r->dp[i] = (a->dp[i] >> 1) | (a->dp[i+1] << (SP_WORD_SIZE - 1));
+    r->dp[i] = a->dp[i] >> 1;
+    r->used = i + 1;
+    sp_clamp(r);
+
+    return MP_OKAY;
+}
+
+
+/* Calculates the multiplicative inverse in the field.
+ *
+ * a  SP integer to invert.
+ * m  SP integer that is the modulus of the field.
+ * r  SP integer result.
+ * returns MP_VAL when a or m is 0, MP_MEM when dynamic memory allocation fails
+ *         and MP_OKAY otherwise.
+ */
+int sp_invmod(sp_int* a, sp_int* m, sp_int* r)
+{
+    int err = MP_OKAY;
+#ifdef WOLFSSL_SMALL_STACK
+    sp_int* u = NULL;
+    sp_int* v;
+    sp_int* b;
+    sp_int* c;
+#else
+    sp_int u[1], v[1], b[1], c[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    u = (sp_int*)XMALLOC(sizeof(sp_int) * 4, NULL, DYNAMIC_TYPE_BIGINT);
+    if (u == NULL) {
+        err = MP_MEM;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        v = &u[1];
+        b = &u[2];
+        c = &u[3];
+#endif
+        sp_init(v);
+
+        if (sp_cmp(a, m) != MP_LT) {
+            err = sp_mod(a, m, v);
+            a = v;
+        }
+    }
+
+    /* 0 != n*m + 1 (+ve m), r*a mod 0 is always 0 (never 1)  */
+    if ((err == MP_OKAY) && (sp_iszero(a) || sp_iszero(m))) {
+        err = MP_VAL;
+    }
+    /* r*2*x != n*2*y + 1  */
+    if ((err == MP_OKAY) && sp_iseven(a) && sp_iseven(m)) {
+        err = MP_VAL;
+    }
+
+    /* 1*1 = 0*m + 1  */
+    if ((err == MP_OKAY) && sp_isone(a)) {
+        sp_set(r, 1);
+    }
+    else if (err != MP_OKAY) {
+    }
+    else if (sp_iseven(m)) {
+        /* a^-1 mod m = m + (1 - m*(m^-1 % a)) / a
+         *            = m - (m*(m^-1 % a) - 1) / a
+         */
+        err = sp_invmod(m, a, r);
+        if (err == MP_OKAY) {
+            err = sp_mul(r, m, r);
+        }
+        if (err == MP_OKAY) {
+            sp_sub_d(r, 1, r);
+            sp_div(r, a, r, NULL);
+            sp_sub(m, r, r);
+        }
+    }
+    else {
+        if (err == MP_OKAY) {
+            sp_init(u);
+            sp_init(b);
+            sp_init(c);
+
+            sp_copy(m, u);
+            sp_copy(a, v);
+            sp_zero(b);
+            sp_set(c, 1);
+
+            while (!sp_isone(v) && !sp_iszero(u)) {
+                if (sp_iseven(u)) {
+                    sp_div_2(u, u);
+                    if (sp_isodd(b)) {
+                        sp_add(b, m, b);
+                    }
+                    sp_div_2(b, b);
+                }
+                else if (sp_iseven(v)) {
+                    sp_div_2(v, v);
+                    if (sp_isodd(c)) {
+                        sp_add(c, m, c);
+                    }
+                    sp_div_2(c, c);
+                }
+                else if (sp_cmp(u, v) != MP_LT) {
+                    sp_sub(u, v, u);
+                    if (sp_cmp(b, c) == MP_LT) {
+                        sp_add(b, m, b);
+                    }
+                    sp_sub(b, c, b);
+                }
+                else {
+                    sp_sub(v, u, v);
+                    if (sp_cmp(c, b) == MP_LT) {
+                        sp_add(c, m, c);
+                    }
+                    sp_sub(c, b, c);
+                }
+            }
+            if  (sp_iszero(u)) {
+                err = MP_VAL;
+            }
+            else {
+                sp_copy(c, r);
+            }
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (u != NULL) {
+        XFREE(u, NULL, DYNAMIC_TYPE_BIGINT);
+    }
+#endif
+
+    return err;
+}
+
+/* Calculates the Lowest Common Multiple (LCM) of a and b and stores in r.
+ *
+ * a  SP integer operand.
+ * b  SP integer operand.
+ * r  SP integer result.
+ * returns MP_MEM when dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_lcm(sp_int* a, sp_int* b, sp_int* r)
+{
+    int     err = MP_OKAY;
+#ifndef WOLFSSL_SMALL_STACK
+    sp_int  t[2];
+#else
+    sp_int  *t = NULL;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    t = (sp_int*)XMALLOC(sizeof(sp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
+    if (t == NULL) {
+        err = MP_MEM;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        sp_init(&t[0]);
+        sp_init(&t[1]);
+        err = sp_gcd(a, b, &t[0]);
+        if (err == MP_OKAY) {
+            if (sp_cmp(a, b) == MP_GT) {
+                err = sp_div(a, &t[0], &t[1], NULL);
+                if (err == MP_OKAY)
+                    err = sp_mul(b, &t[1], r);
+            }
+            else {
+                err = sp_div(b, &t[0], &t[1], NULL);
+                if (err == MP_OKAY)
+                    err = sp_mul(a, &t[1], r);
+            }
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return err;
+}
+
+/* Exponentiates b to the power of e modulo m into r: r = b ^ e mod m
+ *
+ * b  SP integer base.
+ * e  SP integer exponent.
+ * m  SP integer modulus.
+ * r  SP integer result.
+ * returns MP_VAL when m is not 1024, 2048, 1536 or 3072 bits and otherwise
+ *         MP_OKAY.
+ */
+int sp_exptmod(sp_int* b, sp_int* e, sp_int* m, sp_int* r)
+{
+    int err = MP_OKAY;
+    int done = 0;
+    int mBits = sp_count_bits(m);
+    int bBits = sp_count_bits(b);
+    int eBits = sp_count_bits(e);
+
+    if (sp_iszero(m)) {
+        err = MP_VAL;
+    }
+    else if (sp_isone(m)) {
+        sp_set(r, 0);
+        done = 1;
+    }
+    else if (sp_iszero(e)) {
+        sp_set(r, 1);
+        done = 1;
+    }
+    else if (sp_iszero(b)) {
+        sp_set(r, 0);
+        done = 1;
+    }
+    else if (m->used * 2 > SP_INT_DIGITS) {
+        err = BAD_FUNC_ARG;
+    }
+
+    if (!done && (err == MP_OKAY)) {
+#ifndef WOLFSSL_SP_NO_2048
+        if ((mBits == 1024) && sp_isodd(m) && (bBits <= 1024) &&
+            (eBits <= 1024)) {
+            err = sp_ModExp_1024(b, e, m, r);
+            done = 1;
+        }
+        else if ((mBits == 2048) && sp_isodd(m) && (bBits <= 2048) &&
+                 (eBits <= 2048)) {
+            err = sp_ModExp_2048(b, e, m, r);
+            done = 1;
+        }
+        else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+        if ((mBits == 1536) && sp_isodd(m) && (bBits <= 1536) &&
+            (eBits <= 1536)) {
+            err = sp_ModExp_1536(b, e, m, r);
+            done = 1;
+        }
+        else if ((mBits == 3072) && sp_isodd(m) && (bBits <= 3072) &&
+                 (eBits <= 3072)) {
+            err = sp_ModExp_3072(b, e, m, r);
+            done = 1;
+        }
+        else
+#endif
+#ifdef WOLFSSL_SP_NO_4096
+        if ((mBits == 4096) && sp_isodd(m) && (bBits <= 4096) &&
+            (eBits <= 4096)) {
+            err = sp_ModExp_4096(b, e, m, r);
+            done = 1;
+        }
+        else
+#endif
+        {
+        }
+    }
+#if defined(WOLFSSL_HAVE_SP_DH) && defined(WOLFSSL_KEY_GEN)
+    if (!done && (err == MP_OKAY)) {
+        int i;
+
+    #ifdef WOLFSSL_SMALL_STACK
+        sp_int* t = NULL;
+    #else
+        sp_int t[1];
+    #endif
+
+    #ifdef WOLFSSL_SMALL_STACK
+        if (!done && (err == MP_OKAY)) {
+            t = (sp_int*)XMALLOC(sizeof(sp_int), NULL, DYNAMIC_TYPE_BIGINT);
+            if (t == NULL) {
+                err = MP_MEM;
+            }
+        }
+    #endif
+        if (!done && (err == MP_OKAY)) {
+            sp_init(t);
+
+            if (sp_cmp(b, m) != MP_LT) {
+                err = sp_mod(b, m, t);
+                if (err == MP_OKAY && sp_iszero(t)) {
+                    sp_set(r, 0);
+                    done = 1;
+                }
+            }
+            else {
+                sp_copy(b, t);
+            }
+
+            if (!done && (err == MP_OKAY)) {
+                for (i = eBits-2; err == MP_OKAY && i >= 0; i--) {
+                     err = sp_sqrmod(t, m, t);
+                     if (err == MP_OKAY && (e->dp[i / SP_WORD_SIZE] >>
+                                                      (i % SP_WORD_SIZE)) & 1) {
+                         err = sp_mulmod(t, b, m, t);
+                     }
+                 }
+             }
+        }
+        if (!done && (err == MP_OKAY)) {
+            sp_copy(t, r);
+        }
+
+    #ifdef WOLFSSL_SMALL_STACK
+        if (t != NULL) {
+            XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+        }
+    #endif
+    }
+#else
+    if (!done && (err == MP_OKAY)) {
+        err = MP_VAL;
+    }
+#endif
+
+    (void)mBits;
+    (void)bBits;
+    (void)eBits;
+
+    return err;
+}
+
+
+/* Number of entries in array of number of least significant zero bits. */
+#define SP_LNZ_CNT      16
+/* Number of bits the array checks. */
+#define SP_LNZ_BITS     4
+/* Mask to apply to check with array. */
+#define SP_LNZ_MASK     0xf
+/* Number of least significant zero bits in first SP_LNZ_CNT numbers. */
+static const int lnz[SP_LNZ_CNT] = {
+   4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
+};
+
+/* Count the number of least significant zero bits.
+ *
+ * a  Number to check
+ * returns the count of least significant zero bits.
+ */
+static int sp_cnt_lsb(sp_int* a)
+{
+    int i, j;
+    int cnt = 0;
+    int bc = 0;
+
+    if (!sp_iszero(a)) {
+        for (i = 0; i < a->used && a->dp[i] == 0; i++, cnt += SP_WORD_SIZE) {
+        }
+
+        for (j = 0; j < SP_WORD_SIZE; j += SP_LNZ_BITS) {
+            bc = lnz[(a->dp[i] >> j) & SP_LNZ_MASK];
+            if (bc != 4) {
+                bc += cnt + j;
+                break;
+            }
+        }
+    }
+
+    return bc;
+}
+
+/* Miller-Rabin test of "a" to the base of "b" as described in
+ * HAC pp. 139 Algorithm 4.24
+ *
+ * Sets result to 0 if definitely composite or 1 if probably prime.
+ * Randomly the chance of error is no more than 1/4 and often
+ * very much lower.
+ *
+ * a       SP integer to check.
+ * b       SP integer small prime.
+ * result  Whether a is likely prime: MP_YES or MP_NO.
+ * n1      SP integer operand.
+ * y       SP integer operand.
+ * r       SP integer operand.
+ * returns MP_VAL when a is not 1024, 2048, 1536 or 3072 and MP_OKAY otherwise.
+ */
+static int sp_prime_miller_rabin_ex(sp_int * a, sp_int * b, int *result,
+  sp_int *n1, sp_int *y, sp_int *r)
+{
+    int s, j;
+    int err = MP_OKAY;
+
+    /* default */
+    *result = MP_NO;
+
+    /* ensure b > 1 */
+    if (sp_cmp_d(b, 1) == MP_GT) {
+        /* get n1 = a - 1 */
+        sp_copy(a, n1);
+        sp_sub_d(n1, 1, n1);
+        /* set 2**s * r = n1 */
+        sp_copy(n1, r);
+
+        /* count the number of least significant bits
+         * which are zero
+         */
+        s = sp_cnt_lsb(r);
+
+        /* now divide n - 1 by 2**s */
+        sp_rshb(r, s, r);
+
+        /* compute y = b**r mod a */
+        sp_zero(y);
+
+        err = sp_exptmod(b, r, a, y);
+
+        if (err == MP_OKAY) {
+            /* probably prime until shown otherwise */
+            *result = MP_YES;
+
+            /* if y != 1 and y != n1 do */
+            if (sp_cmp_d(y, 1) != MP_EQ && sp_cmp(y, n1) != MP_EQ) {
+                j = 1;
+                /* while j <= s-1 and y != n1 */
+                while ((j <= (s - 1)) && sp_cmp(y, n1) != MP_EQ) {
+                    sp_sqrmod(y, a, y);
+
+                    /* if y == 1 then composite */
+                    if (sp_cmp_d(y, 1) == MP_EQ) {
+                        *result = MP_NO;
+                        break;
+                    }
+                    ++j;
+                }
+
+                /* if y != n1 then composite */
+                if (*result == MP_YES && sp_cmp(y, n1) != MP_EQ)
+                    *result = MP_NO;
+            }
+        }
+    }
+
+    return err;
+}
+
+/* Miller-Rabin test of "a" to the base of "b" as described in
+ * HAC pp. 139 Algorithm 4.24
+ *
+ * Sets result to 0 if definitely composite or 1 if probably prime.
+ * Randomly the chance of error is no more than 1/4 and often
+ * very much lower.
+ *
+ * a       SP integer to check.
+ * b       SP integer small prime.
+ * result  Whether a is likely prime: MP_YES or MP_NO.
+ * returns MP_MEM when dynamic memory allocation fails, MP_VAL when a is not
+ *         1024, 2048, 1536 or 3072 and MP_OKAY otherwise.
+ */
+static int sp_prime_miller_rabin(sp_int * a, sp_int * b, int *result)
+{
+    int err = MP_OKAY;
+#ifndef WOLFSSL_SMALL_STACK
+    sp_int  n1[1], y[1], r[1];
+#else
+    sp_int *n1 = NULL, *y, *r;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    n1 = (sp_int*)XMALLOC(sizeof(sp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
+    if (n1 == NULL)
+        err = MP_MEM;
+    else {
+        y = &n1[1];
+        r = &n1[2];
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        sp_init(n1);
+        sp_init(y);
+        sp_init(r);
+
+        err = sp_prime_miller_rabin_ex(a, b, result, n1, y, r);
+
+        sp_clear(n1);
+        sp_clear(y);
+        sp_clear(r);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (n1 != NULL)
+        XFREE(n1, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+    return err;
+}
+
+/* Number of pre-computed primes. First n primes. */
+#define SP_PRIME_SIZE      256
+
+/* a few primes */
+static const sp_int_digit primes[SP_PRIME_SIZE] = {
+    0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
+    0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
+    0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
+    0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083,
+    0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD,
+    0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF,
+    0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107,
+    0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137,
+
+    0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167,
+    0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199,
+    0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9,
+    0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7,
+    0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239,
+    0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265,
+    0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293,
+    0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF,
+
+    0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301,
+    0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B,
+    0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371,
+    0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD,
+    0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5,
+    0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419,
+    0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449,
+    0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B,
+
+    0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7,
+    0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503,
+    0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529,
+    0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F,
+    0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3,
+    0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7,
+    0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623,
+    0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653
+};
+
+
+/* Check whether a is prime.
+ * Checks against a number of small primes and does t iterations of
+ * Miller-Rabin.
+ *
+ * a       SP integer to check.
+ * t       Number of iterations of Muller-Rabin to perform.
+ * result  MP_YES when prime.
+ *         MP_NO when not prime.
+ * returns MP_VAL when t is out of range, MP_MEM when dynamic memory allocation
+ *         fails and otherwise MP_OKAY.
+ */
+int sp_prime_is_prime(sp_int *a, int t, int* result)
+{
+    int         err = MP_OKAY;
+    int         i;
+    int         haveRes = 0;
+#ifndef WOLFSSL_SMALL_STACK
+    sp_int      b[1];
+#else
+    sp_int      *b = NULL;
+#endif
+    sp_int_digit d;
+
+    if (t <= 0 || t > SP_PRIME_SIZE) {
+        *result = MP_NO;
+        err = MP_VAL;
+    }
+
+    if (sp_isone(a)) {
+        *result = MP_NO;
+        return MP_OKAY;
+    }
+
+    if (err == MP_OKAY && a->used == 1) {
+        /* check against primes table */
+        for (i = 0; i < SP_PRIME_SIZE; i++) {
+            if (sp_cmp_d(a, primes[i]) == MP_EQ) {
+                *result = MP_YES;
+                haveRes = 1;
+                break;
+            }
+        }
+    }
+
+    if (err == MP_OKAY && !haveRes) {
+        /* do trial division */
+        for (i = 0; i < SP_PRIME_SIZE; i++) {
+            err = sp_mod_d(a, primes[i], &d);
+            if (err != MP_OKAY || d == 0) {
+                *result = MP_NO;
+                haveRes = 1;
+                break;
+            }
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY && !haveRes) {
+        b = (sp_int*)XMALLOC(sizeof(sp_int), NULL, DYNAMIC_TYPE_BIGINT);
+        if (b == NULL)
+            err = MP_MEM;
+    }
+#endif
+
+    if (err == MP_OKAY && !haveRes) {
+        /* now do 't' miller rabins */
+        sp_init(b);
+        for (i = 0; i < t; i++) {
+            sp_set(b, primes[i]);
+            err = sp_prime_miller_rabin(a, b, result);
+            if (err != MP_OKAY || *result == MP_NO)
+                break;
+        }
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+     if (b != NULL)
+         XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+     return err;
+}
+
+/* Check whether a is prime.
+ * Checks against a number of small primes and does t iterations of
+ * Miller-Rabin.
+ *
+ * a       SP integer to check.
+ * t       Number of iterations of Muller-Rabin to perform.
+ * result  MP_YES when prime.
+ *         MP_NO when not prime.
+ * rng     Random number generator.
+ * returns MP_VAL when t is out of range, MP_MEM when dynamic memory allocation
+ *         fails and otherwise MP_OKAY.
+ */
+int sp_prime_is_prime_ex(sp_int* a, int t, int* result, WC_RNG* rng)
+{
+    int err = MP_OKAY;
+    int ret = MP_YES;
+    int haveRes = 0;
+    int i;
+#ifndef WC_NO_RNG
+    #ifndef WOLFSSL_SMALL_STACK
+        sp_int b[1], c[1], n1[1], y[1], r[1];
+    #else
+        sp_int *b = NULL, *c = NULL, *n1 = NULL, *y = NULL, *r = NULL;
+    #endif
+    word32 baseSz;
+#endif
+
+    if (a == NULL || result == NULL || rng == NULL)
+        err = MP_VAL;
+
+    if (sp_isone(a)) {
+        *result = MP_NO;
+        return MP_OKAY;
+    }
+
+    if (err == MP_OKAY && a->used == 1) {
+        /* check against primes table */
+        for (i = 0; i < SP_PRIME_SIZE; i++) {
+            if (sp_cmp_d(a, primes[i]) == MP_EQ) {
+                ret = MP_YES;
+                haveRes = 1;
+                break;
+            }
+        }
+    }
+
+    if (err == MP_OKAY && !haveRes) {
+        sp_int_digit d;
+
+        /* do trial division */
+        for (i = 0; i < SP_PRIME_SIZE; i++) {
+            err = sp_mod_d(a, primes[i], &d);
+            if (err != MP_OKAY || d == 0) {
+                ret = MP_NO;
+                haveRes = 1;
+                break;
+            }
+        }
+    }
+
+#ifndef WC_NO_RNG
+    /* now do a miller rabin with up to t random numbers, this should
+     * give a (1/4)^t chance of a false prime. */
+    #ifdef WOLFSSL_SMALL_STACK
+    if (err == MP_OKAY && !haveRes) {
+        b = (sp_int*)XMALLOC(sizeof(sp_int) * 5, NULL, DYNAMIC_TYPE_BIGINT);
+        if (b == NULL) {
+            err = MP_MEM;
+        }
+        else {
+            c = &b[1]; n1 = &b[2]; y= &b[3]; r = &b[4];
+        }
+    }
+    #endif
+
+    if (err == MP_OKAY && !haveRes) {
+        sp_init(b);
+        sp_init(c);
+        sp_init(n1);
+        sp_init(y);
+        sp_init(r);
+
+        err = sp_sub_d(a, 2, c);
+    }
+
+    if (err == MP_OKAY && !haveRes) {
+        baseSz = (sp_count_bits(a) + 7) / 8;
+
+        while (t > 0) {
+            err = wc_RNG_GenerateBlock(rng, (byte*)b->dp, baseSz);
+            if (err != MP_OKAY)
+                break;
+            b->used = a->used;
+
+            if (sp_cmp_d(b, 2) != MP_GT || sp_cmp(b, c) != MP_LT)
+                continue;
+
+            err = sp_prime_miller_rabin_ex(a, b, &ret, n1, y, r);
+            if (err != MP_OKAY || ret == MP_NO)
+                break;
+
+            t--;
+        }
+
+        sp_clear(n1);
+        sp_clear(y);
+        sp_clear(r);
+        sp_clear(b);
+        sp_clear(c);
+    }
+
+    #ifdef WOLFSSL_SMALL_STACK
+    if (b != NULL)
+        XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+#else
+    (void)t;
+#endif /* !WC_NO_RNG */
+
+    *result = ret;
+    return err;
+}
+
+#ifndef NO_DH
+int sp_exch(sp_int* a, sp_int* b)
+{
+    int err = MP_OKAY;
+#ifndef WOLFSSL_SMALL_STACK
+    sp_int  t[1];
+#else
+    sp_int *t = NULL;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (sp_int*)XMALLOC(sizeof(sp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       err = MP_MEM;
+#endif
+
+    if (err == MP_OKAY) {
+        *t = *a;
+        *a = *b;
+        *b = *t;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (t != NULL)
+        XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return MP_OKAY;
+}
+#endif
+#endif
+
+#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
+/* Multiply a by digit n and put result into r. r = a * n
+ *
+ * a  SP integer to be multiplied.
+ * n  Number to multiply by.
+ * r  SP integer result.
+ * returns MP_OKAY always.
+ */
+int sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r)
+{
+    _sp_mul_d(a, n, r, 0);
+    return MP_OKAY;
+}
+#endif
+
+/* Returns the run time settings.
+ *
+ * returns the settings value.
+ */
+word32 CheckRunTimeSettings(void)
+{
+    return CTC_SETTINGS;
+}
+
+#endif /* WOLFSSL_SP_MATH */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64.c
new file mode 100644
index 000000000..3e49d2022
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64.c
@@ -0,0 +1,29555 @@
+/* sp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Implementation by Sean Parkinson. */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
+                                    defined(WOLFSSL_HAVE_SP_ECC)
+
+#ifdef RSA_LOW_MEM
+#ifndef WOLFSSL_SP_SMALL
+#define WOLFSSL_SP_SMALL
+#endif
+#endif
+
+#include <wolfssl/wolfcrypt/sp.h>
+
+#ifdef WOLFSSL_SP_X86_64_ASM
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+extern void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n);
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+extern void sp_2048_to_bin(sp_digit* r, byte* a);
+extern void sp_2048_mul_16(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_2048_sqr_16(sp_digit* r, const sp_digit* a);
+extern void sp_2048_mul_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_2048_sqr_avx2_16(sp_digit* r, const sp_digit* a);
+extern sp_digit sp_2048_add_16(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern sp_digit sp_2048_sub_in_place_32(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_2048_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_2048_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b);
+
+extern sp_digit sp_2048_dbl_16(sp_digit* r, const sp_digit* a);
+extern void sp_2048_sqr_32(sp_digit* r, const sp_digit* a);
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_2048_mul_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif /* HAVE_INTEL_AVX2 */
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_2048_sqr_avx2_32(sp_digit* r, const sp_digit* a);
+#endif /* HAVE_INTEL_AVX2 */
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+extern void sp_2048_mul_d_32(sp_digit* r, const sp_digit* a, sp_digit b);
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+extern sp_digit sp_2048_sub_in_place_16(sp_digit* a, const sp_digit* b);
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_16(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 16);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_16(r, m);
+}
+
+extern sp_digit sp_2048_cond_sub_16(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_2048_mont_reduce_16(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_16(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_16(r, a, b);
+    sp_2048_mont_reduce_16(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_16(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_16(r, a);
+    sp_2048_mont_reduce_16(r, m, mp);
+}
+
+extern sp_digit sp_2048_cond_sub_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_2048_mul_d_16(sp_digit* r, const sp_digit* a, sp_digit b);
+extern void sp_2048_mul_d_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_2048_word_16(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_16(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<16; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 16; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+extern int64_t sp_2048_cmp_16(const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_16(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[32], t2[17];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[15];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 16);
+    r1 = sp_2048_cmp_16(&t1[16], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_2048_cond_sub_avx2_16(&t1[16], &t1[16], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_2048_cond_sub_16(&t1[16], &t1[16], d, (sp_digit)0 - r1);
+    for (i=15; i>=0; i--) {
+        r1 = div_2048_word_16(t1[16 + i], t1[16 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_2048_mul_d_avx2_16(t2, d, r1);
+        else
+#endif
+            sp_2048_mul_d_16(t2, d, r1);
+        t1[16 + i] += sp_2048_sub_in_place_16(&t1[i], t2);
+        t1[16 + i] -= t2[16];
+        sp_2048_mask_16(t2, d, t1[16 + i]);
+        t1[16 + i] += sp_2048_add_16(&t1[i], &t1[i], t2);
+        sp_2048_mask_16(t2, d, t1[16 + i]);
+        t1[16 + i] += sp_2048_add_16(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_16(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_2048_cond_sub_avx2_16(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_2048_cond_sub_16(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_16(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_16(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_16(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][32];
+    sp_digit rt[32];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 32, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 32;
+        rt = td + 1024;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_16(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 16);
+        if (reduceA) {
+            err = sp_2048_mod_16(t[1] + 16, a, m);
+            if (err == MP_OKAY)
+                err = sp_2048_mod_16(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 16, a, sizeof(sp_digit) * 16);
+            err = sp_2048_mod_16(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_16(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_16(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_16(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_16(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_16(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_16(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_16(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_16(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_16(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_16(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_16(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_16(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_16(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_16(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_16(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_16(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_16(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_16(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_16(t[20], t[10], m, mp);
+        sp_2048_mont_mul_16(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_16(t[22], t[11], m, mp);
+        sp_2048_mont_mul_16(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_16(t[24], t[12], m, mp);
+        sp_2048_mont_mul_16(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_16(t[26], t[13], m, mp);
+        sp_2048_mont_mul_16(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_16(t[28], t[14], m, mp);
+        sp_2048_mont_mul_16(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_16(t[30], t[15], m, mp);
+        sp_2048_mont_mul_16(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 16);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_2048_sqr_16(rt, r);
+            sp_2048_mont_reduce_16(rt, m, mp);
+            sp_2048_sqr_16(r, rt);
+            sp_2048_mont_reduce_16(r, m, mp);
+            sp_2048_sqr_16(rt, r);
+            sp_2048_mont_reduce_16(rt, m, mp);
+            sp_2048_sqr_16(r, rt);
+            sp_2048_mont_reduce_16(r, m, mp);
+            sp_2048_sqr_16(rt, r);
+            sp_2048_mont_reduce_16(rt, m, mp);
+
+            sp_2048_mul_16(r, rt, t[y]);
+            sp_2048_mont_reduce_16(r, m, mp);
+        }
+
+        XMEMSET(&r[16], 0, sizeof(sp_digit) * 16);
+        sp_2048_mont_reduce_16(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_16(r, m) >= 0);
+        sp_2048_cond_sub_16(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+
+extern void sp_2048_mont_reduce_avx2_16(sp_digit* a, const sp_digit* m, sp_digit mp);
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_avx2_16(r, a, b);
+    sp_2048_mont_reduce_avx2_16(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_avx2_16(r, a);
+    sp_2048_mont_reduce_avx2_16(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][32];
+    sp_digit rt[32];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 32, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 32;
+        rt = td + 1024;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_16(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 16);
+        if (reduceA) {
+            err = sp_2048_mod_16(t[1] + 16, a, m);
+            if (err == MP_OKAY)
+                err = sp_2048_mod_16(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 16, a, sizeof(sp_digit) * 16);
+            err = sp_2048_mod_16(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_avx2_16(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_avx2_16(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_avx2_16(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_avx2_16(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_avx2_16(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_avx2_16(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_avx2_16(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_avx2_16(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_avx2_16(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_avx2_16(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[20], t[10], m, mp);
+        sp_2048_mont_mul_avx2_16(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[22], t[11], m, mp);
+        sp_2048_mont_mul_avx2_16(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[24], t[12], m, mp);
+        sp_2048_mont_mul_avx2_16(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[26], t[13], m, mp);
+        sp_2048_mont_mul_avx2_16(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[28], t[14], m, mp);
+        sp_2048_mont_mul_avx2_16(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_avx2_16(t[30], t[15], m, mp);
+        sp_2048_mont_mul_avx2_16(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 16);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_2048_sqr_avx2_16(rt, r);
+            sp_2048_mont_reduce_avx2_16(rt, m, mp);
+            sp_2048_sqr_avx2_16(r, rt);
+            sp_2048_mont_reduce_avx2_16(r, m, mp);
+            sp_2048_sqr_avx2_16(rt, r);
+            sp_2048_mont_reduce_avx2_16(rt, m, mp);
+            sp_2048_sqr_avx2_16(r, rt);
+            sp_2048_mont_reduce_avx2_16(r, m, mp);
+            sp_2048_sqr_avx2_16(rt, r);
+            sp_2048_mont_reduce_avx2_16(rt, m, mp);
+
+            sp_2048_mul_avx2_16(r, rt, t[y]);
+            sp_2048_mont_reduce_avx2_16(r, m, mp);
+        }
+
+        XMEMSET(&r[16], 0, sizeof(sp_digit) * 16);
+        sp_2048_mont_reduce_avx2_16(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_16(r, m) >= 0);
+        sp_2048_cond_sub_avx2_16(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 2048 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_2048_mont_norm_32(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 32);
+
+    /* r = 2^n mod m */
+    sp_2048_sub_in_place_32(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+extern sp_digit sp_2048_cond_sub_32(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_2048_mont_reduce_32(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_32(r, a, b);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_32(r, a);
+    sp_2048_mont_reduce_32(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+extern sp_digit sp_2048_cond_sub_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_2048_mul_d_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_2048_word_32(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_2048_mask_32(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<32; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 32; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+extern int64_t sp_2048_cmp_32(const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    r1 = sp_2048_cmp_32(&t1[32], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_2048_cond_sub_avx2_32(&t1[32], &t1[32], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_2048_cond_sub_32(&t1[32], &t1[32], d, (sp_digit)0 - r1);
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_2048_mul_d_avx2_32(t2, d, r1);
+        else
+#endif
+            sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+        sp_2048_mask_32(t2, d, t1[32 + i]);
+        t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_2048_cmp_32(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_2048_cond_sub_avx2_32(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_2048_cond_sub_32(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+extern sp_digit sp_2048_sub_32(sp_digit* r, const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_div_32_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[64], t2[33];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[31];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 32);
+    for (i = 31; i > 0; i--) {
+        if (t1[i + 32] != d[i])
+            break;
+    }
+    if (t1[i + 32] >= d[i]) {
+        sp_2048_sub_in_place_32(&t1[32], d);
+    }
+    for (i=31; i>=0; i--) {
+        r1 = div_2048_word_32(t1[32 + i], t1[32 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_2048_mul_d_avx2_32(t2, d, r1);
+        else
+#endif
+            sp_2048_mul_d_32(t2, d, r1);
+        t1[32 + i] += sp_2048_sub_in_place_32(&t1[i], t2);
+        t1[32 + i] -= t2[32];
+        if (t1[32 + i] != 0) {
+            t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], d);
+            if (t1[32 + i] != 0)
+                t1[32 + i] += sp_2048_add_32(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 31; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_2048_sub_32(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 32);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_2048_mod_32_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_2048_div_32_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+    sp_digit rt[64];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 64;
+        rt = td + 2048;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32);
+        if (reduceA) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY)
+                err = sp_2048_mod_32(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_2048_sqr_32(rt, r);
+            sp_2048_mont_reduce_32(rt, m, mp);
+            sp_2048_sqr_32(r, rt);
+            sp_2048_mont_reduce_32(r, m, mp);
+            sp_2048_sqr_32(rt, r);
+            sp_2048_mont_reduce_32(rt, m, mp);
+            sp_2048_sqr_32(r, rt);
+            sp_2048_mont_reduce_32(r, m, mp);
+            sp_2048_sqr_32(rt, r);
+            sp_2048_mont_reduce_32(rt, m, mp);
+
+            sp_2048_mul_32(r, rt, t[y]);
+            sp_2048_mont_reduce_32(r, m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+extern void sp_2048_mont_reduce_avx2_32(sp_digit* a, const sp_digit* m, sp_digit mp);
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_mul_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_2048_mul_avx2_32(r, a, b);
+    sp_2048_mont_reduce_avx2_32(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_2048_mont_sqr_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_2048_sqr_avx2_32(r, a);
+    sp_2048_mont_reduce_avx2_32(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][64];
+    sp_digit rt[64];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 64, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 64;
+        rt = td + 2048;
+#endif
+        norm = t[0];
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 32);
+        if (reduceA) {
+            err = sp_2048_mod_32(t[1] + 32, a, m);
+            if (err == MP_OKAY)
+                err = sp_2048_mod_32(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 32, a, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_mont_sqr_avx2_32(t[ 2], t[ 1], m, mp);
+        sp_2048_mont_mul_avx2_32(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[ 4], t[ 2], m, mp);
+        sp_2048_mont_mul_avx2_32(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[ 6], t[ 3], m, mp);
+        sp_2048_mont_mul_avx2_32(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[ 8], t[ 4], m, mp);
+        sp_2048_mont_mul_avx2_32(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[10], t[ 5], m, mp);
+        sp_2048_mont_mul_avx2_32(t[11], t[ 6], t[ 5], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[12], t[ 6], m, mp);
+        sp_2048_mont_mul_avx2_32(t[13], t[ 7], t[ 6], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[14], t[ 7], m, mp);
+        sp_2048_mont_mul_avx2_32(t[15], t[ 8], t[ 7], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[16], t[ 8], m, mp);
+        sp_2048_mont_mul_avx2_32(t[17], t[ 9], t[ 8], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[18], t[ 9], m, mp);
+        sp_2048_mont_mul_avx2_32(t[19], t[10], t[ 9], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[20], t[10], m, mp);
+        sp_2048_mont_mul_avx2_32(t[21], t[11], t[10], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[22], t[11], m, mp);
+        sp_2048_mont_mul_avx2_32(t[23], t[12], t[11], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[24], t[12], m, mp);
+        sp_2048_mont_mul_avx2_32(t[25], t[13], t[12], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[26], t[13], m, mp);
+        sp_2048_mont_mul_avx2_32(t[27], t[14], t[13], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[28], t[14], m, mp);
+        sp_2048_mont_mul_avx2_32(t[29], t[15], t[14], m, mp);
+        sp_2048_mont_sqr_avx2_32(t[30], t[15], m, mp);
+        sp_2048_mont_mul_avx2_32(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 32);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_2048_sqr_avx2_32(rt, r);
+            sp_2048_mont_reduce_avx2_32(rt, m, mp);
+            sp_2048_sqr_avx2_32(r, rt);
+            sp_2048_mont_reduce_avx2_32(r, m, mp);
+            sp_2048_sqr_avx2_32(rt, r);
+            sp_2048_mont_reduce_avx2_32(rt, m, mp);
+            sp_2048_sqr_avx2_32(r, rt);
+            sp_2048_mont_reduce_avx2_32(r, m, mp);
+            sp_2048_sqr_avx2_32(rt, r);
+            sp_2048_mont_reduce_avx2_32(rt, m, mp);
+
+            sp_2048_mul_avx2_32(r, rt, t[y]);
+            sp_2048_mont_reduce_avx2_32(r, m, mp);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_mont_reduce_avx2_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_avx2_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_2048(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[64], md[32], rd[64];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit *ah;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit  e = 0;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 256 ||
+                                                     mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 32 * 2;
+        m = r + 32 * 2;
+        ah = a + 32;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+    ah = a + 32;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(ah, 32, in, inLen);
+#if DIGIT_BIT >= 64
+        e = em->dp[0];
+#else
+        e = em->dp[0];
+        if (em->used > 1)
+            e |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+#endif
+        if (e == 0)
+            err = MP_EXPTMOD_E;
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(m, 32, mm);
+
+        if (e == 0x3) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                if (err == MP_OKAY) {
+                    sp_2048_sqr_avx2_32(r, ah);
+                    err = sp_2048_mod_32_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_2048_mul_avx2_32(r, ah, r);
+                    err = sp_2048_mod_32_cond(r, r, m);
+                }
+            }
+            else
+#endif
+            {
+                if (err == MP_OKAY) {
+                    sp_2048_sqr_32(r, ah);
+                    err = sp_2048_mod_32_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_2048_mul_32(r, ah, r);
+                    err = sp_2048_mod_32_cond(r, r, m);
+                }
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_2048_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 32);
+            err = sp_2048_mod_32_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=63; i>=0; i--) {
+                    if (e >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 32);
+#ifdef HAVE_INTEL_AVX2
+                if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                    for (i--; i>=0; i--) {
+                        sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_2048_mont_mul_avx2_32(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+                    sp_2048_mont_reduce_avx2_32(r, m, mp);
+                }
+                else
+#endif
+                {
+                    for (i--; i>=0; i--) {
+                        sp_2048_mont_sqr_32(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_2048_mont_mul_32(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+                    sp_2048_mont_reduce_32(r, m, mp);
+                }
+
+                for (i = 31; i > 0; i--) {
+                    if (r[i] != m[i])
+                        break;
+                }
+                if (r[i] >= m[i])
+                    sp_2048_sub_in_place_32(r, m);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit a[64], d[32], m[32];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+#endif
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 256U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 2048) {
+            err = MP_READ_E;
+        }
+        if (inLen > 256U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 2048) {
+            err = MP_READ_E;
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 4, NULL,
+                                                             DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        a = d + 32;
+        m = a + 64;
+#endif
+        r = a;
+
+        sp_2048_from_bin(a, 32, in, inLen);
+        sp_2048_from_mp(d, 32, dm);
+        sp_2048_from_mp(m, 32, mm);
+        err = sp_2048_mod_exp_32(r, a, d, 2048, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 32);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(d, 0, sizeof(sp_digit) * 32);
+#endif
+
+    return err;
+}
+
+#else
+extern sp_digit sp_2048_cond_add_16(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern sp_digit sp_2048_cond_add_avx2_16(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 256 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_2048(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[32 * 2];
+    sp_digit pd[16], qd[16], dpd[16];
+    sp_digit tmpad[32], tmpbd[32];
+#else
+    sp_digit* t = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    sp_digit c;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 256)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 256 || mp_count_bits(mm) != 2048))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 32 * 2;
+        q = p + 16;
+        qi = dq = dp = q + 16;
+        tmpa = qi + 16;
+        tmpb = tmpa + 32;
+
+        r = t + 32;
+    }
+#else
+    r = a = ad;
+    p = pd;
+    q = qd;
+    qi = dq = dp = dpd;
+    tmpa = tmpad;
+    tmpb = tmpbd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_2048_from_bin(a, 32, in, inLen);
+        sp_2048_from_mp(p, 16, pm);
+        sp_2048_from_mp(q, 16, qm);
+        sp_2048_from_mp(dp, 16, dpm);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_16(tmpa, a, dp, 1024, p, 1);
+        else
+#endif
+            err = sp_2048_mod_exp_16(tmpa, a, dp, 1024, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(dq, 16, dqm);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_16(tmpb, a, dq, 1024, q, 1);
+       else
+#endif
+            err = sp_2048_mod_exp_16(tmpb, a, dq, 1024, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_16(tmpa, tmpb);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            c += sp_2048_cond_add_avx2_16(tmpa, tmpa, p, c);
+            sp_2048_cond_add_avx2_16(tmpa, tmpa, p, c);
+        }
+        else
+#endif
+        {
+            c += sp_2048_cond_add_16(tmpa, tmpa, p, c);
+            sp_2048_cond_add_16(tmpa, tmpa, p, c);
+        }
+
+        sp_2048_from_mp(qi, 16, qim);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_2048_mul_avx2_16(tmpa, tmpa, qi);
+        }
+        else
+#endif
+        {
+            sp_2048_mul_16(tmpa, tmpa, qi);
+        }
+        err = sp_2048_mod_16(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_2048_mul_avx2_16(tmpa, q, tmpa);
+        }
+        else
+#endif
+        {
+            sp_2048_mul_16(tmpa, q, tmpa);
+        }
+        XMEMSET(&tmpb[16], 0, sizeof(sp_digit) * 16);
+        sp_2048_add_32(r, tmpb, tmpa);
+
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 16 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpad, 0, sizeof(tmpad));
+    XMEMSET(tmpbd, 0, sizeof(tmpbd));
+    XMEMSET(pd, 0, sizeof(pd));
+    XMEMSET(qd, 0, sizeof(qd));
+    XMEMSET(dpd, 0, sizeof(dpd));
+#endif
+
+    return err;
+}
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 32);
+        r->used = 32;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 32; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 32; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 2048 || expBits > 2048 ||
+                                                   mp_count_bits(mod) != 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_mp(e, 32, exp);
+        sp_2048_from_mp(m, 32, mod);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_32(r, b, e, expBits, m, 0);
+        else
+#endif
+            err = sp_2048_mod_exp_32(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifdef HAVE_FFDHE_2048
+extern void sp_2048_lshift_32(sp_digit* r, const sp_digit* a, int n);
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_avx2_32(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[64];
+    sp_digit td[33];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 97, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 64;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_2048_lshift_32(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+            sp_2048_mont_sqr_avx2_32(r, r, m, mp);
+
+            sp_2048_lshift_32(r, r, y);
+            sp_2048_mul_d_avx2_32(tmp, norm, r[32]);
+            r[32] = 0;
+            o = sp_2048_add_32(r, r, tmp);
+            sp_2048_cond_sub_avx2_32(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_mont_reduce_avx2_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_avx2_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_2048_mod_exp_2_32(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[64];
+    sp_digit td[33];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 97, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 64;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_2048_mont_setup(m, &mp);
+        sp_2048_mont_norm_32(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_2048_lshift_32(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+            sp_2048_mont_sqr_32(r, r, m, mp);
+
+            sp_2048_lshift_32(r, r, y);
+            sp_2048_mul_d_32(tmp, norm, r[32]);
+            r[32] = 0;
+            o = sp_2048_add_32(r, r, tmp);
+            sp_2048_cond_sub_32(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[32], 0, sizeof(sp_digit) * 32);
+        sp_2048_mont_reduce_32(r, m, mp);
+
+        mask = 0 - (sp_2048_cmp_32(r, m) >= 0);
+        sp_2048_cond_sub_32(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_2048 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 256 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_2048(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[64], e[32], m[32];
+    sp_digit* r = b;
+    word32 i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (mp_count_bits(base) > 2048 || expLen > 256 ||
+                                                   mp_count_bits(mod) != 2048) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 32, base);
+        sp_2048_from_bin(e, 32, exp, expLen);
+        sp_2048_from_mp(m, 32, mod);
+
+    #ifdef HAVE_FFDHE_2048
+        if (base->used == 1 && base->dp[0] == 2 && m[31] == (sp_digit)-1) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_2048_mod_exp_2_avx2_32(r, e, expLen * 8, m);
+            else
+#endif
+                err = sp_2048_mod_exp_2_32(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+        {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_2048_mod_exp_avx2_32(r, b, e, expLen * 8, m, 0);
+            else
+#endif
+                err = sp_2048_mod_exp_32(r, b, e, expLen * 8, m, 0);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_to_bin(r, out);
+        *outLen = 256;
+        for (i=0; i<256 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[32], e[16], m[16];
+    sp_digit* r = b;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1024 || expBits > 1024 ||
+                                                   mp_count_bits(mod) != 1024) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_2048_from_mp(b, 16, base);
+        sp_2048_from_mp(e, 16, exp);
+        sp_2048_from_mp(m, 16, mod);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_16(r, b, e, expBits, m, 0);
+        else
+#endif
+            err = sp_2048_mod_exp_16(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 16, 0, sizeof(*r) * 16);
+        err = sp_2048_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_2048 */
+
+#ifndef WOLFSSL_SP_NO_3072
+extern void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n);
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+extern void sp_3072_to_bin(sp_digit* r, byte* a);
+extern void sp_3072_mul_12(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_3072_sqr_12(sp_digit* r, const sp_digit* a);
+extern void sp_3072_mul_avx2_12(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_3072_sqr_avx2_12(sp_digit* r, const sp_digit* a);
+extern sp_digit sp_3072_add_12(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern sp_digit sp_3072_sub_in_place_24(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_3072_add_24(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_3072_mul_24(sp_digit* r, const sp_digit* a, const sp_digit* b);
+
+extern sp_digit sp_3072_dbl_12(sp_digit* r, const sp_digit* a);
+extern void sp_3072_sqr_24(sp_digit* r, const sp_digit* a);
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_3072_mul_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif /* HAVE_INTEL_AVX2 */
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_3072_sqr_avx2_24(sp_digit* r, const sp_digit* a);
+#endif /* HAVE_INTEL_AVX2 */
+
+extern sp_digit sp_3072_sub_in_place_48(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_3072_add_48(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_3072_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b);
+
+extern sp_digit sp_3072_dbl_24(sp_digit* r, const sp_digit* a);
+extern void sp_3072_sqr_48(sp_digit* r, const sp_digit* a);
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_3072_mul_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif /* HAVE_INTEL_AVX2 */
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_3072_sqr_avx2_48(sp_digit* r, const sp_digit* a);
+#endif /* HAVE_INTEL_AVX2 */
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+extern void sp_3072_mul_d_48(sp_digit* r, const sp_digit* a, sp_digit b);
+#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_24(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 24);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_24(r, m);
+}
+
+extern sp_digit sp_3072_cond_sub_24(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_3072_mont_reduce_24(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_24(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_24(r, a, b);
+    sp_3072_mont_reduce_24(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_24(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_24(r, a);
+    sp_3072_mont_reduce_24(r, m, mp);
+}
+
+extern sp_digit sp_3072_cond_sub_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_3072_mul_d_24(sp_digit* r, const sp_digit* a, sp_digit b);
+extern void sp_3072_mul_d_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_3072_word_24(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_24(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<24; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 24; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+extern int64_t sp_3072_cmp_24(const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_24(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[48], t2[25];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[23];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 24);
+    r1 = sp_3072_cmp_24(&t1[24], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_3072_cond_sub_avx2_24(&t1[24], &t1[24], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_3072_cond_sub_24(&t1[24], &t1[24], d, (sp_digit)0 - r1);
+    for (i=23; i>=0; i--) {
+        r1 = div_3072_word_24(t1[24 + i], t1[24 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_3072_mul_d_avx2_24(t2, d, r1);
+        else
+#endif
+            sp_3072_mul_d_24(t2, d, r1);
+        t1[24 + i] += sp_3072_sub_in_place_24(&t1[i], t2);
+        t1[24 + i] -= t2[24];
+        sp_3072_mask_24(t2, d, t1[24 + i]);
+        t1[24 + i] += sp_3072_add_24(&t1[i], &t1[i], t2);
+        sp_3072_mask_24(t2, d, t1[24 + i]);
+        t1[24 + i] += sp_3072_add_24(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_24(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_3072_cond_sub_avx2_24(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_3072_cond_sub_24(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_24(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_24(a, m, NULL, r);
+}
+
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_24(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][48];
+    sp_digit rt[48];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 48, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 48;
+        rt = td + 1536;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_24(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 24);
+        if (reduceA) {
+            err = sp_3072_mod_24(t[1] + 24, a, m);
+            if (err == MP_OKAY)
+                err = sp_3072_mod_24(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 24, a, sizeof(sp_digit) * 24);
+            err = sp_3072_mod_24(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_24(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_24(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_24(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_24(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_24(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_24(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_24(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_24(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_24(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_24(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_24(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_24(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_24(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_24(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_24(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_24(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_24(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_24(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_24(t[20], t[10], m, mp);
+        sp_3072_mont_mul_24(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_24(t[22], t[11], m, mp);
+        sp_3072_mont_mul_24(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_24(t[24], t[12], m, mp);
+        sp_3072_mont_mul_24(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_24(t[26], t[13], m, mp);
+        sp_3072_mont_mul_24(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_24(t[28], t[14], m, mp);
+        sp_3072_mont_mul_24(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_24(t[30], t[15], m, mp);
+        sp_3072_mont_mul_24(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 24);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_3072_sqr_24(rt, r);
+            sp_3072_mont_reduce_24(rt, m, mp);
+            sp_3072_sqr_24(r, rt);
+            sp_3072_mont_reduce_24(r, m, mp);
+            sp_3072_sqr_24(rt, r);
+            sp_3072_mont_reduce_24(rt, m, mp);
+            sp_3072_sqr_24(r, rt);
+            sp_3072_mont_reduce_24(r, m, mp);
+            sp_3072_sqr_24(rt, r);
+            sp_3072_mont_reduce_24(rt, m, mp);
+
+            sp_3072_mul_24(r, rt, t[y]);
+            sp_3072_mont_reduce_24(r, m, mp);
+        }
+
+        XMEMSET(&r[24], 0, sizeof(sp_digit) * 24);
+        sp_3072_mont_reduce_24(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_24(r, m) >= 0);
+        sp_3072_cond_sub_24(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+
+extern void sp_3072_mont_reduce_avx2_24(sp_digit* a, const sp_digit* m, sp_digit mp);
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_avx2_24(r, a, b);
+    sp_3072_mont_reduce_avx2_24(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_avx2_24(r, a);
+    sp_3072_mont_reduce_avx2_24(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][48];
+    sp_digit rt[48];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 48, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 48;
+        rt = td + 1536;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_24(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 24);
+        if (reduceA) {
+            err = sp_3072_mod_24(t[1] + 24, a, m);
+            if (err == MP_OKAY)
+                err = sp_3072_mod_24(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 24, a, sizeof(sp_digit) * 24);
+            err = sp_3072_mod_24(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_avx2_24(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_avx2_24(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_avx2_24(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_avx2_24(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_avx2_24(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_avx2_24(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_avx2_24(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_avx2_24(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_avx2_24(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_avx2_24(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[20], t[10], m, mp);
+        sp_3072_mont_mul_avx2_24(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[22], t[11], m, mp);
+        sp_3072_mont_mul_avx2_24(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[24], t[12], m, mp);
+        sp_3072_mont_mul_avx2_24(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[26], t[13], m, mp);
+        sp_3072_mont_mul_avx2_24(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[28], t[14], m, mp);
+        sp_3072_mont_mul_avx2_24(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_avx2_24(t[30], t[15], m, mp);
+        sp_3072_mont_mul_avx2_24(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 24);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_3072_sqr_avx2_24(rt, r);
+            sp_3072_mont_reduce_avx2_24(rt, m, mp);
+            sp_3072_sqr_avx2_24(r, rt);
+            sp_3072_mont_reduce_avx2_24(r, m, mp);
+            sp_3072_sqr_avx2_24(rt, r);
+            sp_3072_mont_reduce_avx2_24(rt, m, mp);
+            sp_3072_sqr_avx2_24(r, rt);
+            sp_3072_mont_reduce_avx2_24(r, m, mp);
+            sp_3072_sqr_avx2_24(rt, r);
+            sp_3072_mont_reduce_avx2_24(rt, m, mp);
+
+            sp_3072_mul_avx2_24(r, rt, t[y]);
+            sp_3072_mont_reduce_avx2_24(r, m, mp);
+        }
+
+        XMEMSET(&r[24], 0, sizeof(sp_digit) * 24);
+        sp_3072_mont_reduce_avx2_24(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_24(r, m) >= 0);
+        sp_3072_cond_sub_avx2_24(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+
+#endif /* (WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH) && !WOLFSSL_RSA_PUBLIC_ONLY */
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 3072 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_3072_mont_norm_48(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 48);
+
+    /* r = 2^n mod m */
+    sp_3072_sub_in_place_48(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+extern sp_digit sp_3072_cond_sub_48(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_3072_mont_reduce_48(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_48(r, a, b);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_48(r, a);
+    sp_3072_mont_reduce_48(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+extern sp_digit sp_3072_cond_sub_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_3072_mul_d_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_3072_word_48(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_3072_mask_48(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<48; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 48; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+extern int64_t sp_3072_cmp_48(const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    r1 = sp_3072_cmp_48(&t1[48], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_3072_cond_sub_avx2_48(&t1[48], &t1[48], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_3072_cond_sub_48(&t1[48], &t1[48], d, (sp_digit)0 - r1);
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_3072_mul_d_avx2_48(t2, d, r1);
+        else
+#endif
+            sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+        sp_3072_mask_48(t2, d, t1[48 + i]);
+        t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_3072_cmp_48(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_3072_cond_sub_avx2_48(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_3072_cond_sub_48(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+extern sp_digit sp_3072_sub_48(sp_digit* r, const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_div_48_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[96], t2[49];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[47];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 48);
+    for (i = 47; i > 0; i--) {
+        if (t1[i + 48] != d[i])
+            break;
+    }
+    if (t1[i + 48] >= d[i]) {
+        sp_3072_sub_in_place_48(&t1[48], d);
+    }
+    for (i=47; i>=0; i--) {
+        r1 = div_3072_word_48(t1[48 + i], t1[48 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_3072_mul_d_avx2_48(t2, d, r1);
+        else
+#endif
+            sp_3072_mul_d_48(t2, d, r1);
+        t1[48 + i] += sp_3072_sub_in_place_48(&t1[i], t2);
+        t1[48 + i] -= t2[48];
+        if (t1[48 + i] != 0) {
+            t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], d);
+            if (t1[48 + i] != 0)
+                t1[48 + i] += sp_3072_add_48(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 47; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_3072_sub_48(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 48);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_3072_mod_48_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_3072_div_48_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+    sp_digit rt[96];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 96;
+        rt = td + 3072;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48);
+        if (reduceA) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY)
+                err = sp_3072_mod_48(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_3072_sqr_48(rt, r);
+            sp_3072_mont_reduce_48(rt, m, mp);
+            sp_3072_sqr_48(r, rt);
+            sp_3072_mont_reduce_48(r, m, mp);
+            sp_3072_sqr_48(rt, r);
+            sp_3072_mont_reduce_48(rt, m, mp);
+            sp_3072_sqr_48(r, rt);
+            sp_3072_mont_reduce_48(r, m, mp);
+            sp_3072_sqr_48(rt, r);
+            sp_3072_mont_reduce_48(rt, m, mp);
+
+            sp_3072_mul_48(r, rt, t[y]);
+            sp_3072_mont_reduce_48(r, m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+extern void sp_3072_mont_reduce_avx2_48(sp_digit* a, const sp_digit* m, sp_digit mp);
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_mul_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_3072_mul_avx2_48(r, a, b);
+    sp_3072_mont_reduce_avx2_48(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_3072_mont_sqr_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_3072_sqr_avx2_48(r, a);
+    sp_3072_mont_reduce_avx2_48(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_avx2_48(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][96];
+    sp_digit rt[96];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 96, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 96;
+        rt = td + 3072;
+#endif
+        norm = t[0];
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 48);
+        if (reduceA) {
+            err = sp_3072_mod_48(t[1] + 48, a, m);
+            if (err == MP_OKAY)
+                err = sp_3072_mod_48(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 48, a, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_mont_sqr_avx2_48(t[ 2], t[ 1], m, mp);
+        sp_3072_mont_mul_avx2_48(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[ 4], t[ 2], m, mp);
+        sp_3072_mont_mul_avx2_48(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[ 6], t[ 3], m, mp);
+        sp_3072_mont_mul_avx2_48(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[ 8], t[ 4], m, mp);
+        sp_3072_mont_mul_avx2_48(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[10], t[ 5], m, mp);
+        sp_3072_mont_mul_avx2_48(t[11], t[ 6], t[ 5], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[12], t[ 6], m, mp);
+        sp_3072_mont_mul_avx2_48(t[13], t[ 7], t[ 6], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[14], t[ 7], m, mp);
+        sp_3072_mont_mul_avx2_48(t[15], t[ 8], t[ 7], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[16], t[ 8], m, mp);
+        sp_3072_mont_mul_avx2_48(t[17], t[ 9], t[ 8], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[18], t[ 9], m, mp);
+        sp_3072_mont_mul_avx2_48(t[19], t[10], t[ 9], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[20], t[10], m, mp);
+        sp_3072_mont_mul_avx2_48(t[21], t[11], t[10], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[22], t[11], m, mp);
+        sp_3072_mont_mul_avx2_48(t[23], t[12], t[11], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[24], t[12], m, mp);
+        sp_3072_mont_mul_avx2_48(t[25], t[13], t[12], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[26], t[13], m, mp);
+        sp_3072_mont_mul_avx2_48(t[27], t[14], t[13], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[28], t[14], m, mp);
+        sp_3072_mont_mul_avx2_48(t[29], t[15], t[14], m, mp);
+        sp_3072_mont_sqr_avx2_48(t[30], t[15], m, mp);
+        sp_3072_mont_mul_avx2_48(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 48);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_3072_sqr_avx2_48(rt, r);
+            sp_3072_mont_reduce_avx2_48(rt, m, mp);
+            sp_3072_sqr_avx2_48(r, rt);
+            sp_3072_mont_reduce_avx2_48(r, m, mp);
+            sp_3072_sqr_avx2_48(rt, r);
+            sp_3072_mont_reduce_avx2_48(rt, m, mp);
+            sp_3072_sqr_avx2_48(r, rt);
+            sp_3072_mont_reduce_avx2_48(r, m, mp);
+            sp_3072_sqr_avx2_48(rt, r);
+            sp_3072_mont_reduce_avx2_48(rt, m, mp);
+
+            sp_3072_mul_avx2_48(r, rt, t[y]);
+            sp_3072_mont_reduce_avx2_48(r, m, mp);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_mont_reduce_avx2_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_avx2_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_3072(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[96], md[48], rd[96];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit *ah;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit  e = 0;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 384 ||
+                                                     mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 48 * 2;
+        m = r + 48 * 2;
+        ah = a + 48;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+    ah = a + 48;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(ah, 48, in, inLen);
+#if DIGIT_BIT >= 64
+        e = em->dp[0];
+#else
+        e = em->dp[0];
+        if (em->used > 1)
+            e |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+#endif
+        if (e == 0)
+            err = MP_EXPTMOD_E;
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(m, 48, mm);
+
+        if (e == 0x3) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                if (err == MP_OKAY) {
+                    sp_3072_sqr_avx2_48(r, ah);
+                    err = sp_3072_mod_48_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_3072_mul_avx2_48(r, ah, r);
+                    err = sp_3072_mod_48_cond(r, r, m);
+                }
+            }
+            else
+#endif
+            {
+                if (err == MP_OKAY) {
+                    sp_3072_sqr_48(r, ah);
+                    err = sp_3072_mod_48_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_3072_mul_48(r, ah, r);
+                    err = sp_3072_mod_48_cond(r, r, m);
+                }
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_3072_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 48);
+            err = sp_3072_mod_48_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=63; i>=0; i--) {
+                    if (e >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 48);
+#ifdef HAVE_INTEL_AVX2
+                if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                    for (i--; i>=0; i--) {
+                        sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_3072_mont_mul_avx2_48(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+                    sp_3072_mont_reduce_avx2_48(r, m, mp);
+                }
+                else
+#endif
+                {
+                    for (i--; i>=0; i--) {
+                        sp_3072_mont_sqr_48(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_3072_mont_mul_48(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+                    sp_3072_mont_reduce_48(r, m, mp);
+                }
+
+                for (i = 47; i > 0; i--) {
+                    if (r[i] != m[i])
+                        break;
+                }
+                if (r[i] >= m[i])
+                    sp_3072_sub_in_place_48(r, m);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit a[96], d[48], m[48];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+#endif
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 384U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 3072) {
+            err = MP_READ_E;
+        }
+        if (inLen > 384U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 3072) {
+            err = MP_READ_E;
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 48 * 4, NULL,
+                                                             DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        a = d + 48;
+        m = a + 96;
+#endif
+        r = a;
+
+        sp_3072_from_bin(a, 48, in, inLen);
+        sp_3072_from_mp(d, 48, dm);
+        sp_3072_from_mp(m, 48, mm);
+        err = sp_3072_mod_exp_48(r, a, d, 3072, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 48);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(d, 0, sizeof(sp_digit) * 48);
+#endif
+
+    return err;
+}
+
+#else
+extern sp_digit sp_3072_cond_add_24(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern sp_digit sp_3072_cond_add_avx2_24(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 384 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_3072(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[48 * 2];
+    sp_digit pd[24], qd[24], dpd[24];
+    sp_digit tmpad[48], tmpbd[48];
+#else
+    sp_digit* t = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    sp_digit c;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 384)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 384 || mp_count_bits(mm) != 3072))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 24 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 48 * 2;
+        q = p + 24;
+        qi = dq = dp = q + 24;
+        tmpa = qi + 24;
+        tmpb = tmpa + 48;
+
+        r = t + 48;
+    }
+#else
+    r = a = ad;
+    p = pd;
+    q = qd;
+    qi = dq = dp = dpd;
+    tmpa = tmpad;
+    tmpb = tmpbd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_3072_from_bin(a, 48, in, inLen);
+        sp_3072_from_mp(p, 24, pm);
+        sp_3072_from_mp(q, 24, qm);
+        sp_3072_from_mp(dp, 24, dpm);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_3072_mod_exp_avx2_24(tmpa, a, dp, 1536, p, 1);
+        else
+#endif
+            err = sp_3072_mod_exp_24(tmpa, a, dp, 1536, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(dq, 24, dqm);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_3072_mod_exp_avx2_24(tmpb, a, dq, 1536, q, 1);
+       else
+#endif
+            err = sp_3072_mod_exp_24(tmpb, a, dq, 1536, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_3072_sub_in_place_24(tmpa, tmpb);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            c += sp_3072_cond_add_avx2_24(tmpa, tmpa, p, c);
+            sp_3072_cond_add_avx2_24(tmpa, tmpa, p, c);
+        }
+        else
+#endif
+        {
+            c += sp_3072_cond_add_24(tmpa, tmpa, p, c);
+            sp_3072_cond_add_24(tmpa, tmpa, p, c);
+        }
+
+        sp_3072_from_mp(qi, 24, qim);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_3072_mul_avx2_24(tmpa, tmpa, qi);
+        }
+        else
+#endif
+        {
+            sp_3072_mul_24(tmpa, tmpa, qi);
+        }
+        err = sp_3072_mod_24(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_3072_mul_avx2_24(tmpa, q, tmpa);
+        }
+        else
+#endif
+        {
+            sp_3072_mul_24(tmpa, q, tmpa);
+        }
+        XMEMSET(&tmpb[24], 0, sizeof(sp_digit) * 24);
+        sp_3072_add_48(r, tmpb, tmpa);
+
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 24 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpad, 0, sizeof(tmpad));
+    XMEMSET(tmpbd, 0, sizeof(tmpbd));
+    XMEMSET(pd, 0, sizeof(pd));
+    XMEMSET(qd, 0, sizeof(qd));
+    XMEMSET(dpd, 0, sizeof(dpd));
+#endif
+
+    return err;
+}
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 48);
+        r->used = 48;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 48; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 48; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 3072 || expBits > 3072 ||
+                                                   mp_count_bits(mod) != 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_mp(e, 48, exp);
+        sp_3072_from_mp(m, 48, mod);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_3072_mod_exp_avx2_48(r, b, e, expBits, m, 0);
+        else
+#endif
+            err = sp_3072_mod_exp_48(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifdef HAVE_FFDHE_3072
+extern void sp_3072_lshift_48(sp_digit* r, const sp_digit* a, int n);
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_avx2_48(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[96];
+    sp_digit td[49];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 145, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 96;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_3072_lshift_48(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+            sp_3072_mont_sqr_avx2_48(r, r, m, mp);
+
+            sp_3072_lshift_48(r, r, y);
+            sp_3072_mul_d_avx2_48(tmp, norm, r[48]);
+            r[48] = 0;
+            o = sp_3072_add_48(r, r, tmp);
+            sp_3072_cond_sub_avx2_48(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_mont_reduce_avx2_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_avx2_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_3072_mod_exp_2_48(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[96];
+    sp_digit td[49];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 145, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 96;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_3072_mont_setup(m, &mp);
+        sp_3072_mont_norm_48(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_3072_lshift_48(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+            sp_3072_mont_sqr_48(r, r, m, mp);
+
+            sp_3072_lshift_48(r, r, y);
+            sp_3072_mul_d_48(tmp, norm, r[48]);
+            r[48] = 0;
+            o = sp_3072_add_48(r, r, tmp);
+            sp_3072_cond_sub_48(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[48], 0, sizeof(sp_digit) * 48);
+        sp_3072_mont_reduce_48(r, m, mp);
+
+        mask = 0 - (sp_3072_cmp_48(r, m) >= 0);
+        sp_3072_cond_sub_48(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_3072 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 384 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_3072(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[96], e[48], m[48];
+    sp_digit* r = b;
+    word32 i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (mp_count_bits(base) > 3072 || expLen > 384 ||
+                                                   mp_count_bits(mod) != 3072) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 48, base);
+        sp_3072_from_bin(e, 48, exp, expLen);
+        sp_3072_from_mp(m, 48, mod);
+
+    #ifdef HAVE_FFDHE_3072
+        if (base->used == 1 && base->dp[0] == 2 && m[47] == (sp_digit)-1) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_3072_mod_exp_2_avx2_48(r, e, expLen * 8, m);
+            else
+#endif
+                err = sp_3072_mod_exp_2_48(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+        {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_3072_mod_exp_avx2_48(r, b, e, expLen * 8, m, 0);
+            else
+#endif
+                err = sp_3072_mod_exp_48(r, b, e, expLen * 8, m, 0);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_to_bin(r, out);
+        *outLen = 384;
+        for (i=0; i<384 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[48], e[24], m[24];
+    sp_digit* r = b;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 1536 || expBits > 1536 ||
+                                                   mp_count_bits(mod) != 1536) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_3072_from_mp(b, 24, base);
+        sp_3072_from_mp(e, 24, exp);
+        sp_3072_from_mp(m, 24, mod);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_3072_mod_exp_avx2_24(r, b, e, expBits, m, 0);
+        else
+#endif
+            err = sp_3072_mod_exp_24(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        XMEMSET(r + 24, 0, sizeof(*r) * 24);
+        err = sp_3072_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* !WOLFSSL_SP_NO_3072 */
+
+#ifdef WOLFSSL_SP_4096
+extern void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n);
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+extern void sp_4096_to_bin(sp_digit* r, byte* a);
+extern sp_digit sp_4096_sub_in_place_64(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_4096_add_64(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern void sp_4096_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b);
+
+extern sp_digit sp_2048_dbl_32(sp_digit* r, const sp_digit* a);
+extern void sp_4096_sqr_64(sp_digit* r, const sp_digit* a);
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_4096_mul_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif /* HAVE_INTEL_AVX2 */
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_4096_sqr_avx2_64(sp_digit* r, const sp_digit* a);
+#endif /* HAVE_INTEL_AVX2 */
+
+/* Caclulate the bottom digit of -1/a mod 2^n.
+ *
+ * a    A single precision number.
+ * rho  Bottom word of inverse.
+ */
+static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
+{
+    sp_digit x, b;
+
+    b = a[0];
+    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
+    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
+
+    /* rho = -1/m mod b */
+    *rho = -x;
+}
+
+extern void sp_4096_mul_d_64(sp_digit* r, const sp_digit* a, sp_digit b);
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+/* r = 2^n mod m where n is the number of bits to reduce by.
+ * Given m must be 4096 bits, just need to subtract.
+ *
+ * r  A single precision number.
+ * m  A single precision number.
+ */
+static void sp_4096_mont_norm_64(sp_digit* r, const sp_digit* m)
+{
+    XMEMSET(r, 0, sizeof(sp_digit) * 64);
+
+    /* r = 2^n mod m */
+    sp_4096_sub_in_place_64(r, m);
+}
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+extern sp_digit sp_4096_cond_sub_64(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_4096_mont_reduce_64(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_64(r, a, b);
+    sp_4096_mont_reduce_64(r, m, mp);
+}
+
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_64(r, a);
+    sp_4096_mont_reduce_64(r, m, mp);
+}
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+extern sp_digit sp_4096_cond_sub_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_4096_mul_d_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_4096_word_64(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_4096_mask_64(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<64; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    int i;
+
+    for (i = 0; i < 64; i += 8) {
+        r[i+0] = a[i+0] & m;
+        r[i+1] = a[i+1] & m;
+        r[i+2] = a[i+2] & m;
+        r[i+3] = a[i+3] & m;
+        r[i+4] = a[i+4] & m;
+        r[i+5] = a[i+5] & m;
+        r[i+6] = a[i+6] & m;
+        r[i+7] = a[i+7] & m;
+    }
+#endif
+}
+
+extern int64_t sp_4096_cmp_64(const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_64(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    r1 = sp_4096_cmp_64(&t1[64], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_4096_cond_sub_avx2_64(&t1[64], &t1[64], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_4096_cond_sub_64(&t1[64], &t1[64], d, (sp_digit)0 - r1);
+    for (i=63; i>=0; i--) {
+        r1 = div_4096_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_4096_mul_d_avx2_64(t2, d, r1);
+        else
+#endif
+            sp_4096_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_4096_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        sp_4096_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], t2);
+        sp_4096_mask_64(t2, d, t1[64 + i]);
+        t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_4096_cmp_64(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_4096_cond_sub_avx2_64(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_4096_cond_sub_64(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_64(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_64(a, m, NULL, r);
+}
+
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+extern sp_digit sp_4096_sub_64(sp_digit* r, const sp_digit* a, const sp_digit* b);
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_div_64_cond(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[128], t2[65];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[63];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 64);
+    for (i = 63; i > 0; i--) {
+        if (t1[i + 64] != d[i])
+            break;
+    }
+    if (t1[i + 64] >= d[i]) {
+        sp_4096_sub_in_place_64(&t1[64], d);
+    }
+    for (i=63; i>=0; i--) {
+        r1 = div_4096_word_64(t1[64 + i], t1[64 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_4096_mul_d_avx2_64(t2, d, r1);
+        else
+#endif
+            sp_4096_mul_d_64(t2, d, r1);
+        t1[64 + i] += sp_4096_sub_in_place_64(&t1[i], t2);
+        t1[64 + i] -= t2[64];
+        if (t1[64 + i] != 0) {
+            t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], d);
+            if (t1[64 + i] != 0)
+                t1[64 + i] += sp_4096_add_64(&t1[i], &t1[i], d);
+        }
+    }
+
+    for (i = 63; i > 0; i--) {
+        if (t1[i] != d[i])
+            break;
+    }
+    if (t1[i] >= d[i]) {
+        sp_4096_sub_64(r, t1, d);
+    }
+    else {
+        XMEMCPY(r, t1, sizeof(*t1) * 64);
+    }
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_4096_mod_64_cond(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_4096_div_64_cond(a, m, NULL, r);
+}
+
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+    sp_digit rt[128];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 128;
+        rt = td + 4096;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64);
+        if (reduceA) {
+            err = sp_4096_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY)
+                err = sp_4096_mod_64(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_64(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_64(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_64(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_64(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_64(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_64(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_64(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_64(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_64(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_64(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_64(t[20], t[10], m, mp);
+        sp_4096_mont_mul_64(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_64(t[22], t[11], m, mp);
+        sp_4096_mont_mul_64(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_64(t[24], t[12], m, mp);
+        sp_4096_mont_mul_64(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_64(t[26], t[13], m, mp);
+        sp_4096_mont_mul_64(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_64(t[28], t[14], m, mp);
+        sp_4096_mont_mul_64(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_64(t[30], t[15], m, mp);
+        sp_4096_mont_mul_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_4096_sqr_64(rt, r);
+            sp_4096_mont_reduce_64(rt, m, mp);
+            sp_4096_sqr_64(r, rt);
+            sp_4096_mont_reduce_64(r, m, mp);
+            sp_4096_sqr_64(rt, r);
+            sp_4096_mont_reduce_64(rt, m, mp);
+            sp_4096_sqr_64(r, rt);
+            sp_4096_mont_reduce_64(r, m, mp);
+            sp_4096_sqr_64(rt, r);
+            sp_4096_mont_reduce_64(rt, m, mp);
+
+            sp_4096_mul_64(r, rt, t[y]);
+            sp_4096_mont_reduce_64(r, m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+extern void sp_4096_mont_reduce_avx2_64(sp_digit* a, const sp_digit* m, sp_digit mp);
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_mul_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_4096_mul_avx2_64(r, a, b);
+    sp_4096_mont_reduce_avx2_64(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_4096_mont_sqr_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_4096_sqr_avx2_64(r, a);
+    sp_4096_mont_reduce_avx2_64(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate a to the e mod m. (r = a^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * a     A single precision number being exponentiated.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_avx2_64(sp_digit* r, const sp_digit* a, const sp_digit* e,
+        int bits, const sp_digit* m, int reduceA)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit t[32][128];
+    sp_digit rt[128];
+#else
+    sp_digit* t[32];
+    sp_digit* rt;
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit mp = 1;
+    sp_digit n;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 33 * 128, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        for (i=0; i<32; i++)
+            t[i] = td + i * 128;
+        rt = td + 4096;
+#endif
+        norm = t[0];
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        XMEMSET(t[1], 0, sizeof(sp_digit) * 64);
+        if (reduceA) {
+            err = sp_4096_mod_64(t[1] + 64, a, m);
+            if (err == MP_OKAY)
+                err = sp_4096_mod_64(t[1], t[1], m);
+        }
+        else {
+            XMEMCPY(t[1] + 64, a, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64(t[1], t[1], m);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_mont_sqr_avx2_64(t[ 2], t[ 1], m, mp);
+        sp_4096_mont_mul_avx2_64(t[ 3], t[ 2], t[ 1], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[ 4], t[ 2], m, mp);
+        sp_4096_mont_mul_avx2_64(t[ 5], t[ 3], t[ 2], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[ 6], t[ 3], m, mp);
+        sp_4096_mont_mul_avx2_64(t[ 7], t[ 4], t[ 3], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[ 8], t[ 4], m, mp);
+        sp_4096_mont_mul_avx2_64(t[ 9], t[ 5], t[ 4], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[10], t[ 5], m, mp);
+        sp_4096_mont_mul_avx2_64(t[11], t[ 6], t[ 5], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[12], t[ 6], m, mp);
+        sp_4096_mont_mul_avx2_64(t[13], t[ 7], t[ 6], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[14], t[ 7], m, mp);
+        sp_4096_mont_mul_avx2_64(t[15], t[ 8], t[ 7], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[16], t[ 8], m, mp);
+        sp_4096_mont_mul_avx2_64(t[17], t[ 9], t[ 8], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[18], t[ 9], m, mp);
+        sp_4096_mont_mul_avx2_64(t[19], t[10], t[ 9], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[20], t[10], m, mp);
+        sp_4096_mont_mul_avx2_64(t[21], t[11], t[10], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[22], t[11], m, mp);
+        sp_4096_mont_mul_avx2_64(t[23], t[12], t[11], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[24], t[12], m, mp);
+        sp_4096_mont_mul_avx2_64(t[25], t[13], t[12], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[26], t[13], m, mp);
+        sp_4096_mont_mul_avx2_64(t[27], t[14], t[13], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[28], t[14], m, mp);
+        sp_4096_mont_mul_avx2_64(t[29], t[15], t[14], m, mp);
+        sp_4096_mont_sqr_avx2_64(t[30], t[15], m, mp);
+        sp_4096_mont_mul_avx2_64(t[31], t[16], t[15], m, mp);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 5) == 0) {
+            c -= 5;
+        }
+        else {
+            c -= bits % 5;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        XMEMCPY(r, t[y], sizeof(sp_digit) * 64);
+        for (; i>=0 || c>=5; ) {
+            if (c >= 5) {
+                y = (n >> 59) & 0x1f;
+                n <<= 5;
+                c -= 5;
+            }
+            else if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 59);
+                n <<= 5;
+                c = 59;
+            }
+            else {
+                y = (int)(n >> 59);
+                n = e[i--];
+                c = 5 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+
+            sp_4096_sqr_avx2_64(rt, r);
+            sp_4096_mont_reduce_avx2_64(rt, m, mp);
+            sp_4096_sqr_avx2_64(r, rt);
+            sp_4096_mont_reduce_avx2_64(r, m, mp);
+            sp_4096_sqr_avx2_64(rt, r);
+            sp_4096_mont_reduce_avx2_64(rt, m, mp);
+            sp_4096_sqr_avx2_64(r, rt);
+            sp_4096_mont_reduce_avx2_64(r, m, mp);
+            sp_4096_sqr_avx2_64(rt, r);
+            sp_4096_mont_reduce_avx2_64(rt, m, mp);
+
+            sp_4096_mul_avx2_64(r, rt, t[y]);
+            sp_4096_mont_reduce_avx2_64(r, m, mp);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_mont_reduce_avx2_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_avx2_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
+
+#ifdef WOLFSSL_HAVE_SP_RSA
+/* RSA public key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * em      Public exponent.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPublic_4096(const byte* in, word32 inLen, mp_int* em, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[128], md[64], rd[128];
+#else
+    sp_digit* d = NULL;
+#endif
+    sp_digit* a;
+    sp_digit *ah;
+    sp_digit* m;
+    sp_digit* r;
+    sp_digit  e = 0;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (mp_count_bits(em) > 64 || inLen > 512 ||
+                                                     mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 5, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (d == NULL)
+            err = MEMORY_E;
+    }
+
+    if (err == MP_OKAY) {
+        a = d;
+        r = a + 64 * 2;
+        m = r + 64 * 2;
+        ah = a + 64;
+    }
+#else
+    a = ad;
+    m = md;
+    r = rd;
+    ah = a + 64;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(ah, 64, in, inLen);
+#if DIGIT_BIT >= 64
+        e = em->dp[0];
+#else
+        e = em->dp[0];
+        if (em->used > 1)
+            e |= ((sp_digit)em->dp[1]) << DIGIT_BIT;
+#endif
+        if (e == 0)
+            err = MP_EXPTMOD_E;
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(m, 64, mm);
+
+        if (e == 0x3) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                if (err == MP_OKAY) {
+                    sp_4096_sqr_avx2_64(r, ah);
+                    err = sp_4096_mod_64_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_4096_mul_avx2_64(r, ah, r);
+                    err = sp_4096_mod_64_cond(r, r, m);
+                }
+            }
+            else
+#endif
+            {
+                if (err == MP_OKAY) {
+                    sp_4096_sqr_64(r, ah);
+                    err = sp_4096_mod_64_cond(r, r, m);
+                }
+                if (err == MP_OKAY) {
+                    sp_4096_mul_64(r, ah, r);
+                    err = sp_4096_mod_64_cond(r, r, m);
+                }
+            }
+        }
+        else {
+            int i;
+            sp_digit mp;
+
+            sp_4096_mont_setup(m, &mp);
+
+            /* Convert to Montgomery form. */
+            XMEMSET(a, 0, sizeof(sp_digit) * 64);
+            err = sp_4096_mod_64_cond(a, a, m);
+
+            if (err == MP_OKAY) {
+                for (i=63; i>=0; i--) {
+                    if (e >> i) {
+                        break;
+                    }
+                }
+
+                XMEMCPY(r, a, sizeof(sp_digit) * 64);
+#ifdef HAVE_INTEL_AVX2
+                if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+                    for (i--; i>=0; i--) {
+                        sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_4096_mont_mul_avx2_64(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                    sp_4096_mont_reduce_avx2_64(r, m, mp);
+                }
+                else
+#endif
+                {
+                    for (i--; i>=0; i--) {
+                        sp_4096_mont_sqr_64(r, r, m, mp);
+                        if (((e >> i) & 1) == 1) {
+                            sp_4096_mont_mul_64(r, r, a, m, mp);
+                        }
+                    }
+                    XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+                    sp_4096_mont_reduce_64(r, m, mp);
+                }
+
+                for (i = 63; i > 0; i--) {
+                    if (r[i] != m[i])
+                        break;
+                }
+                if (r[i] >= m[i])
+                    sp_4096_sub_in_place_64(r, m);
+            }
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+#endif
+
+    return err;
+}
+
+#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if !defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)
+    sp_digit a[128], d[64], m[64];
+#else
+    sp_digit* d = NULL;
+    sp_digit* a;
+    sp_digit* m;
+#endif
+    sp_digit* r;
+    int err = MP_OKAY;
+
+    (void)pm;
+    (void)qm;
+    (void)dpm;
+    (void)dqm;
+    (void)qim;
+
+    if (*outLen < 512U) {
+        err = MP_TO_E;
+    }
+    if (err == MP_OKAY) {
+        if (mp_count_bits(dm) > 4096) {
+            err = MP_READ_E;
+        }
+        if (inLen > 512U) {
+            err = MP_READ_E;
+        }
+        if (mp_count_bits(mm) != 4096) {
+            err = MP_READ_E;
+        }
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 64 * 4, NULL,
+                                                             DYNAMIC_TYPE_RSA);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+        a = d + 64;
+        m = a + 128;
+#endif
+        r = a;
+
+        sp_4096_from_bin(a, 64, in, inLen);
+        sp_4096_from_mp(d, 64, dm);
+        sp_4096_from_mp(m, 64, mm);
+        err = sp_4096_mod_exp_64(r, a, d, 4096, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 64);
+        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(d, 0, sizeof(sp_digit) * 64);
+#endif
+
+    return err;
+}
+
+#else
+extern sp_digit sp_4096_cond_add_32(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern sp_digit sp_4096_cond_add_avx2_32(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+/* RSA private key operation.
+ *
+ * in      Array of bytes representing the number to exponentiate, base.
+ * inLen   Number of bytes in base.
+ * dm      Private exponent.
+ * pm      First prime.
+ * qm      Second prime.
+ * dpm     First prime's CRT exponent.
+ * dqm     Second prime's CRT exponent.
+ * qim     Inverse of second prime mod p.
+ * mm      Modulus.
+ * out     Buffer to hold big-endian bytes of exponentiation result.
+ *         Must be at least 512 bytes long.
+ * outLen  Number of bytes in result.
+ * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
+ * an array is too long and MEMORY_E when dynamic memory allocation fails.
+ */
+int sp_RsaPrivate_4096(const byte* in, word32 inLen, mp_int* dm,
+    mp_int* pm, mp_int* qm, mp_int* dpm, mp_int* dqm, mp_int* qim, mp_int* mm,
+    byte* out, word32* outLen)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit ad[64 * 2];
+    sp_digit pd[32], qd[32], dpd[32];
+    sp_digit tmpad[64], tmpbd[64];
+#else
+    sp_digit* t = NULL;
+#endif
+    sp_digit* a;
+    sp_digit* p;
+    sp_digit* q;
+    sp_digit* dp;
+    sp_digit* dq;
+    sp_digit* qi;
+    sp_digit* tmpa;
+    sp_digit* tmpb;
+    sp_digit* r;
+    sp_digit c;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)dm;
+    (void)mm;
+
+    if (*outLen < 512)
+        err = MP_TO_E;
+    if (err == MP_OKAY && (inLen > 512 || mp_count_bits(mm) != 4096))
+        err = MP_READ_E;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 32 * 11, NULL,
+                                                              DYNAMIC_TYPE_RSA);
+        if (t == NULL)
+            err = MEMORY_E;
+    }
+    if (err == MP_OKAY) {
+        a = t;
+        p = a + 64 * 2;
+        q = p + 32;
+        qi = dq = dp = q + 32;
+        tmpa = qi + 32;
+        tmpb = tmpa + 64;
+
+        r = t + 64;
+    }
+#else
+    r = a = ad;
+    p = pd;
+    q = qd;
+    qi = dq = dp = dpd;
+    tmpa = tmpad;
+    tmpb = tmpbd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_4096_from_bin(a, 64, in, inLen);
+        sp_4096_from_mp(p, 32, pm);
+        sp_4096_from_mp(q, 32, qm);
+        sp_4096_from_mp(dp, 32, dpm);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_32(tmpa, a, dp, 2048, p, 1);
+        else
+#endif
+            err = sp_2048_mod_exp_32(tmpa, a, dp, 2048, p, 1);
+    }
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(dq, 32, dqm);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_2048_mod_exp_avx2_32(tmpb, a, dq, 2048, q, 1);
+       else
+#endif
+            err = sp_2048_mod_exp_32(tmpb, a, dq, 2048, q, 1);
+    }
+
+    if (err == MP_OKAY) {
+        c = sp_2048_sub_in_place_32(tmpa, tmpb);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            c += sp_4096_cond_add_avx2_32(tmpa, tmpa, p, c);
+            sp_4096_cond_add_avx2_32(tmpa, tmpa, p, c);
+        }
+        else
+#endif
+        {
+            c += sp_4096_cond_add_32(tmpa, tmpa, p, c);
+            sp_4096_cond_add_32(tmpa, tmpa, p, c);
+        }
+
+        sp_2048_from_mp(qi, 32, qim);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_2048_mul_avx2_32(tmpa, tmpa, qi);
+        }
+        else
+#endif
+        {
+            sp_2048_mul_32(tmpa, tmpa, qi);
+        }
+        err = sp_2048_mod_32(tmpa, tmpa, p);
+    }
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_2048_mul_avx2_32(tmpa, q, tmpa);
+        }
+        else
+#endif
+        {
+            sp_2048_mul_32(tmpa, q, tmpa);
+        }
+        XMEMSET(&tmpb[32], 0, sizeof(sp_digit) * 32);
+        sp_4096_add_64(r, tmpb, tmpa);
+
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XMEMSET(t, 0, sizeof(sp_digit) * 32 * 11);
+        XFREE(t, NULL, DYNAMIC_TYPE_RSA);
+    }
+#else
+    XMEMSET(tmpad, 0, sizeof(tmpad));
+    XMEMSET(tmpbd, 0, sizeof(tmpbd));
+    XMEMSET(pd, 0, sizeof(pd));
+    XMEMSET(qd, 0, sizeof(qd));
+    XMEMSET(dpd, 0, sizeof(dpd));
+#endif
+
+    return err;
+}
+#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
+#endif /* WOLFSSL_HAVE_SP_RSA */
+#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
+                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 64);
+        r->used = 64;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 64; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base  Base. MP integer.
+ * exp   Exponent. MP integer.
+ * mod   Modulus. MP integer.
+ * res   Result. MP integer.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod, mp_int* res)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+    int expBits = mp_count_bits(exp);
+
+    if (mp_count_bits(base) > 4096 || expBits > 4096 ||
+                                                   mp_count_bits(mod) != 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 64, base);
+        sp_4096_from_mp(e, 64, exp);
+        sp_4096_from_mp(m, 64, mod);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_4096_mod_exp_avx2_64(r, b, e, expBits, m, 0);
+        else
+#endif
+            err = sp_4096_mod_exp_64(r, b, e, expBits, m, 0);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_4096_to_mp(r, res);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+
+#ifdef WOLFSSL_HAVE_SP_DH
+#ifdef HAVE_FFDHE_4096
+extern void sp_4096_lshift_64(sp_digit* r, const sp_digit* a, int n);
+#ifdef HAVE_INTEL_AVX2
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_avx2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_4096_lshift_64(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+            sp_4096_mont_sqr_avx2_64(r, r, m, mp);
+
+            sp_4096_lshift_64(r, r, y);
+            sp_4096_mul_d_avx2_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_4096_add_64(r, r, tmp);
+            sp_4096_cond_sub_avx2_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_mont_reduce_avx2_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_avx2_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+#endif /* HAVE_INTEL_AVX2 */
+
+/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
+ *
+ * r     A single precision number that is the result of the operation.
+ * e     A single precision number that is the exponent.
+ * bits  The number of bits in the exponent.
+ * m     A single precision number that is the modulus.
+ * returns 0 on success and MEMORY_E on dynamic memory allocation failure.
+ */
+static int sp_4096_mod_exp_2_64(sp_digit* r, const sp_digit* e, int bits,
+        const sp_digit* m)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    sp_digit nd[128];
+    sp_digit td[65];
+#else
+    sp_digit* td;
+#endif
+    sp_digit* norm;
+    sp_digit* tmp;
+    sp_digit mp = 1;
+    sp_digit n, o;
+    sp_digit mask;
+    int i;
+    int c, y;
+    int err = MP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 193, NULL,
+                            DYNAMIC_TYPE_TMP_BUFFER);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+        norm = td;
+        tmp  = td + 128;
+#else
+        norm = nd;
+        tmp  = td;
+#endif
+
+        sp_4096_mont_setup(m, &mp);
+        sp_4096_mont_norm_64(norm, m);
+
+        i = (bits - 1) / 64;
+        n = e[i--];
+        c = bits & 63;
+        if (c == 0) {
+            c = 64;
+        }
+        if ((bits % 6) == 0) {
+            c -= 6;
+        }
+        else {
+            c -= bits % 6;
+        }
+        y = (int)(n >> c);
+        n <<= 64 - c;
+        sp_4096_lshift_64(r, norm, y);
+        for (; i>=0 || c>=6; ) {
+            if (c == 0) {
+                n = e[i--];
+                y = (int)(n >> 58);
+                n <<= 6;
+                c = 58;
+            }
+            else if (c < 6) {
+                y = (int)(n >> 58);
+                n = e[i--];
+                c = 6 - c;
+                y |= n >> (64 - c);
+                n <<= c;
+                c = 64 - c;
+            }
+            else {
+                y = (n >> 58) & 0x3f;
+                n <<= 6;
+                c -= 6;
+            }
+
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+            sp_4096_mont_sqr_64(r, r, m, mp);
+
+            sp_4096_lshift_64(r, r, y);
+            sp_4096_mul_d_64(tmp, norm, r[64]);
+            r[64] = 0;
+            o = sp_4096_add_64(r, r, tmp);
+            sp_4096_cond_sub_64(r, r, m, (sp_digit)0 - o);
+        }
+
+        XMEMSET(&r[64], 0, sizeof(sp_digit) * 64);
+        sp_4096_mont_reduce_64(r, m, mp);
+
+        mask = 0 - (sp_4096_cmp_64(r, m) >= 0);
+        sp_4096_cond_sub_64(r, r, m, mask);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return err;
+}
+
+#endif /* HAVE_FFDHE_4096 */
+
+/* Perform the modular exponentiation for Diffie-Hellman.
+ *
+ * base     Base.
+ * exp      Array of bytes that is the exponent.
+ * expLen   Length of data, in bytes, in exponent.
+ * mod      Modulus.
+ * out      Buffer to hold big-endian bytes of exponentiation result.
+ *          Must be at least 512 bytes long.
+ * outLen   Length, in bytes, of exponentiation result.
+ * returns 0 on success, MP_READ_E if there are too many bytes in an array
+ * and MEMORY_E if memory allocation fails.
+ */
+int sp_DhExp_4096(mp_int* base, const byte* exp, word32 expLen,
+    mp_int* mod, byte* out, word32* outLen)
+{
+    int err = MP_OKAY;
+    sp_digit b[128], e[64], m[64];
+    sp_digit* r = b;
+    word32 i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (mp_count_bits(base) > 4096 || expLen > 512 ||
+                                                   mp_count_bits(mod) != 4096) {
+        err = MP_READ_E;
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_from_mp(b, 64, base);
+        sp_4096_from_bin(e, 64, exp, expLen);
+        sp_4096_from_mp(m, 64, mod);
+
+    #ifdef HAVE_FFDHE_4096
+        if (base->used == 1 && base->dp[0] == 2 && m[63] == (sp_digit)-1) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_4096_mod_exp_2_avx2_64(r, e, expLen * 8, m);
+            else
+#endif
+                err = sp_4096_mod_exp_2_64(r, e, expLen * 8, m);
+        }
+        else
+    #endif
+        {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_4096_mod_exp_avx2_64(r, b, e, expLen * 8, m, 0);
+            else
+#endif
+                err = sp_4096_mod_exp_64(r, b, e, expLen * 8, m, 0);
+        }
+    }
+
+    if (err == MP_OKAY) {
+        sp_4096_to_bin(r, out);
+        *outLen = 512;
+        for (i=0; i<512 && out[i] == 0; i++) {
+        }
+        *outLen -= i;
+        XMEMMOVE(out, out + i, *outLen);
+    }
+
+    XMEMSET(e, 0, sizeof(e));
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_HAVE_SP_DH || (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) */
+
+#endif /* WOLFSSL_SP_4096 */
+
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH */
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+
+/* Point structure to use. */
+typedef struct sp_point_256 {
+    sp_digit x[2 * 4];
+    sp_digit y[2 * 4];
+    sp_digit z[2 * 4];
+    int infinity;
+} sp_point_256;
+
+/* The modulus (prime) of the curve P256. */
+static const sp_digit p256_mod[4] = {
+    0xffffffffffffffffL,0x00000000ffffffffL,0x0000000000000000L,
+    0xffffffff00000001L
+};
+/* The Montogmery normalizer for modulus of the curve P256. */
+static const sp_digit p256_norm_mod[4] = {
+    0x0000000000000001L,0xffffffff00000000L,0xffffffffffffffffL,
+    0x00000000fffffffeL
+};
+/* The Montogmery multiplier for modulus of the curve P256. */
+static const sp_digit p256_mp_mod = 0x0000000000000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P256. */
+static const sp_digit p256_order[4] = {
+    0xf3b9cac2fc632551L,0xbce6faada7179e84L,0xffffffffffffffffL,
+    0xffffffff00000000L
+};
+#endif
+/* The order of the curve P256 minus 2. */
+static const sp_digit p256_order2[4] = {
+    0xf3b9cac2fc63254fL,0xbce6faada7179e84L,0xffffffffffffffffL,
+    0xffffffff00000000L
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P256. */
+static const sp_digit p256_norm_order[4] = {
+    0x0c46353d039cdaafL,0x4319055258e8617bL,0x0000000000000000L,
+    0x00000000ffffffffL
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P256. */
+static const sp_digit p256_mp_order = 0xccd1c8aaee00bc4fL;
+#endif
+#ifdef WOLFSSL_SP_SMALL
+/* The base point of curve P256. */
+static const sp_point_256 p256_base = {
+    /* X ordinate */
+    {
+        0xf4a13945d898c296L,0x77037d812deb33a0L,0xf8bce6e563a440f2L,
+        0x6b17d1f2e12c4247L,
+        0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0xcbb6406837bf51f5L,0x2bce33576b315eceL,0x8ee7eb4a7c0f9e16L,
+        0x4fe342e2fe1a7f9bL,
+        0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000000000000001L,0x0000000000000000L,0x0000000000000000L,
+        0x0000000000000000L,
+        0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#endif /* WOLFSSL_SP_SMALL */
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p256_b[4] = {
+    0x3bce3c3e27d2604bL,0x651d06b0cc53b0f6L,0xb3ebbd55769886bcL,
+    0x5ac635d8aa3a93e7L
+};
+#endif
+
+static int sp_256_point_new_ex_4(void* heap, sp_point_256* sp, sp_point_256** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_256_point_new_4(heap, sp, p) sp_256_point_new_ex_4((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_256_point_new_4(heap, sp, p) sp_256_point_new_ex_4((heap), &(sp), &(p))
+#endif
+
+
+static void sp_256_point_free_4(sp_point_256* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ */
+static int sp_256_mod_mul_norm_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    int64_t t[8];
+    int64_t a32[8];
+    int64_t o;
+
+    (void)m;
+
+    a32[0] = a[0] & 0xffffffff;
+    a32[1] = a[0] >> 32;
+    a32[2] = a[1] & 0xffffffff;
+    a32[3] = a[1] >> 32;
+    a32[4] = a[2] & 0xffffffff;
+    a32[5] = a[2] >> 32;
+    a32[6] = a[3] & 0xffffffff;
+    a32[7] = a[3] >> 32;
+
+    /*  1  1  0 -1 -1 -1 -1  0 */
+    t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
+    /*  0  1  1  0 -1 -1 -1 -1 */
+    t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
+    /*  0  0  1  1  0 -1 -1 -1 */
+    t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
+    /* -1 -1  0  2  2  1  0 -1 */
+    t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
+    /*  0 -1 -1  0  2  2  1  0 */
+    t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
+    /*  0  0 -1 -1  0  2  2  1 */
+    t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
+    /* -1 -1  0  0  0  1  3  2 */
+    t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
+    /*  1  0 -1 -1 -1 -1  0  3 */
+    t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];
+
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    o     = t[7] >> 32; t[7] &= 0xffffffff;
+    t[0] += o;
+    t[3] -= o;
+    t[6] -= o;
+    t[7] += o;
+    t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+    t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+    t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+    t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+    t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+    t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+    t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+    r[0] = (t[1] << 32) | t[0];
+    r[1] = (t[3] << 32) | t[2];
+    r[2] = (t[5] << 32) | t[4];
+    r[3] = (t[7] << 32) | t[6];
+
+    return MP_OKAY;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_256.
+ *
+ * p   Point of type sp_point_256 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_256_point_from_ecc_point_4(sp_point_256* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_256_from_mp(p->x, 4, pm->x);
+    sp_256_from_mp(p->y, 4, pm->y);
+    sp_256_from_mp(p->z, 4, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_256_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 4);
+        r->used = 4;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 4; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 4; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_256 to type ecc_point.
+ *
+ * p   Point of type sp_point_256.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_256_point_to_ecc_point_4(const sp_point_256* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_256_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+extern void sp_256_cond_copy_4(sp_digit* r, const sp_digit* a, sp_digit m);
+extern void sp_256_mont_mul_4(sp_digit* r, const sp_digit* a, const sp_digit* b, const sp_digit* m, sp_digit mp);
+extern void sp_256_mont_sqr_4(sp_digit* r, const sp_digit* a, const sp_digit* m, sp_digit mp);
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_4(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_4(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_4(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P256 curve. */
+static const uint64_t p256_mod_minus_2[4] = {
+    0xfffffffffffffffdU,0x00000000ffffffffU,0x0000000000000000U,
+    0xffffffff00000001U
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_4(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_4(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_256_mont_mul_4(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    /* 0x2 */
+    sp_256_mont_sqr_4(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_4(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_4(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_4(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_4(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_4(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_4(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_4(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_4(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_4(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_4(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_4(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_4(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+extern int64_t sp_256_cmp_4(const sp_digit* a, const sp_digit* b);
+/* Normalize the values in each word to 64.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_256_norm_4(a)
+
+extern sp_digit sp_256_cond_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern sp_digit sp_256_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#define sp_256_mont_reduce_order_4         sp_256_mont_reduce_4
+
+extern void sp_256_mont_reduce_4(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    int64_t n;
+
+    sp_256_mont_inv_4(t1, p->z, t + 2*4);
+
+    sp_256_mont_sqr_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_4(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 4, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_4(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_4(r->x, p256_mod);
+    sp_256_cond_sub_4(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_4(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 4, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_4(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_4(r->y, p256_mod);
+    sp_256_cond_sub_4(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+extern void sp_256_mont_add_4(sp_digit* r, const sp_digit* a, const sp_digit* b, const sp_digit* m);
+extern void sp_256_mont_dbl_4(const sp_digit* r, const sp_digit* a, const sp_digit* m);
+extern void sp_256_mont_tpl_4(sp_digit* r, const sp_digit* a, const sp_digit* m);
+extern void sp_256_mont_sub_4(sp_digit* r, const sp_digit* a, const sp_digit* b, const sp_digit* m);
+extern void sp_256_div2_4(sp_digit* r, const sp_digit* a, const sp_digit* m);
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_4(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_4(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_4(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_4(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_4(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_4(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_4(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_4(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_4(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_4(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_4(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_4(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_4(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_4(y, y, t2, p256_mod);
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_4(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* t2 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_4(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(t2, b, p256_mod);
+        sp_256_mont_sub_4(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_4(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_4(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_4(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(y, y, p256_mod);
+        sp_256_mont_sub_4(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_4(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_4(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_4(t2, b, p256_mod);
+    sp_256_mont_sub_4(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_4(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_4(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_4(y, b, x, p256_mod);
+    sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    sp_256_mont_sub_4(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_4(y, y, p256_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_256_cmp_equal_4(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_4(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_4(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_4(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_4(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_4(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, x, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, y, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_mul_4(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, y, t5, p256_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_store_4(sp_point_256* r, const sp_point_256* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* t2 = t + 8*4;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<4; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<4; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<4; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(w, w, p256_mod, p256_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(b, t2, x, p256_mod, p256_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(t1, b, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_4(r[(1<<i)*m].z, z, y, p256_mod, p256_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_4(t2, t2, p256_mod, p256_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_4(w, w, t2, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(y, y, p256_mod);
+        sp_256_mont_sub_4(y, y, t2, p256_mod);
+
+        /* Y = Y/2 */
+        sp_256_div2_4(r[(1<<i)*m].y, y, p256_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_sub_4(sp_point_256* ra, sp_point_256* rs,
+        const sp_point_256* p, const sp_point_256* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* t6 = t + 10*4;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_256_mont_sqr_4(t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t1, x, p256_mod, p256_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_256_mont_mul_4(t3, t3, y, p256_mod, p256_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+    /* H = U2 - U1 */
+    sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+    /* RS = S2 + S1 */
+    sp_256_mont_add_4(t6, t4, t3, p256_mod);
+    /* R = S2 - S1 */
+    sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_256_mont_mul_4(z, z, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_256_mont_sqr_4(x, t4, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(xs, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(y, t1, t5, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(x, x, t5, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t5, p256_mod);
+    sp_256_mont_dbl_4(t1, y, p256_mod);
+    sp_256_mont_sub_4(x, x, t1, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t1, p256_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_256_mont_sub_4(ys, y, xs, p256_mod);
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    sp_256_mont_mul_4(y, y, t4, p256_mod, p256_mp_mod);
+    sp_256_sub_4(t6, p256_mod, t6);
+    sp_256_mont_mul_4(ys, ys, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t5, t5, t3, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(y, y, t5, p256_mod);
+    sp_256_mont_sub_4(ys, ys, t5, p256_mod);
+}
+
+/* Structure used to describe recoding of scalar multiplication. */
+typedef struct ecc_recode_256 {
+    /* Index into pre-computation table. */
+    uint8_t i;
+    /* Use the negative of the point. */
+    uint8_t neg;
+} ecc_recode_256;
+
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_4_6[66] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_4_6[66] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_256_ecc_recode_6_4(const sp_digit* k, ecc_recode_256* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<43; i++) {
+        y = n;
+        if (o + 6 < 64) {
+            y &= 0x3f;
+            n >>= 6;
+            o += 6;
+        }
+        else if (o + 6 == 64) {
+            n >>= 6;
+            if (++j < 4)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 4) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x3f;
+            o -= 58;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_4_6[y];
+        v[i].neg = recode_neg_4_6[y];
+        carry = (y >> 6) + v[i].neg;
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_win_add_sub_4(sp_point_256* r, const sp_point_256* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[33];
+    sp_point_256 rtd, pd;
+    sp_digit tmpd[2 * 4 * 6];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[43];
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_4(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].y, g->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].z, g->z, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_256_proj_point_dbl_n_store_4(t, &t[ 1], 5, 1, tmp);
+        sp_256_proj_point_add_4(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[ 6], &t[ 3], tmp);
+        sp_256_proj_point_add_sub_4(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[10], &t[ 5], tmp);
+        sp_256_proj_point_add_sub_4(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[12], &t[ 6], tmp);
+        sp_256_proj_point_dbl_4(&t[14], &t[ 7], tmp);
+        sp_256_proj_point_add_sub_4(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[18], &t[ 9], tmp);
+        sp_256_proj_point_add_sub_4(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[20], &t[10], tmp);
+        sp_256_proj_point_dbl_4(&t[22], &t[11], tmp);
+        sp_256_proj_point_add_sub_4(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[24], &t[12], tmp);
+        sp_256_proj_point_dbl_4(&t[26], &t[13], tmp);
+        sp_256_proj_point_add_sub_4(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_256_proj_point_dbl_4(&t[28], &t[14], tmp);
+        sp_256_proj_point_dbl_4(&t[30], &t[15], tmp);
+        sp_256_proj_point_add_sub_4(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_256_ecc_recode_6_4(k, v);
+
+        i = 42;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_256));
+        for (--i; i>=0; i--) {
+            sp_256_proj_point_dbl_n_4(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_256));
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_256_proj_point_add_4(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_256_mont_mul_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* b, const sp_digit* m, sp_digit mp);
+extern void sp_256_mont_sqr_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* m, sp_digit mp);
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_256_mont_sqr_n_avx2_4(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_256_mont_sqr_avx2_4(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_256_mont_sqr_avx2_4(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P256 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_avx2_4(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_avx2_4(t, t, p256_mod, p256_mp_mod);
+        if (p256_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_256_mont_mul_avx2_4(t, t, a, p256_mod, p256_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    /* 0x2 */
+    sp_256_mont_sqr_avx2_4(t1, a, p256_mod, p256_mp_mod);
+    /* 0x3 */
+    sp_256_mont_mul_avx2_4(t2, t1, a, p256_mod, p256_mp_mod);
+    /* 0xc */
+    sp_256_mont_sqr_n_avx2_4(t1, t2, 2, p256_mod, p256_mp_mod);
+    /* 0xd */
+    sp_256_mont_mul_avx2_4(t3, t1, a, p256_mod, p256_mp_mod);
+    /* 0xf */
+    sp_256_mont_mul_avx2_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xf0 */
+    sp_256_mont_sqr_n_avx2_4(t1, t2, 4, p256_mod, p256_mp_mod);
+    /* 0xfd */
+    sp_256_mont_mul_avx2_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xff */
+    sp_256_mont_mul_avx2_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xff00 */
+    sp_256_mont_sqr_n_avx2_4(t1, t2, 8, p256_mod, p256_mp_mod);
+    /* 0xfffd */
+    sp_256_mont_mul_avx2_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffff */
+    sp_256_mont_mul_avx2_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffff0000 */
+    sp_256_mont_sqr_n_avx2_4(t1, t2, 16, p256_mod, p256_mp_mod);
+    /* 0xfffffffd */
+    sp_256_mont_mul_avx2_4(t3, t3, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff */
+    sp_256_mont_mul_avx2_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000000 */
+    sp_256_mont_sqr_n_avx2_4(t1, t2, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffffffffffff */
+    sp_256_mont_mul_avx2_4(t2, t2, t1, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001 */
+    sp_256_mont_mul_avx2_4(r, t1, a, p256_mod, p256_mp_mod);
+    /* 0xffffffff000000010000000000000000000000000000000000000000 */
+    sp_256_mont_sqr_n_avx2_4(r, r, 160, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
+    sp_256_mont_mul_avx2_4(r, r, t2, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
+    sp_256_mont_sqr_n_avx2_4(r, r, 32, p256_mod, p256_mp_mod);
+    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
+    sp_256_mont_mul_avx2_4(r, r, t3, p256_mod, p256_mp_mod);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_map_avx2_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    int64_t n;
+
+    sp_256_mont_inv_avx2_4(t1, p->z, t + 2*4);
+
+    sp_256_mont_sqr_avx2_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    /* x /= z^2 */
+    sp_256_mont_mul_avx2_4(r->x, p->x, t2, p256_mod, p256_mp_mod);
+    XMEMSET(r->x + 4, 0, sizeof(r->x) / 2U);
+    sp_256_mont_reduce_4(r->x, p256_mod, p256_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_256_cmp_4(r->x, p256_mod);
+    sp_256_cond_sub_4(r->x, r->x, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->x);
+
+    /* y /= z^3 */
+    sp_256_mont_mul_avx2_4(r->y, p->y, t1, p256_mod, p256_mp_mod);
+    XMEMSET(r->y + 4, 0, sizeof(r->y) / 2U);
+    sp_256_mont_reduce_4(r->y, p256_mod, p256_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_256_cmp_4(r->y, p256_mod);
+    sp_256_cond_sub_4(r->y, r->y, p256_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_256_norm_4(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_avx2_4(sp_point_256* r, const sp_point_256* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_256_mont_sqr_avx2_4(t1, p->z, p256_mod, p256_mp_mod);
+    /* Z = Y * Z */
+    sp_256_mont_mul_avx2_4(z, p->y, p->z, p256_mod, p256_mp_mod);
+    /* Z = 2Z */
+    sp_256_mont_dbl_4(z, z, p256_mod);
+    /* T2 = X - T1 */
+    sp_256_mont_sub_4(t2, p->x, t1, p256_mod);
+    /* T1 = X + T1 */
+    sp_256_mont_add_4(t1, p->x, t1, p256_mod);
+    /* T2 = T1 * T2 */
+    sp_256_mont_mul_avx2_4(t2, t1, t2, p256_mod, p256_mp_mod);
+    /* T1 = 3T2 */
+    sp_256_mont_tpl_4(t1, t2, p256_mod);
+    /* Y = 2Y */
+    sp_256_mont_dbl_4(y, p->y, p256_mod);
+    /* Y = Y * Y */
+    sp_256_mont_sqr_avx2_4(y, y, p256_mod, p256_mp_mod);
+    /* T2 = Y * Y */
+    sp_256_mont_sqr_avx2_4(t2, y, p256_mod, p256_mp_mod);
+    /* T2 = T2/2 */
+    sp_256_div2_4(t2, t2, p256_mod);
+    /* Y = Y * X */
+    sp_256_mont_mul_avx2_4(y, y, p->x, p256_mod, p256_mp_mod);
+    /* X = T1 * T1 */
+    sp_256_mont_sqr_avx2_4(x, t1, p256_mod, p256_mp_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* X = X - Y */
+    sp_256_mont_sub_4(x, x, y, p256_mod);
+    /* Y = Y - X */
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    /* Y = Y * T1 */
+    sp_256_mont_mul_avx2_4(y, y, t1, p256_mod, p256_mp_mod);
+    /* Y = Y - T2 */
+    sp_256_mont_sub_4(y, y, t2, p256_mod);
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_avx2_4(sp_point_256* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* t2 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_avx2_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_avx2_4(w, w, p256_mod, p256_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_avx2_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_avx2_4(t1, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(b, t1, x, p256_mod, p256_mp_mod);
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_avx2_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(t2, b, p256_mod);
+        sp_256_mont_sub_4(x, x, t2, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_avx2_4(z, z, y, p256_mod, p256_mp_mod);
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_avx2_4(t1, t1, p256_mod, p256_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_avx2_4(w, w, t1, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_avx2_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(y, y, p256_mod);
+        sp_256_mont_sub_4(y, y, t1, p256_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_256_mont_sqr_avx2_4(t1, x, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(t1, t1, w, p256_mod);
+    sp_256_mont_tpl_4(a, t1, p256_mod);
+    /* B = X*Y^2 */
+    sp_256_mont_sqr_avx2_4(t1, y, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(b, t1, x, p256_mod, p256_mp_mod);
+    /* X = A^2 - 2B */
+    sp_256_mont_sqr_avx2_4(x, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_4(t2, b, p256_mod);
+    sp_256_mont_sub_4(x, x, t2, p256_mod);
+    /* Z = Z*Y */
+    sp_256_mont_mul_avx2_4(z, z, y, p256_mod, p256_mp_mod);
+    /* t2 = Y^4 */
+    sp_256_mont_sqr_avx2_4(t1, t1, p256_mod, p256_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_256_mont_sub_4(y, b, x, p256_mod);
+    sp_256_mont_mul_avx2_4(y, y, a, p256_mod, p256_mp_mod);
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    sp_256_mont_sub_4(y, y, t1, p256_mod);
+#endif
+    /* Y = Y/2 */
+    sp_256_div2_4(y, y, p256_mod);
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_avx2_4(sp_point_256* r, const sp_point_256* p, const sp_point_256* q,
+        sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_256* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_256_mont_sqr_avx2_4(t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t1, t1, x, p256_mod, p256_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_avx2_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_256_mont_mul_avx2_4(t3, t3, y, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_avx2_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - U1 */
+        sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+        /* R = S2 - S1 */
+        sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_256_mont_mul_avx2_4(z, z, q->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_256_mont_sqr_avx2_4(x, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_avx2_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(y, t1, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, x, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, y, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_mul_avx2_4(y, y, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t5, t5, t3, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, y, t5, p256_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_dbl_n_store_avx2_4(sp_point_256* r, const sp_point_256* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*4;
+    sp_digit* b = t + 4*4;
+    sp_digit* t1 = t + 6*4;
+    sp_digit* t2 = t + 8*4;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<4; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<4; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<4; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_256_mont_dbl_4(y, y, p256_mod);
+    /* W = Z^4 */
+    sp_256_mont_sqr_avx2_4(w, z, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_avx2_4(w, w, p256_mod, p256_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_256_mont_sqr_avx2_4(t1, x, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(t1, t1, w, p256_mod);
+        sp_256_mont_tpl_4(a, t1, p256_mod);
+        /* B = X*Y^2 */
+        sp_256_mont_sqr_avx2_4(t2, y, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(b, t2, x, p256_mod, p256_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_256_mont_sqr_avx2_4(x, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(t1, b, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Z = Z*Y */
+        sp_256_mont_mul_avx2_4(r[(1<<i)*m].z, z, y, p256_mod, p256_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_256_mont_sqr_avx2_4(t2, t2, p256_mod, p256_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_256_mont_mul_avx2_4(w, w, t2, p256_mod, p256_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_256_mont_sub_4(y, b, x, p256_mod);
+        sp_256_mont_mul_avx2_4(y, y, a, p256_mod, p256_mp_mod);
+        sp_256_mont_dbl_4(y, y, p256_mod);
+        sp_256_mont_sub_4(y, y, t2, p256_mod);
+
+        /* Y = Y/2 */
+        sp_256_div2_4(r[(1<<i)*m].y, y, p256_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_sub_avx2_4(sp_point_256* ra, sp_point_256* rs,
+        const sp_point_256* p, const sp_point_256* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* t6 = t + 10*4;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_256_mont_sqr_avx2_4(t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t3, t1, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t1, t1, x, p256_mod, p256_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_256_mont_sqr_avx2_4(t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t4, t2, z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_256_mont_mul_avx2_4(t3, t3, y, p256_mod, p256_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_256_mont_mul_avx2_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+    /* H = U2 - U1 */
+    sp_256_mont_sub_4(t2, t2, t1, p256_mod);
+    /* RS = S2 + S1 */
+    sp_256_mont_add_4(t6, t4, t3, p256_mod);
+    /* R = S2 - S1 */
+    sp_256_mont_sub_4(t4, t4, t3, p256_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_256_mont_mul_avx2_4(z, z, q->z, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(z, z, t2, p256_mod, p256_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_256_mont_sqr_avx2_4(x, t4, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_avx2_4(xs, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_sqr_avx2_4(t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(y, t1, t5, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t5, t5, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(x, x, t5, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t5, p256_mod);
+    sp_256_mont_dbl_4(t1, y, p256_mod);
+    sp_256_mont_sub_4(x, x, t1, p256_mod);
+    sp_256_mont_sub_4(xs, xs, t1, p256_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_256_mont_sub_4(ys, y, xs, p256_mod);
+    sp_256_mont_sub_4(y, y, x, p256_mod);
+    sp_256_mont_mul_avx2_4(y, y, t4, p256_mod, p256_mp_mod);
+    sp_256_sub_4(t6, p256_mod, t6);
+    sp_256_mont_mul_avx2_4(ys, ys, t6, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t5, t5, t3, p256_mod, p256_mp_mod);
+    sp_256_mont_sub_4(y, y, t5, p256_mod);
+    sp_256_mont_sub_4(ys, ys, t5, p256_mod);
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_win_add_sub_avx2_4(sp_point_256* r, const sp_point_256* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td[33];
+    sp_point_256 rtd, pd;
+    sp_digit tmpd[2 * 4 * 6];
+#endif
+    sp_point_256* t;
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[43];
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_256_mod_mul_norm_4(t[1].x, g->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].y, g->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t[1].z, g->z, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_256_proj_point_dbl_n_store_avx2_4(t, &t[ 1], 5, 1, tmp);
+        sp_256_proj_point_add_avx2_4(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[ 6], &t[ 3], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[10], &t[ 5], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[12], &t[ 6], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[14], &t[ 7], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[18], &t[ 9], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[20], &t[10], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[22], &t[11], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[24], &t[12], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[26], &t[13], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[28], &t[14], tmp);
+        sp_256_proj_point_dbl_avx2_4(&t[30], &t[15], tmp);
+        sp_256_proj_point_add_sub_avx2_4(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_256_ecc_recode_6_4(k, v);
+
+        i = 42;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_256));
+        for (--i; i>=0; i--) {
+            sp_256_proj_point_dbl_n_avx2_4(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_256));
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_256_proj_point_add_avx2_4(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_256_map_avx2_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_256 {
+    sp_digit x[4];
+    sp_digit y[4];
+} sp_table_entry_256;
+
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_4(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_4(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_4(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_4(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, t3, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_4(t3, t3, x, p256_mod);
+        sp_256_mont_mul_4(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_4(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 4;
+    sp_digit* tmp = t + 4 * 4;
+
+    sp_256_mont_inv_4(t1, a->z, tmp);
+
+    sp_256_mont_sqr_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_4(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_4(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_4(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_4(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_4(t, 32, tmp);
+            sp_256_proj_to_affine_4(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_4(t, s1, s2, tmp);
+                sp_256_proj_to_affine_4(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_4(s2, 0, heap);
+    sp_256_point_free_4(s1, 0, heap);
+    sp_256_point_free_4( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_4(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_4(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_4(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_256_t {
+    sp_digit x[4];
+    sp_digit y[4];
+    sp_table_entry_256 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_256_t;
+
+static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_256_last = -1;
+static THREAD_LS_T int sp_cache_256_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_256 = 0;
+    static wolfSSL_Mutex sp_cache_256_lock;
+#endif
+
+static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_256_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_256[i].set = 0;
+        }
+        sp_cache_256_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_256[i].set)
+            continue;
+
+        if (sp_256_cmp_equal_4(g->x, sp_cache_256[i].x) &
+                           sp_256_cmp_equal_4(g->y, sp_cache_256[i].y)) {
+            sp_cache_256[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_256_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_256[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_256_last) {
+            least = sp_cache_256[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_256[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_256[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
+        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
+        sp_cache_256[i].set = 1;
+        sp_cache_256[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_256[i];
+    sp_cache_256_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_4(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_win_add_sub_4(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 4 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_4(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_win_add_sub_4(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_4(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#ifdef HAVE_INTEL_AVX2
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_256_proj_point_add_qz1_avx2_4(sp_point_256* r, const sp_point_256* p,
+        const sp_point_256* q, sp_digit* t)
+{
+    const sp_point_256* ap[2];
+    sp_point_256* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*4;
+    sp_digit* t3 = t + 4*4;
+    sp_digit* t4 = t + 6*4;
+    sp_digit* t5 = t + 8*4;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_256_sub_4(t1, p256_mod, q->y);
+    sp_256_norm_4(t1);
+    if ((sp_256_cmp_equal_4(p->x, q->x) & sp_256_cmp_equal_4(p->z, q->z) &
+        (sp_256_cmp_equal_4(p->y, q->y) | sp_256_cmp_equal_4(p->y, t1))) != 0) {
+        sp_256_proj_point_dbl_4(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_256*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_256));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<4; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<4; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<4; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_256_mont_sqr_avx2_4(t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t4, t2, z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t2, t2, q->x, p256_mod, p256_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_256_mont_mul_avx2_4(t4, t4, q->y, p256_mod, p256_mp_mod);
+        /* H = U2 - X1 */
+        sp_256_mont_sub_4(t2, t2, x, p256_mod);
+        /* R = S2 - Y1 */
+        sp_256_mont_sub_4(t4, t4, y, p256_mod);
+        /* Z3 = H*Z1 */
+        sp_256_mont_mul_avx2_4(z, z, t2, p256_mod, p256_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_256_mont_sqr_avx2_4(t1, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_sqr_avx2_4(t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t3, x, t5, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t5, t5, t2, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(x, t1, t5, p256_mod);
+        sp_256_mont_dbl_4(t1, t3, p256_mod);
+        sp_256_mont_sub_4(x, x, t1, p256_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_256_mont_sub_4(t3, t3, x, p256_mod);
+        sp_256_mont_mul_avx2_4(t3, t3, t4, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_avx2_4(t5, t5, y, p256_mod, p256_mp_mod);
+        sp_256_mont_sub_4(y, t3, t5, p256_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_256_proj_to_affine_avx2_4(sp_point_256* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 4;
+    sp_digit* tmp = t + 4 * 4;
+
+    sp_256_mont_inv_avx2_4(t1, a->z, tmp);
+
+    sp_256_mont_sqr_avx2_4(t2, t1, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(t1, t2, t1, p256_mod, p256_mp_mod);
+
+    sp_256_mont_mul_avx2_4(a->x, a->x, t2, p256_mod, p256_mp_mod);
+    sp_256_mont_mul_avx2_4(a->y, a->y, t1, p256_mod, p256_mp_mod);
+    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_256_gen_stripe_table_avx2_4(const sp_point_256* a,
+        sp_table_entry_256* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 td, s1d, s2d;
+#endif
+    sp_point_256* t;
+    sp_point_256* s1 = NULL;
+    sp_point_256* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->x, a->x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->y, a->y, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_mod_mul_norm_4(t->z, a->z, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_256_proj_to_affine_avx2_4(t, tmp);
+
+        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_256_proj_point_dbl_n_avx2_4(t, 32, tmp);
+            sp_256_proj_to_affine_avx2_4(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_256_proj_point_add_qz1_avx2_4(t, s1, s2, tmp);
+                sp_256_proj_to_affine_avx2_4(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_256_point_free_4(s2, 0, heap);
+    sp_256_point_free_4(s1, 0, heap);
+    sp_256_point_free_4( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+#if defined(FP_ECC) || defined(WOLFSSL_SP_SMALL)
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_stripe_avx2_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit td[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        y = 0;
+        for (j=0,x=31; j<8; j++,x+=32) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=30; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=32) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_256_proj_point_dbl_avx2_4(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_256_proj_point_add_qz1_avx2_4(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_256_map_avx2_4(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC || WOLFSSL_SP_SMALL */
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_avx2_4(sp_point_256* r, const sp_point_256* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_256_ecc_mulmod_win_add_sub_avx2_4(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 4 * 5];
+    sp_cache_256_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_256 == 0) {
+         wc_InitMutex(&sp_cache_256_lock);
+         initCacheMutex_256 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_256_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_256(g, &cache);
+        if (cache->cnt == 2)
+            sp_256_gen_stripe_table_avx2_4(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_256_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_256_ecc_mulmod_win_add_sub_avx2_4(r, g, k, map, heap);
+        }
+        else {
+            err = sp_256_ecc_mulmod_stripe_avx2_4(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_256(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, km);
+        sp_256_point_from_ecc_point_4(point, gm);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_avx2_4(point, point, k, map, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_4(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+
+#ifdef WOLFSSL_SP_SMALL
+static const sp_table_entry_256 p256_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x79e730d418a9143cL,0x75ba95fc5fedb601L,0x79fb732b77622510L,
+        0x18905f76a53755c6L },
+      { 0xddf25357ce95560aL,0x8b4ab8e4ba19e45cL,0xd2e88688dd21f325L,
+        0x8571ff1825885d85L } },
+    /* 2 */
+    { { 0x202886024147519aL,0xd0981eac26b372f0L,0xa9d4a7caa785ebc8L,
+        0xd953c50ddbdf58e9L },
+      { 0x9d6361ccfd590f8fL,0x72e9626b44e6c917L,0x7fd9611022eb64cfL,
+        0x863ebb7e9eb288f3L } },
+    /* 3 */
+    { { 0x7856b6235cdb6485L,0x808f0ea22f0a2f97L,0x3e68d9544f7e300bL,
+        0x00076055b5ff80a0L },
+      { 0x7634eb9b838d2010L,0x54014fbb3243708aL,0xe0e47d39842a6606L,
+        0x8308776134373ee0L } },
+    /* 4 */
+    { { 0x4f922fc516a0d2bbL,0x0d5cc16c1a623499L,0x9241cf3a57c62c8bL,
+        0x2f5e6961fd1b667fL },
+      { 0x5c15c70bf5a01797L,0x3d20b44d60956192L,0x04911b37071fdb52L,
+        0xf648f9168d6f0f7bL } },
+    /* 5 */
+    { { 0x9e566847e137bbbcL,0xe434469e8a6a0becL,0xb1c4276179d73463L,
+        0x5abe0285133d0015L },
+      { 0x92aa837cc04c7dabL,0x573d9f4c43260c07L,0x0c93156278e6cc37L,
+        0x94bb725b6b6f7383L } },
+    /* 6 */
+    { { 0xbbf9b48f720f141cL,0x6199b3cd2df5bc74L,0xdc3f6129411045c4L,
+        0xcdd6bbcb2f7dc4efL },
+      { 0xcca6700beaf436fdL,0x6f647f6db99326beL,0x0c0fa792014f2522L,
+        0xa361bebd4bdae5f6L } },
+    /* 7 */
+    { { 0x28aa2558597c13c7L,0xc38d635f50b7c3e1L,0x07039aecf3c09d1dL,
+        0xba12ca09c4b5292cL },
+      { 0x9e408fa459f91dfdL,0x3af43b66ceea07fbL,0x1eceb0899d780b29L,
+        0x53ebb99d701fef4bL } },
+    /* 8 */
+    { { 0x4fe7ee31b0e63d34L,0xf4600572a9e54fabL,0xc0493334d5e7b5a4L,
+        0x8589fb9206d54831L },
+      { 0xaa70f5cc6583553aL,0x0879094ae25649e5L,0xcc90450710044652L,
+        0xebb0696d02541c4fL } },
+    /* 9 */
+    { { 0x4616ca15ac1647c5L,0xb8127d47c4cf5799L,0xdc666aa3764dfbacL,
+        0xeb2820cbd1b27da3L },
+      { 0x9406f8d86a87e008L,0xd87dfa9d922378f3L,0x56ed2e4280ccecb2L,
+        0x1f28289b55a7da1dL } },
+    /* 10 */
+    { { 0xabbaa0c03b89da99L,0xa6f2d79eb8284022L,0x27847862b81c05e8L,
+        0x337a4b5905e54d63L },
+      { 0x3c67500d21f7794aL,0x207005b77d6d7f61L,0x0a5a378104cfd6e8L,
+        0x0d65e0d5f4c2fbd6L } },
+    /* 11 */
+    { { 0xd9d09bbeb5275d38L,0x4268a7450be0a358L,0xf0762ff4973eb265L,
+        0xc23da24252f4a232L },
+      { 0x5da1b84f0b94520cL,0x09666763b05bd78eL,0x3a4dcb8694d29ea1L,
+        0x19de3b8cc790cff1L } },
+    /* 12 */
+    { { 0x183a716c26c5fe04L,0x3b28de0b3bba1bdbL,0x7432c586a4cb712cL,
+        0xe34dcbd491fccbfdL },
+      { 0xb408d46baaa58403L,0x9a69748682e97a53L,0x9e39012736aaa8afL,
+        0xe7641f447b4e0f7fL } },
+    /* 13 */
+    { { 0x7d753941df64ba59L,0xd33f10ec0b0242fcL,0x4f06dfc6a1581859L,
+        0x4a12df57052a57bfL },
+      { 0xbfa6338f9439dbd0L,0xd3c24bd4bde53e1fL,0xfd5e4ffa21f1b314L,
+        0x6af5aa93bb5bea46L } },
+    /* 14 */
+    { { 0xda10b69910c91999L,0x0a24b4402a580491L,0x3e0094b4b8cc2090L,
+        0x5fe3475a66a44013L },
+      { 0xb0f8cabdf93e7b4bL,0x292b501a7c23f91aL,0x42e889aecd1e6263L,
+        0xb544e308ecfea916L } },
+    /* 15 */
+    { { 0x6478c6e916ddfdceL,0x2c329166f89179e6L,0x4e8d6e764d4e67e1L,
+        0xe0b6b2bda6b0c20bL },
+      { 0x0d312df2bb7efb57L,0x1aac0dde790c4007L,0xf90336ad679bc944L,
+        0x71c023de25a63774L } },
+    /* 16 */
+    { { 0x62a8c244bfe20925L,0x91c19ac38fdce867L,0x5a96a5d5dd387063L,
+        0x61d587d421d324f6L },
+      { 0xe87673a2a37173eaL,0x2384800853778b65L,0x10f8441e05bab43eL,
+        0xfa11fe124621efbeL } },
+    /* 17 */
+    { { 0x1c891f2b2cb19ffdL,0x01ba8d5bb1923c23L,0xb6d03d678ac5ca8eL,
+        0x586eb04c1f13bedcL },
+      { 0x0c35c6e527e8ed09L,0x1e81a33c1819ede2L,0x278fd6c056c652faL,
+        0x19d5ac0870864f11L } },
+    /* 18 */
+    { { 0x1e99f581309a4e1fL,0xab7de71be9270074L,0x26a5ef0befd28d20L,
+        0xe7c0073f7f9c563fL },
+      { 0x1f6d663a0ef59f76L,0x669b3b5420fcb050L,0xc08c1f7a7a6602d4L,
+        0xe08504fec65b3c0aL } },
+    /* 19 */
+    { { 0xf098f68da031b3caL,0x6d1cab9ee6da6d66L,0x5bfd81fa94f246e8L,
+        0x78f018825b0996b4L },
+      { 0xb7eefde43a25787fL,0x8016f80d1dccac9bL,0x0cea4877b35bfc36L,
+        0x43a773b87e94747aL } },
+    /* 20 */
+    { { 0x62577734d2b533d5L,0x673b8af6a1bdddc0L,0x577e7c9aa79ec293L,
+        0xbb6de651c3b266b1L },
+      { 0xe7e9303ab65259b3L,0xd6a0afd3d03a7480L,0xc5ac83d19b3cfc27L,
+        0x60b4619a5d18b99bL } },
+    /* 21 */
+    { { 0xbd6a38e11ae5aa1cL,0xb8b7652b49e73658L,0x0b130014ee5f87edL,
+        0x9d0f27b2aeebffcdL },
+      { 0xca9246317a730a55L,0x9c955b2fddbbc83aL,0x07c1dfe0ac019a71L,
+        0x244a566d356ec48dL } },
+    /* 22 */
+    { { 0x6db0394aeacf1f96L,0x9f2122a9024c271cL,0x2626ac1b82cbd3b9L,
+        0x45e58c873581ef69L },
+      { 0xd3ff479da38f9dbcL,0xa8aaf146e888a040L,0x945adfb246e0bed7L,
+        0xc040e21cc1e4b7a4L } },
+    /* 23 */
+    { { 0x847af0006f8117b6L,0x651969ff73a35433L,0x482b35761d9475ebL,
+        0x1cdf5c97682c6ec7L },
+      { 0x7db775b411f04839L,0x7dbeacf448de1698L,0xb2921dd1b70b3219L,
+        0x046755f8a92dff3dL } },
+    /* 24 */
+    { { 0xcc8ac5d2bce8ffcdL,0x0d53c48b2fe61a82L,0xf6f161727202d6c7L,
+        0x046e5e113b83a5f3L },
+      { 0xe7b8ff64d8007f01L,0x7fb1ef125af43183L,0x045c5ea635e1a03cL,
+        0x6e0106c3303d005bL } },
+    /* 25 */
+    { { 0x48c7358488dd73b1L,0x7670708f995ed0d9L,0x38385ea8c56a2ab7L,
+        0x442594ede901cf1fL },
+      { 0xf8faa2c912d4b65bL,0x94c2343b96c90c37L,0xd326e4a15e978d1fL,
+        0xa796fa514c2ee68eL } },
+    /* 26 */
+    { { 0x359fb604823addd7L,0x9e2a6183e56693b3L,0xf885b78e3cbf3c80L,
+        0xe4ad2da9c69766e9L },
+      { 0x357f7f428e048a61L,0x082d198cc092d9a0L,0xfc3a1af4c03ed8efL,
+        0xc5e94046c37b5143L } },
+    /* 27 */
+    { { 0x476a538c2be75f9eL,0x6fd1a9e8cb123a78L,0xd85e4df0b109c04bL,
+        0x63283dafdb464747L },
+      { 0xce728cf7baf2df15L,0xe592c4550ad9a7f4L,0xfab226ade834bcc3L,
+        0x68bd19ab1981a938L } },
+    /* 28 */
+    { { 0xc08ead511887d659L,0x3374d5f4b359305aL,0x96986981cfe74fe3L,
+        0x495292f53c6fdfd6L },
+      { 0x4a878c9e1acec896L,0xd964b210ec5b4484L,0x6696f7e2664d60a7L,
+        0x0ec7530d26036837L } },
+    /* 29 */
+    { { 0x2da13a05ad2687bbL,0xa1f83b6af32e21faL,0x390f5ef51dd4607bL,
+        0x0f6207a664863f0bL },
+      { 0xbd67e3bb0f138233L,0xdd66b96c272aa718L,0x8ed0040726ec88aeL,
+        0xff0db07208ed6dcfL } },
+    /* 30 */
+    { { 0x749fa1014c95d553L,0xa44052fd5d680a8aL,0x183b4317ff3b566fL,
+        0x313b513c88740ea3L },
+      { 0xb402e2ac08d11549L,0x071ee10bb4dee21cL,0x26b987dd47f2320eL,
+        0x2d3abcf986f19f81L } },
+    /* 31 */
+    { { 0x4c288501815581a2L,0x9a0a6d56632211afL,0x19ba7a0f0cab2e99L,
+        0xc036fa10ded98cdfL },
+      { 0x29ae08bac1fbd009L,0x0b68b19006d15816L,0xc2eb32779b9e0d8fL,
+        0xa6b2a2c4b6d40194L } },
+    /* 32 */
+    { { 0xd433e50f6d3549cfL,0x6f33696ffacd665eL,0x695bfdacce11fcb4L,
+        0x810ee252af7c9860L },
+      { 0x65450fe17159bb2cL,0xf7dfbebe758b357bL,0x2b057e74d69fea72L,
+        0xd485717a92731745L } },
+    /* 33 */
+    { { 0x11741a8af0cb5a98L,0xd3da8f931f3110bfL,0x1994e2cbab382adfL,
+        0x6a6045a72f9a604eL },
+      { 0x170c0d3fa2b2411dL,0xbe0eb83e510e96e0L,0x3bcc9f738865b3ccL,
+        0xd3e45cfaf9e15790L } },
+    /* 34 */
+    { { 0xce1f69bbe83f7669L,0x09f8ae8272877d6bL,0x9548ae543244278dL,
+        0x207755dee3c2c19cL },
+      { 0x87bd61d96fef1945L,0x18813cefb12d28c3L,0x9fbcd1d672df64aaL,
+        0x48dc5ee57154b00dL } },
+    /* 35 */
+    { { 0x123790bff7e5a199L,0xe0efb8cf989ccbb7L,0xc27a2bfe0a519c79L,
+        0xf2fb0aeddff6f445L },
+      { 0x41c09575f0b5025fL,0x550543d740fa9f22L,0x8fa3c8ad380bfbd0L,
+        0xa13e9015db28d525L } },
+    /* 36 */
+    { { 0xf9f7a350a2b65cbcL,0x0b04b9722a464226L,0x265ce241e23f07a1L,
+        0x2bf0d6b01497526fL },
+      { 0xd3d4dd3f4b216fb7L,0xf7d7b867fbdda26aL,0xaeb7b83f6708505cL,
+        0x42a94a5a162fe89fL } },
+    /* 37 */
+    { { 0x5846ad0beaadf191L,0x0f8a489025a268d7L,0xe8603050494dc1f6L,
+        0x2c2dd969c65ede3dL },
+      { 0x6d02171d93849c17L,0x460488ba1da250ddL,0x4810c7063c3a5485L,
+        0xf437fa1f42c56dbcL } },
+    /* 38 */
+    { { 0x6aa0d7144a0f7dabL,0x0f0497931776e9acL,0x52c0a050f5f39786L,
+        0xaaf45b3354707aa8L },
+      { 0x85e37c33c18d364aL,0xd40b9b063e497165L,0xf417168115ec5444L,
+        0xcdf6310df4f272bcL } },
+    /* 39 */
+    { { 0x7473c6238ea8b7efL,0x08e9351885bc2287L,0x419567722bda8e34L,
+        0xf0d008bada9e2ff2L },
+      { 0x2912671d2414d3b1L,0xb3754985b019ea76L,0x5c61b96d453bcbdbL,
+        0x5bd5c2f5ca887b8bL } },
+    /* 40 */
+    { { 0xef0f469ef49a3154L,0x3e85a5956e2b2e9aL,0x45aaec1eaa924a9cL,
+        0xaa12dfc8a09e4719L },
+      { 0x26f272274df69f1dL,0xe0e4c82ca2ff5e73L,0xb9d8ce73b7a9dd44L,
+        0x6c036e73e48ca901L } },
+    /* 41 */
+    { { 0x5cfae12a0f6e3138L,0x6966ef0025ad345aL,0x8993c64b45672bc5L,
+        0x292ff65896afbe24L },
+      { 0xd5250d445e213402L,0xf6580e274392c9feL,0x097b397fda1c72e8L,
+        0x644e0c90311b7276L } },
+    /* 42 */
+    { { 0xe1e421e1a47153f0L,0xb86c3b79920418c9L,0x93bdce87705d7672L,
+        0xf25ae793cab79a77L },
+      { 0x1f3194a36d869d0cL,0x9d55c8824986c264L,0x49fb5ea3096e945eL,
+        0x39b8e65313db0a3eL } },
+    /* 43 */
+    { { 0x37754200b6fd2e59L,0x35e2c0669255c98fL,0xd9dab21a0e2a5739L,
+        0x39122f2f0f19db06L },
+      { 0xcfbce1e003cad53cL,0x225b2c0fe65c17e3L,0x72baf1d29aa13877L,
+        0x8de80af8ce80ff8dL } },
+    /* 44 */
+    { { 0xafbea8d9207bbb76L,0x921c7e7c21782758L,0xdfa2b74b1c0436b1L,
+        0x871949062e368c04L },
+      { 0xb5f928bba3993df5L,0x639d75b5f3b3d26aL,0x011aa78a85b55050L,
+        0xfc315e6a5b74fde1L } },
+    /* 45 */
+    { { 0x561fd41ae8d6ecfaL,0x5f8c44f61aec7f86L,0x98452a7b4924741dL,
+        0xe6d4a7adee389088L },
+      { 0x60552ed14593c75dL,0x70a70da4dd271162L,0xd2aede937ba2c7dbL,
+        0x35dfaf9a9be2ae57L } },
+    /* 46 */
+    { { 0x6b956fcdaa736636L,0x09f51d97ae2cab7eL,0xfb10bf410f349966L,
+        0x1da5c7d71c830d2bL },
+      { 0x5c41e4833cce6825L,0x15ad118ff9573c3bL,0xa28552c7f23036b8L,
+        0x7077c0fddbf4b9d6L } },
+    /* 47 */
+    { { 0xbf63ff8d46b9661cL,0xa1dfd36b0d2cfd71L,0x0373e140a847f8f7L,
+        0x53a8632ee50efe44L },
+      { 0x0976ff68696d8051L,0xdaec0c95c74f468aL,0x62994dc35e4e26bdL,
+        0x028ca76d34e1fcc1L } },
+    /* 48 */
+    { { 0xd11d47dcfc9877eeL,0xc8b36210801d0002L,0xd002c11754c260b6L,
+        0x04c17cd86962f046L },
+      { 0x6d9bd094b0daddf5L,0xbea2357524ce55c0L,0x663356e672da03b5L,
+        0xf7ba4de9fed97474L } },
+    /* 49 */
+    { { 0xd0dbfa34ebe1263fL,0x5576373571ae7ce6L,0xd244055382a6f523L,
+        0xe31f960052131c41L },
+      { 0xd1bb9216ea6b6ec6L,0x37a1d12e73c2fc44L,0xc10e7eac89d0a294L,
+        0xaa3a6259ce34d47bL } },
+    /* 50 */
+    { { 0xfbcf9df536f3dcd3L,0x6ceded50d2bf7360L,0x491710fadf504f5bL,
+        0x2398dd627e79daeeL },
+      { 0xcf4705a36d09569eL,0xea0619bb5149f769L,0xff9c037735f6034cL,
+        0x5717f5b21c046210L } },
+    /* 51 */
+    { { 0x9fe229c921dd895eL,0x8e51850040c28451L,0xfa13d2391d637ecdL,
+        0x660a2c560e3c28deL },
+      { 0x9cca88aed67fcbd0L,0xc84724780ea9f096L,0x32b2f48172e92b4dL,
+        0x624ee54c4f522453L } },
+    /* 52 */
+    { { 0x09549ce4d897ecccL,0x4d49d1d93f9880aaL,0x723c2423043a7c20L,
+        0x4f392afb92bdfbc0L },
+      { 0x6969f8fa7de44fd9L,0xb66cfbe457b32156L,0xdb2fa803368ebc3cL,
+        0x8a3e7977ccdb399cL } },
+    /* 53 */
+    { { 0xdde1881f06c4b125L,0xae34e300f6e3ca8cL,0xef6999de5c7a13e9L,
+        0x3888d02370c24404L },
+      { 0x7628035644f91081L,0x3d9fcf615f015504L,0x1827edc8632cd36eL,
+        0xa5e62e4718102336L } },
+    /* 54 */
+    { { 0x1a825ee32facd6c8L,0x699c635454bcbc66L,0x0ce3edf798df9931L,
+        0x2c4768e6466a5adcL },
+      { 0xb346ff8c90a64bc9L,0x630a6020e4779f5cL,0xd949d064bc05e884L,
+        0x7b5e6441f9e652a0L } },
+    /* 55 */
+    { { 0x2169422c1d28444aL,0xe996c5d8be136a39L,0x2387afe5fb0c7fceL,
+        0xb8af73cb0c8d744aL },
+      { 0x5fde83aa338b86fdL,0xfee3f158a58a5cffL,0xc9ee8f6f20ac9433L,
+        0xa036395f7f3f0895L } },
+    /* 56 */
+    { { 0x8c73c6bba10f7770L,0xa6f16d81a12a0e24L,0x100df68251bc2b9fL,
+        0x4be36b01875fb533L },
+      { 0x9226086e9fb56dbbL,0x306fef8b07e7a4f8L,0xeeaccc0566d52f20L,
+        0x8cbc9a871bdc00c0L } },
+    /* 57 */
+    { { 0xe131895cc0dac4abL,0xa874a440712ff112L,0x6332ae7c6a1cee57L,
+        0x44e7553e0c0835f8L },
+      { 0x6d503fff7734002dL,0x9d35cb8b0b34425cL,0x95f702760e8738b5L,
+        0x470a683a5eb8fc18L } },
+    /* 58 */
+    { { 0x81b761dc90513482L,0x0287202a01e9276aL,0xcda441ee0ce73083L,
+        0x16410690c63dc6efL },
+      { 0xf5034a066d06a2edL,0xdd4d7745189b100bL,0xd914ae72ab8218c9L,
+        0xd73479fd7abcbb4fL } },
+    /* 59 */
+    { { 0x7edefb165ad4c6e5L,0x262cf08f5b06d04dL,0x12ed5bb18575cb14L,
+        0x816469e30771666bL },
+      { 0xd7ab9d79561e291eL,0xeb9daf22c1de1661L,0xf49827eb135e0513L,
+        0x0a36dd23f0dd3f9cL } },
+    /* 60 */
+    { { 0x098d32c741d5533cL,0x7c5f5a9e8684628fL,0x39a228ade349bd11L,
+        0xe331dfd6fdbab118L },
+      { 0x5100ab686bcc6ed8L,0x7160c3bdef7a260eL,0x9063d9a7bce850d7L,
+        0xd3b4782a492e3389L } },
+    /* 61 */
+    { { 0xa149b6e8f3821f90L,0x92edd9ed66eb7aadL,0x0bb669531a013116L,
+        0x7281275a4c86a5bdL },
+      { 0x503858f7d3ff47e5L,0x5e1616bc61016441L,0x62b0f11a7dfd9bb1L,
+        0x2c062e7ece145059L } },
+    /* 62 */
+    { { 0xa76f996f0159ac2eL,0x281e7736cbdb2713L,0x2ad6d28808e46047L,
+        0x282a35f92c4e7ef1L },
+      { 0x9c354b1ec0ce5cd2L,0xcf99efc91379c229L,0x992caf383e82c11eL,
+        0xc71cd513554d2abdL } },
+    /* 63 */
+    { { 0x4885de9c09b578f4L,0x1884e258e3affa7aL,0x8f76b1b759182f1fL,
+        0xc50f6740cf47f3a3L },
+      { 0xa9c4adf3374b68eaL,0xa406f32369965fe2L,0x2f86a22285a53050L,
+        0xb9ecb3a7212958dcL } },
+    /* 64 */
+    { { 0x56f8410ef4f8b16aL,0x97241afec47b266aL,0x0a406b8e6d9c87c1L,
+        0x803f3e02cd42ab1bL },
+      { 0x7f0309a804dbec69L,0xa83b85f73bbad05fL,0xc6097273ad8e197fL,
+        0xc097440e5067adc1L } },
+    /* 65 */
+    { { 0x846a56f2c379ab34L,0xa8ee068b841df8d1L,0x20314459176c68efL,
+        0xf1af32d5915f1f30L },
+      { 0x99c375315d75bd50L,0x837cffbaf72f67bcL,0x0613a41848d7723fL,
+        0x23d0f130e2d41c8bL } },
+    /* 66 */
+    { { 0x857ab6edf41500d9L,0x0d890ae5fcbeada8L,0x52fe864889725951L,
+        0xb0288dd6c0a3faddL },
+      { 0x85320f30650bcb08L,0x71af6313695d6e16L,0x31f520a7b989aa76L,
+        0xffd3724ff408c8d2L } },
+    /* 67 */
+    { { 0x53968e64b458e6cbL,0x992dad20317a5d28L,0x3814ae0b7aa75f56L,
+        0xf5590f4ad78c26dfL },
+      { 0x0fc24bd3cf0ba55aL,0x0fc4724a0c778baeL,0x1ce9864f683b674aL,
+        0x18d6da54f6f74a20L } },
+    /* 68 */
+    { { 0xed93e225d5be5a2bL,0x6fe799835934f3c6L,0x4314092622626ffcL,
+        0x50bbb4d97990216aL },
+      { 0x378191c6e57ec63eL,0x65422c40181dcdb2L,0x41a8099b0236e0f6L,
+        0x2b10011801fe49c3L } },
+    /* 69 */
+    { { 0xfc68b5c59b391593L,0xc385f5a2598270fcL,0x7144f3aad19adcbbL,
+        0xdd55899983fbae0cL },
+      { 0x93b88b8e74b82ff4L,0xd2e03c4071e734c9L,0x9a7a9eaf43c0322aL,
+        0xe6e4c551149d6041L } },
+    /* 70 */
+    { { 0x55f655bb1e9af288L,0x647e1a64f7ada931L,0x43697e4bcb2820e5L,
+        0x51e00db107ed56ffL },
+      { 0x43d169b8771c327eL,0x29cdb20b4a96c2adL,0xc07d51f53deb4779L,
+        0xe22f424149829177L } },
+    /* 71 */
+    { { 0xcd45e8f4635f1abbL,0x7edc0cb568538874L,0xc9472c1fb5a8034dL,
+        0xf709373d52dc48c9L },
+      { 0x401966bba8af30d6L,0x95bf5f4af137b69cL,0x3966162a9361c47eL,
+        0xbd52d288e7275b11L } },
+    /* 72 */
+    { { 0xab155c7a9c5fa877L,0x17dad6727d3a3d48L,0x43f43f9e73d189d8L,
+        0xa0d0f8e4c8aa77a6L },
+      { 0x0bbeafd8cc94f92dL,0xd818c8be0c4ddb3aL,0x22cc65f8b82eba14L,
+        0xa56c78c7946d6a00L } },
+    /* 73 */
+    { { 0x2962391b0dd09529L,0x803e0ea63daddfcfL,0x2c77351f5b5bf481L,
+        0xd8befdf8731a367aL },
+      { 0xab919d42fc0157f4L,0xf51caed7fec8e650L,0xcdf9cb4002d48b0aL,
+        0x854a68a5ce9f6478L } },
+    /* 74 */
+    { { 0xdc35f67b63506ea5L,0x9286c489a4fe0d66L,0x3f101d3bfe95cd4dL,
+        0x5cacea0b98846a95L },
+      { 0xa90df60c9ceac44dL,0x3db29af4354d1c3aL,0x08dd3de8ad5dbabeL,
+        0xe4982d1235e4efa9L } },
+    /* 75 */
+    { { 0x23104a22c34cd55eL,0x58695bb32680d132L,0xfb345afa1fa1d943L,
+        0x8046b7f616b20499L },
+      { 0xb533581e38e7d098L,0xd7f61e8df46f0b70L,0x30dea9ea44cb78c4L,
+        0xeb17ca7b9082af55L } },
+    /* 76 */
+    { { 0x1751b59876a145b9L,0xa5cf6b0fc1bc71ecL,0xd3e03565392715bbL,
+        0x097b00bafab5e131L },
+      { 0xaa66c8e9565f69e1L,0x77e8f75ab5be5199L,0x6033ba11da4fd984L,
+        0xf95c747bafdbcc9eL } },
+    /* 77 */
+    { { 0x558f01d3bebae45eL,0xa8ebe9f0c4bc6955L,0xaeb705b1dbc64fc6L,
+        0x3512601e566ed837L },
+      { 0x9336f1e1fa1161cdL,0x328ab8d54c65ef87L,0x4757eee2724f21e5L,
+        0x0ef971236068ab6bL } },
+    /* 78 */
+    { { 0x02598cf754ca4226L,0x5eede138f8642c8eL,0x48963f74468e1790L,
+        0xfc16d9333b4fbc95L },
+      { 0xbe96fb31e7c800caL,0x138063312678adaaL,0x3d6244976ff3e8b5L,
+        0x14ca4af1b95d7a17L } },
+    /* 79 */
+    { { 0x7a4771babd2f81d5L,0x1a5f9d6901f7d196L,0xd898bef7cad9c907L,
+        0x4057b063f59c231dL },
+      { 0xbffd82fe89c05c0aL,0xe4911c6f1dc0df85L,0x3befccaea35a16dbL,
+        0x1c3b5d64f1330b13L } },
+    /* 80 */
+    { { 0x5fe14bfe80ec21feL,0xf6ce116ac255be82L,0x98bc5a072f4a5d67L,
+        0xfad27148db7e63afL },
+      { 0x90c0b6ac29ab05b3L,0x37a9a83c4e251ae6L,0x0a7dc875c2aade7dL,
+        0x77387de39f0e1a84L } },
+    /* 81 */
+    { { 0x1e9ecc49a56c0dd7L,0xa5cffcd846086c74L,0x8f7a1408f505aeceL,
+        0xb37b85c0bef0c47eL },
+      { 0x3596b6e4cc0e6a8fL,0xfd6d4bbf6b388f23L,0xaba453fac39cef4eL,
+        0x9c135ac8f9f628d5L } },
+    /* 82 */
+    { { 0x32aa320284e35743L,0x320d6ab185a3cdefL,0xb821b1761df19819L,
+        0x5721361fc433851fL },
+      { 0x1f0db36a71fc9168L,0x5f98ba735e5c403cL,0xf64ca87e37bcd8f5L,
+        0xdcbac3c9e6bb11bdL } },
+    /* 83 */
+    { { 0xf01d99684518cbe2L,0xd242fc189c9eb04eL,0x727663c7e47feebfL,
+        0xb8c1c89e2d626862L },
+      { 0x51a58bddc8e1d569L,0x563809c8b7d88cd0L,0x26c27fd9f11f31ebL,
+        0x5d23bbda2f9422d4L } },
+    /* 84 */
+    { { 0x0a1c729495c8f8beL,0x2961c4803bf362bfL,0x9e418403df63d4acL,
+        0xc109f9cb91ece900L },
+      { 0xc2d095d058945705L,0xb9083d96ddeb85c0L,0x84692b8d7a40449bL,
+        0x9bc3344f2eee1ee1L } },
+    /* 85 */
+    { { 0x0d5ae35642913074L,0x55491b2748a542b1L,0x469ca665b310732aL,
+        0x29591d525f1a4cc1L },
+      { 0xe76f5b6bb84f983fL,0xbe7eef419f5f84e1L,0x1200d49680baa189L,
+        0x6376551f18ef332cL } },
+    /* 86 */
+    { { 0xbda5f14e562976ccL,0x22bca3e60ef12c38L,0xbbfa30646cca9852L,
+        0xbdb79dc808e2987aL },
+      { 0xfd2cb5c9cb06a772L,0x38f475aafe536dceL,0xc2a3e0227c2b5db8L,
+        0x8ee86001add3c14aL } },
+    /* 87 */
+    { { 0xcbe96981a4ade873L,0x7ee9aa4dc4fba48cL,0x2cee28995a054ba5L,
+        0x92e51d7a6f77aa4bL },
+      { 0x948bafa87190a34dL,0xd698f75bf6bd1ed1L,0xd00ee6e30caf1144L,
+        0x5182f86f0a56aaaaL } },
+    /* 88 */
+    { { 0xfba6212c7a4cc99cL,0xff609b683e6d9ca1L,0x5dbb27cb5ac98c5aL,
+        0x91dcab5d4073a6f2L },
+      { 0x01b6cc3d5f575a70L,0x0cb361396f8d87faL,0x165d4e8c89981736L,
+        0x17a0cedb97974f2bL } },
+    /* 89 */
+    { { 0x38861e2a076c8d3aL,0x701aad39210f924bL,0x94d0eae413a835d9L,
+        0x2e8ce36c7f4cdf41L },
+      { 0x91273dab037a862bL,0x01ba9bb760e4c8faL,0xf964538833baf2ddL,
+        0xf4ccc6cb34f668f3L } },
+    /* 90 */
+    { { 0x44ef525cf1f79687L,0x7c59549592efa815L,0xe1231741a5c78d29L,
+        0xac0db4889a0df3c9L },
+      { 0x86bfc711df01747fL,0x592b9358ef17df13L,0xe5880e4f5ccb6bb5L,
+        0x95a64a6194c974a2L } },
+    /* 91 */
+    { { 0x72c1efdac15a4c93L,0x40269b7382585141L,0x6a8dfb1c16cb0badL,
+        0x231e54ba29210677L },
+      { 0xa70df9178ae6d2dcL,0x4d6aa63f39112918L,0xf627726b5e5b7223L,
+        0xab0be032d8a731e1L } },
+    /* 92 */
+    { { 0x097ad0e98d131f2dL,0x637f09e33b04f101L,0x1ac86196d5e9a748L,
+        0xf1bcc8802cf6a679L },
+      { 0x25c69140e8daacb4L,0x3c4e405560f65009L,0x591cc8fc477937a6L,
+        0x851694695aebb271L } },
+    /* 93 */
+    { { 0xde35c143f1dcf593L,0x78202b29b018be3bL,0xe9cdadc29bdd9d3dL,
+        0x8f67d9d2daad55d8L },
+      { 0x841116567481ea5fL,0xe7d2dde9e34c590cL,0xffdd43f405053fa8L,
+        0xf84572b9c0728b5dL } },
+    /* 94 */
+    { { 0x5e1a7a7197af71c9L,0xa14494447a736565L,0xa1b4ae070e1d5063L,
+        0xedee2710616b2c19L },
+      { 0xb2f034f511734121L,0x1cac6e554a25e9f0L,0x8dc148f3a40c2ecfL,
+        0x9fd27e9b44ebd7f4L } },
+    /* 95 */
+    { { 0x3cc7658af6e2cb16L,0xe3eb7d2cfe5919b6L,0x5a8c5816168d5583L,
+        0xa40c2fb6958ff387L },
+      { 0x8c9ec560fedcc158L,0x7ad804c655f23056L,0xd93967049a307e12L,
+        0x99bc9bb87dc6decfL } },
+    /* 96 */
+    { { 0x84a9521d927dafc6L,0x52c1fb695c09cd19L,0x9d9581a0f9366ddeL,
+        0x9abe210ba16d7e64L },
+      { 0x480af84a48915220L,0xfa73176a4dd816c6L,0xc7d539871681ca5aL,
+        0x7881c25787f344b0L } },
+    /* 97 */
+    { { 0x93399b51e0bcf3ffL,0x0d02cbc5127f74f6L,0x8fb465a2dd01d968L,
+        0x15e6e319a30e8940L },
+      { 0x646d6e0d3e0e05f4L,0xfad7bddc43588404L,0xbe61c7d1c4f850d3L,
+        0x0e55facf191172ceL } },
+    /* 98 */
+    { { 0x7e9d9806f8787564L,0x1a33172131e85ce6L,0x6b0158cab819e8d6L,
+        0xd73d09766fe96577L },
+      { 0x424834251eb7206eL,0xa519290fc618bb42L,0x5dcbb8595e30a520L,
+        0x9250a3748f15a50bL } },
+    /* 99 */
+    { { 0xcaff08f8be577410L,0xfd408a035077a8c6L,0xf1f63289ec0a63a4L,
+        0x77414082c1cc8c0bL },
+      { 0x05a40fa6eb0991cdL,0xc1ca086649fdc296L,0x3a68a3c7b324fd40L,
+        0x8cb04f4d12eb20b9L } },
+    /* 100 */
+    { { 0xb1c2d0556906171cL,0x9073e9cdb0240c3fL,0xdb8e6b4fd8906841L,
+        0xe4e429ef47123b51L },
+      { 0x0b8dd53c38ec36f4L,0xf9d2dc01ff4b6a27L,0x5d066e07879a9a48L,
+        0x37bca2ff3c6e6552L } },
+    /* 101 */
+    { { 0x4cd2e3c7df562470L,0x44f272a2c0964ac9L,0x7c6d5df980c793beL,
+        0x59913edc3002b22aL },
+      { 0x7a139a835750592aL,0x99e01d80e783de02L,0xcf8c0375ea05d64fL,
+        0x43786e4ab013e226L } },
+    /* 102 */
+    { { 0xff32b0ed9e56b5a6L,0x0750d9a6d9fc68f9L,0xec15e845597846a7L,
+        0x8638ca98b7e79e7aL },
+      { 0x2f5ae0960afc24b2L,0x05398eaf4dace8f2L,0x3b765dd0aecba78fL,
+        0x1ecdd36a7b3aa6f0L } },
+    /* 103 */
+    { { 0x5d3acd626c5ff2f3L,0xa2d516c02873a978L,0xad94c9fad2110d54L,
+        0xd85d0f85d459f32dL },
+      { 0x9f700b8d10b11da3L,0xd2c22c30a78318c4L,0x556988f49208decdL,
+        0xa04f19c3b4ed3c62L } },
+    /* 104 */
+    { { 0x087924c8ed7f93bdL,0xcb64ac5d392f51f6L,0x7cae330a821b71afL,
+        0x92b2eeea5c0950b0L },
+      { 0x85ac4c9485b6e235L,0xab2ca4a92936c0f0L,0x80faa6b3e0508891L,
+        0x1ee782215834276cL } },
+    /* 105 */
+    { { 0xa60a2e00e63e79f7L,0xf590e7b2f399d906L,0x9021054a6607c09dL,
+        0xf3f2ced857a6e150L },
+      { 0x200510f3f10d9b55L,0x9d2fcfacd8642648L,0xe5631aa7e8bd0e7cL,
+        0x0f56a4543da3e210L } },
+    /* 106 */
+    { { 0x5b21bffa1043e0dfL,0x6c74b6cc9c007e6dL,0x1a656ec0d4a8517aL,
+        0xbd8f17411969e263L },
+      { 0x8a9bbb86beb7494aL,0x1567d46f45f3b838L,0xdf7a12a7a4e5a79aL,
+        0x2d1a1c3530ccfa09L } },
+    /* 107 */
+    { { 0x192e3813506508daL,0x336180c4a1d795a7L,0xcddb59497a9944b3L,
+        0xa107a65eb91fba46L },
+      { 0xe6d1d1c50f94d639L,0x8b4af3758a58b7d7L,0x1a7c5584bd37ca1cL,
+        0x183d760af87a9af2L } },
+    /* 108 */
+    { { 0x29d697110dde59a4L,0xf1ad8d070e8bef87L,0x229b49634f2ebe78L,
+        0x1d44179dc269d754L },
+      { 0xb32dc0cf8390d30eL,0x0a3b27530de8110cL,0x31af1dc52bc0339aL,
+        0x771f9cc29606d262L } },
+    /* 109 */
+    { { 0x99993e7785040739L,0x44539db98026a939L,0xcf40f6f2f5f8fc26L,
+        0x64427a310362718eL },
+      { 0x4f4f2d8785428aa8L,0x7b7adc3febfb49a8L,0x201b2c6df23d01acL,
+        0x49d9b7496ae90d6dL } },
+    /* 110 */
+    { { 0xcc78d8bc435d1099L,0x2adbcd4e8e8d1a08L,0x02c2e2a02cb68a41L,
+        0x9037d81b3f605445L },
+      { 0x7cdbac27074c7b61L,0xfe2031ab57bfd72eL,0x61ccec96596d5352L,
+        0x08c3de6a7cc0639cL } },
+    /* 111 */
+    { { 0x20fdd020f6d552abL,0x56baff9805cd81f1L,0x06fb7c3e91351291L,
+        0xc690944245796b2fL },
+      { 0x17b3ae9c41231bd1L,0x1eac6e875cc58205L,0x208837abf9d6a122L,
+        0x3fa3db02cafe3ac0L } },
+    /* 112 */
+    { { 0xd75a3e6505058880L,0x7da365ef643943f2L,0x4147861cfab24925L,
+        0xc5c4bdb0fdb808ffL },
+      { 0x73513e34b272b56bL,0xc8327e9511b9043aL,0xfd8ce37df8844969L,
+        0x2d56db9446c2b6b5L } },
+    /* 113 */
+    { { 0x2461782fff46ac6bL,0xd19f792607a2e425L,0xfafea3c409a48de1L,
+        0x0f56bd9de503ba42L },
+      { 0x137d4ed1345cda49L,0x821158fc816f299dL,0xe7c6a54aaeb43402L,
+        0x4003bb9d1173b5f1L } },
+    /* 114 */
+    { { 0x3b8e8189a0803387L,0xece115f539cbd404L,0x4297208dd2877f21L,
+        0x53765522a07f2f9eL },
+      { 0xa4980a21a8a4182dL,0xa2bbd07a3219df79L,0x674d0a2e1a19a2d4L,
+        0x7a056f586c5d4549L } },
+    /* 115 */
+    { { 0x646b25589d8a2a47L,0x5b582948c3df2773L,0x51ec000eabf0d539L,
+        0x77d482f17a1a2675L },
+      { 0xb8a1bd9587853948L,0xa6f817bd6cfbffeeL,0xab6ec05780681e47L,
+        0x4115012b2b38b0e4L } },
+    /* 116 */
+    { { 0x3c73f0f46de28cedL,0x1d5da7609b13ec47L,0x61b8ce9e6e5c6392L,
+        0xcdf04572fbea0946L },
+      { 0x1cb3c58b6c53c3b0L,0x97fe3c10447b843cL,0xfb2b8ae12cb9780eL,
+        0xee703dda97383109L } },
+    /* 117 */
+    { { 0x34515140ff57e43aL,0xd44660d3b1b811b8L,0x2b3b5dff8f42b986L,
+        0x2a0ad89da162ce21L },
+      { 0x64e4a6946bc277baL,0xc788c954c141c276L,0x141aa64ccabf6274L,
+        0xd62d0b67ac2b4659L } },
+    /* 118 */
+    { { 0x39c5d87b2c054ac4L,0x57005859f27df788L,0xedf7cbf3b18128d6L,
+        0xb39a23f2991c2426L },
+      { 0x95284a15f0b16ae5L,0x0c6a05b1a136f51bL,0x1d63c137f2700783L,
+        0x04ed0092c0674cc5L } },
+    /* 119 */
+    { { 0x1f4185d19ae90393L,0x3047b4294a3d64e6L,0xae0001a69854fc14L,
+        0xa0a91fc10177c387L },
+      { 0xff0a3f01ae2c831eL,0xbb76ae822b727e16L,0x8f12c8a15a3075b4L,
+        0x084cf9889ed20c41L } },
+    /* 120 */
+    { { 0xd98509defca6becfL,0x2fceae807dffb328L,0x5d8a15c44778e8b9L,
+        0xd57955b273abf77eL },
+      { 0x210da79e31b5d4f1L,0xaa52f04b3cfa7a1cL,0xd4d12089dc27c20bL,
+        0x8e14ea4202d141f1L } },
+    /* 121 */
+    { { 0xeed50345f2897042L,0x8d05331f43402c4aL,0xc8d9c194c8bdfb21L,
+        0x597e1a372aa4d158L },
+      { 0x0327ec1acf0bd68cL,0x6d4be0dcab024945L,0x5b9c8d7ac9fe3e84L,
+        0xca3f0236199b4deaL } },
+    /* 122 */
+    { { 0x592a10b56170bd20L,0x0ea897f16d3f5de7L,0xa3363ff144b2ade2L,
+        0xbde7fd7e309c07e4L },
+      { 0x516bb6d2b8f5432cL,0x210dc1cbe043444bL,0x3db01e6ff8f95b5aL,
+        0xb623ad0e0a7dd198L } },
+    /* 123 */
+    { { 0xa75bd67560c7b65bL,0xab8c559023a4a289L,0xf8220fd0d7b26795L,
+        0xd6aa2e4658ec137bL },
+      { 0x10abc00b5138bb85L,0x8c31d121d833a95cL,0xb24ff00b1702a32eL,
+        0x111662e02dcc513aL } },
+    /* 124 */
+    { { 0x78114015efb42b87L,0xbd9f5d701b6c4dffL,0x66ecccd7a7d7c129L,
+        0xdb3ee1cb94b750f8L },
+      { 0xb26f3db0f34837cfL,0xe7eed18bb9578d4fL,0x5d2cdf937c56657dL,
+        0x886a644252206a59L } },
+    /* 125 */
+    { { 0x3c234cfb65b569eaL,0x20011141f72119c1L,0x8badc85da15a619eL,
+        0xa70cf4eb018a17bcL },
+      { 0x224f97ae8c4a6a65L,0x36e5cf270134378fL,0xbe3a609e4f7e0960L,
+        0xaa4772abd1747b77L } },
+    /* 126 */
+    { { 0x676761317aa60cc0L,0xc79163610368115fL,0xded98bb4bbc1bb5aL,
+        0x611a6ddc30faf974L },
+      { 0x30e78cbcc15ee47aL,0x2e8962824e0d96a5L,0x36f35adf3dd9ed88L,
+        0x5cfffaf816429c88L } },
+    /* 127 */
+    { { 0xc0d54cff9b7a99cdL,0x7bf3b99d843c45a1L,0x038a908f62c739e1L,
+        0x6e5a6b237dc1994cL },
+      { 0xef8b454e0ba5db77L,0xb7b8807facf60d63L,0xe591c0c676608378L,
+        0x481a238d242dabccL } },
+    /* 128 */
+    { { 0xe3417bc035d0b34aL,0x440b386b8327c0a7L,0x8fb7262dac0362d1L,
+        0x2c41114ce0cdf943L },
+      { 0x2ba5cef1ad95a0b1L,0xc09b37a867d54362L,0x26d6cdd201e486c9L,
+        0x20477abf42ff9297L } },
+    /* 129 */
+    { { 0x2f75173c18d65dbfL,0x77bf940e339edad8L,0x7022d26bdcf1001cL,
+        0xac66409ac77396b6L },
+      { 0x8b0bb36fc6261cc3L,0x213f7bc9190e7e90L,0x6541cebaa45e6c10L,
+        0xce8e6975cc122f85L } },
+    /* 130 */
+    { { 0x0f121b41bc0a67d2L,0x62d4760a444d248aL,0x0e044f1d659b4737L,
+        0x08fde365250bb4a8L },
+      { 0xaceec3da848bf287L,0xc2a62182d3369d6eL,0x3582dfdc92449482L,
+        0x2f7e2fd2565d6cd7L } },
+    /* 131 */
+    { { 0xae4b92dbc3770fa7L,0x095e8d5c379043f9L,0x54f34e9d17761171L,
+        0xc65be92e907702aeL },
+      { 0x2758a303f6fd0a40L,0xe7d822e3bcce784bL,0x7ae4f5854f9767bfL,
+        0x4bff8e47d1193b3aL } },
+    /* 132 */
+    { { 0xcd41d21f00ff1480L,0x2ab8fb7d0754db16L,0xac81d2efbbe0f3eaL,
+        0x3e4e4ae65772967dL },
+      { 0x7e18f36d3c5303e6L,0x3bd9994b92262397L,0x9ed70e261324c3c0L,
+        0x5388aefd58ec6028L } },
+    /* 133 */
+    { { 0xad1317eb5e5d7713L,0x09b985ee75de49daL,0x32f5bc4fc74fb261L,
+        0x5cf908d14f75be0eL },
+      { 0x760435108e657b12L,0xbfd421a5b96ed9e6L,0x0e29f51f8970ccc2L,
+        0xa698ba4060f00ce2L } },
+    /* 134 */
+    { { 0x73db1686ef748fecL,0xe6e755a27e9d2cf9L,0x630b6544ce265effL,
+        0xb142ef8a7aebad8dL },
+      { 0xad31af9f17d5770aL,0x66af3b672cb3412fL,0x6bd60d1bdf3359deL,
+        0xd1896a9658515075L } },
+    /* 135 */
+    { { 0xec5957ab33c41c08L,0x87de94ac5468e2e1L,0x18816b73ac472f6cL,
+        0x267b0e0b7981da39L },
+      { 0x6e554e5d8e62b988L,0xd8ddc755116d21e7L,0x4610faf03d2a6f99L,
+        0xb54e287aa1119393L } },
+    /* 136 */
+    { { 0x0a0122b5178a876bL,0x51ff96ff085104b4L,0x050b31ab14f29f76L,
+        0x84abb28b5f87d4e6L },
+      { 0xd5ed439f8270790aL,0x2d6cb59d85e3f46bL,0x75f55c1b6c1e2212L,
+        0xe5436f6717655640L } },
+    /* 137 */
+    { { 0x53f9025e2286e8d5L,0x353c95b4864453beL,0xd832f5bde408e3a0L,
+        0x0404f68b5b9ce99eL },
+      { 0xcad33bdea781e8e5L,0x3cdf5018163c2f5bL,0x575769600119caa3L,
+        0x3a4263df0ac1c701L } },
+    /* 138 */
+    { { 0xc2965ecc9aeb596dL,0x01ea03e7023c92b4L,0x4704b4b62e013961L,
+        0x0ca8fd3f905ea367L },
+      { 0x92523a42551b2b61L,0x1eb7a89c390fcd06L,0xe7f1d2be0392a63eL,
+        0x96dca2644ddb0c33L } },
+    /* 139 */
+    { { 0x203bb43a387510afL,0x846feaa8a9a36a01L,0xd23a57702f950378L,
+        0x4363e2123aad59dcL },
+      { 0xca43a1c740246a47L,0xb362b8d2e55dd24dL,0xf9b086045d8faf96L,
+        0x840e115cd8bb98c4L } },
+    /* 140 */
+    { { 0xf12205e21023e8a7L,0xc808a8cdd8dc7a0bL,0xe292a272163a5ddfL,
+        0x5e0d6abd30ded6d4L },
+      { 0x07a721c27cfc0f64L,0x42eec01d0e55ed88L,0x26a7bef91d1f9db2L,
+        0x7dea48f42945a25aL } },
+    /* 141 */
+    { { 0xabdf6f1ce5060a81L,0xe79f9c72f8f95615L,0xcfd36c5406ac268bL,
+        0xabc2a2beebfd16d1L },
+      { 0x8ac66f91d3e2eac7L,0x6f10ba63d2dd0466L,0x6790e3770282d31bL,
+        0x4ea353946c7eefc1L } },
+    /* 142 */
+    { { 0xed8a2f8d5266309dL,0x0a51c6c081945a3eL,0xcecaf45a578c5dc1L,
+        0x3a76e6891c94ffc3L },
+      { 0x9aace8a47d7b0d0fL,0x963ace968f584a5fL,0x51a30c724e697fbeL,
+        0x8212a10a465e6464L } },
+    /* 143 */
+    { { 0xef7c61c3cfab8caaL,0x18eb8e840e142390L,0xcd1dff677e9733caL,
+        0xaa7cab71599cb164L },
+      { 0x02fc9273bc837bd1L,0xc06407d0c36af5d7L,0x17621292f423da49L,
+        0x40e38073fe0617c3L } },
+    /* 144 */
+    { { 0xf4f80824a7bf9b7cL,0x365d23203fbe30d0L,0xbfbe532097cf9ce3L,
+        0xe3604700b3055526L },
+      { 0x4dcb99116cc6c2c7L,0x72683708ba4cbee6L,0xdcded434637ad9ecL,
+        0x6542d677a3dee15fL } },
+    /* 145 */
+    { { 0x3f32b6d07b6c377aL,0x6cb03847903448beL,0xd6fdd3a820da8af7L,
+        0xa6534aee09bb6f21L },
+      { 0x30a1780d1035facfL,0x35e55a339dcb47e6L,0x6ea50fe1c447f393L,
+        0xf3cb672fdc9aef22L } },
+    /* 146 */
+    { { 0xeb3719fe3b55fd83L,0xe0d7a46c875ddd10L,0x33ac9fa905cea784L,
+        0x7cafaa2eaae870e7L },
+      { 0x9b814d041d53b338L,0xe0acc0a0ef87e6c6L,0xfb93d10811672b0fL,
+        0x0aab13c1b9bd522eL } },
+    /* 147 */
+    { { 0xddcce278d2681297L,0xcb350eb1b509546aL,0x2dc431737661aaf2L,
+        0x4b91a602847012e9L },
+      { 0xdcff109572f8ddcfL,0x08ebf61e9a911af4L,0x48f4360ac372430eL,
+        0x49534c5372321cabL } },
+    /* 148 */
+    { { 0x83df7d71f07b7e9dL,0xa478efa313cd516fL,0x78ef264b6c047ee3L,
+        0xcaf46c4fd65ac5eeL },
+      { 0xa04d0c7792aa8266L,0xedf45466913684bbL,0x56e65168ae4b16b0L,
+        0x14ce9e5704c6770fL } },
+    /* 149 */
+    { { 0x99445e3e965e8f91L,0xd3aca1bacb0f2492L,0xd31cc70f90c8a0a0L,
+        0x1bb708a53e4c9a71L },
+      { 0xd5ca9e69558bdd7aL,0x734a0508018a26b1L,0xb093aa714c9cf1ecL,
+        0xf9d126f2da300102L } },
+    /* 150 */
+    { { 0x749bca7aaff9563eL,0xdd077afeb49914a0L,0xe27a0311bf5f1671L,
+        0x807afcb9729ecc69L },
+      { 0x7f8a9337c9b08b77L,0x86c3a785443c7e38L,0x85fafa59476fd8baL,
+        0x751adcd16568cd8cL } },
+    /* 151 */
+    { { 0x8aea38b410715c0dL,0xd113ea718f7697f7L,0x665eab1493fbf06dL,
+        0x29ec44682537743fL },
+      { 0x3d94719cb50bebbcL,0x399ee5bfe4505422L,0x90cd5b3a8d2dedb1L,
+        0xff9370e392a4077dL } },
+    /* 152 */
+    { { 0x59a2d69bc6b75b65L,0x4188f8d5266651c5L,0x28a9f33e3de9d7d2L,
+        0x9776478ba2a9d01aL },
+      { 0x8852622d929af2c7L,0x334f5d6d4e690923L,0xce6cc7e5a89a51e9L,
+        0x74a6313fac2f82faL } },
+    /* 153 */
+    { { 0xb2f4dfddb75f079cL,0x85b07c9518e36fbbL,0x1b6cfcf0e7cd36ddL,
+        0xab75be150ff4863dL },
+      { 0x81b367c0173fc9b7L,0xb90a7420d2594fd0L,0x15fdbf03c4091236L,
+        0x4ebeac2e0b4459f6L } },
+    /* 154 */
+    { { 0xeb6c5fe75c9f2c53L,0xd25220118eae9411L,0xc8887633f95ac5d8L,
+        0xdf99887b2c1baffcL },
+      { 0xbb78eed2850aaecbL,0x9d49181b01d6a272L,0x978dd511b1cdbcacL,
+        0x27b040a7779f4058L } },
+    /* 155 */
+    { { 0x90405db7f73b2eb2L,0xe0df85088e1b2118L,0x501b71525962327eL,
+        0xb393dd37e4cfa3f5L },
+      { 0xa1230e7b3fd75165L,0xd66344c2bcd33554L,0x6c36f1be0f7b5022L,
+        0x09588c12d0463419L } },
+    /* 156 */
+    { { 0xe086093f02601c3bL,0xfb0252f8cf5c335fL,0x955cf280894aff28L,
+        0x81c879a9db9f648bL },
+      { 0x040e687cc6f56c51L,0xfed471693f17618cL,0x44f88a419059353bL,
+        0xfa0d48f55fc11bc4L } },
+    /* 157 */
+    { { 0xbc6e1c9de1608e4dL,0x010dda113582822cL,0xf6b7ddc1157ec2d7L,
+        0x8ea0e156b6a367d6L },
+      { 0xa354e02f2383b3b4L,0x69966b943f01f53cL,0x4ff6632b2de03ca5L,
+        0x3f5ab924fa00b5acL } },
+    /* 158 */
+    { { 0x337bb0d959739efbL,0xc751b0f4e7ebec0dL,0x2da52dd6411a67d1L,
+        0x8bc768872b74256eL },
+      { 0xa5be3b7282d3d253L,0xa9f679a1f58d779fL,0xa1cac168e16767bbL,
+        0xb386f19060fcf34fL } },
+    /* 159 */
+    { { 0x31f3c1352fedcfc2L,0x5396bf6262f8af0dL,0x9a02b4eae57288c2L,
+        0x4cb460f71b069c4dL },
+      { 0xae67b4d35b8095eaL,0x92bbf8596fc07603L,0xe1475f66b614a165L,
+        0x52c0d50895ef5223L } },
+    /* 160 */
+    { { 0x231c210e15339848L,0xe87a28e870778c8dL,0x9d1de6616956e170L,
+        0x4ac3c9382bb09c0bL },
+      { 0x19be05516998987dL,0x8b2376c4ae09f4d6L,0x1de0b7651a3f933dL,
+        0x380d94c7e39705f4L } },
+    /* 161 */
+    { { 0x01a355aa81542e75L,0x96c724a1ee01b9b7L,0x6b3a2977624d7087L,
+        0x2ce3e171de2637afL },
+      { 0xcfefeb49f5d5bc1aL,0xa655607e2777e2b5L,0x4feaac2f9513756cL,
+        0x2e6cd8520b624e4dL } },
+    /* 162 */
+    { { 0x3685954b8c31c31dL,0x68533d005bf21a0cL,0x0bd7626e75c79ec9L,
+        0xca17754742c69d54L },
+      { 0xcc6edafff6d2dbb2L,0xfd0d8cbd174a9d18L,0x875e8793aa4578e8L,
+        0xa976a7139cab2ce6L } },
+    /* 163 */
+    { { 0x0a651f1b93fb353dL,0xd75cab8b57fcfa72L,0xaa88cfa731b15281L,
+        0x8720a7170a1f4999L },
+      { 0x8c3e8d37693e1b90L,0xd345dc0b16f6dfc3L,0x8ea8d00ab52a8742L,
+        0x9719ef29c769893cL } },
+    /* 164 */
+    { { 0x820eed8d58e35909L,0x9366d8dc33ddc116L,0xd7f999d06e205026L,
+        0xa5072976e15704c1L },
+      { 0x002a37eac4e70b2eL,0x84dcf6576890aa8aL,0xcd71bf18645b2a5cL,
+        0x99389c9df7b77725L } },
+    /* 165 */
+    { { 0x238c08f27ada7a4bL,0x3abe9d03fd389366L,0x6b672e89766f512cL,
+        0xa88806aa202c82e4L },
+      { 0x6602044ad380184eL,0xa8cb78c4126a8b85L,0x79d670c0ad844f17L,
+        0x0043bffb4738dcfeL } },
+    /* 166 */
+    { { 0x8d59b5dc36d5192eL,0xacf885d34590b2afL,0x83566d0a11601781L,
+        0x52f3ef01ba6c4866L },
+      { 0x3986732a0edcb64dL,0x0a482c238068379fL,0x16cbe5fa7040f309L,
+        0x3296bd899ef27e75L } },
+    /* 167 */
+    { { 0x476aba89454d81d7L,0x9eade7ef51eb9b3cL,0x619a21cd81c57986L,
+        0x3b90febfaee571e9L },
+      { 0x9393023e5496f7cbL,0x55be41d87fb51bc4L,0x03f1dd4899beb5ceL,
+        0x6e88069d9f810b18L } },
+    /* 168 */
+    { { 0xce37ab11b43ea1dbL,0x0a7ff1a95259d292L,0x851b02218f84f186L,
+        0xa7222beadefaad13L },
+      { 0xa2ac78ec2b0a9144L,0x5a024051f2fa59c5L,0x91d1eca56147ce38L,
+        0xbe94d523bc2ac690L } },
+    /* 169 */
+    { { 0x72f4945e0b226ce7L,0xb8afd747967e8b70L,0xedea46f185a6c63eL,
+        0x7782defe9be8c766L },
+      { 0x760d2aa43db38626L,0x460ae78776f67ad1L,0x341b86fc54499cdbL,
+        0x03838567a2892e4bL } },
+    /* 170 */
+    { { 0x2d8daefd79ec1a0fL,0x3bbcd6fdceb39c97L,0xf5575ffc58f61a95L,
+        0xdbd986c4adf7b420L },
+      { 0x81aa881415f39eb7L,0x6ee2fcf5b98d976cL,0x5465475dcf2f717dL,
+        0x8e24d3c46860bbd0L } },
+    /* 171 */
+    { { 0x749d8e549a587390L,0x12bb194f0cbec588L,0x46e07da4b25983c6L,
+        0x541a99c4407bafc8L },
+      { 0xdb241692624c8842L,0x6044c12ad86c05ffL,0xc59d14b44f7fcf62L,
+        0xc0092c49f57d35d1L } },
+    /* 172 */
+    { { 0xd3cc75c3df2e61efL,0x7e8841c82e1b35caL,0xc62d30d1909f29f4L,
+        0x75e406347286944dL },
+      { 0xe7d41fc5bbc237d0L,0xc9537bf0ec4f01c9L,0x91c51a16282bd534L,
+        0x5b7cb658c7848586L } },
+    /* 173 */
+    { { 0x964a70848a28ead1L,0x802dc508fd3b47f6L,0x9ae4bfd1767e5b39L,
+        0x7ae13eba8df097a1L },
+      { 0xfd216ef8eadd384eL,0x0361a2d9b6b2ff06L,0x204b98784bcdb5f3L,
+        0x787d8074e2a8e3fdL } },
+    /* 174 */
+    { { 0xc5e25d6b757fbb1cL,0xe47bddb2ca201debL,0x4a55e9a36d2233ffL,
+        0x5c2228199ef28484L },
+      { 0x773d4a8588315250L,0x21b21a2b827097c1L,0xab7c4ea1def5d33fL,
+        0xe45d37abbaf0f2b0L } },
+    /* 175 */
+    { { 0xd2df1e3428511c8aL,0xebb229c8bdca6cd3L,0x578a71a7627c39a7L,
+        0xed7bc12284dfb9d3L },
+      { 0xcf22a6df93dea561L,0x5443f18dd48f0ed1L,0xd8b861405bad23e8L,
+        0xaac97cc945ca6d27L } },
+    /* 176 */
+    { { 0xeb54ea74a16bd00aL,0xd839e9adf5c0bcc1L,0x092bb7f11f9bfc06L,
+        0x318f97b31163dc4eL },
+      { 0xecc0c5bec30d7138L,0x44e8df23abc30220L,0x2bb7972fb0223606L,
+        0xfa41faa19a84ff4dL } },
+    /* 177 */
+    { { 0x4402d974a6642269L,0xc81814ce9bb783bdL,0x398d38e47941e60bL,
+        0x38bb6b2c1d26e9e2L },
+      { 0xc64e4a256a577f87L,0x8b52d253dc11fe1cL,0xff336abf62280728L,
+        0x94dd0905ce7601a5L } },
+    /* 178 */
+    { { 0x156cf7dcde93f92aL,0xa01333cb89b5f315L,0x02404df9c995e750L,
+        0x92077867d25c2ae9L },
+      { 0xe2471e010bf39d44L,0x5f2c902096bb53d7L,0x4c44b7b35c9c3d8fL,
+        0x81e8428bd29beb51L } },
+    /* 179 */
+    { { 0x6dd9c2bac477199fL,0x8cb8eeee6b5ecdd9L,0x8af7db3fee40fd0eL,
+        0x1b94ab62dbbfa4b1L },
+      { 0x44f0d8b3ce47f143L,0x51e623fc63f46163L,0xf18f270fcc599383L,
+        0x06a38e28055590eeL } },
+    /* 180 */
+    { { 0x2e5b0139b3355b49L,0x20e26560b4ebf99bL,0xc08ffa6bd269f3dcL,
+        0xa7b36c2083d9d4f8L },
+      { 0x64d15c3a1b3e8830L,0xd5fceae1a89f9c0bL,0xcfeee4a2e2d16930L,
+        0xbe54c6b4a2822a20L } },
+    /* 181 */
+    { { 0xd6cdb3df8d91167cL,0x517c3f79e7a6625eL,0x7105648f346ac7f4L,
+        0xbf30a5abeae022bbL },
+      { 0x8e7785be93828a68L,0x5161c3327f3ef036L,0xe11b5feb592146b2L,
+        0xd1c820de2732d13aL } },
+    /* 182 */
+    { { 0x043e13479038b363L,0x58c11f546b05e519L,0x4fe57abe6026cad1L,
+        0xb7d17bed68a18da3L },
+      { 0x44ca5891e29c2559L,0x4f7a03765bfffd84L,0x498de4af74e46948L,
+        0x3997fd5e6412cc64L } },
+    /* 183 */
+    { { 0xf20746828bd61507L,0x29e132d534a64d2aL,0xffeddfb08a8a15e3L,
+        0x0eeb89293c6c13e8L },
+      { 0xe9b69a3ea7e259f8L,0xce1db7e6d13e7e67L,0x277318f6ad1fa685L,
+        0x228916f8c922b6efL } },
+    /* 184 */
+    { { 0x959ae25b0a12ab5bL,0xcc11171f957bc136L,0x8058429ed16e2b0cL,
+        0xec05ad1d6e93097eL },
+      { 0x157ba5beac3f3708L,0x31baf93530b59d77L,0x47b55237118234e5L,
+        0x7d3141567ff11b37L } },
+    /* 185 */
+    { { 0x7bd9c05cf6dfefabL,0xbe2f2268dcb37707L,0xe53ead973a38bb95L,
+        0xe9ce66fc9bc1d7a3L },
+      { 0x75aa15766f6a02a1L,0x38c087df60e600edL,0xf8947f3468cdc1b9L,
+        0xd9650b0172280651L } },
+    /* 186 */
+    { { 0x504b4c4a5a057e60L,0xcbccc3be8def25e4L,0xa635320817c1ccbdL,
+        0x14d6699a804eb7a2L },
+      { 0x2c8a8415db1f411aL,0x09fbaf0bf80d769cL,0xb4deef901c2f77adL,
+        0x6f4c68410d43598aL } },
+    /* 187 */
+    { { 0x8726df4e96c24a96L,0x534dbc85fcbd99a3L,0x3c466ef28b2ae30aL,
+        0x4c4350fd61189abbL },
+      { 0x2967f716f855b8daL,0x41a42394463c38a1L,0xc37e1413eae93343L,
+        0xa726d2425a3118b5L } },
+    /* 188 */
+    { { 0xdae6b3ee948c1086L,0xf1de503dcbd3a2e1L,0x3f35ed3f03d022f3L,
+        0x13639e82cc6cf392L },
+      { 0x9ac938fbcdafaa86L,0xf45bc5fb2654a258L,0x1963b26e45051329L,
+        0xca9365e1c1a335a3L } },
+    /* 189 */
+    { { 0x3615ac754c3b2d20L,0x742a5417904e241bL,0xb08521c4cc9d071dL,
+        0x9ce29c34970b72a5L },
+      { 0x8cc81f736d3e0ad6L,0x8060da9ef2f8434cL,0x35ed1d1a6ce862d9L,
+        0x48c4abd7ab42af98L } },
+    /* 190 */
+    { { 0xd221b0cc40c7485aL,0xead455bbe5274dbfL,0x493c76989263d2e8L,
+        0x78017c32f67b33cbL },
+      { 0xb9d35769930cb5eeL,0xc0d14e940c408ed2L,0xf8b7bf55272f1a4dL,
+        0x53cd0454de5c1c04L } },
+    /* 191 */
+    { { 0xbcd585fa5d28ccacL,0x5f823e56005b746eL,0x7c79f0a1cd0123aaL,
+        0xeea465c1d3d7fa8fL },
+      { 0x7810659f0551803bL,0x6c0b599f7ce6af70L,0x4195a77029288e70L,
+        0x1b6e42a47ae69193L } },
+    /* 192 */
+    { { 0x2e80937cf67d04c3L,0x1e312be289eeb811L,0x56b5d88792594d60L,
+        0x0224da14187fbd3dL },
+      { 0x87abb8630c5fe36fL,0x580f3c604ef51f5fL,0x964fb1bfb3b429ecL,
+        0x60838ef042bfff33L } },
+    /* 193 */
+    { { 0x432cb2f27e0bbe99L,0x7bda44f304aa39eeL,0x5f497c7a9fa93903L,
+        0x636eb2022d331643L },
+      { 0xfcfd0e6193ae00aaL,0x875a00fe31ae6d2fL,0xf43658a29f93901cL,
+        0x8844eeb639218bacL } },
+    /* 194 */
+    { { 0x114171d26b3bae58L,0x7db3df7117e39f3eL,0xcd37bc7f81a8eadaL,
+        0x27ba83dc51fb789eL },
+      { 0xa7df439ffbf54de5L,0x7277030bb5fe1a71L,0x42ee8e35db297a48L,
+        0xadb62d3487f3a4abL } },
+    /* 195 */
+    { { 0x9b1168a2a175df2aL,0x082aa04f618c32e9L,0xc9e4f2e7146b0916L,
+        0xb990fd7675e7c8b2L },
+      { 0x0829d96b4df37313L,0x1c205579d0b40789L,0x66c9ae4a78087711L,
+        0x81707ef94d10d18dL } },
+    /* 196 */
+    { { 0x97d7cab203d6ff96L,0x5b851bfc0d843360L,0x268823c4d042db4bL,
+        0x3792daead5a8aa5cL },
+      { 0x52818865941afa0bL,0xf3e9e74142d83671L,0x17c825275be4e0a7L,
+        0x5abd635e94b001baL } },
+    /* 197 */
+    { { 0x727fa84e0ac4927cL,0xe3886035a7c8cf23L,0xa4bcd5ea4adca0dfL,
+        0x5995bf21846ab610L },
+      { 0xe90f860b829dfa33L,0xcaafe2ae958fc18bL,0x9b3baf4478630366L,
+        0x44c32ca2d483411eL } },
+    /* 198 */
+    { { 0xa74a97f1e40ed80cL,0x5f938cb131d2ca82L,0x53f2124b7c2d6ad9L,
+        0x1f2162fb8082a54cL },
+      { 0x7e467cc5720b173eL,0x40e8a666085f12f9L,0x8cebc20e4c9d65dcL,
+        0x8f1d402bc3e907c9L } },
+    /* 199 */
+    { { 0x4f592f9cfbc4058aL,0xb15e14b6292f5670L,0xc55cfe37bc1d8c57L,
+        0xb1980f43926edbf9L },
+      { 0x98c33e0932c76b09L,0x1df5279d33b07f78L,0x6f08ead4863bb461L,
+        0x2828ad9b37448e45L } },
+    /* 200 */
+    { { 0x696722c4c4cf4ac5L,0xf5ac1a3fdde64afbL,0x0551baa2e0890832L,
+        0x4973f1275a14b390L },
+      { 0xe59d8335322eac5dL,0x5e07eef50bd9b568L,0xab36720fa2588393L,
+        0x6dac8ed0db168ac7L } },
+    /* 201 */
+    { { 0xf7b545aeeda835efL,0x4aa113d21d10ed51L,0x035a65e013741b09L,
+        0x4b23ef5920b9de4cL },
+      { 0xe82bb6803c4c7341L,0xd457706d3f58bc37L,0x73527863a51e3ee8L,
+        0x4dd71534ddf49a4eL } },
+    /* 202 */
+    { { 0xbf94467295476cd9L,0x648d072fe31a725bL,0x1441c8b8fc4b67e0L,
+        0xfd3170002f4a4dbbL },
+      { 0x1cb43ff48995d0e1L,0x76e695d10ef729aaL,0xe0d5f97641798982L,
+        0x14fac58c9569f365L } },
+    /* 203 */
+    { { 0xad9a0065f312ae18L,0x51958dc0fcc93fc9L,0xd9a142408a7d2846L,
+        0xed7c765136abda50L },
+      { 0x46270f1a25d4abbcL,0x9b5dd8f3f1a113eaL,0xc609b0755b51952fL,
+        0xfefcb7f74d2e9f53L } },
+    /* 204 */
+    { { 0xbd09497aba119185L,0xd54e8c30aac45ba4L,0x492479deaa521179L,
+        0x1801a57e87e0d80bL },
+      { 0x073d3f8dfcafffb0L,0x6cf33c0bae255240L,0x781d763b5b5fdfbcL,
+        0x9f8fc11e1ead1064L } },
+    /* 205 */
+    { { 0x1583a1715e69544cL,0x0eaf8567f04b7813L,0x1e22a8fd278a4c32L,
+        0xa9d3809d3d3a69a9L },
+      { 0x936c2c2c59a2da3bL,0x38ccbcf61895c847L,0x5e65244e63d50869L,
+        0x3006b9aee1178ef7L } },
+    /* 206 */
+    { { 0x0bb1f2b0c9eead28L,0x7eef635d89f4dfbcL,0x074757fdb2ce8939L,
+        0x0ab85fd745f8f761L },
+      { 0xecda7c933e5b4549L,0x4be2bb5c97922f21L,0x261a1274b43b8040L,
+        0xb122d67511e942c2L } },
+    /* 207 */
+    { { 0x3be607be66a5ae7aL,0x01e703fa76adcbe3L,0xaf9043014eb6e5c5L,
+        0x9f599dc1097dbaecL },
+      { 0x6d75b7180ff250edL,0x8eb91574349a20dcL,0x425605a410b227a3L,
+        0x7d5528e08a294b78L } },
+    /* 208 */
+    { { 0xf0f58f6620c26defL,0x025585ea582b2d1eL,0xfbe7d79b01ce3881L,
+        0x28ccea01303f1730L },
+      { 0xd1dabcd179644ba5L,0x1fc643e806fff0b8L,0xa60a76fc66b3e17bL,
+        0xc18baf48a1d013bfL } },
+    /* 209 */
+    { { 0x34e638c85dc4216dL,0x00c01067206142acL,0xd453a17195f5064aL,
+        0x9def809db7a9596bL },
+      { 0x41e8642e67ab8d2cL,0xb42404336237a2b6L,0x7d506a6d64c4218bL,
+        0x0357f8b068808ce5L } },
+    /* 210 */
+    { { 0x8e9dbe644cd2cc88L,0xcc61c28df0b8f39dL,0x4a309874cd30a0c8L,
+        0xe4a01add1b489887L },
+      { 0x2ed1eeacf57cd8f9L,0x1b767d3ebd594c48L,0xa7295c717bd2f787L,
+        0x466d7d79ce10cc30L } },
+    /* 211 */
+    { { 0x47d318929dada2c7L,0x4fa0a6c38f9aa27dL,0x90e4fd28820a59e1L,
+        0xc672a522451ead1aL },
+      { 0x30607cc85d86b655L,0xf0235d3bf9ad4af1L,0x99a08680571172a6L,
+        0x5e3d64faf2a67513L } },
+    /* 212 */
+    { { 0xaa6410c79b3b4416L,0xcd8fcf85eab26d99L,0x5ebff74adb656a74L,
+        0x6c8a7a95eb8e42fcL },
+      { 0x10c60ba7b02a63bdL,0x6b2f23038b8f0047L,0x8c6c3738312d90b0L,
+        0x348ae422ad82ca91L } },
+    /* 213 */
+    { { 0x7f4746635ccda2fbL,0x22accaa18e0726d2L,0x85adf782492b1f20L,
+        0xc1074de0d9ef2d2eL },
+      { 0xfcf3ce44ae9a65b3L,0xfd71e4ac05d7151bL,0xd4711f50ce6a9788L,
+        0xfbadfbdbc9e54ffcL } },
+    /* 214 */
+    { { 0x1713f1cd20a99363L,0xb915658f6cf22775L,0x968175cd24d359b2L,
+        0xb7f976b483716fcdL },
+      { 0x5758e24d5d6dbf74L,0x8d23bafd71c3af36L,0x48f477600243dfe3L,
+        0xf4d41b2ecafcc805L } },
+    /* 215 */
+    { { 0x51f1cf28fdabd48dL,0xce81be3632c078a4L,0x6ace2974117146e9L,
+        0x180824eae0160f10L },
+      { 0x0387698b66e58358L,0x63568752ce6ca358L,0x82380e345e41e6c5L,
+        0x67e5f63983cf6d25L } },
+    /* 216 */
+    { { 0xf89ccb8dcf4899efL,0x949015f09ebb44c0L,0x546f9276b2598ec9L,
+        0x9fef789a04c11fc6L },
+      { 0x6d367ecf53d2a071L,0xb10e1a7fa4519b09L,0xca6b3fb0611e2eefL,
+        0xbc80c181a99c4e20L } },
+    /* 217 */
+    { { 0x972536f8e5eb82e6L,0x1a484fc7f56cb920L,0xc78e217150b5da5eL,
+        0x49270e629f8cdf10L },
+      { 0x1a39b7bbea6b50adL,0x9a0284c1a2388ffcL,0x5403eb178107197bL,
+        0xd2ee52f961372f7fL } },
+    /* 218 */
+    { { 0xd37cd28588e0362aL,0x442fa8a78fa5d94dL,0xaff836e5a434a526L,
+        0xdfb478bee5abb733L },
+      { 0xa91f1ce7673eede6L,0xa5390ad42b5b2f04L,0x5e66f7bf5530da2fL,
+        0xd9a140b408df473aL } },
+    /* 219 */
+    { { 0x0e0221b56e8ea498L,0x623478293563ee09L,0xe06b8391335d2adeL,
+        0x760c058d623f4b1aL },
+      { 0x0b89b58cc198aa79L,0xf74890d2f07aba7fL,0x4e204110fde2556aL,
+        0x7141982d8f190409L } },
+    /* 220 */
+    { { 0x6f0a0e334d4b0f45L,0xd9280b38392a94e1L,0x3af324c6b3c61d5eL,
+        0x3af9d1ce89d54e47L },
+      { 0xfd8f798120930371L,0xeda2664c21c17097L,0x0e9545dcdc42309bL,
+        0xb1f815c373957dd6L } },
+    /* 221 */
+    { { 0x84faa78e89fec44aL,0xc8c2ae473caa4cafL,0x691c807dc1b6a624L,
+        0xa41aed141543f052L },
+      { 0x424353997d5ffe04L,0x8bacb2df625b6e20L,0x85d660be87817775L,
+        0xd6e9c1dd86fb60efL } },
+    /* 222 */
+    { { 0x3aa2e97ec6853264L,0x771533b7e2304a0bL,0x1b912bb7b8eae9beL,
+        0x9c9c6e10ae9bf8c2L },
+      { 0xa2309a59e030b74cL,0x4ed7494d6a631e90L,0x89f44b23a49b79f2L,
+        0x566bd59640fa61b6L } },
+    /* 223 */
+    { { 0x066c0118c18061f3L,0x190b25d37c83fc70L,0xf05fc8e027273245L,
+        0xcf2c7390f525345eL },
+      { 0xa09bceb410eb30cfL,0xcfd2ebba0d77703aL,0xe842c43a150ff255L,
+        0x02f517558aa20979L } },
+    /* 224 */
+    { { 0x396ef794addb7d07L,0x0b4fc74224455500L,0xfaff8eacc78aa3ceL,
+        0x14e9ada5e8d4d97dL },
+      { 0xdaa480a12f7079e2L,0x45baa3cde4b0800eL,0x01765e2d7838157dL,
+        0xa0ad4fab8e9d9ae8L } },
+    /* 225 */
+    { { 0x0bfb76214a653618L,0x1872813c31eaaa5fL,0x1553e73744949d5eL,
+        0xbcd530b86e56ed1eL },
+      { 0x169be85332e9c47bL,0xdc2776feb50059abL,0xcdba9761192bfbb4L,
+        0x909283cf6979341dL } },
+    /* 226 */
+    { { 0x67b0032476e81a13L,0x9bee1a9962171239L,0x08ed361bd32e19d6L,
+        0x35eeb7c9ace1549aL },
+      { 0x1280ae5a7e4e5bdcL,0x2dcd2cd3b6ceec6eL,0x52e4224c6e266bc1L,
+        0x9a8b2cf4448ae864L } },
+    /* 227 */
+    { { 0xf6471bf209d03b59L,0xc90e62a3b65af2abL,0xff7ff168ebd5eec9L,
+        0x6bdb60f4d4491379L },
+      { 0xdadafebc8a55bc30L,0xc79ead1610097fe0L,0x42e197414c1e3bddL,
+        0x01ec3cfd94ba08a9L } },
+    /* 228 */
+    { { 0xba6277ebdc9485c2L,0x48cc9a7922fb10c7L,0x4f61d60f70a28d8aL,
+        0xd1acb1c0475464f6L },
+      { 0xd26902b126f36612L,0x59c3a44ee0618d8bL,0x4df8a813308357eeL,
+        0x7dcd079d405626c2L } },
+    /* 229 */
+    { { 0x5ce7d4d3f05a4b48L,0xadcd295237230772L,0xd18f7971812a915aL,
+        0x0bf53589377d19b8L },
+      { 0x35ecd95a6c68ea73L,0xc7f3bbca823a584dL,0x9fb674c6f473a723L,
+        0xd28be4d9e16686fcL } },
+    /* 230 */
+    { { 0x5d2b990638fa8e4bL,0x559f186e893fd8fcL,0x3a6de2aa436fb6fcL,
+        0xd76007aa510f88ceL },
+      { 0x2d10aab6523a4988L,0xb455cf4474dd0273L,0x7f467082a3407278L,
+        0xf2b52f68b303bb01L } },
+    /* 231 */
+    { { 0x0d57eafa9835b4caL,0x2d2232fcbb669cbcL,0x8eeeb680c6643198L,
+        0xd8dbe98ecc5aed3aL },
+      { 0xcba9be3fc5a02709L,0x30be68e5f5ba1fa8L,0xfebd43cdf10ea852L,
+        0xe01593a3ee559705L } },
+    /* 232 */
+    { { 0xd3e5af50ea75a0a6L,0x512226ac57858033L,0x6fe6d50fd0176406L,
+        0xafec07b1aeb8ef06L },
+      { 0x7fb9956780bb0a31L,0x6f1af3cc37309aaeL,0x9153a15a01abf389L,
+        0xa71b93546e2dbfddL } },
+    /* 233 */
+    { { 0xbf8e12e018f593d2L,0xd1a90428a078122bL,0x150505db0ba4f2adL,
+        0x53a2005c628523d9L },
+      { 0x07c8b639e7f2b935L,0x2bff975ac182961aL,0x86bceea77518ca2cL,
+        0xbf47d19b3d588e3dL } },
+    /* 234 */
+    { { 0x672967a7dd7665d5L,0x4e3030572f2f4de5L,0x144005ae80d4903fL,
+        0x001c2c7f39c9a1b6L },
+      { 0x143a801469efc6d6L,0xc810bdaa7bc7a724L,0x5f65670ba78150a4L,
+        0xfdadf8e786ffb99bL } },
+    /* 235 */
+    { { 0xfd38cb88ffc00785L,0x77fa75913b48eb67L,0x0454d055bf368fbcL,
+        0x3a838e4d5aa43c94L },
+      { 0x561663293e97bb9aL,0x9eb93363441d94d9L,0x515591a60adb2a83L,
+        0x3cdb8257873e1da3L } },
+    /* 236 */
+    { { 0x137140a97de77eabL,0xf7e1c50d41648109L,0x762dcad2ceb1d0dfL,
+        0x5a60cc89f1f57fbaL },
+      { 0x80b3638240d45673L,0x1b82be195913c655L,0x057284b8dd64b741L,
+        0x922ff56fdbfd8fc0L } },
+    /* 237 */
+    { { 0x1b265deec9a129a1L,0xa5b1ce57cc284e04L,0x04380c46cebfbe3cL,
+        0x72919a7df6c5cd62L },
+      { 0x298f453a8fb90f9aL,0xd719c00b88e4031bL,0xe32c0e77796f1856L,
+        0x5e7917803624089aL } },
+    /* 238 */
+    { { 0x5c16ec557f63cdfbL,0x8e6a3571f1cae4fdL,0xfce26bea560597caL,
+        0x4e0a5371e24c2fabL },
+      { 0x276a40d3a5765357L,0x3c89af440d73a2b4L,0xb8f370ae41d11a32L,
+        0xf5ff7818d56604eeL } },
+    /* 239 */
+    { { 0xfbf3e3fe1a09df21L,0x26d5d28ee66e8e47L,0x2096bd0a29c89015L,
+        0xe41df0e9533f5e64L },
+      { 0x305fda40b3ba9e3fL,0xf2340ceb2604d895L,0x0866e1927f0367c7L,
+        0x8edd7d6eac4f155fL } },
+    /* 240 */
+    { { 0xc9a1dc0e0bfc8ff3L,0x14efd82be936f42fL,0x67016f7ccca381efL,
+        0x1432c1caed8aee96L },
+      { 0xec68482970b23c26L,0xa64fe8730735b273L,0xe389f6e5eaef0f5aL,
+        0xcaef480b5ac8d2c6L } },
+    /* 241 */
+    { { 0x5245c97875315922L,0xd82951713063cca5L,0xf3ce60d0b64ef2cbL,
+        0xd0ba177e8efae236L },
+      { 0x53a9ae8fb1b3af60L,0x1a796ae53d2da20eL,0x01d63605df9eef28L,
+        0xf31c957c1c54ae16L } },
+    /* 242 */
+    { { 0xc0f58d5249cc4597L,0xdc5015b0bae0a028L,0xefc5fc55734a814aL,
+        0x013404cb96e17c3aL },
+      { 0xb29e2585c9a824bfL,0xd593185e001eaed7L,0x8d6ee68261ef68acL,
+        0x6f377c4b91933e6cL } },
+    /* 243 */
+    { { 0x9f93bad1a8333fd2L,0xa89302025a2a95b8L,0x211e5037eaf75aceL,
+        0x6dba3e4ed2d09506L },
+      { 0xa48ef98cd04399cdL,0x1811c66ee6b73adeL,0x72f60752c17ecaf3L,
+        0xf13cf3423becf4a7L } },
+    /* 244 */
+    { { 0xceeb9ec0a919e2ebL,0x83a9a195f62c0f68L,0xcfba3bb67aba2299L,
+        0xc83fa9a9274bbad3L },
+      { 0x0d7d1b0b62fa1ce0L,0xe58b60f53418efbfL,0xbfa8ef9e52706f04L,
+        0xb49d70f45d702683L } },
+    /* 245 */
+    { { 0x914c7510fad5513bL,0x05f32eecb1751e2dL,0x6d850418d9fb9d59L,
+        0x59cfadbb0c30f1cfL },
+      { 0xe167ac2355cb7fd6L,0x249367b8820426a3L,0xeaeec58c90a78864L,
+        0x5babf362354a4b67L } },
+    /* 246 */
+    { { 0x37c981d1ee424865L,0x8b002878f2e5577fL,0x702970f1b9e0c058L,
+        0x6188c6a79026c8f0L },
+      { 0x06f9a19bd0f244daL,0x1ecced5cfb080873L,0x35470f9b9f213637L,
+        0x993fe475df50b9d9L } },
+    /* 247 */
+    { { 0x68e31cdf9b2c3609L,0x84eb19c02c46d4eaL,0x7ac9ec1a9a775101L,
+        0x81f764664c80616bL },
+      { 0x1d7c2a5a75fbe978L,0x6743fed3f183b356L,0x838d1f04501dd2bfL,
+        0x564a812a5fe9060dL } },
+    /* 248 */
+    { { 0x7a5a64f4fa817d1dL,0x55f96844bea82e0fL,0xb5ff5a0fcd57f9aaL,
+        0x226bf3cf00e51d6cL },
+      { 0xd6d1a9f92f2833cfL,0x20a0a35a4f4f89a8L,0x11536c498f3f7f77L,
+        0x68779f47ff257836L } },
+    /* 249 */
+    { { 0x79b0c1c173043d08L,0xa54467741fc020faL,0xd3767e289a6d26d0L,
+        0x97bcb0d1eb092e0bL },
+      { 0x2ab6eaa8f32ed3c3L,0xc8a4f151b281bc48L,0x4d1bf4f3bfa178f3L,
+        0xa872ffe80a784655L } },
+    /* 250 */
+    { { 0xb1ab7935a32b2086L,0xe1eb710e8160f486L,0x9bd0cd913b6ae6beL,
+        0x02812bfcb732a36aL },
+      { 0xa63fd7cacf605318L,0x646e5d50fdfd6d1dL,0xa1d683982102d619L,
+        0x07391cc9fe5396afL } },
+    /* 251 */
+    { { 0xc50157f08b80d02bL,0x6b8333d162877f7fL,0x7aca1af878d542aeL,
+        0x355d2adc7e6d2a08L },
+      { 0xb41f335a287386e1L,0xfd272a94f8e43275L,0x286ca2cde79989eaL,
+        0x3dc2b1e37c2a3a79L } },
+    /* 252 */
+    { { 0xd689d21c04581352L,0x0a00c825376782beL,0x203bd5909fed701fL,
+        0xc47869103ccd846bL },
+      { 0x5dba770824c768edL,0x72feea026841f657L,0x73313ed56accce0eL,
+        0xccc42968d5bb4d32L } },
+    /* 253 */
+    { { 0x94e50de13d7620b9L,0xd89a5c8a5992a56aL,0xdc007640675487c9L,
+        0xe147eb42aa4871cfL },
+      { 0x274ab4eeacf3ae46L,0xfd4936fb50350fbeL,0xdf2afe4748c840eaL,
+        0x239ac047080e96e3L } },
+    /* 254 */
+    { { 0x481d1f352bfee8d4L,0xce80b5cffa7b0fecL,0x105c4c9e2ce9af3cL,
+        0xc55fa1a3f5f7e59dL },
+      { 0x3186f14e8257c227L,0xc5b1653f342be00bL,0x09afc998aa904fb2L,
+        0x094cd99cd4f4b699L } },
+    /* 255 */
+    { { 0x8a981c84d703bebaL,0x8631d15032ceb291L,0xa445f2c9e3bd49ecL,
+        0xb90a30b642abad33L },
+      { 0xb465404fb4a5abf9L,0x004750c375db7603L,0x6f9a42ccca35d89fL,
+        0x019f8b9a1b7924f7L } },
+};
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_4(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#ifdef HAVE_INTEL_AVX2
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_avx2_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_stripe_avx2_4(r, &p256_base, p256_table,
+                                      k, map, heap);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#else /* WOLFSSL_SP_SMALL */
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_4_7[130] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
+    48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
+    64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49,
+    48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_4_7[130] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_256_ecc_recode_7_4(const sp_digit* k, ecc_recode_256* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<37; i++) {
+        y = n;
+        if (o + 7 < 64) {
+            y &= 0x7f;
+            n >>= 7;
+            o += 7;
+        }
+        else if (o + 7 == 64) {
+            n >>= 7;
+            if (++j < 4)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 4) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x7f;
+            o -= 57;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_4_7[y];
+        v[i].neg = recode_neg_4_7[y];
+        carry = (y >> 7) + v[i].neg;
+    }
+}
+
+static const sp_table_entry_256 p256_table[2405] = {
+    /* 0 << 0 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 0 */
+    { { 0x79e730d418a9143cL,0x75ba95fc5fedb601L,0x79fb732b77622510L,
+        0x18905f76a53755c6L },
+      { 0xddf25357ce95560aL,0x8b4ab8e4ba19e45cL,0xd2e88688dd21f325L,
+        0x8571ff1825885d85L } },
+    /* 2 << 0 */
+    { { 0x850046d410ddd64dL,0xaa6ae3c1a433827dL,0x732205038d1490d9L,
+        0xf6bb32e43dcf3a3bL },
+      { 0x2f3648d361bee1a5L,0x152cd7cbeb236ff8L,0x19a8fb0e92042dbeL,
+        0x78c577510a5b8a3bL } },
+    /* 3 << 0 */
+    { { 0xffac3f904eebc127L,0xb027f84a087d81fbL,0x66ad77dd87cbbc98L,
+        0x26936a3fb6ff747eL },
+      { 0xb04c5c1fc983a7ebL,0x583e47ad0861fe1aL,0x788208311a2ee98eL,
+        0xd5f06a29e587cc07L } },
+    /* 4 << 0 */
+    { { 0x74b0b50d46918dccL,0x4650a6edc623c173L,0x0cdaacace8100af2L,
+        0x577362f541b0176bL },
+      { 0x2d96f24ce4cbaba6L,0x17628471fad6f447L,0x6b6c36dee5ddd22eL,
+        0x84b14c394c5ab863L } },
+    /* 5 << 0 */
+    { { 0xbe1b8aaec45c61f5L,0x90ec649a94b9537dL,0x941cb5aad076c20cL,
+        0xc9079605890523c8L },
+      { 0xeb309b4ae7ba4f10L,0x73c568efe5eb882bL,0x3540a9877e7a1f68L,
+        0x73a076bb2dd1e916L } },
+    /* 6 << 0 */
+    { { 0x403947373e77664aL,0x55ae744f346cee3eL,0xd50a961a5b17a3adL,
+        0x13074b5954213673L },
+      { 0x93d36220d377e44bL,0x299c2b53adff14b5L,0xf424d44cef639f11L,
+        0xa4c9916d4a07f75fL } },
+    /* 7 << 0 */
+    { { 0x0746354ea0173b4fL,0x2bd20213d23c00f7L,0xf43eaab50c23bb08L,
+        0x13ba5119c3123e03L },
+      { 0x2847d0303f5b9d4dL,0x6742f2f25da67bddL,0xef933bdc77c94195L,
+        0xeaedd9156e240867L } },
+    /* 8 << 0 */
+    { { 0x27f14cd19499a78fL,0x462ab5c56f9b3455L,0x8f90f02af02cfc6bL,
+        0xb763891eb265230dL },
+      { 0xf59da3a9532d4977L,0x21e3327dcf9eba15L,0x123c7b84be60bbf0L,
+        0x56ec12f27706df76L } },
+    /* 9 << 0 */
+    { { 0x75c96e8f264e20e8L,0xabe6bfed59a7a841L,0x2cc09c0444c8eb00L,
+        0xe05b3080f0c4e16bL },
+      { 0x1eb7777aa45f3314L,0x56af7bedce5d45e3L,0x2b6e019a88b12f1aL,
+        0x086659cdfd835f9bL } },
+    /* 10 << 0 */
+    { { 0x2c18dbd19dc21ec8L,0x98f9868a0fcf8139L,0x737d2cd648250b49L,
+        0xcc61c94724b3428fL },
+      { 0x0c2b407880dd9e76L,0xc43a8991383fbe08L,0x5f7d2d65779be5d2L,
+        0x78719a54eb3b4ab5L } },
+    /* 11 << 0 */
+    { { 0xea7d260a6245e404L,0x9de407956e7fdfe0L,0x1ff3a4158dac1ab5L,
+        0x3e7090f1649c9073L },
+      { 0x1a7685612b944e88L,0x250f939ee57f61c8L,0x0c0daa891ead643dL,
+        0x68930023e125b88eL } },
+    /* 12 << 0 */
+    { { 0x04b71aa7d2697768L,0xabdedef5ca345a33L,0x2409d29dee37385eL,
+        0x4ee1df77cb83e156L },
+      { 0x0cac12d91cbb5b43L,0x170ed2f6ca895637L,0x28228cfa8ade6d66L,
+        0x7ff57c9553238acaL } },
+    /* 13 << 0 */
+    { { 0xccc425634b2ed709L,0x0e356769856fd30dL,0xbcbcd43f559e9811L,
+        0x738477ac5395b759L },
+      { 0x35752b90c00ee17fL,0x68748390742ed2e3L,0x7cd06422bd1f5bc1L,
+        0xfbc08769c9e7b797L } },
+    /* 14 << 0 */
+    { { 0xa242a35bb0cf664aL,0x126e48f77f9707e3L,0x1717bf54c6832660L,
+        0xfaae7332fd12c72eL },
+      { 0x27b52db7995d586bL,0xbe29569e832237c2L,0xe8e4193e2a65e7dbL,
+        0x152706dc2eaa1bbbL } },
+    /* 15 << 0 */
+    { { 0x72bcd8b7bc60055bL,0x03cc23ee56e27e4bL,0xee337424e4819370L,
+        0xe2aa0e430ad3da09L },
+      { 0x40b8524f6383c45dL,0xd766355442a41b25L,0x64efa6de778a4797L,
+        0x2042170a7079adf4L } },
+    /* 16 << 0 */
+    { { 0x808b0b650bc6fb80L,0x5882e0753ffe2e6bL,0xd5ef2f7c2c83f549L,
+        0x54d63c809103b723L },
+      { 0xf2f11bd652a23f9bL,0x3670c3194b0b6587L,0x55c4623bb1580e9eL,
+        0x64edf7b201efe220L } },
+    /* 17 << 0 */
+    { { 0x97091dcbd53c5c9dL,0xf17624b6ac0a177bL,0xb0f139752cfe2dffL,
+        0xc1a35c0a6c7a574eL },
+      { 0x227d314693e79987L,0x0575bf30e89cb80eL,0x2f4e247f0d1883bbL,
+        0xebd512263274c3d0L } },
+    /* 18 << 0 */
+    { { 0x5f3e51c856ada97aL,0x4afc964d8f8b403eL,0xa6f247ab412e2979L,
+        0x675abd1b6f80ebdaL },
+      { 0x66a2bd725e485a1dL,0x4b2a5caf8f4f0b3cL,0x2626927f1b847bbaL,
+        0x6c6fc7d90502394dL } },
+    /* 19 << 0 */
+    { { 0xfea912baa5659ae8L,0x68363aba25e1a16eL,0xb8842277752c41acL,
+        0xfe545c282897c3fcL },
+      { 0x2d36e9e7dc4c696bL,0x5806244afba977c5L,0x85665e9be39508c1L,
+        0xf720ee256d12597bL } },
+    /* 20 << 0 */
+    { { 0x8a979129d2337a31L,0x5916868f0f862bdcL,0x048099d95dd283baL,
+        0xe2d1eeb6fe5bfb4eL },
+      { 0x82ef1c417884005dL,0xa2d4ec17ffffcbaeL,0x9161c53f8aa95e66L,
+        0x5ee104e1c5fee0d0L } },
+    /* 21 << 0 */
+    { { 0x562e4cecc135b208L,0x74e1b2654783f47dL,0x6d2a506c5a3f3b30L,
+        0xecead9f4c16762fcL },
+      { 0xf29dd4b2e286e5b9L,0x1b0fadc083bb3c61L,0x7a75023e7fac29a4L,
+        0xc086d5f1c9477fa3L } },
+    /* 22 << 0 */
+    { { 0x0fc611352f6f3076L,0xc99ffa23e3912a9aL,0x6a0b0685d2f8ba3dL,
+        0xfdc777e8e93358a4L },
+      { 0x94a787bb35415f04L,0x640c2d6a4d23fea4L,0x9de917da153a35b5L,
+        0x793e8d075d5cd074L } },
+    /* 23 << 0 */
+    { { 0xf4f876532de45068L,0x37c7a7e89e2e1f6eL,0xd0825fa2a3584069L,
+        0xaf2cea7c1727bf42L },
+      { 0x0360a4fb9e4785a9L,0xe5fda49c27299f4aL,0x48068e1371ac2f71L,
+        0x83d0687b9077666fL } },
+    /* 24 << 0 */
+    { { 0x6d3883b215d02819L,0x6d0d755040dd9a35L,0x61d7cbf91d2b469fL,
+        0xf97b232f2efc3115L },
+      { 0xa551d750b24bcbc7L,0x11ea494988a1e356L,0x7669f03193cb7501L,
+        0x595dc55eca737b8aL } },
+    /* 25 << 0 */
+    { { 0xa4a319acd837879fL,0x6fc1b49eed6b67b0L,0xe395993332f1f3afL,
+        0x966742eb65432a2eL },
+      { 0x4b8dc9feb4966228L,0x96cc631243f43950L,0x12068859c9b731eeL,
+        0x7b948dc356f79968L } },
+    /* 26 << 0 */
+    { { 0x61e4ad32ed1f8008L,0xe6c9267ad8b17538L,0x1ac7c5eb857ff6fbL,
+        0x994baaa855f2fb10L },
+      { 0x84cf14e11d248018L,0x5a39898b628ac508L,0x14fde97b5fa944f5L,
+        0xed178030d12e5ac7L } },
+    /* 27 << 0 */
+    { { 0x042c2af497e2feb4L,0xd36a42d7aebf7313L,0x49d2c9eb084ffdd7L,
+        0x9f8aa54b2ef7c76aL },
+      { 0x9200b7ba09895e70L,0x3bd0c66fddb7fb58L,0x2d97d10878eb4cbbL,
+        0x2d431068d84bde31L } },
+    /* 28 << 0 */
+    { { 0x4b523eb7172ccd1fL,0x7323cb2830a6a892L,0x97082ec0cfe153ebL,
+        0xe97f6b6af2aadb97L },
+      { 0x1d3d393ed1a83da1L,0xa6a7f9c7804b2a68L,0x4a688b482d0cb71eL,
+        0xa9b4cc5f40585278L } },
+    /* 29 << 0 */
+    { { 0x5e5db46acb66e132L,0xf1be963a0d925880L,0x944a70270317b9e2L,
+        0xe266f95948603d48L },
+      { 0x98db66735c208899L,0x90472447a2fb18a3L,0x8a966939777c619fL,
+        0x3798142a2a3be21bL } },
+    /* 30 << 0 */
+    { { 0xb4241cb13298b343L,0xa3a14e49b44f65a1L,0xc5f4d6cd3ac77acdL,
+        0xd0288cb552b6fc3cL },
+      { 0xd5cc8c2f1c040abcL,0xb675511e06bf9b4aL,0xd667da379b3aa441L,
+        0x460d45ce51601f72L } },
+    /* 31 << 0 */
+    { { 0xe2f73c696755ff89L,0xdd3cf7e7473017e6L,0x8ef5689d3cf7600dL,
+        0x948dc4f8b1fc87b4L },
+      { 0xd9e9fe814ea53299L,0x2d921ca298eb6028L,0xfaecedfd0c9803fcL,
+        0xf38ae8914d7b4745L } },
+    /* 32 << 0 */
+    { { 0xd8c5fccfc5e3a3d8L,0xbefd904c4079dfbfL,0xbc6d6a58fead0197L,
+        0x39227077695532a4L },
+      { 0x09e23e6ddbef42f5L,0x7e449b64480a9908L,0x7b969c1aad9a2e40L,
+        0x6231d7929591c2a4L } },
+    /* 33 << 0 */
+    { { 0x871514560f664534L,0x85ceae7c4b68f103L,0xac09c4ae65578ab9L,
+        0x33ec6868f044b10cL },
+      { 0x6ac4832b3a8ec1f1L,0x5509d1285847d5efL,0xf909604f763f1574L,
+        0xb16c4303c32f63c4L } },
+    /* 34 << 0 */
+    { { 0xb6ab20147ca23cd3L,0xcaa7a5c6a391849dL,0x5b0673a375678d94L,
+        0xc982ddd4dd303e64L },
+      { 0xfd7b000b5db6f971L,0xbba2cb1f6f876f92L,0xc77332a33c569426L,
+        0xa159100c570d74f8L } },
+    /* 35 << 0 */
+    { { 0xfd16847fdec67ef5L,0x742ee464233e76b7L,0x0b8e4134efc2b4c8L,
+        0xca640b8642a3e521L },
+      { 0x653a01908ceb6aa9L,0x313c300c547852d5L,0x24e4ab126b237af7L,
+        0x2ba901628bb47af8L } },
+    /* 36 << 0 */
+    { { 0x3d5e58d6a8219bb7L,0xc691d0bd1b06c57fL,0x0ae4cb10d257576eL,
+        0x3569656cd54a3dc3L },
+      { 0xe5ebaebd94cda03aL,0x934e82d3162bfe13L,0x450ac0bae251a0c6L,
+        0x480b9e11dd6da526L } },
+    /* 37 << 0 */
+    { { 0x00467bc58cce08b5L,0xb636458c7f178d55L,0xc5748baea677d806L,
+        0x2763a387dfa394ebL },
+      { 0xa12b448a7d3cebb6L,0xe7adda3e6f20d850L,0xf63ebce51558462cL,
+        0x58b36143620088a8L } },
+    /* 38 << 0 */
+    { { 0x8a2cc3ca4d63c0eeL,0x512331170fe948ceL,0x7463fd85222ef33bL,
+        0xadf0c7dc7c603d6cL },
+      { 0x0ec32d3bfe7765e5L,0xccaab359bf380409L,0xbdaa84d68e59319cL,
+        0xd9a4c2809c80c34dL } },
+    /* 39 << 0 */
+    { { 0xa9d89488a059c142L,0x6f5ae714ff0b9346L,0x068f237d16fb3664L,
+        0x5853e4c4363186acL },
+      { 0xe2d87d2363c52f98L,0x2ec4a76681828876L,0x47b864fae14e7b1cL,
+        0x0c0bc0e569192408L } },
+    /* 40 << 0 */
+    { { 0xe4d7681db82e9f3eL,0x83200f0bdf25e13cL,0x8909984c66f27280L,
+        0x462d7b0075f73227L },
+      { 0xd90ba188f2651798L,0x74c6e18c36ab1c34L,0xab256ea35ef54359L,
+        0x03466612d1aa702fL } },
+    /* 41 << 0 */
+    { { 0x624d60492ed22e91L,0x6fdfe0b56f072822L,0xeeca111539ce2271L,
+        0x98100a4fdb01614fL },
+      { 0xb6b0daa2a35c628fL,0xb6f94d2ec87e9a47L,0xc67732591d57d9ceL,
+        0xf70bfeec03884a7bL } },
+    /* 42 << 0 */
+    { { 0x5fb35ccfed2bad01L,0xa155cbe31da6a5c7L,0xc2e2594c30a92f8fL,
+        0x649c89ce5bfafe43L },
+      { 0xd158667de9ff257aL,0x9b359611f32c50aeL,0x4b00b20b906014cfL,
+        0xf3a8cfe389bc7d3dL } },
+    /* 43 << 0 */
+    { { 0x4ff23ffd248a7d06L,0x80c5bfb4878873faL,0xb7d9ad9005745981L,
+        0x179c85db3db01994L },
+      { 0xba41b06261a6966cL,0x4d82d052eadce5a8L,0x9e91cd3ba5e6a318L,
+        0x47795f4f95b2dda0L } },
+    /* 44 << 0 */
+    { { 0xecfd7c1fd55a897cL,0x009194abb29110fbL,0x5f0e2046e381d3b0L,
+        0x5f3425f6a98dd291L },
+      { 0xbfa06687730d50daL,0x0423446c4b083b7fL,0x397a247dd69d3417L,
+        0xeb629f90387ba42aL } },
+    /* 45 << 0 */
+    { { 0x1ee426ccd5cd79bfL,0x0032940b946c6e18L,0x1b1e8ae057477f58L,
+        0xe94f7d346d823278L },
+      { 0xc747cb96782ba21aL,0xc5254469f72b33a5L,0x772ef6dec7f80c81L,
+        0xd73acbfe2cd9e6b5L } },
+    /* 46 << 0 */
+    { { 0x4075b5b149ee90d9L,0x785c339aa06e9ebaL,0xa1030d5babf825e0L,
+        0xcec684c3a42931dcL },
+      { 0x42ab62c9c1586e63L,0x45431d665ab43f2bL,0x57c8b2c055f7835dL,
+        0x033da338c1b7f865L } },
+    /* 47 << 0 */
+    { { 0x283c7513caa76097L,0x0a624fa936c83906L,0x6b20afec715af2c7L,
+        0x4b969974eba78bfdL },
+      { 0x220755ccd921d60eL,0x9b944e107baeca13L,0x04819d515ded93d4L,
+        0x9bbff86e6dddfd27L } },
+    /* 48 << 0 */
+    { { 0x6b34413077adc612L,0xa7496529bbd803a0L,0x1a1baaa76d8805bdL,
+        0xc8403902470343adL },
+      { 0x39f59f66175adff1L,0x0b26d7fbb7d8c5b7L,0xa875f5ce529d75e3L,
+        0x85efc7e941325cc2L } },
+    /* 49 << 0 */
+    { { 0x21950b421ff6acd3L,0xffe7048453dc6909L,0xff4cd0b228766127L,
+        0xabdbe6084fb7db2bL },
+      { 0x837c92285e1109e8L,0x26147d27f4645b5aL,0x4d78f592f7818ed8L,
+        0xd394077ef247fa36L } },
+    /* 50 << 0 */
+    { { 0x0fb9c2d0488c171aL,0xa78bfbaa13685278L,0xedfbe268d5b1fa6aL,
+        0x0dceb8db2b7eaba7L },
+      { 0xbf9e80899ae2b710L,0xefde7ae6a4449c96L,0x43b7716bcc143a46L,
+        0xd7d34194c3628c13L } },
+    /* 51 << 0 */
+    { { 0x508cec1c3b3f64c9L,0xe20bc0ba1e5edf3fL,0xda1deb852f4318d4L,
+        0xd20ebe0d5c3fa443L },
+      { 0x370b4ea773241ea3L,0x61f1511c5e1a5f65L,0x99a5e23d82681c62L,
+        0xd731e383a2f54c2dL } },
+    /* 52 << 0 */
+    { { 0x2692f36e83445904L,0x2e0ec469af45f9c0L,0x905a3201c67528b7L,
+        0x88f77f34d0e5e542L },
+      { 0xf67a8d295864687cL,0x23b92eae22df3562L,0x5c27014b9bbec39eL,
+        0x7ef2f2269c0f0f8dL } },
+    /* 53 << 0 */
+    { { 0x97359638546c4d8dL,0x5f9c3fc492f24679L,0x912e8beda8c8acd9L,
+        0xec3a318d306634b0L },
+      { 0x80167f41c31cb264L,0x3db82f6f522113f2L,0xb155bcd2dcafe197L,
+        0xfba1da5943465283L } },
+    /* 54 << 0 */
+    { { 0xa0425b8eb212cf53L,0x4f2e512ef8557c5fL,0xc1286ff925c4d56cL,
+        0xbb8a0feaee26c851L },
+      { 0xc28f70d2e7d6107eL,0x7ee0c444e76265aaL,0x3df277a41d1936b1L,
+        0x1a556e3fea9595ebL } },
+    /* 55 << 0 */
+    { { 0x258bbbf9e7305683L,0x31eea5bf07ef5be6L,0x0deb0e4a46c814c1L,
+        0x5cee8449a7b730ddL },
+      { 0xeab495c5a0182bdeL,0xee759f879e27a6b4L,0xc2cf6a6880e518caL,
+        0x25e8013ff14cf3f4L } },
+    /* 56 << 0 */
+    { { 0x8fc441407e8d7a14L,0xbb1ff3ca9556f36aL,0x6a84438514600044L,
+        0xba3f0c4a7451ae63L },
+      { 0xdfcac25b1f9af32aL,0x01e0db86b1f2214bL,0x4e9a5bc2a4b596acL,
+        0x83927681026c2c08L } },
+    /* 57 << 0 */
+    { { 0x3ec832e77acaca28L,0x1bfeea57c7385b29L,0x068212e3fd1eaf38L,
+        0xc13298306acf8cccL },
+      { 0xb909f2db2aac9e59L,0x5748060db661782aL,0xc5ab2632c79b7a01L,
+        0xda44c6c600017626L } },
+    /* 58 << 0 */
+    { { 0xf26c00e8a7ea82f0L,0x99cac80de4299aafL,0xd66fe3b67ed78be1L,
+        0x305f725f648d02cdL },
+      { 0x33ed1bc4623fb21bL,0xfa70533e7a6319adL,0x17ab562dbe5ffb3eL,
+        0x0637499456674741L } },
+    /* 59 << 0 */
+    { { 0x69d44ed65c46aa8eL,0x2100d5d3a8d063d1L,0xcb9727eaa2d17c36L,
+        0x4c2bab1b8add53b7L },
+      { 0xa084e90c15426704L,0x778afcd3a837ebeaL,0x6651f7017ce477f8L,
+        0xa062499846fb7a8bL } },
+    /* 60 << 0 */
+    { { 0xdc1e6828ed8a6e19L,0x33fc23364189d9c7L,0x026f8fe2671c39bcL,
+        0xd40c4ccdbc6f9915L },
+      { 0xafa135bbf80e75caL,0x12c651a022adff2cL,0xc40a04bd4f51ad96L,
+        0x04820109bbe4e832L } },
+    /* 61 << 0 */
+    { { 0x3667eb1a7f4c04ccL,0x59556621a9404f84L,0x71cdf6537eceb50aL,
+        0x994a44a69b8335faL },
+      { 0xd7faf819dbeb9b69L,0x473c5680eed4350dL,0xb6658466da44bba2L,
+        0x0d1bc780872bdbf3L } },
+    /* 62 << 0 */
+    { { 0xe535f175a1962f91L,0x6ed7e061ed58f5a7L,0x177aa4c02089a233L,
+        0x0dbcb03ae539b413L },
+      { 0xe3dc424ebb32e38eL,0x6472e5ef6806701eL,0xdd47ff98814be9eeL,
+        0x6b60cfff35ace009L } },
+    /* 63 << 0 */
+    { { 0xb8d3d9319ff91fe5L,0x039c4800f0518eedL,0x95c376329182cb26L,
+        0x0763a43482fc568dL },
+      { 0x707c04d5383e76baL,0xac98b930824e8197L,0x92bf7c8f91230de0L,
+        0x90876a0140959b70L } },
+    /* 64 << 0 */
+    { { 0xdb6d96f305968b80L,0x380a0913089f73b9L,0x7da70b83c2c61e01L,
+        0x95fb8394569b38c7L },
+      { 0x9a3c651280edfe2fL,0x8f726bb98faeaf82L,0x8010a4a078424bf8L,
+        0x296720440e844970L } },
+    /* 0 << 7 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 7 */
+    { { 0x63c5cb817a2ad62aL,0x7ef2b6b9ac62ff54L,0x3749bba4b3ad9db5L,
+        0xad311f2c46d5a617L },
+      { 0xb77a8087c2ff3b6dL,0xb46feaf3367834ffL,0xf8aa266d75d6b138L,
+        0xfa38d320ec008188L } },
+    /* 2 << 7 */
+    { { 0x486d8ffa696946fcL,0x50fbc6d8b9cba56dL,0x7e3d423e90f35a15L,
+        0x7c3da195c0dd962cL },
+      { 0xe673fdb03cfd5d8bL,0x0704b7c2889dfca5L,0xf6ce581ff52305aaL,
+        0x399d49eb914d5e53L } },
+    /* 3 << 7 */
+    { { 0x380a496d6ec293cdL,0x733dbda78e7051f5L,0x037e388db849140aL,
+        0xee4b32b05946dbf6L },
+      { 0xb1c4fda9cae368d1L,0x5001a7b0fdb0b2f3L,0x6df593742e3ac46eL,
+        0x4af675f239b3e656L } },
+    /* 4 << 7 */
+    { { 0x44e3811039949296L,0x5b63827b361db1b5L,0x3e5323ed206eaff5L,
+        0x942370d2c21f4290L },
+      { 0xf2caaf2ee0d985a1L,0x192cc64b7239846dL,0x7c0b8f47ae6312f8L,
+        0x7dc61f9196620108L } },
+    /* 5 << 7 */
+    { { 0xb830fb5bc2da7de9L,0xd0e643df0ff8d3beL,0x31ee77ba188a9641L,
+        0x4e8aa3aabcf6d502L },
+      { 0xf9fb65329a49110fL,0xd18317f62dd6b220L,0x7e3ced4152c3ea5aL,
+        0x0d296a147d579c4aL } },
+    /* 6 << 7 */
+    { { 0x35d6a53eed4c3717L,0x9f8240cf3d0ed2a3L,0x8c0d4d05e5543aa5L,
+        0x45d5bbfbdd33b4b4L },
+      { 0xfa04cc73137fd28eL,0x862ac6efc73b3ffdL,0x403ff9f531f51ef2L,
+        0x34d5e0fcbc73f5a2L } },
+    /* 7 << 7 */
+    { { 0xf252682008913f4fL,0xea20ed61eac93d95L,0x51ed38b46ca6b26cL,
+        0x8662dcbcea4327b0L },
+      { 0x6daf295c725d2aaaL,0xbad2752f8e52dcdaL,0x2210e7210b17daccL,
+        0xa37f7912d51e8232L } },
+    /* 8 << 7 */
+    { { 0x4f7081e144cc3addL,0xd5ffa1d687be82cfL,0x89890b6c0edd6472L,
+        0xada26e1a3ed17863L },
+      { 0x276f271563483caaL,0xe6924cd92f6077fdL,0x05a7fe980a466e3cL,
+        0xf1c794b0b1902d1fL } },
+    /* 9 << 7 */
+    { { 0xe521368882a8042cL,0xd931cfafcd278298L,0x069a0ae0f597a740L,
+        0x0adbb3f3eb59107cL },
+      { 0x983e951e5eaa8eb8L,0xe663a8b511b48e78L,0x1631cc0d8a03f2c5L,
+        0x7577c11e11e271e2L } },
+    /* 10 << 7 */
+    { { 0x33b2385c08369a90L,0x2990c59b190eb4f8L,0x819a6145c68eac80L,
+        0x7a786d622ec4a014L },
+      { 0x33faadbe20ac3a8dL,0x31a217815aba2d30L,0x209d2742dba4f565L,
+        0xdb2ce9e355aa0fbbL } },
+    /* 11 << 7 */
+    { { 0x8cef334b168984dfL,0xe81dce1733879638L,0xf6e6949c263720f0L,
+        0x5c56feaff593cbecL },
+      { 0x8bff5601fde58c84L,0x74e241172eccb314L,0xbcf01b614c9a8a78L,
+        0xa233e35e544c9868L } },
+    /* 12 << 7 */
+    { { 0xb3156bf38bd7aff1L,0x1b5ee4cb1d81b146L,0x7ba1ac41d628a915L,
+        0x8f3a8f9cfd89699eL },
+      { 0x7329b9c9a0748be7L,0x1d391c95a92e621fL,0xe51e6b214d10a837L,
+        0xd255f53a4947b435L } },
+    /* 13 << 7 */
+    { { 0x07669e04f1788ee3L,0xc14f27afa86938a2L,0x8b47a334e93a01c0L,
+        0xff627438d9366808L },
+      { 0x7a0985d8ca2a5965L,0x3d9a5542d6e9b9b3L,0xc23eb80b4cf972e8L,
+        0x5c1c33bb4fdf72fdL } },
+    /* 14 << 7 */
+    { { 0x0c4a58d474a86108L,0xf8048a8fee4c5d90L,0xe3c7c924e86d4c80L,
+        0x28c889de056a1e60L },
+      { 0x57e2662eb214a040L,0xe8c48e9837e10347L,0x8774286280ac748aL,
+        0xf1c24022186b06f2L } },
+    /* 15 << 7 */
+    { { 0xac2dd4c35f74040aL,0x409aeb71fceac957L,0x4fbad78255c4ec23L,
+        0xb359ed618a7b76ecL },
+      { 0x12744926ed6f4a60L,0xe21e8d7f4b912de3L,0xe2575a59fc705a59L,
+        0x72f1d4deed2dbc0eL } },
+    /* 16 << 7 */
+    { { 0x3d2b24b9eb7926b8L,0xbff88cb3cdbe5509L,0xd0f399afe4dd640bL,
+        0x3c5fe1302f76ed45L },
+      { 0x6f3562f43764fb3dL,0x7b5af3183151b62dL,0xd5bd0bc7d79ce5f3L,
+        0xfdaf6b20ec66890fL } },
+    /* 17 << 7 */
+    { { 0x735c67ec6063540cL,0x50b259c2e5f9cb8fL,0xb8734f9a3f99c6abL,
+        0xf8cc13d5a3a7bc85L },
+      { 0x80c1b305c5217659L,0xfe5364d44ec12a54L,0xbd87045e681345feL,
+        0x7f8efeb1582f897fL } },
+    /* 18 << 7 */
+    { { 0xe8cbf1e5d5923359L,0xdb0cea9d539b9fb0L,0x0c5b34cf49859b98L,
+        0x5e583c56a4403cc6L },
+      { 0x11fc1a2dd48185b7L,0xc93fbc7e6e521787L,0x47e7a05805105b8bL,
+        0x7b4d4d58db8260c8L } },
+    /* 19 << 7 */
+    { { 0xe33930b046eb842aL,0x8e844a9a7bdae56dL,0x34ef3a9e13f7fdfcL,
+        0xb3768f82636ca176L },
+      { 0x2821f4e04e09e61cL,0x414dc3a1a0c7cddcL,0xd537943754945fcdL,
+        0x151b6eefb3555ff1L } },
+    /* 20 << 7 */
+    { { 0xb31bd6136339c083L,0x39ff8155dfb64701L,0x7c3388d2e29604abL,
+        0x1e19084ba6b10442L },
+      { 0x17cf54c0eccd47efL,0x896933854a5dfb30L,0x69d023fb47daf9f6L,
+        0x9222840b7d91d959L } },
+    /* 21 << 7 */
+    { { 0x439108f5803bac62L,0x0b7dd91d379bd45fL,0xd651e827ca63c581L,
+        0x5c5d75f6509c104fL },
+      { 0x7d5fc7381f2dc308L,0x20faa7bfd98454beL,0x95374beea517b031L,
+        0xf036b9b1642692acL } },
+    /* 22 << 7 */
+    { { 0xc510610939842194L,0xb7e2353e49d05295L,0xfc8c1d5cefb42ee0L,
+        0xe04884eb08ce811cL },
+      { 0xf1f75d817419f40eL,0x5b0ac162a995c241L,0x120921bbc4c55646L,
+        0x713520c28d33cf97L } },
+    /* 23 << 7 */
+    { { 0xb4a65a5ce98c5100L,0x6cec871d2ddd0f5aL,0x251f0b7f9ba2e78bL,
+        0x224a8434ce3a2a5fL },
+      { 0x26827f6125f5c46fL,0x6a22bedc48545ec0L,0x25ae5fa0b1bb5cdcL,
+        0xd693682ffcb9b98fL } },
+    /* 24 << 7 */
+    { { 0x32027fe891e5d7d3L,0xf14b7d1773a07678L,0xf88497b3c0dfdd61L,
+        0xf7c2eec02a8c4f48L },
+      { 0xaa5573f43756e621L,0xc013a2401825b948L,0x1c03b34563878572L,
+        0xa0472bea653a4184L } },
+    /* 25 << 7 */
+    { { 0xf4222e270ac69a80L,0x34096d25f51e54f6L,0x00a648cb8fffa591L,
+        0x4e87acdc69b6527fL },
+      { 0x0575e037e285ccb4L,0x188089e450ddcf52L,0xaa96c9a8870ff719L,
+        0x74a56cd81fc7e369L } },
+    /* 26 << 7 */
+    { { 0x41d04ee21726931aL,0x0bbbb2c83660ecfdL,0xa6ef6de524818e18L,
+        0xe421cc51e7d57887L },
+      { 0xf127d208bea87be6L,0x16a475d3b1cdd682L,0x9db1b684439b63f7L,
+        0x5359b3dbf0f113b6L } },
+    /* 27 << 7 */
+    { { 0xdfccf1de8bf06e31L,0x1fdf8f44dd383901L,0x10775cad5017e7d2L,
+        0xdfc3a59758d11eefL },
+      { 0x6ec9c8a0b1ecff10L,0xee6ed6cc28400549L,0xb5ad7bae1b4f8d73L,
+        0x61b4f11de00aaab9L } },
+    /* 28 << 7 */
+    { { 0x7b32d69bd4eff2d7L,0x88ae67714288b60fL,0x159461b437a1e723L,
+        0x1f3d4789570aae8cL },
+      { 0x869118c07f9871daL,0x35fbda78f635e278L,0x738f3641e1541dacL,
+        0x6794b13ac0dae45fL } },
+    /* 29 << 7 */
+    { { 0x065064ac09cc0917L,0x27c53729c68540fdL,0x0d2d4c8eef227671L,
+        0xd23a9f80a1785a04L },
+      { 0x98c5952852650359L,0xfa09ad0174a1acadL,0x082d5a290b55bf5cL,
+        0xa40f1c67419b8084L } },
+    /* 30 << 7 */
+    { { 0x3a5c752edcc18770L,0x4baf1f2f8825c3a5L,0xebd63f7421b153edL,
+        0xa2383e47b2f64723L },
+      { 0xe7bf620a2646d19aL,0x56cb44ec03c83ffdL,0xaf7267c94f6be9f1L,
+        0x8b2dfd7bc06bb5e9L } },
+    /* 31 << 7 */
+    { { 0xb87072f2a672c5c7L,0xeacb11c80d53c5e2L,0x22dac29dff435932L,
+        0x37bdb99d4408693cL },
+      { 0xf6e62fb62899c20fL,0x3535d512447ece24L,0xfbdc6b88ff577ce3L,
+        0x726693bd190575f2L } },
+    /* 32 << 7 */
+    { { 0x6772b0e5ab4b35a2L,0x1d8b6001f5eeaacfL,0x728f7ce4795b9580L,
+        0x4a20ed2a41fb81daL },
+      { 0x9f685cd44fec01e6L,0x3ed7ddcca7ff50adL,0x460fd2640c2d97fdL,
+        0x3a241426eb82f4f9L } },
+    /* 33 << 7 */
+    { { 0x17d1df2c6a8ea820L,0xb2b50d3bf22cc254L,0x03856cbab7291426L,
+        0x87fd26ae04f5ee39L },
+      { 0x9cb696cc02bee4baL,0x5312180406820fd6L,0xa5dfc2690212e985L,
+        0x666f7ffa160f9a09L } },
+    /* 34 << 7 */
+    { { 0xc503cd33bccd9617L,0x365dede4ba7730a3L,0x798c63555ddb0786L,
+        0xa6c3200efc9cd3bcL },
+      { 0x060ffb2ce5e35efdL,0x99a4e25b5555a1c1L,0x11d95375f70b3751L,
+        0x0a57354a160e1bf6L } },
+    /* 35 << 7 */
+    { { 0xecb3ae4bf8e4b065L,0x07a834c42e53022bL,0x1cd300b38692ed96L,
+        0x16a6f79261ee14ecL },
+      { 0x8f1063c66a8649edL,0xfbcdfcfe869f3e14L,0x2cfb97c100a7b3ecL,
+        0xcea49b3c7130c2f1L } },
+    /* 36 << 7 */
+    { { 0x462d044fe9d96488L,0x4b53d52e8182a0c1L,0x84b6ddd30391e9e9L,
+        0x80ab7b48b1741a09L },
+      { 0xec0e15d427d3317fL,0x8dfc1ddb1a64671eL,0x93cc5d5fd49c5b92L,
+        0xc995d53d3674a331L } },
+    /* 37 << 7 */
+    { { 0x302e41ec090090aeL,0x2278a0ccedb06830L,0x1d025932fbc99690L,
+        0x0c32fbd2b80d68daL },
+      { 0xd79146daf341a6c1L,0xae0ba1391bef68a0L,0xc6b8a5638d774b3aL,
+        0x1cf307bd880ba4d7L } },
+    /* 38 << 7 */
+    { { 0xc033bdc719803511L,0xa9f97b3b8888c3beL,0x3d68aebc85c6d05eL,
+        0xc3b88a9d193919ebL },
+      { 0x2d300748c48b0ee3L,0x7506bc7c07a746c1L,0xfc48437c6e6d57f3L,
+        0x5bd71587cfeaa91aL } },
+    /* 39 << 7 */
+    { { 0xa4ed0408c1bc5225L,0xd0b946db2719226dL,0x109ecd62758d2d43L,
+        0x75c8485a2751759bL },
+      { 0xb0b75f499ce4177aL,0x4fa61a1e79c10c3dL,0xc062d300a167fcd7L,
+        0x4df3874c750f0fa8L } },
+    /* 40 << 7 */
+    { { 0x29ae2cf983dfedc9L,0xf84371348d87631aL,0xaf5717117429c8d2L,
+        0x18d15867146d9272L },
+      { 0x83053ecf69769bb7L,0xc55eb856c479ab82L,0x5ef7791c21b0f4b2L,
+        0xaa5956ba3d491525L } },
+    /* 41 << 7 */
+    { { 0x407a96c29fe20ebaL,0xf27168bbe52a5ad3L,0x43b60ab3bf1d9d89L,
+        0xe45c51ef710e727aL },
+      { 0xdfca5276099b4221L,0x8dc6407c2557a159L,0x0ead833591035895L,
+        0x0a9db9579c55dc32L } },
+    /* 42 << 7 */
+    { { 0xe40736d3df61bc76L,0x13a619c03f778cdbL,0x6dd921a4c56ea28fL,
+        0x76a524332fa647b4L },
+      { 0x23591891ac5bdc5dL,0xff4a1a72bac7dc01L,0x9905e26162df8453L,
+        0x3ac045dfe63b265fL } },
+    /* 43 << 7 */
+    { { 0x8a3f341bad53dba7L,0x8ec269cc837b625aL,0xd71a27823ae31189L,
+        0x8fb4f9a355e96120L },
+      { 0x804af823ff9875cfL,0x23224f575d442a9bL,0x1c4d3b9eecc62679L,
+        0x91da22fba0e7ddb1L } },
+    /* 44 << 7 */
+    { { 0xa370324d6c04a661L,0x9710d3b65e376d17L,0xed8c98f03044e357L,
+        0xc364ebbe6422701cL },
+      { 0x347f5d517733d61cL,0xd55644b9cea826c3L,0x80c6e0ad55a25548L,
+        0x0aa7641d844220a7L } },
+    /* 45 << 7 */
+    { { 0x1438ec8131810660L,0x9dfa6507de4b4043L,0x10b515d8cc3e0273L,
+        0x1b6066dd28d8cfb2L },
+      { 0xd3b045919c9efebdL,0x425d4bdfa21c1ff4L,0x5fe5af19d57607d3L,
+        0xbbf773f754481084L } },
+    /* 46 << 7 */
+    { { 0x8435bd6994b03ed1L,0xd9ad1de3634cc546L,0x2cf423fc00e420caL,
+        0xeed26d80a03096ddL },
+      { 0xd7f60be7a4db09d2L,0xf47f569d960622f7L,0xe5925fd77296c729L,
+        0xeff2db2626ca2715L } },
+    /* 47 << 7 */
+    { { 0xa6fcd014b913e759L,0x53da47868ff4de93L,0x14616d79c32068e1L,
+        0xb187d664ccdf352eL },
+      { 0xf7afb6501dc90b59L,0x8170e9437daa1b26L,0xc8e3bdd8700c0a84L,
+        0x6e8d345f6482bdfaL } },
+    /* 48 << 7 */
+    { { 0x84cfbfa1c5c5ea50L,0xd3baf14c67960681L,0x263984030dd50942L,
+        0xe4b7839c4716a663L },
+      { 0xd5f1f794e7de6dc0L,0x5cd0f4d4622aa7ceL,0x5295f3f159acfeecL,
+        0x8d933552953e0607L } },
+    /* 49 << 7 */
+    { { 0xc7db8ec5776c5722L,0xdc467e622b5f290cL,0xd4297e704ff425a9L,
+        0x4be924c10cf7bb72L },
+      { 0x0d5dc5aea1892131L,0x8bf8a8e3a705c992L,0x73a0b0647a305ac5L,
+        0x00c9ca4e9a8c77a8L } },
+    /* 50 << 7 */
+    { { 0x5dfee80f83774bddL,0x6313160285734485L,0xa1b524ae914a69a9L,
+        0xebc2ffafd4e300d7L },
+      { 0x52c93db77cfa46a5L,0x71e6161f21653b50L,0x3574fc57a4bc580aL,
+        0xc09015dde1bc1253L } },
+    /* 51 << 7 */
+    { { 0x4b7b47b2d174d7aaL,0x4072d8e8f3a15d04L,0xeeb7d47fd6fa07edL,
+        0x6f2b9ff9edbdafb1L },
+      { 0x18c516153760fe8aL,0x7a96e6bff06c6c13L,0x4d7a04100ea2d071L,
+        0xa1914e9b0be2a5ceL } },
+    /* 52 << 7 */
+    { { 0x5726e357d8a3c5cfL,0x1197ecc32abb2b13L,0x6c0d7f7f31ae88ddL,
+        0x15b20d1afdbb3efeL },
+      { 0xcd06aa2670584039L,0x2277c969a7dc9747L,0xbca695877855d815L,
+        0x899ea2385188b32aL } },
+    /* 53 << 7 */
+    { { 0x37d9228b760c1c9dL,0xc7efbb119b5c18daL,0x7f0d1bc819f6dbc5L,
+        0x4875384b07e6905bL },
+      { 0xc7c50baa3ba8cd86L,0xb0ce40fbc2905de0L,0x708406737a231952L,
+        0xa912a262cf43de26L } },
+    /* 54 << 7 */
+    { { 0x9c38ddcceb5b76c1L,0x746f528526fc0ab4L,0x52a63a50d62c269fL,
+        0x60049c5599458621L },
+      { 0xe7f48f823c2f7c9eL,0x6bd99043917d5cf3L,0xeb1317a88701f469L,
+        0xbd3fe2ed9a449fe0L } },
+    /* 55 << 7 */
+    { { 0x421e79ca12ef3d36L,0x9ee3c36c3e7ea5deL,0xe48198b5cdff36f7L,
+        0xaff4f967c6b82228L },
+      { 0x15e19dd0c47adb7eL,0x45699b23032e7dfaL,0x40680c8b1fae026aL,
+        0x5a347a48550dbf4dL } },
+    /* 56 << 7 */
+    { { 0xe652533b3cef0d7dL,0xd94f7b182bbb4381L,0x838752be0e80f500L,
+        0x8e6e24889e9c9bfbL },
+      { 0xc975169716caca6aL,0x866c49d838531ad9L,0xc917e2397151ade1L,
+        0x2d016ec16037c407L } },
+    /* 57 << 7 */
+    { { 0xa407ccc900eac3f9L,0x835f6280e2ed4748L,0xcc54c3471cc98e0dL,
+        0x0e969937dcb572ebL },
+      { 0x1b16c8e88f30c9cbL,0xa606ae75373c4661L,0x47aa689b35502cabL,
+        0xf89014ae4d9bb64fL } },
+    /* 58 << 7 */
+    { { 0x202f6a9c31c71f7bL,0x01f95aa3296ffe5cL,0x5fc0601453cec3a3L,
+        0xeb9912375f498a45L },
+      { 0xae9a935e5d91ba87L,0xc6ac62810b564a19L,0x8a8fe81c3bd44e69L,
+        0x7c8b467f9dd11d45L } },
+    /* 59 << 7 */
+    { { 0xf772251fea5b8e69L,0xaeecb3bdc5b75fbcL,0x1aca3331887ff0e5L,
+        0xbe5d49ff19f0a131L },
+      { 0x582c13aae5c8646fL,0xdbaa12e820e19980L,0x8f40f31af7abbd94L,
+        0x1f13f5a81dfc7663L } },
+    /* 60 << 7 */
+    { { 0x5d81f1eeaceb4fc0L,0x362560025e6f0f42L,0x4b67d6d7751370c8L,
+        0x2608b69803e80589L },
+      { 0xcfc0d2fc05268301L,0xa6943d3940309212L,0x192a90c21fd0e1c2L,
+        0xb209f11337f1dc76L } },
+    /* 61 << 7 */
+    { { 0xefcc5e0697bf1298L,0xcbdb6730219d639eL,0xd009c116b81e8c6fL,
+        0xa3ffdde31a7ce2e5L },
+      { 0xc53fbaaaa914d3baL,0x836d500f88df85eeL,0xd98dc71b66ee0751L,
+        0x5a3d7005714516fdL } },
+    /* 62 << 7 */
+    { { 0x21d3634d39eedbbaL,0x35cd2e680455a46dL,0xc8cafe65f9d7eb0cL,
+        0xbda3ce9e00cefb3eL },
+      { 0xddc17a602c9cf7a4L,0x01572ee47bcb8773L,0xa92b2b018c7548dfL,
+        0x732fd309a84600e3L } },
+    /* 63 << 7 */
+    { { 0xe22109c716543a40L,0x9acafd36fede3c6cL,0xfb2068526824e614L,
+        0x2a4544a9da25dca0L },
+      { 0x2598526291d60b06L,0x281b7be928753545L,0xec667b1a90f13b27L,
+        0x33a83aff940e2eb4L } },
+    /* 64 << 7 */
+    { { 0x80009862d5d721d5L,0x0c3357a35bd3a182L,0x27f3a83b7aa2cda4L,
+        0xb58ae74ef6f83085L },
+      { 0x2a911a812e6dad6bL,0xde286051f43d6c5bL,0x4bdccc41f996c4d8L,
+        0xe7312ec00ae1e24eL } },
+    /* 0 << 14 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 14 */
+    { { 0xf8d112e76e6485b3L,0x4d3e24db771c52f8L,0x48e3ee41684a2f6dL,
+        0x7161957d21d95551L },
+      { 0x19631283cdb12a6cL,0xbf3fa8822e50e164L,0xf6254b633166cc73L,
+        0x3aefa7aeaee8cc38L } },
+    /* 2 << 14 */
+    { { 0x79b0fe623b36f9fdL,0x26543b23fde19fc0L,0x136e64a0958482efL,
+        0x23f637719b095825L },
+      { 0x14cfd596b6a1142eL,0x5ea6aac6335aac0bL,0x86a0e8bdf3081dd5L,
+        0x5fb89d79003dc12aL } },
+    /* 3 << 14 */
+    { { 0xf615c33af72e34d4L,0x0bd9ea40110eec35L,0x1c12bc5bc1dea34eL,
+        0x686584c949ae4699L },
+      { 0x13ad95d38c97b942L,0x4609561a4e5c7562L,0x9e94a4aef2737f89L,
+        0xf57594c6371c78b6L } },
+    /* 4 << 14 */
+    { { 0x0f0165fce3779ee3L,0xe00e7f9dbd495d9eL,0x1fa4efa220284e7aL,
+        0x4564bade47ac6219L },
+      { 0x90e6312ac4708e8eL,0x4f5725fba71e9adfL,0xe95f55ae3d684b9fL,
+        0x47f7ccb11e94b415L } },
+    /* 5 << 14 */
+    { { 0x7322851b8d946581L,0xf0d13133bdf4a012L,0xa3510f696584dae0L,
+        0x03a7c1713c9f6c6dL },
+      { 0x5be97f38e475381aL,0xca1ba42285823334L,0xf83cc5c70be17ddaL,
+        0x158b14940b918c0fL } },
+    /* 6 << 14 */
+    { { 0xda3a77e5522e6b69L,0x69c908c3bbcd6c18L,0x1f1b9e48d924fd56L,
+        0x37c64e36aa4bb3f7L },
+      { 0x5a4fdbdfee478d7dL,0xba75c8bc0193f7a0L,0x84bc1e8456cd16dfL,
+        0x1fb08f0846fad151L } },
+    /* 7 << 14 */
+    { { 0x8a7cabf9842e9f30L,0xa331d4bf5eab83afL,0xd272cfba017f2a6aL,
+        0x27560abc83aba0e3L },
+      { 0x94b833870e3a6b75L,0x25c6aea26b9f50f5L,0x803d691db5fdf6d0L,
+        0x03b77509e6333514L } },
+    /* 8 << 14 */
+    { { 0x3617890361a341c1L,0x3604dc600cfd6142L,0x022295eb8533316cL,
+        0x3dbde4ac44af2922L },
+      { 0x898afc5d1c7eef69L,0x58896805d14f4fa1L,0x05002160203c21caL,
+        0x6f0d1f3040ef730bL } },
+    /* 9 << 14 */
+    { { 0x8e8c44d4196224f8L,0x75a4ab95374d079dL,0x79085ecc7d48f123L,
+        0x56f04d311bf65ad8L },
+      { 0xe220bf1cbda602b2L,0x73ee1742f9612c69L,0x76008fc8084fd06bL,
+        0x4000ef9ff11380d1L } },
+    /* 10 << 14 */
+    { { 0x48201b4b12cfe297L,0x3eee129c292f74e5L,0xe1fe114ec9e874e8L,
+        0x899b055c92c5fc41L },
+      { 0x4e477a643a39c8cfL,0x82f09efe78963cc9L,0x6fd3fd8fd333f863L,
+        0x85132b2adc949c63L } },
+    /* 11 << 14 */
+    { { 0x7e06a3ab516eb17bL,0x73bec06fd2c7372bL,0xe4f74f55ba896da6L,
+        0xbb4afef88e9eb40fL },
+      { 0x2d75bec8e61d66b0L,0x02bda4b4ef29300bL,0x8bbaa8de026baa5aL,
+        0xff54befda07f4440L } },
+    /* 12 << 14 */
+    { { 0xbd9b8b1dbe7a2af3L,0xec51caa94fb74a72L,0xb9937a4b63879697L,
+        0x7c9a9d20ec2687d5L },
+      { 0x1773e44f6ef5f014L,0x8abcf412e90c6900L,0x387bd0228142161eL,
+        0x50393755fcb6ff2aL } },
+    /* 13 << 14 */
+    { { 0x9813fd56ed6def63L,0x53cf64827d53106cL,0x991a35bd431f7ac1L,
+        0xf1e274dd63e65fafL },
+      { 0xf63ffa3c44cc7880L,0x411a426b7c256981L,0xb698b9fd93a420e0L,
+        0x89fdddc0ae53f8feL } },
+    /* 14 << 14 */
+    { { 0x766e072232398baaL,0x205fee425cfca031L,0xa49f53417a029cf2L,
+        0xa88c68b84023890dL },
+      { 0xbc2750417337aaa8L,0x9ed364ad0eb384f4L,0xe0816f8529aba92fL,
+        0x2e9e194104e38a88L } },
+    /* 15 << 14 */
+    { { 0x57eef44a3dafd2d5L,0x35d1fae597ed98d8L,0x50628c092307f9b1L,
+        0x09d84aaed6cba5c6L },
+      { 0x67071bc788aaa691L,0x2dea57a9afe6cb03L,0xdfe11bb43d78ac01L,
+        0x7286418c7fd7aa51L } },
+    /* 16 << 14 */
+    { { 0xfabf770977f7195aL,0x8ec86167adeb838fL,0xea1285a8bb4f012dL,
+        0xd68835039a3eab3fL },
+      { 0xee5d24f8309004c2L,0xa96e4b7613ffe95eL,0x0cdffe12bd223ea4L,
+        0x8f5c2ee5b6739a53L } },
+    /* 17 << 14 */
+    { { 0x5cb4aaa5dd968198L,0xfa131c5272413a6cL,0x53d46a909536d903L,
+        0xb270f0d348606d8eL },
+      { 0x518c7564a053a3bcL,0x088254b71a86caefL,0xb3ba8cb40ab5efd0L,
+        0x5c59900e4605945dL } },
+    /* 18 << 14 */
+    { { 0xecace1dda1887395L,0x40960f36932a65deL,0x9611ff5c3aa95529L,
+        0xc58215b07c1e5a36L },
+      { 0xd48c9b58f0e1a524L,0xb406856bf590dfb8L,0xc7605e049cd95662L,
+        0x0dd036eea33ecf82L } },
+    /* 19 << 14 */
+    { { 0xa50171acc33156b3L,0xf09d24ea4a80172eL,0x4e1f72c676dc8eefL,
+        0xe60caadc5e3d44eeL },
+      { 0x006ef8a6979b1d8fL,0x60908a1c97788d26L,0x6e08f95b266feec0L,
+        0x618427c222e8c94eL } },
+    /* 20 << 14 */
+    { { 0x3d61333959145a65L,0xcd9bc368fa406337L,0x82d11be32d8a52a0L,
+        0xf6877b2797a1c590L },
+      { 0x837a819bf5cbdb25L,0x2a4fd1d8de090249L,0x622a7de774990e5fL,
+        0x840fa5a07945511bL } },
+    /* 21 << 14 */
+    { { 0x30b974be6558842dL,0x70df8c6417f3d0a6L,0x7c8035207542e46dL,
+        0x7251fe7fe4ecc823L },
+      { 0xe59134cb5e9aac9aL,0x11bb0934f0045d71L,0x53e5d9b5dbcb1d4eL,
+        0x8d97a90592defc91L } },
+    /* 22 << 14 */
+    { { 0xfe2893277946d3f9L,0xe132bd2407472273L,0xeeeb510c1eb6ae86L,
+        0x777708c5f0595067L },
+      { 0x18e2c8cd1297029eL,0x2c61095cbbf9305eL,0xe466c2586b85d6d9L,
+        0x8ac06c36da1ea530L } },
+    /* 23 << 14 */
+    { { 0xa365dc39a1304668L,0xe4a9c88507f89606L,0x65a4898facc7228dL,
+        0x3e2347ff84ca8303L },
+      { 0xa5f6fb77ea7d23a3L,0x2fac257d672a71cdL,0x6908bef87e6a44d3L,
+        0x8ff87566891d3d7aL } },
+    /* 24 << 14 */
+    { { 0xe58e90b36b0cf82eL,0x6438d2462615b5e7L,0x07b1f8fc669c145aL,
+        0xb0d8b2da36f1e1cbL },
+      { 0x54d5dadbd9184c4dL,0x3dbb18d5f93d9976L,0x0a3e0f56d1147d47L,
+        0x2afa8c8da0a48609L } },
+    /* 25 << 14 */
+    { { 0x275353e8bc36742cL,0x898f427eeea0ed90L,0x26f4947e3e477b00L,
+        0x8ad8848a308741e3L },
+      { 0x6c703c38d74a2a46L,0x5e3e05a99ba17ba2L,0xc1fa6f664ab9a9e4L,
+        0x474a2d9a3841d6ecL } },
+    /* 26 << 14 */
+    { { 0x871239ad653ae326L,0x14bcf72aa74cbb43L,0x8737650e20d4c083L,
+        0x3df86536110ed4afL },
+      { 0xd2d86fe7b53ca555L,0x688cb00dabd5d538L,0xcf81bda31ad38468L,
+        0x7ccfe3ccf01167b6L } },
+    /* 27 << 14 */
+    { { 0xcf4f47e06c4c1fe6L,0x557e1f1a298bbb79L,0xf93b974f30d45a14L,
+        0x174a1d2d0baf97c4L },
+      { 0x7a003b30c51fbf53L,0xd8940991ee68b225L,0x5b0aa7b71c0f4173L,
+        0x975797c9a20a7153L } },
+    /* 28 << 14 */
+    { { 0x26e08c07e3533d77L,0xd7222e6a2e341c99L,0x9d60ec3d8d2dc4edL,
+        0xbdfe0d8f7c476cf8L },
+      { 0x1fe59ab61d056605L,0xa9ea9df686a8551fL,0x8489941e47fb8d8cL,
+        0xfeb874eb4a7f1b10L } },
+    /* 29 << 14 */
+    { { 0xfe5fea867ee0d98fL,0x201ad34bdbf61864L,0x45d8fe4737c031d4L,
+        0xd5f49fae795f0822L },
+      { 0xdb0fb291c7f4a40cL,0x2e69d9c1730ddd92L,0x754e105449d76987L,
+        0x8a24911d7662db87L } },
+    /* 30 << 14 */
+    { { 0x61fc181060a71676L,0xe852d1a8f66a8ad1L,0x172bbd656417231eL,
+        0x0d6de7bd3babb11fL },
+      { 0x6fde6f88c8e347f8L,0x1c5875479bd99cc3L,0x78e54ed034076950L,
+        0x97f0f334796e83baL } },
+    /* 31 << 14 */
+    { { 0xe4dbe1ce4924867aL,0xbd5f51b060b84917L,0x375300403cb09a79L,
+        0xdb3fe0f8ff1743d8L },
+      { 0xed7894d8556fa9dbL,0xfa26216923412fbfL,0x563be0dbba7b9291L,
+        0x6ca8b8c00c9fb234L } },
+    /* 32 << 14 */
+    { { 0xed406aa9bd763802L,0xc21486a065303da1L,0x61ae291ec7e62ec4L,
+        0x622a0492df99333eL },
+      { 0x7fd80c9dbb7a8ee0L,0xdc2ed3bc6c01aedbL,0x35c35a1208be74ecL,
+        0xd540cb1a469f671fL } },
+    /* 33 << 14 */
+    { { 0xd16ced4ecf84f6c7L,0x8561fb9c2d090f43L,0x7e693d796f239db4L,
+        0xa736f92877bd0d94L },
+      { 0x07b4d9292c1950eeL,0xda17754356dc11b3L,0xa5dfbbaa7a6a878eL,
+        0x1c70cb294decb08aL } },
+    /* 34 << 14 */
+    { { 0xfba28c8b6f0f7c50L,0xa8eba2b8854dcc6dL,0x5ff8e89a36b78642L,
+        0x070c1c8ef6873adfL },
+      { 0xbbd3c3716484d2e4L,0xfb78318f0d414129L,0x2621a39c6ad93b0bL,
+        0x979d74c2a9e917f7L } },
+    /* 35 << 14 */
+    { { 0xfc19564761fb0428L,0x4d78954abee624d4L,0xb94896e0b8ae86fdL,
+        0x6667ac0cc91c8b13L },
+      { 0x9f18051243bcf832L,0xfbadf8b7a0010137L,0xc69b4089b3ba8aa7L,
+        0xfac4bacde687ce85L } },
+    /* 36 << 14 */
+    { { 0x9164088d977eab40L,0x51f4c5b62760b390L,0xd238238f340dd553L,
+        0x358566c3db1d31c9L },
+      { 0x3a5ad69e5068f5ffL,0xf31435fcdaff6b06L,0xae549a5bd6debff0L,
+        0x59e5f0b775e01331L } },
+    /* 37 << 14 */
+    { { 0x5d492fb898559acfL,0x96018c2e4db79b50L,0x55f4a48f609f66aaL,
+        0x1943b3af4900a14fL },
+      { 0xc22496df15a40d39L,0xb2a446844c20f7c5L,0x76a35afa3b98404cL,
+        0xbec75725ff5d1b77L } },
+    /* 38 << 14 */
+    { { 0xb67aa163bea06444L,0x27e95bb2f724b6f2L,0x3c20e3e9d238c8abL,
+        0x1213754eddd6ae17L },
+      { 0x8c431020716e0f74L,0x6679c82effc095c2L,0x2eb3adf4d0ac2932L,
+        0x2cc970d301bb7a76L } },
+    /* 39 << 14 */
+    { { 0x70c71f2f740f0e66L,0x545c616b2b6b23ccL,0x4528cfcbb40a8bd7L,
+        0xff8396332ab27722L },
+      { 0x049127d9025ac99aL,0xd314d4a02b63e33bL,0xc8c310e728d84519L,
+        0x0fcb8983b3bc84baL } },
+    /* 40 << 14 */
+    { { 0x2cc5226138634818L,0x501814f4b44c2e0bL,0xf7e181aa54dfdba3L,
+        0xcfd58ff0e759718cL },
+      { 0xf90cdb14d3b507a8L,0x57bd478ec50bdad8L,0x29c197e250e5f9aaL,
+        0x4db6eef8e40bc855L } },
+    /* 41 << 14 */
+    { { 0x2cc8f21ad1fc0654L,0xc71cc96381269d73L,0xecfbb204077f49f9L,
+        0xdde92571ca56b793L },
+      { 0x9abed6a3f97ad8f7L,0xe6c19d3f924de3bdL,0x8dce92f4a140a800L,
+        0x85f44d1e1337af07L } },
+    /* 42 << 14 */
+    { { 0x5953c08b09d64c52L,0xa1b5e49ff5df9749L,0x336a8fb852735f7dL,
+        0xb332b6db9add676bL },
+      { 0x558b88a0b4511aa4L,0x09788752dbd5cc55L,0x16b43b9cd8cd52bdL,
+        0x7f0bc5a0c2a2696bL } },
+    /* 43 << 14 */
+    { { 0x146e12d4c11f61efL,0x9ce107543a83e79eL,0x08ec73d96cbfca15L,
+        0x09ff29ad5b49653fL },
+      { 0xe31b72bde7da946eL,0xebf9eb3bee80a4f2L,0xd1aabd0817598ce4L,
+        0x18b5fef453f37e80L } },
+    /* 44 << 14 */
+    { { 0xd5d5cdd35958cd79L,0x3580a1b51d373114L,0xa36e4c91fa935726L,
+        0xa38c534def20d760L },
+      { 0x7088e40a2ff5845bL,0xe5bb40bdbd78177fL,0x4f06a7a8857f9920L,
+        0xe3cc3e50e968f05dL } },
+    /* 45 << 14 */
+    { { 0x1d68b7fee5682d26L,0x5206f76faec7f87cL,0x41110530041951abL,
+        0x58ec52c1d4b5a71aL },
+      { 0xf3488f990f75cf9aL,0xf411951fba82d0d5L,0x27ee75be618895abL,
+        0xeae060d46d8aab14L } },
+    /* 46 << 14 */
+    { { 0x9ae1df737fb54dc2L,0x1f3e391b25963649L,0x242ec32afe055081L,
+        0x5bd450ef8491c9bdL },
+      { 0x367efc67981eb389L,0xed7e19283a0550d5L,0x362e776bab3ce75cL,
+        0xe890e3081f24c523L } },
+    /* 47 << 14 */
+    { { 0xb961b682feccef76L,0x8b8e11f58bba6d92L,0x8f2ccc4c2b2375c4L,
+        0x0d7f7a52e2f86cfaL },
+      { 0xfd94d30a9efe5633L,0x2d8d246b5451f934L,0x2234c6e3244e6a00L,
+        0xde2b5b0dddec8c50L } },
+    /* 48 << 14 */
+    { { 0x2ce53c5abf776f5bL,0x6f72407160357b05L,0xb259371771bf3f7aL,
+        0x87d2501c440c4a9fL },
+      { 0x440552e187b05340L,0xb7bf7cc821624c32L,0x4155a6ce22facddbL,
+        0x5a4228cb889837efL } },
+    /* 49 << 14 */
+    { { 0xef87d6d6fd4fd671L,0xa233687ec2daa10eL,0x7562224403c0eb96L,
+        0x7632d1848bf19be6L },
+      { 0x05d0f8e940735ff4L,0x3a3e6e13c00931f1L,0x31ccde6adafe3f18L,
+        0xf381366acfe51207L } },
+    /* 50 << 14 */
+    { { 0x24c222a960167d92L,0x62f9d6f87529f18cL,0x412397c00353b114L,
+        0x334d89dcef808043L },
+      { 0xd9ec63ba2a4383ceL,0xcec8e9375cf92ba0L,0xfb8b4288c8be74c0L,
+        0x67d6912f105d4391L } },
+    /* 51 << 14 */
+    { { 0x7b996c461b913149L,0x36aae2ef3a4e02daL,0xb68aa003972de594L,
+        0x284ec70d4ec6d545L },
+      { 0xf3d2b2d061391d54L,0x69c5d5d6fe114e92L,0xbe0f00b5b4482dffL,
+        0xe1596fa5f5bf33c5L } },
+    /* 52 << 14 */
+    { { 0x10595b5696a71cbaL,0x944938b2fdcadeb7L,0xa282da4cfccd8471L,
+        0x98ec05f30d37bfe1L },
+      { 0xe171ce1b0698304aL,0x2d69144421bdf79bL,0xd0cd3b741b21dec1L,
+        0x712ecd8b16a15f71L } },
+    /* 53 << 14 */
+    { { 0x8d4c00a700fd56e1L,0x02ec9692f9527c18L,0x21c449374a3e42e1L,
+        0x9176fbab1392ae0aL },
+      { 0x8726f1ba44b7b618L,0xb4d7aae9f1de491cL,0xf91df7b907b582c0L,
+        0x7e116c30ef60aa3aL } },
+    /* 54 << 14 */
+    { { 0x99270f81466265d7L,0xb15b6fe24df7adf0L,0xfe33b2d3f9738f7fL,
+        0x48553ab9d6d70f95L },
+      { 0x2cc72ac8c21e94dbL,0x795ac38dbdc0bbeeL,0x0a1be4492e40478fL,
+        0x81bd3394052bde55L } },
+    /* 55 << 14 */
+    { { 0x63c8dbe956b3c4f2L,0x017a99cf904177ccL,0x947bbddb4d010fc1L,
+        0xacf9b00bbb2c9b21L },
+      { 0x2970bc8d47173611L,0x1a4cbe08ac7d756fL,0x06d9f4aa67d541a2L,
+        0xa3e8b68959c2cf44L } },
+    /* 56 << 14 */
+    { { 0xaad066da4d88f1ddL,0xc604f1657ad35deaL,0x7edc07204478ca67L,
+        0xa10dfae0ba02ce06L },
+      { 0xeceb1c76af36f4e4L,0x994b2292af3f8f48L,0xbf9ed77b77c8a68cL,
+        0x74f544ea51744c9dL } },
+    /* 57 << 14 */
+    { { 0x82d05bb98113a757L,0x4ef2d2b48a9885e4L,0x1e332be51aa7865fL,
+        0x22b76b18290d1a52L },
+      { 0x308a231044351683L,0x9d861896a3f22840L,0x5959ddcd841ed947L,
+        0x0def0c94154b73bfL } },
+    /* 58 << 14 */
+    { { 0xf01054174c7c15e0L,0x539bfb023a277c32L,0xe699268ef9dccf5fL,
+        0x9f5796a50247a3bdL },
+      { 0x8b839de84f157269L,0xc825c1e57a30196bL,0x6ef0aabcdc8a5a91L,
+        0xf4a8ce6c498b7fe6L } },
+    /* 59 << 14 */
+    { { 0x1cce35a770cbac78L,0x83488e9bf6b23958L,0x0341a070d76cb011L,
+        0xda6c9d06ae1b2658L },
+      { 0xb701fb30dd648c52L,0x994ca02c52fb9fd1L,0x069331176f563086L,
+        0x3d2b810017856babL } },
+    /* 60 << 14 */
+    { { 0xe89f48c85963a46eL,0x658ab875a99e61c7L,0x6e296f874b8517b4L,
+        0x36c4fcdcfc1bc656L },
+      { 0xde5227a1a3906defL,0x9fe95f5762418945L,0x20c91e81fdd96cdeL,
+        0x5adbe47eda4480deL } },
+    /* 61 << 14 */
+    { { 0xa009370f396de2b6L,0x98583d4bf0ecc7bdL,0xf44f6b57e51d0672L,
+        0x03d6b078556b1984L },
+      { 0x27dbdd93b0b64912L,0x9b3a343415687b09L,0x0dba646151ec20a9L,
+        0xec93db7fff28187cL } },
+    /* 62 << 14 */
+    { { 0x00ff8c2466e48bddL,0x2514f2f911ccd78eL,0xeba11f4fe1250603L,
+        0x8a22cd41243fa156L },
+      { 0xa4e58df4b283e4c6L,0x78c298598b39783fL,0x5235aee2a5259809L,
+        0xc16284b50e0227ddL } },
+    /* 63 << 14 */
+    { { 0xa5f579161338830dL,0x6d4b8a6bd2123fcaL,0x236ea68af9c546f8L,
+        0xc1d36873fa608d36L },
+      { 0xcd76e4958d436d13L,0xd4d9c2218fb080afL,0x665c1728e8ad3fb5L,
+        0xcf1ebe4db3d572e0L } },
+    /* 64 << 14 */
+    { { 0xa7a8746a584c5e20L,0x267e4ea1b9dc7035L,0x593a15cfb9548c9bL,
+        0x5e6e21354bd012f3L },
+      { 0xdf31cc6a8c8f936eL,0x8af84d04b5c241dcL,0x63990a6f345efb86L,
+        0x6fef4e61b9b962cbL } },
+    /* 0 << 21 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 21 */
+    { { 0xf6368f0925722608L,0x131260db131cf5c6L,0x40eb353bfab4f7acL,
+        0x85c7888037eee829L },
+      { 0x4c1581ffc3bdf24eL,0x5bff75cbf5c3c5a8L,0x35e8c83fa14e6f40L,
+        0xb81d1c0f0295e0caL } },
+    /* 2 << 21 */
+    { { 0xfcde7cc8f43a730fL,0xe89b6f3c33ab590eL,0xc823f529ad03240bL,
+        0x82b79afe98bea5dbL },
+      { 0x568f2856962fe5deL,0x0c590adb60c591f3L,0x1fc74a144a28a858L,
+        0x3b662498b3203f4cL } },
+    /* 3 << 21 */
+    { { 0x91e3cf0d6c39765aL,0xa2db3acdac3cca0bL,0x288f2f08cb953b50L,
+        0x2414582ccf43cf1aL },
+      { 0x8dec8bbc60eee9a8L,0x54c79f02729aa042L,0xd81cd5ec6532f5d5L,
+        0xa672303acf82e15fL } },
+    /* 4 << 21 */
+    { { 0x376aafa8719c0563L,0xcd8ad2dcbc5fc79fL,0x303fdb9fcb750cd3L,
+        0x14ff052f4418b08eL },
+      { 0xf75084cf3e2d6520L,0x7ebdf0f8144ed509L,0xf43bf0f2d3f25b98L,
+        0x86ad71cfa354d837L } },
+    /* 5 << 21 */
+    { { 0xb827fe9226f43572L,0xdfd3ab5b5d824758L,0x315dd23a539094c1L,
+        0x85c0e37a66623d68L },
+      { 0x575c79727be19ae0L,0x616a3396df0d36b5L,0xa1ebb3c826b1ff7eL,
+        0x635b9485140ad453L } },
+    /* 6 << 21 */
+    { { 0x92bf3cdada430c0bL,0x4702850e3a96dac6L,0xc91cf0a515ac326aL,
+        0x95de4f49ab8c25e4L },
+      { 0xb01bad09e265c17cL,0x24e45464087b3881L,0xd43e583ce1fac5caL,
+        0xe17cb3186ead97a6L } },
+    /* 7 << 21 */
+    { { 0x6cc3924374dcec46L,0x33cfc02d54c2b73fL,0x82917844f26cd99cL,
+        0x8819dd95d1773f89L },
+      { 0x09572aa60871f427L,0x8e0cf365f6f01c34L,0x7fa52988bff1f5afL,
+        0x4eb357eae75e8e50L } },
+    /* 8 << 21 */
+    { { 0xd9d0c8c4868af75dL,0xd7325cff45c8c7eaL,0xab471996cc81ecb0L,
+        0xff5d55f3611824edL },
+      { 0xbe3145411977a0eeL,0x5085c4c5722038c6L,0x2d5335bff94bb495L,
+        0x894ad8a6c8e2a082L } },
+    /* 9 << 21 */
+    { { 0x5c3e2341ada35438L,0xf4a9fc89049b8c4eL,0xbeeb355a9f17cf34L,
+        0x3f311e0e6c91fe10L },
+      { 0xc2d2003892ab9891L,0x257bdcc13e8ce9a9L,0x1b2d978988c53beeL,
+        0x927ce89acdba143aL } },
+    /* 10 << 21 */
+    { { 0xb0a32cca523db280L,0x5c889f8a50d43783L,0x503e04b34897d16fL,
+        0x8cdb6e7808f5f2e8L },
+      { 0x6ab91cf0179c8e74L,0xd8874e5248211d60L,0xf948d4d5ea851200L,
+        0x4076d41ee6f9840aL } },
+    /* 11 << 21 */
+    { { 0xc20e263c47b517eaL,0x79a448fd30685e5eL,0xe55f6f78f90631a0L,
+        0x88a790b1a79e6346L },
+      { 0x62160c7d80969fe8L,0x54f92fd441491bb9L,0xa6645c235c957526L,
+        0xf44cc5aebea3ce7bL } },
+    /* 12 << 21 */
+    { { 0xf76283278b1e68b7L,0xc731ad7a303f29d3L,0xfe5a9ca957d03ecbL,
+        0x96c0d50c41bc97a7L },
+      { 0xc4669fe79b4f7f24L,0xfdd781d83d9967efL,0x7892c7c35d2c208dL,
+        0x8bf64f7cae545cb3L } },
+    /* 13 << 21 */
+    { { 0xc01f862c467be912L,0xf4c85ee9c73d30ccL,0x1fa6f4be6ab83ec7L,
+        0xa07a3c1c4e3e3cf9L },
+      { 0x87f8ef450c00beb3L,0x30e2c2b3000d4c3eL,0x1aa00b94fe08bf5bL,
+        0x32c133aa9224ef52L } },
+    /* 14 << 21 */
+    { { 0x38df16bb32e5685dL,0x68a9e06958e6f544L,0x495aaff7cdc5ebc6L,
+        0xf894a645378b135fL },
+      { 0xf316350a09e27ecfL,0xeced201e58f7179dL,0x2eec273ce97861baL,
+        0x47ec2caed693be2eL } },
+    /* 15 << 21 */
+    { { 0xfa4c97c4f68367ceL,0xe4f47d0bbe5a5755L,0x17de815db298a979L,
+        0xd7eca659c177dc7dL },
+      { 0x20fdbb7149ded0a3L,0x4cb2aad4fb34d3c5L,0x2cf31d2860858a33L,
+        0x3b6873efa24aa40fL } },
+    /* 16 << 21 */
+    { { 0x540234b22c11bb37L,0x2d0366dded4c74a3L,0xf9a968daeec5f25dL,
+        0x3660106867b63142L },
+      { 0x07cd6d2c68d7b6d4L,0xa8f74f090c842942L,0xe27514047768b1eeL,
+        0x4b5f7e89fe62aee4L } },
+    /* 17 << 21 */
+    { { 0xc6a7717789070d26L,0xa1f28e4edd1c8bc7L,0xea5f4f06469e1f17L,
+        0x78fc242afbdb78e0L },
+      { 0xc9c7c5928b0588f1L,0xb6b7a0fd1535921eL,0xcc5bdb91bde5ae35L,
+        0xb42c485e12ff1864L } },
+    /* 18 << 21 */
+    { { 0xa1113e13dbab98aaL,0xde9d469ba17b1024L,0x23f48b37c0462d3aL,
+        0x3752e5377c5c078dL },
+      { 0xe3a86add15544eb9L,0xf013aea780fba279L,0x8b5bb76cf22001b5L,
+        0xe617ba14f02891abL } },
+    /* 19 << 21 */
+    { { 0xd39182a6936219d3L,0x5ce1f194ae51cb19L,0xc78f8598bf07a74cL,
+        0x6d7158f222cbf1bcL },
+      { 0x3b846b21e300ce18L,0x35fba6302d11275dL,0x5fe25c36a0239b9bL,
+        0xd8beb35ddf05d940L } },
+    /* 20 << 21 */
+    { { 0x4db02bb01f7e320dL,0x0641c3646da320eaL,0x6d95fa5d821389a3L,
+        0x926997488fcd8e3dL },
+      { 0x316fef17ceb6c143L,0x67fcb841d933762bL,0xbb837e35118b17f8L,
+        0x4b92552f9fd24821L } },
+    /* 21 << 21 */
+    { { 0xae6bc70e46aca793L,0x1cf0b0e4e579311bL,0x8dc631be5802f716L,
+        0x099bdc6fbddbee4dL },
+      { 0xcc352bb20caf8b05L,0xf74d505a72d63df2L,0xb9876d4b91c4f408L,
+        0x1ce184739e229b2dL } },
+    /* 22 << 21 */
+    { { 0x4950759783abdb4aL,0x850fbcb6dee84b18L,0x6325236e609e67dcL,
+        0x04d831d99336c6d8L },
+      { 0x8deaae3bfa12d45dL,0xe425f8ce4746e246L,0x8004c17524f5f31eL,
+        0xaca16d8fad62c3b7L } },
+    /* 23 << 21 */
+    { { 0x0dc15a6a9152f934L,0xf1235e5ded0e12c1L,0xc33c06ecda477dacL,
+        0x76be8732b2ea0006L },
+      { 0xcf3f78310c0cd313L,0x3c524553a614260dL,0x31a756f8cab22d15L,
+        0x03ee10d177827a20L } },
+    /* 24 << 21 */
+    { { 0xd1e059b21994ef20L,0x2a653b69638ae318L,0x70d5eb582f699010L,
+        0x279739f709f5f84aL },
+      { 0x5da4663c8b799336L,0xfdfdf14d203c37ebL,0x32d8a9dca1dbfb2dL,
+        0xab40cff077d48f9bL } },
+    /* 25 << 21 */
+    { { 0xc018b383d20b42d5L,0xf9a810ef9f78845fL,0x40af3753bdba9df0L,
+        0xb90bdcfc131dfdf9L },
+      { 0x18720591f01ab782L,0xc823f2116af12a88L,0xa51b80f30dc14401L,
+        0xde248f77fb2dfbe3L } },
+    /* 26 << 21 */
+    { { 0xef5a44e50cafe751L,0x73997c9cd4dcd221L,0x32fd86d1de854024L,
+        0xd5b53adca09b84bbL },
+      { 0x008d7a11dcedd8d1L,0x406bd1c874b32c84L,0x5d4472ff05dde8b1L,
+        0x2e25f2cdfce2b32fL } },
+    /* 27 << 21 */
+    { { 0xbec0dd5e29dfc254L,0x4455fcf62b98b267L,0x0b4d43a5c72df2adL,
+        0xea70e6be48a75397L },
+      { 0x2aad61695820f3bfL,0xf410d2dd9e37f68fL,0x70fb7dba7be5ac83L,
+        0x636bb64536ec3eecL } },
+    /* 28 << 21 */
+    { { 0x27104ea39754e21cL,0xbc87a3e68d63c373L,0x483351d74109db9aL,
+        0x0fa724e360134da7L },
+      { 0x9ff44c29b0720b16L,0x2dd0cf1306aceeadL,0x5942758ce26929a6L,
+        0x96c5db92b766a92bL } },
+    /* 29 << 21 */
+    { { 0xcec7d4c05f18395eL,0xd3f227441f80d032L,0x7a68b37acb86075bL,
+        0x074764ddafef92dbL },
+      { 0xded1e9507bc7f389L,0xc580c850b9756460L,0xaeeec2a47da48157L,
+        0x3f0b4e7f82c587b3L } },
+    /* 30 << 21 */
+    { { 0x231c6de8a9f19c53L,0x5717bd736974e34eL,0xd9e1d216f1508fa9L,
+        0x9f112361dadaa124L },
+      { 0x80145e31823b7348L,0x4dd8f0d5ac634069L,0xe3d82fc72297c258L,
+        0x276fcfee9cee7431L } },
+    /* 31 << 21 */
+    { { 0x8eb61b5e2bc0aea9L,0x4f668fd5de329431L,0x03a32ab138e4b87eL,
+        0xe137451773d0ef0bL },
+      { 0x1a46f7e6853ac983L,0xc3bdf42e68e78a57L,0xacf207852ea96dd1L,
+        0xa10649b9f1638460L } },
+    /* 32 << 21 */
+    { { 0xf2369f0b879fbbedL,0x0ff0ae86da9d1869L,0x5251d75956766f45L,
+        0x4984d8c02be8d0fcL },
+      { 0x7ecc95a6d21008f0L,0x29bd54a03a1a1c49L,0xab9828c5d26c50f3L,
+        0x32c0087c51d0d251L } },
+    /* 33 << 21 */
+    { { 0x9bac3ce60c1cdb26L,0xcd94d947557ca205L,0x1b1bd5989db1fdcdL,
+        0x0eda0108a3d8b149L },
+      { 0x9506661056152fccL,0xc2f037e6e7192b33L,0xdeffb41ac92e05a4L,
+        0x1105f6c2c2f6c62eL } },
+    /* 34 << 21 */
+    { { 0x68e735008733913cL,0xcce861633f3adc40L,0xf407a94238a278e9L,
+        0xd13c1b9d2ab21292L },
+      { 0x93ed7ec71c74cf5cL,0x8887dc48f1a4c1b4L,0x3830ff304b3a11f1L,
+        0x358c5a3c58937cb6L } },
+    /* 35 << 21 */
+    { { 0x027dc40489022829L,0x40e939773b798f79L,0x90ad333738be6eadL,
+        0x9c23f6bcf34c0a5dL },
+      { 0xd1711a35fbffd8bbL,0x60fcfb491949d3ddL,0x09c8ef4b7825d93aL,
+        0x24233cffa0a8c968L } },
+    /* 36 << 21 */
+    { { 0x67ade46ce6d982afL,0xebb6bf3ee7544d7cL,0xd6b9ba763d8bd087L,
+        0x46fe382d4dc61280L },
+      { 0xbd39a7e8b5bdbd75L,0xab381331b8f228feL,0x0709a77cce1c4300L,
+        0x6a247e56f337ceacL } },
+    /* 37 << 21 */
+    { { 0x8f34f21b636288beL,0x9dfdca74c8a7c305L,0x6decfd1bea919e04L,
+        0xcdf2688d8e1991f8L },
+      { 0xe607df44d0f8a67eL,0xd985df4b0b58d010L,0x57f834c50c24f8f4L,
+        0xe976ef56a0bf01aeL } },
+    /* 38 << 21 */
+    { { 0x536395aca1c32373L,0x351027aa734c0a13L,0xd2f1b5d65e6bd5bcL,
+        0x2b539e24223debedL },
+      { 0xd4994cec0eaa1d71L,0x2a83381d661dcf65L,0x5f1aed2f7b54c740L,
+        0x0bea3fa5d6dda5eeL } },
+    /* 39 << 21 */
+    { { 0x9d4fb68436cc6134L,0x8eb9bbf3c0a443ddL,0xfc500e2e383b7d2aL,
+        0x7aad621c5b775257L },
+      { 0x69284d740a8f7cc0L,0xe820c2ce07562d65L,0xbf9531b9499758eeL,
+        0x73e95ca56ee0cc2dL } },
+    /* 40 << 21 */
+    { { 0xf61790abfbaf50a5L,0xdf55e76b684e0750L,0xec516da7f176b005L,
+        0x575553bb7a2dddc7L },
+      { 0x37c87ca3553afa73L,0x315f3ffc4d55c251L,0xe846442aaf3e5d35L,
+        0x61b911496495ff28L } },
+    /* 41 << 21 */
+    { { 0x23cc95d3fa326dc3L,0x1df4da1f18fc2ceaL,0x24bf9adcd0a37d59L,
+        0xb6710053320d6e1eL },
+      { 0x96f9667e618344d1L,0xcc7ce042a06445afL,0xa02d8514d68dbc3aL,
+        0x4ea109e4280b5a5bL } },
+    /* 42 << 21 */
+    { { 0x5741a7acb40961bfL,0x4ada59376aa56bfaL,0x7feb914502b765d1L,
+        0x561e97bee6ad1582L },
+      { 0xbbc4a5b6da3982f5L,0x0c2659edb546f468L,0xb8e7e6aa59612d20L,
+        0xd83dfe20ac19e8e0L } },
+    /* 43 << 21 */
+    { { 0x8530c45fb835398cL,0x6106a8bfb38a41c2L,0x21e8f9a635f5dcdbL,
+        0x39707137cae498edL },
+      { 0x70c23834d8249f00L,0x9f14b58fab2537a0L,0xd043c3655f61c0c2L,
+        0xdc5926d609a194a7L } },
+    /* 44 << 21 */
+    { { 0xddec03398e77738aL,0xd07a63effba46426L,0x2e58e79cee7f6e86L,
+        0xe59b0459ff32d241L },
+      { 0xc5ec84e520fa0338L,0x97939ac8eaff5aceL,0x0310a4e3b4a38313L,
+        0x9115fba28f9d9885L } },
+    /* 45 << 21 */
+    { { 0x8dd710c25fadf8c3L,0x66be38a2ce19c0e2L,0xd42a279c4cfe5022L,
+        0x597bb5300e24e1b8L },
+      { 0x3cde86b7c153ca7fL,0xa8d30fb3707d63bdL,0xac905f92bd60d21eL,
+        0x98e7ffb67b9a54abL } },
+    /* 46 << 21 */
+    { { 0xd7147df8e9726a30L,0xb5e216ffafce3533L,0xb550b7992ff1ec40L,
+        0x6b613b87a1e953fdL },
+      { 0x87b88dba792d5610L,0x2ee1270aa190fbe1L,0x02f4e2dc2ef581daL,
+        0x016530e4eff82a95L } },
+    /* 47 << 21 */
+    { { 0xcbb93dfd8fd6ee89L,0x16d3d98646848fffL,0x600eff241da47adfL,
+        0x1b9754a00ad47a71L },
+      { 0x8f9266df70c33b98L,0xaadc87aedf34186eL,0x0d2ce8e14ad24132L,
+        0x8a47cbfc19946ebaL } },
+    /* 48 << 21 */
+    { { 0x47feeb6662b5f3afL,0xcefab5610abb3734L,0x449de60e19f35cb1L,
+        0x39f8db14157f0eb9L },
+      { 0xffaecc5b3c61bfd6L,0xa5a4d41d41216703L,0x7f8fabed224e1cc2L,
+        0x0d5a8186871ad953L } },
+    /* 49 << 21 */
+    { { 0xf10774f7d22da9a9L,0x45b8a678cc8a9b0dL,0xd9c2e722bdc32cffL,
+        0xbf71b5f5337202a5L },
+      { 0x95c57f2f69fc4db9L,0xb6dad34c765d01e1L,0x7e0bd13fcb904635L,
+        0x61751253763a588cL } },
+    /* 50 << 21 */
+    { { 0xd85c299781af2c2dL,0xc0f7d9c481b9d7daL,0x838a34ae08533e8dL,
+        0x15c4cb08311d8311L },
+      { 0x97f832858e121e14L,0xeea7dc1e85000a5fL,0x0c6059b65d256274L,
+        0xec9beaceb95075c0L } },
+    /* 51 << 21 */
+    { { 0x173daad71df97828L,0xbf851cb5a8937877L,0xb083c59401646f3cL,
+        0x3bad30cf50c6d352L },
+      { 0xfeb2b202496bbceaL,0x3cf9fd4f18a1e8baL,0xd26de7ff1c066029L,
+        0x39c81e9e4e9ed4f8L } },
+    /* 52 << 21 */
+    { { 0xd8be0cb97b390d35L,0x01df2bbd964aab27L,0x3e8c1a65c3ef64f8L,
+        0x567291d1716ed1ddL },
+      { 0x95499c6c5f5406d3L,0x71fdda395ba8e23fL,0xcfeb320ed5096eceL,
+        0xbe7ba92bca66dd16L } },
+    /* 53 << 21 */
+    { { 0x4608d36bc6fb5a7dL,0xe3eea15a6d2dd0e0L,0x75b0a3eb8f97a36aL,
+        0xf59814cc1c83de1eL },
+      { 0x56c9c5b01c33c23fL,0xa96c1da46faa4136L,0x46bf2074de316551L,
+        0x3b866e7b1f756c8fL } },
+    /* 54 << 21 */
+    { { 0x727727d81495ed6bL,0xb2394243b682dce7L,0x8ab8454e758610f3L,
+        0xc243ce84857d72a4L },
+      { 0x7b320d71dbbf370fL,0xff9afa3778e0f7caL,0x0119d1e0ea7b523fL,
+        0xb997f8cb058c7d42L } },
+    /* 55 << 21 */
+    { { 0x285bcd2a37bbb184L,0x51dcec49a45d1fa6L,0x6ade3b64e29634cbL,
+        0x080c94a726b86ef1L },
+      { 0xba583db12283fbe3L,0x902bddc85a9315edL,0x07c1ccb386964becL,
+        0x78f4eacfb6258301L } },
+    /* 56 << 21 */
+    { { 0x4bdf3a4956f90823L,0xba0f5080741d777bL,0x091d71c3f38bf760L,
+        0x9633d50f9b625b02L },
+      { 0x03ecb743b8c9de61L,0xb47512545de74720L,0x9f9defc974ce1cb2L,
+        0x774a4f6a00bd32efL } },
+    /* 57 << 21 */
+    { { 0xaca385f773848f22L,0x53dad716f3f8558eL,0xab7b34b093c471f9L,
+        0xf530e06919644bc7L },
+      { 0x3d9fb1ffdd59d31aL,0x4382e0df08daa795L,0x165c6f4bd5cc88d7L,
+        0xeaa392d54a18c900L } },
+    /* 58 << 21 */
+    { { 0x94203c67648024eeL,0x188763f28c2fabcdL,0xa80f87acbbaec835L,
+        0x632c96e0f29d8d54L },
+      { 0x29b0a60e4c00a95eL,0x2ef17f40e011e9faL,0xf6c0e1d115b77223L,
+        0xaaec2c6214b04e32L } },
+    /* 59 << 21 */
+    { { 0xd35688d83d84e58cL,0x2af5094c958571dbL,0x4fff7e19760682a6L,
+        0x4cb27077e39a407cL },
+      { 0x0f59c5474ff0e321L,0x169f34a61b34c8ffL,0x2bff109652bc1ba7L,
+        0xa25423b783583544L } },
+    /* 60 << 21 */
+    { { 0x5d55d5d50ac8b782L,0xff6622ec2db3c892L,0x48fce7416b8bb642L,
+        0x31d6998c69d7e3dcL },
+      { 0xdbaf8004cadcaed0L,0x801b0142d81d053cL,0x94b189fc59630ec6L,
+        0x120e9934af762c8eL } },
+    /* 61 << 21 */
+    { { 0x53a29aa4fdc6a404L,0x19d8e01ea1909948L,0x3cfcabf1d7e89681L,
+        0x3321a50d4e132d37L },
+      { 0xd0496863e9a86111L,0x8c0cde6106a3bc65L,0xaf866c49fc9f8eefL,
+        0x2066350eff7f5141L } },
+    /* 62 << 21 */
+    { { 0x4f8a4689e56ddfbdL,0xea1b0c07fe32983aL,0x2b317462873cb8cbL,
+        0x658deddc2d93229fL },
+      { 0x65efaf4d0f64ef58L,0xfe43287d730cc7a8L,0xaebc0c723d047d70L,
+        0x92efa539d92d26c9L } },
+    /* 63 << 21 */
+    { { 0x06e7845794b56526L,0x415cb80f0961002dL,0x89e5c56576dcb10fL,
+        0x8bbb6982ff9259feL },
+      { 0x4fe8795b9abc2668L,0xb5d4f5341e678fb1L,0x6601f3be7b7da2b9L,
+        0x98da59e2a13d6805L } },
+    /* 64 << 21 */
+    { { 0x190d8ea601799a52L,0xa20cec41b86d2952L,0x3062ffb27fff2a7cL,
+        0x741b32e579f19d37L },
+      { 0xf80d81814eb57d47L,0x7a2d0ed416aef06bL,0x09735fb01cecb588L,
+        0x1641caaac6061f5bL } },
+    /* 0 << 28 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 28 */
+    { { 0x7f99824f20151427L,0x206828b692430206L,0xaa9097d7e1112357L,
+        0xacf9a2f209e414ecL },
+      { 0xdbdac9da27915356L,0x7e0734b7001efee3L,0x54fab5bbd2b288e2L,
+        0x4c630fc4f62dd09cL } },
+    /* 2 << 28 */
+    { { 0x8537107a1ac2703bL,0xb49258d86bc857b5L,0x57df14debcdaccd1L,
+        0x24ab68d7c4ae8529L },
+      { 0x7ed8b5d4734e59d0L,0x5f8740c8c495cc80L,0x84aedd5a291db9b3L,
+        0x80b360f84fb995beL } },
+    /* 3 << 28 */
+    { { 0xae915f5d5fa067d1L,0x4134b57f9668960cL,0xbd3656d6a48edaacL,
+        0xdac1e3e4fc1d7436L },
+      { 0x674ff869d81fbb26L,0x449ed3ecb26c33d4L,0x85138705d94203e8L,
+        0xccde538bbeeb6f4aL } },
+    /* 4 << 28 */
+    { { 0x55d5c68da61a76faL,0x598b441dca1554dcL,0xd39923b9773b279cL,
+        0x33331d3c36bf9efcL },
+      { 0x2d4c848e298de399L,0xcfdb8e77a1a27f56L,0x94c855ea57b8ab70L,
+        0xdcdb9dae6f7879baL } },
+    /* 5 << 28 */
+    { { 0x7bdff8c2019f2a59L,0xb3ce5bb3cb4fbc74L,0xea907f688a9173ddL,
+        0x6cd3d0d395a75439L },
+      { 0x92ecc4d6efed021cL,0x09a9f9b06a77339aL,0x87ca6b157188c64aL,
+        0x10c2996844899158L } },
+    /* 6 << 28 */
+    { { 0x5859a229ed6e82efL,0x16f338e365ebaf4eL,0x0cd313875ead67aeL,
+        0x1c73d22854ef0bb4L },
+      { 0x4cb5513174a5c8c7L,0x01cd29707f69ad6aL,0xa04d00dde966f87eL,
+        0xd96fe4470b7b0321L } },
+    /* 7 << 28 */
+    { { 0x342ac06e88fbd381L,0x02cd4a845c35a493L,0xe8fa89de54f1bbcdL,
+        0x341d63672575ed4cL },
+      { 0xebe357fbd238202bL,0x600b4d1aa984ead9L,0xc35c9f4452436ea0L,
+        0x96fe0a39a370751bL } },
+    /* 8 << 28 */
+    { { 0x4c4f07367f636a38L,0x9f943fb70e76d5cbL,0xb03510baa8b68b8bL,
+        0xc246780a9ed07a1fL },
+      { 0x3c0514156d549fc2L,0xc2953f31607781caL,0x955e2c69d8d95413L,
+        0xb300fadc7bd282e3L } },
+    /* 9 << 28 */
+    { { 0x81fe7b5087e9189fL,0xdb17375cf42dda27L,0x22f7d896cf0a5904L,
+        0xa0e57c5aebe348e6L },
+      { 0xa61011d3f40e3c80L,0xb11893218db705c5L,0x4ed9309e50fedec3L,
+        0xdcf14a104d6d5c1dL } },
+    /* 10 << 28 */
+    { { 0x056c265b55691342L,0xe8e0850491049dc7L,0x131329f5c9bae20aL,
+        0x96c8b3e8d9dccdb4L },
+      { 0x8c5ff838fb4ee6b4L,0xfc5a9aeb41e8ccf0L,0x7417b764fae050c6L,
+        0x0953c3d700452080L } },
+    /* 11 << 28 */
+    { { 0x2137268238dfe7e8L,0xea417e152bb79d4bL,0x59641f1c76e7cf2dL,
+        0x271e3059ea0bcfccL },
+      { 0x624c7dfd7253ecbdL,0x2f552e254fca6186L,0xcbf84ecd4d866e9cL,
+        0x73967709f68d4610L } },
+    /* 12 << 28 */
+    { { 0xa14b1163c27901b4L,0xfd9236e0899b8bf3L,0x42b091eccbc6da0aL,
+        0xbb1dac6f5ad1d297L },
+      { 0x80e61d53a91cf76eL,0x4110a412d31f1ee7L,0x2d87c3ba13efcf77L,
+        0x1f374bb4df450d76L } },
+    /* 13 << 28 */
+    { { 0x5e78e2f20d188dabL,0xe3968ed0f4b885efL,0x46c0568e7314570fL,
+        0x3161633801170521L },
+      { 0x18e1e7e24f0c8afeL,0x4caa75ffdeea78daL,0x82db67f27c5d8a51L,
+        0x36a44d866f505370L } },
+    /* 14 << 28 */
+    { { 0xd72c5bda0333974fL,0x5db516ae27a70146L,0x34705281210ef921L,
+        0xbff17a8f0c9c38e5L },
+      { 0x78f4814e12476da1L,0xc1e1661333c16980L,0x9e5b386f424d4bcaL,
+        0x4c274e87c85740deL } },
+    /* 15 << 28 */
+    { { 0xb6a9b88d6c2f5226L,0x14d1b944550d7ca8L,0x580c85fc1fc41709L,
+        0xc1da368b54c6d519L },
+      { 0x2b0785ced5113cf7L,0x0670f6335a34708fL,0x46e2376715cc3f88L,
+        0x1b480cfa50c72c8fL } },
+    /* 16 << 28 */
+    { { 0x202886024147519aL,0xd0981eac26b372f0L,0xa9d4a7caa785ebc8L,
+        0xd953c50ddbdf58e9L },
+      { 0x9d6361ccfd590f8fL,0x72e9626b44e6c917L,0x7fd9611022eb64cfL,
+        0x863ebb7e9eb288f3L } },
+    /* 17 << 28 */
+    { { 0x6e6ab7616aca8ee7L,0x97d10b39d7b40358L,0x1687d3771e5feb0dL,
+        0xc83e50e48265a27aL },
+      { 0x8f75a9fec954b313L,0xcc2e8f47310d1f61L,0xf5ba81c56557d0e0L,
+        0x25f9680c3eaf6207L } },
+    /* 18 << 28 */
+    { { 0xf95c66094354080bL,0x5225bfa57bf2fe1cL,0xc5c004e25c7d98faL,
+        0x3561bf1c019aaf60L },
+      { 0x5e6f9f17ba151474L,0xdec2f934b04f6ecaL,0x64e368a1269acb1eL,
+        0x1332d9e40cdda493L } },
+    /* 19 << 28 */
+    { { 0x60d6cf69df23de05L,0x66d17da2009339a0L,0x9fcac9850a693923L,
+        0xbcf057fced7c6a6dL },
+      { 0xc3c5c8c5f0b5662cL,0x25318dd8dcba4f24L,0x60e8cb75082b69ffL,
+        0x7c23b3ee1e728c01L } },
+    /* 20 << 28 */
+    { { 0x15e10a0a097e4403L,0xcb3d0a8619854665L,0x88d8e211d67d4826L,
+        0xb39af66e0b9d2839L },
+      { 0xa5f94588bd475ca8L,0xe06b7966c077b80bL,0xfedb1485da27c26cL,
+        0xd290d33afe0fd5e0L } },
+    /* 21 << 28 */
+    { { 0xa40bcc47f34fb0faL,0xb4760cc81fb1ab09L,0x8fca0993a273bfe3L,
+        0x13e4fe07f70b213cL },
+      { 0x3bcdb992fdb05163L,0x8c484b110c2b19b6L,0x1acb815faaf2e3e2L,
+        0xc6905935b89ff1b4L } },
+    /* 22 << 28 */
+    { { 0xb2ad6f9d586e74e1L,0x488883ad67b80484L,0x758aa2c7369c3ddbL,
+        0x8ab74e699f9afd31L },
+      { 0x10fc2d285e21beb1L,0x3484518a318c42f9L,0x377427dc53cf40c3L,
+        0x9de0781a391bc1d9L } },
+    /* 23 << 28 */
+    { { 0x8faee858693807e1L,0xa38653274e81ccc7L,0x02c30ff26f835b84L,
+        0xb604437b0d3d38d4L },
+      { 0xb3fc8a985ca1823dL,0xb82f7ec903be0324L,0xee36d761cf684a33L,
+        0x5a01df0e9f29bf7dL } },
+    /* 24 << 28 */
+    { { 0x686202f31306583dL,0x05b10da0437c622eL,0xbf9aaa0f076a7bc8L,
+        0x25e94efb8f8f4e43L },
+      { 0x8a35c9b7fa3dc26dL,0xe0e5fb9396ff03c5L,0xa77e3843ebc394ceL,
+        0xcede65958361de60L } },
+    /* 25 << 28 */
+    { { 0xd27c22f6a1993545L,0xab01cc3624d671baL,0x63fa2877a169c28eL,
+        0x925ef9042eb08376L },
+      { 0x3b2fa3cf53aa0b32L,0xb27beb5b71c49d7aL,0xb60e1834d105e27fL,
+        0xd60897884f68570dL } },
+    /* 26 << 28 */
+    { { 0x23094ce0d6fbc2acL,0x738037a1815ff551L,0xda73b1bb6bef119cL,
+        0xdcf6c430eef506baL },
+      { 0x00e4fe7be3ef104aL,0xebdd9a2c0a065628L,0x853a81c38792043eL,
+        0x22ad6eceb3b59108L } },
+    /* 27 << 28 */
+    { { 0x9fb813c039cd297dL,0x8ec7e16e05bda5d9L,0x2834797c0d104b96L,
+        0xcc11a2e77c511510L },
+      { 0x96ca5a5396ee6380L,0x054c8655cea38742L,0xb5946852d54dfa7dL,
+        0x97c422e71f4ab207L } },
+    /* 28 << 28 */
+    { { 0xbf9075090c22b540L,0x2cde42aab7c267d4L,0xba18f9ed5ab0d693L,
+        0x3ba62aa66e4660d9L },
+      { 0xb24bf97bab9ea96aL,0x5d039642e3b60e32L,0x4e6a45067c4d9bd5L,
+        0x666c5b9e7ed4a6a4L } },
+    /* 29 << 28 */
+    { { 0xfa3fdcd98edbd7ccL,0x4660bb87c6ccd753L,0x9ae9082021e6b64fL,
+        0x8a56a713b36bfb3fL },
+      { 0xabfce0965726d47fL,0x9eed01b20b1a9a7fL,0x30e9cad44eb74a37L,
+        0x7b2524cc53e9666dL } },
+    /* 30 << 28 */
+    { { 0x6a29683b8f4b002fL,0xc2200d7a41f4fc20L,0xcf3af47a3a338accL,
+        0x6539a4fbe7128975L },
+      { 0xcec31c14c33c7fcfL,0x7eb6799bc7be322bL,0x119ef4e96646f623L,
+        0x7b7a26a554d7299bL } },
+    /* 31 << 28 */
+    { { 0xcb37f08d403f46f2L,0x94b8fc431a0ec0c7L,0xbb8514e3c332142fL,
+        0xf3ed2c33e80d2a7aL },
+      { 0x8d2080afb639126cL,0xf7b6be60e3553adeL,0x3950aa9f1c7e2b09L,
+        0x847ff9586410f02bL } },
+    /* 32 << 28 */
+    { { 0x877b7cf5678a31b0L,0xd50301ae3998b620L,0x734257c5c00fb396L,
+        0xf9fb18a004e672a6L },
+      { 0xff8bd8ebe8758851L,0x1e64e4c65d99ba44L,0x4b8eaedf7dfd93b7L,
+        0xba2f2a9804e76b8cL } },
+    /* 33 << 28 */
+    { { 0x7d790cbae8053433L,0xc8e725a03d2c9585L,0x58c5c476cdd8f5edL,
+        0xd106b952efa9fe1dL },
+      { 0x3c5c775b0eff13a9L,0x242442bae057b930L,0xe9f458d4c9b70cbdL,
+        0x69b71448a3cdb89aL } },
+    /* 34 << 28 */
+    { { 0x41ee46f60e2ed742L,0x573f104540067493L,0xb1e154ff9d54c304L,
+        0x2ad0436a8d3a7502L },
+      { 0xee4aaa2d431a8121L,0xcd38b3ab886f11edL,0x57d49ea6034a0eb7L,
+        0xd2b773bdf7e85e58L } },
+    /* 35 << 28 */
+    { { 0x4a559ac49b5c1f14L,0xc444be1a3e54df2bL,0x13aad704eda41891L,
+        0xcd927bec5eb5c788L },
+      { 0xeb3c8516e48c8a34L,0x1b7ac8124b546669L,0x1815f896594df8ecL,
+        0x87c6a79c79227865L } },
+    /* 36 << 28 */
+    { { 0xae02a2f09b56ddbdL,0x1339b5ac8a2f1cf3L,0xf2b569c7839dff0dL,
+        0xb0b9e864fee9a43dL },
+      { 0x4ff8ca4177bb064eL,0x145a2812fd249f63L,0x3ab7beacf86f689aL,
+        0x9bafec2701d35f5eL } },
+    /* 37 << 28 */
+    { { 0x28054c654265aa91L,0xa4b18304035efe42L,0x6887b0e69639dec7L,
+        0xf4b8f6ad3d52aea5L },
+      { 0xfb9293cc971a8a13L,0x3f159e5d4c934d07L,0x2c50e9b109acbc29L,
+        0x08eb65e67154d129L } },
+    /* 38 << 28 */
+    { { 0x4feff58930b75c3eL,0x0bb82fe294491c93L,0xd8ac377a89af62bbL,
+        0xd7b514909685e49fL },
+      { 0xabca9a7b04497f19L,0x1b35ed0a1a7ad13fL,0x6b601e213ec86ed6L,
+        0xda91fcb9ce0c76f1L } },
+    /* 39 << 28 */
+    { { 0x9e28507bd7ab27e1L,0x7c19a55563945b7bL,0x6b43f0a1aafc9827L,
+        0x443b4fbd3aa55b91L },
+      { 0x962b2e656962c88fL,0x139da8d4ce0db0caL,0xb93f05dd1b8d6c4fL,
+        0x779cdff7180b9824L } },
+    /* 40 << 28 */
+    { { 0xbba23fddae57c7b7L,0x345342f21b932522L,0xfd9c80fe556d4aa3L,
+        0xa03907ba6525bb61L },
+      { 0x38b010e1ff218933L,0xc066b654aa52117bL,0x8e14192094f2e6eaL,
+        0x66a27dca0d32f2b2L } },
+    /* 41 << 28 */
+    { { 0x69c7f993048b3717L,0xbf5a989ab178ae1cL,0x49fa9058564f1d6bL,
+        0x27ec6e15d31fde4eL },
+      { 0x4cce03737276e7fcL,0x64086d7989d6bf02L,0x5a72f0464ccdd979L,
+        0x909c356647775631L } },
+    /* 42 << 28 */
+    { { 0x1c07bc6b75dd7125L,0xb4c6bc9787a0428dL,0x507ece52fdeb6b9dL,
+        0xfca56512b2c95432L },
+      { 0x15d97181d0e8bd06L,0x384dd317c6bb46eaL,0x5441ea203952b624L,
+        0xbcf70dee4e7dc2fbL } },
+    /* 43 << 28 */
+    { { 0x372b016e6628e8c3L,0x07a0d667b60a7522L,0xcf05751b0a344ee2L,
+        0x0ec09a48118bdeecL },
+      { 0x6e4b3d4ed83dce46L,0x43a6316d99d2fc6eL,0xa99d898956cf044cL,
+        0x7c7f4454ae3e5fb7L } },
+    /* 44 << 28 */
+    { { 0xb2e6b121fbabbe92L,0x281850fbe1330076L,0x093581ec97890015L,
+        0x69b1dded75ff77f5L },
+      { 0x7cf0b18fab105105L,0x953ced31a89ccfefL,0x3151f85feb914009L,
+        0x3c9f1b8788ed48adL } },
+    /* 45 << 28 */
+    { { 0xc9aba1a14a7eadcbL,0x928e7501522e71cfL,0xeaede7273a2e4f83L,
+        0x467e10d11ce3bbd3L },
+      { 0xf3442ac3b955dcf0L,0xba96307dd3d5e527L,0xf763a10efd77f474L,
+        0x5d744bd06a6e1ff0L } },
+    /* 46 << 28 */
+    { { 0xd287282aa777899eL,0xe20eda8fd03f3cdeL,0x6a7e75bb50b07d31L,
+        0x0b7e2a946f379de4L },
+      { 0x31cb64ad19f593cfL,0x7b1a9e4f1e76ef1dL,0xe18c9c9db62d609cL,
+        0x439bad6de779a650L } },
+    /* 47 << 28 */
+    { { 0x219d9066e032f144L,0x1db632b8e8b2ec6aL,0xff0d0fd4fda12f78L,
+        0x56fb4c2d2a25d265L },
+      { 0x5f4e2ee1255a03f1L,0x61cd6af2e96af176L,0xe0317ba8d068bc97L,
+        0x927d6bab264b988eL } },
+    /* 48 << 28 */
+    { { 0xa18f07e0e90fb21eL,0x00fd2b80bba7fca1L,0x20387f2795cd67b5L,
+        0x5b89a4e7d39707f7L },
+      { 0x8f83ad3f894407ceL,0xa0025b946c226132L,0xc79563c7f906c13bL,
+        0x5f548f314e7bb025L } },
+    /* 49 << 28 */
+    { { 0x2b4c6b8feac6d113L,0xa67e3f9c0e813c76L,0x3982717c3fe1f4b9L,
+        0x5886581926d8050eL },
+      { 0x99f3640cf7f06f20L,0xdc6102162a66ebc2L,0x52f2c175767a1e08L,
+        0x05660e1a5999871bL } },
+    /* 50 << 28 */
+    { { 0x6b0f17626d3c4693L,0xf0e7d62737ed7beaL,0xc51758c7b75b226dL,
+        0x40a886281f91613bL },
+      { 0x889dbaa7bbb38ce0L,0xe0404b65bddcad81L,0xfebccd3a8bc9671fL,
+        0xfbf9a357ee1f5375L } },
+    /* 51 << 28 */
+    { { 0x5dc169b028f33398L,0xb07ec11d72e90f65L,0xae7f3b4afaab1eb1L,
+        0xd970195e5f17538aL },
+      { 0x52b05cbe0181e640L,0xf5debd622643313dL,0x761481545df31f82L,
+        0x23e03b333a9e13c5L } },
+    /* 52 << 28 */
+    { { 0xff7589494fde0c1fL,0xbf8a1abee5b6ec20L,0x702278fb87e1db6cL,
+        0xc447ad7a35ed658fL },
+      { 0x48d4aa3803d0ccf2L,0x80acb338819a7c03L,0x9bc7c89e6e17ceccL,
+        0x46736b8b03be1d82L } },
+    /* 53 << 28 */
+    { { 0xd65d7b60c0432f96L,0xddebe7a3deb5442fL,0x79a253077dff69a2L,
+        0x37a56d9402cf3122L },
+      { 0x8bab8aedf2350d0aL,0x13c3f276037b0d9aL,0xc664957c44c65caeL,
+        0x88b44089c2e71a88L } },
+    /* 54 << 28 */
+    { { 0xdb88e5a35cb02664L,0x5d4c0bf18686c72eL,0xea3d9b62a682d53eL,
+        0x9b605ef40b2ad431L },
+      { 0x71bac202c69645d0L,0xa115f03a6a1b66e7L,0xfe2c563a158f4dc4L,
+        0xf715b3a04d12a78cL } },
+    /* 55 << 28 */
+    { { 0x8f7f0a48d413213aL,0x2035806dc04becdbL,0xecd34a995d8587f5L,
+        0x4d8c30799f6d3a71L },
+      { 0x1b2a2a678d95a8f6L,0xc58c9d7df2110d0dL,0xdeee81d5cf8fba3fL,
+        0xa42be3c00c7cdf68L } },
+    /* 56 << 28 */
+    { { 0x2126f742d43b5eaaL,0x054a0766dfa59b85L,0x9d0d5e36126bfd45L,
+        0xa1f8fbd7384f8a8fL },
+      { 0x317680f5d563fcccL,0x48ca5055f280a928L,0xe00b81b227b578cfL,
+        0x10aad9182994a514L } },
+    /* 57 << 28 */
+    { { 0xd9e07b62b7bdc953L,0x9f0f6ff25bc086ddL,0x09d1ccff655eee77L,
+        0x45475f795bef7df1L },
+      { 0x3faa28fa86f702ccL,0x92e609050f021f07L,0xe9e629687f8fa8c6L,
+        0xbd71419af036ea2cL } },
+    /* 58 << 28 */
+    { { 0x171ee1cc6028da9aL,0x5352fe1ac251f573L,0xf8ff236e3fa997f4L,
+        0xd831b6c9a5749d5fL },
+      { 0x7c872e1de350e2c2L,0xc56240d91e0ce403L,0xf9deb0776974f5cbL,
+        0x7d50ba87961c3728L } },
+    /* 59 << 28 */
+    { { 0xd6f894265a3a2518L,0xcf817799c6303d43L,0x510a0471619e5696L,
+        0xab049ff63a5e307bL },
+      { 0xe4cdf9b0feb13ec7L,0xd5e971179d8ff90cL,0xf6f64d069afa96afL,
+        0x00d0bf5e9d2012a2L } },
+    /* 60 << 28 */
+    { { 0xe63f301f358bcdc0L,0x07689e990a9d47f8L,0x1f689e2f4f43d43aL,
+        0x4d542a1690920904L },
+      { 0xaea293d59ca0a707L,0xd061fe458ac68065L,0x1033bf1b0090008cL,
+        0x29749558c08a6db6L } },
+    /* 61 << 28 */
+    { { 0x74b5fc59c1d5d034L,0xf712e9f667e215e0L,0xfd520cbd860200e6L,
+        0x0229acb43ea22588L },
+      { 0x9cd1e14cfff0c82eL,0x87684b6259c69e73L,0xda85e61c96ccb989L,
+        0x2d5dbb02a3d06493L } },
+    /* 62 << 28 */
+    { { 0xf22ad33ae86b173cL,0xe8e41ea5a79ff0e3L,0x01d2d725dd0d0c10L,
+        0x31f39088032d28f9L },
+      { 0x7b3f71e17829839eL,0x0cf691b44502ae58L,0xef658dbdbefc6115L,
+        0xa5cd6ee5b3ab5314L } },
+    /* 63 << 28 */
+    { { 0x206c8d7b5f1d2347L,0x794645ba4cc2253aL,0xd517d8ff58389e08L,
+        0x4fa20dee9f847288L },
+      { 0xeba072d8d797770aL,0x7360c91dbf429e26L,0x7200a3b380af8279L,
+        0x6a1c915082dadce3L } },
+    /* 64 << 28 */
+    { { 0x0ee6d3a7c35d8794L,0x042e65580356bae5L,0x9f59698d643322fdL,
+        0x9379ae1550a61967L },
+      { 0x64b9ae62fcc9981eL,0xaed3d6316d2934c6L,0x2454b3025e4e65ebL,
+        0xab09f647f9950428L } },
+    /* 0 << 35 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 35 */
+    { { 0xb2083a1222248accL,0x1f6ec0ef3264e366L,0x5659b7045afdee28L,
+        0x7a823a40e6430bb5L },
+      { 0x24592a04e1900a79L,0xcde09d4ac9ee6576L,0x52b6463f4b5ea54aL,
+        0x1efe9ed3d3ca65a7L } },
+    /* 2 << 35 */
+    { { 0xe27a6dbe305406ddL,0x8eb7dc7fdd5d1957L,0xf54a6876387d4d8fL,
+        0x9c479409c7762de4L },
+      { 0xbe4d5b5d99b30778L,0x25380c566e793682L,0x602d37f3dac740e3L,
+        0x140deabe1566e4aeL } },
+    /* 3 << 35 */
+    { { 0x4481d067afd32acfL,0xd8f0fccae1f71ccfL,0xd208dd0cb596f2daL,
+        0xd049d7309aad93f9L },
+      { 0xc79f263d42ab580eL,0x09411bb123f707b4L,0x8cfde1ff835e0edaL,
+        0x7270749090f03402L } },
+    /* 4 << 35 */
+    { { 0xeaee6126c49a861eL,0x024f3b65e14f0d06L,0x51a3f1e8c69bfc17L,
+        0xc3c3a8e9a7686381L },
+      { 0x3400752cb103d4c8L,0x02bc46139218b36bL,0xc67f75eb7651504aL,
+        0xd6848b56d02aebfaL } },
+    /* 5 << 35 */
+    { { 0xbd9802e6c30fa92bL,0x5a70d96d9a552784L,0x9085c4ea3f83169bL,
+        0xfa9423bb06908228L },
+      { 0x2ffebe12fe97a5b9L,0x85da604971b99118L,0x9cbc2f7f63178846L,
+        0xfd96bc709153218eL } },
+    /* 6 << 35 */
+    { { 0x958381db1782269bL,0xae34bf792597e550L,0xbb5c60645f385153L,
+        0x6f0e96afe3088048L },
+      { 0xbf6a021577884456L,0xb3b5688c69310ea7L,0x17c9429504fad2deL,
+        0xe020f0e517896d4dL } },
+    /* 7 << 35 */
+    { { 0x730ba0ab0976505fL,0x567f6813095e2ec5L,0x470620106331ab71L,
+        0x72cfa97741d22b9fL },
+      { 0x33e55ead8a2373daL,0xa8d0d5f47ba45a68L,0xba1d8f9c03029d15L,
+        0x8f34f1ccfc55b9f3L } },
+    /* 8 << 35 */
+    { { 0xcca4428dbbe5a1a9L,0x8187fd5f3126bd67L,0x0036973a48105826L,
+        0xa39b6663b8bd61a0L },
+      { 0x6d42deef2d65a808L,0x4969044f94636b19L,0xf611ee47dd5d564cL,
+        0x7b2f3a49d2873077L } },
+    /* 9 << 35 */
+    { { 0x94157d45300eb294L,0x2b2a656e169c1494L,0xc000dd76d3a47aa9L,
+        0xa2864e4fa6243ea4L },
+      { 0x82716c47db89842eL,0x12dfd7d761479fb7L,0x3b9a2c56e0b2f6dcL,
+        0x46be862ad7f85d67L } },
+    /* 10 << 35 */
+    { { 0x03b0d8dd0f82b214L,0x460c34f9f103cbc6L,0xf32e5c0318d79e19L,
+        0x8b8888baa84117f8L },
+      { 0x8f3c37dcc0722677L,0x10d21be91c1c0f27L,0xd47c8468e0f7a0c6L,
+        0x9bf02213adecc0e0L } },
+    /* 11 << 35 */
+    { { 0x0baa7d1242b48b99L,0x1bcb665d48424096L,0x8b847cd6ebfb5cfbL,
+        0x87c2ae569ad4d10dL },
+      { 0xf1cbb1220de36726L,0xe7043c683fdfbd21L,0x4bd0826a4e79d460L,
+        0x11f5e5984bd1a2cbL } },
+    /* 12 << 35 */
+    { { 0x97554160b7fe7b6eL,0x7d16189a400a3fb2L,0xd73e9beae328ca1eL,
+        0x0dd04b97e793d8ccL },
+      { 0xa9c83c9b506db8ccL,0x5cd47aaecf38814cL,0x26fc430db64b45e6L,
+        0x079b5499d818ea84L } },
+    /* 13 << 35 */
+    { { 0xebb01102c1c24a3bL,0xca24e5681c161c1aL,0x103eea6936f00a4aL,
+        0x9ad76ee876176c7bL },
+      { 0x97451fc2538e0ff7L,0x94f898096604b3b0L,0x6311436e3249cfd7L,
+        0x27b4a7bd41224f69L } },
+    /* 14 << 35 */
+    { { 0x03b5d21ae0ac2941L,0x279b0254c2d31937L,0x3307c052cac992d0L,
+        0x6aa7cb92efa8b1f3L },
+      { 0x5a1825800d37c7a5L,0x13380c37342d5422L,0x92ac2d66d5d2ef92L,
+        0x035a70c9030c63c6L } },
+    /* 15 << 35 */
+    { { 0xc16025dd4ce4f152L,0x1f419a71f9df7c06L,0x6d5b221491e4bb14L,
+        0xfc43c6cc839fb4ceL },
+      { 0x49f06591925d6b2dL,0x4b37d9d362186598L,0x8c54a971d01b1629L,
+        0xe1a9c29f51d50e05L } },
+    /* 16 << 35 */
+    { { 0x5109b78571ba1861L,0x48b22d5cd0c8f93dL,0xe8fa84a78633bb93L,
+        0x53fba6ba5aebbd08L },
+      { 0x7ff27df3e5eea7d8L,0x521c879668ca7158L,0xb9d5133bce6f1a05L,
+        0x2d50cd53fd0ebee4L } },
+    /* 17 << 35 */
+    { { 0xc82115d6c5a3ef16L,0x993eff9dba079221L,0xe4da2c5e4b5da81cL,
+        0x9a89dbdb8033fd85L },
+      { 0x60819ebf2b892891L,0x53902b215d14a4d5L,0x6ac35051d7fda421L,
+        0xcc6ab88561c83284L } },
+    /* 18 << 35 */
+    { { 0x14eba133f74cff17L,0x240aaa03ecb813f2L,0xcfbb65406f665beeL,
+        0x084b1fe4a425ad73L },
+      { 0x009d5d16d081f6a6L,0x35304fe8eef82c90L,0xf20346d5aa9eaa22L,
+        0x0ada9f07ac1c91e3L } },
+    /* 19 << 35 */
+    { { 0xa6e21678968a6144L,0x54c1f77c07b31a1eL,0xd6bb787e5781fbe1L,
+        0x61bd2ee0e31f1c4aL },
+      { 0xf25aa1e9781105fcL,0x9cf2971f7b2f8e80L,0x26d15412cdff919bL,
+        0x01db4ebe34bc896eL } },
+    /* 20 << 35 */
+    { { 0x7d9b3e23b40df1cfL,0x5933737394e971b4L,0xbf57bd14669cf921L,
+        0x865daedf0c1a1064L },
+      { 0x3eb70bd383279125L,0xbc3d5b9f34ecdaabL,0x91e3ed7e5f755cafL,
+        0x49699f54d41e6f02L } },
+    /* 21 << 35 */
+    { { 0x185770e1d4a7a15bL,0x08f3587aeaac87e7L,0x352018db473133eaL,
+        0x674ce71904fd30fcL },
+      { 0x7b8d9835088b3e0eL,0x7a0356a95d0d47a1L,0x9d9e76596474a3c4L,
+        0x61ea48a7ff66966cL } },
+    /* 22 << 35 */
+    { { 0x304177580f3e4834L,0xfdbb21c217a9afcbL,0x756fa17f2f9a67b3L,
+        0x2a6b2421a245c1a8L },
+      { 0x64be27944af02291L,0xade465c62a5804feL,0x8dffbd39a6f08fd7L,
+        0xc4efa84caa14403bL } },
+    /* 23 << 35 */
+    { { 0xa1b91b2a442b0f5cL,0xb748e317cf997736L,0x8d1b62bfcee90e16L,
+        0x907ae2710b2078c0L },
+      { 0xdf31534b0c9bcdddL,0x043fb05439adce83L,0x99031043d826846aL,
+        0x61a9c0d6b144f393L } },
+    /* 24 << 35 */
+    { { 0xdab4804647718427L,0xdf17ff9b6e830f8bL,0x408d7ee8e49a1347L,
+        0x6ac71e2391c1d4aeL },
+      { 0xc8cbb9fd1defd73cL,0x19840657bbbbfec5L,0x39db1cb59e7ef8eaL,
+        0x78aa829664105f30L } },
+    /* 25 << 35 */
+    { { 0xa3d9b7f0a3738c29L,0x0a2f235abc3250a3L,0x55e506f6445e4cafL,
+        0x0974f73d33475f7aL },
+      { 0xd37dbba35ba2f5a8L,0x542c6e636af40066L,0x26d99b53c5d73e2cL,
+        0x06060d7d6c3ca33eL } },
+    /* 26 << 35 */
+    { { 0xcdbef1c2065fef4aL,0x77e60f7dfd5b92e3L,0xd7c549f026708350L,
+        0x201b3ad034f121bfL },
+      { 0x5fcac2a10334fc14L,0x8a9a9e09344552f6L,0x7dd8a1d397653082L,
+        0x5fc0738f79d4f289L } },
+    /* 27 << 35 */
+    { { 0x787d244d17d2d8c3L,0xeffc634570830684L,0x5ddb96dde4f73ae5L,
+        0x8efb14b1172549a5L },
+      { 0x6eb73eee2245ae7aL,0xbca4061eea11f13eL,0xb577421d30b01f5dL,
+        0xaa688b24782e152cL } },
+    /* 28 << 35 */
+    { { 0x67608e71bd3502baL,0x4ef41f24b4de75a0L,0xb08dde5efd6125e5L,
+        0xde484825a409543fL },
+      { 0x1f198d9865cc2295L,0x428a37716e0edfa2L,0x4f9697a2adf35fc7L,
+        0x01a43c79f7cac3c7L } },
+    /* 29 << 35 */
+    { { 0xb05d70590fd3659aL,0x8927f30cbb7f2d9aL,0x4023d1ac8cf984d3L,
+        0x32125ed302897a45L },
+      { 0xfb572dad3d414205L,0x73000ef2e3fa82a9L,0x4c0868e9f10a5581L,
+        0x5b61fc676b0b3ca5L } },
+    /* 30 << 35 */
+    { { 0xc1258d5b7cae440cL,0x21c08b41402b7531L,0xf61a8955de932321L,
+        0x3568faf82d1408afL },
+      { 0x71b15e999ecf965bL,0xf14ed248e917276fL,0xc6f4caa1820cf9e2L,
+        0x681b20b218d83c7eL } },
+    /* 31 << 35 */
+    { { 0x6cde738dc6c01120L,0x71db0813ae70e0dbL,0x95fc064474afe18cL,
+        0x34619053129e2be7L },
+      { 0x80615ceadb2a3b15L,0x0a49a19edb4c7073L,0x0e1b84c88fd2d367L,
+        0xd74bf462033fb8aaL } },
+    /* 32 << 35 */
+    { { 0x889f6d65533ef217L,0x7158c7e4c3ca2e87L,0xfb670dfbdc2b4167L,
+        0x75910a01844c257fL },
+      { 0xf336bf07cf88577dL,0x22245250e45e2aceL,0x2ed92e8d7ca23d85L,
+        0x29f8be4c2b812f58L } },
+    /* 33 << 35 */
+    { { 0xdd9ebaa7076fe12bL,0x3f2400cbae1537f9L,0x1aa9352817bdfb46L,
+        0xc0f9843067883b41L },
+      { 0x5590ede10170911dL,0x7562f5bb34d4b17fL,0xe1fa1df21826b8d2L,
+        0xb40b796a6bd80d59L } },
+    /* 34 << 35 */
+    { { 0xd65bf1973467ba92L,0x8c9b46dbf70954b0L,0x97c8a0f30e78f15dL,
+        0xa8f3a69a85a4c961L },
+      { 0x4242660f61e4ce9bL,0xbf06aab36ea6790cL,0xc6706f8eec986416L,
+        0x9e56dec19a9fc225L } },
+    /* 35 << 35 */
+    { { 0x527c46f49a9898d9L,0xd799e77b5633cdefL,0x24eacc167d9e4297L,
+        0xabb61cea6b1cb734L },
+      { 0xbee2e8a7f778443cL,0x3bb42bf129de2fe6L,0xcbed86a13003bb6fL,
+        0xd3918e6cd781cdf6L } },
+    /* 36 << 35 */
+    { { 0x4bee32719a5103f1L,0x5243efc6f50eac06L,0xb8e122cb6adcc119L,
+        0x1b7faa84c0b80a08L },
+      { 0x32c3d1bd6dfcd08cL,0x129dec4e0be427deL,0x98ab679c1d263c83L,
+        0xafc83cb7cef64effL } },
+    /* 37 << 35 */
+    { { 0x85eb60882fa6be76L,0x892585fb1328cbfeL,0xc154d3edcf618ddaL,
+        0xc44f601b3abaf26eL },
+      { 0x7bf57d0b2be1fdfdL,0xa833bd2d21137feeL,0x9353af362db591a8L,
+        0xc76f26dc5562a056L } },
+    /* 38 << 35 */
+    { { 0x1d87e47d3fdf5a51L,0x7afb5f9355c9cab0L,0x91bbf58f89e0586eL,
+        0x7c72c0180d843709L },
+      { 0xa9a5aafb99b5c3dcL,0xa48a0f1d3844aeb0L,0x7178b7ddb667e482L,
+        0x453985e96e23a59aL } },
+    /* 39 << 35 */
+    { { 0x4a54c86001b25dd8L,0x0dd37f48fb897c8aL,0x5f8aa6100ea90cd9L,
+        0xc8892c6816d5830dL },
+      { 0xeb4befc0ef514ca5L,0x478eb679e72c9ee6L,0x9bca20dadbc40d5fL,
+        0xf015de21dde4f64aL } },
+    /* 40 << 35 */
+    { { 0xaa6a4de0eaf4b8a5L,0x68cfd9ca4bc60e32L,0x668a4b017fd15e70L,
+        0xd9f0694af27dc09dL },
+      { 0xf6c3cad5ba708bcdL,0x5cd2ba695bb95c2aL,0xaa28c1d333c0a58fL,
+        0x23e274e3abc77870L } },
+    /* 41 << 35 */
+    { { 0x44c3692ddfd20a4aL,0x091c5fd381a66653L,0x6c0bb69109a0757dL,
+        0x9072e8b9667343eaL },
+      { 0x31d40eb080848becL,0x95bd480a79fd36ccL,0x01a77c6165ed43f5L,
+        0xafccd1272e0d40bfL } },
+    /* 42 << 35 */
+    { { 0xeccfc82d1cc1884bL,0xc85ac2015d4753b4L,0xc7a6caac658e099fL,
+        0xcf46369e04b27390L },
+      { 0xe2e7d049506467eaL,0x481b63a237cdecccL,0x4029abd8ed80143aL,
+        0x28bfe3c7bcb00b88L } },
+    /* 43 << 35 */
+    { { 0x3bec10090643d84aL,0x885f3668abd11041L,0xdb02432cf83a34d6L,
+        0x32f7b360719ceebeL },
+      { 0xf06c7837dad1fe7aL,0x60a157a95441a0b0L,0x704970e9e2d47550L,
+        0xcd2bd553271b9020L } },
+    /* 44 << 35 */
+    { { 0xff57f82f33e24a0bL,0x9cbee23ff2565079L,0x16353427eb5f5825L,
+        0x276feec4e948d662L },
+      { 0xd1b62bc6da10032bL,0x718351ddf0e72a53L,0x934520762420e7baL,
+        0x96368fff3a00118dL } },
+    /* 45 << 35 */
+    { { 0x00ce2d26150a49e4L,0x0c28b6363f04706bL,0xbad65a4658b196d0L,
+        0x6c8455fcec9f8b7cL },
+      { 0xe90c895f2d71867eL,0x5c0be31bedf9f38cL,0x2a37a15ed8f6ec04L,
+        0x239639e78cd85251L } },
+    /* 46 << 35 */
+    { { 0xd89753159c7c4c6bL,0x603aa3c0d7409af7L,0xb8d53d0c007132fbL,
+        0x68d12af7a6849238L },
+      { 0xbe0607e7bf5d9279L,0x9aa50055aada74ceL,0xe81079cbba7e8ccbL,
+        0x610c71d1a5f4ff5eL } },
+    /* 47 << 35 */
+    { { 0x9e2ee1a75aa07093L,0xca84004ba75da47cL,0x074d39513de75401L,
+        0xf938f756bb311592L },
+      { 0x9619761800a43421L,0x39a2536207bc78c8L,0x278f710a0a171276L,
+        0xb28446ea8d1a8f08L } },
+    /* 48 << 35 */
+    { { 0x184781bfe3b6a661L,0x7751cb1de6d279f7L,0xf8ff95d6c59eb662L,
+        0x186d90b758d3dea7L },
+      { 0x0e4bb6c1dfb4f754L,0x5c5cf56b2b2801dcL,0xc561e4521f54564dL,
+        0xb4fb8c60f0dd7f13L } },
+    /* 49 << 35 */
+    { { 0xf884963033ff98c7L,0x9619fffacf17769cL,0xf8090bf61bfdd80aL,
+        0x14d9a149422cfe63L },
+      { 0xb354c3606f6df9eaL,0xdbcf770d218f17eaL,0x207db7c879eb3480L,
+        0x213dbda8559b6a26L } },
+    /* 50 << 35 */
+    { { 0xac4c200b29fc81b3L,0xebc3e09f171d87c1L,0x917995301481aa9eL,
+        0x051b92e192e114faL },
+      { 0xdf8f92e9ecb5537fL,0x44b1b2cc290c7483L,0xa711455a2adeb016L,
+        0x964b685681a10c2cL } },
+    /* 51 << 35 */
+    { { 0x4f159d99cec03623L,0x05532225ef3271eaL,0xb231bea3c5ee4849L,
+        0x57a54f507094f103L },
+      { 0x3e2d421d9598b352L,0xe865a49c67412ab4L,0xd2998a251cc3a912L,
+        0x5d0928080c74d65dL } },
+    /* 52 << 35 */
+    { { 0x73f459084088567aL,0xeb6b280e1f214a61L,0x8c9adc34caf0c13dL,
+        0x39d12938f561fb80L },
+      { 0xb2dc3a5ebc6edfb4L,0x7485b1b1fe4d210eL,0x062e0400e186ae72L,
+        0x91e32d5c6eeb3b88L } },
+    /* 53 << 35 */
+    { { 0x6df574d74be59224L,0xebc88ccc716d55f3L,0x26c2e6d0cad6ed33L,
+        0xc6e21e7d0d3e8b10L },
+      { 0x2cc5840e5bcc36bbL,0x9292445e7da74f69L,0x8be8d3214e5193a8L,
+        0x3ec236298df06413L } },
+    /* 54 << 35 */
+    { { 0xc7e9ae85b134defaL,0x6073b1d01bb2d475L,0xb9ad615e2863c00dL,
+        0x9e29493d525f4ac4L },
+      { 0xc32b1dea4e9acf4fL,0x3e1f01c8a50db88dL,0xb05d70ea04da916cL,
+        0x714b0d0ad865803eL } },
+    /* 55 << 35 */
+    { { 0x4bd493fc9920cb5eL,0x5b44b1f792c7a3acL,0xa2a77293bcec9235L,
+        0x5ee06e87cd378553L },
+      { 0xceff8173da621607L,0x2bb03e4c99f5d290L,0x2945106aa6f734acL,
+        0xb5056604d25c4732L } },
+    /* 56 << 35 */
+    { { 0x5945920ce079afeeL,0x686e17a06789831fL,0x5966bee8b74a5ae5L,
+        0x38a673a21e258d46L },
+      { 0xbd1cc1f283141c95L,0x3b2ecf4f0e96e486L,0xcd3aa89674e5fc78L,
+        0x415ec10c2482fa7aL } },
+    /* 57 << 35 */
+    { { 0x1523441980503380L,0x513d917ad314b392L,0xb0b52f4e63caecaeL,
+        0x07bf22ad2dc7780bL },
+      { 0xe761e8a1e4306839L,0x1b3be9625dd7feaaL,0x4fe728de74c778f1L,
+        0xf1fa0bda5e0070f6L } },
+    /* 58 << 35 */
+    { { 0x85205a316ec3f510L,0x2c7e4a14d2980475L,0xde3c19c06f30ebfdL,
+        0xdb1c1f38d4b7e644L },
+      { 0xfe291a755dce364aL,0xb7b22a3c058f5be3L,0x2cd2c30237fea38cL,
+        0x2930967a2e17be17L } },
+    /* 59 << 35 */
+    { { 0x87f009de0c061c65L,0xcb014aacedc6ed44L,0x49bd1cb43bafb1ebL,
+        0x81bd8b5c282d3688L },
+      { 0x1cdab87ef01a17afL,0x21f37ac4e710063bL,0x5a6c567642fc8193L,
+        0xf4753e7056a6015cL } },
+    /* 60 << 35 */
+    { { 0x020f795ea15b0a44L,0x8f37c8d78958a958L,0x63b7e89ba4b675b5L,
+        0xb4fb0c0c0fc31aeaL },
+      { 0xed95e639a7ff1f2eL,0x9880f5a3619614fbL,0xdeb6ff02947151abL,
+        0x5bc5118ca868dcdbL } },
+    /* 61 << 35 */
+    { { 0xd8da20554c20cea5L,0xcac2776e14c4d69aL,0xcccb22c1622d599bL,
+        0xa4ddb65368a9bb50L },
+      { 0x2c4ff1511b4941b4L,0xe1ff19b46efba588L,0x35034363c48345e0L,
+        0x45542e3d1e29dfc4L } },
+    /* 62 << 35 */
+    { { 0xf197cb91349f7aedL,0x3b2b5a008fca8420L,0x7c175ee823aaf6d8L,
+        0x54dcf42135af32b6L },
+      { 0x0ba1430727d6561eL,0x879d5ee4d175b1e2L,0xc7c4367399807db5L,
+        0x77a544559cd55bcdL } },
+    /* 63 << 35 */
+    { { 0xe6c2ff130105c072L,0x18f7a99f8dda7da4L,0x4c3018200e2d35c1L,
+        0x06a53ca0d9cc6c82L },
+      { 0xaa21cc1ef1aa1d9eL,0x324143344a75b1e8L,0x2a6d13280ebe9fdcL,
+        0x16bd173f98a4755aL } },
+    /* 64 << 35 */
+    { { 0xfbb9b2452133ffd9L,0x39a8b2f1830f1a20L,0x484bc97dd5a1f52aL,
+        0xd6aebf56a40eddf8L },
+      { 0x32257acb76ccdac6L,0xaf4d36ec1586ff27L,0x8eaa8863f8de7dd1L,
+        0x0045d5cf88647c16L } },
+    /* 0 << 42 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 42 */
+    { { 0xa6f3d574c005979dL,0xc2072b426a40e350L,0xfca5c1568de2ecf9L,
+        0xa8c8bf5ba515344eL },
+      { 0x97aee555114df14aL,0xd4374a4dfdc5ec6bL,0x754cc28f2ca85418L,
+        0x71cb9e27d3c41f78L } },
+    /* 2 << 42 */
+    { { 0x8910507903605c39L,0xf0843d9ea142c96cL,0xf374493416923684L,
+        0x732caa2ffa0a2893L },
+      { 0xb2e8c27061160170L,0xc32788cc437fbaa3L,0x39cd818ea6eda3acL,
+        0xe2e942399e2b2e07L } },
+    /* 3 << 42 */
+    { { 0x6967d39b0260e52aL,0xd42585cc90653325L,0x0d9bd60521ca7954L,
+        0x4fa2087781ed57b3L },
+      { 0x60c1eff8e34a0bbeL,0x56b0040c84f6ef64L,0x28be2b24b1af8483L,
+        0xb2278163f5531614L } },
+    /* 4 << 42 */
+    { { 0x8df275455922ac1cL,0xa7b3ef5ca52b3f63L,0x8e77b21471de57c4L,
+        0x31682c10834c008bL },
+      { 0xc76824f04bd55d31L,0xb6d1c08617b61c71L,0x31db0903c2a5089dL,
+        0x9c092172184e5d3fL } },
+    /* 5 << 42 */
+    { { 0xdd7ced5bc00cc638L,0x1a2015eb61278fc2L,0x2e8e52886a37f8d6L,
+        0xc457786fe79933adL },
+      { 0xb3fe4cce2c51211aL,0xad9b10b224c20498L,0x90d87a4fd28db5e5L,
+        0x698cd1053aca2fc3L } },
+    /* 6 << 42 */
+    { { 0x4f112d07e91b536dL,0xceb982f29eba09d6L,0x3c157b2c197c396fL,
+        0xe23c2d417b66eb24L },
+      { 0x480c57d93f330d37L,0xb3a4c8a179108debL,0x702388decb199ce5L,
+        0x0b019211b944a8d4L } },
+    /* 7 << 42 */
+    { { 0x24f2a692840bb336L,0x7c353bdca669fa7bL,0xda20d6fcdec9c300L,
+        0x625fbe2fa13a4f17L },
+      { 0xa2b1b61adbc17328L,0x008965bfa9515621L,0x49690939c620ff46L,
+        0x182dd27d8717e91cL } },
+    /* 8 << 42 */
+    { { 0x5ace5035ea6c3997L,0x54259aaac2610befL,0xef18bb3f3c80dd39L,
+        0x6910b95b5fc3fa39L },
+      { 0xfce2f51043e09aeeL,0xced56c9fa7675665L,0x10e265acd872db61L,
+        0x6982812eae9fce69L } },
+    /* 9 << 42 */
+    { { 0x29be11c6ce800998L,0x72bb1752b90360d9L,0x2c1931975a4ad590L,
+        0x2ba2f5489fc1dbc0L },
+      { 0x7fe4eebbe490ebe0L,0x12a0a4cd7fae11c0L,0x7197cf81e903ba37L,
+        0xcf7d4aa8de1c6dd8L } },
+    /* 10 << 42 */
+    { { 0x92af6bf43fd5684cL,0x2b26eecf80360aa1L,0xbd960f3000546a82L,
+        0x407b3c43f59ad8feL },
+      { 0x86cae5fe249c82baL,0x9e0faec72463744cL,0x87f551e894916272L,
+        0x033f93446ceb0615L } },
+    /* 11 << 42 */
+    { { 0x1e5eb0d18be82e84L,0x89967f0e7a582fefL,0xbcf687d5a6e921faL,
+        0xdfee4cf3d37a09baL },
+      { 0x94f06965b493c465L,0x638b9a1c7635c030L,0x7666786466f05e9fL,
+        0xccaf6808c04da725L } },
+    /* 12 << 42 */
+    { { 0xca2eb690768fccfcL,0xf402d37db835b362L,0x0efac0d0e2fdfcceL,
+        0xefc9cdefb638d990L },
+      { 0x2af12b72d1669a8bL,0x33c536bc5774ccbdL,0x30b21909fb34870eL,
+        0xc38fa2f77df25acaL } },
+    /* 13 << 42 */
+    { { 0x74c5f02bbf81f3f5L,0x0525a5aeaf7e4581L,0x88d2aaba433c54aeL,
+        0xed9775db806a56c5L },
+      { 0xd320738ac0edb37dL,0x25fdb6ee66cc1f51L,0xac661d1710600d76L,
+        0x931ec1f3bdd1ed76L } },
+    /* 14 << 42 */
+    { { 0x65c11d6219ee43f1L,0x5cd57c3e60829d97L,0xd26c91a3984be6e8L,
+        0xf08d93098b0c53bdL },
+      { 0x94bc9e5bc016e4eaL,0xd391683911d43d2bL,0x886c5ad773701155L,
+        0xe037762620b00715L } },
+    /* 15 << 42 */
+    { { 0x7f01c9ecaa80ba59L,0x3083411a68538e51L,0x970370f1e88128afL,
+        0x625cc3db91dec14bL },
+      { 0xfef9666c01ac3107L,0xb2a8d577d5057ac3L,0xb0f2629992be5df7L,
+        0xf579c8e500353924L } },
+    /* 16 << 42 */
+    { { 0xb8fa3d931341ed7aL,0x4223272ca7b59d49L,0x3dcb194783b8c4a4L,
+        0x4e413c01ed1302e4L },
+      { 0x6d999127e17e44ceL,0xee86bf7533b3adfbL,0xf6902fe625aa96caL,
+        0xb73540e4e5aae47dL } },
+    /* 17 << 42 */
+    { { 0x32801d7b1b4a158cL,0xe571c99e27e2a369L,0x40cb76c010d9f197L,
+        0xc308c2893167c0aeL },
+      { 0xa6ef9dd3eb7958f2L,0xa7226dfc300879b1L,0x6cd0b3627edf0636L,
+        0x4efbce6c7bc37eedL } },
+    /* 18 << 42 */
+    { { 0x75f92a058d699021L,0x586d4c79772566e3L,0x378ca5f1761ad23aL,
+        0x650d86fc1465a8acL },
+      { 0x7a4ed457842ba251L,0x6b65e3e642234933L,0xaf1543b731aad657L,
+        0xa4cefe98cbfec369L } },
+    /* 19 << 42 */
+    { { 0xb587da909f47befbL,0x6562e9fb41312d13L,0xa691ea59eff1cefeL,
+        0xcc30477a05fc4cf6L },
+      { 0xa16324610b0ffd3dL,0xa1f16f3b5b355956L,0x5b148d534224ec24L,
+        0xdc834e7bf977012aL } },
+    /* 20 << 42 */
+    { { 0x7bfc5e75b2c69dbcL,0x3aa77a2903c3da6cL,0xde0df03cca910271L,
+        0xcbd5ca4a7806dc55L },
+      { 0xe1ca58076db476cbL,0xfde15d625f37a31eL,0xf49af520f41af416L,
+        0x96c5c5b17d342db5L } },
+    /* 21 << 42 */
+    { { 0x155c43b7eb4ceb9bL,0x2e9930104e77371aL,0x1d2987da675d43afL,
+        0xef2bc1c08599fd72L },
+      { 0x96894b7b9342f6b2L,0x201eadf27c8e71f0L,0xf3479d9f4a1f3efcL,
+        0xe0f8a742702a9704L } },
+    /* 22 << 42 */
+    { { 0xeafd44b6b3eba40cL,0xf9739f29c1c1e0d0L,0x0091471a619d505eL,
+        0xc15f9c969d7c263eL },
+      { 0x5be4728583afbe33L,0xa3b6d6af04f1e092L,0xe76526b9751a9d11L,
+        0x2ec5b26d9a4ae4d2L } },
+    /* 23 << 42 */
+    { { 0xeb66f4d902f6fb8dL,0x4063c56196912164L,0xeb7050c180ef3000L,
+        0x288d1c33eaa5b3f0L },
+      { 0xe87c68d607806fd8L,0xb2f7f9d54bbbf50fL,0x25972f3aac8d6627L,
+        0xf854777410e8c13bL } },
+    /* 24 << 42 */
+    { { 0xcc50ef6c872b4a60L,0xab2a34a44613521bL,0x39c5c190983e15d1L,
+        0x61dde5df59905512L },
+      { 0xe417f6219f2275f3L,0x0750c8b6451d894bL,0x75b04ab978b0bdaaL,
+        0x3bfd9fd4458589bdL } },
+    /* 25 << 42 */
+    { { 0xf1013e30ee9120b6L,0x2b51af9323a4743eL,0xea96ffae48d14d9eL,
+        0x71dc0dbe698a1d32L },
+      { 0x914962d20180cca4L,0x1ae60677c3568963L,0x8cf227b1437bc444L,
+        0xc650c83bc9962c7aL } },
+    /* 26 << 42 */
+    { { 0x23c2c7ddfe7ccfc4L,0xf925c89d1b929d48L,0x4460f74b06783c33L,
+        0xac2c8d49a590475aL },
+      { 0xfb40b407b807bba0L,0x9d1e362d69ff8f3aL,0xa33e9681cbef64a4L,
+        0x67ece5fa332fb4b2L } },
+    /* 27 << 42 */
+    { { 0x6900a99b739f10e3L,0xc3341ca9ff525925L,0xee18a626a9e2d041L,
+        0xa5a8368529580dddL },
+      { 0xf3470c819d7de3cdL,0xedf025862062cf9cL,0xf43522fac010edb0L,
+        0x3031413513a4b1aeL } },
+    /* 28 << 42 */
+    { { 0xc792e02adb22b94bL,0x993d8ae9a1eaa45bL,0x8aad6cd3cd1e1c63L,
+        0x89529ca7c5ce688aL },
+      { 0x2ccee3aae572a253L,0xe02b643802a21efbL,0xa7091b6ec9430358L,
+        0x06d1b1fa9d7db504L } },
+    /* 29 << 42 */
+    { { 0x58846d32c4744733L,0x40517c71379f9e34L,0x2f65655f130ef6caL,
+        0x526e4488f1f3503fL },
+      { 0x8467bd177ee4a976L,0x1d9dc913921363d1L,0xd8d24c33b069e041L,
+        0x5eb5da0a2cdf7f51L } },
+    /* 30 << 42 */
+    { { 0x1c0f3cb1197b994fL,0x3c95a6c52843eae9L,0x7766ffc9a6097ea5L,
+        0x7bea4093d723b867L },
+      { 0xb48e1f734db378f9L,0x70025b00e37b77acL,0x943dc8e7af24ad46L,
+        0xb98a15ac16d00a85L } },
+    /* 31 << 42 */
+    { { 0x3adc38ba2743b004L,0xb1c7f4f7334415eeL,0xea43df8f1e62d05aL,
+        0x326189059d76a3b6L },
+      { 0x2fbd0bb5a23a0f46L,0x5bc971db6a01918cL,0x7801d94ab4743f94L,
+        0xb94df65e676ae22bL } },
+    /* 32 << 42 */
+    { { 0xaafcbfabaf95894cL,0x7b9bdc07276b2241L,0xeaf983625bdda48bL,
+        0x5977faf2a3fcb4dfL },
+      { 0xbed042ef052c4b5bL,0x9fe87f71067591f0L,0xc89c73ca22f24ec7L,
+        0x7d37fa9ee64a9f1bL } },
+    /* 33 << 42 */
+    { { 0x2710841a15562627L,0x2c01a613c243b034L,0x1d135c562bc68609L,
+        0xc2ca17158b03f1f6L },
+      { 0xc9966c2d3eb81d82L,0xc02abf4a8f6df13eL,0x77b34bd78f72b43bL,
+        0xaff6218f360c82b0L } },
+    /* 34 << 42 */
+    { { 0x0aa5726c8d55b9d2L,0xdc0adbe999e9bffbL,0x9097549cefb9e72aL,
+        0x167557129dfb3111L },
+      { 0xdd8bf984f26847f9L,0xbcb8e387dfb30cb7L,0xc1fd32a75171ef9cL,
+        0x977f3fc7389b363fL } },
+    /* 35 << 42 */
+    { { 0x116eaf2bf4babda0L,0xfeab68bdf7113c8eL,0xd1e3f064b7def526L,
+        0x1ac30885e0b3fa02L },
+      { 0x1c5a6e7b40142d9dL,0x839b560330921c0bL,0x48f301fa36a116a3L,
+        0x380e1107cfd9ee6dL } },
+    /* 36 << 42 */
+    { { 0x7945ead858854be1L,0x4111c12ecbd4d49dL,0xece3b1ec3a29c2efL,
+        0x6356d4048d3616f5L },
+      { 0x9f0d6a8f594d320eL,0x0989316df651ccd2L,0x6c32117a0f8fdde4L,
+        0x9abe5cc5a26a9bbcL } },
+    /* 37 << 42 */
+    { { 0xcff560fb9723f671L,0x21b2a12d7f3d593cL,0xe4cb18da24ba0696L,
+        0x186e2220c3543384L },
+      { 0x722f64e088312c29L,0x94282a9917dc7752L,0x62467bbf5a85ee89L,
+        0xf435c650f10076a0L } },
+    /* 38 << 42 */
+    { { 0xc9ff153943b3a50bL,0x7132130c1a53efbcL,0x31bfe063f7b0c5b7L,
+        0xb0179a7d4ea994ccL },
+      { 0x12d064b3c85f455bL,0x472593288f6e0062L,0xf64e590bb875d6d9L,
+        0x22dd6225ad92bcc7L } },
+    /* 39 << 42 */
+    { { 0xb658038eb9c3bd6dL,0x00cdb0d6fbba27c8L,0x0c6813371062c45dL,
+        0xd8515b8c2d33407dL },
+      { 0xcb8f699e8cbb5ecfL,0x8c4347f8c608d7d8L,0x2c11850abb3e00dbL,
+        0x20a8dafdecb49d19L } },
+    /* 40 << 42 */
+    { { 0xbd78148045ee2f40L,0x75e354af416b60cfL,0xde0b58a18d49a8c4L,
+        0xe40e94e2fa359536L },
+      { 0xbd4fa59f62accd76L,0x05cf466a8c762837L,0xb5abda99448c277bL,
+        0x5a9e01bf48b13740L } },
+    /* 41 << 42 */
+    { { 0x9d457798326aad8dL,0xbdef4954c396f7e7L,0x6fb274a2c253e292L,
+        0x2800bf0a1cfe53e7L },
+      { 0x22426d3144438fd4L,0xef2339235e259f9aL,0x4188503c03f66264L,
+        0x9e5e7f137f9fdfabL } },
+    /* 42 << 42 */
+    { { 0x565eb76c5fcc1abaL,0xea63254859b5bff8L,0x5587c087aab6d3faL,
+        0x92b639ea6ce39c1bL },
+      { 0x0706e782953b135cL,0x7308912e425268efL,0x599e92c7090e7469L,
+        0x83b90f529bc35e75L } },
+    /* 43 << 42 */
+    { { 0x4750b3d0244975b3L,0xf3a4435811965d72L,0x179c67749c8dc751L,
+        0xff18cdfed23d9ff0L },
+      { 0xc40138332028e247L,0x96e280e2f3bfbc79L,0xf60417bdd0880a84L,
+        0x263c9f3d2a568151L } },
+    /* 44 << 42 */
+    { { 0x36be15b32d2ce811L,0x846dc0c2f8291d21L,0x5cfa0ecb789fcfdbL,
+        0x45a0beedd7535b9aL },
+      { 0xec8e9f0796d69af1L,0x31a7c5b8599ab6dcL,0xd36d45eff9e2e09fL,
+        0x3cf49ef1dcee954bL } },
+    /* 45 << 42 */
+    { { 0x6be34cf3086cff9bL,0x88dbd49139a3360fL,0x1e96b8cc0dbfbd1dL,
+        0xc1e5f7bfcb7e2552L },
+      { 0x0547b21428819d98L,0xc770dd9c7aea9dcbL,0xaef0d4c7041d68c8L,
+        0xcc2b981813cb9ba8L } },
+    /* 46 << 42 */
+    { { 0x7fc7bc76fe86c607L,0x6b7b9337502a9a95L,0x1948dc27d14dab63L,
+        0x249dd198dae047beL },
+      { 0xe8356584a981a202L,0x3531dd183a893387L,0x1be11f90c85c7209L,
+        0x93d2fe1ee2a52b5aL } },
+    /* 47 << 42 */
+    { { 0x8225bfe2ec6d6b97L,0x9cf6d6f4bd0aa5deL,0x911459cb54779f5fL,
+        0x5649cddb86aeb1f3L },
+      { 0x321335793f26ce5aL,0xc289a102550f431eL,0x559dcfda73b84c6fL,
+        0x84973819ee3ac4d7L } },
+    /* 48 << 42 */
+    { { 0xb51e55e6f2606a82L,0xe25f706190f2fb57L,0xacef6c2ab1a4e37cL,
+        0x864e359d5dcf2706L },
+      { 0x479e6b187ce57316L,0x2cab25003a96b23dL,0xed4898628ef16df7L,
+        0x2056538cef3758b5L } },
+    /* 49 << 42 */
+    { { 0xa7df865ef15d3101L,0x80c5533a61b553d7L,0x366e19974ed14294L,
+        0x6620741fb3c0bcd6L },
+      { 0x21d1d9c4edc45418L,0x005b859ec1cc4a9dL,0xdf01f630a1c462f0L,
+        0x15d06cf3f26820c7L } },
+    /* 50 << 42 */
+    { { 0x9f7f24ee3484be47L,0x2ff33e964a0c902fL,0x00bdf4575a0bc453L,
+        0x2378dfaf1aa238dbL },
+      { 0x272420ec856720f2L,0x2ad9d95b96797291L,0xd1242cc6768a1558L,
+        0x2e287f8b5cc86aa8L } },
+    /* 51 << 42 */
+    { { 0x796873d0990cecaaL,0xade55f81675d4080L,0x2645eea321f0cd84L,
+        0x7a1efa0fb4e17d02L },
+      { 0xf6858420037cc061L,0x682e05f0d5d43e12L,0x59c3699427218710L,
+        0x85cbba4d3f7cd2fcL } },
+    /* 52 << 42 */
+    { { 0x726f97297a3cd22aL,0x9f8cd5dc4a628397L,0x17b93ab9c23165edL,
+        0xff5f5dbf122823d4L },
+      { 0xc1e4e4b5654a446dL,0xd1a9496f677257baL,0x6387ba94de766a56L,
+        0x23608bc8521ec74aL } },
+    /* 53 << 42 */
+    { { 0x16a522d76688c4d4L,0x9d6b428207373abdL,0xa62f07acb42efaa3L,
+        0xf73e00f7e3b90180L },
+      { 0x36175fec49421c3eL,0xc4e44f9b3dcf2678L,0x76df436b7220f09fL,
+        0x172755fb3aa8b6cfL } },
+    /* 54 << 42 */
+    { { 0xbab89d57446139ccL,0x0a0a6e025fe0208fL,0xcdbb63e211e5d399L,
+        0x33ecaa12a8977f0bL },
+      { 0x59598b21f7c42664L,0xb3e91b32ab65d08aL,0x035822eef4502526L,
+        0x1dcf0176720a82a9L } },
+    /* 55 << 42 */
+    { { 0x50f8598f3d589e02L,0xdf0478ffb1d63d2cL,0x8b8068bd1571cd07L,
+        0x30c3aa4fd79670cdL },
+      { 0x25e8fd4b941ade7fL,0x3d1debdc32790011L,0x65b6dcbd3a3f9ff0L,
+        0x282736a4793de69cL } },
+    /* 56 << 42 */
+    { { 0xef69a0c3d41d3bd3L,0xb533b8c907a26bdeL,0xe2801d97db2edf9fL,
+        0xdc4a8269e1877af0L },
+      { 0x6c1c58513d590dbeL,0x84632f6bee4e9357L,0xd36d36b779b33374L,
+        0xb46833e39bbca2e6L } },
+    /* 57 << 42 */
+    { { 0x37893913f7fc0586L,0x385315f766bf4719L,0x72c56293b31855dcL,
+        0xd1416d4e849061feL },
+      { 0xbeb3ab7851047213L,0x447f6e61f040c996L,0xd06d310d638b1d0cL,
+        0xe28a413fbad1522eL } },
+    /* 58 << 42 */
+    { { 0x685a76cb82003f86L,0x610d07f70bcdbca3L,0x6ff660219ca4c455L,
+        0x7df39b87cea10eecL },
+      { 0xb9255f96e22db218L,0x8cc6d9eb08a34c44L,0xcd4ffb86859f9276L,
+        0x8fa15eb250d07335L } },
+    /* 59 << 42 */
+    { { 0xdf553845cf2c24b5L,0x89f66a9f52f9c3baL,0x8f22b5b9e4a7ceb3L,
+        0xaffef8090e134686L },
+      { 0x3e53e1c68eb8fac2L,0x93c1e4eb28aec98eL,0xb6b91ec532a43bcbL,
+        0x2dbfa947b2d74a51L } },
+    /* 60 << 42 */
+    { { 0xe065d190ca84bad7L,0xfb13919fad58e65cL,0x3c41718bf1cb6e31L,
+        0x688969f006d05c3fL },
+      { 0xd4f94ce721264d45L,0xfdfb65e97367532bL,0x5b1be8b10945a39dL,
+        0x229f789c2b8baf3bL } },
+    /* 61 << 42 */
+    { { 0xd8f41f3e6f49f15dL,0x678ce828907f0792L,0xc69ace82fca6e867L,
+        0x106451aed01dcc89L },
+      { 0x1bb4f7f019fc32d2L,0x64633dfcb00c52d2L,0x8f13549aad9ea445L,
+        0x99a3bf50fb323705L } },
+    /* 62 << 42 */
+    { { 0x0c9625a2534d4dbcL,0x45b8f1d1c2a2fea3L,0x76ec21a1a530fc1aL,
+        0x4bac9c2a9e5bd734L },
+      { 0x5996d76a7b4e3587L,0x0045cdee1182d9e3L,0x1aee24b91207f13dL,
+        0x66452e9797345a41L } },
+    /* 63 << 42 */
+    { { 0x16e5b0549f950cd0L,0x9cc72fb1d7fdd075L,0x6edd61e766249663L,
+        0xde4caa4df043cccbL },
+      { 0x11b1f57a55c7ac17L,0x779cbd441a85e24dL,0x78030f86e46081e7L,
+        0xfd4a60328e20f643L } },
+    /* 64 << 42 */
+    { { 0xcc7a64880a750c0fL,0x39bacfe34e548e83L,0x3d418c760c110f05L,
+        0x3e4daa4cb1f11588L },
+      { 0x2733e7b55ffc69ffL,0x46f147bc92053127L,0x885b2434d722df94L,
+        0x6a444f65e6fc6b7cL } },
+    /* 0 << 49 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 49 */
+    { { 0x7a1a465ac3f16ea8L,0x115a461db2f1d11cL,0x4767dd956c68a172L,
+        0x3392f2ebd13a4698L },
+      { 0xc7a99ccde526cdc7L,0x8e537fdc22292b81L,0x76d8cf69a6d39198L,
+        0xffc5ff432446852dL } },
+    /* 2 << 49 */
+    { { 0x97b14f7ea90567e6L,0x513257b7b6ae5cb7L,0x85454a3c9f10903dL,
+        0xd8d2c9ad69bc3724L },
+      { 0x38da93246b29cb44L,0xb540a21d77c8cbacL,0x9bbfe43501918e42L,
+        0xfffa707a56c3614eL } },
+    /* 3 << 49 */
+    { { 0x0ce4e3f1d4e353b7L,0x062d8a14ef46b0a0L,0x6408d5ab574b73fdL,
+        0xbc41d1c9d3273ffdL },
+      { 0x3538e1e76be77800L,0x71fe8b37c5655031L,0x1cd916216b9b331aL,
+        0xad825d0bbb388f73L } },
+    /* 4 << 49 */
+    { { 0x56c2e05b1cb76219L,0x0ec0bf9171567e7eL,0xe7076f8661c4c910L,
+        0xd67b085bbabc04d9L },
+      { 0x9fb904595e93a96aL,0x7526c1eafbdc249aL,0x0d44d367ecdd0bb7L,
+        0x953999179dc0d695L } },
+    /* 5 << 49 */
+    { { 0x61360ee99e240d18L,0x057cdcacb4b94466L,0xe7667cd12fe5325cL,
+        0x1fa297b521974e3bL },
+      { 0xfa4081e7db083d76L,0x31993be6f206bd15L,0x8949269b14c19f8cL,
+        0x21468d72a9d92357L } },
+    /* 6 << 49 */
+    { { 0x2ccbc583a4c506ecL,0x957ed188d1acfe97L,0x8baed83312f1aea2L,
+        0xef2a6cb48325362dL },
+      { 0x130dde428e195c43L,0xc842025a0e6050c6L,0x2da972a708686a5dL,
+        0xb52999a1e508b4a8L } },
+    /* 7 << 49 */
+    { { 0xd9f090b910a5a8bdL,0xca91d249096864daL,0x8e6a93be3f67dbc1L,
+        0xacae6fbaf5f4764cL },
+      { 0x1563c6e0d21411a0L,0x28fa787fda0a4ad8L,0xd524491c908c8030L,
+        0x1257ba0e4c795f07L } },
+    /* 8 << 49 */
+    { { 0x83f49167ceca9754L,0x426d2cf64b7939a0L,0x2555e355723fd0bfL,
+        0xa96e6d06c4f144e2L },
+      { 0x4768a8dd87880e61L,0x15543815e508e4d5L,0x09d7e772b1b65e15L,
+        0x63439dd6ac302fa0L } },
+    /* 9 << 49 */
+    { { 0xb93f802fc14e35c2L,0x71735b7c4341333cL,0x03a2510416d4f362L,
+        0x3f4d069bbf433c8eL },
+      { 0x0d83ae01f78f5a7cL,0x50a8ffbe7c4eed07L,0xc74f890676e10f83L,
+        0x7d0809669ddaf8e1L } },
+    /* 10 << 49 */
+    { { 0xb11df8e1698e04ccL,0x877be203169005c8L,0x32749e8c4f3c6179L,
+        0x2dbc9d0a7853fc05L },
+      { 0x187d4f939454d937L,0xe682ce9db4800e1bL,0xa9129ad8165e68e8L,
+        0x0fe29735be7f785bL } },
+    /* 11 << 49 */
+    { { 0x5303f40c5b9e02b7L,0xa37c969235ee04e8L,0x5f46cc2034d6632bL,
+        0x55ef72b296ac545bL },
+      { 0xabec5c1f7b91b062L,0x0a79e1c7bb33e821L,0xbb04b4283a9f4117L,
+        0x0de1f28ffd2a475aL } },
+    /* 12 << 49 */
+    { { 0x31019ccf3a4434b4L,0xa34581111a7954dcL,0xa9dac80de34972a7L,
+        0xb043d05474f6b8ddL },
+      { 0x021c319e11137b1aL,0x00a754ceed5cc03fL,0x0aa2c794cbea5ad4L,
+        0x093e67f470c015b6L } },
+    /* 13 << 49 */
+    { { 0x72cdfee9c97e3f6bL,0xc10bcab4b6da7461L,0x3b02d2fcb59806b9L,
+        0x85185e89a1de6f47L },
+      { 0x39e6931f0eb6c4d4L,0x4d4440bdd4fa5b04L,0x5418786e34be7eb8L,
+        0x6380e5219d7259bcL } },
+    /* 14 << 49 */
+    { { 0x20ac0351d598d710L,0x272c4166cb3a4da4L,0xdb82fe1aca71de1fL,
+        0x746e79f2d8f54b0fL },
+      { 0x6e7fc7364b573e9bL,0x75d03f46fd4b5040L,0x5c1cc36d0b98d87bL,
+        0x513ba3f11f472da1L } },
+    /* 15 << 49 */
+    { { 0x79d0af26abb177ddL,0xf82ab5687891d564L,0x2b6768a972232173L,
+        0xefbb3bb08c1f6619L },
+      { 0xb29c11dba6d18358L,0x519e2797b0916d3aL,0xd4dc18f09188e290L,
+        0x648e86e398b0ca7fL } },
+    /* 16 << 49 */
+    { { 0x859d3145983c38b5L,0xb14f176c637abc8bL,0x2793fb9dcaff7be6L,
+        0xebe5a55f35a66a5aL },
+      { 0x7cec1dcd9f87dc59L,0x7c595cd3fbdbf560L,0x5b543b2226eb3257L,
+        0x69080646c4c935fdL } },
+    /* 17 << 49 */
+    { { 0x7f2e440381e9ede3L,0x243c3894caf6df0aL,0x7c605bb11c073b11L,
+        0xcd06a541ba6a4a62L },
+      { 0x2916894949d4e2e5L,0x33649d074af66880L,0xbfc0c885e9a85035L,
+        0xb4e52113fc410f4bL } },
+    /* 18 << 49 */
+    { { 0xdca3b70678a6513bL,0x92ea4a2a9edb1943L,0x02642216db6e2dd8L,
+        0x9b45d0b49fd57894L },
+      { 0x114e70dbc69d11aeL,0x1477dd194c57595fL,0xbc2208b4ec77c272L,
+        0x95c5b4d7db68f59cL } },
+    /* 19 << 49 */
+    { { 0xb8c4fc6342e532b7L,0x386ba4229ae35290L,0xfb5dda42d201ecbcL,
+        0x2353dc8ba0e38fd6L },
+      { 0x9a0b85ea68f7e978L,0x96ec56822ad6d11fL,0x5e279d6ce5f6886dL,
+        0xd3fe03cd3cb1914dL } },
+    /* 20 << 49 */
+    { { 0xfe541fa47ea67c77L,0x952bd2afe3ea810cL,0x791fef568d01d374L,
+        0xa3a1c6210f11336eL },
+      { 0x5ad0d5a9c7ec6d79L,0xff7038af3225c342L,0x003c6689bc69601bL,
+        0x25059bc745e8747dL } },
+    /* 21 << 49 */
+    { { 0xfa4965b2f2086fbfL,0xf6840ea686916078L,0xd7ac762070081d6cL,
+        0xe600da31b5328645L },
+      { 0x01916f63529b8a80L,0xe80e48582d7d6f3eL,0x29eb0fe8d664ca7cL,
+        0xf017637be7b43b0cL } },
+    /* 22 << 49 */
+    { { 0x9a75c80676cb2566L,0x8f76acb1b24892d9L,0x7ae7b9cc1f08fe45L,
+        0x19ef73296a4907d8L },
+      { 0x2db4ab715f228bf0L,0xf3cdea39817032d7L,0x0b1f482edcabe3c0L,
+        0x3baf76b4bb86325cL } },
+    /* 23 << 49 */
+    { { 0xd49065e010089465L,0x3bab5d298e77c596L,0x7636c3a6193dbd95L,
+        0xdef5d294b246e499L },
+      { 0xb22c58b9286b2475L,0xa0b93939cd80862bL,0x3002c83af0992388L,
+        0x6de01f9beacbe14cL } },
+    /* 24 << 49 */
+    { { 0x6aac688eadd70482L,0x708de92a7b4a4e8aL,0x75b6dd73758a6eefL,
+        0xea4bf352725b3c43L },
+      { 0x10041f2c87912868L,0xb1b1be95ef09297aL,0x19ae23c5a9f3860aL,
+        0xc4f0f839515dcf4bL } },
+    /* 25 << 49 */
+    { { 0x3c7ecca397f6306aL,0x744c44ae68a3a4b0L,0x69cd13a0b3a1d8a2L,
+        0x7cad0a1e5256b578L },
+      { 0xea653fcd33791d9eL,0x9cc2a05d74b2e05fL,0x73b391dcfd7affa2L,
+        0xddb7091eb6b05442L } },
+    /* 26 << 49 */
+    { { 0xc71e27bf8538a5c6L,0x195c63dd89abff17L,0xfd3152851b71e3daL,
+        0x9cbdfda7fa680fa0L },
+      { 0x9db876ca849d7eabL,0xebe2764b3c273271L,0x663357e3f208dceaL,
+        0x8c5bd833565b1b70L } },
+    /* 27 << 49 */
+    { { 0xccc3b4f59837fc0dL,0x9b641ba8a79cf00fL,0x7428243ddfdf3990L,
+        0x83a594c4020786b1L },
+      { 0xb712451a526c4502L,0x9d39438e6adb3f93L,0xfdb261e3e9ff0ccdL,
+        0x80344e3ce07af4c3L } },
+    /* 28 << 49 */
+    { { 0x75900d7c2fa4f126L,0x08a3b8655c99a232L,0x2478b6bfdb25e0c3L,
+        0x482cc2c271db2edfL },
+      { 0x37df7e645f321bb8L,0x8a93821b9a8005b4L,0x3fa2f10ccc8c1958L,
+        0x0d3322182c269d0aL } },
+    /* 29 << 49 */
+    { { 0x20ab8119e246b0e6L,0xb39781e4d349fd17L,0xd293231eb31aa100L,
+        0x4b779c97bb032168L },
+      { 0x4b3f19e1c8470500L,0x45b7efe90c4c869dL,0xdb84f38aa1a6bbccL,
+        0x3b59cb15b2fddbc1L } },
+    /* 30 << 49 */
+    { { 0xba5514df3fd165e8L,0x499fd6a9061f8811L,0x72cd1fe0bfef9f00L,
+        0x120a4bb979ad7e8aL },
+      { 0xf2ffd0955f4a5ac5L,0xcfd174f195a7a2f0L,0xd42301ba9d17baf1L,
+        0xd2fa487a77f22089L } },
+    /* 31 << 49 */
+    { { 0x9cb09efeb1dc77e1L,0xe956693921c99682L,0x8c5469016c6067bbL,
+        0xfd37857461c24456L },
+      { 0x2b6a6cbe81796b33L,0x62d550f658e87f8bL,0x1b763e1c7f1b01b4L,
+        0x4b93cfea1b1b5e12L } },
+    /* 32 << 49 */
+    { { 0xb93452381d531696L,0x57201c0088cdde69L,0xdde922519a86afc7L,
+        0xe3043895bd35cea8L },
+      { 0x7608c1e18555970dL,0x8267dfa92535935eL,0xd4c60a57322ea38bL,
+        0xe0bf7977804ef8b5L } },
+    /* 33 << 49 */
+    { { 0x1a0dab28c06fece4L,0xd405991e94e7b49dL,0xc542b6d2706dab28L,
+        0xcb228da3a91618fbL },
+      { 0x224e4164107d1ceaL,0xeb9fdab3d0f5d8f1L,0xc02ba3860d6e41cdL,
+        0x676a72c59b1f7146L } },
+    /* 34 << 49 */
+    { { 0xffd6dd984d6cb00bL,0xcef9c5cade2e8d7cL,0xa1bbf5d7641c7936L,
+        0x1b95b230ee8f772eL },
+      { 0xf765a92ee8ac25b1L,0xceb04cfc3a18b7c6L,0x27944cef0acc8966L,
+        0xcbb3c957434c1004L } },
+    /* 35 << 49 */
+    { { 0x9c9971a1a43ff93cL,0x5bc2db17a1e358a9L,0x45b4862ea8d9bc82L,
+        0x70ebfbfb2201e052L },
+      { 0xafdf64c792871591L,0xea5bcae6b42d0219L,0xde536c552ad8f03cL,
+        0xcd6c3f4da76aa33cL } },
+    /* 36 << 49 */
+    { { 0xbeb5f6230bca6de3L,0xdd20dd99b1e706fdL,0x90b3ff9dac9059d4L,
+        0x2d7b29027ccccc4eL },
+      { 0x8a090a59ce98840fL,0xa5d947e08410680aL,0x49ae346a923379a5L,
+        0x7dbc84f9b28a3156L } },
+    /* 37 << 49 */
+    { { 0xfd40d91654a1aff2L,0xabf318ba3a78fb9bL,0x50152ed83029f95eL,
+        0x9fc1dd77c58ad7faL },
+      { 0x5fa5791513595c17L,0xb95046688f62b3a9L,0x907b5b24ff3055b0L,
+        0x2e995e359a84f125L } },
+    /* 38 << 49 */
+    { { 0x87dacf697e9bbcfbL,0x95d0c1d6e86d96e3L,0x65726e3c2d95a75cL,
+        0x2c3c9001acd27f21L },
+      { 0x1deab5616c973f57L,0x108b7e2ca5221643L,0x5fee9859c4ef79d4L,
+        0xbd62b88a40d4b8c6L } },
+    /* 39 << 49 */
+    { { 0xb4dd29c4197c75d6L,0x266a6df2b7076febL,0x9512d0ea4bf2df11L,
+        0x1320c24f6b0cc9ecL },
+      { 0x6bb1e0e101a59596L,0x8317c5bbeff9aaacL,0x65bb405e385aa6c9L,
+        0x613439c18f07988fL } },
+    /* 40 << 49 */
+    { { 0xd730049f16a66e91L,0xe97f2820fa1b0e0dL,0x4131e003304c28eaL,
+        0x820ab732526bac62L },
+      { 0xb2ac9ef928714423L,0x54ecfffaadb10cb2L,0x8781476ef886a4ccL,
+        0x4b2c87b5db2f8d49L } },
+    /* 41 << 49 */
+    { { 0xe857cd200a44295dL,0x707d7d2158c6b044L,0xae8521f9f596757cL,
+        0x87448f0367b2b714L },
+      { 0x13a9bc455ebcd58dL,0x79bcced99122d3c1L,0x3c6442479e076642L,
+        0x0cf227782df4767dL } },
+    /* 42 << 49 */
+    { { 0x5e61aee471d444b6L,0x211236bfc5084a1dL,0x7e15bc9a4fd3eaf6L,
+        0x68df2c34ab622bf5L },
+      { 0x9e674f0f59bf4f36L,0xf883669bd7f34d73L,0xc48ac1b831497b1dL,
+        0x323b925d5106703bL } },
+    /* 43 << 49 */
+    { { 0x22156f4274082008L,0xeffc521ac8482bcbL,0x5c6831bf12173479L,
+        0xcaa2528fc4739490L },
+      { 0x84d2102a8f1b3c4dL,0xcf64dfc12d9bec0dL,0x433febad78a546efL,
+        0x1f621ec37b73cef1L } },
+    /* 44 << 49 */
+    { { 0x6aecd62737338615L,0x162082ab01d8edf6L,0x833a811919e86b66L,
+        0x6023a251d299b5dbL },
+      { 0xf5bb0c3abbf04b89L,0x6735eb69ae749a44L,0xd0e058c54713de3bL,
+        0xfdf2593e2c3d4ccdL } },
+    /* 45 << 49 */
+    { { 0x1b8f414efdd23667L,0xdd52aacafa2015eeL,0x3e31b517bd9625ffL,
+        0x5ec9322d8db5918cL },
+      { 0xbc73ac85a96f5294L,0x82aa5bf361a0666aL,0x49755810bf08ac42L,
+        0xd21cdfd5891cedfcL } },
+    /* 46 << 49 */
+    { { 0x918cb57b67f8be10L,0x365d1a7c56ffa726L,0x2435c5046532de93L,
+        0xc0fc5e102674cd02L },
+      { 0x6e51fcf89cbbb142L,0x1d436e5aafc50692L,0x766bffff3fbcae22L,
+        0x3148c2fdfd55d3b8L } },
+    /* 47 << 49 */
+    { { 0x52c7fdc9233222faL,0x89ff1092e419fb6bL,0x3cd6db9925254977L,
+        0x2e85a1611cf12ca7L },
+      { 0xadd2547cdc810bc9L,0xea3f458f9d257c22L,0x642c1fbe27d6b19bL,
+        0xed07e6b5140481a6L } },
+    /* 48 << 49 */
+    { { 0x6ada1d4286d2e0f8L,0xe59201220e8a9fd5L,0x02c936af708c1b49L,
+        0x60f30fee2b4bfaffL },
+      { 0x6637ad06858e6a61L,0xce4c77673fd374d0L,0x39d54b2d7188defbL,
+        0xa8c9d250f56a6b66L } },
+    /* 49 << 49 */
+    { { 0x58fc0f5eb24fe1dcL,0x9eaf9dee6b73f24cL,0xa90d588b33650705L,
+        0xde5b62c5af2ec729L },
+      { 0x5c72cfaed3c2b36eL,0x868c19d5034435daL,0x88605f93e17ee145L,
+        0xaa60c4ee77a5d5b1L } },
+    /* 50 << 49 */
+    { { 0xbcf5bfd23b60c472L,0xaf4ef13ceb1d3049L,0x373f44fce13895c9L,
+        0xf29b382f0cbc9822L },
+      { 0x1bfcb85373efaef6L,0xcf56ac9ca8c96f40L,0xd7adf1097a191e24L,
+        0x98035f44bf8a8dc2L } },
+    /* 51 << 49 */
+    { { 0xf40a71b91e750c84L,0xc57f7b0c5dc6c469L,0x49a0e79c6fbc19c1L,
+        0x6b0f5889a48ebdb8L },
+      { 0x5d3fd084a07c4e9fL,0xc3830111ab27de14L,0x0e4929fe33e08dccL,
+        0xf4a5ad2440bb73a3L } },
+    /* 52 << 49 */
+    { { 0xde86c2bf490f97caL,0x288f09c667a1ce18L,0x364bb8861844478dL,
+        0x7840fa42ceedb040L },
+      { 0x1269fdd25a631b37L,0x94761f1ea47c8b7dL,0xfc0c2e17481c6266L,
+        0x85e16ea23daa5fa7L } },
+    /* 53 << 49 */
+    { { 0xccd8603392491048L,0x0c2f6963f4d402d7L,0x6336f7dfdf6a865cL,
+        0x0a2a463cb5c02a87L },
+      { 0xb0e29be7bf2f12eeL,0xf0a2200266bad988L,0x27f87e039123c1d7L,
+        0x21669c55328a8c98L } },
+    /* 54 << 49 */
+    { { 0x186b980392f14529L,0xd3d056cc63954df3L,0x2f03fd58175a46f6L,
+        0x63e34ebe11558558L },
+      { 0xe13fedee5b80cfa5L,0xe872a120d401dbd1L,0x52657616e8a9d667L,
+        0xbc8da4b6e08d6693L } },
+    /* 55 << 49 */
+    { { 0x370fb9bb1b703e75L,0x6773b186d4338363L,0x18dad378ecef7bffL,
+        0xaac787ed995677daL },
+      { 0x4801ea8b0437164bL,0xf430ad2073fe795eL,0xb164154d8ee5eb73L,
+        0x0884ecd8108f7c0eL } },
+    /* 56 << 49 */
+    { { 0x0e6ec0965f520698L,0x640631fe44f7b8d9L,0x92fd34fca35a68b9L,
+        0x9c5a4b664d40cf4eL },
+      { 0x949454bf80b6783dL,0x80e701fe3a320a10L,0x8d1a564a1a0a39b2L,
+        0x1436d53d320587dbL } },
+    /* 57 << 49 */
+    { { 0xf5096e6d6556c362L,0xbc23a3c0e2455d7eL,0x3a7aee54807230f9L,
+        0x9ba1cfa622ae82fdL },
+      { 0x833a057a99c5d706L,0x8be85f4b842315c9L,0xd083179a66a72f12L,
+        0x2fc77d5dcdcc73cdL } },
+    /* 58 << 49 */
+    { { 0x22b88a805616ee30L,0xfb09548fe7ab1083L,0x8ad6ab0d511270cdL,
+        0x61f6c57a6924d9abL },
+      { 0xa0f7bf7290aecb08L,0x849f87c90df784a4L,0x27c79c15cfaf1d03L,
+        0xbbf9f675c463faceL } },
+    /* 59 << 49 */
+    { { 0x91502c65765ba543L,0x18ce3cac42ea60ddL,0xe5cee6ac6e43ecb3L,
+        0x63e4e91068f2aeebL },
+      { 0x26234fa3c85932eeL,0x96883e8b4c90c44dL,0x29b9e738a18a50f6L,
+        0xbfc62b2a3f0420dfL } },
+    /* 60 << 49 */
+    { { 0xd22a7d906d3e1fa9L,0x17115618fe05b8a3L,0x2a0c9926bb2b9c01L,
+        0xc739fcc6e07e76a2L },
+      { 0x540e9157165e439aL,0x06353a626a9063d8L,0x84d9559461e927a3L,
+        0x013b9b26e2e0be7fL } },
+    /* 61 << 49 */
+    { { 0x4feaec3b973497f1L,0x15c0f94e093ebc2dL,0x6af5f22733af0583L,
+        0x0c2af206c61f3340L },
+      { 0xd25dbdf14457397cL,0x2e8ed017cabcbae0L,0xe3010938c2815306L,
+        0xbaa99337e8c6cd68L } },
+    /* 62 << 49 */
+    { { 0x085131823b0ec7deL,0x1e1b822b58df05dfL,0x5c14842fa5c3b683L,
+        0x98fe977e3eba34ceL },
+      { 0xfd2316c20d5e8873L,0xe48d839abd0d427dL,0x495b2218623fc961L,
+        0x24ee56e7b46fba5eL } },
+    /* 63 << 49 */
+    { { 0x9184a55b91e4de58L,0xa7488ca5dfdea288L,0xa723862ea8dcc943L,
+        0x92d762b2849dc0fcL },
+      { 0x3c444a12091ff4a9L,0x581113fa0cada274L,0xb9de0a4530d8eae2L,
+        0x5e0fcd85df6b41eaL } },
+    /* 64 << 49 */
+    { { 0x6233ea68c094dbb5L,0xb77d062ed968d410L,0x3e719bbc58b3002dL,
+        0x68e7dd3d3dc49d58L },
+      { 0x8d825740013a5e58L,0x213117473c9e3c1bL,0x0cb0a2a77c99b6abL,
+        0x5c48a3b3c2f888f2L } },
+    /* 0 << 56 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 56 */
+    { { 0xc7913e91991724f3L,0x5eda799c39cbd686L,0xddb595c763d4fc1eL,
+        0x6b63b80bac4fed54L },
+      { 0x6ea0fc697e5fb516L,0x737708bad0f1c964L,0x9628745f11a92ca5L,
+        0x61f379589a86967aL } },
+    /* 2 << 56 */
+    { { 0x9af39b2caa665072L,0x78322fa4efd324efL,0x3d153394c327bd31L,
+        0x81d5f2713129dab0L },
+      { 0xc72e0c42f48027f5L,0xaa40cdbc8536e717L,0xf45a657a2d369d0fL,
+        0xb03bbfc4ea7f74e6L } },
+    /* 3 << 56 */
+    { { 0x46a8c4180d738dedL,0x6f1a5bb0e0de5729L,0xf10230b98ba81675L,
+        0x32c6f30c112b33d4L },
+      { 0x7559129dd8fffb62L,0x6a281b47b459bf05L,0x77c1bd3afa3b6776L,
+        0x0709b3807829973aL } },
+    /* 4 << 56 */
+    { { 0x8c26b232a3326505L,0x38d69272ee1d41bfL,0x0459453effe32afaL,
+        0xce8143ad7cb3ea87L },
+      { 0x932ec1fa7e6ab666L,0x6cd2d23022286264L,0x459a46fe6736f8edL,
+        0x50bf0d009eca85bbL } },
+    /* 5 << 56 */
+    { { 0x0b825852877a21ecL,0x300414a70f537a94L,0x3f1cba4021a9a6a2L,
+        0x50824eee76943c00L },
+      { 0xa0dbfcecf83cba5dL,0xf953814893b4f3c0L,0x6174416248f24dd7L,
+        0x5322d64de4fb09ddL } },
+    /* 6 << 56 */
+    { { 0x574473843d9325f3L,0xa9bef2d0f371cb84L,0x77d2188ba61e36c5L,
+        0xbbd6a7d7c602df72L },
+      { 0xba3aa9028f61bc0bL,0xf49085ed6ed0b6a1L,0x8bc625d6ae6e8298L,
+        0x832b0b1da2e9c01dL } },
+    /* 7 << 56 */
+    { { 0xa337c447f1f0ced1L,0x800cc7939492dd2bL,0x4b93151dbea08efaL,
+        0x820cf3f8de0a741eL },
+      { 0xff1982dc1c0f7d13L,0xef92196084dde6caL,0x1ad7d97245f96ee3L,
+        0x319c8dbe29dea0c7L } },
+    /* 8 << 56 */
+    { { 0xd3ea38717b82b99bL,0x75922d4d470eb624L,0x8f66ec543b95d466L,
+        0x66e673ccbee1e346L },
+      { 0x6afe67c4b5f2b89aL,0x3de9c1e6290e5cd3L,0x8c278bb6310a2adaL,
+        0x420fa3840bdb323bL } },
+    /* 9 << 56 */
+    { { 0x0ae1d63b0eb919b0L,0xd74ee51da74b9620L,0x395458d0a674290cL,
+        0x324c930f4620a510L },
+      { 0x2d1f4d19fbac27d4L,0x4086e8ca9bedeeacL,0x0cdd211b9b679ab8L,
+        0x5970167d7090fec4L } },
+    /* 10 << 56 */
+    { { 0x3420f2c9faf1fc63L,0x616d333a328c8bb4L,0x7d65364c57f1fe4aL,
+        0x9343e87755e5c73aL },
+      { 0x5795176be970e78cL,0xa36ccebf60533627L,0xfc7c738009cdfc1bL,
+        0xb39a2afeb3fec326L } },
+    /* 11 << 56 */
+    { { 0xb7ff1ba16224408aL,0xcc856e92247cfc5eL,0x01f102e7c18bc493L,
+        0x4613ab742091c727L },
+      { 0xaa25e89cc420bf2bL,0x00a5317690337ec2L,0xd2be9f437d025fc7L,
+        0x3316fb856e6fe3dcL } },
+    /* 12 << 56 */
+    { { 0x27520af59ac50814L,0xfdf95e789a8e4223L,0xb7e7df2a56bec5a0L,
+        0xf7022f7ddf159e5dL },
+      { 0x93eeeab1cac1fe8fL,0x8040188c37451168L,0x7ee8aa8ad967dce6L,
+        0xfa0e79e73abc9299L } },
+    /* 13 << 56 */
+    { { 0x67332cfc2064cfd1L,0x339c31deb0651934L,0x719b28d52a3bcbeaL,
+        0xee74c82b9d6ae5c6L },
+      { 0x0927d05ebaf28ee6L,0x82cecf2c9d719028L,0x0b0d353eddb30289L,
+        0xfe4bb977fddb2e29L } },
+    /* 14 << 56 */
+    { { 0xbb5bb990640bfd9eL,0xd226e27782f62108L,0x4bf0098502ffdd56L,
+        0x7756758a2ca1b1b5L },
+      { 0xc32b62a35285fe91L,0xedbc546a8c9cd140L,0x1e47a013af5cb008L,
+        0xbca7e720073ce8f2L } },
+    /* 15 << 56 */
+    { { 0xe10b2ab817a91caeL,0xb89aab6508e27f63L,0x7b3074a7dba3ddf9L,
+        0x1c20ce09330c2972L },
+      { 0x6b9917b45fcf7e33L,0xe6793743945ceb42L,0x18fc22155c633d19L,
+        0xad1adb3cc7485474L } },
+    /* 16 << 56 */
+    { { 0x646f96796424c49bL,0xf888dfe867c241c9L,0xe12d4b9324f68b49L,
+        0x9a6b62d8a571df20L },
+      { 0x81b4b26d179483cbL,0x666f96329511fae2L,0xd281b3e4d53aa51fL,
+        0x7f96a7657f3dbd16L } },
+    /* 17 << 56 */
+    { { 0xa7f8b5bf074a30ceL,0xd7f52107005a32e6L,0x6f9e090750237ed4L,
+        0x2f21da478096fa2bL },
+      { 0xf3e19cb4eec863a0L,0xd18f77fd9527620aL,0x9505c81c407c1cf8L,
+        0x9998db4e1b6ec284L } },
+    /* 18 << 56 */
+    { { 0x7e3389e5c247d44dL,0x125071413f4f3d80L,0xd4ba01104a78a6c7L,
+        0x312874a0767720beL },
+      { 0xded059a675944370L,0xd6123d903b2c0bddL,0xa56b717b51c108e3L,
+        0x9bb7940e070623e9L } },
+    /* 19 << 56 */
+    { { 0x794e2d5984ac066cL,0xf5954a92e68c69a0L,0x28c524584fd99dccL,
+        0x60e639fcb1012517L },
+      { 0xc2e601257de79248L,0xe9ef6404f12fc6d7L,0x4c4f28082a3b5d32L,
+        0x865ad32ec768eb8aL } },
+    /* 20 << 56 */
+    { { 0xac02331b13fb70b6L,0x037b44c195599b27L,0x1a860fc460bd082cL,
+        0xa2e25745c980cd01L },
+      { 0xee3387a81da0263eL,0x931bfb952d10f3d6L,0x5b687270a1f24a32L,
+        0xf140e65dca494b86L } },
+    /* 21 << 56 */
+    { { 0x4f4ddf91b2f1ac7aL,0xf99eaabb760fee27L,0x57f4008a49c228e5L,
+        0x090be4401cf713bbL },
+      { 0xac91fbe45004f022L,0xd838c2c2569e1af6L,0xd6c7d20b0f1daaa5L,
+        0xaa063ac11bbb02c0L } },
+    /* 22 << 56 */
+    { { 0x0938a42259558a78L,0x5343c6698435da2fL,0x96f67b18034410dcL,
+        0x7cc1e42484510804L },
+      { 0x86a1543f16dfbb7dL,0x921fa9425b5bd592L,0x9dcccb6eb33dd03cL,
+        0x8581ddd9b843f51eL } },
+    /* 23 << 56 */
+    { { 0x54935fcb81d73c9eL,0x6d07e9790a5e97abL,0x4dc7b30acf3a6babL,
+        0x147ab1f3170bee11L },
+      { 0x0aaf8e3d9fafdee4L,0xfab3dbcb538a8b95L,0x405df4b36ef13871L,
+        0xf1f4e9cb088d5a49L } },
+    /* 24 << 56 */
+    { { 0x9bcd24d366b33f1dL,0x3b97b8205ce445c0L,0xe2926549ba93ff61L,
+        0xd9c341ce4dafe616L },
+      { 0xfb30a76e16efb6f3L,0xdf24b8ca605b953cL,0x8bd52afec2fffb9fL,
+        0xbbac5ff7e19d0b96L } },
+    /* 25 << 56 */
+    { { 0x43c01b87459afccdL,0x6bd45143b7432652L,0x8473453055b5d78eL,
+        0x81088fdb1554ba7dL },
+      { 0xada0a52c1e269375L,0xf9f037c42dc5ec10L,0xc066060794bfbc11L,
+        0xc0a630bbc9c40d2fL } },
+    /* 26 << 56 */
+    { { 0x5efc797eab64c31eL,0xffdb1dab74507144L,0xf61242871ca6790cL,
+        0xe9609d81e69bf1bfL },
+      { 0xdb89859500d24fc9L,0x9c750333e51fb417L,0x51830a91fef7bbdeL,
+        0x0ce67dc8945f585cL } },
+    /* 27 << 56 */
+    { { 0x9a730ed44763eb50L,0x24a0e221c1ab0d66L,0x643b6393648748f3L,
+        0x1982daa16d3c6291L },
+      { 0x6f00a9f78bbc5549L,0x7a1783e17f36384eL,0xe8346323de977f50L,
+        0x91ab688db245502aL } },
+    /* 28 << 56 */
+    { { 0x331ab6b56d0bdd66L,0x0a6ef32e64b71229L,0x1028150efe7c352fL,
+        0x27e04350ce7b39d3L },
+      { 0x2a3c8acdc1070c82L,0xfb2034d380c9feefL,0x2d729621709f3729L,
+        0x8df290bf62cb4549L } },
+    /* 29 << 56 */
+    { { 0x02f99f33fc2e4326L,0x3b30076d5eddf032L,0xbb21f8cf0c652fb5L,
+        0x314fb49eed91cf7bL },
+      { 0xa013eca52f700750L,0x2b9e3c23712a4575L,0xe5355557af30fbb0L,
+        0x1ada35167c77e771L } },
+    /* 30 << 56 */
+    { { 0x45f6ecb27b135670L,0xe85d19df7cfc202eL,0x0f1b50c758d1be9fL,
+        0x5ebf2c0aead2e344L },
+      { 0x1531fe4eabc199c9L,0xc703259256bab0aeL,0x16ab2e486c1fec54L,
+        0x0f87fda804280188L } },
+    /* 31 << 56 */
+    { { 0xdc9f46fc609e4a74L,0x2a44a143ba667f91L,0xbc3d8b95b4d83436L,
+        0xa01e4bd0c7bd2958L },
+      { 0x7b18293273483c90L,0xa79c6aa1a7c7b598L,0xbf3983c6eaaac07eL,
+        0x8f18181e96e0d4e6L } },
+    /* 32 << 56 */
+    { { 0x8553d37c051af62bL,0xe9a998eb0bf94496L,0xe0844f9fb0d59aa1L,
+        0x983fd558e6afb813L },
+      { 0x9670c0ca65d69804L,0x732b22de6ea5ff2dL,0xd7640ba95fd8623bL,
+        0x9f619163a6351782L } },
+    /* 33 << 56 */
+    { { 0x0bfc27eeacee5043L,0xae419e732eb10f02L,0x19c028d18943fb05L,
+        0x71f01cf7ff13aa2aL },
+      { 0x7790737e8887a132L,0x6751330966318410L,0x9819e8a37ddb795eL,
+        0xfecb8ef5dad100b2L } },
+    /* 34 << 56 */
+    { { 0x59f74a223021926aL,0xb7c28a496f9b4c1cL,0xed1a733f912ad0abL,
+        0x42a910af01a5659cL },
+      { 0x3842c6e07bd68cabL,0x2b57fa3876d70ac8L,0x8a6707a83c53aaebL,
+        0x62c1c51065b4db18L } },
+    /* 35 << 56 */
+    { { 0x8de2c1fbb2d09dc7L,0xc3dfed12266bd23bL,0x927d039bd5b27db6L,
+        0x2fb2f0f1103243daL },
+      { 0xf855a07b80be7399L,0xed9327ce1f9f27a8L,0xa0bd99c7729bdef7L,
+        0x2b67125e28250d88L } },
+    /* 36 << 56 */
+    { { 0x784b26e88670ced7L,0xe3dfe41fc31bd3b4L,0x9e353a06bcc85cbcL,
+        0x302e290960178a9dL },
+      { 0x860abf11a6eac16eL,0x76447000aa2b3aacL,0x46ff9d19850afdabL,
+        0x35bdd6a5fdb2d4c1L } },
+    /* 37 << 56 */
+    { { 0xe82594b07e5c9ce9L,0x0f379e5320af346eL,0x608b31e3bc65ad4aL,
+        0x710c6b12267c4826L },
+      { 0x51c966f971954cf1L,0xb1cec7930d0aa215L,0x1f15598986bd23a8L,
+        0xae2ff99cf9452e86L } },
+    /* 38 << 56 */
+    { { 0xd8dd953c340ceaa2L,0x263552752e2e9333L,0x15d4e5f98586f06dL,
+        0xd6bf94a8f7cab546L },
+      { 0x33c59a0ab76a9af0L,0x52740ab3ba095af7L,0xc444de8a24389ca0L,
+        0xcc6f9863706da0cbL } },
+    /* 39 << 56 */
+    { { 0xb5a741a76b2515cfL,0x71c416019585c749L,0x78350d4fe683de97L,
+        0x31d6152463d0b5f5L },
+      { 0x7a0cc5e1fbce090bL,0xaac927edfbcb2a5bL,0xe920de4920d84c35L,
+        0x8c06a0b622b4de26L } },
+    /* 40 << 56 */
+    { { 0xd34dd58bafe7ddf3L,0x55851fedc1e6e55bL,0xd1395616960696e7L,
+        0x940304b25f22705fL },
+      { 0x6f43f861b0a2a860L,0xcf1212820e7cc981L,0x121862120ab64a96L,
+        0x09215b9ab789383cL } },
+    /* 41 << 56 */
+    { { 0x311eb30537387c09L,0xc5832fcef03ee760L,0x30358f5832f7ea19L,
+        0xe01d3c3491d53551L },
+      { 0x1ca5ee41da48ea80L,0x34e71e8ecf4fa4c1L,0x312abd257af1e1c7L,
+        0xe3afcdeb2153f4a5L } },
+    /* 42 << 56 */
+    { { 0x9d5c84d700235e9aL,0x0308d3f48c4c836fL,0xc0a66b0489332de5L,
+        0x610dd39989e566efL },
+      { 0xf8eea460d1ac1635L,0x84cbb3fb20a2c0dfL,0x40afb488e74a48c5L,
+        0x29738198d326b150L } },
+    /* 43 << 56 */
+    { { 0x2a17747fa6d74081L,0x60ea4c0555a26214L,0x53514bb41f88c5feL,
+        0xedd645677e83426cL },
+      { 0xd5d6cbec96460b25L,0xa12fd0ce68dc115eL,0xc5bc3ed2697840eaL,
+        0x969876a8a6331e31L } },
+    /* 44 << 56 */
+    { { 0x60c36217472ff580L,0xf42297054ad41393L,0x4bd99ef0a03b8b92L,
+        0x501c7317c144f4f6L },
+      { 0x159009b318464945L,0x6d5e594c74c5c6beL,0x2d587011321a3660L,
+        0xd1e184b13898d022L } },
+    /* 45 << 56 */
+    { { 0x5ba047524c6a7e04L,0x47fa1e2b45550b65L,0x9419daf048c0a9a5L,
+        0x663629537c243236L },
+      { 0xcd0744b15cb12a88L,0x561b6f9a2b646188L,0x599415a566c2c0c0L,
+        0xbe3f08590f83f09aL } },
+    /* 46 << 56 */
+    { { 0x9141c5beb92041b8L,0x01ae38c726477d0dL,0xca8b71f3d12c7a94L,
+        0xfab5b31f765c70dbL },
+      { 0x76ae7492487443e9L,0x8595a310990d1349L,0xf8dbeda87d460a37L,
+        0x7f7ad0821e45a38fL } },
+    /* 47 << 56 */
+    { { 0xed1d4db61059705aL,0xa3dd492ae6b9c697L,0x4b92ee3a6eb38bd5L,
+        0xbab2609d67cc0bb7L },
+      { 0x7fc4fe896e70ee82L,0xeff2c56e13e6b7e3L,0x9b18959e34d26fcaL,
+        0x2517ab66889d6b45L } },
+    /* 48 << 56 */
+    { { 0xf167b4e0bdefdd4fL,0x69958465f366e401L,0x5aa368aba73bbec0L,
+        0x121487097b240c21L },
+      { 0x378c323318969006L,0xcb4d73cee1fe53d1L,0x5f50a80e130c4361L,
+        0xd67f59517ef5212bL } },
+    /* 49 << 56 */
+    { { 0xf145e21e9e70c72eL,0xb2e52e295566d2fbL,0x44eaba4a032397f5L,
+        0x5e56937b7e31a7deL },
+      { 0x68dcf517456c61e1L,0xbc2e954aa8b0a388L,0xe3552fa760a8b755L,
+        0x03442dae73ad0cdeL } },
+    /* 50 << 56 */
+    { { 0x37ffe747ceb26210L,0x983545e8787baef9L,0x8b8c853586a3de31L,
+        0xc621dbcbfacd46dbL },
+      { 0x82e442e959266fbbL,0xa3514c37339d471cL,0x3a11b77162cdad96L,
+        0xf0cb3b3cecf9bdf0L } },
+    /* 51 << 56 */
+    { { 0x3fcbdbce478e2135L,0x7547b5cfbda35342L,0xa97e81f18a677af6L,
+        0xc8c2bf8328817987L },
+      { 0xdf07eaaf45580985L,0xc68d1f05c93b45cbL,0x106aa2fec77b4cacL,
+        0x4c1d8afc04a7ae86L } },
+    /* 52 << 56 */
+    { { 0xdb41c3fd9eb45ab2L,0x5b234b5bd4b22e74L,0xda253decf215958aL,
+        0x67e0606ea04edfa0L },
+      { 0xabbbf070ef751b11L,0xf352f175f6f06dceL,0xdfc4b6af6839f6b4L,
+        0x53ddf9a89959848eL } },
+    /* 53 << 56 */
+    { { 0xda49c379c21520b0L,0x90864ff0dbd5d1b6L,0x2f055d235f49c7f7L,
+        0xe51e4e6aa796b2d8L },
+      { 0xc361a67f5c9dc340L,0x5ad53c37bca7c620L,0xda1d658832c756d0L,
+        0xad60d9118bb67e13L } },
+    /* 54 << 56 */
+    { { 0xd6c47bdf0eeec8c6L,0x4a27fec1078a1821L,0x081f7415c3099524L,
+        0x8effdf0b82cd8060L },
+      { 0xdb70ec1c65842df8L,0x8821b358d319a901L,0x72ee56eede42b529L,
+        0x5bb39592236e4286L } },
+    /* 55 << 56 */
+    { { 0xd1183316fd6f7140L,0xf9fadb5bbd8e81f7L,0x701d5e0c5a02d962L,
+        0xfdee4dbf1b601324L },
+      { 0xbed1740735d7620eL,0x04e3c2c3f48c0012L,0x9ee29da73455449aL,
+        0x562cdef491a836c4L } },
+    /* 56 << 56 */
+    { { 0x8f682a5f47701097L,0x617125d8ff88d0c2L,0x948fda2457bb86ddL,
+        0x348abb8f289f7286L },
+      { 0xeb10eab599d94bbdL,0xd51ba28e4684d160L,0xabe0e51c30c8f41aL,
+        0x66588b4513254f4aL } },
+    /* 57 << 56 */
+    { { 0x147ebf01fad097a5L,0x49883ea8610e815dL,0xe44d60ba8a11de56L,
+        0xa970de6e827a7a6dL },
+      { 0x2be414245e17fc19L,0xd833c65701214057L,0x1375813b363e723fL,
+        0x6820bb88e6a52e9bL } },
+    /* 58 << 56 */
+    { { 0x7e7f6970d875d56aL,0xd6a0a9ac51fbf6bfL,0x54ba8790a3083c12L,
+        0xebaeb23d6ae7eb64L },
+      { 0xa8685c3ab99a907aL,0xf1e74550026bf40bL,0x7b73a027c802cd9eL,
+        0x9a8a927c4fef4635L } },
+    /* 59 << 56 */
+    { { 0xe1b6f60c08191224L,0xc4126ebbde4ec091L,0xe1dff4dc4ae38d84L,
+        0xde3f57db4f2ef985L },
+      { 0x34964337d446a1ddL,0x7bf217a0859e77f6L,0x8ff105278e1d13f5L,
+        0xa304ef0374eeae27L } },
+    /* 60 << 56 */
+    { { 0xfc6f5e47d19dfa5aL,0xdb007de37fad982bL,0x28205ad1613715f5L,
+        0x251e67297889529eL },
+      { 0x727051841ae98e78L,0xf818537d271cac32L,0xc8a15b7eb7f410f5L,
+        0xc474356f81f62393L } },
+    /* 61 << 56 */
+    { { 0x92dbdc5ac242316bL,0xabe060acdbf4aff5L,0x6e8c38fe909a8ec6L,
+        0x43e514e56116cb94L },
+      { 0x2078fa3807d784f9L,0x1161a880f4b5b357L,0x5283ce7913adea3dL,
+        0x0756c3e6cc6a910bL } },
+    /* 62 << 56 */
+    { { 0x60bcfe01aaa79697L,0x04a73b2956391db1L,0xdd8dad47189b45a0L,
+        0xbfac0dd048d5b8d9L },
+      { 0x34ab3af57d3d2ec2L,0x6fa2fc2d207bd3afL,0x9ff4009266550dedL,
+        0x719b3e871fd5b913L } },
+    /* 63 << 56 */
+    { { 0xa573a4966d17fbc7L,0x0cd1a70a73d2b24eL,0x34e2c5cab2676937L,
+        0xe7050b06bf669f21L },
+      { 0xfbe948b61ede9046L,0xa053005197662659L,0x58cbd4edf10124c5L,
+        0xde2646e4dd6c06c8L } },
+    /* 64 << 56 */
+    { { 0x332f81088cad38c0L,0x471b7e906bd68ae2L,0x56ac3fb20d8e27a3L,
+        0xb54660db136b4b0dL },
+      { 0x123a1e11a6fd8de4L,0x44dbffeaa37799efL,0x4540b977ce6ac17cL,
+        0x495173a8af60acefL } },
+    /* 0 << 63 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 63 */
+    { { 0x9ebb284d391c2a82L,0xbcdd4863158308e8L,0x006f16ec83f1edcaL,
+        0xa13e2c37695dc6c8L },
+      { 0x2ab756f04a057a87L,0xa8765500a6b48f98L,0x4252face68651c44L,
+        0xa52b540be1765e02L } },
+    /* 2 << 63 */
+    { { 0x4f922fc516a0d2bbL,0x0d5cc16c1a623499L,0x9241cf3a57c62c8bL,
+        0x2f5e6961fd1b667fL },
+      { 0x5c15c70bf5a01797L,0x3d20b44d60956192L,0x04911b37071fdb52L,
+        0xf648f9168d6f0f7bL } },
+    /* 3 << 63 */
+    { { 0x6dc1acafe60b7cf7L,0x25860a5084a9d869L,0x56fc6f09e7ba8ac4L,
+        0x828c5bd06148d29eL },
+      { 0xac6b435edc55ae5fL,0xa527f56cc0117411L,0x94d5045efd24342cL,
+        0x2c4c0a3570b67c0dL } },
+    /* 4 << 63 */
+    { { 0x027cc8b8fac61d9aL,0x7d25e062e3c6fe8aL,0xe08805bfe5bff503L,
+        0x13271e6c6ff632f7L },
+      { 0x55dca6c0232f76a5L,0x8957c32d701ef426L,0xee728bcba10a5178L,
+        0x5ea60411b62c5173L } },
+    /* 5 << 63 */
+    { { 0xfc4e964ed0b8892bL,0x9ea176839301bb74L,0x6265c5aefcc48626L,
+        0xe60cf82ebb3e9102L },
+      { 0x57adf797d4df5531L,0x235b59a18deeefe2L,0x60adcf583f306eb1L,
+        0x105c27533d09492dL } },
+    /* 6 << 63 */
+    { { 0x4090914bb5def996L,0x1cb69c83233dd1e7L,0xc1e9c1d39b3d5e76L,
+        0x1f3338edfccf6012L },
+      { 0xb1e95d0d2f5378a8L,0xacf4c2c72f00cd21L,0x6e984240eb5fe290L,
+        0xd66c038d248088aeL } },
+    /* 7 << 63 */
+    { { 0x804d264af94d70cfL,0xbdb802ef7314bf7eL,0x8fb54de24333ed02L,
+        0x740461e0285635d9L },
+      { 0x4113b2c8365e9383L,0xea762c833fdef652L,0x4eec6e2e47b956c1L,
+        0xa3d814be65620fa4L } },
+    /* 8 << 63 */
+    { { 0x9ad5462bb4d8bc50L,0x181c0b16a9195770L,0xebd4fe1c78412a68L,
+        0xae0341bcc0dff48cL },
+      { 0xb6bc45cf7003e866L,0xf11a6dea8a24a41bL,0x5407151ad04c24c2L,
+        0x62c9d27dda5b7b68L } },
+    /* 9 << 63 */
+    { { 0x2e96423588cceff6L,0x8594c54f8b07ed69L,0x1578e73cc84d0d0dL,
+        0x7b4e1055ff532868L },
+      { 0xa348c0d5b5ec995aL,0xbf4b9d5514289a54L,0x9ba155a658fbd777L,
+        0x186ed7a81a84491dL } },
+    /* 10 << 63 */
+    { { 0xd4992b30614c0900L,0xda98d121bd00c24bL,0x7f534dc87ec4bfa1L,
+        0x4a5ff67437dc34bcL },
+      { 0x68c196b81d7ea1d7L,0x38cf289380a6d208L,0xfd56cd09e3cbbd6eL,
+        0xec72e27e4205a5b6L } },
+    /* 11 << 63 */
+    { { 0x15ea68f5a44f77f7L,0x7aa5f9fdb43c52bcL,0x86ff676f94f0e609L,
+        0xa4cde9632e2d432bL },
+      { 0x8cafa0c0eee470afL,0x84137d0e8a3f5ec8L,0xebb40411faa31231L,
+        0xa239c13f6f7f7ccfL } },
+    /* 12 << 63 */
+    { { 0x32865719a8afd30bL,0x867983288a826dceL,0xdf04e891c4a8fbe0L,
+        0xbb6b6e1bebf56ad3L },
+      { 0x0a695b11471f1ff0L,0xd76c3389be15baf0L,0x018edb95be96c43eL,
+        0xf2beaaf490794158L } },
+    /* 13 << 63 */
+    { { 0x152db09ec3076a27L,0x5e82908ee416545dL,0xa2c41272356d6f2eL,
+        0xdc9c964231fd74e1L },
+      { 0x66ceb88d519bf615L,0xe29ecd7605a2274eL,0x3a0473c4bf5e2fa0L,
+        0x6b6eb67164284e67L } },
+    /* 14 << 63 */
+    { { 0xe8b97932b88756ddL,0xed4e8652f17e3e61L,0xc2dd14993ee1c4a4L,
+        0xc0aaee17597f8c0eL },
+      { 0x15c4edb96c168af3L,0x6563c7bfb39ae875L,0xadfadb6f20adb436L,
+        0xad55e8c99a042ac0L } },
+    /* 15 << 63 */
+    { { 0x975a1ed8b76da1f5L,0x10dfa466a58acb94L,0x8dd7f7e3ac060282L,
+        0x6813e66a572a051eL },
+      { 0xb4ccae1e350cb901L,0xb653d65650cb7822L,0x42484710dfab3b87L,
+        0xcd7ee5379b670fd0L } },
+    /* 16 << 63 */
+    { { 0x0a50b12e523b8bf6L,0x8009eb5b8f910c1bL,0xf535af824a167588L,
+        0x0f835f9cfb2a2abdL },
+      { 0xf59b29312afceb62L,0xc797df2a169d383fL,0xeb3f5fb066ac02b0L,
+        0x029d4c6fdaa2d0caL } },
+    /* 17 << 63 */
+    { { 0xd4059bc1afab4bc5L,0x833f5c6f56783247L,0xb53466308d2d3605L,
+        0x83387891d34d8433L },
+      { 0xd973b30fadd9419aL,0xbcca1099afe3fce8L,0x081783150809aac6L,
+        0x01b7f21a540f0f11L } },
+    /* 18 << 63 */
+    { { 0x65c29219909523c8L,0xa62f648fa3a1c741L,0x88598d4f60c9e55aL,
+        0xbce9141b0e4f347aL },
+      { 0x9af97d8435f9b988L,0x0210da62320475b6L,0x3c076e229191476cL,
+        0x7520dbd944fc7834L } },
+    /* 19 << 63 */
+    { { 0x6a6b2cfec1ab1bbdL,0xef8a65bedc650938L,0x72855540805d7bc4L,
+        0xda389396ed11fdfdL },
+      { 0xa9d5bd3674660876L,0x11d67c54b45dff35L,0x6af7d148a4f5da94L,
+        0xbb8d4c3fc0bbeb31L } },
+    /* 20 << 63 */
+    { { 0x87a7ebd1e0a1b12aL,0x1e4ef88d770ba95fL,0x8c33345cdc2ae9cbL,
+        0xcecf127601cc8403L },
+      { 0x687c012e1b39b80fL,0xfd90d0ad35c33ba4L,0xa3ef5a675c9661c2L,
+        0x368fc88ee017429eL } },
+    /* 21 << 63 */
+    { { 0xd30c6761196a2fa2L,0x931b9817bd5b312eL,0xba01000c72f54a31L,
+        0xa203d2c866eaa541L },
+      { 0xf2abdee098939db3L,0xe37d6c2c3e606c02L,0xf2921574521ff643L,
+        0x2781b3c4d7e2fca3L } },
+    /* 22 << 63 */
+    { { 0x664300b07850ec06L,0xac5a38b97d3a10cfL,0x9233188de34ab39dL,
+        0xe77057e45072cbb9L },
+      { 0xbcf0c042b59e78dfL,0x4cfc91e81d97de52L,0x4661a26c3ee0ca4aL,
+        0x5620a4c1fb8507bcL } },
+    /* 23 << 63 */
+    { { 0x4b44d4aa049f842cL,0xceabc5d51540e82bL,0x306710fd15c6f156L,
+        0xbe5ae52b63db1d72L },
+      { 0x06f1e7e6334957f1L,0x57e388f031144a70L,0xfb69bb2fdf96447bL,
+        0x0f78ebd373e38a12L } },
+    /* 24 << 63 */
+    { { 0xb82226052b7ce542L,0xe6d4ce997472bde1L,0x53e16ebe09d2f4daL,
+        0x180ff42e53b92b2eL },
+      { 0xc59bcc022c34a1c6L,0x3803d6f9422c46c2L,0x18aff74f5c14a8a2L,
+        0x55aebf8010a08b28L } },
+    /* 25 << 63 */
+    { { 0x66097d587135593fL,0x32e6eff72be570cdL,0x584e6a102a8c860dL,
+        0xcd185890a2eb4163L },
+      { 0x7ceae99d6d97e134L,0xd42c6b70dd8447ceL,0x59ddbb4ab8c50273L,
+        0x03c612df3cf34e1eL } },
+    /* 26 << 63 */
+    { { 0x84b9ca1504b6c5a0L,0x35216f3918f0e3a3L,0x3ec2d2bcbd986c00L,
+        0x8bf546d9d19228feL },
+      { 0xd1c655a44cd623c3L,0x366ce718502b8e5aL,0x2cfc84b4eea0bfe7L,
+        0xe01d5ceecf443e8eL } },
+    /* 27 << 63 */
+    { { 0x8ec045d9036520f8L,0xdfb3c3d192d40e98L,0x0bac4ccecc559a04L,
+        0x35eccae5240ea6b1L },
+      { 0x180b32dbf8a5a0acL,0x547972a5eb699700L,0xa3765801ca26bca0L,
+        0x57e09d0ea647f25aL } },
+    /* 28 << 63 */
+    { { 0xb956970e2fdd23ccL,0xb80288bc5682e971L,0xe6e6d91e9ae86ebcL,
+        0x0564c83f8c9f1939L },
+      { 0x551932a239560368L,0xe893752b049c28e2L,0x0b03cee5a6a158c3L,
+        0xe12d656b04964263L } },
+    /* 29 << 63 */
+    { { 0x4b47554e63e3bc1dL,0xc719b6a245044ff7L,0x4f24d30ae48daa07L,
+        0xa3f37556c8c1edc3L },
+      { 0x9a47bf760700d360L,0xbb1a1824822ae4e2L,0x22e275a389f1fb4cL,
+        0x72b1aa239968c5f5L } },
+    /* 30 << 63 */
+    { { 0xa75feacabe063f64L,0x9b392f43bce47a09L,0xd42415091ad07acaL,
+        0x4b0c591b8d26cd0fL },
+      { 0x2d42ddfd92f1169aL,0x63aeb1ac4cbf2392L,0x1de9e8770691a2afL,
+        0xebe79af7d98021daL } },
+    /* 31 << 63 */
+    { { 0xcfdf2a4e40e50acfL,0xf0a98ad7af01d665L,0xefb640bf1831be1fL,
+        0x6fe8bd2f80e9ada0L },
+      { 0x94c103a16cafbc91L,0x170f87598308e08cL,0x5de2d2ab9780ff4fL,
+        0x666466bc45b201f2L } },
+    /* 32 << 63 */
+    { { 0x58af2010f5b343bcL,0x0f2e400af2f142feL,0x3483bfdea85f4bdfL,
+        0xf0b1d09303bfeaa9L },
+      { 0x2ea01b95c7081603L,0xe943e4c93dba1097L,0x47be92adb438f3a6L,
+        0x00bb7742e5bf6636L } },
+    /* 33 << 63 */
+    { { 0x136b7083824297b4L,0x9d0e55805584455fL,0xab48cedcf1c7d69eL,
+        0x53a9e4812a256e76L },
+      { 0x0402b0e065eb2413L,0xdadbbb848fc407a7L,0xa65cd5a48d7f5492L,
+        0x21d4429374bae294L } },
+    /* 34 << 63 */
+    { { 0x66917ce63b5f1cc4L,0x37ae52eace872e62L,0xbb087b722905f244L,
+        0x120770861e6af74fL },
+      { 0x4b644e491058edeaL,0x827510e3b638ca1dL,0x8cf2b7046038591cL,
+        0xffc8b47afe635063L } },
+    /* 35 << 63 */
+    { { 0x3ae220e61b4d5e63L,0xbd8647429d961b4bL,0x610c107e9bd16bedL,
+        0x4270352a1127147bL },
+      { 0x7d17ffe664cfc50eL,0x50dee01a1e36cb42L,0x068a762235dc5f9aL,
+        0x9a08d536df53f62cL } },
+    /* 36 << 63 */
+    { { 0x4ed714576be5f7deL,0xd93006f8c2263c9eL,0xe073694ccacacb36L,
+        0x2ff7a5b43ae118abL },
+      { 0x3cce53f1cd871236L,0xf156a39dc2aa6d52L,0x9cc5f271b198d76dL,
+        0xbc615b6f81383d39L } },
+    /* 37 << 63 */
+    { { 0xa54538e8de3eee6bL,0x58c77538ab910d91L,0x31e5bdbc58d278bdL,
+        0x3cde4adfb963acaeL },
+      { 0xb1881fd25302169cL,0x8ca60fa0a989ed8bL,0xa1999458ff96a0eeL,
+        0xc1141f03ac6c283dL } },
+    /* 38 << 63 */
+    { { 0x7677408d6dfafed3L,0x33a0165339661588L,0x3c9c15ec0b726fa0L,
+        0x090cfd936c9b56daL },
+      { 0xe34f4baea3c40af5L,0x3469eadbd21129f1L,0xcc51674a1e207ce8L,
+        0x1e293b24c83b1ef9L } },
+    /* 39 << 63 */
+    { { 0x17173d131e6c0bb4L,0x1900469590776d35L,0xe7980e346de6f922L,
+        0x873554cbf4dd9a22L },
+      { 0x0316c627cbf18a51L,0x4d93651b3032c081L,0x207f27713946834dL,
+        0x2c08d7b430cdbf80L } },
+    /* 40 << 63 */
+    { { 0x137a4fb486df2a61L,0xa1ed9c07ecf7b4a2L,0xb2e460e27bd042ffL,
+        0xb7f5e2fa5f62f5ecL },
+      { 0x7aa6ec6bcc2423b7L,0x75ce0a7fba63eea7L,0x67a45fb1f250a6e1L,
+        0x93bc919ce53cdc9fL } },
+    /* 41 << 63 */
+    { { 0x9271f56f871942dfL,0x2372ff6f7859ad66L,0x5f4c2b9633cb1a78L,
+        0xe3e291015838aa83L },
+      { 0xa7ed1611e4e8110cL,0x2a2d70d5330198ceL,0xbdf132e86720efe0L,
+        0xe61a896266a471bfL } },
+    /* 42 << 63 */
+    { { 0x796d3a85825808bdL,0x51dc3cb73fd6e902L,0x643c768a916219d1L,
+        0x36cd7685a2ad7d32L },
+      { 0xe3db9d05b22922a4L,0x6494c87edba29660L,0xf0ac91dfbcd2ebc7L,
+        0x4deb57a045107f8dL } },
+    /* 43 << 63 */
+    { { 0x42271f59c3d12a73L,0x5f71687ca5c2c51dL,0xcb1f50c605797bcbL,
+        0x29ed0ed9d6d34eb0L },
+      { 0xe5fe5b474683c2ebL,0x4956eeb597447c46L,0x5b163a4371207167L,
+        0x93fa2fed0248c5efL } },
+    /* 44 << 63 */
+    { { 0x67930af231f63950L,0xa77797c114caa2c9L,0x526e80ee27ac7e62L,
+        0xe1e6e62658b28aecL },
+      { 0x636178b0b3c9fef0L,0xaf7752e06d5f90beL,0x94ecaf18eece51cfL,
+        0x2864d0edca806e1fL } },
+    /* 45 << 63 */
+    { { 0x6de2e38397c69134L,0x5a42c316eb291293L,0xc77792196a60bae0L,
+        0xa24de3466b7599d1L },
+      { 0x49d374aab75d4941L,0x989005862d501ff0L,0x9f16d40eeb7974cfL,
+        0x1033860bcdd8c115L } },
+    /* 46 << 63 */
+    { { 0xb6c69ac82094cec3L,0x9976fb88403b770cL,0x1dea026c4859590dL,
+        0xb6acbb468562d1fdL },
+      { 0x7cd6c46144569d85L,0xc3190a3697f0891dL,0xc6f5319548d5a17dL,
+        0x7d919966d749abc8L } },
+    /* 47 << 63 */
+    { { 0x65104837dd1c8a20L,0x7e5410c82f683419L,0x958c3ca8be94022eL,
+        0x605c31976145dac2L },
+      { 0x3fc0750101683d54L,0x1d7127c5595b1234L,0x10b8f87c9481277fL,
+        0x677db2a8e65a1adbL } },
+    /* 48 << 63 */
+    { { 0xec2fccaaddce3345L,0x2a6811b7012a4350L,0x96760ff1ac598bdcL,
+        0x054d652ad1bf4128L },
+      { 0x0a1151d492a21005L,0xad7f397133110fdfL,0x8c95928c1960100fL,
+        0x6c91c8257bf03362L } },
+    /* 49 << 63 */
+    { { 0xc8c8b2a2ce309f06L,0xfdb27b59ca27204bL,0xd223eaa50848e32eL,
+        0xb93e4b2ee7bfaf1eL },
+      { 0xc5308ae644aa3dedL,0x317a666ac015d573L,0xc888ce231a979707L,
+        0xf141c1e60d5c4958L } },
+    /* 50 << 63 */
+    { { 0xb53b7de561906373L,0x858dbadeeb999595L,0x8cbb47b2a59e5c36L,
+        0x660318b3dcf4e842L },
+      { 0xbd161ccd12ba4b7aL,0xf399daabf8c8282aL,0x1587633aeeb2130dL,
+        0xa465311ada38dd7dL } },
+    /* 51 << 63 */
+    { { 0x5f75eec864d3779bL,0x3c5d0476ad64c171L,0x874103712a914428L,
+        0x8096a89190e2fc29L },
+      { 0xd3d2ae9d23b3ebc2L,0x90bdd6dba580cfd6L,0x52dbb7f3c5b01f6cL,
+        0xe68eded4e102a2dcL } },
+    /* 52 << 63 */
+    { { 0x17785b7799eb6df0L,0x26c3cc517386b779L,0x345ed9886417a48eL,
+        0xe990b4e407d6ef31L },
+      { 0x0f456b7e2586abbaL,0x239ca6a559c96e9aL,0xe327459ce2eb4206L,
+        0x3a4c3313a002b90aL } },
+    /* 53 << 63 */
+    { { 0x2a114806f6a3f6fbL,0xad5cad2f85c251ddL,0x92c1f613f5a784d3L,
+        0xec7bfacf349766d5L },
+      { 0x04b3cd333e23cb3bL,0x3979fe84c5a64b2dL,0x192e27207e589106L,
+        0xa60c43d1a15b527fL } },
+    /* 54 << 63 */
+    { { 0x2dae9082be7cf3a6L,0xcc86ba92bc967274L,0xf28a2ce8aea0a8a9L,
+        0x404ca6d96ee988b3L },
+      { 0xfd7e9c5d005921b8L,0xf56297f144e79bf9L,0xa163b4600d75ddc2L,
+        0x30b23616a1f2be87L } },
+    /* 55 << 63 */
+    { { 0x4b070d21bfe50e2bL,0x7ef8cfd0e1bfede1L,0xadba00112aac4ae0L,
+        0x2a3e7d01b9ebd033L },
+      { 0x995277ece38d9d1cL,0xb500249e9c5d2de3L,0x8912b820f13ca8c9L,
+        0xc8798114877793afL } },
+    /* 56 << 63 */
+    { { 0x19e6125dec3f1decL,0x07b1f040911178daL,0xd93ededa904a6738L,
+        0x55187a5a0bebedcdL },
+      { 0xf7d04722eb329d41L,0xf449099ef170b391L,0xfd317a69ca99f828L,
+        0x50c3db2b34a4976dL } },
+    /* 57 << 63 */
+    { { 0xe9ba77843757b392L,0x326caefdaa3ca05aL,0x78e5293bf1e593d4L,
+        0x7842a9370d98fd13L },
+      { 0xe694bf965f96b10dL,0x373a9df606a8cd05L,0x997d1e51e8f0c7fcL,
+        0x1d01979063fd972eL } },
+    /* 58 << 63 */
+    { { 0x0064d8585499fb32L,0x7b67bad977a8aeb7L,0x1d3eb9772d08eec5L,
+        0x5fc047a6cbabae1dL },
+      { 0x0577d159e54a64bbL,0x8862201bc43497e4L,0xad6b4e282ce0608dL,
+        0x8b687b7d0b167aacL } },
+    /* 59 << 63 */
+    { { 0x6ed4d3678b2ecfa9L,0x24dfe62da90c3c38L,0xa1862e103fe5c42bL,
+        0x1ca73dcad5732a9fL },
+      { 0x35f038b776bb87adL,0x674976abf242b81fL,0x4f2bde7eb0fd90cdL,
+        0x6efc172ea7fdf092L } },
+    /* 60 << 63 */
+    { { 0x3806b69b92222f1fL,0x5a2459ca6cf7ae70L,0x6789f69ca85217eeL,
+        0x5f232b5ee3dc85acL },
+      { 0x660e3ec548e9e516L,0x124b4e473197eb31L,0x10a0cb13aafcca23L,
+        0x7bd63ba48213224fL } },
+    /* 61 << 63 */
+    { { 0xaffad7cc290a7f4fL,0x6b409c9e0286b461L,0x58ab809fffa407afL,
+        0xc3122eedc68ac073L },
+      { 0x17bf9e504ef24d7eL,0x5d9297943e2a5811L,0x519bc86702902e01L,
+        0x76bba5da39c8a851L } },
+    /* 62 << 63 */
+    { { 0xe9f9669cda94951eL,0x4b6af58d66b8d418L,0xfa32107417d426a4L,
+        0xc78e66a99dde6027L },
+      { 0x0516c0834a53b964L,0xfc659d38ff602330L,0x0ab55e5c58c5c897L,
+        0x985099b2838bc5dfL } },
+    /* 63 << 63 */
+    { { 0x061d9efcc52fc238L,0x712b27286ac1da3fL,0xfb6581499283fe08L,
+        0x4954ac94b8aaa2f7L },
+      { 0x85c0ada47fb2e74fL,0xee8ba98eb89926b0L,0xe4f9d37d23d1af5bL,
+        0x14ccdbf9ba9b015eL } },
+    /* 64 << 63 */
+    { { 0xb674481b7bfe7178L,0x4e1debae65405868L,0x061b2821c48c867dL,
+        0x69c15b35513b30eaL },
+      { 0x3b4a166636871088L,0xe5e29f5d1220b1ffL,0x4b82bb35233d9f4dL,
+        0x4e07633318cdc675L } },
+    /* 0 << 70 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 70 */
+    { { 0x0d53f5c7a3e6fcedL,0xe8cbbdd5f45fbdebL,0xf85c01df13339a70L,
+        0x0ff71880142ceb81L },
+      { 0x4c4e8774bd70437aL,0x5fb32891ba0bda6aL,0x1cdbebd2f18bd26eL,
+        0x2f9526f103a9d522L } },
+    /* 2 << 70 */
+    { { 0x40ce305192c4d684L,0x8b04d7257612efcdL,0xb9dcda366f9cae20L,
+        0x0edc4d24f058856cL },
+      { 0x64f2e6bf85427900L,0x3de81295dc09dfeaL,0xd41b4487379bf26cL,
+        0x50b62c6d6df135a9L } },
+    /* 3 << 70 */
+    { { 0xd4f8e3b4c72dfe67L,0xc416b0f690e19fdfL,0x18b9098d4c13bd35L,
+        0xac11118a15b8cb9eL },
+      { 0xf598a318f0062841L,0xbfe0602f89f356f4L,0x7ae3637e30177a0cL,
+        0x3409774761136537L } },
+    /* 4 << 70 */
+    { { 0x0db2fb5ed005832aL,0x5f5efd3b91042e4fL,0x8c4ffdc6ed70f8caL,
+        0xe4645d0bb52da9ccL },
+      { 0x9596f58bc9001d1fL,0x52c8f0bc4e117205L,0xfd4aa0d2e398a084L,
+        0x815bfe3a104f49deL } },
+    /* 5 << 70 */
+    { { 0x97e5443f23885e5fL,0xf72f8f99e8433aabL,0xbd00b154e4d4e604L,
+        0xd0b35e6ae5e173ffL },
+      { 0x57b2a0489164722dL,0x3e3c665b88761ec8L,0x6bdd13973da83832L,
+        0x3c8b1a1e73dafe3bL } },
+    /* 6 << 70 */
+    { { 0x4497ace654317cacL,0xbe600ab9521771b3L,0xb42e409eb0dfe8b8L,
+        0x386a67d73942310fL },
+      { 0x25548d8d4431cc28L,0xa7cff142985dc524L,0x4d60f5a193c4be32L,
+        0x83ebd5c8d071c6e1L } },
+    /* 7 << 70 */
+    { { 0xba3a80a7b1fd2b0bL,0x9b3ad3965bec33e8L,0xb3868d6179743fb3L,
+        0xcfd169fcfdb462faL },
+      { 0xd3b499d79ce0a6afL,0x55dc1cf1e42d3ff8L,0x04fb9e6cc6c3e1b2L,
+        0x47e6961d6f69a474L } },
+    /* 8 << 70 */
+    { { 0x54eb3acce548b37bL,0xb38e754284d40549L,0x8c3daa517b341b4fL,
+        0x2f6928ec690bf7faL },
+      { 0x0496b32386ce6c41L,0x01be1c5510adadcdL,0xc04e67e74bb5faf9L,
+        0x3cbaf678e15c9985L } },
+    /* 9 << 70 */
+    { { 0x8cd1214550ca4247L,0xba1aa47ae7dd30aaL,0x2f81ddf1e58fee24L,
+        0x03452936eec9b0e8L },
+      { 0x8bdc3b81243aea96L,0x9a2919af15c3d0e5L,0x9ea640ec10948361L,
+        0x5ac86d5b6e0bcccfL } },
+    /* 10 << 70 */
+    { { 0xf892d918c36cf440L,0xaed3e837c939719cL,0xb07b08d2c0218b64L,
+        0x6f1bcbbace9790ddL },
+      { 0x4a84d6ed60919b8eL,0xd89007918ac1f9ebL,0xf84941aa0dd5daefL,
+        0xb22fe40a67fd62c5L } },
+    /* 11 << 70 */
+    { { 0x97e15ba2157f2db3L,0xbda2fc8f8e28ca9cL,0x5d050da437b9f454L,
+        0x3d57eb572379d72eL },
+      { 0xe9b5eba2fb5ee997L,0x01648ca2e11538caL,0x32bb76f6f6327974L,
+        0x338f14b8ff3f4bb7L } },
+    /* 12 << 70 */
+    { { 0x524d226ad7ab9a2dL,0x9c00090d7dfae958L,0x0ba5f5398751d8c2L,
+        0x8afcbcdd3ab8262dL },
+      { 0x57392729e99d043bL,0xef51263baebc943aL,0x9feace9320862935L,
+        0x639efc03b06c817bL } },
+    /* 13 << 70 */
+    { { 0x1fe054b366b4be7aL,0x3f25a9de84a37a1eL,0xf39ef1ad78d75cd9L,
+        0xd7b58f495062c1b5L },
+      { 0x6f74f9a9ff563436L,0xf718ff29e8af51e7L,0x5234d31315e97fecL,
+        0xb6a8e2b1292f1c0aL } },
+    /* 14 << 70 */
+    { { 0xa7f53aa8327720c1L,0x956ca322ba092cc8L,0x8f03d64a28746c4dL,
+        0x51fe178266d0d392L },
+      { 0xd19b34db3c832c80L,0x60dccc5c6da2e3b4L,0x245dd62e0a104cccL,
+        0xa7ab1de1620b21fdL } },
+    /* 15 << 70 */
+    { { 0xb293ae0b3893d123L,0xf7b75783b15ee71cL,0x5aa3c61442a9468bL,
+        0xd686123cdb15d744L },
+      { 0x8c616891a7ab4116L,0x6fcd72c8a4e6a459L,0xac21911077e5fad7L,
+        0xfb6a20e7704fa46bL } },
+    /* 16 << 70 */
+    { { 0xe839be7d341d81dcL,0xcddb688932148379L,0xda6211a1f7026eadL,
+        0xf3b2575ff4d1cc5eL },
+      { 0x40cfc8f6a7a73ae6L,0x83879a5e61d5b483L,0xc5acb1ed41a50ebcL,
+        0x59a60cc83c07d8faL } },
+    /* 17 << 70 */
+    { { 0x1b73bdceb1876262L,0x2b0d79f012af4ee9L,0x8bcf3b0bd46e1d07L,
+        0x17d6af9de45d152fL },
+      { 0x735204616d736451L,0x43cbbd9756b0bf5aL,0xb0833a5bd5999b9dL,
+        0x702614f0eb72e398L } },
+    /* 18 << 70 */
+    { { 0x0aadf01a59c3e9f8L,0x40200e77ce6b3d16L,0xda22bdd3deddafadL,
+        0x76dedaf4310d72e1L },
+      { 0x49ef807c4bc2e88fL,0x6ba81291146dd5a5L,0xa1a4077a7d8d59e9L,
+        0x87b6a2e7802db349L } },
+    /* 19 << 70 */
+    { { 0xd56799971b4e598eL,0xf499ef1f06fe4b1dL,0x3978d3aefcb267c5L,
+        0xb582b557235786d0L },
+      { 0x32b3b2ca1715cb07L,0x4c3de6a28480241dL,0x63b5ffedcb571ecdL,
+        0xeaf53900ed2fe9a9L } },
+    /* 20 << 70 */
+    { { 0xdec98d4ac3b81990L,0x1cb837229e0cc8feL,0xfe0b0491d2b427b9L,
+        0x0f2386ace983a66cL },
+      { 0x930c4d1eb3291213L,0xa2f82b2e59a62ae4L,0x77233853f93e89e3L,
+        0x7f8063ac11777c7fL } },
+    /* 21 << 70 */
+    { { 0xff0eb56759ad2877L,0x6f4546429865c754L,0xe6fe701a236e9a84L,
+        0xc586ef1606e40fc3L },
+      { 0x3f62b6e024bafad9L,0xc8b42bd264da906aL,0xc98e1eb4da3276a0L,
+        0x30d0e5fc06cbf852L } },
+    /* 22 << 70 */
+    { { 0x1b6b2ae1e8b4dfd4L,0xd754d5c78301cbacL,0x66097629112a39acL,
+        0xf86b599993ba4ab9L },
+      { 0x26c9dea799f9d581L,0x0473b1a8c2fafeaaL,0x1469af553b2505a5L,
+        0x227d16d7d6a43323L } },
+    /* 23 << 70 */
+    { { 0x3316f73cad3d97f9L,0x52bf3bb51f137455L,0x953eafeb09954e7cL,
+        0xa721dfeddd732411L },
+      { 0xb4929821141d4579L,0x3411321caa3bd435L,0xafb355aa17fa6015L,
+        0xb4e7ef4a18e42f0eL } },
+    /* 24 << 70 */
+    { { 0x604ac97c59371000L,0xe1c48c707f759c18L,0x3f62ecc5a5db6b65L,
+        0x0a78b17338a21495L },
+      { 0x6be1819dbcc8ad94L,0x70dc04f6d89c3400L,0x462557b4a6b4840aL,
+        0x544c6ade60bd21c0L } },
+    /* 25 << 70 */
+    { { 0x6a00f24e907a544bL,0xa7520dcb313da210L,0xfe939b7511e4994bL,
+        0x918b6ba6bc275d70L },
+      { 0xd3e5e0fc644be892L,0x707a9816fdaf6c42L,0x60145567f15c13feL,
+        0x4818ebaae130a54aL } },
+    /* 26 << 70 */
+    { { 0x28aad3ad58d2f767L,0xdc5267fdd7e7c773L,0x4919cc88c3afcc98L,
+        0xaa2e6ab02db8cd4bL },
+      { 0xd46fec04d0c63eaaL,0xa1cb92c519ffa832L,0x678dd178e43a631fL,
+        0xfb5ae1cd3dc788b3L } },
+    /* 27 << 70 */
+    { { 0x68b4fb906e77de04L,0x7992bcf0f06dbb97L,0x896e6a13c417c01dL,
+        0x8d96332cb956be01L },
+      { 0x902fc93a413aa2b9L,0x99a4d915fc98c8a5L,0x52c29407565f1137L,
+        0x4072690f21e4f281L } },
+    /* 28 << 70 */
+    { { 0x36e607cf02ff6072L,0xa47d2ca98ad98cdcL,0xbf471d1ef5f56609L,
+        0xbcf86623f264ada0L },
+      { 0xb70c0687aa9e5cb6L,0xc98124f217401c6cL,0x8189635fd4a61435L,
+        0xd28fb8afa9d98ea6L } },
+    /* 29 << 70 */
+    { { 0xb9a67c2a40c251f8L,0x88cd5d87a2da44beL,0x437deb96e09b5423L,
+        0x150467db64287dc1L },
+      { 0xe161debbcdabb839L,0xa79e9742f1839a3eL,0xbb8dd3c2652d202bL,
+        0x7b3e67f7e9f97d96L } },
+    /* 30 << 70 */
+    { { 0x5aa5d78fb1cb6ac9L,0xffa13e8eca1d0d45L,0x369295dd2ba5bf95L,
+        0xd68bd1f839aff05eL },
+      { 0xaf0d86f926d783f2L,0x543a59b3fc3aafc1L,0x3fcf81d27b7da97cL,
+        0xc990a056d25dee46L } },
+    /* 31 << 70 */
+    { { 0x3e6775b8519cce2cL,0xfc9af71fae13d863L,0x774a4a6f47c1605cL,
+        0x46ba42452fd205e8L },
+      { 0xa06feea4d3fd524dL,0x1e7246416de1acc2L,0xf53816f1334e2b42L,
+        0x49e5918e922f0024L } },
+    /* 32 << 70 */
+    { { 0x439530b665c7322dL,0xcf12cc01b3c1b3fbL,0xc70b01860172f685L,
+        0xb915ee221b58391dL },
+      { 0x9afdf03ba317db24L,0x87dec65917b8ffc4L,0x7f46597be4d3d050L,
+        0x80a1c1ed006500e7L } },
+    /* 33 << 70 */
+    { { 0x84902a9678bf030eL,0xfb5e9c9a50560148L,0x6dae0a9263362426L,
+        0xdcaeecf4a9e30c40L },
+      { 0xc0d887bb518d0c6bL,0x99181152cb985b9dL,0xad186898ef7bc381L,
+        0x18168ffb9ee46201L } },
+    /* 34 << 70 */
+    { { 0x9a04cdaa2502753cL,0xbb279e2651407c41L,0xeacb03aaf23564e5L,
+        0x1833658271e61016L },
+      { 0x8684b8c4eb809877L,0xb336e18dea0e672eL,0xefb601f034ee5867L,
+        0x2733edbe1341cfd1L } },
+    /* 35 << 70 */
+    { { 0xb15e809a26025c3cL,0xe6e981a69350df88L,0x923762378502fd8eL,
+        0x4791f2160c12be9bL },
+      { 0xb725678925f02425L,0xec8631947a974443L,0x7c0ce882fb41cc52L,
+        0xc266ff7ef25c07f2L } },
+    /* 36 << 70 */
+    { { 0x3d4da8c3017025f3L,0xefcf628cfb9579b4L,0x5c4d00161f3716ecL,
+        0x9c27ebc46801116eL },
+      { 0x5eba0ea11da1767eL,0xfe15145247004c57L,0x3ace6df68c2373b7L,
+        0x75c3dffe5dbc37acL } },
+    /* 37 << 70 */
+    { { 0x3dc32a73ddc925fcL,0xb679c8412f65ee0bL,0x715a3295451cbfebL,
+        0xd9889768f76e9a29L },
+      { 0xec20ce7fb28ad247L,0xe99146c400894d79L,0x71457d7c9f5e3ea7L,
+        0x097b266238030031L } },
+    /* 38 << 70 */
+    { { 0xdb7f6ae6cf9f82a8L,0x319decb9438f473aL,0xa63ab386283856c3L,
+        0x13e3172fb06a361bL },
+      { 0x2959f8dc7d5a006cL,0x2dbc27c675fba752L,0xc1227ab287c22c9eL,
+        0x06f61f7571a268b2L } },
+    /* 39 << 70 */
+    { { 0x1b6bb97104779ce2L,0xaca838120aadcb1dL,0x297ae0bcaeaab2d5L,
+        0xa5c14ee75bfb9f13L },
+      { 0xaa00c583f17a62c7L,0x39eb962c173759f6L,0x1eeba1d486c9a88fL,
+        0x0ab6c37adf016c5eL } },
+    /* 40 << 70 */
+    { { 0xa2a147dba28a0749L,0x246c20d6ee519165L,0x5068d1b1d3810715L,
+        0xb1e7018c748160b9L },
+      { 0x03f5b1faf380ff62L,0xef7fb1ddf3cb2c1eL,0xeab539a8fc91a7daL,
+        0x83ddb707f3f9b561L } },
+    /* 41 << 70 */
+    { { 0xc550e211fe7df7a4L,0xa7cd07f2063f6f40L,0xb0de36352976879cL,
+        0xb5f83f85e55741daL },
+      { 0x4ea9d25ef3d8ac3dL,0x6fe2066f62819f02L,0x4ab2b9c2cef4a564L,
+        0x1e155d965ffa2de3L } },
+    /* 42 << 70 */
+    { { 0x0eb0a19bc3a72d00L,0x4037665b8513c31bL,0x2fb2b6bf04c64637L,
+        0x45c34d6e08cdc639L },
+      { 0x56f1e10ff01fd796L,0x4dfb8101fe3667b8L,0xe0eda2539021d0c0L,
+        0x7a94e9ff8a06c6abL } },
+    /* 43 << 70 */
+    { { 0x2d3bb0d9bb9aa882L,0xea20e4e5ec05fd10L,0xed7eeb5f1a1ca64eL,
+        0x2fa6b43cc6327cbdL },
+      { 0xb577e3cf3aa91121L,0x8c6bd5ea3a34079bL,0xd7e5ba3960e02fc0L,
+        0xf16dd2c390141bf8L } },
+    /* 44 << 70 */
+    { { 0xb57276d980101b98L,0x760883fdb82f0f66L,0x89d7de754bc3eff3L,
+        0x03b606435dc2ab40L },
+      { 0xcd6e53dfe05beeacL,0xf2f1e862bc3325cdL,0xdd0f7921774f03c3L,
+        0x97ca72214552cc1bL } },
+    /* 45 << 70 */
+    { { 0x5a0d6afe1cd19f72L,0xa20915dcf183fbebL,0x9fda4b40832c403cL,
+        0x32738eddbe425442L },
+      { 0x469a1df6b5eccf1aL,0x4b5aff4228bbe1f0L,0x31359d7f570dfc93L,
+        0xa18be235f0088628L } },
+    /* 46 << 70 */
+    { { 0xa5b30fbab00ed3a9L,0x34c6137473cdf8beL,0x2c5c5f46abc56797L,
+        0x5cecf93db82a8ae2L },
+      { 0x7d3dbe41a968fbf0L,0xd23d45831a5c7f3dL,0xf28f69a0c087a9c7L,
+        0xc2d75471474471caL } },
+    /* 47 << 70 */
+    { { 0x36ec9f4a4eb732ecL,0x6c943bbdb1ca6bedL,0xd64535e1f2457892L,
+        0x8b84a8eaf7e2ac06L },
+      { 0xe0936cd32499dd5fL,0x12053d7e0ed04e57L,0x4bdd0076e4305d9dL,
+        0x34a527b91f67f0a2L } },
+    /* 48 << 70 */
+    { { 0xe79a4af09cec46eaL,0xb15347a1658b9bc7L,0x6bd2796f35af2f75L,
+        0xac9579904051c435L },
+      { 0x2669dda3c33a655dL,0x5d503c2e88514aa3L,0xdfa113373753dd41L,
+        0x3f0546730b754f78L } },
+    /* 49 << 70 */
+    { { 0xbf185677496125bdL,0xfb0023c83775006cL,0xfa0f072f3a037899L,
+        0x4222b6eb0e4aea57L },
+      { 0x3dde5e767866d25aL,0xb6eb04f84837aa6fL,0x5315591a2cf1cdb8L,
+        0x6dfb4f412d4e683cL } },
+    /* 50 << 70 */
+    { { 0x7e923ea448ee1f3aL,0x9604d9f705a2afd5L,0xbe1d4a3340ea4948L,
+        0x5b45f1f4b44cbd2fL },
+      { 0x5faf83764acc757eL,0xa7cf9ab863d68ff7L,0x8ad62f69df0e404bL,
+        0xd65f33c212bdafdfL } },
+    /* 51 << 70 */
+    { { 0xc365de15a377b14eL,0x6bf5463b8e39f60cL,0x62030d2d2ce68148L,
+        0xd95867efe6f843a8L },
+      { 0xd39a0244ef5ab017L,0x0bd2d8c14ab55d12L,0xc9503db341639169L,
+        0x2d4e25b0f7660c8aL } },
+    /* 52 << 70 */
+    { { 0x760cb3b5e224c5d7L,0xfa3baf8c68616919L,0x9fbca1138d142552L,
+        0x1ab18bf17669ebf5L },
+      { 0x55e6f53e9bdf25ddL,0x04cc0bf3cb6cd154L,0x595bef4995e89080L,
+        0xfe9459a8104a9ac1L } },
+    /* 53 << 70 */
+    { { 0xad2d89cacce9bb32L,0xddea65e1f7de8285L,0x62ed8c35b351bd4bL,
+        0x4150ff360c0e19a7L },
+      { 0x86e3c801345f4e47L,0x3bf21f71203a266cL,0x7ae110d4855b1f13L,
+        0x5d6aaf6a07262517L } },
+    /* 54 << 70 */
+    { { 0x1e0f12e1813d28f1L,0x6000e11d7ad7a523L,0xc7d8deefc744a17bL,
+        0x1e990b4814c05a00L },
+      { 0x68fddaee93e976d5L,0x696241d146610d63L,0xb204e7c3893dda88L,
+        0x8bccfa656a3a6946L } },
+    /* 55 << 70 */
+    { { 0xb59425b4c5cd1411L,0x701b4042ff3658b1L,0xe3e56bca4784cf93L,
+        0x27de5f158fe68d60L },
+      { 0x4ab9cfcef8d53f19L,0xddb10311a40a730dL,0x6fa73cd14eee0a8aL,
+        0xfd5487485249719dL } },
+    /* 56 << 70 */
+    { { 0x49d66316a8123ef0L,0x73c32db4e7f95438L,0x2e2ed2090d9e7854L,
+        0xf98a93299d9f0507L },
+      { 0xc5d33cf60c6aa20aL,0x9a32ba1475279bb2L,0x7e3202cb774a7307L,
+        0x64ed4bc4e8c42dbdL } },
+    /* 57 << 70 */
+    { { 0xc20f1a06d4caed0dL,0xb8021407171d22b3L,0xd426ca04d13268d7L,
+        0x9237700725f4d126L },
+      { 0x4204cbc371f21a85L,0x18461b7af82369baL,0xc0c07d313fc858f9L,
+        0x5deb5a50e2bab569L } },
+    /* 58 << 70 */
+    { { 0xd5959d46d5eea89eL,0xfdff842408437f4bL,0xf21071e43cfe254fL,
+        0x7241769695468321L },
+      { 0x5d8288b9102cae3eL,0x2d143e3df1965dffL,0x00c9a376a078d847L,
+        0x6fc0da3126028731L } },
+    /* 59 << 70 */
+    { { 0xa2baeadfe45083a2L,0x66bc72185e5b4bcdL,0x2c826442d04b8e7fL,
+        0xc19f54516c4b586bL },
+      { 0x60182c495b7eeed5L,0xd9954ecd7aa9dfa1L,0xa403a8ecc73884adL,
+        0x7fb17de29bb39041L } },
+    /* 60 << 70 */
+    { { 0x694b64c5abb020e8L,0x3d18c18419c4eec7L,0x9c4673ef1c4793e5L,
+        0xc7b8aeb5056092e6L },
+      { 0x3aa1ca43f0f8c16bL,0x224ed5ecd679b2f6L,0x0d56eeaf55a205c9L,
+        0xbfe115ba4b8e028bL } },
+    /* 61 << 70 */
+    { { 0x97e608493927f4feL,0xf91fbf94759aa7c5L,0x985af7696be90a51L,
+        0xc1277b7878ccb823L },
+      { 0x395b656ee7a75952L,0x00df7de0928da5f5L,0x09c231754ca4454fL,
+        0x4ec971f47aa2d3c1L } },
+    /* 62 << 70 */
+    { { 0x45c3c507e75d9cccL,0x63b7be8a3dc90306L,0x37e09c665db44bdcL,
+        0x50d60da16841c6a2L },
+      { 0x6f9b65ee08df1b12L,0x387348797ff089dfL,0x9c331a663fe8013dL,
+        0x017f5de95f42fcc8L } },
+    /* 63 << 70 */
+    { { 0x43077866e8e57567L,0xc9f781cef9fcdb18L,0x38131dda9b12e174L,
+        0x25d84aa38a03752aL },
+      { 0x45e09e094d0c0ce2L,0x1564008b92bebba5L,0xf7e8ad31a87284c7L,
+        0xb7c4b46c97e7bbaaL } },
+    /* 64 << 70 */
+    { { 0x3e22a7b397acf4ecL,0x0426c4005ea8b640L,0x5e3295a64e969285L,
+        0x22aabc59a6a45670L },
+      { 0xb929714c5f5942bcL,0x9a6168bdfa3182edL,0x2216a665104152baL,
+        0x46908d03b6926368L } },
+    /* 0 << 77 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 77 */
+    { { 0xa9f5d8745a1251fbL,0x967747a8c72725c7L,0x195c33e531ffe89eL,
+        0x609d210fe964935eL },
+      { 0xcafd6ca82fe12227L,0xaf9b5b960426469dL,0x2e9ee04c5693183cL,
+        0x1084a333c8146fefL } },
+    /* 2 << 77 */
+    { { 0x96649933aed1d1f7L,0x566eaff350563090L,0x345057f0ad2e39cfL,
+        0x148ff65b1f832124L },
+      { 0x042e89d4cf94cf0dL,0x319bec84520c58b3L,0x2a2676265361aa0dL,
+        0xc86fa3028fbc87adL } },
+    /* 3 << 77 */
+    { { 0xfc83d2ab5c8b06d5L,0xb1a785a2fe4eac46L,0xb99315bc846f7779L,
+        0xcf31d816ef9ea505L },
+      { 0x2391fe6a15d7dc85L,0x2f132b04b4016b33L,0x29547fe3181cb4c7L,
+        0xdb66d8a6650155a1L } },
+    /* 4 << 77 */
+    { { 0x6b66d7e1adc1696fL,0x98ebe5930acd72d0L,0x65f24550cc1b7435L,
+        0xce231393b4b9a5ecL },
+      { 0x234a22d4db067df9L,0x98dda095caff9b00L,0x1bbc75a06100c9c1L,
+        0x1560a9c8939cf695L } },
+    /* 5 << 77 */
+    { { 0xcf006d3e99e0925fL,0x2dd74a966322375aL,0xc58b446ab56af5baL,
+        0x50292683e0b9b4f1L },
+      { 0xe2c34cb41aeaffa3L,0x8b17203f9b9587c1L,0x6d559207ead1350cL,
+        0x2b66a215fb7f9604L } },
+    /* 6 << 77 */
+    { { 0x0850325efe51bf74L,0x9c4f579e5e460094L,0x5c87b92a76da2f25L,
+        0x889de4e06febef33L },
+      { 0x6900ec06646083ceL,0xbe2a0335bfe12773L,0xadd1da35c5344110L,
+        0x757568b7b802cd20L } },
+    /* 7 << 77 */
+    { { 0x7555977900f7e6c8L,0x38e8b94f0facd2f0L,0xfea1f3af03fde375L,
+        0x5e11a1d875881dfcL },
+      { 0xb3a6b02ec1e2f2efL,0x193d2bbbc605a6c5L,0x325ffeee339a0b2dL,
+        0x27b6a7249e0c8846L } },
+    /* 8 << 77 */
+    { { 0xe4050f1cf1c367caL,0x9bc85a9bc90fbc7dL,0xa373c4a2e1a11032L,
+        0xb64232b7ad0393a9L },
+      { 0xf5577eb0167dad29L,0x1604f30194b78ab2L,0x0baa94afe829348bL,
+        0x77fbd8dd41654342L } },
+    /* 9 << 77 */
+    { { 0xdab50ea5b964e39aL,0xd4c29e3cd0d3c76eL,0x80dae67c56d11964L,
+        0x7307a8bfe5ffcc2fL },
+      { 0x65bbc1aa91708c3bL,0xa151e62c28bf0eebL,0x6cb533816fa34db7L,
+        0x5139e05ca29403a8L } },
+    /* 10 << 77 */
+    { { 0x6ff651b494a7cd2eL,0x5671ffd10699336cL,0x6f5fd2cc979a896aL,
+        0x11e893a8d8148cefL },
+      { 0x988906a165cf7b10L,0x81b67178c50d8485L,0x7c0deb358a35b3deL,
+        0x423ac855c1d29799L } },
+    /* 11 << 77 */
+    { { 0xaf580d87dac50b74L,0x28b2b89f5869734cL,0x99a3b936874e28fbL,
+        0xbb2c919025f3f73aL },
+      { 0x199f691884a9d5b7L,0x7ebe23257e770374L,0xf442e1070738efe2L,
+        0xcf9f3f56cf9082d2L } },
+    /* 12 << 77 */
+    { { 0x719f69e109618708L,0xcc9e8364c183f9b1L,0xec203a95366a21afL,
+        0x6aec5d6d068b141fL },
+      { 0xee2df78a994f04e9L,0xb39ccae8271245b0L,0xb875a4a997e43f4fL,
+        0x507dfe11db2cea98L } },
+    /* 13 << 77 */
+    { { 0x4fbf81cb489b03e9L,0xdb86ec5b6ec414faL,0xfad444f9f51b3ae5L,
+        0xca7d33d61914e3feL },
+      { 0xa9c32f5c0ae6c4d0L,0xa9ca1d1e73969568L,0x98043c311aa7467eL,
+        0xe832e75ce21b5ac6L } },
+    /* 14 << 77 */
+    { { 0x314b7aea5232123dL,0x08307c8c65ae86dbL,0x06e7165caa4668edL,
+        0xb170458bb4d3ec39L },
+      { 0x4d2e3ec6c19bb986L,0xc5f34846ae0304edL,0x917695a06c9f9722L,
+        0x6c7f73174cab1c0aL } },
+    /* 15 << 77 */
+    { { 0x6295940e9d6d2e8bL,0xd318b8c1549f7c97L,0x2245320497713885L,
+        0x468d834ba8a440feL },
+      { 0xd81fe5b2bfba796eL,0x152364db6d71f116L,0xbb8c7c59b5b66e53L,
+        0x0b12c61b2641a192L } },
+    /* 16 << 77 */
+    { { 0x31f14802fcf0a7fdL,0x42fd07895488b01eL,0x71d78d6d9952b498L,
+        0x8eb572d907ac5201L },
+      { 0xe0a2a44c4d194a88L,0xd2b63fd9ba017e66L,0x78efc6c8f888aefcL,
+        0xb76f6bda4a881a11L } },
+    /* 17 << 77 */
+    { { 0x187f314bb46c2397L,0x004cf5665ded2819L,0xa9ea570438764d34L,
+        0xbba4521778084709L },
+      { 0x064745711171121eL,0xad7b7eb1e7c9b671L,0xdacfbc40730f7507L,
+        0x178cd8c6c7ad7bd1L } },
+    /* 18 << 77 */
+    { { 0xbf0be101b2a67238L,0x3556d367af9c14f2L,0x104b7831a5662075L,
+        0x58ca59bb79d9e60aL },
+      { 0x4bc45392a569a73bL,0x517a52e85698f6c9L,0x85643da5aeadd755L,
+        0x1aed0cd52a581b84L } },
+    /* 19 << 77 */
+    { { 0xb9b4ff8480af1372L,0x244c3113f1ba5d1fL,0x2a5dacbef5f98d31L,
+        0x2c3323e84375bc2aL },
+      { 0x17a3ab4a5594b1ddL,0xa1928bfbceb4797eL,0xe83af245e4886a19L,
+        0x8979d54672b5a74aL } },
+    /* 20 << 77 */
+    { { 0xa0f726bc19f9e967L,0xd9d03152e8fbbf4eL,0xcfd6f51db7707d40L,
+        0x633084d963f6e6e0L },
+      { 0xedcd9cdc55667eafL,0x73b7f92b2e44d56fL,0xfb2e39b64e962b14L,
+        0x7d408f6ef671fcbfL } },
+    /* 21 << 77 */
+    { { 0xcc634ddc164a89bbL,0x74a42bb23ef3bd05L,0x1280dbb2428decbbL,
+        0x6103f6bb402c8596L },
+      { 0xfa2bf581355a5752L,0x562f96a800946674L,0x4e4ca16d6da0223bL,
+        0xfe47819f28d3aa25L } },
+    /* 22 << 77 */
+    { { 0x9eea3075f8dfcf8aL,0xa284f0aa95669825L,0xb3fca250867d3fd8L,
+        0x20757b5f269d691eL },
+      { 0xf2c2402093b8a5deL,0xd3f93359ebc06da6L,0x1178293eb2739c33L,
+        0xd2a3e770bcd686e5L } },
+    /* 23 << 77 */
+    { { 0xa76f49f4cd941534L,0x0d37406be3c71c0eL,0x172d93973b97f7e3L,
+        0xec17e239bd7fd0deL },
+      { 0xe32905516f496ba2L,0x6a69317236ad50e7L,0xc4e539a283e7eff5L,
+        0x752737e718e1b4cfL } },
+    /* 24 << 77 */
+    { { 0xa2f7932c68af43eeL,0x5502468e703d00bdL,0xe5dc978f2fb061f5L,
+        0xc9a1904a28c815adL },
+      { 0xd3af538d470c56a4L,0x159abc5f193d8cedL,0x2a37245f20108ef3L,
+        0xfa17081e223f7178L } },
+    /* 25 << 77 */
+    { { 0x27b0fb2b10c8c0f5L,0x2102c3ea40650547L,0x594564df8ac3bfa7L,
+        0x98102033509dad96L },
+      { 0x6989643ff1d18a13L,0x35eebd91d7fc5af0L,0x078d096afaeaafd8L,
+        0xb7a89341def3de98L } },
+    /* 26 << 77 */
+    { { 0x2a206e8decf2a73aL,0x066a63978e551994L,0x3a6a088ab98d53a2L,
+        0x0ce7c67c2d1124aaL },
+      { 0x48cec671759a113cL,0xe3b373d34f6f67faL,0x5455d479fd36727bL,
+        0xe5a428eea13c0d81L } },
+    /* 27 << 77 */
+    { { 0xb853dbc81c86682bL,0xb78d2727b8d02b2aL,0xaaf69bed8ebc329aL,
+        0xdb6b40b3293b2148L },
+      { 0xe42ea77db8c4961fL,0xb1a12f7c20e5e0abL,0xa0ec527479e8b05eL,
+        0x68027391fab60a80L } },
+    /* 28 << 77 */
+    { { 0x6bfeea5f16b1bd5eL,0xf957e4204de30ad3L,0xcbaf664e6a353b9eL,
+        0x5c87331226d14febL },
+      { 0x4e87f98cb65f57cbL,0xdb60a6215e0cdd41L,0x67c16865a6881440L,
+        0x1093ef1a46ab52aaL } },
+    /* 29 << 77 */
+    { { 0xc095afb53f4ece64L,0x6a6bb02e7604551aL,0x55d44b4e0b26b8cdL,
+        0xe5f9a999f971268aL },
+      { 0xc08ec42511a7de84L,0x83568095fda469ddL,0x737bfba16c6c90a2L,
+        0x1cb9c4a0be229831L } },
+    /* 30 << 77 */
+    { { 0x93bccbbabb2eec64L,0xa0c23b64da03adbeL,0x5f7aa00ae0e86ac4L,
+        0x470b941efc1401e6L },
+      { 0x5ad8d6799df43574L,0x4ccfb8a90f65d810L,0x1bce80e3aa7fbd81L,
+        0x273291ad9508d20aL } },
+    /* 31 << 77 */
+    { { 0xf5c4b46b42a92806L,0x810684eca86ab44aL,0x4591640bca0bc9f8L,
+        0xb5efcdfc5c4b6054L },
+      { 0x16fc89076e9edd12L,0xe29d0b50d4d792f9L,0xa45fd01c9b03116dL,
+        0x85035235c81765a4L } },
+    /* 32 << 77 */
+    { { 0x1fe2a9b2b4b4b67cL,0xc1d10df0e8020604L,0x9d64abfcbc8058d8L,
+        0x8943b9b2712a0fbbL },
+      { 0x90eed9143b3def04L,0x85ab3aa24ce775ffL,0x605fd4ca7bbc9040L,
+        0x8b34a564e2c75dfbL } },
+    /* 33 << 77 */
+    { { 0x41ffc94a10358560L,0x2d8a50729e5c28aaL,0xe915a0fc4cc7eb15L,
+        0xe9efab058f6d0f5dL },
+      { 0xdbab47a9d19e9b91L,0x8cfed7450276154cL,0x154357ae2cfede0dL,
+        0x520630df19f5a4efL } },
+    /* 34 << 77 */
+    { { 0x25759f7ce382360fL,0xb6db05c988bf5857L,0x2917d61d6c58d46cL,
+        0x14f8e491fd20cb7aL },
+      { 0xb68a727a11c20340L,0x0386f86faf7ccbb6L,0x5c8bc6ccfee09a20L,
+        0x7d76ff4abb7eea35L } },
+    /* 35 << 77 */
+    { { 0xa7bdebe7db15be7aL,0x67a08054d89f0302L,0x56bf0ea9c1193364L,
+        0xc824446762837ebeL },
+      { 0x32bd8e8b20d841b8L,0x127a0548dbb8a54fL,0x83dd4ca663b20236L,
+        0x87714718203491faL } },
+    /* 36 << 77 */
+    { { 0x4dabcaaaaa8a5288L,0x91cc0c8aaf23a1c9L,0x34c72c6a3f220e0cL,
+        0xbcc20bdf1232144aL },
+      { 0x6e2f42daa20ede1bL,0xc441f00c74a00515L,0xbf46a5b6734b8c4bL,
+        0x574095037b56c9a4L } },
+    /* 37 << 77 */
+    { { 0x9f735261e4585d45L,0x9231faed6734e642L,0x1158a176be70ee6cL,
+        0x35f1068d7c3501bfL },
+      { 0x6beef900a2d26115L,0x649406f2ef0afee3L,0x3f43a60abc2420a1L,
+        0x509002a7d5aee4acL } },
+    /* 38 << 77 */
+    { { 0xb46836a53ff3571bL,0x24f98b78837927c1L,0x6254256a4533c716L,
+        0xf27abb0bd07ee196L },
+      { 0xd7cf64fc5c6d5bfdL,0x6915c751f0cd7a77L,0xd9f590128798f534L,
+        0x772b0da8f81d8b5fL } },
+    /* 39 << 77 */
+    { { 0x1244260c2e03fa69L,0x36cf0e3a3be1a374L,0x6e7c1633ef06b960L,
+        0xa71a4c55671f90f6L },
+      { 0x7a94125133c673dbL,0xc0bea51073e8c131L,0x61a8a699d4f6c734L,
+        0x25e78c88341ed001L } },
+    /* 40 << 77 */
+    { { 0x5c18acf88e2f7d90L,0xfdbf33d777be32cdL,0x0a085cd7d2eb5ee9L,
+        0x2d702cfbb3201115L },
+      { 0xb6e0ebdb85c88ce8L,0x23a3ce3c1e01d617L,0x3041618e567333acL,
+        0x9dd0fd8f157edb6bL } },
+    /* 41 << 77 */
+    { { 0x27f74702b57872b8L,0x2ef26b4f657d5fe1L,0x95426f0a57cf3d40L,
+        0x847e2ad165a6067aL },
+      { 0xd474d9a009996a74L,0x16a56acd2a26115cL,0x02a615c3d16f4d43L,
+        0xcc3fc965aadb85b7L } },
+    /* 42 << 77 */
+    { { 0x386bda73ce07d1b0L,0xd82910c258ad4178L,0x124f82cfcd2617f4L,
+        0xcc2f5e8def691770L },
+      { 0x82702550b8c30cccL,0x7b856aea1a8e575aL,0xbb822fefb1ab9459L,
+        0x085928bcec24e38eL } },
+    /* 43 << 77 */
+    { { 0x5d0402ecba8f4b4dL,0xc07cd4ba00b4d58bL,0x5d8dffd529227e7aL,
+        0x61d44d0c31bf386fL },
+      { 0xe486dc2b135e6f4dL,0x680962ebe79410efL,0xa61bd343f10088b5L,
+        0x6aa76076e2e28686L } },
+    /* 44 << 77 */
+    { { 0x80463d118fb98871L,0xcb26f5c3bbc76affL,0xd4ab8eddfbe03614L,
+        0xc8eb579bc0cf2deeL },
+      { 0xcc004c15c93bae41L,0x46fbae5d3aeca3b2L,0x671235cf0f1e9ab1L,
+        0xadfba9349ec285c1L } },
+    /* 45 << 77 */
+    { { 0x88ded013f216c980L,0xc8ac4fb8f79e0bc1L,0xa29b89c6fb97a237L,
+        0xb697b7809922d8e7L },
+      { 0x3142c639ddb945b5L,0x447b06c7e094c3a9L,0xcdcb364272266c90L,
+        0x633aad08a9385046L } },
+    /* 46 << 77 */
+    { { 0xa36c936bb57c6477L,0x871f8b64e94dbcc6L,0x28d0fb62a591a67bL,
+        0x9d40e081c1d926f5L },
+      { 0x3111eaf6f2d84b5aL,0x228993f9a565b644L,0x0ccbf5922c83188bL,
+        0xf87b30ab3df3e197L } },
+    /* 47 << 77 */
+    { { 0xb8658b317642bca8L,0x1a032d7f52800f17L,0x051dcae579bf9445L,
+        0xeba6b8ee54a2e253L },
+      { 0x5c8b9cadd4485692L,0x84bda40e8986e9beL,0xd16d16a42f0db448L,
+        0x8ec80050a14d4188L } },
+    /* 48 << 77 */
+    { { 0xb2b2610798fa7aaaL,0x41209ee4f073aa4eL,0xf1570359f2d6b19bL,
+        0xcbe6868cfc577cafL },
+      { 0x186c4bdc32c04dd3L,0xa6c35faecfeee397L,0xb4a1b312f086c0cfL,
+        0xe0a5ccc6d9461fe2L } },
+    /* 49 << 77 */
+    { { 0xc32278aa1536189fL,0x1126c55fba6df571L,0x0f71a602b194560eL,
+        0x8b2d7405324bd6e1L },
+      { 0x8481939e3738be71L,0xb5090b1a1a4d97a9L,0x116c65a3f05ba915L,
+        0x21863ad3aae448aaL } },
+    /* 50 << 77 */
+    { { 0xd24e2679a7aae5d3L,0x7076013d0de5c1c4L,0x2d50f8babb05b629L,
+        0x73c1abe26e66efbbL },
+      { 0xefd4b422f2488af7L,0xe4105d02663ba575L,0x7eb60a8b53a69457L,
+        0x62210008c945973bL } },
+    /* 51 << 77 */
+    { { 0xfb25547877a50ec6L,0xbf0392f70a37a72cL,0xa0a7a19c4be18e7aL,
+        0x90d8ea1625b1e0afL },
+      { 0x7582a293ef953f57L,0x90a64d05bdc5465aL,0xca79c497e2510717L,
+        0x560dbb7c18cb641fL } },
+    /* 52 << 77 */
+    { { 0x1d8e32864b66abfbL,0xd26f52e559030900L,0x1ee3f6435584941aL,
+        0x6d3b3730569f5958L },
+      { 0x9ff2a62f4789dba5L,0x91fcb81572b5c9b7L,0xf446cb7d6c8f9a0eL,
+        0x48f625c139b7ecb5L } },
+    /* 53 << 77 */
+    { { 0xbabae8011c6219b8L,0xe7a562d928ac2f23L,0xe1b4873226e20588L,
+        0x06ee1cad775af051L },
+      { 0xda29ae43faff79f7L,0xc141a412652ee9e0L,0x1e127f6f195f4bd0L,
+        0x29c6ab4f072f34f8L } },
+    /* 54 << 77 */
+    { { 0x7b7c147730448112L,0x82b51af1e4a38656L,0x2bf2028a2f315010L,
+        0xc9a4a01f6ea88cd4L },
+      { 0xf63e95d8257e5818L,0xdd8efa10b4519b16L,0xed8973e00da910bfL,
+        0xed49d0775c0fe4a9L } },
+    /* 55 << 77 */
+    { { 0xac3aac5eb7caee1eL,0x1033898da7f4da57L,0x42145c0e5c6669b9L,
+        0x42daa688c1aa2aa0L },
+      { 0x629cc15c1a1d885aL,0x25572ec0f4b76817L,0x8312e4359c8f8f28L,
+        0x8107f8cd81965490L } },
+    /* 56 << 77 */
+    { { 0x516ff3a36fa6110cL,0x74fb1eb1fb93561fL,0x6c0c90478457522bL,
+        0xcfd321046bb8bdc6L },
+      { 0x2d6884a2cc80ad57L,0x7c27fc3586a9b637L,0x3461baedadf4e8cdL,
+        0x1d56251a617242f0L } },
+    /* 57 << 77 */
+    { { 0x0b80d209c955bef4L,0xdf02cad206adb047L,0xf0d7cb915ec74feeL,
+        0xd25033751111ba44L },
+      { 0x9671755edf53cb36L,0x54dcb6123368551bL,0x66d69aacc8a025a4L,
+        0x6be946c6e77ef445L } },
+    /* 58 << 77 */
+    { { 0x719946d1a995e094L,0x65e848f6e51e04d8L,0xe62f33006a1e3113L,
+        0x1541c7c1501de503L },
+      { 0x4daac9faf4acfadeL,0x0e58589744cd0b71L,0x544fd8690a51cd77L,
+        0x60fc20ed0031016dL } },
+    /* 59 << 77 */
+    { { 0x58b404eca4276867L,0x46f6c3cc34f34993L,0x477ca007c636e5bdL,
+        0x8018f5e57c458b47L },
+      { 0xa1202270e47b668fL,0xcef48ccdee14f203L,0x23f98bae62ff9b4dL,
+        0x55acc035c589edddL } },
+    /* 60 << 77 */
+    { { 0x3fe712af64db4444L,0x19e9d634becdd480L,0xe08bc047a930978aL,
+        0x2dbf24eca1280733L },
+      { 0x3c0ae38c2cd706b2L,0x5b012a5b359017b9L,0x3943c38c72e0f5aeL,
+        0x786167ea57176fa3L } },
+    /* 61 << 77 */
+    { { 0xe5f9897d594881dcL,0x6b5efad8cfb820c1L,0xb2179093d55018deL,
+        0x39ad7d320bac56ceL },
+      { 0xb55122e02cfc0e81L,0x117c4661f6d89daaL,0x362d01e1cb64fa09L,
+        0x6a309b4e3e9c4dddL } },
+    /* 62 << 77 */
+    { { 0xfa979fb7abea49b1L,0xb4b1d27d10e2c6c5L,0xbd61c2c423afde7aL,
+        0xeb6614f89786d358L },
+      { 0x4a5d816b7f6f7459L,0xe431a44f09360e7bL,0x8c27a032c309914cL,
+        0xcea5d68acaede3d8L } },
+    /* 63 << 77 */
+    { { 0x3668f6653a0a3f95L,0x893694167ceba27bL,0x89981fade4728fe9L,
+        0x7102c8a08a093562L },
+      { 0xbb80310e235d21c8L,0x505e55d1befb7f7bL,0xa0a9081112958a67L,
+        0xd67e106a4d851fefL } },
+    /* 64 << 77 */
+    { { 0xb84011a9431dd80eL,0xeb7c7cca73306cd9L,0x20fadd29d1b3b730L,
+        0x83858b5bfe37b3d3L },
+      { 0xbf4cd193b6251d5cL,0x1cca1fd31352d952L,0xc66157a490fbc051L,
+        0x7990a63889b98636L } },
+    /* 0 << 84 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 84 */
+    { { 0xe5aa692a87dec0e1L,0x010ded8df7b39d00L,0x7b1b80c854cfa0b5L,
+        0x66beb876a0f8ea28L },
+      { 0x50d7f5313476cd0eL,0xa63d0e65b08d3949L,0x1a09eea953479fc6L,
+        0x82ae9891f499e742L } },
+    /* 2 << 84 */
+    { { 0xab58b9105ca7d866L,0x582967e23adb3b34L,0x89ae4447cceac0bcL,
+        0x919c667c7bf56af5L },
+      { 0x9aec17b160f5dcd7L,0xec697b9fddcaadbcL,0x0b98f341463467f5L,
+        0xb187f1f7a967132fL } },
+    /* 3 << 84 */
+    { { 0x90fe7a1d214aeb18L,0x1506af3c741432f7L,0xbb5565f9e591a0c4L,
+        0x10d41a77b44f1bc3L },
+      { 0xa09d65e4a84bde96L,0x42f060d8f20a6a1cL,0x652a3bfdf27f9ce7L,
+        0xb6bdb65c3b3d739fL } },
+    /* 4 << 84 */
+    { { 0xeb5ddcb6ec7fae9fL,0x995f2714efb66e5aL,0xdee95d8e69445d52L,
+        0x1b6c2d4609e27620L },
+      { 0x32621c318129d716L,0xb03909f10958c1aaL,0x8c468ef91af4af63L,
+        0x162c429ffba5cdf6L } },
+    /* 5 << 84 */
+    { { 0x2f682343753b9371L,0x29cab45a5f1f9cd7L,0x571623abb245db96L,
+        0xc507db093fd79999L },
+      { 0x4e2ef652af036c32L,0x86f0cc7805018e5cL,0xc10a73d4ab8be350L,
+        0x6519b3977e826327L } },
+    /* 6 << 84 */
+    { { 0xe8cb5eef9c053df7L,0x8de25b37b300ea6fL,0xdb03fa92c849cffbL,
+        0x242e43a7e84169bbL },
+      { 0xe4fa51f4dd6f958eL,0x6925a77ff4445a8dL,0xe6e72a50e90d8949L,
+        0xc66648e32b1f6390L } },
+    /* 7 << 84 */
+    { { 0xb2ab1957173e460cL,0x1bbbce7530704590L,0xc0a90dbddb1c7162L,
+        0x505e399e15cdd65dL },
+      { 0x68434dcb57797ab7L,0x60ad35ba6a2ca8e8L,0x4bfdb1e0de3336c1L,
+        0xbbef99ebd8b39015L } },
+    /* 8 << 84 */
+    { { 0x6c3b96f31711ebecL,0x2da40f1fce98fdc4L,0xb99774d357b4411fL,
+        0x87c8bdf415b65bb6L },
+      { 0xda3a89e3c2eef12dL,0xde95bb9b3c7471f3L,0x600f225bd812c594L,
+        0x54907c5d2b75a56bL } },
+    /* 9 << 84 */
+    { { 0xa93cc5f08db60e35L,0x743e3cd6fa833319L,0x7dad5c41f81683c9L,
+        0x70c1e7d99c34107eL },
+      { 0x0edc4a39a6be0907L,0x36d4703586d0b7d3L,0x8c76da03272bfa60L,
+        0x0b4a07ea0f08a414L } },
+    /* 10 << 84 */
+    { { 0x699e4d2945c1dd53L,0xcadc5898231debb5L,0xdf49fcc7a77f00e0L,
+        0x93057bbfa73e5a0eL },
+      { 0x2f8b7ecd027a4cd1L,0x114734b3c614011aL,0xe7a01db767677c68L,
+        0x89d9be5e7e273f4fL } },
+    /* 11 << 84 */
+    { { 0xd225cb2e089808efL,0xf1f7a27dd59e4107L,0x53afc7618211b9c9L,
+        0x0361bc67e6819159L },
+      { 0x2a865d0b7f071426L,0x6a3c1810e7072567L,0x3e3bca1e0d6bcabdL,
+        0xa1b02bc1408591bcL } },
+    /* 12 << 84 */
+    { { 0xe0deee5931fba239L,0xf47424d398bd91d1L,0x0f8886f4071a3c1dL,
+        0x3f7d41e8a819233bL },
+      { 0x708623c2cf6eb998L,0x86bb49af609a287fL,0x942bb24963c90762L,
+        0x0ef6eea555a9654bL } },
+    /* 13 << 84 */
+    { { 0x5f6d2d7236f5defeL,0xfa9922dc56f99176L,0x6c8c5ecef78ce0c7L,
+        0x7b44589dbe09b55eL },
+      { 0xe11b3bca9ea83770L,0xd7fa2c7f2ab71547L,0x2a3dd6fa2a1ddcc0L,
+        0x09acb4305a7b7707L } },
+    /* 14 << 84 */
+    { { 0x4add4a2e649d4e57L,0xcd53a2b01917526eL,0xc526233020b44ac4L,
+        0x4028746abaa2c31dL },
+      { 0x5131839064291d4cL,0xbf48f151ee5ad909L,0xcce57f597b185681L,
+        0x7c3ac1b04854d442L } },
+    /* 15 << 84 */
+    { { 0x65587dc3c093c171L,0xae7acb2424f42b65L,0x5a338adb955996cbL,
+        0xc8e656756051f91bL },
+      { 0x66711fba28b8d0b1L,0x15d74137b6c10a90L,0x70cdd7eb3a232a80L,
+        0xc9e2f07f6191ed24L } },
+    /* 16 << 84 */
+    { { 0xa80d1db6f79588c0L,0xfa52fc69b55768ccL,0x0b4df1ae7f54438aL,
+        0x0cadd1a7f9b46a4fL },
+      { 0xb40ea6b31803dd6fL,0x488e4fa555eaae35L,0x9f047d55382e4e16L,
+        0xc9b5b7e02f6e0c98L } },
+    /* 17 << 84 */
+    { { 0x6b1bd2d395762649L,0xa9604ee7c7aea3f6L,0x3646ff276dc6f896L,
+        0x9bf0e7f52860bad1L },
+      { 0x2d92c8217cb44b92L,0xa2f5ce63aea9c182L,0xd0a2afb19154a5fdL,
+        0x482e474c95801da6L } },
+    /* 18 << 84 */
+    { { 0xc19972d0b611c24bL,0x1d468e6560a8f351L,0xeb7580697bcf6421L,
+        0xec9dd0ee88fbc491L },
+      { 0x5b59d2bf956c2e32L,0x73dc6864dcddf94eL,0xfd5e2321bcee7665L,
+        0xa7b4f8ef5e9a06c4L } },
+    /* 19 << 84 */
+    { { 0xfba918dd7280f855L,0xbbaac2608baec688L,0xa3b3f00f33400f42L,
+        0x3d2dba2966f2e6e4L },
+      { 0xb6f71a9498509375L,0x8f33031fcea423ccL,0x009b8dd04807e6fbL,
+        0x5163cfe55cdb954cL } },
+    /* 20 << 84 */
+    { { 0x03cc8f17cf41c6e8L,0xf1f03c2a037b925cL,0xc39c19cc66d2427cL,
+        0x823d24ba7b6c18e4L },
+      { 0x32ef9013901f0b4fL,0x684360f1f8941c2eL,0x0ebaff522c28092eL,
+        0x7891e4e3256c932fL } },
+    /* 21 << 84 */
+    { { 0x51264319ac445e3dL,0x553432e78ea74381L,0xe6eeaa6967e9c50aL,
+        0x27ced28462e628c7L },
+      { 0x3f96d3757a4afa57L,0xde0a14c3e484c150L,0x364a24eb38bd9923L,
+        0x1df18da0e5177422L } },
+    /* 22 << 84 */
+    { { 0x174e8f82d8d38a9bL,0x2e97c600e7de1391L,0xc5709850a1c175ddL,
+        0x969041a032ae5035L },
+      { 0xcbfd533b76a2086bL,0xd6bba71bd7c2e8feL,0xb2d58ee6099dfb67L,
+        0x3a8b342d064a85d9L } },
+    /* 23 << 84 */
+    { { 0x3bc07649522f9be3L,0x690c075bdf1f49a8L,0x80e1aee83854ec42L,
+        0x2a7dbf4417689dc7L },
+      { 0xc004fc0e3faf4078L,0xb2f02e9edf11862cL,0xf10a5e0fa0a1b7b3L,
+        0x30aca6238936ec80L } },
+    /* 24 << 84 */
+    { { 0xf83cbf0502f40d9aL,0x4681c4682c318a4dL,0x985756180e9c2674L,
+        0xbe79d0461847092eL },
+      { 0xaf1e480a78bd01e0L,0x6dd359e472a51db9L,0x62ce3821e3afbab6L,
+        0xc5cee5b617733199L } },
+    /* 25 << 84 */
+    { { 0xe08b30d46ffd9fbbL,0x6e5bc69936c610b7L,0xf343cff29ce262cfL,
+        0xca2e4e3568b914c1L },
+      { 0x011d64c016de36c5L,0xe0b10fdd42e2b829L,0x789429816685aaf8L,
+        0xe7511708230ede97L } },
+    /* 26 << 84 */
+    { { 0x671ed8fc3b922bf8L,0xe4d8c0a04c29b133L,0x87eb12393b6e99c4L,
+        0xaff3974c8793bebaL },
+      { 0x037494052c18df9bL,0xc5c3a29391007139L,0x6a77234fe37a0b95L,
+        0x02c29a21b661c96bL } },
+    /* 27 << 84 */
+    { { 0xc3aaf1d6141ecf61L,0x9195509e3bb22f53L,0x2959740422d51357L,
+        0x1b083822537bed60L },
+      { 0xcd7d6e35e07289f0L,0x1f94c48c6dd86effL,0xc8bb1f82eb0f9cfaL,
+        0x9ee0b7e61b2eb97dL } },
+    /* 28 << 84 */
+    { { 0x5a52fe2e34d74e31L,0xa352c3103bf79ab6L,0x97ff6c5aabfeeb8fL,
+        0xbfbe8feff5c97305L },
+      { 0xd6081ce6a7904608L,0x1f812f3ac4fca249L,0x9b24bc9ab9e5e200L,
+        0x91022c6738012ee8L } },
+    /* 29 << 84 */
+    { { 0xe83d9c5d30a713a1L,0x4876e3f084ef0f93L,0xc9777029c1fbf928L,
+        0xef7a6bb3bce7d2a4L },
+      { 0xb8067228dfa2a659L,0xd5cd3398d877a48fL,0xbea4fd8f025d0f3fL,
+        0xd67d2e352eae7c2bL } },
+    /* 30 << 84 */
+    { { 0x184de7d7cc5f4394L,0xb5551b5c4536e142L,0x2e89b212d34aa60aL,
+        0x14a96feaf50051d5L },
+      { 0x4e21ef740d12bb0bL,0xc522f02060b9677eL,0x8b12e4672df7731dL,
+        0x39f803827b326d31L } },
+    /* 31 << 84 */
+    { { 0xdfb8630c39024a94L,0xaacb96a897319452L,0xd68a3961eda3867cL,
+        0x0c58e2b077c4ffcaL },
+      { 0x3d545d634da919faL,0xef79b69af15e2289L,0x54bc3d3d808bab10L,
+        0xc8ab300745f82c37L } },
+    /* 32 << 84 */
+    { { 0xc12738b67c4a658aL,0xb3c4763940e72182L,0x3b77be468798e44fL,
+        0xdc047df217a7f85fL },
+      { 0x2439d4c55e59d92dL,0xcedca475e8e64d8dL,0xa724cd0d87ca9b16L,
+        0x35e4fd59a5540dfeL } },
+    /* 33 << 84 */
+    { { 0xf8c1ff18e4bcf6b1L,0x856d6285295018faL,0x433f665c3263c949L,
+        0xa6a76dd6a1f21409L },
+      { 0x17d32334cc7b4f79L,0xa1d0312206720e4aL,0xadb6661d81d9bed5L,
+        0xf0d6fb0211db15d1L } },
+    /* 34 << 84 */
+    { { 0x7fd11ad51fb747d2L,0xab50f9593033762bL,0x2a7e711bfbefaf5aL,
+        0xc73932783fef2bbfL },
+      { 0xe29fa2440df6f9beL,0x9092757b71efd215L,0xee60e3114f3d6fd9L,
+        0x338542d40acfb78bL } },
+    /* 35 << 84 */
+    { { 0x44a23f0838961a0fL,0x1426eade986987caL,0x36e6ee2e4a863cc6L,
+        0x48059420628b8b79L },
+      { 0x30303ad87396e1deL,0x5c8bdc4838c5aad1L,0x3e40e11f5c8f5066L,
+        0xabd6e7688d246bbdL } },
+    /* 36 << 84 */
+    { { 0x68aa40bb23330a01L,0xd23f5ee4c34eafa0L,0x3bbee3155de02c21L,
+        0x18dd4397d1d8dd06L },
+      { 0x3ba1939a122d7b44L,0xe6d3b40aa33870d6L,0x8e620f701c4fe3f8L,
+        0xf6bba1a5d3a50cbfL } },
+    /* 37 << 84 */
+    { { 0x4a78bde5cfc0aee0L,0x847edc46c08c50bdL,0xbaa2439cad63c9b2L,
+        0xceb4a72810fc2acbL },
+      { 0xa419e40e26da033dL,0x6cc3889d03e02683L,0x1cd28559fdccf725L,
+        0x0fd7e0f18d13d208L } },
+    /* 38 << 84 */
+    { { 0x01b9733b1f0df9d4L,0x8cc2c5f3a2b5e4f3L,0x43053bfa3a304fd4L,
+        0x8e87665c0a9f1aa7L },
+      { 0x087f29ecd73dc965L,0x15ace4553e9023dbL,0x2370e3092bce28b4L,
+        0xf9723442b6b1e84aL } },
+    /* 39 << 84 */
+    { { 0xbeee662eb72d9f26L,0xb19396def0e47109L,0x85b1fa73e13289d0L,
+        0x436cf77e54e58e32L },
+      { 0x0ec833b3e990ef77L,0x7373e3ed1b11fc25L,0xbe0eda870fc332ceL,
+        0xced049708d7ea856L } },
+    /* 40 << 84 */
+    { { 0xf85ff7857e977ca0L,0xb66ee8dadfdd5d2bL,0xf5e37950905af461L,
+        0x587b9090966d487cL },
+      { 0x6a198a1b32ba0127L,0xa7720e07141615acL,0xa23f3499996ef2f2L,
+        0xef5f64b4470bcb3dL } },
+    /* 41 << 84 */
+    { { 0xa526a96292b8c559L,0x0c14aac069740a0fL,0x0d41a9e3a6bdc0a5L,
+        0x97d521069c48aef4L },
+      { 0xcf16bd303e7c253bL,0xcc834b1a47fdedc1L,0x7362c6e5373aab2eL,
+        0x264ed85ec5f590ffL } },
+    /* 42 << 84 */
+    { { 0x7a46d9c066d41870L,0xa50c20b14787ba09L,0x185e7e51e3d44635L,
+        0xb3b3e08031e2d8dcL },
+      { 0xbed1e558a179e9d9L,0x2daa3f7974a76781L,0x4372baf23a40864fL,
+        0x46900c544fe75cb5L } },
+    /* 43 << 84 */
+    { { 0xb95f171ef76765d0L,0x4ad726d295c87502L,0x2ec769da4d7c99bdL,
+        0x5e2ddd19c36cdfa8L },
+      { 0xc22117fca93e6deaL,0xe8a2583b93771123L,0xbe2f6089fa08a3a2L,
+        0x4809d5ed8f0e1112L } },
+    /* 44 << 84 */
+    { { 0x3b414aa3da7a095eL,0x9049acf126f5aaddL,0x78d46a4d6be8b84aL,
+        0xd66b1963b732b9b3L },
+      { 0x5c2ac2a0de6e9555L,0xcf52d098b5bd8770L,0x15a15fa60fd28921L,
+        0x56ccb81e8b27536dL } },
+    /* 45 << 84 */
+    { { 0x0f0d8ab89f4ccbb8L,0xed5f44d2db221729L,0x4314198800bed10cL,
+        0xc94348a41d735b8bL },
+      { 0x79f3e9c429ef8479L,0x4c13a4e3614c693fL,0x32c9af568e143a14L,
+        0xbc517799e29ac5c4L } },
+    /* 46 << 84 */
+    { { 0x05e179922774856fL,0x6e52fb056c1bf55fL,0xaeda4225e4f19e16L,
+        0x70f4728aaf5ccb26L },
+      { 0x5d2118d1b2947f22L,0xc827ea16281d6fb9L,0x8412328d8cf0eabdL,
+        0x45ee9fb203ef9dcfL } },
+    /* 47 << 84 */
+    { { 0x8e700421bb937d63L,0xdf8ff2d5cc4b37a6L,0xa4c0d5b25ced7b68L,
+        0x6537c1efc7308f59L },
+      { 0x25ce6a263b37f8e8L,0x170e9a9bdeebc6ceL,0xdd0379528728d72cL,
+        0x445b0e55850154bcL } },
+    /* 48 << 84 */
+    { { 0x4b7d0e0683a7337bL,0x1e3416d4ffecf249L,0x24840eff66a2b71fL,
+        0xd0d9a50ab37cc26dL },
+      { 0xe21981506fe28ef7L,0x3cc5ef1623324c7fL,0x220f3455769b5263L,
+        0xe2ade2f1a10bf475L } },
+    /* 49 << 84 */
+    { { 0x28cd20fa458d3671L,0x1549722c2dc4847bL,0x6dd01e55591941e3L,
+        0x0e6fbcea27128ccbL },
+      { 0xae1a1e6b3bef0262L,0xfa8c472c8f54e103L,0x7539c0a872c052ecL,
+        0xd7b273695a3490e9L } },
+    /* 50 << 84 */
+    { { 0x143fe1f171684349L,0x36b4722e32e19b97L,0xdc05922790980affL,
+        0x175c9c889e13d674L },
+      { 0xa7de5b226e6bfdb1L,0x5ea5b7b2bedb4b46L,0xd5570191d34a6e44L,
+        0xfcf60d2ea24ff7e6L } },
+    /* 51 << 84 */
+    { { 0x614a392d677819e1L,0x7be74c7eaa5a29e8L,0xab50fece63c85f3fL,
+        0xaca2e2a946cab337L },
+      { 0x7f700388122a6fe3L,0xdb69f703882a04a8L,0x9a77935dcf7aed57L,
+        0xdf16207c8d91c86fL } },
+    /* 52 << 84 */
+    { { 0x2fca49ab63ed9998L,0xa3125c44a77ddf96L,0x05dd8a8624344072L,
+        0xa023dda2fec3fb56L },
+      { 0x421b41fc0c743032L,0x4f2120c15e438639L,0xfb7cae51c83c1b07L,
+        0xb2370caacac2171aL } },
+    /* 53 << 84 */
+    { { 0x2eb2d9626cc820fbL,0x59feee5cb85a44bfL,0x94620fca5b6598f0L,
+        0x6b922cae7e314051L },
+      { 0xff8745ad106bed4eL,0x546e71f5dfa1e9abL,0x935c1e481ec29487L,
+        0x9509216c4d936530L } },
+    /* 54 << 84 */
+    { { 0xc7ca306785c9a2dbL,0xd6ae51526be8606fL,0x09dbcae6e14c651dL,
+        0xc9536e239bc32f96L },
+      { 0xa90535a934521b03L,0xf39c526c878756ffL,0x383172ec8aedf03cL,
+        0x20a8075eefe0c034L } },
+    /* 55 << 84 */
+    { { 0xf22f9c6264026422L,0x8dd1078024b9d076L,0x944c742a3bef2950L,
+        0x55b9502e88a2b00bL },
+      { 0xa59e14b486a09817L,0xa39dd3ac47bb4071L,0x55137f663be0592fL,
+        0x07fcafd4c9e63f5bL } },
+    /* 56 << 84 */
+    { { 0x963652ee346eb226L,0x7dfab085ec2facb7L,0x273bf2b8691add26L,
+        0x30d74540f2b46c44L },
+      { 0x05e8e73ef2c2d065L,0xff9b8a00d42eeac9L,0x2fcbd20597209d22L,
+        0xeb740ffade14ea2cL } },
+    /* 57 << 84 */
+    { { 0xc71ff913a8aef518L,0x7bfc74bbfff4cfa2L,0x1716680cb6b36048L,
+        0x121b2cce9ef79af1L },
+      { 0xbff3c836a01eb3d3L,0x50eb1c6a5f79077bL,0xa48c32d6a004bbcfL,
+        0x47a593167d64f61dL } },
+    /* 58 << 84 */
+    { { 0x6068147f93102016L,0x12c5f65494d12576L,0xefb071a7c9bc6b91L,
+        0x7c2da0c56e23ea95L },
+      { 0xf4fd45b6d4a1dd5dL,0x3e7ad9b69122b13cL,0x342ca118e6f57a48L,
+        0x1c2e94a706f8288fL } },
+    /* 59 << 84 */
+    { { 0x99e68f075a97d231L,0x7c80de974d838758L,0xbce0f5d005872727L,
+        0xbe5d95c219c4d016L },
+      { 0x921d5cb19c2492eeL,0x42192dc1404d6fb3L,0x4c84dcd132f988d3L,
+        0xde26d61fa17b8e85L } },
+    /* 60 << 84 */
+    { { 0xc466dcb6137c7408L,0x9a38d7b636a266daL,0x7ef5cb0683bebf1bL,
+        0xe5cdcbbf0fd014e3L },
+      { 0x30aa376df65965a0L,0x60fe88c2ebb3e95eL,0x33fd0b6166ee6f20L,
+        0x8827dcdb3f41f0a0L } },
+    /* 61 << 84 */
+    { { 0xbf8a9d240c56c690L,0x40265dadddb7641dL,0x522b05bf3a6b662bL,
+        0x466d1dfeb1478c9bL },
+      { 0xaa6169621484469bL,0x0db6054902df8f9fL,0xc37bca023cb8bf51L,
+        0x5effe34621371ce8L } },
+    /* 62 << 84 */
+    { { 0xe8f65264ff112c32L,0x8a9c736d7b971fb2L,0xa4f194707b75080dL,
+        0xfc3f2c5a8839c59bL },
+      { 0x1d6c777e5aeb49c2L,0xf3db034dda1addfeL,0xd76fee5a5535affcL,
+        0x0853ac70b92251fdL } },
+    /* 63 << 84 */
+    { { 0x37e3d5948b2a29d5L,0x28f1f4574de00ddbL,0x8083c1b5f42c328bL,
+        0xd8ef1d8fe493c73bL },
+      { 0x96fb626041dc61bdL,0xf74e8a9d27ee2f8aL,0x7c605a802c946a5dL,
+        0xeed48d653839ccfdL } },
+    /* 64 << 84 */
+    { { 0x9894344f3a29467aL,0xde81e949c51eba6dL,0xdaea066ba5e5c2f2L,
+        0x3fc8a61408c8c7b3L },
+      { 0x7adff88f06d0de9fL,0xbbc11cf53b75ce0aL,0x9fbb7accfbbc87d5L,
+        0xa1458e267badfde2L } },
+    /* 0 << 91 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 91 */
+    { { 0x1cb43668e039c256L,0x5f26fb8b7c17fd5dL,0xeee426af79aa062bL,
+        0x072002d0d78fbf04L },
+      { 0x4c9ca237e84fb7e3L,0xb401d8a10c82133dL,0xaaa525926d7e4181L,
+        0xe943083373dbb152L } },
+    /* 2 << 91 */
+    { { 0xf92dda31be24319aL,0x03f7d28be095a8e7L,0xa52fe84098782185L,
+        0x276ddafe29c24dbcL },
+      { 0x80cd54961d7a64ebL,0xe43608897f1dbe42L,0x2f81a8778438d2d5L,
+        0x7e4d52a885169036L } },
+    /* 3 << 91 */
+    { { 0x19e3d5b11d59715dL,0xc7eaa762d788983eL,0xe5a730b0abf1f248L,
+        0xfbab8084fae3fd83L },
+      { 0x65e50d2153765b2fL,0xbdd4e083fa127f3dL,0x9cf3c074397b1b10L,
+        0x59f8090cb1b59fd3L } },
+    /* 4 << 91 */
+    { { 0x7b15fd9d615faa8fL,0x8fa1eb40968554edL,0x7bb4447e7aa44882L,
+        0x2bb2d0d1029fff32L },
+      { 0x075e2a646caa6d2fL,0x8eb879de22e7351bL,0xbcd5624e9a506c62L,
+        0x218eaef0a87e24dcL } },
+    /* 5 << 91 */
+    { { 0x37e5684744ddfa35L,0x9ccfc5c5dab3f747L,0x9ac1df3f1ee96cf4L,
+        0x0c0571a13b480b8fL },
+      { 0x2fbeb3d54b3a7b3cL,0x35c036695dcdbb99L,0x52a0f5dcb2415b3aL,
+        0xd57759b44413ed9aL } },
+    /* 6 << 91 */
+    { { 0x1fe647d83d30a2c5L,0x0857f77ef78a81dcL,0x11d5a334131a4a9bL,
+        0xc0a94af929d393f5L },
+      { 0xbc3a5c0bdaa6ec1aL,0xba9fe49388d2d7edL,0xbb4335b4bb614797L,
+        0x991c4d6872f83533L } },
+    /* 7 << 91 */
+    { { 0x53258c28d2f01cb3L,0x93d6eaa3d75db0b1L,0x419a2b0de87d0db4L,
+        0xa1e48f03d8fe8493L },
+      { 0xf747faf6c508b23aL,0xf137571a35d53549L,0x9f5e58e2fcf9b838L,
+        0xc7186ceea7fd3cf5L } },
+    /* 8 << 91 */
+    { { 0x77b868cee978a1d3L,0xe3a68b337ab92d04L,0x5102979487a5b862L,
+        0x5f0606c33a61d41dL },
+      { 0x2814be276f9326f1L,0x2f521c14c6fe3c2eL,0x17464d7dacdf7351L,
+        0x10f5f9d3777f7e44L } },
+    /* 9 << 91 */
+    { { 0xce8e616b269fb37dL,0xaaf738047de62de5L,0xaba111754fdd4153L,
+        0x515759ba3770b49bL },
+      { 0x8b09ebf8aa423a61L,0x592245a1cd41fb92L,0x1cba8ec19b4c8936L,
+        0xa87e91e3af36710eL } },
+    /* 10 << 91 */
+    { { 0x1fd84ce43d34a2e3L,0xee3759ceb43b5d61L,0x895bc78c619186c7L,
+        0xf19c3809cbb9725aL },
+      { 0xc0be21aade744b1fL,0xa7d222b060f8056bL,0x74be6157b23efe11L,
+        0x6fab2b4f0cd68253L } },
+    /* 11 << 91 */
+    { { 0xad33ea5f4bf1d725L,0x9c1d8ee24f6c950fL,0x544ee78aa377af06L,
+        0x54f489bb94a113e1L },
+      { 0x8f11d634992fb7e8L,0x0169a7aaa2a44347L,0x1d49d4af95020e00L,
+        0x95945722e08e120bL } },
+    /* 12 << 91 */
+    { { 0xb6e33878a4d32282L,0xe36e029d48020ae7L,0xe05847fb37a9b750L,
+        0xf876812cb29e3819L },
+      { 0x84ad138ed23a17f0L,0x6d7b4480f0b3950eL,0xdfa8aef42fd67ae0L,
+        0x8d3eea2452333af6L } },
+    /* 13 << 91 */
+    { { 0x0d052075b15d5accL,0xc6d9c79fbd815bc4L,0x8dcafd88dfa36cf2L,
+        0x908ccbe238aa9070L },
+      { 0x638722c4ba35afceL,0x5a3da8b0fd6abf0bL,0x2dce252cc9c335c1L,
+        0x84e7f0de65aa799bL } },
+    /* 14 << 91 */
+    { { 0x2101a522b99a72cbL,0x06de6e6787618016L,0x5ff8c7cde6f3653eL,
+        0x0a821ab5c7a6754aL },
+      { 0x7e3fa52b7cb0b5a2L,0xa7fb121cc9048790L,0x1a72502006ce053aL,
+        0xb490a31f04e929b0L } },
+    /* 15 << 91 */
+    { { 0xe17be47d62dd61adL,0x781a961c6be01371L,0x1063bfd3dae3cbbaL,
+        0x356474067f73c9baL },
+      { 0xf50e957b2736a129L,0xa6313702ed13f256L,0x9436ee653a19fcc5L,
+        0xcf2bdb29e7a4c8b6L } },
+    /* 16 << 91 */
+    { { 0xb06b1244c5f95cd8L,0xda8c8af0f4ab95f4L,0x1bae59c2b9e5836dL,
+        0x07d51e7e3acffffcL },
+      { 0x01e15e6ac2ccbcdaL,0x3bc1923f8528c3e0L,0x43324577a49fead4L,
+        0x61a1b8842aa7a711L } },
+    /* 17 << 91 */
+    { { 0xf9a86e08700230efL,0x0af585a1bd19adf8L,0x7645f361f55ad8f2L,
+        0x6e67622346c3614cL },
+      { 0x23cb257c4e774d3fL,0x82a38513ac102d1bL,0x9bcddd887b126aa5L,
+        0xe716998beefd3ee4L } },
+    /* 18 << 91 */
+    { { 0x4239d571fb167583L,0xdd011c78d16c8f8aL,0x271c289569a27519L,
+        0x9ce0a3b7d2d64b6aL },
+      { 0x8c977289d5ec6738L,0xa3b49f9a8840ef6bL,0x808c14c99a453419L,
+        0x5c00295b0cf0a2d5L } },
+    /* 19 << 91 */
+    { { 0x524414fb1d4bcc76L,0xb07691d2459a88f1L,0x77f43263f70d110fL,
+        0x64ada5e0b7abf9f3L },
+      { 0xafd0f94e5b544cf5L,0xb4a13a15fd2713feL,0xb99b7d6e250c74f4L,
+        0x097f2f7320324e45L } },
+    /* 20 << 91 */
+    { { 0x994b37d8affa8208L,0xc3c31b0bdc29aafcL,0x3da746517a3a607fL,
+        0xd8e1b8c1fe6955d6L },
+      { 0x716e1815c8418682L,0x541d487f7dc91d97L,0x48a04669c6996982L,
+        0xf39cab1583a6502eL } },
+    /* 21 << 91 */
+    { { 0x025801a0e68db055L,0xf3569758ba3338d5L,0xb0c8c0aaee2afa84L,
+        0x4f6985d3fb6562d1L },
+      { 0x351f1f15132ed17aL,0x510ed0b4c04365feL,0xa3f98138e5b1f066L,
+        0xbc9d95d632df03dcL } },
+    /* 22 << 91 */
+    { { 0xa83ccf6e19abd09eL,0x0b4097c14ff17edbL,0x58a5c478d64a06ceL,
+        0x2ddcc3fd544a58fdL },
+      { 0xd449503d9e8153b8L,0x3324fd027774179bL,0xaf5d47c8dbd9120cL,
+        0xeb86016234fa94dbL } },
+    /* 23 << 91 */
+    { { 0x5817bdd1972f07f4L,0xe5579e2ed27bbcebL,0x86847a1f5f11e5a6L,
+        0xb39ed2557c3cf048L },
+      { 0xe1076417a2f62e55L,0x6b9ab38f1bcf82a2L,0x4bb7c3197aeb29f9L,
+        0xf6d17da317227a46L } },
+    /* 24 << 91 */
+    { { 0xab53ddbd0f968c00L,0xa03da7ec000c880bL,0x7b2396246a9ad24dL,
+        0x612c040101ec60d0L },
+      { 0x70d10493109f5df1L,0xfbda403080af7550L,0x30b93f95c6b9a9b3L,
+        0x0c74ec71007d9418L } },
+    /* 25 << 91 */
+    { { 0x941755646edb951fL,0x5f4a9d787f22c282L,0xb7870895b38d1196L,
+        0xbc593df3a228ce7cL },
+      { 0xc78c5bd46af3641aL,0x7802200b3d9b3dccL,0x0dc73f328be33304L,
+        0x847ed87d61ffb79aL } },
+    /* 26 << 91 */
+    { { 0xf85c974e6d671192L,0x1e14100ade16f60fL,0x45cb0d5a95c38797L,
+        0x18923bba9b022da4L },
+      { 0xef2be899bbe7e86eL,0x4a1510ee216067bfL,0xd98c815484d5ce3eL,
+        0x1af777f0f92a2b90L } },
+    /* 27 << 91 */
+    { { 0x9fbcb4004ef65724L,0x3e04a4c93c0ca6feL,0xfb3e2cb555002994L,
+        0x1f3a93c55363ecabL },
+      { 0x1fe00efe3923555bL,0x744bedd91e1751eaL,0x3fb2db596ab69357L,
+        0x8dbd7365f5e6618bL } },
+    /* 28 << 91 */
+    { { 0x99d53099df1ea40eL,0xb3f24a0b57d61e64L,0xd088a198596eb812L,
+        0x22c8361b5762940bL },
+      { 0x66f01f97f9c0d95cL,0x884611728e43cdaeL,0x11599a7fb72b15c3L,
+        0x135a7536420d95ccL } },
+    /* 29 << 91 */
+    { { 0x2dcdf0f75f7ae2f6L,0x15fc6e1dd7fa6da2L,0x81ca829ad1d441b6L,
+        0x84c10cf804a106b6L },
+      { 0xa9b26c95a73fbbd0L,0x7f24e0cb4d8f6ee8L,0x48b459371e25a043L,
+        0xf8a74fca036f3dfeL } },
+    /* 30 << 91 */
+    { { 0x1ed46585c9f84296L,0x7fbaa8fb3bc278b0L,0xa8e96cd46c4fcbd0L,
+        0x940a120273b60a5fL },
+      { 0x34aae12055a4aec8L,0x550e9a74dbd742f0L,0x794456d7228c68abL,
+        0x492f8868a4e25ec6L } },
+    /* 31 << 91 */
+    { { 0x682915adb2d8f398L,0xf13b51cc5b84c953L,0xcda90ab85bb917d6L,
+        0x4b6155604ea3dee1L },
+      { 0x578b4e850a52c1c8L,0xeab1a69520b75fc4L,0x60c14f3caa0bb3c6L,
+        0x220f448ab8216094L } },
+    /* 32 << 91 */
+    { { 0x4fe7ee31b0e63d34L,0xf4600572a9e54fabL,0xc0493334d5e7b5a4L,
+        0x8589fb9206d54831L },
+      { 0xaa70f5cc6583553aL,0x0879094ae25649e5L,0xcc90450710044652L,
+        0xebb0696d02541c4fL } },
+    /* 33 << 91 */
+    { { 0x5a171fdeb9718710L,0x38f1bed8f374a9f5L,0xc8c582e1ba39bdc1L,
+        0xfc457b0a908cc0ceL },
+      { 0x9a187fd4883841e2L,0x8ec25b3938725381L,0x2553ed0596f84395L,
+        0x095c76616f6c6897L } },
+    /* 34 << 91 */
+    { { 0x917ac85c4bdc5610L,0xb2885fe4179eb301L,0x5fc655478b78bdccL,
+        0x4a9fc893e59e4699L },
+      { 0xbb7ff0cd3ce299afL,0x195be9b3adf38b20L,0x6a929c87d38ddb8fL,
+        0x55fcc99cb21a51b9L } },
+    /* 35 << 91 */
+    { { 0x2b695b4c721a4593L,0xed1e9a15768eaac2L,0xfb63d71c7489f914L,
+        0xf98ba31c78118910L },
+      { 0x802913739b128eb4L,0x7801214ed448af4aL,0xdbd2e22b55418dd3L,
+        0xeffb3c0dd3998242L } },
+    /* 36 << 91 */
+    { { 0xdfa6077cc7bf3827L,0xf2165bcb47f8238fL,0xfe37cf688564d554L,
+        0xe5f825c40a81fb98L },
+      { 0x43cc4f67ffed4d6fL,0xbc609578b50a34b0L,0x8aa8fcf95041faf1L,
+        0x5659f053651773b6L } },
+    /* 37 << 91 */
+    { { 0xe87582c36044d63bL,0xa60894090cdb0ca0L,0x8c993e0fbfb2bcf6L,
+        0xfc64a71945985cfcL },
+      { 0x15c4da8083dbedbaL,0x804ae1122be67df7L,0xda4c9658a23defdeL,
+        0x12002ddd5156e0d3L } },
+    /* 38 << 91 */
+    { { 0xe68eae895dd21b96L,0x8b99f28bcf44624dL,0x0ae008081ec8897aL,
+        0xdd0a93036712f76eL },
+      { 0x962375224e233de4L,0x192445b12b36a8a5L,0xabf9ff74023993d9L,
+        0x21f37bf42aad4a8fL } },
+    /* 39 << 91 */
+    { { 0x340a4349f8bd2bbdL,0x1d902cd94868195dL,0x3d27bbf1e5fdb6f1L,
+        0x7a5ab088124f9f1cL },
+      { 0xc466ab06f7a09e03L,0x2f8a197731f2c123L,0xda355dc7041b6657L,
+        0xcb840d128ece2a7cL } },
+    /* 40 << 91 */
+    { { 0xb600ad9f7db32675L,0x78fea13307a06f1bL,0x5d032269b31f6094L,
+        0x07753ef583ec37aaL },
+      { 0x03485aed9c0bea78L,0x41bb3989bc3f4524L,0x09403761697f726dL,
+        0x6109beb3df394820L } },
+    /* 41 << 91 */
+    { { 0x804111ea3b6d1145L,0xb6271ea9a8582654L,0x619615e624e66562L,
+        0xa2554945d7b6ad9cL },
+      { 0xd9c4985e99bfe35fL,0x9770ccc07b51cdf6L,0x7c32701392881832L,
+        0x8777d45f286b26d1L } },
+    /* 42 << 91 */
+    { { 0x9bbeda22d847999dL,0x03aa33b6c3525d32L,0x4b7b96d428a959a1L,
+        0xbb3786e531e5d234L },
+      { 0xaeb5d3ce6961f247L,0x20aa85af02f93d3fL,0x9cd1ad3dd7a7ae4fL,
+        0xbf6688f0781adaa8L } },
+    /* 43 << 91 */
+    { { 0xb1b40e867469ceadL,0x1904c524309fca48L,0x9b7312af4b54bbc7L,
+        0xbe24bf8f593affa2L },
+      { 0xbe5e0790bd98764bL,0xa0f45f17a26e299eL,0x4af0d2c26b8fe4c7L,
+        0xef170db18ae8a3e6L } },
+    /* 44 << 91 */
+    { { 0x0e8d61a029e0ccc1L,0xcd53e87e60ad36caL,0x328c6623c8173822L,
+        0x7ee1767da496be55L },
+      { 0x89f13259648945afL,0x9e45a5fd25c8009cL,0xaf2febd91f61ab8cL,
+        0x43f6bc868a275385L } },
+    /* 45 << 91 */
+    { { 0x87792348f2142e79L,0x17d89259c6e6238aL,0x7536d2f64a839d9bL,
+        0x1f428fce76a1fbdcL },
+      { 0x1c1096010db06dfeL,0xbfc16bc150a3a3ccL,0xf9cbd9ec9b30f41bL,
+        0x5b5da0d600138cceL } },
+    /* 46 << 91 */
+    { { 0xec1d0a4856ef96a7L,0xb47eb848982bf842L,0x66deae32ec3f700dL,
+        0x4e43c42caa1181e0L },
+      { 0xa1d72a31d1a4aa2aL,0x440d4668c004f3ceL,0x0d6a2d3b45fe8a7aL,
+        0x820e52e2fb128365L } },
+    /* 47 << 91 */
+    { { 0x29ac5fcf25e51b09L,0x180cd2bf2023d159L,0xa9892171a1ebf90eL,
+        0xf97c4c877c132181L },
+      { 0x9f1dc724c03dbb7eL,0xae043765018cbbe4L,0xfb0b2a360767d153L,
+        0xa8e2f4d6249cbaebL } },
+    /* 48 << 91 */
+    { { 0x172a5247d95ea168L,0x1758fada2970764aL,0xac803a511d978169L,
+        0x299cfe2ede77e01bL },
+      { 0x652a1e17b0a98927L,0x2e26e1d120014495L,0x7ae0af9f7175b56aL,
+        0xc2e22a80d64b9f95L } },
+    /* 49 << 91 */
+    { { 0x4d0ff9fbd90a060aL,0x496a27dbbaf38085L,0x32305401da776bcfL,
+        0xb8cdcef6725f209eL },
+      { 0x61ba0f37436a0bbaL,0x263fa10876860049L,0x92beb98eda3542cfL,
+        0xa2d4d14ad5849538L } },
+    /* 50 << 91 */
+    { { 0x989b9d6812e9a1bcL,0x61d9075c5f6e3268L,0x352c6aa999ace638L,
+        0xde4e4a55920f43ffL },
+      { 0xe5e4144ad673c017L,0x667417ae6f6e05eaL,0x613416aedcd1bd56L,
+        0x5eb3620186693711L } },
+    /* 51 << 91 */
+    { { 0x2d7bc5043a1aa914L,0x175a129976dc5975L,0xe900e0f23fc8125cL,
+        0x569ef68c11198875L },
+      { 0x9012db6363a113b4L,0xe3bd3f5698835766L,0xa5c94a5276412deaL,
+        0xad9e2a09aa735e5cL } },
+    /* 52 << 91 */
+    { { 0x405a984c508b65e9L,0xbde4a1d16df1a0d1L,0x1a9433a1dfba80daL,
+        0xe9192ff99440ad2eL },
+      { 0x9f6496965099fe92L,0x25ddb65c0b27a54aL,0x178279ddc590da61L,
+        0x5479a999fbde681aL } },
+    /* 53 << 91 */
+    { { 0xd0e84e05013fe162L,0xbe11dc92632d471bL,0xdf0b0c45fc0e089fL,
+        0x04fb15b04c144025L },
+      { 0xa61d5fc213c99927L,0xa033e9e03de2eb35L,0xf8185d5cb8dacbb4L,
+        0x9a88e2658644549dL } },
+    /* 54 << 91 */
+    { { 0xf717af6254671ff6L,0x4bd4241b5fa58603L,0x06fba40be67773c0L,
+        0xc1d933d26a2847e9L },
+      { 0xf4f5acf3689e2c70L,0x92aab0e746bafd31L,0x798d76aa3473f6e5L,
+        0xcc6641db93141934L } },
+    /* 55 << 91 */
+    { { 0xcae27757d31e535eL,0x04cc43b687c2ee11L,0x8d1f96752e029ffaL,
+        0xc2150672e4cc7a2cL },
+      { 0x3b03c1e08d68b013L,0xa9d6816fedf298f3L,0x1bfbb529a2804464L,
+        0x95a52fae5db22125L } },
+    /* 56 << 91 */
+    { { 0x55b321600e1cb64eL,0x004828f67e7fc9feL,0x13394b821bb0fb93L,
+        0xb6293a2d35f1a920L },
+      { 0xde35ef21d145d2d9L,0xbe6225b3bb8fa603L,0x00fc8f6b32cf252dL,
+        0xa28e52e6117cf8c2L } },
+    /* 57 << 91 */
+    { { 0x9d1dc89b4c371e6dL,0xcebe067536ef0f28L,0x5de05d09a4292f81L,
+        0xa8303593353e3083L },
+      { 0xa1715b0a7e37a9bbL,0x8c56f61e2b8faec3L,0x5250743133c9b102L,
+        0x0130cefca44431f0L } },
+    /* 58 << 91 */
+    { { 0x56039fa0bd865cfbL,0x4b03e578bc5f1dd7L,0x40edf2e4babe7224L,
+        0xc752496d3a1988f6L },
+      { 0xd1572d3b564beb6bL,0x0db1d11039a1c608L,0x568d193416f60126L,
+        0x05ae9668f354af33L } },
+    /* 59 << 91 */
+    { { 0x19de6d37c92544f2L,0xcc084353a35837d5L,0xcbb6869c1a514eceL,
+        0xb633e7282e1d1066L },
+      { 0xf15dd69f936c581cL,0x96e7b8ce7439c4f9L,0x5e676f482e448a5bL,
+        0xb2ca7d5bfd916bbbL } },
+    /* 60 << 91 */
+    { { 0xd55a2541f5024025L,0x47bc5769e4c2d937L,0x7d31b92a0362189fL,
+        0x83f3086eef7816f9L },
+      { 0xf9f46d94b587579aL,0xec2d22d830e76c5fL,0x27d57461b000ffcfL,
+        0xbb7e65f9364ffc2cL } },
+    /* 61 << 91 */
+    { { 0x7c7c94776652a220L,0x61618f89d696c981L,0x5021701d89effff3L,
+        0xf2c8ff8e7c314163L },
+      { 0x2da413ad8efb4d3eL,0x937b5adfce176d95L,0x22867d342a67d51cL,
+        0x262b9b1018eb3ac9L } },
+    /* 62 << 91 */
+    { { 0x4e314fe4c43ff28bL,0x764766276a664e7aL,0x3e90e40bb7a565c2L,
+        0x8588993ac1acf831L },
+      { 0xd7b501d68f938829L,0x996627ee3edd7d4cL,0x37d44a6290cd34c7L,
+        0xa8327499f3833e8dL } },
+    /* 63 << 91 */
+    { { 0x2e18917d4bf50353L,0x85dd726b556765fbL,0x54fe65d693d5ab66L,
+        0x3ddbaced915c25feL },
+      { 0xa799d9a412f22e85L,0xe2a248676d06f6bcL,0xf4f1ee5643ca1637L,
+        0xfda2828b61ece30aL } },
+    /* 64 << 91 */
+    { { 0x758c1a3ea2dee7a6L,0xdcde2f3c734b2284L,0xaba445d24eaba6adL,
+        0x35aaf66876cee0a7L },
+      { 0x7e0b04a9e5aa049aL,0xe74083ad91103e84L,0xbeb183ce40afecc3L,
+        0x6b89de9fea043f7aL } },
+    /* 0 << 98 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 98 */
+    { { 0x0e299d23fe67ba66L,0x9145076093cf2f34L,0xf45b5ea997fcf913L,
+        0x5be008438bd7dddaL },
+      { 0x358c3e05d53ff04dL,0xbf7ccdc35de91ef7L,0xad684dbfb69ec1a0L,
+        0x367e7cf2801fd997L } },
+    /* 2 << 98 */
+    { { 0x0ca1f3b7b0dc8595L,0x27de46089f1d9f2eL,0x1af3bf39badd82a7L,
+        0x79356a7965862448L },
+      { 0xc0602345f5f9a052L,0x1a8b0f89139a42f9L,0xb53eee42844d40fcL,
+        0x93b0bfe54e5b6368L } },
+    /* 3 << 98 */
+    { { 0x5434dd02c024789cL,0x90dca9ea41b57bfcL,0x8aa898e2243398dfL,
+        0xf607c834894a94bbL },
+      { 0xbb07be97c2c99b76L,0x6576ba6718c29302L,0x3d79efcce703a88cL,
+        0xf259ced7b6a0d106L } },
+    /* 4 << 98 */
+    { { 0x0f893a5dc8de610bL,0xe8c515fb67e223ceL,0x7774bfa64ead6dc5L,
+        0x89d20f95925c728fL },
+      { 0x7a1e0966098583ceL,0xa2eedb9493f2a7d7L,0x1b2820974c304d4aL,
+        0x0842e3dac077282dL } },
+    /* 5 << 98 */
+    { { 0xe4d972a33b9e2d7bL,0x7cc60b27c48218ffL,0x8fc7083884149d91L,
+        0x5c04346f2f461eccL },
+      { 0xebe9fdf2614650a9L,0x5e35b537c1f666acL,0x645613d188babc83L,
+        0x88cace3ac5e1c93eL } },
+    /* 6 << 98 */
+    { { 0x209ca3753de92e23L,0xccb03cc85fbbb6e3L,0xccb90f03d7b1487eL,
+        0xfa9c2a38c710941fL },
+      { 0x756c38236724ceedL,0x3a902258192d0323L,0xb150e519ea5e038eL,
+        0xdcba2865c7427591L } },
+    /* 7 << 98 */
+    { { 0xe549237f78890732L,0xc443bef953fcb4d9L,0x9884d8a6eb3480d6L,
+        0x8a35b6a13048b186L },
+      { 0xb4e4471665e9a90aL,0x45bf380d653006c0L,0x8f3f820d4fe9ae3bL,
+        0x244a35a0979a3b71L } },
+    /* 8 << 98 */
+    { { 0xa1010e9d74cd06ffL,0x9c17c7dfaca3eeacL,0x74c86cd38063aa2bL,
+        0x8595c4b3734614ffL },
+      { 0xa3de00ca990f62ccL,0xd9bed213ca0c3be5L,0x7886078adf8ce9f5L,
+        0xddb27ce35cd44444L } },
+    /* 9 << 98 */
+    { { 0xed374a6658926dddL,0x138b2d49908015b8L,0x886c6579de1f7ab8L,
+        0x888b9aa0c3020b7aL },
+      { 0xd3ec034e3a96e355L,0xba65b0b8f30fbe9aL,0x064c8e50ff21367aL,
+        0x1f508ea40b04b46eL } },
+    /* 10 << 98 */
+    { { 0x98561a49747c866cL,0xbbb1e5fe0518a062L,0x20ff4e8becdc3608L,
+        0x7f55cded20184027L },
+      { 0x8d73ec95f38c85f0L,0x5b589fdf8bc3b8c3L,0xbe95dd980f12b66fL,
+        0xf5bd1a090e338e01L } },
+    /* 11 << 98 */
+    { { 0x65163ae55e915918L,0x6158d6d986f8a46bL,0x8466b538eeebf99cL,
+        0xca8761f6bca477efL },
+      { 0xaf3449c29ebbc601L,0xef3b0f41e0c3ae2fL,0xaa6c577d5de63752L,
+        0xe916660164682a51L } },
+    /* 12 << 98 */
+    { { 0x5a3097befc15aa1eL,0x40d12548b54b0745L,0x5bad4706519a5f12L,
+        0xed03f717a439dee6L },
+      { 0x0794bb6c4a02c499L,0xf725083dcffe71d2L,0x2cad75190f3adcafL,
+        0x7f68ea1c43729310L } },
+    /* 13 << 98 */
+    { { 0xe747c8c7b7ffd977L,0xec104c3580761a22L,0x8395ebaf5a3ffb83L,
+        0xfb3261f4e4b63db7L },
+      { 0x53544960d883e544L,0x13520d708cc2eeb8L,0x08f6337bd3d65f99L,
+        0x83997db2781cf95bL } },
+    /* 14 << 98 */
+    { { 0xce6ff1060dbd2c01L,0x4f8eea6b1f9ce934L,0x546f7c4b0e993921L,
+        0x6236a3245e753fc7L },
+      { 0x65a41f84a16022e9L,0x0c18d87843d1dbb2L,0x73c556402d4cef9cL,
+        0xa042810870444c74L } },
+    /* 15 << 98 */
+    { { 0x68e4f15e9afdfb3cL,0x49a561435bdfb6dfL,0xa9bc1bd45f823d97L,
+        0xbceb5970ea111c2aL },
+      { 0x366b455fb269bbc4L,0x7cd85e1ee9bc5d62L,0xc743c41c4f18b086L,
+        0xa4b4099095294fb9L } },
+    /* 16 << 98 */
+    { { 0x9c7c581d26ee8382L,0xcf17dcc5359d638eL,0xee8273abb728ae3dL,
+        0x1d112926f821f047L },
+      { 0x1149847750491a74L,0x687fa761fde0dfb9L,0x2c2580227ea435abL,
+        0x6b8bdb9491ce7e3fL } },
+    /* 17 << 98 */
+    { { 0x4c5b5dc93bf834aaL,0x043718194f6c7e4bL,0xc284e00a3736bcadL,
+        0x0d88111821ae8f8dL },
+      { 0xf9cf0f82f48c8e33L,0xa11fd075a1bf40dbL,0xdceab0dedc2733e5L,
+        0xc560a8b58e986bd7L } },
+    /* 18 << 98 */
+    { { 0x48dd1fe23929d097L,0x3885b29092f188f1L,0x0f2ae613da6fcdacL,
+        0x9054303eb662a46cL },
+      { 0xb6871e440738042aL,0x98e6a977bdaf6449L,0xd8bc0650d1c9df1bL,
+        0xef3d645136e098f9L } },
+    /* 19 << 98 */
+    { { 0x03fbae82b6d72d28L,0x77ca9db1f5d84080L,0x8a112cffa58efc1cL,
+        0x518d761cc564cb4aL },
+      { 0x69b5740ef0d1b5ceL,0x717039cce9eb1785L,0x3fe29f9022f53382L,
+        0x8e54ba566bc7c95cL } },
+    /* 20 << 98 */
+    { { 0x9c806d8af7f91d0fL,0x3b61b0f1a82a5728L,0x4640032d94d76754L,
+        0x273eb5de47d834c6L },
+      { 0x2988abf77b4e4d53L,0xb7ce66bfde401777L,0x9fba6b32715071b3L,
+        0x82413c24ad3a1a98L } },
+    /* 21 << 98 */
+    { { 0x5b7fc8c4e0e8ad93L,0xb5679aee5fab868dL,0xb1f9d2fa2b3946f3L,
+        0x458897dc5685b50aL },
+      { 0x1e98c93089d0caf3L,0x39564c5f78642e92L,0x1b77729a0dbdaf18L,
+        0xf9170722579e82e6L } },
+    /* 22 << 98 */
+    { { 0x680c0317e4515fa5L,0xf85cff84fb0c790fL,0xc7a82aab6d2e0765L,
+        0x7446bca935c82b32L },
+      { 0x5de607aa6d63184fL,0x7c1a46a8262803a6L,0xd218313daebe8035L,
+        0x92113ffdc73c51f8L } },
+    /* 23 << 98 */
+    { { 0x4b38e08312e7e46cL,0x69d0a37a56126bd5L,0xfb3f324b73c07e04L,
+        0xa0c22f678fda7267L },
+      { 0x8f2c00514d2c7d8fL,0xbc45ced3cbe2cae5L,0xe1c6cf07a8f0f277L,
+        0xbc3923121eb99a98L } },
+    /* 24 << 98 */
+    { { 0x75537b7e3cc8ac85L,0x8d725f57dd02753bL,0xfd05ff64b737df2fL,
+        0x55fe8712f6d2531dL },
+      { 0x57ce04a96ab6b01cL,0x69a02a897cd93724L,0x4f82ac35cf86699bL,
+        0x8242d3ad9cb4b232L } },
+    /* 25 << 98 */
+    { { 0x713d0f65d62105e5L,0xbb222bfa2d29be61L,0xf2f9a79e6cfbef09L,
+        0xfc24d8d3d5d6782fL },
+      { 0x5db77085d4129967L,0xdb81c3ccdc3c2a43L,0x9d655fc005d8d9a3L,
+        0x3f5d057a54298026L } },
+    /* 26 << 98 */
+    { { 0x1157f56d88c54694L,0xb26baba59b09573eL,0x2cab03b022adffd1L,
+        0x60a412c8dd69f383L },
+      { 0xed76e98b54b25039L,0xd4ee67d3687e714dL,0x877396487b00b594L,
+        0xce419775c9ef709bL } },
+    /* 27 << 98 */
+    { { 0x40f76f851c203a40L,0x30d352d6eafd8f91L,0xaf196d3d95578dd2L,
+        0xea4bb3d777cc3f3dL },
+      { 0x42a5bd03b98e782bL,0xac958c400624920dL,0xb838134cfc56fcc8L,
+        0x86ec4ccf89572e5eL } },
+    /* 28 << 98 */
+    { { 0x69c435269be47be0L,0x323b7dd8cb28fea1L,0xfa5538ba3a6c67e5L,
+        0xef921d701d378e46L },
+      { 0xf92961fc3c4b880eL,0x3f6f914e98940a67L,0xa990eb0afef0ff39L,
+        0xa6c2920ff0eeff9cL } },
+    /* 29 << 98 */
+    { { 0xca80416651b8d9a3L,0x42531bc90ffb0db1L,0x72ce4718aa82e7ceL,
+        0x6e199913df574741L },
+      { 0xd5f1b13dd5d36946L,0x8255dc65f68f0194L,0xdc9df4cd8710d230L,
+        0x3453c20f138c1988L } },
+    /* 30 << 98 */
+    { { 0x9af98dc089a6ef01L,0x4dbcc3f09857df85L,0x348056015c1ad924L,
+        0x40448da5d0493046L },
+      { 0xf629926d4ee343e2L,0x6343f1bd90e8a301L,0xefc9349140815b3fL,
+        0xf882a423de8f66fbL } },
+    /* 31 << 98 */
+    { { 0x3a12d5f4e7db9f57L,0x7dfba38a3c384c27L,0x7a904bfd6fc660b1L,
+        0xeb6c5db32773b21cL },
+      { 0xc350ee661cdfe049L,0x9baac0ce44540f29L,0xbc57b6aba5ec6aadL,
+        0x167ce8c30a7c1baaL } },
+    /* 32 << 98 */
+    { { 0xb23a03a553fb2b56L,0x6ce141e74e057f78L,0x796525c389e490d9L,
+        0x0bc95725a31a7e75L },
+      { 0x1ec567911220fd06L,0x716e3a3c408b0bd6L,0x31cd6bf7e8ebeba9L,
+        0xa7326ca6bee6b670L } },
+    /* 33 << 98 */
+    { { 0x3d9f851ccd090c43L,0x561e8f13f12c3988L,0x50490b6a904b7be4L,
+        0x61690ce10410737bL },
+      { 0x299e9a370f009052L,0x258758f0f026092eL,0x9fa255f3fdfcdc0fL,
+        0xdbc9fb1fc0e1bcd2L } },
+    /* 34 << 98 */
+    { { 0x35f9dd6e24651840L,0xdca45a84a5c59abcL,0x103d396fecca4938L,
+        0x4532da0ab97b3f29L },
+      { 0xc4135ea51999a6bfL,0x3aa9505a5e6bf2eeL,0xf77cef063f5be093L,
+        0x97d1a0f8a943152eL } },
+    /* 35 << 98 */
+    { { 0x2cb0ebba2e1c21ddL,0xf41b29fc2c6797c4L,0xc6e17321b300101fL,
+        0x4422b0e9d0d79a89L },
+      { 0x49e4901c92f1bfc4L,0x06ab1f8fe1e10ed9L,0x84d35577db2926b8L,
+        0xca349d39356e8ec2L } },
+    /* 36 << 98 */
+    { { 0x70b63d32343bf1a9L,0x8fd3bd2837d1a6b1L,0x0454879c316865b4L,
+        0xee959ff6c458efa2L },
+      { 0x0461dcf89706dc3fL,0x737db0e2164e4b2eL,0x092626802f8843c8L,
+        0x54498bbc7745e6f6L } },
+    /* 37 << 98 */
+    { { 0x359473faa29e24afL,0xfcc3c45470aa87a1L,0xfd2c4bf500573aceL,
+        0xb65b514e28dd1965L },
+      { 0xe46ae7cf2193e393L,0x60e9a4e1f5444d97L,0xe7594e9600ff38edL,
+        0x43d84d2f0a0e0f02L } },
+    /* 38 << 98 */
+    { { 0x8b6db141ee398a21L,0xb88a56aee3bcc5beL,0x0a1aa52f373460eaL,
+        0x20da1a56160bb19bL },
+      { 0xfb54999d65bf0384L,0x71a14d245d5a180eL,0xbc44db7b21737b04L,
+        0xd84fcb1801dd8e92L } },
+    /* 39 << 98 */
+    { { 0x80de937bfa44b479L,0x535054995c98fd4fL,0x1edb12ab28f08727L,
+        0x4c58b582a5f3ef53L },
+      { 0xbfb236d88327f246L,0xc3a3bfaa4d7df320L,0xecd96c59b96024f2L,
+        0xfc293a537f4e0433L } },
+    /* 40 << 98 */
+    { { 0x5341352b5acf6e10L,0xc50343fdafe652c3L,0x4af3792d18577a7fL,
+        0xe1a4c617af16823dL },
+      { 0x9b26d0cd33425d0aL,0x306399ed9b7bc47fL,0x2a792f33706bb20bL,
+        0x3121961498111055L } },
+    /* 41 << 98 */
+    { { 0x864ec06487f5d28bL,0x11392d91962277fdL,0xb5aa7942bb6aed5fL,
+        0x080094dc47e799d9L },
+      { 0x4afa588c208ba19bL,0xd3e7570f8512f284L,0xcbae64e602f5799aL,
+        0xdeebe7ef514b9492L } },
+    /* 42 << 98 */
+    { { 0x30300f98e5c298ffL,0x17f561be3678361fL,0xf52ff31298cb9a16L,
+        0x6233c3bc5562d490L },
+      { 0x7bfa15a192e3a2cbL,0x961bcfd1e6365119L,0x3bdd29bf2c8c53b1L,
+        0x739704df822844baL } },
+    /* 43 << 98 */
+    { { 0x7dacfb587e7b754bL,0x23360791a806c9b9L,0xe7eb88c923504452L,
+        0x2983e996852c1783L },
+      { 0xdd4ae529958d881dL,0x026bae03262c7b3cL,0x3a6f9193960b52d1L,
+        0xd0980f9092696cfbL } },
+    /* 44 << 98 */
+    { { 0x4c1f428cd5f30851L,0x94dfed272a4f6630L,0x4df53772fc5d48a4L,
+        0xdd2d5a2f933260ceL },
+      { 0x574115bdd44cc7a5L,0x4ba6b20dbd12533aL,0x30e93cb8243057c9L,
+        0x794c486a14de320eL } },
+    /* 45 << 98 */
+    { { 0xe925d4cef21496e4L,0xf951d198ec696331L,0x9810e2de3e8d812fL,
+        0xd0a47259389294abL },
+      { 0x513ba2b50e3bab66L,0x462caff5abad306fL,0xe2dc6d59af04c49eL,
+        0x1aeb8750e0b84b0bL } },
+    /* 46 << 98 */
+    { { 0xc034f12f2f7d0ca2L,0x6d2e8128e06acf2fL,0x801f4f8321facc2fL,
+        0xa1170c03f40ef607L },
+      { 0xfe0a1d4f7805a99cL,0xbde56a36cc26aba5L,0x5b1629d035531f40L,
+        0xac212c2b9afa6108L } },
+    /* 47 << 98 */
+    { { 0x30a06bf315697be5L,0x6f0545dc2c63c7c1L,0x5d8cb8427ccdadafL,
+        0xd52e379bac7015bbL },
+      { 0xc4f56147f462c23eL,0xd44a429846bc24b0L,0xbc73d23ae2856d4fL,
+        0x61cedd8c0832bcdfL } },
+    /* 48 << 98 */
+    { { 0x6095355699f241d7L,0xee4adbd7001a349dL,0x0b35bf6aaa89e491L,
+        0x7f0076f4136f7546L },
+      { 0xd19a18ba9264da3dL,0x6eb2d2cd62a7a28bL,0xcdba941f8761c971L,
+        0x1550518ba3be4a5dL } },
+    /* 49 << 98 */
+    { { 0xd0e8e2f057d0b70cL,0xeea8612ecd133ba3L,0x814670f044416aecL,
+        0x424db6c330775061L },
+      { 0xd96039d116213fd1L,0xc61e7fa518a3478fL,0xa805bdcccb0c5021L,
+        0xbdd6f3a80cc616ddL } },
+    /* 50 << 98 */
+    { { 0x060096675d97f7e2L,0x31db0fc1af0bf4b6L,0x23680ed45491627aL,
+        0xb99a3c667d741fb1L },
+      { 0xe9bb5f5536b1ff92L,0x29738577512b388dL,0xdb8a2ce750fcf263L,
+        0x385346d46c4f7b47L } },
+    /* 51 << 98 */
+    { { 0xbe86c5ef31631f9eL,0xbf91da2103a57a29L,0xc3b1f7967b23f821L,
+        0x0f7d00d2770db354L },
+      { 0x8ffc6c3bd8fe79daL,0xcc5e8c40d525c996L,0x4640991dcfff632aL,
+        0x64d97e8c67112528L } },
+    /* 52 << 98 */
+    { { 0xc232d97302f1cd1eL,0xce87eacb1dd212a4L,0x6e4c8c73e69802f7L,
+        0x12ef02901fffddbdL },
+      { 0x941ec74e1bcea6e2L,0xd0b540243cb92cbbL,0x809fb9d47e8f9d05L,
+        0x3bf16159f2992aaeL } },
+    /* 53 << 98 */
+    { { 0xad40f279f8a7a838L,0x11aea63105615660L,0xbf52e6f1a01f6fa1L,
+        0xef0469953dc2aec9L },
+      { 0x785dbec9d8080711L,0xe1aec60a9fdedf76L,0xece797b5fa21c126L,
+        0xc66e898f05e52732L } },
+    /* 54 << 98 */
+    { { 0x39bb69c408811fdbL,0x8bfe1ef82fc7f082L,0xc8e7a393174f4138L,
+        0xfba8ad1dd58d1f98L },
+      { 0xbc21d0cebfd2fd5bL,0x0b839a826ee60d61L,0xaacf7658afd22253L,
+        0xb526bed8aae396b3L } },
+    /* 55 << 98 */
+    { { 0xccc1bbc238564464L,0x9e3ff9478c45bc73L,0xcde9bca358188a78L,
+        0x138b8ee0d73bf8f7L },
+      { 0x5c7e234c4123c489L,0x66e69368fa643297L,0x0629eeee39a15fa3L,
+        0x95fab881a9e2a927L } },
+    /* 56 << 98 */
+    { { 0xb2497007eafbb1e1L,0xd75c9ce6e75b7a93L,0x3558352defb68d78L,
+        0xa2f26699223f6396L },
+      { 0xeb911ecfe469b17aL,0x62545779e72d3ec2L,0x8ea47de782cb113fL,
+        0xebe4b0864e1fa98dL } },
+    /* 57 << 98 */
+    { { 0xec2d5ed78cdfedb1L,0xa535c077fe211a74L,0x9678109b11d244c5L,
+        0xf17c8bfbbe299a76L },
+      { 0xb651412efb11fbc4L,0xea0b548294ab3f65L,0xd8dffd950cf78243L,
+        0x2e719e57ce0361d4L } },
+    /* 58 << 98 */
+    { { 0x9007f085304ddc5bL,0x095e8c6d4daba2eaL,0x5a33cdb43f9d28a9L,
+        0x85b95cd8e2283003L },
+      { 0xbcd6c819b9744733L,0x29c5f538fc7f5783L,0x6c49b2fad59038e4L,
+        0x68349cc13bbe1018L } },
+    /* 59 << 98 */
+    { { 0xcc490c1d21830ee5L,0x36f9c4eee9bfa297L,0x58fd729448de1a94L,
+        0xaadb13a84e8f2cdcL },
+      { 0x515eaaa081313dbaL,0xc76bb468c2152dd8L,0x357f8d75a653dbf8L,
+        0xe4d8c4d1b14ac143L } },
+    /* 60 << 98 */
+    { { 0xbdb8e675b055cb40L,0x898f8e7b977b5167L,0xecc65651b82fb863L,
+        0x565448146d88f01fL },
+      { 0xb0928e95263a75a9L,0xcfb6836f1a22fcdaL,0x651d14db3f3bd37cL,
+        0x1d3837fbb6ad4664L } },
+    /* 61 << 98 */
+    { { 0x7c5fb538ff4f94abL,0x7243c7126d7fb8f2L,0xef13d60ca85c5287L,
+        0x18cfb7c74bb8dd1bL },
+      { 0x82f9bfe672908219L,0x35c4592b9d5144abL,0x52734f379cf4b42fL,
+        0x6bac55e78c60ddc4L } },
+    /* 62 << 98 */
+    { { 0xb5cd811e94dea0f6L,0x259ecae4e18cc1a3L,0x6a0e836e15e660f8L,
+        0x6c639ea60e02bff2L },
+      { 0x8721b8cb7e1026fdL,0x9e73b50b63261942L,0xb8c7097477f01da3L,
+        0x1839e6a68268f57fL } },
+    /* 63 << 98 */
+    { { 0x571b94155150b805L,0x1892389ef92c7097L,0x8d69c18e4a084b95L,
+        0x7014c512be5b495cL },
+      { 0x4780db361b07523cL,0x2f6219ce2c1c64faL,0xc38b81b0602c105aL,
+        0xab4f4f205dc8e360L } },
+    /* 64 << 98 */
+    { { 0x20d3c982cf7d62d2L,0x1f36e29d23ba8150L,0x48ae0bf092763f9eL,
+        0x7a527e6b1d3a7007L },
+      { 0xb4a89097581a85e3L,0x1f1a520fdc158be5L,0xf98db37d167d726eL,
+        0x8802786e1113e862L } },
+    /* 0 << 105 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 105 */
+    { { 0xefb2149e36f09ab0L,0x03f163ca4a10bb5bL,0xd029704506e20998L,
+        0x56f0af001b5a3babL },
+      { 0x7af4cfec70880e0dL,0x7332a66fbe3d913fL,0x32e6c84a7eceb4bdL,
+        0xedc4a79a9c228f55L } },
+    /* 2 << 105 */
+    { { 0xc37c7dd0c55c4496L,0xa6a9635725bbabd2L,0x5b7e63f2add7f363L,
+        0x9dce37822e73f1dfL },
+      { 0xe1e5a16ab2b91f71L,0xe44898235ba0163cL,0xf2759c32f6e515adL,
+        0xa5e2f1f88615eecfL } },
+    /* 3 << 105 */
+    { { 0x74519be7abded551L,0x03d358b8c8b74410L,0x4d00b10b0e10d9a9L,
+        0x6392b0b128da52b7L },
+      { 0x6744a2980b75c904L,0xc305b0aea8f7f96cL,0x042e421d182cf932L,
+        0xf6fc5d509e4636caL } },
+    /* 4 << 105 */
+    { { 0x795847c9d64cc78cL,0x6c50621b9b6cb27bL,0x07099bf8df8022abL,
+        0x48f862ebc04eda1dL },
+      { 0xd12732ede1603c16L,0x19a80e0f5c9a9450L,0xe2257f54b429b4fcL,
+        0x66d3b2c645460515L } },
+    /* 5 << 105 */
+    { { 0x6ca4f87e822e37beL,0x73f237b4253bda4eL,0xf747f3a241190aebL,
+        0xf06fa36f804cf284L },
+      { 0x0a6bbb6efc621c12L,0x5d624b6440b80ec6L,0x4b0724257ba556f3L,
+        0x7fa0c3543e2d20a8L } },
+    /* 6 << 105 */
+    { { 0xe921fa31e3229d41L,0xa929c65294531bd4L,0x84156027a6d38209L,
+        0xf3d69f736bdb97bdL },
+      { 0x8906d19a16833631L,0x68a34c2e03d51be3L,0xcb59583b0e511cd8L,
+        0x99ce6bfdfdc132a8L } },
+    /* 7 << 105 */
+    { { 0x3facdaaaffcdb463L,0x658bbc1a34a38b08L,0x12a801f8f1a9078dL,
+        0x1567bcf96ab855deL },
+      { 0xe08498e03572359bL,0xcf0353e58659e68bL,0xbb86e9c87d23807cL,
+        0xbc08728d2198e8a2L } },
+    /* 8 << 105 */
+    { { 0x8de2b7bc453cadd6L,0x203900a7bc0bc1f8L,0xbcd86e47a6abd3afL,
+        0x911cac128502effbL },
+      { 0x2d550242ec965469L,0x0e9f769229e0017eL,0x633f078f65979885L,
+        0xfb87d4494cf751efL } },
+    /* 9 << 105 */
+    { { 0xe1790e4bfc25419aL,0x364672034bff3cfdL,0xc8db638625b6e83fL,
+        0x6cc69f236cad6fd2L },
+      { 0x0219e45a6bc68bb9L,0xe43d79b6297f7334L,0x7d445368465dc97cL,
+        0x4b9eea322a0b949aL } },
+    /* 10 << 105 */
+    { { 0x1b96c6ba6102d021L,0xeaafac782f4461eaL,0xd4b85c41c49f19a8L,
+        0x275c28e4cf538875L },
+      { 0x35451a9ddd2e54e0L,0x6991adb50605618bL,0x5b8b4bcd7b36cd24L,
+        0x372a4f8c56f37216L } },
+    /* 11 << 105 */
+    { { 0xc890bd73a6a5da60L,0x6f083da0dc4c9ff0L,0xf4e14d94f0536e57L,
+        0xf9ee1edaaaec8243L },
+      { 0x571241ec8bdcf8e7L,0xa5db82710b041e26L,0x9a0b9a99e3fff040L,
+        0xcaaf21dd7c271202L } },
+    /* 12 << 105 */
+    { { 0xb4e2b2e14f0dd2e8L,0xe77e7c4f0a377ac7L,0x69202c3f0d7a2198L,
+        0xf759b7ff28200eb8L },
+      { 0xc87526eddcfe314eL,0xeb84c52453d5cf99L,0xb1b52ace515138b6L,
+        0x5aa7ff8c23fca3f4L } },
+    /* 13 << 105 */
+    { { 0xff0b13c3b9791a26L,0x960022dacdd58b16L,0xdbd55c9257aad2deL,
+        0x3baaaaa3f30fe619L },
+      { 0x9a4b23460d881efdL,0x506416c046325e2aL,0x91381e76035c18d4L,
+        0xb3bb68bef27817b0L } },
+    /* 14 << 105 */
+    { { 0x15bfb8bf5116f937L,0x7c64a586c1268943L,0x71e25cc38419a2c8L,
+        0x9fd6b0c48335f463L },
+      { 0x4bf0ba3ce8ee0e0eL,0x6f6fba60298c21faL,0x57d57b39ae66bee0L,
+        0x292d513022672544L } },
+    /* 15 << 105 */
+    { { 0xf451105dbab093b3L,0x012f59b902839986L,0x8a9158023474a89cL,
+        0x048c919c2de03e97L },
+      { 0xc476a2b591071cd5L,0x791ed89a034970a5L,0x89bd9042e1b7994bL,
+        0x8eaf5179a1057ffdL } },
+    /* 16 << 105 */
+    { { 0x6066e2a2d551ee10L,0x87a8f1d8727e09a6L,0x00d08bab2c01148dL,
+        0x6da8e4f1424f33feL },
+      { 0x466d17f0cf9a4e71L,0xff5020103bf5cb19L,0xdccf97d8d062ecc0L,
+        0x80c0d9af81d80ac4L } },
+    /* 17 << 105 */
+    { { 0xe87771d8033f2876L,0xb0186ec67d5cc3dbL,0x58e8bb803bc9bc1dL,
+        0x4d1395cc6f6ef60eL },
+      { 0xa73c62d6186244a0L,0x918e5f23110a5b53L,0xed4878ca741b7eabL,
+        0x3038d71adbe03e51L } },
+    /* 18 << 105 */
+    { { 0x840204b7a93c3246L,0x21ab6069a0b9b4cdL,0xf5fa6e2bb1d64218L,
+        0x1de6ad0ef3d56191L },
+      { 0x570aaa88ff1929c7L,0xc6df4c6b640e87b5L,0xde8a74f2c65f0cccL,
+        0x8b972fd5e6f6cc01L } },
+    /* 19 << 105 */
+    { { 0x3fff36b60b846531L,0xba7e45e610a5e475L,0x84a1d10e4145b6c5L,
+        0xf1f7f91a5e046d9dL },
+      { 0x0317a69244de90d7L,0x951a1d4af199c15eL,0x91f78046c9d73debL,
+        0x74c82828fab8224fL } },
+    /* 20 << 105 */
+    { { 0xaa6778fce7560b90L,0xb4073e61a7e824ceL,0xff0d693cd642eba8L,
+        0x7ce2e57a5dccef38L },
+      { 0x89c2c7891df1ad46L,0x83a06922098346fdL,0x2d715d72da2fc177L,
+        0x7b6dd71d85b6cf1dL } },
+    /* 21 << 105 */
+    { { 0xc60a6d0a73fa9cb0L,0xedd3992e328bf5a9L,0xc380ddd0832c8c82L,
+        0xd182d410a2a0bf50L },
+      { 0x7d9d7438d9a528dbL,0xe8b1a0e9caf53994L,0xddd6e5fe0e19987cL,
+        0xacb8df03190b059dL } },
+    /* 22 << 105 */
+    { { 0x53703a328300129fL,0x1f63766268c43bfdL,0xbcbd191300e54051L,
+        0x812fcc627bf5a8c5L },
+      { 0x3f969d5f29fb85daL,0x72f4e00a694759e8L,0x426b6e52790726b7L,
+        0x617bbc873bdbb209L } },
+    /* 23 << 105 */
+    { { 0x511f8bb997aee317L,0x812a4096e81536a8L,0x137dfe593ac09b9bL,
+        0x0682238fba8c9a7aL },
+      { 0x7072ead6aeccb4bdL,0x6a34e9aa692ba633L,0xc82eaec26fff9d33L,
+        0xfb7535121d4d2b62L } },
+    /* 24 << 105 */
+    { { 0x1a0445ff1d7aadabL,0x65d38260d5f6a67cL,0x6e62fb0891cfb26fL,
+        0xef1e0fa55c7d91d6L },
+      { 0x47e7c7ba33db72cdL,0x017cbc09fa7c74b2L,0x3c931590f50a503cL,
+        0xcac54f60616baa42L } },
+    /* 25 << 105 */
+    { { 0x9b6cd380b2369f0fL,0x97d3a70d23c76151L,0x5f9dd6fc9862a9c6L,
+        0x044c4ab212312f51L },
+      { 0x035ea0fd834a2ddcL,0x49e6b862cc7b826dL,0xb03d688362fce490L,
+        0x62f2497ab37e36e9L } },
+    /* 26 << 105 */
+    { { 0x04b005b6c6458293L,0x36bb5276e8d10af7L,0xacf2dc138ee617b8L,
+        0x470d2d35b004b3d4L },
+      { 0x06790832feeb1b77L,0x2bb75c3985657f9cL,0xd70bd4edc0f60004L,
+        0xfe797ecc219b018bL } },
+    /* 27 << 105 */
+    { { 0x9b5bec2a753aebccL,0xdaf9f3dcc939eca5L,0xd6bc6833d095ad09L,
+        0x98abdd51daa4d2fcL },
+      { 0xd9840a318d168be5L,0xcf7c10e02325a23cL,0xa5c02aa07e6ecfafL,
+        0x2462e7e6b5bfdf18L } },
+    /* 28 << 105 */
+    { { 0xab2d8a8ba0cc3f12L,0x68dd485dbc672a29L,0x72039752596f2cd3L,
+        0x5d3eea67a0cf3d8dL },
+      { 0x810a1a81e6602671L,0x8f144a4014026c0cL,0xbc753a6d76b50f85L,
+        0xc4dc21e8645cd4a4L } },
+    /* 29 << 105 */
+    { { 0xc5262dea521d0378L,0x802b8e0e05011c6fL,0x1ba19cbb0b4c19eaL,
+        0x21db64b5ebf0aaecL },
+      { 0x1f394ee970342f9dL,0x93a10aee1bc44a14L,0xa7eed31b3efd0baaL,
+        0x6e7c824e1d154e65L } },
+    /* 30 << 105 */
+    { { 0xee23fa819966e7eeL,0x64ec4aa805b7920dL,0x2d44462d2d90aad4L,
+        0xf44dd195df277ad5L },
+      { 0x8d6471f1bb46b6a1L,0x1e65d313fd885090L,0x33a800f513a977b4L,
+        0xaca9d7210797e1efL } },
+    /* 31 << 105 */
+    { { 0x9a5a85a0fcff6a17L,0x9970a3f31eca7ceeL,0xbb9f0d6bc9504be3L,
+        0xe0c504beadd24ee2L },
+      { 0x7e09d95677fcc2f4L,0xef1a522765bb5fc4L,0x145d4fb18b9286aaL,
+        0x66fd0c5d6649028bL } },
+    /* 32 << 105 */
+    { { 0x98857ceb1bf4581cL,0xe635e186aca7b166L,0x278ddd22659722acL,
+        0xa0903c4c1db68007L },
+      { 0x366e458948f21402L,0x31b49c14b96abda2L,0x329c4b09e0403190L,
+        0x97197ca3d29f43feL } },
+    /* 33 << 105 */
+    { { 0x8073dd1e274983d8L,0xda1a3bde55717c8fL,0xfd3d4da20361f9d1L,
+        0x1332d0814c7de1ceL },
+      { 0x9b7ef7a3aa6d0e10L,0x17db2e73f54f1c4aL,0xaf3dffae4cd35567L,
+        0xaaa2f406e56f4e71L } },
+    /* 34 << 105 */
+    { { 0x8966759e7ace3fc7L,0x9594eacf45a8d8c6L,0x8de3bd8b91834e0eL,
+        0xafe4ca53548c0421L },
+      { 0xfdd7e856e6ee81c6L,0x8f671beb6b891a3aL,0xf7a58f2bfae63829L,
+        0x9ab186fb9c11ac9fL } },
+    /* 35 << 105 */
+    { { 0x8d6eb36910b5be76L,0x046b7739fb040bcdL,0xccb4529fcb73de88L,
+        0x1df0fefccf26be03L },
+      { 0xad7757a6bcfcd027L,0xa8786c75bb3165caL,0xe9db1e347e99a4d9L,
+        0x99ee86dfb06c504bL } },
+    /* 36 << 105 */
+    { { 0x5b7c2dddc15c9f0aL,0xdf87a7344295989eL,0x59ece47c03d08fdaL,
+        0xb074d3ddad5fc702L },
+      { 0x2040790351a03776L,0x2bb1f77b2a608007L,0x25c58f4fe1153185L,
+        0xe6df62f6766e6447L } },
+    /* 37 << 105 */
+    { { 0xefb3d1beed51275aL,0x5de47dc72f0f483fL,0x7932d98e97c2bedfL,
+        0xd5c119270219f8a1L },
+      { 0x9d751200a73a294eL,0x5f88434a9dc20172L,0xd28d9fd3a26f506aL,
+        0xa890cd319d1dcd48L } },
+    /* 38 << 105 */
+    { { 0x0aebaec170f4d3b4L,0xfd1a13690ffc8d00L,0xb9d9c24057d57838L,
+        0x45929d2668bac361L },
+      { 0x5a2cd06025b15ca6L,0x4b3c83e16e474446L,0x1aac7578ee1e5134L,
+        0xa418f5d6c91e2f41L } },
+    /* 39 << 105 */
+    { { 0x6936fc8a213ed68bL,0x860ae7ed510a5224L,0x63660335def09b53L,
+        0x641b2897cd79c98dL },
+      { 0x29bd38e101110f35L,0x79c26f42648b1937L,0x64dae5199d9164f4L,
+        0xd85a23100265c273L } },
+    /* 40 << 105 */
+    { { 0x7173dd5d4b07e2b1L,0xd144c4cb8d9ea221L,0xe8b04ea41105ab14L,
+        0x92dda542fe80d8f1L },
+      { 0xe9982fa8cf03dce6L,0x8b5ea9651a22cffcL,0xf7f4ea7f3fad88c4L,
+        0x62db773e6a5ba95cL } },
+    /* 41 << 105 */
+    { { 0xd20f02fb93f24567L,0xfd46c69a315257caL,0x0ac74cc78bcab987L,
+        0x46f31c015ceca2f5L },
+      { 0x40aedb59888b219eL,0xe50ecc37e1fccd02L,0x1bcd9dad911f816cL,
+        0x583cc1ec8db9b00cL } },
+    /* 42 << 105 */
+    { { 0xf3cd2e66a483bf11L,0xfa08a6f5b1b2c169L,0xf375e2454be9fa28L,
+        0x99a7ffec5b6d011fL },
+      { 0x6a3ebddbc4ae62daL,0x6cea00ae374aef5dL,0xab5fb98d9d4d05bcL,
+        0x7cba1423d560f252L } },
+    /* 43 << 105 */
+    { { 0x49b2cc21208490deL,0x1ca66ec3bcfb2879L,0x7f1166b71b6fb16fL,
+        0xfff63e0865fe5db3L },
+      { 0xb8345abe8b2610beL,0xb732ed8039de3df4L,0x0e24ed50211c32b4L,
+        0xd10d8a69848ff27dL } },
+    /* 44 << 105 */
+    { { 0xc1074398ed4de248L,0xd7cedace10488927L,0xa4aa6bf885673e13L,
+        0xb46bae916daf30afL },
+      { 0x07088472fcef7ad8L,0x61151608d4b35e97L,0xbcfe8f26dde29986L,
+        0xeb84c4c7d5a34c79L } },
+    /* 45 << 105 */
+    { { 0xc1eec55c164e1214L,0x891be86da147bb03L,0x9fab4d100ba96835L,
+        0xbf01e9b8a5c1ae9fL },
+      { 0x6b4de139b186ebc0L,0xd5c74c2685b91bcaL,0x5086a99cc2d93854L,
+        0xeed62a7ba7a9dfbcL } },
+    /* 46 << 105 */
+    { { 0x8778ed6f76b7618aL,0xbff750a503b66062L,0x4cb7be22b65186dbL,
+        0x369dfbf0cc3a6d13L },
+      { 0xc7dab26c7191a321L,0x9edac3f940ed718eL,0xbc142b36d0cfd183L,
+        0xc8af82f67c991693L } },
+    /* 47 << 105 */
+    { { 0xb3d1e4d897ce0b2aL,0xe6d7c87fc3a55cdfL,0x35846b9568b81afeL,
+        0x018d12afd3c239d8L },
+      { 0x2b2c620801206e15L,0xe0e42453a3b882c6L,0x854470a3a50162d5L,
+        0x081574787017a62aL } },
+    /* 48 << 105 */
+    { { 0x18bd3fb4820357c7L,0x992039ae6f1458adL,0x9a1df3c525b44aa1L,
+        0x2d780357ed3d5281L },
+      { 0x58cf7e4dc77ad4d4L,0xd49a7998f9df4fc4L,0x4465a8b51d71205eL,
+        0xa0ee0ea6649254aaL } },
+    /* 49 << 105 */
+    { { 0x4b5eeecfab7bd771L,0x6c87307335c262b9L,0xdc5bd6483c9d61e7L,
+        0x233d6d54321460d2L },
+      { 0xd20c5626fc195bccL,0x2544595804d78b63L,0xe03fcb3d17ec8ef3L,
+        0x54b690d146b8f781L } },
+    /* 50 << 105 */
+    { { 0x82fa2c8a21230646L,0xf51aabb9084f418cL,0xff4fbec11a30ba43L,
+        0x6a5acf73743c9df7L },
+      { 0x1da2b357d635b4d5L,0xc3de68ddecd5c1daL,0xa689080bd61af0ddL,
+        0xdea5938ad665bf99L } },
+    /* 51 << 105 */
+    { { 0x0231d71afe637294L,0x01968aa6a5a81cd8L,0x11252d50048e63b5L,
+        0xc446bc526ca007e9L },
+      { 0xef8c50a696d6134bL,0x9361fbf59e09a05cL,0xf17f85a6dca3291aL,
+        0xb178d548ff251a21L } },
+    /* 52 << 105 */
+    { { 0x87f6374ba4df3915L,0x566ce1bf2fd5d608L,0x425cba4d7de35102L,
+        0x6b745f8f58c5d5e2L },
+      { 0x88402af663122edfL,0x3190f9ed3b989a89L,0x4ad3d387ebba3156L,
+        0xef385ad9c7c469a5L } },
+    /* 53 << 105 */
+    { { 0xb08281de3f642c29L,0x20be0888910ffb88L,0xf353dd4ad5292546L,
+        0x3f1627de8377a262L },
+      { 0xa5faa013eefcd638L,0x8f3bf62674cc77c3L,0x32618f65a348f55eL,
+        0x5787c0dc9fefeb9eL } },
+    /* 54 << 105 */
+    { { 0xf1673aa2d9a23e44L,0x88dfa9934e10690dL,0x1ced1b362bf91108L,
+        0x9193ceca3af48649L },
+      { 0xfb34327d2d738fc5L,0x6697b037975fee6cL,0x2f485da0c04079a5L,
+        0x2cdf57352feaa1acL } },
+    /* 55 << 105 */
+    { { 0x76944420bd55659eL,0x7973e32b4376090cL,0x86bb4fe1163b591aL,
+        0x10441aedc196f0caL },
+      { 0x3b431f4a045ad915L,0x6c11b437a4afacb1L,0x30b0c7db71fdbbd8L,
+        0xb642931feda65acdL } },
+    /* 56 << 105 */
+    { { 0x4baae6e89c92b235L,0xa73bbd0e6b3993a1L,0xd06d60ec693dd031L,
+        0x03cab91b7156881cL },
+      { 0xd615862f1db3574bL,0x485b018564bb061aL,0x27434988a0181e06L,
+        0x2cd61ad4c1c0c757L } },
+    /* 57 << 105 */
+    { { 0x3effed5a2ff9f403L,0x8dc98d8b62239029L,0x2206021e1f17b70dL,
+        0xafbec0cabf510015L },
+      { 0x9fed716480130dfaL,0x306dc2b58a02dcf5L,0x48f06620feb10fc0L,
+        0x78d1e1d55a57cf51L } },
+    /* 58 << 105 */
+    { { 0xadef8c5a192ef710L,0x88afbd4b3b7431f9L,0x7e1f740764250c9eL,
+        0x6e31318db58bec07L },
+      { 0xfd4fc4b824f89b4eL,0x65a5dd8848c36a2aL,0x4f1eccfff024baa7L,
+        0x22a21cf2cba94650L } },
+    /* 59 << 105 */
+    { { 0x95d29dee42a554f7L,0x828983a5002ec4baL,0x8112a1f78badb73dL,
+        0x79ea8897a27c1839L },
+      { 0x8969a5a7d065fd83L,0xf49af791b262a0bcL,0xfcdea8b6af2b5127L,
+        0x10e913e1564c2dbcL } },
+    /* 60 << 105 */
+    { { 0x51239d14bc21ef51L,0xe51c3ceb4ce57292L,0x795ff06847bbcc3bL,
+        0x86b46e1ebd7e11e6L },
+      { 0x0ea6ba2380041ef4L,0xd72fe5056262342eL,0x8abc6dfd31d294d4L,
+        0xbbe017a21278c2c9L } },
+    /* 61 << 105 */
+    { { 0xb1fcfa09b389328aL,0x322fbc62d01771b5L,0x04c0d06360b045bfL,
+        0xdb652edc10e52d01L },
+      { 0x50ef932c03ec6627L,0xde1b3b2dc1ee50e3L,0x5ab7bdc5dc37a90dL,
+        0xfea6721331e33a96L } },
+    /* 62 << 105 */
+    { { 0x6482b5cb4f2999aaL,0x38476cc6b8cbf0ddL,0x93ebfacb173405bbL,
+        0x15cdafe7e52369ecL },
+      { 0xd42d5ba4d935b7dbL,0x648b60041c99a4cdL,0x785101bda3b5545bL,
+        0x4bf2c38a9dd67fafL } },
+    /* 63 << 105 */
+    { { 0xb1aadc634442449cL,0xe0e9921a33ad4fb8L,0x5c552313aa686d82L,
+        0xdee635fa465d866cL },
+      { 0xbc3c224a18ee6e8aL,0xeed748a6ed42e02fL,0xe70f930ad474cd08L,
+        0x774ea6ecfff24adfL } },
+    /* 64 << 105 */
+    { { 0x03e2de1cf3480d4aL,0xf0d8edc7bc8acf1aL,0xf23e330368295a9cL,
+        0xfadd5f68c546a97dL },
+      { 0x895597ad96f8acb1L,0xbddd49d5671bdae2L,0x16fcd52821dd43f4L,
+        0xa5a454126619141aL } },
+    /* 0 << 112 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 112 */
+    { { 0x8ce9b6bfc360e25aL,0xe6425195075a1a78L,0x9dc756a8481732f4L,
+        0x83c0440f5432b57aL },
+      { 0xc670b3f1d720281fL,0x2205910ed135e051L,0xded14b0edb052be7L,
+        0x697b3d27c568ea39L } },
+    /* 2 << 112 */
+    { { 0x2e599b9afb3ff9edL,0x28c2e0ab17f6515cL,0x1cbee4fd474da449L,
+        0x071279a44f364452L },
+      { 0x97abff6601fbe855L,0x3ee394e85fda51c4L,0x190385f667597c0bL,
+        0x6e9fccc6a27ee34bL } },
+    /* 3 << 112 */
+    { { 0x0b89de9314092ebbL,0xf17256bd428e240cL,0xcf89a7f393d2f064L,
+        0x4f57841ee1ed3b14L },
+      { 0x4ee14405e708d855L,0x856aae7203f1c3d0L,0xc8e5424fbdd7eed5L,
+        0x3333e4ef73ab4270L } },
+    /* 4 << 112 */
+    { { 0x3bc77adedda492f8L,0xc11a3aea78297205L,0x5e89a3e734931b4cL,
+        0x17512e2e9f5694bbL },
+      { 0x5dc349f3177bf8b6L,0x232ea4ba08c7ff3eL,0x9c4f9d16f511145dL,
+        0xccf109a333b379c3L } },
+    /* 5 << 112 */
+    { { 0xe75e7a88a1f25897L,0x7ac6961fa1b5d4d8L,0xe3e1077308f3ed5cL,
+        0x208a54ec0a892dfbL },
+      { 0xbe826e1978660710L,0x0cf70a97237df2c8L,0x418a7340ed704da5L,
+        0xa3eeb9a908ca33fdL } },
+    /* 6 << 112 */
+    { { 0x49d96233169bca96L,0x04d286d42da6aafbL,0xc09606eca0c2fa94L,
+        0x8869d0d523ff0fb3L },
+      { 0xa99937e5d0150d65L,0xa92e2503240c14c9L,0x656bf945108e2d49L,
+        0x152a733aa2f59e2bL } },
+    /* 7 << 112 */
+    { { 0xb4323d588434a920L,0xc0af8e93622103c5L,0x667518ef938dbf9aL,
+        0xa184307383a9cdf2L },
+      { 0x350a94aa5447ab80L,0xe5e5a325c75a3d61L,0x74ba507f68411a9eL,
+        0x10581fc1594f70c5L } },
+    /* 8 << 112 */
+    { { 0x60e2857080eb24a9L,0x7bedfb4d488e0cfdL,0x721ebbd7c259cdb8L,
+        0x0b0da855bc6390a9L },
+      { 0x2b4d04dbde314c70L,0xcdbf1fbc6c32e846L,0x33833eabb162fc9eL,
+        0x9939b48bb0dd3ab7L } },
+    /* 9 << 112 */
+    { { 0x5aaa98a7cb0c9c8cL,0x75105f3081c4375cL,0xceee50575ef1c90fL,
+        0xb31e065fc23a17bfL },
+      { 0x5364d275d4b6d45aL,0xd363f3ad62ec8996L,0xb5d212394391c65bL,
+        0x84564765ebb41b47L } },
+    /* 10 << 112 */
+    { { 0x20d18ecc37107c78L,0xacff3b6b570c2a66L,0x22f975d99bd0d845L,
+        0xef0a0c46ba178fa0L },
+      { 0x1a41965176b6028eL,0xc49ec674248612d4L,0x5b6ac4f27338af55L,
+        0x06145e627bee5a36L } },
+    /* 11 << 112 */
+    { { 0x33e95d07e75746b5L,0x1c1e1f6dc40c78beL,0x967833ef222ff8e2L,
+        0x4bedcf6ab49180adL },
+      { 0x6b37e9c13d7a4c8aL,0x2748887c6ddfe760L,0xf7055123aa3a5bbcL,
+        0x954ff2257bbb8e74L } },
+    /* 12 << 112 */
+    { { 0xc42b8ab197c3dfb9L,0x55a549b0cf168154L,0xad6748e7c1b50692L,
+        0x2775780f6fc5cbcbL },
+      { 0x4eab80b8e1c9d7c8L,0x8c69dae13fdbcd56L,0x47e6b4fb9969eaceL,
+        0x002f1085a705cb5aL } },
+    /* 13 << 112 */
+    { { 0x4e23ca446d3fea55L,0xb4ae9c86f4810568L,0x47bfb91b2a62f27dL,
+        0x60deb4c9d9bac28cL },
+      { 0xa892d8947de6c34cL,0x4ee682594494587dL,0x914ee14e1a3f8a5bL,
+        0xbb113eaa28700385L } },
+    /* 14 << 112 */
+    { { 0x81ca03b92115b4c9L,0x7c163d388908cad1L,0xc912a118aa18179aL,
+        0xe09ed750886e3081L },
+      { 0xa676e3fa26f516caL,0x753cacf78e732f91L,0x51592aea833da8b4L,
+        0xc626f42f4cbea8aaL } },
+    /* 15 << 112 */
+    { { 0xef9dc899a7b56eafL,0x00c0e52c34ef7316L,0x5b1e4e24fe818a86L,
+        0x9d31e20dc538be47L },
+      { 0x22eb932d3ed68974L,0xe44bbc087c4e87c4L,0x4121086e0dde9aefL,
+        0x8e6b9cff134f4345L } },
+    /* 16 << 112 */
+    { { 0x96892c1f711b0eb9L,0xb905f2c8780ab954L,0xace26309a20792dbL,
+        0xec8ac9b30684e126L },
+      { 0x486ad8b6b40a2447L,0x60121fc19fe3fb24L,0x5626fccf1a8e3b3fL,
+        0x4e5686226ad1f394L } },
+    /* 17 << 112 */
+    { { 0xda7aae0d196aa5a1L,0xe0df8c771041b5fbL,0x451465d926b318b7L,
+        0xc29b6e557ab136e9L },
+      { 0x2c2ab48b71148463L,0xb5738de364454a76L,0x54ccf9a05a03abe4L,
+        0x377c02960427d58eL } },
+    /* 18 << 112 */
+    { { 0x73f5f0b92bb39c1fL,0x14373f2ce608d8c5L,0xdcbfd31400fbb805L,
+        0xdf18fb2083afdcfbL },
+      { 0x81a57f4242b3523fL,0xe958532d87f650fbL,0xaa8dc8b68b0a7d7cL,
+        0x1b75dfb7150166beL } },
+    /* 19 << 112 */
+    { { 0x90e4f7c92d7d1413L,0x67e2d6b59834f597L,0x4fd4f4f9a808c3e8L,
+        0xaf8237e0d5281ec1L },
+      { 0x25ab5fdc84687ceeL,0xc5ded6b1a5b26c09L,0x8e4a5aecc8ea7650L,
+        0x23b73e5c14cc417fL } },
+    /* 20 << 112 */
+    { { 0x2bfb43183037bf52L,0xb61e6db578c725d7L,0x8efd4060bbb3e5d7L,
+        0x2e014701dbac488eL },
+      { 0xac75cf9a360aa449L,0xb70cfd0579634d08L,0xa591536dfffb15efL,
+        0xb2c37582d07c106cL } },
+    /* 21 << 112 */
+    { { 0xb4293fdcf50225f9L,0xc52e175cb0e12b03L,0xf649c3bad0a8bf64L,
+        0x745a8fefeb8ae3c6L },
+      { 0x30d7e5a358321bc3L,0xb1732be70bc4df48L,0x1f217993e9ea5058L,
+        0xf7a71cde3e4fd745L } },
+    /* 22 << 112 */
+    { { 0x86cc533e894c5bbbL,0x6915c7d969d83082L,0xa6aa2d055815c244L,
+        0xaeeee59249b22ce5L },
+      { 0x89e39d1378135486L,0x3a275c1f16b76f2fL,0xdb6bcc1be036e8f5L,
+        0x4df69b215e4709f5L } },
+    /* 23 << 112 */
+    { { 0xa188b2502d0f39aaL,0x622118bb15a85947L,0x2ebf520ffde0f4faL,
+        0xa40e9f294860e539L },
+      { 0x7b6a51eb22b57f0fL,0x849a33b97e80644aL,0x50e5d16f1cf095feL,
+        0xd754b54eec55f002L } },
+    /* 24 << 112 */
+    { { 0x5cfbbb22236f4a98L,0x0b0c59e9066800bbL,0x4ac69a8f5a9a7774L,
+        0x2b33f804d6bec948L },
+      { 0xb372929532e6c466L,0x68956d0f4e599c73L,0xa47a249f155c31ccL,
+        0x24d80f0de1ce284eL } },
+    /* 25 << 112 */
+    { { 0xcd821dfb988baf01L,0xe6331a7ddbb16647L,0x1eb8ad33094cb960L,
+        0x593cca38c91bbca5L },
+      { 0x384aac8d26567456L,0x40fa0309c04b6490L,0x97834cd6dab6c8f6L,
+        0x68a7318d3f91e55fL } },
+    /* 26 << 112 */
+    { { 0xa00fd04efc4d3157L,0xb56f8ab22bf3bdeaL,0x014f56484fa57172L,
+        0x948c5860450abdb3L },
+      { 0x342b5df00ebd4f08L,0x3e5168cd0e82938eL,0x7aedc1ceb0df5dd0L,
+        0x6bbbc6d9e5732516L } },
+    /* 27 << 112 */
+    { { 0xc7bfd486605daaa6L,0x46fd72b7bb9a6c9eL,0xe4847fb1a124fb89L,
+        0x75959cbda2d8ffbcL },
+      { 0x42579f65c8a588eeL,0x368c92e6b80b499dL,0xea4ef6cd999a5df1L,
+        0xaa73bb7f936fe604L } },
+    /* 28 << 112 */
+    { { 0xf347a70d6457d188L,0x86eda86b8b7a388bL,0xb7cdff060ccd6013L,
+        0xbeb1b6c7d0053fb2L },
+      { 0x0b02238799240a9fL,0x1bbb384f776189b2L,0x8695e71e9066193aL,
+        0x2eb5009706ffac7eL } },
+    /* 29 << 112 */
+    { { 0x0654a9c04a7d2caaL,0x6f3fb3d1a5aaa290L,0x835db041ff476e8fL,
+        0x540b8b0bc42295e4L },
+      { 0xa5c73ac905e214f5L,0x9a74075a56a0b638L,0x2e4b1090ce9e680bL,
+        0x57a5b4796b8d9afaL } },
+    /* 30 << 112 */
+    { { 0x0dca48e726bfe65cL,0x097e391c7290c307L,0x683c462e6669e72eL,
+        0xf505be1e062559acL },
+      { 0x5fbe3ea1e3a3035aL,0x6431ebf69cd50da8L,0xfd169d5c1f6407f2L,
+        0x8d838a9560fce6b8L } },
+    /* 31 << 112 */
+    { { 0x2a2bfa7f650006f0L,0xdfd7dad350c0fbb2L,0x92452495ccf9ad96L,
+        0x183bf494d95635f9L },
+      { 0x02d5df434a7bd989L,0x505385cca5431095L,0xdd98e67dfd43f53eL,
+        0xd61e1a6c500c34a9L } },
+    /* 32 << 112 */
+    { { 0x5a4b46c64a8a3d62L,0x8469c4d0247743d2L,0x2bb3a13d88f7e433L,
+        0x62b23a1001be5849L },
+      { 0xe83596b4a63d1a4cL,0x454e7fea7d183f3eL,0x643fce6117afb01cL,
+        0x4e65e5e61c4c3638L } },
+    /* 33 << 112 */
+    { { 0x41d85ea1ef74c45bL,0x2cfbfa66ae328506L,0x98b078f53ada7da9L,
+        0xd985fe37ec752fbbL },
+      { 0xeece68fe5a0148b4L,0x6f9a55c72d78136dL,0x232dccc4d2b729ceL,
+        0xa27e0dfd90aafbc4L } },
+    /* 34 << 112 */
+    { { 0x9647445212b4603eL,0xa876c5516b706d14L,0xdf145fcf69a9d412L,
+        0xe2ab75b72d479c34L },
+      { 0x12df9a761a23ff97L,0xc61389925d359d10L,0x6e51c7aefa835f22L,
+        0x69a79cb1c0fcc4d9L } },
+    /* 35 << 112 */
+    { { 0xf57f350d594cc7e1L,0x3079ca633350ab79L,0x226fb6149aff594aL,
+        0x35afec026d59a62bL },
+      { 0x9bee46f406ed2c6eL,0x58da17357d939a57L,0x44c504028fd1797eL,
+        0xd8853e7c5ccea6caL } },
+    /* 36 << 112 */
+    { { 0x4065508da35fcd5fL,0x8965df8c495ccaebL,0x0f2da85012e1a962L,
+        0xee471b94c1cf1cc4L },
+      { 0xcef19bc80a08fb75L,0x704958f581de3591L,0x2867f8b23aef4f88L,
+        0x8d749384ea9f9a5fL } },
+    /* 37 << 112 */
+    { { 0x1b3855378c9049f4L,0x5be948f37b92d8b6L,0xd96f725db6e2bd6bL,
+        0x37a222bc958c454dL },
+      { 0xe7c61abb8809bf61L,0x46f07fbc1346f18dL,0xfb567a7ae87c0d1cL,
+        0x84a461c87ef3d07aL } },
+    /* 38 << 112 */
+    { { 0x0a5adce6d9278d98L,0x24d948139dfc73e1L,0x4f3528b6054321c3L,
+        0x2e03fdde692ea706L },
+      { 0x10e6061947b533c0L,0x1a8bc73f2ca3c055L,0xae58d4b21bb62b8fL,
+        0xb2045a73584a24e3L } },
+    /* 39 << 112 */
+    { { 0x3ab3d5afbd76e195L,0x478dd1ad6938a810L,0x6ffab3936ee3d5cbL,
+        0xdfb693db22b361e4L },
+      { 0xf969449651dbf1a7L,0xcab4b4ef08a2e762L,0xe8c92f25d39bba9aL,
+        0x850e61bcf1464d96L } },
+    /* 40 << 112 */
+    { { 0xb7e830e3dc09508bL,0xfaf6d2cf74317655L,0x72606cebdf690355L,
+        0x48bb92b3d0c3ded6L },
+      { 0x65b754845c7cf892L,0xf6cd7ac9d5d5f01fL,0xc2c30a5996401d69L,
+        0x91268650ed921878L } },
+    /* 41 << 112 */
+    { { 0x380bf913b78c558fL,0x43c0baebc8afdaa9L,0x377f61d554f169d3L,
+        0xf8da07e3ae5ff20bL },
+      { 0xb676c49da8a90ea8L,0x81c1ff2b83a29b21L,0x383297ac2ad8d276L,
+        0x3001122fba89f982L } },
+    /* 42 << 112 */
+    { { 0xe1d794be6718e448L,0x246c14827c3e6e13L,0x56646ef85d26b5efL,
+        0x80f5091e88069cddL },
+      { 0xc5992e2f724bdd38L,0x02e915b48471e8c7L,0x96ff320a0d0ff2a9L,
+        0xbf8864874384d1a0L } },
+    /* 43 << 112 */
+    { { 0xbbe1e6a6c93f72d6L,0xd5f75d12cad800eaL,0xfa40a09fe7acf117L,
+        0x32c8cdd57581a355L },
+      { 0x742219927023c499L,0xa8afe5d738ec3901L,0x5691afcba90e83f0L,
+        0x41bcaa030b8f8eacL } },
+    /* 44 << 112 */
+    { { 0xe38b5ff98d2668d5L,0x0715281a7ad81965L,0x1bc8fc7c03c6ce11L,
+        0xcbbee6e28b650436L },
+      { 0x06b00fe80cdb9808L,0x17d6e066fe3ed315L,0x2e9d38c64d0b5018L,
+        0xab8bfd56844dcaefL } },
+    /* 45 << 112 */
+    { { 0x42894a59513aed8bL,0xf77f3b6d314bd07aL,0xbbdecb8f8e42b582L,
+        0xf10e2fa8d2390fe6L },
+      { 0xefb9502262a2f201L,0x4d59ea5050ee32b0L,0xd87f77286da789a8L,
+        0xcf98a2cff79492c4L } },
+    /* 46 << 112 */
+    { { 0xf9577239720943c2L,0xba044cf53990b9d0L,0x5aa8e82395f2884aL,
+        0x834de6ed0278a0afL },
+      { 0xc8e1ee9a5f25bd12L,0x9259ceaa6f7ab271L,0x7e6d97a277d00b76L,
+        0x5c0c6eeaa437832aL } },
+    /* 47 << 112 */
+    { { 0x5232c20f5606b81dL,0xabd7b3750d991ee5L,0x4d2bfe358632d951L,
+        0x78f8514698ed9364L },
+      { 0x951873f0f30c3282L,0x0da8ac80a789230bL,0x3ac7789c5398967fL,
+        0xa69b8f7fbdda0fb5L } },
+    /* 48 << 112 */
+    { { 0xe5db77176add8545L,0x1b71cb6672c49b66L,0xd856073968421d77L,
+        0x03840fe883e3afeaL },
+      { 0xb391dad51ec69977L,0xae243fb9307f6726L,0xc88ac87be8ca160cL,
+        0x5174cced4ce355f4L } },
+    /* 49 << 112 */
+    { { 0x98a35966e58ba37dL,0xfdcc8da27817335dL,0x5b75283083fbc7bfL,
+        0x68e419d4d9c96984L },
+      { 0x409a39f402a40380L,0x88940faf1fe977bcL,0xc640a94b8f8edea6L,
+        0x1e22cd17ed11547dL } },
+    /* 50 << 112 */
+    { { 0xe28568ce59ffc3e2L,0x60aa1b55c1dee4e7L,0xc67497c8837cb363L,
+        0x06fb438a105a2bf2L },
+      { 0x30357ec4500d8e20L,0x1ad9095d0670db10L,0x7f589a05c73b7cfdL,
+        0xf544607d880d6d28L } },
+    /* 51 << 112 */
+    { { 0x17ba93b1a20ef103L,0xad8591306ba6577bL,0x65c91cf66fa214a0L,
+        0xd7d49c6c27990da5L },
+      { 0xecd9ec8d20bb569dL,0xbd4b2502eeffbc33L,0x2056ca5a6bed0467L,
+        0x7916a1f75b63728cL } },
+    /* 52 << 112 */
+    { { 0xd4f9497d53a4f566L,0x8973466497b56810L,0xf8e1da740494a621L,
+        0x82546a938d011c68L },
+      { 0x1f3acb19c61ac162L,0x52f8fa9cabad0d3eL,0x15356523b4b7ea43L,
+        0x5a16ad61ae608125L } },
+    /* 53 << 112 */
+    { { 0xb0bcb87f4faed184L,0x5f236b1d5029f45fL,0xd42c76070bc6b1fcL,
+        0xc644324e68aefce3L },
+      { 0x8e191d595c5d8446L,0xc020807713ae1979L,0xadcaee553ba59cc7L,
+        0x20ed6d6ba2cb81baL } },
+    /* 54 << 112 */
+    { { 0x0952ba19b6efcffcL,0x60f12d6897c0b87cL,0x4ee2c7c49caa30bcL,
+        0x767238b797fbff4eL },
+      { 0xebc73921501b5d92L,0x3279e3dfc2a37737L,0x9fc12bc86d197543L,
+        0xfa94dc6f0a40db4eL } },
+    /* 55 << 112 */
+    { { 0x7392b41a530ccbbdL,0x87c82146ea823525L,0xa52f984c05d98d0cL,
+        0x2ae57d735ef6974cL },
+      { 0x9377f7bf3042a6ddL,0xb1a007c019647a64L,0xfaa9079a0cca9767L,
+        0x3d81a25bf68f72d5L } },
+    /* 56 << 112 */
+    { { 0x752067f8ff81578eL,0x786221509045447dL,0xc0c22fcf0505aa6fL,
+        0x1030f0a66bed1c77L },
+      { 0x31f29f151f0bd739L,0x2d7989c7e6debe85L,0x5c070e728e677e98L,
+        0x0a817bd306e81fd5L } },
+    /* 57 << 112 */
+    { { 0xc110d830b0f2ac95L,0x48d0995aab20e64eL,0x0f3e00e17729cd9aL,
+        0x2a570c20dd556946L },
+      { 0x912dbcfd4e86214dL,0x2d014ee2cf615498L,0x55e2b1e63530d76eL,
+        0xc5135ae4fd0fd6d1L } },
+    /* 58 << 112 */
+    { { 0x0066273ad4f3049fL,0xbb8e9893e7087477L,0x2dba1ddb14c6e5fdL,
+        0xdba3788651f57e6cL },
+      { 0x5aaee0a65a72f2cfL,0x1208bfbf7bea5642L,0xf5c6aa3b67872c37L,
+        0xd726e08343f93224L } },
+    /* 59 << 112 */
+    { { 0x1854daa5061f1658L,0xc0016df1df0cd2b3L,0xc2a3f23e833d50deL,
+        0x73b681d2bbbd3017L },
+      { 0x2f046dc43ac343c0L,0x9c847e7d85716421L,0xe1e13c910917eed4L,
+        0x3fc9eebd63a1b9c6L } },
+    /* 60 << 112 */
+    { { 0x0f816a727fe02299L,0x6335ccc2294f3319L,0x3820179f4745c5beL,
+        0xe647b782922f066eL },
+      { 0xc22e49de02cafb8aL,0x299bc2fffcc2ecccL,0x9a8feea26e0e8282L,
+        0xa627278bfe893205L } },
+    /* 61 << 112 */
+    { { 0xa7e197337933e47bL,0xf4ff6b132e766402L,0xa4d8be0a98440d9fL,
+        0x658f5c2f38938808L },
+      { 0x90b75677c95b3b3eL,0xfa0442693137b6ffL,0x077b039b43c47c29L,
+        0xcca95dd38a6445b2L } },
+    /* 62 << 112 */
+    { { 0x0b498ba42333fc4cL,0x274f8e68f736a1b1L,0x6ca348fd5f1d4b2eL,
+        0x24d3be78a8f10199L },
+      { 0x8535f858ca14f530L,0xa6e7f1635b982e51L,0x847c851236e1bf62L,
+        0xf6a7c58e03448418L } },
+    /* 63 << 112 */
+    { { 0x583f3703f9374ab6L,0x864f91956e564145L,0x33bc3f4822526d50L,
+        0x9f323c801262a496L },
+      { 0xaa97a7ae3f046a9aL,0x70da183edf8a039aL,0x5b68f71c52aa0ba6L,
+        0x9be0fe5121459c2dL } },
+    /* 64 << 112 */
+    { { 0xc1e17eb6cbc613e5L,0x33131d55497ea61cL,0x2f69d39eaf7eded5L,
+        0x73c2f434de6af11bL },
+      { 0x4ca52493a4a375faL,0x5f06787cb833c5c2L,0x814e091f3e6e71cfL,
+        0x76451f578b746666L } },
+    /* 0 << 119 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 119 */
+    { { 0x80f9bdef694db7e0L,0xedca8787b9fcddc6L,0x51981c3403b8dce1L,
+        0x4274dcf170e10ba1L },
+      { 0xf72743b86def6d1aL,0xd25b1670ebdb1866L,0xc4491e8c050c6f58L,
+        0x2be2b2ab87fbd7f5L } },
+    /* 2 << 119 */
+    { { 0x3e0e5c9dd111f8ecL,0xbcc33f8db7c4e760L,0x702f9a91bd392a51L,
+        0x7da4a795c132e92dL },
+      { 0x1a0b0ae30bb1151bL,0x54febac802e32251L,0xea3a5082694e9e78L,
+        0xe58ffec1e4fe40b8L } },
+    /* 3 << 119 */
+    { { 0xf85592fcd1e0cf9eL,0xdea75f0dc0e7b2e8L,0xc04215cfc135584eL,
+        0x174fc7272f57092aL },
+      { 0xe7277877eb930beaL,0x504caccb5eb02a5aL,0xf9fe08f7f5241b9bL,
+        0xe7fb62f48d5ca954L } },
+    /* 4 << 119 */
+    { { 0xfbb8349d29c4120bL,0x9f94391fc0d0d915L,0xc4074fa75410ba51L,
+        0xa66adbf6150a5911L },
+      { 0xc164543c34bfca38L,0xe0f27560b9e1ccfcL,0x99da0f53e820219cL,
+        0xe8234498c6b4997aL } },
+    /* 5 << 119 */
+    { { 0xcfb88b769d4c5423L,0x9e56eb10b0521c49L,0x418e0b5ebe8700a1L,
+        0x00cbaad6f93cb58aL },
+      { 0xe923fbded92a5e67L,0xca4979ac1f347f11L,0x89162d856bc0585bL,
+        0xdd6254afac3c70e3L } },
+    /* 6 << 119 */
+    { { 0x7b23c513516e19e4L,0x56e2e847c5c4d593L,0x9f727d735ce71ef6L,
+        0x5b6304a6f79a44c5L },
+      { 0x6638a7363ab7e433L,0x1adea470fe742f83L,0xe054b8545b7fc19fL,
+        0xf935381aba1d0698L } },
+    /* 7 << 119 */
+    { { 0x546eab2d799e9a74L,0x96239e0ea949f729L,0xca274c6b7090055aL,
+        0x835142c39020c9b0L },
+      { 0xa405667aa2e8807fL,0x29f2c0851aa3d39eL,0xcc555d6442fc72f5L,
+        0xe856e0e7fbeacb3cL } },
+    /* 8 << 119 */
+    { { 0xb5504f9d918e4936L,0x65035ef6b2513982L,0x0553a0c26f4d9cb9L,
+        0x6cb10d56bea85509L },
+      { 0x48d957b7a242da11L,0x16a4d3dd672b7268L,0x3d7e637c8502a96bL,
+        0x27c7032b730d463bL } },
+    /* 9 << 119 */
+    { { 0xbdc02b18e4136a14L,0xbacf969d678e32bfL,0xc98d89a3dd9c3c03L,
+        0x7b92420a23becc4fL },
+      { 0xd4b41f78c64d565cL,0x9f969d0010f28295L,0xec7f7f76b13d051aL,
+        0x08945e1ea92da585L } },
+    /* 10 << 119 */
+    { { 0x55366b7d5846426fL,0xe7d09e89247d441dL,0x510b404d736fbf48L,
+        0x7fa003d0e784bd7dL },
+      { 0x25f7614f17fd9596L,0x49e0e0a135cb98dbL,0x2c65957b2e83a76aL,
+        0x5d40da8dcddbe0f8L } },
+    /* 11 << 119 */
+    { { 0xf2b8c405050bad24L,0x8918426dc2aa4823L,0x2aeab3dda38365a7L,
+        0x720317177c91b690L },
+      { 0x8b00d69960a94120L,0x478a255de99eaeecL,0xbf656a5f6f60aafdL,
+        0xdfd7cb755dee77b3L } },
+    /* 12 << 119 */
+    { { 0x37f68bb4a595939dL,0x0355647928740217L,0x8e740e7c84ad7612L,
+        0xd89bc8439044695fL },
+      { 0xf7f3da5d85a9184dL,0x562563bb9fc0b074L,0x06d2e6aaf88a888eL,
+        0x612d8643161fbe7cL } },
+    /* 13 << 119 */
+    { { 0x465edba7f64085e7L,0xb230f30429aa8511L,0x53388426cda2d188L,
+        0x908857354b666649L },
+      { 0x6f02ff9a652f54f6L,0x65c822945fae2bf0L,0x7816ade062f5eee3L,
+        0xdcdbdf43fcc56d70L } },
+    /* 14 << 119 */
+    { { 0x9fb3bba354530bb2L,0xbde3ef77cb0869eaL,0x89bc90460b431163L,
+        0x4d03d7d2e4819a35L },
+      { 0x33ae4f9e43b6a782L,0x216db3079c88a686L,0x91dd88e000ffedd9L,
+        0xb280da9f12bd4840L } },
+    /* 15 << 119 */
+    { { 0x32a7cb8a1635e741L,0xfe14008a78be02a7L,0x3fafb3341b7ae030L,
+        0x7fd508e75add0ce9L },
+      { 0x72c83219d607ad51L,0x0f229c0a8d40964aL,0x1be2c3361c878da2L,
+        0xe0c96742eab2ab86L } },
+    /* 16 << 119 */
+    { { 0x458f86913e538cd7L,0xa7001f6c8e08ad53L,0x52b8c6e6bf5d15ffL,
+        0x548234a4011215ddL },
+      { 0xff5a9d2d3d5b4045L,0xb0ffeeb64a904190L,0x55a3aca448607f8bL,
+        0x8cbd665c30a0672aL } },
+    /* 17 << 119 */
+    { { 0x87f834e042583068L,0x02da2aebf3f6e683L,0x6b763e5d05c12248L,
+        0x7230378f65a8aefcL },
+      { 0x93bd80b571e8e5caL,0x53ab041cb3b62524L,0x1b8605136c9c552eL,
+        0xe84d402cd5524e66L } },
+    /* 18 << 119 */
+    { { 0xa37f3573f37f5937L,0xeb0f6c7dd1e4fca5L,0x2965a554ac8ab0fcL,
+        0x17fbf56c274676acL },
+      { 0x2e2f6bd9acf7d720L,0x41fc8f8810224766L,0x517a14b385d53befL,
+        0xdae327a57d76a7d1L } },
+    /* 19 << 119 */
+    { { 0x6ad0a065c4818267L,0x33aa189b37c1bbc1L,0x64970b5227392a92L,
+        0x21699a1c2d1535eaL },
+      { 0xcd20779cc2d7a7fdL,0xe318605999c83cf2L,0x9b69440b72c0b8c7L,
+        0xa81497d77b9e0e4dL } },
+    /* 20 << 119 */
+    { { 0x515d5c891f5f82dcL,0x9a7f67d76361079eL,0xa8da81e311a35330L,
+        0xe44990c44b18be1bL },
+      { 0xc7d5ed95af103e59L,0xece8aba78dac9261L,0xbe82b0999394b8d3L,
+        0x6830f09a16adfe83L } },
+    /* 21 << 119 */
+    { { 0x250a29b488172d01L,0x8b20bd65caff9e02L,0xb8a7661ee8a6329aL,
+        0x4520304dd3fce920L },
+      { 0xae45da1f2b47f7efL,0xe07f52885bffc540L,0xf79970093464f874L,
+        0x2244c2cda6fa1f38L } },
+    /* 22 << 119 */
+    { { 0x43c41ac194d7d9b1L,0x5bafdd82c82e7f17L,0xdf0614c15fda0fcaL,
+        0x74b043a7a8ae37adL },
+      { 0x3ba6afa19e71734cL,0x15d5437e9c450f2eL,0x4a5883fe67e242b1L,
+        0x5143bdc22c1953c2L } },
+    /* 23 << 119 */
+    { { 0x542b8b53fc5e8920L,0x363bf9a89a9cee08L,0x02375f10c3486e08L,
+        0x2037543b8c5e70d2L },
+      { 0x7109bccc625640b4L,0xcbc1051e8bc62c3bL,0xf8455fed803f26eaL,
+        0x6badceabeb372424L } },
+    /* 24 << 119 */
+    { { 0xa2a9ce7c6b53f5f9L,0x642465951b176d99L,0xb1298d36b95c081bL,
+        0x53505bb81d9a9ee6L },
+      { 0x3f6f9e61f2ba70b0L,0xd07e16c98afad453L,0x9f1694bbe7eb4a6aL,
+        0xdfebced93cb0bc8eL } },
+    /* 25 << 119 */
+    { { 0x92d3dcdc53868c8bL,0x174311a2386107a6L,0x4109e07c689b4e64L,
+        0x30e4587f2df3dcb6L },
+      { 0x841aea310811b3b2L,0x6144d41d0cce43eaL,0x464c45812a9a7803L,
+        0xd03d371f3e158930L } },
+    /* 26 << 119 */
+    { { 0xc676d7f2b1f3390bL,0x9f7a1b8ca5b61272L,0x4ebebfc9c2e127a9L,
+        0x4602500c5dd997bfL },
+      { 0x7f09771c4711230fL,0x058eb37c020f09c1L,0xab693d4bfee5e38bL,
+        0x9289eb1f4653cbc0L } },
+    /* 27 << 119 */
+    { { 0xbecf46abd51b9cf5L,0xd2aa9c029f0121afL,0x36aaf7d2e90dc274L,
+        0x909e4ea048b95a3cL },
+      { 0xe6b704966f32dbdbL,0x672188a08b030b3eL,0xeeffe5b3cfb617e2L,
+        0x87e947de7c82709eL } },
+    /* 28 << 119 */
+    { { 0xa44d2b391770f5a7L,0xe4d4d7910e44eb82L,0x42e69d1e3f69712aL,
+        0xbf11c4d6ac6a820eL },
+      { 0xb5e7f3e542c4224cL,0xd6b4e81c449d941cL,0x5d72bd165450e878L,
+        0x6a61e28aee25ac54L } },
+    /* 29 << 119 */
+    { { 0x33272094e6f1cd95L,0x7512f30d0d18673fL,0x32f7a4ca5afc1464L,
+        0x2f0956566bbb977bL },
+      { 0x586f47caa8226200L,0x02c868ad1ac07369L,0x4ef2b845c613acbeL,
+        0x43d7563e0386054cL } },
+    /* 30 << 119 */
+    { { 0x54da9dc7ab952578L,0xb5423df226e84d0bL,0xa8b64eeb9b872042L,
+        0xac2057825990f6dfL },
+      { 0x4ff696eb21f4c77aL,0x1a79c3e4aab273afL,0x29bc922e9436b3f1L,
+        0xff807ef8d6d9a27aL } },
+    /* 31 << 119 */
+    { { 0x82acea3d778f22a0L,0xfb10b2e85b5e7469L,0xc0b169802818ee7dL,
+        0x011afff4c91c1a2fL },
+      { 0x95a6d126ad124418L,0x31c081a5e72e295fL,0x36bb283af2f4db75L,
+        0xd115540f7acef462L } },
+    /* 32 << 119 */
+    { { 0xc7f3a8f833f6746cL,0x21e46f65fea990caL,0x915fd5c5caddb0a9L,
+        0xbd41f01678614555L },
+      { 0x346f4434426ffb58L,0x8055943614dbc204L,0xf3dd20fe5a969b7fL,
+        0x9d59e956e899a39aL } },
+    /* 33 << 119 */
+    { { 0xf1b0971c8ad4cf4bL,0x034488602ffb8fb8L,0xf071ac3c65340ba4L,
+        0x408d0596b27fd758L },
+      { 0xe7c78ea498c364b0L,0xa4aac4a5051e8ab5L,0xb9e1d560485d9002L,
+        0x9acd518a88844455L } },
+    /* 34 << 119 */
+    { { 0xe4ca688fd06f56c0L,0xa48af70ddf027972L,0x691f0f045e9a609dL,
+        0xa9dd82cdee61270eL },
+      { 0x8903ca63a0ef18d3L,0x9fb7ee353d6ca3bdL,0xa7b4a09cabf47d03L,
+        0x4cdada011c67de8eL } },
+    /* 35 << 119 */
+    { { 0x520037499355a244L,0xe77fd2b64f2151a9L,0x695d6cf666b4efcbL,
+        0xc5a0cacfda2cfe25L },
+      { 0x104efe5cef811865L,0xf52813e89ea5cc3dL,0x855683dc40b58dbcL,
+        0x0338ecde175fcb11L } },
+    /* 36 << 119 */
+    { { 0xf9a0563774921592L,0xb4f1261db9bb9d31L,0x551429b74e9c5459L,
+        0xbe182e6f6ea71f53L },
+      { 0xd3a3b07cdfc50573L,0x9ba1afda62be8d44L,0x9bcfd2cb52ab65d3L,
+        0xdf11d547a9571802L } },
+    /* 37 << 119 */
+    { { 0x099403ee02a2404aL,0x497406f421088a71L,0x994794095004ae71L,
+        0xbdb42078a812c362L },
+      { 0x2b72a30fd8828442L,0x283add27fcb5ed1cL,0xf7c0e20066a40015L,
+        0x3e3be64108b295efL } },
+    /* 38 << 119 */
+    { { 0xac127dc1e038a675L,0x729deff38c5c6320L,0xb7df8fd4a90d2c53L,
+        0x9b74b0ec681e7cd3L },
+      { 0x5cb5a623dab407e5L,0xcdbd361576b340c6L,0xa184415a7d28392cL,
+        0xc184c1d8e96f7830L } },
+    /* 39 << 119 */
+    { { 0xc3204f1981d3a80fL,0xfde0c841c8e02432L,0x78203b3e8149e0c1L,
+        0x5904bdbb08053a73L },
+      { 0x30fc1dd1101b6805L,0x43c223bc49aa6d49L,0x9ed671417a174087L,
+        0x311469a0d5997008L } },
+    /* 40 << 119 */
+    { { 0xb189b6845e43fc61L,0xf3282375e0d3ab57L,0x4fa34b67b1181da8L,
+        0x621ed0b299ee52b8L },
+      { 0x9b178de1ad990676L,0xd51de67b56d54065L,0x2a2c27c47538c201L,
+        0x33856ec838a40f5cL } },
+    /* 41 << 119 */
+    { { 0x2522fc15be6cdcdeL,0x1e603f339f0c6f89L,0x7994edc3103e30a6L,
+        0x033a00db220c853eL },
+      { 0xd3cfa409f7bb7fd7L,0x70f8781e462d18f6L,0xbbd82980687fe295L,
+        0x6eef4c32595669f3L } },
+    /* 42 << 119 */
+    { { 0x86a9303b2f7e85c3L,0x5fce462171988f9bL,0x5b935bf6c138acb5L,
+        0x30ea7d6725661212L },
+      { 0xef1eb5f4e51ab9a2L,0x0587c98aae067c78L,0xb3ce1b3c77ca9ca6L,
+        0x2a553d4d54b5f057L } },
+    /* 43 << 119 */
+    { { 0xc78982364da29ec2L,0xdbdd5d13b9c57316L,0xc57d6e6b2cd80d47L,
+        0x80b460cffe9e7391L },
+      { 0x98648cabf963c31eL,0x67f9f633cc4d32fdL,0x0af42a9dfdf7c687L,
+        0x55f292a30b015ea7L } },
+    /* 44 << 119 */
+    { { 0x89e468b2cd21ab3dL,0xe504f022c393d392L,0xab21e1d4a5013af9L,
+        0xe3283f78c2c28acbL },
+      { 0xf38b35f6226bf99fL,0xe83542740e291e69L,0x61673a15b20c162dL,
+        0xc101dc75b04fbdbeL } },
+    /* 45 << 119 */
+    { { 0x8323b4c2255bd617L,0x6c9696936c2a9154L,0xc6e6586062679387L,
+        0x8e01db0cb8c88e23L },
+      { 0x33c42873893a5559L,0x7630f04b47a3e149L,0xb5d80805ddcf35f8L,
+        0x582ca08077dfe732L } },
+    /* 46 << 119 */
+    { { 0x2c7156e10b1894a0L,0x92034001d81c68c0L,0xed225d00c8b115b5L,
+        0x237f9c2283b907f2L },
+      { 0x0ea2f32f4470e2c0L,0xb725f7c158be4e95L,0x0f1dcafab1ae5463L,
+        0x59ed51871ba2fc04L } },
+    /* 47 << 119 */
+    { { 0xf6e0f316d0115d4dL,0x5180b12fd3691599L,0x157e32c9527f0a41L,
+        0x7b0b081da8e0ecc0L },
+      { 0x6dbaaa8abf4f0dd0L,0x99b289c74d252696L,0x79b7755edbf864feL,
+        0x6974e2b176cad3abL } },
+    /* 48 << 119 */
+    { { 0x35dbbee206ddd657L,0xe7cbdd112ff3a96dL,0x88381968076be758L,
+        0x2d737e7208c91f5dL },
+      { 0x5f83ab6286ec3776L,0x98aa649d945fa7a1L,0xf477ec3772ef0933L,
+        0x66f52b1e098c17b1L } },
+    /* 49 << 119 */
+    { { 0x9eec58fbd803738bL,0x91aaade7e4e86aa4L,0x6b1ae617a5b51492L,
+        0x63272121bbc45974L },
+      { 0x7e0e28f0862c5129L,0x0a8f79a93321a4a0L,0xe26d16645041c88fL,
+        0x0571b80553233e3aL } },
+    /* 50 << 119 */
+    { { 0xd1b0ccdec9520711L,0x55a9e4ed3c8b84bfL,0x9426bd39a1fef314L,
+        0x4f5f638e6eb93f2bL },
+      { 0xba2a1ed32bf9341bL,0xd63c13214d42d5a9L,0xd2964a89316dc7c5L,
+        0xd1759606ca511851L } },
+    /* 51 << 119 */
+    { { 0xd8a9201ff9e6ed35L,0xb7b5ee456736925aL,0x0a83fbbc99581af7L,
+        0x3076bc4064eeb051L },
+      { 0x5511c98c02dec312L,0x270de898238dcb78L,0x2cf4cf9c539c08c9L,
+        0xa70cb65e38d3b06eL } },
+    /* 52 << 119 */
+    { { 0xb12ec10ecfe57bbdL,0x82c7b65635a0c2b5L,0xddc7d5cd161c67bdL,
+        0xe32e8985ae3a32ccL },
+      { 0x7aba9444d11a5529L,0xe964ed022427fa1aL,0x1528392d24a1770aL,
+        0xa152ce2c12c72fcdL } },
+    /* 53 << 119 */
+    { { 0x714553a48ec07649L,0x18b4c290459dd453L,0xea32b7147b64b110L,
+        0xb871bfa52e6f07a2L },
+      { 0xb67112e59e2e3c9bL,0xfbf250e544aa90f6L,0xf77aedb8bd539006L,
+        0x3b0cdf9ad172a66fL } },
+    /* 54 << 119 */
+    { { 0xedf69feaf8c51187L,0x05bb67ec741e4da7L,0x47df0f3208114345L,
+        0x56facb07bb9792b1L },
+      { 0xf3e007e98f6229e4L,0x62d103f4526fba0fL,0x4f33bef7b0339d79L,
+        0x9841357bb59bfec1L } },
+    /* 55 << 119 */
+    { { 0xfa8dbb59c34e6705L,0xc3c7180b7fdaa84cL,0xf95872fca4108537L,
+        0x8750cc3b932a3e5aL },
+      { 0xb61cc69db7275d7dL,0xffa0168b2e59b2e9L,0xca032abc6ecbb493L,
+        0x1d86dbd32c9082d8L } },
+    /* 56 << 119 */
+    { { 0xae1e0b67e28ef5baL,0x2c9a4699cb18e169L,0x0ecd0e331e6bbd20L,
+        0x571b360eaf5e81d2L },
+      { 0xcd9fea58101c1d45L,0x6651788e18880452L,0xa99726351f8dd446L,
+        0x44bed022e37281d0L } },
+    /* 57 << 119 */
+    { { 0x094b2b2d33da525dL,0xf193678e13144fd8L,0xb8ab5ba4f4c1061dL,
+        0x4343b5fadccbe0f4L },
+      { 0xa870237163812713L,0x47bf6d2df7611d93L,0x46729b8cbd21e1d7L,
+        0x7484d4e0d629e77dL } },
+    /* 58 << 119 */
+    { { 0x830e6eea60dbac1fL,0x23d8c484da06a2f7L,0x896714b050ca535bL,
+        0xdc8d3644ebd97a9bL },
+      { 0x106ef9fab12177b4L,0xf79bf464534d5d9cL,0x2537a349a6ab360bL,
+        0xc7c54253a00c744fL } },
+    /* 59 << 119 */
+    { { 0xb3c7a047e5911a76L,0x61ffa5c8647f1ee7L,0x15aed36f8f56ab42L,
+        0x6a0d41b0a3ff9ac9L },
+      { 0x68f469f5cc30d357L,0xbe9adf816b72be96L,0x1cd926fe903ad461L,
+        0x7e89e38fcaca441bL } },
+    /* 60 << 119 */
+    { { 0xf0f82de5facf69d4L,0x363b7e764775344cL,0x6894f312b2e36d04L,
+        0x3c6cb4fe11d1c9a5L },
+      { 0x85d9c3394008e1f2L,0x5e9a85ea249f326cL,0xdc35c60a678c5e06L,
+        0xc08b944f9f86fba9L } },
+    /* 61 << 119 */
+    { { 0xde40c02c89f71f0fL,0xad8f3e31ff3da3c0L,0x3ea5096b42125dedL,
+        0x13879cbfa7379183L },
+      { 0x6f4714a56b306a0bL,0x359c2ea667646c5eL,0xfacf894307726368L,
+        0x07a5893565ff431eL } },
+    /* 62 << 119 */
+    { { 0x24d661d168754ab0L,0x801fce1d6f429a76L,0xc068a85fa58ce769L,
+        0xedc35c545d5eca2bL },
+      { 0xea31276fa3f660d1L,0xa0184ebeb8fc7167L,0x0f20f21a1d8db0aeL,
+        0xd96d095f56c35e12L } },
+    /* 63 << 119 */
+    { { 0xedf402b5f8c2a25bL,0x1bb772b9059204b6L,0x50cbeae219b4e34cL,
+        0x93109d803fa0845aL },
+      { 0x54f7ccf78ef59fb5L,0x3b438fe288070963L,0x9e28c65931f3ba9bL,
+        0x9cc31b46ead9da92L } },
+    /* 64 << 119 */
+    { { 0x3c2f0ba9b733aa5fL,0xdece47cbf05af235L,0xf8e3f715a2ac82a5L,
+        0xc97ba6412203f18aL },
+      { 0xc3af550409c11060L,0x56ea2c0546af512dL,0xfac28daff3f28146L,
+        0x87fab43a959ef494L } },
+    /* 0 << 126 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 126 */
+    { { 0x09891641d4c5105fL,0x1ae80f8e6d7fbd65L,0x9d67225fbee6bdb0L,
+        0x3b433b597fc4d860L },
+      { 0x44e66db693e85638L,0xf7b59252e3e9862fL,0xdb785157665c32ecL,
+        0x702fefd7ae362f50L } },
+    /* 2 << 126 */
+    { { 0x3754475d0fefb0c3L,0xd48fb56b46d7c35dL,0xa070b633363798a4L,
+        0xae89f3d28fdb98e6L },
+      { 0x970b89c86363d14cL,0x8981752167abd27dL,0x9bf7d47444d5a021L,
+        0xb3083bafcac72aeeL } },
+    /* 3 << 126 */
+    { { 0x389741debe949a44L,0x638e9388546a4fa5L,0x3fe6419ca0047bdcL,
+        0x7047f648aaea57caL },
+      { 0x54e48a9041fbab17L,0xda8e0b28576bdba2L,0xe807eebcc72afddcL,
+        0x07d3336df42577bfL } },
+    /* 4 << 126 */
+    { { 0x62a8c244bfe20925L,0x91c19ac38fdce867L,0x5a96a5d5dd387063L,
+        0x61d587d421d324f6L },
+      { 0xe87673a2a37173eaL,0x2384800853778b65L,0x10f8441e05bab43eL,
+        0xfa11fe124621efbeL } },
+    /* 5 << 126 */
+    { { 0x047b772e81685d7bL,0x23f27d81bf34a976L,0xc27608e2915f48efL,
+        0x3b0b43faa521d5c3L },
+      { 0x7613fb2663ca7284L,0x7f5729b41d4db837L,0x87b14898583b526bL,
+        0x00b732a6bbadd3d1L } },
+    /* 6 << 126 */
+    { { 0x8e02f4262048e396L,0x436b50b6383d9de4L,0xf78d3481471e85adL,
+        0x8b01ea6ad005c8d6L },
+      { 0xd3c7afee97015c07L,0x46cdf1a94e3ba2aeL,0x7a42e50183d3a1d2L,
+        0xd54b5268b541dff4L } },
+    /* 7 << 126 */
+    { { 0x3f24cf304e23e9bcL,0x4387f816126e3624L,0x26a46a033b0b6d61L,
+        0xaf1bc8458b2d777cL },
+      { 0x25c401ba527de79cL,0x0e1346d44261bbb6L,0x4b96c44b287b4bc7L,
+        0x658493c75254562fL } },
+    /* 8 << 126 */
+    { { 0x23f949feb8a24a20L,0x17ebfed1f52ca53fL,0x9b691bbebcfb4853L,
+        0x5617ff6b6278a05dL },
+      { 0x241b34c5e3c99ebdL,0xfc64242e1784156aL,0x4206482f695d67dfL,
+        0xb967ce0eee27c011L } },
+    /* 9 << 126 */
+    { { 0x65db375121c80b5dL,0x2e7a563ca31ecca0L,0xe56ffc4e5238a07eL,
+        0x3d6c296632ced854L },
+      { 0xe99d7d1aaf70b885L,0xafc3bad92d686459L,0x9c78bf460cc8ba5bL,
+        0x5a43951918955aa3L } },
+    /* 10 << 126 */
+    { { 0xf8b517a85fe4e314L,0xe60234d0fcb8906fL,0xffe542acf2061b23L,
+        0x287e191f6b4cb59cL },
+      { 0x21857ddc09d877d8L,0x1c23478c14678941L,0xbbf0c056b6e05ea4L,
+        0x82da4b53b01594feL } },
+    /* 11 << 126 */
+    { { 0xf7526791fadb8608L,0x049e832d7b74cdf6L,0xa43581ccc2b90a34L,
+        0x73639eb89360b10cL },
+      { 0x4fba331fe1e4a71bL,0x6ffd6b938072f919L,0x6e53271c65679032L,
+        0x67206444f14272ceL } },
+    /* 12 << 126 */
+    { { 0xc0f734a3b2335834L,0x9526205a90ef6860L,0xcb8be71704e2bb0dL,
+        0x2418871e02f383faL },
+      { 0xd71776814082c157L,0xcc914ad029c20073L,0xf186c1ebe587e728L,
+        0x6fdb3c2261bcd5fdL } },
+    /* 13 << 126 */
+    { { 0x30d014a6f2f9f8e9L,0x963ece234fec49d2L,0x862025c59605a8d9L,
+        0x3987444519f8929aL },
+      { 0x01b6ff6512bf476aL,0x598a64d809cf7d91L,0xd7ec774993be56caL,
+        0x10899785cbb33615L } },
+    /* 14 << 126 */
+    { { 0xb8a092fd02eee3adL,0xa86b3d3530145270L,0x323d98c68512b675L,
+        0x4b8bc78562ebb40fL },
+      { 0x7d301f54413f9cdeL,0xa5e4fb4f2bab5664L,0x1d2b252d1cbfec23L,
+        0xfcd576bbe177120dL } },
+    /* 15 << 126 */
+    { { 0x04427d3e83731a34L,0x2bb9028eed836e8eL,0xb36acff8b612ca7cL,
+        0xb88fe5efd3d9c73aL },
+      { 0xbe2a6bc6edea4eb3L,0x43b93133488eec77L,0xf41ff566b17106e1L,
+        0x469e9172654efa32L } },
+    /* 16 << 126 */
+    { { 0xb4480f0441c23fa3L,0xb4712eb0c1989a2eL,0x3ccbba0f93a29ca7L,
+        0x6e205c14d619428cL },
+      { 0x90db7957b3641686L,0x0432691d45ac8b4eL,0x07a759acf64e0350L,
+        0x0514d89c9c972517L } },
+    /* 17 << 126 */
+    { { 0x1701147fa8e67fc3L,0x9e2e0b8bab2085beL,0xd5651824ac284e57L,
+        0x890d432574893664L },
+      { 0x8a7c5e6ec55e68a3L,0xbf12e90b4339c85aL,0x31846b85f922b655L,
+        0x9a54ce4d0bf4d700L } },
+    /* 18 << 126 */
+    { { 0xd7f4e83af1a14295L,0x916f955cb285d4f9L,0xe57bb0e099ffdabaL,
+        0x28a43034eab0d152L },
+      { 0x0a36ffa2b8a9cef8L,0x5517407eb9ec051aL,0x9c796096ea68e672L,
+        0x853db5fbfb3c77fbL } },
+    /* 19 << 126 */
+    { { 0x21474ba9e864a51aL,0x6c2676996e8a1b8bL,0x7c82362694120a28L,
+        0xe61e9a488383a5dbL },
+      { 0x7dd750039f84216dL,0xab020d07ad43cd85L,0x9437ae48da12c659L,
+        0x6449c2ebe65452adL } },
+    /* 20 << 126 */
+    { { 0xcc7c4c1c2cf9d7c1L,0x1320886aee95e5abL,0xbb7b9056beae170cL,
+        0xc8a5b250dbc0d662L },
+      { 0x4ed81432c11d2303L,0x7da669121f03769fL,0x3ac7a5fd84539828L,
+        0x14dada943bccdd02L } },
+    /* 21 << 126 */
+    { { 0x8b84c3217ef6b0d1L,0x52a9477a7c933f22L,0x5ef6728afd440b82L,
+        0x5c3bd8596ce4bd5eL },
+      { 0x918b80f5f22c2d3eL,0x368d5040b7bb6cc5L,0xb66142a12695a11cL,
+        0x60ac583aeb19ea70L } },
+    /* 22 << 126 */
+    { { 0x317cbb980eab2437L,0x8cc08c555e2654c8L,0xfe2d6520e6d8307fL,
+        0xe9f147f357428993L },
+      { 0x5f9c7d14d2fd6cf1L,0xa3ecd0642d4fcbb0L,0xad83fef08e7341f7L,
+        0x643f23a03a63115cL } },
+    /* 23 << 126 */
+    { { 0xd38a78abe65ab743L,0xbf7c75b135edc89cL,0x3dd8752e530df568L,
+        0xf85c4a76e308c682L },
+      { 0x4c9955b2e68acf37L,0xa544df3dab32af85L,0x4b8ec3f5a25cf493L,
+        0x4d8f27641a622febL } },
+    /* 24 << 126 */
+    { { 0x7bb4f7aaf0dcbc49L,0x7de551f970bbb45bL,0xcfd0f3e49f2ca2e5L,
+        0xece587091f5c76efL },
+      { 0x32920edd167d79aeL,0x039df8a2fa7d7ec1L,0xf46206c0bb30af91L,
+        0x1ff5e2f522676b59L } },
+    /* 25 << 126 */
+    { { 0x11f4a0396ea51d66L,0x506c1445807d7a26L,0x60da5705755a9b24L,
+        0x8fc8cc321f1a319eL },
+      { 0x83642d4d9433d67dL,0x7fa5cb8f6a7dd296L,0x576591db9b7bde07L,
+        0x13173d25419716fbL } },
+    /* 26 << 126 */
+    { { 0xea30599dd5b340ffL,0xfc6b5297b0fe76c5L,0x1c6968c8ab8f5adcL,
+        0xf723c7f5901c928dL },
+      { 0x4203c3219773d402L,0xdf7c6aa31b51dd47L,0x3d49e37a552be23cL,
+        0x57febee80b5a6e87L } },
+    /* 27 << 126 */
+    { { 0xc5ecbee47bd8e739L,0x79d44994ae63bf75L,0x168bd00f38fb8923L,
+        0x75d48ee4d0533130L },
+      { 0x554f77aadb5cdf33L,0x3396e8963c696769L,0x2fdddbf2d3fd674eL,
+        0xbbb8f6ee99d0e3e5L } },
+    /* 28 << 126 */
+    { { 0x51b90651cbae2f70L,0xefc4bc0593aaa8ebL,0x8ecd8689dd1df499L,
+        0x1aee99a822f367a5L },
+      { 0x95d485b9ae8274c5L,0x6c14d4457d30b39cL,0xbafea90bbcc1ef81L,
+        0x7c5f317aa459a2edL } },
+    /* 29 << 126 */
+    { { 0x012110754ef44227L,0xa17bed6edc20f496L,0x0cdfe424819853cdL,
+        0x13793298f71e2ce7L },
+      { 0x3c1f3078dbbe307bL,0x6dd1c20e76ee9936L,0x23ee4b57423caa20L,
+        0x4ac3793b8efb840eL } },
+    /* 30 << 126 */
+    { { 0x934438ebed1f8ca0L,0x3e5466584ebb25a2L,0xc415af0ec069896fL,
+        0xc13eddb09a5aa43dL },
+      { 0x7a04204fd49eb8f6L,0xd0d5bdfcd74f1670L,0x3697e28656fc0558L,
+        0x1020737101cebadeL } },
+    /* 31 << 126 */
+    { { 0x5f87e6900647a82bL,0x908e0ed48f40054fL,0xa9f633d479853803L,
+        0x8ed13c9a4a28b252L },
+      { 0x3e2ef6761f460f64L,0x53930b9b36d06336L,0x347073ac8fc4979bL,
+        0x84380e0e5ecd5597L } },
+    /* 32 << 126 */
+    { { 0xe3b22c6bc4fe3c39L,0xba4a81536c7bebdfL,0xf23ab6b725693459L,
+        0x53bc377014922b11L },
+      { 0x4645c8ab5afc60dbL,0xaa02235520b9f2a3L,0x52a2954cce0fc507L,
+        0x8c2731bb7ce1c2e7L } },
+    /* 33 << 126 */
+    { { 0xf39608ab18a0339dL,0xac7a658d3735436cL,0xb22c2b07cd992b4fL,
+        0x4e83daecf40dcfd4L },
+      { 0x8a34c7be2f39ea3eL,0xef0c005fb0a56d2eL,0x62731f6a6edd8038L,
+        0x5721d7404e3cb075L } },
+    /* 34 << 126 */
+    { { 0x1ea41511fbeeee1bL,0xd1ef5e73ef1d0c05L,0x42feefd173c07d35L,
+        0xe530a00a8a329493L },
+      { 0x5d55b7fef15ebfb0L,0x549de03cd322491aL,0xf7b5f602745b3237L,
+        0x3632a3a21ab6e2b6L } },
+    /* 35 << 126 */
+    { { 0x0d3bba890ef59f78L,0x0dfc6443c9e52b9aL,0x1dc7969972631447L,
+        0xef033917b3be20b1L },
+      { 0x0c92735db1383948L,0xc1fc29a2c0dd7d7dL,0x6485b697403ed068L,
+        0x13bfaab3aac93bdcL } },
+    /* 36 << 126 */
+    { { 0x410dc6a90deeaf52L,0xb003fb024c641c15L,0x1384978c5bc504c4L,
+        0x37640487864a6a77L },
+      { 0x05991bc6222a77daL,0x62260a575e47eb11L,0xc7af6613f21b432cL,
+        0x22f3acc9ab4953e9L } },
+    /* 37 << 126 */
+    { { 0x529349228e41d155L,0x4d0245683ac059efL,0xb02017554d884411L,
+        0xce8055cfa59a178fL },
+      { 0xcd77d1aff6204549L,0xa0a00a3ec7066759L,0x471071ef0272c229L,
+        0x009bcf6bd3c4b6b0L } },
+    /* 38 << 126 */
+    { { 0x2a2638a822305177L,0xd51d59df41645bbfL,0xa81142fdc0a7a3c0L,
+        0xa17eca6d4c7063eeL },
+      { 0x0bb887ed60d9dcecL,0xd6d28e5120ad2455L,0xebed6308a67102baL,
+        0x042c31148bffa408L } },
+    /* 39 << 126 */
+    { { 0xfd099ac58aa68e30L,0x7a6a3d7c1483513eL,0xffcc6b75ba2d8f0cL,
+        0x54dacf961e78b954L },
+      { 0xf645696fa4a9af89L,0x3a41194006ac98ecL,0x41b8b3f622a67a20L,
+        0x2d0b1e0f99dec626L } },
+    /* 40 << 126 */
+    { { 0x27c8919240be34e8L,0xc7162b3791907f35L,0x90188ec1a956702bL,
+        0xca132f7ddf93769cL },
+      { 0x3ece44f90e2025b4L,0x67aaec690c62f14cL,0xad74141822e3cc11L,
+        0xcf9b75c37ff9a50eL } },
+    /* 41 << 126 */
+    { { 0x02fa2b164d348272L,0xbd99d61a9959d56dL,0xbc4f19db18762916L,
+        0xcc7cce5049c1ac80L },
+      { 0x4d59ebaad846bd83L,0x8775a9dca9202849L,0x07ec4ae16e1f4ca9L,
+        0x27eb5875ba893f11L } },
+    /* 42 << 126 */
+    { { 0x00284d51662cc565L,0x82353a6b0db4138dL,0xd9c7aaaaaa32a594L,
+        0xf5528b5ea5669c47L },
+      { 0xf32202312f23c5ffL,0xe3e8147a6affa3a1L,0xfb423d5c202ddda0L,
+        0x3d6414ac6b871bd4L } },
+    /* 43 << 126 */
+    { { 0x586f82e1a51a168aL,0xb712c67148ae5448L,0x9a2e4bd176233eb8L,
+        0x0188223a78811ca9L },
+      { 0x553c5e21f7c18de1L,0x7682e451b27bb286L,0x3ed036b30e51e929L,
+        0xf487211bec9cb34fL } },
+    /* 44 << 126 */
+    { { 0x0d0942770c24efc8L,0x0349fd04bef737a4L,0x6d1c9dd2514cdd28L,
+        0x29c135ff30da9521L },
+      { 0xea6e4508f78b0b6fL,0x176f5dd2678c143cL,0x081484184be21e65L,
+        0x27f7525ce7df38c4L } },
+    /* 45 << 126 */
+    { { 0x1fb70e09748ab1a4L,0x9cba50a05efe4433L,0x7846c7a615f75af2L,
+        0x2a7c2c575ee73ea8L },
+      { 0x42e566a43f0a449aL,0x45474c3bad90fc3dL,0x7447be3d8b61d057L,
+        0x3e9d1cf13a4ec092L } },
+    /* 46 << 126 */
+    { { 0x1603e453f380a6e6L,0x0b86e4319b1437c2L,0x7a4173f2ef29610aL,
+        0x8fa729a7f03d57f7L },
+      { 0x3e186f6e6c9c217eL,0xbe1d307991919524L,0x92a62a70153d4fb1L,
+        0x32ed3e34d68c2f71L } },
+    /* 47 << 126 */
+    { { 0xd785027f9eb1a8b7L,0xbc37eb77c5b22fe8L,0x466b34f0b9d6a191L,
+        0x008a89af9a05f816L },
+      { 0x19b028fb7d42c10aL,0x7fe8c92f49b3f6b8L,0x58907cc0a5a0ade3L,
+        0xb3154f51559d1a7cL } },
+    /* 48 << 126 */
+    { { 0x5066efb6d9790ed6L,0xa77a0cbca6aa793bL,0x1a915f3c223e042eL,
+        0x1c5def0469c5874bL },
+      { 0x0e83007873b6c1daL,0x55cf85d2fcd8557aL,0x0f7c7c760460f3b1L,
+        0x87052acb46e58063L } },
+    /* 49 << 126 */
+    { { 0x09212b80907eae66L,0x3cb068e04d721c89L,0xa87941aedd45ac1cL,
+        0xde8d5c0d0daa0dbbL },
+      { 0xda421fdce3502e6eL,0xc89442014d89a084L,0x7307ba5ef0c24bfbL,
+        0xda212beb20bde0efL } },
+    /* 50 << 126 */
+    { { 0xea2da24bf82ce682L,0x058d381607f71fe4L,0x35a024625ffad8deL,
+        0xcd7b05dcaadcefabL },
+      { 0xd442f8ed1d9f54ecL,0x8be3d618b2d3b5caL,0xe2220ed0e06b2ce2L,
+        0x82699a5f1b0da4c0L } },
+    /* 51 << 126 */
+    { { 0x3ff106f571c0c3a7L,0x8f580f5a0d34180cL,0x4ebb120e22d7d375L,
+        0x5e5782cce9513675L },
+      { 0x2275580c99c82a70L,0xe8359fbf15ea8c4cL,0x53b48db87b415e70L,
+        0xaacf2240100c6014L } },
+    /* 52 << 126 */
+    { { 0x9faaccf5e4652f1dL,0xbd6fdd2ad56157b2L,0xa4f4fb1f6261ec50L,
+        0x244e55ad476bcd52L },
+      { 0x881c9305047d320bL,0x1ca983d56181263fL,0x354e9a44278fb8eeL,
+        0xad2dbc0f396e4964L } },
+    /* 53 << 126 */
+    { { 0x723f3aa29268b3deL,0x0d1ca29ae6e0609aL,0x794866aa6cf44252L,
+        0x0b59f3e301af87edL },
+      { 0xe234e5ff7f4a6c51L,0xa8768fd261dc2f7eL,0xdafc73320a94d81fL,
+        0xd7f8428206938ce1L } },
+    /* 54 << 126 */
+    { { 0xae0b3c0e0546063eL,0x7fbadcb25d61abc6L,0xd5d7a2c9369ac400L,
+        0xa5978d09ae67d10cL },
+      { 0x290f211e4f85eaacL,0xe61e2ad1facac681L,0xae125225388384cdL,
+        0xa7fb68e9ccfde30fL } },
+    /* 55 << 126 */
+    { { 0x7a59b9363daed4c2L,0x80a9aa402606f789L,0xb40c1ea5f6a6d90aL,
+        0x948364d3514d5885L },
+      { 0x062ebc6070985182L,0xa6db5b0e33310895L,0x64a12175e329c2f5L,
+        0xc5f25bd290ea237eL } },
+    /* 56 << 126 */
+    { { 0x7915c5242d0a4c23L,0xeb5d26e46bb3cc52L,0x369a9116c09e2c92L,
+        0x0c527f92cf182cf8L },
+      { 0x9e5919382aede0acL,0xb29222086cc34939L,0x3c9d896299a34361L,
+        0x3c81836dc1905fe6L } },
+    /* 57 << 126 */
+    { { 0x4bfeb57fa001ec5aL,0xe993f5bba0dc5dbaL,0x47884109724a1380L,
+        0x8a0369ab32fe9a04L },
+      { 0xea068d608c927db8L,0xbf5f37cf94655741L,0x47d402a204b6c7eaL,
+        0x4551c2956af259cbL } },
+    /* 58 << 126 */
+    { { 0x698b71e7ed77ee8bL,0xbddf7bd0f309d5c7L,0x6201c22c34e780caL,
+        0xab04f7d84c295ef4L },
+      { 0x1c9472944313a8ceL,0xe532e4ac92ca4cfeL,0x89738f80d0a7a97aL,
+        0xec088c88a580fd5bL } },
+    /* 59 << 126 */
+    { { 0x612b1ecc42ce9e51L,0x8f9840fdb25fdd2aL,0x3cda78c001e7f839L,
+        0x546b3d3aece05480L },
+      { 0x271719a980d30916L,0x45497107584c20c4L,0xaf8f94785bc78608L,
+        0x28c7d484277e2a4cL } },
+    /* 60 << 126 */
+    { { 0xfce0176788a2ffe4L,0xdc506a3528e169a5L,0x0ea108617af9c93aL,
+        0x1ed2436103fa0e08L },
+      { 0x96eaaa92a3d694e7L,0xc0f43b4def50bc74L,0xce6aa58c64114db4L,
+        0x8218e8ea7c000fd4L } },
+    /* 61 << 126 */
+    { { 0xac815dfb185f8844L,0xcd7e90cb1557abfbL,0x23d16655afbfecdfL,
+        0x80f3271f085cac4aL },
+      { 0x7fc39aa7d0e62f47L,0x88d519d1460a48e5L,0x59559ac4d28f101eL,
+        0x7981d9e9ca9ae816L } },
+    /* 62 << 126 */
+    { { 0x5c38652c9ac38203L,0x86eaf87f57657fe5L,0x568fc472e21f5416L,
+        0x2afff39ce7e597b5L },
+      { 0x3adbbb07256d4eabL,0x225986928285ab89L,0x35f8112a041caefeL,
+        0x95df02e3a5064c8bL } },
+    /* 63 << 126 */
+    { { 0x4d63356ec7004bf3L,0x230a08f4db83c7deL,0xca27b2708709a7b7L,
+        0x0d1c4cc4cb9abd2dL },
+      { 0x8a0bc66e7550fee8L,0x369cd4c79cf7247eL,0x75562e8492b5b7e7L,
+        0x8fed0da05802af7bL } },
+    /* 64 << 126 */
+    { { 0x6a7091c2e48fb889L,0x26882c137b8a9d06L,0xa24986631b82a0e2L,
+        0x844ed7363518152dL },
+      { 0x282f476fd86e27c7L,0xa04edaca04afefdcL,0x8b256ebc6119e34dL,
+        0x56a413e90787d78bL } },
+    /* 0 << 133 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 133 */
+    { { 0x82ee061d5a74be50L,0xe41781c4dea16ff5L,0xe0b0c81e99bfc8a2L,
+        0x624f4d690b547e2dL },
+      { 0x3a83545dbdcc9ae4L,0x2573dbb6409b1e8eL,0x482960c4a6c93539L,
+        0xf01059ad5ae18798L } },
+    /* 2 << 133 */
+    { { 0x715c9f973112795fL,0xe8244437984e6ee1L,0x55cb4858ecb66bcdL,
+        0x7c136735abaffbeeL },
+      { 0x546615955dbec38eL,0x51c0782c388ad153L,0x9ba4c53ac6e0952fL,
+        0x27e6782a1b21dfa8L } },
+    /* 3 << 133 */
+    { { 0x682f903d4ed2dbc2L,0x0eba59c87c3b2d83L,0x8e9dc84d9c7e9335L,
+        0x5f9b21b00eb226d7L },
+      { 0xe33bd394af267baeL,0xaa86cc25be2e15aeL,0x4f0bf67d6a8ec500L,
+        0x5846aa44f9630658L } },
+    /* 4 << 133 */
+    { { 0xfeb09740e2c2bf15L,0x627a2205a9e99704L,0xec8d73d0c2fbc565L,
+        0x223eed8fc20c8de8L },
+      { 0x1ee32583a8363b49L,0x1a0b6cb9c9c2b0a6L,0x49f7c3d290dbc85cL,
+        0xa8dfbb971ef4c1acL } },
+    /* 5 << 133 */
+    { { 0xafb34d4c65c7c2abL,0x1d4610e7e2c5ea84L,0x893f6d1b973c4ab5L,
+        0xa3cdd7e9945ba5c4L },
+      { 0x60514983064417eeL,0x1459b23cad6bdf2bL,0x23b2c3415cf726c3L,
+        0x3a82963532d6354aL } },
+    /* 6 << 133 */
+    { { 0x294f901fab192c18L,0xec5fcbfe7030164fL,0xe2e2fcb7e2246ba6L,
+        0x1e7c88b3221a1a0cL },
+      { 0x72c7dd93c92d88c5L,0x41c2148e1106fb59L,0x547dd4f5a0f60f14L,
+        0xed9b52b263960f31L } },
+    /* 7 << 133 */
+    { { 0x6c8349ebb0a5b358L,0xb154c5c29e7e2ed6L,0xcad5eccfeda462dbL,
+        0xf2d6dbe42de66b69L },
+      { 0x426aedf38665e5b2L,0x488a85137b7f5723L,0x15cc43b38bcbb386L,
+        0x27ad0af3d791d879L } },
+    /* 8 << 133 */
+    { { 0xc16c236e846e364fL,0x7f33527cdea50ca0L,0xc48107750926b86dL,
+        0x6c2a36090598e70cL },
+      { 0xa6755e52f024e924L,0xe0fa07a49db4afcaL,0x15c3ce7d66831790L,
+        0x5b4ef350a6cbb0d6L } },
+    /* 9 << 133 */
+    { { 0x2c4aafc4b6205969L,0x42563f02f6c7854fL,0x016aced51d983b48L,
+        0xfeb356d899949755L },
+      { 0x8c2a2c81d1a39bd7L,0x8f44340fe6934ae9L,0x148cf91c447904daL,
+        0x7340185f0f51a926L } },
+    /* 10 << 133 */
+    { { 0x2f8f00fb7409ab46L,0x057e78e680e289b2L,0x03e5022ca888e5d1L,
+        0x3c87111a9dede4e2L },
+      { 0x5b9b0e1c7809460bL,0xe751c85271c9abc7L,0x8b944e28c7cc1dc9L,
+        0x4f201ffa1d3cfa08L } },
+    /* 11 << 133 */
+    { { 0x02fc905c3e6721ceL,0xd52d70dad0b3674cL,0x5dc2e5ca18810da4L,
+        0xa984b2735c69dd99L },
+      { 0x63b9252784de5ca4L,0x2f1c9872c852dec4L,0x18b03593c2e3de09L,
+        0x19d70b019813dc2fL } },
+    /* 12 << 133 */
+    { { 0x42806b2da6dc1d29L,0xd3030009f871e144L,0xa1feb333aaf49276L,
+        0xb5583b9ec70bc04bL },
+      { 0x1db0be7895695f20L,0xfc84181189d012b5L,0x6409f27205f61643L,
+        0x40d34174d5883128L } },
+    /* 13 << 133 */
+    { { 0xd79196f567419833L,0x6059e252863b7b08L,0x84da18171c56700cL,
+        0x5758ee56b28d3ec4L },
+      { 0x7da2771d013b0ea6L,0xfddf524b54c5e9b9L,0x7df4faf824305d80L,
+        0x58f5c1bf3a97763fL } },
+    /* 14 << 133 */
+    { { 0xa5af37f17c696042L,0xd4cba22c4a2538deL,0x211cb9959ea42600L,
+        0xcd105f417b069889L },
+      { 0xb1e1cf19ddb81e74L,0x472f2d895157b8caL,0x086fb008ee9db885L,
+        0x365cd5700f26d131L } },
+    /* 15 << 133 */
+    { { 0x284b02bba2be7053L,0xdcbbf7c67ab9a6d6L,0x4425559c20f7a530L,
+        0x961f2dfa188767c8L },
+      { 0xe2fd943570dc80c4L,0x104d6b63f0784120L,0x7f592bc153567122L,
+        0xf6bc1246f688ad77L } },
+    /* 16 << 133 */
+    { { 0x05214c050f15dde9L,0xa47a76a80d5f2b82L,0xbb254d3062e82b62L,
+        0x11a05fe03ec955eeL },
+      { 0x7eaff46e9d529b36L,0x55ab13018f9e3df6L,0xc463e37199317698L,
+        0xfd251438ccda47adL } },
+    /* 17 << 133 */
+    { { 0xca9c354723d695eaL,0x48ce626e16e589b5L,0x6b5b64c7b187d086L,
+        0xd02e1794b2207948L },
+      { 0x8b58e98f7198111dL,0x90ca6305dcf9c3ccL,0x5691fe72f34089b0L,
+        0x60941af1fc7c80ffL } },
+    /* 18 << 133 */
+    { { 0xa09bc0a222eb51e5L,0xc0bb7244aa9cf09aL,0x36a8077f80159f06L,
+        0x8b5c989edddc560eL },
+      { 0x19d2f316512e1f43L,0x02eac554ad08ff62L,0x012ab84c07d20b4eL,
+        0x37d1e115d6d4e4e1L } },
+    /* 19 << 133 */
+    { { 0xb6443e1aab7b19a8L,0xf08d067edef8cd45L,0x63adf3e9685e03daL,
+        0xcf15a10e4792b916L },
+      { 0xf44bcce5b738a425L,0xebe131d59636b2fdL,0x940688417850d605L,
+        0x09684eaab40d749dL } },
+    /* 20 << 133 */
+    { { 0x8c3c669c72ba075bL,0x89f78b55ba469015L,0x5706aade3e9f8ba8L,
+        0x6d8bd565b32d7ed7L },
+      { 0x25f4e63b805f08d6L,0x7f48200dc3bcc1b5L,0x4e801968b025d847L,
+        0x74afac0487cbe0a8L } },
+    /* 21 << 133 */
+    { { 0x43ed2c2b7e63d690L,0xefb6bbf00223cdb8L,0x4fec3cae2884d3feL,
+        0x065ecce6d75e25a4L },
+      { 0x6c2294ce69f79071L,0x0d9a8e5f044b8666L,0x5009f23817b69d8fL,
+        0x3c29f8fec5dfdaf7L } },
+    /* 22 << 133 */
+    { { 0x9067528febae68c4L,0x5b38563230c5ba21L,0x540df1191fdd1aecL,
+        0xcf37825bcfba4c78L },
+      { 0x77eff980beb11454L,0x40a1a99160c1b066L,0xe8018980f889a1c7L,
+        0xb9c52ae976c24be0L } },
+    /* 23 << 133 */
+    { { 0x05fbbcce45650ef4L,0xae000f108aa29ac7L,0x884b71724f04c470L,
+        0x7cd4fde219bb5c25L },
+      { 0x6477b22ae8840869L,0xa88688595fbd0686L,0xf23cc02e1116dfbaL,
+        0x76cd563fd87d7776L } },
+    /* 24 << 133 */
+    { { 0xe2a37598a9d82abfL,0x5f188ccbe6c170f5L,0x816822005066b087L,
+        0xda22c212c7155adaL },
+      { 0x151e5d3afbddb479L,0x4b606b846d715b99L,0x4a73b54bf997cb2eL,
+        0x9a1bfe433ecd8b66L } },
+    /* 25 << 133 */
+    { { 0x1c3128092a67d48aL,0xcd6a671e031fa9e2L,0xbec3312a0e43a34aL,
+        0x1d93563955ef47d3L },
+      { 0x5ea024898fea73eaL,0x8247b364a035afb2L,0xb58300a65265b54cL,
+        0x3286662f722c7148L } },
+    /* 26 << 133 */
+    { { 0xb77fd76bb4ec4c20L,0xf0a12fa70f3fe3fdL,0xf845bbf541d8c7e8L,
+        0xe4d969ca5ec10aa8L },
+      { 0x4c0053b743e232a3L,0xdc7a3fac37f8a45aL,0x3c4261c520d81c8fL,
+        0xfd4b3453b00eab00L } },
+    /* 27 << 133 */
+    { { 0x76d48f86d36e3062L,0x626c5277a143ff02L,0x538174deaf76f42eL,
+        0x2267aa866407ceacL },
+      { 0xfad7635172e572d5L,0xab861af7ba7330ebL,0xa0a1c8c7418d8657L,
+        0x988821cb20289a52L } },
+    /* 28 << 133 */
+    { { 0x79732522cccc18adL,0xaadf3f8df1a6e027L,0xf7382c9317c2354dL,
+        0x5ce1680cd818b689L },
+      { 0x359ebbfcd9ecbee9L,0x4330689c1cae62acL,0xb55ce5b4c51ac38aL,
+        0x7921dfeafe238ee8L } },
+    /* 29 << 133 */
+    { { 0x3972bef8271d1ca5L,0x3e423bc7e8aabd18L,0x57b09f3f44a3e5e3L,
+        0x5da886ae7b444d66L },
+      { 0x68206634a9964375L,0x356a2fa3699cd0ffL,0xaf0faa24dba515e9L,
+        0x536e1f5cb321d79aL } },
+    /* 30 << 133 */
+    { { 0xd3b9913a5c04e4eaL,0xd549dcfed6f11513L,0xee227bf579fd1d94L,
+        0x9f35afeeb43f2c67L },
+      { 0xd2638d24f1314f53L,0x62baf948cabcd822L,0x5542de294ef48db0L,
+        0xb3eb6a04fc5f6bb2L } },
+    /* 31 << 133 */
+    { { 0x23c110ae1208e16aL,0x1a4d15b5f8363e24L,0x30716844164be00bL,
+        0xa8e24824f6f4690dL },
+      { 0x548773a290b170cfL,0xa1bef33142f191f4L,0x70f418d09247aa97L,
+        0xea06028e48be9147L } },
+    /* 32 << 133 */
+    { { 0xe13122f3dbfb894eL,0xbe9b79f6ce274b18L,0x85a49de5ca58aadfL,
+        0x2495775811487351L },
+      { 0x111def61bb939099L,0x1d6a974a26d13694L,0x4474b4ced3fc253bL,
+        0x3a1485e64c5db15eL } },
+    /* 33 << 133 */
+    { { 0xe79667b4147c15b4L,0xe34f553b7bc61301L,0x032b80f817094381L,
+        0x55d8bafd723eaa21L },
+      { 0x5a987995f1c0e74eL,0x5a9b292eebba289cL,0x413cd4b2eb4c8251L,
+        0x98b5d243d162db0aL } },
+    /* 34 << 133 */
+    { { 0xbb47bf6668342520L,0x08d68949baa862d1L,0x11f349c7e906abcdL,
+        0x454ce985ed7bf00eL },
+      { 0xacab5c9eb55b803bL,0xb03468ea31e3c16dL,0x5c24213dd273bf12L,
+        0x211538eb71587887L } },
+    /* 35 << 133 */
+    { { 0x198e4a2f731dea2dL,0xd5856cf274ed7b2aL,0x86a632eb13a664feL,
+        0x932cd909bda41291L },
+      { 0x850e95d4c0c4ddc0L,0xc0f422f8347fc2c9L,0xe68cbec486076bcbL,
+        0xf9e7c0c0cd6cd286L } },
+    /* 36 << 133 */
+    { { 0x65994ddb0f5f27caL,0xe85461fba80d59ffL,0xff05481a66601023L,
+        0xc665427afc9ebbfbL },
+      { 0xb0571a697587fd52L,0x935289f88d49efceL,0x61becc60ea420688L,
+        0xb22639d913a786afL } },
+    /* 37 << 133 */
+    { { 0x1a8e6220361ecf90L,0x001f23e025506463L,0xe4ae9b5d0a5c2b79L,
+        0xebc9cdadd8149db5L },
+      { 0xb33164a1934aa728L,0x750eb00eae9b60f3L,0x5a91615b9b9cfbfdL,
+        0x97015cbfef45f7f6L } },
+    /* 38 << 133 */
+    { { 0xb462c4a5bf5151dfL,0x21adcc41b07118f2L,0xd60c545b043fa42cL,
+        0xfc21aa54e96be1abL },
+      { 0xe84bc32f4e51ea80L,0x3dae45f0259b5d8dL,0xbb73c7ebc38f1b5eL,
+        0xe405a74ae8ae617dL } },
+    /* 39 << 133 */
+    { { 0xbb1ae9c69f1c56bdL,0x8c176b9849f196a4L,0xc448f3116875092bL,
+        0xb5afe3de9f976033L },
+      { 0xa8dafd49145813e5L,0x687fc4d9e2b34226L,0xf2dfc92d4c7ff57fL,
+        0x004e3fc1401f1b46L } },
+    /* 40 << 133 */
+    { { 0x5afddab61430c9abL,0x0bdd41d32238e997L,0xf0947430418042aeL,
+        0x71f9addacdddc4cbL },
+      { 0x7090c016c52dd907L,0xd9bdf44d29e2047fL,0xe6f1fe801b1011a6L,
+        0xb63accbcd9acdc78L } },
+    /* 41 << 133 */
+    { { 0xcfc7e2351272a95bL,0x0c667717a6276ac8L,0x3c0d3709e2d7eef7L,
+        0x5add2b069a685b3eL },
+      { 0x363ad32d14ea5d65L,0xf8e01f068d7dd506L,0xc9ea221375b4aac6L,
+        0xed2a2bf90d353466L } },
+    /* 42 << 133 */
+    { { 0x439d79b5e9d3a7c3L,0x8e0ee5a681b7f34bL,0xcf3dacf51dc4ba75L,
+        0x1d3d1773eb3310c7L },
+      { 0xa8e671127747ae83L,0x31f43160197d6b40L,0x0521cceecd961400L,
+        0x67246f11f6535768L } },
+    /* 43 << 133 */
+    { { 0x702fcc5aef0c3133L,0x247cc45d7e16693bL,0xfd484e49c729b749L,
+        0x522cef7db218320fL },
+      { 0xe56ef40559ab93b3L,0x225fba119f181071L,0x33bd659515330ed0L,
+        0xc4be69d51ddb32f7L } },
+    /* 44 << 133 */
+    { { 0x264c76680448087cL,0xac30903f71432daeL,0x3851b26600f9bf47L,
+        0x400ed3116cdd6d03L },
+      { 0x045e79fef8fd2424L,0xfdfd974afa6da98bL,0x45c9f6410c1e673aL,
+        0x76f2e7335b2c5168L } },
+    /* 45 << 133 */
+    { { 0x1adaebb52a601753L,0xb286514cc57c2d49L,0xd87696701e0bfd24L,
+        0x950c547e04478922L },
+      { 0xd1d41969e5d32bfeL,0x30bc1472750d6c3eL,0x8f3679fee0e27f3aL,
+        0x8f64a7dca4a6ee0cL } },
+    /* 46 << 133 */
+    { { 0x2fe59937633dfb1fL,0xea82c395977f2547L,0xcbdfdf1a661ea646L,
+        0xc7ccc591b9085451L },
+      { 0x8217796281761e13L,0xda57596f9196885cL,0xbc17e84928ffbd70L,
+        0x1e6e0a412671d36fL } },
+    /* 47 << 133 */
+    { { 0x61ae872c4152fcf5L,0x441c87b09e77e754L,0xd0799dd5a34dff09L,
+        0x766b4e4488a6b171L },
+      { 0xdc06a51211f1c792L,0xea02ae934be35c3eL,0xe5ca4d6de90c469eL,
+        0x4df4368e56e4ff5cL } },
+    /* 48 << 133 */
+    { { 0x7817acab4baef62eL,0x9f5a2202a85b91e8L,0x9666ebe66ce57610L,
+        0x32ad31f3f73bfe03L },
+      { 0x628330a425bcf4d6L,0xea950593515056e6L,0x59811c89e1332156L,
+        0xc89cf1fe8c11b2d7L } },
+    /* 49 << 133 */
+    { { 0x75b6391304e60cc0L,0xce811e8d4625d375L,0x030e43fc2d26e562L,
+        0xfbb30b4b608d36a0L },
+      { 0x634ff82c48528118L,0x7c6fe085cd285911L,0x7f2830c099358f28L,
+        0x2e60a95e665e6c09L } },
+    /* 50 << 133 */
+    { { 0x08407d3d9b785dbfL,0x530889aba759bce7L,0xf228e0e652f61239L,
+        0x2b6d14616879be3cL },
+      { 0xe6902c0451a7bbf7L,0x30ad99f076f24a64L,0x66d9317a98bc6da0L,
+        0xf4f877f3cb596ac0L } },
+    /* 51 << 133 */
+    { { 0xb05ff62d4c44f119L,0x4555f536e9b77416L,0xc7c0d0598caed63bL,
+        0x0cd2b7cec358b2a9L },
+      { 0x3f33287b46945fa3L,0xf8785b20d67c8791L,0xc54a7a619637bd08L,
+        0x54d4598c18be79d7L } },
+    /* 52 << 133 */
+    { { 0x889e5acbc46d7ce1L,0x9a515bb78b085877L,0xfac1a03d0b7a5050L,
+        0x7d3e738af2926035L },
+      { 0x861cc2ce2a6cb0ebL,0x6f2e29558f7adc79L,0x61c4d45133016376L,
+        0xd9fd2c805ad59090L } },
+    /* 53 << 133 */
+    { { 0xe5a83738b2b836a1L,0x855b41a07c0d6622L,0x186fe3177cc19af1L,
+        0x6465c1fffdd99acbL },
+      { 0x46e5c23f6974b99eL,0x75a7cf8ba2717cbeL,0x4d2ebc3f062be658L,
+        0x094b44475f209c98L } },
+    /* 54 << 133 */
+    { { 0x4af285edb940cb5aL,0x6706d7927cc82f10L,0xc8c8776c030526faL,
+        0xfa8e6f76a0da9140L },
+      { 0x77ea9d34591ee4f0L,0x5f46e33740274166L,0x1bdf98bbea671457L,
+        0xd7c08b46862a1fe2L } },
+    /* 55 << 133 */
+    { { 0x46cc303c1c08ad63L,0x995434404c845e7bL,0x1b8fbdb548f36bf7L,
+        0x5b82c3928c8273a7L },
+      { 0x08f712c4928435d5L,0x071cf0f179330380L,0xc74c2d24a8da054aL,
+        0xcb0e720143c46b5cL } },
+    /* 56 << 133 */
+    { { 0x0ad7337ac0b7eff3L,0x8552225ec5e48b3cL,0xe6f78b0c73f13a5fL,
+        0x5e70062e82349cbeL },
+      { 0x6b8d5048e7073969L,0x392d2a29c33cb3d2L,0xee4f727c4ecaa20fL,
+        0xa068c99e2ccde707L } },
+    /* 57 << 133 */
+    { { 0xfcd5651fb87a2913L,0xea3e3c153cc252f0L,0x777d92df3b6cd3e4L,
+        0x7a414143c5a732e7L },
+      { 0xa895951aa71ff493L,0xfe980c92bbd37cf6L,0x45bd5e64decfeeffL,
+        0x910dc2a9a44c43e9L } },
+    /* 58 << 133 */
+    { { 0xcb403f26cca9f54dL,0x928bbdfb9303f6dbL,0x3c37951ea9eee67cL,
+        0x3bd61a52f79961c3L },
+      { 0x09a238e6395c9a79L,0x6940ca2d61eb352dL,0x7d1e5c5ec1875631L,
+        0x1e19742c1e1b20d1L } },
+    /* 59 << 133 */
+    { { 0x4633d90823fc2e6eL,0xa76e29a908959149L,0x61069d9c84ed7da5L,
+        0x0baa11cf5dbcad51L },
+      { 0xd01eec64961849daL,0x93b75f1faf3d8c28L,0x57bc4f9f1ca2ee44L,
+        0x5a26322d00e00558L } },
+    /* 60 << 133 */
+    { { 0x1888d65861a023efL,0x1d72aab4b9e5246eL,0xa9a26348e5563ec0L,
+        0xa0971963c3439a43L },
+      { 0x567dd54badb9b5b7L,0x73fac1a1c45a524bL,0x8fe97ef7fe38e608L,
+        0x608748d23f384f48L } },
+    /* 61 << 133 */
+    { { 0xb0571794c486094fL,0x869254a38bf3a8d6L,0x148a8dd1310b0e25L,
+        0x99ab9f3f9aa3f7d8L },
+      { 0x0927c68a6706c02eL,0x22b5e76c69790e6cL,0x6c3252606c71376cL,
+        0x53a5769009ef6657L } },
+    /* 62 << 133 */
+    { { 0x8d63f852edffcf3aL,0xb4d2ed043c0a6f55L,0xdb3aa8de12519b9eL,
+        0x5d38e9c41e0a569aL },
+      { 0x871528bf303747e2L,0xa208e77cf5b5c18dL,0x9d129c88ca6bf923L,
+        0xbcbf197fbf02839fL } },
+    /* 63 << 133 */
+    { { 0x9b9bf03027323194L,0x3b055a8b339ca59dL,0xb46b23120f669520L,
+        0x19789f1f497e5f24L },
+      { 0x9c499468aaf01801L,0x72ee11908b69d59cL,0x8bd39595acf4c079L,
+        0x3ee11ece8e0cd048L } },
+    /* 64 << 133 */
+    { { 0xebde86ec1ed66f18L,0x225d906bd61fce43L,0x5cab07d6e8bed74dL,
+        0x16e4617f27855ab7L },
+      { 0x6568aaddb2fbc3ddL,0xedb5484f8aeddf5bL,0x878f20e86dcf2fadL,
+        0x3516497c615f5699L } },
+    /* 0 << 140 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 140 */
+    { { 0xef0a3fecfa181e69L,0x9ea02f8130d69a98L,0xb2e9cf8e66eab95dL,
+        0x520f2beb24720021L },
+      { 0x621c540a1df84361L,0x1203772171fa6d5dL,0x6e3c7b510ff5f6ffL,
+        0x817a069babb2bef3L } },
+    /* 2 << 140 */
+    { { 0x83572fb6b294cda6L,0x6ce9bf75b9039f34L,0x20e012f0095cbb21L,
+        0xa0aecc1bd063f0daL },
+      { 0x57c21c3af02909e5L,0xc7d59ecf48ce9cdcL,0x2732b8448ae336f8L,
+        0x056e37233f4f85f4L } },
+    /* 3 << 140 */
+    { { 0x8a10b53189e800caL,0x50fe0c17145208fdL,0x9e43c0d3b714ba37L,
+        0x427d200e34189accL },
+      { 0x05dee24fe616e2c0L,0x9c25f4c8ee1854c1L,0x4d3222a58f342a73L,
+        0x0807804fa027c952L } },
+    /* 4 << 140 */
+    { { 0xc222653a4f0d56f3L,0x961e4047ca28b805L,0x2c03f8b04a73434bL,
+        0x4c966787ab712a19L },
+      { 0xcc196c42864fee42L,0xc1be93da5b0ece5cL,0xa87d9f22c131c159L,
+        0x2bb6d593dce45655L } },
+    /* 5 << 140 */
+    { { 0x22c49ec9b809b7ceL,0x8a41486be2c72c2cL,0x813b9420fea0bf36L,
+        0xb3d36ee9a66dac69L },
+      { 0x6fddc08a328cc987L,0x0a3bcd2c3a326461L,0x7103c49dd810dbbaL,
+        0xf9d81a284b78a4c4L } },
+    /* 6 << 140 */
+    { { 0x3de865ade4d55941L,0xdedafa5e30384087L,0x6f414abb4ef18b9bL,
+        0x9ee9ea42faee5268L },
+      { 0x260faa1637a55a4aL,0xeb19a514015f93b9L,0x51d7ebd29e9c3598L,
+        0x523fc56d1932178eL } },
+    /* 7 << 140 */
+    { { 0x501d070cb98fe684L,0xd60fbe9a124a1458L,0xa45761c892bc6b3fL,
+        0xf5384858fe6f27cbL },
+      { 0x4b0271f7b59e763bL,0x3d4606a95b5a8e5eL,0x1eda5d9b05a48292L,
+        0xda7731d0e6fec446L } },
+    /* 8 << 140 */
+    { { 0xa3e3369390d45871L,0xe976404006166d8dL,0xb5c3368289a90403L,
+        0x4bd1798372f1d637L },
+      { 0xa616679ed5d2c53aL,0x5ec4bcd8fdcf3b87L,0xae6d7613b66a694eL,
+        0x7460fc76e3fc27e5L } },
+    /* 9 << 140 */
+    { { 0x70469b8295caabeeL,0xde024ca5889501e3L,0x6bdadc06076ed265L,
+        0x0cb1236b5a0ef8b2L },
+      { 0x4065ddbf0972ebf9L,0xf1dd387522aca432L,0xa88b97cf744aff76L,
+        0xd1359afdfe8e3d24L } },
+    /* 10 << 140 */
+    { { 0x52a3ba2b91502cf3L,0x2c3832a8084db75dL,0x04a12dddde30b1c9L,
+        0x7802eabce31fd60cL },
+      { 0x33707327a37fddabL,0x65d6f2abfaafa973L,0x3525c5b811e6f91aL,
+        0x76aeb0c95f46530bL } },
+    /* 11 << 140 */
+    { { 0xe8815ff62f93a675L,0xa6ec968405f48679L,0x6dcbb556358ae884L,
+        0x0af61472e19e3873L },
+      { 0x72334372a5f696beL,0xc65e57ea6f22fb70L,0x268da30c946cea90L,
+        0x136a8a8765681b2aL } },
+    /* 12 << 140 */
+    { { 0xad5e81dc0f9f44d4L,0xf09a69602c46585aL,0xd1649164c447d1b1L,
+        0x3b4b36c8879dc8b1L },
+      { 0x20d4177b3b6b234cL,0x096a25051730d9d0L,0x0611b9b8ef80531dL,
+        0xba904b3b64bb495dL } },
+    /* 13 << 140 */
+    { { 0x1192d9d493a3147aL,0x9f30a5dc9a565545L,0x90b1f9cb6ef07212L,
+        0x299585460d87fc13L },
+      { 0xd3323effc17db9baL,0xcb18548ccb1644a8L,0x18a306d44f49ffbcL,
+        0x28d658f14c2e8684L } },
+    /* 14 << 140 */
+    { { 0x44ba60cda99f8c71L,0x67b7abdb4bf742ffL,0x66310f9c914b3f99L,
+        0xae430a32f412c161L },
+      { 0x1e6776d388ace52fL,0x4bc0fa2452d7067dL,0x03c286aa8f07cd1bL,
+        0x4cb8f38ca985b2c1L } },
+    /* 15 << 140 */
+    { { 0x83ccbe808c3bff36L,0x005a0bd25263e575L,0x460d7dda259bdcd1L,
+        0x4a1c5642fa5cab6bL },
+      { 0x2b7bdbb99fe4fc88L,0x09418e28cc97bbb5L,0xd8274fb4a12321aeL,
+        0xb137007d5c87b64eL } },
+    /* 16 << 140 */
+    { { 0x80531fe1c63c4962L,0x50541e89981fdb25L,0xdc1291a1fd4c2b6bL,
+        0xc0693a17a6df4fcaL },
+      { 0xb2c4604e0117f203L,0x245f19630a99b8d0L,0xaedc20aac6212c44L,
+        0xb1ed4e56520f52a8L } },
+    /* 17 << 140 */
+    { { 0xfe48f575f8547be3L,0x0a7033cda9e45f98L,0x4b45d3a918c50100L,
+        0xb2a6cd6aa61d41daL },
+      { 0x60bbb4f557933c6bL,0xa7538ebd2b0d7ffcL,0x9ea3ab8d8cd626b6L,
+        0x8273a4843601625aL } },
+    /* 18 << 140 */
+    { { 0x888598450168e508L,0x8cbc9bb299a94abdL,0x713ac792fab0a671L,
+        0xa3995b196c9ebffcL },
+      { 0xe711668e1239e152L,0x56892558bbb8dff4L,0x8bfc7dabdbf17963L,
+        0x5b59fe5ab3de1253L } },
+    /* 19 << 140 */
+    { { 0x7e3320eb34a9f7aeL,0xe5e8cf72d751efe4L,0x7ea003bcd9be2f37L,
+        0xc0f551a0b6c08ef7L },
+      { 0x56606268038f6725L,0x1dd38e356d92d3b6L,0x07dfce7cc3cbd686L,
+        0x4e549e04651c5da8L } },
+    /* 20 << 140 */
+    { { 0x4058f93b08b19340L,0xc2fae6f4cac6d89dL,0x4bad8a8c8f159cc7L,
+        0x0ddba4b3cb0b601cL },
+      { 0xda4fc7b51dd95f8cL,0x1d163cd7cea5c255L,0x30707d06274a8c4cL,
+        0x79d9e0082802e9ceL } },
+    /* 21 << 140 */
+    { { 0x02a29ebfe6ddd505L,0x37064e74b50bed1aL,0x3f6bae65a7327d57L,
+        0x3846f5f1f83920bcL },
+      { 0x87c3749160df1b9bL,0x4cfb28952d1da29fL,0x10a478ca4ed1743cL,
+        0x390c60303edd47c6L } },
+    /* 22 << 140 */
+    { { 0x8f3e53128c0a78deL,0xccd02bda1e85df70L,0xd6c75c03a61b6582L,
+        0x0762921cfc0eebd1L },
+      { 0xd34d0823d85010c0L,0xd73aaacb0044cf1fL,0xfb4159bba3b5e78aL,
+        0x2287c7f7e5826f3fL } },
+    /* 23 << 140 */
+    { { 0x4aeaf742580b1a01L,0xf080415d60423b79L,0xe12622cda7dea144L,
+        0x49ea499659d62472L },
+      { 0xb42991ef571f3913L,0x0610f214f5b25a8aL,0x47adc58530b79e8fL,
+        0xf90e3df607a065a2L } },
+    /* 24 << 140 */
+    { { 0x5d0a5deb43e2e034L,0x53fb5a34444024aaL,0xa8628c686b0c9f7fL,
+        0x9c69c29cac563656L },
+      { 0x5a231febbace47b6L,0xbdce02899ea5a2ecL,0x05da1fac9463853eL,
+        0x96812c52509e78aaL } },
+    /* 25 << 140 */
+    { { 0xd3fb577157151692L,0xeb2721f8d98e1c44L,0xc050608732399be1L,
+        0xda5a5511d979d8b8L },
+      { 0x737ed55dc6f56780L,0xe20d30040dc7a7f4L,0x02ce7301f5941a03L,
+        0x91ef5215ed30f83aL } },
+    /* 26 << 140 */
+    { { 0x28727fc14092d85fL,0x72d223c65c49e41aL,0xa7cf30a2ba6a4d81L,
+        0x7c086209b030d87dL },
+      { 0x04844c7dfc588b09L,0x728cd4995874bbb0L,0xcc1281eee84c0495L,
+        0x0769b5baec31958fL } },
+    /* 27 << 140 */
+    { { 0x665c228bf99c2471L,0xf2d8a11b191eb110L,0x4594f494d36d7024L,
+        0x482ded8bcdcb25a1L },
+      { 0xc958a9d8dadd4885L,0x7004477ef1d2b547L,0x0a45f6ef2a0af550L,
+        0x4fc739d62f8d6351L } },
+    /* 28 << 140 */
+    { { 0x75cdaf27786f08a9L,0x8700bb2642c2737fL,0x855a71411c4e2670L,
+        0x810188c115076fefL },
+      { 0xc251d0c9abcd3297L,0xae4c8967f48108ebL,0xbd146de718ceed30L,
+        0xf9d4f07ac986bcedL } },
+    /* 29 << 140 */
+    { { 0x5ad98ed583fa1e08L,0x7780d33ebeabd1fbL,0xe330513c903b1196L,
+        0xba11de9ea47bc8c4L },
+      { 0x684334da02c2d064L,0x7ecf360da48de23bL,0x57a1b4740a9089d8L,
+        0xf28fa439ff36734cL } },
+    /* 30 << 140 */
+    { { 0xf2a482cbea4570b3L,0xee65d68ba5ebcee9L,0x988d0036b9694cd5L,
+        0x53edd0e937885d32L },
+      { 0xe37e3307beb9bc6dL,0xe9abb9079f5c6768L,0x4396ccd551f2160fL,
+        0x2500888c47336da6L } },
+    /* 31 << 140 */
+    { { 0x383f9ed9926fce43L,0x809dd1c704da2930L,0x30f6f5968a4cb227L,
+        0x0d700c7f73a56b38L },
+      { 0x1825ea33ab64a065L,0xaab9b7351338df80L,0x1516100d9b63f57fL,
+        0x2574395a27a6a634L } },
+    /* 32 << 140 */
+    { { 0xb5560fb6700a1acdL,0xe823fd73fd999681L,0xda915d1f6cb4e1baL,
+        0x0d0301186ebe00a3L },
+      { 0x744fb0c989fca8cdL,0x970d01dbf9da0e0bL,0x0ad8c5647931d76fL,
+        0xb15737bff659b96aL } },
+    /* 33 << 140 */
+    { { 0xdc9933e8a8b484e7L,0xb2fdbdf97a26dec7L,0x2349e9a49f1f0136L,
+        0x7860368e70fddddbL },
+      { 0xd93d2c1cf9ad3e18L,0x6d6c5f17689f4e79L,0x7a544d91b24ff1b6L,
+        0x3e12a5ebfe16cd8cL } },
+    /* 34 << 140 */
+    { { 0x543574e9a56b872fL,0xa1ad550cfcf68ea2L,0x689e37d23f560ef7L,
+        0x8c54b9cac9d47a8bL },
+      { 0x46d40a4a088ac342L,0xec450c7c1576c6d0L,0xb589e31c1f9689e9L,
+        0xdacf2602b8781718L } },
+    /* 35 << 140 */
+    { { 0xa89237c6c8cb6b42L,0x1326fc93b96ef381L,0x55d56c6db5f07825L,
+        0xacba2eea7449e22dL },
+      { 0x74e0887a633c3000L,0xcb6cd172d7cbcf71L,0x309e81dec36cf1beL,
+        0x07a18a6d60ae399bL } },
+    /* 36 << 140 */
+    { { 0xb36c26799edce57eL,0x52b892f4df001d41L,0xd884ae5d16a1f2c6L,
+        0x9b329424efcc370aL },
+      { 0x3120daf2bd2e21dfL,0x55298d2d02470a99L,0x0b78af6ca05db32eL,
+        0x5c76a331601f5636L } },
+    /* 37 << 140 */
+    { { 0xaae861fff8a4f29cL,0x70dc9240d68f8d49L,0x960e649f81b1321cL,
+        0x3d2c801b8792e4ceL },
+      { 0xf479f77242521876L,0x0bed93bc416c79b1L,0xa67fbc05263e5bc9L,
+        0x01e8e630521db049L } },
+    /* 38 << 140 */
+    { { 0x76f26738c6f3431eL,0xe609cb02e3267541L,0xb10cff2d818c877cL,
+        0x1f0e75ce786a13cbL },
+      { 0xf4fdca641158544dL,0x5d777e896cb71ed0L,0x3c233737a9aa4755L,
+        0x7b453192e527ab40L } },
+    /* 39 << 140 */
+    { { 0xdb59f68839f05ffeL,0x8f4f4be06d82574eL,0xcce3450cee292d1bL,
+        0xaa448a1261ccd086L },
+      { 0xabce91b3f7914967L,0x4537f09b1908a5edL,0xa812421ef51042e7L,
+        0xfaf5cebcec0b3a34L } },
+    /* 40 << 140 */
+    { { 0x730ffd874ca6b39aL,0x70fb72ed02efd342L,0xeb4735f9d75c8edbL,
+        0xc11f2157c278aa51L },
+      { 0xc459f635bf3bfebfL,0x3a1ff0b46bd9601fL,0xc9d12823c420cb73L,
+        0x3e9af3e23c2915a3L } },
+    /* 41 << 140 */
+    { { 0xe0c82c72b41c3440L,0x175239e5e3039a5fL,0xe1084b8a558795a3L,
+        0x328d0a1dd01e5c60L },
+      { 0x0a495f2ed3788a04L,0x25d8ff1666c11a9fL,0xf5155f059ed692d6L,
+        0x954fa1074f425fe4L } },
+    /* 42 << 140 */
+    { { 0xd16aabf2e98aaa99L,0x90cd8ba096b0f88aL,0x957f4782c154026aL,
+        0x54ee073452af56d2L },
+      { 0xbcf89e5445b4147aL,0x3d102f219a52816cL,0x6808517e39b62e77L,
+        0x92e2542169169ad8L } },
+    /* 43 << 140 */
+    { { 0xd721d871bb608558L,0x60e4ebaef6d4ff9bL,0x0ba1081941f2763eL,
+        0xca2e45be51ee3247L },
+      { 0x66d172ec2bfd7a5fL,0x528a8f2f74d0b12dL,0xe17f1e38dabe70dcL,
+        0x1d5d73169f93983cL } },
+    /* 44 << 140 */
+    { { 0x51b2184adf423e31L,0xcb417291aedb1a10L,0x2054ca93625bcab9L,
+        0x54396860a98998f0L },
+      { 0x4e53f6c4a54ae57eL,0x0ffeb590ee648e9dL,0xfbbdaadc6afaf6bcL,
+        0xf88ae796aa3bfb8aL } },
+    /* 45 << 140 */
+    { { 0x209f1d44d2359ed9L,0xac68dd03f3544ce2L,0xf378da47fd51e569L,
+        0xe1abd8602cc80097L },
+      { 0x23ca18d9343b6e3aL,0x480797e8b40a1baeL,0xd1f0c717533f3e67L,
+        0x4489697006e6cdfcL } },
+    /* 46 << 140 */
+    { { 0x8ca2105552a82e8dL,0xb2caf78578460cdcL,0x4c1b7b62e9037178L,
+        0xefc09d2cdb514b58L },
+      { 0x5f2df9ee9113be5cL,0x2fbda78fb3f9271cL,0xe09a81af8f83fc54L,
+        0x06b138668afb5141L } },
+    /* 47 << 140 */
+    { { 0x38f6480f43e3865dL,0x72dd77a81ddf47d9L,0xf2a8e9714c205ff7L,
+        0x46d449d89d088ad8L },
+      { 0x926619ea185d706fL,0xe47e02ebc7dd7f62L,0xe7f120a78cbc2031L,
+        0xc18bef00998d4ac9L } },
+    /* 48 << 140 */
+    { { 0x18f37a9c6bdf22daL,0xefbc432f90dc82dfL,0xc52cef8e5d703651L,
+        0x82887ba0d99881a5L },
+      { 0x7cec9ddab920ec1dL,0xd0d7e8c3ec3e8d3bL,0x445bc3954ca88747L,
+        0xedeaa2e09fd53535L } },
+    /* 49 << 140 */
+    { { 0x461b1d936cc87475L,0xd92a52e26d2383bdL,0xfabccb59d7903546L,
+        0x6111a7613d14b112L },
+      { 0x0ae584feb3d5f612L,0x5ea69b8d60e828ecL,0x6c07898554087030L,
+        0x649cab04ac4821feL } },
+    /* 50 << 140 */
+    { { 0x25ecedcf8bdce214L,0xb5622f7286af7361L,0x0e1227aa7038b9e2L,
+        0xd0efb273ac20fa77L },
+      { 0x817ff88b79df975bL,0x856bf2861999503eL,0xb4d5351f5038ec46L,
+        0x740a52c5fc42af6eL } },
+    /* 51 << 140 */
+    { { 0x2e38bb152cbb1a3fL,0xc3eb99fe17a83429L,0xca4fcbf1dd66bb74L,
+        0x880784d6cde5e8fcL },
+      { 0xddc84c1cb4e7a0beL,0x8780510dbd15a72fL,0x44bcf1af81ec30e1L,
+        0x141e50a80a61073eL } },
+    /* 52 << 140 */
+    { { 0x0d95571847be87aeL,0x68a61417f76a4372L,0xf57e7e87c607c3d3L,
+        0x043afaf85252f332L },
+      { 0xcc14e1211552a4d2L,0xb6dee692bb4d4ab4L,0xb6ab74c8a03816a4L,
+        0x84001ae46f394a29L } },
+    /* 53 << 140 */
+    { { 0x5bed8344d795fb45L,0x57326e7db79f55a5L,0xc9533ce04accdffcL,
+        0x53473caf3993fa04L },
+      { 0x7906eb93a13df4c8L,0xa73e51f697cbe46fL,0xd1ab3ae10ae4ccf8L,
+        0x256145088a5b3dbcL } },
+    /* 54 << 140 */
+    { { 0x61eff96211a71b27L,0xdf71412b6bb7fa39L,0xb31ba6b82bd7f3efL,
+        0xb0b9c41569180d29L },
+      { 0xeec14552014cdde5L,0x702c624b227b4bbbL,0x2b15e8c2d3e988f3L,
+        0xee3bcc6da4f7fd04L } },
+    /* 55 << 140 */
+    { { 0x9d00822a42ac6c85L,0x2db0cea61df9f2b7L,0xd7cad2ab42de1e58L,
+        0x346ed5262d6fbb61L },
+      { 0xb39629951a2faf09L,0x2fa8a5807c25612eL,0x30ae04da7cf56490L,
+        0x756629080eea3961L } },
+    /* 56 << 140 */
+    { { 0x3609f5c53d080847L,0xcb081d395241d4f6L,0xb4fb381077961a63L,
+        0xc20c59842abb66fcL },
+      { 0x3d40aa7cf902f245L,0x9cb127364e536b1eL,0x5eda24da99b3134fL,
+        0xafbd9c695cd011afL } },
+    /* 57 << 140 */
+    { { 0x9a16e30ac7088c7dL,0x5ab657103207389fL,0x1b09547fe7407a53L,
+        0x2322f9d74fdc6eabL },
+      { 0xc0f2f22d7430de4dL,0x19382696e68ca9a9L,0x17f1eff1918e5868L,
+        0xe3b5b635586f4204L } },
+    /* 58 << 140 */
+    { { 0x146ef9803fbc4341L,0x359f2c805b5eed4eL,0x9f35744e7482e41dL,
+        0x9a9ac3ecf3b224c2L },
+      { 0x9161a6fe91fc50aeL,0x89ccc66bc613fa7cL,0x89268b14c732f15aL,
+        0x7cd6f4e2b467ed03L } },
+    /* 59 << 140 */
+    { { 0xfbf79869ce56b40eL,0xf93e094cc02dde98L,0xefe0c3a8edee2cd7L,
+        0x90f3ffc0b268fd42L },
+      { 0x81a7fd5608241aedL,0x95ab7ad800b1afe8L,0x401270563e310d52L,
+        0xd3ffdeb109d9fc43L } },
+    /* 60 << 140 */
+    { { 0xc8f85c91d11a8594L,0x2e74d25831cf6db8L,0x829c7ca302b5dfd0L,
+        0xe389cfbe69143c86L },
+      { 0xd01b6405941768d8L,0x4510399503bf825dL,0xcc4ee16656cd17e2L,
+        0xbea3c283ba037e79L } },
+    /* 61 << 140 */
+    { { 0x4e1ac06ed9a47520L,0xfbfe18aaaf852404L,0x5615f8e28087648aL,
+        0x7301e47eb9d150d9L },
+      { 0x79f9f9ddb299b977L,0x76697a7ba5b78314L,0x10d674687d7c90e7L,
+        0x7afffe03937210b5L } },
+    /* 62 << 140 */
+    { { 0x5aef3e4b28c22ceeL,0xefb0ecd809fd55aeL,0x4cea71320d2a5d6aL,
+        0x9cfb5fa101db6357L },
+      { 0x395e0b57f36e1ac5L,0x008fa9ad36cafb7dL,0x8f6cdf705308c4dbL,
+        0x51527a3795ed2477L } },
+    /* 63 << 140 */
+    { { 0xba0dee305bd21311L,0x6ed41b22909c90d7L,0xc5f6b7587c8696d3L,
+        0x0db8eaa83ce83a80L },
+      { 0xd297fe37b24b4b6fL,0xfe58afe8522d1f0dL,0x973587368c98dbd9L,
+        0x6bc226ca9454a527L } },
+    /* 64 << 140 */
+    { { 0xa12b384ece53c2d0L,0x779d897d5e4606daL,0xa53e47b073ec12b0L,
+        0x462dbbba5756f1adL },
+      { 0x69fe09f2cafe37b6L,0x273d1ebfecce2e17L,0x8ac1d5383cf607fdL,
+        0x8035f7ff12e10c25L } },
+    /* 0 << 147 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 147 */
+    { { 0x854d34c77e6c5520L,0xc27df9efdcb9ea58L,0x405f2369d686666dL,
+        0x29d1febf0417aa85L },
+      { 0x9846819e93470afeL,0x3e6a9669e2a27f9eL,0x24d008a2e31e6504L,
+        0xdba7cecf9cb7680aL } },
+    /* 2 << 147 */
+    { { 0xecaff541338d6e43L,0x56f7dd734541d5ccL,0xb5d426de96bc88caL,
+        0x48d94f6b9ed3a2c3L },
+      { 0x6354a3bb2ef8279cL,0xd575465b0b1867f2L,0xef99b0ff95225151L,
+        0xf3e19d88f94500d8L } },
+    /* 3 << 147 */
+    { { 0x92a83268e32dd620L,0x913ec99f627849a2L,0xedd8fdfa2c378882L,
+        0xaf96f33eee6f8cfeL },
+      { 0xc06737e5dc3fa8a5L,0x236bb531b0b03a1dL,0x33e59f2989f037b0L,
+        0x13f9b5a7d9a12a53L } },
+    /* 4 << 147 */
+    { { 0x0d0df6ce51efb310L,0xcb5b2eb4958df5beL,0xd6459e2936158e59L,
+        0x82aae2b91466e336L },
+      { 0xfb658a39411aa636L,0x7152ecc5d4c0a933L,0xf10c758a49f026b7L,
+        0xf4837f97cb09311fL } },
+    /* 5 << 147 */
+    { { 0xddfb02c4c753c45fL,0x18ca81b6f9c840feL,0x846fd09ab0f8a3e6L,
+        0xb1162adde7733dbcL },
+      { 0x7070ad20236e3ab6L,0xf88cdaf5b2a56326L,0x05fc8719997cbc7aL,
+        0x442cd4524b665272L } },
+    /* 6 << 147 */
+    { { 0x7807f364b71698f5L,0x6ba418d29f7b605eL,0xfd20b00fa03b2cbbL,
+        0x883eca37da54386fL },
+      { 0xff0be43ff3437f24L,0xe910b432a48bb33cL,0x4963a128329df765L,
+        0xac1dd556be2fe6f7L } },
+    /* 7 << 147 */
+    { { 0x557610f924a0a3fcL,0x38e17bf4e881c3f9L,0x6ba84fafed0dac99L,
+        0xd4a222c359eeb918L },
+      { 0xc79c1dbe13f542b6L,0x1fc65e0de425d457L,0xeffb754f1debb779L,
+        0x638d8fd09e08af60L } },
+    /* 8 << 147 */
+    { { 0x994f523a626332d5L,0x7bc388335561bb44L,0x005ed4b03d845ea2L,
+        0xd39d3ee1c2a1f08aL },
+      { 0x6561fdd3e7676b0dL,0x620e35fffb706017L,0x36ce424ff264f9a8L,
+        0xc4c3419fda2681f7L } },
+    /* 9 << 147 */
+    { { 0xfb6afd2f69beb6e8L,0x3a50b9936d700d03L,0xc840b2ad0c83a14fL,
+        0x573207be54085befL },
+      { 0x5af882e309fe7e5bL,0x957678a43b40a7e1L,0x172d4bdd543056e2L,
+        0x9c1b26b40df13c0aL } },
+    /* 10 << 147 */
+    { { 0x1c30861cf405ff06L,0xebac86bd486e828bL,0xe791a971636933fcL,
+        0x50e7c2be7aeee947L },
+      { 0xc3d4a095fa90d767L,0xae60eb7be670ab7bL,0x17633a64397b056dL,
+        0x93a21f33105012aaL } },
+    /* 11 << 147 */
+    { { 0x663c370babb88643L,0x91df36d722e21599L,0x183ba8358b761671L,
+        0x381eea1d728f3bf1L },
+      { 0xb9b2f1ba39966e6cL,0x7c464a28e7295492L,0x0fd5f70a09b26b7fL,
+        0xa9aba1f9fbe009dfL } },
+    /* 12 << 147 */
+    { { 0x857c1f22369b87adL,0x3c00e5d932fca556L,0x1ad74cab90b06466L,
+        0xa7112386550faaf2L },
+      { 0x7435e1986d9bd5f5L,0x2dcc7e3859c3463fL,0xdc7df748ca7bd4b2L,
+        0x13cd4c089dec2f31L } },
+    /* 13 << 147 */
+    { { 0x0d3b5df8e3237710L,0x0dadb26ecbd2f7b0L,0x9f5966abe4aa082bL,
+        0x666ec8de350e966eL },
+      { 0x1bfd1ed5ee524216L,0xcd93c59b41dab0b6L,0x658a8435d186d6baL,
+        0x1b7d34d2159d1195L } },
+    /* 14 << 147 */
+    { { 0x5936e46022caf46bL,0x6a45dd8f9a96fe4fL,0xf7925434b98f474eL,
+        0x414104120053ef15L },
+      { 0x71cf8d1241de97bfL,0xb8547b61bd80bef4L,0xb47d3970c4db0037L,
+        0xf1bcd328fef20dffL } },
+    /* 15 << 147 */
+    { { 0x31a92e0910caad67L,0x1f5919605531a1e1L,0x3bb852e05f4fc840L,
+        0x63e297ca93a72c6cL },
+      { 0x3c2b0b2e49abad67L,0x6ec405fced3db0d9L,0xdc14a5307fef1d40L,
+        0xccd19846280896fcL } },
+    /* 16 << 147 */
+    { { 0x00f831769bb81648L,0xd69eb485653120d0L,0xd17d75f44ccabc62L,
+        0x34a07f82b749fcb1L },
+      { 0x2c3af787bbfb5554L,0xb06ed4d062e283f8L,0x5722889fa19213a0L,
+        0x162b085edcf3c7b4L } },
+    /* 17 << 147 */
+    { { 0xbcaecb31e0dd3ecaL,0xc6237fbce52f13a5L,0xcc2b6b0327bac297L,
+        0x2ae1cac5b917f54aL },
+      { 0x474807d47845ae4fL,0xfec7dd92ce5972e0L,0xc3bd25411d7915bbL,
+        0x66f85dc4d94907caL } },
+    /* 18 << 147 */
+    { { 0xd981b888bdbcf0caL,0xd75f5da6df279e9fL,0x128bbf247054e934L,
+        0x3c6ff6e581db134bL },
+      { 0x795b7cf4047d26e4L,0xf370f7b85049ec37L,0xc6712d4dced945afL,
+        0xdf30b5ec095642bcL } },
+    /* 19 << 147 */
+    { { 0x9b034c624896246eL,0x5652c016ee90bbd1L,0xeb38636f87fedb73L,
+        0x5e32f8470135a613L },
+      { 0x0703b312cf933c83L,0xd05bb76e1a7f47e6L,0x825e4f0c949c2415L,
+        0x569e56227250d6f8L } },
+    /* 20 << 147 */
+    { { 0xbbe9eb3a6568013eL,0x8dbd203f22f243fcL,0x9dbd7694b342734aL,
+        0x8f6d12f846afa984L },
+      { 0xb98610a2c9eade29L,0xbab4f32347dd0f18L,0x5779737b671c0d46L,
+        0x10b6a7c6d3e0a42aL } },
+    /* 21 << 147 */
+    { { 0xfb19ddf33035b41cL,0xd336343f99c45895L,0x61fe493854c857e5L,
+        0xc4d506beae4e57d5L },
+      { 0x3cd8c8cbbbc33f75L,0x7281f08a9262c77dL,0x083f4ea6f11a2823L,
+        0x8895041e9fba2e33L } },
+    /* 22 << 147 */
+    { { 0xfcdfea499c438edfL,0x7678dcc391edba44L,0xf07b3b87e2ba50f0L,
+        0xc13888ef43948c1bL },
+      { 0xc2135ad41140af42L,0x8e5104f3926ed1a7L,0xf24430cb88f6695fL,
+        0x0ce0637b6d73c120L } },
+    /* 23 << 147 */
+    { { 0xb2db01e6fe631e8fL,0x1c5563d7d7bdd24bL,0x8daea3ba369ad44fL,
+        0x000c81b68187a9f9L },
+      { 0x5f48a951aae1fd9aL,0xe35626c78d5aed8aL,0x209527630498c622L,
+        0x76d17634773aa504L } },
+    /* 24 << 147 */
+    { { 0x36d90ddaeb300f7aL,0x9dcf7dfcedb5e801L,0x645cb26874d5244cL,
+        0xa127ee79348e3aa2L },
+      { 0x488acc53575f1dbbL,0x95037e8580e6161eL,0x57e59283292650d0L,
+        0xabe67d9914938216L } },
+    /* 25 << 147 */
+    { { 0x3c7f944b3f8e1065L,0xed908cb6330e8924L,0x08ee8fd56f530136L,
+        0x2227b7d5d7ffc169L },
+      { 0x4f55c893b5cd6dd5L,0x82225e11a62796e8L,0x5c6cead1cb18e12cL,
+        0x4381ae0c84f5a51aL } },
+    /* 26 << 147 */
+    { { 0x345913d37fafa4c8L,0x3d9180820491aac0L,0x9347871f3e69264cL,
+        0xbea9dd3cb4f4f0cdL },
+      { 0xbda5d0673eadd3e7L,0x0033c1b80573bcd8L,0x255893795da2486cL,
+        0xcb89ee5b86abbee7L } },
+    /* 27 << 147 */
+    { { 0x8fe0a8f322532e5dL,0xb6410ff0727dfc4cL,0x619b9d58226726dbL,
+        0x5ec256697a2b2dc7L },
+      { 0xaf4d2e064c3beb01L,0x852123d07acea556L,0x0e9470faf783487aL,
+        0x75a7ea045664b3ebL } },
+    /* 28 << 147 */
+    { { 0x4ad78f356798e4baL,0x9214e6e5c7d0e091L,0xc420b488b1290403L,
+        0x64049e0afc295749L },
+      { 0x03ef5af13ae9841fL,0xdbe4ca19b0b662a6L,0x46845c5ffa453458L,
+        0xf8dabf1910b66722L } },
+    /* 29 << 147 */
+    { { 0xb650f0aacce2793bL,0x71db851ec5ec47c1L,0x3eb78f3e3b234fa9L,
+        0xb0c60f35fc0106ceL },
+      { 0x05427121774eadbdL,0x25367fafce323863L,0x7541b5c9cd086976L,
+        0x4ff069e2dc507ad1L } },
+    /* 30 << 147 */
+    { { 0x741452568776e667L,0x6e76142cb23c6bb5L,0xdbf307121b3a8a87L,
+        0x60e7363e98450836L },
+      { 0x5741450eb7366d80L,0xe4ee14ca4837dbdfL,0xa765eb9b69d4316fL,
+        0x04548dca8ef43825L } },
+    /* 31 << 147 */
+    { { 0x9c9f4e4c5ae888ebL,0x733abb5156e9ac99L,0xdaad3c20ba6ac029L,
+        0x9b8dd3d32ba3e38eL },
+      { 0xa9bb4c920bc5d11aL,0xf20127a79c5f88a3L,0x4f52b06e161d3cb8L,
+        0x26c1ff096afaf0a6L } },
+    /* 32 << 147 */
+    { { 0x32670d2f7189e71fL,0xc64387485ecf91e7L,0x15758e57db757a21L,
+        0x427d09f8290a9ce5L },
+      { 0x846a308f38384a7aL,0xaac3acb4b0732b99L,0x9e94100917845819L,
+        0x95cba111a7ce5e03L } },
+    /* 33 << 147 */
+    { { 0x6f3d4f7fb00009c4L,0xb8396c278ff28b5fL,0xb1a9ae431c97975dL,
+        0x9d7ba8afe5d9fed5L },
+      { 0x338cf09f34f485b6L,0xbc0ddacc64122516L,0xa450da1205d471feL,
+        0x4c3a6250628dd8c9L } },
+    /* 34 << 147 */
+    { { 0x69c7d103d1295837L,0xa2893e503807eb2fL,0xd6e1e1debdb41491L,
+        0xc630745b5e138235L },
+      { 0xc892109e48661ae1L,0x8d17e7ebea2b2674L,0x00ec0f87c328d6b5L,
+        0x6d858645f079ff9eL } },
+    /* 35 << 147 */
+    { { 0x6cdf243e19115eadL,0x1ce1393e4bac4fcfL,0x2c960ed09c29f25bL,
+        0x59be4d8e9d388a05L },
+      { 0x0d46e06cd0def72bL,0xb923db5de0342748L,0xf7d3aacd936d4a3dL,
+        0x558519cc0b0b099eL } },
+    /* 36 << 147 */
+    { { 0x3ea8ebf8827097efL,0x259353dbd054f55dL,0x84c89abc6d2ed089L,
+        0x5c548b698e096a7cL },
+      { 0xd587f616994b995dL,0x4d1531f6a5845601L,0x792ab31e451fd9f0L,
+        0xc8b57bb265adf6caL } },
+    /* 37 << 147 */
+    { { 0x68440fcb1cd5ad73L,0xb9c860e66144da4fL,0x2ab286aa8462beb8L,
+        0xcc6b8fffef46797fL },
+      { 0xac820da420c8a471L,0x69ae05a177ff7fafL,0xb9163f39bfb5da77L,
+        0xbd03e5902c73ab7aL } },
+    /* 38 << 147 */
+    { { 0x7e862b5eb2940d9eL,0x3c663d864b9af564L,0xd8309031bde3033dL,
+        0x298231b2d42c5bc6L },
+      { 0x42090d2c552ad093L,0xa4799d1cff854695L,0x0a88b5d6d31f0d00L,
+        0xf8b40825a2f26b46L } },
+    /* 39 << 147 */
+    { { 0xec29b1edf1bd7218L,0xd491c53b4b24c86eL,0xd2fe588f3395ea65L,
+        0x6f3764f74456ef15L },
+      { 0xdb43116dcdc34800L,0xcdbcd456c1e33955L,0xefdb554074ab286bL,
+        0x948c7a51d18c5d7cL } },
+    /* 40 << 147 */
+    { { 0xeb81aa377378058eL,0x41c746a104411154L,0xa10c73bcfb828ac7L,
+        0x6439be919d972b29L },
+      { 0x4bf3b4b043a2fbadL,0x39e6dadf82b5e840L,0x4f7164086397bd4cL,
+        0x0f7de5687f1eeccbL } },
+    /* 41 << 147 */
+    { { 0x5865c5a1d2ffbfc1L,0xf74211fa4ccb6451L,0x66368a88c0b32558L,
+        0x5b539dc29ad7812eL },
+      { 0x579483d02f3af6f6L,0x5213207899934eceL,0x50b9650fdcc9e983L,
+        0xca989ec9aee42b8aL } },
+    /* 42 << 147 */
+    { { 0x6a44c829d6f62f99L,0x8f06a3094c2a7c0cL,0x4ea2b3a098a0cb0aL,
+        0x5c547b70beee8364L },
+      { 0x461d40e1682afe11L,0x9e0fc77a7b41c0a8L,0x79e4aefde20d5d36L,
+        0x2916e52032dd9f63L } },
+    /* 43 << 147 */
+    { { 0xf59e52e83f883fafL,0x396f96392b868d35L,0xc902a9df4ca19881L,
+        0x0fc96822db2401a6L },
+      { 0x4123758766f1c68dL,0x10fc6de3fb476c0dL,0xf8b6b579841f5d90L,
+        0x2ba8446cfa24f44aL } },
+    /* 44 << 147 */
+    { { 0xa237b920ef4a9975L,0x60bb60042330435fL,0xd6f4ab5acfb7e7b5L,
+        0xb2ac509783435391L },
+      { 0xf036ee2fb0d1ea67L,0xae779a6a74c56230L,0x59bff8c8ab838ae6L,
+        0xcd83ca999b38e6f0L } },
+    /* 45 << 147 */
+    { { 0xbb27bef5e33deed3L,0xe6356f6f001892a8L,0xbf3be6cc7adfbd3eL,
+        0xaecbc81c33d1ac9dL },
+      { 0xe4feb909e6e861dcL,0x90a247a453f5f801L,0x01c50acb27346e57L,
+        0xce29242e461acc1bL } },
+    /* 46 << 147 */
+    { { 0x04dd214a2f998a91L,0x271ee9b1d4baf27bL,0x7e3027d1e8c26722L,
+        0x21d1645c1820dce5L },
+      { 0x086f242c7501779cL,0xf0061407fa0e8009L,0xf23ce47760187129L,
+        0x05bbdedb0fde9bd0L } },
+    /* 47 << 147 */
+    { { 0x682f483225d98473L,0xf207fe855c658427L,0xb6fdd7ba4166ffa1L,
+        0x0c3140569eed799dL },
+      { 0x0db8048f4107e28fL,0x74ed387141216840L,0x74489f8f56a3c06eL,
+        0x1e1c005b12777134L } },
+    /* 48 << 147 */
+    { { 0xdb332a73f37ec3c3L,0xc65259bddd59eba0L,0x2291709cdb4d3257L,
+        0x9a793b25bd389390L },
+      { 0xf39fe34be43756f0L,0x2f76bdce9afb56c9L,0x9f37867a61208b27L,
+        0xea1d4307089972c3L } },
+    /* 49 << 147 */
+    { { 0x8c5953308bdf623aL,0x5f5accda8441fb7dL,0xfafa941832ddfd95L,
+        0x6ad40c5a0fde9be7L },
+      { 0x43faba89aeca8709L,0xc64a7cf12c248a9dL,0x1662025272637a76L,
+        0xaee1c79122b8d1bbL } },
+    /* 50 << 147 */
+    { { 0xf0f798fd21a843b2L,0x56e4ed4d8d005cb1L,0x355f77801f0d8abeL,
+        0x197b04cf34522326L },
+      { 0x41f9b31ffd42c13fL,0x5ef7feb2b40f933dL,0x27326f425d60bad4L,
+        0x027ecdb28c92cf89L } },
+    /* 51 << 147 */
+    { { 0x04aae4d14e3352feL,0x08414d2f73591b90L,0x5ed6124eb7da7d60L,
+        0xb985b9314d13d4ecL },
+      { 0xa592d3ab96bf36f9L,0x012dbed5bbdf51dfL,0xa57963c0df6c177dL,
+        0x010ec86987ca29cfL } },
+    /* 52 << 147 */
+    { { 0xba1700f6bf926dffL,0x7c9fdbd1f4bf6bc2L,0xdc18dc8f64da11f5L,
+        0xa6074b7ad938ae75L },
+      { 0x14270066e84f44a4L,0x99998d38d27b954eL,0xc1be8ab2b4f38e9aL,
+        0x8bb55bbf15c01016L } },
+    /* 53 << 147 */
+    { { 0xf73472b40ea2ab30L,0xd365a340f73d68ddL,0xc01a716819c2e1ebL,
+        0x32f49e3734061719L },
+      { 0xb73c57f101d8b4d6L,0x03c8423c26b47700L,0x321d0bc8a4d8826aL,
+        0x6004213c4bc0e638L } },
+    /* 54 << 147 */
+    { { 0xf78c64a1c1c06681L,0x16e0a16fef018e50L,0x31cbdf91db42b2b3L,
+        0xf8f4ffcee0d36f58L },
+      { 0xcdcc71cd4cc5e3e0L,0xd55c7cfaa129e3e0L,0xccdb6ba00fb2cbf1L,
+        0x6aba0005c4bce3cbL } },
+    /* 55 << 147 */
+    { { 0x501cdb30d232cfc4L,0x9ddcf12ed58a3cefL,0x02d2cf9c87e09149L,
+        0xdc5d7ec72c976257L },
+      { 0x6447986e0b50d7ddL,0x88fdbaf7807f112aL,0x58c9822ab00ae9f6L,
+        0x6abfb9506d3d27e0L } },
+    /* 56 << 147 */
+    { { 0xd0a744878a429f4fL,0x0649712bdb516609L,0xb826ba57e769b5dfL,
+        0x82335df21fc7aaf2L },
+      { 0x2389f0675c93d995L,0x59ac367a68677be6L,0xa77985ff21d9951bL,
+        0x038956fb85011cceL } },
+    /* 57 << 147 */
+    { { 0x608e48cbbb734e37L,0xc08c0bf22be5b26fL,0x17bbdd3bf9b1a0d9L,
+        0xeac7d89810483319L },
+      { 0xc95c4bafbc1a6deaL,0xfdd0e2bf172aafdbL,0x40373cbc8235c41aL,
+        0x14303f21fb6f41d5L } },
+    /* 58 << 147 */
+    { { 0xba0636210408f237L,0xcad3b09aecd2d1edL,0x4667855a52abb6a2L,
+        0xba9157dcaa8b417bL },
+      { 0xfe7f35074f013efbL,0x1b112c4baa38c4a2L,0xa1406a609ba64345L,
+        0xe53cba336993c80bL } },
+    /* 59 << 147 */
+    { { 0x45466063ded40d23L,0x3d5f1f4d54908e25L,0x9ebefe62403c3c31L,
+        0x274ea0b50672a624L },
+      { 0xff818d99451d1b71L,0x80e826438f79cf79L,0xa165df1373ce37f5L,
+        0xa744ef4ffe3a21fdL } },
+    /* 60 << 147 */
+    { { 0x73f1e7f5cf551396L,0xc616898e868c676bL,0x671c28c78c442c36L,
+        0xcfe5e5585e0a317dL },
+      { 0x1242d8187051f476L,0x56fad2a614f03442L,0x262068bc0a44d0f6L,
+        0xdfa2cd6ece6edf4eL } },
+    /* 61 << 147 */
+    { { 0x0f43813ad15d1517L,0x61214cb2377d44f5L,0xd399aa29c639b35fL,
+        0x42136d7154c51c19L },
+      { 0x9774711b08417221L,0x0a5546b352545a57L,0x80624c411150582dL,
+        0x9ec5c418fbc555bcL } },
+    /* 62 << 147 */
+    { { 0x2c87dcad771849f1L,0xb0c932c501d7bf6fL,0x6aa5cd3e89116eb2L,
+        0xd378c25a51ca7bd3L },
+      { 0xc612a0da9e6e3e31L,0x0417a54db68ad5d0L,0x00451e4a22c6edb8L,
+        0x9fbfe019b42827ceL } },
+    /* 63 << 147 */
+    { { 0x2fa92505ba9384a2L,0x21b8596e64ad69c1L,0x8f4fcc49983b35a6L,
+        0xde09376072754672L },
+      { 0x2f14ccc8f7bffe6dL,0x27566bff5d94263dL,0xb5b4e9c62df3ec30L,
+        0x94f1d7d53e6ea6baL } },
+    /* 64 << 147 */
+    { { 0x97b7851aaaca5e9bL,0x518aa52156713b97L,0x3357e8c7150a61f6L,
+        0x7842e7e2ec2c2b69L },
+      { 0x8dffaf656868a548L,0xd963bd82e068fc81L,0x64da5c8b65917733L,
+        0x927090ff7b247328L } },
+    /* 0 << 154 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 154 */
+    { { 0x214bc9a7d298c241L,0xe3b697ba56807cfdL,0xef1c78024564eadbL,
+        0xdde8cdcfb48149c5L },
+      { 0x946bf0a75a4d2604L,0x27154d7f6c1538afL,0x95cc9230de5b1fccL,
+        0xd88519e966864f82L } },
+    /* 2 << 154 */
+    { { 0xb828dd1a7cb1282cL,0xa08d7626be46973aL,0x6baf8d40e708d6b2L,
+        0x72571fa14daeb3f3L },
+      { 0x85b1732ff22dfd98L,0x87ab01a70087108dL,0xaaaafea85988207aL,
+        0xccc832f869f00755L } },
+    /* 3 << 154 */
+    { { 0x964d950e36ff3bf0L,0x8ad20f6ff0b34638L,0x4d9177b3b5d7585fL,
+        0xcf839760ef3f019fL },
+      { 0x582fc5b38288c545L,0x2f8e4e9b13116bd1L,0xf91e1b2f332120efL,
+        0xcf5687242a17dd23L } },
+    /* 4 << 154 */
+    { { 0x488f1185ca8d9d1aL,0xadf2c77dd987ded2L,0x5f3039f060c46124L,
+        0xe5d70b7571e095f4L },
+      { 0x82d586506260e70fL,0x39d75ea7f750d105L,0x8cf3d0b175bac364L,
+        0xf3a7564d21d01329L } },
+    /* 5 << 154 */
+    { { 0x182f04cd2f52d2a7L,0x4fde149ae2df565aL,0xb80c5eeca79fb2f7L,
+        0xab491d7b22ddc897L },
+      { 0x99d76c18c6312c7fL,0xca0d5f3d6aa41a57L,0x71207325d15363a0L,
+        0xe82aa265beb252c2L } },
+    /* 6 << 154 */
+    { { 0x94ab4700ec3128c2L,0x6c76d8628e383f49L,0xdc36b150c03024ebL,
+        0xfb43947753daac69L },
+      { 0xfc68764a8dc79623L,0x5b86995db440fbb2L,0xd66879bfccc5ee0dL,
+        0x0522894295aa8bd3L } },
+    /* 7 << 154 */
+    { { 0xb51a40a51e6a75c1L,0x24327c760ea7d817L,0x0663018207774597L,
+        0xd6fdbec397fa7164L },
+      { 0x20c99dfb13c90f48L,0xd6ac5273686ef263L,0xc6a50bdcfef64eebL,
+        0xcd87b28186fdfc32L } },
+    /* 8 << 154 */
+    { { 0xb24aa43e3fcd3efcL,0xdd26c034b8088e9aL,0xa5ef4dc9bd3d46eaL,
+        0xa2f99d588a4c6a6fL },
+      { 0xddabd3552f1da46cL,0x72c3f8ce1afacdd1L,0xd90c4eee92d40578L,
+        0xd28bb41fca623b94L } },
+    /* 9 << 154 */
+    { { 0x50fc0711745edc11L,0x9dd9ad7d3dc87558L,0xce6931fbb49d1e64L,
+        0x6c77a0a2c98bd0f9L },
+      { 0x62b9a6296baf7cb1L,0xcf065f91ccf72d22L,0x7203cce979639071L,
+        0x09ae4885f9cb732fL } },
+    /* 10 << 154 */
+    { { 0x5e7c3becee8314f3L,0x1c068aeddbea298fL,0x08d381f17c80acecL,
+        0x03b56be8e330495bL },
+      { 0xaeffb8f29222882dL,0x95ff38f6c4af8bf7L,0x50e32d351fc57d8cL,
+        0x6635be5217b444f0L } },
+    /* 11 << 154 */
+    { { 0x04d15276a5177900L,0x4e1dbb47f6858752L,0x5b475622c615796cL,
+        0xa6fa0387691867bfL },
+      { 0xed7f5d562844c6d0L,0xc633cf9b03a2477dL,0xf6be5c402d3721d6L,
+        0xaf312eb7e9fd68e6L } },
+    /* 12 << 154 */
+    { { 0x242792d2e7417ce1L,0xff42bc71970ee7f5L,0x1ff4dc6d5c67a41eL,
+        0x77709b7b20882a58L },
+      { 0x3554731dbe217f2cL,0x2af2a8cd5bb72177L,0x58eee769591dd059L,
+        0xbb2930c94bba6477L } },
+    /* 13 << 154 */
+    { { 0x863ee0477d930cfcL,0x4c262ad1396fd1f4L,0xf4765bc8039af7e1L,
+        0x2519834b5ba104f6L },
+      { 0x7cd61b4cd105f961L,0xa5415da5d63bca54L,0x778280a088a1f17cL,
+        0xc49689492329512cL } },
+    /* 14 << 154 */
+    { { 0x174a9126cecdaa7aL,0xfc8c7e0e0b13247bL,0x29c110d23484c1c4L,
+        0xf8eb8757831dfc3bL },
+      { 0x022f0212c0067452L,0x3f6f69ee7b9b926cL,0x09032da0ef42daf4L,
+        0x79f00ade83f80de4L } },
+    /* 15 << 154 */
+    { { 0x6210db7181236c97L,0x74f7685b3ee0781fL,0x4df7da7ba3e41372L,
+        0x2aae38b1b1a1553eL },
+      { 0x1688e222f6dd9d1bL,0x576954485b8b6487L,0x478d21274b2edeaaL,
+        0xb2818fa51e85956aL } },
+    /* 16 << 154 */
+    { { 0x1e6adddaf176f2c0L,0x01ca4604e2572658L,0x0a404ded85342ffbL,
+        0x8cf60f96441838d6L },
+      { 0x9bbc691cc9071c4aL,0xfd58874434442803L,0x97101c85809c0d81L,
+        0xa7fb754c8c456f7fL } },
+    /* 17 << 154 */
+    { { 0xc95f3c5cd51805e1L,0xab4ccd39b299dca8L,0x3e03d20b47eaf500L,
+        0xfa3165c1d7b80893L },
+      { 0x005e8b54e160e552L,0xdc4972ba9019d11fL,0x21a6972e0c9a4a7aL,
+        0xa52c258f37840fd7L } },
+    /* 18 << 154 */
+    { { 0xf8559ff4c1e99d81L,0x08e1a7d6a3c617c0L,0xb398fd43248c6ba7L,
+        0x6ffedd91d1283794L },
+      { 0x8a6a59d2d629d208L,0xa9d141d53490530eL,0x42f6fc1838505989L,
+        0x09bf250d479d94eeL } },
+    /* 19 << 154 */
+    { { 0x223ad3b1b3822790L,0x6c5926c093b8971cL,0x609efc7e75f7fa62L,
+        0x45d66a6d1ec2d989L },
+      { 0x4422d663987d2792L,0x4a73caad3eb31d2bL,0xf06c2ac1a32cb9e6L,
+        0xd9445c5f91aeba84L } },
+    /* 20 << 154 */
+    { { 0x6af7a1d5af71013fL,0xe68216e50bedc946L,0xf4cba30bd27370a0L,
+        0x7981afbf870421ccL },
+      { 0x02496a679449f0e1L,0x86cfc4be0a47edaeL,0x3073c936b1feca22L,
+        0xf569461203f8f8fbL } },
+    /* 21 << 154 */
+    { { 0xd063b723901515eaL,0x4c6c77a5749cf038L,0x6361e360ab9e5059L,
+        0x596cf171a76a37c0L },
+      { 0x800f53fa6530ae7aL,0x0f5e631e0792a7a6L,0x5cc29c24efdb81c9L,
+        0xa269e8683f9c40baL } },
+    /* 22 << 154 */
+    { { 0xec14f9e12cb7191eL,0x78ea1bd8e5b08ea6L,0x3c65aa9b46332bb9L,
+        0x84cc22b3bf80ce25L },
+      { 0x0098e9e9d49d5bf1L,0xcd4ec1c619087da4L,0x3c9d07c5aef6e357L,
+        0x839a02689f8f64b8L } },
+    /* 23 << 154 */
+    { { 0xc5e9eb62c6d8607fL,0x759689f56aa995e4L,0x70464669bbb48317L,
+        0x921474bfe402417dL },
+      { 0xcabe135b2a354c8cL,0xd51e52d2812fa4b5L,0xec74109653311fe8L,
+        0x4f774535b864514bL } },
+    /* 24 << 154 */
+    { { 0xbcadd6715bde48f8L,0xc97038732189bc7dL,0x5d45299ec709ee8aL,
+        0xd1287ee2845aaff8L },
+      { 0x7d1f8874db1dbf1fL,0xea46588b990c88d6L,0x60ba649a84368313L,
+        0xd5fdcbce60d543aeL } },
+    /* 25 << 154 */
+    { { 0x90b46d43810d5ab0L,0x6739d8f904d7e5ccL,0x021c1a580d337c33L,
+        0x00a6116268e67c40L },
+      { 0x95ef413b379f0a1fL,0xfe126605e9e2ab95L,0x67578b852f5f199cL,
+        0xf5c003292cb84913L } },
+    /* 26 << 154 */
+    { { 0xf795643037577dd8L,0x83b82af429c5fe88L,0x9c1bea26cdbdc132L,
+        0x589fa0869c04339eL },
+      { 0x033e9538b13799dfL,0x85fa8b21d295d034L,0xdf17f73fbd9ddccaL,
+        0xf32bd122ddb66334L } },
+    /* 27 << 154 */
+    { { 0x55ef88a7858b044cL,0x1f0d69c25aa9e397L,0x55fd9cc340d85559L,
+        0xc774df727785ddb2L },
+      { 0x5dcce9f6d3bd2e1cL,0xeb30da20a85dfed0L,0x5ed7f5bbd3ed09c4L,
+        0x7d42a35c82a9c1bdL } },
+    /* 28 << 154 */
+    { { 0xcf3de9959890272dL,0x75f3432a3e713a10L,0x5e13479fe28227b8L,
+        0xb8561ea9fefacdc8L },
+      { 0xa6a297a08332aafdL,0x9b0d8bb573809b62L,0xd2fa1cfd0c63036fL,
+        0x7a16eb55bd64bda8L } },
+    /* 29 << 154 */
+    { { 0x3f5cf5f678e62ddcL,0x2267c45407fd752bL,0x5e361b6b5e437bbeL,
+        0x95c595018354e075L },
+      { 0xec725f85f2b254d9L,0x844b617d2cb52b4eL,0xed8554f5cf425fb5L,
+        0xab67703e2af9f312L } },
+    /* 30 << 154 */
+    { { 0x4cc34ec13cf48283L,0xb09daa259c8a705eL,0xd1e9d0d05b7d4f84L,
+        0x4df6ef64db38929dL },
+      { 0xe16b0763aa21ba46L,0xc6b1d178a293f8fbL,0x0ff5b602d520aabfL,
+        0x94d671bdc339397aL } },
+    /* 31 << 154 */
+    { { 0x7c7d98cf4f5792faL,0x7c5e0d6711215261L,0x9b19a631a7c5a6d4L,
+        0xc8511a627a45274dL },
+      { 0x0c16621ca5a60d99L,0xf7fbab88cf5e48cbL,0xab1e6ca2f7ddee08L,
+        0x83bd08cee7867f3cL } },
+    /* 32 << 154 */
+    { { 0xf7e48e8a2ac13e27L,0x4494f6df4eb1a9f5L,0xedbf84eb981f0a62L,
+        0x49badc32536438f0L },
+      { 0x50bea541004f7571L,0xbac67d10df1c94eeL,0x253d73a1b727bc31L,
+        0xb3d01cf230686e28L } },
+    /* 33 << 154 */
+    { { 0x51b77b1b55fd0b8bL,0xa099d183feec3173L,0x202b1fb7670e72b7L,
+        0xadc88b33a8e1635fL },
+      { 0x34e8216af989d905L,0xc2e68d2029b58d01L,0x11f81c926fe55a93L,
+        0x15f1462a8f296f40L } },
+    /* 34 << 154 */
+    { { 0x1915d375ea3d62f2L,0xa17765a301c8977dL,0x7559710ae47b26f6L,
+        0xe0bd29c8535077a5L },
+      { 0x615f976d08d84858L,0x370dfe8569ced5c1L,0xbbc7503ca734fa56L,
+        0xfbb9f1ec91ac4574L } },
+    /* 35 << 154 */
+    { { 0x95d7ec53060dd7efL,0xeef2dacd6e657979L,0x54511af3e2a08235L,
+        0x1e324aa41f4aea3dL },
+      { 0x550e7e71e6e67671L,0xbccd5190bf52faf7L,0xf880d316223cc62aL,
+        0x0d402c7e2b32eb5dL } },
+    /* 36 << 154 */
+    { { 0xa40bc039306a5a3bL,0x4e0a41fd96783a1bL,0xa1e8d39a0253cdd4L,
+        0x6480be26c7388638L },
+      { 0xee365e1d2285f382L,0x188d8d8fec0b5c36L,0x34ef1a481f0f4d82L,
+        0x1a8f43e1a487d29aL } },
+    /* 37 << 154 */
+    { { 0x8168226d77aefb3aL,0xf69a751e1e72c253L,0x8e04359ae9594df1L,
+        0x475ffd7dd14c0467L },
+      { 0xb5a2c2b13844e95cL,0x85caf647dd12ef94L,0x1ecd2a9ff1063d00L,
+        0x1dd2e22923843311L } },
+    /* 38 << 154 */
+    { { 0x38f0e09d73d17244L,0x3ede77468fc653f1L,0xae4459f5dc20e21cL,
+        0x00db2ffa6a8599eaL },
+      { 0x11682c3930cfd905L,0x4934d074a5c112a6L,0xbdf063c5568bfe95L,
+        0x779a440a016c441aL } },
+    /* 39 << 154 */
+    { { 0x0c23f21897d6fbdcL,0xd3a5cd87e0776aacL,0xcee37f72d712e8dbL,
+        0xfb28c70d26f74e8dL },
+      { 0xffe0c728b61301a0L,0xa6282168d3724354L,0x7ff4cb00768ffedcL,
+        0xc51b308803b02de9L } },
+    /* 40 << 154 */
+    { { 0xa5a8147c3902dda5L,0x35d2f706fe6973b4L,0x5ac2efcfc257457eL,
+        0x933f48d48700611bL },
+      { 0xc365af884912beb2L,0x7f5a4de6162edf94L,0xc646ba7c0c32f34bL,
+        0x632c6af3b2091074L } },
+    /* 41 << 154 */
+    { { 0x58d4f2e3753e43a9L,0x70e1d21724d4e23fL,0xb24bf729afede6a6L,
+        0x7f4a94d8710c8b60L },
+      { 0xaad90a968d4faa6aL,0xd9ed0b32b066b690L,0x52fcd37b78b6dbfdL,
+        0x0b64615e8bd2b431L } },
+    /* 42 << 154 */
+    { { 0x228e2048cfb9fad5L,0xbeaa386d240b76bdL,0x2d6681c890dad7bcL,
+        0x3e553fc306d38f5eL },
+      { 0xf27cdb9b9d5f9750L,0x3e85c52ad28c5b0eL,0x190795af5247c39bL,
+        0x547831ebbddd6828L } },
+    /* 43 << 154 */
+    { { 0xf327a2274a82f424L,0x36919c787e47f89dL,0xe478391943c7392cL,
+        0xf101b9aa2316fefeL },
+      { 0xbcdc9e9c1c5009d2L,0xfb55ea139cd18345L,0xf5b5e231a3ce77c7L,
+        0xde6b4527d2f2cb3dL } },
+    /* 44 << 154 */
+    { { 0x10f6a3339bb26f5fL,0x1e85db8e044d85b6L,0xc3697a0894197e54L,
+        0x65e18cc0a7cb4ea8L },
+      { 0xa38c4f50a471fe6eL,0xf031747a2f13439cL,0x53c4a6bac007318bL,
+        0xa8da3ee51deccb3dL } },
+    /* 45 << 154 */
+    { { 0x0555b31c558216b1L,0x90c7810c2f79e6c2L,0x9b669f4dfe8eed3cL,
+        0x70398ec8e0fac126L },
+      { 0xa96a449ef701b235L,0x0ceecdb3eb94f395L,0x285fc368d0cb7431L,
+        0x0d37bb5216a18c64L } },
+    /* 46 << 154 */
+    { { 0x05110d38b880d2ddL,0xa60f177b65930d57L,0x7da34a67f36235f5L,
+        0x47f5e17c183816b9L },
+      { 0xc7664b57db394af4L,0x39ba215d7036f789L,0x46d2ca0e2f27b472L,
+        0xc42647eef73a84b7L } },
+    /* 47 << 154 */
+    { { 0x44bc754564488f1dL,0xaa922708f4cf85d5L,0x721a01d553e4df63L,
+        0x649c0c515db46cedL },
+      { 0x6bf0d64e3cffcb6cL,0xe3bf93fe50f71d96L,0x75044558bcc194a0L,
+        0x16ae33726afdc554L } },
+    /* 48 << 154 */
+    { { 0xbfc01adf5ca48f3fL,0x64352f06e22a9b84L,0xcee54da1c1099e4aL,
+        0xbbda54e8fa1b89c0L },
+      { 0x166a3df56f6e55fbL,0x1ca44a2420176f88L,0x936afd88dfb7b5ffL,
+        0xe34c24378611d4a0L } },
+    /* 49 << 154 */
+    { { 0x7effbb7586142103L,0x6704ba1b1f34fc4dL,0x7c2a468f10c1b122L,
+        0x36b3a6108c6aace9L },
+      { 0xabfcc0a775a0d050L,0x066f91973ce33e32L,0xce905ef429fe09beL,
+        0x89ee25baa8376351L } },
+    /* 50 << 154 */
+    { { 0x2a3ede22fd29dc76L,0x7fd32ed936f17260L,0x0cadcf68284b4126L,
+        0x63422f08a7951fc8L },
+      { 0x562b24f40807e199L,0xfe9ce5d122ad4490L,0xc2f51b100db2b1b4L,
+        0xeb3613ffe4541d0dL } },
+    /* 51 << 154 */
+    { { 0xbd2c4a052680813bL,0x527aa55d561b08d6L,0xa9f8a40ea7205558L,
+        0xe3eea56f243d0becL },
+      { 0x7b853817a0ff58b3L,0xb67d3f651a69e627L,0x0b76bbb9a869b5d6L,
+        0xa3afeb82546723edL } },
+    /* 52 << 154 */
+    { { 0x5f24416d3e554892L,0x8413b53d430e2a45L,0x99c56aee9032a2a0L,
+        0x09432bf6eec367b1L },
+      { 0x552850c6daf0ecc1L,0x49ebce555bc92048L,0xdfb66ba654811307L,
+        0x1b84f7976f298597L } },
+    /* 53 << 154 */
+    { { 0x795904818d1d7a0dL,0xd9fabe033a6fa556L,0xa40f9c59ba9e5d35L,
+        0xcb1771c1f6247577L },
+      { 0x542a47cae9a6312bL,0xa34b3560552dd8c5L,0xfdf94de00d794716L,
+        0xd46124a99c623094L } },
+    /* 54 << 154 */
+    { { 0x56b7435d68afe8b4L,0x27f205406c0d8ea1L,0x12b77e1473186898L,
+        0xdbc3dd467479490fL },
+      { 0x951a9842c03b0c05L,0x8b1b3bb37921bc96L,0xa573b3462b202e0aL,
+        0x77e4665d47254d56L } },
+    /* 55 << 154 */
+    { { 0x08b70dfcd23e3984L,0xab86e8bcebd14236L,0xaa3e07f857114ba7L,
+        0x5ac71689ab0ef4f2L },
+      { 0x88fca3840139d9afL,0x72733f8876644af0L,0xf122f72a65d74f4aL,
+        0x13931577a5626c7aL } },
+    /* 56 << 154 */
+    { { 0xd5b5d9eb70f8d5a4L,0x375adde7d7bbb228L,0x31e88b860c1c0b32L,
+        0xd1f568c4173edbaaL },
+      { 0x1592fc835459df02L,0x2beac0fb0fcd9a7eL,0xb0a6fdb81b473b0aL,
+        0xe3224c6f0fe8fc48L } },
+    /* 57 << 154 */
+    { { 0x680bd00ee87edf5bL,0x30385f0220e77cf5L,0xe9ab98c04d42d1b2L,
+        0x72d191d2d3816d77L },
+      { 0x1564daca0917d9e5L,0x394eab591f8fed7fL,0xa209aa8d7fbb3896L,
+        0x5564f3b9be6ac98eL } },
+    /* 58 << 154 */
+    { { 0xead21d05d73654efL,0x68d1a9c413d78d74L,0x61e017086d4973a0L,
+        0x83da350046e6d32aL },
+      { 0x6a3dfca468ae0118L,0xa1b9a4c9d02da069L,0x0b2ff9c7ebab8302L,
+        0x98af07c3944ba436L } },
+    /* 59 << 154 */
+    { { 0x85997326995f0f9fL,0x467fade071b58bc6L,0x47e4495abd625a2bL,
+        0xfdd2d01d33c3b8cdL },
+      { 0x2c38ae28c693f9faL,0x48622329348f7999L,0x97bf738e2161f583L,
+        0x15ee2fa7565e8cc9L } },
+    /* 60 << 154 */
+    { { 0xa1a5c8455777e189L,0xcc10bee0456f2829L,0x8ad95c56da762bd5L,
+        0x152e2214e9d91da8L },
+      { 0x975b0e727cb23c74L,0xfd5d7670a90c66dfL,0xb5b5b8ad225ffc53L,
+        0xab6dff73faded2aeL } },
+    /* 61 << 154 */
+    { { 0xebd567816f4cbe9dL,0x0ed8b2496a574bd7L,0x41c246fe81a881faL,
+        0x91564805c3db9c70L },
+      { 0xd7c12b085b862809L,0x1facd1f155858d7bL,0x7693747caf09e92aL,
+        0x3b69dcba189a425fL } },
+    /* 62 << 154 */
+    { { 0x0be28e9f967365efL,0x57300eb2e801f5c9L,0x93b8ac6ad583352fL,
+        0xa2cf1f89cd05b2b7L },
+      { 0x7c0c9b744dcc40ccL,0xfee38c45ada523fbL,0xb49a4dec1099cc4dL,
+        0x325c377f69f069c6L } },
+    /* 63 << 154 */
+    { { 0xe12458ce476cc9ffL,0x580e0b6cc6d4cb63L,0xd561c8b79072289bL,
+        0x0377f264a619e6daL },
+      { 0x2668536288e591a5L,0xa453a7bd7523ca2bL,0x8a9536d2c1df4533L,
+        0xc8e50f2fbe972f79L } },
+    /* 64 << 154 */
+    { { 0xd433e50f6d3549cfL,0x6f33696ffacd665eL,0x695bfdacce11fcb4L,
+        0x810ee252af7c9860L },
+      { 0x65450fe17159bb2cL,0xf7dfbebe758b357bL,0x2b057e74d69fea72L,
+        0xd485717a92731745L } },
+    /* 0 << 161 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 161 */
+    { { 0x896c42e8ee36860cL,0xdaf04dfd4113c22dL,0x1adbb7b744104213L,
+        0xe5fd5fa11fd394eaL },
+      { 0x68235d941a4e0551L,0x6772cfbe18d10151L,0x276071e309984523L,
+        0xe4e879de5a56ba98L } },
+    /* 2 << 161 */
+    { { 0xaaafafb0285b9491L,0x01a0be881e4c705eL,0xff1d4f5d2ad9caabL,
+        0x6e349a4ac37a233fL },
+      { 0xcf1c12464a1c6a16L,0xd99e6b6629383260L,0xea3d43665f6d5471L,
+        0x36974d04ff8cc89bL } },
+    /* 3 << 161 */
+    { { 0xc26c49a1cfe89d80L,0xb42c026dda9c8371L,0xca6c013adad066d2L,
+        0xfb8f722856a4f3eeL },
+      { 0x08b579ecd850935bL,0x34c1a74cd631e1b3L,0xcb5fe596ac198534L,
+        0x39ff21f6e1f24f25L } },
+    /* 4 << 161 */
+    { { 0x27f29e148f929057L,0x7a64ae06c0c853dfL,0x256cd18358e9c5ceL,
+        0x9d9cce82ded092a5L },
+      { 0xcc6e59796e93b7c7L,0xe1e4709231bb9e27L,0xb70b3083aa9e29a0L,
+        0xbf181a753785e644L } },
+    /* 5 << 161 */
+    { { 0xf53f2c658ead09f7L,0x1335e1d59780d14dL,0x69cc20e0cd1b66bcL,
+        0x9b670a37bbe0bfc8L },
+      { 0xce53dc8128efbeedL,0x0c74e77c8326a6e5L,0x3604e0d2b88e9a63L,
+        0xbab38fca13dc2248L } },
+    /* 6 << 161 */
+    { { 0x8ed6e8c85c0a3f1eL,0xbcad24927c87c37fL,0xfdfb62bb9ee3b78dL,
+        0xeba8e477cbceba46L },
+      { 0x37d38cb0eeaede4bL,0x0bc498e87976deb6L,0xb2944c046b6147fbL,
+        0x8b123f35f71f9609L } },
+    /* 7 << 161 */
+    { { 0xa155dcc7de79dc24L,0xf1168a32558f69cdL,0xbac215950d1850dfL,
+        0x15c8295bb204c848L },
+      { 0xf661aa367d8184ffL,0xc396228e30447bdbL,0x11cd5143bde4a59eL,
+        0xe3a26e3b6beab5e6L } },
+    /* 8 << 161 */
+    { { 0xd3b3a13f1402b9d0L,0x573441c32c7bc863L,0x4b301ec4578c3e6eL,
+        0xc26fc9c40adaf57eL },
+      { 0x96e71bfd7493cea3L,0xd05d4b3f1af81456L,0xdaca2a8a6a8c608fL,
+        0x53ef07f60725b276L } },
+    /* 9 << 161 */
+    { { 0x07a5fbd27824fc56L,0x3467521813289077L,0x5bf69fd5e0c48349L,
+        0xa613ddd3b6aa7875L },
+      { 0x7f78c19c5450d866L,0x46f4409c8f84a481L,0x9f1d192890fce239L,
+        0x016c4168b2ce44b9L } },
+    /* 10 << 161 */
+    { { 0xbae023f0c7435978L,0xb152c88820e30e19L,0x9c241645e3fa6fafL,
+        0x735d95c184823e60L },
+      { 0x0319757303955317L,0x0b4b02a9f03b4995L,0x076bf55970274600L,
+        0x32c5cc53aaf57508L } },
+    /* 11 << 161 */
+    { { 0xe8af6d1f60624129L,0xb7bc5d649a5e2b5eL,0x3814b0485f082d72L,
+        0x76f267f2ce19677aL },
+      { 0x626c630fb36eed93L,0x55230cd73bf56803L,0x78837949ce2736a0L,
+        0x0d792d60aa6c55f1L } },
+    /* 12 << 161 */
+    { { 0x0318dbfdd5c7c5d2L,0xb38f8da7072b342dL,0x3569bddc7b8de38aL,
+        0xf25b5887a1c94842L },
+      { 0xb2d5b2842946ad60L,0x854f29ade9d1707eL,0xaa5159dc2c6a4509L,
+        0x899f94c057189837L } },
+    /* 13 << 161 */
+    { { 0xcf6adc51f4a55b03L,0x261762de35e3b2d5L,0x4cc4301204827b51L,
+        0xcd22a113c6021442L },
+      { 0xce2fd61a247c9569L,0x59a50973d152becaL,0x6c835a1163a716d4L,
+        0xc26455ed187dedcfL } },
+    /* 14 << 161 */
+    { { 0x27f536e049ce89e7L,0x18908539cc890cb5L,0x308909abd83c2aa1L,
+        0xecd3142b1ab73bd3L },
+      { 0x6a85bf59b3f5ab84L,0x3c320a68f2bea4c6L,0xad8dc5386da4541fL,
+        0xeaf34eb0b7c41186L } },
+    /* 15 << 161 */
+    { { 0x1c780129977c97c4L,0x5ff9beebc57eb9faL,0xa24d0524c822c478L,
+        0xfd8eec2a461cd415L },
+      { 0xfbde194ef027458cL,0xb4ff53191d1be115L,0x63f874d94866d6f4L,
+        0x35c75015b21ad0c9L } },
+    /* 16 << 161 */
+    { { 0xa6b5c9d646ac49d2L,0x42c77c0b83137aa9L,0x24d000fc68225a38L,
+        0x0f63cfc82fe1e907L },
+      { 0x22d1b01bc6441f95L,0x7d38f719ec8e448fL,0x9b33fa5f787fb1baL,
+        0x94dcfda1190158dfL } },
+    /* 17 << 161 */
+    { { 0xc47cb3395f6d4a09L,0x6b4f355cee52b826L,0x3d100f5df51b930aL,
+        0xf4512fac9f668f69L },
+      { 0x546781d5206c4c74L,0xd021d4d4cb4d2e48L,0x494a54c2ca085c2dL,
+        0xf1dbaca4520850a8L } },
+    /* 18 << 161 */
+    { { 0x63c79326490a1acaL,0xcb64dd9c41526b02L,0xbb772591a2979258L,
+        0x3f58297048d97846L },
+      { 0xd66b70d17c213ba7L,0xc28febb5e8a0ced4L,0x6b911831c10338c1L,
+        0x0d54e389bf0126f3L } },
+    /* 19 << 161 */
+    { { 0x7048d4604af206eeL,0x786c88f677e97cb9L,0xd4375ae1ac64802eL,
+        0x469bcfe1d53ec11cL },
+      { 0xfc9b340d47062230L,0xe743bb57c5b4a3acL,0xfe00b4aa59ef45acL,
+        0x29a4ef2359edf188L } },
+    /* 20 << 161 */
+    { { 0x40242efeb483689bL,0x2575d3f6513ac262L,0xf30037c80ca6db72L,
+        0xc9fcce8298864be2L },
+      { 0x84a112ff0149362dL,0x95e575821c4ae971L,0x1fa4b1a8945cf86cL,
+        0x4525a7340b024a2fL } },
+    /* 21 << 161 */
+    { { 0xe76c8b628f338360L,0x483ff59328edf32bL,0x67e8e90a298b1aecL,
+        0x9caab338736d9a21L },
+      { 0x5c09d2fd66892709L,0x2496b4dcb55a1d41L,0x93f5fb1ae24a4394L,
+        0x08c750496fa8f6c1L } },
+    /* 22 << 161 */
+    { { 0xcaead1c2c905d85fL,0xe9d7f7900733ae57L,0x24c9a65cf07cdd94L,
+        0x7389359ca4b55931L },
+      { 0xf58709b7367e45f7L,0x1f203067cb7e7adcL,0x82444bffc7b72818L,
+        0x07303b35baac8033L } },
+    /* 23 << 161 */
+    { { 0x1e1ee4e4d13b7ea1L,0xe6489b24e0e74180L,0xa5f2c6107e70ef70L,
+        0xa1655412bdd10894L },
+      { 0x555ebefb7af4194eL,0x533c1c3c8e89bd9cL,0x735b9b5789895856L,
+        0x15fb3cd2567f5c15L } },
+    /* 24 << 161 */
+    { { 0x057fed45526f09fdL,0xe8a4f10c8128240aL,0x9332efc4ff2bfd8dL,
+        0x214e77a0bd35aa31L },
+      { 0x32896d7314faa40eL,0x767867ec01e5f186L,0xc9adf8f117a1813eL,
+        0xcb6cda7854741795L } },
+    /* 25 << 161 */
+    { { 0xb7521b6d349d51aaL,0xf56b5a9ee3c7b8e9L,0xc6f1e5c932a096dfL,
+        0x083667c4a3635024L },
+      { 0x365ea13518087f2fL,0xf1b8eaacd136e45dL,0xc8a0e48473aec989L,
+        0xd75a324b142c9259L } },
+    /* 26 << 161 */
+    { { 0xb7b4d00101dae185L,0x45434e0b9b7a94bcL,0xf54339affbd8cb0bL,
+        0xdcc4569ee98ef49eL },
+      { 0x7789318a09a51299L,0x81b4d206b2b025d8L,0xf64aa418fae85792L,
+        0x3e50258facd7baf7L } },
+    /* 27 << 161 */
+    { { 0xdce84cdb2996864bL,0xa2e670891f485fa4L,0xb28b2bb6534c6a5aL,
+        0x31a7ec6bc94b9d39L },
+      { 0x1d217766d6bc20daL,0x4acdb5ec86761190L,0x6872632873701063L,
+        0x4d24ee7c2128c29bL } },
+    /* 28 << 161 */
+    { { 0xc072ebd3a19fd868L,0x612e481cdb8ddd3bL,0xb4e1d7541a64d852L,
+        0x00ef95acc4c6c4abL },
+      { 0x1536d2edaa0a6c46L,0x6129408643774790L,0x54af25e8343fda10L,
+        0x9ff9d98dfd25d6f2L } },
+    /* 29 << 161 */
+    { { 0x0746af7c468b8835L,0x977a31cb730ecea7L,0xa5096b80c2cf4a81L,
+        0xaa9868336458c37aL },
+      { 0x6af29bf3a6bd9d34L,0x6a62fe9b33c5d854L,0x50e6c304b7133b5eL,
+        0x04b601597d6e6848L } },
+    /* 30 << 161 */
+    { { 0x4cd296df5579bea4L,0x10e35ac85ceedaf1L,0x04c4c5fde3bcc5b1L,
+        0x95f9ee8a89412cf9L },
+      { 0x2c9459ee82b6eb0fL,0x2e84576595c2aaddL,0x774a84aed327fcfeL,
+        0xd8c937220368d476L } },
+    /* 31 << 161 */
+    { { 0x0dbd5748f83e8a3bL,0xa579aa968d2495f3L,0x535996a0ae496e9bL,
+        0x07afbfe9b7f9bcc2L },
+      { 0x3ac1dc6d5b7bd293L,0x3b592cff7022323dL,0xba0deb989c0a3e76L,
+        0x18e78e9f4b197acbL } },
+    /* 32 << 161 */
+    { { 0x211cde10296c36efL,0x7ee8967282c4da77L,0xb617d270a57836daL,
+        0xf0cd9c319cb7560bL },
+      { 0x01fdcbf7e455fe90L,0x3fb53cbb7e7334f3L,0x781e2ea44e7de4ecL,
+        0x8adab3ad0b384fd0L } },
+    /* 33 << 161 */
+    { { 0x129eee2f53d64829L,0x7a471e17a261492bL,0xe4f9adb9e4cb4a2cL,
+        0x3d359f6f97ba2c2dL },
+      { 0x346c67860aacd697L,0x92b444c375c2f8a8L,0xc79fa117d85df44eL,
+        0x56782372398ddf31L } },
+    /* 34 << 161 */
+    { { 0x60e690f2bbbab3b8L,0x4851f8ae8b04816bL,0xc72046ab9c92e4d2L,
+        0x518c74a17cf3136bL },
+      { 0xff4eb50af9877d4cL,0x14578d90a919cabbL,0x8218f8c4ac5eb2b6L,
+        0xa3ccc547542016e4L } },
+    /* 35 << 161 */
+    { { 0x025bf48e327f8349L,0xf3e97346f43cb641L,0xdc2bafdf500f1085L,
+        0x571678762f063055L },
+      { 0x5bd914b9411925a6L,0x7c078d48a1123de5L,0xee6bf835182b165dL,
+        0xb11b5e5bba519727L } },
+    /* 36 << 161 */
+    { { 0xe33ea76c1eea7b85L,0x2352b46192d4f85eL,0xf101d334afe115bbL,
+        0xfabc1294889175a3L },
+      { 0x7f6bcdc05233f925L,0xe0a802dbe77fec55L,0xbdb47b758069b659L,
+        0x1c5e12def98fbd74L } },
+    /* 37 << 161 */
+    { { 0x869c58c64b8457eeL,0xa5360f694f7ea9f7L,0xe576c09ff460b38fL,
+        0x6b70d54822b7fb36L },
+      { 0x3fd237f13bfae315L,0x33797852cbdff369L,0x97df25f525b516f9L,
+        0x46f388f2ba38ad2dL } },
+    /* 38 << 161 */
+    { { 0x656c465889d8ddbbL,0x8830b26e70f38ee8L,0x4320fd5cde1212b0L,
+        0xc34f30cfe4a2edb2L },
+      { 0xabb131a356ab64b8L,0x7f77f0ccd99c5d26L,0x66856a37bf981d94L,
+        0x19e76d09738bd76eL } },
+    /* 39 << 161 */
+    { { 0xe76c8ac396238f39L,0xc0a482bea830b366L,0xb7b8eaff0b4eb499L,
+        0x8ecd83bc4bfb4865L },
+      { 0x971b2cb7a2f3776fL,0xb42176a4f4b88adfL,0xb9617df5be1fa446L,
+        0x8b32d508cd031bd2L } },
+    /* 40 << 161 */
+    { { 0x1c6bd47d53b618c0L,0xc424f46c6a227923L,0x7303ffdedd92d964L,
+        0xe971287871b5abf2L },
+      { 0x8f48a632f815561dL,0x85f48ff5d3c055d1L,0x222a14277525684fL,
+        0xd0d841a067360cc3L } },
+    /* 41 << 161 */
+    { { 0x4245a9260b9267c6L,0xc78913f1cf07f863L,0xaa844c8e4d0d9e24L,
+        0xa42ad5223d5f9017L },
+      { 0xbd371749a2c989d5L,0x928292dfe1f5e78eL,0x493b383e0a1ea6daL,
+        0x5136fd8d13aee529L } },
+    /* 42 << 161 */
+    { { 0x860c44b1f2c34a99L,0x3b00aca4bf5855acL,0xabf6aaa0faaf37beL,
+        0x65f436822a53ec08L },
+      { 0x1d9a5801a11b12e1L,0x78a7ab2ce20ed475L,0x0de1067e9a41e0d5L,
+        0x30473f5f305023eaL } },
+    /* 43 << 161 */
+    { { 0xdd3ae09d169c7d97L,0x5cd5baa4cfaef9cdL,0x5cd7440b65a44803L,
+        0xdc13966a47f364deL },
+      { 0x077b2be82b8357c1L,0x0cb1b4c5e9d57c2aL,0x7a4ceb3205ff363eL,
+        0xf310fa4dca35a9efL } },
+    /* 44 << 161 */
+    { { 0xdbb7b352f97f68c6L,0x0c773b500b02cf58L,0xea2e48213c1f96d9L,
+        0xffb357b0eee01815L },
+      { 0xb9c924cde0f28039L,0x0b36c95a46a3fbe4L,0x1faaaea45e46db6cL,
+        0xcae575c31928aaffL } },
+    /* 45 << 161 */
+    { { 0x7f671302a70dab86L,0xfcbd12a971c58cfcL,0xcbef9acfbee0cb92L,
+        0x573da0b9f8c1b583L },
+      { 0x4752fcfe0d41d550L,0xe7eec0e32155cffeL,0x0fc39fcb545ae248L,
+        0x522cb8d18065f44eL } },
+    /* 46 << 161 */
+    { { 0x263c962a70cbb96cL,0xe034362abcd124a9L,0xf120db283c2ae58dL,
+        0xb9a38d49fef6d507L },
+      { 0xb1fd2a821ff140fdL,0xbd162f3020aee7e0L,0x4e17a5d4cb251949L,
+        0x2aebcb834f7e1c3dL } },
+    /* 47 << 161 */
+    { { 0x608eb25f937b0527L,0xf42e1e47eb7d9997L,0xeba699c4b8a53a29L,
+        0x1f921c71e091b536L },
+      { 0xcce29e7b5b26bbd5L,0x7a8ef5ed3b61a680L,0xe5ef8043ba1f1c7eL,
+        0x16ea821718158ddaL } },
+    /* 48 << 161 */
+    { { 0x01778a2b599ff0f9L,0x68a923d78104fc6bL,0x5bfa44dfda694ff3L,
+        0x4f7199dbf7667f12L },
+      { 0xc06d8ff6e46f2a79L,0x08b5deade9f8131dL,0x02519a59abb4ce7cL,
+        0xc4f710bcb42aec3eL } },
+    /* 49 << 161 */
+    { { 0x3d77b05778bde41aL,0x6474bf80b4186b5aL,0x048b3f6788c65741L,
+        0xc64519de03c7c154L },
+      { 0xdf0738460edfcc4fL,0x319aa73748f1aa6bL,0x8b9f8a02ca909f77L,
+        0x902581397580bfefL } },
+    /* 50 << 161 */
+    { { 0xd8bfd3cac0c22719L,0xc60209e4c9ca151eL,0x7a744ab5d9a1a69cL,
+        0x6de5048b14937f8fL },
+      { 0x171938d8e115ac04L,0x7df709401c6b16d2L,0xa6aeb6637f8e94e7L,
+        0xc130388e2a2cf094L } },
+    /* 51 << 161 */
+    { { 0x1850be8477f54e6eL,0x9f258a7265d60fe5L,0xff7ff0c06c9146d6L,
+        0x039aaf90e63a830bL },
+      { 0x38f27a739460342fL,0x4703148c3f795f8aL,0x1bb5467b9681a97eL,
+        0x00931ba5ecaeb594L } },
+    /* 52 << 161 */
+    { { 0xcdb6719d786f337cL,0xd9c01cd2e704397dL,0x0f4a3f20555c2fefL,
+        0x004525097c0af223L },
+      { 0x54a5804784db8e76L,0x3bacf1aa93c8aa06L,0x11ca957cf7919422L,
+        0x5064105378cdaa40L } },
+    /* 53 << 161 */
+    { { 0x7a3038749f7144aeL,0x170c963f43d4acfdL,0x5e14814958ddd3efL,
+        0xa7bde5829e72dba8L },
+      { 0x0769da8b6fa68750L,0xfa64e532572e0249L,0xfcaadf9d2619ad31L,
+        0x87882daaa7b349cdL } },
+    /* 54 << 161 */
+    { { 0x9f6eb7316c67a775L,0xcb10471aefc5d0b1L,0xb433750ce1b806b2L,
+        0x19c5714d57b1ae7eL },
+      { 0xc0dc8b7bed03fd3fL,0xdd03344f31bc194eL,0xa66c52a78c6320b5L,
+        0x8bc82ce3d0b6fd93L } },
+    /* 55 << 161 */
+    { { 0xf8e13501b35f1341L,0xe53156dd25a43e42L,0xd3adf27e4daeb85cL,
+        0xb81d8379bbeddeb5L },
+      { 0x1b0b546e2e435867L,0x9020eb94eba5dd60L,0x37d911618210cb9dL,
+        0x4c596b315c91f1cfL } },
+    /* 56 << 161 */
+    { { 0xb228a90f0e0b040dL,0xbaf02d8245ff897fL,0x2aac79e600fa6122L,
+        0x248288178e36f557L },
+      { 0xb9521d31113ec356L,0x9e48861e15eff1f8L,0x2aa1d412e0d41715L,
+        0x71f8620353f131b8L } },
+    /* 57 << 161 */
+    { { 0xf60da8da3fd19408L,0x4aa716dc278d9d99L,0x394531f7a8c51c90L,
+        0xb560b0e8f59db51cL },
+      { 0xa28fc992fa34bdadL,0xf024fa149cd4f8bdL,0x5cf530f723a9d0d3L,
+        0x615ca193e28c9b56L } },
+    /* 58 << 161 */
+    { { 0x6d2a483d6f73c51eL,0xa4cb2412ea0dc2ddL,0x50663c411eb917ffL,
+        0x3d3a74cfeade299eL },
+      { 0x29b3990f4a7a9202L,0xa9bccf59a7b15c3dL,0x66a3ccdca5df9208L,
+        0x48027c1443f2f929L } },
+    /* 59 << 161 */
+    { { 0xd385377c40b557f0L,0xe001c366cd684660L,0x1b18ed6be2183a27L,
+        0x879738d863210329L },
+      { 0xa687c74bbda94882L,0xd1bbcc48a684b299L,0xaf6f1112863b3724L,
+        0x6943d1b42c8ce9f8L } },
+    /* 60 << 161 */
+    { { 0xe044a3bb098cafb4L,0x27ed231060d48cafL,0x542b56753a31b84dL,
+        0xcbf3dd50fcddbed7L },
+      { 0x25031f1641b1d830L,0xa7ec851dcb0c1e27L,0xac1c8fe0b5ae75dbL,
+        0xb24c755708c52120L } },
+    /* 61 << 161 */
+    { { 0x57f811dc1d4636c3L,0xf8436526681a9939L,0x1f6bc6d99c81adb3L,
+        0x840f8ac35b7d80d4L },
+      { 0x731a9811f4387f1aL,0x7c501cd3b5156880L,0xa5ca4a07dfe68867L,
+        0xf123d8f05fcea120L } },
+    /* 62 << 161 */
+    { { 0x1fbb0e71d607039eL,0x2b70e215cd3a4546L,0x32d2f01d53324091L,
+        0xb796ff08180ab19bL },
+      { 0x32d87a863c57c4aaL,0x2aed9cafb7c49a27L,0x9fb35eac31630d98L,
+        0x338e8cdf5c3e20a3L } },
+    /* 63 << 161 */
+    { { 0x80f1618266cde8dbL,0x4e1599802d72fd36L,0xd7b8f13b9b6e5072L,
+        0xf52139073b7b5dc1L },
+      { 0x4d431f1d8ce4396eL,0x37a1a680a7ed2142L,0xbf375696d01aaf6bL,
+        0xaa1c0c54e63aab66L } },
+    /* 64 << 161 */
+    { { 0x3014368b4ed80940L,0x67e6d0567a6fceddL,0x7c208c49ca97579fL,
+        0xfe3d7a81a23597f6L },
+      { 0x5e2032027e096ae2L,0xb1f3e1e724b39366L,0x26da26f32fdcdffcL,
+        0x79422f1d6097be83L } },
+    /* 0 << 168 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 168 */
+    { { 0x263a2cfb9db3b381L,0x9c3a2deed4df0a4bL,0x728d06e97d04e61fL,
+        0x8b1adfbc42449325L },
+      { 0x6ec1d9397e053a1bL,0xee2be5c766daf707L,0x80ba1e14810ac7abL,
+        0xdd2ae778f530f174L } },
+    /* 2 << 168 */
+    { { 0x0435d97a205b9d8bL,0x6eb8f064056756d4L,0xd5e88a8bb6f8210eL,
+        0x070ef12dec9fd9eaL },
+      { 0x4d8495053bcc876aL,0x12a75338a7404ce3L,0xd22b49e1b8a1db5eL,
+        0xec1f205114bfa5adL } },
+    /* 3 << 168 */
+    { { 0xadbaeb79b6828f36L,0x9d7a025801bd5b9eL,0xeda01e0d1e844b0cL,
+        0x4b625175887edfc9L },
+      { 0x14109fdd9669b621L,0x88a2ca56f6f87b98L,0xfe2eb788170df6bcL,
+        0x0cea06f4ffa473f9L } },
+    /* 4 << 168 */
+    { { 0x43ed81b5c4e83d33L,0xd9f358795efd488bL,0x164a620f9deb4d0fL,
+        0xc6927bdbac6a7394L },
+      { 0x45c28df79f9e0f03L,0x2868661efcd7e1a9L,0x7cf4e8d0ffa348f1L,
+        0x6bd4c284398538e0L } },
+    /* 5 << 168 */
+    { { 0x2618a091289a8619L,0xef796e606671b173L,0x664e46e59090c632L,
+        0xa38062d41e66f8fbL },
+      { 0x6c744a200573274eL,0xd07b67e4a9271394L,0x391223b26bdc0e20L,
+        0xbe2d93f1eb0a05a7L } },
+    /* 6 << 168 */
+    { { 0xf23e2e533f36d141L,0xe84bb3d44dfca442L,0xb804a48d6b7c023aL,
+        0x1e16a8fa76431c3bL },
+      { 0x1b5452adddd472e0L,0x7d405ee70d1ee127L,0x50fc6f1dffa27599L,
+        0x351ac53cbf391b35L } },
+    /* 7 << 168 */
+    { { 0x7efa14b84444896bL,0x64974d2ff94027fbL,0xefdcd0e8de84487dL,
+        0x8c45b2602b48989bL },
+      { 0xa8fcbbc2d8463487L,0xd1b2b3f73fbc476cL,0x21d005b7c8f443c0L,
+        0x518f2e6740c0139cL } },
+    /* 8 << 168 */
+    { { 0x56036e8c06d75fc1L,0x2dcf7bb73249a89fL,0x81dd1d3de245e7ddL,
+        0xf578dc4bebd6e2a7L },
+      { 0x4c028903df2ce7a0L,0xaee362889c39afacL,0xdc847c31146404abL,
+        0x6304c0d8a4e97818L } },
+    /* 9 << 168 */
+    { { 0xae51dca2a91f6791L,0x2abe41909baa9efcL,0xd9d2e2f4559c7ac1L,
+        0xe82f4b51fc9f773aL },
+      { 0xa77130274073e81cL,0xc0276facfbb596fcL,0x1d819fc9a684f70cL,
+        0x29b47fddc9f7b1e0L } },
+    /* 10 << 168 */
+    { { 0x358de103459b1940L,0xec881c595b013e93L,0x51574c9349532ad3L,
+        0x2db1d445b37b46deL },
+      { 0xc6445b87df239fd8L,0xc718af75151d24eeL,0xaea1c4a4f43c6259L,
+        0x40c0e5d770be02f7L } },
+    /* 11 << 168 */
+    { { 0x6a4590f4721b33f2L,0x2124f1fbfedf04eaL,0xf8e53cde9745efe7L,
+        0xe7e1043265f046d9L },
+      { 0xc3fca28ee4d0c7e6L,0x847e339a87253b1bL,0x9b5953483743e643L,
+        0xcb6a0a0b4fd12fc5L } },
+    /* 12 << 168 */
+    { { 0xfb6836c327d02dccL,0x5ad009827a68bcc2L,0x1b24b44c005e912dL,
+        0xcc83d20f811fdcfeL },
+      { 0x36527ec1666fba0cL,0x6994819714754635L,0xfcdcb1a8556da9c2L,
+        0xa593426781a732b2L } },
+    /* 13 << 168 */
+    { { 0xec1214eda714181dL,0x609ac13b6067b341L,0xff4b4c97a545df1fL,
+        0xa124050134d2076bL },
+      { 0x6efa0c231409ca97L,0x254cc1a820638c43L,0xd4e363afdcfb46cdL,
+        0x62c2adc303942a27L } },
+    /* 14 << 168 */
+    { { 0xc67b9df056e46483L,0xa55abb2063736356L,0xab93c098c551bc52L,
+        0x382b49f9b15fe64bL },
+      { 0x9ec221ad4dff8d47L,0x79caf615437df4d6L,0x5f13dc64bb456509L,
+        0xe4c589d9191f0714L } },
+    /* 15 << 168 */
+    { { 0x27b6a8ab3fd40e09L,0xe455842e77313ea9L,0x8b51d1e21f55988bL,
+        0x5716dd73062bbbfcL },
+      { 0x633c11e54e8bf3deL,0x9a0e77b61b85be3bL,0x565107290911cca6L,
+        0x27e76495efa6590fL } },
+    /* 16 << 168 */
+    { { 0xe4ac8b33070d3aabL,0x2643672b9a2cd5e5L,0x52eff79b1cfc9173L,
+        0x665ca49b90a7c13fL },
+      { 0x5a8dda59b3efb998L,0x8a5b922d052f1341L,0xae9ebbab3cf9a530L,
+        0x35986e7bf56da4d7L } },
+    /* 17 << 168 */
+    { { 0x3a636b5cff3513ccL,0xbb0cf8ba3198f7ddL,0xb8d4052241f16f86L,
+        0x760575d8de13a7bfL },
+      { 0x36f74e169f7aa181L,0x163a3ecff509ed1cL,0x6aead61f3c40a491L,
+        0x158c95fcdfe8fcaaL } },
+    /* 18 << 168 */
+    { { 0xa3991b6e13cda46fL,0x79482415342faed0L,0xf3ba5bde666b5970L,
+        0x1d52e6bcb26ab6ddL },
+      { 0x768ba1e78608dd3dL,0x4930db2aea076586L,0xd9575714e7dc1afaL,
+        0x1fc7bf7df7c58817L } },
+    /* 19 << 168 */
+    { { 0x6b47accdd9eee96cL,0x0ca277fbe58cec37L,0x113fe413e702c42aL,
+        0xdd1764eec47cbe51L },
+      { 0x041e7cde7b3ed739L,0x50cb74595ce9e1c0L,0x355685132925b212L,
+        0x7cff95c4001b081cL } },
+    /* 20 << 168 */
+    { { 0x63ee4cbd8088b454L,0xdb7f32f79a9e0c8aL,0xb377d4186b2447cbL,
+        0xe3e982aad370219bL },
+      { 0x06ccc1e4c2a2a593L,0x72c368650773f24fL,0xa13b4da795859423L,
+        0x8bbf1d3375040c8fL } },
+    /* 21 << 168 */
+    { { 0x726f0973da50c991L,0x48afcd5b822d6ee2L,0xe5fc718b20fd7771L,
+        0xb9e8e77dfd0807a1L },
+      { 0x7f5e0f4499a7703dL,0x6972930e618e36f3L,0x2b7c77b823807bbeL,
+        0xe5b82405cb27ff50L } },
+    /* 22 << 168 */
+    { { 0xba8b8be3bd379062L,0xd64b7a1d2dce4a92L,0x040a73c5b2952e37L,
+        0x0a9e252ed438aecaL },
+      { 0xdd43956bc39d3bcbL,0x1a31ca00b32b2d63L,0xd67133b85c417a18L,
+        0xd08e47902ef442c8L } },
+    /* 23 << 168 */
+    { { 0x98cb1ae9255c0980L,0x4bd863812b4a739fL,0x5a5c31e11e4a45a1L,
+        0x1e5d55fe9cb0db2fL },
+      { 0x74661b068ff5cc29L,0x026b389f0eb8a4f4L,0x536b21a458848c24L,
+        0x2e5bf8ec81dc72b0L } },
+    /* 24 << 168 */
+    { { 0x03c187d0ad886aacL,0x5c16878ab771b645L,0xb07dfc6fc74045abL,
+        0x2c6360bf7800caedL },
+      { 0x24295bb5b9c972a3L,0xc9e6f88e7c9a6dbaL,0x90ffbf2492a79aa6L,
+        0xde29d50a41c26ac2L } },
+    /* 25 << 168 */
+    { { 0x9f0af483d309cbe6L,0x5b020d8ae0bced4fL,0x606e986db38023e3L,
+        0xad8f2c9d1abc6933L },
+      { 0x19292e1de7400e93L,0xfe3e18a952be5e4dL,0xe8e9771d2e0680bfL,
+        0x8c5bec98c54db063L } },
+    /* 26 << 168 */
+    { { 0x2af9662a74a55d1fL,0xe3fbf28f046f66d8L,0xa3a72ab4d4dc4794L,
+        0x09779f455c7c2dd8L },
+      { 0xd893bdafc3d19d8dL,0xd5a7509457d6a6dfL,0x8cf8fef9952e6255L,
+        0x3da67cfbda9a8affL } },
+    /* 27 << 168 */
+    { { 0x4c23f62a2c160dcdL,0x34e6c5e38f90eaefL,0x35865519a9a65d5aL,
+        0x07c48aae8fd38a3dL },
+      { 0xb7e7aeda50068527L,0x2c09ef231c90936aL,0x31ecfeb6e879324cL,
+        0xa0871f6bfb0ec938L } },
+    /* 28 << 168 */
+    { { 0xb1f0fb68d84d835dL,0xc90caf39861dc1e6L,0x12e5b0467594f8d7L,
+        0x26897ae265012b92L },
+      { 0xbcf68a08a4d6755dL,0x403ee41c0991fbdaL,0x733e343e3bbf17e8L,
+        0xd2c7980d679b3d65L } },
+    /* 29 << 168 */
+    { { 0x33056232d2e11305L,0x966be492f3c07a6fL,0x6a8878ffbb15509dL,
+        0xff2211010a9b59a4L },
+      { 0x6c9f564aabe30129L,0xc6f2c940336e64cfL,0x0fe752628b0c8022L,
+        0xbe0267e96ae8db87L } },
+    /* 30 << 168 */
+    { { 0x22e192f193bc042bL,0xf085b534b237c458L,0xa0d192bd832c4168L,
+        0x7a76e9e3bdf6271dL },
+      { 0x52a882fab88911b5L,0xc85345e4b4db0eb5L,0xa3be02a681a7c3ffL,
+        0x51889c8cf0ec0469L } },
+    /* 31 << 168 */
+    { { 0x9d031369a5e829e5L,0xcbb4c6fc1607aa41L,0x75ac59a6241d84c1L,
+        0xc043f2bf8829e0eeL },
+      { 0x82a38f758ea5e185L,0x8bda40b9d87cbd9fL,0x9e65e75e2d8fc601L,
+        0x3d515f74a35690b3L } },
+    /* 32 << 168 */
+    { { 0x534acf4fda79e5acL,0x68b83b3a8630215fL,0x5c748b2ed085756eL,
+        0xb0317258e5d37cb2L },
+      { 0x6735841ac5ccc2c4L,0x7d7dc96b3d9d5069L,0xa147e410fd1754bdL,
+        0x65296e94d399ddd5L } },
+    /* 33 << 168 */
+    { { 0xf6b5b2d0bc8fa5bcL,0x8a5ead67500c277bL,0x214625e6dfa08a5dL,
+        0x51fdfedc959cf047L },
+      { 0x6bc9430b289fca32L,0xe36ff0cf9d9bdc3fL,0x2fe187cb58ea0edeL,
+        0xed66af205a900b3fL } },
+    /* 34 << 168 */
+    { { 0x00e0968b5fa9f4d6L,0x2d4066ce37a362e7L,0xa99a9748bd07e772L,
+        0x710989c006a4f1d0L },
+      { 0xd5dedf35ce40cbd8L,0xab55c5f01743293dL,0x766f11448aa24e2cL,
+        0x94d874f8605fbcb4L } },
+    /* 35 << 168 */
+    { { 0xa365f0e8a518001bL,0xee605eb69d04ef0fL,0x5a3915cdba8d4d25L,
+        0x44c0e1b8b5113472L },
+      { 0xcbb024e88b6740dcL,0x89087a53ee1d4f0cL,0xa88fa05c1fc4e372L,
+        0x8bf395cbaf8b3af2L } },
+    /* 36 << 168 */
+    { { 0x1e71c9a1deb8568bL,0xa35daea080fb3d32L,0xe8b6f2662cf8fb81L,
+        0x6d51afe89490696aL },
+      { 0x81beac6e51803a19L,0xe3d24b7f86219080L,0x727cfd9ddf6f463cL,
+        0x8c6865ca72284ee8L } },
+    /* 37 << 168 */
+    { { 0x32c88b7db743f4efL,0x3793909be7d11dceL,0xd398f9222ff2ebe8L,
+        0x2c70ca44e5e49796L },
+      { 0xdf4d9929cb1131b1L,0x7826f29825888e79L,0x4d3a112cf1d8740aL,
+        0x00384cb6270afa8bL } },
+    /* 38 << 168 */
+    { { 0xcb64125b3ab48095L,0x3451c25662d05106L,0xd73d577da4955845L,
+        0x39570c16bf9f4433L },
+      { 0xd7dfaad3adecf263L,0xf1c3d8d1dc76e102L,0x5e774a5854c6a836L,
+        0xdad4b6723e92d47bL } },
+    /* 39 << 168 */
+    { { 0xbe7e990ff0d796a0L,0x5fc62478df0e8b02L,0x8aae8bf4030c00adL,
+        0x3d2db93b9004ba0fL },
+      { 0xe48c8a79d85d5ddcL,0xe907caa76bb07f34L,0x58db343aa39eaed5L,
+        0x0ea6e007adaf5724L } },
+    /* 40 << 168 */
+    { { 0xe00df169d23233f3L,0x3e32279677cb637fL,0x1f897c0e1da0cf6cL,
+        0xa651f5d831d6bbddL },
+      { 0xdd61af191a230c76L,0xbd527272cdaa5e4aL,0xca753636d0abcd7eL,
+        0x78bdd37c370bd8dcL } },
+    /* 41 << 168 */
+    { { 0xc23916c217cd93feL,0x65b97a4ddadce6e2L,0xe04ed4eb174e42f8L,
+        0x1491ccaabb21480aL },
+      { 0x145a828023196332L,0x3c3862d7587b479aL,0x9f4a88a301dcd0edL,
+        0x4da2b7ef3ea12f1fL } },
+    /* 42 << 168 */
+    { { 0xf8e7ae33b126e48eL,0x404a0b32f494e237L,0x9beac474c55acadbL,
+        0x4ee5cf3bcbec9fd9L },
+      { 0x336b33b97df3c8c3L,0xbd905fe3b76808fdL,0x8f436981aa45c16aL,
+        0x255c5bfa3dd27b62L } },
+    /* 43 << 168 */
+    { { 0x71965cbfc3dd9b4dL,0xce23edbffc068a87L,0xb78d4725745b029bL,
+        0x74610713cefdd9bdL },
+      { 0x7116f75f1266bf52L,0x0204672218e49bb6L,0xdf43df9f3d6f19e3L,
+        0xef1bc7d0e685cb2fL } },
+    /* 44 << 168 */
+    { { 0xcddb27c17078c432L,0xe1961b9cb77fedb7L,0x1edc2f5cc2290570L,
+        0x2c3fefca19cbd886L },
+      { 0xcf880a36c2af389aL,0x96c610fdbda71ceaL,0xf03977a932aa8463L,
+        0x8eb7763f8586d90aL } },
+    /* 45 << 168 */
+    { { 0x3f3424542a296e77L,0xc871868342837a35L,0x7dc710906a09c731L,
+        0x54778ffb51b816dbL },
+      { 0x6b33bfecaf06defdL,0xfe3c105f8592b70bL,0xf937fda461da6114L,
+        0x3c13e6514c266ad7L } },
+    /* 46 << 168 */
+    { { 0xe363a829855938e8L,0x2eeb5d9e9de54b72L,0xbeb93b0e20ccfab9L,
+        0x3dffbb5f25e61a25L },
+      { 0x7f655e431acc093dL,0x0cb6cc3d3964ce61L,0x6ab283a1e5e9b460L,
+        0x55d787c5a1c7e72dL } },
+    /* 47 << 168 */
+    { { 0x4d2efd47deadbf02L,0x11e80219ac459068L,0x810c762671f311f0L,
+        0xfa17ef8d4ab6ef53L },
+      { 0xaf47fd2593e43bffL,0x5cb5ff3f0be40632L,0x546871068ee61da3L,
+        0x7764196eb08afd0fL } },
+    /* 48 << 168 */
+    { { 0x831ab3edf0290a8fL,0xcae81966cb47c387L,0xaad7dece184efb4fL,
+        0xdcfc53b34749110eL },
+      { 0x6698f23c4cb632f9L,0xc42a1ad6b91f8067L,0xb116a81d6284180aL,
+        0xebedf5f8e901326fL } },
+    /* 49 << 168 */
+    { { 0xf2274c9f97e3e044L,0x4201852011d09fc9L,0x56a65f17d18e6e23L,
+        0x2ea61e2a352b683cL },
+      { 0x27d291bc575eaa94L,0x9e7bc721b8ff522dL,0x5f7268bfa7f04d6fL,
+        0x5868c73faba41748L } },
+    /* 50 << 168 */
+    { { 0x9f85c2db7be0eeadL,0x511e7842ff719135L,0x5a06b1e9c5ea90d7L,
+        0x0c19e28326fab631L },
+      { 0x8af8f0cfe9206c55L,0x89389cb43553c06aL,0x39dbed97f65f8004L,
+        0x0621b037c508991dL } },
+    /* 51 << 168 */
+    { { 0x1c52e63596e78cc4L,0x5385c8b20c06b4a8L,0xd84ddfdbb0e87d03L,
+        0xc49dfb66934bafadL },
+      { 0x7071e17059f70772L,0x3a073a843a1db56bL,0x034949033b8af190L,
+        0x7d882de3d32920f0L } },
+    /* 52 << 168 */
+    { { 0x91633f0ab2cf8940L,0x72b0b1786f948f51L,0x2d28dc30782653c8L,
+        0x88829849db903a05L },
+      { 0xb8095d0c6a19d2bbL,0x4b9e7f0c86f782cbL,0x7af739882d907064L,
+        0xd12be0fe8b32643cL } },
+    /* 53 << 168 */
+    { { 0x358ed23d0e165dc3L,0x3d47ce624e2378ceL,0x7e2bb0b9feb8a087L,
+        0x3246e8aee29e10b9L },
+      { 0x459f4ec703ce2b4dL,0xe9b4ca1bbbc077cfL,0x2613b4f20e9940c1L,
+        0xfc598bb9047d1eb1L } },
+    /* 54 << 168 */
+    { { 0x9744c62b45036099L,0xa9dee742167c65d8L,0x0c511525dabe1943L,
+        0xda11055493c6c624L },
+      { 0xae00a52c651a3be2L,0xcda5111d884449a6L,0x063c06f4ff33bed1L,
+        0x73baaf9a0d3d76b4L } },
+    /* 55 << 168 */
+    { { 0x52fb0c9d7fc63668L,0x6886c9dd0c039cdeL,0x602bd59955b22351L,
+        0xb00cab02360c7c13L },
+      { 0x8cb616bc81b69442L,0x41486700b55c3ceeL,0x71093281f49ba278L,
+        0xad956d9c64a50710L } },
+    /* 56 << 168 */
+    { { 0x9561f28b638a7e81L,0x54155cdf5980ddc3L,0xb2db4a96d26f247aL,
+        0x9d774e4e4787d100L },
+      { 0x1a9e6e2e078637d2L,0x1c363e2d5e0ae06aL,0x7493483ee9cfa354L,
+        0x76843cb37f74b98dL } },
+    /* 57 << 168 */
+    { { 0xbaca6591d4b66947L,0xb452ce9804460a8cL,0x6830d24643768f55L,
+        0xf4197ed87dff12dfL },
+      { 0x6521b472400dd0f7L,0x59f5ca8f4b1e7093L,0x6feff11b080338aeL,
+        0x0ada31f6a29ca3c6L } },
+    /* 58 << 168 */
+    { { 0x24794eb694a2c215L,0xd83a43ab05a57ab4L,0x264a543a2a6f89feL,
+        0x2c2a3868dd5ec7c2L },
+      { 0xd33739408439d9b2L,0x715ea6720acd1f11L,0x42c1d235e7e6cc19L,
+        0x81ce6e96b990585cL } },
+    /* 59 << 168 */
+    { { 0x04e5dfe0d809c7bdL,0xd7b2580c8f1050abL,0x6d91ad78d8a4176fL,
+        0x0af556ee4e2e897cL },
+      { 0x162a8b73921de0acL,0x52ac9c227ea78400L,0xee2a4eeaefce2174L,
+        0xbe61844e6d637f79L } },
+    /* 60 << 168 */
+    { { 0x0491f1bc789a283bL,0x72d3ac3d880836f4L,0xaa1c5ea388e5402dL,
+        0x1b192421d5cc473dL },
+      { 0x5c0b99989dc84cacL,0xb0a8482d9c6e75b8L,0x639961d03a191ce2L,
+        0xda3bc8656d837930L } },
+    /* 61 << 168 */
+    { { 0xca990653056e6f8fL,0x84861c4164d133a7L,0x8b403276746abe40L,
+        0xb7b4d51aebf8e303L },
+      { 0x05b43211220a255dL,0xc997152c02419e6eL,0x76ff47b6630c2feaL,
+        0x50518677281fdadeL } },
+    /* 62 << 168 */
+    { { 0x3283b8bacf902b0bL,0x8d4b4eb537db303bL,0xcc89f42d755011bcL,
+        0xb43d74bbdd09d19bL },
+      { 0x65746bc98adba350L,0x364eaf8cb51c1927L,0x13c7659610ad72ecL,
+        0x30045121f8d40c20L } },
+    /* 63 << 168 */
+    { { 0x6d2d99b7ea7b979bL,0xcd78cd74e6fb3bcdL,0x11e45a9e86cffbfeL,
+        0x78a61cf4637024f6L },
+      { 0xd06bc8723d502295L,0xf1376854458cb288L,0xb9db26a1342f8586L,
+        0xf33effcf4beee09eL } },
+    /* 64 << 168 */
+    { { 0xd7e0c4cdb30cfb3aL,0x6d09b8c16c9db4c8L,0x40ba1a4207c8d9dfL,
+        0x6fd495f71c52c66dL },
+      { 0xfb0e169f275264daL,0x80c2b746e57d8362L,0xedd987f749ad7222L,
+        0xfdc229af4398ec7bL } },
+    /* 0 << 175 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 175 */
+    { { 0xb0d1ed8452666a58L,0x4bcb6e00e6a9c3c2L,0x3c57411c26906408L,
+        0xcfc2075513556400L },
+      { 0xa08b1c505294dba3L,0xa30ba2868b7dd31eL,0xd70ba90e991eca74L,
+        0x094e142ce762c2b9L } },
+    /* 2 << 175 */
+    { { 0xb81d783e979f3925L,0x1efd130aaf4c89a7L,0x525c2144fd1bf7faL,
+        0x4b2969041b265a9eL },
+      { 0xed8e9634b9db65b6L,0x35c82e3203599d8aL,0xdaa7a54f403563f3L,
+        0x9df088ad022c38abL } },
+    /* 3 << 175 */
+    { { 0xe5cfb066bb3fd30aL,0x429169daeff0354eL,0x809cf8523524e36cL,
+        0x136f4fb30155be1dL },
+      { 0x4826af011fbba712L,0x6ef0f0b4506ba1a1L,0xd9928b3177aea73eL,
+        0xe2bf6af25eaa244eL } },
+    /* 4 << 175 */
+    { { 0x8d084f124237b64bL,0x688ebe99e3ecfd07L,0x57b8a70cf6845dd8L,
+        0x808fc59c5da4a325L },
+      { 0xa9032b2ba3585862L,0xb66825d5edf29386L,0xb5a5a8db431ec29bL,
+        0xbb143a983a1e8dc8L } },
+    /* 5 << 175 */
+    { { 0x35ee94ce12ae381bL,0x3a7f176c86ccda90L,0xc63a657e4606eacaL,
+        0x9ae5a38043cd04dfL },
+      { 0x9bec8d15ed251b46L,0x1f5d6d30caca5e64L,0x347b3b359ff20f07L,
+        0x4d65f034f7e4b286L } },
+    /* 6 << 175 */
+    { { 0x9e93ba24f111661eL,0xedced484b105eb04L,0x96dc9ba1f424b578L,
+        0xbf8f66b7e83e9069L },
+      { 0x872d4df4d7ed8216L,0xbf07f3778e2cbecfL,0x4281d89998e73754L,
+        0xfec85fbb8aab8708L } },
+    /* 7 << 175 */
+    { { 0x9a3c0deea5ba5b0bL,0xe6a116ce42d05299L,0xae9775fee9b02d42L,
+        0x72b05200a1545cb6L },
+      { 0xbc506f7d31a3b4eaL,0xe58930788bbd9b32L,0xc8bc5f37e4b12a97L,
+        0x6b000c064a73b671L } },
+    /* 8 << 175 */
+    { { 0x13b5bf22765fa7d0L,0x59805bf01d6a5370L,0x67a5e29d4280db98L,
+        0x4f53916f776b1ce3L },
+      { 0x714ff61f33ddf626L,0x4206238ea085d103L,0x1c50d4b7e5809ee3L,
+        0x999f450d85f8eb1dL } },
+    /* 9 << 175 */
+    { { 0x658a6051e4c79e9bL,0x1394cb73c66a9feaL,0x27f31ed5c6be7b23L,
+        0xf4c88f365aa6f8feL },
+      { 0x0fb0721f4aaa499eL,0x68b3a7d5e3fb2a6bL,0xa788097d3a92851dL,
+        0x060e7f8ae96f4913L } },
+    /* 10 << 175 */
+    { { 0x82eebe731a3a93bcL,0x42bbf465a21adc1aL,0xc10b6fa4ef030efdL,
+        0x247aa4c787b097bbL },
+      { 0x8b8dc632f60c77daL,0x6ffbc26ac223523eL,0xa4f6ff11344579cfL,
+        0x5825653c980250f6L } },
+    /* 11 << 175 */
+    { { 0xb2dd097ebc1aa2b9L,0x0788939337a0333aL,0x1cf55e7137a0db38L,
+        0x2648487f792c1613L },
+      { 0xdad013363fcef261L,0x6239c81d0eabf129L,0x8ee761de9d276be2L,
+        0x406a7a341eda6ad3L } },
+    /* 12 << 175 */
+    { { 0x4bf367ba4a493b31L,0x54f20a529bf7f026L,0xb696e0629795914bL,
+        0xcddab96d8bf236acL },
+      { 0x4ff2c70aed25ea13L,0xfa1d09eb81cbbbe7L,0x88fc8c87468544c5L,
+        0x847a670d696b3317L } },
+    /* 13 << 175 */
+    { { 0xf133421e64bcb626L,0xaea638c826dee0b5L,0xd6e7680bb310346cL,
+        0xe06f4097d5d4ced3L },
+      { 0x099614527512a30bL,0xf3d867fde589a59aL,0x2e73254f52d0c180L,
+        0x9063d8a3333c74acL } },
+    /* 14 << 175 */
+    { { 0xeda6c595d314e7bcL,0x2ee7464b467899edL,0x1cef423c0a1ed5d3L,
+        0x217e76ea69cc7613L },
+      { 0x27ccce1fe7cda917L,0x12d8016b8a893f16L,0xbcd6de849fc74f6bL,
+        0xfa5817e2f3144e61L } },
+    /* 15 << 175 */
+    { { 0x1f3541640821ee4cL,0x1583eab40bc61992L,0x7490caf61d72879fL,
+        0x998ad9f3f76ae7b2L },
+      { 0x1e181950a41157f7L,0xa9d7e1e6e8da3a7eL,0x963784eb8426b95fL,
+        0x0ee4ed6e542e2a10L } },
+    /* 16 << 175 */
+    { { 0xb79d4cc5ac751e7bL,0x93f96472fd4211bdL,0x8c72d3d2c8de4fc6L,
+        0x7b69cbf5df44f064L },
+      { 0x3da90ca2f4bf94e1L,0x1a5325f8f12894e2L,0x0a437f6c7917d60bL,
+        0x9be7048696c9cb5dL } },
+    /* 17 << 175 */
+    { { 0xb4d880bfe1dc5c05L,0xd738addaeebeeb57L,0x6f0119d3df0fe6a3L,
+        0x5c686e5566eaaf5aL },
+      { 0x9cb10b50dfd0b7ecL,0xbdd0264b6a497c21L,0xfc0935148c546c96L,
+        0x58a947fa79dbf42aL } },
+    /* 18 << 175 */
+    { { 0xc0b48d4e49ccd6d7L,0xff8fb02c88bd5580L,0xc75235e907d473b2L,
+        0x4fab1ac5a2188af3L },
+      { 0x030fa3bc97576ec0L,0xe8c946e80b7e7d2fL,0x40a5c9cc70305600L,
+        0x6d8260a9c8b013b4L } },
+    /* 19 << 175 */
+    { { 0x0368304f70bba85cL,0xad090da1a4a0d311L,0x7170e8702415eec1L,
+        0xbfba35fe8461ea47L },
+      { 0x6279019ac1e91938L,0xa47638f31afc415fL,0x36c65cbbbcba0e0fL,
+        0x02160efb034e2c48L } },
+    /* 20 << 175 */
+    { { 0xe6c51073615cd9e4L,0x498ec047f1243c06L,0x3e5a8809b17b3d8cL,
+        0x5cd99e610cc565f1L },
+      { 0x81e312df7851dafeL,0xf156f5baa79061e2L,0x80d62b71880c590eL,
+        0xbec9746f0a39faa1L } },
+    /* 21 << 175 */
+    { { 0x1d98a9c1c8ed1f7aL,0x09e43bb5a81d5ff2L,0xd5f00f680da0794aL,
+        0x412050d9661aa836L },
+      { 0xa89f7c4e90747e40L,0x6dc05ebbb62a3686L,0xdf4de847308e3353L,
+        0x53868fbb9fb53bb9L } },
+    /* 22 << 175 */
+    { { 0x2b09d2c3cfdcf7ddL,0x41a9fce3723fcab4L,0x73d905f707f57ca3L,
+        0x080f9fb1ac8e1555L },
+      { 0x7c088e849ba7a531L,0x07d35586ed9a147fL,0x602846abaf48c336L,
+        0x7320fd320ccf0e79L } },
+    /* 23 << 175 */
+    { { 0xaa780798b18bd1ffL,0x52c2e300afdd2905L,0xf27ea3d6434267cdL,
+        0x8b96d16d15605b5fL },
+      { 0x7bb310494b45706bL,0xe7f58b8e743d25f8L,0xe9b5e45b87f30076L,
+        0xd19448d65d053d5aL } },
+    /* 24 << 175 */
+    { { 0x1ecc8cb9d3210a04L,0x6bc7d463dafb5269L,0x3e59b10a67c3489fL,
+        0x1769788c65641e1bL },
+      { 0x8a53b82dbd6cb838L,0x7066d6e6236d5f22L,0x03aa1c616908536eL,
+        0xc971da0d66ae9809L } },
+    /* 25 << 175 */
+    { { 0x01b3a86bc49a2facL,0x3b8420c03092e77aL,0x020573007d6fb556L,
+        0x6941b2a1bff40a87L },
+      { 0x140b63080658ff2aL,0x878043633424ab36L,0x0253bd515751e299L,
+        0xc75bcd76449c3e3aL } },
+    /* 26 << 175 */
+    { { 0x92eb40907f8f875dL,0x9c9d754e56c26bbfL,0x158cea618110bbe7L,
+        0x62a6b802745f91eaL },
+      { 0xa79c41aac6e7394bL,0x445b6a83ad57ef10L,0x0c5277eb6ea6f40cL,
+        0x319fe96b88633365L } },
+    /* 27 << 175 */
+    { { 0x0b0fc61f385f63cbL,0x41250c8422bdd127L,0x67d153f109e942c2L,
+        0x60920d08c021ad5dL },
+      { 0x229f5746724d81a5L,0xb7ffb8925bba3299L,0x518c51a1de413032L,
+        0x2a9bfe773c2fd94cL } },
+    /* 28 << 175 */
+    { { 0xcbcde2393191f4fdL,0x43093e16d3d6ada1L,0x184579f358769606L,
+        0x2c94a8b3d236625cL },
+      { 0x6922b9c05c437d8eL,0x3d4ae423d8d9f3c8L,0xf72c31c12e7090a2L,
+        0x4ac3f5f3d76a55bdL } },
+    /* 29 << 175 */
+    { { 0x342508fc6b6af991L,0x0d5271001b5cebbdL,0xb84740d0dd440dd7L,
+        0x748ef841780162fdL },
+      { 0xa8dbfe0edfc6fafbL,0xeadfdf05f7300f27L,0x7d06555ffeba4ec9L,
+        0x12c56f839e25fa97L } },
+    /* 30 << 175 */
+    { { 0x77f84203d39b8c34L,0xed8b1be63125eddbL,0x5bbf2441f6e39dc5L,
+        0xb00f6ee66a5d678aL },
+      { 0xba456ecf57d0ea99L,0xdcae0f5817e06c43L,0x01643de40f5b4baaL,
+        0x2c324341d161b9beL } },
+    /* 31 << 175 */
+    { { 0x80177f55e126d468L,0xed325f1f76748e09L,0x6116004acfa9bdc2L,
+        0x2d8607e63a9fb468L },
+      { 0x0e573e276009d660L,0x3a525d2e8d10c5a1L,0xd26cb45c3b9009a0L,
+        0xb6b0cdc0de9d7448L } },
+    /* 32 << 175 */
+    { { 0x949c9976e1337c26L,0x6faadebdd73d68e5L,0x9e158614f1b768d9L,
+        0x22dfa5579cc4f069L },
+      { 0xccd6da17be93c6d6L,0x24866c61a504f5b9L,0x2121353c8d694da1L,
+        0x1c6ca5800140b8c6L } },
+    /* 33 << 175 */
+    { { 0xc245ad8ce964021eL,0xb83bffba032b82b3L,0xfaa220c647ef9898L,
+        0x7e8d3ac6982c948aL },
+      { 0x1faa2091bc2d124aL,0xbd54c3dd05b15ff4L,0x386bf3abc87c6fb7L,
+        0xfb2b0563fdeb6f66L } },
+    /* 34 << 175 */
+    { { 0x4e77c5575b45afb4L,0xe9ded649efb8912dL,0x7ec9bbf542f6e557L,
+        0x2570dfff62671f00L },
+      { 0x2b3bfb7888e084bdL,0xa024b238f37fe5b4L,0x44e7dc0495649aeeL,
+        0x498ca2555e7ec1d8L } },
+    /* 35 << 175 */
+    { { 0x3bc766eaaaa07e86L,0x0db6facbf3608586L,0xbadd2549bdc259c8L,
+        0x95af3c6e041c649fL },
+      { 0xb36a928c02e30afbL,0x9b5356ad008a88b8L,0x4b67a5f1cf1d9e9dL,
+        0xc6542e47a5d8d8ceL } },
+    /* 36 << 175 */
+    { { 0x73061fe87adfb6ccL,0xcc826fd398678141L,0x00e758b13c80515aL,
+        0x6afe324741485083L },
+      { 0x0fcb08b9b6ae8a75L,0xb8cf388d4acf51e1L,0x344a55606961b9d6L,
+        0x1a6778b86a97fd0cL } },
+    /* 37 << 175 */
+    { { 0xd840fdc1ecc4c7e3L,0xde9fe47d16db68ccL,0xe95f89dea3e216aaL,
+        0x84f1a6a49594a8beL },
+      { 0x7ddc7d725a7b162bL,0xc5cfda19adc817a3L,0x80a5d35078b58d46L,
+        0x93365b1382978f19L } },
+    /* 38 << 175 */
+    { { 0x2e44d22526a1fc90L,0x0d6d10d24d70705dL,0xd94b6b10d70c45f4L,
+        0x0f201022b216c079L },
+      { 0xcec966c5658fde41L,0xa8d2bc7d7e27601dL,0xbfcce3e1ff230be7L,
+        0x3394ff6b0033ffb5L } },
+    /* 39 << 175 */
+    { { 0xd890c5098132c9afL,0xaac4b0eb361e7868L,0x5194ded3e82d15aaL,
+        0x4550bd2e23ae6b7dL },
+      { 0x3fda318eea5399d4L,0xd989bffa91638b80L,0x5ea124d0a14aa12dL,
+        0x1fb1b8993667b944L } },
+    /* 40 << 175 */
+    { { 0x95ec796944c44d6aL,0x91df144a57e86137L,0x915fd62073adac44L,
+        0x8f01732d59a83801L },
+      { 0xec579d253aa0a633L,0x06de5e7cc9d6d59cL,0xc132f958b1ef8010L,
+        0x29476f96e65c1a02L } },
+    /* 41 << 175 */
+    { { 0x336a77c0d34c3565L,0xef1105b21b9f1e9eL,0x63e6d08bf9e08002L,
+        0x9aff2f21c613809eL },
+      { 0xb5754f853a80e75dL,0xde71853e6bbda681L,0x86f041df8197fd7aL,
+        0x8b332e08127817faL } },
+    /* 42 << 175 */
+    { { 0x05d99be8b9c20cdaL,0x89f7aad5d5cd0c98L,0x7ef936fe5bb94183L,
+        0x92ca0753b05cd7f2L },
+      { 0x9d65db1174a1e035L,0x02628cc813eaea92L,0xf2d9e24249e4fbf2L,
+        0x94fdfd9be384f8b7L } },
+    /* 43 << 175 */
+    { { 0x65f5605463428c6bL,0x2f7205b290b409a5L,0xf778bb78ff45ae11L,
+        0xa13045bec5ee53b2L },
+      { 0xe00a14ff03ef77feL,0x689cd59fffef8befL,0x3578f0ed1e9ade22L,
+        0xe99f3ec06268b6a8L } },
+    /* 44 << 175 */
+    { { 0xa2057d91ea1b3c3eL,0x2d1a7053b8823a4aL,0xabbb336a2cca451eL,
+        0xcd2466e32218bb5dL },
+      { 0x3ac1f42fc8cb762dL,0x7e312aae7690211fL,0xebb9bd7345d07450L,
+        0x207c4b8246c2213fL } },
+    /* 45 << 175 */
+    { { 0x99d425c1375913ecL,0x94e45e9667908220L,0xc08f3087cd67dbf6L,
+        0xa5670fbec0887056L },
+      { 0x6717b64a66f5b8fcL,0xd5a56aea786fec28L,0xa8c3f55fc0ff4952L,
+        0xa77fefae457ac49bL } },
+    /* 46 << 175 */
+    { { 0x29882d7c98379d44L,0xd000bdfb509edc8aL,0xc6f95979e66fe464L,
+        0x504a6115fa61bde0L },
+      { 0x56b3b871effea31aL,0x2d3de26df0c21a54L,0x21dbff31834753bfL,
+        0xe67ecf4969269d86L } },
+    /* 47 << 175 */
+    { { 0x7a176952151fe690L,0x035158047f2adb5fL,0xee794b15d1b62a8dL,
+        0xf004ceecaae454e6L },
+      { 0x0897ea7cf0386facL,0x3b62ff12d1fca751L,0x154181df1b7a04ecL,
+        0x2008e04afb5847ecL } },
+    /* 48 << 175 */
+    { { 0xd147148e41dbd772L,0x2b419f7322942654L,0x669f30d3e9c544f7L,
+        0x52a2c223c8540149L },
+      { 0x5da9ee14634dfb02L,0x5f074ff0f47869f3L,0x74ee878da3933accL,
+        0xe65106514fe35ed1L } },
+    /* 49 << 175 */
+    { { 0xb3eb9482f1012e7aL,0x51013cc0a8a566aeL,0xdd5e924347c00d3bL,
+        0x7fde089d946bb0e5L },
+      { 0x030754fec731b4b3L,0x12a136a499fda062L,0x7c1064b85a1a35bcL,
+        0xbf1f5763446c84efL } },
+    /* 50 << 175 */
+    { { 0xed29a56da16d4b34L,0x7fba9d09dca21c4fL,0x66d7ac006d8de486L,
+        0x6006198773a2a5e1L },
+      { 0x8b400f869da28ff0L,0x3133f70843c4599cL,0x9911c9b8ee28cb0dL,
+        0xcd7e28748e0af61dL } },
+    /* 51 << 175 */
+    { { 0x5a85f0f272ed91fcL,0x85214f319cd4a373L,0x881fe5be1925253cL,
+        0xd8dc98e091e8bc76L },
+      { 0x7120affe585cc3a2L,0x724952ed735bf97aL,0x5581e7dc3eb34581L,
+        0x5cbff4f2e52ee57dL } },
+    /* 52 << 175 */
+    { { 0x8d320a0e87d8cc7bL,0x9beaa7f3f1d280d0L,0x7a0b95719beec704L,
+        0x9126332e5b7f0057L },
+      { 0x01fbc1b48ed3bd6dL,0x35bb2c12d945eb24L,0x6404694e9a8ae255L,
+        0xb6092eec8d6abfb3L } },
+    /* 53 << 175 */
+    { { 0x4d76143fcc058865L,0x7b0a5af26e249922L,0x8aef94406a50d353L,
+        0xe11e4bcc64f0e07aL },
+      { 0x4472993aa14a90faL,0x7706e20cba0c51d4L,0xf403292f1532672dL,
+        0x52573bfa21829382L } },
+    /* 54 << 175 */
+    { { 0x6a7bb6a93b5bdb83L,0x08da65c0a4a72318L,0xc58d22aa63eb065fL,
+        0x1717596c1b15d685L },
+      { 0x112df0d0b266d88bL,0xf688ae975941945aL,0x487386e37c292cacL,
+        0x42f3b50d57d6985cL } },
+    /* 55 << 175 */
+    { { 0x6da4f9986a90fc34L,0xc8f257d365ca8a8dL,0xc2feabca6951f762L,
+        0xe1bc81d074c323acL },
+      { 0x1bc68f67251a2a12L,0x10d86587be8a70dcL,0xd648af7ff0f84d2eL,
+        0xf0aa9ebc6a43ac92L } },
+    /* 56 << 175 */
+    { { 0x69e3be0427596893L,0xb6bb02a645bf452bL,0x0875c11af4c698c8L,
+        0x6652b5c7bece3794L },
+      { 0x7b3755fd4f5c0499L,0x6ea16558b5532b38L,0xd1c69889a2e96ef7L,
+        0x9c773c3a61ed8f48L } },
+    /* 57 << 175 */
+    { { 0x2b653a409b323abcL,0xe26605e1f0e1d791L,0x45d410644a87157aL,
+        0x8f9a78b7cbbce616L },
+      { 0xcf1e44aac407edddL,0x81ddd1d8a35b964fL,0x473e339efd083999L,
+        0x6c94bdde8e796802L } },
+    /* 58 << 175 */
+    { { 0x5a304ada8545d185L,0x82ae44ea738bb8cbL,0x628a35e3df87e10eL,
+        0xd3624f3da15b9fe3L },
+      { 0xcc44209b14be4254L,0x7d0efcbcbdbc2ea5L,0x1f60336204c37bbeL,
+        0x21f363f556a5852cL } },
+    /* 59 << 175 */
+    { { 0xa1503d1ca8501550L,0x2251e0e1d8ab10bbL,0xde129c966961c51cL,
+        0x1f7246a481910f68L },
+      { 0x2eb744ee5f2591f2L,0x3c47d33f5e627157L,0x4d6d62c922f3bd68L,
+        0x6120a64bcb8df856L } },
+    /* 60 << 175 */
+    { { 0x3a9ac6c07b5d07dfL,0xa92b95587ef39783L,0xe128a134ab3a9b4fL,
+        0x41c18807b1252f05L },
+      { 0xfc7ed08980ba9b1cL,0xac8dc6dec532a9ddL,0xbf829cef55246809L,
+        0x101b784f5b4ee80fL } },
+    /* 61 << 175 */
+    { { 0xc09945bbb6f11603L,0x57b09dbe41d2801eL,0xfba5202fa97534a8L,
+        0x7fd8ae5fc17b9614L },
+      { 0xa50ba66678308435L,0x9572f77cd3868c4dL,0x0cef7bfd2dd7aab0L,
+        0xe7958e082c7c79ffL } },
+    /* 62 << 175 */
+    { { 0x81262e4225346689L,0x716da290b07c7004L,0x35f911eab7950ee3L,
+        0x6fd72969261d21b5L },
+      { 0x5238980308b640d3L,0x5b0026ee887f12a1L,0x20e21660742e9311L,
+        0x0ef6d5415ff77ff7L } },
+    /* 63 << 175 */
+    { { 0x969127f0f9c41135L,0xf21d60c968a64993L,0x656e5d0ce541875cL,
+        0xf1e0f84ea1d3c233L },
+      { 0x9bcca35906002d60L,0xbe2da60c06191552L,0x5da8bbae61181ec3L,
+        0x9f04b82365806f19L } },
+    /* 64 << 175 */
+    { { 0xf1604a7dd4b79bb8L,0xaee806fb52c878c8L,0x34144f118d47b8e8L,
+        0x72edf52b949f9054L },
+      { 0xebfca84e2127015aL,0x9051d0c09cb7cef3L,0x86e8fe58296deec8L,
+        0x33b2818841010d74L } },
+    /* 0 << 182 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 182 */
+    { { 0x01079383171b445fL,0x9bcf21e38131ad4cL,0x8cdfe205c93987e8L,
+        0xe63f4152c92e8c8fL },
+      { 0x729462a930add43dL,0x62ebb143c980f05aL,0x4f3954e53b06e968L,
+        0xfe1d75ad242cf6b1L } },
+    /* 2 << 182 */
+    { { 0x5f95c6c7af8685c8L,0xd4c1c8ce2f8f01aaL,0xc44bbe322574692aL,
+        0xb8003478d4a4a068L },
+      { 0x7c8fc6e52eca3cdbL,0xea1db16bec04d399L,0xb05bc82e8f2bc5cfL,
+        0x763d517ff44793d2L } },
+    /* 3 << 182 */
+    { { 0x4451c1b808bd98d0L,0x644b1cd46575f240L,0x6907eb337375d270L,
+        0x56c8bebdfa2286bdL },
+      { 0xc713d2acc4632b46L,0x17da427aafd60242L,0x313065b7c95c7546L,
+        0xf8239898bf17a3deL } },
+    /* 4 << 182 */
+    { { 0xf3b7963f4c830320L,0x842c7aa0903203e3L,0xaf22ca0ae7327afbL,
+        0x38e13092967609b6L },
+      { 0x73b8fb62757558f1L,0x3cc3e831f7eca8c1L,0xe4174474f6331627L,
+        0xa77989cac3c40234L } },
+    /* 5 << 182 */
+    { { 0xe5fd17a144a081e0L,0xd797fb7db70e296aL,0x2b472b30481f719cL,
+        0x0e632a98fe6f8c52L },
+      { 0x89ccd116c5f0c284L,0xf51088af2d987c62L,0x2a2bccda4c2de6cfL,
+        0x810f9efef679f0f9L } },
+    /* 6 << 182 */
+    { { 0xb0f394b97ffe4b3eL,0x0b691d21e5fa5d21L,0xb0bd77479dfbbc75L,
+        0xd2830fdafaf78b00L },
+      { 0xf78c249c52434f57L,0x4b1f754598096dabL,0x73bf6f948ff8c0b3L,
+        0x34aef03d454e134cL } },
+    /* 7 << 182 */
+    { { 0xf8d151f4b7ac7ec5L,0xd6ceb95ae50da7d5L,0xa1b492b0dc3a0eb8L,
+        0x75157b69b3dd2863L },
+      { 0xe2c4c74ec5413d62L,0xbe329ff7bc5fc4c7L,0x835a2aea60fa9ddaL,
+        0xf117f5ad7445cb87L } },
+    /* 8 << 182 */
+    { { 0xae8317f4b0166f7aL,0xfbd3e3f7ceec74e6L,0xfdb516ace0874bfdL,
+        0x3d846019c681f3a3L },
+      { 0x0b12ee5c7c1620b0L,0xba68b4dd2b63c501L,0xac03cd326668c51eL,
+        0x2a6279f74e0bcb5bL } },
+    /* 9 << 182 */
+    { { 0x17bd69b06ae85c10L,0x729469791dfdd3a6L,0xd9a032682c078becL,
+        0x41c6a658bfd68a52L },
+      { 0xcdea10240e023900L,0xbaeec121b10d144dL,0x5a600e74058ab8dcL,
+        0x1333af21bb89ccddL } },
+    /* 10 << 182 */
+    { { 0xdf25eae03aaba1f1L,0x2cada16e3b7144cfL,0x657ee27d71ab98bcL,
+        0x99088b4c7a6fc96eL },
+      { 0x05d5c0a03549dbd4L,0x42cbdf8ff158c3acL,0x3fb6b3b087edd685L,
+        0x22071cf686f064d0L } },
+    /* 11 << 182 */
+    { { 0xd2d6721fff2811e5L,0xdb81b703fe7fae8cL,0x3cfb74efd3f1f7bbL,
+        0x0cdbcd7616cdeb5dL },
+      { 0x4f39642a566a808cL,0x02b74454340064d6L,0xfabbadca0528fa6fL,
+        0xe4c3074cd3fc0bb6L } },
+    /* 12 << 182 */
+    { { 0xb32cb8b0b796d219L,0xc3e95f4f34741dd9L,0x8721212568edf6f5L,
+        0x7a03aee4a2b9cb8eL },
+      { 0x0cd3c376f53a89aaL,0x0d8af9b1948a28dcL,0xcf86a3f4902ab04fL,
+        0x8aacb62a7f42002dL } },
+    /* 13 << 182 */
+    { { 0x106985ebf62ffd52L,0xe670b54e5797bf10L,0x4b405209c5e30aefL,
+        0x12c97a204365b5e9L },
+      { 0x104646ce1fe32093L,0x13cb4ff63907a8c9L,0x8b9f30d1d46e726bL,
+        0xe1985e21aba0f499L } },
+    /* 14 << 182 */
+    { { 0xc573dea910a230cdL,0x24f46a93cd30f947L,0xf2623fcfabe2010aL,
+        0x3f278cb273f00e4fL },
+      { 0xed55c67d50b920ebL,0xf1cb9a2d8e760571L,0x7c50d1090895b709L,
+        0x4207cf07190d4369L } },
+    /* 15 << 182 */
+    { { 0x3b027e81c4127fe1L,0xa9f8b9ad3ae9c566L,0x5ab10851acbfbba5L,
+        0xa747d648569556f5L },
+      { 0xcc172b5c2ba97bf7L,0x15e0f77dbcfa3324L,0xa345b7977686279dL,
+        0x5a723480e38003d3L } },
+    /* 16 << 182 */
+    { { 0xfd8e139f8f5fcda8L,0xf3e558c4bdee5bfdL,0xd76cbaf4e33f9f77L,
+        0x3a4c97a471771969L },
+      { 0xda27e84bf6dce6a7L,0xff373d9613e6c2d1L,0xf115193cd759a6e9L,
+        0x3f9b702563d2262cL } },
+    /* 17 << 182 */
+    { { 0xd9764a31317cd062L,0x30779d8e199f8332L,0xd807410616b11b0bL,
+        0x7917ab9f78aeaed8L },
+      { 0xb67a9cbe28fb1d8eL,0x2e313563136eda33L,0x010b7069a371a86cL,
+        0x44d90fa26744e6b7L } },
+    /* 18 << 182 */
+    { { 0x68190867d6b3e243L,0x9fe6cd9d59048c48L,0xb900b02895731538L,
+        0xa012062f32cae04fL },
+      { 0x8107c8bc9399d082L,0x47e8c54a41df12e2L,0x14ba5117b6ef3f73L,
+        0x22260bea81362f0bL } },
+    /* 19 << 182 */
+    { { 0x90ea261e1a18cc20L,0x2192999f2321d636L,0xef64d314e311b6a0L,
+        0xd7401e4c3b54a1f5L },
+      { 0x190199836fbca2baL,0x46ad32938fbffc4bL,0xa142d3f63786bf40L,
+        0xeb5cbc26b67039fcL } },
+    /* 20 << 182 */
+    { { 0x9cb0ae6c252bd479L,0x05e0f88a12b5848fL,0x78f6d2b2a5c97663L,
+        0x6f6e149bc162225cL },
+      { 0xe602235cde601a89L,0xd17bbe98f373be1fL,0xcaf49a5ba8471827L,
+        0x7e1a0a8518aaa116L } },
+    /* 21 << 182 */
+    { { 0x6c833196270580c3L,0x1e233839f1c98a14L,0x67b2f7b4ae34e0a5L,
+        0x47ac8745d8ce7289L },
+      { 0x2b74779a100dd467L,0x274a43374ee50d09L,0x603dcf1383608bc9L,
+        0xcd9da6c3c89e8388L } },
+    /* 22 << 182 */
+    { { 0x2660199f355116acL,0xcc38bb59b6d18eedL,0x3075f31f2f4bc071L,
+        0x9774457f265dc57eL },
+      { 0x06a6a9c8c6db88bbL,0x6429d07f4ec98e04L,0x8d05e57b05ecaa8bL,
+        0x20f140b17872ea7bL } },
+    /* 23 << 182 */
+    { { 0xdf8c0f09ca494693L,0x48d3a020f252e909L,0x4c5c29af57b14b12L,
+        0x7e6fa37dbf47ad1cL },
+      { 0x66e7b50649a0c938L,0xb72c0d486be5f41fL,0x6a6242b8b2359412L,
+        0xcd35c7748e859480L } },
+    /* 24 << 182 */
+    { { 0x12536fea87baa627L,0x58c1fec1f72aa680L,0x6c29b637601e5dc9L,
+        0x9e3c3c1cde9e01b9L },
+      { 0xefc8127b2bcfe0b0L,0x351071022a12f50dL,0x6ccd6cb14879b397L,
+        0xf792f804f8a82f21L } },
+    /* 25 << 182 */
+    { { 0x509d4804a9b46402L,0xedddf85dc10f0850L,0x928410dc4b6208aaL,
+        0xf6229c46391012dcL },
+      { 0xc5a7c41e7727b9b6L,0x289e4e4baa444842L,0x049ba1d9e9a947eaL,
+        0x44f9e47f83c8debcL } },
+    /* 26 << 182 */
+    { { 0xfa77a1fe611f8b8eL,0xfd2e416af518f427L,0xc5fffa70114ebac3L,
+        0xfe57c4e95d89697bL },
+      { 0xfdd053acb1aaf613L,0x31df210fea585a45L,0x318cc10e24985034L,
+        0x1a38efd15f1d6130L } },
+    /* 27 << 182 */
+    { { 0xbf86f2370b1e9e21L,0xb258514d1dbe88aaL,0x1e38a58890c1baf9L,
+        0x2936a01ebdb9b692L },
+      { 0xd576de986dd5b20cL,0xb586bf7170f98ecfL,0xcccf0f12c42d2fd7L,
+        0x8717e61cfb35bd7bL } },
+    /* 28 << 182 */
+    { { 0x8b1e572235e6fc06L,0x3477728f0b3e13d5L,0x150c294daa8a7372L,
+        0xc0291d433bfa528aL },
+      { 0xc6c8bc67cec5a196L,0xdeeb31e45c2e8a7cL,0xba93e244fb6e1c51L,
+        0xb9f8b71b2e28e156L } },
+    /* 29 << 182 */
+    { { 0xce65a287968a2ab9L,0xe3c5ce6946bbcb1fL,0xf8c835b9e7ae3f30L,
+        0x16bbee26ff72b82bL },
+      { 0x665e2017fd42cd22L,0x1e139970f8b1d2a0L,0x125cda2979204932L,
+        0x7aee94a549c3bee5L } },
+    /* 30 << 182 */
+    { { 0x68c7016089821a66L,0xf7c376788f981669L,0xd90829fc48cc3645L,
+        0x346af049d70addfcL },
+      { 0x2057b232370bf29cL,0xf90c73ce42e650eeL,0xe03386eaa126ab90L,
+        0x0e266e7e975a087bL } },
+    /* 31 << 182 */
+    { { 0x80578eb90fca65d9L,0x7e2989ea16af45b8L,0x7438212dcac75a4eL,
+        0x38c7ca394fef36b8L },
+      { 0x8650c494d402676aL,0x26ab5a66f72c7c48L,0x4e6cb426ce3a464eL,
+        0xf8f998962b72f841L } },
+    /* 32 << 182 */
+    { { 0x8c3184911a335cc8L,0x563459ba6a5913e4L,0x1b920d61c7b32919L,
+        0x805ab8b6a02425adL },
+      { 0x2ac512da8d006086L,0x6ca4846abcf5c0fdL,0xafea51d8ac2138d7L,
+        0xcb647545344cd443L } },
+    /* 33 << 182 */
+    { { 0x0429ee8fbd7d9040L,0xee66a2de819b9c96L,0x54f9ec25dea7d744L,
+        0x2ffea642671721bbL },
+      { 0x4f19dbd1114344eaL,0x04304536fd0dbc8bL,0x014b50aa29ec7f91L,
+        0xb5fc22febb06014dL } },
+    /* 34 << 182 */
+    { { 0x60d963a91ee682e0L,0xdf48abc0fe85c727L,0x0cadba132e707c2dL,
+        0xde608d3aa645aeffL },
+      { 0x05f1c28bedafd883L,0x3c362edebd94de1fL,0x8dd0629d13593e41L,
+        0x0a5e736f766d6eafL } },
+    /* 35 << 182 */
+    { { 0xbfa92311f68cf9d1L,0xa4f9ef87c1797556L,0x10d75a1f5601c209L,
+        0x651c374c09b07361L },
+      { 0x49950b5888b5ceadL,0x0ef000586fa9dbaaL,0xf51ddc264e15f33aL,
+        0x1f8b5ca62ef46140L } },
+    /* 36 << 182 */
+    { { 0x343ac0a3ee9523f0L,0xbb75eab2975ea978L,0x1bccf332107387f4L,
+        0x790f92599ab0062eL },
+      { 0xf1a363ad1e4f6a5fL,0x06e08b8462519a50L,0x609151877265f1eeL,
+        0x6a80ca3493ae985eL } },
+    /* 37 << 182 */
+    { { 0x81b29768aaba4864L,0xb13cabf28d52a7d6L,0xb5c363488ead03f1L,
+        0xc932ad9581c7c1c0L },
+      { 0x5452708ecae1e27bL,0x9dac42691b0df648L,0x233e3f0cdfcdb8bcL,
+        0xe6ceccdfec540174L } },
+    /* 38 << 182 */
+    { { 0xbd0d845e95081181L,0xcc8a7920699355d5L,0x111c0f6dc3b375a8L,
+        0xfd95bc6bfd51e0dcL },
+      { 0x4a106a266888523aL,0x4d142bd6cb01a06dL,0x79bfd289adb9b397L,
+        0x0bdbfb94e9863914L } },
+    /* 39 << 182 */
+    { { 0x29d8a2291660f6a6L,0x7f6abcd6551c042dL,0x13039deb0ac3ffe8L,
+        0xa01be628ec8523fbL },
+      { 0x6ea341030ca1c328L,0xc74114bdb903928eL,0x8aa4ff4e9e9144b0L,
+        0x7064091f7f9a4b17L } },
+    /* 40 << 182 */
+    { { 0xa3f4f521e447f2c4L,0x81b8da7a604291f0L,0xd680bc467d5926deL,
+        0x84f21fd534a1202fL },
+      { 0x1d1e31814e9df3d8L,0x1ca4861a39ab8d34L,0x809ddeec5b19aa4aL,
+        0x59f72f7e4d329366L } },
+    /* 41 << 182 */
+    { { 0xa2f93f41386d5087L,0x40bf739cdd67d64fL,0xb449420566702158L,
+        0xc33c65be73b1e178L },
+      { 0xcdcd657c38ca6153L,0x97f4519adc791976L,0xcc7c7f29cd6e1f39L,
+        0x38de9cfb7e3c3932L } },
+    /* 42 << 182 */
+    { { 0xe448eba37b793f85L,0xe9f8dbf9f067e914L,0xc0390266f114ae87L,
+        0x39ed75a7cd6a8e2aL },
+      { 0xadb148487ffba390L,0x67f8cb8b6af9bc09L,0x322c38489c7476dbL,
+        0xa320fecf52a538d6L } },
+    /* 43 << 182 */
+    { { 0xe0493002b2aced2bL,0xdfba1809616bd430L,0x531c4644c331be70L,
+        0xbc04d32e90d2e450L },
+      { 0x1805a0d10f9f142dL,0x2c44a0c547ee5a23L,0x31875a433989b4e3L,
+        0x6b1949fd0c063481L } },
+    /* 44 << 182 */
+    { { 0x2dfb9e08be0f4492L,0x3ff0da03e9d5e517L,0x03dbe9a1f79466a8L,
+        0x0b87bcd015ea9932L },
+      { 0xeb64fc83ab1f58abL,0x6d9598da817edc8aL,0x699cff661d3b67e5L,
+        0x645c0f2992635853L } },
+    /* 45 << 182 */
+    { { 0x253cdd82eabaf21cL,0x82b9602a2241659eL,0x2cae07ec2d9f7091L,
+        0xbe4c720c8b48cd9bL },
+      { 0x6ce5bc036f08d6c9L,0x36e8a997af10bf40L,0x83422d213e10ff12L,
+        0x7b26d3ebbcc12494L } },
+    /* 46 << 182 */
+    { { 0xb240d2d0c9469ad6L,0xc4a11b4d30afa05bL,0x4b604acedd6ba286L,
+        0x184866003ee2864cL },
+      { 0x5869d6ba8d9ce5beL,0x0d8f68c5ff4bfb0dL,0xb69f210b5700cf73L,
+        0x61f6653a6d37c135L } },
+    /* 47 << 182 */
+    { { 0xff3d432b5aff5a48L,0x0d81c4b972ba3a69L,0xee879ae9fa1899efL,
+        0xbac7e2a02d6acafdL },
+      { 0xd6d93f6c1c664399L,0x4c288de15bcb135dL,0x83031dab9dab7cbfL,
+        0xfe23feb03abbf5f0L } },
+    /* 48 << 182 */
+    { { 0x9f1b2466cdedca85L,0x140bb7101a09538cL,0xac8ae8515e11115dL,
+        0x0d63ff676f03f59eL },
+      { 0x755e55517d234afbL,0x61c2db4e7e208fc1L,0xaa9859cef28a4b5dL,
+        0xbdd6d4fc34af030fL } },
+    /* 49 << 182 */
+    { { 0xd1c4a26d3be01cb1L,0x9ba14ffc243aa07cL,0xf95cd3a9b2503502L,
+        0xe379bc067d2a93abL },
+      { 0x3efc18e9d4ca8d68L,0x083558ec80bb412aL,0xd903b9409645a968L,
+        0xa499f0b69ba6054fL } },
+    /* 50 << 182 */
+    { { 0x208b573cb8349abeL,0x3baab3e530b4fc1cL,0x87e978bacb524990L,
+        0x3524194eccdf0e80L },
+      { 0x627117257d4bcc42L,0xe90a3d9bb90109baL,0x3b1bdd571323e1e0L,
+        0xb78e9bd55eae1599L } },
+    /* 51 << 182 */
+    { { 0x0794b7469e03d278L,0x80178605d70e6297L,0x171792f899c97855L,
+        0x11b393eef5a86b5cL },
+      { 0x48ef6582d8884f27L,0xbd44737abf19ba5fL,0x8698de4ca42062c6L,
+        0x8975eb8061ce9c54L } },
+    /* 52 << 182 */
+    { { 0xd50e57c7d7fe71f3L,0x15342190bc97ce38L,0x51bda2de4df07b63L,
+        0xba12aeae200eb87dL },
+      { 0xabe135d2a9b4f8f6L,0x04619d65fad6d99cL,0x4a6683a77994937cL,
+        0x7a778c8b6f94f09aL } },
+    /* 53 << 182 */
+    { { 0x8c50862320a71b89L,0x241a2aed1c229165L,0x352be595aaf83a99L,
+        0x9fbfee7f1562bac8L },
+      { 0xeaf658b95c4017e3L,0x1dc7f9e015120b86L,0xd84f13dd4c034d6fL,
+        0x283dd737eaea3038L } },
+    /* 54 << 182 */
+    { { 0x197f2609cd85d6a2L,0x6ebbc345fae60177L,0xb80f031b4e12fedeL,
+        0xde55d0c207a2186bL },
+      { 0x1fb3e37f24dcdd5aL,0x8d602da57ed191fbL,0x108fb05676023e0dL,
+        0x70178c71459c20c0L } },
+    /* 55 << 182 */
+    { { 0xfad5a3863fe54cf0L,0xa4a3ec4f02bbb475L,0x1aa5ec20919d94d7L,
+        0x5d3b63b5a81e4ab3L },
+      { 0x7fa733d85ad3d2afL,0xfbc586ddd1ac7a37L,0x282925de40779614L,
+        0xfe0ffffbe74a242aL } },
+    /* 56 << 182 */
+    { { 0x3f39e67f906151e5L,0xcea27f5f55e10649L,0xdca1d4e1c17cf7b7L,
+        0x0c326d122fe2362dL },
+      { 0x05f7ac337dd35df3L,0x0c3b7639c396dbdfL,0x0912f5ac03b7db1cL,
+        0x9dea4b705c9ed4a9L } },
+    /* 57 << 182 */
+    { { 0x475e6e53aae3f639L,0xfaba0e7cfc278bacL,0x16f9e2219490375fL,
+        0xaebf9746a5a7ed0aL },
+      { 0x45f9af3ff41ad5d6L,0x03c4623cb2e99224L,0x82c5bb5cb3cf56aaL,
+        0x6431181934567ed3L } },
+    /* 58 << 182 */
+    { { 0xec57f2118be489acL,0x2821895db9a1104bL,0x610dc8756064e007L,
+        0x8e526f3f5b20d0feL },
+      { 0x6e71ca775b645aeeL,0x3d1dcb9f800e10ffL,0x36b51162189cf6deL,
+        0x2c5a3e306bb17353L } },
+    /* 59 << 182 */
+    { { 0xc186cd3e2a6c6fbfL,0xa74516fa4bf97906L,0x5b4b8f4b279d6901L,
+        0x0c4e57b42b573743L },
+      { 0x75fdb229b6e386b6L,0xb46793fd99deac27L,0xeeec47eacf712629L,
+        0xe965f3c4cbc3b2ddL } },
+    /* 60 << 182 */
+    { { 0x8dd1fb83425c6559L,0x7fc00ee60af06fdaL,0xe98c922533d956dfL,
+        0x0f1ef3354fbdc8a2L },
+      { 0x2abb5145b79b8ea2L,0x40fd2945bdbff288L,0x6a814ac4d7185db7L,
+        0xc4329d6fc084609aL } },
+    /* 61 << 182 */
+    { { 0xc9ba7b52ed1be45dL,0x891dd20de4cd2c74L,0x5a4d4a7f824139b1L,
+        0x66c17716b873c710L },
+      { 0x5e5bc1412843c4e0L,0xd5ac4817b97eb5bfL,0xc0f8af54450c95c7L,
+        0xc91b3fa0318406c5L } },
+    /* 62 << 182 */
+    { { 0x360c340aab9d97f8L,0xfb57bd0790a2d611L,0x4339ae3ca6a6f7e5L,
+        0x9c1fcd2a2feb8a10L },
+      { 0x972bcca9c7ea7432L,0x1b0b924c308076f6L,0x80b2814a2a5b4ca5L,
+        0x2f78f55b61ef3b29L } },
+    /* 63 << 182 */
+    { { 0xf838744ac18a414fL,0xc611eaae903d0a86L,0x94dabc162a453f55L,
+        0xe6f2e3da14efb279L },
+      { 0x5b7a60179320dc3cL,0x692e382f8df6b5a4L,0x3f5e15e02d40fa90L,
+        0xc87883ae643dd318L } },
+    /* 64 << 182 */
+    { { 0x511053e453544774L,0x834d0ecc3adba2bcL,0x4215d7f7bae371f5L,
+        0xfcfd57bf6c8663bcL },
+      { 0xded2383dd6901b1dL,0x3b49fbb4b5587dc3L,0xfd44a08d07625f62L,
+        0x3ee4d65b9de9b762L } },
+    /* 0 << 189 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 189 */
+    { { 0x64e5137d0d63d1faL,0x658fc05202a9d89fL,0x4889487450436309L,
+        0xe9ae30f8d598da61L },
+      { 0x2ed710d1818baf91L,0xe27e9e068b6a0c20L,0x1e28dcfb1c1a6b44L,
+        0x883acb64d6ac57dcL } },
+    /* 2 << 189 */
+    { { 0x8735728dc2c6ff70L,0x79d6122fc5dc2235L,0x23f5d00319e277f9L,
+        0x7ee84e25dded8cc7L },
+      { 0x91a8afb063cd880aL,0x3f3ea7c63574af60L,0x0cfcdc8402de7f42L,
+        0x62d0792fb31aa152L } },
+    /* 3 << 189 */
+    { { 0x8e1b4e438a5807ceL,0xad283893e4109a7eL,0xc30cc9cbafd59ddaL,
+        0xf65f36c63d8d8093L },
+      { 0xdf31469ea60d32b2L,0xee93df4b3e8191c8L,0x9c1017c5355bdeb5L,
+        0xd26231858616aa28L } },
+    /* 4 << 189 */
+    { { 0xb02c83f9dec31a21L,0x988c8b236ad9d573L,0x53e983aea57be365L,
+        0xe968734d646f834eL },
+      { 0x9137ea8f5da6309bL,0x10f3a624c1f1ce16L,0x782a9ea2ca440921L,
+        0xdf94739e5b46f1b5L } },
+    /* 5 << 189 */
+    { { 0x9f9be006cce85c9bL,0x360e70d6a4c7c2d3L,0x2cd5beeaaefa1e60L,
+        0x64cf63c08c3d2b6dL },
+      { 0xfb107fa3e1cf6f90L,0xb7e937c6d5e044e6L,0x74e8ca78ce34db9fL,
+        0x4f8b36c13e210bd0L } },
+    /* 6 << 189 */
+    { { 0x1df165a434a35ea8L,0x3418e0f74d4412f6L,0x5af1f8af518836c3L,
+        0x42ceef4d130e1965L },
+      { 0x5560ca0b543a1957L,0xc33761e5886cb123L,0x66624b1ffe98ed30L,
+        0xf772f4bf1090997dL } },
+    /* 7 << 189 */
+    { { 0xf4e540bb4885d410L,0x7287f8109ba5f8d7L,0x22d0d865de98dfb1L,
+        0x49ff51a1bcfbb8a3L },
+      { 0xb6b6fa536bc3012eL,0x3d31fd72170d541dL,0x8018724f4b0f4966L,
+        0x79e7399f87dbde07L } },
+    /* 8 << 189 */
+    { { 0x56f8410ef4f8b16aL,0x97241afec47b266aL,0x0a406b8e6d9c87c1L,
+        0x803f3e02cd42ab1bL },
+      { 0x7f0309a804dbec69L,0xa83b85f73bbad05fL,0xc6097273ad8e197fL,
+        0xc097440e5067adc1L } },
+    /* 9 << 189 */
+    { { 0x730eafb63524ff16L,0xd7f9b51e823fc6ceL,0x27bd0d32443e4ac0L,
+        0x40c59ad94d66f217L },
+      { 0x6c33136f17c387a4L,0x5043b8d5eb86804dL,0x74970312675a73c9L,
+        0x838fdb31f16669b6L } },
+    /* 10 << 189 */
+    { { 0xc507b6dd418e7dddL,0x39888d93472f19d6L,0x7eae26be0c27eb4dL,
+        0x17b53ed3fbabb884L },
+      { 0xfc27021b2b01ae4fL,0x88462e87cf488682L,0xbee096ec215e2d87L,
+        0xeb2fea9ad242e29bL } },
+    /* 11 << 189 */
+    { { 0x5d985b5fb821fc28L,0x89d2e197dc1e2ad2L,0x55b566b89030ba62L,
+        0xe3fd41b54f41b1c6L },
+      { 0xb738ac2eb9a96d61L,0x7f8567ca369443f4L,0x8698622df803a440L,
+        0x2b5862368fe2f4dcL } },
+    /* 12 << 189 */
+    { { 0xbbcc00c756b95bceL,0x5ec03906616da680L,0x79162ee672214252L,
+        0x43132b6386a892d2L },
+      { 0x4bdd3ff22f3263bfL,0xd5b3733c9cd0a142L,0x592eaa8244415ccbL,
+        0x663e89248d5474eaL } },
+    /* 13 << 189 */
+    { { 0x8058a25e5236344eL,0x82e8df9dbda76ee6L,0xdcf6efd811cc3d22L,
+        0x00089cda3b4ab529L },
+      { 0x91d3a071bd38a3dbL,0x4ea97fc0ef72b925L,0x0c9fc15bea3edf75L,
+        0x5a6297cda4348ed3L } },
+    /* 14 << 189 */
+    { { 0x0d38ab35ce7c42d4L,0x9fd493ef82feab10L,0x46056b6d82111b45L,
+        0xda11dae173efc5c3L },
+      { 0xdc7402785545a7fbL,0xbdb2601c40d507e6L,0x121dfeeb7066fa58L,
+        0x214369a839ae8c2aL } },
+    /* 15 << 189 */
+    { { 0x195709cb06e0956cL,0x4c9d254f010cd34bL,0xf51e13f70471a532L,
+        0xe19d67911e73054dL },
+      { 0xf702a628db5c7be3L,0xc7141218b24dde05L,0xdc18233cf29b2e2eL,
+        0x3a6bd1e885342dbaL } },
+    /* 16 << 189 */
+    { { 0x3f747fa0b311898cL,0xe2a272e4cd0eac65L,0x4bba5851f914d0bcL,
+        0x7a1a9660c4a43ee3L },
+      { 0xe5a367cea1c8cde9L,0x9d958ba97271abe3L,0xf3ff7eb63d1615cdL,
+        0xa2280dcef5ae20b0L } },
+    /* 17 << 189 */
+    { { 0x56dba5c1cf640147L,0xea5a2e3d5e83d118L,0x04cd6b6dda24c511L,
+        0x1c0f4671e854d214L },
+      { 0x91a6b7a969565381L,0xdc966240decf1f5bL,0x1b22d21cfcf5d009L,
+        0x2a05f6419021dbd5L } },
+    /* 18 << 189 */
+    { { 0x8c0ed566d4312483L,0x5179a95d643e216fL,0xcc185fec17044493L,
+        0xb306333954991a21L },
+      { 0xd801ecdb0081a726L,0x0149b0c64fa89bbbL,0xafe9065a4391b6b9L,
+        0xedc92786d633f3a3L } },
+    /* 19 << 189 */
+    { { 0xe408c24aae6a8e13L,0x85833fde9f3897abL,0x43800e7ed81a0715L,
+        0xde08e346b44ffc5fL },
+      { 0x7094184ccdeff2e0L,0x49f9387b165eaed1L,0x635d6129777c468aL,
+        0x8c0dcfd1538c2dd8L } },
+    /* 20 << 189 */
+    { { 0xd6d9d9e37a6a308bL,0x623758304c2767d3L,0x874a8bc6f38cbeb6L,
+        0xd94d3f1accb6fd9eL },
+      { 0x92a9735bba21f248L,0x272ad0e56cd1efb0L,0x7437b69c05b03284L,
+        0xe7f047026948c225L } },
+    /* 21 << 189 */
+    { { 0x8a56c04acba2ececL,0x0c181270e3a73e41L,0x6cb34e9d03e93725L,
+        0xf77c8713496521a9L },
+      { 0x94569183fa7f9f90L,0xf2e7aa4c8c9707adL,0xced2c9ba26c1c9a3L,
+        0x9109fe9640197507L } },
+    /* 22 << 189 */
+    { { 0x9ae868a9e9adfe1cL,0x3984403d314e39bbL,0xb5875720f2fe378fL,
+        0x33f901e0ba44a628L },
+      { 0xea1125fe3652438cL,0xae9ec4e69dd1f20bL,0x1e740d9ebebf7fbdL,
+        0x6dbd3ddc42dbe79cL } },
+    /* 23 << 189 */
+    { { 0x62082aecedd36776L,0xf612c478e9859039L,0xa493b201032f7065L,
+        0xebd4d8f24ff9b211L },
+      { 0x3f23a0aaaac4cb32L,0xea3aadb715ed4005L,0xacf17ea4afa27e63L,
+        0x56125c1ac11fd66cL } },
+    /* 24 << 189 */
+    { { 0x266344a43794f8dcL,0xdcca923a483c5c36L,0x2d6b6bbf3f9d10a0L,
+        0xb320c5ca81d9bdf3L },
+      { 0x620e28ff47b50a95L,0x933e3b01cef03371L,0xf081bf8599100153L,
+        0x183be9a0c3a8c8d6L } },
+    /* 25 << 189 */
+    { { 0x4e3ddc5ad6bbe24dL,0xc6c7463053843795L,0x78193dd765ec2d4cL,
+        0xb8df26cccd3c89b2L },
+      { 0x98dbe3995a483f8dL,0x72d8a9577dd3313aL,0x65087294ab0bd375L,
+        0xfcd892487c259d16L } },
+    /* 26 << 189 */
+    { { 0x8a9443d77613aa81L,0x8010080085fe6584L,0x70fc4dbc7fb10288L,
+        0xf58280d3e86beee8L },
+      { 0x14fdd82f7c978c38L,0xdf1204c10de44d7bL,0xa08a1c844160252fL,
+        0x591554cac17646a5L } },
+    /* 27 << 189 */
+    { { 0x214a37d6a05bd525L,0x48d5f09b07957b3cL,0x0247cdcbd7109bc9L,
+        0x40f9e4bb30599ce7L },
+      { 0xc325fa03f46ad2ecL,0x00f766cfc3e3f9eeL,0xab556668d43a4577L,
+        0x68d30a613ee03b93L } },
+    /* 28 << 189 */
+    { { 0x7ddc81ea77b46a08L,0xcf5a6477c7480699L,0x43a8cb346633f683L,
+        0x1b867e6b92363c60L },
+      { 0x439211141f60558eL,0xcdbcdd632f41450eL,0x7fc04601cc630e8bL,
+        0xea7c66d597038b43L } },
+    /* 29 << 189 */
+    { { 0x7259b8a504e99fd8L,0x98a8dd124785549aL,0x0e459a7c840552e1L,
+        0xcdfcf4d04bb0909eL },
+      { 0x34a86db253758da7L,0xe643bb83eac997e1L,0x96400bd7530c5b7eL,
+        0x9f97af87b41c8b52L } },
+    /* 30 << 189 */
+    { { 0x34fc8820fbeee3f9L,0x93e5349049091afdL,0x764b9be59a31f35cL,
+        0x71f3786457e3d924L },
+      { 0x02fb34e0943aa75eL,0xa18c9c58ab8ff6e4L,0x080f31b133cf0d19L,
+        0x5c9682db083518a7L } },
+    /* 31 << 189 */
+    { { 0x873d4ca6b709c3deL,0x64a842623575b8f0L,0x6275da1f020154bbL,
+        0x97678caad17cf1abL },
+      { 0x8779795f951a95c3L,0xdd35b16350fccc08L,0x3270962733d8f031L,
+        0x3c5ab10a498dd85cL } },
+    /* 32 << 189 */
+    { { 0xb6c185c341dca566L,0x7de7fedad8622aa3L,0x99e84d92901b6dfbL,
+        0x30a02b0e7c4ad288L },
+      { 0xc7c81daa2fd3cf36L,0xd1319547df89e59fL,0xb2be8184cd496733L,
+        0xd5f449eb93d3412bL } },
+    /* 33 << 189 */
+    { { 0x7ea41b1b25fe531dL,0xf97974326a1d5646L,0x86067f722bde501aL,
+        0xf91481c00c85e89cL },
+      { 0xca8ee465f8b05bc6L,0x1844e1cf02e83cdaL,0xca82114ab4dbe33bL,
+        0x0f9f87694eabfde2L } },
+    /* 34 << 189 */
+    { { 0x4936b1c038b27fe2L,0x63b6359baba402dfL,0x40c0ea2f656bdbabL,
+        0x9c992a896580c39cL },
+      { 0x600e8f152a60aed1L,0xeb089ca4e0bf49dfL,0x9c233d7d2d42d99aL,
+        0x648d3f954c6bc2faL } },
+    /* 35 << 189 */
+    { { 0xdcc383a8e1add3f3L,0xf42c0c6a4f64a348L,0x2abd176f0030dbdbL,
+        0x4de501a37d6c215eL },
+      { 0x4a107c1f4b9a64bcL,0xa77f0ad32496cd59L,0xfb78ac627688dffbL,
+        0x7025a2ca67937d8eL } },
+    /* 36 << 189 */
+    { { 0xfde8b2d1d1a8f4e7L,0xf5b3da477354927cL,0xe48606a3d9205735L,
+        0xac477cc6e177b917L },
+      { 0xfb1f73d2a883239aL,0xe12572f6cc8b8357L,0x9d355e9cfb1f4f86L,
+        0x89b795f8d9f3ec6eL } },
+    /* 37 << 189 */
+    { { 0x27be56f1b54398dcL,0x1890efd73fedeed5L,0x62f77f1f9c6d0140L,
+        0x7ef0e314596f0ee4L },
+      { 0x50ca6631cc61dab3L,0x4a39801df4866e4fL,0x66c8d032ae363b39L,
+        0x22c591e52ead66aaL } },
+    /* 38 << 189 */
+    { { 0x954ba308de02a53eL,0x2a6c060fd389f357L,0xe6cfcde8fbf40b66L,
+        0x8e02fc56c6340ce1L },
+      { 0xe495779573adb4baL,0x7b86122ca7b03805L,0x63f835120c8e6fa6L,
+        0x83660ea0057d7804L } },
+    /* 39 << 189 */
+    { { 0xbad7910521ba473cL,0xb6c50beeded5389dL,0xee2caf4daa7c9bc0L,
+        0xd97b8de48c4e98a7L },
+      { 0xa9f63e70ab3bbddbL,0x3898aabf2597815aL,0x7659af89ac15b3d9L,
+        0xedf7725b703ce784L } },
+    /* 40 << 189 */
+    { { 0x25470fabe085116bL,0x04a4337587285310L,0x4e39187ee2bfd52fL,
+        0x36166b447d9ebc74L },
+      { 0x92ad433cfd4b322cL,0x726aa817ba79ab51L,0xf96eacd8c1db15ebL,
+        0xfaf71e910476be63L } },
+    /* 41 << 189 */
+    { { 0xdd69a640641fad98L,0xb799591829622559L,0x03c6daa5de4199dcL,
+        0x92cadc97ad545eb4L },
+      { 0x1028238b256534e4L,0x73e80ce68595409aL,0x690d4c66d05dc59bL,
+        0xc95f7b8f981dee80L } },
+    /* 42 << 189 */
+    { { 0xf4337014d856ac25L,0x441bd9ddac524dcaL,0x640b3d855f0499f5L,
+        0x39cf84a9d5fda182L },
+      { 0x04e7b055b2aa95a0L,0x29e33f0a0ddf1860L,0x082e74b5423f6b43L,
+        0x217edeb90aaa2b0fL } },
+    /* 43 << 189 */
+    { { 0x58b83f3583cbea55L,0xc485ee4dbc185d70L,0x833ff03b1e5f6992L,
+        0xb5b9b9cccf0c0dd5L },
+      { 0x7caaee8e4e9e8a50L,0x462e907b6269dafdL,0x6ed5cee9fbe791c6L,
+        0x68ca3259ed430790L } },
+    /* 44 << 189 */
+    { { 0x2b72bdf213b5ba88L,0x60294c8a35ef0ac4L,0x9c3230ed19b99b08L,
+        0x560fff176c2589aaL },
+      { 0x552b8487d6770374L,0xa373202d9a56f685L,0xd3e7f90745f175d9L,
+        0x3c2f315fd080d810L } },
+    /* 45 << 189 */
+    { { 0x1130e9dd7b9520e8L,0xc078f9e20af037b5L,0x38cd2ec71e9c104cL,
+        0x0f684368c472fe92L },
+      { 0xd3f1b5ed6247e7efL,0xb32d33a9396dfe21L,0x46f59cf44a9aa2c2L,
+        0x69cd5168ff0f7e41L } },
+    /* 46 << 189 */
+    { { 0x3f59da0f4b3234daL,0xcf0b0235b4579ebeL,0x6d1cbb256d2476c7L,
+        0x4f0837e69dc30f08L },
+      { 0x9a4075bb906f6e98L,0x253bb434c761e7d1L,0xde2e645f6e73af10L,
+        0xb89a40600c5f131cL } },
+    /* 47 << 189 */
+    { { 0xd12840c5b8cc037fL,0x3d093a5b7405bb47L,0x6202c253206348b8L,
+        0xbf5d57fcc55a3ca7L },
+      { 0x89f6c90c8c3bef48L,0x23ac76235a0a960aL,0xdfbd3d6b552b42abL,
+        0x3ef22458132061f6L } },
+    /* 48 << 189 */
+    { { 0xd74e9bdac97e6516L,0x88779360c230f49eL,0xa6ec1de31e74ea49L,
+        0x581dcee53fb645a2L },
+      { 0xbaef23918f483f14L,0x6d2dddfcd137d13bL,0x54cde50ed2743a42L,
+        0x89a34fc5e4d97e67L } },
+    /* 49 << 189 */
+    { { 0x13f1f5b312e08ce5L,0xa80540b8a7f0b2caL,0x854bcf7701982805L,
+        0xb8653ffd233bea04L },
+      { 0x8e7b878702b0b4c9L,0x2675261f9acb170aL,0x061a9d90930c14e5L,
+        0xb59b30e0def0abeaL } },
+    /* 50 << 189 */
+    { { 0x1dc19ea60200ec7dL,0xb6f4a3f90bce132bL,0xb8d5de90f13e27e0L,
+        0xbaee5ef01fade16fL },
+      { 0x6f406aaae4c6cf38L,0xab4cfe06d1369815L,0x0dcffe87efd550c6L,
+        0x9d4f59c775ff7d39L } },
+    /* 51 << 189 */
+    { { 0xb02553b151deb6adL,0x812399a4b1877749L,0xce90f71fca6006e1L,
+        0xc32363a6b02b6e77L },
+      { 0x02284fbedc36c64dL,0x86c81e31a7e1ae61L,0x2576c7e5b909d94aL,
+        0x8b6f7d02818b2bb0L } },
+    /* 52 << 189 */
+    { { 0xeca3ed0756faa38aL,0xa3790e6c9305bb54L,0xd784eeda7bc73061L,
+        0xbd56d3696dd50614L },
+      { 0xd6575949229a8aa9L,0xdcca8f474595ec28L,0x814305c106ab4fe6L,
+        0xc8c3976824f43f16L } },
+    /* 53 << 189 */
+    { { 0xe2a45f36523f2b36L,0x995c6493920d93bbL,0xf8afdab790f1632bL,
+        0x79ebbecd1c295954L },
+      { 0xc7bb3ddb79592f48L,0x67216a7b5f88e998L,0xd91f098bbc01193eL,
+        0xf7d928a5b1db83fcL } },
+    /* 54 << 189 */
+    { { 0x55e38417e991f600L,0x2a91113e2981a934L,0xcbc9d64806b13bdeL,
+        0xb011b6ac0755ff44L },
+      { 0x6f4cb518045ec613L,0x522d2d31c2f5930aL,0x5acae1af382e65deL,
+        0x5764306727bc966fL } },
+    /* 55 << 189 */
+    { { 0x5e12705d1c7193f0L,0xf0f32f473be8858eL,0x785c3d7d96c6dfc7L,
+        0xd75b4a20bf31795dL },
+      { 0x91acf17b342659d4L,0xe596ea3444f0378fL,0x4515708fce52129dL,
+        0x17387e1e79f2f585L } },
+    /* 56 << 189 */
+    { { 0x72cfd2e949dee168L,0x1ae052233e2af239L,0x009e75be1d94066aL,
+        0x6cca31c738abf413L },
+      { 0xb50bd61d9bc49908L,0x4a9b4a8cf5e2bc1eL,0xeb6cc5f7946f83acL,
+        0x27da93fcebffab28L } },
+    /* 57 << 189 */
+    { { 0xea314c964821c8c5L,0x8de49deda83c15f4L,0x7a64cf207af33004L,
+        0x45f1bfebc9627e10L },
+      { 0x878b062654b9df60L,0x5e4fdc3ca95c0b33L,0xe54a37cac2035d8eL,
+        0x9087cda980f20b8cL } },
+    /* 58 << 189 */
+    { { 0x36f61c238319ade4L,0x766f287ade8cfdf8L,0x48821948346f3705L,
+        0x49a7b85316e4f4a2L },
+      { 0xb9b3f8a75cedadfdL,0x8f5628158db2a815L,0xc0b7d55401f68f95L,
+        0x12971e27688a208eL } },
+    /* 59 << 189 */
+    { { 0xc9f8b696d0ff34fcL,0x20824de21222718cL,0x7213cf9f0c95284dL,
+        0xe2ad741bdc158240L },
+      { 0x0ee3a6df54043ccfL,0x16ff479bd84412b3L,0xf6c74ee0dfc98af0L,
+        0xa78a169f52fcd2fbL } },
+    /* 60 << 189 */
+    { { 0xd8ae874699c930e9L,0x1d33e85849e117a5L,0x7581fcb46624759fL,
+        0xde50644f5bedc01dL },
+      { 0xbeec5d00caf3155eL,0x672d66acbc73e75fL,0x86b9d8c6270b01dbL,
+        0xd249ef8350f55b79L } },
+    /* 61 << 189 */
+    { { 0x6131d6d473978fe3L,0xcc4e4542754b00a1L,0x4e05df0557dfcfe9L,
+        0x94b29cdd51ef6bf0L },
+      { 0xe4530cff9bc7edf2L,0x8ac236fdd3da65f3L,0x0faf7d5fc8eb0b48L,
+        0x4d2de14c660eb039L } },
+    /* 62 << 189 */
+    { { 0xc006bba760430e54L,0x10a2d0d6da3289abL,0x9c037a5dd7979c59L,
+        0x04d1f3d3a116d944L },
+      { 0x9ff224738a0983cdL,0x28e25b38c883cabbL,0xe968dba547a58995L,
+        0x2c80b505774eebdfL } },
+    /* 63 << 189 */
+    { { 0xee763b714a953bebL,0x502e223f1642e7f6L,0x6fe4b64161d5e722L,
+        0x9d37c5b0dbef5316L },
+      { 0x0115ed70f8330bc7L,0x139850e675a72789L,0x27d7faecffceccc2L,
+        0x3016a8604fd9f7f6L } },
+    /* 64 << 189 */
+    { { 0xc492ec644cd8f64cL,0x58a2d790279d7b51L,0x0ced1fc51fc75256L,
+        0x3e658aed8f433017L },
+      { 0x0b61942e05da59ebL,0xba3d60a30ddc3722L,0x7c311cd1742e7f87L,
+        0x6473ffeef6b01b6eL } },
+    /* 0 << 196 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 196 */
+    { { 0x8303604f692ac542L,0xf079ffe1227b91d3L,0x19f63e6315aaf9bdL,
+        0xf99ee565f1f344fbL },
+      { 0x8a1d661fd6219199L,0x8c883bc6d48ce41cL,0x1065118f3c74d904L,
+        0x713889ee0faf8b1bL } },
+    /* 2 << 196 */
+    { { 0x972b3f8f81a1b3beL,0x4f3ce145ce2764a0L,0xe2d0f1cc28c4f5f7L,
+        0xdeee0c0dc7f3985bL },
+      { 0x7df4adc0d39e25c3L,0x40619820c467a080L,0x440ebc9361cf5a58L,
+        0x527729a6422ad600L } },
+    /* 3 << 196 */
+    { { 0xca6c0937b1b76ba6L,0x1a2eab854d2026dcL,0xb1715e1519d9ae0aL,
+        0xf1ad9199bac4a026L },
+      { 0x35b3dfb807ea7b0eL,0xedf5496f3ed9eb89L,0x8932e5ff2d6d08abL,
+        0xf314874e25bd2731L } },
+    /* 4 << 196 */
+    { { 0xefb26a753f73f449L,0x1d1c94f88d44fc79L,0x49f0fbc53bc0dc4dL,
+        0xb747ea0b3698a0d0L },
+      { 0x5218c3fe228d291eL,0x35b804b543c129d6L,0xfac859b8d1acc516L,
+        0x6c10697d95d6e668L } },
+    /* 5 << 196 */
+    { { 0xc38e438f0876fd4eL,0x45f0c30783d2f383L,0x203cc2ecb10934cbL,
+        0x6a8f24392c9d46eeL },
+      { 0xf16b431b65ccde7bL,0x41e2cd1827e76a6fL,0xb9c8cf8f4e3484d7L,
+        0x64426efd8315244aL } },
+    /* 6 << 196 */
+    { { 0x1c0a8e44fc94dea3L,0x34c8cdbfdad6a0b0L,0x919c384004113cefL,
+        0xfd32fba415490ffaL },
+      { 0x58d190f6795dcfb7L,0xfef01b0383588bafL,0x9e6d1d63ca1fc1c0L,
+        0x53173f96f0a41ac9L } },
+    /* 7 << 196 */
+    { { 0x2b1d402aba16f73bL,0x2fb310148cf9b9fcL,0x2d51e60e446ef7bfL,
+        0xc731021bb91e1745L },
+      { 0x9d3b47244fee99d4L,0x4bca48b6fac5c1eaL,0x70f5f514bbea9af7L,
+        0x751f55a5974c283aL } },
+    /* 8 << 196 */
+    { { 0x6e30251acb452fdbL,0x31ee696550f30650L,0xb0b3e508933548d9L,
+        0xb8949a4ff4b0ef5bL },
+      { 0x208b83263c88f3bdL,0xab147c30db1d9989L,0xed6515fd44d4df03L,
+        0x17a12f75e72eb0c5L } },
+    /* 9 << 196 */
+    { { 0x3b59796d36cf69dbL,0x1219eee956670c18L,0xfe3341f77a070d8eL,
+        0x9b70130ba327f90cL },
+      { 0x36a324620ae18e0eL,0x2021a62346c0a638L,0x251b5817c62eb0d4L,
+        0x87bfbcdf4c762293L } },
+    /* 10 << 196 */
+    { { 0xf78ab505cdd61d64L,0x8c7a53fcc8c18857L,0xa653ce6f16147515L,
+        0x9c923aa5ea7d52d5L },
+      { 0xc24709cb5c18871fL,0x7d53bec873b3cc74L,0x59264afffdd1d4c4L,
+        0x5555917e240da582L } },
+    /* 11 << 196 */
+    { { 0xcae8bbda548f5a0eL,0x1910eaba3bbfbbe1L,0xae5796857677afc3L,
+        0x49ea61f173ff0b5cL },
+      { 0x786554784f7c3922L,0x95d337cd20c68eefL,0x68f1e1e5df779ab9L,
+        0x14b491b0b5cf69a8L } },
+    /* 12 << 196 */
+    { { 0x7a6cbbe028e3fe89L,0xe7e1fee4c5aac0ebL,0x7f47eda5697e5140L,
+        0x4f450137b454921fL },
+      { 0xdb625f8495cd8185L,0x74be0ba1cdb2e583L,0xaee4fd7cdd5e6de4L,
+        0x4251437de8101739L } },
+    /* 13 << 196 */
+    { { 0x686d72a0ac620366L,0x4be3fb9cb6d59344L,0x6e8b44e7a1eb75b9L,
+        0x84e39da391a5c10cL },
+      { 0x37cc1490b38f0409L,0x029519432c2ade82L,0x9b6887831190a2d8L,
+        0x25627d14231182baL } },
+    /* 14 << 196 */
+    { { 0x6eb550aa658a6d87L,0x1405aaa7cf9c7325L,0xd147142e5c8748c9L,
+        0x7f637e4f53ede0e0L },
+      { 0xf8ca277614ffad2cL,0xe58fb1bdbafb6791L,0x17158c23bf8f93fcL,
+        0x7f15b3730a4a4655L } },
+    /* 15 << 196 */
+    { { 0x39d4add2d842ca72L,0xa71e43913ed96305L,0x5bb09cbe6700be14L,
+        0x68d69d54d8befcf6L },
+      { 0xa45f536737183bcfL,0x7152b7bb3370dff7L,0xcf887baabf12525bL,
+        0xe7ac7bddd6d1e3cdL } },
+    /* 16 << 196 */
+    { { 0x25914f7881fdad90L,0xcf638f560d2cf6abL,0xb90bc03fcc054de5L,
+        0x932811a718b06350L },
+      { 0x2f00b3309bbd11ffL,0x76108a6fb4044974L,0x801bb9e0a851d266L,
+        0x0dd099bebf8990c1L } },
+    /* 17 << 196 */
+    { { 0x58c5aaaaabe32986L,0x0fe9dd2a50d59c27L,0x84951ff48d307305L,
+        0x6c23f82986529b78L },
+      { 0x50bb22180b136a79L,0x7e2174de77a20996L,0x6f00a4b9c0bb4da6L,
+        0x89a25a17efdde8daL } },
+    /* 18 << 196 */
+    { { 0xf728a27ec11ee01dL,0xf900553ae5f10dfbL,0x189a83c802ec893cL,
+        0x3ca5bdc123f66d77L },
+      { 0x9878153797eada9fL,0x59c50ab310256230L,0x346042d9323c69b3L,
+        0x1b715a6d2c460449L } },
+    /* 19 << 196 */
+    { { 0xa41dd4766ae06e0bL,0xcdd7888e9d42e25fL,0x0f395f7456b25a20L,
+        0xeadfe0ae8700e27eL },
+      { 0xb09d52a969950093L,0x3525d9cb327f8d40L,0xb8235a9467df886aL,
+        0x77e4b0dd035faec2L } },
+    /* 20 << 196 */
+    { { 0x115eb20a517d7061L,0x77fe34336c2df683L,0x6870ddc7cdc6fc67L,
+        0xb16105880b87de83L },
+      { 0x343584cad9c4ddbeL,0xb3164f1c3d754be2L,0x0731ed3ac1e6c894L,
+        0x26327dec4f6b904cL } },
+    /* 21 << 196 */
+    { { 0x9d49c6de97b5cd32L,0x40835daeb5eceecdL,0xc66350edd9ded7feL,
+        0x8aeebb5c7a678804L },
+      { 0x51d42fb75b8ee9ecL,0xd7a17bdd8e3ca118L,0x40d7511a2ef4400eL,
+        0xc48990ac875a66f4L } },
+    /* 22 << 196 */
+    { { 0x8de07d2a2199e347L,0xbee755562a39e051L,0x56918786916e51dcL,
+        0xeb1913134a2d89ecL },
+      { 0x6679610d37d341edL,0x434fbb4156d51c2bL,0xe54b7ee7d7492dbaL,
+        0xaa33a79a59021493L } },
+    /* 23 << 196 */
+    { { 0x49fc5054e4bd6d3dL,0x09540f045ab551d0L,0x8acc90854942d3a6L,
+        0x231af02f2d28323bL },
+      { 0x93458cac0992c163L,0x1fef8e71888e3bb4L,0x27578da5be8c268cL,
+        0xcc8be792e805ec00L } },
+    /* 24 << 196 */
+    { { 0x29267baec61c3855L,0xebff429d58c1fd3bL,0x22d886c08c0b93b8L,
+        0xca5e00b22ddb8953L },
+      { 0xcf330117c3fed8b7L,0xd49ac6fa819c01f6L,0x6ddaa6bd3c0fbd54L,
+        0x917430688049a2cfL } },
+    /* 25 << 196 */
+    { { 0xd67f981eaff2ef81L,0xc3654d352818ae80L,0x81d050441b2aa892L,
+        0x2db067bf3d099328L },
+      { 0xe7c79e86703dcc97L,0xe66f9b37e133e215L,0xcdf119a6e39a7a5cL,
+        0x47c60de3876f1b61L } },
+    /* 26 << 196 */
+    { { 0x6e405939d860f1b2L,0x3e9a1dbcf5ed4d4aL,0x3f23619ec9b6bcbdL,
+        0x5ee790cf734e4497L },
+      { 0xf0a834b15bdaf9bbL,0x02cedda74ca295f0L,0x4619aa2bcb8e378cL,
+        0xe5613244cc987ea4L } },
+    /* 27 << 196 */
+    { { 0x0bc022cc76b23a50L,0x4a2793ad0a6c21ceL,0x3832878089cac3f5L,
+        0x29176f1bcba26d56L },
+      { 0x062961874f6f59ebL,0x86e9bca98bdc658eL,0x2ca9c4d357e30402L,
+        0x5438b216516a09bbL } },
+    /* 28 << 196 */
+    { { 0x0a6a063c7672765aL,0x37a3ce640547b9bfL,0x42c099c898b1a633L,
+        0xb5ab800d05ee6961L },
+      { 0xf1963f5911a5acd6L,0xbaee615746201063L,0x36d9a649a596210aL,
+        0xaed043631ba7138cL } },
+    /* 29 << 196 */
+    { { 0xcf817d1ca4a82b76L,0x5586960ef3806be9L,0x7ab67c8909dc6bb5L,
+        0x52ace7a0114fe7ebL },
+      { 0xcd987618cbbc9b70L,0x4f06fd5a604ca5e1L,0x90af14ca6dbde133L,
+        0x1afe4322948a3264L } },
+    /* 30 << 196 */
+    { { 0xa70d2ca6c44b2c6cL,0xab7267990ef87dfeL,0x310f64dc2e696377L,
+        0x49b42e684c8126a0L },
+      { 0x0ea444c3cea0b176L,0x53a8ddf7cb269182L,0xf3e674ebbbba9dcbL,
+        0x0d2878a8d8669d33L } },
+    /* 31 << 196 */
+    { { 0x04b935d5d019b6a3L,0xbb5cf88e406f1e46L,0xa1912d165b57c111L,
+        0x9803fc2119ebfd78L },
+      { 0x4f231c9ec07764a9L,0xd93286eeb75bd055L,0x83a9457d8ee6c9deL,
+        0x046959156087ec90L } },
+    /* 32 << 196 */
+    { { 0x14c6dd8a58d6cd46L,0x9cb633b58e6634d2L,0xc1305047f81bc328L,
+        0x12ede0e226a177e5L },
+      { 0x332cca62065a6f4fL,0xc3a47ecd67be487bL,0x741eb1870f47ed1cL,
+        0x99e66e58e7598b14L } },
+    /* 33 << 196 */
+    { { 0x6f0544ca63d0ff12L,0xe5efc784b610a05fL,0xf72917b17cad7b47L,
+        0x3ff6ea20f2cac0c0L },
+      { 0xcc23791bf21db8b7L,0x7dac70b1d7d93565L,0x682cda1d694bdaadL,
+        0xeb88bb8c1023516dL } },
+    /* 34 << 196 */
+    { { 0xc4c634b4dfdbeb1bL,0x22f5ca72b4ee4deaL,0x1045a368e6524821L,
+        0xed9e8a3f052b18b2L },
+      { 0x9b7f2cb1b961f49aL,0x7fee2ec17b009670L,0x350d875422507a6dL,
+        0x561bd7114db55f1dL } },
+    /* 35 << 196 */
+    { { 0x4c189ccc320bbcafL,0x568434cfdf1de48cL,0x6af1b00e0fa8f128L,
+        0xf0ba9d028907583cL },
+      { 0x735a400432ff9f60L,0x3dd8e4b6c25dcf33L,0xf2230f1642c74cefL,
+        0xd8117623013fa8adL } },
+    /* 36 << 196 */
+    { { 0x36822876f51fe76eL,0x8a6811cc11d62589L,0xc3fc7e6546225718L,
+        0xb7df2c9fc82fdbcdL },
+      { 0x3b1d4e52dd7b205bL,0xb695947847a2e414L,0x05e4d793efa91148L,
+        0xb47ed446fd2e9675L } },
+    /* 37 << 196 */
+    { { 0x1a7098b904c9d9bfL,0x661e28811b793048L,0xb1a16966b01ee461L,
+        0xbc5213082954746fL },
+      { 0xc909a0fc2477de50L,0xd80bb41c7dbd51efL,0xa85be7ec53294905L,
+        0x6d465b1883958f97L } },
+    /* 38 << 196 */
+    { { 0x16f6f330fb6840fdL,0xfaaeb2143401e6c8L,0xaf83d30fccb5b4f8L,
+        0x22885739266dec4bL },
+      { 0x51b4367c7bc467dfL,0x926562e3d842d27aL,0xdfcb66140fea14a6L,
+        0xeb394daef2734cd9L } },
+    /* 39 << 196 */
+    { { 0x3eeae5d211c0be98L,0xb1e6ed11814e8165L,0x191086bce52bce1cL,
+        0x14b74cc6a75a04daL },
+      { 0x63cf11868c060985L,0x071047de2dbd7f7cL,0x4e433b8bce0942caL,
+        0xecbac447d8fec61dL } },
+    /* 40 << 196 */
+    { { 0x8f0ed0e2ebf3232fL,0xfff80f9ec52a2eddL,0xad9ab43375b55fdbL,
+        0x73ca7820e42e0c11L },
+      { 0x6dace0a0e6251b46L,0x89bc6b5c4c0d932dL,0x3438cd77095da19aL,
+        0x2f24a9398d48bdfbL } },
+    /* 41 << 196 */
+    { { 0x99b47e46766561b7L,0x736600e60ed0322aL,0x06a47cb1638e1865L,
+        0x927c1c2dcb136000L },
+      { 0x295423370cc5df69L,0x99b37c0209d649a9L,0xc5f0043c6aefdb27L,
+        0x6cdd99871be95c27L } },
+    /* 42 << 196 */
+    { { 0x69850931390420d2L,0x299c40ac0983efa4L,0x3a05e778af39aeadL,
+        0x8427440843a45193L },
+      { 0x6bcd0fb991a711a0L,0x461592c89f52ab17L,0xb49302b4da3c6ed6L,
+        0xc51fddc7330d7067L } },
+    /* 43 << 196 */
+    { { 0x94babeb6da50d531L,0x521b840da6a7b9daL,0x5305151e404bdc89L,
+        0x1bcde201d0d07449L },
+      { 0xf427a78b3b76a59aL,0xf84841ce07791a1bL,0xebd314bebf91ed1cL,
+        0x8e61d34cbf172943L } },
+    /* 44 << 196 */
+    { { 0x1d5dc4515541b892L,0xb186ee41fc9d9e54L,0x9d9f345ed5bf610dL,
+        0x3e7ba65df6acca9fL },
+      { 0x9dda787aa8369486L,0x09f9dab78eb5ba53L,0x5afb2033d6481bc3L,
+        0x76f4ce30afa62104L } },
+    /* 45 << 196 */
+    { { 0xa8fa00cff4f066b5L,0x89ab5143461dafc2L,0x44339ed7a3389998L,
+        0x2ff862f1bc214903L },
+      { 0x2c88f985b05556e3L,0xcd96058e3467081eL,0x7d6a4176edc637eaL,
+        0xe1743d0936a5acdcL } },
+    /* 46 << 196 */
+    { { 0x66fd72e27eb37726L,0xf7fa264e1481a037L,0x9fbd3bde45f4aa79L,
+        0xed1e0147767c3e22L },
+      { 0x7621f97982e7abe2L,0x19eedc7245f633f8L,0xe69b155e6137bf3aL,
+        0xa0ad13ce414ee94eL } },
+    /* 47 << 196 */
+    { { 0x93e3d5241c0e651aL,0xab1a6e2a02ce227eL,0xe7af17974ab27ecaL,
+        0x245446debd444f39L },
+      { 0x59e22a2156c07613L,0x43deafcef4275498L,0x10834ccb67fd0946L,
+        0xa75841e547406edfL } },
+    /* 48 << 196 */
+    { { 0xebd6a6777b0ac93dL,0xa6e37b0d78f5e0d7L,0x2516c09676f5492bL,
+        0x1e4bf8889ac05f3aL },
+      { 0xcdb42ce04df0ba2bL,0x935d5cfd5062341bL,0x8a30333382acac20L,
+        0x429438c45198b00eL } },
+    /* 49 << 196 */
+    { { 0x1d083bc9049d33faL,0x58b82dda946f67ffL,0xac3e2db867a1d6a3L,
+        0x62e6bead1798aac8L },
+      { 0xfc85980fde46c58cL,0xa7f6937969c8d7beL,0x23557927837b35ecL,
+        0x06a933d8e0790c0cL } },
+    /* 50 << 196 */
+    { { 0x827c0e9b077ff55dL,0x53977798bb26e680L,0x595308741d9cb54fL,
+        0xcca3f4494aac53efL },
+      { 0x11dc5c87a07eda0fL,0xc138bccffd6400c8L,0x549680d313e5da72L,
+        0xc93eed824540617eL } },
+    /* 51 << 196 */
+    { { 0xfd3db1574d0b75c0L,0x9716eb426386075bL,0x0639605c817b2c16L,
+        0x09915109f1e4f201L },
+      { 0x35c9a9285cca6c3bL,0xb25f7d1a3505c900L,0xeb9f7d20630480c4L,
+        0xc3c7b8c62a1a501cL } },
+    /* 52 << 196 */
+    { { 0x3f99183c5a1f8e24L,0xfdb118fa9dd255f0L,0xb9b18b90c27f62a6L,
+        0xe8f732f7396ec191L },
+      { 0x524a2d910be786abL,0x5d32adef0ac5a0f5L,0x9b53d4d69725f694L,
+        0x032a76c60510ba89L } },
+    /* 53 << 196 */
+    { { 0x840391a3ebeb1544L,0x44b7b88c3ed73ac3L,0xd24bae7a256cb8b3L,
+        0x7ceb151ae394cb12L },
+      { 0xbd6b66d05bc1e6a8L,0xec70cecb090f07bfL,0x270644ed7d937589L,
+        0xee9e1a3d5f1dccfeL } },
+    /* 54 << 196 */
+    { { 0xb0d40a84745b98d2L,0xda429a212556ed40L,0xf676eced85148cb9L,
+        0x5a22d40cded18936L },
+      { 0x3bc4b9e570e8a4ceL,0xbfd1445b9eae0379L,0xf23f2c0c1a0bd47eL,
+        0xa9c0bb31e1845531L } },
+    /* 55 << 196 */
+    { { 0x9ddc4d600a4c3f6bL,0xbdfaad792c15ef44L,0xce55a2367f484accL,
+        0x08653ca7055b1f15L },
+      { 0x2efa8724538873a3L,0x09299e5dace1c7e7L,0x07afab66ade332baL,
+        0x9be1fdf692dd71b7L } },
+    /* 56 << 196 */
+    { { 0xa49b5d595758b11cL,0x0b852893c8654f40L,0xb63ef6f452379447L,
+        0xd4957d29105e690cL },
+      { 0x7d484363646559b0L,0xf4a8273c49788a8eL,0xee406cb834ce54a9L,
+        0x1e1c260ff86fda9bL } },
+    /* 57 << 196 */
+    { { 0xe150e228cf6a4a81L,0x1fa3b6a31b488772L,0x1e6ff110c5a9c15bL,
+        0xc6133b918ad6aa47L },
+      { 0x8ac5d55c9dffa978L,0xba1d1c1d5f3965f2L,0xf969f4e07732b52fL,
+        0xfceecdb5a5172a07L } },
+    /* 58 << 196 */
+    { { 0xb0120a5f10f2b8f5L,0xc83a6cdf5c4c2f63L,0x4d47a491f8f9c213L,
+        0xd9e1cce5d3f1bbd5L },
+      { 0x0d91bc7caba7e372L,0xfcdc74c8dfd1a2dbL,0x05efa800374618e5L,
+        0x1121696915a7925eL } },
+    /* 59 << 196 */
+    { { 0xd4c89823f6021c5dL,0x880d5e84eff14423L,0x6523bc5a6dcd1396L,
+        0xd1acfdfc113c978bL },
+      { 0xb0c164e8bbb66840L,0xf7f4301e72b58459L,0xc29ad4a6a638e8ecL,
+        0xf5ab896146b78699L } },
+    /* 60 << 196 */
+    { { 0x9dbd79740e954750L,0x0121de8864f9d2c6L,0x2e597b42d985232eL,
+        0x55b6c3c553451777L },
+      { 0xbb53e547519cb9fbL,0xf134019f8428600dL,0x5a473176e081791aL,
+        0x2f3e226335fb0c08L } },
+    /* 61 << 196 */
+    { { 0xb28c301773d273b0L,0xccd210767721ef9aL,0x054cc292b650dc39L,
+        0x662246de6188045eL },
+      { 0x904b52fa6b83c0d1L,0xa72df26797e9cd46L,0x886b43cd899725e4L,
+        0x2b651688d849ff22L } },
+    /* 62 << 196 */
+    { { 0x60479b7902f34533L,0x5e354c140c77c148L,0xb4bb7581a8537c78L,
+        0x188043d7efe1495fL },
+      { 0x9ba12f428c1d5026L,0x2e0c8a2693d4aaabL,0xbdba7b8baa57c450L,
+        0x140c9ad69bbdafefL } },
+    /* 63 << 196 */
+    { { 0x2067aa4225ac0f18L,0xf7b1295b04d1fbf3L,0x14829111a4b04824L,
+        0x2ce3f19233bd5e91L },
+      { 0x9c7a1d558f2e1b72L,0xfe932286302aa243L,0x497ca7b4d4be9554L,
+        0xb8e821b8e0547a6eL } },
+    /* 64 << 196 */
+    { { 0xfb2838be67e573e0L,0x05891db94084c44bL,0x9131137396c1c2c5L,
+        0x6aebfa3fd958444bL },
+      { 0xac9cdce9e56e55c1L,0x7148ced32caa46d0L,0x2e10c7efb61fe8ebL,
+        0x9fd835daff97cf4dL } },
+    /* 0 << 203 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 203 */
+    { { 0xa36da109081e9387L,0xfb9780d78c935828L,0xd5940332e540b015L,
+        0xc9d7b51be0f466faL },
+      { 0xfaadcd41d6d9f671L,0xba6c1e28b1a2ac17L,0x066a7833ed201e5fL,
+        0x19d99719f90f462bL } },
+    /* 2 << 203 */
+    { { 0xf431f462060b5f61L,0xa56f46b47bd057c2L,0x348dca6c47e1bf65L,
+        0x9a38783e41bcf1ffL },
+      { 0x7a5d33a9da710718L,0x5a7799872e0aeaf6L,0xca87314d2d29d187L,
+        0xfa0edc3ec687d733L } },
+    /* 3 << 203 */
+    { { 0x9df336216a31e09bL,0xde89e44dc1350e35L,0x292148714ca0cf52L,
+        0xdf3796720b88a538L },
+      { 0xc92a510a2591d61bL,0x79aa87d7585b447bL,0xf67db604e5287f77L,
+        0x1697c8bf5efe7a80L } },
+    /* 4 << 203 */
+    { { 0x1c894849cb198ac7L,0xa884a93d0f264665L,0x2da964ef9b200678L,
+        0x3c351b87009834e6L },
+      { 0xafb2ef9fe2c4b44bL,0x580f6c473326790cL,0xb84805210b02264aL,
+        0x8ba6f9e242a194e2L } },
+    /* 5 << 203 */
+    { { 0xfc87975f8fb54738L,0x3516078827c3ead3L,0x834116d2b74a085aL,
+        0x53c99a73a62fe996L },
+      { 0x87585be05b81c51bL,0x925bafa8be0852b7L,0x76a4fafda84d19a7L,
+        0x39a45982585206d4L } },
+    /* 6 << 203 */
+    { { 0x499b6ab65eb03c0eL,0xf19b795472bc3fdeL,0xa86b5b9c6e3a80d2L,
+        0xe43775086d42819fL },
+      { 0xc1663650bb3ee8a3L,0x75eb14fcb132075fL,0xa8ccc9067ad834f6L,
+        0xea6a2474e6e92ffdL } },
+    /* 7 << 203 */
+    { { 0x9d72fd950f8d6758L,0xcb84e101408c07ddL,0xb9114bfda5e23221L,
+        0x358b5fe2e94e742cL },
+      { 0x1c0577ec95f40e75L,0xf01554513d73f3d6L,0x9d55cd67bd1b9b66L,
+        0x63e86e78af8d63c7L } },
+    /* 8 << 203 */
+    { { 0x39d934abd3c095f1L,0x04b261bee4b76d71L,0x1d2e6970e73e6984L,
+        0x879fb23b5e5fcb11L },
+      { 0x11506c72dfd75490L,0x3a97d08561bcf1c1L,0x43201d82bf5e7007L,
+        0x7f0ac52f798232a7L } },
+    /* 9 << 203 */
+    { { 0x2715cbc46eb564d4L,0x8d6c752c9e570e29L,0xf80247c89ef5fd5dL,
+        0xc3c66b46d53eb514L },
+      { 0x9666b4010f87de56L,0xce62c06fc6c603b5L,0xae7b4c607e4fc942L,
+        0x38ac0b77663a9c19L } },
+    /* 10 << 203 */
+    { { 0xcb4d20ee4b049136L,0x8b63bf12356a4613L,0x1221aef670e08128L,
+        0xe62d8c514acb6b16L },
+      { 0x71f64a67379e7896L,0xb25237a2cafd7fa5L,0xf077bd983841ba6aL,
+        0xc4ac02443cd16e7eL } },
+    /* 11 << 203 */
+    { { 0x548ba86921fea4caL,0xd36d0817f3dfdac1L,0x09d8d71ff4685fafL,
+        0x8eff66bec52c459aL },
+      { 0x182faee70b57235eL,0xee3c39b10106712bL,0x5107331fc0fcdcb0L,
+        0x669fb9dca51054baL } },
+    /* 12 << 203 */
+    { { 0xb25101fb319d7682L,0xb02931290a982feeL,0x51c1c9b90261b344L,
+        0x0e008c5bbfd371faL },
+      { 0xd866dd1c0278ca33L,0x666f76a6e5aa53b1L,0xe5cfb7796013a2cfL,
+        0x1d3a1aada3521836L } },
+    /* 13 << 203 */
+    { { 0xcedd253173faa485L,0xc8ee6c4fc0a76878L,0xddbccfc92a11667dL,
+        0x1a418ea91c2f695aL },
+      { 0xdb11bd9251f73971L,0x3e4b3c82da2ed89fL,0x9a44f3f4e73e0319L,
+        0xd1e3de0f303431afL } },
+    /* 14 << 203 */
+    { { 0x3c5604ff50f75f9cL,0x1d8eddf37e752b22L,0x0ef074dd3c9a1118L,
+        0xd0ffc172ccb86d7bL },
+      { 0xabd1ece3037d90f2L,0xe3f307d66055856cL,0x422f93287e4c6dafL,
+        0x902aac66334879a0L } },
+    /* 15 << 203 */
+    { { 0xb6a1e7bf94cdfadeL,0x6c97e1ed7fc6d634L,0x662ad24da2fb63f8L,
+        0xf81be1b9a5928405L },
+      { 0x86d765e4d14b4206L,0xbecc2e0e8fa0db65L,0xa28838e0b17fc76cL,
+        0xe49a602ae37cf24eL } },
+    /* 16 << 203 */
+    { { 0x76b4131a567193ecL,0xaf3c305ae5f6e70bL,0x9587bd39031eebddL,
+        0x5709def871bbe831L },
+      { 0x570599830eb2b669L,0x4d80ce1b875b7029L,0x838a7da80364ac16L,
+        0x2f431d23be1c83abL } },
+    /* 17 << 203 */
+    { { 0xe56812a6f9294dd3L,0xb448d01f9b4b0d77L,0xf3ae606104e8305cL,
+        0x2bead64594d8c63eL },
+      { 0x0a85434d84fd8b07L,0x537b983ff7a9dee5L,0xedcc5f18ef55bd85L,
+        0x2041af6221c6cf8bL } },
+    /* 18 << 203 */
+    { { 0x8e52874cb940c71eL,0x211935a9db5f4b3aL,0x94350492301b1dc3L,
+        0x33d2646d29958620L },
+      { 0x16b0d64bef911404L,0x9d1f25ea9a3c5ef4L,0x20f200eb4a352c78L,
+        0x43929f2c4bd0b428L } },
+    /* 19 << 203 */
+    { { 0xa5656667c7196e29L,0x7992c2f09391be48L,0xaaa97cbd9ee0cd6eL,
+        0x51b0310c3dc8c9bfL },
+      { 0x237f8acfdd9f22cbL,0xbb1d81a1b585d584L,0x8d5d85f58c416388L,
+        0x0d6e5a5a42fe474fL } },
+    /* 20 << 203 */
+    { { 0xe781276638235d4eL,0x1c62bd67496e3298L,0x8378660c3f175bc8L,
+        0x4d04e18917afdd4dL },
+      { 0x32a8160185a8068cL,0xdb58e4e192b29a85L,0xe8a65b86c70d8a3bL,
+        0x5f0e6f4e98a0403bL } },
+    /* 21 << 203 */
+    { { 0x0812968469ed2370L,0x34dc30bd0871ee26L,0x3a5ce9487c9c5b05L,
+        0x7d487b8043a90c87L },
+      { 0x4089ba37dd0e7179L,0x45f80191b4041811L,0x1c3e105898747ba5L,
+        0x98c4e13a6e1ae592L } },
+    /* 22 << 203 */
+    { { 0xd44636e6e82c9f9eL,0x711db87cc33a1043L,0x6f431263aa8aec05L,
+        0x43ff120d2744a4aaL },
+      { 0xd3bd892fae77779bL,0xf0fe0cc98cdc9f82L,0xca5f7fe6f1c5b1bcL,
+        0xcc63a68244929a72L } },
+    /* 23 << 203 */
+    { { 0xc7eaba0c09dbe19aL,0x2f3585ad6b5c73c2L,0x8ab8924b0ae50c30L,
+        0x17fcd27a638b30baL },
+      { 0xaf414d3410b3d5a5L,0x09c107d22a9accf1L,0x15dac49f946a6242L,
+        0xaec3df2ad707d642L } },
+    /* 24 << 203 */
+    { { 0x2c2492b73f894ae0L,0xf59df3e5b75f18ceL,0x7cb740d28f53cad0L,
+        0x3eb585fbc4f01294L },
+      { 0x17da0c8632c7f717L,0xeb8c795baf943f4cL,0x4ee23fb5f67c51d2L,
+        0xef18757568889949L } },
+    /* 25 << 203 */
+    { { 0xa6b4bdb20389168bL,0xc4ecd258ea577d03L,0x3a63782b55743082L,
+        0x6f678f4cc72f08cdL },
+      { 0x553511cf65e58dd8L,0xd53b4e3ed402c0cdL,0x37de3e29a037c14cL,
+        0x86b6c516c05712aaL } },
+    /* 26 << 203 */
+    { { 0x2834da3eb38dff6fL,0xbe012c52ea636be8L,0x292d238c61dd37f8L,
+        0x0e54523f8f8142dbL },
+      { 0xe31eb436036a05d8L,0x83e3cdff1e93c0ffL,0x3fd2fe0f50821ddfL,
+        0xc8e19b0dff9eb33bL } },
+    /* 27 << 203 */
+    { { 0xc8cc943fb569a5feL,0xad0090d4d4342d75L,0x82090b4bcaeca000L,
+        0xca39687f1bd410ebL },
+      { 0xe7bb0df765959d77L,0x39d782189c964999L,0xd87f62e8b2415451L,
+        0xe5efb774bed76108L } },
+    /* 28 << 203 */
+    { { 0x3ea011a4e822f0d0L,0xbc647ad15a8704f8L,0xbb315b3550c6820fL,
+        0x863dec3db7e76becL },
+      { 0x01ff5d3af017bfc7L,0x20054439976b8229L,0x067fca370bbd0d3bL,
+        0xf63dde647f5e3d0fL } },
+    /* 29 << 203 */
+    { { 0x22dbefb32a4c94e9L,0xafbff0fe96f8278aL,0x80aea0b13503793dL,
+        0xb22380295f06cd29L },
+      { 0x65703e578ec3fecaL,0x06c38314393e7053L,0xa0b751eb7c6734c4L,
+        0xd2e8a435c59f0f1eL } },
+    /* 30 << 203 */
+    { { 0x147d90525e9ca895L,0x2f4dd31e972072dfL,0xa16fda8ee6c6755cL,
+        0xc66826ffcf196558L },
+      { 0x1f1a76a30cf43895L,0xa9d604e083c3097bL,0xe190830966390e0eL,
+        0xa50bf753b3c85effL } },
+    /* 31 << 203 */
+    { { 0x0696bddef6a70251L,0x548b801b3c6ab16aL,0x37fcf704a4d08762L,
+        0x090b3defdff76c4eL },
+      { 0x87e8cb8969cb9158L,0x44a90744995ece43L,0xf85395f40ad9fbf5L,
+        0x49b0f6c54fb0c82dL } },
+    /* 32 << 203 */
+    { { 0x75d9bc15adf7cccfL,0x81a3e5d6dfa1e1b0L,0x8c39e444249bc17eL,
+        0xf37dccb28ea7fd43L },
+      { 0xda654873907fba12L,0x35daa6da4a372904L,0x0564cfc66283a6c5L,
+        0xd09fa4f64a9395bfL } },
+    /* 33 << 203 */
+    { { 0x688e9ec9aeb19a36L,0xd913f1cec7bfbfb4L,0x797b9a3c61c2faa6L,
+        0x2f979bec6a0a9c12L },
+      { 0xb5969d0f359679ecL,0xebcf523d079b0460L,0xfd6b000810fab870L,
+        0x3f2edcda9373a39cL } },
+    /* 34 << 203 */
+    { { 0x0d64f9a76f568431L,0xf848c27c02f8898cL,0xf418ade1260b5bd5L,
+        0xc1f3e3236973dee8L },
+      { 0x46e9319c26c185ddL,0x6d85b7d8546f0ac4L,0x427965f2247f9d57L,
+        0xb519b636b0035f48L } },
+    /* 35 << 203 */
+    { { 0x6b6163a9ab87d59cL,0xff9f58c339caaa11L,0x4ac39cde3177387bL,
+        0x5f6557c2873e77f9L },
+      { 0x6750400636a83041L,0x9b1c96ca75ef196cL,0xf34283deb08c7940L,
+        0x7ea096441128c316L } },
+    /* 36 << 203 */
+    { { 0xb510b3b56aa39dffL,0x59b43da29f8e4d8cL,0xa8ce31fd9e4c4b9fL,
+        0x0e20be26c1303c01L },
+      { 0x18187182e8ee47c9L,0xd9687cdb7db98101L,0x7a520e4da1e14ff6L,
+        0x429808ba8836d572L } },
+    /* 37 << 203 */
+    { { 0xa37ca60d4944b663L,0xf901f7a9a3f91ae5L,0xe4e3e76e9e36e3b1L,
+        0x9aa219cf29d93250L },
+      { 0x347fe275056a2512L,0xa4d643d9de65d95cL,0x9669d396699fc3edL,
+        0xb598dee2cf8c6bbeL } },
+    /* 38 << 203 */
+    { { 0x682ac1e5dda9e5c6L,0x4e0d3c72caa9fc95L,0x17faaade772bea44L,
+        0x5ef8428cab0009c8L },
+      { 0xcc4ce47a460ff016L,0xda6d12bf725281cbL,0x44c678480223aad2L,
+        0x6e342afa36256e28L } },
+    /* 39 << 203 */
+    { { 0x1400bb0b93a37c04L,0x62b1bc9bdd10bd96L,0x7251adeb0dac46b7L,
+        0x7d33b92e7be4ef51L },
+      { 0x28b2a94be61fa29aL,0x4b2be13f06422233L,0x36d6d062330d8d37L,
+        0x5ef80e1eb28ca005L } },
+    /* 40 << 203 */
+    { { 0x174d46996d16768eL,0x9fc4ff6a628bf217L,0x77705a94154e490dL,
+        0x9d96dd288d2d997aL },
+      { 0x77e2d9d8ce5d72c4L,0x9d06c5a4c11c714fL,0x02aa513679e4a03eL,
+        0x1386b3c2030ff28bL } },
+    /* 41 << 203 */
+    { { 0xfe82e8a6fb283f61L,0x7df203e5f3abc3fbL,0xeec7c3513a4d3622L,
+        0xf7d17dbfdf762761L },
+      { 0xc3956e44522055f0L,0xde3012db8fa748dbL,0xca9fcb63bf1dcc14L,
+        0xa56d9dcfbe4e2f3aL } },
+    /* 42 << 203 */
+    { { 0xb86186b68bcec9c2L,0x7cf24df9680b9f06L,0xc46b45eac0d29281L,
+        0xfff42bc507b10e12L },
+      { 0x12263c404d289427L,0x3d5f1899b4848ec4L,0x11f97010d040800cL,
+        0xb4c5f529300feb20L } },
+    /* 43 << 203 */
+    { { 0xcc543f8fde94fdcbL,0xe96af739c7c2f05eL,0xaa5e0036882692e1L,
+        0x09c75b68950d4ae9L },
+      { 0x62f63df2b5932a7aL,0x2658252ede0979adL,0x2a19343fb5e69631L,
+        0x718c7501525b666bL } },
+    /* 44 << 203 */
+    { { 0x26a42d69ea40dc3aL,0xdc84ad22aecc018fL,0x25c36c7b3270f04aL,
+        0x46ba6d4750fa72edL },
+      { 0x6c37d1c593e58a8eL,0xa2394731120c088cL,0xc3be4263cb6e86daL,
+        0x2c417d367126d038L } },
+    /* 45 << 203 */
+    { { 0x5b70f9c58b6f8efaL,0x671a2faa37718536L,0xd3ced3c6b539c92bL,
+        0xe56f1bd9a31203c2L },
+      { 0x8b096ec49ff3c8ebL,0x2deae43243491ceaL,0x2465c6eb17943794L,
+        0x5d267e6620586843L } },
+    /* 46 << 203 */
+    { { 0x9d3d116db07159d0L,0xae07a67fc1896210L,0x8fc84d87bb961579L,
+        0x30009e491c1f8dd6L },
+      { 0x8a8caf22e3132819L,0xcffa197cf23ab4ffL,0x58103a44205dd687L,
+        0x57b796c30ded67a2L } },
+    /* 47 << 203 */
+    { { 0x0b9c3a6ca1779ad7L,0xa33cfe2e357c09c5L,0x2ea293153db4a57eL,
+        0x919596958ebeb52eL },
+      { 0x118db9a6e546c879L,0x8e996df46295c8d6L,0xdd99048455ec806bL,
+        0x24f291ca165c1035L } },
+    /* 48 << 203 */
+    { { 0xcca523bb440e2229L,0x324673a273ef4d04L,0xaf3adf343e11ec39L,
+        0x6136d7f1dc5968d3L },
+      { 0x7a7b2899b053a927L,0x3eaa2661ae067ecdL,0x8549b9c802779cd9L,
+        0x061d7940c53385eaL } },
+    /* 49 << 203 */
+    { { 0x3e0ba883f06d18bdL,0x4ba6de53b2700843L,0xb966b668591a9e4dL,
+        0x93f675677f4fa0edL },
+      { 0x5a02711b4347237bL,0xbc041e2fe794608eL,0x55af10f570f73d8cL,
+        0xd2d4d4f7bb7564f7L } },
+    /* 50 << 203 */
+    { { 0xd7d27a89b3e93ce7L,0xf7b5a8755d3a2c1bL,0xb29e68a0255b218aL,
+        0xb533837e8af76754L },
+      { 0xd1b05a73579fab2eL,0xb41055a1ecd74385L,0xb2369274445e9115L,
+        0x2972a7c4f520274eL } },
+    /* 51 << 203 */
+    { { 0x6c08334ef678e68aL,0x4e4160f099b057edL,0x3cfe11b852ccb69aL,
+        0x2fd1823a21c8f772L },
+      { 0xdf7f072f3298f055L,0x8c0566f9fec74a6eL,0xe549e0195bb4d041L,
+        0x7c3930ba9208d850L } },
+    /* 52 << 203 */
+    { { 0xe07141fcaaa2902bL,0x539ad799e4f69ad3L,0xa6453f94813f9ffdL,
+        0xc58d3c48375bc2f7L },
+      { 0xb3326fad5dc64e96L,0x3aafcaa9b240e354L,0x1d1b0903aca1e7a9L,
+        0x4ceb97671211b8a0L } },
+    /* 53 << 203 */
+    { { 0xeca83e49e32a858eL,0x4c32892eae907badL,0xd5b42ab62eb9b494L,
+        0x7fde3ee21eabae1bL },
+      { 0x13b5ab09caf54957L,0xbfb028bee5f5d5d5L,0x928a06502003e2c0L,
+        0x90793aac67476843L } },
+    /* 54 << 203 */
+    { { 0x5e942e79c81710a0L,0x557e4a3627ccadd4L,0x72a2bc564bcf6d0cL,
+        0x09ee5f4326d7b80cL },
+      { 0x6b70dbe9d4292f19L,0x56f74c2663f16b18L,0xc23db0f735fbb42aL,
+        0xb606bdf66ae10040L } },
+    /* 55 << 203 */
+    { { 0x1eb15d4d044573acL,0x7dc3cf86556b0ba4L,0x97af9a33c60df6f7L,
+        0x0b1ef85ca716ce8cL },
+      { 0x2922f884c96958beL,0x7c32fa9435690963L,0x2d7f667ceaa00061L,
+        0xeaaf7c173547365cL } },
+    /* 56 << 203 */
+    { { 0x1eb4de4687032d58L,0xc54f3d835e2c79e0L,0x07818df45d04ef23L,
+        0x55faa9c8673d41b4L },
+      { 0xced64f6f89b95355L,0x4860d2eab7415c84L,0x5fdb9bd2050ebad3L,
+        0xdb53e0cc6685a5bfL } },
+    /* 57 << 203 */
+    { { 0xb830c0319feb6593L,0xdd87f3106accff17L,0x2303ebab9f555c10L,
+        0x94603695287e7065L },
+      { 0xf88311c32e83358cL,0x508dd9b4eefb0178L,0x7ca237062dba8652L,
+        0x62aac5a30047abe5L } },
+    /* 58 << 203 */
+    { { 0x9a61d2a08b1ea7b3L,0xd495ab63ae8b1485L,0x38740f8487052f99L,
+        0x178ebe5bb2974eeaL },
+      { 0x030bbcca5b36d17fL,0xb5e4cce3aaf86eeaL,0xb51a022068f8e9e0L,
+        0xa434879609eb3e75L } },
+    /* 59 << 203 */
+    { { 0xbe592309eef1a752L,0x5d7162d76f2aa1edL,0xaebfb5ed0f007dd2L,
+        0x255e14b2c89edd22L },
+      { 0xba85e0720303b697L,0xc5d17e25f05720ffL,0x02b58d6e5128ebb6L,
+        0x2c80242dd754e113L } },
+    /* 60 << 203 */
+    { { 0x919fca5fabfae1caL,0x937afaac1a21459bL,0x9e0ca91c1f66a4d2L,
+        0x194cc7f323ec1331L },
+      { 0xad25143a8aa11690L,0xbe40ad8d09b59e08L,0x37d60d9be750860aL,
+        0x6c53b008c6bf434cL } },
+    /* 61 << 203 */
+    { { 0xb572415d1356eb80L,0xb8bf9da39578ded8L,0x22658e365e8fb38bL,
+        0x9b70ce225af8cb22L },
+      { 0x7c00018a829a8180L,0x84329f93b81ed295L,0x7c343ea25f3cea83L,
+        0x38f8655f67586536L } },
+    /* 62 << 203 */
+    { { 0xa661a0d01d3ec517L,0x98744652512321aeL,0x084ca591eca92598L,
+        0xa9bb9dc91dcb3febL },
+      { 0x14c5435578b4c240L,0x5ed62a3b610cafdcL,0x07512f371b38846bL,
+        0x571bb70ab0e38161L } },
+    /* 63 << 203 */
+    { { 0xb556b95b2da705d2L,0x3ef8ada6b1a08f98L,0x85302ca7ddecfbe5L,
+        0x0e530573943105cdL },
+      { 0x60554d5521a9255dL,0x63a32fa1f2f3802aL,0x35c8c5b0cd477875L,
+        0x97f458ea6ad42da1L } },
+    /* 64 << 203 */
+    { { 0x832d7080eb6b242dL,0xd30bd0233b71e246L,0x7027991bbe31139dL,
+        0x68797e91462e4e53L },
+      { 0x423fe20a6b4e185aL,0x82f2c67e42d9b707L,0x25c817684cf7811bL,
+        0xbd53005e045bb95dL } },
+    /* 0 << 210 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 210 */
+    { { 0xe5f649be9d8e68fdL,0xdb0f05331b044320L,0xf6fde9b3e0c33398L,
+        0x92f4209b66c8cfaeL },
+      { 0xe9d1afcc1a739d4bL,0x09aea75fa28ab8deL,0x14375fb5eac6f1d0L,
+        0x6420b560708f7aa5L } },
+    /* 2 << 210 */
+    { { 0x9eae499c6254dc41L,0x7e2939247a837e7eL,0x74aec08c090524a7L,
+        0xf82b92198d6f55f2L },
+      { 0x493c962e1402cec5L,0x9f17ca17fa2f30e7L,0xbcd783e8e9b879cbL,
+        0xea3d8c145a6f145fL } },
+    /* 3 << 210 */
+    { { 0xdede15e75e0dee6eL,0x74f24872dc628aa2L,0xd3e9c4fe7861bb93L,
+        0x56d4822a6187b2e0L },
+      { 0xb66417cfc59826f9L,0xca2609692408169eL,0xedf69d06c79ef885L,
+        0x00031f8adc7d138fL } },
+    /* 4 << 210 */
+    { { 0x103c46e60ebcf726L,0x4482b8316231470eL,0x6f6dfaca487c2109L,
+        0x2e0ace9762e666efL },
+      { 0x3246a9d31f8d1f42L,0x1b1e83f1574944d2L,0x13dfa63aa57f334bL,
+        0x0cf8daed9f025d81L } },
+    /* 5 << 210 */
+    { { 0x30d78ea800ee11c1L,0xeb053cd4b5e3dd75L,0x9b65b13ed58c43c5L,
+        0xc3ad49bdbd151663L },
+      { 0x99fd8e41b6427990L,0x12cf15bd707eae1eL,0x29ad4f1b1aabb71eL,
+        0x5143e74d07545d0eL } },
+    /* 6 << 210 */
+    { { 0x30266336c88bdee1L,0x25f293065876767cL,0x9c078571c6731996L,
+        0xc88690b2ed552951L },
+      { 0x274f2c2d852705b4L,0xb0bf8d444e09552dL,0x7628beeb986575d1L,
+        0x407be2387f864651L } },
+    /* 7 << 210 */
+    { { 0x0e5e3049a639fc6bL,0xe75c35d986003625L,0x0cf35bd85dcc1646L,
+        0x8bcaced26c26273aL },
+      { 0xe22ecf1db5536742L,0x013dd8971a9e068bL,0x17f411cb8a7909c5L,
+        0x5757ac98861dd506L } },
+    /* 8 << 210 */
+    { { 0x85de1f0d1e935abbL,0xdefd10b4154de37aL,0xb8d9e392369cebb5L,
+        0x54d5ef9b761324beL },
+      { 0x4d6341ba74f17e26L,0xc0a0e3c878c1dde4L,0xa6d7758187d918fdL,
+        0x6687601502ca3a13L } },
+    /* 9 << 210 */
+    { { 0xc7313e9cf36658f0L,0xc433ef1c71f8057eL,0x853262461b6a835aL,
+        0xc8f053987c86394cL },
+      { 0xff398cdfe983c4a1L,0xbf5e816203b7b931L,0x93193c46b7b9045bL,
+        0x1e4ebf5da4a6e46bL } },
+    /* 10 << 210 */
+    { { 0xf9942a6043a24fe7L,0x29c1191effb3492bL,0x9f662449902fde05L,
+        0xc792a7ac6713c32dL },
+      { 0x2fd88ad8b737982cL,0x7e3a0319a21e60e3L,0x09b0de447383591aL,
+        0x6df141ee8310a456L } },
+    /* 11 << 210 */
+    { { 0xaec1a039e6d6f471L,0x14b2ba0f1198d12eL,0xebc1a1603aeee5acL,
+        0x401f4836e0b964ceL },
+      { 0x2ee437964fd03f66L,0x3fdb4e49dd8f3f12L,0x6ef267f629380f18L,
+        0x3e8e96708da64d16L } },
+    /* 12 << 210 */
+    { { 0xbc19180c207674f1L,0x112e09a733ae8fdbL,0x996675546aaeb71eL,
+        0x79432af1e101b1c7L },
+      { 0xd5eb558fde2ddec6L,0x81392d1f5357753fL,0xa7a76b973ae1158aL,
+        0x416fbbff4a899991L } },
+    /* 13 << 210 */
+    { { 0x9e65fdfd0d4a9dcfL,0x7bc29e48944ddf12L,0xbc1a92d93c856866L,
+        0x273c69056e98dfe2L },
+      { 0x69fce418cdfaa6b8L,0x606bd8235061c69fL,0x42d495a06af75e27L,
+        0x8ed3d5056d873a1fL } },
+    /* 14 << 210 */
+    { { 0xaf5528416ab25b6aL,0xc6c0ffc72b1a4523L,0xab18827b21c99e03L,
+        0x060e86489034691bL },
+      { 0x5207f90f93c7f398L,0x9f4a96cb82f8d10bL,0xdd71cd793ad0f9e3L,
+        0x84f435d2fc3a54f5L } },
+    /* 15 << 210 */
+    { { 0x4b03c55b8e33787fL,0xef42f975a6384673L,0xff7304f75051b9f0L,
+        0x18aca1dc741c87c2L },
+      { 0x56f120a72d4bfe80L,0xfd823b3d053e732cL,0x11bccfe47537ca16L,
+        0xdf6c9c741b5a996bL } },
+    /* 16 << 210 */
+    { { 0xee7332c7904fc3faL,0x14a23f45c7e3636aL,0xc38659c3f091d9aaL,
+        0x4a995e5db12d8540L },
+      { 0x20a53becf3a5598aL,0x56534b17b1eaa995L,0x9ed3dca4bf04e03cL,
+        0x716c563ad8d56268L } },
+    /* 17 << 210 */
+    { { 0x27ba77a41d6178e7L,0xe4c80c4068a1ff8eL,0x750110990a13f63dL,
+        0x7bf33521a61d46f3L },
+      { 0x0aff218e10b365bbL,0x810218040fd7ea75L,0x05a3fd8aa4b3a925L,
+        0xb829e75f9b3db4e6L } },
+    /* 18 << 210 */
+    { { 0x6bdc75a54d53e5fbL,0x04a5dc02d52717e3L,0x86af502fe9a42ec2L,
+        0x8867e8fb2630e382L },
+      { 0xbf845c6ebec9889bL,0x54f491f2cb47c98dL,0xa3091fba790c2a12L,
+        0xd7f6fd78c20f708bL } },
+    /* 19 << 210 */
+    { { 0xa569ac30acde5e17L,0xd0f996d06852b4d7L,0xe51d4bb54609ae54L,
+        0x3fa37d170daed061L },
+      { 0x62a8868434b8fb41L,0x99a2acbd9efb64f1L,0xb75c1a5e6448e1f2L,
+        0xfa99951a42b5a069L } },
+    /* 20 << 210 */
+    { { 0x6d956e892f3b26e7L,0xf4709860da875247L,0x3ad151792482dda3L,
+        0xd64110e3017d82f0L },
+      { 0x14928d2cfad414e4L,0x2b155f582ed02b24L,0x481a141bcb821bf1L,
+        0x12e3c7704f81f5daL } },
+    /* 21 << 210 */
+    { { 0xe49c5de59fff8381L,0x110532325bbec894L,0xa0d051cc454d88c4L,
+        0x4f6db89c1f8e531bL },
+      { 0x34fe3fd6ca563a44L,0x7f5c221558da8ab9L,0x8445016d9474f0a1L,
+        0x17d34d61cb7d8a0aL } },
+    /* 22 << 210 */
+    { { 0x8e9d39101c474019L,0xcaff2629d52ceefbL,0xf9cf3e32c1622c2bL,
+        0xd4b95e3ce9071a05L },
+      { 0xfbbca61f1594438cL,0x1eb6e6a604aadedfL,0x853027f468e14940L,
+        0x221d322adfabda9cL } },
+    /* 23 << 210 */
+    { { 0xed8ea9f6b7cb179aL,0xdc7b764db7934dccL,0xfcb139405e09180dL,
+        0x6629a6bfb47dc2ddL },
+      { 0xbfc55e4e9f5a915eL,0xb1db9d376204441eL,0xf82d68cf930c5f53L,
+        0x17d3a142cbb605b1L } },
+    /* 24 << 210 */
+    { { 0xdd5944ea308780f2L,0xdc8de7613845f5e4L,0x6beaba7d7624d7a3L,
+        0x1e709afd304df11eL },
+      { 0x9536437602170456L,0xbf204b3ac8f94b64L,0x4e53af7c5680ca68L,
+        0x0526074ae0c67574L } },
+    /* 25 << 210 */
+    { { 0x95d8cef8ecd92af6L,0xe6b9fa7a6cd1745aL,0x3d546d3da325c3e4L,
+        0x1f57691d9ae93aaeL },
+      { 0xe891f3fe9d2e1a33L,0xd430093fac063d35L,0xeda59b125513a327L,
+        0xdc2134f35536f18fL } },
+    /* 26 << 210 */
+    { { 0xaa51fe2c5c210286L,0x3f68aaee1cab658cL,0x5a23a00bf9357292L,
+        0x9a626f397efdabedL },
+      { 0xfe2b3bf3199d78e3L,0xb7a2af7771bbc345L,0x3d19827a1e59802cL,
+        0x823bbc15b487a51cL } },
+    /* 27 << 210 */
+    { { 0x856139f299d0a422L,0x9ac3df65f456c6fbL,0xaddf65c6701f8bd6L,
+        0x149f321e3758df87L },
+      { 0xb1ecf714721b7ebaL,0xe17df09831a3312aL,0xdb2fd6ecd5c4d581L,
+        0xfd02996f8fcea1b3L } },
+    /* 28 << 210 */
+    { { 0xe29fa63e7882f14fL,0xc9f6dc3507c6cadcL,0x46f22d6fb882bed0L,
+        0x1a45755bd118e52cL },
+      { 0x9f2c7c277c4608cfL,0x7ccbdf32568012c2L,0xfcb0aedd61729b0eL,
+        0x7ca2ca9ef7d75dbfL } },
+    /* 29 << 210 */
+    { { 0xf58fecb16f640f62L,0xe274b92b39f51946L,0x7f4dfc046288af44L,
+        0x0a91f32aeac329e5L },
+      { 0x43ad274bd6aaba31L,0x719a16400f6884f9L,0x685d29f6daf91e20L,
+        0x5ec1cc3327e49d52L } },
+    /* 30 << 210 */
+    { { 0x38f4de963b54a059L,0x0e0015e5efbcfdb3L,0x177d23d94dbb8da6L,
+        0x98724aa297a617adL },
+      { 0x30f0885bfdb6558eL,0xf9f7a28ac7899a96L,0xd2ae8ac8872dc112L,
+        0xfa0642ca73c3c459L } },
+    /* 31 << 210 */
+    { { 0x15296981e7dfc8d6L,0x67cd44501fb5b94aL,0x0ec71cf10eddfd37L,
+        0xc7e5eeb39a8eddc7L },
+      { 0x02ac8e3d81d95028L,0x0088f17270b0e35dL,0xec041fabe1881fe3L,
+        0x62cf71b8d99e7faaL } },
+    /* 32 << 210 */
+    { { 0x5043dea7e0f222c2L,0x309d42ac72e65142L,0x94fe9ddd9216cd30L,
+        0xd6539c7d0f87feecL },
+      { 0x03c5a57c432ac7d7L,0x72692cf0327fda10L,0xec28c85f280698deL,
+        0x2331fb467ec283b1L } },
+    /* 33 << 210 */
+    { { 0xd34bfa322867e633L,0x78709a820a9cc815L,0xb7fe6964875e2fa5L,
+        0x25cc064f9e98bfb5L },
+      { 0x9eb0151c493a65c5L,0x5fb5d94153182464L,0x69e6f130f04618e2L,
+        0xa8ecec22f89c8ab6L } },
+    /* 34 << 210 */
+    { { 0xcd6ac88bb96209bdL,0x65fa8cdbb3e1c9e0L,0xa47d22f54a8d8eacL,
+        0x83895cdf8d33f963L },
+      { 0xa8adca59b56cd3d1L,0x10c8350bdaf38232L,0x2b161fb3a5080a9fL,
+        0xbe7f5c643af65b3aL } },
+    /* 35 << 210 */
+    { { 0x2c75403997403a11L,0x94626cf7121b96afL,0x431de7c46a983ec2L,
+        0x3780dd3a52cc3df7L },
+      { 0xe28a0e462baf8e3bL,0xabe68aad51d299aeL,0x603eb8f9647a2408L,
+        0x14c61ed65c750981L } },
+    /* 36 << 210 */
+    { { 0x88b34414c53352e7L,0x5a34889c1337d46eL,0x612c1560f95f2bc8L,
+        0x8a3f8441d4807a3aL },
+      { 0x680d9e975224da68L,0x60cd6e88c3eb00e9L,0x3875a98e9a6bc375L,
+        0xdc80f9244fd554c2L } },
+    /* 37 << 210 */
+    { { 0x6c4b34156ac77407L,0xa1e5ea8f25420681L,0x541bfa144607a458L,
+        0x5dbc7e7a96d7fbf9L },
+      { 0x646a851b31590a47L,0x039e85ba15ee6df8L,0xd19fa231d7b43fc0L,
+        0x84bc8be8299a0e04L } },
+    /* 38 << 210 */
+    { { 0x2b9d2936f20df03aL,0x240543828608d472L,0x76b6ba049149202aL,
+        0xb21c38313670e7b7L },
+      { 0xddd93059d6fdee10L,0x9da47ad378488e71L,0x99cc1dfda0fcfb25L,
+        0x42abde1064696954L } },
+    /* 39 << 210 */
+    { { 0x14cc15fc17eab9feL,0xd6e863e4d3e70972L,0x29a7765c6432112cL,
+        0x886600015b0774d8L },
+      { 0x3729175a2c088eaeL,0x13afbcae8230b8d4L,0x44768151915f4379L,
+        0xf086431ad8d22812L } },
+    /* 40 << 210 */
+    { { 0x37461955c298b974L,0x905fb5f0f8711e04L,0x787abf3afe969d18L,
+        0x392167c26f6a494eL },
+      { 0xfc7a0d2d28c511daL,0xf127c7dcb66a262dL,0xf9c4bb95fd63fdf0L,
+        0x900165893913ef46L } },
+    /* 41 << 210 */
+    { { 0x74d2a73c11aa600dL,0x2f5379bd9fb5ab52L,0xe49e53a47fb70068L,
+        0x68dd39e5404aa9a7L },
+      { 0xb9b0cf572ecaa9c3L,0xba0e103be824826bL,0x60c2198b4631a3c4L,
+        0xc5ff84abfa8966a2L } },
+    /* 42 << 210 */
+    { { 0x2d6ebe22ac95aff8L,0x1c9bb6dbb5a46d09L,0x419062da53ee4f8dL,
+        0x7b9042d0bb97efefL },
+      { 0x0f87f080830cf6bdL,0x4861d19a6ec8a6c6L,0xd3a0daa1202f01aaL,
+        0xb0111674f25afbd5L } },
+    /* 43 << 210 */
+    { { 0x6d00d6cf1afb20d9L,0x1369500040671bc5L,0x913ab0dc2485ea9bL,
+        0x1f2bed069eef61acL },
+      { 0x850c82176d799e20L,0x93415f373271c2deL,0x5afb06e96c4f5910L,
+        0x688a52dfc4e9e421L } },
+    /* 44 << 210 */
+    { { 0x30495ba3e2a9a6dbL,0x4601303d58f9268bL,0xbe3b0dad7eb0f04fL,
+        0x4ea472504456936dL },
+      { 0x8caf8798d33fd3e7L,0x1ccd8a89eb433708L,0x9effe3e887fd50adL,
+        0xbe240a566b29c4dfL } },
+    /* 45 << 210 */
+    { { 0xec4ffd98ca0e7ebdL,0xf586783ae748616eL,0xa5b00d8fc77baa99L,
+        0x0acada29b4f34c9cL },
+      { 0x36dad67d0fe723acL,0x1d8e53a539c36c1eL,0xe4dd342d1f4bea41L,
+        0x64fd5e35ebc9e4e0L } },
+    /* 46 << 210 */
+    { { 0x96f01f9057908805L,0xb5b9ea3d5ed480ddL,0x366c5dc23efd2dd0L,
+        0xed2fe3056e9dfa27L },
+      { 0x4575e8926e9197e2L,0x11719c09ab502a5dL,0x264c7bece81f213fL,
+        0x741b924155f5c457L } },
+    /* 47 << 210 */
+    { { 0x78ac7b6849a5f4f4L,0xf91d70a29fc45b7dL,0x39b05544b0f5f355L,
+        0x11f06bceeef930d9L },
+      { 0xdb84d25d038d05e1L,0x04838ee5bacc1d51L,0x9da3ce869e8ee00bL,
+        0xc3412057c36eda1fL } },
+    /* 48 << 210 */
+    { { 0xae80b91364d9c2f4L,0x7468bac3a010a8ffL,0xdfd2003737359d41L,
+        0x1a0f5ab815efeaccL },
+      { 0x7c25ad2f659d0ce0L,0x4011bcbb6785cff1L,0x128b99127e2192c7L,
+        0xa549d8e113ccb0e8L } },
+    /* 49 << 210 */
+    { { 0x805588d8c85438b1L,0x5680332dbc25cb27L,0xdcd1bc961a4bfdf4L,
+        0x779ff428706f6566L },
+      { 0x8bbee998f059987aL,0xf6ce8cf2cc686de7L,0xf8ad3c4a953cfdb2L,
+        0xd1d426d92205da36L } },
+    /* 50 << 210 */
+    { { 0xb3c0f13fc781a241L,0x3e89360ed75362a8L,0xccd05863c8a91184L,
+        0x9bd0c9b7efa8a7f4L },
+      { 0x97ee4d538a912a4bL,0xde5e15f8bcf518fdL,0x6a055bf8c467e1e0L,
+        0x10be4b4b1587e256L } },
+    /* 51 << 210 */
+    { { 0xd90c14f2668621c9L,0xd5518f51ab9c92c1L,0x8e6a0100d6d47b3cL,
+        0xcbe980dd66716175L },
+      { 0x500d3f10ddd83683L,0x3b6cb35d99cac73cL,0x53730c8b6083d550L,
+        0xcf159767df0a1987L } },
+    /* 52 << 210 */
+    { { 0x84bfcf5343ad73b3L,0x1b528c204f035a94L,0x4294edf733eeac69L,
+        0xb6283e83817f3240L },
+      { 0xc3fdc9590a5f25b1L,0xefaf8aa55844ee22L,0xde269ba5dbdde4deL,
+        0xe3347160c56133bfL } },
+    /* 53 << 210 */
+    { { 0xc11842198d9ea9f8L,0x090de5dbf3fc1ab5L,0x404c37b10bf22cdaL,
+        0x7de20ec8f5618894L },
+      { 0x754c588eecdaecabL,0x6ca4b0ed88342743L,0x76f08bddf4a938ecL,
+        0xd182de8991493ccbL } },
+    /* 54 << 210 */
+    { { 0xd652c53ec8a4186aL,0xb3e878db946d8e33L,0x088453c05f37663cL,
+        0x5cd9daaab407748bL },
+      { 0xa1f5197f586d5e72L,0x47500be8c443ca59L,0x78ef35b2e2652424L,
+        0x09c5d26f6dd7767dL } },
+    /* 55 << 210 */
+    { { 0x7175a79aa74d3f7bL,0x0428fd8dcf5ea459L,0x511cb97ca5d1746dL,
+        0x36363939e71d1278L },
+      { 0xcf2df95510350bf4L,0xb381743960aae782L,0xa748c0e43e688809L,
+        0x98021fbfd7a5a006L } },
+    /* 56 << 210 */
+    { { 0x9076a70c0e367a98L,0xbea1bc150f62b7c2L,0x2645a68c30fe0343L,
+        0xacaffa78699dc14fL },
+      { 0xf4469964457bf9c4L,0x0db6407b0d2ead83L,0x68d56cadb2c6f3ebL,
+        0x3b512e73f376356cL } },
+    /* 57 << 210 */
+    { { 0xe43b0e1ffce10408L,0x89ddc0035a5e257dL,0xb0ae0d120362e5b3L,
+        0x07f983c7b0519161L },
+      { 0xc2e94d155d5231e7L,0xcff22aed0b4f9513L,0xb02588dd6ad0b0b5L,
+        0xb967d1ac11d0dcd5L } },
+    /* 58 << 210 */
+    { { 0x8dac6bc6cf777b6cL,0x0062bdbd4c6d1959L,0x53da71b50ef5cc85L,
+        0x07012c7d4006f14fL },
+      { 0x4617f962ac47800dL,0x53365f2bc102ed75L,0xb422efcb4ab8c9d3L,
+        0x195cb26b34af31c9L } },
+    /* 59 << 210 */
+    { { 0x3a926e2905f2c4ceL,0xbd2bdecb9856966cL,0x5d16ab3a85527015L,
+        0x9f81609e4486c231L },
+      { 0xd8b96b2cda350002L,0xbd054690fa1b7d36L,0xdc90ebf5e71d79bcL,
+        0xf241b6f908964e4eL } },
+    /* 60 << 210 */
+    { { 0x7c8386432fe3cd4cL,0xe0f33acbb4bc633cL,0xb4a9ecec3d139f1fL,
+        0x05ce69cddc4a1f49L },
+      { 0xa19d1b16f5f98aafL,0x45bb71d66f23e0efL,0x33789fcd46cdfdd3L,
+        0x9b8e2978cee040caL } },
+    /* 61 << 210 */
+    { { 0x9c69b246ae0a6828L,0xba533d247078d5aaL,0x7a2e42c07bb4fbdbL,
+        0xcfb4879a7035385cL },
+      { 0x8c3dd30b3281705bL,0x7e361c6c404fe081L,0x7b21649c3f604edfL,
+        0x5dbf6a3fe52ffe47L } },
+    /* 62 << 210 */
+    { { 0xc41b7c234b54d9bfL,0x1374e6813511c3d9L,0x1863bf16c1b2b758L,
+        0x90e785071e9e6a96L },
+      { 0xab4bf98d5d86f174L,0xd74e0bd385e96fe4L,0x8afde39fcac5d344L,
+        0x90946dbcbd91b847L } },
+    /* 63 << 210 */
+    { { 0xf5b42358fe1a838cL,0x05aae6c5620ac9d8L,0x8e193bd8a1ce5a0bL,
+        0x8f7105714dabfd72L },
+      { 0x8d8fdd48182caaacL,0x8c4aeefa040745cfL,0x73c6c30af3b93e6dL,
+        0x991241f316f42011L } },
+    /* 64 << 210 */
+    { { 0xa0158eeae457a477L,0xd19857dbee6ddc05L,0xb326522418c41671L,
+        0x3ffdfc7e3c2c0d58L },
+      { 0x3a3a525426ee7cdaL,0x341b0869df02c3a8L,0xa023bf42723bbfc8L,
+        0x3d15002a14452691L } },
+    /* 0 << 217 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 217 */
+    { { 0x5ef7324c85edfa30L,0x2597655487d4f3daL,0x352f5bc0dcb50c86L,
+        0x8f6927b04832a96cL },
+      { 0xd08ee1ba55f2f94cL,0x6a996f99344b45faL,0xe133cb8da8aa455dL,
+        0x5d0721ec758dc1f7L } },
+    /* 2 << 217 */
+    { { 0x6ba7a92079e5fb67L,0xe1331feb70aa725eL,0x5080ccf57df5d837L,
+        0xe4cae01d7ff72e21L },
+      { 0xd9243ee60412a77dL,0x06ff7cacdf449025L,0xbe75f7cd23ef5a31L,
+        0xbc9578220ddef7a8L } },
+    /* 3 << 217 */
+    { { 0x8cf7230cb0ce1c55L,0x5b534d050bbfb607L,0xee1ef1130e16363bL,
+        0x27e0aa7ab4999e82L },
+      { 0xce1dac2d79362c41L,0x67920c9091bb6cb0L,0x1e648d632223df24L,
+        0x0f7d9eefe32e8f28L } },
+    /* 4 << 217 */
+    { { 0x6943f39afa833834L,0x22951722a6328562L,0x81d63dd54170fc10L,
+        0x9f5fa58faecc2e6dL },
+      { 0xb66c8725e77d9a3bL,0x11235cea6384ebe0L,0x06a8c1185845e24aL,
+        0x0137b286ebd093b1L } },
+    /* 5 << 217 */
+    { { 0xc589e1ce44ace150L,0xe0f8d3d94381e97cL,0x59e99b1162c5a4b8L,
+        0x90d262f7fd0ec9f9L },
+      { 0xfbc854c9283e13c9L,0x2d04fde7aedc7085L,0x057d776547dcbecbL,
+        0x8dbdf5919a76fa5fL } },
+    /* 6 << 217 */
+    { { 0xd01506950de1e578L,0x2e1463e7e9f72bc6L,0xffa684411b39eca5L,
+        0x673c85307c037f2fL },
+      { 0xd0d6a600747f91daL,0xb08d43e1c9cb78e9L,0x0fc0c64427b5cef5L,
+        0x5c1d160aa60a2fd6L } },
+    /* 7 << 217 */
+    { { 0xf98cae5328c8e13bL,0x375f10c4b2eddcd1L,0xd4eb8b7f5cce06adL,
+        0xb4669f4580a2e1efL },
+      { 0xd593f9d05bbd8699L,0x5528a4c9e7976d13L,0x3923e0951c7e28d3L,
+        0xb92937903f6bb577L } },
+    /* 8 << 217 */
+    { { 0xdb567d6ac42bd6d2L,0x6df86468bb1f96aeL,0x0efe5b1a4843b28eL,
+        0x961bbb056379b240L },
+      { 0xb6caf5f070a6a26bL,0x70686c0d328e6e39L,0x80da06cf895fc8d3L,
+        0x804d8810b363fdc9L } },
+    /* 9 << 217 */
+    { { 0xbe22877b207f1670L,0x9b0dd1884e615291L,0x625ae8dc97a3c2bfL,
+        0x08584ef7439b86e8L },
+      { 0xde7190a5dcd898ffL,0x26286c402058ee3dL,0x3db0b2175f87b1c1L,
+        0xcc334771102a6db5L } },
+    /* 10 << 217 */
+    { { 0xd99de9542f770fb1L,0x97c1c6204cd7535eL,0xd3b6c4483f09cefcL,
+        0xd725af155a63b4f8L },
+      { 0x0c95d24fc01e20ecL,0xdfd374949ae7121fL,0x7d6ddb72ec77b7ecL,
+        0xfe079d3b0353a4aeL } },
+    /* 11 << 217 */
+    { { 0x3066e70a2e6ac8d2L,0x9c6b5a43106e5c05L,0x52d3c6f5ede59b8cL,
+        0x30d6a5c3fccec9aeL },
+      { 0xedec7c224fc0a9efL,0x190ff08395c16cedL,0xbe12ec8f94de0fdeL,
+        0x0d131ab8852d3433L } },
+    /* 12 << 217 */
+    { { 0x42ace07e85701291L,0x94793ed9194061a8L,0x30e83ed6d7f4a485L,
+        0x9eec7269f9eeff4dL },
+      { 0x90acba590c9d8005L,0x5feca4581e79b9d1L,0x8fbe54271d506a1eL,
+        0xa32b2c8e2439cfa7L } },
+    /* 13 << 217 */
+    { { 0x1671c17373dd0b4eL,0x37a2821444a054c6L,0x81760a1b4e8b53f1L,
+        0xa6c04224f9f93b9eL },
+      { 0x18784b34cf671e3cL,0x81bbecd2cda9b994L,0x38831979b2ab3848L,
+        0xef54feb7f2e03c2dL } },
+    /* 14 << 217 */
+    { { 0xcf197ca7fb8088faL,0x014272474ddc96c5L,0xa2d2550a30777176L,
+        0x534698984d0cf71dL },
+      { 0x6ce937b83a2aaac6L,0xe9f91dc35af38d9bL,0x2598ad83c8bf2899L,
+        0x8e706ac9b5536c16L } },
+    /* 15 << 217 */
+    { { 0x40dc7495f688dc98L,0x26490cd7124c4afcL,0xe651ec841f18775cL,
+        0x393ea6c3b4fdaf4aL },
+      { 0x1e1f33437f338e0dL,0x39fb832b6053e7b5L,0x46e702da619e14d5L,
+        0x859cacd1cdeef6e0L } },
+    /* 16 << 217 */
+    { { 0x63b99ce74462007dL,0xb8ab48a54cb5f5b7L,0x9ec673d2f55edde7L,
+        0xd1567f748cfaefdaL },
+      { 0x46381b6b0887bcecL,0x694497cee178f3c2L,0x5e6525e31e6266cbL,
+        0x5931de26697d6413L } },
+    /* 17 << 217 */
+    { { 0x87f8df7c0e58d493L,0xb1ae5ed058b73f12L,0xc368f784dea0c34dL,
+        0x9bd0a120859a91a0L },
+      { 0xb00d88b7cc863c68L,0x3a1cc11e3d1f4d65L,0xea38e0e70aa85593L,
+        0x37f13e987dc4aee8L } },
+    /* 18 << 217 */
+    { { 0x10d38667bc947badL,0x738e07ce2a36ee2eL,0xc93470cdc577fcacL,
+        0xdee1b6162782470dL },
+      { 0x36a25e672e793d12L,0xd6aa6caee0f186daL,0x474d0fd980e07af7L,
+        0xf7cdc47dba8a5cd4L } },
+    /* 19 << 217 */
+    { { 0x28af6d9dab15247fL,0x7c789c10493a537fL,0x7ac9b11023a334e7L,
+        0x0236ac0912c9c277L },
+      { 0xa7e5bd251d7a5144L,0x098b9c2af13ec4ecL,0x3639dacad3f0abcaL,
+        0x642da81aa23960f9L } },
+    /* 20 << 217 */
+    { { 0x7d2e5c054f7269b1L,0xfcf30777e287c385L,0x10edc84ff2a46f21L,
+        0x354417574f43fa36L },
+      { 0xf1327899fd703431L,0xa438d7a616dd587aL,0x65c34c57e9c8352dL,
+        0xa728edab5cc5a24eL } },
+    /* 21 << 217 */
+    { { 0xaed78abc42531689L,0x0a51a0e8010963efL,0x5776fa0ad717d9b3L,
+        0xf356c2397dd3428bL },
+      { 0x29903fff8d3a3dacL,0x409597fa3d94491fL,0x4cd7a5ffbf4a56a4L,
+        0xe50964748adab462L } },
+    /* 22 << 217 */
+    { { 0xa97b51265c3427b0L,0x6401405cd282c9bdL,0x3629f8d7222c5c45L,
+        0xb1c02c16e8d50aedL },
+      { 0xbea2ed75d9635bc9L,0x226790c76e24552fL,0x3c33f2a365f1d066L,
+        0x2a43463e6dfccc2eL } },
+    /* 23 << 217 */
+    { { 0x8cc3453adb483761L,0xe7cc608565d5672bL,0x277ed6cbde3efc87L,
+        0x19f2f36869234eafL },
+      { 0x9aaf43175c0b800bL,0x1f1e7c898b6da6e2L,0x6cfb4715b94ec75eL,
+        0xd590dd5f453118c2L } },
+    /* 24 << 217 */
+    { { 0x14e49da11f17a34cL,0x5420ab39235a1456L,0xb76372412f50363bL,
+        0x7b15d623c3fabb6eL },
+      { 0xa0ef40b1e274e49cL,0x5cf5074496b1860aL,0xd6583fbf66afe5a4L,
+        0x44240510f47e3e9aL } },
+    /* 25 << 217 */
+    { { 0x9925434311b2d595L,0xf1367499eec8df57L,0x3cb12c613e73dd05L,
+        0xd248c0337dac102aL },
+      { 0xcf154f13a77739f5L,0xbf4288cb23d2af42L,0xaa64c9b632e4a1cfL,
+        0xee8c07a8c8a208f3L } },
+    /* 26 << 217 */
+    { { 0xe10d49996fe8393fL,0x0f809a3fe91f3a32L,0x61096d1c802f63c8L,
+        0x289e146257750d3dL },
+      { 0xed06167e9889feeaL,0xd5c9c0e2e0993909L,0x46fca0d856508ac6L,
+        0x918260474f1b8e83L } },
+    /* 27 << 217 */
+    { { 0x4f2c877a9a4a2751L,0x71bd0072cae6feadL,0x38df8dcc06aa1941L,
+        0x5a074b4c63beeaa8L },
+      { 0xd6d65934c1cec8edL,0xa6ecb49eaabc03bdL,0xaade91c2de8a8415L,
+        0xcfb0efdf691136e0L } },
+    /* 28 << 217 */
+    { { 0x11af45ee23ab3495L,0xa132df880b77463dL,0x8923c15c815d06f4L,
+        0xc3ceb3f50d61a436L },
+      { 0xaf52291de88fb1daL,0xea0579741da12179L,0xb0d7218cd2fef720L,
+        0x6c0899c98e1d8845L } },
+    /* 29 << 217 */
+    { { 0x98157504752ddad7L,0xd60bd74fa1a68a97L,0x7047a3a9f658fb99L,
+        0x1f5d86d65f8511e4L },
+      { 0xb8a4bc424b5a6d88L,0x69eb2c331abefa7dL,0x95bf39e813c9c510L,
+        0xf571960ad48aab43L } },
+    /* 30 << 217 */
+    { { 0x7e8cfbcf704e23c6L,0xc71b7d2228aaa65bL,0xa041b2bd245e3c83L,
+        0x69b98834d21854ffL },
+      { 0x89d227a3963bfeecL,0x99947aaade7da7cbL,0x1d9ee9dbee68a9b1L,
+        0x0a08f003698ec368L } },
+    /* 31 << 217 */
+    { { 0xe9ea409478ef2487L,0xc8d2d41502cfec26L,0xc52f9a6eb7dcf328L,
+        0x0ed489e385b6a937L },
+      { 0x9b94986bbef3366eL,0x0de59c70edddddb8L,0xffdb748ceadddbe2L,
+        0x9b9784bb8266ea40L } },
+    /* 32 << 217 */
+    { { 0x142b55021a93507aL,0xb4cd11878d3c06cfL,0xdf70e76a91ec3f40L,
+        0x484e81ad4e7553c2L },
+      { 0x830f87b5272e9d6eL,0xea1c93e5c6ff514aL,0x67cc2adcc4192a8eL,
+        0xc77e27e242f4535aL } },
+    /* 33 << 217 */
+    { { 0x9cdbab36d2b713c5L,0x86274ea0cf7b0cd3L,0x784680f309af826bL,
+        0xbfcc837a0c72dea3L },
+      { 0xa8bdfe9dd6529b73L,0x708aa22863a88002L,0x6c7a9a54c91d45b9L,
+        0xdf1a38bbfd004f56L } },
+    /* 34 << 217 */
+    { { 0x2e8c9a26b8bad853L,0x2d52cea33723eae7L,0x054d6d8156ca2830L,
+        0xa3317d149a8dc411L },
+      { 0xa08662fefd4ddedaL,0xed2a153ab55d792bL,0x7035c16abfc6e944L,
+        0xb6bc583400171cf3L } },
+    /* 35 << 217 */
+    { { 0xe27152b383d102b6L,0xfe695a470646b848L,0xa5bb09d8916e6d37L,
+        0xb4269d640d17015eL },
+      { 0x8d8156a10a1d2285L,0xfeef6c5146d26d72L,0x9dac57c84c5434a7L,
+        0x0282e5be59d39e31L } },
+    /* 36 << 217 */
+    { { 0xedfff181721c486dL,0x301baf10bc58824eL,0x8136a6aa00570031L,
+        0x55aaf78c1cddde68L },
+      { 0x2682937159c63952L,0x3a3bd2748bc25bafL,0xecdf8657b7e52dc3L,
+        0x2dd8c087fd78e6c8L } },
+    /* 37 << 217 */
+    { { 0x20553274f5531461L,0x8b4a12815d95499bL,0xe2c8763a1a80f9d2L,
+        0xd1dbe32b4ddec758L },
+      { 0xaf12210d30c34169L,0xba74a95378baa533L,0x3d133c6ea438f254L,
+        0xa431531a201bef5bL } },
+    /* 38 << 217 */
+    { { 0x15295e22f669d7ecL,0xca374f64357fb515L,0x8a8406ffeaa3fdb3L,
+        0x106ae448df3f2da8L },
+      { 0x8f9b0a9033c8e9a1L,0x234645e271ad5885L,0x3d0832241c0aed14L,
+        0xf10a7d3e7a942d46L } },
+    /* 39 << 217 */
+    { { 0x7c11deee40d5c9beL,0xb2bae7ffba84ed98L,0x93e97139aad58dddL,
+        0x3d8727963f6d1fa3L },
+      { 0x483aca818569ff13L,0x8b89a5fb9a600f72L,0x4cbc27c3c06f2b86L,
+        0x2213071363ad9c0bL } },
+    /* 40 << 217 */
+    { { 0xb5358b1e48ac2840L,0x18311294ecba9477L,0xda58f990a6946b43L,
+        0x3098baf99ab41819L },
+      { 0x66c4c1584198da52L,0xab4fc17c146bfd1bL,0x2f0a4c3cbf36a908L,
+        0x2ae9e34b58cf7838L } },
+    /* 41 << 217 */
+    { { 0xf411529e3fa11b1fL,0x21e43677974af2b4L,0x7c20958ec230793bL,
+        0x710ea88516e840f3L },
+      { 0xfc0b21fcc5dc67cfL,0x08d5164788405718L,0xd955c21fcfe49eb7L,
+        0x9722a5d556dd4a1fL } },
+    /* 42 << 217 */
+    { { 0xc9ef50e2c861baa5L,0xc0c21a5d9505ac3eL,0xaf6b9a338b7c063fL,
+        0xc63703392f4779c1L },
+      { 0x22df99c7638167c3L,0xfe6ffe76795db30cL,0x2b822d33a4854989L,
+        0xfef031dd30563aa5L } },
+    /* 43 << 217 */
+    { { 0x16b09f82d57c667fL,0xc70312cecc0b76f1L,0xbf04a9e6c9118aecL,
+        0x82fcb4193409d133L },
+      { 0x1a8ab385ab45d44dL,0xfba07222617b83a3L,0xb05f50dd58e81b52L,
+        0x1d8db55321ce5affL } },
+    /* 44 << 217 */
+    { { 0x3097b8d4e344a873L,0x7d8d116dfe36d53eL,0x6db22f587875e750L,
+        0x2dc5e37343e144eaL },
+      { 0xc05f32e6e799eb95L,0xe9e5f4df6899e6ecL,0xbdc3bd681fab23d5L,
+        0xb72b8ab773af60e6L } },
+    /* 45 << 217 */
+    { { 0x8db27ae02cecc84aL,0x600016d87bdb871cL,0x42a44b13d7c46f58L,
+        0xb8919727c3a77d39L },
+      { 0xcfc6bbbddafd6088L,0x1a7401466bd20d39L,0x8c747abd98c41072L,
+        0x4c91e765bdf68ea1L } },
+    /* 46 << 217 */
+    { { 0x7c95e5ca08819a78L,0xcf48b729c9587921L,0x091c7c5fdebbcc7dL,
+        0x6f287404f0e05149L },
+      { 0xf83b5ac226cd44ecL,0x88ae32a6cfea250eL,0x6ac5047a1d06ebc5L,
+        0xc7e550b4d434f781L } },
+    /* 47 << 217 */
+    { { 0x61ab1cf25c727bd2L,0x2e4badb11cf915b0L,0x1b4dadecf69d3920L,
+        0xe61b1ca6f14c1dfeL },
+      { 0x90b479ccbd6bd51fL,0x8024e4018045ec30L,0xcab29ca325ef0e62L,
+        0x4f2e941649e4ebc0L } },
+    /* 48 << 217 */
+    { { 0x45eb40ec0ccced58L,0x25cd4b9c0da44f98L,0x43e06458871812c6L,
+        0x99f80d5516cef651L },
+      { 0x571340c9ce6dc153L,0x138d5117d8665521L,0xacdb45bc4e07014dL,
+        0x2f34bb3884b60b91L } },
+    /* 49 << 217 */
+    { { 0xf44a4fd22ae8921eL,0xb039288e892ba1e2L,0x9da50174b1c180b2L,
+        0x6b70ab661693dc87L },
+      { 0x7e9babc9e7057481L,0x4581ddef9c80dc41L,0x0c890da951294682L,
+        0x0b5629d33f4736e5L } },
+    /* 50 << 217 */
+    { { 0x2340c79eb06f5b41L,0xa42e84ce4e243469L,0xf9a20135045a71a9L,
+        0xefbfb415d27b6fb6L },
+      { 0x25ebea239d33cd6fL,0x9caedb88aa6c0af8L,0x53dc7e9ad9ce6f96L,
+        0x3897f9fd51e0b15aL } },
+    /* 51 << 217 */
+    { { 0xf51cb1f88e5d788eL,0x1aec7ba8e1d490eeL,0x265991e0cc58cb3cL,
+        0x9f306e8c9fc3ad31L },
+      { 0x5fed006e5040a0acL,0xca9d5043fb476f2eL,0xa19c06e8beea7a23L,
+        0xd28658010edabb63L } },
+    /* 52 << 217 */
+    { { 0xdb92293f6967469aL,0x2894d8398d8a8ed8L,0x87c9e406bbc77122L,
+        0x8671c6f12ea3a26aL },
+      { 0xe42df8d6d7de9853L,0x2e3ce346b1f2bcc7L,0xda601dfc899d50cfL,
+        0xbfc913defb1b598fL } },
+    /* 53 << 217 */
+    { { 0x81c4909fe61f7908L,0x192e304f9bbc7b29L,0xc3ed8738c104b338L,
+        0xedbe9e47783f5d61L },
+      { 0x0c06e9be2db30660L,0xda3e613fc0eb7d8eL,0xd8fa3e97322e096eL,
+        0xfebd91e8d336e247L } },
+    /* 54 << 217 */
+    { { 0x8f13ccc4df655a49L,0xa9e00dfc5eb20210L,0x84631d0fc656b6eaL,
+        0x93a058cdd8c0d947L },
+      { 0x6846904a67bd3448L,0x4a3d4e1af394fd5cL,0xc102c1a5db225f52L,
+        0xe3455bbafc4f5e9aL } },
+    /* 55 << 217 */
+    { { 0x6b36985b4b9ad1ceL,0xa98185365bb7f793L,0x6c25e1d048b1a416L,
+        0x1381dd533c81bee7L },
+      { 0xd2a30d617a4a7620L,0xc841292639b8944cL,0x3c1c6fbe7a97c33aL,
+        0x941e541d938664e7L } },
+    /* 56 << 217 */
+    { { 0x417499e84a34f239L,0x15fdb83cb90402d5L,0xb75f46bf433aa832L,
+        0xb61e15af63215db1L },
+      { 0xaabe59d4a127f89aL,0x5d541e0c07e816daL,0xaaba0659a618b692L,
+        0x5532773317266026L } },
+    /* 57 << 217 */
+    { { 0xaf53a0fc95f57552L,0x329476506cacb0c9L,0x253ff58dc821be01L,
+        0xb0309531a06f1146L },
+      { 0x59bbbdf505c2e54dL,0x158f27ad26e8dd22L,0xcc5b7ffb397e1e53L,
+        0xae03f65b7fc1e50dL } },
+    /* 58 << 217 */
+    { { 0xa9784ebd9c95f0f9L,0x5ed9deb224640771L,0x31244af7035561c4L,
+        0x87332f3a7ee857deL },
+      { 0x09e16e9e2b9e0d88L,0x52d910f456a06049L,0x507ed477a9592f48L,
+        0x85cb917b2365d678L } },
+    /* 59 << 217 */
+    { { 0xf8511c934c8998d1L,0x2186a3f1730ea58fL,0x50189626b2029db0L,
+        0x9137a6d902ceb75aL },
+      { 0x2fe17f37748bc82cL,0x87c2e93180469f8cL,0x850f71cdbf891aa2L,
+        0x0ca1b89b75ec3d8dL } },
+    /* 60 << 217 */
+    { { 0x516c43aa5e1cd3cdL,0x893978089a887c28L,0x0059c699ddea1f9fL,
+        0x7737d6fa8e6868f7L },
+      { 0x6d93746a60f1524bL,0x36985e55ba052aa7L,0x41b1d322ed923ea5L,
+        0x3429759f25852a11L } },
+    /* 61 << 217 */
+    { { 0xbeca6ec3092e9f41L,0x3a238c6662256bbdL,0xd82958ea70ad487dL,
+        0x4ac8aaf965610d93L },
+      { 0x3fa101b15e4ccab0L,0x9bf430f29de14bfbL,0xa10f5cc66531899dL,
+        0x590005fbea8ce17dL } },
+    /* 62 << 217 */
+    { { 0xc437912f24544cb6L,0x9987b71ad79ac2e3L,0x13e3d9ddc058a212L,
+        0x00075aacd2de9606L },
+      { 0x80ab508b6cac8369L,0x87842be7f54f6c89L,0xa7ad663d6bc532a4L,
+        0x67813de778a91bc8L } },
+    /* 63 << 217 */
+    { { 0x5dcb61cec3427239L,0x5f3c7cf0c56934d9L,0xc079e0fbe3191591L,
+        0xe40896bdb01aada7L },
+      { 0x8d4667910492d25fL,0x8aeb30c9e7408276L,0xe94374959287aaccL,
+        0x23d4708d79fe03d4L } },
+    /* 64 << 217 */
+    { { 0x8cda9cf2d0c05199L,0x502fbc22fae78454L,0xc0bda9dff572a182L,
+        0x5f9b71b86158b372L },
+      { 0xe0f33a592b82dd07L,0x763027359523032eL,0x7fe1a721c4505a32L,
+        0x7b6e3e82f796409fL } },
+    /* 0 << 224 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 224 */
+    { { 0xe3417bc035d0b34aL,0x440b386b8327c0a7L,0x8fb7262dac0362d1L,
+        0x2c41114ce0cdf943L },
+      { 0x2ba5cef1ad95a0b1L,0xc09b37a867d54362L,0x26d6cdd201e486c9L,
+        0x20477abf42ff9297L } },
+    /* 2 << 224 */
+    { { 0xa004dcb3292a9287L,0xddc15cf677b092c7L,0x083a8464806c0605L,
+        0x4a68df703db997b0L },
+      { 0x9c134e4505bf7dd0L,0xa4e63d398ccf7f8cL,0xa6e6517f41b5f8afL,
+        0xaa8b9342ad7bc1ccL } },
+    /* 3 << 224 */
+    { { 0x126f35b51e706ad9L,0xb99cebb4c3a9ebdfL,0xa75389afbf608d90L,
+        0x76113c4fc6c89858L },
+      { 0x80de8eb097e2b5aaL,0x7e1022cc63b91304L,0x3bdab6056ccc066cL,
+        0x33cbb144b2edf900L } },
+    /* 4 << 224 */
+    { { 0xc41764717af715d2L,0xe2f7f594d0134a96L,0x2c1873efa41ec956L,
+        0xe4e7b4f677821304L },
+      { 0xe5c8ff9788d5374aL,0x2b915e6380823d5bL,0xea6bc755b2ee8fe2L,
+        0x6657624ce7112651L } },
+    /* 5 << 224 */
+    { { 0x157af101dace5acaL,0xc4fdbcf211a6a267L,0xdaddf340c49c8609L,
+        0x97e49f52e9604a65L },
+      { 0x9be8e790937e2ad5L,0x846e2508326e17f1L,0x3f38007a0bbbc0dcL,
+        0xcf03603fb11e16d6L } },
+    /* 6 << 224 */
+    { { 0xd6f800e07442f1d5L,0x475607d166e0e3abL,0x82807f16b7c64047L,
+        0x8858e1e3a749883dL },
+      { 0x5859120b8231ee10L,0x1b80e7eb638a1eceL,0xcb72525ac6aa73a4L,
+        0xa7cdea3d844423acL } },
+    /* 7 << 224 */
+    { { 0x5ed0c007f8ae7c38L,0x6db07a5c3d740192L,0xbe5e9c2a5fe36db3L,
+        0xd5b9d57a76e95046L },
+      { 0x54ac32e78eba20f2L,0xef11ca8f71b9a352L,0x305e373eff98a658L,
+        0xffe5a100823eb667L } },
+    /* 8 << 224 */
+    { { 0x57477b11e51732d2L,0xdfd6eb282538fc0eL,0x5c43b0cc3b39eec5L,
+        0x6af12778cb36cc57L },
+      { 0x70b0852d06c425aeL,0x6df92f8c5c221b9bL,0x6c8d4f9ece826d9cL,
+        0xf59aba7bb49359c3L } },
+    /* 9 << 224 */
+    { { 0x5c8ed8d5da64309dL,0x61a6de5691b30704L,0xd6b52f6a2f9b5808L,
+        0x0eee419498c958a7L },
+      { 0xcddd9aab771e4caaL,0x83965dfd78bc21beL,0x02affce3b3b504f5L,
+        0x30847a21561c8291L } },
+    /* 10 << 224 */
+    { { 0xd2eb2cf152bfda05L,0xe0e4c4e96197b98cL,0x1d35076cf8a1726fL,
+        0x6c06085b2db11e3dL },
+      { 0x15c0c4d74463ba14L,0x9d292f830030238cL,0x1311ee8b3727536dL,
+        0xfeea86efbeaedc1eL } },
+    /* 11 << 224 */
+    { { 0xb9d18cd366131e2eL,0xf31d974f80fe2682L,0xb6e49e0fe4160289L,
+        0x7c48ec0b08e92799L },
+      { 0x818111d8d1989aa7L,0xb34fa0aaebf926f9L,0xdb5fe2f5a245474aL,
+        0xf80a6ebb3c7ca756L } },
+    /* 12 << 224 */
+    { { 0xa7f96054afa05dd8L,0x26dfcf21fcaf119eL,0xe20ef2e30564bb59L,
+        0xef4dca5061cb02b8L },
+      { 0xcda7838a65d30672L,0x8b08d534fd657e86L,0x4c5b439546d595c8L,
+        0x39b58725425cb836L } },
+    /* 13 << 224 */
+    { { 0x8ea610593de9abe3L,0x404348819cdc03beL,0x9b261245cfedce8cL,
+        0x78c318b4cf5234a1L },
+      { 0x510bcf16fde24c99L,0x2a77cb75a2c2ff5dL,0x9c895c2b27960fb4L,
+        0xd30ce975b0eda42bL } },
+    /* 14 << 224 */
+    { { 0xfda853931a62cc26L,0x23c69b9650c0e052L,0xa227df15bfc633f3L,
+        0x2ac788481bae7d48L },
+      { 0x487878f9187d073dL,0x6c2be919967f807dL,0x765861d8336e6d8fL,
+        0x88b8974cce528a43L } },
+    /* 15 << 224 */
+    { { 0x09521177ff57d051L,0x2ff38037fb6a1961L,0xfc0aba74a3d76ad4L,
+        0x7c76480325a7ec17L },
+      { 0x7532d75f48879bc8L,0xea7eacc058ce6bc1L,0xc82176b48e896c16L,
+        0x9a30e0b22c750fedL } },
+    /* 16 << 224 */
+    { { 0xc37e2c2e421d3aa4L,0xf926407ce84fa840L,0x18abc03d1454e41cL,
+        0x26605ecd3f7af644L },
+      { 0x242341a6d6a5eabfL,0x1edb84f4216b668eL,0xd836edb804010102L,
+        0x5b337ce7945e1d8cL } },
+    /* 17 << 224 */
+    { { 0xd2075c77c055dc14L,0x2a0ffa2581d89cdfL,0x8ce815ea6ffdcbafL,
+        0xa3428878fb648867L },
+      { 0x277699cf884655fbL,0xfa5b5bd6364d3e41L,0x01f680c6441e1cb7L,
+        0x3fd61e66b70a7d67L } },
+    /* 18 << 224 */
+    { { 0x666ba2dccc78cf66L,0xb30181746fdbff77L,0x8d4dd0db168d4668L,
+        0x259455d01dab3a2aL },
+      { 0xf58564c5cde3acecL,0x7714192513adb276L,0x527d725d8a303f65L,
+        0x55deb6c9e6f38f7bL } },
+    /* 19 << 224 */
+    { { 0xfd5bb657b1fa70fbL,0xfa07f50fd8073a00L,0xf72e3aa7bca02500L,
+        0xf68f895d9975740dL },
+      { 0x301120605cae2a6aL,0x01bd721802874842L,0x3d4238917ce47bd3L,
+        0xa66663c1789544f6L } },
+    /* 20 << 224 */
+    { { 0x864d05d73272d838L,0xe22924f9fa6295c5L,0x8189593f6c2fda32L,
+        0x330d7189b184b544L },
+      { 0x79efa62cbde1f714L,0x35771c94e5cb1a63L,0x2f4826b8641c8332L,
+        0x00a894fbc8cee854L } },
+    /* 21 << 224 */
+    { { 0xb4b9a39b36194d40L,0xe857a7c577612601L,0xf4209dd24ecf2f58L,
+        0x82b9e66d5a033487L },
+      { 0xc1e36934e4e8b9ddL,0xd2372c9da42377d7L,0x51dc94c70e3ae43bL,
+        0x4c57761e04474f6fL } },
+    /* 22 << 224 */
+    { { 0xdcdacd0a1058a318L,0x369cf3f578053a9aL,0xc6c3de5031c68de2L,
+        0x4653a5763c4b6d9fL },
+      { 0x1688dd5aaa4e5c97L,0x5be80aa1b7ab3c74L,0x70cefe7cbc65c283L,
+        0x57f95f1306867091L } },
+    /* 23 << 224 */
+    { { 0xa39114e24415503bL,0xc08ff7c64cbb17e9L,0x1eff674dd7dec966L,
+        0x6d4690af53376f63L },
+      { 0xff6fe32eea74237bL,0xc436d17ecd57508eL,0x15aa28e1edcc40feL,
+        0x0d769c04581bbb44L } },
+    /* 24 << 224 */
+    { { 0xc240b6de34eaacdaL,0xd9e116e82ba0f1deL,0xcbe45ec779438e55L,
+        0x91787c9d96f752d7L },
+      { 0x897f532bf129ac2fL,0xd307b7c85a36e22cL,0x91940675749fb8f3L,
+        0xd14f95d0157fdb28L } },
+    /* 25 << 224 */
+    { { 0xfe51d0296ae55043L,0x8931e98f44a87de1L,0xe57f1cc609e4fee2L,
+        0x0d063b674e072d92L },
+      { 0x70a998b9ed0e4316L,0xe74a736b306aca46L,0xecf0fbf24fda97c7L,
+        0xa40f65cb3e178d93L } },
+    /* 26 << 224 */
+    { { 0x1625360416df4285L,0xb0c9babbd0c56ae2L,0x73032b19cfc5cfc3L,
+        0xe497e5c309752056L },
+      { 0x12096bb4164bda96L,0x1ee42419a0b74da1L,0x8fc36243403826baL,
+        0x0c8f0069dc09e660L } },
+    /* 27 << 224 */
+    { { 0x8667e981c27253c9L,0x05a6aefb92b36a45L,0xa62c4b369cb7bb46L,
+        0x8394f37511f7027bL },
+      { 0x747bc79c5f109d0fL,0xcad88a765b8cc60aL,0x80c5a66b58f09e68L,
+        0xe753d451f6127eacL } },
+    /* 28 << 224 */
+    { { 0xc44b74a15b0ec6f5L,0x47989fe45289b2b8L,0x745f848458d6fc73L,
+        0xec362a6ff61c70abL },
+      { 0x070c98a7b3a8ad41L,0x73a20fc07b63db51L,0xed2c2173f44c35f4L,
+        0x8a56149d9acc9dcaL } },
+    /* 29 << 224 */
+    { { 0x98f178819ac6e0f4L,0x360fdeafa413b5edL,0x0625b8f4a300b0fdL,
+        0xf1f4d76a5b3222d3L },
+      { 0x9d6f5109587f76b8L,0x8b4ee08d2317fdb5L,0x88089bb78c68b095L,
+        0x95570e9a5808d9b9L } },
+    /* 30 << 224 */
+    { { 0xa395c36f35d33ae7L,0x200ea12350bb5a94L,0x20c789bd0bafe84bL,
+        0x243ef52d0919276aL },
+      { 0x3934c577e23ae233L,0xb93807afa460d1ecL,0xb72a53b1f8fa76a4L,
+        0xd8914cb0c3ca4491L } },
+    /* 31 << 224 */
+    { { 0x2e1284943fb42622L,0x3b2700ac500907d5L,0xf370fb091a95ec63L,
+        0xf8f30be231b6dfbdL },
+      { 0xf2b2f8d269e55f15L,0x1fead851cc1323e9L,0xfa366010d9e5eef6L,
+        0x64d487b0e316107eL } },
+    /* 32 << 224 */
+    { { 0x4c076b86d23ddc82L,0x03fd344c7e0143f0L,0xa95362ff317af2c5L,
+        0x0add3db7e18b7a4fL },
+      { 0x9c673e3f8260e01bL,0xfbeb49e554a1cc91L,0x91351bf292f2e433L,
+        0xc755e7ec851141ebL } },
+    /* 33 << 224 */
+    { { 0xc9a9513929607745L,0x0ca07420a26f2b28L,0xcb2790e74bc6f9ddL,
+        0x345bbb58adcaffc0L },
+      { 0xc65ea38cbe0f27a2L,0x67c24d7c641fcb56L,0x2c25f0a7a9e2c757L,
+        0x93f5cdb016f16c49L } },
+    /* 34 << 224 */
+    { { 0x2ca5a9d7c5ee30a1L,0xd1593635b909b729L,0x804ce9f3dadeff48L,
+        0xec464751b07c30c3L },
+      { 0x89d65ff39e49af6aL,0xf2d6238a6f3d01bcL,0x1095561e0bced843L,
+        0x51789e12c8a13fd8L } },
+    /* 35 << 224 */
+    { { 0xd633f929763231dfL,0x46df9f7de7cbddefL,0x01c889c0cb265da8L,
+        0xfce1ad10af4336d2L },
+      { 0x8d110df6fc6a0a7eL,0xdd431b986da425dcL,0xcdc4aeab1834aabeL,
+        0x84deb1248439b7fcL } },
+    /* 36 << 224 */
+    { { 0x8796f1693c2a5998L,0x9b9247b47947190dL,0x55b9d9a511597014L,
+        0x7e9dd70d7b1566eeL },
+      { 0x94ad78f7cbcd5e64L,0x0359ac179bd4c032L,0x3b11baaf7cc222aeL,
+        0xa6a6e284ba78e812L } },
+    /* 37 << 224 */
+    { { 0x8392053f24cea1a0L,0xc97bce4a33621491L,0x7eb1db3435399ee9L,
+        0x473f78efece81ad1L },
+      { 0x41d72fe0f63d3d0dL,0xe620b880afab62fcL,0x92096bc993158383L,
+        0x41a213578f896f6cL } },
+    /* 38 << 224 */
+    { { 0x1b5ee2fac7dcfcabL,0x650acfde9546e007L,0xc081b749b1b02e07L,
+        0xda9e41a0f9eca03dL },
+      { 0x013ba727175a54abL,0xca0cd190ea5d8d10L,0x85ea52c095fd96a9L,
+        0x2c591b9fbc5c3940L } },
+    /* 39 << 224 */
+    { { 0x6fb4d4e42bad4d5fL,0xfa4c3590fef0059bL,0x6a10218af5122294L,
+        0x9a78a81aa85751d1L },
+      { 0x04f20579a98e84e7L,0xfe1242c04997e5b5L,0xe77a273bca21e1e4L,
+        0xfcc8b1ef9411939dL } },
+    /* 40 << 224 */
+    { { 0xe20ea30292d0487aL,0x1442dbec294b91feL,0x1f7a4afebb6b0e8fL,
+        0x1700ef746889c318L },
+      { 0xf5bbffc370f1fc62L,0x3b31d4b669c79ccaL,0xe8bc2aaba7f6340dL,
+        0xb0b08ab4a725e10aL } },
+    /* 41 << 224 */
+    { { 0x44f05701ae340050L,0xba4b30161cf0c569L,0x5aa29f83fbe19a51L,
+        0x1b9ed428b71d752eL },
+      { 0x1666e54eeb4819f5L,0x616cdfed9e18b75bL,0x112ed5be3ee27b0bL,
+        0xfbf2831944c7de4dL } },
+    /* 42 << 224 */
+    { { 0xd685ec85e0e60d84L,0x68037e301db7ee78L,0x5b65bdcd003c4d6eL,
+        0x33e7363a93e29a6aL },
+      { 0x995b3a6108d0756cL,0xd727f85c2faf134bL,0xfac6edf71d337823L,
+        0x99b9aa500439b8b4L } },
+    /* 43 << 224 */
+    { { 0x722eb104e2b4e075L,0x49987295437c4926L,0xb1e4c0e446a9b82dL,
+        0xd0cb319757a006f5L },
+      { 0xf3de0f7dd7808c56L,0xb5c54d8f51f89772L,0x500a114aadbd31aaL,
+        0x9afaaaa6295f6cabL } },
+    /* 44 << 224 */
+    { { 0x94705e2104cf667aL,0xfc2a811b9d3935d7L,0x560b02806d09267cL,
+        0xf19ed119f780e53bL },
+      { 0xf0227c09067b6269L,0x967b85335caef599L,0x155b924368efeebcL,
+        0xcd6d34f5c497bae6L } },
+    /* 45 << 224 */
+    { { 0x1dd8d5d36cceb370L,0x2aeac579a78d7bf9L,0x5d65017d70b67a62L,
+        0x70c8e44f17c53f67L },
+      { 0xd1fc095086a34d09L,0xe0fca256e7134907L,0xe24fa29c80fdd315L,
+        0x2c4acd03d87499adL } },
+    /* 46 << 224 */
+    { { 0xbaaf75173b5a9ba6L,0xb9cbe1f612e51a51L,0xd88edae35e154897L,
+        0xe4309c3c77b66ca0L },
+      { 0xf5555805f67f3746L,0x85fc37baa36401ffL,0xdf86e2cad9499a53L,
+        0x6270b2a3ecbc955bL } },
+    /* 47 << 224 */
+    { { 0xafae64f5974ad33bL,0x04d85977fe7b2df1L,0x2a3db3ff4ab03f73L,
+        0x0b87878a8702740aL },
+      { 0x6d263f015a061732L,0xc25430cea32a1901L,0xf7ebab3ddb155018L,
+        0x3a86f69363a9b78eL } },
+    /* 48 << 224 */
+    { { 0x349ae368da9f3804L,0x470f07fea164349cL,0xd52f4cc98562baa5L,
+        0xc74a9e862b290df3L },
+      { 0xd3a1aa3543471a24L,0x239446beb8194511L,0xbec2dd0081dcd44dL,
+        0xca3d7f0fc42ac82dL } },
+    /* 49 << 224 */
+    { { 0x1f3db085fdaf4520L,0xbb6d3e804549daf2L,0xf5969d8a19ad5c42L,
+        0x7052b13ddbfd1511L },
+      { 0x11890d1b682b9060L,0xa71d3883ac34452cL,0xa438055b783805b4L,
+        0x432412774725b23eL } },
+    /* 50 << 224 */
+    { { 0xf20cf96e4901bbedL,0x6419c710f432a2bbL,0x57a0fbb9dfa9cd7dL,
+        0x589111e400daa249L },
+      { 0x19809a337b60554eL,0xea5f8887ede283a4L,0x2d713802503bfd35L,
+        0x151bb0af585d2a53L } },
+    /* 51 << 224 */
+    { { 0x40b08f7443b30ca8L,0xe10b5bbad9934583L,0xe8a546d6b51110adL,
+        0x1dd50e6628e0b6c5L },
+      { 0x292e9d54cff2b821L,0x3882555d47281760L,0x134838f83724d6e3L,
+        0xf2c679e022ddcda1L } },
+    /* 52 << 224 */
+    { { 0x40ee88156d2a5768L,0x7f227bd21c1e7e2dL,0x487ba134d04ff443L,
+        0x76e2ff3dc614e54bL },
+      { 0x36b88d6fa3177ec7L,0xbf731d512328fff5L,0x758caea249ba158eL,
+        0x5ab8ff4c02938188L } },
+    /* 53 << 224 */
+    { { 0x33e1605635edc56dL,0x5a69d3497e940d79L,0x6c4fd00103866dcbL,
+        0x20a38f574893cdefL },
+      { 0xfbf3e790fac3a15bL,0x6ed7ea2e7a4f8e6bL,0xa663eb4fbc3aca86L,
+        0x22061ea5080d53f7L } },
+    /* 54 << 224 */
+    { { 0x2480dfe6f546783fL,0xd38bc6da5a0a641eL,0xfb093cd12ede8965L,
+        0x89654db4acb455cfL },
+      { 0x413cbf9a26e1adeeL,0x291f3764373294d4L,0x00797257648083feL,
+        0x25f504d3208cc341L } },
+    /* 55 << 224 */
+    { { 0x635a8e5ec3a0ee43L,0x70aaebca679898ffL,0x9ee9f5475dc63d56L,
+        0xce987966ffb34d00L },
+      { 0xf9f86b195e26310aL,0x9e435484382a8ca8L,0x253bcb81c2352fe4L,
+        0xa4eac8b04474b571L } },
+    /* 56 << 224 */
+    { { 0xc1b97512c1ad8cf8L,0x193b4e9e99e0b697L,0x939d271601e85df0L,
+        0x4fb265b3cd44eafdL },
+      { 0x321e7dcde51e1ae2L,0x8e3a8ca6e3d8b096L,0x8de46cb052604998L,
+        0x91099ad839072aa7L } },
+    /* 57 << 224 */
+    { { 0x2617f91c93aa96b8L,0x0fc8716b7fca2e13L,0xa7106f5e95328723L,
+        0xd1c9c40b262e6522L },
+      { 0xb9bafe8642b7c094L,0x1873439d1543c021L,0xe1baa5de5cbefd5dL,
+        0xa363fc5e521e8affL } },
+    /* 58 << 224 */
+    { { 0xefe6320df862eaacL,0x14419c6322c647dcL,0x0e06707c4e46d428L,
+        0xcb6c834f4a178f8fL },
+      { 0x0f993a45d30f917cL,0xd4c4b0499879afeeL,0xb6142a1e70500063L,
+        0x7c9b41c3a5d9d605L } },
+    /* 59 << 224 */
+    { { 0xbc00fc2f2f8ba2c7L,0x0966eb2f7c67aa28L,0x13f7b5165a786972L,
+        0x3bfb75578a2fbba0L },
+      { 0x131c4f235a2b9620L,0xbff3ed276faf46beL,0x9b4473d17e172323L,
+        0x421e8878339f6246L } },
+    /* 60 << 224 */
+    { { 0x0fa8587a25a41632L,0xc0814124a35b6c93L,0x2b18a9f559ebb8dbL,
+        0x264e335776edb29cL },
+      { 0xaf245ccdc87c51e2L,0x16b3015b501e6214L,0xbb31c5600a3882ceL,
+        0x6961bb94fec11e04L } },
+    /* 61 << 224 */
+    { { 0x3b825b8deff7a3a0L,0xbec33738b1df7326L,0x68ad747c99604a1fL,
+        0xd154c9349a3bd499L },
+      { 0xac33506f1cc7a906L,0x73bb53926c560e8fL,0x6428fcbe263e3944L,
+        0xc11828d51c387434L } },
+    /* 62 << 224 */
+    { { 0x3cd04be13e4b12ffL,0xc3aad9f92d88667cL,0xc52ddcf8248120cfL,
+        0x985a892e2a389532L },
+      { 0xfbb4b21b3bb85fa0L,0xf95375e08dfc6269L,0xfb4fb06c7ee2aceaL,
+        0x6785426e309c4d1fL } },
+    /* 63 << 224 */
+    { { 0x659b17c8d8ceb147L,0x9b649eeeb70a5554L,0x6b7fa0b5ac6bc634L,
+        0xd99fe2c71d6e732fL },
+      { 0x30e6e7628d3abba2L,0x18fee6e7a797b799L,0x5c9d360dc696464dL,
+        0xe3baeb4827bfde12L } },
+    /* 64 << 224 */
+    { { 0x2bf5db47f23206d5L,0x2f6d34201d260152L,0x17b876533f8ff89aL,
+        0x5157c30c378fa458L },
+      { 0x7517c5c52d4fb936L,0xef22f7ace6518cdcL,0xdeb483e6bf847a64L,
+        0xf508455892e0fa89L } },
+    /* 0 << 231 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 231 */
+    { { 0xab9659d8df7304d4L,0xb71bcf1bff210e8eL,0xa9a2438bd73fbd60L,
+        0x4595cd1f5d11b4deL },
+      { 0x9c0d329a4835859dL,0x4a0f0d2d7dbb6e56L,0xc6038e5edf928a4eL,
+        0xc94296218f5ad154L } },
+    /* 2 << 231 */
+    { { 0x91213462f23f2d92L,0x6cab71bd60b94078L,0x6bdd0a63176cde20L,
+        0x54c9b20cee4d54bcL },
+      { 0x3cd2d8aa9f2ac02fL,0x03f8e617206eedb0L,0xc7f68e1693086434L,
+        0x831469c592dd3db9L } },
+    /* 3 << 231 */
+    { { 0x8521df248f981354L,0x587e23ec3588a259L,0xcbedf281d7a0992cL,
+        0x06930a5538961407L },
+      { 0x09320debbe5bbe21L,0xa7ffa5b52491817fL,0xe6c8b4d909065160L,
+        0xac4f3992fff6d2a9L } },
+    /* 4 << 231 */
+    { { 0x7aa7a1583ae9c1bdL,0xe0af6d98e37ce240L,0xe54342d928ab38b4L,
+        0xe8b750070a1c98caL },
+      { 0xefce86afe02358f2L,0x31b8b856ea921228L,0x052a19120a1c67fcL,
+        0xb4069ea4e3aead59L } },
+    /* 5 << 231 */
+    { { 0x3232d6e27fa03cb3L,0xdb938e5b0fdd7d88L,0x04c1d2cd2ccbfc5dL,
+        0xd2f45c12af3a580fL },
+      { 0x592620b57883e614L,0x5fd27e68be7c5f26L,0x139e45a91567e1e3L,
+        0x2cc71d2d44d8aaafL } },
+    /* 6 << 231 */
+    { { 0x4a9090cde36d0757L,0xf722d7b1d9a29382L,0xfb7fb04c04b48ddfL,
+        0x628ad2a7ebe16f43L },
+      { 0xcd3fbfb520226040L,0x6c34ecb15104b6c4L,0x30c0754ec903c188L,
+        0xec336b082d23cab0L } },
+    /* 7 << 231 */
+    { { 0x473d62a21e206ee5L,0xf1e274808c49a633L,0x87ab956ce9f6b2c3L,
+        0x61830b4862b606eaL },
+      { 0x67cd6846e78e815fL,0xfe40139f4c02082aL,0x52bbbfcb952ec365L,
+        0x74c116426b9836abL } },
+    /* 8 << 231 */
+    { { 0x9f51439e558df019L,0x230da4baac712b27L,0x518919e355185a24L,
+        0x4dcefcdd84b78f50L },
+      { 0xa7d90fb2a47d4c5aL,0x55ac9abfb30e009eL,0xfd2fc35974eed273L,
+        0xb72d824cdbea8fafL } },
+    /* 9 << 231 */
+    { { 0xce721a744513e2caL,0x0b41861238240b2cL,0x05199968d5baa450L,
+        0xeb1757ed2b0e8c25L },
+      { 0x6ebc3e283dfac6d5L,0xb2431e2e48a237f5L,0x2acb5e2352f61499L,
+        0x5558a2a7e06c936bL } },
+    /* 10 << 231 */
+    { { 0xd213f923cbb13d1bL,0x98799f425bfb9bfeL,0x1ae8ddc9701144a9L,
+        0x0b8b3bb64c5595eeL },
+      { 0x0ea9ef2e3ecebb21L,0x17cb6c4b3671f9a7L,0x47ef464f726f1d1fL,
+        0x171b94846943a276L } },
+    /* 11 << 231 */
+    { { 0x51a4ae2d7ef0329cL,0x0850922291c4402aL,0x64a61d35afd45bbcL,
+        0x38f096fe3035a851L },
+      { 0xc7468b74a1dec027L,0xe8cf10e74fc7dcbaL,0xea35ff40f4a06353L,
+        0x0b4c0dfa8b77dd66L } },
+    /* 12 << 231 */
+    { { 0x779b8552de7e5c19L,0xfab28609c1c0256cL,0x64f58eeeabd4743dL,
+        0x4e8ef8387b6cc93bL },
+      { 0xee650d264cb1bf3dL,0x4c1f9d0973dedf61L,0xaef7c9d7bfb70cedL,
+        0x1ec0507e1641de1eL } },
+    /* 13 << 231 */
+    { { 0xcd7e5cc7cde45079L,0xde173c9a516ac9e4L,0x517a8494c170315cL,
+        0x438fd90591d8e8fbL },
+      { 0x5145c506c7d9630bL,0x6457a87bf47d4d75L,0xd31646bf0d9a80e8L,
+        0x453add2bcef3aabeL } },
+    /* 14 << 231 */
+    { { 0xc9941109a607419dL,0xfaa71e62bb6bca80L,0x34158c1307c431f3L,
+        0x594abebc992bc47aL },
+      { 0x6dfea691eb78399fL,0x48aafb353f42cba4L,0xedcd65af077c04f0L,
+        0x1a29a366e884491aL } },
+    /* 15 << 231 */
+    { { 0x023a40e51c21f2bfL,0xf99a513ca5057aeeL,0xa3fe7e25bcab072eL,
+        0x8568d2e140e32bcfL },
+      { 0x904594ebd3f69d9fL,0x181a973307affab1L,0xe4d68d76b6e330f4L,
+        0x87a6dafbc75a7fc1L } },
+    /* 16 << 231 */
+    { { 0x549db2b5ef7d9289L,0x2480d4a8197f015aL,0x61d5590bc40493b6L,
+        0x3a55b52e6f780331L },
+      { 0x40eb8115309eadb0L,0xdea7de5a92e5c625L,0x64d631f0cc6a3d5aL,
+        0x9d5e9d7c93e8dd61L } },
+    /* 17 << 231 */
+    { { 0xf297bef5206d3ffcL,0x23d5e0337d808bd4L,0x4a4f6912d24cf5baL,
+        0xe4d8163b09cdaa8aL },
+      { 0x0e0de9efd3082e8eL,0x4fe1246c0192f360L,0x1f9001504b8eee0aL,
+        0x5219da81f1da391bL } },
+    /* 18 << 231 */
+    { { 0x7bf6a5c1f7ea25aaL,0xd165e6bffbb07d5fL,0xe353936189e78671L,
+        0xa3fcac892bac4219L },
+      { 0xdfab6fd4f0baa8abL,0x5a4adac1e2c1c2e5L,0x6cd75e3140d85849L,
+        0xce263fea19b39181L } },
+    /* 19 << 231 */
+    { { 0xcb6803d307032c72L,0x7f40d5ce790968c8L,0xa6de86bddce978f0L,
+        0x25547c4f368f751cL },
+      { 0xb1e685fd65fb2a9eL,0xce69336f1eb9179cL,0xb15d1c2712504442L,
+        0xb7df465cb911a06bL } },
+    /* 20 << 231 */
+    { { 0xb8d804a3315980cdL,0x693bc492fa3bebf7L,0x3578aeee2253c504L,
+        0x158de498cd2474a2L },
+      { 0x1331f5c7cfda8368L,0xd2d7bbb378d7177eL,0xdf61133af3c1e46eL,
+        0x5836ce7dd30e7be8L } },
+    /* 21 << 231 */
+    { { 0x83084f1994f834cbL,0xd35653d4429ed782L,0xa542f16f59e58243L,
+        0xc2b52f650470a22dL },
+      { 0xe3b6221b18f23d96L,0xcb05abac3f5252b4L,0xca00938b87d61402L,
+        0x2f186cdd411933e4L } },
+    /* 22 << 231 */
+    { { 0xe042ece59a29a5c5L,0xb19b3c073b6c8402L,0xc97667c719d92684L,
+        0xb5624622ebc66372L },
+      { 0x0cb96e653c04fa02L,0x83a7176c8eaa39aaL,0x2033561deaa1633fL,
+        0x45a9d0864533df73L } },
+    /* 23 << 231 */
+    { { 0xe0542c1d3dc090bcL,0x82c996efaa59c167L,0xe3f735e80ee7fc4dL,
+        0x7b1793937c35db79L },
+      { 0xb6419e25f8c5dbfdL,0x4d9d7a1e1f327b04L,0x979f6f9b298dfca8L,
+        0xc7c5dff18de9366aL } },
+    /* 24 << 231 */
+    { { 0x1b7a588d04c82bddL,0x68005534f8319dfdL,0xde8a55b5d8eb9580L,
+        0x5ea886da8d5bca81L },
+      { 0xe8530a01252a0b4dL,0x1bffb4fe35eaa0a1L,0x2ad828b1d8e99563L,
+        0x7de96ef595f9cd87L } },
+    /* 25 << 231 */
+    { { 0x4abb2d0cd77d970cL,0x03cfb933d33ef9cbL,0xb0547c018b211fe9L,
+        0x2fe64809a56ed1c6L },
+      { 0xcb7d5624c2ac98ccL,0x2a1372c01a393e33L,0xc8d1ec1c29660521L,
+        0xf3d31b04b37ac3e9L } },
+    /* 26 << 231 */
+    { { 0xa29ae9df5ece6e7cL,0x0603ac8f0facfb55L,0xcfe85b7adda233a5L,
+        0xe618919fbd75f0b8L },
+      { 0xf555a3d299bf1603L,0x1f43afc9f184255aL,0xdcdaf341319a3e02L,
+        0xd3b117ef03903a39L } },
+    /* 27 << 231 */
+    { { 0xe095da1365d1d131L,0x86f16367c37ad03eL,0x5f37389e462cd8ddL,
+        0xc103fa04d67a60e6L },
+      { 0x57c34344f4b478f0L,0xce91edd8e117c98dL,0x001777b0231fc12eL,
+        0x11ae47f2b207bccbL } },
+    /* 28 << 231 */
+    { { 0xd983cf8d20f8a242L,0x7aff5b1df22e1ad8L,0x68fd11d07fc4feb3L,
+        0x5d53ae90b0f1c3e1L },
+      { 0x50fb7905ec041803L,0x85e3c97714404888L,0x0e67faedac628d8fL,
+        0x2e8651506668532cL } },
+    /* 29 << 231 */
+    { { 0x15acaaa46a67a6b0L,0xf4cdee25b25cec41L,0x49ee565ae4c6701eL,
+        0x2a04ca66fc7d63d8L },
+      { 0xeb105018ef0543fbL,0xf709a4f5d1b0d81dL,0x5b906ee62915d333L,
+        0xf4a8741296f1f0abL } },
+    /* 30 << 231 */
+    { { 0xb6b82fa74d82f4c2L,0x90725a606804efb3L,0xbc82ec46adc3425eL,
+        0xb7b805812787843eL },
+      { 0xdf46d91cdd1fc74cL,0xdc1c62cbe783a6c4L,0x59d1b9f31a04cbbaL,
+        0xd87f6f7295e40764L } },
+    /* 31 << 231 */
+    { { 0x02b4cfc1317f4a76L,0x8d2703eb91036bceL,0x98206cc6a5e72a56L,
+        0x57be9ed1cf53fb0fL },
+      { 0x09374571ef0b17acL,0x74b2655ed9181b38L,0xc8f80ea889935d0eL,
+        0xc0d9e94291529936L } },
+    /* 32 << 231 */
+    { { 0x196860411e84e0e5L,0xa5db84d3aea34c93L,0xf9d5bb197073a732L,
+        0xb8d2fe566bcfd7c0L },
+      { 0x45775f36f3eb82faL,0x8cb20cccfdff8b58L,0x1659b65f8374c110L,
+        0xb8b4a422330c789aL } },
+    /* 33 << 231 */
+    { { 0x75e3c3ea6fe8208bL,0xbd74b9e4286e78feL,0x0be2e81bd7d93a1aL,
+        0x7ed06e27dd0a5aaeL },
+      { 0x721f5a586be8b800L,0x428299d1d846db28L,0x95cb8e6b5be88ed3L,
+        0xc3186b231c034e11L } },
+    /* 34 << 231 */
+    { { 0xa6312c9e8977d99bL,0xbe94433183f531e7L,0x8232c0c218d3b1d4L,
+        0x617aae8be1247b73L },
+      { 0x40153fc4282aec3bL,0xc6063d2ff7b8f823L,0x68f10e583304f94cL,
+        0x31efae74ee676346L } },
+    /* 35 << 231 */
+    { { 0xbadb6c6d40a9b97cL,0x14702c634f666256L,0xdeb954f15184b2e3L,
+        0x5184a52694b6ca40L },
+      { 0xfff05337003c32eaL,0x5aa374dd205974c7L,0x9a7638544b0dd71aL,
+        0x459cd27fdeb947ecL } },
+    /* 36 << 231 */
+    { { 0xa6e28161459c2b92L,0x2f020fa875ee8ef5L,0xb132ec2d30b06310L,
+        0xc3e15899bc6a4530L },
+      { 0xdc5f53feaa3f451aL,0x3a3c7f23c2d9acacL,0x2ec2f8926b27e58bL,
+        0x68466ee7d742799fL } },
+    /* 37 << 231 */
+    { { 0x98324dd41fa26613L,0xa2dc6dabbdc29d63L,0xf9675faad712d657L,
+        0x813994be21fd8d15L },
+      { 0x5ccbb722fd4f7553L,0x5135ff8bf3a36b20L,0x44be28af69559df5L,
+        0x40b65bed9d41bf30L } },
+    /* 38 << 231 */
+    { { 0xd98bf2a43734e520L,0x5e3abbe3209bdcbaL,0x77c76553bc945b35L,
+        0x5331c093c6ef14aaL },
+      { 0x518ffe2976b60c80L,0x2285593b7ace16f8L,0xab1f64ccbe2b9784L,
+        0xe8f2c0d9ab2421b6L } },
+    /* 39 << 231 */
+    { { 0x617d7174c1df065cL,0xafeeb5ab5f6578faL,0x16ff1329263b54a8L,
+        0x45c55808c990dce3L },
+      { 0x42eab6c0ecc8c177L,0x799ea9b55982ecaaL,0xf65da244b607ef8eL,
+        0x8ab226ce32a3fc2cL } },
+    /* 40 << 231 */
+    { { 0x745741e57ea973dcL,0x5c00ca7020888f2eL,0x7cdce3cf45fd9cf1L,
+        0x8a741ef15507f872L },
+      { 0x47c51c2f196b4cecL,0x70d08e43c97ea618L,0x930da15c15b18a2bL,
+        0x33b6c6782f610514L } },
+    /* 41 << 231 */
+    { { 0xc662e4f807ac9794L,0x1eccf050ba06cb79L,0x1ff08623e7d954e5L,
+        0x6ef2c5fb24cf71c3L },
+      { 0xb2c063d267978453L,0xa0cf37961d654af8L,0x7cb242ea7ebdaa37L,
+        0x206e0b10b86747e0L } },
+    /* 42 << 231 */
+    { { 0x481dae5fd5ecfefcL,0x07084fd8c2bff8fcL,0x8040a01aea324596L,
+        0x4c646980d4de4036L },
+      { 0x9eb8ab4ed65abfc3L,0xe01cb91f13541ec7L,0x8f029adbfd695012L,
+        0x9ae284833c7569ecL } },
+    /* 43 << 231 */
+    { { 0xa5614c9ea66d80a1L,0x680a3e4475f5f911L,0x0c07b14dceba4fc1L,
+        0x891c285ba13071c1L },
+      { 0xcac67ceb799ece3cL,0x29b910a941e07e27L,0x66bdb409f2e43123L,
+        0x06f8b1377ac9ecbeL } },
+    /* 44 << 231 */
+    { { 0x5981fafd38547090L,0x19ab8b9f85e3415dL,0xfc28c194c7e31b27L,
+        0x843be0aa6fbcbb42L },
+      { 0xf3b1ed43a6db836cL,0x2a1330e401a45c05L,0x4f19f3c595c1a377L,
+        0xa85f39d044b5ee33L } },
+    /* 45 << 231 */
+    { { 0x3da18e6d4ae52834L,0x5a403b397423dcb0L,0xbb555e0af2374aefL,
+        0x2ad599c41e8ca111L },
+      { 0x1b3a2fb9014b3bf8L,0x73092684f66d5007L,0x079f1426c4340102L,
+        0x1827cf818fddf4deL } },
+    /* 46 << 231 */
+    { { 0xc83605f6f10ff927L,0xd387145123739fc6L,0x6d163450cac1c2ccL,
+        0x6b521296a2ec1ac5L },
+      { 0x0606c4f96e3cb4a5L,0xe47d3f41778abff7L,0x425a8d5ebe8e3a45L,
+        0x53ea9e97a6102160L } },
+    /* 47 << 231 */
+    { { 0x477a106e39cbb688L,0x532401d2f3386d32L,0x8e564f64b1b9b421L,
+        0xca9b838881dad33fL },
+      { 0xb1422b4e2093913eL,0x533d2f9269bc8112L,0x3fa017beebe7b2c7L,
+        0xb2767c4acaf197c6L } },
+    /* 48 << 231 */
+    { { 0xc925ff87aedbae9fL,0x7daf0eb936880a54L,0x9284ddf59c4d0e71L,
+        0x1581cf93316f8cf5L },
+      { 0x3eeca8873ac1f452L,0xb417fce9fb6aeffeL,0xa5918046eefb8dc3L,
+        0x73d318ac02209400L } },
+    /* 49 << 231 */
+    { { 0xe800400f728693e5L,0xe87d814b339927edL,0x93e94d3b57ea9910L,
+        0xff8a35b62245fb69L },
+      { 0x043853d77f200d34L,0x470f1e680f653ce1L,0x81ac05bd59a06379L,
+        0xa14052c203930c29L } },
+    /* 50 << 231 */
+    { { 0x6b72fab526bc2797L,0x13670d1699f16771L,0x001700521e3e48d1L,
+        0x978fe401b7adf678L },
+      { 0x55ecfb92d41c5dd4L,0x5ff8e247c7b27da5L,0xe7518272013fb606L,
+        0x5768d7e52f547a3cL } },
+    /* 51 << 231 */
+    { { 0xbb24eaa360017a5fL,0x6b18e6e49c64ce9bL,0xc225c655103dde07L,
+        0xfc3672ae7592f7eaL },
+      { 0x9606ad77d06283a1L,0x542fc650e4d59d99L,0xabb57c492a40e7c2L,
+        0xac948f13a8db9f55L } },
+    /* 52 << 231 */
+    { { 0x6d4c9682b04465c3L,0xe3d062fa6468bd15L,0xa51729ac5f318d7eL,
+        0x1fc87df69eb6fc95L },
+      { 0x63d146a80591f652L,0xa861b8f7589621aaL,0x59f5f15ace31348cL,
+        0x8f663391440da6daL } },
+    /* 53 << 231 */
+    { { 0xcfa778acb591ffa3L,0x027ca9c54cdfebceL,0xbe8e05a5444ea6b3L,
+        0x8aab4e69a78d8254L },
+      { 0x2437f04fb474d6b8L,0x6597ffd4045b3855L,0xbb0aea4eca47ecaaL,
+        0x568aae8385c7ebfcL } },
+    /* 54 << 231 */
+    { { 0x0e966e64c73b2383L,0x49eb3447d17d8762L,0xde1078218da05dabL,
+        0x443d8baa016b7236L },
+      { 0x163b63a5ea7610d6L,0xe47e4185ce1ca979L,0xae648b6580baa132L,
+        0xebf53de20e0d5b64L } },
+    /* 55 << 231 */
+    { { 0x8d3bfcb4d3c8c1caL,0x0d914ef35d04b309L,0x55ef64153de7d395L,
+        0xbde1666f26b850e8L },
+      { 0xdbe1ca6ed449ab19L,0x8902b322e89a2672L,0xb1674b7edacb7a53L,
+        0x8e9faf6ef52523ffL } },
+    /* 56 << 231 */
+    { { 0x6ba535da9a85788bL,0xd21f03aebd0626d4L,0x099f8c47e873dc64L,
+        0xcda8564d018ec97eL },
+      { 0x3e8d7a5cde92c68cL,0x78e035a173323cc4L,0x3ef26275f880ff7cL,
+        0xa4ee3dff273eedaaL } },
+    /* 57 << 231 */
+    { { 0x58823507af4e18f8L,0x967ec9b50672f328L,0x9ded19d9559d3186L,
+        0x5e2ab3de6cdce39cL },
+      { 0xabad6e4d11c226dfL,0xf9783f4387723014L,0x9a49a0cf1a885719L,
+        0xfc0c1a5a90da9dbfL } },
+    /* 58 << 231 */
+    { { 0x8bbaec49571d92acL,0x569e85fe4692517fL,0x8333b014a14ea4afL,
+        0x32f2a62f12e5c5adL },
+      { 0x98c2ce3a06d89b85L,0xb90741aa2ff77a08L,0x2530defc01f795a2L,
+        0xd6e5ba0b84b3c199L } },
+    /* 59 << 231 */
+    { { 0x7d8e845112e4c936L,0xae419f7dbd0be17bL,0xa583fc8c22262bc9L,
+        0x6b842ac791bfe2bdL },
+      { 0x33cef4e9440d6827L,0x5f69f4deef81fb14L,0xf16cf6f6234fbb92L,
+        0x76ae3fc3d9e7e158L } },
+    /* 60 << 231 */
+    { { 0x4e89f6c2e9740b33L,0x677bc85d4962d6a1L,0x6c6d8a7f68d10d15L,
+        0x5f9a72240257b1cdL },
+      { 0x7096b9164ad85961L,0x5f8c47f7e657ab4aL,0xde57d7d0f7461d7eL,
+        0x7eb6094d80ce5ee2L } },
+    /* 61 << 231 */
+    { { 0x0b1e1dfd34190547L,0x8a394f43f05dd150L,0x0a9eb24d97df44e6L,
+        0x78ca06bf87675719L },
+      { 0x6f0b34626ffeec22L,0x9d91bcea36cdd8fbL,0xac83363ca105be47L,
+        0x81ba76c1069710e3L } },
+    /* 62 << 231 */
+    { { 0x3d1b24cb28c682c6L,0x27f252288612575bL,0xb587c779e8e66e98L,
+        0x7b0c03e9405eb1feL },
+      { 0xfdf0d03015b548e7L,0xa8be76e038b36af7L,0x4cdab04a4f310c40L,
+        0x6287223ef47ecaecL } },
+    /* 63 << 231 */
+    { { 0x678e60558b399320L,0x61fe3fa6c01e4646L,0xc482866b03261a5eL,
+        0xdfcf45b85c2f244aL },
+      { 0x8fab9a512f684b43L,0xf796c654c7220a66L,0x1d90707ef5afa58fL,
+        0x2c421d974fdbe0deL } },
+    /* 64 << 231 */
+    { { 0xc4f4cda3af2ebc2fL,0xa0af843dcb4efe24L,0x53b857c19ccd10b1L,
+        0xddc9d1eb914d3e04L },
+      { 0x7bdec8bb62771debL,0x829277aa91c5aa81L,0x7af18dd6832391aeL,
+        0x1740f316c71a84caL } },
+    /* 0 << 238 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 238 */
+    { { 0x8928e99aeeaf8c49L,0xee7aa73d6e24d728L,0x4c5007c2e72b156cL,
+        0x5fcf57c5ed408a1dL },
+      { 0x9f719e39b6057604L,0x7d343c01c2868bbfL,0x2cca254b7e103e2dL,
+        0xe6eb38a9f131bea2L } },
+    /* 2 << 238 */
+    { { 0xb33e624f8be762b4L,0x2a9ee4d1058e3413L,0x968e636967d805faL,
+        0x9848949b7db8bfd7L },
+      { 0x5308d7e5d23a8417L,0x892f3b1df3e29da5L,0xc95c139e3dee471fL,
+        0x8631594dd757e089L } },
+    /* 3 << 238 */
+    { { 0xe0c82a3cde918dccL,0x2e7b599426fdcf4bL,0x82c5024932cb1b2dL,
+        0xea613a9d7657ae07L },
+      { 0xc2eb5f6cf1fdc9f7L,0xb6eae8b8879fe682L,0x253dfee0591cbc7fL,
+        0x000da7133e1290e6L } },
+    /* 4 << 238 */
+    { { 0x1083e2ea1f095615L,0x0a28ad7714e68c33L,0x6bfc02523d8818beL,
+        0xb585113af35850cdL },
+      { 0x7d935f0b30df8aa1L,0xaddda07c4ab7e3acL,0x92c34299552f00cbL,
+        0xc33ed1de2909df6cL } },
+    /* 5 << 238 */
+    { { 0x22c2195d80e87766L,0x9e99e6d89ddf4ac0L,0x09642e4e65e74934L,
+        0x2610ffa2ff1ff241L },
+      { 0x4d1d47d4751c8159L,0x697b4985af3a9363L,0x0318ca4687477c33L,
+        0xa90cb5659441eff3L } },
+    /* 6 << 238 */
+    { { 0x58bb384836f024cbL,0x85be1f7736016168L,0x6c59587cdc7e07f1L,
+        0x191be071af1d8f02L },
+      { 0xbf169fa5cca5e55cL,0x3864ba3cf7d04eacL,0x915e367f8d7d05dbL,
+        0xb48a876da6549e5dL } },
+    /* 7 << 238 */
+    { { 0xef89c656580e40a2L,0xf194ed8c728068bcL,0x74528045a47990c9L,
+        0xf53fc7d75e1a4649L },
+      { 0xbec5ae9b78593e7dL,0x2cac4ee341db65d7L,0xa8c1eb2404a3d39bL,
+        0x53b7d63403f8f3efL } },
+    /* 8 << 238 */
+    { { 0x2dc40d483e07113cL,0x6e4a5d397d8b63aeL,0x5582a94b79684c2bL,
+        0x932b33d4622da26cL },
+      { 0xf534f6510dbbf08dL,0x211d07c964c23a52L,0x0eeece0fee5bdc9bL,
+        0xdf178168f7015558L } },
+    /* 9 << 238 */
+    { { 0xd42946350a712229L,0x93cbe44809273f8cL,0x00b095ef8f13bc83L,
+        0xbb7419728798978cL },
+      { 0x9d7309a256dbe6e7L,0xe578ec565a5d39ecL,0x3961151b851f9a31L,
+        0x2da7715de5709eb4L } },
+    /* 10 << 238 */
+    { { 0x867f301753dfabf0L,0x728d2078b8e39259L,0x5c75a0cd815d9958L,
+        0xf84867a616603be1L },
+      { 0xc865b13d70e35b1cL,0x0241446819b03e2cL,0xe46041daac1f3121L,
+        0x7c9017ad6f028a7cL } },
+    /* 11 << 238 */
+    { { 0xabc96de90a482873L,0x4265d6b1b77e54d4L,0x68c38e79a57d88e7L,
+        0xd461d7669ce82de3L },
+      { 0x817a9ec564a7e489L,0xcc5675cda0def5f2L,0x9a00e785985d494eL,
+        0xc626833f1b03514aL } },
+    /* 12 << 238 */
+    { { 0xabe7905a83cdd60eL,0x50602fb5a1170184L,0x689886cdb023642aL,
+        0xd568d090a6e1fb00L },
+      { 0x5b1922c70259217fL,0x93831cd9c43141e4L,0xdfca35870c95f86eL,
+        0xdec2057a568ae828L } },
+    /* 13 << 238 */
+    { { 0xc44ea599f98a759aL,0x55a0a7a2f7c23c1dL,0xd5ffb6e694c4f687L,
+        0x3563cce212848478L },
+      { 0x812b3517e7b1fbe1L,0x8a7dc9794f7338e0L,0x211ecee952d048dbL,
+        0x2eea4056c86ea3b8L } },
+    /* 14 << 238 */
+    { { 0xd8cb68a7ba772b34L,0xe16ed3415f4e2541L,0x9b32f6a60fec14dbL,
+        0xeee376f7391698beL },
+      { 0xe9a7aa1783674c02L,0x65832f975843022aL,0x29f3a8da5ba4990fL,
+        0x79a59c3afb8e3216L } },
+    /* 15 << 238 */
+    { { 0x9cdc4d2ebd19bb16L,0xc6c7cfd0b3262d86L,0xd4ce14d0969c0b47L,
+        0x1fa352b713e56128L },
+      { 0x383d55b8973db6d3L,0x71836850e8e5b7bfL,0xc7714596e6bb571fL,
+        0x259df31f2d5b2dd2L } },
+    /* 16 << 238 */
+    { { 0x568f8925913cc16dL,0x18bc5b6de1a26f5aL,0xdfa413bef5f499aeL,
+        0xf8835decc3f0ae84L },
+      { 0xb6e60bd865a40ab0L,0x65596439194b377eL,0xbcd8562592084a69L,
+        0x5ce433b94f23ede0L } },
+    /* 17 << 238 */
+    { { 0xe8e8f04f6ad65143L,0x11511827d6e14af6L,0x3d390a108295c0c7L,
+        0x71e29ee4621eba16L },
+      { 0xa588fc0963717b46L,0x02be02fee06ad4a2L,0x931558c604c22b22L,
+        0xbb4d4bd612f3c849L } },
+    /* 18 << 238 */
+    { { 0x54a4f49620efd662L,0x92ba6d20c5952d14L,0x2db8ea1ecc9784c2L,
+        0x81cc10ca4b353644L },
+      { 0x40b570ad4b4d7f6cL,0x5c9f1d9684a1dcd2L,0x01379f813147e797L,
+        0xe5c6097b2bd499f5L } },
+    /* 19 << 238 */
+    { { 0x40dcafa6328e5e20L,0xf7b5244a54815550L,0xb9a4f11847bfc978L,
+        0x0ea0e79fd25825b1L },
+      { 0xa50f96eb646c7ecfL,0xeb811493446dea9dL,0x2af04677dfabcf69L,
+        0xbe3a068fc713f6e8L } },
+    /* 20 << 238 */
+    { { 0x860d523d42e06189L,0xbf0779414e3aff13L,0x0b616dcac1b20650L,
+        0xe66dd6d12131300dL },
+      { 0xd4a0fd67ff99abdeL,0xc9903550c7aac50dL,0x022ecf8b7c46b2d7L,
+        0x3333b1e83abf92afL } },
+    /* 21 << 238 */
+    { { 0x11cc113c6c491c14L,0x0597668880dd3f88L,0xf5b4d9e729d932edL,
+        0xe982aad8a2c38b6dL },
+      { 0x6f9253478be0dcf0L,0x700080ae65ca53f2L,0xd8131156443ca77fL,
+        0xe92d6942ec51f984L } },
+    /* 22 << 238 */
+    { { 0xd2a08af885dfe9aeL,0xd825d9a54d2a86caL,0x2c53988d39dff020L,
+        0xf38b135a430cdc40L },
+      { 0x0c918ae062a7150bL,0xf31fd8de0c340e9bL,0xafa0e7ae4dbbf02eL,
+        0x5847fb2a5eba6239L } },
+    /* 23 << 238 */
+    { { 0x6b1647dcdccbac8bL,0xb642aa7806f485c8L,0x873f37657038ecdfL,
+        0x2ce5e865fa49d3feL },
+      { 0xea223788c98c4400L,0x8104a8cdf1fa5279L,0xbcf7cc7a06becfd7L,
+        0x49424316c8f974aeL } },
+    /* 24 << 238 */
+    { { 0xc0da65e784d6365dL,0xbcb7443f8f759fb8L,0x35c712b17ae81930L,
+        0x80428dff4c6e08abL },
+      { 0xf19dafefa4faf843L,0xced8538dffa9855fL,0x20ac409cbe3ac7ceL,
+        0x358c1fb6882da71eL } },
+    /* 25 << 238 */
+    { { 0xafa9c0e5fd349961L,0x2b2cfa518421c2fcL,0x2a80db17f3a28d38L,
+        0xa8aba5395d138e7eL },
+      { 0x52012d1d6e96eb8dL,0x65d8dea0cbaf9622L,0x57735447b264f56cL,
+        0xbeebef3f1b6c8da2L } },
+    /* 26 << 238 */
+    { { 0xfc346d98ce785254L,0xd50e8d72bb64a161L,0xc03567c749794addL,
+        0x15a76065752c7ef6L },
+      { 0x59f3a222961f23d6L,0x378e443873ecc0b0L,0xc74be4345a82fde4L,
+        0xae509af2d8b9cf34L } },
+    /* 27 << 238 */
+    { { 0x4a61ee46577f44a1L,0xe09b748cb611deebL,0xc0481b2cf5f7b884L,
+        0x3562667861acfa6bL },
+      { 0x37f4c518bf8d21e6L,0x22d96531b205a76dL,0x37fb85e1954073c0L,
+        0xbceafe4f65b3a567L } },
+    /* 28 << 238 */
+    { { 0xefecdef7be42a582L,0xd3fc608065046be6L,0xc9af13c809e8dba9L,
+        0x1e6c9847641491ffL },
+      { 0x3b574925d30c31f7L,0xb7eb72baac2a2122L,0x776a0dacef0859e7L,
+        0x06fec31421900942L } },
+    /* 29 << 238 */
+    { { 0x2464bc10f8c22049L,0x9bfbcce7875ebf69L,0xd7a88e2a4336326bL,
+        0xda05261c5bc2acfaL },
+      { 0xc29f5bdceba7efc8L,0x471237ca25dbbf2eL,0xa72773f22975f127L,
+        0xdc744e8e04d0b326L } },
+    /* 30 << 238 */
+    { { 0x38a7ed16a56edb73L,0x64357e372c007e70L,0xa167d15b5080b400L,
+        0x07b4116423de4be1L },
+      { 0xb2d91e3274c89883L,0x3c1628212882e7edL,0xad6b36ba7503e482L,
+        0x48434e8e0ea34331L } },
+    /* 31 << 238 */
+    { { 0x79f4f24f2c7ae0b9L,0xc46fbf811939b44aL,0x76fefae856595eb1L,
+        0x417b66abcd5f29c7L },
+      { 0x5f2332b2c5ceec20L,0xd69661ffe1a1cae2L,0x5ede7e529b0286e6L,
+        0x9d062529e276b993L } },
+    /* 32 << 238 */
+    { { 0x324794b07e50122bL,0xdd744f8b4af07ca5L,0x30a12f08d63fc97bL,
+        0x39650f1a76626d9dL },
+      { 0x101b47f71fa38477L,0x3d815f19d4dc124fL,0x1569ae95b26eb58aL,
+        0xc3cde18895fb1887L } },
+    /* 33 << 238 */
+    { { 0x54e9f37bf9539a48L,0xb0100e067408c1a5L,0x821d9811ea580cbbL,
+        0x8af52d3586e50c56L },
+      { 0xdfbd9d47dbbf698bL,0x2961a1ea03dc1c73L,0x203d38f8e76a5df8L,
+        0x08a53a686def707aL } },
+    /* 34 << 238 */
+    { { 0x26eefb481bee45d4L,0xb3cee3463c688036L,0x463c5315c42f2469L,
+        0x19d84d2e81378162L },
+      { 0x22d7c3c51c4d349fL,0x65965844163d59c5L,0xcf198c56b8abceaeL,
+        0x6fb1fb1b628559d5L } },
+    /* 35 << 238 */
+    { { 0x8bbffd0607bf8fe3L,0x46259c583467734bL,0xd8953cea35f7f0d3L,
+        0x1f0bece2d65b0ff1L },
+      { 0xf7d5b4b3f3c72914L,0x29e8ea953cb53389L,0x4a365626836b6d46L,
+        0xe849f910ea174fdeL } },
+    /* 36 << 238 */
+    { { 0x7ec62fbbf4737f21L,0xd8dba5ab6209f5acL,0x24b5d7a9a5f9adbeL,
+        0x707d28f7a61dc768L },
+      { 0x7711460bcaa999eaL,0xba7b174d1c92e4ccL,0x3c4bab6618d4bf2dL,
+        0xb8f0c980eb8bd279L } },
+    /* 37 << 238 */
+    { { 0x024bea9a324b4737L,0xfba9e42332a83bcaL,0x6e635643a232dcedL,
+        0x996193672571c8baL },
+      { 0xe8c9f35754b7032bL,0xf936b3ba2442d54aL,0x2263f0f08290c65aL,
+        0x48989780ee2c7fdbL } },
+    /* 38 << 238 */
+    { { 0xadc5d55a13d4f95eL,0x737cff85ad9b8500L,0x271c557b8a73f43dL,
+        0xbed617a4e18bc476L },
+      { 0x662454017dfd8ab2L,0xae7b89ae3a2870aaL,0x1b555f5323a7e545L,
+        0x6791e247be057e4cL } },
+    /* 39 << 238 */
+    { { 0x860136ad324fa34dL,0xea1114474cbeae28L,0x023a4270bedd3299L,
+        0x3d5c3a7fc1c35c34L },
+      { 0xb0f6db678d0412d2L,0xd92625e2fcdc6b9aL,0x92ae5ccc4e28a982L,
+        0xea251c3647a3ce7eL } },
+    /* 40 << 238 */
+    { { 0x9d658932790691bfL,0xed61058906b736aeL,0x712c2f04c0d63b6eL,
+        0x5cf06fd5c63d488fL },
+      { 0x97363facd9588e41L,0x1f9bf7622b93257eL,0xa9d1ffc4667acaceL,
+        0x1cf4a1aa0a061ecfL } },
+    /* 41 << 238 */
+    { { 0x40e48a49dc1818d0L,0x0643ff39a3621ab0L,0x5768640ce39ef639L,
+        0x1fc099ea04d86854L },
+      { 0x9130b9c3eccd28fdL,0xd743cbd27eec54abL,0x052b146fe5b475b6L,
+        0x058d9a82900a7d1fL } },
+    /* 42 << 238 */
+    { { 0x65e0229291262b72L,0x96f924f9bb0edf03L,0x5cfa59c8fe206842L,
+        0xf60370045eafa720L },
+      { 0x5f30699e18d7dd96L,0x381e8782cbab2495L,0x91669b46dd8be949L,
+        0xb40606f526aae8efL } },
+    /* 43 << 238 */
+    { { 0x2812b839fc6751a4L,0x16196214fba800efL,0x4398d5ca4c1a2875L,
+        0x720c00ee653d8349L },
+      { 0xc2699eb0d820007cL,0x880ee660a39b5825L,0x70694694471f6984L,
+        0xf7d16ea8e3dda99aL } },
+    /* 44 << 238 */
+    { { 0x28d675b2c0519a23L,0x9ebf94fe4f6952e3L,0xf28bb767a2294a8aL,
+        0x85512b4dfe0af3f5L },
+      { 0x18958ba899b16a0dL,0x95c2430cba7548a7L,0xb30d1b10a16be615L,
+        0xe3ebbb9785bfb74cL } },
+    /* 45 << 238 */
+    { { 0xa3273cfe18549fdbL,0xf6e200bf4fcdb792L,0x54a76e1883aba56cL,
+        0x73ec66f689ef6aa2L },
+      { 0x8d17add7d1b9a305L,0xa959c5b9b7ae1b9dL,0x886435226bcc094aL,
+        0xcc5616c4d7d429b9L } },
+    /* 46 << 238 */
+    { { 0xa6dada01e6a33f7cL,0xc6217a079d4e70adL,0xd619a81809c15b7cL,
+        0xea06b3290e80c854L },
+      { 0x174811cea5f5e7b9L,0x66dfc310787c65f4L,0x4ea7bd693316ab54L,
+        0xc12c4acb1dcc0f70L } },
+    /* 47 << 238 */
+    { { 0xe4308d1a1e407dd9L,0xe8a3587c91afa997L,0xea296c12ab77b7a5L,
+        0xb5ad49e4673c0d52L },
+      { 0x40f9b2b27006085aL,0xa88ff34087bf6ec2L,0x978603b14e3066a6L,
+        0xb3f99fc2b5e486e2L } },
+    /* 48 << 238 */
+    { { 0x07b53f5eb2e63645L,0xbe57e54784c84232L,0xd779c2167214d5cfL,
+        0x617969cd029a3acaL },
+      { 0xd17668cd8a7017a0L,0x77b4d19abe9b7ee8L,0x58fd0e939c161776L,
+        0xa8c4f4efd5968a72L } },
+    /* 49 << 238 */
+    { { 0x296071cc67b3de77L,0xae3c0b8e634f7905L,0x67e440c28a7100c9L,
+        0xbb8c3c1beb4b9b42L },
+      { 0x6d71e8eac51b3583L,0x7591f5af9525e642L,0xf73a2f7b13f509f3L,
+        0x618487aa5619ac9bL } },
+    /* 50 << 238 */
+    { { 0x3a72e5f79d61718aL,0x00413bcc7592d28cL,0x7d9b11d3963c35cfL,
+        0x77623bcfb90a46edL },
+      { 0xdeef273bdcdd2a50L,0x4a741f9b0601846eL,0x33b89e510ec6e929L,
+        0xcb02319f8b7f22cdL } },
+    /* 51 << 238 */
+    { { 0xbbe1500d084bae24L,0x2f0ae8d7343d2693L,0xacffb5f27cdef811L,
+        0xaa0c030a263fb94fL },
+      { 0x6eef0d61a0f442deL,0xf92e181727b139d3L,0x1ae6deb70ad8bc28L,
+        0xa89e38dcc0514130L } },
+    /* 52 << 238 */
+    { { 0x81eeb865d2fdca23L,0x5a15ee08cc8ef895L,0x768fa10a01905614L,
+        0xeff5b8ef880ee19bL },
+      { 0xf0c0cabbcb1c8a0eL,0x2e1ee9cdb8c838f9L,0x0587d8b88a4a14c0L,
+        0xf6f278962ff698e5L } },
+    /* 53 << 238 */
+    { { 0xed38ef1c89ee6256L,0xf44ee1fe6b353b45L,0x9115c0c770e903b3L,
+        0xc78ec0a1818f31dfL },
+      { 0x6c003324b7dccbc6L,0xd96dd1f3163bbc25L,0x33aa82dd5cedd805L,
+        0x123aae4f7f7eb2f1L } },
+    /* 54 << 238 */
+    { { 0x1723fcf5a26262cdL,0x1f7f4d5d0060ebd5L,0xf19c5c01b2eaa3afL,
+        0x2ccb9b149790accfL },
+      { 0x1f9c1cad52324aa6L,0x632005267247df54L,0x5732fe42bac96f82L,
+        0x52fe771f01a1c384L } },
+    /* 55 << 238 */
+    { { 0x546ca13db1001684L,0xb56b4eeea1709f75L,0x266545a9d5db8672L,
+        0xed971c901e8f3cfbL },
+      { 0x4e7d8691e3a07b29L,0x7570d9ece4b696b9L,0xdc5fa0677bc7e9aeL,
+        0x68b44cafc82c4844L } },
+    /* 56 << 238 */
+    { { 0x519d34b3bf44da80L,0x283834f95ab32e66L,0x6e6087976278a000L,
+        0x1e62960e627312f6L },
+      { 0x9b87b27be6901c55L,0x80e7853824fdbc1fL,0xbbbc09512facc27dL,
+        0x06394239ac143b5aL } },
+    /* 57 << 238 */
+    { { 0x35bb4a40376c1944L,0x7cb6269463da1511L,0xafd29161b7148a3bL,
+        0xa6f9d9ed4e2ea2eeL },
+      { 0x15dc2ca2880dd212L,0x903c3813a61139a9L,0x2aa7b46d6c0f8785L,
+        0x36ce2871901c60ffL } },
+    /* 58 << 238 */
+    { { 0xc683b028e10d9c12L,0x7573baa2032f33d3L,0x87a9b1f667a31b58L,
+        0xfd3ed11af4ffae12L },
+      { 0x83dcaa9a0cb2748eL,0x8239f0185d6fdf16L,0xba67b49c72753941L,
+        0x2beec455c321cb36L } },
+    /* 59 << 238 */
+    { { 0x880156063f8b84ceL,0x764170838d38c86fL,0x054f1ca7598953ddL,
+        0xc939e1104e8e7429L },
+      { 0x9b1ac2b35a914f2fL,0x39e35ed3e74b8f9cL,0xd0debdb2781b2fb0L,
+        0x1585638f2d997ba2L } },
+    /* 60 << 238 */
+    { { 0x9c4b646e9e2fce99L,0x68a210811e80857fL,0x06d54e443643b52aL,
+        0xde8d6d630d8eb843L },
+      { 0x7032156342146a0aL,0x8ba826f25eaa3622L,0x227a58bd86138787L,
+        0x43b6c03c10281d37L } },
+    /* 61 << 238 */
+    { { 0x6326afbbb54dde39L,0x744e5e8adb6f2d5fL,0x48b2a99acff158e1L,
+        0xa93c8fa0ef87918fL },
+      { 0x2182f956de058c5cL,0x216235d2936f9e7aL,0xace0c0dbd2e31e67L,
+        0xc96449bff23ac3e7L } },
+    /* 62 << 238 */
+    { { 0x7e9a2874170693bdL,0xa28e14fda45e6335L,0x5757f6b356427344L,
+        0x822e4556acf8edf9L },
+      { 0x2b7a6ee2e6a285cdL,0x5866f211a9df3af0L,0x40dde2ddf845b844L,
+        0x986c3726110e5e49L } },
+    /* 63 << 238 */
+    { { 0x73680c2af7172277L,0x57b94f0f0cccb244L,0xbdff72672d438ca7L,
+        0xbad1ce11cf4663fdL },
+      { 0x9813ed9dd8f71caeL,0xf43272a6961fdaa6L,0xbeff0119bd6d1637L,
+        0xfebc4f9130361978L } },
+    /* 64 << 238 */
+    { { 0x02b37a952f41deffL,0x0e44a59ae63b89b7L,0x673257dc143ff951L,
+        0x19c02205d752baf4L },
+      { 0x46c23069c4b7d692L,0x2e6392c3fd1502acL,0x6057b1a21b220846L,
+        0xe51ff9460c1b5b63L } },
+    /* 0 << 245 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 245 */
+    { { 0x6e85cb51566c5c43L,0xcff9c9193597f046L,0x9354e90c4994d94aL,
+        0xe0a393322147927dL },
+      { 0x8427fac10dc1eb2bL,0x88cfd8c22ff319faL,0xe2d4e68401965274L,
+        0xfa2e067d67aaa746L } },
+    /* 2 << 245 */
+    { { 0xb6d92a7f3e5f9f11L,0x9afe153ad6cb3b8eL,0x4d1a6dd7ddf800bdL,
+        0xf6c13cc0caf17e19L },
+      { 0x15f6c58e325fc3eeL,0x71095400a31dc3b2L,0x168e7c07afa3d3e7L,
+        0x3f8417a194c7ae2dL } },
+    /* 3 << 245 */
+    { { 0xec234772813b230dL,0x634d0f5f17344427L,0x11548ab1d77fc56aL,
+        0x7fab1750ce06af77L },
+      { 0xb62c10a74f7c4f83L,0xa7d2edc4220a67d9L,0x1c404170921209a0L,
+        0x0b9815a0face59f0L } },
+    /* 4 << 245 */
+    { { 0x2842589b319540c3L,0x18490f59a283d6f8L,0xa2731f84daae9fcbL,
+        0x3db6d960c3683ba0L },
+      { 0xc85c63bb14611069L,0xb19436af0788bf05L,0x905459df347460d2L,
+        0x73f6e094e11a7db1L } },
+    /* 5 << 245 */
+    { { 0xdc7f938eb6357f37L,0xc5d00f792bd8aa62L,0xc878dcb92ca979fcL,
+        0x37e83ed9eb023a99L },
+      { 0x6b23e2731560bf3dL,0x1086e4591d0fae61L,0x782483169a9414bdL,
+        0x1b956bc0f0ea9ea1L } },
+    /* 6 << 245 */
+    { { 0x7b85bb91c31b9c38L,0x0c5aa90b48ef57b5L,0xdedeb169af3bab6fL,
+        0xe610ad732d373685L },
+      { 0xf13870df02ba8e15L,0x0337edb68ca7f771L,0xe4acf747b62c036cL,
+        0xd921d576b6b94e81L } },
+    /* 7 << 245 */
+    { { 0xdbc864392c422f7aL,0xfb635362ed348898L,0x83084668c45bfcd1L,
+        0xc357c9e32b315e11L },
+      { 0xb173b5405b2e5b8cL,0x7e946931e102b9a4L,0x17c890eb7b0fb199L,
+        0xec225a83d61b662bL } },
+    /* 8 << 245 */
+    { { 0xf306a3c8ee3c76cbL,0x3cf11623d32a1f6eL,0xe6d5ab646863e956L,
+        0x3b8a4cbe5c005c26L },
+      { 0xdcd529a59ce6bb27L,0xc4afaa5204d4b16fL,0xb0624a267923798dL,
+        0x85e56df66b307fabL } },
+    /* 9 << 245 */
+    { { 0x0281893c2bf29698L,0x91fc19a4d7ce7603L,0x75a5dca3ad9a558fL,
+        0x40ceb3fa4d50bf77L },
+      { 0x1baf6060bc9ba369L,0x927e1037597888c2L,0xd936bf1986a34c07L,
+        0xd4cf10c1c34ae980L } },
+    /* 10 << 245 */
+    { { 0x3a3e5334859dd614L,0x9c475b5b18d0c8eeL,0x63080d1f07cd51d5L,
+        0xc9c0d0a6b88b4326L },
+      { 0x1ac98691c234296fL,0x2a0a83a494887fb6L,0x565114270cea9cf2L,
+        0x5230a6e8a24802f5L } },
+    /* 11 << 245 */
+    { { 0xf7a2bf0f72e3d5c1L,0x377174464f21439eL,0xfedcbf259ce30334L,
+        0xe0030a787ce202f9L },
+      { 0x6f2d9ebf1202e9caL,0xe79dde6c75e6e591L,0xf52072aff1dac4f8L,
+        0x6c8d087ebb9b404dL } },
+    /* 12 << 245 */
+    { { 0xad0fc73dbce913afL,0x909e587b458a07cbL,0x1300da84d4f00c8aL,
+        0x425cd048b54466acL },
+      { 0xb59cb9be90e9d8bfL,0x991616db3e431b0eL,0xd3aa117a531aecffL,
+        0x91af92d359f4dc3bL } },
+    /* 13 << 245 */
+    { { 0x9b1ec292e93fda29L,0x76bb6c17e97d91bcL,0x7509d95faface1e6L,
+        0x3653fe47be855ae3L },
+      { 0x73180b280f680e75L,0x75eefd1beeb6c26cL,0xa4cdf29fb66d4236L,
+        0x2d70a9976b5821d8L } },
+    /* 14 << 245 */
+    { { 0x7a3ee20720445c36L,0x71d1ac8259877174L,0x0fc539f7949f73e9L,
+        0xd05cf3d7982e3081L },
+      { 0x8758e20b7b1c7129L,0xffadcc20569e61f2L,0xb05d3a2f59544c2dL,
+        0xbe16f5c19fff5e53L } },
+    /* 15 << 245 */
+    { { 0x73cf65b8aad58135L,0x622c2119037aa5beL,0x79373b3f646fd6a0L,
+        0x0e029db50d3978cfL },
+      { 0x8bdfc43794fba037L,0xaefbd687620797a6L,0x3fa5382bbd30d38eL,
+        0x7627cfbf585d7464L } },
+    /* 16 << 245 */
+    { { 0xb2330fef4e4ca463L,0xbcef72873566cc63L,0xd161d2cacf780900L,
+        0x135dc5395b54827dL },
+      { 0x638f052e27bf1bc6L,0x10a224f007dfa06cL,0xe973586d6d3321daL,
+        0x8b0c573826152c8fL } },
+    /* 17 << 245 */
+    { { 0x07ef4f2a34606074L,0x80fe7fe8a0f7047aL,0x3d1a8152e1a0e306L,
+        0x32cf43d888da5222L },
+      { 0xbf89a95f5f02ffe6L,0x3d9eb9a4806ad3eaL,0x012c17bb79c8e55eL,
+        0xfdcd1a7499c81dacL } },
+    /* 18 << 245 */
+    { { 0x7043178bb9556098L,0x4090a1df801c3886L,0x759800ff9b67b912L,
+        0x3e5c0304232620c8L },
+      { 0x4b9d3c4b70dceecaL,0xbb2d3c15181f648eL,0xf981d8376e33345cL,
+        0xb626289b0cf2297aL } },
+    /* 19 << 245 */
+    { { 0x766ac6598baebdcfL,0x1a28ae0975df01e5L,0xb71283da375876d8L,
+        0x4865a96d607b9800L },
+      { 0x25dd1bcd237936b2L,0x332f4f4b60417494L,0xd0923d68370a2147L,
+        0x497f5dfbdc842203L } },
+    /* 20 << 245 */
+    { { 0x9dc74cbd32be5e0fL,0x7475bcb717a01375L,0x438477c950d872b1L,
+        0xcec67879ffe1d63dL },
+      { 0x9b006014d8578c70L,0xc9ad99a878bb6b8bL,0x6799008e11fb3806L,
+        0xcfe81435cd44cab3L } },
+    /* 21 << 245 */
+    { { 0xa2ee15822f4fb344L,0xb8823450483fa6ebL,0x622d323d652c7749L,
+        0xd8474a98beb0a15bL },
+      { 0xe43c154d5d1c00d0L,0x7fd581d90e3e7aacL,0x2b44c6192525ddf8L,
+        0x67a033ebb8ae9739L } },
+    /* 22 << 245 */
+    { { 0x113ffec19ef2d2e4L,0x1bf6767ed5a0ea7fL,0x57fff75e03714c0aL,
+        0xa23c422e0a23e9eeL },
+      { 0xdd5f6b2d540f83afL,0xc2c2c27e55ea46a7L,0xeb6b4246672a1208L,
+        0xd13599f7ae634f7aL } },
+    /* 23 << 245 */
+    { { 0xcf914b5cd7b32c6eL,0x61a5a640eaf61814L,0x8dc3df8b208a1bbbL,
+        0xef627fd6b6d79aa5L },
+      { 0x44232ffcc4c86bc8L,0xe6f9231b061539feL,0x1d04f25a958b9533L,
+        0x180cf93449e8c885L } },
+    /* 24 << 245 */
+    { { 0x896895959884aaf7L,0xb1959be307b348a6L,0x96250e573c147c87L,
+        0xae0efb3add0c61f8L },
+      { 0xed00745eca8c325eL,0x3c911696ecff3f70L,0x73acbc65319ad41dL,
+        0x7b01a020f0b1c7efL } },
+    /* 25 << 245 */
+    { { 0xea32b29363a1483fL,0x89eabe717a248f96L,0x9c6231d3343157e5L,
+        0x93a375e5df3c546dL },
+      { 0xe76e93436a2afe69L,0xc4f89100e166c88eL,0x248efd0d4f872093L,
+        0xae0eb3ea8fe0ea61L } },
+    /* 26 << 245 */
+    { { 0xaf89790d9d79046eL,0x4d650f2d6cee0976L,0xa3935d9a43071ecaL,
+        0x66fcd2c9283b0bfeL },
+      { 0x0e665eb5696605f1L,0xe77e5d07a54cd38dL,0x90ee050a43d950cfL,
+        0x86ddebdad32e69b5L } },
+    /* 27 << 245 */
+    { { 0x6ad94a3dfddf7415L,0xf7fa13093f6e8d5aL,0xc4831d1de9957f75L,
+        0x7de28501d5817447L },
+      { 0x6f1d70789e2aeb6bL,0xba2b9ff4f67a53c2L,0x36963767df9defc3L,
+        0x479deed30d38022cL } },
+    /* 28 << 245 */
+    { { 0xd2edb89b3a8631e8L,0x8de855de7a213746L,0xb2056cb7b00c5f11L,
+        0xdeaefbd02c9b85e4L },
+      { 0x03f39a8dd150892dL,0x37b84686218b7985L,0x36296dd8b7375f1aL,
+        0x472cd4b1b78e898eL } },
+    /* 29 << 245 */
+    { { 0x15dff651e9f05de9L,0xd40450692ce98ba9L,0x8466a7ae9b38024cL,
+        0xb910e700e5a6b5efL },
+      { 0xae1c56eab3aa8f0dL,0xbab2a5077eee74a6L,0x0dca11e24b4c4620L,
+        0xfd896e2e4c47d1f4L } },
+    /* 30 << 245 */
+    { { 0xeb45ae53308fbd93L,0x46cd5a2e02c36fdaL,0x6a3d4e90baa48385L,
+        0xdd55e62e9dbe9960L },
+      { 0xa1406aa02a81ede7L,0x6860dd14f9274ea7L,0xcfdcb0c280414f86L,
+        0xff410b1022f94327L } },
+    /* 31 << 245 */
+    { { 0x5a33cc3849ad467bL,0xefb48b6c0a7335f1L,0x14fb54a4b153a360L,
+        0x604aa9d2b52469ccL },
+      { 0x5e9dc486754e48e9L,0x693cb45537471e8eL,0xfb2fd7cd8d3b37b6L,
+        0x63345e16cf09ff07L } },
+    /* 32 << 245 */
+    { { 0x9910ba6b23a5d896L,0x1fe19e357fe4364eL,0x6e1da8c39a33c677L,
+        0x15b4488b29fd9fd0L },
+      { 0x1f4392541a1f22bfL,0x920a8a70ab8163e8L,0x3fd1b24907e5658eL,
+        0xf2c4f79cb6ec839bL } },
+    /* 33 << 245 */
+    { { 0x1abbc3d04aa38d1bL,0x3b0db35cb5d9510eL,0x1754ac783e60dec0L,
+        0x53272fd7ea099b33L },
+      { 0x5fb0494f07a8e107L,0x4a89e1376a8191faL,0xa113b7f63c4ad544L,
+        0x88a2e9096cb9897bL } },
+    /* 34 << 245 */
+    { { 0x17d55de3b44a3f84L,0xacb2f34417c6c690L,0x3208816810232390L,
+        0xf2e8a61f6c733bf7L },
+      { 0xa774aab69c2d7652L,0xfb5307e3ed95c5bcL,0xa05c73c24981f110L,
+        0x1baae31ca39458c9L } },
+    /* 35 << 245 */
+    { { 0x1def185bcbea62e7L,0xe8ac9eaeeaf63059L,0x098a8cfd9921851cL,
+        0xd959c3f13abe2f5bL },
+      { 0xa4f1952520e40ae5L,0x320789e307a24aa1L,0x259e69277392b2bcL,
+        0x58f6c6671918668bL } },
+    /* 36 << 245 */
+    { { 0xce1db2bbc55d2d8bL,0x41d58bb7f4f6ca56L,0x7650b6808f877614L,
+        0x905e16baf4c349edL },
+      { 0xed415140f661acacL,0x3b8784f0cb2270afL,0x3bc280ac8a402cbaL,
+        0xd53f71460937921aL } },
+    /* 37 << 245 */
+    { { 0xc03c8ee5e5681e83L,0x62126105f6ac9e4aL,0x9503a53f936b1a38L,
+        0x3d45e2d4782fecbdL },
+      { 0x69a5c43976e8ae98L,0xb53b2eebbfb4b00eL,0xf167471272386c89L,
+        0x30ca34a24268bce4L } },
+    /* 38 << 245 */
+    { { 0x7f1ed86c78341730L,0x8ef5beb8b525e248L,0xbbc489fdb74fbf38L,
+        0x38a92a0e91a0b382L },
+      { 0x7a77ba3f22433ccfL,0xde8362d6a29f05a9L,0x7f6a30ea61189afcL,
+        0x693b550559ef114fL } },
+    /* 39 << 245 */
+    { { 0x50266bc0cd1797a1L,0xea17b47ef4b7af2dL,0xd6c4025c3df9483eL,
+        0x8cbb9d9fa37b18c9L },
+      { 0x91cbfd9c4d8424cfL,0xdb7048f1ab1c3506L,0x9eaf641f028206a3L,
+        0xf986f3f925bdf6ceL } },
+    /* 40 << 245 */
+    { { 0x262143b5224c08dcL,0x2bbb09b481b50c91L,0xc16ed709aca8c84fL,
+        0xa6210d9db2850ca8L },
+      { 0x6d8df67a09cb54d6L,0x91eef6e0500919a4L,0x90f613810f132857L,
+        0x9acede47f8d5028bL } },
+    /* 41 << 245 */
+    { { 0x844d1b7190b771c3L,0x563b71e4ba6426beL,0x2efa2e83bdb802ffL,
+        0x3410cbabab5b4a41L },
+      { 0x555b2d2630da84ddL,0xd0711ae9ee1cc29aL,0xcf3e8c602f547792L,
+        0x03d7d5dedc678b35L } },
+    /* 42 << 245 */
+    { { 0x071a2fa8ced806b8L,0x222e6134697f1478L,0xdc16fd5dabfcdbbfL,
+        0x44912ebf121b53b8L },
+      { 0xac9436742496c27cL,0x8ea3176c1ffc26b0L,0xb6e224ac13debf2cL,
+        0x524cc235f372a832L } },
+    /* 43 << 245 */
+    { { 0xd706e1d89f6f1b18L,0x2552f00544cce35bL,0x8c8326c2a88e31fcL,
+        0xb5468b2cf9552047L },
+      { 0xce683e883ff90f2bL,0x77947bdf2f0a5423L,0xd0a1b28bed56e328L,
+        0xaee35253c20134acL } },
+    /* 44 << 245 */
+    { { 0x7e98367d3567962fL,0x379ed61f8188bffbL,0x73bba348faf130a1L,
+        0x6c1f75e1904ed734L },
+      { 0x189566423b4a79fcL,0xf20bc83d54ef4493L,0x836d425d9111eca1L,
+        0xe5b5c318009a8dcfL } },
+    /* 45 << 245 */
+    { { 0x3360b25d13221bc5L,0x707baad26b3eeaf7L,0xd7279ed8743a95a1L,
+        0x7450a875969e809fL },
+      { 0x32b6bd53e5d0338fL,0x1e77f7af2b883bbcL,0x90da12cc1063ecd0L,
+        0xe2697b58c315be47L } },
+    /* 46 << 245 */
+    { { 0x2771a5bdda85d534L,0x53e78c1fff980eeaL,0xadf1cf84900385e7L,
+        0x7d3b14f6c9387b62L },
+      { 0x170e74b0cb8f2bd2L,0x2d50b486827fa993L,0xcdbe8c9af6f32babL,
+        0x55e906b0c3b93ab8L } },
+    /* 47 << 245 */
+    { { 0x747f22fc8fe280d1L,0xcd8e0de5b2e114abL,0x5ab7dbebe10b68b0L,
+        0x9dc63a9ca480d4b2L },
+      { 0x78d4bc3b4be1495fL,0x25eb3db89359122dL,0x3f8ac05b0809cbdcL,
+        0xbf4187bbd37c702fL } },
+    /* 48 << 245 */
+    { { 0x84cea0691416a6a5L,0x8f860c7943ef881cL,0x41311f8a38038a5dL,
+        0xe78c2ec0fc612067L },
+      { 0x494d2e815ad73581L,0xb4cc9e0059604097L,0xff558aecf3612cbaL,
+        0x35beef7a9e36c39eL } },
+    /* 49 << 245 */
+    { { 0x1845c7cfdbcf41b9L,0x5703662aaea997c0L,0x8b925afee402f6d8L,
+        0xd0a1b1ae4dd72162L },
+      { 0x9f47b37503c41c4bL,0xa023829b0391d042L,0x5f5045c3503b8b0aL,
+        0x123c268898c010e5L } },
+    /* 50 << 245 */
+    { { 0x324ec0cc36ba06eeL,0xface31153dd2cc0cL,0xb364f3bef333e91fL,
+        0xef8aff7328e832b0L },
+      { 0x1e9bad042d05841bL,0x42f0e3df356a21e2L,0xa3270bcb4add627eL,
+        0xb09a8158d322e711L } },
+    /* 51 << 245 */
+    { { 0x86e326a10fee104aL,0xad7788f83703f65dL,0x7e76543047bc4833L,
+        0x6cee582b2b9b893aL },
+      { 0x9cd2a167e8f55a7bL,0xefbee3c6d9e4190dL,0x33ee7185d40c2e9dL,
+        0x844cc9c5a380b548L } },
+    /* 52 << 245 */
+    { { 0x323f8ecd66926e04L,0x0001e38f8110c1baL,0x8dbcac12fc6a7f07L,
+        0xd65e1d580cec0827L },
+      { 0xd2cd4141be76ca2dL,0x7895cf5ce892f33aL,0x956d230d367139d2L,
+        0xa91abd3ed012c4c1L } },
+    /* 53 << 245 */
+    { { 0x34fa488387eb36bfL,0xc5f07102914b8fb4L,0x90f0e579adb9c95fL,
+        0xfe6ea8cb28888195L },
+      { 0x7b9b5065edfa9284L,0x6c510bd22b8c8d65L,0xd7b8ebefcbe8aafdL,
+        0xedb3af9896b1da07L } },
+    /* 54 << 245 */
+    { { 0x28ff779d6295d426L,0x0c4f6ac73fa3ad7bL,0xec44d0548b8e2604L,
+        0x9b32a66d8b0050e1L },
+      { 0x1f943366f0476ce2L,0x7554d953a602c7b4L,0xbe35aca6524f2809L,
+        0xb6881229fd4edbeaL } },
+    /* 55 << 245 */
+    { { 0xe8cd0c8f508efb63L,0x9eb5b5c86abcefc7L,0xf5621f5fb441ab4fL,
+        0x79e6c046b76a2b22L },
+      { 0x74a4792ce37a1f69L,0xcbd252cb03542b60L,0x785f65d5b3c20bd3L,
+        0x8dea61434fabc60cL } },
+    /* 56 << 245 */
+    { { 0x45e21446de673629L,0x57f7aa1e703c2d21L,0xa0e99b7f98c868c7L,
+        0x4e42f66d8b641676L },
+      { 0x602884dc91077896L,0xa0d690cfc2c9885bL,0xfeb4da333b9a5187L,
+        0x5f789598153c87eeL } },
+    /* 57 << 245 */
+    { { 0x2192dd4752b16dbaL,0xdeefc0e63524c1b1L,0x465ea76ee4383693L,
+        0x79401711361b8d98L },
+      { 0xa5f9ace9f21a15cbL,0x73d26163efee9aebL,0xcca844b3e677016cL,
+        0x6c122b0757eaee06L } },
+    /* 58 << 245 */
+    { { 0xb782dce715f09690L,0x508b9b122dfc0fc9L,0x9015ab4b65d89fc6L,
+        0x5e79dab7d6d5bb0fL },
+      { 0x64f021f06c775aa2L,0xdf09d8cc37c7eca1L,0x9a761367ef2fa506L,
+        0xed4ca4765b81eec6L } },
+    /* 59 << 245 */
+    { { 0x262ede3610bbb8b5L,0x0737ce830641ada3L,0x4c94288ae9831cccL,
+        0x487fc1ce8065e635L },
+      { 0xb13d7ab3b8bb3659L,0xdea5df3e855e4120L,0xb9a1857385eb0244L,
+        0x1a1b8ea3a7cfe0a3L } },
+    /* 60 << 245 */
+    { { 0x3b83711967b0867cL,0x8d5e0d089d364520L,0x52dccc1ed930f0e3L,
+        0xefbbcec7bf20bbafL },
+      { 0x99cffcab0263ad10L,0xd8199e6dfcd18f8aL,0x64e2773fe9f10617L,
+        0x0079e8e108704848L } },
+    /* 61 << 245 */
+    { { 0x1169989f8a342283L,0x8097799ca83012e6L,0xece966cb8a6a9001L,
+        0x93b3afef072ac7fcL },
+      { 0xe6893a2a2db3d5baL,0x263dc46289bf4fdcL,0x8852dfc9e0396673L,
+        0x7ac708953af362b6L } },
+    /* 62 << 245 */
+    { { 0xbb9cce4d5c2f342bL,0xbf80907ab52d7aaeL,0x97f3d3cd2161bcd0L,
+        0xb25b08340962744dL },
+      { 0xc5b18ea56c3a1ddaL,0xfe4ec7eb06c92317L,0xb787b890ad1c4afeL,
+        0xdccd9a920ede801aL } },
+    /* 63 << 245 */
+    { { 0x9ac6dddadb58da1fL,0x22bbc12fb8cae6eeL,0xc6f8bced815c4a43L,
+        0x8105a92cf96480c7L },
+      { 0x0dc3dbf37a859d51L,0xe3ec7ce63041196bL,0xd9f64b250d1067c9L,
+        0xf23213213d1f8dd8L } },
+    /* 64 << 245 */
+    { { 0x8b5c619c76497ee8L,0x5d2b0ac6c717370eL,0x98204cb64fcf68e1L,
+        0x0bdec21162bc6792L },
+      { 0x6973ccefa63b1011L,0xf9e3fa97e0de1ac5L,0x5efb693e3d0e0c8bL,
+        0x037248e9d2d4fcb4L } },
+    /* 0 << 252 */
+    { { 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 << 252 */
+    { { 0x80802dc91ec34f9eL,0xd8772d3533810603L,0x3f06d66c530cb4f3L,
+        0x7be5ed0dc475c129L },
+      { 0xcb9e3c1931e82b10L,0xc63d2857c9ff6b4cL,0xb92118c692a1b45eL,
+        0x0aec44147285bbcaL } },
+    /* 2 << 252 */
+    { { 0xfc189ae71e29a3efL,0xcbe906f04c93302eL,0xd0107914ceaae10eL,
+        0xb7a23f34b68e19f8L },
+      { 0xe9d875c2efd2119dL,0x03198c6efcadc9c8L,0x65591bf64da17113L,
+        0x3cf0bbf83d443038L } },
+    /* 3 << 252 */
+    { { 0xae485bb72b724759L,0x945353e1b2d4c63aL,0x82159d07de7d6f2cL,
+        0x389caef34ec5b109L },
+      { 0x4a8ebb53db65ef14L,0x2dc2cb7edd99de43L,0x816fa3ed83f2405fL,
+        0x73429bb9c14208a3L } },
+    /* 4 << 252 */
+    { { 0xb618d590b01e6e27L,0x047e2ccde180b2dcL,0xd1b299b504aea4a9L,
+        0x412c9e1e9fa403a4L },
+      { 0x88d28a3679407552L,0x49c50136f332b8e3L,0x3a1b6fcce668de19L,
+        0x178851bc75122b97L } },
+    /* 5 << 252 */
+    { { 0xb1e13752fb85fa4cL,0xd61257ce383c8ce9L,0xd43da670d2f74daeL,
+        0xa35aa23fbf846bbbL },
+      { 0x5e74235d4421fc83L,0xf6df8ee0c363473bL,0x34d7f52a3c4aa158L,
+        0x50d05aab9bc6d22eL } },
+    /* 6 << 252 */
+    { { 0x8c56e735a64785f4L,0xbc56637b5f29cd07L,0x53b2bb803ee35067L,
+        0x50235a0fdc919270L },
+      { 0x191ab6d8f2c4aa65L,0xc34758318396023bL,0x80400ba5f0f805baL,
+        0x8881065b5ec0f80fL } },
+    /* 7 << 252 */
+    { { 0xc370e522cc1b5e83L,0xde2d4ad1860b8bfbL,0xad364df067b256dfL,
+        0x8f12502ee0138997L },
+      { 0x503fa0dc7783920aL,0xe80014adc0bc866aL,0x3f89b744d3064ba6L,
+        0x03511dcdcba5dba5L } },
+    /* 8 << 252 */
+    { { 0x197dd46d95a7b1a2L,0x9c4e7ad63c6341fbL,0x426eca29484c2eceL,
+        0x9211e489de7f4f8aL },
+      { 0x14997f6ec78ef1f4L,0x2b2c091006574586L,0x17286a6e1c3eede8L,
+        0x25f92e470f60e018L } },
+    /* 9 << 252 */
+    { { 0x805c564631890a36L,0x703ef60057feea5bL,0x389f747caf3c3030L,
+        0xe0e5daeb54dd3739L },
+      { 0xfe24a4c3c9c9f155L,0x7e4bf176b5393962L,0x37183de2af20bf29L,
+        0x4a1bd7b5f95a8c3bL } },
+    /* 10 << 252 */
+    { { 0xa83b969946191d3dL,0x281fc8dd7b87f257L,0xb18e2c1354107588L,
+        0x6372def79b2bafe8L },
+      { 0xdaf4bb480d8972caL,0x3f2dd4b756167a3fL,0x1eace32d84310cf4L,
+        0xe3bcefafe42700aaL } },
+    /* 11 << 252 */
+    { { 0x5fe5691ed785e73dL,0xa5db5ab62ea60467L,0x02e23d41dfc6514aL,
+        0x35e8048ee03c3665L },
+      { 0x3f8b118f1adaa0f8L,0x28ec3b4584ce1a5aL,0xe8cacc6e2c6646b8L,
+        0x1343d185dbd0e40fL } },
+    /* 12 << 252 */
+    { { 0xe5d7f844caaa358cL,0x1a1db7e49924182aL,0xd64cd42d9c875d9aL,
+        0xb37b515f042eeec8L },
+      { 0x4d4dd4097b165fbeL,0xfc322ed9e206eff3L,0x7dee410259b7e17eL,
+        0x55a481c08236ca00L } },
+    /* 13 << 252 */
+    { { 0x8c885312c23fc975L,0x1571580605d6297bL,0xa078868ef78edd39L,
+        0x956b31e003c45e52L },
+      { 0x470275d5ff7b33a6L,0xc8d5dc3a0c7e673fL,0x419227b47e2f2598L,
+        0x8b37b6344c14a975L } },
+    /* 14 << 252 */
+    { { 0xd0667ed68b11888cL,0x5e0e8c3e803e25dcL,0x34e5d0dcb987a24aL,
+        0x9f40ac3bae920323L },
+      { 0x5463de9534e0f63aL,0xa128bf926b6328f9L,0x491ccd7cda64f1b7L,
+        0x7ef1ec27c47bde35L } },
+    /* 15 << 252 */
+    { { 0xa857240fa36a2737L,0x35dc136663621bc1L,0x7a3a6453d4fb6897L,
+        0x80f1a439c929319dL },
+      { 0xfc18274bf8cb0ba0L,0xb0b537668078c5ebL,0xfb0d49241e01d0efL,
+        0x50d7c67d372ab09cL } },
+    /* 16 << 252 */
+    { { 0xb4e370af3aeac968L,0xe4f7fee9c4b63266L,0xb4acd4c2e3ac5664L,
+        0xf8910bd2ceb38cbfL },
+      { 0x1c3ae50cc9c0726eL,0x15309569d97b40bfL,0x70884b7ffd5a5a1bL,
+        0x3890896aef8314cdL } },
+    /* 17 << 252 */
+    { { 0x58e1515ca5618c93L,0xe665432b77d942d1L,0xb32181bfb6f767a8L,
+        0x753794e83a604110L },
+      { 0x09afeb7ce8c0dbccL,0x31e02613598673a3L,0x5d98e5577d46db00L,
+        0xfc21fb8c9d985b28L } },
+    /* 18 << 252 */
+    { { 0xc9040116b0843e0bL,0x53b1b3a869b04531L,0xdd1649f085d7d830L,
+        0xbb3bcc87cb7427e8L },
+      { 0x77261100c93dce83L,0x7e79da61a1922a2aL,0x587a2b02f3149ce8L,
+        0x147e1384de92ec83L } },
+    /* 19 << 252 */
+    { { 0x484c83d3af077f30L,0xea78f8440658b53aL,0x912076c2027aec53L,
+        0xf34714e393c8177dL },
+      { 0x37ef5d15c2376c84L,0x8315b6593d1aa783L,0x3a75c484ef852a90L,
+        0x0ba0c58a16086bd4L } },
+    /* 20 << 252 */
+    { { 0x29688d7a529a6d48L,0x9c7f250dc2f19203L,0x123042fb682e2df9L,
+        0x2b7587e7ad8121bcL },
+      { 0x30fc0233e0182a65L,0xb82ecf87e3e1128aL,0x7168286193fb098fL,
+        0x043e21ae85e9e6a7L } },
+    /* 21 << 252 */
+    { { 0xab5b49d666c834eaL,0x3be43e1847414287L,0xf40fb859219a2a47L,
+        0x0e6559e9cc58df3cL },
+      { 0xfe1dfe8e0c6615b4L,0x14abc8fd56459d70L,0x7be0fa8e05de0386L,
+        0x8e63ef68e9035c7cL } },
+    /* 22 << 252 */
+    { { 0x116401b453b31e91L,0x0cba7ad44436b4d8L,0x9151f9a0107afd66L,
+        0xafaca8d01f0ee4c4L },
+      { 0x75fe5c1d9ee9761cL,0x3497a16bf0c0588fL,0x3ee2bebd0304804cL,
+        0xa8fb9a60c2c990b9L } },
+    /* 23 << 252 */
+    { { 0xd14d32fe39251114L,0x36bf25bccac73366L,0xc9562c66dba7495cL,
+        0x324d301b46ad348bL },
+      { 0x9f46620cd670407eL,0x0ea8d4f1e3733a01L,0xd396d532b0c324e0L,
+        0x5b211a0e03c317cdL } },
+    /* 24 << 252 */
+    { { 0x090d7d205ffe7b37L,0x3b7f3efb1747d2daL,0xa2cb525fb54fc519L,
+        0x6e220932f66a971eL },
+      { 0xddc160dfb486d440L,0x7fcfec463fe13465L,0x83da7e4e76e4c151L,
+        0xd6fa48a1d8d302b5L } },
+    /* 25 << 252 */
+    { { 0xc6304f265872cd88L,0x806c1d3c278b90a1L,0x3553e725caf0bc1cL,
+        0xff59e603bb9d8d5cL },
+      { 0xa4550f327a0b85ddL,0xdec5720a93ecc217L,0x0b88b74169d62213L,
+        0x7212f2455b365955L } },
+    /* 26 << 252 */
+    { { 0x20764111b5cae787L,0x13cb7f581dfd3124L,0x2dca77da1175aefbL,
+        0xeb75466bffaae775L },
+      { 0x74d76f3bdb6cff32L,0x7440f37a61fcda9aL,0x1bb3ac92b525028bL,
+        0x20fbf8f7a1975f29L } },
+    /* 27 << 252 */
+    { { 0x982692e1df83097fL,0x28738f6c554b0800L,0xdc703717a2ce2f2fL,
+        0x7913b93c40814194L },
+      { 0x049245931fe89636L,0x7b98443ff78834a6L,0x11c6ab015114a5a1L,
+        0x60deb383ffba5f4cL } },
+    /* 28 << 252 */
+    { { 0x4caa54c601a982e6L,0x1dd35e113491cd26L,0x973c315f7cbd6b05L,
+        0xcab0077552494724L },
+      { 0x04659b1f6565e15aL,0xbf30f5298c8fb026L,0xfc21641ba8a0de37L,
+        0xe9c7a366fa5e5114L } },
+    /* 29 << 252 */
+    { { 0xdb849ca552f03ad8L,0xc7e8dbe9024e35c0L,0xa1a2bbaccfc3c789L,
+        0xbf733e7d9c26f262L },
+      { 0x882ffbf5b8444823L,0xb7224e886bf8483bL,0x53023b8b65bef640L,
+        0xaabfec91d4d5f8cdL } },
+    /* 30 << 252 */
+    { { 0xa40e1510079ea1bdL,0x1ad9addcd05d5d26L,0xdb3f2eab13e68d4fL,
+        0x1cff1ae2640f803fL },
+      { 0xe0e7b749d4cee117L,0x8e9f275b4036d909L,0xce34e31d8f4d4c38L,
+        0x22b37f69d75130fcL } },
+    /* 31 << 252 */
+    { { 0x83e0f1fdb4014604L,0xa8ce991989415078L,0x82375b7541792efeL,
+        0x4f59bf5c97d4515bL },
+      { 0xac4f324f923a277dL,0xd9bc9b7d650f3406L,0xc6fa87d18a39bc51L,
+        0x825885305ccc108fL } },
+    /* 32 << 252 */
+    { { 0x5ced3c9f82e4c634L,0x8efb83143a4464f8L,0xe706381b7a1dca25L,
+        0x6cd15a3c5a2a412bL },
+      { 0x9347a8fdbfcd8fb5L,0x31db2eef6e54cd22L,0xc4aeb11ef8d8932fL,
+        0x11e7c1ed344411afL } },
+    /* 33 << 252 */
+    { { 0x2653050cdc9a151eL,0x9edbfc083bb0a859L,0x926c81c7fd5691e7L,
+        0x9c1b23426f39019aL },
+      { 0x64a81c8b7f8474b9L,0x90657c0701761819L,0x390b333155e0375aL,
+        0xc676c626b6ebc47dL } },
+    /* 34 << 252 */
+    { { 0x51623247b7d6dee8L,0x0948d92779659313L,0x99700161e9ab35edL,
+        0x06cc32b48ddde408L },
+      { 0x6f2fd664061ef338L,0x1606fa02c202e9edL,0x55388bc1929ba99bL,
+        0xc4428c5e1e81df69L } },
+    /* 35 << 252 */
+    { { 0xce2028aef91b0b2aL,0xce870a23f03dfd3fL,0x66ec2c870affe8edL,
+        0xb205fb46284d0c00L },
+      { 0xbf5dffe744cefa48L,0xb6fc37a8a19876d7L,0xbecfa84c08b72863L,
+        0xd7205ff52576374fL } },
+    /* 36 << 252 */
+    { { 0x80330d328887de41L,0x5de0df0c869ea534L,0x13f427533c56ea17L,
+        0xeb1f6069452b1a78L },
+      { 0x50474396e30ea15cL,0x575816a1c1494125L,0xbe1ce55bfe6bb38fL,
+        0xb901a94896ae30f7L } },
+    /* 37 << 252 */
+    { { 0xe5af0f08d8fc3548L,0x5010b5d0d73bfd08L,0x993d288053fe655aL,
+        0x99f2630b1c1309fdL },
+      { 0xd8677bafb4e3b76fL,0x14e51ddcb840784bL,0x326c750cbf0092ceL,
+        0xc83d306bf528320fL } },
+    /* 38 << 252 */
+    { { 0xc445671577d4715cL,0xd30019f96b703235L,0x207ccb2ed669e986L,
+        0x57c824aff6dbfc28L },
+      { 0xf0eb532fd8f92a23L,0x4a557fd49bb98fd2L,0xa57acea7c1e6199aL,
+        0x0c6638208b94b1edL } },
+    /* 39 << 252 */
+    { { 0x9b42be8ff83a9266L,0xc7741c970101bd45L,0x95770c1107bd9cebL,
+        0x1f50250a8b2e0744L },
+      { 0xf762eec81477b654L,0xc65b900e15efe59aL,0x88c961489546a897L,
+        0x7e8025b3c30b4d7cL } },
+    /* 40 << 252 */
+    { { 0xae4065ef12045cf9L,0x6fcb2caf9ccce8bdL,0x1fa0ba4ef2cf6525L,
+        0xf683125dcb72c312L },
+      { 0xa01da4eae312410eL,0x67e286776cd8e830L,0xabd9575298fb3f07L,
+        0x05f11e11eef649a5L } },
+    /* 41 << 252 */
+    { { 0xba47faef9d3472c2L,0x3adff697c77d1345L,0x4761fa04dd15afeeL,
+        0x64f1f61ab9e69462L },
+      { 0xfa691fab9bfb9093L,0x3df8ae8fa1133dfeL,0xcd5f896758cc710dL,
+        0xfbb88d5016c7fe79L } },
+    /* 42 << 252 */
+    { { 0x8e011b4ce88c50d1L,0x7532e807a8771c4fL,0x64c78a48e2278ee4L,
+        0x0b283e833845072aL },
+      { 0x98a6f29149e69274L,0xb96e96681868b21cL,0x38f0adc2b1a8908eL,
+        0x90afcff71feb829dL } },
+    /* 43 << 252 */
+    { { 0x9915a383210b0856L,0xa5a80602def04889L,0x800e9af97c64d509L,
+        0x81382d0bb8996f6fL },
+      { 0x490eba5381927e27L,0x46c63b324af50182L,0x784c5fd9d3ad62ceL,
+        0xe4fa1870f8ae8736L } },
+    /* 44 << 252 */
+    { { 0x4ec9d0bcd7466b25L,0x84ddbe1adb235c65L,0x5e2645ee163c1688L,
+        0x570bd00e00eba747L },
+      { 0xfa51b629128bfa0fL,0x92fce1bd6c1d3b68L,0x3e7361dcb66778b1L,
+        0x9c7d249d5561d2bbL } },
+    /* 45 << 252 */
+    { { 0xa40b28bf0bbc6229L,0x1c83c05edfd91497L,0x5f9f5154f083df05L,
+        0xbac38b3ceee66c9dL },
+      { 0xf71db7e3ec0dfcfdL,0xf2ecda8e8b0a8416L,0x52fddd867812aa66L,
+        0x2896ef104e6f4272L } },
+    /* 46 << 252 */
+    { { 0xff27186a0fe9a745L,0x08249fcd49ca70dbL,0x7425a2e6441cac49L,
+        0xf4a0885aece5ff57L },
+      { 0x6e2cb7317d7ead58L,0xf96cf7d61898d104L,0xafe67c9d4f2c9a89L,
+        0x89895a501c7bf5bcL } },
+    /* 47 << 252 */
+    { { 0xdc7cb8e5573cecfaL,0x66497eaed15f03e6L,0x6bc0de693f084420L,
+        0x323b9b36acd532b0L },
+      { 0xcfed390a0115a3c1L,0x9414c40b2d65ca0eL,0x641406bd2f530c78L,
+        0x29369a44833438f2L } },
+    /* 48 << 252 */
+    { { 0x996884f5903fa271L,0xe6da0fd2b9da921eL,0xa6f2f2695db01e54L,
+        0x1ee3e9bd6876214eL },
+      { 0xa26e181ce27a9497L,0x36d254e48e215e04L,0x42f32a6c252cabcaL,
+        0x9948148780b57614L } },
+    /* 49 << 252 */
+    { { 0x4c4dfe6940d9cae1L,0x0586958011a10f09L,0xca287b573491b64bL,
+        0x77862d5d3fd4a53bL },
+      { 0xbf94856e50349126L,0x2be30bd171c5268fL,0x10393f19cbb650a6L,
+        0x639531fe778cf9fdL } },
+    /* 50 << 252 */
+    { { 0x02556a11b2935359L,0xda38aa96af8c126eL,0x47dbe6c20960167fL,
+        0x37bbabb6501901cdL },
+      { 0xb6e979e02c947778L,0xd69a51757a1a1dc6L,0xc3ed50959d9faf0cL,
+        0x4dd9c0961d5fa5f0L } },
+    /* 51 << 252 */
+    { { 0xa0c4304d64f16ea8L,0x8b1cac167e718623L,0x0b5765467c67f03eL,
+        0x559cf5adcbd88c01L },
+      { 0x074877bb0e2af19aL,0x1f717ec1a1228c92L,0x70bcb800326e8920L,
+        0xec6e2c5c4f312804L } },
+    /* 52 << 252 */
+    { { 0x426aea7d3fca4752L,0xf12c09492211f62aL,0x24beecd87be7b6b5L,
+        0xb77eaf4c36d7a27dL },
+      { 0x154c2781fda78fd3L,0x848a83b0264eeabeL,0x81287ef04ffe2bc4L,
+        0x7b6d88c6b6b6fc2aL } },
+    /* 53 << 252 */
+    { { 0x805fb947ce417d99L,0x4b93dcc38b916cc4L,0x72e65bb321273323L,
+        0xbcc1badd6ea9886eL },
+      { 0x0e2230114bc5ee85L,0xa561be74c18ee1e4L,0x762fd2d4a6bcf1f1L,
+        0x50e6a5a495231489L } },
+    /* 54 << 252 */
+    { { 0xca96001fa00b500bL,0x5c098cfc5d7dcdf5L,0xa64e2d2e8c446a85L,
+        0xbae9bcf1971f3c62L },
+      { 0x4ec226838435a2c5L,0x8ceaed6c4bad4643L,0xe9f8fb47ccccf4e3L,
+        0xbd4f3fa41ce3b21eL } },
+    /* 55 << 252 */
+    { { 0xd79fb110a3db3292L,0xe28a37dab536c66aL,0x279ce87b8e49e6a9L,
+        0x70ccfe8dfdcec8e3L },
+      { 0x2193e4e03ba464b2L,0x0f39d60eaca9a398L,0x7d7932aff82c12abL,
+        0xd8ff50ed91e7e0f7L } },
+    /* 56 << 252 */
+    { { 0xea961058fa28a7e0L,0xc726cf250bf5ec74L,0xe74d55c8db229666L,
+        0x0bd9abbfa57f5799L },
+      { 0x7479ef074dfc47b3L,0xd9c65fc30c52f91dL,0x8e0283fe36a8bde2L,
+        0xa32a8b5e7d4b7280L } },
+    /* 57 << 252 */
+    { { 0x6a677c6112e83233L,0x0fbb3512dcc9bf28L,0x562e8ea50d780f61L,
+        0x0db8b22b1dc4e89cL },
+      { 0x0a6fd1fb89be0144L,0x8c77d246ca57113bL,0x4639075dff09c91cL,
+        0x5b47b17f5060824cL } },
+    /* 58 << 252 */
+    { { 0x58aea2b016287b52L,0xa1343520d0cd8eb0L,0x6148b4d0c5d58573L,
+        0xdd2b6170291c68aeL },
+      { 0xa61b39291da3b3b7L,0x5f946d7908c4ac10L,0x4105d4a57217d583L,
+        0x5061da3d25e6de5eL } },
+    /* 59 << 252 */
+    { { 0x3113940dec1b4991L,0xf12195e136f485aeL,0xa7507fb2731a2ee0L,
+        0x95057a8e6e9e196eL },
+      { 0xa3c2c9112e130136L,0x97dfbb3633c60d15L,0xcaf3c581b300ee2bL,
+        0x77f25d90f4bac8b8L } },
+    /* 60 << 252 */
+    { { 0xdb1c4f986d840cd6L,0x471d62c0e634288cL,0x8ec2f85ecec8a161L,
+        0x41f37cbcfa6f4ae2L },
+      { 0x6793a20f4b709985L,0x7a7bd33befa8985bL,0x2c6a3fbd938e6446L,
+        0x190426192a8d47c1L } },
+    /* 61 << 252 */
+    { { 0x16848667cc36975fL,0x02acf1689d5f1dfbL,0x62d41ad4613baa94L,
+        0xb56fbb929f684670L },
+      { 0xce610d0de9e40569L,0x7b99c65f35489fefL,0x0c88ad1b3df18b97L,
+        0x81b7d9be5d0e9edbL } },
+    /* 62 << 252 */
+    { { 0xd85218c0c716cc0aL,0xf4b5ff9085691c49L,0xa4fd666bce356ac6L,
+        0x17c728954b327a7aL },
+      { 0xf93d5085da6be7deL,0xff71530e3301d34eL,0x4cd96442d8f448e8L,
+        0x9283d3312ed18ffaL } },
+    /* 63 << 252 */
+    { { 0x4d33dd992a849870L,0xa716964b41576335L,0xff5e3a9b179be0e5L,
+        0x5b9d6b1b83b13632L },
+      { 0x3b8bd7d4a52f313bL,0xc9dd95a0637a4660L,0x300359620b3e218fL,
+        0xce1481a3c7b28a3cL } },
+    /* 64 << 252 */
+    { { 0xab41b43a43228d83L,0x24ae1c304ad63f99L,0x8e525f1a46a51229L,
+        0x14af860fcd26d2b4L },
+      { 0xd6baef613f714aa1L,0xf51865adeb78795eL,0xd3e21fcee6a9d694L,
+        0x82ceb1dd8a37b527L } },
+};
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_add_only_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit tmpd[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[37];
+    int err;
+
+    (void)g;
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    tmp = tmpd;
+#endif
+    negy = tmp;
+
+    if (err == MP_OKAY) {
+        sp_256_ecc_recode_7_4(k, v);
+
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        i = 36;
+        XMEMCPY(rt->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+        XMEMCPY(rt->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+        rt->infinity = !v[i].i;
+        for (--i; i>=0; i--) {
+            XMEMCPY(p->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+            XMEMCPY(p->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+            p->infinity = !v[i].i;
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, 0 - v[i].neg);
+            sp_256_proj_point_add_qz1_4(rt, rt, p, tmp);
+        }
+        if (map != 0) {
+            sp_256_map_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 4 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(sp_digit) * 2 * 4 * 5);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return MP_OKAY;
+}
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_add_only_4(r, NULL, p256_table,
+                                      k, map, heap);
+}
+
+#ifdef HAVE_INTEL_AVX2
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_add_only_avx2_4(sp_point_256* r, const sp_point_256* g,
+        const sp_table_entry_256* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 rtd;
+    sp_point_256 pd;
+    sp_digit tmpd[2 * 4 * 5];
+#endif
+    sp_point_256* rt;
+    sp_point_256* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_256 v[37];
+    int err;
+
+    (void)g;
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_256_point_new_4(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    tmp = tmpd;
+#endif
+    negy = tmp;
+
+    if (err == MP_OKAY) {
+        sp_256_ecc_recode_7_4(k, v);
+
+        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
+        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));
+
+        i = 36;
+        XMEMCPY(rt->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+        XMEMCPY(rt->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+        rt->infinity = !v[i].i;
+        for (--i; i>=0; i--) {
+            XMEMCPY(p->x, table[i * 65 + v[i].i].x, sizeof(table->x));
+            XMEMCPY(p->y, table[i * 65 + v[i].i].y, sizeof(table->y));
+            p->infinity = !v[i].i;
+            sp_256_sub_4(negy, p256_mod, p->y);
+            sp_256_cond_copy_4(p->y, negy, 0 - v[i].neg);
+            sp_256_proj_point_add_qz1_avx2_4(rt, rt, p, tmp);
+        }
+        if (map != 0) {
+            sp_256_map_avx2_4(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_256));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XMEMSET(tmp, 0, sizeof(sp_digit) * 2 * 4 * 5);
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    ForceZero(tmp, sizeof(sp_digit) * 2 * 4 * 5);
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(rt, 0, heap);
+
+    return MP_OKAY;
+}
+
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_256_ecc_mulmod_base_avx2_4(sp_point_256* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_256_ecc_mulmod_add_only_avx2_4(r, NULL, p256_table,
+                                      k, map, heap);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* WOLFSSL_SP_SMALL */
+/* Multiply the base point of P256 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_256(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, km);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_base_avx2_4(point, k, map, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_base_4(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_256_iszero_4(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+extern void sp_256_add_one_4(sp_digit* a);
+extern void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n);
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_256_ecc_gen_k_4(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[32];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_256_from_bin(k, 4, buf, (int)sizeof(buf));
+            if (sp_256_cmp_4(k, p256_order2) < 0) {
+                sp_256_add_one_4(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256 inf;
+#endif
+#endif
+    sp_point_256* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_256* infinity;
+#endif
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_ecc_gen_k_4(rng, k);
+    }
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_base_avx2_4(point, k, 1, NULL);
+        else
+#endif
+            err = sp_256_ecc_mulmod_base_4(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            err = sp_256_ecc_mulmod_avx2_4(infinity, point, p256_order, 1,
+                                                                          NULL);
+        }
+        else
+#endif
+            err = sp_256_ecc_mulmod_4(infinity, point, p256_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_256_iszero_4(point->x) == 0) || (sp_256_iszero_4(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_point_to_ecc_point_4(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_256_point_free_4(infinity, 1, heap);
+#endif
+    sp_256_point_free_4(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+extern void sp_256_to_bin(sp_digit* r, byte* a);
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_256(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 p;
+    sp_digit kd[4];
+#endif
+    sp_point_256* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (*outLen < 32U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(k, 4, priv);
+        sp_256_point_from_ecc_point_4(point, pub);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_avx2_4(point, point, k, 1, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_4(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_256_to_bin(point->x, out);
+        *outLen = 32;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+extern sp_digit sp_256_add_4(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+extern void sp_256_mul_4(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#ifdef HAVE_INTEL_AVX2
+extern void sp_256_mul_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#endif /* HAVE_INTEL_AVX2 */
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+extern sp_digit sp_256_sub_in_place_4(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_256_cond_sub_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_256_mul_d_4(sp_digit* r, const sp_digit* a, sp_digit b);
+extern void sp_256_mul_d_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_256_word_4(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_256_mask_4(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<4; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_div_4(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[8], t2[5];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[3];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 4);
+    r1 = sp_256_cmp_4(&t1[4], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_256_cond_sub_avx2_4(&t1[4], &t1[4], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_256_cond_sub_4(&t1[4], &t1[4], d, (sp_digit)0 - r1);
+    for (i=3; i>=0; i--) {
+        r1 = div_256_word_4(t1[4 + i], t1[4 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_256_mul_d_avx2_4(t2, d, r1);
+        else
+#endif
+            sp_256_mul_d_4(t2, d, r1);
+        t1[4 + i] += sp_256_sub_in_place_4(&t1[i], t2);
+        t1[4 + i] -= t2[4];
+        sp_256_mask_4(t2, d, t1[4 + i]);
+        t1[4 + i] += sp_256_add_4(&t1[i], &t1[i], t2);
+        sp_256_mask_4(t2, d, t1[4 + i]);
+        t1[4 + i] += sp_256_add_4(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_256_cmp_4(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_256_cond_sub_avx2_4(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_256_cond_sub_4(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_256_mod_4(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_256_div_4(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+extern void sp_256_sqr_4(sp_digit* r, const sp_digit* a);
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P256 curve. */
+static const uint64_t p256_order_minus_2[4] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
+    0xffffffff00000000U
+};
+#else
+/* The low half of the order-2 of the P256 curve. */
+static const uint64_t p256_order_low[2] = {
+    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_4(r, a, b);
+    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_4(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_4(r, a);
+    sp_256_mont_reduce_order_4(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_4(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_4(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_4(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_4(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_4(t, t);
+        if ((p256_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_4(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_4(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_4(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_4(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_4(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_4(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_4(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_4(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_4(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_4(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_4(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    sp_256_mont_mul_order_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_4(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_4(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef HAVE_INTEL_AVX2
+extern void sp_256_sqr_avx2_4(sp_digit* r, const sp_digit* a);
+#define sp_256_mont_reduce_order_avx2_4    sp_256_mont_reduce_avx2_4
+
+extern void sp_256_mont_reduce_avx2_4(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_256_mont_mul_order_avx2_4(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_256_mul_avx2_4(r, a, b);
+    sp_256_mont_reduce_order_avx2_4(r, p256_order, p256_mp_order);
+}
+
+/* Square number mod the order of P256 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_order_avx2_4(sp_digit* r, const sp_digit* a)
+{
+    sp_256_sqr_avx2_4(r, a);
+    sp_256_mont_reduce_order_avx2_4(r, p256_order, p256_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P256 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_256_mont_sqr_n_order_avx2_4(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_256_mont_sqr_order_avx2_4(r, a);
+    for (i=1; i<n; i++) {
+        sp_256_mont_sqr_order_avx2_4(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_256_mont_inv_order_avx2_4(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 4);
+    for (i=254; i>=0; i--) {
+        sp_256_mont_sqr_order_avx2_4(t, t);
+        if ((p256_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_avx2_4(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 4U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 4;
+    sp_digit* t3 = td + 4 * 4;
+    int i;
+
+    /* t = a^2 */
+    sp_256_mont_sqr_order_avx2_4(t, a);
+    /* t = a^3 = t * a */
+    sp_256_mont_mul_order_avx2_4(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t, 2);
+    /* t3= a^f = t2 * t */
+    sp_256_mont_mul_order_avx2_4(t3, t2, t);
+    /* t2= a^f0 = t3 ^ 2 ^ 4 */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t3, 4);
+    /* t = a^ff = t2 * t3 */
+    sp_256_mont_mul_order_avx2_4(t, t2, t3);
+    /* t3= a^ff00 = t ^ 2 ^ 8 */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t, 8);
+    /* t = a^ffff = t2 * t */
+    sp_256_mont_mul_order_avx2_4(t, t2, t);
+    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t, 16);
+    /* t = a^ffffffff = t2 * t */
+    sp_256_mont_mul_order_avx2_4(t, t2, t);
+    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t, 64);
+    /* t2= a^ffffffff00000000ffffffff = t2 * t */
+    sp_256_mont_mul_order_avx2_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t2, 32);
+    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
+    sp_256_mont_mul_order_avx2_4(t2, t2, t);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
+    for (i=127; i>=112; i--) {
+        sp_256_mont_sqr_order_avx2_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_avx2_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t2, 4);
+    sp_256_mont_mul_order_avx2_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
+    for (i=107; i>=64; i--) {
+        sp_256_mont_sqr_order_avx2_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_avx2_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t2, 4);
+    sp_256_mont_mul_order_avx2_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
+    for (i=59; i>=32; i--) {
+        sp_256_mont_sqr_order_avx2_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_avx2_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t2, 4);
+    sp_256_mont_mul_order_avx2_4(t2, t2, t3);
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
+    for (i=27; i>=0; i--) {
+        sp_256_mont_sqr_order_avx2_4(t2, t2);
+        if (((sp_digit)p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_256_mont_mul_order_avx2_4(t2, t2, a);
+        }
+    }
+    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
+    sp_256_mont_sqr_n_order_avx2_4(t2, t2, 4);
+    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
+    sp_256_mont_mul_order_avx2_4(r, t2, t3);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 256 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*4];
+    sp_digit xd[2*4];
+    sp_digit kd[2*4];
+    sp_digit rd[2*4];
+    sp_digit td[3 * 2*4];
+    sp_point_256 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)heap;
+
+    err = sp_256_point_new_4(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 4;
+        x = d + 2 * 4;
+        k = d + 4 * 4;
+        r = d + 6 * 4;
+        tmp = d + 8 * 4;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(e, 4, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_256_from_mp(x, 4, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_256_ecc_gen_k_4(rng, k);
+        }
+        else {
+            sp_256_from_mp(k, 4, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_256_ecc_mulmod_base_avx2_4(point, k, 1, heap);
+            else
+#endif
+                err = sp_256_ecc_mulmod_base_4(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 4U);
+            sp_256_norm_4(r);
+            c = sp_256_cmp_4(r, p256_order);
+            sp_256_cond_sub_4(r, r, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_4(r);
+
+            /* Conv k to Montgomery form (mod order) */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_256_mul_avx2_4(k, k, p256_norm_order);
+            else
+#endif
+                sp_256_mul_4(k, k, p256_norm_order);
+            err = sp_256_mod_4(k, k, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_4(k);
+            /* kInv = 1/k mod order */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_256_mont_inv_order_avx2_4(kInv, k, tmp);
+            else
+#endif
+                sp_256_mont_inv_order_4(kInv, k, tmp);
+            sp_256_norm_4(kInv);
+
+            /* s = r * x + e */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_256_mul_avx2_4(x, x, r);
+            else
+#endif
+                sp_256_mul_4(x, x, r);
+            err = sp_256_mod_4(x, x, p256_order);
+        }
+        if (err == MP_OKAY) {
+            sp_256_norm_4(x);
+            carry = sp_256_add_4(s, e, x);
+            sp_256_cond_sub_4(s, s, p256_order, 0 - carry);
+            sp_256_norm_4(s);
+            c = sp_256_cmp_4(s, p256_order);
+            sp_256_cond_sub_4(s, s, p256_order, 0L - (sp_digit)(c >= 0));
+            sp_256_norm_4(s);
+
+            /* s = s * k^-1 mod order */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_256_mont_mul_order_avx2_4(s, s, kInv);
+            else
+#endif
+                sp_256_mont_mul_order_4(s, s, kInv);
+            sp_256_norm_4(s);
+
+            /* Check that signature is usable. */
+            if (sp_256_iszero_4(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 4);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 4U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 4U);
+#endif
+    sp_256_point_free_4(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_256(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*4];
+    sp_digit u2d[2*4];
+    sp_digit sd[2*4];
+    sp_digit tmpd[2*4 * 5];
+    sp_point_256 p1d;
+    sp_point_256 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_256* p1;
+    sp_point_256* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 4;
+        u2  = d + 2 * 4;
+        s   = d + 4 * 4;
+        tmp = d + 6 * 4;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 32U) {
+            hashLen = 32U;
+        }
+
+        sp_256_from_bin(u1, 4, hash, (int)hashLen);
+        sp_256_from_mp(u2, 4, r);
+        sp_256_from_mp(s, 4, sm);
+        sp_256_from_mp(p2->x, 4, pX);
+        sp_256_from_mp(p2->y, 4, pY);
+        sp_256_from_mp(p2->z, 4, pZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_256_mul_avx2_4(s, s, p256_norm_order);
+        }
+        else
+#endif
+        {
+            sp_256_mul_4(s, s, p256_norm_order);
+        }
+        err = sp_256_mod_4(s, s, p256_order);
+    }
+    if (err == MP_OKAY) {
+        sp_256_norm_4(s);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_256_mont_inv_order_avx2_4(s, s, tmp);
+            sp_256_mont_mul_order_avx2_4(u1, u1, s);
+            sp_256_mont_mul_order_avx2_4(u2, u2, s);
+        }
+        else
+#endif
+        {
+            sp_256_mont_inv_order_4(s, s, tmp);
+            sp_256_mont_mul_order_4(u1, u1, s);
+            sp_256_mont_mul_order_4(u2, u2, s);
+        }
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_base_avx2_4(p1, u1, 0, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_base_4(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_avx2_4(p2, p2, u2, 0, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_4(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_256_proj_point_add_avx2_4(p1, p1, p2, tmp);
+            if (sp_256_iszero_4(p1->z)) {
+                if (sp_256_iszero_4(p1->x) && sp_256_iszero_4(p1->y)) {
+                    sp_256_proj_point_dbl_avx2_4(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+        else
+#endif
+        {
+            sp_256_proj_point_add_4(p1, p1, p2, tmp);
+            if (sp_256_iszero_4(p1->z)) {
+                if (sp_256_iszero_4(p1->x) && sp_256_iszero_4(p1->y)) {
+                    sp_256_proj_point_dbl_4(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_256_from_mp(u2, 4, r);
+        err = sp_256_mod_mul_norm_4(u2, u2, p256_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_256_mont_sqr_4(p1->z, p1->z, p256_mod, p256_mp_mod);
+        sp_256_mont_mul_4(u1, u2, p1->z, p256_mod, p256_mp_mod);
+        *res = (int)(sp_256_cmp_4(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_256_from_mp(u2, 4, r);
+            carry = sp_256_add_4(u2, u2, p256_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_256_norm_4(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_256_cmp_4(u2, p256_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_256_mod_mul_norm_4(u2, u2, p256_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_256_mont_mul_4(u1, u2, p1->z, p256_mod,
+                                                                  p256_mp_mod);
+                        *res = (int)(sp_256_cmp_4(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_256_point_free_4(p1, 0, heap);
+    sp_256_point_free_4(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_256_ecc_is_point_4(sp_point_256* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*4];
+    sp_digit t2d[2*4];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 4;
+        t2 = d + 2 * 4;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_256_sqr_4(t1, point->y);
+        (void)sp_256_mod_4(t1, t1, p256_mod);
+        sp_256_sqr_4(t2, point->x);
+        (void)sp_256_mod_4(t2, t2, p256_mod);
+        sp_256_mul_4(t2, t2, point->x);
+        (void)sp_256_mod_4(t2, t2, p256_mod);
+        (void)sp_256_sub_4(t2, p256_mod, t2);
+        sp_256_mont_add_4(t1, t1, t2, p256_mod);
+
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+        sp_256_mont_add_4(t1, t1, point->x, p256_mod);
+
+        if (sp_256_cmp_4(t1, p256_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_256(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_256 pubd;
+#endif
+    sp_point_256* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_256_point_new_4(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_256_from_mp(pub->x, 4, pX);
+        sp_256_from_mp(pub->y, 4, pY);
+        sp_256_from_bin(pub->z, 4, one, (int)sizeof(one));
+
+        err = sp_256_ecc_is_point_4(pub, NULL);
+    }
+
+    sp_256_point_free_4(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_256(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[4];
+    sp_point_256 pubd;
+    sp_point_256 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_256* pub;
+    sp_point_256* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_256_from_mp(pub->x, 4, pX);
+        sp_256_from_mp(pub->y, 4, pY);
+        sp_256_from_bin(pub->z, 4, one, (int)sizeof(one));
+        sp_256_from_mp(priv, 4, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_256_iszero_4(pub->x) != 0) &&
+            (sp_256_iszero_4(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_256_cmp_4(pub->x, p256_mod) >= 0 ||
+            sp_256_cmp_4(pub->y, p256_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_256_ecc_is_point_4(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_avx2_4(p, pub, p256_order, 1, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_4(p, pub, p256_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_256_iszero_4(p->x) == 0) ||
+            (sp_256_iszero_4(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_256_ecc_mulmod_base_avx2_4(p, priv, 1, heap);
+        else
+#endif
+            err = sp_256_ecc_mulmod_base_4(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_256_cmp_4(p->x, pub->x) != 0 ||
+            sp_256_cmp_4(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, heap);
+    sp_256_point_free_4(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 5];
+    sp_point_256 pd;
+    sp_point_256 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    sp_point_256* q = NULL;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_256_point_new_4(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+        sp_256_from_mp(q->x, 4, qX);
+        sp_256_from_mp(q->y, 4, qY);
+        sp_256_from_mp(q->z, 4, qZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_256_proj_point_add_avx2_4(p, p, q, tmp);
+        else
+#endif
+            sp_256_proj_point_add_4(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(q, 0, NULL);
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 2];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_256_point_new_4(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_256_proj_point_dbl_avx2_4(p, p, tmp);
+        else
+#endif
+            sp_256_proj_point_dbl_4(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 4 * 4];
+    sp_point_256 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_256* p;
+    int err;
+
+    err = sp_256_point_new_4(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 4 * 4, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_256_from_mp(p->x, 4, pX);
+        sp_256_from_mp(p->y, 4, pY);
+        sp_256_from_mp(p->z, 4, pZ);
+
+        sp_256_map_4(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_256_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_256_point_free_4(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_256_mont_sqrt_4(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 4];
+    sp_digit t2d[2 * 4];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 4;
+        t2 = d + 2 * 4;
+#else
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_avx2_4(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_avx2_4(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_avx2_4(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_avx2_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_avx2_4(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_avx2_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_avx2_4(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_avx2_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_avx2_4(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_avx2_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_avx2_4(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_avx2_4(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_avx2_4(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_avx2_4(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_avx2_4(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+        else
+#endif
+        {
+            /* t2 = y ^ 0x2 */
+            sp_256_mont_sqr_4(t2, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_256_mont_mul_4(t1, t2, y, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xc */
+            sp_256_mont_sqr_n_4(t2, t1, 2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xf0 */
+            sp_256_mont_sqr_n_4(t2, t1, 4, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xff00 */
+            sp_256_mont_sqr_n_4(t2, t1, 8, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t2 = y ^ 0xffff0000 */
+            sp_256_mont_sqr_n_4(t2, t1, 16, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff */
+            sp_256_mont_mul_4(t1, t1, t2, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000000 */
+            sp_256_mont_sqr_n_4(t1, t1, 32, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001 */
+            sp_256_mont_mul_4(t1, t1, y, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
+            sp_256_mont_sqr_n_4(t1, t1, 96, p256_mod, p256_mp_mod);
+            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
+            sp_256_mont_mul_4(t1, t1, y, p256_mod, p256_mp_mod);
+            sp_256_mont_sqr_n_4(y, t1, 94, p256_mod, p256_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 4];
+    sp_digit yd[2 * 4];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 4, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 4;
+        y = d + 2 * 4;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_256_from_mp(x, 4, xm);
+        err = sp_256_mod_mul_norm_4(x, x, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_256_mont_sqr_avx2_4(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_avx2_4(y, y, x, p256_mod, p256_mp_mod);
+        }
+        else
+#endif
+        {
+            sp_256_mont_sqr_4(y, x, p256_mod, p256_mp_mod);
+            sp_256_mont_mul_4(y, y, x, p256_mod, p256_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        sp_256_mont_sub_4(y, y, x, p256_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_256_mod_mul_norm_4(x, p256_b, p256_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_256_mont_add_4(y, y, x, p256_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_256_mont_sqrt_4(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 4, 0, 4U * sizeof(sp_digit));
+        sp_256_mont_reduce_4(y, p256_mod, p256_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_256_mont_sub_4(y, p256_mod, y, p256_mod);
+        }
+
+        err = sp_256_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+
+/* Point structure to use. */
+typedef struct sp_point_384 {
+    sp_digit x[2 * 6];
+    sp_digit y[2 * 6];
+    sp_digit z[2 * 6];
+    int infinity;
+} sp_point_384;
+
+/* The modulus (prime) of the curve P384. */
+static const sp_digit p384_mod[6] = {
+    0x00000000ffffffffL,0xffffffff00000000L,0xfffffffffffffffeL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+/* The Montogmery normalizer for modulus of the curve P384. */
+static const sp_digit p384_norm_mod[6] = {
+    0xffffffff00000001L,0x00000000ffffffffL,0x0000000000000001L,
+    0x0000000000000000L,0x0000000000000000L,0x0000000000000000L
+};
+/* The Montogmery multiplier for modulus of the curve P384. */
+static sp_digit p384_mp_mod = 0x0000000100000001;
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                            defined(HAVE_ECC_VERIFY)
+/* The order of the curve P384. */
+static const sp_digit p384_order[6] = {
+    0xecec196accc52973L,0x581a0db248b0a77aL,0xc7634d81f4372ddfL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+#endif
+/* The order of the curve P384 minus 2. */
+static const sp_digit p384_order2[6] = {
+    0xecec196accc52971L,0x581a0db248b0a77aL,0xc7634d81f4372ddfL,
+    0xffffffffffffffffL,0xffffffffffffffffL,0xffffffffffffffffL
+};
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery normalizer for order of the curve P384. */
+static const sp_digit p384_norm_order[6] = {
+    0x1313e695333ad68dL,0xa7e5f24db74f5885L,0x389cb27e0bc8d220L,
+    0x0000000000000000L,0x0000000000000000L,0x0000000000000000L
+};
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+/* The Montogmery multiplier for order of the curve P384. */
+static sp_digit p384_mp_order = 0x6ed46089e88fdc45l;
+#endif
+/* The base point of curve P384. */
+static const sp_point_384 p384_base = {
+    /* X ordinate */
+    {
+        0x3a545e3872760ab7L,0x5502f25dbf55296cL,0x59f741e082542a38L,
+        0x6e1d3b628ba79b98L,0x8eb1c71ef320ad74L,0xaa87ca22be8b0537L,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Y ordinate */
+    {
+        0x7a431d7c90ea0e5fL,0x0a60b1ce1d7e819dL,0xe9da3113b5f0b8c0L,
+        0xf8f41dbd289a147cL,0x5d9e98bf9292dc29L,0x3617de4a96262c6fL,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* Z ordinate */
+    {
+        0x0000000000000001L,0x0000000000000000L,0x0000000000000000L,
+        0x0000000000000000L,0x0000000000000000L,0x0000000000000000L,
+        0L, 0L, 0L, 0L, 0L, 0L
+    },
+    /* infinity */
+    0
+};
+#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
+static const sp_digit p384_b[6] = {
+    0x2a85c8edd3ec2aefL,0xc656398d8a2ed19dL,0x0314088f5013875aL,
+    0x181d9c6efe814112L,0x988e056be3f82d19L,0xb3312fa7e23ee7e4L
+};
+#endif
+
+static int sp_384_point_new_ex_6(void* heap, sp_point_384* sp, sp_point_384** p)
+{
+    int ret = MP_OKAY;
+    (void)heap;
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    (void)sp;
+    *p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
+#else
+    *p = sp;
+#endif
+    if (*p == NULL) {
+        ret = MEMORY_E;
+    }
+    return ret;
+}
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* Allocate memory for point and return error. */
+#define sp_384_point_new_6(heap, sp, p) sp_384_point_new_ex_6((heap), NULL, &(p))
+#else
+/* Set pointer to data and return no error. */
+#define sp_384_point_new_6(heap, sp, p) sp_384_point_new_ex_6((heap), &(sp), &(p))
+#endif
+
+
+static void sp_384_point_free_6(sp_point_384* p, int clear, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+/* If valid pointer then clear point data if requested and free data. */
+    if (p != NULL) {
+        if (clear != 0) {
+            XMEMSET(p, 0, sizeof(*p));
+        }
+        XFREE(p, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+/* Clear point data if requested. */
+    if (clear != 0) {
+        XMEMSET(p, 0, sizeof(*p));
+    }
+#endif
+    (void)heap;
+}
+
+/* Multiply a number by Montogmery normalizer mod modulus (prime).
+ *
+ * r  The resulting Montgomery form number.
+ * a  The number to convert.
+ * m  The modulus (prime).
+ * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mod_mul_norm_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    int64_t* td;
+#else
+    int64_t td[12];
+    int64_t a32d[12];
+#endif
+    int64_t* t;
+    int64_t* a32;
+    int64_t o;
+    int err = MP_OKAY;
+
+    (void)m;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    td = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
+    if (td == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t = td;
+        a32 = td + 12;
+#else
+        t = td;
+        a32 = a32d;
+#endif
+
+        a32[0] = a[0] & 0xffffffff;
+        a32[1] = a[0] >> 32;
+        a32[2] = a[1] & 0xffffffff;
+        a32[3] = a[1] >> 32;
+        a32[4] = a[2] & 0xffffffff;
+        a32[5] = a[2] >> 32;
+        a32[6] = a[3] & 0xffffffff;
+        a32[7] = a[3] >> 32;
+        a32[8] = a[4] & 0xffffffff;
+        a32[9] = a[4] >> 32;
+        a32[10] = a[5] & 0xffffffff;
+        a32[11] = a[5] >> 32;
+
+        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
+        t[0] = 0 + a32[0] + a32[8] + a32[9] - a32[11];
+        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
+        t[1] = 0 - a32[0] + a32[1] - a32[8] + a32[10] + a32[11];
+        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
+        t[2] = 0 - a32[1] + a32[2] - a32[9] + a32[11];
+        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
+        t[3] = 0 + a32[0] - a32[2] + a32[3] + a32[8] + a32[9] - a32[10] - a32[11];
+        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
+        t[4] = 0 + a32[0] + a32[1] - a32[3] + a32[4] + a32[8] + 2 * a32[9] + a32[10] -  2 * a32[11];
+        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
+        t[5] = 0 + a32[1] + a32[2] - a32[4] + a32[5] + a32[9] + 2 * a32[10] + a32[11];
+        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
+        t[6] = 0 + a32[2] + a32[3] - a32[5] + a32[6] + a32[10] + 2 * a32[11];
+        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
+        t[7] = 0 + a32[3] + a32[4] - a32[6] + a32[7] + a32[11];
+        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
+        t[8] = 0 + a32[4] + a32[5] - a32[7] + a32[8];
+        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
+        t[9] = 0 + a32[5] + a32[6] - a32[8] + a32[9];
+        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
+        t[10] = 0 + a32[6] + a32[7] - a32[9] + a32[10];
+        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
+        t[11] = 0 + a32[7] + a32[8] - a32[10] + a32[11];
+
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+        o     = t[11] >> 32; t[11] &= 0xffffffff;
+        t[0] += o;
+        t[1] -= o;
+        t[3] += o;
+        t[4] += o;
+        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
+        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
+        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
+        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
+        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
+        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
+        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
+        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
+        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
+        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
+        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
+
+        r[0] = (t[1] << 32) | t[0];
+        r[1] = (t[3] << 32) | t[2];
+        r[2] = (t[5] << 32) | t[4];
+        r[3] = (t[7] << 32) | t[6];
+        r[4] = (t[9] << 32) | t[8];
+        r[5] = (t[11] << 32) | t[10];
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (td != NULL)
+        XFREE(td, NULL, DYNAMIC_TYPE_ECC);
+#endif
+
+    return err;
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 64
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(sp_digit) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 64
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i] << s);
+        r[j] &= 0xffffffffffffffffl;
+        s = 64U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 64U) <= (word32)DIGIT_BIT) {
+            s += 64U;
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((sp_digit)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 64) {
+            r[j] &= 0xffffffffffffffffl;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 64 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Convert a point of type ecc_point to type sp_point_384.
+ *
+ * p   Point of type sp_point_384 (result).
+ * pm  Point of type ecc_point.
+ */
+static void sp_384_point_from_ecc_point_6(sp_point_384* p, const ecc_point* pm)
+{
+    XMEMSET(p->x, 0, sizeof(p->x));
+    XMEMSET(p->y, 0, sizeof(p->y));
+    XMEMSET(p->z, 0, sizeof(p->z));
+    sp_384_from_mp(p->x, 6, pm->x);
+    sp_384_from_mp(p->y, 6, pm->y);
+    sp_384_from_mp(p->z, 6, pm->z);
+    p->infinity = 0;
+}
+
+/* Convert an array of sp_digit to an mp_int.
+ *
+ * a  A single precision integer.
+ * r  A multi-precision integer.
+ */
+static int sp_384_to_mp(const sp_digit* a, mp_int* r)
+{
+    int err;
+
+    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
+    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
+#if DIGIT_BIT == 64
+        XMEMCPY(r->dp, a, sizeof(sp_digit) * 6);
+        r->used = 6;
+        mp_clamp(r);
+#elif DIGIT_BIT < 64
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 6; i++) {
+            r->dp[j] |= (mp_digit)(a[i] << s);
+            r->dp[j] &= (1L << DIGIT_BIT) - 1;
+            s = DIGIT_BIT - s;
+            r->dp[++j] = (mp_digit)(a[i] >> s);
+            while (s + DIGIT_BIT <= 64) {
+                s += DIGIT_BIT;
+                r->dp[j++] &= (1L << DIGIT_BIT) - 1;
+                if (s == SP_WORD_SIZE) {
+                    r->dp[j] = 0;
+                }
+                else {
+                    r->dp[j] = (mp_digit)(a[i] >> s);
+                }
+            }
+            s = 64 - s;
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#else
+        int i, j = 0, s = 0;
+
+        r->dp[0] = 0;
+        for (i = 0; i < 6; i++) {
+            r->dp[j] |= ((mp_digit)a[i]) << s;
+            if (s + 64 >= DIGIT_BIT) {
+    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
+                r->dp[j] &= (1L << DIGIT_BIT) - 1;
+    #endif
+                s = DIGIT_BIT - s;
+                r->dp[++j] = a[i] >> s;
+                s = 64 - s;
+            }
+            else {
+                s += 64;
+            }
+        }
+        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
+        mp_clamp(r);
+#endif
+    }
+
+    return err;
+}
+
+/* Convert a point of type sp_point_384 to type ecc_point.
+ *
+ * p   Point of type sp_point_384.
+ * pm  Point of type ecc_point (result).
+ * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
+ * MP_OKAY.
+ */
+static int sp_384_point_to_ecc_point_6(const sp_point_384* p, ecc_point* pm)
+{
+    int err;
+
+    err = sp_384_to_mp(p->x, pm->x);
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pm->y);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pm->z);
+    }
+
+    return err;
+}
+
+extern void sp_384_cond_copy_6(sp_digit* r, const sp_digit* a, sp_digit m);
+extern void sp_384_mul_6(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern sp_digit sp_384_cond_sub_6(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_384_mont_reduce_6(sp_digit* a, const sp_digit* m, sp_digit mp);
+extern void sp_384_mont_reduce_order_6(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_6(r, m, mp);
+}
+
+extern void sp_384_sqr_6(sp_digit* r, const sp_digit* a);
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_6(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_6(r, a);
+    sp_384_mont_reduce_6(r, m, mp);
+}
+
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_6(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_6(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_6(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+#ifdef WOLFSSL_SP_SMALL
+/* Mod-2 for the P384 curve. */
+static const uint64_t p384_mod_minus_2[6] = {
+    0x00000000fffffffdU,0xffffffff00000000U,0xfffffffffffffffeU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_6(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_6(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_384_mont_mul_6(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    sp_digit* t4 = td + 6 * 6;
+    sp_digit* t5 = td + 8 * 6;
+
+    /* 0x2 */
+    sp_384_mont_sqr_6(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_6(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_6(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_6(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_6(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_6(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_6(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_6(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_6(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_6(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_6(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_6(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_6(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_6(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_6(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_6(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_6(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+extern int64_t sp_384_cmp_6(const sp_digit* a, const sp_digit* b);
+/* Normalize the values in each word to 64.
+ *
+ * a  Array of sp_digit to normalize.
+ */
+#define sp_384_norm_6(a)
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    int64_t n;
+
+    sp_384_mont_inv_6(t1, p->z, t + 2*6);
+
+    sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_6(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 6, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_6(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_6(r->x, p384_mod);
+    sp_384_cond_sub_6(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_6(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 6, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_6(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_6(r->y, p384_mod);
+    sp_384_cond_sub_6(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+extern sp_digit sp_384_add_6(sp_digit* r, const sp_digit* a, const sp_digit* b);
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_add_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_add_6(r, a, b);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+extern sp_digit sp_384_dbl_6(sp_digit* r, const sp_digit* a);
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_dbl_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_dbl_6(r, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_tpl_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_dbl_6(r, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+    o = sp_384_add_6(r, r, a);
+    sp_384_cond_sub_6(r, r, m, 0 - o);
+}
+
+extern sp_digit sp_384_sub_6(sp_digit* r, const sp_digit* a, const sp_digit* b);
+extern sp_digit sp_384_cond_add_6(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+static void sp_384_mont_sub_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m)
+{
+    sp_digit o;
+
+    o = sp_384_sub_6(r, a, b);
+    sp_384_cond_add_6(r, r, m, o);
+}
+
+extern void sp_384_div2_6(sp_digit* r, const sp_digit* a, const sp_digit* m);
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_6(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_6(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_6(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_6(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_6(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_6(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_6(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_6(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_6(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_6(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_6(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_6(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_6(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_6(y, y, t2, p384_mod);
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_6(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_6(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t2, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_6(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_6(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_6(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_6(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_6(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(t2, b, p384_mod);
+    sp_384_mont_sub_6(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_6(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_6(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_6(y, b, x, p384_mod);
+    sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    sp_384_mont_sub_6(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_6(y, y, p384_mod);
+}
+
+/* Compare two numbers to determine if they are equal.
+ * Constant time implementation.
+ *
+ * a  First number to compare.
+ * b  Second number to compare.
+ * returns 1 when equal and 0 otherwise.
+ */
+static int sp_384_cmp_equal_6(const sp_digit* a, const sp_digit* b)
+{
+    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) | (a[3] ^ b[3]) |
+            (a[4] ^ b[4]) | (a[5] ^ b[5])) == 0;
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_6(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_6(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_6(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_6(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_6(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, x, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, y, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_mul_6(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, y, t5, p384_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_store_6(sp_point_384* r, const sp_point_384* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<6; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<6; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<6; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(w, w, p384_mod, p384_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(b, t2, x, p384_mod, p384_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t1, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_6(r[(1<<i)*m].z, z, y, p384_mod, p384_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_6(t2, t2, p384_mod, p384_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_6(w, w, t2, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t2, p384_mod);
+
+        /* Y = Y/2 */
+        sp_384_div2_6(r[(1<<i)*m].y, y, p384_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_sub_6(sp_point_384* ra, sp_point_384* rs,
+        const sp_point_384* p, const sp_point_384* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* t6 = t + 10*6;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_384_mont_sqr_6(t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t1, x, p384_mod, p384_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_384_mont_mul_6(t3, t3, y, p384_mod, p384_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+    /* H = U2 - U1 */
+    sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+    /* RS = S2 + S1 */
+    sp_384_mont_add_6(t6, t4, t3, p384_mod);
+    /* R = S2 - S1 */
+    sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_384_mont_mul_6(z, z, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_384_mont_sqr_6(x, t4, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(xs, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(y, t1, t5, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(x, x, t5, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t5, p384_mod);
+    sp_384_mont_dbl_6(t1, y, p384_mod);
+    sp_384_mont_sub_6(x, x, t1, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t1, p384_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_384_mont_sub_6(ys, y, xs, p384_mod);
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    sp_384_mont_mul_6(y, y, t4, p384_mod, p384_mp_mod);
+    sp_384_sub_6(t6, p384_mod, t6);
+    sp_384_mont_mul_6(ys, ys, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t5, t5, t3, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(y, y, t5, p384_mod);
+    sp_384_mont_sub_6(ys, ys, t5, p384_mod);
+}
+
+/* Structure used to describe recoding of scalar multiplication. */
+typedef struct ecc_recode_384 {
+    /* Index into pre-computation table. */
+    uint8_t i;
+    /* Use the negative of the point. */
+    uint8_t neg;
+} ecc_recode_384;
+
+/* The index into pre-computation table to use. */
+static const uint8_t recode_index_6_6[66] = {
+     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
+    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
+     0,  1,
+};
+
+/* Whether to negate y-ordinate. */
+static const uint8_t recode_neg_6_6[66] = {
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
+     0,  0,
+};
+
+/* Recode the scalar for multiplication using pre-computed values and
+ * subtraction.
+ *
+ * k  Scalar to multiply by.
+ * v  Vector of operations to perform.
+ */
+static void sp_384_ecc_recode_6_6(const sp_digit* k, ecc_recode_384* v)
+{
+    int i, j;
+    uint8_t y;
+    int carry = 0;
+    int o;
+    sp_digit n;
+
+    j = 0;
+    n = k[j];
+    o = 0;
+    for (i=0; i<65; i++) {
+        y = n;
+        if (o + 6 < 64) {
+            y &= 0x3f;
+            n >>= 6;
+            o += 6;
+        }
+        else if (o + 6 == 64) {
+            n >>= 6;
+            if (++j < 6)
+                n = k[j];
+            o = 0;
+        }
+        else if (++j < 6) {
+            n = k[j];
+            y |= (n << (64 - o)) & 0x3f;
+            o -= 58;
+            n >>= o;
+        }
+
+        y += carry;
+        v[i].i = recode_index_6_6[y];
+        v[i].neg = recode_neg_6_6[y];
+        carry = (y >> 6) + v[i].neg;
+    }
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_win_add_sub_6(sp_point_384* r, const sp_point_384* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[33];
+    sp_point_384 rtd, pd;
+    sp_digit tmpd[2 * 6 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_384 v[65];
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_384_point_new_6(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_384_mod_mul_norm_6(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].y, g->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].z, g->z, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_384_proj_point_dbl_n_store_6(t, &t[ 1], 5, 1, tmp);
+        sp_384_proj_point_add_6(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[ 6], &t[ 3], tmp);
+        sp_384_proj_point_add_sub_6(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[10], &t[ 5], tmp);
+        sp_384_proj_point_add_sub_6(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[12], &t[ 6], tmp);
+        sp_384_proj_point_dbl_6(&t[14], &t[ 7], tmp);
+        sp_384_proj_point_add_sub_6(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[18], &t[ 9], tmp);
+        sp_384_proj_point_add_sub_6(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[20], &t[10], tmp);
+        sp_384_proj_point_dbl_6(&t[22], &t[11], tmp);
+        sp_384_proj_point_add_sub_6(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[24], &t[12], tmp);
+        sp_384_proj_point_dbl_6(&t[26], &t[13], tmp);
+        sp_384_proj_point_add_sub_6(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_384_proj_point_dbl_6(&t[28], &t[14], tmp);
+        sp_384_proj_point_dbl_6(&t[30], &t[15], tmp);
+        sp_384_proj_point_add_sub_6(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_384_ecc_recode_6_6(k, v);
+
+        i = 64;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_384));
+        for (--i; i>=0; i--) {
+            sp_384_proj_point_dbl_n_6(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_384));
+            sp_384_sub_6(negy, p384_mod, p->y);
+            sp_384_cond_copy_6(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_384_proj_point_add_6(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_6(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef HAVE_INTEL_AVX2
+#ifdef HAVE_INTEL_AVX2
+extern void sp_384_mul_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit* b);
+#define sp_384_mont_reduce_avx2_6         sp_384_mont_reduce_6
+extern void sp_384_mont_reduce_order_avx2_6(sp_digit* a, const sp_digit* m, sp_digit mp);
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_mul_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit* b,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mul_avx2_6(r, a, b);
+    sp_384_mont_reduce_avx2_6(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+extern void sp_384_sqr_avx2_6(sp_digit* r, const sp_digit* a);
+/* Square the Montgomery form number. (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit* m,
+        sp_digit mp)
+{
+    sp_384_sqr_avx2_6(r, a);
+    sp_384_mont_reduce_avx2_6(r, m, mp);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
+/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * n   Number of times to square.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+static void sp_384_mont_sqr_n_avx2_6(sp_digit* r, const sp_digit* a, int n,
+        const sp_digit* m, sp_digit mp)
+{
+    sp_384_mont_sqr_avx2_6(r, a, m, mp);
+    for (; n > 1; n--) {
+        sp_384_mont_sqr_avx2_6(r, r, m, mp);
+    }
+}
+
+#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
+
+/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
+ * P384 curve. (r = 1 / a mod m)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_avx2_6(sp_digit* r, const sp_digit* a, sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_avx2_6(t, t, p384_mod, p384_mp_mod);
+        if (p384_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
+            sp_384_mont_mul_avx2_6(t, t, a, p384_mod, p384_mp_mod);
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6);
+#else
+    sp_digit* t1 = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    sp_digit* t4 = td + 6 * 6;
+    sp_digit* t5 = td + 8 * 6;
+
+    /* 0x2 */
+    sp_384_mont_sqr_avx2_6(t1, a, p384_mod, p384_mp_mod);
+    /* 0x3 */
+    sp_384_mont_mul_avx2_6(t5, t1, a, p384_mod, p384_mp_mod);
+    /* 0xc */
+    sp_384_mont_sqr_n_avx2_6(t1, t5, 2, p384_mod, p384_mp_mod);
+    /* 0xf */
+    sp_384_mont_mul_avx2_6(t2, t5, t1, p384_mod, p384_mp_mod);
+    /* 0x1e */
+    sp_384_mont_sqr_avx2_6(t1, t2, p384_mod, p384_mp_mod);
+    /* 0x1f */
+    sp_384_mont_mul_avx2_6(t4, t1, a, p384_mod, p384_mp_mod);
+    /* 0x3e0 */
+    sp_384_mont_sqr_n_avx2_6(t1, t4, 5, p384_mod, p384_mp_mod);
+    /* 0x3ff */
+    sp_384_mont_mul_avx2_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x7fe0 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 5, p384_mod, p384_mp_mod);
+    /* 0x7fff */
+    sp_384_mont_mul_avx2_6(t4, t4, t1, p384_mod, p384_mp_mod);
+    /* 0x3fff8000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t4, 15, p384_mod, p384_mp_mod);
+    /* 0x3fffffff */
+    sp_384_mont_mul_avx2_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffc */
+    sp_384_mont_sqr_n_avx2_6(t3, t2, 2, p384_mod, p384_mp_mod);
+    /* 0xfffffffd */
+    sp_384_mont_mul_avx2_6(r, t3, a, p384_mod, p384_mp_mod);
+    /* 0xffffffff */
+    sp_384_mont_mul_avx2_6(t3, t5, t3, p384_mod, p384_mp_mod);
+    /* 0xfffffffc0000000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 30, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff */
+    sp_384_mont_mul_avx2_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffff000000000000000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 60, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_avx2_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 120, p384_mod, p384_mp_mod);
+    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_avx2_6(t2, t2, t1, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 15, p384_mod, p384_mp_mod);
+    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+    sp_384_mont_mul_avx2_6(t2, t4, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 33, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
+    sp_384_mont_mul_avx2_6(t2, t3, t1, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_avx2_6(t1, t2, 96, p384_mod, p384_mp_mod);
+    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
+    sp_384_mont_mul_avx2_6(r, r, t1, p384_mod, p384_mp_mod);
+
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+/* Map the Montgomery form projective coordinate point to an affine point.
+ *
+ * r  Resulting affine coordinate point.
+ * p  Montgomery form projective coordinate point.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_map_avx2_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    int64_t n;
+
+    sp_384_mont_inv_avx2_6(t1, p->z, t + 2*6);
+
+    sp_384_mont_sqr_avx2_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    /* x /= z^2 */
+    sp_384_mont_mul_avx2_6(r->x, p->x, t2, p384_mod, p384_mp_mod);
+    XMEMSET(r->x + 6, 0, sizeof(r->x) / 2U);
+    sp_384_mont_reduce_6(r->x, p384_mod, p384_mp_mod);
+    /* Reduce x to less than modulus */
+    n = sp_384_cmp_6(r->x, p384_mod);
+    sp_384_cond_sub_6(r->x, r->x, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->x);
+
+    /* y /= z^3 */
+    sp_384_mont_mul_avx2_6(r->y, p->y, t1, p384_mod, p384_mp_mod);
+    XMEMSET(r->y + 6, 0, sizeof(r->y) / 2U);
+    sp_384_mont_reduce_6(r->y, p384_mod, p384_mp_mod);
+    /* Reduce y to less than modulus */
+    n = sp_384_cmp_6(r->y, p384_mod);
+    sp_384_cond_sub_6(r->y, r->y, p384_mod, 0 - ((n >= 0) ?
+                (sp_digit)1 : (sp_digit)0));
+    sp_384_norm_6(r->y);
+
+    XMEMSET(r->z, 0, sizeof(r->z));
+    r->z[0] = 1;
+
+}
+
+/* Double the Montgomery form projective point p.
+ *
+ * r  Result of doubling point.
+ * p  Point to double.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_avx2_6(sp_point_384* r, const sp_point_384* p, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = r->x;
+    y = r->y;
+    z = r->z;
+    /* Put infinity into result. */
+    if (r != p) {
+        r->infinity = p->infinity;
+    }
+
+    /* T1 = Z * Z */
+    sp_384_mont_sqr_avx2_6(t1, p->z, p384_mod, p384_mp_mod);
+    /* Z = Y * Z */
+    sp_384_mont_mul_avx2_6(z, p->y, p->z, p384_mod, p384_mp_mod);
+    /* Z = 2Z */
+    sp_384_mont_dbl_6(z, z, p384_mod);
+    /* T2 = X - T1 */
+    sp_384_mont_sub_6(t2, p->x, t1, p384_mod);
+    /* T1 = X + T1 */
+    sp_384_mont_add_6(t1, p->x, t1, p384_mod);
+    /* T2 = T1 * T2 */
+    sp_384_mont_mul_avx2_6(t2, t1, t2, p384_mod, p384_mp_mod);
+    /* T1 = 3T2 */
+    sp_384_mont_tpl_6(t1, t2, p384_mod);
+    /* Y = 2Y */
+    sp_384_mont_dbl_6(y, p->y, p384_mod);
+    /* Y = Y * Y */
+    sp_384_mont_sqr_avx2_6(y, y, p384_mod, p384_mp_mod);
+    /* T2 = Y * Y */
+    sp_384_mont_sqr_avx2_6(t2, y, p384_mod, p384_mp_mod);
+    /* T2 = T2/2 */
+    sp_384_div2_6(t2, t2, p384_mod);
+    /* Y = Y * X */
+    sp_384_mont_mul_avx2_6(y, y, p->x, p384_mod, p384_mp_mod);
+    /* X = T1 * T1 */
+    sp_384_mont_sqr_avx2_6(x, t1, p384_mod, p384_mp_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* X = X - Y */
+    sp_384_mont_sub_6(x, x, y, p384_mod);
+    /* Y = Y - X */
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    /* Y = Y * T1 */
+    sp_384_mont_mul_avx2_6(y, y, t1, p384_mod, p384_mp_mod);
+    /* Y = Y - T2 */
+    sp_384_mont_sub_6(y, y, t2, p384_mod);
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_avx2_6(sp_point_384* p, int n, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+
+    x = p->x;
+    y = p->y;
+    z = p->z;
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_avx2_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_avx2_6(w, w, p384_mod, p384_mp_mod);
+
+#ifndef WOLFSSL_SP_SMALL
+    while (--n > 0)
+#else
+    while (--n >= 0)
+#endif
+    {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_avx2_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_avx2_6(t1, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(b, t1, x, p384_mod, p384_mp_mod);
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_avx2_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t2, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t2, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_avx2_6(z, z, y, p384_mod, p384_mp_mod);
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_avx2_6(t1, t1, p384_mod, p384_mp_mod);
+#ifdef WOLFSSL_SP_SMALL
+        if (n != 0)
+#endif
+        {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_avx2_6(w, w, t1, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_avx2_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t1, p384_mod);
+    }
+#ifndef WOLFSSL_SP_SMALL
+    /* A = 3*(X^2 - W) */
+    sp_384_mont_sqr_avx2_6(t1, x, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(t1, t1, w, p384_mod);
+    sp_384_mont_tpl_6(a, t1, p384_mod);
+    /* B = X*Y^2 */
+    sp_384_mont_sqr_avx2_6(t1, y, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(b, t1, x, p384_mod, p384_mp_mod);
+    /* X = A^2 - 2B */
+    sp_384_mont_sqr_avx2_6(x, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(t2, b, p384_mod);
+    sp_384_mont_sub_6(x, x, t2, p384_mod);
+    /* Z = Z*Y */
+    sp_384_mont_mul_avx2_6(z, z, y, p384_mod, p384_mp_mod);
+    /* t2 = Y^4 */
+    sp_384_mont_sqr_avx2_6(t1, t1, p384_mod, p384_mp_mod);
+    /* y = 2*A*(B - X) - Y^4 */
+    sp_384_mont_sub_6(y, b, x, p384_mod);
+    sp_384_mont_mul_avx2_6(y, y, a, p384_mod, p384_mp_mod);
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    sp_384_mont_sub_6(y, y, t1, p384_mod);
+#endif
+    /* Y = Y/2 */
+    sp_384_div2_6(y, y, p384_mod);
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_avx2_6(sp_point_384* r, const sp_point_384* p, const sp_point_384* q,
+        sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Ensure only the first point is the same as the result. */
+    if (q == r) {
+        const sp_point_384* a = p;
+        p = q;
+        q = a;
+    }
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U1 = X1*Z2^2 */
+        sp_384_mont_sqr_avx2_6(t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t1, t1, x, p384_mod, p384_mp_mod);
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_avx2_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S1 = Y1*Z2^3 */
+        sp_384_mont_mul_avx2_6(t3, t3, y, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_avx2_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - U1 */
+        sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+        /* R = S2 - S1 */
+        sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+        /* Z3 = H*Z1*Z2 */
+        sp_384_mont_mul_avx2_6(z, z, q->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*U1*H^2 */
+        sp_384_mont_sqr_avx2_6(x, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_avx2_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(y, t1, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, x, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, y, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_mul_avx2_6(y, y, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t5, t5, t3, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, y, t5, p384_mod);
+    }
+}
+
+/* Double the Montgomery form projective point p a number of times.
+ *
+ * r  Result of repeated doubling of point.
+ * p  Point to double.
+ * n  Number of times to double
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_dbl_n_store_avx2_6(sp_point_384* r, const sp_point_384* p,
+        int n, int m, sp_digit* t)
+{
+    sp_digit* w = t;
+    sp_digit* a = t + 2*6;
+    sp_digit* b = t + 4*6;
+    sp_digit* t1 = t + 6*6;
+    sp_digit* t2 = t + 8*6;
+    sp_digit* x = r[2*m].x;
+    sp_digit* y = r[(1<<n)*m].y;
+    sp_digit* z = r[2*m].z;
+    int i;
+
+    for (i=0; i<6; i++) {
+        x[i] = p->x[i];
+    }
+    for (i=0; i<6; i++) {
+        y[i] = p->y[i];
+    }
+    for (i=0; i<6; i++) {
+        z[i] = p->z[i];
+    }
+
+    /* Y = 2*Y */
+    sp_384_mont_dbl_6(y, y, p384_mod);
+    /* W = Z^4 */
+    sp_384_mont_sqr_avx2_6(w, z, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_avx2_6(w, w, p384_mod, p384_mp_mod);
+    for (i=1; i<=n; i++) {
+        /* A = 3*(X^2 - W) */
+        sp_384_mont_sqr_avx2_6(t1, x, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(t1, t1, w, p384_mod);
+        sp_384_mont_tpl_6(a, t1, p384_mod);
+        /* B = X*Y^2 */
+        sp_384_mont_sqr_avx2_6(t2, y, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(b, t2, x, p384_mod, p384_mp_mod);
+        x = r[(1<<i)*m].x;
+        /* X = A^2 - 2B */
+        sp_384_mont_sqr_avx2_6(x, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(t1, b, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Z = Z*Y */
+        sp_384_mont_mul_avx2_6(r[(1<<i)*m].z, z, y, p384_mod, p384_mp_mod);
+        z = r[(1<<i)*m].z;
+        /* t2 = Y^4 */
+        sp_384_mont_sqr_avx2_6(t2, t2, p384_mod, p384_mp_mod);
+        if (i != n) {
+            /* W = W*Y^4 */
+            sp_384_mont_mul_avx2_6(w, w, t2, p384_mod, p384_mp_mod);
+        }
+        /* y = 2*A*(B - X) - Y^4 */
+        sp_384_mont_sub_6(y, b, x, p384_mod);
+        sp_384_mont_mul_avx2_6(y, y, a, p384_mod, p384_mp_mod);
+        sp_384_mont_dbl_6(y, y, p384_mod);
+        sp_384_mont_sub_6(y, y, t2, p384_mod);
+
+        /* Y = Y/2 */
+        sp_384_div2_6(r[(1<<i)*m].y, y, p384_mod);
+        r[(1<<i)*m].infinity = 0;
+    }
+}
+
+/* Add two Montgomery form projective points.
+ *
+ * ra  Result of addition.
+ * rs  Result of subtraction.
+ * p   First point to add.
+ * q   Second point to add.
+ * t   Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_sub_avx2_6(sp_point_384* ra, sp_point_384* rs,
+        const sp_point_384* p, const sp_point_384* q, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* t6 = t + 10*6;
+    sp_digit* x = ra->x;
+    sp_digit* y = ra->y;
+    sp_digit* z = ra->z;
+    sp_digit* xs = rs->x;
+    sp_digit* ys = rs->y;
+    sp_digit* zs = rs->z;
+
+
+    XMEMCPY(x, p->x, sizeof(p->x) / 2);
+    XMEMCPY(y, p->y, sizeof(p->y) / 2);
+    XMEMCPY(z, p->z, sizeof(p->z) / 2);
+    ra->infinity = 0;
+    rs->infinity = 0;
+
+    /* U1 = X1*Z2^2 */
+    sp_384_mont_sqr_avx2_6(t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t3, t1, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t1, t1, x, p384_mod, p384_mp_mod);
+    /* U2 = X2*Z1^2 */
+    sp_384_mont_sqr_avx2_6(t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t4, t2, z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+    /* S1 = Y1*Z2^3 */
+    sp_384_mont_mul_avx2_6(t3, t3, y, p384_mod, p384_mp_mod);
+    /* S2 = Y2*Z1^3 */
+    sp_384_mont_mul_avx2_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+    /* H = U2 - U1 */
+    sp_384_mont_sub_6(t2, t2, t1, p384_mod);
+    /* RS = S2 + S1 */
+    sp_384_mont_add_6(t6, t4, t3, p384_mod);
+    /* R = S2 - S1 */
+    sp_384_mont_sub_6(t4, t4, t3, p384_mod);
+    /* Z3 = H*Z1*Z2 */
+    /* ZS = H*Z1*Z2 */
+    sp_384_mont_mul_avx2_6(z, z, q->z, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(z, z, t2, p384_mod, p384_mp_mod);
+    XMEMCPY(zs, z, sizeof(p->z)/2);
+    /* X3 = R^2 - H^3 - 2*U1*H^2 */
+    /* XS = RS^2 - H^3 - 2*U1*H^2 */
+    sp_384_mont_sqr_avx2_6(x, t4, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_avx2_6(xs, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_sqr_avx2_6(t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(y, t1, t5, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t5, t5, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(x, x, t5, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t5, p384_mod);
+    sp_384_mont_dbl_6(t1, y, p384_mod);
+    sp_384_mont_sub_6(x, x, t1, p384_mod);
+    sp_384_mont_sub_6(xs, xs, t1, p384_mod);
+    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
+    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
+    sp_384_mont_sub_6(ys, y, xs, p384_mod);
+    sp_384_mont_sub_6(y, y, x, p384_mod);
+    sp_384_mont_mul_avx2_6(y, y, t4, p384_mod, p384_mp_mod);
+    sp_384_sub_6(t6, p384_mod, t6);
+    sp_384_mont_mul_avx2_6(ys, ys, t6, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t5, t5, t3, p384_mod, p384_mp_mod);
+    sp_384_mont_sub_6(y, y, t5, p384_mod);
+    sp_384_mont_sub_6(ys, ys, t5, p384_mod);
+}
+
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_win_add_sub_avx2_6(sp_point_384* r, const sp_point_384* g,
+        const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td[33];
+    sp_point_384 rtd, pd;
+    sp_digit tmpd[2 * 6 * 6];
+#endif
+    sp_point_384* t;
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* tmp;
+    sp_digit* negy;
+    int i;
+    ecc_recode_384 v[65];
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY)
+        err = sp_384_point_new_6(heap, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 33, heap, DYNAMIC_TYPE_ECC);
+    if (t == NULL)
+        err = MEMORY_E;
+    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                             DYNAMIC_TYPE_ECC);
+    if (tmp == NULL)
+        err = MEMORY_E;
+#else
+    t = td;
+    tmp = tmpd;
+#endif
+
+
+    if (err == MP_OKAY) {
+        /* t[0] = {0, 0, 1} * norm */
+        XMEMSET(&t[0], 0, sizeof(t[0]));
+        t[0].infinity = 1;
+        /* t[1] = {g->x, g->y, g->z} * norm */
+        err = sp_384_mod_mul_norm_6(t[1].x, g->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].y, g->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t[1].z, g->z, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        t[1].infinity = 0;
+        /* t[2] ... t[32]  */
+        sp_384_proj_point_dbl_n_store_avx2_6(t, &t[ 1], 5, 1, tmp);
+        sp_384_proj_point_add_avx2_6(&t[ 3], &t[ 2], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[ 6], &t[ 3], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[10], &t[ 5], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[12], &t[ 6], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[14], &t[ 7], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[15], &t[13], &t[14], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[18], &t[ 9], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[19], &t[17], &t[18], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[20], &t[10], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[22], &t[11], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[23], &t[21], &t[22], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[24], &t[12], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[26], &t[13], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[27], &t[25], &t[26], &t[ 1], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[28], &t[14], tmp);
+        sp_384_proj_point_dbl_avx2_6(&t[30], &t[15], tmp);
+        sp_384_proj_point_add_sub_avx2_6(&t[31], &t[29], &t[30], &t[ 1], tmp);
+
+        negy = t[0].y;
+
+        sp_384_ecc_recode_6_6(k, v);
+
+        i = 64;
+        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_384));
+        for (--i; i>=0; i--) {
+            sp_384_proj_point_dbl_n_avx2_6(rt, 6, tmp);
+
+            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_384));
+            sp_384_sub_6(negy, p384_mod, p->y);
+            sp_384_cond_copy_6(p->y, negy, (sp_digit)0 - v[i].neg);
+            sp_384_proj_point_add_avx2_6(rt, rt, p, tmp);
+        }
+
+        if (map != 0) {
+            sp_384_map_avx2_6(r, rt, tmp);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL)
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    if (tmp != NULL)
+        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+/* A table entry for pre-computed points. */
+typedef struct sp_table_entry_384 {
+    sp_digit x[6];
+    sp_digit y[6];
+} sp_table_entry_384;
+
+#ifdef FP_ECC
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_6(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_6(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_6(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_6(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, t3, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_6(t3, t3, x, p384_mod);
+        sp_384_mont_mul_6(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_6(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 6;
+    sp_digit* tmp = t + 4 * 6;
+
+    sp_384_mont_inv_6(t1, a->z, tmp);
+
+    sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_6(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_6(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_6(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_6(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_6(t, 48, tmp);
+            sp_384_proj_to_affine_6(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_6(t, s1, s2, tmp);
+                sp_384_proj_to_affine_6(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_6(s2, 0, heap);
+    sp_384_point_free_6(s1, 0, heap);
+    sp_384_point_free_6( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_6(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 6 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_6(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_6(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_6(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+#ifdef FP_ECC
+#ifndef FP_ENTRIES
+    #define FP_ENTRIES 16
+#endif
+
+typedef struct sp_cache_384_t {
+    sp_digit x[6];
+    sp_digit y[6];
+    sp_table_entry_384 table[256];
+    uint32_t cnt;
+    int set;
+} sp_cache_384_t;
+
+static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
+static THREAD_LS_T int sp_cache_384_last = -1;
+static THREAD_LS_T int sp_cache_384_inited = 0;
+
+#ifndef HAVE_THREAD_LS
+    static volatile int initCacheMutex_384 = 0;
+    static wolfSSL_Mutex sp_cache_384_lock;
+#endif
+
+static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
+{
+    int i, j;
+    uint32_t least;
+
+    if (sp_cache_384_inited == 0) {
+        for (i=0; i<FP_ENTRIES; i++) {
+            sp_cache_384[i].set = 0;
+        }
+        sp_cache_384_inited = 1;
+    }
+
+    /* Compare point with those in cache. */
+    for (i=0; i<FP_ENTRIES; i++) {
+        if (!sp_cache_384[i].set)
+            continue;
+
+        if (sp_384_cmp_equal_6(g->x, sp_cache_384[i].x) &
+                           sp_384_cmp_equal_6(g->y, sp_cache_384[i].y)) {
+            sp_cache_384[i].cnt++;
+            break;
+        }
+    }
+
+    /* No match. */
+    if (i == FP_ENTRIES) {
+        /* Find empty entry. */
+        i = (sp_cache_384_last + 1) % FP_ENTRIES;
+        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
+            if (!sp_cache_384[i].set) {
+                break;
+            }
+        }
+
+        /* Evict least used. */
+        if (i == sp_cache_384_last) {
+            least = sp_cache_384[0].cnt;
+            for (j=1; j<FP_ENTRIES; j++) {
+                if (sp_cache_384[j].cnt < least) {
+                    i = j;
+                    least = sp_cache_384[i].cnt;
+                }
+            }
+        }
+
+        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
+        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
+        sp_cache_384[i].set = 1;
+        sp_cache_384[i].cnt = 1;
+    }
+
+    *cache = &sp_cache_384[i];
+    sp_cache_384_last = i;
+}
+#endif /* FP_ECC */
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_6(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_win_add_sub_6(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 6 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_6(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_win_add_sub_6(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_6(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#ifdef HAVE_INTEL_AVX2
+#ifdef FP_ECC
+#endif /* FP_ECC */
+/* Add two Montgomery form projective points. The second point has a q value of
+ * one.
+ * Only the first point can be the same pointer as the result point.
+ *
+ * r  Result of addition.
+ * p  First point to add.
+ * q  Second point to add.
+ * t  Temporary ordinate data.
+ */
+static void sp_384_proj_point_add_qz1_avx2_6(sp_point_384* r, const sp_point_384* p,
+        const sp_point_384* q, sp_digit* t)
+{
+    const sp_point_384* ap[2];
+    sp_point_384* rp[2];
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2*6;
+    sp_digit* t3 = t + 4*6;
+    sp_digit* t4 = t + 6*6;
+    sp_digit* t5 = t + 8*6;
+    sp_digit* x;
+    sp_digit* y;
+    sp_digit* z;
+    int i;
+
+    /* Check double */
+    (void)sp_384_sub_6(t1, p384_mod, q->y);
+    sp_384_norm_6(t1);
+    if ((sp_384_cmp_equal_6(p->x, q->x) & sp_384_cmp_equal_6(p->z, q->z) &
+        (sp_384_cmp_equal_6(p->y, q->y) | sp_384_cmp_equal_6(p->y, t1))) != 0) {
+        sp_384_proj_point_dbl_6(r, p, t);
+    }
+    else {
+        rp[0] = r;
+
+        /*lint allow cast to different type of pointer*/
+        rp[1] = (sp_point_384*)t; /*lint !e9087 !e740*/
+        XMEMSET(rp[1], 0, sizeof(sp_point_384));
+        x = rp[p->infinity | q->infinity]->x;
+        y = rp[p->infinity | q->infinity]->y;
+        z = rp[p->infinity | q->infinity]->z;
+
+        ap[0] = p;
+        ap[1] = q;
+        for (i=0; i<6; i++) {
+            r->x[i] = ap[p->infinity]->x[i];
+        }
+        for (i=0; i<6; i++) {
+            r->y[i] = ap[p->infinity]->y[i];
+        }
+        for (i=0; i<6; i++) {
+            r->z[i] = ap[p->infinity]->z[i];
+        }
+        r->infinity = ap[p->infinity]->infinity;
+
+        /* U2 = X2*Z1^2 */
+        sp_384_mont_sqr_avx2_6(t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t4, t2, z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t2, t2, q->x, p384_mod, p384_mp_mod);
+        /* S2 = Y2*Z1^3 */
+        sp_384_mont_mul_avx2_6(t4, t4, q->y, p384_mod, p384_mp_mod);
+        /* H = U2 - X1 */
+        sp_384_mont_sub_6(t2, t2, x, p384_mod);
+        /* R = S2 - Y1 */
+        sp_384_mont_sub_6(t4, t4, y, p384_mod);
+        /* Z3 = H*Z1 */
+        sp_384_mont_mul_avx2_6(z, z, t2, p384_mod, p384_mp_mod);
+        /* X3 = R^2 - H^3 - 2*X1*H^2 */
+        sp_384_mont_sqr_avx2_6(t1, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_sqr_avx2_6(t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t3, x, t5, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t5, t5, t2, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(x, t1, t5, p384_mod);
+        sp_384_mont_dbl_6(t1, t3, p384_mod);
+        sp_384_mont_sub_6(x, x, t1, p384_mod);
+        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
+        sp_384_mont_sub_6(t3, t3, x, p384_mod);
+        sp_384_mont_mul_avx2_6(t3, t3, t4, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_avx2_6(t5, t5, y, p384_mod, p384_mp_mod);
+        sp_384_mont_sub_6(y, t3, t5, p384_mod);
+    }
+}
+
+#ifdef FP_ECC
+/* Convert the projective point to affine.
+ * Ordinates are in Montgomery form.
+ *
+ * a  Point to convert.
+ * t  Temporary data.
+ */
+static void sp_384_proj_to_affine_avx2_6(sp_point_384* a, sp_digit* t)
+{
+    sp_digit* t1 = t;
+    sp_digit* t2 = t + 2 * 6;
+    sp_digit* tmp = t + 4 * 6;
+
+    sp_384_mont_inv_avx2_6(t1, a->z, tmp);
+
+    sp_384_mont_sqr_avx2_6(t2, t1, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(t1, t2, t1, p384_mod, p384_mp_mod);
+
+    sp_384_mont_mul_avx2_6(a->x, a->x, t2, p384_mod, p384_mp_mod);
+    sp_384_mont_mul_avx2_6(a->y, a->y, t1, p384_mod, p384_mp_mod);
+    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
+}
+
+/* Generate the pre-computed table of points for the base point.
+ *
+ * a      The base point.
+ * table  Place to store generated point data.
+ * tmp    Temporary data.
+ * heap  Heap to use for allocation.
+ */
+static int sp_384_gen_stripe_table_avx2_6(const sp_point_384* a,
+        sp_table_entry_384* table, sp_digit* tmp, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 td, s1d, s2d;
+#endif
+    sp_point_384* t;
+    sp_point_384* s1 = NULL;
+    sp_point_384* s2 = NULL;
+    int i, j;
+    int err;
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, td, t);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s1d, s1);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, s2d, s2);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->x, a->x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->y, a->y, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_mod_mul_norm_6(t->z, a->z, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        t->infinity = 0;
+        sp_384_proj_to_affine_avx2_6(t, tmp);
+
+        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s1->infinity = 0;
+        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
+        s2->infinity = 0;
+
+        /* table[0] = {0, 0, infinity} */
+        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
+        /* table[1] = Affine version of 'a' in Montgomery form */
+        XMEMCPY(table[1].x, t->x, sizeof(table->x));
+        XMEMCPY(table[1].y, t->y, sizeof(table->y));
+
+        for (i=1; i<8; i++) {
+            sp_384_proj_point_dbl_n_avx2_6(t, 48, tmp);
+            sp_384_proj_to_affine_avx2_6(t, tmp);
+            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
+            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
+        }
+
+        for (i=1; i<8; i++) {
+            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
+            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
+            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
+                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
+                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
+                sp_384_proj_point_add_qz1_avx2_6(t, s1, s2, tmp);
+                sp_384_proj_to_affine_avx2_6(t, tmp);
+                XMEMCPY(table[j].x, t->x, sizeof(table->x));
+                XMEMCPY(table[j].y, t->y, sizeof(table->y));
+            }
+        }
+    }
+
+    sp_384_point_free_6(s2, 0, heap);
+    sp_384_point_free_6(s1, 0, heap);
+    sp_384_point_free_6( t, 0, heap);
+
+    return err;
+}
+
+#endif /* FP_ECC */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_stripe_avx2_6(sp_point_384* r, const sp_point_384* g,
+        const sp_table_entry_384* table, const sp_digit* k, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 rtd;
+    sp_point_384 pd;
+    sp_digit td[2 * 6 * 6];
+#endif
+    sp_point_384* rt;
+    sp_point_384* p = NULL;
+    sp_digit* t;
+    int i, j;
+    int y, x;
+    int err;
+
+    (void)g;
+    (void)heap;
+
+
+    err = sp_384_point_new_6(heap, rtd, rt);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, heap,
+                           DYNAMIC_TYPE_ECC);
+    if (t == NULL) {
+        err = MEMORY_E;
+    }
+#else
+    t = td;
+#endif
+
+    if (err == MP_OKAY) {
+        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
+        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));
+
+        y = 0;
+        for (j=0,x=47; j<8; j++,x+=48) {
+            y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+        }
+        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
+        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
+        rt->infinity = !y;
+        for (i=46; i>=0; i--) {
+            y = 0;
+            for (j=0,x=i; j<8; j++,x+=48) {
+                y |= ((k[x / 64] >> (x % 64)) & 1) << j;
+            }
+
+            sp_384_proj_point_dbl_avx2_6(rt, rt, t);
+            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
+            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
+            p->infinity = !y;
+            sp_384_proj_point_add_qz1_avx2_6(rt, rt, p, t);
+        }
+
+        if (map != 0) {
+            sp_384_map_avx2_6(r, rt, t);
+        }
+        else {
+            XMEMCPY(r, rt, sizeof(sp_point_384));
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (t != NULL) {
+        XFREE(t, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(rt, 0, heap);
+
+    return err;
+}
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * g     Point to multiply.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_avx2_6(sp_point_384* r, const sp_point_384* g, const sp_digit* k,
+        int map, void* heap)
+{
+#ifndef FP_ECC
+    return sp_384_ecc_mulmod_win_add_sub_avx2_6(r, g, k, map, heap);
+#else
+    sp_digit tmp[2 * 6 * 7];
+    sp_cache_384_t* cache;
+    int err = MP_OKAY;
+
+#ifndef HAVE_THREAD_LS
+    if (initCacheMutex_384 == 0) {
+         wc_InitMutex(&sp_cache_384_lock);
+         initCacheMutex_384 = 1;
+    }
+    if (wc_LockMutex(&sp_cache_384_lock) != 0)
+       err = BAD_MUTEX_E;
+#endif /* HAVE_THREAD_LS */
+
+    if (err == MP_OKAY) {
+        sp_ecc_get_cache_384(g, &cache);
+        if (cache->cnt == 2)
+            sp_384_gen_stripe_table_avx2_6(g, cache->table, tmp, heap);
+
+#ifndef HAVE_THREAD_LS
+        wc_UnLockMutex(&sp_cache_384_lock);
+#endif /* HAVE_THREAD_LS */
+
+        if (cache->cnt < 2) {
+            err = sp_384_ecc_mulmod_win_add_sub_avx2_6(r, g, k, map, heap);
+        }
+        else {
+            err = sp_384_ecc_mulmod_stripe_avx2_6(r, g, cache->table, k,
+                    map, heap);
+        }
+    }
+
+    return err;
+#endif
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+/* Multiply the point by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * p     Point to multiply.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_384(mp_int* km, ecc_point* gm, ecc_point* r, int map,
+        void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, km);
+        sp_384_point_from_ecc_point_6(point, gm);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_avx2_6(point, point, k, map, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_6(point, point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+
+static const sp_table_entry_384 p384_table[256] = {
+    /* 0 */
+    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
+    /* 1 */
+    { { 0x3dd0756649c0b528L,0x20e378e2a0d6ce38L,0x879c3afc541b4d6eL,
+        0x6454868459a30effL,0x812ff723614ede2bL,0x4d3aadc2299e1513L },
+      { 0x23043dad4b03a4feL,0xa1bfa8bf7bb4a9acL,0x8bade7562e83b050L,
+        0xc6c3521968f4ffd9L,0xdd8002263969a840L,0x2b78abc25a15c5e9L } },
+    /* 2 */
+    { { 0x298647532b0c535bL,0x90dd695370506296L,0x038cd6b4216ab9acL,
+        0x3df9b7b7be12d76aL,0x13f4d9785f347bdbL,0x222c5c9c13e94489L },
+      { 0x5f8e796f2680dc64L,0x120e7cb758352417L,0x254b5d8ad10740b8L,
+        0xc38b8efb5337dee6L,0xf688c2e194f02247L,0x7b5c75f36c25bc4cL } },
+    /* 3 */
+    { { 0xe26a3cc39edffea5L,0x35bbfd1c37d7e9fcL,0xf0e7700d9bde3ef6L,
+        0x0380eb471a538f5aL,0x2e9da8bb05bf9eb3L,0xdbb93c731a460c3eL },
+      { 0x37dba260f526b605L,0x95d4978efd785537L,0x24ed793aed72a04aL,
+        0x2694837776005b1aL,0x99f557b99e681f82L,0xae5f9557d64954efL } },
+    /* 4 */
+    { { 0x24480c57f26feef9L,0xc31a26943a0e1240L,0x735002c3273e2bc7L,
+        0x8c42e9c53ef1ed4cL,0x028babf67f4948e8L,0x6a502f438a978632L },
+      { 0xf5f13a46b74536feL,0x1d218babd8a9f0ebL,0x30f36bcc37232768L,
+        0xc5317b31576e8c18L,0xef1d57a69bbcb766L,0x917c4930b3e3d4dcL } },
+    /* 5 */
+    { { 0x11426e2ee349ddd0L,0x9f117ef99b2fc250L,0xff36b480ec0174a6L,
+        0x4f4bde7618458466L,0x2f2edb6d05806049L,0x8adc75d119dfca92L },
+      { 0xa619d097b7d5a7ceL,0x874275e5a34411e9L,0x5403e0470da4b4efL,
+        0x2ebaafd977901d8fL,0x5e63ebcea747170fL,0x12a369447f9d8036L } },
+    /* 6 */
+    { { 0x28f9c07a4fc52870L,0xce0b37481a53a961L,0xd550fa180e1828d9L,
+        0xa24abaf76adb225aL,0xd11ed0a56e58a348L,0xf3d811e6948acb62L },
+      { 0x8618dd774c61ed22L,0x0bb747f980b47c9dL,0x22bf796fde6b8559L,
+        0xfdfd1c6d680a21e9L,0xc0db15772af2c9ddL,0xa09379e6c1e90f3dL } },
+    /* 7 */
+    { { 0x386c66efe085c629L,0x5fc2a461095bc89aL,0x1353d631203f4b41L,
+        0x7ca1972b7e4bd8f5L,0xb077380aa7df8ce9L,0xd8a90389ee7e4ea3L },
+      { 0x1bc74dc7e7b14461L,0xdc2cb0140c9c4f78L,0x52b4b3a684ef0a10L,
+        0xbde6ea5d20327fe2L,0xb71ec435660f9615L,0xeede5a04b8ad8173L } },
+    /* 8 */
+    { { 0x5584cbb3893b9a2dL,0x820c660b00850c5dL,0x4126d8267df2d43dL,
+        0xdd5bbbf00109e801L,0x85b92ee338172f1cL,0x609d4f93f31430d9L },
+      { 0x1e059a07eadaf9d6L,0x70e6536c0f125fb0L,0xd6220751560f20e7L,
+        0xa59489ae7aaf3a9aL,0x7b70e2f664bae14eL,0x0dd0370176d08249L } },
+    /* 9 */
+    { { 0x4cc13be88510521fL,0x87315ba9f724cc17L,0xb49d83bb353dc263L,
+        0x8b677efe0c279257L,0x510a1c1cc93c9537L,0x33e30cd8a4702c99L },
+      { 0xf0ffc89d2208353fL,0x0170fa8dced42b2bL,0x090851ed26e2a5f5L,
+        0x81276455ecb52c96L,0x0646c4e17fe1adf4L,0x513f047eb0868eabL } },
+    /* 10 */
+    { { 0xc07611f4df5bdf53L,0x45d331a758b11a6dL,0x58965daf1c4ee394L,
+        0xba8bebe75a5878d1L,0xaecc0a1882dd3025L,0xcf2a3899a923eb8bL },
+      { 0xf98c9281d24fd048L,0x841bfb598bbb025dL,0xb8ddf8cec9ab9d53L,
+        0x538a4cb67fef044eL,0x092ac21f23236662L,0xa919d3850b66f065L } },
+    /* 11 */
+    { { 0x3db03b4085d480d8L,0x8cd9f4791b287a7dL,0x8f24dc754a8f3baeL,
+        0x482eb8003db41892L,0x38bf9eb39c56e0f5L,0x8b9773209a91dc6fL },
+      { 0xa31b05b27209cfc2L,0x4c49bf8505b2db70L,0x56462498d619527bL,
+        0x3fe510391fac51baL,0xfb04f55eab4b8342L,0xc07c10dc04c6eabfL } },
+    /* 12 */
+    { { 0xad22fe4cdb32f048L,0x5f23bf91475ed6dfL,0xa50ce0c0aa66b6cbL,
+        0xdf627a89f03405c0L,0x3674837df95e2d6aL,0x081c95b6ba42e64eL },
+      { 0xeba3e036e71d6cebL,0xb45bcccf6c6b0271L,0x67b47e630684701dL,
+        0x60f8f942e712523fL,0x824234725cd47adcL,0x83027d7987649cbbL } },
+    /* 13 */
+    { { 0xb3929ea63615b0b8L,0xb41441fda54dac41L,0x8995d556b5b6a368L,
+        0xa80d4529167ef05eL,0xf6bcb4a16d25a27fL,0x210d6a4c7bd55b68L },
+      { 0xf3804abb25351130L,0x1d2df699903e37ebL,0x5f201efc084c25c8L,
+        0x31a28c87a1c68e91L,0x81dad253563f62a5L,0x5dd6de70d6c415d4L } },
+    /* 14 */
+    { { 0x29f470fd846612ceL,0x986f3eecda18d997L,0x6b84c1612f34af86L,
+        0x5ef0a40846ddaf8bL,0x14405a00e49e795fL,0x5f491b16aa2f7a37L },
+      { 0xc7f07ae4db41b38dL,0xef7d119e18fbfcaaL,0x3a18e07614443b19L,
+        0x4356841a79a19926L,0x91f4a91ce2226fbeL,0xdc77248c3cc88721L } },
+    /* 15 */
+    { { 0xd570ff1ae4b1ec9dL,0x21d23e0ee7eef706L,0x3cde40f4ca19e086L,
+        0x7d6523c4cd4bb270L,0x16c1f06cbf13aa6cL,0x5aa7245ad14c4b60L },
+      { 0x37f8146744b74de8L,0x839e7a17620a934eL,0xf74d14e8de8b1aa1L,
+        0x8789fa51f30d75e2L,0x09b24052c81c261eL,0x654e267833c565eeL } },
+    /* 16 */
+    { { 0x378205de2f9fbe67L,0xc4afcb837f728e44L,0xdbcec06c682e00f1L,
+        0xf2a145c3114d5423L,0xa01d98747a52463eL,0xfc0935b17d717b0aL },
+      { 0x9653bc4fd4d01f95L,0x9aa83ea89560ad34L,0xf77943dcaf8e3f3fL,
+        0x70774a10e86fe16eL,0x6b62e6f1bf9ffdcfL,0x8a72f39e588745c9L } },
+    /* 17 */
+    { { 0x73ade4da2341c342L,0xdd326e54ea704422L,0x336c7d983741cef3L,
+        0x1eafa00d59e61549L,0xcd3ed892bd9a3efdL,0x03faf26cc5c6c7e4L },
+      { 0x087e2fcf3045f8acL,0x14a65532174f1e73L,0x2cf84f28fe0af9a7L,
+        0xddfd7a842cdc935bL,0x4c0f117b6929c895L,0x356572d64c8bcfccL } },
+    /* 18 */
+    { { 0x7ecbac017d8c1bbaL,0x6058f9c390b0f3d5L,0xaee116e3f6197d0fL,
+        0xc4dd70684033b128L,0xf084dba6c209b983L,0x97c7c2cf831dbc4aL },
+      { 0x2f4e61ddf96010e8L,0xd97e4e20529faa17L,0x4ee6666069d37f20L,
+        0xccc139ed3d366d72L,0x690b6ee213488e0fL,0x7cad1dc5f3a6d533L } },
+    /* 19 */
+    { { 0x660a9a81da57a41fL,0xe74a0412ec0039b6L,0x42343c6b5e1dad15L,
+        0x284f3ff546681d4cL,0xb51087f163749e89L,0x070f23cc6f9f2f13L },
+      { 0x542211da5d186e14L,0x84748f37fddb0dffL,0x41a3aab4db1f4180L,
+        0x25ed667ba6402d0eL,0x2f2924a902f58355L,0x5844ee7cfa44a689L } },
+    /* 20 */
+    { { 0xfab086073f3b236fL,0x19e9d41d81e221daL,0xf3f6571e3927b428L,
+        0x4348a9337550f1f6L,0x7167b996a85e62f0L,0x62d437597f5452bfL },
+      { 0xd85feb9ef2955926L,0x440a561f6df78353L,0x389668ec9ca36b59L,
+        0x052bf1a1a22da016L,0xbdfbff72f6093254L,0x94e50f28e22209f3L } },
+    /* 21 */
+    { { 0x90b2e5b33062e8afL,0xa8572375e8a3d369L,0x3fe1b00b201db7b1L,
+        0xe926def0ee651aa2L,0x6542c9beb9b10ad7L,0x098e309ba2fcbe74L },
+      { 0x779deeb3fff1d63fL,0x23d0e80a20bfd374L,0x8452bb3b8768f797L,
+        0xcf75bb4d1f952856L,0x8fe6b40029ea3faaL,0x12bd3e4081373a53L } },
+    /* 22 */
+    { { 0xc023780d104cbba5L,0x6207e747fa35dd4cL,0x35c239281ca9b6a3L,
+        0x4ff19be897987b10L,0xb8476bbf8022eee8L,0xaa0a4a14d3bbe74dL },
+      { 0x20f94331187d4543L,0x3215387079f6e066L,0x83b0f74eac7e82e1L,
+        0xa7748ba2828f06abL,0xc5f0298ac26ef35fL,0x0f0c50708e9a7dbdL } },
+    /* 23 */
+    { { 0x0c5c244cdef029ddL,0x3dabc687850661b8L,0x9992b865fe11d981L,
+        0xe9801b8f6274dbadL,0xe54e6319098da242L,0x9929a91a91a53d08L },
+      { 0x37bffd7235285887L,0xbc759425f1418102L,0x9280cc35fd2e6e20L,
+        0x735c600cfbc42ee5L,0xb7ad28648837619aL,0xa3627231a778c57bL } },
+    /* 24 */
+    { { 0xae799b5c91361ed8L,0x47d71b756c63366cL,0x54cdd5211b265a6aL,
+        0xe0215a5998d77b74L,0x4424d9b7bab29db0L,0x8b0ffacc7fd9e536L },
+      { 0x46d85d1237b5d9efL,0x5b106d62bfa91747L,0xed0479f85f99ba2dL,
+        0x0e6f39231d104de4L,0x83a84c8425e8983fL,0xa9507e0af8105a70L } },
+    /* 25 */
+    { { 0xf6c68a6e14cf381cL,0xaf9d27bdc22e31ccL,0x23568d4daa8a5ccbL,
+        0xe431eec0e338e4d2L,0xf1a828fe8f52ad1fL,0xdb6a0579e86acd80L },
+      { 0x2885672e4507832aL,0x73fc275f887e5289L,0x65f8027805610d08L,
+        0x8d9b4554075ff5b0L,0x3a8e8fb109f712b5L,0x39f0ac862ebe9cf2L } },
+    /* 26 */
+    { { 0xd8fabf784c52edf5L,0xdcd737e5a589ae53L,0x94918bf0d791ab17L,
+        0xb5fbd956bcff06c9L,0xf6d3032edca46d45L,0x2cdff7e141a3e486L },
+      { 0x6674b3ba61f47ec8L,0x8a882163eef84608L,0xa257c7054c687f90L,
+        0xe30cb2edf6cdf227L,0x2c4c64ca7f6ea846L,0x186fa17ccc6bcd3cL } },
+    /* 27 */
+    { { 0x48a3f5361dfcb91eL,0x83595e13646d358aL,0xbd15827b91128798L,
+        0x3ce612b82187757aL,0x873150a161bd7372L,0xf4684530b662f568L },
+      { 0x8833950b401896f6L,0xe11cb89a77f3e090L,0xb2f12cac48e7f4a5L,
+        0x313dd769f606677eL,0xfdcf08b316579f93L,0x6429cec946b8f22bL } },
+    /* 28 */
+    { { 0x4984dd54bb75f9a4L,0x4aef06b929d3b570L,0xb5f84ca23d6e4c1eL,
+        0x24c61c11b083ef35L,0xce4a7392392ca9ffL,0x865d65176730a800L },
+      { 0xca3dfe76722b4a2bL,0x12c04bf97b083e0eL,0x803ce5b51b86b8a5L,
+        0x3fc7632d6a7e3e0cL,0xc89970c2c81adbe4L,0x3cbcd3ad120e16b1L } },
+    /* 29 */
+    { { 0xfbfb4cc7ec30ce93L,0x10ed6c7db72720a2L,0xec675bf747b55500L,
+        0x90725903333ff7c3L,0xc7c3973e5075bfc0L,0xb049ecb007acf31bL },
+      { 0xb4076eaf4f58839cL,0x101896daa2b05e4fL,0x3f6033b0ab40c66eL,
+        0x19ee9eebc8d864baL,0xeb6cf15547bf6d2aL,0x8e5a9663f826477dL } },
+    /* 30 */
+    { { 0x69e62fddf7fbd5e1L,0x38ecfe5476912b1dL,0x845a3d56d1da3bfbL,
+        0x0494950e1c86f0d4L,0x83cadbf93bc36ce8L,0x41fce5724fccc8d1L },
+      { 0x05f939c28332c144L,0xb17f248b0871e46eL,0x3d8534e266e8aff6L,
+        0x1d06f1dc3b85c629L,0xdb06a32ea3131b73L,0xf295184d8b3f64e5L } },
+    /* 31 */
+    { { 0xd9653ff736ddc103L,0x25f43e3795ef606fL,0x09e301fcfe06dce8L,
+        0x85af234130b6eebfL,0x79b12b530ff56b20L,0x9b4fb499fe9a3c6bL },
+      { 0x0154f89251d27ac2L,0xd33167e356ca5389L,0x7828ec1fafc065a6L,
+        0x0959a2587f746c9bL,0xb18f1be30c44f837L,0xa7946117c4132fdbL } },
+    /* 32 */
+    { { 0xc0426b775e3c647bL,0xbfcbd9398cf05348L,0x31d312e3172c0d3dL,
+        0x5f49fde6ee754737L,0x895530f06da7ee61L,0xcf281b0ae8b3a5fbL },
+      { 0xfd14973541b8a543L,0x41a625a73080dd30L,0xe2baae07653908cfL,
+        0xc3d01436ba02a278L,0xa0d0222e7b21b8f8L,0xfdc270e9d7ec1297L } },
+    /* 33 */
+    { { 0x00873c0cbc7f41d6L,0xd976113e1b7ad641L,0x2a536ff4238443fbL,
+        0x030d00e241e62e45L,0x532e98675f545fc6L,0xcd0331088e91208cL },
+      { 0xd1a04c999797612cL,0xd4393e02eea674e2L,0xd56fa69ee19742a1L,
+        0xdd2ab48085f0590eL,0xa5cefc5248a2243dL,0x48cc67b654383f41L } },
+    /* 34 */
+    { { 0x4e50430efc14ab48L,0x195b7f4f26706a74L,0x2fe8a228cc881ff6L,
+        0xb1b968e2d945013dL,0x936aa5794b92162bL,0x4fb766b7364e754aL },
+      { 0x13f93bca31e1ff7fL,0x696eb5cace4f2691L,0xff754bf8a2b09e02L,
+        0x58f13c9ce58e3ff8L,0xb757346f1678c0b0L,0xd54200dba86692b3L } },
+    /* 35 */
+    { { 0x9a030bbd6dda1265L,0xf7b4f3fce89718ddL,0xa6a4931f936065b8L,
+        0xbce72d875f72241cL,0x6cbb51cb65775857L,0xc71618154e993675L },
+      { 0xe81a0f792ee32189L,0xef2fab26277dc0b2L,0x9e64f6feb71f469fL,
+        0xb448ce33dfdaf859L,0x3f5c1c4cbe6b5df1L,0xfb8dfb001de45f7bL } },
+    /* 36 */
+    { { 0xc7345fa74d5bb921L,0x5c7e04be4d2b667eL,0x47ed3a80282d7a3eL,
+        0x5c2777f87e47b2a4L,0x89b3b10008488e2eL,0x9aad77c2b2eb5b45L },
+      { 0xd681bca7daac34aeL,0x2452e4e526afb326L,0x0c88792441a1ee14L,
+        0x743b04d4c2407adeL,0xcb5e999bfc17a2acL,0x4dca2f824a701a06L } },
+    /* 37 */
+    { { 0x68e31ca61127bc1aL,0xa3edd59b17ead3beL,0x67b6b645e25f5a15L,
+        0x76221794a420e15eL,0x794fd83b4b1e872eL,0x7cab3f03b2dece1bL },
+      { 0x7119bf15ca9b3586L,0xa55459244d250bd7L,0x173633eacc6bcf24L,
+        0x9bd308c2b1b6f884L,0x3bae06f5447d38c3L,0x54dcc135f341fe1cL } },
+    /* 38 */
+    { { 0x56d3598d943caf0dL,0xce044ea9225ff133L,0x9edf6a7c563fadeaL,
+        0x632eb94473e8dc27L,0x814b467e3190dcabL,0x2d4f4f316dbb1e31L },
+      { 0x8d69811ca143b7caL,0x4ec1ac32de7cf950L,0x223ab5fd37b5fe82L,
+        0xe82616e49390f1d9L,0xabff4b2075804610L,0x11b9be15875b08f0L } },
+    /* 39 */
+    { { 0x4ae31a3d3bbe682cL,0xbc7c5d2674eef2ddL,0x92afd10a3c47dd40L,
+        0xec7e0a3bc14ab9e1L,0x6a6c3dd1b2e495e4L,0x085ee5e9309bcd85L },
+      { 0xf381a9088c2e67fdL,0x32083a80e261eaf2L,0x0fcd6a4996deee15L,
+        0xe3b8fb035e524c79L,0x8dc360d91d5b08b9L,0x3a06e2c87f26719fL } },
+    /* 40 */
+    { { 0x5cd9f5a87237cac0L,0x93f0b59d43586794L,0x4384a764e94f6c4eL,
+        0x8304ed2bb62782d3L,0x0b8db8b3cde06015L,0x4336dd535dbe190fL },
+      { 0x5744355392ab473aL,0x031c7275be5ed046L,0x3e78678c21909aa4L,
+        0x4ab7e04f99202ddbL,0x2648d2066977e635L,0xd427d184093198beL } },
+    /* 41 */
+    { { 0x822848f50f9b5a31L,0xbb003468baadb62aL,0x233a04723357559cL,
+        0x49ef688079aee843L,0xa89867a0aeb9e1e3L,0xc151931b1f6f9a55L },
+      { 0xd264eb0bad74251eL,0x37b9b2634abf295eL,0xb600921b04960d10L,
+        0x0de53dbc4da77dc0L,0x01d9bab3d2b18697L,0xad54ec7af7156ddfL } },
+    /* 42 */
+    { { 0x8e74dc3579efdc58L,0x456bd3694ff68ddbL,0x724e74ccd32096a5L,
+        0xe41cff42386783d0L,0xa04c7f217c70d8a4L,0x41199d2fe61a19a2L },
+      { 0xd389a3e029c05dd2L,0x535f2a6be7e3fda9L,0x26ecf72d7c2b4df8L,
+        0x678275f4fe745294L,0x6319c9cc9d23f519L,0x1e05a02d88048fc4L } },
+    /* 43 */
+    { { 0x75cc8e2ed4d5ffe8L,0xf8bb4896dbea17f2L,0x35059790cee3cb4aL,
+        0x4c06ee85a47c6165L,0xf98fff2592935d2fL,0x34c4a57232ffd7c7L },
+      { 0xc4b14806ea0376a2L,0x2ea5e7504f115e02L,0x532d76e21e55d7c0L,
+        0x68dc9411f31044daL,0x9272e46571b77993L,0xadaa38bb93a8cfd5L } },
+    /* 44 */
+    { { 0x4bf0c7127d4ed72aL,0xda0e9264ba1f79a3L,0x48c0258bf4c39ea4L,
+        0xa5394ed82a715138L,0x4af511cebf06c660L,0xfcebceefec5c37cdL },
+      { 0xf23b75aa779ae8c1L,0xdeff59ccad1e606eL,0xf3f526fd22755c82L,
+        0x64c5ab44bb32cefdL,0xa96e11a2915bdefdL,0xab19746a1143813eL } },
+    /* 45 */
+    { { 0x43c78585ec837d7dL,0xca5b6fbcb8ee0ba4L,0x34e924d9d5dbb5eeL,
+        0x3f4fa104bb4f1ca5L,0x15458b72398640f7L,0x4231faa9d7f407eaL },
+      { 0x53e0661ef96e6896L,0x554e4c69d03b0f9dL,0xd4fcb07b9c7858d1L,
+        0x7e95279352cb04faL,0x5f5f15748974e7f7L,0x2e3fa5586b6d57c8L } },
+    /* 46 */
+    { { 0x42cd48036a9951a8L,0xa8b15b8842792ad0L,0x18e8bcf9abb29a73L,
+        0xbfd9a092409933e8L,0x760a3594efb88dc4L,0x1441886340724458L },
+      { 0x162a56ee99caedc7L,0x8fb12ecd91d101c9L,0xea671967393202daL,
+        0x1aac8c4aa4ccd796L,0x7db050361cf185a8L,0x0c9f86cd8cfd095aL } },
+    /* 47 */
+    { { 0x9a72814710b2a556L,0x767ca964327b70b2L,0x04ed9e125e3799b7L,
+        0x6781d2dc22a3eb2aL,0x5bd116eb0d9450acL,0xeccac1fca7ebe08aL },
+      { 0xde68444fdc2d6e94L,0x3621f42935ecf21bL,0x14e2d54329e03a2cL,
+        0x53e42cd57d3e7f0aL,0xbba26c0973ed00b9L,0x00297c39c57d2272L } },
+    /* 48 */
+    { { 0x3aaaab10b8243a7dL,0x6eeef93e8fa58c5bL,0xf866fca39ae7f764L,
+        0x64105a2661ab04d3L,0xa3578d8a03945d66L,0xb08cd3e4791b848cL },
+      { 0x45edc5f8756d2411L,0xd4a790d9a755128cL,0xc2cf096349e5f6a0L,
+        0xc66d267df649beaaL,0x3ce6d9688467039eL,0x50046c6b42f7816fL } },
+    /* 49 */
+    { { 0x92ae160266425043L,0x1ff66afdf08db890L,0x386f5a7f8f162ce5L,
+        0x18d2dea0fcf5598fL,0x78372b3a1a8ca18eL,0xdf0d20eb8cd0e6f7L },
+      { 0x7edd5e1d75bb4045L,0x252a47ceb96d94b7L,0xbdb293582c626776L,
+        0x853c394340dd1031L,0x9dc9becf7d5f47fdL,0x27c2302fbae4044aL } },
+    /* 50 */
+    { { 0x2d1d208a8f2d49ceL,0x0d91aa02162df0a2L,0x9c5cce8709a07f65L,
+        0xdf07238b84339012L,0x5028e2c8419442cdL,0x2dcbd35872062abaL },
+      { 0xb5fbc3cbe4680967L,0x2a7bc6459f92d72cL,0x806c76e1116c369dL,
+        0x5c50677a3177e8d8L,0x753739eb4569df57L,0x2d481ef636c3f40bL } },
+    /* 51 */
+    { { 0x1a2d39fdfea1103eL,0xeaae559295f81b17L,0xdbd0aa18f59b264aL,
+        0x90c39c1acb592ee0L,0xdf62f80d9750cca3L,0xda4d8283df97cc6cL },
+      { 0x0a6dd3461e201067L,0x1531f85969fb1f6bL,0x4895e5521d60121fL,
+        0x0b21aab04c041c91L,0x9d896c46bcc1ccf8L,0xd24da3b33141bde7L } },
+    /* 52 */
+    { { 0x575a053753b0a354L,0x392ff2f40c6ddcd8L,0x0b8e8cff56157b94L,
+        0x073e57bd3b1b80d1L,0x2a75e0f03fedee15L,0x752380e4aa8e6f19L },
+      { 0x1f4e227c6558ffe9L,0x3a34861819ec5415L,0xab382d5ef7997085L,
+        0x5e6deaffddc46ac2L,0xe5144078fc8d094cL,0xf674fe51f60e37c6L } },
+    /* 53 */
+    { { 0x6fb87ae5af63408fL,0xa39c36a9cd75a737L,0x7833313fcf4c618dL,
+        0xfbcd4482f034c88dL,0x4469a76139b35288L,0x77a711c566b5d9c9L },
+      { 0x4a695dc7944f8d65L,0xe6da5f65161aaba8L,0x8654e9c324601669L,
+        0xbc8b93f528ae7491L,0x5f1d1e838f5580d8L,0x8ccf9a1acea32cc8L } },
+    /* 54 */
+    { { 0x28ab110c7196fee2L,0x75799d63874c8945L,0xa262934829aedaddL,
+        0x9714cc7b2be88ff4L,0xf71293cfd58d60d6L,0xda6b6cb332a564e9L },
+      { 0xf43fddb13dd821c2L,0xf2f2785f90dd323dL,0x91246419048489f8L,
+        0x61660f26d24c6749L,0x961d9e8cc803c15cL,0x631c6158faadc4c9L } },
+    /* 55 */
+    { { 0xacf2ebe0fd752366L,0xb93c340e139be88bL,0x98f664850f20179eL,
+        0x14820254ff1da785L,0x5278e2764f85c16eL,0xa246ee457aab1913L },
+      { 0x43861eb453763b33L,0xc49f03fc45c0bc0dL,0xafff16bcad6b1ea1L,
+        0xce33908b6fd49c99L,0x5c51e9bff7fde8c3L,0x076a7a39ff142c5eL } },
+    /* 56 */
+    { { 0x04639dfe9e338d10L,0x8ee6996ff42b411bL,0x960461d1a875cef2L,
+        0x1057b6d695b4d0baL,0x27639252a906e0bcL,0x2c19f09ae1c20f8aL },
+      { 0x5b8fc3f0eef4c43dL,0xe2e1b1a807a84aa9L,0x5f455528835d2bdbL,
+        0x0f4aee4d207132ddL,0xe9f8338c3907f675L,0x7a874dc90e0531f0L } },
+    /* 57 */
+    { { 0x84b22d4597c27050L,0xbd0b8df759e70bf8L,0xb4d6740579738b9bL,
+        0x47f4d5f5cd917c4fL,0x9099c4ce13ce6e33L,0x942bfd39521d0f8bL },
+      { 0x5028f0f6a43b566dL,0xaf6e866921bff7deL,0x83f6f856c44232cdL,
+        0x65680579f915069aL,0xd12095a2ecfecb85L,0xcf7f06aedb01ba16L } },
+    /* 58 */
+    { { 0x0f56e3c48ef96c80L,0xd521f2b33ddb609cL,0x2be941027dc1450dL,
+        0x2d21a07102a91fe2L,0x2e6f74fa1efa37deL,0x9a9a90b8156c28a1L },
+      { 0xc54ea9ea9dc7dfcbL,0xc74e66fc2c2c1d62L,0x9f23f96749d3e067L,
+        0x1c7c3a4654dd38adL,0xc70058845946cee3L,0x8985636845cc045dL } },
+    /* 59 */
+    { { 0x29da7cd4fce73946L,0x8f697db523168563L,0x8e235e9ccba92ec6L,
+        0x55d4655f9f91d3eaL,0xf3689f23aa50a6cdL,0xdcf21c2621e6a1a0L },
+      { 0xcffbc82e61b818bfL,0xc74a2f96da47a243L,0x234e980a8bc1a0cfL,
+        0xf35fd6b57929cb6dL,0x81468e12efe17d6cL,0xddea6ae558b2dafbL } },
+    /* 60 */
+    { { 0x294de8877e787b2eL,0x258acc1f39a9310dL,0x92d9714aac14265dL,
+        0x18b5591c708b48a0L,0x27cc6bb0e1abbf71L,0xc0581fa3568307b9L },
+      { 0x9e0f58a3f24d4d58L,0xfebe9bb8e0ce2327L,0x91fd6a419d1be702L,
+        0x9a7d8a45facac993L,0xabc0a08c9e50d66dL,0x02c342f706498201L } },
+    /* 61 */
+    { { 0xccd71407157bdbc2L,0x72fa89c6ad0e1605L,0xb1d3da2bb92a015fL,
+        0x8ad9e7cda0a3fe56L,0x160edcbd24f06737L,0x79d4db3361275be6L },
+      { 0xd3d31fd95f3497c4L,0x8cafeaee04192fb0L,0xe13ca74513a50af3L,
+        0x188261678c85aae5L,0xce06cea89eb556ffL,0x2eef1995bdb549f3L } },
+    /* 62 */
+    { { 0x8ed7d3eb50596edcL,0xaa359362905243a2L,0xa212c2c2a4b6d02bL,
+        0x611fd727c4fbec68L,0x8a0b8ff7b84f733dL,0xd85a6b905f0daf0eL },
+      { 0x60e899f5d4091cf7L,0x4fef2b672eff2768L,0xc1f195cb10c33964L,
+        0x8275d36993626a8fL,0xc77904f40d6c840aL,0x88d8b7fd7a868acdL } },
+    /* 63 */
+    { { 0x85f237237bd98425L,0xd4463992c70b154eL,0xcbb00ee296687a2eL,
+        0x905fdbf7c83214fdL,0x2019d29313593684L,0x0428c393ef51218eL },
+      { 0x40c7623f981e909aL,0x925133857be192daL,0x48fe480f4010907eL,
+        0xdd7a187c3120b459L,0xc9d7702da1fd8f3cL,0x66e4753be358efc5L } },
+    /* 64 */
+    { { 0x070d34e116973cf4L,0x20aee08b7e4f34f7L,0x269af9b95eb8ad29L,
+        0xdde0a036a6a45ddaL,0xa18b528e63df41e0L,0x03cc71b2a260df2aL },
+      { 0x24a6770aa06b1dd7L,0x5bfa9c119d2675d3L,0x73c1e2a196844432L,
+        0x3660558d131a6cf0L,0xb0289c832ee79454L,0xa6aefb01c6d8ddcdL } },
+    /* 65 */
+    { { 0xba1464b401ab5245L,0x9b8d0b6dc48d93ffL,0x939867dc93ad272cL,
+        0xbebe085eae9fdc77L,0x73ae5103894ea8bdL,0x740fc89a39ac22e1L },
+      { 0x5e28b0a328e23b23L,0x2352722ee13104d0L,0xf4667a18b0a2640dL,
+        0xac74a72e49bb37c3L,0x79f734f0e81e183aL,0xbffe5b6c3fd9c0ebL } },
+    /* 66 */
+    { { 0xb1a358f5c6a2123fL,0x927b2d95fe28df6dL,0x89702753f199d2f9L,
+        0x0a73754c1a3f82dcL,0x063d029d777affe1L,0x5439817edae6d34dL },
+      { 0xf7979eef6b8b83c4L,0x615cb2149d945682L,0x8f0e4facc5e57eaeL,
+        0x042b89b8113047ddL,0x888356dc93f36508L,0xbf008d185fd1f32fL } },
+    /* 67 */
+    { { 0x8012aa244e8068dbL,0xc72cc641a5729a47L,0x3c33df2c43f0691dL,
+        0xfa0573471d92145fL,0xaefc0f2fb97f7946L,0x813d75cb2f8121bfL },
+      { 0x05613c724383bba6L,0xa924ce70a4224b3fL,0xe59cecbe5f2179a6L,
+        0x78e2e8aa79f62b61L,0x3ac2cc3b53ad8079L,0x55518d71d8f4fa96L } },
+    /* 68 */
+    { { 0x03cf292200623f3bL,0x095c71115f29ebffL,0x42d7224780aa6823L,
+        0x044c7ba17458c0b0L,0xca62f7ef0959ec20L,0x40ae2ab7f8ca929fL },
+      { 0xb8c5377aa927b102L,0x398a86a0dc031771L,0x04908f9dc216a406L,
+        0xb423a73a918d3300L,0x634b0ff1e0b94739L,0xe29de7252d69f697L } },
+    /* 69 */
+    { { 0x744d14008435af04L,0x5f255b1dfec192daL,0x1f17dc12336dc542L,
+        0x5c90c2a7636a68a8L,0x960c9eb77704ca1eL,0x9de8cf1e6fb3d65aL },
+      { 0xc60fee0d511d3d06L,0x466e2313f9eb52c7L,0x743c0f5f206b0914L,
+        0x42f55bac2191aa4dL,0xcefc7c8fffebdbc2L,0xd4fa6081e6e8ed1cL } },
+    /* 70 */
+    { { 0xb5e405d3b0ab9645L,0xaeec7f98d5f1f711L,0x8ad42311585c2a6eL,
+        0x045acb9e512c6944L,0xae106c4ea90db1c6L,0xb89f33d5898e6563L },
+      { 0x43b07cd97fed2ce4L,0xf9934e17dd815b20L,0x6778d4d50a81a349L,
+        0x9e616ade52918061L,0xfa06db06d7e67112L,0x1da23cf188488091L } },
+    /* 71 */
+    { { 0x821c46b342f2c4b5L,0x931513ef66059e47L,0x7030ae4366f50cd1L,
+        0x43b536c943e7b127L,0x006258cf5fca5360L,0xe4e3ee796b557abfL },
+      { 0xbb6b390024c8b22fL,0x2eb5e2c1fcbf1054L,0x937b18c9567492afL,
+        0xf09432e4acf53957L,0x585f5a9d1dbf3a56L,0xf86751fdbe0887cfL } },
+    /* 72 */
+    { { 0x157399cb9d10e0b2L,0x1c0d595660dc51b7L,0x1d496b8a1f583090L,
+        0x6658bc2688590484L,0x88c08ab703213f28L,0x8d2e0f737ae58de4L },
+      { 0x9b79bc95486cfee6L,0x036a26c7e9e5bc57L,0x1ad03601cd8ae97aL,
+        0x06907f87ff3a0494L,0x078f4bbf2c7eb584L,0xe3731bf57e8d0a5aL } },
+    /* 73 */
+    { { 0x72f2282be1cd0abeL,0xd4f9015e87efefa2L,0x9d1898066c3834bdL,
+        0x9c8cdcc1b8a29cedL,0x0601b9f4fee82ebcL,0x371052bc7206a756L },
+      { 0x76fa109246f32562L,0xdaad534c17351bb4L,0xc3d64c37b3636bb5L,
+        0x038a8c5145d54e00L,0x301e618032c09e7cL,0x9764eae795735151L } },
+    /* 74 */
+    { { 0x8791b19fcbd5256aL,0x4007e0f26ca13a3bL,0x03b794604cf06904L,
+        0xb18a9c22b6c17589L,0xa1cb7d7d81d45908L,0x6e13fa9d21bb68f1L },
+      { 0x47183c62a71e6e16L,0x5cf0ef8ee18749edL,0x2c9c7f9b2e5ed409L,
+        0x042eeacce6e117e1L,0xb86d481613fb5a7fL,0xea1cf0edc9e5feb1L } },
+    /* 75 */
+    { { 0x6e6573c9cea4cc9bL,0x5417961dafcec8f3L,0x804bf02aa438b6f6L,
+        0xb894b03cdcd4ea88L,0xd0f807e93799571fL,0x3466a7f5862156e8L },
+      { 0x51e59acd56515664L,0x55b0f93ca3c5eb0bL,0x84a06b026a4279dbL,
+        0x5c850579c5fae08eL,0xcf07b8dba663a1a2L,0x49a36bbcf46ffc8dL } },
+    /* 76 */
+    { { 0xe47f5acc46d93106L,0x65b7ade0aa897c9cL,0x37cf4c9412d7e4beL,
+        0xa2ae9b80d4b2caa9L,0x5e7ce09ce60357a3L,0x29f77667c8ecd5f9L },
+      { 0xdf6868f5a8a0b1c5L,0x240858cf62978ad8L,0x0f7ac101dc0002a1L,
+        0x1d28a9d7ffe9aa05L,0x744984d65b962c97L,0xa8a7c00b3d28c8b2L } },
+    /* 77 */
+    { { 0x7c58a852ae11a338L,0xa78613f1d1af96e7L,0x7e9767d25355cc73L,
+        0x6ba37009792a2de6L,0x7d60f618124386b2L,0xab09b53111157674L },
+      { 0x95a0484198eb9dd0L,0xe6c17acc15070328L,0xafc6da45489c6e49L,
+        0xab45a60abb211530L,0xc58d65927d7ea933L,0xa3ef3c65095642c6L } },
+    /* 78 */
+    { { 0x89d420e9df010879L,0x9d25255d39576179L,0x9cdefd50e39513b6L,
+        0xe4efe45bd5d1c313L,0xc0149de73f7af771L,0x55a6b4f4340ab06bL },
+      { 0xf1325251ebeaf771L,0x2ab44128878d4288L,0xfcd5832e18e05afeL,
+        0xef52a348cc1fb62bL,0x2bd08274c1c4792aL,0x345c5846877c6dc7L } },
+    /* 79 */
+    { { 0xde15ceb0bea65e90L,0x0987f72b2416d99cL,0x44db578dfd863decL,
+        0xf617b74bac6a3578L,0x9e62bd7adb48e999L,0x877cae61eab1a1beL },
+      { 0x23adddaa3a358610L,0x2fc4d6d1325e2b07L,0x897198f51585754eL,
+        0xf741852cb392b584L,0x9927804cb55f7de1L,0xe9e6c4ed1aa8efaeL } },
+    /* 80 */
+    { { 0x867db63998683186L,0xfb5cf424ddcc4ea9L,0xcc9a7ffed4f0e7bdL,
+        0x7c57f71c7a779f7eL,0x90774079d6b25ef2L,0x90eae903b4081680L },
+      { 0xdf2aae5e0ee1fcebL,0x3ff1da24e86c1a1fL,0x80f587d6ca193edfL,
+        0xa5695523dc9b9d6aL,0x7b84090085920303L,0x1efa4dfcba6dbdefL } },
+    /* 81 */
+    { { 0xfbd838f9e0540015L,0x2c323946c39077dcL,0x8b1fb9e6ad619124L,
+        0x9612440c0ca62ea8L,0x9ad9b52c2dbe00ffL,0xf52abaa1ae197643L },
+      { 0xd0e898942cac32adL,0xdfb79e4262a98f91L,0x65452ecf276f55cbL,
+        0xdb1ac0d27ad23e12L,0xf68c5f6ade4986f0L,0x389ac37b82ce327dL } },
+    /* 82 */
+    { { 0x511188b4f8e60f5bL,0x7fe6701548aa2adaL,0xdb333cb8381abca2L,
+        0xb15e6d9ddaf3fc97L,0x4b24f6eb36aabc03L,0xc59789df72a748b4L },
+      { 0x26fcb8a529cf5279L,0x7a3c6bfc01ad9a6cL,0x866cf88d4b8bac9bL,
+        0xf4c899899c80d041L,0xf0a0424170add148L,0x5a02f47945d81a41L } },
+    /* 83 */
+    { { 0xfa5c877cc1c90202L,0xd099d440f8ac7570L,0x428a5b1bd17881f7L,
+        0x61e267db5b2501d7L,0xf889bf04f2e4465bL,0x4da3ae0876aa4cb8L },
+      { 0x3ef0fe26e3e66861L,0x5e7729533318b86dL,0xc3c35fbc747396dfL,
+        0x5115a29c439ffd37L,0xbfc4bd97b2d70374L,0x088630ea56246b9dL } },
+    /* 84 */
+    { { 0xcd96866db8a9e8c9L,0xa11963b85bb8091eL,0xc7f90d53045b3cd2L,
+        0x755a72b580f36504L,0x46f8b39921d3751cL,0x4bffdc9153c193deL },
+      { 0xcd15c049b89554e7L,0x353c6754f7a26be6L,0x79602370bd41d970L,
+        0xde16470b12b176c0L,0x56ba117540c8809dL,0xe2db35c3e435fb1eL } },
+    /* 85 */
+    { { 0xd71e4aab6328e33fL,0x5486782baf8136d1L,0x07a4995f86d57231L,
+        0xf1f0a5bd1651a968L,0xa5dc5b2476803b6dL,0x5c587cbc42dda935L },
+      { 0x2b6cdb32bae8b4c0L,0x66d1598bb1331138L,0x4a23b2d25d7e9614L,
+        0x93e402a674a8c05dL,0x45ac94e6da7ce82eL,0xeb9f8281e463d465L } },
+    /* 86 */
+    { { 0x34e0f9d1fecf5b9bL,0xa115b12bf206966aL,0x5591cf3b1eaa0534L,
+        0x5f0293cbfb1558f9L,0x1c8507a41bc703a5L,0x92e6b81c862c1f81L },
+      { 0xcc9ebc66cdaf24e3L,0x68917ecd72fcfc70L,0x6dc9a9308157ba48L,
+        0x5d425c08b06ab2b2L,0x362f8ce736e929c4L,0x09f6f57c62e89324L } },
+    /* 87 */
+    { { 0x1c7d6b78d29375fbL,0xfabd851ee35d1157L,0xf6f62dcd4243ea47L,
+        0x1dd924608fe30b0fL,0x08166dfaffc6e709L,0xc6c4c6930881e6a7L },
+      { 0x20368f87d6a53fb0L,0x38718e9f9eb4d1f9L,0x03f08acdafd7e790L,
+        0x0835eb4472fe2a1cL,0x7e05090388076e5dL,0x538f765ea638e731L } },
+    /* 88 */
+    { { 0x0e0249d9c2663b4bL,0xe700ab5b47cd38ddL,0xb192559d2c46559fL,
+        0x8f9f74a84bcde66dL,0xad1615233e2aced5L,0xc155c0473dd03a5bL },
+      { 0x346a87993be454ebL,0x66ee94db83b7dccdL,0x1f6d8378ab9d2abeL,
+        0x4a396dd27733f355L,0x419bd40af53553c2L,0xd0ead98d731dd943L } },
+    /* 89 */
+    { { 0x908e0b0eec142408L,0x98943cb94114b310L,0x03dbf7d81742b1d7L,
+        0xd270df6b693412f4L,0xc50654948f69e20cL,0xa76a90c3697e43a1L },
+      { 0xe0fa33844624825aL,0x82e48c0b8acc34c2L,0x7b24bd14e9a14f2bL,
+        0x4f5dd5e24db30803L,0x0c77a9e7932da0a3L,0x20db90f274c653dcL } },
+    /* 90 */
+    { { 0x261179b70e6c5fd9L,0xf8bec1236c982eeaL,0x47683338d4957b7eL,
+        0xcc47e6640a72f66aL,0xbd54bf6a1bad9350L,0xdfbf4c6af454e95aL },
+      { 0x3f7a7afa6907f4faL,0x7311fae0865ca735L,0x24737ab82a496adaL,
+        0x13e425f115feb79bL,0xe9e97c50a1b93c21L,0xb26b6eac4ddd3eb5L } },
+    /* 91 */
+    { { 0x81cab9f52a2e5f2bL,0xf93caf29bf385ac4L,0xf4bf35c3c909963aL,
+        0x081e730074c9143cL,0x3ea57fa8c281b4c5L,0xe497905c9b340741L },
+      { 0xf556dd8a55ab3cfbL,0xd444b96b518db6adL,0x34f5425a5ef4b955L,
+        0xdda7a3acecd26aa3L,0xb57da11bda655e97L,0x02da3effc2024c70L } },
+    /* 92 */
+    { { 0xe24b00366481d0d9L,0x3740dbe5818fdfe2L,0xc1fc1f45190fda00L,
+        0x329c92803cf27fdeL,0x7435cb536934f43eL,0x2b505a5d7884e8feL },
+      { 0x6cfcc6a6711adcc9L,0xf034325c531e21e1L,0xa2f4a9679b2a8a99L,
+        0x9d5f38423c21bdffL,0xb25c781131b57d66L,0xdb5344d80b8093b9L } },
+    /* 93 */
+    { { 0x0d72e667ae50a2f5L,0x9b7f8d8ae4a861d1L,0xa129f70f330df1cbL,
+        0xe90aa5d7e04fefc3L,0xff561ecbe72c3ae1L,0x0d8fb428cdb955faL },
+      { 0xd2235f73d7663784L,0xc05baec67e2c456aL,0xe5c292e42adbfcccL,
+        0x4fd17988efb110d5L,0x27e57734d19d49f3L,0x188ac4ce84f679feL } },
+    /* 94 */
+    { { 0x7ee344cfa796c53eL,0xbbf6074d0868009bL,0x1f1594f7474a1295L,
+        0x66776edcac11632dL,0x1862278b04e2fa5aL,0x52665cf2c854a89aL },
+      { 0x7e3764648104ab58L,0x167759137204fd6dL,0x86ca06a544ea1199L,
+        0xaa3f765b1c9240ddL,0x5f8501a924746149L,0x7b982e30dcd251d7L } },
+    /* 95 */
+    { { 0xe44e9efcc15f3060L,0x5ad62f2ea87ebbe6L,0x36499d41c79500d4L,
+        0xa66d6dc0336fa9d1L,0xf8afc4955afd3b1fL,0x1d8ccb24e5c9822bL },
+      { 0x4031422b79d7584bL,0xc54a0580ea3f20ddL,0x3f837c8f958468c5L,
+        0x3d82f110fbea7735L,0x679a87787dffe2fcL,0x48eba63b20704803L } },
+    /* 96 */
+    { { 0x89b10d41df46e2f6L,0x13ab57f819514367L,0x067372b91d469c87L,
+        0x0c195afa4f6c5798L,0xea43a12a272c9acfL,0x9dadd8cb678abdacL },
+      { 0xcce56c6be182579aL,0x86febadb2d26c2d8L,0x1c668ee12a44745cL,
+        0x580acd8698dc047aL,0x5a2b79cc51b9ec2dL,0x007da6084054f6a0L } },
+    /* 97 */
+    { { 0x9e3ca35217b00dd0L,0x046779cb0e81a7a6L,0xb999fef3d482d871L,
+        0xe6f38134d9233fbcL,0x112c3001f48cd0e0L,0x934e75763c6c66aeL },
+      { 0xb44d4fc3d73234dcL,0xfcae2062864eafc1L,0x843afe2526bef21aL,
+        0x61355107f3b75fdfL,0x8367a5aa794c2e6bL,0x3d2629b18548a372L } },
+    /* 98 */
+    { { 0x6230618f437cfaf8L,0x5b8742cb2032c299L,0x949f72472293643aL,
+        0xb8040f1a09464f79L,0x049462d24f254143L,0xabd6b522366c7e76L },
+      { 0x119b392bd5338f55L,0x1a80a9ce01495a0cL,0xf3118ca7f8d7537eL,
+        0xb715adc26bf4b762L,0x24506165a8482b6cL,0xd958d7c696a7c84dL } },
+    /* 99 */
+    { { 0x9ad8aa87bdc21f31L,0xadb3cab48063e58cL,0xefd86283b07dd7b8L,
+        0xc7b9b7621be7c6b4L,0x2ef58741015582deL,0xc970c52e299addf3L },
+      { 0x78f02e2a22f24d66L,0xefec1d1074cc100aL,0xaf2a6a3909316e1aL,
+        0xce7c22055849dd49L,0x9c1fe75c96bffc4cL,0xcad98fd27ba06ec0L } },
+    /* 100 */
+    { { 0xed76e2d0b648b73eL,0xa9f92ce51cfd285eL,0xa8c86c062ed13de1L,
+        0x1d3a574ea5191a93L,0x385cdf8b1ad1b8bfL,0xbbecc28a47d2cfe3L },
+      { 0x98d326c069cec548L,0x4f5bc1ddf240a0b2L,0x241a706229057236L,
+        0x0fc6e9c5c68294a4L,0x4d04838ba319f17aL,0x8b612cf19ffc1c6fL } },
+    /* 101 */
+    { { 0x9bb0b5014c3830ebL,0x3d08f83c8ee0d0c5L,0xa4a6264279ba9389L,
+        0x5d5d40449cbc2914L,0xae9eb83e074c46f0L,0x63bb758f74ead7d6L },
+      { 0x1c40d2eac6bb29e0L,0x95aa2d874b02f41eL,0x9298917553cb199aL,
+        0xdd91bafe51584f6dL,0x3715efb931a1aaecL,0xc1b6ae5b46780f9eL } },
+    /* 102 */
+    { { 0xcded3e4b42772f41L,0x3a700d5d3bcb79d1L,0x4430d50e80feee60L,
+        0x444ef1fcf5e5d4bbL,0xc660194fe6e358ffL,0xe68a2f326a91b43cL },
+      { 0x5842775c977fe4d2L,0x78fdef5c7e2a41ebL,0x5f3bec02ff8df00eL,
+        0xf4b840cd5852525dL,0x0870483a4e6988bdL,0x39499e39cc64b837L } },
+    /* 103 */
+    { { 0xfc05de80b08df5feL,0x0c12957c63ba0362L,0xea379414d5cf1428L,
+        0xc559132a54ef6216L,0x33d5f12fb9e65cf8L,0x09c602781695d663L },
+      { 0x3ac1ced461f7a2fbL,0xdd838444d4f5eeb8L,0x82a38c6c8318fcadL,
+        0x315be2e5e9f1a864L,0x317b5771442daf47L,0x81b5904a95aa5f9eL } },
+    /* 104 */
+    { { 0x6b6b1c508b21d232L,0x87f3dbc08c2cba75L,0xa7e74b46ae9f0fafL,
+        0x036a0985bb7b8079L,0x4f185b908d974a25L,0x5aa7cef0d9af5ec9L },
+      { 0xe0566a7057dcfffcL,0x6ea311dab8453225L,0x72ea1a8d23368aa9L,
+        0xed9b208348cd552dL,0xb987967cc80ea435L,0xad735c756c104173L } },
+    /* 105 */
+    { { 0xaea85ab3cee76ef4L,0x44997444af1d2b93L,0x0851929beacb923fL,
+        0xb080b59051e3bc0cL,0xc4ee1d8659be68a2L,0xf00de21964b26cdaL },
+      { 0x8d7fb5c0f2e90d4dL,0x00e219a777d9ec64L,0xc4e6febd5d1c491cL,
+        0x080e37541a8f4585L,0x4a9b86c848d2af9cL,0x2ed70db6b6679851L } },
+    /* 106 */
+    { { 0xaee44116586f25cbL,0xf7b6861fa0fcf70fL,0x55d2cd2018a350e8L,
+        0x861bf3e592dc286fL,0x9ab18ffa6226aba7L,0xd15827bea9857b03L },
+      { 0x26c1f54792e6acefL,0x422c63c8ac1fbac3L,0xa2d8760dfcbfd71dL,
+        0x35f6a539b2511224L,0xbaa88fa1048d1a21L,0x49f1abe9ebf999dbL } },
+    /* 107 */
+    { { 0x16f9f4f4f7492b73L,0xcf28ec1ecb392b1aL,0x45b130d469ca6ffcL,
+        0x28ba8d40b72efa58L,0xace987c75ca066f5L,0x3e3992464ad022ebL },
+      { 0x63a2d84e752555bbL,0xaaa93b4a9c2ae394L,0xcd80424ec89539caL,
+        0x6d6b5a6daa119a99L,0xbd50334c379f2629L,0x899e925eef3cc7d3L } },
+    /* 108 */
+    { { 0xb7ff3651bf825dc4L,0x0f741cc440b9c462L,0x771ff5a95cc4fb5bL,
+        0xcb9e9c9b47fd56feL,0xbdf053db5626c0d3L,0xa97ce675f7e14098L },
+      { 0x68afe5a36c934f5eL,0x6cd5e148ccefc46fL,0xc7758570d7a88586L,
+        0x49978f5edd558d40L,0xa1d5088a64ae00c1L,0x58f2a720f1d65bb2L } },
+    /* 109 */
+    { { 0x66fdda4a3e4daedbL,0x38318c1265d1b052L,0x28d910a24c4bbf5cL,
+        0x762fe5c478a9cd14L,0x08e5ebaad2cc0aeeL,0xd2cdf257ca0c654cL },
+      { 0x48f7c58b08b717d2L,0x3807184a386cd07aL,0x3240f626ae7d0112L,
+        0x03e9361bc43917b0L,0xf261a87620aea018L,0x53f556a47e1e6372L } },
+    /* 110 */
+    { { 0xc84cee562f512a90L,0x24b3c0041b0ea9f1L,0x0ee15d2de26cc1eaL,
+        0xd848762cf0c9ef7dL,0x1026e9c5d5341435L,0x8f5b73dcfdb16b31L },
+      { 0x1f69bef2d2c75d95L,0x8d33d581be064ddaL,0x8c024c1257ed35e6L,
+        0xf8d435f9c309c281L,0xfd295061d6960193L,0x66618d78e9e49541L } },
+    /* 111 */
+    { { 0x571cfd458ce382deL,0x175806eede900ddeL,0x6184996534aba3b5L,
+        0xe899778ade7aec95L,0xe8f00f6eff4aa97fL,0xae971cb5010b0c6dL },
+      { 0x1827eebc3af788f1L,0xd46229ffe413fe2dL,0x8a15455b4741c9b4L,
+        0x5f02e690f8e424ebL,0x40a1202edae87712L,0x49b3bda264944f6dL } },
+    /* 112 */
+    { { 0xd63c6067035b2d69L,0xb507150d6bed91b0L,0x1f35f82f7afb39b2L,
+        0xb9bd9c0116012b66L,0x00d97960ed0a5f50L,0xed7054512716f7c9L },
+      { 0x1576eff4127abdb4L,0x6850d698f01e701cL,0x9fa7d7493fc87e2fL,
+        0x0b6bcc6fb0ce3e48L,0xf4fbe1f5f7d8c1c0L,0xcf75230e02719cc6L } },
+    /* 113 */
+    { { 0x6761d6c2722d94edL,0xd1ec3f213718820eL,0x65a40b7025d0e7c6L,
+        0xd67f830ebaf3cf31L,0x633b3807b93ea430L,0x17faa0ea0bc96c69L },
+      { 0xe6bf3482df866b98L,0x205c1ee9a9db52d4L,0x51ef9bbdff9ab869L,
+        0x3863dad175eeb985L,0xef216c3bd3cf442aL,0x3fb228e3f9c8e321L } },
+    /* 114 */
+    { { 0x94f9b70c0760ac07L,0xf3c9ccae9d79bf4dL,0x73cea084c5ffc83dL,
+        0xef50f943dc49c38eL,0xf467a2aebc9e7330L,0x5ee534b644ea7fbaL },
+      { 0x20cb627203609e7fL,0x0984435562fdc9f0L,0xaf5c8e580f1457f7L,
+        0xd1f50a6cb4b25941L,0x77cb247c2ec82395L,0xa5f3e1e5da3dca33L } },
+    /* 115 */
+    { { 0x023489d67d85fa94L,0x0ba405372db9ce47L,0x0fdf7a1faed7aad1L,
+        0xa57b0d739a4ccb40L,0x48fcec995b18967cL,0xf30b5b6eb7274d24L },
+      { 0x7ccb4773c81c5338L,0xb85639e6a3ed6bd0L,0x7d9df95f1d56eadaL,
+        0xe256d57f0a1607adL,0x6da7ffdc957574d6L,0x65f8404601c7a8c4L } },
+    /* 116 */
+    { { 0x8d45d0cbcba1e7f1L,0xef0a08c002b55f64L,0x771ca31b17e19892L,
+        0xe1843ecb4885907eL,0x67797ebc364ce16aL,0x816d2b2d8df4b338L },
+      { 0xe870b0e539aa8671L,0x9f0db3e4c102b5f5L,0x342966591720c697L,
+        0x0ad4c89e613c0d2aL,0x1af900b2418ddd61L,0xe087ca72d336e20eL } },
+    /* 117 */
+    { { 0x222831ffaba10079L,0x0dc5f87b6d64fff2L,0x445479073e8cb330L,
+        0xe815aaa2702a33fbL,0x338d6b2e5fba3215L,0x0f7535cb79f549c8L },
+      { 0x471ecd972ee95923L,0x1e868b37c6d1c09fL,0x2bc7b8ecc666ef4eL,
+        0xf5416589808a4bfcL,0xf23e9ee23fbc4d2eL,0x4357236c2d75125bL } },
+    /* 118 */
+    { { 0xfe176d95ba9cdb1bL,0x45a1ca012f82791eL,0x97654af24de4cca2L,
+        0xbdbf9d0e5cc4bcb9L,0xf6a7df50ad97ac0aL,0xc52112b061359fd6L },
+      { 0x696d9ce34f05eae3L,0x903adc02e943ac2bL,0xa90753470848be17L,
+        0x1e20f1702a3973e5L,0xe1aacc1c6feb67e9L,0x2ca0ac32e16bc6b9L } },
+    /* 119 */
+    { { 0xffea12e4ef871eb5L,0x94c2f25da8bf0a7aL,0x4d1e4c2a78134eaaL,
+        0x11ed16fb0360fb10L,0x4029b6db85fc11beL,0x5e9f7ab7f4d390faL },
+      { 0x5076d72f30646612L,0xa0afed1ddda1d0d8L,0x2902225785a1d103L,
+        0xcb499e174e276bcdL,0x16d1da7151246c3dL,0xc72d56d3589a0443L } },
+    /* 120 */
+    { { 0xdf5ffc74dae5bb45L,0x99068c4a261bd6dcL,0xdc0afa7aaa98ec7bL,
+        0xedd2ee00f121e96dL,0x163cc7be1414045cL,0xb0b1bbce335af50eL },
+      { 0xd440d78501a06293L,0xcdebab7c6552e644L,0x48cb8dbc8c757e46L,
+        0x81f9cf783cabe3cbL,0xddd02611b123f59aL,0x3dc7b88eeeb3784dL } },
+    /* 121 */
+    { { 0xe1b8d398c4741456L,0xa9dfa9026032a121L,0x1cbfc86d1263245bL,
+        0xf411c7625244718cL,0x96521d5405b0fc54L,0x1afab46edbaa4985L },
+      { 0xa75902ba8674b4adL,0x486b43ad5ad87d12L,0x72b1c73636e0d099L,
+        0x39890e07bb6cd6d6L,0x8128999c59bace4eL,0xd8da430b7b535e33L } },
+    /* 122 */
+    { { 0x39f65642c6b75791L,0x050947a621806bfbL,0x0ca3e3701362ef84L,
+        0x9bc60aed8c3d2391L,0x9b488671732e1ddcL,0x12d10d9ea98ee077L },
+      { 0xb6f2822d3651b7dcL,0x6345a5ba80abd138L,0x62033262472d3c84L,
+        0xd54a1d40acc57527L,0x6ea46b3a424447cbL,0x5bc410572fb1a496L } },
+    /* 123 */
+    { { 0xe70c57a3a751cd0eL,0x190d8419eba3c7d6L,0xb1c3bee79d47d55aL,
+        0xda941266f912c6d8L,0x12e9aacc407a6ad6L,0xd6ce5f116e838911L },
+      { 0x063ca97b70e1f2ceL,0xa3e47c728213d434L,0xa016e24184df810aL,
+        0x688ad7b0dfd881a4L,0xa37d99fca89bf0adL,0xd8e3f339a23c2d23L } },
+    /* 124 */
+    { { 0xbdf53163750bed6fL,0x808abc3283e68b0aL,0x85a366275bb08a33L,
+        0xf72a3a0f6b0e4abeL,0xf7716d19faf0c6adL,0x22dcc0205379b25fL },
+      { 0x7400bf8df9a56e11L,0x6cb8bad756a47f21L,0x7c97176f7a6eb644L,
+        0xe8fd84f7d1f5b646L,0x98320a9444ddb054L,0x07071ba31dde86f5L } },
+    /* 125 */
+    { { 0x6fdfa0e598f8fcb9L,0x89cec8e094d0d70cL,0xa0899397106d20a8L,
+        0x915bfb9aba8acc9cL,0x1370c94b5507e01cL,0x83246a608a821ffbL },
+      { 0xa8273a9fbe3c378fL,0x7e54478935a25be9L,0x6cfa49724dd929d7L,
+        0x987fed9d365bd878L,0x4982ac945c29a7aeL,0x4589a5d75ddd7ec5L } },
+    /* 126 */
+    { { 0x9fabb174a95540a9L,0x7cfb886f0162c5b0L,0x17be766bea3dee18L,
+        0xff7da41fe88e624cL,0xad0b71eb8b919c38L,0x86a522e0f31ff9a9L },
+      { 0xbc8e6f72868bc259L,0x6130c6383ccef9e4L,0x09f1f4549a466555L,
+        0x8e6c0f0919b2bfb4L,0x945c46c90ca7bb22L,0xacd871684dafb67bL } },
+    /* 127 */
+    { { 0x090c72ca10c53841L,0xc20ae01b55a4fcedL,0x03f7ebd5e10234adL,
+        0xb3f42a6a85892064L,0xbdbc30c0b4a14722L,0x971bc4378ca124ccL },
+      { 0x6f79f46d517ff2ffL,0x6a9c96e2ecba947bL,0x5e79f2f462925122L,
+        0x30a96bb16a4e91f1L,0x1147c9232d4c72daL,0x65bc311f5811e4dfL } },
+    /* 128 */
+    { { 0x87c7dd7d139b3239L,0x8b57824e4d833baeL,0xbcbc48789fff0015L,
+        0x8ffcef8b909eaf1aL,0x9905f4eef1443a78L,0x020dd4a2e15cbfedL },
+      { 0xca2969eca306d695L,0xdf940cadb93caf60L,0x67f7fab787ea6e39L,
+        0x0d0ee10ff98c4fe5L,0xc646879ac19cb91eL,0x4b4ea50c7d1d7ab4L } },
+    /* 129 */
+    { { 0x19e409457a0db57eL,0xe6017cad9a8c9702L,0xdbf739e51be5cff9L,
+        0x3646b3cda7a938a2L,0x0451108568350dfcL,0xad3bd6f356e098b5L },
+      { 0x935ebabfee2e3e3eL,0xfbd01702473926cbL,0x7c735b029e9fb5aaL,
+        0xc52a1b852e3feff0L,0x9199abd3046b405aL,0xe306fcec39039971L } },
+    /* 130 */
+    { { 0xd6d9aec823e4712cL,0x7ca8376cc3c198eeL,0xe6d8318731bebd8aL,
+        0xed57aff3d88bfef3L,0x72a645eecf44edc7L,0xd4e63d0b5cbb1517L },
+      { 0x98ce7a1cceee0ecfL,0x8f0126335383ee8eL,0x3b879078a6b455e8L,
+        0xcbcd3d96c7658c06L,0x721d6fe70783336aL,0xf21a72635a677136L } },
+    /* 131 */
+    { { 0x19d8b3cd9586ba11L,0xd9e0aeb28a5c0480L,0xe4261dbf2230ef5cL,
+        0x095a9dee02e6bf09L,0x8963723c80dc7784L,0x5c97dbaf145157b1L },
+      { 0x97e744344bc4503eL,0x0fb1cb3185a6b370L,0x3e8df2becd205d4bL,
+        0x497dd1bcf8f765daL,0x92ef95c76c988a1aL,0x3f924baa64dc4cfaL } },
+    /* 132 */
+    { { 0x6bf1b8dd7268b448L,0xd4c28ba1efd79b94L,0x2fa1f8c8e4e3551fL,
+        0x769e3ad45c9187a9L,0x28843b4d40326c0dL,0xfefc809450d5d669L },
+      { 0x30c85bfd90339366L,0x4eeb56f15ccf6c3aL,0x0e72b14928ccd1dcL,
+        0x73ee85b5f2ce978eL,0xcdeb2bf33165bb23L,0x8106c9234e410abfL } },
+    /* 133 */
+    { { 0xc8df01617d02f4eeL,0x8a78154718e21225L,0x4ea895eb6acf9e40L,
+        0x8b000cb56e5a633dL,0xf31d86d57e981ffbL,0xf5c8029c4475bc32L },
+      { 0x764561ce1b568973L,0x2f809b81a62996ecL,0x9e513d64da085408L,
+        0xc27d815de61ce309L,0x0da6ff99272999e0L,0xbd284779fead73f7L } },
+    /* 134 */
+    { { 0x6033c2f99b1cdf2bL,0x2a99cf06bc5fa151L,0x7d27d25912177b3bL,
+        0xb1f15273c4485483L,0x5fd57d81102e2297L,0x3d43e017c7f6acb7L },
+      { 0x41a8bb0b3a70eb28L,0x67de2d8e3e80b06bL,0x09245a4170c28de5L,
+        0xad7dbcb1a7b26023L,0x70b08a352cbc6c1eL,0xb504fb669b33041fL } },
+    /* 135 */
+    { { 0xa8e85ab5f97a27c2L,0x6ac5ec8bc10a011bL,0x55745533ffbcf161L,
+        0x01780e8565790a60L,0xe451bf8599ee75b0L,0x8907a63b39c29881L },
+      { 0x76d46738260189edL,0x284a443647bd35cbL,0xd74e8c4020cab61eL,
+        0x6264bf8c416cf20aL,0xfa5a6c955fd820ceL,0xfa7154d0f24bb5fcL } },
+    /* 136 */
+    { { 0x18482cec9b3f5034L,0x962d445acd9e68fdL,0x266fb1d695746f23L,
+        0xc66ade5a58c94a4bL,0xdbbda826ed68a5b6L,0x05664a4d7ab0d6aeL },
+      { 0xbcd4fe51025e32fcL,0x61a5aebfa96df252L,0xd88a07e231592a31L,
+        0x5d9d94de98905517L,0x96bb40105fd440e7L,0x1b0c47a2e807db4cL } },
+    /* 137 */
+    { { 0x5c2a6ac808223878L,0xba08c269e65a5558L,0xd22b1b9b9bbc27fdL,
+        0x919171bf72b9607dL,0x9ab455f9e588dc58L,0x6d54916e23662d93L },
+      { 0x8da8e9383b1de0c1L,0xa84d186a804f278fL,0xbf4988ccd3461695L,
+        0xf5eae3bee10eb0cbL,0x1ff8b68fbf2a66edL,0xa68daf67c305b570L } },
+    /* 138 */
+    { { 0xc1004cff44b2e045L,0x91b5e1364b1c05d4L,0x53ae409088a48a07L,
+        0x73fb2995ea11bb1aL,0x320485703d93a4eaL,0xcce45de83bfc8a5fL },
+      { 0xaff4a97ec2b3106eL,0x9069c630b6848b4fL,0xeda837a6ed76241cL,
+        0x8a0daf136cc3f6cfL,0x199d049d3da018a8L,0xf867c6b1d9093ba3L } },
+    /* 139 */
+    { { 0xe4d42a5656527296L,0xae26c73dce71178dL,0x70a0adac6c251664L,
+        0x813483ae5dc0ae1dL,0x7574eacddaab2dafL,0xc56b52dcc2d55f4fL },
+      { 0x872bc16795f32923L,0x4be175815bdd2a89L,0x9b57f1e7a7699f00L,
+        0x5fcd9c723ac2de02L,0x83af3ba192377739L,0xa64d4e2bfc50b97fL } },
+    /* 140 */
+    { { 0x2172dae20e552b40L,0x62f49725d34d52e8L,0x7930ee4007958f98L,
+        0x56da2a90751fdd74L,0xf1192834f53e48c3L,0x34d2ac268e53c343L },
+      { 0x1073c21813111286L,0x201dac14da9d9827L,0xec2c29dbee95d378L,
+        0x9316f1191f3ee0b1L,0x7890c9f0544ce71cL,0xd77138af27612127L } },
+    /* 141 */
+    { { 0x78045e6d3b4ad1cdL,0xcd86b94e4aa49bc1L,0x57e51f1dfd677a16L,
+        0xd9290935fa613697L,0x7a3f959334f4d893L,0x8c9c248b5d5fcf9bL },
+      { 0x9f23a4826f70d4e9L,0x1727345463190ae9L,0x4bdd7c135b081a48L,
+        0x1e2de38928d65271L,0x0bbaaa25e5841d1fL,0xc4c18a79746772e5L } },
+    /* 142 */
+    { { 0x10ee2681593375acL,0x4f3288be7dd5e113L,0x9a97b2fb240f3538L,
+        0xfa11089f1de6b1e2L,0x516da5621351bc58L,0x573b61192dfa85b5L },
+      { 0x89e966836cba7df5L,0xf299be158c28ab40L,0xe91c9348ad43fcbfL,
+        0xe9bbc7cc9a1cefb3L,0xc8add876738b2775L,0x6e3b1f2e775eaa01L } },
+    /* 143 */
+    { { 0x0365a888b677788bL,0x634ae8c43fd6173cL,0x304987619e498dbeL,
+        0x08c43e6dc8f779abL,0x068ae3844c09aca9L,0x2380c70b2018d170L },
+      { 0xcf77fbc3a297c5ecL,0xdacbc853ca457948L,0x3690de04336bec7eL,
+        0x26bbac6414eec461L,0xd1c23c7e1f713abfL,0xf08bbfcde6fd569eL } },
+    /* 144 */
+    { { 0x5f8163f484770ee3L,0x0e0c7f94744a1706L,0x9c8f05f7e1b2d46dL,
+        0x417eafe7d01fd99aL,0x2ba15df511440e5bL,0xdc5c552a91a6fbcfL },
+      { 0x86271d74a270f721L,0x32c0a075a004485bL,0x9d1a87e38defa075L,
+        0xb590a7acbf0d20feL,0x430c41c28feda1f5L,0x454d287958f6ec24L } },
+    /* 145 */
+    { { 0x52b7a6357c525435L,0x3d9ef57f37c4bdbcL,0x2bb93e9edffcc475L,
+        0xf7b8ba987710f3beL,0x42ee86da21b727deL,0x55ac3f192e490d01L },
+      { 0x487e3a6ec0c1c390L,0x036fb345446cde7bL,0x089eb276496ae951L,
+        0xedfed4d971ed1234L,0x661b0dd5900f0b46L,0x11bd6f1b8582f0d3L } },
+    /* 146 */
+    { { 0x5cf9350f076bc9d1L,0x15d903becf3cd2c3L,0x21cfc8c225af031cL,
+        0xe0ad32488b1cc657L,0xdd9fb96370014e87L,0xf0f3a5a1297f1658L },
+      { 0xbb908fbaf1f703aaL,0x2f9cc4202f6760baL,0x00ceec6666a38b51L,
+        0x4deda33005d645daL,0xb9cf5c72f7de3394L,0xaeef65021ad4c906L } },
+    /* 147 */
+    { { 0x0583c8b17a19045dL,0xae7c3102d052824cL,0x2a234979ff6cfa58L,
+        0xfe9dffc962c733c0L,0x3a7fa2509c0c4b09L,0x516437bb4fe21805L },
+      { 0x9454e3d5c2a23ddbL,0x0726d887289c104eL,0x8977d9184fd15243L,
+        0xc559e73f6d7790baL,0x8fd3e87d465af85fL,0xa2615c745feee46bL } },
+    /* 148 */
+    { { 0xc8d607a84335167dL,0x8b42d804e0f5c887L,0x5f9f13df398d11f9L,
+        0x5aaa508720740c67L,0x83da9a6aa3d9234bL,0xbd3a5c4e2a54bad1L },
+      { 0xdd13914c2db0f658L,0x29dcb66e5a3f373aL,0xbfd62df55245a72bL,
+        0x19d1802391e40847L,0xd9df74dbb136b1aeL,0x72a06b6b3f93bc5bL } },
+    /* 149 */
+    { { 0x6da19ec3ad19d96fL,0xb342daa4fb2a4099L,0x0e61633a662271eaL,
+        0x3bcece81ce8c054bL,0x7cc8e0618bd62dc6L,0xae189e19ee578d8bL },
+      { 0x73e7a25ddced1eedL,0xc1257f0a7875d3abL,0x2cb2d5a21cfef026L,
+        0xd98ef39bb1fdf61cL,0xcd8e6f6924e83e6cL,0xd71e7076c7b7088bL } },
+    /* 150 */
+    { { 0x339368309d4245bfL,0x22d962172ac2953bL,0xb3bf5a8256c3c3cdL,
+        0x50c9be910d0699e8L,0xec0944638f366459L,0x6c056dba513b7c35L },
+      { 0x687a6a83045ab0e3L,0x8d40b57f445c9295L,0x0f345048a16f5954L,
+        0x64b5c6393d8f0a87L,0x106353a29f71c5e2L,0xdd58b475874f0dd4L } },
+    /* 151 */
+    { { 0x67ec084f62230c72L,0xf14f6cca481385e3L,0xf58bb4074cda7774L,
+        0xe15011b1aa2dbb6bL,0xd488369d0c035ab1L,0xef83c24a8245f2fdL },
+      { 0xfb57328f9fdc2538L,0x79808293191fe46aL,0xe28f5c4432ede548L,
+        0x1b3cda99ea1a022cL,0x39e639b73df2ec7fL,0x77b6272b760e9a18L } },
+    /* 152 */
+    { { 0x2b1d51bda65d56d5L,0x3a9b71f97ea696e0L,0x95250ecc9904f4c4L,
+        0x8bc4d6ebe75774b7L,0x0e343f8aeaeeb9aaL,0xc473c1d1930e04cbL },
+      { 0x282321b1064cd8aeL,0xf4b4371e5562221cL,0xc1cc81ecd1bf1221L,
+        0xa52a07a9e2c8082fL,0x350d8e59ba64a958L,0x29e4f3de6fb32c9aL } },
+    /* 153 */
+    { { 0x0aa9d56cba89aaa5L,0xf0208ac0c4c6059eL,0x7400d9c6bd6ddca4L,
+        0xb384e475f2c2f74aL,0x4c1061fcb1562dd3L,0x3924e2482e153b8dL },
+      { 0xf38b8d98849808abL,0x29bf3260a491aa36L,0x85159ada88220edeL,
+        0x8b47915bbe5bc422L,0xa934d72ed7300967L,0xc4f303982e515d0dL } },
+    /* 154 */
+    { { 0xe3e9ee421b1de38bL,0xa124e25a42636760L,0x90bf73c090165b1aL,
+        0x21802a34146434c5L,0x54aa83f22e1fa109L,0x1d4bd03ced9c51e9L },
+      { 0xc2d96a38798751e6L,0xed27235f8c3507f5L,0xb5fb80e2c8c24f88L,
+        0xf873eefad37f4f78L,0x7229fd74f224ba96L,0x9dcd91999edd7149L } },
+    /* 155 */
+    { { 0xee9f81a64e94f22aL,0xe5609892f71ec341L,0x6c818ddda998284eL,
+        0x9fd472953b54b098L,0x47a6ac030e8a7cc9L,0xde684e5eb207a382L },
+      { 0x4bdd1ecd2b6b956bL,0x09084414f01b3583L,0xe2f80b3255233b14L,
+        0x5a0fec54ef5ebc5eL,0x74cf25e6bf8b29a2L,0x1c757fa07f29e014L } },
+    /* 156 */
+    { { 0x1bcb5c4aeb0fdfe4L,0xd7c649b3f0899367L,0xaef68e3f05bc083bL,
+        0x57a06e46a78aa607L,0xa2136ecc21223a44L,0x89bd648452f5a50bL },
+      { 0x724411b94455f15aL,0x23dfa97008a9c0fdL,0x7b0da4d16db63befL,
+        0x6f8a7ec1fb162443L,0xc1ac9ceee98284fbL,0x085a582b33566022L } },
+    /* 157 */
+    { { 0x15cb61f9ec1f138aL,0x11c9a230668f0c28L,0xac829729df93f38fL,
+        0xcef256984048848dL,0x3f686da02bba8fbfL,0xed5fea78111c619aL },
+      { 0x9b4f73bcd6d1c833L,0x5095160686e7bf80L,0xa2a73508042b1d51L,
+        0x9ef6ea495fb89ec2L,0xf1008ce95ef8b892L,0x78a7e6849ae8568bL } },
+    /* 158 */
+    { { 0x3fe83a7c10470cd8L,0x92734682f86df000L,0xb5dac06bda9409b5L,
+        0x1e7a966094939c5fL,0xdec6c1505cc116dcL,0x1a52b40866bac8ccL },
+      { 0x5303a3656e864045L,0x45eae72a9139efc1L,0x83bec6466f31d54fL,
+        0x2fb4a86f6e958a6dL,0x6760718e4ff44030L,0x008117e3e91ae0dfL } },
+    /* 159 */
+    { { 0x5d5833ba384310a2L,0xbdfb4edc1fd6c9fcL,0xb9a4f102849c4fb8L,
+        0xe5fb239a581c1e1fL,0xba44b2e7d0a9746dL,0x78f7b7683bd942b9L },
+      { 0x076c8ca1c87607aeL,0x82b23c2ed5caaa7eL,0x6a581f392763e461L,
+        0xca8a5e4a3886df11L,0xc87e90cf264e7f22L,0x04f74870215cfcfcL } },
+    /* 160 */
+    { { 0x5285d116141d161cL,0x67cd2e0e93c4ed17L,0x12c62a647c36187eL,
+        0xf5329539ed2584caL,0xc4c777c442fbbd69L,0x107de7761bdfc50aL },
+      { 0x9976dcc5e96beebdL,0xbe2aff95a865a151L,0x0e0a9da19d8872afL,
+        0x5e357a3da63c17ccL,0xd31fdfd8e15cc67cL,0xc44bbefd7970c6d8L } },
+    /* 161 */
+    { { 0x703f83e24c0c62f1L,0x9b1e28ee4e195572L,0x6a82858bfe26ccedL,
+        0xd381c84bc43638faL,0x94f72867a5ba43d8L,0x3b4a783d10b82743L },
+      { 0xee1ad7b57576451eL,0xc3d0b59714b6b5c8L,0x3dc30954fcacc1b8L,
+        0x55df110e472c9d7bL,0x97c86ed702f8a328L,0xd043341388dc098fL } },
+    /* 162 */
+    { { 0x1a60d1522ca8f2feL,0x61640948491bd41fL,0x6dae29a558dfe035L,
+        0x9a615bea278e4863L,0xbbdb44779ad7c8e5L,0x1c7066302ceac2fcL },
+      { 0x5e2b54c699699b4bL,0xb509ca6d239e17e8L,0x728165feea063a82L,
+        0x6b5e609db6a22e02L,0x12813905b26ee1dfL,0x07b9f722439491faL } },
+    /* 163 */
+    { { 0x1592ec1448ff4e49L,0x3e4e9f176d644129L,0x7acf82881156acc0L,
+        0x5aa34ba8bb092b0bL,0xcd0f90227d38393dL,0x416724ddea4f8187L },
+      { 0x3c4e641cc0139e73L,0xe0fe46cf91e4d87dL,0xedb3c792cab61f8aL,
+        0x4cb46de4d3868753L,0xe449c21d20f1098aL,0x5e5fd059f5b8ea6eL } },
+    /* 164 */
+    { { 0x7fcadd4675856031L,0x89c7a4cdeaf2fbd0L,0x1af523ce7a87c480L,
+        0xe5fc109561d9ae90L,0x3fb5864fbcdb95f5L,0xbeb5188ebb5b2c7dL },
+      { 0x3d1563c33ae65825L,0x116854c40e57d641L,0x11f73d341942ebd3L,
+        0x24dc5904c06955b3L,0x8a0d4c83995a0a62L,0xfb26b86d5d577b7dL } },
+    /* 165 */
+    { { 0xc53108e7c686ae17L,0x9090d739d1c1da56L,0x4583b0139aec50aeL,
+        0xdd9a088ba49a6ab2L,0x28192eeaf382f850L,0xcc8df756f5fe910eL },
+      { 0x877823a39cab7630L,0x64984a9afb8e7fc1L,0x5448ef9c364bfc16L,
+        0xbbb4f871c44e2a9aL,0x901a41ab435c95e9L,0xc6c23e5faaa50a06L } },
+    /* 166 */
+    { { 0xb78016c19034d8ddL,0x856bb44b0b13e79bL,0x85c6409ab3241a05L,
+        0x8d2fe19a2d78ed21L,0xdcc7c26d726eddf2L,0x3ccaff5f25104f04L },
+      { 0x397d7edc6b21f843L,0xda88e4dde975de4cL,0x5273d3964f5ab69eL,
+        0x537680e39aae6cc0L,0xf749cce53e6f9461L,0x021ddbd9957bffd3L } },
+    /* 167 */
+    { { 0x7b64585f777233cfL,0xfe6771f60942a6f0L,0x636aba7adfe6eef0L,
+        0x63bbeb5686038029L,0xacee5842de8fcf36L,0x48d9aa99d4a20524L },
+      { 0xcff7a74c0da5e57aL,0xc232593ce549d6c9L,0x68504bccf0f2287bL,
+        0x6d7d098dbc8360b5L,0xeac5f1495b402f41L,0x61936f11b87d1bf1L } },
+    /* 168 */
+    { { 0xaa9da167b8153a9dL,0xa49fe3ac9e83ecf0L,0x14c18f8e1b661384L,
+        0x61c24dab38434de1L,0x3d973c3a283dae96L,0xc99baa0182754fc9L },
+      { 0x477d198f4c26b1e3L,0x12e8e186a7516202L,0x386e52f6362addfaL,
+        0x31e8f695c3962853L,0xdec2af136aaedb60L,0xfcfdb4c629cf74acL } },
+    /* 169 */
+    { { 0x6b3ee958cca40298L,0xc3878153f2f5d195L,0x0c565630ed2eae5bL,
+        0xd089b37e3a697cf2L,0xc2ed2ac7ad5029eaL,0x7e5cdfad0f0dda6aL },
+      { 0xf98426dfd9b86202L,0xed1960b14335e054L,0x1fdb02463f14639eL,
+        0x17f709c30db6c670L,0xbfc687ae773421e1L,0x13fefc4a26c1a8acL } },
+    /* 170 */
+    { { 0xe361a1987ffa0a5fL,0xf4b26102c63fe109L,0x264acbc56c74e111L,
+        0x4af445fa77abebafL,0x448c4fdd24cddb75L,0x0b13157d44506eeaL },
+      { 0x22a6b15972e9993dL,0x2c3c57e485e5ecbeL,0xa673560bfd83e1a1L,
+        0x6be23f82c3b8c83bL,0x40b13a9640bbe38eL,0x66eea033ad17399bL } },
+    /* 171 */
+    { { 0x49fc6e95b4c6c693L,0xefc735de36af7d38L,0xe053343d35fe42fcL,
+        0xf0aa427c6a9ab7c3L,0xc79f04364a0fcb24L,0x1628724393ebbc50L },
+      { 0x5c3d6bd016927e1eL,0x40158ed2673b984cL,0xa7f86fc84cd48b9aL,
+        0x1643eda660ea282dL,0x45b393eae2a1beedL,0x664c839e19571a94L } },
+    /* 172 */
+    { { 0x5774575027eeaf94L,0x2875c925ea99e1e7L,0xc127e7ba5086adeaL,
+        0x765252a086fe424fL,0x1143cc6c2b6c0281L,0xc9bb2989d671312dL },
+      { 0x880c337c51acb0a5L,0xa3710915d3c60f78L,0x496113c09262b6edL,
+        0x5d25d9f89ce48182L,0x53b6ad72b3813586L,0x0ea3bebc4c0e159cL } },
+    /* 173 */
+    { { 0xcaba450ac5e49beaL,0x684e54157c05da59L,0xa2e9cab9de7ac36cL,
+        0x4ca79b5f2e6f957bL,0xef7b024709b817b1L,0xeb3049907d89df0fL },
+      { 0x508f730746fe5096L,0x695810e82e04eaafL,0x88ef1bd93512f76cL,
+        0x776613513ebca06bL,0xf7d4863accf158b7L,0xb2a81e4494ee57daL } },
+    /* 174 */
+    { { 0xff288e5b6d53e6baL,0xa90de1a914484ea2L,0x2fadb60ced33c8ecL,
+        0x579d6ef328b66a40L,0x4f2dd6ddec24372dL,0xe9e33fc91d66ec7dL },
+      { 0x110899d2039eab6eL,0xa31a667a3e97bb5eL,0x6200166dcfdce68eL,
+        0xbe83ebae5137d54bL,0x085f7d874800acdfL,0xcf4ab1330c6f8c86L } },
+    /* 175 */
+    { { 0x03f65845931e08fbL,0x6438551e1506e2c0L,0x5791f0dc9c36961fL,
+        0x68107b29e3dcc916L,0x83242374f495d2caL,0xd8cfb6636ee5895bL },
+      { 0x525e0f16a0349b1bL,0x33cd2c6c4a0fab86L,0x46c12ee82af8dda9L,
+        0x7cc424ba71e97ad3L,0x69766ddf37621eb0L,0x95565f56a5f0d390L } },
+    /* 176 */
+    { { 0xe0e7bbf21a0f5e94L,0xf771e1151d82d327L,0x10033e3dceb111faL,
+        0xd269744dd3426638L,0xbdf2d9da00d01ef6L,0x1cb80c71a049ceafL },
+      { 0x17f183289e21c677L,0x6452af0519c8f98bL,0x35b9c5f780b67997L,
+        0x5c2e1cbe40f8f3d4L,0x43f9165666d667caL,0x9faaa059cf9d6e79L } },
+    /* 177 */
+    { { 0x8ad246180a078fe6L,0xf6cc73e6464fd1ddL,0x4d2ce34dc3e37448L,
+        0x624950c5e3271b5fL,0x62910f5eefc5af72L,0x8b585bf8aa132bc6L },
+      { 0x11723985a839327fL,0x34e2d27d4aac252fL,0x402f59ef6296cc4eL,
+        0x00ae055c47053de9L,0xfc22a97228b4f09bL,0xa9e86264fa0c180eL } },
+    /* 178 */
+    { { 0x0b7b6224bc310eccL,0x8a1a74f167fa14edL,0x87dd09607214395cL,
+        0xdf1b3d09f5c91128L,0x39ff23c686b264a8L,0xdc2d49d03e58d4c5L },
+      { 0x2152b7d3a9d6f501L,0xf4c32e24c04094f7L,0xc6366596d938990fL,
+        0x084d078f94fb207fL,0xfd99f1d7328594cbL,0x36defa64cb2d96b3L } },
+    /* 179 */
+    { { 0x4619b78113ed7cbeL,0x95e500159784bd0eL,0x2a32251c2c7705feL,
+        0xa376af995f0dd083L,0x55425c6c0361a45bL,0x812d2cef1f291e7bL },
+      { 0xccf581a05fd94972L,0x26e20e39e56dc383L,0x0093685d63dbfbf0L,
+        0x1fc164cc36b8c575L,0xb9c5ab81390ef5e7L,0x40086beb26908c66L } },
+    /* 180 */
+    { { 0xe5e54f7937e3c115L,0x69b8ee8cc1445a8aL,0x79aedff2b7659709L,
+        0xe288e1631b46fbe6L,0xdb4844f0d18d7bb7L,0xe0ea23d048aa6424L },
+      { 0x714c0e4ef3d80a73L,0x87a0aa9e3bd64f98L,0x8844b8a82ec63080L,
+        0xe0ac9c30255d81a3L,0x86151237455397fcL,0x0b9794642f820155L } },
+    /* 181 */
+    { { 0x127a255a4ae03080L,0x232306b4580a89fbL,0x04e8cd6a6416f539L,
+        0xaeb70dee13b02a0eL,0xa3038cf84c09684aL,0xa710ec3c28e433eeL },
+      { 0x77a72567681b1f7dL,0x86fbce952fc28170L,0xd3408683f5735ac8L,
+        0x3a324e2a6bd68e93L,0x7ec74353c027d155L,0xab60354cd4427177L } },
+    /* 182 */
+    { { 0x32a5342aef4c209dL,0x2ba7527408d62704L,0x4bb4af6fc825d5feL,
+        0x1c3919ced28e7ff1L,0x1dfc2fdcde0340f6L,0xc6580baf29f33ba9L },
+      { 0xae121e7541d442cbL,0x4c7727fd3a4724e4L,0xe556d6a4524f3474L,
+        0x87e13cc7785642a2L,0x182efbb1a17845fdL,0xdcec0cf14e144857L } },
+    /* 183 */
+    { { 0x1cb89541e9539819L,0xc8cb3b4f9d94dbf1L,0x1d353f63417da578L,
+        0xb7a697fb8053a09eL,0x8d841731c35d8b78L,0x85748d6fb656a7a9L },
+      { 0x1fd03947c1859c5dL,0x6ce965c1535d22a2L,0x1966a13e0ca3aadcL,
+        0x9802e41d4fb14effL,0xa9048cbb76dd3fcdL,0x89b182b5e9455bbaL } },
+    /* 184 */
+    { { 0xd777ad6a43360710L,0x841287ef55e9936bL,0xbaf5c67004a21b24L,
+        0xf2c0725f35ad86f1L,0x338fa650c707e72eL,0x2bf8ed2ed8883e52L },
+      { 0xb0212cf4b56e0d6aL,0x50537e126843290cL,0xd8b184a198b3dc6fL,
+        0xd2be9a350210b722L,0x407406db559781eeL,0x5a78d5910bc18534L } },
+    /* 185 */
+    { { 0x4d57aa2ad748b02cL,0xbe5b3451a12b3b95L,0xadca7a4564711258L,
+        0x597e091a322153dbL,0xf327100632eb1eabL,0xbd9adcba2873f301L },
+      { 0xd1dc79d138543f7fL,0x00022092921b1fefL,0x86db3ef51e5df8edL,
+        0x888cae049e6b944aL,0x71bd29ec791a32b4L,0xd3516206a6d1c13eL } },
+    /* 186 */
+    { { 0x2ef6b95255924f43L,0xd2f401ae4f9de8d5L,0xfc73e8d7adc68042L,
+        0x627ea70c0d9d1bb4L,0xc3bb3e3ebbf35679L,0x7e8a254ad882dee4L },
+      { 0x08906f50b5924407L,0xf14a0e61a1ad444aL,0xaa0efa2165f3738eL,
+        0xd60c7dd6ae71f161L,0x9e8390faf175894dL,0xd115cd20149f4c00L } },
+    /* 187 */
+    { { 0x2f2e2c1da52abf77L,0xc2a0dca554232568L,0xed423ea254966dccL,
+        0xe48c93c7cd0dd039L,0x1e54a225176405c7L,0x1efb5b1670d58f2eL },
+      { 0xa751f9d994fb1471L,0xfdb31e1f67d2941dL,0xa6c74eb253733698L,
+        0xd3155d1189a0f64aL,0x4414cfe4a4b8d2b6L,0x8d5a4be8f7a8e9e3L } },
+    /* 188 */
+    { { 0x5c96b4d452669e98L,0x4547f9228fd42a03L,0xcf5c1319d285174eL,
+        0x805cd1ae064bffa0L,0x50e8bc4f246d27e7L,0xf89ef98fd5781e11L },
+      { 0xb4ff95f6dee0b63fL,0xad850047222663a4L,0x026918604d23ce9cL,
+        0x3e5309ce50019f59L,0x27e6f72269a508aeL,0xe9376652267ba52cL } },
+    /* 189 */
+    { { 0xa04d289cc0368708L,0xc458872f5e306e1dL,0x76fa23de33112feaL,
+        0x718e39746efde42eL,0xf0c98cdc1d206091L,0x5fa3ca6214a71987L },
+      { 0xeee8188bdcaa9f2aL,0x312cc732589a860dL,0xf9808dd6c63aeb1fL,
+        0x70fd43db4ea62b53L,0x2c2bfe34890b6e97L,0x105f863cfa426aa6L } },
+    /* 190 */
+    { { 0x0b29795db38059adL,0x5686b77e90647ea0L,0xeff0470edb473a3eL,
+        0x278d2340f9b6d1e2L,0xebbff95bbd594ec7L,0xf4b72334d3a7f23dL },
+      { 0x2a285980a5a83f0bL,0x0786c41a9716a8b3L,0x138901bd22511812L,
+        0xd1b55221e2fede6eL,0x0806e264df4eb590L,0x6c4c897e762e462eL } },
+    /* 191 */
+    { { 0xd10b905fb4b41d9dL,0x826ca4664523a65bL,0x535bbd13b699fa37L,
+        0x5b9933d773bc8f90L,0x9332d61fcd2118adL,0x158c693ed4a65fd0L },
+      { 0x4ddfb2a8e6806e63L,0xe31ed3ecb5de651bL,0xf9460e51819bc69aL,
+        0x6229c0d62c76b1f8L,0xbb78f231901970a3L,0x31f3820f9cee72b8L } },
+    /* 192 */
+    { { 0xe931caf2c09e1c72L,0x0715f29812990cf4L,0x33aad81d943262d8L,
+        0x5d292b7a73048d3fL,0xb152aaa4dc7415f6L,0xc3d10fd90fd19587L },
+      { 0xf76b35c575ddadd0L,0x9f5f4a511e7b694cL,0x2f1ab7ebc0663025L,
+        0x01c9cc87920260b0L,0xc4b1f61a05d39da6L,0x6dcd76c4eb4a9c4eL } },
+    /* 193 */
+    { { 0x0ba0916ffdc83f01L,0x354c8b449553e4f9L,0xa6cc511affc5e622L,
+        0xb954726ae95be787L,0xcb04811575b41a62L,0xfa2ae6cdebfde989L },
+      { 0x6376bbc70f24659aL,0x13a999fd4c289c43L,0xc7134184ec9abd8bL,
+        0x28c02bf6a789ab04L,0xff841ebcd3e526ecL,0x442b191e640893a8L } },
+    /* 194 */
+    { { 0x4cac6c62fa2b6e20L,0x97f29e9bf6d69861L,0x228ab1dbbc96d12dL,
+        0x6eb913275e8e108dL,0xd4b3d4d140771245L,0x61b20623ca8a803aL },
+      { 0x2c2f3b41a6a560b1L,0x879e1d403859fcf4L,0x7cdb5145024dbfc3L,
+        0x55d08f153bfa5315L,0x2f57d773aa93823aL,0xa97f259cc6a2c9a2L } },
+    /* 195 */
+    { { 0xc306317be58edbbbL,0x25ade51c79dfdf13L,0x6b5beaf116d83dd6L,
+        0xe8038a441dd8f925L,0x7f00143cb2a87b6bL,0xa885d00df5b438deL },
+      { 0xe9f76790cf9e48bdL,0xf0bdf9f0a5162768L,0x0436709fad7b57cbL,
+        0x7e151c12f7c15db7L,0x3514f0225d90ee3bL,0x2e84e8032c361a8dL } },
+    /* 196 */
+    { { 0x2277607d563ec8d8L,0xa661811fe3934cb7L,0x3ca72e7af58fd5deL,
+        0x7989da0462294c6aL,0x88b3708bf6bbefe9L,0x0d524cf753ed7c82L },
+      { 0x69f699ca2f30c073L,0xf0fa264b9dc1dcf3L,0x44ca456805f0aaf6L,
+        0x0f5b23c7d19b9bafL,0x39193f41eabd1107L,0x9e3e10ad2a7c9b83L } },
+    /* 197 */
+    { { 0xa90824f0d4ae972fL,0x43eef02bc6e846e7L,0x7e46061229d2160aL,
+        0x29a178acfe604e91L,0x23056f044eb184b2L,0x4fcad55feb54cdf4L },
+      { 0xa0ff96f3ae728d15L,0x8a2680c6c6a00331L,0x5f84cae07ee52556L,
+        0x5e462c3ac5a65dadL,0x5d2b81dfe2d23f4fL,0x6e47301bc5b1eb07L } },
+    /* 198 */
+    { { 0x77411d68af8219b9L,0xcb883ce651b1907aL,0x25c87e57101383b5L,
+        0x9c7d9859982f970dL,0xaa6abca5118305d2L,0x725fed2f9013a5dbL },
+      { 0x487cdbafababd109L,0xc0f8cf5687586528L,0xa02591e68ad58254L,
+        0xc071b1d1debbd526L,0x927dfe8b961e7e31L,0x55f895f99263dfe1L } },
+    /* 199 */
+    { { 0xf899b00db175645bL,0x51f3a627b65b4b92L,0xa2f3ac8db67399efL,
+        0xe717867fe400bc20L,0x42cc90201967b952L,0x3d5967513ecd1de1L },
+      { 0xd41ebcdedb979775L,0x99ba61bc6a2e7e88L,0x039149a5321504f2L,
+        0xe7dc231427ba2fadL,0x9f556308b57d8368L,0x2b6d16c957da80a7L } },
+    /* 200 */
+    { { 0x84af5e76279ad982L,0x9bb4c92d9c8b81a6L,0xd79ad44e0e698e67L,
+        0xe8be9048265fc167L,0xf135f7e60c3a4cccL,0xa0a10d38b8863a33L },
+      { 0xe197247cd386efd9L,0x0eefd3f9b52346c2L,0xc22415f978607bc8L,
+        0xa2a8f862508674ceL,0xa72ad09ec8c9d607L,0xcd9f0ede50fa764fL } },
+    /* 201 */
+    { { 0x063391c7d1a46d4dL,0x2df51c119eb01693L,0xc5849800849e83deL,
+        0x48fd09aa8ad08382L,0xa405d873aa742736L,0xee49e61ee1f9600cL },
+      { 0xd76676be48c76f73L,0xd9c100f601274b2aL,0x110bb67c83f8718dL,
+        0xec85a42002fc0d73L,0xc0449e1e744656adL,0x28ce737637d9939bL } },
+    /* 202 */
+    { { 0x97e9af7244544ac7L,0xf2c658d5ba010426L,0x732dec39fb3adfbdL,
+        0xd12faf91a2df0b07L,0x8ac267252171e208L,0xf820cdc85b24fa54L },
+      { 0x307a6eea94f4cf77L,0x18c783d2944a33c6L,0x4b939d4c0b741ac5L,
+        0x1d7acd153ffbb6e4L,0x06a248587a255e44L,0x14fbc494ce336d50L } },
+    /* 203 */
+    { { 0x9b920c0c51584e3cL,0xc7733c59f7e54027L,0xe24ce13988422bbeL,
+        0x11ada812523bd6abL,0xde068800b88e6defL,0x7b872671fe8c582dL },
+      { 0x4e746f287de53510L,0x492f8b99f7971968L,0x1ec80bc77d928ac2L,
+        0xb3913e48432eb1b5L,0xad08486632028f6eL,0x122bb8358fc2f38bL } },
+    /* 204 */
+    { { 0x0a9f3b1e3b0b29c3L,0x837b64324fa44151L,0xb9905c9217b28ea7L,
+        0xf39bc93798451750L,0xcd383c24ce8b6da1L,0x299f57db010620b2L },
+      { 0x7b6ac39658afdce3L,0xa15206b33d05ef47L,0xa0ae37e2b9bb02ffL,
+        0x107760ab9db3964cL,0xe29de9a067954beaL,0x446a1ad8431c3f82L } },
+    /* 205 */
+    { { 0xc6fecea05c6b8195L,0xd744a7c5f49e71b9L,0xa8e96acc177a7ae7L,
+        0x1a05746c358773a7L,0xa416214637567369L,0xaa0217f787d1c971L },
+      { 0x61e9d15877fd3226L,0x0f6f2304e4f600beL,0xa9c4cebc7a6dff07L,
+        0xd15afa0109f12a24L,0x2bbadb228c863ee9L,0xa28290e4e5eb8c78L } },
+    /* 206 */
+    { { 0x55b87fa03e9de330L,0x12b26066195c145bL,0xe08536e0a920bef0L,
+        0x7bff6f2c4d195adcL,0x7f319e9d945f4187L,0xf9848863f892ce47L },
+      { 0xd0efc1d34fe37657L,0x3c58de825cf0e45aL,0x626ad21a8b0ccbbeL,
+        0xd2a31208af952fc5L,0x81791995eb437357L,0x5f19d30f98e95d4fL } },
+    /* 207 */
+    { { 0x72e83d9a0e6865bbL,0x22f5af3bf63456a6L,0x409e9c73463c8d9eL,
+        0x40e9e578dfe6970eL,0x876b6efa711b91caL,0x895512cf942625a3L },
+      { 0x84c8eda8cb4e462bL,0x84c0154a4412e7c8L,0x04325db1ceb7b71fL,
+        0x1537dde366f70877L,0xf3a093991992b9acL,0xa7316606d498ae77L } },
+    /* 208 */
+    { { 0x13990d2fcad260f5L,0x76c3be29eec0e8c0L,0x7dc5bee00f7bd7d5L,
+        0x9be167d2efebda4bL,0xcce3dde69122b87eL,0x75a28b0982b5415cL },
+      { 0xf6810bcde84607a6L,0xc6d581286f4dbf0dL,0xfead577d1b4dafebL,
+        0x9bc440b2066b28ebL,0x53f1da978b17e84bL,0x0459504bcda9a575L } },
+    /* 209 */
+    { { 0x13e39a02329e5836L,0x2c9e7d51f717269dL,0xc5ac58d6f26c963bL,
+        0x3b0c6c4379967bf5L,0x60bbea3f55908d9dL,0xd84811e7f07c9ad1L },
+      { 0xfe7609a75bd20e4aL,0xe4325dd20a70baa8L,0x3711f370b3600386L,
+        0x97f9562fd0924302L,0x040dc0c34acc4436L,0xfd6d725cde79cdd4L } },
+    /* 210 */
+    { { 0xb3efd0e3cf13eafbL,0x21009cbb5aa0ae5fL,0xe480c55379022279L,
+        0x755cf334b2fc9a6dL,0x8564a5bf07096ae7L,0xddd649d0bd238139L },
+      { 0xd0de10b18a045041L,0x6e05b413c957d572L,0x5c5ff8064e0fb25cL,
+        0xd933179b641162fbL,0x42d48485e57439f9L,0x70c5bd0a8a8d72aaL } },
+    /* 211 */
+    { { 0xa767173897bdf646L,0xaa1485b4ab329f7cL,0xce3e11d6f8f25fdfL,
+        0x76a3fc7ec6221824L,0x045f281ff3924740L,0x24557d4e96d13a9aL },
+      { 0x875c804bdd4c27cdL,0x11c5f0f40f5c7feaL,0xac8c880bdc55ff7eL,
+        0x2acddec51103f101L,0x38341a21f99faa89L,0xc7b67a2cce9d6b57L } },
+    /* 212 */
+    { { 0x9a0d724f8e357586L,0x1d7f4ff5df648da0L,0x9c3e6c9bfdee62a5L,
+        0x0499cef00389b372L,0xe904050d98eab879L,0xe8eef1b66c051617L },
+      { 0xebf5bfebc37e3ca9L,0x7c5e946da4e0b91dL,0x790973142c4bea28L,
+        0x81f6c109ee67b2b7L,0xaf237d9bdafc5edeL,0xd2e602012abb04c7L } },
+    /* 213 */
+    { { 0x6156060c8a4f57bfL,0xf9758696ff11182aL,0x8336773c6296ef00L,
+        0x9c054bceff666899L,0xd6a11611719cd11cL,0x9824a641dbe1acfaL },
+      { 0x0b7b7a5fba89fd01L,0xf8d3b809889f79d8L,0xc5e1ea08f578285cL,
+        0x7ac74536ae6d8288L,0x5d37a2007521ef5fL,0x5ecc4184b260a25dL } },
+    /* 214 */
+    { { 0xddcebb19a708c8d3L,0xe63ed04fc63f81ecL,0xd045f5a011873f95L,
+        0x3b5ad54479f276d5L,0x81272a3d425ae5b3L,0x8bfeb50110ce1605L },
+      { 0x4233809c888228bfL,0x4bd82acfb2aff7dfL,0x9c68f1800cbd4a7fL,
+        0xfcd771246b44323dL,0x60c0fcf6891db957L,0xcfbb4d8904da8f7fL } },
+    /* 215 */
+    { { 0x9a6a5df93b26139aL,0x3e076a83b2cc7eb8L,0x47a8e82d5a964bcdL,
+        0x8a4e2a39b9278d6bL,0x93506c98e4443549L,0x06497a8ff1e0d566L },
+      { 0x3dee8d992b1efa05L,0x2da63ca845393e33L,0xa4af7277cf0579adL,
+        0xaf4b46393236d8eaL,0x6ccad95b32b617f5L,0xce76d8b8b88bb124L } },
+    /* 216 */
+    { { 0x63d2537a083843dcL,0x89eb35141e4153b4L,0x5175ebc4ea9afc94L,
+        0x7a6525808ed1aed7L,0x67295611d85e8297L,0x8dd2d68bb584b73dL },
+      { 0x237139e60133c3a4L,0x9de838ab4bd278eaL,0xe829b072c062fcd9L,
+        0x70730d4f63ba8706L,0x6080483fd3cd05ecL,0x872ab5b80c85f84dL } },
+    /* 217 */
+    { { 0xfc0776d3999d4d49L,0xa3eb59deec3f45e7L,0xbc990e440dae1fc1L,
+        0x33596b1ea15371ffL,0xd447dcb29bc7ab25L,0xcd5b63e935979582L },
+      { 0xae3366fa77d1ff11L,0x59f28f05edee6903L,0x6f43fed1a4433bf2L,
+        0x15409c9bdf9ce00eL,0x21b5cdedaca9c5dcL,0xf9f3359582d7bdb4L } },
+    /* 218 */
+    { { 0x959443789422c792L,0x239ea923c958b8bfL,0x4b61a247df076541L,
+        0x4d29ce85bb9fc544L,0x9a692a670b424559L,0x6e0ca5a00e486900L },
+      { 0x6b79a78285b3beceL,0x41f35e39c61f9892L,0xff82099aae747f82L,
+        0x58c8ae3fd0ca59d6L,0x4ac930e299406b5fL,0x2ce04eb99df24243L } },
+    /* 219 */
+    { { 0x4366b9941ac37b82L,0xff0c728d25b04d83L,0x1f55136119c47b7cL,
+        0xdbf2d5edbeff13e7L,0xf78efd51e12a683dL,0x82cd85b9989cf9c4L },
+      { 0xe23c6db6e0cb5d37L,0x818aeebd72ee1a15L,0x8212aafd28771b14L,
+        0x7bc221d91def817dL,0xdac403a29445c51fL,0x711b051712c3746bL } },
+    /* 220 */
+    { { 0x0ed9ed485ea99eccL,0xf799500db8cab5e1L,0xa8ec87dcb570cbdcL,
+        0x52cfb2c2d35dfaecL,0x8d31fae26e4d80a4L,0xe6a37dc9dcdeabe5L },
+      { 0x5d365a341deca452L,0x09a5f8a50d68b44eL,0x59238ea5a60744b1L,
+        0xf2fedc0dbb4249e9L,0xe395c74ea909b2e3L,0xe156d1a539388250L } },
+    /* 221 */
+    { { 0xd796b3d047181ae9L,0xbaf44ba844197808L,0xe693309434cf3facL,
+        0x41aa6adec3bd5c46L,0x4fda75d8eed947c6L,0xacd9d4129ea5a525L },
+      { 0x65cc55a3d430301bL,0x3c9a5bcf7b52ea49L,0x22d319cf159507f0L,
+        0x2ee0b9b5de74a8ddL,0x20c26a1e877ac2b6L,0x387d73da92e7c314L } },
+    /* 222 */
+    { { 0x13c4833e8cd3fdacL,0x76fcd473332e5b8eL,0xff671b4be2fe1fd3L,
+        0x4d734e8b5d98d8ecL,0xb1ead3c6514bbc11L,0xd14ca8587b390494L },
+      { 0x95a443af5d2d37e9L,0x73c6ea7300464622L,0xa44aeb4b15755044L,
+        0xba3f8575fab58feeL,0x9779dbc9dc680a6fL,0xe1ee5f5a7b37ddfcL } },
+    /* 223 */
+    { { 0xcd0b464812d29f46L,0x93295b0b0ed53137L,0xbfe2609480bef6c9L,
+        0xa656578854248b00L,0x69c43fca80e7f9c4L,0x2190837bbe141ea1L },
+      { 0x875e159aa1b26cfbL,0x90ca9f877affe852L,0x15e6550d92ca598eL,
+        0xe3e0945d1938ad11L,0xef7636bb366ef937L,0xb6034d0bb39869e5L } },
+    /* 224 */
+    { { 0x4d255e3026d8356eL,0xf83666edd314626fL,0x421ddf61d0c8ed64L,
+        0x96e473c526677b61L,0xdad4af7e9e9b18b3L,0xfceffd4aa9393f75L },
+      { 0x843138a111c731d5L,0x05bcb3a1b2f141d9L,0x20e1fa95617b7671L,
+        0xbefce81288ccec7bL,0x582073dc90f1b568L,0xf572261a1f055cb7L } },
+    /* 225 */
+    { { 0xf314827736973088L,0xc008e70886a9f980L,0x1b795947e046c261L,
+        0xdf1e6a7dca76bca0L,0xabafd88671acddf0L,0xff7054d91364d8f4L },
+      { 0x2cf63547e2260594L,0x468a5372d73b277eL,0xc7419e24ef9bd35eL,
+        0x2b4a1c2024043cc3L,0xa28f047a890b39cdL,0xdca2cea146f9a2e3L } },
+    /* 226 */
+    { { 0xab78873653277538L,0xa734e225cf697738L,0x66ee1d1e6b22e2c1L,
+        0x2c615389ebe1d212L,0xf36cad4002bb0766L,0x120885c33e64f207L },
+      { 0x59e77d5690fbfec2L,0xf9e781aad7a574aeL,0x801410b05d045e53L,
+        0xd3b5f0aaa91b5f0eL,0xb3d1df007fbb3521L,0x11c4b33ec72bee9aL } },
+    /* 227 */
+    { { 0xd32b983283c3a7f3L,0x8083abcf88d8a354L,0xdeb1640450f4ec5aL,
+        0x18d747f0641e2907L,0x4e8978aef1bbf03eL,0x932447dc88a0cd89L },
+      { 0x561e0febcf3d5897L,0xfc3a682f13600e6dL,0xc78b9d73d16a6b73L,
+        0xe713feded29bf580L,0x0a22522308d69e5cL,0x3a924a571ff7fda4L } },
+    /* 228 */
+    { { 0xfb64554cb4093beeL,0xa6d65a25a58c6ec0L,0x4126994d43d0ed37L,
+        0xa5689a5155152d44L,0xb8e5ea8c284caa8dL,0x33f05d4fd1f25538L },
+      { 0xe0fdfe091b615d6eL,0x2ded7e8f705507daL,0xdd5631e517bbcc80L,
+        0x4f87453e267fd11fL,0xc6da723fff89d62dL,0x55cbcae2e3cda21dL } },
+    /* 229 */
+    { { 0x336bc94e6b4e84f3L,0x728630314ef72c35L,0x6d85fdeeeeb57f99L,
+        0x7f4e3272a42ece1bL,0x7f86cbb536f0320aL,0xf09b6a2b923331e6L },
+      { 0x21d3ecf156778435L,0x2977ba998323b2d2L,0x6a1b57fb1704bc0fL,
+        0xd777cf8b389f048aL,0x9ce2174fac6b42cdL,0x404e2bff09e6c55aL } },
+    /* 230 */
+    { { 0x9b9b135e204c5ddbL,0x9dbfe0443eff550eL,0x35eab4bfec3be0f6L,
+        0x8b4c3f0d0a43e56fL,0x4c1c66730e73f9b3L,0x92ed38bd2c78c905L },
+      { 0xc7003f6aa386e27cL,0xb9c4f46faced8507L,0xea024ec859df5464L,
+        0x4af96152429572eaL,0x279cd5e2e1fc1194L,0xaa376a03281e358cL } },
+    /* 231 */
+    { { 0x078592233cdbc95cL,0xaae1aa6aef2e337aL,0xc040108d472a8544L,
+        0x80c853e68d037b7dL,0xd221315c8c7eee24L,0x195d38568ee47752L },
+      { 0xd4b1ba03dacd7fbeL,0x4b5ac61ed3e0c52bL,0x68d3c0526aab7b52L,
+        0xf0d7248c660e3feaL,0xafdb3f893145efb4L,0xa73fd9a38f40936dL } },
+    /* 232 */
+    { { 0x891b9ef3bb1b17ceL,0x14023667c6127f31L,0x12b2e58d305521fdL,
+        0x3a47e449e3508088L,0xe49fc84bff751507L,0x4023f7225310d16eL },
+      { 0xa608e5edb73399faL,0xf12632d8d532aa3eL,0x13a2758e845e8415L,
+        0xae4b6f851fc2d861L,0x3879f5b1339d02f2L,0x446d22a680d99ebdL } },
+    /* 233 */
+    { { 0x0f5023024be164f1L,0x8d09d2d688b81920L,0x514056f1984aceffL,
+        0xa5c4ddf075e9e80dL,0x38cb47e6df496a93L,0x899e1d6b38df6bf7L },
+      { 0x69e87e88b59eb2a6L,0x280d9d639b47f38bL,0x599411ea3654e955L,
+        0xcf8dd4fd969aa581L,0xff5c2baf530742a7L,0xa43915361a373085L } },
+    /* 234 */
+    { { 0x6ace72a3a8a4bdd2L,0xc656cdd1b68ef702L,0xd4a33e7e90c4dad8L,
+        0x4aece08a9d951c50L,0xea8005ae085d68e6L,0xfdd7a7d76f7502b8L },
+      { 0xce6fb0a698d6fa45L,0x228f86721104eb8cL,0xd23d8787da09d7dcL,
+        0x5521428b2ae93065L,0x95faba3dea56c366L,0xedbe50390a88aca5L } },
+    /* 235 */
+    { { 0xd64da0adbfb26c82L,0xe5d70b3c952c2f9cL,0xf5e8f365f7e77f68L,
+        0x7234e00208f2d695L,0xfaf900eed12e7be6L,0x27dc69344acf734eL },
+      { 0x80e4ff5ec260a46aL,0x7da5ebce2dc31c28L,0x485c5d73ca69f552L,
+        0xcdfb6b2969cc84c2L,0x031c5afeed6d4ecaL,0xc7bbf4c822247637L } },
+    /* 236 */
+    { { 0x9d5b72c749fe01b2L,0x34785186793a91b8L,0xa3ba3c54cf460438L,
+        0x73e8e43d3ab21b6fL,0x50cde8e0be57b8abL,0x6488b3a7dd204264L },
+      { 0xa9e398b3dddc4582L,0x1698c1a95bec46feL,0x7f1446ef156d3843L,
+        0x3fd25dd8770329a2L,0x05b1221a2c710668L,0x65b2dc2aa72ee6cfL } },
+    /* 237 */
+    { { 0x21a885f7cd021d63L,0x3f344b15fea61f08L,0xad5ba6ddc5cf73e6L,
+        0x154d0d8f227a8b23L,0x9b74373cdc559311L,0x4feab71598620fa1L },
+      { 0x5098938e7d9ec924L,0x84d54a5e6d47e550L,0x1a2d1bdc1b617506L,
+        0x99fe1782615868a4L,0x171da7803005a924L,0xa70bf5ed7d8f79b6L } },
+    /* 238 */
+    { { 0x0bc1250dfe2216c5L,0x2c37e2507601b351L,0xb6300175d6f06b7eL,
+        0x4dde8ca18bfeb9b7L,0x4f210432b82f843dL,0x8d70e2f9b1ac0afdL },
+      { 0x25c73b78aae91abbL,0x0230dca3863028f2L,0x8b923ecfe5cf30b7L,
+        0xed754ec25506f265L,0x8e41b88c729a5e39L,0xee67cec2babf889bL } },
+    /* 239 */
+    { { 0xe183acf51be46c65L,0x9789538fe7565d7aL,0x87873391d9627b4eL,
+        0xbf4ac4c19f1d9187L,0x5db99f634691f5c8L,0xa68df80374a1fb98L },
+      { 0x3c448ed1bf92b5faL,0xa098c8413e0bdc32L,0x8e74cd5579bf016cL,
+        0x5df0d09c115e244dL,0x9418ad013410b66eL,0x8b6124cb17a02130L } },
+    /* 240 */
+    { { 0x425ec3afc26e3392L,0xc07f8470a1722e00L,0xdcc28190e2356b43L,
+        0x4ed97dffb1ef59a6L,0xc22b3ad1c63028c1L,0x070723c268c18988L },
+      { 0x70da302f4cf49e7dL,0xc5e87c933f12a522L,0x74acdd1d18594148L,
+        0xad5f73abca74124cL,0xe72e4a3ed69fd478L,0x615938687b117cc3L } },
+    /* 241 */
+    { { 0x7b7b9577a9aa0486L,0x6e41fb35a063d557L,0xb017d5c7da9047d7L,
+        0x8c74828068a87ba9L,0xab45fa5cdf08ad93L,0xcd9fb2174c288a28L },
+      { 0x595446425747843dL,0x34d64c6ca56111e3L,0x12e47ea14bfce8d5L,
+        0x17740e056169267fL,0x5c49438eeed03fb5L,0x9da30add4fc3f513L } },
+    /* 242 */
+    { { 0xc4e85282ccfa5200L,0x2707608f6a19b13dL,0xdcb9a53df5726e2fL,
+        0x612407c9e9427de5L,0x3e5a17e1d54d582aL,0xb99877de655ae118L },
+      { 0x6f0e972b015254deL,0x92a56db1f0a6f7c5L,0xd297e4e1a656f8b2L,
+        0x99fe0052ad981983L,0xd3652d2f07cfed84L,0xc784352e843c1738L } },
+    /* 243 */
+    { { 0x6ee90af07e9b2d8aL,0xac8d701857cf1964L,0xf6ed903171f28efcL,
+        0x7f70d5a96812b20eL,0x27b557f4f1c61eeeL,0xf1c9bd57c6263758L },
+      { 0x5cf7d0142a1a6194L,0xdd614e0b1890ab84L,0x3ef9de100e93c2a6L,
+        0xf98cf575e0cd91c5L,0x504ec0c614befc32L,0xd0513a666279d68cL } },
+    /* 244 */
+    { { 0xa8eadbada859fb6aL,0xcf8346e7db283666L,0x7b35e61a3e22e355L,
+        0x293ece2c99639c6bL,0xfa0162e256f241c8L,0xd2e6c7b9bf7a1ddaL },
+      { 0xd0de625340075e63L,0x2405aa61f9ec8286L,0x2237830a8fe45494L,
+        0x4fd01ac7364e9c8cL,0x4d9c3d21904ba750L,0xd589be14af1b520bL } },
+    /* 245 */
+    { { 0x13576a4f4662e53bL,0x35ec2f51f9077676L,0x66297d1397c0af97L,
+        0xed3201fe9e598b58L,0x49bc752a5e70f604L,0xb54af535bb12d951L },
+      { 0x36ea4c2b212c1c76L,0x18f5bbc7eb250dfdL,0xa0d466cc9a0a1a46L,
+        0x52564da4dac2d917L,0x206559f48e95fab5L,0x7487c1909ca67a33L } },
+    /* 246 */
+    { { 0x75abfe37dde98e9cL,0x99b90b262a411199L,0x1b410996dcdb1f7cL,
+        0xab346f118b3b5675L,0x04852193f1f8ae1eL,0x1ec4d2276b8b98c1L },
+      { 0xba3bc92645452baaL,0x387d1858acc4a572L,0x9478eff6e51f171eL,
+        0xf357077d931e1c00L,0xffee77cde54c8ca8L,0xfb4892ff551dc9a4L } },
+    /* 247 */
+    { { 0x5b1bdad02db8dff8L,0xd462f4fd5a2285a2L,0x1d6aad8eda00b461L,
+        0x43fbefcf41306d1bL,0x428e86f36a13fe19L,0xc8b2f11817f89404L },
+      { 0x762528aaf0d51afbL,0xa3e2fea4549b1d06L,0x86fad8f2ea3ddf66L,
+        0x0d9ccc4b4fbdd206L,0xcde97d4cc189ff5aL,0xc36793d6199f19a6L } },
+    /* 248 */
+    { { 0xea38909b51b85197L,0xffb17dd0b4c92895L,0x0eb0878b1ddb3f3fL,
+        0xb05d28ffc57cf0f2L,0xd8bde2e71abd57e2L,0x7f2be28dc40c1b20L },
+      { 0x6554dca2299a2d48L,0x5130ba2e8377982dL,0x8863205f1071971aL,
+        0x15ee62827cf2825dL,0xd4b6c57f03748f2bL,0xa9e3f4da430385a0L } },
+    /* 249 */
+    { { 0x33eb7cec83fbc9c6L,0x24a311c74541777eL,0xc81377f74f0767fcL,
+        0x12adae364ab702daL,0xb7fcb6db2a779696L,0x4a6fb28401cea6adL },
+      { 0x5e8b1d2acdfc73deL,0xd0efae8d1b02fd32L,0x3f99c190d81d8519L,
+        0x3c18f7fafc808971L,0x41f713e751b7ae7bL,0x0a4b3435f07fc3f8L } },
+    /* 250 */
+    { { 0x7dda3c4c019b7d2eL,0x631c8d1ad4dc4b89L,0x5489cd6e1cdb313cL,
+        0xd44aed104c07bb06L,0x8f97e13a75f000d1L,0x0e9ee64fdda5df4dL },
+      { 0xeaa99f3b3e346910L,0x622f6921fa294ad7L,0x22aaa20d0d0b2fe9L,
+        0x4fed2f991e5881baL,0x9af3b2d6c1571802L,0x919e67a8dc7ee17cL } },
+    /* 251 */
+    { { 0xc724fe4c76250533L,0x8a2080e57d817ef8L,0xa2afb0f4172c9751L,
+        0x9b10cdeb17c0702eL,0xbf3975e3c9b7e3e9L,0x206117df1cd0cdc5L },
+      { 0xfb049e61be05ebd5L,0xeb0bb55c16c782c0L,0x13a331b8ab7fed09L,
+        0xf6c58b1d632863f0L,0x6264ef6e4d3b6195L,0x92c51b639a53f116L } },
+    /* 252 */
+    { { 0xa57c7bc8288b364dL,0x4a562e087b41e5c4L,0x699d21c6698a9a11L,
+        0xa4ed9581f3f849b9L,0xa223eef39eb726baL,0x13159c23cc2884f9L },
+      { 0x73931e583a3f4963L,0x965003890ada6a81L,0x3ee8a1c65ab2950bL,
+        0xeedf4949775fab52L,0x63d652e14f2671b6L,0xfed4491c3c4e2f55L } },
+    /* 253 */
+    { { 0x335eadc3f4eb453eL,0x5ff74b63cadd1a5bL,0x6933d0d75d84a91aL,
+        0x9ca3eeb9b49ba337L,0x1f6faccec04c15b8L,0x4ef19326dc09a7e4L },
+      { 0x53d2d3243dca3233L,0x0ee40590a2259d4bL,0x18c22edb5546f002L,
+        0x9242980109ea6b71L,0xaada0addb0e91e61L,0x5fe53ef499963c50L } },
+    /* 254 */
+    { { 0x372dd06b90c28c65L,0x1765242c119ce47dL,0xc041fb806b22fc82L,
+        0x667edf07b0a7ccc1L,0xc79599e71261beceL,0xbc69d9ba19cff22aL },
+      { 0x009d77cd13c06819L,0x635a66aee282b79dL,0x4edac4a6225b1be8L,
+        0x57d4f4e4524008f9L,0xee299ac5b056af84L,0xcc38444c3a0bc386L } },
+    /* 255 */
+    { { 0x490643b1cd4c2356L,0x740a4851750547beL,0x643eaf29d4944c04L,
+        0xba572479299a98a0L,0x48b29f16ee05fdf9L,0x33fb4f61089b2d7bL },
+      { 0x86704902a950f955L,0x97e1034dfedc3ddfL,0x211320b605fbb6a2L,
+        0x23d7b93f432299bbL,0x1fe1a0578590e4a3L,0x8e1d0586f58c0ce6L } },
+};
+
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_6(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_6(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#ifdef HAVE_INTEL_AVX2
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * r     Resulting point.
+ * k     Scalar to multiply by.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+static int sp_384_ecc_mulmod_base_avx2_6(sp_point_384* r, const sp_digit* k,
+        int map, void* heap)
+{
+    return sp_384_ecc_mulmod_stripe_avx2_6(r, &p384_base, p384_table,
+                                      k, map, heap);
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+/* Multiply the base point of P384 by the scalar and return the result.
+ * If map is true then convert result to affine coordinates.
+ *
+ * km    Scalar to multiply by.
+ * r     Resulting point.
+ * map   Indicates whether to convert result to affine.
+ * heap  Heap to use for allocation.
+ * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_mulmod_base_384(mp_int* km, ecc_point* r, int map, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, km);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_base_avx2_6(point, k, map, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_base_6(point, k, map, heap);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, r);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+
+#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
+                                                        defined(HAVE_ECC_VERIFY)
+/* Returns 1 if the number of zero.
+ * Implementation is constant time.
+ *
+ * a  Number to check.
+ * returns 1 if the number is zero and 0 otherwise.
+ */
+static int sp_384_iszero_6(const sp_digit* a)
+{
+    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5]) == 0;
+}
+
+#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN || HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+extern void sp_384_add_one_6(sp_digit* a);
+extern void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n);
+/* Generates a scalar that is in the range 1..order-1.
+ *
+ * rng  Random number generator.
+ * k    Scalar value.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+static int sp_384_ecc_gen_k_6(WC_RNG* rng, sp_digit* k)
+{
+    int err;
+    byte buf[48];
+
+    do {
+        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
+        if (err == 0) {
+            sp_384_from_bin(k, 6, buf, (int)sizeof(buf));
+            if (sp_384_cmp_6(k, p384_order2) < 0) {
+                sp_384_add_one_6(k);
+                break;
+            }
+        }
+    }
+    while (err == 0);
+
+    return err;
+}
+
+/* Makes a random EC key pair.
+ *
+ * rng   Random number generator.
+ * priv  Generated private value.
+ * pub   Generated public point.
+ * heap  Heap to use for allocation.
+ * returns ECC_INF_E when the point does not have the correct order, RNG
+ * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384 inf;
+#endif
+#endif
+    sp_point_384* point;
+    sp_digit* k = NULL;
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_point_384* infinity;
+#endif
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, p, point);
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, inf, infinity);
+    }
+#endif
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_ecc_gen_k_6(rng, k);
+    }
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_base_avx2_6(point, k, 1, NULL);
+        else
+#endif
+            err = sp_384_ecc_mulmod_base_6(point, k, 1, NULL);
+    }
+
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            err = sp_384_ecc_mulmod_avx2_6(infinity, point, p384_order, 1,
+                                                                          NULL);
+        }
+        else
+#endif
+            err = sp_384_ecc_mulmod_6(infinity, point, p384_order, 1, NULL);
+    }
+    if (err == MP_OKAY) {
+        if ((sp_384_iszero_6(point->x) == 0) || (sp_384_iszero_6(point->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(k, priv);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_point_to_ecc_point_6(point, pub);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
+    sp_384_point_free_6(infinity, 1, heap);
+#endif
+    sp_384_point_free_6(point, 1, heap);
+
+    return err;
+}
+
+#ifdef HAVE_ECC_DHE
+extern void sp_384_to_bin(sp_digit* r, byte* a);
+/* Multiply the point by the scalar and serialize the X ordinate.
+ * The number is 0 padded to maximum size on output.
+ *
+ * priv    Scalar to multiply the point by.
+ * pub     Point to multiply.
+ * out     Buffer to hold X ordinate.
+ * outLen  On entry, size of the buffer in bytes.
+ *         On exit, length of data in buffer in bytes.
+ * heap    Heap to use for allocation.
+ * returns BUFFER_E if the buffer is to small for output size,
+ * MEMORY_E when memory allocation fails and MP_OKAY on success.
+ */
+int sp_ecc_secret_gen_384(mp_int* priv, ecc_point* pub, byte* out,
+                          word32* outLen, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 p;
+    sp_digit kd[6];
+#endif
+    sp_point_384* point = NULL;
+    sp_digit* k = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    if (*outLen < 48U) {
+        err = BUFFER_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, p, point);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (k == NULL)
+            err = MEMORY_E;
+    }
+#else
+    k = kd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(k, 6, priv);
+        sp_384_point_from_ecc_point_6(point, pub);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_avx2_6(point, point, k, 1, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_6(point, point, k, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        sp_384_to_bin(point->x, out);
+        *outLen = 48;
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (k != NULL) {
+        XFREE(k, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(point, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_DHE */
+
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef HAVE_INTEL_AVX2
+#endif /* HAVE_INTEL_AVX2 */
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+extern sp_digit sp_384_sub_in_place_6(sp_digit* a, const sp_digit* b);
+extern sp_digit sp_384_cond_sub_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit* b, sp_digit m);
+extern void sp_384_mul_d_6(sp_digit* r, const sp_digit* a, sp_digit b);
+extern void sp_384_mul_d_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit b);
+/* Divide the double width number (d1|d0) by the dividend. (d1|d0 / div)
+ *
+ * d1   The high order half of the number to divide.
+ * d0   The low order half of the number to divide.
+ * div  The dividend.
+ * returns the result of the division.
+ */
+static WC_INLINE sp_digit div_384_word_6(sp_digit d1, sp_digit d0,
+        sp_digit div)
+{
+    register sp_digit r asm("rax");
+    __asm__ __volatile__ (
+        "divq %3"
+        : "=a" (r)
+        : "d" (d1), "a" (d0), "r" (div)
+        :
+    );
+    return r;
+}
+/* AND m into each word of a and store in r.
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * m  Mask to AND against each digit.
+ */
+static void sp_384_mask_6(sp_digit* r, const sp_digit* a, sp_digit m)
+{
+#ifdef WOLFSSL_SP_SMALL
+    int i;
+
+    for (i=0; i<6; i++) {
+        r[i] = a[i] & m;
+    }
+#else
+    r[0] = a[0] & m;
+    r[1] = a[1] & m;
+    r[2] = a[2] & m;
+    r[3] = a[3] & m;
+    r[4] = a[4] & m;
+    r[5] = a[5] & m;
+#endif
+}
+
+/* Divide d in a and put remainder into r (m*d + r = a)
+ * m is not calculated as it is not needed at this time.
+ *
+ * a  Nmber to be divided.
+ * d  Number to divide with.
+ * m  Multiplier result.
+ * r  Remainder from the division.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_div_6(const sp_digit* a, const sp_digit* d, sp_digit* m,
+        sp_digit* r)
+{
+    sp_digit t1[12], t2[7];
+    sp_digit div, r1;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)m;
+
+    div = d[5];
+    XMEMCPY(t1, a, sizeof(*t1) * 2 * 6);
+    r1 = sp_384_cmp_6(&t1[6], d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_384_cond_sub_avx2_6(&t1[6], &t1[6], d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_384_cond_sub_6(&t1[6], &t1[6], d, (sp_digit)0 - r1);
+    for (i=5; i>=0; i--) {
+        r1 = div_384_word_6(t1[6 + i], t1[6 + i - 1], div);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_384_mul_d_avx2_6(t2, d, r1);
+        else
+#endif
+            sp_384_mul_d_6(t2, d, r1);
+        t1[6 + i] += sp_384_sub_in_place_6(&t1[i], t2);
+        t1[6 + i] -= t2[6];
+        sp_384_mask_6(t2, d, t1[6 + i]);
+        t1[6 + i] += sp_384_add_6(&t1[i], &t1[i], t2);
+        sp_384_mask_6(t2, d, t1[6 + i]);
+        t1[6 + i] += sp_384_add_6(&t1[i], &t1[i], t2);
+    }
+
+    r1 = sp_384_cmp_6(t1, d) >= 0;
+#ifdef HAVE_INTEL_AVX2
+    if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+        sp_384_cond_sub_avx2_6(r, t1, d, (sp_digit)0 - r1);
+    else
+#endif
+        sp_384_cond_sub_6(r, t1, d, (sp_digit)0 - r1);
+
+    return MP_OKAY;
+}
+
+/* Reduce a modulo m into r. (r = a mod m)
+ *
+ * r  A single precision number that is the reduced result.
+ * a  A single precision number that is to be reduced.
+ * m  A single precision number that is the modulus to reduce with.
+ * returns MP_OKAY indicating success.
+ */
+static WC_INLINE int sp_384_mod_6(sp_digit* r, const sp_digit* a, const sp_digit* m)
+{
+    return sp_384_div_6(a, m, NULL, r);
+}
+
+#endif
+#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
+#ifdef WOLFSSL_SP_SMALL
+/* Order-2 for the P384 curve. */
+static const uint64_t p384_order_minus_2[6] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU,
+    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
+};
+#else
+/* The low half of the order-2 of the P384 curve. */
+static const uint64_t p384_order_low[3] = {
+    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU
+    
+};
+#endif /* WOLFSSL_SP_SMALL */
+
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_6(r, a, b);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_6(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_6(r, a);
+    sp_384_mont_reduce_order_6(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_6(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_6(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_6(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_6(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_6(t, t);
+        if ((p384_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_6(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_6(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_6(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_6(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_6(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_6(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_6(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_6(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_6(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_6(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_6(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_6(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_6(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_6(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_6(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_6(t2, t2);
+        if (((sp_digit)p384_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_6(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_6(t2, t2);
+    sp_384_mont_mul_order_6(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#ifdef HAVE_INTEL_AVX2
+/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
+ *
+ * r  Result of the multiplication.
+ * a  First operand of the multiplication.
+ * b  Second operand of the multiplication.
+ */
+static void sp_384_mont_mul_order_avx2_6(sp_digit* r, const sp_digit* a, const sp_digit* b)
+{
+    sp_384_mul_avx2_6(r, a, b);
+    sp_384_mont_reduce_order_avx2_6(r, p384_order, p384_mp_order);
+}
+
+/* Square number mod the order of P384 curve. (r = a * a mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_order_avx2_6(sp_digit* r, const sp_digit* a)
+{
+    sp_384_sqr_avx2_6(r, a);
+    sp_384_mont_reduce_order_avx2_6(r, p384_order, p384_mp_order);
+}
+
+#ifndef WOLFSSL_SP_SMALL
+/* Square number mod the order of P384 curve a number of times.
+ * (r = a ^ n mod order)
+ *
+ * r  Result of the squaring.
+ * a  Number to square.
+ */
+static void sp_384_mont_sqr_n_order_avx2_6(sp_digit* r, const sp_digit* a, int n)
+{
+    int i;
+
+    sp_384_mont_sqr_order_avx2_6(r, a);
+    for (i=1; i<n; i++) {
+        sp_384_mont_sqr_order_avx2_6(r, r);
+    }
+}
+#endif /* !WOLFSSL_SP_SMALL */
+
+/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
+ * (r = 1 / a mod order)
+ *
+ * r   Inverse result.
+ * a   Number to invert.
+ * td  Temporary data.
+ */
+static void sp_384_mont_inv_order_avx2_6(sp_digit* r, const sp_digit* a,
+        sp_digit* td)
+{
+#ifdef WOLFSSL_SP_SMALL
+    sp_digit* t = td;
+    int i;
+
+    XMEMCPY(t, a, sizeof(sp_digit) * 6);
+    for (i=382; i>=0; i--) {
+        sp_384_mont_sqr_order_avx2_6(t, t);
+        if ((p384_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_avx2_6(t, t, a);
+        }
+    }
+    XMEMCPY(r, t, sizeof(sp_digit) * 6U);
+#else
+    sp_digit* t = td;
+    sp_digit* t2 = td + 2 * 6;
+    sp_digit* t3 = td + 4 * 6;
+    int i;
+
+    /* t = a^2 */
+    sp_384_mont_sqr_order_avx2_6(t, a);
+    /* t = a^3 = t * a */
+    sp_384_mont_mul_order_avx2_6(t, t, a);
+    /* t2= a^c = t ^ 2 ^ 2 */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 2);
+    /* t = a^f = t2 * t */
+    sp_384_mont_mul_order_avx2_6(t, t2, t);
+    /* t2= a^f0 = t ^ 2 ^ 4 */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 4);
+    /* t = a^ff = t2 * t */
+    sp_384_mont_mul_order_avx2_6(t, t2, t);
+    /* t2= a^ff00 = t ^ 2 ^ 8 */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 8);
+    /* t3= a^ffff = t2 * t */
+    sp_384_mont_mul_order_avx2_6(t3, t2, t);
+    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t3, 16);
+    /* t = a^ffffffff = t2 * t3 */
+    sp_384_mont_mul_order_avx2_6(t, t2, t3);
+    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 16);
+    /* t = a^ffffffffffff = t2 * t3 */
+    sp_384_mont_mul_order_avx2_6(t, t2, t3);
+    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 48);
+    /* t= a^fffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_avx2_6(t, t2, t);
+    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
+    sp_384_mont_sqr_n_order_avx2_6(t2, t, 96);
+    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
+    sp_384_mont_mul_order_avx2_6(t2, t2, t);
+    for (i=191; i>=1; i--) {
+        sp_384_mont_sqr_order_avx2_6(t2, t2);
+        if (((sp_digit)p384_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
+            sp_384_mont_mul_order_avx2_6(t2, t2, a);
+        }
+    }
+    sp_384_mont_sqr_order_avx2_6(t2, t2);
+    sp_384_mont_mul_order_avx2_6(r, t2, a);
+#endif /* WOLFSSL_SP_SMALL */
+}
+
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* HAVE_ECC_SIGN || HAVE_ECC_VERIFY */
+#ifdef HAVE_ECC_SIGN
+#ifndef SP_ECC_MAX_SIG_GEN
+#define SP_ECC_MAX_SIG_GEN  64
+#endif
+
+/* Sign the hash using the private key.
+ *   e = [hash, 384 bits] from binary
+ *   r = (k.G)->x mod order
+ *   s = (r * x + e) / k mod order
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
+                    mp_int* rm, mp_int* sm, mp_int* km, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit ed[2*6];
+    sp_digit xd[2*6];
+    sp_digit kd[2*6];
+    sp_digit rd[2*6];
+    sp_digit td[3 * 2*6];
+    sp_point_384 p;
+#endif
+    sp_digit* e = NULL;
+    sp_digit* x = NULL;
+    sp_digit* k = NULL;
+    sp_digit* r = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* point = NULL;
+    sp_digit carry;
+    sp_digit* s = NULL;
+    sp_digit* kInv = NULL;
+    int err = MP_OKAY;
+    int64_t c;
+    int i;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    (void)heap;
+
+    err = sp_384_point_new_6(heap, p, point);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        e = d + 0 * 6;
+        x = d + 2 * 6;
+        k = d + 4 * 6;
+        r = d + 6 * 6;
+        tmp = d + 8 * 6;
+#else
+        e = ed;
+        x = xd;
+        k = kd;
+        r = rd;
+        tmp = td;
+#endif
+        s = e;
+        kInv = k;
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(e, 6, hash, (int)hashLen);
+    }
+
+    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
+        sp_384_from_mp(x, 6, priv);
+
+        /* New random point. */
+        if (km == NULL || mp_iszero(km)) {
+            err = sp_384_ecc_gen_k_6(rng, k);
+        }
+        else {
+            sp_384_from_mp(k, 6, km);
+            mp_zero(km);
+        }
+        if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                err = sp_384_ecc_mulmod_base_avx2_6(point, k, 1, heap);
+            else
+#endif
+                err = sp_384_ecc_mulmod_base_6(point, k, 1, NULL);
+        }
+
+        if (err == MP_OKAY) {
+            /* r = point->x mod order */
+            XMEMCPY(r, point->x, sizeof(sp_digit) * 6U);
+            sp_384_norm_6(r);
+            c = sp_384_cmp_6(r, p384_order);
+            sp_384_cond_sub_6(r, r, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_6(r);
+
+            /* Conv k to Montgomery form (mod order) */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_384_mul_avx2_6(k, k, p384_norm_order);
+            else
+#endif
+                sp_384_mul_6(k, k, p384_norm_order);
+            err = sp_384_mod_6(k, k, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_6(k);
+            /* kInv = 1/k mod order */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_384_mont_inv_order_avx2_6(kInv, k, tmp);
+            else
+#endif
+                sp_384_mont_inv_order_6(kInv, k, tmp);
+            sp_384_norm_6(kInv);
+
+            /* s = r * x + e */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_384_mul_avx2_6(x, x, r);
+            else
+#endif
+                sp_384_mul_6(x, x, r);
+            err = sp_384_mod_6(x, x, p384_order);
+        }
+        if (err == MP_OKAY) {
+            sp_384_norm_6(x);
+            carry = sp_384_add_6(s, e, x);
+            sp_384_cond_sub_6(s, s, p384_order, 0 - carry);
+            sp_384_norm_6(s);
+            c = sp_384_cmp_6(s, p384_order);
+            sp_384_cond_sub_6(s, s, p384_order, 0L - (sp_digit)(c >= 0));
+            sp_384_norm_6(s);
+
+            /* s = s * k^-1 mod order */
+#ifdef HAVE_INTEL_AVX2
+            if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+                sp_384_mont_mul_order_avx2_6(s, s, kInv);
+            else
+#endif
+                sp_384_mont_mul_order_6(s, s, kInv);
+            sp_384_norm_6(s);
+
+            /* Check that signature is usable. */
+            if (sp_384_iszero_6(s) == 0) {
+                break;
+            }
+        }
+    }
+
+    if (i == 0) {
+        err = RNG_FAILURE_E;
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(r, rm);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(s, sm);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XMEMSET(d, 0, sizeof(sp_digit) * 8 * 6);
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#else
+    XMEMSET(e, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(x, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(k, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(r, 0, sizeof(sp_digit) * 2U * 6U);
+    XMEMSET(tmp, 0, sizeof(sp_digit) * 3U * 2U * 6U);
+#endif
+    sp_384_point_free_6(point, 1, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_SIGN */
+
+#ifdef HAVE_ECC_VERIFY
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 384)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 384 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_ecc_verify_384(const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit u1d[2*6];
+    sp_digit u2d[2*6];
+    sp_digit sd[2*6];
+    sp_digit tmpd[2*6 * 5];
+    sp_point_384 p1d;
+    sp_point_384 p2d;
+#endif
+    sp_digit* u1 = NULL;
+    sp_digit* u2 = NULL;
+    sp_digit* s = NULL;
+    sp_digit* tmp = NULL;
+    sp_point_384* p1;
+    sp_point_384* p2 = NULL;
+    sp_digit carry;
+    int64_t c;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(heap, p1d, p1);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, p2d, p2);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 16 * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (d == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        u1  = d + 0 * 6;
+        u2  = d + 2 * 6;
+        s   = d + 4 * 6;
+        tmp = d + 6 * 6;
+#else
+        u1 = u1d;
+        u2 = u2d;
+        s  = sd;
+        tmp = tmpd;
+#endif
+
+        if (hashLen > 48U) {
+            hashLen = 48U;
+        }
+
+        sp_384_from_bin(u1, 6, hash, (int)hashLen);
+        sp_384_from_mp(u2, 6, r);
+        sp_384_from_mp(s, 6, sm);
+        sp_384_from_mp(p2->x, 6, pX);
+        sp_384_from_mp(p2->y, 6, pY);
+        sp_384_from_mp(p2->z, 6, pZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_384_mul_avx2_6(s, s, p384_norm_order);
+        }
+        else
+#endif
+        {
+            sp_384_mul_6(s, s, p384_norm_order);
+        }
+        err = sp_384_mod_6(s, s, p384_order);
+    }
+    if (err == MP_OKAY) {
+        sp_384_norm_6(s);
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_384_mont_inv_order_avx2_6(s, s, tmp);
+            sp_384_mont_mul_order_avx2_6(u1, u1, s);
+            sp_384_mont_mul_order_avx2_6(u2, u2, s);
+        }
+        else
+#endif
+        {
+            sp_384_mont_inv_order_6(s, s, tmp);
+            sp_384_mont_mul_order_6(u1, u1, s);
+            sp_384_mont_mul_order_6(u2, u2, s);
+        }
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_base_avx2_6(p1, u1, 0, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_base_6(p1, u1, 0, heap);
+    }
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_avx2_6(p2, p2, u2, 0, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_6(p2, p2, u2, 0, heap);
+    }
+
+    if (err == MP_OKAY) {
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_384_proj_point_add_avx2_6(p1, p1, p2, tmp);
+            if (sp_384_iszero_6(p1->z)) {
+                if (sp_384_iszero_6(p1->x) && sp_384_iszero_6(p1->y)) {
+                    sp_384_proj_point_dbl_avx2_6(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+        else
+#endif
+        {
+            sp_384_proj_point_add_6(p1, p1, p2, tmp);
+            if (sp_384_iszero_6(p1->z)) {
+                if (sp_384_iszero_6(p1->x) && sp_384_iszero_6(p1->y)) {
+                    sp_384_proj_point_dbl_6(p1, p2, tmp);
+                }
+                else {
+                    /* Y ordinate is not used from here - don't set. */
+                    p1->x[0] = 0;
+                    p1->x[1] = 0;
+                    p1->x[2] = 0;
+                    p1->x[3] = 0;
+                    p1->x[4] = 0;
+                    p1->x[5] = 0;
+                    XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
+                }
+            }
+        }
+
+        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
+        /* Reload r and convert to Montgomery form. */
+        sp_384_from_mp(u2, 6, r);
+        err = sp_384_mod_mul_norm_6(u2, u2, p384_mod);
+    }
+
+    if (err == MP_OKAY) {
+        /* u1 = r.z'.z' mod prime */
+        sp_384_mont_sqr_6(p1->z, p1->z, p384_mod, p384_mp_mod);
+        sp_384_mont_mul_6(u1, u2, p1->z, p384_mod, p384_mp_mod);
+        *res = (int)(sp_384_cmp_6(p1->x, u1) == 0);
+        if (*res == 0) {
+            /* Reload r and add order. */
+            sp_384_from_mp(u2, 6, r);
+            carry = sp_384_add_6(u2, u2, p384_order);
+            /* Carry means result is greater than mod and is not valid. */
+            if (carry == 0) {
+                sp_384_norm_6(u2);
+
+                /* Compare with mod and if greater or equal then not valid. */
+                c = sp_384_cmp_6(u2, p384_mod);
+                if (c < 0) {
+                    /* Convert to Montogomery form */
+                    err = sp_384_mod_mul_norm_6(u2, u2, p384_mod);
+                    if (err == MP_OKAY) {
+                        /* u1 = (r + 1*order).z'.z' mod prime */
+                        sp_384_mont_mul_6(u1, u2, p1->z, p384_mod,
+                                                                  p384_mp_mod);
+                        *res = (int)(sp_384_cmp_6(p1->x, u1) == 0);
+                    }
+                }
+            }
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL)
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+#endif
+    sp_384_point_free_6(p1, 0, heap);
+    sp_384_point_free_6(p2, 0, heap);
+
+    return err;
+}
+#endif /* HAVE_ECC_VERIFY */
+
+#ifdef HAVE_ECC_CHECK_KEY
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * point  EC point.
+ * heap   Heap to use if dynamically allocating.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+static int sp_384_ecc_is_point_6(sp_point_384* point, void* heap)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d = NULL;
+#else
+    sp_digit t1d[2*6];
+    sp_digit t2d[2*6];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    int err = MP_OKAY;
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6 * 4, heap, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 6;
+        t2 = d + 2 * 6;
+#else
+        (void)heap;
+
+        t1 = t1d;
+        t2 = t2d;
+#endif
+
+        sp_384_sqr_6(t1, point->y);
+        (void)sp_384_mod_6(t1, t1, p384_mod);
+        sp_384_sqr_6(t2, point->x);
+        (void)sp_384_mod_6(t2, t2, p384_mod);
+        sp_384_mul_6(t2, t2, point->x);
+        (void)sp_384_mod_6(t2, t2, p384_mod);
+        (void)sp_384_sub_6(t2, p384_mod, t2);
+        sp_384_mont_add_6(t1, t1, t2, p384_mod);
+
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+        sp_384_mont_add_6(t1, t1, point->x, p384_mod);
+
+        if (sp_384_cmp_6(t1, p384_b) != 0) {
+            err = MP_VAL;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+/* Check that the x and y oridinates are a valid point on the curve.
+ *
+ * pX  X ordinate of EC point.
+ * pY  Y ordinate of EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve and MP_OKAY otherwise.
+ */
+int sp_ecc_is_point_384(mp_int* pX, mp_int* pY)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_point_384 pubd;
+#endif
+    sp_point_384* pub;
+    byte one[1] = { 1 };
+    int err;
+
+    err = sp_384_point_new_6(NULL, pubd, pub);
+    if (err == MP_OKAY) {
+        sp_384_from_mp(pub->x, 6, pX);
+        sp_384_from_mp(pub->y, 6, pY);
+        sp_384_from_bin(pub->z, 6, one, (int)sizeof(one));
+
+        err = sp_384_ecc_is_point_6(pub, NULL);
+    }
+
+    sp_384_point_free_6(pub, 0, NULL);
+
+    return err;
+}
+
+/* Check that the private scalar generates the EC point (px, py), the point is
+ * on the curve and the point has the correct order.
+ *
+ * pX     X ordinate of EC point.
+ * pY     Y ordinate of EC point.
+ * privm  Private scalar that generates EC point.
+ * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
+ * not on the curve, ECC_INF_E if the point does not have the correct order,
+ * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
+ * MP_OKAY otherwise.
+ */
+int sp_ecc_check_key_384(mp_int* pX, mp_int* pY, mp_int* privm, void* heap)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit privd[6];
+    sp_point_384 pubd;
+    sp_point_384 pd;
+#endif
+    sp_digit* priv = NULL;
+    sp_point_384* pub;
+    sp_point_384* p = NULL;
+    byte one[1] = { 1 };
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(heap, pubd, pub);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(heap, pd, p);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 6, heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (priv == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+        priv = privd;
+#endif
+
+        sp_384_from_mp(pub->x, 6, pX);
+        sp_384_from_mp(pub->y, 6, pY);
+        sp_384_from_bin(pub->z, 6, one, (int)sizeof(one));
+        sp_384_from_mp(priv, 6, privm);
+
+        /* Check point at infinitiy. */
+        if ((sp_384_iszero_6(pub->x) != 0) &&
+            (sp_384_iszero_6(pub->y) != 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check range of X and Y */
+        if (sp_384_cmp_6(pub->x, p384_mod) >= 0 ||
+            sp_384_cmp_6(pub->y, p384_mod) >= 0) {
+            err = ECC_OUT_OF_RANGE_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Check point is on curve */
+        err = sp_384_ecc_is_point_6(pub, heap);
+    }
+
+    if (err == MP_OKAY) {
+        /* Point * order = infinity */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_avx2_6(p, pub, p384_order, 1, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_6(p, pub, p384_order, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is infinity */
+        if ((sp_384_iszero_6(p->x) == 0) ||
+            (sp_384_iszero_6(p->y) == 0)) {
+            err = ECC_INF_E;
+        }
+    }
+
+    if (err == MP_OKAY) {
+        /* Base * private = point */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            err = sp_384_ecc_mulmod_base_avx2_6(p, priv, 1, heap);
+        else
+#endif
+            err = sp_384_ecc_mulmod_base_6(p, priv, 1, heap);
+    }
+    if (err == MP_OKAY) {
+        /* Check result is public key */
+        if (sp_384_cmp_6(p->x, pub->x) != 0 ||
+            sp_384_cmp_6(p->y, pub->y) != 0) {
+            err = ECC_PRIV_KEY_E;
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (priv != NULL) {
+        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, heap);
+    sp_384_point_free_6(pub, 0, heap);
+
+    return err;
+}
+#endif
+#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
+/* Add two projective EC points together.
+ * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
+ *
+ * pX   First EC point's X ordinate.
+ * pY   First EC point's Y ordinate.
+ * pZ   First EC point's Z ordinate.
+ * qX   Second EC point's X ordinate.
+ * qY   Second EC point's Y ordinate.
+ * qZ   Second EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* qX, mp_int* qY, mp_int* qZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 5];
+    sp_point_384 pd;
+    sp_point_384 qd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    sp_point_384* q = NULL;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(NULL, pd, p);
+    if (err == MP_OKAY) {
+        err = sp_384_point_new_6(NULL, qd, q);
+    }
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 5, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+        sp_384_from_mp(q->x, 6, qX);
+        sp_384_from_mp(q->y, 6, qY);
+        sp_384_from_mp(q->z, 6, qZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_384_proj_point_add_avx2_6(p, p, q, tmp);
+        else
+#endif
+            sp_384_proj_point_add_6(p, p, q, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(q, 0, NULL);
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+
+/* Double a projective EC point.
+ * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * rX   Resultant EC point's X ordinate.
+ * rY   Resultant EC point's Y ordinate.
+ * rZ   Resultant EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
+                              mp_int* rX, mp_int* rY, mp_int* rZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 2];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+    err = sp_384_point_new_6(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 2, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags))
+            sp_384_proj_point_dbl_avx2_6(p, p, tmp);
+        else
+#endif
+            sp_384_proj_point_dbl_6(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, rX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, rY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, rZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+
+/* Map a projective EC point to affine in place.
+ * pZ will be one.
+ *
+ * pX   EC point's X ordinate.
+ * pY   EC point's Y ordinate.
+ * pZ   EC point's Z ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
+{
+#if (!defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SMALL_STACK)) || defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit tmpd[2 * 6 * 6];
+    sp_point_384 pd;
+#endif
+    sp_digit* tmp;
+    sp_point_384* p;
+    int err;
+
+    err = sp_384_point_new_6(NULL, pd, p);
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (err == MP_OKAY) {
+        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 6 * 6, NULL,
+                                                              DYNAMIC_TYPE_ECC);
+        if (tmp == NULL) {
+            err = MEMORY_E;
+        }
+    }
+#else
+    tmp = tmpd;
+#endif
+    if (err == MP_OKAY) {
+        sp_384_from_mp(p->x, 6, pX);
+        sp_384_from_mp(p->y, 6, pY);
+        sp_384_from_mp(p->z, 6, pZ);
+
+        sp_384_map_6(p, p, tmp);
+    }
+
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->x, pX);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->y, pY);
+    }
+    if (err == MP_OKAY) {
+        err = sp_384_to_mp(p->z, pZ);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (tmp != NULL) {
+        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+    sp_384_point_free_6(p, 0, NULL);
+
+    return err;
+}
+#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
+#ifdef HAVE_COMP_KEY
+/* Find the square root of a number mod the prime of the curve.
+ *
+ * y  The number to operate on and the result.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+static int sp_384_mont_sqrt_6(sp_digit* y)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit t1d[2 * 6];
+    sp_digit t2d[2 * 6];
+    sp_digit t3d[2 * 6];
+    sp_digit t4d[2 * 6];
+    sp_digit t5d[2 * 6];
+#endif
+    sp_digit* t1;
+    sp_digit* t2;
+    sp_digit* t3;
+    sp_digit* t4;
+    sp_digit* t5;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 6, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        t1 = d + 0 * 6;
+        t2 = d + 2 * 6;
+        t3 = d + 4 * 6;
+        t4 = d + 6 * 6;
+        t5 = d + 8 * 6;
+#else
+        t1 = t1d;
+        t2 = t2d;
+        t3 = t3d;
+        t4 = t4d;
+        t5 = t5d;
+#endif
+
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_avx2_6(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_avx2_6(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_avx2_6(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_avx2_6(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_avx2_6(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_avx2_6(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_avx2_6(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_avx2_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_avx2_6(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_avx2_6(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_avx2_6(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_avx2_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_avx2_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_avx2_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_avx2_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_avx2_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_avx2_6(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_avx2_6(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_avx2_6(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_avx2_6(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+        else
+#endif
+        {
+            /* t2 = y ^ 0x2 */
+            sp_384_mont_sqr_6(t2, y, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3 */
+            sp_384_mont_mul_6(t1, t2, y, p384_mod, p384_mp_mod);
+            /* t5 = y ^ 0xc */
+            sp_384_mont_sqr_n_6(t5, t1, 2, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xf */
+            sp_384_mont_mul_6(t1, t1, t5, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x1e */
+            sp_384_mont_sqr_6(t2, t1, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x1f */
+            sp_384_mont_mul_6(t3, t2, y, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3e0 */
+            sp_384_mont_sqr_n_6(t2, t3, 5, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3ff */
+            sp_384_mont_mul_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fe0 */
+            sp_384_mont_sqr_n_6(t2, t1, 5, p384_mod, p384_mp_mod);
+            /* t3 = y ^ 0x7fff */
+            sp_384_mont_mul_6(t3, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fff800 */
+            sp_384_mont_sqr_n_6(t2, t3, 15, p384_mod, p384_mp_mod);
+            /* t4 = y ^ 0x3ffffff */
+            sp_384_mont_mul_6(t4, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffc000000 */
+            sp_384_mont_sqr_n_6(t2, t4, 30, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffff */
+            sp_384_mont_mul_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 60, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 120, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t1, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
+            sp_384_mont_sqr_n_6(t2, t1, 15, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
+            sp_384_mont_mul_6(t1, t3, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 31, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
+            sp_384_mont_mul_6(t1, t4, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
+            sp_384_mont_sqr_n_6(t2, t1, 4, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
+            sp_384_mont_mul_6(t1, t5, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
+            sp_384_mont_sqr_n_6(t2, t1, 62, p384_mod, p384_mp_mod);
+            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
+            sp_384_mont_mul_6(t1, y, t2, p384_mod, p384_mp_mod);
+            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
+            sp_384_mont_sqr_n_6(y, t1, 30, p384_mod, p384_mp_mod);
+        }
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+
+
+/* Uncompress the point given the X ordinate.
+ *
+ * xm    X ordinate.
+ * odd   Whether the Y ordinate is odd.
+ * ym    Calculated Y ordinate.
+ * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
+ */
+int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
+{
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    sp_digit* d;
+#else
+    sp_digit xd[2 * 6];
+    sp_digit yd[2 * 6];
+#endif
+    sp_digit* x = NULL;
+    sp_digit* y = NULL;
+    int err = MP_OKAY;
+#ifdef HAVE_INTEL_AVX2
+    word32 cpuid_flags = cpuid_get_flags();
+#endif
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 6, NULL, DYNAMIC_TYPE_ECC);
+    if (d == NULL) {
+        err = MEMORY_E;
+    }
+#endif
+
+    if (err == MP_OKAY) {
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+        x = d + 0 * 6;
+        y = d + 2 * 6;
+#else
+        x = xd;
+        y = yd;
+#endif
+
+        sp_384_from_mp(x, 6, xm);
+        err = sp_384_mod_mul_norm_6(x, x, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        /* y = x^3 */
+#ifdef HAVE_INTEL_AVX2
+        if (IS_INTEL_BMI2(cpuid_flags) && IS_INTEL_ADX(cpuid_flags)) {
+            sp_384_mont_sqr_avx2_6(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_avx2_6(y, y, x, p384_mod, p384_mp_mod);
+        }
+        else
+#endif
+        {
+            sp_384_mont_sqr_6(y, x, p384_mod, p384_mp_mod);
+            sp_384_mont_mul_6(y, y, x, p384_mod, p384_mp_mod);
+        }
+        /* y = x^3 - 3x */
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        sp_384_mont_sub_6(y, y, x, p384_mod);
+        /* y = x^3 - 3x + b */
+        err = sp_384_mod_mul_norm_6(x, p384_b, p384_mod);
+    }
+    if (err == MP_OKAY) {
+        sp_384_mont_add_6(y, y, x, p384_mod);
+        /* y = sqrt(x^3 - 3x + b) */
+        err = sp_384_mont_sqrt_6(y);
+    }
+    if (err == MP_OKAY) {
+        XMEMSET(y + 6, 0, 6U * sizeof(sp_digit));
+        sp_384_mont_reduce_6(y, p384_mod, p384_mp_mod);
+        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
+            sp_384_mont_sub_6(y, p384_mod, y, p384_mod);
+        }
+
+        err = sp_384_to_mp(y, ym);
+    }
+
+#if (defined(WOLFSSL_SP_SMALL) || defined(WOLFSSL_SMALL_STACK)) && !defined(WOLFSSL_SP_NO_MALLOC)
+    if (d != NULL) {
+        XFREE(d, NULL, DYNAMIC_TYPE_ECC);
+    }
+#endif
+
+    return err;
+}
+#endif
+#endif /* WOLFSSL_SP_384 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_SP_X86_64_ASM */
+#endif /* WOLFSSL_HAVE_SP_RSA || WOLFSSL_HAVE_SP_DH || WOLFSSL_HAVE_SP_ECC */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64_asm.S b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64_asm.S
new file mode 100644
index 000000000..c6941f1f0
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/sp_x86_64_asm.S
@@ -0,0 +1,41830 @@
+/* sp_x86_64_asm
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#define HAVE_INTEL_AVX2
+#ifndef WOLFSSL_SP_NO_2048
+#ifndef WOLFSSL_SP_NO_2048
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_from_bin
+.type	sp_2048_from_bin,@function
+.align	16
+sp_2048_from_bin:
+#else
+.globl	_sp_2048_from_bin
+.p2align	4
+_sp_2048_from_bin:
+#endif /* __APPLE__ */
+        movq	%rdx, %r9
+        movq	%rdi, %r10
+        addq	%rcx, %r9
+        addq	$256, %r10
+        xorq	%r11, %r11
+        jmp	L_2048_from_bin_64_end
+L_2048_from_bin_64_start:
+        subq	$64, %r9
+        movbeq	56(%r9), %rax
+        movbeq	48(%r9), %r8
+        movq	%rax, (%rdi)
+        movq	%r8, 8(%rdi)
+        movbeq	40(%r9), %rax
+        movbeq	32(%r9), %r8
+        movq	%rax, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        movbeq	24(%r9), %rax
+        movbeq	16(%r9), %r8
+        movq	%rax, 32(%rdi)
+        movq	%r8, 40(%rdi)
+        movbeq	8(%r9), %rax
+        movbeq	(%r9), %r8
+        movq	%rax, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        addq	$64, %rdi
+        subq	$64, %rcx
+L_2048_from_bin_64_end:
+        cmpq	$63, %rcx
+        jg	L_2048_from_bin_64_start
+        jmp	L_2048_from_bin_8_end
+L_2048_from_bin_8_start:
+        subq	$8, %r9
+        movbeq	(%r9), %rax
+        movq	%rax, (%rdi)
+        addq	$8, %rdi
+        subq	$8, %rcx
+L_2048_from_bin_8_end:
+        cmpq	$7, %rcx
+        jg	L_2048_from_bin_8_start
+        cmpq	%r11, %rcx
+        je	L_2048_from_bin_hi_end
+        movq	%r11, %r8
+        movq	%r11, %rax
+L_2048_from_bin_hi_start:
+        movb	(%rdx), %al
+        shlq	$8, %r8
+        incq	%rdx
+        addq	%rax, %r8
+        decq	%rcx
+        jg	L_2048_from_bin_hi_start
+        movq	%r8, (%rdi)
+        addq	$8, %rdi
+L_2048_from_bin_hi_end:
+        cmpq	%r10, %rdi
+        je	L_2048_from_bin_zero_end
+L_2048_from_bin_zero_start:
+        movq	%r11, (%rdi)
+        addq	$8, %rdi
+        cmpq	%r10, %rdi
+        jl	L_2048_from_bin_zero_start
+L_2048_from_bin_zero_end:
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_from_bin,.-sp_2048_from_bin
+#endif /* __APPLE__ */
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 256
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_to_bin
+.type	sp_2048_to_bin,@function
+.align	16
+sp_2048_to_bin:
+#else
+.globl	_sp_2048_to_bin
+.p2align	4
+_sp_2048_to_bin:
+#endif /* __APPLE__ */
+        movbeq	248(%rdi), %rdx
+        movbeq	240(%rdi), %rax
+        movq	%rdx, (%rsi)
+        movq	%rax, 8(%rsi)
+        movbeq	232(%rdi), %rdx
+        movbeq	224(%rdi), %rax
+        movq	%rdx, 16(%rsi)
+        movq	%rax, 24(%rsi)
+        movbeq	216(%rdi), %rdx
+        movbeq	208(%rdi), %rax
+        movq	%rdx, 32(%rsi)
+        movq	%rax, 40(%rsi)
+        movbeq	200(%rdi), %rdx
+        movbeq	192(%rdi), %rax
+        movq	%rdx, 48(%rsi)
+        movq	%rax, 56(%rsi)
+        movbeq	184(%rdi), %rdx
+        movbeq	176(%rdi), %rax
+        movq	%rdx, 64(%rsi)
+        movq	%rax, 72(%rsi)
+        movbeq	168(%rdi), %rdx
+        movbeq	160(%rdi), %rax
+        movq	%rdx, 80(%rsi)
+        movq	%rax, 88(%rsi)
+        movbeq	152(%rdi), %rdx
+        movbeq	144(%rdi), %rax
+        movq	%rdx, 96(%rsi)
+        movq	%rax, 104(%rsi)
+        movbeq	136(%rdi), %rdx
+        movbeq	128(%rdi), %rax
+        movq	%rdx, 112(%rsi)
+        movq	%rax, 120(%rsi)
+        movbeq	120(%rdi), %rdx
+        movbeq	112(%rdi), %rax
+        movq	%rdx, 128(%rsi)
+        movq	%rax, 136(%rsi)
+        movbeq	104(%rdi), %rdx
+        movbeq	96(%rdi), %rax
+        movq	%rdx, 144(%rsi)
+        movq	%rax, 152(%rsi)
+        movbeq	88(%rdi), %rdx
+        movbeq	80(%rdi), %rax
+        movq	%rdx, 160(%rsi)
+        movq	%rax, 168(%rsi)
+        movbeq	72(%rdi), %rdx
+        movbeq	64(%rdi), %rax
+        movq	%rdx, 176(%rsi)
+        movq	%rax, 184(%rsi)
+        movbeq	56(%rdi), %rdx
+        movbeq	48(%rdi), %rax
+        movq	%rdx, 192(%rsi)
+        movq	%rax, 200(%rsi)
+        movbeq	40(%rdi), %rdx
+        movbeq	32(%rdi), %rax
+        movq	%rdx, 208(%rsi)
+        movq	%rax, 216(%rsi)
+        movbeq	24(%rdi), %rdx
+        movbeq	16(%rdi), %rax
+        movq	%rdx, 224(%rsi)
+        movq	%rax, 232(%rsi)
+        movbeq	8(%rdi), %rdx
+        movbeq	(%rdi), %rax
+        movq	%rdx, 240(%rsi)
+        movq	%rax, 248(%rsi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_to_bin,.-sp_2048_to_bin
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_16
+.type	sp_2048_mul_16,@function
+.align	16
+sp_2048_mul_16:
+#else
+.globl	_sp_2048_mul_16
+.p2align	4
+_sp_2048_mul_16:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        subq	$128, %rsp
+        # A[0] * B[0]
+        movq	(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        movq	%rax, (%rsp)
+        movq	%rdx, %r9
+        # A[0] * B[1]
+        movq	8(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[0]
+        movq	(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 8(%rsp)
+        # A[0] * B[2]
+        movq	16(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[1]
+        movq	8(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[0]
+        movq	(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 16(%rsp)
+        # A[0] * B[3]
+        movq	24(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[2]
+        movq	16(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[1]
+        movq	8(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[0]
+        movq	(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 24(%rsp)
+        # A[0] * B[4]
+        movq	32(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[3]
+        movq	24(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[2]
+        movq	16(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[1]
+        movq	8(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[0]
+        movq	(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 32(%rsp)
+        # A[0] * B[5]
+        movq	40(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[4]
+        movq	32(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[3]
+        movq	24(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[2]
+        movq	16(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[1]
+        movq	8(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[0]
+        movq	(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 40(%rsp)
+        # A[0] * B[6]
+        movq	48(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[5]
+        movq	40(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[4]
+        movq	32(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[3]
+        movq	24(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[2]
+        movq	16(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[1]
+        movq	8(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[0]
+        movq	(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 48(%rsp)
+        # A[0] * B[7]
+        movq	56(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[6]
+        movq	48(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[5]
+        movq	40(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[4]
+        movq	32(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[3]
+        movq	24(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[2]
+        movq	16(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[1]
+        movq	8(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[0]
+        movq	(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 56(%rsp)
+        # A[0] * B[8]
+        movq	64(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[7]
+        movq	56(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[6]
+        movq	48(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[5]
+        movq	40(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[4]
+        movq	32(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[3]
+        movq	24(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[2]
+        movq	16(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[1]
+        movq	8(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[0]
+        movq	(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 64(%rsp)
+        # A[0] * B[9]
+        movq	72(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[8]
+        movq	64(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[7]
+        movq	56(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[6]
+        movq	48(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[5]
+        movq	40(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[4]
+        movq	32(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[3]
+        movq	24(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[2]
+        movq	16(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[1]
+        movq	8(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[0]
+        movq	(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 72(%rsp)
+        # A[0] * B[10]
+        movq	80(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[9]
+        movq	72(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[8]
+        movq	64(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[7]
+        movq	56(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[6]
+        movq	48(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[5]
+        movq	40(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[4]
+        movq	32(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[3]
+        movq	24(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[2]
+        movq	16(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[1]
+        movq	8(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[0]
+        movq	(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 80(%rsp)
+        # A[0] * B[11]
+        movq	88(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[10]
+        movq	80(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[9]
+        movq	72(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[8]
+        movq	64(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[7]
+        movq	56(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[6]
+        movq	48(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[5]
+        movq	40(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[4]
+        movq	32(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[3]
+        movq	24(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[2]
+        movq	16(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[1]
+        movq	8(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[0]
+        movq	(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 88(%rsp)
+        # A[0] * B[12]
+        movq	96(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[11]
+        movq	88(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[10]
+        movq	80(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[9]
+        movq	72(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[8]
+        movq	64(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[7]
+        movq	56(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[6]
+        movq	48(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[5]
+        movq	40(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[4]
+        movq	32(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[3]
+        movq	24(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[2]
+        movq	16(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[1]
+        movq	8(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[12] * B[0]
+        movq	(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 96(%rsp)
+        # A[0] * B[13]
+        movq	104(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[12]
+        movq	96(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[11]
+        movq	88(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[10]
+        movq	80(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[9]
+        movq	72(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[8]
+        movq	64(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[7]
+        movq	56(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[6]
+        movq	48(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[5]
+        movq	40(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[4]
+        movq	32(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[3]
+        movq	24(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[2]
+        movq	16(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[12] * B[1]
+        movq	8(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[13] * B[0]
+        movq	(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 104(%rsp)
+        # A[0] * B[14]
+        movq	112(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[13]
+        movq	104(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[12]
+        movq	96(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[11]
+        movq	88(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[10]
+        movq	80(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[9]
+        movq	72(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[8]
+        movq	64(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[7]
+        movq	56(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[6]
+        movq	48(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[5]
+        movq	40(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[4]
+        movq	32(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[3]
+        movq	24(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B[2]
+        movq	16(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * B[1]
+        movq	8(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[14] * B[0]
+        movq	(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 112(%rsp)
+        # A[0] * B[15]
+        movq	120(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[14]
+        movq	112(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[13]
+        movq	104(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[12]
+        movq	96(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[11]
+        movq	88(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[10]
+        movq	80(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[9]
+        movq	72(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[8]
+        movq	64(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[7]
+        movq	56(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[6]
+        movq	48(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[5]
+        movq	40(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[4]
+        movq	32(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[12] * B[3]
+        movq	24(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B[2]
+        movq	16(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[14] * B[1]
+        movq	8(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[15] * B[0]
+        movq	(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 120(%rsp)
+        # A[1] * B[15]
+        movq	120(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[14]
+        movq	112(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[13]
+        movq	104(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[12]
+        movq	96(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[11]
+        movq	88(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[10]
+        movq	80(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[9]
+        movq	72(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[8]
+        movq	64(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[7]
+        movq	56(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[6]
+        movq	48(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[5]
+        movq	40(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[12] * B[4]
+        movq	32(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[13] * B[3]
+        movq	24(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B[2]
+        movq	16(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[15] * B[1]
+        movq	8(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 128(%rdi)
+        # A[2] * B[15]
+        movq	120(%rcx), %rax
+        mulq	16(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[14]
+        movq	112(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[13]
+        movq	104(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[12]
+        movq	96(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[11]
+        movq	88(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[10]
+        movq	80(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[9]
+        movq	72(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[8]
+        movq	64(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[7]
+        movq	56(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[6]
+        movq	48(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B[5]
+        movq	40(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * B[4]
+        movq	32(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[14] * B[3]
+        movq	24(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B[2]
+        movq	16(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 136(%rdi)
+        # A[3] * B[15]
+        movq	120(%rcx), %rax
+        mulq	24(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[14]
+        movq	112(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[13]
+        movq	104(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[12]
+        movq	96(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[11]
+        movq	88(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[10]
+        movq	80(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[9]
+        movq	72(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[8]
+        movq	64(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[7]
+        movq	56(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[12] * B[6]
+        movq	48(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B[5]
+        movq	40(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[14] * B[4]
+        movq	32(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[15] * B[3]
+        movq	24(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 144(%rdi)
+        # A[4] * B[15]
+        movq	120(%rcx), %rax
+        mulq	32(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[14]
+        movq	112(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[13]
+        movq	104(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[12]
+        movq	96(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[11]
+        movq	88(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[10]
+        movq	80(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[9]
+        movq	72(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[8]
+        movq	64(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[12] * B[7]
+        movq	56(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[13] * B[6]
+        movq	48(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B[5]
+        movq	40(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[15] * B[4]
+        movq	32(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 152(%rdi)
+        # A[5] * B[15]
+        movq	120(%rcx), %rax
+        mulq	40(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[14]
+        movq	112(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[13]
+        movq	104(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[12]
+        movq	96(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[11]
+        movq	88(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[10]
+        movq	80(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[9]
+        movq	72(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B[8]
+        movq	64(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * B[7]
+        movq	56(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[14] * B[6]
+        movq	48(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B[5]
+        movq	40(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 160(%rdi)
+        # A[6] * B[15]
+        movq	120(%rcx), %rax
+        mulq	48(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[14]
+        movq	112(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[13]
+        movq	104(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[12]
+        movq	96(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[11]
+        movq	88(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[10]
+        movq	80(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[12] * B[9]
+        movq	72(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B[8]
+        movq	64(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[14] * B[7]
+        movq	56(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[15] * B[6]
+        movq	48(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 168(%rdi)
+        # A[7] * B[15]
+        movq	120(%rcx), %rax
+        mulq	56(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[14]
+        movq	112(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[13]
+        movq	104(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[12]
+        movq	96(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[11]
+        movq	88(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[12] * B[10]
+        movq	80(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[13] * B[9]
+        movq	72(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B[8]
+        movq	64(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[15] * B[7]
+        movq	56(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 176(%rdi)
+        # A[8] * B[15]
+        movq	120(%rcx), %rax
+        mulq	64(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[14]
+        movq	112(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[13]
+        movq	104(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[12]
+        movq	96(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B[11]
+        movq	88(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * B[10]
+        movq	80(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[14] * B[9]
+        movq	72(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B[8]
+        movq	64(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 184(%rdi)
+        # A[9] * B[15]
+        movq	120(%rcx), %rax
+        mulq	72(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[14]
+        movq	112(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[13]
+        movq	104(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[12] * B[12]
+        movq	96(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B[11]
+        movq	88(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[14] * B[10]
+        movq	80(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[15] * B[9]
+        movq	72(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 192(%rdi)
+        # A[10] * B[15]
+        movq	120(%rcx), %rax
+        mulq	80(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[14]
+        movq	112(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[12] * B[13]
+        movq	104(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[13] * B[12]
+        movq	96(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B[11]
+        movq	88(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[15] * B[10]
+        movq	80(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 200(%rdi)
+        # A[11] * B[15]
+        movq	120(%rcx), %rax
+        mulq	88(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B[14]
+        movq	112(%rcx), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * B[13]
+        movq	104(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[14] * B[12]
+        movq	96(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B[11]
+        movq	88(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 208(%rdi)
+        # A[12] * B[15]
+        movq	120(%rcx), %rax
+        mulq	96(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B[14]
+        movq	112(%rcx), %rax
+        mulq	104(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[14] * B[13]
+        movq	104(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[15] * B[12]
+        movq	96(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 216(%rdi)
+        # A[13] * B[15]
+        movq	120(%rcx), %rax
+        mulq	104(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B[14]
+        movq	112(%rcx), %rax
+        mulq	112(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[15] * B[13]
+        movq	104(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 224(%rdi)
+        # A[14] * B[15]
+        movq	120(%rcx), %rax
+        mulq	112(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B[14]
+        movq	112(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 232(%rdi)
+        # A[15] * B[15]
+        movq	120(%rcx), %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r8
+        movq	24(%rsp), %r9
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	48(%rsp), %r8
+        movq	56(%rsp), %r9
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	64(%rsp), %rax
+        movq	72(%rsp), %rdx
+        movq	80(%rsp), %r8
+        movq	88(%rsp), %r9
+        movq	%rax, 64(%rdi)
+        movq	%rdx, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r9, 88(%rdi)
+        movq	96(%rsp), %rax
+        movq	104(%rsp), %rdx
+        movq	112(%rsp), %r8
+        movq	120(%rsp), %r9
+        movq	%rax, 96(%rdi)
+        movq	%rdx, 104(%rdi)
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        addq	$128, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_16,.-sp_2048_mul_16
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sqr_16
+.type	sp_2048_sqr_16,@function
+.align	16
+sp_2048_sqr_16:
+#else
+.globl	_sp_2048_sqr_16
+.p2align	4
+_sp_2048_sqr_16:
+#endif /* __APPLE__ */
+        push	%r12
+        subq	$128, %rsp
+        # A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        xorq	%r9, %r9
+        movq	%rax, (%rsp)
+        movq	%rdx, %r8
+        # A[0] * A[1]
+        movq	8(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 8(%rsp)
+        # A[0] * A[2]
+        movq	16(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 16(%rsp)
+        # A[0] * A[3]
+        movq	24(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * A[2]
+        movq	16(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 24(%rsp)
+        # A[0] * A[4]
+        movq	32(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[1] * A[3]
+        movq	24(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 32(%rsp)
+        # A[0] * A[5]
+        movq	40(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[4]
+        movq	32(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[3]
+        movq	24(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 40(%rsp)
+        # A[0] * A[6]
+        movq	48(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[5]
+        movq	40(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[4]
+        movq	32(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 48(%rsp)
+        # A[0] * A[7]
+        movq	56(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[6]
+        movq	48(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[5]
+        movq	40(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[4]
+        movq	32(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 56(%rsp)
+        # A[0] * A[8]
+        movq	64(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[7]
+        movq	56(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[6]
+        movq	48(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[5]
+        movq	40(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[4]
+        movq	32(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 64(%rsp)
+        # A[0] * A[9]
+        movq	72(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[8]
+        movq	64(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[7]
+        movq	56(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[6]
+        movq	48(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[5]
+        movq	40(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 72(%rsp)
+        # A[0] * A[10]
+        movq	80(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[9]
+        movq	72(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[8]
+        movq	64(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[7]
+        movq	56(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[6]
+        movq	48(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[5]
+        movq	40(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 80(%rsp)
+        # A[0] * A[11]
+        movq	88(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[10]
+        movq	80(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[9]
+        movq	72(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[8]
+        movq	64(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[7]
+        movq	56(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[6]
+        movq	48(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 88(%rsp)
+        # A[0] * A[12]
+        movq	96(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[11]
+        movq	88(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[10]
+        movq	80(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[9]
+        movq	72(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[8]
+        movq	64(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[7]
+        movq	56(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[6]
+        movq	48(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 96(%rsp)
+        # A[0] * A[13]
+        movq	104(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[12]
+        movq	96(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[11]
+        movq	88(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[10]
+        movq	80(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[9]
+        movq	72(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[8]
+        movq	64(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[7]
+        movq	56(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 104(%rsp)
+        # A[0] * A[14]
+        movq	112(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[13]
+        movq	104(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[12]
+        movq	96(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[11]
+        movq	88(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[10]
+        movq	80(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[9]
+        movq	72(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[8]
+        movq	64(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[7]
+        movq	56(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 112(%rsp)
+        # A[0] * A[15]
+        movq	120(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[14]
+        movq	112(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[13]
+        movq	104(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[12]
+        movq	96(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[11]
+        movq	88(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[10]
+        movq	80(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[9]
+        movq	72(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[8]
+        movq	64(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 120(%rsp)
+        # A[1] * A[15]
+        movq	120(%rsi), %rax
+        mulq	8(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[2] * A[14]
+        movq	112(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[13]
+        movq	104(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[12]
+        movq	96(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[11]
+        movq	88(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[10]
+        movq	80(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[9]
+        movq	72(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[8]
+        movq	64(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 128(%rdi)
+        # A[2] * A[15]
+        movq	120(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[3] * A[14]
+        movq	112(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[13]
+        movq	104(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[12]
+        movq	96(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[11]
+        movq	88(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[10]
+        movq	80(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[9]
+        movq	72(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 136(%rdi)
+        # A[3] * A[15]
+        movq	120(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[4] * A[14]
+        movq	112(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[13]
+        movq	104(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[12]
+        movq	96(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[11]
+        movq	88(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[10]
+        movq	80(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[9] * A[9]
+        movq	72(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 144(%rdi)
+        # A[4] * A[15]
+        movq	120(%rsi), %rax
+        mulq	32(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[5] * A[14]
+        movq	112(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[13]
+        movq	104(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[12]
+        movq	96(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[11]
+        movq	88(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[9] * A[10]
+        movq	80(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 152(%rdi)
+        # A[5] * A[15]
+        movq	120(%rsi), %rax
+        mulq	40(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[6] * A[14]
+        movq	112(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[13]
+        movq	104(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[12]
+        movq	96(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[9] * A[11]
+        movq	88(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[10] * A[10]
+        movq	80(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 160(%rdi)
+        # A[6] * A[15]
+        movq	120(%rsi), %rax
+        mulq	48(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[7] * A[14]
+        movq	112(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[13]
+        movq	104(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[9] * A[12]
+        movq	96(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[10] * A[11]
+        movq	88(%rsi), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 168(%rdi)
+        # A[7] * A[15]
+        movq	120(%rsi), %rax
+        mulq	56(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[8] * A[14]
+        movq	112(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[9] * A[13]
+        movq	104(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[10] * A[12]
+        movq	96(%rsi), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[11] * A[11]
+        movq	88(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 176(%rdi)
+        # A[8] * A[15]
+        movq	120(%rsi), %rax
+        mulq	64(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[9] * A[14]
+        movq	112(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[10] * A[13]
+        movq	104(%rsi), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[11] * A[12]
+        movq	96(%rsi), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 184(%rdi)
+        # A[9] * A[15]
+        movq	120(%rsi), %rax
+        mulq	72(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[10] * A[14]
+        movq	112(%rsi), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[11] * A[13]
+        movq	104(%rsi), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[12] * A[12]
+        movq	96(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 192(%rdi)
+        # A[10] * A[15]
+        movq	120(%rsi), %rax
+        mulq	80(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[11] * A[14]
+        movq	112(%rsi), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[12] * A[13]
+        movq	104(%rsi), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 200(%rdi)
+        # A[11] * A[15]
+        movq	120(%rsi), %rax
+        mulq	88(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[12] * A[14]
+        movq	112(%rsi), %rax
+        mulq	96(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[13] * A[13]
+        movq	104(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 208(%rdi)
+        # A[12] * A[15]
+        movq	120(%rsi), %rax
+        mulq	96(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[13] * A[14]
+        movq	112(%rsi), %rax
+        mulq	104(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 216(%rdi)
+        # A[13] * A[15]
+        movq	120(%rsi), %rax
+        mulq	104(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[14] * A[14]
+        movq	112(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 224(%rdi)
+        # A[14] * A[15]
+        movq	120(%rsi), %rax
+        mulq	112(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 232(%rdi)
+        # A[15] * A[15]
+        movq	120(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        movq	%rcx, 240(%rdi)
+        movq	%r8, 248(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r10
+        movq	24(%rsp), %r11
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	48(%rsp), %r10
+        movq	56(%rsp), %r11
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        movq	%r10, 48(%rdi)
+        movq	%r11, 56(%rdi)
+        movq	64(%rsp), %rax
+        movq	72(%rsp), %rdx
+        movq	80(%rsp), %r10
+        movq	88(%rsp), %r11
+        movq	%rax, 64(%rdi)
+        movq	%rdx, 72(%rdi)
+        movq	%r10, 80(%rdi)
+        movq	%r11, 88(%rdi)
+        movq	96(%rsp), %rax
+        movq	104(%rsp), %rdx
+        movq	112(%rsp), %r10
+        movq	120(%rsp), %r11
+        movq	%rax, 96(%rdi)
+        movq	%rdx, 104(%rdi)
+        movq	%r10, 112(%rdi)
+        movq	%r11, 120(%rdi)
+        addq	$128, %rsp
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sqr_16,.-sp_2048_sqr_16
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply.
+ * b   Second number to multiply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_avx2_16
+.type	sp_2048_mul_avx2_16,@function
+.align	16
+sp_2048_mul_avx2_16:
+#else
+.globl	_sp_2048_mul_avx2_16
+.p2align	4
+_sp_2048_mul_avx2_16:
+#endif /* __APPLE__ */
+        push	%rbx
+        push	%rbp
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %rbp
+        subq	$128, %rsp
+        cmpq	%rdi, %rsi
+        movq	%rsp, %rbx
+        cmovne	%rdi, %rbx
+        cmpq	%rdi, %rbp
+        cmove	%rsp, %rbx
+        xorq	%r14, %r14
+        movq	(%rsi), %rdx
+        # A[0] * B[0]
+        mulx	(%rbp), %r8, %r9
+        # A[0] * B[1]
+        mulx	8(%rbp), %rax, %r10
+        movq	%r8, (%rbx)
+        adcxq	%rax, %r9
+        # A[0] * B[2]
+        mulx	16(%rbp), %rax, %r11
+        movq	%r9, 8(%rbx)
+        adcxq	%rax, %r10
+        # A[0] * B[3]
+        mulx	24(%rbp), %rax, %r12
+        movq	%r10, 16(%rbx)
+        adcxq	%rax, %r11
+        movq	%r11, 24(%rbx)
+        # A[0] * B[4]
+        mulx	32(%rbp), %rax, %r8
+        adcxq	%rax, %r12
+        # A[0] * B[5]
+        mulx	40(%rbp), %rax, %r9
+        movq	%r12, 32(%rbx)
+        adcxq	%rax, %r8
+        # A[0] * B[6]
+        mulx	48(%rbp), %rax, %r10
+        movq	%r8, 40(%rbx)
+        adcxq	%rax, %r9
+        # A[0] * B[7]
+        mulx	56(%rbp), %rax, %r11
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        movq	%r10, 56(%rbx)
+        # A[0] * B[8]
+        mulx	64(%rbp), %rax, %r12
+        adcxq	%rax, %r11
+        # A[0] * B[9]
+        mulx	72(%rbp), %rax, %r8
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        # A[0] * B[10]
+        mulx	80(%rbp), %rax, %r9
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        # A[0] * B[11]
+        mulx	88(%rbp), %rax, %r10
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        movq	%r9, 88(%rbx)
+        # A[0] * B[12]
+        mulx	96(%rbp), %rax, %r11
+        adcxq	%rax, %r10
+        # A[0] * B[13]
+        mulx	104(%rbp), %rax, %r12
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        # A[0] * B[14]
+        mulx	112(%rbp), %rax, %r8
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        # A[0] * B[15]
+        mulx	120(%rbp), %rax, %r9
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adcxq	%r14, %r9
+        movq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r8, 120(%rbx)
+        movq	%r9, 128(%rdi)
+        movq	8(%rsi), %rdx
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %r11
+        movq	32(%rbx), %r12
+        movq	40(%rbx), %r8
+        # A[1] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[1] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 8(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[1] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r10, 16(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[1] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r11, 24(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 32(%rbx)
+        movq	48(%rbx), %r9
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        # A[1] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[1] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 40(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[1] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[1] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 64(%rbx)
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        # A[1] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[1] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[1] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[1] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rbx)
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        # A[1] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[1] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[1] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[1] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        movq	%r14, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r13, %r10
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r9, 128(%rdi)
+        movq	%r10, 136(%rdi)
+        movq	16(%rsi), %rdx
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %r11
+        movq	32(%rbx), %r12
+        movq	40(%rbx), %r8
+        movq	48(%rbx), %r9
+        # A[2] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[2] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 16(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r11, 24(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[2] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r12, 32(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 40(%rbx)
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        # A[2] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[2] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[2] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[2] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 72(%rbx)
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        # A[2] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[2] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[2] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[2] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 104(%rbx)
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[2] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[2] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[2] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[2] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        movq	%r14, %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        adcxq	%r13, %r11
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r10, 136(%rdi)
+        movq	%r11, 144(%rdi)
+        movq	24(%rsi), %rdx
+        movq	24(%rbx), %r11
+        movq	32(%rbx), %r12
+        movq	40(%rbx), %r8
+        movq	48(%rbx), %r9
+        movq	56(%rbx), %r10
+        # A[3] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[3] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r11, 24(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[3] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r12, 32(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[3] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 40(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 48(%rbx)
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        # A[3] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[3] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[3] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[3] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 80(%rbx)
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        # A[3] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[3] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[3] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[3] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 112(%rbx)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        # A[3] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[3] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[3] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[3] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        movq	%r14, %r12
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        adcxq	%r13, %r12
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r11, 144(%rdi)
+        movq	%r12, 152(%rdi)
+        movq	32(%rsi), %rdx
+        movq	32(%rbx), %r12
+        movq	40(%rbx), %r8
+        movq	48(%rbx), %r9
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        # A[4] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[4] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r12, 32(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[4] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r8, 40(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[4] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 56(%rbx)
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        # A[4] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[4] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[4] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[4] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 88(%rbx)
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        # A[4] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[4] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[4] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[4] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rbx)
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        # A[4] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[4] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[4] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[4] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        movq	%r14, %r8
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        adcxq	%r13, %r8
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r12, 152(%rdi)
+        movq	%r8, 160(%rdi)
+        movq	40(%rsi), %rdx
+        movq	40(%rbx), %r8
+        movq	48(%rbx), %r9
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        # A[5] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 40(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[5] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[5] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 64(%rbx)
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        # A[5] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[5] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[5] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rbx)
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[5] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[5] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[5] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        # A[5] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[5] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[5] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[5] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        movq	%r14, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r13, %r9
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r8, 160(%rdi)
+        movq	%r9, 168(%rdi)
+        movq	48(%rsi), %rdx
+        movq	48(%rbx), %r9
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        # A[6] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 48(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[6] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[6] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 72(%rbx)
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        # A[6] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[6] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 104(%rbx)
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        # A[6] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[6] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 136(%rdi)
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[6] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[6] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[6] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        movq	%r14, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r13, %r10
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r9, 168(%rdi)
+        movq	%r10, 176(%rdi)
+        movq	56(%rsi), %rdx
+        movq	56(%rbx), %r10
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        # A[7] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[7] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 56(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[7] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[7] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 80(%rbx)
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        # A[7] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[7] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[7] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 112(%rbx)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        # A[7] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[7] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[7] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 144(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        # A[7] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[7] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[7] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        movq	%r14, %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        adcxq	%r13, %r11
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r10, 176(%rdi)
+        movq	%r11, 184(%rdi)
+        movq	64(%rsi), %rdx
+        movq	64(%rbx), %r11
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        # A[8] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[8] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r11, 64(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[8] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[8] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 88(%rbx)
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        # A[8] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[8] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[8] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[8] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rbx)
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        # A[8] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[8] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[8] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[8] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 152(%rdi)
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        # A[8] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[8] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[8] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[8] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        movq	%r14, %r12
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        adcxq	%r13, %r12
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r11, 184(%rdi)
+        movq	%r12, 192(%rdi)
+        movq	72(%rsi), %rdx
+        movq	72(%rbx), %r12
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        # A[9] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[9] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r12, 72(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[9] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[9] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rbx)
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[9] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[9] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[9] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[9] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[9] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[9] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[9] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[9] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        movq	192(%rdi), %r12
+        # A[9] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[9] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[9] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[9] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        movq	%r14, %r8
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        adcxq	%r13, %r8
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r12, 192(%rdi)
+        movq	%r8, 200(%rdi)
+        movq	80(%rsi), %rdx
+        movq	80(%rbx), %r8
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        # A[10] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[10] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 80(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[10] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[10] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 104(%rbx)
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        # A[10] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[10] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[10] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[10] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 136(%rdi)
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        # A[10] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[10] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[10] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[10] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 168(%rdi)
+        movq	184(%rdi), %r11
+        movq	192(%rdi), %r12
+        movq	200(%rdi), %r8
+        # A[10] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[10] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[10] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[10] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r12, 192(%rdi)
+        movq	%r14, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r13, %r9
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r8, 200(%rdi)
+        movq	%r9, 208(%rdi)
+        movq	88(%rsi), %rdx
+        movq	88(%rbx), %r9
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        # A[11] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[11] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 88(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[11] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[11] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 112(%rbx)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        # A[11] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[11] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[11] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 144(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        # A[11] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[11] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[11] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 176(%rdi)
+        movq	192(%rdi), %r12
+        movq	200(%rdi), %r8
+        movq	208(%rdi), %r9
+        # A[11] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[11] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[11] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r12, 192(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r8, 200(%rdi)
+        movq	%r14, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r13, %r10
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r9, 208(%rdi)
+        movq	%r10, 216(%rdi)
+        movq	96(%rsi), %rdx
+        movq	96(%rbx), %r10
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        # A[12] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[12] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 96(%rbx)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[12] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[12] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rbx)
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        # A[12] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[12] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[12] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[12] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 152(%rdi)
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        movq	192(%rdi), %r12
+        # A[12] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[12] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[12] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[12] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 184(%rdi)
+        movq	200(%rdi), %r8
+        movq	208(%rdi), %r9
+        movq	216(%rdi), %r10
+        # A[12] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[12] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r12, 192(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[12] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r8, 200(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[12] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r9, 208(%rdi)
+        movq	%r14, %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        adcxq	%r13, %r11
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r10, 216(%rdi)
+        movq	%r11, 224(%rdi)
+        movq	104(%rsi), %rdx
+        movq	104(%rbx), %r11
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[13] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[13] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r11, 104(%rbx)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[13] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[13] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[13] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[13] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[13] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[13] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        movq	192(%rdi), %r12
+        movq	200(%rdi), %r8
+        # A[13] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[13] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[13] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[13] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        movq	%r12, 192(%rdi)
+        movq	208(%rdi), %r9
+        movq	216(%rdi), %r10
+        movq	224(%rdi), %r11
+        # A[13] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[13] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r8, 200(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[13] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r9, 208(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[13] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r10, 216(%rdi)
+        movq	%r14, %r12
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        adcxq	%r13, %r12
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r11, 224(%rdi)
+        movq	%r12, 232(%rdi)
+        movq	112(%rsi), %rdx
+        movq	112(%rbx), %r12
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        # A[14] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[14] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r12, 112(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[14] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 136(%rdi)
+        movq	152(%rdi), %r12
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        # A[14] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[14] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r11, 144(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[14] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 168(%rdi)
+        movq	184(%rdi), %r11
+        movq	192(%rdi), %r12
+        movq	200(%rdi), %r8
+        movq	208(%rdi), %r9
+        # A[14] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[14] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 176(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[14] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[14] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r12, 192(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 200(%rdi)
+        movq	216(%rdi), %r10
+        movq	224(%rdi), %r11
+        movq	232(%rdi), %r12
+        # A[14] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[14] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r9, 208(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[14] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r10, 216(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[14] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r11, 224(%rdi)
+        movq	%r14, %r8
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        adcxq	%r13, %r8
+        movq	%r14, %r13
+        adoxq	%r14, %r13
+        adcxq	%r14, %r13
+        movq	%r12, 232(%rdi)
+        movq	%r8, 240(%rdi)
+        movq	120(%rsi), %rdx
+        movq	120(%rbx), %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r11
+        movq	152(%rdi), %r12
+        # A[15] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[15] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 120(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[15] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[15] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        movq	%r11, 144(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r11
+        # A[15] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[15] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r12, 152(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[15] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        movq	%r8, 160(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[15] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 168(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 176(%rdi)
+        movq	192(%rdi), %r12
+        movq	200(%rdi), %r8
+        movq	208(%rdi), %r9
+        movq	216(%rdi), %r10
+        # A[15] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[15] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r11, 184(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[15] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        movq	%r12, 192(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[15] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 200(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 208(%rdi)
+        movq	224(%rdi), %r11
+        movq	232(%rdi), %r12
+        movq	240(%rdi), %r8
+        # A[15] * B[12]
+        mulx	96(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        # A[15] * B[13]
+        mulx	104(%rbp), %rax, %rcx
+        movq	%r10, 216(%rdi)
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        # A[15] * B[14]
+        mulx	112(%rbp), %rax, %rcx
+        movq	%r11, 224(%rdi)
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r8
+        # A[15] * B[15]
+        mulx	120(%rbp), %rax, %rcx
+        movq	%r12, 232(%rdi)
+        movq	%r14, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r13, %r9
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        cmpq	%rdi, %rsi
+        je	L_start_2048_mul_avx2_16
+        cmpq	%rdi, %rbp
+        jne	L_end_2048_mul_avx2_16
+L_start_2048_mul_avx2_16:
+        vmovdqu	(%rbx), %xmm0
+        vmovups	%xmm0, (%rdi)
+        vmovdqu	16(%rbx), %xmm0
+        vmovups	%xmm0, 16(%rdi)
+        vmovdqu	32(%rbx), %xmm0
+        vmovups	%xmm0, 32(%rdi)
+        vmovdqu	48(%rbx), %xmm0
+        vmovups	%xmm0, 48(%rdi)
+        vmovdqu	64(%rbx), %xmm0
+        vmovups	%xmm0, 64(%rdi)
+        vmovdqu	80(%rbx), %xmm0
+        vmovups	%xmm0, 80(%rdi)
+        vmovdqu	96(%rbx), %xmm0
+        vmovups	%xmm0, 96(%rdi)
+        vmovdqu	112(%rbx), %xmm0
+        vmovups	%xmm0, 112(%rdi)
+L_end_2048_mul_avx2_16:
+        addq	$128, %rsp
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        pop	%rbp
+        pop	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_avx2_16,.-sp_2048_mul_avx2_16
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sqr_avx2_16
+.type	sp_2048_sqr_avx2_16,@function
+.align	16
+sp_2048_sqr_avx2_16:
+#else
+.globl	_sp_2048_sqr_avx2_16
+.p2align	4
+_sp_2048_sqr_avx2_16:
+#endif /* __APPLE__ */
+        push	%rbp
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        subq	$128, %rsp
+        cmpq	%rdi, %rsi
+        movq	%rsp, %rbp
+        cmovne	%rdi, %rbp
+        xorq	%r11, %r11
+        # Diagonal 1
+        xorq	%r10, %r10
+        # A[1] x A[0]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r8, %r9
+        # A[2] x A[0]
+        mulxq	16(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 8(%rbp)
+        movq	%r9, 16(%rbp)
+        movq	%r11, %r8
+        movq	%r11, %r9
+        # A[3] x A[0]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[4] x A[0]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 24(%rbp)
+        movq	%r8, 32(%rbp)
+        movq	%r11, %r10
+        movq	%r11, %r8
+        # A[5] x A[0]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] x A[0]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 40(%rbp)
+        movq	%r10, 48(%rbp)
+        movq	%r11, %r9
+        movq	%r11, %r10
+        # A[7] x A[0]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[8] x A[0]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 56(%rbp)
+        movq	%r9, 64(%rbp)
+        movq	%r11, %r8
+        movq	%r11, %r9
+        # A[9] x A[0]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[10] x A[0]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 72(%rbp)
+        movq	%r8, 80(%rbp)
+        movq	%r11, %r10
+        movq	%r11, %r8
+        # A[11] x A[0]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[12] x A[0]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 88(%rbp)
+        movq	%r10, %r13
+        movq	%r11, %r9
+        movq	%r11, %r10
+        # A[13] x A[0]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] x A[0]
+        mulxq	112(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, %r14
+        movq	%r9, %r15
+        movq	%r11, %r8
+        # A[15] x A[0]
+        mulxq	120(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, %rbx
+        #  Carry
+        adcxq	%r11, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 128(%rdi)
+        # Diagonal 2
+        movq	24(%rbp), %r8
+        movq	32(%rbp), %r9
+        movq	40(%rbp), %r10
+        # A[2] x A[1]
+        movq	8(%rsi), %rdx
+        mulxq	16(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[3] x A[1]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 24(%rbp)
+        movq	%r9, 32(%rbp)
+        movq	48(%rbp), %r8
+        movq	56(%rbp), %r9
+        # A[4] x A[1]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[5] x A[1]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 40(%rbp)
+        movq	%r8, 48(%rbp)
+        movq	64(%rbp), %r10
+        movq	72(%rbp), %r8
+        # A[6] x A[1]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] x A[1]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 56(%rbp)
+        movq	%r10, 64(%rbp)
+        movq	80(%rbp), %r9
+        movq	88(%rbp), %r10
+        # A[8] x A[1]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[9] x A[1]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 72(%rbp)
+        movq	%r9, 80(%rbp)
+        # No load %r13 - %r8
+        # No load %r14 - %r9
+        # A[10] x A[1]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # A[11] x A[1]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%r10, 88(%rbp)
+        # No store %r13
+        # No load %r15 - %r10
+        # No load %rbx - %r8
+        # A[12] x A[1]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[13] x A[1]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r9
+        movq	%r11, %r10
+        # A[14] x A[1]
+        mulxq	112(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r9
+        # A[15] x A[1]
+        mulxq	120(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # No store %rbx
+        movq	%r9, 128(%rdi)
+        movq	%r11, %r8
+        # A[15] x A[2]
+        movq	16(%rsi), %rdx
+        mulxq	120(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 136(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 144(%rdi)
+        # Diagonal 3
+        movq	40(%rbp), %r8
+        movq	48(%rbp), %r9
+        movq	56(%rbp), %r10
+        # A[3] x A[2]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[4] x A[2]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 40(%rbp)
+        movq	%r9, 48(%rbp)
+        movq	64(%rbp), %r8
+        movq	72(%rbp), %r9
+        # A[5] x A[2]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[6] x A[2]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 56(%rbp)
+        movq	%r8, 64(%rbp)
+        movq	80(%rbp), %r10
+        movq	88(%rbp), %r8
+        # A[7] x A[2]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[8] x A[2]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 72(%rbp)
+        movq	%r10, 80(%rbp)
+        # No load %r13 - %r9
+        # No load %r14 - %r10
+        # A[9] x A[2]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r13
+        # A[10] x A[2]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%r8, 88(%rbp)
+        # No store %r13
+        # No load %r15 - %r8
+        # No load %rbx - %r9
+        # A[11] x A[2]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[12] x A[2]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r10
+        movq	136(%rdi), %r8
+        # A[13] x A[2]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r10
+        # A[14] x A[2]
+        mulxq	112(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # No store %rbx
+        movq	%r10, 128(%rdi)
+        movq	144(%rdi), %r9
+        movq	%r11, %r10
+        # A[14] x A[3]
+        movq	112(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] x A[4]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 136(%rdi)
+        movq	%r9, 144(%rdi)
+        movq	%r11, %r8
+        # A[14] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 152(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 160(%rdi)
+        # Diagonal 4
+        movq	56(%rbp), %r8
+        movq	64(%rbp), %r9
+        movq	72(%rbp), %r10
+        # A[4] x A[3]
+        movq	24(%rsi), %rdx
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] x A[3]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 56(%rbp)
+        movq	%r9, 64(%rbp)
+        movq	80(%rbp), %r8
+        movq	88(%rbp), %r9
+        # A[6] x A[3]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[7] x A[3]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 72(%rbp)
+        movq	%r8, 80(%rbp)
+        # No load %r13 - %r10
+        # No load %r14 - %r8
+        # A[8] x A[3]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r13
+        # A[9] x A[3]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%r9, 88(%rbp)
+        # No store %r13
+        # No load %r15 - %r9
+        # No load %rbx - %r10
+        # A[10] x A[3]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[11] x A[3]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r8
+        movq	136(%rdi), %r9
+        # A[12] x A[3]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r8
+        # A[13] x A[3]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # No store %rbx
+        movq	%r8, 128(%rdi)
+        movq	144(%rdi), %r10
+        movq	152(%rdi), %r8
+        # A[13] x A[4]
+        movq	104(%rsi), %rdx
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[13] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 136(%rdi)
+        movq	%r10, 144(%rdi)
+        movq	160(%rdi), %r9
+        movq	%r11, %r10
+        # A[13] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[13] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 152(%rdi)
+        movq	%r9, 160(%rdi)
+        movq	%r11, %r8
+        # A[13] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 168(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 176(%rdi)
+        # Diagonal 5
+        movq	72(%rbp), %r8
+        movq	80(%rbp), %r9
+        movq	88(%rbp), %r10
+        # A[5] x A[4]
+        movq	32(%rsi), %rdx
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] x A[4]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 72(%rbp)
+        movq	%r9, 80(%rbp)
+        # No load %r13 - %r8
+        # No load %r14 - %r9
+        # A[7] x A[4]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # A[8] x A[4]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%r10, 88(%rbp)
+        # No store %r13
+        # No load %r15 - %r10
+        # No load %rbx - %r8
+        # A[9] x A[4]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[10] x A[4]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[11] x A[4]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r9
+        # A[12] x A[4]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # No store %rbx
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[12] x A[5]
+        movq	96(%rsi), %rdx
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[12] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	160(%rdi), %r10
+        movq	168(%rdi), %r8
+        # A[12] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[12] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 152(%rdi)
+        movq	%r10, 160(%rdi)
+        movq	176(%rdi), %r9
+        movq	%r11, %r10
+        # A[12] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[12] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 168(%rdi)
+        movq	%r9, 176(%rdi)
+        movq	%r11, %r8
+        # A[12] x A[11]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 184(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 192(%rdi)
+        # Diagonal 6
+        movq	88(%rbp), %r8
+        # No load %r13 - %r9
+        # No load %r14 - %r10
+        # A[6] x A[5]
+        movq	40(%rsi), %rdx
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r13
+        # A[7] x A[5]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%r8, 88(%rbp)
+        # No store %r13
+        # No load %r15 - %r8
+        # No load %rbx - %r9
+        # A[8] x A[5]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[9] x A[5]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r10
+        movq	136(%rdi), %r8
+        # A[10] x A[5]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r10
+        # A[11] x A[5]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # No store %rbx
+        movq	%r10, 128(%rdi)
+        movq	144(%rdi), %r9
+        movq	152(%rdi), %r10
+        # A[11] x A[6]
+        movq	88(%rsi), %rdx
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 136(%rdi)
+        movq	%r9, 144(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[11] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[11] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 152(%rdi)
+        movq	%r8, 160(%rdi)
+        movq	176(%rdi), %r10
+        movq	184(%rdi), %r8
+        # A[11] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[13] x A[9]
+        movq	104(%rsi), %rdx
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 168(%rdi)
+        movq	%r10, 176(%rdi)
+        movq	192(%rdi), %r9
+        movq	%r11, %r10
+        # A[13] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[13] x A[11]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 184(%rdi)
+        movq	%r9, 192(%rdi)
+        movq	%r11, %r8
+        # A[13] x A[12]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 200(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 208(%rdi)
+        # Diagonal 7
+        # No load %r14 - %r8
+        # No load %r15 - %r9
+        # No load %rbx - %r10
+        # A[7] x A[6]
+        movq	48(%rsi), %rdx
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # A[8] x A[6]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r14
+        # No store %r15
+        movq	128(%rdi), %r8
+        movq	136(%rdi), %r9
+        # A[9] x A[6]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r8
+        # A[10] x A[6]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # No store %rbx
+        movq	%r8, 128(%rdi)
+        movq	144(%rdi), %r10
+        movq	152(%rdi), %r8
+        # A[10] x A[7]
+        movq	80(%rsi), %rdx
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[10] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 136(%rdi)
+        movq	%r10, 144(%rdi)
+        movq	160(%rdi), %r9
+        movq	168(%rdi), %r10
+        # A[10] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] x A[6]
+        movq	112(%rsi), %rdx
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 152(%rdi)
+        movq	%r9, 160(%rdi)
+        movq	176(%rdi), %r8
+        movq	184(%rdi), %r9
+        # A[14] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[14] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 168(%rdi)
+        movq	%r8, 176(%rdi)
+        movq	192(%rdi), %r10
+        movq	200(%rdi), %r8
+        # A[14] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[14] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 184(%rdi)
+        movq	%r10, 192(%rdi)
+        movq	208(%rdi), %r9
+        movq	%r11, %r10
+        # A[14] x A[11]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[14] x A[12]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 200(%rdi)
+        movq	%r9, 208(%rdi)
+        movq	%r11, %r8
+        # A[14] x A[13]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 216(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 224(%rdi)
+        # Diagonal 8
+        # No load %rbx - %r8
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[8] x A[7]
+        movq	56(%rsi), %rdx
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r9
+        # A[9] x A[7]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # No store %rbx
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[9] x A[8]
+        movq	64(%rsi), %rdx
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[15] x A[3]
+        movq	120(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	160(%rdi), %r10
+        movq	168(%rdi), %r8
+        # A[15] x A[4]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[15] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 152(%rdi)
+        movq	%r10, 160(%rdi)
+        movq	176(%rdi), %r9
+        movq	184(%rdi), %r10
+        # A[15] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[15] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 168(%rdi)
+        movq	%r9, 176(%rdi)
+        movq	192(%rdi), %r8
+        movq	200(%rdi), %r9
+        # A[15] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[15] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r10, 184(%rdi)
+        movq	%r8, 192(%rdi)
+        movq	208(%rdi), %r10
+        movq	216(%rdi), %r8
+        # A[15] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[15] x A[11]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r9, 200(%rdi)
+        movq	%r10, 208(%rdi)
+        movq	224(%rdi), %r9
+        movq	%r11, %r10
+        # A[15] x A[12]
+        mulxq	96(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[15] x A[13]
+        mulxq	104(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r8, 216(%rdi)
+        movq	%r9, 224(%rdi)
+        movq	%r11, %r8
+        # A[15] x A[14]
+        mulxq	112(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 232(%rdi)
+        #  Carry
+        adcxq	%r12, %r8
+        movq	%r11, %r12
+        adcxq	%r11, %r12
+        adoxq	%r11, %r12
+        movq	%r8, 240(%rdi)
+        movq	%r12, 248(%rdi)
+        # Double and Add in A[i] x A[i]
+        movq	8(%rbp), %r9
+        # A[0] x A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        movq	%rax, (%rbp)
+        adoxq	%r9, %r9
+        adcxq	%rcx, %r9
+        movq	%r9, 8(%rbp)
+        movq	16(%rbp), %r8
+        movq	24(%rbp), %r9
+        # A[1] x A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 16(%rbp)
+        movq	%r9, 24(%rbp)
+        movq	32(%rbp), %r8
+        movq	40(%rbp), %r9
+        # A[2] x A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 32(%rbp)
+        movq	%r9, 40(%rbp)
+        movq	48(%rbp), %r8
+        movq	56(%rbp), %r9
+        # A[3] x A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 48(%rbp)
+        movq	%r9, 56(%rbp)
+        movq	64(%rbp), %r8
+        movq	72(%rbp), %r9
+        # A[4] x A[4]
+        movq	32(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 64(%rbp)
+        movq	%r9, 72(%rbp)
+        movq	80(%rbp), %r8
+        movq	88(%rbp), %r9
+        # A[5] x A[5]
+        movq	40(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 80(%rbp)
+        movq	%r9, 88(%rbp)
+        # A[6] x A[6]
+        movq	48(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r13, %r13
+        adoxq	%r14, %r14
+        adcxq	%rax, %r13
+        adcxq	%rcx, %r14
+        # A[7] x A[7]
+        movq	56(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r15, %r15
+        adoxq	%rbx, %rbx
+        adcxq	%rax, %r15
+        adcxq	%rcx, %rbx
+        movq	128(%rdi), %r8
+        movq	136(%rdi), %r9
+        # A[8] x A[8]
+        movq	64(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 128(%rdi)
+        movq	%r9, 136(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[9] x A[9]
+        movq	72(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 144(%rdi)
+        movq	%r9, 152(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[10] x A[10]
+        movq	80(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 160(%rdi)
+        movq	%r9, 168(%rdi)
+        movq	176(%rdi), %r8
+        movq	184(%rdi), %r9
+        # A[11] x A[11]
+        movq	88(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	192(%rdi), %r8
+        movq	200(%rdi), %r9
+        # A[12] x A[12]
+        movq	96(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 192(%rdi)
+        movq	%r9, 200(%rdi)
+        movq	208(%rdi), %r8
+        movq	216(%rdi), %r9
+        # A[13] x A[13]
+        movq	104(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 208(%rdi)
+        movq	%r9, 216(%rdi)
+        movq	224(%rdi), %r8
+        movq	232(%rdi), %r9
+        # A[14] x A[14]
+        movq	112(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 224(%rdi)
+        movq	%r9, 232(%rdi)
+        movq	240(%rdi), %r8
+        movq	248(%rdi), %r9
+        # A[15] x A[15]
+        movq	120(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        movq	%r13, 96(%rdi)
+        movq	%r14, 104(%rdi)
+        movq	%r15, 112(%rdi)
+        movq	%rbx, 120(%rdi)
+        cmpq	%rdi, %rsi
+        jne	L_end_2048_sqr_avx2_16
+        vmovdqu	(%rbp), %xmm0
+        vmovups	%xmm0, (%rdi)
+        vmovdqu	16(%rbp), %xmm0
+        vmovups	%xmm0, 16(%rdi)
+        vmovdqu	32(%rbp), %xmm0
+        vmovups	%xmm0, 32(%rdi)
+        vmovdqu	48(%rbp), %xmm0
+        vmovups	%xmm0, 48(%rdi)
+        vmovdqu	64(%rbp), %xmm0
+        vmovups	%xmm0, 64(%rdi)
+        vmovdqu	80(%rbp), %xmm0
+        vmovups	%xmm0, 80(%rdi)
+L_end_2048_sqr_avx2_16:
+        addq	$128, %rsp
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        pop	%rbp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sqr_avx2_16,.-sp_2048_sqr_avx2_16
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_add_16
+.type	sp_2048_add_16,@function
+.align	16
+sp_2048_add_16:
+#else
+.globl	_sp_2048_add_16
+.p2align	4
+_sp_2048_add_16:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        adcq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        adcq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        adcq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        adcq	120(%rdx), %r8
+        movq	%r8, 120(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_add_16,.-sp_2048_add_16
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sub_in_place_32
+.type	sp_2048_sub_in_place_32,@function
+.align	16
+sp_2048_sub_in_place_32:
+#else
+.globl	_sp_2048_sub_in_place_32
+.p2align	4
+_sp_2048_sub_in_place_32:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rdx
+        xorq	%rax, %rax
+        subq	(%rsi), %rdx
+        movq	8(%rdi), %rcx
+        movq	%rdx, (%rdi)
+        sbbq	8(%rsi), %rcx
+        movq	16(%rdi), %rdx
+        movq	%rcx, 8(%rdi)
+        sbbq	16(%rsi), %rdx
+        movq	24(%rdi), %rcx
+        movq	%rdx, 16(%rdi)
+        sbbq	24(%rsi), %rcx
+        movq	32(%rdi), %rdx
+        movq	%rcx, 24(%rdi)
+        sbbq	32(%rsi), %rdx
+        movq	40(%rdi), %rcx
+        movq	%rdx, 32(%rdi)
+        sbbq	40(%rsi), %rcx
+        movq	48(%rdi), %rdx
+        movq	%rcx, 40(%rdi)
+        sbbq	48(%rsi), %rdx
+        movq	56(%rdi), %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	56(%rsi), %rcx
+        movq	64(%rdi), %rdx
+        movq	%rcx, 56(%rdi)
+        sbbq	64(%rsi), %rdx
+        movq	72(%rdi), %rcx
+        movq	%rdx, 64(%rdi)
+        sbbq	72(%rsi), %rcx
+        movq	80(%rdi), %rdx
+        movq	%rcx, 72(%rdi)
+        sbbq	80(%rsi), %rdx
+        movq	88(%rdi), %rcx
+        movq	%rdx, 80(%rdi)
+        sbbq	88(%rsi), %rcx
+        movq	96(%rdi), %rdx
+        movq	%rcx, 88(%rdi)
+        sbbq	96(%rsi), %rdx
+        movq	104(%rdi), %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	104(%rsi), %rcx
+        movq	112(%rdi), %rdx
+        movq	%rcx, 104(%rdi)
+        sbbq	112(%rsi), %rdx
+        movq	120(%rdi), %rcx
+        movq	%rdx, 112(%rdi)
+        sbbq	120(%rsi), %rcx
+        movq	128(%rdi), %rdx
+        movq	%rcx, 120(%rdi)
+        sbbq	128(%rsi), %rdx
+        movq	136(%rdi), %rcx
+        movq	%rdx, 128(%rdi)
+        sbbq	136(%rsi), %rcx
+        movq	144(%rdi), %rdx
+        movq	%rcx, 136(%rdi)
+        sbbq	144(%rsi), %rdx
+        movq	152(%rdi), %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	152(%rsi), %rcx
+        movq	160(%rdi), %rdx
+        movq	%rcx, 152(%rdi)
+        sbbq	160(%rsi), %rdx
+        movq	168(%rdi), %rcx
+        movq	%rdx, 160(%rdi)
+        sbbq	168(%rsi), %rcx
+        movq	176(%rdi), %rdx
+        movq	%rcx, 168(%rdi)
+        sbbq	176(%rsi), %rdx
+        movq	184(%rdi), %rcx
+        movq	%rdx, 176(%rdi)
+        sbbq	184(%rsi), %rcx
+        movq	192(%rdi), %rdx
+        movq	%rcx, 184(%rdi)
+        sbbq	192(%rsi), %rdx
+        movq	200(%rdi), %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	200(%rsi), %rcx
+        movq	208(%rdi), %rdx
+        movq	%rcx, 200(%rdi)
+        sbbq	208(%rsi), %rdx
+        movq	216(%rdi), %rcx
+        movq	%rdx, 208(%rdi)
+        sbbq	216(%rsi), %rcx
+        movq	224(%rdi), %rdx
+        movq	%rcx, 216(%rdi)
+        sbbq	224(%rsi), %rdx
+        movq	232(%rdi), %rcx
+        movq	%rdx, 224(%rdi)
+        sbbq	232(%rsi), %rcx
+        movq	240(%rdi), %rdx
+        movq	%rcx, 232(%rdi)
+        sbbq	240(%rsi), %rdx
+        movq	248(%rdi), %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	248(%rsi), %rcx
+        movq	%rcx, 248(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sub_in_place_32,.-sp_2048_sub_in_place_32
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_add_32
+.type	sp_2048_add_32,@function
+.align	16
+sp_2048_add_32:
+#else
+.globl	_sp_2048_add_32
+.p2align	4
+_sp_2048_add_32:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        adcq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        adcq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        adcq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        adcq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        adcq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        adcq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        adcq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        adcq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        adcq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        adcq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        adcq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        adcq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        adcq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        adcq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        adcq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        adcq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        adcq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        adcq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        adcq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        adcq	248(%rdx), %r8
+        movq	%r8, 248(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_add_32,.-sp_2048_add_32
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_32
+.type	sp_2048_mul_32,@function
+.align	16
+sp_2048_mul_32:
+#else
+.globl	_sp_2048_mul_32
+.p2align	4
+_sp_2048_mul_32:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$808, %rsp
+        movq	%rdi, 768(%rsp)
+        movq	%rsi, 776(%rsp)
+        movq	%rdx, 784(%rsp)
+        leaq	512(%rsp), %r10
+        leaq	128(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	%rax, 120(%r10)
+        adcq	$0, %r13
+        movq	%r13, 792(%rsp)
+        leaq	640(%rsp), %r11
+        leaq	128(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	%rax, 120(%r11)
+        adcq	$0, %r14
+        movq	%r14, 800(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_16@plt
+#else
+        callq	_sp_2048_mul_16
+#endif /* __APPLE__ */
+        movq	784(%rsp), %rdx
+        movq	776(%rsp), %rsi
+        leaq	256(%rsp), %rdi
+        addq	$128, %rdx
+        addq	$128, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_mul_16@plt
+#else
+        callq	_sp_2048_mul_16
+#endif /* __APPLE__ */
+        movq	784(%rsp), %rdx
+        movq	776(%rsp), %rsi
+        movq	768(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_16@plt
+#else
+        callq	_sp_2048_mul_16
+#endif /* __APPLE__ */
+        movq	792(%rsp), %r13
+        movq	800(%rsp), %r14
+        movq	768(%rsp), %r15
+        movq	%r13, %r9
+        leaq	512(%rsp), %r10
+        leaq	640(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$256, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, (%r10)
+        movq	%rcx, (%r11)
+        movq	8(%r10), %rax
+        movq	8(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 8(%r10)
+        movq	%rcx, 8(%r11)
+        movq	16(%r10), %rax
+        movq	16(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 16(%r10)
+        movq	%rcx, 16(%r11)
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 24(%r10)
+        movq	%rcx, 24(%r11)
+        movq	32(%r10), %rax
+        movq	32(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 32(%r10)
+        movq	%rcx, 32(%r11)
+        movq	40(%r10), %rax
+        movq	40(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 40(%r10)
+        movq	%rcx, 40(%r11)
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 48(%r10)
+        movq	%rcx, 48(%r11)
+        movq	56(%r10), %rax
+        movq	56(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 56(%r10)
+        movq	%rcx, 56(%r11)
+        movq	64(%r10), %rax
+        movq	64(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 64(%r10)
+        movq	%rcx, 64(%r11)
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 72(%r10)
+        movq	%rcx, 72(%r11)
+        movq	80(%r10), %rax
+        movq	80(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 80(%r10)
+        movq	%rcx, 80(%r11)
+        movq	88(%r10), %rax
+        movq	88(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 88(%r10)
+        movq	%rcx, 88(%r11)
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 96(%r10)
+        movq	%rcx, 96(%r11)
+        movq	104(%r10), %rax
+        movq	104(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 104(%r10)
+        movq	%rcx, 104(%r11)
+        movq	112(%r10), %rax
+        movq	112(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 112(%r10)
+        movq	%rcx, 112(%r11)
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 120(%r10)
+        movq	%rcx, 120(%r11)
+        movq	(%r10), %rax
+        addq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	%rax, 120(%r15)
+        adcq	$0, %r9
+        leaq	256(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	%rcx, 248(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	%rcx, 248(%r10)
+        sbbq	$0, %r9
+        subq	$128, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	%rcx, 248(%r15)
+        adcq	$0, %r9
+        movq	%r9, 384(%rdi)
+        addq	$128, %r15
+        # Add
+        movq	(%r15), %rax
+        xorq	%r9, %r9
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	%rcx, 128(%r15)
+        adcq	$0, %r9
+        # Add to zero
+        movq	136(%r11), %rax
+        adcq	$0, %rax
+        movq	144(%r11), %rcx
+        movq	%rax, 136(%r15)
+        adcq	$0, %rcx
+        movq	152(%r11), %r8
+        movq	%rcx, 144(%r15)
+        adcq	$0, %r8
+        movq	160(%r11), %rax
+        movq	%r8, 152(%r15)
+        adcq	$0, %rax
+        movq	168(%r11), %rcx
+        movq	%rax, 160(%r15)
+        adcq	$0, %rcx
+        movq	176(%r11), %r8
+        movq	%rcx, 168(%r15)
+        adcq	$0, %r8
+        movq	184(%r11), %rax
+        movq	%r8, 176(%r15)
+        adcq	$0, %rax
+        movq	192(%r11), %rcx
+        movq	%rax, 184(%r15)
+        adcq	$0, %rcx
+        movq	200(%r11), %r8
+        movq	%rcx, 192(%r15)
+        adcq	$0, %r8
+        movq	208(%r11), %rax
+        movq	%r8, 200(%r15)
+        adcq	$0, %rax
+        movq	216(%r11), %rcx
+        movq	%rax, 208(%r15)
+        adcq	$0, %rcx
+        movq	224(%r11), %r8
+        movq	%rcx, 216(%r15)
+        adcq	$0, %r8
+        movq	232(%r11), %rax
+        movq	%r8, 224(%r15)
+        adcq	$0, %rax
+        movq	240(%r11), %rcx
+        movq	%rax, 232(%r15)
+        adcq	$0, %rcx
+        movq	248(%r11), %r8
+        movq	%rcx, 240(%r15)
+        adcq	$0, %r8
+        movq	%r8, 248(%r15)
+        addq	$808, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_32,.-sp_2048_mul_32
+#endif /* __APPLE__ */
+/* Add a to a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_dbl_16
+.type	sp_2048_dbl_16,@function
+.align	16
+sp_2048_dbl_16:
+#else
+.globl	_sp_2048_dbl_16
+.p2align	4
+_sp_2048_dbl_16:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        xorq	%rax, %rax
+        addq	%rdx, %rdx
+        movq	8(%rsi), %rcx
+        movq	%rdx, (%rdi)
+        adcq	%rcx, %rcx
+        movq	16(%rsi), %rdx
+        movq	%rcx, 8(%rdi)
+        adcq	%rdx, %rdx
+        movq	24(%rsi), %rcx
+        movq	%rdx, 16(%rdi)
+        adcq	%rcx, %rcx
+        movq	32(%rsi), %rdx
+        movq	%rcx, 24(%rdi)
+        adcq	%rdx, %rdx
+        movq	40(%rsi), %rcx
+        movq	%rdx, 32(%rdi)
+        adcq	%rcx, %rcx
+        movq	48(%rsi), %rdx
+        movq	%rcx, 40(%rdi)
+        adcq	%rdx, %rdx
+        movq	56(%rsi), %rcx
+        movq	%rdx, 48(%rdi)
+        adcq	%rcx, %rcx
+        movq	64(%rsi), %rdx
+        movq	%rcx, 56(%rdi)
+        adcq	%rdx, %rdx
+        movq	72(%rsi), %rcx
+        movq	%rdx, 64(%rdi)
+        adcq	%rcx, %rcx
+        movq	80(%rsi), %rdx
+        movq	%rcx, 72(%rdi)
+        adcq	%rdx, %rdx
+        movq	88(%rsi), %rcx
+        movq	%rdx, 80(%rdi)
+        adcq	%rcx, %rcx
+        movq	96(%rsi), %rdx
+        movq	%rcx, 88(%rdi)
+        adcq	%rdx, %rdx
+        movq	104(%rsi), %rcx
+        movq	%rdx, 96(%rdi)
+        adcq	%rcx, %rcx
+        movq	112(%rsi), %rdx
+        movq	%rcx, 104(%rdi)
+        adcq	%rdx, %rdx
+        movq	120(%rsi), %rcx
+        movq	%rdx, 112(%rdi)
+        adcq	%rcx, %rcx
+        movq	%rcx, 120(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_dbl_16,.-sp_2048_dbl_16
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sqr_32
+.type	sp_2048_sqr_32,@function
+.align	16
+sp_2048_sqr_32:
+#else
+.globl	_sp_2048_sqr_32
+.p2align	4
+_sp_2048_sqr_32:
+#endif /* __APPLE__ */
+        subq	$664, %rsp
+        movq	%rdi, 640(%rsp)
+        movq	%rsi, 648(%rsp)
+        leaq	512(%rsp), %r8
+        leaq	128(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	%rax, 120(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 656(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_16@plt
+#else
+        callq	_sp_2048_sqr_16
+#endif /* __APPLE__ */
+        movq	648(%rsp), %rsi
+        leaq	256(%rsp), %rdi
+        addq	$128, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_16@plt
+#else
+        callq	_sp_2048_sqr_16
+#endif /* __APPLE__ */
+        movq	648(%rsp), %rsi
+        movq	640(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_16@plt
+#else
+        callq	_sp_2048_sqr_16
+#endif /* __APPLE__ */
+        movq	656(%rsp), %r10
+        leaq	512(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        movq	(%r8), %rdx
+        movq	8(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 256(%rdi)
+        movq	%rax, 264(%rdi)
+        movq	16(%r8), %rdx
+        movq	24(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 272(%rdi)
+        movq	%rax, 280(%rdi)
+        movq	32(%r8), %rdx
+        movq	40(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 288(%rdi)
+        movq	%rax, 296(%rdi)
+        movq	48(%r8), %rdx
+        movq	56(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 304(%rdi)
+        movq	%rax, 312(%rdi)
+        movq	64(%r8), %rdx
+        movq	72(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 320(%rdi)
+        movq	%rax, 328(%rdi)
+        movq	80(%r8), %rdx
+        movq	88(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 336(%rdi)
+        movq	%rax, 344(%rdi)
+        movq	96(%r8), %rdx
+        movq	104(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 352(%rdi)
+        movq	%rax, 360(%rdi)
+        movq	112(%r8), %rdx
+        movq	120(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 368(%rdi)
+        movq	%rax, 376(%rdi)
+        movq	256(%rdi), %rdx
+        addq	%rdx, %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	%rax, %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	%rdx, %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	%rax, %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	%rdx, %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	%rax, %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	%rdx, %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	%rax, %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	%rdx, %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	%rax, %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	%rdx, %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	%rax, %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	%rdx, %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	%rax, %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	%rdx, %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	%rax, %rax
+        movq	%rax, 376(%rdi)
+        adcq	$0, %rcx
+        leaq	256(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	%rax, 248(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	%rax, 248(%r8)
+        sbbq	$0, %rcx
+        # Add in place
+        movq	128(%rdi), %rdx
+        addq	(%r8), %rdx
+        movq	136(%rdi), %rax
+        movq	%rdx, 128(%rdi)
+        adcq	8(%r8), %rax
+        movq	144(%rdi), %rdx
+        movq	%rax, 136(%rdi)
+        adcq	16(%r8), %rdx
+        movq	152(%rdi), %rax
+        movq	%rdx, 144(%rdi)
+        adcq	24(%r8), %rax
+        movq	160(%rdi), %rdx
+        movq	%rax, 152(%rdi)
+        adcq	32(%r8), %rdx
+        movq	168(%rdi), %rax
+        movq	%rdx, 160(%rdi)
+        adcq	40(%r8), %rax
+        movq	176(%rdi), %rdx
+        movq	%rax, 168(%rdi)
+        adcq	48(%r8), %rdx
+        movq	184(%rdi), %rax
+        movq	%rdx, 176(%rdi)
+        adcq	56(%r8), %rax
+        movq	192(%rdi), %rdx
+        movq	%rax, 184(%rdi)
+        adcq	64(%r8), %rdx
+        movq	200(%rdi), %rax
+        movq	%rdx, 192(%rdi)
+        adcq	72(%r8), %rax
+        movq	208(%rdi), %rdx
+        movq	%rax, 200(%rdi)
+        adcq	80(%r8), %rdx
+        movq	216(%rdi), %rax
+        movq	%rdx, 208(%rdi)
+        adcq	88(%r8), %rax
+        movq	224(%rdi), %rdx
+        movq	%rax, 216(%rdi)
+        adcq	96(%r8), %rdx
+        movq	232(%rdi), %rax
+        movq	%rdx, 224(%rdi)
+        adcq	104(%r8), %rax
+        movq	240(%rdi), %rdx
+        movq	%rax, 232(%rdi)
+        adcq	112(%r8), %rdx
+        movq	248(%rdi), %rax
+        movq	%rdx, 240(%rdi)
+        adcq	120(%r8), %rax
+        movq	256(%rdi), %rdx
+        movq	%rax, 248(%rdi)
+        adcq	128(%r8), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	136(%r8), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	144(%r8), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	152(%r8), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	160(%r8), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	168(%r8), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	176(%r8), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	184(%r8), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	192(%r8), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	200(%r8), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	208(%r8), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	216(%r8), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	224(%r8), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	232(%r8), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	240(%r8), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	248(%r8), %rax
+        movq	%rax, 376(%rdi)
+        adcq	$0, %rcx
+        movq	%rcx, 384(%rdi)
+        # Add in place
+        movq	256(%rdi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%rsi), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	8(%rsi), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	16(%rsi), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	24(%rsi), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	32(%rsi), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	40(%rsi), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	48(%rsi), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	56(%rsi), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	64(%rsi), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	72(%rsi), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	80(%rsi), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	88(%rsi), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	96(%rsi), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	104(%rsi), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	112(%rsi), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	120(%rsi), %rax
+        movq	384(%rdi), %rdx
+        movq	%rax, 376(%rdi)
+        adcq	128(%rsi), %rdx
+        movq	%rdx, 384(%rdi)
+        adcq	$0, %rcx
+        # Add to zero
+        movq	136(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	144(%rsi), %rax
+        movq	%rdx, 392(%rdi)
+        adcq	$0, %rax
+        movq	152(%rsi), %rdx
+        movq	%rax, 400(%rdi)
+        adcq	$0, %rdx
+        movq	160(%rsi), %rax
+        movq	%rdx, 408(%rdi)
+        adcq	$0, %rax
+        movq	168(%rsi), %rdx
+        movq	%rax, 416(%rdi)
+        adcq	$0, %rdx
+        movq	176(%rsi), %rax
+        movq	%rdx, 424(%rdi)
+        adcq	$0, %rax
+        movq	184(%rsi), %rdx
+        movq	%rax, 432(%rdi)
+        adcq	$0, %rdx
+        movq	192(%rsi), %rax
+        movq	%rdx, 440(%rdi)
+        adcq	$0, %rax
+        movq	200(%rsi), %rdx
+        movq	%rax, 448(%rdi)
+        adcq	$0, %rdx
+        movq	208(%rsi), %rax
+        movq	%rdx, 456(%rdi)
+        adcq	$0, %rax
+        movq	216(%rsi), %rdx
+        movq	%rax, 464(%rdi)
+        adcq	$0, %rdx
+        movq	224(%rsi), %rax
+        movq	%rdx, 472(%rdi)
+        adcq	$0, %rax
+        movq	232(%rsi), %rdx
+        movq	%rax, 480(%rdi)
+        adcq	$0, %rdx
+        movq	240(%rsi), %rax
+        movq	%rdx, 488(%rdi)
+        adcq	$0, %rax
+        movq	248(%rsi), %rdx
+        movq	%rax, 496(%rdi)
+        adcq	$0, %rdx
+        movq	%rdx, 504(%rdi)
+        addq	$664, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sqr_32,.-sp_2048_sqr_32
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_avx2_32
+.type	sp_2048_mul_avx2_32,@function
+.align	16
+sp_2048_mul_avx2_32:
+#else
+.globl	_sp_2048_mul_avx2_32
+.p2align	4
+_sp_2048_mul_avx2_32:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$808, %rsp
+        movq	%rdi, 768(%rsp)
+        movq	%rsi, 776(%rsp)
+        movq	%rdx, 784(%rsp)
+        leaq	512(%rsp), %r10
+        leaq	128(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	%rax, 120(%r10)
+        adcq	$0, %r13
+        movq	%r13, 792(%rsp)
+        leaq	640(%rsp), %r11
+        leaq	128(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	%rax, 120(%r11)
+        adcq	$0, %r14
+        movq	%r14, 800(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_16@plt
+#else
+        callq	_sp_2048_mul_avx2_16
+#endif /* __APPLE__ */
+        movq	784(%rsp), %rdx
+        movq	776(%rsp), %rsi
+        leaq	256(%rsp), %rdi
+        addq	$128, %rdx
+        addq	$128, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_16@plt
+#else
+        callq	_sp_2048_mul_avx2_16
+#endif /* __APPLE__ */
+        movq	784(%rsp), %rdx
+        movq	776(%rsp), %rsi
+        movq	768(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_16@plt
+#else
+        callq	_sp_2048_mul_avx2_16
+#endif /* __APPLE__ */
+        movq	792(%rsp), %r13
+        movq	800(%rsp), %r14
+        movq	768(%rsp), %r15
+        movq	%r13, %r9
+        leaq	512(%rsp), %r10
+        leaq	640(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$256, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        addq	%rcx, %rax
+        movq	8(%r10), %rcx
+        movq	8(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, (%r15)
+        adcq	%r8, %rcx
+        movq	16(%r10), %r8
+        movq	16(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 8(%r15)
+        adcq	%rax, %r8
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 16(%r15)
+        adcq	%rcx, %rax
+        movq	32(%r10), %rcx
+        movq	32(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 24(%r15)
+        adcq	%r8, %rcx
+        movq	40(%r10), %r8
+        movq	40(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 32(%r15)
+        adcq	%rax, %r8
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 40(%r15)
+        adcq	%rcx, %rax
+        movq	56(%r10), %rcx
+        movq	56(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 48(%r15)
+        adcq	%r8, %rcx
+        movq	64(%r10), %r8
+        movq	64(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 56(%r15)
+        adcq	%rax, %r8
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 64(%r15)
+        adcq	%rcx, %rax
+        movq	80(%r10), %rcx
+        movq	80(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 72(%r15)
+        adcq	%r8, %rcx
+        movq	88(%r10), %r8
+        movq	88(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 80(%r15)
+        adcq	%rax, %r8
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 88(%r15)
+        adcq	%rcx, %rax
+        movq	104(%r10), %rcx
+        movq	104(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 96(%r15)
+        adcq	%r8, %rcx
+        movq	112(%r10), %r8
+        movq	112(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 104(%r15)
+        adcq	%rax, %r8
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 112(%r15)
+        adcq	%rcx, %rax
+        movq	%rax, 120(%r15)
+        adcq	$0, %r9
+        leaq	256(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	%rcx, 248(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	%rcx, 248(%r10)
+        sbbq	$0, %r9
+        subq	$128, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	%rcx, 248(%r15)
+        adcq	$0, %r9
+        movq	%r9, 384(%rdi)
+        addq	$128, %r15
+        # Add
+        movq	(%r15), %rax
+        xorq	%r9, %r9
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	%rcx, 128(%r15)
+        adcq	$0, %r9
+        # Add to zero
+        movq	136(%r11), %rax
+        adcq	$0, %rax
+        movq	144(%r11), %rcx
+        movq	%rax, 136(%r15)
+        adcq	$0, %rcx
+        movq	152(%r11), %r8
+        movq	%rcx, 144(%r15)
+        adcq	$0, %r8
+        movq	160(%r11), %rax
+        movq	%r8, 152(%r15)
+        adcq	$0, %rax
+        movq	168(%r11), %rcx
+        movq	%rax, 160(%r15)
+        adcq	$0, %rcx
+        movq	176(%r11), %r8
+        movq	%rcx, 168(%r15)
+        adcq	$0, %r8
+        movq	184(%r11), %rax
+        movq	%r8, 176(%r15)
+        adcq	$0, %rax
+        movq	192(%r11), %rcx
+        movq	%rax, 184(%r15)
+        adcq	$0, %rcx
+        movq	200(%r11), %r8
+        movq	%rcx, 192(%r15)
+        adcq	$0, %r8
+        movq	208(%r11), %rax
+        movq	%r8, 200(%r15)
+        adcq	$0, %rax
+        movq	216(%r11), %rcx
+        movq	%rax, 208(%r15)
+        adcq	$0, %rcx
+        movq	224(%r11), %r8
+        movq	%rcx, 216(%r15)
+        adcq	$0, %r8
+        movq	232(%r11), %rax
+        movq	%r8, 224(%r15)
+        adcq	$0, %rax
+        movq	240(%r11), %rcx
+        movq	%rax, 232(%r15)
+        adcq	$0, %rcx
+        movq	248(%r11), %r8
+        movq	%rcx, 240(%r15)
+        adcq	$0, %r8
+        movq	%r8, 248(%r15)
+        addq	$808, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_avx2_32,.-sp_2048_mul_avx2_32
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sqr_avx2_32
+.type	sp_2048_sqr_avx2_32,@function
+.align	16
+sp_2048_sqr_avx2_32:
+#else
+.globl	_sp_2048_sqr_avx2_32
+.p2align	4
+_sp_2048_sqr_avx2_32:
+#endif /* __APPLE__ */
+        subq	$664, %rsp
+        movq	%rdi, 640(%rsp)
+        movq	%rsi, 648(%rsp)
+        leaq	512(%rsp), %r8
+        leaq	128(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	%rax, 120(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 656(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_16@plt
+#else
+        callq	_sp_2048_sqr_avx2_16
+#endif /* __APPLE__ */
+        movq	648(%rsp), %rsi
+        leaq	256(%rsp), %rdi
+        addq	$128, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_16@plt
+#else
+        callq	_sp_2048_sqr_avx2_16
+#endif /* __APPLE__ */
+        movq	648(%rsp), %rsi
+        movq	640(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_16@plt
+#else
+        callq	_sp_2048_sqr_avx2_16
+#endif /* __APPLE__ */
+        movq	656(%rsp), %r10
+        leaq	512(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        movq	(%r8), %rdx
+        pextq	%r10, %rdx, %rdx
+        addq	%rdx, %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, 256(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 264(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 272(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 280(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 288(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 296(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 304(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 312(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 320(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 328(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 336(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 344(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 352(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 360(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 368(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	%rax, 376(%rdi)
+        adcq	$0, %rcx
+        leaq	256(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	%rax, 248(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	%rax, 248(%r8)
+        sbbq	$0, %rcx
+        # Add in place
+        movq	128(%rdi), %rdx
+        addq	(%r8), %rdx
+        movq	136(%rdi), %rax
+        movq	%rdx, 128(%rdi)
+        adcq	8(%r8), %rax
+        movq	144(%rdi), %rdx
+        movq	%rax, 136(%rdi)
+        adcq	16(%r8), %rdx
+        movq	152(%rdi), %rax
+        movq	%rdx, 144(%rdi)
+        adcq	24(%r8), %rax
+        movq	160(%rdi), %rdx
+        movq	%rax, 152(%rdi)
+        adcq	32(%r8), %rdx
+        movq	168(%rdi), %rax
+        movq	%rdx, 160(%rdi)
+        adcq	40(%r8), %rax
+        movq	176(%rdi), %rdx
+        movq	%rax, 168(%rdi)
+        adcq	48(%r8), %rdx
+        movq	184(%rdi), %rax
+        movq	%rdx, 176(%rdi)
+        adcq	56(%r8), %rax
+        movq	192(%rdi), %rdx
+        movq	%rax, 184(%rdi)
+        adcq	64(%r8), %rdx
+        movq	200(%rdi), %rax
+        movq	%rdx, 192(%rdi)
+        adcq	72(%r8), %rax
+        movq	208(%rdi), %rdx
+        movq	%rax, 200(%rdi)
+        adcq	80(%r8), %rdx
+        movq	216(%rdi), %rax
+        movq	%rdx, 208(%rdi)
+        adcq	88(%r8), %rax
+        movq	224(%rdi), %rdx
+        movq	%rax, 216(%rdi)
+        adcq	96(%r8), %rdx
+        movq	232(%rdi), %rax
+        movq	%rdx, 224(%rdi)
+        adcq	104(%r8), %rax
+        movq	240(%rdi), %rdx
+        movq	%rax, 232(%rdi)
+        adcq	112(%r8), %rdx
+        movq	248(%rdi), %rax
+        movq	%rdx, 240(%rdi)
+        adcq	120(%r8), %rax
+        movq	256(%rdi), %rdx
+        movq	%rax, 248(%rdi)
+        adcq	128(%r8), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	136(%r8), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	144(%r8), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	152(%r8), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	160(%r8), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	168(%r8), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	176(%r8), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	184(%r8), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	192(%r8), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	200(%r8), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	208(%r8), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	216(%r8), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	224(%r8), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	232(%r8), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	240(%r8), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	248(%r8), %rax
+        movq	%rax, 376(%rdi)
+        adcq	$0, %rcx
+        movq	%rcx, 384(%rdi)
+        # Add in place
+        movq	256(%rdi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%rsi), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	8(%rsi), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	16(%rsi), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	24(%rsi), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	32(%rsi), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	40(%rsi), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	48(%rsi), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	56(%rsi), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	64(%rsi), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	72(%rsi), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	80(%rsi), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	88(%rsi), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	96(%rsi), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	104(%rsi), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	112(%rsi), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	120(%rsi), %rax
+        movq	384(%rdi), %rdx
+        movq	%rax, 376(%rdi)
+        adcq	128(%rsi), %rdx
+        movq	%rdx, 384(%rdi)
+        adcq	$0, %rcx
+        # Add to zero
+        movq	136(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	144(%rsi), %rax
+        movq	%rdx, 392(%rdi)
+        adcq	$0, %rax
+        movq	152(%rsi), %rdx
+        movq	%rax, 400(%rdi)
+        adcq	$0, %rdx
+        movq	160(%rsi), %rax
+        movq	%rdx, 408(%rdi)
+        adcq	$0, %rax
+        movq	168(%rsi), %rdx
+        movq	%rax, 416(%rdi)
+        adcq	$0, %rdx
+        movq	176(%rsi), %rax
+        movq	%rdx, 424(%rdi)
+        adcq	$0, %rax
+        movq	184(%rsi), %rdx
+        movq	%rax, 432(%rdi)
+        adcq	$0, %rdx
+        movq	192(%rsi), %rax
+        movq	%rdx, 440(%rdi)
+        adcq	$0, %rax
+        movq	200(%rsi), %rdx
+        movq	%rax, 448(%rdi)
+        adcq	$0, %rdx
+        movq	208(%rsi), %rax
+        movq	%rdx, 456(%rdi)
+        adcq	$0, %rax
+        movq	216(%rsi), %rdx
+        movq	%rax, 464(%rdi)
+        adcq	$0, %rdx
+        movq	224(%rsi), %rax
+        movq	%rdx, 472(%rdi)
+        adcq	$0, %rax
+        movq	232(%rsi), %rdx
+        movq	%rax, 480(%rdi)
+        adcq	$0, %rdx
+        movq	240(%rsi), %rax
+        movq	%rdx, 488(%rdi)
+        adcq	$0, %rax
+        movq	248(%rsi), %rdx
+        movq	%rax, 496(%rdi)
+        adcq	$0, %rdx
+        movq	%rdx, 504(%rdi)
+        addq	$664, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sqr_avx2_32,.-sp_2048_sqr_avx2_32
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_d_32
+.type	sp_2048_mul_d_32,@function
+.align	16
+sp_2048_mul_d_32:
+#else
+.globl	_sp_2048_mul_d_32
+.p2align	4
+_sp_2048_mul_d_32:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 40(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 48(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 56(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 64(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 72(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 80(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 88(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 96(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 104(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 112(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 120(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[16] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	128(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 128(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[17] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 136(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[18] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 144(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[19] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	152(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 152(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[20] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	160(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 160(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[21] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	168(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 168(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[22] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	176(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 176(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[23] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 184(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[24] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 192(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[25] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	200(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 200(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[26] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	208(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 208(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[27] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	216(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 216(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[28] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	224(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 224(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[29] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 232(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[30] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 240(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[31] * B
+        movq	%rcx, %rax
+        mulq	248(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        movq	%r9, 248(%rdi)
+        movq	%r10, 256(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_d_32,.-sp_2048_mul_d_32
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sub_in_place_16
+.type	sp_2048_sub_in_place_16,@function
+.align	16
+sp_2048_sub_in_place_16:
+#else
+.globl	_sp_2048_sub_in_place_16
+.p2align	4
+_sp_2048_sub_in_place_16:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rdx
+        xorq	%rax, %rax
+        subq	(%rsi), %rdx
+        movq	8(%rdi), %rcx
+        movq	%rdx, (%rdi)
+        sbbq	8(%rsi), %rcx
+        movq	16(%rdi), %rdx
+        movq	%rcx, 8(%rdi)
+        sbbq	16(%rsi), %rdx
+        movq	24(%rdi), %rcx
+        movq	%rdx, 16(%rdi)
+        sbbq	24(%rsi), %rcx
+        movq	32(%rdi), %rdx
+        movq	%rcx, 24(%rdi)
+        sbbq	32(%rsi), %rdx
+        movq	40(%rdi), %rcx
+        movq	%rdx, 32(%rdi)
+        sbbq	40(%rsi), %rcx
+        movq	48(%rdi), %rdx
+        movq	%rcx, 40(%rdi)
+        sbbq	48(%rsi), %rdx
+        movq	56(%rdi), %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	56(%rsi), %rcx
+        movq	64(%rdi), %rdx
+        movq	%rcx, 56(%rdi)
+        sbbq	64(%rsi), %rdx
+        movq	72(%rdi), %rcx
+        movq	%rdx, 64(%rdi)
+        sbbq	72(%rsi), %rcx
+        movq	80(%rdi), %rdx
+        movq	%rcx, 72(%rdi)
+        sbbq	80(%rsi), %rdx
+        movq	88(%rdi), %rcx
+        movq	%rdx, 80(%rdi)
+        sbbq	88(%rsi), %rcx
+        movq	96(%rdi), %rdx
+        movq	%rcx, 88(%rdi)
+        sbbq	96(%rsi), %rdx
+        movq	104(%rdi), %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	104(%rsi), %rcx
+        movq	112(%rdi), %rdx
+        movq	%rcx, 104(%rdi)
+        sbbq	112(%rsi), %rdx
+        movq	120(%rdi), %rcx
+        movq	%rdx, 112(%rdi)
+        sbbq	120(%rsi), %rcx
+        movq	%rcx, 120(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sub_in_place_16,.-sp_2048_sub_in_place_16
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_sub_16
+.type	sp_2048_cond_sub_16,@function
+.align	16
+sp_2048_cond_sub_16:
+#else
+.globl	_sp_2048_cond_sub_16
+.p2align	4
+_sp_2048_cond_sub_16:
+#endif /* __APPLE__ */
+        subq	$128, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        sbbq	$0, %rax
+        addq	$128, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_sub_16,.-sp_2048_cond_sub_16
+#endif /* __APPLE__ */
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mont_reduce_16
+.type	sp_2048_mont_reduce_16,@function
+.align	16
+sp_2048_mont_reduce_16:
+#else
+.globl	_sp_2048_mont_reduce_16
+.p2align	4
+_sp_2048_mont_reduce_16:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 16
+        movq	$16, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_16:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	$0, %r9
+        # a[i+6] += m[6] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        movq	48(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 48(%rdi)
+        adcq	$0, %r10
+        # a[i+7] += m[7] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	56(%rsi)
+        movq	56(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 56(%rdi)
+        adcq	$0, %r9
+        # a[i+8] += m[8] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	64(%rsi)
+        movq	64(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 64(%rdi)
+        adcq	$0, %r10
+        # a[i+9] += m[9] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	72(%rsi)
+        movq	72(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 72(%rdi)
+        adcq	$0, %r9
+        # a[i+10] += m[10] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	80(%rsi)
+        movq	80(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 80(%rdi)
+        adcq	$0, %r10
+        # a[i+11] += m[11] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        movq	88(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 88(%rdi)
+        adcq	$0, %r9
+        # a[i+12] += m[12] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        movq	96(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 96(%rdi)
+        adcq	$0, %r10
+        # a[i+13] += m[13] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	104(%rsi)
+        movq	104(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 104(%rdi)
+        adcq	$0, %r9
+        # a[i+14] += m[14] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	112(%rsi)
+        movq	112(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 112(%rdi)
+        adcq	$0, %r10
+        # a[i+15] += m[15] * mu
+        movq	%r11, %rax
+        mulq	120(%rsi)
+        movq	120(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 120(%rdi)
+        adcq	%rdx, 128(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_16
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$128, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_cond_sub_16@plt
+#else
+        callq	_sp_2048_cond_sub_16
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mont_reduce_16,.-sp_2048_mont_reduce_16
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_sub_avx2_16
+.type	sp_2048_cond_sub_avx2_16,@function
+.align	16
+sp_2048_cond_sub_avx2_16:
+#else
+.globl	_sp_2048_cond_sub_avx2_16
+.p2align	4
+_sp_2048_cond_sub_avx2_16:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        sbbq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        sbbq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        sbbq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        sbbq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        sbbq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        sbbq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        sbbq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        sbbq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        sbbq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        sbbq	%r9, %r8
+        movq	%r8, 120(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_sub_avx2_16,.-sp_2048_cond_sub_avx2_16
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_d_16
+.type	sp_2048_mul_d_16,@function
+.align	16
+sp_2048_mul_d_16:
+#else
+.globl	_sp_2048_mul_d_16
+.p2align	4
+_sp_2048_mul_d_16:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 40(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 48(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 56(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 64(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 72(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 80(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 88(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 96(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 104(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 112(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B
+        movq	%rcx, %rax
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 120(%rdi)
+        movq	%r9, 128(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_d_16,.-sp_2048_mul_d_16
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_d_avx2_16
+.type	sp_2048_mul_d_avx2_16,@function
+.align	16
+sp_2048_mul_d_avx2_16:
+#else
+.globl	_sp_2048_mul_d_avx2_16
+.p2align	4
+_sp_2048_mul_d_avx2_16:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 40(%rdi)
+        adoxq	%r8, %r9
+        # A[6] * B
+        mulxq	48(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 48(%rdi)
+        adoxq	%r8, %r10
+        # A[7] * B
+        mulxq	56(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 56(%rdi)
+        adoxq	%r8, %r9
+        # A[8] * B
+        mulxq	64(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 64(%rdi)
+        adoxq	%r8, %r10
+        # A[9] * B
+        mulxq	72(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 72(%rdi)
+        adoxq	%r8, %r9
+        # A[10] * B
+        mulxq	80(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 80(%rdi)
+        adoxq	%r8, %r10
+        # A[11] * B
+        mulxq	88(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 88(%rdi)
+        adoxq	%r8, %r9
+        # A[12] * B
+        mulxq	96(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 96(%rdi)
+        adoxq	%r8, %r10
+        # A[13] * B
+        mulxq	104(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 104(%rdi)
+        adoxq	%r8, %r9
+        # A[14] * B
+        mulxq	112(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 112(%rdi)
+        adoxq	%r8, %r10
+        # A[15] * B
+        mulxq	120(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 120(%rdi)
+        movq	%r9, 128(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_d_avx2_16,.-sp_2048_mul_d_avx2_16
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cmp_16
+.type	sp_2048_cmp_16,@function
+.align	16
+sp_2048_cmp_16:
+#else
+.globl	_sp_2048_cmp_16
+.p2align	4
+_sp_2048_cmp_16:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	120(%rdi), %r9
+        movq	120(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	112(%rdi), %r9
+        movq	112(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	104(%rdi), %r9
+        movq	104(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	96(%rdi), %r9
+        movq	96(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	88(%rdi), %r9
+        movq	88(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	80(%rdi), %r9
+        movq	80(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	72(%rdi), %r9
+        movq	72(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	64(%rdi), %r9
+        movq	64(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	56(%rdi), %r9
+        movq	56(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	48(%rdi), %r9
+        movq	48(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cmp_16,.-sp_2048_cmp_16
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mont_reduce_avx2_16
+.type	sp_2048_mont_reduce_avx2_16,@function
+.align	16
+sp_2048_mont_reduce_avx2_16:
+#else
+.globl	_sp_2048_mont_reduce_avx2_16
+.p2align	4
+_sp_2048_mont_reduce_avx2_16:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %r8
+        xorq	%r14, %r14
+        # i = 16
+        movq	$16, %r9
+        movq	(%rdi), %r13
+        addq	$64, %rdi
+        xorq	%r12, %r12
+L_mont_loop_avx2_16:
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-56(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -48(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -40(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -32(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -24(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -16(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -8(%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, (%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 8(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 16(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 24(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 32(%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 40(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 48(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 56(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 64(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -40(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -32(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -24(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -16(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -8(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	8(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, (%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	16(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 8(%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	24(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 16(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	32(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 24(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	40(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 32(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	48(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 40(%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	56(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 48(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	64(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 56(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	72(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 64(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 72(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # a += 2
+        addq	$16, %rdi
+        # i -= 2
+        subq	$2, %r9
+        jnz	L_mont_loop_avx2_16
+        subq	$64, %rdi
+        negq	%r14
+        movq	%rdi, %r8
+        subq	$128, %rdi
+        movq	(%rsi), %rcx
+        movq	%r13, %rdx
+        pextq	%r14, %rcx, %rcx
+        subq	%rcx, %rdx
+        movq	8(%rsi), %rcx
+        movq	8(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, (%rdi)
+        sbbq	%rcx, %rax
+        movq	16(%rsi), %rdx
+        movq	16(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 8(%rdi)
+        sbbq	%rdx, %rcx
+        movq	24(%rsi), %rax
+        movq	24(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 16(%rdi)
+        sbbq	%rax, %rdx
+        movq	32(%rsi), %rcx
+        movq	32(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 24(%rdi)
+        sbbq	%rcx, %rax
+        movq	40(%rsi), %rdx
+        movq	40(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 32(%rdi)
+        sbbq	%rdx, %rcx
+        movq	48(%rsi), %rax
+        movq	48(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 40(%rdi)
+        sbbq	%rax, %rdx
+        movq	56(%rsi), %rcx
+        movq	56(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	%rcx, %rax
+        movq	64(%rsi), %rdx
+        movq	64(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 56(%rdi)
+        sbbq	%rdx, %rcx
+        movq	72(%rsi), %rax
+        movq	72(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 64(%rdi)
+        sbbq	%rax, %rdx
+        movq	80(%rsi), %rcx
+        movq	80(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 72(%rdi)
+        sbbq	%rcx, %rax
+        movq	88(%rsi), %rdx
+        movq	88(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 80(%rdi)
+        sbbq	%rdx, %rcx
+        movq	96(%rsi), %rax
+        movq	96(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 88(%rdi)
+        sbbq	%rax, %rdx
+        movq	104(%rsi), %rcx
+        movq	104(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	%rcx, %rax
+        movq	112(%rsi), %rdx
+        movq	112(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 104(%rdi)
+        sbbq	%rdx, %rcx
+        movq	120(%rsi), %rax
+        movq	120(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 112(%rdi)
+        sbbq	%rax, %rdx
+        movq	%rdx, 120(%rdi)
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mont_reduce_avx2_16,.-sp_2048_mont_reduce_avx2_16
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_sub_32
+.type	sp_2048_cond_sub_32,@function
+.align	16
+sp_2048_cond_sub_32:
+#else
+.globl	_sp_2048_cond_sub_32
+.p2align	4
+_sp_2048_cond_sub_32:
+#endif /* __APPLE__ */
+        subq	$256, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	192(%rdx), %r8
+        movq	200(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 192(%rsp)
+        movq	%r9, 200(%rsp)
+        movq	208(%rdx), %r8
+        movq	216(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 208(%rsp)
+        movq	%r9, 216(%rsp)
+        movq	224(%rdx), %r8
+        movq	232(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 224(%rsp)
+        movq	%r9, 232(%rsp)
+        movq	240(%rdx), %r8
+        movq	248(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 240(%rsp)
+        movq	%r9, 248(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	192(%rsi), %r8
+        movq	192(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 184(%rdi)
+        movq	200(%rsi), %r9
+        movq	200(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 192(%rdi)
+        movq	208(%rsi), %r8
+        movq	208(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 200(%rdi)
+        movq	216(%rsi), %r9
+        movq	216(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 208(%rdi)
+        movq	224(%rsi), %r8
+        movq	224(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 216(%rdi)
+        movq	232(%rsi), %r9
+        movq	232(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 224(%rdi)
+        movq	240(%rsi), %r8
+        movq	240(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 232(%rdi)
+        movq	248(%rsi), %r9
+        movq	248(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        sbbq	$0, %rax
+        addq	$256, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_sub_32,.-sp_2048_cond_sub_32
+#endif /* __APPLE__ */
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mont_reduce_32
+.type	sp_2048_mont_reduce_32,@function
+.align	16
+sp_2048_mont_reduce_32:
+#else
+.globl	_sp_2048_mont_reduce_32
+.p2align	4
+_sp_2048_mont_reduce_32:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 32
+        movq	$32, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_32:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	$0, %r9
+        # a[i+6] += m[6] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        movq	48(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 48(%rdi)
+        adcq	$0, %r10
+        # a[i+7] += m[7] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	56(%rsi)
+        movq	56(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 56(%rdi)
+        adcq	$0, %r9
+        # a[i+8] += m[8] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	64(%rsi)
+        movq	64(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 64(%rdi)
+        adcq	$0, %r10
+        # a[i+9] += m[9] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	72(%rsi)
+        movq	72(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 72(%rdi)
+        adcq	$0, %r9
+        # a[i+10] += m[10] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	80(%rsi)
+        movq	80(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 80(%rdi)
+        adcq	$0, %r10
+        # a[i+11] += m[11] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        movq	88(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 88(%rdi)
+        adcq	$0, %r9
+        # a[i+12] += m[12] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        movq	96(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 96(%rdi)
+        adcq	$0, %r10
+        # a[i+13] += m[13] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	104(%rsi)
+        movq	104(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 104(%rdi)
+        adcq	$0, %r9
+        # a[i+14] += m[14] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	112(%rsi)
+        movq	112(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 112(%rdi)
+        adcq	$0, %r10
+        # a[i+15] += m[15] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	120(%rsi)
+        movq	120(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 120(%rdi)
+        adcq	$0, %r9
+        # a[i+16] += m[16] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	128(%rsi)
+        movq	128(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 128(%rdi)
+        adcq	$0, %r10
+        # a[i+17] += m[17] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        movq	136(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 136(%rdi)
+        adcq	$0, %r9
+        # a[i+18] += m[18] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        movq	144(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 144(%rdi)
+        adcq	$0, %r10
+        # a[i+19] += m[19] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	152(%rsi)
+        movq	152(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 152(%rdi)
+        adcq	$0, %r9
+        # a[i+20] += m[20] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	160(%rsi)
+        movq	160(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 160(%rdi)
+        adcq	$0, %r10
+        # a[i+21] += m[21] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	168(%rsi)
+        movq	168(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 168(%rdi)
+        adcq	$0, %r9
+        # a[i+22] += m[22] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	176(%rsi)
+        movq	176(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 176(%rdi)
+        adcq	$0, %r10
+        # a[i+23] += m[23] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        movq	184(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 184(%rdi)
+        adcq	$0, %r9
+        # a[i+24] += m[24] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        movq	192(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 192(%rdi)
+        adcq	$0, %r10
+        # a[i+25] += m[25] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	200(%rsi)
+        movq	200(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 200(%rdi)
+        adcq	$0, %r9
+        # a[i+26] += m[26] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	208(%rsi)
+        movq	208(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 208(%rdi)
+        adcq	$0, %r10
+        # a[i+27] += m[27] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	216(%rsi)
+        movq	216(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 216(%rdi)
+        adcq	$0, %r9
+        # a[i+28] += m[28] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	224(%rsi)
+        movq	224(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 224(%rdi)
+        adcq	$0, %r10
+        # a[i+29] += m[29] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        movq	232(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 232(%rdi)
+        adcq	$0, %r9
+        # a[i+30] += m[30] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        movq	240(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 240(%rdi)
+        adcq	$0, %r10
+        # a[i+31] += m[31] * mu
+        movq	%r11, %rax
+        mulq	248(%rsi)
+        movq	248(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 248(%rdi)
+        adcq	%rdx, 256(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_32
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$256, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_cond_sub_32@plt
+#else
+        callq	_sp_2048_cond_sub_32
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mont_reduce_32,.-sp_2048_mont_reduce_32
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_sub_avx2_32
+.type	sp_2048_cond_sub_avx2_32,@function
+.align	16
+sp_2048_cond_sub_avx2_32:
+#else
+.globl	_sp_2048_cond_sub_avx2_32
+.p2align	4
+_sp_2048_cond_sub_avx2_32:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        sbbq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        sbbq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        sbbq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        sbbq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        sbbq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        sbbq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        sbbq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        sbbq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        sbbq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        sbbq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        sbbq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        sbbq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        sbbq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        sbbq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        sbbq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        sbbq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        sbbq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        sbbq	%r8, %r10
+        movq	192(%rdx), %r9
+        movq	192(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 184(%rdi)
+        sbbq	%r9, %r8
+        movq	200(%rdx), %r10
+        movq	200(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 192(%rdi)
+        sbbq	%r10, %r9
+        movq	208(%rdx), %r8
+        movq	208(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 200(%rdi)
+        sbbq	%r8, %r10
+        movq	216(%rdx), %r9
+        movq	216(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 208(%rdi)
+        sbbq	%r9, %r8
+        movq	224(%rdx), %r10
+        movq	224(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 216(%rdi)
+        sbbq	%r10, %r9
+        movq	232(%rdx), %r8
+        movq	232(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 224(%rdi)
+        sbbq	%r8, %r10
+        movq	240(%rdx), %r9
+        movq	240(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 232(%rdi)
+        sbbq	%r9, %r8
+        movq	248(%rdx), %r10
+        movq	248(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 240(%rdi)
+        sbbq	%r10, %r9
+        movq	%r9, 248(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_sub_avx2_32,.-sp_2048_cond_sub_avx2_32
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mul_d_avx2_32
+.type	sp_2048_mul_d_avx2_32,@function
+.align	16
+sp_2048_mul_d_avx2_32:
+#else
+.globl	_sp_2048_mul_d_avx2_32
+.p2align	4
+_sp_2048_mul_d_avx2_32:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 40(%rdi)
+        adoxq	%r8, %r9
+        # A[6] * B
+        mulxq	48(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 48(%rdi)
+        adoxq	%r8, %r10
+        # A[7] * B
+        mulxq	56(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 56(%rdi)
+        adoxq	%r8, %r9
+        # A[8] * B
+        mulxq	64(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 64(%rdi)
+        adoxq	%r8, %r10
+        # A[9] * B
+        mulxq	72(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 72(%rdi)
+        adoxq	%r8, %r9
+        # A[10] * B
+        mulxq	80(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 80(%rdi)
+        adoxq	%r8, %r10
+        # A[11] * B
+        mulxq	88(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 88(%rdi)
+        adoxq	%r8, %r9
+        # A[12] * B
+        mulxq	96(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 96(%rdi)
+        adoxq	%r8, %r10
+        # A[13] * B
+        mulxq	104(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 104(%rdi)
+        adoxq	%r8, %r9
+        # A[14] * B
+        mulxq	112(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 112(%rdi)
+        adoxq	%r8, %r10
+        # A[15] * B
+        mulxq	120(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 120(%rdi)
+        adoxq	%r8, %r9
+        # A[16] * B
+        mulxq	128(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 128(%rdi)
+        adoxq	%r8, %r10
+        # A[17] * B
+        mulxq	136(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 136(%rdi)
+        adoxq	%r8, %r9
+        # A[18] * B
+        mulxq	144(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 144(%rdi)
+        adoxq	%r8, %r10
+        # A[19] * B
+        mulxq	152(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 152(%rdi)
+        adoxq	%r8, %r9
+        # A[20] * B
+        mulxq	160(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 160(%rdi)
+        adoxq	%r8, %r10
+        # A[21] * B
+        mulxq	168(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 168(%rdi)
+        adoxq	%r8, %r9
+        # A[22] * B
+        mulxq	176(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 176(%rdi)
+        adoxq	%r8, %r10
+        # A[23] * B
+        mulxq	184(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 184(%rdi)
+        adoxq	%r8, %r9
+        # A[24] * B
+        mulxq	192(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 192(%rdi)
+        adoxq	%r8, %r10
+        # A[25] * B
+        mulxq	200(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 200(%rdi)
+        adoxq	%r8, %r9
+        # A[26] * B
+        mulxq	208(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 208(%rdi)
+        adoxq	%r8, %r10
+        # A[27] * B
+        mulxq	216(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 216(%rdi)
+        adoxq	%r8, %r9
+        # A[28] * B
+        mulxq	224(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 224(%rdi)
+        adoxq	%r8, %r10
+        # A[29] * B
+        mulxq	232(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 232(%rdi)
+        adoxq	%r8, %r9
+        # A[30] * B
+        mulxq	240(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 240(%rdi)
+        adoxq	%r8, %r10
+        # A[31] * B
+        mulxq	248(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 248(%rdi)
+        movq	%r9, 256(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mul_d_avx2_32,.-sp_2048_mul_d_avx2_32
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cmp_32
+.type	sp_2048_cmp_32,@function
+.align	16
+sp_2048_cmp_32:
+#else
+.globl	_sp_2048_cmp_32
+.p2align	4
+_sp_2048_cmp_32:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	248(%rdi), %r9
+        movq	248(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	240(%rdi), %r9
+        movq	240(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	232(%rdi), %r9
+        movq	232(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	224(%rdi), %r9
+        movq	224(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	216(%rdi), %r9
+        movq	216(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	208(%rdi), %r9
+        movq	208(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	200(%rdi), %r9
+        movq	200(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	192(%rdi), %r9
+        movq	192(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	184(%rdi), %r9
+        movq	184(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	176(%rdi), %r9
+        movq	176(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	168(%rdi), %r9
+        movq	168(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	160(%rdi), %r9
+        movq	160(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	152(%rdi), %r9
+        movq	152(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	144(%rdi), %r9
+        movq	144(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	136(%rdi), %r9
+        movq	136(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	128(%rdi), %r9
+        movq	128(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	120(%rdi), %r9
+        movq	120(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	112(%rdi), %r9
+        movq	112(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	104(%rdi), %r9
+        movq	104(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	96(%rdi), %r9
+        movq	96(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	88(%rdi), %r9
+        movq	88(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	80(%rdi), %r9
+        movq	80(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	72(%rdi), %r9
+        movq	72(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	64(%rdi), %r9
+        movq	64(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	56(%rdi), %r9
+        movq	56(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	48(%rdi), %r9
+        movq	48(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cmp_32,.-sp_2048_cmp_32
+#endif /* __APPLE__ */
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_sub_32
+.type	sp_2048_sub_32,@function
+.align	16
+sp_2048_sub_32:
+#else
+.globl	_sp_2048_sub_32
+.p2align	4
+_sp_2048_sub_32:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        subq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        sbbq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        sbbq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        sbbq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        sbbq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        sbbq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        sbbq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        sbbq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        sbbq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        sbbq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        sbbq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        sbbq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        sbbq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        sbbq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        sbbq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        sbbq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        sbbq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        sbbq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        sbbq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        sbbq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        sbbq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        sbbq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        sbbq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        sbbq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        sbbq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        sbbq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        sbbq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        sbbq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        sbbq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        sbbq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        sbbq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        sbbq	248(%rdx), %r8
+        movq	%r8, 248(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_sub_32,.-sp_2048_sub_32
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 2048 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_mont_reduce_avx2_32
+.type	sp_2048_mont_reduce_avx2_32,@function
+.align	16
+sp_2048_mont_reduce_avx2_32:
+#else
+.globl	_sp_2048_mont_reduce_avx2_32
+.p2align	4
+_sp_2048_mont_reduce_avx2_32:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %r8
+        xorq	%r14, %r14
+        # i = 32
+        movq	$32, %r9
+        movq	(%rdi), %r13
+        addq	$128, %rdi
+        xorq	%r12, %r12
+L_mont_loop_avx2_32:
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-120(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-112(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -112(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -104(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -96(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -88(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	-72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -80(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	-64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -72(%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	-56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -64(%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -56(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -48(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -40(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -32(%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -24(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -16(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -8(%rdi)
+        # a[i+16] += m[16] * mu
+        mulxq	128(%rsi), %rax, %rcx
+        movq	8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, (%rdi)
+        # a[i+17] += m[17] * mu
+        mulxq	136(%rsi), %rax, %rcx
+        movq	16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 8(%rdi)
+        # a[i+18] += m[18] * mu
+        mulxq	144(%rsi), %rax, %rcx
+        movq	24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 16(%rdi)
+        # a[i+19] += m[19] * mu
+        mulxq	152(%rsi), %rax, %rcx
+        movq	32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 24(%rdi)
+        # a[i+20] += m[20] * mu
+        mulxq	160(%rsi), %rax, %rcx
+        movq	40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 32(%rdi)
+        # a[i+21] += m[21] * mu
+        mulxq	168(%rsi), %rax, %rcx
+        movq	48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 40(%rdi)
+        # a[i+22] += m[22] * mu
+        mulxq	176(%rsi), %rax, %rcx
+        movq	56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 48(%rdi)
+        # a[i+23] += m[23] * mu
+        mulxq	184(%rsi), %rax, %rcx
+        movq	64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 56(%rdi)
+        # a[i+24] += m[24] * mu
+        mulxq	192(%rsi), %rax, %rcx
+        movq	72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 64(%rdi)
+        # a[i+25] += m[25] * mu
+        mulxq	200(%rsi), %rax, %rcx
+        movq	80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 72(%rdi)
+        # a[i+26] += m[26] * mu
+        mulxq	208(%rsi), %rax, %rcx
+        movq	88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 80(%rdi)
+        # a[i+27] += m[27] * mu
+        mulxq	216(%rsi), %rax, %rcx
+        movq	96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 88(%rdi)
+        # a[i+28] += m[28] * mu
+        mulxq	224(%rsi), %rax, %rcx
+        movq	104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rdi)
+        # a[i+29] += m[29] * mu
+        mulxq	232(%rsi), %rax, %rcx
+        movq	112(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 104(%rdi)
+        # a[i+30] += m[30] * mu
+        mulxq	240(%rsi), %rax, %rcx
+        movq	120(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 112(%rdi)
+        # a[i+31] += m[31] * mu
+        mulxq	248(%rsi), %rax, %rcx
+        movq	128(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 120(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 128(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # a += 1
+        addq	$8, %rdi
+        # i -= 1
+        subq	$1, %r9
+        jnz	L_mont_loop_avx2_32
+        subq	$128, %rdi
+        negq	%r14
+        movq	%rdi, %r8
+        subq	$256, %rdi
+        movq	(%rsi), %rcx
+        movq	%r13, %rdx
+        pextq	%r14, %rcx, %rcx
+        subq	%rcx, %rdx
+        movq	8(%rsi), %rcx
+        movq	8(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, (%rdi)
+        sbbq	%rcx, %rax
+        movq	16(%rsi), %rdx
+        movq	16(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 8(%rdi)
+        sbbq	%rdx, %rcx
+        movq	24(%rsi), %rax
+        movq	24(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 16(%rdi)
+        sbbq	%rax, %rdx
+        movq	32(%rsi), %rcx
+        movq	32(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 24(%rdi)
+        sbbq	%rcx, %rax
+        movq	40(%rsi), %rdx
+        movq	40(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 32(%rdi)
+        sbbq	%rdx, %rcx
+        movq	48(%rsi), %rax
+        movq	48(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 40(%rdi)
+        sbbq	%rax, %rdx
+        movq	56(%rsi), %rcx
+        movq	56(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	%rcx, %rax
+        movq	64(%rsi), %rdx
+        movq	64(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 56(%rdi)
+        sbbq	%rdx, %rcx
+        movq	72(%rsi), %rax
+        movq	72(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 64(%rdi)
+        sbbq	%rax, %rdx
+        movq	80(%rsi), %rcx
+        movq	80(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 72(%rdi)
+        sbbq	%rcx, %rax
+        movq	88(%rsi), %rdx
+        movq	88(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 80(%rdi)
+        sbbq	%rdx, %rcx
+        movq	96(%rsi), %rax
+        movq	96(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 88(%rdi)
+        sbbq	%rax, %rdx
+        movq	104(%rsi), %rcx
+        movq	104(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	%rcx, %rax
+        movq	112(%rsi), %rdx
+        movq	112(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 104(%rdi)
+        sbbq	%rdx, %rcx
+        movq	120(%rsi), %rax
+        movq	120(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 112(%rdi)
+        sbbq	%rax, %rdx
+        movq	128(%rsi), %rcx
+        movq	128(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 120(%rdi)
+        sbbq	%rcx, %rax
+        movq	136(%rsi), %rdx
+        movq	136(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 128(%rdi)
+        sbbq	%rdx, %rcx
+        movq	144(%rsi), %rax
+        movq	144(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 136(%rdi)
+        sbbq	%rax, %rdx
+        movq	152(%rsi), %rcx
+        movq	152(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	%rcx, %rax
+        movq	160(%rsi), %rdx
+        movq	160(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 152(%rdi)
+        sbbq	%rdx, %rcx
+        movq	168(%rsi), %rax
+        movq	168(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 160(%rdi)
+        sbbq	%rax, %rdx
+        movq	176(%rsi), %rcx
+        movq	176(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 168(%rdi)
+        sbbq	%rcx, %rax
+        movq	184(%rsi), %rdx
+        movq	184(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 176(%rdi)
+        sbbq	%rdx, %rcx
+        movq	192(%rsi), %rax
+        movq	192(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 184(%rdi)
+        sbbq	%rax, %rdx
+        movq	200(%rsi), %rcx
+        movq	200(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	%rcx, %rax
+        movq	208(%rsi), %rdx
+        movq	208(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 200(%rdi)
+        sbbq	%rdx, %rcx
+        movq	216(%rsi), %rax
+        movq	216(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 208(%rdi)
+        sbbq	%rax, %rdx
+        movq	224(%rsi), %rcx
+        movq	224(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 216(%rdi)
+        sbbq	%rcx, %rax
+        movq	232(%rsi), %rdx
+        movq	232(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 224(%rdi)
+        sbbq	%rdx, %rcx
+        movq	240(%rsi), %rax
+        movq	240(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 232(%rdi)
+        sbbq	%rax, %rdx
+        movq	248(%rsi), %rcx
+        movq	248(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	%rcx, %rax
+        movq	%rax, 248(%rdi)
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_mont_reduce_avx2_32,.-sp_2048_mont_reduce_avx2_32
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_add_16
+.type	sp_2048_cond_add_16,@function
+.align	16
+sp_2048_cond_add_16:
+#else
+.globl	_sp_2048_cond_add_16
+.p2align	4
+_sp_2048_cond_add_16:
+#endif /* __APPLE__ */
+        subq	$128, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        addq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        adcq	$0, %rax
+        addq	$128, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_add_16,.-sp_2048_cond_add_16
+#endif /* __APPLE__ */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_cond_add_avx2_16
+.type	sp_2048_cond_add_avx2_16,@function
+.align	16
+sp_2048_cond_add_avx2_16:
+#else
+.globl	_sp_2048_cond_add_avx2_16
+.p2align	4
+_sp_2048_cond_add_avx2_16:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        addq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        adcq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        adcq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        adcq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        adcq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        adcq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        adcq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        adcq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        adcq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        adcq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        adcq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        adcq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        adcq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        adcq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        adcq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        adcq	%r9, %r8
+        movq	%r8, 120(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_cond_add_avx2_16,.-sp_2048_cond_add_avx2_16
+#endif /* __APPLE__ */
+/* Shift number left by n bit. (r = a << n)
+ *
+ * r  Result of left shift by n.
+ * a  Number to shift.
+ * n  Amoutnt o shift.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_lshift_32
+.type	sp_2048_lshift_32,@function
+.align	16
+sp_2048_lshift_32:
+#else
+.globl	_sp_2048_lshift_32
+.p2align	4
+_sp_2048_lshift_32:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        movq	$0, %r10
+        movq	216(%rsi), %r11
+        movq	224(%rsi), %rdx
+        movq	232(%rsi), %rax
+        movq	240(%rsi), %r8
+        movq	248(%rsi), %r9
+        shldq	%cl, %r9, %r10
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 224(%rdi)
+        movq	%rax, 232(%rdi)
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        movq	%r10, 256(%rdi)
+        movq	184(%rsi), %r9
+        movq	192(%rsi), %rdx
+        movq	200(%rsi), %rax
+        movq	208(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 192(%rdi)
+        movq	%rax, 200(%rdi)
+        movq	%r8, 208(%rdi)
+        movq	%r11, 216(%rdi)
+        movq	152(%rsi), %r11
+        movq	160(%rsi), %rdx
+        movq	168(%rsi), %rax
+        movq	176(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 160(%rdi)
+        movq	%rax, 168(%rdi)
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	120(%rsi), %r9
+        movq	128(%rsi), %rdx
+        movq	136(%rsi), %rax
+        movq	144(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 128(%rdi)
+        movq	%rax, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	%r11, 152(%rdi)
+        movq	88(%rsi), %r11
+        movq	96(%rsi), %rdx
+        movq	104(%rsi), %rax
+        movq	112(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 96(%rdi)
+        movq	%rax, 104(%rdi)
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        movq	56(%rsi), %r9
+        movq	64(%rsi), %rdx
+        movq	72(%rsi), %rax
+        movq	80(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 64(%rdi)
+        movq	%rax, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r11, 88(%rdi)
+        movq	24(%rsi), %r11
+        movq	32(%rsi), %rdx
+        movq	40(%rsi), %rax
+        movq	48(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 32(%rdi)
+        movq	%rax, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shlq	%cl, %rdx
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        repz retq
+#endif /* !WOLFSSL_SP_NO_2048 */
+#endif /* !WOLFSSL_SP_NO_2048 */
+#ifndef WOLFSSL_SP_NO_3072
+#ifndef WOLFSSL_SP_NO_3072
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_from_bin
+.type	sp_3072_from_bin,@function
+.align	16
+sp_3072_from_bin:
+#else
+.globl	_sp_3072_from_bin
+.p2align	4
+_sp_3072_from_bin:
+#endif /* __APPLE__ */
+        movq	%rdx, %r9
+        movq	%rdi, %r10
+        addq	%rcx, %r9
+        addq	$384, %r10
+        xorq	%r11, %r11
+        jmp	L_3072_from_bin_64_end
+L_3072_from_bin_64_start:
+        subq	$64, %r9
+        movbeq	56(%r9), %rax
+        movbeq	48(%r9), %r8
+        movq	%rax, (%rdi)
+        movq	%r8, 8(%rdi)
+        movbeq	40(%r9), %rax
+        movbeq	32(%r9), %r8
+        movq	%rax, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        movbeq	24(%r9), %rax
+        movbeq	16(%r9), %r8
+        movq	%rax, 32(%rdi)
+        movq	%r8, 40(%rdi)
+        movbeq	8(%r9), %rax
+        movbeq	(%r9), %r8
+        movq	%rax, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        addq	$64, %rdi
+        subq	$64, %rcx
+L_3072_from_bin_64_end:
+        cmpq	$63, %rcx
+        jg	L_3072_from_bin_64_start
+        jmp	L_3072_from_bin_8_end
+L_3072_from_bin_8_start:
+        subq	$8, %r9
+        movbeq	(%r9), %rax
+        movq	%rax, (%rdi)
+        addq	$8, %rdi
+        subq	$8, %rcx
+L_3072_from_bin_8_end:
+        cmpq	$7, %rcx
+        jg	L_3072_from_bin_8_start
+        cmpq	%r11, %rcx
+        je	L_3072_from_bin_hi_end
+        movq	%r11, %r8
+        movq	%r11, %rax
+L_3072_from_bin_hi_start:
+        movb	(%rdx), %al
+        shlq	$8, %r8
+        incq	%rdx
+        addq	%rax, %r8
+        decq	%rcx
+        jg	L_3072_from_bin_hi_start
+        movq	%r8, (%rdi)
+        addq	$8, %rdi
+L_3072_from_bin_hi_end:
+        cmpq	%r10, %rdi
+        je	L_3072_from_bin_zero_end
+L_3072_from_bin_zero_start:
+        movq	%r11, (%rdi)
+        addq	$8, %rdi
+        cmpq	%r10, %rdi
+        jl	L_3072_from_bin_zero_start
+L_3072_from_bin_zero_end:
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_from_bin,.-sp_3072_from_bin
+#endif /* __APPLE__ */
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 384
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_to_bin
+.type	sp_3072_to_bin,@function
+.align	16
+sp_3072_to_bin:
+#else
+.globl	_sp_3072_to_bin
+.p2align	4
+_sp_3072_to_bin:
+#endif /* __APPLE__ */
+        movbeq	376(%rdi), %rdx
+        movbeq	368(%rdi), %rax
+        movq	%rdx, (%rsi)
+        movq	%rax, 8(%rsi)
+        movbeq	360(%rdi), %rdx
+        movbeq	352(%rdi), %rax
+        movq	%rdx, 16(%rsi)
+        movq	%rax, 24(%rsi)
+        movbeq	344(%rdi), %rdx
+        movbeq	336(%rdi), %rax
+        movq	%rdx, 32(%rsi)
+        movq	%rax, 40(%rsi)
+        movbeq	328(%rdi), %rdx
+        movbeq	320(%rdi), %rax
+        movq	%rdx, 48(%rsi)
+        movq	%rax, 56(%rsi)
+        movbeq	312(%rdi), %rdx
+        movbeq	304(%rdi), %rax
+        movq	%rdx, 64(%rsi)
+        movq	%rax, 72(%rsi)
+        movbeq	296(%rdi), %rdx
+        movbeq	288(%rdi), %rax
+        movq	%rdx, 80(%rsi)
+        movq	%rax, 88(%rsi)
+        movbeq	280(%rdi), %rdx
+        movbeq	272(%rdi), %rax
+        movq	%rdx, 96(%rsi)
+        movq	%rax, 104(%rsi)
+        movbeq	264(%rdi), %rdx
+        movbeq	256(%rdi), %rax
+        movq	%rdx, 112(%rsi)
+        movq	%rax, 120(%rsi)
+        movbeq	248(%rdi), %rdx
+        movbeq	240(%rdi), %rax
+        movq	%rdx, 128(%rsi)
+        movq	%rax, 136(%rsi)
+        movbeq	232(%rdi), %rdx
+        movbeq	224(%rdi), %rax
+        movq	%rdx, 144(%rsi)
+        movq	%rax, 152(%rsi)
+        movbeq	216(%rdi), %rdx
+        movbeq	208(%rdi), %rax
+        movq	%rdx, 160(%rsi)
+        movq	%rax, 168(%rsi)
+        movbeq	200(%rdi), %rdx
+        movbeq	192(%rdi), %rax
+        movq	%rdx, 176(%rsi)
+        movq	%rax, 184(%rsi)
+        movbeq	184(%rdi), %rdx
+        movbeq	176(%rdi), %rax
+        movq	%rdx, 192(%rsi)
+        movq	%rax, 200(%rsi)
+        movbeq	168(%rdi), %rdx
+        movbeq	160(%rdi), %rax
+        movq	%rdx, 208(%rsi)
+        movq	%rax, 216(%rsi)
+        movbeq	152(%rdi), %rdx
+        movbeq	144(%rdi), %rax
+        movq	%rdx, 224(%rsi)
+        movq	%rax, 232(%rsi)
+        movbeq	136(%rdi), %rdx
+        movbeq	128(%rdi), %rax
+        movq	%rdx, 240(%rsi)
+        movq	%rax, 248(%rsi)
+        movbeq	120(%rdi), %rdx
+        movbeq	112(%rdi), %rax
+        movq	%rdx, 256(%rsi)
+        movq	%rax, 264(%rsi)
+        movbeq	104(%rdi), %rdx
+        movbeq	96(%rdi), %rax
+        movq	%rdx, 272(%rsi)
+        movq	%rax, 280(%rsi)
+        movbeq	88(%rdi), %rdx
+        movbeq	80(%rdi), %rax
+        movq	%rdx, 288(%rsi)
+        movq	%rax, 296(%rsi)
+        movbeq	72(%rdi), %rdx
+        movbeq	64(%rdi), %rax
+        movq	%rdx, 304(%rsi)
+        movq	%rax, 312(%rsi)
+        movbeq	56(%rdi), %rdx
+        movbeq	48(%rdi), %rax
+        movq	%rdx, 320(%rsi)
+        movq	%rax, 328(%rsi)
+        movbeq	40(%rdi), %rdx
+        movbeq	32(%rdi), %rax
+        movq	%rdx, 336(%rsi)
+        movq	%rax, 344(%rsi)
+        movbeq	24(%rdi), %rdx
+        movbeq	16(%rdi), %rax
+        movq	%rdx, 352(%rsi)
+        movq	%rax, 360(%rsi)
+        movbeq	8(%rdi), %rdx
+        movbeq	(%rdi), %rax
+        movq	%rdx, 368(%rsi)
+        movq	%rax, 376(%rsi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_to_bin,.-sp_3072_to_bin
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_12
+.type	sp_3072_mul_12,@function
+.align	16
+sp_3072_mul_12:
+#else
+.globl	_sp_3072_mul_12
+.p2align	4
+_sp_3072_mul_12:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        subq	$96, %rsp
+        # A[0] * B[0]
+        movq	(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        movq	%rax, (%rsp)
+        movq	%rdx, %r9
+        # A[0] * B[1]
+        movq	8(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[0]
+        movq	(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 8(%rsp)
+        # A[0] * B[2]
+        movq	16(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[1]
+        movq	8(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[0]
+        movq	(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 16(%rsp)
+        # A[0] * B[3]
+        movq	24(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[2]
+        movq	16(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[1]
+        movq	8(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[0]
+        movq	(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 24(%rsp)
+        # A[0] * B[4]
+        movq	32(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[3]
+        movq	24(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[2]
+        movq	16(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[1]
+        movq	8(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[0]
+        movq	(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 32(%rsp)
+        # A[0] * B[5]
+        movq	40(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[4]
+        movq	32(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[3]
+        movq	24(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[2]
+        movq	16(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[1]
+        movq	8(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[0]
+        movq	(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 40(%rsp)
+        # A[0] * B[6]
+        movq	48(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[5]
+        movq	40(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[4]
+        movq	32(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[3]
+        movq	24(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[2]
+        movq	16(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[1]
+        movq	8(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[0]
+        movq	(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 48(%rsp)
+        # A[0] * B[7]
+        movq	56(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[6]
+        movq	48(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[5]
+        movq	40(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[4]
+        movq	32(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[3]
+        movq	24(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[2]
+        movq	16(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[1]
+        movq	8(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[0]
+        movq	(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 56(%rsp)
+        # A[0] * B[8]
+        movq	64(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[7]
+        movq	56(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[6]
+        movq	48(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[5]
+        movq	40(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[4]
+        movq	32(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[3]
+        movq	24(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[2]
+        movq	16(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[1]
+        movq	8(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[0]
+        movq	(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 64(%rsp)
+        # A[0] * B[9]
+        movq	72(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[8]
+        movq	64(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[7]
+        movq	56(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[6]
+        movq	48(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[5]
+        movq	40(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[4]
+        movq	32(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[3]
+        movq	24(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[2]
+        movq	16(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[1]
+        movq	8(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[0]
+        movq	(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 72(%rsp)
+        # A[0] * B[10]
+        movq	80(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[9]
+        movq	72(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[8]
+        movq	64(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[7]
+        movq	56(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[6]
+        movq	48(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[5]
+        movq	40(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[4]
+        movq	32(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[3]
+        movq	24(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[2]
+        movq	16(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[1]
+        movq	8(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[0]
+        movq	(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 80(%rsp)
+        # A[0] * B[11]
+        movq	88(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[10]
+        movq	80(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[9]
+        movq	72(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[8]
+        movq	64(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[7]
+        movq	56(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[6]
+        movq	48(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[5]
+        movq	40(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[4]
+        movq	32(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[3]
+        movq	24(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[2]
+        movq	16(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[1]
+        movq	8(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[0]
+        movq	(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 88(%rsp)
+        # A[1] * B[11]
+        movq	88(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[10]
+        movq	80(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[9]
+        movq	72(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[8]
+        movq	64(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[7]
+        movq	56(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[6]
+        movq	48(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[5]
+        movq	40(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[4]
+        movq	32(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[3]
+        movq	24(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[2]
+        movq	16(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[1]
+        movq	8(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 96(%rdi)
+        # A[2] * B[11]
+        movq	88(%rcx), %rax
+        mulq	16(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[10]
+        movq	80(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[9]
+        movq	72(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[8]
+        movq	64(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[7]
+        movq	56(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[6]
+        movq	48(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[5]
+        movq	40(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[4]
+        movq	32(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[3]
+        movq	24(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[2]
+        movq	16(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 104(%rdi)
+        # A[3] * B[11]
+        movq	88(%rcx), %rax
+        mulq	24(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[10]
+        movq	80(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[9]
+        movq	72(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B[8]
+        movq	64(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[7]
+        movq	56(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[6]
+        movq	48(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[5]
+        movq	40(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[4]
+        movq	32(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[3]
+        movq	24(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 112(%rdi)
+        # A[4] * B[11]
+        movq	88(%rcx), %rax
+        mulq	32(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[10]
+        movq	80(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[6] * B[9]
+        movq	72(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B[8]
+        movq	64(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[7]
+        movq	56(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[6]
+        movq	48(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[5]
+        movq	40(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[4]
+        movq	32(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 120(%rdi)
+        # A[5] * B[11]
+        movq	88(%rcx), %rax
+        mulq	40(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[6] * B[10]
+        movq	80(%rcx), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[7] * B[9]
+        movq	72(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B[8]
+        movq	64(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[7]
+        movq	56(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[6]
+        movq	48(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[5]
+        movq	40(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 128(%rdi)
+        # A[6] * B[11]
+        movq	88(%rcx), %rax
+        mulq	48(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[7] * B[10]
+        movq	80(%rcx), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * B[9]
+        movq	72(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B[8]
+        movq	64(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[7]
+        movq	56(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[6]
+        movq	48(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 136(%rdi)
+        # A[7] * B[11]
+        movq	88(%rcx), %rax
+        mulq	56(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[8] * B[10]
+        movq	80(%rcx), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[9] * B[9]
+        movq	72(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B[8]
+        movq	64(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[7]
+        movq	56(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 144(%rdi)
+        # A[8] * B[11]
+        movq	88(%rcx), %rax
+        mulq	64(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[9] * B[10]
+        movq	80(%rcx), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[10] * B[9]
+        movq	72(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B[8]
+        movq	64(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 152(%rdi)
+        # A[9] * B[11]
+        movq	88(%rcx), %rax
+        mulq	72(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[10] * B[10]
+        movq	80(%rcx), %rax
+        mulq	80(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[11] * B[9]
+        movq	72(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 160(%rdi)
+        # A[10] * B[11]
+        movq	88(%rcx), %rax
+        mulq	80(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[11] * B[10]
+        movq	80(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 168(%rdi)
+        # A[11] * B[11]
+        movq	88(%rcx), %rax
+        mulq	88(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        movq	%r9, 176(%rdi)
+        movq	%r10, 184(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r8
+        movq	24(%rsp), %r9
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	48(%rsp), %r8
+        movq	56(%rsp), %r9
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	64(%rsp), %rax
+        movq	72(%rsp), %rdx
+        movq	80(%rsp), %r8
+        movq	88(%rsp), %r9
+        movq	%rax, 64(%rdi)
+        movq	%rdx, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r9, 88(%rdi)
+        addq	$96, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_12,.-sp_3072_mul_12
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_12
+.type	sp_3072_sqr_12,@function
+.align	16
+sp_3072_sqr_12:
+#else
+.globl	_sp_3072_sqr_12
+.p2align	4
+_sp_3072_sqr_12:
+#endif /* __APPLE__ */
+        push	%r12
+        subq	$96, %rsp
+        # A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        xorq	%r9, %r9
+        movq	%rax, (%rsp)
+        movq	%rdx, %r8
+        # A[0] * A[1]
+        movq	8(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 8(%rsp)
+        # A[0] * A[2]
+        movq	16(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 16(%rsp)
+        # A[0] * A[3]
+        movq	24(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * A[2]
+        movq	16(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 24(%rsp)
+        # A[0] * A[4]
+        movq	32(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[1] * A[3]
+        movq	24(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 32(%rsp)
+        # A[0] * A[5]
+        movq	40(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[4]
+        movq	32(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[3]
+        movq	24(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 40(%rsp)
+        # A[0] * A[6]
+        movq	48(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[5]
+        movq	40(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[4]
+        movq	32(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 48(%rsp)
+        # A[0] * A[7]
+        movq	56(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[6]
+        movq	48(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[5]
+        movq	40(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[4]
+        movq	32(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 56(%rsp)
+        # A[0] * A[8]
+        movq	64(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[7]
+        movq	56(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[6]
+        movq	48(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[5]
+        movq	40(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[4]
+        movq	32(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 64(%rsp)
+        # A[0] * A[9]
+        movq	72(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[8]
+        movq	64(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[7]
+        movq	56(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[6]
+        movq	48(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[5]
+        movq	40(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 72(%rsp)
+        # A[0] * A[10]
+        movq	80(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[9]
+        movq	72(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[8]
+        movq	64(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[7]
+        movq	56(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[6]
+        movq	48(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[5]
+        movq	40(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 80(%rsp)
+        # A[0] * A[11]
+        movq	88(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[10]
+        movq	80(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[9]
+        movq	72(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[8]
+        movq	64(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[7]
+        movq	56(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[6]
+        movq	48(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 88(%rsp)
+        # A[1] * A[11]
+        movq	88(%rsi), %rax
+        mulq	8(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[2] * A[10]
+        movq	80(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[3] * A[9]
+        movq	72(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[8]
+        movq	64(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[7]
+        movq	56(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[6]
+        movq	48(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 96(%rdi)
+        # A[2] * A[11]
+        movq	88(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[3] * A[10]
+        movq	80(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[4] * A[9]
+        movq	72(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[8]
+        movq	64(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[7]
+        movq	56(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 104(%rdi)
+        # A[3] * A[11]
+        movq	88(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[4] * A[10]
+        movq	80(%rsi), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[5] * A[9]
+        movq	72(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[8]
+        movq	64(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[7]
+        movq	56(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 112(%rdi)
+        # A[4] * A[11]
+        movq	88(%rsi), %rax
+        mulq	32(%rsi)
+        xorq	%r9, %r9
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[5] * A[10]
+        movq	80(%rsi), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[6] * A[9]
+        movq	72(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[8]
+        movq	64(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %rcx
+        adcq	%r11, %r8
+        adcq	%r12, %r9
+        movq	%rcx, 120(%rdi)
+        # A[5] * A[11]
+        movq	88(%rsi), %rax
+        mulq	40(%rsi)
+        xorq	%rcx, %rcx
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[6] * A[10]
+        movq	80(%rsi), %rax
+        mulq	48(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[7] * A[9]
+        movq	72(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[8]
+        movq	64(%rsi), %rax
+        mulq	%rax
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r8
+        adcq	%r11, %r9
+        adcq	%r12, %rcx
+        movq	%r8, 128(%rdi)
+        # A[6] * A[11]
+        movq	88(%rsi), %rax
+        mulq	48(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[7] * A[10]
+        movq	80(%rsi), %rax
+        mulq	56(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[8] * A[9]
+        movq	72(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 136(%rdi)
+        # A[7] * A[11]
+        movq	88(%rsi), %rax
+        mulq	56(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[8] * A[10]
+        movq	80(%rsi), %rax
+        mulq	64(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * A[9]
+        movq	72(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 144(%rdi)
+        # A[8] * A[11]
+        movq	88(%rsi), %rax
+        mulq	64(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[9] * A[10]
+        movq	80(%rsi), %rax
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 152(%rdi)
+        # A[9] * A[11]
+        movq	88(%rsi), %rax
+        mulq	72(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[10] * A[10]
+        movq	80(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 160(%rdi)
+        # A[10] * A[11]
+        movq	88(%rsi), %rax
+        mulq	80(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 168(%rdi)
+        # A[11] * A[11]
+        movq	88(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r10
+        movq	24(%rsp), %r11
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	48(%rsp), %r10
+        movq	56(%rsp), %r11
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        movq	%r10, 48(%rdi)
+        movq	%r11, 56(%rdi)
+        movq	64(%rsp), %rax
+        movq	72(%rsp), %rdx
+        movq	80(%rsp), %r10
+        movq	88(%rsp), %r11
+        movq	%rax, 64(%rdi)
+        movq	%rdx, 72(%rdi)
+        movq	%r10, 80(%rdi)
+        movq	%r11, 88(%rdi)
+        addq	$96, %rsp
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_12,.-sp_3072_sqr_12
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply.
+ * b   Second number to multiply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_avx2_12
+.type	sp_3072_mul_avx2_12,@function
+.align	16
+sp_3072_mul_avx2_12:
+#else
+.globl	_sp_3072_mul_avx2_12
+.p2align	4
+_sp_3072_mul_avx2_12:
+#endif /* __APPLE__ */
+        push	%rbx
+        push	%rbp
+        push	%r12
+        movq	%rdx, %rbp
+        subq	$96, %rsp
+        cmpq	%rdi, %rsi
+        movq	%rsp, %rbx
+        cmovne	%rdi, %rbx
+        cmpq	%rdi, %rbp
+        cmove	%rsp, %rbx
+        xorq	%r12, %r12
+        movq	(%rsi), %rdx
+        # A[0] * B[0]
+        mulx	(%rbp), %r8, %r9
+        # A[0] * B[1]
+        mulx	8(%rbp), %rax, %r10
+        movq	%r8, (%rbx)
+        adcxq	%rax, %r9
+        movq	%r9, 8(%rbx)
+        # A[0] * B[2]
+        mulx	16(%rbp), %rax, %r8
+        adcxq	%rax, %r10
+        # A[0] * B[3]
+        mulx	24(%rbp), %rax, %r9
+        movq	%r10, 16(%rbx)
+        adcxq	%rax, %r8
+        movq	%r8, 24(%rbx)
+        # A[0] * B[4]
+        mulx	32(%rbp), %rax, %r10
+        adcxq	%rax, %r9
+        # A[0] * B[5]
+        mulx	40(%rbp), %rax, %r8
+        movq	%r9, 32(%rbx)
+        adcxq	%rax, %r10
+        movq	%r10, 40(%rbx)
+        # A[0] * B[6]
+        mulx	48(%rbp), %rax, %r9
+        adcxq	%rax, %r8
+        # A[0] * B[7]
+        mulx	56(%rbp), %rax, %r10
+        movq	%r8, 48(%rbx)
+        adcxq	%rax, %r9
+        movq	%r9, 56(%rbx)
+        # A[0] * B[8]
+        mulx	64(%rbp), %rax, %r8
+        adcxq	%rax, %r10
+        # A[0] * B[9]
+        mulx	72(%rbp), %rax, %r9
+        movq	%r10, 64(%rbx)
+        adcxq	%rax, %r8
+        movq	%r8, 72(%rbx)
+        # A[0] * B[10]
+        mulx	80(%rbp), %rax, %r10
+        adcxq	%rax, %r9
+        # A[0] * B[11]
+        mulx	88(%rbp), %rax, %r8
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adcxq	%r12, %r8
+        movq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r10, 88(%rbx)
+        movq	%r8, 96(%rdi)
+        movq	8(%rsi), %rdx
+        movq	8(%rbx), %r9
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %r8
+        # A[1] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[1] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 8(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 16(%rbx)
+        movq	32(%rbx), %r9
+        movq	40(%rbx), %r10
+        # A[1] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[1] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 24(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 32(%rbx)
+        movq	48(%rbx), %r8
+        movq	56(%rbx), %r9
+        # A[1] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[1] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 40(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 48(%rbx)
+        movq	64(%rbx), %r10
+        movq	72(%rbx), %r8
+        # A[1] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[1] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 56(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 64(%rbx)
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        # A[1] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[1] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 72(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 80(%rbx)
+        movq	96(%rdi), %r8
+        # A[1] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[1] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        movq	%r12, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r11, %r9
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r8, 96(%rdi)
+        movq	%r9, 104(%rdi)
+        movq	16(%rsi), %rdx
+        movq	16(%rbx), %r10
+        movq	24(%rbx), %r8
+        movq	32(%rbx), %r9
+        # A[2] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[2] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 16(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 24(%rbx)
+        movq	40(%rbx), %r10
+        movq	48(%rbx), %r8
+        # A[2] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[2] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 32(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 40(%rbx)
+        movq	56(%rbx), %r9
+        movq	64(%rbx), %r10
+        # A[2] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[2] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 48(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 56(%rbx)
+        movq	72(%rbx), %r8
+        movq	80(%rbx), %r9
+        # A[2] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[2] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 64(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 72(%rbx)
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        # A[2] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[2] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 88(%rbx)
+        movq	104(%rdi), %r9
+        # A[2] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[2] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 96(%rdi)
+        movq	%r12, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r11, %r10
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r9, 104(%rdi)
+        movq	%r10, 112(%rdi)
+        movq	24(%rsi), %rdx
+        movq	24(%rbx), %r8
+        movq	32(%rbx), %r9
+        movq	40(%rbx), %r10
+        # A[3] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[3] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 24(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 32(%rbx)
+        movq	48(%rbx), %r8
+        movq	56(%rbx), %r9
+        # A[3] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[3] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 40(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 48(%rbx)
+        movq	64(%rbx), %r10
+        movq	72(%rbx), %r8
+        # A[3] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[3] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 56(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 64(%rbx)
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        # A[3] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[3] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 72(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 80(%rbx)
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[3] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[3] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r10
+        # A[3] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[3] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 104(%rdi)
+        movq	%r12, %r8
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        adcxq	%r11, %r8
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r10, 112(%rdi)
+        movq	%r8, 120(%rdi)
+        movq	32(%rsi), %rdx
+        movq	32(%rbx), %r9
+        movq	40(%rbx), %r10
+        movq	48(%rbx), %r8
+        # A[4] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[4] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 32(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 40(%rbx)
+        movq	56(%rbx), %r9
+        movq	64(%rbx), %r10
+        # A[4] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[4] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 48(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 56(%rbx)
+        movq	72(%rbx), %r8
+        movq	80(%rbx), %r9
+        # A[4] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[4] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 64(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 72(%rbx)
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        # A[4] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[4] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 88(%rbx)
+        movq	104(%rdi), %r9
+        movq	112(%rdi), %r10
+        # A[4] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[4] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 96(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r8
+        # A[4] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[4] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 112(%rdi)
+        movq	%r12, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r11, %r9
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r8, 120(%rdi)
+        movq	%r9, 128(%rdi)
+        movq	40(%rsi), %rdx
+        movq	40(%rbx), %r10
+        movq	48(%rbx), %r8
+        movq	56(%rbx), %r9
+        # A[5] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[5] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 40(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 48(%rbx)
+        movq	64(%rbx), %r10
+        movq	72(%rbx), %r8
+        # A[5] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[5] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 56(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 64(%rbx)
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        # A[5] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 72(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 80(%rbx)
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[5] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[5] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r10
+        movq	120(%rdi), %r8
+        # A[5] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[5] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 104(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 112(%rdi)
+        movq	128(%rdi), %r9
+        # A[5] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[5] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 120(%rdi)
+        movq	%r12, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r11, %r10
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r9, 128(%rdi)
+        movq	%r10, 136(%rdi)
+        movq	48(%rsi), %rdx
+        movq	48(%rbx), %r8
+        movq	56(%rbx), %r9
+        movq	64(%rbx), %r10
+        # A[6] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 48(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 56(%rbx)
+        movq	72(%rbx), %r8
+        movq	80(%rbx), %r9
+        # A[6] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[6] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 64(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 72(%rbx)
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        # A[6] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 88(%rbx)
+        movq	104(%rdi), %r9
+        movq	112(%rdi), %r10
+        # A[6] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[6] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 96(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r8
+        movq	128(%rdi), %r9
+        # A[6] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[6] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 112(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rdi)
+        movq	136(%rdi), %r10
+        # A[6] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[6] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        movq	%r12, %r8
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        adcxq	%r11, %r8
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r10, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	56(%rsi), %rdx
+        movq	56(%rbx), %r9
+        movq	64(%rbx), %r10
+        movq	72(%rbx), %r8
+        # A[7] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 56(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 64(%rbx)
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        # A[7] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[7] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 72(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 80(%rbx)
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[7] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[7] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r10
+        movq	120(%rdi), %r8
+        # A[7] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[7] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 104(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 112(%rdi)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[7] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[7] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 120(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r8
+        # A[7] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[7] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        movq	%r12, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r11, %r9
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r8, 144(%rdi)
+        movq	%r9, 152(%rdi)
+        movq	64(%rsi), %rdx
+        movq	64(%rbx), %r10
+        movq	72(%rbx), %r8
+        movq	80(%rbx), %r9
+        # A[8] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[8] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 64(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 72(%rbx)
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        # A[8] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[8] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 88(%rbx)
+        movq	104(%rdi), %r9
+        movq	112(%rdi), %r10
+        # A[8] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[8] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 96(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r8
+        movq	128(%rdi), %r9
+        # A[8] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[8] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 112(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rdi)
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r8
+        # A[8] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[8] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 136(%rdi)
+        movq	152(%rdi), %r9
+        # A[8] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[8] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 144(%rdi)
+        movq	%r12, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r11, %r10
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r9, 152(%rdi)
+        movq	%r10, 160(%rdi)
+        movq	72(%rsi), %rdx
+        movq	72(%rbx), %r8
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        # A[9] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[9] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r8, 72(%rbx)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 80(%rbx)
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[9] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[9] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r10
+        movq	120(%rdi), %r8
+        # A[9] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[9] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r9, 104(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 112(%rdi)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[9] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[9] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r8, 120(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[9] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[9] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rdi), %r10
+        # A[9] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[9] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r9, 152(%rdi)
+        movq	%r12, %r8
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        adcxq	%r11, %r8
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r10, 160(%rdi)
+        movq	%r8, 168(%rdi)
+        movq	80(%rsi), %rdx
+        movq	80(%rbx), %r9
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        # A[10] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[10] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r9, 80(%rbx)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 88(%rbx)
+        movq	104(%rdi), %r9
+        movq	112(%rdi), %r10
+        # A[10] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[10] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r8, 96(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r8
+        movq	128(%rdi), %r9
+        # A[10] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[10] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r10, 112(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rdi)
+        movq	136(%rdi), %r10
+        movq	144(%rdi), %r8
+        # A[10] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[10] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r9, 128(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 136(%rdi)
+        movq	152(%rdi), %r9
+        movq	160(%rdi), %r10
+        # A[10] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[10] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r8, 144(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 152(%rdi)
+        movq	168(%rdi), %r8
+        # A[10] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[10] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r10, 160(%rdi)
+        movq	%r12, %r9
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        adcxq	%r11, %r9
+        movq	%r12, %r11
+        adoxq	%r12, %r11
+        adcxq	%r12, %r11
+        movq	%r8, 168(%rdi)
+        movq	%r9, 176(%rdi)
+        movq	88(%rsi), %rdx
+        movq	88(%rbx), %r10
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[11] * B[0]
+        mulx	(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[11] * B[1]
+        mulx	8(%rbp), %rax, %rcx
+        movq	%r10, 88(%rbx)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r10
+        movq	120(%rdi), %r8
+        # A[11] * B[2]
+        mulx	16(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[11] * B[3]
+        mulx	24(%rbp), %rax, %rcx
+        movq	%r9, 104(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 112(%rdi)
+        movq	128(%rdi), %r9
+        movq	136(%rdi), %r10
+        # A[11] * B[4]
+        mulx	32(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] * B[5]
+        mulx	40(%rbp), %rax, %rcx
+        movq	%r8, 120(%rdi)
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[11] * B[6]
+        mulx	48(%rbp), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        # A[11] * B[7]
+        mulx	56(%rbp), %rax, %rcx
+        movq	%r10, 136(%rdi)
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rdi), %r10
+        movq	168(%rdi), %r8
+        # A[11] * B[8]
+        mulx	64(%rbp), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        # A[11] * B[9]
+        mulx	72(%rbp), %rax, %rcx
+        movq	%r9, 152(%rdi)
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r8
+        movq	%r10, 160(%rdi)
+        movq	176(%rdi), %r9
+        # A[11] * B[10]
+        mulx	80(%rbp), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        # A[11] * B[11]
+        mulx	88(%rbp), %rax, %rcx
+        movq	%r8, 168(%rdi)
+        movq	%r12, %r10
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r10
+        adcxq	%r11, %r10
+        movq	%r9, 176(%rdi)
+        movq	%r10, 184(%rdi)
+        cmpq	%rdi, %rsi
+        je	L_start_3072_mul_avx2_12
+        cmpq	%rdi, %rbp
+        jne	L_end_3072_mul_avx2_12
+L_start_3072_mul_avx2_12:
+        vmovdqu	(%rbx), %xmm0
+        vmovups	%xmm0, (%rdi)
+        vmovdqu	16(%rbx), %xmm0
+        vmovups	%xmm0, 16(%rdi)
+        vmovdqu	32(%rbx), %xmm0
+        vmovups	%xmm0, 32(%rdi)
+        vmovdqu	48(%rbx), %xmm0
+        vmovups	%xmm0, 48(%rdi)
+        vmovdqu	64(%rbx), %xmm0
+        vmovups	%xmm0, 64(%rdi)
+        vmovdqu	80(%rbx), %xmm0
+        vmovups	%xmm0, 80(%rdi)
+L_end_3072_mul_avx2_12:
+        addq	$96, %rsp
+        pop	%r12
+        pop	%rbp
+        pop	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_avx2_12,.-sp_3072_mul_avx2_12
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+#ifdef HAVE_INTEL_AVX2
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_avx2_12
+.type	sp_3072_sqr_avx2_12,@function
+.align	16
+sp_3072_sqr_avx2_12:
+#else
+.globl	_sp_3072_sqr_avx2_12
+.p2align	4
+_sp_3072_sqr_avx2_12:
+#endif /* __APPLE__ */
+        push	%rbp
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        subq	$96, %rsp
+        cmpq	%rdi, %rsi
+        movq	%rsp, %rbp
+        cmovne	%rdi, %rbp
+        xorq	%r10, %r10
+        # Diagonal 1
+        # A[1] x A[0]
+        movq	(%rsi), %rdx
+        mulxq	8(%rsi), %r8, %r9
+        movq	%r8, 8(%rbp)
+        movq	%r10, %r8
+        # A[2] x A[0]
+        mulxq	16(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 16(%rbp)
+        movq	%r10, %r9
+        # A[3] x A[0]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 24(%rbp)
+        movq	%r10, %r8
+        # A[4] x A[0]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 32(%rbp)
+        movq	%r10, %r9
+        # A[5] x A[0]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 40(%rbp)
+        movq	%r10, %r8
+        # A[6] x A[0]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 48(%rbp)
+        movq	%r10, %r9
+        # A[7] x A[0]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, %r12
+        movq	%r10, %r8
+        # A[8] x A[0]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, %r13
+        movq	%r10, %r9
+        # A[9] x A[0]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, %r14
+        movq	%r10, %r8
+        # A[10] x A[0]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, %r15
+        movq	%r10, %r9
+        # A[11] x A[0]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, %rbx
+        #  Carry
+        adcxq	%r10, %r9
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r9, 96(%rdi)
+        # Diagonal 2
+        movq	24(%rbp), %r9
+        movq	32(%rbp), %r8
+        # A[2] x A[1]
+        movq	8(%rsi), %rdx
+        mulxq	16(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 24(%rbp)
+        movq	40(%rbp), %r9
+        # A[3] x A[1]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 32(%rbp)
+        movq	48(%rbp), %r8
+        # A[4] x A[1]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 40(%rbp)
+        # No load %r12 - %r9
+        # A[5] x A[1]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r12
+        movq	%r8, 48(%rbp)
+        # No load %r13 - %r8
+        # A[6] x A[1]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r13
+        # No store %r12
+        # No load %r14 - %r9
+        # A[7] x A[1]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        # No store %r13
+        # No load %r15 - %r8
+        # A[8] x A[1]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # No store %r14
+        # No load %rbx - %r9
+        # A[9] x A[1]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r15
+        movq	96(%rdi), %r8
+        # A[10] x A[1]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r8
+        # No store %rbx
+        movq	%r10, %r9
+        # A[11] x A[1]
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	%r10, %r8
+        # A[11] x A[2]
+        movq	16(%rsi), %rdx
+        mulxq	88(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 104(%rdi)
+        #  Carry
+        adcxq	%r11, %r8
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r8, 112(%rdi)
+        # Diagonal 3
+        movq	40(%rbp), %r8
+        movq	48(%rbp), %r9
+        # A[3] x A[2]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 40(%rbp)
+        # No load %r12 - %r8
+        # A[4] x A[2]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r12
+        movq	%r9, 48(%rbp)
+        # No load %r13 - %r9
+        # A[5] x A[2]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r13
+        # No store %r12
+        # No load %r14 - %r8
+        # A[6] x A[2]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        # No store %r13
+        # No load %r15 - %r9
+        # A[7] x A[2]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # No store %r14
+        # No load %rbx - %r8
+        # A[8] x A[2]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r15
+        movq	96(%rdi), %r9
+        # A[9] x A[2]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r9
+        # No store %rbx
+        movq	104(%rdi), %r8
+        # A[10] x A[2]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 96(%rdi)
+        movq	112(%rdi), %r9
+        # A[10] x A[3]
+        movq	80(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 104(%rdi)
+        movq	%r10, %r8
+        # A[10] x A[4]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 112(%rdi)
+        movq	%r10, %r9
+        # A[10] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rdi)
+        #  Carry
+        adcxq	%r11, %r9
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r9, 128(%rdi)
+        # Diagonal 4
+        # No load %r12 - %r9
+        # No load %r13 - %r8
+        # A[4] x A[3]
+        movq	24(%rsi), %rdx
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r13
+        # No store %r12
+        # No load %r14 - %r9
+        # A[5] x A[3]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        # No store %r13
+        # No load %r15 - %r8
+        # A[6] x A[3]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # No store %r14
+        # No load %rbx - %r9
+        # A[7] x A[3]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r15
+        movq	96(%rdi), %r8
+        # A[8] x A[3]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r8
+        # No store %rbx
+        movq	104(%rdi), %r9
+        # A[9] x A[3]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r8
+        # A[9] x A[4]
+        movq	72(%rsi), %rdx
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r9
+        # A[9] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rdi), %r8
+        # A[9] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 120(%rdi)
+        movq	%r10, %r9
+        # A[9] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 128(%rdi)
+        movq	%r10, %r8
+        # A[9] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 136(%rdi)
+        #  Carry
+        adcxq	%r11, %r8
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r8, 144(%rdi)
+        # Diagonal 5
+        # No load %r14 - %r8
+        # No load %r15 - %r9
+        # A[5] x A[4]
+        movq	32(%rsi), %rdx
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        # No store %r14
+        # No load %rbx - %r8
+        # A[6] x A[4]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r15
+        adoxq	%rcx, %rbx
+        # No store %r15
+        movq	96(%rdi), %r9
+        # A[7] x A[4]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r9
+        # No store %rbx
+        movq	104(%rdi), %r8
+        # A[8] x A[4]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 96(%rdi)
+        movq	112(%rdi), %r9
+        # A[8] x A[5]
+        movq	64(%rsi), %rdx
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 104(%rdi)
+        movq	120(%rdi), %r8
+        # A[8] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 112(%rdi)
+        movq	128(%rdi), %r9
+        # A[8] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 120(%rdi)
+        movq	136(%rdi), %r8
+        # A[10] x A[6]
+        movq	80(%rsi), %rdx
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 128(%rdi)
+        movq	144(%rdi), %r9
+        # A[10] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 136(%rdi)
+        movq	%r10, %r8
+        # A[10] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 144(%rdi)
+        movq	%r10, %r9
+        # A[10] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 152(%rdi)
+        #  Carry
+        adcxq	%r11, %r9
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r9, 160(%rdi)
+        # Diagonal 6
+        # No load %rbx - %r9
+        movq	96(%rdi), %r8
+        # A[6] x A[5]
+        movq	40(%rsi), %rdx
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %rbx
+        adoxq	%rcx, %r8
+        # No store %rbx
+        movq	104(%rdi), %r9
+        # A[7] x A[5]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rdi), %r8
+        # A[7] x A[6]
+        movq	48(%rsi), %rdx
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rdi), %r9
+        # A[11] x A[3]
+        movq	88(%rsi), %rdx
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rdi), %r8
+        # A[11] x A[4]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rdi), %r9
+        # A[11] x A[5]
+        mulxq	40(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rdi), %r8
+        # A[11] x A[6]
+        mulxq	48(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rdi), %r9
+        # A[11] x A[7]
+        mulxq	56(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rdi), %r8
+        # A[11] x A[8]
+        mulxq	64(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 152(%rdi)
+        movq	%r10, %r9
+        # A[11] x A[9]
+        mulxq	72(%rsi), %rax, %rcx
+        adcxq	%rax, %r8
+        adoxq	%rcx, %r9
+        movq	%r8, 160(%rdi)
+        movq	%r10, %r8
+        # A[11] x A[10]
+        mulxq	80(%rsi), %rax, %rcx
+        adcxq	%rax, %r9
+        adoxq	%rcx, %r8
+        movq	%r9, 168(%rdi)
+        #  Carry
+        adcxq	%r11, %r8
+        movq	%r10, %r11
+        adcxq	%r10, %r11
+        adoxq	%r10, %r11
+        movq	%r8, 176(%rdi)
+        movq	%r11, 184(%rdi)
+        # Double and Add in A[i] x A[i]
+        movq	8(%rbp), %r9
+        # A[0] x A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        movq	%rax, (%rbp)
+        adoxq	%r9, %r9
+        adcxq	%rcx, %r9
+        movq	%r9, 8(%rbp)
+        movq	16(%rbp), %r8
+        movq	24(%rbp), %r9
+        # A[1] x A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 16(%rbp)
+        movq	%r9, 24(%rbp)
+        movq	32(%rbp), %r8
+        movq	40(%rbp), %r9
+        # A[2] x A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 32(%rbp)
+        movq	%r9, 40(%rbp)
+        movq	48(%rbp), %r8
+        # A[3] x A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r12, %r12
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r12
+        movq	%r8, 48(%rbp)
+        # A[4] x A[4]
+        movq	32(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r13, %r13
+        adoxq	%r14, %r14
+        adcxq	%rax, %r13
+        adcxq	%rcx, %r14
+        # A[5] x A[5]
+        movq	40(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r15, %r15
+        adoxq	%rbx, %rbx
+        adcxq	%rax, %r15
+        adcxq	%rcx, %rbx
+        movq	96(%rdi), %r8
+        movq	104(%rdi), %r9
+        # A[6] x A[6]
+        movq	48(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 96(%rdi)
+        movq	%r9, 104(%rdi)
+        movq	112(%rdi), %r8
+        movq	120(%rdi), %r9
+        # A[7] x A[7]
+        movq	56(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        movq	128(%rdi), %r8
+        movq	136(%rdi), %r9
+        # A[8] x A[8]
+        movq	64(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 128(%rdi)
+        movq	%r9, 136(%rdi)
+        movq	144(%rdi), %r8
+        movq	152(%rdi), %r9
+        # A[9] x A[9]
+        movq	72(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 144(%rdi)
+        movq	%r9, 152(%rdi)
+        movq	160(%rdi), %r8
+        movq	168(%rdi), %r9
+        # A[10] x A[10]
+        movq	80(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 160(%rdi)
+        movq	%r9, 168(%rdi)
+        movq	176(%rdi), %r8
+        movq	184(%rdi), %r9
+        # A[11] x A[11]
+        movq	88(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r8, %r8
+        adoxq	%r9, %r9
+        adcxq	%rax, %r8
+        adcxq	%rcx, %r9
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	%r12, 56(%rdi)
+        movq	%r13, 64(%rdi)
+        movq	%r14, 72(%rdi)
+        movq	%r15, 80(%rdi)
+        movq	%rbx, 88(%rdi)
+        cmpq	%rdi, %rsi
+        jne	L_end_3072_sqr_avx2_12
+        vmovdqu	(%rbp), %xmm0
+        vmovups	%xmm0, (%rdi)
+        vmovdqu	16(%rbp), %xmm0
+        vmovups	%xmm0, 16(%rdi)
+        vmovdqu	32(%rbp), %xmm0
+        vmovups	%xmm0, 32(%rdi)
+        movq	48(%rbp), %rax
+        movq	%rax, 48(%rdi)
+L_end_3072_sqr_avx2_12:
+        addq	$96, %rsp
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        pop	%rbp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_avx2_12,.-sp_3072_sqr_avx2_12
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_add_12
+.type	sp_3072_add_12,@function
+.align	16
+sp_3072_add_12:
+#else
+.globl	_sp_3072_add_12
+.p2align	4
+_sp_3072_add_12:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	%r8, 88(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_add_12,.-sp_3072_add_12
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sub_in_place_24
+.type	sp_3072_sub_in_place_24,@function
+.align	16
+sp_3072_sub_in_place_24:
+#else
+.globl	_sp_3072_sub_in_place_24
+.p2align	4
+_sp_3072_sub_in_place_24:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rdx
+        xorq	%rax, %rax
+        subq	(%rsi), %rdx
+        movq	8(%rdi), %rcx
+        movq	%rdx, (%rdi)
+        sbbq	8(%rsi), %rcx
+        movq	16(%rdi), %rdx
+        movq	%rcx, 8(%rdi)
+        sbbq	16(%rsi), %rdx
+        movq	24(%rdi), %rcx
+        movq	%rdx, 16(%rdi)
+        sbbq	24(%rsi), %rcx
+        movq	32(%rdi), %rdx
+        movq	%rcx, 24(%rdi)
+        sbbq	32(%rsi), %rdx
+        movq	40(%rdi), %rcx
+        movq	%rdx, 32(%rdi)
+        sbbq	40(%rsi), %rcx
+        movq	48(%rdi), %rdx
+        movq	%rcx, 40(%rdi)
+        sbbq	48(%rsi), %rdx
+        movq	56(%rdi), %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	56(%rsi), %rcx
+        movq	64(%rdi), %rdx
+        movq	%rcx, 56(%rdi)
+        sbbq	64(%rsi), %rdx
+        movq	72(%rdi), %rcx
+        movq	%rdx, 64(%rdi)
+        sbbq	72(%rsi), %rcx
+        movq	80(%rdi), %rdx
+        movq	%rcx, 72(%rdi)
+        sbbq	80(%rsi), %rdx
+        movq	88(%rdi), %rcx
+        movq	%rdx, 80(%rdi)
+        sbbq	88(%rsi), %rcx
+        movq	96(%rdi), %rdx
+        movq	%rcx, 88(%rdi)
+        sbbq	96(%rsi), %rdx
+        movq	104(%rdi), %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	104(%rsi), %rcx
+        movq	112(%rdi), %rdx
+        movq	%rcx, 104(%rdi)
+        sbbq	112(%rsi), %rdx
+        movq	120(%rdi), %rcx
+        movq	%rdx, 112(%rdi)
+        sbbq	120(%rsi), %rcx
+        movq	128(%rdi), %rdx
+        movq	%rcx, 120(%rdi)
+        sbbq	128(%rsi), %rdx
+        movq	136(%rdi), %rcx
+        movq	%rdx, 128(%rdi)
+        sbbq	136(%rsi), %rcx
+        movq	144(%rdi), %rdx
+        movq	%rcx, 136(%rdi)
+        sbbq	144(%rsi), %rdx
+        movq	152(%rdi), %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	152(%rsi), %rcx
+        movq	160(%rdi), %rdx
+        movq	%rcx, 152(%rdi)
+        sbbq	160(%rsi), %rdx
+        movq	168(%rdi), %rcx
+        movq	%rdx, 160(%rdi)
+        sbbq	168(%rsi), %rcx
+        movq	176(%rdi), %rdx
+        movq	%rcx, 168(%rdi)
+        sbbq	176(%rsi), %rdx
+        movq	184(%rdi), %rcx
+        movq	%rdx, 176(%rdi)
+        sbbq	184(%rsi), %rcx
+        movq	%rcx, 184(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sub_in_place_24,.-sp_3072_sub_in_place_24
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_add_24
+.type	sp_3072_add_24,@function
+.align	16
+sp_3072_add_24:
+#else
+.globl	_sp_3072_add_24
+.p2align	4
+_sp_3072_add_24:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        adcq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        adcq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        adcq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        adcq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        adcq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        adcq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        adcq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        adcq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        adcq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        adcq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        adcq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        adcq	184(%rdx), %r8
+        movq	%r8, 184(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_add_24,.-sp_3072_add_24
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_24
+.type	sp_3072_mul_24,@function
+.align	16
+sp_3072_mul_24:
+#else
+.globl	_sp_3072_mul_24
+.p2align	4
+_sp_3072_mul_24:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$616, %rsp
+        movq	%rdi, 576(%rsp)
+        movq	%rsi, 584(%rsp)
+        movq	%rdx, 592(%rsp)
+        leaq	384(%rsp), %r10
+        leaq	96(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	%r8, 88(%r10)
+        adcq	$0, %r13
+        movq	%r13, 600(%rsp)
+        leaq	480(%rsp), %r11
+        leaq	96(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	%r8, 88(%r11)
+        adcq	$0, %r14
+        movq	%r14, 608(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_12@plt
+#else
+        callq	_sp_3072_mul_12
+#endif /* __APPLE__ */
+        movq	592(%rsp), %rdx
+        movq	584(%rsp), %rsi
+        leaq	192(%rsp), %rdi
+        addq	$96, %rdx
+        addq	$96, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_mul_12@plt
+#else
+        callq	_sp_3072_mul_12
+#endif /* __APPLE__ */
+        movq	592(%rsp), %rdx
+        movq	584(%rsp), %rsi
+        movq	576(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_12@plt
+#else
+        callq	_sp_3072_mul_12
+#endif /* __APPLE__ */
+        movq	600(%rsp), %r13
+        movq	608(%rsp), %r14
+        movq	576(%rsp), %r15
+        movq	%r13, %r9
+        leaq	384(%rsp), %r10
+        leaq	480(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$192, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, (%r10)
+        movq	%rcx, (%r11)
+        movq	8(%r10), %rax
+        movq	8(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 8(%r10)
+        movq	%rcx, 8(%r11)
+        movq	16(%r10), %rax
+        movq	16(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 16(%r10)
+        movq	%rcx, 16(%r11)
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 24(%r10)
+        movq	%rcx, 24(%r11)
+        movq	32(%r10), %rax
+        movq	32(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 32(%r10)
+        movq	%rcx, 32(%r11)
+        movq	40(%r10), %rax
+        movq	40(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 40(%r10)
+        movq	%rcx, 40(%r11)
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 48(%r10)
+        movq	%rcx, 48(%r11)
+        movq	56(%r10), %rax
+        movq	56(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 56(%r10)
+        movq	%rcx, 56(%r11)
+        movq	64(%r10), %rax
+        movq	64(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 64(%r10)
+        movq	%rcx, 64(%r11)
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 72(%r10)
+        movq	%rcx, 72(%r11)
+        movq	80(%r10), %rax
+        movq	80(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 80(%r10)
+        movq	%rcx, 80(%r11)
+        movq	88(%r10), %rax
+        movq	88(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 88(%r10)
+        movq	%rcx, 88(%r11)
+        movq	(%r10), %rax
+        addq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	%r8, 88(%r15)
+        adcq	$0, %r9
+        leaq	192(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	%r8, 184(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	%r8, 184(%r10)
+        sbbq	$0, %r9
+        subq	$96, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	%r8, 184(%r15)
+        adcq	$0, %r9
+        movq	%r9, 288(%rdi)
+        addq	$96, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	%rax, 96(%r15)
+        # Add to zero
+        movq	104(%r11), %rax
+        adcq	$0, %rax
+        movq	112(%r11), %rcx
+        movq	%rax, 104(%r15)
+        adcq	$0, %rcx
+        movq	120(%r11), %r8
+        movq	%rcx, 112(%r15)
+        adcq	$0, %r8
+        movq	128(%r11), %rax
+        movq	%r8, 120(%r15)
+        adcq	$0, %rax
+        movq	136(%r11), %rcx
+        movq	%rax, 128(%r15)
+        adcq	$0, %rcx
+        movq	144(%r11), %r8
+        movq	%rcx, 136(%r15)
+        adcq	$0, %r8
+        movq	152(%r11), %rax
+        movq	%r8, 144(%r15)
+        adcq	$0, %rax
+        movq	160(%r11), %rcx
+        movq	%rax, 152(%r15)
+        adcq	$0, %rcx
+        movq	168(%r11), %r8
+        movq	%rcx, 160(%r15)
+        adcq	$0, %r8
+        movq	176(%r11), %rax
+        movq	%r8, 168(%r15)
+        adcq	$0, %rax
+        movq	184(%r11), %rcx
+        movq	%rax, 176(%r15)
+        adcq	$0, %rcx
+        movq	%rcx, 184(%r15)
+        addq	$616, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_24,.-sp_3072_mul_24
+#endif /* __APPLE__ */
+/* Add a to a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_dbl_12
+.type	sp_3072_dbl_12,@function
+.align	16
+sp_3072_dbl_12:
+#else
+.globl	_sp_3072_dbl_12
+.p2align	4
+_sp_3072_dbl_12:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        xorq	%rax, %rax
+        addq	%rdx, %rdx
+        movq	8(%rsi), %rcx
+        movq	%rdx, (%rdi)
+        adcq	%rcx, %rcx
+        movq	16(%rsi), %rdx
+        movq	%rcx, 8(%rdi)
+        adcq	%rdx, %rdx
+        movq	24(%rsi), %rcx
+        movq	%rdx, 16(%rdi)
+        adcq	%rcx, %rcx
+        movq	32(%rsi), %rdx
+        movq	%rcx, 24(%rdi)
+        adcq	%rdx, %rdx
+        movq	40(%rsi), %rcx
+        movq	%rdx, 32(%rdi)
+        adcq	%rcx, %rcx
+        movq	48(%rsi), %rdx
+        movq	%rcx, 40(%rdi)
+        adcq	%rdx, %rdx
+        movq	56(%rsi), %rcx
+        movq	%rdx, 48(%rdi)
+        adcq	%rcx, %rcx
+        movq	64(%rsi), %rdx
+        movq	%rcx, 56(%rdi)
+        adcq	%rdx, %rdx
+        movq	72(%rsi), %rcx
+        movq	%rdx, 64(%rdi)
+        adcq	%rcx, %rcx
+        movq	80(%rsi), %rdx
+        movq	%rcx, 72(%rdi)
+        adcq	%rdx, %rdx
+        movq	88(%rsi), %rcx
+        movq	%rdx, 80(%rdi)
+        adcq	%rcx, %rcx
+        movq	%rcx, 88(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_dbl_12,.-sp_3072_dbl_12
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_24
+.type	sp_3072_sqr_24,@function
+.align	16
+sp_3072_sqr_24:
+#else
+.globl	_sp_3072_sqr_24
+.p2align	4
+_sp_3072_sqr_24:
+#endif /* __APPLE__ */
+        subq	$504, %rsp
+        movq	%rdi, 480(%rsp)
+        movq	%rsi, 488(%rsp)
+        leaq	384(%rsp), %r8
+        leaq	96(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	%rax, 88(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 496(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_12@plt
+#else
+        callq	_sp_3072_sqr_12
+#endif /* __APPLE__ */
+        movq	488(%rsp), %rsi
+        leaq	192(%rsp), %rdi
+        addq	$96, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_12@plt
+#else
+        callq	_sp_3072_sqr_12
+#endif /* __APPLE__ */
+        movq	488(%rsp), %rsi
+        movq	480(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_12@plt
+#else
+        callq	_sp_3072_sqr_12
+#endif /* __APPLE__ */
+        movq	496(%rsp), %r10
+        movq	%rdi, %r9
+        leaq	384(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        addq	$192, %r9
+        movq	(%r8), %rdx
+        movq	8(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, (%r9)
+        movq	%rax, 8(%r9)
+        movq	16(%r8), %rdx
+        movq	24(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 16(%r9)
+        movq	%rax, 24(%r9)
+        movq	32(%r8), %rdx
+        movq	40(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 32(%r9)
+        movq	%rax, 40(%r9)
+        movq	48(%r8), %rdx
+        movq	56(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 48(%r9)
+        movq	%rax, 56(%r9)
+        movq	64(%r8), %rdx
+        movq	72(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 64(%r9)
+        movq	%rax, 72(%r9)
+        movq	80(%r8), %rdx
+        movq	88(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 80(%r9)
+        movq	%rax, 88(%r9)
+        movq	(%r9), %rdx
+        addq	%rdx, %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	%rax, %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	%rdx, %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	%rax, %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	%rdx, %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	%rax, %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	%rdx, %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	%rax, %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	%rdx, %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	%rax, %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	%rdx, %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	%rax, %rax
+        movq	%rax, 88(%r9)
+        adcq	$0, %rcx
+        leaq	192(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	%rax, 184(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	%rax, 184(%r8)
+        sbbq	$0, %rcx
+        subq	$96, %r9
+        # Add in place
+        movq	(%r9), %rdx
+        addq	(%r8), %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	8(%r8), %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	16(%r8), %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	24(%r8), %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	32(%r8), %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	40(%r8), %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	48(%r8), %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	56(%r8), %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	64(%r8), %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	72(%r8), %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	80(%r8), %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	88(%r8), %rax
+        movq	96(%r9), %rdx
+        movq	%rax, 88(%r9)
+        adcq	96(%r8), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	104(%r8), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	112(%r8), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	120(%r8), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	128(%r8), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	136(%r8), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	144(%r8), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	152(%r8), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	160(%r8), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	168(%r8), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	176(%r8), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	184(%r8), %rax
+        movq	%rax, 184(%r9)
+        adcq	$0, %rcx
+        movq	%rcx, 288(%rdi)
+        # Add in place
+        movq	96(%r9), %rdx
+        addq	(%rsi), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	8(%rsi), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	16(%rsi), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	24(%rsi), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	32(%rsi), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	40(%rsi), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	48(%rsi), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	56(%rsi), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	64(%rsi), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	72(%rsi), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	80(%rsi), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	88(%rsi), %rax
+        movq	192(%r9), %rdx
+        movq	%rax, 184(%r9)
+        adcq	96(%rsi), %rdx
+        movq	%rdx, 192(%r9)
+        # Add to zero
+        movq	104(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	112(%rsi), %rax
+        movq	%rdx, 200(%r9)
+        adcq	$0, %rax
+        movq	120(%rsi), %rdx
+        movq	%rax, 208(%r9)
+        adcq	$0, %rdx
+        movq	128(%rsi), %rax
+        movq	%rdx, 216(%r9)
+        adcq	$0, %rax
+        movq	136(%rsi), %rdx
+        movq	%rax, 224(%r9)
+        adcq	$0, %rdx
+        movq	144(%rsi), %rax
+        movq	%rdx, 232(%r9)
+        adcq	$0, %rax
+        movq	152(%rsi), %rdx
+        movq	%rax, 240(%r9)
+        adcq	$0, %rdx
+        movq	160(%rsi), %rax
+        movq	%rdx, 248(%r9)
+        adcq	$0, %rax
+        movq	168(%rsi), %rdx
+        movq	%rax, 256(%r9)
+        adcq	$0, %rdx
+        movq	176(%rsi), %rax
+        movq	%rdx, 264(%r9)
+        adcq	$0, %rax
+        movq	184(%rsi), %rdx
+        movq	%rax, 272(%r9)
+        adcq	$0, %rdx
+        movq	%rdx, 280(%r9)
+        addq	$504, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_24,.-sp_3072_sqr_24
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_avx2_24
+.type	sp_3072_mul_avx2_24,@function
+.align	16
+sp_3072_mul_avx2_24:
+#else
+.globl	_sp_3072_mul_avx2_24
+.p2align	4
+_sp_3072_mul_avx2_24:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$616, %rsp
+        movq	%rdi, 576(%rsp)
+        movq	%rsi, 584(%rsp)
+        movq	%rdx, 592(%rsp)
+        leaq	384(%rsp), %r10
+        leaq	96(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	%r8, 88(%r10)
+        adcq	$0, %r13
+        movq	%r13, 600(%rsp)
+        leaq	480(%rsp), %r11
+        leaq	96(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	%r8, 88(%r11)
+        adcq	$0, %r14
+        movq	%r14, 608(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_12@plt
+#else
+        callq	_sp_3072_mul_avx2_12
+#endif /* __APPLE__ */
+        movq	592(%rsp), %rdx
+        movq	584(%rsp), %rsi
+        leaq	192(%rsp), %rdi
+        addq	$96, %rdx
+        addq	$96, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_12@plt
+#else
+        callq	_sp_3072_mul_avx2_12
+#endif /* __APPLE__ */
+        movq	592(%rsp), %rdx
+        movq	584(%rsp), %rsi
+        movq	576(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_12@plt
+#else
+        callq	_sp_3072_mul_avx2_12
+#endif /* __APPLE__ */
+        movq	600(%rsp), %r13
+        movq	608(%rsp), %r14
+        movq	576(%rsp), %r15
+        movq	%r13, %r9
+        leaq	384(%rsp), %r10
+        leaq	480(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$192, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        addq	%rcx, %rax
+        movq	8(%r10), %rcx
+        movq	8(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, (%r15)
+        adcq	%r8, %rcx
+        movq	16(%r10), %r8
+        movq	16(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 8(%r15)
+        adcq	%rax, %r8
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 16(%r15)
+        adcq	%rcx, %rax
+        movq	32(%r10), %rcx
+        movq	32(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 24(%r15)
+        adcq	%r8, %rcx
+        movq	40(%r10), %r8
+        movq	40(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 32(%r15)
+        adcq	%rax, %r8
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 40(%r15)
+        adcq	%rcx, %rax
+        movq	56(%r10), %rcx
+        movq	56(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 48(%r15)
+        adcq	%r8, %rcx
+        movq	64(%r10), %r8
+        movq	64(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 56(%r15)
+        adcq	%rax, %r8
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 64(%r15)
+        adcq	%rcx, %rax
+        movq	80(%r10), %rcx
+        movq	80(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 72(%r15)
+        adcq	%r8, %rcx
+        movq	88(%r10), %r8
+        movq	88(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 80(%r15)
+        adcq	%rax, %r8
+        movq	%r8, 88(%r15)
+        adcq	$0, %r9
+        leaq	192(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	%r8, 184(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	%r8, 184(%r10)
+        sbbq	$0, %r9
+        subq	$96, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	%r8, 184(%r15)
+        adcq	$0, %r9
+        movq	%r9, 288(%rdi)
+        addq	$96, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	%rax, 96(%r15)
+        # Add to zero
+        movq	104(%r11), %rax
+        adcq	$0, %rax
+        movq	112(%r11), %rcx
+        movq	%rax, 104(%r15)
+        adcq	$0, %rcx
+        movq	120(%r11), %r8
+        movq	%rcx, 112(%r15)
+        adcq	$0, %r8
+        movq	128(%r11), %rax
+        movq	%r8, 120(%r15)
+        adcq	$0, %rax
+        movq	136(%r11), %rcx
+        movq	%rax, 128(%r15)
+        adcq	$0, %rcx
+        movq	144(%r11), %r8
+        movq	%rcx, 136(%r15)
+        adcq	$0, %r8
+        movq	152(%r11), %rax
+        movq	%r8, 144(%r15)
+        adcq	$0, %rax
+        movq	160(%r11), %rcx
+        movq	%rax, 152(%r15)
+        adcq	$0, %rcx
+        movq	168(%r11), %r8
+        movq	%rcx, 160(%r15)
+        adcq	$0, %r8
+        movq	176(%r11), %rax
+        movq	%r8, 168(%r15)
+        adcq	$0, %rax
+        movq	184(%r11), %rcx
+        movq	%rax, 176(%r15)
+        adcq	$0, %rcx
+        movq	%rcx, 184(%r15)
+        addq	$616, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_avx2_24,.-sp_3072_mul_avx2_24
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_avx2_24
+.type	sp_3072_sqr_avx2_24,@function
+.align	16
+sp_3072_sqr_avx2_24:
+#else
+.globl	_sp_3072_sqr_avx2_24
+.p2align	4
+_sp_3072_sqr_avx2_24:
+#endif /* __APPLE__ */
+        subq	$504, %rsp
+        movq	%rdi, 480(%rsp)
+        movq	%rsi, 488(%rsp)
+        leaq	384(%rsp), %r8
+        leaq	96(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	%rax, 88(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 496(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_12@plt
+#else
+        callq	_sp_3072_sqr_avx2_12
+#endif /* __APPLE__ */
+        movq	488(%rsp), %rsi
+        leaq	192(%rsp), %rdi
+        addq	$96, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_12@plt
+#else
+        callq	_sp_3072_sqr_avx2_12
+#endif /* __APPLE__ */
+        movq	488(%rsp), %rsi
+        movq	480(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_12@plt
+#else
+        callq	_sp_3072_sqr_avx2_12
+#endif /* __APPLE__ */
+        movq	496(%rsp), %r10
+        movq	%rdi, %r9
+        leaq	384(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        addq	$192, %r9
+        movq	(%r8), %rdx
+        pextq	%r10, %rdx, %rdx
+        addq	%rdx, %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	%rax, 88(%r9)
+        adcq	$0, %rcx
+        leaq	192(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	%rax, 184(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	%rax, 184(%r8)
+        sbbq	$0, %rcx
+        subq	$96, %r9
+        # Add in place
+        movq	(%r9), %rdx
+        addq	(%r8), %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	8(%r8), %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	16(%r8), %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	24(%r8), %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	32(%r8), %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	40(%r8), %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	48(%r8), %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	56(%r8), %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	64(%r8), %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	72(%r8), %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	80(%r8), %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	88(%r8), %rax
+        movq	96(%r9), %rdx
+        movq	%rax, 88(%r9)
+        adcq	96(%r8), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	104(%r8), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	112(%r8), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	120(%r8), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	128(%r8), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	136(%r8), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	144(%r8), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	152(%r8), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	160(%r8), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	168(%r8), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	176(%r8), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	184(%r8), %rax
+        movq	%rax, 184(%r9)
+        adcq	$0, %rcx
+        movq	%rcx, 288(%rdi)
+        # Add in place
+        movq	96(%r9), %rdx
+        addq	(%rsi), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	8(%rsi), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	16(%rsi), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	24(%rsi), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	32(%rsi), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	40(%rsi), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	48(%rsi), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	56(%rsi), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	64(%rsi), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	72(%rsi), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	80(%rsi), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	88(%rsi), %rax
+        movq	192(%r9), %rdx
+        movq	%rax, 184(%r9)
+        adcq	96(%rsi), %rdx
+        movq	%rdx, 192(%r9)
+        # Add to zero
+        movq	104(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	112(%rsi), %rax
+        movq	%rdx, 200(%r9)
+        adcq	$0, %rax
+        movq	120(%rsi), %rdx
+        movq	%rax, 208(%r9)
+        adcq	$0, %rdx
+        movq	128(%rsi), %rax
+        movq	%rdx, 216(%r9)
+        adcq	$0, %rax
+        movq	136(%rsi), %rdx
+        movq	%rax, 224(%r9)
+        adcq	$0, %rdx
+        movq	144(%rsi), %rax
+        movq	%rdx, 232(%r9)
+        adcq	$0, %rax
+        movq	152(%rsi), %rdx
+        movq	%rax, 240(%r9)
+        adcq	$0, %rdx
+        movq	160(%rsi), %rax
+        movq	%rdx, 248(%r9)
+        adcq	$0, %rax
+        movq	168(%rsi), %rdx
+        movq	%rax, 256(%r9)
+        adcq	$0, %rdx
+        movq	176(%rsi), %rax
+        movq	%rdx, 264(%r9)
+        adcq	$0, %rax
+        movq	184(%rsi), %rdx
+        movq	%rax, 272(%r9)
+        adcq	$0, %rdx
+        movq	%rdx, 280(%r9)
+        addq	$504, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_avx2_24,.-sp_3072_sqr_avx2_24
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sub_in_place_48
+.type	sp_3072_sub_in_place_48,@function
+.align	16
+sp_3072_sub_in_place_48:
+#else
+.globl	_sp_3072_sub_in_place_48
+.p2align	4
+_sp_3072_sub_in_place_48:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rdx
+        xorq	%rax, %rax
+        subq	(%rsi), %rdx
+        movq	8(%rdi), %rcx
+        movq	%rdx, (%rdi)
+        sbbq	8(%rsi), %rcx
+        movq	16(%rdi), %rdx
+        movq	%rcx, 8(%rdi)
+        sbbq	16(%rsi), %rdx
+        movq	24(%rdi), %rcx
+        movq	%rdx, 16(%rdi)
+        sbbq	24(%rsi), %rcx
+        movq	32(%rdi), %rdx
+        movq	%rcx, 24(%rdi)
+        sbbq	32(%rsi), %rdx
+        movq	40(%rdi), %rcx
+        movq	%rdx, 32(%rdi)
+        sbbq	40(%rsi), %rcx
+        movq	48(%rdi), %rdx
+        movq	%rcx, 40(%rdi)
+        sbbq	48(%rsi), %rdx
+        movq	56(%rdi), %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	56(%rsi), %rcx
+        movq	64(%rdi), %rdx
+        movq	%rcx, 56(%rdi)
+        sbbq	64(%rsi), %rdx
+        movq	72(%rdi), %rcx
+        movq	%rdx, 64(%rdi)
+        sbbq	72(%rsi), %rcx
+        movq	80(%rdi), %rdx
+        movq	%rcx, 72(%rdi)
+        sbbq	80(%rsi), %rdx
+        movq	88(%rdi), %rcx
+        movq	%rdx, 80(%rdi)
+        sbbq	88(%rsi), %rcx
+        movq	96(%rdi), %rdx
+        movq	%rcx, 88(%rdi)
+        sbbq	96(%rsi), %rdx
+        movq	104(%rdi), %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	104(%rsi), %rcx
+        movq	112(%rdi), %rdx
+        movq	%rcx, 104(%rdi)
+        sbbq	112(%rsi), %rdx
+        movq	120(%rdi), %rcx
+        movq	%rdx, 112(%rdi)
+        sbbq	120(%rsi), %rcx
+        movq	128(%rdi), %rdx
+        movq	%rcx, 120(%rdi)
+        sbbq	128(%rsi), %rdx
+        movq	136(%rdi), %rcx
+        movq	%rdx, 128(%rdi)
+        sbbq	136(%rsi), %rcx
+        movq	144(%rdi), %rdx
+        movq	%rcx, 136(%rdi)
+        sbbq	144(%rsi), %rdx
+        movq	152(%rdi), %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	152(%rsi), %rcx
+        movq	160(%rdi), %rdx
+        movq	%rcx, 152(%rdi)
+        sbbq	160(%rsi), %rdx
+        movq	168(%rdi), %rcx
+        movq	%rdx, 160(%rdi)
+        sbbq	168(%rsi), %rcx
+        movq	176(%rdi), %rdx
+        movq	%rcx, 168(%rdi)
+        sbbq	176(%rsi), %rdx
+        movq	184(%rdi), %rcx
+        movq	%rdx, 176(%rdi)
+        sbbq	184(%rsi), %rcx
+        movq	192(%rdi), %rdx
+        movq	%rcx, 184(%rdi)
+        sbbq	192(%rsi), %rdx
+        movq	200(%rdi), %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	200(%rsi), %rcx
+        movq	208(%rdi), %rdx
+        movq	%rcx, 200(%rdi)
+        sbbq	208(%rsi), %rdx
+        movq	216(%rdi), %rcx
+        movq	%rdx, 208(%rdi)
+        sbbq	216(%rsi), %rcx
+        movq	224(%rdi), %rdx
+        movq	%rcx, 216(%rdi)
+        sbbq	224(%rsi), %rdx
+        movq	232(%rdi), %rcx
+        movq	%rdx, 224(%rdi)
+        sbbq	232(%rsi), %rcx
+        movq	240(%rdi), %rdx
+        movq	%rcx, 232(%rdi)
+        sbbq	240(%rsi), %rdx
+        movq	248(%rdi), %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	248(%rsi), %rcx
+        movq	256(%rdi), %rdx
+        movq	%rcx, 248(%rdi)
+        sbbq	256(%rsi), %rdx
+        movq	264(%rdi), %rcx
+        movq	%rdx, 256(%rdi)
+        sbbq	264(%rsi), %rcx
+        movq	272(%rdi), %rdx
+        movq	%rcx, 264(%rdi)
+        sbbq	272(%rsi), %rdx
+        movq	280(%rdi), %rcx
+        movq	%rdx, 272(%rdi)
+        sbbq	280(%rsi), %rcx
+        movq	288(%rdi), %rdx
+        movq	%rcx, 280(%rdi)
+        sbbq	288(%rsi), %rdx
+        movq	296(%rdi), %rcx
+        movq	%rdx, 288(%rdi)
+        sbbq	296(%rsi), %rcx
+        movq	304(%rdi), %rdx
+        movq	%rcx, 296(%rdi)
+        sbbq	304(%rsi), %rdx
+        movq	312(%rdi), %rcx
+        movq	%rdx, 304(%rdi)
+        sbbq	312(%rsi), %rcx
+        movq	320(%rdi), %rdx
+        movq	%rcx, 312(%rdi)
+        sbbq	320(%rsi), %rdx
+        movq	328(%rdi), %rcx
+        movq	%rdx, 320(%rdi)
+        sbbq	328(%rsi), %rcx
+        movq	336(%rdi), %rdx
+        movq	%rcx, 328(%rdi)
+        sbbq	336(%rsi), %rdx
+        movq	344(%rdi), %rcx
+        movq	%rdx, 336(%rdi)
+        sbbq	344(%rsi), %rcx
+        movq	352(%rdi), %rdx
+        movq	%rcx, 344(%rdi)
+        sbbq	352(%rsi), %rdx
+        movq	360(%rdi), %rcx
+        movq	%rdx, 352(%rdi)
+        sbbq	360(%rsi), %rcx
+        movq	368(%rdi), %rdx
+        movq	%rcx, 360(%rdi)
+        sbbq	368(%rsi), %rdx
+        movq	376(%rdi), %rcx
+        movq	%rdx, 368(%rdi)
+        sbbq	376(%rsi), %rcx
+        movq	%rcx, 376(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sub_in_place_48,.-sp_3072_sub_in_place_48
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_add_48
+.type	sp_3072_add_48,@function
+.align	16
+sp_3072_add_48:
+#else
+.globl	_sp_3072_add_48
+.p2align	4
+_sp_3072_add_48:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        adcq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        adcq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        adcq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        adcq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        adcq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        adcq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        adcq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        adcq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        adcq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        adcq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        adcq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        adcq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        adcq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        adcq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        adcq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        adcq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        adcq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        adcq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        adcq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        adcq	248(%rdx), %r8
+        movq	256(%rsi), %rcx
+        movq	%r8, 248(%rdi)
+        adcq	256(%rdx), %rcx
+        movq	264(%rsi), %r8
+        movq	%rcx, 256(%rdi)
+        adcq	264(%rdx), %r8
+        movq	272(%rsi), %rcx
+        movq	%r8, 264(%rdi)
+        adcq	272(%rdx), %rcx
+        movq	280(%rsi), %r8
+        movq	%rcx, 272(%rdi)
+        adcq	280(%rdx), %r8
+        movq	288(%rsi), %rcx
+        movq	%r8, 280(%rdi)
+        adcq	288(%rdx), %rcx
+        movq	296(%rsi), %r8
+        movq	%rcx, 288(%rdi)
+        adcq	296(%rdx), %r8
+        movq	304(%rsi), %rcx
+        movq	%r8, 296(%rdi)
+        adcq	304(%rdx), %rcx
+        movq	312(%rsi), %r8
+        movq	%rcx, 304(%rdi)
+        adcq	312(%rdx), %r8
+        movq	320(%rsi), %rcx
+        movq	%r8, 312(%rdi)
+        adcq	320(%rdx), %rcx
+        movq	328(%rsi), %r8
+        movq	%rcx, 320(%rdi)
+        adcq	328(%rdx), %r8
+        movq	336(%rsi), %rcx
+        movq	%r8, 328(%rdi)
+        adcq	336(%rdx), %rcx
+        movq	344(%rsi), %r8
+        movq	%rcx, 336(%rdi)
+        adcq	344(%rdx), %r8
+        movq	352(%rsi), %rcx
+        movq	%r8, 344(%rdi)
+        adcq	352(%rdx), %rcx
+        movq	360(%rsi), %r8
+        movq	%rcx, 352(%rdi)
+        adcq	360(%rdx), %r8
+        movq	368(%rsi), %rcx
+        movq	%r8, 360(%rdi)
+        adcq	368(%rdx), %rcx
+        movq	376(%rsi), %r8
+        movq	%rcx, 368(%rdi)
+        adcq	376(%rdx), %r8
+        movq	%r8, 376(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_add_48,.-sp_3072_add_48
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_48
+.type	sp_3072_mul_48,@function
+.align	16
+sp_3072_mul_48:
+#else
+.globl	_sp_3072_mul_48
+.p2align	4
+_sp_3072_mul_48:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$1192, %rsp
+        movq	%rdi, 1152(%rsp)
+        movq	%rsi, 1160(%rsp)
+        movq	%rdx, 1168(%rsp)
+        leaq	768(%rsp), %r10
+        leaq	192(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	128(%rsi), %rcx
+        movq	%rax, 120(%r10)
+        adcq	128(%r12), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%r10)
+        adcq	136(%r12), %r8
+        movq	144(%rsi), %rax
+        movq	%r8, 136(%r10)
+        adcq	144(%r12), %rax
+        movq	152(%rsi), %rcx
+        movq	%rax, 144(%r10)
+        adcq	152(%r12), %rcx
+        movq	160(%rsi), %r8
+        movq	%rcx, 152(%r10)
+        adcq	160(%r12), %r8
+        movq	168(%rsi), %rax
+        movq	%r8, 160(%r10)
+        adcq	168(%r12), %rax
+        movq	176(%rsi), %rcx
+        movq	%rax, 168(%r10)
+        adcq	176(%r12), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%r10)
+        adcq	184(%r12), %r8
+        movq	%r8, 184(%r10)
+        adcq	$0, %r13
+        movq	%r13, 1176(%rsp)
+        leaq	960(%rsp), %r11
+        leaq	192(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	128(%rdx), %rcx
+        movq	%rax, 120(%r11)
+        adcq	128(%r12), %rcx
+        movq	136(%rdx), %r8
+        movq	%rcx, 128(%r11)
+        adcq	136(%r12), %r8
+        movq	144(%rdx), %rax
+        movq	%r8, 136(%r11)
+        adcq	144(%r12), %rax
+        movq	152(%rdx), %rcx
+        movq	%rax, 144(%r11)
+        adcq	152(%r12), %rcx
+        movq	160(%rdx), %r8
+        movq	%rcx, 152(%r11)
+        adcq	160(%r12), %r8
+        movq	168(%rdx), %rax
+        movq	%r8, 160(%r11)
+        adcq	168(%r12), %rax
+        movq	176(%rdx), %rcx
+        movq	%rax, 168(%r11)
+        adcq	176(%r12), %rcx
+        movq	184(%rdx), %r8
+        movq	%rcx, 176(%r11)
+        adcq	184(%r12), %r8
+        movq	%r8, 184(%r11)
+        adcq	$0, %r14
+        movq	%r14, 1184(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_24@plt
+#else
+        callq	_sp_3072_mul_24
+#endif /* __APPLE__ */
+        movq	1168(%rsp), %rdx
+        movq	1160(%rsp), %rsi
+        leaq	384(%rsp), %rdi
+        addq	$192, %rdx
+        addq	$192, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_mul_24@plt
+#else
+        callq	_sp_3072_mul_24
+#endif /* __APPLE__ */
+        movq	1168(%rsp), %rdx
+        movq	1160(%rsp), %rsi
+        movq	1152(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_24@plt
+#else
+        callq	_sp_3072_mul_24
+#endif /* __APPLE__ */
+        movq	1176(%rsp), %r13
+        movq	1184(%rsp), %r14
+        movq	1152(%rsp), %r15
+        movq	%r13, %r9
+        leaq	768(%rsp), %r10
+        leaq	960(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$384, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, (%r10)
+        movq	%rcx, (%r11)
+        movq	8(%r10), %rax
+        movq	8(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 8(%r10)
+        movq	%rcx, 8(%r11)
+        movq	16(%r10), %rax
+        movq	16(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 16(%r10)
+        movq	%rcx, 16(%r11)
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 24(%r10)
+        movq	%rcx, 24(%r11)
+        movq	32(%r10), %rax
+        movq	32(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 32(%r10)
+        movq	%rcx, 32(%r11)
+        movq	40(%r10), %rax
+        movq	40(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 40(%r10)
+        movq	%rcx, 40(%r11)
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 48(%r10)
+        movq	%rcx, 48(%r11)
+        movq	56(%r10), %rax
+        movq	56(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 56(%r10)
+        movq	%rcx, 56(%r11)
+        movq	64(%r10), %rax
+        movq	64(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 64(%r10)
+        movq	%rcx, 64(%r11)
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 72(%r10)
+        movq	%rcx, 72(%r11)
+        movq	80(%r10), %rax
+        movq	80(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 80(%r10)
+        movq	%rcx, 80(%r11)
+        movq	88(%r10), %rax
+        movq	88(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 88(%r10)
+        movq	%rcx, 88(%r11)
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 96(%r10)
+        movq	%rcx, 96(%r11)
+        movq	104(%r10), %rax
+        movq	104(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 104(%r10)
+        movq	%rcx, 104(%r11)
+        movq	112(%r10), %rax
+        movq	112(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 112(%r10)
+        movq	%rcx, 112(%r11)
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 120(%r10)
+        movq	%rcx, 120(%r11)
+        movq	128(%r10), %rax
+        movq	128(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 128(%r10)
+        movq	%rcx, 128(%r11)
+        movq	136(%r10), %rax
+        movq	136(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 136(%r10)
+        movq	%rcx, 136(%r11)
+        movq	144(%r10), %rax
+        movq	144(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 144(%r10)
+        movq	%rcx, 144(%r11)
+        movq	152(%r10), %rax
+        movq	152(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 152(%r10)
+        movq	%rcx, 152(%r11)
+        movq	160(%r10), %rax
+        movq	160(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 160(%r10)
+        movq	%rcx, 160(%r11)
+        movq	168(%r10), %rax
+        movq	168(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 168(%r10)
+        movq	%rcx, 168(%r11)
+        movq	176(%r10), %rax
+        movq	176(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 176(%r10)
+        movq	%rcx, 176(%r11)
+        movq	184(%r10), %rax
+        movq	184(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 184(%r10)
+        movq	%rcx, 184(%r11)
+        movq	(%r10), %rax
+        addq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	%r8, 184(%r15)
+        adcq	$0, %r9
+        leaq	384(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%r11), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%r11), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%r11), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%r11), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%r11), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%r11), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%r11), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%r11), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%r11), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%r11), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%r11), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%r11), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%r11), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%r11), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%r11), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%r11), %r8
+        movq	%r8, 376(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%rdi), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%rdi), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%rdi), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%rdi), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%rdi), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%rdi), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%rdi), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%rdi), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%rdi), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%rdi), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%rdi), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%rdi), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%rdi), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%rdi), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%rdi), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%rdi), %r8
+        movq	%r8, 376(%r10)
+        sbbq	$0, %r9
+        subq	$192, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r10), %r8
+        movq	264(%r15), %rax
+        movq	%r8, 256(%r15)
+        adcq	264(%r10), %rax
+        movq	272(%r15), %rcx
+        movq	%rax, 264(%r15)
+        adcq	272(%r10), %rcx
+        movq	280(%r15), %r8
+        movq	%rcx, 272(%r15)
+        adcq	280(%r10), %r8
+        movq	288(%r15), %rax
+        movq	%r8, 280(%r15)
+        adcq	288(%r10), %rax
+        movq	296(%r15), %rcx
+        movq	%rax, 288(%r15)
+        adcq	296(%r10), %rcx
+        movq	304(%r15), %r8
+        movq	%rcx, 296(%r15)
+        adcq	304(%r10), %r8
+        movq	312(%r15), %rax
+        movq	%r8, 304(%r15)
+        adcq	312(%r10), %rax
+        movq	320(%r15), %rcx
+        movq	%rax, 312(%r15)
+        adcq	320(%r10), %rcx
+        movq	328(%r15), %r8
+        movq	%rcx, 320(%r15)
+        adcq	328(%r10), %r8
+        movq	336(%r15), %rax
+        movq	%r8, 328(%r15)
+        adcq	336(%r10), %rax
+        movq	344(%r15), %rcx
+        movq	%rax, 336(%r15)
+        adcq	344(%r10), %rcx
+        movq	352(%r15), %r8
+        movq	%rcx, 344(%r15)
+        adcq	352(%r10), %r8
+        movq	360(%r15), %rax
+        movq	%r8, 352(%r15)
+        adcq	360(%r10), %rax
+        movq	368(%r15), %rcx
+        movq	%rax, 360(%r15)
+        adcq	368(%r10), %rcx
+        movq	376(%r15), %r8
+        movq	%rcx, 368(%r15)
+        adcq	376(%r10), %r8
+        movq	%r8, 376(%r15)
+        adcq	$0, %r9
+        movq	%r9, 576(%rdi)
+        addq	$192, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r11), %rax
+        movq	%rax, 192(%r15)
+        # Add to zero
+        movq	200(%r11), %rax
+        adcq	$0, %rax
+        movq	208(%r11), %rcx
+        movq	%rax, 200(%r15)
+        adcq	$0, %rcx
+        movq	216(%r11), %r8
+        movq	%rcx, 208(%r15)
+        adcq	$0, %r8
+        movq	224(%r11), %rax
+        movq	%r8, 216(%r15)
+        adcq	$0, %rax
+        movq	232(%r11), %rcx
+        movq	%rax, 224(%r15)
+        adcq	$0, %rcx
+        movq	240(%r11), %r8
+        movq	%rcx, 232(%r15)
+        adcq	$0, %r8
+        movq	248(%r11), %rax
+        movq	%r8, 240(%r15)
+        adcq	$0, %rax
+        movq	256(%r11), %rcx
+        movq	%rax, 248(%r15)
+        adcq	$0, %rcx
+        movq	264(%r11), %r8
+        movq	%rcx, 256(%r15)
+        adcq	$0, %r8
+        movq	272(%r11), %rax
+        movq	%r8, 264(%r15)
+        adcq	$0, %rax
+        movq	280(%r11), %rcx
+        movq	%rax, 272(%r15)
+        adcq	$0, %rcx
+        movq	288(%r11), %r8
+        movq	%rcx, 280(%r15)
+        adcq	$0, %r8
+        movq	296(%r11), %rax
+        movq	%r8, 288(%r15)
+        adcq	$0, %rax
+        movq	304(%r11), %rcx
+        movq	%rax, 296(%r15)
+        adcq	$0, %rcx
+        movq	312(%r11), %r8
+        movq	%rcx, 304(%r15)
+        adcq	$0, %r8
+        movq	320(%r11), %rax
+        movq	%r8, 312(%r15)
+        adcq	$0, %rax
+        movq	328(%r11), %rcx
+        movq	%rax, 320(%r15)
+        adcq	$0, %rcx
+        movq	336(%r11), %r8
+        movq	%rcx, 328(%r15)
+        adcq	$0, %r8
+        movq	344(%r11), %rax
+        movq	%r8, 336(%r15)
+        adcq	$0, %rax
+        movq	352(%r11), %rcx
+        movq	%rax, 344(%r15)
+        adcq	$0, %rcx
+        movq	360(%r11), %r8
+        movq	%rcx, 352(%r15)
+        adcq	$0, %r8
+        movq	368(%r11), %rax
+        movq	%r8, 360(%r15)
+        adcq	$0, %rax
+        movq	376(%r11), %rcx
+        movq	%rax, 368(%r15)
+        adcq	$0, %rcx
+        movq	%rcx, 376(%r15)
+        addq	$1192, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_48,.-sp_3072_mul_48
+#endif /* __APPLE__ */
+/* Add a to a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_dbl_24
+.type	sp_3072_dbl_24,@function
+.align	16
+sp_3072_dbl_24:
+#else
+.globl	_sp_3072_dbl_24
+.p2align	4
+_sp_3072_dbl_24:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        xorq	%rax, %rax
+        addq	%rdx, %rdx
+        movq	8(%rsi), %rcx
+        movq	%rdx, (%rdi)
+        adcq	%rcx, %rcx
+        movq	16(%rsi), %rdx
+        movq	%rcx, 8(%rdi)
+        adcq	%rdx, %rdx
+        movq	24(%rsi), %rcx
+        movq	%rdx, 16(%rdi)
+        adcq	%rcx, %rcx
+        movq	32(%rsi), %rdx
+        movq	%rcx, 24(%rdi)
+        adcq	%rdx, %rdx
+        movq	40(%rsi), %rcx
+        movq	%rdx, 32(%rdi)
+        adcq	%rcx, %rcx
+        movq	48(%rsi), %rdx
+        movq	%rcx, 40(%rdi)
+        adcq	%rdx, %rdx
+        movq	56(%rsi), %rcx
+        movq	%rdx, 48(%rdi)
+        adcq	%rcx, %rcx
+        movq	64(%rsi), %rdx
+        movq	%rcx, 56(%rdi)
+        adcq	%rdx, %rdx
+        movq	72(%rsi), %rcx
+        movq	%rdx, 64(%rdi)
+        adcq	%rcx, %rcx
+        movq	80(%rsi), %rdx
+        movq	%rcx, 72(%rdi)
+        adcq	%rdx, %rdx
+        movq	88(%rsi), %rcx
+        movq	%rdx, 80(%rdi)
+        adcq	%rcx, %rcx
+        movq	96(%rsi), %rdx
+        movq	%rcx, 88(%rdi)
+        adcq	%rdx, %rdx
+        movq	104(%rsi), %rcx
+        movq	%rdx, 96(%rdi)
+        adcq	%rcx, %rcx
+        movq	112(%rsi), %rdx
+        movq	%rcx, 104(%rdi)
+        adcq	%rdx, %rdx
+        movq	120(%rsi), %rcx
+        movq	%rdx, 112(%rdi)
+        adcq	%rcx, %rcx
+        movq	128(%rsi), %rdx
+        movq	%rcx, 120(%rdi)
+        adcq	%rdx, %rdx
+        movq	136(%rsi), %rcx
+        movq	%rdx, 128(%rdi)
+        adcq	%rcx, %rcx
+        movq	144(%rsi), %rdx
+        movq	%rcx, 136(%rdi)
+        adcq	%rdx, %rdx
+        movq	152(%rsi), %rcx
+        movq	%rdx, 144(%rdi)
+        adcq	%rcx, %rcx
+        movq	160(%rsi), %rdx
+        movq	%rcx, 152(%rdi)
+        adcq	%rdx, %rdx
+        movq	168(%rsi), %rcx
+        movq	%rdx, 160(%rdi)
+        adcq	%rcx, %rcx
+        movq	176(%rsi), %rdx
+        movq	%rcx, 168(%rdi)
+        adcq	%rdx, %rdx
+        movq	184(%rsi), %rcx
+        movq	%rdx, 176(%rdi)
+        adcq	%rcx, %rcx
+        movq	%rcx, 184(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_dbl_24,.-sp_3072_dbl_24
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_48
+.type	sp_3072_sqr_48,@function
+.align	16
+sp_3072_sqr_48:
+#else
+.globl	_sp_3072_sqr_48
+.p2align	4
+_sp_3072_sqr_48:
+#endif /* __APPLE__ */
+        subq	$984, %rsp
+        movq	%rdi, 960(%rsp)
+        movq	%rsi, 968(%rsp)
+        leaq	768(%rsp), %r8
+        leaq	192(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	128(%rsi), %rdx
+        movq	%rax, 120(%r8)
+        adcq	128(%r9), %rdx
+        movq	136(%rsi), %rax
+        movq	%rdx, 128(%r8)
+        adcq	136(%r9), %rax
+        movq	144(%rsi), %rdx
+        movq	%rax, 136(%r8)
+        adcq	144(%r9), %rdx
+        movq	152(%rsi), %rax
+        movq	%rdx, 144(%r8)
+        adcq	152(%r9), %rax
+        movq	160(%rsi), %rdx
+        movq	%rax, 152(%r8)
+        adcq	160(%r9), %rdx
+        movq	168(%rsi), %rax
+        movq	%rdx, 160(%r8)
+        adcq	168(%r9), %rax
+        movq	176(%rsi), %rdx
+        movq	%rax, 168(%r8)
+        adcq	176(%r9), %rdx
+        movq	184(%rsi), %rax
+        movq	%rdx, 176(%r8)
+        adcq	184(%r9), %rax
+        movq	%rax, 184(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 976(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_24@plt
+#else
+        callq	_sp_3072_sqr_24
+#endif /* __APPLE__ */
+        movq	968(%rsp), %rsi
+        leaq	384(%rsp), %rdi
+        addq	$192, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_24@plt
+#else
+        callq	_sp_3072_sqr_24
+#endif /* __APPLE__ */
+        movq	968(%rsp), %rsi
+        movq	960(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_24@plt
+#else
+        callq	_sp_3072_sqr_24
+#endif /* __APPLE__ */
+        movq	976(%rsp), %r10
+        movq	%rdi, %r9
+        leaq	768(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        addq	$384, %r9
+        movq	(%r8), %rdx
+        movq	8(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, (%r9)
+        movq	%rax, 8(%r9)
+        movq	16(%r8), %rdx
+        movq	24(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 16(%r9)
+        movq	%rax, 24(%r9)
+        movq	32(%r8), %rdx
+        movq	40(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 32(%r9)
+        movq	%rax, 40(%r9)
+        movq	48(%r8), %rdx
+        movq	56(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 48(%r9)
+        movq	%rax, 56(%r9)
+        movq	64(%r8), %rdx
+        movq	72(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 64(%r9)
+        movq	%rax, 72(%r9)
+        movq	80(%r8), %rdx
+        movq	88(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 80(%r9)
+        movq	%rax, 88(%r9)
+        movq	96(%r8), %rdx
+        movq	104(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 96(%r9)
+        movq	%rax, 104(%r9)
+        movq	112(%r8), %rdx
+        movq	120(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 112(%r9)
+        movq	%rax, 120(%r9)
+        movq	128(%r8), %rdx
+        movq	136(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 128(%r9)
+        movq	%rax, 136(%r9)
+        movq	144(%r8), %rdx
+        movq	152(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 144(%r9)
+        movq	%rax, 152(%r9)
+        movq	160(%r8), %rdx
+        movq	168(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 160(%r9)
+        movq	%rax, 168(%r9)
+        movq	176(%r8), %rdx
+        movq	184(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 176(%r9)
+        movq	%rax, 184(%r9)
+        movq	(%r9), %rdx
+        addq	%rdx, %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	%rax, %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	%rdx, %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	%rax, %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	%rdx, %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	%rax, %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	%rdx, %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	%rax, %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	%rdx, %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	%rax, %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	%rdx, %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	%rax, %rax
+        movq	96(%r9), %rdx
+        movq	%rax, 88(%r9)
+        adcq	%rdx, %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	%rax, %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	%rdx, %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	%rax, %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	%rdx, %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	%rax, %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	%rdx, %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	%rax, %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	%rdx, %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	%rax, %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	%rdx, %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	%rax, %rax
+        movq	%rax, 184(%r9)
+        adcq	$0, %rcx
+        leaq	384(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rsi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rsi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rsi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rsi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rsi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rsi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rsi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rsi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rsi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rsi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rsi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rsi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rsi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rsi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rsi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rsi), %rax
+        movq	%rax, 376(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rdi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rdi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rdi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rdi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rdi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rdi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rdi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rdi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rdi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rdi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rdi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rdi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rdi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rdi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rdi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rdi), %rax
+        movq	%rax, 376(%r8)
+        sbbq	$0, %rcx
+        subq	$192, %r9
+        # Add in place
+        movq	(%r9), %rdx
+        addq	(%r8), %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	8(%r8), %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	16(%r8), %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	24(%r8), %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	32(%r8), %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	40(%r8), %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	48(%r8), %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	56(%r8), %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	64(%r8), %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	72(%r8), %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	80(%r8), %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	88(%r8), %rax
+        movq	96(%r9), %rdx
+        movq	%rax, 88(%r9)
+        adcq	96(%r8), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	104(%r8), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	112(%r8), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	120(%r8), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	128(%r8), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	136(%r8), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	144(%r8), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	152(%r8), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	160(%r8), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	168(%r8), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	176(%r8), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	184(%r8), %rax
+        movq	192(%r9), %rdx
+        movq	%rax, 184(%r9)
+        adcq	192(%r8), %rdx
+        movq	200(%r9), %rax
+        movq	%rdx, 192(%r9)
+        adcq	200(%r8), %rax
+        movq	208(%r9), %rdx
+        movq	%rax, 200(%r9)
+        adcq	208(%r8), %rdx
+        movq	216(%r9), %rax
+        movq	%rdx, 208(%r9)
+        adcq	216(%r8), %rax
+        movq	224(%r9), %rdx
+        movq	%rax, 216(%r9)
+        adcq	224(%r8), %rdx
+        movq	232(%r9), %rax
+        movq	%rdx, 224(%r9)
+        adcq	232(%r8), %rax
+        movq	240(%r9), %rdx
+        movq	%rax, 232(%r9)
+        adcq	240(%r8), %rdx
+        movq	248(%r9), %rax
+        movq	%rdx, 240(%r9)
+        adcq	248(%r8), %rax
+        movq	256(%r9), %rdx
+        movq	%rax, 248(%r9)
+        adcq	256(%r8), %rdx
+        movq	264(%r9), %rax
+        movq	%rdx, 256(%r9)
+        adcq	264(%r8), %rax
+        movq	272(%r9), %rdx
+        movq	%rax, 264(%r9)
+        adcq	272(%r8), %rdx
+        movq	280(%r9), %rax
+        movq	%rdx, 272(%r9)
+        adcq	280(%r8), %rax
+        movq	288(%r9), %rdx
+        movq	%rax, 280(%r9)
+        adcq	288(%r8), %rdx
+        movq	296(%r9), %rax
+        movq	%rdx, 288(%r9)
+        adcq	296(%r8), %rax
+        movq	304(%r9), %rdx
+        movq	%rax, 296(%r9)
+        adcq	304(%r8), %rdx
+        movq	312(%r9), %rax
+        movq	%rdx, 304(%r9)
+        adcq	312(%r8), %rax
+        movq	320(%r9), %rdx
+        movq	%rax, 312(%r9)
+        adcq	320(%r8), %rdx
+        movq	328(%r9), %rax
+        movq	%rdx, 320(%r9)
+        adcq	328(%r8), %rax
+        movq	336(%r9), %rdx
+        movq	%rax, 328(%r9)
+        adcq	336(%r8), %rdx
+        movq	344(%r9), %rax
+        movq	%rdx, 336(%r9)
+        adcq	344(%r8), %rax
+        movq	352(%r9), %rdx
+        movq	%rax, 344(%r9)
+        adcq	352(%r8), %rdx
+        movq	360(%r9), %rax
+        movq	%rdx, 352(%r9)
+        adcq	360(%r8), %rax
+        movq	368(%r9), %rdx
+        movq	%rax, 360(%r9)
+        adcq	368(%r8), %rdx
+        movq	376(%r9), %rax
+        movq	%rdx, 368(%r9)
+        adcq	376(%r8), %rax
+        movq	%rax, 376(%r9)
+        adcq	$0, %rcx
+        movq	%rcx, 576(%rdi)
+        # Add in place
+        movq	192(%r9), %rdx
+        addq	(%rsi), %rdx
+        movq	200(%r9), %rax
+        movq	%rdx, 192(%r9)
+        adcq	8(%rsi), %rax
+        movq	208(%r9), %rdx
+        movq	%rax, 200(%r9)
+        adcq	16(%rsi), %rdx
+        movq	216(%r9), %rax
+        movq	%rdx, 208(%r9)
+        adcq	24(%rsi), %rax
+        movq	224(%r9), %rdx
+        movq	%rax, 216(%r9)
+        adcq	32(%rsi), %rdx
+        movq	232(%r9), %rax
+        movq	%rdx, 224(%r9)
+        adcq	40(%rsi), %rax
+        movq	240(%r9), %rdx
+        movq	%rax, 232(%r9)
+        adcq	48(%rsi), %rdx
+        movq	248(%r9), %rax
+        movq	%rdx, 240(%r9)
+        adcq	56(%rsi), %rax
+        movq	256(%r9), %rdx
+        movq	%rax, 248(%r9)
+        adcq	64(%rsi), %rdx
+        movq	264(%r9), %rax
+        movq	%rdx, 256(%r9)
+        adcq	72(%rsi), %rax
+        movq	272(%r9), %rdx
+        movq	%rax, 264(%r9)
+        adcq	80(%rsi), %rdx
+        movq	280(%r9), %rax
+        movq	%rdx, 272(%r9)
+        adcq	88(%rsi), %rax
+        movq	288(%r9), %rdx
+        movq	%rax, 280(%r9)
+        adcq	96(%rsi), %rdx
+        movq	296(%r9), %rax
+        movq	%rdx, 288(%r9)
+        adcq	104(%rsi), %rax
+        movq	304(%r9), %rdx
+        movq	%rax, 296(%r9)
+        adcq	112(%rsi), %rdx
+        movq	312(%r9), %rax
+        movq	%rdx, 304(%r9)
+        adcq	120(%rsi), %rax
+        movq	320(%r9), %rdx
+        movq	%rax, 312(%r9)
+        adcq	128(%rsi), %rdx
+        movq	328(%r9), %rax
+        movq	%rdx, 320(%r9)
+        adcq	136(%rsi), %rax
+        movq	336(%r9), %rdx
+        movq	%rax, 328(%r9)
+        adcq	144(%rsi), %rdx
+        movq	344(%r9), %rax
+        movq	%rdx, 336(%r9)
+        adcq	152(%rsi), %rax
+        movq	352(%r9), %rdx
+        movq	%rax, 344(%r9)
+        adcq	160(%rsi), %rdx
+        movq	360(%r9), %rax
+        movq	%rdx, 352(%r9)
+        adcq	168(%rsi), %rax
+        movq	368(%r9), %rdx
+        movq	%rax, 360(%r9)
+        adcq	176(%rsi), %rdx
+        movq	376(%r9), %rax
+        movq	%rdx, 368(%r9)
+        adcq	184(%rsi), %rax
+        movq	384(%r9), %rdx
+        movq	%rax, 376(%r9)
+        adcq	192(%rsi), %rdx
+        movq	%rdx, 384(%r9)
+        # Add to zero
+        movq	200(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	208(%rsi), %rax
+        movq	%rdx, 392(%r9)
+        adcq	$0, %rax
+        movq	216(%rsi), %rdx
+        movq	%rax, 400(%r9)
+        adcq	$0, %rdx
+        movq	224(%rsi), %rax
+        movq	%rdx, 408(%r9)
+        adcq	$0, %rax
+        movq	232(%rsi), %rdx
+        movq	%rax, 416(%r9)
+        adcq	$0, %rdx
+        movq	240(%rsi), %rax
+        movq	%rdx, 424(%r9)
+        adcq	$0, %rax
+        movq	248(%rsi), %rdx
+        movq	%rax, 432(%r9)
+        adcq	$0, %rdx
+        movq	256(%rsi), %rax
+        movq	%rdx, 440(%r9)
+        adcq	$0, %rax
+        movq	264(%rsi), %rdx
+        movq	%rax, 448(%r9)
+        adcq	$0, %rdx
+        movq	272(%rsi), %rax
+        movq	%rdx, 456(%r9)
+        adcq	$0, %rax
+        movq	280(%rsi), %rdx
+        movq	%rax, 464(%r9)
+        adcq	$0, %rdx
+        movq	288(%rsi), %rax
+        movq	%rdx, 472(%r9)
+        adcq	$0, %rax
+        movq	296(%rsi), %rdx
+        movq	%rax, 480(%r9)
+        adcq	$0, %rdx
+        movq	304(%rsi), %rax
+        movq	%rdx, 488(%r9)
+        adcq	$0, %rax
+        movq	312(%rsi), %rdx
+        movq	%rax, 496(%r9)
+        adcq	$0, %rdx
+        movq	320(%rsi), %rax
+        movq	%rdx, 504(%r9)
+        adcq	$0, %rax
+        movq	328(%rsi), %rdx
+        movq	%rax, 512(%r9)
+        adcq	$0, %rdx
+        movq	336(%rsi), %rax
+        movq	%rdx, 520(%r9)
+        adcq	$0, %rax
+        movq	344(%rsi), %rdx
+        movq	%rax, 528(%r9)
+        adcq	$0, %rdx
+        movq	352(%rsi), %rax
+        movq	%rdx, 536(%r9)
+        adcq	$0, %rax
+        movq	360(%rsi), %rdx
+        movq	%rax, 544(%r9)
+        adcq	$0, %rdx
+        movq	368(%rsi), %rax
+        movq	%rdx, 552(%r9)
+        adcq	$0, %rax
+        movq	376(%rsi), %rdx
+        movq	%rax, 560(%r9)
+        adcq	$0, %rdx
+        movq	%rdx, 568(%r9)
+        addq	$984, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_48,.-sp_3072_sqr_48
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_avx2_48
+.type	sp_3072_mul_avx2_48,@function
+.align	16
+sp_3072_mul_avx2_48:
+#else
+.globl	_sp_3072_mul_avx2_48
+.p2align	4
+_sp_3072_mul_avx2_48:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$1192, %rsp
+        movq	%rdi, 1152(%rsp)
+        movq	%rsi, 1160(%rsp)
+        movq	%rdx, 1168(%rsp)
+        leaq	768(%rsp), %r10
+        leaq	192(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	128(%rsi), %rcx
+        movq	%rax, 120(%r10)
+        adcq	128(%r12), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%r10)
+        adcq	136(%r12), %r8
+        movq	144(%rsi), %rax
+        movq	%r8, 136(%r10)
+        adcq	144(%r12), %rax
+        movq	152(%rsi), %rcx
+        movq	%rax, 144(%r10)
+        adcq	152(%r12), %rcx
+        movq	160(%rsi), %r8
+        movq	%rcx, 152(%r10)
+        adcq	160(%r12), %r8
+        movq	168(%rsi), %rax
+        movq	%r8, 160(%r10)
+        adcq	168(%r12), %rax
+        movq	176(%rsi), %rcx
+        movq	%rax, 168(%r10)
+        adcq	176(%r12), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%r10)
+        adcq	184(%r12), %r8
+        movq	%r8, 184(%r10)
+        adcq	$0, %r13
+        movq	%r13, 1176(%rsp)
+        leaq	960(%rsp), %r11
+        leaq	192(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	128(%rdx), %rcx
+        movq	%rax, 120(%r11)
+        adcq	128(%r12), %rcx
+        movq	136(%rdx), %r8
+        movq	%rcx, 128(%r11)
+        adcq	136(%r12), %r8
+        movq	144(%rdx), %rax
+        movq	%r8, 136(%r11)
+        adcq	144(%r12), %rax
+        movq	152(%rdx), %rcx
+        movq	%rax, 144(%r11)
+        adcq	152(%r12), %rcx
+        movq	160(%rdx), %r8
+        movq	%rcx, 152(%r11)
+        adcq	160(%r12), %r8
+        movq	168(%rdx), %rax
+        movq	%r8, 160(%r11)
+        adcq	168(%r12), %rax
+        movq	176(%rdx), %rcx
+        movq	%rax, 168(%r11)
+        adcq	176(%r12), %rcx
+        movq	184(%rdx), %r8
+        movq	%rcx, 176(%r11)
+        adcq	184(%r12), %r8
+        movq	%r8, 184(%r11)
+        adcq	$0, %r14
+        movq	%r14, 1184(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_24@plt
+#else
+        callq	_sp_3072_mul_avx2_24
+#endif /* __APPLE__ */
+        movq	1168(%rsp), %rdx
+        movq	1160(%rsp), %rsi
+        leaq	384(%rsp), %rdi
+        addq	$192, %rdx
+        addq	$192, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_24@plt
+#else
+        callq	_sp_3072_mul_avx2_24
+#endif /* __APPLE__ */
+        movq	1168(%rsp), %rdx
+        movq	1160(%rsp), %rsi
+        movq	1152(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_mul_avx2_24@plt
+#else
+        callq	_sp_3072_mul_avx2_24
+#endif /* __APPLE__ */
+        movq	1176(%rsp), %r13
+        movq	1184(%rsp), %r14
+        movq	1152(%rsp), %r15
+        movq	%r13, %r9
+        leaq	768(%rsp), %r10
+        leaq	960(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$384, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        addq	%rcx, %rax
+        movq	8(%r10), %rcx
+        movq	8(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, (%r15)
+        adcq	%r8, %rcx
+        movq	16(%r10), %r8
+        movq	16(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 8(%r15)
+        adcq	%rax, %r8
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 16(%r15)
+        adcq	%rcx, %rax
+        movq	32(%r10), %rcx
+        movq	32(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 24(%r15)
+        adcq	%r8, %rcx
+        movq	40(%r10), %r8
+        movq	40(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 32(%r15)
+        adcq	%rax, %r8
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 40(%r15)
+        adcq	%rcx, %rax
+        movq	56(%r10), %rcx
+        movq	56(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 48(%r15)
+        adcq	%r8, %rcx
+        movq	64(%r10), %r8
+        movq	64(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 56(%r15)
+        adcq	%rax, %r8
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 64(%r15)
+        adcq	%rcx, %rax
+        movq	80(%r10), %rcx
+        movq	80(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 72(%r15)
+        adcq	%r8, %rcx
+        movq	88(%r10), %r8
+        movq	88(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 80(%r15)
+        adcq	%rax, %r8
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 88(%r15)
+        adcq	%rcx, %rax
+        movq	104(%r10), %rcx
+        movq	104(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 96(%r15)
+        adcq	%r8, %rcx
+        movq	112(%r10), %r8
+        movq	112(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 104(%r15)
+        adcq	%rax, %r8
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 112(%r15)
+        adcq	%rcx, %rax
+        movq	128(%r10), %rcx
+        movq	128(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 120(%r15)
+        adcq	%r8, %rcx
+        movq	136(%r10), %r8
+        movq	136(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 128(%r15)
+        adcq	%rax, %r8
+        movq	144(%r10), %rax
+        movq	144(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 136(%r15)
+        adcq	%rcx, %rax
+        movq	152(%r10), %rcx
+        movq	152(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 144(%r15)
+        adcq	%r8, %rcx
+        movq	160(%r10), %r8
+        movq	160(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 152(%r15)
+        adcq	%rax, %r8
+        movq	168(%r10), %rax
+        movq	168(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 160(%r15)
+        adcq	%rcx, %rax
+        movq	176(%r10), %rcx
+        movq	176(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 168(%r15)
+        adcq	%r8, %rcx
+        movq	184(%r10), %r8
+        movq	184(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 176(%r15)
+        adcq	%rax, %r8
+        movq	%r8, 184(%r15)
+        adcq	$0, %r9
+        leaq	384(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%r11), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%r11), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%r11), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%r11), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%r11), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%r11), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%r11), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%r11), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%r11), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%r11), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%r11), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%r11), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%r11), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%r11), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%r11), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%r11), %r8
+        movq	%r8, 376(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%rdi), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%rdi), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%rdi), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%rdi), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%rdi), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%rdi), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%rdi), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%rdi), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%rdi), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%rdi), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%rdi), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%rdi), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%rdi), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%rdi), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%rdi), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%rdi), %r8
+        movq	%r8, 376(%r10)
+        sbbq	$0, %r9
+        subq	$192, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r10), %r8
+        movq	264(%r15), %rax
+        movq	%r8, 256(%r15)
+        adcq	264(%r10), %rax
+        movq	272(%r15), %rcx
+        movq	%rax, 264(%r15)
+        adcq	272(%r10), %rcx
+        movq	280(%r15), %r8
+        movq	%rcx, 272(%r15)
+        adcq	280(%r10), %r8
+        movq	288(%r15), %rax
+        movq	%r8, 280(%r15)
+        adcq	288(%r10), %rax
+        movq	296(%r15), %rcx
+        movq	%rax, 288(%r15)
+        adcq	296(%r10), %rcx
+        movq	304(%r15), %r8
+        movq	%rcx, 296(%r15)
+        adcq	304(%r10), %r8
+        movq	312(%r15), %rax
+        movq	%r8, 304(%r15)
+        adcq	312(%r10), %rax
+        movq	320(%r15), %rcx
+        movq	%rax, 312(%r15)
+        adcq	320(%r10), %rcx
+        movq	328(%r15), %r8
+        movq	%rcx, 320(%r15)
+        adcq	328(%r10), %r8
+        movq	336(%r15), %rax
+        movq	%r8, 328(%r15)
+        adcq	336(%r10), %rax
+        movq	344(%r15), %rcx
+        movq	%rax, 336(%r15)
+        adcq	344(%r10), %rcx
+        movq	352(%r15), %r8
+        movq	%rcx, 344(%r15)
+        adcq	352(%r10), %r8
+        movq	360(%r15), %rax
+        movq	%r8, 352(%r15)
+        adcq	360(%r10), %rax
+        movq	368(%r15), %rcx
+        movq	%rax, 360(%r15)
+        adcq	368(%r10), %rcx
+        movq	376(%r15), %r8
+        movq	%rcx, 368(%r15)
+        adcq	376(%r10), %r8
+        movq	%r8, 376(%r15)
+        adcq	$0, %r9
+        movq	%r9, 576(%rdi)
+        addq	$192, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r11), %rax
+        movq	%rax, 192(%r15)
+        # Add to zero
+        movq	200(%r11), %rax
+        adcq	$0, %rax
+        movq	208(%r11), %rcx
+        movq	%rax, 200(%r15)
+        adcq	$0, %rcx
+        movq	216(%r11), %r8
+        movq	%rcx, 208(%r15)
+        adcq	$0, %r8
+        movq	224(%r11), %rax
+        movq	%r8, 216(%r15)
+        adcq	$0, %rax
+        movq	232(%r11), %rcx
+        movq	%rax, 224(%r15)
+        adcq	$0, %rcx
+        movq	240(%r11), %r8
+        movq	%rcx, 232(%r15)
+        adcq	$0, %r8
+        movq	248(%r11), %rax
+        movq	%r8, 240(%r15)
+        adcq	$0, %rax
+        movq	256(%r11), %rcx
+        movq	%rax, 248(%r15)
+        adcq	$0, %rcx
+        movq	264(%r11), %r8
+        movq	%rcx, 256(%r15)
+        adcq	$0, %r8
+        movq	272(%r11), %rax
+        movq	%r8, 264(%r15)
+        adcq	$0, %rax
+        movq	280(%r11), %rcx
+        movq	%rax, 272(%r15)
+        adcq	$0, %rcx
+        movq	288(%r11), %r8
+        movq	%rcx, 280(%r15)
+        adcq	$0, %r8
+        movq	296(%r11), %rax
+        movq	%r8, 288(%r15)
+        adcq	$0, %rax
+        movq	304(%r11), %rcx
+        movq	%rax, 296(%r15)
+        adcq	$0, %rcx
+        movq	312(%r11), %r8
+        movq	%rcx, 304(%r15)
+        adcq	$0, %r8
+        movq	320(%r11), %rax
+        movq	%r8, 312(%r15)
+        adcq	$0, %rax
+        movq	328(%r11), %rcx
+        movq	%rax, 320(%r15)
+        adcq	$0, %rcx
+        movq	336(%r11), %r8
+        movq	%rcx, 328(%r15)
+        adcq	$0, %r8
+        movq	344(%r11), %rax
+        movq	%r8, 336(%r15)
+        adcq	$0, %rax
+        movq	352(%r11), %rcx
+        movq	%rax, 344(%r15)
+        adcq	$0, %rcx
+        movq	360(%r11), %r8
+        movq	%rcx, 352(%r15)
+        adcq	$0, %r8
+        movq	368(%r11), %rax
+        movq	%r8, 360(%r15)
+        adcq	$0, %rax
+        movq	376(%r11), %rcx
+        movq	%rax, 368(%r15)
+        adcq	$0, %rcx
+        movq	%rcx, 376(%r15)
+        addq	$1192, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_avx2_48,.-sp_3072_mul_avx2_48
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sqr_avx2_48
+.type	sp_3072_sqr_avx2_48,@function
+.align	16
+sp_3072_sqr_avx2_48:
+#else
+.globl	_sp_3072_sqr_avx2_48
+.p2align	4
+_sp_3072_sqr_avx2_48:
+#endif /* __APPLE__ */
+        subq	$984, %rsp
+        movq	%rdi, 960(%rsp)
+        movq	%rsi, 968(%rsp)
+        leaq	768(%rsp), %r8
+        leaq	192(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	128(%rsi), %rdx
+        movq	%rax, 120(%r8)
+        adcq	128(%r9), %rdx
+        movq	136(%rsi), %rax
+        movq	%rdx, 128(%r8)
+        adcq	136(%r9), %rax
+        movq	144(%rsi), %rdx
+        movq	%rax, 136(%r8)
+        adcq	144(%r9), %rdx
+        movq	152(%rsi), %rax
+        movq	%rdx, 144(%r8)
+        adcq	152(%r9), %rax
+        movq	160(%rsi), %rdx
+        movq	%rax, 152(%r8)
+        adcq	160(%r9), %rdx
+        movq	168(%rsi), %rax
+        movq	%rdx, 160(%r8)
+        adcq	168(%r9), %rax
+        movq	176(%rsi), %rdx
+        movq	%rax, 168(%r8)
+        adcq	176(%r9), %rdx
+        movq	184(%rsi), %rax
+        movq	%rdx, 176(%r8)
+        adcq	184(%r9), %rax
+        movq	%rax, 184(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 976(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_24@plt
+#else
+        callq	_sp_3072_sqr_avx2_24
+#endif /* __APPLE__ */
+        movq	968(%rsp), %rsi
+        leaq	384(%rsp), %rdi
+        addq	$192, %rsi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_24@plt
+#else
+        callq	_sp_3072_sqr_avx2_24
+#endif /* __APPLE__ */
+        movq	968(%rsp), %rsi
+        movq	960(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_3072_sqr_avx2_24@plt
+#else
+        callq	_sp_3072_sqr_avx2_24
+#endif /* __APPLE__ */
+        movq	976(%rsp), %r10
+        movq	%rdi, %r9
+        leaq	768(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        addq	$384, %r9
+        movq	(%r8), %rdx
+        pextq	%r10, %rdx, %rdx
+        addq	%rdx, %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r9)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r9)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	%rax, 184(%r9)
+        adcq	$0, %rcx
+        leaq	384(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rsi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rsi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rsi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rsi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rsi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rsi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rsi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rsi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rsi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rsi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rsi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rsi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rsi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rsi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rsi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rsi), %rax
+        movq	%rax, 376(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rdi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rdi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rdi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rdi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rdi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rdi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rdi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rdi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rdi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rdi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rdi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rdi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rdi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rdi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rdi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rdi), %rax
+        movq	%rax, 376(%r8)
+        sbbq	$0, %rcx
+        subq	$192, %r9
+        # Add in place
+        movq	(%r9), %rdx
+        addq	(%r8), %rdx
+        movq	8(%r9), %rax
+        movq	%rdx, (%r9)
+        adcq	8(%r8), %rax
+        movq	16(%r9), %rdx
+        movq	%rax, 8(%r9)
+        adcq	16(%r8), %rdx
+        movq	24(%r9), %rax
+        movq	%rdx, 16(%r9)
+        adcq	24(%r8), %rax
+        movq	32(%r9), %rdx
+        movq	%rax, 24(%r9)
+        adcq	32(%r8), %rdx
+        movq	40(%r9), %rax
+        movq	%rdx, 32(%r9)
+        adcq	40(%r8), %rax
+        movq	48(%r9), %rdx
+        movq	%rax, 40(%r9)
+        adcq	48(%r8), %rdx
+        movq	56(%r9), %rax
+        movq	%rdx, 48(%r9)
+        adcq	56(%r8), %rax
+        movq	64(%r9), %rdx
+        movq	%rax, 56(%r9)
+        adcq	64(%r8), %rdx
+        movq	72(%r9), %rax
+        movq	%rdx, 64(%r9)
+        adcq	72(%r8), %rax
+        movq	80(%r9), %rdx
+        movq	%rax, 72(%r9)
+        adcq	80(%r8), %rdx
+        movq	88(%r9), %rax
+        movq	%rdx, 80(%r9)
+        adcq	88(%r8), %rax
+        movq	96(%r9), %rdx
+        movq	%rax, 88(%r9)
+        adcq	96(%r8), %rdx
+        movq	104(%r9), %rax
+        movq	%rdx, 96(%r9)
+        adcq	104(%r8), %rax
+        movq	112(%r9), %rdx
+        movq	%rax, 104(%r9)
+        adcq	112(%r8), %rdx
+        movq	120(%r9), %rax
+        movq	%rdx, 112(%r9)
+        adcq	120(%r8), %rax
+        movq	128(%r9), %rdx
+        movq	%rax, 120(%r9)
+        adcq	128(%r8), %rdx
+        movq	136(%r9), %rax
+        movq	%rdx, 128(%r9)
+        adcq	136(%r8), %rax
+        movq	144(%r9), %rdx
+        movq	%rax, 136(%r9)
+        adcq	144(%r8), %rdx
+        movq	152(%r9), %rax
+        movq	%rdx, 144(%r9)
+        adcq	152(%r8), %rax
+        movq	160(%r9), %rdx
+        movq	%rax, 152(%r9)
+        adcq	160(%r8), %rdx
+        movq	168(%r9), %rax
+        movq	%rdx, 160(%r9)
+        adcq	168(%r8), %rax
+        movq	176(%r9), %rdx
+        movq	%rax, 168(%r9)
+        adcq	176(%r8), %rdx
+        movq	184(%r9), %rax
+        movq	%rdx, 176(%r9)
+        adcq	184(%r8), %rax
+        movq	192(%r9), %rdx
+        movq	%rax, 184(%r9)
+        adcq	192(%r8), %rdx
+        movq	200(%r9), %rax
+        movq	%rdx, 192(%r9)
+        adcq	200(%r8), %rax
+        movq	208(%r9), %rdx
+        movq	%rax, 200(%r9)
+        adcq	208(%r8), %rdx
+        movq	216(%r9), %rax
+        movq	%rdx, 208(%r9)
+        adcq	216(%r8), %rax
+        movq	224(%r9), %rdx
+        movq	%rax, 216(%r9)
+        adcq	224(%r8), %rdx
+        movq	232(%r9), %rax
+        movq	%rdx, 224(%r9)
+        adcq	232(%r8), %rax
+        movq	240(%r9), %rdx
+        movq	%rax, 232(%r9)
+        adcq	240(%r8), %rdx
+        movq	248(%r9), %rax
+        movq	%rdx, 240(%r9)
+        adcq	248(%r8), %rax
+        movq	256(%r9), %rdx
+        movq	%rax, 248(%r9)
+        adcq	256(%r8), %rdx
+        movq	264(%r9), %rax
+        movq	%rdx, 256(%r9)
+        adcq	264(%r8), %rax
+        movq	272(%r9), %rdx
+        movq	%rax, 264(%r9)
+        adcq	272(%r8), %rdx
+        movq	280(%r9), %rax
+        movq	%rdx, 272(%r9)
+        adcq	280(%r8), %rax
+        movq	288(%r9), %rdx
+        movq	%rax, 280(%r9)
+        adcq	288(%r8), %rdx
+        movq	296(%r9), %rax
+        movq	%rdx, 288(%r9)
+        adcq	296(%r8), %rax
+        movq	304(%r9), %rdx
+        movq	%rax, 296(%r9)
+        adcq	304(%r8), %rdx
+        movq	312(%r9), %rax
+        movq	%rdx, 304(%r9)
+        adcq	312(%r8), %rax
+        movq	320(%r9), %rdx
+        movq	%rax, 312(%r9)
+        adcq	320(%r8), %rdx
+        movq	328(%r9), %rax
+        movq	%rdx, 320(%r9)
+        adcq	328(%r8), %rax
+        movq	336(%r9), %rdx
+        movq	%rax, 328(%r9)
+        adcq	336(%r8), %rdx
+        movq	344(%r9), %rax
+        movq	%rdx, 336(%r9)
+        adcq	344(%r8), %rax
+        movq	352(%r9), %rdx
+        movq	%rax, 344(%r9)
+        adcq	352(%r8), %rdx
+        movq	360(%r9), %rax
+        movq	%rdx, 352(%r9)
+        adcq	360(%r8), %rax
+        movq	368(%r9), %rdx
+        movq	%rax, 360(%r9)
+        adcq	368(%r8), %rdx
+        movq	376(%r9), %rax
+        movq	%rdx, 368(%r9)
+        adcq	376(%r8), %rax
+        movq	%rax, 376(%r9)
+        adcq	$0, %rcx
+        movq	%rcx, 576(%rdi)
+        # Add in place
+        movq	192(%r9), %rdx
+        addq	(%rsi), %rdx
+        movq	200(%r9), %rax
+        movq	%rdx, 192(%r9)
+        adcq	8(%rsi), %rax
+        movq	208(%r9), %rdx
+        movq	%rax, 200(%r9)
+        adcq	16(%rsi), %rdx
+        movq	216(%r9), %rax
+        movq	%rdx, 208(%r9)
+        adcq	24(%rsi), %rax
+        movq	224(%r9), %rdx
+        movq	%rax, 216(%r9)
+        adcq	32(%rsi), %rdx
+        movq	232(%r9), %rax
+        movq	%rdx, 224(%r9)
+        adcq	40(%rsi), %rax
+        movq	240(%r9), %rdx
+        movq	%rax, 232(%r9)
+        adcq	48(%rsi), %rdx
+        movq	248(%r9), %rax
+        movq	%rdx, 240(%r9)
+        adcq	56(%rsi), %rax
+        movq	256(%r9), %rdx
+        movq	%rax, 248(%r9)
+        adcq	64(%rsi), %rdx
+        movq	264(%r9), %rax
+        movq	%rdx, 256(%r9)
+        adcq	72(%rsi), %rax
+        movq	272(%r9), %rdx
+        movq	%rax, 264(%r9)
+        adcq	80(%rsi), %rdx
+        movq	280(%r9), %rax
+        movq	%rdx, 272(%r9)
+        adcq	88(%rsi), %rax
+        movq	288(%r9), %rdx
+        movq	%rax, 280(%r9)
+        adcq	96(%rsi), %rdx
+        movq	296(%r9), %rax
+        movq	%rdx, 288(%r9)
+        adcq	104(%rsi), %rax
+        movq	304(%r9), %rdx
+        movq	%rax, 296(%r9)
+        adcq	112(%rsi), %rdx
+        movq	312(%r9), %rax
+        movq	%rdx, 304(%r9)
+        adcq	120(%rsi), %rax
+        movq	320(%r9), %rdx
+        movq	%rax, 312(%r9)
+        adcq	128(%rsi), %rdx
+        movq	328(%r9), %rax
+        movq	%rdx, 320(%r9)
+        adcq	136(%rsi), %rax
+        movq	336(%r9), %rdx
+        movq	%rax, 328(%r9)
+        adcq	144(%rsi), %rdx
+        movq	344(%r9), %rax
+        movq	%rdx, 336(%r9)
+        adcq	152(%rsi), %rax
+        movq	352(%r9), %rdx
+        movq	%rax, 344(%r9)
+        adcq	160(%rsi), %rdx
+        movq	360(%r9), %rax
+        movq	%rdx, 352(%r9)
+        adcq	168(%rsi), %rax
+        movq	368(%r9), %rdx
+        movq	%rax, 360(%r9)
+        adcq	176(%rsi), %rdx
+        movq	376(%r9), %rax
+        movq	%rdx, 368(%r9)
+        adcq	184(%rsi), %rax
+        movq	384(%r9), %rdx
+        movq	%rax, 376(%r9)
+        adcq	192(%rsi), %rdx
+        movq	%rdx, 384(%r9)
+        # Add to zero
+        movq	200(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	208(%rsi), %rax
+        movq	%rdx, 392(%r9)
+        adcq	$0, %rax
+        movq	216(%rsi), %rdx
+        movq	%rax, 400(%r9)
+        adcq	$0, %rdx
+        movq	224(%rsi), %rax
+        movq	%rdx, 408(%r9)
+        adcq	$0, %rax
+        movq	232(%rsi), %rdx
+        movq	%rax, 416(%r9)
+        adcq	$0, %rdx
+        movq	240(%rsi), %rax
+        movq	%rdx, 424(%r9)
+        adcq	$0, %rax
+        movq	248(%rsi), %rdx
+        movq	%rax, 432(%r9)
+        adcq	$0, %rdx
+        movq	256(%rsi), %rax
+        movq	%rdx, 440(%r9)
+        adcq	$0, %rax
+        movq	264(%rsi), %rdx
+        movq	%rax, 448(%r9)
+        adcq	$0, %rdx
+        movq	272(%rsi), %rax
+        movq	%rdx, 456(%r9)
+        adcq	$0, %rax
+        movq	280(%rsi), %rdx
+        movq	%rax, 464(%r9)
+        adcq	$0, %rdx
+        movq	288(%rsi), %rax
+        movq	%rdx, 472(%r9)
+        adcq	$0, %rax
+        movq	296(%rsi), %rdx
+        movq	%rax, 480(%r9)
+        adcq	$0, %rdx
+        movq	304(%rsi), %rax
+        movq	%rdx, 488(%r9)
+        adcq	$0, %rax
+        movq	312(%rsi), %rdx
+        movq	%rax, 496(%r9)
+        adcq	$0, %rdx
+        movq	320(%rsi), %rax
+        movq	%rdx, 504(%r9)
+        adcq	$0, %rax
+        movq	328(%rsi), %rdx
+        movq	%rax, 512(%r9)
+        adcq	$0, %rdx
+        movq	336(%rsi), %rax
+        movq	%rdx, 520(%r9)
+        adcq	$0, %rax
+        movq	344(%rsi), %rdx
+        movq	%rax, 528(%r9)
+        adcq	$0, %rdx
+        movq	352(%rsi), %rax
+        movq	%rdx, 536(%r9)
+        adcq	$0, %rax
+        movq	360(%rsi), %rdx
+        movq	%rax, 544(%r9)
+        adcq	$0, %rdx
+        movq	368(%rsi), %rax
+        movq	%rdx, 552(%r9)
+        adcq	$0, %rax
+        movq	376(%rsi), %rdx
+        movq	%rax, 560(%r9)
+        adcq	$0, %rdx
+        movq	%rdx, 568(%r9)
+        addq	$984, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sqr_avx2_48,.-sp_3072_sqr_avx2_48
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_d_48
+.type	sp_3072_mul_d_48,@function
+.align	16
+sp_3072_mul_d_48:
+#else
+.globl	_sp_3072_mul_d_48
+.p2align	4
+_sp_3072_mul_d_48:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 40(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 48(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 56(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 64(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 72(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 80(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 88(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 96(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 104(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 112(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 120(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[16] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	128(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 128(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[17] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 136(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[18] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 144(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[19] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	152(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 152(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[20] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	160(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 160(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[21] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	168(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 168(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[22] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	176(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 176(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[23] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 184(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[24] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 192(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[25] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	200(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 200(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[26] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	208(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 208(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[27] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	216(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 216(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[28] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	224(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 224(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[29] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 232(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[30] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 240(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[31] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	248(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 248(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[32] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	256(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 256(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[33] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	264(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 264(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[34] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	272(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 272(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[35] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	280(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 280(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[36] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	288(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 288(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[37] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	296(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 296(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[38] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	304(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 304(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[39] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	312(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 312(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[40] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	320(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 320(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[41] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	328(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 328(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[42] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	336(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 336(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[43] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	344(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 344(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[44] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	352(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 352(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[45] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	360(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 360(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[46] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	368(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 368(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[47] * B
+        movq	%rcx, %rax
+        mulq	376(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        movq	%r10, 376(%rdi)
+        movq	%r8, 384(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_d_48,.-sp_3072_mul_d_48
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_sub_24
+.type	sp_3072_cond_sub_24,@function
+.align	16
+sp_3072_cond_sub_24:
+#else
+.globl	_sp_3072_cond_sub_24
+.p2align	4
+_sp_3072_cond_sub_24:
+#endif /* __APPLE__ */
+        subq	$192, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        sbbq	$0, %rax
+        addq	$192, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_sub_24,.-sp_3072_cond_sub_24
+#endif /* __APPLE__ */
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mont_reduce_24
+.type	sp_3072_mont_reduce_24,@function
+.align	16
+sp_3072_mont_reduce_24:
+#else
+.globl	_sp_3072_mont_reduce_24
+.p2align	4
+_sp_3072_mont_reduce_24:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 24
+        movq	$24, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_24:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	$0, %r9
+        # a[i+6] += m[6] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        movq	48(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 48(%rdi)
+        adcq	$0, %r10
+        # a[i+7] += m[7] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	56(%rsi)
+        movq	56(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 56(%rdi)
+        adcq	$0, %r9
+        # a[i+8] += m[8] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	64(%rsi)
+        movq	64(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 64(%rdi)
+        adcq	$0, %r10
+        # a[i+9] += m[9] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	72(%rsi)
+        movq	72(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 72(%rdi)
+        adcq	$0, %r9
+        # a[i+10] += m[10] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	80(%rsi)
+        movq	80(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 80(%rdi)
+        adcq	$0, %r10
+        # a[i+11] += m[11] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        movq	88(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 88(%rdi)
+        adcq	$0, %r9
+        # a[i+12] += m[12] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        movq	96(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 96(%rdi)
+        adcq	$0, %r10
+        # a[i+13] += m[13] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	104(%rsi)
+        movq	104(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 104(%rdi)
+        adcq	$0, %r9
+        # a[i+14] += m[14] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	112(%rsi)
+        movq	112(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 112(%rdi)
+        adcq	$0, %r10
+        # a[i+15] += m[15] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	120(%rsi)
+        movq	120(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 120(%rdi)
+        adcq	$0, %r9
+        # a[i+16] += m[16] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	128(%rsi)
+        movq	128(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 128(%rdi)
+        adcq	$0, %r10
+        # a[i+17] += m[17] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        movq	136(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 136(%rdi)
+        adcq	$0, %r9
+        # a[i+18] += m[18] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        movq	144(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 144(%rdi)
+        adcq	$0, %r10
+        # a[i+19] += m[19] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	152(%rsi)
+        movq	152(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 152(%rdi)
+        adcq	$0, %r9
+        # a[i+20] += m[20] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	160(%rsi)
+        movq	160(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 160(%rdi)
+        adcq	$0, %r10
+        # a[i+21] += m[21] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	168(%rsi)
+        movq	168(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 168(%rdi)
+        adcq	$0, %r9
+        # a[i+22] += m[22] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	176(%rsi)
+        movq	176(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 176(%rdi)
+        adcq	$0, %r10
+        # a[i+23] += m[23] * mu
+        movq	%r11, %rax
+        mulq	184(%rsi)
+        movq	184(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 184(%rdi)
+        adcq	%rdx, 192(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_24
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$192, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_cond_sub_24@plt
+#else
+        callq	_sp_3072_cond_sub_24
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mont_reduce_24,.-sp_3072_mont_reduce_24
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_sub_avx2_24
+.type	sp_3072_cond_sub_avx2_24,@function
+.align	16
+sp_3072_cond_sub_avx2_24:
+#else
+.globl	_sp_3072_cond_sub_avx2_24
+.p2align	4
+_sp_3072_cond_sub_avx2_24:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        sbbq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        sbbq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        sbbq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        sbbq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        sbbq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        sbbq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        sbbq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        sbbq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        sbbq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        sbbq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        sbbq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        sbbq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        sbbq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        sbbq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        sbbq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        sbbq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        sbbq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        sbbq	%r8, %r10
+        movq	%r10, 184(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_sub_avx2_24,.-sp_3072_cond_sub_avx2_24
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_d_24
+.type	sp_3072_mul_d_24,@function
+.align	16
+sp_3072_mul_d_24:
+#else
+.globl	_sp_3072_mul_d_24
+.p2align	4
+_sp_3072_mul_d_24:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 40(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 48(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 56(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 64(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 72(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 80(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 88(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 96(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 104(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 112(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 120(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[16] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	128(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 128(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[17] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 136(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[18] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 144(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[19] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	152(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 152(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[20] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	160(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 160(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[21] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	168(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 168(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[22] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	176(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 176(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[23] * B
+        movq	%rcx, %rax
+        mulq	184(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        movq	%r10, 184(%rdi)
+        movq	%r8, 192(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_d_24,.-sp_3072_mul_d_24
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_d_avx2_24
+.type	sp_3072_mul_d_avx2_24,@function
+.align	16
+sp_3072_mul_d_avx2_24:
+#else
+.globl	_sp_3072_mul_d_avx2_24
+.p2align	4
+_sp_3072_mul_d_avx2_24:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 40(%rdi)
+        adoxq	%r8, %r9
+        # A[6] * B
+        mulxq	48(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 48(%rdi)
+        adoxq	%r8, %r10
+        # A[7] * B
+        mulxq	56(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 56(%rdi)
+        adoxq	%r8, %r9
+        # A[8] * B
+        mulxq	64(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 64(%rdi)
+        adoxq	%r8, %r10
+        # A[9] * B
+        mulxq	72(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 72(%rdi)
+        adoxq	%r8, %r9
+        # A[10] * B
+        mulxq	80(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 80(%rdi)
+        adoxq	%r8, %r10
+        # A[11] * B
+        mulxq	88(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 88(%rdi)
+        adoxq	%r8, %r9
+        # A[12] * B
+        mulxq	96(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 96(%rdi)
+        adoxq	%r8, %r10
+        # A[13] * B
+        mulxq	104(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 104(%rdi)
+        adoxq	%r8, %r9
+        # A[14] * B
+        mulxq	112(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 112(%rdi)
+        adoxq	%r8, %r10
+        # A[15] * B
+        mulxq	120(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 120(%rdi)
+        adoxq	%r8, %r9
+        # A[16] * B
+        mulxq	128(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 128(%rdi)
+        adoxq	%r8, %r10
+        # A[17] * B
+        mulxq	136(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 136(%rdi)
+        adoxq	%r8, %r9
+        # A[18] * B
+        mulxq	144(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 144(%rdi)
+        adoxq	%r8, %r10
+        # A[19] * B
+        mulxq	152(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 152(%rdi)
+        adoxq	%r8, %r9
+        # A[20] * B
+        mulxq	160(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 160(%rdi)
+        adoxq	%r8, %r10
+        # A[21] * B
+        mulxq	168(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 168(%rdi)
+        adoxq	%r8, %r9
+        # A[22] * B
+        mulxq	176(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 176(%rdi)
+        adoxq	%r8, %r10
+        # A[23] * B
+        mulxq	184(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 184(%rdi)
+        movq	%r9, 192(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_d_avx2_24,.-sp_3072_mul_d_avx2_24
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cmp_24
+.type	sp_3072_cmp_24,@function
+.align	16
+sp_3072_cmp_24:
+#else
+.globl	_sp_3072_cmp_24
+.p2align	4
+_sp_3072_cmp_24:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	184(%rdi), %r9
+        movq	184(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	176(%rdi), %r9
+        movq	176(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	168(%rdi), %r9
+        movq	168(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	160(%rdi), %r9
+        movq	160(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	152(%rdi), %r9
+        movq	152(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	144(%rdi), %r9
+        movq	144(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	136(%rdi), %r9
+        movq	136(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	128(%rdi), %r9
+        movq	128(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	120(%rdi), %r9
+        movq	120(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	112(%rdi), %r9
+        movq	112(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	104(%rdi), %r9
+        movq	104(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	96(%rdi), %r9
+        movq	96(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	88(%rdi), %r9
+        movq	88(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	80(%rdi), %r9
+        movq	80(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	72(%rdi), %r9
+        movq	72(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	64(%rdi), %r9
+        movq	64(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	56(%rdi), %r9
+        movq	56(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	48(%rdi), %r9
+        movq	48(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cmp_24,.-sp_3072_cmp_24
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mont_reduce_avx2_24
+.type	sp_3072_mont_reduce_avx2_24,@function
+.align	16
+sp_3072_mont_reduce_avx2_24:
+#else
+.globl	_sp_3072_mont_reduce_avx2_24
+.p2align	4
+_sp_3072_mont_reduce_avx2_24:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %r8
+        xorq	%r14, %r14
+        # i = 24
+        movq	$24, %r9
+        movq	(%rdi), %r13
+        addq	$96, %rdi
+        xorq	%r12, %r12
+L_mont_loop_avx2_24:
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-88(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-80(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -80(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -72(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -64(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -56(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -48(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -40(%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -32(%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -24(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -16(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -8(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, (%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 8(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 16(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 24(%rdi)
+        # a[i+16] += m[16] * mu
+        mulxq	128(%rsi), %rax, %rcx
+        movq	40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 32(%rdi)
+        # a[i+17] += m[17] * mu
+        mulxq	136(%rsi), %rax, %rcx
+        movq	48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 40(%rdi)
+        # a[i+18] += m[18] * mu
+        mulxq	144(%rsi), %rax, %rcx
+        movq	56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 48(%rdi)
+        # a[i+19] += m[19] * mu
+        mulxq	152(%rsi), %rax, %rcx
+        movq	64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 56(%rdi)
+        # a[i+20] += m[20] * mu
+        mulxq	160(%rsi), %rax, %rcx
+        movq	72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 64(%rdi)
+        # a[i+21] += m[21] * mu
+        mulxq	168(%rsi), %rax, %rcx
+        movq	80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 72(%rdi)
+        # a[i+22] += m[22] * mu
+        mulxq	176(%rsi), %rax, %rcx
+        movq	88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 80(%rdi)
+        # a[i+23] += m[23] * mu
+        mulxq	184(%rsi), %rax, %rcx
+        movq	96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 88(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 96(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # a += 1
+        addq	$8, %rdi
+        # i -= 1
+        subq	$1, %r9
+        jnz	L_mont_loop_avx2_24
+        subq	$96, %rdi
+        negq	%r14
+        movq	%rdi, %r8
+        subq	$192, %rdi
+        movq	(%rsi), %rcx
+        movq	%r13, %rdx
+        pextq	%r14, %rcx, %rcx
+        subq	%rcx, %rdx
+        movq	8(%rsi), %rcx
+        movq	8(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, (%rdi)
+        sbbq	%rcx, %rax
+        movq	16(%rsi), %rdx
+        movq	16(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 8(%rdi)
+        sbbq	%rdx, %rcx
+        movq	24(%rsi), %rax
+        movq	24(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 16(%rdi)
+        sbbq	%rax, %rdx
+        movq	32(%rsi), %rcx
+        movq	32(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 24(%rdi)
+        sbbq	%rcx, %rax
+        movq	40(%rsi), %rdx
+        movq	40(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 32(%rdi)
+        sbbq	%rdx, %rcx
+        movq	48(%rsi), %rax
+        movq	48(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 40(%rdi)
+        sbbq	%rax, %rdx
+        movq	56(%rsi), %rcx
+        movq	56(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	%rcx, %rax
+        movq	64(%rsi), %rdx
+        movq	64(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 56(%rdi)
+        sbbq	%rdx, %rcx
+        movq	72(%rsi), %rax
+        movq	72(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 64(%rdi)
+        sbbq	%rax, %rdx
+        movq	80(%rsi), %rcx
+        movq	80(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 72(%rdi)
+        sbbq	%rcx, %rax
+        movq	88(%rsi), %rdx
+        movq	88(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 80(%rdi)
+        sbbq	%rdx, %rcx
+        movq	96(%rsi), %rax
+        movq	96(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 88(%rdi)
+        sbbq	%rax, %rdx
+        movq	104(%rsi), %rcx
+        movq	104(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	%rcx, %rax
+        movq	112(%rsi), %rdx
+        movq	112(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 104(%rdi)
+        sbbq	%rdx, %rcx
+        movq	120(%rsi), %rax
+        movq	120(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 112(%rdi)
+        sbbq	%rax, %rdx
+        movq	128(%rsi), %rcx
+        movq	128(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 120(%rdi)
+        sbbq	%rcx, %rax
+        movq	136(%rsi), %rdx
+        movq	136(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 128(%rdi)
+        sbbq	%rdx, %rcx
+        movq	144(%rsi), %rax
+        movq	144(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 136(%rdi)
+        sbbq	%rax, %rdx
+        movq	152(%rsi), %rcx
+        movq	152(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	%rcx, %rax
+        movq	160(%rsi), %rdx
+        movq	160(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 152(%rdi)
+        sbbq	%rdx, %rcx
+        movq	168(%rsi), %rax
+        movq	168(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 160(%rdi)
+        sbbq	%rax, %rdx
+        movq	176(%rsi), %rcx
+        movq	176(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 168(%rdi)
+        sbbq	%rcx, %rax
+        movq	184(%rsi), %rdx
+        movq	184(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 176(%rdi)
+        sbbq	%rdx, %rcx
+        movq	%rcx, 184(%rdi)
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mont_reduce_avx2_24,.-sp_3072_mont_reduce_avx2_24
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_sub_48
+.type	sp_3072_cond_sub_48,@function
+.align	16
+sp_3072_cond_sub_48:
+#else
+.globl	_sp_3072_cond_sub_48
+.p2align	4
+_sp_3072_cond_sub_48:
+#endif /* __APPLE__ */
+        subq	$384, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	192(%rdx), %r8
+        movq	200(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 192(%rsp)
+        movq	%r9, 200(%rsp)
+        movq	208(%rdx), %r8
+        movq	216(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 208(%rsp)
+        movq	%r9, 216(%rsp)
+        movq	224(%rdx), %r8
+        movq	232(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 224(%rsp)
+        movq	%r9, 232(%rsp)
+        movq	240(%rdx), %r8
+        movq	248(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 240(%rsp)
+        movq	%r9, 248(%rsp)
+        movq	256(%rdx), %r8
+        movq	264(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 256(%rsp)
+        movq	%r9, 264(%rsp)
+        movq	272(%rdx), %r8
+        movq	280(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 272(%rsp)
+        movq	%r9, 280(%rsp)
+        movq	288(%rdx), %r8
+        movq	296(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 288(%rsp)
+        movq	%r9, 296(%rsp)
+        movq	304(%rdx), %r8
+        movq	312(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 304(%rsp)
+        movq	%r9, 312(%rsp)
+        movq	320(%rdx), %r8
+        movq	328(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 320(%rsp)
+        movq	%r9, 328(%rsp)
+        movq	336(%rdx), %r8
+        movq	344(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 336(%rsp)
+        movq	%r9, 344(%rsp)
+        movq	352(%rdx), %r8
+        movq	360(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 352(%rsp)
+        movq	%r9, 360(%rsp)
+        movq	368(%rdx), %r8
+        movq	376(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 368(%rsp)
+        movq	%r9, 376(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	192(%rsi), %r8
+        movq	192(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 184(%rdi)
+        movq	200(%rsi), %r9
+        movq	200(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 192(%rdi)
+        movq	208(%rsi), %r8
+        movq	208(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 200(%rdi)
+        movq	216(%rsi), %r9
+        movq	216(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 208(%rdi)
+        movq	224(%rsi), %r8
+        movq	224(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 216(%rdi)
+        movq	232(%rsi), %r9
+        movq	232(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 224(%rdi)
+        movq	240(%rsi), %r8
+        movq	240(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 232(%rdi)
+        movq	248(%rsi), %r9
+        movq	248(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 240(%rdi)
+        movq	256(%rsi), %r8
+        movq	256(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 248(%rdi)
+        movq	264(%rsi), %r9
+        movq	264(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 256(%rdi)
+        movq	272(%rsi), %r8
+        movq	272(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 264(%rdi)
+        movq	280(%rsi), %r9
+        movq	280(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 272(%rdi)
+        movq	288(%rsi), %r8
+        movq	288(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 280(%rdi)
+        movq	296(%rsi), %r9
+        movq	296(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 288(%rdi)
+        movq	304(%rsi), %r8
+        movq	304(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 296(%rdi)
+        movq	312(%rsi), %r9
+        movq	312(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 304(%rdi)
+        movq	320(%rsi), %r8
+        movq	320(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 312(%rdi)
+        movq	328(%rsi), %r9
+        movq	328(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 320(%rdi)
+        movq	336(%rsi), %r8
+        movq	336(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 328(%rdi)
+        movq	344(%rsi), %r9
+        movq	344(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 336(%rdi)
+        movq	352(%rsi), %r8
+        movq	352(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 344(%rdi)
+        movq	360(%rsi), %r9
+        movq	360(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 352(%rdi)
+        movq	368(%rsi), %r8
+        movq	368(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 360(%rdi)
+        movq	376(%rsi), %r9
+        movq	376(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 368(%rdi)
+        movq	%r9, 376(%rdi)
+        sbbq	$0, %rax
+        addq	$384, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_sub_48,.-sp_3072_cond_sub_48
+#endif /* __APPLE__ */
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mont_reduce_48
+.type	sp_3072_mont_reduce_48,@function
+.align	16
+sp_3072_mont_reduce_48:
+#else
+.globl	_sp_3072_mont_reduce_48
+.p2align	4
+_sp_3072_mont_reduce_48:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 48
+        movq	$48, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_48:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	$0, %r9
+        # a[i+6] += m[6] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        movq	48(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 48(%rdi)
+        adcq	$0, %r10
+        # a[i+7] += m[7] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	56(%rsi)
+        movq	56(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 56(%rdi)
+        adcq	$0, %r9
+        # a[i+8] += m[8] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	64(%rsi)
+        movq	64(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 64(%rdi)
+        adcq	$0, %r10
+        # a[i+9] += m[9] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	72(%rsi)
+        movq	72(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 72(%rdi)
+        adcq	$0, %r9
+        # a[i+10] += m[10] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	80(%rsi)
+        movq	80(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 80(%rdi)
+        adcq	$0, %r10
+        # a[i+11] += m[11] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        movq	88(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 88(%rdi)
+        adcq	$0, %r9
+        # a[i+12] += m[12] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        movq	96(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 96(%rdi)
+        adcq	$0, %r10
+        # a[i+13] += m[13] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	104(%rsi)
+        movq	104(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 104(%rdi)
+        adcq	$0, %r9
+        # a[i+14] += m[14] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	112(%rsi)
+        movq	112(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 112(%rdi)
+        adcq	$0, %r10
+        # a[i+15] += m[15] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	120(%rsi)
+        movq	120(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 120(%rdi)
+        adcq	$0, %r9
+        # a[i+16] += m[16] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	128(%rsi)
+        movq	128(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 128(%rdi)
+        adcq	$0, %r10
+        # a[i+17] += m[17] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        movq	136(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 136(%rdi)
+        adcq	$0, %r9
+        # a[i+18] += m[18] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        movq	144(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 144(%rdi)
+        adcq	$0, %r10
+        # a[i+19] += m[19] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	152(%rsi)
+        movq	152(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 152(%rdi)
+        adcq	$0, %r9
+        # a[i+20] += m[20] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	160(%rsi)
+        movq	160(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 160(%rdi)
+        adcq	$0, %r10
+        # a[i+21] += m[21] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	168(%rsi)
+        movq	168(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 168(%rdi)
+        adcq	$0, %r9
+        # a[i+22] += m[22] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	176(%rsi)
+        movq	176(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 176(%rdi)
+        adcq	$0, %r10
+        # a[i+23] += m[23] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        movq	184(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 184(%rdi)
+        adcq	$0, %r9
+        # a[i+24] += m[24] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        movq	192(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 192(%rdi)
+        adcq	$0, %r10
+        # a[i+25] += m[25] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	200(%rsi)
+        movq	200(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 200(%rdi)
+        adcq	$0, %r9
+        # a[i+26] += m[26] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	208(%rsi)
+        movq	208(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 208(%rdi)
+        adcq	$0, %r10
+        # a[i+27] += m[27] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	216(%rsi)
+        movq	216(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 216(%rdi)
+        adcq	$0, %r9
+        # a[i+28] += m[28] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	224(%rsi)
+        movq	224(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 224(%rdi)
+        adcq	$0, %r10
+        # a[i+29] += m[29] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        movq	232(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 232(%rdi)
+        adcq	$0, %r9
+        # a[i+30] += m[30] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        movq	240(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 240(%rdi)
+        adcq	$0, %r10
+        # a[i+31] += m[31] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	248(%rsi)
+        movq	248(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 248(%rdi)
+        adcq	$0, %r9
+        # a[i+32] += m[32] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	256(%rsi)
+        movq	256(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 256(%rdi)
+        adcq	$0, %r10
+        # a[i+33] += m[33] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	264(%rsi)
+        movq	264(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 264(%rdi)
+        adcq	$0, %r9
+        # a[i+34] += m[34] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	272(%rsi)
+        movq	272(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 272(%rdi)
+        adcq	$0, %r10
+        # a[i+35] += m[35] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	280(%rsi)
+        movq	280(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 280(%rdi)
+        adcq	$0, %r9
+        # a[i+36] += m[36] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	288(%rsi)
+        movq	288(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 288(%rdi)
+        adcq	$0, %r10
+        # a[i+37] += m[37] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	296(%rsi)
+        movq	296(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 296(%rdi)
+        adcq	$0, %r9
+        # a[i+38] += m[38] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	304(%rsi)
+        movq	304(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 304(%rdi)
+        adcq	$0, %r10
+        # a[i+39] += m[39] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	312(%rsi)
+        movq	312(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 312(%rdi)
+        adcq	$0, %r9
+        # a[i+40] += m[40] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	320(%rsi)
+        movq	320(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 320(%rdi)
+        adcq	$0, %r10
+        # a[i+41] += m[41] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	328(%rsi)
+        movq	328(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 328(%rdi)
+        adcq	$0, %r9
+        # a[i+42] += m[42] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	336(%rsi)
+        movq	336(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 336(%rdi)
+        adcq	$0, %r10
+        # a[i+43] += m[43] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	344(%rsi)
+        movq	344(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 344(%rdi)
+        adcq	$0, %r9
+        # a[i+44] += m[44] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	352(%rsi)
+        movq	352(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 352(%rdi)
+        adcq	$0, %r10
+        # a[i+45] += m[45] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	360(%rsi)
+        movq	360(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 360(%rdi)
+        adcq	$0, %r9
+        # a[i+46] += m[46] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	368(%rsi)
+        movq	368(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 368(%rdi)
+        adcq	$0, %r10
+        # a[i+47] += m[47] * mu
+        movq	%r11, %rax
+        mulq	376(%rsi)
+        movq	376(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 376(%rdi)
+        adcq	%rdx, 384(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_48
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$384, %rdi
+#ifndef __APPLE__
+        callq	sp_3072_cond_sub_48@plt
+#else
+        callq	_sp_3072_cond_sub_48
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mont_reduce_48,.-sp_3072_mont_reduce_48
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_sub_avx2_48
+.type	sp_3072_cond_sub_avx2_48,@function
+.align	16
+sp_3072_cond_sub_avx2_48:
+#else
+.globl	_sp_3072_cond_sub_avx2_48
+.p2align	4
+_sp_3072_cond_sub_avx2_48:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        sbbq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        sbbq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        sbbq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        sbbq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        sbbq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        sbbq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        sbbq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        sbbq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        sbbq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        sbbq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        sbbq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        sbbq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        sbbq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        sbbq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        sbbq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        sbbq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        sbbq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        sbbq	%r8, %r10
+        movq	192(%rdx), %r9
+        movq	192(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 184(%rdi)
+        sbbq	%r9, %r8
+        movq	200(%rdx), %r10
+        movq	200(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 192(%rdi)
+        sbbq	%r10, %r9
+        movq	208(%rdx), %r8
+        movq	208(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 200(%rdi)
+        sbbq	%r8, %r10
+        movq	216(%rdx), %r9
+        movq	216(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 208(%rdi)
+        sbbq	%r9, %r8
+        movq	224(%rdx), %r10
+        movq	224(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 216(%rdi)
+        sbbq	%r10, %r9
+        movq	232(%rdx), %r8
+        movq	232(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 224(%rdi)
+        sbbq	%r8, %r10
+        movq	240(%rdx), %r9
+        movq	240(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 232(%rdi)
+        sbbq	%r9, %r8
+        movq	248(%rdx), %r10
+        movq	248(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 240(%rdi)
+        sbbq	%r10, %r9
+        movq	256(%rdx), %r8
+        movq	256(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 248(%rdi)
+        sbbq	%r8, %r10
+        movq	264(%rdx), %r9
+        movq	264(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 256(%rdi)
+        sbbq	%r9, %r8
+        movq	272(%rdx), %r10
+        movq	272(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 264(%rdi)
+        sbbq	%r10, %r9
+        movq	280(%rdx), %r8
+        movq	280(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 272(%rdi)
+        sbbq	%r8, %r10
+        movq	288(%rdx), %r9
+        movq	288(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 280(%rdi)
+        sbbq	%r9, %r8
+        movq	296(%rdx), %r10
+        movq	296(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 288(%rdi)
+        sbbq	%r10, %r9
+        movq	304(%rdx), %r8
+        movq	304(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 296(%rdi)
+        sbbq	%r8, %r10
+        movq	312(%rdx), %r9
+        movq	312(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 304(%rdi)
+        sbbq	%r9, %r8
+        movq	320(%rdx), %r10
+        movq	320(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 312(%rdi)
+        sbbq	%r10, %r9
+        movq	328(%rdx), %r8
+        movq	328(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 320(%rdi)
+        sbbq	%r8, %r10
+        movq	336(%rdx), %r9
+        movq	336(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 328(%rdi)
+        sbbq	%r9, %r8
+        movq	344(%rdx), %r10
+        movq	344(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 336(%rdi)
+        sbbq	%r10, %r9
+        movq	352(%rdx), %r8
+        movq	352(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 344(%rdi)
+        sbbq	%r8, %r10
+        movq	360(%rdx), %r9
+        movq	360(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 352(%rdi)
+        sbbq	%r9, %r8
+        movq	368(%rdx), %r10
+        movq	368(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 360(%rdi)
+        sbbq	%r10, %r9
+        movq	376(%rdx), %r8
+        movq	376(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 368(%rdi)
+        sbbq	%r8, %r10
+        movq	%r10, 376(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_sub_avx2_48,.-sp_3072_cond_sub_avx2_48
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mul_d_avx2_48
+.type	sp_3072_mul_d_avx2_48,@function
+.align	16
+sp_3072_mul_d_avx2_48:
+#else
+.globl	_sp_3072_mul_d_avx2_48
+.p2align	4
+_sp_3072_mul_d_avx2_48:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 40(%rdi)
+        adoxq	%r8, %r9
+        # A[6] * B
+        mulxq	48(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 48(%rdi)
+        adoxq	%r8, %r10
+        # A[7] * B
+        mulxq	56(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 56(%rdi)
+        adoxq	%r8, %r9
+        # A[8] * B
+        mulxq	64(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 64(%rdi)
+        adoxq	%r8, %r10
+        # A[9] * B
+        mulxq	72(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 72(%rdi)
+        adoxq	%r8, %r9
+        # A[10] * B
+        mulxq	80(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 80(%rdi)
+        adoxq	%r8, %r10
+        # A[11] * B
+        mulxq	88(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 88(%rdi)
+        adoxq	%r8, %r9
+        # A[12] * B
+        mulxq	96(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 96(%rdi)
+        adoxq	%r8, %r10
+        # A[13] * B
+        mulxq	104(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 104(%rdi)
+        adoxq	%r8, %r9
+        # A[14] * B
+        mulxq	112(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 112(%rdi)
+        adoxq	%r8, %r10
+        # A[15] * B
+        mulxq	120(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 120(%rdi)
+        adoxq	%r8, %r9
+        # A[16] * B
+        mulxq	128(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 128(%rdi)
+        adoxq	%r8, %r10
+        # A[17] * B
+        mulxq	136(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 136(%rdi)
+        adoxq	%r8, %r9
+        # A[18] * B
+        mulxq	144(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 144(%rdi)
+        adoxq	%r8, %r10
+        # A[19] * B
+        mulxq	152(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 152(%rdi)
+        adoxq	%r8, %r9
+        # A[20] * B
+        mulxq	160(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 160(%rdi)
+        adoxq	%r8, %r10
+        # A[21] * B
+        mulxq	168(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 168(%rdi)
+        adoxq	%r8, %r9
+        # A[22] * B
+        mulxq	176(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 176(%rdi)
+        adoxq	%r8, %r10
+        # A[23] * B
+        mulxq	184(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 184(%rdi)
+        adoxq	%r8, %r9
+        # A[24] * B
+        mulxq	192(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 192(%rdi)
+        adoxq	%r8, %r10
+        # A[25] * B
+        mulxq	200(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 200(%rdi)
+        adoxq	%r8, %r9
+        # A[26] * B
+        mulxq	208(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 208(%rdi)
+        adoxq	%r8, %r10
+        # A[27] * B
+        mulxq	216(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 216(%rdi)
+        adoxq	%r8, %r9
+        # A[28] * B
+        mulxq	224(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 224(%rdi)
+        adoxq	%r8, %r10
+        # A[29] * B
+        mulxq	232(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 232(%rdi)
+        adoxq	%r8, %r9
+        # A[30] * B
+        mulxq	240(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 240(%rdi)
+        adoxq	%r8, %r10
+        # A[31] * B
+        mulxq	248(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 248(%rdi)
+        adoxq	%r8, %r9
+        # A[32] * B
+        mulxq	256(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 256(%rdi)
+        adoxq	%r8, %r10
+        # A[33] * B
+        mulxq	264(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 264(%rdi)
+        adoxq	%r8, %r9
+        # A[34] * B
+        mulxq	272(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 272(%rdi)
+        adoxq	%r8, %r10
+        # A[35] * B
+        mulxq	280(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 280(%rdi)
+        adoxq	%r8, %r9
+        # A[36] * B
+        mulxq	288(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 288(%rdi)
+        adoxq	%r8, %r10
+        # A[37] * B
+        mulxq	296(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 296(%rdi)
+        adoxq	%r8, %r9
+        # A[38] * B
+        mulxq	304(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 304(%rdi)
+        adoxq	%r8, %r10
+        # A[39] * B
+        mulxq	312(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 312(%rdi)
+        adoxq	%r8, %r9
+        # A[40] * B
+        mulxq	320(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 320(%rdi)
+        adoxq	%r8, %r10
+        # A[41] * B
+        mulxq	328(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 328(%rdi)
+        adoxq	%r8, %r9
+        # A[42] * B
+        mulxq	336(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 336(%rdi)
+        adoxq	%r8, %r10
+        # A[43] * B
+        mulxq	344(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 344(%rdi)
+        adoxq	%r8, %r9
+        # A[44] * B
+        mulxq	352(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 352(%rdi)
+        adoxq	%r8, %r10
+        # A[45] * B
+        mulxq	360(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 360(%rdi)
+        adoxq	%r8, %r9
+        # A[46] * B
+        mulxq	368(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 368(%rdi)
+        adoxq	%r8, %r10
+        # A[47] * B
+        mulxq	376(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 376(%rdi)
+        movq	%r9, 384(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mul_d_avx2_48,.-sp_3072_mul_d_avx2_48
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cmp_48
+.type	sp_3072_cmp_48,@function
+.align	16
+sp_3072_cmp_48:
+#else
+.globl	_sp_3072_cmp_48
+.p2align	4
+_sp_3072_cmp_48:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	376(%rdi), %r9
+        movq	376(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	368(%rdi), %r9
+        movq	368(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	360(%rdi), %r9
+        movq	360(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	352(%rdi), %r9
+        movq	352(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	344(%rdi), %r9
+        movq	344(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	336(%rdi), %r9
+        movq	336(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	328(%rdi), %r9
+        movq	328(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	320(%rdi), %r9
+        movq	320(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	312(%rdi), %r9
+        movq	312(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	304(%rdi), %r9
+        movq	304(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	296(%rdi), %r9
+        movq	296(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	288(%rdi), %r9
+        movq	288(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	280(%rdi), %r9
+        movq	280(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	272(%rdi), %r9
+        movq	272(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	264(%rdi), %r9
+        movq	264(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	256(%rdi), %r9
+        movq	256(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	248(%rdi), %r9
+        movq	248(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	240(%rdi), %r9
+        movq	240(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	232(%rdi), %r9
+        movq	232(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	224(%rdi), %r9
+        movq	224(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	216(%rdi), %r9
+        movq	216(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	208(%rdi), %r9
+        movq	208(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	200(%rdi), %r9
+        movq	200(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	192(%rdi), %r9
+        movq	192(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	184(%rdi), %r9
+        movq	184(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	176(%rdi), %r9
+        movq	176(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	168(%rdi), %r9
+        movq	168(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	160(%rdi), %r9
+        movq	160(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	152(%rdi), %r9
+        movq	152(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	144(%rdi), %r9
+        movq	144(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	136(%rdi), %r9
+        movq	136(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	128(%rdi), %r9
+        movq	128(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	120(%rdi), %r9
+        movq	120(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	112(%rdi), %r9
+        movq	112(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	104(%rdi), %r9
+        movq	104(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	96(%rdi), %r9
+        movq	96(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	88(%rdi), %r9
+        movq	88(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	80(%rdi), %r9
+        movq	80(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	72(%rdi), %r9
+        movq	72(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	64(%rdi), %r9
+        movq	64(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	56(%rdi), %r9
+        movq	56(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	48(%rdi), %r9
+        movq	48(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cmp_48,.-sp_3072_cmp_48
+#endif /* __APPLE__ */
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_sub_48
+.type	sp_3072_sub_48,@function
+.align	16
+sp_3072_sub_48:
+#else
+.globl	_sp_3072_sub_48
+.p2align	4
+_sp_3072_sub_48:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        subq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        sbbq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        sbbq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        sbbq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        sbbq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        sbbq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        sbbq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        sbbq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        sbbq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        sbbq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        sbbq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        sbbq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        sbbq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        sbbq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        sbbq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        sbbq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        sbbq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        sbbq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        sbbq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        sbbq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        sbbq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        sbbq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        sbbq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        sbbq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        sbbq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        sbbq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        sbbq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        sbbq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        sbbq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        sbbq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        sbbq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        sbbq	248(%rdx), %r8
+        movq	256(%rsi), %rcx
+        movq	%r8, 248(%rdi)
+        sbbq	256(%rdx), %rcx
+        movq	264(%rsi), %r8
+        movq	%rcx, 256(%rdi)
+        sbbq	264(%rdx), %r8
+        movq	272(%rsi), %rcx
+        movq	%r8, 264(%rdi)
+        sbbq	272(%rdx), %rcx
+        movq	280(%rsi), %r8
+        movq	%rcx, 272(%rdi)
+        sbbq	280(%rdx), %r8
+        movq	288(%rsi), %rcx
+        movq	%r8, 280(%rdi)
+        sbbq	288(%rdx), %rcx
+        movq	296(%rsi), %r8
+        movq	%rcx, 288(%rdi)
+        sbbq	296(%rdx), %r8
+        movq	304(%rsi), %rcx
+        movq	%r8, 296(%rdi)
+        sbbq	304(%rdx), %rcx
+        movq	312(%rsi), %r8
+        movq	%rcx, 304(%rdi)
+        sbbq	312(%rdx), %r8
+        movq	320(%rsi), %rcx
+        movq	%r8, 312(%rdi)
+        sbbq	320(%rdx), %rcx
+        movq	328(%rsi), %r8
+        movq	%rcx, 320(%rdi)
+        sbbq	328(%rdx), %r8
+        movq	336(%rsi), %rcx
+        movq	%r8, 328(%rdi)
+        sbbq	336(%rdx), %rcx
+        movq	344(%rsi), %r8
+        movq	%rcx, 336(%rdi)
+        sbbq	344(%rdx), %r8
+        movq	352(%rsi), %rcx
+        movq	%r8, 344(%rdi)
+        sbbq	352(%rdx), %rcx
+        movq	360(%rsi), %r8
+        movq	%rcx, 352(%rdi)
+        sbbq	360(%rdx), %r8
+        movq	368(%rsi), %rcx
+        movq	%r8, 360(%rdi)
+        sbbq	368(%rdx), %rcx
+        movq	376(%rsi), %r8
+        movq	%rcx, 368(%rdi)
+        sbbq	376(%rdx), %r8
+        movq	%r8, 376(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_sub_48,.-sp_3072_sub_48
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 3072 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_mont_reduce_avx2_48
+.type	sp_3072_mont_reduce_avx2_48,@function
+.align	16
+sp_3072_mont_reduce_avx2_48:
+#else
+.globl	_sp_3072_mont_reduce_avx2_48
+.p2align	4
+_sp_3072_mont_reduce_avx2_48:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %r8
+        xorq	%r14, %r14
+        # i = 48
+        movq	$48, %r9
+        movq	(%rdi), %r13
+        addq	$192, %rdi
+        xorq	%r12, %r12
+L_mont_loop_avx2_48:
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-184(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-176(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-168(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -176(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-160(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -168(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-152(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -160(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-144(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -152(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	-136(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -144(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	-128(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -136(%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	-120(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -128(%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	-112(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -120(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	-104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -112(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	-96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -104(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	-88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -96(%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	-80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -88(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	-72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -80(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	-64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -72(%rdi)
+        # a[i+16] += m[16] * mu
+        mulxq	128(%rsi), %rax, %rcx
+        movq	-56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -64(%rdi)
+        # a[i+17] += m[17] * mu
+        mulxq	136(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -56(%rdi)
+        # a[i+18] += m[18] * mu
+        mulxq	144(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -48(%rdi)
+        # a[i+19] += m[19] * mu
+        mulxq	152(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -40(%rdi)
+        # a[i+20] += m[20] * mu
+        mulxq	160(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -32(%rdi)
+        # a[i+21] += m[21] * mu
+        mulxq	168(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -24(%rdi)
+        # a[i+22] += m[22] * mu
+        mulxq	176(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -16(%rdi)
+        # a[i+23] += m[23] * mu
+        mulxq	184(%rsi), %rax, %rcx
+        movq	(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -8(%rdi)
+        # a[i+24] += m[24] * mu
+        mulxq	192(%rsi), %rax, %rcx
+        movq	8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, (%rdi)
+        # a[i+25] += m[25] * mu
+        mulxq	200(%rsi), %rax, %rcx
+        movq	16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 8(%rdi)
+        # a[i+26] += m[26] * mu
+        mulxq	208(%rsi), %rax, %rcx
+        movq	24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 16(%rdi)
+        # a[i+27] += m[27] * mu
+        mulxq	216(%rsi), %rax, %rcx
+        movq	32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 24(%rdi)
+        # a[i+28] += m[28] * mu
+        mulxq	224(%rsi), %rax, %rcx
+        movq	40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 32(%rdi)
+        # a[i+29] += m[29] * mu
+        mulxq	232(%rsi), %rax, %rcx
+        movq	48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 40(%rdi)
+        # a[i+30] += m[30] * mu
+        mulxq	240(%rsi), %rax, %rcx
+        movq	56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 48(%rdi)
+        # a[i+31] += m[31] * mu
+        mulxq	248(%rsi), %rax, %rcx
+        movq	64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 56(%rdi)
+        # a[i+32] += m[32] * mu
+        mulxq	256(%rsi), %rax, %rcx
+        movq	72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 64(%rdi)
+        # a[i+33] += m[33] * mu
+        mulxq	264(%rsi), %rax, %rcx
+        movq	80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 72(%rdi)
+        # a[i+34] += m[34] * mu
+        mulxq	272(%rsi), %rax, %rcx
+        movq	88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 80(%rdi)
+        # a[i+35] += m[35] * mu
+        mulxq	280(%rsi), %rax, %rcx
+        movq	96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 88(%rdi)
+        # a[i+36] += m[36] * mu
+        mulxq	288(%rsi), %rax, %rcx
+        movq	104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rdi)
+        # a[i+37] += m[37] * mu
+        mulxq	296(%rsi), %rax, %rcx
+        movq	112(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 104(%rdi)
+        # a[i+38] += m[38] * mu
+        mulxq	304(%rsi), %rax, %rcx
+        movq	120(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 112(%rdi)
+        # a[i+39] += m[39] * mu
+        mulxq	312(%rsi), %rax, %rcx
+        movq	128(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 120(%rdi)
+        # a[i+40] += m[40] * mu
+        mulxq	320(%rsi), %rax, %rcx
+        movq	136(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 128(%rdi)
+        # a[i+41] += m[41] * mu
+        mulxq	328(%rsi), %rax, %rcx
+        movq	144(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 136(%rdi)
+        # a[i+42] += m[42] * mu
+        mulxq	336(%rsi), %rax, %rcx
+        movq	152(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 144(%rdi)
+        # a[i+43] += m[43] * mu
+        mulxq	344(%rsi), %rax, %rcx
+        movq	160(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 152(%rdi)
+        # a[i+44] += m[44] * mu
+        mulxq	352(%rsi), %rax, %rcx
+        movq	168(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 160(%rdi)
+        # a[i+45] += m[45] * mu
+        mulxq	360(%rsi), %rax, %rcx
+        movq	176(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 168(%rdi)
+        # a[i+46] += m[46] * mu
+        mulxq	368(%rsi), %rax, %rcx
+        movq	184(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 176(%rdi)
+        # a[i+47] += m[47] * mu
+        mulxq	376(%rsi), %rax, %rcx
+        movq	192(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 184(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 192(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # a += 1
+        addq	$8, %rdi
+        # i -= 1
+        subq	$1, %r9
+        jnz	L_mont_loop_avx2_48
+        subq	$192, %rdi
+        negq	%r14
+        movq	%rdi, %r8
+        subq	$384, %rdi
+        movq	(%rsi), %rcx
+        movq	%r13, %rdx
+        pextq	%r14, %rcx, %rcx
+        subq	%rcx, %rdx
+        movq	8(%rsi), %rcx
+        movq	8(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, (%rdi)
+        sbbq	%rcx, %rax
+        movq	16(%rsi), %rdx
+        movq	16(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 8(%rdi)
+        sbbq	%rdx, %rcx
+        movq	24(%rsi), %rax
+        movq	24(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 16(%rdi)
+        sbbq	%rax, %rdx
+        movq	32(%rsi), %rcx
+        movq	32(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 24(%rdi)
+        sbbq	%rcx, %rax
+        movq	40(%rsi), %rdx
+        movq	40(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 32(%rdi)
+        sbbq	%rdx, %rcx
+        movq	48(%rsi), %rax
+        movq	48(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 40(%rdi)
+        sbbq	%rax, %rdx
+        movq	56(%rsi), %rcx
+        movq	56(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	%rcx, %rax
+        movq	64(%rsi), %rdx
+        movq	64(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 56(%rdi)
+        sbbq	%rdx, %rcx
+        movq	72(%rsi), %rax
+        movq	72(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 64(%rdi)
+        sbbq	%rax, %rdx
+        movq	80(%rsi), %rcx
+        movq	80(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 72(%rdi)
+        sbbq	%rcx, %rax
+        movq	88(%rsi), %rdx
+        movq	88(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 80(%rdi)
+        sbbq	%rdx, %rcx
+        movq	96(%rsi), %rax
+        movq	96(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 88(%rdi)
+        sbbq	%rax, %rdx
+        movq	104(%rsi), %rcx
+        movq	104(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	%rcx, %rax
+        movq	112(%rsi), %rdx
+        movq	112(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 104(%rdi)
+        sbbq	%rdx, %rcx
+        movq	120(%rsi), %rax
+        movq	120(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 112(%rdi)
+        sbbq	%rax, %rdx
+        movq	128(%rsi), %rcx
+        movq	128(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 120(%rdi)
+        sbbq	%rcx, %rax
+        movq	136(%rsi), %rdx
+        movq	136(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 128(%rdi)
+        sbbq	%rdx, %rcx
+        movq	144(%rsi), %rax
+        movq	144(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 136(%rdi)
+        sbbq	%rax, %rdx
+        movq	152(%rsi), %rcx
+        movq	152(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	%rcx, %rax
+        movq	160(%rsi), %rdx
+        movq	160(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 152(%rdi)
+        sbbq	%rdx, %rcx
+        movq	168(%rsi), %rax
+        movq	168(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 160(%rdi)
+        sbbq	%rax, %rdx
+        movq	176(%rsi), %rcx
+        movq	176(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 168(%rdi)
+        sbbq	%rcx, %rax
+        movq	184(%rsi), %rdx
+        movq	184(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 176(%rdi)
+        sbbq	%rdx, %rcx
+        movq	192(%rsi), %rax
+        movq	192(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 184(%rdi)
+        sbbq	%rax, %rdx
+        movq	200(%rsi), %rcx
+        movq	200(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	%rcx, %rax
+        movq	208(%rsi), %rdx
+        movq	208(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 200(%rdi)
+        sbbq	%rdx, %rcx
+        movq	216(%rsi), %rax
+        movq	216(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 208(%rdi)
+        sbbq	%rax, %rdx
+        movq	224(%rsi), %rcx
+        movq	224(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 216(%rdi)
+        sbbq	%rcx, %rax
+        movq	232(%rsi), %rdx
+        movq	232(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 224(%rdi)
+        sbbq	%rdx, %rcx
+        movq	240(%rsi), %rax
+        movq	240(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 232(%rdi)
+        sbbq	%rax, %rdx
+        movq	248(%rsi), %rcx
+        movq	248(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	%rcx, %rax
+        movq	256(%rsi), %rdx
+        movq	256(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 248(%rdi)
+        sbbq	%rdx, %rcx
+        movq	264(%rsi), %rax
+        movq	264(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 256(%rdi)
+        sbbq	%rax, %rdx
+        movq	272(%rsi), %rcx
+        movq	272(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 264(%rdi)
+        sbbq	%rcx, %rax
+        movq	280(%rsi), %rdx
+        movq	280(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 272(%rdi)
+        sbbq	%rdx, %rcx
+        movq	288(%rsi), %rax
+        movq	288(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 280(%rdi)
+        sbbq	%rax, %rdx
+        movq	296(%rsi), %rcx
+        movq	296(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 288(%rdi)
+        sbbq	%rcx, %rax
+        movq	304(%rsi), %rdx
+        movq	304(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 296(%rdi)
+        sbbq	%rdx, %rcx
+        movq	312(%rsi), %rax
+        movq	312(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 304(%rdi)
+        sbbq	%rax, %rdx
+        movq	320(%rsi), %rcx
+        movq	320(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 312(%rdi)
+        sbbq	%rcx, %rax
+        movq	328(%rsi), %rdx
+        movq	328(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 320(%rdi)
+        sbbq	%rdx, %rcx
+        movq	336(%rsi), %rax
+        movq	336(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 328(%rdi)
+        sbbq	%rax, %rdx
+        movq	344(%rsi), %rcx
+        movq	344(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 336(%rdi)
+        sbbq	%rcx, %rax
+        movq	352(%rsi), %rdx
+        movq	352(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 344(%rdi)
+        sbbq	%rdx, %rcx
+        movq	360(%rsi), %rax
+        movq	360(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 352(%rdi)
+        sbbq	%rax, %rdx
+        movq	368(%rsi), %rcx
+        movq	368(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 360(%rdi)
+        sbbq	%rcx, %rax
+        movq	376(%rsi), %rdx
+        movq	376(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 368(%rdi)
+        sbbq	%rdx, %rcx
+        movq	%rcx, 376(%rdi)
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_mont_reduce_avx2_48,.-sp_3072_mont_reduce_avx2_48
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_add_24
+.type	sp_3072_cond_add_24,@function
+.align	16
+sp_3072_cond_add_24:
+#else
+.globl	_sp_3072_cond_add_24
+.p2align	4
+_sp_3072_cond_add_24:
+#endif /* __APPLE__ */
+        subq	$192, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        addq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        adcq	$0, %rax
+        addq	$192, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_add_24,.-sp_3072_cond_add_24
+#endif /* __APPLE__ */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_cond_add_avx2_24
+.type	sp_3072_cond_add_avx2_24,@function
+.align	16
+sp_3072_cond_add_avx2_24:
+#else
+.globl	_sp_3072_cond_add_avx2_24
+.p2align	4
+_sp_3072_cond_add_avx2_24:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        addq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        adcq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        adcq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        adcq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        adcq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        adcq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        adcq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        adcq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        adcq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        adcq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        adcq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        adcq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        adcq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        adcq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        adcq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        adcq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        adcq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        adcq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        adcq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        adcq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        adcq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        adcq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        adcq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        adcq	%r8, %r10
+        movq	%r10, 184(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_3072_cond_add_avx2_24,.-sp_3072_cond_add_avx2_24
+#endif /* __APPLE__ */
+/* Shift number left by n bit. (r = a << n)
+ *
+ * r  Result of left shift by n.
+ * a  Number to shift.
+ * n  Amoutnt o shift.
+ */
+#ifndef __APPLE__
+.globl	sp_3072_lshift_48
+.type	sp_3072_lshift_48,@function
+.align	16
+sp_3072_lshift_48:
+#else
+.globl	_sp_3072_lshift_48
+.p2align	4
+_sp_3072_lshift_48:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        movq	$0, %r10
+        movq	344(%rsi), %r11
+        movq	352(%rsi), %rdx
+        movq	360(%rsi), %rax
+        movq	368(%rsi), %r8
+        movq	376(%rsi), %r9
+        shldq	%cl, %r9, %r10
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 352(%rdi)
+        movq	%rax, 360(%rdi)
+        movq	%r8, 368(%rdi)
+        movq	%r9, 376(%rdi)
+        movq	%r10, 384(%rdi)
+        movq	312(%rsi), %r9
+        movq	320(%rsi), %rdx
+        movq	328(%rsi), %rax
+        movq	336(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 320(%rdi)
+        movq	%rax, 328(%rdi)
+        movq	%r8, 336(%rdi)
+        movq	%r11, 344(%rdi)
+        movq	280(%rsi), %r11
+        movq	288(%rsi), %rdx
+        movq	296(%rsi), %rax
+        movq	304(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 288(%rdi)
+        movq	%rax, 296(%rdi)
+        movq	%r8, 304(%rdi)
+        movq	%r9, 312(%rdi)
+        movq	248(%rsi), %r9
+        movq	256(%rsi), %rdx
+        movq	264(%rsi), %rax
+        movq	272(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 256(%rdi)
+        movq	%rax, 264(%rdi)
+        movq	%r8, 272(%rdi)
+        movq	%r11, 280(%rdi)
+        movq	216(%rsi), %r11
+        movq	224(%rsi), %rdx
+        movq	232(%rsi), %rax
+        movq	240(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 224(%rdi)
+        movq	%rax, 232(%rdi)
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        movq	184(%rsi), %r9
+        movq	192(%rsi), %rdx
+        movq	200(%rsi), %rax
+        movq	208(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 192(%rdi)
+        movq	%rax, 200(%rdi)
+        movq	%r8, 208(%rdi)
+        movq	%r11, 216(%rdi)
+        movq	152(%rsi), %r11
+        movq	160(%rsi), %rdx
+        movq	168(%rsi), %rax
+        movq	176(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 160(%rdi)
+        movq	%rax, 168(%rdi)
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	120(%rsi), %r9
+        movq	128(%rsi), %rdx
+        movq	136(%rsi), %rax
+        movq	144(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 128(%rdi)
+        movq	%rax, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	%r11, 152(%rdi)
+        movq	88(%rsi), %r11
+        movq	96(%rsi), %rdx
+        movq	104(%rsi), %rax
+        movq	112(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 96(%rdi)
+        movq	%rax, 104(%rdi)
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        movq	56(%rsi), %r9
+        movq	64(%rsi), %rdx
+        movq	72(%rsi), %rax
+        movq	80(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 64(%rdi)
+        movq	%rax, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r11, 88(%rdi)
+        movq	24(%rsi), %r11
+        movq	32(%rsi), %rdx
+        movq	40(%rsi), %rax
+        movq	48(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 32(%rdi)
+        movq	%rax, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shlq	%cl, %rdx
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        repz retq
+#endif /* !WOLFSSL_SP_NO_3072 */
+#endif /* !WOLFSSL_SP_NO_3072 */
+#ifdef WOLFSSL_SP_4096
+#ifdef WOLFSSL_SP_4096
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_from_bin
+.type	sp_4096_from_bin,@function
+.align	16
+sp_4096_from_bin:
+#else
+.globl	_sp_4096_from_bin
+.p2align	4
+_sp_4096_from_bin:
+#endif /* __APPLE__ */
+        movq	%rdx, %r9
+        movq	%rdi, %r10
+        addq	%rcx, %r9
+        addq	$512, %r10
+        xorq	%r11, %r11
+        jmp	L_4096_from_bin_64_end
+L_4096_from_bin_64_start:
+        subq	$64, %r9
+        movbeq	56(%r9), %rax
+        movbeq	48(%r9), %r8
+        movq	%rax, (%rdi)
+        movq	%r8, 8(%rdi)
+        movbeq	40(%r9), %rax
+        movbeq	32(%r9), %r8
+        movq	%rax, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        movbeq	24(%r9), %rax
+        movbeq	16(%r9), %r8
+        movq	%rax, 32(%rdi)
+        movq	%r8, 40(%rdi)
+        movbeq	8(%r9), %rax
+        movbeq	(%r9), %r8
+        movq	%rax, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        addq	$64, %rdi
+        subq	$64, %rcx
+L_4096_from_bin_64_end:
+        cmpq	$63, %rcx
+        jg	L_4096_from_bin_64_start
+        jmp	L_4096_from_bin_8_end
+L_4096_from_bin_8_start:
+        subq	$8, %r9
+        movbeq	(%r9), %rax
+        movq	%rax, (%rdi)
+        addq	$8, %rdi
+        subq	$8, %rcx
+L_4096_from_bin_8_end:
+        cmpq	$7, %rcx
+        jg	L_4096_from_bin_8_start
+        cmpq	%r11, %rcx
+        je	L_4096_from_bin_hi_end
+        movq	%r11, %r8
+        movq	%r11, %rax
+L_4096_from_bin_hi_start:
+        movb	(%rdx), %al
+        shlq	$8, %r8
+        incq	%rdx
+        addq	%rax, %r8
+        decq	%rcx
+        jg	L_4096_from_bin_hi_start
+        movq	%r8, (%rdi)
+        addq	$8, %rdi
+L_4096_from_bin_hi_end:
+        cmpq	%r10, %rdi
+        je	L_4096_from_bin_zero_end
+L_4096_from_bin_zero_start:
+        movq	%r11, (%rdi)
+        addq	$8, %rdi
+        cmpq	%r10, %rdi
+        jl	L_4096_from_bin_zero_start
+L_4096_from_bin_zero_end:
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_from_bin,.-sp_4096_from_bin
+#endif /* __APPLE__ */
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 512
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_to_bin
+.type	sp_4096_to_bin,@function
+.align	16
+sp_4096_to_bin:
+#else
+.globl	_sp_4096_to_bin
+.p2align	4
+_sp_4096_to_bin:
+#endif /* __APPLE__ */
+        movbeq	504(%rdi), %rdx
+        movbeq	496(%rdi), %rax
+        movq	%rdx, (%rsi)
+        movq	%rax, 8(%rsi)
+        movbeq	488(%rdi), %rdx
+        movbeq	480(%rdi), %rax
+        movq	%rdx, 16(%rsi)
+        movq	%rax, 24(%rsi)
+        movbeq	472(%rdi), %rdx
+        movbeq	464(%rdi), %rax
+        movq	%rdx, 32(%rsi)
+        movq	%rax, 40(%rsi)
+        movbeq	456(%rdi), %rdx
+        movbeq	448(%rdi), %rax
+        movq	%rdx, 48(%rsi)
+        movq	%rax, 56(%rsi)
+        movbeq	440(%rdi), %rdx
+        movbeq	432(%rdi), %rax
+        movq	%rdx, 64(%rsi)
+        movq	%rax, 72(%rsi)
+        movbeq	424(%rdi), %rdx
+        movbeq	416(%rdi), %rax
+        movq	%rdx, 80(%rsi)
+        movq	%rax, 88(%rsi)
+        movbeq	408(%rdi), %rdx
+        movbeq	400(%rdi), %rax
+        movq	%rdx, 96(%rsi)
+        movq	%rax, 104(%rsi)
+        movbeq	392(%rdi), %rdx
+        movbeq	384(%rdi), %rax
+        movq	%rdx, 112(%rsi)
+        movq	%rax, 120(%rsi)
+        movbeq	376(%rdi), %rdx
+        movbeq	368(%rdi), %rax
+        movq	%rdx, 128(%rsi)
+        movq	%rax, 136(%rsi)
+        movbeq	360(%rdi), %rdx
+        movbeq	352(%rdi), %rax
+        movq	%rdx, 144(%rsi)
+        movq	%rax, 152(%rsi)
+        movbeq	344(%rdi), %rdx
+        movbeq	336(%rdi), %rax
+        movq	%rdx, 160(%rsi)
+        movq	%rax, 168(%rsi)
+        movbeq	328(%rdi), %rdx
+        movbeq	320(%rdi), %rax
+        movq	%rdx, 176(%rsi)
+        movq	%rax, 184(%rsi)
+        movbeq	312(%rdi), %rdx
+        movbeq	304(%rdi), %rax
+        movq	%rdx, 192(%rsi)
+        movq	%rax, 200(%rsi)
+        movbeq	296(%rdi), %rdx
+        movbeq	288(%rdi), %rax
+        movq	%rdx, 208(%rsi)
+        movq	%rax, 216(%rsi)
+        movbeq	280(%rdi), %rdx
+        movbeq	272(%rdi), %rax
+        movq	%rdx, 224(%rsi)
+        movq	%rax, 232(%rsi)
+        movbeq	264(%rdi), %rdx
+        movbeq	256(%rdi), %rax
+        movq	%rdx, 240(%rsi)
+        movq	%rax, 248(%rsi)
+        movbeq	248(%rdi), %rdx
+        movbeq	240(%rdi), %rax
+        movq	%rdx, 256(%rsi)
+        movq	%rax, 264(%rsi)
+        movbeq	232(%rdi), %rdx
+        movbeq	224(%rdi), %rax
+        movq	%rdx, 272(%rsi)
+        movq	%rax, 280(%rsi)
+        movbeq	216(%rdi), %rdx
+        movbeq	208(%rdi), %rax
+        movq	%rdx, 288(%rsi)
+        movq	%rax, 296(%rsi)
+        movbeq	200(%rdi), %rdx
+        movbeq	192(%rdi), %rax
+        movq	%rdx, 304(%rsi)
+        movq	%rax, 312(%rsi)
+        movbeq	184(%rdi), %rdx
+        movbeq	176(%rdi), %rax
+        movq	%rdx, 320(%rsi)
+        movq	%rax, 328(%rsi)
+        movbeq	168(%rdi), %rdx
+        movbeq	160(%rdi), %rax
+        movq	%rdx, 336(%rsi)
+        movq	%rax, 344(%rsi)
+        movbeq	152(%rdi), %rdx
+        movbeq	144(%rdi), %rax
+        movq	%rdx, 352(%rsi)
+        movq	%rax, 360(%rsi)
+        movbeq	136(%rdi), %rdx
+        movbeq	128(%rdi), %rax
+        movq	%rdx, 368(%rsi)
+        movq	%rax, 376(%rsi)
+        movbeq	120(%rdi), %rdx
+        movbeq	112(%rdi), %rax
+        movq	%rdx, 384(%rsi)
+        movq	%rax, 392(%rsi)
+        movbeq	104(%rdi), %rdx
+        movbeq	96(%rdi), %rax
+        movq	%rdx, 400(%rsi)
+        movq	%rax, 408(%rsi)
+        movbeq	88(%rdi), %rdx
+        movbeq	80(%rdi), %rax
+        movq	%rdx, 416(%rsi)
+        movq	%rax, 424(%rsi)
+        movbeq	72(%rdi), %rdx
+        movbeq	64(%rdi), %rax
+        movq	%rdx, 432(%rsi)
+        movq	%rax, 440(%rsi)
+        movbeq	56(%rdi), %rdx
+        movbeq	48(%rdi), %rax
+        movq	%rdx, 448(%rsi)
+        movq	%rax, 456(%rsi)
+        movbeq	40(%rdi), %rdx
+        movbeq	32(%rdi), %rax
+        movq	%rdx, 464(%rsi)
+        movq	%rax, 472(%rsi)
+        movbeq	24(%rdi), %rdx
+        movbeq	16(%rdi), %rax
+        movq	%rdx, 480(%rsi)
+        movq	%rax, 488(%rsi)
+        movbeq	8(%rdi), %rdx
+        movbeq	(%rdi), %rax
+        movq	%rdx, 496(%rsi)
+        movq	%rax, 504(%rsi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_to_bin,.-sp_4096_to_bin
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_sub_in_place_64
+.type	sp_4096_sub_in_place_64,@function
+.align	16
+sp_4096_sub_in_place_64:
+#else
+.globl	_sp_4096_sub_in_place_64
+.p2align	4
+_sp_4096_sub_in_place_64:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rdx
+        xorq	%rax, %rax
+        subq	(%rsi), %rdx
+        movq	8(%rdi), %rcx
+        movq	%rdx, (%rdi)
+        sbbq	8(%rsi), %rcx
+        movq	16(%rdi), %rdx
+        movq	%rcx, 8(%rdi)
+        sbbq	16(%rsi), %rdx
+        movq	24(%rdi), %rcx
+        movq	%rdx, 16(%rdi)
+        sbbq	24(%rsi), %rcx
+        movq	32(%rdi), %rdx
+        movq	%rcx, 24(%rdi)
+        sbbq	32(%rsi), %rdx
+        movq	40(%rdi), %rcx
+        movq	%rdx, 32(%rdi)
+        sbbq	40(%rsi), %rcx
+        movq	48(%rdi), %rdx
+        movq	%rcx, 40(%rdi)
+        sbbq	48(%rsi), %rdx
+        movq	56(%rdi), %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	56(%rsi), %rcx
+        movq	64(%rdi), %rdx
+        movq	%rcx, 56(%rdi)
+        sbbq	64(%rsi), %rdx
+        movq	72(%rdi), %rcx
+        movq	%rdx, 64(%rdi)
+        sbbq	72(%rsi), %rcx
+        movq	80(%rdi), %rdx
+        movq	%rcx, 72(%rdi)
+        sbbq	80(%rsi), %rdx
+        movq	88(%rdi), %rcx
+        movq	%rdx, 80(%rdi)
+        sbbq	88(%rsi), %rcx
+        movq	96(%rdi), %rdx
+        movq	%rcx, 88(%rdi)
+        sbbq	96(%rsi), %rdx
+        movq	104(%rdi), %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	104(%rsi), %rcx
+        movq	112(%rdi), %rdx
+        movq	%rcx, 104(%rdi)
+        sbbq	112(%rsi), %rdx
+        movq	120(%rdi), %rcx
+        movq	%rdx, 112(%rdi)
+        sbbq	120(%rsi), %rcx
+        movq	128(%rdi), %rdx
+        movq	%rcx, 120(%rdi)
+        sbbq	128(%rsi), %rdx
+        movq	136(%rdi), %rcx
+        movq	%rdx, 128(%rdi)
+        sbbq	136(%rsi), %rcx
+        movq	144(%rdi), %rdx
+        movq	%rcx, 136(%rdi)
+        sbbq	144(%rsi), %rdx
+        movq	152(%rdi), %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	152(%rsi), %rcx
+        movq	160(%rdi), %rdx
+        movq	%rcx, 152(%rdi)
+        sbbq	160(%rsi), %rdx
+        movq	168(%rdi), %rcx
+        movq	%rdx, 160(%rdi)
+        sbbq	168(%rsi), %rcx
+        movq	176(%rdi), %rdx
+        movq	%rcx, 168(%rdi)
+        sbbq	176(%rsi), %rdx
+        movq	184(%rdi), %rcx
+        movq	%rdx, 176(%rdi)
+        sbbq	184(%rsi), %rcx
+        movq	192(%rdi), %rdx
+        movq	%rcx, 184(%rdi)
+        sbbq	192(%rsi), %rdx
+        movq	200(%rdi), %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	200(%rsi), %rcx
+        movq	208(%rdi), %rdx
+        movq	%rcx, 200(%rdi)
+        sbbq	208(%rsi), %rdx
+        movq	216(%rdi), %rcx
+        movq	%rdx, 208(%rdi)
+        sbbq	216(%rsi), %rcx
+        movq	224(%rdi), %rdx
+        movq	%rcx, 216(%rdi)
+        sbbq	224(%rsi), %rdx
+        movq	232(%rdi), %rcx
+        movq	%rdx, 224(%rdi)
+        sbbq	232(%rsi), %rcx
+        movq	240(%rdi), %rdx
+        movq	%rcx, 232(%rdi)
+        sbbq	240(%rsi), %rdx
+        movq	248(%rdi), %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	248(%rsi), %rcx
+        movq	256(%rdi), %rdx
+        movq	%rcx, 248(%rdi)
+        sbbq	256(%rsi), %rdx
+        movq	264(%rdi), %rcx
+        movq	%rdx, 256(%rdi)
+        sbbq	264(%rsi), %rcx
+        movq	272(%rdi), %rdx
+        movq	%rcx, 264(%rdi)
+        sbbq	272(%rsi), %rdx
+        movq	280(%rdi), %rcx
+        movq	%rdx, 272(%rdi)
+        sbbq	280(%rsi), %rcx
+        movq	288(%rdi), %rdx
+        movq	%rcx, 280(%rdi)
+        sbbq	288(%rsi), %rdx
+        movq	296(%rdi), %rcx
+        movq	%rdx, 288(%rdi)
+        sbbq	296(%rsi), %rcx
+        movq	304(%rdi), %rdx
+        movq	%rcx, 296(%rdi)
+        sbbq	304(%rsi), %rdx
+        movq	312(%rdi), %rcx
+        movq	%rdx, 304(%rdi)
+        sbbq	312(%rsi), %rcx
+        movq	320(%rdi), %rdx
+        movq	%rcx, 312(%rdi)
+        sbbq	320(%rsi), %rdx
+        movq	328(%rdi), %rcx
+        movq	%rdx, 320(%rdi)
+        sbbq	328(%rsi), %rcx
+        movq	336(%rdi), %rdx
+        movq	%rcx, 328(%rdi)
+        sbbq	336(%rsi), %rdx
+        movq	344(%rdi), %rcx
+        movq	%rdx, 336(%rdi)
+        sbbq	344(%rsi), %rcx
+        movq	352(%rdi), %rdx
+        movq	%rcx, 344(%rdi)
+        sbbq	352(%rsi), %rdx
+        movq	360(%rdi), %rcx
+        movq	%rdx, 352(%rdi)
+        sbbq	360(%rsi), %rcx
+        movq	368(%rdi), %rdx
+        movq	%rcx, 360(%rdi)
+        sbbq	368(%rsi), %rdx
+        movq	376(%rdi), %rcx
+        movq	%rdx, 368(%rdi)
+        sbbq	376(%rsi), %rcx
+        movq	384(%rdi), %rdx
+        movq	%rcx, 376(%rdi)
+        sbbq	384(%rsi), %rdx
+        movq	392(%rdi), %rcx
+        movq	%rdx, 384(%rdi)
+        sbbq	392(%rsi), %rcx
+        movq	400(%rdi), %rdx
+        movq	%rcx, 392(%rdi)
+        sbbq	400(%rsi), %rdx
+        movq	408(%rdi), %rcx
+        movq	%rdx, 400(%rdi)
+        sbbq	408(%rsi), %rcx
+        movq	416(%rdi), %rdx
+        movq	%rcx, 408(%rdi)
+        sbbq	416(%rsi), %rdx
+        movq	424(%rdi), %rcx
+        movq	%rdx, 416(%rdi)
+        sbbq	424(%rsi), %rcx
+        movq	432(%rdi), %rdx
+        movq	%rcx, 424(%rdi)
+        sbbq	432(%rsi), %rdx
+        movq	440(%rdi), %rcx
+        movq	%rdx, 432(%rdi)
+        sbbq	440(%rsi), %rcx
+        movq	448(%rdi), %rdx
+        movq	%rcx, 440(%rdi)
+        sbbq	448(%rsi), %rdx
+        movq	456(%rdi), %rcx
+        movq	%rdx, 448(%rdi)
+        sbbq	456(%rsi), %rcx
+        movq	464(%rdi), %rdx
+        movq	%rcx, 456(%rdi)
+        sbbq	464(%rsi), %rdx
+        movq	472(%rdi), %rcx
+        movq	%rdx, 464(%rdi)
+        sbbq	472(%rsi), %rcx
+        movq	480(%rdi), %rdx
+        movq	%rcx, 472(%rdi)
+        sbbq	480(%rsi), %rdx
+        movq	488(%rdi), %rcx
+        movq	%rdx, 480(%rdi)
+        sbbq	488(%rsi), %rcx
+        movq	496(%rdi), %rdx
+        movq	%rcx, 488(%rdi)
+        sbbq	496(%rsi), %rdx
+        movq	504(%rdi), %rcx
+        movq	%rdx, 496(%rdi)
+        sbbq	504(%rsi), %rcx
+        movq	%rcx, 504(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_sub_in_place_64,.-sp_4096_sub_in_place_64
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_add_64
+.type	sp_4096_add_64,@function
+.align	16
+sp_4096_add_64:
+#else
+.globl	_sp_4096_add_64
+.p2align	4
+_sp_4096_add_64:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        adcq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        adcq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        adcq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        adcq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        adcq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        adcq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        adcq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        adcq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        adcq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        adcq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        adcq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        adcq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        adcq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        adcq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        adcq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        adcq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        adcq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        adcq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        adcq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        adcq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        adcq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        adcq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        adcq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        adcq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        adcq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        adcq	248(%rdx), %r8
+        movq	256(%rsi), %rcx
+        movq	%r8, 248(%rdi)
+        adcq	256(%rdx), %rcx
+        movq	264(%rsi), %r8
+        movq	%rcx, 256(%rdi)
+        adcq	264(%rdx), %r8
+        movq	272(%rsi), %rcx
+        movq	%r8, 264(%rdi)
+        adcq	272(%rdx), %rcx
+        movq	280(%rsi), %r8
+        movq	%rcx, 272(%rdi)
+        adcq	280(%rdx), %r8
+        movq	288(%rsi), %rcx
+        movq	%r8, 280(%rdi)
+        adcq	288(%rdx), %rcx
+        movq	296(%rsi), %r8
+        movq	%rcx, 288(%rdi)
+        adcq	296(%rdx), %r8
+        movq	304(%rsi), %rcx
+        movq	%r8, 296(%rdi)
+        adcq	304(%rdx), %rcx
+        movq	312(%rsi), %r8
+        movq	%rcx, 304(%rdi)
+        adcq	312(%rdx), %r8
+        movq	320(%rsi), %rcx
+        movq	%r8, 312(%rdi)
+        adcq	320(%rdx), %rcx
+        movq	328(%rsi), %r8
+        movq	%rcx, 320(%rdi)
+        adcq	328(%rdx), %r8
+        movq	336(%rsi), %rcx
+        movq	%r8, 328(%rdi)
+        adcq	336(%rdx), %rcx
+        movq	344(%rsi), %r8
+        movq	%rcx, 336(%rdi)
+        adcq	344(%rdx), %r8
+        movq	352(%rsi), %rcx
+        movq	%r8, 344(%rdi)
+        adcq	352(%rdx), %rcx
+        movq	360(%rsi), %r8
+        movq	%rcx, 352(%rdi)
+        adcq	360(%rdx), %r8
+        movq	368(%rsi), %rcx
+        movq	%r8, 360(%rdi)
+        adcq	368(%rdx), %rcx
+        movq	376(%rsi), %r8
+        movq	%rcx, 368(%rdi)
+        adcq	376(%rdx), %r8
+        movq	384(%rsi), %rcx
+        movq	%r8, 376(%rdi)
+        adcq	384(%rdx), %rcx
+        movq	392(%rsi), %r8
+        movq	%rcx, 384(%rdi)
+        adcq	392(%rdx), %r8
+        movq	400(%rsi), %rcx
+        movq	%r8, 392(%rdi)
+        adcq	400(%rdx), %rcx
+        movq	408(%rsi), %r8
+        movq	%rcx, 400(%rdi)
+        adcq	408(%rdx), %r8
+        movq	416(%rsi), %rcx
+        movq	%r8, 408(%rdi)
+        adcq	416(%rdx), %rcx
+        movq	424(%rsi), %r8
+        movq	%rcx, 416(%rdi)
+        adcq	424(%rdx), %r8
+        movq	432(%rsi), %rcx
+        movq	%r8, 424(%rdi)
+        adcq	432(%rdx), %rcx
+        movq	440(%rsi), %r8
+        movq	%rcx, 432(%rdi)
+        adcq	440(%rdx), %r8
+        movq	448(%rsi), %rcx
+        movq	%r8, 440(%rdi)
+        adcq	448(%rdx), %rcx
+        movq	456(%rsi), %r8
+        movq	%rcx, 448(%rdi)
+        adcq	456(%rdx), %r8
+        movq	464(%rsi), %rcx
+        movq	%r8, 456(%rdi)
+        adcq	464(%rdx), %rcx
+        movq	472(%rsi), %r8
+        movq	%rcx, 464(%rdi)
+        adcq	472(%rdx), %r8
+        movq	480(%rsi), %rcx
+        movq	%r8, 472(%rdi)
+        adcq	480(%rdx), %rcx
+        movq	488(%rsi), %r8
+        movq	%rcx, 480(%rdi)
+        adcq	488(%rdx), %r8
+        movq	496(%rsi), %rcx
+        movq	%r8, 488(%rdi)
+        adcq	496(%rdx), %rcx
+        movq	504(%rsi), %r8
+        movq	%rcx, 496(%rdi)
+        adcq	504(%rdx), %r8
+        movq	%r8, 504(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_add_64,.-sp_4096_add_64
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mul_64
+.type	sp_4096_mul_64,@function
+.align	16
+sp_4096_mul_64:
+#else
+.globl	_sp_4096_mul_64
+.p2align	4
+_sp_4096_mul_64:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$1576, %rsp
+        movq	%rdi, 1536(%rsp)
+        movq	%rsi, 1544(%rsp)
+        movq	%rdx, 1552(%rsp)
+        leaq	1024(%rsp), %r10
+        leaq	256(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	128(%rsi), %rcx
+        movq	%rax, 120(%r10)
+        adcq	128(%r12), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%r10)
+        adcq	136(%r12), %r8
+        movq	144(%rsi), %rax
+        movq	%r8, 136(%r10)
+        adcq	144(%r12), %rax
+        movq	152(%rsi), %rcx
+        movq	%rax, 144(%r10)
+        adcq	152(%r12), %rcx
+        movq	160(%rsi), %r8
+        movq	%rcx, 152(%r10)
+        adcq	160(%r12), %r8
+        movq	168(%rsi), %rax
+        movq	%r8, 160(%r10)
+        adcq	168(%r12), %rax
+        movq	176(%rsi), %rcx
+        movq	%rax, 168(%r10)
+        adcq	176(%r12), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%r10)
+        adcq	184(%r12), %r8
+        movq	192(%rsi), %rax
+        movq	%r8, 184(%r10)
+        adcq	192(%r12), %rax
+        movq	200(%rsi), %rcx
+        movq	%rax, 192(%r10)
+        adcq	200(%r12), %rcx
+        movq	208(%rsi), %r8
+        movq	%rcx, 200(%r10)
+        adcq	208(%r12), %r8
+        movq	216(%rsi), %rax
+        movq	%r8, 208(%r10)
+        adcq	216(%r12), %rax
+        movq	224(%rsi), %rcx
+        movq	%rax, 216(%r10)
+        adcq	224(%r12), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%r10)
+        adcq	232(%r12), %r8
+        movq	240(%rsi), %rax
+        movq	%r8, 232(%r10)
+        adcq	240(%r12), %rax
+        movq	248(%rsi), %rcx
+        movq	%rax, 240(%r10)
+        adcq	248(%r12), %rcx
+        movq	%rcx, 248(%r10)
+        adcq	$0, %r13
+        movq	%r13, 1560(%rsp)
+        leaq	1280(%rsp), %r11
+        leaq	256(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	128(%rdx), %rcx
+        movq	%rax, 120(%r11)
+        adcq	128(%r12), %rcx
+        movq	136(%rdx), %r8
+        movq	%rcx, 128(%r11)
+        adcq	136(%r12), %r8
+        movq	144(%rdx), %rax
+        movq	%r8, 136(%r11)
+        adcq	144(%r12), %rax
+        movq	152(%rdx), %rcx
+        movq	%rax, 144(%r11)
+        adcq	152(%r12), %rcx
+        movq	160(%rdx), %r8
+        movq	%rcx, 152(%r11)
+        adcq	160(%r12), %r8
+        movq	168(%rdx), %rax
+        movq	%r8, 160(%r11)
+        adcq	168(%r12), %rax
+        movq	176(%rdx), %rcx
+        movq	%rax, 168(%r11)
+        adcq	176(%r12), %rcx
+        movq	184(%rdx), %r8
+        movq	%rcx, 176(%r11)
+        adcq	184(%r12), %r8
+        movq	192(%rdx), %rax
+        movq	%r8, 184(%r11)
+        adcq	192(%r12), %rax
+        movq	200(%rdx), %rcx
+        movq	%rax, 192(%r11)
+        adcq	200(%r12), %rcx
+        movq	208(%rdx), %r8
+        movq	%rcx, 200(%r11)
+        adcq	208(%r12), %r8
+        movq	216(%rdx), %rax
+        movq	%r8, 208(%r11)
+        adcq	216(%r12), %rax
+        movq	224(%rdx), %rcx
+        movq	%rax, 216(%r11)
+        adcq	224(%r12), %rcx
+        movq	232(%rdx), %r8
+        movq	%rcx, 224(%r11)
+        adcq	232(%r12), %r8
+        movq	240(%rdx), %rax
+        movq	%r8, 232(%r11)
+        adcq	240(%r12), %rax
+        movq	248(%rdx), %rcx
+        movq	%rax, 240(%r11)
+        adcq	248(%r12), %rcx
+        movq	%rcx, 248(%r11)
+        adcq	$0, %r14
+        movq	%r14, 1568(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_32@plt
+#else
+        callq	_sp_2048_mul_32
+#endif /* __APPLE__ */
+        movq	1552(%rsp), %rdx
+        movq	1544(%rsp), %rsi
+        leaq	512(%rsp), %rdi
+        addq	$256, %rdx
+        addq	$256, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_mul_32@plt
+#else
+        callq	_sp_2048_mul_32
+#endif /* __APPLE__ */
+        movq	1552(%rsp), %rdx
+        movq	1544(%rsp), %rsi
+        movq	1536(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_32@plt
+#else
+        callq	_sp_2048_mul_32
+#endif /* __APPLE__ */
+        movq	1560(%rsp), %r13
+        movq	1568(%rsp), %r14
+        movq	1536(%rsp), %r15
+        movq	%r13, %r9
+        leaq	1024(%rsp), %r10
+        leaq	1280(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$512, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, (%r10)
+        movq	%rcx, (%r11)
+        movq	8(%r10), %rax
+        movq	8(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 8(%r10)
+        movq	%rcx, 8(%r11)
+        movq	16(%r10), %rax
+        movq	16(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 16(%r10)
+        movq	%rcx, 16(%r11)
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 24(%r10)
+        movq	%rcx, 24(%r11)
+        movq	32(%r10), %rax
+        movq	32(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 32(%r10)
+        movq	%rcx, 32(%r11)
+        movq	40(%r10), %rax
+        movq	40(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 40(%r10)
+        movq	%rcx, 40(%r11)
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 48(%r10)
+        movq	%rcx, 48(%r11)
+        movq	56(%r10), %rax
+        movq	56(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 56(%r10)
+        movq	%rcx, 56(%r11)
+        movq	64(%r10), %rax
+        movq	64(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 64(%r10)
+        movq	%rcx, 64(%r11)
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 72(%r10)
+        movq	%rcx, 72(%r11)
+        movq	80(%r10), %rax
+        movq	80(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 80(%r10)
+        movq	%rcx, 80(%r11)
+        movq	88(%r10), %rax
+        movq	88(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 88(%r10)
+        movq	%rcx, 88(%r11)
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 96(%r10)
+        movq	%rcx, 96(%r11)
+        movq	104(%r10), %rax
+        movq	104(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 104(%r10)
+        movq	%rcx, 104(%r11)
+        movq	112(%r10), %rax
+        movq	112(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 112(%r10)
+        movq	%rcx, 112(%r11)
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 120(%r10)
+        movq	%rcx, 120(%r11)
+        movq	128(%r10), %rax
+        movq	128(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 128(%r10)
+        movq	%rcx, 128(%r11)
+        movq	136(%r10), %rax
+        movq	136(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 136(%r10)
+        movq	%rcx, 136(%r11)
+        movq	144(%r10), %rax
+        movq	144(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 144(%r10)
+        movq	%rcx, 144(%r11)
+        movq	152(%r10), %rax
+        movq	152(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 152(%r10)
+        movq	%rcx, 152(%r11)
+        movq	160(%r10), %rax
+        movq	160(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 160(%r10)
+        movq	%rcx, 160(%r11)
+        movq	168(%r10), %rax
+        movq	168(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 168(%r10)
+        movq	%rcx, 168(%r11)
+        movq	176(%r10), %rax
+        movq	176(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 176(%r10)
+        movq	%rcx, 176(%r11)
+        movq	184(%r10), %rax
+        movq	184(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 184(%r10)
+        movq	%rcx, 184(%r11)
+        movq	192(%r10), %rax
+        movq	192(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 192(%r10)
+        movq	%rcx, 192(%r11)
+        movq	200(%r10), %rax
+        movq	200(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 200(%r10)
+        movq	%rcx, 200(%r11)
+        movq	208(%r10), %rax
+        movq	208(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 208(%r10)
+        movq	%rcx, 208(%r11)
+        movq	216(%r10), %rax
+        movq	216(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 216(%r10)
+        movq	%rcx, 216(%r11)
+        movq	224(%r10), %rax
+        movq	224(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 224(%r10)
+        movq	%rcx, 224(%r11)
+        movq	232(%r10), %rax
+        movq	232(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 232(%r10)
+        movq	%rcx, 232(%r11)
+        movq	240(%r10), %rax
+        movq	240(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 240(%r10)
+        movq	%rcx, 240(%r11)
+        movq	248(%r10), %rax
+        movq	248(%r11), %rcx
+        andq	%r14, %rax
+        andq	%r13, %rcx
+        movq	%rax, 248(%r10)
+        movq	%rcx, 248(%r11)
+        movq	(%r10), %rax
+        addq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r11), %rcx
+        movq	%rcx, 248(%r15)
+        adcq	$0, %r9
+        leaq	512(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%r11), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%r11), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%r11), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%r11), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%r11), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%r11), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%r11), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%r11), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%r11), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%r11), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%r11), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%r11), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%r11), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%r11), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%r11), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%r11), %r8
+        movq	384(%r10), %rax
+        movq	%r8, 376(%r10)
+        sbbq	384(%r11), %rax
+        movq	392(%r10), %rcx
+        movq	%rax, 384(%r10)
+        sbbq	392(%r11), %rcx
+        movq	400(%r10), %r8
+        movq	%rcx, 392(%r10)
+        sbbq	400(%r11), %r8
+        movq	408(%r10), %rax
+        movq	%r8, 400(%r10)
+        sbbq	408(%r11), %rax
+        movq	416(%r10), %rcx
+        movq	%rax, 408(%r10)
+        sbbq	416(%r11), %rcx
+        movq	424(%r10), %r8
+        movq	%rcx, 416(%r10)
+        sbbq	424(%r11), %r8
+        movq	432(%r10), %rax
+        movq	%r8, 424(%r10)
+        sbbq	432(%r11), %rax
+        movq	440(%r10), %rcx
+        movq	%rax, 432(%r10)
+        sbbq	440(%r11), %rcx
+        movq	448(%r10), %r8
+        movq	%rcx, 440(%r10)
+        sbbq	448(%r11), %r8
+        movq	456(%r10), %rax
+        movq	%r8, 448(%r10)
+        sbbq	456(%r11), %rax
+        movq	464(%r10), %rcx
+        movq	%rax, 456(%r10)
+        sbbq	464(%r11), %rcx
+        movq	472(%r10), %r8
+        movq	%rcx, 464(%r10)
+        sbbq	472(%r11), %r8
+        movq	480(%r10), %rax
+        movq	%r8, 472(%r10)
+        sbbq	480(%r11), %rax
+        movq	488(%r10), %rcx
+        movq	%rax, 480(%r10)
+        sbbq	488(%r11), %rcx
+        movq	496(%r10), %r8
+        movq	%rcx, 488(%r10)
+        sbbq	496(%r11), %r8
+        movq	504(%r10), %rax
+        movq	%r8, 496(%r10)
+        sbbq	504(%r11), %rax
+        movq	%rax, 504(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%rdi), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%rdi), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%rdi), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%rdi), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%rdi), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%rdi), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%rdi), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%rdi), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%rdi), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%rdi), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%rdi), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%rdi), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%rdi), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%rdi), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%rdi), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%rdi), %r8
+        movq	384(%r10), %rax
+        movq	%r8, 376(%r10)
+        sbbq	384(%rdi), %rax
+        movq	392(%r10), %rcx
+        movq	%rax, 384(%r10)
+        sbbq	392(%rdi), %rcx
+        movq	400(%r10), %r8
+        movq	%rcx, 392(%r10)
+        sbbq	400(%rdi), %r8
+        movq	408(%r10), %rax
+        movq	%r8, 400(%r10)
+        sbbq	408(%rdi), %rax
+        movq	416(%r10), %rcx
+        movq	%rax, 408(%r10)
+        sbbq	416(%rdi), %rcx
+        movq	424(%r10), %r8
+        movq	%rcx, 416(%r10)
+        sbbq	424(%rdi), %r8
+        movq	432(%r10), %rax
+        movq	%r8, 424(%r10)
+        sbbq	432(%rdi), %rax
+        movq	440(%r10), %rcx
+        movq	%rax, 432(%r10)
+        sbbq	440(%rdi), %rcx
+        movq	448(%r10), %r8
+        movq	%rcx, 440(%r10)
+        sbbq	448(%rdi), %r8
+        movq	456(%r10), %rax
+        movq	%r8, 448(%r10)
+        sbbq	456(%rdi), %rax
+        movq	464(%r10), %rcx
+        movq	%rax, 456(%r10)
+        sbbq	464(%rdi), %rcx
+        movq	472(%r10), %r8
+        movq	%rcx, 464(%r10)
+        sbbq	472(%rdi), %r8
+        movq	480(%r10), %rax
+        movq	%r8, 472(%r10)
+        sbbq	480(%rdi), %rax
+        movq	488(%r10), %rcx
+        movq	%rax, 480(%r10)
+        sbbq	488(%rdi), %rcx
+        movq	496(%r10), %r8
+        movq	%rcx, 488(%r10)
+        sbbq	496(%rdi), %r8
+        movq	504(%r10), %rax
+        movq	%r8, 496(%r10)
+        sbbq	504(%rdi), %rax
+        movq	%rax, 504(%r10)
+        sbbq	$0, %r9
+        subq	$256, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r10), %r8
+        movq	264(%r15), %rax
+        movq	%r8, 256(%r15)
+        adcq	264(%r10), %rax
+        movq	272(%r15), %rcx
+        movq	%rax, 264(%r15)
+        adcq	272(%r10), %rcx
+        movq	280(%r15), %r8
+        movq	%rcx, 272(%r15)
+        adcq	280(%r10), %r8
+        movq	288(%r15), %rax
+        movq	%r8, 280(%r15)
+        adcq	288(%r10), %rax
+        movq	296(%r15), %rcx
+        movq	%rax, 288(%r15)
+        adcq	296(%r10), %rcx
+        movq	304(%r15), %r8
+        movq	%rcx, 296(%r15)
+        adcq	304(%r10), %r8
+        movq	312(%r15), %rax
+        movq	%r8, 304(%r15)
+        adcq	312(%r10), %rax
+        movq	320(%r15), %rcx
+        movq	%rax, 312(%r15)
+        adcq	320(%r10), %rcx
+        movq	328(%r15), %r8
+        movq	%rcx, 320(%r15)
+        adcq	328(%r10), %r8
+        movq	336(%r15), %rax
+        movq	%r8, 328(%r15)
+        adcq	336(%r10), %rax
+        movq	344(%r15), %rcx
+        movq	%rax, 336(%r15)
+        adcq	344(%r10), %rcx
+        movq	352(%r15), %r8
+        movq	%rcx, 344(%r15)
+        adcq	352(%r10), %r8
+        movq	360(%r15), %rax
+        movq	%r8, 352(%r15)
+        adcq	360(%r10), %rax
+        movq	368(%r15), %rcx
+        movq	%rax, 360(%r15)
+        adcq	368(%r10), %rcx
+        movq	376(%r15), %r8
+        movq	%rcx, 368(%r15)
+        adcq	376(%r10), %r8
+        movq	384(%r15), %rax
+        movq	%r8, 376(%r15)
+        adcq	384(%r10), %rax
+        movq	392(%r15), %rcx
+        movq	%rax, 384(%r15)
+        adcq	392(%r10), %rcx
+        movq	400(%r15), %r8
+        movq	%rcx, 392(%r15)
+        adcq	400(%r10), %r8
+        movq	408(%r15), %rax
+        movq	%r8, 400(%r15)
+        adcq	408(%r10), %rax
+        movq	416(%r15), %rcx
+        movq	%rax, 408(%r15)
+        adcq	416(%r10), %rcx
+        movq	424(%r15), %r8
+        movq	%rcx, 416(%r15)
+        adcq	424(%r10), %r8
+        movq	432(%r15), %rax
+        movq	%r8, 424(%r15)
+        adcq	432(%r10), %rax
+        movq	440(%r15), %rcx
+        movq	%rax, 432(%r15)
+        adcq	440(%r10), %rcx
+        movq	448(%r15), %r8
+        movq	%rcx, 440(%r15)
+        adcq	448(%r10), %r8
+        movq	456(%r15), %rax
+        movq	%r8, 448(%r15)
+        adcq	456(%r10), %rax
+        movq	464(%r15), %rcx
+        movq	%rax, 456(%r15)
+        adcq	464(%r10), %rcx
+        movq	472(%r15), %r8
+        movq	%rcx, 464(%r15)
+        adcq	472(%r10), %r8
+        movq	480(%r15), %rax
+        movq	%r8, 472(%r15)
+        adcq	480(%r10), %rax
+        movq	488(%r15), %rcx
+        movq	%rax, 480(%r15)
+        adcq	488(%r10), %rcx
+        movq	496(%r15), %r8
+        movq	%rcx, 488(%r15)
+        adcq	496(%r10), %r8
+        movq	504(%r15), %rax
+        movq	%r8, 496(%r15)
+        adcq	504(%r10), %rax
+        movq	%rax, 504(%r15)
+        adcq	$0, %r9
+        movq	%r9, 768(%rdi)
+        addq	$256, %r15
+        # Add
+        movq	(%r15), %rax
+        xorq	%r9, %r9
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r11), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r11), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r11), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r11), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r11), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r11), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r11), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r11), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r11), %r8
+        movq	%r8, 256(%r15)
+        adcq	$0, %r9
+        # Add to zero
+        movq	264(%r11), %rax
+        adcq	$0, %rax
+        movq	272(%r11), %rcx
+        movq	%rax, 264(%r15)
+        adcq	$0, %rcx
+        movq	280(%r11), %r8
+        movq	%rcx, 272(%r15)
+        adcq	$0, %r8
+        movq	288(%r11), %rax
+        movq	%r8, 280(%r15)
+        adcq	$0, %rax
+        movq	296(%r11), %rcx
+        movq	%rax, 288(%r15)
+        adcq	$0, %rcx
+        movq	304(%r11), %r8
+        movq	%rcx, 296(%r15)
+        adcq	$0, %r8
+        movq	312(%r11), %rax
+        movq	%r8, 304(%r15)
+        adcq	$0, %rax
+        movq	320(%r11), %rcx
+        movq	%rax, 312(%r15)
+        adcq	$0, %rcx
+        movq	328(%r11), %r8
+        movq	%rcx, 320(%r15)
+        adcq	$0, %r8
+        movq	336(%r11), %rax
+        movq	%r8, 328(%r15)
+        adcq	$0, %rax
+        movq	344(%r11), %rcx
+        movq	%rax, 336(%r15)
+        adcq	$0, %rcx
+        movq	352(%r11), %r8
+        movq	%rcx, 344(%r15)
+        adcq	$0, %r8
+        movq	360(%r11), %rax
+        movq	%r8, 352(%r15)
+        adcq	$0, %rax
+        movq	368(%r11), %rcx
+        movq	%rax, 360(%r15)
+        adcq	$0, %rcx
+        movq	376(%r11), %r8
+        movq	%rcx, 368(%r15)
+        adcq	$0, %r8
+        movq	384(%r11), %rax
+        movq	%r8, 376(%r15)
+        adcq	$0, %rax
+        movq	392(%r11), %rcx
+        movq	%rax, 384(%r15)
+        adcq	$0, %rcx
+        movq	400(%r11), %r8
+        movq	%rcx, 392(%r15)
+        adcq	$0, %r8
+        movq	408(%r11), %rax
+        movq	%r8, 400(%r15)
+        adcq	$0, %rax
+        movq	416(%r11), %rcx
+        movq	%rax, 408(%r15)
+        adcq	$0, %rcx
+        movq	424(%r11), %r8
+        movq	%rcx, 416(%r15)
+        adcq	$0, %r8
+        movq	432(%r11), %rax
+        movq	%r8, 424(%r15)
+        adcq	$0, %rax
+        movq	440(%r11), %rcx
+        movq	%rax, 432(%r15)
+        adcq	$0, %rcx
+        movq	448(%r11), %r8
+        movq	%rcx, 440(%r15)
+        adcq	$0, %r8
+        movq	456(%r11), %rax
+        movq	%r8, 448(%r15)
+        adcq	$0, %rax
+        movq	464(%r11), %rcx
+        movq	%rax, 456(%r15)
+        adcq	$0, %rcx
+        movq	472(%r11), %r8
+        movq	%rcx, 464(%r15)
+        adcq	$0, %r8
+        movq	480(%r11), %rax
+        movq	%r8, 472(%r15)
+        adcq	$0, %rax
+        movq	488(%r11), %rcx
+        movq	%rax, 480(%r15)
+        adcq	$0, %rcx
+        movq	496(%r11), %r8
+        movq	%rcx, 488(%r15)
+        adcq	$0, %r8
+        movq	504(%r11), %rax
+        movq	%r8, 496(%r15)
+        adcq	$0, %rax
+        movq	%rax, 504(%r15)
+        addq	$1576, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mul_64,.-sp_4096_mul_64
+#endif /* __APPLE__ */
+/* Add a to a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_2048_dbl_32
+.type	sp_2048_dbl_32,@function
+.align	16
+sp_2048_dbl_32:
+#else
+.globl	_sp_2048_dbl_32
+.p2align	4
+_sp_2048_dbl_32:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        xorq	%rax, %rax
+        addq	%rdx, %rdx
+        movq	8(%rsi), %rcx
+        movq	%rdx, (%rdi)
+        adcq	%rcx, %rcx
+        movq	16(%rsi), %rdx
+        movq	%rcx, 8(%rdi)
+        adcq	%rdx, %rdx
+        movq	24(%rsi), %rcx
+        movq	%rdx, 16(%rdi)
+        adcq	%rcx, %rcx
+        movq	32(%rsi), %rdx
+        movq	%rcx, 24(%rdi)
+        adcq	%rdx, %rdx
+        movq	40(%rsi), %rcx
+        movq	%rdx, 32(%rdi)
+        adcq	%rcx, %rcx
+        movq	48(%rsi), %rdx
+        movq	%rcx, 40(%rdi)
+        adcq	%rdx, %rdx
+        movq	56(%rsi), %rcx
+        movq	%rdx, 48(%rdi)
+        adcq	%rcx, %rcx
+        movq	64(%rsi), %rdx
+        movq	%rcx, 56(%rdi)
+        adcq	%rdx, %rdx
+        movq	72(%rsi), %rcx
+        movq	%rdx, 64(%rdi)
+        adcq	%rcx, %rcx
+        movq	80(%rsi), %rdx
+        movq	%rcx, 72(%rdi)
+        adcq	%rdx, %rdx
+        movq	88(%rsi), %rcx
+        movq	%rdx, 80(%rdi)
+        adcq	%rcx, %rcx
+        movq	96(%rsi), %rdx
+        movq	%rcx, 88(%rdi)
+        adcq	%rdx, %rdx
+        movq	104(%rsi), %rcx
+        movq	%rdx, 96(%rdi)
+        adcq	%rcx, %rcx
+        movq	112(%rsi), %rdx
+        movq	%rcx, 104(%rdi)
+        adcq	%rdx, %rdx
+        movq	120(%rsi), %rcx
+        movq	%rdx, 112(%rdi)
+        adcq	%rcx, %rcx
+        movq	128(%rsi), %rdx
+        movq	%rcx, 120(%rdi)
+        adcq	%rdx, %rdx
+        movq	136(%rsi), %rcx
+        movq	%rdx, 128(%rdi)
+        adcq	%rcx, %rcx
+        movq	144(%rsi), %rdx
+        movq	%rcx, 136(%rdi)
+        adcq	%rdx, %rdx
+        movq	152(%rsi), %rcx
+        movq	%rdx, 144(%rdi)
+        adcq	%rcx, %rcx
+        movq	160(%rsi), %rdx
+        movq	%rcx, 152(%rdi)
+        adcq	%rdx, %rdx
+        movq	168(%rsi), %rcx
+        movq	%rdx, 160(%rdi)
+        adcq	%rcx, %rcx
+        movq	176(%rsi), %rdx
+        movq	%rcx, 168(%rdi)
+        adcq	%rdx, %rdx
+        movq	184(%rsi), %rcx
+        movq	%rdx, 176(%rdi)
+        adcq	%rcx, %rcx
+        movq	192(%rsi), %rdx
+        movq	%rcx, 184(%rdi)
+        adcq	%rdx, %rdx
+        movq	200(%rsi), %rcx
+        movq	%rdx, 192(%rdi)
+        adcq	%rcx, %rcx
+        movq	208(%rsi), %rdx
+        movq	%rcx, 200(%rdi)
+        adcq	%rdx, %rdx
+        movq	216(%rsi), %rcx
+        movq	%rdx, 208(%rdi)
+        adcq	%rcx, %rcx
+        movq	224(%rsi), %rdx
+        movq	%rcx, 216(%rdi)
+        adcq	%rdx, %rdx
+        movq	232(%rsi), %rcx
+        movq	%rdx, 224(%rdi)
+        adcq	%rcx, %rcx
+        movq	240(%rsi), %rdx
+        movq	%rcx, 232(%rdi)
+        adcq	%rdx, %rdx
+        movq	248(%rsi), %rcx
+        movq	%rdx, 240(%rdi)
+        adcq	%rcx, %rcx
+        movq	%rcx, 248(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_2048_dbl_32,.-sp_2048_dbl_32
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_sqr_64
+.type	sp_4096_sqr_64,@function
+.align	16
+sp_4096_sqr_64:
+#else
+.globl	_sp_4096_sqr_64
+.p2align	4
+_sp_4096_sqr_64:
+#endif /* __APPLE__ */
+        subq	$1304, %rsp
+        movq	%rdi, 1280(%rsp)
+        movq	%rsi, 1288(%rsp)
+        leaq	1024(%rsp), %r8
+        leaq	256(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	128(%rsi), %rdx
+        movq	%rax, 120(%r8)
+        adcq	128(%r9), %rdx
+        movq	136(%rsi), %rax
+        movq	%rdx, 128(%r8)
+        adcq	136(%r9), %rax
+        movq	144(%rsi), %rdx
+        movq	%rax, 136(%r8)
+        adcq	144(%r9), %rdx
+        movq	152(%rsi), %rax
+        movq	%rdx, 144(%r8)
+        adcq	152(%r9), %rax
+        movq	160(%rsi), %rdx
+        movq	%rax, 152(%r8)
+        adcq	160(%r9), %rdx
+        movq	168(%rsi), %rax
+        movq	%rdx, 160(%r8)
+        adcq	168(%r9), %rax
+        movq	176(%rsi), %rdx
+        movq	%rax, 168(%r8)
+        adcq	176(%r9), %rdx
+        movq	184(%rsi), %rax
+        movq	%rdx, 176(%r8)
+        adcq	184(%r9), %rax
+        movq	192(%rsi), %rdx
+        movq	%rax, 184(%r8)
+        adcq	192(%r9), %rdx
+        movq	200(%rsi), %rax
+        movq	%rdx, 192(%r8)
+        adcq	200(%r9), %rax
+        movq	208(%rsi), %rdx
+        movq	%rax, 200(%r8)
+        adcq	208(%r9), %rdx
+        movq	216(%rsi), %rax
+        movq	%rdx, 208(%r8)
+        adcq	216(%r9), %rax
+        movq	224(%rsi), %rdx
+        movq	%rax, 216(%r8)
+        adcq	224(%r9), %rdx
+        movq	232(%rsi), %rax
+        movq	%rdx, 224(%r8)
+        adcq	232(%r9), %rax
+        movq	240(%rsi), %rdx
+        movq	%rax, 232(%r8)
+        adcq	240(%r9), %rdx
+        movq	248(%rsi), %rax
+        movq	%rdx, 240(%r8)
+        adcq	248(%r9), %rax
+        movq	%rax, 248(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 1296(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_32@plt
+#else
+        callq	_sp_2048_sqr_32
+#endif /* __APPLE__ */
+        movq	1288(%rsp), %rsi
+        leaq	512(%rsp), %rdi
+        addq	$256, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_32@plt
+#else
+        callq	_sp_2048_sqr_32
+#endif /* __APPLE__ */
+        movq	1288(%rsp), %rsi
+        movq	1280(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_32@plt
+#else
+        callq	_sp_2048_sqr_32
+#endif /* __APPLE__ */
+        movq	1296(%rsp), %r10
+        leaq	1024(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        movq	(%r8), %rdx
+        movq	8(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 512(%rdi)
+        movq	%rax, 520(%rdi)
+        movq	16(%r8), %rdx
+        movq	24(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 528(%rdi)
+        movq	%rax, 536(%rdi)
+        movq	32(%r8), %rdx
+        movq	40(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 544(%rdi)
+        movq	%rax, 552(%rdi)
+        movq	48(%r8), %rdx
+        movq	56(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 560(%rdi)
+        movq	%rax, 568(%rdi)
+        movq	64(%r8), %rdx
+        movq	72(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 576(%rdi)
+        movq	%rax, 584(%rdi)
+        movq	80(%r8), %rdx
+        movq	88(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 592(%rdi)
+        movq	%rax, 600(%rdi)
+        movq	96(%r8), %rdx
+        movq	104(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 608(%rdi)
+        movq	%rax, 616(%rdi)
+        movq	112(%r8), %rdx
+        movq	120(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 624(%rdi)
+        movq	%rax, 632(%rdi)
+        movq	128(%r8), %rdx
+        movq	136(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 640(%rdi)
+        movq	%rax, 648(%rdi)
+        movq	144(%r8), %rdx
+        movq	152(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 656(%rdi)
+        movq	%rax, 664(%rdi)
+        movq	160(%r8), %rdx
+        movq	168(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 672(%rdi)
+        movq	%rax, 680(%rdi)
+        movq	176(%r8), %rdx
+        movq	184(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 688(%rdi)
+        movq	%rax, 696(%rdi)
+        movq	192(%r8), %rdx
+        movq	200(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 704(%rdi)
+        movq	%rax, 712(%rdi)
+        movq	208(%r8), %rdx
+        movq	216(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 720(%rdi)
+        movq	%rax, 728(%rdi)
+        movq	224(%r8), %rdx
+        movq	232(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 736(%rdi)
+        movq	%rax, 744(%rdi)
+        movq	240(%r8), %rdx
+        movq	248(%r8), %rax
+        andq	%r10, %rdx
+        andq	%r10, %rax
+        movq	%rdx, 752(%rdi)
+        movq	%rax, 760(%rdi)
+        movq	512(%rdi), %rdx
+        addq	%rdx, %rdx
+        movq	520(%rdi), %rax
+        movq	%rdx, 512(%rdi)
+        adcq	%rax, %rax
+        movq	528(%rdi), %rdx
+        movq	%rax, 520(%rdi)
+        adcq	%rdx, %rdx
+        movq	536(%rdi), %rax
+        movq	%rdx, 528(%rdi)
+        adcq	%rax, %rax
+        movq	544(%rdi), %rdx
+        movq	%rax, 536(%rdi)
+        adcq	%rdx, %rdx
+        movq	552(%rdi), %rax
+        movq	%rdx, 544(%rdi)
+        adcq	%rax, %rax
+        movq	560(%rdi), %rdx
+        movq	%rax, 552(%rdi)
+        adcq	%rdx, %rdx
+        movq	568(%rdi), %rax
+        movq	%rdx, 560(%rdi)
+        adcq	%rax, %rax
+        movq	576(%rdi), %rdx
+        movq	%rax, 568(%rdi)
+        adcq	%rdx, %rdx
+        movq	584(%rdi), %rax
+        movq	%rdx, 576(%rdi)
+        adcq	%rax, %rax
+        movq	592(%rdi), %rdx
+        movq	%rax, 584(%rdi)
+        adcq	%rdx, %rdx
+        movq	600(%rdi), %rax
+        movq	%rdx, 592(%rdi)
+        adcq	%rax, %rax
+        movq	608(%rdi), %rdx
+        movq	%rax, 600(%rdi)
+        adcq	%rdx, %rdx
+        movq	616(%rdi), %rax
+        movq	%rdx, 608(%rdi)
+        adcq	%rax, %rax
+        movq	624(%rdi), %rdx
+        movq	%rax, 616(%rdi)
+        adcq	%rdx, %rdx
+        movq	632(%rdi), %rax
+        movq	%rdx, 624(%rdi)
+        adcq	%rax, %rax
+        movq	640(%rdi), %rdx
+        movq	%rax, 632(%rdi)
+        adcq	%rdx, %rdx
+        movq	648(%rdi), %rax
+        movq	%rdx, 640(%rdi)
+        adcq	%rax, %rax
+        movq	656(%rdi), %rdx
+        movq	%rax, 648(%rdi)
+        adcq	%rdx, %rdx
+        movq	664(%rdi), %rax
+        movq	%rdx, 656(%rdi)
+        adcq	%rax, %rax
+        movq	672(%rdi), %rdx
+        movq	%rax, 664(%rdi)
+        adcq	%rdx, %rdx
+        movq	680(%rdi), %rax
+        movq	%rdx, 672(%rdi)
+        adcq	%rax, %rax
+        movq	688(%rdi), %rdx
+        movq	%rax, 680(%rdi)
+        adcq	%rdx, %rdx
+        movq	696(%rdi), %rax
+        movq	%rdx, 688(%rdi)
+        adcq	%rax, %rax
+        movq	704(%rdi), %rdx
+        movq	%rax, 696(%rdi)
+        adcq	%rdx, %rdx
+        movq	712(%rdi), %rax
+        movq	%rdx, 704(%rdi)
+        adcq	%rax, %rax
+        movq	720(%rdi), %rdx
+        movq	%rax, 712(%rdi)
+        adcq	%rdx, %rdx
+        movq	728(%rdi), %rax
+        movq	%rdx, 720(%rdi)
+        adcq	%rax, %rax
+        movq	736(%rdi), %rdx
+        movq	%rax, 728(%rdi)
+        adcq	%rdx, %rdx
+        movq	744(%rdi), %rax
+        movq	%rdx, 736(%rdi)
+        adcq	%rax, %rax
+        movq	752(%rdi), %rdx
+        movq	%rax, 744(%rdi)
+        adcq	%rdx, %rdx
+        movq	760(%rdi), %rax
+        movq	%rdx, 752(%rdi)
+        adcq	%rax, %rax
+        movq	%rax, 760(%rdi)
+        adcq	$0, %rcx
+        leaq	512(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rsi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rsi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rsi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rsi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rsi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rsi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rsi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rsi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rsi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rsi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rsi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rsi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rsi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rsi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rsi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rsi), %rax
+        movq	384(%r8), %rdx
+        movq	%rax, 376(%r8)
+        sbbq	384(%rsi), %rdx
+        movq	392(%r8), %rax
+        movq	%rdx, 384(%r8)
+        sbbq	392(%rsi), %rax
+        movq	400(%r8), %rdx
+        movq	%rax, 392(%r8)
+        sbbq	400(%rsi), %rdx
+        movq	408(%r8), %rax
+        movq	%rdx, 400(%r8)
+        sbbq	408(%rsi), %rax
+        movq	416(%r8), %rdx
+        movq	%rax, 408(%r8)
+        sbbq	416(%rsi), %rdx
+        movq	424(%r8), %rax
+        movq	%rdx, 416(%r8)
+        sbbq	424(%rsi), %rax
+        movq	432(%r8), %rdx
+        movq	%rax, 424(%r8)
+        sbbq	432(%rsi), %rdx
+        movq	440(%r8), %rax
+        movq	%rdx, 432(%r8)
+        sbbq	440(%rsi), %rax
+        movq	448(%r8), %rdx
+        movq	%rax, 440(%r8)
+        sbbq	448(%rsi), %rdx
+        movq	456(%r8), %rax
+        movq	%rdx, 448(%r8)
+        sbbq	456(%rsi), %rax
+        movq	464(%r8), %rdx
+        movq	%rax, 456(%r8)
+        sbbq	464(%rsi), %rdx
+        movq	472(%r8), %rax
+        movq	%rdx, 464(%r8)
+        sbbq	472(%rsi), %rax
+        movq	480(%r8), %rdx
+        movq	%rax, 472(%r8)
+        sbbq	480(%rsi), %rdx
+        movq	488(%r8), %rax
+        movq	%rdx, 480(%r8)
+        sbbq	488(%rsi), %rax
+        movq	496(%r8), %rdx
+        movq	%rax, 488(%r8)
+        sbbq	496(%rsi), %rdx
+        movq	504(%r8), %rax
+        movq	%rdx, 496(%r8)
+        sbbq	504(%rsi), %rax
+        movq	%rax, 504(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rdi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rdi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rdi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rdi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rdi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rdi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rdi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rdi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rdi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rdi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rdi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rdi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rdi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rdi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rdi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rdi), %rax
+        movq	384(%r8), %rdx
+        movq	%rax, 376(%r8)
+        sbbq	384(%rdi), %rdx
+        movq	392(%r8), %rax
+        movq	%rdx, 384(%r8)
+        sbbq	392(%rdi), %rax
+        movq	400(%r8), %rdx
+        movq	%rax, 392(%r8)
+        sbbq	400(%rdi), %rdx
+        movq	408(%r8), %rax
+        movq	%rdx, 400(%r8)
+        sbbq	408(%rdi), %rax
+        movq	416(%r8), %rdx
+        movq	%rax, 408(%r8)
+        sbbq	416(%rdi), %rdx
+        movq	424(%r8), %rax
+        movq	%rdx, 416(%r8)
+        sbbq	424(%rdi), %rax
+        movq	432(%r8), %rdx
+        movq	%rax, 424(%r8)
+        sbbq	432(%rdi), %rdx
+        movq	440(%r8), %rax
+        movq	%rdx, 432(%r8)
+        sbbq	440(%rdi), %rax
+        movq	448(%r8), %rdx
+        movq	%rax, 440(%r8)
+        sbbq	448(%rdi), %rdx
+        movq	456(%r8), %rax
+        movq	%rdx, 448(%r8)
+        sbbq	456(%rdi), %rax
+        movq	464(%r8), %rdx
+        movq	%rax, 456(%r8)
+        sbbq	464(%rdi), %rdx
+        movq	472(%r8), %rax
+        movq	%rdx, 464(%r8)
+        sbbq	472(%rdi), %rax
+        movq	480(%r8), %rdx
+        movq	%rax, 472(%r8)
+        sbbq	480(%rdi), %rdx
+        movq	488(%r8), %rax
+        movq	%rdx, 480(%r8)
+        sbbq	488(%rdi), %rax
+        movq	496(%r8), %rdx
+        movq	%rax, 488(%r8)
+        sbbq	496(%rdi), %rdx
+        movq	504(%r8), %rax
+        movq	%rdx, 496(%r8)
+        sbbq	504(%rdi), %rax
+        movq	%rax, 504(%r8)
+        sbbq	$0, %rcx
+        # Add in place
+        movq	256(%rdi), %rdx
+        addq	(%r8), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	8(%r8), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	16(%r8), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	24(%r8), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	32(%r8), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	40(%r8), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	48(%r8), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	56(%r8), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	64(%r8), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	72(%r8), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	80(%r8), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	88(%r8), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	96(%r8), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	104(%r8), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	112(%r8), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	120(%r8), %rax
+        movq	384(%rdi), %rdx
+        movq	%rax, 376(%rdi)
+        adcq	128(%r8), %rdx
+        movq	392(%rdi), %rax
+        movq	%rdx, 384(%rdi)
+        adcq	136(%r8), %rax
+        movq	400(%rdi), %rdx
+        movq	%rax, 392(%rdi)
+        adcq	144(%r8), %rdx
+        movq	408(%rdi), %rax
+        movq	%rdx, 400(%rdi)
+        adcq	152(%r8), %rax
+        movq	416(%rdi), %rdx
+        movq	%rax, 408(%rdi)
+        adcq	160(%r8), %rdx
+        movq	424(%rdi), %rax
+        movq	%rdx, 416(%rdi)
+        adcq	168(%r8), %rax
+        movq	432(%rdi), %rdx
+        movq	%rax, 424(%rdi)
+        adcq	176(%r8), %rdx
+        movq	440(%rdi), %rax
+        movq	%rdx, 432(%rdi)
+        adcq	184(%r8), %rax
+        movq	448(%rdi), %rdx
+        movq	%rax, 440(%rdi)
+        adcq	192(%r8), %rdx
+        movq	456(%rdi), %rax
+        movq	%rdx, 448(%rdi)
+        adcq	200(%r8), %rax
+        movq	464(%rdi), %rdx
+        movq	%rax, 456(%rdi)
+        adcq	208(%r8), %rdx
+        movq	472(%rdi), %rax
+        movq	%rdx, 464(%rdi)
+        adcq	216(%r8), %rax
+        movq	480(%rdi), %rdx
+        movq	%rax, 472(%rdi)
+        adcq	224(%r8), %rdx
+        movq	488(%rdi), %rax
+        movq	%rdx, 480(%rdi)
+        adcq	232(%r8), %rax
+        movq	496(%rdi), %rdx
+        movq	%rax, 488(%rdi)
+        adcq	240(%r8), %rdx
+        movq	504(%rdi), %rax
+        movq	%rdx, 496(%rdi)
+        adcq	248(%r8), %rax
+        movq	512(%rdi), %rdx
+        movq	%rax, 504(%rdi)
+        adcq	256(%r8), %rdx
+        movq	520(%rdi), %rax
+        movq	%rdx, 512(%rdi)
+        adcq	264(%r8), %rax
+        movq	528(%rdi), %rdx
+        movq	%rax, 520(%rdi)
+        adcq	272(%r8), %rdx
+        movq	536(%rdi), %rax
+        movq	%rdx, 528(%rdi)
+        adcq	280(%r8), %rax
+        movq	544(%rdi), %rdx
+        movq	%rax, 536(%rdi)
+        adcq	288(%r8), %rdx
+        movq	552(%rdi), %rax
+        movq	%rdx, 544(%rdi)
+        adcq	296(%r8), %rax
+        movq	560(%rdi), %rdx
+        movq	%rax, 552(%rdi)
+        adcq	304(%r8), %rdx
+        movq	568(%rdi), %rax
+        movq	%rdx, 560(%rdi)
+        adcq	312(%r8), %rax
+        movq	576(%rdi), %rdx
+        movq	%rax, 568(%rdi)
+        adcq	320(%r8), %rdx
+        movq	584(%rdi), %rax
+        movq	%rdx, 576(%rdi)
+        adcq	328(%r8), %rax
+        movq	592(%rdi), %rdx
+        movq	%rax, 584(%rdi)
+        adcq	336(%r8), %rdx
+        movq	600(%rdi), %rax
+        movq	%rdx, 592(%rdi)
+        adcq	344(%r8), %rax
+        movq	608(%rdi), %rdx
+        movq	%rax, 600(%rdi)
+        adcq	352(%r8), %rdx
+        movq	616(%rdi), %rax
+        movq	%rdx, 608(%rdi)
+        adcq	360(%r8), %rax
+        movq	624(%rdi), %rdx
+        movq	%rax, 616(%rdi)
+        adcq	368(%r8), %rdx
+        movq	632(%rdi), %rax
+        movq	%rdx, 624(%rdi)
+        adcq	376(%r8), %rax
+        movq	640(%rdi), %rdx
+        movq	%rax, 632(%rdi)
+        adcq	384(%r8), %rdx
+        movq	648(%rdi), %rax
+        movq	%rdx, 640(%rdi)
+        adcq	392(%r8), %rax
+        movq	656(%rdi), %rdx
+        movq	%rax, 648(%rdi)
+        adcq	400(%r8), %rdx
+        movq	664(%rdi), %rax
+        movq	%rdx, 656(%rdi)
+        adcq	408(%r8), %rax
+        movq	672(%rdi), %rdx
+        movq	%rax, 664(%rdi)
+        adcq	416(%r8), %rdx
+        movq	680(%rdi), %rax
+        movq	%rdx, 672(%rdi)
+        adcq	424(%r8), %rax
+        movq	688(%rdi), %rdx
+        movq	%rax, 680(%rdi)
+        adcq	432(%r8), %rdx
+        movq	696(%rdi), %rax
+        movq	%rdx, 688(%rdi)
+        adcq	440(%r8), %rax
+        movq	704(%rdi), %rdx
+        movq	%rax, 696(%rdi)
+        adcq	448(%r8), %rdx
+        movq	712(%rdi), %rax
+        movq	%rdx, 704(%rdi)
+        adcq	456(%r8), %rax
+        movq	720(%rdi), %rdx
+        movq	%rax, 712(%rdi)
+        adcq	464(%r8), %rdx
+        movq	728(%rdi), %rax
+        movq	%rdx, 720(%rdi)
+        adcq	472(%r8), %rax
+        movq	736(%rdi), %rdx
+        movq	%rax, 728(%rdi)
+        adcq	480(%r8), %rdx
+        movq	744(%rdi), %rax
+        movq	%rdx, 736(%rdi)
+        adcq	488(%r8), %rax
+        movq	752(%rdi), %rdx
+        movq	%rax, 744(%rdi)
+        adcq	496(%r8), %rdx
+        movq	760(%rdi), %rax
+        movq	%rdx, 752(%rdi)
+        adcq	504(%r8), %rax
+        movq	%rax, 760(%rdi)
+        adcq	$0, %rcx
+        movq	%rcx, 768(%rdi)
+        # Add in place
+        movq	512(%rdi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%rsi), %rdx
+        movq	520(%rdi), %rax
+        movq	%rdx, 512(%rdi)
+        adcq	8(%rsi), %rax
+        movq	528(%rdi), %rdx
+        movq	%rax, 520(%rdi)
+        adcq	16(%rsi), %rdx
+        movq	536(%rdi), %rax
+        movq	%rdx, 528(%rdi)
+        adcq	24(%rsi), %rax
+        movq	544(%rdi), %rdx
+        movq	%rax, 536(%rdi)
+        adcq	32(%rsi), %rdx
+        movq	552(%rdi), %rax
+        movq	%rdx, 544(%rdi)
+        adcq	40(%rsi), %rax
+        movq	560(%rdi), %rdx
+        movq	%rax, 552(%rdi)
+        adcq	48(%rsi), %rdx
+        movq	568(%rdi), %rax
+        movq	%rdx, 560(%rdi)
+        adcq	56(%rsi), %rax
+        movq	576(%rdi), %rdx
+        movq	%rax, 568(%rdi)
+        adcq	64(%rsi), %rdx
+        movq	584(%rdi), %rax
+        movq	%rdx, 576(%rdi)
+        adcq	72(%rsi), %rax
+        movq	592(%rdi), %rdx
+        movq	%rax, 584(%rdi)
+        adcq	80(%rsi), %rdx
+        movq	600(%rdi), %rax
+        movq	%rdx, 592(%rdi)
+        adcq	88(%rsi), %rax
+        movq	608(%rdi), %rdx
+        movq	%rax, 600(%rdi)
+        adcq	96(%rsi), %rdx
+        movq	616(%rdi), %rax
+        movq	%rdx, 608(%rdi)
+        adcq	104(%rsi), %rax
+        movq	624(%rdi), %rdx
+        movq	%rax, 616(%rdi)
+        adcq	112(%rsi), %rdx
+        movq	632(%rdi), %rax
+        movq	%rdx, 624(%rdi)
+        adcq	120(%rsi), %rax
+        movq	640(%rdi), %rdx
+        movq	%rax, 632(%rdi)
+        adcq	128(%rsi), %rdx
+        movq	648(%rdi), %rax
+        movq	%rdx, 640(%rdi)
+        adcq	136(%rsi), %rax
+        movq	656(%rdi), %rdx
+        movq	%rax, 648(%rdi)
+        adcq	144(%rsi), %rdx
+        movq	664(%rdi), %rax
+        movq	%rdx, 656(%rdi)
+        adcq	152(%rsi), %rax
+        movq	672(%rdi), %rdx
+        movq	%rax, 664(%rdi)
+        adcq	160(%rsi), %rdx
+        movq	680(%rdi), %rax
+        movq	%rdx, 672(%rdi)
+        adcq	168(%rsi), %rax
+        movq	688(%rdi), %rdx
+        movq	%rax, 680(%rdi)
+        adcq	176(%rsi), %rdx
+        movq	696(%rdi), %rax
+        movq	%rdx, 688(%rdi)
+        adcq	184(%rsi), %rax
+        movq	704(%rdi), %rdx
+        movq	%rax, 696(%rdi)
+        adcq	192(%rsi), %rdx
+        movq	712(%rdi), %rax
+        movq	%rdx, 704(%rdi)
+        adcq	200(%rsi), %rax
+        movq	720(%rdi), %rdx
+        movq	%rax, 712(%rdi)
+        adcq	208(%rsi), %rdx
+        movq	728(%rdi), %rax
+        movq	%rdx, 720(%rdi)
+        adcq	216(%rsi), %rax
+        movq	736(%rdi), %rdx
+        movq	%rax, 728(%rdi)
+        adcq	224(%rsi), %rdx
+        movq	744(%rdi), %rax
+        movq	%rdx, 736(%rdi)
+        adcq	232(%rsi), %rax
+        movq	752(%rdi), %rdx
+        movq	%rax, 744(%rdi)
+        adcq	240(%rsi), %rdx
+        movq	760(%rdi), %rax
+        movq	%rdx, 752(%rdi)
+        adcq	248(%rsi), %rax
+        movq	768(%rdi), %rdx
+        movq	%rax, 760(%rdi)
+        adcq	256(%rsi), %rdx
+        movq	%rdx, 768(%rdi)
+        adcq	$0, %rcx
+        # Add to zero
+        movq	264(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	272(%rsi), %rax
+        movq	%rdx, 776(%rdi)
+        adcq	$0, %rax
+        movq	280(%rsi), %rdx
+        movq	%rax, 784(%rdi)
+        adcq	$0, %rdx
+        movq	288(%rsi), %rax
+        movq	%rdx, 792(%rdi)
+        adcq	$0, %rax
+        movq	296(%rsi), %rdx
+        movq	%rax, 800(%rdi)
+        adcq	$0, %rdx
+        movq	304(%rsi), %rax
+        movq	%rdx, 808(%rdi)
+        adcq	$0, %rax
+        movq	312(%rsi), %rdx
+        movq	%rax, 816(%rdi)
+        adcq	$0, %rdx
+        movq	320(%rsi), %rax
+        movq	%rdx, 824(%rdi)
+        adcq	$0, %rax
+        movq	328(%rsi), %rdx
+        movq	%rax, 832(%rdi)
+        adcq	$0, %rdx
+        movq	336(%rsi), %rax
+        movq	%rdx, 840(%rdi)
+        adcq	$0, %rax
+        movq	344(%rsi), %rdx
+        movq	%rax, 848(%rdi)
+        adcq	$0, %rdx
+        movq	352(%rsi), %rax
+        movq	%rdx, 856(%rdi)
+        adcq	$0, %rax
+        movq	360(%rsi), %rdx
+        movq	%rax, 864(%rdi)
+        adcq	$0, %rdx
+        movq	368(%rsi), %rax
+        movq	%rdx, 872(%rdi)
+        adcq	$0, %rax
+        movq	376(%rsi), %rdx
+        movq	%rax, 880(%rdi)
+        adcq	$0, %rdx
+        movq	384(%rsi), %rax
+        movq	%rdx, 888(%rdi)
+        adcq	$0, %rax
+        movq	392(%rsi), %rdx
+        movq	%rax, 896(%rdi)
+        adcq	$0, %rdx
+        movq	400(%rsi), %rax
+        movq	%rdx, 904(%rdi)
+        adcq	$0, %rax
+        movq	408(%rsi), %rdx
+        movq	%rax, 912(%rdi)
+        adcq	$0, %rdx
+        movq	416(%rsi), %rax
+        movq	%rdx, 920(%rdi)
+        adcq	$0, %rax
+        movq	424(%rsi), %rdx
+        movq	%rax, 928(%rdi)
+        adcq	$0, %rdx
+        movq	432(%rsi), %rax
+        movq	%rdx, 936(%rdi)
+        adcq	$0, %rax
+        movq	440(%rsi), %rdx
+        movq	%rax, 944(%rdi)
+        adcq	$0, %rdx
+        movq	448(%rsi), %rax
+        movq	%rdx, 952(%rdi)
+        adcq	$0, %rax
+        movq	456(%rsi), %rdx
+        movq	%rax, 960(%rdi)
+        adcq	$0, %rdx
+        movq	464(%rsi), %rax
+        movq	%rdx, 968(%rdi)
+        adcq	$0, %rax
+        movq	472(%rsi), %rdx
+        movq	%rax, 976(%rdi)
+        adcq	$0, %rdx
+        movq	480(%rsi), %rax
+        movq	%rdx, 984(%rdi)
+        adcq	$0, %rax
+        movq	488(%rsi), %rdx
+        movq	%rax, 992(%rdi)
+        adcq	$0, %rdx
+        movq	496(%rsi), %rax
+        movq	%rdx, 1000(%rdi)
+        adcq	$0, %rax
+        movq	504(%rsi), %rdx
+        movq	%rax, 1008(%rdi)
+        adcq	$0, %rdx
+        movq	%rdx, 1016(%rdi)
+        addq	$1304, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_sqr_64,.-sp_4096_sqr_64
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mul_avx2_64
+.type	sp_4096_mul_avx2_64,@function
+.align	16
+sp_4096_mul_avx2_64:
+#else
+.globl	_sp_4096_mul_avx2_64
+.p2align	4
+_sp_4096_mul_avx2_64:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        subq	$1576, %rsp
+        movq	%rdi, 1536(%rsp)
+        movq	%rsi, 1544(%rsp)
+        movq	%rdx, 1552(%rsp)
+        leaq	1024(%rsp), %r10
+        leaq	256(%rsi), %r12
+        # Add
+        movq	(%rsi), %rax
+        xorq	%r13, %r13
+        addq	(%r12), %rax
+        movq	8(%rsi), %rcx
+        movq	%rax, (%r10)
+        adcq	8(%r12), %rcx
+        movq	16(%rsi), %r8
+        movq	%rcx, 8(%r10)
+        adcq	16(%r12), %r8
+        movq	24(%rsi), %rax
+        movq	%r8, 16(%r10)
+        adcq	24(%r12), %rax
+        movq	32(%rsi), %rcx
+        movq	%rax, 24(%r10)
+        adcq	32(%r12), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%r10)
+        adcq	40(%r12), %r8
+        movq	48(%rsi), %rax
+        movq	%r8, 40(%r10)
+        adcq	48(%r12), %rax
+        movq	56(%rsi), %rcx
+        movq	%rax, 48(%r10)
+        adcq	56(%r12), %rcx
+        movq	64(%rsi), %r8
+        movq	%rcx, 56(%r10)
+        adcq	64(%r12), %r8
+        movq	72(%rsi), %rax
+        movq	%r8, 64(%r10)
+        adcq	72(%r12), %rax
+        movq	80(%rsi), %rcx
+        movq	%rax, 72(%r10)
+        adcq	80(%r12), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%r10)
+        adcq	88(%r12), %r8
+        movq	96(%rsi), %rax
+        movq	%r8, 88(%r10)
+        adcq	96(%r12), %rax
+        movq	104(%rsi), %rcx
+        movq	%rax, 96(%r10)
+        adcq	104(%r12), %rcx
+        movq	112(%rsi), %r8
+        movq	%rcx, 104(%r10)
+        adcq	112(%r12), %r8
+        movq	120(%rsi), %rax
+        movq	%r8, 112(%r10)
+        adcq	120(%r12), %rax
+        movq	128(%rsi), %rcx
+        movq	%rax, 120(%r10)
+        adcq	128(%r12), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%r10)
+        adcq	136(%r12), %r8
+        movq	144(%rsi), %rax
+        movq	%r8, 136(%r10)
+        adcq	144(%r12), %rax
+        movq	152(%rsi), %rcx
+        movq	%rax, 144(%r10)
+        adcq	152(%r12), %rcx
+        movq	160(%rsi), %r8
+        movq	%rcx, 152(%r10)
+        adcq	160(%r12), %r8
+        movq	168(%rsi), %rax
+        movq	%r8, 160(%r10)
+        adcq	168(%r12), %rax
+        movq	176(%rsi), %rcx
+        movq	%rax, 168(%r10)
+        adcq	176(%r12), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%r10)
+        adcq	184(%r12), %r8
+        movq	192(%rsi), %rax
+        movq	%r8, 184(%r10)
+        adcq	192(%r12), %rax
+        movq	200(%rsi), %rcx
+        movq	%rax, 192(%r10)
+        adcq	200(%r12), %rcx
+        movq	208(%rsi), %r8
+        movq	%rcx, 200(%r10)
+        adcq	208(%r12), %r8
+        movq	216(%rsi), %rax
+        movq	%r8, 208(%r10)
+        adcq	216(%r12), %rax
+        movq	224(%rsi), %rcx
+        movq	%rax, 216(%r10)
+        adcq	224(%r12), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%r10)
+        adcq	232(%r12), %r8
+        movq	240(%rsi), %rax
+        movq	%r8, 232(%r10)
+        adcq	240(%r12), %rax
+        movq	248(%rsi), %rcx
+        movq	%rax, 240(%r10)
+        adcq	248(%r12), %rcx
+        movq	%rcx, 248(%r10)
+        adcq	$0, %r13
+        movq	%r13, 1560(%rsp)
+        leaq	1280(%rsp), %r11
+        leaq	256(%rdx), %r12
+        # Add
+        movq	(%rdx), %rax
+        xorq	%r14, %r14
+        addq	(%r12), %rax
+        movq	8(%rdx), %rcx
+        movq	%rax, (%r11)
+        adcq	8(%r12), %rcx
+        movq	16(%rdx), %r8
+        movq	%rcx, 8(%r11)
+        adcq	16(%r12), %r8
+        movq	24(%rdx), %rax
+        movq	%r8, 16(%r11)
+        adcq	24(%r12), %rax
+        movq	32(%rdx), %rcx
+        movq	%rax, 24(%r11)
+        adcq	32(%r12), %rcx
+        movq	40(%rdx), %r8
+        movq	%rcx, 32(%r11)
+        adcq	40(%r12), %r8
+        movq	48(%rdx), %rax
+        movq	%r8, 40(%r11)
+        adcq	48(%r12), %rax
+        movq	56(%rdx), %rcx
+        movq	%rax, 48(%r11)
+        adcq	56(%r12), %rcx
+        movq	64(%rdx), %r8
+        movq	%rcx, 56(%r11)
+        adcq	64(%r12), %r8
+        movq	72(%rdx), %rax
+        movq	%r8, 64(%r11)
+        adcq	72(%r12), %rax
+        movq	80(%rdx), %rcx
+        movq	%rax, 72(%r11)
+        adcq	80(%r12), %rcx
+        movq	88(%rdx), %r8
+        movq	%rcx, 80(%r11)
+        adcq	88(%r12), %r8
+        movq	96(%rdx), %rax
+        movq	%r8, 88(%r11)
+        adcq	96(%r12), %rax
+        movq	104(%rdx), %rcx
+        movq	%rax, 96(%r11)
+        adcq	104(%r12), %rcx
+        movq	112(%rdx), %r8
+        movq	%rcx, 104(%r11)
+        adcq	112(%r12), %r8
+        movq	120(%rdx), %rax
+        movq	%r8, 112(%r11)
+        adcq	120(%r12), %rax
+        movq	128(%rdx), %rcx
+        movq	%rax, 120(%r11)
+        adcq	128(%r12), %rcx
+        movq	136(%rdx), %r8
+        movq	%rcx, 128(%r11)
+        adcq	136(%r12), %r8
+        movq	144(%rdx), %rax
+        movq	%r8, 136(%r11)
+        adcq	144(%r12), %rax
+        movq	152(%rdx), %rcx
+        movq	%rax, 144(%r11)
+        adcq	152(%r12), %rcx
+        movq	160(%rdx), %r8
+        movq	%rcx, 152(%r11)
+        adcq	160(%r12), %r8
+        movq	168(%rdx), %rax
+        movq	%r8, 160(%r11)
+        adcq	168(%r12), %rax
+        movq	176(%rdx), %rcx
+        movq	%rax, 168(%r11)
+        adcq	176(%r12), %rcx
+        movq	184(%rdx), %r8
+        movq	%rcx, 176(%r11)
+        adcq	184(%r12), %r8
+        movq	192(%rdx), %rax
+        movq	%r8, 184(%r11)
+        adcq	192(%r12), %rax
+        movq	200(%rdx), %rcx
+        movq	%rax, 192(%r11)
+        adcq	200(%r12), %rcx
+        movq	208(%rdx), %r8
+        movq	%rcx, 200(%r11)
+        adcq	208(%r12), %r8
+        movq	216(%rdx), %rax
+        movq	%r8, 208(%r11)
+        adcq	216(%r12), %rax
+        movq	224(%rdx), %rcx
+        movq	%rax, 216(%r11)
+        adcq	224(%r12), %rcx
+        movq	232(%rdx), %r8
+        movq	%rcx, 224(%r11)
+        adcq	232(%r12), %r8
+        movq	240(%rdx), %rax
+        movq	%r8, 232(%r11)
+        adcq	240(%r12), %rax
+        movq	248(%rdx), %rcx
+        movq	%rax, 240(%r11)
+        adcq	248(%r12), %rcx
+        movq	%rcx, 248(%r11)
+        adcq	$0, %r14
+        movq	%r14, 1568(%rsp)
+        movq	%r11, %rdx
+        movq	%r10, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_32@plt
+#else
+        callq	_sp_2048_mul_avx2_32
+#endif /* __APPLE__ */
+        movq	1552(%rsp), %rdx
+        movq	1544(%rsp), %rsi
+        leaq	512(%rsp), %rdi
+        addq	$256, %rdx
+        addq	$256, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_32@plt
+#else
+        callq	_sp_2048_mul_avx2_32
+#endif /* __APPLE__ */
+        movq	1552(%rsp), %rdx
+        movq	1544(%rsp), %rsi
+        movq	1536(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_mul_avx2_32@plt
+#else
+        callq	_sp_2048_mul_avx2_32
+#endif /* __APPLE__ */
+        movq	1560(%rsp), %r13
+        movq	1568(%rsp), %r14
+        movq	1536(%rsp), %r15
+        movq	%r13, %r9
+        leaq	1024(%rsp), %r10
+        leaq	1280(%rsp), %r11
+        andq	%r14, %r9
+        negq	%r13
+        negq	%r14
+        addq	$512, %r15
+        movq	(%r10), %rax
+        movq	(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        addq	%rcx, %rax
+        movq	8(%r10), %rcx
+        movq	8(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, (%r15)
+        adcq	%r8, %rcx
+        movq	16(%r10), %r8
+        movq	16(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 8(%r15)
+        adcq	%rax, %r8
+        movq	24(%r10), %rax
+        movq	24(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 16(%r15)
+        adcq	%rcx, %rax
+        movq	32(%r10), %rcx
+        movq	32(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 24(%r15)
+        adcq	%r8, %rcx
+        movq	40(%r10), %r8
+        movq	40(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 32(%r15)
+        adcq	%rax, %r8
+        movq	48(%r10), %rax
+        movq	48(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 40(%r15)
+        adcq	%rcx, %rax
+        movq	56(%r10), %rcx
+        movq	56(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 48(%r15)
+        adcq	%r8, %rcx
+        movq	64(%r10), %r8
+        movq	64(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 56(%r15)
+        adcq	%rax, %r8
+        movq	72(%r10), %rax
+        movq	72(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 64(%r15)
+        adcq	%rcx, %rax
+        movq	80(%r10), %rcx
+        movq	80(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 72(%r15)
+        adcq	%r8, %rcx
+        movq	88(%r10), %r8
+        movq	88(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 80(%r15)
+        adcq	%rax, %r8
+        movq	96(%r10), %rax
+        movq	96(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 88(%r15)
+        adcq	%rcx, %rax
+        movq	104(%r10), %rcx
+        movq	104(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 96(%r15)
+        adcq	%r8, %rcx
+        movq	112(%r10), %r8
+        movq	112(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 104(%r15)
+        adcq	%rax, %r8
+        movq	120(%r10), %rax
+        movq	120(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 112(%r15)
+        adcq	%rcx, %rax
+        movq	128(%r10), %rcx
+        movq	128(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 120(%r15)
+        adcq	%r8, %rcx
+        movq	136(%r10), %r8
+        movq	136(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 128(%r15)
+        adcq	%rax, %r8
+        movq	144(%r10), %rax
+        movq	144(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 136(%r15)
+        adcq	%rcx, %rax
+        movq	152(%r10), %rcx
+        movq	152(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 144(%r15)
+        adcq	%r8, %rcx
+        movq	160(%r10), %r8
+        movq	160(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 152(%r15)
+        adcq	%rax, %r8
+        movq	168(%r10), %rax
+        movq	168(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 160(%r15)
+        adcq	%rcx, %rax
+        movq	176(%r10), %rcx
+        movq	176(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 168(%r15)
+        adcq	%r8, %rcx
+        movq	184(%r10), %r8
+        movq	184(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 176(%r15)
+        adcq	%rax, %r8
+        movq	192(%r10), %rax
+        movq	192(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 184(%r15)
+        adcq	%rcx, %rax
+        movq	200(%r10), %rcx
+        movq	200(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 192(%r15)
+        adcq	%r8, %rcx
+        movq	208(%r10), %r8
+        movq	208(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 200(%r15)
+        adcq	%rax, %r8
+        movq	216(%r10), %rax
+        movq	216(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 208(%r15)
+        adcq	%rcx, %rax
+        movq	224(%r10), %rcx
+        movq	224(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 216(%r15)
+        adcq	%r8, %rcx
+        movq	232(%r10), %r8
+        movq	232(%r11), %rax
+        pextq	%r14, %r8, %r8
+        pextq	%r13, %rax, %rax
+        movq	%rcx, 224(%r15)
+        adcq	%rax, %r8
+        movq	240(%r10), %rax
+        movq	240(%r11), %rcx
+        pextq	%r14, %rax, %rax
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 232(%r15)
+        adcq	%rcx, %rax
+        movq	248(%r10), %rcx
+        movq	248(%r11), %r8
+        pextq	%r14, %rcx, %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rax, 240(%r15)
+        adcq	%r8, %rcx
+        movq	%rcx, 248(%r15)
+        adcq	$0, %r9
+        leaq	512(%rsp), %r11
+        movq	%rsp, %r10
+        movq	(%r10), %rax
+        subq	(%r11), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%r11), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%r11), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%r11), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%r11), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%r11), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%r11), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%r11), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%r11), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%r11), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%r11), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%r11), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%r11), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%r11), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%r11), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%r11), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%r11), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%r11), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%r11), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%r11), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%r11), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%r11), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%r11), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%r11), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%r11), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%r11), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%r11), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%r11), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%r11), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%r11), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%r11), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%r11), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%r11), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%r11), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%r11), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%r11), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%r11), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%r11), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%r11), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%r11), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%r11), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%r11), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%r11), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%r11), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%r11), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%r11), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%r11), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%r11), %r8
+        movq	384(%r10), %rax
+        movq	%r8, 376(%r10)
+        sbbq	384(%r11), %rax
+        movq	392(%r10), %rcx
+        movq	%rax, 384(%r10)
+        sbbq	392(%r11), %rcx
+        movq	400(%r10), %r8
+        movq	%rcx, 392(%r10)
+        sbbq	400(%r11), %r8
+        movq	408(%r10), %rax
+        movq	%r8, 400(%r10)
+        sbbq	408(%r11), %rax
+        movq	416(%r10), %rcx
+        movq	%rax, 408(%r10)
+        sbbq	416(%r11), %rcx
+        movq	424(%r10), %r8
+        movq	%rcx, 416(%r10)
+        sbbq	424(%r11), %r8
+        movq	432(%r10), %rax
+        movq	%r8, 424(%r10)
+        sbbq	432(%r11), %rax
+        movq	440(%r10), %rcx
+        movq	%rax, 432(%r10)
+        sbbq	440(%r11), %rcx
+        movq	448(%r10), %r8
+        movq	%rcx, 440(%r10)
+        sbbq	448(%r11), %r8
+        movq	456(%r10), %rax
+        movq	%r8, 448(%r10)
+        sbbq	456(%r11), %rax
+        movq	464(%r10), %rcx
+        movq	%rax, 456(%r10)
+        sbbq	464(%r11), %rcx
+        movq	472(%r10), %r8
+        movq	%rcx, 464(%r10)
+        sbbq	472(%r11), %r8
+        movq	480(%r10), %rax
+        movq	%r8, 472(%r10)
+        sbbq	480(%r11), %rax
+        movq	488(%r10), %rcx
+        movq	%rax, 480(%r10)
+        sbbq	488(%r11), %rcx
+        movq	496(%r10), %r8
+        movq	%rcx, 488(%r10)
+        sbbq	496(%r11), %r8
+        movq	504(%r10), %rax
+        movq	%r8, 496(%r10)
+        sbbq	504(%r11), %rax
+        movq	%rax, 504(%r10)
+        sbbq	$0, %r9
+        movq	(%r10), %rax
+        subq	(%rdi), %rax
+        movq	8(%r10), %rcx
+        movq	%rax, (%r10)
+        sbbq	8(%rdi), %rcx
+        movq	16(%r10), %r8
+        movq	%rcx, 8(%r10)
+        sbbq	16(%rdi), %r8
+        movq	24(%r10), %rax
+        movq	%r8, 16(%r10)
+        sbbq	24(%rdi), %rax
+        movq	32(%r10), %rcx
+        movq	%rax, 24(%r10)
+        sbbq	32(%rdi), %rcx
+        movq	40(%r10), %r8
+        movq	%rcx, 32(%r10)
+        sbbq	40(%rdi), %r8
+        movq	48(%r10), %rax
+        movq	%r8, 40(%r10)
+        sbbq	48(%rdi), %rax
+        movq	56(%r10), %rcx
+        movq	%rax, 48(%r10)
+        sbbq	56(%rdi), %rcx
+        movq	64(%r10), %r8
+        movq	%rcx, 56(%r10)
+        sbbq	64(%rdi), %r8
+        movq	72(%r10), %rax
+        movq	%r8, 64(%r10)
+        sbbq	72(%rdi), %rax
+        movq	80(%r10), %rcx
+        movq	%rax, 72(%r10)
+        sbbq	80(%rdi), %rcx
+        movq	88(%r10), %r8
+        movq	%rcx, 80(%r10)
+        sbbq	88(%rdi), %r8
+        movq	96(%r10), %rax
+        movq	%r8, 88(%r10)
+        sbbq	96(%rdi), %rax
+        movq	104(%r10), %rcx
+        movq	%rax, 96(%r10)
+        sbbq	104(%rdi), %rcx
+        movq	112(%r10), %r8
+        movq	%rcx, 104(%r10)
+        sbbq	112(%rdi), %r8
+        movq	120(%r10), %rax
+        movq	%r8, 112(%r10)
+        sbbq	120(%rdi), %rax
+        movq	128(%r10), %rcx
+        movq	%rax, 120(%r10)
+        sbbq	128(%rdi), %rcx
+        movq	136(%r10), %r8
+        movq	%rcx, 128(%r10)
+        sbbq	136(%rdi), %r8
+        movq	144(%r10), %rax
+        movq	%r8, 136(%r10)
+        sbbq	144(%rdi), %rax
+        movq	152(%r10), %rcx
+        movq	%rax, 144(%r10)
+        sbbq	152(%rdi), %rcx
+        movq	160(%r10), %r8
+        movq	%rcx, 152(%r10)
+        sbbq	160(%rdi), %r8
+        movq	168(%r10), %rax
+        movq	%r8, 160(%r10)
+        sbbq	168(%rdi), %rax
+        movq	176(%r10), %rcx
+        movq	%rax, 168(%r10)
+        sbbq	176(%rdi), %rcx
+        movq	184(%r10), %r8
+        movq	%rcx, 176(%r10)
+        sbbq	184(%rdi), %r8
+        movq	192(%r10), %rax
+        movq	%r8, 184(%r10)
+        sbbq	192(%rdi), %rax
+        movq	200(%r10), %rcx
+        movq	%rax, 192(%r10)
+        sbbq	200(%rdi), %rcx
+        movq	208(%r10), %r8
+        movq	%rcx, 200(%r10)
+        sbbq	208(%rdi), %r8
+        movq	216(%r10), %rax
+        movq	%r8, 208(%r10)
+        sbbq	216(%rdi), %rax
+        movq	224(%r10), %rcx
+        movq	%rax, 216(%r10)
+        sbbq	224(%rdi), %rcx
+        movq	232(%r10), %r8
+        movq	%rcx, 224(%r10)
+        sbbq	232(%rdi), %r8
+        movq	240(%r10), %rax
+        movq	%r8, 232(%r10)
+        sbbq	240(%rdi), %rax
+        movq	248(%r10), %rcx
+        movq	%rax, 240(%r10)
+        sbbq	248(%rdi), %rcx
+        movq	256(%r10), %r8
+        movq	%rcx, 248(%r10)
+        sbbq	256(%rdi), %r8
+        movq	264(%r10), %rax
+        movq	%r8, 256(%r10)
+        sbbq	264(%rdi), %rax
+        movq	272(%r10), %rcx
+        movq	%rax, 264(%r10)
+        sbbq	272(%rdi), %rcx
+        movq	280(%r10), %r8
+        movq	%rcx, 272(%r10)
+        sbbq	280(%rdi), %r8
+        movq	288(%r10), %rax
+        movq	%r8, 280(%r10)
+        sbbq	288(%rdi), %rax
+        movq	296(%r10), %rcx
+        movq	%rax, 288(%r10)
+        sbbq	296(%rdi), %rcx
+        movq	304(%r10), %r8
+        movq	%rcx, 296(%r10)
+        sbbq	304(%rdi), %r8
+        movq	312(%r10), %rax
+        movq	%r8, 304(%r10)
+        sbbq	312(%rdi), %rax
+        movq	320(%r10), %rcx
+        movq	%rax, 312(%r10)
+        sbbq	320(%rdi), %rcx
+        movq	328(%r10), %r8
+        movq	%rcx, 320(%r10)
+        sbbq	328(%rdi), %r8
+        movq	336(%r10), %rax
+        movq	%r8, 328(%r10)
+        sbbq	336(%rdi), %rax
+        movq	344(%r10), %rcx
+        movq	%rax, 336(%r10)
+        sbbq	344(%rdi), %rcx
+        movq	352(%r10), %r8
+        movq	%rcx, 344(%r10)
+        sbbq	352(%rdi), %r8
+        movq	360(%r10), %rax
+        movq	%r8, 352(%r10)
+        sbbq	360(%rdi), %rax
+        movq	368(%r10), %rcx
+        movq	%rax, 360(%r10)
+        sbbq	368(%rdi), %rcx
+        movq	376(%r10), %r8
+        movq	%rcx, 368(%r10)
+        sbbq	376(%rdi), %r8
+        movq	384(%r10), %rax
+        movq	%r8, 376(%r10)
+        sbbq	384(%rdi), %rax
+        movq	392(%r10), %rcx
+        movq	%rax, 384(%r10)
+        sbbq	392(%rdi), %rcx
+        movq	400(%r10), %r8
+        movq	%rcx, 392(%r10)
+        sbbq	400(%rdi), %r8
+        movq	408(%r10), %rax
+        movq	%r8, 400(%r10)
+        sbbq	408(%rdi), %rax
+        movq	416(%r10), %rcx
+        movq	%rax, 408(%r10)
+        sbbq	416(%rdi), %rcx
+        movq	424(%r10), %r8
+        movq	%rcx, 416(%r10)
+        sbbq	424(%rdi), %r8
+        movq	432(%r10), %rax
+        movq	%r8, 424(%r10)
+        sbbq	432(%rdi), %rax
+        movq	440(%r10), %rcx
+        movq	%rax, 432(%r10)
+        sbbq	440(%rdi), %rcx
+        movq	448(%r10), %r8
+        movq	%rcx, 440(%r10)
+        sbbq	448(%rdi), %r8
+        movq	456(%r10), %rax
+        movq	%r8, 448(%r10)
+        sbbq	456(%rdi), %rax
+        movq	464(%r10), %rcx
+        movq	%rax, 456(%r10)
+        sbbq	464(%rdi), %rcx
+        movq	472(%r10), %r8
+        movq	%rcx, 464(%r10)
+        sbbq	472(%rdi), %r8
+        movq	480(%r10), %rax
+        movq	%r8, 472(%r10)
+        sbbq	480(%rdi), %rax
+        movq	488(%r10), %rcx
+        movq	%rax, 480(%r10)
+        sbbq	488(%rdi), %rcx
+        movq	496(%r10), %r8
+        movq	%rcx, 488(%r10)
+        sbbq	496(%rdi), %r8
+        movq	504(%r10), %rax
+        movq	%r8, 496(%r10)
+        sbbq	504(%rdi), %rax
+        movq	%rax, 504(%r10)
+        sbbq	$0, %r9
+        subq	$256, %r15
+        # Add
+        movq	(%r15), %rax
+        addq	(%r10), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r10), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r10), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r10), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r10), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r10), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r10), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r10), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r10), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r10), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r10), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r10), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r10), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r10), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r10), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r10), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r10), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r10), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r10), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r10), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r10), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r10), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r10), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r10), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r10), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r10), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r10), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r10), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r10), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r10), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r10), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r10), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r10), %r8
+        movq	264(%r15), %rax
+        movq	%r8, 256(%r15)
+        adcq	264(%r10), %rax
+        movq	272(%r15), %rcx
+        movq	%rax, 264(%r15)
+        adcq	272(%r10), %rcx
+        movq	280(%r15), %r8
+        movq	%rcx, 272(%r15)
+        adcq	280(%r10), %r8
+        movq	288(%r15), %rax
+        movq	%r8, 280(%r15)
+        adcq	288(%r10), %rax
+        movq	296(%r15), %rcx
+        movq	%rax, 288(%r15)
+        adcq	296(%r10), %rcx
+        movq	304(%r15), %r8
+        movq	%rcx, 296(%r15)
+        adcq	304(%r10), %r8
+        movq	312(%r15), %rax
+        movq	%r8, 304(%r15)
+        adcq	312(%r10), %rax
+        movq	320(%r15), %rcx
+        movq	%rax, 312(%r15)
+        adcq	320(%r10), %rcx
+        movq	328(%r15), %r8
+        movq	%rcx, 320(%r15)
+        adcq	328(%r10), %r8
+        movq	336(%r15), %rax
+        movq	%r8, 328(%r15)
+        adcq	336(%r10), %rax
+        movq	344(%r15), %rcx
+        movq	%rax, 336(%r15)
+        adcq	344(%r10), %rcx
+        movq	352(%r15), %r8
+        movq	%rcx, 344(%r15)
+        adcq	352(%r10), %r8
+        movq	360(%r15), %rax
+        movq	%r8, 352(%r15)
+        adcq	360(%r10), %rax
+        movq	368(%r15), %rcx
+        movq	%rax, 360(%r15)
+        adcq	368(%r10), %rcx
+        movq	376(%r15), %r8
+        movq	%rcx, 368(%r15)
+        adcq	376(%r10), %r8
+        movq	384(%r15), %rax
+        movq	%r8, 376(%r15)
+        adcq	384(%r10), %rax
+        movq	392(%r15), %rcx
+        movq	%rax, 384(%r15)
+        adcq	392(%r10), %rcx
+        movq	400(%r15), %r8
+        movq	%rcx, 392(%r15)
+        adcq	400(%r10), %r8
+        movq	408(%r15), %rax
+        movq	%r8, 400(%r15)
+        adcq	408(%r10), %rax
+        movq	416(%r15), %rcx
+        movq	%rax, 408(%r15)
+        adcq	416(%r10), %rcx
+        movq	424(%r15), %r8
+        movq	%rcx, 416(%r15)
+        adcq	424(%r10), %r8
+        movq	432(%r15), %rax
+        movq	%r8, 424(%r15)
+        adcq	432(%r10), %rax
+        movq	440(%r15), %rcx
+        movq	%rax, 432(%r15)
+        adcq	440(%r10), %rcx
+        movq	448(%r15), %r8
+        movq	%rcx, 440(%r15)
+        adcq	448(%r10), %r8
+        movq	456(%r15), %rax
+        movq	%r8, 448(%r15)
+        adcq	456(%r10), %rax
+        movq	464(%r15), %rcx
+        movq	%rax, 456(%r15)
+        adcq	464(%r10), %rcx
+        movq	472(%r15), %r8
+        movq	%rcx, 464(%r15)
+        adcq	472(%r10), %r8
+        movq	480(%r15), %rax
+        movq	%r8, 472(%r15)
+        adcq	480(%r10), %rax
+        movq	488(%r15), %rcx
+        movq	%rax, 480(%r15)
+        adcq	488(%r10), %rcx
+        movq	496(%r15), %r8
+        movq	%rcx, 488(%r15)
+        adcq	496(%r10), %r8
+        movq	504(%r15), %rax
+        movq	%r8, 496(%r15)
+        adcq	504(%r10), %rax
+        movq	%rax, 504(%r15)
+        adcq	$0, %r9
+        movq	%r9, 768(%rdi)
+        addq	$256, %r15
+        # Add
+        movq	(%r15), %rax
+        xorq	%r9, %r9
+        addq	(%r11), %rax
+        movq	8(%r15), %rcx
+        movq	%rax, (%r15)
+        adcq	8(%r11), %rcx
+        movq	16(%r15), %r8
+        movq	%rcx, 8(%r15)
+        adcq	16(%r11), %r8
+        movq	24(%r15), %rax
+        movq	%r8, 16(%r15)
+        adcq	24(%r11), %rax
+        movq	32(%r15), %rcx
+        movq	%rax, 24(%r15)
+        adcq	32(%r11), %rcx
+        movq	40(%r15), %r8
+        movq	%rcx, 32(%r15)
+        adcq	40(%r11), %r8
+        movq	48(%r15), %rax
+        movq	%r8, 40(%r15)
+        adcq	48(%r11), %rax
+        movq	56(%r15), %rcx
+        movq	%rax, 48(%r15)
+        adcq	56(%r11), %rcx
+        movq	64(%r15), %r8
+        movq	%rcx, 56(%r15)
+        adcq	64(%r11), %r8
+        movq	72(%r15), %rax
+        movq	%r8, 64(%r15)
+        adcq	72(%r11), %rax
+        movq	80(%r15), %rcx
+        movq	%rax, 72(%r15)
+        adcq	80(%r11), %rcx
+        movq	88(%r15), %r8
+        movq	%rcx, 80(%r15)
+        adcq	88(%r11), %r8
+        movq	96(%r15), %rax
+        movq	%r8, 88(%r15)
+        adcq	96(%r11), %rax
+        movq	104(%r15), %rcx
+        movq	%rax, 96(%r15)
+        adcq	104(%r11), %rcx
+        movq	112(%r15), %r8
+        movq	%rcx, 104(%r15)
+        adcq	112(%r11), %r8
+        movq	120(%r15), %rax
+        movq	%r8, 112(%r15)
+        adcq	120(%r11), %rax
+        movq	128(%r15), %rcx
+        movq	%rax, 120(%r15)
+        adcq	128(%r11), %rcx
+        movq	136(%r15), %r8
+        movq	%rcx, 128(%r15)
+        adcq	136(%r11), %r8
+        movq	144(%r15), %rax
+        movq	%r8, 136(%r15)
+        adcq	144(%r11), %rax
+        movq	152(%r15), %rcx
+        movq	%rax, 144(%r15)
+        adcq	152(%r11), %rcx
+        movq	160(%r15), %r8
+        movq	%rcx, 152(%r15)
+        adcq	160(%r11), %r8
+        movq	168(%r15), %rax
+        movq	%r8, 160(%r15)
+        adcq	168(%r11), %rax
+        movq	176(%r15), %rcx
+        movq	%rax, 168(%r15)
+        adcq	176(%r11), %rcx
+        movq	184(%r15), %r8
+        movq	%rcx, 176(%r15)
+        adcq	184(%r11), %r8
+        movq	192(%r15), %rax
+        movq	%r8, 184(%r15)
+        adcq	192(%r11), %rax
+        movq	200(%r15), %rcx
+        movq	%rax, 192(%r15)
+        adcq	200(%r11), %rcx
+        movq	208(%r15), %r8
+        movq	%rcx, 200(%r15)
+        adcq	208(%r11), %r8
+        movq	216(%r15), %rax
+        movq	%r8, 208(%r15)
+        adcq	216(%r11), %rax
+        movq	224(%r15), %rcx
+        movq	%rax, 216(%r15)
+        adcq	224(%r11), %rcx
+        movq	232(%r15), %r8
+        movq	%rcx, 224(%r15)
+        adcq	232(%r11), %r8
+        movq	240(%r15), %rax
+        movq	%r8, 232(%r15)
+        adcq	240(%r11), %rax
+        movq	248(%r15), %rcx
+        movq	%rax, 240(%r15)
+        adcq	248(%r11), %rcx
+        movq	256(%r15), %r8
+        movq	%rcx, 248(%r15)
+        adcq	256(%r11), %r8
+        movq	%r8, 256(%r15)
+        adcq	$0, %r9
+        # Add to zero
+        movq	264(%r11), %rax
+        adcq	$0, %rax
+        movq	272(%r11), %rcx
+        movq	%rax, 264(%r15)
+        adcq	$0, %rcx
+        movq	280(%r11), %r8
+        movq	%rcx, 272(%r15)
+        adcq	$0, %r8
+        movq	288(%r11), %rax
+        movq	%r8, 280(%r15)
+        adcq	$0, %rax
+        movq	296(%r11), %rcx
+        movq	%rax, 288(%r15)
+        adcq	$0, %rcx
+        movq	304(%r11), %r8
+        movq	%rcx, 296(%r15)
+        adcq	$0, %r8
+        movq	312(%r11), %rax
+        movq	%r8, 304(%r15)
+        adcq	$0, %rax
+        movq	320(%r11), %rcx
+        movq	%rax, 312(%r15)
+        adcq	$0, %rcx
+        movq	328(%r11), %r8
+        movq	%rcx, 320(%r15)
+        adcq	$0, %r8
+        movq	336(%r11), %rax
+        movq	%r8, 328(%r15)
+        adcq	$0, %rax
+        movq	344(%r11), %rcx
+        movq	%rax, 336(%r15)
+        adcq	$0, %rcx
+        movq	352(%r11), %r8
+        movq	%rcx, 344(%r15)
+        adcq	$0, %r8
+        movq	360(%r11), %rax
+        movq	%r8, 352(%r15)
+        adcq	$0, %rax
+        movq	368(%r11), %rcx
+        movq	%rax, 360(%r15)
+        adcq	$0, %rcx
+        movq	376(%r11), %r8
+        movq	%rcx, 368(%r15)
+        adcq	$0, %r8
+        movq	384(%r11), %rax
+        movq	%r8, 376(%r15)
+        adcq	$0, %rax
+        movq	392(%r11), %rcx
+        movq	%rax, 384(%r15)
+        adcq	$0, %rcx
+        movq	400(%r11), %r8
+        movq	%rcx, 392(%r15)
+        adcq	$0, %r8
+        movq	408(%r11), %rax
+        movq	%r8, 400(%r15)
+        adcq	$0, %rax
+        movq	416(%r11), %rcx
+        movq	%rax, 408(%r15)
+        adcq	$0, %rcx
+        movq	424(%r11), %r8
+        movq	%rcx, 416(%r15)
+        adcq	$0, %r8
+        movq	432(%r11), %rax
+        movq	%r8, 424(%r15)
+        adcq	$0, %rax
+        movq	440(%r11), %rcx
+        movq	%rax, 432(%r15)
+        adcq	$0, %rcx
+        movq	448(%r11), %r8
+        movq	%rcx, 440(%r15)
+        adcq	$0, %r8
+        movq	456(%r11), %rax
+        movq	%r8, 448(%r15)
+        adcq	$0, %rax
+        movq	464(%r11), %rcx
+        movq	%rax, 456(%r15)
+        adcq	$0, %rcx
+        movq	472(%r11), %r8
+        movq	%rcx, 464(%r15)
+        adcq	$0, %r8
+        movq	480(%r11), %rax
+        movq	%r8, 472(%r15)
+        adcq	$0, %rax
+        movq	488(%r11), %rcx
+        movq	%rax, 480(%r15)
+        adcq	$0, %rcx
+        movq	496(%r11), %r8
+        movq	%rcx, 488(%r15)
+        adcq	$0, %r8
+        movq	504(%r11), %rax
+        movq	%r8, 496(%r15)
+        adcq	$0, %rax
+        movq	%rax, 504(%r15)
+        addq	$1576, %rsp
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mul_avx2_64,.-sp_4096_mul_avx2_64
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_sqr_avx2_64
+.type	sp_4096_sqr_avx2_64,@function
+.align	16
+sp_4096_sqr_avx2_64:
+#else
+.globl	_sp_4096_sqr_avx2_64
+.p2align	4
+_sp_4096_sqr_avx2_64:
+#endif /* __APPLE__ */
+        subq	$1304, %rsp
+        movq	%rdi, 1280(%rsp)
+        movq	%rsi, 1288(%rsp)
+        leaq	1024(%rsp), %r8
+        leaq	256(%rsi), %r9
+        # Add
+        movq	(%rsi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%r9), %rdx
+        movq	8(%rsi), %rax
+        movq	%rdx, (%r8)
+        adcq	8(%r9), %rax
+        movq	16(%rsi), %rdx
+        movq	%rax, 8(%r8)
+        adcq	16(%r9), %rdx
+        movq	24(%rsi), %rax
+        movq	%rdx, 16(%r8)
+        adcq	24(%r9), %rax
+        movq	32(%rsi), %rdx
+        movq	%rax, 24(%r8)
+        adcq	32(%r9), %rdx
+        movq	40(%rsi), %rax
+        movq	%rdx, 32(%r8)
+        adcq	40(%r9), %rax
+        movq	48(%rsi), %rdx
+        movq	%rax, 40(%r8)
+        adcq	48(%r9), %rdx
+        movq	56(%rsi), %rax
+        movq	%rdx, 48(%r8)
+        adcq	56(%r9), %rax
+        movq	64(%rsi), %rdx
+        movq	%rax, 56(%r8)
+        adcq	64(%r9), %rdx
+        movq	72(%rsi), %rax
+        movq	%rdx, 64(%r8)
+        adcq	72(%r9), %rax
+        movq	80(%rsi), %rdx
+        movq	%rax, 72(%r8)
+        adcq	80(%r9), %rdx
+        movq	88(%rsi), %rax
+        movq	%rdx, 80(%r8)
+        adcq	88(%r9), %rax
+        movq	96(%rsi), %rdx
+        movq	%rax, 88(%r8)
+        adcq	96(%r9), %rdx
+        movq	104(%rsi), %rax
+        movq	%rdx, 96(%r8)
+        adcq	104(%r9), %rax
+        movq	112(%rsi), %rdx
+        movq	%rax, 104(%r8)
+        adcq	112(%r9), %rdx
+        movq	120(%rsi), %rax
+        movq	%rdx, 112(%r8)
+        adcq	120(%r9), %rax
+        movq	128(%rsi), %rdx
+        movq	%rax, 120(%r8)
+        adcq	128(%r9), %rdx
+        movq	136(%rsi), %rax
+        movq	%rdx, 128(%r8)
+        adcq	136(%r9), %rax
+        movq	144(%rsi), %rdx
+        movq	%rax, 136(%r8)
+        adcq	144(%r9), %rdx
+        movq	152(%rsi), %rax
+        movq	%rdx, 144(%r8)
+        adcq	152(%r9), %rax
+        movq	160(%rsi), %rdx
+        movq	%rax, 152(%r8)
+        adcq	160(%r9), %rdx
+        movq	168(%rsi), %rax
+        movq	%rdx, 160(%r8)
+        adcq	168(%r9), %rax
+        movq	176(%rsi), %rdx
+        movq	%rax, 168(%r8)
+        adcq	176(%r9), %rdx
+        movq	184(%rsi), %rax
+        movq	%rdx, 176(%r8)
+        adcq	184(%r9), %rax
+        movq	192(%rsi), %rdx
+        movq	%rax, 184(%r8)
+        adcq	192(%r9), %rdx
+        movq	200(%rsi), %rax
+        movq	%rdx, 192(%r8)
+        adcq	200(%r9), %rax
+        movq	208(%rsi), %rdx
+        movq	%rax, 200(%r8)
+        adcq	208(%r9), %rdx
+        movq	216(%rsi), %rax
+        movq	%rdx, 208(%r8)
+        adcq	216(%r9), %rax
+        movq	224(%rsi), %rdx
+        movq	%rax, 216(%r8)
+        adcq	224(%r9), %rdx
+        movq	232(%rsi), %rax
+        movq	%rdx, 224(%r8)
+        adcq	232(%r9), %rax
+        movq	240(%rsi), %rdx
+        movq	%rax, 232(%r8)
+        adcq	240(%r9), %rdx
+        movq	248(%rsi), %rax
+        movq	%rdx, 240(%r8)
+        adcq	248(%r9), %rax
+        movq	%rax, 248(%r8)
+        adcq	$0, %rcx
+        movq	%rcx, 1296(%rsp)
+        movq	%r8, %rsi
+        movq	%rsp, %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_32@plt
+#else
+        callq	_sp_2048_sqr_avx2_32
+#endif /* __APPLE__ */
+        movq	1288(%rsp), %rsi
+        leaq	512(%rsp), %rdi
+        addq	$256, %rsi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_32@plt
+#else
+        callq	_sp_2048_sqr_avx2_32
+#endif /* __APPLE__ */
+        movq	1288(%rsp), %rsi
+        movq	1280(%rsp), %rdi
+#ifndef __APPLE__
+        callq	sp_2048_sqr_avx2_32@plt
+#else
+        callq	_sp_2048_sqr_avx2_32
+#endif /* __APPLE__ */
+        movq	1296(%rsp), %r10
+        leaq	1024(%rsp), %r8
+        movq	%r10, %rcx
+        negq	%r10
+        movq	(%r8), %rdx
+        pextq	%r10, %rdx, %rdx
+        addq	%rdx, %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, 512(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 520(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 528(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 536(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 544(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 552(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 560(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 568(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 576(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 584(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 592(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 600(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 608(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 616(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 624(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 632(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 640(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 648(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 656(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 664(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 672(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 680(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 688(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 696(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 704(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 712(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 720(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 728(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 736(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 744(%rdi)
+        pextq	%r10, %rdx, %rdx
+        adcq	%rdx, %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 752(%rdi)
+        pextq	%r10, %rax, %rax
+        adcq	%rax, %rax
+        movq	%rax, 760(%rdi)
+        adcq	$0, %rcx
+        leaq	512(%rsp), %rsi
+        movq	%rsp, %r8
+        movq	(%r8), %rdx
+        subq	(%rsi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rsi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rsi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rsi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rsi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rsi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rsi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rsi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rsi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rsi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rsi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rsi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rsi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rsi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rsi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rsi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rsi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rsi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rsi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rsi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rsi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rsi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rsi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rsi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rsi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rsi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rsi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rsi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rsi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rsi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rsi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rsi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rsi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rsi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rsi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rsi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rsi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rsi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rsi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rsi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rsi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rsi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rsi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rsi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rsi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rsi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rsi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rsi), %rax
+        movq	384(%r8), %rdx
+        movq	%rax, 376(%r8)
+        sbbq	384(%rsi), %rdx
+        movq	392(%r8), %rax
+        movq	%rdx, 384(%r8)
+        sbbq	392(%rsi), %rax
+        movq	400(%r8), %rdx
+        movq	%rax, 392(%r8)
+        sbbq	400(%rsi), %rdx
+        movq	408(%r8), %rax
+        movq	%rdx, 400(%r8)
+        sbbq	408(%rsi), %rax
+        movq	416(%r8), %rdx
+        movq	%rax, 408(%r8)
+        sbbq	416(%rsi), %rdx
+        movq	424(%r8), %rax
+        movq	%rdx, 416(%r8)
+        sbbq	424(%rsi), %rax
+        movq	432(%r8), %rdx
+        movq	%rax, 424(%r8)
+        sbbq	432(%rsi), %rdx
+        movq	440(%r8), %rax
+        movq	%rdx, 432(%r8)
+        sbbq	440(%rsi), %rax
+        movq	448(%r8), %rdx
+        movq	%rax, 440(%r8)
+        sbbq	448(%rsi), %rdx
+        movq	456(%r8), %rax
+        movq	%rdx, 448(%r8)
+        sbbq	456(%rsi), %rax
+        movq	464(%r8), %rdx
+        movq	%rax, 456(%r8)
+        sbbq	464(%rsi), %rdx
+        movq	472(%r8), %rax
+        movq	%rdx, 464(%r8)
+        sbbq	472(%rsi), %rax
+        movq	480(%r8), %rdx
+        movq	%rax, 472(%r8)
+        sbbq	480(%rsi), %rdx
+        movq	488(%r8), %rax
+        movq	%rdx, 480(%r8)
+        sbbq	488(%rsi), %rax
+        movq	496(%r8), %rdx
+        movq	%rax, 488(%r8)
+        sbbq	496(%rsi), %rdx
+        movq	504(%r8), %rax
+        movq	%rdx, 496(%r8)
+        sbbq	504(%rsi), %rax
+        movq	%rax, 504(%r8)
+        sbbq	$0, %rcx
+        movq	(%r8), %rdx
+        subq	(%rdi), %rdx
+        movq	8(%r8), %rax
+        movq	%rdx, (%r8)
+        sbbq	8(%rdi), %rax
+        movq	16(%r8), %rdx
+        movq	%rax, 8(%r8)
+        sbbq	16(%rdi), %rdx
+        movq	24(%r8), %rax
+        movq	%rdx, 16(%r8)
+        sbbq	24(%rdi), %rax
+        movq	32(%r8), %rdx
+        movq	%rax, 24(%r8)
+        sbbq	32(%rdi), %rdx
+        movq	40(%r8), %rax
+        movq	%rdx, 32(%r8)
+        sbbq	40(%rdi), %rax
+        movq	48(%r8), %rdx
+        movq	%rax, 40(%r8)
+        sbbq	48(%rdi), %rdx
+        movq	56(%r8), %rax
+        movq	%rdx, 48(%r8)
+        sbbq	56(%rdi), %rax
+        movq	64(%r8), %rdx
+        movq	%rax, 56(%r8)
+        sbbq	64(%rdi), %rdx
+        movq	72(%r8), %rax
+        movq	%rdx, 64(%r8)
+        sbbq	72(%rdi), %rax
+        movq	80(%r8), %rdx
+        movq	%rax, 72(%r8)
+        sbbq	80(%rdi), %rdx
+        movq	88(%r8), %rax
+        movq	%rdx, 80(%r8)
+        sbbq	88(%rdi), %rax
+        movq	96(%r8), %rdx
+        movq	%rax, 88(%r8)
+        sbbq	96(%rdi), %rdx
+        movq	104(%r8), %rax
+        movq	%rdx, 96(%r8)
+        sbbq	104(%rdi), %rax
+        movq	112(%r8), %rdx
+        movq	%rax, 104(%r8)
+        sbbq	112(%rdi), %rdx
+        movq	120(%r8), %rax
+        movq	%rdx, 112(%r8)
+        sbbq	120(%rdi), %rax
+        movq	128(%r8), %rdx
+        movq	%rax, 120(%r8)
+        sbbq	128(%rdi), %rdx
+        movq	136(%r8), %rax
+        movq	%rdx, 128(%r8)
+        sbbq	136(%rdi), %rax
+        movq	144(%r8), %rdx
+        movq	%rax, 136(%r8)
+        sbbq	144(%rdi), %rdx
+        movq	152(%r8), %rax
+        movq	%rdx, 144(%r8)
+        sbbq	152(%rdi), %rax
+        movq	160(%r8), %rdx
+        movq	%rax, 152(%r8)
+        sbbq	160(%rdi), %rdx
+        movq	168(%r8), %rax
+        movq	%rdx, 160(%r8)
+        sbbq	168(%rdi), %rax
+        movq	176(%r8), %rdx
+        movq	%rax, 168(%r8)
+        sbbq	176(%rdi), %rdx
+        movq	184(%r8), %rax
+        movq	%rdx, 176(%r8)
+        sbbq	184(%rdi), %rax
+        movq	192(%r8), %rdx
+        movq	%rax, 184(%r8)
+        sbbq	192(%rdi), %rdx
+        movq	200(%r8), %rax
+        movq	%rdx, 192(%r8)
+        sbbq	200(%rdi), %rax
+        movq	208(%r8), %rdx
+        movq	%rax, 200(%r8)
+        sbbq	208(%rdi), %rdx
+        movq	216(%r8), %rax
+        movq	%rdx, 208(%r8)
+        sbbq	216(%rdi), %rax
+        movq	224(%r8), %rdx
+        movq	%rax, 216(%r8)
+        sbbq	224(%rdi), %rdx
+        movq	232(%r8), %rax
+        movq	%rdx, 224(%r8)
+        sbbq	232(%rdi), %rax
+        movq	240(%r8), %rdx
+        movq	%rax, 232(%r8)
+        sbbq	240(%rdi), %rdx
+        movq	248(%r8), %rax
+        movq	%rdx, 240(%r8)
+        sbbq	248(%rdi), %rax
+        movq	256(%r8), %rdx
+        movq	%rax, 248(%r8)
+        sbbq	256(%rdi), %rdx
+        movq	264(%r8), %rax
+        movq	%rdx, 256(%r8)
+        sbbq	264(%rdi), %rax
+        movq	272(%r8), %rdx
+        movq	%rax, 264(%r8)
+        sbbq	272(%rdi), %rdx
+        movq	280(%r8), %rax
+        movq	%rdx, 272(%r8)
+        sbbq	280(%rdi), %rax
+        movq	288(%r8), %rdx
+        movq	%rax, 280(%r8)
+        sbbq	288(%rdi), %rdx
+        movq	296(%r8), %rax
+        movq	%rdx, 288(%r8)
+        sbbq	296(%rdi), %rax
+        movq	304(%r8), %rdx
+        movq	%rax, 296(%r8)
+        sbbq	304(%rdi), %rdx
+        movq	312(%r8), %rax
+        movq	%rdx, 304(%r8)
+        sbbq	312(%rdi), %rax
+        movq	320(%r8), %rdx
+        movq	%rax, 312(%r8)
+        sbbq	320(%rdi), %rdx
+        movq	328(%r8), %rax
+        movq	%rdx, 320(%r8)
+        sbbq	328(%rdi), %rax
+        movq	336(%r8), %rdx
+        movq	%rax, 328(%r8)
+        sbbq	336(%rdi), %rdx
+        movq	344(%r8), %rax
+        movq	%rdx, 336(%r8)
+        sbbq	344(%rdi), %rax
+        movq	352(%r8), %rdx
+        movq	%rax, 344(%r8)
+        sbbq	352(%rdi), %rdx
+        movq	360(%r8), %rax
+        movq	%rdx, 352(%r8)
+        sbbq	360(%rdi), %rax
+        movq	368(%r8), %rdx
+        movq	%rax, 360(%r8)
+        sbbq	368(%rdi), %rdx
+        movq	376(%r8), %rax
+        movq	%rdx, 368(%r8)
+        sbbq	376(%rdi), %rax
+        movq	384(%r8), %rdx
+        movq	%rax, 376(%r8)
+        sbbq	384(%rdi), %rdx
+        movq	392(%r8), %rax
+        movq	%rdx, 384(%r8)
+        sbbq	392(%rdi), %rax
+        movq	400(%r8), %rdx
+        movq	%rax, 392(%r8)
+        sbbq	400(%rdi), %rdx
+        movq	408(%r8), %rax
+        movq	%rdx, 400(%r8)
+        sbbq	408(%rdi), %rax
+        movq	416(%r8), %rdx
+        movq	%rax, 408(%r8)
+        sbbq	416(%rdi), %rdx
+        movq	424(%r8), %rax
+        movq	%rdx, 416(%r8)
+        sbbq	424(%rdi), %rax
+        movq	432(%r8), %rdx
+        movq	%rax, 424(%r8)
+        sbbq	432(%rdi), %rdx
+        movq	440(%r8), %rax
+        movq	%rdx, 432(%r8)
+        sbbq	440(%rdi), %rax
+        movq	448(%r8), %rdx
+        movq	%rax, 440(%r8)
+        sbbq	448(%rdi), %rdx
+        movq	456(%r8), %rax
+        movq	%rdx, 448(%r8)
+        sbbq	456(%rdi), %rax
+        movq	464(%r8), %rdx
+        movq	%rax, 456(%r8)
+        sbbq	464(%rdi), %rdx
+        movq	472(%r8), %rax
+        movq	%rdx, 464(%r8)
+        sbbq	472(%rdi), %rax
+        movq	480(%r8), %rdx
+        movq	%rax, 472(%r8)
+        sbbq	480(%rdi), %rdx
+        movq	488(%r8), %rax
+        movq	%rdx, 480(%r8)
+        sbbq	488(%rdi), %rax
+        movq	496(%r8), %rdx
+        movq	%rax, 488(%r8)
+        sbbq	496(%rdi), %rdx
+        movq	504(%r8), %rax
+        movq	%rdx, 496(%r8)
+        sbbq	504(%rdi), %rax
+        movq	%rax, 504(%r8)
+        sbbq	$0, %rcx
+        # Add in place
+        movq	256(%rdi), %rdx
+        addq	(%r8), %rdx
+        movq	264(%rdi), %rax
+        movq	%rdx, 256(%rdi)
+        adcq	8(%r8), %rax
+        movq	272(%rdi), %rdx
+        movq	%rax, 264(%rdi)
+        adcq	16(%r8), %rdx
+        movq	280(%rdi), %rax
+        movq	%rdx, 272(%rdi)
+        adcq	24(%r8), %rax
+        movq	288(%rdi), %rdx
+        movq	%rax, 280(%rdi)
+        adcq	32(%r8), %rdx
+        movq	296(%rdi), %rax
+        movq	%rdx, 288(%rdi)
+        adcq	40(%r8), %rax
+        movq	304(%rdi), %rdx
+        movq	%rax, 296(%rdi)
+        adcq	48(%r8), %rdx
+        movq	312(%rdi), %rax
+        movq	%rdx, 304(%rdi)
+        adcq	56(%r8), %rax
+        movq	320(%rdi), %rdx
+        movq	%rax, 312(%rdi)
+        adcq	64(%r8), %rdx
+        movq	328(%rdi), %rax
+        movq	%rdx, 320(%rdi)
+        adcq	72(%r8), %rax
+        movq	336(%rdi), %rdx
+        movq	%rax, 328(%rdi)
+        adcq	80(%r8), %rdx
+        movq	344(%rdi), %rax
+        movq	%rdx, 336(%rdi)
+        adcq	88(%r8), %rax
+        movq	352(%rdi), %rdx
+        movq	%rax, 344(%rdi)
+        adcq	96(%r8), %rdx
+        movq	360(%rdi), %rax
+        movq	%rdx, 352(%rdi)
+        adcq	104(%r8), %rax
+        movq	368(%rdi), %rdx
+        movq	%rax, 360(%rdi)
+        adcq	112(%r8), %rdx
+        movq	376(%rdi), %rax
+        movq	%rdx, 368(%rdi)
+        adcq	120(%r8), %rax
+        movq	384(%rdi), %rdx
+        movq	%rax, 376(%rdi)
+        adcq	128(%r8), %rdx
+        movq	392(%rdi), %rax
+        movq	%rdx, 384(%rdi)
+        adcq	136(%r8), %rax
+        movq	400(%rdi), %rdx
+        movq	%rax, 392(%rdi)
+        adcq	144(%r8), %rdx
+        movq	408(%rdi), %rax
+        movq	%rdx, 400(%rdi)
+        adcq	152(%r8), %rax
+        movq	416(%rdi), %rdx
+        movq	%rax, 408(%rdi)
+        adcq	160(%r8), %rdx
+        movq	424(%rdi), %rax
+        movq	%rdx, 416(%rdi)
+        adcq	168(%r8), %rax
+        movq	432(%rdi), %rdx
+        movq	%rax, 424(%rdi)
+        adcq	176(%r8), %rdx
+        movq	440(%rdi), %rax
+        movq	%rdx, 432(%rdi)
+        adcq	184(%r8), %rax
+        movq	448(%rdi), %rdx
+        movq	%rax, 440(%rdi)
+        adcq	192(%r8), %rdx
+        movq	456(%rdi), %rax
+        movq	%rdx, 448(%rdi)
+        adcq	200(%r8), %rax
+        movq	464(%rdi), %rdx
+        movq	%rax, 456(%rdi)
+        adcq	208(%r8), %rdx
+        movq	472(%rdi), %rax
+        movq	%rdx, 464(%rdi)
+        adcq	216(%r8), %rax
+        movq	480(%rdi), %rdx
+        movq	%rax, 472(%rdi)
+        adcq	224(%r8), %rdx
+        movq	488(%rdi), %rax
+        movq	%rdx, 480(%rdi)
+        adcq	232(%r8), %rax
+        movq	496(%rdi), %rdx
+        movq	%rax, 488(%rdi)
+        adcq	240(%r8), %rdx
+        movq	504(%rdi), %rax
+        movq	%rdx, 496(%rdi)
+        adcq	248(%r8), %rax
+        movq	512(%rdi), %rdx
+        movq	%rax, 504(%rdi)
+        adcq	256(%r8), %rdx
+        movq	520(%rdi), %rax
+        movq	%rdx, 512(%rdi)
+        adcq	264(%r8), %rax
+        movq	528(%rdi), %rdx
+        movq	%rax, 520(%rdi)
+        adcq	272(%r8), %rdx
+        movq	536(%rdi), %rax
+        movq	%rdx, 528(%rdi)
+        adcq	280(%r8), %rax
+        movq	544(%rdi), %rdx
+        movq	%rax, 536(%rdi)
+        adcq	288(%r8), %rdx
+        movq	552(%rdi), %rax
+        movq	%rdx, 544(%rdi)
+        adcq	296(%r8), %rax
+        movq	560(%rdi), %rdx
+        movq	%rax, 552(%rdi)
+        adcq	304(%r8), %rdx
+        movq	568(%rdi), %rax
+        movq	%rdx, 560(%rdi)
+        adcq	312(%r8), %rax
+        movq	576(%rdi), %rdx
+        movq	%rax, 568(%rdi)
+        adcq	320(%r8), %rdx
+        movq	584(%rdi), %rax
+        movq	%rdx, 576(%rdi)
+        adcq	328(%r8), %rax
+        movq	592(%rdi), %rdx
+        movq	%rax, 584(%rdi)
+        adcq	336(%r8), %rdx
+        movq	600(%rdi), %rax
+        movq	%rdx, 592(%rdi)
+        adcq	344(%r8), %rax
+        movq	608(%rdi), %rdx
+        movq	%rax, 600(%rdi)
+        adcq	352(%r8), %rdx
+        movq	616(%rdi), %rax
+        movq	%rdx, 608(%rdi)
+        adcq	360(%r8), %rax
+        movq	624(%rdi), %rdx
+        movq	%rax, 616(%rdi)
+        adcq	368(%r8), %rdx
+        movq	632(%rdi), %rax
+        movq	%rdx, 624(%rdi)
+        adcq	376(%r8), %rax
+        movq	640(%rdi), %rdx
+        movq	%rax, 632(%rdi)
+        adcq	384(%r8), %rdx
+        movq	648(%rdi), %rax
+        movq	%rdx, 640(%rdi)
+        adcq	392(%r8), %rax
+        movq	656(%rdi), %rdx
+        movq	%rax, 648(%rdi)
+        adcq	400(%r8), %rdx
+        movq	664(%rdi), %rax
+        movq	%rdx, 656(%rdi)
+        adcq	408(%r8), %rax
+        movq	672(%rdi), %rdx
+        movq	%rax, 664(%rdi)
+        adcq	416(%r8), %rdx
+        movq	680(%rdi), %rax
+        movq	%rdx, 672(%rdi)
+        adcq	424(%r8), %rax
+        movq	688(%rdi), %rdx
+        movq	%rax, 680(%rdi)
+        adcq	432(%r8), %rdx
+        movq	696(%rdi), %rax
+        movq	%rdx, 688(%rdi)
+        adcq	440(%r8), %rax
+        movq	704(%rdi), %rdx
+        movq	%rax, 696(%rdi)
+        adcq	448(%r8), %rdx
+        movq	712(%rdi), %rax
+        movq	%rdx, 704(%rdi)
+        adcq	456(%r8), %rax
+        movq	720(%rdi), %rdx
+        movq	%rax, 712(%rdi)
+        adcq	464(%r8), %rdx
+        movq	728(%rdi), %rax
+        movq	%rdx, 720(%rdi)
+        adcq	472(%r8), %rax
+        movq	736(%rdi), %rdx
+        movq	%rax, 728(%rdi)
+        adcq	480(%r8), %rdx
+        movq	744(%rdi), %rax
+        movq	%rdx, 736(%rdi)
+        adcq	488(%r8), %rax
+        movq	752(%rdi), %rdx
+        movq	%rax, 744(%rdi)
+        adcq	496(%r8), %rdx
+        movq	760(%rdi), %rax
+        movq	%rdx, 752(%rdi)
+        adcq	504(%r8), %rax
+        movq	%rax, 760(%rdi)
+        adcq	$0, %rcx
+        movq	%rcx, 768(%rdi)
+        # Add in place
+        movq	512(%rdi), %rdx
+        xorq	%rcx, %rcx
+        addq	(%rsi), %rdx
+        movq	520(%rdi), %rax
+        movq	%rdx, 512(%rdi)
+        adcq	8(%rsi), %rax
+        movq	528(%rdi), %rdx
+        movq	%rax, 520(%rdi)
+        adcq	16(%rsi), %rdx
+        movq	536(%rdi), %rax
+        movq	%rdx, 528(%rdi)
+        adcq	24(%rsi), %rax
+        movq	544(%rdi), %rdx
+        movq	%rax, 536(%rdi)
+        adcq	32(%rsi), %rdx
+        movq	552(%rdi), %rax
+        movq	%rdx, 544(%rdi)
+        adcq	40(%rsi), %rax
+        movq	560(%rdi), %rdx
+        movq	%rax, 552(%rdi)
+        adcq	48(%rsi), %rdx
+        movq	568(%rdi), %rax
+        movq	%rdx, 560(%rdi)
+        adcq	56(%rsi), %rax
+        movq	576(%rdi), %rdx
+        movq	%rax, 568(%rdi)
+        adcq	64(%rsi), %rdx
+        movq	584(%rdi), %rax
+        movq	%rdx, 576(%rdi)
+        adcq	72(%rsi), %rax
+        movq	592(%rdi), %rdx
+        movq	%rax, 584(%rdi)
+        adcq	80(%rsi), %rdx
+        movq	600(%rdi), %rax
+        movq	%rdx, 592(%rdi)
+        adcq	88(%rsi), %rax
+        movq	608(%rdi), %rdx
+        movq	%rax, 600(%rdi)
+        adcq	96(%rsi), %rdx
+        movq	616(%rdi), %rax
+        movq	%rdx, 608(%rdi)
+        adcq	104(%rsi), %rax
+        movq	624(%rdi), %rdx
+        movq	%rax, 616(%rdi)
+        adcq	112(%rsi), %rdx
+        movq	632(%rdi), %rax
+        movq	%rdx, 624(%rdi)
+        adcq	120(%rsi), %rax
+        movq	640(%rdi), %rdx
+        movq	%rax, 632(%rdi)
+        adcq	128(%rsi), %rdx
+        movq	648(%rdi), %rax
+        movq	%rdx, 640(%rdi)
+        adcq	136(%rsi), %rax
+        movq	656(%rdi), %rdx
+        movq	%rax, 648(%rdi)
+        adcq	144(%rsi), %rdx
+        movq	664(%rdi), %rax
+        movq	%rdx, 656(%rdi)
+        adcq	152(%rsi), %rax
+        movq	672(%rdi), %rdx
+        movq	%rax, 664(%rdi)
+        adcq	160(%rsi), %rdx
+        movq	680(%rdi), %rax
+        movq	%rdx, 672(%rdi)
+        adcq	168(%rsi), %rax
+        movq	688(%rdi), %rdx
+        movq	%rax, 680(%rdi)
+        adcq	176(%rsi), %rdx
+        movq	696(%rdi), %rax
+        movq	%rdx, 688(%rdi)
+        adcq	184(%rsi), %rax
+        movq	704(%rdi), %rdx
+        movq	%rax, 696(%rdi)
+        adcq	192(%rsi), %rdx
+        movq	712(%rdi), %rax
+        movq	%rdx, 704(%rdi)
+        adcq	200(%rsi), %rax
+        movq	720(%rdi), %rdx
+        movq	%rax, 712(%rdi)
+        adcq	208(%rsi), %rdx
+        movq	728(%rdi), %rax
+        movq	%rdx, 720(%rdi)
+        adcq	216(%rsi), %rax
+        movq	736(%rdi), %rdx
+        movq	%rax, 728(%rdi)
+        adcq	224(%rsi), %rdx
+        movq	744(%rdi), %rax
+        movq	%rdx, 736(%rdi)
+        adcq	232(%rsi), %rax
+        movq	752(%rdi), %rdx
+        movq	%rax, 744(%rdi)
+        adcq	240(%rsi), %rdx
+        movq	760(%rdi), %rax
+        movq	%rdx, 752(%rdi)
+        adcq	248(%rsi), %rax
+        movq	768(%rdi), %rdx
+        movq	%rax, 760(%rdi)
+        adcq	256(%rsi), %rdx
+        movq	%rdx, 768(%rdi)
+        adcq	$0, %rcx
+        # Add to zero
+        movq	264(%rsi), %rdx
+        adcq	$0, %rdx
+        movq	272(%rsi), %rax
+        movq	%rdx, 776(%rdi)
+        adcq	$0, %rax
+        movq	280(%rsi), %rdx
+        movq	%rax, 784(%rdi)
+        adcq	$0, %rdx
+        movq	288(%rsi), %rax
+        movq	%rdx, 792(%rdi)
+        adcq	$0, %rax
+        movq	296(%rsi), %rdx
+        movq	%rax, 800(%rdi)
+        adcq	$0, %rdx
+        movq	304(%rsi), %rax
+        movq	%rdx, 808(%rdi)
+        adcq	$0, %rax
+        movq	312(%rsi), %rdx
+        movq	%rax, 816(%rdi)
+        adcq	$0, %rdx
+        movq	320(%rsi), %rax
+        movq	%rdx, 824(%rdi)
+        adcq	$0, %rax
+        movq	328(%rsi), %rdx
+        movq	%rax, 832(%rdi)
+        adcq	$0, %rdx
+        movq	336(%rsi), %rax
+        movq	%rdx, 840(%rdi)
+        adcq	$0, %rax
+        movq	344(%rsi), %rdx
+        movq	%rax, 848(%rdi)
+        adcq	$0, %rdx
+        movq	352(%rsi), %rax
+        movq	%rdx, 856(%rdi)
+        adcq	$0, %rax
+        movq	360(%rsi), %rdx
+        movq	%rax, 864(%rdi)
+        adcq	$0, %rdx
+        movq	368(%rsi), %rax
+        movq	%rdx, 872(%rdi)
+        adcq	$0, %rax
+        movq	376(%rsi), %rdx
+        movq	%rax, 880(%rdi)
+        adcq	$0, %rdx
+        movq	384(%rsi), %rax
+        movq	%rdx, 888(%rdi)
+        adcq	$0, %rax
+        movq	392(%rsi), %rdx
+        movq	%rax, 896(%rdi)
+        adcq	$0, %rdx
+        movq	400(%rsi), %rax
+        movq	%rdx, 904(%rdi)
+        adcq	$0, %rax
+        movq	408(%rsi), %rdx
+        movq	%rax, 912(%rdi)
+        adcq	$0, %rdx
+        movq	416(%rsi), %rax
+        movq	%rdx, 920(%rdi)
+        adcq	$0, %rax
+        movq	424(%rsi), %rdx
+        movq	%rax, 928(%rdi)
+        adcq	$0, %rdx
+        movq	432(%rsi), %rax
+        movq	%rdx, 936(%rdi)
+        adcq	$0, %rax
+        movq	440(%rsi), %rdx
+        movq	%rax, 944(%rdi)
+        adcq	$0, %rdx
+        movq	448(%rsi), %rax
+        movq	%rdx, 952(%rdi)
+        adcq	$0, %rax
+        movq	456(%rsi), %rdx
+        movq	%rax, 960(%rdi)
+        adcq	$0, %rdx
+        movq	464(%rsi), %rax
+        movq	%rdx, 968(%rdi)
+        adcq	$0, %rax
+        movq	472(%rsi), %rdx
+        movq	%rax, 976(%rdi)
+        adcq	$0, %rdx
+        movq	480(%rsi), %rax
+        movq	%rdx, 984(%rdi)
+        adcq	$0, %rax
+        movq	488(%rsi), %rdx
+        movq	%rax, 992(%rdi)
+        adcq	$0, %rdx
+        movq	496(%rsi), %rax
+        movq	%rdx, 1000(%rdi)
+        adcq	$0, %rax
+        movq	504(%rsi), %rdx
+        movq	%rax, 1008(%rdi)
+        adcq	$0, %rdx
+        movq	%rdx, 1016(%rdi)
+        addq	$1304, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_sqr_avx2_64,.-sp_4096_sqr_avx2_64
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mul_d_64
+.type	sp_4096_mul_d_64,@function
+.align	16
+sp_4096_mul_d_64:
+#else
+.globl	_sp_4096_mul_d_64
+.p2align	4
+_sp_4096_mul_d_64:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 40(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[6] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 48(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[7] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	56(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 56(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[8] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	64(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 64(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[9] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	72(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 72(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[10] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	80(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 80(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[11] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 88(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[12] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 96(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[13] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	104(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 104(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[14] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	112(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 112(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[15] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	120(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 120(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[16] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	128(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 128(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[17] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 136(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[18] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 144(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[19] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	152(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 152(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[20] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	160(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 160(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[21] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	168(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 168(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[22] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	176(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 176(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[23] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 184(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[24] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 192(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[25] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	200(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 200(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[26] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	208(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 208(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[27] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	216(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 216(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[28] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	224(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 224(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[29] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 232(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[30] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 240(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[31] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	248(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 248(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[32] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	256(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 256(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[33] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	264(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 264(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[34] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	272(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 272(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[35] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	280(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 280(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[36] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	288(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 288(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[37] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	296(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 296(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[38] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	304(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 304(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[39] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	312(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 312(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[40] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	320(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 320(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[41] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	328(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 328(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[42] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	336(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 336(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[43] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	344(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 344(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[44] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	352(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 352(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[45] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	360(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 360(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[46] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	368(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 368(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[47] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	376(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 376(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[48] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	384(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 384(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[49] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	392(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 392(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[50] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	400(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 400(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[51] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	408(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 408(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[52] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	416(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 416(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[53] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	424(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 424(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[54] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	432(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 432(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[55] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	440(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 440(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[56] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	448(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 448(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[57] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	456(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 456(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[58] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	464(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 464(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[59] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	472(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 472(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[60] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	480(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 480(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[61] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	488(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 488(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[62] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	496(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 496(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[63] * B
+        movq	%rcx, %rax
+        mulq	504(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 504(%rdi)
+        movq	%r9, 512(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mul_d_64,.-sp_4096_mul_d_64
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_cond_sub_64
+.type	sp_4096_cond_sub_64,@function
+.align	16
+sp_4096_cond_sub_64:
+#else
+.globl	_sp_4096_cond_sub_64
+.p2align	4
+_sp_4096_cond_sub_64:
+#endif /* __APPLE__ */
+        subq	$512, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	192(%rdx), %r8
+        movq	200(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 192(%rsp)
+        movq	%r9, 200(%rsp)
+        movq	208(%rdx), %r8
+        movq	216(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 208(%rsp)
+        movq	%r9, 216(%rsp)
+        movq	224(%rdx), %r8
+        movq	232(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 224(%rsp)
+        movq	%r9, 232(%rsp)
+        movq	240(%rdx), %r8
+        movq	248(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 240(%rsp)
+        movq	%r9, 248(%rsp)
+        movq	256(%rdx), %r8
+        movq	264(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 256(%rsp)
+        movq	%r9, 264(%rsp)
+        movq	272(%rdx), %r8
+        movq	280(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 272(%rsp)
+        movq	%r9, 280(%rsp)
+        movq	288(%rdx), %r8
+        movq	296(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 288(%rsp)
+        movq	%r9, 296(%rsp)
+        movq	304(%rdx), %r8
+        movq	312(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 304(%rsp)
+        movq	%r9, 312(%rsp)
+        movq	320(%rdx), %r8
+        movq	328(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 320(%rsp)
+        movq	%r9, 328(%rsp)
+        movq	336(%rdx), %r8
+        movq	344(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 336(%rsp)
+        movq	%r9, 344(%rsp)
+        movq	352(%rdx), %r8
+        movq	360(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 352(%rsp)
+        movq	%r9, 360(%rsp)
+        movq	368(%rdx), %r8
+        movq	376(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 368(%rsp)
+        movq	%r9, 376(%rsp)
+        movq	384(%rdx), %r8
+        movq	392(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 384(%rsp)
+        movq	%r9, 392(%rsp)
+        movq	400(%rdx), %r8
+        movq	408(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 400(%rsp)
+        movq	%r9, 408(%rsp)
+        movq	416(%rdx), %r8
+        movq	424(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 416(%rsp)
+        movq	%r9, 424(%rsp)
+        movq	432(%rdx), %r8
+        movq	440(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 432(%rsp)
+        movq	%r9, 440(%rsp)
+        movq	448(%rdx), %r8
+        movq	456(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 448(%rsp)
+        movq	%r9, 456(%rsp)
+        movq	464(%rdx), %r8
+        movq	472(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 464(%rsp)
+        movq	%r9, 472(%rsp)
+        movq	480(%rdx), %r8
+        movq	488(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 480(%rsp)
+        movq	%r9, 488(%rsp)
+        movq	496(%rdx), %r8
+        movq	504(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 496(%rsp)
+        movq	%r9, 504(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	192(%rsi), %r8
+        movq	192(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 184(%rdi)
+        movq	200(%rsi), %r9
+        movq	200(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 192(%rdi)
+        movq	208(%rsi), %r8
+        movq	208(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 200(%rdi)
+        movq	216(%rsi), %r9
+        movq	216(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 208(%rdi)
+        movq	224(%rsi), %r8
+        movq	224(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 216(%rdi)
+        movq	232(%rsi), %r9
+        movq	232(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 224(%rdi)
+        movq	240(%rsi), %r8
+        movq	240(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 232(%rdi)
+        movq	248(%rsi), %r9
+        movq	248(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 240(%rdi)
+        movq	256(%rsi), %r8
+        movq	256(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 248(%rdi)
+        movq	264(%rsi), %r9
+        movq	264(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 256(%rdi)
+        movq	272(%rsi), %r8
+        movq	272(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 264(%rdi)
+        movq	280(%rsi), %r9
+        movq	280(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 272(%rdi)
+        movq	288(%rsi), %r8
+        movq	288(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 280(%rdi)
+        movq	296(%rsi), %r9
+        movq	296(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 288(%rdi)
+        movq	304(%rsi), %r8
+        movq	304(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 296(%rdi)
+        movq	312(%rsi), %r9
+        movq	312(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 304(%rdi)
+        movq	320(%rsi), %r8
+        movq	320(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 312(%rdi)
+        movq	328(%rsi), %r9
+        movq	328(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 320(%rdi)
+        movq	336(%rsi), %r8
+        movq	336(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 328(%rdi)
+        movq	344(%rsi), %r9
+        movq	344(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 336(%rdi)
+        movq	352(%rsi), %r8
+        movq	352(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 344(%rdi)
+        movq	360(%rsi), %r9
+        movq	360(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 352(%rdi)
+        movq	368(%rsi), %r8
+        movq	368(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 360(%rdi)
+        movq	376(%rsi), %r9
+        movq	376(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 368(%rdi)
+        movq	384(%rsi), %r8
+        movq	384(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 376(%rdi)
+        movq	392(%rsi), %r9
+        movq	392(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 384(%rdi)
+        movq	400(%rsi), %r8
+        movq	400(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 392(%rdi)
+        movq	408(%rsi), %r9
+        movq	408(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 400(%rdi)
+        movq	416(%rsi), %r8
+        movq	416(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 408(%rdi)
+        movq	424(%rsi), %r9
+        movq	424(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 416(%rdi)
+        movq	432(%rsi), %r8
+        movq	432(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 424(%rdi)
+        movq	440(%rsi), %r9
+        movq	440(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 432(%rdi)
+        movq	448(%rsi), %r8
+        movq	448(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 440(%rdi)
+        movq	456(%rsi), %r9
+        movq	456(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 448(%rdi)
+        movq	464(%rsi), %r8
+        movq	464(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 456(%rdi)
+        movq	472(%rsi), %r9
+        movq	472(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 464(%rdi)
+        movq	480(%rsi), %r8
+        movq	480(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 472(%rdi)
+        movq	488(%rsi), %r9
+        movq	488(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 480(%rdi)
+        movq	496(%rsi), %r8
+        movq	496(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 488(%rdi)
+        movq	504(%rsi), %r9
+        movq	504(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 496(%rdi)
+        movq	%r9, 504(%rdi)
+        sbbq	$0, %rax
+        addq	$512, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_cond_sub_64,.-sp_4096_cond_sub_64
+#endif /* __APPLE__ */
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mont_reduce_64
+.type	sp_4096_mont_reduce_64,@function
+.align	16
+sp_4096_mont_reduce_64:
+#else
+.globl	_sp_4096_mont_reduce_64
+.p2align	4
+_sp_4096_mont_reduce_64:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 64
+        movq	$64, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_64:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	$0, %r9
+        # a[i+6] += m[6] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	48(%rsi)
+        movq	48(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 48(%rdi)
+        adcq	$0, %r10
+        # a[i+7] += m[7] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	56(%rsi)
+        movq	56(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 56(%rdi)
+        adcq	$0, %r9
+        # a[i+8] += m[8] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	64(%rsi)
+        movq	64(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 64(%rdi)
+        adcq	$0, %r10
+        # a[i+9] += m[9] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	72(%rsi)
+        movq	72(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 72(%rdi)
+        adcq	$0, %r9
+        # a[i+10] += m[10] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	80(%rsi)
+        movq	80(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 80(%rdi)
+        adcq	$0, %r10
+        # a[i+11] += m[11] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	88(%rsi)
+        movq	88(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 88(%rdi)
+        adcq	$0, %r9
+        # a[i+12] += m[12] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	96(%rsi)
+        movq	96(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 96(%rdi)
+        adcq	$0, %r10
+        # a[i+13] += m[13] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	104(%rsi)
+        movq	104(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 104(%rdi)
+        adcq	$0, %r9
+        # a[i+14] += m[14] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	112(%rsi)
+        movq	112(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 112(%rdi)
+        adcq	$0, %r10
+        # a[i+15] += m[15] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	120(%rsi)
+        movq	120(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 120(%rdi)
+        adcq	$0, %r9
+        # a[i+16] += m[16] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	128(%rsi)
+        movq	128(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 128(%rdi)
+        adcq	$0, %r10
+        # a[i+17] += m[17] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	136(%rsi)
+        movq	136(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 136(%rdi)
+        adcq	$0, %r9
+        # a[i+18] += m[18] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	144(%rsi)
+        movq	144(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 144(%rdi)
+        adcq	$0, %r10
+        # a[i+19] += m[19] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	152(%rsi)
+        movq	152(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 152(%rdi)
+        adcq	$0, %r9
+        # a[i+20] += m[20] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	160(%rsi)
+        movq	160(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 160(%rdi)
+        adcq	$0, %r10
+        # a[i+21] += m[21] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	168(%rsi)
+        movq	168(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 168(%rdi)
+        adcq	$0, %r9
+        # a[i+22] += m[22] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	176(%rsi)
+        movq	176(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 176(%rdi)
+        adcq	$0, %r10
+        # a[i+23] += m[23] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	184(%rsi)
+        movq	184(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 184(%rdi)
+        adcq	$0, %r9
+        # a[i+24] += m[24] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	192(%rsi)
+        movq	192(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 192(%rdi)
+        adcq	$0, %r10
+        # a[i+25] += m[25] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	200(%rsi)
+        movq	200(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 200(%rdi)
+        adcq	$0, %r9
+        # a[i+26] += m[26] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	208(%rsi)
+        movq	208(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 208(%rdi)
+        adcq	$0, %r10
+        # a[i+27] += m[27] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	216(%rsi)
+        movq	216(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 216(%rdi)
+        adcq	$0, %r9
+        # a[i+28] += m[28] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	224(%rsi)
+        movq	224(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 224(%rdi)
+        adcq	$0, %r10
+        # a[i+29] += m[29] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	232(%rsi)
+        movq	232(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 232(%rdi)
+        adcq	$0, %r9
+        # a[i+30] += m[30] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	240(%rsi)
+        movq	240(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 240(%rdi)
+        adcq	$0, %r10
+        # a[i+31] += m[31] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	248(%rsi)
+        movq	248(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 248(%rdi)
+        adcq	$0, %r9
+        # a[i+32] += m[32] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	256(%rsi)
+        movq	256(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 256(%rdi)
+        adcq	$0, %r10
+        # a[i+33] += m[33] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	264(%rsi)
+        movq	264(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 264(%rdi)
+        adcq	$0, %r9
+        # a[i+34] += m[34] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	272(%rsi)
+        movq	272(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 272(%rdi)
+        adcq	$0, %r10
+        # a[i+35] += m[35] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	280(%rsi)
+        movq	280(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 280(%rdi)
+        adcq	$0, %r9
+        # a[i+36] += m[36] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	288(%rsi)
+        movq	288(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 288(%rdi)
+        adcq	$0, %r10
+        # a[i+37] += m[37] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	296(%rsi)
+        movq	296(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 296(%rdi)
+        adcq	$0, %r9
+        # a[i+38] += m[38] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	304(%rsi)
+        movq	304(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 304(%rdi)
+        adcq	$0, %r10
+        # a[i+39] += m[39] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	312(%rsi)
+        movq	312(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 312(%rdi)
+        adcq	$0, %r9
+        # a[i+40] += m[40] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	320(%rsi)
+        movq	320(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 320(%rdi)
+        adcq	$0, %r10
+        # a[i+41] += m[41] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	328(%rsi)
+        movq	328(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 328(%rdi)
+        adcq	$0, %r9
+        # a[i+42] += m[42] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	336(%rsi)
+        movq	336(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 336(%rdi)
+        adcq	$0, %r10
+        # a[i+43] += m[43] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	344(%rsi)
+        movq	344(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 344(%rdi)
+        adcq	$0, %r9
+        # a[i+44] += m[44] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	352(%rsi)
+        movq	352(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 352(%rdi)
+        adcq	$0, %r10
+        # a[i+45] += m[45] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	360(%rsi)
+        movq	360(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 360(%rdi)
+        adcq	$0, %r9
+        # a[i+46] += m[46] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	368(%rsi)
+        movq	368(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 368(%rdi)
+        adcq	$0, %r10
+        # a[i+47] += m[47] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	376(%rsi)
+        movq	376(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 376(%rdi)
+        adcq	$0, %r9
+        # a[i+48] += m[48] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	384(%rsi)
+        movq	384(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 384(%rdi)
+        adcq	$0, %r10
+        # a[i+49] += m[49] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	392(%rsi)
+        movq	392(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 392(%rdi)
+        adcq	$0, %r9
+        # a[i+50] += m[50] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	400(%rsi)
+        movq	400(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 400(%rdi)
+        adcq	$0, %r10
+        # a[i+51] += m[51] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	408(%rsi)
+        movq	408(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 408(%rdi)
+        adcq	$0, %r9
+        # a[i+52] += m[52] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	416(%rsi)
+        movq	416(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 416(%rdi)
+        adcq	$0, %r10
+        # a[i+53] += m[53] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	424(%rsi)
+        movq	424(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 424(%rdi)
+        adcq	$0, %r9
+        # a[i+54] += m[54] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	432(%rsi)
+        movq	432(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 432(%rdi)
+        adcq	$0, %r10
+        # a[i+55] += m[55] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	440(%rsi)
+        movq	440(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 440(%rdi)
+        adcq	$0, %r9
+        # a[i+56] += m[56] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	448(%rsi)
+        movq	448(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 448(%rdi)
+        adcq	$0, %r10
+        # a[i+57] += m[57] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	456(%rsi)
+        movq	456(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 456(%rdi)
+        adcq	$0, %r9
+        # a[i+58] += m[58] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	464(%rsi)
+        movq	464(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 464(%rdi)
+        adcq	$0, %r10
+        # a[i+59] += m[59] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	472(%rsi)
+        movq	472(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 472(%rdi)
+        adcq	$0, %r9
+        # a[i+60] += m[60] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	480(%rsi)
+        movq	480(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 480(%rdi)
+        adcq	$0, %r10
+        # a[i+61] += m[61] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	488(%rsi)
+        movq	488(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 488(%rdi)
+        adcq	$0, %r9
+        # a[i+62] += m[62] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	496(%rsi)
+        movq	496(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 496(%rdi)
+        adcq	$0, %r10
+        # a[i+63] += m[63] * mu
+        movq	%r11, %rax
+        mulq	504(%rsi)
+        movq	504(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 504(%rdi)
+        adcq	%rdx, 512(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_64
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$512, %rdi
+#ifndef __APPLE__
+        callq	sp_4096_cond_sub_64@plt
+#else
+        callq	_sp_4096_cond_sub_64
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mont_reduce_64,.-sp_4096_mont_reduce_64
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_cond_sub_avx2_64
+.type	sp_4096_cond_sub_avx2_64,@function
+.align	16
+sp_4096_cond_sub_avx2_64:
+#else
+.globl	_sp_4096_cond_sub_avx2_64
+.p2align	4
+_sp_4096_cond_sub_avx2_64:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        sbbq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        sbbq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        sbbq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        sbbq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        sbbq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        sbbq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        sbbq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        sbbq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        sbbq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        sbbq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        sbbq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        sbbq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        sbbq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        sbbq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        sbbq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        sbbq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        sbbq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        sbbq	%r8, %r10
+        movq	192(%rdx), %r9
+        movq	192(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 184(%rdi)
+        sbbq	%r9, %r8
+        movq	200(%rdx), %r10
+        movq	200(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 192(%rdi)
+        sbbq	%r10, %r9
+        movq	208(%rdx), %r8
+        movq	208(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 200(%rdi)
+        sbbq	%r8, %r10
+        movq	216(%rdx), %r9
+        movq	216(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 208(%rdi)
+        sbbq	%r9, %r8
+        movq	224(%rdx), %r10
+        movq	224(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 216(%rdi)
+        sbbq	%r10, %r9
+        movq	232(%rdx), %r8
+        movq	232(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 224(%rdi)
+        sbbq	%r8, %r10
+        movq	240(%rdx), %r9
+        movq	240(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 232(%rdi)
+        sbbq	%r9, %r8
+        movq	248(%rdx), %r10
+        movq	248(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 240(%rdi)
+        sbbq	%r10, %r9
+        movq	256(%rdx), %r8
+        movq	256(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 248(%rdi)
+        sbbq	%r8, %r10
+        movq	264(%rdx), %r9
+        movq	264(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 256(%rdi)
+        sbbq	%r9, %r8
+        movq	272(%rdx), %r10
+        movq	272(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 264(%rdi)
+        sbbq	%r10, %r9
+        movq	280(%rdx), %r8
+        movq	280(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 272(%rdi)
+        sbbq	%r8, %r10
+        movq	288(%rdx), %r9
+        movq	288(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 280(%rdi)
+        sbbq	%r9, %r8
+        movq	296(%rdx), %r10
+        movq	296(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 288(%rdi)
+        sbbq	%r10, %r9
+        movq	304(%rdx), %r8
+        movq	304(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 296(%rdi)
+        sbbq	%r8, %r10
+        movq	312(%rdx), %r9
+        movq	312(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 304(%rdi)
+        sbbq	%r9, %r8
+        movq	320(%rdx), %r10
+        movq	320(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 312(%rdi)
+        sbbq	%r10, %r9
+        movq	328(%rdx), %r8
+        movq	328(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 320(%rdi)
+        sbbq	%r8, %r10
+        movq	336(%rdx), %r9
+        movq	336(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 328(%rdi)
+        sbbq	%r9, %r8
+        movq	344(%rdx), %r10
+        movq	344(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 336(%rdi)
+        sbbq	%r10, %r9
+        movq	352(%rdx), %r8
+        movq	352(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 344(%rdi)
+        sbbq	%r8, %r10
+        movq	360(%rdx), %r9
+        movq	360(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 352(%rdi)
+        sbbq	%r9, %r8
+        movq	368(%rdx), %r10
+        movq	368(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 360(%rdi)
+        sbbq	%r10, %r9
+        movq	376(%rdx), %r8
+        movq	376(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 368(%rdi)
+        sbbq	%r8, %r10
+        movq	384(%rdx), %r9
+        movq	384(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 376(%rdi)
+        sbbq	%r9, %r8
+        movq	392(%rdx), %r10
+        movq	392(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 384(%rdi)
+        sbbq	%r10, %r9
+        movq	400(%rdx), %r8
+        movq	400(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 392(%rdi)
+        sbbq	%r8, %r10
+        movq	408(%rdx), %r9
+        movq	408(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 400(%rdi)
+        sbbq	%r9, %r8
+        movq	416(%rdx), %r10
+        movq	416(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 408(%rdi)
+        sbbq	%r10, %r9
+        movq	424(%rdx), %r8
+        movq	424(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 416(%rdi)
+        sbbq	%r8, %r10
+        movq	432(%rdx), %r9
+        movq	432(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 424(%rdi)
+        sbbq	%r9, %r8
+        movq	440(%rdx), %r10
+        movq	440(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 432(%rdi)
+        sbbq	%r10, %r9
+        movq	448(%rdx), %r8
+        movq	448(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 440(%rdi)
+        sbbq	%r8, %r10
+        movq	456(%rdx), %r9
+        movq	456(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 448(%rdi)
+        sbbq	%r9, %r8
+        movq	464(%rdx), %r10
+        movq	464(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 456(%rdi)
+        sbbq	%r10, %r9
+        movq	472(%rdx), %r8
+        movq	472(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 464(%rdi)
+        sbbq	%r8, %r10
+        movq	480(%rdx), %r9
+        movq	480(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 472(%rdi)
+        sbbq	%r9, %r8
+        movq	488(%rdx), %r10
+        movq	488(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 480(%rdi)
+        sbbq	%r10, %r9
+        movq	496(%rdx), %r8
+        movq	496(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 488(%rdi)
+        sbbq	%r8, %r10
+        movq	504(%rdx), %r9
+        movq	504(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 496(%rdi)
+        sbbq	%r9, %r8
+        movq	%r8, 504(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_cond_sub_avx2_64,.-sp_4096_cond_sub_avx2_64
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mul_d_avx2_64
+.type	sp_4096_mul_d_avx2_64,@function
+.align	16
+sp_4096_mul_d_avx2_64:
+#else
+.globl	_sp_4096_mul_d_avx2_64
+.p2align	4
+_sp_4096_mul_d_avx2_64:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 40(%rdi)
+        adoxq	%r8, %r9
+        # A[6] * B
+        mulxq	48(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 48(%rdi)
+        adoxq	%r8, %r10
+        # A[7] * B
+        mulxq	56(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 56(%rdi)
+        adoxq	%r8, %r9
+        # A[8] * B
+        mulxq	64(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 64(%rdi)
+        adoxq	%r8, %r10
+        # A[9] * B
+        mulxq	72(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 72(%rdi)
+        adoxq	%r8, %r9
+        # A[10] * B
+        mulxq	80(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 80(%rdi)
+        adoxq	%r8, %r10
+        # A[11] * B
+        mulxq	88(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 88(%rdi)
+        adoxq	%r8, %r9
+        # A[12] * B
+        mulxq	96(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 96(%rdi)
+        adoxq	%r8, %r10
+        # A[13] * B
+        mulxq	104(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 104(%rdi)
+        adoxq	%r8, %r9
+        # A[14] * B
+        mulxq	112(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 112(%rdi)
+        adoxq	%r8, %r10
+        # A[15] * B
+        mulxq	120(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 120(%rdi)
+        adoxq	%r8, %r9
+        # A[16] * B
+        mulxq	128(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 128(%rdi)
+        adoxq	%r8, %r10
+        # A[17] * B
+        mulxq	136(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 136(%rdi)
+        adoxq	%r8, %r9
+        # A[18] * B
+        mulxq	144(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 144(%rdi)
+        adoxq	%r8, %r10
+        # A[19] * B
+        mulxq	152(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 152(%rdi)
+        adoxq	%r8, %r9
+        # A[20] * B
+        mulxq	160(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 160(%rdi)
+        adoxq	%r8, %r10
+        # A[21] * B
+        mulxq	168(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 168(%rdi)
+        adoxq	%r8, %r9
+        # A[22] * B
+        mulxq	176(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 176(%rdi)
+        adoxq	%r8, %r10
+        # A[23] * B
+        mulxq	184(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 184(%rdi)
+        adoxq	%r8, %r9
+        # A[24] * B
+        mulxq	192(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 192(%rdi)
+        adoxq	%r8, %r10
+        # A[25] * B
+        mulxq	200(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 200(%rdi)
+        adoxq	%r8, %r9
+        # A[26] * B
+        mulxq	208(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 208(%rdi)
+        adoxq	%r8, %r10
+        # A[27] * B
+        mulxq	216(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 216(%rdi)
+        adoxq	%r8, %r9
+        # A[28] * B
+        mulxq	224(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 224(%rdi)
+        adoxq	%r8, %r10
+        # A[29] * B
+        mulxq	232(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 232(%rdi)
+        adoxq	%r8, %r9
+        # A[30] * B
+        mulxq	240(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 240(%rdi)
+        adoxq	%r8, %r10
+        # A[31] * B
+        mulxq	248(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 248(%rdi)
+        adoxq	%r8, %r9
+        # A[32] * B
+        mulxq	256(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 256(%rdi)
+        adoxq	%r8, %r10
+        # A[33] * B
+        mulxq	264(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 264(%rdi)
+        adoxq	%r8, %r9
+        # A[34] * B
+        mulxq	272(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 272(%rdi)
+        adoxq	%r8, %r10
+        # A[35] * B
+        mulxq	280(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 280(%rdi)
+        adoxq	%r8, %r9
+        # A[36] * B
+        mulxq	288(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 288(%rdi)
+        adoxq	%r8, %r10
+        # A[37] * B
+        mulxq	296(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 296(%rdi)
+        adoxq	%r8, %r9
+        # A[38] * B
+        mulxq	304(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 304(%rdi)
+        adoxq	%r8, %r10
+        # A[39] * B
+        mulxq	312(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 312(%rdi)
+        adoxq	%r8, %r9
+        # A[40] * B
+        mulxq	320(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 320(%rdi)
+        adoxq	%r8, %r10
+        # A[41] * B
+        mulxq	328(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 328(%rdi)
+        adoxq	%r8, %r9
+        # A[42] * B
+        mulxq	336(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 336(%rdi)
+        adoxq	%r8, %r10
+        # A[43] * B
+        mulxq	344(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 344(%rdi)
+        adoxq	%r8, %r9
+        # A[44] * B
+        mulxq	352(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 352(%rdi)
+        adoxq	%r8, %r10
+        # A[45] * B
+        mulxq	360(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 360(%rdi)
+        adoxq	%r8, %r9
+        # A[46] * B
+        mulxq	368(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 368(%rdi)
+        adoxq	%r8, %r10
+        # A[47] * B
+        mulxq	376(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 376(%rdi)
+        adoxq	%r8, %r9
+        # A[48] * B
+        mulxq	384(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 384(%rdi)
+        adoxq	%r8, %r10
+        # A[49] * B
+        mulxq	392(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 392(%rdi)
+        adoxq	%r8, %r9
+        # A[50] * B
+        mulxq	400(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 400(%rdi)
+        adoxq	%r8, %r10
+        # A[51] * B
+        mulxq	408(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 408(%rdi)
+        adoxq	%r8, %r9
+        # A[52] * B
+        mulxq	416(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 416(%rdi)
+        adoxq	%r8, %r10
+        # A[53] * B
+        mulxq	424(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 424(%rdi)
+        adoxq	%r8, %r9
+        # A[54] * B
+        mulxq	432(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 432(%rdi)
+        adoxq	%r8, %r10
+        # A[55] * B
+        mulxq	440(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 440(%rdi)
+        adoxq	%r8, %r9
+        # A[56] * B
+        mulxq	448(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 448(%rdi)
+        adoxq	%r8, %r10
+        # A[57] * B
+        mulxq	456(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 456(%rdi)
+        adoxq	%r8, %r9
+        # A[58] * B
+        mulxq	464(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 464(%rdi)
+        adoxq	%r8, %r10
+        # A[59] * B
+        mulxq	472(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 472(%rdi)
+        adoxq	%r8, %r9
+        # A[60] * B
+        mulxq	480(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 480(%rdi)
+        adoxq	%r8, %r10
+        # A[61] * B
+        mulxq	488(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 488(%rdi)
+        adoxq	%r8, %r9
+        # A[62] * B
+        mulxq	496(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 496(%rdi)
+        adoxq	%r8, %r10
+        # A[63] * B
+        mulxq	504(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 504(%rdi)
+        movq	%r9, 512(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mul_d_avx2_64,.-sp_4096_mul_d_avx2_64
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_cmp_64
+.type	sp_4096_cmp_64,@function
+.align	16
+sp_4096_cmp_64:
+#else
+.globl	_sp_4096_cmp_64
+.p2align	4
+_sp_4096_cmp_64:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	504(%rdi), %r9
+        movq	504(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	496(%rdi), %r9
+        movq	496(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	488(%rdi), %r9
+        movq	488(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	480(%rdi), %r9
+        movq	480(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	472(%rdi), %r9
+        movq	472(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	464(%rdi), %r9
+        movq	464(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	456(%rdi), %r9
+        movq	456(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	448(%rdi), %r9
+        movq	448(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	440(%rdi), %r9
+        movq	440(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	432(%rdi), %r9
+        movq	432(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	424(%rdi), %r9
+        movq	424(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	416(%rdi), %r9
+        movq	416(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	408(%rdi), %r9
+        movq	408(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	400(%rdi), %r9
+        movq	400(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	392(%rdi), %r9
+        movq	392(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	384(%rdi), %r9
+        movq	384(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	376(%rdi), %r9
+        movq	376(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	368(%rdi), %r9
+        movq	368(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	360(%rdi), %r9
+        movq	360(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	352(%rdi), %r9
+        movq	352(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	344(%rdi), %r9
+        movq	344(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	336(%rdi), %r9
+        movq	336(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	328(%rdi), %r9
+        movq	328(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	320(%rdi), %r9
+        movq	320(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	312(%rdi), %r9
+        movq	312(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	304(%rdi), %r9
+        movq	304(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	296(%rdi), %r9
+        movq	296(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	288(%rdi), %r9
+        movq	288(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	280(%rdi), %r9
+        movq	280(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	272(%rdi), %r9
+        movq	272(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	264(%rdi), %r9
+        movq	264(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	256(%rdi), %r9
+        movq	256(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	248(%rdi), %r9
+        movq	248(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	240(%rdi), %r9
+        movq	240(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	232(%rdi), %r9
+        movq	232(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	224(%rdi), %r9
+        movq	224(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	216(%rdi), %r9
+        movq	216(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	208(%rdi), %r9
+        movq	208(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	200(%rdi), %r9
+        movq	200(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	192(%rdi), %r9
+        movq	192(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	184(%rdi), %r9
+        movq	184(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	176(%rdi), %r9
+        movq	176(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	168(%rdi), %r9
+        movq	168(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	160(%rdi), %r9
+        movq	160(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	152(%rdi), %r9
+        movq	152(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	144(%rdi), %r9
+        movq	144(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	136(%rdi), %r9
+        movq	136(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	128(%rdi), %r9
+        movq	128(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	120(%rdi), %r9
+        movq	120(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	112(%rdi), %r9
+        movq	112(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	104(%rdi), %r9
+        movq	104(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	96(%rdi), %r9
+        movq	96(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	88(%rdi), %r9
+        movq	88(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	80(%rdi), %r9
+        movq	80(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	72(%rdi), %r9
+        movq	72(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	64(%rdi), %r9
+        movq	64(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	56(%rdi), %r9
+        movq	56(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	48(%rdi), %r9
+        movq	48(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_cmp_64,.-sp_4096_cmp_64
+#endif /* __APPLE__ */
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_sub_64
+.type	sp_4096_sub_64,@function
+.align	16
+sp_4096_sub_64:
+#else
+.globl	_sp_4096_sub_64
+.p2align	4
+_sp_4096_sub_64:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        subq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        sbbq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        sbbq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        sbbq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        sbbq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        sbbq	40(%rdx), %r8
+        movq	48(%rsi), %rcx
+        movq	%r8, 40(%rdi)
+        sbbq	48(%rdx), %rcx
+        movq	56(%rsi), %r8
+        movq	%rcx, 48(%rdi)
+        sbbq	56(%rdx), %r8
+        movq	64(%rsi), %rcx
+        movq	%r8, 56(%rdi)
+        sbbq	64(%rdx), %rcx
+        movq	72(%rsi), %r8
+        movq	%rcx, 64(%rdi)
+        sbbq	72(%rdx), %r8
+        movq	80(%rsi), %rcx
+        movq	%r8, 72(%rdi)
+        sbbq	80(%rdx), %rcx
+        movq	88(%rsi), %r8
+        movq	%rcx, 80(%rdi)
+        sbbq	88(%rdx), %r8
+        movq	96(%rsi), %rcx
+        movq	%r8, 88(%rdi)
+        sbbq	96(%rdx), %rcx
+        movq	104(%rsi), %r8
+        movq	%rcx, 96(%rdi)
+        sbbq	104(%rdx), %r8
+        movq	112(%rsi), %rcx
+        movq	%r8, 104(%rdi)
+        sbbq	112(%rdx), %rcx
+        movq	120(%rsi), %r8
+        movq	%rcx, 112(%rdi)
+        sbbq	120(%rdx), %r8
+        movq	128(%rsi), %rcx
+        movq	%r8, 120(%rdi)
+        sbbq	128(%rdx), %rcx
+        movq	136(%rsi), %r8
+        movq	%rcx, 128(%rdi)
+        sbbq	136(%rdx), %r8
+        movq	144(%rsi), %rcx
+        movq	%r8, 136(%rdi)
+        sbbq	144(%rdx), %rcx
+        movq	152(%rsi), %r8
+        movq	%rcx, 144(%rdi)
+        sbbq	152(%rdx), %r8
+        movq	160(%rsi), %rcx
+        movq	%r8, 152(%rdi)
+        sbbq	160(%rdx), %rcx
+        movq	168(%rsi), %r8
+        movq	%rcx, 160(%rdi)
+        sbbq	168(%rdx), %r8
+        movq	176(%rsi), %rcx
+        movq	%r8, 168(%rdi)
+        sbbq	176(%rdx), %rcx
+        movq	184(%rsi), %r8
+        movq	%rcx, 176(%rdi)
+        sbbq	184(%rdx), %r8
+        movq	192(%rsi), %rcx
+        movq	%r8, 184(%rdi)
+        sbbq	192(%rdx), %rcx
+        movq	200(%rsi), %r8
+        movq	%rcx, 192(%rdi)
+        sbbq	200(%rdx), %r8
+        movq	208(%rsi), %rcx
+        movq	%r8, 200(%rdi)
+        sbbq	208(%rdx), %rcx
+        movq	216(%rsi), %r8
+        movq	%rcx, 208(%rdi)
+        sbbq	216(%rdx), %r8
+        movq	224(%rsi), %rcx
+        movq	%r8, 216(%rdi)
+        sbbq	224(%rdx), %rcx
+        movq	232(%rsi), %r8
+        movq	%rcx, 224(%rdi)
+        sbbq	232(%rdx), %r8
+        movq	240(%rsi), %rcx
+        movq	%r8, 232(%rdi)
+        sbbq	240(%rdx), %rcx
+        movq	248(%rsi), %r8
+        movq	%rcx, 240(%rdi)
+        sbbq	248(%rdx), %r8
+        movq	256(%rsi), %rcx
+        movq	%r8, 248(%rdi)
+        sbbq	256(%rdx), %rcx
+        movq	264(%rsi), %r8
+        movq	%rcx, 256(%rdi)
+        sbbq	264(%rdx), %r8
+        movq	272(%rsi), %rcx
+        movq	%r8, 264(%rdi)
+        sbbq	272(%rdx), %rcx
+        movq	280(%rsi), %r8
+        movq	%rcx, 272(%rdi)
+        sbbq	280(%rdx), %r8
+        movq	288(%rsi), %rcx
+        movq	%r8, 280(%rdi)
+        sbbq	288(%rdx), %rcx
+        movq	296(%rsi), %r8
+        movq	%rcx, 288(%rdi)
+        sbbq	296(%rdx), %r8
+        movq	304(%rsi), %rcx
+        movq	%r8, 296(%rdi)
+        sbbq	304(%rdx), %rcx
+        movq	312(%rsi), %r8
+        movq	%rcx, 304(%rdi)
+        sbbq	312(%rdx), %r8
+        movq	320(%rsi), %rcx
+        movq	%r8, 312(%rdi)
+        sbbq	320(%rdx), %rcx
+        movq	328(%rsi), %r8
+        movq	%rcx, 320(%rdi)
+        sbbq	328(%rdx), %r8
+        movq	336(%rsi), %rcx
+        movq	%r8, 328(%rdi)
+        sbbq	336(%rdx), %rcx
+        movq	344(%rsi), %r8
+        movq	%rcx, 336(%rdi)
+        sbbq	344(%rdx), %r8
+        movq	352(%rsi), %rcx
+        movq	%r8, 344(%rdi)
+        sbbq	352(%rdx), %rcx
+        movq	360(%rsi), %r8
+        movq	%rcx, 352(%rdi)
+        sbbq	360(%rdx), %r8
+        movq	368(%rsi), %rcx
+        movq	%r8, 360(%rdi)
+        sbbq	368(%rdx), %rcx
+        movq	376(%rsi), %r8
+        movq	%rcx, 368(%rdi)
+        sbbq	376(%rdx), %r8
+        movq	384(%rsi), %rcx
+        movq	%r8, 376(%rdi)
+        sbbq	384(%rdx), %rcx
+        movq	392(%rsi), %r8
+        movq	%rcx, 384(%rdi)
+        sbbq	392(%rdx), %r8
+        movq	400(%rsi), %rcx
+        movq	%r8, 392(%rdi)
+        sbbq	400(%rdx), %rcx
+        movq	408(%rsi), %r8
+        movq	%rcx, 400(%rdi)
+        sbbq	408(%rdx), %r8
+        movq	416(%rsi), %rcx
+        movq	%r8, 408(%rdi)
+        sbbq	416(%rdx), %rcx
+        movq	424(%rsi), %r8
+        movq	%rcx, 416(%rdi)
+        sbbq	424(%rdx), %r8
+        movq	432(%rsi), %rcx
+        movq	%r8, 424(%rdi)
+        sbbq	432(%rdx), %rcx
+        movq	440(%rsi), %r8
+        movq	%rcx, 432(%rdi)
+        sbbq	440(%rdx), %r8
+        movq	448(%rsi), %rcx
+        movq	%r8, 440(%rdi)
+        sbbq	448(%rdx), %rcx
+        movq	456(%rsi), %r8
+        movq	%rcx, 448(%rdi)
+        sbbq	456(%rdx), %r8
+        movq	464(%rsi), %rcx
+        movq	%r8, 456(%rdi)
+        sbbq	464(%rdx), %rcx
+        movq	472(%rsi), %r8
+        movq	%rcx, 464(%rdi)
+        sbbq	472(%rdx), %r8
+        movq	480(%rsi), %rcx
+        movq	%r8, 472(%rdi)
+        sbbq	480(%rdx), %rcx
+        movq	488(%rsi), %r8
+        movq	%rcx, 480(%rdi)
+        sbbq	488(%rdx), %r8
+        movq	496(%rsi), %rcx
+        movq	%r8, 488(%rdi)
+        sbbq	496(%rdx), %rcx
+        movq	504(%rsi), %r8
+        movq	%rcx, 496(%rdi)
+        sbbq	504(%rdx), %r8
+        movq	%r8, 504(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_sub_64,.-sp_4096_sub_64
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 4096 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_mont_reduce_avx2_64
+.type	sp_4096_mont_reduce_avx2_64,@function
+.align	16
+sp_4096_mont_reduce_avx2_64:
+#else
+.globl	_sp_4096_mont_reduce_avx2_64
+.p2align	4
+_sp_4096_mont_reduce_avx2_64:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        movq	%rdx, %r8
+        xorq	%r14, %r14
+        # i = 64
+        movq	$64, %r9
+        movq	(%rdi), %r13
+        addq	$256, %rdi
+        xorq	%r12, %r12
+L_mont_loop_avx2_64:
+        # mu = a[i] * mp
+        movq	%r13, %rdx
+        movq	%r13, %r10
+        imulq	%r8, %rdx
+        xorq	%r12, %r12
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rax, %rcx
+        movq	-248(%rdi), %r13
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r13
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rax, %rcx
+        movq	-240(%rdi), %r10
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r10
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rax, %rcx
+        movq	-232(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -240(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rax, %rcx
+        movq	-224(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -232(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rax, %rcx
+        movq	-216(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -224(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rax, %rcx
+        movq	-208(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -216(%rdi)
+        # a[i+6] += m[6] * mu
+        mulxq	48(%rsi), %rax, %rcx
+        movq	-200(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -208(%rdi)
+        # a[i+7] += m[7] * mu
+        mulxq	56(%rsi), %rax, %rcx
+        movq	-192(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -200(%rdi)
+        # a[i+8] += m[8] * mu
+        mulxq	64(%rsi), %rax, %rcx
+        movq	-184(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -192(%rdi)
+        # a[i+9] += m[9] * mu
+        mulxq	72(%rsi), %rax, %rcx
+        movq	-176(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -184(%rdi)
+        # a[i+10] += m[10] * mu
+        mulxq	80(%rsi), %rax, %rcx
+        movq	-168(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -176(%rdi)
+        # a[i+11] += m[11] * mu
+        mulxq	88(%rsi), %rax, %rcx
+        movq	-160(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -168(%rdi)
+        # a[i+12] += m[12] * mu
+        mulxq	96(%rsi), %rax, %rcx
+        movq	-152(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -160(%rdi)
+        # a[i+13] += m[13] * mu
+        mulxq	104(%rsi), %rax, %rcx
+        movq	-144(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -152(%rdi)
+        # a[i+14] += m[14] * mu
+        mulxq	112(%rsi), %rax, %rcx
+        movq	-136(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -144(%rdi)
+        # a[i+15] += m[15] * mu
+        mulxq	120(%rsi), %rax, %rcx
+        movq	-128(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -136(%rdi)
+        # a[i+16] += m[16] * mu
+        mulxq	128(%rsi), %rax, %rcx
+        movq	-120(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -128(%rdi)
+        # a[i+17] += m[17] * mu
+        mulxq	136(%rsi), %rax, %rcx
+        movq	-112(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -120(%rdi)
+        # a[i+18] += m[18] * mu
+        mulxq	144(%rsi), %rax, %rcx
+        movq	-104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -112(%rdi)
+        # a[i+19] += m[19] * mu
+        mulxq	152(%rsi), %rax, %rcx
+        movq	-96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -104(%rdi)
+        # a[i+20] += m[20] * mu
+        mulxq	160(%rsi), %rax, %rcx
+        movq	-88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -96(%rdi)
+        # a[i+21] += m[21] * mu
+        mulxq	168(%rsi), %rax, %rcx
+        movq	-80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -88(%rdi)
+        # a[i+22] += m[22] * mu
+        mulxq	176(%rsi), %rax, %rcx
+        movq	-72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -80(%rdi)
+        # a[i+23] += m[23] * mu
+        mulxq	184(%rsi), %rax, %rcx
+        movq	-64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -72(%rdi)
+        # a[i+24] += m[24] * mu
+        mulxq	192(%rsi), %rax, %rcx
+        movq	-56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -64(%rdi)
+        # a[i+25] += m[25] * mu
+        mulxq	200(%rsi), %rax, %rcx
+        movq	-48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -56(%rdi)
+        # a[i+26] += m[26] * mu
+        mulxq	208(%rsi), %rax, %rcx
+        movq	-40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -48(%rdi)
+        # a[i+27] += m[27] * mu
+        mulxq	216(%rsi), %rax, %rcx
+        movq	-32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -40(%rdi)
+        # a[i+28] += m[28] * mu
+        mulxq	224(%rsi), %rax, %rcx
+        movq	-24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -32(%rdi)
+        # a[i+29] += m[29] * mu
+        mulxq	232(%rsi), %rax, %rcx
+        movq	-16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -24(%rdi)
+        # a[i+30] += m[30] * mu
+        mulxq	240(%rsi), %rax, %rcx
+        movq	-8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, -16(%rdi)
+        # a[i+31] += m[31] * mu
+        mulxq	248(%rsi), %rax, %rcx
+        movq	(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, -8(%rdi)
+        # a[i+32] += m[32] * mu
+        mulxq	256(%rsi), %rax, %rcx
+        movq	8(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, (%rdi)
+        # a[i+33] += m[33] * mu
+        mulxq	264(%rsi), %rax, %rcx
+        movq	16(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 8(%rdi)
+        # a[i+34] += m[34] * mu
+        mulxq	272(%rsi), %rax, %rcx
+        movq	24(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 16(%rdi)
+        # a[i+35] += m[35] * mu
+        mulxq	280(%rsi), %rax, %rcx
+        movq	32(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 24(%rdi)
+        # a[i+36] += m[36] * mu
+        mulxq	288(%rsi), %rax, %rcx
+        movq	40(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 32(%rdi)
+        # a[i+37] += m[37] * mu
+        mulxq	296(%rsi), %rax, %rcx
+        movq	48(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 40(%rdi)
+        # a[i+38] += m[38] * mu
+        mulxq	304(%rsi), %rax, %rcx
+        movq	56(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 48(%rdi)
+        # a[i+39] += m[39] * mu
+        mulxq	312(%rsi), %rax, %rcx
+        movq	64(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 56(%rdi)
+        # a[i+40] += m[40] * mu
+        mulxq	320(%rsi), %rax, %rcx
+        movq	72(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 64(%rdi)
+        # a[i+41] += m[41] * mu
+        mulxq	328(%rsi), %rax, %rcx
+        movq	80(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 72(%rdi)
+        # a[i+42] += m[42] * mu
+        mulxq	336(%rsi), %rax, %rcx
+        movq	88(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 80(%rdi)
+        # a[i+43] += m[43] * mu
+        mulxq	344(%rsi), %rax, %rcx
+        movq	96(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 88(%rdi)
+        # a[i+44] += m[44] * mu
+        mulxq	352(%rsi), %rax, %rcx
+        movq	104(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 96(%rdi)
+        # a[i+45] += m[45] * mu
+        mulxq	360(%rsi), %rax, %rcx
+        movq	112(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 104(%rdi)
+        # a[i+46] += m[46] * mu
+        mulxq	368(%rsi), %rax, %rcx
+        movq	120(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 112(%rdi)
+        # a[i+47] += m[47] * mu
+        mulxq	376(%rsi), %rax, %rcx
+        movq	128(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 120(%rdi)
+        # a[i+48] += m[48] * mu
+        mulxq	384(%rsi), %rax, %rcx
+        movq	136(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 128(%rdi)
+        # a[i+49] += m[49] * mu
+        mulxq	392(%rsi), %rax, %rcx
+        movq	144(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 136(%rdi)
+        # a[i+50] += m[50] * mu
+        mulxq	400(%rsi), %rax, %rcx
+        movq	152(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 144(%rdi)
+        # a[i+51] += m[51] * mu
+        mulxq	408(%rsi), %rax, %rcx
+        movq	160(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 152(%rdi)
+        # a[i+52] += m[52] * mu
+        mulxq	416(%rsi), %rax, %rcx
+        movq	168(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 160(%rdi)
+        # a[i+53] += m[53] * mu
+        mulxq	424(%rsi), %rax, %rcx
+        movq	176(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 168(%rdi)
+        # a[i+54] += m[54] * mu
+        mulxq	432(%rsi), %rax, %rcx
+        movq	184(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 176(%rdi)
+        # a[i+55] += m[55] * mu
+        mulxq	440(%rsi), %rax, %rcx
+        movq	192(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 184(%rdi)
+        # a[i+56] += m[56] * mu
+        mulxq	448(%rsi), %rax, %rcx
+        movq	200(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 192(%rdi)
+        # a[i+57] += m[57] * mu
+        mulxq	456(%rsi), %rax, %rcx
+        movq	208(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 200(%rdi)
+        # a[i+58] += m[58] * mu
+        mulxq	464(%rsi), %rax, %rcx
+        movq	216(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 208(%rdi)
+        # a[i+59] += m[59] * mu
+        mulxq	472(%rsi), %rax, %rcx
+        movq	224(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 216(%rdi)
+        # a[i+60] += m[60] * mu
+        mulxq	480(%rsi), %rax, %rcx
+        movq	232(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 224(%rdi)
+        # a[i+61] += m[61] * mu
+        mulxq	488(%rsi), %rax, %rcx
+        movq	240(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 232(%rdi)
+        # a[i+62] += m[62] * mu
+        mulxq	496(%rsi), %rax, %rcx
+        movq	248(%rdi), %r11
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        movq	%r10, 240(%rdi)
+        # a[i+63] += m[63] * mu
+        mulxq	504(%rsi), %rax, %rcx
+        movq	256(%rdi), %r10
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r10
+        movq	%r11, 248(%rdi)
+        adcxq	%r14, %r10
+        movq	%r10, 256(%rdi)
+        movq	%r12, %r14
+        adoxq	%r12, %r14
+        adcxq	%r12, %r14
+        # a += 1
+        addq	$8, %rdi
+        # i -= 1
+        subq	$1, %r9
+        jnz	L_mont_loop_avx2_64
+        subq	$256, %rdi
+        negq	%r14
+        movq	%rdi, %r8
+        subq	$512, %rdi
+        movq	(%rsi), %rcx
+        movq	%r13, %rdx
+        pextq	%r14, %rcx, %rcx
+        subq	%rcx, %rdx
+        movq	8(%rsi), %rcx
+        movq	8(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, (%rdi)
+        sbbq	%rcx, %rax
+        movq	16(%rsi), %rdx
+        movq	16(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 8(%rdi)
+        sbbq	%rdx, %rcx
+        movq	24(%rsi), %rax
+        movq	24(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 16(%rdi)
+        sbbq	%rax, %rdx
+        movq	32(%rsi), %rcx
+        movq	32(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 24(%rdi)
+        sbbq	%rcx, %rax
+        movq	40(%rsi), %rdx
+        movq	40(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 32(%rdi)
+        sbbq	%rdx, %rcx
+        movq	48(%rsi), %rax
+        movq	48(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 40(%rdi)
+        sbbq	%rax, %rdx
+        movq	56(%rsi), %rcx
+        movq	56(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 48(%rdi)
+        sbbq	%rcx, %rax
+        movq	64(%rsi), %rdx
+        movq	64(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 56(%rdi)
+        sbbq	%rdx, %rcx
+        movq	72(%rsi), %rax
+        movq	72(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 64(%rdi)
+        sbbq	%rax, %rdx
+        movq	80(%rsi), %rcx
+        movq	80(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 72(%rdi)
+        sbbq	%rcx, %rax
+        movq	88(%rsi), %rdx
+        movq	88(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 80(%rdi)
+        sbbq	%rdx, %rcx
+        movq	96(%rsi), %rax
+        movq	96(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 88(%rdi)
+        sbbq	%rax, %rdx
+        movq	104(%rsi), %rcx
+        movq	104(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 96(%rdi)
+        sbbq	%rcx, %rax
+        movq	112(%rsi), %rdx
+        movq	112(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 104(%rdi)
+        sbbq	%rdx, %rcx
+        movq	120(%rsi), %rax
+        movq	120(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 112(%rdi)
+        sbbq	%rax, %rdx
+        movq	128(%rsi), %rcx
+        movq	128(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 120(%rdi)
+        sbbq	%rcx, %rax
+        movq	136(%rsi), %rdx
+        movq	136(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 128(%rdi)
+        sbbq	%rdx, %rcx
+        movq	144(%rsi), %rax
+        movq	144(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 136(%rdi)
+        sbbq	%rax, %rdx
+        movq	152(%rsi), %rcx
+        movq	152(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 144(%rdi)
+        sbbq	%rcx, %rax
+        movq	160(%rsi), %rdx
+        movq	160(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 152(%rdi)
+        sbbq	%rdx, %rcx
+        movq	168(%rsi), %rax
+        movq	168(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 160(%rdi)
+        sbbq	%rax, %rdx
+        movq	176(%rsi), %rcx
+        movq	176(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 168(%rdi)
+        sbbq	%rcx, %rax
+        movq	184(%rsi), %rdx
+        movq	184(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 176(%rdi)
+        sbbq	%rdx, %rcx
+        movq	192(%rsi), %rax
+        movq	192(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 184(%rdi)
+        sbbq	%rax, %rdx
+        movq	200(%rsi), %rcx
+        movq	200(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 192(%rdi)
+        sbbq	%rcx, %rax
+        movq	208(%rsi), %rdx
+        movq	208(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 200(%rdi)
+        sbbq	%rdx, %rcx
+        movq	216(%rsi), %rax
+        movq	216(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 208(%rdi)
+        sbbq	%rax, %rdx
+        movq	224(%rsi), %rcx
+        movq	224(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 216(%rdi)
+        sbbq	%rcx, %rax
+        movq	232(%rsi), %rdx
+        movq	232(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 224(%rdi)
+        sbbq	%rdx, %rcx
+        movq	240(%rsi), %rax
+        movq	240(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 232(%rdi)
+        sbbq	%rax, %rdx
+        movq	248(%rsi), %rcx
+        movq	248(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 240(%rdi)
+        sbbq	%rcx, %rax
+        movq	256(%rsi), %rdx
+        movq	256(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 248(%rdi)
+        sbbq	%rdx, %rcx
+        movq	264(%rsi), %rax
+        movq	264(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 256(%rdi)
+        sbbq	%rax, %rdx
+        movq	272(%rsi), %rcx
+        movq	272(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 264(%rdi)
+        sbbq	%rcx, %rax
+        movq	280(%rsi), %rdx
+        movq	280(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 272(%rdi)
+        sbbq	%rdx, %rcx
+        movq	288(%rsi), %rax
+        movq	288(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 280(%rdi)
+        sbbq	%rax, %rdx
+        movq	296(%rsi), %rcx
+        movq	296(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 288(%rdi)
+        sbbq	%rcx, %rax
+        movq	304(%rsi), %rdx
+        movq	304(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 296(%rdi)
+        sbbq	%rdx, %rcx
+        movq	312(%rsi), %rax
+        movq	312(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 304(%rdi)
+        sbbq	%rax, %rdx
+        movq	320(%rsi), %rcx
+        movq	320(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 312(%rdi)
+        sbbq	%rcx, %rax
+        movq	328(%rsi), %rdx
+        movq	328(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 320(%rdi)
+        sbbq	%rdx, %rcx
+        movq	336(%rsi), %rax
+        movq	336(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 328(%rdi)
+        sbbq	%rax, %rdx
+        movq	344(%rsi), %rcx
+        movq	344(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 336(%rdi)
+        sbbq	%rcx, %rax
+        movq	352(%rsi), %rdx
+        movq	352(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 344(%rdi)
+        sbbq	%rdx, %rcx
+        movq	360(%rsi), %rax
+        movq	360(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 352(%rdi)
+        sbbq	%rax, %rdx
+        movq	368(%rsi), %rcx
+        movq	368(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 360(%rdi)
+        sbbq	%rcx, %rax
+        movq	376(%rsi), %rdx
+        movq	376(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 368(%rdi)
+        sbbq	%rdx, %rcx
+        movq	384(%rsi), %rax
+        movq	384(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 376(%rdi)
+        sbbq	%rax, %rdx
+        movq	392(%rsi), %rcx
+        movq	392(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 384(%rdi)
+        sbbq	%rcx, %rax
+        movq	400(%rsi), %rdx
+        movq	400(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 392(%rdi)
+        sbbq	%rdx, %rcx
+        movq	408(%rsi), %rax
+        movq	408(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 400(%rdi)
+        sbbq	%rax, %rdx
+        movq	416(%rsi), %rcx
+        movq	416(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 408(%rdi)
+        sbbq	%rcx, %rax
+        movq	424(%rsi), %rdx
+        movq	424(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 416(%rdi)
+        sbbq	%rdx, %rcx
+        movq	432(%rsi), %rax
+        movq	432(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 424(%rdi)
+        sbbq	%rax, %rdx
+        movq	440(%rsi), %rcx
+        movq	440(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 432(%rdi)
+        sbbq	%rcx, %rax
+        movq	448(%rsi), %rdx
+        movq	448(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 440(%rdi)
+        sbbq	%rdx, %rcx
+        movq	456(%rsi), %rax
+        movq	456(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 448(%rdi)
+        sbbq	%rax, %rdx
+        movq	464(%rsi), %rcx
+        movq	464(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 456(%rdi)
+        sbbq	%rcx, %rax
+        movq	472(%rsi), %rdx
+        movq	472(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 464(%rdi)
+        sbbq	%rdx, %rcx
+        movq	480(%rsi), %rax
+        movq	480(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 472(%rdi)
+        sbbq	%rax, %rdx
+        movq	488(%rsi), %rcx
+        movq	488(%r8), %rax
+        pextq	%r14, %rcx, %rcx
+        movq	%rdx, 480(%rdi)
+        sbbq	%rcx, %rax
+        movq	496(%rsi), %rdx
+        movq	496(%r8), %rcx
+        pextq	%r14, %rdx, %rdx
+        movq	%rax, 488(%rdi)
+        sbbq	%rdx, %rcx
+        movq	504(%rsi), %rax
+        movq	504(%r8), %rdx
+        pextq	%r14, %rax, %rax
+        movq	%rcx, 496(%rdi)
+        sbbq	%rax, %rdx
+        movq	%rdx, 504(%rdi)
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_mont_reduce_avx2_64,.-sp_4096_mont_reduce_avx2_64
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_cond_add_32
+.type	sp_4096_cond_add_32,@function
+.align	16
+sp_4096_cond_add_32:
+#else
+.globl	_sp_4096_cond_add_32
+.p2align	4
+_sp_4096_cond_add_32:
+#endif /* __APPLE__ */
+        subq	$256, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	48(%rdx), %r8
+        movq	56(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 48(%rsp)
+        movq	%r9, 56(%rsp)
+        movq	64(%rdx), %r8
+        movq	72(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 64(%rsp)
+        movq	%r9, 72(%rsp)
+        movq	80(%rdx), %r8
+        movq	88(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 80(%rsp)
+        movq	%r9, 88(%rsp)
+        movq	96(%rdx), %r8
+        movq	104(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 96(%rsp)
+        movq	%r9, 104(%rsp)
+        movq	112(%rdx), %r8
+        movq	120(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 112(%rsp)
+        movq	%r9, 120(%rsp)
+        movq	128(%rdx), %r8
+        movq	136(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 128(%rsp)
+        movq	%r9, 136(%rsp)
+        movq	144(%rdx), %r8
+        movq	152(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 144(%rsp)
+        movq	%r9, 152(%rsp)
+        movq	160(%rdx), %r8
+        movq	168(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 160(%rsp)
+        movq	%r9, 168(%rsp)
+        movq	176(%rdx), %r8
+        movq	184(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 176(%rsp)
+        movq	%r9, 184(%rsp)
+        movq	192(%rdx), %r8
+        movq	200(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 192(%rsp)
+        movq	%r9, 200(%rsp)
+        movq	208(%rdx), %r8
+        movq	216(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 208(%rsp)
+        movq	%r9, 216(%rsp)
+        movq	224(%rdx), %r8
+        movq	232(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 224(%rsp)
+        movq	%r9, 232(%rsp)
+        movq	240(%rdx), %r8
+        movq	248(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 240(%rsp)
+        movq	%r9, 248(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        addq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	48(%rsi), %r8
+        movq	48(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 40(%rdi)
+        movq	56(%rsi), %r9
+        movq	56(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	64(%rsi), %r8
+        movq	64(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 56(%rdi)
+        movq	72(%rsi), %r9
+        movq	72(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 64(%rdi)
+        movq	80(%rsi), %r8
+        movq	80(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 72(%rdi)
+        movq	88(%rsi), %r9
+        movq	88(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	96(%rsi), %r8
+        movq	96(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 88(%rdi)
+        movq	104(%rsi), %r9
+        movq	104(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 96(%rdi)
+        movq	112(%rsi), %r8
+        movq	112(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 104(%rdi)
+        movq	120(%rsi), %r9
+        movq	120(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 112(%rdi)
+        movq	128(%rsi), %r8
+        movq	128(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 120(%rdi)
+        movq	136(%rsi), %r9
+        movq	136(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 128(%rdi)
+        movq	144(%rsi), %r8
+        movq	144(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 136(%rdi)
+        movq	152(%rsi), %r9
+        movq	152(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 144(%rdi)
+        movq	160(%rsi), %r8
+        movq	160(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 152(%rdi)
+        movq	168(%rsi), %r9
+        movq	168(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 160(%rdi)
+        movq	176(%rsi), %r8
+        movq	176(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 168(%rdi)
+        movq	184(%rsi), %r9
+        movq	184(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 176(%rdi)
+        movq	192(%rsi), %r8
+        movq	192(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 184(%rdi)
+        movq	200(%rsi), %r9
+        movq	200(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 192(%rdi)
+        movq	208(%rsi), %r8
+        movq	208(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 200(%rdi)
+        movq	216(%rsi), %r9
+        movq	216(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 208(%rdi)
+        movq	224(%rsi), %r8
+        movq	224(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 216(%rdi)
+        movq	232(%rsi), %r9
+        movq	232(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 224(%rdi)
+        movq	240(%rsi), %r8
+        movq	240(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 232(%rdi)
+        movq	248(%rsi), %r9
+        movq	248(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        adcq	$0, %rax
+        addq	$256, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_cond_add_32,.-sp_4096_cond_add_32
+#endif /* __APPLE__ */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_cond_add_avx2_32
+.type	sp_4096_cond_add_avx2_32,@function
+.align	16
+sp_4096_cond_add_avx2_32:
+#else
+.globl	_sp_4096_cond_add_avx2_32
+.p2align	4
+_sp_4096_cond_add_avx2_32:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        addq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        adcq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        adcq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        adcq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        adcq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        adcq	%r8, %r10
+        movq	48(%rdx), %r9
+        movq	48(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 40(%rdi)
+        adcq	%r9, %r8
+        movq	56(%rdx), %r10
+        movq	56(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 48(%rdi)
+        adcq	%r10, %r9
+        movq	64(%rdx), %r8
+        movq	64(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 56(%rdi)
+        adcq	%r8, %r10
+        movq	72(%rdx), %r9
+        movq	72(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 64(%rdi)
+        adcq	%r9, %r8
+        movq	80(%rdx), %r10
+        movq	80(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 72(%rdi)
+        adcq	%r10, %r9
+        movq	88(%rdx), %r8
+        movq	88(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 80(%rdi)
+        adcq	%r8, %r10
+        movq	96(%rdx), %r9
+        movq	96(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 88(%rdi)
+        adcq	%r9, %r8
+        movq	104(%rdx), %r10
+        movq	104(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 96(%rdi)
+        adcq	%r10, %r9
+        movq	112(%rdx), %r8
+        movq	112(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 104(%rdi)
+        adcq	%r8, %r10
+        movq	120(%rdx), %r9
+        movq	120(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 112(%rdi)
+        adcq	%r9, %r8
+        movq	128(%rdx), %r10
+        movq	128(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 120(%rdi)
+        adcq	%r10, %r9
+        movq	136(%rdx), %r8
+        movq	136(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 128(%rdi)
+        adcq	%r8, %r10
+        movq	144(%rdx), %r9
+        movq	144(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 136(%rdi)
+        adcq	%r9, %r8
+        movq	152(%rdx), %r10
+        movq	152(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 144(%rdi)
+        adcq	%r10, %r9
+        movq	160(%rdx), %r8
+        movq	160(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 152(%rdi)
+        adcq	%r8, %r10
+        movq	168(%rdx), %r9
+        movq	168(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 160(%rdi)
+        adcq	%r9, %r8
+        movq	176(%rdx), %r10
+        movq	176(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 168(%rdi)
+        adcq	%r10, %r9
+        movq	184(%rdx), %r8
+        movq	184(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 176(%rdi)
+        adcq	%r8, %r10
+        movq	192(%rdx), %r9
+        movq	192(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 184(%rdi)
+        adcq	%r9, %r8
+        movq	200(%rdx), %r10
+        movq	200(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 192(%rdi)
+        adcq	%r10, %r9
+        movq	208(%rdx), %r8
+        movq	208(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 200(%rdi)
+        adcq	%r8, %r10
+        movq	216(%rdx), %r9
+        movq	216(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 208(%rdi)
+        adcq	%r9, %r8
+        movq	224(%rdx), %r10
+        movq	224(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 216(%rdi)
+        adcq	%r10, %r9
+        movq	232(%rdx), %r8
+        movq	232(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 224(%rdi)
+        adcq	%r8, %r10
+        movq	240(%rdx), %r9
+        movq	240(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 232(%rdi)
+        adcq	%r9, %r8
+        movq	248(%rdx), %r10
+        movq	248(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 240(%rdi)
+        adcq	%r10, %r9
+        movq	%r9, 248(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_4096_cond_add_avx2_32,.-sp_4096_cond_add_avx2_32
+#endif /* __APPLE__ */
+/* Shift number left by n bit. (r = a << n)
+ *
+ * r  Result of left shift by n.
+ * a  Number to shift.
+ * n  Amoutnt o shift.
+ */
+#ifndef __APPLE__
+.globl	sp_4096_lshift_64
+.type	sp_4096_lshift_64,@function
+.align	16
+sp_4096_lshift_64:
+#else
+.globl	_sp_4096_lshift_64
+.p2align	4
+_sp_4096_lshift_64:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        movq	$0, %r10
+        movq	472(%rsi), %r11
+        movq	480(%rsi), %rdx
+        movq	488(%rsi), %rax
+        movq	496(%rsi), %r8
+        movq	504(%rsi), %r9
+        shldq	%cl, %r9, %r10
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 480(%rdi)
+        movq	%rax, 488(%rdi)
+        movq	%r8, 496(%rdi)
+        movq	%r9, 504(%rdi)
+        movq	%r10, 512(%rdi)
+        movq	440(%rsi), %r9
+        movq	448(%rsi), %rdx
+        movq	456(%rsi), %rax
+        movq	464(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 448(%rdi)
+        movq	%rax, 456(%rdi)
+        movq	%r8, 464(%rdi)
+        movq	%r11, 472(%rdi)
+        movq	408(%rsi), %r11
+        movq	416(%rsi), %rdx
+        movq	424(%rsi), %rax
+        movq	432(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 416(%rdi)
+        movq	%rax, 424(%rdi)
+        movq	%r8, 432(%rdi)
+        movq	%r9, 440(%rdi)
+        movq	376(%rsi), %r9
+        movq	384(%rsi), %rdx
+        movq	392(%rsi), %rax
+        movq	400(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 384(%rdi)
+        movq	%rax, 392(%rdi)
+        movq	%r8, 400(%rdi)
+        movq	%r11, 408(%rdi)
+        movq	344(%rsi), %r11
+        movq	352(%rsi), %rdx
+        movq	360(%rsi), %rax
+        movq	368(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 352(%rdi)
+        movq	%rax, 360(%rdi)
+        movq	%r8, 368(%rdi)
+        movq	%r9, 376(%rdi)
+        movq	312(%rsi), %r9
+        movq	320(%rsi), %rdx
+        movq	328(%rsi), %rax
+        movq	336(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 320(%rdi)
+        movq	%rax, 328(%rdi)
+        movq	%r8, 336(%rdi)
+        movq	%r11, 344(%rdi)
+        movq	280(%rsi), %r11
+        movq	288(%rsi), %rdx
+        movq	296(%rsi), %rax
+        movq	304(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 288(%rdi)
+        movq	%rax, 296(%rdi)
+        movq	%r8, 304(%rdi)
+        movq	%r9, 312(%rdi)
+        movq	248(%rsi), %r9
+        movq	256(%rsi), %rdx
+        movq	264(%rsi), %rax
+        movq	272(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 256(%rdi)
+        movq	%rax, 264(%rdi)
+        movq	%r8, 272(%rdi)
+        movq	%r11, 280(%rdi)
+        movq	216(%rsi), %r11
+        movq	224(%rsi), %rdx
+        movq	232(%rsi), %rax
+        movq	240(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 224(%rdi)
+        movq	%rax, 232(%rdi)
+        movq	%r8, 240(%rdi)
+        movq	%r9, 248(%rdi)
+        movq	184(%rsi), %r9
+        movq	192(%rsi), %rdx
+        movq	200(%rsi), %rax
+        movq	208(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 192(%rdi)
+        movq	%rax, 200(%rdi)
+        movq	%r8, 208(%rdi)
+        movq	%r11, 216(%rdi)
+        movq	152(%rsi), %r11
+        movq	160(%rsi), %rdx
+        movq	168(%rsi), %rax
+        movq	176(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 160(%rdi)
+        movq	%rax, 168(%rdi)
+        movq	%r8, 176(%rdi)
+        movq	%r9, 184(%rdi)
+        movq	120(%rsi), %r9
+        movq	128(%rsi), %rdx
+        movq	136(%rsi), %rax
+        movq	144(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 128(%rdi)
+        movq	%rax, 136(%rdi)
+        movq	%r8, 144(%rdi)
+        movq	%r11, 152(%rdi)
+        movq	88(%rsi), %r11
+        movq	96(%rsi), %rdx
+        movq	104(%rsi), %rax
+        movq	112(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 96(%rdi)
+        movq	%rax, 104(%rdi)
+        movq	%r8, 112(%rdi)
+        movq	%r9, 120(%rdi)
+        movq	56(%rsi), %r9
+        movq	64(%rsi), %rdx
+        movq	72(%rsi), %rax
+        movq	80(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r9, %rdx
+        movq	%rdx, 64(%rdi)
+        movq	%rax, 72(%rdi)
+        movq	%r8, 80(%rdi)
+        movq	%r11, 88(%rdi)
+        movq	24(%rsi), %r11
+        movq	32(%rsi), %rdx
+        movq	40(%rsi), %rax
+        movq	48(%rsi), %r8
+        shldq	%cl, %r8, %r9
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shldq	%cl, %r11, %rdx
+        movq	%rdx, 32(%rdi)
+        movq	%rax, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %r8
+        shldq	%cl, %r8, %r11
+        shldq	%cl, %rax, %r8
+        shldq	%cl, %rdx, %rax
+        shlq	%cl, %rdx
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        repz retq
+#endif /* WOLFSSL_SP_4096 */
+#endif /* WOLFSSL_SP_4096 */
+#ifndef WOLFSSL_SP_NO_256
+/* Conditionally copy a into r using the mask m.
+ * m is -1 to copy and 0 when not.
+ *
+ * r  A single precision number to copy over.
+ * a  A single precision number to copy.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_256_cond_copy_4
+.type	sp_256_cond_copy_4,@function
+.align	16
+sp_256_cond_copy_4:
+#else
+.globl	_sp_256_cond_copy_4
+.p2align	4
+_sp_256_cond_copy_4:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rax
+        movq	8(%rdi), %rcx
+        movq	16(%rdi), %r8
+        movq	24(%rdi), %r9
+        xorq	(%rsi), %rax
+        xorq	8(%rsi), %rcx
+        xorq	16(%rsi), %r8
+        xorq	24(%rsi), %r9
+        andq	%rdx, %rax
+        andq	%rdx, %rcx
+        andq	%rdx, %r8
+        andq	%rdx, %r9
+        xorq	%rax, (%rdi)
+        xorq	%rcx, 8(%rdi)
+        xorq	%r8, 16(%rdi)
+        xorq	%r9, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_cond_copy_4,.-sp_256_cond_copy_4
+#endif /* __APPLE__ */
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_mul_4
+.type	sp_256_mont_mul_4,@function
+.align	16
+sp_256_mont_mul_4:
+#else
+.globl	_sp_256_mont_mul_4
+.p2align	4
+_sp_256_mont_mul_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        movq	%rdx, %r8
+        #  A[0] * B[0]
+        movq	(%r8), %rax
+        mulq	(%rsi)
+        movq	%rax, %r9
+        movq	%rdx, %r10
+        #  A[0] * B[1]
+        movq	8(%r8), %rax
+        mulq	(%rsi)
+        xorq	%r11, %r11
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        #  A[1] * B[0]
+        movq	(%r8), %rax
+        mulq	8(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        #  A[0] * B[2]
+        movq	16(%r8), %rax
+        mulq	(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[1] * B[1]
+        movq	8(%r8), %rax
+        mulq	8(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0, %r13
+        #  A[2] * B[0]
+        movq	(%r8), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        adcq	$0, %r13
+        #  A[0] * B[3]
+        movq	24(%r8), %rax
+        mulq	(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0, %r14
+        #  A[1] * B[2]
+        movq	16(%r8), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0, %r14
+        #  A[2] * B[1]
+        movq	8(%r8), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0, %r14
+        #  A[3] * B[0]
+        movq	(%r8), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0, %r14
+        #  A[1] * B[3]
+        movq	24(%r8), %rax
+        mulq	8(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0, %r15
+        #  A[2] * B[2]
+        movq	16(%r8), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0, %r15
+        #  A[3] * B[1]
+        movq	8(%r8), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        adcq	$0, %r15
+        #  A[2] * B[3]
+        movq	24(%r8), %rax
+        mulq	16(%rsi)
+        xorq	%rbx, %rbx
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        adcq	$0, %rbx
+        #  A[3] * B[2]
+        movq	16(%r8), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        adcq	$0, %rbx
+        #  A[3] * B[3]
+        movq	24(%r8), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r15
+        adcq	%rdx, %rbx
+        # Start Reduction
+        # mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192
+        #    - a[0] << 32 << 192
+        #   + (a[0] * 2) << 192
+        movq	%r9, %rax
+        movq	%r12, %rdx
+        addq	%r9, %rdx
+        movq	%r10, %rsi
+        addq	%r9, %rdx
+        movq	%r11, %r8
+        #   a[0]-a[2] << 32
+        shlq	$32, %r9
+        shldq	$32, %rsi, %r11
+        shldq	$32, %rax, %r10
+        #   - a[0] << 32 << 192
+        subq	%r9, %rdx
+        #   + a[0]-a[2] << 32 << 64
+        addq	%r9, %rsi
+        adcq	%r10, %r8
+        adcq	%r11, %rdx
+        # a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu
+        #   a += mu << 256
+        xorq	%r9, %r9
+        addq	%rax, %r13
+        adcq	%rsi, %r14
+        adcq	%r8, %r15
+        adcq	%rdx, %rbx
+        sbbq	$0, %r9
+        #   a += mu << 192
+        addq	%rax, %r12
+        adcq	%rsi, %r13
+        adcq	%r8, %r14
+        adcq	%rdx, %r15
+        adcq	$0, %rbx
+        sbbq	$0, %r9
+        # mu <<= 32
+        movq	%rdx, %rcx
+        shldq	$32, %r8, %rdx
+        shldq	$32, %rsi, %r8
+        shldq	$32, %rax, %rsi
+        shrq	$32, %rcx
+        shlq	$32, %rax
+        #   a += (mu << 32) << 64
+        addq	%r8, %r12
+        adcq	%rdx, %r13
+        adcq	%rcx, %r14
+        adcq	$0, %r15
+        adcq	$0, %rbx
+        sbbq	$0, %r9
+        #   a -= (mu << 32) << 192
+        subq	%rax, %r12
+        sbbq	%rsi, %r13
+        sbbq	%r8, %r14
+        sbbq	%rdx, %r15
+        sbbq	%rcx, %rbx
+        adcq	$0, %r9
+        movq	$4294967295, %rax
+        movq	$18446744069414584321, %rsi
+        # mask m and sub from result if overflow
+        #  m[0] = -1 & mask = mask
+        andq	%r9, %rax
+        #  m[2] =  0 & mask = 0
+        andq	%r9, %rsi
+        subq	%r9, %r13
+        sbbq	%rax, %r14
+        sbbq	$0, %r15
+        sbbq	%rsi, %rbx
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        movq	%r15, 16(%rdi)
+        movq	%rbx, 24(%rdi)
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_mul_4,.-sp_256_mont_mul_4
+#endif /* __APPLE__ */
+/* Square the Montgomery form number mod the modulus (prime). (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_sqr_4
+.type	sp_256_mont_sqr_4,@function
+.align	16
+sp_256_mont_sqr_4:
+#else
+.globl	_sp_256_mont_sqr_4
+.p2align	4
+_sp_256_mont_sqr_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        #  A[0] * A[1]
+        movq	(%rsi), %rax
+        mulq	8(%rsi)
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        #  A[0] * A[2]
+        movq	(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r12, %r12
+        addq	%rax, %r11
+        adcq	%rdx, %r12
+        #  A[0] * A[3]
+        movq	(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r13, %r13
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        #  A[1] * A[2]
+        movq	8(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r14, %r14
+        addq	%rax, %r12
+        adcq	%rdx, %r13
+        adcq	$0, %r14
+        #  A[1] * A[3]
+        movq	8(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r14
+        #  A[2] * A[3]
+        movq	16(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r15, %r15
+        addq	%rax, %r14
+        adcq	%rdx, %r15
+        # Double
+        xorq	%rbx, %rbx
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        adcq	%r13, %r13
+        adcq	%r14, %r14
+        adcq	%r15, %r15
+        adcq	$0, %rbx
+        #  A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %rax
+        movq	%rdx, %rdx
+        movq	%rax, %r9
+        movq	%rdx, %r8
+        #  A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %rax
+        movq	%rdx, %rdx
+        addq	%r8, %r10
+        adcq	%rax, %r11
+        adcq	$0, %rdx
+        movq	%rdx, %r8
+        #  A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        movq	%rax, %rax
+        movq	%rdx, %rdx
+        addq	%r8, %r12
+        adcq	%rax, %r13
+        adcq	$0, %rdx
+        movq	%rdx, %r8
+        #  A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r15
+        adcq	%rdx, %rbx
+        addq	%r8, %r14
+        adcq	$0, %r15
+        adcq	$0, %rbx
+        # Start Reduction
+        # mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192
+        #    - a[0] << 32 << 192
+        #   + (a[0] * 2) << 192
+        movq	%r9, %rax
+        movq	%r12, %rdx
+        addq	%r9, %rdx
+        movq	%r10, %rsi
+        addq	%r9, %rdx
+        movq	%r11, %r8
+        #   a[0]-a[2] << 32
+        shlq	$32, %r9
+        shldq	$32, %rsi, %r11
+        shldq	$32, %rax, %r10
+        #   - a[0] << 32 << 192
+        subq	%r9, %rdx
+        #   + a[0]-a[2] << 32 << 64
+        addq	%r9, %rsi
+        adcq	%r10, %r8
+        adcq	%r11, %rdx
+        # a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu
+        #   a += mu << 256
+        xorq	%r9, %r9
+        addq	%rax, %r13
+        adcq	%rsi, %r14
+        adcq	%r8, %r15
+        adcq	%rdx, %rbx
+        sbbq	$0, %r9
+        #   a += mu << 192
+        addq	%rax, %r12
+        adcq	%rsi, %r13
+        adcq	%r8, %r14
+        adcq	%rdx, %r15
+        adcq	$0, %rbx
+        sbbq	$0, %r9
+        # mu <<= 32
+        movq	%rdx, %rcx
+        shldq	$32, %r8, %rdx
+        shldq	$32, %rsi, %r8
+        shldq	$32, %rax, %rsi
+        shrq	$32, %rcx
+        shlq	$32, %rax
+        #   a += (mu << 32) << 64
+        addq	%r8, %r12
+        adcq	%rdx, %r13
+        adcq	%rcx, %r14
+        adcq	$0, %r15
+        adcq	$0, %rbx
+        sbbq	$0, %r9
+        #   a -= (mu << 32) << 192
+        subq	%rax, %r12
+        sbbq	%rsi, %r13
+        sbbq	%r8, %r14
+        sbbq	%rdx, %r15
+        sbbq	%rcx, %rbx
+        adcq	$0, %r9
+        movq	$4294967295, %rax
+        movq	$18446744069414584321, %rsi
+        # mask m and sub from result if overflow
+        #  m[0] = -1 & mask = mask
+        andq	%r9, %rax
+        #  m[2] =  0 & mask = 0
+        andq	%r9, %rsi
+        subq	%r9, %r13
+        sbbq	%rax, %r14
+        sbbq	$0, %r15
+        sbbq	%rsi, %rbx
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        movq	%r15, 16(%rdi)
+        movq	%rbx, 24(%rdi)
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_sqr_4,.-sp_256_mont_sqr_4
+#endif /* __APPLE__ */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_256_cmp_4
+.type	sp_256_cmp_4,@function
+.align	16
+sp_256_cmp_4:
+#else
+.globl	_sp_256_cmp_4
+.p2align	4
+_sp_256_cmp_4:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_cmp_4,.-sp_256_cmp_4
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_256_cond_sub_4
+.type	sp_256_cond_sub_4,@function
+.align	16
+sp_256_cond_sub_4:
+#else
+.globl	_sp_256_cond_sub_4
+.p2align	4
+_sp_256_cond_sub_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	$0, %rax
+        movq	(%rdx), %r12
+        movq	8(%rdx), %r13
+        movq	16(%rdx), %r14
+        movq	24(%rdx), %r15
+        andq	%rcx, %r12
+        andq	%rcx, %r13
+        andq	%rcx, %r14
+        andq	%rcx, %r15
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	%r12, %r8
+        sbbq	%r13, %r9
+        sbbq	%r14, %r10
+        sbbq	%r15, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        sbbq	$0, %rax
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_cond_sub_4,.-sp_256_cond_sub_4
+#endif /* __APPLE__ */
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_sub_4
+.type	sp_256_sub_4,@function
+.align	16
+sp_256_sub_4:
+#else
+.globl	_sp_256_sub_4
+.p2align	4
+_sp_256_sub_4:
+#endif /* __APPLE__ */
+        xorq	%rax, %rax
+        movq	(%rsi), %rcx
+        movq	8(%rsi), %r8
+        movq	16(%rsi), %r9
+        movq	24(%rsi), %r10
+        subq	(%rdx), %rcx
+        sbbq	8(%rdx), %r8
+        sbbq	16(%rdx), %r9
+        sbbq	24(%rdx), %r10
+        movq	%rcx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_sub_4,.-sp_256_sub_4
+#endif /* __APPLE__ */
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_reduce_4
+.type	sp_256_mont_reduce_4,@function
+.align	16
+sp_256_mont_reduce_4:
+#else
+.globl	_sp_256_mont_reduce_4
+.p2align	4
+_sp_256_mont_reduce_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        # i = 0
+        xorq	%r14, %r14
+        movq	$4, %r8
+        movq	%rdi, %r13
+L_mont_loop_4:
+        # mu = a[i] * mp
+        movq	(%r13), %r12
+        imulq	%rcx, %r12
+        # a[i+0] += m[0] * mu
+        movq	(%rsi), %rax
+        movq	8(%rsi), %r10
+        mulq	%r12
+        movq	(%r13), %r15
+        addq	%rax, %r15
+        movq	%rdx, %r9
+        movq	%r15, (%r13)
+        adcq	$0, %r9
+        # a[i+1] += m[1] * mu
+        movq	%r10, %rax
+        mulq	%r12
+        movq	16(%rsi), %r10
+        movq	8(%r13), %r15
+        addq	%r9, %rax
+        movq	%rdx, %r11
+        adcq	$0, %r11
+        addq	%rax, %r15
+        movq	%r15, 8(%r13)
+        adcq	$0, %r11
+        # a[i+2] += m[2] * mu
+        movq	%r10, %rax
+        mulq	%r12
+        movq	24(%rsi), %r10
+        movq	16(%r13), %r15
+        addq	%r11, %rax
+        movq	%rdx, %r9
+        adcq	$0, %r9
+        addq	%rax, %r15
+        movq	%r15, 16(%r13)
+        adcq	$0, %r9
+        # a[i+3] += m[3] * mu
+        movq	%r10, %rax
+        mulq	%r12
+        movq	24(%r13), %r15
+        addq	%r9, %rax
+        adcq	%r14, %rdx
+        movq	$0, %r14
+        adcq	$0, %r14
+        addq	%rax, %r15
+        movq	%r15, 24(%r13)
+        adcq	%rdx, 32(%r13)
+        adcq	$0, %r14
+        # i += 1
+        addq	$8, %r13
+        decq	%r8
+        jnz	L_mont_loop_4
+        xorq	%rax, %rax
+        movq	32(%rdi), %rdx
+        movq	40(%rdi), %r8
+        movq	48(%rdi), %r15
+        movq	56(%rdi), %r9
+        subq	%r14, %rax
+        movq	(%rsi), %r10
+        movq	8(%rsi), %r11
+        movq	16(%rsi), %r12
+        movq	24(%rsi), %r13
+        andq	%rax, %r10
+        andq	%rax, %r11
+        andq	%rax, %r12
+        andq	%rax, %r13
+        subq	%r10, %rdx
+        sbbq	%r11, %r8
+        sbbq	%r12, %r15
+        sbbq	%r13, %r9
+        movq	%rdx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r15, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_reduce_4,.-sp_256_mont_reduce_4
+#endif /* __APPLE__ */
+/* Add two Montgomery form numbers (r = a + b % m).
+ *
+ * r   Result of addition.
+ * a   First number to add in Montogmery form.
+ * b   Second number to add in Montogmery form.
+ * m   Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_add_4
+.type	sp_256_mont_add_4,@function
+.align	16
+sp_256_mont_add_4:
+#else
+.globl	_sp_256_mont_add_4
+.p2align	4
+_sp_256_mont_add_4:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rax
+        movq	8(%rsi), %rcx
+        movq	16(%rsi), %r8
+        movq	24(%rsi), %r9
+        movq	$4294967295, %r10
+        movq	$18446744069414584321, %r11
+        addq	(%rdx), %rax
+        adcq	8(%rdx), %rcx
+        adcq	16(%rdx), %r8
+        movq	$0, %rsi
+        adcq	24(%rdx), %r9
+        sbbq	$0, %rsi
+        andq	%rsi, %r10
+        andq	%rsi, %r11
+        subq	%rsi, %rax
+        sbbq	%r10, %rcx
+        movq	%rax, (%rdi)
+        sbbq	$0, %r8
+        movq	%rcx, 8(%rdi)
+        sbbq	%r11, %r9
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_add_4,.-sp_256_mont_add_4
+#endif /* __APPLE__ */
+/* Double a Montgomery form number (r = a + a % m).
+ *
+ * r   Result of doubling.
+ * a   Number to double in Montogmery form.
+ * m   Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_dbl_4
+.type	sp_256_mont_dbl_4,@function
+.align	16
+sp_256_mont_dbl_4:
+#else
+.globl	_sp_256_mont_dbl_4
+.p2align	4
+_sp_256_mont_dbl_4:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        movq	$4294967295, %r9
+        movq	$18446744069414584321, %r10
+        addq	%rdx, %rdx
+        adcq	%rax, %rax
+        adcq	%rcx, %rcx
+        movq	$0, %r11
+        adcq	%r8, %r8
+        sbbq	$0, %r11
+        andq	%r11, %r9
+        andq	%r11, %r10
+        subq	%r11, %rdx
+        sbbq	%r9, %rax
+        movq	%rdx, (%rdi)
+        sbbq	$0, %rcx
+        movq	%rax, 8(%rdi)
+        sbbq	%r10, %r8
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_dbl_4,.-sp_256_mont_dbl_4
+#endif /* __APPLE__ */
+/* Triple a Montgomery form number (r = a + a + a % m).
+ *
+ * r   Result of Tripling.
+ * a   Number to triple in Montogmery form.
+ * m   Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_tpl_4
+.type	sp_256_mont_tpl_4,@function
+.align	16
+sp_256_mont_tpl_4:
+#else
+.globl	_sp_256_mont_tpl_4
+.p2align	4
+_sp_256_mont_tpl_4:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        movq	$4294967295, %r9
+        movq	$18446744069414584321, %r10
+        addq	%rdx, %rdx
+        adcq	%rax, %rax
+        adcq	%rcx, %rcx
+        movq	$0, %r11
+        adcq	%r8, %r8
+        sbbq	$0, %r11
+        andq	%r11, %r9
+        andq	%r11, %r10
+        subq	%r11, %rdx
+        sbbq	%r9, %rax
+        sbbq	$0, %rcx
+        sbbq	%r10, %r8
+        movq	$4294967295, %r9
+        movq	$18446744069414584321, %r10
+        addq	(%rsi), %rdx
+        adcq	8(%rsi), %rax
+        adcq	16(%rsi), %rcx
+        movq	$0, %r11
+        adcq	24(%rsi), %r8
+        sbbq	$0, %r11
+        andq	%r11, %r9
+        andq	%r11, %r10
+        subq	%r11, %rdx
+        sbbq	%r9, %rax
+        movq	%rdx, (%rdi)
+        sbbq	$0, %rcx
+        movq	%rax, 8(%rdi)
+        sbbq	%r10, %r8
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_tpl_4,.-sp_256_mont_tpl_4
+#endif /* __APPLE__ */
+/* Subtract two Montgomery form numbers (r = a - b % m).
+ *
+ * r   Result of subtration.
+ * a   Number to subtract from in Montogmery form.
+ * b   Number to subtract with in Montogmery form.
+ * m   Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_sub_4
+.type	sp_256_mont_sub_4,@function
+.align	16
+sp_256_mont_sub_4:
+#else
+.globl	_sp_256_mont_sub_4
+.p2align	4
+_sp_256_mont_sub_4:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rax
+        movq	8(%rsi), %rcx
+        movq	16(%rsi), %r8
+        movq	24(%rsi), %r9
+        movq	$4294967295, %r10
+        movq	$18446744069414584321, %r11
+        subq	(%rdx), %rax
+        sbbq	8(%rdx), %rcx
+        sbbq	16(%rdx), %r8
+        movq	$0, %rsi
+        sbbq	24(%rdx), %r9
+        sbbq	$0, %rsi
+        andq	%rsi, %r10
+        andq	%rsi, %r11
+        addq	%rsi, %rax
+        adcq	%r10, %rcx
+        movq	%rax, (%rdi)
+        adcq	$0, %r8
+        movq	%rcx, 8(%rdi)
+        adcq	%r11, %r9
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_sub_4,.-sp_256_mont_sub_4
+#endif /* __APPLE__ */
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_256_div2_4
+.type	sp_256_div2_4,@function
+.align	16
+sp_256_div2_4:
+#else
+.globl	_sp_256_div2_4
+.p2align	4
+_sp_256_div2_4:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rax
+        movq	16(%rsi), %rcx
+        movq	24(%rsi), %r8
+        movq	$4294967295, %r9
+        movq	$18446744069414584321, %r10
+        movq	%rdx, %r11
+        andq	$1, %r11
+        negq	%r11
+        andq	%r11, %r9
+        andq	%r11, %r10
+        addq	%r11, %rdx
+        adcq	%r9, %rax
+        adcq	$0, %rcx
+        adcq	%r10, %r8
+        movq	$0, %r11
+        adcq	$0, %r11
+        shrdq	$1, %rax, %rdx
+        shrdq	$1, %rcx, %rax
+        shrdq	$1, %r8, %rcx
+        shrdq	$1, %r11, %r8
+        movq	%rdx, (%rdi)
+        movq	%rax, 8(%rdi)
+        movq	%rcx, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_div2_4,.-sp_256_div2_4
+#endif /* __APPLE__ */
+/* Multiply two Montogmery form numbers mod the modulus (prime).
+ * (r = a * b mod m)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply in Montogmery form.
+ * b   Second number to multiply in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_mul_avx2_4
+.type	sp_256_mont_mul_avx2_4,@function
+.align	16
+sp_256_mont_mul_avx2_4:
+#else
+.globl	_sp_256_mont_mul_avx2_4
+.p2align	4
+_sp_256_mont_mul_avx2_4:
+#endif /* __APPLE__ */
+        push	%rbx
+        push	%rbp
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rbp
+        #  A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rsi), %r8, %r9
+        #  A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        #  A[1] * B[0]
+        mulxq	8(%rsi), %rax, %rcx
+        xorq	%r15, %r15
+        adcxq	%rax, %r9
+        #  A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rcx, %r10
+        #  A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%rax, %r9
+        #  A[2] * B[1]
+        mulxq	16(%rsi), %rax, %r14
+        adoxq	%rcx, %r10
+        adcxq	%rax, %r11
+        #  A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rsi), %rax, %rcx
+        adcxq	%r14, %r12
+        adoxq	%rax, %r11
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        #  A[0] * B[2]
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rax, %r10
+        #  A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rsi), %rdx, %rax
+        adcxq	%rcx, %r11
+        adoxq	%rdx, %r10
+        #  A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rax, %r11
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        #  A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rax
+        adcxq	%rcx, %r13
+        adoxq	%rdx, %r12
+        #  A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rax, %r13
+        mulxq	24(%rsi), %rax, %rcx
+        adoxq	%r15, %r14
+        adcxq	%rax, %r14
+        #  A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rax
+        adcxq	%rcx, %r15
+        xorq	%rcx, %rcx
+        adcxq	%rdx, %r11
+        #  A[3] * B[0]
+        movq	24(%rsi), %rdx
+        adcxq	%rax, %r12
+        mulxq	(%rbp), %rbx, %rax
+        adoxq	%rbx, %r11
+        adoxq	%rax, %r12
+        #  A[3] * B[2]
+        mulxq	16(%rbp), %rdx, %rax
+        adcxq	%rdx, %r13
+        #  A[2] * B[3]
+        movq	24(%rbp), %rdx
+        adcxq	%rax, %r14
+        mulxq	16(%rsi), %rax, %rdx
+        adcxq	%rcx, %r15
+        adoxq	%rax, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rcx, %r15
+        # Start Reduction
+        # mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192
+        #    - a[0] << 32 << 192
+        #   + (a[0] * 2) << 192
+        movq	%r8, %rax
+        movq	%r11, %rdx
+        addq	%r8, %rdx
+        movq	%r9, %rsi
+        addq	%r8, %rdx
+        movq	%r10, %rbp
+        #   a[0]-a[2] << 32
+        shlq	$32, %r8
+        shldq	$32, %rsi, %r10
+        shldq	$32, %rax, %r9
+        #   - a[0] << 32 << 192
+        subq	%r8, %rdx
+        #   + a[0]-a[2] << 32 << 64
+        addq	%r8, %rsi
+        adcq	%r9, %rbp
+        adcq	%r10, %rdx
+        # a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu
+        #   a += mu << 256
+        xorq	%r8, %r8
+        addq	%rax, %r12
+        adcq	%rsi, %r13
+        adcq	%rbp, %r14
+        adcq	%rdx, %r15
+        sbbq	$0, %r8
+        #   a += mu << 192
+        addq	%rax, %r11
+        adcq	%rsi, %r12
+        adcq	%rbp, %r13
+        adcq	%rdx, %r14
+        adcq	$0, %r15
+        sbbq	$0, %r8
+        # mu <<= 32
+        movq	%rdx, %rcx
+        shldq	$32, %rbp, %rdx
+        shldq	$32, %rsi, %rbp
+        shldq	$32, %rax, %rsi
+        shrq	$32, %rcx
+        shlq	$32, %rax
+        #   a += (mu << 32) << 64
+        addq	%rbp, %r11
+        adcq	%rdx, %r12
+        adcq	%rcx, %r13
+        adcq	$0, %r14
+        adcq	$0, %r15
+        sbbq	$0, %r8
+        #   a -= (mu << 32) << 192
+        subq	%rax, %r11
+        sbbq	%rsi, %r12
+        sbbq	%rbp, %r13
+        sbbq	%rdx, %r14
+        sbbq	%rcx, %r15
+        adcq	$0, %r8
+        movq	$4294967295, %rax
+        movq	$18446744069414584321, %rsi
+        # mask m and sub from result if overflow
+        #  m[0] = -1 & mask = mask
+        andq	%r8, %rax
+        #  m[2] =  0 & mask = 0
+        andq	%r8, %rsi
+        subq	%r8, %r12
+        sbbq	%rax, %r13
+        sbbq	$0, %r14
+        sbbq	%rsi, %r15
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        pop	%rbp
+        pop	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_mul_avx2_4,.-sp_256_mont_mul_avx2_4
+#endif /* __APPLE__ */
+/* Square the Montgomery form number mod the modulus (prime). (r = a * a mod m)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ * m   Modulus (prime).
+ * mp  Montogmery mulitplier.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_sqr_avx2_4
+.type	sp_256_mont_sqr_avx2_4,@function
+.align	16
+sp_256_mont_sqr_avx2_4:
+#else
+.globl	_sp_256_mont_sqr_avx2_4
+.p2align	4
+_sp_256_mont_sqr_avx2_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        movq	16(%rsi), %r15
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	%r15, %rdx
+        mulxq	8(%rsi), %rcx, %rbx
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        adoxq	%rbx, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rbx
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        adoxq	%r15, %r13
+        mulxq	24(%rsi), %rax, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        adcxq	%rbx, %r11
+        adcxq	%rax, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rax
+        adcxq	%r9, %r9
+        adcxq	%r10, %r10
+        adoxq	%rax, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rbx, %r11
+        adcxq	%r13, %r13
+        adoxq	%rax, %r12
+        adcxq	%r14, %r14
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rax, %r14
+        adoxq	%rbx, %r15
+        # Start Reduction
+        # mu = a[0]-a[3] + a[0]-a[2] << 32 << 64 + (a[0] * 2) << 192
+        #    - a[0] << 32 << 192
+        #   + (a[0] * 2) << 192
+        movq	%r8, %rax
+        movq	%r11, %rdx
+        addq	%r8, %rdx
+        movq	%r9, %rsi
+        addq	%r8, %rdx
+        movq	%r10, %rcx
+        #   a[0]-a[2] << 32
+        shlq	$32, %r8
+        shldq	$32, %rsi, %r10
+        shldq	$32, %rax, %r9
+        #   - a[0] << 32 << 192
+        subq	%r8, %rdx
+        #   + a[0]-a[2] << 32 << 64
+        addq	%r8, %rsi
+        adcq	%r9, %rcx
+        adcq	%r10, %rdx
+        # a += (mu << 256) - (mu << 224) + (mu << 192) + (mu << 96) - mu
+        #   a += mu << 256
+        xorq	%r8, %r8
+        addq	%rax, %r12
+        adcq	%rsi, %r13
+        adcq	%rcx, %r14
+        adcq	%rdx, %r15
+        sbbq	$0, %r8
+        #   a += mu << 192
+        addq	%rax, %r11
+        adcq	%rsi, %r12
+        adcq	%rcx, %r13
+        adcq	%rdx, %r14
+        adcq	$0, %r15
+        sbbq	$0, %r8
+        # mu <<= 32
+        movq	%rdx, %rbx
+        shldq	$32, %rcx, %rdx
+        shldq	$32, %rsi, %rcx
+        shldq	$32, %rax, %rsi
+        shrq	$32, %rbx
+        shlq	$32, %rax
+        #   a += (mu << 32) << 64
+        addq	%rcx, %r11
+        adcq	%rdx, %r12
+        adcq	%rbx, %r13
+        adcq	$0, %r14
+        adcq	$0, %r15
+        sbbq	$0, %r8
+        #   a -= (mu << 32) << 192
+        subq	%rax, %r11
+        sbbq	%rsi, %r12
+        sbbq	%rcx, %r13
+        sbbq	%rdx, %r14
+        sbbq	%rbx, %r15
+        adcq	$0, %r8
+        movq	$4294967295, %rax
+        movq	$18446744069414584321, %rsi
+        # mask m and sub from result if overflow
+        #  m[0] = -1 & mask = mask
+        andq	%r8, %rax
+        #  m[2] =  0 & mask = 0
+        andq	%r8, %rsi
+        subq	%r8, %r12
+        sbbq	%rax, %r13
+        sbbq	$0, %r14
+        sbbq	%rsi, %r15
+        movq	%r12, (%rdi)
+        movq	%r13, 8(%rdi)
+        movq	%r14, 16(%rdi)
+        movq	%r15, 24(%rdi)
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_sqr_avx2_4,.-sp_256_mont_sqr_avx2_4
+#endif /* __APPLE__ */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_add_one_4
+.type	sp_256_add_one_4,@function
+.align	16
+sp_256_add_one_4:
+#else
+.globl	_sp_256_add_one_4
+.p2align	4
+_sp_256_add_one_4:
+#endif /* __APPLE__ */
+        addq	$1, (%rdi)
+        adcq	$0, 8(%rdi)
+        adcq	$0, 16(%rdi)
+        adcq	$0, 24(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_add_one_4,.-sp_256_add_one_4
+#endif /* __APPLE__ */
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+#ifndef __APPLE__
+.globl	sp_256_from_bin
+.type	sp_256_from_bin,@function
+.align	16
+sp_256_from_bin:
+#else
+.globl	_sp_256_from_bin
+.p2align	4
+_sp_256_from_bin:
+#endif /* __APPLE__ */
+        movq	%rdx, %r9
+        movq	%rdi, %r10
+        addq	%rcx, %r9
+        addq	$32, %r10
+        xorq	%r11, %r11
+        jmp	L_256_from_bin_64_end
+L_256_from_bin_64_start:
+        subq	$64, %r9
+        movbeq	56(%r9), %rax
+        movbeq	48(%r9), %r8
+        movq	%rax, (%rdi)
+        movq	%r8, 8(%rdi)
+        movbeq	40(%r9), %rax
+        movbeq	32(%r9), %r8
+        movq	%rax, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        movbeq	24(%r9), %rax
+        movbeq	16(%r9), %r8
+        movq	%rax, 32(%rdi)
+        movq	%r8, 40(%rdi)
+        movbeq	8(%r9), %rax
+        movbeq	(%r9), %r8
+        movq	%rax, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        addq	$64, %rdi
+        subq	$64, %rcx
+L_256_from_bin_64_end:
+        cmpq	$63, %rcx
+        jg	L_256_from_bin_64_start
+        jmp	L_256_from_bin_8_end
+L_256_from_bin_8_start:
+        subq	$8, %r9
+        movbeq	(%r9), %rax
+        movq	%rax, (%rdi)
+        addq	$8, %rdi
+        subq	$8, %rcx
+L_256_from_bin_8_end:
+        cmpq	$7, %rcx
+        jg	L_256_from_bin_8_start
+        cmpq	%r11, %rcx
+        je	L_256_from_bin_hi_end
+        movq	%r11, %r8
+        movq	%r11, %rax
+L_256_from_bin_hi_start:
+        movb	(%rdx), %al
+        shlq	$8, %r8
+        incq	%rdx
+        addq	%rax, %r8
+        decq	%rcx
+        jg	L_256_from_bin_hi_start
+        movq	%r8, (%rdi)
+        addq	$8, %rdi
+L_256_from_bin_hi_end:
+        cmpq	%r10, %rdi
+        je	L_256_from_bin_zero_end
+L_256_from_bin_zero_start:
+        movq	%r11, (%rdi)
+        addq	$8, %rdi
+        cmpq	%r10, %rdi
+        jl	L_256_from_bin_zero_start
+L_256_from_bin_zero_end:
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_from_bin,.-sp_256_from_bin
+#endif /* __APPLE__ */
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 32
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+#ifndef __APPLE__
+.globl	sp_256_to_bin
+.type	sp_256_to_bin,@function
+.align	16
+sp_256_to_bin:
+#else
+.globl	_sp_256_to_bin
+.p2align	4
+_sp_256_to_bin:
+#endif /* __APPLE__ */
+        movbeq	24(%rdi), %rdx
+        movbeq	16(%rdi), %rax
+        movq	%rdx, (%rsi)
+        movq	%rax, 8(%rsi)
+        movbeq	8(%rdi), %rdx
+        movbeq	(%rdi), %rax
+        movq	%rdx, 16(%rsi)
+        movq	%rax, 24(%rsi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_to_bin,.-sp_256_to_bin
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_add_4
+.type	sp_256_add_4,@function
+.align	16
+sp_256_add_4:
+#else
+.globl	_sp_256_add_4
+.p2align	4
+_sp_256_add_4:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	%r8, 24(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_add_4,.-sp_256_add_4
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mul_4
+.type	sp_256_mul_4,@function
+.align	16
+sp_256_mul_4:
+#else
+.globl	_sp_256_mul_4
+.p2align	4
+_sp_256_mul_4:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        subq	$32, %rsp
+        # A[0] * B[0]
+        movq	(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        movq	%rax, (%rsp)
+        movq	%rdx, %r9
+        # A[0] * B[1]
+        movq	8(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[0]
+        movq	(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 8(%rsp)
+        # A[0] * B[2]
+        movq	16(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[1]
+        movq	8(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[0]
+        movq	(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 16(%rsp)
+        # A[0] * B[3]
+        movq	24(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[2]
+        movq	16(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[1]
+        movq	8(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[0]
+        movq	(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 24(%rsp)
+        # A[1] * B[3]
+        movq	24(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[2]
+        movq	16(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[1]
+        movq	8(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 32(%rdi)
+        # A[2] * B[3]
+        movq	24(%rcx), %rax
+        mulq	16(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[2]
+        movq	16(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 40(%rdi)
+        # A[3] * B[3]
+        movq	24(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r8
+        movq	24(%rsp), %r9
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        addq	$32, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mul_4,.-sp_256_mul_4
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply.
+ * b   Second number to multiply.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mul_avx2_4
+.type	sp_256_mul_avx2_4,@function
+.align	16
+sp_256_mul_avx2_4:
+#else
+.globl	_sp_256_mul_avx2_4
+.p2align	4
+_sp_256_mul_avx2_4:
+#endif /* __APPLE__ */
+        push	%rbx
+        push	%rbp
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rbp
+        #  A[0] * B[0]
+        movq	(%rbp), %rdx
+        mulxq	(%rsi), %r8, %r9
+        #  A[2] * B[0]
+        mulxq	16(%rsi), %r10, %r11
+        #  A[1] * B[0]
+        mulxq	8(%rsi), %rax, %rcx
+        xorq	%r15, %r15
+        adcxq	%rax, %r9
+        #  A[1] * B[3]
+        movq	24(%rbp), %rdx
+        mulxq	8(%rsi), %r12, %r13
+        adcxq	%rcx, %r10
+        #  A[0] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%rax, %r9
+        #  A[2] * B[1]
+        mulxq	16(%rsi), %rax, %r14
+        adoxq	%rcx, %r10
+        adcxq	%rax, %r11
+        #  A[1] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	8(%rsi), %rax, %rcx
+        adcxq	%r14, %r12
+        adoxq	%rax, %r11
+        adcxq	%r15, %r13
+        adoxq	%rcx, %r12
+        #  A[0] * B[2]
+        mulxq	(%rsi), %rax, %rcx
+        adoxq	%r15, %r13
+        xorq	%r14, %r14
+        adcxq	%rax, %r10
+        #  A[1] * B[1]
+        movq	8(%rbp), %rdx
+        mulxq	8(%rsi), %rdx, %rax
+        adcxq	%rcx, %r11
+        adoxq	%rdx, %r10
+        #  A[3] * B[1]
+        movq	8(%rbp), %rdx
+        adoxq	%rax, %r11
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        #  A[2] * B[2]
+        movq	16(%rbp), %rdx
+        mulxq	16(%rsi), %rdx, %rax
+        adcxq	%rcx, %r13
+        adoxq	%rdx, %r12
+        #  A[3] * B[3]
+        movq	24(%rbp), %rdx
+        adoxq	%rax, %r13
+        mulxq	24(%rsi), %rax, %rcx
+        adoxq	%r15, %r14
+        adcxq	%rax, %r14
+        #  A[0] * B[3]
+        mulxq	(%rsi), %rdx, %rax
+        adcxq	%rcx, %r15
+        xorq	%rcx, %rcx
+        adcxq	%rdx, %r11
+        #  A[3] * B[0]
+        movq	24(%rsi), %rdx
+        adcxq	%rax, %r12
+        mulxq	(%rbp), %rbx, %rax
+        adoxq	%rbx, %r11
+        adoxq	%rax, %r12
+        #  A[3] * B[2]
+        mulxq	16(%rbp), %rdx, %rax
+        adcxq	%rdx, %r13
+        #  A[2] * B[3]
+        movq	24(%rbp), %rdx
+        adcxq	%rax, %r14
+        mulxq	16(%rsi), %rax, %rdx
+        adcxq	%rcx, %r15
+        adoxq	%rax, %r13
+        adoxq	%rdx, %r14
+        adoxq	%rcx, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        pop	%rbp
+        pop	%rbx
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mul_avx2_4,.-sp_256_mul_avx2_4
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_sub_in_place_4
+.type	sp_256_sub_in_place_4,@function
+.align	16
+sp_256_sub_in_place_4:
+#else
+.globl	_sp_256_sub_in_place_4
+.p2align	4
+_sp_256_sub_in_place_4:
+#endif /* __APPLE__ */
+        xorq	%rax, %rax
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rcx
+        movq	16(%rsi), %r8
+        movq	24(%rsi), %r9
+        subq	%rdx, (%rdi)
+        sbbq	%rcx, 8(%rdi)
+        sbbq	%r8, 16(%rdi)
+        sbbq	%r9, 24(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_sub_in_place_4,.-sp_256_sub_in_place_4
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_256_cond_sub_avx2_4
+.type	sp_256_cond_sub_avx2_4,@function
+.align	16
+sp_256_cond_sub_avx2_4:
+#else
+.globl	_sp_256_cond_sub_avx2_4
+.p2align	4
+_sp_256_cond_sub_avx2_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	$0, %rax
+        movq	(%rdx), %r12
+        movq	8(%rdx), %r13
+        movq	16(%rdx), %r14
+        movq	24(%rdx), %r15
+        andq	%rcx, %r12
+        andq	%rcx, %r13
+        andq	%rcx, %r14
+        andq	%rcx, %r15
+        movq	(%rsi), %r8
+        movq	8(%rsi), %r9
+        movq	16(%rsi), %r10
+        movq	24(%rsi), %r11
+        subq	%r12, %r8
+        sbbq	%r13, %r9
+        sbbq	%r14, %r10
+        sbbq	%r15, %r11
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        sbbq	$0, %rax
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_cond_sub_avx2_4,.-sp_256_cond_sub_avx2_4
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mul_d_4
+.type	sp_256_mul_d_4,@function
+.align	16
+sp_256_mul_d_4:
+#else
+.globl	_sp_256_mul_d_4
+.p2align	4
+_sp_256_mul_d_4:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 24(%rdi)
+        movq	%r9, 32(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mul_d_4,.-sp_256_mul_d_4
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mul_d_avx2_4
+.type	sp_256_mul_d_avx2_4,@function
+.align	16
+sp_256_mul_d_avx2_4:
+#else
+.globl	_sp_256_mul_d_avx2_4
+.p2align	4
+_sp_256_mul_d_avx2_4:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 24(%rdi)
+        movq	%r9, 32(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mul_d_avx2_4,.-sp_256_mul_d_avx2_4
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_256_sqr_4
+.type	sp_256_sqr_4,@function
+.align	16
+sp_256_sqr_4:
+#else
+.globl	_sp_256_sqr_4
+.p2align	4
+_sp_256_sqr_4:
+#endif /* __APPLE__ */
+        push	%r12
+        subq	$32, %rsp
+        # A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        xorq	%r9, %r9
+        movq	%rax, (%rsp)
+        movq	%rdx, %r8
+        # A[0] * A[1]
+        movq	8(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 8(%rsp)
+        # A[0] * A[2]
+        movq	16(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 16(%rsp)
+        # A[0] * A[3]
+        movq	24(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * A[2]
+        movq	16(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 24(%rsp)
+        # A[1] * A[3]
+        movq	24(%rsi), %rax
+        mulq	8(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 32(%rdi)
+        # A[2] * A[3]
+        movq	24(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 40(%rdi)
+        # A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        movq	%rcx, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r10
+        movq	24(%rsp), %r11
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        addq	$32, %rsp
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_sqr_4,.-sp_256_sqr_4
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ */
+#ifndef __APPLE__
+.globl	sp_256_sqr_avx2_4
+.type	sp_256_sqr_avx2_4,@function
+.align	16
+sp_256_sqr_avx2_4:
+#else
+.globl	_sp_256_sqr_avx2_4
+.p2align	4
+_sp_256_sqr_avx2_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        # A[0] * A[1]
+        movq	(%rsi), %rdx
+        movq	16(%rsi), %r15
+        mulxq	8(%rsi), %r9, %r10
+        # A[0] * A[3]
+        mulxq	24(%rsi), %r11, %r12
+        # A[2] * A[1]
+        movq	%r15, %rdx
+        mulxq	8(%rsi), %rcx, %rbx
+        # A[2] * A[3]
+        mulxq	24(%rsi), %r13, %r14
+        xorq	%r15, %r15
+        adoxq	%rcx, %r11
+        adoxq	%rbx, %r12
+        # A[2] * A[0]
+        mulxq	(%rsi), %rcx, %rbx
+        # A[1] * A[3]
+        movq	8(%rsi), %rdx
+        adoxq	%r15, %r13
+        mulxq	24(%rsi), %rax, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r15, %r14
+        adcxq	%rbx, %r11
+        adcxq	%rax, %r12
+        adcxq	%r8, %r13
+        adcxq	%r15, %r14
+        # Double with Carry Flag
+        xorq	%r15, %r15
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %r8, %rax
+        adcxq	%r9, %r9
+        adcxq	%r10, %r10
+        adoxq	%rax, %r9
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rcx, %rbx
+        adcxq	%r11, %r11
+        adoxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adcxq	%r12, %r12
+        adoxq	%rbx, %r11
+        adcxq	%r13, %r13
+        adoxq	%rax, %r12
+        adcxq	%r14, %r14
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rbx
+        adoxq	%rcx, %r13
+        adcxq	%r15, %r15
+        adoxq	%rax, %r14
+        adoxq	%rbx, %r15
+        movq	%r8, (%rdi)
+        movq	%r9, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	%r12, 32(%rdi)
+        movq	%r13, 40(%rdi)
+        movq	%r14, 48(%rdi)
+        movq	%r15, 56(%rdi)
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_sqr_avx2_4,.-sp_256_sqr_avx2_4
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 256 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_256_mont_reduce_avx2_4
+.type	sp_256_mont_reduce_avx2_4,@function
+.align	16
+sp_256_mont_reduce_avx2_4:
+#else
+.globl	_sp_256_mont_reduce_avx2_4
+.p2align	4
+_sp_256_mont_reduce_avx2_4:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        movq	%rdx, %rax
+        movq	(%rdi), %r12
+        movq	8(%rdi), %r13
+        movq	16(%rdi), %r14
+        movq	24(%rdi), %r15
+        xorq	%r11, %r11
+        xorq	%r10, %r10
+        # a[0-4] += m[0-3] * mu = m[0-3] * (a[0] * mp)
+        movq	32(%rdi), %rbx
+        #   mu = a[0] * mp
+        movq	%r12, %rdx
+        mulxq	%rax, %rdx, %rcx
+        #   a[0] += m[0] * mu
+        mulx	(%rsi), %r8, %r9
+        adcxq	%r8, %r12
+        #   a[1] += m[1] * mu
+        mulx	8(%rsi), %r8, %rcx
+        adoxq	%r9, %r13
+        adcxq	%r8, %r13
+        #   a[2] += m[2] * mu
+        mulx	16(%rsi), %r8, %r9
+        adoxq	%rcx, %r14
+        adcxq	%r8, %r14
+        #   a[3] += m[3] * mu
+        mulx	24(%rsi), %r8, %rcx
+        adoxq	%r9, %r15
+        adcxq	%r8, %r15
+        #   a[4] += carry
+        adoxq	%rcx, %rbx
+        adcxq	%r10, %rbx
+        #   carry
+        adoxq	%r10, %r11
+        adcxq	%r10, %r11
+        # a[1-5] += m[0-3] * mu = m[0-3] * (a[1] * mp)
+        movq	40(%rdi), %r12
+        #   mu = a[1] * mp
+        movq	%r13, %rdx
+        mulxq	%rax, %rdx, %rcx
+        #   a[1] += m[0] * mu
+        mulx	(%rsi), %r8, %r9
+        adcxq	%r8, %r13
+        #   a[2] += m[1] * mu
+        mulx	8(%rsi), %r8, %rcx
+        adoxq	%r9, %r14
+        adcxq	%r8, %r14
+        #   a[3] += m[2] * mu
+        mulx	16(%rsi), %r8, %r9
+        adoxq	%rcx, %r15
+        adcxq	%r8, %r15
+        #   a[4] += m[3] * mu
+        mulx	24(%rsi), %r8, %rcx
+        adoxq	%r9, %rbx
+        adcxq	%r8, %rbx
+        #   a[5] += carry
+        adoxq	%rcx, %r12
+        adcxq	%r11, %r12
+        movq	%r10, %r11
+        #   carry
+        adoxq	%r10, %r11
+        adcxq	%r10, %r11
+        # a[2-6] += m[0-3] * mu = m[0-3] * (a[2] * mp)
+        movq	48(%rdi), %r13
+        #   mu = a[2] * mp
+        movq	%r14, %rdx
+        mulxq	%rax, %rdx, %rcx
+        #   a[2] += m[0] * mu
+        mulx	(%rsi), %r8, %r9
+        adcxq	%r8, %r14
+        #   a[3] += m[1] * mu
+        mulx	8(%rsi), %r8, %rcx
+        adoxq	%r9, %r15
+        adcxq	%r8, %r15
+        #   a[4] += m[2] * mu
+        mulx	16(%rsi), %r8, %r9
+        adoxq	%rcx, %rbx
+        adcxq	%r8, %rbx
+        #   a[5] += m[3] * mu
+        mulx	24(%rsi), %r8, %rcx
+        adoxq	%r9, %r12
+        adcxq	%r8, %r12
+        #   a[6] += carry
+        adoxq	%rcx, %r13
+        adcxq	%r11, %r13
+        movq	%r10, %r11
+        #   carry
+        adoxq	%r10, %r11
+        adcxq	%r10, %r11
+        # a[3-7] += m[0-3] * mu = m[0-3] * (a[3] * mp)
+        movq	56(%rdi), %r14
+        #   mu = a[3] * mp
+        movq	%r15, %rdx
+        mulxq	%rax, %rdx, %rcx
+        #   a[3] += m[0] * mu
+        mulx	(%rsi), %r8, %r9
+        adcxq	%r8, %r15
+        #   a[4] += m[1] * mu
+        mulx	8(%rsi), %r8, %rcx
+        adoxq	%r9, %rbx
+        adcxq	%r8, %rbx
+        #   a[5] += m[2] * mu
+        mulx	16(%rsi), %r8, %r9
+        adoxq	%rcx, %r12
+        adcxq	%r8, %r12
+        #   a[6] += m[3] * mu
+        mulx	24(%rsi), %r8, %rcx
+        adoxq	%r9, %r13
+        adcxq	%r8, %r13
+        #   a[7] += carry
+        adoxq	%rcx, %r14
+        adcxq	%r11, %r14
+        movq	%r10, %r11
+        #   carry
+        adoxq	%r10, %r11
+        adcxq	%r10, %r11
+        # Subtract mod if carry
+        negq	%r11
+        movq	$17562291160714782033, %r8
+        movq	$13611842547513532036, %r9
+        movq	$18446744069414584320, %rdx
+        andq	%r11, %r8
+        andq	%r11, %r9
+        andq	%r11, %rdx
+        subq	%r8, %rbx
+        sbbq	%r9, %r12
+        sbbq	%r11, %r13
+        sbbq	%rdx, %r14
+        movq	%rbx, (%rdi)
+        movq	%r12, 8(%rdi)
+        movq	%r13, 16(%rdi)
+        movq	%r14, 24(%rdi)
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_256_mont_reduce_avx2_4,.-sp_256_mont_reduce_avx2_4
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* !WOLFSSL_SP_NO_256 */
+#ifdef WOLFSSL_SP_384
+/* Conditionally copy a into r using the mask m.
+ * m is -1 to copy and 0 when not.
+ *
+ * r  A single precision number to copy over.
+ * a  A single precision number to copy.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_384_cond_copy_6
+.type	sp_384_cond_copy_6,@function
+.align	16
+sp_384_cond_copy_6:
+#else
+.globl	_sp_384_cond_copy_6
+.p2align	4
+_sp_384_cond_copy_6:
+#endif /* __APPLE__ */
+        movq	(%rdi), %rax
+        movq	8(%rdi), %rcx
+        movq	16(%rdi), %r8
+        movq	24(%rdi), %r9
+        movq	32(%rdi), %r10
+        movq	40(%rdi), %r11
+        xorq	(%rsi), %rax
+        xorq	8(%rsi), %rcx
+        xorq	16(%rsi), %r8
+        xorq	24(%rsi), %r9
+        xorq	32(%rsi), %r10
+        xorq	40(%rsi), %r11
+        andq	%rdx, %rax
+        andq	%rdx, %rcx
+        andq	%rdx, %r8
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        andq	%rdx, %r11
+        xorq	%rax, (%rdi)
+        xorq	%rcx, 8(%rdi)
+        xorq	%r8, 16(%rdi)
+        xorq	%r9, 24(%rdi)
+        xorq	%r10, 32(%rdi)
+        xorq	%r11, 40(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_cond_copy_6,.-sp_384_cond_copy_6
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mul_6
+.type	sp_384_mul_6,@function
+.align	16
+sp_384_mul_6:
+#else
+.globl	_sp_384_mul_6
+.p2align	4
+_sp_384_mul_6:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        subq	$48, %rsp
+        # A[0] * B[0]
+        movq	(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        movq	%rax, (%rsp)
+        movq	%rdx, %r9
+        # A[0] * B[1]
+        movq	8(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[0]
+        movq	(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 8(%rsp)
+        # A[0] * B[2]
+        movq	16(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[1]
+        movq	8(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[0]
+        movq	(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 16(%rsp)
+        # A[0] * B[3]
+        movq	24(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[1] * B[2]
+        movq	16(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[1]
+        movq	8(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[0]
+        movq	(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 24(%rsp)
+        # A[0] * B[4]
+        movq	32(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[1] * B[3]
+        movq	24(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B[2]
+        movq	16(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[1]
+        movq	8(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[0]
+        movq	(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 32(%rsp)
+        # A[0] * B[5]
+        movq	40(%rcx), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * B[4]
+        movq	32(%rcx), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * B[3]
+        movq	24(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B[2]
+        movq	16(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[1]
+        movq	8(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[0]
+        movq	(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 40(%rsp)
+        # A[1] * B[5]
+        movq	40(%rcx), %rax
+        mulq	8(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[2] * B[4]
+        movq	32(%rcx), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[3] * B[3]
+        movq	24(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B[2]
+        movq	16(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[1]
+        movq	8(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 48(%rdi)
+        # A[2] * B[5]
+        movq	40(%rcx), %rax
+        mulq	16(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[3] * B[4]
+        movq	32(%rcx), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[4] * B[3]
+        movq	24(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B[2]
+        movq	16(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        movq	%r9, 56(%rdi)
+        # A[3] * B[5]
+        movq	40(%rcx), %rax
+        mulq	24(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[4] * B[4]
+        movq	32(%rcx), %rax
+        mulq	32(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[5] * B[3]
+        movq	24(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%r10, 64(%rdi)
+        # A[4] * B[5]
+        movq	40(%rcx), %rax
+        mulq	32(%rsi)
+        xorq	%r10, %r10
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[5] * B[4]
+        movq	32(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        movq	%r8, 72(%rdi)
+        # A[5] * B[5]
+        movq	40(%rcx), %rax
+        mulq	40(%rsi)
+        addq	%rax, %r9
+        adcq	%rdx, %r10
+        movq	%r9, 80(%rdi)
+        movq	%r10, 88(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r8
+        movq	24(%rsp), %r9
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r8, 16(%rdi)
+        movq	%r9, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        addq	$48, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mul_6,.-sp_384_mul_6
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_384_cond_sub_6
+.type	sp_384_cond_sub_6,@function
+.align	16
+sp_384_cond_sub_6:
+#else
+.globl	_sp_384_cond_sub_6
+.p2align	4
+_sp_384_cond_sub_6:
+#endif /* __APPLE__ */
+        subq	$48, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        subq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        sbbq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        sbbq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	%r9, 40(%rdi)
+        sbbq	$0, %rax
+        addq	$48, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_cond_sub_6,.-sp_384_cond_sub_6
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mont_reduce_6
+.type	sp_384_mont_reduce_6,@function
+.align	16
+sp_384_mont_reduce_6:
+#else
+.globl	_sp_384_mont_reduce_6
+.p2align	4
+_sp_384_mont_reduce_6:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        push	%rbp
+        movq	(%rdi), %r11
+        movq	8(%rdi), %r12
+        movq	16(%rdi), %r13
+        movq	24(%rdi), %r14
+        movq	32(%rdi), %r15
+        movq	40(%rdi), %rsi
+        xorq	%r10, %r10
+        # a[0-7] += m[0-5] * mu[0..1] = m[0-5] * (a[0..1] * mp)
+        movq	48(%rdi), %rbx
+        movq	56(%rdi), %rbp
+        movq	%r11, %rdx
+        movq	%r12, %rax
+        shldq	$32, %rdx, %rax
+        shlq	$32, %rdx
+        addq	%r11, %rdx
+        adcq	%r12, %rax
+        addq	%r11, %rax
+        movq	%rdx, %rcx
+        movq	%rax, %r8
+        movq	%rax, %r9
+        shldq	$32, %rcx, %r8
+        shlq	$32, %rcx
+        shrq	$32, %r9
+        addq	%rcx, %r11
+        adcq	%r8, %r12
+        adcq	%r9, %r13
+        adcq	$0, %r14
+        adcq	$0, %r15
+        adcq	$0, %rsi
+        adcq	%rdx, %rbx
+        adcq	%rax, %rbp
+        adcq	$0, %r10
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	%rax, %r9
+        movq	$0, %rax
+        adcq	$0, %rax
+        subq	%r8, %r13
+        sbbq	%r9, %r14
+        sbbq	%rax, %r15
+        sbbq	$0, %rsi
+        sbbq	$0, %rbx
+        sbbq	$0, %rbp
+        sbbq	$0, %r10
+        # a[2-9] += m[0-5] * mu[0..1] = m[0-5] * (a[2..3] * mp)
+        movq	64(%rdi), %r11
+        movq	72(%rdi), %r12
+        movq	%r13, %rdx
+        movq	%r14, %rax
+        shldq	$32, %rdx, %rax
+        shlq	$32, %rdx
+        addq	%r13, %rdx
+        adcq	%r14, %rax
+        addq	%r13, %rax
+        movq	%rdx, %rcx
+        movq	%rax, %r8
+        movq	%rax, %r9
+        shldq	$32, %rcx, %r8
+        shlq	$32, %rcx
+        shrq	$32, %r9
+        addq	%r10, %r11
+        adcq	$0, %r12
+        movq	$0, %r10
+        adcq	$0, %r10
+        addq	%rcx, %r13
+        adcq	%r8, %r14
+        adcq	%r9, %r15
+        adcq	$0, %rsi
+        adcq	$0, %rbx
+        adcq	$0, %rbp
+        adcq	%rdx, %r11
+        adcq	%rax, %r12
+        adcq	$0, %r10
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	%rax, %r9
+        movq	$0, %rax
+        adcq	$0, %rax
+        subq	%r8, %r15
+        sbbq	%r9, %rsi
+        sbbq	%rax, %rbx
+        sbbq	$0, %rbp
+        sbbq	$0, %r11
+        sbbq	$0, %r12
+        sbbq	$0, %r10
+        # a[4-11] += m[0-5] * mu[0..1] = m[0-5] * (a[4..5] * mp)
+        movq	80(%rdi), %r13
+        movq	88(%rdi), %r14
+        movq	%r15, %rdx
+        movq	%rsi, %rax
+        shldq	$32, %rdx, %rax
+        shlq	$32, %rdx
+        addq	%r15, %rdx
+        adcq	%rsi, %rax
+        addq	%r15, %rax
+        movq	%rdx, %rcx
+        movq	%rax, %r8
+        movq	%rax, %r9
+        shldq	$32, %rcx, %r8
+        shlq	$32, %rcx
+        shrq	$32, %r9
+        addq	%r10, %r13
+        adcq	$0, %r14
+        movq	$0, %r10
+        adcq	$0, %r10
+        addq	%rcx, %r15
+        adcq	%r8, %rsi
+        adcq	%r9, %rbx
+        adcq	$0, %rbp
+        adcq	$0, %r11
+        adcq	$0, %r12
+        adcq	%rdx, %r13
+        adcq	%rax, %r14
+        adcq	$0, %r10
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	%rax, %r9
+        movq	$0, %rax
+        adcq	$0, %rax
+        subq	%r8, %rbx
+        sbbq	%r9, %rbp
+        sbbq	%rax, %r11
+        sbbq	$0, %r12
+        sbbq	$0, %r13
+        sbbq	$0, %r14
+        sbbq	$0, %r10
+        # Subtract mod if carry
+        negq	%r10
+        movq	$18446744073709551614, %r9
+        movq	%r10, %rcx
+        movq	%r10, %r8
+        shrq	$32, %rcx
+        shlq	$32, %r8
+        andq	%r10, %r9
+        subq	%rcx, %rbx
+        sbbq	%r8, %rbp
+        sbbq	%r9, %r11
+        sbbq	%r10, %r12
+        sbbq	%r10, %r13
+        sbbq	%r10, %r14
+        movq	%rbx, (%rdi)
+        movq	%rbp, 8(%rdi)
+        movq	%r11, 16(%rdi)
+        movq	%r12, 24(%rdi)
+        movq	%r13, 32(%rdi)
+        movq	%r14, 40(%rdi)
+        pop	%rbp
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mont_reduce_6,.-sp_384_mont_reduce_6
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mont_reduce_order_6
+.type	sp_384_mont_reduce_order_6,@function
+.align	16
+sp_384_mont_reduce_order_6:
+#else
+.globl	_sp_384_mont_reduce_order_6
+.p2align	4
+_sp_384_mont_reduce_order_6:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        movq	%rdx, %rcx
+        xorq	%r15, %r15
+        # i = 6
+        movq	$6, %r8
+        movq	(%rdi), %r13
+        movq	8(%rdi), %r14
+L_mont_loop_order_6:
+        # mu = a[i] * mp
+        movq	%r13, %r11
+        imulq	%rcx, %r11
+        # a[i+0] += m[0] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        addq	%rax, %r13
+        adcq	%rdx, %r10
+        # a[i+1] += m[1] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	8(%rsi)
+        movq	%r14, %r13
+        addq	%rax, %r13
+        adcq	%rdx, %r9
+        addq	%r10, %r13
+        adcq	$0, %r9
+        # a[i+2] += m[2] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	16(%rsi)
+        movq	16(%rdi), %r14
+        addq	%rax, %r14
+        adcq	%rdx, %r10
+        addq	%r9, %r14
+        adcq	$0, %r10
+        # a[i+3] += m[3] * mu
+        movq	%r11, %rax
+        xorq	%r9, %r9
+        mulq	24(%rsi)
+        movq	24(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r9
+        addq	%r10, %r12
+        movq	%r12, 24(%rdi)
+        adcq	$0, %r9
+        # a[i+4] += m[4] * mu
+        movq	%r11, %rax
+        xorq	%r10, %r10
+        mulq	32(%rsi)
+        movq	32(%rdi), %r12
+        addq	%rax, %r12
+        adcq	%rdx, %r10
+        addq	%r9, %r12
+        movq	%r12, 32(%rdi)
+        adcq	$0, %r10
+        # a[i+5] += m[5] * mu
+        movq	%r11, %rax
+        mulq	40(%rsi)
+        movq	40(%rdi), %r12
+        addq	%rax, %r10
+        adcq	%r15, %rdx
+        movq	$0, %r15
+        adcq	$0, %r15
+        addq	%r10, %r12
+        movq	%r12, 40(%rdi)
+        adcq	%rdx, 48(%rdi)
+        adcq	$0, %r15
+        # i -= 1
+        addq	$8, %rdi
+        decq	%r8
+        jnz	L_mont_loop_order_6
+        movq	%r13, (%rdi)
+        movq	%r14, 8(%rdi)
+        negq	%r15
+        movq	%r15, %rcx
+        movq	%rsi, %rdx
+        movq	%rdi, %rsi
+        subq	$48, %rdi
+#ifndef __APPLE__
+        callq	sp_384_cond_sub_6@plt
+#else
+        callq	_sp_384_cond_sub_6
+#endif /* __APPLE__ */
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mont_reduce_order_6,.-sp_384_mont_reduce_order_6
+#endif /* __APPLE__ */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_sqr_6
+.type	sp_384_sqr_6,@function
+.align	16
+sp_384_sqr_6:
+#else
+.globl	_sp_384_sqr_6
+.p2align	4
+_sp_384_sqr_6:
+#endif /* __APPLE__ */
+        push	%r12
+        subq	$48, %rsp
+        # A[0] * A[0]
+        movq	(%rsi), %rax
+        mulq	%rax
+        xorq	%r9, %r9
+        movq	%rax, (%rsp)
+        movq	%rdx, %r8
+        # A[0] * A[1]
+        movq	8(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 8(%rsp)
+        # A[0] * A[2]
+        movq	16(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[1] * A[1]
+        movq	8(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 16(%rsp)
+        # A[0] * A[3]
+        movq	24(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[1] * A[2]
+        movq	16(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 24(%rsp)
+        # A[0] * A[4]
+        movq	32(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[1] * A[3]
+        movq	24(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[2] * A[2]
+        movq	16(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 32(%rsp)
+        # A[0] * A[5]
+        movq	40(%rsi), %rax
+        mulq	(%rsi)
+        xorq	%r8, %r8
+        xorq	%r12, %r12
+        movq	%rax, %r10
+        movq	%rdx, %r11
+        # A[1] * A[4]
+        movq	32(%rsi), %rax
+        mulq	8(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        # A[2] * A[3]
+        movq	24(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r11
+        adcq	$0, %r12
+        addq	%r10, %r10
+        adcq	%r11, %r11
+        adcq	%r12, %r12
+        addq	%r10, %r9
+        adcq	%r11, %rcx
+        adcq	%r12, %r8
+        movq	%r9, 40(%rsp)
+        # A[1] * A[5]
+        movq	40(%rsi), %rax
+        mulq	8(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[2] * A[4]
+        movq	32(%rsi), %rax
+        mulq	16(%rsi)
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * A[3]
+        movq	24(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 48(%rdi)
+        # A[2] * A[5]
+        movq	40(%rsi), %rax
+        mulq	16(%rsi)
+        xorq	%rcx, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        # A[3] * A[4]
+        movq	32(%rsi), %rax
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        adcq	$0, %rcx
+        movq	%r8, 56(%rdi)
+        # A[3] * A[5]
+        movq	40(%rsi), %rax
+        mulq	24(%rsi)
+        xorq	%r8, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        # A[4] * A[4]
+        movq	32(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r9
+        adcq	%rdx, %rcx
+        adcq	$0, %r8
+        movq	%r9, 64(%rdi)
+        # A[4] * A[5]
+        movq	40(%rsi), %rax
+        mulq	32(%rsi)
+        xorq	%r9, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        addq	%rax, %rcx
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        movq	%rcx, 72(%rdi)
+        # A[5] * A[5]
+        movq	40(%rsi), %rax
+        mulq	%rax
+        addq	%rax, %r8
+        adcq	%rdx, %r9
+        movq	%r8, 80(%rdi)
+        movq	%r9, 88(%rdi)
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rdx
+        movq	16(%rsp), %r10
+        movq	24(%rsp), %r11
+        movq	%rax, (%rdi)
+        movq	%rdx, 8(%rdi)
+        movq	%r10, 16(%rdi)
+        movq	%r11, 24(%rdi)
+        movq	32(%rsp), %rax
+        movq	40(%rsp), %rdx
+        movq	%rax, 32(%rdi)
+        movq	%rdx, 40(%rdi)
+        addq	$48, %rsp
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_sqr_6,.-sp_384_sqr_6
+#endif /* __APPLE__ */
+/* Compare a with b in constant time.
+ *
+ * a  A single precision integer.
+ * b  A single precision integer.
+ * return -ve, 0 or +ve if a is less than, equal to or greater than b
+ * respectively.
+ */
+#ifndef __APPLE__
+.globl	sp_384_cmp_6
+.type	sp_384_cmp_6,@function
+.align	16
+sp_384_cmp_6:
+#else
+.globl	_sp_384_cmp_6
+.p2align	4
+_sp_384_cmp_6:
+#endif /* __APPLE__ */
+        xorq	%rcx, %rcx
+        movq	$-1, %rdx
+        movq	$-1, %rax
+        movq	$1, %r8
+        movq	40(%rdi), %r9
+        movq	40(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	32(%rdi), %r9
+        movq	32(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	24(%rdi), %r9
+        movq	24(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	16(%rdi), %r9
+        movq	16(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	8(%rdi), %r9
+        movq	8(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        movq	(%rdi), %r9
+        movq	(%rsi), %r10
+        andq	%rdx, %r9
+        andq	%rdx, %r10
+        subq	%r10, %r9
+        cmova	%r8, %rax
+        cmovc	%rdx, %rax
+        cmovnz	%rcx, %rdx
+        xorq	%rdx, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_cmp_6,.-sp_384_cmp_6
+#endif /* __APPLE__ */
+/* Add b to a into r. (r = a + b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_add_6
+.type	sp_384_add_6,@function
+.align	16
+sp_384_add_6:
+#else
+.globl	_sp_384_add_6
+.p2align	4
+_sp_384_add_6:
+#endif /* __APPLE__ */
+        # Add
+        movq	(%rsi), %rcx
+        xorq	%rax, %rax
+        addq	(%rdx), %rcx
+        movq	8(%rsi), %r8
+        movq	%rcx, (%rdi)
+        adcq	8(%rdx), %r8
+        movq	16(%rsi), %rcx
+        movq	%r8, 8(%rdi)
+        adcq	16(%rdx), %rcx
+        movq	24(%rsi), %r8
+        movq	%rcx, 16(%rdi)
+        adcq	24(%rdx), %r8
+        movq	32(%rsi), %rcx
+        movq	%r8, 24(%rdi)
+        adcq	32(%rdx), %rcx
+        movq	40(%rsi), %r8
+        movq	%rcx, 32(%rdi)
+        adcq	40(%rdx), %r8
+        movq	%r8, 40(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_add_6,.-sp_384_add_6
+#endif /* __APPLE__ */
+/* Add a to a into r. (r = a + a)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_dbl_6
+.type	sp_384_dbl_6,@function
+.align	16
+sp_384_dbl_6:
+#else
+.globl	_sp_384_dbl_6
+.p2align	4
+_sp_384_dbl_6:
+#endif /* __APPLE__ */
+        movq	(%rsi), %rdx
+        xorq	%rax, %rax
+        addq	%rdx, %rdx
+        movq	8(%rsi), %rcx
+        movq	%rdx, (%rdi)
+        adcq	%rcx, %rcx
+        movq	16(%rsi), %rdx
+        movq	%rcx, 8(%rdi)
+        adcq	%rdx, %rdx
+        movq	24(%rsi), %rcx
+        movq	%rdx, 16(%rdi)
+        adcq	%rcx, %rcx
+        movq	32(%rsi), %rdx
+        movq	%rcx, 24(%rdi)
+        adcq	%rdx, %rdx
+        movq	40(%rsi), %rcx
+        movq	%rdx, 32(%rdi)
+        adcq	%rcx, %rcx
+        movq	%rcx, 40(%rdi)
+        adcq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_dbl_6,.-sp_384_dbl_6
+#endif /* __APPLE__ */
+/* Sub b from a into r. (r = a - b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_sub_6
+.type	sp_384_sub_6,@function
+.align	16
+sp_384_sub_6:
+#else
+.globl	_sp_384_sub_6
+.p2align	4
+_sp_384_sub_6:
+#endif /* __APPLE__ */
+        push	%r12
+        xorq	%rax, %rax
+        movq	(%rsi), %rcx
+        movq	8(%rsi), %r8
+        movq	16(%rsi), %r9
+        movq	24(%rsi), %r10
+        movq	32(%rsi), %r11
+        movq	40(%rsi), %r12
+        subq	(%rdx), %rcx
+        sbbq	8(%rdx), %r8
+        sbbq	16(%rdx), %r9
+        sbbq	24(%rdx), %r10
+        sbbq	32(%rdx), %r11
+        sbbq	40(%rdx), %r12
+        movq	%rcx, (%rdi)
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        movq	%r11, 32(%rdi)
+        movq	%r12, 40(%rdi)
+        sbbq	$0, %rax
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_sub_6,.-sp_384_sub_6
+#endif /* __APPLE__ */
+/* Conditionally add a and b using the mask m.
+ * m is -1 to add and 0 when not.
+ *
+ * r  A single precision number representing conditional add result.
+ * a  A single precision number to add with.
+ * b  A single precision number to add.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_384_cond_add_6
+.type	sp_384_cond_add_6,@function
+.align	16
+sp_384_cond_add_6:
+#else
+.globl	_sp_384_cond_add_6
+.p2align	4
+_sp_384_cond_add_6:
+#endif /* __APPLE__ */
+        subq	$48, %rsp
+        movq	$0, %rax
+        movq	(%rdx), %r8
+        movq	8(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, (%rsp)
+        movq	%r9, 8(%rsp)
+        movq	16(%rdx), %r8
+        movq	24(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 16(%rsp)
+        movq	%r9, 24(%rsp)
+        movq	32(%rdx), %r8
+        movq	40(%rdx), %r9
+        andq	%rcx, %r8
+        andq	%rcx, %r9
+        movq	%r8, 32(%rsp)
+        movq	%r9, 40(%rsp)
+        movq	(%rsi), %r8
+        movq	(%rsp), %rdx
+        addq	%rdx, %r8
+        movq	8(%rsi), %r9
+        movq	8(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, (%rdi)
+        movq	16(%rsi), %r8
+        movq	16(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 8(%rdi)
+        movq	24(%rsi), %r9
+        movq	24(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 16(%rdi)
+        movq	32(%rsi), %r8
+        movq	32(%rsp), %rdx
+        adcq	%rdx, %r8
+        movq	%r9, 24(%rdi)
+        movq	40(%rsi), %r9
+        movq	40(%rsp), %rdx
+        adcq	%rdx, %r9
+        movq	%r8, 32(%rdi)
+        movq	%r9, 40(%rdi)
+        adcq	$0, %rax
+        addq	$48, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_cond_add_6,.-sp_384_cond_add_6
+#endif /* __APPLE__ */
+/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
+ *
+ * r  Result of division by 2.
+ * a  Number to divide.
+ * m  Modulus (prime).
+ */
+#ifndef __APPLE__
+.globl	sp_384_div2_6
+.type	sp_384_div2_6,@function
+.align	16
+sp_384_div2_6:
+#else
+.globl	_sp_384_div2_6
+.p2align	4
+_sp_384_div2_6:
+#endif /* __APPLE__ */
+        subq	$48, %rsp
+        movq	(%rsi), %rax
+        movq	%rax, %r11
+        andq	$1, %r11
+        negq	%r11
+        xorq	%r10, %r10
+        movq	(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, (%rsp)
+        movq	8(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, 8(%rsp)
+        movq	16(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, 16(%rsp)
+        movq	24(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, 24(%rsp)
+        movq	32(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, 32(%rsp)
+        movq	40(%rdx), %r8
+        andq	%r11, %r8
+        movq	%r8, 40(%rsp)
+        addq	%rax, (%rsp)
+        movq	8(%rsi), %rax
+        adcq	%rax, 8(%rsp)
+        movq	16(%rsi), %rax
+        adcq	%rax, 16(%rsp)
+        movq	24(%rsi), %rax
+        adcq	%rax, 24(%rsp)
+        movq	32(%rsi), %rax
+        adcq	%rax, 32(%rsp)
+        movq	40(%rsi), %rax
+        adcq	%rax, 40(%rsp)
+        adcq	$0, %r10
+        movq	(%rsp), %rax
+        movq	8(%rsp), %rcx
+        shrdq	$1, %rcx, %rax
+        movq	%rax, (%rdi)
+        movq	16(%rsp), %rax
+        shrdq	$1, %rax, %rcx
+        movq	%rcx, 8(%rdi)
+        movq	24(%rsp), %rcx
+        shrdq	$1, %rcx, %rax
+        movq	%rax, 16(%rdi)
+        movq	32(%rsp), %rax
+        shrdq	$1, %rax, %rcx
+        movq	%rcx, 24(%rdi)
+        movq	40(%rsp), %rcx
+        shrdq	$1, %rcx, %rax
+        movq	%rax, 32(%rdi)
+        shrdq	$1, %r10, %rcx
+        movq	%rcx, 40(%rdi)
+        addq	$48, %rsp
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_div2_6,.-sp_384_div2_6
+#endif /* __APPLE__ */
+/* Multiply a and b into r. (r = a * b)
+ *
+ * r   Result of multiplication.
+ * a   First number to multiply.
+ * b   Second number to multiply.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mul_avx2_6
+.type	sp_384_mul_avx2_6,@function
+.align	16
+sp_384_mul_avx2_6:
+#else
+.globl	_sp_384_mul_avx2_6
+.p2align	4
+_sp_384_mul_avx2_6:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        movq	%rdx, %rax
+        subq	$40, %rsp
+        xorq	%rbx, %rbx
+        movq	(%rsi), %rdx
+        # A[0] * B[0]
+        mulxq	(%rax), %r9, %r10
+        # A[0] * B[1]
+        mulxq	8(%rax), %rcx, %r11
+        adcxq	%rcx, %r10
+        # A[0] * B[2]
+        mulxq	16(%rax), %rcx, %r12
+        adcxq	%rcx, %r11
+        # A[0] * B[3]
+        mulxq	24(%rax), %rcx, %r13
+        adcxq	%rcx, %r12
+        # A[0] * B[4]
+        mulxq	32(%rax), %rcx, %r14
+        adcxq	%rcx, %r13
+        # A[0] * B[5]
+        mulxq	40(%rax), %rcx, %r15
+        adcxq	%rcx, %r14
+        adcxq	%rbx, %r15
+        movq	%r9, (%rsp)
+        movq	$0, %r9
+        adcxq	%rbx, %r9
+        xorq	%rbx, %rbx
+        movq	8(%rsi), %rdx
+        # A[1] * B[0]
+        mulxq	(%rax), %rcx, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r11
+        # A[1] * B[1]
+        mulxq	8(%rax), %rcx, %r8
+        adcxq	%rcx, %r11
+        adoxq	%r8, %r12
+        # A[1] * B[2]
+        mulxq	16(%rax), %rcx, %r8
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r13
+        # A[1] * B[3]
+        mulxq	24(%rax), %rcx, %r8
+        adcxq	%rcx, %r13
+        adoxq	%r8, %r14
+        # A[1] * B[4]
+        mulxq	32(%rax), %rcx, %r8
+        adcxq	%rcx, %r14
+        adoxq	%r8, %r15
+        # A[1] * B[5]
+        mulxq	40(%rax), %rcx, %r8
+        adcxq	%rcx, %r15
+        adoxq	%r8, %r9
+        adcxq	%rbx, %r9
+        movq	%r10, 8(%rsp)
+        movq	$0, %r10
+        adcxq	%rbx, %r10
+        adoxq	%rbx, %r10
+        xorq	%rbx, %rbx
+        movq	16(%rsi), %rdx
+        # A[2] * B[0]
+        mulxq	(%rax), %rcx, %r8
+        adcxq	%rcx, %r11
+        adoxq	%r8, %r12
+        # A[2] * B[1]
+        mulxq	8(%rax), %rcx, %r8
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r13
+        # A[2] * B[2]
+        mulxq	16(%rax), %rcx, %r8
+        adcxq	%rcx, %r13
+        adoxq	%r8, %r14
+        # A[2] * B[3]
+        mulxq	24(%rax), %rcx, %r8
+        adcxq	%rcx, %r14
+        adoxq	%r8, %r15
+        # A[2] * B[4]
+        mulxq	32(%rax), %rcx, %r8
+        adcxq	%rcx, %r15
+        adoxq	%r8, %r9
+        # A[2] * B[5]
+        mulxq	40(%rax), %rcx, %r8
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        adcxq	%rbx, %r10
+        movq	%r11, 16(%rsp)
+        movq	$0, %r11
+        adcxq	%rbx, %r11
+        adoxq	%rbx, %r11
+        xorq	%rbx, %rbx
+        movq	24(%rsi), %rdx
+        # A[3] * B[0]
+        mulxq	(%rax), %rcx, %r8
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r13
+        # A[3] * B[1]
+        mulxq	8(%rax), %rcx, %r8
+        adcxq	%rcx, %r13
+        adoxq	%r8, %r14
+        # A[3] * B[2]
+        mulxq	16(%rax), %rcx, %r8
+        adcxq	%rcx, %r14
+        adoxq	%r8, %r15
+        # A[3] * B[3]
+        mulxq	24(%rax), %rcx, %r8
+        adcxq	%rcx, %r15
+        adoxq	%r8, %r9
+        # A[3] * B[4]
+        mulxq	32(%rax), %rcx, %r8
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        # A[3] * B[5]
+        mulxq	40(%rax), %rcx, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r11
+        adcxq	%rbx, %r11
+        movq	%r12, 24(%rsp)
+        movq	$0, %r12
+        adcxq	%rbx, %r12
+        adoxq	%rbx, %r12
+        xorq	%rbx, %rbx
+        movq	32(%rsi), %rdx
+        # A[4] * B[0]
+        mulxq	(%rax), %rcx, %r8
+        adcxq	%rcx, %r13
+        adoxq	%r8, %r14
+        # A[4] * B[1]
+        mulxq	8(%rax), %rcx, %r8
+        adcxq	%rcx, %r14
+        adoxq	%r8, %r15
+        # A[4] * B[2]
+        mulxq	16(%rax), %rcx, %r8
+        adcxq	%rcx, %r15
+        adoxq	%r8, %r9
+        # A[4] * B[3]
+        mulxq	24(%rax), %rcx, %r8
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        # A[4] * B[4]
+        mulxq	32(%rax), %rcx, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r11
+        # A[4] * B[5]
+        mulxq	40(%rax), %rcx, %r8
+        adcxq	%rcx, %r11
+        adoxq	%r8, %r12
+        adcxq	%rbx, %r12
+        movq	%r13, 32(%rsp)
+        movq	40(%rsi), %rdx
+        # A[5] * B[0]
+        mulxq	(%rax), %rcx, %r8
+        adcxq	%rcx, %r14
+        adoxq	%r8, %r15
+        # A[5] * B[1]
+        mulxq	8(%rax), %rcx, %r8
+        adcxq	%rcx, %r15
+        adoxq	%r8, %r9
+        # A[5] * B[2]
+        mulxq	16(%rax), %rcx, %r8
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        # A[5] * B[3]
+        mulxq	24(%rax), %rcx, %r8
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r11
+        # A[5] * B[4]
+        mulxq	32(%rax), %rcx, %r8
+        adcxq	%rcx, %r11
+        adoxq	%r8, %r12
+        # A[5] * B[5]
+        mulxq	40(%rax), %rcx, %r13
+        adcxq	%rcx, %r12
+        adoxq	%rbx, %r13
+        adcxq	%rbx, %r13
+        movq	%r14, 40(%rdi)
+        movq	%r15, 48(%rdi)
+        movq	%r9, 56(%rdi)
+        movq	%r10, 64(%rdi)
+        movq	%r11, 72(%rdi)
+        movq	%r12, 80(%rdi)
+        movq	%r13, 88(%rdi)
+        movq	(%rsp), %r9
+        movq	8(%rsp), %r10
+        movq	16(%rsp), %r11
+        movq	24(%rsp), %r12
+        movq	32(%rsp), %r13
+        movq	%r9, (%rdi)
+        movq	%r10, 8(%rdi)
+        movq	%r11, 16(%rdi)
+        movq	%r12, 24(%rdi)
+        movq	%r13, 32(%rdi)
+        addq	$40, %rsp
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mul_avx2_6,.-sp_384_mul_avx2_6
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Reduce the number back to 384 bits using Montgomery reduction.
+ *
+ * a   A single precision number to reduce in place.
+ * m   The single precision number representing the modulus.
+ * mp  The digit representing the negative inverse of m mod 2^n.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mont_reduce_order_avx2_6
+.type	sp_384_mont_reduce_order_avx2_6,@function
+.align	16
+sp_384_mont_reduce_order_avx2_6:
+#else
+.globl	_sp_384_mont_reduce_order_avx2_6
+.p2align	4
+_sp_384_mont_reduce_order_avx2_6:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        movq	%rdx, %rax
+        xorq	%r13, %r13
+        movq	(%rdi), %r12
+        xorq	%r11, %r11
+L_mont_loop_order_avx2_6:
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	8(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	16(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	24(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 16(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	32(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 24(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	40(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 32(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	48(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 40(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 48(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	16(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	24(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	32(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 24(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	40(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 32(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	48(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 40(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	56(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 48(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 56(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	24(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	32(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	40(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 32(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	48(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 40(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	56(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 48(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	64(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 56(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 64(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	32(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	40(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	48(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 40(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	56(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 48(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	64(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 56(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	72(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 64(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 72(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	40(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	48(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	56(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 48(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	64(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 56(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	72(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 64(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	80(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 72(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 80(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        # mu = a[i] * mp
+        movq	%r12, %rdx
+        movq	%r12, %r9
+        imulq	%rax, %rdx
+        xorq	%r11, %r11
+        # a[i+0] += m[0] * mu
+        mulxq	(%rsi), %rcx, %r8
+        movq	48(%rdi), %r12
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r12
+        # a[i+1] += m[1] * mu
+        mulxq	8(%rsi), %rcx, %r8
+        movq	56(%rdi), %r9
+        adcxq	%rcx, %r12
+        adoxq	%r8, %r9
+        # a[i+2] += m[2] * mu
+        mulxq	16(%rsi), %rcx, %r8
+        movq	64(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 56(%rdi)
+        # a[i+3] += m[3] * mu
+        mulxq	24(%rsi), %rcx, %r8
+        movq	72(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 64(%rdi)
+        # a[i+4] += m[4] * mu
+        mulxq	32(%rsi), %rcx, %r8
+        movq	80(%rdi), %r10
+        adcxq	%rcx, %r9
+        adoxq	%r8, %r10
+        movq	%r9, 72(%rdi)
+        # a[i+5] += m[5] * mu
+        mulxq	40(%rsi), %rcx, %r8
+        movq	88(%rdi), %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        movq	%r10, 80(%rdi)
+        adcxq	%r13, %r9
+        movq	%r9, 88(%rdi)
+        movq	%r11, %r13
+        adoxq	%r11, %r13
+        adcxq	%r11, %r13
+        negq	%r13
+        movq	%rdi, %rax
+        addq	$48, %rdi
+        movq	(%rsi), %r8
+        movq	%r12, %rdx
+        pextq	%r13, %r8, %r8
+        subq	%r8, %rdx
+        movq	8(%rsi), %r8
+        movq	8(%rdi), %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rdx, (%rax)
+        sbbq	%r8, %rcx
+        movq	16(%rsi), %rdx
+        movq	16(%rdi), %r8
+        pextq	%r13, %rdx, %rdx
+        movq	%rcx, 8(%rax)
+        sbbq	%rdx, %r8
+        movq	24(%rsi), %rcx
+        movq	24(%rdi), %rdx
+        pextq	%r13, %rcx, %rcx
+        movq	%r8, 16(%rax)
+        sbbq	%rcx, %rdx
+        movq	32(%rsi), %r8
+        movq	32(%rdi), %rcx
+        pextq	%r13, %r8, %r8
+        movq	%rdx, 24(%rax)
+        sbbq	%r8, %rcx
+        movq	40(%rsi), %rdx
+        movq	40(%rdi), %r8
+        pextq	%r13, %rdx, %rdx
+        movq	%rcx, 32(%rax)
+        sbbq	%rdx, %r8
+        movq	%r8, 40(%rax)
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mont_reduce_order_avx2_6,.-sp_384_mont_reduce_order_avx2_6
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+/* Square a and put result in r. (r = a * a)
+ *
+ * r   Result of squaring.
+ * a   Number to square in Montogmery form.
+ */
+#ifndef __APPLE__
+.globl	sp_384_sqr_avx2_6
+.type	sp_384_sqr_avx2_6,@function
+.align	16
+sp_384_sqr_avx2_6:
+#else
+.globl	_sp_384_sqr_avx2_6
+.p2align	4
+_sp_384_sqr_avx2_6:
+#endif /* __APPLE__ */
+        push	%r12
+        push	%r13
+        push	%r14
+        push	%r15
+        push	%rbx
+        push	%rbp
+        push	%rdi
+        xorq	%rdi, %rdi
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %r15
+        movq	16(%rsi), %rbx
+        movq	24(%rsi), %rbp
+        # Diagonal 0
+        #   A[1] * A[0]
+        mulxq	8(%rsi), %r8, %r9
+        #   A[2] * A[0]
+        mulxq	16(%rsi), %rax, %r10
+        adcxq	%rax, %r9
+        #   A[3] * A[0]
+        mulxq	24(%rsi), %rax, %r11
+        adcxq	%rax, %r10
+        #   A[4] * A[0]
+        mulxq	32(%rsi), %rax, %r12
+        adcxq	%rax, %r11
+        #   A[5] * A[0]
+        mulxq	40(%rsi), %rax, %r13
+        adcxq	%rax, %r12
+        adcxq	%rdi, %r13
+        # Diagonal 1
+        movq	%r15, %rdx
+        #   A[2] * A[1]
+        mulxq	16(%rsi), %rax, %rcx
+        adcxq	%rax, %r10
+        adoxq	%rcx, %r11
+        #   A[3] * A[1]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r11
+        adoxq	%rcx, %r12
+        #   A[4] * A[1]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r13
+        #   A[5] * A[1]
+        mulxq	40(%rsi), %rax, %r14
+        adcxq	%rax, %r13
+        adoxq	%rdi, %r14
+        movq	%rbx, %rdx
+        #   A[5] * A[2]
+        mulxq	40(%rsi), %rax, %r15
+        adcxq	%rax, %r14
+        adoxq	%rdi, %r15
+        adcxq	%rdi, %r15
+        adcxq	%rdi, %rbx
+        # Diagonal 2
+        #   A[3] * A[2]
+        mulxq	24(%rsi), %rax, %rcx
+        adcxq	%rax, %r12
+        adoxq	%rcx, %r13
+        #   A[4] * A[2]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r13
+        adoxq	%rcx, %r14
+        movq	%rbp, %rdx
+        #   A[4] * A[3]
+        mulxq	32(%rsi), %rax, %rcx
+        adcxq	%rax, %r14
+        adoxq	%rcx, %r15
+        #   A[5] * A[3]
+        mulxq	40(%rsi), %rax, %rbx
+        adcxq	%rax, %r15
+        adoxq	%rdi, %rbx
+        movq	32(%rsi), %rdx
+        #   A[5] * A[4]
+        mulxq	40(%rsi), %rax, %rbp
+        adcxq	%rax, %rbx
+        adoxq	%rdi, %rbp
+        adcxq	%rdi, %rbp
+        adcxq	%rdi, %rdi
+        # Doubling previous result as we add in square words results
+        # A[0] * A[0]
+        movq	(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        pop	%rdx
+        movq	%rax, (%rdx)
+        adoxq	%r8, %r8
+        push	%rdx
+        adcxq	%rcx, %r8
+        # A[1] * A[1]
+        movq	8(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r9, %r9
+        adcxq	%rax, %r9
+        adoxq	%r10, %r10
+        adcxq	%rcx, %r10
+        # A[2] * A[2]
+        movq	16(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r11, %r11
+        adcxq	%rax, %r11
+        adoxq	%r12, %r12
+        adcxq	%rcx, %r12
+        # A[3] * A[3]
+        movq	24(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r13, %r13
+        adcxq	%rax, %r13
+        adoxq	%r14, %r14
+        adcxq	%rcx, %r14
+        # A[4] * A[4]
+        movq	32(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%r15, %r15
+        adcxq	%rax, %r15
+        adoxq	%rbx, %rbx
+        adcxq	%rcx, %rbx
+        # A[5] * A[5]
+        movq	40(%rsi), %rdx
+        mulxq	%rdx, %rax, %rcx
+        adoxq	%rbp, %rbp
+        adcxq	%rax, %rbp
+        adcxq	%rdi, %rcx
+        movq	$0, %rax
+        adoxq	%rax, %rcx
+        pop	%rdi
+        movq	%r8, 8(%rdi)
+        movq	%r9, 16(%rdi)
+        movq	%r10, 24(%rdi)
+        movq	%r11, 32(%rdi)
+        movq	%r12, 40(%rdi)
+        movq	%r13, 48(%rdi)
+        movq	%r14, 56(%rdi)
+        movq	%r15, 64(%rdi)
+        movq	%rbx, 72(%rdi)
+        movq	%rbp, 80(%rdi)
+        movq	%rcx, 88(%rdi)
+        pop	%rbp
+        pop	%rbx
+        pop	%r15
+        pop	%r14
+        pop	%r13
+        pop	%r12
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_sqr_avx2_6,.-sp_384_sqr_avx2_6
+#endif /* __APPLE__ */
+/* Add 1 to a. (a = a + 1)
+ *
+ * a  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_add_one_6
+.type	sp_384_add_one_6,@function
+.align	16
+sp_384_add_one_6:
+#else
+.globl	_sp_384_add_one_6
+.p2align	4
+_sp_384_add_one_6:
+#endif /* __APPLE__ */
+        addq	$1, (%rdi)
+        adcq	$0, 8(%rdi)
+        adcq	$0, 16(%rdi)
+        adcq	$0, 24(%rdi)
+        adcq	$0, 32(%rdi)
+        adcq	$0, 40(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_add_one_6,.-sp_384_add_one_6
+#endif /* __APPLE__ */
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+#ifndef __APPLE__
+.globl	sp_384_from_bin
+.type	sp_384_from_bin,@function
+.align	16
+sp_384_from_bin:
+#else
+.globl	_sp_384_from_bin
+.p2align	4
+_sp_384_from_bin:
+#endif /* __APPLE__ */
+        movq	%rdx, %r9
+        movq	%rdi, %r10
+        addq	%rcx, %r9
+        addq	$48, %r10
+        xorq	%r11, %r11
+        jmp	L_384_from_bin_64_end
+L_384_from_bin_64_start:
+        subq	$64, %r9
+        movbeq	56(%r9), %rax
+        movbeq	48(%r9), %r8
+        movq	%rax, (%rdi)
+        movq	%r8, 8(%rdi)
+        movbeq	40(%r9), %rax
+        movbeq	32(%r9), %r8
+        movq	%rax, 16(%rdi)
+        movq	%r8, 24(%rdi)
+        movbeq	24(%r9), %rax
+        movbeq	16(%r9), %r8
+        movq	%rax, 32(%rdi)
+        movq	%r8, 40(%rdi)
+        movbeq	8(%r9), %rax
+        movbeq	(%r9), %r8
+        movq	%rax, 48(%rdi)
+        movq	%r8, 56(%rdi)
+        addq	$64, %rdi
+        subq	$64, %rcx
+L_384_from_bin_64_end:
+        cmpq	$63, %rcx
+        jg	L_384_from_bin_64_start
+        jmp	L_384_from_bin_8_end
+L_384_from_bin_8_start:
+        subq	$8, %r9
+        movbeq	(%r9), %rax
+        movq	%rax, (%rdi)
+        addq	$8, %rdi
+        subq	$8, %rcx
+L_384_from_bin_8_end:
+        cmpq	$7, %rcx
+        jg	L_384_from_bin_8_start
+        cmpq	%r11, %rcx
+        je	L_384_from_bin_hi_end
+        movq	%r11, %r8
+        movq	%r11, %rax
+L_384_from_bin_hi_start:
+        movb	(%rdx), %al
+        shlq	$8, %r8
+        incq	%rdx
+        addq	%rax, %r8
+        decq	%rcx
+        jg	L_384_from_bin_hi_start
+        movq	%r8, (%rdi)
+        addq	$8, %rdi
+L_384_from_bin_hi_end:
+        cmpq	%r10, %rdi
+        je	L_384_from_bin_zero_end
+L_384_from_bin_zero_start:
+        movq	%r11, (%rdi)
+        addq	$8, %rdi
+        cmpq	%r10, %rdi
+        jl	L_384_from_bin_zero_start
+L_384_from_bin_zero_end:
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_from_bin,.-sp_384_from_bin
+#endif /* __APPLE__ */
+/* Write r as big endian to byte array.
+ * Fixed length number of bytes written: 48
+ *
+ * r  A single precision integer.
+ * a  Byte array.
+ */
+#ifndef __APPLE__
+.globl	sp_384_to_bin
+.type	sp_384_to_bin,@function
+.align	16
+sp_384_to_bin:
+#else
+.globl	_sp_384_to_bin
+.p2align	4
+_sp_384_to_bin:
+#endif /* __APPLE__ */
+        movbeq	40(%rdi), %rdx
+        movbeq	32(%rdi), %rax
+        movq	%rdx, (%rsi)
+        movq	%rax, 8(%rsi)
+        movbeq	24(%rdi), %rdx
+        movbeq	16(%rdi), %rax
+        movq	%rdx, 16(%rsi)
+        movq	%rax, 24(%rsi)
+        movbeq	8(%rdi), %rdx
+        movbeq	(%rdi), %rax
+        movq	%rdx, 32(%rsi)
+        movq	%rax, 40(%rsi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_to_bin,.-sp_384_to_bin
+#endif /* __APPLE__ */
+/* Sub b from a into a. (a -= b)
+ *
+ * a  A single precision integer and result.
+ * b  A single precision integer.
+ */
+#ifndef __APPLE__
+.globl	sp_384_sub_in_place_6
+.type	sp_384_sub_in_place_6,@function
+.align	16
+sp_384_sub_in_place_6:
+#else
+.globl	_sp_384_sub_in_place_6
+.p2align	4
+_sp_384_sub_in_place_6:
+#endif /* __APPLE__ */
+        xorq	%rax, %rax
+        movq	(%rsi), %rdx
+        movq	8(%rsi), %rcx
+        movq	16(%rsi), %r8
+        movq	24(%rsi), %r9
+        movq	32(%rsi), %r10
+        movq	40(%rsi), %r11
+        subq	%rdx, (%rdi)
+        sbbq	%rcx, 8(%rdi)
+        sbbq	%r8, 16(%rdi)
+        sbbq	%r9, 24(%rdi)
+        sbbq	%r10, 32(%rdi)
+        sbbq	%r11, 40(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_sub_in_place_6,.-sp_384_sub_in_place_6
+#endif /* __APPLE__ */
+/* Conditionally subtract b from a using the mask m.
+ * m is -1 to subtract and 0 when not copying.
+ *
+ * r  A single precision number representing condition subtract result.
+ * a  A single precision number to subtract from.
+ * b  A single precision number to subtract.
+ * m  Mask value to apply.
+ */
+#ifndef __APPLE__
+.globl	sp_384_cond_sub_avx2_6
+.type	sp_384_cond_sub_avx2_6,@function
+.align	16
+sp_384_cond_sub_avx2_6:
+#else
+.globl	_sp_384_cond_sub_avx2_6
+.p2align	4
+_sp_384_cond_sub_avx2_6:
+#endif /* __APPLE__ */
+        movq	$0, %rax
+        movq	(%rdx), %r10
+        movq	(%rsi), %r8
+        pextq	%rcx, %r10, %r10
+        subq	%r10, %r8
+        movq	8(%rdx), %r10
+        movq	8(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, (%rdi)
+        sbbq	%r10, %r9
+        movq	16(%rdx), %r8
+        movq	16(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 8(%rdi)
+        sbbq	%r8, %r10
+        movq	24(%rdx), %r9
+        movq	24(%rsi), %r8
+        pextq	%rcx, %r9, %r9
+        movq	%r10, 16(%rdi)
+        sbbq	%r9, %r8
+        movq	32(%rdx), %r10
+        movq	32(%rsi), %r9
+        pextq	%rcx, %r10, %r10
+        movq	%r8, 24(%rdi)
+        sbbq	%r10, %r9
+        movq	40(%rdx), %r8
+        movq	40(%rsi), %r10
+        pextq	%rcx, %r8, %r8
+        movq	%r9, 32(%rdi)
+        sbbq	%r8, %r10
+        movq	%r10, 40(%rdi)
+        sbbq	$0, %rax
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_cond_sub_avx2_6,.-sp_384_cond_sub_avx2_6
+#endif /* __APPLE__ */
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mul_d_6
+.type	sp_384_mul_d_6,@function
+.align	16
+sp_384_mul_d_6:
+#else
+.globl	_sp_384_mul_d_6
+.p2align	4
+_sp_384_mul_d_6:
+#endif /* __APPLE__ */
+        movq	%rdx, %rcx
+        # A[0] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	(%rsi)
+        movq	%rax, %r8
+        movq	%rdx, %r9
+        movq	%r8, (%rdi)
+        # A[1] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	8(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 8(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[2] * B
+        movq	%rcx, %rax
+        xorq	%r9, %r9
+        mulq	16(%rsi)
+        addq	%rax, %r10
+        movq	%r10, 16(%rdi)
+        adcq	%rdx, %r8
+        adcq	$0, %r9
+        # A[3] * B
+        movq	%rcx, %rax
+        xorq	%r10, %r10
+        mulq	24(%rsi)
+        addq	%rax, %r8
+        movq	%r8, 24(%rdi)
+        adcq	%rdx, %r9
+        adcq	$0, %r10
+        # A[4] * B
+        movq	%rcx, %rax
+        xorq	%r8, %r8
+        mulq	32(%rsi)
+        addq	%rax, %r9
+        movq	%r9, 32(%rdi)
+        adcq	%rdx, %r10
+        adcq	$0, %r8
+        # A[5] * B
+        movq	%rcx, %rax
+        mulq	40(%rsi)
+        addq	%rax, %r10
+        adcq	%rdx, %r8
+        movq	%r10, 40(%rdi)
+        movq	%r8, 48(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mul_d_6,.-sp_384_mul_d_6
+#endif /* __APPLE__ */
+#ifdef HAVE_INTEL_AVX2
+/* Mul a by digit b into r. (r = a * b)
+ *
+ * r  A single precision integer.
+ * a  A single precision integer.
+ * b  A single precision digit.
+ */
+#ifndef __APPLE__
+.globl	sp_384_mul_d_avx2_6
+.type	sp_384_mul_d_avx2_6,@function
+.align	16
+sp_384_mul_d_avx2_6:
+#else
+.globl	_sp_384_mul_d_avx2_6
+.p2align	4
+_sp_384_mul_d_avx2_6:
+#endif /* __APPLE__ */
+        movq	%rdx, %rax
+        # A[0] * B
+        movq	%rax, %rdx
+        xorq	%r11, %r11
+        mulxq	(%rsi), %r9, %r10
+        movq	%r9, (%rdi)
+        # A[1] * B
+        mulxq	8(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 8(%rdi)
+        adoxq	%r8, %r9
+        # A[2] * B
+        mulxq	16(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 16(%rdi)
+        adoxq	%r8, %r10
+        # A[3] * B
+        mulxq	24(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        movq	%r10, 24(%rdi)
+        adoxq	%r8, %r9
+        # A[4] * B
+        mulxq	32(%rsi), %rcx, %r8
+        movq	%r11, %r10
+        adcxq	%rcx, %r9
+        movq	%r9, 32(%rdi)
+        adoxq	%r8, %r10
+        # A[5] * B
+        mulxq	40(%rsi), %rcx, %r8
+        movq	%r11, %r9
+        adcxq	%rcx, %r10
+        adoxq	%r8, %r9
+        adcxq	%r11, %r9
+        movq	%r10, 40(%rdi)
+        movq	%r9, 48(%rdi)
+        repz retq
+#ifndef __APPLE__
+.size	sp_384_mul_d_avx2_6,.-sp_384_mul_d_avx2_6
+#endif /* __APPLE__ */
+#endif /* HAVE_INTEL_AVX2 */
+#endif /* WOLFSSL_SP_384 */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/srp.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/srp.c
new file mode 100644
index 000000000..cf5eff19a
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/srp.c
@@ -0,0 +1,756 @@
+/* srp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef WOLFCRYPT_HAVE_SRP
+
+#include <wolfssl/wolfcrypt/srp.h>
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+/** Computes the session key using the Mask Generation Function 1. */
+static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size);
+
+static int SrpHashInit(SrpHash* hash, SrpType type)
+{
+    hash->type = type;
+
+    switch (type) {
+        case SRP_TYPE_SHA:
+            #ifndef NO_SHA
+                return wc_InitSha(&hash->data.sha);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA256:
+            #ifndef NO_SHA256
+                return wc_InitSha256(&hash->data.sha256);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA384:
+            #ifdef WOLFSSL_SHA384
+                return wc_InitSha384(&hash->data.sha384);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA512:
+            #ifdef WOLFSSL_SHA512
+                return wc_InitSha512(&hash->data.sha512);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        default:
+            return BAD_FUNC_ARG;
+    }
+}
+
+static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size)
+{
+    switch (hash->type) {
+        case SRP_TYPE_SHA:
+            #ifndef NO_SHA
+                return wc_ShaUpdate(&hash->data.sha, data, size);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA256:
+            #ifndef NO_SHA256
+                return wc_Sha256Update(&hash->data.sha256, data, size);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA384:
+            #ifdef WOLFSSL_SHA384
+                return wc_Sha384Update(&hash->data.sha384, data, size);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA512:
+            #ifdef WOLFSSL_SHA512
+                return wc_Sha512Update(&hash->data.sha512, data, size);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        default:
+            return BAD_FUNC_ARG;
+    }
+}
+
+static int SrpHashFinal(SrpHash* hash, byte* digest)
+{
+    switch (hash->type) {
+        case SRP_TYPE_SHA:
+            #ifndef NO_SHA
+                return wc_ShaFinal(&hash->data.sha, digest);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA256:
+            #ifndef NO_SHA256
+                return wc_Sha256Final(&hash->data.sha256, digest);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA384:
+            #ifdef WOLFSSL_SHA384
+                return wc_Sha384Final(&hash->data.sha384, digest);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        case SRP_TYPE_SHA512:
+            #ifdef WOLFSSL_SHA512
+                return wc_Sha512Final(&hash->data.sha512, digest);
+            #else
+                return BAD_FUNC_ARG;
+            #endif
+
+        default:
+            return BAD_FUNC_ARG;
+    }
+}
+
+static word32 SrpHashSize(SrpType type)
+{
+    switch (type) {
+        case SRP_TYPE_SHA:
+            #ifndef NO_SHA
+                return WC_SHA_DIGEST_SIZE;
+            #else
+                return 0;
+            #endif
+
+        case SRP_TYPE_SHA256:
+            #ifndef NO_SHA256
+                return WC_SHA256_DIGEST_SIZE;
+            #else
+                return 0;
+            #endif
+
+        case SRP_TYPE_SHA384:
+            #ifdef WOLFSSL_SHA384
+                return WC_SHA384_DIGEST_SIZE;
+            #else
+                return 0;
+            #endif
+
+        case SRP_TYPE_SHA512:
+            #ifdef WOLFSSL_SHA512
+                return WC_SHA512_DIGEST_SIZE;
+            #else
+                return 0;
+            #endif
+
+        default:
+            return 0;
+    }
+}
+
+int wc_SrpInit(Srp* srp, SrpType type, SrpSide side)
+{
+    int r;
+
+    /* validating params */
+
+    if (!srp)
+        return BAD_FUNC_ARG;
+
+    if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE)
+        return BAD_FUNC_ARG;
+
+    switch (type) {
+        case SRP_TYPE_SHA:
+            #ifdef NO_SHA
+                return NOT_COMPILED_IN;
+            #else
+                break; /* OK */
+            #endif
+
+        case SRP_TYPE_SHA256:
+            #ifdef NO_SHA256
+                return NOT_COMPILED_IN;
+            #else
+                break; /* OK */
+            #endif
+
+        case SRP_TYPE_SHA384:
+            #ifndef WOLFSSL_SHA384
+                return NOT_COMPILED_IN;
+            #else
+                break; /* OK */
+            #endif
+
+        case SRP_TYPE_SHA512:
+            #ifndef WOLFSSL_SHA512
+                return NOT_COMPILED_IN;
+            #else
+                break; /* OK */
+            #endif
+
+        default:
+            return BAD_FUNC_ARG;
+    }
+
+    /* initializing variables */
+
+    XMEMSET(srp, 0, sizeof(Srp));
+
+    if ((r = SrpHashInit(&srp->client_proof, type)) != 0)
+        return r;
+
+    if ((r = SrpHashInit(&srp->server_proof, type)) != 0)
+        return r;
+
+    if ((r = mp_init_multi(&srp->N,    &srp->g, &srp->auth,
+                           &srp->priv, 0, 0)) != 0)
+        return r;
+
+    srp->side = side;    srp->type   = type;
+    srp->salt = NULL;    srp->saltSz = 0;
+    srp->user = NULL;    srp->userSz = 0;
+    srp->key  = NULL;    srp->keySz  = 0;
+
+    srp->keyGenFunc_cb = wc_SrpSetKey;
+
+    /* default heap hint to NULL or test value */
+#ifdef WOLFSSL_HEAP_TEST
+    srp->heap = (void*)WOLFSSL_HEAP_TEST;
+#else
+    srp->heap = NULL;
+#endif
+
+    return 0;
+}
+
+void wc_SrpTerm(Srp* srp)
+{
+    if (srp) {
+        mp_clear(&srp->N);    mp_clear(&srp->g);
+        mp_clear(&srp->auth); mp_clear(&srp->priv);
+        if (srp->salt) {
+            ForceZero(srp->salt, srp->saltSz);
+            XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
+        }
+        if (srp->user) {
+            ForceZero(srp->user, srp->userSz);
+            XFREE(srp->user, srp->heap, DYNAMIC_TYPE_SRP);
+        }
+        if (srp->key) {
+            ForceZero(srp->key, srp->keySz);
+            XFREE(srp->key, srp->heap, DYNAMIC_TYPE_SRP);
+        }
+
+        ForceZero(srp, sizeof(Srp));
+    }
+}
+
+int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size)
+{
+    if (!srp || !username)
+        return BAD_FUNC_ARG;
+
+    srp->user = (byte*)XMALLOC(size, srp->heap, DYNAMIC_TYPE_SRP);
+    if (srp->user == NULL)
+        return MEMORY_E;
+
+    srp->userSz = size;
+    XMEMCPY(srp->user, username, srp->userSz);
+
+    return 0;
+}
+
+int wc_SrpSetParams(Srp* srp, const byte* N,    word32 nSz,
+                              const byte* g,    word32 gSz,
+                              const byte* salt, word32 saltSz)
+{
+    SrpHash hash;
+    byte digest1[SRP_MAX_DIGEST_SIZE];
+    byte digest2[SRP_MAX_DIGEST_SIZE];
+    byte pad = 0;
+    int i, r;
+    int j = 0;
+
+    if (!srp || !N || !g || !salt || nSz < gSz)
+        return BAD_FUNC_ARG;
+
+    if (!srp->user)
+        return SRP_CALL_ORDER_E;
+
+    /* Set N */
+    if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY)
+        return MP_READ_E;
+
+    if (mp_count_bits(&srp->N) < SRP_MODULUS_MIN_BITS)
+        return BAD_FUNC_ARG;
+
+    /* Set g */
+    if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY)
+        return MP_READ_E;
+
+    if (mp_cmp(&srp->N, &srp->g) != MP_GT)
+        return BAD_FUNC_ARG;
+
+    /* Set salt */
+    if (srp->salt) {
+        ForceZero(srp->salt, srp->saltSz);
+        XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
+    }
+
+    srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
+    if (srp->salt == NULL)
+        return MEMORY_E;
+
+    XMEMCPY(srp->salt, salt, saltSz);
+    srp->saltSz = saltSz;
+
+    /* Set k = H(N, g) */
+            r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
+    for (i = 0; (word32)i < nSz - gSz; i++) {
+        if (!r) r = SrpHashUpdate(&hash, &pad, 1);
+    }
+    if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
+    if (!r) r = SrpHashFinal(&hash, srp->k);
+
+    /* update client proof */
+
+    /* digest1 = H(N) */
+    if (!r) r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
+    if (!r) r = SrpHashFinal(&hash, digest1);
+
+    /* digest2 = H(g) */
+    if (!r) r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
+    if (!r) r = SrpHashFinal(&hash, digest2);
+
+    /* digest1 = H(N) ^ H(g) */
+    if (r == 0) {
+        for (i = 0, j = SrpHashSize(srp->type); i < j; i++)
+            digest1[i] ^= digest2[i];
+    }
+
+    /* digest2 = H(user) */
+    if (!r) r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
+    if (!r) r = SrpHashFinal(&hash, digest2);
+
+    /* client proof = H( H(N) ^ H(g) | H(user) | salt) */
+    if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j);
+    if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j);
+    if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz);
+
+    return r;
+}
+
+int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size)
+{
+    SrpHash hash;
+    byte digest[SRP_MAX_DIGEST_SIZE];
+    word32 digestSz;
+    int r;
+
+    if (!srp || !password || srp->side != SRP_CLIENT_SIDE)
+        return BAD_FUNC_ARG;
+
+    if (!srp->salt)
+        return SRP_CALL_ORDER_E;
+
+    digestSz = SrpHashSize(srp->type);
+
+    /* digest = H(username | ':' | password) */
+            r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
+    if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1);
+    if (!r) r = SrpHashUpdate(&hash, password, size);
+    if (!r) r = SrpHashFinal(&hash, digest);
+
+    /* digest = H(salt | H(username | ':' | password)) */
+    if (!r) r = SrpHashInit(&hash, srp->type);
+    if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz);
+    if (!r) r = SrpHashUpdate(&hash, digest, digestSz);
+    if (!r) r = SrpHashFinal(&hash, digest);
+
+    /* Set x (private key) */
+    if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz);
+
+    ForceZero(digest, SRP_MAX_DIGEST_SIZE);
+
+    return r;
+}
+
+int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
+{
+    mp_int v;
+    int r;
+
+    if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE)
+        return BAD_FUNC_ARG;
+
+    if (mp_iszero(&srp->auth) == MP_YES)
+        return SRP_CALL_ORDER_E;
+
+    r = mp_init(&v);
+    if (r != MP_OKAY)
+        return MP_INIT_E;
+
+    /* v = g ^ x % N */
+    if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
+    if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
+    if (!r) r = mp_to_unsigned_bin(&v, verifier);
+    if (!r) *size = mp_unsigned_bin_size(&v);
+
+    mp_clear(&v);
+
+    return r;
+}
+
+int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size)
+{
+    if (!srp || !verifier || srp->side != SRP_SERVER_SIDE)
+        return BAD_FUNC_ARG;
+
+    return mp_read_unsigned_bin(&srp->auth, verifier, size);
+}
+
+int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
+{
+    mp_int p;
+    int r;
+
+    if (!srp || !priv || !size)
+        return BAD_FUNC_ARG;
+
+    if (mp_iszero(&srp->auth) == MP_YES)
+        return SRP_CALL_ORDER_E;
+
+    r = mp_init(&p);
+    if (r != MP_OKAY)
+        return MP_INIT_E;
+    if (!r) r = mp_read_unsigned_bin(&p, priv, size);
+    if (!r) r = mp_mod(&p, &srp->N, &srp->priv);
+    if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
+
+    mp_clear(&p);
+
+    return r;
+}
+
+/** Generates random data using wolfcrypt RNG. */
+static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size)
+{
+    WC_RNG rng;
+    int r = wc_InitRng(&rng);
+
+    if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size);
+    if (!r) r = wc_SrpSetPrivate(srp, priv, size);
+    if (!r) wc_FreeRng(&rng);
+
+    return r;
+}
+
+int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size)
+{
+    mp_int pubkey;
+    word32 modulusSz;
+    int r;
+
+    if (!srp || !pub || !size)
+        return BAD_FUNC_ARG;
+
+    if (mp_iszero(&srp->auth) == MP_YES)
+        return SRP_CALL_ORDER_E;
+
+    modulusSz = mp_unsigned_bin_size(&srp->N);
+    if (*size < modulusSz)
+        return BUFFER_E;
+
+    r = mp_init(&pubkey);
+    if (r != MP_OKAY)
+        return MP_INIT_E;
+
+    /* priv = random() */
+    if (mp_iszero(&srp->priv) == MP_YES)
+        r = wc_SrpGenPrivate(srp, pub, SRP_PRIVATE_KEY_MIN_BITS / 8);
+
+    /* client side: A = g ^ a % N */
+    if (srp->side == SRP_CLIENT_SIDE) {
+        if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
+
+    /* server side: B = (k * v + (g ^ b % N)) % N */
+    } else {
+        mp_int i, j;
+
+        if (mp_init_multi(&i, &j, 0, 0, 0, 0) == MP_OKAY) {
+            if (!r) r = mp_read_unsigned_bin(&i, srp->k,SrpHashSize(srp->type));
+            if (!r) r = mp_iszero(&i) == MP_YES ? SRP_BAD_KEY_E : 0;
+            if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
+            if (!r) r = mp_mulmod(&i, &srp->auth, &srp->N, &j);
+            if (!r) r = mp_add(&j, &pubkey, &i);
+            if (!r) r = mp_mod(&i, &srp->N, &pubkey);
+
+            mp_clear(&i); mp_clear(&j);
+        }
+    }
+
+    /* extract public key to buffer */
+    XMEMSET(pub, 0, modulusSz);
+    if (!r) r = mp_to_unsigned_bin(&pubkey, pub);
+    if (!r) *size = mp_unsigned_bin_size(&pubkey);
+    mp_clear(&pubkey);
+
+    return r;
+}
+
+static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size)
+{
+    SrpHash hash;
+    byte digest[SRP_MAX_DIGEST_SIZE];
+    word32 i, j, digestSz = SrpHashSize(srp->type);
+    byte counter[4];
+    int r = BAD_FUNC_ARG;
+
+    XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE);
+
+    srp->key = (byte*)XMALLOC(2 * digestSz, srp->heap, DYNAMIC_TYPE_SRP);
+    if (srp->key == NULL)
+        return MEMORY_E;
+
+    srp->keySz = 2 * digestSz;
+
+    for (i = j = 0; j < srp->keySz; i++) {
+        counter[0] = (i >> 24) & 0xFF;
+        counter[1] = (i >> 16) & 0xFF;
+        counter[2] = (i >>  8) & 0xFF;
+        counter[3] =  i        & 0xFF;
+
+        r = SrpHashInit(&hash, srp->type);
+        if (!r) r = SrpHashUpdate(&hash, secret, size);
+        if (!r) r = SrpHashUpdate(&hash, counter, 4);
+
+        if (j + digestSz > srp->keySz) {
+            if (!r) r = SrpHashFinal(&hash, digest);
+            XMEMCPY(srp->key + j, digest, srp->keySz - j);
+            j = srp->keySz;
+        }
+        else {
+            if (!r) r = SrpHashFinal(&hash, srp->key + j);
+            j += digestSz;
+        }
+    }
+
+    ForceZero(digest, sizeof(digest));
+    ForceZero(&hash, sizeof(SrpHash));
+
+    return r;
+}
+
+int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz,
+                               byte* serverPubKey, word32 serverPubKeySz)
+{
+    SrpHash hash;
+    byte *secret;
+    byte digest[SRP_MAX_DIGEST_SIZE];
+    word32 i, secretSz, digestSz;
+    mp_int u, s, temp1, temp2;
+    byte pad = 0;
+    int r;
+
+    /* validating params */
+
+    if (!srp || !clientPubKey || clientPubKeySz == 0
+             || !serverPubKey || serverPubKeySz == 0)
+        return BAD_FUNC_ARG;
+
+    if (mp_iszero(&srp->priv) == MP_YES)
+        return SRP_CALL_ORDER_E;
+
+    /* initializing variables */
+
+    if ((r = SrpHashInit(&hash, srp->type)) != 0)
+        return r;
+
+    digestSz = SrpHashSize(srp->type);
+    secretSz = mp_unsigned_bin_size(&srp->N);
+
+    if ((secret = (byte*)XMALLOC(secretSz, srp->heap, DYNAMIC_TYPE_SRP)) ==NULL)
+        return MEMORY_E;
+
+    if ((r = mp_init_multi(&u, &s, &temp1, &temp2, 0, 0)) != MP_OKAY) {
+        XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
+        return r;
+    }
+
+    /* building u (random scrambling parameter) */
+
+    /* H(A) */
+    for (i = 0; !r && i < secretSz - clientPubKeySz; i++)
+        r = SrpHashUpdate(&hash, &pad, 1);
+    if (!r) r = SrpHashUpdate(&hash, clientPubKey, clientPubKeySz);
+
+    /* H(A | B) */
+    for (i = 0; !r && i < secretSz - serverPubKeySz; i++)
+        r = SrpHashUpdate(&hash, &pad, 1);
+    if (!r) r = SrpHashUpdate(&hash, serverPubKey, serverPubKeySz);
+
+    /* set u */
+    if (!r) r = SrpHashFinal(&hash, digest);
+    if (!r) r = mp_read_unsigned_bin(&u, digest, SrpHashSize(srp->type));
+
+    /* building s (secret) */
+
+    if (!r && srp->side == SRP_CLIENT_SIDE) {
+
+        /* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */
+        r = mp_read_unsigned_bin(&temp1, srp->k, digestSz);
+        if (!r) r = mp_iszero(&temp1) == MP_YES ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &temp2);
+        if (!r) r = mp_mulmod(&temp1, &temp2, &srp->N, &s);
+        if (!r) r = mp_read_unsigned_bin(&temp2, serverPubKey, serverPubKeySz);
+        if (!r) r = mp_iszero(&temp2) == MP_YES ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_cmp(&temp2, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_sub(&temp2, &s, &temp1);
+
+        /* temp2 = a + u * x */
+        if (!r) r = mp_mulmod(&u, &srp->auth, &srp->N, &s);
+        if (!r) r = mp_add(&srp->priv, &s, &temp2);
+
+        /* secret = temp1 ^ temp2 % N */
+        if (!r) r = mp_exptmod(&temp1, &temp2, &srp->N, &s);
+
+    } else if (!r && srp->side == SRP_SERVER_SIDE) {
+        /* temp1 = v ^ u % N */
+        r = mp_exptmod(&srp->auth, &u, &srp->N, &temp1);
+
+        /* temp2 = A * temp1 % N; rejects A == 0, A >= N */
+        if (!r) r = mp_read_unsigned_bin(&s, clientPubKey, clientPubKeySz);
+        if (!r) r = mp_iszero(&s) == MP_YES ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_cmp(&s, &srp->N) != MP_LT ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_mulmod(&s, &temp1, &srp->N, &temp2);
+
+        /* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */
+        if (!r) r = mp_read_unsigned_bin(&temp1, (const byte*)"\001", 1);
+        if (!r) r = mp_cmp(&temp2, &temp1) != MP_GT ? SRP_BAD_KEY_E : 0;
+        if (!r) r = mp_sub(&srp->N, &temp1, &s);
+        if (!r) r = mp_cmp(&temp2, &s) == MP_EQ ? SRP_BAD_KEY_E : 0;
+
+        /* secret = temp2 * b % N */
+        if (!r) r = mp_exptmod(&temp2, &srp->priv, &srp->N, &s);
+    }
+
+    /* building session key from secret */
+
+    if (!r) r = mp_to_unsigned_bin(&s, secret);
+    if (!r) r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(&s));
+
+    /* updating client proof = H( H(N) ^ H(g) | H(user) | salt | A | B | K) */
+
+    if (!r) r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz);
+    if (!r) r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz);
+    if (!r) r = SrpHashUpdate(&srp->client_proof, srp->key,     srp->keySz);
+
+    /* updating server proof = H(A) */
+
+    if (!r) r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz);
+
+    XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
+    mp_clear(&u); mp_clear(&s); mp_clear(&temp1); mp_clear(&temp2);
+
+    return r;
+}
+
+int wc_SrpGetProof(Srp* srp, byte* proof, word32* size)
+{
+    int r;
+
+    if (!srp || !proof || !size)
+        return BAD_FUNC_ARG;
+
+    if (*size < SrpHashSize(srp->type))
+        return BUFFER_E;
+
+    if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE
+                          ? &srp->client_proof
+                          : &srp->server_proof, proof)) != 0)
+        return r;
+
+    *size = SrpHashSize(srp->type);
+
+    if (srp->side == SRP_CLIENT_SIDE) {
+        /* server proof = H( A | client proof | K) */
+        if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size);
+        if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
+    }
+
+    return r;
+}
+
+int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
+{
+    byte digest[SRP_MAX_DIGEST_SIZE];
+    int r;
+
+    if (!srp || !proof)
+        return BAD_FUNC_ARG;
+
+    if (size != SrpHashSize(srp->type))
+        return BUFFER_E;
+
+    r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
+                                                  : &srp->client_proof, digest);
+
+    if (srp->side == SRP_SERVER_SIDE) {
+        /* server proof = H( A | client proof | K) */
+        if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size);
+        if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
+    }
+
+    if (!r && XMEMCMP(proof, digest, size) != 0)
+        r = SRP_VERIFY_E;
+
+    return r;
+}
+
+#endif /* WOLFCRYPT_HAVE_SRP */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/tfm.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/tfm.c
index 2c1e86c31..61b31f0e1 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/tfm.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/tfm.c
@@ -1,8 +1,8 @@
 /* tfm.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,18 +16,19 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 
+
 /*
  * Based on public domain TomsFastMath 0.10 by Tom St Denis, tomstdenis@iahu.ca,
  * http://math.libtomcrypt.com
  */
 
 /**
- *  Edited by Moisés Guimarães (moisesguimaraesm@gmail.com)
- *  to fit CyaSSL's needs.
+ *  Edited by Moises Guimaraes (moises@wolfssl.com)
+ *  to fit wolfSSL's needs.
  */
 
 #ifdef HAVE_CONFIG_H
@@ -36,19 +37,62 @@
 
 /* in case user set USE_FAST_MATH there */
 #include <wolfssl/wolfcrypt/settings.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
 
 #ifdef USE_FAST_MATH
 
+#include <wolfssl/wolfcrypt/random.h>
 #include <wolfssl/wolfcrypt/tfm.h>
 #include <wolfcrypt/src/asm.c>  /* will define asm MACROS or C ones */
+#include <wolfssl/wolfcrypt/wolfmath.h> /* common functions */
 
+#if defined(FREESCALE_LTC_TFM)
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
+#ifdef WOLFSSL_DEBUG_MATH
+    #include <stdio.h>
+#endif
 
+#ifdef USE_WINDOWS_API
+    #pragma warning(disable:4127)
+    /* Disables the warning:
+     *   4127: conditional expression is constant
+     * in this file.
+     */
+#endif
+
+#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
+#ifdef __cplusplus
+    extern "C" {
+#endif
+WOLFSSL_LOCAL int sp_ModExp_1024(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_1536(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_2048(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_3072(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+WOLFSSL_LOCAL int sp_ModExp_4096(mp_int* base, mp_int* exp, mp_int* mod,
+    mp_int* res);
+#ifdef __cplusplus
+    } /* extern "C" */
+#endif
+#endif
+
+
+#ifndef WOLFSSL_SP_MATH
 /* math settings check */
 word32 CheckRunTimeSettings(void)
 {
     return CTC_SETTINGS;
 }
-
+#endif
 
 /* math settings size check */
 word32 CheckRunTimeFastMath(void)
@@ -92,12 +136,12 @@ void fp_add(fp_int *a, fp_int *b, fp_int *c)
 void s_fp_add(fp_int *a, fp_int *b, fp_int *c)
 {
   int      x, y, oldused;
-  register fp_word  t;
+  fp_word  t;
 
   y       = MAX(a->used, b->used);
   oldused = MIN(c->used, FP_SIZE);   /* help static analysis w/ largest size */
   c->used = y;
- 
+
   t = 0;
   for (x = 0; x < y; x++) {
       t         += ((fp_word)a->dp[x]) + ((fp_word)b->dp[x]);
@@ -110,6 +154,8 @@ void s_fp_add(fp_int *a, fp_int *b, fp_int *c)
   }
 
   c->used = x;
+
+  /* zero any excess digits on the destination that we didn't write to */
   for (; x < oldused; x++) {
      c->dp[x] = 0;
   }
@@ -171,6 +217,8 @@ void s_fp_sub(fp_int *a, fp_int *b, fp_int *c)
      c->dp[x]  = (fp_digit)t;
      t         = (t >> DIGIT_BIT)&1;
    }
+
+  /* zero any excess digits on the destination that we didn't write to */
   for (; x < oldused; x++) {
      c->dp[x] = 0;
   }
@@ -178,149 +226,166 @@ void s_fp_sub(fp_int *a, fp_int *b, fp_int *c)
 }
 
 /* c = a * b */
-void fp_mul(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul(fp_int *A, fp_int *B, fp_int *C)
 {
-    int   y, yy;
+    int   ret = 0;
+    int   y, yy, oldused;
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+  ret = esp_mp_mul(A, B, C);
+  if(ret != -2) return ret;
+#endif
+
+    oldused = C->used;
 
     y  = MAX(A->used, B->used);
     yy = MIN(A->used, B->used);
 
     /* call generic if we're out of range */
     if (y + yy > FP_SIZE) {
-       fp_mul_comba(A, B, C);
-       return ;
+       ret = fp_mul_comba(A, B, C);
+       goto clean;
     }
 
     /* pick a comba (unrolled 4/8/16/32 x or rolled) based on the size
-       of the largest input.  We also want to avoid doing excess mults if the 
+       of the largest input.  We also want to avoid doing excess mults if the
        inputs are not close to the next power of two.  That is, for example,
-       if say y=17 then we would do (32-17)^2 = 225 unneeded multiplications 
+       if say y=17 then we would do (32-17)^2 = 225 unneeded multiplications
     */
 
-#ifdef TFM_MUL3
+#if defined(TFM_MUL3) && FP_SIZE >= 6
         if (y <= 3) {
-           fp_mul_comba3(A,B,C);
-           return;
+           ret = fp_mul_comba3(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL4
+#if defined(TFM_MUL4) && FP_SIZE >= 8
         if (y == 4) {
-           fp_mul_comba4(A,B,C);
-           return;
+           ret = fp_mul_comba4(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL6
+#if defined(TFM_MUL6) && FP_SIZE >= 12
         if (y <= 6) {
-           fp_mul_comba6(A,B,C);
-           return;
+           ret = fp_mul_comba6(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL7
+#if defined(TFM_MUL7) && FP_SIZE >= 14
         if (y == 7) {
-           fp_mul_comba7(A,B,C);
-           return;
+           ret = fp_mul_comba7(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL8
+#if defined(TFM_MUL8) && FP_SIZE >= 16
         if (y == 8) {
-           fp_mul_comba8(A,B,C);
-           return;
+           ret = fp_mul_comba8(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL9
+#if defined(TFM_MUL9) && FP_SIZE >= 18
         if (y == 9) {
-           fp_mul_comba9(A,B,C);
-           return;
+           ret = fp_mul_comba9(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL12
+#if defined(TFM_MUL12) && FP_SIZE >= 24
         if (y <= 12) {
-           fp_mul_comba12(A,B,C);
-           return;
+           ret = fp_mul_comba12(A,B,C);
+           goto clean;
         }
 #endif
-#ifdef TFM_MUL17
+#if defined(TFM_MUL17) && FP_SIZE >= 34
         if (y <= 17) {
-           fp_mul_comba17(A,B,C);
-           return;
+           ret = fp_mul_comba17(A,B,C);
+           goto clean;
         }
 #endif
 
-#ifdef TFM_SMALL_SET
+#if defined(TFM_SMALL_SET) && FP_SIZE >= 32
         if (y <= 16) {
-           fp_mul_comba_small(A,B,C);
-           return;
+           ret = fp_mul_comba_small(A,B,C);
+           goto clean;
         }
-#endif        
-#if defined(TFM_MUL20)
+#endif
+#if defined(TFM_MUL20) && FP_SIZE >= 40
         if (y <= 20) {
-           fp_mul_comba20(A,B,C);
-           return;
+           ret = fp_mul_comba20(A,B,C);
+           goto clean;
         }
 #endif
-#if defined(TFM_MUL24)
+#if defined(TFM_MUL24) && FP_SIZE >= 48
         if (yy >= 16 && y <= 24) {
-           fp_mul_comba24(A,B,C);
-           return;
+           ret = fp_mul_comba24(A,B,C);
+           goto clean;
         }
 #endif
-#if defined(TFM_MUL28)
+#if defined(TFM_MUL28) && FP_SIZE >= 56
         if (yy >= 20 && y <= 28) {
-           fp_mul_comba28(A,B,C);
-           return;
+           ret = fp_mul_comba28(A,B,C);
+           goto clean;
         }
 #endif
-#if defined(TFM_MUL32)
+#if defined(TFM_MUL32) && FP_SIZE >= 64
         if (yy >= 24 && y <= 32) {
-           fp_mul_comba32(A,B,C);
-           return;
+           ret = fp_mul_comba32(A,B,C);
+           goto clean;
         }
 #endif
-#if defined(TFM_MUL48)
+#if defined(TFM_MUL48) && FP_SIZE >= 96
         if (yy >= 40 && y <= 48) {
-           fp_mul_comba48(A,B,C);
-           return;
+          ret = fp_mul_comba48(A,B,C);
+          goto clean;
         }
-#endif        
-#if defined(TFM_MUL64)
+#endif
+#if defined(TFM_MUL64) && FP_SIZE >= 128
         if (yy >= 56 && y <= 64) {
-           fp_mul_comba64(A,B,C);
-           return;
+           ret = fp_mul_comba64(A,B,C);
+           goto clean;
         }
 #endif
-        fp_mul_comba(A,B,C);
+        ret = fp_mul_comba(A,B,C);
+
+clean:
+    /* zero any excess digits on the destination that we didn't write to */
+    for (y = C->used; y >= 0 && y < oldused; y++) {
+        C->dp[y] = 0;
+    }
+
+    return ret;
 }
 
 void fp_mul_2(fp_int * a, fp_int * b)
 {
   int     x, oldused;
-   
+
   oldused = b->used;
   b->used = a->used;
 
   {
-    register fp_digit r, rr, *tmpa, *tmpb;
+    fp_digit r, rr, *tmpa, *tmpb;
 
     /* alias for source */
     tmpa = a->dp;
-    
+
     /* alias for dest */
     tmpb = b->dp;
 
     /* carry */
     r = 0;
     for (x = 0; x < a->used; x++) {
-    
-      /* get what will be the *next* carry bit from the 
-       * MSB of the current digit 
+
+      /* get what will be the *next* carry bit from the
+       * MSB of the current digit
        */
       rr = *tmpa >> ((fp_digit)(DIGIT_BIT - 1));
-      
+
       /* now shift up this digit, add in the carry [from the previous] */
       *tmpb++ = ((*tmpa++ << ((fp_digit)1)) | r);
-      
-      /* copy the carry that would be from the source 
-       * digit into the next iteration 
+
+      /* copy the carry that would be from the source
+       * digit into the next iteration
        */
       r = rr;
     }
@@ -332,9 +397,7 @@ void fp_mul_2(fp_int * a, fp_int * b)
       ++(b->used);
     }
 
-    /* now zero any excess digits on the destination 
-     * that we didn't write to 
-     */
+    /* zero any excess digits on the destination that we didn't write to */
     tmpb = b->dp + b->used;
     for (x = b->used; x < oldused; x++) {
       *tmpb++ = 0;
@@ -362,7 +425,10 @@ void fp_mul_d(fp_int *a, fp_digit b, fp_int *c)
       c->dp[c->used++] = (fp_digit) w;
       ++x;
    }
-   for (; x < oldused; x++) {
+
+   /* zero any excess digits on the destination that we didn't write to */
+   /* also checking FP_SIZE here for static analysis */
+   for (; x < oldused && x < FP_SIZE; x++) {
       c->dp[x] = 0;
    }
    fp_clamp(c);
@@ -385,7 +451,7 @@ void fp_mul_2d(fp_int *a, int b, fp_int *c)
 
    /* shift the digits */
    if (b != 0) {
-      carry = 0;   
+      carry = 0;
       shift = DIGIT_BIT - b;
       for (x = 0; x < c->used; x++) {
           carrytmp = c->dp[x] >> shift;
@@ -403,24 +469,37 @@ void fp_mul_2d(fp_int *a, int b, fp_int *c)
 /* generic PxQ multiplier */
 #if defined(HAVE_INTEL_MULX)
 
-INLINE static void fp_mul_comba_mulx(fp_int *A, fp_int *B, fp_int *C)
+WC_INLINE static int fp_mul_comba_mulx(fp_int *A, fp_int *B, fp_int *C)
 
-{     
+{
    int       ix, iy, iz, pa;
-   fp_int    tmp, *dst;
+   fp_int    *dst;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int    tmp[1];
+#else
+   fp_int    *tmp;
+#endif
+ 
+   /* Variables used but not seen by cppcheck. */
+   (void)ix; (void)iy; (void)iz;
+
+#ifdef WOLFSSL_SMALL_STACK
+   tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (tmp == NULL)
+       return FP_MEM;
+#endif
 
    /* get size of output and trim */
    pa = A->used + B->used;
    if (pa >= FP_SIZE) {
       pa = FP_SIZE-1;
    }
- 
-   if (A == C || B == C) {
-      fp_init(&tmp);
-      dst = &tmp;
-   } else {
-      fp_zero(C);
-      dst = C;
+
+   /* Always take branch to use tmp variable. This avoids a cache attack for
+    * determining if C equals A */
+   if (1) {
+      fp_init(tmp);
+      dst = tmp;
    }
 
    TFM_INTEL_MUL_COMBA(A, B, dst) ;
@@ -428,45 +507,62 @@ INLINE static void fp_mul_comba_mulx(fp_int *A, fp_int *B, fp_int *C)
   dst->used = pa;
   dst->sign = A->sign ^ B->sign;
   fp_clamp(dst);
-  fp_copy(dst, C);  
+  fp_copy(dst, C);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+  return FP_OKAY;
 }
 #endif
 
-void fp_mul_comba(fp_int *A, fp_int *B, fp_int *C)
+int fp_mul_comba(fp_int *A, fp_int *B, fp_int *C)
 {
+   int       ret = 0;
    int       ix, iy, iz, tx, ty, pa;
    fp_digit  c0, c1, c2, *tmpx, *tmpy;
-   fp_int    tmp, *dst;
+   fp_int    *dst;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int    tmp[1];
+#else
+   fp_int    *tmp;
+#endif
+
+   IF_HAVE_INTEL_MULX(ret = fp_mul_comba_mulx(A, B, C), return ret) ;
 
-   IF_HAVE_INTEL_MULX(fp_mul_comba_mulx(A, B, C), return) ;
+#ifdef WOLFSSL_SMALL_STACK
+   tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (tmp == NULL)
+       return FP_MEM;
+#endif
 
    COMBA_START;
    COMBA_CLEAR;
-   
+
    /* get size of output and trim */
    pa = A->used + B->used;
    if (pa >= FP_SIZE) {
       pa = FP_SIZE-1;
    }
 
-   if (A == C || B == C) {
-      fp_init(&tmp);
-      dst = &tmp;
-   } else {
-      fp_zero(C);
-      dst = C;
+   /* Always take branch to use tmp variable. This avoids a cache attack for
+    * determining if C equals A */
+   if (1) {
+      fp_init(tmp);
+      dst = tmp;
    }
 
    for (ix = 0; ix < pa; ix++) {
       /* get offsets into the two bignums */
-      ty = MIN(ix, B->used-1);
+      ty = MIN(ix, (B->used > 0 ? B->used - 1 : 0));
       tx = ix - ty;
 
       /* setup temp aliases */
       tmpx = A->dp + tx;
       tmpy = B->dp + ty;
 
-      /* this is the number of times the loop will iterrate, essentially its 
+      /* this is the number of times the loop will iterate, essentially its
          while (tx++ < a->used && ty-- >= 0) { ... }
        */
       iy = MIN(A->used-tx, ty+1);
@@ -474,8 +570,9 @@ void fp_mul_comba(fp_int *A, fp_int *B, fp_int *C)
       /* execute loop */
       COMBA_FORWARD;
       for (iz = 0; iz < iy; ++iz) {
-          /* TAO change COMBA_ADD back to MULADD */
-          MULADD(*tmpx++, *tmpy--);
+          fp_digit _tmpx = *tmpx++;
+          fp_digit _tmpy = *tmpy--;
+          MULADD(_tmpx, _tmpy);
       }
 
       /* store term */
@@ -487,16 +584,28 @@ void fp_mul_comba(fp_int *A, fp_int *B, fp_int *C)
   dst->sign = A->sign ^ B->sign;
   fp_clamp(dst);
   fp_copy(dst, C);
+  
+  /* Variables used but not seen by cppcheck. */
+  (void)c0; (void)c1; (void)c2;
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return ret;
 }
 
 /* a/b => cb + d == a */
 int fp_div(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
 {
-  fp_int  q, x, y, t1, t2;
   int     n, t, i, norm, neg;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int  q[1], x[1], y[1], t1[1], t2[1];
+#else
+  fp_int  *q, *x, *y, *t1, *t2;
+#endif
 
   /* is divisor zero ? */
-  if (fp_iszero (b) == 1) {
+  if (fp_iszero (b) == FP_YES) {
     return FP_VAL;
   }
 
@@ -504,131 +613,140 @@ int fp_div(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
   if (fp_cmp_mag (a, b) == FP_LT) {
     if (d != NULL) {
       fp_copy (a, d);
-    } 
+    }
     if (c != NULL) {
       fp_zero (c);
     }
     return FP_OKAY;
   }
 
-  fp_init(&q);
-  q.used = a->used + 2;
+#ifdef WOLFSSL_SMALL_STACK
+  q = (fp_int*)XMALLOC(sizeof(fp_int) * 5, NULL, DYNAMIC_TYPE_BIGINT);
+  if (q == NULL) {
+      return FP_MEM;
+  }
+  x = &q[1]; y = &q[2]; t1 = &q[3]; t2 = &q[4];
+#endif
+
+  fp_init(q);
+  q->used = a->used + 2;
 
-  fp_init(&t1);
-  fp_init(&t2);
-  fp_init_copy(&x, a);
-  fp_init_copy(&y, b);
+  fp_init(t1);
+  fp_init(t2);
+  fp_init_copy(x, a);
+  fp_init_copy(y, b);
 
   /* fix the sign */
   neg = (a->sign == b->sign) ? FP_ZPOS : FP_NEG;
-  x.sign = y.sign = FP_ZPOS;
+  x->sign = y->sign = FP_ZPOS;
 
   /* normalize both x and y, ensure that y >= b/2, [b == 2**DIGIT_BIT] */
-  norm = fp_count_bits(&y) % DIGIT_BIT;
+  norm = fp_count_bits(y) % DIGIT_BIT;
   if (norm < (int)(DIGIT_BIT-1)) {
      norm = (DIGIT_BIT-1) - norm;
-     fp_mul_2d (&x, norm, &x);
-     fp_mul_2d (&y, norm, &y);
+     fp_mul_2d (x, norm, x);
+     fp_mul_2d (y, norm, y);
   } else {
      norm = 0;
   }
 
   /* note hac does 0 based, so if used==5 then its 0,1,2,3,4, e.g. use 4 */
-  n = x.used - 1;
-  t = y.used - 1;
+  n = x->used - 1;
+  t = y->used - 1;
 
   /* while (x >= y*b**n-t) do { q[n-t] += 1; x -= y*b**{n-t} } */
-  fp_lshd (&y, n - t);                                             /* y = y*b**{n-t} */
+  fp_lshd (y, n - t); /* y = y*b**{n-t} */
 
-  while (fp_cmp (&x, &y) != FP_LT) {
-    ++(q.dp[n - t]);
-    fp_sub (&x, &y, &x);
+  while (fp_cmp (x, y) != FP_LT) {
+    ++(q->dp[n - t]);
+    fp_sub (x, y, x);
   }
 
   /* reset y by shifting it back down */
-  fp_rshd (&y, n - t);
+  fp_rshd (y, n - t);
 
   /* step 3. for i from n down to (t + 1) */
   for (i = n; i >= (t + 1); i--) {
-    if (i > x.used) {
+    if (i > x->used) {
       continue;
     }
 
-    /* step 3.1 if xi == yt then set q{i-t-1} to b-1, 
+    /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
      * otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
-    if (x.dp[i] == y.dp[t]) {
-      q.dp[i - t - 1] = (fp_digit) ((((fp_word)1) << DIGIT_BIT) - 1);
+    if (x->dp[i] == y->dp[t]) {
+      q->dp[i - t - 1] = (fp_digit) ((((fp_word)1) << DIGIT_BIT) - 1);
     } else {
       fp_word tmp;
-      tmp = ((fp_word) x.dp[i]) << ((fp_word) DIGIT_BIT);
-      tmp |= ((fp_word) x.dp[i - 1]);
-      tmp /= ((fp_word)y.dp[t]);
-      q.dp[i - t - 1] = (fp_digit) (tmp);
+      tmp = ((fp_word) x->dp[i]) << ((fp_word) DIGIT_BIT);
+      tmp |= ((fp_word) x->dp[i - 1]);
+      tmp /= ((fp_word)y->dp[t]);
+      q->dp[i - t - 1] = (fp_digit) (tmp);
     }
 
-    /* while (q{i-t-1} * (yt * b + y{t-1})) > 
-             xi * b**2 + xi-1 * b + xi-2 
-     
-       do q{i-t-1} -= 1; 
+    /* while (q{i-t-1} * (yt * b + y{t-1})) >
+             xi * b**2 + xi-1 * b + xi-2
+
+       do q{i-t-1} -= 1;
     */
-    q.dp[i - t - 1] = (q.dp[i - t - 1] + 1);
+    q->dp[i - t - 1] = (q->dp[i - t - 1] + 1);
     do {
-      q.dp[i - t - 1] = (q.dp[i - t - 1] - 1);
+      q->dp[i - t - 1] = (q->dp[i - t - 1] - 1);
 
       /* find left hand */
-      fp_zero (&t1);
-      t1.dp[0] = (t - 1 < 0) ? 0 : y.dp[t - 1];
-      t1.dp[1] = y.dp[t];
-      t1.used = 2;
-      fp_mul_d (&t1, q.dp[i - t - 1], &t1);
+      fp_zero (t1);
+      t1->dp[0] = (t - 1 < 0) ? 0 : y->dp[t - 1];
+      t1->dp[1] = y->dp[t];
+      t1->used = 2;
+      fp_mul_d (t1, q->dp[i - t - 1], t1);
 
       /* find right hand */
-      t2.dp[0] = (i - 2 < 0) ? 0 : x.dp[i - 2];
-      t2.dp[1] = (i - 1 < 0) ? 0 : x.dp[i - 1];
-      t2.dp[2] = x.dp[i];
-      t2.used = 3;
-    } while (fp_cmp_mag(&t1, &t2) == FP_GT);
+      t2->dp[0] = (i - 2 < 0) ? 0 : x->dp[i - 2];
+      t2->dp[1] = (i - 1 < 0) ? 0 : x->dp[i - 1];
+      t2->dp[2] = x->dp[i];
+      t2->used = 3;
+    } while (fp_cmp_mag(t1, t2) == FP_GT);
 
     /* step 3.3 x = x - q{i-t-1} * y * b**{i-t-1} */
-    fp_mul_d (&y, q.dp[i - t - 1], &t1);
-    fp_lshd  (&t1, i - t - 1);
-    fp_sub   (&x, &t1, &x);
+    fp_mul_d (y, q->dp[i - t - 1], t1);
+    fp_lshd  (t1, i - t - 1);
+    fp_sub   (x, t1, x);
 
     /* if x < 0 then { x = x + y*b**{i-t-1}; q{i-t-1} -= 1; } */
-    if (x.sign == FP_NEG) {
-      fp_copy (&y, &t1);
-      fp_lshd (&t1, i - t - 1);
-      fp_add (&x, &t1, &x);
-      q.dp[i - t - 1] = q.dp[i - t - 1] - 1;
+    if (x->sign == FP_NEG) {
+      fp_copy (y, t1);
+      fp_lshd (t1, i - t - 1);
+      fp_add (x, t1, x);
+      q->dp[i - t - 1] = q->dp[i - t - 1] - 1;
     }
   }
 
-  /* now q is the quotient and x is the remainder 
-   * [which we have to normalize] 
+  /* now q is the quotient and x is the remainder
+   * [which we have to normalize]
    */
-  
+
   /* get sign before writing to c */
-  x.sign = x.used == 0 ? FP_ZPOS : a->sign;
+  x->sign = x->used == 0 ? FP_ZPOS : a->sign;
 
   if (c != NULL) {
-    fp_clamp (&q);
-    fp_copy (&q, c);
+    fp_clamp (q);
+    fp_copy (q, c);
     c->sign = neg;
   }
 
   if (d != NULL) {
-    fp_div_2d (&x, norm, &x, NULL);
+    fp_div_2d (x, norm, x, NULL);
 
-/* the following is a kludge, essentially we were seeing the right remainder but 
-   with excess digits that should have been zero
- */
-    for (i = b->used; i < x.used; i++) {
-        x.dp[i] = 0;
+    /* zero any excess digits on the destination that we didn't write to */
+    for (i = b->used; i < x->used; i++) {
+        x->dp[i] = 0;
     }
-    fp_clamp(&x);
-    fp_copy (&x, d);
+    fp_clamp(x);
+    fp_copy (x, d);
   }
 
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
   return FP_OKAY;
 }
 
@@ -640,7 +758,7 @@ void fp_div_2(fp_int * a, fp_int * b)
   oldused = b->used;
   b->used = a->used;
   {
-    register fp_digit r, rr, *tmpa, *tmpb;
+    fp_digit r, rr, *tmpa, *tmpb;
 
     /* source alias */
     tmpa = a->dp + b->used - 1;
@@ -661,7 +779,7 @@ void fp_div_2(fp_int * a, fp_int * b)
       r = rr;
     }
 
-    /* zero excess digits */
+    /* zero any excess digits on the destination that we didn't write to */
     tmpb = b->dp + b->used;
     for (x = b->used; x < oldused; x++) {
       *tmpb++ = 0;
@@ -675,7 +793,6 @@ void fp_div_2(fp_int * a, fp_int * b)
 void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d)
 {
   int      D;
-  fp_int   t;
 
   /* if the shift count is <= 0 then we do no work */
   if (b <= 0) {
@@ -686,11 +803,9 @@ void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d)
     return;
   }
 
-  fp_init(&t);
-
-  /* get the remainder */
-  if (d != NULL) {
-    fp_mod_2d (a, b, &t);
+  /* get the remainder before a is changed in calculating c */
+  if (a == c && d != NULL) {
+    fp_mod_2d (a, b, d);
   }
 
   /* copy */
@@ -706,28 +821,45 @@ void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d)
   if (D != 0) {
     fp_rshb(c, D);
   }
-  fp_clamp (c);
-  if (d != NULL) {
-    fp_copy (&t, d);
+
+  /* get the remainder if a is not changed in calculating c */
+  if (a != c && d != NULL) {
+    fp_mod_2d (a, b, d);
   }
+
+  fp_clamp (c);
 }
 
 /* c = a mod b, 0 <= c < b  */
 int fp_mod(fp_int *a, fp_int *b, fp_int *c)
 {
-   fp_int t;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
    int    err;
 
-   fp_init(&t);
-   if ((err = fp_div(a, b, NULL, &t)) != FP_OKAY) {
-      return err;
-   }
-   if (t.sign != b->sign) {
-      fp_add(&t, b, c);
-   } else {
-      fp_copy(&t, c);
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+   fp_init(t);
+   err = fp_div(a, b, NULL, t);
+   if (err == FP_OKAY) {
+      if (t->sign != b->sign) {
+         fp_add(t, b, c);
+      } else {
+         fp_copy(t, c);
+     }
   }
-  return FP_OKAY;
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return err;
 }
 
 /* c = a mod 2**d */
@@ -743,7 +875,7 @@ void fp_mod_2d(fp_int *a, int b, fp_int *c)
 
    /* get copy of input */
    fp_copy(a, c);
- 
+
    /* if 2**d is larger than we just return */
    if (b >= (DIGIT_BIT * a->used)) {
       return;
@@ -760,218 +892,690 @@ void fp_mod_2d(fp_int *a, int b, fp_int *c)
 
 static int fp_invmod_slow (fp_int * a, fp_int * b, fp_int * c)
 {
-  fp_int  x, y, u, v, A, B, C, D;
-  int     res;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int  x[1], y[1], u[1], v[1], A[1], B[1], C[1], D[1];
+#else
+  fp_int  *x, *y, *u, *v, *A, *B, *C, *D;
+#endif
+  int     err;
 
   /* b cannot be negative */
-  if (b->sign == FP_NEG || fp_iszero(b) == 1) {
+  if (b->sign == FP_NEG || fp_iszero(b) == FP_YES) {
     return FP_VAL;
   }
+  if (fp_iszero(a) == FP_YES) {
+    return FP_VAL;
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  x = (fp_int*)XMALLOC(sizeof(fp_int) * 8, NULL, DYNAMIC_TYPE_BIGINT);
+  if (x == NULL) {
+      return FP_MEM;
+  }
+  y = &x[1]; u = &x[2]; v = &x[3]; A = &x[4]; B = &x[5]; C = &x[6]; D = &x[7];
+#endif
 
   /* init temps */
-  fp_init(&x);    fp_init(&y);
-  fp_init(&u);    fp_init(&v);
-  fp_init(&A);    fp_init(&B);
-  fp_init(&C);    fp_init(&D);
+  fp_init(x);    fp_init(y);
+  fp_init(u);    fp_init(v);
+  fp_init(A);    fp_init(B);
+  fp_init(C);    fp_init(D);
 
   /* x = a, y = b */
-  if ((res = fp_mod(a, b, &x)) != FP_OKAY) {
-      return res;
+  if ((err = fp_mod(a, b, x)) != FP_OKAY) {
+  #ifdef WOLFSSL_SMALL_STACK
+    XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+  #endif
+    return err;
   }
-  fp_copy(b, &y);
+  fp_copy(b, y);
 
   /* 2. [modified] if x,y are both even then return an error! */
-  if (fp_iseven (&x) == 1 && fp_iseven (&y) == 1) {
+  if (fp_iseven(x) == FP_YES && fp_iseven(y) == FP_YES) {
+  #ifdef WOLFSSL_SMALL_STACK
+    XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+  #endif
     return FP_VAL;
   }
 
   /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
-  fp_copy (&x, &u);
-  fp_copy (&y, &v);
-  fp_set (&A, 1);
-  fp_set (&D, 1);
+  fp_copy (x, u);
+  fp_copy (y, v);
+  fp_set (A, 1);
+  fp_set (D, 1);
 
 top:
   /* 4.  while u is even do */
-  while (fp_iseven (&u) == 1) {
+  while (fp_iseven (u) == FP_YES) {
     /* 4.1 u = u/2 */
-    fp_div_2 (&u, &u);
+    fp_div_2 (u, u);
 
     /* 4.2 if A or B is odd then */
-    if (fp_isodd (&A) == 1 || fp_isodd (&B) == 1) {
+    if (fp_isodd (A) == FP_YES || fp_isodd (B) == FP_YES) {
       /* A = (A+y)/2, B = (B-x)/2 */
-      fp_add (&A, &y, &A);
-      fp_sub (&B, &x, &B);
+      fp_add (A, y, A);
+      fp_sub (B, x, B);
     }
     /* A = A/2, B = B/2 */
-    fp_div_2 (&A, &A);
-    fp_div_2 (&B, &B);
+    fp_div_2 (A, A);
+    fp_div_2 (B, B);
   }
 
   /* 5.  while v is even do */
-  while (fp_iseven (&v) == 1) {
+  while (fp_iseven (v) == FP_YES) {
     /* 5.1 v = v/2 */
-    fp_div_2 (&v, &v);
+    fp_div_2 (v, v);
 
     /* 5.2 if C or D is odd then */
-    if (fp_isodd (&C) == 1 || fp_isodd (&D) == 1) {
+    if (fp_isodd (C) == FP_YES || fp_isodd (D) == FP_YES) {
       /* C = (C+y)/2, D = (D-x)/2 */
-      fp_add (&C, &y, &C);
-      fp_sub (&D, &x, &D);
+      fp_add (C, y, C);
+      fp_sub (D, x, D);
     }
     /* C = C/2, D = D/2 */
-    fp_div_2 (&C, &C);
-    fp_div_2 (&D, &D);
+    fp_div_2 (C, C);
+    fp_div_2 (D, D);
   }
 
   /* 6.  if u >= v then */
-  if (fp_cmp (&u, &v) != FP_LT) {
+  if (fp_cmp (u, v) != FP_LT) {
     /* u = u - v, A = A - C, B = B - D */
-    fp_sub (&u, &v, &u);
-    fp_sub (&A, &C, &A);
-    fp_sub (&B, &D, &B);
+    fp_sub (u, v, u);
+    fp_sub (A, C, A);
+    fp_sub (B, D, B);
   } else {
     /* v - v - u, C = C - A, D = D - B */
-    fp_sub (&v, &u, &v);
-    fp_sub (&C, &A, &C);
-    fp_sub (&D, &B, &D);
+    fp_sub (v, u, v);
+    fp_sub (C, A, C);
+    fp_sub (D, B, D);
   }
 
   /* if not zero goto step 4 */
-  if (fp_iszero (&u) == 0)
+  if (fp_iszero (u) == FP_NO)
     goto top;
 
   /* now a = C, b = D, gcd == g*v */
 
   /* if v != 1 then there is no inverse */
-  if (fp_cmp_d (&v, 1) != FP_EQ) {
+  if (fp_cmp_d (v, 1) != FP_EQ) {
+  #ifdef WOLFSSL_SMALL_STACK
+    XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+  #endif
     return FP_VAL;
   }
 
   /* if its too low */
-  while (fp_cmp_d(&C, 0) == FP_LT) {
-      fp_add(&C, b, &C);
+  while (fp_cmp_d(C, 0) == FP_LT) {
+      fp_add(C, b, C);
   }
-  
+
   /* too big */
-  while (fp_cmp_mag(&C, b) != FP_LT) {
-      fp_sub(&C, b, &C);
+  while (fp_cmp_mag(C, b) != FP_LT) {
+      fp_sub(C, b, C);
   }
-  
+
   /* C is now the inverse */
-  fp_copy(&C, c);
+  fp_copy(C, c);
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
   return FP_OKAY;
 }
 
-
 /* c = 1/a (mod b) for odd b only */
 int fp_invmod(fp_int *a, fp_int *b, fp_int *c)
 {
-  fp_int  x, y, u, v, B, D;
-  int     neg, loop_check = 0;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int  x[1], y[1], u[1], v[1], B[1], D[1];
+#else
+  fp_int  *x, *y, *u, *v, *B, *D;
+#endif
+  int     neg;
+  int     err;
+
+  if (b->sign == FP_NEG || fp_iszero(b) == FP_YES) {
+    return FP_VAL;
+  }
+
+  /* [modified] sanity check on "a" */
+  if (fp_iszero(a) == FP_YES) {
+    return FP_VAL; /* can not divide by 0 here */
+  }
 
   /* 2. [modified] b must be odd   */
-  if (fp_iseven (b) == FP_YES) {
+  if (fp_iseven(b) == FP_YES) {
     return fp_invmod_slow(a,b,c);
   }
 
+#ifdef WOLFSSL_SMALL_STACK
+  x = (fp_int*)XMALLOC(sizeof(fp_int) * 6, NULL, DYNAMIC_TYPE_BIGINT);
+  if (x == NULL) {
+      return FP_MEM;
+  }
+  y = &x[1]; u = &x[2]; v = &x[3]; B = &x[4]; D = &x[5];
+#endif
+
   /* init all our temps */
-  fp_init(&x);  fp_init(&y);
-  fp_init(&u);  fp_init(&v);
-  fp_init(&B);  fp_init(&D);
+  fp_init(x);  fp_init(y);
+  fp_init(u);  fp_init(v);
+  fp_init(B);  fp_init(D);
+
+  if (fp_cmp(a, b) != MP_LT) {
+    err = mp_mod(a, b, y);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+    a = y;
+  }
+
+  if (fp_iszero(a) == FP_YES) {
+  #ifdef WOLFSSL_SMALL_STACK
+    XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+  #endif
+    return FP_VAL;
+  }
 
   /* x == modulus, y == value to invert */
-  fp_copy(b, &x);
+  fp_copy(b, x);
 
   /* we need y = |a| */
-  fp_abs(a, &y);
+  fp_abs(a, y);
 
   /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
-  fp_copy(&x, &u);
-  fp_copy(&y, &v);
-  fp_set (&D, 1);
+  fp_copy(x, u);
+  fp_copy(y, v);
+  fp_set (D, 1);
 
 top:
   /* 4.  while u is even do */
-  while (fp_iseven (&u) == FP_YES) {
+  while (fp_iseven (u) == FP_YES) {
     /* 4.1 u = u/2 */
-    fp_div_2 (&u, &u);
+    fp_div_2 (u, u);
 
     /* 4.2 if B is odd then */
-    if (fp_isodd (&B) == FP_YES) {
-      fp_sub (&B, &x, &B);
+    if (fp_isodd (B) == FP_YES) {
+      fp_sub (B, x, B);
     }
     /* B = B/2 */
-    fp_div_2 (&B, &B);
+    fp_div_2 (B, B);
   }
 
   /* 5.  while v is even do */
-  while (fp_iseven (&v) == FP_YES) {
+  while (fp_iseven (v) == FP_YES) {
     /* 5.1 v = v/2 */
-    fp_div_2 (&v, &v);
+    fp_div_2 (v, v);
 
     /* 5.2 if D is odd then */
-    if (fp_isodd (&D) == FP_YES) {
+    if (fp_isodd (D) == FP_YES) {
       /* D = (D-x)/2 */
-      fp_sub (&D, &x, &D);
+      fp_sub (D, x, D);
     }
     /* D = D/2 */
-    fp_div_2 (&D, &D);
+    fp_div_2 (D, D);
   }
 
   /* 6.  if u >= v then */
-  if (fp_cmp (&u, &v) != FP_LT) {
+  if (fp_cmp (u, v) != FP_LT) {
     /* u = u - v, B = B - D */
-    fp_sub (&u, &v, &u);
-    fp_sub (&B, &D, &B);
+    fp_sub (u, v, u);
+    fp_sub (B, D, B);
   } else {
     /* v - v - u, D = D - B */
-    fp_sub (&v, &u, &v);
-    fp_sub (&D, &B, &D);
+    fp_sub (v, u, v);
+    fp_sub (D, B, D);
   }
 
   /* if not zero goto step 4 */
-  if (fp_iszero (&u) == FP_NO) {
-    if (++loop_check > 1024) /* bad input */
-      return FP_VAL;
+  if (fp_iszero (u) == FP_NO) {
     goto top;
   }
 
   /* now a = C, b = D, gcd == g*v */
 
   /* if v != 1 then there is no inverse */
-  if (fp_cmp_d (&v, 1) != FP_EQ) {
+  if (fp_cmp_d (v, 1) != FP_EQ) {
+  #ifdef WOLFSSL_SMALL_STACK
+    XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+  #endif
     return FP_VAL;
   }
 
   /* b is now the inverse */
   neg = a->sign;
-  while (D.sign == FP_NEG) {
-    fp_add (&D, b, &D);
+  while (D->sign == FP_NEG) {
+    fp_add (D, b, D);
+  }
+  /* too big */
+  while (fp_cmp_mag(D, b) != FP_LT) {
+    fp_sub(D, b, D);
   }
-  fp_copy (&D, c);
+  fp_copy (D, c);
   c->sign = neg;
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(x, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
+}
+
+#define CT_INV_MOD_PRE_CNT      8
+
+/* modulus (b) must be greater than 2 and a prime */
+int fp_invmod_mont_ct(fp_int *a, fp_int *b, fp_int *c, fp_digit mp)
+{
+  int i, j;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int t[1], e[1];
+  fp_int pre[CT_INV_MOD_PRE_CNT];
+#else
+  fp_int* t;
+  fp_int* e;
+  fp_int* pre;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+  t = (fp_int*)XMALLOC(sizeof(fp_int) * (2 + CT_INV_MOD_PRE_CNT), NULL,
+                                                           DYNAMIC_TYPE_BIGINT);
+  if (t == NULL)
+    return FP_MEM;
+  e = t + 1;
+  pre = t + 2;
+#endif
+
+  fp_init(t);
+  fp_init(e);
+
+  fp_init(&pre[0]);
+  fp_copy(a, &pre[0]);
+  for (i = 1; i < CT_INV_MOD_PRE_CNT; i++) {
+    fp_init(&pre[i]);
+    fp_sqr(&pre[i-1], &pre[i]);
+    fp_montgomery_reduce(&pre[i], b, mp);
+    fp_mul(&pre[i], a, &pre[i]);
+    fp_montgomery_reduce(&pre[i], b, mp);
+  }
+
+  fp_sub_d(b, 2, e);
+  /* Highest bit is always set. */
+  for (i = fp_count_bits(e)-2, j = 1; i >= 0; i--, j++) {
+      if (!fp_is_bit_set(e, i) || j == CT_INV_MOD_PRE_CNT)
+          break;
+  }
+  fp_copy(&pre[j-1], t);
+  for (j = 0; i >= 0; i--) {
+    int set = fp_is_bit_set(e, i);
+
+    if ((j == CT_INV_MOD_PRE_CNT) || (!set && j > 0)) {
+      fp_mul(t, &pre[j-1], t);
+      fp_montgomery_reduce(t, b, mp);
+      j = 0;
+    }
+    fp_sqr(t, t);
+    fp_montgomery_reduce(t, b, mp);
+    j += set;
+  }
+  if (j > 0) {
+    fp_mul(t, &pre[j-1], c);
+    fp_montgomery_reduce(c, b, mp);
+  }
+  else 
+    fp_copy(t, c);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
   return FP_OKAY;
 }
 
 /* d = a * b (mod c) */
 int fp_mulmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
 {
-  fp_int tmp;
-  fp_init(&tmp);
-  fp_mul(a, b, &tmp);
-  return fp_mod(&tmp, c, d);
+  int err;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+  fp_init(t);
+  err = fp_mul(a, b, t);
+  if (err == FP_OKAY) {
+  #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+    if (d->size < FP_SIZE) {
+      err = fp_mod(t, c, t);
+      fp_copy(t, d);
+    } else
+  #endif
+    {
+      err = fp_mod(t, c, d);
+    }
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return err;
+}
+
+/* d = a - b (mod c) */
+int fp_submod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
+{
+  int err;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+  fp_init(t);
+  fp_sub(a, b, t);
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+  if (d->size < FP_SIZE) {
+    err = fp_mod(t, c, t);
+    fp_copy(t, d);
+  } else
+#endif
+  {
+    err = fp_mod(t, c, d);
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return err;
+}
+
+/* d = a + b (mod c) */
+int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
+{
+  int err;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+  fp_init(t);
+  fp_add(a, b, t);
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+  if (d->size < FP_SIZE) {
+    err = fp_mod(t, c, t);
+    fp_copy(t, d);
+  } else
+#endif
+  {
+    err = fp_mod(t, c, d);
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return err;
 }
 
 #ifdef TFM_TIMING_RESISTANT
 
-/* timing resistant montgomery ladder based exptmod 
+#ifdef WC_RSA_NONBLOCK
+
+#ifdef WC_RSA_NONBLOCK_TIME
+  /* User can override the check-time at build-time using the
+   * FP_EXPTMOD_NB_CHECKTIME macro to define your own function */
+  #ifndef FP_EXPTMOD_NB_CHECKTIME
+    /* instruction count for each type of operation */
+    /* array lookup is using TFM_EXPTMOD_NB_* states */
+    static const word32 exptModNbInst[TFM_EXPTMOD_NB_COUNT] = {
+    #ifdef TFM_PPC32
+      #ifdef _DEBUG
+        11098, 8701, 3971, 178394, 858093, 1040, 822, 178056, 181574, 90883, 184339, 236813
+      #else
+        7050,  2554, 3187, 43178,  200422, 384,  275, 43024,  43550,  30450, 46270,  61376
+      #endif
+    #elif defined(TFM_X86_64)
+      #ifdef _DEBUG
+        954, 2377, 858, 19027, 90840, 287, 407, 20140, 7874,  11385, 8005,  6151
+      #else
+        765, 1007, 771, 5216,  34993, 248, 193, 4975,  4201,  3947,  4275,  3811
+      #endif
+    #else /* software only fast math */
+      #ifdef _DEBUG
+        798, 2245, 802, 16657, 66920, 352, 186, 16997, 16145, 12789, 16742, 15006
+      #else
+        775, 1084, 783, 4692,  37510, 207, 183, 4374,  4392,  3097,  4442,  4079
+      #endif
+    #endif
+    };
+
+    static int fp_exptmod_nb_checktime(exptModNb_t* nb)
+    {
+      word32 totalInst;
+
+      /* if no max time has been set then stop (do not block) */
+      if (nb->maxBlockInst == 0 || nb->state >= TFM_EXPTMOD_NB_COUNT) {
+        return TFM_EXPTMOD_NB_STOP;
+      }
+
+      /* if instruction table not set then use maxBlockInst as simple counter */
+      if (exptModNbInst[nb->state] == 0) {
+        if (++nb->totalInst < nb->maxBlockInst)
+          return TFM_EXPTMOD_NB_CONTINUE;
+
+        nb->totalInst = 0; /* reset counter */
+        return TFM_EXPTMOD_NB_STOP;
+      }
+
+      /* get total instruction count including next operation */
+      totalInst = nb->totalInst + exptModNbInst[nb->state];
+      /* if the next operation can completed within the maximum then continue */
+      if (totalInst <= nb->maxBlockInst) {
+        return TFM_EXPTMOD_NB_CONTINUE;
+      }
+
+      return TFM_EXPTMOD_NB_STOP;
+    }
+    #define FP_EXPTMOD_NB_CHECKTIME(nb) fp_exptmod_nb_checktime((nb))
+  #endif /* !FP_EXPTMOD_NB_CHECKTIME */
+#endif /* WC_RSA_NONBLOCK_TIME */
+
+/* non-blocking version of timing resistant fp_exptmod function */
+/* supports cache resistance */
+int fp_exptmod_nb(exptModNb_t* nb, fp_int* G, fp_int* X, fp_int* P, fp_int* Y)
+{
+  int err, ret = FP_WOULDBLOCK;
+
+  if (nb == NULL)
+    return FP_VAL;
+
+#ifdef WC_RSA_NONBLOCK_TIME
+  nb->totalInst = 0;
+  do {
+    nb->totalInst += exptModNbInst[nb->state];
+#endif
+
+  switch (nb->state) {
+  case TFM_EXPTMOD_NB_INIT:
+    /* now setup montgomery */
+    if ((err = fp_montgomery_setup(P, &nb->mp)) != FP_OKAY) {
+      nb->state = TFM_EXPTMOD_NB_INIT;
+      return err;
+    }
+
+    /* init ints */
+    fp_init(&nb->R[0]);
+    fp_init(&nb->R[1]);
+  #ifndef WC_NO_CACHE_RESISTANT
+    fp_init(&nb->R[2]);
+  #endif
+    nb->state = TFM_EXPTMOD_NB_MONT;
+    break;
+
+  case TFM_EXPTMOD_NB_MONT:
+    /* mod m -> R[0] */
+    fp_montgomery_calc_normalization(&nb->R[0], P);
+
+    nb->state = TFM_EXPTMOD_NB_MONT_RED;
+    break;
+
+  case TFM_EXPTMOD_NB_MONT_RED:
+    /* reduce G -> R[1] */
+    if (fp_cmp_mag(P, G) != FP_GT) {
+       /* G > P so we reduce it first */
+       fp_mod(G, P, &nb->R[1]);
+    } else {
+       fp_copy(G, &nb->R[1]);
+    }
+
+    nb->state = TFM_EXPTMOD_NB_MONT_MUL;
+    break;
+
+  case TFM_EXPTMOD_NB_MONT_MUL:
+    /* G (R[1]) * m (R[0]) */
+    err = fp_mul(&nb->R[1], &nb->R[0], &nb->R[1]);
+    if (err != FP_OKAY) {
+      nb->state = TFM_EXPTMOD_NB_INIT;
+      return err;
+    }
+
+    nb->state = TFM_EXPTMOD_NB_MONT_MOD;
+    break;
 
-   Based on work by Marc Joye, Sung-Ming Yen, "The Montgomery Powering Ladder", Cryptographic Hardware and Embedded Systems, CHES 2002
+  case TFM_EXPTMOD_NB_MONT_MOD:
+    /* mod m */
+    err = fp_div(&nb->R[1], P, NULL, &nb->R[1]);
+    if (err != FP_OKAY) {
+      nb->state = TFM_EXPTMOD_NB_INIT;
+      return err;
+    }
+
+    nb->state = TFM_EXPTMOD_NB_MONT_MODCHK;
+    break;
+
+  case TFM_EXPTMOD_NB_MONT_MODCHK:
+    /* m matches sign of (G * R mod m) */
+    if (nb->R[1].sign != P->sign) {
+       fp_add(&nb->R[1], P, &nb->R[1]);
+    }
+
+    /* set initial mode and bit cnt */
+    nb->bitcnt = 1;
+    nb->buf    = 0;
+    nb->digidx = X->used - 1;
+
+    nb->state = TFM_EXPTMOD_NB_NEXT;
+    break;
+
+  case TFM_EXPTMOD_NB_NEXT:
+    /* grab next digit as required */
+    if (--nb->bitcnt == 0) {
+      /* if nb->digidx == -1 we are out of digits so break */
+      if (nb->digidx == -1) {
+        nb->state = TFM_EXPTMOD_NB_RED;
+        break;
+      }
+      /* read next digit and reset nb->bitcnt */
+      nb->buf    = X->dp[nb->digidx--];
+      nb->bitcnt = (int)DIGIT_BIT;
+    }
+
+    /* grab the next msb from the exponent */
+    nb->y     = (int)(nb->buf >> (DIGIT_BIT - 1)) & 1;
+    nb->buf <<= (fp_digit)1;
+    nb->state = TFM_EXPTMOD_NB_MUL;
+    FALL_THROUGH;
+
+  case TFM_EXPTMOD_NB_MUL:
+    fp_mul(&nb->R[0], &nb->R[1], &nb->R[nb->y^1]);
+    nb->state = TFM_EXPTMOD_NB_MUL_RED;
+    break;
+
+  case TFM_EXPTMOD_NB_MUL_RED:
+    fp_montgomery_reduce(&nb->R[nb->y^1], P, nb->mp);
+    nb->state = TFM_EXPTMOD_NB_SQR;
+    break;
+
+  case TFM_EXPTMOD_NB_SQR:
+  #ifdef WC_NO_CACHE_RESISTANT
+    fp_sqr(&nb->R[nb->y], &nb->R[nb->y]);
+  #else
+    fp_copy((fp_int*) ( ((wolfssl_word)&nb->R[0] & wc_off_on_addr[nb->y^1]) +
+                        ((wolfssl_word)&nb->R[1] & wc_off_on_addr[nb->y]) ),
+            &nb->R[2]);
+    fp_sqr(&nb->R[2], &nb->R[2]);
+  #endif /* WC_NO_CACHE_RESISTANT */
+
+    nb->state = TFM_EXPTMOD_NB_SQR_RED;
+    break;
+
+  case TFM_EXPTMOD_NB_SQR_RED:
+  #ifdef WC_NO_CACHE_RESISTANT
+    fp_montgomery_reduce(&nb->R[nb->y], P, nb->mp);
+  #else
+    fp_montgomery_reduce(&nb->R[2], P, nb->mp);
+    fp_copy(&nb->R[2],
+            (fp_int*) ( ((wolfssl_word)&nb->R[0] & wc_off_on_addr[nb->y^1]) +
+                        ((wolfssl_word)&nb->R[1] & wc_off_on_addr[nb->y]) ) );
+  #endif /* WC_NO_CACHE_RESISTANT */
+
+    nb->state = TFM_EXPTMOD_NB_NEXT;
+    break;
+
+  case TFM_EXPTMOD_NB_RED:
+    /* final reduce */
+    fp_montgomery_reduce(&nb->R[0], P, nb->mp);
+    fp_copy(&nb->R[0], Y);
+
+    nb->state = TFM_EXPTMOD_NB_INIT;
+    ret = FP_OKAY;
+    break;
+  } /* switch */
+
+#ifdef WC_RSA_NONBLOCK_TIME
+  /* determine if maximum blocking time has been reached */
+  } while (ret == FP_WOULDBLOCK &&
+    FP_EXPTMOD_NB_CHECKTIME(nb) == TFM_EXPTMOD_NB_CONTINUE);
+#endif
+
+  return ret;
+}
+
+#endif /* WC_RSA_NONBLOCK */
+
+
+/* timing resistant montgomery ladder based exptmod
+   Based on work by Marc Joye, Sung-Ming Yen, "The Montgomery Powering Ladder",
+   Cryptographic Hardware and Embedded Systems, CHES 2002
 */
-static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
+static int _fp_exptmod_ct(fp_int * G, fp_int * X, int digits, fp_int * P,
+                          fp_int * Y)
 {
+#ifndef WOLFSSL_SMALL_STACK
+#ifdef WC_NO_CACHE_RESISTANT
   fp_int   R[2];
+#else
+  fp_int   R[3];   /* need a temp for cache resistance */
+#endif
+#else
+   fp_int  *R;
+#endif
   fp_digit buf, mp;
   int      err, bitcnt, digidx, y;
 
@@ -980,9 +1584,21 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
      return err;
   }
 
-  fp_init(&R[0]);   
-  fp_init(&R[1]);   
-   
+#ifdef WOLFSSL_SMALL_STACK
+#ifndef WC_NO_CACHE_RESISTANT
+   R = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
+#else
+   R = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   if (R == NULL)
+       return FP_MEM;
+#endif
+  fp_init(&R[0]);
+  fp_init(&R[1]);
+#ifndef WC_NO_CACHE_RESISTANT
+  fp_init(&R[2]);
+#endif
+
   /* now we need R mod m */
   fp_montgomery_calc_normalization (&R[0], P);
 
@@ -998,11 +1614,11 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
   /* for j = t-1 downto 0 do
         r_!k = R0*R1; r_k = r_k^2
   */
-  
+
   /* set initial mode and bit cnt */
   bitcnt = 1;
   buf    = 0;
-  digidx = X->used - 1;
+  digidx = digits - 1;
 
   for (;;) {
     /* grab next digit as required */
@@ -1021,23 +1637,80 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
     buf <<= (fp_digit)1;
 
     /* do ops */
-    fp_mul(&R[0], &R[1], &R[y^1]); fp_montgomery_reduce(&R[y^1], P, mp);
-    fp_sqr(&R[y], &R[y]);          fp_montgomery_reduce(&R[y], P, mp);
+    err = fp_mul(&R[0], &R[1], &R[y^1]);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+    err = fp_montgomery_reduce(&R[y^1], P, mp);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+
+#ifdef WC_NO_CACHE_RESISTANT
+    err = fp_sqr(&R[y], &R[y]);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+    err = fp_montgomery_reduce(&R[y], P, mp);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+#else
+    /* instead of using R[y] for sqr, which leaks key bit to cache monitor,
+     * use R[2] as temp, make sure address calc is constant, keep
+     * &R[0] and &R[1] in cache */
+    fp_copy((fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y^1]) +
+                        ((wolfssl_word)&R[1] & wc_off_on_addr[y]) ),
+            &R[2]);
+    err = fp_sqr(&R[2], &R[2]);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+    err = fp_montgomery_reduce(&R[2], P, mp);
+    if (err != FP_OKAY) {
+    #ifdef WOLFSSL_SMALL_STACK
+      XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+    #endif
+      return err;
+    }
+    fp_copy(&R[2],
+            (fp_int*) ( ((wolfssl_word)&R[0] & wc_off_on_addr[y^1]) +
+                        ((wolfssl_word)&R[1] & wc_off_on_addr[y]) ) );
+#endif /* WC_NO_CACHE_RESISTANT */
   }
 
-   fp_montgomery_reduce(&R[0], P, mp);
+   err = fp_montgomery_reduce(&R[0], P, mp);
    fp_copy(&R[0], Y);
-   return FP_OKAY;
-}   
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(R, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   return err;
+}
 
-#else
+#endif /* TFM_TIMING_RESISTANT */
 
-/* y = g**x (mod b) 
+/* y = g**x (mod b)
  * Some restrictions... x must be positive and < b
  */
-static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
+static int _fp_exptmod_nct(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
 {
-  fp_int   M[64], res;
+  fp_int  *res;
+  fp_int  *M;
   fp_digit buf, mp;
   int      err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
 
@@ -1053,28 +1726,37 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
     winsize = 5;
   } else {
     winsize = 6;
-  } 
-
-  /* init M array */
-  XMEMSET(M, 0, sizeof(M)); 
+  }
 
   /* now setup montgomery  */
   if ((err = fp_montgomery_setup (P, &mp)) != FP_OKAY) {
      return err;
   }
 
+  /* only allocate space for what's needed for window plus res */
+  M = (fp_int*)XMALLOC(sizeof(fp_int)*((1 << winsize) + 1), NULL,
+                                                           DYNAMIC_TYPE_BIGINT);
+  if (M == NULL) {
+     return FP_MEM;
+  }
+  res = &M[1 << winsize];
+
+  /* init M array */
+  for(x = 0; x < (1 << winsize); x++)
+    fp_init(&M[x]);
+
   /* setup result */
-  fp_init(&res);
+  fp_init(res);
 
   /* create M table
    *
    * The M table contains powers of the input base, e.g. M[x] = G^x mod P
    *
-   * The first half of the table is not computed though accept for M[0] and M[1]
+   * The first half of the table is not computed though except for M[0] and M[1]
    */
 
    /* now we need R mod m */
-   fp_montgomery_calc_normalization (&res, P);
+   fp_montgomery_calc_normalization (res, P);
 
    /* now set M[1] to G * R mod m */
    if (fp_cmp_mag(P, G) != FP_GT) {
@@ -1083,24 +1765,37 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
    } else {
       fp_copy(G, &M[1]);
    }
-   fp_mulmod (&M[1], &res, P, &M[1]);
+   fp_mulmod (&M[1], res, P, &M[1]);
 
-  /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times */
+  /* compute the value at M[1<<(winsize-1)] by
+   * squaring M[1] (winsize-1) times */
   fp_copy (&M[1], &M[1 << (winsize - 1)]);
   for (x = 0; x < (winsize - 1); x++) {
     fp_sqr (&M[1 << (winsize - 1)], &M[1 << (winsize - 1)]);
-    fp_montgomery_reduce (&M[1 << (winsize - 1)], P, mp);
+    err = fp_montgomery_reduce (&M[1 << (winsize - 1)], P, mp);
+    if (err != FP_OKAY) {
+      XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+      return err;
+    }
   }
 
   /* create upper table */
   for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
-    fp_mul(&M[x - 1], &M[1], &M[x]);
-    fp_montgomery_reduce(&M[x], P, mp);
+    err = fp_mul(&M[x - 1], &M[1], &M[x]);
+    if (err != FP_OKAY) {
+      XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+      return err;
+    }
+    err = fp_montgomery_reduce(&M[x], P, mp);
+    if (err != FP_OKAY) {
+      XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+      return err;
+    }
   }
 
   /* set initial mode and bit cnt */
   mode   = 0;
-  bitcnt = 1;
+  bitcnt = (x % DIGIT_BIT) + 1;
   buf    = 0;
   digidx = X->used - 1;
   bitcpy = 0;
@@ -1133,8 +1828,16 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
 
     /* if the bit is zero and mode == 1 then we square */
     if (mode == 1 && y == 0) {
-      fp_sqr(&res, &res);
-      fp_montgomery_reduce(&res, P, mp);
+      err = fp_sqr(res, res);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
+      fp_montgomery_reduce(res, P, mp);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
       continue;
     }
 
@@ -1146,13 +1849,29 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
       /* ok window is filled so square as required and multiply  */
       /* square first */
       for (x = 0; x < winsize; x++) {
-        fp_sqr(&res, &res);
-        fp_montgomery_reduce(&res, P, mp);
+        err = fp_sqr(res, res);
+        if (err != FP_OKAY) {
+          XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+          return err;
+        }
+        err = fp_montgomery_reduce(res, P, mp);
+        if (err != FP_OKAY) {
+          XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+          return err;
+        }
       }
 
       /* then multiply */
-      fp_mul(&res, &M[bitbuf], &res);
-      fp_montgomery_reduce(&res, P, mp);
+      err = fp_mul(res, &M[bitbuf], res);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
+      err = fp_montgomery_reduce(res, P, mp);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
 
       /* empty window and reset */
       bitcpy = 0;
@@ -1165,15 +1884,31 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
   if (mode == 2 && bitcpy > 0) {
     /* square then multiply if the bit is set */
     for (x = 0; x < bitcpy; x++) {
-      fp_sqr(&res, &res);
-      fp_montgomery_reduce(&res, P, mp);
+      err = fp_sqr(res, res);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
+      err = fp_montgomery_reduce(res, P, mp);
+      if (err != FP_OKAY) {
+        XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+        return err;
+      }
 
       /* get next bit of the window */
       bitbuf <<= 1;
       if ((bitbuf & (1 << winsize)) != 0) {
         /* then multiply */
-        fp_mul(&res, &M[1], &res);
-        fp_montgomery_reduce(&res, P, mp);
+        err = fp_mul(res, &M[1], res);
+        if (err != FP_OKAY) {
+          XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+          return err;
+        }
+        err = fp_montgomery_reduce(res, P, mp);
+        if (err != FP_OKAY) {
+          XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+          return err;
+        }
       }
     }
   }
@@ -1184,45 +1919,553 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
    * to reduce one more time to cancel out the factor
    * of R.
    */
-  fp_montgomery_reduce(&res, P, mp);
+  err = fp_montgomery_reduce(res, P, mp);
 
   /* swap res with Y */
-  fp_copy (&res, Y);
-  return FP_OKAY;
+  fp_copy (res, Y);
+
+  XFREE(M, NULL, DYNAMIC_TYPE_BIGINT);
+  return err;
 }
 
+
+#ifdef TFM_TIMING_RESISTANT
+#if DIGIT_BIT <= 16
+    #define WINSIZE    2
+#elif DIGIT_BIT <= 32
+    #define WINSIZE    3
+#elif DIGIT_BIT <= 64
+    #define WINSIZE    4
+#elif DIGIT_BIT <= 128
+    #define WINSIZE    5
+#endif
+
+/* y = 2**x (mod b)
+ * Some restrictions... x must be positive and < b
+ */
+static int _fp_exptmod_base_2(fp_int * X, int digits, fp_int * P,
+                              fp_int * Y)
+{
+  fp_digit buf, mp;
+  int      err, bitbuf, bitcpy, bitcnt, digidx, x, y;
+#ifdef WOLFSSL_SMALL_STACK
+  fp_int  *res;
+  fp_int  *tmp;
+#else
+  fp_int   res[1];
+  fp_int   tmp[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+  res = (fp_int*)XMALLOC(2*sizeof(fp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  if (res == NULL) {
+     return FP_MEM;
+  }
+  tmp = &res[1];
 #endif
 
+  /* now setup montgomery  */
+  if ((err = fp_montgomery_setup(P, &mp)) != FP_OKAY) {
+#ifdef WOLFSSL_SMALL_STACK
+     XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+     return err;
+  }
+
+  /* setup result */
+  fp_init(res);
+  fp_init(tmp);
+
+  fp_mul_2d(P, 1 << WINSIZE, tmp);
+
+  /* now we need R mod m */
+  fp_montgomery_calc_normalization(res, P);
+
+  /* Get the top bits left over after taking WINSIZE bits starting at the
+   * least-significant.
+   */
+  digidx = digits - 1;
+  bitcpy = (digits * DIGIT_BIT) % WINSIZE;
+  if (bitcpy > 0) {
+      bitcnt = (int)DIGIT_BIT - bitcpy;
+      buf    = X->dp[digidx--];
+      bitbuf = (int)(buf >> bitcnt);
+      /* Multiply montgomery representation of 1 by 2 ^ top */
+      fp_mul_2d(res, bitbuf, res);
+      fp_add(res, tmp, res);
+      err = fp_mod(res, P, res);
+      if (err != FP_OKAY) {
+      #ifdef WOLFSSL_SMALL_STACK
+        XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      #endif
+        return err;
+      }
+      /* Move out bits used */
+      buf  <<= bitcpy;
+      bitcnt++;
+  }
+  else {
+      bitcnt = 1;
+      buf    = 0;
+  }
+
+  /* empty window and reset  */
+  bitbuf = 0;
+  bitcpy = 0;
+
+  for (;;) {
+    /* grab next digit as required */
+    if (--bitcnt == 0) {
+      /* if digidx == -1 we are out of digits so break */
+      if (digidx == -1) {
+        break;
+      }
+      /* read next digit and reset bitcnt */
+      buf    = X->dp[digidx--];
+      bitcnt = (int)DIGIT_BIT;
+    }
+
+    /* grab the next msb from the exponent */
+    y       = (int)(buf >> (DIGIT_BIT - 1)) & 1;
+    buf   <<= (fp_digit)1;
+    /* add bit to the window */
+    bitbuf |= (y << (WINSIZE - ++bitcpy));
+
+    if (bitcpy == WINSIZE) {
+      /* ok window is filled so square as required and multiply  */
+      /* square first */
+      for (x = 0; x < WINSIZE; x++) {
+        err = fp_sqr(res, res);
+        if (err != FP_OKAY) {
+        #ifdef WOLFSSL_SMALL_STACK
+          XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+          return err;
+        }
+        err = fp_montgomery_reduce(res, P, mp);
+        if (err != FP_OKAY) {
+        #ifdef WOLFSSL_SMALL_STACK
+          XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+          return err;
+        }
+      }
+
+      /* then multiply by 2^bitbuf */
+      fp_mul_2d(res, bitbuf, res);
+      /* Add in value to make mod operation take same time */
+      fp_add(res, tmp, res);
+      err = fp_mod(res, P, res);
+      if (err != FP_OKAY) {
+      #ifdef WOLFSSL_SMALL_STACK
+        XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      #endif
+        return err;
+      }
+
+      /* empty window and reset */
+      bitcpy = 0;
+      bitbuf = 0;
+    }
+  }
+
+  /* fixup result if Montgomery reduction is used
+   * recall that any value in a Montgomery system is
+   * actually multiplied by R mod n.  So we have
+   * to reduce one more time to cancel out the factor
+   * of R.
+   */
+  err = fp_montgomery_reduce(res, P, mp);
+
+  /* swap res with Y */
+  fp_copy(res, Y);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+  return err;
+}
+
+#undef WINSIZE
+#else
+#if DIGIT_BIT < 16
+    #define WINSIZE    3
+#elif DIGIT_BIT < 32
+    #define WINSIZE    4
+#elif DIGIT_BIT < 64
+    #define WINSIZE    5
+#elif DIGIT_BIT < 128
+    #define WINSIZE    6
+#elif DIGIT_BIT == 128
+    #define WINSIZE    7
+#endif
+
+/* y = 2**x (mod b)
+ * Some restrictions... x must be positive and < b
+ */
+static int _fp_exptmod_base_2(fp_int * X, int digits, fp_int * P,
+                              fp_int * Y)
+{
+  fp_digit buf, mp;
+  int      err, bitbuf, bitcpy, bitcnt, digidx, x, y;
+#ifdef WOLFSSL_SMALL_STACK
+  fp_int  *res;
+#else
+  fp_int   res[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+  res = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+  if (res == NULL) {
+     return FP_MEM;
+  }
+#endif
+
+  /* now setup montgomery  */
+  if ((err = fp_montgomery_setup(P, &mp)) != FP_OKAY) {
+     return err;
+  }
+
+  /* setup result */
+  fp_init(res);
+
+  /* now we need R mod m */
+  fp_montgomery_calc_normalization(res, P);
+
+  /* Get the top bits left over after taking WINSIZE bits starting at the
+   * least-significant.
+   */
+  digidx = digits - 1;
+  bitcpy = (digits * DIGIT_BIT) % WINSIZE;
+  if (bitcpy > 0) {
+      bitcnt = (int)DIGIT_BIT - bitcpy;
+      buf    = X->dp[digidx--];
+      bitbuf = (int)(buf >> bitcnt);
+      /* Multiply montgomery representation of 1 by 2 ^ top */
+      fp_mul_2d(res, bitbuf, res);
+      err = fp_mod(res, P, res);
+      if (err != FP_OKAY) {
+      #ifdef WOLFSSL_SMALL_STACK
+        XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      #endif
+        return err;
+      }
+      /* Move out bits used */
+      buf  <<= bitcpy;
+      bitcnt++;
+  }
+  else {
+      bitcnt = 1;
+      buf    = 0;
+  }
+
+  /* empty window and reset  */
+  bitbuf = 0;
+  bitcpy = 0;
+
+  for (;;) {
+    /* grab next digit as required */
+    if (--bitcnt == 0) {
+      /* if digidx == -1 we are out of digits so break */
+      if (digidx == -1) {
+        break;
+      }
+      /* read next digit and reset bitcnt */
+      buf    = X->dp[digidx--];
+      bitcnt = (int)DIGIT_BIT;
+    }
+
+    /* grab the next msb from the exponent */
+    y       = (int)(buf >> (DIGIT_BIT - 1)) & 1;
+    buf   <<= (fp_digit)1;
+    /* add bit to the window */
+    bitbuf |= (y << (WINSIZE - ++bitcpy));
+
+    if (bitcpy == WINSIZE) {
+      /* ok window is filled so square as required and multiply  */
+      /* square first */
+      for (x = 0; x < WINSIZE; x++) {
+        err = fp_sqr(res, res);
+        if (err != FP_OKAY) {
+        #ifdef WOLFSSL_SMALL_STACK
+          XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+          return err;
+        }
+        err = fp_montgomery_reduce(res, P, mp);
+        if (err != FP_OKAY) {
+        #ifdef WOLFSSL_SMALL_STACK
+          XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+          return err;
+        }
+      }
+
+      /* then multiply by 2^bitbuf */
+      fp_mul_2d(res, bitbuf, res);
+      err = fp_mod(res, P, res);
+      if (err != FP_OKAY) {
+      #ifdef WOLFSSL_SMALL_STACK
+        XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      #endif
+        return err;
+      }
+
+      /* empty window and reset */
+      bitcpy = 0;
+      bitbuf = 0;
+    }
+  }
+
+  /* fixup result if Montgomery reduction is used
+   * recall that any value in a Montgomery system is
+   * actually multiplied by R mod n.  So we have
+   * to reduce one more time to cancel out the factor
+   * of R.
+   */
+  err = fp_montgomery_reduce(res, P, mp);
+
+  /* swap res with Y */
+  fp_copy(res, Y);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(res, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+  return err;
+}
+
+#undef WINSIZE
+#endif
+
+
 int fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
 {
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   int x = fp_count_bits (X);
+#endif
+
+   /* handle modulus of zero and prevent overflows */
+   if (fp_iszero(P) || (P->used > (FP_SIZE/2))) {
+      return FP_VAL;
+   }
+   if (fp_isone(P)) {
+      fp_set(Y, 0);
+      return FP_OKAY;
+   }
+   if (fp_iszero(X)) {
+      fp_set(Y, 1);
+      return FP_OKAY;
+   }
+   if (fp_iszero(G)) {
+      fp_set(Y, 0);
+      return FP_OKAY;
+   }
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   if(x > EPS_RSA_EXPT_XBTIS) {
+      return esp_mp_exptmod(G, X, x, P, Y);
+   }
+#endif
+
+   if (X->sign == FP_NEG) {
+#ifndef POSITIVE_EXP_ONLY  /* reduce stack if assume no negatives */
+      int    err;
+   #ifndef WOLFSSL_SMALL_STACK
+      fp_int tmp[2];
+   #else
+      fp_int *tmp;
+   #endif
+
+   #ifdef WOLFSSL_SMALL_STACK
+      tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
+      if (tmp == NULL)
+          return FP_MEM;
+   #endif
+
+      /* yes, copy G and invmod it */
+      fp_init_copy(&tmp[0], G);
+      fp_init_copy(&tmp[1], P);
+      tmp[1].sign = FP_ZPOS;
+      err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
+      if (err == FP_OKAY) {
+         fp_copy(X, &tmp[1]);
+         tmp[1].sign = FP_ZPOS;
+#ifdef TFM_TIMING_RESISTANT
+         err =  _fp_exptmod_ct(&tmp[0], &tmp[1], tmp[1].used, P, Y);
+#else
+         err =  _fp_exptmod_nct(&tmp[0], &tmp[1], P, Y);
+#endif
+         if (P->sign == FP_NEG) {
+            fp_add(Y, P, Y);
+         }
+      }
+   #ifdef WOLFSSL_SMALL_STACK
+      XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+   #endif
+      return err;
+#else
+      return FP_VAL;
+#endif
+   }
+   else if (G->used == 1 && G->dp[0] == 2) {
+      return _fp_exptmod_base_2(X, X->used, P, Y);
+   }
+   else {
+      /* Positive exponent so just exptmod */
+#ifdef TFM_TIMING_RESISTANT
+      return _fp_exptmod_ct(G, X, X->used, P, Y);
+#else
+      return _fp_exptmod_nct(G, X, P, Y);
+#endif
+   }
+}
+
+int fp_exptmod_ex(fp_int * G, fp_int * X, int digits, fp_int * P, fp_int * Y)
+{
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   int x = fp_count_bits (X);
+#endif
+
+   if (fp_iszero(G)) {
+      fp_set(G, 0);
+      return FP_OKAY;
+   }
+
    /* prevent overflows */
    if (P->used > (FP_SIZE/2)) {
       return FP_VAL;
    }
 
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   if(x > EPS_RSA_EXPT_XBTIS) {
+      return esp_mp_exptmod(G, X, x, P, Y);
+   }
+#endif
+
    if (X->sign == FP_NEG) {
 #ifndef POSITIVE_EXP_ONLY  /* reduce stack if assume no negatives */
       int    err;
-      fp_int tmp;
+   #ifndef WOLFSSL_SMALL_STACK
+      fp_int tmp[2];
+   #else
+      fp_int *tmp;
+   #endif
+
+   #ifdef WOLFSSL_SMALL_STACK
+      tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      if (tmp == NULL)
+          return FP_MEM;
+   #endif
 
       /* yes, copy G and invmod it */
-      fp_copy(G, &tmp);
-      if ((err = fp_invmod(&tmp, P, &tmp)) != FP_OKAY) {
-         return err;
+      fp_init_copy(&tmp[0], G);
+      fp_init_copy(&tmp[1], P);
+      tmp[1].sign = FP_ZPOS;
+      err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
+      if (err == FP_OKAY) {
+         X->sign = FP_ZPOS;
+#ifdef TFM_TIMING_RESISTANT
+         err =  _fp_exptmod_ct(&tmp[0], X, digits, P, Y);
+#else
+         err =  _fp_exptmod_nct(&tmp[0], X, P, Y);
+         (void)digits;
+#endif
+         if (X != Y) {
+            X->sign = FP_NEG;
+         }
+         if (P->sign == FP_NEG) {
+            fp_add(Y, P, Y);
+         }
       }
-      X->sign = FP_ZPOS;
-      err =  _fp_exptmod(&tmp, X, P, Y);
-      if (X != Y) {
-         X->sign = FP_NEG;
+   #ifdef WOLFSSL_SMALL_STACK
+      XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+   #endif
+      return err;
+#else
+      return FP_VAL;
+#endif
+   }
+   else {
+      /* Positive exponent so just exptmod */
+#ifdef TFM_TIMING_RESISTANT
+      return _fp_exptmod_ct(G, X, digits, P, Y);
+#else
+      return  _fp_exptmod_nct(G, X, P, Y);
+#endif
+   }
+}
+
+int fp_exptmod_nct(fp_int * G, fp_int * X, fp_int * P, fp_int * Y)
+{
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   int x = fp_count_bits (X);
+#endif
+
+   if (fp_iszero(G)) {
+      fp_set(G, 0);
+      return FP_OKAY;
+   }
+
+   /* prevent overflows */
+   if (P->used > (FP_SIZE/2)) {
+      return FP_VAL;
+   }
+
+#if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+   !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+   if(x > EPS_RSA_EXPT_XBTIS) {
+      return esp_mp_exptmod(G, X, x, P, Y);
+   }
+#endif
+
+   if (X->sign == FP_NEG) {
+#ifndef POSITIVE_EXP_ONLY  /* reduce stack if assume no negatives */
+      int    err;
+   #ifndef WOLFSSL_SMALL_STACK
+      fp_int tmp[2];
+   #else
+      fp_int *tmp;
+   #endif
+
+   #ifdef WOLFSSL_SMALL_STACK
+      tmp = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+      if (tmp == NULL)
+          return FP_MEM;
+   #endif
+
+      /* yes, copy G and invmod it */
+      fp_init_copy(&tmp[0], G);
+      fp_init_copy(&tmp[1], P);
+      tmp[1].sign = FP_ZPOS;
+      err = fp_invmod(&tmp[0], &tmp[1], &tmp[0]);
+      if (err == FP_OKAY) {
+         X->sign = FP_ZPOS;
+         err =  _fp_exptmod_nct(&tmp[0], X, P, Y);
+         if (X != Y) {
+            X->sign = FP_NEG;
+         }
+         if (P->sign == FP_NEG) {
+            fp_add(Y, P, Y);
+         }
       }
+   #ifdef WOLFSSL_SMALL_STACK
+      XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+   #endif
       return err;
 #else
       return FP_VAL;
-#endif 
+#endif
    }
    else {
       /* Positive exponent so just exptmod */
-      return _fp_exptmod(G, X, P, Y);
+      return  _fp_exptmod_nct(G, X, P, Y);
    }
 }
 
@@ -1234,13 +2477,13 @@ void fp_2expt(fp_int *a, int b)
    /* zero a as per default */
    fp_zero (a);
 
-   if (b < 0) { 
+   if (b < 0) {
       return;
    }
 
    z = b / DIGIT_BIT;
    if (z >= FP_SIZE) {
-      return; 
+      return;
    }
 
   /* set the used count of where the bit will go */
@@ -1251,118 +2494,141 @@ void fp_2expt(fp_int *a, int b)
 }
 
 /* b = a*a  */
-void fp_sqr(fp_int *A, fp_int *B)
+int fp_sqr(fp_int *A, fp_int *B)
 {
-    int y = A->used;
+    int err;
+    int y, oldused;
+
+    oldused = B->used;
+    y = A->used;
 
     /* call generic if we're out of range */
     if (y + y > FP_SIZE) {
-       fp_sqr_comba(A, B);
-       return ;
+       err = fp_sqr_comba(A, B);
+       goto clean;
     }
 
-#if defined(TFM_SQR3)
+#if defined(TFM_SQR3) && FP_SIZE >= 6
         if (y <= 3) {
-           fp_sqr_comba3(A,B);
-           return;
+           err = fp_sqr_comba3(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR4)
+#if defined(TFM_SQR4) && FP_SIZE >= 8
         if (y == 4) {
-           fp_sqr_comba4(A,B);
-           return;
+           err = fp_sqr_comba4(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR6)
+#if defined(TFM_SQR6) && FP_SIZE >= 12
         if (y <= 6) {
-           fp_sqr_comba6(A,B);
-           return;
+           err = fp_sqr_comba6(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR7)
+#if defined(TFM_SQR7) && FP_SIZE >= 14
         if (y == 7) {
-           fp_sqr_comba7(A,B);
-           return;
+           err = fp_sqr_comba7(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR8)
+#if defined(TFM_SQR8) && FP_SIZE >= 16
         if (y == 8) {
-           fp_sqr_comba8(A,B);
-           return;
+           err = fp_sqr_comba8(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR9)
+#if defined(TFM_SQR9) && FP_SIZE >= 18
         if (y == 9) {
-           fp_sqr_comba9(A,B);
-           return;
+           err = fp_sqr_comba9(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR12)
+#if defined(TFM_SQR12) && FP_SIZE >= 24
         if (y <= 12) {
-           fp_sqr_comba12(A,B);
-           return;
+           err = fp_sqr_comba12(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR17)
+#if defined(TFM_SQR17) && FP_SIZE >= 34
         if (y <= 17) {
-           fp_sqr_comba17(A,B);
-           return;
+           err = fp_sqr_comba17(A,B);
+           goto clean;
         }
 #endif
 #if defined(TFM_SMALL_SET)
         if (y <= 16) {
-           fp_sqr_comba_small(A,B);
-           return;
+           err = fp_sqr_comba_small(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR20)
+#if defined(TFM_SQR20) && FP_SIZE >= 40
         if (y <= 20) {
-           fp_sqr_comba20(A,B);
-           return;
+           err = fp_sqr_comba20(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR24)
+#if defined(TFM_SQR24) && FP_SIZE >= 48
         if (y <= 24) {
-           fp_sqr_comba24(A,B);
-           return;
+           err = fp_sqr_comba24(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR28)
+#if defined(TFM_SQR28) && FP_SIZE >= 56
         if (y <= 28) {
-           fp_sqr_comba28(A,B);
-           return;
+           err = fp_sqr_comba28(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR32)
+#if defined(TFM_SQR32) && FP_SIZE >= 64
         if (y <= 32) {
-           fp_sqr_comba32(A,B);
-           return;
+           err = fp_sqr_comba32(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR48)
+#if defined(TFM_SQR48) && FP_SIZE >= 96
         if (y <= 48) {
-           fp_sqr_comba48(A,B);
-           return;
+           err = fp_sqr_comba48(A,B);
+           goto clean;
         }
 #endif
-#if defined(TFM_SQR64)
+#if defined(TFM_SQR64) && FP_SIZE >= 128
         if (y <= 64) {
-           fp_sqr_comba64(A,B);
-           return;
+           err = fp_sqr_comba64(A,B);
+           goto clean;
         }
 #endif
-       fp_sqr_comba(A, B);
+       err = fp_sqr_comba(A, B);
+
+clean:
+  /* zero any excess digits on the destination that we didn't write to */
+  for (y = B->used; y >= 0 && y < oldused; y++) {
+    B->dp[y] = 0;
+  }
+
+  return err;
 }
 
 /* generic comba squarer */
-void fp_sqr_comba(fp_int *A, fp_int *B)
+int fp_sqr_comba(fp_int *A, fp_int *B)
 {
   int       pa, ix, iz;
   fp_digit  c0, c1, c2;
-  fp_int    tmp, *dst;
 #ifdef TFM_ISO
   fp_word   tt;
-#endif    
+#endif
+   fp_int    *dst;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int    tmp[1];
+#else
+   fp_int    *tmp;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (tmp == NULL)
+       return FP_MEM;
+#endif
 
   /* get size of output and trim */
   pa = A->used + A->used;
@@ -1375,14 +2641,14 @@ void fp_sqr_comba(fp_int *A, fp_int *B)
   COMBA_CLEAR;
 
   if (A == B) {
-     fp_init(&tmp);
-     dst = &tmp;
+     fp_init(tmp);
+     dst = tmp;
   } else {
      fp_zero(B);
      dst = B;
   }
 
-  for (ix = 0; ix < pa; ix++) { 
+  for (ix = 0; ix < pa; ix++) {
       int      tx, ty, iy;
       fp_digit *tmpy, *tmpx;
 
@@ -1394,14 +2660,14 @@ void fp_sqr_comba(fp_int *A, fp_int *B)
       tmpx = A->dp + tx;
       tmpy = A->dp + ty;
 
-      /* this is the number of times the loop will iterrate,
+      /* this is the number of times the loop will iterate,
          while (tx++ < a->used && ty-- >= 0) { ... }
        */
       iy = MIN(A->used-tx, ty+1);
 
-      /* now for squaring tx can never equal ty 
-       * we halve the distance since they approach 
-       * at a rate of 2x and we have to round because 
+      /* now for squaring tx can never equal ty
+       * we halve the distance since they approach
+       * at a rate of 2x and we have to round because
        * odd cases need to be executed
        */
       iy = MIN(iy, (ty-tx+1)>>1);
@@ -1432,6 +2698,17 @@ void fp_sqr_comba(fp_int *A, fp_int *B)
   if (dst != B) {
      fp_copy(dst, B);
   }
+
+  /* Variables used but not seen by cppcheck. */
+  (void)c0; (void)c1; (void)c2;
+#ifdef TFM_ISO
+  (void)tt;
+#endif
+   
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
 }
 
 int fp_cmp(fp_int *a, fp_int *b)
@@ -1454,6 +2731,10 @@ int fp_cmp(fp_int *a, fp_int *b)
 /* compare against a single digit */
 int fp_cmp_d(fp_int *a, fp_digit b)
 {
+  /* special case for zero*/
+  if (a->used == 0 && b == 0)
+    return FP_EQ;
+
   /* compare based on sign */
   if ((b && a->used == 0) || a->sign == FP_NEG) {
     return FP_LT;
@@ -1495,7 +2776,7 @@ int fp_cmp_mag(fp_int *a, fp_int *b)
    return FP_EQ;
 }
 
-/* setups the montgomery reduction */
+/* sets up the montgomery reduction */
 int fp_montgomery_setup(fp_int *a, fp_digit *rho)
 {
   fp_digit x, b;
@@ -1562,39 +2843,46 @@ void fp_montgomery_calc_normalization(fp_int *a, fp_int *b)
 #endif
 
 #ifdef HAVE_INTEL_MULX
-static inline void innermul8_mulx(fp_digit *c_mulx, fp_digit *cy_mulx, fp_digit *tmpm, fp_digit mu) 
+static WC_INLINE void innermul8_mulx(fp_digit *c_mulx, fp_digit *cy_mulx, fp_digit *tmpm, fp_digit mu)
 {
-    fp_digit _c0, _c1, _c2, _c3, _c4, _c5, _c6, _c7, cy ;
-
-    cy = *cy_mulx ;
-    _c0=c_mulx[0]; _c1=c_mulx[1]; _c2=c_mulx[2]; _c3=c_mulx[3]; _c4=c_mulx[4]; _c5=c_mulx[5]; _c6=c_mulx[6]; _c7=c_mulx[7];    
+    fp_digit cy = *cy_mulx ;
     INNERMUL8_MULX ;
-    c_mulx[0]=_c0; c_mulx[1]=_c1; c_mulx[2]=_c2; c_mulx[3]=_c3; c_mulx[4]=_c4; c_mulx[5]=_c5; c_mulx[6]=_c6; c_mulx[7]=_c7; 
     *cy_mulx = cy ;
 }
 
 /* computes x/R == x (mod N) via Montgomery Reduction */
-static void fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp)
+static int fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp)
 {
-   fp_digit c[FP_SIZE], *_c, *tmpm, mu = 0;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit c[FP_SIZE+1];
+#else
+   fp_digit *c;
+#endif
+   fp_digit *_c, *tmpm, mu = 0;
    int      oldused, x, y, pa;
 
    /* bail if too large */
    if (m->used > (FP_SIZE/2)) {
       (void)mu;                     /* shut up compiler */
-      return;
+      return FP_OKAY;
    }
 
 #ifdef TFM_SMALL_MONT_SET
    if (m->used <= 16) {
-      fp_montgomery_reduce_small(a, m, mp);
-      return;
+      return fp_montgomery_reduce_small(a, m, mp);
    }
 #endif
 
+#ifdef WOLFSSL_SMALL_STACK
+   /* only allocate space for what's needed for window plus res */
+   c = (fp_digit*)XMALLOC(sizeof(fp_digit)*(FP_SIZE + 1), NULL, DYNAMIC_TYPE_BIGINT);
+   if (c == NULL) {
+      return FP_MEM;
+   }
+#endif
 
    /* now zero the buff */
-   XMEMSET(c, 0, sizeof c);
+   XMEMSET(c, 0, sizeof(fp_digit)*(FP_SIZE + 1));
    pa = m->used;
 
    /* copy the input */
@@ -1625,7 +2913,7 @@ static void fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp)
            PROPCARRY;
            ++_c;
        }
-  }         
+  }
 
   /* now copy out */
   _c   = c + pa;
@@ -1634,7 +2922,8 @@ static void fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp)
      *tmpm++ = *_c++;
   }
 
-  for (; x < oldused; x++)   {
+  /* zero any excess digits on the destination that we didn't write to */
+  for (; x < oldused; x++) {
      *tmpm++ = 0;
   }
 
@@ -1642,38 +2931,55 @@ static void fp_montgomery_reduce_mulx(fp_int *a, fp_int *m, fp_digit mp)
 
   a->used = pa+1;
   fp_clamp(a);
-  
+
   /* if A >= m then A = A - m */
   if (fp_cmp_mag (a, m) != FP_LT) {
     s_fp_sub (a, m, a);
   }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(c, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
 }
 #endif
 
 /* computes x/R == x (mod N) via Montgomery Reduction */
-void fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
+int fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
 {
-   fp_digit c[FP_SIZE], *_c, *tmpm, mu = 0;
-   int      oldused, x, y, pa;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_digit c[FP_SIZE+1];
+#else
+   fp_digit *c;
+#endif
+   fp_digit *_c, *tmpm, mu = 0;
+   int      oldused, x, y, pa, err = 0;
 
-   IF_HAVE_INTEL_MULX(fp_montgomery_reduce_mulx(a, m, mp), return) ;
+   IF_HAVE_INTEL_MULX(err = fp_montgomery_reduce_mulx(a, m, mp), return err) ;
+   (void)err;
 
    /* bail if too large */
    if (m->used > (FP_SIZE/2)) {
       (void)mu;                     /* shut up compiler */
-      return;
+      return FP_OKAY;
    }
 
 #ifdef TFM_SMALL_MONT_SET
    if (m->used <= 16) {
-      fp_montgomery_reduce_small(a, m, mp);
-      return;
+      return fp_montgomery_reduce_small(a, m, mp);
    }
 #endif
 
+#ifdef WOLFSSL_SMALL_STACK
+   /* only allocate space for what's needed for window plus res */
+   c = (fp_digit*)XMALLOC(sizeof(fp_digit)*(FP_SIZE + 1), NULL, DYNAMIC_TYPE_BIGINT);
+   if (c == NULL) {
+      return FP_MEM;
+   }
+#endif
 
    /* now zero the buff */
-   XMEMSET(c, 0, sizeof c);
+   XMEMSET(c, 0, sizeof(fp_digit)*(FP_SIZE + 1));
    pa = m->used;
 
    /* copy the input */
@@ -1690,13 +2996,13 @@ void fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
        _c   = c + x;
        tmpm = m->dp;
        y = 0;
-       #if (defined(TFM_SSE2) || defined(TFM_X86_64))
+#if defined(INNERMUL8)
         for (; y < (pa & ~7); y += 8) {
               INNERMUL8 ;
               _c   += 8;
               tmpm += 8;
            }
-       #endif
+#endif
        for (; y < pa; y++) {
           INNERMUL;
           ++_c;
@@ -1706,7 +3012,7 @@ void fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
            PROPCARRY;
            ++_c;
        }
-  }         
+  }
 
   /* now copy out */
   _c   = c + pa;
@@ -1715,7 +3021,8 @@ void fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
      *tmpm++ = *_c++;
   }
 
-  for (; x < oldused; x++)   {
+  /* zero any excess digits on the destination that we didn't write to */
+  for (; x < oldused; x++) {
      *tmpm++ = 0;
   }
 
@@ -1723,21 +3030,40 @@ void fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
 
   a->used = pa+1;
   fp_clamp(a);
-  
+
   /* if A >= m then A = A - m */
   if (fp_cmp_mag (a, m) != FP_LT) {
     s_fp_sub (a, m, a);
   }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(c, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
 }
 
-void fp_read_unsigned_bin(fp_int *a, unsigned char *b, int c)
+void fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c)
 {
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+  const word32 maxC = (a->size * sizeof(fp_digit));
+#else
+  const word32 maxC = (FP_SIZE * sizeof(fp_digit));
+#endif
+
   /* zero the int */
   fp_zero (a);
 
+  /* if input b excess max, then truncate */
+  if (c > 0 && (word32)c > maxC) {
+     int excess = (c - maxC);
+     c -= excess;
+     b += excess;
+  }
+
   /* If we know the endianness of this architecture, and we're using
      32-bit fp_digits, we can optimize this */
-#if (defined(LITTLE_ENDIAN_ORDER) || defined(BIG_ENDIAN_ORDER)) && defined(FP_32BIT)
+#if (defined(LITTLE_ENDIAN_ORDER) || defined(BIG_ENDIAN_ORDER)) && \
+    defined(FP_32BIT)
   /* But not for both simultaneously */
 #if defined(LITTLE_ENDIAN_ORDER) && defined(BIG_ENDIAN_ORDER)
 #error Both LITTLE_ENDIAN_ORDER and BIG_ENDIAN_ORDER defined.
@@ -1745,11 +3071,6 @@ void fp_read_unsigned_bin(fp_int *a, unsigned char *b, int c)
   {
      unsigned char *pd = (unsigned char *)a->dp;
 
-     if ((unsigned)c > (FP_SIZE * sizeof(fp_digit))) {
-        int excess = c - (FP_SIZE * sizeof(fp_digit));
-        c -= excess;
-        b += excess;
-     }
      a->used = (c + sizeof(fp_digit) - 1)/sizeof(fp_digit);
      /* read the bytes in */
 #ifdef BIG_ENDIAN_ORDER
@@ -1757,12 +3078,12 @@ void fp_read_unsigned_bin(fp_int *a, unsigned char *b, int c)
        /* Use Duff's device to unroll the loop. */
        int idx = (c - 1) & ~3;
        switch (c % 4) {
-       case 0:	do { pd[idx+0] = *b++;
-       case 3:	     pd[idx+1] = *b++;
-       case 2:	     pd[idx+2] = *b++;
-       case 1:	     pd[idx+3] = *b++;
+       case 0:    do { pd[idx+0] = *b++; // fallthrough
+       case 3:         pd[idx+1] = *b++; // fallthrough
+       case 2:         pd[idx+2] = *b++; // fallthrough
+       case 1:         pd[idx+3] = *b++; // fallthrough
                      idx -= 4;
-	 	        } while ((c -= 4) > 0);
+                 } while ((c -= 4) > 0);
        }
      }
 #else
@@ -1776,25 +3097,108 @@ void fp_read_unsigned_bin(fp_int *a, unsigned char *b, int c)
   for (; c > 0; c--) {
      fp_mul_2d (a, 8, a);
      a->dp[0] |= *b++;
-     a->used += 1;
+
+     if (a->used == 0) {
+         a->used = 1;
+     }
   }
 #endif
   fp_clamp (a);
 }
 
-void fp_to_unsigned_bin(fp_int *a, unsigned char *b)
+int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b)
+{
+#if DIGIT_BIT == 64 || DIGIT_BIT == 32
+   int i, j;
+   fp_digit n;
+
+   for (j=0,i=0; i<t->used-1; ) {
+       b[x++] = (unsigned char)(t->dp[i] >> j);
+       j += 8;
+       i += j == DIGIT_BIT;
+       j &= DIGIT_BIT - 1;
+   }
+   n = t->dp[i];
+   while (n != 0) {
+       b[x++] = (unsigned char)n;
+       n >>= 8;
+   }
+   return x;
+#else
+   while (fp_iszero (t) == FP_NO) {
+      b[x++] = (unsigned char) (t->dp[0] & 255);
+      fp_div_2d (t, 8, t, NULL);
+  }
+  return x;
+#endif
+}
+
+int fp_to_unsigned_bin(fp_int *a, unsigned char *b)
+{
+  int     x;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+  fp_init_copy(t, a);
+
+  x = fp_to_unsigned_bin_at_pos(0, t, b);
+  fp_reverse (b, x);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
+}
+
+int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c)
 {
+#if DIGIT_BIT == 64 || DIGIT_BIT == 32
+  int i, j, x;
+
+  for (x=c-1,j=0,i=0; x >= 0; x--) {
+     b[x] = (unsigned char)(a->dp[i] >> j);
+     j += 8;
+     i += j == DIGIT_BIT;
+     j &= DIGIT_BIT - 1;
+  }
+
+  return FP_OKAY;
+#else
   int     x;
-  fp_int  t;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
 
-  fp_init_copy(&t, a);
+  fp_init_copy(t, a);
 
-  x = 0;
-  while (fp_iszero (&t) == FP_NO) {
-      b[x++] = (unsigned char) (t.dp[0] & 255);
-      fp_div_2d (&t, 8, &t, NULL);
+  for (x = 0; x < c; x++) {
+      b[x] = (unsigned char) (t->dp[0] & 255);
+      fp_div_2d (t, 8, t, NULL);
   }
   fp_reverse (b, x);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return FP_OKAY;
+#endif
 }
 
 int fp_unsigned_bin_size(fp_int *a)
@@ -1810,6 +3214,77 @@ void fp_set(fp_int *a, fp_digit b)
    a->used  = a->dp[0] ? 1 : 0;
 }
 
+
+#ifndef MP_SET_CHUNK_BITS
+    #define MP_SET_CHUNK_BITS 4
+#endif
+void fp_set_int(fp_int *a, unsigned long b)
+{
+  int x;
+
+  /* use direct fp_set if b is less than fp_digit max */
+  if (b < FP_DIGIT_MAX) {
+    fp_set (a, (fp_digit)b);
+    return;
+  }
+
+  fp_zero (a);
+
+  /* set chunk bits at a time */
+  for (x = 0; x < (int)(sizeof(b) * 8) / MP_SET_CHUNK_BITS; x++) {
+    fp_mul_2d (a, MP_SET_CHUNK_BITS, a);
+
+    /* OR in the top bits of the source */
+    a->dp[0] |= (b >> ((sizeof(b) * 8) - MP_SET_CHUNK_BITS)) &
+                                  ((1 << MP_SET_CHUNK_BITS) - 1);
+
+    /* shift the source up to the next chunk bits */
+    b <<= MP_SET_CHUNK_BITS;
+
+    /* ensure that digits are not clamped off */
+    a->used += 1;
+  }
+
+  /* clamp digits */
+  fp_clamp(a);
+}
+
+/* check if a bit is set */
+int fp_is_bit_set (fp_int *a, fp_digit b)
+{
+    fp_digit i;
+
+    if (b > FP_MAX_BITS)
+        return 0;
+    else
+        i = b/DIGIT_BIT;
+
+    if ((fp_digit)a->used < i)
+        return 0;
+
+    return (int)((a->dp[i] >> b%DIGIT_BIT) & (fp_digit)1);
+}
+
+/* set the b bit of a */
+int fp_set_bit (fp_int * a, fp_digit b)
+{
+    fp_digit i;
+
+    if (b > FP_MAX_BITS)
+        return 0;
+    else
+        i = b/DIGIT_BIT;
+
+    /* set the used count of where the bit will go if required */
+    if (a->used < (int)(i+1))
+        a->used = (int)(i+1);
+
+    /* put the single bit in its place */
+    a->dp[i] |= ((fp_digit)1) << (b % DIGIT_BIT);
+
+    return MP_OKAY;
+}
+
 int fp_count_bits (fp_int * a)
 {
   int     r;
@@ -1829,6 +3304,7 @@ int fp_count_bits (fp_int * a)
     ++r;
     q >>= ((fp_digit) 1);
   }
+
   return r;
 }
 
@@ -1853,36 +3329,38 @@ int fp_leading_bit(fp_int *a)
 
 void fp_lshd(fp_int *a, int x)
 {
-   int y;
+    int y;
 
-   /* move up and truncate as required */
-   y = MIN(a->used + x - 1, (int)(FP_SIZE-1));
+    /* move up and truncate as required */
+    y = MIN(a->used + x - 1, (int)(FP_SIZE-1));
 
-   /* store new size */
-   a->used = y + 1;
+    /* store new size */
+    a->used = y + 1;
 
-   /* move digits */
-   for (; y >= x; y--) {
-       a->dp[y] = a->dp[y-x];
-   }
- 
-   /* zero lower digits */
-   for (; y >= 0; y--) {
-       a->dp[y] = 0;
-   }
+    /* move digits */
+    for (; y >= x; y--) {
+        a->dp[y] = a->dp[y-x];
+    }
 
-   /* clamp digits */
-   fp_clamp(a);
+    /* zero lower digits */
+    for (; y >= 0; y--) {
+        a->dp[y] = 0;
+    }
+
+    /* clamp digits */
+    fp_clamp(a);
 }
 
 
 /* right shift by bit count */
 void fp_rshb(fp_int *c, int x)
 {
-    register fp_digit *tmpc, mask, shift;
+    fp_digit *tmpc, mask, shift;
     fp_digit r, rr;
     fp_digit D = x;
 
+    if (fp_iszero(c)) return;
+
     /* mask */
     mask = (((fp_digit)1) << D) - 1;
 
@@ -1905,6 +3383,9 @@ void fp_rshb(fp_int *c, int x)
       /* set the carry to the carry bits of the current word found above */
       r = rr;
     }
+
+    /* clamp digits */
+    fp_clamp(c);
 }
 
 
@@ -1927,7 +3408,7 @@ void fp_rshd(fp_int *a, int x)
    for (; y < a->used; y++) {
       a->dp[y] = 0;
    }
-   
+
    /* decrement count */
    a->used -= x;
    fp_clamp(a);
@@ -1952,16 +3433,40 @@ void fp_reverse (unsigned char *s, int len)
 
 
 /* c = a - b */
-void fp_sub_d(fp_int *a, fp_digit b, fp_int *c)
+int fp_sub_d(fp_int *a, fp_digit b, fp_int *c)
 {
-   fp_int tmp;
-   fp_init(&tmp);
-   fp_set(&tmp, b);
-   fp_sub(a, &tmp, c);
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int    tmp[1];
+#else
+   fp_int    *tmp;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   tmp = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (tmp == NULL)
+       return FP_MEM;
+#endif
+
+   fp_init(tmp);
+   fp_set(tmp, b);
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+   if (c->size < FP_SIZE) {
+     fp_sub(a, tmp, tmp);
+     fp_copy(tmp, c);
+   } else
+#endif
+   {
+     fp_sub(a, tmp, c);
+   }
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   return FP_OKAY;
 }
 
 
-/* CyaSSL callers from normal lib */
+/* wolfSSL callers from normal lib */
 
 /* init a new mp_int */
 int mp_init (mp_int * a)
@@ -1971,30 +3476,92 @@ int mp_init (mp_int * a)
   return MP_OKAY;
 }
 
-#ifdef ALT_ECC_SIZE
 void fp_init(fp_int *a)
 {
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
     a->size = FP_SIZE;
+#endif
+#ifdef HAVE_WOLF_BIGINT
+    wc_bigint_init(&a->raw);
+#endif
     fp_zero(a);
 }
 
 void fp_zero(fp_int *a)
 {
+    int size;
     a->used = 0;
     a->sign = FP_ZPOS;
-    XMEMSET(a->dp, 0, a->size * sizeof(fp_digit));
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+    size = a->size;
+#else
+    size = FP_SIZE;
+#endif
+    XMEMSET(a->dp, 0, size * sizeof(fp_digit));
 }
+
+void fp_clear(fp_int *a)
+{
+    int size;
+    a->used = 0;
+    a->sign = FP_ZPOS;
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+    size = a->size;
+#else
+    size = FP_SIZE;
+#endif
+    XMEMSET(a->dp, 0, size * sizeof(fp_digit));
+    fp_free(a);
+}
+
+void fp_forcezero (mp_int * a)
+{
+    int size;
+    a->used = 0;
+    a->sign = FP_ZPOS;
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+    size = a->size;
+#else
+    size = FP_SIZE;
 #endif
+    ForceZero(a->dp, size * sizeof(fp_digit));
+#ifdef HAVE_WOLF_BIGINT
+    wc_bigint_zero(&a->raw);
+#endif
+    fp_free(a);
+}
+
+void mp_forcezero (mp_int * a)
+{
+    fp_forcezero(a);
+}
+
+void fp_free(fp_int* a)
+{
+#ifdef HAVE_WOLF_BIGINT
+    wc_bigint_free(&a->raw);
+#else
+    (void)a;
+#endif
+}
 
 
 /* clear one (frees)  */
 void mp_clear (mp_int * a)
 {
-  fp_zero(a);
+    if (a == NULL)
+        return;
+    fp_clear(a);
+}
+
+void mp_free(mp_int* a)
+{
+    fp_free(a);
 }
 
 /* handle up to 6 inits */
-int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e, mp_int* f)
+int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d,
+                  mp_int* e, mp_int* f)
 {
     if (a)
         fp_init(a);
@@ -2027,40 +3594,103 @@ int mp_sub (mp_int * a, mp_int * b, mp_int * c)
 }
 
 /* high level multiplication (handles sign) */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mul(mp_int * a, mp_int * b, mp_int * c)
+#else
 int mp_mul (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
-  fp_mul(a, b, c);
+  return fp_mul(a, b, c);
+}
+
+int mp_mul_d (mp_int * a, mp_digit b, mp_int * c)
+{
+  fp_mul_d(a, b, c);
   return MP_OKAY;
 }
 
 /* d = a * b (mod c) */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
+#else
 int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
+#endif
+{
+ #if defined(WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) && \
+    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
+    int A = fp_count_bits (a);
+    int B = fp_count_bits (b);
+
+    if( A >= ESP_RSA_MULM_BITS && B >= ESP_RSA_MULM_BITS)
+        return esp_mp_mulmod(a, b, c, d);
+    else
+ #endif
+   return fp_mulmod(a, b, c, d);
+}
+
+/* d = a - b (mod c) */
+int mp_submod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
+{
+  return fp_submod(a, b, c, d);
+}
+
+/* d = a + b (mod c) */
+int mp_addmod(mp_int *a, mp_int *b, mp_int *c, mp_int *d)
 {
-  return fp_mulmod(a, b, c, d);
+  return fp_addmod(a, b, c, d);
 }
 
 /* c = a mod b, 0 <= c < b */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_mod (mp_int * a, mp_int * b, mp_int * c)
+#else
 int mp_mod (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
   return fp_mod (a, b, c);
 }
 
 /* hac 14.61, pp608 */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
+#else
 int mp_invmod (mp_int * a, mp_int * b, mp_int * c)
+#endif
 {
   return fp_invmod(a, b, c);
 }
 
+/* hac 14.61, pp608 */
+int mp_invmod_mont_ct (mp_int * a, mp_int * b, mp_int * c, mp_digit mp)
+{
+  return fp_invmod_mont_ct(a, b, c, mp);
+}
+
 /* this is a shell function that calls either the normal or Montgomery
  * exptmod functions.  Originally the call to the montgomery code was
- * embedded in the normal function but that wasted alot of stack space
+ * embedded in the normal function but that wasted a lot of stack space
  * for nothing (since 99% of the time the Montgomery code would be called)
  */
+#if defined(FREESCALE_LTC_TFM)
+int wolfcrypt_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
+#else
 int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
+#endif
 {
   return fp_exptmod(G, X, P, Y);
 }
 
+int mp_exptmod_ex (mp_int * G, mp_int * X, int digits, mp_int * P, mp_int * Y)
+{
+  return fp_exptmod_ex(G, X, digits, P, Y);
+}
+
+int mp_exptmod_nct (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
+{
+  return fp_exptmod_nct(G, X, P, Y);
+}
+
+
 /* compare two ints (signed)*/
 int mp_cmp (mp_int * a, mp_int * b)
 {
@@ -2079,35 +3709,85 @@ int mp_unsigned_bin_size (mp_int * a)
   return fp_unsigned_bin_size(a);
 }
 
+int mp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b)
+{
+    return fp_to_unsigned_bin_at_pos(x, t, b);
+}
+
 /* store in unsigned [big endian] format */
 int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
 {
-  fp_to_unsigned_bin(a,b);
-  return MP_OKAY;
+  return fp_to_unsigned_bin(a,b);
 }
 
+int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
+{
+  return fp_to_unsigned_bin_len(a, b, c);
+}
 /* reads a unsigned char array, assumes the msb is stored first [big endian] */
 int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c)
 {
-  fp_read_unsigned_bin(a, (unsigned char *)b, c);
+  fp_read_unsigned_bin(a, b, c);
   return MP_OKAY;
 }
 
 
 int mp_sub_d(fp_int *a, fp_digit b, fp_int *c)
 {
-    fp_sub_d(a, b, c);
+    return fp_sub_d(a, b, c);
+}
+
+int mp_mul_2d(fp_int *a, int b, fp_int *c)
+{
+    fp_mul_2d(a, b, c);
+	return MP_OKAY;
+}
+
+int mp_2expt(fp_int* a, int b)
+{
+    fp_2expt(a, b);
     return MP_OKAY;
 }
 
+int mp_div(fp_int * a, fp_int * b, fp_int * c, fp_int * d)
+{
+    return fp_div(a, b, c, d);
+}
 
-#ifdef ALT_ECC_SIZE
-void fp_copy(fp_int *a, fp_int* b)
+int mp_div_2d(fp_int* a, int b, fp_int* c, fp_int* d)
 {
+    fp_div_2d(a, b, c, d);
+    return MP_OKAY;
+}
+
+void fp_copy(fp_int *a, fp_int *b)
+{
+    /* if source and destination are different */
     if (a != b) {
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+        /* verify a will fit in b */
+        if (b->size >= a->used) {
+            int x, oldused;
+            oldused = b->used;
+            b->used = a->used;
+            b->sign = a->sign;
+
+            XMEMCPY(b->dp, a->dp, a->used * sizeof(fp_digit));
+
+            /* zero any excess digits on the destination that we didn't write to */
+            for (x = b->used; x >= 0 && x < oldused; x++) {
+                b->dp[x] = 0;
+            }
+        }
+        else {
+            /* TODO: Handle error case */
+        }
+#else
+        /* all dp's are same size, so do straight copy */
         b->used = a->used;
         b->sign = a->sign;
-        XMEMCPY(b->dp, a->dp, a->used * sizeof(fp_digit));
+        XMEMCPY(b->dp, a->dp, FP_SIZE * sizeof(fp_digit));
+#endif
     }
 }
 
@@ -2118,67 +3798,98 @@ void fp_init_copy(fp_int *a, fp_int* b)
         fp_copy(b, a);
     }
 }
-#endif
 
-/* fast math conversion */
+/* fast math wrappers */
 int mp_copy(fp_int* a, fp_int* b)
 {
     fp_copy(a, b);
     return MP_OKAY;
 }
 
-
-/* fast math conversion */
 int mp_isodd(mp_int* a)
 {
     return fp_isodd(a);
 }
 
-
-/* fast math conversion */
 int mp_iszero(mp_int* a)
 {
     return fp_iszero(a);
 }
 
-
-/* fast math conversion */
 int mp_count_bits (mp_int* a)
 {
     return fp_count_bits(a);
 }
 
-
 int mp_leading_bit (mp_int* a)
 {
     return fp_leading_bit(a);
 }
 
-
-/* fast math conversion */
 void mp_rshb (mp_int* a, int x)
 {
     fp_rshb(a, x);
 }
 
+void mp_rshd (mp_int* a, int x)
+{
+    fp_rshd(a, x);
+}
 
-/* fast math wrappers */
-int mp_set_int(fp_int *a, fp_digit b)
+int mp_set_int(mp_int *a, unsigned long b)
 {
-    fp_set(a, b);
+    fp_set_int(a, b);
     return MP_OKAY;
 }
 
+int mp_is_bit_set (mp_int *a, mp_digit b)
+{
+    return fp_is_bit_set(a, b);
+}
 
-#if defined(WOLFSSL_KEY_GEN) || defined (HAVE_ECC)
+int mp_set_bit(mp_int *a, mp_digit b)
+{
+    return fp_set_bit(a, b);
+}
+
+#if defined(WOLFSSL_KEY_GEN) || defined (HAVE_ECC) || !defined(NO_DH) || \
+    !defined(NO_DSA) || !defined(NO_RSA)
 
 /* c = a * a (mod b) */
 int fp_sqrmod(fp_int *a, fp_int *b, fp_int *c)
 {
-  fp_int tmp;
-  fp_init(&tmp);
-  fp_sqr(a, &tmp);
-  return fp_mod(&tmp, b, c);
+  int err;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int t[1];
+#else
+   fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+  fp_init(t);
+  err = fp_sqr(a, t);
+  if (err == FP_OKAY) {
+  #if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+    if (c->size < FP_SIZE) {
+      err = fp_mod(t, b, t);
+      fp_copy(t, c);
+    }
+    else
+  #endif
+    {
+      err = fp_mod(t, b, c);
+    }
+  }
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+  return err;
 }
 
 /* fast math conversion */
@@ -2197,7 +3908,37 @@ int mp_montgomery_calc_normalization(mp_int *a, mp_int *b)
 #endif /* WOLFSSL_KEYGEN || HAVE_ECC */
 
 
-#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
+#if defined(WC_MP_TO_RADIX) || !defined(NO_DH) || !defined(NO_DSA) || \
+    !defined(NO_RSA)
+
+#ifdef WOLFSSL_KEY_GEN
+/* swap the elements of two integers, for cases where you can't simply swap the
+ * mp_int pointers around
+ */
+static int fp_exch (fp_int * a, fp_int * b)
+{
+#ifndef WOLFSSL_SMALL_STACK
+    fp_int  t[1];
+#else
+    fp_int *t;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL)
+       return FP_MEM;
+#endif
+
+    *t = *a;
+    *a = *b;
+    *b = *t;
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return FP_OKAY;
+}
+#endif
 
 static const int lnz[16] = {
    4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
@@ -2210,12 +3951,12 @@ int fp_cnt_lsb(fp_int *a)
    fp_digit q, qq;
 
    /* easy out */
-   if (fp_iszero(a) == 1) {
+   if (fp_iszero(a) == FP_YES) {
       return 0;
    }
 
    /* scan lower digits until non-zero */
-   for (x = 0; x < a->used && a->dp[x] == 0; x++);
+   for (x = 0; x < a->used && a->dp[x] == 0; x++) {}
    q = a->dp[x];
    x *= DIGIT_BIT;
 
@@ -2231,30 +3972,32 @@ int fp_cnt_lsb(fp_int *a)
 }
 
 
-
-
 static int s_is_power_of_two(fp_digit b, int *p)
 {
    int x;
 
    /* fast return if no power of two */
    if ((b==0) || (b & (b-1))) {
-      return 0;
+      return FP_NO;
    }
 
    for (x = 0; x < DIGIT_BIT; x++) {
       if (b == (((fp_digit)1)<<x)) {
          *p = x;
-         return 1;
+         return FP_YES;
       }
    }
-   return 0;
+   return FP_NO;
 }
 
 /* a/b => cb + d == a */
 static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d)
 {
-  fp_int   q;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int   q[1];
+#else
+  fp_int   *q;
+#endif
   fp_word  w;
   fp_digit t;
   int      ix;
@@ -2265,7 +4008,7 @@ static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d)
   }
 
   /* quick outs */
-  if (b == 1 || fp_iszero(a) == 1) {
+  if (b == 1 || fp_iszero(a) == FP_YES) {
      if (d != NULL) {
         *d = 0;
      }
@@ -2276,7 +4019,7 @@ static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d)
   }
 
   /* power of two ? */
-  if (s_is_power_of_two(b, &ix) == 1) {
+  if (s_is_power_of_two(b, &ix) == FP_YES) {
      if (d != NULL) {
         *d = a->dp[0] & ((((fp_digit)1)<<ix) - 1);
      }
@@ -2286,33 +4029,45 @@ static int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d)
      return FP_OKAY;
   }
 
-  /* no easy answer [c'est la vie].  Just division */
-  fp_init(&q);
-  
-  q.used = a->used;
-  q.sign = a->sign;
+#ifdef WOLFSSL_SMALL_STACK
+  q = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+  if (q == NULL)
+      return FP_MEM;
+#endif
+
+  fp_init(q);
+
+  if (c != NULL) {
+    q->used = a->used;
+    q->sign = a->sign;
+  }
+
   w = 0;
   for (ix = a->used - 1; ix >= 0; ix--) {
      w = (w << ((fp_word)DIGIT_BIT)) | ((fp_word)a->dp[ix]);
-     
+
      if (w >= b) {
         t = (fp_digit)(w / b);
         w -= ((fp_word)t) * ((fp_word)b);
       } else {
         t = 0;
       }
-      q.dp[ix] = (fp_digit)t;
+      if (c != NULL)
+        q->dp[ix] = (fp_digit)t;
   }
-  
+
   if (d != NULL) {
      *d = (fp_digit)w;
   }
-  
+
   if (c != NULL) {
-     fp_clamp(&q);
-     fp_copy(&q, c);
+     fp_clamp(q);
+     fp_copy(q, c);
   }
- 
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(q, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
   return FP_OKAY;
 }
 
@@ -2328,101 +4083,148 @@ int mp_mod_d(fp_int *a, fp_digit b, fp_digit *c)
    return fp_mod_d(a, b, c);
 }
 
-#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */
-
-#ifdef WOLFSSL_KEY_GEN
-
-void fp_gcd(fp_int *a, fp_int *b, fp_int *c);
-void fp_lcm(fp_int *a, fp_int *b, fp_int *c);
-int  fp_isprime(fp_int *a);
+#endif /* WC_MP_TO_RADIX || !NO_DH || !NO_DSA || !NO_RSA */
 
-int mp_gcd(fp_int *a, fp_int *b, fp_int *c)
-{
-    fp_gcd(a, b, c);
-    return MP_OKAY;
-}
 
+#if !defined(NO_DH) || !defined(NO_DSA) || !defined(NO_RSA) || \
+    defined(WOLFSSL_KEY_GEN)
 
-int mp_lcm(fp_int *a, fp_int *b, fp_int *c)
-{
-    fp_lcm(a, b, c);
-    return MP_OKAY;
-}
+static int  fp_isprime_ex(fp_int *a, int t, int* result);
 
 
 int mp_prime_is_prime(mp_int* a, int t, int* result)
 {
-    (void)t;
-    *result = fp_isprime(a);
-    return MP_OKAY;
+    return fp_isprime_ex(a, t, result);
 }
 
-/* Miller-Rabin test of "a" to the base of "b" as described in 
+/* Miller-Rabin test of "a" to the base of "b" as described in
  * HAC pp. 139 Algorithm 4.24
  *
  * Sets result to 0 if definitely composite or 1 if probably prime.
- * Randomly the chance of error is no more than 1/4 and often 
+ * Randomly the chance of error is no more than 1/4 and often
  * very much lower.
  */
-static void fp_prime_miller_rabin (fp_int * a, fp_int * b, int *result)
+static int fp_prime_miller_rabin_ex(fp_int * a, fp_int * b, int *result,
+  fp_int *n1, fp_int *y, fp_int *r)
 {
-  fp_int  n1, y, r;
-  int     s, j;
+  int s, j;
+  int err;
 
   /* default */
   *result = FP_NO;
 
   /* ensure b > 1 */
   if (fp_cmp_d(b, 1) != FP_GT) {
-     return;
-  }     
+     return FP_OKAY;
+  }
 
   /* get n1 = a - 1 */
-  fp_init_copy(&n1, a);
-  fp_sub_d(&n1, 1, &n1);
+  fp_copy(a, n1);
+  err = fp_sub_d(n1, 1, n1);
+  if (err != FP_OKAY) {
+     return err;
+  }
 
   /* set 2**s * r = n1 */
-  fp_init_copy(&r, &n1);
+  fp_copy(n1, r);
 
   /* count the number of least significant bits
    * which are zero
    */
-  s = fp_cnt_lsb(&r);
+  s = fp_cnt_lsb(r);
 
   /* now divide n - 1 by 2**s */
-  fp_div_2d (&r, s, &r, NULL);
+  fp_div_2d (r, s, r, NULL);
 
   /* compute y = b**r mod a */
-  fp_init(&y);
-  fp_exptmod(b, &r, a, &y);
+  fp_zero(y);
+#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
+                                                     defined(WOLFSSL_HAVE_SP_DH)
+#ifndef WOLFSSL_SP_NO_2048
+  if (fp_count_bits(a) == 1024)
+      sp_ModExp_1024(b, r, a, y);
+  else if (fp_count_bits(a) == 2048)
+      sp_ModExp_2048(b, r, a, y);
+  else
+#endif
+#ifndef WOLFSSL_SP_NO_3072
+  if (fp_count_bits(a) == 1536)
+      sp_ModExp_1536(b, r, a, y);
+  else if (fp_count_bits(a) == 3072)
+      sp_ModExp_3072(b, r, a, y);
+  else
+#endif
+#ifdef WOLFSSL_SP_4096
+  if (fp_count_bits(a) == 4096)
+      sp_ModExp_4096(b, r, a, y);
+  else
+#endif
+#endif
+      fp_exptmod(b, r, a, y);
 
   /* if y != 1 and y != n1 do */
-  if (fp_cmp_d (&y, 1) != FP_EQ && fp_cmp (&y, &n1) != FP_EQ) {
+  if (fp_cmp_d (y, 1) != FP_EQ && fp_cmp (y, n1) != FP_EQ) {
     j = 1;
     /* while j <= s-1 and y != n1 */
-    while ((j <= (s - 1)) && fp_cmp (&y, &n1) != FP_EQ) {
-      fp_sqrmod (&y, a, &y);
+    while ((j <= (s - 1)) && fp_cmp (y, n1) != FP_EQ) {
+      fp_sqrmod (y, a, y);
 
       /* if y == 1 then composite */
-      if (fp_cmp_d (&y, 1) == FP_EQ) {
-         return;
+      if (fp_cmp_d (y, 1) == FP_EQ) {
+         return FP_OKAY;
       }
       ++j;
     }
 
     /* if y != n1 then composite */
-    if (fp_cmp (&y, &n1) != FP_EQ) {
-       return;
+    if (fp_cmp (y, n1) != FP_EQ) {
+       return FP_OKAY;
     }
   }
 
   /* probably prime now */
   *result = FP_YES;
+
+  return FP_OKAY;
+}
+
+static int fp_prime_miller_rabin(fp_int * a, fp_int * b, int *result)
+{
+  int err;
+#ifndef WOLFSSL_SMALL_STACK
+  fp_int  n1[1], y[1], r[1];
+#else
+  fp_int *n1, *y, *r;
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+  n1 = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
+  if (n1 == NULL) {
+      return FP_MEM;
+  }
+  y = &n1[1]; r = &n1[2];
+#endif
+
+  fp_init(n1);
+  fp_init(y);
+  fp_init(r);
+
+  err = fp_prime_miller_rabin_ex(a, b, result, n1, y, r);
+
+  fp_clear(n1);
+  fp_clear(y);
+  fp_clear(r);
+
+#ifdef WOLFSSL_SMALL_STACK
+  XFREE(n1, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+
+  return err;
 }
 
 
 /* a few primes */
-static const fp_digit primes[256] = {
+static const fp_digit primes[FP_PRIME_SIZE] = {
   0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013,
   0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035,
   0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059,
@@ -2460,104 +4262,427 @@ static const fp_digit primes[256] = {
   0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653
 };
 
-int fp_isprime(fp_int *a)
+int fp_isprime_ex(fp_int *a, int t, int* result)
 {
-   fp_int   b;
-   fp_digit d = 0;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int   b[1];
+#else
+   fp_int   *b;
+#endif
+   fp_digit d;
    int      r, res;
 
+   if (t <= 0 || t > FP_PRIME_SIZE) {
+     *result = FP_NO;
+     return FP_VAL;
+   }
+
+   if (fp_isone(a)) {
+       *result = FP_NO;
+       return FP_OKAY;
+   }
+
+   /* check against primes table */
+   for (r = 0; r < FP_PRIME_SIZE; r++) {
+       if (fp_cmp_d(a, primes[r]) == FP_EQ) {
+           *result = FP_YES;
+           return FP_OKAY;
+       }
+   }
+
    /* do trial division */
-   for (r = 0; r < 256; r++) {
-       fp_mod_d(a, primes[r], &d);
-       if (d == 0) {
-          return FP_NO;
+   for (r = 0; r < FP_PRIME_SIZE; r++) {
+       res = fp_mod_d(a, primes[r], &d);
+       if (res != MP_OKAY || d == 0) {
+           *result = FP_NO;
+           return FP_OKAY;
        }
    }
 
-   /* now do 8 miller rabins */
-   fp_init(&b);
-   for (r = 0; r < 8; r++) {
-       fp_set(&b, primes[r]);
-       fp_prime_miller_rabin(a, &b, &res);
+#ifdef WOLFSSL_SMALL_STACK
+  b = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+  if (b == NULL)
+      return FP_MEM;
+#endif
+   /* now do 't' miller rabins */
+   fp_init(b);
+   for (r = 0; r < t; r++) {
+       fp_set(b, primes[r]);
+       fp_prime_miller_rabin(a, b, &res);
        if (res == FP_NO) {
-          return FP_NO;
+          *result = FP_NO;
+       #ifdef WOLFSSL_SMALL_STACK
+          XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+       #endif
+          return FP_OKAY;
        }
    }
-   return FP_YES;
+   *result = FP_YES;
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   return FP_OKAY;
+}
+
+
+int mp_prime_is_prime_ex(mp_int* a, int t, int* result, WC_RNG* rng)
+{
+    int ret = FP_YES;
+    fp_digit d;
+    int i;
+
+    if (a == NULL || result == NULL || rng == NULL)
+        return FP_VAL;
+
+    if (fp_isone(a)) {
+        *result = FP_NO;
+        return FP_OKAY;
+    }
+
+    /* check against primes table */
+    for (i = 0; i < FP_PRIME_SIZE; i++) {
+        if (fp_cmp_d(a, primes[i]) == FP_EQ) {
+            *result = FP_YES;
+            return FP_OKAY;
+        }
+    }
+
+    /* do trial division */
+    for (i = 0; i < FP_PRIME_SIZE; i++) {
+        if (fp_mod_d(a, primes[i], &d) == MP_OKAY) {
+            if (d == 0) {
+                *result = FP_NO;
+                return FP_OKAY;
+            }
+        }
+        else
+            return FP_VAL;
+    }
+
+#ifndef WC_NO_RNG
+    /* now do a miller rabin with up to t random numbers, this should
+     * give a (1/4)^t chance of a false prime. */
+    {
+    #ifndef WOLFSSL_SMALL_STACK
+        fp_int b[1], c[1], n1[1], y[1], r[1];
+        byte   base[FP_MAX_PRIME_SIZE];
+    #else
+        fp_int *b, *c, *n1, *y, *r;
+        byte*  base;
+    #endif
+        word32 baseSz;
+        int    err;
+
+        baseSz = fp_count_bits(a);
+        /* The base size is the number of bits / 8. One is added if the number
+         * of bits isn't an even 8. */
+        baseSz = (baseSz / 8) + ((baseSz % 8) ? 1 : 0);
+
+    #ifndef WOLFSSL_SMALL_STACK
+        if (baseSz > sizeof(base))
+            return FP_MEM;
+    #else
+        base = (byte*)XMALLOC(baseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (base == NULL)
+            return FP_MEM;
+
+        b = (fp_int*)XMALLOC(sizeof(fp_int) * 5, NULL, DYNAMIC_TYPE_BIGINT);
+        if (b == NULL) {
+            return FP_MEM;
+        }
+        c = &b[1]; n1 = &b[2]; y= &b[3]; r = &b[4];
+    #endif
+
+        fp_init(b);
+        fp_init(c);
+        fp_init(n1);
+        fp_init(y);
+        fp_init(r);
+
+        err = fp_sub_d(a, 2, c);
+        if (err != FP_OKAY) {
+        #ifdef WOLFSSL_SMALL_STACK
+           XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+           XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+           return err;
+        }
+        while (t > 0) {
+            if ((err = wc_RNG_GenerateBlock(rng, base, baseSz)) != 0) {
+            #ifdef WOLFSSL_SMALL_STACK
+               XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+               XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+               return err;
+            }
+
+            fp_read_unsigned_bin(b, base, baseSz);
+            if (fp_cmp_d(b, 2) != FP_GT || fp_cmp(b, c) != FP_LT) {
+                continue;
+            }
+
+            fp_prime_miller_rabin_ex(a, b, &ret, n1, y, r);
+            if (ret == FP_NO)
+                break;
+            fp_zero(b);
+            t--;
+        }
+
+        fp_clear(n1);
+        fp_clear(y);
+        fp_clear(r);
+        fp_clear(b);
+        fp_clear(c);
+     #ifdef WOLFSSL_SMALL_STACK
+        XFREE(b, NULL, DYNAMIC_TYPE_BIGINT);
+        XFREE(base, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+     #endif
+    }
+#else
+    (void)t;
+#endif /* !WC_NO_RNG */
+
+    *result = ret;
+    return FP_OKAY;
 }
+#endif /* !NO_RSA || !NO_DSA || !NO_DH || WOLFSSL_KEY_GEN */
 
 
+#ifdef WOLFSSL_KEY_GEN
+
+static int  fp_gcd(fp_int *a, fp_int *b, fp_int *c);
+static int  fp_lcm(fp_int *a, fp_int *b, fp_int *c);
+static int  fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap);
+
+int mp_gcd(fp_int *a, fp_int *b, fp_int *c)
+{
+    return fp_gcd(a, b, c);
+}
+
+
+int mp_lcm(fp_int *a, fp_int *b, fp_int *c)
+{
+    return fp_lcm(a, b, c);
+}
+
+int mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap)
+{
+    int err;
+
+    err = fp_randprime(N, len, rng, heap);
+    switch(err) {
+        case FP_VAL:
+            return MP_VAL;
+        case FP_MEM:
+            return MP_MEM;
+        default:
+            break;
+    }
+
+    return MP_OKAY;
+}
+
+int mp_exch (mp_int * a, mp_int * b)
+{
+    return fp_exch(a, b);
+}
+
+
+
+int fp_randprime(fp_int* N, int len, WC_RNG* rng, void* heap)
+{
+    static const int USE_BBS = 1;
+    int   err, type;
+    int   isPrime = FP_YES;
+        /* Assume the candidate is probably prime and then test until
+         * it is proven composite. */
+    byte* buf;
+
+    (void)heap;
+
+    /* get type */
+    if (len < 0) {
+        type = USE_BBS;
+        len = -len;
+    } else {
+        type = 0;
+    }
+
+    /* allow sizes between 2 and 512 bytes for a prime size */
+    if (len < 2 || len > 512) {
+        return FP_VAL;
+    }
+
+    /* allocate buffer to work with */
+    buf = (byte*)XMALLOC(len, heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (buf == NULL) {
+        return FP_MEM;
+    }
+    XMEMSET(buf, 0, len);
+
+    do {
+#ifdef SHOW_GEN
+        printf(".");
+        fflush(stdout);
+#endif
+        /* generate value */
+        err = wc_RNG_GenerateBlock(rng, buf, len);
+        if (err != 0) {
+            XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+            return FP_VAL;
+        }
+
+        /* munge bits */
+        buf[0]     |= 0x80 | 0x40;
+        buf[len-1] |= 0x01 | ((type & USE_BBS) ? 0x02 : 0x00);
+
+        /* load value */
+        fp_read_unsigned_bin(N, buf, len);
+
+        /* test */
+        /* Running Miller-Rabin up to 3 times gives us a 2^{-80} chance
+         * of a 1024-bit candidate being a false positive, when it is our
+         * prime candidate. (Note 4.49 of Handbook of Applied Cryptography.)
+         * Using 8 because we've always used 8 */
+        mp_prime_is_prime_ex(N, 8, &isPrime, rng);
+    } while (isPrime == FP_NO);
+
+    XMEMSET(buf, 0, len);
+    XFREE(buf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return FP_OKAY;
+}
+
 /* c = [a, b] */
-void fp_lcm(fp_int *a, fp_int *b, fp_int *c)
+int fp_lcm(fp_int *a, fp_int *b, fp_int *c)
 {
-   fp_int  t1, t2;
+   int     err;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int  t[2];
+#else
+   fp_int  *t;
+#endif
 
-   fp_init(&t1);
-   fp_init(&t2);
-   fp_gcd(a, b, &t1);
-   if (fp_cmp_mag(a, b) == FP_GT) {
-      fp_div(a, &t1, &t2, NULL);
-      fp_mul(b, &t2, c);
-   } else {
-      fp_div(b, &t1, &t2, NULL);
-      fp_mul(a, &t2, c);
-   }   
+#ifdef WOLFSSL_SMALL_STACK
+   t = (fp_int*)XMALLOC(sizeof(fp_int) * 2, NULL, DYNAMIC_TYPE_BIGINT);
+   if (t == NULL) {
+       return FP_MEM;
+   }
+#endif
+
+   fp_init(&t[0]);
+   fp_init(&t[1]);
+   err = fp_gcd(a, b, &t[0]);
+   if (err == FP_OKAY) {
+      if (fp_cmp_mag(a, b) == FP_GT) {
+        err = fp_div(a, &t[0], &t[1], NULL);
+        if (err == FP_OKAY)
+          err = fp_mul(b, &t[1], c);
+     } else {
+        err = fp_div(b, &t[0], &t[1], NULL);
+        if (err == FP_OKAY)
+          err = fp_mul(a, &t[1], c);
+     }
+   }
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   return err;
 }
 
 
 
 /* c = (a, b) */
-void fp_gcd(fp_int *a, fp_int *b, fp_int *c)
+int fp_gcd(fp_int *a, fp_int *b, fp_int *c)
 {
-   fp_int u, v, r;
+#ifndef WOLFSSL_SMALL_STACK
+   fp_int u[1], v[1], r[1];
+#else
+   fp_int *u, *v, *r;
+#endif
 
    /* either zero than gcd is the largest */
-   if (fp_iszero (a) == 1 && fp_iszero (b) == 0) {
+   if (fp_iszero (a) == FP_YES && fp_iszero (b) == FP_NO) {
      fp_abs (b, c);
-     return;
+     return FP_OKAY;
    }
-   if (fp_iszero (a) == 0 && fp_iszero (b) == 1) {
+   if (fp_iszero (a) == FP_NO && fp_iszero (b) == FP_YES) {
      fp_abs (a, c);
-     return;
+     return FP_OKAY;
    }
 
    /* optimized.  At this point if a == 0 then
     * b must equal zero too
     */
-   if (fp_iszero (a) == 1) {
+   if (fp_iszero (a) == FP_YES) {
      fp_zero(c);
-     return;
+     return FP_OKAY;
    }
 
+#ifdef WOLFSSL_SMALL_STACK
+   u = (fp_int*)XMALLOC(sizeof(fp_int) * 3, NULL, DYNAMIC_TYPE_BIGINT);
+   if (u == NULL) {
+       return FP_MEM;
+   }
+   v = &u[1]; r = &u[2];
+#endif
+
    /* sort inputs */
    if (fp_cmp_mag(a, b) != FP_LT) {
-      fp_init_copy(&u, a);
-      fp_init_copy(&v, b);
+      fp_init_copy(u, a);
+      fp_init_copy(v, b);
    } else {
-      fp_init_copy(&u, b);
-      fp_init_copy(&v, a);
+      fp_init_copy(u, b);
+      fp_init_copy(v, a);
    }
- 
-   fp_init(&r);
-   while (fp_iszero(&v) == FP_NO) {
-      fp_mod(&u, &v, &r);
-      fp_copy(&v, &u);
-      fp_copy(&r, &v);
+
+   u->sign = FP_ZPOS;
+   v->sign = FP_ZPOS;
+
+   fp_init(r);
+   while (fp_iszero(v) == FP_NO) {
+      fp_mod(u, v, r);
+      fp_copy(v, u);
+      fp_copy(r, v);
    }
-   fp_copy(&u, c);
+   fp_copy(u, c);
+
+#ifdef WOLFSSL_SMALL_STACK
+   XFREE(u, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+   return FP_OKAY;
 }
 
 #endif /* WOLFSSL_KEY_GEN */
 
 
-#if defined(HAVE_ECC) || !defined(NO_PWDBASED)
+#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(OPENSSL_EXTRA) || \
+    defined(WC_RSA_BLINDING) || !defined(NO_DSA) || \
+    (!defined(NO_RSA) && !defined(NO_RSA_BOUNDS_CHECK))
 /* c = a + b */
 void fp_add_d(fp_int *a, fp_digit b, fp_int *c)
 {
+#ifndef WOLFSSL_SMALL_STACK
    fp_int tmp;
    fp_init(&tmp);
    fp_set(&tmp, b);
-   fp_add(a,&tmp,c);
+   fp_add(a, &tmp, c);
+#else
+   int i;
+   fp_word t = b;
+
+   fp_copy(a, c);
+   for (i = 0; t != 0 && i < FP_SIZE && i < c->used; i++) {
+     t += c->dp[i];
+     c->dp[i] = (fp_digit)t;
+     t >>= DIGIT_BIT;
+   }
+   if (i == c->used && i < FP_SIZE && t != 0) {
+       c->dp[i] = t;
+       c->used++;
+   }
+#endif
 }
 
 /* external compatibility */
@@ -2567,19 +4692,78 @@ int mp_add_d(fp_int *a, fp_digit b, fp_int *c)
     return MP_OKAY;
 }
 
-#endif  /* HAVE_ECC || !NO_PWDBASED */
+#endif  /* HAVE_ECC || !NO_PWDBASED || OPENSSL_EXTRA || WC_RSA_BLINDING ||
+  !NO_DSA || (!NO_RSA && !NO_RSA_BOUNDS_CHECK) */
 
 
-#ifdef HAVE_ECC
+#if !defined(NO_DSA) || defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN) || \
+    defined(HAVE_COMP_KEY) || defined(WOLFSSL_DEBUG_MATH) || \
+    defined(DEBUG_WOLFSSL) || defined(OPENSSL_EXTRA) || defined(WC_MP_TO_RADIX)
 
 /* chars used in radix conversions */
-static const char *fp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
+static wcchar fp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                                     "abcdefghijklmnopqrstuvwxyz+/";
+#endif
+
+#if !defined(NO_DSA) || defined(HAVE_ECC)
+#if DIGIT_BIT == 64 || DIGIT_BIT == 32
+static int fp_read_radix_16(fp_int *a, const char *str)
+{
+  int     i, j, k, neg;
+  char    ch;
+
+  /* if the leading digit is a
+   * minus set the sign to negative.
+   */
+  if (*str == '-') {
+    ++str;
+    neg = FP_NEG;
+  } else {
+    neg = FP_ZPOS;
+  }
+
+  j = 0;
+  k = 0;
+  for (i = (int)(XSTRLEN(str) - 1); i >= 0; i--) {
+      ch = str[i];
+      if (ch >= '0' && ch <= '9')
+          ch -= '0';
+      else if (ch >= 'A' && ch <= 'F')
+          ch -= 'A' - 10;
+      else if (ch >= 'a' && ch <= 'f')
+          ch -= 'a' - 10;
+      else
+          return FP_VAL;
+
+      a->dp[k] |= ((fp_digit)ch) << j;
+      j += 4;
+      k += j == DIGIT_BIT;
+      j &= DIGIT_BIT - 1;
+  }
+
+  a->used = k + 1;
+  fp_clamp(a);
+  /* set the sign only if a != 0 */
+  if (fp_iszero(a) != FP_YES) {
+     a->sign = neg;
+  }
+  return FP_OKAY;
+}
+#endif
 
 static int fp_read_radix(fp_int *a, const char *str, int radix)
 {
   int     y, neg;
   char    ch;
 
+  /* set the integer to the default of zero */
+  fp_zero (a);
+
+#if DIGIT_BIT == 64 || DIGIT_BIT == 32
+  if (radix == 16)
+      return fp_read_radix_16(a, str);
+#endif
+
   /* make sure the radix is ok */
   if (radix < 2 || radix > 64) {
     return FP_VAL;
@@ -2595,16 +4779,13 @@ static int fp_read_radix(fp_int *a, const char *str, int radix)
     neg = FP_ZPOS;
   }
 
-  /* set the integer to the default of zero */
-  fp_zero (a);
-
   /* process each digit of the string */
   while (*str) {
-    /* if the radix < 36 the conversion is case insensitive
+    /* if the radix <= 36 the conversion is case insensitive
      * this allows numbers like 1AB and 1ab to represent the same  value
      * [e.g. in hex]
      */
-    ch = (char) ((radix < 36) ? XTOUPPER((unsigned char)*str) : *str);
+    ch = (char)((radix <= 36) ? XTOUPPER((unsigned char)*str) : *str);
     for (y = 0; y < 64; y++) {
       if (ch == fp_s_rmap[y]) {
          break;
@@ -2637,24 +4818,20 @@ int mp_read_radix(mp_int *a, const char *str, int radix)
     return fp_read_radix(a, str, radix);
 }
 
-/* fast math conversion */
-void mp_set(fp_int *a, fp_digit b)
-{
-    fp_set(a,b);
-}
+#endif /* !defined(NO_DSA) || defined(HAVE_ECC) */
+
+#ifdef HAVE_ECC
 
 /* fast math conversion */
 int mp_sqr(fp_int *A, fp_int *B)
 {
-    fp_sqr(A, B);
-    return MP_OKAY;
+    return fp_sqr(A, B);
 }
-  
+
 /* fast math conversion */
 int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp)
 {
-    fp_montgomery_reduce(a, m, mp);
-    return MP_OKAY;
+    return fp_montgomery_reduce(a, m, mp);
 }
 
 
@@ -2677,25 +4854,215 @@ int mp_init_copy(fp_int * a, fp_int * b)
     return MP_OKAY;
 }
 
-
 #ifdef HAVE_COMP_KEY
 
 int mp_cnt_lsb(fp_int* a)
 {
-    fp_cnt_lsb(a);
-    return MP_OKAY;
+    return fp_cnt_lsb(a);
 }
 
-int mp_div_2d(fp_int* a, int b, fp_int* c, fp_int* d)
+#endif /* HAVE_COMP_KEY */
+
+#endif /* HAVE_ECC */
+
+#if defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DSA) || \
+    defined(WOLFSSL_KEY_GEN)
+/* fast math conversion */
+int mp_set(fp_int *a, fp_digit b)
 {
-    fp_div_2d(a, b, c, d);
+    fp_set(a,b);
     return MP_OKAY;
 }
+#endif
 
-#endif /* HAVE_COMP_KEY */
+#ifdef WC_MP_TO_RADIX
 
+/* returns size of ASCII representation */
+int mp_radix_size (mp_int *a, int radix, int *size)
+{
+    int      res, digs;
+    fp_digit d;
+#ifndef WOLFSSL_SMALL_STACK
+    fp_int   t[1];
+#else
+    fp_int   *t;
+#endif
 
-#endif /* HAVE_ECC */
+    *size = 0;
 
-#endif /* USE_FAST_MATH */
+    /* special case for binary */
+    if (radix == 2) {
+        *size = fp_count_bits (a) + (a->sign == FP_NEG ? 1 : 0) + 1;
+        return FP_YES;
+    }
+
+    /* make sure the radix is in range */
+    if (radix < 2 || radix > 64) {
+        return FP_VAL;
+    }
+
+    if (fp_iszero(a) == MP_YES) {
+        *size = 2;
+        return FP_OKAY;
+    }
+
+    /* digs is the digit count */
+    digs = 0;
+
+    /* if it's negative add one for the sign */
+    if (a->sign == FP_NEG) {
+        ++digs;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+    if (t == NULL)
+        return FP_MEM;
+#endif
+
+    /* init a copy of the input */
+    fp_init_copy (t, a);
+
+    /* force temp to positive */
+    t->sign = FP_ZPOS;
+
+    /* fetch out all of the digits */
+    while (fp_iszero (t) == FP_NO) {
+        if ((res = fp_div_d (t, (mp_digit) radix, t, &d)) != FP_OKAY) {
+            fp_zero (t);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+        #endif
+            return res;
+        }
+        ++digs;
+    }
+    fp_zero (t);
+
+    /* return digs + 1, the 1 is for the NULL byte that would be required. */
+    *size = digs + 1;
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return FP_OKAY;
+}
+
+/* stores a bignum as a ASCII string in a given radix (2..64) */
+int mp_toradix (mp_int *a, char *str, int radix)
+{
+    int      res, digs;
+    fp_digit d;
+    char     *_s = str;
+#ifndef WOLFSSL_SMALL_STACK
+    fp_int   t[1];
+#else
+    fp_int   *t;
+#endif
+
+    /* check range of the radix */
+    if (radix < 2 || radix > 64) {
+        return FP_VAL;
+    }
 
+    /* quick out if its zero */
+    if (fp_iszero(a) == FP_YES) {
+        *str++ = '0';
+        *str = '\0';
+        return FP_OKAY;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    t = (fp_int*)XMALLOC(sizeof(fp_int), NULL, DYNAMIC_TYPE_BIGINT);
+    if (t == NULL)
+        return FP_MEM;
+#endif
+
+    /* init a copy of the input */
+    fp_init_copy (t, a);
+
+    /* if it is negative output a - */
+    if (t->sign == FP_NEG) {
+        ++_s;
+        *str++ = '-';
+        t->sign = FP_ZPOS;
+    }
+
+    digs = 0;
+    while (fp_iszero (t) == FP_NO) {
+        if ((res = fp_div_d (t, (fp_digit) radix, t, &d)) != FP_OKAY) {
+            fp_zero (t);
+        #ifdef WOLFSSL_SMALL_STACK
+            XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+        #endif
+            return res;
+        }
+        *str++ = fp_s_rmap[d];
+        ++digs;
+    }
+#ifndef WC_DISABLE_RADIX_ZERO_PAD
+    /* For hexadecimal output, add zero padding when number of digits is odd */
+    if ((digs & 1) && (radix == 16)) {
+        *str++ = fp_s_rmap[0];
+        ++digs;
+    }
+#endif
+    /* reverse the digits of the string.  In this case _s points
+     * to the first digit [excluding the sign] of the number]
+     */
+    fp_reverse ((unsigned char *)_s, digs);
+
+    /* append a NULL so the string is properly terminated */
+    *str = '\0';
+
+    fp_zero (t);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(t, NULL, DYNAMIC_TYPE_BIGINT);
+#endif
+    return FP_OKAY;
+}
+
+#ifdef WOLFSSL_DEBUG_MATH
+void mp_dump(const char* desc, mp_int* a, byte verbose)
+{
+  char buffer[FP_SIZE * sizeof(fp_digit) * 2];
+  int size;
+
+#if defined(ALT_ECC_SIZE) || defined(HAVE_WOLF_BIGINT)
+  size = a->size;
+#else
+  size = FP_SIZE;
+#endif
+
+  printf("%s: ptr=%p, used=%d, sign=%d, size=%d, fpd=%d\n",
+    desc, a, a->used, a->sign, size, (int)sizeof(fp_digit));
+
+  mp_tohex(a, buffer);
+  printf("  %s\n  ", buffer);
+
+  if (verbose) {
+    int i;
+    for(i=0; i<size * (int)sizeof(fp_digit); i++) {
+      printf("%x ", *(((byte*)a->dp) + i));
+    }
+    printf("\n");
+  }
+}
+#endif /* WOLFSSL_DEBUG_MATH */
+
+#endif /* WC_MP_TO_RADIX */
+
+
+int mp_abs(mp_int* a, mp_int* b)
+{
+    fp_abs(a, b);
+    return FP_OKAY;
+}
+
+
+int mp_lshd (mp_int * a, int b)
+{
+    fp_lshd(a, b);
+    return FP_OKAY;
+}
+
+#endif /* USE_FAST_MATH */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_dsp.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_dsp.c
new file mode 100644
index 000000000..594ad0489
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_dsp.c
@@ -0,0 +1,327 @@
+/* wc_dsp.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cpuid.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if defined(WOLFSSL_DSP)
+#include "remote.h"
+#include "rpcmem.h"
+static wolfSSL_DSP_Handle_cb handle_function = NULL;
+static remote_handle64 defaultHandle;
+static wolfSSL_Mutex handle_mutex; /* mutex for access to single default handle */
+
+#define WOLFSSL_HANDLE_DONE 1
+#define WOLFSSL_HANDLE_GET 0
+
+/* callback function for setting the default handle in single threaded
+ * use cases */
+static int default_handle_cb(remote_handle64 *handle, int finished, void *ctx)
+{
+    (void)ctx;
+    if (finished == WOLFSSL_HANDLE_DONE) {
+        if (wc_UnLockMutex(&handle_mutex) != 0) {
+            WOLFSSL_MSG("Unlock handle mutex failed");
+            return -1;
+        }
+    }
+    else {
+        if (wc_LockMutex(&handle_mutex) != 0) {
+            WOLFSSL_MSG("Lock handle mutex failed");
+            return -1;
+        }
+        *handle = defaultHandle;
+    }
+    return 0;
+}
+
+
+/* Set global callback for getting handle to use
+ * return 0 on success */
+int wolfSSL_SetHandleCb(wolfSSL_DSP_Handle_cb in)
+{
+    handle_function = in;
+    return 0;
+}
+
+
+/* returns 1 if global handle callback is set and 0 if not */
+int wolfSSL_GetHandleCbSet()
+{
+    return (handle_function != NULL)? 1: 0;
+}
+
+
+/* Local function for setting up default handle
+ * returns 0 on success */
+int wolfSSL_InitHandle()
+{
+    char *sp_URI_value;
+    int ret;
+
+    sp_URI_value = wolfSSL_URI "&_dom=adsp";
+    ret = wolfSSL_open(sp_URI_value, &defaultHandle);
+    if (ret != 0) {
+        WOLFSSL_MSG("Unable to open aDSP?");
+        return -1;
+    }
+    wolfSSL_SetHandleCb(default_handle_cb);
+    ret = wc_InitMutex(&handle_mutex);
+    if (ret != 0) {
+        WOLFSSL_MSG("Unable to init handle mutex");
+        return -1;
+    }
+    return 0;
+}
+
+
+/* internal function that closes default handle and frees mutex */
+void wolfSSL_CleanupHandle()
+{
+    wolfSSL_close(defaultHandle);
+    wc_FreeMutex(&handle_mutex);
+}
+#if defined(WOLFSSL_HAVE_SP_ECC)
+
+/* ecc conversion from sp_c32.c */
+#include <wolfssl/wolfcrypt/sp.h>
+
+
+#ifndef WOLFSSL_SP_NO_256
+
+#ifdef HAVE_ECC_VERIFY
+/* Read big endian unsigned byte array into r.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  Byte array.
+ * n  Number of bytes in array to read.
+ */
+static void int_256_from_bin(int32* r, int size, const byte* a, int n)
+{
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = n-1; i >= 0; i--) {
+        r[j] |= (((int32)a[i]) << s);
+        if (s >= 18U) {
+            r[j] &= 0x3ffffff;
+            s = 26U - s;
+            if (j + 1 >= size) {
+                break;
+            }
+            r[++j] = (int32)a[i] >> s;
+            s = 8U - s;
+        }
+        else {
+            s += 8U;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+}
+
+/* Convert an mp_int to an array of sp_digit.
+ *
+ * r  A single precision integer.
+ * size  Maximum number of bytes to convert
+ * a  A multi-precision integer.
+ */
+static void int_256_from_mp(int32* r, int size, const mp_int* a)
+{
+#if DIGIT_BIT == 26
+    int j;
+
+    XMEMCPY(r, a->dp, sizeof(int32) * a->used);
+
+    for (j = a->used; j < size; j++) {
+        r[j] = 0;
+    }
+#elif DIGIT_BIT > 26
+    int i, j = 0;
+    word32 s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((int32)a->dp[i] << s);
+        r[j] &= 0x3ffffff;
+        s = 26U - s;
+        if (j + 1 >= size) {
+            break;
+        }
+        /* lint allow cast of mismatch word32 and mp_digit */
+        r[++j] = (int32)(a->dp[i] >> s); /*lint !e9033*/
+        while ((s + 26U) <= (word32)DIGIT_BIT) {
+            s += 26U;
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            if (s < (word32)DIGIT_BIT) {
+                /* lint allow cast of mismatch word32 and mp_digit */
+                r[++j] = (int32)(a->dp[i] >> s); /*lint !e9033*/
+            }
+            else {
+                r[++j] = 0L;
+            }
+        }
+        s = (word32)DIGIT_BIT - s;
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#else
+    int i, j = 0, s = 0;
+
+    r[0] = 0;
+    for (i = 0; i < a->used && j < size; i++) {
+        r[j] |= ((int32)a->dp[i]) << s;
+        if (s + DIGIT_BIT >= 26) {
+            r[j] &= 0x3ffffff;
+            if (j + 1 >= size) {
+                break;
+            }
+            s = 26 - s;
+            if (s == DIGIT_BIT) {
+                r[++j] = 0;
+                s = 0;
+            }
+            else {
+                r[++j] = a->dp[i] >> s;
+                s = DIGIT_BIT - s;
+            }
+        }
+        else {
+            s += DIGIT_BIT;
+        }
+    }
+
+    for (j++; j < size; j++) {
+        r[j] = 0;
+    }
+#endif
+}
+
+/* Verify the signature values with the hash and public key.
+ *   e = Truncate(hash, 256)
+ *   u1 = e/s mod order
+ *   u2 = r/s mod order
+ *   r == (u1.G + u2.Q)->x mod order
+ * Optimization: Leave point in projective form.
+ *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
+ *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
+ * The hash is truncated to the first 256 bits.
+ *
+ * hash     Hash to sign.
+ * hashLen  Length of the hash data.
+ * rng      Random number generator.
+ * priv     Private part of key - scalar.
+ * rm       First part of result as an mp_int.
+ * sm       Sirst part of result as an mp_int.
+ * heap     Heap to use for allocation.
+ * returns RNG failures, MEMORY_E when memory allocation fails and
+ * MP_OKAY on success.
+ */
+int sp_dsp_ecc_verify_256(remote_handle64 handleIn, const byte* hash, word32 hashLen, mp_int* pX,
+    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap)
+{
+    int ret;
+    remote_handle64 handle = handleIn;
+
+#if 0
+    /* calling to alloc memory on the ION using these settings slowed the performance down slightly */
+    int32 *x = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+    int32 *y = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+    int32 *z = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+    int32 *s = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+    int32 *u1 = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+    int32 *u2 = (int32*)rpcmem_alloc(RPCMEM_HEAP_ID_SYSTEM, RPCMEM_DEFAULT_FLAGS, 10*sizeof(int));
+#endif
+    int32 x[10] __attribute__((aligned(128)));
+    int32 y[10] __attribute__((aligned(128)));
+    int32 z[10] __attribute__((aligned(128)));
+    int32 s[10] __attribute__((aligned(128)));
+    int32 u1[10] __attribute__((aligned(128)));
+    int32 u2[10] __attribute__((aligned(128)));
+
+    if (hashLen > 32U) {
+        hashLen = 32U;
+    }
+
+    int_256_from_bin(u1, 10, hash, (int)hashLen);
+    int_256_from_mp(u2, 10, r);
+    int_256_from_mp(s, 10, sm);
+    int_256_from_mp(x, 10, pX);
+    int_256_from_mp(y, 10, pY);
+    int_256_from_mp(z, 10, pZ);
+
+    if (handle_function != NULL) {
+        handle_function(&handle, WOLFSSL_HANDLE_GET, NULL);
+    }
+
+    *res = 0;
+    ret = wolfSSL_DSP_ECC_Verify_256(handle, u1, 10, u2, 10, s, 10, x, 10, y, 10, z, 10, res);
+
+    if (handle_function != NULL) {
+        handle_function(&handle, WOLFSSL_HANDLE_DONE, NULL);
+    }
+#if 0
+    rpcmem_free(x);
+    rpcmem_free(y);
+    rpcmem_free(z);
+    rpcmem_free(s);
+    rpcmem_free(u1);
+    rpcmem_free(u2);
+#endif
+    return ret;
+}
+
+
+/* Used to assign a handle to an ecc_key structure.
+ * returns 0 on success */
+int wc_ecc_set_handle(ecc_key* key, remote_handle64 handle)
+{
+    if (key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    key->handle = handle;
+    return 0;
+}
+#endif /* HAVE_ECC_VERIFY */
+#endif /* !WOLFSSL_SP_NO_256 */
+#endif /* WOLFSSL_HAVE_SP_ECC */
+#endif /* WOLFSSL_DSP */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_encrypt.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_encrypt.c
new file mode 100644
index 000000000..39dbeec5a
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_encrypt.c
@@ -0,0 +1,660 @@
+/* wc_encrypt.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/des3.h>
+#include <wolfssl/wolfcrypt/hash.h>
+#include <wolfssl/wolfcrypt/arc4.h>
+#include <wolfssl/wolfcrypt/wc_encrypt.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/coding.h>
+#include <wolfssl/wolfcrypt/pwdbased.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+#ifdef HAVE_AES_DECRYPT
+int wc_AesCbcDecryptWithKey(byte* out, const byte* in, word32 inSz,
+                                  const byte* key, word32 keySz, const byte* iv)
+{
+    int  ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Aes* aes = NULL;
+#else
+    Aes  aes[1];
+#endif
+
+    if (out == NULL || in == NULL || key == NULL || iv == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (aes == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_AesInit(aes, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_AesSetKey(aes, key, keySz, iv, AES_DECRYPTION);
+        if (ret == 0)
+            ret = wc_AesCbcDecrypt(aes, out, in, inSz);
+
+        wc_AesFree(aes);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+#endif /* HAVE_AES_DECRYPT */
+
+int wc_AesCbcEncryptWithKey(byte* out, const byte* in, word32 inSz,
+                            const byte* key, word32 keySz, const byte* iv)
+{
+    int  ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Aes* aes;
+#else
+    Aes  aes[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (aes == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_AesInit(aes, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_AesSetKey(aes, key, keySz, iv, AES_ENCRYPTION);
+        if (ret == 0)
+            ret = wc_AesCbcEncrypt(aes, out, in, inSz);
+
+        wc_AesFree(aes);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+#endif /* !NO_AES && HAVE_AES_CBC */
+
+
+#if !defined(NO_DES3) && !defined(WOLFSSL_TI_CRYPT)
+int wc_Des_CbcEncryptWithKey(byte* out, const byte* in, word32 sz,
+                             const byte* key, const byte* iv)
+{
+    int ret  = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Des* des;
+#else
+    Des  des[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (des == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_Des_SetKey(des, key, iv, DES_ENCRYPTION);
+    if (ret == 0)
+        ret = wc_Des_CbcEncrypt(des, out, in, sz);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(des, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+int wc_Des_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
+                             const byte* key, const byte* iv)
+{
+    int ret  = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Des* des;
+#else
+    Des  des[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (des == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_Des_SetKey(des, key, iv, DES_DECRYPTION);
+    if (ret == 0)
+        ret = wc_Des_CbcDecrypt(des, out, in, sz);
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(des, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+int wc_Des3_CbcEncryptWithKey(byte* out, const byte* in, word32 sz,
+                              const byte* key, const byte* iv)
+{
+    int ret    = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Des3* des3;
+#else
+    Des3  des3[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (des3 == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_Des3Init(des3, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_Des3_SetKey(des3, key, iv, DES_ENCRYPTION);
+        if (ret == 0)
+            ret = wc_Des3_CbcEncrypt(des3, out, in, sz);
+        wc_Des3Free(des3);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(des3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+int wc_Des3_CbcDecryptWithKey(byte* out, const byte* in, word32 sz,
+                              const byte* key, const byte* iv)
+{
+    int ret    = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    Des3* des3;
+#else
+    Des3  des3[1];
+#endif
+
+#ifdef WOLFSSL_SMALL_STACK
+    des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (des3 == NULL)
+        return MEMORY_E;
+#endif
+
+    ret = wc_Des3Init(des3, NULL, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_Des3_SetKey(des3, key, iv, DES_DECRYPTION);
+        if (ret == 0)
+            ret = wc_Des3_CbcDecrypt(des3, out, in, sz);
+        wc_Des3Free(des3);
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(des3, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+#endif /* !NO_DES3 */
+
+
+#ifdef WOLFSSL_ENCRYPTED_KEYS
+
+int wc_BufferKeyDecrypt(EncryptedInfo* info, byte* der, word32 derSz,
+    const byte* password, int passwordSz, int hashType)
+{
+    int ret = NOT_COMPILED_IN;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* key      = NULL;
+#else
+    byte  key[WC_MAX_SYM_KEY_SIZE];
+#endif
+
+    (void)derSz;
+    (void)passwordSz;
+    (void)hashType;
+
+    if (der == NULL || password == NULL || info == NULL || info->keySz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* use file's salt for key derivation, hex decode first */
+    if (Base16_Decode(info->iv, info->ivSz, info->iv, &info->ivSz) != 0) {
+        return BUFFER_E;
+    }
+    if (info->ivSz < PKCS5_SALT_SZ)
+        return BUFFER_E;
+
+#ifdef WOLFSSL_SMALL_STACK
+    key = (byte*)XMALLOC(WC_MAX_SYM_KEY_SIZE, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+    if (key == NULL) {
+        return MEMORY_E;
+    }
+#endif
+
+    (void)XMEMSET(key, 0, WC_MAX_SYM_KEY_SIZE);
+
+#ifndef NO_PWDBASED
+    if ((ret = wc_PBKDF1(key, password, passwordSz, info->iv, PKCS5_SALT_SZ, 1,
+                                        info->keySz, hashType)) != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(key, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+#endif
+        return ret;
+    }
+#endif
+
+#ifndef NO_DES3
+    if (info->cipherType == WC_CIPHER_DES)
+        ret = wc_Des_CbcDecryptWithKey(der, der, derSz, key, info->iv);
+    if (info->cipherType == WC_CIPHER_DES3)
+        ret = wc_Des3_CbcDecryptWithKey(der, der, derSz, key, info->iv);
+#endif /* NO_DES3 */
+#if !defined(NO_AES) && defined(HAVE_AES_CBC) && defined(HAVE_AES_DECRYPT)
+    if (info->cipherType == WC_CIPHER_AES_CBC)
+        ret = wc_AesCbcDecryptWithKey(der, der, derSz, key, info->keySz,
+            info->iv);
+#endif /* !NO_AES && HAVE_AES_CBC && HAVE_AES_DECRYPT */
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(key, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+#endif
+
+    return ret;
+}
+
+int wc_BufferKeyEncrypt(EncryptedInfo* info, byte* der, word32 derSz,
+    const byte* password, int passwordSz, int hashType)
+{
+    int ret = NOT_COMPILED_IN;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* key      = NULL;
+#else
+    byte  key[WC_MAX_SYM_KEY_SIZE];
+#endif
+
+    (void)derSz;
+    (void)passwordSz;
+    (void)hashType;
+
+    if (der == NULL || password == NULL || info == NULL || info->keySz == 0 ||
+            info->ivSz < PKCS5_SALT_SZ) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    key = (byte*)XMALLOC(WC_MAX_SYM_KEY_SIZE, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+    if (key == NULL) {
+        return MEMORY_E;
+    }
+#endif /* WOLFSSL_SMALL_STACK */
+
+    (void)XMEMSET(key, 0, WC_MAX_SYM_KEY_SIZE);
+
+#ifndef NO_PWDBASED
+    if ((ret = wc_PBKDF1(key, password, passwordSz, info->iv, PKCS5_SALT_SZ, 1,
+                                        info->keySz, hashType)) != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(key, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+#endif
+        return ret;
+    }
+#endif
+
+#ifndef NO_DES3
+    if (info->cipherType == WC_CIPHER_DES)
+        ret = wc_Des_CbcEncryptWithKey(der, der, derSz, key, info->iv);
+    if (info->cipherType == WC_CIPHER_DES3)
+        ret = wc_Des3_CbcEncryptWithKey(der, der, derSz, key, info->iv);
+#endif /* NO_DES3 */
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+    if (info->cipherType == WC_CIPHER_AES_CBC)
+        ret = wc_AesCbcEncryptWithKey(der, der, derSz, key, info->keySz,
+            info->iv);
+#endif /* !NO_AES && HAVE_AES_CBC */
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(key, NULL, DYNAMIC_TYPE_SYMMETRIC_KEY);
+#endif
+
+    return ret;
+}
+
+#endif /* WOLFSSL_ENCRYPTED_KEYS */
+
+
+#if !defined(NO_PWDBASED) && !defined(NO_ASN)
+
+#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
+/* Decrypt/Encrypt input in place from parameters based on id
+ *
+ * returns a negative value on fail case
+ */
+int wc_CryptKey(const char* password, int passwordSz, byte* salt,
+                      int saltSz, int iterations, int id, byte* input,
+                      int length, int version, byte* cbcIv, int enc, int shaOid)
+{
+    int typeH;
+    int derivedLen = 0;
+    int ret = 0;
+#ifdef WOLFSSL_SMALL_STACK
+    byte* key;
+#else
+    byte key[MAX_KEY_SIZE];
+#endif
+
+    (void)input;
+    (void)length;
+    (void)enc;
+
+    WOLFSSL_ENTER("wc_CryptKey");
+
+    switch (id) {
+    #ifndef NO_DES3
+        #ifndef NO_MD5
+        case PBE_MD5_DES:
+            typeH = WC_MD5;
+            derivedLen = 16;           /* may need iv for v1.5 */
+            break;
+        #endif
+        #ifndef NO_SHA
+        case PBE_SHA1_DES:
+            typeH = WC_SHA;
+            derivedLen = 16;           /* may need iv for v1.5 */
+            break;
+
+        case PBE_SHA1_DES3:
+            switch(shaOid) {
+                case HMAC_SHA256_OID:
+                    typeH = WC_SHA256;
+                    derivedLen = 32;
+                    break;
+                default:
+                    typeH = WC_SHA;
+                    derivedLen = 32;           /* may need iv for v1.5 */
+                    break;
+            }
+        break;
+        #endif /* !NO_SHA */
+    #endif /* !NO_DES3 */
+    #if !defined(NO_SHA) && !defined(NO_RC4)
+        case PBE_SHA1_RC4_128:
+            typeH = WC_SHA;
+            derivedLen = 16;
+            break;
+    #endif
+    #if defined(WOLFSSL_AES_256)
+        case PBE_AES256_CBC:
+            switch(shaOid) {
+                case HMAC_SHA256_OID:
+                    typeH = WC_SHA256;
+                    derivedLen = 32;
+                    break;
+            #ifndef NO_SHA
+                default:
+                    typeH = WC_SHA;
+                    derivedLen = 32;
+                    break;
+            #endif
+            }
+            break;
+    #endif /* WOLFSSL_AES_256 && !NO_SHA */
+    #if defined(WOLFSSL_AES_128)
+        case PBE_AES128_CBC:
+            switch(shaOid) {
+                case HMAC_SHA256_OID:
+                    typeH = WC_SHA256;
+                    derivedLen = 16;
+                    break;
+            #ifndef NO_SHA
+                default:
+                    typeH = WC_SHA;
+                    derivedLen = 16;
+                    break;
+            #endif
+            }
+            break;
+    #endif /* WOLFSSL_AES_128 && !NO_SHA */
+        default:
+            WOLFSSL_MSG("Unknown/Unsupported encrypt/decrypt id");
+            (void)shaOid;
+            return ALGO_ID_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (key == NULL)
+        return MEMORY_E;
+#endif
+
+    if (version == PKCS5v2)
+        ret = wc_PBKDF2(key, (byte*)password, passwordSz,
+                        salt, saltSz, iterations, derivedLen, typeH);
+#ifndef NO_SHA
+    else if (version == PKCS5)
+        ret = wc_PBKDF1(key, (byte*)password, passwordSz,
+                        salt, saltSz, iterations, derivedLen, typeH);
+#endif
+#ifdef HAVE_PKCS12
+    else if (version == PKCS12v1) {
+        int  i, idx = 0;
+        byte unicodePasswd[MAX_UNICODE_SZ];
+
+        if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            return UNICODE_SIZE_E;
+        }
+
+        for (i = 0; i < passwordSz; i++) {
+            unicodePasswd[idx++] = 0x00;
+            unicodePasswd[idx++] = (byte)password[i];
+        }
+        /* add trailing NULL */
+        unicodePasswd[idx++] = 0x00;
+        unicodePasswd[idx++] = 0x00;
+
+        ret =  wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
+                            iterations, derivedLen, typeH, 1);
+        if (id != PBE_SHA1_RC4_128)
+            ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz,
+                                iterations, 8, typeH, 2);
+    }
+#endif /* HAVE_PKCS12 */
+    else {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        WOLFSSL_MSG("Unknown/Unsupported PKCS version");
+        return ALGO_ID_E;
+    }
+
+    if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        return ret;
+    }
+
+    switch (id) {
+#ifndef NO_DES3
+    #if !defined(NO_SHA) || !defined(NO_MD5)
+        case PBE_MD5_DES:
+        case PBE_SHA1_DES:
+        {
+            Des    des;
+            byte*  desIv = key + 8;
+
+            if (version == PKCS5v2 || version == PKCS12v1)
+                desIv = cbcIv;
+
+            if (enc) {
+                ret = wc_Des_SetKey(&des, key, desIv, DES_ENCRYPTION);
+            }
+            else {
+                ret = wc_Des_SetKey(&des, key, desIv, DES_DECRYPTION);
+            }
+            if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return ret;
+            }
+
+            if (enc) {
+                wc_Des_CbcEncrypt(&des, input, input, length);
+            }
+            else {
+                wc_Des_CbcDecrypt(&des, input, input, length);
+            }
+            break;
+        }
+    #endif /* !NO_SHA || !NO_MD5 */
+
+    #ifndef NO_SHA
+        case PBE_SHA1_DES3:
+        {
+            Des3   des;
+            byte*  desIv = key + 24;
+
+            if (version == PKCS5v2 || version == PKCS12v1)
+                desIv = cbcIv;
+
+            ret = wc_Des3Init(&des, NULL, INVALID_DEVID);
+            if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return ret;
+            }
+            if (enc) {
+                ret = wc_Des3_SetKey(&des, key, desIv, DES_ENCRYPTION);
+            }
+            else {
+                ret = wc_Des3_SetKey(&des, key, desIv, DES_DECRYPTION);
+            }
+            if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return ret;
+            }
+            if (enc) {
+                ret = wc_Des3_CbcEncrypt(&des, input, input, length);
+            }
+            else {
+                ret = wc_Des3_CbcDecrypt(&des, input, input, length);
+            }
+            if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return ret;
+            }
+            break;
+        }
+    #endif /* !NO_SHA */
+#endif
+#if !defined(NO_RC4) && !defined(NO_SHA)
+        case PBE_SHA1_RC4_128:
+        {
+            Arc4    dec;
+
+            wc_Arc4SetKey(&dec, key, derivedLen);
+            wc_Arc4Process(&dec, input, input, length);
+            break;
+        }
+#endif
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+    #ifdef WOLFSSL_AES_256
+        case PBE_AES256_CBC:
+        case PBE_AES128_CBC:
+        {
+            Aes aes;
+            ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
+            if (ret == 0) {
+                if (enc) {
+                    ret = wc_AesSetKey(&aes, key, derivedLen, cbcIv,
+                                                                AES_ENCRYPTION);
+                }
+                else {
+                    ret = wc_AesSetKey(&aes, key, derivedLen, cbcIv,
+                                                                AES_DECRYPTION);
+                }
+            }
+            if (ret == 0) {
+                if (enc)
+                    ret = wc_AesCbcEncrypt(&aes, input, input, length);
+                else
+                    ret = wc_AesCbcDecrypt(&aes, input, input, length);
+            }
+            if (ret != 0) {
+#ifdef WOLFSSL_SMALL_STACK
+                XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+                return ret;
+            }
+            ForceZero(&aes, sizeof(Aes));
+            break;
+        }
+    #endif /* WOLFSSL_AES_256 */
+#endif /* !NO_AES && HAVE_AES_CBC */
+
+        default:
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            WOLFSSL_MSG("Unknown/Unsupported encrypt/decryption algorithm");
+            return ALGO_ID_E;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+#endif /* HAVE_PKCS8 || HAVE_PKCS12 */
+#endif /* !NO_PWDBASED */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_pkcs11.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_pkcs11.c
new file mode 100644
index 000000000..cac0a0fcc
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_pkcs11.c
@@ -0,0 +1,2546 @@
+/* wc_pkcs11.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_PKCS11
+
+#include <dlfcn.h>
+
+#include <wolfssl/wolfcrypt/wc_pkcs11.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#ifndef NO_RSA
+    #include <wolfssl/wolfcrypt/rsa.h>
+#endif
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+#define MAX_EC_PARAM_LEN   16
+
+#if defined(NO_PKCS11_RSA) && !defined(NO_RSA)
+    #define NO_RSA
+#endif
+#if defined(NO_PKCS11_ECC) && defined(HAVE_ECC)
+    #undef HAVE_ECC
+#endif
+#if defined(NO_PKCS11_AES) && !defined(NO_AES)
+    #define NO_AES
+#endif
+#if defined(NO_PKCS11_AESGCM) && defined(HAVE_AESGCM)
+    #undef HAVE_AESGCM
+#endif
+#if defined(NO_PKCS11_AESCBC) && defined(HAVE_AES_CBC)
+    #undef HAVE_AES_CBC
+#endif
+#if defined(NO_PKCS11_HMAC) && !defined(NO_HMAC)
+    #define NO_HMAC
+#endif
+#if defined(NO_PKCS11_RNG) && !defined(WC_NO_RNG)
+    #define WC_NO_RNG
+#endif
+
+
+#if defined(HAVE_ECC) && !defined(NO_PKCS11_ECDH)
+static CK_BBOOL ckFalse = CK_FALSE;
+#endif
+#if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \
+           (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || !defined(NO_HMAC)
+static CK_BBOOL ckTrue  = CK_TRUE;
+#endif
+
+#ifndef NO_RSA
+static CK_KEY_TYPE rsaKeyType  = CKK_RSA;
+#endif
+#ifdef HAVE_ECC
+static CK_KEY_TYPE ecKeyType   = CKK_EC;
+#endif
+#if !defined(NO_RSA) || defined(HAVE_ECC)
+static CK_OBJECT_CLASS pubKeyClass     = CKO_PUBLIC_KEY;
+static CK_OBJECT_CLASS privKeyClass    = CKO_PRIVATE_KEY;
+#endif
+#if (!defined(NO_AES) && (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \
+            !defined(NO_HMAC) || (defined(HAVE_ECC) && !defined(NO_PKCS11_ECDH))
+static CK_OBJECT_CLASS secretKeyClass  = CKO_SECRET_KEY;
+#endif
+
+/**
+ * Load library, get function list and initialize PKCS#11.
+ *
+ * @param  dev     [in]  Device object.
+ * @param  library [in]  Library name including path.
+ * @return  BAD_FUNC_ARG when dev or library are NULL pointers.
+ *          BAD_PATH_ERROR when dynamic library cannot be opened.
+ *          WC_INIT_E when the initialization PKCS#11 fails.
+ *          WC_HW_E when unable to get PKCS#11 function list.
+ *          0 on success.
+ */
+int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library, void* heap)
+{
+    int                  ret = 0;
+    void*                func;
+    CK_C_INITIALIZE_ARGS args;
+
+    if (dev == NULL || library == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        dev->heap = heap;
+        dev->dlHandle = dlopen(library, RTLD_NOW | RTLD_LOCAL);
+        if (dev->dlHandle == NULL) {
+            WOLFSSL_MSG(dlerror());
+            ret = BAD_PATH_ERROR;
+        }
+    }
+
+    if (ret == 0) {
+        dev->func = NULL;
+        func = dlsym(dev->dlHandle, "C_GetFunctionList");
+        if (func == NULL)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        if (((CK_C_GetFunctionList)func)(&dev->func) != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ret == 0) {
+        XMEMSET(&args, 0x00, sizeof(args));
+        args.flags = CKF_OS_LOCKING_OK;
+        if (dev->func->C_Initialize(&args) != CKR_OK)
+            ret = WC_INIT_E;
+    }
+
+    if (ret != 0)
+        wc_Pkcs11_Finalize(dev);
+
+    return ret;
+}
+
+/**
+ * Close the Pkcs#11 library.
+ *
+ * @param  dev  [in]  Device object.
+ */
+void wc_Pkcs11_Finalize(Pkcs11Dev* dev)
+{
+    if (dev != NULL && dev->dlHandle != NULL) {
+        if (dev->func != NULL) {
+            dev->func->C_Finalize(NULL);
+            dev->func = NULL;
+        }
+        dlclose(dev->dlHandle);
+        dev->dlHandle = NULL;
+    }
+}
+
+/**
+ * Set up a token for use.
+ *
+ * @param  token      [in]  Token object.
+ * @param  dev        [in]  PKCS#11 device object.
+ * @param  slotId     [in]  Slot number of the token.<br>
+ *                          Passing -1 uses the first available slot.
+ * @param  tokenName  [in]  Name of token to initialize.
+ * @param  userPin    [in]  PIN to use to login as user.
+ * @param  userPinSz  [in]  Number of bytes in PIN.
+ * @return  BAD_FUNC_ARG when token, dev and/or tokenName is NULL.
+ *          WC_INIT_E when initializing token fails.
+ *          WC_HW_E when another PKCS#11 library call fails.
+ *          -1 when no slot available.
+ *          0 on success.
+ */
+int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId,
+    const char* tokenName, const unsigned char* userPin, int userPinSz)
+{
+    int         ret = 0;
+    CK_RV       rv;
+    CK_SLOT_ID* slot = NULL;
+    CK_ULONG    slotCnt = 0;
+
+    if (token == NULL || dev == NULL || tokenName == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        if (slotId < 0) {
+            /* Use first available slot with a token. */
+            rv = dev->func->C_GetSlotList(CK_TRUE, NULL, &slotCnt);
+            if (rv != CKR_OK)
+                ret = WC_HW_E;
+            if (ret == 0) {
+                slot = (CK_SLOT_ID*)XMALLOC(slotCnt * sizeof(*slot), dev->heap,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+                if (slot == NULL)
+                    ret = MEMORY_E;
+            }
+            if (ret == 0) {
+                rv = dev->func->C_GetSlotList(CK_TRUE, slot, &slotCnt);
+                if (rv != CKR_OK)
+                    ret = WC_HW_E;
+            }
+            if (ret == 0) {
+                if (slotCnt > 0)
+                    slotId = (int)slot[0];
+                else
+                    ret = WC_HW_E;
+            }
+        }
+    }
+    if (ret == 0) {
+        token->func = dev->func;
+        token->slotId = (CK_SLOT_ID)slotId;
+        token->handle = NULL_PTR;
+        token->userPin = (CK_UTF8CHAR_PTR)userPin;
+        token->userPinSz = (CK_ULONG)userPinSz;
+    }
+
+    if (slot != NULL)
+        XFREE(slot, dev->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+
+/**
+ * Finalize token.
+ * Closes all sessions on token.
+ *
+ * @param  token  [in]  Token object.
+ */
+void wc_Pkcs11Token_Final(Pkcs11Token* token)
+{
+    if (token != NULL && token->func != NULL) {
+        token->func->C_CloseAllSessions(token->slotId);
+        token->handle = NULL_PTR;
+        ForceZero(token->userPin, (word32)token->userPinSz);
+    }
+}
+
+/**
+ * Open a session on a token.
+ *
+ * @param  token      [in]  Token object.
+ * @param  session    [in]  Session object.
+ * @param  readWrite  [in]  Boolean indicating to open session for Read/Write.
+ * @return  BAD_FUNC_ARG when token or session is NULL.
+ *          WC_HW_E when opening the session fails.
+ *          0 on success.
+ */
+static int Pkcs11OpenSession(Pkcs11Token* token, Pkcs11Session* session,
+                             int readWrite)
+{
+    int   ret = 0;
+    CK_RV rv;
+
+    if (token == NULL || session == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        if (token->handle != NULL_PTR)
+            session->handle = token->handle;
+        else {
+            /* Create a new session. */
+            CK_FLAGS flags = CKF_SERIAL_SESSION;
+
+            if (readWrite)
+                flags |= CKF_RW_SESSION;
+
+            rv = token->func->C_OpenSession(token->slotId, flags,
+                                            (CK_VOID_PTR)NULL, (CK_NOTIFY)NULL,
+                                            &session->handle);
+            if (rv != CKR_OK)
+                ret = WC_HW_E;
+            if (ret == 0 && token->userPin != NULL) {
+                rv = token->func->C_Login(session->handle, CKU_USER,
+                                              token->userPin, token->userPinSz);
+                if (rv != CKR_OK)
+                    ret = WC_HW_E;
+            }
+        }
+    }
+    if (ret == 0) {
+        session->func = token->func;
+        session->slotId = token->slotId;
+    }
+
+    return ret;
+}
+
+/**
+ * Close a session on a token.
+ * Won't close a session created externally.
+ *
+ * @param  token    [in]  Token object.
+ * @param  session  [in]  Session object.
+ */
+static void Pkcs11CloseSession(Pkcs11Token* token, Pkcs11Session* session)
+{
+    if (token != NULL && session != NULL && token->handle != session->handle) {
+        if (token->userPin != NULL)
+            session->func->C_Logout(session->handle);
+        session->func->C_CloseSession(session->handle);
+    }
+}
+
+/**
+ * Open a session on the token to be used for all operations.
+ *
+ * @param  token      [in]  Token object.
+ * @param  readWrite  [in]  Boolean indicating to open session for Read/Write.
+ * @return  BAD_FUNC_ARG when token is NULL.
+ *          WC_HW_E when opening the session fails.
+ *          0 on success.
+ */
+int wc_Pkcs11Token_Open(Pkcs11Token* token, int readWrite)
+{
+    int ret = 0;
+    Pkcs11Session session;
+
+    if (token == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        ret = Pkcs11OpenSession(token, &session, readWrite);
+        token->handle = session.handle;
+    }
+
+    return ret;
+}
+
+/**
+ * Close the token's session.
+ * All object, like keys, will be destroyed.
+ *
+ * @param  token    [in]  Token object.
+ */
+void wc_Pkcs11Token_Close(Pkcs11Token* token)
+{
+    Pkcs11Session session;
+
+    if (token != NULL) {
+        session.func = token->func;
+        session.handle = token->handle;
+        token->handle = NULL_PTR;
+        Pkcs11CloseSession(token, &session);
+    }
+}
+
+
+#if (!defined(NO_AES) && (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \
+                                                               !defined(NO_HMAC)
+static int Pkcs11CreateSecretKey(CK_OBJECT_HANDLE* key, Pkcs11Session* session,
+                                 CK_KEY_TYPE keyType, unsigned char* data,
+                                 int len, unsigned char* id, int idLen)
+{
+    int              ret = 0;
+    CK_RV            rv;
+    CK_ATTRIBUTE     keyTemplate[] = {
+        { CKA_CLASS,    &secretKeyClass, sizeof(secretKeyClass) },
+        { CKA_KEY_TYPE, &keyType,        sizeof(keyType)        },
+        { CKA_ENCRYPT,  &ckTrue,         sizeof(ckTrue)         },
+        { CKA_VALUE,    NULL,            0                      },
+        { CKA_ID,       id,              (CK_ULONG)idLen        }
+    };
+    int              keyTmplCnt = 4;
+
+    WOLFSSL_MSG("PKCS#11: Create Secret Key");
+
+    /* Set the modulus and public exponent data. */
+    keyTemplate[3].pValue     = data;
+    keyTemplate[3].ulValueLen = (CK_ULONG)len;
+
+    if (idLen > 0)
+        keyTmplCnt++;
+
+    /* Create an object containing key data for device to use. */
+    rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt,
+                                                                           key);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+
+    return ret;
+}
+#endif
+
+#ifndef NO_RSA
+/**
+ * Create a PKCS#11 object containing the RSA private key data.
+ *
+ * @param  privateKey [out]  Henadle to private key object.
+ * @param  session    [in]   Session object.
+ * @param  rsaKey     [in]   RSA key with private key data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11CreateRsaPrivateKey(CK_OBJECT_HANDLE* privateKey,
+                                     Pkcs11Session* session,
+                                     RsaKey* rsaKey)
+{
+    int             ret = 0;
+    CK_RV           rv;
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,            &privKeyClass, sizeof(privKeyClass) },
+        { CKA_KEY_TYPE,         &rsaKeyType,   sizeof(rsaKeyType)   },
+        { CKA_DECRYPT,          &ckTrue,       sizeof(ckTrue)       },
+        { CKA_MODULUS,          NULL,          0                    },
+        { CKA_PRIVATE_EXPONENT, NULL,          0                    },
+        { CKA_PRIME_1,          NULL,          0                    },
+        { CKA_PRIME_2,          NULL,          0                    },
+        { CKA_EXPONENT_1,       NULL,          0                    },
+        { CKA_EXPONENT_2,       NULL,          0                    },
+        { CKA_COEFFICIENT,      NULL,          0                    },
+        { CKA_PUBLIC_EXPONENT,  NULL,          0                    }
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    /* Set the modulus and private key data. */
+    keyTemplate[ 3].pValue     = rsaKey->n.raw.buf;
+    keyTemplate[ 3].ulValueLen = rsaKey->n.raw.len;
+    keyTemplate[ 4].pValue     = rsaKey->d.raw.buf;
+    keyTemplate[ 4].ulValueLen = rsaKey->d.raw.len;
+    keyTemplate[ 5].pValue     = rsaKey->p.raw.buf;
+    keyTemplate[ 5].ulValueLen = rsaKey->p.raw.len;
+    keyTemplate[ 6].pValue     = rsaKey->q.raw.buf;
+    keyTemplate[ 6].ulValueLen = rsaKey->q.raw.len;
+    keyTemplate[ 7].pValue     = rsaKey->dP.raw.buf;
+    keyTemplate[ 7].ulValueLen = rsaKey->dP.raw.len;
+    keyTemplate[ 8].pValue     = rsaKey->dQ.raw.buf;
+    keyTemplate[ 8].ulValueLen = rsaKey->dQ.raw.len;
+    keyTemplate[ 9].pValue     = rsaKey->u.raw.buf;
+    keyTemplate[ 9].ulValueLen = rsaKey->u.raw.len;
+    keyTemplate[10].pValue     = rsaKey->e.raw.buf;
+    keyTemplate[10].ulValueLen = rsaKey->e.raw.len;
+
+    rv = session->func->C_CreateObject(session->handle, keyTemplate, keyTmplCnt,
+                                                                    privateKey);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+
+    return ret;
+}
+#endif
+
+#ifdef HAVE_ECC
+/**
+ * Set the ECC parameters into the template.
+ *
+ * @param  key   [in]  ECC key.
+ * @param  tmpl  [in]  PKCS#11 template.
+ * @param  idx   [in]  Index of template to put parameters into.
+ * @return NOT_COMPILE_IN when the EC parameters are not known.
+ *         0 on success.
+ */
+static int Pkcs11EccSetParams(ecc_key* key, CK_ATTRIBUTE* tmpl, int idx)
+{
+    int ret = 0;
+
+    if (key->dp != NULL && key->dp->oid != NULL) {
+        unsigned char* derParams = tmpl[idx].pValue;
+        /* ASN.1 encoding: OBJ + ecc parameters OID */
+        tmpl[idx].ulValueLen = key->dp->oidSz + 2;
+        derParams[0] = ASN_OBJECT_ID;
+        derParams[1] = key->dp->oidSz;
+        XMEMCPY(derParams + 2, key->dp->oid, key->dp->oidSz);
+    }
+    else
+        ret = NOT_COMPILED_IN;
+
+    return ret;
+}
+
+/**
+ * Create a PKCS#11 object containing the ECC private key data.
+ *
+ * @param  privateKey   [out]  Henadle to private key object.
+ * @param  session      [in]   Session object.
+ * @param  private_key  [in]   ECC private key.
+ * @param  operation    [in]   Cryptographic operation key is to be used for.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11CreateEccPrivateKey(CK_OBJECT_HANDLE* privateKey,
+                                     Pkcs11Session* session,
+                                     ecc_key* private_key,
+                                     CK_ATTRIBUTE_TYPE operation)
+{
+    int             ret = 0;
+    CK_RV           rv;
+    CK_UTF8CHAR     params[MAX_EC_PARAM_LEN];
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,     &privKeyClass, sizeof(privKeyClass) },
+        { CKA_KEY_TYPE,  &ecKeyType,    sizeof(ecKeyType)    },
+        { operation,     &ckTrue,       sizeof(ckTrue)       },
+        { CKA_EC_PARAMS, params,        0                    },
+        { CKA_VALUE,     NULL,          0                    }
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    ret = Pkcs11EccSetParams(private_key, keyTemplate, 3);
+    if (ret == 0) {
+        keyTemplate[4].pValue     = private_key->k.raw.buf;
+        keyTemplate[4].ulValueLen = private_key->k.raw.len;
+
+        rv = session->func->C_CreateObject(session->handle, keyTemplate,
+                                                        keyTmplCnt, privateKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    return ret;
+}
+#endif
+
+#if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \
+           (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || !defined(NO_HMAC)
+/**
+ * Check if mechanism is available in session on token.
+ *
+ * @param  session  [in]  Session object.
+ * @param  mech     [in]  Mechanism to look for.
+ * @return  NOT_COMPILED_IN when mechanism not available.
+ *          0 when mechanism is available.
+ */
+static int Pkcs11MechAvail(Pkcs11Session* session, CK_MECHANISM_TYPE mech)
+{
+    int               ret = 0;
+    CK_RV             rv;
+    CK_MECHANISM_INFO mechInfo;
+
+    rv = session->func->C_GetMechanismInfo(session->slotId, mech, &mechInfo);
+    if (rv != CKR_OK)
+        ret = NOT_COMPILED_IN;
+
+    return ret;
+}
+#endif
+
+#ifndef NO_HMAC
+/**
+ * Return the mechanism type and key type for the digest type when using HMAC.
+ *
+ * @param  macType   [in]  Digest type - e.g. WC_SHA256.
+ * @param  mechType  [in]  Mechanism type - e.g. CKM_SHA256_HMAC.
+ * @param  keyType   [in]  Key type - e.g. CKK_SHA256_HMAC.
+ * @return  NOT_COMPILED_IN if the digest algorithm isn't recognised.
+ *          0 otherwise.
+ */
+static int Pkcs11HmacTypes(int macType, int* mechType, int* keyType)
+{
+    int ret = 0;
+
+    switch (macType)
+    {
+    #ifndef NO_MD5
+        case WC_MD5:
+            *mechType = CKM_MD5_HMAC;
+            *keyType = CKK_MD5_HMAC;
+            break;
+    #endif
+    #ifndef NO_SHA
+        case WC_SHA:
+            *mechType = CKM_SHA_1_HMAC;
+            *keyType = CKK_SHA_1_HMAC;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA224
+        case WC_SHA224:
+            *mechType = CKM_SHA224_HMAC;
+            *keyType = CKK_SHA224_HMAC;
+            break;
+    #endif
+    #ifndef NO_SHA256
+        case WC_SHA256:
+            *mechType = CKM_SHA256_HMAC;
+            *keyType = CKK_SHA256_HMAC;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA384
+        case WC_SHA384:
+            *mechType = CKM_SHA384_HMAC;
+            *keyType = CKK_SHA384_HMAC;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHA512
+        case WC_SHA512:
+            *mechType = CKM_SHA512_HMAC;
+            *keyType = CKK_SHA512_HMAC;
+            break;
+    #endif
+        default:
+            ret = NOT_COMPILED_IN;
+            break;
+    }
+
+    return ret;
+}
+#endif
+
+/**
+ * Store the private key on the token in the session.
+ *
+ * @param  token  [in]  Token to store private key on.
+ * @param  type   [in]  Key type.
+ * @param  clear  [in]  Clear out the private data from software key.
+ * @param  key    [in]  Key type specific object.
+ * @return  NOT_COMPILED_IN when mechanism not available.
+ *          0 on success.
+ */
+int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
+{
+    int               ret = 0;
+    Pkcs11Session     session;
+    CK_OBJECT_HANDLE  privKey = NULL_PTR;
+
+    ret = Pkcs11OpenSession(token, &session, 1);
+    if (ret == 0) {
+        switch (type) {
+    #if !defined(NO_AES) && defined(HAVE_AESGCM)
+            case PKCS11_KEY_TYPE_AES_GCM: {
+                Aes* aes = (Aes*)key;
+
+                ret = Pkcs11MechAvail(&session, CKM_AES_GCM);
+                if (ret == 0) {
+                    ret = Pkcs11CreateSecretKey(&privKey, &session, CKK_AES,
+                                                (unsigned char*)aes->devKey,
+                                                aes->keylen,
+                                                (unsigned char*)aes->id,
+                                                aes->idLen);
+                }
+                if (ret == 0 && clear)
+                    ForceZero(aes->devKey, aes->keylen);
+                break;
+            }
+    #endif
+    #if !defined(NO_AES) && defined(HAVE_AES_CBC)
+            case PKCS11_KEY_TYPE_AES_CBC: {
+                Aes* aes = (Aes*)key;
+
+                ret = Pkcs11MechAvail(&session, CKM_AES_CBC);
+                if (ret == 0) {
+                    ret = Pkcs11CreateSecretKey(&privKey, &session, CKK_AES,
+                                                (unsigned char*)aes->devKey,
+                                                aes->keylen,
+                                                (unsigned char*)aes->id,
+                                                aes->idLen);
+                }
+                if (ret == 0 && clear)
+                    ForceZero(aes->devKey, aes->keylen);
+                break;
+            }
+    #endif
+    #ifndef NO_HMAC
+            case PKCS11_KEY_TYPE_HMAC: {
+                Hmac* hmac = (Hmac*)key;
+                int mechType;
+                int keyType;
+
+                ret = Pkcs11HmacTypes(hmac->macType, &mechType, &keyType);
+                if (ret == NOT_COMPILED_IN)
+                    break;
+
+                if (ret == 0)
+                    ret = Pkcs11MechAvail(&session, mechType);
+                if (ret == 0) {
+                    ret = Pkcs11CreateSecretKey(&privKey, &session, keyType,
+                                                (unsigned char*)hmac->keyRaw,
+                                                hmac->keyLen,
+                                                (unsigned char*)hmac->id,
+                                                hmac->idLen);
+                    if (ret == WC_HW_E) {
+                        ret = Pkcs11CreateSecretKey(&privKey, &session,
+                                                   CKK_GENERIC_SECRET,
+                                                   (unsigned char*)hmac->keyRaw,
+                                                   hmac->keyLen,
+                                                   (unsigned char*)hmac->id,
+                                                   hmac->idLen);
+                    }
+                }
+                break;
+            }
+    #endif
+    #ifndef NO_RSA
+            case PKCS11_KEY_TYPE_RSA: {
+                RsaKey* rsaKey = (RsaKey*)key;
+
+                ret = Pkcs11MechAvail(&session, CKM_RSA_X_509);
+                if (ret == 0)
+                    ret = Pkcs11CreateRsaPrivateKey(&privKey, &session, rsaKey);
+                if (ret == 0 && clear) {
+                    mp_forcezero(&rsaKey->u);
+                    mp_forcezero(&rsaKey->dQ);
+                    mp_forcezero(&rsaKey->dP);
+                    mp_forcezero(&rsaKey->q);
+                    mp_forcezero(&rsaKey->p);
+                    mp_forcezero(&rsaKey->d);
+                }
+                break;
+            }
+    #endif
+    #ifdef HAVE_ECC
+            case PKCS11_KEY_TYPE_EC: {
+                ecc_key* eccKey = (ecc_key*)key;
+                int      ret2 = NOT_COMPILED_IN;
+
+        #ifndef NO_PKCS11_ECDH
+                /* Try ECDH mechanism first. */
+                ret = Pkcs11MechAvail(&session, CKM_ECDH1_DERIVE);
+                if (ret == 0) {
+                    ret = Pkcs11CreateEccPrivateKey(&privKey, &session, eccKey,
+                                                                    CKA_DERIVE);
+                }
+         #endif
+                if (ret == 0 || ret == NOT_COMPILED_IN) {
+                    /* Try ECDSA mechanism next. */
+                    ret2 = Pkcs11MechAvail(&session, CKM_ECDSA);
+                    if (ret2 == 0) {
+                        ret2 = Pkcs11CreateEccPrivateKey(&privKey, &session,
+                                                              eccKey, CKA_SIGN);
+                    }
+                    /* OK for this to fail if set for ECDH. */
+                    if (ret == NOT_COMPILED_IN)
+                        ret = ret2;
+                }
+                if (ret == 0 && clear)
+                    mp_forcezero(&eccKey->k);
+                break;
+            }
+    #endif
+            default:
+                ret = NOT_COMPILED_IN;
+                break;
+        }
+
+        Pkcs11CloseSession(token, &session);
+    }
+
+    (void)privKey;
+    (void)clear;
+    (void)key;
+
+    return ret;
+}
+
+#if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \
+           (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || !defined(NO_HMAC)
+/**
+ * Find the PKCS#11 object containing the RSA public or private key data with
+ * the modulus specified.
+ *
+ * @param  key       [out]  Henadle to key object.
+ * @param  keyClass  [in]   Public or private key class.
+ * @param  keyType   [in]   Type of key.
+ * @param  session   [in]   Session object.
+ * @param  id        [in]   Identifier set against a key.
+ * @param  idLen     [in]   Length of identifier.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11FindKeyById(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass,
+                             CK_KEY_TYPE keyType, Pkcs11Session* session,
+                             byte* id, int idLen)
+{
+    int             ret = 0;
+    CK_RV           rv;
+    CK_ULONG        count;
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,           &keyClass, sizeof(keyClass) },
+        { CKA_KEY_TYPE,        &keyType,  sizeof(keyType)  },
+        { CKA_ID,              id,        (CK_ULONG)idLen  }
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    WOLFSSL_MSG("PKCS#11: Find Key By Id");
+
+    rv = session->func->C_FindObjectsInit(session->handle, keyTemplate,
+                                                                    keyTmplCnt);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    if (ret == 0) {
+        rv = session->func->C_FindObjects(session->handle, key, 1, &count);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+        rv = session->func->C_FindObjectsFinal(session->handle);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0 && count == 0)
+        ret = WC_HW_E;
+
+    return ret;
+}
+#endif
+
+#ifndef NO_RSA
+/**
+ * Find the PKCS#11 object containing the RSA public or private key data with
+ * the modulus specified.
+ *
+ * @param  key       [out]  Henadle to key object.
+ * @param  keyClass  [in]   Public or private key class.
+ * @param  session   [in]   Session object.
+ * @param  rsaKey    [in]   RSA key with modulus to search on.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11FindRsaKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass,
+                            Pkcs11Session* session, RsaKey* rsaKey)
+{
+    int             ret = 0;
+    CK_RV           rv;
+    CK_ULONG        count;
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,           &keyClass,   sizeof(keyClass)   },
+        { CKA_KEY_TYPE,        &rsaKeyType, sizeof(rsaKeyType) },
+        { CKA_MODULUS,         NULL,        0                  },
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    /* Set the modulus. */
+    keyTemplate[2].pValue     = rsaKey->n.raw.buf;
+    keyTemplate[2].ulValueLen = rsaKey->n.raw.len;
+
+    rv = session->func->C_FindObjectsInit(session->handle, keyTemplate,
+                                                                    keyTmplCnt);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    if (ret == 0) {
+        rv = session->func->C_FindObjects(session->handle, key, 1, &count);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+        rv = session->func->C_FindObjectsFinal(session->handle);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    return ret;
+}
+
+/**
+ * Exponentiate the input with the public part of the RSA key.
+ * Used in public encrypt and decrypt.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11RsaPublic(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int              ret = 0;
+    CK_RV            rv;
+    CK_MECHANISM     mech;
+    CK_ULONG         outLen;
+    CK_OBJECT_HANDLE publicKey = NULL_PTR;
+    int              sessionKey = 0;
+    CK_ATTRIBUTE     keyTemplate[] = {
+        { CKA_CLASS,           &pubKeyClass, sizeof(pubKeyClass) },
+        { CKA_KEY_TYPE,        &rsaKeyType,  sizeof(rsaKeyType)  },
+        { CKA_ENCRYPT,         &ckTrue,      sizeof(ckTrue)      },
+        { CKA_MODULUS,         NULL,         0                   },
+        { CKA_PUBLIC_EXPONENT, NULL,         0                   }
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    WOLFSSL_MSG("PKCS#11: RSA Public Key Operation");
+
+    if (info->pk.rsa.outLen == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        if ((sessionKey = !mp_iszero(&info->pk.rsa.key->e))) {
+            /* Set the modulus and public exponent data. */
+            keyTemplate[3].pValue     = info->pk.rsa.key->n.raw.buf;
+            keyTemplate[3].ulValueLen = info->pk.rsa.key->n.raw.len;
+            keyTemplate[4].pValue     = info->pk.rsa.key->e.raw.buf;
+            keyTemplate[4].ulValueLen = info->pk.rsa.key->e.raw.len;
+
+            /* Create an object containing public key data for device to use. */
+            rv = session->func->C_CreateObject(session->handle, keyTemplate,
+                                                        keyTmplCnt, &publicKey);
+            if (rv != CKR_OK)
+                ret = WC_HW_E;
+        }
+        else {
+            ret = Pkcs11FindKeyById(&publicKey, CKO_PUBLIC_KEY, CKK_RSA,
+                                    session, info->pk.rsa.key->id,
+                                    info->pk.rsa.key->idLen);
+        }
+    }
+
+    if (ret == 0) {
+        /* Raw RSA encrypt/decrypt operation. */
+        mech.mechanism      = CKM_RSA_X_509;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_EncryptInit(session->handle, &mech, publicKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = (CK_ULONG)*info->pk.rsa.outLen;
+        rv = session->func->C_Encrypt(session->handle,
+                (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen,
+                info->pk.rsa.out, &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0)
+        *info->pk.rsa.outLen = (word32)outLen;
+
+    if (sessionKey)
+        session->func->C_DestroyObject(session->handle, publicKey);
+
+    return ret;
+}
+
+/**
+ * Exponentiate the input with the private part of the RSA key.
+ * Used in private encrypt and decrypt.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11RsaPrivate(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int              ret = 0;
+    CK_RV            rv;
+    CK_MECHANISM     mech;
+    CK_ULONG         outLen;
+    CK_OBJECT_HANDLE privateKey = NULL_PTR;
+    int              sessionKey = 0;
+
+    WOLFSSL_MSG("PKCS#11: RSA Private Key Operation");
+
+    if (info->pk.rsa.outLen == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        if ((sessionKey = !mp_iszero(&info->pk.rsa.key->d))) {
+            ret = Pkcs11CreateRsaPrivateKey(&privateKey, session,
+                                                              info->pk.rsa.key);
+        }
+        else if (info->pk.rsa.key->idLen > 0) {
+            ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_RSA,
+                                    session, info->pk.rsa.key->id,
+                                    info->pk.rsa.key->idLen);
+        }
+        else {
+            ret = Pkcs11FindRsaKey(&privateKey, CKO_PRIVATE_KEY, session,
+                                                              info->pk.rsa.key);
+        }
+    }
+
+    if (ret == 0) {
+        /* Raw RSA encrypt/decrypt operation. */
+        mech.mechanism      = CKM_RSA_X_509;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_DecryptInit(session->handle, &mech, privateKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = (CK_ULONG)*info->pk.rsa.outLen;
+        rv = session->func->C_Decrypt(session->handle,
+                (CK_BYTE_PTR)info->pk.rsa.in, info->pk.rsa.inLen,
+                info->pk.rsa.out, &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0)
+        *info->pk.rsa.outLen = (word32)outLen;
+
+    if (sessionKey)
+        session->func->C_DestroyObject(session->handle, privateKey);
+
+    return ret;
+}
+
+/**
+ * Perform an RSA operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11Rsa(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int               ret = 0;
+    CK_RV             rv;
+    CK_MECHANISM_INFO mechInfo;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_RSA_X_509,
+                                                                     &mechInfo);
+    if (rv != CKR_OK)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0) {
+        if (info->pk.rsa.type == RSA_PUBLIC_ENCRYPT ||
+                                      info->pk.rsa.type == RSA_PUBLIC_DECRYPT) {
+            if ((mechInfo.flags & CKF_ENCRYPT) == 0)
+                ret = NOT_COMPILED_IN;
+            else
+                ret = Pkcs11RsaPublic(session, info);
+        }
+        else if (info->pk.rsa.type == RSA_PRIVATE_ENCRYPT ||
+                                     info->pk.rsa.type == RSA_PRIVATE_DECRYPT) {
+            if ((mechInfo.flags & CKF_DECRYPT) == 0)
+                ret = NOT_COMPILED_IN;
+            else
+                ret = Pkcs11RsaPrivate(session, info);
+        }
+        else
+            ret = NOT_COMPILED_IN;
+    }
+
+    return ret;
+}
+
+#ifdef WOLFSSL_KEY_GEN
+/**
+ * Get the RSA public key data from the PKCS#11 object.
+ *
+ * @param  key      [in]  RSA key to put the data into.
+ * @param  session  [in]  Session object.
+ * @param  pubkey   [in]  Public key object.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session,
+                                 CK_OBJECT_HANDLE pubKey)
+{
+    int            ret = 0;
+    unsigned char* mod = NULL;
+    unsigned char* exp = NULL;
+    int            modSz, expSz;
+    CK_ATTRIBUTE   tmpl[] = {
+        { CKA_MODULUS,         NULL_PTR, 0 },
+        { CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }
+    };
+    CK_ULONG       tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
+    CK_RV rv;
+
+    rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl,
+                                                                       tmplCnt);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+
+    if (ret == 0) {
+        modSz = tmpl[0].ulValueLen;
+        expSz = tmpl[1].ulValueLen;
+        mod = (unsigned char*)XMALLOC(modSz, key->heap,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        if (mod == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        exp = (unsigned char*)XMALLOC(expSz, key->heap,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        if (exp == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        tmpl[0].pValue = mod;
+        tmpl[1].pValue = exp;
+
+        rv = session->func->C_GetAttributeValue(session->handle, pubKey,
+                                                                 tmpl, tmplCnt);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0)
+        ret = wc_RsaPublicKeyDecodeRaw(mod, modSz, exp, expSz, key);
+
+    if (exp != NULL)
+        XFREE(exp, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (mod != NULL)
+        XFREE(mod, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+
+/**
+ * Perform an RSA key generation operation.
+ * The private key data stays on the device.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int               ret = 0;
+    RsaKey*           key = info->pk.rsakg.key;
+    CK_RV             rv;
+    CK_ULONG          bits = info->pk.rsakg.size;
+    CK_OBJECT_HANDLE  pubKey = NULL_PTR, privKey = NULL_PTR;
+    CK_MECHANISM      mech;
+    static CK_BYTE    pub_exp[] = { 0x01, 0x00, 0x01, 0x00 };
+    CK_ATTRIBUTE      pubKeyTmpl[] = {
+        { CKA_MODULUS_BITS,    &bits,    sizeof(bits)    },
+        { CKA_ENCRYPT,         &ckTrue,  sizeof(ckTrue)  },
+        { CKA_VERIFY,          &ckTrue,  sizeof(ckTrue)  },
+        { CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp) }
+    };
+    CK_ULONG          pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl);
+    CK_ATTRIBUTE      privKeyTmpl[] = {
+        {CKA_DECRYPT,  &ckTrue, sizeof(ckTrue) },
+        {CKA_SIGN,     &ckTrue, sizeof(ckTrue) },
+        {CKA_ID,       NULL,    0              }
+    };
+    int               privTmplCnt = 2;
+    int               i;
+
+    ret = Pkcs11MechAvail(session, CKM_RSA_PKCS_KEY_PAIR_GEN);
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: RSA Key Generation Operation");
+
+        /* Most commonly used public exponent value (array initialized). */
+        if (info->pk.rsakg.e != WC_RSA_EXPONENT) {
+            for (i = 0; i < (int)sizeof(pub_exp); i++)
+                pub_exp[i] = (info->pk.rsakg.e >> (8 * i)) & 0xff;
+        }
+        for (i = (int)sizeof(pub_exp) - 1; pub_exp[i] == 0; i--) {
+        }
+        pubKeyTmpl[3].ulValueLen = i + 1;
+
+        if (key->idLen != 0) {
+            privKeyTmpl[privTmplCnt].pValue     = key->id;
+            privKeyTmpl[privTmplCnt].ulValueLen = key->idLen;
+            privTmplCnt++;
+        }
+
+        mech.mechanism      = CKM_RSA_PKCS_KEY_PAIR_GEN;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_GenerateKeyPair(session->handle, &mech,
+                                                       pubKeyTmpl, pubTmplCnt,
+                                                       privKeyTmpl, privTmplCnt,
+                                                       &pubKey, &privKey);
+        if (rv != CKR_OK)
+            ret = -1;
+    }
+
+    if (ret == 0)
+        ret = Pkcs11GetRsaPublicKey(key, session, pubKey);
+
+    if (pubKey != NULL_PTR)
+        ret = session->func->C_DestroyObject(session->handle, pubKey);
+    if (ret != 0 && privKey != NULL_PTR)
+        ret = session->func->C_DestroyObject(session->handle, privKey);
+
+    return ret;
+}
+#endif /* WOLFSSL_KEY_GEN */
+#endif /* !NO_RSA */
+
+#ifdef HAVE_ECC
+/**
+ * Find the PKCS#11 object containing the ECC public or private key data with
+ * the modulus specified.
+ *
+ * @param  key       [out]  Henadle to key object.
+ * @param  keyClass  [in]   Public or private key class.
+ * @param  session   [in]   Session object.
+ * @param  eccKey    [in]   ECC key with parameters.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11FindEccKey(CK_OBJECT_HANDLE* key, CK_OBJECT_CLASS keyClass,
+                            Pkcs11Session* session, ecc_key* eccKey)
+{
+    int             ret = 0;
+    int             i;
+    unsigned char*  ecPoint = NULL;
+    word32          len = 0;
+    CK_RV           rv;
+    CK_ULONG        count;
+    CK_UTF8CHAR     params[MAX_EC_PARAM_LEN];
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,           &keyClass,  sizeof(keyClass)  },
+        { CKA_KEY_TYPE,        &ecKeyType, sizeof(ecKeyType) },
+        { CKA_EC_PARAMS,       params,     0                 },
+        { CKA_EC_POINT,        NULL,       0                 },
+    };
+    CK_ULONG        attrCnt = 3;
+
+    ret = Pkcs11EccSetParams(eccKey, keyTemplate, 2);
+    if (ret == 0 && keyClass == CKO_PUBLIC_KEY) {
+        /* ASN1 encoded: OCT + uncompressed point */
+        len = 3 + 1 + 2 * eccKey->dp->size;
+        ecPoint = (unsigned char*)XMALLOC(len, eccKey->heap, DYNAMIC_TYPE_ECC);
+        if (ecPoint == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0 && keyClass == CKO_PUBLIC_KEY) {
+        len -= 3;
+        i = 0;
+        ecPoint[i++] = ASN_OCTET_STRING;
+        if (len >= ASN_LONG_LENGTH)
+            ecPoint[i++] = (ASN_LONG_LENGTH | 1);
+        ecPoint[i++] = len;
+        ret = wc_ecc_export_x963(eccKey, ecPoint + i, &len);
+    }
+    if (ret == 0 && keyClass == CKO_PUBLIC_KEY) {
+        keyTemplate[3].pValue     = ecPoint;
+        keyTemplate[3].ulValueLen = len + i;
+        attrCnt++;
+    }
+    if (ret == 0) {
+        rv = session->func->C_FindObjectsInit(session->handle, keyTemplate,
+                                                                       attrCnt);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        rv = session->func->C_FindObjects(session->handle, key, 1, &count);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+        rv = session->func->C_FindObjectsFinal(session->handle);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ecPoint != NULL)
+        XFREE(ecPoint, eccKey->heap, DYNAMIC_TYPE_ECC);
+
+    return ret;
+}
+
+/**
+ * Create a PKCS#11 object containing the ECC public key data.
+ * Encode the public key as an OCTET_STRING of the encoded point.
+ *
+ * @param  publicKey    [out]  Henadle to public key object.
+ * @param  session      [in]   Session object.
+ * @param  public_key   [in]   ECC public key.
+ * @param  operation    [in]   Cryptographic operation key is to be used for.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11CreateEccPublicKey(CK_OBJECT_HANDLE* publicKey,
+                                    Pkcs11Session* session,
+                                    ecc_key* public_key,
+                                    CK_ATTRIBUTE_TYPE operation)
+{
+    int             ret = 0;
+    int             i;
+    unsigned char*  ecPoint = NULL;
+    word32          len;
+    CK_RV           rv;
+    CK_UTF8CHAR     params[MAX_EC_PARAM_LEN];
+    CK_ATTRIBUTE    keyTemplate[] = {
+        { CKA_CLASS,     &pubKeyClass, sizeof(pubKeyClass) },
+        { CKA_KEY_TYPE,  &ecKeyType,   sizeof(ecKeyType)   },
+        { operation,     &ckTrue,      sizeof(ckTrue)      },
+        { CKA_EC_PARAMS, params,       0                   },
+        { CKA_EC_POINT,  NULL,         0                   }
+    };
+    CK_ULONG        keyTmplCnt = sizeof(keyTemplate) / sizeof(*keyTemplate);
+
+    ret = Pkcs11EccSetParams(public_key, keyTemplate, 3);
+    if (ret == 0) {
+        /* ASN1 encoded: OCT + uncompressed point */
+        len = 3 + 1 + 2 * public_key->dp->size;
+        ecPoint = (unsigned char*)XMALLOC(len, public_key->heap,
+                                                              DYNAMIC_TYPE_ECC);
+        if (ecPoint == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        len -= 3;
+        i = 0;
+        ecPoint[i++] = ASN_OCTET_STRING;
+        if (len >= ASN_LONG_LENGTH)
+            ecPoint[i++] = ASN_LONG_LENGTH | 1;
+        ecPoint[i++] = len;
+        ret = wc_ecc_export_x963(public_key, ecPoint + i, &len);
+    }
+    if (ret == 0) {
+        keyTemplate[4].pValue     = ecPoint;
+        keyTemplate[4].ulValueLen = len + i;
+
+        rv = session->func->C_CreateObject(session->handle, keyTemplate,
+                                                         keyTmplCnt, publicKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ecPoint != NULL)
+        XFREE(ecPoint, public_key->heap, DYNAMIC_TYPE_ECC);
+
+    return ret;
+}
+
+#ifndef NO_PKCS11_EC_KEYGEN
+/**
+ * Gets the public key data from the PKCS#11 object and puts into the ECC key.
+ *
+ * @param  key      [in]  ECC public key.
+ * @param  session  [in]  Session object.
+ * @param  pubKey   [in]  ECC public key PKCS#11 object.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11GetEccPublicKey(ecc_key* key, Pkcs11Session* session,
+                                 CK_OBJECT_HANDLE pubKey)
+{
+    int            ret = 0;
+    word32         i = 0;
+    int            curveIdx;
+    unsigned char* point = NULL;
+    int            pointSz;
+    byte           tag;
+    CK_RV          rv;
+    CK_ATTRIBUTE   tmpl[] = {
+        { CKA_EC_POINT,  NULL_PTR, 0 },
+    };
+    CK_ULONG       tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
+
+    rv = session->func->C_GetAttributeValue(session->handle, pubKey, tmpl,
+                                                                       tmplCnt);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+
+    if (ret == 0) {
+        pointSz = (int)tmpl[0].ulValueLen;
+        point = (unsigned char*)XMALLOC(pointSz, key->heap, DYNAMIC_TYPE_ECC);
+        if (point == NULL)
+            ret = MEMORY_E;
+    }
+    if (ret == 0) {
+        tmpl[0].pValue = point;
+
+        rv = session->func->C_GetAttributeValue(session->handle, pubKey,
+                                                                 tmpl, tmplCnt);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    /* Make sure the data is big enough for ASN.1: OCT + uncompressed point */
+    if (ret == 0 && pointSz < key->dp->size * 2 + 1 + 2)
+        ret = ASN_PARSE_E;
+    /* Step over the OCTET_STRING wrapper. */
+    if (ret == 0 && GetASNTag(point, &i, &tag, pointSz) != 0)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && tag != ASN_OCTET_STRING)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && point[i] >= ASN_LONG_LENGTH) {
+        if (point[i++] != (ASN_LONG_LENGTH | 1))
+            ret = ASN_PARSE_E;
+        else if (pointSz < key->dp->size * 2 + 1 + 3)
+            ret = ASN_PARSE_E;
+    }
+    if (ret == 0 && point[i++] != key->dp->size * 2 + 1)
+        ret = ASN_PARSE_E;
+
+    if (ret == 0) {
+        curveIdx = wc_ecc_get_curve_idx(key->dp->id);
+        ret = wc_ecc_import_point_der(point + i, pointSz - i, curveIdx,
+                                                                  &key->pubkey);
+    }
+
+    if (point != NULL)
+        XFREE(point, key->heap, DYNAMIC_TYPE_ECC);
+
+    return ret;
+}
+
+/**
+ * Perform an ECC key generation operation.
+ * The private key data stays on the device.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int               ret = 0;
+    ecc_key*          key = info->pk.eckg.key;
+    CK_RV             rv;
+    CK_OBJECT_HANDLE  pubKey = NULL_PTR, privKey = NULL_PTR;
+    CK_MECHANISM      mech;
+    CK_UTF8CHAR       params[MAX_EC_PARAM_LEN];
+    CK_ATTRIBUTE      pubKeyTmpl[] = {
+        { CKA_EC_PARAMS,       params,   0               },
+        { CKA_ENCRYPT,         &ckTrue,  sizeof(ckTrue)  },
+        { CKA_VERIFY,          &ckTrue,  sizeof(ckTrue)  },
+    };
+    int               pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl);
+    CK_ATTRIBUTE      privKeyTmpl[] = {
+        { CKA_DECRYPT,  &ckTrue, sizeof(ckTrue) },
+        { CKA_SIGN,     &ckTrue, sizeof(ckTrue) },
+        { CKA_DERIVE,   &ckTrue, sizeof(ckTrue) },
+        { CKA_ID,       NULL,    0              },
+    };
+    int               privTmplCnt = 3;
+
+    ret = Pkcs11MechAvail(session, CKM_EC_KEY_PAIR_GEN);
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: EC Key Generation Operation");
+
+        ret = Pkcs11EccSetParams(key, pubKeyTmpl, 0);
+    }
+    if (ret == 0) {
+        if (key->idLen != 0) {
+            privKeyTmpl[privTmplCnt].pValue     = key->id;
+            privKeyTmpl[privTmplCnt].ulValueLen = key->idLen;
+            privTmplCnt++;
+        }
+
+        mech.mechanism      = CKM_EC_KEY_PAIR_GEN;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_GenerateKeyPair(session->handle, &mech,
+                                                       pubKeyTmpl, pubTmplCnt,
+                                                       privKeyTmpl, privTmplCnt,
+                                                       &pubKey, &privKey);
+        if (rv != CKR_OK)
+            ret = -1;
+    }
+
+    if (ret == 0)
+        ret = Pkcs11GetEccPublicKey(key, session, pubKey);
+
+    if (pubKey != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, pubKey);
+    if (ret != 0 && privKey != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, privKey);
+
+    return ret;
+}
+#endif
+
+#ifndef NO_PKCS11_ECDH
+/**
+ * Extracts the secret key data from the PKCS#11 object.
+ *
+ * @param  session  [in]      Session object.
+ * @param  secret   [in]      PKCS#11 object with the secret key data.
+ * @param  out      [in]      Buffer to hold secret data.
+ * @param  outLen   [in,out]  On in, length of buffer.
+ *                            On out, the length of data in buffer.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11ExtractSecret(Pkcs11Session* session, CK_OBJECT_HANDLE secret,
+    byte* out, word32* outLen)
+{
+    int ret = 0;
+    CK_ATTRIBUTE tmpl[] = {
+      {CKA_VALUE, NULL_PTR, 0}
+    };
+    CK_ULONG     tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
+    CK_RV rv;
+
+    rv = session->func->C_GetAttributeValue(session->handle, secret, tmpl,
+                                                                       tmplCnt);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    if (ret == 0) {
+        if (tmpl[0].ulValueLen > *outLen)
+            ret = BUFFER_E;
+    }
+    if (ret == 0) {
+        tmpl[0].pValue = out;
+        rv = session->func->C_GetAttributeValue(session->handle, secret,
+                                                                 tmpl, tmplCnt);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+        *outLen = (word32)tmpl[0].ulValueLen;
+    }
+
+    return ret;
+}
+
+/**
+ * Performs the ECDH secret generation operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11ECDH(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                    ret = 0;
+    int                    sessionKey = 0;
+    unsigned char*         point = NULL;
+    word32                 pointLen;
+    CK_RV                  rv;
+    CK_KEY_TYPE            keyType = CKK_GENERIC_SECRET;
+    CK_MECHANISM           mech;
+    CK_ECDH1_DERIVE_PARAMS params;
+    CK_OBJECT_HANDLE       privateKey = NULL_PTR;
+    CK_OBJECT_HANDLE       secret = CK_INVALID_HANDLE;
+    CK_ULONG               secSz;
+    CK_ATTRIBUTE           tmpl[] = {
+        { CKA_CLASS,       &secretKeyClass, sizeof(secretKeyClass) },
+        { CKA_KEY_TYPE,    &keyType,        sizeof(keyType)        },
+        { CKA_PRIVATE,     &ckFalse,        sizeof(ckFalse)        },
+        { CKA_SENSITIVE,   &ckFalse,        sizeof(ckFalse)        },
+        { CKA_EXTRACTABLE, &ckTrue,         sizeof(ckTrue)         },
+        { CKA_VALUE_LEN,   &secSz,          sizeof(secSz)          }
+    };
+    CK_ULONG               tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
+
+    ret = Pkcs11MechAvail(session, CKM_ECDH1_DERIVE);
+    if (ret == 0 && info->pk.ecdh.outlen == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: EC Key Derivation Operation");
+
+
+        if ((sessionKey = !mp_iszero(&info->pk.ecdh.private_key->k)))
+            ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
+                                         info->pk.ecdh.private_key, CKA_DERIVE);
+        else if (info->pk.ecdh.private_key->idLen > 0) {
+            ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
+                                    session, info->pk.ecdh.private_key->id,
+                                    info->pk.ecdh.private_key->idLen);
+        }
+        else {
+            ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session,
+                                                      info->pk.ecdh.public_key);
+        }
+    }
+    if (ret == 0) {
+        ret = wc_ecc_export_x963(info->pk.ecdh.public_key, NULL, &pointLen);
+        if (ret == LENGTH_ONLY_E) {
+            point = (unsigned char*)XMALLOC(pointLen,
+                                                 info->pk.ecdh.public_key->heap,
+                                                       DYNAMIC_TYPE_ECC_BUFFER);
+            ret = wc_ecc_export_x963(info->pk.ecdh.public_key, point,
+                                                                     &pointLen);
+        }
+    }
+
+    if (ret == 0) {
+        secSz = *info->pk.ecdh.outlen;
+        if (secSz > (CK_ULONG)info->pk.ecdh.private_key->dp->size)
+            secSz = info->pk.ecdh.private_key->dp->size;
+
+        params.kdf             = CKD_NULL;
+        params.pSharedData     = NULL;
+        params.ulSharedDataLen = 0;
+        params.pPublicData     = point;
+        params.ulPublicDataLen = pointLen;
+
+        mech.mechanism      = CKM_ECDH1_DERIVE;
+        mech.ulParameterLen = sizeof(params);
+        mech.pParameter     = &params;
+
+        rv = session->func->C_DeriveKey(session->handle, &mech, privateKey,
+                                                        tmpl, tmplCnt, &secret);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ret == 0) {
+        ret = Pkcs11ExtractSecret(session, secret, info->pk.ecdh.out,
+                                                          info->pk.ecdh.outlen);
+    }
+
+    if (sessionKey)
+        session->func->C_DestroyObject(session->handle, privateKey);
+
+    if (point != NULL)
+        XFREE(point, info->pk.ecdh.public_key->heap, DYNAMIC_TYPE_ECC_BUFFER);
+
+    return ret;
+}
+#endif
+
+/**
+ * Encode, in place, the ECDSA signature.
+ * Two fixed width values into ASN.1 DER encoded SEQ { INT, INT }
+ *
+ * @param  sig  [in,out]  Signature data.
+ * @param  sz   [in]      Size of original signature data.
+ * @return  Length of the ASN.1 DER enencoded signature.
+ */
+static word32 Pkcs11ECDSASig_Encode(byte* sig, word32 sz)
+{
+    word32 rHigh, sHigh, seqLen;
+    word32 rStart = 0, sStart = 0;
+    word32 sigSz, rSz, rLen, sSz, sLen;
+    word32 i;
+
+    /* Find first byte of data in r and s. */
+    while (rStart < sz - 1 && sig[rStart] == 0x00)
+        rStart++;
+    while (sStart < sz - 1 && sig[sz + sStart] == 0x00)
+        sStart++;
+    /* Check if 0 needs to be prepended to make integer a positive number. */
+    rHigh = sig[rStart] >> 7;
+    sHigh = sig[sz + sStart] >> 7;
+    /* Calculate length of integer to put into ASN.1 encoding. */
+    rLen = sz - rStart;
+    sLen = sz - sStart;
+    /* r and s: INT (2 bytes) + [ 0x00 ] + integer */
+    rSz = 2 + rHigh + rLen;
+    sSz = 2 + sHigh + sLen;
+    /* Calculate the complete ASN.1 DER encoded size. */
+    sigSz = rSz + sSz;
+    if (sigSz >= ASN_LONG_LENGTH)
+        seqLen = 3;
+    else
+        seqLen = 2;
+
+    /* Move s and then r integers into their final places. */
+    XMEMMOVE(sig + seqLen + rSz + (sSz - sLen), sig + sz + sStart, sLen);
+    XMEMMOVE(sig + seqLen       + (rSz - rLen), sig      + rStart, rLen);
+
+    /* Put the ASN.1 DER encoding around data. */
+    i = 0;
+    sig[i++] = ASN_CONSTRUCTED | ASN_SEQUENCE;
+    if (seqLen == 3)
+        sig[i++] = ASN_LONG_LENGTH | 0x01;
+    sig[i++] = sigSz;
+    sig[i++] = ASN_INTEGER;
+    sig[i++] = rHigh + (sz - rStart);
+    if (rHigh)
+        sig[i++] = 0x00;
+    i += sz - rStart;
+    sig[i++] = ASN_INTEGER;
+    sig[i++] = sHigh + (sz - sStart);
+    if (sHigh)
+        sig[i] = 0x00;
+
+    return seqLen + sigSz;
+}
+
+/**
+ * Decode the ECDSA signature.
+ * ASN.1 DER encode SEQ { INT, INT } converted to two fixed with values.
+ *
+ * @param  in    [in]  ASN.1 DER encoded signature.
+ * @param  inSz  [in]  Size of ASN.1 signature.
+ * @param  sig   [in]  Output buffer.
+ * @param  sz    [in]  Size of output buffer.
+ * @return  ASN_PARSE_E when the ASN.1 encoding is invalid.
+ *          0 on success.
+ */
+static int Pkcs11ECDSASig_Decode(const byte* in, word32 inSz, byte* sig,
+                                 word32 sz)
+{
+    int ret = 0;
+    word32 i = 0;
+    byte   tag;
+    int len, seqLen = 2;
+
+    /* Make sure zeros in place when decoding short integers. */
+    XMEMSET(sig, 0, sz * 2);
+
+    /* Check min data for: SEQ + INT. */
+    if (inSz < 5)
+        ret = ASN_PARSE_E;
+    /* Check SEQ */
+    if (ret == 0 && in[i++] != (ASN_CONSTRUCTED | ASN_SEQUENCE))
+        ret = ASN_PARSE_E;
+    if (ret == 0 && in[i] >= ASN_LONG_LENGTH) {
+        if (in[i] != (ASN_LONG_LENGTH | 0x01))
+            ret = ASN_PARSE_E;
+        else {
+            i++;
+            seqLen++;
+        }
+    }
+    if (ret == 0 && in[i++] != inSz - seqLen)
+        ret = ASN_PARSE_E;
+
+    /* Check INT */
+    if (ret == 0 && GetASNTag(in, &i, &tag, inSz) != 0)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && tag != ASN_INTEGER)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && (len = in[i++]) > sz + 1)
+        ret = ASN_PARSE_E;
+    /* Check there is space for INT data */
+    if (ret == 0 && i + len > inSz)
+        ret = ASN_PARSE_E;
+    if (ret == 0) {
+        /* Skip leading zero */
+        if (in[i] == 0x00) {
+            i++;
+            len--;
+        }
+        /* Copy r into sig. */
+        XMEMCPY(sig + sz - len, in + i, len);
+        i += len;
+    }
+
+    /* Check min data for: INT. */
+    if (ret == 0 && i + 2 > inSz)
+        ret = ASN_PARSE_E;
+    /* Check INT */
+    if (ret == 0 && GetASNTag(in, &i, &tag, inSz) != 0)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && tag != ASN_INTEGER)
+        ret = ASN_PARSE_E;
+    if (ret == 0 && (len = in[i++]) > sz + 1)
+        ret = ASN_PARSE_E;
+    /* Check there is space for INT data */
+    if (ret == 0 && i + len > inSz)
+        ret = ASN_PARSE_E;
+    if (ret == 0) {
+        /* Skip leading zero */
+        if (in[i] == 0x00) {
+            i++;
+            len--;
+        }
+        /* Copy s into sig. */
+        XMEMCPY(sig + sz + sz - len, in + i, len);
+    }
+
+    return ret;
+}
+
+/**
+ * Get the parameters from the private key on the device.
+ *
+ * @param  session  [in]  Session object.
+ * @param  privKey  [in]  PKCS #11 object handle of private key..
+ * @param  key      [in]  Ecc key to set parameters against.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11GetEccParams(Pkcs11Session* session, CK_OBJECT_HANDLE privKey,
+                              ecc_key* key)
+{
+    int          ret = 0;
+    int          curveId;
+    CK_RV        rv;
+    byte         oid[16];
+    CK_ATTRIBUTE template[] = {
+        { CKA_EC_PARAMS, (CK_VOID_PTR)oid, sizeof(oid) }
+    };
+
+    rv = session->func->C_GetAttributeValue(session->handle, privKey, template,
+                                                                             1);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    if (ret == 0) {
+        /* PKCS #11 wraps the OID in ASN.1 */
+        curveId = wc_ecc_get_curve_id_from_oid(oid + 2,
+                                            (word32)template[0].ulValueLen - 2);
+        if (curveId == ECC_CURVE_INVALID)
+            ret = WC_HW_E;
+    }
+    if (ret == 0)
+        ret = wc_ecc_set_curve(key, 0, curveId);
+
+    return ret;
+}
+
+/**
+ * Performs the ECDSA signing operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                    ret = 0;
+    int                    sessionKey = 0;
+    word32                 sz;
+    CK_RV                  rv;
+    CK_ULONG               outLen;
+    CK_MECHANISM           mech;
+    CK_MECHANISM_INFO      mechInfo;
+    CK_OBJECT_HANDLE       privateKey = NULL_PTR;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0 && info->pk.eccsign.outlen == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: EC Signing Operation");
+
+        if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k)))
+            ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
+                                                info->pk.eccsign.key, CKA_SIGN);
+        else if (info->pk.eccsign.key->idLen > 0) {
+            ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
+                                    session, info->pk.eccsign.key->id,
+                                    info->pk.eccsign.key->idLen);
+            if (ret == 0 && info->pk.eccsign.key->dp == NULL) {
+                ret = Pkcs11GetEccParams(session, privateKey,
+                                                          info->pk.eccsign.key);
+            }
+        }
+        else {
+            ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session,
+                                                          info->pk.eccsign.key);
+        }
+    }
+
+    if (ret == 0) {
+        sz = info->pk.eccsign.key->dp->size;
+        /* Maximum encoded size is two ordinates + 8 bytes of ASN.1. */
+        if (*info->pk.eccsign.outlen < (word32)wc_ecc_sig_size_calc(sz))
+            ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        mech.mechanism      = CKM_ECDSA;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_SignInit(session->handle, &mech, privateKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ret == 0) {
+        outLen = *info->pk.eccsign.outlen;
+        rv = session->func->C_Sign(session->handle,
+                                   (CK_BYTE_PTR)info->pk.eccsign.in,
+                                   info->pk.eccsign.inlen, info->pk.eccsign.out,
+                                   &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ret == 0) {
+        *info->pk.eccsign.outlen = Pkcs11ECDSASig_Encode(info->pk.eccsign.out,
+                                                         sz);
+    }
+
+    if (sessionKey)
+        session->func->C_DestroyObject(session->handle, privateKey);
+
+    return ret;
+}
+
+/**
+ * Performs the ECDSA verification operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11ECDSA_Verify(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                    ret = 0;
+    CK_RV                  rv;
+    CK_MECHANISM           mech;
+    CK_MECHANISM_INFO      mechInfo;
+    CK_OBJECT_HANDLE       publicKey = NULL_PTR;
+    unsigned char*         sig = NULL;
+    word32                 sz = info->pk.eccverify.key->dp->size;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_ECDSA,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_VERIFY) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0 && info->pk.eccverify.res == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: EC Verification Operation");
+
+        ret = Pkcs11CreateEccPublicKey(&publicKey, session,
+                                            info->pk.eccverify.key, CKA_VERIFY);
+    }
+
+    if (ret == 0) {
+        sig = XMALLOC(sz * 2, info->pk.eccverify.key->heap,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+        if (sig == NULL)
+            ret = MEMORY_E;
+    }
+
+    if (ret == 0) {
+        ret = Pkcs11ECDSASig_Decode(info->pk.eccverify.sig,
+                                    info->pk.eccverify.siglen, sig, sz);
+    }
+    if (ret == 0) {
+        mech.mechanism      = CKM_ECDSA;
+        mech.ulParameterLen = 0;
+        mech.pParameter     = NULL;
+
+        rv = session->func->C_VerifyInit(session->handle, &mech, publicKey);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (ret == 0) {
+        *info->pk.eccverify.res = 0;
+        rv = session->func->C_Verify(session->handle,
+                                     (CK_BYTE_PTR)info->pk.eccverify.hash,
+                                     info->pk.eccverify.hashlen,
+                                     (CK_BYTE_PTR)sig, sz * 2);
+        if (rv == CKR_SIGNATURE_INVALID) {
+        }
+        else if (rv != CKR_OK)
+            ret = WC_HW_E;
+        else
+            *info->pk.eccverify.res = 1;
+    }
+
+    if (publicKey != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, publicKey);
+
+    if (sig != NULL)
+        XFREE(sig, info->pk.eccverify.key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif
+
+#if !defined(NO_AES) && defined(HAVE_AESGCM)
+/**
+ * Performs the AES-GCM encryption operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11AesGcmEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+    Aes*               aes = info->cipher.aesgcm_enc.aes;
+    CK_GCM_PARAMS      params;
+    CK_MECHANISM_INFO  mechInfo;
+    CK_OBJECT_HANDLE   key = NULL_PTR;
+    CK_MECHANISM       mech;
+    CK_ULONG           outLen;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: AES-GCM Encryption Operation");
+    }
+
+    /* Create a private key object or find by id. */
+    if (ret == 0 && aes->idLen == 0) {
+        ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
+                                    (unsigned char*)aes->devKey, aes->keylen,
+                                    NULL, 0);
+
+    }
+    else if (ret == 0) {
+        ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
+                                                                    aes->idLen);
+    }
+
+    if (ret == 0) {
+        params.pIv       = (CK_BYTE_PTR)info->cipher.aesgcm_enc.iv;
+        params.ulIvLen   = info->cipher.aesgcm_enc.ivSz;
+        params.pAAD      = (CK_BYTE_PTR)info->cipher.aesgcm_enc.authIn;
+        params.ulAADLen  = info->cipher.aesgcm_enc.authInSz;
+        params.ulTagBits = info->cipher.aesgcm_enc.authTagSz * 8;
+
+        mech.mechanism      = CKM_AES_GCM;
+        mech.ulParameterLen = sizeof(params);
+        mech.pParameter     = &params;
+
+        rv = session->func->C_EncryptInit(session->handle, &mech, key);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = info->cipher.aesgcm_enc.sz;
+        rv = session->func->C_EncryptUpdate(session->handle,
+                                        (CK_BYTE_PTR)info->cipher.aesgcm_enc.in,
+                                        info->cipher.aesgcm_enc.sz,
+                                        info->cipher.aesgcm_enc.out,
+                                        &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        /* Authentication tag comes out in final block. */
+        outLen = info->cipher.aesgcm_enc.authTagSz;
+        rv = session->func->C_EncryptFinal(session->handle,
+                                           info->cipher.aesgcm_enc.authTag,
+                                           &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (aes->idLen == 0 && key != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, key);
+
+    return ret;
+}
+
+/**
+ * Performs the AES-GCM decryption operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11AesGcmDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+    Aes*               aes = info->cipher.aesgcm_enc.aes;
+    CK_GCM_PARAMS      params;
+    CK_MECHANISM_INFO  mechInfo;
+    CK_OBJECT_HANDLE   key = NULL_PTR;
+    CK_MECHANISM       mech;
+    CK_ULONG           outLen;
+    word32             len;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_GCM,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: AES-GCM Decryption Operation");
+    }
+
+    /* Create a private key object or find by id. */
+    if (ret == 0 && aes->idLen == 0) {
+        ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
+                                    (unsigned char*)aes->devKey, aes->keylen,
+                                    NULL, 0);
+    }
+    else if (ret == 0) {
+        ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
+                                                                    aes->idLen);
+    }
+
+    if (ret == 0) {
+        params.pIv       = (CK_BYTE_PTR)info->cipher.aesgcm_dec.iv;
+        params.ulIvLen   = info->cipher.aesgcm_dec.ivSz;
+        params.pAAD      = (CK_BYTE_PTR)info->cipher.aesgcm_dec.authIn;
+        params.ulAADLen  = info->cipher.aesgcm_dec.authInSz;
+        params.ulTagBits = info->cipher.aesgcm_dec.authTagSz * 8;
+
+        mech.mechanism      = CKM_AES_GCM;
+        mech.ulParameterLen = sizeof(params);
+        mech.pParameter     = &params;
+
+        rv = session->func->C_DecryptInit(session->handle, &mech, key);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = len = info->cipher.aesgcm_dec.sz;
+        rv = session->func->C_DecryptUpdate(session->handle,
+                                        (CK_BYTE_PTR)info->cipher.aesgcm_dec.in,
+                                        info->cipher.aesgcm_dec.sz,
+                                        info->cipher.aesgcm_dec.out,
+                                        &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        /* Put authentication tag in as encrypted data. */
+        outLen = len = (len + info->cipher.aesgcm_dec.authTagSz -
+                                                                (word32)outLen);
+        rv = session->func->C_DecryptUpdate(session->handle,
+                                   (CK_BYTE_PTR)info->cipher.aesgcm_dec.authTag,
+                                   info->cipher.aesgcm_dec.authTagSz,
+                                   info->cipher.aesgcm_dec.out,
+                                   &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = len = (len - (word32)outLen);
+        /* Decrypted data comes out now. */
+        rv = session->func->C_DecryptFinal(session->handle,
+                                           info->cipher.aesgcm_dec.out,
+                                           &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (aes->idLen == 0 && key != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, key);
+
+    return ret;
+}
+#endif
+
+#if !defined(NO_AES) && defined(HAVE_AES_CBC)
+/**
+ * Performs the AES-CBC encryption operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11AesCbcEncrypt(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+    Aes*               aes = info->cipher.aescbc.aes;
+    CK_MECHANISM_INFO  mechInfo;
+    CK_OBJECT_HANDLE   key = NULL_PTR;
+    CK_MECHANISM       mech;
+    CK_ULONG           outLen;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_ENCRYPT) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: AES-CBC Encryption Operation");
+    }
+
+    /* Create a private key object or find by id. */
+    if (ret == 0 && aes->idLen == 0) {
+        ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
+                                    (unsigned char*)aes->devKey, aes->keylen,
+                                    NULL, 0);
+
+    }
+    else if (ret == 0) {
+        ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
+                                                                    aes->idLen);
+    }
+
+    if (ret == 0) {
+        mech.mechanism      = CKM_AES_CBC;
+        mech.ulParameterLen = AES_BLOCK_SIZE;
+        mech.pParameter     = (CK_BYTE_PTR)info->cipher.aescbc.aes->reg;
+
+        rv = session->func->C_EncryptInit(session->handle, &mech, key);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = info->cipher.aescbc.sz;
+        rv = session->func->C_Encrypt(session->handle,
+                                      (CK_BYTE_PTR)info->cipher.aescbc.in,
+                                      info->cipher.aescbc.sz,
+                                      info->cipher.aescbc.out,
+                                      &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (aes->idLen == 0 && key != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, key);
+
+    return ret;
+}
+
+/**
+ * Performs the AES-CBC decryption operation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          MEMORY_E when a memory allocation fails.
+ *          0 on success.
+ */
+static int Pkcs11AesCbcDecrypt(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+    Aes*               aes = info->cipher.aescbc.aes;
+    CK_MECHANISM_INFO  mechInfo;
+    CK_OBJECT_HANDLE   key = NULL_PTR;
+    CK_MECHANISM       mech;
+    CK_ULONG           outLen;
+
+    /* Check operation is supported. */
+    rv = session->func->C_GetMechanismInfo(session->slotId, CKM_AES_CBC,
+                                                                     &mechInfo);
+    if (rv != CKR_OK || (mechInfo.flags & CKF_DECRYPT) == 0)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0) {
+        WOLFSSL_MSG("PKCS#11: AES-CBC Decryption Operation");
+    }
+
+    /* Create a private key object or find by id. */
+    if (ret == 0 && aes->idLen == 0) {
+        ret = Pkcs11CreateSecretKey(&key, session, CKK_AES,
+                                    (unsigned char*)aes->devKey, aes->keylen,
+                                    NULL, 0);
+    }
+    else if (ret == 0) {
+        ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, CKK_AES, session, aes->id,
+                                                                    aes->idLen);
+    }
+
+    if (ret == 0) {
+        mech.mechanism      = CKM_AES_CBC;
+        mech.ulParameterLen = AES_BLOCK_SIZE;
+        mech.pParameter     = (CK_BYTE_PTR)info->cipher.aescbc.aes->reg;
+
+        rv = session->func->C_DecryptInit(session->handle, &mech, key);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    if (ret == 0) {
+        outLen = info->cipher.aescbc.sz;
+        rv = session->func->C_DecryptUpdate(session->handle,
+                                        (CK_BYTE_PTR)info->cipher.aescbc.in,
+                                        info->cipher.aescbc.sz,
+                                        info->cipher.aescbc.out,
+                                        &outLen);
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+
+    if (aes->idLen == 0 && key != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, key);
+
+    return ret;
+}
+#endif
+
+#ifndef NO_HMAC
+/**
+ * Updates or calculates the HMAC of the data.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11Hmac(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+    Hmac*              hmac = info->hmac.hmac;
+    CK_MECHANISM_INFO  mechInfo;
+    CK_OBJECT_HANDLE   key = NULL_PTR;
+    CK_MECHANISM       mech;
+    CK_ULONG           outLen;
+    int                mechType;
+    int                keyType;
+
+    if (hmac->innerHashKeyed == WC_HMAC_INNER_HASH_KEYED_SW)
+        ret = NOT_COMPILED_IN;
+
+    if (ret == 0)
+        ret = Pkcs11HmacTypes(info->hmac.macType, &mechType, &keyType);
+    if (ret == 0) {
+        /* Check operation is supported. */
+        rv = session->func->C_GetMechanismInfo(session->slotId, mechType,
+                                                                     &mechInfo);
+        if (rv != CKR_OK || (mechInfo.flags & CKF_SIGN) == 0)
+            ret = NOT_COMPILED_IN;
+    }
+
+    /* Check whether key been used to initialized. */
+    if (ret == 0 && !hmac->innerHashKeyed) {
+        WOLFSSL_MSG("PKCS#11: HMAC Init");
+
+        /* Check device supports key length. */
+        if (mechInfo.ulMaxKeySize > 0 &&
+                                       (hmac->keyLen < mechInfo.ulMinKeySize ||
+                                        hmac->keyLen > mechInfo.ulMaxKeySize)) {
+            WOLFSSL_MSG("PKCS#11: Key Length not supported");
+            ret = NOT_COMPILED_IN;
+        }
+
+        /* Create a private key object or find by id. */
+        if (ret == 0 && hmac->idLen == 0) {
+            ret = Pkcs11CreateSecretKey(&key, session, keyType,
+                                    (unsigned char*)hmac->keyRaw, hmac->keyLen,
+                                    NULL, 0);
+            if (ret == WC_HW_E) {
+                ret = Pkcs11CreateSecretKey(&key, session, CKK_GENERIC_SECRET,
+                                    (unsigned char*)hmac->keyRaw, hmac->keyLen,
+                                    NULL, 0);
+            }
+
+        }
+        else if (ret == 0) {
+            ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY, keyType, session,
+                                                         hmac->id, hmac->idLen);
+            if (ret == WC_HW_E) {
+                ret = Pkcs11FindKeyById(&key, CKO_SECRET_KEY,
+                                          CKK_GENERIC_SECRET, session, hmac->id,
+                                          hmac->idLen);
+            }
+        }
+
+        /* Initialize HMAC operation */
+        if (ret == 0) {
+            mech.mechanism      = mechType;
+            mech.ulParameterLen = 0;
+            mech.pParameter     = NULL;
+
+            rv = session->func->C_SignInit(session->handle, &mech, key);
+            if (rv != CKR_OK)
+                ret = WC_HW_E;
+        }
+
+        /* Don't imitialize HMAC again if this succeeded */
+        if (ret == 0)
+            hmac->innerHashKeyed = WC_HMAC_INNER_HASH_KEYED_DEV;
+    }
+    /* Update the HMAC if input data passed in. */
+    if (ret == 0 && info->hmac.inSz > 0) {
+        WOLFSSL_MSG("PKCS#11: HMAC Update");
+
+        rv = session->func->C_SignUpdate(session->handle,
+                                         (CK_BYTE_PTR)info->hmac.in,
+                                         info->hmac.inSz);
+        /* Some algorithm implementations only support C_Sign. */
+        if (rv == CKR_MECHANISM_INVALID) {
+            WOLFSSL_MSG("PKCS#11: HMAC Update/Final not supported");
+            ret = NOT_COMPILED_IN;
+            /* Allow software implementation to set key. */
+            hmac->innerHashKeyed = 0;
+        }
+        else if (rv != CKR_OK)
+            ret = WC_HW_E;
+    }
+    /* Calculate the HMAC result if output buffer specified. */
+    if (ret == 0 && info->hmac.digest != NULL) {
+        WOLFSSL_MSG("PKCS#11: HMAC Final");
+
+        outLen = WC_MAX_DIGEST_SIZE;
+        rv = session->func->C_SignFinal(session->handle,
+                                        (CK_BYTE_PTR)info->hmac.digest,
+                                        &outLen);
+        /* Some algorithm implementations only support C_Sign. */
+        if (rv != CKR_OK)
+            ret = WC_HW_E;
+        else
+            hmac->innerHashKeyed = 0;
+    }
+
+    if (hmac->idLen == 0 && key != NULL_PTR)
+        session->func->C_DestroyObject(session->handle, key);
+
+    return ret;
+}
+#endif
+
+#ifndef WC_NO_RNG
+#ifndef HAVE_HASHDRBG
+/**
+ * Performs random number generation.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11RandomBlock(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+
+    rv = session->func->C_GenerateRandom(session->handle, info->rng.out,
+                                                                  info->rng.sz);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    return ret;
+}
+#endif
+
+/**
+ * Generates entropy (seed) data.
+ *
+ * @param  session  [in]  Session object.
+ * @param  info     [in]  Cryptographic operation data.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+static int Pkcs11RandomSeed(Pkcs11Session* session, wc_CryptoInfo* info)
+{
+    int                ret = 0;
+    CK_RV              rv;
+
+    rv = session->func->C_GenerateRandom(session->handle, info->seed.seed,
+                                                                 info->seed.sz);
+    if (rv != CKR_OK)
+        ret = WC_HW_E;
+    return ret;
+}
+#endif
+
+/**
+ * Perform a cryptographic operation using PKCS#11 device.
+ *
+ * @param  devId  [in]  Device identifier.
+ * @param  info   [in]  Cryptographic operation data.
+ * @param  ctx    [in]  Context data for device - the token object.
+ * @return  WC_HW_E when a PKCS#11 library call fails.
+ *          0 on success.
+ */
+int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
+{
+    int ret = 0;
+    Pkcs11Token* token = (Pkcs11Token*)ctx;
+    Pkcs11Session session;
+    int readWrite = 0;
+
+    if (devId <= INVALID_DEVID || info == NULL || ctx == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        ret = Pkcs11OpenSession(token, &session, readWrite);
+        if (ret == 0) {
+            if (info->algo_type == WC_ALGO_TYPE_PK) {
+#if !defined(NO_RSA) || defined(HAVE_ECC)
+                switch (info->pk.type) {
+    #ifndef NO_RSA
+                    case WC_PK_TYPE_RSA:
+                        ret = Pkcs11Rsa(&session, info);
+                        break;
+        #ifdef WOLFSSL_KEY_GEN
+                    case WC_PK_TYPE_RSA_KEYGEN:
+                        ret = Pkcs11RsaKeyGen(&session, info);
+                        break;
+        #endif
+    #endif
+    #ifdef HAVE_ECC
+        #ifndef NO_PKCS11_EC_KEYGEN
+                    case WC_PK_TYPE_EC_KEYGEN:
+                        ret = Pkcs11EcKeyGen(&session, info);
+                        break;
+        #endif
+        #ifndef NO_PKCS11_ECDH
+                    case WC_PK_TYPE_ECDH:
+                        ret = Pkcs11ECDH(&session, info);
+                        break;
+        #endif
+                    case WC_PK_TYPE_ECDSA_SIGN:
+                        ret = Pkcs11ECDSA_Sign(&session, info);
+                        break;
+                    case WC_PK_TYPE_ECDSA_VERIFY:
+                        ret = Pkcs11ECDSA_Verify(&session, info);
+                        break;
+    #endif
+                    default:
+                        ret = NOT_COMPILED_IN;
+                        break;
+                }
+#else
+                ret = NOT_COMPILED_IN;
+#endif /* !NO_RSA || HAVE_ECC */
+            }
+            else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
+    #ifndef NO_AES
+                switch (info->cipher.type) {
+        #ifdef HAVE_AESGCM
+                    case WC_CIPHER_AES_GCM:
+                        if (info->cipher.enc)
+                            ret = Pkcs11AesGcmEncrypt(&session, info);
+                        else
+                            ret = Pkcs11AesGcmDecrypt(&session, info);
+                        break;
+        #endif
+        #ifdef HAVE_AES_CBC
+                    case WC_CIPHER_AES_CBC:
+                        if (info->cipher.enc)
+                            ret = Pkcs11AesCbcEncrypt(&session, info);
+                        else
+                            ret = Pkcs11AesCbcDecrypt(&session, info);
+                        break;
+        #endif
+                }
+    #else
+                ret = NOT_COMPILED_IN;
+    #endif
+            }
+            else if (info->algo_type == WC_ALGO_TYPE_HMAC) {
+    #ifndef NO_HMAC
+                ret = Pkcs11Hmac(&session, info);
+    #else
+                ret = NOT_COMPILED_IN;
+    #endif
+            }
+            else if (info->algo_type == WC_ALGO_TYPE_RNG) {
+    #if !defined(WC_NO_RNG) && !defined(HAVE_HASHDRBG)
+                ret = Pkcs11RandomBlock(&session, info);
+    #else
+                ret = NOT_COMPILED_IN;
+    #endif
+            }
+            else if (info->algo_type == WC_ALGO_TYPE_SEED) {
+    #ifndef WC_NO_RNG
+                ret = Pkcs11RandomSeed(&session, info);
+    #else
+                ret = NOT_COMPILED_IN;
+    #endif
+            }
+            else
+                ret = NOT_COMPILED_IN;
+
+            Pkcs11CloseSession(token, &session);
+        }
+    }
+
+    return ret;
+}
+
+#endif /* HAVE_PKCS11 */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_port.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_port.c
index 419033751..087807b71 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_port.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wc_port.c
@@ -1,8 +1,8 @@
 /* port.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,9 +16,10 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
@@ -26,631 +27,2250 @@
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+#ifdef HAVE_ECC
+    #include <wolfssl/wolfcrypt/ecc.h>
+#endif
+#ifdef WOLFSSL_ASYNC_CRYPT
+    #include <wolfssl/wolfcrypt/async.h>
+#endif
+
+/* IPP header files for library initialization */
+#ifdef HAVE_FAST_RSA
+    #include <ipp.h>
+    #include <ippcp.h>
+#endif
+
+#ifdef FREESCALE_LTC_TFM
+    #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
+
+#if defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC508A)
+    #include <wolfssl/wolfcrypt/port/atmel/atmel.h>
+#endif
+#if defined(WOLFSSL_RENESAS_TSIP)
+    #include <wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h>
+#endif
+#if defined(WOLFSSL_STSAFEA100)
+    #include <wolfssl/wolfcrypt/port/st/stsafe.h>
+#endif
+
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+    #include <wolfssl/openssl/evp.h>
+#endif
+
+#if defined(USE_WOLFSSL_MEMORY) && defined(WOLFSSL_TRACK_MEMORY)
+    #include <wolfssl/wolfcrypt/memory.h>
+    #include <wolfssl/wolfcrypt/mem_track.h>
+#endif
+
+#if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
+    defined(WOLFSSL_IMX6_CAAM_BLOB)
+    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
+#endif
+
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+#endif
+
+#ifdef HAVE_INTEL_QA_SYNC
+    #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+#endif
 
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+#endif
+
+#ifdef WOLFSSL_SCE
+    #include "hal_data.h"
+#endif
+
+#if defined(WOLFSSL_DSP) && !defined(WOLFSSL_DSP_BUILD)
+    #include "rpcmem.h"
+#endif
 
 #ifdef _MSC_VER
     /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
     #pragma warning(disable: 4996)
 #endif
 
+/* prevent multiple mutex initializations */
+static volatile int initRefCount = 0;
+
+/* Used to initialize state for wolfcrypt
+   return 0 on success
+ */
+int wolfCrypt_Init(void)
+{
+    int ret = 0;
+
+    if (initRefCount == 0) {
+        WOLFSSL_ENTER("wolfCrypt_Init");
 
+    #ifdef WOLFSSL_FORCE_MALLOC_FAIL_TEST
+        {
+            word32 rngMallocFail;
+            time_t seed = time(NULL);
+            srand((word32)seed);
+            rngMallocFail = rand() % 2000; /* max 2000 */
+            printf("\n--- RNG MALLOC FAIL AT %d---\n", rngMallocFail);
+            wolfSSL_SetMemFailCount(rngMallocFail);
+        }
+    #endif
 
-#ifdef SINGLE_THREADED
+    #ifdef WOLF_CRYPTO_CB
+        wc_CryptoCb_Init();
+    #endif
 
-int InitMutex(wolfSSL_Mutex* m)
-{
-    (void)m;
-    return 0;
-}
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        ret = wolfAsync_HardwareStart();
+        if (ret != 0) {
+            WOLFSSL_MSG("Async hardware start failed");
+            /* don't return failure, allow operation to continue */
+        }
+    #endif
+
+    #if defined(WOLFSSL_RENESAS_TSIP_CRYPT)
+        ret = tsip_Open( );
+        if( ret != TSIP_SUCCESS ) {
+            WOLFSSL_MSG("RENESAS TSIP Open failed");
+            /* not return 1 since WOLFSSL_SUCCESS=1*/
+            ret = -1;/* FATAL ERROR */
+            return ret;
+        }
+    #endif
 
+    #if defined(WOLFSSL_TRACK_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY)
+        ret = InitMemoryTracker();
+        if (ret != 0) {
+            WOLFSSL_MSG("InitMemoryTracker failed");
+            return ret;
+        }
+    #endif
+
+    #if WOLFSSL_CRYPT_HW_MUTEX
+        /* If crypto hardware mutex protection is enabled, then initialize it */
+        ret = wolfSSL_CryptHwMutexInit();
+        if (ret != 0) {
+            WOLFSSL_MSG("Hw crypt mutex init failed");
+            return ret;
+        }
+    #endif
+
+    /* if defined have fast RSA then initialize Intel IPP */
+    #ifdef HAVE_FAST_RSA
+        WOLFSSL_MSG("Attempting to use optimized IPP Library");
+        if ((ret = ippInit()) != ippStsNoErr) {
+            /* possible to get a CPU feature support status on optimized IPP
+              library but still use default library and see competitive speeds */
+            WOLFSSL_MSG("Warning when trying to set up optimization");
+            WOLFSSL_MSG(ippGetStatusString(ret));
+            WOLFSSL_MSG("Using default fast IPP library");
+            ret = 0;
+            (void)ret; /* suppress not read warning */
+        }
+    #endif
 
-int FreeMutex(wolfSSL_Mutex *m)
-{
-    (void)m;
-    return 0;
+    #if defined(FREESCALE_LTC_TFM) || defined(FREESCALE_LTC_ECC)
+        ret = ksdk_port_init();
+        if (ret != 0) {
+            WOLFSSL_MSG("KSDK port init failed");
+            return ret;
+        }
+    #endif
+
+    #if defined(WOLFSSL_ATMEL) || defined(WOLFSSL_ATECC508A)
+        ret = atmel_init();
+        if (ret != 0) {
+            WOLFSSL_MSG("CryptoAuthLib init failed");
+            return ret;
+        }
+    #endif
+    #if defined(WOLFSSL_CRYPTOCELL)
+        /* enable and initialize the ARM CryptoCell 3xx runtime library */
+        ret = cc310_Init();
+        if (ret != 0) {
+            WOLFSSL_MSG("CRYPTOCELL init failed");
+            return ret;
+        }
+    #endif
+    #if defined(WOLFSSL_STSAFEA100)
+        stsafe_interface_init();
+    #endif
+
+    #ifdef WOLFSSL_ARMASM
+        WOLFSSL_MSG("Using ARM hardware acceleration");
+    #endif
+
+    #ifdef WOLFSSL_AFALG
+	WOLFSSL_MSG("Using AF_ALG for crypto acceleration");
+    #endif
+
+    #if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA)
+        wolfSSL_EVP_init();
+    #endif
+
+    #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+        if ((ret = wc_LoggingInit()) != 0) {
+            WOLFSSL_MSG("Error creating logging mutex");
+            return ret;
+        }
+    #endif
+
+#ifdef HAVE_ECC
+    #ifdef ECC_CACHE_CURVE
+        if ((ret = wc_ecc_curve_cache_init()) != 0) {
+            WOLFSSL_MSG("Error creating curve cache");
+            return ret;
+        }
+    #endif
+#endif
+
+#ifdef WOLFSSL_SCE
+        ret = (int)WOLFSSL_SCE_GSCE_HANDLE.p_api->open(
+                WOLFSSL_SCE_GSCE_HANDLE.p_ctrl, WOLFSSL_SCE_GSCE_HANDLE.p_cfg);
+        if (ret == SSP_ERR_CRYPTO_SCE_ALREADY_OPEN) {
+            WOLFSSL_MSG("SCE already open");
+            ret = 0;
+        }
+        if (ret != SSP_SUCCESS) {
+            WOLFSSL_MSG("Error opening SCE");
+            return -1; /* FATAL_ERROR */
+        }
+#endif
+
+#if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
+    defined(WOLFSSL_IMX6_CAAM_BLOB)
+        if ((ret = wc_caamInit()) != 0) {
+            return ret;
+        }
+#endif
+
+#if defined(WOLFSSL_DSP) && !defined(WOLFSSL_DSP_BUILD)
+	if ((ret = wolfSSL_InitHandle()) != 0) {
+            return ret;
+        }
+        rpcmem_init();
+#endif
+    }
+    initRefCount++;
+
+    return ret;
 }
 
 
-int LockMutex(wolfSSL_Mutex *m)
+/* return success value is the same as wolfCrypt_Init */
+int wolfCrypt_Cleanup(void)
 {
-    (void)m;
-    return 0;
+    int ret = 0;
+
+    initRefCount--;
+    if (initRefCount < 0)
+        initRefCount = 0;
+
+    if (initRefCount == 0) {
+        WOLFSSL_ENTER("wolfCrypt_Cleanup");
+
+#ifdef HAVE_ECC
+    #ifdef FP_ECC
+        wc_ecc_fp_free();
+    #endif
+    #ifdef ECC_CACHE_CURVE
+        wc_ecc_curve_cache_free();
+    #endif
+#endif /* HAVE_ECC */
+
+    #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+        ret = wc_LoggingCleanup();
+    #endif
+
+    #if defined(WOLFSSL_TRACK_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY)
+        ShowMemoryTracker();
+    #endif
+
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        wolfAsync_HardwareStop();
+    #endif
+    #ifdef WOLFSSL_SCE
+        WOLFSSL_SCE_GSCE_HANDLE.p_api->close(WOLFSSL_SCE_GSCE_HANDLE.p_ctrl);
+    #endif
+    #if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
+        defined(WOLFSSL_IMX6_CAAM_BLOB)
+        wc_caamFree();
+    #endif
+    #if defined(WOLFSSL_CRYPTOCELL)
+        cc310_Free();
+    #endif
+    #if defined(WOLFSSL_RENESAS_TSIP_CRYPT)
+        tsip_Close();
+    #endif
+    #if defined(WOLFSSL_DSP) && !defined(WOLFSSL_DSP_BUILD)
+        rpcmem_deinit();
+        wolfSSL_CleanupHandle();
+    #endif
+    }
+
+    return ret;
 }
 
+#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) && \
+	!defined(WOLFSSL_NUCLEUS) && !defined(WOLFSSL_NUCLEUS_1_2)
 
-int UnLockMutex(wolfSSL_Mutex *m)
+/* File Handling Helpers */
+/* returns 0 if file found, WC_READDIR_NOFILE if no files or negative error */
+int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name)
 {
-    (void)m;
-    return 0;
-}
+    int ret = WC_READDIR_NOFILE; /* default to no files found */
+    int pathLen = 0;
+    int dnameLen = 0;
 
-#else /* MULTI_THREAD */
+    if (name)
+        *name = NULL;
 
-    #if defined(FREERTOS)
+    if (ctx == NULL || path == NULL) {
+        return BAD_FUNC_ARG;
+    }
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            int iReturn;
+    XMEMSET(ctx->name, 0, MAX_FILENAME_SZ);
+    pathLen = (int)XSTRLEN(path);
 
-            *m = ( wolfSSL_Mutex ) xSemaphoreCreateMutex();
-            if( *m != NULL )
-                iReturn = 0;
-            else
-                iReturn = BAD_MUTEX_E;
+#ifdef USE_WINDOWS_API
+    if (pathLen > MAX_FILENAME_SZ - 3)
+        return BAD_PATH_ERROR;
 
-            return iReturn;
-        }
+    XSTRNCPY(ctx->name, path, MAX_FILENAME_SZ - 3);
+    XSTRNCPY(ctx->name + pathLen, "\\*", MAX_FILENAME_SZ - pathLen);
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            vSemaphoreDelete( *m );
+    ctx->hFind = FindFirstFileA(ctx->name, &ctx->FindFileData);
+    if (ctx->hFind == INVALID_HANDLE_VALUE) {
+        WOLFSSL_MSG("FindFirstFile for path verify locations failed");
+        return BAD_PATH_ERROR;
+    }
+
+    do {
+        if (!(ctx->FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
+            dnameLen = (int)XSTRLEN(ctx->FindFileData.cFileName);
+
+            if (pathLen + dnameLen + 2 > MAX_FILENAME_SZ) {
+                return BAD_PATH_ERROR;
+            }
+            XSTRNCPY(ctx->name, path, pathLen + 1);
+            ctx->name[pathLen] = '\\';
+            XSTRNCPY(ctx->name + pathLen + 1,
+                     ctx->FindFileData.cFileName,
+                     MAX_FILENAME_SZ - pathLen - 1);
+            if (name)
+                *name = ctx->name;
             return 0;
         }
-
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            /* Assume an infinite block, or should there be zero block? */
-            xSemaphoreTake( *m, portMAX_DELAY );
+    } while (FindNextFileA(ctx->hFind, &ctx->FindFileData));
+#elif defined(WOLFSSL_ZEPHYR)
+    if (fs_opendir(&ctx->dir, path) != 0) {
+        WOLFSSL_MSG("opendir path verify locations failed");
+        return BAD_PATH_ERROR;
+    }
+    ctx->dirp = &ctx->dir;
+
+    while ((fs_readdir(&ctx->dir, &ctx->entry)) != 0) {
+        dnameLen = (int)XSTRLEN(ctx->entry.name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2)  so dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry.name, dnameLen + 1);
+        if (fs_stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        } else if (ctx->s.type == FS_DIR_ENTRY_FILE) {
+            if (name)
+                *name = ctx->name;
             return 0;
         }
-
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            xSemaphoreGive( *m );
+    }
+#elif defined(WOLFSSL_TELIT_M2MB)
+    ctx->dir = m2mb_fs_opendir((const CHAR*)path);
+    if (ctx->dir == NULL) {
+        WOLFSSL_MSG("opendir path verify locations failed");
+        return BAD_PATH_ERROR;
+    }
+
+    while ((ctx->entry = m2mb_fs_readdir(ctx->dir)) != NULL) {
+        dnameLen = (int)XSTRLEN(ctx->entry->d_name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2)  so dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry->d_name, dnameLen + 1);
+
+        if (m2mb_fs_stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        else if (ctx->s.st_mode & M2MB_S_IFREG) {
+            if (name)
+                *name = ctx->name;
+            return 0;
+        }
+    }
+#else
+    ctx->dir = opendir(path);
+    if (ctx->dir == NULL) {
+        WOLFSSL_MSG("opendir path verify locations failed");
+        return BAD_PATH_ERROR;
+    }
+
+    while ((ctx->entry = readdir(ctx->dir)) != NULL) {
+        dnameLen = (int)XSTRLEN(ctx->entry->d_name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2)  so dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry->d_name, dnameLen + 1);
+        if (stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        } else if (S_ISREG(ctx->s.st_mode)) {
+            if (name)
+                *name = ctx->name;
             return 0;
         }
+    }
+#endif
+    wc_ReadDirClose(ctx);
 
-    #elif defined(WOLFSSL_SAFERTOS)
+    return ret;
+}
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            vSemaphoreCreateBinary(m->mutexBuffer, m->mutex);
-            if (m->mutex == NULL)
-                return BAD_MUTEX_E;
+/* returns 0 if file found, WC_READDIR_NOFILE if no more files */
+int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name)
+{
+    int ret = WC_READDIR_NOFILE; /* default to no file found */
+    int pathLen = 0;
+    int dnameLen = 0;
+
+    if (name)
+        *name = NULL;
 
+    if (ctx == NULL || path == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(ctx->name, 0, MAX_FILENAME_SZ);
+    pathLen = (int)XSTRLEN(path);
+
+#ifdef USE_WINDOWS_API
+    while (FindNextFileA(ctx->hFind, &ctx->FindFileData)) {
+        if (!(ctx->FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
+            dnameLen = (int)XSTRLEN(ctx->FindFileData.cFileName);
+
+            if (pathLen + dnameLen + 2 > MAX_FILENAME_SZ) {
+                return BAD_PATH_ERROR;
+            }
+            XSTRNCPY(ctx->name, path, pathLen + 1);
+            ctx->name[pathLen] = '\\';
+            XSTRNCPY(ctx->name + pathLen + 1,
+                     ctx->FindFileData.cFileName,
+                     MAX_FILENAME_SZ - pathLen - 1);
+            if (name)
+                *name = ctx->name;
             return 0;
         }
-
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            (void)m;
+    }
+#elif defined(WOLFSSL_ZEPHYR)
+    while ((fs_readdir(&ctx->dir, &ctx->entry)) != 0) {
+        dnameLen = (int)XSTRLEN(ctx->entry.name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2) so that dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry.name, dnameLen + 1);
+
+        if (fs_stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        } else if (ctx->s.type == FS_DIR_ENTRY_FILE) {
+            if (name)
+                *name = ctx->name;
             return 0;
         }
-
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            /* Assume an infinite block */
-            xSemaphoreTake(m->mutex, portMAX_DELAY);
+    }
+#elif defined(WOLFSSL_TELIT_M2MB)
+    while ((ctx->entry = m2mb_fs_readdir(ctx->dir)) != NULL) {
+        dnameLen = (int)XSTRLEN(ctx->entry->d_name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2)  so dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry->d_name, dnameLen + 1);
+
+        if (m2mb_fs_stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        else if (ctx->s.st_mode & M2MB_S_IFREG) {
+            if (name)
+                *name = ctx->name;
             return 0;
         }
-
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            xSemaphoreGive(m->mutex);
+    }
+#else
+    while ((ctx->entry = readdir(ctx->dir)) != NULL) {
+        dnameLen = (int)XSTRLEN(ctx->entry->d_name);
+
+        if (pathLen + dnameLen + 2 >= MAX_FILENAME_SZ) {
+            ret = BAD_PATH_ERROR;
+            break;
+        }
+        XSTRNCPY(ctx->name, path, pathLen + 1);
+        ctx->name[pathLen] = '/';
+        /* Use dnameLen + 1 for GCC 8 warnings of truncating d_name. Because
+         * of earlier check it is known that dnameLen is less than
+         * MAX_FILENAME_SZ - (pathLen + 2) so that dnameLen +1 will fit */
+        XSTRNCPY(ctx->name + pathLen + 1, ctx->entry->d_name, dnameLen + 1);
+
+        if (stat(ctx->name, &ctx->s) != 0) {
+            WOLFSSL_MSG("stat on name failed");
+            ret = BAD_PATH_ERROR;
+            break;
+        } else if (S_ISREG(ctx->s.st_mode)) {
+            if (name)
+                *name = ctx->name;
             return 0;
         }
+    }
+#endif
 
+    wc_ReadDirClose(ctx);
 
-    #elif defined(USE_WINDOWS_API)
+    return ret;
+}
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            InitializeCriticalSection(m);
-            return 0;
-        }
+void wc_ReadDirClose(ReadDirCtx* ctx)
+{
+    if (ctx == NULL) {
+        return;
+    }
+
+#ifdef USE_WINDOWS_API
+    if (ctx->hFind != INVALID_HANDLE_VALUE) {
+        FindClose(ctx->hFind);
+        ctx->hFind = INVALID_HANDLE_VALUE;
+    }
+#elif defined(WOLFSSL_ZEPHYR)
+    if (ctx->dirp) {
+        fs_closedir(ctx->dirp);
+        ctx->dirp = NULL;
+    }
+#elif defined(WOLFSSL_TELIT_M2MB)
+    if (ctx->dir) {
+        m2mb_fs_closedir(ctx->dir);
+        ctx->dir = NULL;
+    }
+#else
+    if (ctx->dir) {
+        closedir(ctx->dir);
+        ctx->dir = NULL;
+    }
+#endif
+}
 
+#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            DeleteCriticalSection(m);
-            return 0;
+#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_ZEPHYR)
+XFILE z_fs_open(const char* filename, const char* perm)
+{
+    XFILE file;
+
+    file = XMALLOC(sizeof(*file), NULL, DYNAMIC_TYPE_FILE);
+    if (file != NULL) {
+        if (fs_open(file, filename) != 0) {
+            XFREE(file, NULL, DYNAMIC_TYPE_FILE);
+            file = NULL;
         }
+    }
+
+    return file;
+}
 
+int z_fs_close(XFILE file)
+{
+    int ret;
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            EnterCriticalSection(m);
-            return 0;
-        }
+    if (file == NULL)
+        return -1;
+    ret = (fs_close(file) == 0) ? 0 : -1;
 
+    XFREE(file, NULL, DYNAMIC_TYPE_FILE);
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            LeaveCriticalSection(m);
-            return 0;
-        }
+    return ret;
+}
 
-    #elif defined(WOLFSSL_PTHREADS)
+#endif /* !NO_FILESYSTEM && !WOLFSSL_ZEPHYR */
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            if (pthread_mutex_init(m, 0) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
+
+wolfSSL_Mutex* wc_InitAndAllocMutex(void)
+{
+    wolfSSL_Mutex* m = (wolfSSL_Mutex*) XMALLOC(sizeof(wolfSSL_Mutex), NULL,
+            DYNAMIC_TYPE_MUTEX);
+    if (m != NULL) {
+        if (wc_InitMutex(m) != 0) {
+            WOLFSSL_MSG("Init Mutex failed");
+            XFREE(m, NULL, DYNAMIC_TYPE_MUTEX);
+            m = NULL;
         }
+    }
+    else {
+        WOLFSSL_MSG("Memory error with Mutex allocation");
+    }
 
+    return m;
+}
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            if (pthread_mutex_destroy(m) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
+#ifdef USE_WOLF_STRTOK
+/* String token (delim) search. If str is null use nextp. */
+char* wc_strtok(char *str, const char *delim, char **nextp)
+{
+    char* ret;
+    int i, j;
+
+    /* Use next if str is NULL */
+    if (str == NULL && nextp)
+        str = *nextp;
+
+    /* verify str input */
+    if (str == NULL || *str == '\0')
+        return NULL;
+
+    /* match on entire delim */
+    for (i = 0; str[i]; i++) {
+        for (j = 0; delim[j]; j++) {
+            if (delim[j] == str[i])
+                break;
         }
+        if (!delim[j])
+            break;
+    }
+    str += i;
+    /* if end of string, not found so return NULL */
+    if (*str == '\0')
+        return NULL;
+
+    ret = str;
+
+    /* match on first delim */
+    for (i = 0; str[i]; i++) {
+        for (j = 0; delim[j]; j++) {
+            if (delim[j] == str[i])
+                break;
+        }
+        if (delim[j] == str[i])
+            break;
+    }
+    str += i;
 
+    /* null terminate found string */
+    if (*str)
+        *str++ = '\0';
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            if (pthread_mutex_lock(m) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
-        }
+    /* return pointer to next */
+    if (nextp)
+        *nextp = str;
 
+    return ret;
+}
+#endif /* USE_WOLF_STRTOK */
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            if (pthread_mutex_unlock(m) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
+#ifdef USE_WOLF_STRSEP
+char* wc_strsep(char **stringp, const char *delim)
+{
+    char *s, *tok;
+    const char *spanp;
+
+    /* null check */
+    if (stringp == NULL || *stringp == NULL)
+        return NULL;
+
+    s = *stringp;
+    for (tok = s; *tok; ++tok) {
+        for (spanp = delim; *spanp; ++spanp) {
+            /* found delimiter */
+            if (*tok == *spanp) {
+                *tok = '\0'; /* replace delim with null term */
+                *stringp = tok + 1; /* return past delim */
+                return s;
+            }
         }
+    }
 
-    #elif defined(THREADX)
-
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            if (tx_mutex_create(m, "wolfSSL Mutex", TX_NO_INHERIT) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
+    *stringp = NULL;
+    return s;
+}
+#endif /* USE_WOLF_STRSEP */
+
+#if WOLFSSL_CRYPT_HW_MUTEX
+/* Mutex for protection of cryptography hardware */
+static wolfSSL_Mutex wcCryptHwMutex;
+static int wcCryptHwMutexInit = 0;
+
+int wolfSSL_CryptHwMutexInit(void) {
+    int ret = 0;
+    if(wcCryptHwMutexInit == 0) {
+        ret = wc_InitMutex(&wcCryptHwMutex);
+        if(ret == 0) {
+            wcCryptHwMutexInit = 1;
         }
+    }
+    return ret;
+}
 
+int wolfSSL_CryptHwMutexLock(void) {
+    int ret = BAD_MUTEX_E;
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            if (tx_mutex_delete(m) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
-        }
+    /* Make sure HW Mutex has been initialized */
+    wolfSSL_CryptHwMutexInit();
 
+    if(wcCryptHwMutexInit) {
+        ret = wc_LockMutex(&wcCryptHwMutex);
+    }
+    return ret;
+}
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            if (tx_mutex_get(m, TX_WAIT_FOREVER) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
+int wolfSSL_CryptHwMutexUnLock(void) {
+    int ret = BAD_MUTEX_E;
+
+    if(wcCryptHwMutexInit) {
+        ret = wc_UnLockMutex(&wcCryptHwMutex);
+    }
+    return ret;
+}
+#endif /* WOLFSSL_CRYPT_HW_MUTEX */
+
+
+/* ---------------------------------------------------------------------------*/
+/* Mutex Ports */
+/* ---------------------------------------------------------------------------*/
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+    static mutex_cb*     compat_mutex_cb = NULL;
+
+    /* Function that locks or unlocks a mutex based on the flag passed in.
+     *
+     * flag lock or unlock i.e. CRYPTO_LOCK
+     * type the type of lock to unlock or lock
+     * file name of the file calling
+     * line the line number from file calling
+     */
+    int wc_LockMutex_ex(int flag, int type, const char* file, int line)
+    {
+        if (compat_mutex_cb != NULL) {
+            compat_mutex_cb(flag, type, file, line);
+            return 0;
+        }
+        else {
+            WOLFSSL_MSG("Mutex call back function not set. Call wc_SetMutexCb");
+            return BAD_STATE_E;
         }
+    }
+
+
+    /* Set the callback function to use for locking/unlocking mutex
+     *
+     * cb callback function to use
+     */
+    int wc_SetMutexCb(mutex_cb* cb)
+    {
+        compat_mutex_cb = cb;
+        return 0;
+    }
+#endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) */
+#ifdef SINGLE_THREADED
 
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        (void)m;
+        return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex *m)
+    {
+        (void)m;
+        return 0;
+    }
+
+
+    int wc_LockMutex(wolfSSL_Mutex *m)
+    {
+        (void)m;
+        return 0;
+    }
+
+
+    int wc_UnLockMutex(wolfSSL_Mutex *m)
+    {
+        (void)m;
+        return 0;
+    }
+
+#elif defined(FREERTOS) || defined(FREERTOS_TCP) || \
+  defined(FREESCALE_FREE_RTOS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        int iReturn;
+
+        *m = ( wolfSSL_Mutex ) xSemaphoreCreateMutex();
+        if( *m != NULL )
+            iReturn = 0;
+        else
+            iReturn = BAD_MUTEX_E;
+
+        return iReturn;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        vSemaphoreDelete( *m );
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        /* Assume an infinite block, or should there be zero block? */
+        xSemaphoreTake( *m, portMAX_DELAY );
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        xSemaphoreGive( *m );
+        return 0;
+    }
+
+#elif defined(WOLFSSL_SAFERTOS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        vSemaphoreCreateBinary(m->mutexBuffer, m->mutex);
+        if (m->mutex == NULL)
+            return BAD_MUTEX_E;
+
+        return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        (void)m;
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        /* Assume an infinite block */
+        xSemaphoreTake(m->mutex, portMAX_DELAY);
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        xSemaphoreGive(m->mutex);
+        return 0;
+    }
+
+#elif defined(USE_WINDOWS_API)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        InitializeCriticalSection(m);
+        return 0;
+    }
+
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        DeleteCriticalSection(m);
+        return 0;
+    }
+
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        EnterCriticalSection(m);
+        return 0;
+    }
+
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        LeaveCriticalSection(m);
+        return 0;
+    }
+
+#elif defined(WOLFSSL_PTHREADS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        if (pthread_mutex_init(m, 0) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            if (tx_mutex_put(m) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
-        }
 
-    #elif defined(MICRIUM)
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        if (pthread_mutex_destroy(m) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-                if (NetSecure_OS_MutexCreate(m) == 0)
-                    return 0;
-                else
-                    return BAD_MUTEX_E;
-            #else
-                return 0;
-            #endif
-        }
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        if (pthread_mutex_lock(m) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-                if (NetSecure_OS_FreeMutex(m) == 0)
-                    return 0;
-                else
-                    return BAD_MUTEX_E;
-            #else
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        if (pthread_mutex_unlock(m) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+#elif defined(WOLFSSL_VXWORKS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        if (m) {
+            if ((*m = semMCreate(0)) != SEM_ID_NULL)
                 return 0;
-            #endif
         }
+        return BAD_MUTEX_E;
+    }
 
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-                if (NetSecure_OS_LockMutex(m) == 0)
-                    return 0;
-                else
-                    return BAD_MUTEX_E;
-            #else
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        if (m) {
+            if (semDelete(*m) == OK)
                 return 0;
-            #endif
         }
+        return BAD_MUTEX_E;
+    }
 
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            #if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
-                if (NetSecure_OS_UnLockMutex(m) == 0)
-                    return 0;
-                else
-                    return BAD_MUTEX_E;
-            #else
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        if (m) {
+            if (semTake(*m, WAIT_FOREVER) == OK)
                 return 0;
-            #endif
-
         }
+        return BAD_MUTEX_E;
+    }
 
-    #elif defined(EBSNET)
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            if (rtp_sig_mutex_alloc(m, "wolfSSL Mutex") == -1)
-                return BAD_MUTEX_E;
-            else
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        if (m) {
+            if (semGive(*m) == OK)
                 return 0;
         }
+        return BAD_MUTEX_E;
+    }
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            rtp_sig_mutex_free(*m);
+#elif defined(THREADX)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        if (tx_mutex_create(m, "wolfSSL Mutex", TX_NO_INHERIT) == 0)
             return 0;
-        }
+        else
+            return BAD_MUTEX_E;
+    }
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            if (rtp_sig_mutex_claim_timed(*m, RTIP_INF) == 0)
-                return 0;
-            else
-                return BAD_MUTEX_E;
-        }
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            rtp_sig_mutex_release(*m);
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        if (tx_mutex_delete(m) == 0)
             return 0;
-        }
+        else
+            return BAD_MUTEX_E;
+    }
 
-    #elif defined(FREESCALE_MQX)
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            if (_mutex_init(m, NULL) == MQX_EOK)
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        if (tx_mutex_get(m, TX_WAIT_FOREVER) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        if (tx_mutex_put(m) == 0)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+#elif defined(WOLFSSL_DEOS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        mutexStatus mutStat;
+        /*
+        The empty string "" denotes an anonymous mutex, so objects do not cause name collisions.
+        `protectWolfSSLTemp` in an XML configuration element template describing a mutex.
+        */
+        if (m) {
+            mutStat = createMutex("", "protectWolfSSLTemp", m);
+            if (mutStat == mutexSuccess)
                 return 0;
-            else
-                return BAD_MUTEX_E;
+            else{
+                WOLFSSL_MSG("wc_InitMutex failed");
+                return mutStat;
+            }
         }
-
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            if (_mutex_destroy(m) == MQX_EOK)
+        return BAD_MUTEX_E;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        mutexStatus mutStat;
+        if (m) {
+            mutStat = deleteMutex(*m);
+            if (mutStat == mutexSuccess)
                 return 0;
-            else
-                return BAD_MUTEX_E;
+            else{
+                WOLFSSL_MSG("wc_FreeMutex failed");
+                return mutStat;
+            }
         }
-
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            if (_mutex_lock(m) == MQX_EOK)
+        return BAD_MUTEX_E;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        mutexStatus mutStat;
+        if (m) {
+            mutStat = lockMutex(*m);
+            if (mutStat == mutexSuccess)
                 return 0;
-            else
-                return BAD_MUTEX_E;
+            else{
+                WOLFSSL_MSG("wc_LockMutex failed");
+                return mutStat;
+            }
         }
+        return BAD_MUTEX_E;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        mutexStatus mutStat;
+        if (m) {
+            mutStat = unlockMutex(*m);
+            if (mutStat== mutexSuccess)
+                return 0;
+            else{
+                WOLFSSL_MSG("wc_UnLockMutex failed");
+                return mutStat;
+            }
+        }
+        return BAD_MUTEX_E;
+    }
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            if (_mutex_unlock(m) == MQX_EOK)
+#elif defined(MICRIUM)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        OS_ERR err;
+
+        OSMutexCreate(m, "wolfSSL Mutex", &err);
+
+        if (err == OS_ERR_NONE)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        #if (OS_CFG_MUTEX_DEL_EN == DEF_ENABLED)
+            OS_ERR err;
+
+            OSMutexDel(m, OS_OPT_DEL_ALWAYS, &err);
+
+            if (err == OS_ERR_NONE)
                 return 0;
             else
                 return BAD_MUTEX_E;
-        }
-
-    #elif defined (WOLFSSL_TIRTOS)
+        #else
+            return 0;
+        #endif
+    }
 
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-           Semaphore_Params params;
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        OS_ERR err;
 
-           Semaphore_Params_init(&params);
-           params.mode = Semaphore_Mode_BINARY;
+        OSMutexPend(m, 0, OS_OPT_PEND_BLOCKING, NULL, &err);
 
-           *m = Semaphore_create(1, &params, NULL);
+        if (err == OS_ERR_NONE)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-           return 0;
-        }
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        OS_ERR err;
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            Semaphore_delete(m);
+        OSMutexPost(m, OS_OPT_POST_NONE, &err);
 
+        if (err == OS_ERR_NONE)
             return 0;
-        }
+        else
+            return BAD_MUTEX_E;
+    }
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            Semaphore_pend(*m, BIOS_WAIT_FOREVER);
+#elif defined(EBSNET)
 
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        if (rtp_sig_mutex_alloc(m, "wolfSSL Mutex") == -1)
+            return BAD_MUTEX_E;
+        else
             return 0;
-        }
+    }
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            Semaphore_post(*m);
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        rtp_sig_mutex_free(*m);
+        return 0;
+    }
 
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        if (rtp_sig_mutex_claim_timed(*m, RTIP_INF) == 0)
             return 0;
-        }
+        else
+            return BAD_MUTEX_E;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        rtp_sig_mutex_release(*m);
+        return 0;
+    }
+
+    int ebsnet_fseek(int a, long b, int c)
+    {
+        int retval;
+
+        retval = vf_lseek(a, b, c);
+        if (retval > 0)
+            retval = 0;
+        else
+            retval =  -1;
+
+        return(retval);
+    }
+
+#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        if (_mutex_init(m, NULL) == MQX_EOK)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-    #elif defined(WOLFSSL_uITRON4)
-        #include "kernel.h"
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            int iReturn;
-            m->sem.sematr  = TA_TFIFO ;
-            m->sem.isemcnt = 1 ;
-            m->sem.maxsem  = 1 ;
-            m->sem.name    = NULL ;
-
-            m->id = acre_sem(&m->sem);
-            if( m->id != NULL )
-                iReturn = 0;
-            else
-                iReturn = BAD_MUTEX_E;
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        if (_mutex_destroy(m) == MQX_EOK)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-            return iReturn;
-        }
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        if (_mutex_lock(m) == MQX_EOK)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            del_sem( m->id );
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        if (_mutex_unlock(m) == MQX_EOK)
             return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+#elif defined(WOLFSSL_TIRTOS)
+    #include <xdc/runtime/Error.h>
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        Semaphore_Params params;
+        Error_Block eb;
+
+        Error_init(&eb);
+        Semaphore_Params_init(&params);
+        params.mode = Semaphore_Mode_BINARY;
+
+        *m = Semaphore_create(1, &params, &eb);
+        if (Error_check(&eb)) {
+            Error_raise(&eb, Error_E_generic, "Failed to Create the semaphore.",
+                NULL);
+            return BAD_MUTEX_E;
         }
-
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            wai_sem(m->id);
+        else
             return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        Semaphore_delete(m);
+
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        Semaphore_pend(*m, BIOS_WAIT_FOREVER);
+
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        Semaphore_post(*m);
+
+        return 0;
+    }
+
+#elif defined(WOLFSSL_uITRON4)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        int iReturn;
+        m->sem.sematr  = TA_TFIFO;
+        m->sem.isemcnt = 1;
+        m->sem.maxsem  = 1;
+        m->sem.name    = NULL;
+
+        m->id = acre_sem(&m->sem);
+        if( m->id != E_OK )
+            iReturn = 0;
+        else
+            iReturn = BAD_MUTEX_E;
+
+        return iReturn;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        del_sem( m->id );
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        wai_sem(m->id);
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        sig_sem(m->id);
+        return 0;
+    }
+
+    /****  uITRON malloc/free ***/
+    static ID ID_wolfssl_MPOOL = 0;
+    static T_CMPL wolfssl_MPOOL = {TA_TFIFO, 0, NULL, "wolfSSL_MPOOL"};
+
+    int uITRON4_minit(size_t poolsz) {
+        ER ercd;
+        wolfssl_MPOOL.mplsz = poolsz;
+        ercd = acre_mpl(&wolfssl_MPOOL);
+        if (ercd > 0) {
+            ID_wolfssl_MPOOL = ercd;
+            return 0;
+        } else {
+            return -1;
         }
-
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            sig_sem(m->id);
+    }
+
+    void *uITRON4_malloc(size_t sz) {
+        ER ercd;
+        void *p = NULL;
+        ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p);
+        if (ercd == E_OK) {
+            return p;
+        } else {
             return 0;
         }
+    }
+
+    void *uITRON4_realloc(void *p, size_t sz) {
+      ER ercd;
+      void *newp;
+      if(p) {
+          ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp);
+          if (ercd == E_OK) {
+              XMEMCPY(newp, p, sz);
+              ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p);
+              if (ercd == E_OK) {
+                  return newp;
+              }
+          }
+      }
+      return 0;
+    }
+
+    void uITRON4_free(void *p) {
+        ER ercd;
+        ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p);
+        if (ercd == E_OK) {
+            return;
+        } else {
+            return;
+        }
+    }
 
-        /****  uITRON malloc/free ***/
-        static ID ID_wolfssl_MPOOL = 0 ;
-        static T_CMPL wolfssl_MPOOL = {TA_TFIFO, 0, NULL, "wolfSSL_MPOOL"};
+#elif defined(WOLFSSL_uTKERNEL2)
 
-        int uITRON4_minit(size_t poolsz) {
-            ER ercd;
-            wolfssl_MPOOL.mplsz = poolsz ;
-            ercd = acre_mpl(&wolfssl_MPOOL);
-            if (ercd > 0) {
-                ID_wolfssl_MPOOL = ercd;
-                return 0;
-            } else {
-                return -1;
-            }
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        int iReturn;
+        m->sem.sematr  = TA_TFIFO;
+        m->sem.isemcnt = 1;
+        m->sem.maxsem  = 1;
+
+        m->id = tk_cre_sem(&m->sem);
+        if( m->id != NULL )
+            iReturn = 0;
+        else
+            iReturn = BAD_MUTEX_E;
+
+        return iReturn;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        tk_del_sem(m->id);
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        tk_wai_sem(m->id, 1, TMO_FEVR);
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        tk_sig_sem(m->id, 1);
+        return 0;
+    }
+
+    /****  uT-Kernel malloc/free ***/
+    static ID ID_wolfssl_MPOOL = 0;
+    static T_CMPL wolfssl_MPOOL = {
+        NULL,       /* Extended information */
+        TA_TFIFO,   /* Memory pool attribute */
+        0,          /* Size of whole memory pool (byte) */
+        "wolfSSL"   /* Object name (max 8-char) */
+    };
+
+    int uTKernel_init_mpool(unsigned int sz) {
+        ER ercd;
+        wolfssl_MPOOL.mplsz = sz;
+        ercd = tk_cre_mpl(&wolfssl_MPOOL);
+        if (ercd > 0) {
+            ID_wolfssl_MPOOL = ercd;
+            return 0;
+        } else {
+            return (int)ercd;
         }
-
-        void *uITRON4_malloc(size_t sz) {
-            ER ercd;
-            void *p ;
-            ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p);
-            if (ercd == E_OK) {
-                return p;
-            } else {
-                return 0 ;
-            }
+    }
+
+    void *uTKernel_malloc(unsigned int sz) {
+        ER ercd;
+        void *p = NULL;
+        ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p, TMO_FEVR);
+        if (ercd == E_OK) {
+            return p;
+        } else {
+            return 0;
         }
-
-        void *uITRON4_realloc(void *p, size_t sz) {
-          ER ercd;
-          void *newp ;
-          if(p) {
-              ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp);
+    }
+
+    void *uTKernel_realloc(void *p, unsigned int sz) {
+      ER ercd;
+      void *newp;
+      if (p) {
+          ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp, TMO_FEVR);
+          if (ercd == E_OK) {
+              XMEMCPY(newp, p, sz);
+              ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p);
               if (ercd == E_OK) {
-                  memcpy(newp, p, sz) ;
-                  ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p);
-                  if (ercd == E_OK) {
-                      return newp;
-                  }
+                  return newp;
               }
           }
-          return 0 ;
+      }
+      return 0;
+    }
+
+    void uTKernel_free(void *p) {
+        ER ercd;
+        ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p);
+        if (ercd == E_OK) {
+            return;
+        } else {
+            return;
         }
+    }
+
+#elif defined (WOLFSSL_FROSTED)
 
-        void uITRON4_free(void *p) {
-            ER ercd;
-            ercd = rel_mpl(ID_wolfssl_MPOOL, (VP)p);
-            if (ercd == E_OK) {
-                return ;
-            } else {
-                return ;
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        *m = mutex_init();
+        if (*m)
+            return 0;
+        else
+            return -1;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        mutex_destroy(*m);
+        return(0);
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        mutex_lock(*m);
+        return 0;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        mutex_unlock(*m);
+        return 0;
+    }
+
+#elif defined(WOLFSSL_CMSIS_RTOS)
+
+    #define CMSIS_NMUTEX 10
+    osMutexDef(wolfSSL_mt0);  osMutexDef(wolfSSL_mt1);  osMutexDef(wolfSSL_mt2);
+    osMutexDef(wolfSSL_mt3);  osMutexDef(wolfSSL_mt4);  osMutexDef(wolfSSL_mt5);
+    osMutexDef(wolfSSL_mt6);  osMutexDef(wolfSSL_mt7);  osMutexDef(wolfSSL_mt8);
+    osMutexDef(wolfSSL_mt9);
+
+    static const osMutexDef_t *CMSIS_mutex[] = { osMutex(wolfSSL_mt0),
+        osMutex(wolfSSL_mt1),    osMutex(wolfSSL_mt2),   osMutex(wolfSSL_mt3),
+        osMutex(wolfSSL_mt4),    osMutex(wolfSSL_mt5),   osMutex(wolfSSL_mt6),
+        osMutex(wolfSSL_mt7),    osMutex(wolfSSL_mt8),   osMutex(wolfSSL_mt9) };
+
+    static osMutexId CMSIS_mutexID[CMSIS_NMUTEX] = {0};
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        int i;
+        for (i=0; i<CMSIS_NMUTEX; i++) {
+            if(CMSIS_mutexID[i] == 0) {
+                CMSIS_mutexID[i] = osMutexCreate(CMSIS_mutex[i]);
+                (*m) = CMSIS_mutexID[i];
+            return 0;
             }
         }
+        return -1;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        int i;
+        osMutexDelete   (*m);
+        for (i=0; i<CMSIS_NMUTEX; i++) {
+            if(CMSIS_mutexID[i] == (*m)) {
+                CMSIS_mutexID[i] = 0;
+                return(0);
+            }
+        }
+        return(-1);
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        osMutexWait(*m, osWaitForever);
+        return(0);
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        osMutexRelease (*m);
+        return 0;
+    }
+
+#elif defined(WOLFSSL_CMSIS_RTOSv2)
+    int wc_InitMutex(wolfSSL_Mutex *m)
+    {
+        static const osMutexAttr_t attr = {
+            "wolfSSL_mutex", osMutexRecursive, NULL, 0};
+
+        if ((*m = osMutexNew(&attr)) != NULL)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-#elif defined(WOLFSSL_uTKERNEL2)
-        #include "tk/tkernel.h"
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            int iReturn;
-            m->sem.sematr  = TA_TFIFO ;
-            m->sem.isemcnt = 1 ;
-            m->sem.maxsem  = 1 ;
-
-            m->id = tk_cre_sem(&m->sem);
-            if( m->id != NULL )
-                iReturn = 0;
-            else
-                iReturn = BAD_MUTEX_E;
+    int wc_FreeMutex(wolfSSL_Mutex *m)
+    {
+        if (osMutexDelete(*m) == osOK)
+            return 0;
+        else
+            return BAD_MUTEX_E;
+    }
 
-            return iReturn;
-        }
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            tk_del_sem( m->id );
+    int wc_LockMutex(wolfSSL_Mutex *m)
+    {
+        if (osMutexAcquire(*m, osWaitForever) == osOK)
             return 0;
-        }
+        else
+            return BAD_MUTEX_E;
+    }
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            tk_wai_sem(m->id, 1, TMO_FEVR);
+    int wc_UnLockMutex(wolfSSL_Mutex *m)
+    {
+        if (osMutexRelease(*m) == osOK)
             return 0;
+        else
+            return BAD_MUTEX_E;
+    }
+
+#elif defined(WOLFSSL_MDK_ARM)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        os_mut_init (m);
+        return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        return(0);
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        os_mut_wait (m, 0xffff);
+        return(0);
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        os_mut_release (m);
+        return 0;
+    }
+
+#elif defined(INTIME_RTOS)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        int ret = 0;
+
+        if (m == NULL)
+            return BAD_FUNC_ARG;
+
+        *m = CreateRtSemaphore(
+            1,                      /* initial unit count */
+            1,                      /* maximum unit count */
+            PRIORITY_QUEUING        /* creation flags: FIFO_QUEUING or PRIORITY_QUEUING */
+        );
+        if (*m == BAD_RTHANDLE) {
+            ret = GetLastRtError();
+            if (ret != E_OK)
+                ret = BAD_MUTEX_E;
         }
-
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            tk_sig_sem(m->id, 1);
+        return ret;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        int ret = 0;
+        BOOLEAN del;
+
+        if (m == NULL)
+            return BAD_FUNC_ARG;
+
+        del = DeleteRtSemaphore(
+            *m                      /* handle for RT semaphore */
+        );
+    	if (del != TRUE)
+    		ret = BAD_MUTEX_E;
+
+        return ret;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        int ret = 0;
+        DWORD lck;
+
+        if (m == NULL)
+            return BAD_FUNC_ARG;
+
+        lck = WaitForRtSemaphore(
+            *m,                     /* handle for RT semaphore */
+            1,                      /* number of units to wait for */
+            WAIT_FOREVER            /* number of milliseconds to wait for units */
+        );
+        if (lck == WAIT_FAILED) {
+            ret = GetLastRtError();
+            if (ret != E_OK)
+                ret = BAD_MUTEX_E;
+        }
+        return ret;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        int ret = 0;
+        BOOLEAN rel;
+
+        if (m == NULL)
+            return BAD_FUNC_ARG;
+
+        rel = ReleaseRtSemaphore(
+            *m,                     /* handle for RT semaphore */
+            1                       /* number of units to release to semaphore */
+        );
+    	if (rel != TRUE)
+    		ret = BAD_MUTEX_E;
+
+        return ret;
+    }
+
+#elif defined(WOLFSSL_NUCLEUS_1_2)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        /* Call the Nucleus function to create the semaphore */
+        if (NU_Create_Semaphore(m, "WOLFSSL_MTX", 1,
+                                NU_PRIORITY) == NU_SUCCESS) {
             return 0;
         }
 
-        /****  uT-Kernel malloc/free ***/
-        static ID ID_wolfssl_MPOOL = 0 ;
-        static T_CMPL wolfssl_MPOOL =
-                     {(void *)NULL,
-        TA_TFIFO , 0,   "wolfSSL_MPOOL"};
+        return BAD_MUTEX_E;
+    }
 
-        int uTKernel_init_mpool(unsigned int sz) {
-            ER ercd;
-            wolfssl_MPOOL.mplsz = sz ;
-            ercd = tk_cre_mpl(&wolfssl_MPOOL);
-            if (ercd > 0) {
-                ID_wolfssl_MPOOL = ercd;
-                return 0;
-            } else {
-                return -1;
-            }
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        if (NU_Delete_Semaphore(m) == NU_SUCCESS)
+            return 0;
+
+        return BAD_MUTEX_E;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        /* passing suspend task option */
+        if (NU_Obtain_Semaphore(m, NU_SUSPEND) == NU_SUCCESS)
+            return 0;
+
+        return BAD_MUTEX_E;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        if (NU_Release_Semaphore(m) == NU_SUCCESS)
+            return 0;
+
+        return BAD_MUTEX_E;
+    }
+
+#elif defined(WOLFSSL_ZEPHYR)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        k_mutex_init(m);
+
+        return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        int ret = 0;
+
+        if (k_mutex_lock(m, K_FOREVER) != 0)
+            ret = BAD_MUTEX_E;
+
+        return ret;
+    }
+
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        k_mutex_unlock(m);
+
+        return 0;
+    }
+
+#elif defined(WOLFSSL_TELIT_M2MB)
+
+    int wc_InitMutex(wolfSSL_Mutex* m)
+    {
+        M2MB_OS_RESULT_E        osRes;
+        M2MB_OS_MTX_ATTR_HANDLE mtxAttrHandle;
+        UINT32                  inheritVal = 1;
+
+        osRes = m2mb_os_mtx_setAttrItem(&mtxAttrHandle,
+                                    CMDS_ARGS(
+                                      M2MB_OS_MTX_SEL_CMD_CREATE_ATTR, NULL,
+                                      M2MB_OS_MTX_SEL_CMD_NAME, "wolfMtx",
+                                      M2MB_OS_MTX_SEL_CMD_INHERIT, inheritVal
+                                    )
+                                );
+        if (osRes != M2MB_OS_SUCCESS) {
+            return BAD_MUTEX_E;
         }
 
-        void *uTKernel_malloc(unsigned int sz) {
-            ER ercd;
-            void *p ;
-            ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&p, TMO_FEVR);
-            if (ercd == E_OK) {
-                return p;
-            } else {
-                return 0 ;
-            }
+        osRes = m2mb_os_mtx_init(m, &mtxAttrHandle);
+        if (osRes != M2MB_OS_SUCCESS) {
+            return BAD_MUTEX_E;
         }
 
-        void *uTKernel_realloc(void *p, unsigned int sz) {
-          ER ercd;
-          void *newp ;
-          if(p) {
-              ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp, TMO_FEVR);
-              if (ercd == E_OK) {
-                  memcpy(newp, p, sz) ;
-                  ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p);
-                  if (ercd == E_OK) {
-                      return newp;
-                  }
-              }
-          }
-          return 0 ;
+        return 0;
+    }
+
+    int wc_FreeMutex(wolfSSL_Mutex* m)
+    {
+        M2MB_OS_RESULT_E osRes;
+
+        if (m == NULL)
+            return BAD_MUTEX_E;
+
+        osRes = m2mb_os_mtx_deinit(*m);
+        if (osRes != M2MB_OS_SUCCESS) {
+            return BAD_MUTEX_E;
         }
 
-        void uTKernel_free(void *p) {
-            ER ercd;
-            ercd = tk_rel_mpl(ID_wolfssl_MPOOL, (VP)p);
-            if (ercd == E_OK) {
-                return ;
-            } else {
-                return ;
-            }
+        return 0;
+    }
+
+    int wc_LockMutex(wolfSSL_Mutex* m)
+    {
+        M2MB_OS_RESULT_E osRes;
+
+        if (m == NULL)
+            return BAD_MUTEX_E;
+
+        osRes = m2mb_os_mtx_get(*m, M2MB_OS_WAIT_FOREVER);
+        if (osRes != M2MB_OS_SUCCESS) {
+            return BAD_MUTEX_E;
         }
 
-    #elif defined(WOLFSSL_MDK_ARM)|| defined(WOLFSSL_CMSIS_RTOS)
-    
-        #if defined(WOLFSSL_CMSIS_RTOS)
-            #include "cmsis_os.h"
-            #define CMSIS_NMUTEX 10
-            osMutexDef(wolfSSL_mt0) ;  osMutexDef(wolfSSL_mt1) ;  osMutexDef(wolfSSL_mt2) ;
-            osMutexDef(wolfSSL_mt3) ;  osMutexDef(wolfSSL_mt4) ;  osMutexDef(wolfSSL_mt5) ;  
-            osMutexDef(wolfSSL_mt6) ;  osMutexDef(wolfSSL_mt7) ;  osMutexDef(wolfSSL_mt8) ;  
-            osMutexDef(wolfSSL_mt9) ;  
-            
-            static const osMutexDef_t *CMSIS_mutex[] = { osMutex(wolfSSL_mt0),   
-                osMutex(wolfSSL_mt1),    osMutex(wolfSSL_mt2),   osMutex(wolfSSL_mt3),    
-                osMutex(wolfSSL_mt4),    osMutex(wolfSSL_mt5),   osMutex(wolfSSL_mt6),
-                osMutex(wolfSSL_mt7),    osMutex(wolfSSL_mt8),    osMutex(wolfSSL_mt9) } ;                 
-            
-            static osMutexId CMSIS_mutexID[CMSIS_NMUTEX] = {0} ;
-
-            int InitMutex(wolfSSL_Mutex* m)
-            {
-                int i ;
-                for (i=0; i<CMSIS_NMUTEX; i++) {
-                    if(CMSIS_mutexID[i] == 0) {
-                        CMSIS_mutexID[i] = osMutexCreate(CMSIS_mutex[i]) ;
-                        (*m) = CMSIS_mutexID[i] ;
-                    return 0 ;
-                    }
-                }
-                return -1 ;
-            }
+        return 0;
+    }
 
-            int FreeMutex(wolfSSL_Mutex* m)
-            {
-                int i ;
-                osMutexDelete   (*m) ;
-                for (i=0; i<CMSIS_NMUTEX; i++) {
-                    if(CMSIS_mutexID[i] == (*m)) {
-                        CMSIS_mutexID[i] = 0 ;
-                        return(0) ;
-                    }
-                }
-                return(-1) ;
-            }
-            
-            int LockMutex(wolfSSL_Mutex* m)
-            {
-                osMutexWait(*m, osWaitForever) ;
-                return(0) ;
-            }
+    int wc_UnLockMutex(wolfSSL_Mutex* m)
+    {
+        M2MB_OS_RESULT_E osRes;
 
-            int UnLockMutex(wolfSSL_Mutex* m)
-            {
-                osMutexRelease (*m);
-                return 0;
-            }
-        #else
-        int InitMutex(wolfSSL_Mutex* m)
-        {
-            os_mut_init (m); 
-            return 0;
+        if (m == NULL)
+            return BAD_MUTEX_E;
+
+        osRes = m2mb_os_mtx_put(*m);
+        if (osRes != M2MB_OS_SUCCESS) {
+            return BAD_MUTEX_E;
         }
 
-        int FreeMutex(wolfSSL_Mutex* m)
-        {
-            return(0) ;
+        return 0;
+    }
+
+#else
+    #warning No mutex handling defined
+
+#endif
+
+#ifndef NO_ASN_TIME
+#if defined(_WIN32_WCE)
+time_t windows_time(time_t* timer)
+{
+    SYSTEMTIME     sysTime;
+    FILETIME       fTime;
+    ULARGE_INTEGER intTime;
+    time_t         localTime;
+
+    if (timer == NULL)
+        timer = &localTime;
+
+    GetSystemTime(&sysTime);
+    SystemTimeToFileTime(&sysTime, &fTime);
+
+    XMEMCPY(&intTime, &fTime, sizeof(FILETIME));
+    /* subtract EPOCH */
+    intTime.QuadPart -= 0x19db1ded53e8000;
+    /* to secs */
+    intTime.QuadPart /= 10000000;
+    *timer = (time_t)intTime.QuadPart;
+
+    return *timer;
+}
+#endif /*  _WIN32_WCE */
+
+#if defined(WOLFSSL_APACHE_MYNEWT)
+#include "os/os_time.h"
+
+time_t mynewt_time(time_t* timer)
+{
+    time_t now;
+    struct os_timeval tv;
+    os_gettimeofday(&tv, NULL);
+    now = (time_t)tv.tv_sec;
+    if(timer != NULL) {
+        *timer = now;
+    }
+    return now;
+}
+#endif /* WOLFSSL_APACHE_MYNEWT */
+
+#if defined(WOLFSSL_GMTIME)
+struct tm* gmtime(const time_t* timer)
+{
+    #define YEAR0          1900
+    #define EPOCH_YEAR     1970
+    #define SECS_DAY       (24L * 60L * 60L)
+    #define LEAPYEAR(year) (!((year) % 4) && (((year) % 100) || !((year) %400)))
+    #define YEARSIZE(year) (LEAPYEAR(year) ? 366 : 365)
+
+    static const int _ytab[2][12] =
+    {
+        {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
+        {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}
+    };
+
+    static struct tm st_time;
+    struct tm* ret = &st_time;
+    time_t secs = *timer;
+    unsigned long dayclock, dayno;
+    int year = EPOCH_YEAR;
+
+    dayclock = (unsigned long)secs % SECS_DAY;
+    dayno    = (unsigned long)secs / SECS_DAY;
+
+    ret->tm_sec  = (int) dayclock % 60;
+    ret->tm_min  = (int)(dayclock % 3600) / 60;
+    ret->tm_hour = (int) dayclock / 3600;
+    ret->tm_wday = (int) (dayno + 4) % 7;        /* day 0 a Thursday */
+
+    while(dayno >= (unsigned long)YEARSIZE(year)) {
+        dayno -= YEARSIZE(year);
+        year++;
+    }
+
+    ret->tm_year = year - YEAR0;
+    ret->tm_yday = (int)dayno;
+    ret->tm_mon  = 0;
+
+    while(dayno >= (unsigned long)_ytab[LEAPYEAR(year)][ret->tm_mon]) {
+        dayno -= _ytab[LEAPYEAR(year)][ret->tm_mon];
+        ret->tm_mon++;
+    }
+
+    ret->tm_mday  = (int)++dayno;
+    ret->tm_isdst = 0;
+
+    return ret;
+}
+#endif /* WOLFSSL_GMTIME */
+
+
+#if defined(HAVE_RTP_SYS)
+#define YEAR0          1900
+
+struct tm* rtpsys_gmtime(const time_t* timer)       /* has a gmtime() but hangs */
+{
+    static struct tm st_time;
+    struct tm* ret = &st_time;
+
+    DC_RTC_CALENDAR cal;
+    dc_rtc_time_get(&cal, TRUE);
+
+    ret->tm_year  = cal.year - YEAR0;       /* gm starts at 1900 */
+    ret->tm_mon   = cal.month - 1;          /* gm starts at 0 */
+    ret->tm_mday  = cal.day;
+    ret->tm_hour  = cal.hour;
+    ret->tm_min   = cal.minute;
+    ret->tm_sec   = cal.second;
+
+    return ret;
+}
+
+#endif /* HAVE_RTP_SYS */
+
+
+#if defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
+
+/*
+ * time() is just a stub in Microchip libraries. We need our own
+ * implementation. Use SNTP client to get seconds since epoch.
+ */
+time_t pic32_time(time_t* timer)
+{
+#ifdef MICROCHIP_TCPIP_V5
+    DWORD sec = 0;
+#else
+    uint32_t sec = 0;
+#endif
+    time_t localTime;
+
+    if (timer == NULL)
+        timer = &localTime;
+
+#ifdef MICROCHIP_MPLAB_HARMONY
+    sec = TCPIP_SNTP_UTCSecondsGet();
+#else
+    sec = SNTPGetUTCSeconds();
+#endif
+    *timer = (time_t) sec;
+
+    return *timer;
+}
+
+#endif /* MICROCHIP_TCPIP || MICROCHIP_TCPIP_V5 */
+
+#if defined(WOLFSSL_DEOS)
+
+time_t deos_time(time_t* timer)
+{
+    const uint32_t systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
+    uint32_t *systemTickPtr = systemTickPointer();
+
+    if (timer != NULL)
+        *timer = *systemTickPtr/systemTickTimeInHz;
+
+    #if defined(CURRENT_UNIX_TIMESTAMP)
+        /* CURRENT_UNIX_TIMESTAMP is seconds since Jan 01 1970. (UTC) */
+        return (time_t) *systemTickPtr/systemTickTimeInHz + CURRENT_UNIX_TIMESTAMP;
+    #else
+        return (time_t) *systemTickPtr/systemTickTimeInHz;
+    #endif
+}
+#endif /* WOLFSSL_DEOS */
+
+#if defined(MICRIUM)
+
+time_t micrium_time(time_t* timer)
+{
+    CLK_TS_SEC sec;
+
+    Clk_GetTS_Unix(&sec);
+
+    if (timer != NULL)
+        *timer = sec;
+
+    return (time_t) sec;
+}
+
+#endif /* MICRIUM */
+
+#if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+
+time_t mqx_time(time_t* timer)
+{
+    time_t localTime;
+    TIME_STRUCT time_s;
+
+    if (timer == NULL)
+        timer = &localTime;
+
+    _time_get(&time_s);
+    *timer = (time_t) time_s.SECONDS;
+
+    return *timer;
+}
+
+#endif /* FREESCALE_MQX || FREESCALE_KSDK_MQX */
+
+
+#if defined(WOLFSSL_TIRTOS) && defined(USER_TIME)
+
+time_t XTIME(time_t * timer)
+{
+    time_t sec = 0;
+
+    sec = (time_t) Seconds_get();
+
+    if (timer != NULL)
+        *timer = sec;
+
+    return sec;
+}
+
+#endif /* WOLFSSL_TIRTOS */
+
+#if defined(WOLFSSL_XILINX)
+#include "xrtcpsu.h"
+
+time_t XTIME(time_t * timer)
+{
+    time_t sec = 0;
+    XRtcPsu_Config* con;
+    XRtcPsu         rtc;
+
+    con = XRtcPsu_LookupConfig(XPAR_XRTCPSU_0_DEVICE_ID);
+    if (con != NULL) {
+        if (XRtcPsu_CfgInitialize(&rtc, con, con->BaseAddr) == XST_SUCCESS) {
+            sec = (time_t)XRtcPsu_GetCurrentTime(&rtc);
+        }
+        else {
+            WOLFSSL_MSG("Unable to initialize RTC");
         }
+    }
 
-        int LockMutex(wolfSSL_Mutex* m)
-        {
-            os_mut_wait (m, 0xffff);
-            return(0) ;
+    if (timer != NULL)
+        *timer = sec;
+
+    return sec;
+}
+
+#endif /* WOLFSSL_XILINX */
+
+#if defined(WOLFSSL_ZEPHYR)
+
+time_t z_time(time_t * timer)
+{
+    struct timespec ts;
+
+    if (clock_gettime(CLOCK_REALTIME, &ts) == 0)
+        if (timer != NULL)
+            *timer = ts.tv_sec;
+
+    return ts.tv_sec;
+}
+
+#endif /* WOLFSSL_ZEPHYR */
+
+
+#if defined(WOLFSSL_WICED)
+    #ifndef WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME
+        #error Please define WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME at build time.
+    #endif /* WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME */
+
+time_t wiced_pseudo_unix_epoch_time(time_t * timer)
+{
+    time_t epoch_time;
+    /* The time() function return uptime on WICED platform. */
+    epoch_time = time(NULL) + WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME;
+
+    if (timer != NULL) {
+        *timer = epoch_time;
+    }
+    return epoch_time;
+}
+#endif /* WOLFSSL_WICED */
+
+#ifdef WOLFSSL_TELIT_M2MB
+    time_t m2mb_xtime(time_t * timer)
+    {
+        time_t myTime = 0;
+        INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
+        if (fd != -1) {
+            M2MB_RTC_TIMEVAL_T timeval;
+
+            m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
+
+            myTime = timeval.sec;
+
+            m2mb_rtc_close(fd);
         }
+        return myTime;
+    }
+    #ifdef WOLFSSL_TLS13
+    time_t m2mb_xtime_ms(time_t * timer)
+    {
+        time_t myTime = 0;
+        INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
+        if (fd != -1) {
+            M2MB_RTC_TIMEVAL_T timeval;
 
-        int UnLockMutex(wolfSSL_Mutex* m)
-        {
-            os_mut_release (m);
+            m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
+
+            myTime = timeval.sec + timeval.msec;
+
+            m2mb_rtc_close(fd);
+        }
+        return myTime;
+    }
+    #endif /* WOLFSSL_TLS13 */
+    #ifndef NO_CRYPT_BENCHMARK
+    double m2mb_xtime_bench(int reset)
+    {
+        double myTime = 0;
+        INT32 fd = m2mb_rtc_open("/dev/rtc0", 0);
+        if (fd != -1) {
+            M2MB_RTC_TIMEVAL_T timeval;
+
+            m2mb_rtc_ioctl(fd, M2MB_RTC_IOCTL_GET_TIMEVAL, &timeval);
+
+            myTime = (double)timeval.sec + ((double)timeval.msec / 1000);
+
+            m2mb_rtc_close(fd);
+        }
+        return myTime;
+    }
+    #endif /* !NO_CRYPT_BENCHMARK */
+#endif /* WOLFSSL_TELIT_M2MB */
+
+#endif /* !NO_ASN_TIME */
+
+#ifndef WOLFSSL_LEANPSK
+char* mystrnstr(const char* s1, const char* s2, unsigned int n)
+{
+    unsigned int s2_len = (unsigned int)XSTRLEN(s2);
+
+    if (s2_len == 0)
+        return (char*)s1;
+
+    while (n >= s2_len && s1[0]) {
+        if (s1[0] == s2[0])
+            if (XMEMCMP(s1, s2, s2_len) == 0)
+                return (char*)s1;
+        s1++;
+        n--;
+    }
+
+    return NULL;
+}
+#endif
+
+/* custom memory wrappers */
+#ifdef WOLFSSL_NUCLEUS_1_2
+
+    /* system memory pool */
+    extern NU_MEMORY_POOL System_Memory;
+
+    void* nucleus_malloc(unsigned long size, void* heap, int type)
+    {
+        STATUS status;
+        void*  stack_ptr;
+
+        status = NU_Allocate_Memory(&System_Memory, &stack_ptr, size,
+                                    NU_NO_SUSPEND);
+        if (status == NU_SUCCESS) {
             return 0;
+        } else {
+            return stack_ptr;
         }
-        #endif
-    #endif /* USE_WINDOWS_API */
+    }
+
+    void* nucleus_realloc(void* ptr, unsigned long size, void* heap, int type)
+    {
+        DM_HEADER* old_header;
+        word32     old_size, copy_size;
+        void*      new_mem;
+
+        /* if ptr is NULL, behave like malloc */
+        new_mem = nucleus_malloc(size, NULL, 0);
+        if (new_mem == 0 || ptr == 0) {
+            return new_mem;
+        }
+
+        /* calculate old memory block size */
+        /* mem pointers stored in block headers (ref dm_defs.h) */
+        old_header = (DM_HEADER*) ((byte*)ptr - DM_OVERHEAD);
+        old_size   = (byte*)old_header->dm_next_memory - (byte*)ptr;
+
+        /* copy old to new */
+        if (old_size < size) {
+            copy_size = old_size;
+        } else {
+            copy_size = size;
+        }
+        XMEMCPY(new_mem, ptr, copy_size);
 
-#endif /* SINGLE_THREADED */
-        
-#if defined(WOLFSSL_TI_CRYPT) ||  defined(WOLFSSL_TI_HASH)
+        /* free old */
+        nucleus_free(ptr, NULL, 0);
+
+        return new_mem;
+    }
+
+    void nucleus_free(void* ptr, void* heap, int type)
+    {
+        if (ptr != NULL)
+            NU_Deallocate_Memory(ptr);
+    }
+
+#endif /* WOLFSSL_NUCLEUS_1_2 */
+
+#if defined(WOLFSSL_TI_CRYPT) || defined(WOLFSSL_TI_HASH)
     #include <wolfcrypt/src/port/ti/ti-ccm.c>  /* initialize and Mutex for TI Crypt Engine */
     #include <wolfcrypt/src/port/ti/ti-hash.c> /* md5, sha1, sha224, sha256 */
 #endif
+
+#if defined(WOLFSSL_CRYPTOCELL)
+    #define WOLFSSL_CRYPTOCELL_C
+    #include <wolfcrypt/src/port/arm/cryptoCell.c> /* CC310, RTC and RNG */
+    #if !defined(NO_SHA256)
+        #define WOLFSSL_CRYPTOCELL_HASH_C
+        #include <wolfcrypt/src/port/arm/cryptoCellHash.c> /* sha256 */
+    #endif
+#endif
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_first.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_first.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_first.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_last.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_last.c
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfcrypt_last.c
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfevent.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfevent.c
new file mode 100644
index 000000000..20848cddc
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfevent.c
@@ -0,0 +1,283 @@
+/* wolfevent.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+
+#ifdef HAVE_WOLF_EVENT
+
+#include <wolfssl/internal.h>
+#include <wolfssl/error-ssl.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+
+#include <wolfssl/wolfcrypt/wolfevent.h>
+
+
+int wolfEvent_Init(WOLF_EVENT* event, WOLF_EVENT_TYPE type, void* context)
+{
+    if (event == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (event->state == WOLF_EVENT_STATE_PENDING) {
+        WOLFSSL_MSG("Event already pending!");
+        return BAD_COND_E;
+    }
+
+    XMEMSET(event, 0, sizeof(WOLF_EVENT));
+    event->type = type;
+    event->context = context;
+
+    return 0;
+}
+
+int wolfEvent_Poll(WOLF_EVENT* event, WOLF_EVENT_FLAG flags)
+{
+    int ret = BAD_COND_E;
+
+    /* Check hardware */
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (event->type >= WOLF_EVENT_TYPE_ASYNC_FIRST &&
+        event->type <= WOLF_EVENT_TYPE_ASYNC_LAST)
+    {
+        ret = wolfAsync_EventPoll(event, flags);
+    }
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+    return ret;
+}
+
+int wolfEventQueue_Init(WOLF_EVENT_QUEUE* queue)
+{
+    int ret = 0;
+
+    if (queue == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    XMEMSET(queue, 0, sizeof(WOLF_EVENT_QUEUE));
+#ifndef SINGLE_THREADED
+    ret = wc_InitMutex(&queue->lock);
+#endif
+    return ret;
+}
+
+
+int wolfEventQueue_Push(WOLF_EVENT_QUEUE* queue, WOLF_EVENT* event)
+{
+    int ret;
+
+    if (queue == NULL || event == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifndef SINGLE_THREADED
+    if ((ret = wc_LockMutex(&queue->lock)) != 0) {
+        return ret;
+    }
+#endif
+
+    ret = wolfEventQueue_Add(queue, event);
+
+#ifndef SINGLE_THREADED
+    wc_UnLockMutex(&queue->lock);
+#endif
+
+    return ret;
+}
+
+int wolfEventQueue_Pop(WOLF_EVENT_QUEUE* queue, WOLF_EVENT** event)
+{
+    int ret = 0;
+
+    if (queue == NULL || event == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifndef SINGLE_THREADED
+    /* In single threaded mode "event_queue.lock" doesn't exist */
+    if ((ret = wc_LockMutex(&queue->lock)) != 0) {
+        return ret;
+    }
+#endif
+
+    /* Pop first item off queue */
+    *event = queue->head;
+    ret = wolfEventQueue_Remove(queue, *event);
+
+#ifndef SINGLE_THREADED
+    wc_UnLockMutex(&queue->lock);
+#endif
+
+    return ret;
+}
+
+/* assumes queue is locked by caller */
+int wolfEventQueue_Add(WOLF_EVENT_QUEUE* queue, WOLF_EVENT* event)
+{
+    if (queue == NULL || event == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    event->next = NULL; /* added to end */
+    event->prev = NULL;
+    if (queue->tail == NULL)  {
+        queue->head = event;
+    }
+    else {
+        queue->tail->next = event;
+        event->prev = queue->tail;
+    }
+    queue->tail = event;      /* add to the end either way */
+    queue->count++;
+
+    return 0;
+}
+
+/* assumes queue is locked by caller */
+int wolfEventQueue_Remove(WOLF_EVENT_QUEUE* queue, WOLF_EVENT* event)
+{
+    int ret = 0;
+
+    if (queue == NULL || event == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (event == queue->head && event == queue->tail) {
+        queue->head = NULL;
+        queue->tail = NULL;
+    }
+    else if (event == queue->head) {
+        queue->head = event->next;
+        queue->head->prev = NULL;
+    }
+    else if (event == queue->tail) {
+        queue->tail = event->prev;
+        queue->tail->next = NULL;
+    }
+    else {
+        WOLF_EVENT* next = event->next;
+        WOLF_EVENT* prev = event->prev;
+        next->prev = prev;
+        prev->next = next;
+    }
+    queue->count--;
+
+    return ret;
+}
+
+int wolfEventQueue_Poll(WOLF_EVENT_QUEUE* queue, void* context_filter,
+    WOLF_EVENT** events, int maxEvents, WOLF_EVENT_FLAG flags, int* eventCount)
+{
+    WOLF_EVENT* event;
+    int ret = 0, count = 0;
+
+    if (queue == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifndef SINGLE_THREADED
+    /* In single threaded mode "event_queue.lock" doesn't exist */
+    if ((ret = wc_LockMutex(&queue->lock)) != 0) {
+        return ret;
+    }
+#endif
+
+    /* itterate event queue */
+    for (event = queue->head; event != NULL; event = event->next)
+    {
+        /* optional filter based on context */
+        if (context_filter == NULL || event->context == context_filter) {
+
+            /* poll event */
+            ret = wolfEvent_Poll(event, flags);
+            if (ret < 0) break; /* exit for */
+
+            /* If event is done then process */
+            if (event->state == WOLF_EVENT_STATE_DONE) {
+                /* remove from queue */
+                ret = wolfEventQueue_Remove(queue, event);
+                if (ret < 0) break; /* exit for */
+
+                /* return pointer in 'events' arg */
+                if (events) {
+                    events[count] = event; /* return pointer */
+                }
+                count++;
+
+                /* check to make sure our event list isn't full */
+                if (events && count >= maxEvents) {
+                    break; /* exit for */
+                }
+            }
+        }
+    }
+
+#ifndef SINGLE_THREADED
+    wc_UnLockMutex(&queue->lock);
+#endif
+
+    /* return number of properly populated events */
+    if (eventCount) {
+        *eventCount = count;
+    }
+
+    return ret;
+}
+
+int wolfEventQueue_Count(WOLF_EVENT_QUEUE* queue)
+{
+    int ret;
+
+    if (queue == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+#ifndef SINGLE_THREADED
+    /* In single threaded mode "event_queue.lock" doesn't exist */
+    if ((ret = wc_LockMutex(&queue->lock)) != 0) {
+        return ret;
+    }
+#endif
+
+    ret = queue->count;
+
+#ifndef SINGLE_THREADED
+    wc_UnLockMutex(&queue->lock);
+#endif
+
+    return ret;
+}
+
+void wolfEventQueue_Free(WOLF_EVENT_QUEUE* queue)
+{
+    if (queue) {
+    #ifndef SINGLE_THREADED
+        wc_FreeMutex(&queue->lock);
+    #endif
+    }
+}
+
+#endif /* HAVE_WOLF_EVENT */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfmath.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfmath.c
new file mode 100644
index 000000000..0c17a0a27
--- /dev/null
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/wolfmath.c
@@ -0,0 +1,381 @@
+/* wolfmath.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+/* common functions for either math library */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+/* in case user set USE_FAST_MATH there */
+#include <wolfssl/wolfcrypt/settings.h>
+
+#include <wolfssl/wolfcrypt/integer.h>
+
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+#if defined(USE_FAST_MATH) || !defined(NO_BIG_INT)
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    #include <wolfssl/wolfcrypt/async.h>
+#endif
+
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif
+
+
+#if !defined(WC_NO_CACHE_RESISTANT) && \
+    ((defined(HAVE_ECC) && defined(ECC_TIMING_RESISTANT)) || \
+     (defined(USE_FAST_MATH) && defined(TFM_TIMING_RESISTANT)))
+
+    /* all off / all on pointer addresses for constant calculations */
+    /* ecc.c uses same table */
+    const wolfssl_word wc_off_on_addr[2] =
+    {
+    #if defined(WC_64BIT_CPU)
+        W64LIT(0x0000000000000000),
+        W64LIT(0xffffffffffffffff)
+    #elif defined(WC_16BIT_CPU)
+        0x0000U,
+        0xffffU
+    #else
+        /* 32 bit */
+        0x00000000U,
+        0xffffffffU
+    #endif
+    };
+#endif
+
+
+#if !defined(WOLFSSL_SP_MATH)
+int get_digit_count(mp_int* a)
+{
+    if (a == NULL)
+        return 0;
+
+    return a->used;
+}
+#endif
+
+mp_digit get_digit(mp_int* a, int n)
+{
+    if (a == NULL)
+        return 0;
+
+    return (n >= a->used || n < 0) ? 0 : a->dp[n];
+}
+
+/* Conditionally copy a into b. Performed in constant time.
+ *
+ * a     MP integer to copy.
+ * copy  On 1, copy a into b. on 0 leave b unchanged.
+ * b     MP integer to copy into.
+ * returns BAD_FUNC_ARG when a or b is NULL, MEMORY_E when growing b fails and
+ *         MP_OKAY otherwise.
+ */
+int mp_cond_copy(mp_int* a, int copy, mp_int* b)
+{
+    int err = MP_OKAY;
+    int i;
+    mp_digit mask = (mp_digit)0 - copy;
+
+    if (a == NULL || b == NULL)
+        err = BAD_FUNC_ARG;
+
+    /* Ensure b has enough space to copy a into */
+    if (err == MP_OKAY)
+        err = mp_grow(b, a->used + 1);
+    if (err == MP_OKAY) {
+        /* When mask 0, b is unchanged2
+         * When mask all set, b ^ b ^ a = a
+         */
+        /* Conditionaly copy all digits and then number of used diigits.
+         * get_digit() returns 0 when index greater than available digit.
+         */
+        for (i = 0; i < a->used; i++) {
+            b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask;
+        }
+        for (; i < b->used; i++) {
+            b->dp[i] ^= (get_digit(a, i) ^ get_digit(b, i)) & mask;
+        }
+        b->used ^= (a->used ^ b->used) & (int)mask;
+    }
+
+    return err;
+}
+
+#ifndef WC_NO_RNG
+int get_rand_digit(WC_RNG* rng, mp_digit* d)
+{
+    return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit));
+}
+
+#ifdef WC_RSA_BLINDING
+int mp_rand(mp_int* a, int digits, WC_RNG* rng)
+{
+    int ret = 0;
+    int cnt = digits * sizeof(mp_digit);
+#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH)
+    int i;
+#endif
+
+    if (rng == NULL) {
+        ret = MISSING_RNG_E;
+    }
+    else if (a == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+
+#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH)
+    /* allocate space for digits */
+    if (ret == MP_OKAY) {
+        ret = mp_set_bit(a, digits * DIGIT_BIT - 1);
+    }
+#else
+#if defined(WOLFSSL_SP_MATH)
+    if ((ret == MP_OKAY) && (digits > SP_INT_DIGITS))
+#else
+    if ((ret == MP_OKAY) && (digits > FP_SIZE))
+#endif
+    {
+        ret = BAD_FUNC_ARG;
+    }
+    if (ret == MP_OKAY) {
+        a->used = digits;
+    }
+#endif
+    /* fill the data with random bytes */
+    if (ret == MP_OKAY) {
+        ret = wc_RNG_GenerateBlock(rng, (byte*)a->dp, cnt);
+    }
+    if (ret == MP_OKAY) {
+#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH)
+        /* Mask down each digit to only bits used */
+        for (i = 0; i < a->used; i++) {
+            a->dp[i] &= MP_MASK;
+        }
+#endif
+        /* ensure top digit is not zero */
+        while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) {
+            ret = get_rand_digit(rng, &a->dp[a->used - 1]);
+#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH)
+            a->dp[a->used - 1] &= MP_MASK;
+#endif
+        }
+    }
+
+    return ret;
+}
+#endif /* WC_RSA_BLINDING */
+#endif
+
+/* export an mp_int as unsigned char or hex string
+ * encType is WC_TYPE_UNSIGNED_BIN or WC_TYPE_HEX_STR
+ * return MP_OKAY on success */
+int wc_export_int(mp_int* mp, byte* buf, word32* len, word32 keySz,
+    int encType)
+{
+    int err;
+
+    if (mp == NULL)
+        return BAD_FUNC_ARG;
+
+    /* check buffer size */
+    if (*len < keySz) {
+        *len = keySz;
+        return BUFFER_E;
+    }
+
+    *len = keySz;
+    XMEMSET(buf, 0, *len);
+
+    if (encType == WC_TYPE_HEX_STR) {
+    #ifdef WC_MP_TO_RADIX
+        err = mp_tohex(mp, (char*)buf);
+    #else
+        err = NOT_COMPILED_IN;
+    #endif
+    }
+    else {
+        err = mp_to_unsigned_bin(mp, buf + (keySz - mp_unsigned_bin_size(mp)));
+    }
+
+    return err;
+}
+
+
+#ifdef HAVE_WOLF_BIGINT
+void wc_bigint_init(WC_BIGINT* a)
+{
+    if (a != NULL) {
+        a->buf = NULL;
+        a->len = 0;
+        a->heap = NULL;
+    }
+}
+
+int wc_bigint_alloc(WC_BIGINT* a, word32 sz)
+{
+    int err = MP_OKAY;
+
+    if (a == NULL)
+        return BAD_FUNC_ARG;
+
+    if (sz > 0) {
+        if (a->buf && sz > a->len) {
+            wc_bigint_free(a);
+        }
+        if (a->buf == NULL) {
+            a->buf = (byte*)XMALLOC(sz, a->heap, DYNAMIC_TYPE_WOLF_BIGINT);
+            if (a->buf == NULL) {
+                err = MP_MEM;
+            }
+        }
+        else {
+            XMEMSET(a->buf, 0, sz);
+        }
+    }
+    a->len = sz;
+
+    return err;
+}
+
+/* assumes input is big endian format */
+int wc_bigint_from_unsigned_bin(WC_BIGINT* a, const byte* in, word32 inlen)
+{
+    int err;
+
+    if (a == NULL || in == NULL || inlen == 0)
+        return BAD_FUNC_ARG;
+
+    err = wc_bigint_alloc(a, inlen);
+    if (err == 0) {
+        XMEMCPY(a->buf, in, inlen);
+    }
+
+    return err;
+}
+
+int wc_bigint_to_unsigned_bin(WC_BIGINT* a, byte* out, word32* outlen)
+{
+    word32 sz;
+
+    if (a == NULL || out == NULL || outlen == NULL || *outlen == 0)
+        return BAD_FUNC_ARG;
+
+    /* trim to fit into output buffer */
+    sz = a->len;
+    if (a->len > *outlen) {
+        WOLFSSL_MSG("wc_bigint_export: Truncating output");
+        sz = *outlen;
+    }
+
+    if (a->buf) {
+        XMEMCPY(out, a->buf, sz);
+    }
+
+    *outlen = sz;
+
+    return MP_OKAY;
+}
+
+void wc_bigint_zero(WC_BIGINT* a)
+{
+    if (a && a->buf) {
+        ForceZero(a->buf, a->len);
+    }
+}
+
+void wc_bigint_free(WC_BIGINT* a)
+{
+    if (a) {
+        if (a->buf) {
+          XFREE(a->buf, a->heap, DYNAMIC_TYPE_WOLF_BIGINT);
+        }
+        a->buf = NULL;
+        a->len = 0;
+    }
+}
+
+/* sz: make sure the buffer is at least that size and zero padded.
+ *     A `sz == 0` will use the size of `src`.
+ *     The calulcates sz is stored into dst->len in `wc_bigint_alloc`.
+ */
+int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz)
+{
+    int err;
+    word32 x, y;
+
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    /* get size of source */
+    x = mp_unsigned_bin_size(src);
+    if (sz < x)
+        sz = x;
+
+    /* make sure destination is allocated and large enough */
+    err = wc_bigint_alloc(dst, sz);
+    if (err == MP_OKAY) {
+
+        /* leading zero pad */
+        y = sz - x;
+        XMEMSET(dst->buf, 0, y);
+
+        /* export src as unsigned bin to destination buf */
+        err = mp_to_unsigned_bin(src, dst->buf + y);
+    }
+
+    return err;
+}
+
+int wc_mp_to_bigint(mp_int* src, WC_BIGINT* dst)
+{
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    return wc_mp_to_bigint_sz(src, dst, 0);
+}
+
+int wc_bigint_to_mp(WC_BIGINT* src, mp_int* dst)
+{
+    int err;
+
+    if (src == NULL || dst == NULL)
+        return BAD_FUNC_ARG;
+
+    if (src->buf == NULL)
+        return BAD_FUNC_ARG;
+
+    err = mp_read_unsigned_bin(dst, src->buf, src->len);
+    wc_bigint_free(src);
+
+    return err;
+}
+#endif /* HAVE_WOLF_BIGINT */
+
+#endif /* USE_FAST_MATH || !NO_BIG_INT */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/include.am b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/include.am
index 950d7c601..b2fc302c1 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/include.am
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/include.am
@@ -1,11 +1,18 @@
 # vim:ft=automake
 # All paths should be given relative to the root
 
+if BUILD_WOLFCRYPT_TESTS
+noinst_PROGRAMS+= wolfcrypt/test/testwolfcrypt
+if BUILD_CRYPTONLY
+check_PROGRAMS+= wolfcrypt/test/testwolfcrypt
+endif
 noinst_PROGRAMS+= wolfcrypt/test/testwolfcrypt
 wolfcrypt_test_testwolfcrypt_SOURCES      = wolfcrypt/test/test.c
-wolfcrypt_test_testwolfcrypt_LDADD        = src/libwolfssl.la
+wolfcrypt_test_testwolfcrypt_LDADD        = src/libwolfssl.la $(LIB_STATIC_ADD)
 wolfcrypt_test_testwolfcrypt_DEPENDENCIES = src/libwolfssl.la
 noinst_HEADERS += wolfcrypt/test/test.h
+endif
 EXTRA_DIST += wolfcrypt/test/test.sln
 EXTRA_DIST += wolfcrypt/test/test.vcproj
+EXTRA_DIST += wolfcrypt/test/README.md
 DISTCLEANFILES+= wolfcrypt/test/.libs/testwolfcrypt
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.c
index cf5dbe56e..399a29b75 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.c
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.c
@@ -1,8 +1,8 @@
 /* test.c
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,22 +16,111 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+
 #ifdef HAVE_CONFIG_H
     #include <config.h>
 #endif
 
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/version.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+
+#ifndef NO_CRYPT_TEST
 
-#ifdef XMALLOC_USER
-    #include <stdlib.h>  /* we're using malloc / free direct here */
+/* only for stack size check */
+#ifdef HAVE_STACK_SIZE
+    #include <wolfssl/ssl.h>
+    #define err_sys err_sys_remap /* remap err_sys */
+    #include <wolfssl/test.h>
+    #undef err_sys
 #endif
 
-#ifndef NO_CRYPT_TEST
+#ifdef USE_FLAT_TEST_H
+    #include "test.h"
+#else
+    #include "wolfcrypt/test/test.h"
+#endif
 
-#ifdef WOLFSSL_TEST_CERT
+/* printf mappings */
+#if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+    #include <mqx.h>
+    #include <stdlib.h>
+    /* see wc_port.h for fio.h and nio.h includes */
+#elif defined(FREESCALE_KSDK_BM)
+    #include "fsl_debug_console.h"
+    #undef printf
+    #define printf PRINTF
+#elif defined(WOLFSSL_APACHE_MYNEWT)
+    #include <assert.h>
+    #include <string.h>
+    #include "sysinit/sysinit.h"
+    #include "os/os.h"
+    #ifdef ARCH_sim
+    #include "mcu/mcu_sim.h"
+    #endif
+    #include "os/os_time.h"
+#elif defined(WOLFSSL_ESPIDF)
+    #include <time.h>
+    #include <sys/time.h>
+#elif defined(WOLFSSL_ZEPHYR)
+    #include <stdio.h>
+
+    #define printf printk
+#elif defined(MICRIUM)
+    #include <bsp_ser.h>
+    void BSP_Ser_Printf (CPU_CHAR* format, ...);
+    #undef printf
+    #define printf BSP_Ser_Printf
+#elif defined(WOLFSSL_PB)
+    #include <stdarg.h>
+    int wolfssl_pb_print(const char*, ...);
+    #undef printf
+    #define printf wolfssl_pb_print
+#elif defined(WOLFSSL_TELIT_M2MB)
+    #include "wolfssl/wolfcrypt/wc_port.h" /* for m2mb headers */
+    #include "m2m_log.h" /* for M2M_LOG_INFO - not standard API */
+    /* remap printf */
+    #undef printf
+    #define printf M2M_LOG_INFO
+    /* OS requires occasional sleep() */
+    #ifndef TEST_SLEEP_MS
+        #define TEST_SLEEP_MS 50
+    #endif
+    #define TEST_SLEEP() m2mb_os_taskSleep(M2MB_OS_MS2TICKS(TEST_SLEEP_MS))
+    /* don't use file system for these tests, since ./certs dir isn't loaded */
+    #undef  NO_FILESYSTEM
+    #define NO_FILESYSTEM
+#elif defined(THREADX) && !defined(WOLFSSL_WICED) && !defined(THREADX_NO_DC_PRINTF)
+    /* since just testing, use THREADX log printf instead */
+    int dc_log_printf(char*, ...);
+    #undef printf
+    #define printf dc_log_printf
+#else
+    #ifdef XMALLOC_USER
+        #include <stdlib.h>  /* we're using malloc / free direct here */
+    #endif
+    #ifndef STRING_USER
+        #include <stdio.h>
+    #endif
+
+    /* enable way for customer to override test/bench printf */
+    #ifdef XPRINTF
+        #undef  printf
+        #define printf XPRINTF
+    #endif
+#endif
+
+#include <wolfssl/wolfcrypt/memory.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+#include <wolfssl/wolfcrypt/logging.h>
+#include <wolfssl/wolfcrypt/types.h>
+#if defined(WOLFSSL_TEST_CERT) || defined(ASN_BER_TO_DER)
     #include <wolfssl/wolfcrypt/asn.h>
 #else
     #include <wolfssl/wolfcrypt/asn_public.h>
@@ -43,16 +132,25 @@
 #include <wolfssl/wolfcrypt/sha256.h>
 #include <wolfssl/wolfcrypt/sha512.h>
 #include <wolfssl/wolfcrypt/arc4.h>
-#include <wolfssl/wolfcrypt/random.h>
+#if defined(WC_NO_RNG)
+    #include <wolfssl/wolfcrypt/integer.h>
+#else
+    #include <wolfssl/wolfcrypt/random.h>
+#endif
 #include <wolfssl/wolfcrypt/coding.h>
+#include <wolfssl/wolfcrypt/signature.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/des3.h>
 #include <wolfssl/wolfcrypt/aes.h>
+#include <wolfssl/wolfcrypt/wc_encrypt.h>
+#include <wolfssl/wolfcrypt/cmac.h>
 #include <wolfssl/wolfcrypt/poly1305.h>
 #include <wolfssl/wolfcrypt/camellia.h>
 #include <wolfssl/wolfcrypt/hmac.h>
 #include <wolfssl/wolfcrypt/dh.h>
 #include <wolfssl/wolfcrypt/dsa.h>
+#include <wolfssl/wolfcrypt/srp.h>
+#include <wolfssl/wolfcrypt/idea.h>
 #include <wolfssl/wolfcrypt/hc128.h>
 #include <wolfssl/wolfcrypt/rabbit.h>
 #include <wolfssl/wolfcrypt/chacha.h>
@@ -69,9 +167,18 @@
 #ifdef HAVE_ED25519
     #include <wolfssl/wolfcrypt/ed25519.h>
 #endif
-#ifdef HAVE_BLAKE2
+#ifdef HAVE_CURVE448
+    #include <wolfssl/wolfcrypt/curve448.h>
+#endif
+#ifdef HAVE_ED448
+    #include <wolfssl/wolfcrypt/ed448.h>
+#endif
+#if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
     #include <wolfssl/wolfcrypt/blake2.h>
 #endif
+#ifdef WOLFSSL_SHA3
+    #include <wolfssl/wolfcrypt/sha3.h>
+#endif
 #ifdef HAVE_LIBZ
     #include <wolfssl/wolfcrypt/compress.h>
 #endif
@@ -81,6 +188,27 @@
 #ifdef HAVE_FIPS
     #include <wolfssl/wolfcrypt/fips_test.h>
 #endif
+#ifdef HAVE_SELFTEST
+    #include <wolfssl/wolfcrypt/selftest.h>
+#endif
+#ifdef WOLFSSL_ASYNC_CRYPT
+    #include <wolfssl/wolfcrypt/async.h>
+#endif
+#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+    #include <wolfssl/wolfcrypt/logging.h>
+#endif
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
+#endif
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+    #ifdef HAVE_INTEL_QA_SYNC
+        #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+    #endif
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+        #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+    #endif
+#endif
 
 #ifdef _MSC_VER
     /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
@@ -88,59 +216,57 @@
 #endif
 
 #ifdef OPENSSL_EXTRA
+  #ifndef WOLFCRYPT_ONLY
     #include <wolfssl/openssl/evp.h>
+  #endif
     #include <wolfssl/openssl/rand.h>
     #include <wolfssl/openssl/hmac.h>
+    #include <wolfssl/openssl/aes.h>
     #include <wolfssl/openssl/des.h>
 #endif
 
-
-#if defined(USE_CERT_BUFFERS_1024) || defined(USE_CERT_BUFFERS_2048) \
-                                   || !defined(NO_DH)
-    /* include test cert and key buffers for use with NO_FILESYSTEM */
-    #if defined(WOLFSSL_MDK_ARM)
-        #include "cert_data.h"
-                        /* use certs_test.c for initial data, so other
-                                               commands can share the data. */
-    #else
-        #include <wolfssl/certs_test.h>
+#if defined(NO_FILESYSTEM)
+    #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+        !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
+        #define USE_CERT_BUFFERS_2048
+    #endif
+    #if !defined(USE_CERT_BUFFERS_256)
+        #define USE_CERT_BUFFERS_256
     #endif
 #endif
 
-#if defined(WOLFSSL_MDK_ARM)
-        #include <stdio.h>
-        #include <stdlib.h>
-    extern FILE * wolfSSL_fopen(const char *fname, const char *mode) ;
-    #define fopen wolfSSL_fopen
+#if defined(WOLFSSL_CERT_GEN) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES))
+    #define ENABLE_ECC384_CERT_GEN_TEST
 #endif
 
+#include <wolfssl/certs_test.h>
+
 #ifdef HAVE_NTRU
-    #include "ntru_crypto.h"
-#endif
-#ifdef HAVE_CAVIUM
-    #include "cavium_sysdep.h"
-    #include "cavium_common.h"
-    #include "cavium_ioctl.h"
+    #include "libntruencrypt/ntru_crypto.h"
 #endif
 
-#ifdef FREESCALE_MQX
-    #include <mqx.h>
-    #include <fio.h>
-    #include <stdlib.h>
+#ifdef WOLFSSL_STATIC_MEMORY
+    static WOLFSSL_HEAP_HINT* HEAP_HINT;
 #else
-    #include <stdio.h>
-#endif
+    #define HEAP_HINT NULL
+#endif /* WOLFSSL_STATIC_MEMORY */
 
+/* these cases do not have intermediate hashing support */
+#if (defined(WOLFSSL_AFALG_XILINX_SHA3) && !defined(WOLFSSL_AFALG_HASH_KEEP)) \
+        && !defined(WOLFSSL_XILINX_CRYPT)
+    #define NO_INTM_HASH_TEST
+#endif
 
-#ifdef THREADX
-    /* since just testing, use THREADX log printf instead */
-    int dc_log_printf(char*, ...);
-        #undef printf
-        #define printf dc_log_printf
+#if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_MULTI_ATTRIB)
+static void initDefaultName(void);
 #endif
 
-#include "wolfcrypt/test/test.h"
+/* for async devices */
+static int devId = INVALID_DEVID;
 
+#ifdef HAVE_WNR
+    const char* wnrConfigFile = "wnr-example.conf";
+#endif
 
 typedef struct testVector {
     const char*  input;
@@ -149,20 +275,30 @@ typedef struct testVector {
     size_t outLen;
 } testVector;
 
+int  error_test(void);
+int  base64_test(void);
+int  base16_test(void);
+int  asn_test(void);
 int  md2_test(void);
 int  md5_test(void);
 int  md4_test(void);
 int  sha_test(void);
+int  sha224_test(void);
 int  sha256_test(void);
 int  sha512_test(void);
 int  sha384_test(void);
+int  sha3_test(void);
+int  shake256_test(void);
+int  hash_test(void);
 int  hmac_md5_test(void);
 int  hmac_sha_test(void);
+int  hmac_sha224_test(void);
 int  hmac_sha256_test(void);
 int  hmac_sha384_test(void);
 int  hmac_sha512_test(void);
-int  hmac_blake2b_test(void);
+int  hmac_sha3_test(void);
 int  hkdf_test(void);
+int  x963kdf_test(void);
 int  arc4_test(void);
 int  hc128_test(void);
 int  rabbit_test(void);
@@ -171,26 +307,49 @@ int  chacha20_poly1305_aead_test(void);
 int  des_test(void);
 int  des3_test(void);
 int  aes_test(void);
+int  aes192_test(void);
+int  aes256_test(void);
+int  aesofb_test(void);
+int  cmac_test(void);
 int  poly1305_test(void);
 int  aesgcm_test(void);
+int  aesgcm_default_test(void);
 int  gmac_test(void);
 int  aesccm_test(void);
+int  aeskeywrap_test(void);
 int  camellia_test(void);
+int  rsa_no_pad_test(void);
 int  rsa_test(void);
 int  dh_test(void);
 int  dsa_test(void);
+int  srp_test(void);
+#ifndef WC_NO_RNG
 int  random_test(void);
+#endif /* WC_NO_RNG */
 int  pwdbased_test(void);
 int  ripemd_test(void);
+#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
 int  openssl_test(void);   /* test mini api */
+
+int  openssl_pkey_test(void);
+int  openssl_pkey0_test(void);
+int  openssl_pkey1_test(void);
+int  openSSL_evpMD_test(void);
+int  openssl_evpSig_test(void);
+#endif
+
 int pbkdf1_test(void);
 int pkcs12_test(void);
 int pbkdf2_test(void);
+int scrypt_test(void);
 #ifdef HAVE_ECC
     int  ecc_test(void);
     #ifdef HAVE_ECC_ENCRYPT
         int  ecc_encrypt_test(void);
     #endif
+    #ifdef USE_CERT_BUFFERS_256
+        int ecc_test_buffers(void);
+    #endif
 #endif
 #ifdef HAVE_CURVE25519
     int  curve25519_test(void);
@@ -198,36 +357,104 @@ int pbkdf2_test(void);
 #ifdef HAVE_ED25519
     int  ed25519_test(void);
 #endif
+#ifdef HAVE_CURVE448
+    int  curve448_test(void);
+#endif
+#ifdef HAVE_ED448
+    int  ed448_test(void);
+#endif
 #ifdef HAVE_BLAKE2
     int  blake2b_test(void);
 #endif
+#ifdef HAVE_BLAKE2S
+    int  blake2s_test(void);
+#endif
 #ifdef HAVE_LIBZ
     int compress_test(void);
 #endif
 #ifdef HAVE_PKCS7
-    int pkcs7enveloped_test(void);
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        int pkcs7encrypted_test(void);
+    #endif
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        int pkcs7compressed_test(void);
+    #endif
     int pkcs7signed_test(void);
+    int pkcs7enveloped_test(void);
+    #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+        int pkcs7authenveloped_test(void);
+    #endif
+    #ifndef NO_AES
+        int pkcs7callback_test(byte* cert, word32 certSz, byte* key,
+                word32 keySz);
+    #endif
+#endif
+#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
+    !defined(NO_FILESYSTEM)
+int cert_test(void);
+#endif
+#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
+   !defined(NO_FILESYSTEM)
+int  certext_test(void);
+#endif
+#if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
+int decodedCertCache_test(void);
+#endif
+#ifdef HAVE_IDEA
+int idea_test(void);
+#endif
+int memory_test(void);
+#ifdef HAVE_VALGRIND
+int mp_test(void);
+#endif
+#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
+int prime_test(void);
+#endif
+#ifdef ASN_BER_TO_DER
+int berder_test(void);
+#endif
+int logging_test(void);
+int mutex_test(void);
+#if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
+int memcb_test(void);
+#endif
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+int blob_test(void);
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+int cryptocb_test(void);
+#endif
+#ifdef WOLFSSL_CERT_PIV
+int certpiv_test(void);
+#endif
 
-/* General big buffer size for many tests. */ 
+/* General big buffer size for many tests. */
 #define FOURK_BUF 4096
 
 
-static int err_sys(const char* msg, int es)
+#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
 
+#ifdef HAVE_STACK_SIZE
+static THREAD_RETURN err_sys(const char* msg, int es)
+#else
+static int err_sys(const char* msg, int es)
+#endif
 {
     printf("%s error = %d\n", msg, es);
-    return -1; /* error state */
+
+    EXIT_TEST(-1);
 }
 
-/* func_args from test.h, so don't have to pull in other junk */
+#ifndef HAVE_STACK_SIZE
+/* func_args from test.h, so don't have to pull in other stuff */
 typedef struct func_args {
     int    argc;
     char** argv;
     int    return_code;
 } func_args;
-
+#endif /* !HAVE_STACK_SIZE */
 
 #ifdef HAVE_FIPS
 
@@ -245,90 +472,268 @@ static void myFipsCb(int ok, int err, const char* hash)
 
 #endif /* HAVE_FIPS */
 
+#ifdef WOLFSSL_STATIC_MEMORY
+    #ifdef BENCH_EMBEDDED
+        static byte gTestMemory[14000];
+    #elif defined(WOLFSSL_CERT_EXT)
+        static byte gTestMemory[140000];
+    #elif defined(USE_FAST_MATH) && !defined(ALT_ECC_SIZE)
+        static byte gTestMemory[160000];
+    #else
+        static byte gTestMemory[80000];
+    #endif
+#endif
+
+#ifdef WOLFSSL_PB
+int wolfssl_pb_print(const char* msg, ...)
+{
+    int ret;
+    va_list args;
+    char tmpBuf[80];
+
+    va_start(args, msg);
+    ret = vsprint(tmpBuf, msg, args);
+    va_end(args);
+
+    fnDumpStringToSystemLog(tmpBuf);
 
+    return ret;
+}
+#endif /* WOLFSSL_PB */
+
+/* optional macro to add sleep between tests */
+#ifdef TEST_SLEEP
+    #include <stdarg.h> /* for var args */
+    static WC_INLINE void test_pass(const char* fmt, ...)
+    {
+        va_list args;
+        va_start(args, fmt);
+        printf(fmt, args);
+        va_end(args);
+        TEST_SLEEP();
+    }
+#else
+    /* redirect to printf */
+    #define test_pass printf
+    /* stub the sleep macro */
+    #define TEST_SLEEP()
+#endif
+
+#ifdef HAVE_STACK_SIZE
+THREAD_RETURN WOLFSSL_THREAD wolfcrypt_test(void* args)
+#else
 int wolfcrypt_test(void* args)
+#endif
 {
-    int ret = 0;
+    int ret;
+
+    printf("------------------------------------------------------------------------------\n");
+    printf(" wolfSSL version %s\n", LIBWOLFSSL_VERSION_STRING);
+    printf("------------------------------------------------------------------------------\n");
+
+    if (args)
+        ((func_args*)args)->return_code = -1; /* error state */
+
+#ifdef WOLFSSL_STATIC_MEMORY
+    if (wc_LoadStaticMemory(&HEAP_HINT, gTestMemory, sizeof(gTestMemory),
+                                                WOLFMEM_GENERAL, 1) != 0) {
+        printf("unable to load static memory");
+        return(EXIT_FAILURE);
+    }
+#endif
+
+#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
+    wolfSSL_Debugging_ON();
+#endif
 
-    ((func_args*)args)->return_code = -1; /* error state */
+#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)
+    wc_SetLoggingHeap(HEAP_HINT);
+#endif
 
 #ifdef HAVE_FIPS
     wolfCrypt_SetCb_fips(myFipsCb);
 #endif
 
 #if !defined(NO_BIG_INT)
-    if (CheckCtcSettings() != 1)
-        return err_sys("Build vs runtime math mismatch\n", -1234);
+    if (CheckCtcSettings() != 1) {
+        printf("Sizeof mismatch (build) %x != (run) %x\n",
+            CTC_SETTINGS, CheckRunTimeSettings());
+        return err_sys("Build vs runtime math mismatch\n", -1000);
+    }
 
-#ifdef USE_FAST_MATH
+#if defined(USE_FAST_MATH) && \
+	(!defined(NO_RSA) || !defined(NO_DH) || defined(HAVE_ECC))
     if (CheckFastMathSettings() != 1)
         return err_sys("Build vs runtime fastmath FP_MAX_BITS mismatch\n",
-                       -1235);
+                       -1001);
 #endif /* USE_FAST_MATH */
 #endif /* !NO_BIG_INT */
 
+#if defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_MULTI_ATTRIB)
+initDefaultName();
+#endif
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    ret = wolfAsync_DevOpen(&devId);
+    if (ret < 0) {
+        printf("Async device open failed\nRunning without async\n");
+    }
+#else
+    (void)devId;
+#endif /* WOLFSSL_ASYNC_CRYPT */
+
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    devId = wc_CryptoCb_InitIntelQa();
+    if (INVALID_DEVID == devId) {
+        printf("Couldn't init the Intel QA\n");
+    }
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    devId = wc_CryptoCb_InitOcteon();
+    if (INVALID_DEVID == devId) {
+        printf("Couldn't init the Cavium Octeon\n");
+    }
+#endif
+#endif
+
+#ifdef HAVE_SELFTEST
+    if ( (ret = wolfCrypt_SelfTest()) != 0)
+        return err_sys("CAVP selftest failed!\n", ret);
+    else
+        test_pass("CAVP selftest passed!\n");
+#endif
+
+    if ( (ret = error_test()) != 0)
+        return err_sys("error    test failed!\n", ret);
+    else
+        test_pass("error    test passed!\n");
+
+    if ( (ret = memory_test()) != 0)
+        return err_sys("MEMORY   test failed!\n", ret);
+    else
+        test_pass("MEMORY   test passed!\n");
+
+#ifndef NO_CODING
+    if ( (ret = base64_test()) != 0)
+        return err_sys("base64   test failed!\n", ret);
+    else
+        test_pass("base64   test passed!\n");
+#ifdef WOLFSSL_BASE16
+    if ( (ret = base16_test()) != 0)
+        return err_sys("base16   test failed!\n", ret);
+    else
+        test_pass("base16   test passed!\n");
+#endif
+#endif /* !NO_CODING */
+
+#ifndef NO_ASN
+    if ( (ret = asn_test()) != 0)
+        return err_sys("asn      test failed!\n", ret);
+    else
+        test_pass("asn      test passed!\n");
+#endif
+
+#ifndef WC_NO_RNG
+    if ( (ret = random_test()) != 0)
+        return err_sys("RANDOM   test failed!\n", ret);
+    else
+        test_pass("RANDOM   test passed!\n");
+#endif /* WC_NO_RNG */
 
 #ifndef NO_MD5
     if ( (ret = md5_test()) != 0)
         return err_sys("MD5      test failed!\n", ret);
     else
-        printf( "MD5      test passed!\n");
+        test_pass("MD5      test passed!\n");
 #endif
 
 #ifdef WOLFSSL_MD2
     if ( (ret = md2_test()) != 0)
         return err_sys("MD2      test failed!\n", ret);
     else
-        printf( "MD2      test passed!\n");
+        test_pass("MD2      test passed!\n");
 #endif
 
 #ifndef NO_MD4
     if ( (ret = md4_test()) != 0)
         return err_sys("MD4      test failed!\n", ret);
     else
-        printf( "MD4      test passed!\n");
+        test_pass("MD4      test passed!\n");
 #endif
 
 #ifndef NO_SHA
     if ( (ret = sha_test()) != 0)
         return err_sys("SHA      test failed!\n", ret);
     else
-        printf( "SHA      test passed!\n");
+        test_pass("SHA      test passed!\n");
+#endif
+
+#ifdef WOLFSSL_SHA224
+    if ( (ret = sha224_test()) != 0)
+        return err_sys("SHA-224  test failed!\n", ret);
+    else
+        test_pass("SHA-224  test passed!\n");
 #endif
 
 #ifndef NO_SHA256
     if ( (ret = sha256_test()) != 0)
         return err_sys("SHA-256  test failed!\n", ret);
     else
-        printf( "SHA-256  test passed!\n");
+        test_pass("SHA-256  test passed!\n");
 #endif
 
 #ifdef WOLFSSL_SHA384
     if ( (ret = sha384_test()) != 0)
         return err_sys("SHA-384  test failed!\n", ret);
     else
-        printf( "SHA-384  test passed!\n");
+        test_pass("SHA-384  test passed!\n");
 #endif
 
 #ifdef WOLFSSL_SHA512
     if ( (ret = sha512_test()) != 0)
         return err_sys("SHA-512  test failed!\n", ret);
     else
-        printf( "SHA-512  test passed!\n");
+        test_pass("SHA-512  test passed!\n");
+#endif
+
+#ifdef WOLFSSL_SHA3
+    if ( (ret = sha3_test()) != 0)
+        return err_sys("SHA-3    test failed!\n", ret);
+    else
+        test_pass("SHA-3    test passed!\n");
+#endif
+
+#ifdef WOLFSSL_SHAKE256
+    if ( (ret = shake256_test()) != 0)
+        return err_sys("SHAKE256 test failed!\n", ret);
+    else
+        test_pass("SHAKE256 test passed!\n");
 #endif
 
+    if ( (ret = hash_test()) != 0)
+        return err_sys("Hash     test failed!\n", ret);
+    else
+        test_pass("Hash     test passed!\n");
+
 #ifdef WOLFSSL_RIPEMD
     if ( (ret = ripemd_test()) != 0)
         return err_sys("RIPEMD   test failed!\n", ret);
     else
-        printf( "RIPEMD   test passed!\n");
+        test_pass("RIPEMD   test passed!\n");
 #endif
 
 #ifdef HAVE_BLAKE2
     if ( (ret = blake2b_test()) != 0)
         return err_sys("BLAKE2b  test failed!\n", ret);
     else
-        printf( "BLAKE2b  test passed!\n");
+        test_pass("BLAKE2b  test passed!\n");
+#endif
+#ifdef HAVE_BLAKE2S
+    if ( (ret = blake2s_test()) != 0)
+        return err_sys("BLAKE2s  test failed!\n", ret);
+    else
+        test_pass("BLAKE2s  test passed!\n");
 #endif
 
 #ifndef NO_HMAC
@@ -336,134 +741,185 @@ int wolfcrypt_test(void* args)
         if ( (ret = hmac_md5_test()) != 0)
             return err_sys("HMAC-MD5 test failed!\n", ret);
         else
-            printf( "HMAC-MD5 test passed!\n");
+            test_pass("HMAC-MD5 test passed!\n");
     #endif
 
     #ifndef NO_SHA
     if ( (ret = hmac_sha_test()) != 0)
         return err_sys("HMAC-SHA test failed!\n", ret);
     else
-        printf( "HMAC-SHA test passed!\n");
+        test_pass("HMAC-SHA test passed!\n");
+    #endif
+
+    #ifdef WOLFSSL_SHA224
+        if ( (ret = hmac_sha224_test()) != 0)
+            return err_sys("HMAC-SHA224 test failed!\n", ret);
+        else
+            test_pass("HMAC-SHA224 test passed!\n");
     #endif
 
     #ifndef NO_SHA256
         if ( (ret = hmac_sha256_test()) != 0)
             return err_sys("HMAC-SHA256 test failed!\n", ret);
         else
-            printf( "HMAC-SHA256 test passed!\n");
+            test_pass("HMAC-SHA256 test passed!\n");
     #endif
 
     #ifdef WOLFSSL_SHA384
         if ( (ret = hmac_sha384_test()) != 0)
             return err_sys("HMAC-SHA384 test failed!\n", ret);
         else
-            printf( "HMAC-SHA384 test passed!\n");
+            test_pass("HMAC-SHA384 test passed!\n");
     #endif
 
     #ifdef WOLFSSL_SHA512
         if ( (ret = hmac_sha512_test()) != 0)
             return err_sys("HMAC-SHA512 test failed!\n", ret);
         else
-            printf( "HMAC-SHA512 test passed!\n");
+            test_pass("HMAC-SHA512 test passed!\n");
     #endif
 
-    #ifdef HAVE_BLAKE2
-        if ( (ret = hmac_blake2b_test()) != 0)
-            return err_sys("HMAC-BLAKE2 test failed!\n", ret);
+    #if !defined(NO_HMAC) && defined(WOLFSSL_SHA3) && \
+      !defined(WOLFSSL_NOSHA3_224) && !defined(WOLFSSL_NOSHA3_256) && \
+      !defined(WOLFSSL_NOSHA3_384) && !defined(WOLFSSL_NOSHA3_512)
+        if ( (ret = hmac_sha3_test()) != 0)
+            return err_sys("HMAC-SHA3   test failed!\n", ret);
         else
-            printf( "HMAC-BLAKE2 test passed!\n");
+            test_pass("HMAC-SHA3   test passed!\n");
     #endif
 
     #ifdef HAVE_HKDF
         if ( (ret = hkdf_test()) != 0)
             return err_sys("HMAC-KDF    test failed!\n", ret);
         else
-            printf( "HMAC-KDF    test passed!\n");
+            test_pass("HMAC-KDF    test passed!\n");
     #endif
+#endif /* !NO_HMAC */
 
+#if defined(HAVE_X963_KDF) && defined(HAVE_ECC)
+    if ( (ret = x963kdf_test()) != 0)
+        return err_sys("X963-KDF    test failed!\n", ret);
+    else
+        test_pass("X963-KDF    test passed!\n");
 #endif
 
-#ifdef HAVE_AESGCM
+#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128) && \
+   !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
     if ( (ret = gmac_test()) != 0)
-        return err_sys("GMAC     test passed!\n", ret);
+        return err_sys("GMAC     test failed!\n", ret);
     else
-        printf( "GMAC     test passed!\n");
+        test_pass("GMAC     test passed!\n");
 #endif
 
 #ifndef NO_RC4
     if ( (ret = arc4_test()) != 0)
         return err_sys("ARC4     test failed!\n", ret);
     else
-        printf( "ARC4     test passed!\n");
+        test_pass("ARC4     test passed!\n");
 #endif
 
 #ifndef NO_HC128
     if ( (ret = hc128_test()) != 0)
         return err_sys("HC-128   test failed!\n", ret);
     else
-        printf( "HC-128   test passed!\n");
+        test_pass("HC-128   test passed!\n");
 #endif
 
 #ifndef NO_RABBIT
     if ( (ret = rabbit_test()) != 0)
         return err_sys("Rabbit   test failed!\n", ret);
     else
-        printf( "Rabbit   test passed!\n");
+        test_pass("Rabbit   test passed!\n");
 #endif
 
 #ifdef HAVE_CHACHA
     if ( (ret = chacha_test()) != 0)
         return err_sys("Chacha   test failed!\n", ret);
     else
-        printf( "Chacha   test passed!\n");
+        test_pass("Chacha   test passed!\n");
 #endif
 
 #ifdef HAVE_POLY1305
     if ( (ret = poly1305_test()) != 0)
         return err_sys("POLY1305 test failed!\n", ret);
     else
-        printf( "POLY1305 test passed!\n");
+        test_pass("POLY1305 test passed!\n");
 #endif
 
 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
     if ( (ret = chacha20_poly1305_aead_test()) != 0)
         return err_sys("ChaCha20-Poly1305 AEAD test failed!\n", ret);
     else
-        printf( "ChaCha20-Poly1305 AEAD test passed!\n");
+        test_pass("ChaCha20-Poly1305 AEAD test passed!\n");
 #endif
 
 #ifndef NO_DES3
     if ( (ret = des_test()) != 0)
         return err_sys("DES      test failed!\n", ret);
     else
-        printf( "DES      test passed!\n");
+        test_pass("DES      test passed!\n");
 #endif
 
 #ifndef NO_DES3
     if ( (ret = des3_test()) != 0)
         return err_sys("DES3     test failed!\n", ret);
     else
-        printf( "DES3     test passed!\n");
+        test_pass("DES3     test passed!\n");
 #endif
 
 #ifndef NO_AES
     if ( (ret = aes_test()) != 0)
         return err_sys("AES      test failed!\n", ret);
     else
-        printf( "AES      test passed!\n");
+        test_pass("AES      test passed!\n");
+
+#ifdef WOLFSSL_AES_192
+    if ( (ret = aes192_test()) != 0)
+        return err_sys("AES192   test failed!\n", ret);
+    else
+        test_pass("AES192   test passed!\n");
+#endif
+
+#ifdef WOLFSSL_AES_256
+    if ( (ret = aes256_test()) != 0)
+        return err_sys("AES256   test failed!\n", ret);
+    else
+        test_pass("AES256   test passed!\n");
+#endif
+
+#ifdef WOLFSSL_AES_OFB
+    if ( (ret = aesofb_test()) != 0)
+        return err_sys("AES-OFB  test failed!\n", ret);
+    else
+        test_pass("AESOFB   test passed!\n");
+#endif
 
 #ifdef HAVE_AESGCM
+    #if !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_DEVCRYPTO)
     if ( (ret = aesgcm_test()) != 0)
         return err_sys("AES-GCM  test failed!\n", ret);
-    else
-        printf( "AES-GCM  test passed!\n");
+    #endif
+    #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
+        !(defined(WOLF_CRYPTO_CB) && \
+            (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
+    if ((ret = aesgcm_default_test()) != 0) {
+        return err_sys("AES-GCM  test failed!\n", ret);
+    }
+    #endif
+    test_pass("AES-GCM  test passed!\n");
 #endif
 
-#ifdef HAVE_AESCCM
+#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
     if ( (ret = aesccm_test()) != 0)
         return err_sys("AES-CCM  test failed!\n", ret);
     else
-        printf( "AES-CCM  test passed!\n");
+        test_pass("AES-CCM  test passed!\n");
+#endif
+#ifdef HAVE_AES_KEYWRAP
+    if ( (ret = aeskeywrap_test()) != 0)
+        return err_sys("AES Key Wrap test failed!\n", ret);
+    else
+        test_pass("AES Key Wrap test passed!\n");
 #endif
 #endif
 
@@ -471,159 +927,675 @@ int wolfcrypt_test(void* args)
     if ( (ret = camellia_test()) != 0)
         return err_sys("CAMELLIA test failed!\n", ret);
     else
-        printf( "CAMELLIA test passed!\n");
+        test_pass("CAMELLIA test passed!\n");
 #endif
 
-    if ( (ret = random_test()) != 0)
-        return err_sys("RANDOM   test failed!\n", ret);
+#ifdef HAVE_IDEA
+    if ( (ret = idea_test()) != 0)
+        return err_sys("IDEA     test failed!\n", ret);
     else
-        printf( "RANDOM   test passed!\n");
+        test_pass("IDEA     test passed!\n");
+#endif
 
 #ifndef NO_RSA
+    #ifdef WC_RSA_NO_PADDING
+    if ( (ret = rsa_no_pad_test()) != 0)
+        return err_sys("RSA NOPAD test failed!\n", ret);
+    else
+        test_pass("RSA NOPAD test passed!\n");
+    #endif
     if ( (ret = rsa_test()) != 0)
         return err_sys("RSA      test failed!\n", ret);
     else
-        printf( "RSA      test passed!\n");
+        test_pass("RSA      test passed!\n");
 #endif
 
 #ifndef NO_DH
     if ( (ret = dh_test()) != 0)
         return err_sys("DH       test failed!\n", ret);
     else
-        printf( "DH       test passed!\n");
+        test_pass("DH       test passed!\n");
 #endif
 
 #ifndef NO_DSA
     if ( (ret = dsa_test()) != 0)
         return err_sys("DSA      test failed!\n", ret);
     else
-        printf( "DSA      test passed!\n");
+        test_pass("DSA      test passed!\n");
+#endif
+
+#ifdef WOLFCRYPT_HAVE_SRP
+    if ( (ret = srp_test()) != 0)
+        return err_sys("SRP      test failed!\n", ret);
+    else
+        test_pass("SRP      test passed!\n");
 #endif
 
 #ifndef NO_PWDBASED
     if ( (ret = pwdbased_test()) != 0)
         return err_sys("PWDBASED test failed!\n", ret);
     else
-        printf( "PWDBASED test passed!\n");
+        test_pass("PWDBASED test passed!\n");
 #endif
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
     if ( (ret = openssl_test()) != 0)
         return err_sys("OPENSSL  test failed!\n", ret);
     else
-        printf( "OPENSSL  test passed!\n");
+        test_pass("OPENSSL  test passed!\n");
+
+    if ( (ret = openSSL_evpMD_test()) != 0)
+        return err_sys("OPENSSL (EVP MD) test failed!\n", ret);
+    else
+        test_pass("OPENSSL (EVP MD) passed!\n");
+
+    if ( (ret = openssl_pkey0_test()) != 0)
+        return err_sys("OPENSSL (PKEY0) test failed!\n", ret);
+    else
+        test_pass("OPENSSL (PKEY0) passed!\n");
+
+    if ( (ret = openssl_pkey1_test()) != 0)
+        return err_sys("OPENSSL (PKEY1) test failed!\n", ret);
+    else
+        test_pass("OPENSSL (PKEY1) passed!\n");
+
+    if ( (ret = openssl_evpSig_test()) != 0)
+        return err_sys("OPENSSL (EVP Sign/Verify) test failed!\n", ret);
+    else
+        test_pass("OPENSSL (EVP Sign/Verify) passed!\n");
+
 #endif
 
 #ifdef HAVE_ECC
     if ( (ret = ecc_test()) != 0)
         return err_sys("ECC      test failed!\n", ret);
     else
-        printf( "ECC      test passed!\n");
-    #ifdef HAVE_ECC_ENCRYPT
+        test_pass("ECC      test passed!\n");
+    #if defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128)
         if ( (ret = ecc_encrypt_test()) != 0)
             return err_sys("ECC Enc  test failed!\n", ret);
         else
-            printf( "ECC Enc  test passed!\n");
+            test_pass("ECC Enc  test passed!\n");
     #endif
+    #ifdef USE_CERT_BUFFERS_256
+        if ( (ret = ecc_test_buffers()) != 0)
+            return err_sys("ECC buffer test failed!\n", ret);
+        else
+            test_pass("ECC buffer test passed!\n");
+    #endif
+#endif
+
+#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
+    !defined(NO_FILESYSTEM)
+    if ( (ret = cert_test()) != 0)
+        return err_sys("CERT     test failed!\n", ret);
+    else
+        test_pass("CERT     test passed!\n");
+#endif
+
+#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
+   !defined(NO_FILESYSTEM)
+    if ( (ret = certext_test()) != 0)
+        return err_sys("CERT EXT test failed!\n", ret);
+    else
+        test_pass("CERT EXT test passed!\n");
+#endif
+
+#if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
+    if ( (ret = decodedCertCache_test()) != 0)
+        return err_sys("DECODED CERT CACHE test failed!\n", ret);
+    else
+        test_pass("DECODED CERT CACHE test passed!\n");
 #endif
 
 #ifdef HAVE_CURVE25519
     if ( (ret = curve25519_test()) != 0)
         return err_sys("CURVE25519 test failed!\n", ret);
     else
-        printf( "CURVE25519 test passed!\n");
+        test_pass("CURVE25519 test passed!\n");
 #endif
 
 #ifdef HAVE_ED25519
     if ( (ret = ed25519_test()) != 0)
         return err_sys("ED25519  test failed!\n", ret);
     else
-        printf( "ED25519  test passed!\n");
+        test_pass("ED25519  test passed!\n");
+#endif
+
+#ifdef HAVE_CURVE448
+    if ( (ret = curve448_test()) != 0)
+        return err_sys("CURVE448 test failed!\n", ret);
+    else
+        test_pass("CURVE448 test passed!\n");
+#endif
+
+#ifdef HAVE_ED448
+    if ( (ret = ed448_test()) != 0)
+        return err_sys("ED448  test failed!\n", ret);
+    else
+        test_pass("ED448  test passed!\n");
+#endif
+
+#if defined(WOLFSSL_CMAC) && !defined(NO_AES)
+    if ( (ret = cmac_test()) != 0)
+        return err_sys("CMAC     test failed!\n", ret);
+    else
+        test_pass("CMAC     test passed!\n");
 #endif
 
 #ifdef HAVE_LIBZ
     if ( (ret = compress_test()) != 0)
         return err_sys("COMPRESS test failed!\n", ret);
     else
-        printf( "COMPRESS test passed!\n");
+        test_pass("COMPRESS test passed!\n");
 #endif
 
 #ifdef HAVE_PKCS7
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        if ( (ret = pkcs7encrypted_test()) != 0)
+            return err_sys("PKCS7encrypted  test failed!\n", ret);
+        else
+            test_pass("PKCS7encrypted  test passed!\n");
+    #endif
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        if ( (ret = pkcs7compressed_test()) != 0)
+            return err_sys("PKCS7compressed test failed!\n", ret);
+        else
+            test_pass("PKCS7compressed test passed!\n");
+    #endif
+    if ( (ret = pkcs7signed_test()) != 0)
+        return err_sys("PKCS7signed     test failed!\n", ret);
+    else
+        test_pass("PKCS7signed     test passed!\n");
+
     if ( (ret = pkcs7enveloped_test()) != 0)
-        return err_sys("PKCS7enveloped test failed!\n", ret);
+        return err_sys("PKCS7enveloped  test failed!\n", ret);
     else
-        printf( "PKCS7enveloped test passed!\n");
+        test_pass("PKCS7enveloped  test passed!\n");
 
-    if ( (ret = pkcs7signed_test()) != 0)
-        return err_sys("PKCS7signed    test failed!\n", ret);
+    #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+        if ( (ret = pkcs7authenveloped_test()) != 0)
+            return err_sys("PKCS7authenveloped  test failed!\n", ret);
+        else
+            test_pass("PKCS7authenveloped  test passed!\n");
+    #endif
+#endif
+
+#ifdef HAVE_VALGRIND
+    if ( (ret = mp_test()) != 0)
+        return err_sys("mp       test failed!\n", ret);
     else
-        printf( "PKCS7signed    test passed!\n");
+        test_pass("mp       test passed!\n");
 #endif
 
-    ((func_args*)args)->return_code = ret;
+#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
+    if ( (ret = prime_test()) != 0)
+        return err_sys("prime    test failed!\n", ret);
+    else
+        test_pass("prime    test passed!\n");
+#endif
 
-    return ret;
-}
+#if defined(ASN_BER_TO_DER) && \
+    (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
+     defined(OPENSSL_EXTRA_X509_SMALL))
+    if ( (ret = berder_test()) != 0)
+        return err_sys("ber-der  test failed!\n", ret);
+    else
+        test_pass("ber-der  test passed!\n");
+#endif
+
+    if ( (ret = logging_test()) != 0)
+        return err_sys("logging  test failed!\n", ret);
+    else
+        test_pass("logging  test passed!\n");
 
+    if ( (ret = mutex_test()) != 0)
+        return err_sys("mutex    test failed!\n", ret);
+    else
+        test_pass("mutex    test passed!\n");
 
-#ifndef NO_MAIN_DRIVER
+#if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
+    if ( (ret = memcb_test()) != 0)
+        return err_sys("memcb    test failed!\n", ret);
+    else
+        test_pass("memcb    test passed!\n");
+#endif
 
-#ifdef HAVE_CAVIUM
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+    if ( (ret = blob_test()) != 0)
+        return err_sys("blob     test failed!\n", ret);
+    else
+        test_pass("blob     test passed!\n");
+#endif
 
-static int OpenNitroxDevice(int dma_mode,int dev_id)
-{
-   Csp1CoreAssignment core_assign;
-   Uint32             device;
+#if defined(WOLF_CRYPTO_CB) && \
+    !(defined(HAVE_INTEL_QAT_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))
+    if ( (ret = cryptocb_test()) != 0)
+        return err_sys("crypto callback test failed!\n", ret);
+    else
+        test_pass("crypto callback test passed!\n");
+#endif
 
-   if (CspInitialize(CAVIUM_DIRECT,CAVIUM_DEV_ID))
-      return -1;
-   if (Csp1GetDevType(&device))
-      return -1;
-   if (device != NPX_DEVICE) {
-      if (ioctl(gpkpdev_hdlr[CAVIUM_DEV_ID], IOCTL_CSP1_GET_CORE_ASSIGNMENT,
-                (Uint32 *)&core_assign)!= 0)
-         return -1;
-   }
-   CspShutdown(CAVIUM_DEV_ID);
+#ifdef WOLFSSL_CERT_PIV
+    if ( (ret = certpiv_test()) != 0)
+        return err_sys("cert piv test failed!\n", ret);
+    else
+        test_pass("cert piv test passed!\n");
+#endif
 
-   return CspInitialize(dma_mode, dev_id);
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    wc_CryptoCb_CleanupIntelQa(&devId);
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    wc_CryptoCb_CleanupOcteon(&devId);
+#endif
+#endif
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    wolfAsync_DevClose(&devId);
+#endif
+
+    /* cleanup the thread if fixed point cache is enabled and have thread local */
+#if defined(HAVE_THREAD_LS) && defined(HAVE_ECC) && defined(FP_ECC)
+    wc_ecc_fp_free();
+#endif
+
+    if (args)
+        ((func_args*)args)->return_code = ret;
+
+    test_pass("Test complete\n");
+
+    EXIT_TEST(ret);
 }
 
-#endif /* HAVE_CAVIUM */
 
-    /* so overall tests can pull in test function */
+#ifndef NO_MAIN_DRIVER
 
+    /* so overall tests can pull in test function */
+#ifdef WOLFSSL_ESPIDF
+    void app_main( )
+#else
     int main(int argc, char** argv)
+#endif
     {
-
+        int ret;
         func_args args;
+#ifdef WOLFSSL_ESPIDF
+        /* set dummy wallclock time. */
+        struct timeval utctime;
+        struct timezone tz;
+        utctime.tv_sec = 1521725159; /* dummy time: 2018-03-22T13:25:59+00:00 */
+        utctime.tv_usec = 0;
+        tz.tz_minuteswest = 0;
+        tz.tz_dsttime = 0;
+        settimeofday(&utctime, &tz);
+#endif
+#ifdef WOLFSSL_APACHE_MYNEWT
+        #ifdef ARCH_sim
+        mcu_sim_parse_args(argc, argv);
+        #endif
+        sysinit();
+
+        /* set dummy wallclock time. */
+        struct os_timeval utctime;
+        struct os_timezone tz;
+        utctime.tv_sec = 1521725159; /* dummy time: 2018-03-22T13:25:59+00:00 */
+        utctime.tv_usec = 0;
+        tz.tz_minuteswest = 0;
+        tz.tz_dsttime = 0;
+        os_settimeofday(&utctime, &tz);
+#endif
 
-
-#ifdef HAVE_CAVIUM
-        int ret = OpenNitroxDevice(CAVIUM_DIRECT, CAVIUM_DEV_ID);
-        if (ret != 0) {
-            err_sys("Cavium OpenNitroxDevice failed", -1236);
-            return -1236;
+#ifdef HAVE_WNR
+        if (wc_InitNetRandom(wnrConfigFile, NULL, 5000) != 0) {
+            err_sys("Whitewood netRandom global config failed", -1001);
+            return -1002;
         }
-#endif /* HAVE_CAVIUM */
-
+#endif
+#ifndef WOLFSSL_ESPIDF
         args.argc = argc;
         args.argv = argv;
+#endif
+        if ((ret = wolfCrypt_Init()) != 0) {
+            printf("wolfCrypt_Init failed %d\n", ret);
+            err_sys("Error with wolfCrypt_Init!\n", -1003);
+        }
 
+    #ifdef HAVE_STACK_SIZE
+        StackSizeCheck(&args, wolfcrypt_test);
+    #else
         wolfcrypt_test(&args);
+    #endif
 
-#ifdef HAVE_CAVIUM
-        CspShutdown(CAVIUM_DEV_ID);
-#endif
+        if ((ret = wolfCrypt_Cleanup()) != 0) {
+            printf("wolfCrypt_Cleanup failed %d\n", ret);
+            err_sys("Error with wolfCrypt_Cleanup!\n", -1004);
+        }
 
+#ifdef HAVE_WNR
+        if (wc_FreeNetRandom() < 0)
+            err_sys("Failed to free netRandom context", -1005);
+#endif /* HAVE_WNR */
+#ifndef WOLFSSL_ESPIDF
         return args.return_code;
+#endif
     }
 
 #endif /* NO_MAIN_DRIVER */
 
+/* helper to save DER, convert to PEM and save PEM */
+#if !defined(NO_ASN) && (!defined(NO_RSA) || defined(HAVE_ECC)) && \
+    (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN))
+
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB)
+#else
+#define SaveDerAndPem(d, dSz, p, pSz, fD, fP, pT, eB) _SaveDerAndPem(d, dSz, p, pSz, NULL, NULL, pT, eB)
+#endif
+
+static int _SaveDerAndPem(const byte* der, int derSz,
+    byte* pem, int pemSz, const char* fileDer,
+    const char* filePem, int pemType, int errBase)
+{
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+    int ret;
+    XFILE derFile;
+
+    derFile = XFOPEN(fileDer, "wb");
+    if (!derFile) {
+        return errBase + 0;
+    }
+    ret = (int)XFWRITE(der, 1, derSz, derFile);
+    XFCLOSE(derFile);
+    if (ret != derSz) {
+        return errBase + 1;
+    }
+#endif
+
+    if (pem && filePem) {
+    #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+        XFILE pemFile;
+    #endif
+    #ifdef WOLFSSL_DER_TO_PEM
+        pemSz = wc_DerToPem(der, derSz, pem, pemSz, pemType);
+        if (pemSz < 0) {
+            return errBase + 2;
+        }
+    #endif
+    #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+        pemFile = XFOPEN(filePem, "wb");
+        if (!pemFile) {
+            return errBase + 3;
+        }
+        ret = (int)XFWRITE(pem, 1, pemSz, pemFile);
+        XFCLOSE(pemFile);
+        if (ret != pemSz) {
+            return errBase + 4;
+        }
+    #endif
+    }
+
+    /* suppress unused variable warnings */
+    (void)filePem;
+    (void)fileDer;
+
+    return 0;
+}
+#endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */
+
+int error_test(void)
+{
+    const char* errStr;
+    char        out[WOLFSSL_MAX_ERROR_SZ];
+    const char* unknownStr = wc_GetErrorString(0);
+
+#ifdef NO_ERROR_STRINGS
+    /* Ensure a valid error code's string matches an invalid code's.
+     * The string is that error strings are not available.
+     */
+    errStr = wc_GetErrorString(OPEN_RAN_E);
+    wc_ErrorString(OPEN_RAN_E, out);
+    if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
+        return -1100;
+    if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
+        return -1101;
+#else
+    int i;
+    int j = 0;
+    /* Values that are not or no longer error codes. */
+    int missing[] = { -122, -123, -124,       -127, -128, -129,
+                      -163, -164, -165, -166, -167, -168, -169,
+                      -179,       -233,
+                      0 };
+
+    /* Check that all errors have a string and it's the same through the two
+     * APIs. Check that the values that are not errors map to the unknown
+     * string.
+     */
+    for (i = MAX_CODE_E-1; i >= WC_LAST_E; i--) {
+        errStr = wc_GetErrorString(i);
+        wc_ErrorString(i, out);
+
+        if (i != missing[j]) {
+            if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) == 0)
+                return -1102;
+            if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) == 0)
+                return -1103;
+            if (XSTRNCMP(errStr, out, XSTRLEN(errStr)) != 0)
+                return -1104;
+            if (XSTRLEN(errStr) >= WOLFSSL_MAX_ERROR_SZ)
+                return -1105;
+        }
+        else {
+            j++;
+            if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
+                return -1106;
+            if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
+                return -1107;
+        }
+    }
+
+    /* Check if the next possible value has been given a string. */
+    errStr = wc_GetErrorString(i);
+    wc_ErrorString(i, out);
+    if (XSTRNCMP(errStr, unknownStr, XSTRLEN(unknownStr)) != 0)
+        return -1108;
+    if (XSTRNCMP(out, unknownStr, XSTRLEN(unknownStr)) != 0)
+        return -1109;
+#endif
+
+    return 0;
+}
+
+#ifndef NO_CODING
+
+int base64_test(void)
+{
+    int        ret;
+    const byte good[] = "A+Gd\0\0\0";
+    const byte goodEnd[] = "A+Gd \r\n";
+    byte       out[128];
+    word32     outLen;
+#ifdef WOLFSSL_BASE64_ENCODE
+    byte       data[3];
+    word32     dataLen;
+    byte       longData[79] = { 0 };
+    const byte symbols[] = "+/A=";
+#endif
+    const byte badSmall[] = "AAA Gdj=";
+    const byte badLarge[] = "AAA~Gdj=";
+    const byte badEOL[] = "A+Gd AA";
+    int        i;
+
+    /* Good Base64 encodings. */
+    outLen = sizeof(out);
+    ret = Base64_Decode(good, sizeof(good), out, &outLen);
+    if (ret != 0)
+        return -1200;
+    outLen = sizeof(out);
+    ret = Base64_Decode(goodEnd, sizeof(goodEnd), out, &outLen);
+    if (ret != 0)
+        return -1201;
+
+    /* Bad parameters. */
+    outLen = 1;
+    ret = Base64_Decode(good, sizeof(good), out, &outLen);
+    if (ret != BAD_FUNC_ARG)
+        return -1202;
+
+    outLen = sizeof(out);
+    ret = Base64_Decode(badEOL, sizeof(badEOL), out, &outLen);
+    if (ret != ASN_INPUT_E)
+        return -1203;
+    /* Bad character at each offset 0-3. */
+    for (i = 0; i < 4; i++) {
+        outLen = sizeof(out);
+        ret = Base64_Decode(badSmall + i, 4, out, &outLen);
+        if (ret != ASN_INPUT_E)
+            return -1204 - i;
+        ret = Base64_Decode(badLarge + i, 4, out, &outLen);
+        if (ret != ASN_INPUT_E)
+            return -1214 - i;
+    }
+
+#ifdef WOLFSSL_BASE64_ENCODE
+    /* Decode and encode all symbols - non-alphanumeric. */
+    dataLen = sizeof(data);
+    ret = Base64_Decode(symbols, sizeof(symbols), data, &dataLen);
+    if (ret != 0)
+        return -1224;
+    outLen = sizeof(out);
+    ret = Base64_Encode(data, dataLen, NULL, &outLen);
+    if (ret != LENGTH_ONLY_E)
+        return -1225;
+    outLen = sizeof(out);
+    ret = Base64_Encode(data, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1226;
+    outLen = 7;
+    ret = Base64_EncodeEsc(data, dataLen, out, &outLen);
+    if (ret != BUFFER_E)
+        return -1227;
+    outLen = sizeof(out);
+    ret = Base64_EncodeEsc(data, dataLen, NULL, &outLen);
+    if (ret != LENGTH_ONLY_E)
+        return -1228;
+    outLen = sizeof(out);
+    ret = Base64_EncodeEsc(data, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1229;
+    outLen = sizeof(out);
+    ret = Base64_Encode_NoNl(data, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1230;
+
+    /* Data that results in an encoding longer than one line. */
+    outLen = sizeof(out);
+    dataLen = sizeof(longData);
+    ret = Base64_Encode(longData, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1231;
+    outLen = sizeof(out);
+    ret = Base64_EncodeEsc(longData, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1232;
+    outLen = sizeof(out);
+    ret = Base64_Encode_NoNl(longData, dataLen, out, &outLen);
+    if (ret != 0)
+        return -1233;
+#endif
+
+    return 0;
+}
+
+#ifdef WOLFSSL_BASE16
+int base16_test(void)
+{
+    int ret;
+    const byte testData[] = "SomeDataToEncode\n";
+    const byte encodedTestData[] = "536F6D6544617461546F456E636F64650A00";
+    byte   encoded[40];
+    word32 encodedLen;
+    byte   plain[40];
+    word32 len;
+
+    /* length returned includes null termination */
+    encodedLen = sizeof(encoded);
+    ret = Base16_Encode(testData, sizeof(testData), encoded, &encodedLen);
+    if (ret != 0)
+        return -1300;
+
+    len = (word32)XSTRLEN((char*)encoded);
+    if (len != encodedLen - 1)
+        return -1301;
+
+    len = sizeof(plain);
+    ret = Base16_Decode(encoded, encodedLen - 1, plain, &len);
+    if (ret != 0)
+        return -1302;
+
+    if (len != sizeof(testData) || XMEMCMP(testData, plain, len) != 0)
+        return -1303;
+
+    if (encodedLen != sizeof(encodedTestData) ||
+        XMEMCMP(encoded, encodedTestData, encodedLen) != 0) {
+        return -1304;
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_BASE16 */
+#endif /* !NO_CODING */
+
+#ifndef NO_ASN
+int asn_test(void)
+{
+    int ret;
+    /* ASN1 encoded date buffer */
+    const byte dateBuf[] = {0x17, 0x0d, 0x31, 0x36, 0x30, 0x38, 0x31, 0x31,
+                            0x32, 0x30, 0x30, 0x37, 0x33, 0x37, 0x5a};
+    byte format;
+    int length;
+    const byte* datePart;
+#ifndef NO_ASN_TIME
+    struct tm timearg;
+    time_t now;
+#endif
+
+    ret = wc_GetDateInfo(dateBuf, (int)sizeof(dateBuf), &datePart, &format,
+                         &length);
+    if (ret != 0)
+        return -1400;
+
+#ifndef NO_ASN_TIME
+    /* Parameter Validation tests. */
+    if (wc_GetTime(NULL, sizeof(now)) != BAD_FUNC_ARG)
+        return -1401;
+    if (wc_GetTime(&now, 0) != BUFFER_E)
+        return -1402;
+
+    now = 0;
+    if (wc_GetTime(&now, sizeof(now)) != 0) {
+        return -1403;
+    }
+    if (now == 0) {
+        printf("RTC/Time not set!\n");
+        return -1404;
+    }
+
+    ret = wc_GetDateAsCalendarTime(datePart, length, format, &timearg);
+    if (ret != 0)
+        return -1405;
+#endif /* !NO_ASN_TIME */
+
+    return 0;
+}
+#endif /* !NO_ASN */
 
 #ifdef WOLFSSL_MD2
-int md2_test()
+int md2_test(void)
 {
     Md2  md2;
     byte hash[MD2_DIGEST_SIZE];
@@ -635,45 +1607,45 @@ int md2_test()
     a.input  = "";
     a.output = "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69"
                "\x27\x73";
-    a.inLen  = strlen(a.input);
+    a.inLen  = XSTRLEN(a.input);
     a.outLen = MD2_DIGEST_SIZE;
 
     b.input  = "a";
     b.output = "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0"
                "\xb5\xd1";
-    b.inLen  = strlen(b.input);
+    b.inLen  = XSTRLEN(b.input);
     b.outLen = MD2_DIGEST_SIZE;
 
     c.input  = "abc";
     c.output = "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde"
                "\xd6\xbb";
-    c.inLen  = strlen(c.input);
+    c.inLen  = XSTRLEN(c.input);
     c.outLen = MD2_DIGEST_SIZE;
 
     d.input  = "message digest";
     d.output = "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe"
                "\x06\xb0";
-    d.inLen  = strlen(d.input);
+    d.inLen  = XSTRLEN(d.input);
     d.outLen = MD2_DIGEST_SIZE;
 
     e.input  = "abcdefghijklmnopqrstuvwxyz";
     e.output = "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47"
                "\x94\x0b";
-    e.inLen  = strlen(e.input);
+    e.inLen  = XSTRLEN(e.input);
     e.outLen = MD2_DIGEST_SIZE;
 
     f.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
                "6789";
     f.output = "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03"
                "\x38\xcd";
-    f.inLen  = strlen(f.input);
+    f.inLen  = XSTRLEN(f.input);
     f.outLen = MD2_DIGEST_SIZE;
 
     g.input  = "1234567890123456789012345678901234567890123456789012345678"
                "9012345678901234567890";
     g.output = "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3"
                "\xef\xd8";
-    g.inLen  = strlen(g.input);
+    g.inLen  = XSTRLEN(g.input);
     g.outLen = MD2_DIGEST_SIZE;
 
     test_md2[0] = a;
@@ -690,8 +1662,8 @@ int md2_test()
         wc_Md2Update(&md2, (byte*)test_md2[i].input, (word32)test_md2[i].inLen);
         wc_Md2Final(&md2, hash);
 
-        if (memcmp(hash, test_md2[i].output, MD2_DIGEST_SIZE) != 0)
-            return -155 - i;
+        if (XMEMCMP(hash, test_md2[i].output, MD2_DIGEST_SIZE) != 0)
+            return -1500 - i;
     }
 
     return 0;
@@ -701,62 +1673,126 @@ int md2_test()
 #ifndef NO_MD5
 int md5_test(void)
 {
-    Md5  md5;
-    byte hash[MD5_DIGEST_SIZE];
-
-    testVector a, b, c, d, e;
-    testVector test_md5[5];
+    int ret = 0;
+    wc_Md5 md5, md5Copy;
+    byte hash[WC_MD5_DIGEST_SIZE];
+    byte hashcopy[WC_MD5_DIGEST_SIZE];
+    testVector a, b, c, d, e, f;
+    testVector test_md5[6];
     int times = sizeof(test_md5) / sizeof(testVector), i;
 
-    a.input  = "abc";
-    a.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f"
+    a.input  = "";
+    a.output = "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42"
+               "\x7e";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_MD5_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f"
                "\x72";
-    a.inLen  = strlen(a.input);
-    a.outLen = MD5_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_MD5_DIGEST_SIZE;
 
-    b.input  = "message digest";
-    b.output = "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61"
+    c.input  = "message digest";
+    c.output = "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61"
                "\xd0";
-    b.inLen  = strlen(b.input);
-    b.outLen = MD5_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_MD5_DIGEST_SIZE;
 
-    c.input  = "abcdefghijklmnopqrstuvwxyz";
-    c.output = "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00\x7d\xfb\x49\x6c\xca\x67\xe1"
+    d.input  = "abcdefghijklmnopqrstuvwxyz";
+    d.output = "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00\x7d\xfb\x49\x6c\xca\x67\xe1"
                "\x3b";
-    c.inLen  = strlen(c.input);
-    c.outLen = MD5_DIGEST_SIZE;
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_MD5_DIGEST_SIZE;
 
-    d.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
+    e.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
                "6789";
-    d.output = "\xd1\x74\xab\x98\xd2\x77\xd9\xf5\xa5\x61\x1c\x2c\x9f\x41\x9d"
+    e.output = "\xd1\x74\xab\x98\xd2\x77\xd9\xf5\xa5\x61\x1c\x2c\x9f\x41\x9d"
                "\x9f";
-    d.inLen  = strlen(d.input);
-    d.outLen = MD5_DIGEST_SIZE;
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_MD5_DIGEST_SIZE;
 
-    e.input  = "1234567890123456789012345678901234567890123456789012345678"
+    f.input  = "1234567890123456789012345678901234567890123456789012345678"
                "9012345678901234567890";
-    e.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6"
+    f.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6"
                "\x7a";
-    e.inLen  = strlen(e.input);
-    e.outLen = MD5_DIGEST_SIZE;
+    f.inLen  = XSTRLEN(f.input);
+    f.outLen = WC_MD5_DIGEST_SIZE;
 
     test_md5[0] = a;
     test_md5[1] = b;
     test_md5[2] = c;
     test_md5[3] = d;
     test_md5[4] = e;
+    test_md5[5] = f;
 
-    wc_InitMd5(&md5);
+    ret = wc_InitMd5_ex(&md5, HEAP_HINT, devId);
+    if (ret != 0)
+        return -1600;
+    ret = wc_InitMd5_ex(&md5Copy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_Md5Free(&md5);
+        return -1601;
+    }
 
     for (i = 0; i < times; ++i) {
-        wc_Md5Update(&md5, (byte*)test_md5[i].input, (word32)test_md5[i].inLen);
-        wc_Md5Final(&md5, hash);
+        ret = wc_Md5Update(&md5, (byte*)test_md5[i].input,
+            (word32)test_md5[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-1602 - i, exit);
+
+        ret = wc_Md5GetHash(&md5, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-1603 - i, exit);
+
+        ret = wc_Md5Copy(&md5, &md5Copy);
+        if (ret != 0)
+            ERROR_OUT(-1604 - i, exit);
+
+        ret = wc_Md5Final(&md5, hash);
+        if (ret != 0)
+            ERROR_OUT(-1605 - i, exit);
+
+        wc_Md5Free(&md5Copy);
 
-        if (memcmp(hash, test_md5[i].output, MD5_DIGEST_SIZE) != 0)
-            return -5 - i;
+        if (XMEMCMP(hash, test_md5[i].output, WC_MD5_DIGEST_SIZE) != 0)
+            ERROR_OUT(-1606 - i, exit);
+
+        if (XMEMCMP(hash, hashcopy, WC_MD5_DIGEST_SIZE) != 0)
+            ERROR_OUT(-1607 - i, exit);
     }
 
-    return 0;
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x44\xd0\x88\xce\xf1\x36\xd1\x78\xe9\xc8\xba\x84\xc3\xfd\xf6\xca";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_Md5SizeSet(&md5, times * sizeof(large_input));
+#endif
+    for (i = 0; i < times; ++i) {
+        ret = wc_Md5Update(&md5, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-1608, exit);
+    }
+    ret = wc_Md5Final(&md5, hash);
+    if (ret != 0)
+        ERROR_OUT(-1609, exit);
+    if (XMEMCMP(hash, large_digest, WC_MD5_DIGEST_SIZE) != 0)
+        ERROR_OUT(-1610, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+
+    wc_Md5Free(&md5);
+    wc_Md5Free(&md5Copy);
+
+    return ret;
 }
 #endif /* NO_MD5 */
 
@@ -775,45 +1811,45 @@ int md4_test(void)
     a.input  = "";
     a.output = "\x31\xd6\xcf\xe0\xd1\x6a\xe9\x31\xb7\x3c\x59\xd7\xe0\xc0\x89"
                "\xc0";
-    a.inLen  = strlen(a.input);
+    a.inLen  = XSTRLEN(a.input);
     a.outLen = MD4_DIGEST_SIZE;
 
     b.input  = "a";
     b.output = "\xbd\xe5\x2c\xb3\x1d\xe3\x3e\x46\x24\x5e\x05\xfb\xdb\xd6\xfb"
                "\x24";
-    b.inLen  = strlen(b.input);
+    b.inLen  = XSTRLEN(b.input);
     b.outLen = MD4_DIGEST_SIZE;
 
     c.input  = "abc";
     c.output = "\xa4\x48\x01\x7a\xaf\x21\xd8\x52\x5f\xc1\x0a\xe8\x7a\xa6\x72"
                "\x9d";
-    c.inLen  = strlen(c.input);
+    c.inLen  = XSTRLEN(c.input);
     c.outLen = MD4_DIGEST_SIZE;
 
     d.input  = "message digest";
     d.output = "\xd9\x13\x0a\x81\x64\x54\x9f\xe8\x18\x87\x48\x06\xe1\xc7\x01"
                "\x4b";
-    d.inLen  = strlen(d.input);
+    d.inLen  = XSTRLEN(d.input);
     d.outLen = MD4_DIGEST_SIZE;
 
     e.input  = "abcdefghijklmnopqrstuvwxyz";
     e.output = "\xd7\x9e\x1c\x30\x8a\xa5\xbb\xcd\xee\xa8\xed\x63\xdf\x41\x2d"
                "\xa9";
-    e.inLen  = strlen(e.input);
+    e.inLen  = XSTRLEN(e.input);
     e.outLen = MD4_DIGEST_SIZE;
 
     f.input  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345"
                "6789";
     f.output = "\x04\x3f\x85\x82\xf2\x41\xdb\x35\x1c\xe6\x27\xe1\x53\xe7\xf0"
                "\xe4";
-    f.inLen  = strlen(f.input);
+    f.inLen  = XSTRLEN(f.input);
     f.outLen = MD4_DIGEST_SIZE;
 
     g.input  = "1234567890123456789012345678901234567890123456789012345678"
                "9012345678901234567890";
     g.output = "\xe3\x3b\x4d\xdc\x9c\x38\xf2\x19\x9c\x3e\x7b\x16\x4f\xcc\x05"
                "\x36";
-    g.inLen  = strlen(g.input);
+    g.inLen  = XSTRLEN(g.input);
     g.outLen = MD4_DIGEST_SIZE;
 
     test_md4[0] = a;
@@ -830,8 +1866,8 @@ int md4_test(void)
         wc_Md4Update(&md4, (byte*)test_md4[i].input, (word32)test_md4[i].inLen);
         wc_Md4Final(&md4, hash);
 
-        if (memcmp(hash, test_md4[i].output, MD4_DIGEST_SIZE) != 0)
-            return -205 - i;
+        if (XMEMCMP(hash, test_md4[i].output, MD4_DIGEST_SIZE) != 0)
+            return -1700 - i;
     }
 
     return 0;
@@ -843,59 +1879,125 @@ int md4_test(void)
 
 int sha_test(void)
 {
-    Sha  sha;
-    byte hash[SHA_DIGEST_SIZE];
-
-    testVector a, b, c, d;
-    testVector test_sha[4];
-    int ret;
+    int ret = 0;
+    wc_Sha sha, shaCopy;
+    byte hash[WC_SHA_DIGEST_SIZE];
+    byte hashcopy[WC_SHA_DIGEST_SIZE];
+    testVector a, b, c, d, e;
+    testVector test_sha[5];
     int times = sizeof(test_sha) / sizeof(struct testVector), i;
 
-    a.input  = "abc";
-    a.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2"
+    a.input  = "";
+    a.output = "\xda\x39\xa3\xee\x5e\x6b\x4b\x0d\x32\x55\xbf\xef\x95\x60\x18"
+               "\x90\xaf\xd8\x07\x09";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2"
                "\x6C\x9C\xD0\xD8\x9D";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA_DIGEST_SIZE;
 
-    b.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
-    b.output = "\x84\x98\x3E\x44\x1C\x3B\xD2\x6E\xBA\xAE\x4A\xA1\xF9\x51\x29"
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x84\x98\x3E\x44\x1C\x3B\xD2\x6E\xBA\xAE\x4A\xA1\xF9\x51\x29"
                "\xE5\xE5\x46\x70\xF1";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA_DIGEST_SIZE;
 
-    c.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    d.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaa";
-    c.output = "\x00\x98\xBA\x82\x4B\x5C\x16\x42\x7B\xD7\xA1\x12\x2A\x5A\x44"
+    d.output = "\x00\x98\xBA\x82\x4B\x5C\x16\x42\x7B\xD7\xA1\x12\x2A\x5A\x44"
                "\x2A\x25\xEC\x64\x4D";
-    c.inLen  = strlen(c.input);
-    c.outLen = SHA_DIGEST_SIZE;
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA_DIGEST_SIZE;
 
-    d.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    e.input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaa";
-    d.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7"
+    e.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7"
                "\x53\x99\x5E\x26\xA0";
-    d.inLen  = strlen(d.input);
-    d.outLen = SHA_DIGEST_SIZE;
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_SHA_DIGEST_SIZE;
 
     test_sha[0] = a;
     test_sha[1] = b;
     test_sha[2] = c;
     test_sha[3] = d;
+    test_sha[4] = e;
 
-    ret = wc_InitSha(&sha);
+    ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
     if (ret != 0)
-        return -4001;
+        return -1800;
+    ret = wc_InitSha_ex(&shaCopy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_ShaFree(&sha);
+        return -1801;
+    }
 
     for (i = 0; i < times; ++i) {
-        wc_ShaUpdate(&sha, (byte*)test_sha[i].input, (word32)test_sha[i].inLen);
-        wc_ShaFinal(&sha, hash);
+        ret = wc_ShaUpdate(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-1802 - i, exit);
+        ret = wc_ShaGetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-1803 - i, exit);
+        ret = wc_ShaCopy(&sha, &shaCopy);
+        if (ret != 0)
+            ERROR_OUT(-1804 - i, exit);
+        ret = wc_ShaFinal(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-1805 - i, exit);
+        wc_ShaFree(&shaCopy);
 
-        if (memcmp(hash, test_sha[i].output, SHA_DIGEST_SIZE) != 0)
-            return -10 - i;
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA_DIGEST_SIZE) != 0)
+            ERROR_OUT(-1806 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA_DIGEST_SIZE) != 0)
+            ERROR_OUT(-1807 - i, exit);
     }
 
-    return 0;
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+#ifdef WOLFSSL_RENESAS_TSIP
+    const char* large_digest =
+            "\x1d\x6a\x5a\xf6\xe5\x7c\x86\xce\x7f\x7c\xaf\xd5\xdb\x08\xcd\x59"
+            "\x15\x8c\x6d\xb6";
+#else
+    const char* large_digest =
+           "\x8b\x77\x02\x48\x39\xe8\xdb\xd3\x9a\xf4\x05\x24\x66\x12\x2d\x9e"
+           "\xc5\xd9\x0a\xac";
+#endif
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+#ifdef WOLFSSL_RENESAS_TSIP
+    times = 20;
+#else
+    times = 100;
+#endif
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_ShaSizeSet(&sha, times * sizeof(large_input));
+#endif
+    for (i = 0; i < times; ++i) {
+        ret = wc_ShaUpdate(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-1808, exit);
+    }
+    ret = wc_ShaFinal(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-1809, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA_DIGEST_SIZE) != 0)
+        ERROR_OUT(-1810, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+
+    wc_ShaFree(&sha);
+    wc_ShaFree(&shaCopy);
+
+    return ret;
 }
 
 #endif /* NO_SHA */
@@ -904,6 +2006,7 @@ int sha_test(void)
 int ripemd_test(void)
 {
     RipeMd  ripemd;
+    int ret;
     byte hash[RIPEMD_DIGEST_SIZE];
 
     testVector a, b, c, d;
@@ -913,26 +2016,26 @@ int ripemd_test(void)
     a.input  = "abc";
     a.output = "\x8e\xb2\x08\xf7\xe0\x5d\x98\x7a\x9b\x04\x4a\x8e\x98\xc6"
                "\xb0\x87\xf1\x5a\x0b\xfc";
-    a.inLen  = strlen(a.input);
+    a.inLen  = XSTRLEN(a.input);
     a.outLen = RIPEMD_DIGEST_SIZE;
 
     b.input  = "message digest";
     b.output = "\x5d\x06\x89\xef\x49\xd2\xfa\xe5\x72\xb8\x81\xb1\x23\xa8"
                "\x5f\xfa\x21\x59\x5f\x36";
-    b.inLen  = strlen(b.input);
+    b.inLen  = XSTRLEN(b.input);
     b.outLen = RIPEMD_DIGEST_SIZE;
 
     c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
     c.output = "\x12\xa0\x53\x38\x4a\x9c\x0c\x88\xe4\x05\xa0\x6c\x27\xdc"
                "\xf4\x9a\xda\x62\xeb\x2b";
-    c.inLen  = strlen(c.input);
+    c.inLen  = XSTRLEN(c.input);
     c.outLen = RIPEMD_DIGEST_SIZE;
 
     d.input  = "12345678901234567890123456789012345678901234567890123456"
                "789012345678901234567890";
     d.output = "\x9b\x75\x2e\x45\x57\x3d\x4b\x39\xf4\xdb\xd3\x32\x3c\xab"
                "\x82\xbf\x63\x32\x6b\xfb";
-    d.inLen  = strlen(d.input);
+    d.inLen  = XSTRLEN(d.input);
     d.outLen = RIPEMD_DIGEST_SIZE;
 
     test_ripemd[0] = a;
@@ -940,15 +2043,25 @@ int ripemd_test(void)
     test_ripemd[2] = c;
     test_ripemd[3] = d;
 
-    wc_InitRipeMd(&ripemd);
+    ret = wc_InitRipeMd(&ripemd);
+    if (ret != 0) {
+        return -1900;
+    }
 
     for (i = 0; i < times; ++i) {
-        wc_RipeMdUpdate(&ripemd, (byte*)test_ripemd[i].input,
-                     (word32)test_ripemd[i].inLen);
-        wc_RipeMdFinal(&ripemd, hash);
+        ret = wc_RipeMdUpdate(&ripemd, (byte*)test_ripemd[i].input,
+                              (word32)test_ripemd[i].inLen);
+        if (ret != 0) {
+            return -1901 - i;
+        }
+
+        ret = wc_RipeMdFinal(&ripemd, hash);
+        if (ret != 0) {
+            return -1911 - i;
+        }
 
-        if (memcmp(hash, test_ripemd[i].output, RIPEMD_DIGEST_SIZE) != 0)
-            return -10 - i;
+        if (XMEMCMP(hash, test_ripemd[i].output, RIPEMD_DIGEST_SIZE) != 0)
+            return -1921 - i;
     }
 
     return 0;
@@ -959,9 +2072,9 @@ int ripemd_test(void)
 #ifdef HAVE_BLAKE2
 
 
-#define BLAKE2_TESTS 3
+#define BLAKE2B_TESTS 3
 
-static const byte blake2b_vec[BLAKE2_TESTS][BLAKE2B_OUTBYTES] =
+static const byte blake2b_vec[BLAKE2B_TESTS][BLAKE2B_OUTBYTES] =
 {
   {
     0x78, 0x6A, 0x02, 0xF7, 0x42, 0x01, 0x59, 0x03,
@@ -1007,21 +2120,21 @@ int blake2b_test(void)
     for (i = 0; i < (int)sizeof(input); i++)
         input[i] = (byte)i;
 
-    for (i = 0; i < BLAKE2_TESTS; i++) {
+    for (i = 0; i < BLAKE2B_TESTS; i++) {
         ret = wc_InitBlake2b(&b2b, 64);
         if (ret != 0)
-            return -4002;
+            return -2000 - i;
 
         ret = wc_Blake2bUpdate(&b2b, input, i);
         if (ret != 0)
-            return -4003;
+            return -2010 - 1;
 
         ret = wc_Blake2bFinal(&b2b, digest, 64);
         if (ret != 0)
-            return -4004;
+            return -2020 - i;
 
-        if (memcmp(digest, blake2b_vec[i], 64) != 0) {
-            return -300 - i;
+        if (XMEMCMP(digest, blake2b_vec[i], 64) != 0) {
+            return -2030 - i;
         }
     }
 
@@ -1029,52 +2142,252 @@ int blake2b_test(void)
 }
 #endif /* HAVE_BLAKE2 */
 
+#ifdef HAVE_BLAKE2S
+
+
+#define BLAKE2S_TESTS 3
+
+static const byte blake2s_vec[BLAKE2S_TESTS][BLAKE2S_OUTBYTES] =
+{
+  {
+    0x69, 0x21, 0x7a, 0x30, 0x79, 0x90, 0x80, 0x94,
+    0xe1, 0x11, 0x21, 0xd0, 0x42, 0x35, 0x4a, 0x7c,
+    0x1f, 0x55, 0xb6, 0x48, 0x2c, 0xa1, 0xa5, 0x1e,
+    0x1b, 0x25, 0x0d, 0xfd, 0x1e, 0xd0, 0xee, 0xf9,
+  },
+  {
+    0xe3, 0x4d, 0x74, 0xdb, 0xaf, 0x4f, 0xf4, 0xc6,
+    0xab, 0xd8, 0x71, 0xcc, 0x22, 0x04, 0x51, 0xd2,
+    0xea, 0x26, 0x48, 0x84, 0x6c, 0x77, 0x57, 0xfb,
+    0xaa, 0xc8, 0x2f, 0xe5, 0x1a, 0xd6, 0x4b, 0xea,
+  },
+  {
+    0xdd, 0xad, 0x9a, 0xb1, 0x5d, 0xac, 0x45, 0x49,
+    0xba, 0x42, 0xf4, 0x9d, 0x26, 0x24, 0x96, 0xbe,
+    0xf6, 0xc0, 0xba, 0xe1, 0xdd, 0x34, 0x2a, 0x88,
+    0x08, 0xf8, 0xea, 0x26, 0x7c, 0x6e, 0x21, 0x0c,
+  }
+};
+
+
+
+int blake2s_test(void)
+{
+    Blake2s b2s;
+    byte    digest[32];
+    byte    input[64];
+    int     i, ret;
+
+    for (i = 0; i < (int)sizeof(input); i++)
+        input[i] = (byte)i;
+
+    for (i = 0; i < BLAKE2S_TESTS; i++) {
+        ret = wc_InitBlake2s(&b2s, 32);
+        if (ret != 0)
+            return -2100 - i;
+
+        ret = wc_Blake2sUpdate(&b2s, input, i);
+        if (ret != 0)
+            return -2110 - 1;
+
+        ret = wc_Blake2sFinal(&b2s, digest, 32);
+        if (ret != 0)
+            return -2120 - i;
+
+        if (XMEMCMP(digest, blake2s_vec[i], 32) != 0) {
+            return -2130 - i;
+        }
+    }
+
+    return 0;
+}
+#endif /* HAVE_BLAKE2S */
+
+
+#ifdef WOLFSSL_SHA224
+int sha224_test(void)
+{
+    wc_Sha224 sha, shaCopy;
+    byte      hash[WC_SHA224_DIGEST_SIZE];
+    byte      hashcopy[WC_SHA224_DIGEST_SIZE];
+    int       ret = 0;
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    a.input  = "";
+    a.output = "\xd1\x4a\x02\x8c\x2a\x3a\x2b\xc9\x47\x61\x02\xbb\x28\x82\x34"
+               "\xc4\x15\xa2\xb0\x1f\x82\x8e\xa6\x2a\xc5\xb3\xe4\x2f";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA224_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\x23\x09\x7d\x22\x34\x05\xd8\x22\x86\x42\xa4\x77\xbd\xa2\x55"
+               "\xb3\x2a\xad\xbc\xe4\xbd\xa0\xb3\xf7\xe3\x6c\x9d\xa7";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA224_DIGEST_SIZE;
+
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01"
+               "\x50\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA224_DIGEST_SIZE;
+
+    test_sha[0] = a;
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitSha224_ex(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -2200;
+    ret = wc_InitSha224_ex(&shaCopy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_Sha224Free(&sha);
+        return -2201;
+    }
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha224Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-2202 - i, exit);
+        ret = wc_Sha224GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2203 - i, exit);
+        ret = wc_Sha224Copy(&sha, &shaCopy);
+        if (ret != 0)
+            ERROR_OUT(-2204 - i, exit);
+        ret = wc_Sha224Final(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-2205 - i, exit);
+        wc_Sha224Free(&shaCopy);
+
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA224_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2206 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA224_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2207 - i, exit);
+    }
+
+exit:
+    wc_Sha224Free(&sha);
+    wc_Sha224Free(&shaCopy);
+
+    return ret;
+}
+#endif
+
 
 #ifndef NO_SHA256
 int sha256_test(void)
 {
-    Sha256 sha;
-    byte   hash[SHA256_DIGEST_SIZE];
+    wc_Sha256 sha, shaCopy;
+    byte      hash[WC_SHA256_DIGEST_SIZE];
+    byte      hashcopy[WC_SHA256_DIGEST_SIZE];
+    int       ret = 0;
 
-    testVector a, b;
-    testVector test_sha[2];
-    int ret;
+    testVector a, b, c;
+    testVector test_sha[3];
     int times = sizeof(test_sha) / sizeof(struct testVector), i;
 
-    a.input  = "abc";
-    a.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22"
+    a.input  = "";
+    a.output = "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9"
+               "\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52"
+               "\xb8\x55";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA256_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xBA\x78\x16\xBF\x8F\x01\xCF\xEA\x41\x41\x40\xDE\x5D\xAE\x22"
                "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00"
                "\x15\xAD";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA256_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA256_DIGEST_SIZE;
 
-    b.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
-    b.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60"
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60"
                "\x39\xA3\x3C\xE4\x59\x64\xFF\x21\x67\xF6\xEC\xED\xD4\x19\xDB"
                "\x06\xC1";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA256_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA256_DIGEST_SIZE;
 
     test_sha[0] = a;
     test_sha[1] = b;
+    test_sha[2] = c;
 
-    ret = wc_InitSha256(&sha);
+    ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId);
     if (ret != 0)
-        return -4005;
+        return -2300;
+    ret = wc_InitSha256_ex(&shaCopy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_Sha256Free(&sha);
+        return -2301;
+    }
 
     for (i = 0; i < times; ++i) {
-        ret = wc_Sha256Update(&sha, (byte*)test_sha[i].input,(word32)test_sha[i].inLen);
+        ret = wc_Sha256Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0) {
+            ERROR_OUT(-2302 - i, exit);
+	}
+        ret = wc_Sha256GetHash(&sha, hashcopy);
         if (ret != 0)
-            return -4006;
+            ERROR_OUT(-2303 - i, exit);
+        ret = wc_Sha256Copy(&sha, &shaCopy);
+        if (ret != 0)
+            ERROR_OUT(-2304 - i, exit);
         ret = wc_Sha256Final(&sha, hash);
         if (ret != 0)
-            return -4007;
+            ERROR_OUT(-2305 - i, exit);
+        wc_Sha256Free(&shaCopy);
 
-        if (memcmp(hash, test_sha[i].output, SHA256_DIGEST_SIZE) != 0)
-            return -10 - i;
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA256_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2306 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA256_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2307 - i, exit);
     }
 
-    return 0;
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+#ifdef WOLFSSL_RENESAS_TSIP_CRYPT
+    const char* large_digest =
+            "\xa4\x75\x9e\x7a\xa2\x03\x38\x32\x88\x66\xa2\xea\x17\xea\xf8\xc7"
+            "\xfe\x4e\xc6\xbb\xe3\xbb\x71\xce\xe7\xdf\x7c\x04\x61\xb3\xc2\x2f";
+#else
+    const char* large_digest =
+           "\x27\x78\x3e\x87\x96\x3a\x4e\xfb\x68\x29\xb5\x31\xc9\xba\x57\xb4"
+           "\x4f\x45\x79\x7f\x67\x70\xbd\x63\x7f\xbf\x0d\x80\x7c\xbd\xba\xe0";
+#endif
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+#ifdef WOLFSSL_RENESAS_TSIP
+    times = 20;
+#else
+    times = 100;
+#endif
+#ifdef WOLFSSL_PIC32MZ_HASH
+    wc_Sha256SizeSet(&sha, times * sizeof(large_input));
+#endif
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha256Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2308, exit);
+    }
+    ret = wc_Sha256Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2309, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA256_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2310, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+
+    wc_Sha256Free(&sha);
+    wc_Sha256Free(&shaCopy);
+
+    return ret;
 }
 #endif
 
@@ -1082,54 +2395,108 @@ int sha256_test(void)
 #ifdef WOLFSSL_SHA512
 int sha512_test(void)
 {
-    Sha512 sha;
-    byte   hash[SHA512_DIGEST_SIZE];
-    int    ret;
+    wc_Sha512 sha, shaCopy;
+    byte      hash[WC_SHA512_DIGEST_SIZE];
+    byte      hashcopy[WC_SHA512_DIGEST_SIZE];
+    int       ret = 0;
 
-    testVector a, b;
-    testVector test_sha[2];
+    testVector a, b, c;
+    testVector test_sha[3];
     int times = sizeof(test_sha) / sizeof(struct testVector), i;
 
-    a.input  = "abc";
-    a.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41"
+    a.input  = "";
+    a.output = "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80"
+               "\x07\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c"
+               "\xe9\xce\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87"
+               "\x7e\xec\x2f\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a"
+               "\xf9\x27\xda\x3e";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA512_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41"
                "\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55"
                "\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3"
                "\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f"
                "\xa5\x4c\xa4\x9f";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA512_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA512_DIGEST_SIZE;
 
-    b.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+    c.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
-    b.output = "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14"
+    c.output = "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14"
                "\x3f\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88"
                "\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4"
                "\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b"
                "\x87\x4b\xe9\x09";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA512_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA512_DIGEST_SIZE;
 
     test_sha[0] = a;
     test_sha[1] = b;
+    test_sha[2] = c;
 
-    ret = wc_InitSha512(&sha);
+    ret = wc_InitSha512_ex(&sha, HEAP_HINT, devId);
     if (ret != 0)
-        return -4009;
+        return -2400;
+    ret = wc_InitSha512_ex(&shaCopy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_Sha512Free(&sha);
+        return -2401;
+    }
 
     for (i = 0; i < times; ++i) {
-        ret = wc_Sha512Update(&sha, (byte*)test_sha[i].input,(word32)test_sha[i].inLen);
+        ret = wc_Sha512Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
         if (ret != 0)
-            return -4010;
-
+            ERROR_OUT(-2402 - i, exit);
+        ret = wc_Sha512GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2403 - i, exit);
+        ret = wc_Sha512Copy(&sha, &shaCopy);
+        if (ret != 0)
+            ERROR_OUT(-2404 - i, exit);
         ret = wc_Sha512Final(&sha, hash);
         if (ret != 0)
-            return -4011;
+            ERROR_OUT(-2405 - i, exit);
+        wc_Sha512Free(&shaCopy);
 
-        if (memcmp(hash, test_sha[i].output, SHA512_DIGEST_SIZE) != 0)
-            return -10 - i;
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA512_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2406 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA512_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2407 - i, exit);
     }
 
-    return 0;
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x5a\x1f\x73\x90\xbd\x8c\xe4\x63\x54\xce\xa0\x9b\xef\x32\x78\x2d"
+        "\x2e\xe7\x0d\x5e\x2f\x9d\x15\x1b\xdd\x2d\xde\x65\x0c\x7b\xfa\x83"
+        "\x5e\x80\x02\x13\x84\xb8\x3f\xff\x71\x62\xb5\x09\x89\x63\xe1\xdc"
+        "\xa5\xdc\xfc\xfa\x9d\x1a\x4d\xc0\xfa\x3a\x14\xf6\x01\x51\x90\xa4";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha512Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2408, exit);
+    }
+    ret = wc_Sha512Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2409, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA512_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2410, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+    wc_Sha512Free(&sha);
+    wc_Sha512Free(&shaCopy);
+
+    return ret;
 }
 #endif
 
@@ -1137,61 +2504,971 @@ int sha512_test(void)
 #ifdef WOLFSSL_SHA384
 int sha384_test(void)
 {
-    Sha384 sha;
-    byte   hash[SHA384_DIGEST_SIZE];
-    int    ret;
+    wc_Sha384 sha, shaCopy;
+    byte      hash[WC_SHA384_DIGEST_SIZE];
+    byte      hashcopy[WC_SHA384_DIGEST_SIZE];
+    int       ret = 0;
 
-    testVector a, b;
-    testVector test_sha[2];
+    testVector a, b, c;
+    testVector test_sha[3];
     int times = sizeof(test_sha) / sizeof(struct testVector), i;
 
-    a.input  = "abc";
-    a.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50"
+    a.input  = "";
+
+    a.output = "\x38\xb0\x60\xa7\x51\xac\x96\x38\x4c\xd9\x32\x7e\xb1\xb1\xe3"
+               "\x6a\x21\xfd\xb7\x11\x14\xbe\x07\x43\x4c\x0c\xc7\xbf\x63\xf6"
+               "\xe1\xda\x27\x4e\xde\xbf\xe7\x6f\x65\xfb\xd5\x1a\xd2\xf1\x48"
+               "\x98\xb9\x5b";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA384_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50"
                "\x07\x27\x2c\x32\xab\x0e\xde\xd1\x63\x1a\x8b\x60\x5a\x43\xff"
                "\x5b\xed\x80\x86\x07\x2b\xa1\xe7\xcc\x23\x58\xba\xec\xa1\x34"
                "\xc8\x25\xa7";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA384_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA384_DIGEST_SIZE;
 
-    b.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+    c.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
                "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
-    b.output = "\x09\x33\x0c\x33\xf7\x11\x47\xe8\x3d\x19\x2f\xc7\x82\xcd\x1b"
+    c.output = "\x09\x33\x0c\x33\xf7\x11\x47\xe8\x3d\x19\x2f\xc7\x82\xcd\x1b"
                "\x47\x53\x11\x1b\x17\x3b\x3b\x05\xd2\x2f\xa0\x80\x86\xe3\xb0"
                "\xf7\x12\xfc\xc7\xc7\x1a\x55\x7e\x2d\xb9\x66\xc3\xe9\xfa\x91"
                "\x74\x60\x39";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA384_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA384_DIGEST_SIZE;
 
     test_sha[0] = a;
     test_sha[1] = b;
+    test_sha[2] = c;
 
-    ret = wc_InitSha384(&sha);
+    ret = wc_InitSha384_ex(&sha, HEAP_HINT, devId);
     if (ret != 0)
-        return -4012;
+        return -2500;
+    ret = wc_InitSha384_ex(&shaCopy, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_Sha384Free(&sha);
+        return -2501;
+    }
 
     for (i = 0; i < times; ++i) {
-        ret = wc_Sha384Update(&sha, (byte*)test_sha[i].input,(word32)test_sha[i].inLen);
+        ret = wc_Sha384Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
         if (ret != 0)
-            return -4013;
-
+            ERROR_OUT(-2502 - i, exit);
+        ret = wc_Sha384GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2503 - i, exit);
+        ret = wc_Sha384Copy(&sha, &shaCopy);
+        if (ret != 0)
+            ERROR_OUT(-2504 - i, exit);
         ret = wc_Sha384Final(&sha, hash);
         if (ret != 0)
-            return -4014;
+            ERROR_OUT(-2505 - i, exit);
+        wc_Sha384Free(&shaCopy);
 
-        if (memcmp(hash, test_sha[i].output, SHA384_DIGEST_SIZE) != 0)
-            return -10 - i;
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA384_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2506 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA384_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2507 - i, exit);
     }
 
-    return 0;
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x37\x01\xdb\xff\x1e\x40\x4f\xe1\xe2\xea\x0b\x40\xbb\x3b\x39\x9a"
+        "\xcc\xe8\x44\x8e\x7e\xe5\x64\xb5\x6b\x7f\x56\x64\xa7\x2b\x84\xe3"
+        "\xc5\xd7\x79\x03\x25\x90\xf7\xa4\x58\xcb\x97\xa8\x8b\xb1\xa4\x81";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha384Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2508, exit);
+    }
+    ret = wc_Sha384Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2509, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA384_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2510, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+
+    wc_Sha384Free(&sha);
+    wc_Sha384Free(&shaCopy);
+
+    return ret;
 }
 #endif /* WOLFSSL_SHA384 */
 
+#ifdef WOLFSSL_SHA3
+#ifndef WOLFSSL_NOSHA3_224
+static int sha3_224_test(void)
+{
+    wc_Sha3  sha;
+    byte  hash[WC_SHA3_224_DIGEST_SIZE];
+    byte  hashcopy[WC_SHA3_224_DIGEST_SIZE];
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int ret = 0;
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    a.input  = "";
+    a.output = "\x6b\x4e\x03\x42\x36\x67\xdb\xb7\x3b\x6e\x15\x45\x4f\x0e\xb1"
+               "\xab\xd4\x59\x7f\x9a\x1b\x07\x8e\x3f\x5b\x5a\x6b\xc7";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA3_224_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xe6\x42\x82\x4c\x3f\x8c\xf2\x4a\xd0\x92\x34\xee\x7d\x3c\x76"
+               "\x6f\xc9\xa3\xa5\x16\x8d\x0c\x94\xad\x73\xb4\x6f\xdf";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA3_224_DIGEST_SIZE;
+
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x8a\x24\x10\x8b\x15\x4a\xda\x21\xc9\xfd\x55\x74\x49\x44\x79"
+               "\xba\x5c\x7e\x7a\xb7\x6e\xf2\x64\xea\xd0\xfc\xce\x33";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA3_224_DIGEST_SIZE;
+
+    test_sha[0] = a;
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitSha3_224(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -2600;
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_224_Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-2601 - i, exit);
+        ret = wc_Sha3_224_GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2602 - i, exit);
+        ret = wc_Sha3_224_Final(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-2603 - i, exit);
+
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_224_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2604 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA3_224_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2605 - i, exit);
+    }
+
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x13\xe5\xd3\x98\x7b\x94\xda\x41\x12\xc7\x1e\x92\x3a\x19"
+        "\x21\x20\x86\x6f\x24\xbf\x0a\x31\xbc\xfd\xd6\x70\x36\xf3";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_224_Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2606, exit);
+    }
+    ret = wc_Sha3_224_Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2607, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA3_224_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2608, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+    wc_Sha3_224_Free(&sha);
+
+    return ret;
+}
+#endif /* WOLFSSL_NOSHA3_224 */
+
+#ifndef WOLFSSL_NOSHA3_256
+static int sha3_256_test(void)
+{
+    wc_Sha3  sha;
+    byte  hash[WC_SHA3_256_DIGEST_SIZE];
+    byte  hashcopy[WC_SHA3_256_DIGEST_SIZE];
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int ret = 0;
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    byte large_input[1024];
+    const char* large_digest =
+        "\xdc\x90\xc0\xb1\x25\xdb\x2c\x34\x81\xa3\xff\xbc\x1e\x2e\x87\xeb"
+        "\x6d\x70\x85\x61\xe0\xe9\x63\x61\xff\xe5\x84\x4b\x1f\x68\x05\x15";
+
+#if defined(WOLFSSL_HASH_FLAGS) && !defined(WOLFSSL_ASYNC_CRYPT)
+    /* test vector with hash of empty string */
+    const char* Keccak256EmptyOut =
+        "\xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0"
+        "\xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70";
+#endif
+
+    a.input  = "";
+    a.output = "\xa7\xff\xc6\xf8\xbf\x1e\xd7\x66\x51\xc1\x47\x56\xa0\x61\xd6"
+               "\x62\xf5\x80\xff\x4d\xe4\x3b\x49\xfa\x82\xd8\x0a\x4b\x80\xf8"
+               "\x43\x4a";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA3_256_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90"
+               "\xbd\x85\x5f\x08\x6e\x3e\x9d\x52\x5b\x46\xbf\xe2\x45\x11\x43"
+               "\x15\x32";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA3_256_DIGEST_SIZE;
+
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x41\xc0\xdb\xa2\xa9\xd6\x24\x08\x49\x10\x03\x76\xa8\x23\x5e"
+               "\x2c\x82\xe1\xb9\x99\x8a\x99\x9e\x21\xdb\x32\xdd\x97\x49\x6d"
+               "\x33\x76";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA3_256_DIGEST_SIZE;
+
+    test_sha[0] = a;
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitSha3_256(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -2700;
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_256_Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-2701 - i, exit);
+        ret = wc_Sha3_256_GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2702 - i, exit);
+        ret = wc_Sha3_256_Final(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-2703 - i, exit);
+
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_256_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2704 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA3_256_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2705 - i, exit);
+    }
+
+    /* BEGIN LARGE HASH TEST */ {
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_256_Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2706, exit);
+    }
+    ret = wc_Sha3_256_Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2707, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA3_256_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2708, exit);
+    } /* END LARGE HASH TEST */
+
+    /* this is a software only variant of SHA3 not supported by external hardware devices */
+#if defined(WOLFSSL_HASH_FLAGS) && !defined(WOLFSSL_ASYNC_CRYPT)
+    /* Test for Keccak256 */
+    ret = wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256);
+    if (ret != 0) {
+        ERROR_OUT(-2709, exit);
+    }
+    ret = wc_Sha3_256_Update(&sha, (byte*)"", 0);
+    if (ret != 0) {
+        ERROR_OUT(-2710, exit);
+    }
+    ret = wc_Sha3_256_Final(&sha, hash);
+    if (ret != 0) {
+        ERROR_OUT(-2711, exit);
+    }
+    if (XMEMCMP(hash, Keccak256EmptyOut, WC_SHA3_256_DIGEST_SIZE) != 0) {
+        ERROR_OUT(-2712, exit);
+    }
+#endif /* WOLFSSL_HASH_FLAGS && !WOLFSSL_ASYNC_CRYPT */
+
+exit:
+    wc_Sha3_256_Free(&sha);
+
+    return ret;
+}
+#endif /* WOLFSSL_NOSHA3_256 */
+
+#ifndef WOLFSSL_NOSHA3_384
+static int sha3_384_test(void)
+{
+    wc_Sha3  sha;
+    byte  hash[WC_SHA3_384_DIGEST_SIZE];
+#ifndef NO_INTM_HASH_TEST
+    byte  hashcopy[WC_SHA3_384_DIGEST_SIZE];
+#endif
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int ret;
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    a.input  = "";
+    a.output = "\x0c\x63\xa7\x5b\x84\x5e\x4f\x7d\x01\x10\x7d\x85\x2e\x4c\x24"
+               "\x85\xc5\x1a\x50\xaa\xaa\x94\xfc\x61\x99\x5e\x71\xbb\xee\x98"
+               "\x3a\x2a\xc3\x71\x38\x31\x26\x4a\xdb\x47\xfb\x6b\xd1\xe0\x58"
+               "\xd5\xf0\x04";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA3_384_DIGEST_SIZE;
+
+#if defined(WOLFSSL_AFALG_XILINX_SHA3) || defined(WOLFSSL_XILINX_CRYPT)
+    /* NIST test vector with a length that is a multiple of 4 */
+    b.input  = "\x7d\x80\xb1\x60\xc4\xb5\x36\xa3\xbe\xb7\x99\x80\x59\x93\x44"
+               "\x04\x7c\x5f\x82\xa1\xdf\xc3\xee\xd4";
+    b.output = "\x04\x1c\xc5\x86\x1b\xa3\x34\x56\x3c\x61\xd4\xef\x97\x10\xd4"
+               "\x89\x6c\x31\x1c\x92\xed\xbe\x0d\x7c\xd5\x3e\x80\x3b\xf2\xf4"
+               "\xeb\x60\x57\x23\x55\x70\x77\x0c\xe8\x7c\x55\x20\xd7\xec\x14"
+               "\x19\x87\x22";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA3_384_DIGEST_SIZE;
+#else
+    b.input  = "abc";
+    b.output = "\xec\x01\x49\x82\x88\x51\x6f\xc9\x26\x45\x9f\x58\xe2\xc6\xad"
+               "\x8d\xf9\xb4\x73\xcb\x0f\xc0\x8c\x25\x96\xda\x7c\xf0\xe4\x9b"
+               "\xe4\xb2\x98\xd8\x8c\xea\x92\x7a\xc7\xf5\x39\xf1\xed\xf2\x28"
+               "\x37\x6d\x25";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA3_384_DIGEST_SIZE;
+#endif
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x99\x1c\x66\x57\x55\xeb\x3a\x4b\x6b\xbd\xfb\x75\xc7\x8a\x49"
+               "\x2e\x8c\x56\xa2\x2c\x5c\x4d\x7e\x42\x9b\xfd\xbc\x32\xb9\xd4"
+               "\xad\x5a\xa0\x4a\x1f\x07\x6e\x62\xfe\xa1\x9e\xef\x51\xac\xd0"
+               "\x65\x7c\x22";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA3_384_DIGEST_SIZE;
+
+#ifdef WOLFSSL_XILINX_CRYPT
+    test_sha[0] = b; /* hardware acc. can not handle "" string */
+#else
+    test_sha[0] = a;
+#endif
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitSha3_384(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -2800;
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_384_Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-2801 - i, exit);
+    #ifndef NO_INTM_HASH_TEST
+        ret = wc_Sha3_384_GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2802 - i, exit);
+    #endif
+        ret = wc_Sha3_384_Final(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-2803 - i, exit);
+
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_384_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2804 - i, exit);
+    #ifndef NO_INTM_HASH_TEST
+        if (XMEMCMP(hash, hashcopy, WC_SHA3_384_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2805 - i, exit);
+    #endif
+    }
+
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x30\x44\xec\x17\xef\x47\x9f\x55\x36\x11\xd6\x3f\x8a\x31\x5a\x71"
+        "\x8a\x71\xa7\x1d\x8e\x84\xe8\x6c\x24\x02\x2f\x7a\x08\x4e\xea\xd7"
+        "\x42\x36\x5d\xa8\xc2\xb7\x42\xad\xec\x19\xfb\xca\xc6\x64\xb3\xa4";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_384_Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2806, exit);
+    }
+    ret = wc_Sha3_384_Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2807, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA3_384_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2808, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+    wc_Sha3_384_Free(&sha);
+
+    return ret;
+}
+#endif /* WOLFSSL_NOSHA3_384 */
+
+#ifndef WOLFSSL_NOSHA3_512
+static int sha3_512_test(void)
+{
+    wc_Sha3  sha;
+    byte  hash[WC_SHA3_512_DIGEST_SIZE];
+    byte  hashcopy[WC_SHA3_512_DIGEST_SIZE];
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int ret;
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    a.input  = "";
+    a.output = "\xa6\x9f\x73\xcc\xa2\x3a\x9a\xc5\xc8\xb5\x67\xdc\x18\x5a\x75"
+               "\x6e\x97\xc9\x82\x16\x4f\xe2\x58\x59\xe0\xd1\xdc\xc1\x47\x5c"
+               "\x80\xa6\x15\xb2\x12\x3a\xf1\xf5\xf9\x4c\x11\xe3\xe9\x40\x2c"
+               "\x3a\xc5\x58\xf5\x00\x19\x9d\x95\xb6\xd3\xe3\x01\x75\x85\x86"
+               "\x28\x1d\xcd\x26";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA3_512_DIGEST_SIZE;
+
+    b.input  = "abc";
+    b.output = "\xb7\x51\x85\x0b\x1a\x57\x16\x8a\x56\x93\xcd\x92\x4b\x6b\x09"
+               "\x6e\x08\xf6\x21\x82\x74\x44\xf7\x0d\x88\x4f\x5d\x02\x40\xd2"
+               "\x71\x2e\x10\xe1\x16\xe9\x19\x2a\xf3\xc9\x1a\x7e\xc5\x76\x47"
+               "\xe3\x93\x40\x57\x34\x0b\x4c\xf4\x08\xd5\xa5\x65\x92\xf8\x27"
+               "\x4e\xec\x53\xf0";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA3_512_DIGEST_SIZE;
+
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x04\xa3\x71\xe8\x4e\xcf\xb5\xb8\xb7\x7c\xb4\x86\x10\xfc\xa8"
+               "\x18\x2d\xd4\x57\xce\x6f\x32\x6a\x0f\xd3\xd7\xec\x2f\x1e\x91"
+               "\x63\x6d\xee\x69\x1f\xbe\x0c\x98\x53\x02\xba\x1b\x0d\x8d\xc7"
+               "\x8c\x08\x63\x46\xb5\x33\xb4\x9c\x03\x0d\x99\xa2\x7d\xaf\x11"
+               "\x39\xd6\xe7\x5e";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA3_512_DIGEST_SIZE;
+
+    test_sha[0] = a;
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitSha3_512(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -2900;
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_512_Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-2901 - i, exit);
+        ret = wc_Sha3_512_GetHash(&sha, hashcopy);
+        if (ret != 0)
+            ERROR_OUT(-2902 - i, exit);
+        ret = wc_Sha3_512_Final(&sha, hash);
+        if (ret != 0)
+            ERROR_OUT(-2903 - i, exit);
+
+        if (XMEMCMP(hash, test_sha[i].output, WC_SHA3_512_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2904 - i, exit);
+        if (XMEMCMP(hash, hashcopy, WC_SHA3_512_DIGEST_SIZE) != 0)
+            ERROR_OUT(-2905 - i, exit);
+    }
+
+    /* BEGIN LARGE HASH TEST */ {
+    byte large_input[1024];
+    const char* large_digest =
+        "\x9c\x13\x26\xb6\x26\xb2\x94\x31\xbc\xf4\x34\xe9\x6f\xf2\xd6\x29"
+        "\x9a\xd0\x9b\x32\x63\x2f\x18\xa7\x5f\x23\xc9\x60\xc2\x32\x0c\xbc"
+        "\x57\x77\x33\xf1\x83\x81\x8a\xd3\x15\x7c\x93\xdc\x80\x9f\xed\x61"
+        "\x41\xa7\x5b\xfd\x32\x0e\x38\x15\xb0\x46\x3b\x7a\x4f\xfd\x44\x88";
+
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Sha3_512_Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-2906, exit);
+    }
+    ret = wc_Sha3_512_Final(&sha, hash);
+    if (ret != 0)
+        ERROR_OUT(-2907, exit);
+    if (XMEMCMP(hash, large_digest, WC_SHA3_512_DIGEST_SIZE) != 0)
+        ERROR_OUT(-2908, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+    wc_Sha3_512_Free(&sha);
+
+    return ret;
+}
+#endif /* WOLFSSL_NOSHA3_512 */
+
+int sha3_test(void)
+{
+    int ret;
+
+    (void)ret;
+
+#ifndef WOLFSSL_NOSHA3_224
+    if ((ret = sha3_224_test()) != 0)
+        return ret;
+#endif
+#ifndef WOLFSSL_NOSHA3_256
+    if ((ret = sha3_256_test()) != 0)
+        return ret;
+#endif
+#ifndef WOLFSSL_NOSHA3_384
+    if ((ret = sha3_384_test()) != 0)
+        return ret;
+#endif
+#ifndef WOLFSSL_NOSHA3_512
+    if ((ret = sha3_512_test()) != 0)
+        return ret;
+#endif
+
+    return 0;
+}
+#endif /* WOLFSSL_SHA3 */
+
+#ifdef WOLFSSL_SHAKE256
+int shake256_test(void)
+{
+#ifndef WOLFSSL_NO_SHAKE256
+    wc_Shake  sha;
+    byte  hash[114];
+
+    testVector a, b, c;
+    testVector test_sha[3];
+    int ret = 0;
+    int times = sizeof(test_sha) / sizeof(struct testVector), i;
+
+    byte large_input[1024];
+    const char* large_digest =
+        "\x90\x32\x4a\xcc\xd1\xdf\xb8\x0b\x79\x1f\xb8\xc8\x5b\x54\xc8\xe7"
+        "\x45\xf5\x60\x6b\x38\x26\xb2\x0a\xee\x38\x01\xf3\xd9\xfa\x96\x9f"
+        "\x6a\xd7\x15\xdf\xb6\xc2\xf4\x20\x33\x44\x55\xe8\x2a\x09\x2b\x68"
+        "\x2e\x18\x65\x5e\x65\x93\x28\xbc\xb1\x9e\xe2\xb1\x92\xea\x98\xac"
+        "\x21\xef\x4c\xe1\xb4\xb7\xbe\x81\x5c\x1d\xd3\xb7\x17\xe5\xbb\xc5"
+        "\x8c\x68\xb7\xfb\xac\x55\x8a\x9b\x4d\x91\xe4\x9f\x72\xbb\x6e\x38"
+        "\xaf\x21\x7d\x21\xaa\x98\x4e\x75\xc4\xb4\x1c\x7c\x50\x45\x54\xf9"
+        "\xea\x26";
+
+    a.input  = "";
+    a.output = "\x46\xb9\xdd\x2b\x0b\xa8\x8d\x13\x23\x3b\x3f\xeb\x74\x3e\xeb"
+               "\x24\x3f\xcd\x52\xea\x62\xb8\x1b\x82\xb5\x0c\x27\x64\x6e\xd5"
+               "\x76\x2f\xd7\x5d\xc4\xdd\xd8\xc0\xf2\x00\xcb\x05\x01\x9d\x67"
+               "\xb5\x92\xf6\xfc\x82\x1c\x49\x47\x9a\xb4\x86\x40\x29\x2e\xac"
+               "\xb3\xb7\xc4\xbe\x14\x1e\x96\x61\x6f\xb1\x39\x57\x69\x2c\xc7"
+               "\xed\xd0\xb4\x5a\xe3\xdc\x07\x22\x3c\x8e\x92\x93\x7b\xef\x84"
+               "\xbc\x0e\xab\x86\x28\x53\x34\x9e\xc7\x55\x46\xf5\x8f\xb7\xc2"
+               "\x77\x5c\x38\x46\x2c\x50\x10\xd8\x46";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = sizeof(hash);
+
+    b.input  = "abc";
+    b.output = "\x48\x33\x66\x60\x13\x60\xa8\x77\x1c\x68\x63\x08\x0c\xc4\x11"
+               "\x4d\x8d\xb4\x45\x30\xf8\xf1\xe1\xee\x4f\x94\xea\x37\xe7\x8b"
+               "\x57\x39\xd5\xa1\x5b\xef\x18\x6a\x53\x86\xc7\x57\x44\xc0\x52"
+               "\x7e\x1f\xaa\x9f\x87\x26\xe4\x62\xa1\x2a\x4f\xeb\x06\xbd\x88"
+               "\x01\xe7\x51\xe4\x13\x85\x14\x12\x04\xf3\x29\x97\x9f\xd3\x04"
+               "\x7a\x13\xc5\x65\x77\x24\xad\xa6\x4d\x24\x70\x15\x7b\x3c\xdc"
+               "\x28\x86\x20\x94\x4d\x78\xdb\xcd\xdb\xd9\x12\x99\x3f\x09\x13"
+               "\xf1\x64\xfb\x2c\xe9\x51\x31\xa2\xd0";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = sizeof(hash);
+
+    c.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
+    c.output = "\x4d\x8c\x2d\xd2\x43\x5a\x01\x28\xee\xfb\xb8\xc3\x6f\x6f\x87"
+               "\x13\x3a\x79\x11\xe1\x8d\x97\x9e\xe1\xae\x6b\xe5\xd4\xfd\x2e"
+               "\x33\x29\x40\xd8\x68\x8a\x4e\x6a\x59\xaa\x80\x60\xf1\xf9\xbc"
+               "\x99\x6c\x05\xac\xa3\xc6\x96\xa8\xb6\x62\x79\xdc\x67\x2c\x74"
+               "\x0b\xb2\x24\xec\x37\xa9\x2b\x65\xdb\x05\x39\xc0\x20\x34\x55"
+               "\xf5\x1d\x97\xcc\xe4\xcf\xc4\x91\x27\xd7\x26\x0a\xfc\x67\x3a"
+               "\xf2\x08\xba\xf1\x9b\xe2\x12\x33\xf3\xde\xbe\x78\xd0\x67\x60"
+               "\xcf\xa5\x51\xee\x1e\x07\x91\x41\xd4";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = sizeof(hash);
+
+    test_sha[0] = a;
+    test_sha[1] = b;
+    test_sha[2] = c;
+
+    ret = wc_InitShake256(&sha, HEAP_HINT, devId);
+    if (ret != 0)
+        return -3100;
+
+    for (i = 0; i < times; ++i) {
+        ret = wc_Shake256_Update(&sha, (byte*)test_sha[i].input,
+            (word32)test_sha[i].inLen);
+        if (ret != 0)
+            ERROR_OUT(-3101 - i, exit);
+        ret = wc_Shake256_Final(&sha, hash, (word32)test_sha[i].outLen);
+        if (ret != 0)
+            ERROR_OUT(-3102 - i, exit);
+
+        if (XMEMCMP(hash, test_sha[i].output, test_sha[i].outLen) != 0)
+            ERROR_OUT(-3103 - i, exit);
+    }
+
+    /* BEGIN LARGE HASH TEST */ {
+    for (i = 0; i < (int)sizeof(large_input); i++) {
+        large_input[i] = (byte)(i & 0xFF);
+    }
+    times = 100;
+    for (i = 0; i < times; ++i) {
+        ret = wc_Shake256_Update(&sha, (byte*)large_input,
+            (word32)sizeof(large_input));
+        if (ret != 0)
+            ERROR_OUT(-3104, exit);
+    }
+    ret = wc_Shake256_Final(&sha, hash, (word32)sizeof(hash));
+    if (ret != 0)
+        ERROR_OUT(-3105, exit);
+    if (XMEMCMP(hash, large_digest, sizeof(hash)) != 0)
+        ERROR_OUT(-3106, exit);
+    } /* END LARGE HASH TEST */
+
+exit:
+    wc_Shake256_Free(&sha);
+
+    return ret;
+#else
+    return 0;
+#endif
+}
+#endif
+
+
+int hash_test(void)
+{
+    wc_HashAlg       hash;
+    int              ret, exp_ret;
+    int              i, j;
+    int              digestSz;
+    byte             data[] = "0123456789abcdef0123456789abcdef0123456";
+    byte             out[WC_MAX_DIGEST_SIZE];
+    byte             hashOut[WC_MAX_DIGEST_SIZE];
+#if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
+    enum wc_HashType hashType;
+#endif
+    enum wc_HashType typesGood[] = { WC_HASH_TYPE_MD5, WC_HASH_TYPE_SHA,
+                                     WC_HASH_TYPE_SHA224, WC_HASH_TYPE_SHA256,
+                                     WC_HASH_TYPE_SHA384, WC_HASH_TYPE_SHA512,
+                                     WC_HASH_TYPE_SHA3_224,
+                                     WC_HASH_TYPE_SHA3_256,
+                                     WC_HASH_TYPE_SHA3_384,
+                                     WC_HASH_TYPE_SHA3_512 };
+    enum wc_HashType typesNoImpl[] = {
+#ifdef NO_MD5
+                                        WC_HASH_TYPE_MD5,
+#endif
+#ifdef NO_SHA
+                                        WC_HASH_TYPE_SHA,
+#endif
+#ifndef WOLFSSL_SHA224
+                                        WC_HASH_TYPE_SHA224,
+#endif
+#ifdef NO_SHA256
+                                        WC_HASH_TYPE_SHA256,
+#endif
+#ifndef WOLFSSL_SHA384
+                                        WC_HASH_TYPE_SHA384,
+#endif
+#ifndef WOLFSSL_SHA512
+                                        WC_HASH_TYPE_SHA512,
+#endif
+#if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_224)
+                                        WC_HASH_TYPE_SHA3_224,
+#endif
+#if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_256)
+                                        WC_HASH_TYPE_SHA3_256,
+#endif
+#if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_384)
+                                        WC_HASH_TYPE_SHA3_384,
+#endif
+#if !defined(WOLFSSL_SHA3) || defined(WOLFSSL_NOSHA3_512)
+                                        WC_HASH_TYPE_SHA3_512,
+#endif
+                                        WC_HASH_TYPE_NONE
+                                     };
+    enum wc_HashType typesBad[]  = { WC_HASH_TYPE_NONE, WC_HASH_TYPE_MD5_SHA,
+                                     WC_HASH_TYPE_MD2, WC_HASH_TYPE_MD4 };
+    enum wc_HashType typesHashBad[] = { WC_HASH_TYPE_MD2, WC_HASH_TYPE_MD4,
+                                        WC_HASH_TYPE_BLAKE2B,
+                                        WC_HASH_TYPE_NONE };
+
+    /* Parameter Validation testing. */
+    ret = wc_HashInit(NULL, WC_HASH_TYPE_SHA256);
+    if (ret != BAD_FUNC_ARG)
+        return -3200;
+    ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, NULL, sizeof(data));
+    if (ret != BAD_FUNC_ARG)
+        return -3201;
+    ret = wc_HashUpdate(&hash, WC_HASH_TYPE_SHA256, NULL, sizeof(data));
+    if (ret != BAD_FUNC_ARG)
+        return -3202;
+    ret = wc_HashUpdate(NULL, WC_HASH_TYPE_SHA256, data, sizeof(data));
+    if (ret != BAD_FUNC_ARG)
+        return -3203;
+    ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -3204;
+    ret = wc_HashFinal(&hash, WC_HASH_TYPE_SHA256, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -3205;
+    ret = wc_HashFinal(NULL, WC_HASH_TYPE_SHA256, out);
+    if (ret != BAD_FUNC_ARG)
+        return -3206;
+
+    /* Try invalid hash algorithms. */
+    for (i = 0; i < (int)(sizeof(typesBad)/sizeof(*typesBad)); i++) {
+        ret = wc_HashInit(&hash, typesBad[i]);
+        if (ret != BAD_FUNC_ARG)
+            return -3207 - i;
+        ret = wc_HashUpdate(&hash, typesBad[i], data, sizeof(data));
+        if (ret != BAD_FUNC_ARG)
+            return -3217 - i;
+        ret = wc_HashFinal(&hash, typesBad[i], out);
+        if (ret != BAD_FUNC_ARG)
+            return -3227 - i;
+        wc_HashFree(&hash, typesBad[i]);
+    }
+
+    /* Try valid hash algorithms. */
+    for (i = 0, j = 0; i < (int)(sizeof(typesGood)/sizeof(*typesGood)); i++) {
+        exp_ret = 0;
+        if (typesGood[i] == typesNoImpl[j]) {
+            /* Recognized but no implementation compiled in. */
+            exp_ret = HASH_TYPE_E;
+            j++;
+        }
+        ret = wc_HashInit(&hash, typesGood[i]);
+        if (ret != exp_ret)
+            return -3237 - i;
+        ret = wc_HashUpdate(&hash, typesGood[i], data, sizeof(data));
+        if (ret != exp_ret)
+            return -3247 - i;
+        ret = wc_HashFinal(&hash, typesGood[i], out);
+        if (ret != exp_ret)
+            return -3257 - i;
+        wc_HashFree(&hash, typesGood[i]);
+
+        digestSz = wc_HashGetDigestSize(typesGood[i]);
+        if (exp_ret < 0 && digestSz != exp_ret)
+            return -3267 - i;
+        if (exp_ret == 0 && digestSz < 0)
+            return -3277 - i;
+        if (exp_ret == 0) {
+            ret = wc_Hash(typesGood[i], data, sizeof(data), hashOut,
+                                                                  digestSz - 1);
+            if (ret != BUFFER_E)
+                return -3287 - i;
+        }
+        ret = wc_Hash(typesGood[i], data, sizeof(data), hashOut, digestSz);
+        if (ret != exp_ret)
+            return -3297 - i;
+        if (exp_ret == 0 && XMEMCMP(out, hashOut, digestSz) != 0)
+            return -3307 -i;
+
+        ret = wc_HashGetBlockSize(typesGood[i]);
+        if (exp_ret < 0 && ret != exp_ret)
+            return -3308 - i;
+        if (exp_ret == 0 && ret < 0)
+            return -3318 - i;
+
+#if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
+        ret = wc_HashGetOID(typesGood[i]);
+        if (ret == BAD_FUNC_ARG ||
+                (exp_ret == 0 && ret == HASH_TYPE_E) ||
+                (exp_ret != 0 && ret != HASH_TYPE_E)) {
+            return -3328 - i;
+        }
+
+        hashType = wc_OidGetHash(ret);
+        if (exp_ret < 0 && ret != exp_ret)
+            return -3338 - i;
+        if (exp_ret == 0 && hashType != typesGood[i])
+            return -3348 - i;
+#endif /* !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC) */
+    }
+
+    for (i = 0; i < (int)(sizeof(typesHashBad)/sizeof(*typesHashBad)); i++) {
+        ret = wc_Hash(typesHashBad[i], data, sizeof(data), out, sizeof(out));
+        if (ret != BAD_FUNC_ARG && ret != BUFFER_E)
+            return -3358 - i;
+    }
+
+#if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
+    ret = wc_HashGetOID(WC_HASH_TYPE_MD2);
+#ifdef WOLFSSL_MD2
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3368;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3369;
+#endif
+    hashType = wc_OidGetHash(646); /* Md2h */
+#ifdef WOLFSSL_MD2
+    if (hashType != WC_HASH_TYPE_MD2)
+        return -3370;
+#else
+    if (hashType != WC_HASH_TYPE_NONE)
+        return -3371;
+#endif
+
+    ret = wc_HashGetOID(WC_HASH_TYPE_MD5_SHA);
+#ifndef NO_MD5
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3372;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3373;
+#endif
+    ret = wc_HashGetOID(WC_HASH_TYPE_MD4);
+    if (ret != BAD_FUNC_ARG)
+        return -3374;
+    ret = wc_HashGetOID(WC_HASH_TYPE_NONE);
+    if (ret != BAD_FUNC_ARG)
+        return -3375;
+
+    hashType = wc_OidGetHash(0);
+    if (hashType != WC_HASH_TYPE_NONE)
+        return -3376;
+#endif /* !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC) */
+
+    ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD2);
+#ifdef WOLFSSL_MD2
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3377;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3378;
+#endif
+    ret = wc_HashGetDigestSize(WC_HASH_TYPE_MD2);
+#ifdef WOLFSSL_MD2
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3379;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3380;
+#endif
+
+    ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD4);
+#ifndef NO_MD4
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3381;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3382;
+#endif
+    ret = wc_HashGetDigestSize(WC_HASH_TYPE_MD4);
+#ifndef NO_MD4
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3383;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3384;
+#endif
+    ret = wc_HashGetBlockSize(WC_HASH_TYPE_MD5_SHA);
+#if !defined(NO_MD5) && !defined(NO_SHA)
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3385;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3386;
+#endif
+
+    ret = wc_HashGetBlockSize(WC_HASH_TYPE_BLAKE2B);
+#if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3387;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3388;
+#endif
+    ret = wc_HashGetDigestSize(WC_HASH_TYPE_BLAKE2B);
+#if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+    if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG)
+        return -3389;
+#else
+    if (ret != HASH_TYPE_E)
+        return -3390;
+#endif
+
+    ret = wc_HashGetBlockSize(WC_HASH_TYPE_NONE);
+    if (ret != BAD_FUNC_ARG)
+        return -3391;
+    ret = wc_HashGetDigestSize(WC_HASH_TYPE_NONE);
+    if (ret != BAD_FUNC_ARG)
+        return -3392;
+
+#ifndef NO_CERTS
+#if defined(WOLFSSL_MD2) && !defined(HAVE_SELFTEST)
+    ret = wc_GetCTC_HashOID(MD2);
+    if (ret == 0)
+        return -3393;
+#endif
+#ifndef NO_MD5
+    ret = wc_GetCTC_HashOID(WC_MD5);
+    if (ret == 0)
+        return -3394;
+#endif
+#ifndef NO_SHA
+    ret = wc_GetCTC_HashOID(WC_SHA);
+    if (ret == 0)
+        return -3395;
+#endif
+#ifdef WOLFSSL_SHA224
+    ret = wc_GetCTC_HashOID(WC_SHA224);
+    if (ret == 0)
+        return -3396;
+#endif
+#ifndef NO_SHA256
+    ret = wc_GetCTC_HashOID(WC_SHA256);
+    if (ret == 0)
+        return -3397;
+#endif
+#ifdef WOLFSSL_SHA384
+    ret = wc_GetCTC_HashOID(WC_SHA384);
+    if (ret == 0)
+        return -3398;
+#endif
+#ifdef WOLFSSL_SHA512
+    ret = wc_GetCTC_HashOID(WC_SHA512);
+    if (ret == 0)
+        return -3399;
+#endif
+    ret = wc_GetCTC_HashOID(-1);
+    if (ret != 0)
+        return -3400;
+#endif
+
+    return 0;
+}
 
 #if !defined(NO_HMAC) && !defined(NO_MD5)
 int hmac_md5_test(void)
 {
     Hmac hmac;
-    byte hash[MD5_DIGEST_SIZE];
+    byte hash[WC_MD5_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1209,14 +3486,14 @@ int hmac_md5_test(void)
     a.input  = "Hi There";
     a.output = "\x92\x94\x72\x7a\x36\x38\xbb\x1c\x13\xf4\x8e\xf8\x15\x8b\xfc"
                "\x9d";
-    a.inLen  = strlen(a.input);
-    a.outLen = MD5_DIGEST_SIZE;
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_MD5_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
     b.output = "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7"
                "\x38";
-    b.inLen  = strlen(b.input);
-    b.outLen = MD5_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_MD5_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
@@ -1224,40 +3501,47 @@ int hmac_md5_test(void)
                "\xDD\xDD\xDD\xDD\xDD\xDD";
     c.output = "\x56\xbe\x34\x52\x1d\x14\x4c\x88\xdb\xb8\xc7\x33\xf0\xe8\xb3"
                "\xf6";
-    c.inLen  = strlen(c.input);
-    c.outLen = MD5_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_MD5_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
     test_hmac[2] = c;
 
     for (i = 0; i < times; ++i) {
-#if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
-        if (i == 1)
+    #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
+        if (i == 1) {
             continue; /* cavium can't handle short keys, fips not allowed */
-#endif
-#ifdef HAVE_CAVIUM
-        if (wc_HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0)
-            return -20009;
-#endif
-        ret = wc_HmacSetKey(&hmac, MD5, (byte*)keys[i], (word32)strlen(keys[i]));
+        }
+    #endif
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0) {
+            return -3500;
+        }
+
+        ret = wc_HmacSetKey(&hmac, WC_MD5, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4015;
+            return -3501;
         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
                    (word32)test_hmac[i].inLen);
         if (ret != 0)
-            return -4016;
+            return -3502;
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4017;
+            return -3503;
 
-        if (memcmp(hash, test_hmac[i].output, MD5_DIGEST_SIZE) != 0)
-            return -20 - i;
-#ifdef HAVE_CAVIUM
-        wc_HmacFreeCavium(&hmac);
-#endif
+        if (XMEMCMP(hash, test_hmac[i].output, WC_MD5_DIGEST_SIZE) != 0)
+            return -3504 - i;
+
+        wc_HmacFree(&hmac);
     }
 
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_MD5) != WC_MD5_DIGEST_SIZE)
+        return -3514;
+#endif
+
     return 0;
 }
 #endif /* NO_HMAC && NO_MD5 */
@@ -1266,7 +3550,7 @@ int hmac_md5_test(void)
 int hmac_sha_test(void)
 {
     Hmac hmac;
-    byte hash[SHA_DIGEST_SIZE];
+    byte hash[WC_SHA_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1286,14 +3570,14 @@ int hmac_sha_test(void)
     a.input  = "Hi There";
     a.output = "\xb6\x17\x31\x86\x55\x05\x72\x64\xe2\x8b\xc0\xb6\xfb\x37\x8c"
                "\x8e\xf1\x46\xbe\x00";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA_DIGEST_SIZE;
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
     b.output = "\xef\xfc\xdf\x6a\xe5\xeb\x2f\xa2\xd2\x74\x16\xd5\xf1\x84\xdf"
                "\x9c\x25\x9a\x7c\x79";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
@@ -1301,8 +3585,8 @@ int hmac_sha_test(void)
                "\xDD\xDD\xDD\xDD\xDD\xDD";
     c.output = "\x12\x5d\x73\x42\xb9\xac\x11\xcd\x91\xa3\x9a\xf4\x8a\xa1\x7b"
                "\x4f\x63\xf1\x75\xd3";
-    c.inLen  = strlen(c.input);
-    c.outLen = SHA_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
@@ -1313,38 +3597,43 @@ int hmac_sha_test(void)
         if (i == 1)
             continue; /* cavium can't handle short keys, fips not allowed */
 #endif
-#ifdef HAVE_CAVIUM
-        if (wc_HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0)
-            return -20010;
-#endif
-        ret = wc_HmacSetKey(&hmac, SHA, (byte*)keys[i], (word32)strlen(keys[i]));
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+            return -3600;
+
+        ret = wc_HmacSetKey(&hmac, WC_SHA, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4018;
+            return -3601;
         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
                    (word32)test_hmac[i].inLen);
         if (ret != 0)
-            return -4019;
+            return -3602;
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4020;
+            return -3603;
 
-        if (memcmp(hash, test_hmac[i].output, SHA_DIGEST_SIZE) != 0)
-            return -20 - i;
-#ifdef HAVE_CAVIUM
-        wc_HmacFreeCavium(&hmac);
-#endif
+        if (XMEMCMP(hash, test_hmac[i].output, WC_SHA_DIGEST_SIZE) != 0)
+            return -3604 - i;
+
+        wc_HmacFree(&hmac);
     }
 
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_SHA) != WC_SHA_DIGEST_SIZE)
+        return -3614;
+#endif
+
     return 0;
 }
 #endif
 
 
-#if !defined(NO_HMAC) && !defined(NO_SHA256)
-int hmac_sha256_test(void)
+#if !defined(NO_HMAC) && defined(WOLFSSL_SHA224)
+int hmac_sha224_test(void)
 {
     Hmac hmac;
-    byte hash[SHA256_DIGEST_SIZE];
+    byte hash[WC_SHA224_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1352,80 +3641,94 @@ int hmac_sha256_test(void)
                                                                 "\x0b\x0b\x0b",
         "Jefe",
         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-                                                                "\xAA\xAA\xAA"
+                                                                "\xAA\xAA\xAA",
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
     };
 
-    testVector a, b, c;
-    testVector test_hmac[3];
+    testVector a, b, c, d;
+    testVector test_hmac[4];
 
     int ret;
     int times = sizeof(test_hmac) / sizeof(testVector), i;
 
     a.input  = "Hi There";
-    a.output = "\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1"
-               "\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32"
-               "\xcf\xf7";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA256_DIGEST_SIZE;
+    a.output = "\x89\x6f\xb1\x12\x8a\xbb\xdf\x19\x68\x32\x10\x7c\xd4\x9d\xf3"
+               "\x3f\x47\xb4\xb1\x16\x99\x12\xba\x4f\x53\x68\x4b\x22";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA224_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
-    b.output = "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75"
-               "\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec"
-               "\x38\x43";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA256_DIGEST_SIZE;
+    b.output = "\xa3\x0e\x01\x09\x8b\xc6\xdb\xbf\x45\x69\x0f\x3a\x7e\x9e\x6d"
+               "\x0f\x8b\xbe\xa2\xa3\x9e\x61\x48\x00\x8f\xd0\x5e\x44";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA224_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD";
-    c.output = "\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81"
-               "\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5"
-               "\x65\xfe";
-    c.inLen  = strlen(c.input);
-    c.outLen = SHA256_DIGEST_SIZE;
+    c.output = "\x7f\xb3\xcb\x35\x88\xc6\xc1\xf6\xff\xa9\x69\x4d\x7d\x6a\xd2"
+               "\x64\x93\x65\xb0\xc1\xf6\x5d\x69\xd1\xec\x83\x33\xea";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA224_DIGEST_SIZE;
+
+    d.input  = "Big Key Input";
+    d.output = "\xe7\x4e\x2b\x8a\xa9\xf0\x37\x2f\xed\xae\x70\x0c\x49\x47\xf1"
+               "\x46\x54\xa7\x32\x6b\x55\x01\x87\xd2\xc8\x02\x0e\x3a";
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA224_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
     test_hmac[2] = c;
+    test_hmac[3] = d;
 
     for (i = 0; i < times; ++i) {
 #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
         if (i == 1)
             continue; /* cavium can't handle short keys, fips not allowed */
 #endif
-#ifdef HAVE_CAVIUM
-        if (wc_HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0)
-            return -20011;
-#endif
-        ret = wc_HmacSetKey(&hmac, SHA256, (byte*)keys[i],(word32)strlen(keys[i]));
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+            return -3700;
+
+        ret = wc_HmacSetKey(&hmac, WC_SHA224, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4021;
+            return -3701;
         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
                    (word32)test_hmac[i].inLen);
         if (ret != 0)
-            return -4022;
+            return -3702;
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4023;
+            return -3703;
 
-        if (memcmp(hash, test_hmac[i].output, SHA256_DIGEST_SIZE) != 0)
-            return -20 - i;
-#ifdef HAVE_CAVIUM
-        wc_HmacFreeCavium(&hmac);
-#endif
+        if (XMEMCMP(hash, test_hmac[i].output, WC_SHA224_DIGEST_SIZE) != 0)
+            return -3704 - i;
+
+        wc_HmacFree(&hmac);
     }
 
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_SHA224) != WC_SHA224_DIGEST_SIZE)
+        return -3714;
+#endif
+
     return 0;
 }
 #endif
 
 
-#if !defined(NO_HMAC) && defined(HAVE_BLAKE2)
-int hmac_blake2b_test(void)
+#if !defined(NO_HMAC) && !defined(NO_SHA256)
+int hmac_sha256_test(void)
 {
     Hmac hmac;
-    byte hash[BLAKE2B_256];
+    byte hash[WC_SHA256_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1433,71 +3736,95 @@ int hmac_blake2b_test(void)
                                                                 "\x0b\x0b\x0b",
         "Jefe",
         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-                                                                "\xAA\xAA\xAA"
+                                                                "\xAA\xAA\xAA",
+        "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
+                                                                "\xAA\xAA\xAA",
     };
 
-    testVector a, b, c;
-    testVector test_hmac[3];
+    testVector a, b, c, d;
+    testVector test_hmac[4];
 
     int ret;
     int times = sizeof(test_hmac) / sizeof(testVector), i;
 
     a.input  = "Hi There";
-    a.output = "\x72\x93\x0d\xdd\xf5\xf7\xe1\x78\x38\x07\x44\x18\x0b\x3f\x51"
-               "\x37\x25\xb5\x82\xc2\x08\x83\x2f\x1c\x99\xfd\x03\xa0\x16\x75"
-               "\xac\xfd";
-    a.inLen  = strlen(a.input);
-    a.outLen = BLAKE2B_256;
+    a.output = "\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1"
+               "\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32"
+               "\xcf\xf7";
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA256_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
-    b.output = "\x3d\x20\x50\x71\x05\xc0\x8c\x0c\x38\x44\x1e\xf7\xf9\xd1\x67"
-               "\x21\xff\x64\xf5\x94\x00\xcf\xf9\x75\x41\xda\x88\x61\x9d\x7c"
-               "\xda\x2b";
-    b.inLen  = strlen(b.input);
-    b.outLen = BLAKE2B_256;
+    b.output = "\x5b\xdc\xc1\x46\xbf\x60\x75\x4e\x6a\x04\x24\x26\x08\x95\x75"
+               "\xc7\x5a\x00\x3f\x08\x9d\x27\x39\x83\x9d\xec\x58\xb9\x64\xec"
+               "\x38\x43";
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA256_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD";
-    c.output = "\xda\xfe\x2a\x24\xfc\xe7\xea\x36\x34\xbe\x41\x92\xc7\x11\xa7"
-               "\x00\xae\x53\x9c\x11\x9c\x80\x74\x55\x22\x25\x4a\xb9\x55\xd3"
-               "\x0f\x87";
-    c.inLen  = strlen(c.input);
-    c.outLen = BLAKE2B_256;
+    c.output = "\x77\x3e\xa9\x1e\x36\x80\x0e\x46\x85\x4d\xb8\xeb\xd0\x91\x81"
+               "\xa7\x29\x59\x09\x8b\x3e\xf8\xc1\x22\xd9\x63\x55\x14\xce\xd5"
+               "\x65\xfe";
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA256_DIGEST_SIZE;
+
+    d.input  = 0;
+    d.output = "\x86\xe5\x4f\xd4\x48\x72\x5d\x7e\x5d\xcf\xe2\x23\x53\xc8\x28"
+               "\xaf\x48\x78\x1e\xb4\x8c\xae\x81\x06\xa7\xe1\xd4\x98\x94\x9f"
+               "\x3e\x46";
+    d.inLen  = 0;
+    d.outLen = WC_SHA256_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
     test_hmac[2] = c;
+    test_hmac[3] = d;
 
     for (i = 0; i < times; ++i) {
 #if defined(HAVE_FIPS) || defined(HAVE_CAVIUM)
         if (i == 1)
             continue; /* cavium can't handle short keys, fips not allowed */
 #endif
-#ifdef HAVE_CAVIUM
-        if (wc_HmacInitCavium(&hmac, CAVIUM_DEV_ID) != 0)
-            return -20011;
+#if defined(HAVE_INTEL_QA) || defined(HAVE_CAVIUM)
+        if (i == 3)
+            continue; /* QuickAssist can't handle empty HMAC */
 #endif
-        ret = wc_HmacSetKey(&hmac, BLAKE2B_ID, (byte*)keys[i],
-                         (word32)strlen(keys[i]));
-        if (ret != 0)
-            return -4024;
-        ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
-                   (word32)test_hmac[i].inLen);
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+            return -3800 - i;
+
+        ret = wc_HmacSetKey(&hmac, WC_SHA256, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4025;
+            return -3810 - i;
+        if (test_hmac[i].input != NULL) {
+            ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
+                       (word32)test_hmac[i].inLen);
+            if (ret != 0)
+                return -3820 - i;
+        }
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4026;
+            return -3830 - i;
 
-        if (memcmp(hash, test_hmac[i].output, BLAKE2B_256) != 0)
-            return -20 - i;
-#ifdef HAVE_CAVIUM
-        wc_HmacFreeCavium(&hmac);
-#endif
+        if (XMEMCMP(hash, test_hmac[i].output, WC_SHA256_DIGEST_SIZE) != 0)
+            return -3840 - i;
+
+        wc_HmacFree(&hmac);
     }
 
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_SHA256) != WC_SHA256_DIGEST_SIZE)
+        return -3850;
+    if (wc_HmacSizeByType(20) != BAD_FUNC_ARG)
+        return -3851;
+#endif
+    if (wolfSSL_GetHmacMaxSize() != WC_MAX_DIGEST_SIZE)
+        return -3852;
+
     return 0;
 }
 #endif
@@ -1507,7 +3834,7 @@ int hmac_blake2b_test(void)
 int hmac_sha384_test(void)
 {
     Hmac hmac;
-    byte hash[SHA384_DIGEST_SIZE];
+    byte hash[WC_SHA384_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1515,11 +3842,20 @@ int hmac_sha384_test(void)
                                                                 "\x0b\x0b\x0b",
         "Jefe",
         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-                                                                "\xAA\xAA\xAA"
+                                                                "\xAA\xAA\xAA",
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
     };
 
-    testVector a, b, c;
-    testVector test_hmac[3];
+    testVector a, b, c, d;
+    testVector test_hmac[4];
 
     int ret;
     int times = sizeof(test_hmac) / sizeof(testVector), i;
@@ -1529,16 +3865,16 @@ int hmac_sha384_test(void)
                "\x7f\x15\xf9\xda\xdb\xe4\x10\x1e\xc6\x82\xaa\x03\x4c\x7c\xeb"
                "\xc5\x9c\xfa\xea\x9e\xa9\x07\x6e\xde\x7f\x4a\xf1\x52\xe8\xb2"
                "\xfa\x9c\xb6";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA384_DIGEST_SIZE;
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA384_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
     b.output = "\xaf\x45\xd2\xe3\x76\x48\x40\x31\x61\x7f\x78\xd2\xb5\x8a\x6b"
                "\x1b\x9c\x7e\xf4\x64\xf5\xa0\x1b\x47\xe4\x2e\xc3\x73\x63\x22"
                "\x44\x5e\x8e\x22\x40\xca\x5e\x69\xe2\xc7\x8b\x32\x39\xec\xfa"
                "\xb2\x16\x49";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA384_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA384_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
@@ -1548,33 +3884,54 @@ int hmac_sha384_test(void)
                "\x6f\x0a\xa6\x35\xd9\x47\xac\x9f\xeb\xe8\x3e\xf4\xe5\x59\x66"
                "\x14\x4b\x2a\x5a\xb3\x9d\xc1\x38\x14\xb9\x4e\x3a\xb6\xe1\x01"
                "\xa3\x4f\x27";
-    c.inLen  = strlen(c.input);
-    c.outLen = SHA384_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA384_DIGEST_SIZE;
+
+    d.input  = "Big Key Input";
+    d.output = "\xd2\x3d\x29\x6e\xf5\x1e\x23\x23\x49\x18\xb3\xbf\x4c\x38\x7b"
+               "\x31\x21\x17\xbb\x09\x73\x27\xf8\x12\x9d\xe9\xc6\x5d\xf9\x54"
+               "\xd6\x38\x5a\x68\x53\x14\xee\xe0\xa6\x4f\x36\x7e\xb2\xf3\x1a"
+               "\x57\x41\x69";
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA384_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
     test_hmac[2] = c;
+    test_hmac[3] = d;
 
     for (i = 0; i < times; ++i) {
 #if defined(HAVE_FIPS)
         if (i == 1)
             continue; /* fips not allowed */
 #endif
-        ret = wc_HmacSetKey(&hmac, SHA384, (byte*)keys[i],(word32)strlen(keys[i]));
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+            return -3900;
+
+        ret = wc_HmacSetKey(&hmac, WC_SHA384, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4027;
+            return -3901;
         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
                    (word32)test_hmac[i].inLen);
         if (ret != 0)
-            return -4028;
+            return -3902;
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4029;
+            return -3903;
+
+        if (XMEMCMP(hash, test_hmac[i].output, WC_SHA384_DIGEST_SIZE) != 0)
+            return -3904 - i;
 
-        if (memcmp(hash, test_hmac[i].output, SHA384_DIGEST_SIZE) != 0)
-            return -20 - i;
+        wc_HmacFree(&hmac);
     }
 
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_SHA384) != WC_SHA384_DIGEST_SIZE)
+        return -3914;
+#endif
+
     return 0;
 }
 #endif
@@ -1584,7 +3941,7 @@ int hmac_sha384_test(void)
 int hmac_sha512_test(void)
 {
     Hmac hmac;
-    byte hash[SHA512_DIGEST_SIZE];
+    byte hash[WC_SHA512_DIGEST_SIZE];
 
     const char* keys[]=
     {
@@ -1592,11 +3949,20 @@ int hmac_sha512_test(void)
                                                                 "\x0b\x0b\x0b",
         "Jefe",
         "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-                                                                "\xAA\xAA\xAA"
+                                                                "\xAA\xAA\xAA",
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
     };
 
-    testVector a, b, c;
-    testVector test_hmac[3];
+    testVector a, b, c, d;
+    testVector test_hmac[4];
 
     int ret;
     int times = sizeof(test_hmac) / sizeof(testVector), i;
@@ -1607,8 +3973,8 @@ int hmac_sha512_test(void)
                "\x7c\xde\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae"
                "\xa3\xf4\xe4\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20"
                "\x3a\x12\x68\x54";
-    a.inLen  = strlen(a.input);
-    a.outLen = SHA512_DIGEST_SIZE;
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_SHA512_DIGEST_SIZE;
 
     b.input  = "what do ya want for nothing?";
     b.output = "\x16\x4b\x7a\x7b\xfc\xf8\x19\xe2\xe3\x95\xfb\xe7\x3b\x56\xe0"
@@ -1616,8 +3982,8 @@ int hmac_sha512_test(void)
                "\x05\x54\x97\x58\xbf\x75\xc0\x5a\x99\x4a\x6d\x03\x4f\x65\xf8"
                "\xf0\xe6\xfd\xca\xea\xb1\xa3\x4d\x4a\x6b\x4b\x63\x6e\x07\x0a"
                "\x38\xbc\xe7\x37";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA512_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA512_DIGEST_SIZE;
 
     c.input  = "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
                "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
@@ -1628,31 +3994,227 @@ int hmac_sha512_test(void)
                "\x9d\x39\xbf\x3e\x84\x82\x79\xa7\x22\xc8\x06\xb4\x85\xa4\x7e"
                "\x67\xc8\x07\xb9\x46\xa3\x37\xbe\xe8\x94\x26\x74\x27\x88\x59"
                "\xe1\x32\x92\xfb";
-    c.inLen  = strlen(c.input);
-    c.outLen = SHA512_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_SHA512_DIGEST_SIZE;
+
+    d.input  = "Big Key Input";
+    d.output = "\x3f\xa9\xc9\xe1\xbd\xbb\x04\x55\x1f\xef\xcc\x92\x33\x08\xeb"
+               "\xcf\xc1\x9a\x5b\x5b\xc0\x7c\x86\x84\xae\x8c\x40\xaf\xb1\x27"
+               "\x87\x38\x92\x04\xa8\xed\xd7\xd7\x07\xa9\x85\xa0\xc2\xcd\x30"
+               "\xc0\x56\x14\x49\xbc\x2f\x69\x15\x6a\x97\xd8\x79\x2f\xb3\x3b"
+               "\x1e\x18\xfe\xfa";
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA512_DIGEST_SIZE;
 
     test_hmac[0] = a;
     test_hmac[1] = b;
     test_hmac[2] = c;
+    test_hmac[3] = d;
 
     for (i = 0; i < times; ++i) {
 #if defined(HAVE_FIPS)
         if (i == 1)
             continue; /* fips not allowed */
 #endif
-        ret = wc_HmacSetKey(&hmac, SHA512, (byte*)keys[i],(word32)strlen(keys[i]));
+
+        if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+            return -4000;
+
+        ret = wc_HmacSetKey(&hmac, WC_SHA512, (byte*)keys[i],
+            (word32)XSTRLEN(keys[i]));
         if (ret != 0)
-            return -4030;
+            return -4001;
         ret = wc_HmacUpdate(&hmac, (byte*)test_hmac[i].input,
                    (word32)test_hmac[i].inLen);
         if (ret != 0)
-            return -4031;
+            return -4002;
         ret = wc_HmacFinal(&hmac, hash);
         if (ret != 0)
-            return -4032;
+            return -4003;
+
+        if (XMEMCMP(hash, test_hmac[i].output, WC_SHA512_DIGEST_SIZE) != 0)
+            return -4004 - i;
+
+        wc_HmacFree(&hmac);
+    }
+
+#ifndef HAVE_FIPS
+    if (wc_HmacSizeByType(WC_SHA512) != WC_SHA512_DIGEST_SIZE)
+        return -4014;
+#endif
+
+    return 0;
+}
+#endif
+
+
+#if !defined(NO_HMAC) && defined(WOLFSSL_SHA3) && \
+    !defined(WOLFSSL_NOSHA3_224) && !defined(WOLFSSL_NOSHA3_256) && \
+    !defined(WOLFSSL_NOSHA3_384) && !defined(WOLFSSL_NOSHA3_512)
+int hmac_sha3_test(void)
+{
+    Hmac hmac;
+    byte hash[WC_SHA3_512_DIGEST_SIZE];
+
+    const char* key[4] =
+    {
+        "Jefe",
+
+        "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+        "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
+
+        "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+        "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
+
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"
+    };
 
-        if (memcmp(hash, test_hmac[i].output, SHA512_DIGEST_SIZE) != 0)
-            return -20 - i;
+    const char* input[4] =
+    {
+        "what do ya want for nothing?",
+
+        "Hi There",
+
+        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
+        "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
+
+        "Big Key Input"
+    };
+
+    const int hashType[4] =
+    {
+        WC_SHA3_224, WC_SHA3_256, WC_SHA3_384, WC_SHA3_512
+    };
+
+    const int hashSz[4] =
+    {
+        WC_SHA3_224_DIGEST_SIZE, WC_SHA3_256_DIGEST_SIZE,
+        WC_SHA3_384_DIGEST_SIZE, WC_SHA3_512_DIGEST_SIZE
+    };
+
+    const char* output[16] =
+    {
+        /* key = jefe, input = what do ya want for nothing? */
+            /* HMAC-SHA3-224 */
+            "\x7f\xdb\x8d\xd8\x8b\xd2\xf6\x0d\x1b\x79\x86\x34\xad\x38\x68\x11"
+            "\xc2\xcf\xc8\x5b\xfa\xf5\xd5\x2b\xba\xce\x5e\x66",
+            /* HMAC-SHA3-256 */
+            "\xc7\xd4\x07\x2e\x78\x88\x77\xae\x35\x96\xbb\xb0\xda\x73\xb8\x87"
+            "\xc9\x17\x1f\x93\x09\x5b\x29\x4a\xe8\x57\xfb\xe2\x64\x5e\x1b\xa5",
+            /* HMAC-SHA3-384 */
+            "\xf1\x10\x1f\x8c\xbf\x97\x66\xfd\x67\x64\xd2\xed\x61\x90\x3f\x21"
+            "\xca\x9b\x18\xf5\x7c\xf3\xe1\xa2\x3c\xa1\x35\x08\xa9\x32\x43\xce"
+            "\x48\xc0\x45\xdc\x00\x7f\x26\xa2\x1b\x3f\x5e\x0e\x9d\xf4\xc2\x0a",
+            /* HMAC-SHA3-512 */
+            "\x5a\x4b\xfe\xab\x61\x66\x42\x7c\x7a\x36\x47\xb7\x47\x29\x2b\x83"
+            "\x84\x53\x7c\xdb\x89\xaf\xb3\xbf\x56\x65\xe4\xc5\xe7\x09\x35\x0b"
+            "\x28\x7b\xae\xc9\x21\xfd\x7c\xa0\xee\x7a\x0c\x31\xd0\x22\xa9\x5e"
+            "\x1f\xc9\x2b\xa9\xd7\x7d\xf8\x83\x96\x02\x75\xbe\xb4\xe6\x20\x24",
+
+        /* key = 0b..., input = Hi There */
+            /* HMAC-SHA3-224 */
+            "\x3b\x16\x54\x6b\xbc\x7b\xe2\x70\x6a\x03\x1d\xca\xfd\x56\x37\x3d"
+            "\x98\x84\x36\x76\x41\xd8\xc5\x9a\xf3\xc8\x60\xf7",
+            /* HMAC-SHA3-256 */
+            "\xba\x85\x19\x23\x10\xdf\xfa\x96\xe2\xa3\xa4\x0e\x69\x77\x43\x51"
+            "\x14\x0b\xb7\x18\x5e\x12\x02\xcd\xcc\x91\x75\x89\xf9\x5e\x16\xbb",
+            /* HMAC-SHA3-384 */
+            "\x68\xd2\xdc\xf7\xfd\x4d\xdd\x0a\x22\x40\xc8\xa4\x37\x30\x5f\x61"
+            "\xfb\x73\x34\xcf\xb5\xd0\x22\x6e\x1b\xc2\x7d\xc1\x0a\x2e\x72\x3a"
+            "\x20\xd3\x70\xb4\x77\x43\x13\x0e\x26\xac\x7e\x3d\x53\x28\x86\xbd",
+            /* HMAC-SHA3-512 */
+            "\xeb\x3f\xbd\x4b\x2e\xaa\xb8\xf5\xc5\x04\xbd\x3a\x41\x46\x5a\xac"
+            "\xec\x15\x77\x0a\x7c\xab\xac\x53\x1e\x48\x2f\x86\x0b\x5e\xc7\xba"
+            "\x47\xcc\xb2\xc6\xf2\xaf\xce\x8f\x88\xd2\x2b\x6d\xc6\x13\x80\xf2"
+            "\x3a\x66\x8f\xd3\x88\x8b\xb8\x05\x37\xc0\xa0\xb8\x64\x07\x68\x9e",
+
+        /* key = aa..., output = dd... */
+            /* HMAC-SHA3-224 */
+            "\x67\x6c\xfc\x7d\x16\x15\x36\x38\x78\x03\x90\x69\x2b\xe1\x42\xd2"
+            "\xdf\x7c\xe9\x24\xb9\x09\xc0\xc0\x8d\xbf\xdc\x1a",
+            /* HMAC-SHA3-256 */
+            "\x84\xec\x79\x12\x4a\x27\x10\x78\x65\xce\xdd\x8b\xd8\x2d\xa9\x96"
+            "\x5e\x5e\xd8\xc3\x7b\x0a\xc9\x80\x05\xa7\xf3\x9e\xd5\x8a\x42\x07",
+            /* HMAC-SHA3-384 */
+            "\x27\x5c\xd0\xe6\x61\xbb\x8b\x15\x1c\x64\xd2\x88\xf1\xf7\x82\xfb"
+            "\x91\xa8\xab\xd5\x68\x58\xd7\x2b\xab\xb2\xd4\x76\xf0\x45\x83\x73"
+            "\xb4\x1b\x6a\xb5\xbf\x17\x4b\xec\x42\x2e\x53\xfc\x31\x35\xac\x6e",
+            /* HMAC-SHA3-512 */
+            "\x30\x9e\x99\xf9\xec\x07\x5e\xc6\xc6\xd4\x75\xed\xa1\x18\x06\x87"
+            "\xfc\xf1\x53\x11\x95\x80\x2a\x99\xb5\x67\x74\x49\xa8\x62\x51\x82"
+            "\x85\x1c\xb3\x32\xaf\xb6\xa8\x9c\x41\x13\x25\xfb\xcb\xcd\x42\xaf"
+            "\xcb\x7b\x6e\x5a\xab\x7e\xa4\x2c\x66\x0f\x97\xfd\x85\x84\xbf\x03",
+
+        /* key = big key, input = Big Key Input */
+            /* HMAC-SHA3-224 */
+            "\x29\xe0\x5e\x46\xc4\xa4\x5e\x46\x74\xbf\xd7\x2d\x1a\xd8\x66\xdb"
+            "\x2d\x0d\x10\x4e\x2b\xfa\xad\x53\x7d\x15\x69\x8b",
+            /* HMAC-SHA3-256 */
+            "\xb5\x5b\x8d\x64\xb6\x9c\x21\xd0\xbf\x20\x5c\xa2\xf7\xb9\xb1\x4e"
+            "\x88\x21\x61\x2c\x66\xc3\x91\xae\x6c\x95\x16\x85\x83\xe6\xf4\x9b",
+            /* HMAC-SHA3-384 */
+            "\xaa\x91\xb3\xa6\x2f\x56\xa1\xbe\x8c\x3e\x74\x38\xdb\x58\xd9\xd3"
+            "\x34\xde\xa0\x60\x6d\x8d\x46\xe0\xec\xa9\xf6\x06\x35\x14\xe6\xed"
+            "\x83\xe6\x7c\x77\x24\x6c\x11\xb5\x90\x82\xb5\x75\xda\x7b\x83\x2d",
+            /* HMAC-SHA3-512 */
+            "\x1c\xc3\xa9\x24\x4a\x4a\x3f\xbd\xc7\x20\x00\x16\x9b\x79\x47\x03"
+            "\x78\x75\x2c\xb5\xf1\x2e\x62\x7c\xbe\xef\x4e\x8f\x0b\x11\x2b\x32"
+            "\xa0\xee\xc9\xd0\x4d\x64\x64\x0b\x37\xf4\xdd\x66\xf7\x8b\xb3\xad"
+            "\x52\x52\x6b\x65\x12\xde\x0d\x7c\xc0\x8b\x60\x01\x6c\x37\xd7\xa8"
+
+    };
+
+    int i = 0, iMax = sizeof(input) / sizeof(input[0]),
+        j, jMax = sizeof(hashType) / sizeof(hashType[0]),
+        ret;
+
+#ifdef HAVE_FIPS
+    /* FIPS requires a minimum length for HMAC keys, and "Jefe" is too
+     * short. Skip it in FIPS builds. */
+    i = 1;
+#endif
+    for (; i < iMax; i++) {
+        for (j = 0; j < jMax; j++) {
+            if (wc_HmacInit(&hmac, HEAP_HINT, devId) != 0)
+                return -4100;
+
+            ret = wc_HmacSetKey(&hmac, hashType[j], (byte*)key[i],
+                                                       (word32)XSTRLEN(key[i]));
+            if (ret != 0)
+                return -4101;
+            ret = wc_HmacUpdate(&hmac, (byte*)input[i],
+                                                     (word32)XSTRLEN(input[i]));
+            if (ret != 0)
+                return -4102;
+            ret = wc_HmacFinal(&hmac, hash);
+            if (ret != 0)
+                return -4103;
+            if (XMEMCMP(hash, output[(i*jMax) + j], hashSz[j]) != 0)
+                return -4104;
+
+            wc_HmacFree(&hmac);
+
+            if (i > 0)
+                continue;
+
+        #ifndef HAVE_FIPS
+            ret = wc_HmacSizeByType(hashType[j]);
+            if (ret != hashSz[j])
+                return -4105;
+        #endif
+        }
     }
 
     return 0;
@@ -1707,16 +4269,14 @@ int arc4_test(void)
     for (i = 0; i < times; ++i) {
         Arc4 enc;
         Arc4 dec;
-        int  keylen = 8;  /* strlen with key 0x00 not good */
+        int  keylen = 8;  /* XSTRLEN with key 0x00 not good */
         if (i == 3)
             keylen = 4;
 
-#ifdef HAVE_CAVIUM
-        if (wc_Arc4InitCavium(&enc, CAVIUM_DEV_ID) != 0)
-            return -20001;
-        if (wc_Arc4InitCavium(&dec, CAVIUM_DEV_ID) != 0)
-            return -20002;
-#endif
+        if (wc_Arc4Init(&enc, HEAP_HINT, devId) != 0)
+            return -4200;
+        if (wc_Arc4Init(&dec, HEAP_HINT, devId) != 0)
+            return -4201;
 
         wc_Arc4SetKey(&enc, (byte*)keys[i], keylen);
         wc_Arc4SetKey(&dec, (byte*)keys[i], keylen);
@@ -1725,16 +4285,14 @@ int arc4_test(void)
                     (word32)test_arc4[i].outLen);
         wc_Arc4Process(&dec, plain,  cipher, (word32)test_arc4[i].outLen);
 
-        if (memcmp(plain, test_arc4[i].input, test_arc4[i].outLen))
-            return -20 - i;
+        if (XMEMCMP(plain, test_arc4[i].input, test_arc4[i].outLen))
+            return -4202 - i;
 
-        if (memcmp(cipher, test_arc4[i].output, test_arc4[i].outLen))
-            return -20 - 5 - i;
+        if (XMEMCMP(cipher, test_arc4[i].output, test_arc4[i].outLen))
+            return -4212 - i;
 
-#ifdef HAVE_CAVIUM
-        wc_Arc4FreeCavium(&enc);
-        wc_Arc4FreeCavium(&dec);
-#endif
+        wc_Arc4Free(&enc);
+        wc_Arc4Free(&dec);
     }
 
     return 0;
@@ -1800,22 +4358,28 @@ int hc128_test(void)
         HC128 dec;
 
         /* align keys/ivs in plain/cipher buffers */
-        memcpy(plain,  keys[i], 16);
-        memcpy(cipher, ivs[i],  16);
+        XMEMCPY(plain,  keys[i], 16);
+        XMEMCPY(cipher, ivs[i],  16);
 
         wc_Hc128_SetKey(&enc, plain, cipher);
         wc_Hc128_SetKey(&dec, plain, cipher);
 
         /* align input */
-        memcpy(plain, test_hc128[i].input, test_hc128[i].outLen);
-        wc_Hc128_Process(&enc, cipher, plain,  (word32)test_hc128[i].outLen);
-        wc_Hc128_Process(&dec, plain,  cipher, (word32)test_hc128[i].outLen);
+        XMEMCPY(plain, test_hc128[i].input, test_hc128[i].outLen);
+        if (wc_Hc128_Process(&enc, cipher, plain,
+                                           (word32)test_hc128[i].outLen) != 0) {
+            return -4300;
+        }
+        if (wc_Hc128_Process(&dec, plain, cipher,
+                                           (word32)test_hc128[i].outLen) != 0) {
+            return -4301;
+        }
 
-        if (memcmp(plain, test_hc128[i].input, test_hc128[i].outLen))
-            return -120 - i;
+        if (XMEMCMP(plain, test_hc128[i].input, test_hc128[i].outLen))
+            return -4302 - i;
 
-        if (memcmp(cipher, test_hc128[i].output, test_hc128[i].outLen))
-            return -120 - 5 - i;
+        if (XMEMCMP(cipher, test_hc128[i].output, test_hc128[i].outLen))
+            return -4312 - i;
     }
 
 #endif /* HAVE_HC128 */
@@ -1873,9 +4437,9 @@ int rabbit_test(void)
         byte*  iv;
 
         /* align keys/ivs in plain/cipher buffers */
-        memcpy(plain,  keys[i], 16);
+        XMEMCPY(plain,  keys[i], 16);
         if (ivs[i]) {
-            memcpy(cipher, ivs[i],   8);
+            XMEMCPY(cipher, ivs[i],   8);
             iv = cipher;
         } else
             iv = NULL;
@@ -1883,15 +4447,15 @@ int rabbit_test(void)
         wc_RabbitSetKey(&dec, plain, iv);
 
         /* align input */
-        memcpy(plain, test_rabbit[i].input, test_rabbit[i].outLen);
+        XMEMCPY(plain, test_rabbit[i].input, test_rabbit[i].outLen);
         wc_RabbitProcess(&enc, cipher, plain,  (word32)test_rabbit[i].outLen);
         wc_RabbitProcess(&dec, plain,  cipher, (word32)test_rabbit[i].outLen);
 
-        if (memcmp(plain, test_rabbit[i].input, test_rabbit[i].outLen))
-            return -130 - i;
+        if (XMEMCMP(plain, test_rabbit[i].input, test_rabbit[i].outLen))
+            return -4400 - i;
 
-        if (memcmp(cipher, test_rabbit[i].output, test_rabbit[i].outLen))
-            return -130 - 5 - i;
+        if (XMEMCMP(cipher, test_rabbit[i].output, test_rabbit[i].outLen))
+            return -4410 - i;
     }
 
     return 0;
@@ -1904,10 +4468,12 @@ int chacha_test(void)
 {
     ChaCha enc;
     ChaCha dec;
-    byte   cipher[32];
-    byte   plain[32];
+    byte   cipher[128];
+    byte   plain[128];
+    byte   sliver[64];
     byte   input[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-    word32 keySz;
+    word32 keySz = 32;
+    int    ret = 0;
     int    i;
     int    times = 4;
 
@@ -1945,14 +4511,138 @@ int chacha_test(void)
 
     const byte* keys[] = {key1, key2, key3, key4};
 
-    static const byte ivs1[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-    static const byte ivs2[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-    static const byte ivs3[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01};
-    static const byte ivs4[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+    static const byte ivs1[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+    static const byte ivs2[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+    static const byte ivs3[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00};
+    static const byte ivs4[] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
 
 
     const byte* ivs[] = {ivs1, ivs2, ivs3, ivs4};
 
+#ifndef BENCH_EMBEDDED
+    static const byte cipher_big_result[] = {
+        0x06, 0xa6, 0x5d, 0x31, 0x21, 0x6c, 0xdb, 0x37, 0x48, 0x7c, 0x01, 0x9d,
+        0x72, 0xdf, 0x0a, 0x5b, 0x64, 0x74, 0x20, 0xba, 0x9e, 0xe0, 0x26, 0x7a,
+        0xbf, 0xdf, 0x83, 0x34, 0x3b, 0x4f, 0x94, 0x3f, 0x37, 0x89, 0xaf, 0x00,
+        0xdf, 0x0f, 0x2e, 0x75, 0x16, 0x41, 0xf6, 0x7a, 0x86, 0x94, 0x9d, 0x32,
+        0x56, 0xf0, 0x79, 0x71, 0x68, 0x6f, 0xa6, 0x6b, 0xc6, 0x59, 0x49, 0xf6,
+        0x10, 0x34, 0x03, 0x03, 0x16, 0x53, 0x9a, 0x98, 0x2a, 0x46, 0xde, 0x17,
+        0x06, 0x65, 0x70, 0xca, 0x0a, 0x1f, 0xab, 0x80, 0x26, 0x96, 0x3f, 0x3e,
+        0x7a, 0x3c, 0xa8, 0x87, 0xbb, 0x65, 0xdd, 0x5e, 0x07, 0x7b, 0x34, 0xe0,
+        0x56, 0xda, 0x32, 0x13, 0x30, 0xc9, 0x0c, 0xd7, 0xba, 0xe4, 0x1f, 0xa6,
+        0x91, 0x4f, 0x72, 0x9f, 0xd9, 0x5c, 0x62, 0x7d, 0xa6, 0xc2, 0xbc, 0x87,
+        0xae, 0x64, 0x11, 0x94, 0x3b, 0xbc, 0x6c, 0x23, 0xbd, 0x7d, 0x00, 0xb4,
+        0x99, 0xf2, 0x68, 0xb5, 0x59, 0x70, 0x93, 0xad, 0x69, 0xd0, 0xb1, 0x28,
+        0x70, 0x92, 0xeb, 0xec, 0x39, 0x80, 0x82, 0xde, 0x44, 0xe2, 0x8a, 0x26,
+        0xb3, 0xe9, 0x45, 0xcf, 0x83, 0x76, 0x9f, 0x6a, 0xa0, 0x46, 0x4a, 0x3d,
+        0x26, 0x56, 0xaf, 0x49, 0x41, 0x26, 0x1b, 0x6a, 0x41, 0x37, 0x65, 0x91,
+        0x72, 0xc4, 0xe7, 0x3c, 0x17, 0x31, 0xae, 0x2e, 0x2b, 0x31, 0x45, 0xe4,
+        0x93, 0xd3, 0x10, 0xaa, 0xc5, 0x62, 0xd5, 0x11, 0x4b, 0x57, 0x1d, 0xad,
+        0x48, 0x06, 0xd0, 0x0d, 0x98, 0xa5, 0xc6, 0x5b, 0xd0, 0x9e, 0x22, 0xc0,
+        0x00, 0x32, 0x5a, 0xf5, 0x1c, 0x89, 0x6d, 0x54, 0x97, 0x55, 0x6b, 0x46,
+        0xc5, 0xc7, 0xc4, 0x48, 0x9c, 0xbf, 0x47, 0xdc, 0x03, 0xc4, 0x1b, 0xcb,
+        0x65, 0xa6, 0x91, 0x9d, 0x6d, 0xf1, 0xb0, 0x7a, 0x4d, 0x3b, 0x03, 0x95,
+        0xf4, 0x8b, 0x0b, 0xae, 0x39, 0xff, 0x3f, 0xf6, 0xc0, 0x14, 0x18, 0x8a,
+        0xe5, 0x19, 0xbd, 0xc1, 0xb4, 0x05, 0x4e, 0x29, 0x2f, 0x0b, 0x33, 0x76,
+        0x28, 0x16, 0xa4, 0xa6, 0x93, 0x04, 0xb5, 0x55, 0x6b, 0x89, 0x3d, 0xa5,
+        0x0f, 0xd3, 0xad, 0xfa, 0xd9, 0xfd, 0x05, 0x5d, 0x48, 0x94, 0x25, 0x5a,
+        0x2c, 0x9a, 0x94, 0x80, 0xb0, 0xe7, 0xcb, 0x4d, 0x77, 0xbf, 0xca, 0xd8,
+        0x55, 0x48, 0xbd, 0x66, 0xb1, 0x85, 0x81, 0xb1, 0x37, 0x79, 0xab, 0x52,
+        0x08, 0x14, 0x12, 0xac, 0xcd, 0x45, 0x4d, 0x53, 0x6b, 0xca, 0x96, 0xc7,
+        0x3b, 0x2f, 0x73, 0xb1, 0x5a, 0x23, 0xbd, 0x65, 0xd5, 0xea, 0x17, 0xb3,
+        0xdc, 0xa1, 0x17, 0x1b, 0x2d, 0xb3, 0x9c, 0xd0, 0xdb, 0x41, 0x77, 0xef,
+        0x93, 0x20, 0x52, 0x3e, 0x9d, 0xf5, 0xbf, 0x33, 0xf7, 0x52, 0xc1, 0x90,
+        0xa0, 0x15, 0x17, 0xce, 0xf7, 0xf7, 0xd0, 0x3a, 0x3b, 0xd1, 0x72, 0x56,
+        0x31, 0x81, 0xae, 0x60, 0xab, 0x40, 0xc1, 0xd1, 0x28, 0x77, 0x53, 0xac,
+        0x9f, 0x11, 0x0a, 0x88, 0x36, 0x4b, 0xda, 0x57, 0xa7, 0x28, 0x5c, 0x85,
+        0xd3, 0x85, 0x9b, 0x79, 0xad, 0x05, 0x1c, 0x37, 0x14, 0x5e, 0x0d, 0xd0,
+        0x23, 0x03, 0x42, 0x1d, 0x48, 0x5d, 0xc5, 0x3c, 0x5a, 0x08, 0xa9, 0x0d,
+        0x6e, 0x82, 0x7c, 0x2e, 0x3c, 0x41, 0xcc, 0x96, 0x8e, 0xad, 0xee, 0x2a,
+        0x61, 0x0b, 0x16, 0x0f, 0xa9, 0x24, 0x40, 0x85, 0xbc, 0x9f, 0x28, 0x8d,
+        0xe6, 0x68, 0x4d, 0x8f, 0x30, 0x48, 0xd9, 0x73, 0x73, 0x6c, 0x9a, 0x7f,
+        0x67, 0xf7, 0xde, 0x4c, 0x0a, 0x8b, 0xe4, 0xb3, 0x08, 0x2a, 0x52, 0xda,
+        0x54, 0xee, 0xcd, 0xb5, 0x62, 0x4a, 0x26, 0x20, 0xfb, 0x40, 0xbb, 0x39,
+        0x3a, 0x0f, 0x09, 0xe8, 0x00, 0xd1, 0x24, 0x97, 0x60, 0xe9, 0x83, 0x83,
+        0xfe, 0x9f, 0x9c, 0x15, 0xcf, 0x69, 0x03, 0x9f, 0x03, 0xe1, 0xe8, 0x6e,
+        0xbd, 0x87, 0x58, 0x68, 0xee, 0xec, 0xd8, 0x29, 0x46, 0x23, 0x49, 0x92,
+        0x72, 0x95, 0x5b, 0x49, 0xca, 0xe0, 0x45, 0x59, 0xb2, 0xca, 0xf4, 0xfc,
+        0xb7, 0x59, 0x37, 0x49, 0x28, 0xbc, 0xf3, 0xd7, 0x61, 0xbc, 0x4b, 0xf3,
+        0xa9, 0x4b, 0x2f, 0x05, 0xa8, 0x01, 0xa5, 0xdc, 0x00, 0x6e, 0x01, 0xb6,
+        0x45, 0x3c, 0xd5, 0x49, 0x7d, 0x5c, 0x25, 0xe8, 0x31, 0x87, 0xb2, 0xb9,
+        0xbf, 0xb3, 0x01, 0x62, 0x0c, 0xd0, 0x48, 0x77, 0xa2, 0x34, 0x0f, 0x16,
+        0x22, 0x28, 0xee, 0x54, 0x08, 0x93, 0x3b, 0xe4, 0xde, 0x7e, 0x63, 0xf7,
+        0x97, 0x16, 0x5d, 0x71, 0x58, 0xc2, 0x2e, 0xf2, 0x36, 0xa6, 0x12, 0x65,
+        0x94, 0x17, 0xac, 0x66, 0x23, 0x7e, 0xc6, 0x72, 0x79, 0x24, 0xce, 0x8f,
+        0x55, 0x19, 0x97, 0x44, 0xfc, 0x55, 0xec, 0x85, 0x26, 0x27, 0xdb, 0x38,
+        0xb1, 0x42, 0x0a, 0xdd, 0x05, 0x99, 0x28, 0xeb, 0x03, 0x6c, 0x9a, 0xe9,
+        0x17, 0xf6, 0x2c, 0xb0, 0xfe, 0xe7, 0xa4, 0xa7, 0x31, 0xda, 0x4d, 0xb0,
+        0x29, 0xdb, 0xdd, 0x8d, 0x12, 0x13, 0x9c, 0xb4, 0xcc, 0x83, 0x97, 0xfb,
+        0x1a, 0xdc, 0x08, 0xd6, 0x30, 0x62, 0xe8, 0xeb, 0x8b, 0x61, 0xcb, 0x1d,
+        0x06, 0xe3, 0xa5, 0x4d, 0x35, 0xdb, 0x59, 0xa8, 0x2d, 0x87, 0x27, 0x44,
+        0x6f, 0xc0, 0x38, 0x97, 0xe4, 0x85, 0x00, 0x02, 0x09, 0xf6, 0x69, 0x3a,
+        0xcf, 0x08, 0x1b, 0x21, 0xbb, 0x79, 0xb1, 0xa1, 0x34, 0x09, 0xe0, 0x80,
+        0xca, 0xb0, 0x78, 0x8a, 0x11, 0x97, 0xd4, 0x07, 0xbe, 0x1b, 0x6a, 0x5d,
+        0xdb, 0xd6, 0x1f, 0x76, 0x6b, 0x16, 0xf0, 0x58, 0x84, 0x5f, 0x59, 0xce,
+        0x62, 0x34, 0xc3, 0xdf, 0x94, 0xb8, 0x2f, 0x84, 0x68, 0xf0, 0xb8, 0x51,
+        0xd9, 0x6d, 0x8e, 0x4a, 0x1d, 0xe6, 0x5c, 0xd8, 0x86, 0x25, 0xe3, 0x24,
+        0xfd, 0x21, 0x61, 0x13, 0x48, 0x3e, 0xf6, 0x7d, 0xa6, 0x71, 0x9b, 0xd2,
+        0x6e, 0xe6, 0xd2, 0x08, 0x94, 0x62, 0x6c, 0x98, 0xfe, 0x2f, 0x9c, 0x88,
+        0x7e, 0x78, 0x15, 0x02, 0x00, 0xf0, 0xba, 0x24, 0x91, 0xf2, 0xdc, 0x47,
+        0x51, 0x4d, 0x15, 0x5e, 0x91, 0x5f, 0x57, 0x5b, 0x1d, 0x35, 0x24, 0x45,
+        0x75, 0x9b, 0x88, 0x75, 0xf1, 0x2f, 0x85, 0xe7, 0x89, 0xd1, 0x01, 0xb4,
+        0xc8, 0x18, 0xb7, 0x97, 0xef, 0x4b, 0x90, 0xf4, 0xbf, 0x10, 0x27, 0x3c,
+        0x60, 0xff, 0xc4, 0x94, 0x20, 0x2f, 0x93, 0x4b, 0x4d, 0xe3, 0x80, 0xf7,
+        0x2c, 0x71, 0xd9, 0xe3, 0x68, 0xb4, 0x77, 0x2b, 0xc7, 0x0d, 0x39, 0x92,
+        0xef, 0x91, 0x0d, 0xb2, 0x11, 0x50, 0x0e, 0xe8, 0xad, 0x3b, 0xf6, 0xb5,
+        0xc6, 0x14, 0x4d, 0x33, 0x53, 0xa7, 0x60, 0x15, 0xc7, 0x27, 0x51, 0xdc,
+        0x54, 0x29, 0xa7, 0x0d, 0x6a, 0x7b, 0x72, 0x13, 0xad, 0x7d, 0x41, 0x19,
+        0x4e, 0x42, 0x49, 0xcc, 0x42, 0xe4, 0xbd, 0x99, 0x13, 0xd9, 0x7f, 0xf3,
+        0x38, 0xa4, 0xb6, 0x33, 0xed, 0x07, 0x48, 0x7e, 0x8e, 0x82, 0xfe, 0x3a,
+        0x9d, 0x75, 0x93, 0xba, 0x25, 0x4e, 0x37, 0x3c, 0x0c, 0xd5, 0x69, 0xa9,
+        0x2d, 0x9e, 0xfd, 0xe8, 0xbb, 0xf5, 0x0c, 0xe2, 0x86, 0xb9, 0x5e, 0x6f,
+        0x28, 0xe4, 0x19, 0xb3, 0x0b, 0xa4, 0x86, 0xd7, 0x24, 0xd0, 0xb8, 0x89,
+        0x7b, 0x76, 0xec, 0x05, 0x10, 0x5b, 0x68, 0xe9, 0x58, 0x66, 0xa3, 0xc5,
+        0xb6, 0x63, 0x20, 0x0e, 0x0e, 0xea, 0x3d, 0x61, 0x5e, 0xda, 0x3d, 0x3c,
+        0xf9, 0xfd, 0xed, 0xa9, 0xdb, 0x52, 0x94, 0x8a, 0x00, 0xca, 0x3c, 0x8d,
+        0x66, 0x8f, 0xb0, 0xf0, 0x5a, 0xca, 0x3f, 0x63, 0x71, 0xbf, 0xca, 0x99,
+        0x37, 0x9b, 0x75, 0x97, 0x89, 0x10, 0x6e, 0xcf, 0xf2, 0xf5, 0xe3, 0xd5,
+        0x45, 0x9b, 0xad, 0x10, 0x71, 0x6c, 0x5f, 0x6f, 0x7f, 0x22, 0x77, 0x18,
+        0x2f, 0xf9, 0x99, 0xc5, 0x69, 0x58, 0x03, 0x12, 0x86, 0x82, 0x3e, 0xbf,
+        0xc2, 0x12, 0x35, 0x43, 0xa3, 0xd9, 0x18, 0x4f, 0x41, 0x11, 0x6b, 0xf3,
+        0x67, 0xaf, 0x3d, 0x78, 0xe4, 0x22, 0x2d, 0xb3, 0x48, 0x43, 0x31, 0x1d,
+        0xef, 0xa8, 0xba, 0x49, 0x8e, 0xa9, 0xa7, 0xb6, 0x18, 0x77, 0x84, 0xca,
+        0xbd, 0xa2, 0x02, 0x1b, 0x6a, 0xf8, 0x5f, 0xda, 0xff, 0xcf, 0x01, 0x6a,
+        0x86, 0x69, 0xa9, 0xe9, 0xcb, 0x60, 0x1e, 0x15, 0xdc, 0x8f, 0x5d, 0x39,
+        0xb5, 0xce, 0x55, 0x5f, 0x47, 0x97, 0xb1, 0x19, 0x6e, 0x21, 0xd6, 0x13,
+        0x39, 0xb2, 0x24, 0xe0, 0x62, 0x82, 0x9f, 0xed, 0x12, 0x81, 0xed, 0xee,
+        0xab, 0xd0, 0x2f, 0x19, 0x89, 0x3f, 0x57, 0x2e, 0xc2, 0xe2, 0x67, 0xe8,
+        0xae, 0x03, 0x56, 0xba, 0xd4, 0xd0, 0xa4, 0x89, 0x03, 0x06, 0x5b, 0xcc,
+        0xf2, 0x22, 0xb8, 0x0e, 0x76, 0x79, 0x4a, 0x42, 0x1d, 0x37, 0x51, 0x5a,
+        0xaa, 0x46, 0x6c, 0x2a, 0xdd, 0x66, 0xfe, 0xc6, 0x68, 0xc3, 0x38, 0xa2,
+        0xae, 0x5b, 0x98, 0x24, 0x5d, 0x43, 0x05, 0x82, 0x38, 0x12, 0xd3, 0xd1,
+        0x75, 0x2d, 0x4f, 0x61, 0xbd, 0xb9, 0x10, 0x87, 0x44, 0x2a, 0x78, 0x07,
+        0xff, 0xf4, 0x0f, 0xa1, 0xf3, 0x68, 0x9f, 0xbe, 0xae, 0xa2, 0x91, 0xf0,
+        0xc7, 0x55, 0x7a, 0x52, 0xd5, 0xa3, 0x8d, 0x6f, 0xe4, 0x90, 0x5c, 0xf3,
+        0x5f, 0xce, 0x3d, 0x23, 0xf9, 0x8e, 0xae, 0x14, 0xfb, 0x82, 0x9a, 0xa3,
+        0x04, 0x5f, 0xbf, 0xad, 0x3e, 0xf2, 0x97, 0x0a, 0x60, 0x40, 0x70, 0x19,
+        0x72, 0xad, 0x66, 0xfb, 0x78, 0x1b, 0x84, 0x6c, 0x98, 0xbc, 0x8c, 0xf8,
+        0x4f, 0xcb, 0xb5, 0xf6, 0xaf, 0x7a, 0xb7, 0x93, 0xef, 0x67, 0x48, 0x02,
+        0x2c, 0xcb, 0xe6, 0x77, 0x0f, 0x7b, 0xc1, 0xee, 0xc5, 0xb6, 0x2d, 0x7e,
+        0x62, 0xa0, 0xc0, 0xa7, 0xa5, 0x80, 0x31, 0x92, 0x50, 0xa1, 0x28, 0x22,
+        0x95, 0x03, 0x17, 0xd1, 0x0f, 0xf6, 0x08, 0xe5, 0xec
+    };
+#define CHACHA_BIG_TEST_SIZE 1305
+#ifndef WOLFSSL_SMALL_STACK
+    byte   cipher_big[CHACHA_BIG_TEST_SIZE] = {0};
+    byte   plain_big[CHACHA_BIG_TEST_SIZE] = {0};
+    byte   input_big[CHACHA_BIG_TEST_SIZE] = {0};
+#else
+    byte*  cipher_big;
+    byte*  plain_big;
+    byte*  input_big;
+#endif /* WOLFSSL_SMALL_STACK */
+    int    block_size;
+#endif /* BENCH_EMBEDDED */
 
     byte a[] = {0x76,0xb8,0xe0,0xad,0xa0,0xf1,0x3d,0x90};
     byte b[] = {0x45,0x40,0xf0,0x5a,0x9f,0x1f,0xb2,0x96};
@@ -1966,6 +4656,29 @@ int chacha_test(void)
     test_chacha[2] = c;
     test_chacha[3] = d;
 
+#ifndef BENCH_EMBEDDED
+#ifdef WOLFSSL_SMALL_STACK
+    cipher_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (cipher_big == NULL) {
+        return MEMORY_E;
+    }
+    plain_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (plain_big == NULL) {
+        return MEMORY_E;
+    }
+    input_big = (byte*)XMALLOC(CHACHA_BIG_TEST_SIZE, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (input_big == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(cipher_big, 0, CHACHA_BIG_TEST_SIZE);
+    XMEMSET(plain_big, 0, CHACHA_BIG_TEST_SIZE);
+    XMEMSET(input_big, 0, CHACHA_BIG_TEST_SIZE);
+#endif /* WOLFSSL_SMALL_STACK */
+#endif /* BENCH_EMBEDDED */
+
     for (i = 0; i < times; ++i) {
         if (i < 3) {
             keySz = 32;
@@ -1978,23 +4691,115 @@ int chacha_test(void)
         XMEMSET(cipher, 0, 32);
         XMEMCPY(cipher + 4, ivs[i], 8);
 
-        wc_Chacha_SetKey(&enc, keys[i], keySz);
-        wc_Chacha_SetKey(&dec, keys[i], keySz);
+        ret |= wc_Chacha_SetKey(&enc, keys[i], keySz);
+        ret |= wc_Chacha_SetKey(&dec, keys[i], keySz);
+        if (ret != 0)
+            return ret;
 
-        wc_Chacha_SetIV(&enc, cipher, 0);
-        wc_Chacha_SetIV(&dec, cipher, 0);
+        ret |= wc_Chacha_SetIV(&enc, cipher, 0);
+        ret |= wc_Chacha_SetIV(&dec, cipher, 0);
+        if (ret != 0)
+            return ret;
         XMEMCPY(plain, input, 8);
 
-        wc_Chacha_Process(&enc, cipher, plain,  (word32)8);
-        wc_Chacha_Process(&dec, plain,  cipher, (word32)8);
+        ret |= wc_Chacha_Process(&enc, cipher, plain,  (word32)8);
+        ret |= wc_Chacha_Process(&dec, plain,  cipher, (word32)8);
+        if (ret != 0)
+            return ret;
+
+        if (XMEMCMP(test_chacha[i], cipher, 8))
+            return -4500 - i;
+
+        if (XMEMCMP(plain, input, 8))
+            return -4510 - i;
+    }
+
+    /* test of starting at a different counter
+       encrypts all of the information and decrypts starting at 2nd chunk */
+    XMEMSET(plain,  0, sizeof(plain));
+    XMEMSET(sliver, 1, sizeof(sliver)); /* set as 1's to not match plain */
+    XMEMSET(cipher, 0, sizeof(cipher));
+    XMEMCPY(cipher + 4, ivs[0], 8);
+
+    ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
+    ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
+    if (ret != 0)
+        return ret;
+
+    ret |= wc_Chacha_SetIV(&enc, cipher, 0);
+    ret |= wc_Chacha_SetIV(&dec, cipher, 1);
+    if (ret != 0)
+        return ret;
+
+    ret |= wc_Chacha_Process(&enc, cipher, plain,  sizeof(plain));
+    ret |= wc_Chacha_Process(&dec, sliver,  cipher + 64, sizeof(sliver));
+    if (ret != 0)
+        return ret;
+
+    if (XMEMCMP(plain + 64, sliver, 64))
+        return -4520;
+
+#ifndef BENCH_EMBEDDED
+    /* test of encrypting more data */
+    keySz = 32;
+
+    ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
+    ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
+    if (ret != 0)
+        return ret;
+
+    ret |= wc_Chacha_SetIV(&enc, ivs[2], 0);
+    ret |= wc_Chacha_SetIV(&dec, ivs[2], 0);
+    if (ret != 0)
+        return ret;
+
+    ret |= wc_Chacha_Process(&enc, cipher_big, plain_big, CHACHA_BIG_TEST_SIZE);
+    ret |= wc_Chacha_Process(&dec, plain_big,  cipher_big,
+                                                          CHACHA_BIG_TEST_SIZE);
+    if (ret != 0)
+        return ret;
 
-        if (memcmp(test_chacha[i], cipher, 8))
-            return -130 - 5 - i;
+    if (XMEMCMP(plain_big, input_big, CHACHA_BIG_TEST_SIZE))
+        return -4521;
 
-        if (memcmp(plain, input, 8))
-            return -130 - i;
+    if (XMEMCMP(cipher_big, cipher_big_result, CHACHA_BIG_TEST_SIZE))
+        return -4522;
+
+    for (i = 0; i < 18; ++i) {
+        /* this will test all paths */
+        // block sizes: 1 2 3 4 7 8 15 16 31 32 63 64 127 128 255 256 511 512
+        block_size = (2 << (i%9)) - (i<9?1:0);
+        keySz = 32;
+
+        ret |= wc_Chacha_SetKey(&enc, keys[0], keySz);
+        ret |= wc_Chacha_SetKey(&dec, keys[0], keySz);
+        if (ret != 0)
+            return ret;
+
+        ret |= wc_Chacha_SetIV(&enc, ivs[2], 0);
+        ret |= wc_Chacha_SetIV(&dec, ivs[2], 0);
+        if (ret != 0)
+            return ret;
+
+        ret |= wc_Chacha_Process(&enc, cipher_big, plain_big,  block_size);
+        ret |= wc_Chacha_Process(&dec, plain_big,  cipher_big, block_size);
+        if (ret != 0)
+            return ret;
+
+        if (XMEMCMP(plain_big, input_big, block_size))
+            return -4523-i;
+
+        if (XMEMCMP(cipher_big, cipher_big_result, block_size))
+            return -4524-i;
     }
 
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(cipher_big, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(plain_big, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(input_big, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif /* WOLFSSL_SMALL_STACK */
+#endif /* BENCH_EMBEDDED */
+
     return 0;
 }
 #endif /* HAVE_CHACHA */
@@ -2008,7 +4813,7 @@ int poly1305_test(void)
     byte     tag[16];
     Poly1305 enc;
 
-    const byte msg[] =
+    static const byte msg1[] =
     {
         0x43,0x72,0x79,0x70,0x74,0x6f,0x67,0x72,
         0x61,0x70,0x68,0x69,0x63,0x20,0x46,0x6f,
@@ -2017,13 +4822,13 @@ int poly1305_test(void)
         0x75,0x70
     };
 
-    const byte msg2[] =
+    static const byte msg2[] =
     {
         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x77,0x6f,0x72,
         0x6c,0x64,0x21
     };
 
-    const byte msg3[] =
+    static const byte msg3[] =
     {
         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
@@ -2031,61 +4836,181 @@ int poly1305_test(void)
         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
     };
 
-    const byte correct[] =
+    static const byte msg4[] =
+    {
+        0xd3,0x1a,0x8d,0x34,0x64,0x8e,0x60,0xdb,
+        0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
+        0xa4,0xad,0xed,0x51,0x29,0x6e,0x08,0xfe,
+        0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
+        0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
+        0x82,0xfa,0xfb,0x69,0xda,0x92,0x72,0x8b,
+        0x1a,0x71,0xde,0x0a,0x9e,0x06,0x0b,0x29,
+        0x05,0xd6,0xa5,0xb6,0x7e,0xcd,0x3b,0x36,
+        0x92,0xdd,0xbd,0x7f,0x2d,0x77,0x8b,0x8c,
+        0x98,0x03,0xae,0xe3,0x28,0x09,0x1b,0x58,
+        0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
+        0x55,0x85,0x80,0x8b,0x48,0x31,0xd7,0xbc,
+        0x3f,0xf4,0xde,0xf0,0x8e,0x4b,0x7a,0x9d,
+        0xe5,0x76,0xd2,0x65,0x86,0xce,0xc6,0x4b,
+        0x61,0x16
+    };
+
+    static const byte msg5[] =
+    {
+        0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+        0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+    };
+
+    static const byte msg6[] =
+    {
+        0xd3,0x1a,0x8d,0x34,0x64,0x8e,0x60,0xdb,
+        0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
+        0xa4,0xad,0xed,0x51,0x29,0x6e,0x08,0xfe,
+        0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
+        0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
+        0x82,0xfa,0xfb,0x69,0xda,0x92,0x72,0x8b,
+        0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
+        0x1a,0x71,0xde,0x0a,0x9e,0x06,0x0b,0x29,
+        0xa9,0xe2,0xb5,0xa7,0x36,0xee,0x62,0xd6,
+        0x3d,0xbe,0xa4,0x5e,0x8c,0xa9,0x67,0x12,
+        0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
+        0x05,0xd6,0xa5,0xb6,0x7e,0xcd,0x3b,0x36,
+        0x92,0xdd,0xbd,0x7f,0x2d,0x77,0x8b,0x8c,
+        0x7b,0x86,0xaf,0xbc,0x53,0xef,0x7e,0xc2,
+        0x98,0x03,0xae,0xe3,0x28,0x09,0x1b,0x58,
+        0xfa,0xb3,0x24,0xe4,0xfa,0xd6,0x75,0x94,
+        0x55,0x85,0x80,0x8b,0x48,0x31,0xd7,0xbc,
+        0x3f,0xf4,0xde,0xf0,0x8e,0x4b,0x7a,0x9d,
+        0xe5,0x76,0xd2,0x65,0x86,0xce,0xc6,0x4b,
+        0x61,0x16
+    };
+
+    byte additional[] =
+    {
+        0x50,0x51,0x52,0x53,0xc0,0xc1,0xc2,0xc3,
+        0xc4,0xc5,0xc6,0xc7
+    };
+
+    static const byte correct0[] =
+    {
+        0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,
+        0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b
+    };
+
+    static const byte correct1[] =
     {
         0xa8,0x06,0x1d,0xc1,0x30,0x51,0x36,0xc6,
         0xc2,0x2b,0x8b,0xaf,0x0c,0x01,0x27,0xa9
-
     };
 
-    const byte correct2[] =
+    static const byte correct2[] =
     {
         0xa6,0xf7,0x45,0x00,0x8f,0x81,0xc9,0x16,
         0xa2,0x0d,0xcc,0x74,0xee,0xf2,0xb2,0xf0
     };
 
-    const byte correct3[] =
+    static const byte correct3[] =
     {
         0x49,0xec,0x78,0x09,0x0e,0x48,0x1e,0xc6,
         0xc2,0x6b,0x33,0xb9,0x1c,0xcc,0x03,0x07
     };
 
-    const byte key[] = {
+    static const byte correct4[] =
+    {
+        0x1a,0xe1,0x0b,0x59,0x4f,0x09,0xe2,0x6a,
+        0x7e,0x90,0x2e,0xcb,0xd0,0x60,0x06,0x91
+    };
+
+    static const byte correct5[] =
+    {
+        0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+    };
+
+    static const byte correct6[] =
+    {
+        0xea,0x11,0x5c,0x4f,0xd0,0xc0,0x10,0xae,
+        0xf7,0xdf,0xda,0x77,0xa2,0xe9,0xaf,0xca
+    };
+
+    static const byte key[] = {
         0x85,0xd6,0xbe,0x78,0x57,0x55,0x6d,0x33,
         0x7f,0x44,0x52,0xfe,0x42,0xd5,0x06,0xa8,
         0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,
         0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b
     };
 
-    const byte key2[] = {
+    static const byte key2[] = {
         0x74,0x68,0x69,0x73,0x20,0x69,0x73,0x20,
         0x33,0x32,0x2d,0x62,0x79,0x74,0x65,0x20,
         0x6b,0x65,0x79,0x20,0x66,0x6f,0x72,0x20,
         0x50,0x6f,0x6c,0x79,0x31,0x33,0x30,0x35
     };
 
-    const byte* msgs[]  = {msg, msg2, msg3};
-    word32      szm[]   = {sizeof(msg),sizeof(msg2),sizeof(msg3)};
-    const byte* keys[]  = {key, key2, key2};
-    const byte* tests[] = {correct, correct2, correct3};
+    static const byte key4[] = {
+        0x7b,0xac,0x2b,0x25,0x2d,0xb4,0x47,0xaf,
+        0x09,0xb6,0x7a,0x55,0xa4,0xe9,0x55,0x84,
+        0x0a,0xe1,0xd6,0x73,0x10,0x75,0xd9,0xeb,
+        0x2a,0x93,0x75,0x78,0x3e,0xd5,0x53,0xff
+    };
+
+    static const byte key5[] = {
+        0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+    };
+
+    const byte* msgs[]  = {NULL, msg1, msg2, msg3, msg5, msg6};
+    word32      szm[]   = {0, sizeof(msg1), sizeof(msg2),
+                           sizeof(msg3), sizeof(msg5), sizeof(msg6)};
+    const byte* keys[]  = {key, key, key2, key2, key5, key};
+    const byte* tests[] = {correct0, correct1, correct2, correct3, correct5,
+                           correct6};
 
-    for (i = 0; i < 3; i++) {
+    for (i = 0; i < 6; i++) {
         ret = wc_Poly1305SetKey(&enc, keys[i], 32);
         if (ret != 0)
-            return -1001;
+            return -4600 - i;
 
         ret = wc_Poly1305Update(&enc, msgs[i], szm[i]);
         if (ret != 0)
-            return -1005;
+            return -4610 - i;
 
         ret = wc_Poly1305Final(&enc, tag);
         if (ret != 0)
-            return -60;
+            return -4620 - i;
 
-        if (memcmp(tag, tests[i], sizeof(tag)))
-            return -61;
+        if (XMEMCMP(tag, tests[i], sizeof(tag)))
+            return -4630 - i;
     }
 
+    /* Check TLS MAC function from 2.8.2 https://tools.ietf.org/html/rfc7539 */
+    XMEMSET(tag, 0, sizeof(tag));
+    ret = wc_Poly1305SetKey(&enc, key4, sizeof(key4));
+    if (ret != 0)
+        return -4640;
+
+    ret = wc_Poly1305_MAC(&enc, additional, sizeof(additional),
+                                   (byte*)msg4, sizeof(msg4), tag, sizeof(tag));
+    if (ret != 0)
+        return -4641;
+
+    if (XMEMCMP(tag, correct4, sizeof(tag)))
+        return -4642;
+
+    /* Check fail of TLS MAC function if altering additional data */
+    XMEMSET(tag, 0, sizeof(tag));
+	additional[0]++;
+    ret = wc_Poly1305_MAC(&enc, additional, sizeof(additional),
+                                   (byte*)msg4, sizeof(msg4), tag, sizeof(tag));
+    if (ret != 0)
+        return -4643;
+
+    if (XMEMCMP(tag, correct4, sizeof(tag)) == 0)
+        return -4644;
+
+
     return 0;
 }
 #endif /* HAVE_POLY1305 */
@@ -2254,95 +5179,350 @@ int chacha20_poly1305_aead_test(void)
         0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f, 0x38
     };
 
-    byte generatedCiphertext[272];
-    byte generatedPlaintext[272];
+    byte generatedCiphertext[265]; /* max plaintext2/cipher2 */
+    byte generatedPlaintext[265];  /* max plaintext2/cipher2 */
     byte generatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
     int err;
 
+    ChaChaPoly_Aead aead;
+
+#if !defined(USE_INTEL_CHACHA_SPEEDUP) && !defined(WOLFSSL_ARMASM)
+    #define TEST_SMALL_CHACHA_CHUNKS 32
+#else
+    #define TEST_SMALL_CHACHA_CHUNKS 64
+#endif
+    #ifdef TEST_SMALL_CHACHA_CHUNKS
+    word32 testLen;
+    #endif
+
     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
 
-    /* Test #1 */
+    /* Parameter Validation testing */
+    /* Encrypt */
+    err = wc_ChaCha20Poly1305_Encrypt(NULL, iv1, aad1, sizeof(aad1), plaintext1,
+            sizeof(plaintext1), generatedCiphertext, generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4700;
+    err = wc_ChaCha20Poly1305_Encrypt(key1, NULL, aad1, sizeof(aad1),
+            plaintext1, sizeof(plaintext1), generatedCiphertext,
+            generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4701;
+    err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), NULL,
+            sizeof(plaintext1), generatedCiphertext, generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4702;
+    err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
+            sizeof(plaintext1), NULL, generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4703;
+    err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
+            sizeof(plaintext1), generatedCiphertext, NULL);
+    if (err != BAD_FUNC_ARG)
+        return -4704;
+    err = wc_ChaCha20Poly1305_Encrypt(key1, iv1, aad1, sizeof(aad1), plaintext1,
+            0, generatedCiphertext, generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4705;
+    /* Decrypt */
+    err = wc_ChaCha20Poly1305_Decrypt(NULL, iv2, aad2, sizeof(aad2), cipher2,
+            sizeof(cipher2), authTag2, generatedPlaintext);
+    if (err != BAD_FUNC_ARG)
+        return -4706;
+    err = wc_ChaCha20Poly1305_Decrypt(key2, NULL, aad2, sizeof(aad2), cipher2,
+            sizeof(cipher2), authTag2, generatedPlaintext);
+    if (err != BAD_FUNC_ARG)
+        return -4707;
+    err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), NULL,
+            sizeof(cipher2), authTag2, generatedPlaintext);
+    if (err != BAD_FUNC_ARG)
+        return -4708;
+    err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
+            sizeof(cipher2), NULL, generatedPlaintext);
+    if (err != BAD_FUNC_ARG)
+        return -4709;
+    err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
+            sizeof(cipher2), authTag2, NULL);
+    if (err != BAD_FUNC_ARG)
+        return -4710;
+    err = wc_ChaCha20Poly1305_Decrypt(key2, iv2, aad2, sizeof(aad2), cipher2,
+            0, authTag2, generatedPlaintext);
+    if (err != BAD_FUNC_ARG)
+        return -4711;
 
+
+    /* Test #1 */
     err = wc_ChaCha20Poly1305_Encrypt(key1, iv1,
                                        aad1, sizeof(aad1),
                                        plaintext1, sizeof(plaintext1),
                                        generatedCiphertext, generatedAuthTag);
-    if (err)
-    {
+    if (err) {
         return err;
     }
 
     /* -- Check the ciphertext and authtag */
-
-    if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1)))
-    {
-        return -1064;
+    if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1))) {
+        return -4712;
     }
-
-    if (XMEMCMP(generatedAuthTag, authTag1, sizeof(authTag1)))
-    {
-        return -1065;
+    if (XMEMCMP(generatedAuthTag, authTag1, sizeof(authTag1))) {
+        return -4713;
     }
 
     /* -- Verify decryption works */
-
     err = wc_ChaCha20Poly1305_Decrypt(key1, iv1,
                                        aad1, sizeof(aad1),
                                        cipher1, sizeof(cipher1),
                                        authTag1, generatedPlaintext);
-    if (err)
-    {
+    if (err) {
         return err;
     }
-
-    if (XMEMCMP(generatedPlaintext, plaintext1, sizeof( plaintext1)))
-    {
-        return -1066;
+    if (XMEMCMP(generatedPlaintext, plaintext1, sizeof(plaintext1))) {
+        return -4714;
     }
 
+
     XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
     XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
     XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
 
     /* Test #2 */
-
     err = wc_ChaCha20Poly1305_Encrypt(key2, iv2,
                                        aad2, sizeof(aad2),
                                        plaintext2, sizeof(plaintext2),
                                        generatedCiphertext, generatedAuthTag);
-    if (err)
-    {
+    if (err) {
         return err;
     }
 
     /* -- Check the ciphertext and authtag */
-
-    if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2)))
-    {
-        return -1067;
+    if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2))) {
+        return -4715;
     }
-
-    if (XMEMCMP(generatedAuthTag, authTag2, sizeof(authTag2)))
-    {
-        return -1068;
+    if (XMEMCMP(generatedAuthTag, authTag2, sizeof(authTag2))) {
+        return -4716;
     }
 
     /* -- Verify decryption works */
-
     err = wc_ChaCha20Poly1305_Decrypt(key2, iv2,
                                       aad2, sizeof(aad2),
                                       cipher2, sizeof(cipher2),
                                       authTag2, generatedPlaintext);
-    if (err)
-    {
+    if (err) {
         return err;
     }
 
-    if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2)))
-    {
-        return -1069;
+    if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2))) {
+        return -4717;
+    }
+
+
+    /* AEAD init/update/final */
+    err = wc_ChaCha20Poly1305_Init(NULL, key1, iv1,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (err != BAD_FUNC_ARG)
+        return -4718;
+    err = wc_ChaCha20Poly1305_Init(&aead, NULL, iv1,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (err != BAD_FUNC_ARG)
+        return -4719;
+    err = wc_ChaCha20Poly1305_Init(&aead, key1, NULL,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (err != BAD_FUNC_ARG)
+        return -4720;
+    err = wc_ChaCha20Poly1305_UpdateAad(NULL, aad1, sizeof(aad1));
+    if (err != BAD_FUNC_ARG)
+        return -4721;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, NULL, sizeof(aad1));
+    if (err != BAD_FUNC_ARG)
+        return -4722;
+    err = wc_ChaCha20Poly1305_UpdateData(NULL, generatedPlaintext,
+        generatedPlaintext, sizeof(plaintext1));
+    if (err != BAD_FUNC_ARG)
+        return -4723;
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedPlaintext, NULL,
+        sizeof(plaintext1));
+    if (err != BAD_FUNC_ARG)
+        return -4724;
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, NULL, generatedPlaintext,
+        sizeof(plaintext1));
+    if (err != BAD_FUNC_ARG)
+        return -4725;
+    err = wc_ChaCha20Poly1305_Final(NULL, generatedAuthTag);
+    if (err != BAD_FUNC_ARG)
+        return -4726;
+    err = wc_ChaCha20Poly1305_Final(&aead, NULL);
+    if (err != BAD_FUNC_ARG)
+        return -4727;
+
+    /* AEAD init/update/final - state tests */
+    aead.state = CHACHA20_POLY1305_STATE_INIT;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
+    if (err != BAD_STATE_E)
+        return -4728;
+    aead.state = CHACHA20_POLY1305_STATE_DATA;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
+    if (err != BAD_STATE_E)
+        return -4729;
+    aead.state = CHACHA20_POLY1305_STATE_INIT;
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedPlaintext,
+        generatedPlaintext, sizeof(plaintext1));
+    if (err != BAD_STATE_E)
+        return -4730;
+    aead.state = CHACHA20_POLY1305_STATE_INIT;
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != BAD_STATE_E)
+        return -4731;
+    aead.state = CHACHA20_POLY1305_STATE_READY;
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != BAD_STATE_E)
+        return -4732;
+
+    XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
+    XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
+    XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
+
+    /* Test 1 - Encrypt */
+    err = wc_ChaCha20Poly1305_Init(&aead, key1, iv1,
+        CHACHA20_POLY1305_AEAD_ENCRYPT);
+    if (err != 0)
+        return -4733;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
+    if (err != 0)
+        return -4734;
+#ifdef TEST_SMALL_CHACHA_CHUNKS
+    /* test doing data in smaller chunks */
+    for (testLen=0; testLen<sizeof(plaintext1); ) {
+        word32 dataLen = sizeof(plaintext1) - testLen;
+        if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
+            dataLen = TEST_SMALL_CHACHA_CHUNKS;
+        err = wc_ChaCha20Poly1305_UpdateData(&aead, &plaintext1[testLen],
+            &generatedCiphertext[testLen], dataLen);
+        if (err != 0)
+            return -4735;
+        testLen += dataLen;
+    }
+#else
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, plaintext1,
+        generatedCiphertext, sizeof(plaintext1));
+#endif
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != 0)
+        return -4736;
+    err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag1);
+    if (err != 0)
+        return -4737;
+    if (XMEMCMP(generatedCiphertext, cipher1, sizeof(cipher1))) {
+        return -4738;
+    }
+
+    /* Test 1 - Decrypt */
+    err = wc_ChaCha20Poly1305_Init(&aead, key1, iv1,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (err != 0)
+        return -4739;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad1, sizeof(aad1));
+    if (err != 0)
+        return -4740;
+#ifdef TEST_SMALL_CHACHA_CHUNKS
+    /* test doing data in smaller chunks */
+    for (testLen=0; testLen<sizeof(plaintext1); ) {
+        word32 dataLen = sizeof(plaintext1) - testLen;
+        if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
+            dataLen = TEST_SMALL_CHACHA_CHUNKS;
+        err = wc_ChaCha20Poly1305_UpdateData(&aead,
+            &generatedCiphertext[testLen], &generatedPlaintext[testLen],
+            dataLen);
+        if (err != 0)
+            return -4741;
+        testLen += dataLen;
+    }
+#else
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedCiphertext,
+        generatedPlaintext, sizeof(cipher1));
+#endif
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != 0)
+        return -4742;
+    err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag1);
+    if (err != 0)
+        return -4743;
+    if (XMEMCMP(generatedPlaintext, plaintext1, sizeof(plaintext1))) {
+        return -4744;
+    }
+
+    XMEMSET(generatedCiphertext, 0, sizeof(generatedCiphertext));
+    XMEMSET(generatedAuthTag, 0, sizeof(generatedAuthTag));
+    XMEMSET(generatedPlaintext, 0, sizeof(generatedPlaintext));
+
+    /* Test 2 - Encrypt */
+    err = wc_ChaCha20Poly1305_Init(&aead, key2, iv2,
+        CHACHA20_POLY1305_AEAD_ENCRYPT);
+    if (err != 0)
+        return -4745;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad2, sizeof(aad2));
+    if (err != 0)
+        return -4746;
+#ifdef TEST_SMALL_CHACHA_CHUNKS
+    /* test doing data in smaller chunks */
+    for (testLen=0; testLen<sizeof(plaintext2); ) {
+        word32 dataLen = sizeof(plaintext2) - testLen;
+        if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
+            dataLen = TEST_SMALL_CHACHA_CHUNKS;
+        err = wc_ChaCha20Poly1305_UpdateData(&aead, &plaintext2[testLen],
+            &generatedCiphertext[testLen], dataLen);
+        if (err != 0)
+            return -4747;
+        testLen += dataLen;
+    }
+#else
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, plaintext2, generatedCiphertext,
+        sizeof(plaintext2));
+#endif
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != 0)
+        return -4748;
+    err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag2);
+    if (err != 0)
+        return -4749;
+    if (XMEMCMP(generatedCiphertext, cipher2, sizeof(cipher2))) {
+        return -4750;
+    }
+
+    /* Test 2 - Decrypt */
+    err = wc_ChaCha20Poly1305_Init(&aead, key2, iv2,
+        CHACHA20_POLY1305_AEAD_DECRYPT);
+    if (err != 0)
+        return -4751;
+    err = wc_ChaCha20Poly1305_UpdateAad(&aead, aad2, sizeof(aad2));
+    if (err != 0)
+        return -4752;
+#ifdef TEST_SMALL_CHACHA_CHUNKS
+    /* test doing data in smaller chunks */
+    for (testLen=0; testLen<sizeof(plaintext2); ) {
+        word32 dataLen = sizeof(plaintext2) - testLen;
+        if (dataLen > TEST_SMALL_CHACHA_CHUNKS)
+            dataLen = TEST_SMALL_CHACHA_CHUNKS;
+        err = wc_ChaCha20Poly1305_UpdateData(&aead,
+            &generatedCiphertext[testLen], &generatedPlaintext[testLen],
+            dataLen);
+        if (err != 0)
+            return -4753;
+        testLen += dataLen;
+    }
+#else
+    err = wc_ChaCha20Poly1305_UpdateData(&aead, generatedCiphertext,
+        generatedPlaintext, sizeof(cipher2));
+#endif
+    err = wc_ChaCha20Poly1305_Final(&aead, generatedAuthTag);
+    if (err != 0)
+        return -4754;
+    err = wc_ChaCha20Poly1305_CheckTag(generatedAuthTag, authTag2);
+    if (err != 0)
+        return -4755;
+    if (XMEMCMP(generatedPlaintext, plaintext2, sizeof(plaintext2))) {
+        return -4756;
     }
 
     return err;
@@ -2386,19 +5566,57 @@ int des_test(void)
 
     ret = wc_Des_SetKey(&enc, key, iv, DES_ENCRYPTION);
     if (ret != 0)
-        return -31;
+        return -4800;
+
+    ret = wc_Des_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
+    if (ret != 0)
+        return -4801;
 
-    wc_Des_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
     ret = wc_Des_SetKey(&dec, key, iv, DES_DECRYPTION);
     if (ret != 0)
-        return -32;
-    wc_Des_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
+        return -4802;
 
-    if (memcmp(plain, vector, sizeof(plain)))
-        return -33;
+    ret = wc_Des_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
+    if (ret != 0)
+        return -4803;
 
-    if (memcmp(cipher, verify, sizeof(cipher)))
-        return -34;
+    if (XMEMCMP(plain, vector, sizeof(plain)))
+        return -4804;
+
+    if (XMEMCMP(cipher, verify, sizeof(cipher)))
+        return -4805;
+
+    ret = wc_Des_CbcEncryptWithKey(cipher, vector, sizeof(vector), key, iv);
+    if (ret != 0)
+        return -4806;
+
+#if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_SHA)
+    {
+        EncryptedInfo info;
+        XMEMSET(&info, 0, sizeof(EncryptedInfo));
+        XMEMCPY(info.iv, iv, sizeof(iv));
+        info.ivSz = sizeof(iv);
+        info.keySz = sizeof(key);
+        info.cipherType = WC_CIPHER_DES;
+
+        ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key,
+                sizeof(key), WC_HASH_TYPE_SHA);
+        if (ret != 0)
+            return -4807;
+
+        /* Test invalid info ptr */
+        ret = wc_BufferKeyEncrypt(NULL, cipher, sizeof(cipher), key,
+                sizeof(key), WC_HASH_TYPE_SHA);
+        if (ret != BAD_FUNC_ARG)
+            return -4808;
+
+        /* Test invalid hash type */
+        ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key,
+                sizeof(key), WC_HASH_TYPE_NONE);
+        if (ret == 0)
+            return -4809;
+    }
+#endif
 
     return 0;
 }
@@ -2444,46 +5662,1852 @@ int des3_test(void)
     int ret;
 
 
-#ifdef HAVE_CAVIUM
-    if (wc_Des3_InitCavium(&enc, CAVIUM_DEV_ID) != 0)
-        return -20005;
-    if (wc_Des3_InitCavium(&dec, CAVIUM_DEV_ID) != 0)
-        return -20006;
-#endif
+    if (wc_Des3Init(&enc, HEAP_HINT, devId) != 0)
+        return -4900;
+    if (wc_Des3Init(&dec, HEAP_HINT, devId) != 0)
+        return -4901;
+
     ret = wc_Des3_SetKey(&enc, key3, iv3, DES_ENCRYPTION);
     if (ret != 0)
-        return -31;
+        return -4902;
     ret = wc_Des3_SetKey(&dec, key3, iv3, DES_DECRYPTION);
     if (ret != 0)
-        return -32;
+        return -4903;
     ret = wc_Des3_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -33;
+        return -4904;
     ret = wc_Des3_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -34;
+        return -4905;
+
+    if (XMEMCMP(plain, vector, sizeof(plain)))
+        return -4906;
+
+    if (XMEMCMP(cipher, verify3, sizeof(cipher)))
+        return -4907;
 
-    if (memcmp(plain, vector, sizeof(plain)))
-        return -35;
+#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
+    /* test the same vectors with using compatibility layer */
+    {
+        DES_key_schedule ks1;
+        DES_key_schedule ks2;
+        DES_key_schedule ks3;
+        DES_cblock iv4;
+
+        XMEMCPY(ks1, key3, sizeof(DES_key_schedule));
+        XMEMCPY(ks2, key3 + 8, sizeof(DES_key_schedule));
+        XMEMCPY(ks3, key3 + 16, sizeof(DES_key_schedule));
+        XMEMCPY(iv4, iv3, sizeof(DES_cblock));
+
+        XMEMSET(plain, 0, sizeof(plain));
+        XMEMSET(cipher, 0, sizeof(cipher));
+
+        DES_ede3_cbc_encrypt(vector, cipher, sizeof(vector), &ks1, &ks2, &ks3,
+                &iv4, DES_ENCRYPT);
+        DES_ede3_cbc_encrypt(cipher, plain, sizeof(cipher), &ks1, &ks2, &ks3,
+                &iv4, DES_DECRYPT);
 
-    if (memcmp(cipher, verify3, sizeof(cipher)))
-        return -36;
+        if (XMEMCMP(plain, vector, sizeof(plain)))
+            return -4908;
+
+        if (XMEMCMP(cipher, verify3, sizeof(cipher)))
+            return -4909;
+    }
+#endif /* OPENSSL_EXTRA */
 
-#ifdef HAVE_CAVIUM
-    wc_Des3_FreeCavium(&enc);
-    wc_Des3_FreeCavium(&dec);
+    wc_Des3Free(&enc);
+    wc_Des3Free(&dec);
+
+#if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_SHA)
+    {
+        EncryptedInfo info;
+        XMEMSET(&info, 0, sizeof(EncryptedInfo));
+        XMEMCPY(info.iv, iv3, sizeof(iv3));
+        info.ivSz = sizeof(iv3);
+        info.keySz = sizeof(key3);
+        info.cipherType = WC_CIPHER_DES3;
+
+        ret = wc_BufferKeyEncrypt(&info, cipher, sizeof(cipher), key3,
+                sizeof(key3), WC_HASH_TYPE_SHA);
+        if (ret != 0)
+            return -4910;
+    }
 #endif
+
     return 0;
 }
 #endif /* NO_DES */
 
 
 #ifndef NO_AES
+
+#if defined(WOLFSSL_AES_OFB) || defined(WOLFSSL_AES_CFB)
+#if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+/* pass in the function, key, iv, plain text and expected and this function
+ * tests that the encryption and decryption is successful */
+static int EVP_test(const WOLFSSL_EVP_CIPHER* type, const byte* key,
+        const byte* iv, const byte* plain, int plainSz,
+        const byte* expected, int expectedSz)
+{
+    EVP_CIPHER_CTX ctx;
+    int idx, ret = 0, cipherSz;
+    byte* cipher;
+
+    cipher = (byte*)XMALLOC(plainSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (cipher == NULL) {
+        return -4911;
+    }
+
+    /* test encrypt */
+    EVP_CIPHER_CTX_init(&ctx);
+    if (EVP_CipherInit(&ctx, type, key, iv, 1) == 0) {
+        ret = -4912;
+        goto EVP_TEST_END;
+    }
+
+    if (EVP_CipherUpdate(&ctx, cipher, &idx, plain, expectedSz) == 0) {
+        ret = -4913;
+        goto EVP_TEST_END;
+    }
+
+    cipherSz = idx;
+    if (EVP_CipherFinal(&ctx, cipher + cipherSz, &idx) == 0) {
+        ret = -4914;
+        goto EVP_TEST_END;
+    }
+    cipherSz += idx;
+
+    if (XMEMCMP(cipher, expected, plainSz)) {
+        ret = -4915;
+        goto EVP_TEST_END;
+    }
+
+    /* test decrypt */
+    EVP_CIPHER_CTX_init(&ctx);
+    if (EVP_CipherInit(&ctx, type, key, iv, 0) == 0) {
+        ret = -4916;
+        goto EVP_TEST_END;
+    }
+
+    if (EVP_CipherUpdate(&ctx, cipher, &idx, cipher, expectedSz) == 0) {
+        ret = -4917;
+        goto EVP_TEST_END;
+    }
+
+    cipherSz = idx;
+    if (EVP_CipherFinal(&ctx, cipher + cipherSz, &idx) == 0) {
+        ret = -4918;
+        goto EVP_TEST_END;
+    }
+    cipherSz += idx;
+
+    if ((expectedSz != cipherSz) || XMEMCMP(plain, cipher, plainSz)) {
+        ret = -4919;
+        goto EVP_TEST_END;
+    }
+
+EVP_TEST_END:
+    XFREE(cipher, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    (void)cipherSz;
+    return ret;
+}
+#endif /* OPENSSL_EXTRA */
+#endif /* WOLFSSL_AES_OFB || WOLFSSL_AES_CFB */
+
+#ifdef WOLFSSL_AES_OFB
+    /* test vector from https://csrc.nist.gov/Projects/cryptographic-algorithm-validation-program/Block-Ciphers */
+    int aesofb_test(void)
+    {
+    #ifdef WOLFSSL_AES_256
+        const byte key1[] =
+        {
+            0xc4,0xc7,0xfa,0xd6,0x53,0x5c,0xb8,0x71,
+            0x4a,0x5c,0x40,0x77,0x9a,0x8b,0xa1,0xd2,
+            0x53,0x3e,0x23,0xb4,0xb2,0x58,0x73,0x2a,
+            0x5b,0x78,0x01,0xf4,0xe3,0x71,0xa7,0x94
+        };
+        const byte iv1[] =
+        {
+            0x5e,0xb9,0x33,0x13,0xb8,0x71,0xff,0x16,
+            0xb9,0x8a,0x9b,0xcb,0x43,0x33,0x0d,0x6f
+        };
+        const byte plain1[] =
+        {
+            0x6d,0x0b,0xb0,0x79,0x63,0x84,0x71,0xe9,
+            0x39,0xd4,0x53,0x14,0x86,0xc1,0x4c,0x25,
+            0x9a,0xee,0xc6,0xf3,0xc0,0x0d,0xfd,0xd6,
+            0xc0,0x50,0xa8,0xba,0xa8,0x20,0xdb,0x71,
+            0xcc,0x12,0x2c,0x4e,0x0c,0x17,0x15,0xef,
+            0x55,0xf3,0x99,0x5a,0x6b,0xf0,0x2a,0x4c
+        };
+        const byte cipher1[] =
+        {
+            0x0f,0x54,0x61,0x71,0x59,0xd0,0x3f,0xfc,
+            0x1b,0xfa,0xfb,0x60,0x29,0x30,0xd7,0x00,
+            0xf4,0xa4,0xa8,0xe6,0xdd,0x93,0x94,0x46,
+            0x64,0xd2,0x19,0xc4,0xc5,0x4d,0xde,0x1b,
+            0x04,0x53,0xe1,0x73,0xf5,0x18,0x74,0xae,
+            0xfd,0x64,0xa2,0xe1,0xe2,0x76,0x13,0xb0
+        };
+    #endif /* WOLFSSL_AES_256 */
+
+
+    #ifdef WOLFSSL_AES_128
+        const byte key2[] =
+        {
+            0x10,0xa5,0x88,0x69,0xd7,0x4b,0xe5,0xa3,
+            0x74,0xcf,0x86,0x7c,0xfb,0x47,0x38,0x59
+        };
+        const byte iv2[] =
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        };
+        const byte plain2[] =
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        };
+        const byte cipher2[] =
+        {
+            0x6d,0x25,0x1e,0x69,0x44,0xb0,0x51,0xe0,
+            0x4e,0xaa,0x6f,0xb4,0xdb,0xf7,0x84,0x65
+        };
+    #endif /* WOLFSSL_AES_128 */
+
+
+    #ifdef WOLFSSL_AES_192
+        const byte key3[] = {
+            0xd0,0x77,0xa0,0x3b,0xd8,0xa3,0x89,0x73,
+            0x92,0x8c,0xca,0xfe,0x4a,0x9d,0x2f,0x45,
+            0x51,0x30,0xbd,0x0a,0xf5,0xae,0x46,0xa9
+        };
+        const byte iv3[] =
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        };
+        const byte cipher3[] =
+        {
+            0xab,0xc7,0x86,0xfb,0x1e,0xdb,0x50,0x45,
+            0x80,0xc4,0xd8,0x82,0xef,0x29,0xa0,0xc7
+        };
+        const byte plain3[] =
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        };
+    #endif /* WOLFSSL_AES_192 */
+
+        Aes enc;
+        byte cipher[AES_BLOCK_SIZE * 4];
+    #ifdef HAVE_AES_DECRYPT
+        Aes dec;
+        byte plain [AES_BLOCK_SIZE * 4];
+    #endif
+        int  ret = 0;
+
+        (void)enc;
+    #ifdef HAVE_AES_DECRYPT
+        (void)dec;
+    #endif
+
+#ifdef WOLFSSL_AES_128
+        /* 128 key size test */
+    #ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_128_ofb(), key2, iv2, plain2, sizeof(plain2),
+                cipher2, sizeof(cipher2));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4920;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4921;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesOfbEncrypt(&enc, cipher, plain2, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4922;
+
+        if (XMEMCMP(cipher, cipher2, AES_BLOCK_SIZE))
+            return -4923;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, plain, cipher2, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4924;
+
+        if (XMEMCMP(plain, plain2, AES_BLOCK_SIZE))
+            return -4925;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+        /* 192 key size test */
+    #ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_192_ofb(), key3, iv3, plain3, sizeof(plain3),
+                cipher3, sizeof(cipher3));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+
+        ret = wc_AesSetKey(&enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4926;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key3, sizeof(key3), iv3, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4927;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesOfbEncrypt(&enc, cipher, plain3, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4928;
+
+        if (XMEMCMP(cipher, cipher3, AES_BLOCK_SIZE))
+            return -4929;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, plain, cipher3, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4930;
+
+        if (XMEMCMP(plain, plain3, AES_BLOCK_SIZE))
+            return -4931;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 key size test */
+    #ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_256_ofb(), key1, iv1, plain1, sizeof(plain1),
+                cipher1, sizeof(cipher1));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+
+        ret = wc_AesSetKey(&enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4932;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4933;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesOfbEncrypt(&enc, cipher, plain1, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4934;
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE))
+            return -4935;
+
+        ret = wc_AesOfbEncrypt(&enc, cipher + AES_BLOCK_SIZE,
+                plain1 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4936;
+
+        if (XMEMCMP(cipher + AES_BLOCK_SIZE, cipher1 + AES_BLOCK_SIZE,
+                    AES_BLOCK_SIZE))
+            return -4937;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, plain, cipher1, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4938;
+
+        if (XMEMCMP(plain, plain1, AES_BLOCK_SIZE))
+            return -4939;
+
+        ret = wc_AesOfbDecrypt(&dec, plain + AES_BLOCK_SIZE,
+                cipher1 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4940;
+
+        if (XMEMCMP(plain + AES_BLOCK_SIZE, plain1 + AES_BLOCK_SIZE,
+                    AES_BLOCK_SIZE))
+            return -4941;
+    #endif /* HAVE_AES_DECRYPT */
+
+        /* multiple blocks at once */
+        ret = wc_AesSetKey(&enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4942;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4943;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesOfbEncrypt(&enc, cipher, plain1, AES_BLOCK_SIZE * 3);
+        if (ret != 0)
+            return -4944;
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 3))
+            return -4945;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, plain, cipher1, AES_BLOCK_SIZE * 3);
+        if (ret != 0)
+            return -4946;
+
+        if (XMEMCMP(plain, plain1, AES_BLOCK_SIZE * 3))
+            return -4947;
+    #endif /* HAVE_AES_DECRYPT */
+
+        /* inline decrypt/encrypt*/
+        ret = wc_AesSetKey(&enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4948;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4949;
+    #endif
+
+        XMEMCPY(cipher, plain1, AES_BLOCK_SIZE * 2);
+        ret = wc_AesOfbEncrypt(&enc, cipher, cipher, AES_BLOCK_SIZE * 2);
+        if (ret != 0)
+            return -4950;
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
+            return -4951;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, cipher, cipher, AES_BLOCK_SIZE * 2);
+        if (ret != 0)
+            return -4952;
+
+        if (XMEMCMP(cipher, plain1, AES_BLOCK_SIZE * 2))
+            return -4953;
+    #endif /* HAVE_AES_DECRYPT */
+
+        /* 256 key size test leftover support */
+        ret = wc_AesSetKey(&enc, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4954;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, sizeof(key1), iv1, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4955;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesOfbEncrypt(&enc, cipher, plain1, 3);
+        if (ret != 0)
+            return -4956;
+
+        if (XMEMCMP(cipher, cipher1, 3))
+            return -4957;
+
+        ret = wc_AesOfbEncrypt(&enc, cipher + 3, plain1 + 3, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4958;
+
+        if (XMEMCMP(cipher + 3, cipher1 + 3, AES_BLOCK_SIZE))
+            return -4959;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesOfbDecrypt(&dec, plain, cipher1, 6);
+        if (ret != 0)
+            return -4960;
+
+        if (XMEMCMP(plain, plain1, 6))
+            return -4961;
+
+        ret = wc_AesOfbDecrypt(&dec, plain + 6, cipher1 + 6, AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4962;
+
+        if (XMEMCMP(plain + 6, plain1 + 6, AES_BLOCK_SIZE))
+            return -4963;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_256 */
+
+        return 0;
+    }
+#endif /* WOLFSSL_AES_OFB */
+
+#if defined(WOLFSSL_AES_CFB)
+    /* Test cases from NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation Methods an*/
+    static int aescfb_test(void)
+    {
+        Aes enc;
+        byte cipher[AES_BLOCK_SIZE * 4];
+    #ifdef HAVE_AES_DECRYPT
+        Aes dec;
+        byte plain [AES_BLOCK_SIZE * 4];
+    #endif
+        int  ret = 0;
+
+        const byte iv[] = {
+            0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+            0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
+        };
+
+#ifdef WOLFSSL_AES_128
+        const byte key1[] =
+        {
+            0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
+            0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+        };
+
+        const byte cipher1[] =
+        {
+            0x3b,0x3f,0xd9,0x2e,0xb7,0x2d,0xad,0x20,
+            0x33,0x34,0x49,0xf8,0xe8,0x3c,0xfb,0x4a,
+            0xc8,0xa6,0x45,0x37,0xa0,0xb3,0xa9,0x3f,
+            0xcd,0xe3,0xcd,0xad,0x9f,0x1c,0xe5,0x8b,
+            0x26,0x75,0x1f,0x67,0xa3,0xcb,0xb1,0x40,
+            0xb1,0x80,0x8c,0xf1,0x87,0xa4,0xf4,0xdf
+        };
+
+        const byte msg1[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef
+        };
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+        /* 192 size key test */
+        const byte key2[] =
+        {
+            0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
+            0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
+            0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
+        };
+
+        const byte cipher2[] =
+        {
+            0xcd,0xc8,0x0d,0x6f,0xdd,0xf1,0x8c,0xab,
+            0x34,0xc2,0x59,0x09,0xc9,0x9a,0x41,0x74,
+            0x67,0xce,0x7f,0x7f,0x81,0x17,0x36,0x21,
+            0x96,0x1a,0x2b,0x70,0x17,0x1d,0x3d,0x7a,
+            0x2e,0x1e,0x8a,0x1d,0xd5,0x9b,0x88,0xb1,
+            0xc8,0xe6,0x0f,0xed,0x1e,0xfa,0xc4,0xc9,
+            0xc0,0x5f,0x9f,0x9c,0xa9,0x83,0x4f,0xa0,
+            0x42,0xae,0x8f,0xba,0x58,0x4b,0x09,0xff
+        };
+
+        const byte msg2[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 size key simple test */
+        const byte key3[] =
+        {
+            0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+            0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+            0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+            0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
+
+        const byte cipher3[] =
+        {
+            0xdc,0x7e,0x84,0xbf,0xda,0x79,0x16,0x4b,
+            0x7e,0xcd,0x84,0x86,0x98,0x5d,0x38,0x60,
+            0x39,0xff,0xed,0x14,0x3b,0x28,0xb1,0xc8,
+            0x32,0x11,0x3c,0x63,0x31,0xe5,0x40,0x7b,
+            0xdf,0x10,0x13,0x24,0x15,0xe5,0x4b,0x92,
+            0xa1,0x3e,0xd0,0xa8,0x26,0x7a,0xe2,0xf9,
+            0x75,0xa3,0x85,0x74,0x1a,0xb9,0xce,0xf8,
+            0x20,0x31,0x62,0x3d,0x55,0xb1,0xe4,0x71
+        };
+
+        const byte msg3[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+#endif /* WOLFSSL_AES_256 */
+
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -4964;
+#ifdef HAVE_AES_DECRYPT
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -4965;
+#endif
+
+#ifdef WOLFSSL_AES_128
+        /* 128 key tests */
+    #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+        ret = EVP_test(EVP_aes_128_cfb128(), key1, iv, msg1, sizeof(msg1),
+                cipher1, sizeof(cipher1));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+
+        ret = wc_AesSetKey(&enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4966;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4967;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfbEncrypt(&enc, cipher, msg1, AES_BLOCK_SIZE * 2);
+        if (ret != 0)
+            return -4968;
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
+            return -4969;
+
+        /* test restarting encryption process */
+        ret = wc_AesCfbEncrypt(&enc, cipher + (AES_BLOCK_SIZE * 2),
+                msg1 + (AES_BLOCK_SIZE * 2), AES_BLOCK_SIZE);
+        if (ret != 0)
+            return -4970;
+
+        if (XMEMCMP(cipher + (AES_BLOCK_SIZE * 2),
+                    cipher1 + (AES_BLOCK_SIZE * 2), AES_BLOCK_SIZE))
+            return -4971;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesCfbDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE * 3);
+        if (ret != 0)
+            return -4972;
+
+        if (XMEMCMP(plain, msg1, AES_BLOCK_SIZE * 3))
+            return -4973;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+        /* 192 key size test */
+    #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+        ret = EVP_test(EVP_aes_192_cfb128(), key2, iv, msg2, sizeof(msg2),
+                cipher2, sizeof(cipher2));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4974;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key2, sizeof(key2), iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4975;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfbEncrypt(&enc, cipher, msg2, AES_BLOCK_SIZE * 4);
+        if (ret != 0)
+            return -4976;
+
+        if (XMEMCMP(cipher, cipher2, AES_BLOCK_SIZE * 4))
+            return -4977;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesCfbDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE * 4);
+        if (ret != 0)
+            return -4978;
+
+        if (XMEMCMP(plain, msg2, AES_BLOCK_SIZE * 4))
+            return -4979;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 key size test */
+    #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+        ret = EVP_test(EVP_aes_256_cfb128(), key3, iv, msg3, sizeof(msg3),
+                cipher3, sizeof(cipher3));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+        ret = wc_AesSetKey(&enc, key3, sizeof(key3), iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4980;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key3, sizeof(key3), iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4981;
+    #endif
+
+        /* test with data left overs, magic lengths are checking near edges */
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfbEncrypt(&enc, cipher, msg3, 4);
+        if (ret != 0)
+            return -4982;
+
+        if (XMEMCMP(cipher, cipher3, 4))
+            return -4983;
+
+        ret = wc_AesCfbEncrypt(&enc, cipher + 4, msg3 + 4, 27);
+        if (ret != 0)
+            return -4984;
+
+        if (XMEMCMP(cipher + 4, cipher3 + 4, 27))
+            return -4985;
+
+        ret = wc_AesCfbEncrypt(&enc, cipher + 31, msg3 + 31,
+                (AES_BLOCK_SIZE * 4) - 31);
+        if (ret != 0)
+            return -4986;
+
+        if (XMEMCMP(cipher, cipher3, AES_BLOCK_SIZE * 4))
+            return -4987;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesCfbDecrypt(&dec, plain, cipher, 4);
+        if (ret != 0)
+            return -4988;
+
+        if (XMEMCMP(plain, msg3, 4))
+            return -4989;
+
+        ret = wc_AesCfbDecrypt(&dec, plain + 4, cipher + 4, 4);
+        if (ret != 0)
+            return -4990;
+
+        ret = wc_AesCfbDecrypt(&dec, plain + 8, cipher + 8, 23);
+        if (ret != 0)
+            return -4991;
+
+        if (XMEMCMP(plain + 4, msg3 + 4, 27))
+            return -4992;
+
+        ret = wc_AesCfbDecrypt(&dec, plain + 31, cipher + 31,
+                (AES_BLOCK_SIZE * 4) - 31);
+        if (ret != 0)
+            return -4993;
+
+        if (XMEMCMP(plain, msg3, AES_BLOCK_SIZE * 4))
+            return -4994;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_256 */
+
+        return ret;
+    }
+
+#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+    static int aescfb1_test(void)
+    {
+        Aes enc;
+        byte cipher[AES_BLOCK_SIZE];
+    #ifdef HAVE_AES_DECRYPT
+        Aes dec;
+        byte plain [AES_BLOCK_SIZE];
+    #endif
+        int  ret = 0;
+
+#ifdef WOLFSSL_AES_128
+        const byte iv[] = {
+            0x4d,0xbb,0xdc,0xaa,0x59,0xf3,0x63,0xc9,
+            0x2a,0x3b,0x98,0x43,0xad,0x20,0xe2,0xb7
+        };
+
+        const byte key1[] =
+        {
+            0xcd,0xef,0x9d,0x06,0x61,0xba,0xe4,0x73,
+            0x8d,0x1a,0x58,0xa2,0xa6,0x22,0x8b,0x66
+        };
+
+        const byte cipher1[] =
+        {
+            0x00
+        };
+
+        const byte msg1[] =
+        {
+            0xC0
+        };
+#endif /* WOLFSSL_AES_128 */
+#ifdef WOLFSSL_AES_192
+        const byte iv2[] = {
+            0x57,0xc6,0x89,0x7c,0x99,0x52,0x28,0x13,
+            0xbf,0x67,0x9c,0xe1,0x13,0x70,0xaf,0x5e
+        };
+
+        const byte key2[] =
+        {
+            0xba,0xa1,0x58,0xa1,0x6b,0x50,0x4a,0x10,
+            0x8e,0xd4,0x33,0x2e,0xe7,0xf2,0x9b,0xf6,
+            0xd1,0xac,0x46,0xa8,0xde,0x5a,0xfe,0x7a
+        };
+
+        const byte cipher2[] =
+        {
+            0x30
+        };
+
+        const byte msg2[] =
+        {
+            0x80
+        };
+#endif /* WOLFSSL_AES_192 */
+#ifdef WOLFSSL_AES_256
+        const byte iv3[] = {
+            0x63,0x2e,0x9f,0x83,0x1f,0xa3,0x80,0x5e,
+            0x52,0x02,0xbc,0xe0,0x6d,0x04,0xf9,0xa0
+        };
+
+        const byte key3[] =
+        {
+            0xf6,0xfa,0xe4,0xf1,0x5d,0x91,0xfc,0x50,
+            0x88,0x78,0x4f,0x84,0xa5,0x37,0x12,0x7e,
+            0x32,0x63,0x55,0x9c,0x62,0x73,0x88,0x20,
+            0xc2,0xcf,0x3d,0xe1,0x1c,0x2a,0x30,0x40
+        };
+
+        const byte cipher3[] =
+        {
+            0xF7, 0x00
+        };
+
+        const byte msg3[] =
+        {
+            0x41, 0xC0
+        };
+#endif /* WOLFSSL_AES_256 */
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -4995;
+#ifdef HAVE_AES_DECRYPT
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -4996;
+#endif
+
+#ifdef WOLFSSL_AES_128
+        /* 128 key tests */
+        ret = wc_AesSetKey(&enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4997;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -4998;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg1, 2);
+        if (ret != 0)
+            return -4999;
+
+        if (cipher[0] != cipher1[0])
+            return -5000;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesCfb1Decrypt(&dec, plain, cipher, 2);
+        if (ret != 0)
+            return -5001;
+
+        if (plain[0] != msg1[0])
+            return -5002;
+    #endif /* HAVE_AES_DECRYPT */
+
+    #ifdef OPENSSL_EXTRA
+        ret = wc_AesSetKey(&enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5003;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg1,
+                sizeof(msg1) * WOLFSSL_BIT_SIZE);
+        if (ret != 0)
+            return -5004;
+
+        ret = EVP_test(EVP_aes_128_cfb1(), key1, iv, msg1, sizeof(msg1),
+                cipher, sizeof(msg1));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+#endif /* WOLFSSL_AES_128 */
+#ifdef WOLFSSL_AES_192
+        /* 192 key tests */
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5005;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg2, 4);
+        if (ret != 0)
+            return -5006;
+        if (XMEMCMP(cipher, cipher2, sizeof(cipher2)) != 0)
+            return -5007;
+
+    #ifdef OPENSSL_EXTRA
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5008;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg2,
+                sizeof(msg2) * WOLFSSL_BIT_SIZE);
+        if (ret != 0)
+            return -5009;
+
+        ret = EVP_test(EVP_aes_192_cfb1(), key2, iv2, msg2, sizeof(msg2),
+                cipher, sizeof(msg2));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 key tests */
+        ret = wc_AesSetKey(&enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5010;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg3, 10);
+        if (ret != 0)
+            return -5011;
+        if (XMEMCMP(cipher, cipher3, sizeof(cipher3)) != 0)
+            return -5012;
+
+    #ifdef OPENSSL_EXTRA
+        ret = wc_AesSetKey(&enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5013;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb1Encrypt(&enc, cipher, msg3,
+                sizeof(msg3) * WOLFSSL_BIT_SIZE);
+        if (ret != 0)
+            return -5014;
+
+        ret = EVP_test(EVP_aes_256_cfb1(), key3, iv3, msg3, sizeof(msg3),
+                cipher, sizeof(msg3));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+#endif /* WOLFSSL_AES_256 */
+        return ret;
+    }
+
+    static int aescfb8_test(void)
+    {
+        Aes enc;
+        byte cipher[AES_BLOCK_SIZE];
+    #ifdef HAVE_AES_DECRYPT
+        Aes dec;
+        byte plain [AES_BLOCK_SIZE];
+    #endif
+        int  ret = 0;
+
+#ifdef WOLFSSL_AES_128
+        const byte iv[] = {
+            0xf4,0x75,0xc6,0x49,0x91,0xb2,0x0e,0xae,
+            0xe1,0x83,0xa2,0x26,0x29,0xe2,0x1e,0x22
+        };
+
+        const byte key1[] =
+        {
+            0xc8,0xfe,0x9b,0xf7,0x7b,0x93,0x0f,0x46,
+            0xd2,0x07,0x8b,0x8c,0x0e,0x65,0x7c,0xd4
+        };
+
+        const byte cipher1[] =
+        {
+            0xd2,0x76,0x91
+        };
+
+        const byte msg1[] =
+        {
+            0xc9,0x06,0x35
+        };
+#endif /* WOLFSSL_AES_128 */
+#ifdef WOLFSSL_AES_192
+        const byte iv2[] = {
+            0x0a,0x02,0x84,0x6b,0x62,0xab,0xb6,0x93,
+            0xef,0x31,0xd7,0x54,0x84,0x2e,0xed,0x29
+        };
+
+        const byte key2[] =
+        {
+            0xba,0xf0,0x8b,0x76,0x31,0x7a,0x65,0xc5,
+            0xf0,0x7a,0xe6,0xf5,0x7e,0xb0,0xe6,0x54,
+            0x88,0x65,0x93,0x24,0xd2,0x97,0x09,0xe3
+        };
+
+        const byte cipher2[] =
+        {
+            0x72,0x9c,0x0b,0x6d,0xeb,0x75,0xfa,0x6e,
+            0xb5,0xe8
+        };
+
+        const byte msg2[] =
+        {
+            0x98,0x95,0x93,0x24,0x02,0x39,0x3d,0xc3,
+            0x3a,0x60
+        };
+#endif
+#ifdef WOLFSSL_AES_256
+        const byte iv3[] = {
+            0x33,0x8c,0x55,0x2f,0xf1,0xec,0xa1,0x44,
+            0x08,0xe0,0x5d,0x8c,0xf9,0xf3,0xb3,0x1b
+        };
+
+        const byte key3[] =
+        {
+            0x06,0x48,0x74,0x09,0x2f,0x7a,0x13,0xcc,
+            0x44,0x62,0x24,0x7a,0xd4,0x23,0xd0,0xe9,
+            0x6e,0xdf,0x42,0xe8,0xb6,0x7a,0x5a,0x23,
+            0xb7,0xa0,0xa6,0x47,0x7b,0x09,0x8e,0x66
+        };
+
+        const byte cipher3[] =
+        {
+            0x1c,0xff,0x95
+        };
+
+        const byte msg3[] =
+        {
+            0xb9,0x74,0xfa
+        };
+#endif
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -5015;
+#ifdef HAVE_AES_DECRYPT
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -5016;
+#endif
+
+#ifdef WOLFSSL_AES_128
+        /* 128 key tests */
+    #ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_128_cfb8(), key1, iv, msg1, sizeof(msg1),
+                cipher1, sizeof(cipher1));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+        ret = wc_AesSetKey(&enc, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5017;
+    #ifdef HAVE_AES_DECRYPT
+        /* decrypt uses AES_ENCRYPTION */
+        ret = wc_AesSetKey(&dec, key1, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5018;
+    #endif
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb8Encrypt(&enc, cipher, msg1, sizeof(msg1));
+        if (ret != 0)
+            return -5019;
+
+        if (XMEMCMP(cipher, cipher1, sizeof(cipher1)) != 0)
+            return -5020;
+
+    #ifdef HAVE_AES_DECRYPT
+        ret = wc_AesCfb8Decrypt(&dec, plain, cipher, sizeof(msg1));
+        if (ret != 0)
+            return -5021;
+
+        if (XMEMCMP(plain, msg1, sizeof(msg1)) != 0)
+            return -5022;
+    #endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_128 */
+#ifdef WOLFSSL_AES_192
+        /* 192 key tests */
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5023;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb8Encrypt(&enc, cipher, msg2, sizeof(msg2));
+        if (ret != 0)
+            return -5024;
+        if (XMEMCMP(cipher, cipher2, sizeof(msg2)) != 0)
+            return -5025;
+#ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_192_cfb8(), key2, iv2, msg2, sizeof(msg2),
+                cipher2, sizeof(msg2));
+        if (ret != 0) {
+            return ret;
+        }
+#endif
+
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 key tests */
+        ret = wc_AesSetKey(&enc, key3, sizeof(key3), iv3, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5026;
+
+        XMEMSET(cipher, 0, sizeof(cipher));
+        ret = wc_AesCfb8Encrypt(&enc, cipher, msg3, sizeof(msg3));
+        if (ret != 0)
+            return -5027;
+        if (XMEMCMP(cipher, cipher3, sizeof(cipher3)) != 0)
+            return -5028;
+
+    #ifdef OPENSSL_EXTRA
+        ret = EVP_test(EVP_aes_256_cfb8(), key3, iv3, msg3, sizeof(msg3),
+                cipher3, sizeof(msg3));
+        if (ret != 0) {
+            return ret;
+        }
+    #endif
+#endif /* WOLFSSL_AES_256 */
+
+        return ret;
+    }
+#endif /* !HAVE_SELFTEST && !HAVE_FIPS */
+#endif /* WOLFSSL_AES_CFB */
+
+
+static int aes_key_size_test(void)
+{
+    int    ret;
+    Aes    aes;
+    byte   key16[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+                       0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 };
+    byte   key24[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+                       0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+                       0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37 };
+    byte   key32[] = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+                       0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+                       0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+                       0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66 };
+    byte   iv[]    = "1234567890abcdef";
+#ifndef HAVE_FIPS
+    word32 keySize;
+#endif
+
+#if !defined(HAVE_FIPS) || \
+    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
+    /* w/ FIPS v1 (cert 2425) wc_AesInit just returns 0 always as it's not
+     * supported with that FIPS version */
+    ret = wc_AesInit(NULL, HEAP_HINT, devId);
+    if (ret != BAD_FUNC_ARG)
+        return -5100;
+#endif
+
+    ret = wc_AesInit(&aes, HEAP_HINT, devId);
+    /* 0 check OK for FIPSv1 */
+    if (ret != 0)
+        return -5101;
+
+#ifndef HAVE_FIPS
+    /* Parameter Validation testing. */
+    ret = wc_AesGetKeySize(NULL, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -5102;
+    ret = wc_AesGetKeySize(&aes, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -5103;
+    ret = wc_AesGetKeySize(NULL, &keySize);
+    if (ret != BAD_FUNC_ARG)
+        return -5104;
+    /* Crashes in FIPS */
+    ret = wc_AesSetKey(NULL, key16, sizeof(key16), iv, AES_ENCRYPTION);
+    if (ret != BAD_FUNC_ARG)
+        return -5105;
+#endif
+    /* NULL IV indicates to use all zeros IV. */
+    ret = wc_AesSetKey(&aes, key16, sizeof(key16), NULL, AES_ENCRYPTION);
+#ifdef WOLFSSL_AES_128
+    if (ret != 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -5106;
+    ret = wc_AesSetKey(&aes, key32, sizeof(key32) - 1, iv, AES_ENCRYPTION);
+    if (ret != BAD_FUNC_ARG)
+        return -5107;
+/* CryptoCell handles rounds internally */
+#if !defined(HAVE_FIPS) && !defined(WOLFSSL_CRYPTOCELL)
+    /* Force invalid rounds */
+    aes.rounds = 16;
+    ret = wc_AesGetKeySize(&aes, &keySize);
+    if (ret != BAD_FUNC_ARG)
+        return -5108;
+#endif
+
+    ret = wc_AesSetKey(&aes, key16, sizeof(key16), iv, AES_ENCRYPTION);
+#ifdef WOLFSSL_AES_128
+    if (ret != 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -5109;
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_128)
+    ret = wc_AesGetKeySize(&aes, &keySize);
+    if (ret != 0 || keySize != sizeof(key16))
+        return -5110;
+#endif
+
+    ret = wc_AesSetKey(&aes, key24, sizeof(key24), iv, AES_ENCRYPTION);
+#ifdef WOLFSSL_AES_192
+    if (ret != 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -5111;
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_192)
+    ret = wc_AesGetKeySize(&aes, &keySize);
+    if (ret != 0 || keySize != sizeof(key24))
+        return -5112;
+#endif
+
+    ret = wc_AesSetKey(&aes, key32, sizeof(key32), iv, AES_ENCRYPTION);
+#ifdef WOLFSSL_AES_256
+    if (ret != 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -5113;
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_AES_256)
+    ret = wc_AesGetKeySize(&aes, &keySize);
+    if (ret != 0 || keySize != sizeof(key32))
+        return -5114;
+#endif
+
+    return 0;
+}
+
+#if defined(WOLFSSL_AES_XTS)
+/* test vectors from http://csrc.nist.gov/groups/STM/cavp/block-cipher-modes.html */
+#ifdef WOLFSSL_AES_128
+static int aes_xts_128_test(void)
+{
+    XtsAes aes;
+    int ret = 0;
+    unsigned char buf[AES_BLOCK_SIZE * 2];
+    unsigned char cipher[AES_BLOCK_SIZE * 2];
+
+    /* 128 key tests */
+    static unsigned char k1[] = {
+        0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
+        0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
+        0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+        0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
+    };
+
+    static unsigned char i1[] = {
+        0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
+        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
+    };
+
+    static unsigned char p1[] = {
+        0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+        0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c
+    };
+
+    /* plain text test of partial block is not from NIST test vector list */
+    static unsigned char pp[] = {
+        0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+        0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
+        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
+    };
+
+    static unsigned char c1[] = {
+        0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a,
+        0x82, 0x50, 0x81, 0xd5, 0xbe, 0x47, 0x1c, 0x63
+    };
+
+    static unsigned char k2[] = {
+        0x39, 0x25, 0x79, 0x05, 0xdf, 0xcc, 0x77, 0x76,
+        0x6c, 0x87, 0x0a, 0x80, 0x6a, 0x60, 0xe3, 0xc0,
+        0x93, 0xd1, 0x2a, 0xcf, 0xcb, 0x51, 0x42, 0xfa,
+        0x09, 0x69, 0x89, 0x62, 0x5b, 0x60, 0xdb, 0x16
+    };
+
+    static unsigned char i2[] = {
+        0x5c, 0xf7, 0x9d, 0xb6, 0xc5, 0xcd, 0x99, 0x1a,
+        0x1c, 0x78, 0x81, 0x42, 0x24, 0x95, 0x1e, 0x84
+    };
+
+    static unsigned char p2[] = {
+        0xbd, 0xc5, 0x46, 0x8f, 0xbc, 0x8d, 0x50, 0xa1,
+        0x0d, 0x1c, 0x85, 0x7f, 0x79, 0x1c, 0x5c, 0xba,
+        0xb3, 0x81, 0x0d, 0x0d, 0x73, 0xcf, 0x8f, 0x20,
+        0x46, 0xb1, 0xd1, 0x9e, 0x7d, 0x5d, 0x8a, 0x56
+    };
+
+    static unsigned char c2[] = {
+        0xd6, 0xbe, 0x04, 0x6d, 0x41, 0xf2, 0x3b, 0x5e,
+        0xd7, 0x0b, 0x6b, 0x3d, 0x5c, 0x8e, 0x66, 0x23,
+        0x2b, 0xe6, 0xb8, 0x07, 0xd4, 0xdc, 0xc6, 0x0e,
+        0xff, 0x8d, 0xbc, 0x1d, 0x9f, 0x7f, 0xc8, 0x22
+    };
+
+#ifdef OPENSSL_EXTRA
+    ret = EVP_test(EVP_aes_128_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2));
+    if (ret != 0) {
+        printf("EVP_aes_128_xts failed!\n");
+        return ret;
+    }
+#endif
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5200;
+
+    ret = wc_AesXtsEncrypt(&aes, buf, p2, sizeof(p2), i2, sizeof(i2));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5201;
+    if (XMEMCMP(c2, buf, sizeof(c2)))
+        return -5202;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5203;
+    ret = wc_AesXtsEncrypt(&aes, buf, p1, sizeof(p1), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5204;
+    if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
+        return -5205;
+
+    /* partial block encryption test */
+    XMEMSET(cipher, 0, sizeof(cipher));
+    ret = wc_AesXtsEncrypt(&aes, cipher, pp, sizeof(pp), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5206;
+    wc_AesXtsFree(&aes);
+
+    /* partial block decrypt test */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5207;
+    ret = wc_AesXtsDecrypt(&aes, buf, cipher, sizeof(pp), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5208;
+    if (XMEMCMP(pp, buf, sizeof(pp)))
+        return -5209;
+
+    /* NIST decrypt test vector */
+    XMEMSET(buf, 0, sizeof(buf));
+    ret = wc_AesXtsDecrypt(&aes, buf, c1, sizeof(c1), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5210;
+    if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
+        return -5211;
+
+    /* fail case with decrypting using wrong key */
+    XMEMSET(buf, 0, sizeof(buf));
+    ret = wc_AesXtsDecrypt(&aes, buf, c2, sizeof(c2), i2, sizeof(i2));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5212;
+    if (XMEMCMP(p2, buf, sizeof(p2)) == 0) /* fail case with wrong key */
+        return -5213;
+
+    /* set correct key and retest */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5214;
+    ret = wc_AesXtsDecrypt(&aes, buf, c2, sizeof(c2), i2, sizeof(i2));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5215;
+    if (XMEMCMP(p2, buf, sizeof(p2)))
+        return -5216;
+    wc_AesXtsFree(&aes);
+
+    return ret;
+}
+#endif /* WOLFSSL_AES_128 */
+
+
+#ifdef WOLFSSL_AES_256
+static int aes_xts_256_test(void)
+{
+    XtsAes aes;
+    int ret = 0;
+    unsigned char buf[AES_BLOCK_SIZE * 3];
+    unsigned char cipher[AES_BLOCK_SIZE * 3];
+
+    /* 256 key tests */
+    static unsigned char k1[] = {
+        0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e,
+        0x48, 0x01, 0xe4, 0x2f, 0x4b, 0x09, 0x47, 0x14,
+        0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+        0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c,
+        0xd6, 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d,
+        0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+        0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58,
+        0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08
+    };
+
+    static unsigned char i1[] = {
+        0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2,
+        0xf0, 0x42, 0x8e, 0x84, 0xa9, 0xf8, 0x75, 0x64
+    };
+
+    static unsigned char p1[] = {
+        0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1,
+        0xac, 0xc6, 0x47, 0xe8, 0x10, 0xbb, 0xc3, 0x64,
+        0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+        0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
+    };
+
+    /* plain text test of partial block is not from NIST test vector list */
+    static unsigned char pp[] = {
+        0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+        0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
+        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5
+    };
+
+    static unsigned char c1[] = {
+        0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5,
+        0x0b, 0x37, 0xf9, 0x34, 0xd4, 0x6a, 0x9b, 0x13,
+        0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+        0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
+    };
+
+    static unsigned char k2[] = {
+        0xad, 0x50, 0x4b, 0x85, 0xd7, 0x51, 0xbf, 0xba,
+        0x69, 0x13, 0xb4, 0xcc, 0x79, 0xb6, 0x5a, 0x62,
+        0xf7, 0xf3, 0x9d, 0x36, 0x0f, 0x35, 0xb5, 0xec,
+        0x4a, 0x7e, 0x95, 0xbd, 0x9b, 0xa5, 0xf2, 0xec,
+        0xc1, 0xd7, 0x7e, 0xa3, 0xc3, 0x74, 0xbd, 0x4b,
+        0x13, 0x1b, 0x07, 0x83, 0x87, 0xdd, 0x55, 0x5a,
+        0xb5, 0xb0, 0xc7, 0xe5, 0x2d, 0xb5, 0x06, 0x12,
+        0xd2, 0xb5, 0x3a, 0xcb, 0x47, 0x8a, 0x53, 0xb4
+    };
+
+    static unsigned char i2[] = {
+        0xe6, 0x42, 0x19, 0xed, 0xe0, 0xe1, 0xc2, 0xa0,
+        0x0e, 0xf5, 0x58, 0x6a, 0xc4, 0x9b, 0xeb, 0x6f
+    };
+
+    static unsigned char p2[] = {
+        0x24, 0xcb, 0x76, 0x22, 0x55, 0xb5, 0xa8, 0x00,
+        0xf4, 0x6e, 0x80, 0x60, 0x56, 0x9e, 0x05, 0x53,
+        0xbc, 0xfe, 0x86, 0x55, 0x3b, 0xca, 0xd5, 0x89,
+        0xc7, 0x54, 0x1a, 0x73, 0xac, 0xc3, 0x9a, 0xbd,
+        0x53, 0xc4, 0x07, 0x76, 0xd8, 0xe8, 0x22, 0x61,
+        0x9e, 0xa9, 0xad, 0x77, 0xa0, 0x13, 0x4c, 0xfc
+    };
+
+    static unsigned char c2[] = {
+        0xa3, 0xc6, 0xf3, 0xf3, 0x82, 0x79, 0x5b, 0x10,
+        0x87, 0xd7, 0x02, 0x50, 0xdb, 0x2c, 0xd3, 0xb1,
+        0xa1, 0x62, 0xa8, 0xb6, 0xdc, 0x12, 0x60, 0x61,
+        0xc1, 0x0a, 0x84, 0xa5, 0x85, 0x3f, 0x3a, 0x89,
+        0xe6, 0x6c, 0xdb, 0xb7, 0x9a, 0xb4, 0x28, 0x9b,
+        0xc3, 0xea, 0xd8, 0x10, 0xe9, 0xc0, 0xaf, 0x92
+    };
+
+#ifdef OPENSSL_EXTRA
+    ret = EVP_test(EVP_aes_256_xts(), k2, i2, p2, sizeof(p2), c2, sizeof(c2));
+    if (ret != 0) {
+        printf("EVP_aes_256_xts failed\n");
+        return ret;
+    }
+#endif
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5300;
+    ret = wc_AesXtsEncrypt(&aes, buf, p2, sizeof(p2), i2, sizeof(i2));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5301;
+    if (XMEMCMP(c2, buf, sizeof(c2)))
+        return -5302;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5303;
+    ret = wc_AesXtsEncrypt(&aes, buf, p1, sizeof(p1), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5304;
+    if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
+        return -5305;
+
+    /* partial block encryption test */
+    XMEMSET(cipher, 0, sizeof(cipher));
+    ret = wc_AesXtsEncrypt(&aes, cipher, pp, sizeof(pp), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5306;
+    wc_AesXtsFree(&aes);
+
+    /* partial block decrypt test */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5307;
+    ret = wc_AesXtsDecrypt(&aes, buf, cipher, sizeof(pp), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5308;
+    if (XMEMCMP(pp, buf, sizeof(pp)))
+        return -5309;
+
+    /* NIST decrypt test vector */
+    XMEMSET(buf, 0, sizeof(buf));
+    ret = wc_AesXtsDecrypt(&aes, buf, c1, sizeof(c1), i1, sizeof(i1));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5310;
+    if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
+        return -5311;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5312;
+    ret = wc_AesXtsDecrypt(&aes, buf, c2, sizeof(c2), i2, sizeof(i2));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5313;
+    if (XMEMCMP(p2, buf, sizeof(p2)))
+        return -5314;
+    wc_AesXtsFree(&aes);
+
+    return ret;
+}
+#endif /* WOLFSSL_AES_256 */
+
+
+#if defined(WOLFSSL_AES_128) && defined(WOLFSSL_AES_256)
+/* both 128 and 256 bit key test */
+static int aes_xts_sector_test(void)
+{
+    XtsAes aes;
+    int ret = 0;
+    unsigned char buf[AES_BLOCK_SIZE * 2];
+
+    /* 128 key tests */
+    static unsigned char k1[] = {
+        0xa3, 0xe4, 0x0d, 0x5b, 0xd4, 0xb6, 0xbb, 0xed,
+        0xb2, 0xd1, 0x8c, 0x70, 0x0a, 0xd2, 0xdb, 0x22,
+        0x10, 0xc8, 0x11, 0x90, 0x64, 0x6d, 0x67, 0x3c,
+        0xbc, 0xa5, 0x3f, 0x13, 0x3e, 0xab, 0x37, 0x3c
+    };
+
+    static unsigned char p1[] = {
+        0x20, 0xe0, 0x71, 0x94, 0x05, 0x99, 0x3f, 0x09,
+        0xa6, 0x6a, 0xe5, 0xbb, 0x50, 0x0e, 0x56, 0x2c
+    };
+
+    static unsigned char c1[] = {
+        0x74, 0x62, 0x35, 0x51, 0x21, 0x02, 0x16, 0xac,
+        0x92, 0x6b, 0x96, 0x50, 0xb6, 0xd3, 0xfa, 0x52
+    };
+    word64 s1 = 141;
+
+    /* 256 key tests */
+    static unsigned char k2[] = {
+        0xef, 0x01, 0x0c, 0xa1, 0xa3, 0x66, 0x3e, 0x32,
+        0x53, 0x43, 0x49, 0xbc, 0x0b, 0xae, 0x62, 0x23,
+        0x2a, 0x15, 0x73, 0x34, 0x85, 0x68, 0xfb, 0x9e,
+        0xf4, 0x17, 0x68, 0xa7, 0x67, 0x4f, 0x50, 0x7a,
+        0x72, 0x7f, 0x98, 0x75, 0x53, 0x97, 0xd0, 0xe0,
+        0xaa, 0x32, 0xf8, 0x30, 0x33, 0x8c, 0xc7, 0xa9,
+        0x26, 0xc7, 0x73, 0xf0, 0x9e, 0x57, 0xb3, 0x57,
+        0xcd, 0x15, 0x6a, 0xfb, 0xca, 0x46, 0xe1, 0xa0
+    };
+
+    static unsigned char p2[] = {
+        0xed, 0x98, 0xe0, 0x17, 0x70, 0xa8, 0x53, 0xb4,
+        0x9d, 0xb9, 0xe6, 0xaa, 0xf8, 0x8f, 0x0a, 0x41,
+        0xb9, 0xb5, 0x6e, 0x91, 0xa5, 0xa2, 0xb1, 0x1d,
+        0x40, 0x52, 0x92, 0x54, 0xf5, 0x52, 0x3e, 0x75
+    };
+
+    static unsigned char c2[] = {
+        0xca, 0x20, 0xc5, 0x5e, 0x8d, 0xc1, 0x49, 0x68,
+        0x7d, 0x25, 0x41, 0xde, 0x39, 0xc3, 0xdf, 0x63,
+        0x00, 0xbb, 0x5a, 0x16, 0x3c, 0x10, 0xce, 0xd3,
+        0x66, 0x6b, 0x13, 0x57, 0xdb, 0x8b, 0xd3, 0x9d
+    };
+    word64 s2 = 187;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5400;
+    ret = wc_AesXtsEncryptSector(&aes, buf, p1, sizeof(p1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5401;
+    if (XMEMCMP(c1, buf, AES_BLOCK_SIZE))
+        return -5402;
+
+    /* decrypt test */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5403;
+    ret = wc_AesXtsDecryptSector(&aes, buf, c1, sizeof(c1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5404;
+    if (XMEMCMP(p1, buf, AES_BLOCK_SIZE))
+        return -5405;
+    wc_AesXtsFree(&aes);
+
+    /* 256 bit key tests */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5406;
+    ret = wc_AesXtsEncryptSector(&aes, buf, p2, sizeof(p2), s2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5407;
+    if (XMEMCMP(c2, buf, sizeof(c2)))
+        return -5408;
+
+    /* decrypt test */
+    XMEMSET(buf, 0, sizeof(buf));
+    if (wc_AesXtsSetKey(&aes, k2, sizeof(k2), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5409;
+    ret = wc_AesXtsDecryptSector(&aes, buf, c2, sizeof(c2), s2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5410;
+    if (XMEMCMP(p2, buf, sizeof(p2)))
+        return -5411;
+    wc_AesXtsFree(&aes);
+
+    return ret;
+}
+#endif /* WOLFSSL_AES_128 && WOLFSSL_AES_256 */
+
+
+#ifdef WOLFSSL_AES_128
+/* testing of bad arguments */
+static int aes_xts_args_test(void)
+{
+    XtsAes aes;
+    int ret = 0;
+    unsigned char buf[AES_BLOCK_SIZE * 2];
+
+    /* 128 key tests */
+    static unsigned char k1[] = {
+        0xa3, 0xe4, 0x0d, 0x5b, 0xd4, 0xb6, 0xbb, 0xed,
+        0xb2, 0xd1, 0x8c, 0x70, 0x0a, 0xd2, 0xdb, 0x22,
+        0x10, 0xc8, 0x11, 0x90, 0x64, 0x6d, 0x67, 0x3c,
+        0xbc, 0xa5, 0x3f, 0x13, 0x3e, 0xab, 0x37, 0x3c
+    };
+
+    static unsigned char p1[] = {
+        0x20, 0xe0, 0x71, 0x94, 0x05, 0x99, 0x3f, 0x09,
+        0xa6, 0x6a, 0xe5, 0xbb, 0x50, 0x0e, 0x56, 0x2c
+    };
+
+    static unsigned char c1[] = {
+        0x74, 0x62, 0x35, 0x51, 0x21, 0x02, 0x16, 0xac,
+        0x92, 0x6b, 0x96, 0x50, 0xb6, 0xd3, 0xfa, 0x52
+    };
+    word64 s1 = 141;
+
+    if (wc_AesXtsSetKey(NULL, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) == 0)
+        return -5500;
+    if (wc_AesXtsSetKey(&aes, NULL, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) == 0)
+        return -5501;
+
+    /* encryption operations */
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_ENCRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5502;
+    ret = wc_AesXtsEncryptSector(NULL, buf, p1, sizeof(p1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret == 0)
+        return -5503;
+
+    ret = wc_AesXtsEncryptSector(&aes, NULL, p1, sizeof(p1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret == 0)
+        return -5504;
+    wc_AesXtsFree(&aes);
+
+    /* decryption operations */
+    if (wc_AesXtsSetKey(&aes, k1, sizeof(k1), AES_DECRYPTION,
+            HEAP_HINT, devId) != 0)
+        return -5505;
+    ret = wc_AesXtsDecryptSector(NULL, buf, c1, sizeof(c1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret == 0)
+        return -5506;
+
+    ret = wc_AesXtsDecryptSector(&aes, NULL, c1, sizeof(c1), s1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &aes.aes.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret == 0)
+        return -5507;
+    wc_AesXtsFree(&aes);
+
+    return 0;
+}
+#endif /* WOLFSSL_AES_128 */
+#endif /* WOLFSSL_AES_XTS */
+
+#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
+static int aes_cbc_test(void)
+{
+    byte cipher[AES_BLOCK_SIZE];
+    byte plain[AES_BLOCK_SIZE];
+    int  ret;
+    const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
+        0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
+        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
+        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
+    };
+    byte key[] = "0123456789abcdef   ";  /* align */
+    byte iv[]  = "1234567890abcdef   ";  /* align */
+
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
+
+    /* Parameter Validation testing. */
+    ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key, 17, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -5600;
+#ifdef HAVE_AES_DECRYPT
+    ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key, 17, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -5601;
+#endif
+
+    ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key,
+                                  AES_BLOCK_SIZE, iv);
+    if (ret != 0)
+        return -5602;
+#ifdef HAVE_AES_DECRYPT
+    ret = wc_AesCbcDecryptWithKey(plain, cipher, AES_BLOCK_SIZE, key,
+                                  AES_BLOCK_SIZE, iv);
+    if (ret != 0)
+        return -5603;
+    if (XMEMCMP(plain, msg, AES_BLOCK_SIZE) != 0)
+        return -5604;
+#endif /* HAVE_AES_DECRYPT */
+
+    (void)plain;
+    return 0;
+}
+#endif
+
 int aes_test(void)
 {
+#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER)
     Aes enc;
+    byte cipher[AES_BLOCK_SIZE * 4];
+#if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
     Aes dec;
+    byte plain [AES_BLOCK_SIZE * 4];
+#endif
+#endif /* HAVE_AES_CBC || WOLFSSL_AES_COUNTER */
+    int  ret = 0;
 
+#ifdef HAVE_AES_CBC
+#ifdef WOLFSSL_AES_128
     const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
         0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
         0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
@@ -2499,55 +7523,235 @@ int aes_test(void)
     byte key[] = "0123456789abcdef   ";  /* align */
     byte iv[]  = "1234567890abcdef   ";  /* align */
 
-    byte cipher[AES_BLOCK_SIZE * 4];
-    byte plain [AES_BLOCK_SIZE * 4];
-    int  ret;
-
-#ifdef HAVE_CAVIUM
-        if (wc_AesInitCavium(&enc, CAVIUM_DEV_ID) != 0)
-            return -20003;
-        if (wc_AesInitCavium(&dec, CAVIUM_DEV_ID) != 0)
-            return -20004;
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -5700;
+#if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -5701;
 #endif
     ret = wc_AesSetKey(&enc, key, AES_BLOCK_SIZE, iv, AES_ENCRYPTION);
     if (ret != 0)
-        return -1001;
+        return -5702;
+#if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
     ret = wc_AesSetKey(&dec, key, AES_BLOCK_SIZE, iv, AES_DECRYPTION);
     if (ret != 0)
-        return -1002;
+        return -5703;
+#endif
 
-    ret = wc_AesCbcEncrypt(&enc, cipher, msg,   AES_BLOCK_SIZE);
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE * 4);
+    ret = wc_AesCbcEncrypt(&enc, cipher, msg, AES_BLOCK_SIZE);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -1005;
+        return -5704;
+#ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE * 4);
     ret = wc_AesCbcDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -1006;
+        return -5705;
 
-    if (memcmp(plain, msg, AES_BLOCK_SIZE))
-        return -60;
+    if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+        return -5706;
+#endif /* HAVE_AES_DECRYPT */
+    if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+        return -5707;
+#endif /* WOLFSSL_AES_128 */
 
-    if (memcmp(cipher, verify, AES_BLOCK_SIZE))
-        return -61;
+#if defined(WOLFSSL_AESNI) && defined(HAVE_AES_DECRYPT)
+    {
+        const byte bigMsg[] = {
+            /* "All work and no play makes Jack a dull boy. " */
+            0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
+            0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
+            0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
+            0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
+            0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
+            0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
+            0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
+            0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
+            0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
+            0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
+            0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
+            0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
+            0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
+            0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
+            0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
+            0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
+            0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
+            0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
+            0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
+            0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
+            0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
+            0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
+            0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
+            0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
+            0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
+            0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
+            0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
+            0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
+            0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
+            0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
+            0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
+            0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
+            0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
+            0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
+            0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
+            0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
+            0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20,
+            0x61,0x20,0x64,0x75,0x6c,0x6c,0x20,0x62,
+            0x6f,0x79,0x2e,0x20,0x41,0x6c,0x6c,0x20,
+            0x77,0x6f,0x72,0x6b,0x20,0x61,0x6e,0x64,
+            0x20,0x6e,0x6f,0x20,0x70,0x6c,0x61,0x79,
+            0x20,0x6d,0x61,0x6b,0x65,0x73,0x20,0x4a,
+            0x61,0x63,0x6b,0x20,0x61,0x20,0x64,0x75,
+            0x6c,0x6c,0x20,0x62,0x6f,0x79,0x2e,0x20,
+            0x41,0x6c,0x6c,0x20,0x77,0x6f,0x72,0x6b,
+            0x20,0x61,0x6e,0x64,0x20,0x6e,0x6f,0x20,
+            0x70,0x6c,0x61,0x79,0x20,0x6d,0x61,0x6b,
+            0x65,0x73,0x20,0x4a,0x61,0x63,0x6b,0x20
+        };
+        const byte bigKey[] = "0123456789abcdeffedcba9876543210";
+        byte bigCipher[sizeof(bigMsg)];
+        byte bigPlain[sizeof(bigMsg)];
+        word32 keySz, msgSz;
+
+        /* Iterate from one AES_BLOCK_SIZE of bigMsg through the whole
+         * message by AES_BLOCK_SIZE for each size of AES key. */
+        for (keySz = 16; keySz <= 32; keySz += 8) {
+            for (msgSz = AES_BLOCK_SIZE;
+                 msgSz <= sizeof(bigMsg);
+                 msgSz += AES_BLOCK_SIZE) {
+
+                XMEMSET(bigCipher, 0, sizeof(bigCipher));
+                XMEMSET(bigPlain, 0, sizeof(bigPlain));
+                ret = wc_AesSetKey(&enc, bigKey, keySz, iv, AES_ENCRYPTION);
+                if (ret != 0)
+                    return -5708;
+                ret = wc_AesSetKey(&dec, bigKey, keySz, iv, AES_DECRYPTION);
+                if (ret != 0)
+                    return -5709;
+
+                ret = wc_AesCbcEncrypt(&enc, bigCipher, bigMsg, msgSz);
+            #if defined(WOLFSSL_ASYNC_CRYPT)
+                ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+            #endif
+                if (ret != 0)
+                    return -5710;
 
-#ifdef HAVE_CAVIUM
-        wc_AesFreeCavium(&enc);
-        wc_AesFreeCavium(&dec);
-#endif
-#ifdef WOLFSSL_AES_COUNTER
+                ret = wc_AesCbcDecrypt(&dec, bigPlain, bigCipher, msgSz);
+            #if defined(WOLFSSL_ASYNC_CRYPT)
+                ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+            #endif
+                if (ret != 0)
+                    return -5711;
+
+                if (XMEMCMP(bigPlain, bigMsg, msgSz))
+                    return -5712;
+            }
+        }
+    }
+#endif /* WOLFSSL_AESNI && HAVE_AES_DECRYPT */
+
+    /* Test of AES IV state with encrypt/decrypt */
+#ifdef WOLFSSL_AES_128
     {
-        const byte ctrKey[] =
+        /* Test Vector from "NIST Special Publication 800-38A, 2001 Edition"
+         * https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf
+         */
+        const byte msg2[] =
         {
-            0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
-            0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+            0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+            0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+            0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+            0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51
+        };
+
+        const byte verify2[] =
+        {
+            0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46,
+            0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
+            0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee,
+            0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2
+        };
+        byte key2[] = {
+            0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+            0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+        };
+        byte iv2[]  = {
+            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
         };
 
+
+        ret = wc_AesSetKey(&enc, key2, sizeof(key2), iv2, AES_ENCRYPTION);
+        if (ret != 0)
+            return -5713;
+        XMEMSET(cipher, 0, AES_BLOCK_SIZE * 2);
+        ret = wc_AesCbcEncrypt(&enc, cipher, msg2, AES_BLOCK_SIZE);
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (ret != 0)
+            return -5714;
+        if (XMEMCMP(cipher, verify2, AES_BLOCK_SIZE))
+            return -5715;
+
+        ret = wc_AesCbcEncrypt(&enc, cipher + AES_BLOCK_SIZE,
+                msg2 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (ret != 0)
+            return -5716;
+        if (XMEMCMP(cipher + AES_BLOCK_SIZE, verify2 + AES_BLOCK_SIZE,
+                    AES_BLOCK_SIZE))
+            return -5717;
+
+        #if defined(HAVE_AES_DECRYPT)
+        ret = wc_AesSetKey(&dec, key2, sizeof(key2), iv2, AES_DECRYPTION);
+        if (ret != 0)
+            return -5718;
+        XMEMSET(plain, 0, AES_BLOCK_SIZE * 2);
+        ret = wc_AesCbcDecrypt(&dec, plain, verify2, AES_BLOCK_SIZE);
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (ret != 0)
+            return -5719;
+        if (XMEMCMP(plain, msg2, AES_BLOCK_SIZE))
+            return -5720;
+
+        ret = wc_AesCbcDecrypt(&dec, plain + AES_BLOCK_SIZE,
+                verify2 + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (ret != 0)
+            return -5721;
+        if (XMEMCMP(plain + AES_BLOCK_SIZE, msg2 + AES_BLOCK_SIZE,
+                    AES_BLOCK_SIZE))
+            return -5722;
+
+        #endif /* HAVE_AES_DECRYPT */
+    }
+#endif /* WOLFSSL_AES_128 */
+#endif /* HAVE_AES_CBC */
+
+#ifdef WOLFSSL_AES_COUNTER
+    {
+        /* test vectors from "Recommendation for Block Cipher Modes of
+         * Operation" NIST Special Publication 800-38A */
+
         const byte ctrIv[] =
         {
             0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
             0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
         };
 
-
         const byte ctrPlain[] =
         {
             0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
@@ -2560,7 +7764,20 @@ int aes_test(void)
             0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
         };
 
-        const byte ctrCipher[] =
+#ifdef WOLFSSL_AES_128
+        const byte oddCipher[] =
+        {
+            0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
+            0xc2
+        };
+
+        const byte ctr128Key[] =
+        {
+            0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
+            0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+        };
+
+        const byte ctr128Cipher[] =
         {
             0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
             0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
@@ -2571,53 +7788,163 @@ int aes_test(void)
             0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
             0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
         };
+#endif /* WOLFSSL_AES_128 */
 
-        const byte oddCipher[] =
+#ifdef WOLFSSL_AES_192
+        const byte ctr192Key[] =
         {
-            0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
-            0xc2
+            0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
+            0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
+            0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
         };
 
-        wc_AesSetKeyDirect(&enc, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
-        /* Ctr only uses encrypt, even on key setup */
-        wc_AesSetKeyDirect(&dec, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
+        const byte ctr192Cipher[] =
+        {
+            0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
+            0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b,
+            0x09,0x03,0x39,0xec,0x0a,0xa6,0xfa,0xef,
+            0xd5,0xcc,0xc2,0xc6,0xf4,0xce,0x8e,0x94,
+            0x1e,0x36,0xb2,0x6b,0xd1,0xeb,0xc6,0x70,
+            0xd1,0xbd,0x1d,0x66,0x56,0x20,0xab,0xf7,
+            0x4f,0x78,0xa7,0xf6,0xd2,0x98,0x09,0x58,
+            0x5a,0x97,0xda,0xec,0x58,0xc6,0xb0,0x50
+        };
+#endif
+#ifdef WOLFSSL_AES_256
+        const byte ctr256Key[] =
+        {
+            0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+            0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+            0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+            0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
 
-        wc_AesCtrEncrypt(&enc, cipher, ctrPlain, AES_BLOCK_SIZE*4);
-        wc_AesCtrEncrypt(&dec, plain, cipher, AES_BLOCK_SIZE*4);
+        const byte ctr256Cipher[] =
+        {
+            0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
+            0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28,
+            0xf4,0x43,0xe3,0xca,0x4d,0x62,0xb5,0x9a,
+            0xca,0x84,0xe9,0x90,0xca,0xca,0xf5,0xc5,
+            0x2b,0x09,0x30,0xda,0xa2,0x3d,0xe9,0x4c,
+            0xe8,0x70,0x17,0xba,0x2d,0x84,0x98,0x8d,
+            0xdf,0xc9,0xc5,0x8d,0xb6,0x7a,0xad,0xa6,
+            0x13,0xc2,0xdd,0x08,0x45,0x79,0x41,0xa6
+        };
+#endif
 
-        if (memcmp(plain, ctrPlain, AES_BLOCK_SIZE*4))
-            return -66;
+#ifdef WOLFSSL_AES_128
+        wc_AesSetKeyDirect(&enc, ctr128Key, sizeof(ctr128Key),
+                           ctrIv, AES_ENCRYPTION);
+        /* Ctr only uses encrypt, even on key setup */
+        wc_AesSetKeyDirect(&dec, ctr128Key, sizeof(ctr128Key),
+                           ctrIv, AES_ENCRYPTION);
+
+        ret = wc_AesCtrEncrypt(&enc, cipher, ctrPlain, sizeof(ctrPlain));
+        if (ret != 0) {
+            return -5723;
+        }
+        ret = wc_AesCtrEncrypt(&dec, plain, cipher, sizeof(ctrPlain));
+        if (ret != 0) {
+            return -5724;
+        }
+        if (XMEMCMP(plain, ctrPlain, sizeof(ctrPlain)))
+            return -5725;
 
-        if (memcmp(cipher, ctrCipher, AES_BLOCK_SIZE*4))
-            return -67;
+        if (XMEMCMP(cipher, ctr128Cipher, sizeof(ctr128Cipher)))
+            return -5726;
 
         /* let's try with just 9 bytes, non block size test */
-        wc_AesSetKeyDirect(&enc, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
+        wc_AesSetKeyDirect(&enc, ctr128Key, AES_BLOCK_SIZE,
+                           ctrIv, AES_ENCRYPTION);
         /* Ctr only uses encrypt, even on key setup */
-        wc_AesSetKeyDirect(&dec, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
+        wc_AesSetKeyDirect(&dec, ctr128Key, AES_BLOCK_SIZE,
+                           ctrIv, AES_ENCRYPTION);
 
-        wc_AesCtrEncrypt(&enc, cipher, ctrPlain, 9);
-        wc_AesCtrEncrypt(&dec, plain, cipher, 9);
+        ret = wc_AesCtrEncrypt(&enc, cipher, ctrPlain, sizeof(oddCipher));
+        if (ret != 0) {
+            return -5727;
+        }
+        ret = wc_AesCtrEncrypt(&dec, plain, cipher, sizeof(oddCipher));
+        if (ret != 0) {
+            return -5728;
+        }
 
-        if (memcmp(plain, ctrPlain, 9))
-            return -68;
+        if (XMEMCMP(plain, ctrPlain, sizeof(oddCipher)))
+            return -5729;
 
-        if (memcmp(cipher, ctrCipher, 9))
-            return -69;
+        if (XMEMCMP(cipher, ctr128Cipher, sizeof(oddCipher)))
+            return -5730;
 
         /* and an additional 9 bytes to reuse tmp left buffer */
-        wc_AesCtrEncrypt(&enc, cipher, ctrPlain, 9);
-        wc_AesCtrEncrypt(&dec, plain, cipher, 9);
+        ret = wc_AesCtrEncrypt(&enc, cipher, ctrPlain, sizeof(oddCipher));
+        if (ret != 0) {
+            return -5731;
+        }
+        ret = wc_AesCtrEncrypt(&dec, plain, cipher, sizeof(oddCipher));
+        if (ret != 0) {
+            return -5732;
+        }
 
-        if (memcmp(plain, ctrPlain, 9))
-            return -70;
+        if (XMEMCMP(plain, ctrPlain, sizeof(oddCipher)))
+            return -5733;
+
+        if (XMEMCMP(cipher, oddCipher, sizeof(oddCipher)))
+            return -5734;
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+        /* 192 bit key */
+        wc_AesSetKeyDirect(&enc, ctr192Key, sizeof(ctr192Key),
+                           ctrIv, AES_ENCRYPTION);
+        /* Ctr only uses encrypt, even on key setup */
+        wc_AesSetKeyDirect(&dec, ctr192Key, sizeof(ctr192Key),
+                           ctrIv, AES_ENCRYPTION);
 
-        if (memcmp(cipher, oddCipher, 9))
-            return -71;
+        XMEMSET(plain, 0, sizeof(plain));
+        ret = wc_AesCtrEncrypt(&enc, plain, ctr192Cipher, sizeof(ctr192Cipher));
+        if (ret != 0) {
+            return -5735;
+        }
+
+        if (XMEMCMP(plain, ctrPlain, sizeof(ctr192Cipher)))
+            return -5736;
+
+        ret = wc_AesCtrEncrypt(&dec, cipher, ctrPlain, sizeof(ctrPlain));
+        if (ret != 0) {
+            return -5737;
+        }
+        if (XMEMCMP(ctr192Cipher, cipher, sizeof(ctr192Cipher)))
+            return -5738;
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* 256 bit key */
+        wc_AesSetKeyDirect(&enc, ctr256Key, sizeof(ctr256Key),
+                           ctrIv, AES_ENCRYPTION);
+        /* Ctr only uses encrypt, even on key setup */
+        wc_AesSetKeyDirect(&dec, ctr256Key, sizeof(ctr256Key),
+                           ctrIv, AES_ENCRYPTION);
+
+        XMEMSET(plain, 0, sizeof(plain));
+        ret = wc_AesCtrEncrypt(&enc, plain, ctr256Cipher, sizeof(ctr256Cipher));
+        if (ret != 0) {
+            return -5739;
+        }
+
+        if (XMEMCMP(plain, ctrPlain, sizeof(ctrPlain)))
+            return -5740;
+
+        ret = wc_AesCtrEncrypt(&dec, cipher, ctrPlain, sizeof(ctrPlain));
+        if (ret != 0) {
+            return -5741;
+        }
+        if (XMEMCMP(ctr256Cipher, cipher, sizeof(ctr256Cipher)))
+            return -5742;
+#endif /* WOLFSSL_AES_256 */
     }
 #endif /* WOLFSSL_AES_COUNTER */
 
-#if defined(WOLFSSL_AESNI) && defined(WOLFSSL_AES_DIRECT)
+#if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
     {
         const byte niPlain[] =
         {
@@ -2642,48 +7969,444 @@ int aes_test(void)
         XMEMSET(cipher, 0, AES_BLOCK_SIZE);
         ret = wc_AesSetKey(&enc, niKey, sizeof(niKey), cipher, AES_ENCRYPTION);
         if (ret != 0)
-            return -1003;
+            return -5743;
         wc_AesEncryptDirect(&enc, cipher, niPlain);
         if (XMEMCMP(cipher, niCipher, AES_BLOCK_SIZE) != 0)
-            return -20006;
+            return -5744;
 
         XMEMSET(plain, 0, AES_BLOCK_SIZE);
         ret = wc_AesSetKey(&dec, niKey, sizeof(niKey), plain, AES_DECRYPTION);
         if (ret != 0)
-            return -1004;
+            return -5745;
         wc_AesDecryptDirect(&dec, plain, niCipher);
         if (XMEMCMP(plain, niPlain, AES_BLOCK_SIZE) != 0)
-            return -20007;
+            return -5746;
     }
-#endif /* WOLFSSL_AESNI && WOLFSSL_AES_DIRECT */
+#endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
 
-    return 0;
+    ret = aes_key_size_test();
+    if (ret != 0)
+        return ret;
+
+#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
+    ret = aes_cbc_test();
+    if (ret != 0)
+        return ret;
+#endif
+
+#if defined(WOLFSSL_AES_XTS)
+    #ifdef WOLFSSL_AES_128
+    ret = aes_xts_128_test();
+    if (ret != 0)
+        return ret;
+    #endif
+    #ifdef WOLFSSL_AES_256
+    ret = aes_xts_256_test();
+    if (ret != 0)
+        return ret;
+    #endif
+    #if defined(WOLFSSL_AES_128) && defined(WOLFSSL_AES_256)
+    ret = aes_xts_sector_test();
+    if (ret != 0)
+        return ret;
+    #endif
+    #ifdef WOLFSSL_AES_128
+    ret = aes_xts_args_test();
+    if (ret != 0)
+        return ret;
+    #endif
+#endif
+
+#if defined(WOLFSSL_AES_CFB)
+    ret = aescfb_test();
+    if (ret != 0)
+        return ret;
+#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
+    ret = aescfb1_test();
+    if (ret != 0)
+        return ret;
+
+    ret = aescfb8_test();
+    if (ret != 0)
+        return ret;
+#endif
+#endif
+
+
+#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_COUNTER)
+    wc_AesFree(&enc);
+    (void)cipher;
+#if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_COUNTER)
+    wc_AesFree(&dec);
+    (void)plain;
+#endif
+#endif
+
+    return ret;
+}
+
+#ifdef WOLFSSL_AES_192
+int aes192_test(void)
+{
+#ifdef HAVE_AES_CBC
+    Aes enc;
+    byte cipher[AES_BLOCK_SIZE];
+#ifdef HAVE_AES_DECRYPT
+    Aes dec;
+    byte plain[AES_BLOCK_SIZE];
+#endif
+#endif /* HAVE_AES_CBC */
+    int  ret = 0;
+
+#ifdef HAVE_AES_CBC
+    /* Test vectors from NIST Special Publication 800-38A, 2001 Edition
+     * Appendix F.2.3  */
+
+    const byte msg[] = {
+        0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+        0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+    };
+
+    const byte verify[] =
+    {
+        0x4f,0x02,0x1d,0xb2,0x43,0xbc,0x63,0x3d,
+        0x71,0x78,0x18,0x3a,0x9f,0xa0,0x71,0xe8
+    };
+
+    byte key[] = {
+        0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
+        0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
+        0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
+    };
+    byte iv[]  = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+        0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
+    };
+
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -5800;
+#ifdef HAVE_AES_DECRYPT
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -5801;
+#endif
+
+    ret = wc_AesSetKey(&enc, key, (int) sizeof(key), iv, AES_ENCRYPTION);
+    if (ret != 0)
+        return -5802;
+#ifdef HAVE_AES_DECRYPT
+    ret = wc_AesSetKey(&dec, key, (int) sizeof(key), iv, AES_DECRYPTION);
+    if (ret != 0)
+        return -5803;
+#endif
+
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
+    ret = wc_AesCbcEncrypt(&enc, cipher, msg, (int) sizeof(msg));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5804;
+#ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
+    ret = wc_AesCbcDecrypt(&dec, plain, cipher, (int) sizeof(cipher));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5805;
+    if (XMEMCMP(plain, msg, (int) sizeof(plain))) {
+        return -5806;
+    }
+#endif
+
+    if (XMEMCMP(cipher, verify, (int) sizeof(cipher)))
+        return -5807;
+
+    wc_AesFree(&enc);
+#ifdef HAVE_AES_DECRYPT
+    wc_AesFree(&dec);
+#endif
+
+#endif /* HAVE_AES_CBC */
+
+    return ret;
+}
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+int aes256_test(void)
+{
+#ifdef HAVE_AES_CBC
+    Aes enc;
+    byte cipher[AES_BLOCK_SIZE];
+#ifdef HAVE_AES_DECRYPT
+    Aes dec;
+    byte plain[AES_BLOCK_SIZE];
+#endif
+#endif /* HAVE_AES_CBC */
+    int  ret = 0;
+
+#ifdef HAVE_AES_CBC
+    /* Test vectors from NIST Special Publication 800-38A, 2001 Edition,
+     * Appendix F.2.5  */
+    const byte msg[] = {
+        0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+        0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+    };
+
+    const byte verify[] =
+    {
+        0xf5,0x8c,0x4c,0x04,0xd6,0xe5,0xf1,0xba,
+        0x77,0x9e,0xab,0xfb,0x5f,0x7b,0xfb,0xd6
+    };
+
+    byte key[] = {
+        0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+        0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+        0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+        0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+    };
+    byte iv[]  = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+        0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F
+    };
+
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0)
+        return -5900;
+#ifdef HAVE_AES_DECRYPT
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0)
+        return -5901;
+#endif
+
+    ret = wc_AesSetKey(&enc, key, (int) sizeof(key), iv, AES_ENCRYPTION);
+    if (ret != 0)
+        return -5902;
+#ifdef HAVE_AES_DECRYPT
+    ret = wc_AesSetKey(&dec, key, (int) sizeof(key), iv, AES_DECRYPTION);
+    if (ret != 0)
+        return -5903;
+#endif
+
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
+    ret = wc_AesCbcEncrypt(&enc, cipher, msg, (int) sizeof(msg));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5904;
+#ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
+    ret = wc_AesCbcDecrypt(&dec, plain, cipher, (int) sizeof(cipher));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        return -5905;
+    if (XMEMCMP(plain, msg, (int) sizeof(plain))) {
+        return -5906;
+    }
+#endif
+
+    if (XMEMCMP(cipher, verify, (int) sizeof(cipher)))
+        return -5907;
+
+    wc_AesFree(&enc);
+#ifdef HAVE_AES_DECRYPT
+    wc_AesFree(&dec);
+#endif
+
+#endif /* HAVE_AES_CBC */
+
+    return ret;
 }
+#endif /* WOLFSSL_AES_256 */
+
 
 #ifdef HAVE_AESGCM
+
+static int aesgcm_default_test_helper(byte* key, int keySz, byte* iv, int ivSz,
+		byte* plain, int plainSz, byte* cipher, int cipherSz,
+		byte* aad, int aadSz, byte* tag, int tagSz)
+{
+    Aes enc;
+    Aes dec;
+
+    byte resultT[AES_BLOCK_SIZE];
+    byte resultP[AES_BLOCK_SIZE * 3];
+    byte resultC[AES_BLOCK_SIZE * 3];
+    int  result;
+
+    XMEMSET(resultT, 0, sizeof(resultT));
+    XMEMSET(resultC, 0, sizeof(resultC));
+    XMEMSET(resultP, 0, sizeof(resultP));
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0) {
+        return -5908;
+    }
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0) {
+        return -5909;
+    }
+
+    result = wc_AesGcmSetKey(&enc, key, keySz);
+    if (result != 0)
+        return -5910;
+
+    /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+    result = wc_AesGcmEncrypt(&enc, resultC, plain, plainSz, iv, ivSz,
+                                        resultT, tagSz, aad, aadSz);
+
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -5911;
+    if (cipher != NULL) {
+        if (XMEMCMP(cipher, resultC, cipherSz))
+            return -5912;
+    }
+    if (XMEMCMP(tag, resultT, tagSz))
+        return -5913;
+
+    wc_AesFree(&enc);
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmSetKey(&dec, key, keySz);
+    if (result != 0)
+        return -5914;
+
+    result = wc_AesGcmDecrypt(&dec, resultP, resultC, cipherSz,
+                      iv, ivSz, resultT, tagSz, aad, aadSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -5915;
+    if (plain != NULL) {
+        if (XMEMCMP(plain, resultP, plainSz))
+            return -5916;
+    }
+
+    wc_AesFree(&dec);
+#endif /* HAVE_AES_DECRYPT */
+
+    return 0;
+}
+
+
+/* tests that only use 12 byte IV and 16 or less byte AAD
+ * test vectors are from NIST SP 800-38D
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES*/
+int aesgcm_default_test(void)
+{
+    byte key1[] = {
+        0x29, 0x8e, 0xfa, 0x1c, 0xcf, 0x29, 0xcf, 0x62,
+        0xae, 0x68, 0x24, 0xbf, 0xc1, 0x95, 0x57, 0xfc
+    };
+
+    byte iv1[] = {
+        0x6f, 0x58, 0xa9, 0x3f, 0xe1, 0xd2, 0x07, 0xfa,
+        0xe4, 0xed, 0x2f, 0x6d
+    };
+
+    ALIGN64 byte plain1[] = {
+        0xcc, 0x38, 0xbc, 0xcd, 0x6b, 0xc5, 0x36, 0xad,
+        0x91, 0x9b, 0x13, 0x95, 0xf5, 0xd6, 0x38, 0x01,
+        0xf9, 0x9f, 0x80, 0x68, 0xd6, 0x5c, 0xa5, 0xac,
+        0x63, 0x87, 0x2d, 0xaf, 0x16, 0xb9, 0x39, 0x01
+    };
+
+    byte aad1[] = {
+        0x02, 0x1f, 0xaf, 0xd2, 0x38, 0x46, 0x39, 0x73,
+        0xff, 0xe8, 0x02, 0x56, 0xe5, 0xb1, 0xc6, 0xb1
+    };
+
+    ALIGN64 byte cipher1[] = {
+        0xdf, 0xce, 0x4e, 0x9c, 0xd2, 0x91, 0x10, 0x3d,
+        0x7f, 0xe4, 0xe6, 0x33, 0x51, 0xd9, 0xe7, 0x9d,
+        0x3d, 0xfd, 0x39, 0x1e, 0x32, 0x67, 0x10, 0x46,
+        0x58, 0x21, 0x2d, 0xa9, 0x65, 0x21, 0xb7, 0xdb
+    };
+
+    byte tag1[] = {
+        0x54, 0x24, 0x65, 0xef, 0x59, 0x93, 0x16, 0xf7,
+        0x3a, 0x7a, 0x56, 0x05, 0x09, 0xa2, 0xd9, 0xf2
+    };
+
+    byte key2[] = {
+        0x01, 0x6d, 0xbb, 0x38, 0xda, 0xa7, 0x6d, 0xfe,
+        0x7d, 0xa3, 0x84, 0xeb, 0xf1, 0x24, 0x03, 0x64
+    };
+
+    byte iv2[] = {
+        0x07, 0x93, 0xef, 0x3a, 0xda, 0x78, 0x2f, 0x78,
+        0xc9, 0x8a, 0xff, 0xe3
+    };
+
+    ALIGN64 byte plain2[] = {
+        0x4b, 0x34, 0xa9, 0xec, 0x57, 0x63, 0x52, 0x4b,
+        0x19, 0x1d, 0x56, 0x16, 0xc5, 0x47, 0xf6, 0xb7
+    };
+
+    ALIGN64 byte cipher2[] = {
+        0x60, 0x9a, 0xa3, 0xf4, 0x54, 0x1b, 0xc0, 0xfe,
+        0x99, 0x31, 0xda, 0xad, 0x2e, 0xe1, 0x5d, 0x0c
+    };
+
+    byte tag2[] = {
+        0x33, 0xaf, 0xec, 0x59, 0xc4, 0x5b, 0xaf, 0x68,
+        0x9a, 0x5e, 0x1b, 0x13, 0xae, 0x42, 0x36, 0x19
+    };
+
+    byte key3[] = {
+        0xb0, 0x1e, 0x45, 0xcc, 0x30, 0x88, 0xaa, 0xba,
+        0x9f, 0xa4, 0x3d, 0x81, 0xd4, 0x81, 0x82, 0x3f
+    };
+
+    byte iv3[] = {
+        0x5a, 0x2c, 0x4a, 0x66, 0x46, 0x87, 0x13, 0x45,
+        0x6a, 0x4b, 0xd5, 0xe1
+    };
+
+    byte tag3[] = {
+        0x01, 0x42, 0x80, 0xf9, 0x44, 0xf5, 0x3c, 0x68,
+        0x11, 0x64, 0xb2, 0xff
+    };
+
+    int ret;
+	ret = aesgcm_default_test_helper(key1, sizeof(key1), iv1, sizeof(iv1),
+		plain1, sizeof(plain1), cipher1, sizeof(cipher1),
+		aad1, sizeof(aad1), tag1, sizeof(tag1));
+	if (ret != 0) {
+		return ret;
+	}
+	ret = aesgcm_default_test_helper(key2, sizeof(key2), iv2, sizeof(iv2),
+		plain2, sizeof(plain2), cipher2, sizeof(cipher2),
+		NULL, 0, tag2, sizeof(tag2));
+	if (ret != 0) {
+		return ret;
+	}
+	ret = aesgcm_default_test_helper(key3, sizeof(key3), iv3, sizeof(iv3),
+		NULL, 0, NULL, 0,
+		NULL, 0, tag3, sizeof(tag3));
+	if (ret != 0) {
+		return ret;
+	}
+
+	return 0;
+}
+
 int aesgcm_test(void)
 {
     Aes enc;
+    Aes dec;
 
     /*
      * This is Test Case 16 from the document Galois/
      * Counter Mode of Operation (GCM) by McGrew and
      * Viega.
      */
-    const byte k[] =
-    {
-        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
-        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
-        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
-        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
-    };
-
-    const byte iv[] =
-    {
-        0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
-        0xde, 0xca, 0xf8, 0x88
-    };
-
     const byte p[] =
     {
         0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
@@ -2696,14 +8419,31 @@ int aesgcm_test(void)
         0xba, 0x63, 0x7b, 0x39
     };
 
+#if defined(HAVE_AES_DECRYPT) || defined(WOLFSSL_AES_256)
     const byte a[] =
     {
         0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
         0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
         0xab, 0xad, 0xda, 0xd2
     };
+#endif
 
-    const byte c[] =
+#ifdef WOLFSSL_AES_256
+    const byte k1[] =
+    {
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+    };
+
+    const byte iv1[] =
+    {
+        0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+        0xde, 0xca, 0xf8, 0x88
+    };
+
+    const byte c1[] =
     {
         0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
         0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
@@ -2714,42 +8454,478 @@ int aesgcm_test(void)
         0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
         0xbc, 0xc9, 0xf6, 0x62
     };
+#endif /* WOLFSSL_AES_256 */
 
-    const byte t[] =
+    const byte t1[] =
     {
         0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
         0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
     };
 
-    byte t2[sizeof(t)];
-    byte p2[sizeof(c)];
-    byte c2[sizeof(p)];
+    /* FIPS, QAT and PIC32MZ HW Crypto only support 12-byte IV */
+#if !defined(HAVE_FIPS) && \
+        !defined(WOLFSSL_PIC32MZ_CRYPT) && \
+        !defined(FREESCALE_LTC) && !defined(FREESCALE_MMCAU) && \
+        !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
+        !(defined(WOLF_CRYPTO_CB) && \
+            (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
+
+    #define ENABLE_NON_12BYTE_IV_TEST
+#ifdef WOLFSSL_AES_192
+    /* Test Case 12, uses same plaintext and AAD data. */
+    const byte k2[] =
+    {
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+        0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+        0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+    };
 
-    int result;
+    const byte iv2[] =
+    {
+        0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+        0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+        0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+        0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+        0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+        0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+        0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+        0xa6, 0x37, 0xb3, 0x9b
+    };
 
-    memset(t2, 0, sizeof(t2));
-    memset(c2, 0, sizeof(c2));
-    memset(p2, 0, sizeof(p2));
+    const byte c2[] =
+    {
+        0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+        0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+        0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+        0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+        0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+        0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+        0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+        0xe9, 0xb7, 0x37, 0x3b
+    };
+
+    const byte t2[] =
+    {
+        0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+        0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
+    };
+#endif /* WOLFSSL_AES_192 */
+#ifdef WOLFSSL_AES_128
+    /* The following is an interesting test case from the example
+     * FIPS test vectors for AES-GCM. IVlen = 1 byte */
+    const byte p3[] =
+    {
+        0x57, 0xce, 0x45, 0x1f, 0xa5, 0xe2, 0x35, 0xa5,
+        0x8e, 0x1a, 0xa2, 0x3b, 0x77, 0xcb, 0xaf, 0xe2
+    };
+
+    const byte k3[] =
+    {
+        0xbb, 0x01, 0xd7, 0x03, 0x81, 0x1c, 0x10, 0x1a,
+        0x35, 0xe0, 0xff, 0xd2, 0x91, 0xba, 0xf2, 0x4b
+    };
+
+    const byte iv3[] =
+    {
+        0xca
+    };
+
+    const byte c3[] =
+    {
+        0x6b, 0x5f, 0xb3, 0x9d, 0xc1, 0xc5, 0x7a, 0x4f,
+        0xf3, 0x51, 0x4d, 0xc2, 0xd5, 0xf0, 0xd0, 0x07
+    };
+
+    const byte a3[] =
+    {
+        0x40, 0xfc, 0xdc, 0xd7, 0x4a, 0xd7, 0x8b, 0xf1,
+        0x3e, 0x7c, 0x60, 0x55, 0x50, 0x51, 0xdd, 0x54
+    };
+
+    const byte t3[] =
+    {
+        0x06, 0x90, 0xed, 0x01, 0x34, 0xdd, 0xc6, 0x95,
+        0x31, 0x2e, 0x2a, 0xf9, 0x57, 0x7a, 0x1e, 0xa6
+    };
+#endif /* WOLFSSL_AES_128 */
+#ifdef WOLFSSL_AES_256
+    int ivlen;
+#endif
+#endif
+
+    byte resultT[sizeof(t1)];
+    byte resultP[sizeof(p) + AES_BLOCK_SIZE];
+    byte resultC[sizeof(p) + AES_BLOCK_SIZE];
+    int  result;
+#ifdef WOLFSSL_AES_256
+    int  alen;
+    #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
+    int  plen;
+    #endif
+#endif
+
+#if !defined(BENCH_EMBEDDED)
+    #ifndef BENCH_AESGCM_LARGE
+        #define BENCH_AESGCM_LARGE 1024
+    #endif
+    byte large_input[BENCH_AESGCM_LARGE];
+    byte large_output[BENCH_AESGCM_LARGE + AES_BLOCK_SIZE];
+    byte large_outdec[BENCH_AESGCM_LARGE];
+
+    XMEMSET(large_input, 0, sizeof(large_input));
+    XMEMSET(large_output, 0, sizeof(large_output));
+    XMEMSET(large_outdec, 0, sizeof(large_outdec));
+#endif
+
+    (void)result;
+
+    XMEMSET(resultT, 0, sizeof(resultT));
+    XMEMSET(resultC, 0, sizeof(resultC));
+    XMEMSET(resultP, 0, sizeof(resultP));
+
+    if (wc_AesInit(&enc, HEAP_HINT, devId) != 0) {
+        return -6100;
+    }
+    if (wc_AesInit(&dec, HEAP_HINT, devId) != 0) {
+        return -6101;
+    }
+
+#ifdef WOLFSSL_AES_256
+    result = wc_AesGcmSetKey(&enc, k1, sizeof(k1));
+    if (result != 0)
+        return -6102;
 
-    wc_AesGcmSetKey(&enc, k, sizeof(k));
     /* AES-GCM encrypt and decrypt both use AES encrypt internally */
-    wc_AesGcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
-                                                 t2, sizeof(t2), a, sizeof(a));
-    if (memcmp(c, c2, sizeof(c2)))
-        return -68;
-    if (memcmp(t, t2, sizeof(t2)))
-        return -69;
+    result = wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
+                                        resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6103;
+    if (XMEMCMP(c1, resultC, sizeof(c1)))
+        return -6104;
+    if (XMEMCMP(t1, resultT, sizeof(resultT)))
+        return -6105;
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmSetKey(&dec, k1, sizeof(k1));
+    if (result != 0)
+        return -6106;
 
-    result = wc_AesGcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv),
-                                                 t2, sizeof(t2), a, sizeof(a));
+    result = wc_AesGcmDecrypt(&dec, resultP, resultC, sizeof(c1),
+                      iv1, sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6107;
+    if (XMEMCMP(p, resultP, sizeof(p)))
+        return -6108;
+#endif /* HAVE_AES_DECRYPT */
+
+    /* Large buffer test */
+#ifdef BENCH_AESGCM_LARGE
+    /* setup test buffer */
+    for (alen=0; alen<BENCH_AESGCM_LARGE; alen++)
+        large_input[alen] = (byte)alen;
+
+    /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+    result = wc_AesGcmEncrypt(&enc, large_output, large_input,
+                              BENCH_AESGCM_LARGE, iv1, sizeof(iv1),
+                              resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6109;
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmDecrypt(&dec, large_outdec, large_output,
+                              BENCH_AESGCM_LARGE, iv1, sizeof(iv1), resultT,
+                              sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6110;
+    if (XMEMCMP(large_input, large_outdec, BENCH_AESGCM_LARGE))
+        return -6111;
+#endif /* HAVE_AES_DECRYPT */
+#endif /* BENCH_AESGCM_LARGE */
+#if defined(ENABLE_NON_12BYTE_IV_TEST) && defined(WOLFSSL_AES_256)
+    /* Variable IV length test */
+    for (ivlen=1; ivlen<(int)sizeof(k1); ivlen++) {
+         /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+         result = wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), k1,
+                         (word32)ivlen, resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6112;
+#ifdef HAVE_AES_DECRYPT
+        result = wc_AesGcmDecrypt(&dec, resultP, resultC, sizeof(c1), k1,
+                         (word32)ivlen, resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6113;
+#endif /* HAVE_AES_DECRYPT */
+    }
+#endif
+
+#if !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
+    /* Variable authenticated data length test */
+    for (alen=0; alen<(int)sizeof(p); alen++) {
+         /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+         result = wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1,
+                        sizeof(iv1), resultT, sizeof(resultT), p, (word32)alen);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6114;
+#ifdef HAVE_AES_DECRYPT
+        result = wc_AesGcmDecrypt(&dec, resultP, resultC, sizeof(c1), iv1,
+                        sizeof(iv1), resultT, sizeof(resultT), p, (word32)alen);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6115;
+#endif /* HAVE_AES_DECRYPT */
+    }
+#endif
+
+#if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
+#ifdef BENCH_AESGCM_LARGE
+    /* Variable plain text length test */
+    for (plen=1; plen<BENCH_AESGCM_LARGE; plen++) {
+        /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+        result = wc_AesGcmEncrypt(&enc, large_output, large_input,
+                                  plen, iv1, sizeof(iv1), resultT,
+                                  sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6116;
+
+#ifdef HAVE_AES_DECRYPT
+        result = wc_AesGcmDecrypt(&dec, large_outdec, large_output,
+                                  plen, iv1, sizeof(iv1), resultT,
+                                  sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6117;
+#endif /* HAVE_AES_DECRYPT */
+    }
+#else /* BENCH_AESGCM_LARGE */
+    /* Variable plain text length test */
+    for (plen=1; plen<(int)sizeof(p); plen++) {
+         /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+         result = wc_AesGcmEncrypt(&enc, resultC, p, (word32)plen, iv1,
+                           sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6118;
+#ifdef HAVE_AES_DECRYPT
+        result = wc_AesGcmDecrypt(&dec, resultP, resultC, (word32)plen, iv1,
+                           sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6119;
+#endif /* HAVE_AES_DECRYPT */
+    }
+#endif /* BENCH_AESGCM_LARGE */
+#endif
+#endif /* WOLFSSL_AES_256 */
+
+    /* test with IV != 12 bytes */
+#ifdef ENABLE_NON_12BYTE_IV_TEST
+    XMEMSET(resultT, 0, sizeof(resultT));
+    XMEMSET(resultC, 0, sizeof(resultC));
+    XMEMSET(resultP, 0, sizeof(resultP));
+
+#ifdef WOLFSSL_AES_192
+    wc_AesGcmSetKey(&enc, k2, sizeof(k2));
+    /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+    result = wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv2, sizeof(iv2),
+                                        resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (result != 0)
-        return -70;
-    if (memcmp(p, p2, sizeof(p2)))
-        return -71;
+        return -6120;
+    if (XMEMCMP(c2, resultC, sizeof(c2)))
+        return -6121;
+    if (XMEMCMP(t2, resultT, sizeof(resultT)))
+        return -6122;
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(c1),
+                      iv2, sizeof(iv2), resultT, sizeof(resultT), a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6123;
+    if (XMEMCMP(p, resultP, sizeof(p)))
+        return -6124;
+#endif /* HAVE_AES_DECRYPT */
+
+    XMEMSET(resultT, 0, sizeof(resultT));
+    XMEMSET(resultC, 0, sizeof(resultC));
+    XMEMSET(resultP, 0, sizeof(resultP));
+#endif /* WOLFSSL_AES_192 */
+#ifdef WOLFSSL_AES_128
+    wc_AesGcmSetKey(&enc, k3, sizeof(k3));
+    /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+    result = wc_AesGcmEncrypt(&enc, resultC, p3, sizeof(p3), iv3, sizeof(iv3),
+                                        resultT, sizeof(t3), a3, sizeof(a3));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6125;
+    if (XMEMCMP(c3, resultC, sizeof(c3)))
+        return -6126;
+    if (XMEMCMP(t3, resultT, sizeof(t3)))
+        return -6127;
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(c3),
+                      iv3, sizeof(iv3), resultT, sizeof(t3), a3, sizeof(a3));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6128;
+    if (XMEMCMP(p3, resultP, sizeof(p3)))
+        return -6129;
+#endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_128 */
+#endif /* ENABLE_NON_12BYTE_IV_TEST */
+
+#if defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
+    !defined(WOLFSSL_XILINX_CRYPT) && \
+    !(defined(WOLF_CRYPTO_CB) && \
+        defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))
+    XMEMSET(resultT, 0, sizeof(resultT));
+    XMEMSET(resultC, 0, sizeof(resultC));
+    XMEMSET(resultP, 0, sizeof(resultP));
+
+    wc_AesGcmSetKey(&enc, k1, sizeof(k1));
+    /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+    result = wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
+                                resultT + 1, sizeof(resultT) - 1, a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6130;
+    if (XMEMCMP(c1, resultC, sizeof(c1)))
+        return -6131;
+    if (XMEMCMP(t1, resultT + 1, sizeof(resultT) - 1))
+        return -6132;
+
+#ifdef HAVE_AES_DECRYPT
+    result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(p),
+              iv1, sizeof(iv1), resultT + 1, sizeof(resultT) - 1, a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (result != 0)
+        return -6133;
+    if (XMEMCMP(p, resultP, sizeof(p)))
+        return -6134;
+#endif /* HAVE_AES_DECRYPT */
+#endif /* WOLFSSL_AES_256 */
+
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+    /* Test encrypt with internally generated IV */
+#if defined(WOLFSSL_AES_256) && !(defined(WC_NO_RNG) || defined(HAVE_SELFTEST)) \
+    && !(defined(WOLF_CRYPTO_CB) && defined(HAVE_CAVIUM_OCTEON_SYNC))
+    {
+        WC_RNG rng;
+        byte randIV[12];
+
+        result = wc_InitRng(&rng);
+        if (result != 0)
+            return -6135;
+
+        XMEMSET(randIV, 0, sizeof(randIV));
+        XMEMSET(resultT, 0, sizeof(resultT));
+        XMEMSET(resultC, 0, sizeof(resultC));
+        XMEMSET(resultP, 0, sizeof(resultP));
+
+        wc_AesGcmSetKey(&enc, k1, sizeof(k1));
+        result = wc_AesGcmSetIV(&enc, sizeof(randIV), NULL, 0, &rng);
+        if (result != 0)
+            return -6136;
+
+        result = wc_AesGcmEncrypt_ex(&enc,
+                        resultC, p, sizeof(p),
+                        randIV, sizeof(randIV),
+                        resultT, sizeof(resultT),
+                        a, sizeof(a));
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
+    #endif
+        if (result != 0)
+            return -6137;
+
+        /* Check the IV has been set. */
+        {
+            word32 i, ivSum = 0;
+
+            for (i = 0; i < sizeof(randIV); i++)
+                ivSum += randIV[i];
+            if (ivSum == 0)
+                return -6138;
+        }
+
+#ifdef HAVE_AES_DECRYPT
+        wc_AesGcmSetKey(&dec, k1, sizeof(k1));
+        result = wc_AesGcmSetIV(&dec, sizeof(randIV), NULL, 0, &rng);
+        if (result != 0)
+            return -6139;
+
+        result = wc_AesGcmDecrypt(&dec,
+                          resultP, resultC, sizeof(c1),
+                          randIV, sizeof(randIV),
+                          resultT, sizeof(resultT),
+                          a, sizeof(a));
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        result = wc_AsyncWait(result, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+        if (result != 0)
+            return -6140;
+        if (XMEMCMP(p, resultP, sizeof(p)))
+            return -6141;
+#endif /* HAVE_AES_DECRYPT */
+
+        wc_FreeRng(&rng);
+    }
+#endif /* WOLFSSL_AES_256 && !(WC_NO_RNG || HAVE_SELFTEST) */
+#endif /* HAVE_FIPS_VERSION >= 2 */
+
+    wc_AesFree(&enc);
+    wc_AesFree(&dec);
 
     return 0;
 }
 
+#ifdef WOLFSSL_AES_128
 int gmac_test(void)
 {
     Gmac gmac;
@@ -2775,6 +8951,10 @@ int gmac_test(void)
         0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
     };
 
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+	/* FIPS builds only allow 16-byte auth tags. */
+	/* This sample uses a 15-byte auth tag. */
     const byte k2[] =
     {
         0x40, 0xf7, 0xec, 0xb2, 0x52, 0x6d, 0xaa, 0xd4,
@@ -2795,52 +8975,74 @@ int gmac_test(void)
         0xc6, 0x81, 0x79, 0x8e, 0x3d, 0xda, 0xb0, 0x9f,
         0x8d, 0x83, 0xb0, 0xbb, 0x14, 0xb6, 0x91
     };
-
-    const byte k3[] =
-    {
-        0xb8, 0xe4, 0x9a, 0x5e, 0x37, 0xf9, 0x98, 0x2b,
-        0xb9, 0x6d, 0xd0, 0xc9, 0xb6, 0xab, 0x26, 0xac
-    };
-    const byte iv3[] =
-    {
-        0xe4, 0x4a, 0x42, 0x18, 0x8c, 0xae, 0x94, 0x92,
-        0x6a, 0x9c, 0x26, 0xb0
-    };
-    const byte a3[] =
-    {
-        0x9d, 0xb9, 0x61, 0x68, 0xa6, 0x76, 0x7a, 0x31,
-        0xf8, 0x29, 0xe4, 0x72, 0x61, 0x68, 0x3f, 0x8a
-    };
-    const byte t3[] =
-    {
-        0x23, 0xe2, 0x9f, 0x66, 0xe4, 0xc6, 0x52, 0x48
-    };
+#endif
 
     byte tag[16];
 
-    memset(tag, 0, sizeof(tag));
+    XMEMSET(&gmac, 0, sizeof(Gmac)); /* clear context */
+    (void)wc_AesInit((Aes*)&gmac, HEAP_HINT, INVALID_DEVID); /* Make sure devId updated */
+    XMEMSET(tag, 0, sizeof(tag));
     wc_GmacSetKey(&gmac, k1, sizeof(k1));
     wc_GmacUpdate(&gmac, iv1, sizeof(iv1), a1, sizeof(a1), tag, sizeof(t1));
-    if (memcmp(t1, tag, sizeof(t1)) != 0)
-        return -126;
+    if (XMEMCMP(t1, tag, sizeof(t1)) != 0)
+        return -6200;
 
-    memset(tag, 0, sizeof(tag));
+#if !defined(HAVE_FIPS) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+    XMEMSET(tag, 0, sizeof(tag));
     wc_GmacSetKey(&gmac, k2, sizeof(k2));
     wc_GmacUpdate(&gmac, iv2, sizeof(iv2), a2, sizeof(a2), tag, sizeof(t2));
-    if (memcmp(t2, tag, sizeof(t2)) != 0)
-        return -127;
+    if (XMEMCMP(t2, tag, sizeof(t2)) != 0)
+        return -6201;
 
-    memset(tag, 0, sizeof(tag));
-    wc_GmacSetKey(&gmac, k3, sizeof(k3));
-    wc_GmacUpdate(&gmac, iv3, sizeof(iv3), a3, sizeof(a3), tag, sizeof(t3));
-    if (memcmp(t3, tag, sizeof(t3)) != 0)
-        return -128;
+#if !(defined(WC_NO_RNG) || defined(HAVE_SELFTEST))
+    {
+        const byte badT[] =
+        {
+            0xde, 0xad, 0xbe, 0xef, 0x17, 0x2e, 0xd0, 0x43,
+            0xaa, 0x10, 0xf1, 0x6d, 0x22, 0x7d, 0xc4, 0x1b
+        };
+
+        WC_RNG rng;
+        byte iv[12];
+
+        #ifndef HAVE_FIPS
+            if (wc_InitRng_ex(&rng, HEAP_HINT, devId) != 0)
+                return -6202;
+        #else
+            if (wc_InitRng(&rng) != 0)
+                return -6203;
+        #endif
+
+        if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
+                    t1, sizeof(t1)) != 0)
+            return -6204;
+        if (wc_GmacVerify(k1, sizeof(k1), iv1, sizeof(iv1), a1, sizeof(a1),
+                    badT, sizeof(badT)) != AES_GCM_AUTH_E)
+            return -6205;
+        if (wc_GmacVerify(k2, sizeof(k2), iv2, sizeof(iv2), a2, sizeof(a2),
+                    t2, sizeof(t2)) != 0)
+            return -6206;
+
+        XMEMSET(tag, 0, sizeof(tag));
+        XMEMSET(iv, 0, sizeof(iv));
+        if (wc_Gmac(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
+                    tag, sizeof(tag), &rng) != 0)
+            return -6207;
+        if (wc_GmacVerify(k1, sizeof(k1), iv, sizeof(iv), a1, sizeof(a1),
+                    tag, sizeof(tag)) != 0)
+            return -6208;
+        wc_FreeRng(&rng);
+    }
+#endif /* WC_NO_RNG HAVE_SELFTEST */
+#endif /* HAVE_FIPS */
 
     return 0;
 }
+#endif /* WOLFSSL_AES_128 */
 #endif /* HAVE_AESGCM */
 
-#ifdef HAVE_AESCCM
+#if defined(HAVE_AESCCM) && defined(WOLFSSL_AES_128)
 int aesccm_test(void)
 {
     Aes enc;
@@ -2887,45 +9089,280 @@ int aesccm_test(void)
     byte t2[sizeof(t)];
     byte p2[sizeof(p)];
     byte c2[sizeof(c)];
+    byte iv2[sizeof(iv)];
 
     int result;
 
-    memset(t2, 0, sizeof(t2));
-    memset(c2, 0, sizeof(c2));
-    memset(p2, 0, sizeof(p2));
+    XMEMSET(&enc, 0, sizeof(Aes)); /* clear context */
+    XMEMSET(t2, 0, sizeof(t2));
+    XMEMSET(c2, 0, sizeof(c2));
+    XMEMSET(p2, 0, sizeof(p2));
+
+    result = wc_AesCcmSetKey(&enc, k, sizeof(k));
+    if (result != 0)
+        return -6300;
 
-    wc_AesCcmSetKey(&enc, k, sizeof(k));
     /* AES-CCM encrypt and decrypt both use AES encrypt internally */
-    wc_AesCcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
+    result = wc_AesCcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
                                                  t2, sizeof(t2), a, sizeof(a));
-    if (memcmp(c, c2, sizeof(c2)))
-        return -107;
-    if (memcmp(t, t2, sizeof(t2)))
-        return -108;
+    if (result != 0)
+        return -6301;
+    if (XMEMCMP(c, c2, sizeof(c2)))
+        return -6302;
+    if (XMEMCMP(t, t2, sizeof(t2)))
+        return -6303;
 
     result = wc_AesCcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv),
                                                  t2, sizeof(t2), a, sizeof(a));
     if (result != 0)
-        return -109;
-    if (memcmp(p, p2, sizeof(p2)))
-        return -110;
+        return -6304;
+    if (XMEMCMP(p, p2, sizeof(p2)))
+        return -6305;
 
     /* Test the authentication failure */
     t2[0]++; /* Corrupt the authentication tag. */
     result = wc_AesCcmDecrypt(&enc, p2, c, sizeof(p2), iv, sizeof(iv),
                                                  t2, sizeof(t2), a, sizeof(a));
     if (result == 0)
-        return -111;
+        return -6306;
 
     /* Clear c2 to compare against p2. p2 should be set to zero in case of
      * authentication fail. */
-    memset(c2, 0, sizeof(c2));
-    if (memcmp(p2, c2, sizeof(p2)))
-        return -112;
+    XMEMSET(c2, 0, sizeof(c2));
+    if (XMEMCMP(p2, c2, sizeof(p2)))
+        return -6307;
+
+    XMEMSET(&enc, 0, sizeof(Aes)); /* clear context */
+    XMEMSET(t2, 0, sizeof(t2));
+    XMEMSET(c2, 0, sizeof(c2));
+    XMEMSET(p2, 0, sizeof(p2));
+    XMEMSET(iv2, 0, sizeof(iv2));
+
+#ifndef HAVE_SELFTEST
+    /* selftest build does not have wc_AesCcmSetNonce() or
+     * wc_AesCcmEncrypt_ex() */
+    if (wc_AesCcmSetKey(&enc, k, sizeof(k)) != 0)
+        return -6308;
+
+    if (wc_AesCcmSetNonce(&enc, iv, sizeof(iv)) != 0)
+        return -6309;
+    if (wc_AesCcmEncrypt_ex(&enc, c2, p, sizeof(c2), iv2, sizeof(iv2),
+                            t2, sizeof(t2), a, sizeof(a)) != 0)
+        return -6310;
+    if (XMEMCMP(iv, iv2, sizeof(iv2)))
+        return -6311;
+    if (XMEMCMP(c, c2, sizeof(c2)))
+        return -6312;
+    if (XMEMCMP(t, t2, sizeof(t2)))
+        return -6313;
+#endif
 
     return 0;
 }
-#endif /* HAVE_AESCCM */
+#endif /* HAVE_AESCCM WOLFSSL_AES_128 */
+
+
+#ifdef HAVE_AES_KEYWRAP
+
+#define MAX_KEYWRAP_TEST_OUTLEN 40
+#define MAX_KEYWRAP_TEST_PLAINLEN 32
+
+typedef struct keywrapVector {
+    const byte* kek;
+    const byte* data;
+    const byte* verify;
+    word32 kekLen;
+    word32 dataLen;
+    word32 verifyLen;
+} keywrapVector;
+
+int aeskeywrap_test(void)
+{
+    int wrapSz, plainSz, testSz, i;
+
+    /* test vectors from RFC 3394 (kek, data, verify) */
+
+#ifdef WOLFSSL_AES_128
+    /* Wrap 128 bits of Key Data with a 128-bit KEK */
+    const byte k1[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+    };
+
+    const byte d1[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
+    };
+
+    const byte v1[] = {
+        0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
+        0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
+        0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5
+    };
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+    /* Wrap 128 bits of Key Data with a 192-bit KEK */
+    const byte k2[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
+    };
+
+    const byte d2[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
+    };
+
+    const byte v2[] = {
+        0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
+        0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
+        0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D
+    };
+#endif
+
+#ifdef WOLFSSL_AES_256
+    /* Wrap 128 bits of Key Data with a 256-bit KEK */
+    const byte k3[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
+    };
+
+    const byte d3[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
+    };
+
+    const byte v3[] = {
+        0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
+        0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
+        0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7
+    };
+#endif
+
+#ifdef WOLFSSL_AES_192
+    /* Wrap 192 bits of Key Data with a 192-bit KEK */
+    const byte k4[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
+    };
+
+    const byte d4[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
+    };
+
+    const byte v4[] = {
+        0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
+        0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
+        0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
+        0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2
+    };
+#endif
+
+#ifdef WOLFSSL_AES_256
+    /* Wrap 192 bits of Key Data with a 256-bit KEK */
+    const byte k5[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
+    };
+
+    const byte d5[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
+    };
+
+    const byte v5[] = {
+        0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
+        0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
+        0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
+        0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1
+    };
+
+    /* Wrap 256 bits of Key Data with a 256-bit KEK */
+    const byte k6[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
+    };
+
+    const byte d6[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+    };
+
+    const byte v6[] = {
+        0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
+        0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
+        0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
+        0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
+        0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21
+    };
+#endif /* WOLFSSL_AES_256 */
+
+    byte output[MAX_KEYWRAP_TEST_OUTLEN];
+    byte plain [MAX_KEYWRAP_TEST_PLAINLEN];
+
+    const keywrapVector test_wrap[] =
+    {
+    #ifdef WOLFSSL_AES_128
+        {k1, d1, v1, sizeof(k1), sizeof(d1), sizeof(v1)},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {k2, d2, v2, sizeof(k2), sizeof(d2), sizeof(v2)},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {k3, d3, v3, sizeof(k3), sizeof(d3), sizeof(v3)},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {k4, d4, v4, sizeof(k4), sizeof(d4), sizeof(v4)},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {k5, d5, v5, sizeof(k5), sizeof(d5), sizeof(v5)},
+        {k6, d6, v6, sizeof(k6), sizeof(d6), sizeof(v6)}
+    #endif
+    };
+    testSz = sizeof(test_wrap) / sizeof(keywrapVector);
+
+    XMEMSET(output, 0, sizeof(output));
+    XMEMSET(plain,  0, sizeof(plain));
+
+    for (i = 0; i < testSz; i++) {
+
+        wrapSz = wc_AesKeyWrap(test_wrap[i].kek, test_wrap[i].kekLen,
+                               test_wrap[i].data, test_wrap[i].dataLen,
+                               output, sizeof(output), NULL);
+
+        if ( (wrapSz < 0) || (wrapSz != (int)test_wrap[i].verifyLen) )
+            return -6400;
+
+        if (XMEMCMP(output, test_wrap[i].verify, test_wrap[i].verifyLen) != 0)
+            return -6401;
+
+        plainSz = wc_AesKeyUnWrap((byte*)test_wrap[i].kek, test_wrap[i].kekLen,
+                                  output, wrapSz,
+                                  plain, sizeof(plain), NULL);
+
+        if ( (plainSz < 0) || (plainSz != (int)test_wrap[i].dataLen) )
+            return -6402;
+
+        if (XMEMCMP(plain, test_wrap[i].data, test_wrap[i].dataLen) != 0)
+            return -6403 - i;
+    }
+
+    return 0;
+}
+#endif /* HAVE_AES_KEYWRAP */
 
 
 #endif /* NO_AES */
@@ -3053,7 +9490,7 @@ int camellia_test(void)
 
     byte out[CAMELLIA_BLOCK_SIZE];
     Camellia cam;
-    int i, testsSz;
+    int i, testsSz, ret;
     const test_vector_t testVectors[] =
     {
         {CAM_ECB_ENC, pte, ive, c1, k1, sizeof(k1), -114},
@@ -3078,25 +9515,31 @@ int camellia_test(void)
 
         switch (testVectors[i].type) {
             case CAM_ECB_ENC:
-                wc_CamelliaEncryptDirect(&cam, out, testVectors[i].plaintext);
-                if (memcmp(out, testVectors[i].ciphertext, CAMELLIA_BLOCK_SIZE))
+                ret = wc_CamelliaEncryptDirect(&cam, out,
+                                                testVectors[i].plaintext);
+                if (ret != 0 || XMEMCMP(out, testVectors[i].ciphertext,
+                                                        CAMELLIA_BLOCK_SIZE))
                     return testVectors[i].errorCode;
                 break;
             case CAM_ECB_DEC:
-                wc_CamelliaDecryptDirect(&cam, out, testVectors[i].ciphertext);
-                if (memcmp(out, testVectors[i].plaintext, CAMELLIA_BLOCK_SIZE))
+                ret = wc_CamelliaDecryptDirect(&cam, out,
+                                                    testVectors[i].ciphertext);
+                if (ret != 0 || XMEMCMP(out, testVectors[i].plaintext,
+                                                        CAMELLIA_BLOCK_SIZE))
                     return testVectors[i].errorCode;
                 break;
             case CAM_CBC_ENC:
-                wc_CamelliaCbcEncrypt(&cam, out, testVectors[i].plaintext,
+                ret = wc_CamelliaCbcEncrypt(&cam, out, testVectors[i].plaintext,
                                                            CAMELLIA_BLOCK_SIZE);
-                if (memcmp(out, testVectors[i].ciphertext, CAMELLIA_BLOCK_SIZE))
+                if (ret != 0 || XMEMCMP(out, testVectors[i].ciphertext,
+                                                        CAMELLIA_BLOCK_SIZE))
                     return testVectors[i].errorCode;
                 break;
             case CAM_CBC_DEC:
-                wc_CamelliaCbcDecrypt(&cam, out, testVectors[i].ciphertext,
-                                                           CAMELLIA_BLOCK_SIZE);
-                if (memcmp(out, testVectors[i].plaintext, CAMELLIA_BLOCK_SIZE))
+                ret = wc_CamelliaCbcDecrypt(&cam, out,
+                                testVectors[i].ciphertext, CAMELLIA_BLOCK_SIZE);
+                if (ret != 0 || XMEMCMP(out, testVectors[i].plaintext,
+                                                           CAMELLIA_BLOCK_SIZE))
                     return testVectors[i].errorCode;
                 break;
             default:
@@ -3105,33 +9548,390 @@ int camellia_test(void)
     }
 
     /* Setting the IV and checking it was actually set. */
-    wc_CamelliaSetIV(&cam, ivc);
-    if (XMEMCMP(cam.reg, ivc, CAMELLIA_BLOCK_SIZE))
-        return -1;
+    ret = wc_CamelliaSetIV(&cam, ivc);
+    if (ret != 0 || XMEMCMP(cam.reg, ivc, CAMELLIA_BLOCK_SIZE))
+        return -6500;
 
     /* Setting the IV to NULL should be same as all zeros IV */
     if (wc_CamelliaSetIV(&cam, NULL) != 0 ||
                                     XMEMCMP(cam.reg, ive, CAMELLIA_BLOCK_SIZE))
-        return -1;
+        return -6501;
 
     /* First parameter should never be null */
     if (wc_CamelliaSetIV(NULL, NULL) == 0)
-        return -1;
+        return -6502;
 
     /* First parameter should never be null, check it fails */
     if (wc_CamelliaSetKey(NULL, k1, sizeof(k1), NULL) == 0)
-        return -1;
+        return -6503;
 
     /* Key should have a size of 16, 24, or 32 */
     if (wc_CamelliaSetKey(&cam, k1, 0, NULL) == 0)
-        return -1;
+        return -6504;
 
     return 0;
 }
 #endif /* HAVE_CAMELLIA */
 
+#ifdef HAVE_IDEA
+int idea_test(void)
+{
+    int ret;
+    word16 i, j;
+
+    Idea idea;
+    byte data[IDEA_BLOCK_SIZE];
+
+    /* Project NESSIE test vectors */
+#define IDEA_NB_TESTS   6
+#define IDEA_NB_TESTS_EXTRA 4
+
+    const byte v_key[IDEA_NB_TESTS][IDEA_KEY_SIZE] = {
+        { 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37,
+            0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 },
+        { 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57,
+            0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 },
+        { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+            0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F },
+        { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00,
+            0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 },
+        { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+            0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F },
+        { 0x2B, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00,
+            0x95, 0x2C, 0x49, 0x10, 0x48, 0x81, 0xFF, 0x48 },
+    };
 
-#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+    const byte v1_plain[IDEA_NB_TESTS][IDEA_BLOCK_SIZE] = {
+        { 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 },
+        { 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57, 0x57 },
+        { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+        { 0xEA, 0x02, 0x47, 0x14, 0xAD, 0x5C, 0x4D, 0x84 },
+        { 0xDB, 0x2D, 0x4A, 0x92, 0xAA, 0x68, 0x27, 0x3F },
+        { 0xF1, 0x29, 0xA6, 0x60, 0x1E, 0xF6, 0x2A, 0x47 },
+    };
+
+    byte v1_cipher[IDEA_NB_TESTS][IDEA_BLOCK_SIZE] = {
+        { 0x54, 0xCF, 0x21, 0xE3, 0x89, 0xD8, 0x73, 0xEC },
+        { 0x85, 0x52, 0x4D, 0x41, 0x0E, 0xB4, 0x28, 0xAE },
+        { 0xF5, 0x26, 0xAB, 0x9A, 0x62, 0xC0, 0xD2, 0x58 },
+        { 0xC8, 0xFB, 0x51, 0xD3, 0x51, 0x66, 0x27, 0xA8 },
+        { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+        { 0xEA, 0x02, 0x47, 0x14, 0xAD, 0x5C, 0x4D, 0x84 },
+    };
+
+    byte v1_cipher_100[IDEA_NB_TESTS_EXTRA][IDEA_BLOCK_SIZE]  = {
+        { 0x12, 0x46, 0x2F, 0xD0, 0xFB, 0x3A, 0x63, 0x39 },
+        { 0x15, 0x61, 0xE8, 0xC9, 0x04, 0x54, 0x8B, 0xE9 },
+        { 0x42, 0x12, 0x2A, 0x94, 0xB0, 0xF6, 0xD2, 0x43 },
+        { 0x53, 0x4D, 0xCD, 0x48, 0xDD, 0xD5, 0xF5, 0x9C },
+    };
+
+    byte v1_cipher_1000[IDEA_NB_TESTS_EXTRA][IDEA_BLOCK_SIZE] = {
+        { 0x44, 0x1B, 0x38, 0x5C, 0x77, 0x29, 0x75, 0x34 },
+        { 0xF0, 0x4E, 0x58, 0x88, 0x44, 0x99, 0x22, 0x2D },
+        { 0xB3, 0x5F, 0x93, 0x7F, 0x6A, 0xA0, 0xCD, 0x1F },
+        { 0x9A, 0xEA, 0x46, 0x8F, 0x42, 0x9B, 0xBA, 0x15 },
+    };
+
+    /* CBC test */
+    const char *message = "International Data Encryption Algorithm";
+    byte msg_enc[40], msg_dec[40];
+
+    for (i = 0; i < IDEA_NB_TESTS; i++) {
+        /* Set encryption key */
+        XMEMSET(&idea, 0, sizeof(Idea));
+        ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
+                            NULL, IDEA_ENCRYPTION);
+        if (ret != 0) {
+            printf("wc_IdeaSetKey (enc) failed\n");
+            return -6600;
+        }
+
+        /* Data encryption */
+        ret = wc_IdeaCipher(&idea, data, v1_plain[i]);
+        if (ret != 0 || XMEMCMP(&v1_cipher[i], data, IDEA_BLOCK_SIZE)) {
+            printf("Bad encryption\n");
+            return -6601;
+        }
+
+        /* Set decryption key */
+        XMEMSET(&idea, 0, sizeof(Idea));
+        ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
+                            NULL, IDEA_DECRYPTION);
+        if (ret != 0) {
+            printf("wc_IdeaSetKey (dec) failed\n");
+            return -6602;
+        }
+
+        /* Data decryption */
+        ret = wc_IdeaCipher(&idea, data, data);
+        if (ret != 0 || XMEMCMP(v1_plain[i], data, IDEA_BLOCK_SIZE)) {
+            printf("Bad decryption\n");
+            return -6603;
+        }
+
+        /* Set encryption key */
+        XMEMSET(&idea, 0, sizeof(Idea));
+        ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
+                            v_key[i], IDEA_ENCRYPTION);
+        if (ret != 0) {
+            printf("wc_IdeaSetKey (enc) failed\n");
+            return -6604;
+        }
+
+        XMEMSET(msg_enc, 0, sizeof(msg_enc));
+        ret = wc_IdeaCbcEncrypt(&idea, msg_enc, (byte *)message,
+                                (word32)XSTRLEN(message)+1);
+        if (ret != 0) {
+            printf("wc_IdeaCbcEncrypt failed\n");
+            return -6605;
+        }
+
+        /* Set decryption key */
+        XMEMSET(&idea, 0, sizeof(Idea));
+        ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
+                            v_key[i], IDEA_DECRYPTION);
+        if (ret != 0) {
+            printf("wc_IdeaSetKey (dec) failed\n");
+            return -6606;
+        }
+
+        XMEMSET(msg_dec, 0, sizeof(msg_dec));
+        ret = wc_IdeaCbcDecrypt(&idea, msg_dec, msg_enc,
+                                (word32)XSTRLEN(message)+1);
+        if (ret != 0) {
+            printf("wc_IdeaCbcDecrypt failed\n");
+            return -6607;
+        }
+
+        if (XMEMCMP(message, msg_dec, (word32)XSTRLEN(message))) {
+            printf("Bad CBC decryption\n");
+            return -6608;
+        }
+    }
+
+    for (i = 0; i < IDEA_NB_TESTS_EXTRA; i++) {
+        /* Set encryption key */
+        XMEMSET(&idea, 0, sizeof(Idea));
+        ret = wc_IdeaSetKey(&idea, v_key[i], IDEA_KEY_SIZE,
+                            NULL, IDEA_ENCRYPTION);
+        if (ret != 0) {
+            printf("wc_IdeaSetKey (enc) failed\n");
+            return -6609;
+        }
+
+        /* 100 times data encryption */
+        XMEMCPY(data, v1_plain[i], IDEA_BLOCK_SIZE);
+        for (j = 0; j < 100; j++) {
+            ret = wc_IdeaCipher(&idea, data, data);
+            if (ret != 0) {
+                return -6610;
+            }
+        }
+
+        if (XMEMCMP(v1_cipher_100[i], data, IDEA_BLOCK_SIZE)) {
+            printf("Bad encryption (100 times)\n");
+            return -6611;
+        }
+
+        /* 1000 times data encryption */
+        XMEMCPY(data, v1_plain[i], IDEA_BLOCK_SIZE);
+        for (j = 0; j < 1000; j++) {
+            ret = wc_IdeaCipher(&idea, data, data);
+            if (ret != 0) {
+                return -6612;
+            }
+        }
+
+        if (XMEMCMP(v1_cipher_1000[i], data, IDEA_BLOCK_SIZE)) {
+            printf("Bad encryption (100 times)\n");
+            return -6613;
+        }
+    }
+
+#ifndef WC_NO_RNG
+    /* random test for CBC */
+    {
+        WC_RNG rng;
+        byte key[IDEA_KEY_SIZE], iv[IDEA_BLOCK_SIZE],
+        rnd[1000], enc[1000], dec[1000];
+
+        /* random values */
+    #ifndef HAVE_FIPS
+        ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+    #else
+        ret = wc_InitRng(&rng);
+    #endif
+        if (ret != 0)
+            return -6614;
+
+        for (i = 0; i < 1000; i++) {
+            /* random key */
+            ret = wc_RNG_GenerateBlock(&rng, key, sizeof(key));
+            if (ret != 0)
+                return -6615;
+
+            /* random iv */
+            ret = wc_RNG_GenerateBlock(&rng, iv, sizeof(iv));
+            if (ret != 0)
+                return -6616;
+
+            /* random data */
+            ret = wc_RNG_GenerateBlock(&rng, rnd, sizeof(rnd));
+            if (ret != 0)
+                return -6617;
+
+            /* Set encryption key */
+            XMEMSET(&idea, 0, sizeof(Idea));
+            ret = wc_IdeaSetKey(&idea, key, IDEA_KEY_SIZE, iv, IDEA_ENCRYPTION);
+            if (ret != 0) {
+                printf("wc_IdeaSetKey (enc) failed\n");
+                return -6618;
+            }
+
+            /* Data encryption */
+            XMEMSET(enc, 0, sizeof(enc));
+            ret = wc_IdeaCbcEncrypt(&idea, enc, rnd, sizeof(rnd));
+            if (ret != 0) {
+                printf("wc_IdeaCbcEncrypt failed\n");
+                return -6619;
+            }
+
+            /* Set decryption key */
+            XMEMSET(&idea, 0, sizeof(Idea));
+            ret = wc_IdeaSetKey(&idea, key, IDEA_KEY_SIZE, iv, IDEA_DECRYPTION);
+            if (ret != 0) {
+                printf("wc_IdeaSetKey (enc) failed\n");
+                return -6620;
+            }
+
+            /* Data decryption */
+            XMEMSET(dec, 0, sizeof(dec));
+            ret = wc_IdeaCbcDecrypt(&idea, dec, enc, sizeof(enc));
+            if (ret != 0) {
+                printf("wc_IdeaCbcDecrypt failed\n");
+                return -6621;
+            }
+
+            if (XMEMCMP(rnd, dec, sizeof(rnd))) {
+                printf("Bad CBC decryption\n");
+                return -6622;
+            }
+        }
+
+        wc_FreeRng(&rng);
+    }
+#endif /* WC_NO_RNG */
+
+    return 0;
+}
+#endif /* HAVE_IDEA */
+
+
+#ifndef WC_NO_RNG
+static int _rng_test(WC_RNG* rng, int errorOffset)
+{
+    byte block[32];
+    int ret, i;
+
+    XMEMSET(block, 0, sizeof(block));
+
+    ret = wc_RNG_GenerateBlock(rng, block, sizeof(block));
+    if (ret != 0) {
+        ret = -6623;
+        goto exit;
+    }
+
+    /* Check for 0's */
+    for (i=0; i<(int)sizeof(block); i++) {
+        if (block[i] == 0) {
+            ret++;
+        }
+    }
+    /* All zeros count check */
+    if (ret >= (int)sizeof(block)) {
+        ret = -6624;
+        goto exit;
+    }
+
+    ret = wc_RNG_GenerateByte(rng, block);
+    if (ret != 0) {
+        ret = -6625;
+        goto exit;
+    }
+
+    /* Parameter validation testing. */
+    ret = wc_RNG_GenerateBlock(NULL, block, sizeof(block));
+    if (ret != BAD_FUNC_ARG) {
+        ret = -6626;
+        goto exit;
+    }
+    ret = wc_RNG_GenerateBlock(rng, NULL, sizeof(block));
+    if (ret != BAD_FUNC_ARG) {
+        ret = -6627;
+        goto exit;
+    }
+
+    ret = wc_RNG_GenerateByte(NULL, block);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -6628;
+        goto exit;
+    }
+    ret = wc_RNG_GenerateByte(rng, NULL);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -6629;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    if (ret != 0)
+        ret += errorOffset;
+
+    return ret;
+}
+
+
+static int random_rng_test(void)
+{
+    WC_RNG localRng;
+    WC_RNG* rng;
+    int ret;
+
+    rng = &localRng;
+    /* Test stack based RNG. */
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(rng);
+#endif
+    if (ret != 0) return -6700;
+
+    ret = _rng_test(rng, -6300);
+
+    /* Make sure and free RNG */
+    wc_FreeRng(rng);
+
+    if (ret != 0) return ret;
+
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+    {
+        byte nonce[8] = { 0 };
+        /* Test dynamic RNG. */
+        rng = wc_rng_new(nonce, (word32)sizeof(nonce), HEAP_HINT);
+        if (rng == NULL) return -6701;
+
+        ret = _rng_test(rng, -6310);
+
+        wc_rng_free(rng);
+    }
+#endif
+
+    return ret;
+}
+
+#if defined(HAVE_HASHDRBG) && !defined(CUSTOM_RAND_GENERATE_BLOCK)
 
 int random_test(void)
 {
@@ -3184,53 +9984,240 @@ int random_test(void)
         0xa1, 0x80, 0x18, 0x3a, 0x07, 0xdf, 0xae, 0x17
     };
 
-    byte output[SHA256_DIGEST_SIZE * 4];
+    byte output[WC_SHA256_DIGEST_SIZE * 4];
     int ret;
 
     ret = wc_RNG_HealthTest(0, test1Entropy, sizeof(test1Entropy), NULL, 0,
                             output, sizeof(output));
     if (ret != 0)
-        return -39;
+        return -6800;
 
     if (XMEMCMP(test1Output, output, sizeof(output)) != 0)
-        return -40;
+        return -6801;
 
     ret = wc_RNG_HealthTest(1, test2EntropyA, sizeof(test2EntropyA),
                             test2EntropyB, sizeof(test2EntropyB),
                             output, sizeof(output));
     if (ret != 0)
-        return -41;
+        return -6802;
 
     if (XMEMCMP(test2Output, output, sizeof(output)) != 0)
-        return -42;
+        return -6803;
 
+    /* Basic RNG generate block test */
+    if ((ret = random_rng_test()) != 0)
+        return ret;
+
+    /* Test the seed check function. */
+#if !(defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) || \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+    {
+        word32 i, outputSz;
+
+        /* Repeat the same byte over and over. Should fail. */
+        outputSz = sizeof(output);
+        XMEMSET(output, 1, outputSz);
+        ret = wc_RNG_TestSeed(output, outputSz);
+        if (ret == 0)
+            return -6804;
+
+        /* Every byte of the entropy scratch is different,
+         * entropy is a single byte that shouldn't match. */
+        outputSz = (sizeof(word32) * 2) + 1;
+        for (i = 0; i < outputSz; i++)
+            output[i] = (byte)i;
+        ret = wc_RNG_TestSeed(output, outputSz);
+        if (ret != 0)
+            return -6805;
+
+        outputSz = sizeof(output);
+        for (i = 0; i < outputSz; i++)
+            output[i] = (byte)i;
+        ret = wc_RNG_TestSeed(output, outputSz);
+        if (ret != 0)
+            return -6806;
+    }
+#endif
     return 0;
 }
 
-#else /* HAVE_HASHDRBG || NO_RC4 */
+#else
 
 int random_test(void)
 {
-    RNG  rng;
-    byte block[32];
-    int ret;
+    /* Basic RNG generate block test */
+    return random_rng_test();
+}
 
-#ifdef HAVE_CAVIUM
-    ret = wc_InitRngCavium(&rng, CAVIUM_DEV_ID);
-    if (ret != 0) return -2007;
-#endif
-    ret = wc_InitRng(&rng);
-    if (ret != 0) return -39;
+#endif /* HAVE_HASHDRBG && !CUSTOM_RAND_GENERATE_BLOCK */
+#endif /* WC_NO_RNG */
 
-    ret = wc_RNG_GenerateBlock(&rng, block, sizeof(block));
-    if (ret != 0) return -40;
+#ifndef MEM_TEST_SZ
+    #define MEM_TEST_SZ 1024
+#endif
 
-    wc_FreeRng(&rng);
+#if defined(WOLFSSL_STATIC_MEMORY) || !defined(WOLFSSL_NO_MALLOC)
+static int simple_mem_test(int sz)
+{
+    int ret = 0;
+    byte* b;
+    int i;
 
-    return 0;
+    b = (byte*)XMALLOC(sz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (b == NULL) {
+        return -6900;
+    }
+    /* utilize memory */
+    for (i = 0; i < sz; i++) {
+        b[i] = (byte)i;
+    }
+    /* read back and verify */
+    for (i = 0; i < sz; i++) {
+        if (b[i] != (byte)i) {
+            ret = -6901;
+            break;
+        }
+    }
+    XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
 }
+#endif
+
+int memory_test(void)
+{
+    int ret = 0;
+#ifndef USE_FAST_MATH
+    byte* b = NULL;
+#endif
+#if defined(COMPLEX_MEM_TEST) || defined(WOLFSSL_STATIC_MEMORY)
+    int i;
+#endif
+#ifdef WOLFSSL_STATIC_MEMORY
+    word32 size[] = { WOLFMEM_BUCKETS };
+    word32 dist[] = { WOLFMEM_DIST };
+    byte buffer[30000]; /* make large enough to involve many bucket sizes */
+    int pad = -(int)((wolfssl_word)buffer) & (WOLFSSL_STATIC_ALIGN - 1);
+              /* pad to account for if head of buffer is not at set memory
+               * alignment when tests are ran */
+#endif
+
+#ifdef WOLFSSL_STATIC_MEMORY
+    /* check macro settings */
+    if (sizeof(size)/sizeof(word32) != WOLFMEM_MAX_BUCKETS) {
+        return -7000;
+    }
+
+    if (sizeof(dist)/sizeof(word32) != WOLFMEM_MAX_BUCKETS) {
+        return -7001;
+    }
+
+    for (i = 0; i < WOLFMEM_MAX_BUCKETS; i++) {
+        if ((size[i] % WOLFSSL_STATIC_ALIGN) != 0) {
+            /* each element in array should be divisible by alignment size */
+            return -7002;
+        }
+    }
+
+    for (i = 1; i < WOLFMEM_MAX_BUCKETS; i++) {
+        if (size[i - 1] >= size[i]) {
+            return -7003; /* sizes should be in increasing order  */
+        }
+    }
+
+    /* check that padding size returned is possible */
+    if (wolfSSL_MemoryPaddingSz() < WOLFSSL_STATIC_ALIGN) {
+        return -7004; /* no room for wc_Memory struct */
+    }
+
+    if (wolfSSL_MemoryPaddingSz() < 0) {
+        return -7005;
+    }
+
+    if (wolfSSL_MemoryPaddingSz() % WOLFSSL_STATIC_ALIGN != 0) {
+        return -7006; /* not aligned! */
+    }
+
+    /* check function to return optimum buffer size (rounded down) */
+    ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_GENERAL);
+    if ((ret - pad) % WOLFSSL_STATIC_ALIGN != 0) {
+        return -7007; /* not aligned! */
+    }
+
+    if (ret < 0) {
+        return -7008;
+    }
+
+    if ((unsigned int)ret > sizeof(buffer)) {
+        return -7009; /* did not round down as expected */
+    }
+
+    if (ret != wolfSSL_StaticBufferSz(buffer, ret, WOLFMEM_GENERAL)) {
+        return -7010; /* return value changed when using suggested value */
+    }
+
+    ret = wolfSSL_MemoryPaddingSz();
+    ret += pad; /* add space that is going to be needed if buffer not aligned */
+    if (wolfSSL_StaticBufferSz(buffer, size[0] + ret + 1, WOLFMEM_GENERAL) !=
+            (ret + (int)size[0])) {
+        return -7011; /* did not round down to nearest bucket value */
+    }
+
+    ret = wolfSSL_StaticBufferSz(buffer, sizeof(buffer), WOLFMEM_IO_POOL);
+    if ((ret - pad) < 0) {
+        return -7012;
+    }
+
+    if (((ret - pad) % (WOLFMEM_IO_SZ + wolfSSL_MemoryPaddingSz())) != 0) {
+        return -7013; /* not even chunks of memory for IO size */
+    }
+
+    if (((ret - pad) % WOLFSSL_STATIC_ALIGN) != 0) {
+        return -7014; /* memory not aligned */
+    }
+
+    /* check for passing bad or unknown arguments to functions */
+    if (wolfSSL_StaticBufferSz(NULL, 1, WOLFMEM_GENERAL) > 0) {
+        return -7015;
+    }
+
+    if (wolfSSL_StaticBufferSz(buffer, 1, WOLFMEM_GENERAL) != 0) {
+        return -7016; /* should round to 0 since struct + bucket will not fit */
+    }
+
+    (void)dist; /* avoid static analysis warning of variable not used */
+#endif
+
+#if defined(WOLFSSL_STATIC_MEMORY) || !defined(WOLFSSL_NO_MALLOC)
+    /* simple test */
+    ret = simple_mem_test(MEM_TEST_SZ);
+    if (ret != 0)
+        return ret;
+#endif
+
+#ifdef COMPLEX_MEM_TEST
+    /* test various size blocks */
+    for (i = 1; i < MEM_TEST_SZ; i*=2) {
+        ret = simple_mem_test(i);
+        if (ret != 0)
+            return ret;
+    }
+#endif
+
+#ifndef USE_FAST_MATH
+    /* realloc test */
+    b = (byte*)XMALLOC(MEM_TEST_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (b) {
+        b = (byte*)XREALLOC(b, MEM_TEST_SZ+sizeof(word32), HEAP_HINT,
+            DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    if (b == NULL) {
+        return -7017;
+    }
+    XFREE(b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
 
-#endif /* HAVE_HASHDRBG || NO_RC4 */
+    return ret;
+}
 
 
 #ifdef HAVE_NTRU
@@ -3239,7 +10226,7 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out);
 
 byte GetEntropy(ENTROPY_CMD cmd, byte* out)
 {
-    static RNG rng;
+    static WC_RNG rng;
 
     if (cmd == INIT)
         return (wc_InitRng(&rng) == 0) ? 1 : 0;
@@ -3260,708 +10247,3347 @@ byte GetEntropy(ENTROPY_CMD cmd, byte* out)
 
 #endif /* HAVE_NTRU */
 
-#ifndef NO_RSA
 
+#ifndef NO_FILESYSTEM
+
+/* Cert Paths */
+#ifdef FREESCALE_MQX
+    #define CERT_PREFIX "a:\\"
+    #define CERT_PATH_SEP "\\"
+#elif defined(WOLFSSL_uTKERNEL2)
+    #define CERT_PREFIX "/uda/"
+    #define CERT_PATH_SEP "/"
+#else
+    #define CERT_PREFIX "./"
+    #define CERT_PATH_SEP "/"
+#endif
+#define CERT_ROOT CERT_PREFIX "certs" CERT_PATH_SEP
+
+/* Generated Test Certs */
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
+    #if !defined(NO_RSA) && !defined(NO_ASN)
+        static const char* clientKey  = CERT_ROOT "client-key.der";
+        static const char* clientCert = CERT_ROOT "client-cert.der";
+        #ifdef WOLFSSL_CERT_EXT
+            static const char* clientKeyPub  = CERT_ROOT "client-keyPub.der";
+        #endif
+    #endif /* !NO_RSA && !NO_ASN */
+#endif
 #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
-    #ifdef FREESCALE_MQX
-        static const char* clientKey  = "a:\\certs\\client-key.der";
-        static const char* clientCert = "a:\\certs\\client-cert.der";
-        #ifdef WOLFSSL_CERT_GEN
-            static const char* caKeyFile  = "a:\\certs\\ca-key.der";
-            static const char* caCertFile = "a:\\certs\\ca-cert.pem";
-            #ifdef HAVE_ECC
-                static const char* eccCaKeyFile  = "a:\\certs\\ecc-key.der";
-                static const char* eccCaCertFile = "a:\\certs\\server-ecc.pem";
+    #if !defined(NO_RSA) && !defined(NO_ASN)
+        #if defined(WOLFSSL_CERT_GEN) || defined(HAVE_PKCS7)
+            static const char* rsaCaKeyFile  = CERT_ROOT "ca-key.der";
+            #ifdef WOLFSSL_CERT_GEN
+            static const char* rsaCaCertFile = CERT_ROOT "ca-cert.pem";
             #endif
-        #endif
-    #elif defined(WOLFSSL_MKD_SHELL)
-        static char* clientKey = "certs/client-key.der";
-        static char* clientCert = "certs/client-cert.der";
-        void set_clientKey(char *key) {  clientKey = key ; }
-        void set_clientCert(char *cert) {  clientCert = cert ; }
-        #ifdef WOLFSSL_CERT_GEN
-            static char* caKeyFile  = "certs/ca-key.der";
-            static char* caCertFile = "certs/ca-cert.pem";
-            void set_caKeyFile (char * key)  { caKeyFile   = key ; }
-            void set_caCertFile(char * cert) { caCertFile = cert ; }
-            #ifdef HAVE_ECC
-                static const char* eccCaKeyFile  = "certs/ecc-key.der";
-                static const char* eccCaCertFile = "certs/server-ecc.pem";
-                void set_eccCaKeyFile (char * key)  { eccCaKeyFile  = key ; }
-                void set_eccCaCertFile(char * cert) { eccCaCertFile = cert ; }
+            #if defined(WOLFSSL_ALT_NAMES) || defined(HAVE_PKCS7)
+            static const char* rsaCaCertDerFile = CERT_ROOT "ca-cert.der";
+            #endif
+            #ifdef HAVE_PKCS7
+                static const char* rsaServerCertDerFile =
+                                               CERT_ROOT "server-cert.der";
+                static const char* rsaServerKeyDerFile =
+                                               CERT_ROOT "server-key.der";
             #endif
         #endif
-    #else
-        static const char* clientKey  = "./certs/client-key.der";
-        static const char* clientCert = "./certs/client-cert.der";
-        #ifdef WOLFSSL_CERT_GEN
-            static const char* caKeyFile  = "./certs/ca-key.der";
-            static const char* caCertFile = "./certs/ca-cert.pem";
-            #ifdef HAVE_ECC
-                static const char* eccCaKeyFile  = "./certs/ecc-key.der";
-                static const char* eccCaCertFile = "./certs/server-ecc.pem";
+    #endif /* !NO_RSA && !NO_ASN */
+#endif /* !USE_CERT_BUFFER_* */
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
+    !defined(NO_ASN)
+    #ifndef NO_DH
+        static const char* dhKey = CERT_ROOT "dh2048.der";
+    #endif
+    #ifndef NO_DSA
+        static const char* dsaKey = CERT_ROOT "dsa2048.der";
+    #endif
+#endif /* !USE_CERT_BUFFER_* */
+#if !defined(USE_CERT_BUFFERS_256)
+    #ifdef HAVE_ECC
+        /* cert files to be used in rsa cert gen test, check if RSA enabled */
+        #ifdef HAVE_ECC_KEY_IMPORT
+            static const char* eccKeyDerFile = CERT_ROOT "ecc-key.der";
+        #endif
+#endif
+#if !defined(USE_CERT_BUFFERS_256) && !defined(NO_ASN)
+        #if defined(HAVE_ECC) && defined(WOLFSSL_CERT_GEN)
+            #ifndef NO_RSA
+                /* eccKeyPubFile is used in a test that requires RSA. */
+                static const char* eccKeyPubFile = CERT_ROOT "ecc-keyPub.der";
             #endif
+            static const char* eccCaKeyFile  = CERT_ROOT "ca-ecc-key.der";
+            static const char* eccCaCertFile = CERT_ROOT "ca-ecc-cert.pem";
+            #ifdef ENABLE_ECC384_CERT_GEN_TEST
+                static const char* eccCaKey384File =
+                                               CERT_ROOT "ca-ecc384-key.der";
+                static const char* eccCaCert384File =
+                                               CERT_ROOT "ca-ecc384-cert.pem";
+            #endif
+        #endif
+        #if defined(HAVE_PKCS7) && defined(HAVE_ECC)
+            static const char* eccClientKey  = CERT_ROOT "ecc-client-key.der";
+            static const char* eccClientCert = CERT_ROOT "client-ecc-cert.der";
+        #endif
+    #endif /* HAVE_ECC */
+    #ifdef HAVE_ED25519
+        #ifdef WOLFSSL_TEST_CERT
+            static const char* serverEd25519Cert =
+                                         CERT_ROOT "ed25519/server-ed25519.der";
+            static const char* caEd25519Cert     =
+                                             CERT_ROOT "ed25519/ca-ed25519.der";
         #endif
     #endif
+    #ifdef HAVE_ED448
+        #ifdef WOLFSSL_TEST_CERT
+            static const char* serverEd448Cert =
+                                             CERT_ROOT "ed448/server-ed448.der";
+            static const char* caEd448Cert     = CERT_ROOT "ed448/ca-ed448.der";
+        #endif
+    #endif
+#endif /* !USE_CERT_BUFFER_* */
+
+#ifndef NO_WRITE_TEMP_FILES
+#ifdef HAVE_ECC
+    #ifdef WOLFSSL_CERT_GEN
+         static const char* certEccPemFile =   CERT_PREFIX "certecc.pem";
+    #endif
+    #if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+        static const char* certEccRsaPemFile = CERT_PREFIX "certeccrsa.pem";
+        static const char* certEccRsaDerFile = CERT_PREFIX "certeccrsa.der";
+    #endif
+    #ifdef WOLFSSL_KEY_GEN
+        static const char* eccCaKeyPemFile  = CERT_PREFIX "ecc-key.pem";
+        static const char* eccPubKeyDerFile = CERT_PREFIX "ecc-public-key.der";
+        static const char* eccCaKeyTempFile = CERT_PREFIX "ecc-key.der";
+        static const char* eccPkcs8KeyDerFile = CERT_PREFIX "ecc-key-pkcs8.der";
+    #endif
+    #if defined(WOLFSSL_CERT_GEN) || \
+            (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT))
+        static const char* certEccDerFile = CERT_PREFIX "certecc.der";
+    #endif
+#endif /* HAVE_ECC */
+
+#ifndef NO_RSA
+    #if defined(WOLFSSL_CERT_GEN) || \
+        (defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT))
+        static const char* otherCertDerFile = CERT_PREFIX "othercert.der";
+        static const char* certDerFile = CERT_PREFIX "cert.der";
+    #endif
+    #ifdef WOLFSSL_CERT_GEN
+        static const char* otherCertPemFile = CERT_PREFIX "othercert.pem";
+        static const char* certPemFile = CERT_PREFIX "cert.pem";
+    #endif
+    #ifdef WOLFSSL_CERT_REQ
+        static const char* certReqDerFile = CERT_PREFIX "certreq.der";
+        static const char* certReqPemFile = CERT_PREFIX "certreq.pem";
+    #endif
+#endif /* !NO_RSA */
+
+#if !defined(NO_RSA) || !defined(NO_DSA)
+    #ifdef WOLFSSL_KEY_GEN
+        static const char* keyDerFile = CERT_PREFIX "key.der";
+        static const char* keyPemFile = CERT_PREFIX "key.pem";
+    #endif
 #endif
 
+#endif /* !NO_WRITE_TEMP_FILES */
+#endif /* !NO_FILESYSTEM */
 
-int rsa_test(void)
+
+#if defined(WOLFSSL_CERT_GEN) && (!defined(NO_RSA) || defined(HAVE_ECC)) || \
+  (defined(WOLFSSL_TEST_CERT) && (defined(HAVE_ED25519) || defined(HAVE_ED448)))
+#ifdef WOLFSSL_MULTI_ATTRIB
+static CertName certDefaultName;
+static void initDefaultName(void)
 {
-    byte*   tmp;
-    size_t bytes;
-    RsaKey key;
-    RNG    rng;
-    word32 idx = 0;
-    int    ret;
-    byte   in[] = "Everyone gets Friday off.";
-    word32 inLen = (word32)strlen((char*)in);
-    byte   out[256];
-    byte   plain[256];
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
-    FILE*  file, * file2;
+    XMEMCPY(certDefaultName.country, "US", sizeof("US"));
+    certDefaultName.countryEnc = CTC_PRINTABLE;
+    XMEMCPY(certDefaultName.state, "Oregon", sizeof("Oregon"));
+    certDefaultName.stateEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.locality, "Portland", sizeof("Portland"));
+    certDefaultName.localityEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.sur, "Test", sizeof("Test"));
+    certDefaultName.surEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.org, "wolfSSL", sizeof("wolfSSL"));
+    certDefaultName.orgEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.unit, "Development", sizeof("Development"));
+    certDefaultName.unitEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com"));
+    certDefaultName.commonNameEnc = CTC_UTF8;
+    XMEMCPY(certDefaultName.serialDev, "wolfSSL12345", sizeof("wolfSSL12345"));
+    certDefaultName.serialDevEnc = CTC_PRINTABLE;
+#ifdef WOLFSSL_CERT_EXT
+    XMEMCPY(certDefaultName.busCat, "Private Organization", sizeof("Private Organization"));
+    certDefaultName.busCatEnc = CTC_UTF8;
 #endif
+    XMEMCPY(certDefaultName.email, "info@wolfssl.com", sizeof("info@wolfssl.com"));
+
 #ifdef WOLFSSL_TEST_CERT
-    DecodedCert cert;
+    {
+        NameAttrib* n;
+        /* test having additional OUs and setting DC */
+        n = &certDefaultName.name[0];
+        n->id   = ASN_ORGUNIT_NAME;
+        n->type = CTC_UTF8;
+        n->sz   = sizeof("Development-2");
+        XMEMCPY(n->value, "Development-2", sizeof("Development-2"));
+
+    #if CTC_MAX_ATTRIB > 3
+        n = &certDefaultName.name[1];
+        n->id   = ASN_DOMAIN_COMPONENT;
+        n->type = CTC_UTF8;
+        n->sz   = sizeof("com");
+        XMEMCPY(n->value, "com", sizeof("com"));
+
+        n = &certDefaultName.name[2];
+        n->id   = ASN_DOMAIN_COMPONENT;
+        n->type = CTC_UTF8;
+        n->sz   = sizeof("wolfssl");
+        XMEMCPY(n->value, "wolfssl", sizeof("wolfssl"));
+
+    #endif
+    }
+#endif /* WOLFSSL_TEST_CERT */
+}
+#else
+static const CertName certDefaultName = {
+    "US",               CTC_PRINTABLE,  /* country */
+    "Oregon",           CTC_UTF8,       /* state */
+    "Portland",         CTC_UTF8,       /* locality */
+    "Test",             CTC_UTF8,       /* sur */
+    "wolfSSL",          CTC_UTF8,       /* org */
+    "Development",      CTC_UTF8,       /* unit */
+    "www.wolfssl.com",  CTC_UTF8,       /* commonName */
+    "wolfSSL12345",     CTC_PRINTABLE,  /* serial number of device */
+#ifdef WOLFSSL_CERT_EXT
+    "Private Organization", CTC_UTF8,   /* businessCategory */
+    "US",               CTC_PRINTABLE,  /* jurisdiction country */
+    "Oregon",           CTC_PRINTABLE,  /* jurisdiction state */
 #endif
+    "info@wolfssl.com"                  /* email */
+};
+#endif /* WOLFSSL_MULTI_ATTRIB */
 
-    tmp = (byte*)malloc(FOURK_BUF);
-    if (tmp == NULL)
-        return -40;
+#ifdef WOLFSSL_CERT_EXT
+    #if ((defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
+                                defined(WOLFSSL_TEST_CERT)) || defined(HAVE_ECC)
+    static const char certKeyUsage[] =
+        "digitalSignature,nonRepudiation";
+    #endif
+    #if (defined(WOLFSSL_CERT_REQ) || defined(HAVE_NTRU)) && !defined(NO_RSA)
+        static const char certKeyUsage2[] =
+        "digitalSignature,nonRepudiation,keyEncipherment,keyAgreement";
+    #endif
+#endif /* WOLFSSL_CERT_EXT */
+#endif /* WOLFSSL_CERT_GEN */
 
-#ifdef USE_CERT_BUFFERS_1024
-    XMEMCPY(tmp, client_key_der_1024, sizeof_client_key_der_1024);
-    bytes = sizeof_client_key_der_1024;
-#elif defined(USE_CERT_BUFFERS_2048)
-    XMEMCPY(tmp, client_key_der_2048, sizeof_client_key_der_2048);
-    bytes = sizeof_client_key_der_2048;
-#else
-    file = fopen(clientKey, "rb");
+#ifndef NO_RSA
 
-    if (!file) {
-        err_sys("can't open ./certs/client-key.der, "
-                "Please run from wolfSSL home dir", -40);
-        free(tmp);
-        return -40;
-    }
+#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
+    !defined(NO_FILESYSTEM)
+static byte minSerial[] = { 0x02, 0x01, 0x01 };
+static byte minName[] = { 0x30, 0x00 };
+static byte nameBad[] = {
+    0x30, 0x08,
+          0x31, 0x06,
+                0x30, 0x04,
+                      0x06, 0x02,
+                            0x55, 0x04,
+};
+static byte minDates[] = {
+    0x30, 0x1e,
+          0x17, 0x0d,
+                0x31, 0x38, 0x30, 0x34, 0x31, 0x33, 0x31, 0x35,
+                0x32, 0x33, 0x31, 0x30, 0x5a,
+          0x17, 0x0d,
+                0x32, 0x31, 0x30, 0x31, 0x30, 0x37, 0x31, 0x35,
+                0x32, 0x33, 0x31, 0x30, 0x5a
+};
+static byte minPubKey[] = {
+    0x30, 0x1b,
+          0x30, 0x0d,
+                0x06, 0x09,
+                      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+                      0x01,
+                0x05, 0x00,
+          0x03, 0x0b,
+                0x00, 0x30, 0x08,
+                            0x02, 0x01,
+                                  0x03,
+                            0x02, 0x03,
+                                  0x01, 0x00, 0x01
+};
+static byte minSigAlg[] = {
+    0x30, 0x0d,
+          0x06, 0x09,
+                0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+                0x0b,
+          0x05, 0x00
+};
+static byte minSig[] = {
+    0x03, 0x01,
+          0x00
+};
 
-    bytes = fread(tmp, 1, FOURK_BUF, file);
-    fclose(file);
-#endif /* USE_CERT_BUFFERS */
+static int add_seq(byte* certData, int offset, byte* data, byte length)
+{
+    XMEMMOVE(certData + offset + 2, data, length);
+    certData[offset++] = 0x30;
+    certData[offset++] = length;
+    return offset + length;
+}
+static int add_data(byte* certData, int offset, byte* data, byte length)
+{
+    XMEMCPY(certData + offset, data, length);
+    return offset + length;
+}
 
-#ifdef HAVE_CAVIUM
-    wc_RsaInitCavium(&key, CAVIUM_DEV_ID);
-#endif
-    ret = wc_InitRsaKey(&key, 0);
+static int cert_asn1_test(void)
+{
+    int ret;
+    int len[3];
+    DecodedCert cert;
+    byte certData[106];
+    byte* badCert = NULL;
+
+    len[2] = add_data(certData, 0, minSerial, (byte)sizeof(minSerial));
+    len[2] = add_data(certData, len[2], minSigAlg, (byte)sizeof(minSigAlg));
+    len[2] = add_data(certData, len[2], minName, (byte)sizeof(minName));
+    len[2] = add_data(certData, len[2], minDates, (byte)sizeof(minDates));
+    len[2] = add_data(certData, len[2], minName, (byte)sizeof(minName));
+    len[2] = add_data(certData, len[2], minPubKey, (byte)sizeof(minPubKey));
+    len[1] = add_seq(certData, 0, certData, len[2]);
+    len[1] = add_data(certData, len[1], minSigAlg, (byte)sizeof(minSigAlg));
+    len[1] = add_data(certData, len[1], minSig, (byte)sizeof(minSig));
+    len[0] = add_seq(certData, 0, certData, len[1]);
+
+    /* Minimal good certificate */
+    InitDecodedCert(&cert, certData, len[0], 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+    FreeDecodedCert(&cert);
     if (ret != 0) {
-        free(tmp);
-        return -39;
+        ERROR_OUT(-7100, done);
     }
-    ret = wc_RsaPrivateKeyDecode(tmp, &idx, &key, (word32)bytes);
-    if (ret != 0) {
-        free(tmp);
-        return -41;
+
+    /* Bad issuer name */
+    len[2] = add_data(certData, 0, minSerial, (byte)sizeof(minSerial));
+    len[2] = add_data(certData, len[2], minSigAlg, (byte)sizeof(minSigAlg));
+    len[2] = add_data(certData, len[2], nameBad, (byte)sizeof(nameBad));
+    len[1] = add_seq(certData, 0, certData, len[2]);
+    len[0] = add_seq(certData, 0, certData, len[1]);
+    /* Put data into allocated buffer to allow access error checking. */
+    badCert = (byte*)XMALLOC(len[0], HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XMEMCPY(badCert, certData, len[0]);
+    InitDecodedCert(&cert, badCert, len[0], 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+    FreeDecodedCert(&cert);
+    if (ret != ASN_PARSE_E) {
+        ERROR_OUT(-7101, done);
     }
-    ret = wc_InitRng(&rng);
-    if (ret != 0) {
-        free(tmp);
-        return -42;
+    XFREE(badCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    badCert = NULL;
+    ret = 0;
+
+done:
+    if (badCert != NULL)
+        XFREE(badCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    return ret;
+}
+
+int cert_test(void)
+{
+#if !defined(NO_FILESYSTEM)
+    DecodedCert cert;
+    byte*       tmp;
+    size_t      bytes;
+    XFILE       file;
+    int         ret;
+
+    tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL)
+        return -7200;
+
+    /* Certificate with Name Constraints extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-nc.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-nc.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7201, done);
     }
-    ret = wc_RsaPublicEncrypt(in, inLen, out, sizeof(out), &key, &rng);
-    if (ret < 0) {
-        free(tmp);
-        return -43;
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-7202, done);
     }
-    ret = wc_RsaPrivateDecrypt(out, ret, plain, sizeof(plain), &key);
-    if (ret < 0) {
-        free(tmp);
-        return -44;
+    FreeDecodedCert(&cert);
+
+    /* Certificate with Inhibit Any Policy extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-ia.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-ia.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7203, done);
     }
-    if (memcmp(plain, in, inLen)) {
-        free(tmp);
-        return -45;
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-7204, done);
     }
-    ret = wc_RsaSSL_Sign(in, inLen, out, sizeof(out), &key, &rng);
-    if (ret < 0) {
-        free(tmp);
-        return -46;
+    FreeDecodedCert(&cert);
+
+    /* Certificate with Netscape Certificate Type extension. */
+#ifdef FREESCALE_MQX
+    file = XFOPEN(".\\certs\\test\\cert-ext-nct.der", "rb");
+#else
+    file = XFOPEN("./certs/test/cert-ext-nct.der", "rb");
+#endif
+    if (!file) {
+        ERROR_OUT(-7203, done);
     }
-    memset(plain, 0, sizeof(plain));
-    ret = wc_RsaSSL_Verify(out, ret, plain, sizeof(plain), &key);
-    if (ret < 0) {
-        free(tmp);
-        return -47;
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL);
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    if (ret != 0) {
+        ERROR_OUT(-7204, done);
     }
-    if (memcmp(plain, in, ret)) {
-        free(tmp);
-        return -48;
+#else
+    if (ret != ASN_CRIT_EXT_E) {
+        ERROR_OUT(-7205, done);
     }
-#if defined(WOLFSSL_MDK_ARM)
-    #define sizeof(s) strlen((char *)(s))
+    ret = 0;
 #endif
 
-#ifdef USE_CERT_BUFFERS_1024
-    XMEMCPY(tmp, client_cert_der_1024, sizeof_client_cert_der_1024);
-    bytes = sizeof_client_cert_der_1024;
-#elif defined(USE_CERT_BUFFERS_2048)
-    XMEMCPY(tmp, client_cert_der_2048, sizeof_client_cert_der_2048);
-    bytes = sizeof_client_cert_der_2048;
+done:
+    FreeDecodedCert(&cert);
+    XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif /* !NO_FILESYSTEM */
+
+    if (ret == 0)
+        ret = cert_asn1_test();
+
+    return ret;
+}
+#endif /* WOLFSSL_TEST_CERT */
+
+#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_TEST_CERT) && \
+   !defined(NO_FILESYSTEM)
+int certext_test(void)
+{
+    DecodedCert cert;
+    byte*       tmp;
+    size_t      bytes;
+    XFILE       file;
+    int         ret;
+
+    /* created from rsa_test : othercert.der */
+    byte skid_rsa[]   = "\x33\xD8\x45\x66\xD7\x68\x87\x18\x7E\x54"
+                        "\x0D\x70\x27\x91\xC7\x26\xD7\x85\x65\xC0";
+
+    /* created from rsa_test : othercert.der */
+    byte akid_rsa[] = "\x27\x8E\x67\x11\x74\xC3\x26\x1D\x3F\xED"
+                      "\x33\x63\xB3\xA4\xD8\x1D\x30\xE5\xE8\xD5";
+
+#ifdef HAVE_ECC
+   /* created from ecc_test_cert_gen : certecc.der */
+#ifdef ENABLE_ECC384_CERT_GEN_TEST
+    /* Authority key id from ./certs/ca-ecc384-cert.pem */
+    byte akid_ecc[] = "\xAB\xE0\xC3\x26\x4C\x18\xD4\x72\xBB\xD2"
+                      "\x84\x8C\x9C\x0A\x05\x92\x80\x12\x53\x52";
 #else
-    file2 = fopen(clientCert, "rb");
-    if (!file2) {
-        free(tmp);
-        return -49;
+    /* Authority key id from ./certs/ca-ecc-cert.pem */
+    byte akid_ecc[] = "\x56\x8E\x9A\xC3\xF0\x42\xDE\x18\xB9\x45"
+                      "\x55\x6E\xF9\x93\xCF\xEA\xC3\xF3\xA5\x21";
+#endif
+#endif /* HAVE_ECC */
+
+    /* created from rsa_test : cert.der */
+    byte kid_ca[] = "\x33\xD8\x45\x66\xD7\x68\x87\x18\x7E\x54"
+                    "\x0D\x70\x27\x91\xC7\x26\xD7\x85\x65\xC0";
+
+    tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL)
+        return -7300;
+
+    /* load othercert.der (Cert signed by an authority) */
+    file = XFOPEN(otherCertDerFile, "rb");
+    if (!file) {
+        XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        return -7301;
     }
 
-    bytes = fread(tmp, 1, FOURK_BUF, file2);
-    fclose(file2);
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0)
+        return -7302;
+
+    /* check the SKID from a RSA certificate */
+    if (XMEMCMP(skid_rsa, cert.extSubjKeyId, sizeof(cert.extSubjKeyId)))
+        return -7303;
+
+    /* check the AKID from an RSA certificate */
+    if (XMEMCMP(akid_rsa, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
+        return -7304;
+
+    /* check the Key Usage from an RSA certificate */
+    if (!cert.extKeyUsageSet)
+        return -7305;
+
+    if (cert.extKeyUsage != (KEYUSE_KEY_ENCIPHER|KEYUSE_KEY_AGREE))
+        return -7306;
+
+    /* check the CA Basic Constraints from an RSA certificate */
+    if (cert.isCA)
+        return -7307;
+
+#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
+    /* check the Certificate Policies Id */
+    if (cert.extCertPoliciesNb != 1)
+        return -7308;
+
+    if (strncmp(cert.extCertPolicies[0], "2.16.840.1.101.3.4.1.42", 23))
+        return -7309;
 #endif
 
-#ifdef sizeof
-		#undef sizeof
+    FreeDecodedCert(&cert);
+
+#ifdef HAVE_ECC
+    /* load certecc.der (Cert signed by our ECC CA test in ecc_test_cert_gen) */
+    file = XFOPEN(certEccDerFile, "rb");
+    if (!file) {
+        XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        return -7310;
+    }
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0)
+        return -7311;
+
+    /* check the SKID from a ECC certificate - generated dynamically */
+
+    /* check the AKID from an ECC certificate */
+    if (XMEMCMP(akid_ecc, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
+        return -7312;
+
+    /* check the Key Usage from an ECC certificate */
+    if (!cert.extKeyUsageSet)
+        return -7313;
+
+    if (cert.extKeyUsage != (KEYUSE_DIGITAL_SIG|KEYUSE_CONTENT_COMMIT))
+        return -7314;
+
+    /* check the CA Basic Constraints from an ECC certificate */
+    if (cert.isCA)
+        return -7315;
+
+#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
+    /* check the Certificate Policies Id */
+    if (cert.extCertPoliciesNb != 2)
+        return -7316;
+
+    if (strncmp(cert.extCertPolicies[0], "2.4.589440.587.101.2.1.9632587.1", 32))
+        return -7317;
+
+    if (strncmp(cert.extCertPolicies[1], "1.2.13025.489.1.113549", 22))
+        return -7318;
 #endif
 
-#ifdef WOLFSSL_TEST_CERT
+    FreeDecodedCert(&cert);
+#endif /* HAVE_ECC */
+
+    /* load cert.der (self signed certificate) */
+    file = XFOPEN(certDerFile, "rb");
+    if (!file) {
+        XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        return -7319;
+    }
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+
     InitDecodedCert(&cert, tmp, (word32)bytes, 0);
 
     ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
-    if (ret != 0) return -491;
+    if (ret != 0)
+        return -7320;
+
+    /* check the SKID from a CA certificate */
+    if (XMEMCMP(kid_ca, cert.extSubjKeyId, sizeof(cert.extSubjKeyId)))
+        return -7321;
+
+    /* check the AKID from an CA certificate */
+    if (XMEMCMP(kid_ca, cert.extAuthKeyId, sizeof(cert.extAuthKeyId)))
+        return -7322;
+
+    /* check the Key Usage from CA certificate */
+    if (!cert.extKeyUsageSet)
+        return -7323;
+
+    if (cert.extKeyUsage != (KEYUSE_KEY_CERT_SIGN|KEYUSE_CRL_SIGN))
+        return -7324;
+
+    /* check the CA Basic Constraints CA certificate */
+    if (!cert.isCA)
+        return -7325;
+
+#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
+    /* check the Certificate Policies Id */
+    if (cert.extCertPoliciesNb != 2)
+        return -7326;
+
+    if (strncmp(cert.extCertPolicies[0], "2.16.840.1.101.3.4.1.42", 23))
+        return -7327;
+
+    if (strncmp(cert.extCertPolicies[1], "1.2.840.113549.1.9.16.6.5", 25))
+        return -7328;
+#endif
 
     FreeDecodedCert(&cert);
+    XFREE(tmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+
+    return 0;
+}
+#endif /* WOLFSSL_CERT_EXT && WOLFSSL_TEST_CERT */
+
+#if defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)
+int decodedCertCache_test(void)
+{
+    int ret = 0;
+    Cert cert;
+    FILE* file;
+    byte* der;
+    word32 derSz;
+
+    derSz = FOURK_BUF;
+    der = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL)
+        ret = -7400;
+
+    if (ret == 0) {
+        /* load cert.der */
+        file = XFOPEN(certDerFile, "rb");
+        if (file != NULL) {
+            derSz = XFREAD(der, 1, FOURK_BUF, file);
+            XFCLOSE(file);
+        }
+        else
+            ret = -7401;
+    }
+
+    if (ret == 0) {
+        if (wc_InitCert(&cert)) {
+            ret = -7402;
+        }
+    }
+
+    if (ret == 0) {
+        ret = wc_SetSubjectBuffer(&cert, der, derSz);
+    }
+
+    if (ret == 0) {
+        if(wc_SetSubjectBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7403;
+    }
+
+    if (ret == 0) {
+        if (wc_SetSubjectRaw(&cert, der, derSz) != 0)
+            ret = -7404;
+    }
+
+    if (ret == 0) {
+        if(wc_SetSubjectRaw(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7405;
+    }
+
+    if (ret == 0) {
+        if(wc_SetIssuerBuffer(&cert, der, derSz) != 0)
+            ret = -7406;
+    }
+
+    if (ret == 0) {
+        if(wc_SetIssuerBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7407;
+    }
+
+    if (ret == 0) {
+        if(wc_SetIssuerRaw(&cert, der, derSz) != 0)
+            ret = -7408;
+    }
+
+    if (ret == 0) {
+        if(wc_SetIssuerRaw(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7409;
+    }
+
+#ifdef WOLFSSL_ALT_NAMES
+    if (ret == 0) {
+        if(wc_SetAltNamesBuffer(&cert, der, derSz) != 0)
+            ret = -7410;
+    }
+
+    if (ret == 0) {
+        if(wc_SetAltNamesBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7411;
+    }
+
+    if (ret == 0) {
+        if(wc_SetDatesBuffer(&cert, der, derSz) != 0)
+            ret = -7412;
+    }
+
+    if (ret == 0) {
+        if(wc_SetDatesBuffer(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7413;
+    }
+#endif
+
+    if (ret == 0) {
+        if(wc_SetAuthKeyIdFromCert(&cert, der, derSz) != 0)
+            ret = -7414;
+    }
+
+    if (ret == 0) {
+        if(wc_SetAuthKeyIdFromCert(NULL, der, derSz) != BAD_FUNC_ARG)
+            ret = -7415;
+    }
+
+    wc_SetCert_Free(&cert);
+    if (ret == 0) {
+        if(cert.decodedCert != NULL)
+            ret = -7416;
+    }
+
+    XFREE(der, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif /* defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) &&
+          defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) */
+
+#define RSA_TEST_BYTES 512 /* up to 4096-bit key */
+
+#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+static int rsa_flatten_test(RsaKey* key)
+{
+    int    ret;
+    byte   e[RSA_TEST_BYTES];
+    byte   n[RSA_TEST_BYTES];
+    word32 eSz = sizeof(e);
+    word32 nSz = sizeof(n);
+
+    /* Parameter Validation testing. */
+    ret = wc_RsaFlattenPublicKey(NULL, e, &eSz, n, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
 #else
-    (void)bytes;
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -7417;
+    ret = wc_RsaFlattenPublicKey(key, NULL, &eSz, n, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -7418;
+    ret = wc_RsaFlattenPublicKey(key, e, NULL, n, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#else
+    if (ret != BAD_FUNC_ARG)
 #endif
+        return -7419;
+    ret = wc_RsaFlattenPublicKey(key, e, &eSz, NULL, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -7420;
+    ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, NULL);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#else
+    if (ret != BAD_FUNC_ARG)
+#endif
+        return -7421;
+    ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
+    if (ret != 0)
+        return -7422;
+    eSz = 0;
+    ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#elif defined(HAVE_FIPS) && \
+      (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
+    if (ret != 0)
+#else
+    if (ret != RSA_BUFFER_E)
+#endif
+        return -7423;
+    eSz = sizeof(e);
+    nSz = 0;
+    ret = wc_RsaFlattenPublicKey(key, e, &eSz, n, &nSz);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#else
+    if (ret != RSA_BUFFER_E)
+#endif
+        return -7424;
 
+    return 0;
+}
+#endif /* NO_ASN */
 
-#ifdef WOLFSSL_KEY_GEN
-    {
-        byte*  der;
-        byte*  pem;
-        int    derSz = 0;
-        int    pemSz = 0;
-        RsaKey derIn;
-        RsaKey genKey;
-        FILE*  keyFile;
-        FILE*  pemFile;
+#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(NO_ASN) \
+    && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+static int rsa_export_key_test(RsaKey* key)
+{
+    int ret;
+    byte e[3];
+    word32 eSz = sizeof(e);
+    byte n[RSA_TEST_BYTES];
+    word32 nSz = sizeof(n);
+    byte d[RSA_TEST_BYTES];
+    word32 dSz = sizeof(d);
+    byte p[RSA_TEST_BYTES/2];
+    word32 pSz = sizeof(p);
+    byte q[RSA_TEST_BYTES/2];
+    word32 qSz = sizeof(q);
+    word32 zero = 0;
+
+    ret = wc_RsaExportKey(NULL, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7425;
+    ret = wc_RsaExportKey(key, NULL, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7426;
+    ret = wc_RsaExportKey(key, e, NULL, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7427;
+    ret = wc_RsaExportKey(key, e, &eSz, NULL, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7428;
+    ret = wc_RsaExportKey(key, e, &eSz, n, NULL, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7429;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, NULL, &dSz, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7430;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, NULL, p, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7431;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, NULL, &pSz, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7432;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, NULL, q, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7433;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, NULL, &qSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7434;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -7435;
+
+    ret = wc_RsaExportKey(key, e, &zero, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != RSA_BUFFER_E)
+        return -7436;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &zero, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != RSA_BUFFER_E)
+        return -7437;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &zero, p, &pSz, q, &qSz);
+    if (ret != RSA_BUFFER_E)
+        return -7438;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &zero, q, &qSz);
+    if (ret != RSA_BUFFER_E)
+        return -7439;
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &zero);
+    if (ret != RSA_BUFFER_E)
+        return -7440;
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+    ret = wc_RsaExportKey(key, e, &eSz, n, &nSz, d, &dSz, p, &pSz, q, &qSz);
+    if (ret != 0)
+        return -7441;
 
-        ret = wc_InitRsaKey(&genKey, 0);
-        if (ret != 0)
-            return -300;
-        ret = wc_MakeRsaKey(&genKey, 1024, 65537, &rng);
-        if (ret != 0)
-            return -301;
+    return 0;
+}
+#endif /* !HAVE_FIPS && !USER_RSA && !NO_ASN */
 
-        der = (byte*)malloc(FOURK_BUF);
-        if (der == NULL) {
-            wc_FreeRsaKey(&genKey);
-            return -307;
+#ifndef NO_SIG_WRAPPER
+static int rsa_sig_test(RsaKey* key, word32 keyLen, int modLen, WC_RNG* rng)
+{
+    int ret;
+    word32 sigSz;
+    const byte in[] = "Everyone gets Friday off.";
+    const byte hash[] = {
+        0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
+        0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
+        0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
+        0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
+    };
+    const byte hashEnc[] = {
+        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+        0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+        0x00, 0x04, 0x20,
+
+        0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
+        0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
+        0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
+        0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
+    };
+    word32 inLen = (word32)XSTRLEN((char*)in);
+    byte   out[RSA_TEST_BYTES];
+
+    /* Parameter Validation testing. */
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_NONE, key, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7442;
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, 0);
+    if (ret != BAD_FUNC_ARG)
+        return -7443;
+
+    sigSz = (word32)modLen;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL,
+                               inLen, out, &sigSz, key, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7444;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               0, out, &sigSz, key, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7445;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, NULL, &sigSz, key, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7446;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, NULL, key, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7447;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, &sigSz, NULL, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7448;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, &sigSz, key, 0, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7449;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, &sigSz, key, keyLen, NULL);
+#ifdef HAVE_USER_RSA
+    /* Implementation using IPP Libraries returns:
+     *     -101 = USER_CRYPTO_ERROR
+     */
+    if (ret == 0)
+#elif defined(WOLFSSL_AFALG_XILINX_RSA)
+    /* blinding / rng handled with hardware acceleration */
+    if (ret != 0)
+#elif defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+    /* async may not require RNG */
+    if (ret != 0 && ret != MISSING_RNG_E)
+#elif defined(HAVE_FIPS) || defined(WOLFSSL_ASYNC_CRYPT) || \
+     !defined(WC_RSA_BLINDING)
+    /* FIPS140 implementation does not do blinding */
+    if (ret != 0)
+#elif defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    if (ret != SIG_TYPE_E)
+#elif defined(WOLFSSL_CRYPTOCELL)
+    /* RNG is handled with the cryptocell */
+    if (ret != 0)
+#else
+    if (ret != MISSING_RNG_E)
+#endif
+        return -7450;
+    sigSz = 0;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, &sigSz, key, keyLen, rng);
+    if (ret != BAD_FUNC_ARG)
+        return -7451;
+
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, NULL,
+                             inLen, out, (word32)modLen, key, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7452;
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             0, out, (word32)modLen, key, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7453;
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, NULL, (word32)modLen, key, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7454;
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, out, 0, key, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7455;
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, out, (word32)modLen, NULL, keyLen);
+    if (ret != BAD_FUNC_ARG)
+        return -7456;
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, out, (word32)modLen, key, 0);
+    if (ret != BAD_FUNC_ARG)
+        return -7457;
+
+#ifndef HAVE_ECC
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, keyLen);
+    if (ret != SIG_TYPE_E)
+        return -7458;
+#endif
+
+    /* Use APIs. */
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA, key, keyLen);
+    if (ret != modLen)
+        return -7459;
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_RSA_W_ENC, key, keyLen);
+    if (ret != modLen)
+        return -7460;
+
+    sigSz = (word32)ret;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    XMEMSET(out, 0, sizeof(out));
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                               inLen, out, &sigSz, key, keyLen, rng);
+    if (ret != 0)
+        return -7461;
+
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, out, (word32)modLen, key, keyLen);
+    if (ret != 0)
+        return -7462;
+
+    sigSz = (word32)sizeof(out);
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
+                               in, inLen, out, &sigSz, key, keyLen, rng);
+    if (ret != 0)
+        return -7463;
+
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
+                             in, inLen, out, (word32)modLen, key, keyLen);
+    if (ret != 0)
+        return -7464;
+
+    /* Wrong signature type. */
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, in,
+                             inLen, out, (word32)modLen, key, keyLen);
+    if (ret == 0)
+        return -7465;
+
+    /* check hash functions */
+    sigSz = (word32)sizeof(out);
+    ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA,
+        hash, (int)sizeof(hash), out, &sigSz, key, keyLen, rng);
+    if (ret != 0)
+        return -7466;
+
+    ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA,
+        hash, (int)sizeof(hash), out, (word32)modLen, key, keyLen);
+    if (ret != 0)
+        return -7467;
+
+    sigSz = (word32)sizeof(out);
+    ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
+        hashEnc, (int)sizeof(hashEnc), out, &sigSz, key, keyLen, rng);
+    if (ret != 0)
+        return -7468;
+
+    ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA_W_ENC,
+        hashEnc, (int)sizeof(hashEnc), out, (word32)modLen, key, keyLen);
+    if (ret != 0)
+        return -7469;
+#else
+    (void)hash;
+    (void)hashEnc;
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+    return 0;
+}
+#endif /* !NO_SIG_WRAPPER */
+
+#ifdef WC_RSA_NONBLOCK
+static int rsa_nb_test(RsaKey* key, const byte* in, word32 inLen, byte* out,
+    word32 outSz, byte* plain, word32 plainSz, WC_RNG* rng)
+{
+    int ret = 0, count;
+    int signSz = 0;
+    RsaNb nb;
+    byte* inlinePlain = NULL;
+
+    /* Enable non-blocking RSA mode - provide context */
+    ret = wc_RsaSetNonBlock(key, &nb);
+    if (ret != 0)
+        return ret;
+
+#ifdef WC_RSA_NONBLOCK_TIME
+    /* Enable time based RSA blocking. 8 microseconds max (3.1GHz) */
+    ret = wc_RsaSetNonBlockTime(key, 8, 3100);
+    if (ret != 0)
+        return ret;
+#endif
+
+    count = 0;
+    do {
+        ret = wc_RsaSSL_Sign(in, inLen, out, outSz, key, rng);
+        count++; /* track number of would blocks */
+        if (ret == FP_WOULDBLOCK) {
+            /* do "other" work here */
         }
-        pem = (byte*)malloc(FOURK_BUF);
-        if (pem == NULL) {
-            free(der);
-            wc_FreeRsaKey(&genKey);
-            return -308;
+    } while (ret == FP_WOULDBLOCK);
+    if (ret < 0) {
+        return ret;
+    }
+#ifdef DEBUG_WOLFSSL
+    printf("RSA non-block sign: %d times\n", count);
+#endif
+    signSz = ret;
+
+    /* Test non-blocking verify */
+    XMEMSET(plain, 0, plainSz);
+    count = 0;
+    do {
+        ret = wc_RsaSSL_Verify(out, (word32)signSz, plain, plainSz, key);
+        count++; /* track number of would blocks */
+        if (ret == FP_WOULDBLOCK) {
+            /* do "other" work here */
         }
+    } while (ret == FP_WOULDBLOCK);
+    if (ret < 0) {
+        return ret;
+    }
+#ifdef DEBUG_WOLFSSL
+    printf("RSA non-block verify: %d times\n", count);
+#endif
 
-        derSz = wc_RsaKeyToDer(&genKey, der, FOURK_BUF);
-        if (derSz < 0) {
-            free(der);
-            free(pem);
-            return -302;
+    if (signSz == ret && XMEMCMP(plain, in, (size_t)ret)) {
+        return SIG_VERIFY_E;
+    }
+
+    /* Test inline non-blocking verify */
+    count = 0;
+    do {
+        ret = wc_RsaSSL_VerifyInline(out, (word32)signSz, &inlinePlain, key);
+        count++; /* track number of would blocks */
+        if (ret == FP_WOULDBLOCK) {
+            /* do "other" work here */
         }
+    } while (ret == FP_WOULDBLOCK);
+    if (ret < 0) {
+        return ret;
+    }
+#ifdef DEBUG_WOLFSSL
+    printf("RSA non-block inline verify: %d times\n", count);
+#endif
 
-#ifdef FREESCALE_MQX
-        keyFile = fopen("a:\\certs\\key.der", "wb");
+    if (signSz == ret && XMEMCMP(inlinePlain, in, (size_t)ret)) {
+        return SIG_VERIFY_E;
+    }
+
+    /* Disabling non-block RSA mode */
+    ret = wc_RsaSetNonBlock(key, NULL);
+
+    (void)count;
+
+    return 0;
+}
+#endif
+
+#if !defined(HAVE_USER_RSA) && !defined(NO_ASN)
+static int rsa_decode_test(RsaKey* keyPub)
+{
+    int        ret;
+    word32     inSz;
+    word32     inOutIdx;
+    static const byte n[2] = { 0x00, 0x23 };
+    static const byte e[2] = { 0x00, 0x03 };
+    static const byte good[] = { 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1,
+           0x03 };
+    static const byte goodAlgId[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00,
+            0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+    static const byte goodAlgIdNull[] = { 0x30, 0x11, 0x30, 0x0f, 0x06, 0x00,
+            0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23,
+            0x02, 0x1, 0x03 };
+    static const byte badAlgIdNull[] = { 0x30, 0x12, 0x30, 0x10, 0x06, 0x00,
+            0x05, 0x01, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23,
+            0x02, 0x1, 0x03 };
+    static const byte badNotBitString[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00,
+            0x04, 0x09, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+    static const byte badBitStringLen[] = { 0x30, 0x0f, 0x30, 0x0d, 0x06, 0x00,
+            0x03, 0x0a, 0x00, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+    static const byte badNoSeq[] = { 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x00, 0x03,
+            0x07, 0x00, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+    static const byte badNoObj[] = {
+            0x30, 0x0f, 0x30, 0x0d, 0x05, 0x00, 0x03, 0x09, 0x00, 0x30, 0x06,
+            0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+    static const byte badIntN[] = { 0x30, 0x06, 0x02, 0x05, 0x23, 0x02, 0x1,
+            0x03 };
+    static const byte badNotIntE[] = { 0x30, 0x06, 0x02, 0x01, 0x23, 0x04, 0x1,
+            0x03 };
+    static const byte badLength[] = { 0x30, 0x04, 0x02, 0x01, 0x23, 0x02, 0x1,
+            0x03 };
+    static const byte badBitStrNoZero[] = { 0x30, 0x0e, 0x30, 0x0c, 0x06, 0x00,
+            0x03, 0x08, 0x30, 0x06, 0x02, 0x01, 0x23, 0x02, 0x1, 0x03 };
+
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7470;
+
+    /* Parameter Validation testing. */
+    ret = wc_RsaPublicKeyDecodeRaw(NULL, sizeof(n), e, sizeof(e), keyPub);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7471;
+        goto done;
+    }
+    ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), NULL, sizeof(e), keyPub);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7472;
+        goto done;
+    }
+    ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), NULL);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7473;
+        goto done;
+    }
+    /* TODO: probably should fail when length is -1! */
+    ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub);
+    if (ret != 0) {
+        ret = -7474;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7475;
+    ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub);
+    if (ret != 0) {
+        ret = -7476;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7477;
+
+    /* Use API. */
+    ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, sizeof(e), keyPub);
+    if (ret != 0) {
+        ret = -7478;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7479;
+
+    /* Parameter Validation testing. */
+    inSz = sizeof(good);
+    ret = wc_RsaPublicKeyDecode(NULL, &inOutIdx, keyPub, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7480;
+        goto done;
+    }
+    ret = wc_RsaPublicKeyDecode(good, NULL, keyPub, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7481;
+        goto done;
+    }
+    ret = wc_RsaPublicKeyDecode(good, &inOutIdx, NULL, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -7482;
+        goto done;
+    }
+
+    /* Use good data and offset to bad data. */
+    inOutIdx = 2;
+    inSz = sizeof(good) - inOutIdx;
+    ret = wc_RsaPublicKeyDecode(good, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -7483;
+        goto done;
+    }
+    inOutIdx = 2;
+    inSz = sizeof(goodAlgId) - inOutIdx;
+    ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -7484;
+        goto done;
+    }
+    inOutIdx = 2;
+    inSz = sizeof(goodAlgId);
+    ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
+#ifndef WOLFSSL_NO_DECODE_EXTRA
+    if (ret != ASN_PARSE_E)
+#else
+    if (ret != ASN_RSA_KEY_E)
+#endif
+    {
+        ret = -7485;
+        goto done;
+    }
+    /* Try different bad data. */
+    inSz = sizeof(badAlgIdNull);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badAlgIdNull, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_EXPECT_0_E) {
+        ret = -7486;
+        goto done;
+    }
+    inSz = sizeof(badNotBitString);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badNotBitString, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_BITSTR_E) {
+        ret = -7487;
+        goto done;
+    }
+    inSz = sizeof(badBitStringLen);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badBitStringLen, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -7488;
+        goto done;
+    }
+    inSz = sizeof(badNoSeq);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badNoSeq, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -7489;
+        goto done;
+    }
+    inSz = sizeof(badNoObj);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badNoObj, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -7490;
+        goto done;
+    }
+    inSz = sizeof(badIntN);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badIntN, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_RSA_KEY_E) {
+        ret = -7491;
+        goto done;
+    }
+    inSz = sizeof(badNotIntE);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badNotIntE, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_RSA_KEY_E) {
+        ret = -7492;
+        goto done;
+    }
+    /* TODO: Shouldn't pass as the sequence length is too small. */
+    inSz = sizeof(badLength);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badLength, &inOutIdx, keyPub, inSz);
+    if (ret != 0) {
+        ret = -7493;
+        goto done;
+    }
+    /* TODO: Shouldn't ignore object id's data. */
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7494;
+
+    inSz = sizeof(badBitStrNoZero);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(badBitStrNoZero, &inOutIdx, keyPub, inSz);
+    if (ret != ASN_EXPECT_0_E) {
+        ret = -7495;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7496;
+
+    /* Valid data cases. */
+    inSz = sizeof(good);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(good, &inOutIdx, keyPub, inSz);
+    if (ret != 0) {
+        ret = -7497;
+        goto done;
+    }
+    if (inOutIdx != inSz) {
+        ret = -7498;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7499;
+
+    inSz = sizeof(goodAlgId);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(goodAlgId, &inOutIdx, keyPub, inSz);
+    if (ret != 0) {
+        ret = -7500;
+        goto done;
+    }
+    if (inOutIdx != inSz) {
+        ret = -7501;
+        goto done;
+    }
+    wc_FreeRsaKey(keyPub);
+    ret = wc_InitRsaKey(keyPub, NULL);
+    if (ret != 0)
+        return -7502;
+
+    inSz = sizeof(goodAlgIdNull);
+    inOutIdx = 0;
+    ret = wc_RsaPublicKeyDecode(goodAlgIdNull, &inOutIdx, keyPub, inSz);
+    if (ret != 0) {
+        ret = -7503;
+        goto done;
+    }
+    if (inOutIdx != inSz) {
+        ret = -7504;
+        goto done;
+    }
+
+done:
+    wc_FreeRsaKey(keyPub);
+    return ret;
+}
+#endif
+
+#ifdef WC_RSA_PSS
+static int rsa_pss_test(WC_RNG* rng, RsaKey* key)
+{
+    byte             digest[WC_MAX_DIGEST_SIZE];
+    int              ret     = 0;
+    const char*      inStr   = "Everyone gets Friday off.";
+    word32           inLen   = (word32)XSTRLEN((char*)inStr);
+    word32           outSz;
+    word32           plainSz;
+    word32           digestSz;
+    int              i, j;
+#ifdef RSA_PSS_TEST_WRONG_PARAMS
+    int              k, l;
+#endif
+    int              len;
+    byte*            plain;
+    int              mgf[]   = {
+#ifndef NO_SHA
+                                 WC_MGF1SHA1,
+#endif
+#ifdef WOLFSSL_SHA224
+                                 WC_MGF1SHA224,
+#endif
+                                 WC_MGF1SHA256,
+#ifdef WOLFSSL_SHA384
+                                 WC_MGF1SHA384,
+#endif
+#ifdef WOLFSSL_SHA512
+                                 WC_MGF1SHA512
+#endif
+                               };
+    enum wc_HashType hash[]  = {
+#ifndef NO_SHA
+                                 WC_HASH_TYPE_SHA,
+#endif
+#ifdef WOLFSSL_SHA224
+                                 WC_HASH_TYPE_SHA224,
+#endif
+                                 WC_HASH_TYPE_SHA256,
+#ifdef WOLFSSL_SHA384
+                                 WC_HASH_TYPE_SHA384,
+#endif
+#ifdef WOLFSSL_SHA512
+                                 WC_HASH_TYPE_SHA512,
+#endif
+                               };
+
+    DECLARE_VAR_INIT(in, byte, inLen, inStr, HEAP_HINT);
+    DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    DECLARE_VAR(sig, byte, RSA_TEST_BYTES, HEAP_HINT);
+
+    /* Test all combinations of hash and MGF. */
+    for (j = 0; j < (int)(sizeof(hash)/sizeof(*hash)); j++) {
+        /* Calculate hash of message. */
+        ret = wc_Hash(hash[j], in, inLen, digest, sizeof(digest));
+        if (ret != 0)
+            ERROR_OUT(-7505, exit_rsa_pss);
+        digestSz = wc_HashGetDigestSize(hash[j]);
+
+        for (i = 0; i < (int)(sizeof(mgf)/sizeof(*mgf)); i++) {
+            outSz = RSA_TEST_BYTES;
+            do {
+            #if defined(WOLFSSL_ASYNC_CRYPT)
+                ret = wc_AsyncWait(ret, &key->asyncDev,
+                    WC_ASYNC_FLAG_CALL_AGAIN);
+            #endif
+                if (ret >= 0) {
+                    ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz,
+                        hash[j], mgf[i], -1, key, rng);
+                }
+            } while (ret == WC_PENDING_E);
+            if (ret <= 0)
+                ERROR_OUT(-7506, exit_rsa_pss);
+            outSz = ret;
+
+            XMEMCPY(sig, out, outSz);
+            plain = NULL;
+            TEST_SLEEP();
+
+            do {
+            #if defined(WOLFSSL_ASYNC_CRYPT)
+                ret = wc_AsyncWait(ret, &key->asyncDev,
+                    WC_ASYNC_FLAG_CALL_AGAIN);
+            #endif
+                if (ret >= 0) {
+                    ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[j],
+                        mgf[i], -1, key);
+                }
+            } while (ret == WC_PENDING_E);
+            if (ret <= 0)
+                ERROR_OUT(-7507, exit_rsa_pss);
+            plainSz = ret;
+            TEST_SLEEP();
+
+#ifdef HAVE_SELFTEST
+            ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
+                                         hash[j], -1);
+#else
+            ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz,
+                                         hash[j], -1, wc_RsaEncryptSize(key)*8);
+#endif
+            if (ret != 0)
+                ERROR_OUT(-7508, exit_rsa_pss);
+
+#ifdef RSA_PSS_TEST_WRONG_PARAMS
+            for (k = 0; k < (int)(sizeof(mgf)/sizeof(*mgf)); k++) {
+                for (l = 0; l < (int)(sizeof(hash)/sizeof(*hash)); l++) {
+                    if (i == k && j == l)
+                        continue;
+
+                    XMEMCPY(sig, out, outSz);
+
+                    do {
+                    #if defined(WOLFSSL_ASYNC_CRYPT)
+                        ret = wc_AsyncWait(ret, &key->asyncDev,
+                            WC_ASYNC_FLAG_CALL_AGAIN);
+                    #endif
+                        if (ret >= 0) {
+                            ret = wc_RsaPSS_VerifyInline_ex(sig, outSz,
+                                (byte**)&plain, hash[l], mgf[k], -1, key);
+                        }
+                    } while (ret == WC_PENDING_E);
+                    if (ret >= 0)
+                        ERROR_OUT(-7509, exit_rsa_pss);
+                }
+            }
+#endif
+        }
+    }
+
+    /* Test that a salt length of zero works. */
+    digestSz = wc_HashGetDigestSize(hash[0]);
+    outSz = RSA_TEST_BYTES;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
+                mgf[0], 0, key, rng);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret <= 0)
+        ERROR_OUT(-7510, exit_rsa_pss);
+    outSz = ret;
+    TEST_SLEEP();
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_Verify_ex(out, outSz, sig, outSz, hash[0], mgf[0],
+                0, key);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret <= 0)
+        ERROR_OUT(-7511, exit_rsa_pss);
+    plainSz = ret;
+    TEST_SLEEP();
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+#ifdef HAVE_SELFTEST
+            ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz,
+                hash[0], 0);
 #else
-        keyFile = fopen("./key.der", "wb");
+            ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, sig, plainSz,
+                hash[0], 0, 0);
 #endif
-        if (!keyFile) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -303;
         }
-        ret = (int)fwrite(der, 1, derSz, keyFile);
-        fclose(keyFile);
-        if (ret != derSz) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -313;
+    } while (ret == WC_PENDING_E);
+    if (ret != 0)
+        ERROR_OUT(-7512, exit_rsa_pss);
+
+    XMEMCPY(sig, out, outSz);
+    plain = NULL;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0], mgf[0],
+                0, key);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret <= 0)
+        ERROR_OUT(-7513, exit_rsa_pss);
+    plainSz = ret;
+    TEST_SLEEP();
+
+#ifdef HAVE_SELFTEST
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    0);
+#else
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    0, 0);
+#endif
+    if (ret != 0)
+        ERROR_OUT(-7514, exit_rsa_pss);
 
-        pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE);
-        if (pemSz < 0) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -304;
+    /* Test bad salt lengths in various APIs. */
+    digestSz = wc_HashGetDigestSize(hash[0]);
+    outSz = RSA_TEST_BYTES;
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    len = -2;
+#else
+    len = -3;
+#endif
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
+                mgf[0], len, key, rng);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7515, exit_rsa_pss);
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_Sign_ex(digest, digestSz, out, outSz, hash[0],
+                mgf[0], digestSz + 1, key, rng);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7516, exit_rsa_pss);
+    TEST_SLEEP();
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0],
+                mgf[0], -2, key);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7517, exit_rsa_pss);
+    TEST_SLEEP();
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev,
+            WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPSS_VerifyInline_ex(sig, outSz, &plain, hash[0], mgf[0],
+                digestSz + 1, key);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7518, exit_rsa_pss);
+    TEST_SLEEP();
 
-#ifdef FREESCALE_MQX
-        pemFile = fopen("a:\\certs\\key.pem", "wb");
+#ifndef WOLFSSL_PSS_SALT_LEN_DISCOVER
+    len = -2;
 #else
-        pemFile = fopen("./key.pem", "wb");
+    len = -3;
 #endif
-        if (!pemFile) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -305;
+#ifdef HAVE_SELFTEST
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    len);
+#else
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    len, 0);
+#endif
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7519, exit_rsa_pss);
+#ifndef WOLFSSL_PSS_LONG_SALT
+    len = digestSz + 1;
+#else
+    len = plainSz - digestSz - 1;
+#endif
+#ifdef HAVE_SELFTEST
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    len);
+#else
+    ret = wc_RsaPSS_CheckPadding_ex(digest, digestSz, plain, plainSz, hash[0],
+                                    len, 0);
+#endif
+    if (ret != PSS_SALTLEN_E)
+        ERROR_OUT(-7520, exit_rsa_pss);
+
+    ret = 0;
+exit_rsa_pss:
+    FREE_VAR(sig, HEAP_HINT);
+    FREE_VAR(in, HEAP_HINT);
+    FREE_VAR(out, HEAP_HINT);
+
+    return ret;
+}
+#endif
+
+#ifdef WC_RSA_NO_PADDING
+int rsa_no_pad_test(void)
+{
+    WC_RNG rng;
+    RsaKey key;
+    byte*  tmp;
+    size_t bytes;
+    int    ret;
+    word32 inLen   = 0;
+    word32 idx     = 0;
+    word32 outSz   = RSA_TEST_BYTES;
+    word32 plainSz = RSA_TEST_BYTES;
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
+    !defined(NO_FILESYSTEM)
+    XFILE  file;
+#endif
+    DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+
+    /* initialize stack structures */
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(&key, 0, sizeof(key));
+#ifdef USE_CERT_BUFFERS_1024
+    bytes = (size_t)sizeof_client_key_der_1024;
+	if (bytes < (size_t)sizeof_client_cert_der_1024)
+		bytes = (size_t)sizeof_client_cert_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    bytes = (size_t)sizeof_client_key_der_2048;
+	if (bytes < (size_t)sizeof_client_cert_der_2048)
+		bytes = (size_t)sizeof_client_cert_der_2048;
+#else
+	bytes = FOURK_BUF;
+#endif
+
+    tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        || out == NULL || plain == NULL
+    #endif
+    ) {
+        ERROR_OUT(-7600, exit_rsa_nopadding);
+    }
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, client_key_der_1024, (size_t)sizeof_client_key_der_1024);
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048);
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, client_key_der_3072, (size_t)sizeof_client_key_der_3072);
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, client_key_der_4096, (size_t)sizeof_client_key_der_4096);
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(clientKey, "rb");
+    if (!file) {
+        err_sys("can't open ./certs/client-key.der, "
+                "Please run from wolfSSL home dir", -40);
+        ERROR_OUT(-7601, exit_rsa_nopadding);
+    }
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No key to use. */
+    ERROR_OUT(-7602, exit_rsa_nopadding);
+#endif /* USE_CERT_BUFFERS */
+
+    ret = wc_InitRsaKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7603, exit_rsa_nopadding);
+    }
+    ret = wc_RsaPrivateKeyDecode(tmp, &idx, &key, (word32)bytes);
+    if (ret != 0) {
+        ERROR_OUT(-7604, exit_rsa_nopadding);
+    }
+
+    /* after loading in key use tmp as the test buffer */
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7605, exit_rsa_nopadding);
+    }
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    inLen = wc_RsaEncryptSize(&key);
+    outSz   = inLen;
+    plainSz = inLen;
+    XMEMSET(tmp, 7, inLen);
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaDirect(tmp, inLen, out, &outSz, &key,
+                    RSA_PRIVATE_ENCRYPT, &rng);
         }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        fclose(pemFile);
-        if (ret != pemSz) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -314;
+    } while (ret == WC_PENDING_E);
+    if (ret <= 0) {
+        ERROR_OUT(-7606, exit_rsa_nopadding);
+    }
+
+    /* encrypted result should not be the same as input */
+    if (XMEMCMP(out, tmp, inLen) == 0) {
+        ERROR_OUT(-7607, exit_rsa_nopadding);
+    }
+    TEST_SLEEP();
+
+    /* decrypt with public key and compare result */
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaDirect(out, outSz, plain, &plainSz, &key,
+                    RSA_PUBLIC_DECRYPT, &rng);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret <= 0) {
+        ERROR_OUT(-7608, exit_rsa_nopadding);
+    }
 
-        ret = wc_InitRsaKey(&derIn, 0);
-        if (ret != 0) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&genKey);
-            return -3060;
+    if (XMEMCMP(plain, tmp, inLen) != 0) {
+        ERROR_OUT(-7609, exit_rsa_nopadding);
+    }
+    TEST_SLEEP();
+#endif
+
+#ifdef WC_RSA_BLINDING
+    ret = wc_RsaSetRNG(NULL, &rng);
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7610, exit_rsa_nopadding);
+    }
+
+    ret = wc_RsaSetRNG(&key, &rng);
+    if (ret < 0) {
+        ERROR_OUT(-7611, exit_rsa_nopadding);
+    }
+#endif
+
+    /* test encrypt and decrypt using WC_RSA_NO_PAD */
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(tmp, inLen, out, (int)outSz, &key, &rng,
+                WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0);
         }
-        idx = 0;
-        ret = wc_RsaPrivateKeyDecode(der, &idx, &derIn, derSz);
-        if (ret != 0) {
-            free(der);
-            free(pem);
-            wc_FreeRsaKey(&derIn);
-            wc_FreeRsaKey(&genKey);
-            return -306;
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7612, exit_rsa_nopadding);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, outSz, plain, (int)plainSz, &key,
+                WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, WC_MGF1NONE, NULL, 0);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7613, exit_rsa_nopadding);
+    }
 
-        wc_FreeRsaKey(&derIn);
-        wc_FreeRsaKey(&genKey);
-        free(pem);
-        free(der);
+    if (XMEMCMP(plain, tmp, inLen) != 0) {
+        ERROR_OUT(-7614, exit_rsa_nopadding);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+    /* test some bad arguments */
+    ret = wc_RsaDirect(out, outSz, plain, &plainSz, &key, -1,
+            &rng);
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7615, exit_rsa_nopadding);
+    }
+
+    ret = wc_RsaDirect(out, outSz, plain, &plainSz, NULL, RSA_PUBLIC_DECRYPT,
+            &rng);
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7616, exit_rsa_nopadding);
+    }
+
+    ret = wc_RsaDirect(out, outSz, NULL, &plainSz, &key, RSA_PUBLIC_DECRYPT,
+            &rng);
+    if (ret != LENGTH_ONLY_E || plainSz != inLen) {
+        ERROR_OUT(-7617, exit_rsa_nopadding);
+    }
+
+    ret = wc_RsaDirect(out, outSz - 10, plain, &plainSz, &key,
+            RSA_PUBLIC_DECRYPT, &rng);
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7618, exit_rsa_nopadding);
     }
-#endif /* WOLFSSL_KEY_GEN */
 
+    /* if making it to this point of code without hitting an ERROR_OUT then
+     * all tests have passed */
+    ret = 0;
+
+exit_rsa_nopadding:
+    XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    FREE_VAR(out, HEAP_HINT);
+    FREE_VAR(plain, HEAP_HINT);
+    wc_FreeRsaKey(&key);
+    wc_FreeRng(&rng);
+
+    return ret;
+}
+#endif /* WC_RSA_NO_PADDING */
 
 #ifdef WOLFSSL_CERT_GEN
+static int rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng, byte* tmp)
+{
+    RsaKey      caKey;
+    byte*       der;
+    byte*       pem = NULL;
+    int         ret;
+    Cert*       myCert = NULL;
+    int         certSz;
+    size_t      bytes3;
+    word32      idx3 = 0;
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+    XFILE       file3;
+#endif
+#ifdef WOLFSSL_TEST_CERT
+    DecodedCert decode;
+#endif
+#if defined(WOLFSSL_ALT_NAMES) && !defined(NO_ASN_TIME)
+    struct tm beforeTime;
+    struct tm afterTime;
+#endif
+    const byte  mySerial[8] = {1,2,3,4,5,6,7,8};
+
+    (void)keypub;
+
+    XMEMSET(&caKey, 0, sizeof(caKey));
+
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        ERROR_OUT(-7619, exit_rsa);
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        ERROR_OUT(-7620, exit_rsa);
+    }
+    myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (myCert == NULL) {
+        ERROR_OUT(-7621, exit_rsa);
+    }
+
     /* self signed */
+    if (wc_InitCert(myCert)) {
+        ERROR_OUT(-7622, exit_rsa);
+    }
+
+    XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
+    XMEMCPY(myCert->serial, mySerial, sizeof(mySerial));
+    myCert->serialSz = (int)sizeof(mySerial);
+    myCert->isCA    = 1;
+#ifndef NO_SHA256
+    myCert->sigType = CTC_SHA256wRSA;
+#else
+    myCert->sigType = CTC_SHAwRSA;
+#endif
+
+
+#ifdef WOLFSSL_CERT_EXT
+    /* add Policies */
+    XSTRNCPY(myCert->certPolicies[0], "2.16.840.1.101.3.4.1.42",
+            CTC_MAX_CERTPOL_SZ);
+    XSTRNCPY(myCert->certPolicies[1], "1.2.840.113549.1.9.16.6.5",
+            CTC_MAX_CERTPOL_SZ);
+    myCert->certPoliciesNb = 2;
+
+    /* add SKID from the Public Key */
+    if (wc_SetSubjectKeyIdFromPublicKey(myCert, keypub, NULL) != 0) {
+        ERROR_OUT(-7623, exit_rsa);
+    }
+
+     /* add AKID from the Public Key */
+     if (wc_SetAuthKeyIdFromPublicKey(myCert, keypub, NULL) != 0) {
+        ERROR_OUT(-7624, exit_rsa);
+    }
+
+    /* add Key Usage */
+    if (wc_SetKeyUsage(myCert,"cRLSign,keyCertSign") != 0) {
+        ERROR_OUT(-7625, exit_rsa);
+    }
+#ifdef WOLFSSL_EKU_OID
     {
-        Cert        myCert;
-        byte*       derCert;
-        byte*       pem;
-        FILE*       derFile;
-        FILE*       pemFile;
-        int         certSz;
-        int         pemSz;
+        const char unique[] = "2.16.840.1.111111.100.1.10.1";
+        if (wc_SetExtKeyUsageOID(myCert, unique, sizeof(unique), 0,
+                    HEAP_HINT) != 0) {
+            ERROR_OUT(-7626, exit_rsa);
+        }
+    }
+#endif /* WOLFSSL_EKU_OID */
+#endif /* WOLFSSL_CERT_EXT */
+
+    ret = 0;
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_MakeSelfCert(myCert, der, FOURK_BUF, key, rng);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7627, exit_rsa);
+    }
+    certSz = ret;
+
 #ifdef WOLFSSL_TEST_CERT
-        DecodedCert decode;
+    InitDecodedCert(&decode, der, certSz, HEAP_HINT);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0) {
+        FreeDecodedCert(&decode);
+        ERROR_OUT(-7628, exit_rsa);
+    }
+    FreeDecodedCert(&decode);
 #endif
 
-        derCert = (byte*)malloc(FOURK_BUF);
-        if (derCert == NULL)
-            return -309;
-        pem = (byte*)malloc(FOURK_BUF);
-        if (pem == NULL) {
-            free(derCert);
-            return -310;
-        }
+    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certDerFile,
+        certPemFile, CERT_TYPE, -5578);
+    if (ret != 0) {
+        goto exit_rsa;
+    }
 
-        wc_InitCert(&myCert);
+    /* Setup Certificate */
+    if (wc_InitCert(myCert)) {
+        ERROR_OUT(-7629, exit_rsa);
+    }
 
-        strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
-        strncpy(myCert.subject.state, "OR", CTC_NAME_SIZE);
-        strncpy(myCert.subject.locality, "Portland", CTC_NAME_SIZE);
-        strncpy(myCert.subject.org, "yaSSL", CTC_NAME_SIZE);
-        strncpy(myCert.subject.unit, "Development", CTC_NAME_SIZE);
-        strncpy(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE);
-        strncpy(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE);
-        myCert.isCA    = 1;
-        myCert.sigType = CTC_SHA256wRSA;
+#ifdef WOLFSSL_ALT_NAMES
+        /* Get CA Cert for testing */
+    #ifdef USE_CERT_BUFFERS_1024
+        XMEMCPY(tmp, ca_cert_der_1024, sizeof_ca_cert_der_1024);
+        bytes3 = sizeof_ca_cert_der_1024;
+    #elif defined(USE_CERT_BUFFERS_2048)
+        XMEMCPY(tmp, ca_cert_der_2048, sizeof_ca_cert_der_2048);
+        bytes3 = sizeof_ca_cert_der_2048;
+    #else
+        file3 = XFOPEN(rsaCaCertDerFile, "rb");
+        if (!file3) {
+            ERROR_OUT(-7630, exit_rsa);
+        }
+        bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
+        XFCLOSE(file3);
+    #endif /* USE_CERT_BUFFERS */
 
-        certSz = wc_MakeSelfCert(&myCert, derCert, FOURK_BUF, &key, &rng);
-        if (certSz < 0) {
-            free(derCert);
-            free(pem);
-            return -401;
+    #if !defined(NO_FILESYSTEM) && !defined(USE_CERT_BUFFERS_1024) && \
+        !defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN)
+        ret = wc_SetAltNames(myCert, rsaCaCertFile);
+        if (ret != 0) {
+            ERROR_OUT(-7631, exit_rsa);
+        }
+    #endif
+        /* get alt names from der */
+        ret = wc_SetAltNamesBuffer(myCert, tmp, (int)bytes3);
+        if (ret != 0) {
+            ERROR_OUT(-7632, exit_rsa);
         }
 
-#ifdef WOLFSSL_TEST_CERT
-        InitDecodedCert(&decode, derCert, certSz, 0);
-        ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+        /* get dates from der */
+        ret = wc_SetDatesBuffer(myCert, tmp, (int)bytes3);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -402;
+            ERROR_OUT(-7633, exit_rsa);
         }
-        FreeDecodedCert(&decode);
+
+    #ifndef NO_ASN_TIME
+        ret = wc_GetCertDates(myCert, &beforeTime, &afterTime);
+        if (ret < 0) {
+            ERROR_OUT(-7634, exit_rsa);
+        }
+    #endif
+#endif /* WOLFSSL_ALT_NAMES */
+
+    /* Get CA Key */
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024);
+    bytes3 = sizeof_ca_key_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048);
+    bytes3 = sizeof_ca_key_der_2048;
+#else
+    file3 = XFOPEN(rsaCaKeyFile, "rb");
+    if (!file3) {
+        ERROR_OUT(-7635, exit_rsa);
+    }
+
+    bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
+    XFCLOSE(file3);
+#endif /* USE_CERT_BUFFERS */
+
+    ret = wc_InitRsaKey(&caKey, HEAP_HINT);
+    if (ret != 0) {
+        ERROR_OUT(-7636, exit_rsa);
+    }
+    ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3);
+    if (ret != 0) {
+        ERROR_OUT(-7637, exit_rsa);
+    }
+
+#ifndef NO_SHA256
+    myCert->sigType = CTC_SHA256wRSA;
+#else
+    myCert->sigType = CTC_SHAwRSA;
 #endif
 
-#ifdef FREESCALE_MQX
-        derFile = fopen("a:\\certs\\cert.der", "wb");
+    XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
+
+#ifdef WOLFSSL_CERT_EXT
+    /* add Policies */
+    XSTRNCPY(myCert->certPolicies[0], "2.16.840.1.101.3.4.1.42",
+            CTC_MAX_CERTPOL_SZ);
+    myCert->certPoliciesNb =1;
+
+    /* add SKID from the Public Key */
+    if (wc_SetSubjectKeyIdFromPublicKey(myCert, key, NULL) != 0) {
+        ERROR_OUT(-7638, exit_rsa);
+    }
+
+    /* add AKID from the CA certificate */
+#if defined(USE_CERT_BUFFERS_2048)
+    ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_2048,
+                                        sizeof_ca_cert_der_2048);
+#elif defined(USE_CERT_BUFFERS_1024)
+    ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_1024,
+                                        sizeof_ca_cert_der_1024);
 #else
-        derFile = fopen("./cert.der", "wb");
+    ret = wc_SetAuthKeyId(myCert, rsaCaCertFile);
 #endif
-        if (!derFile) {
-            free(derCert);
-            free(pem);
-            return -403;
-        }
-        ret = (int)fwrite(derCert, 1, certSz, derFile);
-        fclose(derFile);
-        if (ret != certSz) {
-            free(derCert);
-            free(pem);
-            return -414;
-        }
+    if (ret != 0) {
+        ERROR_OUT(-7639, exit_rsa);
+    }
 
-        pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE);
-        if (pemSz < 0) {
-            free(derCert);
-            free(pem);
-            return -404;
+    /* add Key Usage */
+    if (wc_SetKeyUsage(myCert,"keyEncipherment,keyAgreement") != 0) {
+        ERROR_OUT(-7640, exit_rsa);
+    }
+#endif /* WOLFSSL_CERT_EXT */
+
+#if defined(USE_CERT_BUFFERS_2048)
+    ret = wc_SetIssuerBuffer(myCert, ca_cert_der_2048,
+                                      sizeof_ca_cert_der_2048);
+#elif defined(USE_CERT_BUFFERS_1024)
+    ret = wc_SetIssuerBuffer(myCert, ca_cert_der_1024,
+                                      sizeof_ca_cert_der_1024);
+#else
+    ret = wc_SetIssuer(myCert, rsaCaCertFile);
+#endif
+    if (ret < 0) {
+        ERROR_OUT(-7641, exit_rsa);
+    }
+
+    certSz = wc_MakeCert(myCert, der, FOURK_BUF, key, NULL, rng);
+    if (certSz < 0) {
+        ERROR_OUT(-7642, exit_rsa);
+    }
+
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &caKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_SignCert(myCert->bodySz, myCert->sigType, der, FOURK_BUF,
+                      &caKey, NULL, rng);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7643, exit_rsa);
+    }
+    certSz = ret;
 
-#ifdef FREESCALE_MQX
-        pemFile = fopen("a:\\certs\\cert.pem", "wb");
+#ifdef WOLFSSL_TEST_CERT
+    InitDecodedCert(&decode, der, certSz, HEAP_HINT);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0) {
+        FreeDecodedCert(&decode);
+        ERROR_OUT(-7644, exit_rsa);
+    }
+    FreeDecodedCert(&decode);
+#endif
+
+    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, otherCertDerFile,
+        otherCertPemFile, CERT_TYPE, -5598);
+    if (ret != 0) {
+        goto exit_rsa;
+    }
+
+exit_rsa:
+    wc_FreeRsaKey(&caKey);
+
+    XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif
+
+#if !defined(NO_RSA) && defined(HAVE_ECC) && defined(WOLFSSL_CERT_GEN)
+/* Make Cert / Sign example for ECC cert and RSA CA */
+static int rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
+{
+    RsaKey      caKey;
+    ecc_key     caEccKey;
+    ecc_key     caEccKeyPub;
+    byte*       der;
+    byte*       pem = NULL;
+    Cert*       myCert = NULL;
+    int         certSz;
+    size_t      bytes3;
+    word32      idx3 = 0;
+#if (!defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)) \
+    || !defined(USE_CERT_BUFFERS_256)
+    XFILE       file3;
+#endif
+#ifdef WOLFSSL_TEST_CERT
+    DecodedCert decode;
+#endif
+    int ret;
+
+    XMEMSET(&caKey, 0, sizeof(caKey));
+    XMEMSET(&caEccKey, 0, sizeof(caEccKey));
+    XMEMSET(&caEccKeyPub, 0, sizeof(caEccKeyPub));
+
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        ERROR_OUT(-7645, exit_rsa);
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        ERROR_OUT(-7646, exit_rsa);
+    }
+    myCert = (Cert*)XMALLOC(sizeof(Cert), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (myCert == NULL) {
+        ERROR_OUT(-7647, exit_rsa);
+    }
+
+    /* Get CA Key */
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024);
+    bytes3 = sizeof_ca_key_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048);
+    bytes3 = sizeof_ca_key_der_2048;
 #else
-        pemFile = fopen("./cert.pem", "wb");
+    file3 = XFOPEN(rsaCaKeyFile, "rb");
+    if (!file3) {
+        ERROR_OUT(-7648, exit_rsa);
+    }
+
+    bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
+    XFCLOSE(file3);
+#endif /* USE_CERT_BUFFERS */
+
+    ret = wc_InitRsaKey(&caKey, HEAP_HINT);
+    if (ret != 0) {
+        ERROR_OUT(-7649, exit_rsa);
+    }
+    ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3);
+    if (ret != 0) {
+        ERROR_OUT(-7650, exit_rsa);
+    }
+
+    /* Get Cert Key */
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(tmp, ecc_key_pub_der_256, sizeof_ecc_key_pub_der_256);
+    bytes3 = sizeof_ecc_key_pub_der_256;
+#else
+    file3 = XFOPEN(eccKeyPubFile, "rb");
+    if (!file3) {
+        ERROR_OUT(-7651, exit_rsa);
+    }
+
+    bytes3 = XFREAD(tmp, 1, FOURK_BUF, file3);
+    XFCLOSE(file3);
 #endif
-        if (!pemFile) {
-            free(derCert);
-            free(pem);
-            return -405;
-        }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        fclose(pemFile);
-        if (ret != pemSz) {
-            free(derCert);
-            free(pem);
-            return -406;
+
+    ret = wc_ecc_init_ex(&caEccKeyPub, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7652, exit_rsa);
+    }
+
+    idx3 = 0;
+    ret = wc_EccPublicKeyDecode(tmp, &idx3, &caEccKeyPub, (word32)bytes3);
+    if (ret != 0) {
+        ERROR_OUT(-7653, exit_rsa);
+    }
+
+    /* Setup Certificate */
+    if (wc_InitCert(myCert)) {
+        ERROR_OUT(-7654, exit_rsa);
+    }
+
+#ifndef NO_SHA256
+    myCert->sigType = CTC_SHA256wRSA;
+#else
+    myCert->sigType = CTC_SHAwRSA;
+#endif
+
+    XMEMCPY(&myCert->subject, &certDefaultName, sizeof(CertName));
+
+#ifdef WOLFSSL_CERT_EXT
+    /* add Policies */
+    XSTRNCPY(myCert->certPolicies[0], "2.4.589440.587.101.2.1.9632587.1",
+            CTC_MAX_CERTPOL_SZ);
+    XSTRNCPY(myCert->certPolicies[1], "1.2.13025.489.1.113549",
+            CTC_MAX_CERTPOL_SZ);
+    myCert->certPoliciesNb = 2;
+
+    /* add SKID from the Public Key */
+    if (wc_SetSubjectKeyIdFromPublicKey(myCert, NULL, &caEccKeyPub) != 0) {
+        ERROR_OUT(-7655, exit_rsa);
+    }
+
+    /* add AKID from the CA certificate */
+#if defined(USE_CERT_BUFFERS_2048)
+    ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_2048,
+                                           sizeof_ca_cert_der_2048);
+#elif defined(USE_CERT_BUFFERS_1024)
+    ret = wc_SetAuthKeyIdFromCert(myCert, ca_cert_der_1024,
+                                           sizeof_ca_cert_der_1024);
+#else
+    ret = wc_SetAuthKeyId(myCert, rsaCaCertFile);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7656, exit_rsa);
+    }
+
+    /* add Key Usage */
+    if (wc_SetKeyUsage(myCert, certKeyUsage) != 0) {
+        ERROR_OUT(-7657, exit_rsa);
+    }
+#endif /* WOLFSSL_CERT_EXT */
+
+#if defined(USE_CERT_BUFFERS_2048)
+    ret = wc_SetIssuerBuffer(myCert, ca_cert_der_2048,
+                                      sizeof_ca_cert_der_2048);
+#elif defined(USE_CERT_BUFFERS_1024)
+    ret = wc_SetIssuerBuffer(myCert, ca_cert_der_1024,
+                                      sizeof_ca_cert_der_1024);
+#else
+    ret = wc_SetIssuer(myCert, rsaCaCertFile);
+#endif
+    if (ret < 0) {
+        ERROR_OUT(-7658, exit_rsa);
+    }
+
+    certSz = wc_MakeCert(myCert, der, FOURK_BUF, NULL, &caEccKeyPub, rng);
+    if (certSz < 0) {
+        ERROR_OUT(-7659, exit_rsa);
+    }
+
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &caEccKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_SignCert(myCert->bodySz, myCert->sigType, der,
+                              FOURK_BUF, &caKey, NULL, rng);
         }
-        free(pem);
-        free(derCert);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7660, exit_rsa);
     }
-    /* CA style */
-    {
-        RsaKey      caKey;
-        Cert        myCert;
-        byte*       derCert;
-        byte*       pem;
-        FILE*       derFile;
-        FILE*       pemFile;
-        int         certSz;
-        int         pemSz;
-        size_t      bytes3;
-        word32      idx3 = 0;
-        FILE*       file3 ;
+    certSz = ret;
+
 #ifdef WOLFSSL_TEST_CERT
-        DecodedCert decode;
+    InitDecodedCert(&decode, der, certSz, 0);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0) {
+        FreeDecodedCert(&decode);
+        ERROR_OUT(-7661, exit_rsa);
+
+    }
+    FreeDecodedCert(&decode);
 #endif
 
-        derCert = (byte*)malloc(FOURK_BUF);
-        if (derCert == NULL)
-            return -311;
-        pem = (byte*)malloc(FOURK_BUF);
-        if (pem == NULL) {
-            free(derCert);
-            return -312;
-        }
+    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccRsaDerFile,
+        certEccRsaPemFile, CERT_TYPE, -5616);
+    if (ret != 0) {
+        goto exit_rsa;
+    }
 
-        file3 = fopen(caKeyFile, "rb");
+exit_rsa:
+    wc_FreeRsaKey(&caKey);
+    wc_ecc_free(&caEccKey);
+    wc_ecc_free(&caEccKeyPub);
 
-        if (!file3) {
-            free(derCert);
-            free(pem);
-            return -412;
-        }
+    XFREE(myCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    myCert = NULL;
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    pem = NULL;
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    der = NULL;
+
+    if (ret >= 0)
+        ret = 0;
+    return ret;
+}
+#endif /* !NO_RSA && HAVE_ECC && WOLFSSL_CERT_GEN */
+
+#ifdef WOLFSSL_KEY_GEN
+static int rsa_keygen_test(WC_RNG* rng)
+{
+    RsaKey genKey;
+    int    ret;
+    byte*  der = NULL;
+    byte*  pem = NULL;
+    word32 idx = 0;
+    int    derSz = 0;
+#if !defined(WOLFSSL_SP_MATH) && !defined(HAVE_FIPS)
+    int    keySz = 1024;
+#else
+    int    keySz = 2048;
+#endif
+
+    XMEMSET(&genKey, 0, sizeof(genKey));
+
+    ret = wc_InitRsaKey_ex(&genKey, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7662, exit_rsa);
+    }
 
-        bytes3 = fread(tmp, 1, FOURK_BUF, file3);
-        fclose(file3);
+    ret = wc_MakeRsaKey(&genKey, keySz, WC_RSA_EXPONENT, rng);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &genKey.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7663, exit_rsa);
+    }
+    TEST_SLEEP();
+
+    /* If not using old FIPS, or not using FAST or USER RSA... */
+    #if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
+        (!defined(HAVE_FIPS) || \
+         (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
+        !defined(HAVE_SELFTEST) && !defined(HAVE_INTEL_QA)
+    ret = wc_CheckRsaKey(&genKey);
+    if (ret != 0) {
+        ERROR_OUT(-7664, exit_rsa);
+    }
+    #endif
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        ERROR_OUT(-7665, exit_rsa);
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        ERROR_OUT(-7666, exit_rsa);
+    }
+
+    derSz = wc_RsaKeyToDer(&genKey, der, FOURK_BUF);
+    if (derSz < 0) {
+        ERROR_OUT(-7667, exit_rsa);
+    }
+
+    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile, keyPemFile,
+        PRIVATEKEY_TYPE, -5555);
+    if (ret != 0) {
+        goto exit_rsa;
+    }
+
+    wc_FreeRsaKey(&genKey);
+    ret = wc_InitRsaKey(&genKey, HEAP_HINT);
+    if (ret != 0) {
+        ERROR_OUT(-7668, exit_rsa);
+    }
+    idx = 0;
+#if !defined(WOLFSSL_CRYPTOCELL)
+    /* The private key part of the key gen pairs from cryptocell can't be exported */
+    ret = wc_RsaPrivateKeyDecode(der, &idx, &genKey, derSz);
+    if (ret != 0) {
+        ERROR_OUT(-7669, exit_rsa);
+    }
+#endif /* WOLFSSL_CRYPTOCELL */
+
+exit_rsa:
+    wc_FreeRsaKey(&genKey);
+    if (pem != NULL) {
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        pem = NULL;
+    }
+    if (der != NULL) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        der = NULL;
+    }
+
+    return ret;
+}
+#endif
+
+int rsa_test(void)
+{
+    int    ret;
+    byte*  tmp;
+    byte*  der = NULL;
+    byte*  pem = NULL;
+    size_t bytes;
+    WC_RNG rng;
+    RsaKey key;
+#if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
+    RsaKey keypub;
+#endif
+#if defined(HAVE_NTRU)
+    RsaKey caKey;
+#endif
+#if !defined(NO_ASN) || !defined(WOLFSSL_RSA_PUBLIC_ONLY) \
+                     || defined(WOLFSSL_PUBLIC_MP)
+    word32 idx = 0;
+#endif
+#if (!defined(WOLFSSL_RSA_VERIFY_ONLY) || defined(WOLFSSL_PUBLIC_MP)) && \
+                                 !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG)
+    const char* inStr = "Everyone gets Friday off.";
+    word32      inLen = (word32)XSTRLEN((char*)inStr);
+    const word32 outSz   = RSA_TEST_BYTES;
+    const word32 plainSz = RSA_TEST_BYTES;
+#endif
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_PUBLIC_MP)
+    byte*  res;
+#endif
+#ifndef NO_SIG_WRAPPER
+    int modLen;
+#endif
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
+    !defined(NO_FILESYSTEM)
+    XFILE   file;
+    XFILE   file2;
+#endif
+#ifdef WOLFSSL_TEST_CERT
+    DecodedCert cert;
+#endif
+
+#if (!defined(WOLFSSL_RSA_VERIFY_ONLY) || defined(WOLFSSL_PUBLIC_MP)) && \
+                                 !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG)
+    DECLARE_VAR_INIT(in, byte, inLen, inStr, HEAP_HINT);
+    DECLARE_VAR(out, byte, RSA_TEST_BYTES, HEAP_HINT);
+    DECLARE_VAR(plain, byte, RSA_TEST_BYTES, HEAP_HINT);
+#endif
+
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (in == NULL)
+        return MEMORY_E;
+#endif
+
+    /* initialize stack structures */
+    XMEMSET(&rng, 0, sizeof(rng));
+    XMEMSET(&key, 0, sizeof(key));
+#ifdef WOLFSSL_CERT_EXT
+    XMEMSET(&keypub, 0, sizeof(keypub));
+#endif
+#if defined(HAVE_NTRU)
+    XMEMSET(&caKey, 0, sizeof(caKey));
+#endif
+
+#if !defined(HAVE_USER_RSA) && !defined(NO_ASN)
+    ret = rsa_decode_test(&key);
+    if (ret != 0)
+        return ret;
+#endif
+
+#ifdef USE_CERT_BUFFERS_1024
+    bytes = (size_t)sizeof_client_key_der_1024;
+    if (bytes < (size_t)sizeof_client_cert_der_1024)
+        bytes = (size_t)sizeof_client_cert_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    bytes = (size_t)sizeof_client_key_der_2048;
+    if (bytes < (size_t)sizeof_client_cert_der_2048)
+        bytes = (size_t)sizeof_client_cert_der_2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    bytes = (size_t)sizeof_client_key_der_3072;
+    if (bytes < (size_t)sizeof_client_cert_der_3072)
+        bytes = (size_t)sizeof_client_cert_der_3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    bytes = (size_t)sizeof_client_key_der_4096;
+    if (bytes < (size_t)sizeof_client_cert_der_4096)
+        bytes = (size_t)sizeof_client_cert_der_4096;
+#else
+	bytes = FOURK_BUF;
+#endif
+
+    tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL
+    #ifdef WOLFSSL_ASYNC_CRYPT
+        || out == NULL || plain == NULL
+    #endif
+    ) {
+        return -7700;
+    }
 
-        ret = wc_InitRsaKey(&caKey, 0);
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, client_key_der_1024, (size_t)sizeof_client_key_der_1024);
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048);
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, client_key_der_3072, (size_t)sizeof_client_key_der_3072);
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, client_key_der_4096, (size_t)sizeof_client_key_der_4096);
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(clientKey, "rb");
+    if (!file) {
+        err_sys("can't open ./certs/client-key.der, "
+                "Please run from wolfSSL home dir", -40);
+        ERROR_OUT(-7701, exit_rsa);
+    }
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No key to use. */
+    ERROR_OUT(-7702, exit_rsa);
+#endif /* USE_CERT_BUFFERS */
+
+    ret = wc_InitRsaKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7703, exit_rsa);
+    }
+#ifndef NO_ASN
+    ret = wc_RsaPrivateKeyDecode(tmp, &idx, &key, (word32)bytes);
+    if (ret != 0) {
+        ERROR_OUT(-7704, exit_rsa);
+    }
+#ifndef NO_SIG_WRAPPER
+    modLen = wc_RsaEncryptSize(&key);
+#endif
+#else
+    #ifdef USE_CERT_BUFFERS_2048
+        ret = mp_read_unsigned_bin(&key.n, &tmp[12], 256);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -411;
+            ERROR_OUT(-7705, exit_rsa);
         }
-        ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3);
+        ret = mp_set_int(&key.e, WC_RSA_EXPONENT);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -413;
+            ERROR_OUT(-7706, exit_rsa);
         }
+#ifndef NO_SIG_WRAPPER
+        modLen = 2048;
+#endif
+    #else
+        #error Not supported yet!
+    #endif
+#endif
+
+#ifndef WC_NO_RNG
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7707, exit_rsa);
+    }
+#endif
 
-        wc_InitCert(&myCert);
+#ifndef NO_SIG_WRAPPER
+    ret = rsa_sig_test(&key, sizeof(RsaKey), modLen, &rng);
+    if (ret != 0)
+        goto exit_rsa;
+#endif
 
-        strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
-        strncpy(myCert.subject.state, "OR", CTC_NAME_SIZE);
-        strncpy(myCert.subject.locality, "Portland", CTC_NAME_SIZE);
-        strncpy(myCert.subject.org, "yaSSL", CTC_NAME_SIZE);
-        strncpy(myCert.subject.unit, "Development", CTC_NAME_SIZE);
-        strncpy(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE);
-        strncpy(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE);
+#ifdef WC_RSA_NONBLOCK
+    ret = rsa_nb_test(&key, in, inLen, out, outSz, plain, plainSz, &rng);
+    if (ret != 0)
+        goto exit_rsa;
+#endif
 
-        ret = wc_SetIssuer(&myCert, caCertFile);
-        if (ret < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -405;
+#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt(in, inLen, out, outSz, &key, &rng);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7708, exit_rsa);
+    }
+    TEST_SLEEP();
 
-        certSz = wc_MakeCert(&myCert, derCert, FOURK_BUF, &key, NULL, &rng);
-        if (certSz < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -407;
+#ifdef WC_RSA_BLINDING
+    {
+        int tmpret = ret;
+        ret = wc_RsaSetRNG(&key, &rng);
+        if (ret < 0) {
+            ERROR_OUT(-7709, exit_rsa);
         }
+        ret = tmpret;
+    }
+#endif
 
-        certSz = wc_SignCert(myCert.bodySz, myCert.sigType, derCert, FOURK_BUF,
-                          &caKey, NULL, &rng);
-        if (certSz < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -408;
+    idx = (word32)ret; /* save off encrypted length */
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt(out, idx, plain, plainSz, &key);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7710, exit_rsa);
+    }
 
+    if (XMEMCMP(plain, in, inLen)) {
+        ERROR_OUT(-7711, exit_rsa);
+    }
+    TEST_SLEEP();
 
-#ifdef WOLFSSL_TEST_CERT
-        InitDecodedCert(&decode, derCert, certSz, 0);
-        ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
-        if (ret != 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -409;
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecryptInline(out, idx, &res, &key);
         }
-        FreeDecodedCert(&decode);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7712, exit_rsa);
+    }
+    if (ret != (int)inLen) {
+        ERROR_OUT(-7713, exit_rsa);
+    }
+    if (XMEMCMP(res, in, inLen)) {
+        ERROR_OUT(-7714, exit_rsa);
+    }
+    TEST_SLEEP();
+
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
 #endif
+        if (ret >= 0) {
+            ret = wc_RsaSSL_Sign(in, inLen, out, outSz, &key, &rng);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7715, exit_rsa);
+    }
+    TEST_SLEEP();
 
-#ifdef FREESCALE_MQX
-        derFile = fopen("a:\\certs\\othercert.der", "wb");
+#elif defined(WOLFSSL_PUBLIC_MP)
+    (void)outSz;
+    (void)inLen;
+    (void)res;
+    {
+        byte signature_2048[] = {
+            0x07, 0x6f, 0xc9, 0x85, 0x73, 0x9e, 0x21, 0x79,
+            0x47, 0xf1, 0xa3, 0xd7, 0xf4, 0x27, 0x29, 0xbe,
+            0x99, 0x5d, 0xac, 0xb2, 0x10, 0x3f, 0x95, 0xda,
+            0x89, 0x23, 0xb8, 0x96, 0x13, 0x57, 0x72, 0x30,
+            0xa1, 0xfe, 0x5a, 0x68, 0x9c, 0x99, 0x9d, 0x1e,
+            0x05, 0xa4, 0x80, 0xb0, 0xbb, 0xd9, 0xd9, 0xa1,
+            0x69, 0x97, 0x74, 0xb3, 0x41, 0x21, 0x3b, 0x47,
+            0xf5, 0x51, 0xb1, 0xfb, 0xc7, 0xaa, 0xcc, 0xdc,
+            0xcd, 0x76, 0xa0, 0x28, 0x4d, 0x27, 0x14, 0xa4,
+            0xb9, 0x41, 0x68, 0x7c, 0xb3, 0x66, 0xe6, 0x6f,
+            0x40, 0x76, 0xe4, 0x12, 0xfd, 0xae, 0x29, 0xb5,
+            0x63, 0x60, 0x87, 0xce, 0x49, 0x6b, 0xf3, 0x05,
+            0x9a, 0x14, 0xb5, 0xcc, 0xcd, 0xf7, 0x30, 0x95,
+            0xd2, 0x72, 0x52, 0x1d, 0x5b, 0x7e, 0xef, 0x4a,
+            0x02, 0x96, 0x21, 0x6c, 0x55, 0xa5, 0x15, 0xb1,
+            0x57, 0x63, 0x2c, 0xa3, 0x8e, 0x9d, 0x3d, 0x45,
+            0xcc, 0xb8, 0xe6, 0xa1, 0xc8, 0x59, 0xcd, 0xf5,
+            0xdc, 0x0a, 0x51, 0xb6, 0x9d, 0xfb, 0xf4, 0x6b,
+            0xfd, 0x32, 0x71, 0x6e, 0xcf, 0xcb, 0xb3, 0xd9,
+            0xe0, 0x4a, 0x77, 0x34, 0xd6, 0x61, 0xf5, 0x7c,
+            0xf9, 0xa9, 0xa4, 0xb0, 0x8e, 0x3b, 0xd6, 0x04,
+            0xe0, 0xde, 0x2b, 0x5b, 0x5a, 0xbf, 0xd9, 0xef,
+            0x8d, 0xa3, 0xf5, 0xb1, 0x67, 0xf3, 0xb9, 0x72,
+            0x0a, 0x37, 0x12, 0x35, 0x6c, 0x8e, 0x10, 0x8b,
+            0x38, 0x06, 0x16, 0x4b, 0x20, 0x20, 0x13, 0x00,
+            0x2e, 0x6d, 0xc2, 0x59, 0x23, 0x67, 0x4a, 0x6d,
+            0xa1, 0x46, 0x8b, 0xee, 0xcf, 0x44, 0xb4, 0x3e,
+            0x56, 0x75, 0x00, 0x68, 0xb5, 0x7d, 0x0f, 0x20,
+            0x79, 0x5d, 0x7f, 0x12, 0x15, 0x32, 0x89, 0x61,
+            0x6b, 0x29, 0xb7, 0x52, 0xf5, 0x25, 0xd8, 0x98,
+            0xe8, 0x6f, 0xf9, 0x22, 0xb4, 0xbb, 0xe5, 0xff,
+            0xd0, 0x92, 0x86, 0x9a, 0x88, 0xa2, 0xaf, 0x6b
+        };
+        ret = sizeof(signature_2048);
+        XMEMCPY(out, signature_2048, ret);
+    }
+#endif
+
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) || defined(WOLFSSL_PUBLIC_MP)
+    idx = (word32)ret;
+    XMEMSET(plain, 0, plainSz);
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+#ifndef WOLFSSL_RSA_VERIFY_INLINE
+
+#if defined(WOLFSSL_CRYPTOCELL)
+        /*
+        Cryptocell requires the input data and signature byte array to verify.
+
+        first argument must be the input data
+        second argument must be the length of input data
+        third argument must be the signature byte array or the output from
+                                                                wc_RsaSSL_Sign()
+        fourth argument must be the length of the signature byte array
+        */
+
+        ret = wc_RsaSSL_Verify(in, inLen, out, outSz, &key);
 #else
-        derFile = fopen("./othercert.der", "wb");
+        ret = wc_RsaSSL_Verify(out, idx, plain, plainSz, &key);
+#endif /* WOLFSSL_CRYPTOCELL */
+#else
+            byte* dec = NULL;
+            ret = wc_RsaSSL_VerifyInline(out, idx, &dec, &key);
+            if (ret > 0) {
+                XMEMCPY(plain, dec, ret);
+            }
 #endif
-        if (!derFile) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -410;
-        }
-        ret = (int)fwrite(derCert, 1, certSz, derFile);
-        fclose(derFile);
-        if (ret != certSz) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -416;
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7716, exit_rsa);
+    }
 
-        pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE);
-        if (pemSz < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -411;
+    if (XMEMCMP(plain, in, (size_t)ret)) {
+        ERROR_OUT(-7717, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif
+
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    #if !defined(WC_NO_RSA_OAEP) && !defined(WC_NO_RNG)
+    /* OAEP padding testing */
+    #if !defined(HAVE_FAST_RSA) && !defined(HAVE_USER_RSA) && \
+        (!defined(HAVE_FIPS) || \
+         (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
+    #ifndef NO_SHA
+    XMEMSET(plain, 0, plainSz);
+
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                       WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, NULL, 0);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7718, exit_rsa);
+    }
+    TEST_SLEEP();
 
-#ifdef FREESCALE_MQX
-        pemFile = fopen("a:\\certs\\othercert.pem", "wb");
-#else
-        pemFile = fopen("./othercert.pem", "wb");
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    idx = (word32)ret;
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
 #endif
-        if (!pemFile) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -412;
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+                       WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, NULL, 0);
         }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        if (ret != pemSz) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -415;
-        }
-        fclose(pemFile);
-        free(pem);
-        free(derCert);
-        wc_FreeRsaKey(&caKey);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7719, exit_rsa);
     }
-#ifdef HAVE_ECC
-    /* ECC CA style */
-    {
-        ecc_key     caKey;
-        Cert        myCert;
-        byte*       derCert;
-        byte*       pem;
-        FILE*       derFile;
-        FILE*       pemFile;
-        int         certSz;
-        int         pemSz;
-        size_t      bytes3;
-        word32      idx3 = 0;
-        FILE*       file3;
-#ifdef WOLFSSL_TEST_CERT
-        DecodedCert decode;
+
+    if (XMEMCMP(plain, in, inLen)) {
+        ERROR_OUT(-7720, exit_rsa);
+    }
+    TEST_SLEEP();
+    #endif /* NO_SHA */
 #endif
 
-        derCert = (byte*)malloc(FOURK_BUF);
-        if (derCert == NULL)
-            return -5311;
-        pem = (byte*)malloc(FOURK_BUF);
-        if (pem == NULL) {
-            free(derCert);
-            return -5312;
+    #ifndef NO_SHA256
+    XMEMSET(plain, 0, plainSz);
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                  WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7721, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+    idx = (word32)ret;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+                  WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7722, exit_rsa);
+    }
 
-        file3 = fopen(eccCaKeyFile, "rb");
+    if (XMEMCMP(plain, in, inLen)) {
+        ERROR_OUT(-7723, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
 
-        if (!file3) {
-            free(derCert);
-            free(pem);
-            return -5412;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecryptInline_ex(out, idx, &res, &key,
+                WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7724, exit_rsa);
+    }
+    if (ret != (int)inLen) {
+        ERROR_OUT(-7725, exit_rsa);
+    }
+    if (XMEMCMP(res, in, inLen)) {
+        ERROR_OUT(-7726, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+
+    /* check fails if not using the same optional label */
+    XMEMSET(plain, 0, plainSz);
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                  WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7727, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+/* TODO: investigate why Cavium Nitrox doesn't detect decrypt error here */
+#if !defined(HAVE_CAVIUM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
+    !defined(WOLFSSL_CRYPTOCELL)
+/* label is unused in cryptocell so it won't detect decrypt error due to label */
+    idx = (word32)ret;
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+               WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret > 0) { /* in this case decrypt should fail */
+        ERROR_OUT(-7728, exit_rsa);
+    }
+    ret = 0;
+    TEST_SLEEP();
+#endif /* !HAVE_CAVIUM */
+
+    /* check using optional label with encrypt/decrypt */
+    XMEMSET(plain, 0, plainSz);
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+               WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7729, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+    idx = (word32)ret;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+               WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, in, inLen);
+        }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7730, exit_rsa);
+    }
 
-        bytes3 = fread(tmp, 1, FOURK_BUF, file3);
-        fclose(file3);
+    if (XMEMCMP(plain, in, inLen)) {
+        ERROR_OUT(-7731, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
 
-        wc_ecc_init(&caKey);
-        ret = wc_EccPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3);
-        if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -5413;
+#ifndef WOLFSSL_RSA_VERIFY_ONLY
+    #ifndef NO_SHA
+        /* check fail using mismatch hash algorithms */
+        XMEMSET(plain, 0, plainSz);
+        do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                    WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA, WC_MGF1SHA1, in, inLen);
+            }
+        } while (ret == WC_PENDING_E);
+        if (ret < 0) {
+            ERROR_OUT(-7732, exit_rsa);
         }
+        TEST_SLEEP();
+
+/* TODO: investigate why Cavium Nitrox doesn't detect decrypt error here */
+#if !defined(HAVE_CAVIUM) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
+    !defined(WOLFSSL_CRYPTOCELL)
+        idx = (word32)ret;
+        do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+                    WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256,
+                    in, inLen);
+            }
+        } while (ret == WC_PENDING_E);
+        if (ret > 0) { /* should fail */
+            ERROR_OUT(-7733, exit_rsa);
+        }
+        ret = 0;
+        TEST_SLEEP();
+    #endif /* !HAVE_CAVIUM */
+    #endif /* NO_SHA */
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+#endif /* NO_SHA256 */
 
-        wc_InitCert(&myCert);
-        myCert.sigType = CTC_SHA256wECDSA;
-
-        strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
-        strncpy(myCert.subject.state, "OR", CTC_NAME_SIZE);
-        strncpy(myCert.subject.locality, "Portland", CTC_NAME_SIZE);
-        strncpy(myCert.subject.org, "wolfSSL", CTC_NAME_SIZE);
-        strncpy(myCert.subject.unit, "Development", CTC_NAME_SIZE);
-        strncpy(myCert.subject.commonName, "www.wolfssl.com", CTC_NAME_SIZE);
-        strncpy(myCert.subject.email, "info@wolfssl.com", CTC_NAME_SIZE);
+#ifdef WOLFSSL_SHA512
+    /* Check valid RSA key size is used while using hash length of SHA512
+       If key size is less than (hash length * 2) + 2 then is invalid use
+       and test, since OAEP padding requires this.
+       BAD_FUNC_ARG is returned when this case is not met */
+    if (wc_RsaEncryptSize(&key) > ((int)WC_SHA512_DIGEST_SIZE * 2) + 2) {
+        XMEMSET(plain, 0, plainSz);
+        do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                  WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA512, WC_MGF1SHA512, NULL, 0);
+            }
+        } while (ret == WC_PENDING_E);
+        if (ret < 0) {
+            ERROR_OUT(-7734, exit_rsa);
+        }
+        TEST_SLEEP();
 
-        ret = wc_SetIssuer(&myCert, eccCaCertFile);
+        idx = ret;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+        do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+            if (ret >= 0) {
+                ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+                  WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA512, WC_MGF1SHA512, NULL, 0);
+            }
+        } while (ret == WC_PENDING_E);
         if (ret < 0) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5405;
+            ERROR_OUT(-7735, exit_rsa);
         }
 
-        certSz = wc_MakeCert(&myCert, derCert, FOURK_BUF, NULL, &caKey, &rng);
-        if (certSz < 0) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5407;
+        if (XMEMCMP(plain, in, inLen)) {
+            ERROR_OUT(-7736, exit_rsa);
         }
+        TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+    }
+#endif /* WOLFSSL_SHA512 */
 
-        certSz = wc_SignCert(myCert.bodySz, myCert.sigType, derCert, FOURK_BUF,
-                          NULL, &caKey, &rng);
-        if (certSz < 0) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5408;
+    /* check using pkcsv15 padding with _ex API */
+    XMEMSET(plain, 0, plainSz);
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPublicEncrypt_ex(in, inLen, out, outSz, &key, &rng,
+                  WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7737, exit_rsa);
+    }
+    TEST_SLEEP();
 
-#ifdef WOLFSSL_TEST_CERT
-        InitDecodedCert(&decode, derCert, certSz, 0);
-        ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
-        if (ret != 0) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5409;
+    idx = (word32)ret;
+#ifndef WOLFSSL_RSA_PUBLIC_ONLY
+    do {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+#endif
+        if (ret >= 0) {
+            ret = wc_RsaPrivateDecrypt_ex(out, idx, plain, plainSz, &key,
+                  WC_RSA_PKCSV15_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
         }
-        FreeDecodedCert(&decode);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-7738, exit_rsa);
+    }
+
+    if (XMEMCMP(plain, in, inLen)) {
+        ERROR_OUT(-7739, exit_rsa);
+    }
+    TEST_SLEEP();
+#endif /* WOLFSSL_RSA_PUBLIC_ONLY */
+    #endif /* !HAVE_FAST_RSA && !HAVE_FIPS */
+    #endif /* WC_NO_RSA_OAEP && !WC_NO_RNG */
+#endif /* WOLFSSL_RSA_VERIFY_ONLY */
+
+#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(NO_ASN) \
+    && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+    ret = rsa_export_key_test(&key);
+    if (ret != 0)
+        return ret;
 #endif
 
-#ifdef FREESCALE_MQX
-        derFile = fopen("a:\\certs\\certecc.der", "wb");
+#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    ret = rsa_flatten_test(&key);
+    if (ret != 0)
+        return ret;
+#endif
+
+#if defined(WOLFSSL_MDK_ARM)
+    #define sizeof(s) XSTRLEN((char *)(s))
+#endif
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, client_cert_der_1024, (size_t)sizeof_client_cert_der_1024);
+    bytes = (size_t)sizeof_client_cert_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, client_cert_der_2048, (size_t)sizeof_client_cert_der_2048);
+    bytes = (size_t)sizeof_client_cert_der_2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, client_cert_der_3072, (size_t)sizeof_client_cert_der_3072);
+    bytes = (size_t)sizeof_client_cert_der_3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, client_cert_der_4096, (size_t)sizeof_client_cert_der_4096);
+    bytes = (size_t)sizeof_client_cert_der_4096;
+#elif !defined(NO_FILESYSTEM)
+    file2 = XFOPEN(clientCert, "rb");
+    if (!file2) {
+        ERROR_OUT(-7740, exit_rsa);
+    }
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file2);
+    XFCLOSE(file2);
 #else
-        derFile = fopen("./certecc.der", "wb");
+    /* No certificate to use. */
+    ERROR_OUT(-7741, exit_rsa);
 #endif
-        if (!derFile) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5410;
-        }
-        ret = (int)fwrite(derCert, 1, certSz, derFile);
-        fclose(derFile);
-        if (ret != certSz) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5414;
-        }
 
-        pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE);
-        if (pemSz < 0) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5411;
-        }
+#ifdef sizeof
+    #undef sizeof
+#endif
 
-#ifdef FREESCALE_MQX
-        pemFile = fopen("a:\\certs\\certecc.pem", "wb");
+#ifdef WOLFSSL_TEST_CERT
+    InitDecodedCert(&cert, tmp, (word32)bytes, 0);
+
+    ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0) {
+        FreeDecodedCert(&cert);
+        ERROR_OUT(-7742, exit_rsa);
+    }
+
+    FreeDecodedCert(&cert);
 #else
-        pemFile = fopen("./certecc.pem", "wb");
+    (void)bytes;
 #endif
-        if (!pemFile) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5412;
-        }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        if (ret != pemSz) {
-            free(pem);
-            free(derCert);
-            wc_ecc_free(&caKey);
-            return -5415;
-        }
-        fclose(pemFile);
-        free(pem);
-        free(derCert);
-        wc_ecc_free(&caKey);
+
+#ifdef WOLFSSL_CERT_EXT
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(tmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
+    bytes = sizeof_client_keypub_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
+    bytes = sizeof_client_keypub_der_2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, client_keypub_der_3072, sizeof_client_keypub_der_3072);
+    bytes = sizeof_client_keypub_der_3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, client_keypub_der_4096, sizeof_client_keypub_der_4096);
+    bytes = sizeof_client_keypub_der_4096;
+#else
+    file = XFOPEN(clientKeyPub, "rb");
+    if (!file) {
+        err_sys("can't open ./certs/client-keyPub.der, "
+                "Please run from wolfSSL home dir", -40);
+        ERROR_OUT(-7743, exit_rsa);
     }
-#endif /* HAVE_ECC */
+
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#endif /* USE_CERT_BUFFERS */
+
+    ret = wc_InitRsaKey(&keypub, HEAP_HINT);
+    if (ret != 0) {
+        ERROR_OUT(-7744, exit_rsa);
+    }
+    idx = 0;
+
+    ret = wc_RsaPublicKeyDecode(tmp, &idx, &keypub, (word32)bytes);
+    if (ret != 0) {
+        ERROR_OUT(-7745, exit_rsa);
+    }
+#endif /* WOLFSSL_CERT_EXT */
+
+#ifdef WOLFSSL_KEY_GEN
+    ret = rsa_keygen_test(&rng);
+    if (ret != 0)
+        goto exit_rsa;
+#endif
+
+#ifdef WOLFSSL_CERT_GEN
+    /* Make Cert / Sign example for RSA cert and RSA CA */
+    ret = rsa_certgen_test(&key, &keypub, &rng, tmp);
+    if (ret != 0)
+        goto exit_rsa;
+
+#if !defined(NO_RSA) && defined(HAVE_ECC)
+    ret = rsa_ecc_certgen_test(&rng, tmp);
+    if (ret != 0)
+        goto exit_rsa;
+#endif
+
 #ifdef HAVE_NTRU
     {
-        RsaKey      caKey;
         Cert        myCert;
-        byte*       derCert;
-        byte*       pem;
-        FILE*       derFile;
-        FILE*       pemFile;
-        FILE*       caFile;
-        FILE*       ntruPrivFile;
+    #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+        XFILE       caFile;
+    #endif
+    #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+        XFILE       ntruPrivFile;
+    #endif
         int         certSz;
-        int         pemSz;
-        word32      idx3;
-#ifdef WOLFSSL_TEST_CERT
+        word32      idx3 = 0;
+    #ifdef WOLFSSL_TEST_CERT
         DecodedCert decode;
-#endif
-        derCert = (byte*)malloc(FOURK_BUF);
-        if (derCert == NULL)
-            return -311;
-        pem = (byte*)malloc(FOURK_BUF);
-        if (pem == NULL) {
-            free(derCert);
-            return -312;
-        }
-
+    #endif
         byte   public_key[557];          /* sized for EES401EP2 */
         word16 public_key_len;           /* no. of octets in public key */
         byte   private_key[607];         /* sized for EES401EP2 */
@@ -3973,363 +13599,946 @@ int rsa_test(void)
         word32 rc = ntru_crypto_drbg_instantiate(112, pers_str,
                           sizeof(pers_str), GetEntropy, &drbg);
         if (rc != DRBG_OK) {
-            free(derCert);
-            free(pem);
-            return -448;
+            ERROR_OUT(-7746, exit_rsa);
         }
 
         rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2,
                                              &public_key_len, NULL,
                                              &private_key_len, NULL);
         if (rc != NTRU_OK) {
-            free(derCert);
-            free(pem);
-            return -449;
+            ERROR_OUT(-7747, exit_rsa);
         }
 
         rc = ntru_crypto_ntru_encrypt_keygen(drbg, NTRU_EES401EP2,
                                              &public_key_len, public_key,
                                              &private_key_len, private_key);
         if (rc != NTRU_OK) {
-            free(derCert);
-            free(pem);
-            return -450;
+            ERROR_OUT(-7748, exit_rsa);
         }
 
         rc = ntru_crypto_drbg_uninstantiate(drbg);
-
         if (rc != NTRU_OK) {
-            free(derCert);
-            free(pem);
-            return -451;
+            ERROR_OUT(-7749, exit_rsa);
         }
 
-        caFile = fopen(caKeyFile, "rb");
-
+    #ifdef USE_CERT_BUFFERS_1024
+        XMEMCPY(tmp, ca_key_der_1024, sizeof_ca_key_der_1024);
+        bytes = sizeof_ca_key_der_1024;
+    #elif defined(USE_CERT_BUFFERS_2048)
+        XMEMCPY(tmp, ca_key_der_2048, sizeof_ca_key_der_2048);
+        bytes = sizeof_ca_key_der_2048;
+    #else
+        caFile = XFOPEN(rsaCaKeyFile, "rb");
         if (!caFile) {
-            free(derCert);
-            free(pem);
-            return -452;
+            ERROR_OUT(-7750, exit_rsa);
         }
 
-        bytes = fread(tmp, 1, FOURK_BUF, caFile);
-        fclose(caFile);
+        bytes = XFREAD(tmp, 1, FOURK_BUF, caFile);
+        XFCLOSE(caFile);
+    #endif /* USE_CERT_BUFFERS */
 
-        ret = wc_InitRsaKey(&caKey, 0);
+        ret = wc_InitRsaKey(&caKey, HEAP_HINT);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -453;
+            ERROR_OUT(-7751, exit_rsa);
         }
         ret = wc_RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -454;
+            ERROR_OUT(-7752, exit_rsa);
         }
 
-        wc_InitCert(&myCert);
+        if (wc_InitCert(&myCert)) {
+            ERROR_OUT(-7753, exit_rsa);
+        }
+
+        XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName));
+        myCert.daysValid = 1000;
 
-        strncpy(myCert.subject.country, "US", CTC_NAME_SIZE);
-        strncpy(myCert.subject.state, "OR", CTC_NAME_SIZE);
-        strncpy(myCert.subject.locality, "Portland", CTC_NAME_SIZE);
-        strncpy(myCert.subject.org, "yaSSL", CTC_NAME_SIZE);
-        strncpy(myCert.subject.unit, "Development", CTC_NAME_SIZE);
-        strncpy(myCert.subject.commonName, "www.yassl.com", CTC_NAME_SIZE);
-        strncpy(myCert.subject.email, "info@yassl.com", CTC_NAME_SIZE);
+    #ifdef WOLFSSL_CERT_EXT
+        /* add SKID from the Public Key */
+        if (wc_SetSubjectKeyIdFromNtruPublicKey(&myCert, public_key,
+                                                public_key_len) != 0) {
+            ERROR_OUT(-7754, exit_rsa);
+        }
 
-        ret = wc_SetIssuer(&myCert, caCertFile);
+        /* add AKID from the CA certificate */
+    #if defined(USE_CERT_BUFFERS_2048)
+        ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_2048,
+                                            sizeof_ca_cert_der_2048);
+    #elif defined(USE_CERT_BUFFERS_1024)
+        ret = wc_SetAuthKeyIdFromCert(&myCert, ca_cert_der_1024,
+                                            sizeof_ca_cert_der_1024);
+    #else
+        ret = wc_SetAuthKeyId(&myCert, rsaCaCertFile);
+    #endif
+        if (ret != 0) {
+            ERROR_OUT(-7755, exit_rsa);
+        }
+
+        /* add Key Usage */
+        if (wc_SetKeyUsage(&myCert, certKeyUsage2) != 0) {
+            ERROR_OUT(-7756, exit_rsa);
+        }
+    #endif /* WOLFSSL_CERT_EXT */
+
+    #if defined(USE_CERT_BUFFERS_2048)
+        ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_2048,
+                                          sizeof_ca_cert_der_2048);
+    #elif defined(USE_CERT_BUFFERS_1024)
+        ret = wc_SetIssuerBuffer(&myCert, ca_cert_der_1024,
+                                          sizeof_ca_cert_der_1024);
+    #else
+        ret = wc_SetIssuer(&myCert, rsaCaCertFile);
+    #endif
         if (ret < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -455;
+            ERROR_OUT(-7757, exit_rsa);
+        }
+
+        der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        if (der == NULL) {
+            ERROR_OUT(-7758, exit_rsa);
+        }
+        pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
+        if (pem == NULL) {
+            ERROR_OUT(-7759, exit_rsa);
         }
 
-        certSz = wc_MakeNtruCert(&myCert, derCert, FOURK_BUF, public_key,
+        certSz = wc_MakeNtruCert(&myCert, der, FOURK_BUF, public_key,
                               public_key_len, &rng);
         if (certSz < 0) {
-            free(derCert);
-            free(pem);
-            wc_FreeRsaKey(&caKey);
-            return -456;
+            ERROR_OUT(-7760, exit_rsa);
         }
 
-        certSz = wc_SignCert(myCert.bodySz, myCert.sigType, derCert, FOURK_BUF,
+        ret = 0;
+        do {
+        #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &caKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        #endif
+            if (ret >= 0) {
+                ret = wc_SignCert(myCert.bodySz, myCert.sigType, der, FOURK_BUF,
                           &caKey, NULL, &rng);
+            }
+        } while (ret == WC_PENDING_E);
         wc_FreeRsaKey(&caKey);
-        if (certSz < 0) {
-            free(derCert);
-            free(pem);
-            return -457;
+        if (ret < 0) {
+            ERROR_OUT(-7761, exit_rsa);
         }
+        certSz = ret;
 
-
-#ifdef WOLFSSL_TEST_CERT
-        InitDecodedCert(&decode, derCert, certSz, 0);
+    #ifdef WOLFSSL_TEST_CERT
+        InitDecodedCert(&decode, der, certSz, HEAP_HINT);
         ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
         if (ret != 0) {
-            free(derCert);
-            free(pem);
-            return -458;
+            FreeDecodedCert(&decode);
+            ERROR_OUT(-7762, exit_rsa);
         }
         FreeDecodedCert(&decode);
-#endif
-        derFile = fopen("./ntru-cert.der", "wb");
-        if (!derFile) {
-            free(derCert);
-            free(pem);
-            return -459;
-        }
-        ret = (int)fwrite(derCert, 1, certSz, derFile);
-        fclose(derFile);
-        if (ret != certSz) {
-            free(derCert);
-            free(pem);
-            return -473;
-        }
-
-        pemSz = wc_DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE);
-        if (pemSz < 0) {
-            free(derCert);
-            free(pem);
-            return -460;
-        }
+    #endif
 
-        pemFile = fopen("./ntru-cert.pem", "wb");
-        if (!pemFile) {
-            free(derCert);
-            free(pem);
-            return -461;
-        }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        fclose(pemFile);
-        if (ret != pemSz) {
-            free(derCert);
-            free(pem);
-            return -474;
+        ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, "./ntru-cert.der",
+            "./ntru-cert.pem", CERT_TYPE, -5637);
+        if (ret != 0) {
+            goto exit_rsa;
         }
 
-        ntruPrivFile = fopen("./ntru-key.raw", "wb");
+    #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+        ntruPrivFile = XFOPEN("./ntru-key.raw", "wb");
         if (!ntruPrivFile) {
-            free(derCert);
-            free(pem);
-            return -462;
+            ERROR_OUT(-7763, exit_rsa);
         }
-        ret = (int)fwrite(private_key, 1, private_key_len, ntruPrivFile);
-        fclose(ntruPrivFile);
+        ret = (int)XFWRITE(private_key, 1, private_key_len, ntruPrivFile);
+        XFCLOSE(ntruPrivFile);
         if (ret != private_key_len) {
-            free(pem);
-            free(derCert);
-            return -475;
+            ERROR_OUT(-7764, exit_rsa);
         }
-        free(pem);
-        free(derCert);
+    #endif
+
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        pem = NULL;
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        der = NULL;
     }
 #endif /* HAVE_NTRU */
 #ifdef WOLFSSL_CERT_REQ
     {
         Cert        req;
-        byte*       der;
-        byte*       pem;
         int         derSz;
-        int         pemSz;
-        FILE*       reqFile;
 
-        der = (byte*)malloc(FOURK_BUF);
-        if (der == NULL)
-            return -463;
-        pem = (byte*)malloc(FOURK_BUF);
+        der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
+        if (der == NULL) {
+            ERROR_OUT(-7765, exit_rsa);
+        }
+        pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,DYNAMIC_TYPE_TMP_BUFFER);
         if (pem == NULL) {
-            free(der);
-            return -464;
+            ERROR_OUT(-7766, exit_rsa);
         }
 
-        wc_InitCert(&req);
+        if (wc_InitCert(&req)) {
+            ERROR_OUT(-7767, exit_rsa);
+        }
 
         req.version = 0;
         req.isCA    = 1;
-        strncpy(req.challengePw, "yassl123", CTC_NAME_SIZE);
-        strncpy(req.subject.country, "US", CTC_NAME_SIZE);
-        strncpy(req.subject.state, "OR", CTC_NAME_SIZE);
-        strncpy(req.subject.locality, "Portland", CTC_NAME_SIZE);
-        strncpy(req.subject.org, "yaSSL", CTC_NAME_SIZE);
-        strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
-        strncpy(req.subject.commonName, "www.yassl.com", CTC_NAME_SIZE);
-        strncpy(req.subject.email, "info@yassl.com", CTC_NAME_SIZE);
+        XSTRNCPY(req.challengePw, "wolf123", CTC_NAME_SIZE);
+        XMEMCPY(&req.subject, &certDefaultName, sizeof(CertName));
+
+    #ifndef NO_SHA256
         req.sigType = CTC_SHA256wRSA;
+    #else
+        req.sigType = CTC_SHAwRSA;
+    #endif
 
-        derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL);
-        if (derSz < 0) {
-            free(pem);
-            free(der);
-            return -465;
+    #ifdef WOLFSSL_CERT_EXT
+        /* add SKID from the Public Key */
+        if (wc_SetSubjectKeyIdFromPublicKey(&req, &keypub, NULL) != 0) {
+            ERROR_OUT(-7768, exit_rsa);
         }
 
-        derSz = wc_SignCert(req.bodySz, req.sigType, der, FOURK_BUF,
-                          &key, NULL, &rng);
-        if (derSz < 0) {
-            free(pem);
-            free(der);
-            return -466;
+        /* add Key Usage */
+        if (wc_SetKeyUsage(&req, certKeyUsage2) != 0) {
+            ERROR_OUT(-7769, exit_rsa);
         }
 
-        pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, CERTREQ_TYPE);
-        if (pemSz < 0) {
-            free(pem);
-            free(der);
-            return -467;
+        /* add Extended Key Usage */
+        if (wc_SetExtKeyUsage(&req, "serverAuth,clientAuth,codeSigning,"
+                            "emailProtection,timeStamping,OCSPSigning") != 0) {
+            ERROR_OUT(-7770, exit_rsa);
         }
+    #ifdef WOLFSSL_EKU_OID
+        {
+            const char unique[] = "2.16.840.1.111111.100.1.10.1";
+            if (wc_SetExtKeyUsageOID(&req, unique, sizeof(unique), 0,
+                        HEAP_HINT) != 0) {
+                ERROR_OUT(-7771, exit_rsa);
+            }
+        }
+    #endif /* WOLFSSL_EKU_OID */
+    #endif /* WOLFSSL_CERT_EXT */
 
-#ifdef FREESCALE_MQX
-        reqFile = fopen("a:\\certs\\certreq.der", "wb");
-#else
-        reqFile = fopen("./certreq.der", "wb");
-#endif
-        if (!reqFile) {
-            free(pem);
-            free(der);
-            return -468;
+        derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL);
+        if (derSz < 0) {
+            ERROR_OUT(-7772, exit_rsa);
         }
 
-        ret = (int)fwrite(der, 1, derSz, reqFile);
-        fclose(reqFile);
-        if (ret != derSz) {
-            free(pem);
-            free(der);
-            return -471;
+    #ifdef WOLFSSL_CERT_EXT
+        /* Try again with "any" flag set, will override all others */
+        if (wc_SetExtKeyUsage(&req, "any") != 0) {
+            ERROR_OUT(-7773, exit_rsa);
         }
+        derSz = wc_MakeCertReq(&req, der, FOURK_BUF, &key, NULL);
+        if (derSz < 0) {
+            ERROR_OUT(-7774, exit_rsa);
+        }
+    #endif /* WOLFSSL_CERT_EXT */
 
-#ifdef FREESCALE_MQX
-        reqFile = fopen("a:\\certs\\certreq.pem", "wb");
-#else
-        reqFile = fopen("./certreq.pem", "wb");
-#endif
-        if (!reqFile) {
-            free(pem);
-            free(der);
-            return -469;
+        ret = 0;
+        do {
+        #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        #endif
+            if (ret >= 0) {
+                ret = wc_SignCert(req.bodySz, req.sigType, der, FOURK_BUF,
+                          &key, NULL, &rng);
+            }
+        } while (ret == WC_PENDING_E);
+        if (ret < 0) {
+            ERROR_OUT(-7775, exit_rsa);
         }
-        ret = (int)fwrite(pem, 1, pemSz, reqFile);
-        fclose(reqFile);
-        if (ret != pemSz) {
-            free(pem);
-            free(der);
-            return -470;
+        derSz = ret;
+
+        ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, certReqDerFile,
+            certReqPemFile, CERTREQ_TYPE, -5650);
+        if (ret != 0) {
+            goto exit_rsa;
         }
 
-        free(pem);
-        free(der);
+        derSz = wc_MakeCertReq_ex(&req, der, FOURK_BUF, RSA_TYPE, &key);
+        if (derSz < 0) {
+            ERROR_OUT(-7776, exit_rsa);
+        }
+
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        pem = NULL;
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        der = NULL;
     }
 #endif /* WOLFSSL_CERT_REQ */
 #endif /* WOLFSSL_CERT_GEN */
 
+#ifdef WC_RSA_PSS
+    ret = rsa_pss_test(&rng, &key);
+#endif
+
+exit_rsa:
     wc_FreeRsaKey(&key);
-#ifdef HAVE_CAVIUM
-    wc_RsaFreeCavium(&key);
+#ifdef WOLFSSL_CERT_EXT
+    wc_FreeRsaKey(&keypub);
 #endif
-    free(tmp);
+#if defined(HAVE_NTRU)
+    wc_FreeRsaKey(&caKey);
+#endif
+
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     wc_FreeRng(&rng);
 
+    FREE_VAR(in, HEAP_HINT);
+    FREE_VAR(out, HEAP_HINT);
+    FREE_VAR(plain, HEAP_HINT);
+
+    /* ret can be greater then 0 with certgen but all negative values should
+     * be returned and treated as an error */
+    if (ret >= 0) {
+        return 0;
+    }
+    else {
+        return ret;
+    }
+}
+
+#endif /* !NO_RSA */
+
+
+#ifndef NO_DH
+
+static int dh_fips_generate_test(WC_RNG *rng)
+{
+    int    ret = 0;
+    DhKey  key;
+    static byte p[] = {
+        0xc5, 0x7c, 0xa2, 0x4f, 0x4b, 0xd6, 0x8c, 0x3c,
+        0xda, 0xc7, 0xba, 0xaa, 0xea, 0x2e, 0x5c, 0x1e,
+        0x18, 0xb2, 0x7b, 0x8c, 0x55, 0x65, 0x9f, 0xea,
+        0xe0, 0xa1, 0x36, 0x53, 0x2b, 0x36, 0xe0, 0x4e,
+        0x3e, 0x64, 0xa9, 0xe4, 0xfc, 0x8f, 0x32, 0x62,
+        0x97, 0xe4, 0xbe, 0xf7, 0xc1, 0xde, 0x07, 0x5a,
+        0x89, 0x28, 0xf3, 0xfe, 0x4f, 0xfe, 0x68, 0xbc,
+        0xfb, 0x0a, 0x7c, 0xa4, 0xb3, 0x14, 0x48, 0x89,
+        0x9f, 0xaf, 0xb8, 0x43, 0xe2, 0xa0, 0x62, 0x5c,
+        0xb4, 0x88, 0x3f, 0x06, 0x50, 0x11, 0xfe, 0x65,
+        0x8d, 0x49, 0xd2, 0xf5, 0x4b, 0x74, 0x79, 0xdb,
+        0x06, 0x62, 0x92, 0x89, 0xed, 0xda, 0xcb, 0x87,
+        0x37, 0x16, 0xd2, 0xa1, 0x7a, 0xe8, 0xde, 0x92,
+        0xee, 0x3e, 0x41, 0x4a, 0x91, 0x5e, 0xed, 0xf3,
+        0x6c, 0x6b, 0x7e, 0xfd, 0x15, 0x92, 0x18, 0xfc,
+        0xa7, 0xac, 0x42, 0x85, 0x57, 0xe9, 0xdc, 0xda,
+        0x55, 0xc9, 0x8b, 0x28, 0x9e, 0xc1, 0xc4, 0x46,
+        0x4d, 0x88, 0xed, 0x62, 0x8e, 0xdb, 0x3f, 0xb9,
+        0xd7, 0xc8, 0xe3, 0xcf, 0xb8, 0x34, 0x2c, 0xd2,
+        0x6f, 0x28, 0x06, 0x41, 0xe3, 0x66, 0x8c, 0xfc,
+        0x72, 0xff, 0x26, 0x3b, 0x6b, 0x6c, 0x6f, 0x73,
+        0xde, 0xf2, 0x90, 0x29, 0xe0, 0x61, 0x32, 0xc4,
+        0x12, 0x74, 0x09, 0x52, 0xec, 0xf3, 0x1b, 0xa6,
+        0x45, 0x98, 0xac, 0xf9, 0x1c, 0x65, 0x8e, 0x3a,
+        0x91, 0x84, 0x4b, 0x23, 0x8a, 0xb2, 0x3c, 0xc9,
+        0xfa, 0xea, 0xf1, 0x38, 0xce, 0xd8, 0x05, 0xe0,
+        0xfa, 0x44, 0x68, 0x1f, 0xeb, 0xd9, 0x57, 0xb8,
+        0x4a, 0x97, 0x5b, 0x88, 0xc5, 0xf1, 0xbb, 0xb0,
+        0x49, 0xc3, 0x91, 0x7c, 0xd3, 0x13, 0xb9, 0x47,
+        0xbb, 0x91, 0x8f, 0xe5, 0x26, 0x07, 0xab, 0xa9,
+        0xc5, 0xd0, 0x3d, 0x95, 0x41, 0x26, 0x92, 0x9d,
+        0x13, 0x67, 0xf2, 0x7e, 0x11, 0x88, 0xdc, 0x2d
+    };
+    static byte g[] = {
+        0x4a, 0x1a, 0xf3, 0xa4, 0x92, 0xe9, 0xee, 0x74,
+        0x6e, 0x57, 0xd5, 0x8c, 0x2c, 0x5b, 0x41, 0x41,
+        0x5e, 0xd4, 0x55, 0x19, 0xdc, 0xd9, 0x32, 0x91,
+        0xf7, 0xfd, 0xc2, 0x57, 0xff, 0x03, 0x14, 0xdb,
+        0xf1, 0xb7, 0x60, 0x0c, 0x43, 0x59, 0x3f, 0xff,
+        0xac, 0xf1, 0x80, 0x9a, 0x15, 0x6f, 0xd8, 0x6e,
+        0xb7, 0x85, 0x18, 0xc8, 0xec, 0x4e, 0x59, 0x4a,
+        0xe2, 0x91, 0x43, 0x4c, 0xeb, 0x95, 0xb6, 0x2e,
+        0x9a, 0xea, 0x53, 0x68, 0x80, 0x64, 0x69, 0x40,
+        0xf9, 0xec, 0xbd, 0x85, 0x89, 0x26, 0x97, 0x67,
+        0xaf, 0xb0, 0xad, 0x00, 0x1b, 0xd4, 0xfd, 0x94,
+        0xd3, 0xe9, 0x92, 0xb1, 0xb4, 0xbc, 0x5a, 0xaa,
+        0x92, 0x80, 0x89, 0x3b, 0x39, 0x05, 0x6c, 0x22,
+        0x26, 0xfe, 0x5a, 0x28, 0x6c, 0x37, 0x50, 0x5a,
+        0x38, 0x99, 0xcf, 0xf3, 0xc1, 0x96, 0x45, 0xdc,
+        0x01, 0xcb, 0x20, 0x87, 0xa5, 0x00, 0x8c, 0xf5,
+        0x4d, 0xc2, 0xef, 0xb8, 0x9b, 0xd1, 0x87, 0xbe,
+        0xed, 0xd5, 0x0a, 0x29, 0x15, 0x34, 0x59, 0x4c,
+        0x3a, 0x05, 0x22, 0x05, 0x44, 0x4f, 0x9f, 0xc8,
+        0x47, 0x12, 0x24, 0x8e, 0xa8, 0x79, 0xe4, 0x67,
+        0xba, 0x4d, 0x5b, 0x75, 0x56, 0x95, 0xeb, 0xe8,
+        0x8a, 0xfa, 0x8e, 0x01, 0x8c, 0x1b, 0x74, 0x63,
+        0xd9, 0x2f, 0xf7, 0xd3, 0x44, 0x8f, 0xa8, 0xf5,
+        0xaf, 0x6c, 0x4f, 0xdb, 0xe7, 0xc9, 0x6c, 0x71,
+        0x22, 0xa3, 0x1d, 0xf1, 0x40, 0xb2, 0xe0, 0x9a,
+        0xb6, 0x72, 0xc9, 0xc0, 0x13, 0x16, 0xa2, 0x4a,
+        0xe1, 0x92, 0xc7, 0x54, 0x23, 0xab, 0x9d, 0xa1,
+        0xa1, 0xe5, 0x0b, 0xed, 0xba, 0xe8, 0x84, 0x37,
+        0xb2, 0xe7, 0xfe, 0x32, 0x8d, 0xfa, 0x1c, 0x53,
+        0x77, 0x97, 0xc7, 0xf3, 0x48, 0xc9, 0xdb, 0x2d,
+        0x75, 0x52, 0x9d, 0x42, 0x51, 0x78, 0x62, 0x68,
+        0x05, 0x45, 0x15, 0xf8, 0xa2, 0x4e, 0xf3, 0x0b
+    };
+    static byte q[] = {
+        0xe0, 0x35, 0x37, 0xaf, 0xb2, 0x50, 0x91, 0x8e,
+        0xf2, 0x62, 0x2b, 0xd9, 0x9f, 0x6c, 0x11, 0x75,
+        0xec, 0x24, 0x5d, 0x78, 0x59, 0xe7, 0x8d, 0xb5,
+        0x40, 0x52, 0xed, 0x41
+    };
+    static byte q0[] = {
+                                                  0x00,
+        0xe0, 0x35, 0x37, 0xaf, 0xb2, 0x50, 0x91, 0x8e,
+        0xf2, 0x62, 0x2b, 0xd9, 0x9f, 0x6c, 0x11, 0x75,
+        0xec, 0x24, 0x5d, 0x78, 0x59, 0xe7, 0x8d, 0xb5,
+        0x40, 0x52, 0xed, 0x41
+    };
+    byte   priv[256];
+    byte   pub[256];
+    word32 privSz = sizeof(priv);
+    word32 pubSz = sizeof(pub);
+
+    /* Parameter Validation testing. */
+    ret = wc_DhGenerateKeyPair(NULL, rng, priv, &privSz, pub, &pubSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7777;
+    ret = wc_DhGenerateKeyPair(&key, NULL, priv, &privSz, pub, &pubSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7778;
+    ret = wc_DhGenerateKeyPair(&key, rng, NULL, &privSz, pub, &pubSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7779;
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, NULL, pub, &pubSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7780;
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, &privSz, NULL, &pubSz);
+    if (ret != BAD_FUNC_ARG)
+        return -7781;
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, &privSz, pub, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -7782;
+
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0)
+        return -7783;
+
+    ret = wc_DhSetKey_ex(&key, p, sizeof(p), g, sizeof(g), q0, sizeof(q0));
+    if (ret != 0) {
+        ERROR_OUT(-7784, exit_gen_test);
+    }
+
+    wc_FreeDhKey(&key);
+
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0)
+        return -7785;
+
+    ret = wc_DhSetKey_ex(&key, p, sizeof(p), g, sizeof(g), q, sizeof(q));
+    if (ret != 0) {
+        ERROR_OUT(-7786, exit_gen_test);
+    }
+
+    /* Use API. */
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7787, exit_gen_test);
+    }
+
+    ret = wc_DhCheckPubKey_ex(&key, pub, pubSz, q0, sizeof(q0));
+    if (ret != 0) {
+        ERROR_OUT(-7788, exit_gen_test);
+    }
+
+    wc_FreeDhKey(&key);
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0)
+        return -7789;
+
+    ret = wc_DhSetKey(&key, p, sizeof(p), g, sizeof(g));
+    if (ret != 0) {
+        ERROR_OUT(-7790, exit_gen_test);
+    }
+
+    ret = wc_DhCheckPubKey_ex(&key, pub, pubSz, q, sizeof(q));
+    if (ret != 0) {
+        ERROR_OUT(-7791, exit_gen_test);
+    }
+
+#ifndef HAVE_SELFTEST
+    ret = wc_DhCheckKeyPair(&key, pub, pubSz, priv, privSz);
+    if (ret != 0) {
+        ERROR_OUT(-7792, exit_gen_test);
+    }
+
+    /* Taint the public key so the check fails. */
+    pub[0]++;
+    ret = wc_DhCheckKeyPair(&key, pub, pubSz, priv, privSz);
+    if (ret != MP_CMP_E) {
+        ERROR_OUT(-7793, exit_gen_test);
+    }
+
+#ifdef WOLFSSL_KEY_GEN
+    wc_FreeDhKey(&key);
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0)
+        return -7794;
+
+    ret = wc_DhGenerateParams(rng, 2048, &key);
+    if (ret != 0) {
+        ERROR_OUT(-7795, exit_gen_test);
+    }
+
+    privSz = sizeof(priv);
+    pubSz = sizeof(pub);
+
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7796, exit_gen_test);
+    }
+
+#endif /* WOLFSSL_KEY_GEN */
+#endif /* HAVE_SELFTEST */
+
+    ret = 0;
+
+exit_gen_test:
+    wc_FreeDhKey(&key);
+
+    return ret;
+}
+
+static int dh_generate_test(WC_RNG *rng)
+{
+    int    ret = 0;
+    DhKey  smallKey;
+    byte   p[2] = { 0, 5 };
+    byte   g[2] = { 0, 2 };
+#ifndef WOLFSSL_SP_MATH
+#ifdef WOLFSSL_DH_CONST
+    /* the table for constant DH lookup will round to the lowest byte size 21 */
+    byte   priv[21];
+    byte   pub[21];
+#else
+    byte   priv[2];
+    byte   pub[2];
+#endif
+    word32 privSz = sizeof(priv);
+    word32 pubSz = sizeof(pub);
+#endif
+
+    ret = wc_InitDhKey_ex(&smallKey, HEAP_HINT, devId);
+    if (ret != 0)
+        return -7797;
+
+    /* Parameter Validation testing. */
+    ret = wc_InitDhKey_ex(NULL, HEAP_HINT, devId);
+    if (ret != BAD_FUNC_ARG)
+        return -7798;
+    wc_FreeDhKey(NULL);
+
+    ret = wc_DhSetKey(NULL, p, sizeof(p), g, sizeof(g));
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7799, exit_gen_test);
+    }
+    ret = wc_DhSetKey(&smallKey, NULL, sizeof(p), g, sizeof(g));
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7800, exit_gen_test);
+    }
+    ret = wc_DhSetKey(&smallKey, p, 0, g, sizeof(g));
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7801, exit_gen_test);
+    }
+    ret = wc_DhSetKey(&smallKey, p, sizeof(p), NULL, sizeof(g));
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7802, exit_gen_test);
+    }
+    ret = wc_DhSetKey(&smallKey, p, sizeof(p), g, 0);
+    if (ret != BAD_FUNC_ARG) {
+        ERROR_OUT(-7803, exit_gen_test);
+    }
+    ret = wc_DhSetKey(&smallKey, p, sizeof(p), g, sizeof(g));
+    if (ret != 0) {
+        ERROR_OUT(-7804, exit_gen_test);
+    }
+
+#ifndef WOLFSSL_SP_MATH
+    /* Use API. */
+    ret = wc_DhGenerateKeyPair(&smallKey, rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &smallKey.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ret = -7805;
+    }
+#else
+    (void)rng;
+    ret = 0;
+#endif
+
+exit_gen_test:
+    wc_FreeDhKey(&smallKey);
+
+    return ret;
+}
+
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+typedef struct dh_pubvalue_test {
+    const byte* data;
+    word32 len;
+} dh_pubvalue_test;
+
+static int dh_test_check_pubvalue(void)
+{
+    int ret;
+    word32 i;
+    const byte prime[] = {0x01, 0x00, 0x01};
+    const byte pubValZero[] = { 0x00 };
+    const byte pubValZeroLong[] = { 0x00, 0x00, 0x00 };
+    const byte pubValOne[] = { 0x01 };
+    const byte pubValOneLong[] = { 0x00, 0x00, 0x01 };
+    const byte pubValPrimeMinusOne[] = { 0x01, 0x00, 0x00 };
+    const byte pubValPrimeLong[] = {0x00, 0x01, 0x00, 0x01};
+    const byte pubValPrimePlusOne[] = { 0x01, 0x00, 0x02 };
+    const byte pubValTooBig0[] = { 0x02, 0x00, 0x01 };
+    const byte pubValTooBig1[] = { 0x01, 0x01, 0x01 };
+    const byte pubValTooLong[] = { 0x01, 0x00, 0x00, 0x01 };
+    const dh_pubvalue_test dh_pubval_fail[] = {
+        { prime, sizeof(prime) },
+        { pubValZero, sizeof(pubValZero) },
+        { pubValZeroLong, sizeof(pubValZeroLong) },
+        { pubValOne, sizeof(pubValOne) },
+        { pubValOneLong, sizeof(pubValOneLong) },
+        { pubValPrimeMinusOne, sizeof(pubValPrimeMinusOne) },
+        { pubValPrimeLong, sizeof(pubValPrimeLong) },
+        { pubValPrimePlusOne, sizeof(pubValPrimePlusOne) },
+        { pubValTooBig0, sizeof(pubValTooBig0) },
+        { pubValTooBig1, sizeof(pubValTooBig1) },
+        { pubValTooLong, sizeof(pubValTooLong) },
+    };
+    const byte pubValTwo[] = { 0x02 };
+    const byte pubValTwoLong[] = { 0x00, 0x00, 0x02 };
+    const byte pubValGood[] = { 0x12, 0x34 };
+    const byte pubValGoodLen[] = { 0x00, 0x12, 0x34 };
+    const byte pubValGoodLong[] = { 0x00, 0x00, 0x12, 0x34 };
+    const dh_pubvalue_test dh_pubval_pass[] = {
+        { pubValTwo, sizeof(pubValTwo) },
+        { pubValTwoLong, sizeof(pubValTwoLong) },
+        { pubValGood, sizeof(pubValGood) },
+        { pubValGoodLen, sizeof(pubValGoodLen) },
+        { pubValGoodLong, sizeof(pubValGoodLong) },
+    };
+
+    for (i = 0; i < sizeof(dh_pubval_fail) / sizeof(*dh_pubval_fail); i++) {
+        ret = wc_DhCheckPubValue(prime, sizeof(prime), dh_pubval_fail[i].data,
+                                                         dh_pubval_fail[i].len);
+        if (ret != MP_VAL)
+            return -7806 - (int)i;
+    }
+
+    for (i = 0; i < sizeof(dh_pubval_pass) / sizeof(*dh_pubval_pass); i++) {
+        ret = wc_DhCheckPubValue(prime, sizeof(prime), dh_pubval_pass[i].data,
+                                                         dh_pubval_pass[i].len);
+        if (ret != 0)
+            return -7816 - (int)i;
+    }
+
     return 0;
 }
+#endif
 
+#if defined(HAVE_FFDHE)
+
+#ifdef HAVE_FFDHE_3072
+    #define FFDHE_KEY_SIZE      (3072/8)
+#else
+    #define FFDHE_KEY_SIZE      (2048/8)
 #endif
 
+static int dh_test_ffdhe(WC_RNG *rng, const DhParams* params)
+{
+    int    ret;
+    word32 privSz, pubSz, privSz2, pubSz2;
+    byte   priv[FFDHE_KEY_SIZE];
+    byte   pub[FFDHE_KEY_SIZE];
+    byte   priv2[FFDHE_KEY_SIZE];
+    byte   pub2[FFDHE_KEY_SIZE];
+    byte   agree[FFDHE_KEY_SIZE];
+    byte   agree2[FFDHE_KEY_SIZE];
+    word32 agreeSz = (word32)sizeof(agree);
+    word32 agreeSz2 = (word32)sizeof(agree2);
+    DhKey  key;
+    DhKey  key2;
 
-#ifndef NO_DH
+    XMEMSET(&key, 0, sizeof(DhKey));
+    XMEMSET(&key2, 0, sizeof(DhKey));
 
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
-    #ifdef FREESCALE_MQX
-        static const char* dhKey = "a:\\certs\\dh2048.der";
-    #elif defined(NO_ASN)
-        /* don't use file, no DER parsing */
-    #else
-        static const char* dhKey = "./certs/dh2048.der";
-    #endif
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7826, done);
+    }
+    ret = wc_InitDhKey_ex(&key2, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7827, done);
+    }
+
+    ret = wc_DhSetKey(&key, params->p, params->p_len, params->g, params->g_len);
+    if (ret != 0) {
+        ERROR_OUT(-7828, done);
+    }
+
+    ret = wc_DhSetKey(&key2, params->p, params->p_len, params->g,
+                                                                 params->g_len);
+    if (ret != 0) {
+        ERROR_OUT(-7829, done);
+    }
+
+    ret = wc_DhGenerateKeyPair(&key, rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7830, done);
+    }
+
+    ret = wc_DhGenerateKeyPair(&key2, rng, priv2, &privSz2, pub2, &pubSz2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key2.asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
+    if (ret != 0) {
+        ERROR_OUT(-7831, done);
+    }
+
+    ret = wc_DhAgree(&key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7832, done);
+    }
+
+    ret = wc_DhAgree(&key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key2.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7833, done);
+    }
+
+    if (agreeSz != agreeSz2 || XMEMCMP(agree, agree2, agreeSz)) {
+        ERROR_OUT(-7834, done);
+    }
+
+done:
+    wc_FreeDhKey(&key);
+    wc_FreeDhKey(&key2);
+    return ret;
+}
+
+#endif /* HAVE_FFDHE */
 
 int dh_test(void)
 {
     int    ret;
     word32 bytes;
-    word32 idx = 0, privSz, pubSz, privSz2, pubSz2, agreeSz, agreeSz2;
+    word32 idx = 0, privSz, pubSz, privSz2, pubSz2;
     byte   tmp[1024];
+#if !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
     byte   priv[256];
     byte   pub[256];
     byte   priv2[256];
     byte   pub2[256];
     byte   agree[256];
     byte   agree2[256];
+#else
+    byte   priv[512];
+    byte   pub[512];
+    byte   priv2[512];
+    byte   pub2[512];
+    byte   agree[512];
+    byte   agree2[512];
+#endif
+    word32 agreeSz = (word32)sizeof(agree);
+    word32 agreeSz2 = (word32)sizeof(agree2);
     DhKey  key;
     DhKey  key2;
-    RNG    rng;
+    WC_RNG rng;
+    int keyInit = 0;
 
 #ifdef USE_CERT_BUFFERS_1024
-    XMEMCPY(tmp, dh_key_der_1024, sizeof_dh_key_der_1024);
-    bytes = sizeof_dh_key_der_1024;
+    XMEMCPY(tmp, dh_key_der_1024, (size_t)sizeof_dh_key_der_1024);
+    bytes = (size_t)sizeof_dh_key_der_1024;
 #elif defined(USE_CERT_BUFFERS_2048)
-    XMEMCPY(tmp, dh_key_der_2048, sizeof_dh_key_der_2048);
-    bytes = sizeof_dh_key_der_2048;
+    XMEMCPY(tmp, dh_key_der_2048, (size_t)sizeof_dh_key_der_2048);
+    bytes = (size_t)sizeof_dh_key_der_2048;
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, dh_key_der_3072, (size_t)sizeof_dh_key_der_3072);
+    bytes = (size_t)sizeof_dh_key_der_3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, dh_key_der_4096, (size_t)sizeof_dh_key_der_4096);
+    bytes = (size_t)sizeof_dh_key_der_4096;
 #elif defined(NO_ASN)
     /* don't use file, no DER parsing */
-#else
-    FILE*  file = fopen(dhKey, "rb");
-
+#elif !defined(NO_FILESYSTEM)
+    XFILE  file = XFOPEN(dhKey, "rb");
     if (!file)
-        return -50;
+        return -7900;
 
-    bytes = (word32) fread(tmp, 1, sizeof(tmp), file);
-    fclose(file);
+    bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), file);
+    XFCLOSE(file);
+#else
+    /* No DH key to use. */
+    return -7901;
 #endif /* USE_CERT_BUFFERS */
 
     (void)idx;
     (void)tmp;
     (void)bytes;
 
-    wc_InitDhKey(&key);
-    wc_InitDhKey(&key2);
+    /* Use API for coverage. */
+    ret = wc_InitDhKey(&key);
+    if (ret != 0) {
+        ERROR_OUT(-7902, done);
+    }
+    wc_FreeDhKey(&key);
+
+    ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7903, done);
+    }
+    keyInit = 1;
+    ret = wc_InitDhKey_ex(&key2, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-7904, done);
+    }
+
 #ifdef NO_ASN
     ret = wc_DhSetKey(&key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
-    if (ret != 0)
-        return -51;
+    if (ret != 0) {
+        ERROR_OUT(-7905, done);
+    }
 
     ret = wc_DhSetKey(&key2, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g));
-    if (ret != 0)
-        return -51;
+    if (ret != 0) {
+        ERROR_OUT(-7906, done);
+    }
 #else
     ret = wc_DhKeyDecode(tmp, &idx, &key, bytes);
-    if (ret != 0)
-        return -51;
+    if (ret != 0) {
+        ERROR_OUT(-7907, done);
+    }
 
     idx = 0;
     ret = wc_DhKeyDecode(tmp, &idx, &key2, bytes);
-    if (ret != 0)
-        return -52;
+    if (ret != 0) {
+        ERROR_OUT(-7908, done);
+    }
 #endif
 
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
     ret = wc_InitRng(&rng);
-    if (ret != 0)
-        return -53;
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7909, done);
+    }
 
-    ret =  wc_DhGenerateKeyPair(&key, &rng, priv, &privSz, pub, &pubSz);
-    ret += wc_DhGenerateKeyPair(&key2, &rng, priv2, &privSz2, pub2, &pubSz2);
-    if (ret != 0)
-        return -54;
+    ret = wc_DhGenerateKeyPair(&key, &rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7910, done);
+    }
 
-    ret =  wc_DhAgree(&key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
-    ret += wc_DhAgree(&key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
-    if (ret != 0)
-        return -55;
+    ret = wc_DhGenerateKeyPair(&key2, &rng, priv2, &privSz2, pub2, &pubSz2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key2.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7911, done);
+    }
+
+    ret = wc_DhAgree(&key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7912, done);
+    }
+
+    ret = wc_DhAgree(&key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key2.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-7913, done);
+    }
+
+    if (agreeSz != agreeSz2 || XMEMCMP(agree, agree2, agreeSz)) {
+        ERROR_OUT(-7914, done);
+    }
+
+#if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+    if (wc_DhCheckPrivKey(NULL, NULL, 0) != BAD_FUNC_ARG)
+        return -7915;
+
+    if (wc_DhCheckPrivKey(&key, priv, privSz) != 0)
+        return -7916;
+
+    if (wc_DhExportParamsRaw(NULL, NULL, NULL, NULL, NULL, NULL, NULL) != BAD_FUNC_ARG)
+        return -7917;
+    {
+        word32 pSz, qSz, gSz;
+        if (wc_DhExportParamsRaw(&key, NULL, &pSz, NULL, &qSz, NULL, &gSz) != LENGTH_ONLY_E)
+            return -7918;
+    }
+#endif
 
-    if (memcmp(agree, agree2, agreeSz))
-        return -56;
+    ret = dh_generate_test(&rng);
+    if (ret == 0)
+        ret = dh_fips_generate_test(&rng);
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+    if (ret == 0)
+        ret = dh_test_check_pubvalue();
+#endif
+
+    /* Specialized code for key gen when using FFDHE-2048 and FFDHE-3072. */
+    #ifdef HAVE_FFDHE_2048
+    if (ret == 0) {
+        ret = dh_test_ffdhe(&rng, wc_Dh_ffdhe2048_Get());
+        if (ret != 0)
+            printf("error with FFDHE 2048\n");
+    }
+    #endif
+    #ifdef HAVE_FFDHE_3072
+    if (ret == 0) {
+        ret = dh_test_ffdhe(&rng, wc_Dh_ffdhe3072_Get());
+        if (ret != 0)
+            printf("error with FFDHE 3072\n");
+    }
+    #endif
 
     wc_FreeDhKey(&key);
+    keyInit = 0;
+
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
+    !defined(WOLFSSL_OLD_PRIME_CHECK)
+    if (ret == 0) {
+        /* Test Check Key */
+        ret = wc_DhSetCheckKey(&key, dh_p, sizeof(dh_p), dh_g, sizeof(dh_g),
+            NULL, 0, 0, &rng);
+        keyInit = 1; /* DhSetCheckKey also initializes the key, free it */
+    }
+#endif
+
+done:
+
+    if (keyInit)
+        wc_FreeDhKey(&key);
     wc_FreeDhKey(&key2);
     wc_FreeRng(&rng);
 
-    return 0;
+    return ret;
 }
 
 #endif /* NO_DH */
@@ -4337,14 +14546,6 @@ int dh_test(void)
 
 #ifndef NO_DSA
 
-#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
-    #ifdef FREESCALE_MQX
-        static const char* dsaKey = "a:\\certs\\dsa2048.der";
-    #else
-        static const char* dsaKey = "./certs/dsa2048.der";
-    #endif
-#endif
-
 int dsa_test(void)
 {
     int    ret, answer;
@@ -4352,12 +14553,11 @@ int dsa_test(void)
     word32 idx = 0;
     byte   tmp[1024];
     DsaKey key;
-    RNG    rng;
-    Sha    sha;
-    byte   hash[SHA_DIGEST_SIZE];
+    WC_RNG rng;
+    wc_Sha sha;
+    byte   hash[WC_SHA_DIGEST_SIZE];
     byte   signature[40];
 
-
 #ifdef USE_CERT_BUFFERS_1024
     XMEMCPY(tmp, dsa_key_der_1024, sizeof_dsa_key_der_1024);
     bytes = sizeof_dsa_key_der_1024;
@@ -4365,66 +14565,1075 @@ int dsa_test(void)
     XMEMCPY(tmp, dsa_key_der_2048, sizeof_dsa_key_der_2048);
     bytes = sizeof_dsa_key_der_2048;
 #else
-    FILE*  file = fopen(dsaKey, "rb");
-
+    XFILE  file = XFOPEN(dsaKey, "rb");
     if (!file)
-        return -60;
+        return -8000;
 
-    bytes = (word32) fread(tmp, 1, sizeof(tmp), file);
-    fclose(file);
+    bytes = (word32) XFREAD(tmp, 1, sizeof(tmp), file);
+    XFCLOSE(file);
 #endif /* USE_CERT_BUFFERS */
 
-    ret = wc_InitSha(&sha);
+    ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
     if (ret != 0)
-        return -4002;
+        return -8001;
     wc_ShaUpdate(&sha, tmp, bytes);
     wc_ShaFinal(&sha, hash);
+    wc_ShaFree(&sha);
+
+    ret = wc_InitDsaKey(&key);
+    if (ret != 0) return -8002;
 
-    wc_InitDsaKey(&key);
     ret = wc_DsaPrivateKeyDecode(tmp, &idx, &key, bytes);
-    if (ret != 0) return -61;
+    if (ret != 0) return -8003;
 
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
     ret = wc_InitRng(&rng);
-    if (ret != 0) return -62;
+#endif
+    if (ret != 0) return -8004;
 
     ret = wc_DsaSign(hash, signature, &key, &rng);
-    if (ret != 0) return -63;
+    if (ret != 0) return -8005;
 
     ret = wc_DsaVerify(hash, signature, &key, &answer);
-    if (ret != 0) return -64;
-    if (answer != 1) return -65;
+    if (ret != 0) return -8006;
+    if (answer != 1) return -8007;
 
     wc_FreeDsaKey(&key);
-    wc_FreeRng(&rng);
 
+#ifdef WOLFSSL_KEY_GEN
+    {
+    byte*  der;
+    byte*  pem;
+    int    derSz = 0;
+    DsaKey derIn;
+    DsaKey genKey;
+
+    ret = wc_InitDsaKey(&genKey);
+    if (ret != 0) return -8008;
+
+    ret = wc_MakeDsaParameters(&rng, 1024, &genKey);
+    if (ret != 0) {
+        wc_FreeDsaKey(&genKey);
+        return -8009;
+    }
+
+    ret = wc_MakeDsaKey(&rng, &genKey);
+    if (ret != 0) {
+        wc_FreeDsaKey(&genKey);
+        return -8010;
+    }
+
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        wc_FreeDsaKey(&genKey);
+        return -8011;
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_FreeDsaKey(&genKey);
+        return -8012;
+    }
+
+    derSz = wc_DsaKeyToDer(&genKey, der, FOURK_BUF);
+    if (derSz < 0) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -8013;
+    }
+
+    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, keyDerFile,
+            keyPemFile, DSA_PRIVATEKEY_TYPE, -5814);
+    if (ret != 0) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_FreeDsaKey(&genKey);
+        return ret;
+    }
+
+    ret = wc_InitDsaKey(&derIn);
+    if (ret != 0) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_FreeDsaKey(&genKey);
+        return -8014;
+    }
+
+    idx = 0;
+    ret = wc_DsaPrivateKeyDecode(der, &idx, &derIn, derSz);
+    if (ret != 0) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_FreeDsaKey(&derIn);
+        wc_FreeDsaKey(&genKey);
+        return -8015;
+    }
+
+    wc_FreeDsaKey(&derIn);
+    wc_FreeDsaKey(&genKey);
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif /* WOLFSSL_KEY_GEN */
+
+    if (wc_InitDsaKey_h(&key, NULL) != 0)
+        return -8016;
+
+    wc_FreeRng(&rng);
     return 0;
 }
 
 #endif /* NO_DSA */
 
+#ifdef WOLFCRYPT_HAVE_SRP
 
-#ifdef OPENSSL_EXTRA
+static int generate_random_salt(byte *buf, word32 size)
+{
+    int ret = -8017;
+    WC_RNG rng;
+
+    if(NULL == buf || !size)
+        return -8018;
+
+    if (buf && size && wc_InitRng_ex(&rng, HEAP_HINT, devId) == 0) {
+        ret = wc_RNG_GenerateBlock(&rng, (byte *)buf, size);
+
+        wc_FreeRng(&rng);
+    }
+
+    return ret;
+}
+
+int srp_test(void)
+{
+    Srp cli, srv;
+    int r;
+
+    byte clientPubKey[80]; /* A */
+    byte serverPubKey[80]; /* B */
+    word32 clientPubKeySz = 80;
+    word32 serverPubKeySz = 80;
+    byte clientProof[SRP_MAX_DIGEST_SIZE]; /* M1 */
+    byte serverProof[SRP_MAX_DIGEST_SIZE]; /* M2 */
+    word32 clientProofSz = SRP_MAX_DIGEST_SIZE;
+    word32 serverProofSz = SRP_MAX_DIGEST_SIZE;
+
+    byte username[] = "user";
+    word32 usernameSz = 4;
+
+    byte password[] = "password";
+    word32 passwordSz = 8;
+
+    byte N[] = {
+        0xC9, 0x4D, 0x67, 0xEB, 0x5B, 0x1A, 0x23, 0x46, 0xE8, 0xAB, 0x42, 0x2F,
+        0xC6, 0xA0, 0xED, 0xAE, 0xDA, 0x8C, 0x7F, 0x89, 0x4C, 0x9E, 0xEE, 0xC4,
+        0x2F, 0x9E, 0xD2, 0x50, 0xFD, 0x7F, 0x00, 0x46, 0xE5, 0xAF, 0x2C, 0xF7,
+        0x3D, 0x6B, 0x2F, 0xA2, 0x6B, 0xB0, 0x80, 0x33, 0xDA, 0x4D, 0xE3, 0x22,
+        0xE1, 0x44, 0xE7, 0xA8, 0xE9, 0xB1, 0x2A, 0x0E, 0x46, 0x37, 0xF6, 0x37,
+        0x1F, 0x34, 0xA2, 0x07, 0x1C, 0x4B, 0x38, 0x36, 0xCB, 0xEE, 0xAB, 0x15,
+        0x03, 0x44, 0x60, 0xFA, 0xA7, 0xAD, 0xF4, 0x83
+    };
+
+    byte g[] = {
+        0x02
+    };
+
+    byte salt[10];
+
+    byte verifier[80];
+    word32 v_size = sizeof(verifier);
+
+    /* set as 0's so if second init on srv not called SrpTerm is not on
+     * garbage values */
+    XMEMSET(&srv, 0, sizeof(Srp));
+    XMEMSET(&cli, 0, sizeof(Srp));
+
+    /* generating random salt */
+
+    r = generate_random_salt(salt, sizeof(salt));
+
+    /* client knows username and password.   */
+    /* server knows N, g, salt and verifier. */
+
+    if (!r) r = wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE);
+    if (!r) r = wc_SrpSetUsername(&cli, username, usernameSz);
+
+    /* loading N, g and salt in advance to generate the verifier. */
+
+    if (!r) r = wc_SrpSetParams(&cli, N,    sizeof(N),
+                                      g,    sizeof(g),
+                                      salt, sizeof(salt));
+    if (!r) r = wc_SrpSetPassword(&cli, password, passwordSz);
+    if (!r) r = wc_SrpGetVerifier(&cli, verifier, &v_size);
+
+    /* client sends username to server */
+
+    if (!r) r = wc_SrpInit(&srv, SRP_TYPE_SHA, SRP_SERVER_SIDE);
+    if (!r) r = wc_SrpSetUsername(&srv, username, usernameSz);
+    if (!r) r = wc_SrpSetParams(&srv, N,    sizeof(N),
+                                      g,    sizeof(g),
+                                      salt, sizeof(salt));
+    if (!r) r = wc_SrpSetVerifier(&srv, verifier, v_size);
+    if (!r) r = wc_SrpGetPublic(&srv, serverPubKey, &serverPubKeySz);
+
+    /* server sends N, g, salt and B to client */
+
+    if (!r) r = wc_SrpGetPublic(&cli, clientPubKey, &clientPubKeySz);
+    if (!r) r = wc_SrpComputeKey(&cli, clientPubKey, clientPubKeySz,
+                                       serverPubKey, serverPubKeySz);
+    if (!r) r = wc_SrpGetProof(&cli, clientProof, &clientProofSz);
+
+    /* client sends A and M1 to server */
+
+    if (!r) r = wc_SrpComputeKey(&srv, clientPubKey, clientPubKeySz,
+                                       serverPubKey, serverPubKeySz);
+    if (!r) r = wc_SrpVerifyPeersProof(&srv, clientProof, clientProofSz);
+    if (!r) r = wc_SrpGetProof(&srv, serverProof, &serverProofSz);
+
+    /* server sends M2 to client */
+
+    if (!r) r = wc_SrpVerifyPeersProof(&cli, serverProof, serverProofSz);
+
+    wc_SrpTerm(&cli);
+    wc_SrpTerm(&srv);
+
+    return r;
+}
+
+#endif /* WOLFCRYPT_HAVE_SRP */
+
+#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
+
+#if !defined(NO_AES) && !defined(WOLFCRYPT_ONLY)
+static int openssl_aes_test(void)
+{
+#ifdef HAVE_AES_CBC
+#ifdef WOLFSSL_AES_128
+    {
+        /* EVP_CipherUpdate test */
+        const byte cbcPlain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+
+        byte key[] = "0123456789abcdef   ";  /* align */
+        byte iv[]  = "1234567890abcdef   ";  /* align */
+
+        byte cipher[AES_BLOCK_SIZE * 4];
+        byte plain [AES_BLOCK_SIZE * 4];
+        EVP_CIPHER_CTX en;
+        EVP_CIPHER_CTX de;
+        int outlen ;
+        int total = 0;
+        int i;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8200;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                    (byte*)cbcPlain, 9) == 0)
+            return -8201;
+        if (outlen != 0)
+            return -8202;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&en, (byte*)&cipher[total], &outlen,
+                    (byte*)&cbcPlain[9]  , 9) == 0)
+            return -8203;
+        if (outlen != 16)
+            return -8204;
+        total += outlen;
+
+        if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) == 0)
+            return -8205;
+        if (outlen != 16)
+            return -8206;
+        total += outlen;
+        if (total != 32)
+            return 3408;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8207;
+
+        if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
+            return -8208;
+        if (outlen != 0)
+            return -8209;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                    (byte*)&cipher[6], 12) == 0)
+            return -8210;
+        if (outlen != 0)
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                    (byte*)&cipher[6+12], 14) == 0)
+            return -8211;
+        if (outlen != 16)
+            return -8212;
+        total += outlen;
+
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) == 0)
+            return -8213;
+        if (outlen != 2)
+            return -8214;
+        total += outlen;
+
+        if (total != 18)
+            return 3427;
+
+        if (XMEMCMP(plain, cbcPlain, 18))
+            return -8215;
+
+        /* test with encrypting/decrypting more than 16 bytes at once */
+        total = 0;
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8216;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                    (byte*)cbcPlain, 17) == 0)
+            return -8217;
+        if (outlen != 16)
+            return -8218;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&en, (byte*)&cipher[total], &outlen,
+                    (byte*)&cbcPlain[17]  , 1) == 0)
+            return -8219;
+        if (outlen != 0)
+            return -8220;
+        total += outlen;
+
+        if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) == 0)
+            return -8221;
+        if (outlen != 16)
+            return -8222;
+        total += outlen;
+        if (total != 32)
+            return -8223;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8224;
+
+        if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher, 17) == 0)
+            return -8225;
+        if (outlen != 16)
+            return -8226;
+        total += outlen;
+
+        /* final call on non block size should fail */
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) != 0)
+            return -8227;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                    (byte*)&cipher[17], 1) == 0)
+            return -8228;
+        if (outlen != 0)
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                    (byte*)&cipher[17+1], 14) == 0)
+            return -8229;
+        if (outlen != 0)
+            return -8230;
+        total += outlen;
+
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) == 0)
+            return -8231;
+        if (outlen != 2)
+            return -8232;
+        total += outlen;
+
+        if (total != 18)
+            return -8233;
+
+        if (XMEMCMP(plain, cbcPlain, 18))
+            return -8234;
+
+        /* test byte by byte decrypt */
+        for (i = 0; i < AES_BLOCK_SIZE * 3; i++) {
+            plain[i] = i;
+        }
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8235;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                    (byte*)plain, AES_BLOCK_SIZE * 3) == 0)
+            return -8236;
+        if (outlen != AES_BLOCK_SIZE * 3)
+            return -8237;
+        total += outlen;
+
+        if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) == 0)
+            return -8238;
+        if (outlen != AES_BLOCK_SIZE)
+            return -8239;
+        total += outlen;
+        if (total != sizeof(plain))
+            return -8240;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8241;
+
+        for (i = 0; i < AES_BLOCK_SIZE * 4; i++) {
+            if (EVP_CipherUpdate(&de, (byte*)plain + total, &outlen,
+                        (byte*)cipher + i, 1) == 0)
+                return -8242;
+
+            if (outlen > 0) {
+                int j;
+
+                total += outlen;
+                for (j = 0; j < total; j++) {
+                    if (plain[j] != j) {
+                        return -8243;
+                    }
+                }
+            }
+        }
+
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) == 0)
+            return -8244;
+        total += outlen;
+        if (total != AES_BLOCK_SIZE * 3) {
+            return -8245;
+        }
+        for (i = 0; i < AES_BLOCK_SIZE * 3; i++) {
+            if (plain[i] != i) {
+                return -8246;
+            }
+        }
+    }
+
+    /* set buffers to be exact size to catch potential over read/write */
+    {
+        /* EVP_CipherUpdate test */
+        const byte cbcPlain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+
+        byte key[] = "0123456789abcdef   ";  /* align */
+        byte iv[]  = "1234567890abcdef   ";  /* align */
+
+        #define EVP_TEST_BUF_SZ 18
+        #define EVP_TEST_BUF_PAD 32
+        byte cipher[EVP_TEST_BUF_SZ];
+        byte plain [EVP_TEST_BUF_SZ];
+        byte padded[EVP_TEST_BUF_PAD];
+        EVP_CIPHER_CTX en;
+        EVP_CIPHER_CTX de;
+        int outlen ;
+        int total = 0;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8247;
+        if (EVP_CIPHER_CTX_set_padding(&en, 0) != 1)
+            return -8248;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                    (byte*)cbcPlain, EVP_TEST_BUF_SZ) == 0)
+            return -8249;
+        if (outlen != 16)
+            return -8250;
+        total += outlen;
+
+        /* should fail here */
+        if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) != 0)
+            return -8251;
+
+        /* turn padding back on and do successful encrypt */
+        total = 0;
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8252;
+        if (EVP_CIPHER_CTX_set_padding(&en, 1) != 1)
+            return -8253;
+        if (EVP_CipherUpdate(&en, (byte*)padded, &outlen,
+                    (byte*)cbcPlain, EVP_TEST_BUF_SZ) == 0)
+            return -8254;
+        if (outlen != 16)
+            return -8255;
+        total += outlen;
+
+        if (EVP_CipherFinal(&en, (byte*)&padded[total], &outlen) == 0)
+            return -8256;
+        total += outlen;
+        if (total != 32)
+            return -8257;
+        XMEMCPY(cipher, padded, EVP_TEST_BUF_SZ);
+
+        /* test out of bounds read on buffers w/o padding during decryption */
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8258;
+
+        if (EVP_CIPHER_CTX_set_padding(&de, 0) != 1)
+            return -8259;
+        if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher,
+                    EVP_TEST_BUF_SZ) == 0)
+            return -8260;
+        if (outlen != 16)
+            return -8261;
+        total += outlen;
+
+        /* should fail since not using padding */
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) != 0)
+            return -8262;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8263;
+        if (EVP_CIPHER_CTX_set_padding(&de, 1) != 1)
+            return -8264;
+        if (EVP_CipherUpdate(&de, (byte*)padded, &outlen, (byte*)padded,
+                    EVP_TEST_BUF_PAD) == 0)
+            return -8265;
+        if (outlen != 16)
+            return -8266;
+        total += outlen;
+
+        if (EVP_CipherFinal(&de, (byte*)&padded[total], &outlen) == 0)
+            return -8267;
+        if (XMEMCMP(padded, cbcPlain, EVP_TEST_BUF_SZ))
+            return -8268;
+    }
+
+    {  /* evp_cipher test: EVP_aes_128_cbc */
+        EVP_CIPHER_CTX ctx;
+
+        const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
+            0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
+            0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
+            0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
+        };
+
+        const byte verify[] =
+        {
+            0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
+            0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb
+        };
+
+        byte key[] = "0123456789abcdef   ";  /* align */
+        byte iv[]  = "1234567890abcdef   ";  /* align */
+
+        byte cipher[AES_BLOCK_SIZE * 4];
+        byte plain [AES_BLOCK_SIZE * 4];
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 1) == 0)
+            return -8269;
+
+        if (EVP_Cipher(&ctx, cipher, (byte*)msg, 16) == 0)
+            return -8270;
+
+        if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+            return -8271;
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 0) == 0)
+            return -8272;
+
+        if (EVP_Cipher(&ctx, plain, cipher, 16) == 0)
+            return -8273;
+
+        if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+            return -8274;
+
+
+    }  /* end evp_cipher test: EVP_aes_128_cbc*/
+#endif /* WOLFSSL_AES_128 */
+#endif /* HAVE_AES_CBC */
+
+#if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256)
+    {  /* evp_cipher test: EVP_aes_256_ecb*/
+        EVP_CIPHER_CTX ctx;
+        const byte msg[] =
+        {
+          0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+          0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+        };
+
+        const byte verify[] =
+        {
+            0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
+            0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
+        };
+
+        const byte key[] =
+        {
+          0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+          0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+          0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+          0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
+
+
+        byte cipher[AES_BLOCK_SIZE * 4];
+        byte plain [AES_BLOCK_SIZE * 4];
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 1) == 0)
+            return -8275;
+
+        if (EVP_Cipher(&ctx, cipher, (byte*)msg, 16) == 0)
+            return -8276;
+
+        if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+            return -8277;
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key, NULL, 0) == 0)
+            return -8278;
+
+        if (EVP_Cipher(&ctx, plain, cipher, 16) == 0)
+            return -8279;
+
+        if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+            return -8280;
+
+    }  /* end evp_cipher test */
+#endif /* HAVE_AES_ECB && WOLFSSL_AES_256 */
+
+#if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
+    /* enable HAVE_AES_DECRYPT for AES_encrypt/decrypt */
+    {
+        /* Test: AES_encrypt/decrypt/set Key */
+        AES_KEY enc;
+        #ifdef HAVE_AES_DECRYPT
+        AES_KEY dec;
+        #endif
+
+        const byte msg[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+        };
+
+        const byte verify[] =
+        {
+            0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
+            0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
+        };
+
+        const byte key[] =
+        {
+            0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+            0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+            0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+            0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
+
+        byte plain[sizeof(msg)];
+        byte cipher[sizeof(msg)];
+
+        AES_set_encrypt_key(key, sizeof(key)*8, &enc);
+        AES_set_decrypt_key(key,  sizeof(key)*8, &dec);
+
+        AES_encrypt(msg, cipher, &enc);
+
+        #ifdef HAVE_AES_DECRYPT
+        AES_decrypt(cipher, plain, &dec);
+        if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+            return -8281;
+        #endif /* HAVE_AES_DECRYPT */
+
+        if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+            return -8282;
+    }
+#endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
+
+/* EVP_Cipher with EVP_aes_xxx_ctr() */
+#ifdef WOLFSSL_AES_COUNTER
+    {
+        byte plainBuff [64];
+        byte cipherBuff[64];
+
+#ifdef WOLFSSL_AES_128
+        const byte ctrKey[] =
+        {
+            0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
+            0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+        };
+
+        const byte ctrIv[] =
+        {
+            0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+            0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+        };
+
+
+        const byte ctrPlain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+
+        const byte ctrCipher[] =
+        {
+            0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
+            0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
+            0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff,
+            0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff,
+            0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e,
+            0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab,
+            0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
+            0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
+        };
+
+        const byte oddCipher[] =
+        {
+            0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
+            0xc2
+        };
+#endif
+
+        /* test vector from "Recommendation for Block Cipher Modes of Operation"
+         * NIST Special Publication 800-38A */
+#ifdef WOLFSSL_AES_192
+        const byte ctr192Key[] =
+        {
+            0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
+            0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
+            0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
+        };
+
+        const byte ctr192Iv[] =
+        {
+            0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+            0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+        };
+
+
+        const byte ctr192Plain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+        };
+
+        const byte ctr192Cipher[] =
+        {
+            0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
+            0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b
+        };
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        /* test vector from "Recommendation for Block Cipher Modes of Operation"
+         * NIST Special Publication 800-38A */
+        const byte ctr256Key[] =
+        {
+            0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+            0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+            0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+            0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
+
+        const byte ctr256Iv[] =
+        {
+            0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+            0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+        };
+
+
+        const byte ctr256Plain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+        };
+
+        const byte ctr256Cipher[] =
+        {
+            0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
+            0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28
+        };
+#endif /* WOLFSSL_AES_256 */
+
+        EVP_CIPHER_CTX en;
+        EVP_CIPHER_CTX de;
+#ifdef WOLFSSL_AES_128
+        EVP_CIPHER_CTX *p_en;
+        EVP_CIPHER_CTX *p_de;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_ctr(),
+                (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8283;
+        if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain,
+                    AES_BLOCK_SIZE*4) == 0)
+            return -8284;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_ctr(),
+                (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8285;
+
+        if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                    AES_BLOCK_SIZE*4) == 0)
+            return -8286;
+
+        if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
+            return -8287;
+        if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
+            return -8288;
+
+        p_en = wolfSSL_EVP_CIPHER_CTX_new();
+        if (p_en == NULL)
+            return -8289;
+        p_de = wolfSSL_EVP_CIPHER_CTX_new();
+        if (p_de == NULL)
+            return -8290;
+
+        if (EVP_CipherInit(p_en, EVP_aes_128_ctr(),
+                (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8291;
+        if (EVP_Cipher(p_en, (byte*)cipherBuff, (byte*)ctrPlain,
+                    AES_BLOCK_SIZE*4) == 0)
+            return -8292;
+        if (EVP_CipherInit(p_de, EVP_aes_128_ctr(),
+                (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8293;
+
+        if (EVP_Cipher(p_de, (byte*)plainBuff, (byte*)cipherBuff,
+                    AES_BLOCK_SIZE*4) == 0)
+            return -8294;
+
+        wolfSSL_EVP_CIPHER_CTX_free(p_en);
+        wolfSSL_EVP_CIPHER_CTX_free(p_de);
+
+        if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
+            return -8295;
+        if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
+            return -8296;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8297;
+        if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0)
+            return -8298;
+
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+            return -8299;
+
+        if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0)
+            return -8300;
+
+        if (XMEMCMP(plainBuff, ctrPlain, 9))
+            return -8301;
+        if (XMEMCMP(cipherBuff, ctrCipher, 9))
+            return -8302;
+
+        if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0)
+            return -8303;
+        if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0)
+            return -8304;
+
+        if (XMEMCMP(plainBuff, ctrPlain, 9))
+            return -8305;
+        if (XMEMCMP(cipherBuff, oddCipher, 9))
+            return -8306;
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_192_ctr(),
+                (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
+            return -8307;
+        if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr192Plain,
+                    AES_BLOCK_SIZE) == 0)
+            return -8308;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_192_ctr(),
+            (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
+            return -8309;
+
+        XMEMSET(plainBuff, 0, sizeof(plainBuff));
+        if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                    AES_BLOCK_SIZE) == 0)
+            return -8310;
+
+        if (XMEMCMP(plainBuff, ctr192Plain, sizeof(ctr192Plain)))
+            return -8311;
+        if (XMEMCMP(ctr192Cipher, cipherBuff, sizeof(ctr192Cipher)))
+            return -8312;
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_256_ctr(),
+            (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
+            return -8313;
+        if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr256Plain,
+                    AES_BLOCK_SIZE) == 0)
+            return -8314;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_256_ctr(),
+            (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
+            return -8315;
+
+        XMEMSET(plainBuff, 0, sizeof(plainBuff));
+        if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                    AES_BLOCK_SIZE) == 0)
+            return -8316;
+
+        if (XMEMCMP(plainBuff, ctr256Plain, sizeof(ctr256Plain)))
+            return -8317;
+        if (XMEMCMP(ctr256Cipher, cipherBuff, sizeof(ctr256Cipher)))
+            return -8318;
+#endif /* WOLFSSL_AES_256 */
+    }
+#endif /* HAVE_AES_COUNTER */
+
+#if defined(WOLFSSL_AES_CFB) && defined(WOLFSSL_AES_128)
+    {
+        AES_KEY enc;
+        AES_KEY dec;
+
+        const byte setIv[] = {
+            0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+            0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
+        };
+
+        const byte key[] =
+        {
+            0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
+            0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+        };
+
+        const byte cipher1[] =
+        {
+            0x3b,0x3f,0xd9,0x2e,0xb7,0x2d,0xad,0x20,
+            0x33,0x34,0x49,0xf8,0xe8,0x3c,0xfb,0x4a,
+            0xc8,0xa6,0x45,0x37,0xa0,0xb3,0xa9,0x3f,
+            0xcd,0xe3,0xcd,0xad,0x9f,0x1c,0xe5,0x8b
+        };
+
+        const byte msg[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51
+        };
+
+        byte cipher[AES_BLOCK_SIZE * 2];
+        byte iv[AES_BLOCK_SIZE]; /* iv buffer is updeated by API */
+        int  num = 0;
+
+        XMEMCPY(iv, setIv, sizeof(setIv));
+        wolfSSL_AES_set_encrypt_key(key, sizeof(key) * 8, &enc);
+        wolfSSL_AES_set_encrypt_key(key, sizeof(key) * 8, &dec);
+
+        wolfSSL_AES_cfb128_encrypt(msg, cipher, AES_BLOCK_SIZE - 1, &enc, iv,
+                &num, AES_ENCRYPT);
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE - 1))
+            return -8319;
+
+        if (num != 15) /* should have used 15 of the 16 bytes */
+            return -8320;
+
+        wolfSSL_AES_cfb128_encrypt(msg + AES_BLOCK_SIZE - 1,
+                cipher + AES_BLOCK_SIZE - 1, AES_BLOCK_SIZE + 1, &enc, iv,
+                &num, AES_ENCRYPT);
+
+        if (XMEMCMP(cipher, cipher1, AES_BLOCK_SIZE * 2))
+            return -8321;
+
+        if (num != 0)
+            return -8322;
+    }
+#endif /* WOLFSSL_AES_CFB && WOLFSSL_AES_128 */
+    return 0;
+}
+
+
+#endif /* !defined(NO_AES) && !defined(WOLFCRYPT_ONLY) */
 
 int openssl_test(void)
 {
     EVP_MD_CTX md_ctx;
     testVector a, b, c, d, e, f;
-    byte       hash[SHA256_DIGEST_SIZE*2];  /* max size */
+    byte       hash[WC_SHA256_DIGEST_SIZE*2];  /* max size */
+
+    a.inLen = 0;
+    b.inLen = c.inLen = d.inLen = e.inLen = f.inLen = a.inLen;
 
     (void)a;
     (void)b;
     (void)c;
+    (void)d;
     (void)e;
     (void)f;
 
+    /* test malloc / free , 10 is an arbitrary amount of memory chosen */
+    {
+        byte* p;
+        p = (byte*)CRYPTO_malloc(10, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        if (p == NULL) {
+            return -8400;
+        }
+        XMEMSET(p, 0, 10);
+        #ifdef WOLFSSL_QT
+            CRYPTO_free(p);
+        #else
+            CRYPTO_free(p, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        #endif
+    }
+
 #ifndef NO_MD5
 
     a.input  = "1234567890123456789012345678901234567890123456789012345678"
                "9012345678901234567890";
     a.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6"
                "\x7a";
-    a.inLen  = strlen(a.input);
-    a.outLen = MD5_DIGEST_SIZE;
+    a.inLen  = XSTRLEN(a.input);
+    a.outLen = WC_MD5_DIGEST_SIZE;
 
     EVP_MD_CTX_init(&md_ctx);
     EVP_DigestInit(&md_ctx, EVP_md5());
@@ -4432,8 +15641,8 @@ int openssl_test(void)
     EVP_DigestUpdate(&md_ctx, a.input, (unsigned long)a.inLen);
     EVP_DigestFinal(&md_ctx, hash, 0);
 
-    if (memcmp(hash, a.output, MD5_DIGEST_SIZE) != 0)
-        return -71;
+    if (XMEMCMP(hash, a.output, WC_MD5_DIGEST_SIZE) != 0)
+        return -8401;
 
 #endif /* NO_MD5 */
 
@@ -4444,8 +15653,8 @@ int openssl_test(void)
                "aaaaaaaaaa";
     b.output = "\xAD\x5B\x3F\xDB\xCB\x52\x67\x78\xC2\x83\x9D\x2F\x15\x1E\xA7"
                "\x53\x99\x5E\x26\xA0";
-    b.inLen  = strlen(b.input);
-    b.outLen = SHA_DIGEST_SIZE;
+    b.inLen  = XSTRLEN(b.input);
+    b.outLen = WC_SHA_DIGEST_SIZE;
 
     EVP_MD_CTX_init(&md_ctx);
     EVP_DigestInit(&md_ctx, EVP_sha1());
@@ -4453,18 +15662,38 @@ int openssl_test(void)
     EVP_DigestUpdate(&md_ctx, b.input, (unsigned long)b.inLen);
     EVP_DigestFinal(&md_ctx, hash, 0);
 
-    if (memcmp(hash, b.output, SHA_DIGEST_SIZE) != 0)
-        return -72;
+    if (XMEMCMP(hash, b.output, WC_SHA_DIGEST_SIZE) != 0)
+        return -8402;
 
 #endif /* NO_SHA */
 
+#ifdef WOLFSSL_SHA224
+
+    e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+               "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+    e.output = "\xc9\x7c\xa9\xa5\x59\x85\x0c\xe9\x7a\x04\xa9\x6d\xef\x6d\x99"
+               "\xa9\xe0\xe0\xe2\xab\x14\xe6\xb8\xdf\x26\x5f\xc0\xb3";
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_SHA224_DIGEST_SIZE;
+
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_DigestInit(&md_ctx, EVP_sha224());
+
+    EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
+    EVP_DigestFinal(&md_ctx, hash, 0);
+
+    if (XMEMCMP(hash, e.output, WC_SHA224_DIGEST_SIZE) != 0)
+        return -8403;
+
+#endif /* WOLFSSL_SHA224 */
+
 
     d.input  = "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
     d.output = "\x24\x8D\x6A\x61\xD2\x06\x38\xB8\xE5\xC0\x26\x93\x0C\x3E\x60"
                "\x39\xA3\x3C\xE4\x59\x64\xFF\x21\x67\xF6\xEC\xED\xD4\x19\xDB"
                "\x06\xC1";
-    d.inLen  = strlen(d.input);
-    d.outLen = SHA256_DIGEST_SIZE;
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA256_DIGEST_SIZE;
 
     EVP_MD_CTX_init(&md_ctx);
     EVP_DigestInit(&md_ctx, EVP_sha256());
@@ -4472,8 +15701,8 @@ int openssl_test(void)
     EVP_DigestUpdate(&md_ctx, d.input, (unsigned long)d.inLen);
     EVP_DigestFinal(&md_ctx, hash, 0);
 
-    if (memcmp(hash, d.output, SHA256_DIGEST_SIZE) != 0)
-        return -78;
+    if (XMEMCMP(hash, d.output, WC_SHA256_DIGEST_SIZE) != 0)
+        return -8404;
 
 #ifdef WOLFSSL_SHA384
 
@@ -4483,8 +15712,8 @@ int openssl_test(void)
                "\x47\x53\x11\x1b\x17\x3b\x3b\x05\xd2\x2f\xa0\x80\x86\xe3\xb0"
                "\xf7\x12\xfc\xc7\xc7\x1a\x55\x7e\x2d\xb9\x66\xc3\xe9\xfa\x91"
                "\x74\x60\x39";
-    e.inLen  = strlen(e.input);
-    e.outLen = SHA384_DIGEST_SIZE;
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_SHA384_DIGEST_SIZE;
 
     EVP_MD_CTX_init(&md_ctx);
     EVP_DigestInit(&md_ctx, EVP_sha384());
@@ -4492,8 +15721,8 @@ int openssl_test(void)
     EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
     EVP_DigestFinal(&md_ctx, hash, 0);
 
-    if (memcmp(hash, e.output, SHA384_DIGEST_SIZE) != 0)
-        return -79;
+    if (XMEMCMP(hash, e.output, WC_SHA384_DIGEST_SIZE) != 0)
+        return -8405;
 
 #endif /* WOLFSSL_SHA384 */
 
@@ -4507,8 +15736,8 @@ int openssl_test(void)
                "\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4"
                "\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b"
                "\x87\x4b\xe9\x09";
-    f.inLen  = strlen(f.input);
-    f.outLen = SHA512_DIGEST_SIZE;
+    f.inLen  = XSTRLEN(f.input);
+    f.outLen = WC_SHA512_DIGEST_SIZE;
 
     EVP_MD_CTX_init(&md_ctx);
     EVP_DigestInit(&md_ctx, EVP_sha512());
@@ -4516,27 +15745,103 @@ int openssl_test(void)
     EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
     EVP_DigestFinal(&md_ctx, hash, 0);
 
-    if (memcmp(hash, f.output, SHA512_DIGEST_SIZE) != 0)
-        return -80;
+    if (XMEMCMP(hash, f.output, WC_SHA512_DIGEST_SIZE) != 0)
+        return -8406;
 
 #endif /* WOLFSSL_SHA512 */
+#ifdef WOLFSSL_SHA3
+#ifndef WOLFSSL_NOSHA3_224
+
+    e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+               "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+    e.output = "\x54\x3e\x68\x68\xe1\x66\x6c\x1a\x64\x36\x30\xdf\x77\x36\x7a\xe5\xa6\x2a\x85\x07\x0a\x51\xc1\x4c\xbf\x66\x5c\xbc";
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_SHA3_224_DIGEST_SIZE;
+
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_DigestInit(&md_ctx, EVP_sha3_224());
+
+    EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
+    EVP_DigestFinal(&md_ctx, hash, 0);
+
+    if (XMEMCMP(hash, e.output, WC_SHA3_224_DIGEST_SIZE) != 0)
+        return -8407;
+
+#endif /* WOLFSSL_NOSHA3_224 */
+
+
+#ifndef WOLFSSL_NOSHA3_256
+    d.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+               "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+    d.output = "\x91\x6f\x60\x61\xfe\x87\x97\x41\xca\x64\x69\xb4\x39\x71\xdf"
+               "\xdb\x28\xb1\xa3\x2d\xc3\x6c\xb3\x25\x4e\x81\x2b\xe2\x7a\xad"
+               "\x1d\x18";
+    d.inLen  = XSTRLEN(d.input);
+    d.outLen = WC_SHA3_256_DIGEST_SIZE;
+
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_DigestInit(&md_ctx, EVP_sha3_256());
+
+    EVP_DigestUpdate(&md_ctx, d.input, (unsigned long)d.inLen);
+    EVP_DigestFinal(&md_ctx, hash, 0);
+
+    if (XMEMCMP(hash, d.output, WC_SHA3_256_DIGEST_SIZE) != 0)
+        return -8408;
+#endif /* WOLFSSL_NOSHA3_256 */
+
+
+    e.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+               "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+    e.output = "\x79\x40\x7d\x3b\x59\x16\xb5\x9c\x3e\x30\xb0\x98\x22\x97\x47\x91\xc3\x13\xfb\x9e\xcc\x84\x9e\x40\x6f\x23\x59\x2d\x04\xf6\x25\xdc\x8c\x70\x9b\x98\xb4\x3b\x38\x52\xb3\x37\x21\x61\x79\xaa\x7f\xc7";
+    e.inLen  = XSTRLEN(e.input);
+    e.outLen = WC_SHA3_384_DIGEST_SIZE;
+
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_DigestInit(&md_ctx, EVP_sha3_384());
+
+    EVP_DigestUpdate(&md_ctx, e.input, (unsigned long)e.inLen);
+    EVP_DigestFinal(&md_ctx, hash, 0);
+
+    if (XMEMCMP(hash, e.output, WC_SHA3_384_DIGEST_SIZE) != 0)
+        return -8409;
+
 
 
+#ifndef WOLFSSL_NOSHA3_512
+
+    f.input  = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi"
+               "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+    f.output = "\xaf\xeb\xb2\xef\x54\x2e\x65\x79\xc5\x0c\xad\x06\xd2\xe5\x78\xf9\xf8\xdd\x68\x81\xd7\xdc\x82\x4d\x26\x36\x0f\xee\xbf\x18\xa4\xfa\x73\xe3\x26\x11\x22\x94\x8e\xfc\xfd\x49\x2e\x74\xe8\x2e\x21\x89\xed\x0f\xb4\x40\xd1\x87\xf3\x82\x27\x0c\xb4\x55\xf2\x1d\xd1\x85";
+    f.inLen  = XSTRLEN(f.input);
+    f.outLen = WC_SHA3_512_DIGEST_SIZE;
+
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_DigestInit(&md_ctx, EVP_sha3_512());
+
+    EVP_DigestUpdate(&md_ctx, f.input, (unsigned long)f.inLen);
+    EVP_DigestFinal(&md_ctx, hash, 0);
+
+    if (XMEMCMP(hash, f.output, WC_SHA3_512_DIGEST_SIZE) != 0)
+        return -8410;
+
+#endif /* WOLFSSL_NOSHA3_512 */
+#endif /* WOLFSSL_SHA3 */
+
 #ifndef NO_MD5
     if (RAND_bytes(hash, sizeof(hash)) != 1)
-        return -73;
+        return -8411;
 
     c.input  = "what do ya want for nothing?";
     c.output = "\x55\x78\xe8\x48\x4b\xcc\x93\x80\x93\xec\x53\xaf\x22\xd6\x14"
                "\x76";
-    c.inLen  = strlen(c.input);
-    c.outLen = MD5_DIGEST_SIZE;
+    c.inLen  = XSTRLEN(c.input);
+    c.outLen = WC_MD5_DIGEST_SIZE;
 
     HMAC(EVP_md5(),
                  "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen, hash, 0);
 
-    if (memcmp(hash, c.output, MD5_DIGEST_SIZE) != 0)
-        return -74;
+    if (XMEMCMP(hash, c.output, WC_MD5_DIGEST_SIZE) != 0)
+        return -8412;
 
 #endif /* NO_MD5 */
 
@@ -4575,28 +15880,32 @@ int openssl_test(void)
     DES_cbc_encrypt(vector, cipher, sizeof(vector), &sched, &iv, DES_ENCRYPT);
     DES_cbc_encrypt(cipher, plain, sizeof(vector), &sched, &iv, DES_DECRYPT);
 
-    if (memcmp(plain, vector, sizeof(vector)) != 0)
-        return -75;
+    if (XMEMCMP(plain, vector, sizeof(vector)) != 0)
+        return -8413;
 
-    if (memcmp(cipher, verify, sizeof(verify)) != 0)
-        return -76;
+    if (XMEMCMP(cipher, verify, sizeof(verify)) != 0)
+        return -8414;
 
         /* test changing iv */
     DES_ncbc_encrypt(vector, cipher, 8, &sched, &iv, DES_ENCRYPT);
     DES_ncbc_encrypt(vector + 8, cipher + 8, 16, &sched, &iv, DES_ENCRYPT);
 
-    if (memcmp(cipher, verify, sizeof(verify)) != 0)
-        return -77;
+    if (XMEMCMP(cipher, verify, sizeof(verify)) != 0)
+        return -8415;
 
     }  /* end des test */
 
 #endif /* NO_DES3 */
 
-#ifndef NO_AES
+#if !defined(NO_AES) && !defined(WOLFCRYPT_ONLY)
+        if (openssl_aes_test() != 0) {
+            return -8416;
+        }
 
-    {  /* evp_cipher test */
+#if defined(WOLFSSL_AES_128) && defined(HAVE_AES_CBC)
+    {  /* evp_cipher test: EVP_aes_128_cbc */
         EVP_CIPHER_CTX ctx;
-
+        int idx, cipherSz, plainSz;
 
         const byte msg[] = { /* "Now is the time for all " w/o trailing 0 */
             0x6e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
@@ -4607,7 +15916,17 @@ int openssl_test(void)
         const byte verify[] =
         {
             0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
-            0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb
+            0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb,
+            0x3b,0x5d,0x41,0x97,0x94,0x25,0xa4,0xb4,
+            0xae,0x7b,0x34,0xd0,0x3f,0x0c,0xbc,0x06
+        };
+
+        const byte verify2[] =
+        {
+            0x95,0x94,0x92,0x57,0x5f,0x42,0x81,0x53,
+            0x2c,0xcc,0x9d,0x46,0x77,0xa2,0x33,0xcb,
+            0x7d,0x37,0x7b,0x0b,0x44,0xaa,0xb5,0xf0,
+            0x5f,0x34,0xb4,0xde,0xb5,0xbd,0x2a,0xbb
         };
 
         byte key[] = "0123456789abcdef   ";  /* align */
@@ -4618,37 +15937,1412 @@ int openssl_test(void)
 
         EVP_CIPHER_CTX_init(&ctx);
         if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 1) == 0)
-            return -81;
+            return -8417;
 
-        if (EVP_Cipher(&ctx, cipher, (byte*)msg, 16) == 0)
-            return -82;
+        if (EVP_CipherUpdate(&ctx, cipher, &idx, (byte*)msg, sizeof(msg)) == 0)
+            return -8418;
 
-        if (memcmp(cipher, verify, AES_BLOCK_SIZE))
-            return -83;
+        cipherSz = idx;
+        if (EVP_CipherFinal(&ctx, cipher + cipherSz, &idx) == 0)
+            return -8419;
+        cipherSz += idx;
+
+        if ((cipherSz != (int)sizeof(verify)) &&
+                                             XMEMCMP(cipher, verify, cipherSz))
+            return -8420;
 
         EVP_CIPHER_CTX_init(&ctx);
         if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 0) == 0)
-            return -84;
+            return -8421;
 
-        if (EVP_Cipher(&ctx, plain, cipher, 16) == 0)
-            return -85;
+        /* check partial decrypt (not enough padding for full block) */
+        if (EVP_CipherUpdate(&ctx, plain, &idx, cipher, 1) == 0)
+            return -8422;
+
+        plainSz = idx;
+        if (EVP_CipherFinal(&ctx, plain + plainSz, &idx) != 0)
+            return -8423;
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 0) == 0)
+            return -8424;
+
+        if (EVP_CipherUpdate(&ctx, plain, &idx, cipher, cipherSz) == 0)
+            return -8425;
+
+        plainSz = idx;
+        if (EVP_CipherFinal(&ctx, plain + plainSz, &idx) == 0)
+            return -8426;
+        plainSz += idx;
+
+        if ((plainSz != sizeof(msg)) || XMEMCMP(plain, msg, sizeof(msg)))
+            return -8427;
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_128_cbc(), key, iv, 1) == 0)
+            return -8428;
+
+        if (EVP_CipherUpdate(&ctx, cipher, &idx, msg, AES_BLOCK_SIZE) == 0)
+            return -8429;
+
+        cipherSz = idx;
+        if (EVP_CipherFinal(&ctx, cipher + cipherSz, &idx) == 0)
+            return -8430;
+        cipherSz += idx;
+
+        if ((cipherSz != (int)sizeof(verify2)) ||
+                                            XMEMCMP(cipher, verify2, cipherSz))
+            return -8431;
+
+    }  /* end evp_cipher test: EVP_aes_128_cbc*/
+#endif /* WOLFSSL_AES_128 && HAVE_AES_CBC */
+
+#if defined(HAVE_AES_ECB) && defined(WOLFSSL_AES_256)
+    {  /* evp_cipher test: EVP_aes_256_ecb*/
+        EVP_CIPHER_CTX ctx;
+        const byte msg[] =
+        {
+          0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+          0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+        };
+
+        const byte verify[] =
+        {
+            0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
+            0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
+        };
+
+        const byte key[] =
+        {
+          0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+          0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+          0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+          0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+        };
 
-        if (memcmp(plain, msg, AES_BLOCK_SIZE))
-            return -86;
 
+        byte cipher[AES_BLOCK_SIZE * 4];
+        byte plain [AES_BLOCK_SIZE * 4];
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key,
+                                                                NULL, 1) == 0)
+            return -8432;
+
+        if (EVP_Cipher(&ctx, cipher, (byte*)msg, 16) == 0)
+            return -8433;
+
+        if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+            return -8434;
+
+        EVP_CIPHER_CTX_init(&ctx);
+        if (EVP_CipherInit(&ctx, EVP_aes_256_ecb(), (unsigned char*)key,
+                                                                NULL, 0) == 0)
+            return -8435;
+
+        if (EVP_Cipher(&ctx, plain, cipher, 16) == 0)
+            return -8436;
+
+        if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+            return -8437;
 
     }  /* end evp_cipher test */
+#endif /* HAVE_AES_ECB && WOLFSSL_AES_128 */
+
+#define OPENSSL_TEST_ERROR (-10000)
+
+
+#if defined(WOLFSSL_AES_DIRECT) && defined(WOLFSSL_AES_256)
+  /* enable HAVE_AES_DECRYPT for AES_encrypt/decrypt */
+{
+
+  /* Test: AES_encrypt/decrypt/set Key */
+  AES_KEY enc;
+#ifdef HAVE_AES_DECRYPT
+  AES_KEY dec;
+#endif
+
+  const byte msg[] =
+  {
+      0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+      0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+  };
+
+  const byte verify[] =
+  {
+      0xf3,0xee,0xd1,0xbd,0xb5,0xd2,0xa0,0x3c,
+      0x06,0x4b,0x5a,0x7e,0x3d,0xb1,0x81,0xf8
+  };
+
+  const byte key[] =
+  {
+      0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+      0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+      0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+      0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+  };
+
+  byte plain[sizeof(msg)];
+  byte cipher[sizeof(msg)];
+
+  printf("openSSL extra test\n") ;
+
+
+  AES_set_encrypt_key(key, sizeof(key)*8, &enc);
+  AES_set_decrypt_key(key,  sizeof(key)*8, &dec);
+
+  AES_encrypt(msg, cipher, &enc);
+
+#ifdef HAVE_AES_DECRYPT
+  AES_decrypt(cipher, plain, &dec);
+  if (XMEMCMP(plain, msg, AES_BLOCK_SIZE))
+      return OPENSSL_TEST_ERROR-60;
+#endif /* HAVE_AES_DECRYPT */
+
+  if (XMEMCMP(cipher, verify, AES_BLOCK_SIZE))
+      return OPENSSL_TEST_ERROR-61;
+}
+
+#endif /* WOLFSSL_AES_DIRECT && WOLFSSL_AES_256 */
+
+/* EVP_Cipher with EVP_aes_xxx_ctr() */
+#ifdef WOLFSSL_AES_COUNTER
+{
+    byte plainBuff [64];
+    byte cipherBuff[64];
+
+#ifdef WOLFSSL_AES_128
+    const byte ctrKey[] =
+    {
+        0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
+        0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c
+    };
+
+    const byte ctrIv[] =
+    {
+        0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+        0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+    };
+
+    const byte ctrPlain[] =
+    {
+        0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+        0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+        0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+        0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+        0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+        0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+        0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+        0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+    };
+
+    const byte ctrCipher[] =
+    {
+        0x87,0x4d,0x61,0x91,0xb6,0x20,0xe3,0x26,
+        0x1b,0xef,0x68,0x64,0x99,0x0d,0xb6,0xce,
+        0x98,0x06,0xf6,0x6b,0x79,0x70,0xfd,0xff,
+        0x86,0x17,0x18,0x7b,0xb9,0xff,0xfd,0xff,
+        0x5a,0xe4,0xdf,0x3e,0xdb,0xd5,0xd3,0x5e,
+        0x5b,0x4f,0x09,0x02,0x0d,0xb0,0x3e,0xab,
+        0x1e,0x03,0x1d,0xda,0x2f,0xbe,0x03,0xd1,
+        0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
+    };
+
+    const byte oddCipher[] =
+    {
+        0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
+        0xc2
+    };
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+    /* test vector from "Recommendation for Block Cipher Modes of Operation"
+     * NIST Special Publication 800-38A */
+    const byte ctr192Key[] =
+    {
+        0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
+        0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
+        0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b
+    };
+
+    const byte ctr192Iv[] =
+    {
+        0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+        0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+    };
+
+
+    const byte ctr192Plain[] =
+    {
+        0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+        0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+    };
+
+    const byte ctr192Cipher[] =
+    {
+        0x1a,0xbc,0x93,0x24,0x17,0x52,0x1c,0xa2,
+        0x4f,0x2b,0x04,0x59,0xfe,0x7e,0x6e,0x0b
+    };
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+    /* test vector from "Recommendation for Block Cipher Modes of Operation"
+     * NIST Special Publication 800-38A */
+    const byte ctr256Key[] =
+    {
+        0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,
+        0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
+        0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,
+        0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4
+    };
+
+    const byte ctr256Iv[] =
+    {
+        0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+        0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+    };
+
+
+    const byte ctr256Plain[] =
+    {
+        0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+        0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a
+    };
+
+    const byte ctr256Cipher[] =
+    {
+        0x60,0x1e,0xc3,0x13,0x77,0x57,0x89,0xa5,
+        0xb7,0xa7,0xf5,0x04,0xbb,0xf3,0xd2,0x28
+    };
+#endif /* WOLFSSL_AES_256 */
+
+    EVP_CIPHER_CTX en;
+    EVP_CIPHER_CTX de;
+#ifdef WOLFSSL_AES_128
+    EVP_CIPHER_CTX *p_en;
+    EVP_CIPHER_CTX *p_de;
+
+    EVP_CIPHER_CTX_init(&en);
+    if (EVP_CipherInit(&en, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8438;
+    if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain,
+                                                        AES_BLOCK_SIZE*4) == 0)
+        return -8439;
+    EVP_CIPHER_CTX_init(&de);
+    if (EVP_CipherInit(&de, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8440;
+
+    if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                                                        AES_BLOCK_SIZE*4) == 0)
+        return -8441;
+
+    if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
+        return -8442;
+    if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
+        return -8443;
+
+    p_en = wolfSSL_EVP_CIPHER_CTX_new();
+    if(p_en == NULL)return -8444;
+    p_de = wolfSSL_EVP_CIPHER_CTX_new();
+    if(p_de == NULL)return -8445;
+
+    if (EVP_CipherInit(p_en, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8446;
+    if (EVP_Cipher(p_en, (byte*)cipherBuff, (byte*)ctrPlain,
+                                                        AES_BLOCK_SIZE*4) == 0)
+        return -8447;
+    if (EVP_CipherInit(p_de, EVP_aes_128_ctr(),
+            (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8448;
+
+    if (EVP_Cipher(p_de, (byte*)plainBuff, (byte*)cipherBuff,
+                                                        AES_BLOCK_SIZE*4) == 0)
+        return -8449;
+
+    wolfSSL_EVP_CIPHER_CTX_free(p_en);
+    wolfSSL_EVP_CIPHER_CTX_free(p_de);
+
+    if (XMEMCMP(cipherBuff, ctrCipher, AES_BLOCK_SIZE*4))
+        return -8450;
+    if (XMEMCMP(plainBuff, ctrPlain, AES_BLOCK_SIZE*4))
+        return -8451;
+
+    EVP_CIPHER_CTX_init(&en);
+    if (EVP_CipherInit(&en, EVP_aes_128_ctr(),
+        (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8452;
+    if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0)
+        return -8453;
+
+    EVP_CIPHER_CTX_init(&de);
+    if (EVP_CipherInit(&de, EVP_aes_128_ctr(),
+        (unsigned char*)ctrKey, (unsigned char*)ctrIv, 0) == 0)
+        return -8454;
+
+    if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0)
+        return -8455;
+
+    if (XMEMCMP(plainBuff, ctrPlain, 9))
+        return -8456;
+    if (XMEMCMP(cipherBuff, ctrCipher, 9))
+        return -8457;
+
+    if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctrPlain, 9) == 0)
+        return -8458;
+    if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff, 9) == 0)
+        return -8459;
+
+    if (XMEMCMP(plainBuff, ctrPlain, 9))
+        return -8460;
+    if (XMEMCMP(cipherBuff, oddCipher, 9))
+        return -8461;
+#endif /* WOLFSSL_AES_128 */
+
+#ifdef WOLFSSL_AES_192
+    EVP_CIPHER_CTX_init(&en);
+    if (EVP_CipherInit(&en, EVP_aes_192_ctr(),
+            (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
+        return -8462;
+    if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr192Plain,
+                                                        AES_BLOCK_SIZE) == 0)
+        return -8463;
+    EVP_CIPHER_CTX_init(&de);
+    if (EVP_CipherInit(&de, EVP_aes_192_ctr(),
+        (unsigned char*)ctr192Key, (unsigned char*)ctr192Iv, 0) == 0)
+        return -8464;
+
+    XMEMSET(plainBuff, 0, sizeof(plainBuff));
+    if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                                                        AES_BLOCK_SIZE) == 0)
+        return -8465;
+
+    if (XMEMCMP(plainBuff, ctr192Plain, sizeof(ctr192Plain)))
+        return -8466;
+    if (XMEMCMP(ctr192Cipher, cipherBuff, sizeof(ctr192Cipher)))
+        return -8467;
+#endif /* WOLFSSL_AES_192 */
+
+#ifdef WOLFSSL_AES_256
+    EVP_CIPHER_CTX_init(&en);
+    if (EVP_CipherInit(&en, EVP_aes_256_ctr(),
+        (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
+        return -8468;
+    if (EVP_Cipher(&en, (byte*)cipherBuff, (byte*)ctr256Plain,
+                                                        AES_BLOCK_SIZE) == 0)
+        return -8469;
+    EVP_CIPHER_CTX_init(&de);
+    if (EVP_CipherInit(&de, EVP_aes_256_ctr(),
+        (unsigned char*)ctr256Key, (unsigned char*)ctr256Iv, 0) == 0)
+        return -8470;
+
+    XMEMSET(plainBuff, 0, sizeof(plainBuff));
+    if (EVP_Cipher(&de, (byte*)plainBuff, (byte*)cipherBuff,
+                                                        AES_BLOCK_SIZE) == 0)
+        return -8471;
+
+    if (XMEMCMP(plainBuff, ctr256Plain, sizeof(ctr256Plain)))
+        return -8472;
+    if (XMEMCMP(ctr256Cipher, cipherBuff, sizeof(ctr256Cipher)))
+        return -8473;
+#endif /* WOLFSSL_AES_256 */
+}
+#endif /* HAVE_AES_COUNTER */
+
+#if defined(HAVE_AES_CBC) && defined(WOLFSSL_AES_128)
+{
+      /* EVP_CipherUpdate test */
 
-#endif /* NO_AES */
 
+        const byte cbcPlain[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+
+        byte key[] = "0123456789abcdef   ";  /* align */
+        byte iv[]  = "1234567890abcdef   ";  /* align */
+
+        byte cipher[AES_BLOCK_SIZE * 4];
+        byte plain [AES_BLOCK_SIZE * 4];
+        EVP_CIPHER_CTX en;
+        EVP_CIPHER_CTX de;
+        int outlen ;
+        int total = 0;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8474;
+        /* openSSL compatibility, if(inlen == 0)return 1; */
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                                                    (byte*)cbcPlain, 0) != 1)
+            return -8475;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 1) == 0)
+            return -8476;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen,
+                                                    (byte*)cbcPlain, 9) == 0)
+            return -8477;
+        if(outlen != 0)
+            return -8478;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&en, (byte*)&cipher[total], &outlen,
+                                                (byte*)&cbcPlain[9]  , 9) == 0)
+            return -8479;
+        if(outlen != 16)
+            return -8480;
+        total += outlen;
+
+        if (EVP_CipherFinal(&en, (byte*)&cipher[total], &outlen) == 0)
+            return -8481;
+        if(outlen != 16)
+            return -8482;
+        total += outlen;
+        if(total != 32)
+            return -8483;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_CipherInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8484;
+
+        if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
+            return -8485;
+        if(outlen != 0)
+            return -8486;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                                                    (byte*)&cipher[6], 12) == 0)
+            return -8487;
+        if(outlen != 0)
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen,
+                                                (byte*)&cipher[6+12], 14) == 0)
+            return -8488;
+        if(outlen != 16)
+            return -8489;
+        total += outlen;
+
+        if (EVP_CipherFinal(&de, (byte*)&plain[total], &outlen) == 0)
+            return -8490;
+        if(outlen != 2)
+            return -8491;
+        total += outlen;
+
+        if(total != 18)
+            return -8492;
+
+        if (XMEMCMP(plain, cbcPlain, 18))
+            return -8493;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_EncryptInit(&en, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv) == 0)
+            return -8494;
+        if (EVP_CipherUpdate(&en, (byte*)cipher, &outlen, (byte*)cbcPlain, 9) == 0)
+            return -8495;
+        if(outlen != 0)
+            return -8496;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&en, (byte*)&cipher[total], &outlen, (byte*)&cbcPlain[9]  , 9) == 0)
+            return -8497;
+        if(outlen != 16)
+            return -8498;
+        total += outlen;
+
+        if (EVP_EncryptFinal(&en, (byte*)&cipher[total], &outlen) == 0)
+            return -8499;
+        if(outlen != 16)
+            return -8500;
+        total += outlen;
+        if(total != 32)
+            return 3438;
+
+        total = 0;
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_DecryptInit(&de, EVP_aes_128_cbc(),
+            (unsigned char*)key, (unsigned char*)iv) == 0)
+            return -8501;
+
+        if (EVP_CipherUpdate(&de, (byte*)plain, &outlen, (byte*)cipher, 6) == 0)
+            return -8502;
+        if(outlen != 0)
+            return -8503;
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen, (byte*)&cipher[6], 12) == 0)
+            return -8504;
+        if(outlen != 0)
+        total += outlen;
+
+        if (EVP_CipherUpdate(&de, (byte*)&plain[total], &outlen, (byte*)&cipher[6+12], 14) == 0)
+            return -8505;
+        if(outlen != 16)
+            return -8506;
+        total += outlen;
+
+        if (EVP_DecryptFinal(&de, (byte*)&plain[total], &outlen) == 0)
+            return -8507;
+        if(outlen != 2)
+            return -8508;
+        total += outlen;
+
+        if(total != 18)
+            return 3447;
+
+        if (XMEMCMP(plain, cbcPlain, 18))
+            return -8509;
+
+        if (EVP_CIPHER_key_length(NULL) != 0)
+            return -8510;
+
+        if (EVP_CIPHER_key_length(EVP_aes_128_cbc()) != 16)
+            return -8511;
+
+        if (EVP_CIPHER_CTX_mode(NULL) != 0)
+            return -8512;
+
+        if (EVP_CIPHER_CTX_mode(&en) != (en.flags & WOLFSSL_EVP_CIPH_MODE))
+            return -8513;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_CipherInit_ex(&en, EVP_aes_128_cbc(), NULL,
+            (unsigned char*)key, (unsigned char*)iv, 0) == 0)
+            return -8514;
+
+        EVP_CIPHER_CTX_init(&en);
+        if (EVP_EncryptInit_ex(&en, EVP_aes_128_cbc(), NULL,
+                (unsigned char*)key, (unsigned char*)iv) == 0)
+            return -8515;
+
+        if (wolfSSL_EVP_EncryptFinal_ex(NULL, NULL, NULL) != WOLFSSL_FAILURE)
+            return -8516;
+
+        if (wolfSSL_EVP_EncryptFinal(NULL, NULL, NULL) != WOLFSSL_FAILURE)
+            return -8517;
+
+        EVP_CIPHER_CTX_init(&de);
+        if (EVP_DecryptInit_ex(&de, EVP_aes_128_cbc(), NULL,
+                (unsigned char*)key, (unsigned char*)iv) == 0)
+            return -8518;
+
+        if (wolfSSL_EVP_DecryptFinal(NULL, NULL, NULL) != WOLFSSL_FAILURE)
+            return -8519;
+
+        if (wolfSSL_EVP_DecryptFinal_ex(NULL, NULL, NULL) != WOLFSSL_FAILURE)
+            return -8520;
+
+        if (EVP_CIPHER_CTX_block_size(NULL) != BAD_FUNC_ARG)
+            return -8521;
+
+        EVP_CIPHER_CTX_init(&en);
+        EVP_EncryptInit_ex(&en, EVP_aes_128_cbc(), NULL,
+                (unsigned char*)key, (unsigned char*)iv);
+        if (EVP_CIPHER_CTX_block_size(&en) != en.block_size)
+            return -8522;
+
+        if (EVP_CIPHER_block_size(NULL) != BAD_FUNC_ARG)
+            return -8523;
+
+        if (EVP_CIPHER_block_size(EVP_aes_128_cbc()) != AES_BLOCK_SIZE)
+            return -8524;
+
+        if (WOLFSSL_EVP_CIPHER_mode(NULL) != 0)
+            return -8525;
+
+        if (EVP_CIPHER_flags(EVP_aes_128_cbc()) != WOLFSSL_EVP_CIPH_CBC_MODE)
+            return -8526;
+
+        EVP_CIPHER_CTX_clear_flags(&en, 0xFFFFFFFF);
+        EVP_CIPHER_CTX_set_flags(&en, 42);
+        if (en.flags != 42)
+            return -8527;
+
+        if (EVP_CIPHER_CTX_set_padding(NULL, 0) != BAD_FUNC_ARG)
+            return -8528;
+        if (EVP_CIPHER_CTX_set_padding(&en, 0) != WOLFSSL_SUCCESS)
+            return -8529;
+        if (EVP_CIPHER_CTX_set_padding(&en, 1) != WOLFSSL_SUCCESS)
+            return -8530;
+
+    }
+#endif /* WOLFSSL_AES_128 && HAVE_AES_CBC */
+#endif /* ifndef NO_AES */
     return 0;
 }
 
+int openSSL_evpMD_test(void)
+{
+    int ret = 0;
+#if !defined(NO_SHA256) && !defined(NO_SHA)
+    WOLFSSL_EVP_MD_CTX* ctx;
+    WOLFSSL_EVP_MD_CTX* ctx2;
+
+    ctx = EVP_MD_CTX_create();
+    ctx2 = EVP_MD_CTX_create();
+
+    ret = EVP_DigestInit(ctx, EVP_sha256());
+    if (ret != SSL_SUCCESS) {
+        ret = -8600;
+        goto openSSL_evpMD_test_done;
+    }
+
+    ret = EVP_MD_CTX_copy(ctx2, ctx);
+    if (ret != SSL_SUCCESS) {
+        ret = -8601;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
+        ret = -8602;
+        goto openSSL_evpMD_test_done;
+    }
+
+    ret = EVP_DigestInit(ctx, EVP_sha1());
+    if (ret != SSL_SUCCESS) {
+        ret = -8603;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
+        ret = -8604;
+        goto openSSL_evpMD_test_done;
+    }
+
+    ret = EVP_MD_CTX_copy_ex(ctx2, ctx);
+    if (ret != SSL_SUCCESS) {
+        ret = -8605;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_MD_type(EVP_sha256()) == EVP_MD_CTX_type(ctx2)) {
+        ret = -8606;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_MD_type(EVP_sha1()) != EVP_MD_CTX_type(ctx2)) {
+        ret = -8607;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_DigestInit_ex(ctx, EVP_sha1(), NULL) != SSL_SUCCESS) {
+        ret = -8608;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (EVP_add_digest(NULL) != 0) {
+        ret = -8609;
+        goto openSSL_evpMD_test_done;
+    }
+
+    if (wolfSSL_EVP_add_cipher(NULL) != 0) {
+        ret = -8610;
+        goto openSSL_evpMD_test_done;
+    }
+
+    ret = 0; /* got to success state without jumping to end with a fail */
+
+openSSL_evpMD_test_done:
+    EVP_MD_CTX_destroy(ctx);
+    EVP_MD_CTX_destroy(ctx2);
+#endif /* NO_SHA256 */
+
+    return ret;
+}
+
+#ifdef DEBUG_SIGN
+static void show(const char *title, const char *p, unsigned int s) {
+    char* i;
+    printf("%s: ", title);
+    for (i = p;
+            i < p + s;
+            printf("%c", *i), i++);
+    printf("\n");
+}
+#else
+#define show(a,b,c)
+#endif
+
+#define FOURK_BUFF 4096
+
+#define ERR_BASE_PKEY -5000
+int openssl_pkey0_test(void)
+{
+    int ret = 0;
+#if !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(NO_SHA)
+    byte*   prvTmp;
+    byte*   pubTmp;
+    int prvBytes;
+    int pubBytes;
+    RSA *prvRsa = NULL;
+    RSA *pubRsa = NULL;
+    EVP_PKEY *prvPkey = NULL;
+    EVP_PKEY *pubPkey = NULL;
+    EVP_PKEY_CTX *enc = NULL;
+    EVP_PKEY_CTX *dec = NULL;
+
+    byte   in[] = "Everyone gets Friday off.";
+    byte   out[256];
+    size_t outlen;
+    size_t keySz;
+    byte   plain[256];
+#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+    XFILE  keyFile;
+    XFILE  keypubFile;
+    char cliKey[]    = "./certs/client-key.der";
+    char cliKeypub[] = "./certs/client-keyPub.der";
+
+#endif
+
+    prvTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (prvTmp == NULL)
+        return ERR_BASE_PKEY-1;
+    pubTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pubTmp == NULL) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        return ERR_BASE_PKEY-2;
+    }
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(prvTmp, client_key_der_1024, sizeof_client_key_der_1024);
+    prvBytes = sizeof_client_key_der_1024;
+    XMEMCPY(pubTmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
+    pubBytes = sizeof_client_keypub_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(prvTmp, client_key_der_2048, sizeof_client_key_der_2048);
+    prvBytes = sizeof_client_key_der_2048;
+    XMEMCPY(pubTmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
+    pubBytes = sizeof_client_keypub_der_2048;
+#else
+    keyFile = XFOPEN(cliKey, "rb");
+    if (!keyFile) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        err_sys("can't open ./certs/client-key.der, "
+                "Please run from wolfSSL home dir", ERR_BASE_PKEY-3);
+        return ERR_BASE_PKEY-3;
+    }
+    prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
+    XFCLOSE(keyFile);
+    keypubFile = XFOPEN(cliKeypub, "rb");
+    if (!keypubFile) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        err_sys("can't open ./certs/client-cert.der, "
+                "Please run from wolfSSL home dir", -4);
+        return ERR_BASE_PKEY-4;
+    }
+    pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
+    XFCLOSE(keypubFile);
+#endif /* USE_CERT_BUFFERS */
+
+        prvRsa = wolfSSL_RSA_new();
+        pubRsa = wolfSSL_RSA_new();
+        if((prvRsa == NULL) || (pubRsa == NULL)){
+            printf("error with RSA_new\n");
+            ret = ERR_BASE_PKEY-10;
+            goto openssl_pkey0_test_done;
+        }
+
+        ret = wolfSSL_RSA_LoadDer_ex(prvRsa, prvTmp, prvBytes, WOLFSSL_RSA_LOAD_PRIVATE);
+        if(ret != SSL_SUCCESS){
+            printf("error with RSA_LoadDer_ex\n");
+            ret = ERR_BASE_PKEY-11;
+            goto openssl_pkey0_test_done;
+        }
+
+        ret = wolfSSL_RSA_LoadDer_ex(pubRsa, pubTmp, pubBytes, WOLFSSL_RSA_LOAD_PUBLIC);
+        if(ret != SSL_SUCCESS){
+            printf("error with RSA_LoadDer_ex\n");
+            ret = ERR_BASE_PKEY-12;
+            goto openssl_pkey0_test_done;
+        }
+        keySz = (size_t)RSA_size(pubRsa);
+
+        prvPkey = wolfSSL_EVP_PKEY_new();
+        pubPkey = wolfSSL_EVP_PKEY_new();
+        if((prvPkey == NULL) || (pubPkey == NULL)){
+            printf("error with PKEY_new\n");
+            ret = ERR_BASE_PKEY-13;
+            goto openssl_pkey0_test_done;
+        }
+        ret  = wolfSSL_EVP_PKEY_set1_RSA(prvPkey, prvRsa);
+        ret += wolfSSL_EVP_PKEY_set1_RSA(pubPkey, pubRsa);
+        if(ret != 2){
+            printf("error with PKEY_set1_RSA\n");
+            ret = ERR_BASE_PKEY-14;
+            goto openssl_pkey0_test_done;
+        }
+
+        dec = EVP_PKEY_CTX_new(prvPkey, NULL);
+        enc = EVP_PKEY_CTX_new(pubPkey, NULL);
+        if((dec == NULL)||(enc==NULL)){
+            printf("error with EVP_PKEY_CTX_new\n");
+            ret = ERR_BASE_PKEY-15;
+            goto openssl_pkey0_test_done;
+        }
+
+        ret = EVP_PKEY_decrypt_init(dec);
+        if (ret != 1) {
+            printf("error with decrypt init\n");
+            ret = ERR_BASE_PKEY-16;
+            goto openssl_pkey0_test_done;
+        }
+        ret = EVP_PKEY_encrypt_init(enc);
+        if (ret != 1) {
+            printf("error with encrypt init\n");
+            ret = ERR_BASE_PKEY-17;
+            goto openssl_pkey0_test_done;
+        }
+        XMEMSET(out, 0, sizeof(out));
+        ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
+        if (ret != 1) {
+            printf("error encrypting msg\n");
+            ret = ERR_BASE_PKEY-18;
+            goto openssl_pkey0_test_done;
+        }
+
+        show("encrypted msg", out, outlen);
+
+        XMEMSET(plain, 0, sizeof(plain));
+        ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
+        if (ret != 1) {
+            printf("error decrypting msg\n");
+            ret = ERR_BASE_PKEY-19;
+            goto openssl_pkey0_test_done;
+        }
+        show("decrypted msg", plain, outlen);
+
+        /* RSA_PKCS1_OAEP_PADDING test */
+        ret = EVP_PKEY_decrypt_init(dec);
+        if (ret != 1) {
+            printf("error with decrypt init\n");
+            ret = ERR_BASE_PKEY-30;
+            goto openssl_pkey0_test_done;
+        }
+        ret = EVP_PKEY_encrypt_init(enc);
+        if (ret != 1) {
+            printf("error with encrypt init\n");
+            ret = ERR_BASE_PKEY-31;
+            goto openssl_pkey0_test_done;
+        }
+
+        if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_PADDING) <= 0) {
+            printf("first set rsa padding error\n");
+            ret = ERR_BASE_PKEY-32;
+            goto openssl_pkey0_test_done;
+        }
+
+#ifndef HAVE_FIPS
+        if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){
+            printf("second set rsa padding error\n");
+            ret = ERR_BASE_PKEY-33;
+            goto openssl_pkey0_test_done;
+        }
+
+        if (EVP_PKEY_CTX_set_rsa_padding(enc, RSA_PKCS1_OAEP_PADDING) <= 0) {
+            printf("third set rsa padding error\n");
+            ret = ERR_BASE_PKEY-34;
+            goto openssl_pkey0_test_done;
+        }
+#endif
+
+        XMEMSET(out, 0, sizeof(out));
+        ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
+        if (ret != 1) {
+            printf("error encrypting msg\n");
+            ret = ERR_BASE_PKEY-35;
+            goto openssl_pkey0_test_done;
+        }
+
+        show("encrypted msg", out, outlen);
+
+        XMEMSET(plain, 0, sizeof(plain));
+        ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
+        if (ret != 1) {
+            printf("error decrypting msg\n");
+            ret = ERR_BASE_PKEY-36;
+            goto openssl_pkey0_test_done;
+        }
+
+        show("decrypted msg", plain, outlen);
+
+        ret = 0; /* made it to this point without error then set success */
+openssl_pkey0_test_done:
+
+        wolfSSL_RSA_free(prvRsa);
+        wolfSSL_RSA_free(pubRsa);
+        EVP_PKEY_free(pubPkey);
+        EVP_PKEY_free(prvPkey);
+        EVP_PKEY_CTX_free(dec);
+        EVP_PKEY_CTX_free(enc);
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif /* NO_RSA */
+
+        return ret;
+}
+
+
+int openssl_pkey1_test(void)
+{
+    int ret = 0;
+#if !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) && \
+    !defined(NO_SHA)
+    EVP_PKEY_CTX* dec = NULL;
+    EVP_PKEY_CTX* enc = NULL;
+    EVP_PKEY* pubKey  = NULL;
+    EVP_PKEY* prvKey  = NULL;
+    X509* x509;
+
+    const unsigned char msg[] = "sugar slapped";
+    const unsigned char* clikey;
+    unsigned char tmp[FOURK_BUF];
+    long cliKeySz;
+    unsigned char cipher[RSA_TEST_BYTES];
+    unsigned char plain[RSA_TEST_BYTES];
+    size_t outlen;
+    int keyLenBits = 2048;
+
+#if defined(USE_CERT_BUFFERS_1024)
+    XMEMCPY(tmp, client_key_der_1024, sizeof_client_key_der_1024);
+    cliKeySz = (long)sizeof_client_key_der_1024;
+
+    x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_1024,
+            sizeof_client_cert_der_1024, SSL_FILETYPE_ASN1);
+    keyLenBits = 1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(tmp, client_key_der_2048, sizeof_client_key_der_2048);
+    cliKeySz = (long)sizeof_client_key_der_2048;
+
+    x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_2048,
+            sizeof_client_cert_der_2048, SSL_FILETYPE_ASN1);
+#elif defined(USE_CERT_BUFFERS_3072)
+    XMEMCPY(tmp, client_key_der_3072, sizeof_client_key_der_3072);
+    cliKeySz = (long)sizeof_client_key_der_3072;
+
+    x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_3072,
+            sizeof_client_cert_der_3072, SSL_FILETYPE_ASN1);
+    keyLenBits = 3072;
+#elif defined(USE_CERT_BUFFERS_4096)
+    XMEMCPY(tmp, client_key_der_4096, sizeof_client_key_der_4096);
+    cliKeySz = (long)sizeof_client_key_der_4096;
+
+    x509 = wolfSSL_X509_load_certificate_buffer(client_cert_der_4096,
+            sizeof_client_cert_der_4096, SSL_FILETYPE_ASN1);
+    keyLenBits = 4096;
+#else
+    XFILE f;
+
+    f = XFOPEN(clientKey, "rb");
+
+    if (!f) {
+        err_sys("can't open ./certs/client-key.der, "
+                "Please run from wolfSSL home dir", -41);
+        return -8800;
+    }
+
+    cliKeySz = (long)XFREAD(tmp, 1, FOURK_BUF, f);
+    XFCLOSE(f);
+
+    /* using existing wolfSSL api to get public and private key */
+    x509 = wolfSSL_X509_load_certificate_file(clientCert, SSL_FILETYPE_ASN1);
+#endif /* USE_CERT_BUFFERS */
+    clikey = tmp;
+
+    if ((prvKey = EVP_PKEY_new()) == NULL) {
+        return -8801;
+    }
+    EVP_PKEY_free(prvKey);
+    prvKey = NULL;
+
+    if (x509 == NULL) {
+        ret = -8802;
+        goto openssl_pkey1_test_done;
+    }
+
+    pubKey = X509_get_pubkey(x509);
+    if (pubKey == NULL) {
+        ret = -8803;
+        goto openssl_pkey1_test_done;
+    }
+
+    prvKey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &clikey, cliKeySz);
+    if (prvKey == NULL) {
+        ret = -8804;
+        goto openssl_pkey1_test_done;
+    }
+
+    /* phase 2 API to create EVP_PKEY_CTX and encrypt/decrypt */
+    if (EVP_PKEY_bits(prvKey) != keyLenBits) {
+        ret = -8805;
+        goto openssl_pkey1_test_done;
+    }
+
+    if (EVP_PKEY_size(prvKey) != keyLenBits/8) {
+        ret = -8806;
+        goto openssl_pkey1_test_done;
+    }
+
+    dec = EVP_PKEY_CTX_new(prvKey, NULL);
+    enc = EVP_PKEY_CTX_new(pubKey, NULL);
+    if (dec == NULL || enc == NULL) {
+        ret = -8807;
+        goto openssl_pkey1_test_done;
+    }
+
+    if (EVP_PKEY_decrypt_init(dec) != 1) {
+        ret = -8808;
+        goto openssl_pkey1_test_done;
+    }
+
+    if (EVP_PKEY_encrypt_init(enc) != 1) {
+        ret = -8809;
+        goto openssl_pkey1_test_done;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_PADDING) <= 0) {
+        ret = -8810;
+        goto openssl_pkey1_test_done;
+    }
+
+#ifndef HAVE_FIPS
+    if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){
+        ret = -8811;
+        goto openssl_pkey1_test_done;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_padding(enc, RSA_PKCS1_OAEP_PADDING) <= 0) {
+        ret = -8812;
+        goto openssl_pkey1_test_done;
+    }
+#endif
+
+    XMEMSET(cipher, 0, sizeof(cipher));
+    outlen = keyLenBits/8;
+    if (EVP_PKEY_encrypt(enc, cipher, &outlen, msg, sizeof(msg)) < 0) {
+        ret = -8813;
+        goto openssl_pkey1_test_done;
+    }
+
+    XMEMSET(plain, 0, sizeof(plain));
+    if (EVP_PKEY_decrypt(dec, plain, &outlen, cipher, outlen) != 1) {
+        ret = -8814;
+        goto openssl_pkey1_test_done;
+    }
+
+openssl_pkey1_test_done:
+    if (pubKey != NULL) {
+        EVP_PKEY_free(pubKey);
+    }
+    if (prvKey != NULL) {
+        EVP_PKEY_free(prvKey);
+    }
+    if (dec != NULL) {
+        EVP_PKEY_CTX_free(dec);
+    }
+    if (enc != NULL) {
+        EVP_PKEY_CTX_free(enc);
+    }
+    if (x509 != NULL) {
+        X509_free(x509);
+    }
+
+#endif
+    return ret;
+}
+
+
+#define ERR_BASE_EVPSIG -5100
+
+int openssl_evpSig_test(void)
+{
+#if !defined(NO_RSA) && !defined(NO_SHA) && !defined(HAVE_USER_RSA)
+  	byte*   prvTmp;
+	byte*   pubTmp;
+	int prvBytes;
+	int pubBytes;
+    RSA *prvRsa;
+	RSA *pubRsa;
+	EVP_PKEY *prvPkey;
+	EVP_PKEY *pubPkey;
+
+    EVP_MD_CTX* sign;
+    EVP_MD_CTX* verf;
+    char msg[] = "see spot run";
+    unsigned char sig[256];
+    unsigned int sigSz;
+    const void* pt;
+    unsigned int count;
+    int ret, ret1, ret2;
+
+    #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048)
+    XFILE   keyFile;
+    XFILE   keypubFile;
+    char cliKey[]    = "./certs/client-key.der";
+    char cliKeypub[] = "./certs/client-keyPub.der";
+    #endif
+
+    prvTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (prvTmp == NULL)
+        return ERR_BASE_EVPSIG-1;
+    pubTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pubTmp == NULL) {
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return ERR_BASE_EVPSIG-2;
+    }
+
+#ifdef USE_CERT_BUFFERS_1024
+    XMEMCPY(prvTmp, client_key_der_1024, sizeof_client_key_der_1024);
+    prvBytes = sizeof_client_key_der_1024;
+    XMEMCPY(pubTmp, client_keypub_der_1024, sizeof_client_keypub_der_1024);
+    pubBytes = sizeof_client_keypub_der_1024;
+#elif defined(USE_CERT_BUFFERS_2048)
+    XMEMCPY(prvTmp, client_key_der_2048, sizeof_client_key_der_2048);
+    prvBytes = sizeof_client_key_der_2048;
+    XMEMCPY(pubTmp, client_keypub_der_2048, sizeof_client_keypub_der_2048);
+    pubBytes = sizeof_client_keypub_der_2048;
+#else
+    keyFile = XFOPEN(cliKey, "rb");
+    if (!keyFile) {
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        err_sys("can't open ./certs/client-key.der, "
+                "Please run from wolfSSL home dir", -40);
+        return ERR_BASE_EVPSIG-3;
+    }
+    prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
+    XFCLOSE(keyFile);
+    keypubFile = XFOPEN(cliKeypub, "rb");
+    if (!keypubFile) {
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        err_sys("can't open ./certs/client-cert.der, "
+                "Please run from wolfSSL home dir", -41);
+        return ERR_BASE_EVPSIG-4;
+    }
+    pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
+    XFCLOSE(keypubFile);
+    #endif /* USE_CERT_BUFFERS */
+
+    prvRsa = wolfSSL_RSA_new();
+    pubRsa = wolfSSL_RSA_new();
+    if((prvRsa == NULL) || (pubRsa == NULL)){
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        err_sys("ERROR with RSA_new", -8900);
+        return ERR_BASE_EVPSIG-5;
+    }
+
+    ret1 = wolfSSL_RSA_LoadDer_ex(prvRsa, prvTmp, prvBytes, WOLFSSL_RSA_LOAD_PRIVATE);
+    ret2 = wolfSSL_RSA_LoadDer_ex(pubRsa, pubTmp, pubBytes, WOLFSSL_RSA_LOAD_PUBLIC);
+    if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
+      printf("error with RSA_LoadDer_ex\n");
+      return ERR_BASE_EVPSIG-6;
+    }
+
+    prvPkey = wolfSSL_EVP_PKEY_new();
+    pubPkey = wolfSSL_EVP_PKEY_new();
+    if((prvPkey == NULL) || (pubPkey == NULL)){
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        printf("error with KEY_new\n");
+        return ERR_BASE_EVPSIG-7;
+    }
+    ret1  = wolfSSL_EVP_PKEY_set1_RSA(prvPkey, prvRsa);
+    ret2  = wolfSSL_EVP_PKEY_set1_RSA(pubPkey, pubRsa);
+    if((ret1 != 1) || (ret2 != 1)){
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        printf("error with EVP_PKEY_set1_RSA\n");
+        return ERR_BASE_EVPSIG-8;
+    }
+
+    /****************** sign and verify *******************/
+    sign = EVP_MD_CTX_create();
+    verf = EVP_MD_CTX_create();
+    if((sign == NULL)||(verf == NULL)){
+        printf("error with EVP_MD_CTX_create\n");
+        return ERR_BASE_EVPSIG-10;
+    }
+
+    ret = EVP_SignInit(sign, EVP_sha1());
+    if(ret != SSL_SUCCESS){
+      printf("error with EVP_SignInit\n");
+      return ERR_BASE_EVPSIG-11;
+    }
+
+    count = sizeof(msg);
+    show("message = ", (char *)msg, count);
+
+    /* sign */
+    XMEMSET(sig, 0, sizeof(sig));
+    pt = (const void*)msg;
+    ret1 = EVP_SignUpdate(sign, pt, count);
+    ret2 = EVP_SignFinal(sign, sig, &sigSz, prvPkey);
+    if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
+        printf("error with EVP_MD_CTX_create\n");
+        return ERR_BASE_EVPSIG-12;
+    }
+    show("signature = ", (char *)sig, sigSz);
+
+    /* verify */
+    pt = (const void*)msg;
+    ret1 = EVP_VerifyInit(verf, EVP_sha1());
+    ret2 = EVP_VerifyUpdate(verf, pt, count);
+    if((ret1 != SSL_SUCCESS) || (ret2 != SSL_SUCCESS)){
+        printf("error with EVP_Verify\n");
+        return ERR_BASE_EVPSIG-13;
+    }
+    if (EVP_VerifyFinal(verf, sig, sigSz, pubPkey) != 1) {
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        printf("error with EVP_VerifyFinal\n");
+        return ERR_BASE_EVPSIG-14;
+    }
+
+    /* expect fail without update */
+    EVP_VerifyInit(verf, EVP_sha1());
+    if (EVP_VerifyFinal(verf, sig, sigSz, pubPkey) == 1) {
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        printf("EVP_VerifyInit without update not detected\n");
+        return ERR_BASE_EVPSIG-15;
+    }
+
+    XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+    EVP_MD_CTX_destroy(sign);
+    EVP_MD_CTX_destroy(verf);
+
+    wolfSSL_RSA_free(prvRsa);
+    wolfSSL_RSA_free(pubRsa);
+    EVP_PKEY_free(pubPkey);
+    EVP_PKEY_free(prvPkey);
+
+#endif /* NO_RSA */
+    return 0;
+}
 #endif /* OPENSSL_EXTRA */
 
 
 #ifndef NO_PWDBASED
+#ifdef HAVE_SCRYPT
+/* Test vectors taken from RFC 7914: scrypt PBKDF - Section 12. */
+int scrypt_test(void)
+{
+    int   ret;
+    byte  derived[64];
+
+    const byte verify1[] = {
+        0x77, 0xd6, 0x57, 0x62, 0x38, 0x65, 0x7b, 0x20,
+        0x3b, 0x19, 0xca, 0x42, 0xc1, 0x8a, 0x04, 0x97,
+        0xf1, 0x6b, 0x48, 0x44, 0xe3, 0x07, 0x4a, 0xe8,
+        0xdf, 0xdf, 0xfa, 0x3f, 0xed, 0xe2, 0x14, 0x42,
+        0xfc, 0xd0, 0x06, 0x9d, 0xed, 0x09, 0x48, 0xf8,
+        0x32, 0x6a, 0x75, 0x3a, 0x0f, 0xc8, 0x1f, 0x17,
+        0xe8, 0xd3, 0xe0, 0xfb, 0x2e, 0x0d, 0x36, 0x28,
+        0xcf, 0x35, 0xe2, 0x0c, 0x38, 0xd1, 0x89, 0x06
+    };
+    const byte verify2[] = {
+        0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
+        0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
+        0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
+        0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
+        0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
+        0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
+        0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
+        0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
+    };
+#if !defined(BENCH_EMBEDDED) && !defined(HAVE_INTEL_QA)
+    const byte verify3[] = {
+        0x70, 0x23, 0xbd, 0xcb, 0x3a, 0xfd, 0x73, 0x48,
+        0x46, 0x1c, 0x06, 0xcd, 0x81, 0xfd, 0x38, 0xeb,
+        0xfd, 0xa8, 0xfb, 0xba, 0x90, 0x4f, 0x8e, 0x3e,
+        0xa9, 0xb5, 0x43, 0xf6, 0x54, 0x5d, 0xa1, 0xf2,
+        0xd5, 0x43, 0x29, 0x55, 0x61, 0x3f, 0x0f, 0xcf,
+        0x62, 0xd4, 0x97, 0x05, 0x24, 0x2a, 0x9a, 0xf9,
+        0xe6, 0x1e, 0x85, 0xdc, 0x0d, 0x65, 0x1e, 0x40,
+        0xdf, 0xcf, 0x01, 0x7b, 0x45, 0x57, 0x58, 0x87
+    };
+#endif
+#ifdef SCRYPT_TEST_ALL
+    /* Test case is very slow.
+     * Use for confirmation after code change or new platform.
+     */
+    const byte verify4[] = {
+        0x21, 0x01, 0xcb, 0x9b, 0x6a, 0x51, 0x1a, 0xae,
+        0xad, 0xdb, 0xbe, 0x09, 0xcf, 0x70, 0xf8, 0x81,
+        0xec, 0x56, 0x8d, 0x57, 0x4a, 0x2f, 0xfd, 0x4d,
+        0xab, 0xe5, 0xee, 0x98, 0x20, 0xad, 0xaa, 0x47,
+        0x8e, 0x56, 0xfd, 0x8f, 0x4b, 0xa5, 0xd0, 0x9f,
+        0xfa, 0x1c, 0x6d, 0x92, 0x7c, 0x40, 0xf4, 0xc3,
+        0x37, 0x30, 0x40, 0x49, 0xe8, 0xa9, 0x52, 0xfb,
+        0xcb, 0xf4, 0x5c, 0x6f, 0xa7, 0x7a, 0x41, 0xa4
+    };
+#endif
+
+    ret = wc_scrypt(derived, NULL, 0, NULL, 0, 4, 1, 1, sizeof(verify1));
+    if (ret != 0)
+        return -9000;
+    if (XMEMCMP(derived, verify1, sizeof(verify1)) != 0)
+        return -9001;
+
+    ret = wc_scrypt(derived, (byte*)"password", 8, (byte*)"NaCl", 4, 10, 8, 16,
+                    sizeof(verify2));
+    if (ret != 0)
+        return -9002;
+    if (XMEMCMP(derived, verify2, sizeof(verify2)) != 0)
+        return -9003;
+
+    /* Don't run these test on embedded, since they use large mallocs */
+#if !defined(BENCH_EMBEDDED) && !defined(HAVE_INTEL_QA)
+    ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                    (byte*)"SodiumChloride", 14, 14, 8, 1, sizeof(verify3));
+    if (ret != 0)
+        return -9004;
+    if (XMEMCMP(derived, verify3, sizeof(verify3)) != 0)
+        return -9005;
+
+#ifdef SCRYPT_TEST_ALL
+    ret = wc_scrypt(derived, (byte*)"pleaseletmein", 13,
+                    (byte*)"SodiumChloride", 14, 20, 8, 1, sizeof(verify4));
+    if (ret != 0)
+        return -9006;
+    if (XMEMCMP(derived, verify4, sizeof(verify4)) != 0)
+        return -9007;
+#endif
+#endif /* !BENCH_EMBEDDED && !HAVE_INTEL_QA */
+
+    ret = wc_scrypt_ex(derived, (byte*)"password", 8, (byte*)"NaCl", 4, 1<<10,
+                       8, 16, sizeof(verify2));
+    if (ret != 0)
+        return -9008;
+    if (XMEMCMP(derived, verify2, sizeof(verify2)) != 0)
+        return -9009;
 
+    return 0;
+}
+#endif
+
+#ifdef HAVE_PKCS12
 int pkcs12_test(void)
 {
     const byte passwd[] = { 0x00, 0x73, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x67,
@@ -4676,27 +17370,33 @@ int pkcs12_test(void)
     int kLen       = 24;
     int iterations =  1;
     int ret = wc_PKCS12_PBKDF(derived, passwd, sizeof(passwd), salt, 8,
-                                                  iterations, kLen, SHA256, id);
+                                                  iterations, kLen, WC_SHA256, id);
 
     if (ret < 0)
-        return -103;
+        return -9100;
 
-    if ( (ret = memcmp(derived, verify, kLen)) != 0)
-        return -104;
+    if ( (ret = XMEMCMP(derived, verify, kLen)) != 0)
+        return -9101;
 
     iterations = 1000;
     ret = wc_PKCS12_PBKDF(derived, passwd2, sizeof(passwd2), salt2, 8,
-                                                  iterations, kLen, SHA256, id);
+                                                  iterations, kLen, WC_SHA256, id);
     if (ret < 0)
-        return -105;
+        return -9102;
 
-    if ( (ret = memcmp(derived, verify2, 24)) != 0)
-        return -106;
+    ret = wc_PKCS12_PBKDF_ex(derived, passwd2, sizeof(passwd2), salt2, 8,
+                                       iterations, kLen, WC_SHA256, id, HEAP_HINT);
+    if (ret < 0)
+        return -9103;
+
+    if ( (ret = XMEMCMP(derived, verify2, 24)) != 0)
+        return -9104;
 
     return 0;
 }
+#endif /* HAVE_PKCS12 */
 
-
+#if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
 int pbkdf2_test(void)
 {
     char passwd[] = "passwordpassword";
@@ -4710,19 +17410,20 @@ int pbkdf2_test(void)
         0x2d, 0xd4, 0xf9, 0x37, 0xd4, 0x95, 0x16, 0xa7, 0x2a, 0x9a, 0x21, 0xd1
     };
 
-    int ret = wc_PBKDF2(derived, (byte*)passwd, (int)strlen(passwd), salt, 8,
-                                                      iterations, kLen, SHA256);
+    int ret = wc_PBKDF2_ex(derived, (byte*)passwd, (int)XSTRLEN(passwd), salt,
+              (int)sizeof(salt), iterations, kLen, WC_SHA256, HEAP_HINT, devId);
     if (ret != 0)
         return ret;
 
-    if (memcmp(derived, verify, sizeof(verify)) != 0)
-        return -102;
+    if (XMEMCMP(derived, verify, sizeof(verify)) != 0)
+        return -9200;
 
     return 0;
-}
 
+}
+#endif /* HAVE_PBKDF2 && !NO_SHA256 */
 
-#ifndef NO_SHA
+#if defined(HAVE_PBKDF1) && !defined(NO_SHA)
 int pbkdf1_test(void)
 {
     char passwd[] = "password";
@@ -4732,30 +17433,48 @@ int pbkdf1_test(void)
     byte  derived[16];
 
     const byte verify[] = {
-        0xDC, 0x19, 0x84, 0x7E, 0x05, 0xC6, 0x4D, 0x2F, 0xAF, 0x10, 0xEB, 0xFB,
-        0x4A, 0x3D, 0x2A, 0x20
+        0xDC, 0x19, 0x84, 0x7E, 0x05, 0xC6, 0x4D, 0x2F,
+        0xAF, 0x10, 0xEB, 0xFB, 0x4A, 0x3D, 0x2A, 0x20
     };
 
-    wc_PBKDF1(derived, (byte*)passwd, (int)strlen(passwd), salt, 8, iterations,
-           kLen, SHA);
+    int ret = wc_PBKDF1_ex(derived, kLen, NULL, 0, (byte*)passwd,
+        (int)XSTRLEN(passwd), salt, (int)sizeof(salt), iterations, WC_SHA,
+        HEAP_HINT);
+    if (ret != 0)
+        return ret;
 
-    if (memcmp(derived, verify, sizeof(verify)) != 0)
-        return -101;
+    if (XMEMCMP(derived, verify, sizeof(verify)) != 0)
+        return -9300;
 
     return 0;
 }
-#endif
-
+#endif /* HAVE_PBKDF2 && !NO_SHA */
 
 int pwdbased_test(void)
 {
    int ret = 0;
-#ifndef NO_SHA
-   ret += pbkdf1_test();
-#endif
-   ret += pbkdf2_test();
 
-   return ret + pkcs12_test();
+#if defined(HAVE_PBKDF1) && !defined(NO_SHA)
+   ret = pbkdf1_test();
+   if (ret != 0)
+      return ret;
+#endif
+#if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
+   ret = pbkdf2_test();
+   if (ret != 0)
+      return ret;
+#endif
+#ifdef HAVE_PKCS12
+   ret = pkcs12_test();
+   if (ret != 0)
+      return ret;
+#endif
+#ifdef HAVE_SCRYPT
+   ret = scrypt_test();
+   if (ret != 0)
+      return ret;
+#endif
+   return ret;
 }
 
 #endif /* NO_PWDBASED */
@@ -4807,40 +17526,40 @@ int hkdf_test(void)
     (void)info1;
 
 #ifndef NO_SHA
-    ret = wc_HKDF(SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
+    ret = wc_HKDF(WC_SHA, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
     if (ret != 0)
-        return -2001;
+        return -9500;
 
-    if (memcmp(okm1, res1, L) != 0)
-        return -2002;
+    if (XMEMCMP(okm1, res1, L) != 0)
+        return -9501;
 
 #ifndef HAVE_FIPS
     /* fips can't have key size under 14 bytes, salt is key too */
-    ret = wc_HKDF(SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L);
+    ret = wc_HKDF(WC_SHA, ikm1, 11, salt1, 13, info1, 10, okm1, L);
     if (ret != 0)
-        return -2003;
+        return -9502;
 
-    if (memcmp(okm1, res2, L) != 0)
-        return -2004;
+    if (XMEMCMP(okm1, res2, L) != 0)
+        return -9503;
 #endif /* HAVE_FIPS */
 #endif /* NO_SHA */
 
 #ifndef NO_SHA256
-    ret = wc_HKDF(SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
+    ret = wc_HKDF(WC_SHA256, ikm1, 22, NULL, 0, NULL, 0, okm1, L);
     if (ret != 0)
-        return -2005;
+        return -9504;
 
-    if (memcmp(okm1, res3, L) != 0)
-        return -2006;
+    if (XMEMCMP(okm1, res3, L) != 0)
+        return -9505;
 
 #ifndef HAVE_FIPS
     /* fips can't have key size under 14 bytes, salt is key too */
-    ret = wc_HKDF(SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L);
+    ret = wc_HKDF(WC_SHA256, ikm1, 22, salt1, 13, info1, 10, okm1, L);
     if (ret != 0)
-        return -2007;
+        return -9506;
 
-    if (memcmp(okm1, res4, L) != 0)
-        return -2007;
+    if (XMEMCMP(okm1, res4, L) != 0)
+        return -9507;
 #endif /* HAVE_FIPS */
 #endif /* NO_SHA256 */
 
@@ -4850,279 +17569,2553 @@ int hkdf_test(void)
 #endif /* HAVE_HKDF */
 
 
+#if defined(HAVE_ECC) && defined(HAVE_X963_KDF)
+
+int x963kdf_test(void)
+{
+    int ret;
+    byte kek[128];
+
+#ifndef NO_SHA
+    /* SHA-1, COUNT = 0
+     * shared secret length: 192
+     * SharedInfo length: 0
+     * key data length: 128
+     */
+    const byte Z[] = {
+        0x1c, 0x7d, 0x7b, 0x5f, 0x05, 0x97, 0xb0, 0x3d,
+        0x06, 0xa0, 0x18, 0x46, 0x6e, 0xd1, 0xa9, 0x3e,
+        0x30, 0xed, 0x4b, 0x04, 0xdc, 0x64, 0xcc, 0xdd
+    };
+
+    const byte verify[] = {
+        0xbf, 0x71, 0xdf, 0xfd, 0x8f, 0x4d, 0x99, 0x22,
+        0x39, 0x36, 0xbe, 0xb4, 0x6f, 0xee, 0x8c, 0xcc
+    };
+#endif
+
+#ifndef NO_SHA256
+    /* SHA-256, COUNT = 3
+     * shared secret length: 192
+     * SharedInfo length: 0
+     * key data length: 128
+     */
+    const byte Z2[] = {
+        0xd3, 0x8b, 0xdb, 0xe5, 0xc4, 0xfc, 0x16, 0x4c,
+        0xdd, 0x96, 0x7f, 0x63, 0xc0, 0x4f, 0xe0, 0x7b,
+        0x60, 0xcd, 0xe8, 0x81, 0xc2, 0x46, 0x43, 0x8c
+    };
+
+    const byte verify2[] = {
+        0x5e, 0x67, 0x4d, 0xb9, 0x71, 0xba, 0xc2, 0x0a,
+        0x80, 0xba, 0xd0, 0xd4, 0x51, 0x4d, 0xc4, 0x84
+    };
+#endif
+
+#ifdef WOLFSSL_SHA512
+    /* SHA-512, COUNT = 0
+     * shared secret length: 192
+     * SharedInfo length: 0
+     * key data length: 128
+     */
+    const byte Z3[] = {
+        0x87, 0xfc, 0x0d, 0x8c, 0x44, 0x77, 0x48, 0x5b,
+        0xb5, 0x74, 0xf5, 0xfc, 0xea, 0x26, 0x4b, 0x30,
+        0x88, 0x5d, 0xc8, 0xd9, 0x0a, 0xd8, 0x27, 0x82
+    };
+
+    const byte verify3[] = {
+        0x94, 0x76, 0x65, 0xfb, 0xb9, 0x15, 0x21, 0x53,
+        0xef, 0x46, 0x02, 0x38, 0x50, 0x6a, 0x02, 0x45
+    };
+
+    /* SHA-512, COUNT = 0
+     * shared secret length: 521
+     * SharedInfo length: 128
+     * key data length: 1024
+     */
+    const byte Z4[] = {
+        0x00, 0xaa, 0x5b, 0xb7, 0x9b, 0x33, 0xe3, 0x89,
+        0xfa, 0x58, 0xce, 0xad, 0xc0, 0x47, 0x19, 0x7f,
+        0x14, 0xe7, 0x37, 0x12, 0xf4, 0x52, 0xca, 0xa9,
+        0xfc, 0x4c, 0x9a, 0xdb, 0x36, 0x93, 0x48, 0xb8,
+        0x15, 0x07, 0x39, 0x2f, 0x1a, 0x86, 0xdd, 0xfd,
+        0xb7, 0xc4, 0xff, 0x82, 0x31, 0xc4, 0xbd, 0x0f,
+        0x44, 0xe4, 0x4a, 0x1b, 0x55, 0xb1, 0x40, 0x47,
+        0x47, 0xa9, 0xe2, 0xe7, 0x53, 0xf5, 0x5e, 0xf0,
+        0x5a, 0x2d
+    };
+
+    const byte info4[] = {
+        0xe3, 0xb5, 0xb4, 0xc1, 0xb0, 0xd5, 0xcf, 0x1d,
+        0x2b, 0x3a, 0x2f, 0x99, 0x37, 0x89, 0x5d, 0x31
+    };
+
+    const byte verify4[] = {
+        0x44, 0x63, 0xf8, 0x69, 0xf3, 0xcc, 0x18, 0x76,
+        0x9b, 0x52, 0x26, 0x4b, 0x01, 0x12, 0xb5, 0x85,
+        0x8f, 0x7a, 0xd3, 0x2a, 0x5a, 0x2d, 0x96, 0xd8,
+        0xcf, 0xfa, 0xbf, 0x7f, 0xa7, 0x33, 0x63, 0x3d,
+        0x6e, 0x4d, 0xd2, 0xa5, 0x99, 0xac, 0xce, 0xb3,
+        0xea, 0x54, 0xa6, 0x21, 0x7c, 0xe0, 0xb5, 0x0e,
+        0xef, 0x4f, 0x6b, 0x40, 0xa5, 0xc3, 0x02, 0x50,
+        0xa5, 0xa8, 0xee, 0xee, 0x20, 0x80, 0x02, 0x26,
+        0x70, 0x89, 0xdb, 0xf3, 0x51, 0xf3, 0xf5, 0x02,
+        0x2a, 0xa9, 0x63, 0x8b, 0xf1, 0xee, 0x41, 0x9d,
+        0xea, 0x9c, 0x4f, 0xf7, 0x45, 0xa2, 0x5a, 0xc2,
+        0x7b, 0xda, 0x33, 0xca, 0x08, 0xbd, 0x56, 0xdd,
+        0x1a, 0x59, 0xb4, 0x10, 0x6c, 0xf2, 0xdb, 0xbc,
+        0x0a, 0xb2, 0xaa, 0x8e, 0x2e, 0xfa, 0x7b, 0x17,
+        0x90, 0x2d, 0x34, 0x27, 0x69, 0x51, 0xce, 0xcc,
+        0xab, 0x87, 0xf9, 0x66, 0x1c, 0x3e, 0x88, 0x16
+    };
+#endif
+
+#ifndef NO_SHA
+    ret = wc_X963_KDF(WC_HASH_TYPE_SHA, Z, sizeof(Z), NULL, 0,
+                      kek, sizeof(verify));
+    if (ret != 0)
+        return -9600;
+
+    if (XMEMCMP(verify, kek, sizeof(verify)) != 0)
+        return -9601;
+#endif
+
+#ifndef NO_SHA256
+    ret = wc_X963_KDF(WC_HASH_TYPE_SHA256, Z2, sizeof(Z2), NULL, 0,
+                      kek, sizeof(verify2));
+    if (ret != 0)
+        return -9602;
+
+    if (XMEMCMP(verify2, kek, sizeof(verify2)) != 0)
+        return -9603;
+#endif
+
+#ifdef WOLFSSL_SHA512
+    ret = wc_X963_KDF(WC_HASH_TYPE_SHA512, Z3, sizeof(Z3), NULL, 0,
+                      kek, sizeof(verify3));
+    if (ret != 0)
+        return -9604;
+
+    if (XMEMCMP(verify3, kek, sizeof(verify3)) != 0)
+        return -9605;
+
+    ret = wc_X963_KDF(WC_HASH_TYPE_SHA512, Z4, sizeof(Z4), info4,
+                      sizeof(info4), kek, sizeof(verify4));
+    if (ret != 0)
+        return -9606;
+
+    if (XMEMCMP(verify4, kek, sizeof(verify4)) != 0)
+        return -9607;
+#endif
+
+    return 0;
+}
+
+#endif /* HAVE_X963_KDF */
+
+
 #ifdef HAVE_ECC
 
-typedef struct rawEccVector {
-    const char* msg;
+#ifdef BENCH_EMBEDDED
+    #define ECC_SHARED_SIZE 128
+#else
+    #define ECC_SHARED_SIZE MAX_ECC_BYTES
+#endif
+#define ECC_DIGEST_SIZE     MAX_ECC_BYTES
+#define ECC_SIG_SIZE        ECC_MAX_SIG_SIZE
+
+#ifndef NO_ECC_VECTOR_TEST
+    #if (defined(HAVE_ECC192) || defined(HAVE_ECC224) ||\
+         !defined(NO_ECC256) || defined(HAVE_ECC384) ||\
+         defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
+        #define HAVE_ECC_VECTOR_TEST
+    #endif
+#endif
+
+#ifdef HAVE_ECC_VECTOR_TEST
+typedef struct eccVector {
+    const char* msg; /* SHA-1 Encoded Message */
     const char* Qx;
     const char* Qy;
-    const char* d;
+    const char* d; /* Private Key */
     const char* R;
     const char* S;
     const char* curveName;
-    size_t msgLen;
-} rawEccVector;
+    word32 msgLen;
+    word32 keySize;
+#ifndef NO_ASN
+    const byte* r;
+    word32      rSz;
+    const byte* s;
+    word32      sSz;
+#endif
+} eccVector;
 
-int ecc_test(void)
+static int ecc_test_vector_item(const eccVector* vector)
 {
-    RNG     rng;
-    byte    sharedA[1024];
-    byte    sharedB[1024];
-    byte    sig[1024];
-    byte    digest[20];
-    byte    exportBuf[1024];
-    word32  x, y;
-    int     i, verify, ret;
-    ecc_key userA, userB, pubKey;
+    int ret = 0, verify = 0;
+    word32  sigSz;
+    ecc_key userA;
+    DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
+#if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
+    word32  sigRawSz;
+    DECLARE_VAR(sigRaw, byte, ECC_SIG_SIZE, HEAP_HINT);
+#endif
 
-    ret = wc_InitRng(&rng);
+    ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
+    if (ret != 0) {
+        FREE_VAR(sig, HEAP_HINT);
+        return ret;
+    }
+
+    ret = wc_ecc_import_raw(&userA, vector->Qx, vector->Qy,
+                                                  vector->d, vector->curveName);
+    if (ret != 0)
+        goto done;
+
+    XMEMSET(sig, 0, ECC_SIG_SIZE);
+    sigSz = ECC_SIG_SIZE;
+    ret = wc_ecc_rs_to_sig(vector->R, vector->S, sig, &sigSz);
+    if (ret != 0)
+        goto done;
+
+#if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
+    XMEMSET(sigRaw, 0, ECC_SIG_SIZE);
+    sigRawSz = ECC_SIG_SIZE;
+    ret = wc_ecc_rs_raw_to_sig(vector->r, vector->rSz, vector->s, vector->sSz,
+                                                             sigRaw, &sigRawSz);
+    if (ret != 0)
+        goto done;
+
+    if (sigSz != sigRawSz || XMEMCMP(sig, sigRaw, sigSz) != 0) {
+        ret = -9608;
+        goto done;
+    }
+#endif
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_verify_hash(sig, sigSz, (byte*)vector->msg,
+                                               vector->msgLen, &verify, &userA);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0)
+        goto done;
+    TEST_SLEEP();
+
+    if (verify != 1)
+        ret = -9609;
+
+done:
+    wc_ecc_free(&userA);
+
+#if !defined(NO_ASN) && !defined(HAVE_SELFTEST)
+    FREE_VAR(sigRaw, HEAP_HINT);
+#endif
+    FREE_VAR(sig, HEAP_HINT);
+
+    return ret;
+}
+
+static int ecc_test_vector(int keySize)
+{
+    int     ret;
+    eccVector vec;
+
+    XMEMSET(&vec, 0, sizeof(vec));
+    vec.keySize = (word32)keySize;
+
+    switch(keySize) {
+
+#if defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)
+    case 14:
+        return 0;
+#endif /* HAVE_ECC112 */
+#if defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)
+    case 16:
+        return 0;
+#endif /* HAVE_ECC128 */
+#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
+    case 20:
+        return 0;
+#endif /* HAVE_ECC160 */
+
+#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
+    case 24:
+        /* first [P-192,SHA-1] vector from FIPS 186-3 NIST vectors */
+        #if 1
+            vec.msg = "\x60\x80\x79\x42\x3f\x12\x42\x1d\xe6\x16\xb7\x49\x3e\xbe\x55\x1c\xf4\xd6\x5b\x92";
+            vec.msgLen = 20;
+        #else
+            /* This is the raw message prior to SHA-1 */
+            vec.msg =
+                "\xeb\xf7\x48\xd7\x48\xeb\xbc\xa7\xd2\x9f\xb4\x73\x69\x8a\x6e\x6b"
+                "\x4f\xb1\x0c\x86\x5d\x4a\xf0\x24\xcc\x39\xae\x3d\xf3\x46\x4b\xa4"
+                "\xf1\xd6\xd4\x0f\x32\xbf\x96\x18\xa9\x1b\xb5\x98\x6f\xa1\xa2\xaf"
+                "\x04\x8a\x0e\x14\xdc\x51\xe5\x26\x7e\xb0\x5e\x12\x7d\x68\x9d\x0a"
+                "\xc6\xf1\xa7\xf1\x56\xce\x06\x63\x16\xb9\x71\xcc\x7a\x11\xd0\xfd"
+                "\x7a\x20\x93\xe2\x7c\xf2\xd0\x87\x27\xa4\xe6\x74\x8c\xc3\x2f\xd5"
+                "\x9c\x78\x10\xc5\xb9\x01\x9d\xf2\x1c\xdc\xc0\xbc\xa4\x32\xc0\xa3"
+                "\xee\xd0\x78\x53\x87\x50\x88\x77\x11\x43\x59\xce\xe4\xa0\x71\xcf";
+            vec.msgLen = 128;
+        #endif
+        vec.Qx  = "07008ea40b08dbe76432096e80a2494c94982d2d5bcf98e6";
+        vec.Qy  = "76fab681d00b414ea636ba215de26d98c41bd7f2e4d65477";
+        vec.d   = "e14f37b3d1374ff8b03f41b9b3fdd2f0ebccf275d660d7f3";
+        vec.R   = "6994d962bdd0d793ffddf855ec5bf2f91a9698b46258a63e";
+        vec.S   = "02ba6465a234903744ab02bc8521405b73cf5fc00e1a9f41";
+        vec.curveName = "SECP192R1";
+    #ifndef NO_ASN
+        vec.r   = (byte*)"\x69\x94\xd9\x62\xbd\xd0\xd7\x93\xff\xdd\xf8\x55"
+                         "\xec\x5b\xf2\xf9\x1a\x96\x98\xb4\x62\x58\xa6\x3e";
+        vec.rSz = 24;
+        vec.s   = (byte*)"\x02\xba\x64\x65\xa2\x34\x90\x37\x44\xab\x02\xbc"
+                         "\x85\x21\x40\x5b\x73\xcf\x5f\xc0\x0e\x1a\x9f\x41";
+        vec.sSz = 24;
+    #endif
+        break;
+#endif /* HAVE_ECC192 */
+
+#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+    case 28:
+        /* first [P-224,SHA-1] vector from FIPS 186-3 NIST vectors */
+        #if 1
+            vec.msg = "\xb9\xa3\xb8\x6d\xb0\xba\x99\xfd\xc6\xd2\x94\x6b\xfe\xbe\x9c\xe8\x3f\x10\x74\xfc";
+            vec.msgLen = 20;
+        #else
+            /* This is the raw message prior to SHA-1 */
+            vec.msg =
+                "\x36\xc8\xb2\x29\x86\x48\x7f\x67\x7c\x18\xd0\x97\x2a\x9e\x20\x47"
+                "\xb3\xaf\xa5\x9e\xc1\x62\x76\x4e\xc3\x0b\x5b\x69\xe0\x63\x0f\x99"
+                "\x0d\x4e\x05\xc2\x73\xb0\xe5\xa9\xd4\x28\x27\xb6\x95\xfc\x2d\x64"
+                "\xd9\x13\x8b\x1c\xf4\xc1\x21\x55\x89\x4c\x42\x13\x21\xa7\xbb\x97"
+                "\x0b\xdc\xe0\xfb\xf0\xd2\xae\x85\x61\xaa\xd8\x71\x7f\x2e\x46\xdf"
+                "\xe3\xff\x8d\xea\xb4\xd7\x93\x23\x56\x03\x2c\x15\x13\x0d\x59\x9e"
+                "\x26\xc1\x0f\x2f\xec\x96\x30\x31\xac\x69\x38\xa1\x8d\x66\x45\x38"
+                "\xb9\x4d\xac\x55\x34\xef\x7b\x59\x94\x24\xd6\x9b\xe1\xf7\x1c\x20";
+            vec.msgLen = 128;
+        #endif
+        vec.Qx  = "8a4dca35136c4b70e588e23554637ae251077d1365a6ba5db9585de7";
+        vec.Qy  = "ad3dee06de0be8279d4af435d7245f14f3b4f82eb578e519ee0057b1";
+        vec.d   = "97c4b796e1639dd1035b708fc00dc7ba1682cec44a1002a1a820619f";
+        vec.R   = "147b33758321e722a0360a4719738af848449e2c1d08defebc1671a7";
+        vec.S   = "24fc7ed7f1352ca3872aa0916191289e2e04d454935d50fe6af3ad5b";
+        vec.curveName = "SECP224R1";
+    #ifndef NO_ASN
+        vec.r   = (byte*)"\x14\x7b\x33\x75\x83\x21\xe7\x22\xa0\x36\x0a\x47"
+                         "\x19\x73\x8a\xf8\x48\x44\x9e\x2c\x1d\x08\xde\xfe"
+                         "\xbc\x16\x71\xa7";
+        vec.rSz = 28;
+        vec.s   = (byte*)"\x24\xfc\x7e\xd7\xf1\x35\x2c\xa3\x87\x2a\xa0\x91"
+                         "\x61\x91\x28\x9e\x2e\x04\xd4\x54\x93\x5d\x50\xfe"
+                         "\x6a\xf3\xad\x5b";
+        vec.sSz = 28;
+    #endif
+        break;
+#endif /* HAVE_ECC224 */
+
+#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
+    case 30:
+        return 0;
+#endif /* HAVE_ECC239 */
+
+#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+    case 32:
+        /* first [P-256,SHA-1] vector from FIPS 186-3 NIST vectors */
+        #if 1
+            vec.msg = "\xa3\xf9\x1a\xe2\x1b\xa6\xb3\x03\x98\x64\x47\x2f\x18\x41\x44\xc6\xaf\x62\xcd\x0e";
+            vec.msgLen = 20;
+        #else
+            /* This is the raw message prior to SHA-1 */
+            vec.msg =
+                "\xa2\x4b\x21\x76\x2e\x6e\xdb\x15\x3c\xc1\x14\x38\xdb\x0e\x92\xcd"
+                "\xf5\x2b\x86\xb0\x6c\xa9\x70\x16\x06\x27\x59\xc7\x0d\x36\xd1\x56"
+                "\x2c\xc9\x63\x0d\x7f\xc7\xc7\x74\xb2\x8b\x54\xe3\x1e\xf5\x58\x72"
+                "\xb2\xa6\x5d\xf1\xd7\xec\x26\xde\xbb\x33\xe7\xd9\x27\xef\xcc\xf4"
+                "\x6b\x63\xde\x52\xa4\xf4\x31\xea\xca\x59\xb0\x5d\x2e\xde\xc4\x84"
+                "\x5f\xff\xc0\xee\x15\x03\x94\xd6\x1f\x3d\xfe\xcb\xcd\xbf\x6f\x5a"
+                "\x73\x38\xd0\xbe\x3f\x2a\x77\x34\x51\x98\x3e\xba\xeb\x48\xf6\x73"
+                "\x8f\xc8\x95\xdf\x35\x7e\x1a\x48\xa6\x53\xbb\x35\x5a\x31\xa1\xb4"
+            vec.msgLen = 128;
+        #endif
+        vec.Qx  = "fa2737fb93488d19caef11ae7faf6b7f4bcd67b286e3fc54e8a65c2b74aeccb0";
+        vec.Qy  = "d4ccd6dae698208aa8c3a6f39e45510d03be09b2f124bfc067856c324f9b4d09";
+        vec.d   = "be34baa8d040a3b991f9075b56ba292f755b90e4b6dc10dad36715c33cfdac25";
+        vec.R   = "2b826f5d44e2d0b6de531ad96b51e8f0c56fdfead3c236892e4d84eacfc3b75c";
+        vec.S   = "a2248b62c03db35a7cd63e8a120a3521a89d3d2f61ff99035a2148ae32e3a248";
+    #ifndef NO_ASN
+        vec.r   = (byte*)"\x2b\x82\x6f\x5d\x44\xe2\xd0\xb6\xde\x53\x1a\xd9"
+                         "\x6b\x51\xe8\xf0\xc5\x6f\xdf\xea\xd3\xc2\x36\x89"
+                         "\x2e\x4d\x84\xea\xcf\xc3\xb7\x5c";
+        vec.rSz = 32;
+        vec.s   = (byte*)"\xa2\x24\x8b\x62\xc0\x3d\xb3\x5a\x7c\xd6\x3e\x8a"
+                         "\x12\x0a\x35\x21\xa8\x9d\x3d\x2f\x61\xff\x99\x03"
+                         "\x5a\x21\x48\xae\x32\xe3\xa2\x48";
+        vec.sSz = 32;
+    #endif
+        vec.curveName = "SECP256R1";
+        break;
+#endif /* !NO_ECC256 */
+
+#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
+    case 40:
+        return 0;
+#endif /* HAVE_ECC320 */
+
+#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
+    case 48:
+        /* first [P-384,SHA-1] vector from FIPS 186-3 NIST vectors */
+        #if 1
+            vec.msg = "\x9b\x9f\x8c\x95\x35\xa5\xca\x26\x60\x5d\xb7\xf2\xfa\x57\x3b\xdf\xc3\x2e\xab\x8b";
+            vec.msgLen = 20;
+        #else
+            /* This is the raw message prior to SHA-1 */
+            vec.msg =
+                "\xab\xe1\x0a\xce\x13\xe7\xe1\xd9\x18\x6c\x48\xf7\x88\x9d\x51\x47"
+                "\x3d\x3a\x09\x61\x98\x4b\xc8\x72\xdf\x70\x8e\xcc\x3e\xd3\xb8\x16"
+                "\x9d\x01\xe3\xd9\x6f\xc4\xf1\xd5\xea\x00\xa0\x36\x92\xbc\xc5\xcf"
+                "\xfd\x53\x78\x7c\x88\xb9\x34\xaf\x40\x4c\x03\x9d\x32\x89\xb5\xba"
+                "\xc5\xae\x7d\xb1\x49\x68\x75\xb5\xdc\x73\xc3\x09\xf9\x25\xc1\x3d"
+                "\x1c\x01\xab\xda\xaf\xeb\xcd\xac\x2c\xee\x43\x39\x39\xce\x8d\x4a"
+                "\x0a\x5d\x57\xbb\x70\x5f\x3b\xf6\xec\x08\x47\x95\x11\xd4\xb4\xa3"
+                "\x21\x1f\x61\x64\x9a\xd6\x27\x43\x14\xbf\x0d\x43\x8a\x81\xe0\x60"
+            vec.msgLen = 128;
+        #endif
+        vec.Qx  = "e55fee6c49d8d523f5ce7bf9c0425ce4ff650708b7de5cfb095901523979a7f042602db30854735369813b5c3f5ef868";
+        vec.Qy  = "28f59cc5dc509892a988d38a8e2519de3d0c4fd0fbdb0993e38f18506c17606c5e24249246f1ce94983a5361c5be983e";
+        vec.d   = "a492ce8fa90084c227e1a32f7974d39e9ff67a7e8705ec3419b35fb607582bebd461e0b1520ac76ec2dd4e9b63ebae71";
+        vec.R   = "6820b8585204648aed63bdff47f6d9acebdea62944774a7d14f0e14aa0b9a5b99545b2daee6b3c74ebf606667a3f39b7";
+        vec.S   = "491af1d0cccd56ddd520b233775d0bc6b40a6255cc55207d8e9356741f23c96c14714221078dbd5c17f4fdd89b32a907";
+        vec.curveName = "SECP384R1";
+    #ifndef NO_ASN
+        vec.r   = (byte*)"\x68\x20\xb8\x58\x52\x04\x64\x8a\xed\x63\xbd\xff"
+                         "\x47\xf6\xd9\xac\xeb\xde\xa6\x29\x44\x77\x4a\x7d"
+                         "\x14\xf0\xe1\x4a\xa0\xb9\xa5\xb9\x95\x45\xb2\xda"
+                         "\xee\x6b\x3c\x74\xeb\xf6\x06\x66\x7a\x3f\x39\xb7";
+        vec.rSz = 48;
+        vec.s   = (byte*)"\x49\x1a\xf1\xd0\xcc\xcd\x56\xdd\xd5\x20\xb2\x33"
+                         "\x77\x5d\x0b\xc6\xb4\x0a\x62\x55\xcc\x55\x20\x7d"
+                         "\x8e\x93\x56\x74\x1f\x23\xc9\x6c\x14\x71\x42\x21"
+                         "\x07\x8d\xbd\x5c\x17\xf4\xfd\xd8\x9b\x32\xa9\x07";
+        vec.sSz = 48;
+    #endif
+        break;
+#endif /* HAVE_ECC384 */
+
+#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
+    case 64:
+        return 0;
+#endif /* HAVE_ECC512 */
+
+#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
+    case 66:
+        /* first [P-521,SHA-1] vector from FIPS 186-3 NIST vectors */
+        #if 1
+            vec.msg = "\x1b\xf7\x03\x9c\xca\x23\x94\x27\x3f\x11\xa1\xd4\x8d\xcc\xb4\x46\x6f\x31\x61\xdf";
+            vec.msgLen = 20;
+        #else
+            /* This is the raw message prior to SHA-1 */
+            vec.msg =
+                "\x50\x3f\x79\x39\x34\x0a\xc7\x23\xcd\x4a\x2f\x4e\x6c\xcc\x27\x33"
+                "\x38\x3a\xca\x2f\xba\x90\x02\x19\x9d\x9e\x1f\x94\x8b\xe0\x41\x21"
+                "\x07\xa3\xfd\xd5\x14\xd9\x0c\xd4\xf3\x7c\xc3\xac\x62\xef\x00\x3a"
+                "\x2d\xb1\xd9\x65\x7a\xb7\x7f\xe7\x55\xbf\x71\xfa\x59\xe4\xd9\x6e"
+                "\xa7\x2a\xe7\xbf\x9d\xe8\x7d\x79\x34\x3b\xc1\xa4\xbb\x14\x4d\x16"
+                "\x28\xd1\xe9\xe9\xc8\xed\x80\x8b\x96\x2c\x54\xe5\xf9\x6d\x53\xda"
+                "\x14\x7a\x96\x38\xf9\x4a\x91\x75\xd8\xed\x61\x05\x5f\x0b\xa5\x73"
+                "\xa8\x2b\xb7\xe0\x18\xee\xda\xc4\xea\x7b\x36\x2e\xc8\x9c\x38\x2b"
+            vec.msgLen = 128;
+        #endif
+        vec.Qx  = "12fbcaeffa6a51f3ee4d3d2b51c5dec6d7c726ca353fc014ea2bf7cfbb9b910d32cbfa6a00fe39b6cdb8946f22775398b2e233c0cf144d78c8a7742b5c7a3bb5d23";
+        vec.Qy  = "09cdef823dd7bf9a79e8cceacd2e4527c231d0ae5967af0958e931d7ddccf2805a3e618dc3039fec9febbd33052fe4c0fee98f033106064982d88f4e03549d4a64d";
+        vec.d   = "1bd56bd106118eda246155bd43b42b8e13f0a6e25dd3bb376026fab4dc92b6157bc6dfec2d15dd3d0cf2a39aa68494042af48ba9601118da82c6f2108a3a203ad74";
+        vec.R   = "0bd117b4807710898f9dd7778056485777668f0e78e6ddf5b000356121eb7a220e9493c7f9a57c077947f89ac45d5acb6661bbcd17abb3faea149ba0aa3bb1521be";
+        vec.S   = "019cd2c5c3f9870ecdeb9b323abdf3a98cd5e231d85c6ddc5b71ab190739f7f226e6b134ba1d5889ddeb2751dabd97911dff90c34684cdbe7bb669b6c3d22f2480c";
+        vec.curveName = "SECP521R1";
+    #ifndef NO_ASN
+        vec.r   = (byte*)"\x00\xbd\x11\x7b\x48\x07\x71\x08\x98\xf9\xdd\x77"
+                         "\x78\x05\x64\x85\x77\x76\x68\xf0\xe7\x8e\x6d\xdf"
+                         "\x5b\x00\x03\x56\x12\x1e\xb7\xa2\x20\xe9\x49\x3c"
+                         "\x7f\x9a\x57\xc0\x77\x94\x7f\x89\xac\x45\xd5\xac"
+                         "\xb6\x66\x1b\xbc\xd1\x7a\xbb\x3f\xae\xa1\x49\xba"
+                         "\x0a\xa3\xbb\x15\x21\xbe";
+        vec.rSz = 66;
+        vec.s   = (byte*)"\x00\x19\xcd\x2c\x5c\x3f\x98\x70\xec\xde\xb9\xb3"
+                         "\x23\xab\xdf\x3a\x98\xcd\x5e\x23\x1d\x85\xc6\xdd"
+                         "\xc5\xb7\x1a\xb1\x90\x73\x9f\x7f\x22\x6e\x6b\x13"
+                         "\x4b\xa1\xd5\x88\x9d\xde\xb2\x75\x1d\xab\xd9\x79"
+                         "\x11\xdf\xf9\x0c\x34\x68\x4c\xdb\xe7\xbb\x66\x9b"
+                         "\x6c\x3d\x22\xf2\x48\x0c";
+        vec.sSz = 66;
+    #endif
+        break;
+#endif /* HAVE_ECC521 */
+    default:
+        return NOT_COMPILED_IN; /* Invalid key size / Not supported */
+    }; /* Switch */
+
+    ret = ecc_test_vector_item(&vec);
+    if (ret < 0) {
+        return ret;
+    }
+
+    return 0;
+}
+
+#if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K)
+static int ecc_test_sign_vectors(WC_RNG* rng)
+{
+    int ret;
+    ecc_key key;
+    byte sig[72];
+    word32 sigSz;
+    unsigned char hash[32] = "test wolfSSL deterministic sign";
+    const char* dIUT =   "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534";
+    const char* QIUTx =  "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230";
+    const char* QIUTy =  "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141";
+    const byte k[1] = { 0x02 };
+    const byte expSig[71] = {
+        0x30, 0x45, 0x02, 0x20, 0x7c, 0xf2, 0x7b, 0x18,
+        0x8d, 0x03, 0x4f, 0x7e, 0x8a, 0x52, 0x38, 0x03,
+        0x04, 0xb5, 0x1a, 0xc3, 0xc0, 0x89, 0x69, 0xe2,
+        0x77, 0xf2, 0x1b, 0x35, 0xa6, 0x0b, 0x48, 0xfc,
+        0x47, 0x66, 0x99, 0x78, 0x02, 0x21, 0x00, 0xa8,
+        0x43, 0xa0, 0xce, 0x6c, 0x5e, 0x17, 0x8a, 0x53,
+        0x4d, 0xaf, 0xd2, 0x95, 0x78, 0x9f, 0x84, 0x4f,
+        0x94, 0xb8, 0x75, 0xa3, 0x19, 0xa5, 0xd4, 0xdf,
+        0xe1, 0xd4, 0x5e, 0x9d, 0x97, 0xfe, 0x81
+    };
+
+    ret = wc_ecc_init_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        return ret;
+    }
+    ret = wc_ecc_import_raw(&key, QIUTx, QIUTy, dIUT, "SECP256R1");
+    if (ret != 0) {
+        goto done;
+    }
+
+    ret = wc_ecc_sign_set_k(k, sizeof(k), &key);
+    if (ret != 0) {
+        goto done;
+    }
+
+    sigSz = sizeof(sig);
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, &key);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        goto done;
+    }
+    TEST_SLEEP();
+
+    if (sigSz != sizeof(expSig)) {
+        ret = -9610;
+        goto done;
+    }
+    if (XMEMCMP(sig, expSig, sigSz) != 0) {
+        ret = -9611;
+        goto done;
+    }
+
+    sigSz = sizeof(sig);
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(hash, sizeof(hash), sig, &sigSz, rng, &key);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        goto done;
+    }
+    TEST_SLEEP();
+
+done:
+    wc_ecc_free(&key);
+    return ret;
+}
+#endif
+
+#ifdef HAVE_ECC_CDH
+static int ecc_test_cdh_vectors(void)
+{
+    int ret;
+    ecc_key pub_key, priv_key;
+    byte    sharedA[32] = {0}, sharedB[32] = {0};
+    word32  x, z;
+
+    const char* QCAVSx = "700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287";
+    const char* QCAVSy = "db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac";
+    const char* dIUT =   "7d7dc5f71eb29ddaf80d6214632eeae03d9058af1fb6d22ed80badb62bc1a534";
+    const char* QIUTx =  "ead218590119e8876b29146ff89ca61770c4edbbf97d38ce385ed281d8a6b230";
+    const char* QIUTy =  "28af61281fd35e2fa7002523acc85a429cb06ee6648325389f59edfce1405141";
+    const char* ZIUT =   "46fc62106420ff012e54a434fbdd2d25ccc5852060561e68040dd7778997bd7b";
+
+    /* setup private and public keys */
+    ret = wc_ecc_init_ex(&pub_key, HEAP_HINT, devId);
     if (ret != 0)
-        return -1001;
+        return ret;
+    ret = wc_ecc_init_ex(&priv_key, HEAP_HINT, devId);
+    if (ret != 0) {
+        wc_ecc_free(&pub_key);
+        return ret;
+    }
+    wc_ecc_set_flags(&pub_key, WC_ECC_FLAG_COFACTOR);
+    wc_ecc_set_flags(&priv_key, WC_ECC_FLAG_COFACTOR);
+    ret = wc_ecc_import_raw(&pub_key, QCAVSx, QCAVSy, NULL, "SECP256R1");
+    if (ret != 0)
+        goto done;
+    ret = wc_ecc_import_raw(&priv_key, QIUTx, QIUTy, dIUT, "SECP256R1");
+    if (ret != 0)
+        goto done;
+
+    /* compute ECC Cofactor shared secret */
+    x = sizeof(sharedA);
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &priv_key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&priv_key, &pub_key, sharedA, &x);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        goto done;
+    }
+    TEST_SLEEP();
+
+    /* read in expected Z */
+    z = sizeof(sharedB);
+    ret = Base16_Decode((const byte*)ZIUT, (word32)XSTRLEN(ZIUT), sharedB, &z);
+    if (ret != 0)
+        goto done;
+
+    /* compare results */
+    if (x != z || XMEMCMP(sharedA, sharedB, x)) {
+        ERROR_OUT(-9612, done);
+    }
+
+done:
+    wc_ecc_free(&priv_key);
+    wc_ecc_free(&pub_key);
+    return ret;
+}
+#endif /* HAVE_ECC_CDH */
+#endif /* HAVE_ECC_VECTOR_TEST */
+
+#ifdef HAVE_ECC_KEY_IMPORT
+/* returns 0 on success */
+static int ecc_test_make_pub(WC_RNG* rng)
+{
+    ecc_key key;
+    unsigned char* exportBuf;
+    unsigned char* tmp;
+    unsigned char msg[] = "test wolfSSL ECC public gen";
+    word32 x, tmpSz;
+    int ret = 0;
+    ecc_point* pubPoint = NULL;
+#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
+    ecc_key pub;
+#endif
+#ifdef HAVE_ECC_VERIFY
+    int verify = 0;
+#endif
+#ifndef USE_CERT_BUFFERS_256
+    XFILE file;
+#endif
+
+    wc_ecc_init_ex(&key, HEAP_HINT, devId);
+
+#ifdef USE_CERT_BUFFERS_256
+    tmp = (byte*)XMALLOC((size_t)sizeof_ecc_key_der_256, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        return -9613;
+    }
+    exportBuf = (byte*)XMALLOC((size_t)sizeof_ecc_key_der_256, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (exportBuf == NULL) {
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -9614;
+    }
+    XMEMCPY(tmp, ecc_key_der_256, (size_t)sizeof_ecc_key_der_256);
+    tmpSz = (size_t)sizeof_ecc_key_der_256;
+#else
+    tmp = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        return -9615;
+    }
+    exportBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (exportBuf == NULL) {
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -9616;
+    }
+    file = XFOPEN(eccKeyDerFile, "rb");
+    if (!file) {
+        ERROR_OUT(-9617, done);
+    }
+
+    tmpSz = (word32)XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#endif /* USE_CERT_BUFFERS_256 */
+
+    /* import private only then test with */
+    ret = wc_ecc_import_private_key(tmp, tmpSz, NULL, 0, NULL);
+    if (ret == 0) {
+        ERROR_OUT(-9618, done);
+    }
+
+    ret = wc_ecc_import_private_key(NULL, tmpSz, NULL, 0, &key);
+    if (ret == 0) {
+        ERROR_OUT(-9619, done);
+    }
+
+    x = 0;
+    ret = wc_EccPrivateKeyDecode(tmp, &x, &key, tmpSz);
+    if (ret != 0) {
+        ERROR_OUT(-9620, done);
+    }
+
+#ifdef HAVE_ECC_KEY_EXPORT
+    x = FOURK_BUF;
+    ret = wc_ecc_export_private_only(&key, exportBuf, &x);
+    if (ret != 0) {
+        ERROR_OUT(-9621, done);
+    }
+
+    /* make private only key */
+    wc_ecc_free(&key);
+    wc_ecc_init_ex(&key, HEAP_HINT, devId);
+    ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, &key);
+    if (ret != 0) {
+        ERROR_OUT(-9622, done);
+    }
+
+    x = FOURK_BUF;
+    ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
+    if (ret == 0) {
+        ERROR_OUT(-9623, done);
+    }
+
+#endif /* HAVE_ECC_KEY_EXPORT */
+
+    ret = wc_ecc_make_pub(NULL, NULL);
+    if (ret == 0) {
+        ERROR_OUT(-9624, done);
+    }
+    TEST_SLEEP();
+
+    pubPoint = wc_ecc_new_point_h(HEAP_HINT);
+    if (pubPoint == NULL) {
+        ERROR_OUT(-9625, done);
+    }
+
+    ret = wc_ecc_make_pub(&key, pubPoint);
+    if (ret != 0) {
+        ERROR_OUT(-9626, done);
+    }
+
+    TEST_SLEEP();
+
+#ifdef HAVE_ECC_KEY_EXPORT
+    /* export should still fail, is private only key */
+    x = FOURK_BUF;
+    ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
+    if (ret == 0) {
+        ERROR_OUT(-9627, done);
+    }
+#endif /* HAVE_ECC_KEY_EXPORT */
+#if defined(WOLFSSL_CRYPTOCELL)
+    /* create a new key since building private key from public key is unsupported */
+    ret  = wc_ecc_make_key(rng, 32, &key);
+    if (ret == 0) {
+        ERROR_OUT(-9628, done);
+    }
+#endif
+#ifdef HAVE_ECC_SIGN
+    tmpSz = FOURK_BUF;
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(msg, sizeof(msg), tmp, &tmpSz, rng, &key);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        ERROR_OUT(-9629, done);
+    }
+    TEST_SLEEP();
+
+#ifdef HAVE_ECC_VERIFY
+    /* try verify with private only key */
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_verify_hash(tmp, tmpSz, msg, sizeof(msg), &verify, &key);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        ERROR_OUT(-9630, done);
+    }
+
+    if (verify != 1) {
+        ERROR_OUT(-9631, done);
+    }
+    TEST_SLEEP();
+#ifdef HAVE_ECC_KEY_EXPORT
+    /* exporting the public part should now work */
+    x = FOURK_BUF;
+    ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
+    if (ret != 0) {
+        ERROR_OUT(-9632, done);
+    }
+#endif /* HAVE_ECC_KEY_EXPORT */
+#endif /* HAVE_ECC_VERIFY */
+
+#endif /* HAVE_ECC_SIGN */
+
+#if defined(HAVE_ECC_DHE) && defined(HAVE_ECC_KEY_EXPORT)
+    /* now test private only key with creating a shared secret */
+    x = FOURK_BUF;
+    ret = wc_ecc_export_private_only(&key, exportBuf, &x);
+    if (ret != 0) {
+        ERROR_OUT(-9633, done);
+    }
+
+    /* make private only key */
+    wc_ecc_free(&key);
+    wc_ecc_init_ex(&key, HEAP_HINT, devId);
+    ret = wc_ecc_import_private_key(exportBuf, x, NULL, 0, &key);
+    if (ret != 0) {
+        ERROR_OUT(-9634, done);
+    }
+
+    /* check that public export fails with private only key */
+    x = FOURK_BUF;
+    ret = wc_ecc_export_x963_ex(&key, exportBuf, &x, 0);
+    if (ret == 0) {
+        ERROR_OUT(-9635, done);
+    }
+
+    /* make public key for shared secret */
+    wc_ecc_init_ex(&pub, HEAP_HINT, devId);
+    ret = wc_ecc_make_key(rng, 32, &pub);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &pub.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-9636, done);
+    }
+    TEST_SLEEP();
+
+    x = FOURK_BUF;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0) {
+            ret = wc_ecc_shared_secret(&key, &pub, exportBuf, &x);
+        }
+    } while (ret == WC_PENDING_E);
+    wc_ecc_free(&pub);
+    if (ret != 0) {
+        ERROR_OUT(-9637, done);
+    }
+    TEST_SLEEP();
+#endif /* HAVE_ECC_DHE && HAVE_ECC_KEY_EXPORT */
 
-    wc_ecc_init(&userA);
-    wc_ecc_init(&userB);
-    wc_ecc_init(&pubKey);
+    ret = 0;
 
-    ret = wc_ecc_make_key(&rng, 32, &userA);
+done:
 
+    XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(exportBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    wc_ecc_del_point_h(pubPoint, HEAP_HINT);
+    wc_ecc_free(&key);
+
+    return ret;
+}
+#endif /* HAVE_ECC_KEY_IMPORT */
+
+
+#ifdef WOLFSSL_KEY_GEN
+static int ecc_test_key_gen(WC_RNG* rng, int keySize)
+{
+    int    ret = 0;
+    int    derSz;
+#ifdef HAVE_PKCS8
+    word32 pkcs8Sz;
+#endif
+    byte*  der;
+    byte*  pem;
+    ecc_key userA;
+
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        return -9638;
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -9639;
+    }
+
+    ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
+    if (ret != 0)
+        goto done;
+
+    ret = wc_ecc_make_key(rng, keySize, &userA);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -1014;
+        goto done;
+    TEST_SLEEP();
 
     ret = wc_ecc_check_key(&userA);
     if (ret != 0)
-        return -1024;
+        goto done;
+    TEST_SLEEP();
 
-    ret = wc_ecc_make_key(&rng, 32, &userB);
+    derSz = wc_EccKeyToDer(&userA, der, FOURK_BUF);
+    if (derSz < 0) {
+        ERROR_OUT(derSz, done);
+    }
+
+    ret = SaveDerAndPem(der, derSz, pem, FOURK_BUF, eccCaKeyTempFile,
+            eccCaKeyPemFile, ECC_PRIVATEKEY_TYPE, -8347);
+    if (ret != 0) {
+        goto done;
+    }
 
+    /* test export of public key */
+    derSz = wc_EccPublicKeyToDer(&userA, der, FOURK_BUF, 1);
+    if (derSz < 0) {
+        ERROR_OUT(derSz, done);
+    }
+    if (derSz == 0) {
+        ERROR_OUT(-9640, done);
+    }
+
+    ret = SaveDerAndPem(der, derSz, NULL, 0, eccPubKeyDerFile,
+        NULL, 0, -8348);
+    if (ret != 0) {
+        goto done;
+    }
+
+#ifdef HAVE_PKCS8
+    /* test export of PKCS#8 unencrypted private key */
+    pkcs8Sz = FOURK_BUF;
+    derSz = wc_EccPrivateKeyToPKCS8(&userA, der, &pkcs8Sz);
+    if (derSz < 0) {
+        ERROR_OUT(derSz, done);
+    }
+
+    if (derSz == 0) {
+        ERROR_OUT(-9641, done);
+    }
+
+    ret = SaveDerAndPem(der, derSz, NULL, 0, eccPkcs8KeyDerFile,
+                        NULL, 0, -8349);
+    if (ret != 0) {
+        goto done;
+    }
+#endif /* HAVE_PKCS8 */
+
+done:
+
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_ecc_free(&userA);
+
+    return ret;
+}
+#endif /* WOLFSSL_KEY_GEN */
+
+static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
+    int curve_id, const ecc_set_type* dp)
+{
+#if defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)
+    DECLARE_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT);
+    DECLARE_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT);
+#endif
+#ifdef HAVE_ECC_KEY_EXPORT
+    byte    exportBuf[MAX_ECC_BYTES * 2 + 32];
+#endif
+    word32  x;
+#if defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)
+    word32  y;
+#endif
+#ifdef HAVE_ECC_SIGN
+    DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
+    DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
+    int     i;
+#ifdef HAVE_ECC_VERIFY
+    int     verify;
+#endif /* HAVE_ECC_VERIFY */
+#endif /* HAVE_ECC_SIGN */
+    int     ret;
+    ecc_key userA, userB, pubKey;
+    int     curveSize;
+
+    (void)testVerifyCount;
+    (void)dp;
+    (void)x;
+
+    XMEMSET(&userA, 0, sizeof(ecc_key));
+    XMEMSET(&userB, 0, sizeof(ecc_key));
+    XMEMSET(&pubKey, 0, sizeof(ecc_key));
+
+    ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
+    if (ret != 0)
+        goto done;
+    ret = wc_ecc_init_ex(&userB, HEAP_HINT, devId);
     if (ret != 0)
-        return -1002;
+        goto done;
+    ret = wc_ecc_init_ex(&pubKey, HEAP_HINT, devId);
+    if (ret != 0)
+        goto done;
 
-    x = sizeof(sharedA);
-    ret = wc_ecc_shared_secret(&userA, &userB, sharedA, &x);
+#ifdef WOLFSSL_CUSTOM_CURVES
+    if (dp != NULL) {
+        ret = wc_ecc_set_custom_curve(&userA, dp);
+        if (ret != 0)
+            goto done;
+        ret = wc_ecc_set_custom_curve(&userB, dp);
+        if (ret != 0)
+            goto done;
+    }
+#endif
 
+    ret = wc_ecc_make_key_ex(rng, keySize, &userA, curve_id);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != 0)
-        return -1015;
+        goto done;
+    TEST_SLEEP();
+
+    if (wc_ecc_get_curve_idx(curve_id) != -1) {
+        curveSize = wc_ecc_get_curve_size_from_id(userA.dp->id);
+        if (curveSize != userA.dp->size) {
+            ret = -9642;
+            goto done;
+        }
+    }
 
-    y = sizeof(sharedB);
-    ret = wc_ecc_shared_secret(&userB, &userA, sharedB, &y);
+    ret = wc_ecc_check_key(&userA);
+    if (ret != 0)
+        goto done;
+    TEST_SLEEP();
+
+    ret = wc_ecc_make_key_ex(rng, keySize, &userB, curve_id);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0)
+        goto done;
+    TEST_SLEEP();
+
+    /* only perform the below tests if the key size matches */
+    if (dp == NULL && keySize > 0 && wc_ecc_size(&userA) != keySize) {
+        ret = ECC_CURVE_OID_E;
+        goto done;
+    }
+
+#ifdef HAVE_ECC_DHE
+    x = ECC_SHARED_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&userA, &userB, sharedA, &x);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        goto done;
+    }
+    TEST_SLEEP();
+
+    y = ECC_SHARED_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&userB, &userA, sharedB, &y);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0)
+        goto done;
+
+    if (y != x)
+        ERROR_OUT(-9643, done);
+
+    if (XMEMCMP(sharedA, sharedB, x))
+        ERROR_OUT(-9644, done);
+    TEST_SLEEP();
+#endif /* HAVE_ECC_DHE */
+
+#ifdef HAVE_ECC_CDH
+    /* add cofactor flag */
+    wc_ecc_set_flags(&userA, WC_ECC_FLAG_COFACTOR);
+    wc_ecc_set_flags(&userB, WC_ECC_FLAG_COFACTOR);
+
+    x = ECC_SHARED_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&userA, &userB, sharedA, &x);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0) {
+        goto done;
+    }
+    TEST_SLEEP();
 
+    y = ECC_SHARED_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&userB, &userA, sharedB, &y);
+    } while (ret == WC_PENDING_E);
     if (ret != 0)
-        return -1003;
+        goto done;
 
     if (y != x)
-        return -1004;
+        ERROR_OUT(-9645, done);
+
+    if (XMEMCMP(sharedA, sharedB, x))
+        ERROR_OUT(-9646, done);
+    TEST_SLEEP();
 
-    if (memcmp(sharedA, sharedB, x))
-        return -1005;
+    /* remove cofactor flag */
+    wc_ecc_set_flags(&userA, 0);
+    wc_ecc_set_flags(&userB, 0);
+#endif /* HAVE_ECC_CDH */
 
+#ifdef HAVE_ECC_KEY_EXPORT
     x = sizeof(exportBuf);
-    ret = wc_ecc_export_x963(&userA, exportBuf, &x);
+    ret = wc_ecc_export_x963_ex(&userA, exportBuf, &x, 0);
     if (ret != 0)
-        return -1006;
+        goto done;
 
-    ret = wc_ecc_import_x963(exportBuf, x, &pubKey);
+#ifdef HAVE_ECC_KEY_IMPORT
+    #ifdef WOLFSSL_CUSTOM_CURVES
+        if (dp != NULL) {
+            ret = wc_ecc_set_custom_curve(&pubKey, dp);
+            if (ret != 0) goto done;
+        }
+    #endif
+    ret = wc_ecc_import_x963_ex(exportBuf, x, &pubKey, curve_id);
+    if (ret != 0)
+        goto done;
 
+#ifdef HAVE_ECC_DHE
+    y = ECC_SHARED_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret(&userB, &pubKey, sharedB, &y);
+    } while (ret == WC_PENDING_E);
     if (ret != 0)
-        return -1007;
+        goto done;
 
-    y = sizeof(sharedB);
-    ret = wc_ecc_shared_secret(&userB, &pubKey, sharedB, &y);
+    if (XMEMCMP(sharedA, sharedB, y))
+        ERROR_OUT(-9647, done);
+    TEST_SLEEP();
+#endif /* HAVE_ECC_DHE */
+
+    #ifdef HAVE_COMP_KEY
+        /* try compressed export / import too */
+        x = sizeof(exportBuf);
+        ret = wc_ecc_export_x963_ex(&userA, exportBuf, &x, 1);
+        if (ret != 0)
+            goto done;
+        wc_ecc_free(&pubKey);
 
+        ret = wc_ecc_init_ex(&pubKey, HEAP_HINT, devId);
+        if (ret != 0)
+            goto done;
+    #ifdef WOLFSSL_CUSTOM_CURVES
+        if (dp != NULL) {
+            ret = wc_ecc_set_custom_curve(&pubKey, dp);
+            if (ret != 0) goto done;
+        }
+    #endif
+        ret = wc_ecc_import_x963_ex(exportBuf, x, &pubKey, curve_id);
+        if (ret != 0)
+            goto done;
+
+    #ifdef HAVE_ECC_DHE
+        y = ECC_SHARED_SIZE;
+        do {
+        #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        #endif
+            if (ret == 0)
+                ret = wc_ecc_shared_secret(&userB, &pubKey, sharedB, &y);
+        } while (ret == WC_PENDING_E);
+        if (ret != 0)
+            goto done;
+
+        if (XMEMCMP(sharedA, sharedB, y))
+            ERROR_OUT(-9648, done);
+        TEST_SLEEP();
+    #endif /* HAVE_ECC_DHE */
+    #endif /* HAVE_COMP_KEY */
+
+#endif /* HAVE_ECC_KEY_IMPORT */
+#endif /* HAVE_ECC_KEY_EXPORT */
+
+#ifdef HAVE_ECC_SIGN
+    /* ECC w/out Shamir has issue with all 0 digest */
+    /* WC_BIGINT doesn't have 0 len well on hardware */
+#if defined(ECC_SHAMIR) && !defined(WOLFSSL_ASYNC_CRYPT)
+    /* test DSA sign hash with zeros */
+    for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
+        digest[i] = 0;
+    }
+
+    x = ECC_SIG_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(digest, ECC_DIGEST_SIZE, sig, &x, rng,
+                                                                        &userA);
+    } while (ret == WC_PENDING_E);
     if (ret != 0)
-        return -1008;
+        goto done;
+    TEST_SLEEP();
+
+#ifdef HAVE_ECC_VERIFY
+    for (i=0; i<testVerifyCount; i++) {
+        verify = 0;
+        do {
+        #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        #endif
+            if (ret == 0)
+                ret = wc_ecc_verify_hash(sig, x, digest, ECC_DIGEST_SIZE,
+                                                               &verify, &userA);
+        } while (ret == WC_PENDING_E);
+        if (ret != 0)
+            goto done;
+        if (verify != 1)
+            ERROR_OUT(-9649, done);
+        TEST_SLEEP();
+    }
+#endif /* HAVE_ECC_VERIFY */
+#endif /* ECC_SHAMIR && !WOLFSSL_ASYNC_CRYPT */
+
+    /* test DSA sign hash with sequence (0,1,2,3,4,...) */
+    for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
+        digest[i] = (byte)i;
+    }
 
-    if (memcmp(sharedA, sharedB, y))
-        return -1009;
+    x = ECC_SIG_SIZE;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(digest, ECC_DIGEST_SIZE, sig, &x, rng,
+                                                                        &userA);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0)
+        ERROR_OUT(-9650, done);
+    TEST_SLEEP();
+
+#ifdef HAVE_ECC_VERIFY
+    for (i=0; i<testVerifyCount; i++) {
+        verify = 0;
+        do {
+        #if defined(WOLFSSL_ASYNC_CRYPT)
+            ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+        #endif
+            if (ret == 0)
+                ret = wc_ecc_verify_hash(sig, x, digest, ECC_DIGEST_SIZE,
+                                                               &verify, &userA);
+        } while (ret == WC_PENDING_E);
+        if (ret != 0)
+            goto done;
+        if (verify != 1)
+            ERROR_OUT(-9651, done);
+        TEST_SLEEP();
+    }
+#endif /* HAVE_ECC_VERIFY */
+#endif /* HAVE_ECC_SIGN */
 
-#ifdef HAVE_COMP_KEY
-    /* try compressed export / import too */
+#ifdef HAVE_ECC_KEY_EXPORT
     x = sizeof(exportBuf);
-    ret = wc_ecc_export_x963_ex(&userA, exportBuf, &x, 1);
+    ret = wc_ecc_export_private_only(&userA, exportBuf, &x);
     if (ret != 0)
-        return -1010;
+        goto done;
+#endif /* HAVE_ECC_KEY_EXPORT */
 
+done:
     wc_ecc_free(&pubKey);
-    wc_ecc_init(&pubKey);
-    ret = wc_ecc_import_x963(exportBuf, x, &pubKey);
+    wc_ecc_free(&userB);
+    wc_ecc_free(&userA);
 
-    if (ret != 0)
-        return -1011;
+#if defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)
+    FREE_VAR(sharedA, HEAP_HINT);
+    FREE_VAR(sharedB, HEAP_HINT);
+#endif
+#ifdef HAVE_ECC_SIGN
+    FREE_VAR(sig, HEAP_HINT);
+    FREE_VAR(digest, HEAP_HINT);
 #endif
 
-    y = sizeof(sharedB);
-    ret = wc_ecc_shared_secret(&userB, &pubKey, sharedB, &y);
+    return ret;
+}
 
-    if (ret != 0)
-        return -1012;
+#undef  ECC_TEST_VERIFY_COUNT
+#define ECC_TEST_VERIFY_COUNT 2
+static int ecc_test_curve(WC_RNG* rng, int keySize)
+{
+    int ret;
 
-    if (memcmp(sharedA, sharedB, y))
-        return -1013;
+    ret = ecc_test_curve_size(rng, keySize, ECC_TEST_VERIFY_COUNT,
+        ECC_CURVE_DEF, NULL);
+    if (ret < 0) {
+        if (ret == ECC_CURVE_OID_E) {
+            /* ignore error for curves not found */
+            /* some curve sizes are only available with:
+                HAVE_ECC_SECPR2, HAVE_ECC_SECPR3, HAVE_ECC_BRAINPOOL
+                and HAVE_ECC_KOBLITZ */
+        }
+        else {
+            printf("ecc_test_curve_size %d failed!: %d\n", keySize, ret);
+            return ret;
+        }
+    }
 
-    /* test DSA sign hash */
-    for (i = 0; i < (int)sizeof(digest); i++)
-        digest[i] = (byte)i;
+#ifdef HAVE_ECC_VECTOR_TEST
+    ret = ecc_test_vector(keySize);
+    if (ret < 0) {
+        printf("ecc_test_vector %d failed!: %d\n", keySize, ret);
+        return ret;
+    }
+#endif
 
-    x = sizeof(sig);
-    ret = wc_ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &userA);
+#ifdef WOLFSSL_KEY_GEN
+    ret = ecc_test_key_gen(rng, keySize);
+    if (ret < 0) {
+        if (ret == ECC_CURVE_OID_E) {
+            /* ignore error for curves not found */
+        }
+        else {
+            printf("ecc_test_key_gen %d failed!: %d\n", keySize, ret);
+            return ret;
+        }
+    }
+#endif
+
+    return 0;
+}
+
+#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+#if !defined(WOLFSSL_ATECC508A) && defined(HAVE_ECC_KEY_IMPORT) && \
+     defined(HAVE_ECC_KEY_EXPORT)
+static int ecc_point_test(void)
+{
+    int        ret;
+    ecc_point* point;
+    ecc_point* point2;
+#ifdef HAVE_COMP_KEY
+    ecc_point* point3;
+    ecc_point* point4;
+#endif
+    word32     outLen;
+    byte       out[65];
+    byte       der[] = { 0x04, /* = Uncompressed */
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
+#ifdef HAVE_COMP_KEY
+    byte       derComp0[] = { 0x02, /* = Compressed, y even */
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
+    byte       derComp1[] = { 0x03, /* = Compressed, y odd */
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                              0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
+#endif
+    byte       altDer[] = { 0x04, /* = Uncompressed */
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+    int curve_idx = wc_ecc_get_curve_idx(ECC_SECP256R1);
+
+    /* if curve P256 is not enabled then test should not fail */
+    if (curve_idx == ECC_CURVE_INVALID)
+        return 0;
+
+    outLen = sizeof(out);
+    point = wc_ecc_new_point();
+    if (point == NULL)
+        return -9700;
+    point2 = wc_ecc_new_point();
+    if (point2 == NULL) {
+        wc_ecc_del_point(point);
+        return -9701;
+    }
+#ifdef HAVE_COMP_KEY
+    point3 = wc_ecc_new_point();
+    if (point3 == NULL) {
+        wc_ecc_del_point(point2);
+        wc_ecc_del_point(point);
+        return -9702;
+    }
+    point4 = wc_ecc_new_point();
+    if (point4 == NULL) {
+        wc_ecc_del_point(point3);
+        wc_ecc_del_point(point2);
+        wc_ecc_del_point(point);
+        return -9703;
+    }
+#endif
+
+    /* Parameter Validation testing. */
+    wc_ecc_del_point(NULL);
+    ret = wc_ecc_import_point_der(NULL, sizeof(der), curve_idx, point);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9704;
+        goto done;
+    }
+    ret = wc_ecc_import_point_der(der, sizeof(der), ECC_CURVE_INVALID, point);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9705;
+        goto done;
+    }
+    ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, NULL);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9706;
+        goto done;
+    }
+    ret = wc_ecc_export_point_der(-1, point, out, &outLen);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9707;
+        goto done;
+    }
+    ret = wc_ecc_export_point_der(curve_idx, NULL, out, &outLen);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9708;
+        goto done;
+    }
+    ret = wc_ecc_export_point_der(curve_idx, point, NULL, &outLen);
+    if (ret != LENGTH_ONLY_E || outLen != sizeof(out)) {
+        ret = -9709;
+        goto done;
+    }
+    ret = wc_ecc_export_point_der(curve_idx, point, out, NULL);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9710;
+        goto done;
+    }
+    outLen = 0;
+    ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen);
+    if (ret != BUFFER_E) {
+        ret = -9711;
+        goto done;
+    }
+    ret = wc_ecc_copy_point(NULL, NULL);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9712;
+        goto done;
+    }
+    ret = wc_ecc_copy_point(NULL, point2);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9713;
+        goto done;
+    }
+    ret = wc_ecc_copy_point(point, NULL);
+    if (ret != ECC_BAD_ARG_E) {
+        ret = -9714;
+        goto done;
+    }
+    ret = wc_ecc_cmp_point(NULL, NULL);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9715;
+        goto done;
+    }
+    ret = wc_ecc_cmp_point(NULL, point2);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9716;
+        goto done;
+    }
+    ret = wc_ecc_cmp_point(point, NULL);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9717;
+        goto done;
+    }
 
+    /* Use API. */
+    ret = wc_ecc_import_point_der(der, sizeof(der), curve_idx, point);
+    if (ret != 0) {
+        ret = -9718;
+        goto done;
+    }
+
+    outLen = sizeof(out);
+    ret = wc_ecc_export_point_der(curve_idx, point, out, &outLen);
+    if (ret != 0) {
+        ret = -9719;
+        goto done;
+    }
+    if (outLen != sizeof(der)) {
+        ret = -9720;
+        goto done;
+    }
+    if (XMEMCMP(out, der, outLen) != 0) {
+        ret = -9721;
+        goto done;
+    }
+
+    ret = wc_ecc_copy_point(point2, point);
+    if (ret != MP_OKAY) {
+        ret = -9722;
+        goto done;
+    }
+    ret = wc_ecc_cmp_point(point2, point);
+    if (ret != MP_EQ) {
+        ret = -9723;
+        goto done;
+    }
+
+    ret = wc_ecc_import_point_der(altDer, sizeof(altDer), curve_idx, point2);
+    if (ret != 0) {
+        ret = -9724;
+        goto done;
+    }
+    ret = wc_ecc_cmp_point(point2, point);
+    if (ret != MP_GT) {
+        ret = -9725;
+        goto done;
+    }
+
+#ifdef HAVE_COMP_KEY
+    ret = wc_ecc_import_point_der(derComp0, sizeof(derComp0)*2-1, curve_idx, point3);
+    if (ret != 0) {
+        ret = -9726;
+        goto done;
+    }
+
+    ret = wc_ecc_import_point_der_ex(derComp0, sizeof(derComp0), curve_idx, point4, 0);
+    if (ret != 0) {
+        ret = -9727;
+        goto done;
+    }
+
+    ret = wc_ecc_cmp_point(point3, point4);
+    if (ret != MP_EQ) {
+        ret = -9728;
+        goto done;
+    }
+
+    ret = wc_ecc_import_point_der(derComp1, sizeof(derComp1)*2-1, curve_idx, point3);
+    if (ret != 0) {
+        ret = -9729;
+        goto done;
+    }
+
+    ret = wc_ecc_import_point_der_ex(derComp1, sizeof(derComp1), curve_idx, point4, 0);
+    if (ret != 0) {
+        ret = -9730;
+        goto done;
+    }
+
+    ret = wc_ecc_cmp_point(point3, point4);
+    if (ret != MP_EQ) {
+        ret = -9731;
+        goto done;
+    }
+#endif
+
+done:
+#ifdef HAVE_COMP_KEY
+    wc_ecc_del_point(point4);
+    wc_ecc_del_point(point3);
+#endif
+    wc_ecc_del_point(point2);
+    wc_ecc_del_point(point);
+
+    return ret;
+}
+#endif /* !WOLFSSL_ATECC508A && HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */
+
+#ifndef NO_SIG_WRAPPER
+static int ecc_sig_test(WC_RNG* rng, ecc_key* key)
+{
+    int     ret;
+    word32  sigSz;
+    int     size;
+    byte    out[ECC_MAX_SIG_SIZE];
+    byte    in[] = "Everyone gets Friday off.";
+    const byte hash[] = {
+        0xf2, 0x02, 0x95, 0x65, 0xcb, 0xf6, 0x2a, 0x59,
+        0x39, 0x2c, 0x05, 0xff, 0x0e, 0x29, 0xaf, 0xfe,
+        0x47, 0x33, 0x8c, 0x99, 0x8d, 0x58, 0x64, 0x83,
+        0xa6, 0x58, 0x0a, 0x33, 0x0b, 0x84, 0x5f, 0x5f
+    };
+    word32 inLen = (word32)XSTRLEN((char*)in);
+
+    size = wc_ecc_sig_size(key);
+
+    ret = wc_SignatureGetSize(WC_SIGNATURE_TYPE_ECC, key, sizeof(*key));
+    if (ret != size)
+        return -9728;
+
+    sigSz = (word32)ret;
+    ret = wc_SignatureGenerate(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in,
+                               inLen, out, &sigSz, key, sizeof(*key), rng);
     if (ret != 0)
-        return -1014;
+        return -9729;
+    TEST_SLEEP();
 
-    verify = 0;
-    ret = wc_ecc_verify_hash(sig, x, digest, sizeof(digest), &verify, &userA);
+    ret = wc_SignatureVerify(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC, in,
+                             inLen, out, sigSz, key, sizeof(*key));
+    if (ret != 0)
+        return -9730;
+    TEST_SLEEP();
 
+    sigSz = (word32)sizeof(out);
+    ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC,
+        hash, (int)sizeof(hash), out, &sigSz, key, sizeof(*key), rng);
     if (ret != 0)
-        return -1015;
+        return -9731;
+    TEST_SLEEP();
 
-    if (verify != 1)
-        return -1016;
+    ret = wc_SignatureVerifyHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_ECC,
+        hash, (int)sizeof(hash), out, sigSz, key, sizeof(*key));
+    if (ret != 0)
+        return -9732;
+    TEST_SLEEP();
 
-    x = sizeof(exportBuf);
-    ret = wc_ecc_export_private_only(&userA, exportBuf, &x);
+    return 0;
+}
+#endif
+
+#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)
+static int ecc_exp_imp_test(ecc_key* key)
+{
+    int        ret;
+    int        curve_id;
+    ecc_key    keyImp;
+    byte       priv[32];
+    word32     privLen;
+    byte       pub[65];
+    word32     pubLen, pubLenX, pubLenY;
+    const char qx[] = "7a4e287890a1a47ad3457e52f2f76a83"
+                      "ce46cbc947616d0cbaa82323818a793d";
+    const char qy[] = "eec4084f5b29ebf29c44cce3b3059610"
+                      "922f8b30ea6e8811742ac7238fe87308";
+    const char d[]  = "8c14b793cb19137e323a6d2e2a870bca"
+                      "2e7a493ec1153b3a95feb8a4873f8d08";
+
+    wc_ecc_init_ex(&keyImp, HEAP_HINT, devId);
+
+    privLen = sizeof(priv);
+    ret = wc_ecc_export_private_only(key, priv, &privLen);
+    if (ret != 0) {
+        ret = -9733;
+        goto done;
+    }
+    pubLen = sizeof(pub);
+    ret = wc_ecc_export_point_der(key->idx, &key->pubkey, pub, &pubLen);
+    if (ret != 0) {
+        ret = -9734;
+        goto done;
+    }
+
+    ret = wc_ecc_import_private_key(priv, privLen, pub, pubLen, &keyImp);
+    if (ret != 0) {
+        ret = -9735;
+        goto done;
+    }
+
+    wc_ecc_free(&keyImp);
+    wc_ecc_init_ex(&keyImp, HEAP_HINT, devId);
+
+    ret = wc_ecc_import_raw_ex(&keyImp, qx, qy, d, ECC_SECP256R1);
+    if (ret != 0) {
+        ret = -9736;
+        goto done;
+    }
+
+    wc_ecc_free(&keyImp);
+    wc_ecc_init_ex(&keyImp, HEAP_HINT, devId);
+
+    curve_id = wc_ecc_get_curve_id(key->idx);
+    if (curve_id < 0) {
+        ret = -9737;
+        goto done;
+    }
+
+    /* test import private only */
+    ret = wc_ecc_import_private_key_ex(priv, privLen, NULL, 0, &keyImp,
+                                       curve_id);
+    if (ret != 0) {
+        ret = -9738;
+        goto done;
+    }
+
+    wc_ecc_free(&keyImp);
+    wc_ecc_init_ex(&keyImp, HEAP_HINT, devId);
+
+    /* test export public raw */
+    pubLenX = pubLenY = 32;
+    ret = wc_ecc_export_public_raw(key, pub, &pubLenX, &pub[32], &pubLenY);
+    if (ret != 0) {
+        ret = -9739;
+        goto done;
+    }
+
+#ifndef HAVE_SELFTEST
+    /* test import of public */
+    ret = wc_ecc_import_unsigned(&keyImp, pub, &pub[32], NULL, ECC_SECP256R1);
+    if (ret != 0) {
+        ret = -9740;
+        goto done;
+    }
+#endif
+
+    wc_ecc_free(&keyImp);
+    wc_ecc_init_ex(&keyImp, HEAP_HINT, devId);
+
+    /* test export private and public raw */
+    pubLenX = pubLenY = privLen = 32;
+    ret = wc_ecc_export_private_raw(key, pub, &pubLenX, &pub[32], &pubLenY,
+        priv, &privLen);
+    if (ret != 0) {
+        ret = -9741;
+        goto done;
+    }
+
+#ifndef HAVE_SELFTEST
+    /* test import of private and public */
+    ret = wc_ecc_import_unsigned(&keyImp, pub, &pub[32], priv, ECC_SECP256R1);
+    if (ret != 0) {
+        ret = -9742;
+        goto done;
+    }
+#endif
+
+done:
+    wc_ecc_free(&keyImp);
+    return ret;
+}
+#endif /* HAVE_ECC_KEY_IMPORT && HAVE_ECC_KEY_EXPORT */
+
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
+#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT)
+static int ecc_mulmod_test(ecc_key* key1)
+{
+    int ret;
+    ecc_key    key2;
+    ecc_key    key3;
+
+    wc_ecc_init_ex(&key2, HEAP_HINT, devId);
+    wc_ecc_init_ex(&key3, HEAP_HINT, devId);
+
+    /* TODO: Use test data, test with WOLFSSL_VALIDATE_ECC_IMPORT. */
+    /* Need base point (Gx,Gy) and parameter A - load them as the public and
+     * private key in key2.
+     */
+    ret = wc_ecc_import_raw_ex(&key2, key1->dp->Gx, key1->dp->Gy, key1->dp->Af,
+                               ECC_SECP256R1);
     if (ret != 0)
-        return -1017;
+        goto done;
 
-#if !defined(NO_SHA) && \
-    ((defined(HAVE_ECC192) && defined(HAVE_ECC224)) || defined(HAVE_ALL_CURVES))
-    {
-        /* test raw ECC key import */
-        Sha sha;
-        byte hash[SHA_DIGEST_SIZE];
-        rawEccVector a, b;
-        rawEccVector test_ecc[2];
-        int times = sizeof(test_ecc) / sizeof(rawEccVector);
+    /* Need a point (Gx,Gy) and prime - load them as the public and private key
+     * in key3.
+     */
+    ret = wc_ecc_import_raw_ex(&key3, key1->dp->Gx, key1->dp->Gy,
+                               key1->dp->prime, ECC_SECP256R1);
+    if (ret != 0)
+        goto done;
 
-        /* first [P-192,SHA-1] vector from FIPS 186-3 NIST vectors */
-        a.msg = "\xeb\xf7\x48\xd7\x48\xeb\xbc\xa7\xd2\x9f\xb4\x73\x69\x8a"
-                "\x6e\x6b\x4f\xb1\x0c\x86\x5d\x4a\xf0\x24\xcc\x39\xae\x3d"
-                "\xf3\x46\x4b\xa4\xf1\xd6\xd4\x0f\x32\xbf\x96\x18\xa9\x1b"
-                "\xb5\x98\x6f\xa1\xa2\xaf\x04\x8a\x0e\x14\xdc\x51\xe5\x26"
-                "\x7e\xb0\x5e\x12\x7d\x68\x9d\x0a\xc6\xf1\xa7\xf1\x56\xce"
-                "\x06\x63\x16\xb9\x71\xcc\x7a\x11\xd0\xfd\x7a\x20\x93\xe2"
-                "\x7c\xf2\xd0\x87\x27\xa4\xe6\x74\x8c\xc3\x2f\xd5\x9c\x78"
-                "\x10\xc5\xb9\x01\x9d\xf2\x1c\xdc\xc0\xbc\xa4\x32\xc0\xa3"
-                "\xee\xd0\x78\x53\x87\x50\x88\x77\x11\x43\x59\xce\xe4\xa0"
-                "\x71\xcf";
-        a.msgLen = 128;
-        a.Qx = "07008ea40b08dbe76432096e80a2494c94982d2d5bcf98e6";
-        a.Qy = "76fab681d00b414ea636ba215de26d98c41bd7f2e4d65477";
-        a.d  = "e14f37b3d1374ff8b03f41b9b3fdd2f0ebccf275d660d7f3";
-        a.R  = "6994d962bdd0d793ffddf855ec5bf2f91a9698b46258a63e";
-        a.S  = "02ba6465a234903744ab02bc8521405b73cf5fc00e1a9f41";
-        a.curveName = "ECC-192";
+    ret = wc_ecc_mulmod(&key1->k, &key2.pubkey, &key3.pubkey, &key2.k, &key3.k,
+                        1);
+    if (ret != 0) {
+        ret = -9743;
+        goto done;
+    }
 
-        /* first [P-224,SHA-1] vector from FIPS 186-3 NIST vectors */
-        b.msg = "\x36\xc8\xb2\x29\x86\x48\x7f\x67\x7c\x18\xd0\x97\x2a\x9e"
-                "\x20\x47\xb3\xaf\xa5\x9e\xc1\x62\x76\x4e\xc3\x0b\x5b\x69"
-                "\xe0\x63\x0f\x99\x0d\x4e\x05\xc2\x73\xb0\xe5\xa9\xd4\x28"
-                "\x27\xb6\x95\xfc\x2d\x64\xd9\x13\x8b\x1c\xf4\xc1\x21\x55"
-                "\x89\x4c\x42\x13\x21\xa7\xbb\x97\x0b\xdc\xe0\xfb\xf0\xd2"
-                "\xae\x85\x61\xaa\xd8\x71\x7f\x2e\x46\xdf\xe3\xff\x8d\xea"
-                "\xb4\xd7\x93\x23\x56\x03\x2c\x15\x13\x0d\x59\x9e\x26\xc1"
-                "\x0f\x2f\xec\x96\x30\x31\xac\x69\x38\xa1\x8d\x66\x45\x38"
-                "\xb9\x4d\xac\x55\x34\xef\x7b\x59\x94\x24\xd6\x9b\xe1\xf7"
-                "\x1c\x20";
-        b.msgLen = 128;
-        b.Qx = "8a4dca35136c4b70e588e23554637ae251077d1365a6ba5db9585de7";
-        b.Qy = "ad3dee06de0be8279d4af435d7245f14f3b4f82eb578e519ee0057b1";
-        b.d  = "97c4b796e1639dd1035b708fc00dc7ba1682cec44a1002a1a820619f";
-        b.R  = "147b33758321e722a0360a4719738af848449e2c1d08defebc1671a7";
-        b.S  = "24fc7ed7f1352ca3872aa0916191289e2e04d454935d50fe6af3ad5b";
-        b.curveName = "ECC-224";
-
-        test_ecc[0] = a;
-        test_ecc[1] = b;
-
-        for (i = 0; i < times; i++) {
-
-            wc_ecc_free(&userA);
-            wc_ecc_init(&userA);
-
-            memset(sig, 0, sizeof(sig));
-            x = sizeof(sig);
-
-            /* calculate SHA-1 hash of message */
-            ret = wc_InitSha(&sha);
-            if (ret != 0)
-                return -1015 - i;
+done:
+    wc_ecc_free(&key3);
+    wc_ecc_free(&key2);
+    return ret;
+}
+#endif
 
-            wc_ShaUpdate(&sha, (byte*)test_ecc[i].msg, (word32)test_ecc[i].msgLen);
-            wc_ShaFinal(&sha, hash);
+#ifdef HAVE_ECC_DHE
+static int ecc_ssh_test(ecc_key* key)
+{
+    int    ret;
+    byte   out[128];
+    word32 outLen = sizeof(out);
+
+    /* Parameter Validation testing. */
+    ret = wc_ecc_shared_secret_ssh(NULL, &key->pubkey, out, &outLen);
+    if (ret != BAD_FUNC_ARG)
+        return -9744;
+    ret = wc_ecc_shared_secret_ssh(key, NULL, out, &outLen);
+    if (ret != BAD_FUNC_ARG)
+        return -9745;
+    ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, NULL, &outLen);
+    if (ret != BAD_FUNC_ARG)
+        return -9746;
+    ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -9747;
+
+    /* Use API. */
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_shared_secret_ssh(key, &key->pubkey, out, &outLen);
+    } while (ret == WC_PENDING_E);
+    if (ret != 0)
+        return -9748;
+    TEST_SLEEP();
+    return 0;
+}
+#endif /* HAVE_ECC_DHE */
+#endif
 
-            ret = wc_ecc_import_raw(&userA, test_ecc[i].Qx, test_ecc[i].Qy,
-                                 test_ecc[i].d, test_ecc[i].curveName);
-            if (ret != 0)
-                return -1017 - i;
+static int ecc_def_curve_test(WC_RNG *rng)
+{
+    int     ret;
+    ecc_key key;
 
-            ret = wc_ecc_rs_to_sig(test_ecc[i].R, test_ecc[i].S, sig, &x);
-            if (ret != 0)
-                return -1019 - i;
+    wc_ecc_init_ex(&key, HEAP_HINT, devId);
 
-            ret = wc_ecc_verify_hash(sig, x, hash, sizeof(hash), &verify, &userA);
-            if (ret != 0)
-                return -1021 - i;
+    /* Use API */
+    ret = wc_ecc_set_flags(NULL, 0);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9749;
+        goto done;
+    }
+    ret = wc_ecc_set_flags(&key, 0);
+    if (ret != 0) {
+        ret = -9750;
+        goto done;
+    }
 
-            if (verify != 1)
-                return -1023 - i;
-        }
+    ret = wc_ecc_make_key(rng, 32, &key);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ret = -9751;
+        goto done;
+    }
+    TEST_SLEEP();
+
+#ifndef NO_SIG_WRAPPER
+    ret = ecc_sig_test(rng, &key);
+    if (ret < 0)
+        goto done;
+#endif
+#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)
+    ret = ecc_exp_imp_test(&key);
+    if (ret < 0)
+        goto done;
+#endif
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_CRYPTOCELL)
+#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT)
+    ret = ecc_mulmod_test(&key);
+    if (ret < 0)
+        goto done;
+#endif
+#ifdef HAVE_ECC_DHE
+    ret = ecc_ssh_test(&key);
+    if (ret < 0)
+        goto done;
+#endif
+#endif /* WOLFSSL_ATECC508A */
+done:
+    wc_ecc_free(&key);
+    return ret;
+}
+#endif /* !NO_ECC256 || HAVE_ALL_CURVES */
+
+#ifdef WOLFSSL_CERT_EXT
+static int ecc_decode_test(void)
+{
+    int        ret;
+    word32     inSz;
+    word32     inOutIdx;
+    ecc_key    key;
+
+    /* SECP256R1 OID: 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 */
+
+    /* This is ecc_clikeypub_der_256. */
+    static const byte good[] = {
+            0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce,
+            0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+            0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x55, 0xbf, 0xf4,
+            0x0f, 0x44, 0x50, 0x9a, 0x3d, 0xce, 0x9b, 0xb7, 0xf0, 0xc5,
+            0x4d, 0xf5, 0x70, 0x7b, 0xd4, 0xec, 0x24, 0x8e, 0x19, 0x80,
+            0xec, 0x5a, 0x4c, 0xa2, 0x24, 0x03, 0x62, 0x2c, 0x9b, 0xda,
+            0xef, 0xa2, 0x35, 0x12, 0x43, 0x84, 0x76, 0x16, 0xc6, 0x56,
+            0x95, 0x06, 0xcc, 0x01, 0xa9, 0xbd, 0xf6, 0x75, 0x1a, 0x42,
+            0xf7, 0xbd, 0xa9, 0xb2, 0x36, 0x22, 0x5f, 0xc7, 0x5d, 0x7f,
+            0xb4 };
+    static const byte badNoObjId[] = { 0x30, 0x08, 0x30, 0x06, 0x03, 0x04,
+            0x00, 0x04, 0x01, 0x01 };
+    static const byte badOneObjId[] = { 0x30, 0x0a, 0x30, 0x08, 0x06, 0x00,
+            0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
+    static const byte badObjId1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x09,
+            0x06, 0x00, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
+    static const byte badObj2d1Len[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x00,
+            0x06, 0x07, 0x03, 0x04, 0x00, 0x04, 0x01, 0x01 };
+    static const byte badNotBitStr[] = { 0x30, 0x14, 0x30, 0x0b, 0x06, 0x00,
+            0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+            0x04, 0x04, 0x00, 0x04, 0x01, 0x01 };
+    static const byte badBitStrLen[] = { 0x30, 0x14, 0x30, 0x0b, 0x06, 0x00,
+            0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+            0x03, 0x05, 0x00, 0x04, 0x01, 0x01 };
+    static const byte badNoBitStrZero[] = { 0x30, 0x13, 0x30, 0x0a, 0x06, 0x00,
+            0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+            0x03, 0x03, 0x04, 0x01, 0x01 };
+    static const byte badPoint[] = { 0x30, 0x12, 0x30, 0x09, 0x06, 0x00,
+            0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+            0x03, 0x03, 0x00, 0x04, 0x01 };
+
+    XMEMSET(&key, 0, sizeof(key));
+    wc_ecc_init_ex(&key, HEAP_HINT, devId);
+
+    inSz = sizeof(good);
+    ret = wc_EccPublicKeyDecode(NULL, &inOutIdx, &key, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9800;
+        goto done;
+    }
+    ret = wc_EccPublicKeyDecode(good, NULL, &key, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9801;
+        goto done;
+    }
+    ret = wc_EccPublicKeyDecode(good, &inOutIdx, NULL, inSz);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9802;
+        goto done;
+    }
+    ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, 0);
+    if (ret != BAD_FUNC_ARG) {
+        ret = -9803;
+        goto done;
     }
-#endif /* defined(HAVE_ECC192) && defined(HAVE_ECC256) */
 
+    /* Change offset to produce bad input data. */
+    inOutIdx = 2;
+    inSz = sizeof(good) - inOutIdx;
+    ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -9804;
+        goto done;
+    }
+    inOutIdx = 4;
+    inSz = sizeof(good) - inOutIdx;
+    ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -9805;
+        goto done;
+    }
+    /* Bad data. */
+    inSz = sizeof(badNoObjId);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badNoObjId, &inOutIdx, &key, inSz);
+    if (ret != ASN_OBJECT_ID_E) {
+        ret = -9806;
+        goto done;
+    }
+    inSz = sizeof(badOneObjId);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badOneObjId, &inOutIdx, &key, inSz);
+    if (ret != ASN_OBJECT_ID_E) {
+        ret = -9807;
+        goto done;
+    }
+    inSz = sizeof(badObjId1Len);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badObjId1Len, &inOutIdx, &key, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -9808;
+        goto done;
+    }
+    inSz = sizeof(badObj2d1Len);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badObj2d1Len, &inOutIdx, &key, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -9809;
+        goto done;
+    }
+    inSz = sizeof(badNotBitStr);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badNotBitStr, &inOutIdx, &key, inSz);
+    if (ret != ASN_BITSTR_E) {
+        ret = -9810;
+        goto done;
+    }
+    inSz = sizeof(badBitStrLen);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badBitStrLen, &inOutIdx, &key, inSz);
+    if (ret != ASN_PARSE_E) {
+        ret = -9811;
+        goto done;
+    }
+    inSz = sizeof(badNoBitStrZero);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badNoBitStrZero, &inOutIdx, &key, inSz);
+    if (ret != ASN_EXPECT_0_E) {
+        ret = -9812;
+        goto done;
+    }
+    inSz = sizeof(badPoint);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(badPoint, &inOutIdx, &key, inSz);
+    if (ret != ASN_ECC_KEY_E) {
+        ret = -9813;
+        goto done;
+    }
 
-#ifdef WOLFSSL_KEY_GEN
-    {
-        int   derSz, pemSz;
-        byte  der[FOURK_BUF];
-        byte  pem[FOURK_BUF];
-        FILE* keyFile;
-        FILE* pemFile;
+    inSz = sizeof(good);
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(good, &inOutIdx, &key, inSz);
+    if (ret != 0) {
+        ret = -9814;
+        goto done;
+    }
 
-        derSz = wc_EccKeyToDer(&userB, der, FOURK_BUF);
-        if (derSz < 0) {
-            return -1024;
-        }
+done:
+    wc_ecc_free(&key);
+    return ret;
+}
+#endif /* WOLFSSL_CERT_EXT */
+
+#ifdef WOLFSSL_CUSTOM_CURVES
+static const byte eccKeyExplicitCurve[] = {
+    0x30, 0x81, 0xf5, 0x30, 0x81, 0xae, 0x06, 0x07,
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x30,
+    0x81, 0xa2, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06,
+    0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01,
+    0x02, 0x21, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff,
+    0xff, 0xfc, 0x2f, 0x30, 0x06, 0x04, 0x01, 0x00,
+    0x04, 0x01, 0x07, 0x04, 0x41, 0x04, 0x79, 0xbe,
+    0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0,
+    0x62, 0x95, 0xce, 0x87, 0x0b, 0x07, 0x02, 0x9b,
+    0xfc, 0xdb, 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2,
+    0x81, 0x5b, 0x16, 0xf8, 0x17, 0x98, 0x48, 0x3a,
+    0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4,
+    0xfb, 0xfc, 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17,
+    0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47,
+    0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, 0x02, 0x21,
+    0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
+    0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
+    0x41, 0x02, 0x01, 0x01, 0x03, 0x42, 0x00, 0x04,
+    0x3c, 0x4c, 0xc9, 0x5e, 0x2e, 0xa2, 0x3d, 0x49,
+    0xcc, 0x5b, 0xff, 0x4f, 0xc9, 0x2e, 0x1d, 0x4a,
+    0xc6, 0x21, 0xf6, 0xf3, 0xe6, 0x0b, 0x4f, 0xa9,
+    0x9d, 0x74, 0x99, 0xdd, 0x97, 0xc7, 0x6e, 0xbe,
+    0x14, 0x2b, 0x39, 0x9d, 0x63, 0xc7, 0x97, 0x0d,
+    0x45, 0x25, 0x40, 0x30, 0x77, 0x05, 0x76, 0x88,
+    0x38, 0x96, 0x29, 0x7d, 0x9c, 0xe1, 0x50, 0xbe,
+    0xac, 0xf0, 0x1d, 0x86, 0xf4, 0x2f, 0x65, 0x0b
+};
 
-        keyFile = fopen("./ecc-key.der", "wb");
-        if (!keyFile) {
-            return -1025;
-        }
-        ret = (int)fwrite(der, 1, derSz, keyFile);
-        fclose(keyFile);
-        if (ret != derSz) {
-            return -1026;
-        }
+static int ecc_test_custom_curves(WC_RNG* rng)
+{
+    int     ret;
+    word32  inOutIdx;
+    ecc_key key;
 
-        pemSz = wc_DerToPem(der, derSz, pem, FOURK_BUF, ECC_PRIVATEKEY_TYPE);
-        if (pemSz < 0) {
-            return -1027;
+    /* test use of custom curve - using BRAINPOOLP256R1 for test */
+    #ifndef WOLFSSL_ECC_CURVE_STATIC
+        const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
+            0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
+        };
+        const word32 ecc_oid_brainpoolp256r1_sz =
+            sizeof(ecc_oid_brainpoolp256r1) / sizeof(ecc_oid_t);
+    #else
+        #define ecc_oid_brainpoolp256r1 { \
+            0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07 \
         }
+        #define ecc_oid_brainpoolp256r1_sz 9
+    #endif
+    const word32 ecc_oid_brainpoolp256r1_sum = 104;
+
+    const ecc_set_type ecc_dp_brainpool256r1 = {
+        32,                                                                 /* size/bytes */
+        ECC_CURVE_CUSTOM,                                                   /* ID         */
+        "BRAINPOOLP256R1",                                                  /* curve name */
+        "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", /* prime      */
+        "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", /* A          */
+        "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", /* B          */
+        "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", /* order      */
+        "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", /* Gx         */
+        "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", /* Gy         */
+        ecc_oid_brainpoolp256r1,                                            /* oid/oidSz  */
+        ecc_oid_brainpoolp256r1_sz,
+        ecc_oid_brainpoolp256r1_sum,                                        /* oid sum    */
+        1,                                                                  /* cofactor   */
+    };
 
-        pemFile = fopen("./ecc-key.pem", "wb");
-        if (!pemFile) {
-            return -1028;
+    ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
+        &ecc_dp_brainpool256r1);
+    if (ret != 0) {
+        printf("ECC test for custom curve failed! %d\n", ret);
+        return ret;
+    }
+
+    #if defined(HAVE_ECC_BRAINPOOL) || defined(HAVE_ECC_KOBLITZ)
+    {
+        int curve_id;
+        #ifdef HAVE_ECC_BRAINPOOL
+            curve_id = ECC_BRAINPOOLP256R1;
+        #else
+            curve_id = ECC_SECP256K1;
+        #endif
+        /* Test and demonstrate use of non-SECP curve */
+        ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, curve_id, NULL);
+        if (ret < 0) {
+            printf("ECC test for curve_id %d failed! %d\n", curve_id, ret);
+            return ret;
         }
-        ret = (int)fwrite(pem, 1, pemSz, pemFile);
-        fclose(pemFile);
-        if (ret != pemSz) {
-            return -1029;
+    }
+    #endif
+
+    ret = wc_ecc_init_ex(&key, HEAP_HINT, devId);
+    if (ret != 0) {
+        return -9815;
+    }
+
+    inOutIdx = 0;
+    ret = wc_EccPublicKeyDecode(eccKeyExplicitCurve, &inOutIdx, &key,
+                                                   sizeof(eccKeyExplicitCurve));
+    if (ret != 0)
+        return -9816;
+
+    wc_ecc_free(&key);
+
+    return ret;
+}
+#endif /* WOLFSSL_CUSTOM_CURVES */
+
+#ifdef WOLFSSL_CERT_GEN
+
+/* Make Cert / Sign example for ECC cert and ECC CA */
+static int ecc_test_cert_gen(WC_RNG* rng)
+{
+    int ret;
+    Cert        myCert;
+    int         certSz;
+    size_t      bytes;
+    word32      idx = 0;
+#ifndef USE_CERT_BUFFERS_256
+    XFILE       file;
+#endif
+#ifdef WOLFSSL_TEST_CERT
+    DecodedCert decode;
+#endif
+    byte*  der;
+    byte*  pem = NULL;
+    ecc_key caEccKey;
+    ecc_key certPubKey;
+
+    XMEMSET(&caEccKey, 0, sizeof(caEccKey));
+    XMEMSET(&certPubKey, 0, sizeof(certPubKey));
+
+    der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (der == NULL) {
+        ERROR_OUT(-9817, exit);
+    }
+    pem = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (pem == NULL) {
+        ERROR_OUT(-9818, exit);
+    }
+
+    /* Get cert private key */
+#ifdef ENABLE_ECC384_CERT_GEN_TEST
+    /* Get Cert Key 384 */
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(der, ca_ecc_key_der_384, sizeof_ca_ecc_key_der_384);
+    bytes = sizeof_ca_ecc_key_der_384;
+#else
+    file = XFOPEN(eccCaKey384File, "rb");
+    if (!file) {
+        ERROR_OUT(-9819, exit);
+    }
+
+    bytes = XFREAD(der, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+    (void)eccCaKeyFile;
+#endif /* USE_CERT_BUFFERS_256 */
+#else
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(der, ca_ecc_key_der_256, sizeof_ca_ecc_key_der_256);
+    bytes = sizeof_ca_ecc_key_der_256;
+#else
+    file = XFOPEN(eccCaKeyFile, "rb");
+    if (!file) {
+        ERROR_OUT(-9820, exit);
+    }
+    bytes = XFREAD(der, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#ifdef ENABLE_ECC384_CERT_GEN_TEST
+    (void)eccCaKey384File;
+#endif
+#endif /* USE_CERT_BUFFERS_256 */
+#endif /* ENABLE_ECC384_CERT_GEN_TEST */
+
+    /* Get CA Key */
+    ret = wc_ecc_init_ex(&caEccKey, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-9821, exit);
+    }
+    ret = wc_EccPrivateKeyDecode(der, &idx, &caEccKey, (word32)bytes);
+    if (ret != 0) {
+        ERROR_OUT(-9822, exit);
+    }
+
+    /* Make a public key */
+    ret = wc_ecc_init_ex(&certPubKey, HEAP_HINT, devId);
+    if (ret != 0) {
+        ERROR_OUT(-9823, exit);
+    }
+
+    ret = wc_ecc_make_key(rng, 32, &certPubKey);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &certPubKey.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0) {
+        ERROR_OUT(-9824, exit);
+    }
+    TEST_SLEEP();
+
+    /* Setup Certificate */
+    if (wc_InitCert(&myCert)) {
+        ERROR_OUT(-9825, exit);
+    }
+
+#ifndef NO_SHA256
+    myCert.sigType = CTC_SHA256wECDSA;
+#else
+    myCert.sigType = CTC_SHAwECDSA;
+#endif
+    XMEMCPY(&myCert.subject, &certDefaultName, sizeof(CertName));
+
+#ifdef WOLFSSL_CERT_EXT
+    /* add Policies */
+    XSTRNCPY(myCert.certPolicies[0], "2.4.589440.587.101.2.1.9632587.1",
+            CTC_MAX_CERTPOL_SZ);
+    XSTRNCPY(myCert.certPolicies[1], "1.2.13025.489.1.113549",
+            CTC_MAX_CERTPOL_SZ);
+    myCert.certPoliciesNb = 2;
+
+    /* add SKID from the Public Key */
+    if (wc_SetSubjectKeyIdFromPublicKey(&myCert, NULL, &certPubKey) != 0) {
+        ERROR_OUT(-9826, exit);
+    }
+
+    /* add AKID from the Public Key */
+    if (wc_SetAuthKeyIdFromPublicKey(&myCert, NULL, &caEccKey) != 0) {
+        ERROR_OUT(-9827, exit);
+    }
+
+    /* add Key Usage */
+    if (wc_SetKeyUsage(&myCert, certKeyUsage) != 0) {
+        ERROR_OUT(-9828, exit);
+    }
+#endif /* WOLFSSL_CERT_EXT */
+
+#ifdef ENABLE_ECC384_CERT_GEN_TEST
+    #if defined(USE_CERT_BUFFERS_256)
+    ret = wc_SetIssuerBuffer(&myCert, ca_ecc_cert_der_384,
+                                      sizeof_ca_ecc_cert_der_384);
+#else
+    ret = wc_SetIssuer(&myCert, eccCaCert384File);
+    (void)eccCaCertFile;
+#endif
+#else
+#if defined(USE_CERT_BUFFERS_256)
+    ret = wc_SetIssuerBuffer(&myCert, ca_ecc_cert_der_256,
+                                      sizeof_ca_ecc_cert_der_256);
+#else
+    ret = wc_SetIssuer(&myCert, eccCaCertFile);
+#ifdef ENABLE_ECC384_CERT_GEN_TEST
+    (void)eccCaCert384File;
+#endif
+#endif
+#endif /* ENABLE_ECC384_CERT_GEN_TEST */
+    if (ret < 0) {
+        ERROR_OUT(-9829, exit);
+    }
+
+    certSz = wc_MakeCert(&myCert, der, FOURK_BUF, NULL, &certPubKey, rng);
+    if (certSz < 0) {
+        ERROR_OUT(-9830, exit);
+    }
+
+    ret = 0;
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &caEccKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret >= 0) {
+            ret = wc_SignCert(myCert.bodySz, myCert.sigType, der,
+                              FOURK_BUF, NULL, &caEccKey, rng);
         }
+    } while (ret == WC_PENDING_E);
+    if (ret < 0) {
+        ERROR_OUT(-9831, exit);
     }
-#endif /* WOLFSSL_KEY_GEN */
+    certSz = ret;
+    TEST_SLEEP();
 
-    wc_ecc_free(&pubKey);
-    wc_ecc_free(&userB);
-    wc_ecc_free(&userA);
+#ifdef WOLFSSL_TEST_CERT
+    InitDecodedCert(&decode, der, certSz, 0);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    if (ret != 0) {
+        FreeDecodedCert(&decode);
+        ERROR_OUT(-9832, exit);
+
+    }
+    FreeDecodedCert(&decode);
+#endif
+
+    ret = SaveDerAndPem(der, certSz, pem, FOURK_BUF, certEccDerFile,
+        certEccPemFile, CERT_TYPE, -6735);
+    if (ret != 0) {
+        goto exit;
+    }
+
+exit:
+    wc_ecc_free(&certPubKey);
+    wc_ecc_free(&caEccKey);
+
+    XFREE(pem, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+#endif /* WOLFSSL_CERT_GEN */
+
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+/* Test for the wc_ecc_key_new() and wc_ecc_key_free() functions. */
+static int ecc_test_allocator(WC_RNG* rng)
+{
+    int ret = 0;
+    ecc_key* key;
+
+    key = wc_ecc_key_new(HEAP_HINT);
+    if (key == NULL) {
+        ERROR_OUT(-9833, exit);
+    }
+
+    ret = wc_ecc_make_key(rng, 32, key);
+    if (ret != 0) {
+        ERROR_OUT(-9834, exit);
+    }
+
+exit:
+    wc_ecc_key_free(key);
+    return ret;
+}
+#endif
+
+int ecc_test(void)
+{
+    int ret;
+    WC_RNG  rng;
+
+#ifdef WOLFSSL_CERT_EXT
+    ret = ecc_decode_test();
+    if (ret < 0)
+        return ret;
+#endif
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -9900;
+
+#if defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 14);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC112 */
+#if defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 16);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC128 */
+#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 20);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC160 */
+#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 24);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC192 */
+#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 28);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC224 */
+#if defined(HAVE_ECC239) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 30);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC239 */
+#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 32);
+    if (ret < 0) {
+        goto done;
+    }
+#if !defined(WOLFSSL_ATECC508A) && defined(HAVE_ECC_KEY_IMPORT) && \
+     defined(HAVE_ECC_KEY_EXPORT)
+    ret = ecc_point_test();
+    if (ret < 0) {
+        goto done;
+    }
+#endif
+    ret = ecc_def_curve_test(&rng);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* !NO_ECC256 */
+#if defined(HAVE_ECC320) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 40);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC320 */
+#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 48);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC384 */
+#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 64);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC512 */
+#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
+    ret = ecc_test_curve(&rng, 66);
+    if (ret < 0) {
+        goto done;
+    }
+#endif /* HAVE_ECC521 */
+
+#if defined(WOLFSSL_CUSTOM_CURVES)
+    ret = ecc_test_custom_curves(&rng);
+    if (ret != 0) {
+        goto done;
+    }
+#endif
+
+#if defined(HAVE_ECC_SIGN) && defined(WOLFSSL_ECDSA_SET_K)
+    ret = ecc_test_sign_vectors(&rng);
+    if (ret != 0) {
+        printf("ecc_test_sign_vectors failed! %d\n", ret);
+        goto done;
+    }
+#endif
+#ifdef HAVE_ECC_CDH
+    ret = ecc_test_cdh_vectors();
+    if (ret != 0) {
+        printf("ecc_test_cdh_vectors failed! %d\n", ret);
+        goto done;
+    }
+#endif
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_STM32_PKA)
+    ret = ecc_test_make_pub(&rng);
+    if (ret != 0) {
+        printf("ecc_test_make_pub failed!: %d\n", ret);
+        goto done;
+    }
+#else
+    (void) ecc_test_make_pub;/* for compiler warning */
+#endif
+#ifdef WOLFSSL_CERT_GEN
+    ret = ecc_test_cert_gen(&rng);
+    if (ret != 0) {
+        printf("ecc_test_cert_gen failed!: %d\n", ret);
+        goto done;
+    }
+#endif
+#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
+    ret = ecc_test_allocator(&rng);
+    if (ret != 0) {
+        printf("ecc_test_allocator failed!: %d\n", ret);
+    }
+#endif
+
+done:
     wc_FreeRng(&rng);
 
-    return 0;
+    return ret;
 }
 
-#ifdef HAVE_ECC_ENCRYPT
+#if defined(HAVE_ECC_ENCRYPT) && defined(WOLFSSL_AES_128)
 
 int ecc_encrypt_test(void)
 {
-    RNG     rng;
-    int     ret;
+    WC_RNG  rng;
+    int     ret = 0;
     ecc_key userA, userB;
     byte    msg[48];
     byte    plain[48];
@@ -5130,139 +20123,551 @@ int ecc_encrypt_test(void)
     word32  outSz   = sizeof(out);
     word32  plainSz = sizeof(plain);
     int     i;
+    ecEncCtx* cliCtx = NULL;
+    ecEncCtx* srvCtx = NULL;
+    byte cliSalt[EXCHANGE_SALT_SZ];
+    byte srvSalt[EXCHANGE_SALT_SZ];
+    const byte* tmpSalt;
+    byte    msg2[48];
+    byte    plain2[48];
+    byte    out2[80];
+    word32  outSz2   = sizeof(out2);
+    word32  plainSz2 = sizeof(plain2);
 
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
     ret = wc_InitRng(&rng);
+#endif
     if (ret != 0)
-        return -3001;
+        return -10000;
 
-    wc_ecc_init(&userA);
-    wc_ecc_init(&userB);
+    XMEMSET(&userA, 0, sizeof(userA));
+    XMEMSET(&userB, 0, sizeof(userB));
+
+    ret = wc_ecc_init_ex(&userA, HEAP_HINT, devId);
+    if (ret != 0)
+        goto done;
+    ret = wc_ecc_init_ex(&userB, HEAP_HINT, devId);
+    if (ret != 0)
+        goto done;
 
     ret  = wc_ecc_make_key(&rng, 32, &userA);
-    ret += wc_ecc_make_key(&rng, 32, &userB);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &userA.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0){
+        ret = -10001; goto done;
+    }
 
-    if (ret != 0)
-        return -3002;
+    ret = wc_ecc_make_key(&rng, 32, &userB);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &userB.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != 0){
+        ret = -10002; goto done;
+    }
 
-    for (i = 0; i < 48; i++)
+    /* set message to incrementing 0,1,2,etc... */
+    for (i = 0; i < (int)sizeof(msg); i++)
         msg[i] = i;
 
     /* encrypt msg to B */
     ret = wc_ecc_encrypt(&userA, &userB, msg, sizeof(msg), out, &outSz, NULL);
-    if (ret != 0)
-        return -3003;
+    if (ret != 0) {
+        ret = -10003; goto done;
+    }
 
     /* decrypt msg from A */
     ret = wc_ecc_decrypt(&userB, &userA, out, outSz, plain, &plainSz, NULL);
+    if (ret != 0) {
+        ret = -10004; goto done;
+    }
+
+    if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
+        ret = -10005; goto done;
+    }
+
+    /* let's verify message exchange works, A is client, B is server */
+    cliCtx = wc_ecc_ctx_new(REQ_RESP_CLIENT, &rng);
+    srvCtx = wc_ecc_ctx_new(REQ_RESP_SERVER, &rng);
+    if (cliCtx == NULL || srvCtx == NULL) {
+        ret = -10006; goto done;
+    }
+
+    /* get salt to send to peer */
+    tmpSalt = wc_ecc_ctx_get_own_salt(cliCtx);
+    if (tmpSalt == NULL) {
+        ret = -10007; goto done;
+    }
+    XMEMCPY(cliSalt, tmpSalt, EXCHANGE_SALT_SZ);
+
+    tmpSalt = wc_ecc_ctx_get_own_salt(srvCtx);
+    if (tmpSalt == NULL) {
+        ret = -10008; goto done;
+    }
+    XMEMCPY(srvSalt, tmpSalt, EXCHANGE_SALT_SZ);
+
+    /* in actual use, we'd get the peer's salt over the transport */
+    ret = wc_ecc_ctx_set_peer_salt(cliCtx, srvSalt);
+    if (ret != 0)
+        goto done;
+    ret = wc_ecc_ctx_set_peer_salt(srvCtx, cliSalt);
     if (ret != 0)
-        return -3004;
+        goto done;
 
-    if (memcmp(plain, msg, sizeof(msg)) != 0)
-        return -3005;
+    ret = wc_ecc_ctx_set_info(cliCtx, (byte*)"wolfSSL MSGE", 11);
+    if (ret != 0)
+        goto done;
+    ret = wc_ecc_ctx_set_info(srvCtx, (byte*)"wolfSSL MSGE", 11);
+    if (ret != 0)
+        goto done;
 
+    /* get encrypted msg (request) to send to B */
+    outSz = sizeof(out);
+    ret = wc_ecc_encrypt(&userA, &userB, msg, sizeof(msg), out, &outSz,cliCtx);
+    if (ret != 0)
+        goto done;
 
-    {  /* let's verify message exchange works, A is client, B is server */
-        ecEncCtx* cliCtx = wc_ecc_ctx_new(REQ_RESP_CLIENT, &rng);
-        ecEncCtx* srvCtx = wc_ecc_ctx_new(REQ_RESP_SERVER, &rng);
+    /* B decrypts msg (request) from A */
+    plainSz = sizeof(plain);
+    ret = wc_ecc_decrypt(&userB, &userA, out, outSz, plain, &plainSz, srvCtx);
+    if (ret != 0)
+        goto done;
 
-        byte cliSalt[EXCHANGE_SALT_SZ];
-        byte srvSalt[EXCHANGE_SALT_SZ];
-        const byte* tmpSalt;
+    if (XMEMCMP(plain, msg, sizeof(msg)) != 0) {
+        ret = -10009; goto done;
+    }
 
-        if (cliCtx == NULL || srvCtx == NULL)
-            return -3006;
+    /* msg2 (response) from B to A */
+    for (i = 0; i < (int)sizeof(msg2); i++)
+        msg2[i] = i + sizeof(msg2);
 
-        /* get salt to send to peer */
-        tmpSalt = wc_ecc_ctx_get_own_salt(cliCtx);
-        if (tmpSalt == NULL)
-            return -3007;
-        memcpy(cliSalt, tmpSalt, EXCHANGE_SALT_SZ);
+    /* get encrypted msg (response) to send to B */
+    ret = wc_ecc_encrypt(&userB, &userA, msg2, sizeof(msg2), out2,
+                      &outSz2, srvCtx);
+    if (ret != 0)
+        goto done;
 
-        tmpSalt = wc_ecc_ctx_get_own_salt(srvCtx);
-        if (tmpSalt == NULL)
-            return -3007;
-        memcpy(srvSalt, tmpSalt, EXCHANGE_SALT_SZ);
+    /* A decrypts msg (response) from B */
+    ret = wc_ecc_decrypt(&userA, &userB, out2, outSz2, plain2, &plainSz2,
+                     cliCtx);
+    if (ret != 0)
+        goto done;
 
-        /* in actual use, we'd get the peer's salt over the transport */
-        ret  = wc_ecc_ctx_set_peer_salt(cliCtx, srvSalt);
-        ret += wc_ecc_ctx_set_peer_salt(srvCtx, cliSalt);
+    if (XMEMCMP(plain2, msg2, sizeof(msg2)) != 0) {
+        ret = -10010; goto done;
+    }
 
-        ret += wc_ecc_ctx_set_info(cliCtx, (byte*)"wolfSSL MSGE", 11);
-        ret += wc_ecc_ctx_set_info(srvCtx, (byte*)"wolfSSL MSGE", 11);
+done:
 
-        if (ret != 0)
-            return -3008;
+    /* cleanup */
+    wc_ecc_ctx_free(srvCtx);
+    wc_ecc_ctx_free(cliCtx);
 
-        /* get encrypted msg (request) to send to B */
-        outSz  = sizeof(out);
-        ret = wc_ecc_encrypt(&userA, &userB, msg, sizeof(msg), out, &outSz,cliCtx);
-        if (ret != 0)
-            return -3009;
+    wc_ecc_free(&userB);
+    wc_ecc_free(&userA);
+    wc_FreeRng(&rng);
 
-        /* B decrypts msg (request) from A */
-        plainSz = sizeof(plain);
-        ret = wc_ecc_decrypt(&userB, &userA, out, outSz, plain, &plainSz, srvCtx);
-        if (ret != 0)
-            return -3010;
+    return ret;
+}
 
-        if (memcmp(plain, msg, sizeof(msg)) != 0)
-            return -3011;
+#endif /* HAVE_ECC_ENCRYPT */
 
-        {
-            /* msg2 (response) from B to A */
-            byte    msg2[48];
-            byte    plain2[48];
-            byte    out2[80];
-            word32  outSz2   = sizeof(out2);
-            word32  plainSz2 = sizeof(plain2);
-
-            for (i = 0; i < 48; i++)
-                msg2[i] = i+48;
-
-            /* get encrypted msg (response) to send to B */
-            ret = wc_ecc_encrypt(&userB, &userA, msg2, sizeof(msg2), out2,
-                              &outSz2, srvCtx);
-            if (ret != 0)
-                return -3012;
+#ifdef USE_CERT_BUFFERS_256
+int ecc_test_buffers(void) {
+    size_t bytes;
+    ecc_key cliKey;
+    ecc_key servKey;
+    WC_RNG rng;
+    word32 idx = 0;
+    int    ret;
+    /* pad our test message to 32 bytes so evenly divisible by AES_BLOCK_SZ */
+    byte   in[] = "Everyone gets Friday off. ecc p";
+    word32 inLen = (word32)XSTRLEN((char*)in);
+    byte   out[256];
+    byte   plain[256];
+    int verify = 0;
+    word32 x;
 
-            /* A decrypts msg (response) from B */
-            ret = wc_ecc_decrypt(&userA, &userB, out2, outSz2, plain2, &plainSz2,
-                             cliCtx);
-            if (ret != 0)
-                return -3013;
+    ret = wc_ecc_init_ex(&cliKey, HEAP_HINT, devId);
+    if (ret != 0)
+        return -10011;
+    ret = wc_ecc_init_ex(&servKey, HEAP_HINT, devId);
+    if (ret != 0)
+        return -10012;
 
-            if (memcmp(plain2, msg2, sizeof(msg2)) != 0)
-                return -3014;
-        }
+    bytes = (size_t)sizeof_ecc_clikey_der_256;
+    /* place client key into ecc_key struct cliKey */
+    ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, &cliKey,
+                                                                (word32)bytes);
+    if (ret != 0)
+        return -10013;
+
+    idx = 0;
+    bytes = (size_t)sizeof_ecc_key_der_256;
 
-        /* cleanup */
-        wc_ecc_ctx_free(srvCtx);
-        wc_ecc_ctx_free(cliCtx);
+    /* place server key into ecc_key struct servKey */
+    ret = wc_EccPrivateKeyDecode(ecc_key_der_256, &idx, &servKey,
+                                                                (word32)bytes);
+    if (ret != 0)
+        return -10014;
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -10015;
+
+#if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_HKDF)
+    {
+        word32 y;
+        /* test encrypt and decrypt if they're available */
+        x = sizeof(out);
+        ret = wc_ecc_encrypt(&cliKey, &servKey, in, sizeof(in), out, &x, NULL);
+        if (ret < 0)
+            return -10016;
+
+        y = sizeof(plain);
+        ret = wc_ecc_decrypt(&cliKey, &servKey, out, x, plain, &y, NULL);
+        if (ret < 0)
+            return -10017;
+
+        if (XMEMCMP(plain, in, inLen))
+            return -10018;
     }
+#endif
 
-    /* cleanup */
-    wc_ecc_free(&userB);
-    wc_ecc_free(&userA);
+    x = sizeof(out);
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &cliKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_sign_hash(in, inLen, out, &x, &rng, &cliKey);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0)
+        return -10019;
+    TEST_SLEEP();
+
+    XMEMSET(plain, 0, sizeof(plain));
+
+    do {
+    #if defined(WOLFSSL_ASYNC_CRYPT)
+        ret = wc_AsyncWait(ret, &cliKey.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
+    #endif
+        if (ret == 0)
+            ret = wc_ecc_verify_hash(out, x, plain, sizeof(plain), &verify,
+                &cliKey);
+    } while (ret == WC_PENDING_E);
+    if (ret < 0)
+        return -10020;
+
+    if (XMEMCMP(plain, in, (word32)ret))
+        return -10021;
+    TEST_SLEEP();
+
+#ifdef WOLFSSL_CERT_EXT
+    idx = 0;
+
+    bytes = sizeof_ecc_clikeypub_der_256;
+
+    ret = wc_EccPublicKeyDecode(ecc_clikeypub_der_256, &idx, &cliKey,
+                                                               (word32) bytes);
+    if (ret != 0)
+        return -10022;
+#endif
+
+    wc_ecc_free(&cliKey);
+    wc_ecc_free(&servKey);
     wc_FreeRng(&rng);
 
     return 0;
 }
-
-#endif /* HAVE_ECC_ENCRYPT */
+#endif /* USE_CERT_BUFFERS_256 */
 #endif /* HAVE_ECC */
 
 
 #ifdef HAVE_CURVE25519
+#if defined(HAVE_CURVE25519_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE25519_KEY_IMPORT)
+#ifdef CURVE25519_OVERFLOW_ALL_TESTS
+#define X25519_TEST_CNT    5
+#else
+#define X25519_TEST_CNT    1
+#endif
+static int curve25519_overflow_test(void)
+{
+    /* secret key for party a */
+    byte sa[X25519_TEST_CNT][32] = {
+        {
+            0x8d,0xaf,0x6e,0x7a,0xc1,0xeb,0x8d,0x30,
+            0x99,0x86,0xd3,0x90,0x47,0x96,0x21,0x3c,
+            0x3a,0x75,0xc0,0x7b,0x75,0x01,0x75,0xa3,
+            0x81,0x4b,0xff,0x5a,0xbc,0x96,0x87,0x28
+        },
+#ifdef CURVE25519_OVERFLOW_ALL_TESTS
+        {
+            0x9d,0x63,0x5f,0xce,0xe2,0xe8,0xd7,0xfb,
+            0x68,0x77,0x0e,0x44,0xd1,0xad,0x87,0x2b,
+            0xf4,0x65,0x06,0xb7,0xbb,0xdb,0xbe,0x6e,
+            0x02,0x43,0x24,0xc7,0x3d,0x7b,0x88,0x60
+        },
+        {
+            0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
+            0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
+            0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
+            0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
+        },
+        {
+            0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
+            0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
+            0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
+            0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
+        },
+        {
+            0x63,0xbf,0x76,0xa9,0x73,0xa0,0x09,0xb9,
+            0xcc,0xc9,0x4d,0x47,0x2d,0x14,0x0e,0x52,
+            0xa3,0x84,0x55,0xb8,0x7c,0xdb,0xce,0xb1,
+            0xe4,0x5b,0x8a,0xb9,0x30,0xf1,0xa4,0xa0
+        }
+#endif
+    };
+
+    /* public key for party b */
+    byte pb[X25519_TEST_CNT][32] = {
+        {
+            0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0
+        },
+#ifdef CURVE25519_OVERFLOW_ALL_TESTS
+        {
+            /* 0xff first byte in original - invalid! */
+            0x7f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+            0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0
+        },
+        {
+            0x36,0x1a,0x74,0x87,0x28,0x59,0xe0,0xb6,
+            0xe4,0x2b,0x17,0x9b,0x16,0xb0,0x3b,0xf8,
+            0xb8,0x9f,0x2a,0x8f,0xc5,0x33,0x68,0x4f,
+            0xde,0x4d,0xd8,0x80,0x63,0xe7,0xb4,0x0a
+        },
+        {
+            0x00,0x80,0x38,0x59,0x19,0x3a,0x66,0x12,
+            0xfd,0xa1,0xec,0x1c,0x40,0x84,0x40,0xbd,
+            0x64,0x10,0x8b,0x53,0x81,0x21,0x03,0x2d,
+            0x7d,0x33,0xb4,0x01,0x57,0x0d,0xe1,0x89
+        },
+        {
+            0x1d,0xf8,0xf8,0x33,0x89,0x6c,0xb7,0xba,
+            0x94,0x73,0xfa,0xc2,0x36,0xac,0xbe,0x49,
+            0xaf,0x85,0x3e,0x93,0x5f,0xae,0xb2,0xc0,
+            0xc8,0x80,0x8f,0x4a,0xaa,0xd3,0x55,0x2b
+        }
+#endif
+    };
+
+    /* expected shared key */
+    byte ss[X25519_TEST_CNT][32] = {
+        {
+            0x5c,0x4c,0x85,0x5f,0xfb,0x20,0x38,0xcc,
+            0x55,0x16,0x5b,0x8a,0xa7,0xed,0x57,0x6e,
+            0x35,0xaa,0x71,0x67,0x85,0x1f,0xb6,0x28,
+            0x17,0x07,0x7b,0xda,0x76,0xdd,0xe0,0xb4
+        },
+#ifdef CURVE25519_OVERFLOW_ALL_TESTS
+        {
+            0x33,0xf6,0xc1,0x34,0x62,0x92,0x06,0x02,
+            0x95,0xdb,0x91,0x4c,0x5d,0x52,0x54,0xc7,
+            0xd2,0x5b,0x24,0xb5,0x4f,0x33,0x59,0x79,
+            0x9f,0x6d,0x7e,0x4a,0x4c,0x30,0xd6,0x38
+        },
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02
+        },
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09
+        },
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10
+        }
+#endif
+    };
+
+    int            i;
+    word32         y;
+    byte           shared[32];
+    curve25519_key userA;
+
+    wc_curve25519_init(&userA);
+
+    for (i = 0; i < X25519_TEST_CNT; i++) {
+        if (wc_curve25519_import_private_raw(sa[i], sizeof(sa[i]), pb[i],
+                                                    sizeof(pb[i]), &userA) != 0)
+            return -10100 - i;
+
+        /* test against known test vector */
+        XMEMSET(shared, 0, sizeof(shared));
+        y = sizeof(shared);
+        if (wc_curve25519_shared_secret(&userA, &userA, shared, &y) != 0)
+            return -10110 - i;
+
+        if (XMEMCMP(ss[i], shared, y))
+            return -10120 - i;
+    }
+
+    return 0;
+}
+
+/* Test the wc_curve25519_check_public API.
+ *
+ * returns 0 on success and -ve on failure.
+ */
+static int curve25519_check_public_test(void)
+{
+    /* Little-endian values that will fail */
+    byte fail_le[][CURVE25519_KEYSIZE] = {
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+        {
+            0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+        {
+            0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x81
+        },
+    };
+    /* Big-endian values that will fail */
+    byte fail_be[][CURVE25519_KEYSIZE] = {
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
+        },
+        {
+            0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
+        },
+    };
+    /* Good or valid public value */
+    byte good[CURVE25519_KEYSIZE] = {
+        0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
+    };
+    int i;
+
+    /* Parameter checks */
+    /* NULL pointer */
+    if (wc_curve25519_check_public(NULL, 0, EC25519_LITTLE_ENDIAN) !=
+                                                                 BAD_FUNC_ARG) {
+        return -10200;
+    }
+    if (wc_curve25519_check_public(NULL, 0, EC25519_BIG_ENDIAN) !=
+                                                                 BAD_FUNC_ARG) {
+        return -10201;
+    }
+    /* Length of 0 treated differently to other invalid lengths for TLS */
+    if (wc_curve25519_check_public(good, 0, EC25519_LITTLE_ENDIAN) != BUFFER_E)
+        return -10202;
+    if (wc_curve25519_check_public(good, 0, EC25519_BIG_ENDIAN) != BUFFER_E)
+        return -10203;
+
+    /* Length not CURVE25519_KEYSIZE */
+    for (i = 1; i < CURVE25519_KEYSIZE + 2; i++) {
+        if (i == CURVE25519_KEYSIZE)
+            continue;
+        if (wc_curve25519_check_public(good, i, EC25519_LITTLE_ENDIAN) !=
+                                                                ECC_BAD_ARG_E) {
+            return -10204 - i;
+        }
+        if (wc_curve25519_check_public(good, i, EC25519_BIG_ENDIAN) !=
+                                                                ECC_BAD_ARG_E) {
+            return -10214 - i;
+        }
+    }
+
+    /* Little-endian fail cases */
+    for (i = 0; i < (int)(sizeof(fail_le) / sizeof(*fail_le)); i++) {
+        if (wc_curve25519_check_public(fail_le[i], CURVE25519_KEYSIZE,
+                                                  EC25519_LITTLE_ENDIAN) == 0) {
+            return -10224 - i;
+        }
+    }
+    /* Big-endian fail cases */
+    for (i = 0; i < (int)(sizeof(fail_be) / sizeof(*fail_be)); i++) {
+        if (wc_curve25519_check_public(fail_be[i], CURVE25519_KEYSIZE,
+                                                     EC25519_BIG_ENDIAN) == 0) {
+            return -10234 - i;
+        }
+    }
+
+    /* Check a valid public value works! */
+    if (wc_curve25519_check_public(good, CURVE25519_KEYSIZE,
+                                                  EC25519_LITTLE_ENDIAN) != 0) {
+        return -10244;
+    }
+    if (wc_curve25519_check_public(good, CURVE25519_KEYSIZE,
+                                                     EC25519_BIG_ENDIAN) != 0) {
+        return -10245;
+    }
+
+    return 0;
+}
+
+#endif /* HAVE_CURVE25519_SHARED_SECRET && HAVE_CURVE25519_KEY_IMPORT */
 
 int curve25519_test(void)
 {
-    RNG     rng;
+    WC_RNG  rng;
+    int ret;
+#ifdef HAVE_CURVE25519_SHARED_SECRET
     byte    sharedA[32];
     byte    sharedB[32];
+    word32  y;
+#endif
+#ifdef HAVE_CURVE25519_KEY_EXPORT
     byte    exportBuf[32];
-    word32  x, y;
+#endif
+    word32  x;
     curve25519_key userA, userB, pubKey;
 
+#if defined(HAVE_CURVE25519_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE25519_KEY_IMPORT)
     /* test vectors from
        https://tools.ietf.org/html/draft-josefsson-tls-curve25519-03
      */
@@ -5306,9 +20711,17 @@ int curve25519_test(void)
         0x73,0x8B,0x99,0xF0,0x94,0x68,0xB8,0xD6,
         0xB8,0x51,0x11,0x84,0xD5,0x34,0x94,0xAB
     };
+#endif /* HAVE_CURVE25519_SHARED_SECRET */
 
-    if (wc_InitRng(&rng) != 0)
-        return -1001;
+    (void)x;
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -10300;
 
     wc_curve25519_init(&userA);
     wc_curve25519_init(&userB);
@@ -5316,64 +20729,109 @@ int curve25519_test(void)
 
     /* make curve25519 keys */
     if (wc_curve25519_make_key(&rng, 32, &userA) != 0)
-        return -1002;
+        return -10301;
 
     if (wc_curve25519_make_key(&rng, 32, &userB) != 0)
-        return -1003;
+        return -10302;
 
+#ifdef HAVE_CURVE25519_SHARED_SECRET
     /* find shared secret key */
+    x = sizeof(sharedA);
     if (wc_curve25519_shared_secret(&userA, &userB, sharedA, &x) != 0)
-        return -1004;
+        return -10303;
 
+    y = sizeof(sharedB);
     if (wc_curve25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
-        return -1005;
+        return -10304;
 
     /* compare shared secret keys to test they are the same */
     if (y != x)
-        return -1006;
+        return -10305;
 
     if (XMEMCMP(sharedA, sharedB, x))
-        return -1007;
+        return -10306;
+#endif
 
+#ifdef HAVE_CURVE25519_KEY_EXPORT
     /* export a public key and import it for another user */
+    x = sizeof(exportBuf);
     if (wc_curve25519_export_public(&userA, exportBuf, &x) != 0)
-        return -1008;
+        return -10307;
 
+#ifdef HAVE_CURVE25519_KEY_IMPORT
     if (wc_curve25519_import_public(exportBuf, x, &pubKey) != 0)
-        return -1009;
+        return -10308;
+#endif
+#endif
 
+#if defined(HAVE_CURVE25519_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE25519_KEY_IMPORT)
     /* test shared key after importing a public key */
     XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
     if (wc_curve25519_shared_secret(&userB, &pubKey, sharedB, &y) != 0)
-        return -1010;
+        return -10309;
 
     if (XMEMCMP(sharedA, sharedB, y))
-        return -1011;
+        return -10310;
 
     /* import RFC test vectors and compare shared key */
     if (wc_curve25519_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
             != 0)
-        return -1012;
+        return -10311;
 
     if (wc_curve25519_import_private_raw(sb, sizeof(sb), pb, sizeof(pb), &userB)
             != 0)
-        return -1013;
+        return -10312;
 
     /* test against known test vector */
     XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
     if (wc_curve25519_shared_secret(&userA, &userB, sharedB, &y) != 0)
-        return -1014;
+        return -10313;
 
     if (XMEMCMP(ss, sharedB, y))
-        return -1015;
+        return -10314;
 
-    /* test swaping roles of keys and generating same shared key */
+    /* test swapping roles of keys and generating same shared key */
     XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
     if (wc_curve25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
-        return -1016;
+        return -10315;
 
     if (XMEMCMP(ss, sharedB, y))
-        return -1017;
+        return -10316;
+
+    /* test with 1 generated key and 1 from known test vector */
+    if (wc_curve25519_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
+        != 0)
+        return -10317;
+
+    if (wc_curve25519_make_key(&rng, 32, &userB) != 0)
+        return -10318;
+
+    x = sizeof(sharedA);
+    if (wc_curve25519_shared_secret(&userA, &userB, sharedA, &x) != 0)
+        return -10319;
+
+    y = sizeof(sharedB);
+    if (wc_curve25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
+        return -10320;
+
+    /* compare shared secret keys to test they are the same */
+    if (y != x)
+        return -10321;
+
+    if (XMEMCMP(sharedA, sharedB, x))
+        return -10322;
+
+    ret = curve25519_overflow_test();
+    if (ret != 0)
+        return ret;
+    ret = curve25519_check_public_test();
+    if (ret != 0)
+        return ret;
+#endif /* HAVE_CURVE25519_SHARED_SECRET && HAVE_CURVE25519_KEY_IMPORT */
 
     /* clean up keys when done */
     wc_curve25519_free(&pubKey);
@@ -5388,337 +20846,812 @@ int curve25519_test(void)
 
 
 #ifdef HAVE_ED25519
+#ifdef WOLFSSL_TEST_CERT
+static int ed25519_test_cert(void)
+{
+    DecodedCert  cert[2];
+    DecodedCert* serverCert = NULL;
+    DecodedCert* caCert = NULL;
+#ifdef HAVE_ED25519_VERIFY
+    ed25519_key  key;
+    ed25519_key* pubKey = NULL;
+    int          verify;
+#endif /* HAVE_ED25519_VERIFY */
+    int          ret;
+    byte*        tmp;
+    size_t       bytes;
+    XFILE        file;
+
+    tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        ERROR_OUT(-10323, done);
+    }
+
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(tmp, ca_ed25519_cert, sizeof_ca_ed25519_cert);
+    bytes = sizeof_ca_ed25519_cert;
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(caEd25519Cert, "rb");
+    if (file == NULL) {
+        ERROR_OUT(-10324, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No certificate to use. */
+    ERROR_OUT(-10325, done);
+#endif
+
+    InitDecodedCert(&cert[0], tmp, (word32)bytes, 0);
+    caCert = &cert[0];
+    ret = ParseCert(caCert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-10326, done);
+    }
+
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(tmp, server_ed25519_cert, sizeof_server_ed25519_cert);
+    bytes = sizeof_server_ed25519_cert;
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(serverEd25519Cert, "rb");
+    if (file == NULL) {
+        ERROR_OUT(-10327, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No certificate to use. */
+    ERROR_OUT(-10328, done);
+#endif
+
+    InitDecodedCert(&cert[1], tmp, (word32)bytes, 0);
+    serverCert = &cert[1];
+    ret = ParseCert(serverCert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-10329, done);
+    }
+
+#ifdef HAVE_ED25519_VERIFY
+    ret = wc_ed25519_init(&key);
+    if (ret < 0) {
+        ERROR_OUT(-10330, done);
+    }
+    pubKey = &key;
+    ret = wc_ed25519_import_public(caCert->publicKey, caCert->pubKeySize,
+                                                                        pubKey);
+    if (ret < 0) {
+        ERROR_OUT(-10331, done);
+    }
+
+    if (wc_ed25519_verify_msg(serverCert->signature, serverCert->sigLength,
+                              serverCert->source + serverCert->certBegin,
+                              serverCert->sigIndex - serverCert->certBegin,
+                              &verify, pubKey) < 0 || verify != 1) {
+        ERROR_OUT(-10332, done);
+    }
+#endif /* HAVE_ED25519_VERIFY */
+
+done:
+    if (tmp != NULL)
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef HAVE_ED25519_VERIFY
+    wc_ed25519_free(pubKey);
+#endif /* HAVE_ED25519_VERIFY */
+    if (caCert != NULL)
+        FreeDecodedCert(caCert);
+    if (serverCert != NULL)
+        FreeDecodedCert(serverCert);
+
+    return ret;
+}
+
+static int ed25519_test_make_cert(void)
+{
+    WC_RNG       rng;
+    Cert         cert;
+    DecodedCert  decode;
+    ed25519_key  key;
+    ed25519_key* privKey = NULL;
+    int          ret = 0;
+    byte*        tmp = NULL;
+
+    wc_InitCert(&cert);
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -10333;
+
+    wc_ed25519_init(&key);
+    privKey = &key;
+    wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, privKey);
+
+    cert.daysValid = 365 * 2;
+    cert.selfSigned = 1;
+    XMEMCPY(&cert.issuer, &certDefaultName, sizeof(CertName));
+    XMEMCPY(&cert.subject, &certDefaultName, sizeof(CertName));
+    cert.isCA = 0;
+#ifdef WOLFSSL_CERT_EXT
+    ret = wc_SetKeyUsage(&cert, certKeyUsage);
+    if (ret < 0) {
+        ERROR_OUT(-10334, done);
+    }
+    ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey);
+    if (ret < 0) {
+        ERROR_OUT(-10335, done);
+    }
+    ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE, privKey);
+    if (ret < 0) {
+        ERROR_OUT(-10336, done);
+    }
+#endif
+    tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        ERROR_OUT(-10337, done);
+    }
+
+    cert.sigType = CTC_ED25519;
+    ret = wc_MakeCert_ex(&cert, tmp, FOURK_BUF, ED25519_TYPE, privKey, &rng);
+    if (ret < 0) {
+        ERROR_OUT(-10338, done);
+    }
+    ret = wc_SignCert_ex(cert.bodySz, cert.sigType, tmp, FOURK_BUF,
+                                                   ED25519_TYPE, privKey, &rng);
+    if (ret < 0) {
+        ERROR_OUT(-10339, done);
+    }
+
+    InitDecodedCert(&decode, tmp, ret, HEAP_HINT);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    FreeDecodedCert(&decode);
+    if (ret != 0) {
+        ERROR_OUT(-10340, done);
+    }
+
+done:
+    if (tmp != NULL)
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_ed25519_free(privKey);
+    wc_FreeRng(&rng);
+    return ret;
+}
+#endif /* WOLFSSL_TEST_CERT */
+
+#if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) && \
+    defined(HAVE_ED25519_KEY_IMPORT)
+static int ed25519ctx_test(void)
+{
+    byte   out[ED25519_SIG_SIZE];
+    word32 outlen;
+#ifdef HAVE_ED25519_VERIFY
+    int    verify;
+#endif /* HAVE_ED25519_VERIFY */
+    ed25519_key key;
+
+    static const byte sKeyCtx[] = {
+        0x03,0x05,0x33,0x4e,0x38,0x1a,0xf7,0x8f,
+        0x14,0x1c,0xb6,0x66,0xf6,0x19,0x9f,0x57,
+        0xbc,0x34,0x95,0x33,0x5a,0x25,0x6a,0x95,
+        0xbd,0x2a,0x55,0xbf,0x54,0x66,0x63,0xf6
+    };
+
+    static const byte pKeyCtx[] = {
+        0xdf,0xc9,0x42,0x5e,0x4f,0x96,0x8f,0x7f,
+        0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae,
+        0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb,
+        0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92
+    };
+
+    static const byte sigCtx1[] = {
+        0x55,0xa4,0xcc,0x2f,0x70,0xa5,0x4e,0x04,
+        0x28,0x8c,0x5f,0x4c,0xd1,0xe4,0x5a,0x7b,
+        0xb5,0x20,0xb3,0x62,0x92,0x91,0x18,0x76,
+        0xca,0xda,0x73,0x23,0x19,0x8d,0xd8,0x7a,
+        0x8b,0x36,0x95,0x0b,0x95,0x13,0x00,0x22,
+        0x90,0x7a,0x7f,0xb7,0xc4,0xe9,0xb2,0xd5,
+        0xf6,0xcc,0xa6,0x85,0xa5,0x87,0xb4,0xb2,
+        0x1f,0x4b,0x88,0x8e,0x4e,0x7e,0xdb,0x0d
+    };
+
+    static const byte sigCtx2[] = {
+        0xcc,0x5e,0x63,0xa2,0x7e,0x94,0xaf,0xd3,
+        0x41,0x83,0x38,0xd2,0x48,0x6f,0xa9,0x2a,
+        0xf9,0x91,0x7c,0x2d,0x98,0x9e,0x06,0xe5,
+        0x02,0x77,0x72,0x1c,0x34,0x38,0x18,0xb4,
+        0x21,0x96,0xbc,0x29,0x2e,0x68,0xf3,0x4d,
+        0x85,0x9b,0xbe,0xad,0x17,0x9f,0x54,0x54,
+        0x2d,0x4b,0x04,0xdc,0xfb,0xfa,0x4a,0x68,
+        0x4e,0x39,0x50,0xfb,0x1c,0xcd,0x8d,0x0d
+    };
+
+    static const byte msgCtx[] = {
+        0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49,
+        0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8
+    };
+
+    static const byte contextCtx[] = {
+        0x66,0x6f,0x6f
+    };
+
+    outlen = sizeof(out);
+    XMEMSET(out, 0, sizeof(out));
+
+    if (wc_ed25519_import_private_key(sKeyCtx, ED25519_KEY_SIZE, pKeyCtx,
+                                      sizeof(pKeyCtx), &key) != 0)
+        return -10400;
+
+    if (wc_ed25519ctx_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key,
+                               contextCtx, sizeof(contextCtx)) != 0)
+        return -10401;
+
+    if (XMEMCMP(out, sigCtx1, 64))
+        return -10402;
+
+#if defined(HAVE_ED25519_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed25519ctx_verify_msg(out, outlen, msgCtx, sizeof(msgCtx), &verify,
+                                 &key, contextCtx, sizeof(contextCtx)) != 0 ||
+            verify != 1)
+        return -10403;
+#endif
+
+    if (wc_ed25519ctx_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key, NULL,
+                               0) != 0)
+        return -10404;
+
+    if (XMEMCMP(out, sigCtx2, 64))
+        return -10405;
+
+#if defined(HAVE_ED25519_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed25519ctx_verify_msg(out, outlen, msgCtx, sizeof(msgCtx), &verify,
+                                 &key, NULL, 0) != 0 || verify != 1)
+        return -10406;
+#endif
+
+    wc_ed25519_free(&key);
+
+    return 0;
+}
+
+static int ed25519ph_test(void)
+{
+    byte   out[ED25519_SIG_SIZE];
+    word32 outlen;
+#ifdef HAVE_ED25519_VERIFY
+    int    verify;
+#endif /* HAVE_ED25519_VERIFY */
+    ed25519_key key;
+
+    static const byte sKeyPh[] = {
+        0x83,0x3f,0xe6,0x24,0x09,0x23,0x7b,0x9d,
+        0x62,0xec,0x77,0x58,0x75,0x20,0x91,0x1e,
+        0x9a,0x75,0x9c,0xec,0x1d,0x19,0x75,0x5b,
+        0x7d,0xa9,0x01,0xb9,0x6d,0xca,0x3d,0x42
+    };
+
+    static const byte pKeyPh[] = {
+        0xec,0x17,0x2b,0x93,0xad,0x5e,0x56,0x3b,
+        0xf4,0x93,0x2c,0x70,0xe1,0x24,0x50,0x34,
+        0xc3,0x54,0x67,0xef,0x2e,0xfd,0x4d,0x64,
+        0xeb,0xf8,0x19,0x68,0x34,0x67,0xe2,0xbf
+    };
+
+    static const byte sigPh1[] = {
+        0x98,0xa7,0x02,0x22,0xf0,0xb8,0x12,0x1a,
+        0xa9,0xd3,0x0f,0x81,0x3d,0x68,0x3f,0x80,
+        0x9e,0x46,0x2b,0x46,0x9c,0x7f,0xf8,0x76,
+        0x39,0x49,0x9b,0xb9,0x4e,0x6d,0xae,0x41,
+        0x31,0xf8,0x50,0x42,0x46,0x3c,0x2a,0x35,
+        0x5a,0x20,0x03,0xd0,0x62,0xad,0xf5,0xaa,
+        0xa1,0x0b,0x8c,0x61,0xe6,0x36,0x06,0x2a,
+        0xaa,0xd1,0x1c,0x2a,0x26,0x08,0x34,0x06
+    };
+
+    static const byte sigPh2[] = {
+        0xe0,0x39,0x70,0x2b,0x4c,0x25,0x95,0xa6,
+        0xa5,0x41,0xac,0x85,0x09,0x23,0x6e,0x29,
+        0x90,0x47,0x47,0x95,0x33,0x0c,0x9b,0x34,
+        0xa7,0x5f,0x58,0xa6,0x60,0x12,0x9e,0x08,
+        0xfd,0x73,0x69,0x43,0xfb,0x19,0x43,0xa5,
+        0x57,0x20,0xb9,0xe0,0x95,0x7b,0x1e,0xd6,
+        0x73,0x48,0x16,0x61,0x9f,0x13,0x88,0xf4,
+        0x3f,0x73,0xe6,0xe3,0xba,0xa8,0x1c,0x0e
+    };
+
+    static const byte msgPh[] = {
+        0x61,0x62,0x63
+    };
+
+    /* SHA-512 hash of msgPh */
+    static const byte hashPh[] = {
+        0xdd,0xaf,0x35,0xa1,0x93,0x61,0x7a,0xba,
+        0xcc,0x41,0x73,0x49,0xae,0x20,0x41,0x31,
+        0x12,0xe6,0xfa,0x4e,0x89,0xa9,0x7e,0xa2,
+        0x0a,0x9e,0xee,0xe6,0x4b,0x55,0xd3,0x9a,
+        0x21,0x92,0x99,0x2a,0x27,0x4f,0xc1,0xa8,
+        0x36,0xba,0x3c,0x23,0xa3,0xfe,0xeb,0xbd,
+        0x45,0x4d,0x44,0x23,0x64,0x3c,0xe8,0x0e,
+        0x2a,0x9a,0xc9,0x4f,0xa5,0x4c,0xa4,0x9f
+    };
+
+    static const byte contextPh2[] = {
+        0x66,0x6f,0x6f
+    };
+
+    outlen = sizeof(out);
+    XMEMSET(out, 0, sizeof(out));
+
+    if (wc_ed25519_import_private_key(sKeyPh, ED25519_KEY_SIZE, pKeyPh,
+                                      sizeof(pKeyPh), &key) != 0) {
+        return -10500;
+    }
+
+    if (wc_ed25519ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key, NULL,
+                              0) != 0) {
+        return -10501;
+    }
+
+    if (XMEMCMP(out, sigPh1, 64))
+        return -10502;
+
+#if defined(HAVE_ED25519_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed25519ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify,
+                                &key, NULL, 0) != 0 ||
+            verify != 1) {
+        return -10503;
+    }
+#endif
+
+    if (wc_ed25519ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key,
+                              contextPh2, sizeof(contextPh2)) != 0) {
+        return -10504;
+    }
+
+    if (XMEMCMP(out, sigPh2, 64))
+        return -10505;
+
+#if defined(HAVE_ED25519_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed25519ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify,
+                                &key, contextPh2, sizeof(contextPh2)) != 0 ||
+            verify != 1) {
+        return -10506;
+    }
+#endif
+
+    if (wc_ed25519ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key, NULL,
+                              0) != 0) {
+        return -10507;
+    }
+
+    if (XMEMCMP(out, sigPh1, 64))
+        return -10508;
+
+#if defined(HAVE_ED25519_VERIFY)
+    if (wc_ed25519ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
+                                &key, NULL, 0) != 0 ||
+            verify != 1) {
+        return -10509;
+    }
+#endif
+
+    if (wc_ed25519ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key,
+                              contextPh2, sizeof(contextPh2)) != 0) {
+        return -10510;
+    }
+
+    if (XMEMCMP(out, sigPh2, 64))
+        return -10511;
+
+#if defined(HAVE_ED25519_VERIFY)
+    if (wc_ed25519ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
+                                &key, contextPh2, sizeof(contextPh2)) != 0 ||
+            verify != 1) {
+        return -10512;
+    }
+#endif
+
+    wc_ed25519_free(&key);
+
+    return 0;
+}
+#endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
+
 int ed25519_test(void)
 {
-    RNG    rng;
+    int ret;
+    WC_RNG rng;
+#if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) &&\
+    defined(HAVE_ED25519_KEY_IMPORT)
     byte   out[ED25519_SIG_SIZE];
     byte   exportPKey[ED25519_KEY_SIZE];
     byte   exportSKey[ED25519_KEY_SIZE];
-    word32 outlen;
     word32 exportPSz;
     word32 exportSSz;
+    int    i;
+    word32 outlen;
+#ifdef HAVE_ED25519_VERIFY
+    int    verify;
+#endif /* HAVE_ED25519_VERIFY */
+#endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
     word32 keySz, sigSz;
-    int    i, verify;
     ed25519_key key;
     ed25519_key key2;
 
+#if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) && \
+    defined(HAVE_ED25519_KEY_IMPORT)
     /* test vectors from
        https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-02
      */
 
-    const byte sKey1[] = {
-		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
-		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
-		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
-		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    static const byte sKey1[] = {
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
     };
 
-    const byte sKey2[] = {
-		0x4c,0xcd,0x08,0x9b,0x28,0xff,0x96,0xda,
-		0x9d,0xb6,0xc3,0x46,0xec,0x11,0x4e,0x0f,
-		0x5b,0x8a,0x31,0x9f,0x35,0xab,0xa6,0x24,
-		0xda,0x8c,0xf6,0xed,0x4f,0xb8,0xa6,0xfb
+    static const byte sKey2[] = {
+        0x4c,0xcd,0x08,0x9b,0x28,0xff,0x96,0xda,
+        0x9d,0xb6,0xc3,0x46,0xec,0x11,0x4e,0x0f,
+        0x5b,0x8a,0x31,0x9f,0x35,0xab,0xa6,0x24,
+        0xda,0x8c,0xf6,0xed,0x4f,0xb8,0xa6,0xfb
     };
 
-    const byte sKey3[] = {
-		0xc5,0xaa,0x8d,0xf4,0x3f,0x9f,0x83,0x7b,
-		0xed,0xb7,0x44,0x2f,0x31,0xdc,0xb7,0xb1,
-		0x66,0xd3,0x85,0x35,0x07,0x6f,0x09,0x4b,
-		0x85,0xce,0x3a,0x2e,0x0b,0x44,0x58,0xf7
+    static const byte sKey3[] = {
+        0xc5,0xaa,0x8d,0xf4,0x3f,0x9f,0x83,0x7b,
+        0xed,0xb7,0x44,0x2f,0x31,0xdc,0xb7,0xb1,
+        0x66,0xd3,0x85,0x35,0x07,0x6f,0x09,0x4b,
+        0x85,0xce,0x3a,0x2e,0x0b,0x44,0x58,0xf7
     };
 
     /* uncompressed test */
-    const byte sKey4[] = {
-		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
-		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
-		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
-		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    static const byte sKey4[] = {
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
     };
 
     /* compressed prefix test */
-    const byte sKey5[] = {
-		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
-		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
-		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
-		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    static const byte sKey5[] = {
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
     };
 
-    const byte sKey6[] = {
-		0xf5,0xe5,0x76,0x7c,0xf1,0x53,0x31,0x95,
-		0x17,0x63,0x0f,0x22,0x68,0x76,0xb8,0x6c,
-		0x81,0x60,0xcc,0x58,0x3b,0xc0,0x13,0x74,
-		0x4c,0x6b,0xf2,0x55,0xf5,0xcc,0x0e,0xe5
+    static const byte sKey6[] = {
+        0xf5,0xe5,0x76,0x7c,0xf1,0x53,0x31,0x95,
+        0x17,0x63,0x0f,0x22,0x68,0x76,0xb8,0x6c,
+        0x81,0x60,0xcc,0x58,0x3b,0xc0,0x13,0x74,
+        0x4c,0x6b,0xf2,0x55,0xf5,0xcc,0x0e,0xe5
     };
 
-    const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
+    static const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
 
-    const byte pKey1[] = {
-		0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
-		0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
-		0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
-		0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
+    static const byte pKey1[] = {
+        0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
+        0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
+        0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
+        0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
     };
 
-    const byte pKey2[] = {
-		0x3d,0x40,0x17,0xc3,0xe8,0x43,0x89,0x5a,
-		0x92,0xb7,0x0a,0xa7,0x4d,0x1b,0x7e,0xbc,
+    static const byte pKey2[] = {
+        0x3d,0x40,0x17,0xc3,0xe8,0x43,0x89,0x5a,
+        0x92,0xb7,0x0a,0xa7,0x4d,0x1b,0x7e,0xbc,
         0x9c,0x98,0x2c,0xcf,0x2e,0xc4,0x96,0x8c,
-		0xc0,0xcd,0x55,0xf1,0x2a,0xf4,0x66,0x0c
+        0xc0,0xcd,0x55,0xf1,0x2a,0xf4,0x66,0x0c
     };
 
-    const byte pKey3[] = {
-		0xfc,0x51,0xcd,0x8e,0x62,0x18,0xa1,0xa3,
-		0x8d,0xa4,0x7e,0xd0,0x02,0x30,0xf0,0x58,
-		0x08,0x16,0xed,0x13,0xba,0x33,0x03,0xac,
-		0x5d,0xeb,0x91,0x15,0x48,0x90,0x80,0x25
+    static const byte pKey3[] = {
+        0xfc,0x51,0xcd,0x8e,0x62,0x18,0xa1,0xa3,
+        0x8d,0xa4,0x7e,0xd0,0x02,0x30,0xf0,0x58,
+        0x08,0x16,0xed,0x13,0xba,0x33,0x03,0xac,
+        0x5d,0xeb,0x91,0x15,0x48,0x90,0x80,0x25
     };
 
     /* uncompressed test */
-    const byte pKey4[] = {
-		0x04,0x55,0xd0,0xe0,0x9a,0x2b,0x9d,0x34,
-		0x29,0x22,0x97,0xe0,0x8d,0x60,0xd0,0xf6,
-		0x20,0xc5,0x13,0xd4,0x72,0x53,0x18,0x7c,
-		0x24,0xb1,0x27,0x86,0xbd,0x77,0x76,0x45,
-		0xce,0x1a,0x51,0x07,0xf7,0x68,0x1a,0x02,
-		0xaf,0x25,0x23,0xa6,0xda,0xf3,0x72,0xe1,
-		0x0e,0x3a,0x07,0x64,0xc9,0xd3,0xfe,0x4b,
-		0xd5,0xb7,0x0a,0xb1,0x82,0x01,0x98,0x5a,
-		0xd7
+    static const byte pKey4[] = {
+        0x04,0x55,0xd0,0xe0,0x9a,0x2b,0x9d,0x34,
+        0x29,0x22,0x97,0xe0,0x8d,0x60,0xd0,0xf6,
+        0x20,0xc5,0x13,0xd4,0x72,0x53,0x18,0x7c,
+        0x24,0xb1,0x27,0x86,0xbd,0x77,0x76,0x45,
+        0xce,0x1a,0x51,0x07,0xf7,0x68,0x1a,0x02,
+        0xaf,0x25,0x23,0xa6,0xda,0xf3,0x72,0xe1,
+        0x0e,0x3a,0x07,0x64,0xc9,0xd3,0xfe,0x4b,
+        0xd5,0xb7,0x0a,0xb1,0x82,0x01,0x98,0x5a,
+        0xd7
     };
 
     /* compressed prefix */
-    const byte pKey5[] = {
-		0x40,0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
-		0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
-		0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
-		0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
+    static const byte pKey5[] = {
+        0x40,0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
+        0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
+        0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
+        0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
     };
 
-    const byte pKey6[] = {
-		0x27,0x81,0x17,0xfc,0x14,0x4c,0x72,0x34,
-		0x0f,0x67,0xd0,0xf2,0x31,0x6e,0x83,0x86,
-		0xce,0xff,0xbf,0x2b,0x24,0x28,0xc9,0xc5,
-		0x1f,0xef,0x7c,0x59,0x7f,0x1d,0x42,0x6e
+    static const byte pKey6[] = {
+        0x27,0x81,0x17,0xfc,0x14,0x4c,0x72,0x34,
+        0x0f,0x67,0xd0,0xf2,0x31,0x6e,0x83,0x86,
+        0xce,0xff,0xbf,0x2b,0x24,0x28,0xc9,0xc5,
+        0x1f,0xef,0x7c,0x59,0x7f,0x1d,0x42,0x6e
     };
 
-    const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
-    const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
+    static const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
+    static const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
                             sizeof(pKey4), sizeof(pKey5), sizeof(pKey6)};
 
-    const byte sig1[] = {
-		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
-		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
-		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
-		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
-		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
-		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
-		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
-		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
-    };
-
-    const byte sig2[] = {
-		0x92,0xa0,0x09,0xa9,0xf0,0xd4,0xca,0xb8,
-		0x72,0x0e,0x82,0x0b,0x5f,0x64,0x25,0x40,
-		0xa2,0xb2,0x7b,0x54,0x16,0x50,0x3f,0x8f,
-		0xb3,0x76,0x22,0x23,0xeb,0xdb,0x69,0xda,
-		0x08,0x5a,0xc1,0xe4,0x3e,0x15,0x99,0x6e,
-		0x45,0x8f,0x36,0x13,0xd0,0xf1,0x1d,0x8c,
-		0x38,0x7b,0x2e,0xae,0xb4,0x30,0x2a,0xee,
-		0xb0,0x0d,0x29,0x16,0x12,0xbb,0x0c,0x00
-    };
-
-    const byte sig3[] = {
-		0x62,0x91,0xd6,0x57,0xde,0xec,0x24,0x02,
-		0x48,0x27,0xe6,0x9c,0x3a,0xbe,0x01,0xa3,
-		0x0c,0xe5,0x48,0xa2,0x84,0x74,0x3a,0x44,
-		0x5e,0x36,0x80,0xd7,0xdb,0x5a,0xc3,0xac,
-		0x18,0xff,0x9b,0x53,0x8d,0x16,0xf2,0x90,
-		0xae,0x67,0xf7,0x60,0x98,0x4d,0xc6,0x59,
-		0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
-		0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
+    static const byte sig1[] = {
+        0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+        0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+        0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+        0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+        0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+        0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+        0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+        0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    };
+
+    static const byte sig2[] = {
+        0x92,0xa0,0x09,0xa9,0xf0,0xd4,0xca,0xb8,
+        0x72,0x0e,0x82,0x0b,0x5f,0x64,0x25,0x40,
+        0xa2,0xb2,0x7b,0x54,0x16,0x50,0x3f,0x8f,
+        0xb3,0x76,0x22,0x23,0xeb,0xdb,0x69,0xda,
+        0x08,0x5a,0xc1,0xe4,0x3e,0x15,0x99,0x6e,
+        0x45,0x8f,0x36,0x13,0xd0,0xf1,0x1d,0x8c,
+        0x38,0x7b,0x2e,0xae,0xb4,0x30,0x2a,0xee,
+        0xb0,0x0d,0x29,0x16,0x12,0xbb,0x0c,0x00
+    };
+
+    static const byte sig3[] = {
+        0x62,0x91,0xd6,0x57,0xde,0xec,0x24,0x02,
+        0x48,0x27,0xe6,0x9c,0x3a,0xbe,0x01,0xa3,
+        0x0c,0xe5,0x48,0xa2,0x84,0x74,0x3a,0x44,
+        0x5e,0x36,0x80,0xd7,0xdb,0x5a,0xc3,0xac,
+        0x18,0xff,0x9b,0x53,0x8d,0x16,0xf2,0x90,
+        0xae,0x67,0xf7,0x60,0x98,0x4d,0xc6,0x59,
+        0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
+        0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
     };
 
     /* uncompressed test */
-    const byte sig4[] = {
-		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
-		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
-		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
-		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
-		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
-		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
-		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
-		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    static const byte sig4[] = {
+        0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+        0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+        0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+        0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+        0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+        0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+        0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+        0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
     };
 
     /* compressed prefix */
-    const byte sig5[] = {
-		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
-		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
-		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
-		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
-		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
-		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
-		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
-		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
-    };
-
-    const byte sig6[] = {
-		0x0a,0xab,0x4c,0x90,0x05,0x01,0xb3,0xe2,
-		0x4d,0x7c,0xdf,0x46,0x63,0x32,0x6a,0x3a,
-		0x87,0xdf,0x5e,0x48,0x43,0xb2,0xcb,0xdb,
-		0x67,0xcb,0xf6,0xe4,0x60,0xfe,0xc3,0x50,
-		0xaa,0x53,0x71,0xb1,0x50,0x8f,0x9f,0x45,
-		0x28,0xec,0xea,0x23,0xc4,0x36,0xd9,0x4b,
-		0x5e,0x8f,0xcd,0x4f,0x68,0x1e,0x30,0xa6,
-		0xac,0x00,0xa9,0x70,0x4a,0x18,0x8a,0x03
-    };
-
-    const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
-
-    const byte msg1[]  = {};
-    const byte msg2[]  = {0x72};
-    const byte msg3[]  = {0xAF,0x82};
+    static const byte sig5[] = {
+        0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+        0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+        0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+        0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+        0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+        0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+        0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+        0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    };
+
+    static const byte sig6[] = {
+        0x0a,0xab,0x4c,0x90,0x05,0x01,0xb3,0xe2,
+        0x4d,0x7c,0xdf,0x46,0x63,0x32,0x6a,0x3a,
+        0x87,0xdf,0x5e,0x48,0x43,0xb2,0xcb,0xdb,
+        0x67,0xcb,0xf6,0xe4,0x60,0xfe,0xc3,0x50,
+        0xaa,0x53,0x71,0xb1,0x50,0x8f,0x9f,0x45,
+        0x28,0xec,0xea,0x23,0xc4,0x36,0xd9,0x4b,
+        0x5e,0x8f,0xcd,0x4f,0x68,0x1e,0x30,0xa6,
+        0xac,0x00,0xa9,0x70,0x4a,0x18,0x8a,0x03
+    };
+
+    static const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
+
+    static const byte msg1[]  = {0x0 };
+    static const byte msg2[]  = {0x72};
+    static const byte msg3[]  = {0xAF,0x82};
 
     /* test of a 1024 byte long message */
-    const byte msg4[]  = {
-		0x08,0xb8,0xb2,0xb7,0x33,0x42,0x42,0x43,
-		0x76,0x0f,0xe4,0x26,0xa4,0xb5,0x49,0x08,
-		0x63,0x21,0x10,0xa6,0x6c,0x2f,0x65,0x91,
-		0xea,0xbd,0x33,0x45,0xe3,0xe4,0xeb,0x98,
-		0xfa,0x6e,0x26,0x4b,0xf0,0x9e,0xfe,0x12,
-		0xee,0x50,0xf8,0xf5,0x4e,0x9f,0x77,0xb1,
-		0xe3,0x55,0xf6,0xc5,0x05,0x44,0xe2,0x3f,
-		0xb1,0x43,0x3d,0xdf,0x73,0xbe,0x84,0xd8,
-		0x79,0xde,0x7c,0x00,0x46,0xdc,0x49,0x96,
-		0xd9,0xe7,0x73,0xf4,0xbc,0x9e,0xfe,0x57,
-		0x38,0x82,0x9a,0xdb,0x26,0xc8,0x1b,0x37,
-		0xc9,0x3a,0x1b,0x27,0x0b,0x20,0x32,0x9d,
-		0x65,0x86,0x75,0xfc,0x6e,0xa5,0x34,0xe0,
-		0x81,0x0a,0x44,0x32,0x82,0x6b,0xf5,0x8c,
-		0x94,0x1e,0xfb,0x65,0xd5,0x7a,0x33,0x8b,
-		0xbd,0x2e,0x26,0x64,0x0f,0x89,0xff,0xbc,
-		0x1a,0x85,0x8e,0xfc,0xb8,0x55,0x0e,0xe3,
-		0xa5,0xe1,0x99,0x8b,0xd1,0x77,0xe9,0x3a,
-		0x73,0x63,0xc3,0x44,0xfe,0x6b,0x19,0x9e,
-		0xe5,0xd0,0x2e,0x82,0xd5,0x22,0xc4,0xfe,
-		0xba,0x15,0x45,0x2f,0x80,0x28,0x8a,0x82,
-		0x1a,0x57,0x91,0x16,0xec,0x6d,0xad,0x2b,
-		0x3b,0x31,0x0d,0xa9,0x03,0x40,0x1a,0xa6,
-		0x21,0x00,0xab,0x5d,0x1a,0x36,0x55,0x3e,
-		0x06,0x20,0x3b,0x33,0x89,0x0c,0xc9,0xb8,
-		0x32,0xf7,0x9e,0xf8,0x05,0x60,0xcc,0xb9,
-		0xa3,0x9c,0xe7,0x67,0x96,0x7e,0xd6,0x28,
-		0xc6,0xad,0x57,0x3c,0xb1,0x16,0xdb,0xef,
-		0xef,0xd7,0x54,0x99,0xda,0x96,0xbd,0x68,
-		0xa8,0xa9,0x7b,0x92,0x8a,0x8b,0xbc,0x10,
-		0x3b,0x66,0x21,0xfc,0xde,0x2b,0xec,0xa1,
-		0x23,0x1d,0x20,0x6b,0xe6,0xcd,0x9e,0xc7,
-		0xaf,0xf6,0xf6,0xc9,0x4f,0xcd,0x72,0x04,
-		0xed,0x34,0x55,0xc6,0x8c,0x83,0xf4,0xa4,
-		0x1d,0xa4,0xaf,0x2b,0x74,0xef,0x5c,0x53,
-		0xf1,0xd8,0xac,0x70,0xbd,0xcb,0x7e,0xd1,
-		0x85,0xce,0x81,0xbd,0x84,0x35,0x9d,0x44,
-		0x25,0x4d,0x95,0x62,0x9e,0x98,0x55,0xa9,
-		0x4a,0x7c,0x19,0x58,0xd1,0xf8,0xad,0xa5,
-		0xd0,0x53,0x2e,0xd8,0xa5,0xaa,0x3f,0xb2,
-		0xd1,0x7b,0xa7,0x0e,0xb6,0x24,0x8e,0x59,
-		0x4e,0x1a,0x22,0x97,0xac,0xbb,0xb3,0x9d,
-		0x50,0x2f,0x1a,0x8c,0x6e,0xb6,0xf1,0xce,
-		0x22,0xb3,0xde,0x1a,0x1f,0x40,0xcc,0x24,
-		0x55,0x41,0x19,0xa8,0x31,0xa9,0xaa,0xd6,
-		0x07,0x9c,0xad,0x88,0x42,0x5d,0xe6,0xbd,
-		0xe1,0xa9,0x18,0x7e,0xbb,0x60,0x92,0xcf,
-		0x67,0xbf,0x2b,0x13,0xfd,0x65,0xf2,0x70,
-		0x88,0xd7,0x8b,0x7e,0x88,0x3c,0x87,0x59,
-		0xd2,0xc4,0xf5,0xc6,0x5a,0xdb,0x75,0x53,
-		0x87,0x8a,0xd5,0x75,0xf9,0xfa,0xd8,0x78,
-		0xe8,0x0a,0x0c,0x9b,0xa6,0x3b,0xcb,0xcc,
-		0x27,0x32,0xe6,0x94,0x85,0xbb,0xc9,0xc9,
-		0x0b,0xfb,0xd6,0x24,0x81,0xd9,0x08,0x9b,
-		0xec,0xcf,0x80,0xcf,0xe2,0xdf,0x16,0xa2,
-		0xcf,0x65,0xbd,0x92,0xdd,0x59,0x7b,0x07,
-		0x07,0xe0,0x91,0x7a,0xf4,0x8b,0xbb,0x75,
-		0xfe,0xd4,0x13,0xd2,0x38,0xf5,0x55,0x5a,
-		0x7a,0x56,0x9d,0x80,0xc3,0x41,0x4a,0x8d,
-		0x08,0x59,0xdc,0x65,0xa4,0x61,0x28,0xba,
-		0xb2,0x7a,0xf8,0x7a,0x71,0x31,0x4f,0x31,
-		0x8c,0x78,0x2b,0x23,0xeb,0xfe,0x80,0x8b,
-		0x82,0xb0,0xce,0x26,0x40,0x1d,0x2e,0x22,
-		0xf0,0x4d,0x83,0xd1,0x25,0x5d,0xc5,0x1a,
-		0xdd,0xd3,0xb7,0x5a,0x2b,0x1a,0xe0,0x78,
-		0x45,0x04,0xdf,0x54,0x3a,0xf8,0x96,0x9b,
-		0xe3,0xea,0x70,0x82,0xff,0x7f,0xc9,0x88,
-		0x8c,0x14,0x4d,0xa2,0xaf,0x58,0x42,0x9e,
-		0xc9,0x60,0x31,0xdb,0xca,0xd3,0xda,0xd9,
-		0xaf,0x0d,0xcb,0xaa,0xaf,0x26,0x8c,0xb8,
-		0xfc,0xff,0xea,0xd9,0x4f,0x3c,0x7c,0xa4,
-		0x95,0xe0,0x56,0xa9,0xb4,0x7a,0xcd,0xb7,
-		0x51,0xfb,0x73,0xe6,0x66,0xc6,0xc6,0x55,
-		0xad,0xe8,0x29,0x72,0x97,0xd0,0x7a,0xd1,
-		0xba,0x5e,0x43,0xf1,0xbc,0xa3,0x23,0x01,
-		0x65,0x13,0x39,0xe2,0x29,0x04,0xcc,0x8c,
-		0x42,0xf5,0x8c,0x30,0xc0,0x4a,0xaf,0xdb,
-		0x03,0x8d,0xda,0x08,0x47,0xdd,0x98,0x8d,
-		0xcd,0xa6,0xf3,0xbf,0xd1,0x5c,0x4b,0x4c,
-		0x45,0x25,0x00,0x4a,0xa0,0x6e,0xef,0xf8,
-		0xca,0x61,0x78,0x3a,0xac,0xec,0x57,0xfb,
-		0x3d,0x1f,0x92,0xb0,0xfe,0x2f,0xd1,0xa8,
-		0x5f,0x67,0x24,0x51,0x7b,0x65,0xe6,0x14,
-		0xad,0x68,0x08,0xd6,0xf6,0xee,0x34,0xdf,
-		0xf7,0x31,0x0f,0xdc,0x82,0xae,0xbf,0xd9,
-		0x04,0xb0,0x1e,0x1d,0xc5,0x4b,0x29,0x27,
-		0x09,0x4b,0x2d,0xb6,0x8d,0x6f,0x90,0x3b,
-		0x68,0x40,0x1a,0xde,0xbf,0x5a,0x7e,0x08,
-		0xd7,0x8f,0xf4,0xef,0x5d,0x63,0x65,0x3a,
-		0x65,0x04,0x0c,0xf9,0xbf,0xd4,0xac,0xa7,
-		0x98,0x4a,0x74,0xd3,0x71,0x45,0x98,0x67,
-		0x80,0xfc,0x0b,0x16,0xac,0x45,0x16,0x49,
-		0xde,0x61,0x88,0xa7,0xdb,0xdf,0x19,0x1f,
-		0x64,0xb5,0xfc,0x5e,0x2a,0xb4,0x7b,0x57,
-		0xf7,0xf7,0x27,0x6c,0xd4,0x19,0xc1,0x7a,
-		0x3c,0xa8,0xe1,0xb9,0x39,0xae,0x49,0xe4,
-		0x88,0xac,0xba,0x6b,0x96,0x56,0x10,0xb5,
-		0x48,0x01,0x09,0xc8,0xb1,0x7b,0x80,0xe1,
-		0xb7,0xb7,0x50,0xdf,0xc7,0x59,0x8d,0x5d,
-		0x50,0x11,0xfd,0x2d,0xcc,0x56,0x00,0xa3,
-		0x2e,0xf5,0xb5,0x2a,0x1e,0xcc,0x82,0x0e,
-		0x30,0x8a,0xa3,0x42,0x72,0x1a,0xac,0x09,
-		0x43,0xbf,0x66,0x86,0xb6,0x4b,0x25,0x79,
-		0x37,0x65,0x04,0xcc,0xc4,0x93,0xd9,0x7e,
-		0x6a,0xed,0x3f,0xb0,0xf9,0xcd,0x71,0xa4,
-		0x3d,0xd4,0x97,0xf0,0x1f,0x17,0xc0,0xe2,
-		0xcb,0x37,0x97,0xaa,0x2a,0x2f,0x25,0x66,
-		0x56,0x16,0x8e,0x6c,0x49,0x6a,0xfc,0x5f,
-		0xb9,0x32,0x46,0xf6,0xb1,0x11,0x63,0x98,
-		0xa3,0x46,0xf1,0xa6,0x41,0xf3,0xb0,0x41,
-		0xe9,0x89,0xf7,0x91,0x4f,0x90,0xcc,0x2c,
-		0x7f,0xff,0x35,0x78,0x76,0xe5,0x06,0xb5,
-		0x0d,0x33,0x4b,0xa7,0x7c,0x22,0x5b,0xc3,
-		0x07,0xba,0x53,0x71,0x52,0xf3,0xf1,0x61,
-		0x0e,0x4e,0xaf,0xe5,0x95,0xf6,0xd9,0xd9,
-		0x0d,0x11,0xfa,0xa9,0x33,0xa1,0x5e,0xf1,
-		0x36,0x95,0x46,0x86,0x8a,0x7f,0x3a,0x45,
-		0xa9,0x67,0x68,0xd4,0x0f,0xd9,0xd0,0x34,
-		0x12,0xc0,0x91,0xc6,0x31,0x5c,0xf4,0xfd,
-		0xe7,0xcb,0x68,0x60,0x69,0x37,0x38,0x0d,
-		0xb2,0xea,0xaa,0x70,0x7b,0x4c,0x41,0x85,
-		0xc3,0x2e,0xdd,0xcd,0xd3,0x06,0x70,0x5e,
-		0x4d,0xc1,0xff,0xc8,0x72,0xee,0xee,0x47,
-		0x5a,0x64,0xdf,0xac,0x86,0xab,0xa4,0x1c,
-		0x06,0x18,0x98,0x3f,0x87,0x41,0xc5,0xef,
-		0x68,0xd3,0xa1,0x01,0xe8,0xa3,0xb8,0xca,
-		0xc6,0x0c,0x90,0x5c,0x15,0xfc,0x91,0x08,
-		0x40,0xb9,0x4c,0x00,0xa0,0xb9,0xd0
-    };
-
-    const byte* msgs[] = {msg1, msg2, msg3, msg1, msg1, msg4};
-    const word16 msgSz[] = {sizeof(msg1), sizeof(msg2), sizeof(msg3),
-                            sizeof(msg1), sizeof(msg1), sizeof(msg4)};
+    static const byte msg4[]  = {
+        0x08,0xb8,0xb2,0xb7,0x33,0x42,0x42,0x43,
+        0x76,0x0f,0xe4,0x26,0xa4,0xb5,0x49,0x08,
+        0x63,0x21,0x10,0xa6,0x6c,0x2f,0x65,0x91,
+        0xea,0xbd,0x33,0x45,0xe3,0xe4,0xeb,0x98,
+        0xfa,0x6e,0x26,0x4b,0xf0,0x9e,0xfe,0x12,
+        0xee,0x50,0xf8,0xf5,0x4e,0x9f,0x77,0xb1,
+        0xe3,0x55,0xf6,0xc5,0x05,0x44,0xe2,0x3f,
+        0xb1,0x43,0x3d,0xdf,0x73,0xbe,0x84,0xd8,
+        0x79,0xde,0x7c,0x00,0x46,0xdc,0x49,0x96,
+        0xd9,0xe7,0x73,0xf4,0xbc,0x9e,0xfe,0x57,
+        0x38,0x82,0x9a,0xdb,0x26,0xc8,0x1b,0x37,
+        0xc9,0x3a,0x1b,0x27,0x0b,0x20,0x32,0x9d,
+        0x65,0x86,0x75,0xfc,0x6e,0xa5,0x34,0xe0,
+        0x81,0x0a,0x44,0x32,0x82,0x6b,0xf5,0x8c,
+        0x94,0x1e,0xfb,0x65,0xd5,0x7a,0x33,0x8b,
+        0xbd,0x2e,0x26,0x64,0x0f,0x89,0xff,0xbc,
+        0x1a,0x85,0x8e,0xfc,0xb8,0x55,0x0e,0xe3,
+        0xa5,0xe1,0x99,0x8b,0xd1,0x77,0xe9,0x3a,
+        0x73,0x63,0xc3,0x44,0xfe,0x6b,0x19,0x9e,
+        0xe5,0xd0,0x2e,0x82,0xd5,0x22,0xc4,0xfe,
+        0xba,0x15,0x45,0x2f,0x80,0x28,0x8a,0x82,
+        0x1a,0x57,0x91,0x16,0xec,0x6d,0xad,0x2b,
+        0x3b,0x31,0x0d,0xa9,0x03,0x40,0x1a,0xa6,
+        0x21,0x00,0xab,0x5d,0x1a,0x36,0x55,0x3e,
+        0x06,0x20,0x3b,0x33,0x89,0x0c,0xc9,0xb8,
+        0x32,0xf7,0x9e,0xf8,0x05,0x60,0xcc,0xb9,
+        0xa3,0x9c,0xe7,0x67,0x96,0x7e,0xd6,0x28,
+        0xc6,0xad,0x57,0x3c,0xb1,0x16,0xdb,0xef,
+        0xef,0xd7,0x54,0x99,0xda,0x96,0xbd,0x68,
+        0xa8,0xa9,0x7b,0x92,0x8a,0x8b,0xbc,0x10,
+        0x3b,0x66,0x21,0xfc,0xde,0x2b,0xec,0xa1,
+        0x23,0x1d,0x20,0x6b,0xe6,0xcd,0x9e,0xc7,
+        0xaf,0xf6,0xf6,0xc9,0x4f,0xcd,0x72,0x04,
+        0xed,0x34,0x55,0xc6,0x8c,0x83,0xf4,0xa4,
+        0x1d,0xa4,0xaf,0x2b,0x74,0xef,0x5c,0x53,
+        0xf1,0xd8,0xac,0x70,0xbd,0xcb,0x7e,0xd1,
+        0x85,0xce,0x81,0xbd,0x84,0x35,0x9d,0x44,
+        0x25,0x4d,0x95,0x62,0x9e,0x98,0x55,0xa9,
+        0x4a,0x7c,0x19,0x58,0xd1,0xf8,0xad,0xa5,
+        0xd0,0x53,0x2e,0xd8,0xa5,0xaa,0x3f,0xb2,
+        0xd1,0x7b,0xa7,0x0e,0xb6,0x24,0x8e,0x59,
+        0x4e,0x1a,0x22,0x97,0xac,0xbb,0xb3,0x9d,
+        0x50,0x2f,0x1a,0x8c,0x6e,0xb6,0xf1,0xce,
+        0x22,0xb3,0xde,0x1a,0x1f,0x40,0xcc,0x24,
+        0x55,0x41,0x19,0xa8,0x31,0xa9,0xaa,0xd6,
+        0x07,0x9c,0xad,0x88,0x42,0x5d,0xe6,0xbd,
+        0xe1,0xa9,0x18,0x7e,0xbb,0x60,0x92,0xcf,
+        0x67,0xbf,0x2b,0x13,0xfd,0x65,0xf2,0x70,
+        0x88,0xd7,0x8b,0x7e,0x88,0x3c,0x87,0x59,
+        0xd2,0xc4,0xf5,0xc6,0x5a,0xdb,0x75,0x53,
+        0x87,0x8a,0xd5,0x75,0xf9,0xfa,0xd8,0x78,
+        0xe8,0x0a,0x0c,0x9b,0xa6,0x3b,0xcb,0xcc,
+        0x27,0x32,0xe6,0x94,0x85,0xbb,0xc9,0xc9,
+        0x0b,0xfb,0xd6,0x24,0x81,0xd9,0x08,0x9b,
+        0xec,0xcf,0x80,0xcf,0xe2,0xdf,0x16,0xa2,
+        0xcf,0x65,0xbd,0x92,0xdd,0x59,0x7b,0x07,
+        0x07,0xe0,0x91,0x7a,0xf4,0x8b,0xbb,0x75,
+        0xfe,0xd4,0x13,0xd2,0x38,0xf5,0x55,0x5a,
+        0x7a,0x56,0x9d,0x80,0xc3,0x41,0x4a,0x8d,
+        0x08,0x59,0xdc,0x65,0xa4,0x61,0x28,0xba,
+        0xb2,0x7a,0xf8,0x7a,0x71,0x31,0x4f,0x31,
+        0x8c,0x78,0x2b,0x23,0xeb,0xfe,0x80,0x8b,
+        0x82,0xb0,0xce,0x26,0x40,0x1d,0x2e,0x22,
+        0xf0,0x4d,0x83,0xd1,0x25,0x5d,0xc5,0x1a,
+        0xdd,0xd3,0xb7,0x5a,0x2b,0x1a,0xe0,0x78,
+        0x45,0x04,0xdf,0x54,0x3a,0xf8,0x96,0x9b,
+        0xe3,0xea,0x70,0x82,0xff,0x7f,0xc9,0x88,
+        0x8c,0x14,0x4d,0xa2,0xaf,0x58,0x42,0x9e,
+        0xc9,0x60,0x31,0xdb,0xca,0xd3,0xda,0xd9,
+        0xaf,0x0d,0xcb,0xaa,0xaf,0x26,0x8c,0xb8,
+        0xfc,0xff,0xea,0xd9,0x4f,0x3c,0x7c,0xa4,
+        0x95,0xe0,0x56,0xa9,0xb4,0x7a,0xcd,0xb7,
+        0x51,0xfb,0x73,0xe6,0x66,0xc6,0xc6,0x55,
+        0xad,0xe8,0x29,0x72,0x97,0xd0,0x7a,0xd1,
+        0xba,0x5e,0x43,0xf1,0xbc,0xa3,0x23,0x01,
+        0x65,0x13,0x39,0xe2,0x29,0x04,0xcc,0x8c,
+        0x42,0xf5,0x8c,0x30,0xc0,0x4a,0xaf,0xdb,
+        0x03,0x8d,0xda,0x08,0x47,0xdd,0x98,0x8d,
+        0xcd,0xa6,0xf3,0xbf,0xd1,0x5c,0x4b,0x4c,
+        0x45,0x25,0x00,0x4a,0xa0,0x6e,0xef,0xf8,
+        0xca,0x61,0x78,0x3a,0xac,0xec,0x57,0xfb,
+        0x3d,0x1f,0x92,0xb0,0xfe,0x2f,0xd1,0xa8,
+        0x5f,0x67,0x24,0x51,0x7b,0x65,0xe6,0x14,
+        0xad,0x68,0x08,0xd6,0xf6,0xee,0x34,0xdf,
+        0xf7,0x31,0x0f,0xdc,0x82,0xae,0xbf,0xd9,
+        0x04,0xb0,0x1e,0x1d,0xc5,0x4b,0x29,0x27,
+        0x09,0x4b,0x2d,0xb6,0x8d,0x6f,0x90,0x3b,
+        0x68,0x40,0x1a,0xde,0xbf,0x5a,0x7e,0x08,
+        0xd7,0x8f,0xf4,0xef,0x5d,0x63,0x65,0x3a,
+        0x65,0x04,0x0c,0xf9,0xbf,0xd4,0xac,0xa7,
+        0x98,0x4a,0x74,0xd3,0x71,0x45,0x98,0x67,
+        0x80,0xfc,0x0b,0x16,0xac,0x45,0x16,0x49,
+        0xde,0x61,0x88,0xa7,0xdb,0xdf,0x19,0x1f,
+        0x64,0xb5,0xfc,0x5e,0x2a,0xb4,0x7b,0x57,
+        0xf7,0xf7,0x27,0x6c,0xd4,0x19,0xc1,0x7a,
+        0x3c,0xa8,0xe1,0xb9,0x39,0xae,0x49,0xe4,
+        0x88,0xac,0xba,0x6b,0x96,0x56,0x10,0xb5,
+        0x48,0x01,0x09,0xc8,0xb1,0x7b,0x80,0xe1,
+        0xb7,0xb7,0x50,0xdf,0xc7,0x59,0x8d,0x5d,
+        0x50,0x11,0xfd,0x2d,0xcc,0x56,0x00,0xa3,
+        0x2e,0xf5,0xb5,0x2a,0x1e,0xcc,0x82,0x0e,
+        0x30,0x8a,0xa3,0x42,0x72,0x1a,0xac,0x09,
+        0x43,0xbf,0x66,0x86,0xb6,0x4b,0x25,0x79,
+        0x37,0x65,0x04,0xcc,0xc4,0x93,0xd9,0x7e,
+        0x6a,0xed,0x3f,0xb0,0xf9,0xcd,0x71,0xa4,
+        0x3d,0xd4,0x97,0xf0,0x1f,0x17,0xc0,0xe2,
+        0xcb,0x37,0x97,0xaa,0x2a,0x2f,0x25,0x66,
+        0x56,0x16,0x8e,0x6c,0x49,0x6a,0xfc,0x5f,
+        0xb9,0x32,0x46,0xf6,0xb1,0x11,0x63,0x98,
+        0xa3,0x46,0xf1,0xa6,0x41,0xf3,0xb0,0x41,
+        0xe9,0x89,0xf7,0x91,0x4f,0x90,0xcc,0x2c,
+        0x7f,0xff,0x35,0x78,0x76,0xe5,0x06,0xb5,
+        0x0d,0x33,0x4b,0xa7,0x7c,0x22,0x5b,0xc3,
+        0x07,0xba,0x53,0x71,0x52,0xf3,0xf1,0x61,
+        0x0e,0x4e,0xaf,0xe5,0x95,0xf6,0xd9,0xd9,
+        0x0d,0x11,0xfa,0xa9,0x33,0xa1,0x5e,0xf1,
+        0x36,0x95,0x46,0x86,0x8a,0x7f,0x3a,0x45,
+        0xa9,0x67,0x68,0xd4,0x0f,0xd9,0xd0,0x34,
+        0x12,0xc0,0x91,0xc6,0x31,0x5c,0xf4,0xfd,
+        0xe7,0xcb,0x68,0x60,0x69,0x37,0x38,0x0d,
+        0xb2,0xea,0xaa,0x70,0x7b,0x4c,0x41,0x85,
+        0xc3,0x2e,0xdd,0xcd,0xd3,0x06,0x70,0x5e,
+        0x4d,0xc1,0xff,0xc8,0x72,0xee,0xee,0x47,
+        0x5a,0x64,0xdf,0xac,0x86,0xab,0xa4,0x1c,
+        0x06,0x18,0x98,0x3f,0x87,0x41,0xc5,0xef,
+        0x68,0xd3,0xa1,0x01,0xe8,0xa3,0xb8,0xca,
+        0xc6,0x0c,0x90,0x5c,0x15,0xfc,0x91,0x08,
+        0x40,0xb9,0x4c,0x00,0xa0,0xb9,0xd0
+    };
+
+    static const byte* msgs[] =   {msg1, msg2, msg3, msg1, msg1, msg4};
+    static const word16 msgSz[] = {0 /*sizeof(msg1)*/,
+                                   sizeof(msg2),
+                                   sizeof(msg3),
+                                   0 /*sizeof(msg1)*/,
+                                   0 /*sizeof(msg1)*/,
+                                   sizeof(msg4)
+    };
+#ifndef NO_ASN
+    static byte privateEd25519[] = {
+        0x30,0x2e,0x02,0x01,0x00,0x30,0x05,0x06,
+        0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    };
+    static byte publicEd25519[] = {
+        0x30,0x2a,0x30,0x05,0x06,0x03,0x2b,0x65,
+        0x70,0x03,0x21,0x00,0xd7,0x5a,0x98,0x01,
+        0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
+        0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
+        0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
+        0xf7,0x07,0x51,0x1a
+    };
+    static byte privPubEd25519[] = {
+        0x30,0x52,0x02,0x01,0x00,0x30,0x05,0x06,
+        0x03,0x2b,0x65,0x70,0x04,0x22,0x04,0x20,
+        0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+        0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+        0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+        0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60,
+        0xa1,0x22,0x04,0x20,0xd7,0x5a,0x98,0x01,
+        0x82,0xb1,0x0a,0xb7,0xd5,0x4b,0xfe,0xd3,
+        0xc9,0x64,0x07,0x3a,0x0e,0xe1,0x72,0xf3,
+        0xda,0xa6,0x23,0x25,0xaf,0x02,0x1a,0x68,
+        0xf7,0x07,0x51,0x1a
+    };
+
+    word32 idx;
+    ed25519_key key3;
+#endif /* NO_ASN */
+#endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
 
     /* create ed25519 keys */
-    wc_InitRng(&rng);
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -10600;
+
     wc_ed25519_init(&key);
     wc_ed25519_init(&key2);
+#ifndef NO_ASN
+    wc_ed25519_init(&key3);
+#endif
     wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key);
     wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key2);
 
@@ -5726,62 +21659,122 @@ int ed25519_test(void)
     keySz = wc_ed25519_size(&key);
     sigSz = wc_ed25519_sig_size(&key);
 
+#if defined(HAVE_ED25519_SIGN) && defined(HAVE_ED25519_KEY_EXPORT) &&\
+        defined(HAVE_ED25519_KEY_IMPORT)
     for (i = 0; i < 6; i++) {
         outlen = sizeof(out);
         XMEMSET(out, 0, sizeof(out));
 
         if (wc_ed25519_import_private_key(sKeys[i], ED25519_KEY_SIZE, pKeys[i],
                 pKeySz[i], &key) != 0)
-            return -1021 - i;
+            return -10601 - i;
 
-        if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key)
-                != 0)
-            return -1027 - i;
+        if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key) != 0)
+            return -10611 - i;
 
         if (XMEMCMP(out, sigs[i], 64))
-            return -1033 - i;
+            return -10621 - i;
 
+#if defined(HAVE_ED25519_VERIFY)
         /* test verify on good msg */
         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
                     &key) != 0 || verify != 1)
-            return -1039 - i;
+            return -10631 - i;
 
         /* test verify on bad msg */
         out[outlen-1] = out[outlen-1] + 1;
         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
                     &key) == 0 || verify == 1)
-            return -1045 - i;
+            return -10641 - i;
+#endif /* HAVE_ED25519_VERIFY */
 
         /* test api for import/exporting keys */
         exportPSz = sizeof(exportPKey);
         exportSSz = sizeof(exportSKey);
         if (wc_ed25519_export_public(&key, exportPKey, &exportPSz) != 0)
-            return -1051 - i;
+            return -10651 - i;
 
         if (wc_ed25519_import_public(exportPKey, exportPSz, &key2) != 0)
-            return -1057 - i;
+            return -10661 - i;
 
         if (wc_ed25519_export_private_only(&key, exportSKey, &exportSSz) != 0)
-            return -1063 - i;
+            return -10671 - i;
 
         if (wc_ed25519_import_private_key(exportSKey, exportSSz,
                                           exportPKey, exportPSz, &key2) != 0)
-            return -1069 - i;
+            return -10681 - i;
 
         /* clear "out" buffer and test sign with imported keys */
         outlen = sizeof(out);
         XMEMSET(out, 0, sizeof(out));
         if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key2) != 0)
-            return -1075 - i;
+            return -10691 - i;
 
+#if defined(HAVE_ED25519_VERIFY)
         if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
                                   &key2) != 0 || verify != 1)
-            return -1081 - i;
+            return -10701 - i;
 
         if (XMEMCMP(out, sigs[i], 64))
-            return -1087 - i;
+            return -10711 - i;
+#endif /* HAVE_ED25519_VERIFY */
     }
 
+    ret = ed25519ctx_test();
+    if (ret != 0)
+        return ret;
+
+    ret = ed25519ph_test();
+    if (ret != 0)
+        return ret;
+
+#ifndef NO_ASN
+    /* Try ASN.1 encoded private-only key and public key. */
+    idx = 0;
+    if (wc_Ed25519PrivateKeyDecode(privateEd25519, &idx, &key3,
+                                   sizeof(privateEd25519)) != 0)
+        return -10721 - i;
+
+    if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3)
+                != BAD_FUNC_ARG)
+        return -10731 - i;
+
+    idx = 0;
+    if (wc_Ed25519PublicKeyDecode(publicEd25519, &idx, &key3,
+                                  sizeof(publicEd25519)) != 0)
+        return -10741 - i;
+
+    if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3) != 0)
+        return -10751 - i;
+
+    if (XMEMCMP(out, sigs[0], 64))
+        return -10761 - i;
+
+#if defined(HAVE_ED25519_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed25519_verify_msg(out, outlen, msgs[0], msgSz[0], &verify, &key3)
+                != 0 || verify != 1)
+        return -10771 - i;
+#endif /* HAVE_ED25519_VERIFY */
+
+    wc_ed25519_free(&key3);
+    wc_ed25519_init(&key3);
+
+    idx = 0;
+    if (wc_Ed25519PrivateKeyDecode(privPubEd25519, &idx, &key3,
+                                   sizeof(privPubEd25519)) != 0)
+        return -10781 - i;
+
+    if (wc_ed25519_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3) != 0)
+        return -10791 - i;
+
+    if (XMEMCMP(out, sigs[0], 64))
+        return -10801 - i;
+
+    wc_ed25519_free(&key3);
+#endif /* NO_ASN */
+#endif /* HAVE_ED25519_SIGN && HAVE_ED25519_KEY_EXPORT && HAVE_ED25519_KEY_IMPORT */
+
     /* clean up keys when done */
     wc_ed25519_free(&key);
     wc_ed25519_free(&key2);
@@ -5790,14 +21783,1624 @@ int ed25519_test(void)
     wc_FreeRng(&rng);
 #endif
 
-    /* hush warrnings of unused keySz and sigSz */
+    /* hush warnings of unused keySz and sigSz */
     (void)keySz;
     (void)sigSz;
 
+#ifdef WOLFSSL_TEST_CERT
+    ret = ed25519_test_cert();
+    if (ret < 0)
+        return ret;
+#ifdef WOLFSSL_CERT_GEN
+    ret = ed25519_test_make_cert();
+    if (ret < 0)
+        return ret;
+#endif /* WOLFSSL_CERT_GEN */
+#endif /* WOLFSSL_TEST_CERT */
+
     return 0;
 }
 #endif /* HAVE_ED25519 */
 
+#ifdef HAVE_CURVE448
+#if defined(HAVE_CURVE448_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE448_KEY_IMPORT)
+/* Test the wc_curve448_check_public API.
+ *
+ * returns 0 on success and -ve on failure.
+ */
+static int curve448_check_public_test(void)
+{
+    /* Little-endian values that will fail */
+    byte fail_le[][CURVE448_KEY_SIZE] = {
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+        {
+            0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+    };
+    /* Big-endian values that will fail */
+    byte fail_be[][CURVE448_KEY_SIZE] = {
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+        },
+        {
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+            0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
+        },
+    };
+    /* Good or valid public value */
+    byte good[CURVE448_KEY_SIZE] = {
+        0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01
+    };
+    int i;
+
+    /* Parameter checks */
+    /* NULL pointer */
+    if (wc_curve448_check_public(NULL, 0, EC448_LITTLE_ENDIAN) !=
+                                                                 BAD_FUNC_ARG) {
+        return -10900;
+    }
+    if (wc_curve448_check_public(NULL, 0, EC448_BIG_ENDIAN) != BAD_FUNC_ARG) {
+        return -10901;
+    }
+    /* Length of 0 treated differently to other invalid lengths for TLS */
+    if (wc_curve448_check_public(good, 0, EC448_LITTLE_ENDIAN) != BUFFER_E)
+        return -10902;
+    if (wc_curve448_check_public(good, 0, EC448_BIG_ENDIAN) != BUFFER_E)
+        return -10903;
+
+    /* Length not CURVE448_KEY_SIZE */
+    for (i = 1; i < CURVE448_KEY_SIZE + 2; i++) {
+        if (i == CURVE448_KEY_SIZE)
+            continue;
+        if (wc_curve448_check_public(good, i, EC448_LITTLE_ENDIAN) !=
+                                                                ECC_BAD_ARG_E) {
+            return -10904 - i;
+        }
+        if (wc_curve448_check_public(good, i, EC448_BIG_ENDIAN) !=
+                                                                ECC_BAD_ARG_E) {
+            return -10914 - i;
+        }
+    }
+
+    /* Little-endian fail cases */
+    for (i = 0; i < (int)(sizeof(fail_le) / sizeof(*fail_le)); i++) {
+        if (wc_curve448_check_public(fail_le[i], CURVE448_KEY_SIZE,
+                                                    EC448_LITTLE_ENDIAN) == 0) {
+            return -10924 - i;
+        }
+    }
+    /* Big-endian fail cases */
+    for (i = 0; i < (int)(sizeof(fail_be) / sizeof(*fail_be)); i++) {
+        if (wc_curve448_check_public(fail_be[i], CURVE448_KEY_SIZE,
+                                                       EC448_BIG_ENDIAN) == 0) {
+            return -10934 - i;
+        }
+    }
+
+    /* Check a valid public value works! */
+    if (wc_curve448_check_public(good, CURVE448_KEY_SIZE,
+                                                    EC448_LITTLE_ENDIAN) != 0) {
+        return -10944;
+    }
+    if (wc_curve448_check_public(good, CURVE448_KEY_SIZE,
+                                                       EC448_BIG_ENDIAN) != 0) {
+        return -10945;
+    }
+
+    return 0;
+}
+
+#endif /* HAVE_CURVE448_SHARED_SECRET && HAVE_CURVE448_KEY_IMPORT */
+
+int curve448_test(void)
+{
+    WC_RNG  rng;
+    int ret;
+#ifdef HAVE_CURVE448_SHARED_SECRET
+    byte    sharedA[CURVE448_KEY_SIZE];
+    byte    sharedB[CURVE448_KEY_SIZE];
+    word32  y;
+#endif
+#ifdef HAVE_CURVE448_KEY_EXPORT
+    byte    exportBuf[CURVE448_KEY_SIZE];
+#endif
+    word32  x;
+    curve448_key userA, userB, pubKey;
+
+    (void)x;
+
+#if defined(HAVE_CURVE448_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE448_KEY_IMPORT)
+    /* test vectors from
+       https://www.rfc-editor.org/rfc/rfc7748.html
+     */
+
+    /* secret key for party a */
+    byte sa[] = {
+        0x6b, 0x72, 0x98, 0xa5, 0xc0, 0xd8, 0xc2, 0x9a,
+        0x1d, 0xab, 0x27, 0xf1, 0xa6, 0x82, 0x63, 0x00,
+        0x91, 0x73, 0x89, 0x44, 0x97, 0x41, 0xa9, 0x74,
+        0xf5, 0xba, 0xc9, 0xd9, 0x8d, 0xc2, 0x98, 0xd4,
+        0x65, 0x55, 0xbc, 0xe8, 0xba, 0xe8, 0x9e, 0xee,
+        0xd4, 0x00, 0x58, 0x4b, 0xb0, 0x46, 0xcf, 0x75,
+        0x57, 0x9f, 0x51, 0xd1, 0x25, 0x49, 0x8f, 0x9a,
+    };
+
+    /* public key for party a */
+    byte pa[] = {
+        0xa0, 0x1f, 0xc4, 0x32, 0xe5, 0x80, 0x7f, 0x17,
+        0x53, 0x0d, 0x12, 0x88, 0xda, 0x12, 0x5b, 0x0c,
+        0xd4, 0x53, 0xd9, 0x41, 0x72, 0x64, 0x36, 0xc8,
+        0xbb, 0xd9, 0xc5, 0x22, 0x2c, 0x3d, 0xa7, 0xfa,
+        0x63, 0x9c, 0xe0, 0x3d, 0xb8, 0xd2, 0x3b, 0x27,
+        0x4a, 0x07, 0x21, 0xa1, 0xae, 0xd5, 0x22, 0x7d,
+        0xe6, 0xe3, 0xb7, 0x31, 0xcc, 0xf7, 0x08, 0x9b,
+    };
+
+    /* secret key for party b */
+    byte sb[] = {
+        0x2d, 0x99, 0x73, 0x51, 0xb6, 0x10, 0x6f, 0x36,
+        0xb0, 0xd1, 0x09, 0x1b, 0x92, 0x9c, 0x4c, 0x37,
+        0x21, 0x3e, 0x0d, 0x2b, 0x97, 0xe8, 0x5e, 0xbb,
+        0x20, 0xc1, 0x27, 0x69, 0x1d, 0x0d, 0xad, 0x8f,
+        0x1d, 0x81, 0x75, 0xb0, 0x72, 0x37, 0x45, 0xe6,
+        0x39, 0xa3, 0xcb, 0x70, 0x44, 0x29, 0x0b, 0x99,
+        0xe0, 0xe2, 0xa0, 0xc2, 0x7a, 0x6a, 0x30, 0x1c,
+    };
+
+    /* public key for party b */
+    byte pb[] = {
+        0x09, 0x36, 0xf3, 0x7b, 0xc6, 0xc1, 0xbd, 0x07,
+        0xae, 0x3d, 0xec, 0x7a, 0xb5, 0xdc, 0x06, 0xa7,
+        0x3c, 0xa1, 0x32, 0x42, 0xfb, 0x34, 0x3e, 0xfc,
+        0x72, 0xb9, 0xd8, 0x27, 0x30, 0xb4, 0x45, 0xf3,
+        0xd4, 0xb0, 0xbd, 0x07, 0x71, 0x62, 0xa4, 0x6d,
+        0xcf, 0xec, 0x6f, 0x9b, 0x59, 0x0b, 0xfc, 0xbc,
+        0xf5, 0x20, 0xcd, 0xb0, 0x29, 0xa8, 0xb7, 0x3e,
+    };
+
+    /* expected shared key */
+    byte ss[] = {
+        0x9d, 0x87, 0x4a, 0x51, 0x37, 0x50, 0x9a, 0x44,
+        0x9a, 0xd5, 0x85, 0x30, 0x40, 0x24, 0x1c, 0x52,
+        0x36, 0x39, 0x54, 0x35, 0xc3, 0x64, 0x24, 0xfd,
+        0x56, 0x0b, 0x0c, 0xb6, 0x2b, 0x28, 0x1d, 0x28,
+        0x52, 0x75, 0xa7, 0x40, 0xce, 0x32, 0xa2, 0x2d,
+        0xd1, 0x74, 0x0f, 0x4a, 0xa9, 0x16, 0x1c, 0xec,
+        0x95, 0xcc, 0xc6, 0x1a, 0x18, 0xf4, 0xff, 0x07,
+    };
+#endif /* HAVE_CURVE448_SHARED_SECRET */
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -11000;
+
+    wc_curve448_init(&userA);
+    wc_curve448_init(&userB);
+    wc_curve448_init(&pubKey);
+
+    /* make curve448 keys */
+    if (wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &userA) != 0)
+        return -11001;
+
+    if (wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &userB) != 0)
+        return -11002;
+
+#ifdef HAVE_CURVE448_SHARED_SECRET
+    /* find shared secret key */
+    x = sizeof(sharedA);
+    if (wc_curve448_shared_secret(&userA, &userB, sharedA, &x) != 0)
+        return -11003;
+
+    y = sizeof(sharedB);
+    if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
+        return -11004;
+
+    /* compare shared secret keys to test they are the same */
+    if (y != x)
+        return -11005;
+
+    if (XMEMCMP(sharedA, sharedB, x))
+        return -11006;
+#endif
+
+#ifdef HAVE_CURVE448_KEY_EXPORT
+    /* export a public key and import it for another user */
+    x = sizeof(exportBuf);
+    if (wc_curve448_export_public(&userA, exportBuf, &x) != 0)
+        return -11007;
+
+#ifdef HAVE_CURVE448_KEY_IMPORT
+    if (wc_curve448_import_public(exportBuf, x, &pubKey) != 0)
+        return -11008;
+#endif
+#endif
+
+#if defined(HAVE_CURVE448_SHARED_SECRET) && \
+                                             defined(HAVE_CURVE448_KEY_IMPORT)
+    /* test shared key after importing a public key */
+    XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
+    if (wc_curve448_shared_secret(&userB, &pubKey, sharedB, &y) != 0)
+        return -11009;
+
+    if (XMEMCMP(sharedA, sharedB, y))
+        return -11010;
+
+    /* import RFC test vectors and compare shared key */
+    if (wc_curve448_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
+            != 0)
+        return -11011;
+
+    if (wc_curve448_import_private_raw(sb, sizeof(sb), pb, sizeof(pb), &userB)
+            != 0)
+        return -11012;
+
+    /* test against known test vector */
+    XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
+    if (wc_curve448_shared_secret(&userA, &userB, sharedB, &y) != 0)
+        return -11013;
+
+    if (XMEMCMP(ss, sharedB, y))
+        return -11014;
+
+    /* test swapping roles of keys and generating same shared key */
+    XMEMSET(sharedB, 0, sizeof(sharedB));
+    y = sizeof(sharedB);
+    if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
+        return -11015;
+
+    if (XMEMCMP(ss, sharedB, y))
+        return -11016;
+
+    /* test with 1 generated key and 1 from known test vector */
+    if (wc_curve448_import_private_raw(sa, sizeof(sa), pa, sizeof(pa), &userA)
+        != 0)
+        return -11017;
+
+    if (wc_curve448_make_key(&rng, 56, &userB) != 0)
+        return -11018;
+
+    x = sizeof(sharedA);
+    if (wc_curve448_shared_secret(&userA, &userB, sharedA, &x) != 0)
+        return -11019;
+
+    y = sizeof(sharedB);
+    if (wc_curve448_shared_secret(&userB, &userA, sharedB, &y) != 0)
+        return -11020;
+
+    /* compare shared secret keys to test they are the same */
+    if (y != x)
+        return -11021;
+
+    if (XMEMCMP(sharedA, sharedB, x))
+        return -11022;
+
+    ret = curve448_check_public_test();
+    if (ret != 0)
+        return ret;
+#endif /* HAVE_CURVE448_SHARED_SECRET && HAVE_CURVE448_KEY_IMPORT */
+
+    /* clean up keys when done */
+    wc_curve448_free(&pubKey);
+    wc_curve448_free(&userB);
+    wc_curve448_free(&userA);
+
+    wc_FreeRng(&rng);
+
+    return 0;
+}
+#endif /* HAVE_CURVE448 */
+
+#ifdef HAVE_ED448
+#ifdef WOLFSSL_TEST_CERT
+static int ed448_test_cert(void)
+{
+    DecodedCert  cert[2];
+    DecodedCert* serverCert = NULL;
+    DecodedCert* caCert = NULL;
+#ifdef HAVE_ED448_VERIFY
+    ed448_key  key;
+    ed448_key* pubKey = NULL;
+    int          verify;
+#endif /* HAVE_ED448_VERIFY */
+    int          ret;
+    byte*        tmp;
+    size_t       bytes;
+    XFILE        file;
+
+    tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        ERROR_OUT(-11023, done);
+    }
+
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(tmp, ca_ed448_cert, sizeof_ca_ed448_cert);
+    bytes = sizeof_ca_ed448_cert;
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(caEd448Cert, "rb");
+    if (file == NULL) {
+        ERROR_OUT(-11024, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No certificate to use. */
+    ERROR_OUT(-11025, done);
+#endif
+
+    InitDecodedCert(&cert[0], tmp, (word32)bytes, 0);
+    caCert = &cert[0];
+    ret = ParseCert(caCert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-11026, done);
+    }
+
+#ifdef USE_CERT_BUFFERS_256
+    XMEMCPY(tmp, server_ed448_cert, sizeof_server_ed448_cert);
+    bytes = sizeof_server_ed448_cert;
+#elif !defined(NO_FILESYSTEM)
+    file = XFOPEN(serverEd448Cert, "rb");
+    if (file == NULL) {
+        ERROR_OUT(-11027, done);
+    }
+    bytes = XFREAD(tmp, 1, FOURK_BUF, file);
+    XFCLOSE(file);
+#else
+    /* No certificate to use. */
+    ERROR_OUT(-11028, done);
+#endif
+
+    InitDecodedCert(&cert[1], tmp, (word32)bytes, 0);
+    serverCert = &cert[1];
+    ret = ParseCert(serverCert, CERT_TYPE, NO_VERIFY, NULL);
+    if (ret != 0) {
+        ERROR_OUT(-11029, done);
+    }
+
+#ifdef HAVE_ED448_VERIFY
+    ret = wc_ed448_init(&key);
+    if (ret < 0) {
+        ERROR_OUT(-11030, done);
+    }
+    pubKey = &key;
+    ret = wc_ed448_import_public(caCert->publicKey, caCert->pubKeySize, pubKey);
+    if (ret < 0) {
+        ERROR_OUT(-11031, done);
+    }
+
+    if (wc_ed448_verify_msg(serverCert->signature, serverCert->sigLength,
+                            serverCert->source + serverCert->certBegin,
+                            serverCert->sigIndex - serverCert->certBegin,
+                            &verify, pubKey) < 0 || verify != 1) {
+        ERROR_OUT(-11032, done);
+    }
+#endif /* HAVE_ED448_VERIFY */
+
+done:
+    if (tmp != NULL)
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#ifdef HAVE_ED448_VERIFY
+    wc_ed448_free(pubKey);
+#endif /* HAVE_ED448_VERIFY */
+    if (caCert != NULL)
+        FreeDecodedCert(caCert);
+    if (serverCert != NULL)
+        FreeDecodedCert(serverCert);
+
+    return ret;
+}
+
+static int ed448_test_make_cert(void)
+{
+    WC_RNG       rng;
+    Cert         cert;
+    DecodedCert  decode;
+    ed448_key  key;
+    ed448_key* privKey = NULL;
+    int          ret = 0;
+    byte*        tmp = NULL;
+
+    wc_InitCert(&cert);
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -11033;
+
+    wc_ed448_init(&key);
+    privKey = &key;
+    wc_ed448_make_key(&rng, ED448_KEY_SIZE, privKey);
+
+    cert.daysValid = 365 * 2;
+    cert.selfSigned = 1;
+    XMEMCPY(&cert.issuer, &certDefaultName, sizeof(CertName));
+    XMEMCPY(&cert.subject, &certDefaultName, sizeof(CertName));
+    cert.isCA = 0;
+#ifdef WOLFSSL_CERT_EXT
+    ret = wc_SetKeyUsage(&cert, certKeyUsage);
+    if (ret < 0) {
+        ERROR_OUT(-11034, done);
+    }
+    ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED448_TYPE, privKey);
+    if (ret < 0) {
+        ERROR_OUT(-11035, done);
+    }
+    ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED448_TYPE, privKey);
+    if (ret < 0) {
+        ERROR_OUT(-11036, done);
+    }
+#endif
+    tmp = XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (tmp == NULL) {
+        ERROR_OUT(-11037, done);
+    }
+
+    cert.sigType = CTC_ED448;
+    ret = wc_MakeCert_ex(&cert, tmp, FOURK_BUF, ED448_TYPE, privKey, &rng);
+    if (ret < 0) {
+        ERROR_OUT(-11038, done);
+    }
+    ret = wc_SignCert_ex(cert.bodySz, cert.sigType, tmp, FOURK_BUF, ED448_TYPE,
+                                                                 privKey, &rng);
+    if (ret < 0) {
+        ERROR_OUT(-11039, done);
+    }
+
+    InitDecodedCert(&decode, tmp, ret, HEAP_HINT);
+    ret = ParseCert(&decode, CERT_TYPE, NO_VERIFY, 0);
+    FreeDecodedCert(&decode);
+    if (ret != 0) {
+        ERROR_OUT(-11040, done);
+    }
+
+done:
+    if (tmp != NULL)
+        XFREE(tmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_ed448_free(privKey);
+    wc_FreeRng(&rng);
+    return ret;
+}
+#endif /* WOLFSSL_TEST_CERT */
+
+#if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) && \
+    defined(HAVE_ED448_KEY_IMPORT)
+static int ed448_ctx_test(void)
+{
+    byte   out[ED448_SIG_SIZE];
+    word32 outlen;
+#ifdef HAVE_ED448_VERIFY
+    int    verify;
+#endif /* HAVE_ED448_VERIFY */
+    ed448_key key;
+
+    static const byte sKeyCtx[] = {
+        0xc4, 0xea, 0xb0, 0x5d, 0x35, 0x70, 0x07, 0xc6,
+        0x32, 0xf3, 0xdb, 0xb4, 0x84, 0x89, 0x92, 0x4d,
+        0x55, 0x2b, 0x08, 0xfe, 0x0c, 0x35, 0x3a, 0x0d,
+        0x4a, 0x1f, 0x00, 0xac, 0xda, 0x2c, 0x46, 0x3a,
+        0xfb, 0xea, 0x67, 0xc5, 0xe8, 0xd2, 0x87, 0x7c,
+        0x5e, 0x3b, 0xc3, 0x97, 0xa6, 0x59, 0x94, 0x9e,
+        0xf8, 0x02, 0x1e, 0x95, 0x4e, 0x0a, 0x12, 0x27,
+        0x4e
+    };
+
+    static const byte pKeyCtx[] = {
+        0x43, 0xba, 0x28, 0xf4, 0x30, 0xcd, 0xff, 0x45,
+        0x6a, 0xe5, 0x31, 0x54, 0x5f, 0x7e, 0xcd, 0x0a,
+        0xc8, 0x34, 0xa5, 0x5d, 0x93, 0x58, 0xc0, 0x37,
+        0x2b, 0xfa, 0x0c, 0x6c, 0x67, 0x98, 0xc0, 0x86,
+        0x6a, 0xea, 0x01, 0xeb, 0x00, 0x74, 0x28, 0x02,
+        0xb8, 0x43, 0x8e, 0xa4, 0xcb, 0x82, 0x16, 0x9c,
+        0x23, 0x51, 0x60, 0x62, 0x7b, 0x4c, 0x3a, 0x94,
+        0x80
+    };
+
+    static const byte sigCtx[] = {
+        0xd4, 0xf8, 0xf6, 0x13, 0x17, 0x70, 0xdd, 0x46,
+        0xf4, 0x08, 0x67, 0xd6, 0xfd, 0x5d, 0x50, 0x55,
+        0xde, 0x43, 0x54, 0x1f, 0x8c, 0x5e, 0x35, 0xab,
+        0xbc, 0xd0, 0x01, 0xb3, 0x2a, 0x89, 0xf7, 0xd2,
+        0x15, 0x1f, 0x76, 0x47, 0xf1, 0x1d, 0x8c, 0xa2,
+        0xae, 0x27, 0x9f, 0xb8, 0x42, 0xd6, 0x07, 0x21,
+        0x7f, 0xce, 0x6e, 0x04, 0x2f, 0x68, 0x15, 0xea,
+        0x00, 0x0c, 0x85, 0x74, 0x1d, 0xe5, 0xc8, 0xda,
+        0x11, 0x44, 0xa6, 0xa1, 0xab, 0xa7, 0xf9, 0x6d,
+        0xe4, 0x25, 0x05, 0xd7, 0xa7, 0x29, 0x85, 0x24,
+        0xfd, 0xa5, 0x38, 0xfc, 0xcb, 0xbb, 0x75, 0x4f,
+        0x57, 0x8c, 0x1c, 0xad, 0x10, 0xd5, 0x4d, 0x0d,
+        0x54, 0x28, 0x40, 0x7e, 0x85, 0xdc, 0xbc, 0x98,
+        0xa4, 0x91, 0x55, 0xc1, 0x37, 0x64, 0xe6, 0x6c,
+        0x3c, 0x00
+    };
+
+    static const byte msgCtx[] = {
+        0x03
+    };
+
+    static const byte contextCtx[] = {
+        0x66,0x6f,0x6f
+    };
+
+    outlen = sizeof(out);
+    XMEMSET(out, 0, sizeof(out));
+
+    if (wc_ed448_import_private_key(sKeyCtx, ED448_KEY_SIZE, pKeyCtx,
+                                    sizeof(pKeyCtx), &key) != 0)
+        return -11100;
+
+    if (wc_ed448_sign_msg(msgCtx, sizeof(msgCtx), out, &outlen, &key,
+                          contextCtx, sizeof(contextCtx)) != 0)
+        return -11101;
+
+    if (XMEMCMP(out, sigCtx, sizeof(sigCtx)))
+        return -11102;
+
+#if defined(HAVE_ED448_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed448_verify_msg(out, outlen, msgCtx, sizeof(msgCtx), &verify, &key,
+                            contextCtx, sizeof(contextCtx)) != 0 || verify != 1)
+        return -11103;
+#endif
+
+    wc_ed448_free(&key);
+
+    return 0;
+}
+
+static int ed448ph_test(void)
+{
+    byte   out[ED448_SIG_SIZE];
+    word32 outlen;
+#ifdef HAVE_ED448_VERIFY
+    int    verify;
+#endif /* HAVE_ED448_VERIFY */
+    ed448_key key;
+
+    static const byte sKeyPh[] = {
+        0x83, 0x3f, 0xe6, 0x24, 0x09, 0x23, 0x7b, 0x9d,
+        0x62, 0xec, 0x77, 0x58, 0x75, 0x20, 0x91, 0x1e,
+        0x9a, 0x75, 0x9c, 0xec, 0x1d, 0x19, 0x75, 0x5b,
+        0x7d, 0xa9, 0x01, 0xb9, 0x6d, 0xca, 0x3d, 0x42,
+        0xef, 0x78, 0x22, 0xe0, 0xd5, 0x10, 0x41, 0x27,
+        0xdc, 0x05, 0xd6, 0xdb, 0xef, 0xde, 0x69, 0xe3,
+        0xab, 0x2c, 0xec, 0x7c, 0x86, 0x7c, 0x6e, 0x2c,
+        0x49
+    };
+
+    static const byte pKeyPh[] = {
+        0x25, 0x9b, 0x71, 0xc1, 0x9f, 0x83, 0xef, 0x77,
+        0xa7, 0xab, 0xd2, 0x65, 0x24, 0xcb, 0xdb, 0x31,
+        0x61, 0xb5, 0x90, 0xa4, 0x8f, 0x7d, 0x17, 0xde,
+        0x3e, 0xe0, 0xba, 0x9c, 0x52, 0xbe, 0xb7, 0x43,
+        0xc0, 0x94, 0x28, 0xa1, 0x31, 0xd6, 0xb1, 0xb5,
+        0x73, 0x03, 0xd9, 0x0d, 0x81, 0x32, 0xc2, 0x76,
+        0xd5, 0xed, 0x3d, 0x5d, 0x01, 0xc0, 0xf5, 0x38,
+        0x80
+    };
+
+    static const byte sigPh1[] = {
+        0x82, 0x2f, 0x69, 0x01, 0xf7, 0x48, 0x0f, 0x3d,
+        0x5f, 0x56, 0x2c, 0x59, 0x29, 0x94, 0xd9, 0x69,
+        0x36, 0x02, 0x87, 0x56, 0x14, 0x48, 0x32, 0x56,
+        0x50, 0x56, 0x00, 0xbb, 0xc2, 0x81, 0xae, 0x38,
+        0x1f, 0x54, 0xd6, 0xbc, 0xe2, 0xea, 0x91, 0x15,
+        0x74, 0x93, 0x2f, 0x52, 0xa4, 0xe6, 0xca, 0xdd,
+        0x78, 0x76, 0x93, 0x75, 0xec, 0x3f, 0xfd, 0x1b,
+        0x80, 0x1a, 0x0d, 0x9b, 0x3f, 0x40, 0x30, 0xcd,
+        0x43, 0x39, 0x64, 0xb6, 0x45, 0x7e, 0xa3, 0x94,
+        0x76, 0x51, 0x12, 0x14, 0xf9, 0x74, 0x69, 0xb5,
+        0x7d, 0xd3, 0x2d, 0xbc, 0x56, 0x0a, 0x9a, 0x94,
+        0xd0, 0x0b, 0xff, 0x07, 0x62, 0x04, 0x64, 0xa3,
+        0xad, 0x20, 0x3d, 0xf7, 0xdc, 0x7c, 0xe3, 0x60,
+        0xc3, 0xcd, 0x36, 0x96, 0xd9, 0xd9, 0xfa, 0xb9,
+        0x0f, 0x00
+    };
+
+    static const byte sigPh2[] = {
+        0xc3, 0x22, 0x99, 0xd4, 0x6e, 0xc8, 0xff, 0x02,
+        0xb5, 0x45, 0x40, 0x98, 0x28, 0x14, 0xdc, 0xe9,
+        0xa0, 0x58, 0x12, 0xf8, 0x19, 0x62, 0xb6, 0x49,
+        0xd5, 0x28, 0x09, 0x59, 0x16, 0xa2, 0xaa, 0x48,
+        0x10, 0x65, 0xb1, 0x58, 0x04, 0x23, 0xef, 0x92,
+        0x7e, 0xcf, 0x0a, 0xf5, 0x88, 0x8f, 0x90, 0xda,
+        0x0f, 0x6a, 0x9a, 0x85, 0xad, 0x5d, 0xc3, 0xf2,
+        0x80, 0xd9, 0x12, 0x24, 0xba, 0x99, 0x11, 0xa3,
+        0x65, 0x3d, 0x00, 0xe4, 0x84, 0xe2, 0xce, 0x23,
+        0x25, 0x21, 0x48, 0x1c, 0x86, 0x58, 0xdf, 0x30,
+        0x4b, 0xb7, 0x74, 0x5a, 0x73, 0x51, 0x4c, 0xdb,
+        0x9b, 0xf3, 0xe1, 0x57, 0x84, 0xab, 0x71, 0x28,
+        0x4f, 0x8d, 0x07, 0x04, 0xa6, 0x08, 0xc5, 0x4a,
+        0x6b, 0x62, 0xd9, 0x7b, 0xeb, 0x51, 0x1d, 0x13,
+        0x21, 0x00
+    };
+
+    static const byte msgPh[] = {
+        0x61,0x62,0x63
+    };
+
+    /* SHA-512 hash of msgPh */
+    static const byte hashPh[] = {
+        0x48, 0x33, 0x66, 0x60, 0x13, 0x60, 0xa8, 0x77,
+        0x1c, 0x68, 0x63, 0x08, 0x0c, 0xc4, 0x11, 0x4d,
+        0x8d, 0xb4, 0x45, 0x30, 0xf8, 0xf1, 0xe1, 0xee,
+        0x4f, 0x94, 0xea, 0x37, 0xe7, 0x8b, 0x57, 0x39,
+        0xd5, 0xa1, 0x5b, 0xef, 0x18, 0x6a, 0x53, 0x86,
+        0xc7, 0x57, 0x44, 0xc0, 0x52, 0x7e, 0x1f, 0xaa,
+        0x9f, 0x87, 0x26, 0xe4, 0x62, 0xa1, 0x2a, 0x4f,
+        0xeb, 0x06, 0xbd, 0x88, 0x01, 0xe7, 0x51, 0xe4
+    };
+
+    static const byte contextPh2[] = {
+        0x66,0x6f,0x6f
+    };
+
+    outlen = sizeof(out);
+    XMEMSET(out, 0, sizeof(out));
+
+    if (wc_ed448_import_private_key(sKeyPh, ED448_KEY_SIZE, pKeyPh,
+                                    sizeof(pKeyPh), &key) != 0) {
+        return -11200;
+    }
+
+    if (wc_ed448ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key, NULL,
+                            0) != 0) {
+        return -11201;
+    }
+
+    if (XMEMCMP(out, sigPh1, sizeof(sigPh1)))
+        return -11202;
+
+#if defined(HAVE_ED448_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed448ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify, &key,
+                              NULL, 0) != 0 || verify != 1) {
+        return -11203;
+    }
+#endif
+
+    if (wc_ed448ph_sign_msg(msgPh, sizeof(msgPh), out, &outlen, &key,
+                            contextPh2, sizeof(contextPh2)) != 0) {
+        return -11204;
+    }
+
+    if (XMEMCMP(out, sigPh2, sizeof(sigPh2)))
+        return -11205;
+
+#if defined(HAVE_ED448_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed448ph_verify_msg(out, outlen, msgPh, sizeof(msgPh), &verify, &key,
+                              contextPh2, sizeof(contextPh2)) != 0 ||
+            verify != 1) {
+        return -11206;
+    }
+#endif
+
+    if (wc_ed448ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key, NULL,
+                             0) != 0) {
+        return -11207;
+    }
+
+    if (XMEMCMP(out, sigPh1, sizeof(sigPh1)))
+        return -11208;
+
+#if defined(HAVE_ED448_VERIFY)
+    if (wc_ed448ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
+                               &key, NULL, 0) != 0 || verify != 1) {
+        return -11209;
+    }
+#endif
+
+    if (wc_ed448ph_sign_hash(hashPh, sizeof(hashPh), out, &outlen, &key,
+                             contextPh2, sizeof(contextPh2)) != 0) {
+        return -11210;
+    }
+
+    if (XMEMCMP(out, sigPh2, sizeof(sigPh2)))
+        return -11211;
+
+#if defined(HAVE_ED448_VERIFY)
+    if (wc_ed448ph_verify_hash(out, outlen, hashPh, sizeof(hashPh), &verify,
+                               &key, contextPh2, sizeof(contextPh2)) != 0 ||
+            verify != 1) {
+        return -11212;
+    }
+#endif
+
+    wc_ed448_free(&key);
+
+    return 0;
+}
+#endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
+
+int ed448_test(void)
+{
+    int ret;
+    WC_RNG rng;
+#if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) &&\
+    defined(HAVE_ED448_KEY_IMPORT)
+    byte   out[ED448_SIG_SIZE];
+    byte   exportPKey[ED448_KEY_SIZE];
+    byte   exportSKey[ED448_KEY_SIZE];
+    word32 exportPSz;
+    word32 exportSSz;
+    int    i;
+    word32 outlen;
+#ifdef HAVE_ED448_VERIFY
+    int    verify;
+#endif /* HAVE_ED448_VERIFY */
+#endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
+    word32 keySz, sigSz;
+    ed448_key key;
+    ed448_key key2;
+
+#if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) && \
+    defined(HAVE_ED448_KEY_IMPORT)
+    /* test vectors from
+       https://tools.ietf.org/html/rfc8032
+     */
+
+    static const byte sKey1[] = {
+        0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
+        0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
+        0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
+        0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
+        0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
+        0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
+        0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
+        0x5b
+    };
+
+    static const byte sKey2[] = {
+        0xc4, 0xea, 0xb0, 0x5d, 0x35, 0x70, 0x07, 0xc6,
+        0x32, 0xf3, 0xdb, 0xb4, 0x84, 0x89, 0x92, 0x4d,
+        0x55, 0x2b, 0x08, 0xfe, 0x0c, 0x35, 0x3a, 0x0d,
+        0x4a, 0x1f, 0x00, 0xac, 0xda, 0x2c, 0x46, 0x3a,
+        0xfb, 0xea, 0x67, 0xc5, 0xe8, 0xd2, 0x87, 0x7c,
+        0x5e, 0x3b, 0xc3, 0x97, 0xa6, 0x59, 0x94, 0x9e,
+        0xf8, 0x02, 0x1e, 0x95, 0x4e, 0x0a, 0x12, 0x27,
+        0x4e
+    };
+
+    static const byte sKey3[] = {
+        0x25, 0x8c, 0xdd, 0x4a, 0xda, 0x32, 0xed, 0x9c,
+        0x9f, 0xf5, 0x4e, 0x63, 0x75, 0x6a, 0xe5, 0x82,
+        0xfb, 0x8f, 0xab, 0x2a, 0xc7, 0x21, 0xf2, 0xc8,
+        0xe6, 0x76, 0xa7, 0x27, 0x68, 0x51, 0x3d, 0x93,
+        0x9f, 0x63, 0xdd, 0xdb, 0x55, 0x60, 0x91, 0x33,
+        0xf2, 0x9a, 0xdf, 0x86, 0xec, 0x99, 0x29, 0xdc,
+        0xcb, 0x52, 0xc1, 0xc5, 0xfd, 0x2f, 0xf7, 0xe2,
+        0x1b
+    };
+
+    /* uncompressed test */
+    static const byte sKey4[] = {
+        0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
+        0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
+        0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
+        0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
+        0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
+        0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
+        0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
+        0x5b
+    };
+
+    /* compressed prefix test */
+    static const byte sKey5[] = {
+        0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
+        0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
+        0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
+        0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
+        0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
+        0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
+        0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
+        0x5b
+    };
+
+    static const byte sKey6[] = {
+        0x87, 0x2d, 0x09, 0x37, 0x80, 0xf5, 0xd3, 0x73,
+        0x0d, 0xf7, 0xc2, 0x12, 0x66, 0x4b, 0x37, 0xb8,
+        0xa0, 0xf2, 0x4f, 0x56, 0x81, 0x0d, 0xaa, 0x83,
+        0x82, 0xcd, 0x4f, 0xa3, 0xf7, 0x76, 0x34, 0xec,
+        0x44, 0xdc, 0x54, 0xf1, 0xc2, 0xed, 0x9b, 0xea,
+        0x86, 0xfa, 0xfb, 0x76, 0x32, 0xd8, 0xbe, 0x19,
+        0x9e, 0xa1, 0x65, 0xf5, 0xad, 0x55, 0xdd, 0x9c,
+        0xe8
+    };
+
+    static const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
+
+    static const byte pKey1[] = {
+        0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
+        0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
+        0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
+        0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
+        0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
+        0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
+        0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
+        0x80
+    };
+
+    static const byte pKey2[] = {
+        0x43, 0xba, 0x28, 0xf4, 0x30, 0xcd, 0xff, 0x45,
+        0x6a, 0xe5, 0x31, 0x54, 0x5f, 0x7e, 0xcd, 0x0a,
+        0xc8, 0x34, 0xa5, 0x5d, 0x93, 0x58, 0xc0, 0x37,
+        0x2b, 0xfa, 0x0c, 0x6c, 0x67, 0x98, 0xc0, 0x86,
+        0x6a, 0xea, 0x01, 0xeb, 0x00, 0x74, 0x28, 0x02,
+        0xb8, 0x43, 0x8e, 0xa4, 0xcb, 0x82, 0x16, 0x9c,
+        0x23, 0x51, 0x60, 0x62, 0x7b, 0x4c, 0x3a, 0x94,
+        0x80
+    };
+
+    static const byte pKey3[] = {
+        0x3b, 0xa1, 0x6d, 0xa0, 0xc6, 0xf2, 0xcc, 0x1f,
+        0x30, 0x18, 0x77, 0x40, 0x75, 0x6f, 0x5e, 0x79,
+        0x8d, 0x6b, 0xc5, 0xfc, 0x01, 0x5d, 0x7c, 0x63,
+        0xcc, 0x95, 0x10, 0xee, 0x3f, 0xd4, 0x4a, 0xdc,
+        0x24, 0xd8, 0xe9, 0x68, 0xb6, 0xe4, 0x6e, 0x6f,
+        0x94, 0xd1, 0x9b, 0x94, 0x53, 0x61, 0x72, 0x6b,
+        0xd7, 0x5e, 0x14, 0x9e, 0xf0, 0x98, 0x17, 0xf5,
+        0x80
+    };
+
+    /* uncompressed test */
+    static const byte pKey4[] = {
+        0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
+        0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
+        0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
+        0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
+        0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
+        0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
+        0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
+        0x80
+    };
+
+    /* compressed prefix */
+    static const byte pKey5[] = {
+        0x5f, 0xd7, 0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd,
+        0x2c, 0xe7, 0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a,
+        0x1d, 0xa1, 0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f,
+        0x8a, 0x0e, 0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78,
+        0xed, 0xf1, 0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06,
+        0x1b, 0xd6, 0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c,
+        0xd1, 0xfa, 0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61,
+        0x80
+    };
+
+    static const byte pKey6[] = {
+        0xa8, 0x1b, 0x2e, 0x8a, 0x70, 0xa5, 0xac, 0x94,
+        0xff, 0xdb, 0xcc, 0x9b, 0xad, 0xfc, 0x3f, 0xeb,
+        0x08, 0x01, 0xf2, 0x58, 0x57, 0x8b, 0xb1, 0x14,
+        0xad, 0x44, 0xec, 0xe1, 0xec, 0x0e, 0x79, 0x9d,
+        0xa0, 0x8e, 0xff, 0xb8, 0x1c, 0x5d, 0x68, 0x5c,
+        0x0c, 0x56, 0xf6, 0x4e, 0xec, 0xae, 0xf8, 0xcd,
+        0xf1, 0x1c, 0xc3, 0x87, 0x37, 0x83, 0x8c, 0xf4,
+        0x00
+    };
+
+    static const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
+    static const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
+                            sizeof(pKey4), sizeof(pKey5), sizeof(pKey6)};
+
+    static const byte sig1[] = {
+        0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
+        0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
+        0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
+        0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
+        0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
+        0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
+        0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
+        0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
+        0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
+        0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
+        0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
+        0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
+        0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
+        0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
+        0x26, 0x00
+    };
+
+    static const byte sig2[] = {
+        0x26, 0xb8, 0xf9, 0x17, 0x27, 0xbd, 0x62, 0x89,
+        0x7a, 0xf1, 0x5e, 0x41, 0xeb, 0x43, 0xc3, 0x77,
+        0xef, 0xb9, 0xc6, 0x10, 0xd4, 0x8f, 0x23, 0x35,
+        0xcb, 0x0b, 0xd0, 0x08, 0x78, 0x10, 0xf4, 0x35,
+        0x25, 0x41, 0xb1, 0x43, 0xc4, 0xb9, 0x81, 0xb7,
+        0xe1, 0x8f, 0x62, 0xde, 0x8c, 0xcd, 0xf6, 0x33,
+        0xfc, 0x1b, 0xf0, 0x37, 0xab, 0x7c, 0xd7, 0x79,
+        0x80, 0x5e, 0x0d, 0xbc, 0xc0, 0xaa, 0xe1, 0xcb,
+        0xce, 0xe1, 0xaf, 0xb2, 0xe0, 0x27, 0xdf, 0x36,
+        0xbc, 0x04, 0xdc, 0xec, 0xbf, 0x15, 0x43, 0x36,
+        0xc1, 0x9f, 0x0a, 0xf7, 0xe0, 0xa6, 0x47, 0x29,
+        0x05, 0xe7, 0x99, 0xf1, 0x95, 0x3d, 0x2a, 0x0f,
+        0xf3, 0x34, 0x8a, 0xb2, 0x1a, 0xa4, 0xad, 0xaf,
+        0xd1, 0xd2, 0x34, 0x44, 0x1c, 0xf8, 0x07, 0xc0,
+        0x3a, 0x00
+    };
+
+    static const byte sig3[] = {
+        0x7e, 0xee, 0xab, 0x7c, 0x4e, 0x50, 0xfb, 0x79,
+        0x9b, 0x41, 0x8e, 0xe5, 0xe3, 0x19, 0x7f, 0xf6,
+        0xbf, 0x15, 0xd4, 0x3a, 0x14, 0xc3, 0x43, 0x89,
+        0xb5, 0x9d, 0xd1, 0xa7, 0xb1, 0xb8, 0x5b, 0x4a,
+        0xe9, 0x04, 0x38, 0xac, 0xa6, 0x34, 0xbe, 0xa4,
+        0x5e, 0x3a, 0x26, 0x95, 0xf1, 0x27, 0x0f, 0x07,
+        0xfd, 0xcd, 0xf7, 0xc6, 0x2b, 0x8e, 0xfe, 0xaf,
+        0x00, 0xb4, 0x5c, 0x2c, 0x96, 0xba, 0x45, 0x7e,
+        0xb1, 0xa8, 0xbf, 0x07, 0x5a, 0x3d, 0xb2, 0x8e,
+        0x5c, 0x24, 0xf6, 0xb9, 0x23, 0xed, 0x4a, 0xd7,
+        0x47, 0xc3, 0xc9, 0xe0, 0x3c, 0x70, 0x79, 0xef,
+        0xb8, 0x7c, 0xb1, 0x10, 0xd3, 0xa9, 0x98, 0x61,
+        0xe7, 0x20, 0x03, 0xcb, 0xae, 0x6d, 0x6b, 0x8b,
+        0x82, 0x7e, 0x4e, 0x6c, 0x14, 0x30, 0x64, 0xff,
+        0x3c, 0x00
+    };
+
+    /* uncompressed test */
+    static const byte sig4[] = {
+        0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
+        0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
+        0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
+        0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
+        0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
+        0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
+        0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
+        0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
+        0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
+        0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
+        0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
+        0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
+        0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
+        0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
+        0x26, 0x00
+    };
+
+    /* compressed prefix */
+    static const byte sig5[] = {
+        0x53, 0x3a, 0x37, 0xf6, 0xbb, 0xe4, 0x57, 0x25,
+        0x1f, 0x02, 0x3c, 0x0d, 0x88, 0xf9, 0x76, 0xae,
+        0x2d, 0xfb, 0x50, 0x4a, 0x84, 0x3e, 0x34, 0xd2,
+        0x07, 0x4f, 0xd8, 0x23, 0xd4, 0x1a, 0x59, 0x1f,
+        0x2b, 0x23, 0x3f, 0x03, 0x4f, 0x62, 0x82, 0x81,
+        0xf2, 0xfd, 0x7a, 0x22, 0xdd, 0xd4, 0x7d, 0x78,
+        0x28, 0xc5, 0x9b, 0xd0, 0xa2, 0x1b, 0xfd, 0x39,
+        0x80, 0xff, 0x0d, 0x20, 0x28, 0xd4, 0xb1, 0x8a,
+        0x9d, 0xf6, 0x3e, 0x00, 0x6c, 0x5d, 0x1c, 0x2d,
+        0x34, 0x5b, 0x92, 0x5d, 0x8d, 0xc0, 0x0b, 0x41,
+        0x04, 0x85, 0x2d, 0xb9, 0x9a, 0xc5, 0xc7, 0xcd,
+        0xda, 0x85, 0x30, 0xa1, 0x13, 0xa0, 0xf4, 0xdb,
+        0xb6, 0x11, 0x49, 0xf0, 0x5a, 0x73, 0x63, 0x26,
+        0x8c, 0x71, 0xd9, 0x58, 0x08, 0xff, 0x2e, 0x65,
+        0x26, 0x00
+    };
+
+    static const byte sig6[] = {
+        0xe3, 0x01, 0x34, 0x5a, 0x41, 0xa3, 0x9a, 0x4d,
+        0x72, 0xff, 0xf8, 0xdf, 0x69, 0xc9, 0x80, 0x75,
+        0xa0, 0xcc, 0x08, 0x2b, 0x80, 0x2f, 0xc9, 0xb2,
+        0xb6, 0xbc, 0x50, 0x3f, 0x92, 0x6b, 0x65, 0xbd,
+        0xdf, 0x7f, 0x4c, 0x8f, 0x1c, 0xb4, 0x9f, 0x63,
+        0x96, 0xaf, 0xc8, 0xa7, 0x0a, 0xbe, 0x6d, 0x8a,
+        0xef, 0x0d, 0xb4, 0x78, 0xd4, 0xc6, 0xb2, 0x97,
+        0x00, 0x76, 0xc6, 0xa0, 0x48, 0x4f, 0xe7, 0x6d,
+        0x76, 0xb3, 0xa9, 0x76, 0x25, 0xd7, 0x9f, 0x1c,
+        0xe2, 0x40, 0xe7, 0xc5, 0x76, 0x75, 0x0d, 0x29,
+        0x55, 0x28, 0x28, 0x6f, 0x71, 0x9b, 0x41, 0x3d,
+        0xe9, 0xad, 0xa3, 0xe8, 0xeb, 0x78, 0xed, 0x57,
+        0x36, 0x03, 0xce, 0x30, 0xd8, 0xbb, 0x76, 0x17,
+        0x85, 0xdc, 0x30, 0xdb, 0xc3, 0x20, 0x86, 0x9e,
+        0x1a, 0x00
+    };
+
+    static const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
+
+    static const byte msg1[]  = { };
+    static const byte msg2[]  = { 0x03 };
+    static const byte msg3[]  = { 0x64, 0xa6, 0x5f, 0x3c, 0xde, 0xdc, 0xdd,
+                                  0x66, 0x81, 0x1e, 0x29, 0x15 };
+
+    /* test of a 1023 byte long message */
+    static const byte msg4[]  = {
+        0x6d, 0xdf, 0x80, 0x2e, 0x1a, 0xae, 0x49, 0x86,
+        0x93, 0x5f, 0x7f, 0x98, 0x1b, 0xa3, 0xf0, 0x35,
+        0x1d, 0x62, 0x73, 0xc0, 0xa0, 0xc2, 0x2c, 0x9c,
+        0x0e, 0x83, 0x39, 0x16, 0x8e, 0x67, 0x54, 0x12,
+        0xa3, 0xde, 0xbf, 0xaf, 0x43, 0x5e, 0xd6, 0x51,
+        0x55, 0x80, 0x07, 0xdb, 0x43, 0x84, 0xb6, 0x50,
+        0xfc, 0xc0, 0x7e, 0x3b, 0x58, 0x6a, 0x27, 0xa4,
+        0xf7, 0xa0, 0x0a, 0xc8, 0xa6, 0xfe, 0xc2, 0xcd,
+        0x86, 0xae, 0x4b, 0xf1, 0x57, 0x0c, 0x41, 0xe6,
+        0xa4, 0x0c, 0x93, 0x1d, 0xb2, 0x7b, 0x2f, 0xaa,
+        0x15, 0xa8, 0xce, 0xdd, 0x52, 0xcf, 0xf7, 0x36,
+        0x2c, 0x4e, 0x6e, 0x23, 0xda, 0xec, 0x0f, 0xbc,
+        0x3a, 0x79, 0xb6, 0x80, 0x6e, 0x31, 0x6e, 0xfc,
+        0xc7, 0xb6, 0x81, 0x19, 0xbf, 0x46, 0xbc, 0x76,
+        0xa2, 0x60, 0x67, 0xa5, 0x3f, 0x29, 0x6d, 0xaf,
+        0xdb, 0xdc, 0x11, 0xc7, 0x7f, 0x77, 0x77, 0xe9,
+        0x72, 0x66, 0x0c, 0xf4, 0xb6, 0xa9, 0xb3, 0x69,
+        0xa6, 0x66, 0x5f, 0x02, 0xe0, 0xcc, 0x9b, 0x6e,
+        0xdf, 0xad, 0x13, 0x6b, 0x4f, 0xab, 0xe7, 0x23,
+        0xd2, 0x81, 0x3d, 0xb3, 0x13, 0x6c, 0xfd, 0xe9,
+        0xb6, 0xd0, 0x44, 0x32, 0x2f, 0xee, 0x29, 0x47,
+        0x95, 0x2e, 0x03, 0x1b, 0x73, 0xab, 0x5c, 0x60,
+        0x33, 0x49, 0xb3, 0x07, 0xbd, 0xc2, 0x7b, 0xc6,
+        0xcb, 0x8b, 0x8b, 0xbd, 0x7b, 0xd3, 0x23, 0x21,
+        0x9b, 0x80, 0x33, 0xa5, 0x81, 0xb5, 0x9e, 0xad,
+        0xeb, 0xb0, 0x9b, 0x3c, 0x4f, 0x3d, 0x22, 0x77,
+        0xd4, 0xf0, 0x34, 0x36, 0x24, 0xac, 0xc8, 0x17,
+        0x80, 0x47, 0x28, 0xb2, 0x5a, 0xb7, 0x97, 0x17,
+        0x2b, 0x4c, 0x5c, 0x21, 0xa2, 0x2f, 0x9c, 0x78,
+        0x39, 0xd6, 0x43, 0x00, 0x23, 0x2e, 0xb6, 0x6e,
+        0x53, 0xf3, 0x1c, 0x72, 0x3f, 0xa3, 0x7f, 0xe3,
+        0x87, 0xc7, 0xd3, 0xe5, 0x0b, 0xdf, 0x98, 0x13,
+        0xa3, 0x0e, 0x5b, 0xb1, 0x2c, 0xf4, 0xcd, 0x93,
+        0x0c, 0x40, 0xcf, 0xb4, 0xe1, 0xfc, 0x62, 0x25,
+        0x92, 0xa4, 0x95, 0x88, 0x79, 0x44, 0x94, 0xd5,
+        0x6d, 0x24, 0xea, 0x4b, 0x40, 0xc8, 0x9f, 0xc0,
+        0x59, 0x6c, 0xc9, 0xeb, 0xb9, 0x61, 0xc8, 0xcb,
+        0x10, 0xad, 0xde, 0x97, 0x6a, 0x5d, 0x60, 0x2b,
+        0x1c, 0x3f, 0x85, 0xb9, 0xb9, 0xa0, 0x01, 0xed,
+        0x3c, 0x6a, 0x4d, 0x3b, 0x14, 0x37, 0xf5, 0x20,
+        0x96, 0xcd, 0x19, 0x56, 0xd0, 0x42, 0xa5, 0x97,
+        0xd5, 0x61, 0xa5, 0x96, 0xec, 0xd3, 0xd1, 0x73,
+        0x5a, 0x8d, 0x57, 0x0e, 0xa0, 0xec, 0x27, 0x22,
+        0x5a, 0x2c, 0x4a, 0xaf, 0xf2, 0x63, 0x06, 0xd1,
+        0x52, 0x6c, 0x1a, 0xf3, 0xca, 0x6d, 0x9c, 0xf5,
+        0xa2, 0xc9, 0x8f, 0x47, 0xe1, 0xc4, 0x6d, 0xb9,
+        0xa3, 0x32, 0x34, 0xcf, 0xd4, 0xd8, 0x1f, 0x2c,
+        0x98, 0x53, 0x8a, 0x09, 0xeb, 0xe7, 0x69, 0x98,
+        0xd0, 0xd8, 0xfd, 0x25, 0x99, 0x7c, 0x7d, 0x25,
+        0x5c, 0x6d, 0x66, 0xec, 0xe6, 0xfa, 0x56, 0xf1,
+        0x11, 0x44, 0x95, 0x0f, 0x02, 0x77, 0x95, 0xe6,
+        0x53, 0x00, 0x8f, 0x4b, 0xd7, 0xca, 0x2d, 0xee,
+        0x85, 0xd8, 0xe9, 0x0f, 0x3d, 0xc3, 0x15, 0x13,
+        0x0c, 0xe2, 0xa0, 0x03, 0x75, 0xa3, 0x18, 0xc7,
+        0xc3, 0xd9, 0x7b, 0xe2, 0xc8, 0xce, 0x5b, 0x6d,
+        0xb4, 0x1a, 0x62, 0x54, 0xff, 0x26, 0x4f, 0xa6,
+        0x15, 0x5b, 0xae, 0xe3, 0xb0, 0x77, 0x3c, 0x0f,
+        0x49, 0x7c, 0x57, 0x3f, 0x19, 0xbb, 0x4f, 0x42,
+        0x40, 0x28, 0x1f, 0x0b, 0x1f, 0x4f, 0x7b, 0xe8,
+        0x57, 0xa4, 0xe5, 0x9d, 0x41, 0x6c, 0x06, 0xb4,
+        0xc5, 0x0f, 0xa0, 0x9e, 0x18, 0x10, 0xdd, 0xc6,
+        0xb1, 0x46, 0x7b, 0xae, 0xac, 0x5a, 0x36, 0x68,
+        0xd1, 0x1b, 0x6e, 0xca, 0xa9, 0x01, 0x44, 0x00,
+        0x16, 0xf3, 0x89, 0xf8, 0x0a, 0xcc, 0x4d, 0xb9,
+        0x77, 0x02, 0x5e, 0x7f, 0x59, 0x24, 0x38, 0x8c,
+        0x7e, 0x34, 0x0a, 0x73, 0x2e, 0x55, 0x44, 0x40,
+        0xe7, 0x65, 0x70, 0xf8, 0xdd, 0x71, 0xb7, 0xd6,
+        0x40, 0xb3, 0x45, 0x0d, 0x1f, 0xd5, 0xf0, 0x41,
+        0x0a, 0x18, 0xf9, 0xa3, 0x49, 0x4f, 0x70, 0x7c,
+        0x71, 0x7b, 0x79, 0xb4, 0xbf, 0x75, 0xc9, 0x84,
+        0x00, 0xb0, 0x96, 0xb2, 0x16, 0x53, 0xb5, 0xd2,
+        0x17, 0xcf, 0x35, 0x65, 0xc9, 0x59, 0x74, 0x56,
+        0xf7, 0x07, 0x03, 0x49, 0x7a, 0x07, 0x87, 0x63,
+        0x82, 0x9b, 0xc0, 0x1b, 0xb1, 0xcb, 0xc8, 0xfa,
+        0x04, 0xea, 0xdc, 0x9a, 0x6e, 0x3f, 0x66, 0x99,
+        0x58, 0x7a, 0x9e, 0x75, 0xc9, 0x4e, 0x5b, 0xab,
+        0x00, 0x36, 0xe0, 0xb2, 0xe7, 0x11, 0x39, 0x2c,
+        0xff, 0x00, 0x47, 0xd0, 0xd6, 0xb0, 0x5b, 0xd2,
+        0xa5, 0x88, 0xbc, 0x10, 0x97, 0x18, 0x95, 0x42,
+        0x59, 0xf1, 0xd8, 0x66, 0x78, 0xa5, 0x79, 0xa3,
+        0x12, 0x0f, 0x19, 0xcf, 0xb2, 0x96, 0x3f, 0x17,
+        0x7a, 0xeb, 0x70, 0xf2, 0xd4, 0x84, 0x48, 0x26,
+        0x26, 0x2e, 0x51, 0xb8, 0x02, 0x71, 0x27, 0x20,
+        0x68, 0xef, 0x5b, 0x38, 0x56, 0xfa, 0x85, 0x35,
+        0xaa, 0x2a, 0x88, 0xb2, 0xd4, 0x1f, 0x2a, 0x0e,
+        0x2f, 0xda, 0x76, 0x24, 0xc2, 0x85, 0x02, 0x72,
+        0xac, 0x4a, 0x2f, 0x56, 0x1f, 0x8f, 0x2f, 0x7a,
+        0x31, 0x8b, 0xfd, 0x5c, 0xaf, 0x96, 0x96, 0x14,
+        0x9e, 0x4a, 0xc8, 0x24, 0xad, 0x34, 0x60, 0x53,
+        0x8f, 0xdc, 0x25, 0x42, 0x1b, 0xee, 0xc2, 0xcc,
+        0x68, 0x18, 0x16, 0x2d, 0x06, 0xbb, 0xed, 0x0c,
+        0x40, 0xa3, 0x87, 0x19, 0x23, 0x49, 0xdb, 0x67,
+        0xa1, 0x18, 0xba, 0xda, 0x6c, 0xd5, 0xab, 0x01,
+        0x40, 0xee, 0x27, 0x32, 0x04, 0xf6, 0x28, 0xaa,
+        0xd1, 0xc1, 0x35, 0xf7, 0x70, 0x27, 0x9a, 0x65,
+        0x1e, 0x24, 0xd8, 0xc1, 0x4d, 0x75, 0xa6, 0x05,
+        0x9d, 0x76, 0xb9, 0x6a, 0x6f, 0xd8, 0x57, 0xde,
+        0xf5, 0xe0, 0xb3, 0x54, 0xb2, 0x7a, 0xb9, 0x37,
+        0xa5, 0x81, 0x5d, 0x16, 0xb5, 0xfa, 0xe4, 0x07,
+        0xff, 0x18, 0x22, 0x2c, 0x6d, 0x1e, 0xd2, 0x63,
+        0xbe, 0x68, 0xc9, 0x5f, 0x32, 0xd9, 0x08, 0xbd,
+        0x89, 0x5c, 0xd7, 0x62, 0x07, 0xae, 0x72, 0x64,
+        0x87, 0x56, 0x7f, 0x9a, 0x67, 0xda, 0xd7, 0x9a,
+        0xbe, 0xc3, 0x16, 0xf6, 0x83, 0xb1, 0x7f, 0x2d,
+        0x02, 0xbf, 0x07, 0xe0, 0xac, 0x8b, 0x5b, 0xc6,
+        0x16, 0x2c, 0xf9, 0x46, 0x97, 0xb3, 0xc2, 0x7c,
+        0xd1, 0xfe, 0xa4, 0x9b, 0x27, 0xf2, 0x3b, 0xa2,
+        0x90, 0x18, 0x71, 0x96, 0x25, 0x06, 0x52, 0x0c,
+        0x39, 0x2d, 0xa8, 0xb6, 0xad, 0x0d, 0x99, 0xf7,
+        0x01, 0x3f, 0xbc, 0x06, 0xc2, 0xc1, 0x7a, 0x56,
+        0x95, 0x00, 0xc8, 0xa7, 0x69, 0x64, 0x81, 0xc1,
+        0xcd, 0x33, 0xe9, 0xb1, 0x4e, 0x40, 0xb8, 0x2e,
+        0x79, 0xa5, 0xf5, 0xdb, 0x82, 0x57, 0x1b, 0xa9,
+        0x7b, 0xae, 0x3a, 0xd3, 0xe0, 0x47, 0x95, 0x15,
+        0xbb, 0x0e, 0x2b, 0x0f, 0x3b, 0xfc, 0xd1, 0xfd,
+        0x33, 0x03, 0x4e, 0xfc, 0x62, 0x45, 0xed, 0xdd,
+        0x7e, 0xe2, 0x08, 0x6d, 0xda, 0xe2, 0x60, 0x0d,
+        0x8c, 0xa7, 0x3e, 0x21, 0x4e, 0x8c, 0x2b, 0x0b,
+        0xdb, 0x2b, 0x04, 0x7c, 0x6a, 0x46, 0x4a, 0x56,
+        0x2e, 0xd7, 0x7b, 0x73, 0xd2, 0xd8, 0x41, 0xc4,
+        0xb3, 0x49, 0x73, 0x55, 0x12, 0x57, 0x71, 0x3b,
+        0x75, 0x36, 0x32, 0xef, 0xba, 0x34, 0x81, 0x69,
+        0xab, 0xc9, 0x0a, 0x68, 0xf4, 0x26, 0x11, 0xa4,
+        0x01, 0x26, 0xd7, 0xcb, 0x21, 0xb5, 0x86, 0x95,
+        0x56, 0x81, 0x86, 0xf7, 0xe5, 0x69, 0xd2, 0xff,
+        0x0f, 0x9e, 0x74, 0x5d, 0x04, 0x87, 0xdd, 0x2e,
+        0xb9, 0x97, 0xca, 0xfc, 0x5a, 0xbf, 0x9d, 0xd1,
+        0x02, 0xe6, 0x2f, 0xf6, 0x6c, 0xba, 0x87
+    };
+
+    static const byte* msgs[] =   {msg1, msg2, msg3, msg1, msg1, msg4};
+    static const word16 msgSz[] = {0 /*sizeof(msg1)*/,
+                                   sizeof(msg2),
+                                   sizeof(msg3),
+                                   0 /*sizeof(msg1)*/,
+                                   0 /*sizeof(msg1)*/,
+                                   sizeof(msg4)
+    };
+#ifndef NO_ASN
+    static byte privateEd448[] = {
+        0x30, 0x47, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+        0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04, 0x39,
+        0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d, 0x10,
+        0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e, 0xbf,
+        0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c, 0x9f,
+        0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48, 0xa3,
+        0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04, 0x4e,
+        0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f, 0x8f,
+        0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98, 0xf9,
+        0x5b
+    };
+    static byte publicEd448[] = {
+        0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+        0x71, 0x03, 0x3a, 0x00, 0x5f, 0xd7, 0x44, 0x9b,
+        0x59, 0xb4, 0x61, 0xfd, 0x2c, 0xe7, 0x87, 0xec,
+        0x61, 0x6a, 0xd4, 0x6a, 0x1d, 0xa1, 0x34, 0x24,
+        0x85, 0xa7, 0x0e, 0x1f, 0x8a, 0x0e, 0xa7, 0x5d,
+        0x80, 0xe9, 0x67, 0x78, 0xed, 0xf1, 0x24, 0x76,
+        0x9b, 0x46, 0xc7, 0x06, 0x1b, 0xd6, 0x78, 0x3d,
+        0xf1, 0xe5, 0x0f, 0x6c, 0xd1, 0xfa, 0x1a, 0xbe,
+        0xaf, 0xe8, 0x25, 0x61, 0x80
+    };
+    static byte privPubEd448[] = {
+        0x30, 0x81, 0x84, 0x02, 0x01, 0x00, 0x30, 0x05,
+        0x06, 0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04,
+        0x39, 0x6c, 0x82, 0xa5, 0x62, 0xcb, 0x80, 0x8d,
+        0x10, 0xd6, 0x32, 0xbe, 0x89, 0xc8, 0x51, 0x3e,
+        0xbf, 0x6c, 0x92, 0x9f, 0x34, 0xdd, 0xfa, 0x8c,
+        0x9f, 0x63, 0xc9, 0x96, 0x0e, 0xf6, 0xe3, 0x48,
+        0xa3, 0x52, 0x8c, 0x8a, 0x3f, 0xcc, 0x2f, 0x04,
+        0x4e, 0x39, 0xa3, 0xfc, 0x5b, 0x94, 0x49, 0x2f,
+        0x8f, 0x03, 0x2e, 0x75, 0x49, 0xa2, 0x00, 0x98,
+        0xf9, 0x5b, 0xa1, 0x3b, 0x04, 0x39, 0x5f, 0xd7,
+        0x44, 0x9b, 0x59, 0xb4, 0x61, 0xfd, 0x2c, 0xe7,
+        0x87, 0xec, 0x61, 0x6a, 0xd4, 0x6a, 0x1d, 0xa1,
+        0x34, 0x24, 0x85, 0xa7, 0x0e, 0x1f, 0x8a, 0x0e,
+        0xa7, 0x5d, 0x80, 0xe9, 0x67, 0x78, 0xed, 0xf1,
+        0x24, 0x76, 0x9b, 0x46, 0xc7, 0x06, 0x1b, 0xd6,
+        0x78, 0x3d, 0xf1, 0xe5, 0x0f, 0x6c, 0xd1, 0xfa,
+        0x1a, 0xbe, 0xaf, 0xe8, 0x25, 0x61, 0x80
+    };
+
+    word32 idx;
+    ed448_key key3;
+#endif /* NO_ASN */
+#endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
+
+    /* create ed448 keys */
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        return -11300;
+
+    wc_ed448_init(&key);
+    wc_ed448_init(&key2);
+#ifndef NO_ASN
+    wc_ed448_init(&key3);
+#endif
+    wc_ed448_make_key(&rng, ED448_KEY_SIZE, &key);
+    wc_ed448_make_key(&rng, ED448_KEY_SIZE, &key2);
+
+    /* helper functions for signature and key size */
+    keySz = wc_ed448_size(&key);
+    sigSz = wc_ed448_sig_size(&key);
+
+#if defined(HAVE_ED448_SIGN) && defined(HAVE_ED448_KEY_EXPORT) &&\
+        defined(HAVE_ED448_KEY_IMPORT)
+    for (i = 0; i < 6; i++) {
+        outlen = sizeof(out);
+        XMEMSET(out, 0, sizeof(out));
+
+        if (wc_ed448_import_private_key(sKeys[i], ED448_KEY_SIZE, pKeys[i],
+                pKeySz[i], &key) != 0)
+            return -11301 - i;
+
+        if (wc_ed448_sign_msg(msgs[i], msgSz[i], out, &outlen, &key, NULL,
+                                                                      0) != 0) {
+            return -11311 - i;
+        }
+
+        if (XMEMCMP(out, sigs[i], 114))
+            return -11321 - i;
+
+#if defined(HAVE_ED448_VERIFY)
+        /* test verify on good msg */
+        if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, &key,
+                                                 NULL, 0) != 0 || verify != 1) {
+            return -11331 - i;
+        }
+
+        /* test verify on bad msg */
+        out[outlen-2] = out[outlen-2] + 1;
+        if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, &key,
+                                                 NULL, 0) == 0 || verify == 1) {
+            return -11341 - i;
+        }
+#endif /* HAVE_ED448_VERIFY */
+
+        /* test api for import/exporting keys */
+        exportPSz = sizeof(exportPKey);
+        exportSSz = sizeof(exportSKey);
+        if (wc_ed448_export_public(&key, exportPKey, &exportPSz) != 0)
+            return -11351 - i;
+
+        if (wc_ed448_import_public(exportPKey, exportPSz, &key2) != 0)
+            return -11361 - i;
+
+        if (wc_ed448_export_private_only(&key, exportSKey, &exportSSz) != 0)
+            return -11371 - i;
+
+        if (wc_ed448_import_private_key(exportSKey, exportSSz,
+                                        exportPKey, exportPSz, &key2) != 0)
+            return -11381 - i;
+
+        /* clear "out" buffer and test sign with imported keys */
+        outlen = sizeof(out);
+        XMEMSET(out, 0, sizeof(out));
+        if (wc_ed448_sign_msg(msgs[i], msgSz[i], out, &outlen, &key2, NULL,
+                                                                      0) != 0) {
+            return -11391 - i;
+        }
+
+#if defined(HAVE_ED448_VERIFY)
+        if (wc_ed448_verify_msg(out, outlen, msgs[i], msgSz[i], &verify, &key2,
+                                NULL, 0) != 0 || verify != 1)
+            return -11401 - i;
+
+        if (XMEMCMP(out, sigs[i], sizeof(sigs[i])))
+            return -11411 - i;
+#endif /* HAVE_ED448_VERIFY */
+    }
+
+    ret = ed448_ctx_test();
+    if (ret != 0)
+        return ret;
+
+    ret = ed448ph_test();
+    if (ret != 0)
+        return ret;
+
+#ifndef NO_ASN
+    /* Try ASN.1 encoded private-only key and public key. */
+    idx = 0;
+    if (wc_Ed448PrivateKeyDecode(privateEd448, &idx, &key3,
+                                 sizeof(privateEd448)) != 0)
+        return -11421 - i;
+
+    if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3, NULL, 0)
+                != BAD_FUNC_ARG)
+        return -11431 - i;
+
+    idx = 0;
+    if (wc_Ed448PublicKeyDecode(publicEd448, &idx, &key3,
+                                sizeof(publicEd448)) != 0)
+        return -11441 - i;
+
+    if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3, NULL, 0) != 0)
+        return -11451 - i;
+
+    if (XMEMCMP(out, sigs[0], sizeof(sigs[0])))
+        return -11461 - i;
+
+#if defined(HAVE_ED448_VERIFY)
+    /* test verify on good msg */
+    if (wc_ed448_verify_msg(out, outlen, msgs[0], msgSz[0], &verify, &key3,
+                NULL, 0) != 0 || verify != 1)
+        return -11471 - i;
+#endif /* HAVE_ED448_VERIFY */
+
+    wc_ed448_free(&key3);
+    wc_ed448_init(&key3);
+
+    idx = 0;
+    if (wc_Ed448PrivateKeyDecode(privPubEd448, &idx, &key3,
+                                 sizeof(privPubEd448)) != 0)
+        return -11481 - i;
+
+    if (wc_ed448_sign_msg(msgs[0], msgSz[0], out, &outlen, &key3, NULL, 0) != 0)
+        return -11491 - i;
+
+    if (XMEMCMP(out, sigs[0], sizeof(sigs[0])))
+        return -11501 - i;
+
+    wc_ed448_free(&key3);
+#endif /* NO_ASN */
+#endif /* HAVE_ED448_SIGN && HAVE_ED448_KEY_EXPORT && HAVE_ED448_KEY_IMPORT */
+
+    /* clean up keys when done */
+    wc_ed448_free(&key);
+    wc_ed448_free(&key2);
+
+#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+    wc_FreeRng(&rng);
+#endif
+
+    /* hush warnings of unused keySz and sigSz */
+    (void)keySz;
+    (void)sigSz;
+
+#ifdef WOLFSSL_TEST_CERT
+    ret = ed448_test_cert();
+    if (ret < 0)
+        return ret;
+#ifdef WOLFSSL_CERT_GEN
+    ret = ed448_test_make_cert();
+    if (ret < 0)
+        return ret;
+#endif /* WOLFSSL_CERT_GEN */
+#endif /* WOLFSSL_TEST_CERT */
+
+    return 0;
+}
+#endif /* HAVE_ED448 */
+
+#if defined(WOLFSSL_CMAC) && !defined(NO_AES)
+
+typedef struct CMAC_Test_Case {
+    int type;
+    int partial;
+    const byte* m;
+    word32 mSz;
+    const byte* k;
+    word32 kSz;
+    const byte* t;
+    word32 tSz;
+} CMAC_Test_Case;
+
+int cmac_test(void)
+{
+#ifdef WOLFSSL_AES_128
+    const byte k128[] =
+    {
+        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+    };
+    #define KLEN_128 (sizeof(k128))
+#endif
+#ifdef WOLFSSL_AES_192
+    const byte k192[] =
+    {
+        0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
+        0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
+        0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
+    };
+    #define KLEN_192 (sizeof(k192))
+#endif
+#ifdef WOLFSSL_AES_256
+    const byte k256[] =
+    {
+        0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
+        0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
+        0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
+        0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
+    };
+    #define KLEN_256 (sizeof(k256))
+#endif
+
+    const byte m[] =
+    {
+        0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+        0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+        0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+        0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+        0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+        0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+        0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+        0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
+    };
+    #define MLEN_0 (0)
+    #define MLEN_128 (128/8)
+    #define MLEN_320 (320/8)
+    #define MLEN_319 (MLEN_320 - 1)
+    #define MLEN_512 (512/8)
+
+#ifdef WOLFSSL_AES_128
+    const byte t128_0[] =
+    {
+        0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+        0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
+    };
+    const byte t128_128[] =
+    {
+        0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+        0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
+    };
+    const byte t128_319[] =
+    {
+        0x2c, 0x17, 0x84, 0x4c, 0x93, 0x1c, 0x07, 0x95,
+        0x15, 0x92, 0x73, 0x0a, 0x34, 0xd0, 0xd9, 0xd2
+    };
+    const byte t128_320[] =
+    {
+        0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
+        0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
+    };
+    const byte t128_512[] =
+    {
+        0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+        0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
+    };
+#endif
+#ifdef WOLFSSL_AES_192
+    const byte t192_0[] =
+    {
+        0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
+        0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
+    };
+    const byte t192_128[] =
+    {
+        0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
+        0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
+    };
+    const byte t192_320[] =
+    {
+        0x8a, 0x1d, 0xe5, 0xbe, 0x2e, 0xb3, 0x1a, 0xad,
+        0x08, 0x9a, 0x82, 0xe6, 0xee, 0x90, 0x8b, 0x0e
+    };
+    const byte t192_512[] =
+    {
+        0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
+        0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
+    };
+#endif
+#ifdef WOLFSSL_AES_256
+    const byte t256_0[] =
+    {
+        0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
+        0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
+    };
+    const byte t256_128[] =
+    {
+        0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
+        0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
+    };
+    const byte t256_320[] =
+    {
+        0xaa, 0xf3, 0xd8, 0xf1, 0xde, 0x56, 0x40, 0xc2,
+        0x32, 0xf5, 0xb1, 0x69, 0xb9, 0xc9, 0x11, 0xe6
+    };
+    const byte t256_512[] =
+    {
+        0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
+        0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
+    };
+#endif
+    const CMAC_Test_Case testCases[] =
+    {
+#ifdef WOLFSSL_AES_128
+        {WC_CMAC_AES, 0, m, MLEN_0, k128, KLEN_128, t128_0, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_128, k128, KLEN_128, t128_128, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_320, k128, KLEN_128, t128_320, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_512, k128, KLEN_128, t128_512, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 5, m, MLEN_512, k128, KLEN_128, t128_512, AES_BLOCK_SIZE},
+#endif
+#ifdef WOLFSSL_AES_192
+        {WC_CMAC_AES, 0, m, MLEN_0, k192, KLEN_192, t192_0, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_128, k192, KLEN_192, t192_128, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_320, k192, KLEN_192, t192_320, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_512, k192, KLEN_192, t192_512, AES_BLOCK_SIZE},
+#endif
+#ifdef WOLFSSL_AES_256
+        {WC_CMAC_AES, 0, m, MLEN_0, k256, KLEN_256, t256_0, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_128, k256, KLEN_256, t256_128, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_320, k256, KLEN_256, t256_320, AES_BLOCK_SIZE},
+        {WC_CMAC_AES, 0, m, MLEN_512, k256, KLEN_256, t256_512, AES_BLOCK_SIZE},
+#endif
+#ifdef WOLFSSL_AES_128
+        {WC_CMAC_AES, 0, m, MLEN_319, k128, KLEN_128, t128_319, AES_BLOCK_SIZE}
+#endif
+    };
+
+    Cmac cmac;
+    byte tag[AES_BLOCK_SIZE];
+    const CMAC_Test_Case* tc;
+    word32 i, tagSz;
+
+    for (i = 0, tc = testCases;
+         i < sizeof(testCases)/sizeof(CMAC_Test_Case);
+         i++, tc++) {
+
+        XMEMSET(tag, 0, sizeof(tag));
+        tagSz = AES_BLOCK_SIZE;
+        if (wc_InitCmac(&cmac, tc->k, tc->kSz, tc->type, NULL) != 0)
+            return -11600;
+        if (tc->partial) {
+            if (wc_CmacUpdate(&cmac, tc->m,
+                                 tc->mSz/2 - tc->partial) != 0)
+                return -11601;
+            if (wc_CmacUpdate(&cmac, tc->m + tc->mSz/2 - tc->partial,
+                                 tc->mSz/2 + tc->partial) != 0)
+                return -11602;
+        }
+        else {
+            if (wc_CmacUpdate(&cmac, tc->m, tc->mSz) != 0)
+                return -11603;
+        }
+        if (wc_CmacFinal(&cmac, tag, &tagSz) != 0)
+            return -11604;
+        if (XMEMCMP(tag, tc->t, AES_BLOCK_SIZE) != 0)
+            return -11605;
+
+        XMEMSET(tag, 0, sizeof(tag));
+        tagSz = sizeof(tag);
+        if (wc_AesCmacGenerate(tag, &tagSz, tc->m, tc->mSz,
+                               tc->k, tc->kSz) != 0)
+            return -11606;
+        if (XMEMCMP(tag, tc->t, AES_BLOCK_SIZE) != 0)
+            return -11607;
+        if (wc_AesCmacVerify(tc->t, tc->tSz, tc->m, tc->mSz,
+                             tc->k, tc->kSz) != 0)
+            return -11608;
+    }
+
+    return 0;
+}
+
+#endif /* NO_AES && WOLFSSL_CMAC */
 
 #ifdef HAVE_LIBZ
 
@@ -5878,37 +23481,228 @@ const byte sample_text[] =
     "swag consectetur et. Irure skateboard banjo, nulla deserunt messenger\n"
     "bag dolor terry richardson sapiente.\n";
 
+const byte sample_text_gz[] = {
+    0x1F, 0x8B, 0x08, 0x08, 0xC5, 0x49, 0xB5, 0x5B, 0x00, 0x03, 0x63, 0x69, 0x70,
+    0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x2E, 0x74, 0x78, 0x74, 0x00, 0x8D,
+    0x58, 0xCB, 0x92, 0xE4, 0xB6, 0x11, 0xBC, 0xE3, 0x2B, 0xEA, 0xA6, 0x83, 0xD9,
+    0x1D, 0x72, 0xF8, 0x22, 0x1F, 0xB5, 0x96, 0xA5, 0xDD, 0x90, 0xBC, 0xAB, 0xD0,
+    0x28, 0x36, 0x42, 0x47, 0x90, 0x2C, 0x36, 0xA1, 0x06, 0x09, 0x0A, 0x8F, 0xEE,
+    0xE1, 0xDF, 0x3B, 0x0B, 0xE0, 0x73, 0x2C, 0x4B, 0xBA, 0xCD, 0xCE, 0x80, 0x78,
+    0x64, 0x65, 0x65, 0x66, 0xED, 0x3B, 0xE3, 0x5A, 0xC3, 0x81, 0x2D, 0x35, 0x69,
+    0x32, 0xAD, 0x8E, 0x3A, 0xD2, 0xA0, 0x7D, 0xA7, 0x2B, 0x6A, 0xAC, 0x69, 0x7A,
+    0x26, 0x9D, 0x22, 0xD3, 0x94, 0x22, 0x69, 0xAA, 0x8D, 0x6F, 0xC9, 0x8D, 0x64,
+    0x22, 0x99, 0xB1, 0x31, 0xAD, 0x69, 0xD3, 0x18, 0x89, 0xAD, 0x89, 0x6A, 0x72,
+    0x56, 0x7B, 0x67, 0xDA, 0x2B, 0xBD, 0xC8, 0xEF, 0xB0, 0x4D, 0x74, 0x8E, 0x5B,
+    0xAA, 0x39, 0x4C, 0xEE, 0xCE, 0xE4, 0x79, 0xF2, 0xDC, 0xF3, 0xD8, 0xB2, 0x37,
+    0x11, 0x8B, 0x8C, 0x2C, 0x7A, 0x32, 0x93, 0xF3, 0x37, 0x3D, 0x9A, 0x86, 0x4C,
+    0xAB, 0xF2, 0xB9, 0x57, 0xFA, 0x97, 0x1B, 0x06, 0xD7, 0x3A, 0x7A, 0xF0, 0x68,
+    0xF4, 0x40, 0xBA, 0x25, 0x0E, 0x81, 0xE9, 0xA6, 0x43, 0xF4, 0x6E, 0x4A, 0xF5,
+    0x95, 0xFE, 0x41, 0x4F, 0x67, 0x3B, 0x1A, 0x1C, 0xEE, 0x12, 0xB4, 0x8F, 0xCE,
+    0x1B, 0x6D, 0xB1, 0xDE, 0xBB, 0x4A, 0x4D, 0x56, 0x9B, 0x96, 0x5A, 0xB6, 0xDC,
+    0xC4, 0x14, 0x70, 0xE5, 0xF5, 0x7D, 0xE1, 0xB7, 0x84, 0x3F, 0xFC, 0xED, 0xEF,
+    0xF4, 0x30, 0x0D, 0x5F, 0xE9, 0x47, 0x17, 0xE2, 0xC5, 0x78, 0x27, 0x67, 0xDF,
+    0xB9, 0xEB, 0xCC, 0xCC, 0x3D, 0x59, 0xBE, 0xDD, 0xCC, 0x78, 0x0B, 0x0A, 0x1F,
+    0x74, 0xF8, 0x8C, 0x1A, 0xAF, 0x67, 0xEA, 0xF4, 0x44, 0xBD, 0x93, 0x7D, 0x2A,
+    0xEA, 0x9C, 0xD7, 0x37, 0x80, 0x32, 0x9A, 0x01, 0x37, 0xD5, 0xDE, 0xCA, 0xA2,
+    0x0D, 0xB9, 0xD0, 0x3B, 0xCF, 0xAD, 0x89, 0x4D, 0x5F, 0xD1, 0xE7, 0xF7, 0x2F,
+    0x2A, 0x0C, 0xDA, 0x5A, 0xAA, 0x35, 0x7E, 0x41, 0xC3, 0xB2, 0x37, 0xDD, 0xDD,
+    0xCD, 0x50, 0xEB, 0x2C, 0x96, 0x62, 0x3B, 0xD7, 0x52, 0xF4, 0xA9, 0xB9, 0x6F,
+    0x48, 0xED, 0xEF, 0x54, 0xEA, 0x67, 0xF6, 0x7E, 0x26, 0x8F, 0x3A, 0x68, 0xDF,
+    0x06, 0xBC, 0x56, 0xB7, 0x66, 0x32, 0xC1, 0x34, 0xD8, 0x88, 0x34, 0x1E, 0x88,
+    0xED, 0x67, 0x8A, 0xF3, 0xC4, 0x4F, 0xC0, 0xCA, 0x9E, 0x62, 0x1A, 0x6A, 0xEB,
+    0xAB, 0x02, 0xED, 0xB3, 0xD7, 0x91, 0x81, 0x8A, 0xEA, 0x5C, 0xF2, 0x64, 0xDD,
+    0xDD, 0xD1, 0xEC, 0x12, 0x4D, 0xDE, 0xD5, 0xBA, 0xC6, 0x77, 0xBD, 0x06, 0xC4,
+    0x5F, 0x44, 0xEA, 0x59, 0x4B, 0x5D, 0x3B, 0x8A, 0x3D, 0x0F, 0xD4, 0x9B, 0x1B,
+    0x80, 0x30, 0x1D, 0x30, 0xFA, 0x8F, 0x00, 0x3F, 0xDE, 0xB0, 0x6F, 0xAD, 0x6F,
+    0x6A, 0xDD, 0x6E, 0x2F, 0x6E, 0xCB, 0x3C, 0xD1, 0x83, 0x06, 0x7B, 0x0F, 0xFD,
+    0xFD, 0x4A, 0xEF, 0xBC, 0x73, 0x77, 0x3B, 0x8F, 0x34, 0xA1, 0xBA, 0xEC, 0x39,
+    0x80, 0x33, 0x21, 0xA4, 0x01, 0x55, 0xD7, 0xD4, 0xF4, 0xC6, 0xDA, 0x27, 0x4E,
+    0x54, 0x1C, 0x2B, 0xEC, 0x37, 0xDE, 0xC3, 0x4C, 0xC9, 0x5A, 0x3D, 0x34, 0x0E,
+    0xD8, 0x1C, 0x0E, 0xA2, 0x34, 0xE8, 0xC1, 0xD0, 0xA4, 0x51, 0xD5, 0x88, 0x8B,
+    0xB7, 0xC6, 0xA3, 0x96, 0x40, 0x49, 0xB7, 0xBC, 0xE0, 0x7F, 0x55, 0x3F, 0xEF,
+    0x6F, 0x6E, 0x92, 0x9D, 0x34, 0xFE, 0x3C, 0x5F, 0x04, 0xA5, 0x6A, 0xFF, 0x30,
+    0x08, 0xC9, 0xEA, 0xF5, 0x52, 0x2B, 0xFE, 0x57, 0xFA, 0x8E, 0xC7, 0xE8, 0x4D,
+    0x37, 0xAB, 0x03, 0xFA, 0x23, 0xBF, 0x46, 0x94, 0xFF, 0xC1, 0x16, 0xE0, 0xB9,
+    0x14, 0x2C, 0x9E, 0x27, 0xEC, 0x98, 0x69, 0x14, 0x92, 0xF1, 0x60, 0x5C, 0x34,
+    0x4D, 0xA0, 0x1F, 0xDF, 0xFD, 0x44, 0x1C, 0x7B, 0xD3, 0x80, 0x70, 0x42, 0x02,
+    0x30, 0x84, 0x5B, 0xE5, 0x59, 0xB7, 0xF3, 0x80, 0xFB, 0x01, 0x33, 0xA9, 0x00,
+    0x37, 0x52, 0xDC, 0xDA, 0xA7, 0x11, 0x85, 0xB7, 0x6E, 0x70, 0xE4, 0xDA, 0x96,
+    0xBA, 0x84, 0x5B, 0x81, 0x43, 0x93, 0xF3, 0xD1, 0xEA, 0xB1, 0xDD, 0xB8, 0x1F,
+    0xA5, 0xCC, 0xEA, 0x50, 0x66, 0x69, 0xA9, 0x8D, 0x8C, 0xA7, 0xA2, 0xF3, 0x38,
+    0x26, 0x43, 0x5E, 0x3F, 0x01, 0xBE, 0x1C, 0x0F, 0x20, 0x7F, 0x75, 0xA8, 0x20,
+    0x80, 0xC4, 0xC3, 0x5C, 0x8B, 0x0D, 0xD4, 0x60, 0x5E, 0xA3, 0x9E, 0xD0, 0xB4,
+    0x4B, 0x4F, 0xE6, 0x13, 0x85, 0x60, 0x42, 0x96, 0xED, 0xAA, 0xDB, 0xE9, 0x99,
+    0xE3, 0x07, 0x0E, 0x61, 0xB3, 0x07, 0xE3, 0xB1, 0xFA, 0xC0, 0x9B, 0xAD, 0xF6,
+    0xE0, 0x26, 0x33, 0xEA, 0xEA, 0x23, 0xCD, 0x1E, 0x9D, 0xE1, 0x87, 0x4B, 0x74,
+    0x97, 0x08, 0x3E, 0xA1, 0x28, 0xEA, 0xB3, 0x19, 0x67, 0x8B, 0x76, 0x9A, 0xA3,
+    0xF6, 0xB9, 0xCF, 0x80, 0x65, 0x97, 0xAE, 0xF4, 0x83, 0x6B, 0xF4, 0x43, 0x20,
+    0xF9, 0x0B, 0xFC, 0x9B, 0xD2, 0x4D, 0x4D, 0xA6, 0xB9, 0xA3, 0x02, 0x55, 0x79,
+    0x18, 0x36, 0x19, 0x5F, 0xC9, 0xEA, 0x5A, 0x76, 0x40, 0xB9, 0xBA, 0x0E, 0x9A,
+    0x44, 0xDF, 0x7C, 0xF8, 0x65, 0x61, 0x5E, 0x81, 0xAB, 0x71, 0xA1, 0x9E, 0x29,
+    0x3C, 0x59, 0xCB, 0x23, 0xA4, 0xF6, 0x60, 0x1A, 0x0D, 0x5B, 0x39, 0xAE, 0xF4,
+    0x6F, 0x59, 0x16, 0x9E, 0x60, 0xD8, 0x56, 0xCF, 0xEA, 0x2C, 0x4C, 0x79, 0xD3,
+    0x5D, 0x51, 0x46, 0xA0, 0x4E, 0xE9, 0xD6, 0xAB, 0x91, 0x43, 0x63, 0x44, 0xD7,
+    0x70, 0xB9, 0x23, 0x98, 0x4F, 0x3D, 0x03, 0x02, 0xF6, 0x81, 0x56, 0xC1, 0x58,
+    0x85, 0x07, 0xA7, 0x2D, 0x2C, 0x29, 0xCA, 0x01, 0x45, 0x31, 0x51, 0x8F, 0xD4,
+    0x19, 0xA1, 0x79, 0x88, 0x5A, 0xA4, 0xF5, 0xAE, 0x2D, 0x4B, 0x63, 0x4C, 0x58,
+    0xFE, 0xBF, 0xAD, 0xEE, 0xA3, 0x09, 0xF8, 0xE2, 0x89, 0xBE, 0x81, 0x0E, 0x86,
+    0x3A, 0xF9, 0x5B, 0xA5, 0xD8, 0xA4, 0x00, 0x75, 0x04, 0xF2, 0x23, 0xB8, 0x39,
+    0x69, 0x50, 0xB7, 0xD0, 0x34, 0x63, 0x54, 0xD8, 0x61, 0xDD, 0xA5, 0x33, 0x47,
+    0x85, 0x96, 0x22, 0xD0, 0x2F, 0x9F, 0x7E, 0xF8, 0x74, 0x24, 0xEA, 0x57, 0x97,
+    0x5A, 0xE0, 0x00, 0xCF, 0xC1, 0x67, 0xE1, 0x41, 0xBD, 0x94, 0xA1, 0x03, 0xD3,
+    0xB4, 0x08, 0x64, 0xF2, 0x17, 0x27, 0x35, 0x37, 0x53, 0xEF, 0x46, 0xCE, 0xD8,
+    0xD4, 0x09, 0x52, 0xC6, 0x1E, 0xF7, 0x28, 0xDF, 0x08, 0x0F, 0xD0, 0x6F, 0x71,
+    0xA6, 0xDF, 0xE4, 0x60, 0x8E, 0xC0, 0x1E, 0x78, 0x86, 0x50, 0xB0, 0x9B, 0x84,
+    0x7E, 0xE8, 0x36, 0xFA, 0x95, 0xF1, 0x12, 0x51, 0xC7, 0x18, 0x96, 0xA2, 0x29,
+    0xBB, 0x70, 0x02, 0xB4, 0xF9, 0xA8, 0x3D, 0x08, 0x66, 0xA9, 0xB3, 0xFC, 0x0A,
+    0x94, 0x80, 0xFD, 0x78, 0xDC, 0xAB, 0x82, 0x5A, 0xD2, 0xCD, 0xC2, 0x87, 0xC6,
+    0x4B, 0x07, 0xFA, 0xD1, 0xC3, 0xD9, 0x34, 0x41, 0x85, 0xF8, 0xD0, 0xB6, 0x0A,
+    0x9D, 0x00, 0x91, 0x35, 0x05, 0x88, 0xC3, 0xE3, 0x9B, 0x22, 0xD2, 0xB8, 0xFD,
+    0x95, 0x3E, 0x6D, 0x5D, 0x48, 0xA3, 0x68, 0xCF, 0x02, 0x42, 0x79, 0x79, 0x8A,
+    0xAA, 0x01, 0xD6, 0x09, 0x14, 0x2C, 0xF4, 0x83, 0xA3, 0x80, 0x31, 0x55, 0x46,
+    0x6E, 0xC5, 0xE5, 0x2F, 0x30, 0x58, 0x81, 0xA2, 0x90, 0xBE, 0x2E, 0xA1, 0xC3,
+    0x0F, 0xA6, 0xF5, 0x51, 0x00, 0x39, 0xB6, 0xF2, 0x2A, 0xA3, 0x15, 0x7D, 0x8D,
+    0xF5, 0x66, 0x5C, 0xD9, 0xFC, 0xCF, 0x2F, 0xBF, 0x08, 0x27, 0xE7, 0xD0, 0x03,
+    0xB8, 0xD9, 0x00, 0x13, 0x3D, 0x01, 0x6B, 0xB6, 0xA8, 0xCD, 0x5B, 0x3B, 0x3E,
+    0x93, 0xBF, 0xE6, 0x2E, 0xB7, 0x4A, 0xCF, 0xB3, 0x0A, 0xCE, 0x62, 0x11, 0xD6,
+    0x1F, 0x68, 0x9B, 0x1D, 0x68, 0xD1, 0x8C, 0x97, 0xBD, 0xA1, 0x07, 0x67, 0x73,
+    0x87, 0xE0, 0x36, 0xDA, 0x8C, 0xD2, 0xD2, 0xBB, 0x84, 0x28, 0xA9, 0xFE, 0x52,
+    0x74, 0xD6, 0xB9, 0x0F, 0x0A, 0x6A, 0x2D, 0x28, 0x35, 0x34, 0x3A, 0xD3, 0xE2,
+    0xCD, 0x35, 0x06, 0x7D, 0x1B, 0x35, 0x85, 0x86, 0xD1, 0x3E, 0xF2, 0x6F, 0xA1,
+    0xC4, 0x55, 0xBD, 0x00, 0xD8, 0xC3, 0x5D, 0xC2, 0x1D, 0x6B, 0x6B, 0x27, 0x5B,
+    0x95, 0xF3, 0xAB, 0xB5, 0xD3, 0x37, 0xF2, 0x2C, 0x9C, 0xC7, 0x5D, 0xBD, 0xF1,
+    0x68, 0x1C, 0xAD, 0xF8, 0xB5, 0xE1, 0x29, 0x72, 0x7A, 0x73, 0x62, 0x55, 0x24,
+    0xB9, 0x85, 0xDF, 0x7B, 0x29, 0x7D, 0xDE, 0x08, 0xF5, 0xE4, 0x44, 0xDA, 0x1A,
+    0x30, 0x74, 0xDA, 0xB4, 0x9B, 0x23, 0x9A, 0x3A, 0xC1, 0x53, 0xB2, 0xA2, 0xA3,
+    0x7B, 0x1F, 0xD9, 0x56, 0xD4, 0x4F, 0x9B, 0xB2, 0x1E, 0xEE, 0xB8, 0x6A, 0x4E,
+    0xB5, 0xF4, 0x5A, 0xC9, 0x18, 0x27, 0x9C, 0xDE, 0x14, 0x44, 0xED, 0xC4, 0x3C,
+    0x71, 0x9F, 0x5F, 0xD9, 0x37, 0xA0, 0x78, 0x34, 0x6E, 0xBC, 0xD2, 0x7B, 0x1D,
+    0xFA, 0x08, 0x39, 0x5A, 0x04, 0x73, 0x15, 0xD9, 0x0A, 0x48, 0xC1, 0x2D, 0x15,
+    0x4E, 0x84, 0x30, 0x45, 0x69, 0xB3, 0xE5, 0xF6, 0xAD, 0x09, 0x1E, 0xCC, 0x5F,
+    0x1F, 0x06, 0xD5, 0x58, 0xAD, 0x78, 0xD7, 0x9F, 0xE5, 0xED, 0x3B, 0x09, 0xD5,
+    0xA6, 0x52, 0x6F, 0x92, 0xD3, 0x3C, 0xC6, 0x1E, 0xF2, 0x93, 0x7C, 0xD3, 0x5F,
+    0x70, 0x85, 0x5D, 0xF8, 0xAA, 0x9D, 0xB7, 0x7B, 0x24, 0x5A, 0xE9, 0x0A, 0x35,
+    0x2F, 0xF5, 0xD9, 0x82, 0x02, 0x8A, 0x90, 0x13, 0x5B, 0xB5, 0x67, 0x9C, 0xDD,
+    0xA0, 0x4E, 0x82, 0x27, 0xDA, 0x7E, 0xE8, 0x8E, 0xCD, 0xE1, 0x56, 0x71, 0x2C,
+    0xE6, 0x4E, 0x1F, 0x91, 0xCD, 0x7C, 0x6A, 0xB7, 0x78, 0xD0, 0x26, 0xF3, 0x56,
+    0xA9, 0xD5, 0xA1, 0xC3, 0x3B, 0x98, 0xE9, 0x28, 0x09, 0xEF, 0x50, 0x90, 0xCD,
+    0xC4, 0x8E, 0x75, 0xCC, 0xAC, 0x2D, 0xC9, 0x03, 0x6D, 0xAC, 0xFE, 0xC4, 0x88,
+    0x36, 0xD1, 0x3F, 0xBB, 0x1C, 0x7D, 0xB3, 0x14, 0x61, 0x2C, 0xB7, 0x54, 0x4B,
+    0xDB, 0x64, 0xB6, 0x57, 0x14, 0x16, 0x8E, 0x1E, 0x6C, 0x64, 0xBB, 0x8B, 0x48,
+    0x5D, 0x96, 0x9D, 0xDC, 0x80, 0xA7, 0xF7, 0x54, 0xC7, 0x46, 0x38, 0x3E, 0x44,
+    0xDE, 0x7E, 0x92, 0x8D, 0x07, 0xF6, 0x07, 0x37, 0x4E, 0x16, 0x10, 0xB4, 0x7D,
+    0x88, 0x66, 0x7F, 0xBB, 0xFF, 0xEA, 0x00, 0xF3, 0xFF, 0x97, 0x2C, 0xB5, 0xBE,
+    0x35, 0x4B, 0x5C, 0x36, 0xEC, 0x4C, 0xBD, 0x2B, 0x7D, 0xBF, 0x46, 0xE2, 0x9C,
+    0x0E, 0x8A, 0xA3, 0xEC, 0xB1, 0x0E, 0x9A, 0xDA, 0x9A, 0x9B, 0x28, 0x92, 0x10,
+    0x53, 0x57, 0xEA, 0xEC, 0xA2, 0x32, 0x32, 0x20, 0x1D, 0x97, 0x5C, 0xB6, 0x84,
+    0xA9, 0x93, 0x8D, 0x95, 0x11, 0xA3, 0x24, 0xA3, 0x2D, 0xC6, 0x4A, 0xEF, 0xAA,
+    0x1D, 0x85, 0x2B, 0x7D, 0x28, 0xBE, 0x53, 0xCE, 0x10, 0x1F, 0xAE, 0x0E, 0x41,
+    0x6C, 0x4B, 0x79, 0x12, 0xFB, 0xF7, 0x54, 0xA3, 0x96, 0x54, 0x83, 0x20, 0x96,
+    0x8F, 0x28, 0xA9, 0x3F, 0x8B, 0x3D, 0xBA, 0x77, 0xDC, 0x24, 0xE1, 0xD4, 0x49,
+    0x40, 0xD8, 0x78, 0x31, 0x85, 0x43, 0xF6, 0xFE, 0x5C, 0xA6, 0x8F, 0x90, 0x09,
+    0xB0, 0xE7, 0xC4, 0x95, 0xB2, 0x55, 0x49, 0x97, 0x8F, 0x1C, 0x78, 0x30, 0x20,
+    0xA0, 0xB4, 0xEF, 0x73, 0x56, 0x59, 0x82, 0xFD, 0xCE, 0xBA, 0x6A, 0x8F, 0x2C,
+    0x8B, 0x15, 0xFD, 0xA1, 0x85, 0xA8, 0x5C, 0x0F, 0x11, 0xA5, 0x9D, 0xC2, 0x46,
+    0xC6, 0x9C, 0xC9, 0x40, 0x0B, 0x58, 0x6A, 0x1C, 0x7A, 0x23, 0xF9, 0xE0, 0x95,
+    0x05, 0x13, 0x58, 0x72, 0xE8, 0x9F, 0x30, 0xAC, 0xCD, 0x26, 0xD4, 0x66, 0x13,
+    0xDF, 0x1E, 0x7B, 0x4F, 0x9C, 0xBE, 0x38, 0x79, 0x75, 0x92, 0xA4, 0xDA, 0x26,
+    0x44, 0x55, 0x17, 0xA3, 0xE5, 0x62, 0xDA, 0xEB, 0x86, 0xEA, 0x68, 0xC7, 0xAB,
+    0xFD, 0x2D, 0x43, 0x59, 0x51, 0xC0, 0x75, 0x64, 0x91, 0x01, 0x29, 0x33, 0x28,
+    0xF3, 0x04, 0x83, 0x80, 0x75, 0x37, 0x75, 0x0C, 0x03, 0x7B, 0x0A, 0xAB, 0x8E,
+    0x60, 0x62, 0x8B, 0x4C, 0xAF, 0x2D, 0xA3, 0x2F, 0xFE, 0xAB, 0x45, 0xCF, 0xDA,
+    0xAB, 0xFA, 0xFA, 0x30, 0x3D, 0xE8, 0xA1, 0x96, 0xA5, 0x7B, 0xE2, 0x2A, 0xD0,
+    0xAF, 0x59, 0xF7, 0xD0, 0x32, 0x57, 0x19, 0xBD, 0xCA, 0x9F, 0xD5, 0x1A, 0xC7,
+    0xAA, 0x65, 0x4A, 0x38, 0xB2, 0x70, 0x33, 0xB7, 0x75, 0xD2, 0xCD, 0xD1, 0xF0,
+    0xA8, 0x87, 0x59, 0x20, 0xA5, 0x57, 0x55, 0xB1, 0xB2, 0xC9, 0x4D, 0x97, 0x34,
+    0x41, 0xF3, 0xF0, 0x30, 0xA1, 0x2C, 0x1C, 0x49, 0x3E, 0x89, 0x7D, 0x12, 0xE2,
+    0xC3, 0x04, 0xC3, 0x92, 0xC0, 0xF6, 0x39, 0x10, 0x80, 0x81, 0x8F, 0x08, 0xB4,
+    0xF8, 0xB9, 0x13, 0x4E, 0x2C, 0xAE, 0xB3, 0x71, 0x82, 0x63, 0x98, 0xAB, 0x5C,
+    0x1C, 0x10, 0xEA, 0x66, 0xF9, 0x02, 0x3A, 0x82, 0x61, 0xD0, 0xD4, 0xAE, 0x43,
+    0xD4, 0x01, 0x3E, 0x9D, 0x04, 0x14, 0xF6, 0x60, 0xD8, 0xA7, 0xD6, 0xB8, 0x53,
+    0xC8, 0xDA, 0x80, 0x93, 0xA0, 0x02, 0xDD, 0xCC, 0xE2, 0xF2, 0xBB, 0xFB, 0xE0,
+    0x27, 0xD7, 0x34, 0x9A, 0x71, 0x49, 0xB5, 0x4F, 0x42, 0x1F, 0xB2, 0x9D, 0x6D,
+    0xAA, 0x9D, 0xD3, 0x50, 0xB5, 0x8F, 0x6A, 0x4B, 0xDF, 0x1F, 0xD5, 0x27, 0x8F,
+    0x3B, 0x27, 0xCF, 0x2F, 0x8C, 0xF8, 0x9D, 0x4C, 0x52, 0xBC, 0x32, 0x0F, 0x73,
+    0xD5, 0x51, 0x8E, 0x36, 0x7E, 0xAD, 0x09, 0xF0, 0x94, 0x83, 0x5F, 0x36, 0xFD,
+    0x7C, 0x03, 0xED, 0xF1, 0x5E, 0x4B, 0xF7, 0xAA, 0x55, 0x5C, 0x4A, 0x14, 0x59,
+    0x85, 0x38, 0x2D, 0x8C, 0xDF, 0xEC, 0x65, 0x1B, 0xB8, 0x76, 0x57, 0x96, 0x3C,
+    0x86, 0xED, 0xF2, 0x7F, 0x2D, 0x28, 0x48, 0xDA, 0x49, 0x7F, 0xF7, 0x54, 0x2B,
+    0xD5, 0x39, 0xD5, 0x57, 0x0A, 0x75, 0x7A, 0x3E, 0x5E, 0x5D, 0xBA, 0x4A, 0x15,
+    0xFA, 0xB8, 0x31, 0x80, 0x71, 0x2C, 0xCA, 0xC4, 0x51, 0x10, 0x16, 0x5D, 0x39,
+    0xEC, 0x9D, 0x07, 0xB6, 0x6A, 0x89, 0x9F, 0x9B, 0x5B, 0x6F, 0x03, 0xB0, 0x92,
+    0x01, 0x38, 0x6B, 0x48, 0x99, 0x0A, 0x8F, 0x13, 0xC1, 0xA6, 0x01, 0xEA, 0xBF,
+    0x6F, 0x86, 0x43, 0x51, 0xB6, 0x11, 0x00, 0x00
+};
 
 int compress_test(void)
 {
     int ret = 0;
     word32 dSz = sizeof(sample_text);
     word32 cSz = (dSz + (word32)(dSz * 0.001) + 12);
-    byte *c = NULL;
-    byte *d = NULL;
+    byte *c;
+    byte *d;
 
-    c = calloc(cSz, sizeof(byte));
-    d = calloc(dSz, sizeof(byte));
+    c = XMALLOC(cSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    d = XMALLOC(dSz * sizeof(byte), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (c == NULL || d == NULL) {
+        ERROR_OUT(-11700, exit);
+    }
 
-    if (c == NULL || d == NULL)
-        ret = -300;
+    /* follow calloc and initialize to 0 */
+    XMEMSET(c, 0, cSz);
+    XMEMSET(d, 0, dSz);
 
-    if (ret == 0 && (ret = wc_Compress(c, cSz, sample_text, dSz, 0)) < 0)
-        ret = -301;
+    if ((ret = wc_Compress(c, cSz, sample_text, dSz, 0)) < 0) {
+        ERROR_OUT(-11701, exit);
+    }
+    cSz = (word32)ret;
 
-    if (ret > 0) {
-        cSz = (word32)ret;
-        ret = 0;
+    if ((ret = wc_DeCompress(d, dSz, c, cSz)) != (int)dSz) {
+        ERROR_OUT(-11702, exit);
     }
 
-    if (ret == 0 && wc_DeCompress(d, dSz, c, cSz) != (int)dSz)
-        ret = -302;
+    if (XMEMCMP(d, sample_text, dSz) != 0) {
+        ERROR_OUT(-11703, exit);
+    }
+
+    /* GZIP tests */
+    cSz = (dSz + (word32)(dSz * 0.001) + 12); /* reset cSz */
+    XMEMSET(c, 0, cSz);
+    XMEMSET(d, 0, dSz);
 
-    if (ret == 0 && memcmp(d, sample_text, dSz))
-        ret = -303;
+    ret = wc_Compress_ex(c, cSz, sample_text, dSz, 0, LIBZ_WINBITS_GZIP);
+    if (ret < 0) {
+        ERROR_OUT(-11704, exit);
+    }
+    cSz = (word32)ret;
 
-    if (c) free(c);
-    if (d) free(d);
+    ret = wc_DeCompress_ex(d, dSz, c, cSz, LIBZ_WINBITS_GZIP);
+    if (ret < 0) {
+        ERROR_OUT(-11705, exit);
+    }
+
+    if (XMEMCMP(d, sample_text, dSz) != 0) {
+        ERROR_OUT(-11706, exit);
+    }
+
+    /* Try with gzip generated output */
+    XMEMSET(d, 0, dSz);
+    ret = wc_DeCompress_ex(d, dSz, sample_text_gz, sizeof(sample_text_gz),
+        LIBZ_WINBITS_GZIP);
+    if (ret < 0) {
+        ERROR_OUT(-11707, exit);
+    }
+    dSz = (word32)ret;
+
+    if (XMEMCMP(d, sample_text, dSz) != 0) {
+        ERROR_OUT(-11708, exit);
+    }
+
+    ret = 0; /* success */
+
+exit:
+    if (c) XFREE(c, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (d) XFREE(d, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
 }
@@ -5917,323 +23711,4857 @@ int compress_test(void)
 
 #ifdef HAVE_PKCS7
 
+/* External Debugging/Testing Note:
+ *
+ * PKCS#7 test functions can output generated PKCS#7/CMS bundles for
+ * additional testing. To dump bundles to files DER encoded files, please
+ * define:
+ *
+ * #define PKCS7_OUTPUT_TEST_BUNDLES
+ */
+
+
+/* Loads certs and keys for use with PKCS7 tests, from either files
+ * or buffers.
+ *
+ * rsaClientCertBuf      - output buffer for RSA client cert
+ * rsaClientCertBufSz    - IN/OUT size of output buffer, size of RSA client cert
+ * rsaClientPrivKeyBuf   - output buffer for RSA client private key
+ * rsaClientPrivKeyBufSz - IN/OUT size of output buffer, size of RSA client key
+ *
+ * rsaServerCertBuf      - output buffer for RSA server cert
+ * rsaServerCertBufSz    - IN/OUT size of output buffer, size of RSA server cert
+ * rsaServerPrivKeyBuf   - output buffer for RSA server private key
+ * rsaServerPrivKeyBufSz - IN/OUT size of output buffer, size of RSA server key
+ *
+ * rsaCaCertBuf          - output buffer for RSA CA cert
+ * rsaCaCertBufSz        - IN/OUT size of output buffer, size of RSA ca cert
+ * rsaCaPrivKeyBuf       - output buffer for RSA CA private key
+ * rsaCaPrivKeyBufSz     - IN/OUT size of output buffer, size of RSA CA key
+ *
+ * eccClientCertBuf      - output buffer for ECC cert
+ * eccClientCertBufSz    - IN/OUT size of output buffer, size of ECC cert
+ * eccClientPrivKeyBuf   - output buffer for ECC private key
+ * eccClientPrivKeyBufSz - IN/OUT size of output buffer, size of ECC private key
+ *
+ * Returns 0 on success, negative on error
+ */
+static int pkcs7_load_certs_keys(
+                       byte* rsaClientCertBuf,    word32* rsaClientCertBufSz,
+                       byte* rsaClientPrivKeyBuf, word32* rsaClientPrivKeyBufSz,
+                       byte* rsaServerCertBuf,    word32* rsaServerCertBufSz,
+                       byte* rsaServerPrivKeyBuf, word32* rsaServerPrivKeyBufSz,
+                       byte* rsaCaCertBuf,        word32* rsaCaCertBufSz,
+                       byte* rsaCaPrivKeyBuf,     word32* rsaCaPrivKeyBufSz,
+                       byte* eccClientCertBuf,    word32* eccClientCertBufSz,
+                       byte* eccClientPrivKeyBuf, word32* eccClientPrivKeyBufSz)
+{
+#ifndef NO_FILESYSTEM
+    XFILE  certFile;
+    XFILE  keyFile;
+
+    (void)certFile;
+    (void)keyFile;
+#endif
+
+#ifndef NO_RSA
+    if (rsaClientCertBuf == NULL || rsaClientCertBufSz == NULL ||
+        rsaClientPrivKeyBuf == NULL || rsaClientPrivKeyBufSz == NULL)
+        return BAD_FUNC_ARG;
+#endif
+
+#ifdef HAVE_ECC
+    if (eccClientCertBuf == NULL || eccClientCertBufSz == NULL ||
+        eccClientPrivKeyBuf == NULL || eccClientPrivKeyBufSz == NULL)
+        return BAD_FUNC_ARG;
+#endif
+
+/* RSA */
+#ifndef NO_RSA
+
+#ifdef USE_CERT_BUFFERS_1024
+    if (*rsaClientCertBufSz < (word32)sizeof_client_cert_der_1024)
+        return -11709;
+
+    XMEMCPY(rsaClientCertBuf, client_cert_der_1024,
+            sizeof_client_cert_der_1024);
+    *rsaClientCertBufSz = sizeof_client_cert_der_1024;
+
+    if (rsaServerCertBuf != NULL) {
+        if (*rsaServerCertBufSz < (word32)sizeof_server_cert_der_1024)
+            return -11710;
+
+        XMEMCPY(rsaServerCertBuf, server_cert_der_1024,
+                sizeof_server_cert_der_1024);
+        *rsaServerCertBufSz = sizeof_server_cert_der_1024;
+    }
+
+    if (rsaCaCertBuf != NULL) {
+        if (*rsaCaCertBufSz < (word32)sizeof_ca_cert_der_1024)
+            return -11711;
+
+        XMEMCPY(rsaCaCertBuf, ca_cert_der_1024, sizeof_ca_cert_der_1024);
+        *rsaCaCertBufSz = sizeof_ca_cert_der_1024;
+    }
+#elif defined(USE_CERT_BUFFERS_2048)
+    if (*rsaClientCertBufSz < (word32)sizeof_client_cert_der_2048)
+        return -11712;
+
+    XMEMCPY(rsaClientCertBuf, client_cert_der_2048,
+            sizeof_client_cert_der_2048);
+    *rsaClientCertBufSz = sizeof_client_cert_der_2048;
+
+    if (rsaServerCertBuf != NULL) {
+        if (*rsaServerCertBufSz < (word32)sizeof_server_cert_der_2048)
+            return -11713;
+
+        XMEMCPY(rsaServerCertBuf, server_cert_der_2048,
+                sizeof_server_cert_der_2048);
+        *rsaServerCertBufSz = sizeof_server_cert_der_2048;
+    }
+
+    if (rsaCaCertBuf != NULL) {
+        if (*rsaCaCertBufSz < (word32)sizeof_ca_cert_der_2048)
+            return -11714;
+
+        XMEMCPY(rsaCaCertBuf, ca_cert_der_2048, sizeof_ca_cert_der_2048);
+        *rsaCaCertBufSz = sizeof_ca_cert_der_2048;
+    }
+#else
+    certFile = XFOPEN(clientCert, "rb");
+    if (!certFile)
+        return -11715;
+
+    *rsaClientCertBufSz = (word32)XFREAD(rsaClientCertBuf, 1,
+                                        *rsaClientCertBufSz, certFile);
+    XFCLOSE(certFile);
+
+    if (rsaServerCertBuf != NULL) {
+        certFile = XFOPEN(rsaServerCertDerFile, "rb");
+        if (!certFile)
+            return -11716;
+
+        *rsaServerCertBufSz = (word32)XFREAD(rsaServerCertBuf, 1,
+                                            *rsaServerCertBufSz, certFile);
+        XFCLOSE(certFile);
+    }
+
+    if (rsaCaCertBuf != NULL) {
+        certFile = XFOPEN(rsaCaCertDerFile, "rb");
+        if (!certFile)
+            return -11717;
+
+        *rsaCaCertBufSz = (word32)XFREAD(rsaCaCertBuf, 1, *rsaCaCertBufSz,
+                                        certFile);
+        XFCLOSE(certFile);
+    }
+#endif
+
+#ifdef USE_CERT_BUFFERS_1024
+    if (*rsaClientPrivKeyBufSz < (word32)sizeof_client_key_der_1024)
+        return -11718;
+
+    XMEMCPY(rsaClientPrivKeyBuf, client_key_der_1024,
+            sizeof_client_key_der_1024);
+    *rsaClientPrivKeyBufSz = sizeof_client_key_der_1024;
+
+    if (rsaServerPrivKeyBuf != NULL) {
+        if (*rsaServerPrivKeyBufSz < (word32)sizeof_server_key_der_1024)
+            return -11719;
+
+        XMEMCPY(rsaServerPrivKeyBuf, server_key_der_1024,
+                sizeof_server_key_der_1024);
+        *rsaServerPrivKeyBufSz = sizeof_server_key_der_1024;
+    }
+
+    if (rsaCaPrivKeyBuf != NULL) {
+        if (*rsaCaPrivKeyBufSz < (word32)sizeof_ca_key_der_1024)
+            return -11720;
+
+        XMEMCPY(rsaCaPrivKeyBuf, ca_key_der_1024, sizeof_ca_key_der_1024);
+        *rsaCaPrivKeyBufSz = sizeof_ca_key_der_1024;
+    }
+#elif defined(USE_CERT_BUFFERS_2048)
+    if (*rsaClientPrivKeyBufSz < (word32)sizeof_client_key_der_2048)
+        return -11721;
+
+    XMEMCPY(rsaClientPrivKeyBuf, client_key_der_2048,
+            sizeof_client_key_der_2048);
+    *rsaClientPrivKeyBufSz = sizeof_client_key_der_2048;
+
+    if (rsaServerPrivKeyBuf != NULL) {
+        if (*rsaServerPrivKeyBufSz < (word32)sizeof_server_key_der_2048)
+            return -11722;
+
+        XMEMCPY(rsaServerPrivKeyBuf, server_key_der_2048,
+                sizeof_server_key_der_2048);
+        *rsaServerPrivKeyBufSz = sizeof_server_key_der_2048;
+    }
+
+    if (rsaCaPrivKeyBuf != NULL) {
+        if (*rsaCaPrivKeyBufSz < (word32)sizeof_ca_key_der_2048)
+            return -11723;
+
+        XMEMCPY(rsaCaPrivKeyBuf, ca_key_der_2048, sizeof_ca_key_der_2048);
+        *rsaCaPrivKeyBufSz = sizeof_ca_key_der_2048;
+    }
+#else
+    keyFile = XFOPEN(clientKey, "rb");
+    if (!keyFile)
+        return -11724;
+
+    *rsaClientPrivKeyBufSz = (word32)XFREAD(rsaClientPrivKeyBuf, 1,
+                                           *rsaClientPrivKeyBufSz, keyFile);
+    XFCLOSE(keyFile);
+
+    if (rsaServerPrivKeyBuf != NULL) {
+        keyFile = XFOPEN(rsaServerKeyDerFile, "rb");
+        if (!keyFile)
+            return -11725;
+
+        *rsaServerPrivKeyBufSz = (word32)XFREAD(rsaServerPrivKeyBuf, 1,
+                                               *rsaServerPrivKeyBufSz, keyFile);
+        XFCLOSE(keyFile);
+    }
+
+    if (rsaCaPrivKeyBuf != NULL) {
+        keyFile = XFOPEN(rsaCaKeyFile, "rb");
+        if (!keyFile)
+            return -11726;
+
+        *rsaCaPrivKeyBufSz = (word32)XFREAD(rsaCaPrivKeyBuf, 1,
+                                           *rsaCaPrivKeyBufSz, keyFile);
+        XFCLOSE(keyFile);
+    }
+#endif /* USE_CERT_BUFFERS */
+
+#endif /* NO_RSA */
+
+/* ECC */
+#ifdef HAVE_ECC
+
+#ifdef USE_CERT_BUFFERS_256
+    if (*eccClientCertBufSz < (word32)sizeof_cliecc_cert_der_256)
+        return -11727;
+
+    XMEMCPY(eccClientCertBuf, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
+    *eccClientCertBufSz = sizeof_cliecc_cert_der_256;
+#else
+    certFile = XFOPEN(eccClientCert, "rb");
+    if (!certFile)
+        return -11728;
+
+    *eccClientCertBufSz = (word32)XFREAD(eccClientCertBuf, 1,
+                                        *eccClientCertBufSz, certFile);
+    XFCLOSE(certFile);
+#endif /* USE_CERT_BUFFERS_256 */
+
+#ifdef USE_CERT_BUFFERS_256
+    if (*eccClientPrivKeyBufSz < (word32)sizeof_ecc_clikey_der_256)
+        return -11729;
+
+    XMEMCPY(eccClientPrivKeyBuf, ecc_clikey_der_256, sizeof_ecc_clikey_der_256);
+    *eccClientPrivKeyBufSz = sizeof_ecc_clikey_der_256;
+#else
+    keyFile = XFOPEN(eccClientKey, "rb");
+    if (!keyFile)
+        return -11730;
+
+    *eccClientPrivKeyBufSz = (word32)XFREAD(eccClientPrivKeyBuf, 1,
+                                           *eccClientPrivKeyBufSz, keyFile);
+    XFCLOSE(keyFile);
+#endif /* USE_CERT_BUFFERS_256 */
+#endif /* HAVE_ECC */
+
+#ifdef NO_RSA
+    (void)rsaClientCertBuf;
+    (void)rsaClientCertBufSz;
+    (void)rsaClientPrivKeyBuf;
+    (void)rsaClientPrivKeyBufSz;
+    (void)rsaServerCertBuf;
+    (void)rsaServerCertBufSz;
+    (void)rsaServerPrivKeyBuf;
+    (void)rsaServerPrivKeyBufSz;
+    (void)rsaCaCertBuf;
+    (void)rsaCaCertBufSz;
+    (void)rsaCaPrivKeyBuf;
+    (void)rsaCaPrivKeyBufSz;
+#endif
+#ifndef HAVE_ECC
+    (void)eccClientCertBuf;
+    (void)eccClientCertBufSz;
+    (void)eccClientPrivKeyBuf;
+    (void)eccClientPrivKeyBufSz;
+#endif
+#ifndef NO_FILESYSTEM
+    (void)certFile;
+    (void)keyFile;
+#endif
+    return 0;
+}
+
+
+typedef struct {
+    const byte*  content;
+    word32       contentSz;
+    int          contentOID;
+    int          encryptOID;
+    int          keyWrapOID;
+    int          keyAgreeOID;
+    byte*        cert;
+    size_t       certSz;
+    byte*        privateKey;
+    word32       privateKeySz;
+    byte*        optionalUkm;
+    word32       optionalUkmSz;
+    int          ktriOptions;    /* KTRI options flags */
+    int          kariOptions;    /* KARI options flags */
+
+    /* KEKRI specific */
+    byte*        secretKey;      /* key, only for kekri RecipientInfo types */
+    word32       secretKeySz;    /* size of secretKey, bytes */
+    byte*        secretKeyId;    /* key identifier */
+    word32       secretKeyIdSz;  /* size of key identifier, bytes */
+    void*        timePtr;        /* time_t pointer */
+    byte*        otherAttrOID;   /* OPTIONAL, other attribute OID */
+    word32       otherAttrOIDSz; /* size of otherAttrOID, bytes */
+    byte*        otherAttr;      /* OPTIONAL, other attribute, ASN.1 encoded */
+    word32       otherAttrSz;    /* size of otherAttr, bytes */
+    int          kekriOptions;   /* KEKRI options flags */
+
+    /* PWRI specific */
+    char*        password;
+    word32       passwordSz;
+    byte*        salt;
+    word32       saltSz;
+    int          kdfOID;
+    int          hashOID;
+    int          kdfIterations;
+    int          pwriOptions;    /* PWRI options flags */
+
+    /* ORI specific */
+    int          isOri;
+    int          oriOptions;     /* ORI options flags */
+
+    const char*  outFileName;
+} pkcs7EnvelopedVector;
+
+
+static const byte asnDataOid[] = {
+    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
+};
+
+/* ORI encrypt callback, responsible for encrypting content-encryption key (CEK)
+ * and giving wolfCrypt the value for oriOID and oriValue to place in
+ * OtherRecipientInfo.
+ *
+ * Returns 0 on success, negative upon error. */
+static int myOriEncryptCb(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* oriType,
+                          word32* oriTypeSz, byte* oriValue, word32* oriValueSz,
+                          void* ctx)
+{
+    int i;
+
+    /* make sure buffers are large enough */
+    if ((*oriValueSz < (2 + cekSz)) || (*oriTypeSz < sizeof(oriType)))
+        return -11731;
+
+    /* our simple encryption algorithm will be take the bitwise complement */
+    oriValue[0] = 0x04;         /*ASN OCTET STRING */
+    oriValue[1] = (byte)cekSz;  /* length */
+    for (i = 0; i < (int)cekSz; i++) {
+        oriValue[2 + i] = ~cek[i];
+    }
+    *oriValueSz = 2 + cekSz;
+
+    /* set oriType to ASN.1 encoded data OID */
+    XMEMCPY(oriType, asnDataOid, sizeof(asnDataOid));
+    *oriTypeSz = sizeof(asnDataOid);
+
+    (void)pkcs7;
+    (void)ctx;
+
+    return 0;
+}
+
+
+/* ORI decrypt callback, responsible for providing a decrypted content
+ * encryption key (CEK) placed into decryptedKey and size placed into
+ * decryptedKeySz. oriOID and oriValue are given to the callback to help
+ * in decrypting the encrypted CEK.
+ *
+ * Returns 0 on success, negative upon error. */
+static int myOriDecryptCb(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
+                          byte* oriValue, word32 oriValueSz, byte* decryptedKey,
+                          word32* decryptedKeySz, void* ctx)
+{
+    int i;
+
+    /* make sure oriType matches what we expect */
+    if (oriTypeSz != sizeof(asnDataOid))
+        return -11732;
+
+    if (XMEMCMP(oriType, asnDataOid, sizeof(asnDataOid)) != 0)
+        return -11733;
+
+    /* make sure decrypted buffer is large enough */
+    if (*decryptedKeySz < oriValueSz)
+        return -11734;
+
+    /* decrypt encrypted CEK using simple bitwise complement,
+       only for example */
+    for (i = 0; i < (int)oriValueSz - 2; i++) {
+        decryptedKey[i] = ~oriValue[2 + i];
+    }
+
+    *decryptedKeySz = oriValueSz - 2;
+
+    (void)pkcs7;
+    (void)ctx;
+
+    return 0;
+}
+
+
+#ifndef NO_AES
+/* returns 0 on success */
+static int myDecryptionFunc(PKCS7* pkcs7, int encryptOID, byte* iv, int ivSz,
+        byte* aad, word32 aadSz, byte* authTag, word32 authTagSz,
+        byte* in, int inSz, byte* out, void* usrCtx)
+{
+    int keyId = -1, ret, keySz;
+    word32 keyIdSz = 8;
+    const byte*  key;
+    byte   keyIdRaw[8];
+    Aes    aes;
+
+    /* looking for KEY ID
+     * fwDecryptKeyID OID "1.2.840.113549.1.9.16.2.37
+     */
+    const unsigned char OID[] = {
+        /* 0x06, 0x0B do not pass in tag and length */
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x10, 0x02, 0x25
+    };
+
+    const byte defKey[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+
+    const byte altKey[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+
+    /* test user context passed in */
+    if (usrCtx == NULL || *(int*)usrCtx != 1) {
+        return -11735;
+    }
+
+    /* if needing to find keyIdSz can call with NULL */
+    ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), NULL,
+            &keyIdSz);
+    if (ret != LENGTH_ONLY_E) {
+        printf("Unexpected error %d when getting keyIdSz\n", ret);
+        printf("Possibly no KEY ID attribute set\n");
+        return -11736;
+    }
+    else {
+        XMEMSET(keyIdRaw, 0, sizeof(keyIdRaw));
+        ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), keyIdRaw,
+                &keyIdSz);
+        if (ret < 0) {
+            return ret;
+        }
+
+        if (keyIdSz < 3) {
+            printf("keyIdSz is smaller than expected\n");
+            return -11737;
+        }
+        if (keyIdSz > 2 + sizeof(int)) {
+            printf("example case was only expecting a keyId of int size\n");
+            return -11738;
+        }
+
+        /* keyIdRaw[0] OCTET TAG */
+        /* keyIdRaw[1] Length */
+#ifdef BIG_ENDIAN_ORDER
+        if (keyIdRaw[1] == 0x01) {
+            keyId = 1;
+        }
+#else
+        keyId = *(int*)(keyIdRaw + 2);
+#endif
+    }
+
+
+    /* Use keyID here if found to select key and decrypt in HSM or in this
+     * example just select key and do software decryption */
+    if (keyId == 1) {
+        key = altKey;
+        keySz = sizeof(altKey);
+    }
+    else {
+        key = defKey;
+        keySz = sizeof(defKey);
+    }
+
+    switch (encryptOID) {
+        case AES256CBCb:
+            if ((keySz != 32 ) || (ivSz  != AES_BLOCK_SIZE))
+                return BAD_FUNC_ARG;
+            break;
+
+        case AES128CBCb:
+            if ((keySz != 16 ) || (ivSz  != AES_BLOCK_SIZE))
+                return BAD_FUNC_ARG;
+            break;
+
+        default:
+            printf("Unsupported content cipher type for example");
+            return ALGO_ID_E;
+    };
+
+    ret = wc_AesInit(&aes, HEAP_HINT, INVALID_DEVID);
+    if (ret == 0) {
+        ret = wc_AesSetKey(&aes, key, keySz, iv, AES_DECRYPTION);
+        if (ret == 0)
+            ret = wc_AesCbcDecrypt(&aes, out, in, inSz);
+        wc_AesFree(&aes);
+    }
+
+    (void)aad;
+    (void)aadSz;
+    (void)authTag;
+    (void)authTagSz;
+    return ret;
+}
+#endif /* NO_AES */
+
+
+static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
+                                      byte* rsaPrivKey,  word32 rsaPrivKeySz,
+                                      byte* eccCert, word32 eccCertSz,
+                                      byte* eccPrivKey,  word32 eccPrivKeySz)
+{
+    int ret, testSz, i;
+    int envelopedSz, decodedSz;
+
+    byte   enveloped[2048];
+    byte   decoded[2048];
+    PKCS7* pkcs7;
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE  pkcs7File;
+#endif
+
+    const byte data[] = { /* Hello World */
+        0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
+        0x72,0x6c,0x64
+    };
+
+#if !defined(NO_AES) && defined(WOLFSSL_AES_256) && defined(HAVE_ECC) && \
+    defined(WOLFSSL_SHA512)
+    byte optionalUkm[] = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
+    };
+#endif /* NO_AES */
+
+#if !defined(NO_AES) && !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+    /* encryption key for kekri recipient types */
+    byte secretKey[] = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
+    };
+
+    /* encryption key identifier */
+    byte secretKeyId[] = {
+        0x02,0x02,0x03,0x04
+    };
+#endif
+
+#if !defined(NO_PWDBASED) && !defined(NO_AES) && \
+    !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+
+    char password[] = "password";
+
+    byte salt[] = {
+        0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
+    };
+#endif
+
+    const pkcs7EnvelopedVector testVectors[] =
+    {
+        /* key transport key encryption technique */
+#ifndef NO_RSA
+    #ifndef NO_DES3
+        {data, (word32)sizeof(data), DATA, DES3b, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
+         0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataDES3.der"},
+    #endif
+
+    #ifndef NO_AES
+        #ifdef WOLFSSL_AES_128
+        {data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
+         0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES128CBC.der"},
+        #endif
+        #ifdef WOLFSSL_AES_192
+        {data, (word32)sizeof(data), DATA, AES192CBCb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
+         0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES192CBC.der"},
+        #endif
+        #ifdef WOLFSSL_AES_256
+        {data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL,
+         0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES256CBC.der"},
+
+        /* explicitly using SKID for SubjectKeyIdentifier */
+        {data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, CMS_SKID, 0, NULL, 0, NULL, 0, NULL,
+         NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES256CBC_SKID.der"},
+
+        /* explicitly using IssuerAndSerialNumber for SubjectKeyIdentifier */
+        {data, (word32)sizeof(data), DATA, AES256CBCb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, CMS_ISSUER_AND_SERIAL_NUMBER, 0,
+         NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0,
+         0, 0, 0, 0, "pkcs7envelopedDataAES256CBC_IANDS.der"},
+        #endif
+    #endif /* NO_AES */
+#endif
+
+        /* key agreement key encryption technique*/
+#ifdef HAVE_ECC
+    #ifndef NO_AES
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128CBCb, AES128_WRAP,
+         dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
+         0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES128CBC_ECDH_SHA1KDF.der"},
+        #endif
+
+        #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256)
+        {data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
+         0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES256CBC_ECDH_SHA256KDF.der"},
+        #endif /* NO_SHA256 && WOLFSSL_AES_256 */
+
+        #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_AES_256)
+        {data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
+         dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0,
+         0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF.der"},
+
+        /* with optional user keying material (ukm) */
+        {data, (word32)sizeof(data), DATA, AES256CBCb, AES256_WRAP,
+         dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, optionalUkm, sizeof(optionalUkm), 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF_ukm.der"},
+        #endif /* WOLFSSL_SHA512 && WOLFSSL_AES_256 */
+    #endif /* NO_AES */
+#endif
+
+        /* kekri (KEKRecipientInfo) recipient types */
+#ifndef NO_AES
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128CBCb, AES128_WRAP, 0,
+         NULL, 0, NULL, 0, NULL, 0, 0, 0, secretKey, sizeof(secretKey),
+         secretKeyId, sizeof(secretKeyId), NULL, NULL, 0, NULL, 0,
+         0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7envelopedDataAES128CBC_KEKRI.der"},
+        #endif
+#endif
+
+        /* pwri (PasswordRecipientInfo) recipient types */
+#if !defined(NO_PWDBASED) && !defined(NO_AES)
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0,
+         NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, password,
+         (word32)XSTRLEN(password), salt, sizeof(salt), PBKDF2_OID, WC_SHA, 5,
+         0, 0, 0, "pkcs7envelopedDataAES128CBC_PWRI.der"},
+        #endif
+#endif
+
+#if !defined(NO_AES) && !defined(NO_AES_128)
+        /* ori (OtherRecipientInfo) recipient types */
+        {data, (word32)sizeof(data), DATA, AES128CBCb, 0, 0, NULL, 0, NULL, 0,
+         NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0,
+         NULL, 0, 0, 0, 0, 0, 1, 0, "pkcs7envelopedDataAES128CBC_ORI.der"},
+#endif
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7EnvelopedVector);
+
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT,
+        #ifdef WOLFSSL_ASYNC_CRYPT
+            INVALID_DEVID /* async PKCS7 is not supported */
+        #else
+            devId
+        #endif
+        );
+        if (pkcs7 == NULL)
+            return -11739;
+
+        if (testVectors[i].secretKey != NULL) {
+            /* KEKRI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11740;
+            }
+
+            pkcs7->content      = (byte*)testVectors[i].content;
+            pkcs7->contentSz    = testVectors[i].contentSz;
+            pkcs7->contentOID   = testVectors[i].contentOID;
+            pkcs7->encryptOID   = testVectors[i].encryptOID;
+            pkcs7->ukm          = testVectors[i].optionalUkm;
+            pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
+
+            ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, testVectors[i].keyWrapOID,
+                    testVectors[i].secretKey, testVectors[i].secretKeySz,
+                    testVectors[i].secretKeyId, testVectors[i].secretKeyIdSz,
+                    testVectors[i].timePtr, testVectors[i].otherAttrOID,
+                    testVectors[i].otherAttrOIDSz, testVectors[i].otherAttr,
+                    testVectors[i].otherAttrSz, testVectors[i].kekriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11741;
+            }
+
+            /* set key, for decryption */
+            ret = wc_PKCS7_SetKey(pkcs7, testVectors[i].secretKey,
+                                  testVectors[i].secretKeySz);
+
+            if (ret != 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11742;
+            }
+
+        } else if (testVectors[i].password != NULL) {
+        #ifndef NO_PWDBASED
+            /* PWRI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11743;
+            }
+
+            pkcs7->content      = (byte*)testVectors[i].content;
+            pkcs7->contentSz    = testVectors[i].contentSz;
+            pkcs7->contentOID   = testVectors[i].contentOID;
+            pkcs7->encryptOID   = testVectors[i].encryptOID;
+            pkcs7->ukm          = testVectors[i].optionalUkm;
+            pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
+
+            ret = wc_PKCS7_AddRecipient_PWRI(pkcs7,
+                    (byte*)testVectors[i].password,
+                    testVectors[i].passwordSz, testVectors[i].salt,
+                    testVectors[i].saltSz, testVectors[i].kdfOID,
+                    testVectors[i].hashOID, testVectors[i].kdfIterations,
+                    testVectors[i].encryptOID, testVectors[i].pwriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11744;
+            }
+
+            /* set password, for decryption */
+            ret = wc_PKCS7_SetPassword(pkcs7, (byte*)testVectors[i].password,
+                    testVectors[i].passwordSz);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11745;
+            }
+        #endif /* NO_PWDBASED */
+
+        } else if (testVectors[i].isOri == 1) {
+            /* ORI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11746;
+            }
+
+            pkcs7->content      = (byte*)testVectors[i].content;
+            pkcs7->contentSz    = testVectors[i].contentSz;
+            pkcs7->contentOID   = testVectors[i].contentOID;
+            pkcs7->encryptOID   = testVectors[i].encryptOID;
+
+            ret = wc_PKCS7_AddRecipient_ORI(pkcs7, myOriEncryptCb,
+                                            testVectors[i].oriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11747;
+            }
+
+            /* set decrypt callback for decryption */
+            ret = wc_PKCS7_SetOriDecryptCb(pkcs7, myOriDecryptCb);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11748;
+            }
+
+        } else {
+            /* KTRI or KARI recipient types */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11749;
+            }
+
+            ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
+                                        (word32)testVectors[i].certSz);
+            if (ret != 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11750;
+            }
+
+            pkcs7->keyWrapOID   = testVectors[i].keyWrapOID;
+            pkcs7->keyAgreeOID  = testVectors[i].keyAgreeOID;
+            pkcs7->privateKey   = testVectors[i].privateKey;
+            pkcs7->privateKeySz = testVectors[i].privateKeySz;
+            pkcs7->content      = (byte*)testVectors[i].content;
+            pkcs7->contentSz    = testVectors[i].contentSz;
+            pkcs7->contentOID   = testVectors[i].contentOID;
+            pkcs7->encryptOID   = testVectors[i].encryptOID;
+            pkcs7->ukm          = testVectors[i].optionalUkm;
+            pkcs7->ukmSz        = testVectors[i].optionalUkmSz;
+
+            /* set SubjectIdentifier type for KTRI types */
+            if (testVectors[i].ktriOptions & CMS_SKID) {
+
+                ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
+                if (ret != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -11751;
+                }
+            } else if (testVectors[i].ktriOptions &
+                       CMS_ISSUER_AND_SERIAL_NUMBER) {
+
+                ret = wc_PKCS7_SetSignerIdentifierType(pkcs7,
+                        CMS_ISSUER_AND_SERIAL_NUMBER);
+                if (ret != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -11752;
+                }
+            }
+        }
+
+        /* encode envelopedData */
+        envelopedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, enveloped,
+                                                   sizeof(enveloped));
+        if (envelopedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -11753;
+        }
+
+        /* decode envelopedData */
+        decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, enveloped, envelopedSz,
+                                                 decoded, sizeof(decoded));
+        if (decodedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -11754;
+        }
+
+        /* test decode result */
+        if (XMEMCMP(decoded, data, sizeof(data)) != 0){
+            wc_PKCS7_Free(pkcs7);
+            return -11755;
+        }
+
+#ifndef NO_PKCS7_STREAM
+        { /* test reading byte by byte */
+            int z;
+            for (z = 0; z < envelopedSz; z++) {
+                decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, enveloped + z, 1,
+                                                 decoded, sizeof(decoded));
+                if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
+                    printf("unexpected error %d\n", decodedSz);
+                    return -11756;
+                }
+            }
+            /* test decode result */
+            if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
+                printf("stream read compare failed\n");
+                wc_PKCS7_Free(pkcs7);
+                return -11757;
+            }
+        }
+#endif
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* output pkcs7 envelopedData for external testing */
+        pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!pkcs7File) {
+            wc_PKCS7_Free(pkcs7);
+            return -11758;
+        }
+
+        ret = (int)XFWRITE(enveloped, 1, envelopedSz, pkcs7File);
+        XFCLOSE(pkcs7File);
+        if (ret != envelopedSz) {
+            wc_PKCS7_Free(pkcs7);
+            return -11759;
+        }
+#endif /* PKCS7_OUTPUT_TEST_BUNDLES */
+
+        wc_PKCS7_Free(pkcs7);
+        pkcs7 = NULL;
+    }
+
+    (void)eccCert;
+    (void)eccCertSz;
+    (void)eccPrivKey;
+    (void)eccPrivKeySz;
+    (void)rsaCert;
+    (void)rsaCertSz;
+    (void)rsaPrivKey;
+    (void)rsaPrivKeySz;
+
+    return 0;
+}
+
+
 int pkcs7enveloped_test(void)
 {
     int ret = 0;
 
-    int cipher = DES3b;
+    byte* rsaCert    = NULL;
+    byte* rsaPrivKey = NULL;
+    word32 rsaCertSz    = 0;
+    word32 rsaPrivKeySz = 0;
+
+    byte* eccCert    = NULL;
+    byte* eccPrivKey = NULL;
+    word32 eccCertSz    = 0;
+    word32 eccPrivKeySz = 0;
+
+#ifndef NO_RSA
+    /* read client RSA cert and key in DER format */
+    rsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (rsaCert == NULL)
+        return -11800;
+
+    rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (rsaPrivKey == NULL) {
+        XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -11801;
+    }
+
+    rsaCertSz = FOURK_BUF;
+    rsaPrivKeySz = FOURK_BUF;
+#endif /* NO_RSA */
+
+#ifdef HAVE_ECC
+    /* read client ECC cert and key in DER format */
+    eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (eccCert == NULL) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return -11802;
+    }
+
+    eccPrivKey =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (eccPrivKey == NULL) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -11803;
+    }
+
+    eccCertSz = FOURK_BUF;
+    eccPrivKeySz = FOURK_BUF;
+#endif /* HAVE_ECC */
+
+    ret = pkcs7_load_certs_keys(rsaCert, &rsaCertSz, rsaPrivKey,
+                                &rsaPrivKeySz, NULL, NULL, NULL, NULL,
+                                NULL, NULL, NULL, NULL, eccCert, &eccCertSz,
+                                eccPrivKey, &eccPrivKeySz);
+    if (ret < 0) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+    #ifdef HAVE_ECC
+        XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return -11804;
+    }
+
+    ret = pkcs7enveloped_run_vectors(rsaCert, (word32)rsaCertSz,
+                                     rsaPrivKey, (word32)rsaPrivKeySz,
+                                     eccCert, (word32)eccCertSz,
+                                     eccPrivKey, (word32)eccPrivKeySz);
+
+#ifndef NO_RSA
+    XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+#ifdef HAVE_ECC
+    XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+    return ret;
+}
+
+
+#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
+
+typedef struct {
+    const byte*  content;
+    word32       contentSz;
+    int          contentOID;
+    int          encryptOID;
+    int          keyWrapOID;
+    int          keyAgreeOID;
+    byte*        cert;
+    size_t       certSz;
+    byte*        privateKey;
+    word32       privateKeySz;
+    PKCS7Attrib* authAttribs;
+    word32       authAttribsSz;
+    PKCS7Attrib* unauthAttribs;
+    word32       unauthAttribsSz;
+
+    /* KARI / KTRI specific */
+    byte*        optionalUkm;
+    word32       optionalUkmSz;
+    int          ktriOptions;    /* KTRI options flags */
+    int          kariOptions;    /* KARI options flags */
+
+    /* KEKRI specific */
+    byte*        secretKey;      /* key, only for kekri RecipientInfo types */
+    word32       secretKeySz;    /* size of secretKey, bytes */
+    byte*        secretKeyId;    /* key identifier */
+    word32       secretKeyIdSz;  /* size of key identifier, bytes */
+    void*        timePtr;        /* time_t pointer */
+    byte*        otherAttrOID;   /* OPTIONAL, other attribute OID */
+    word32       otherAttrOIDSz; /* size of otherAttrOID, bytes */
+    byte*        otherAttr;      /* OPTIONAL, other attribute, ASN.1 encoded */
+    word32       otherAttrSz;    /* size of otherAttr, bytes */
+    int          kekriOptions;   /* KEKRI options flags */
+
+    /* PWRI specific */
+    char*        password;       /* password */
+    word32       passwordSz;     /* password size, bytes */
+    byte*        salt;           /* KDF salt */
+    word32       saltSz;         /* KDF salt size, bytes */
+    int          kdfOID;         /* KDF OID */
+    int          hashOID;        /* KDF hash algorithm OID */
+    int          kdfIterations;  /* KDF iterations */
+    int          kekEncryptOID;  /* KEK encryption algorithm OID */
+    int          pwriOptions;    /* PWRI options flags */
+
+    /* ORI specific */
+    int          isOri;
+    int          oriOptions;     /* ORI options flags */
+
+    const char*  outFileName;
+} pkcs7AuthEnvelopedVector;
+
+
+static int pkcs7authenveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
+                                          byte* rsaPrivKey,  word32 rsaPrivKeySz,
+                                          byte* eccCert, word32 eccCertSz,
+                                          byte* eccPrivKey,  word32 eccPrivKeySz)
+{
+    int ret, testSz, i;
     int envelopedSz, decodedSz;
-    PKCS7 pkcs7;
-    byte* cert;
-    byte* privKey;
-    byte  enveloped[2048];
-    byte  decoded[2048];
 
-    size_t certSz;
-    size_t privKeySz;
-    FILE*  certFile;
-    FILE*  keyFile;
-    FILE*  pkcs7File;
-    const char* pkcs7OutFile = "pkcs7envelopedData.der";
+    byte   enveloped[2048];
+    byte   decoded[2048];
+    WC_RNG rng;
+    PKCS7* pkcs7;
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE  pkcs7File;
+#endif
 
     const byte data[] = { /* Hello World */
         0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
         0x72,0x6c,0x64
     };
+    byte senderNonce[PKCS7_NONCE_SZ + 2];
+
+#ifdef HAVE_ECC
+    byte senderNonceOid[] =
+               { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
+                 0x09, 0x05 };
+
+    PKCS7Attrib attribs[] =
+    {
+        { senderNonceOid, sizeof(senderNonceOid), senderNonce,
+                                       sizeof(senderNonce) }
+    };
+#endif
+
+#if !defined(NO_AES) && defined(WOLFSSL_AES_256) && defined(HAVE_ECC) && \
+    defined(WOLFSSL_SHA512)
+    byte optionalUkm[] = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
+    };
+#endif /* NO_AES */
+
+#if !defined(NO_AES) && !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+    /* encryption key for kekri recipient types */
+    byte secretKey[] = {
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07
+    };
+
+    /* encryption key identifier */
+    byte secretKeyId[] = {
+        0x02,0x02,0x03,0x04
+    };
+#endif
+
+#if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM) && \
+    !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+
+    char password[] = "password";
+
+    byte salt[] = {
+        0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12
+    };
+#endif
+
+    const pkcs7AuthEnvelopedVector testVectors[] =
+    {
+        /* key transport key encryption technique */
+#ifndef NO_RSA
+    #if !defined(NO_AES) && defined(HAVE_AESGCM)
+        #ifdef WOLFSSL_AES_128
+        {data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
+         0, 0, "pkcs7authEnvelopedDataAES128GCM.der"},
+        #endif
+        #ifdef WOLFSSL_AES_192
+        {data, (word32)sizeof(data), DATA, AES192GCMb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
+         0, 0, "pkcs7authEnvelopedDataAES192GCM.der"},
+        #endif
+        #ifdef WOLFSSL_AES_256
+        {data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0,
+         0, 0, "pkcs7authEnvelopedDataAES256GCM.der"},
+
+        /* test with contentType set to FirmwarePkgData */
+        {data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256GCMb, 0, 0,
+         rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL,
+         0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL,
+         0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_firmwarePkgData.der"},
+
+        /* explicitly using SKID for SubjectKeyIdentifier */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0, CMS_SKID, 0,
+         NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0,
+         0, 0, 0, 0, 0, "pkcs7authEnvelopedDataAES256GCM_SKID.der"},
+
+        /* explicitly using IssuerAndSerialNumber for SubjectKeyIdentifier */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, 0, 0, rsaCert, rsaCertSz,
+         rsaPrivKey, rsaPrivKeySz, NULL, 0, NULL, 0, NULL, 0,
+         CMS_ISSUER_AND_SERIAL_NUMBER, 0, NULL, 0, NULL, 0, NULL, NULL, 0,
+         NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_IANDS.der"},
+        #endif
+    #endif /* NO_AES */
+#endif
+
+        /* key agreement key encryption technique*/
+#ifdef HAVE_ECC
+    #if !defined(NO_AES) && defined(HAVE_AESGCM)
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128GCMb, AES128_WRAP,
+         dhSinglePass_stdDH_sha1kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0,
+         NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der"},
+        #endif
+
+        #if !defined(NO_SHA256) && defined(WOLFSSL_AES_256)
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0,
+         NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF.der"},
+
+        /* with authenticated attributes */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
+         NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0,
+         0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_authAttribs.der"},
+
+        /* with unauthenticated attributes */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, attribs,
+         (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0,
+         0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_unauthAttribs.der"},
+
+        /* with authenticated AND unauthenticated attributes */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
+         attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0,
+         NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
+         0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_bothAttribs.der"},
+
+        /* with authenticated AND unauthenticated attributes AND
+         * contentType of FirmwarePkgData */
+        {data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha256kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)),
+         attribs, (sizeof(attribs) / sizeof(PKCS7Attrib)), NULL, 0, 0, 0,
+         NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
+         0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_fw_bothAttribs.der"},
+        #endif /* NO_SHA256 && WOLFSSL_AES_256 */
+
+        #if defined(WOLFSSL_SHA512) && defined(WOLFSSL_AES_256)
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL,
+         NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF.der"},
+
+        /* with optional user keying material (ukm) */
+        {data, (word32)sizeof(data), DATA, AES256GCMb, AES256_WRAP,
+         dhSinglePass_stdDH_sha512kdf_scheme, eccCert, eccCertSz, eccPrivKey,
+         eccPrivKeySz, NULL, 0, NULL, 0, optionalUkm, sizeof(optionalUkm), 0,
+         0, NULL, 0, NULL, 0, NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0,
+         0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF_ukm.der"},
+        #endif /* WOLFSSL_SHA512 && WOLFSSL_AES_256 */
+    #endif /* NO_AES */
+#endif
+
+        /* kekri (KEKRecipientInfo) recipient types */
+#if !defined(NO_AES) && defined(HAVE_AESGCM)
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128GCMb, AES128_WRAP, 0,
+         NULL, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 0, 0,
+         secretKey, sizeof(secretKey), secretKeyId, sizeof(secretKeyId),
+         NULL, NULL, 0, NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 0, 0,
+         "pkcs7authEnvelopedDataAES128GCM_KEKRI.der"},
+        #endif
+#endif
+
+        /* pwri (PasswordRecipientInfo) recipient types */
+#if !defined(NO_PWDBASED) && !defined(NO_AES) && defined(HAVE_AESGCM)
+        #if !defined(NO_SHA) && defined(WOLFSSL_AES_128)
+        {data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0,
+         NULL, 0, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0,
+         NULL, 0, NULL, NULL, 0, NULL, 0, 0, password,
+         (word32)XSTRLEN(password), salt, sizeof(salt), PBKDF2_OID, WC_SHA, 5,
+         AES128CBCb, 0, 0, 0, "pkcs7authEnvelopedDataAES128GCM_PWRI.der"},
+        #endif
+#endif
+
+#if !defined(NO_AES) && defined(HAVE_AESGCM)
+        #ifdef WOLFSSL_AES_128
+        /* ori (OtherRecipientInfo) recipient types */
+        {data, (word32)sizeof(data), DATA, AES128GCMb, 0, 0, NULL, 0, NULL, 0,
+         NULL, 0, NULL, 0, NULL, 0, 0, 0, NULL, 0, NULL, 0, NULL, NULL, 0,
+         NULL, 0, 0, NULL, 0, NULL, 0, 0, 0, 0, 0, 0, 1, 0,
+         "pkcs7authEnvelopedDataAES128GCM_ORI.der"},
+        #endif
+#endif
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7AuthEnvelopedVector);
+
+
+    /* generate senderNonce */
+    {
+#ifndef HAVE_FIPS
+        ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+        ret = wc_InitRng(&rng);
+#endif
+        if (ret != 0) {
+            return -11805;
+        }
 
-    /* read client cert and key in DER format */
-    cert = (byte*)malloc(FOURK_BUF);
-    if (cert == NULL)
-        return -201;
+        senderNonce[0] = 0x04;
+        senderNonce[1] = PKCS7_NONCE_SZ;
 
-    privKey = (byte*)malloc(FOURK_BUF);
-    if (privKey == NULL) {
-        free(cert);
-        return -202;
+        ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
+        if (ret != 0) {
+            wc_FreeRng(&rng);
+            return -11806;
+        }
+
+        wc_FreeRng(&rng);
     }
 
-    certFile = fopen(clientCert, "rb");
-    if (!certFile) {
-        free(cert);
-        free(privKey);
-        err_sys("can't open ./certs/client-cert.der, "
-                "Please run from wolfSSL home dir", -42);
-        return -42;
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT,
+        #ifdef WOLFSSL_ASYNC_CRYPT
+            INVALID_DEVID /* async PKCS7 is not supported */
+        #else
+            devId
+        #endif
+        );
+        if (pkcs7 == NULL)
+            return -11807;
+
+        if (testVectors[i].secretKey != NULL) {
+            /* KEKRI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11808;
+            }
+
+            pkcs7->content         = (byte*)testVectors[i].content;
+            pkcs7->contentSz       = testVectors[i].contentSz;
+            pkcs7->contentOID      = testVectors[i].contentOID;
+            pkcs7->encryptOID      = testVectors[i].encryptOID;
+            pkcs7->ukm             = testVectors[i].optionalUkm;
+            pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
+            pkcs7->authAttribs     = testVectors[i].authAttribs;
+            pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
+            pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
+            pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
+
+            ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, testVectors[i].keyWrapOID,
+                    testVectors[i].secretKey, testVectors[i].secretKeySz,
+                    testVectors[i].secretKeyId, testVectors[i].secretKeyIdSz,
+                    testVectors[i].timePtr, testVectors[i].otherAttrOID,
+                    testVectors[i].otherAttrOIDSz, testVectors[i].otherAttr,
+                    testVectors[i].otherAttrSz, testVectors[i].kekriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11809;
+            }
+
+            /* set key, for decryption */
+            ret = wc_PKCS7_SetKey(pkcs7, testVectors[i].secretKey,
+                                  testVectors[i].secretKeySz);
+
+            if (ret != 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11810;
+            }
+
+        } else if (testVectors[i].password != NULL) {
+        #ifndef NO_PWDBASED
+            /* PWRI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11811;
+            }
+
+            pkcs7->content         = (byte*)testVectors[i].content;
+            pkcs7->contentSz       = testVectors[i].contentSz;
+            pkcs7->contentOID      = testVectors[i].contentOID;
+            pkcs7->encryptOID      = testVectors[i].encryptOID;
+            pkcs7->ukm             = testVectors[i].optionalUkm;
+            pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
+            pkcs7->authAttribs     = testVectors[i].authAttribs;
+            pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
+            pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
+            pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
+
+            ret = wc_PKCS7_AddRecipient_PWRI(pkcs7,
+                    (byte*)testVectors[i].password,
+                    testVectors[i].passwordSz, testVectors[i].salt,
+                    testVectors[i].saltSz, testVectors[i].kdfOID,
+                    testVectors[i].hashOID, testVectors[i].kdfIterations,
+                    testVectors[i].kekEncryptOID, testVectors[i].pwriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11812;
+            }
+
+            /* set password, for decryption */
+            ret = wc_PKCS7_SetPassword(pkcs7, (byte*)testVectors[i].password,
+                    testVectors[i].passwordSz);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11813;
+            }
+
+        #endif /* NO_PWDBASED */
+        } else if (testVectors[i].isOri == 1) {
+            /* ORI recipient type */
+
+            ret = wc_PKCS7_Init(pkcs7, pkcs7->heap, pkcs7->devId);
+            if (ret != 0) {
+                return -11814;
+            }
+
+            pkcs7->content         = (byte*)testVectors[i].content;
+            pkcs7->contentSz       = testVectors[i].contentSz;
+            pkcs7->contentOID      = testVectors[i].contentOID;
+            pkcs7->encryptOID      = testVectors[i].encryptOID;
+            pkcs7->authAttribs     = testVectors[i].authAttribs;
+            pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
+            pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
+            pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
+
+            ret = wc_PKCS7_AddRecipient_ORI(pkcs7, myOriEncryptCb,
+                                            testVectors[i].oriOptions);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11815;
+            }
+
+            /* set decrypt callback for decryption */
+            ret = wc_PKCS7_SetOriDecryptCb(pkcs7, myOriDecryptCb);
+
+            if (ret < 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11816;
+            }
+
+        } else {
+            /* KTRI or KARI recipient types */
+
+            ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
+                                        (word32)testVectors[i].certSz);
+            if (ret != 0) {
+                wc_PKCS7_Free(pkcs7);
+                return -11817;
+            }
+
+            pkcs7->keyWrapOID      = testVectors[i].keyWrapOID;
+            pkcs7->keyAgreeOID     = testVectors[i].keyAgreeOID;
+            pkcs7->privateKey      = testVectors[i].privateKey;
+            pkcs7->privateKeySz    = testVectors[i].privateKeySz;
+            pkcs7->content         = (byte*)testVectors[i].content;
+            pkcs7->contentSz       = testVectors[i].contentSz;
+            pkcs7->contentOID      = testVectors[i].contentOID;
+            pkcs7->encryptOID      = testVectors[i].encryptOID;
+            pkcs7->ukm             = testVectors[i].optionalUkm;
+            pkcs7->ukmSz           = testVectors[i].optionalUkmSz;
+            pkcs7->authAttribs     = testVectors[i].authAttribs;
+            pkcs7->authAttribsSz   = testVectors[i].authAttribsSz;
+            pkcs7->unauthAttribs   = testVectors[i].unauthAttribs;
+            pkcs7->unauthAttribsSz = testVectors[i].unauthAttribsSz;
+
+            /* set SubjectIdentifier type for KTRI types */
+            if (testVectors[i].ktriOptions & CMS_SKID) {
+
+                ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
+                if (ret != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -11818;
+                }
+            } else if (testVectors[i].ktriOptions &
+                       CMS_ISSUER_AND_SERIAL_NUMBER) {
+
+                ret = wc_PKCS7_SetSignerIdentifierType(pkcs7,
+                        CMS_ISSUER_AND_SERIAL_NUMBER);
+                if (ret != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -11819;
+                }
+            }
+        }
+
+        /* encode envelopedData */
+        envelopedSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
+                                                       sizeof(enveloped));
+        if (envelopedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -11820;
+        }
+#ifndef NO_PKCS7_STREAM
+        { /* test reading byte by byte */
+            int z;
+            for (z = 0; z < envelopedSz; z++) {
+                decodedSz = wc_PKCS7_DecodeAuthEnvelopedData(pkcs7,
+                        enveloped + z, 1, decoded, sizeof(decoded));
+                if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
+                    printf("unexpected error %d\n", decodedSz);
+                    return -11821;
+                }
+            }
+            /* test decode result */
+            if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
+                printf("stream read compare failed\n");
+                wc_PKCS7_Free(pkcs7);
+                return -11822;
+            }
+        }
+#endif
+        /* decode envelopedData */
+        decodedSz = wc_PKCS7_DecodeAuthEnvelopedData(pkcs7, enveloped,
+                                                     envelopedSz, decoded,
+                                                     sizeof(decoded));
+        if (decodedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -11823;
+        }
+
+        /* test decode result */
+        if (XMEMCMP(decoded, data, sizeof(data)) != 0){
+            wc_PKCS7_Free(pkcs7);
+            return -11824;
+        }
+
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* output pkcs7 envelopedData for external testing */
+        pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!pkcs7File) {
+            wc_PKCS7_Free(pkcs7);
+            return -11825;
+        }
+
+        ret = (int)XFWRITE(enveloped, 1, envelopedSz, pkcs7File);
+        XFCLOSE(pkcs7File);
+        if (ret != envelopedSz) {
+            wc_PKCS7_Free(pkcs7);
+            return -11826;
+        }
+#endif /* PKCS7_OUTPUT_TEST_BUNDLES */
+
+        wc_PKCS7_Free(pkcs7);
+        pkcs7 = NULL;
     }
 
-    certSz = fread(cert, 1, FOURK_BUF, certFile);
-    fclose(certFile);
+#if !defined(HAVE_ECC) || defined(NO_AES)
+    (void)eccCert;
+    (void)eccCertSz;
+    (void)eccPrivKey;
+    (void)eccPrivKeySz;
+    (void)secretKey;
+    (void)secretKeyId;
+#endif
+#ifdef NO_RSA
+    (void)rsaCert;
+    (void)rsaCertSz;
+    (void)rsaPrivKey;
+    (void)rsaPrivKeySz;
+#endif
+    return 0;
+}
 
-    keyFile = fopen(clientKey, "rb");
-    if (!keyFile) {
-        free(cert);
-        free(privKey);
-        err_sys("can't open ./certs/client-key.der, "
-                "Please run from wolfSSL home dir", -43);
-        return -43;
+
+int pkcs7authenveloped_test(void)
+{
+    int ret = 0;
+
+    byte* rsaCert    = NULL;
+    byte* rsaPrivKey = NULL;
+    word32 rsaCertSz    = 0;
+    word32 rsaPrivKeySz = 0;
+
+    byte* eccCert    = NULL;
+    byte* eccPrivKey = NULL;
+    word32 eccCertSz    = 0;
+    word32 eccPrivKeySz = 0;
+
+#ifndef NO_RSA
+    /* read client RSA cert and key in DER format */
+    rsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (rsaCert == NULL)
+        return -11900;
+
+    rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (rsaPrivKey == NULL) {
+        XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -11901;
+    }
+
+    rsaCertSz = FOURK_BUF;
+    rsaPrivKeySz = FOURK_BUF;
+#endif /* NO_RSA */
+
+#ifdef HAVE_ECC
+    /* read client ECC cert and key in DER format */
+    eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (eccCert == NULL) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return -11902;
+    }
+
+    eccPrivKey =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (eccPrivKey == NULL) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -11903;
+    }
+
+    eccCertSz = FOURK_BUF;
+    eccPrivKeySz = FOURK_BUF;
+#endif /* HAVE_ECC */
+
+    ret = pkcs7_load_certs_keys(rsaCert, &rsaCertSz, rsaPrivKey,
+                                &rsaPrivKeySz, NULL, NULL, NULL, NULL,
+                                NULL, NULL, NULL, NULL, eccCert, &eccCertSz,
+                                eccPrivKey, &eccPrivKeySz);
+    if (ret < 0) {
+    #ifndef NO_RSA
+        XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+    #ifdef HAVE_ECC
+        XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    #endif
+        return -11904;
     }
 
-    privKeySz = fread(privKey, 1, FOURK_BUF, keyFile);
-    fclose(keyFile);
+    ret = pkcs7authenveloped_run_vectors(rsaCert, (word32)rsaCertSz,
+                                         rsaPrivKey, (word32)rsaPrivKeySz,
+                                         eccCert, (word32)eccCertSz,
+                                         eccPrivKey, (word32)eccPrivKeySz);
+
+#ifndef NO_RSA
+    XFREE(rsaCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+#ifdef HAVE_ECC
+    XFREE(eccCert,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(eccPrivKey, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
 
-    wc_PKCS7_InitWithCert(&pkcs7, cert, (word32)certSz);
-    pkcs7.content     = (byte*)data;
-    pkcs7.contentSz   = (word32)sizeof(data);
-    pkcs7.contentOID  = DATA;
-    pkcs7.encryptOID  = cipher;
-    pkcs7.privateKey  = privKey;
-    pkcs7.privateKeySz = (word32)privKeySz;
+    return ret;
+}
+
+#endif /* HAVE_AESGCM || HAVE_AESCCM */
+#ifndef NO_AES
+static const byte p7DefKey[] = {
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+};
+
+static const byte p7AltKey[] = {
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+};
 
-    /* encode envelopedData */
-    envelopedSz = wc_PKCS7_EncodeEnvelopedData(&pkcs7, enveloped,
-                                            sizeof(enveloped));
-    if (envelopedSz <= 0) {
-        free(cert);
-        free(privKey);
-        return -203;
+static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId,
+        word32 keyIdSz, byte* orginKey, word32 orginKeySz,
+        byte* out, word32 outSz, int keyWrapAlgo, int type, int direction)
+{
+    int ret;
+
+    if (cek == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    /* test case sanity checks */
+    if (keyIdSz != 1) {
+        return -11905;
     }
 
-    /* decode envelopedData */
-    decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, envelopedSz,
-                                          decoded, sizeof(decoded));
-    if (decodedSz <= 0) {
-        free(cert);
-        free(privKey);
-        return -204;
+    if (keyId[0] != 0x00) {
+        return -11906;
     }
 
-    /* test decode result */
-    if (memcmp(decoded, data, sizeof(data)) != 0) {
-        free(cert);
-        free(privKey);
-        return -205;
+    if (type != (int)PKCS7_KEKRI) {
+        return -11907;
+    }
+
+    switch (keyWrapAlgo) {
+        case AES256_WRAP:
+            ret = wc_AesKeyUnWrap(p7DefKey, sizeof(p7DefKey), cek, cekSz,
+                                      out, outSz, NULL);
+            if (ret <= 0)
+                return ret;
+            break;
+
+        default:
+            WOLFSSL_MSG("Unsupported key wrap algorithm in example");
+            return BAD_KEYWRAP_ALG_E;
+    };
+
+    (void)pkcs7;
+    (void)direction;
+    (void)orginKey; /* used with KAKRI */
+    (void)orginKeySz;
+    return ret;
+}
+
+
+/* returns key size on success */
+static int getFirmwareKey(PKCS7* pkcs7, byte* key, word32 keySz)
+{
+    int    ret;
+    word32 atrSz;
+    byte   atr[256];
+
+    /* Additionally can look for fwWrappedFirmwareKey
+     * 1.2.840.113529.1.9.16.1.16 */
+    const unsigned char fwWrappedFirmwareKey[] = {
+        /* 0x06, 0x0B */
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x10, 0x02, 0x27
+    };
+
+    /* find keyID in fwWrappedFirmwareKey */
+    ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
+            sizeof(fwWrappedFirmwareKey), NULL, &atrSz);
+    if (ret == LENGTH_ONLY_E) {
+        XMEMSET(atr, 0, sizeof(atr));
+        ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
+                sizeof(fwWrappedFirmwareKey), atr, &atrSz);
+
+        /* keyIdRaw[0] OCTET TAG */
+        /* keyIdRaw[1] Length */
+
+        if (ret > 0) {
+            PKCS7* envPkcs7;
+
+            envPkcs7 = wc_PKCS7_New(NULL, 0);
+            if (envPkcs7 == NULL) {
+                return MEMORY_E;
+            }
+
+            wc_PKCS7_Init(envPkcs7, NULL, 0);
+            ret = wc_PKCS7_SetWrapCEKCb(envPkcs7, myCEKwrapFunc);
+            if (ret == 0) {
+                /* expecting FIRMWARE_PKG_DATA content */
+                envPkcs7->contentOID = FIRMWARE_PKG_DATA;
+                ret = wc_PKCS7_DecodeEnvelopedData(envPkcs7, atr, atrSz,
+                    key, keySz);
+            }
+            wc_PKCS7_Free(envPkcs7);
+        }
     }
 
-    /* output pkcs7 envelopedData for external testing */
-    pkcs7File = fopen(pkcs7OutFile, "wb");
-    if (!pkcs7File) {
-        free(cert);
-        free(privKey);
-        return -206;
+    return ret;
+}
+
+/* create a KEKRI enveloped data
+ * return size on success */
+static int envelopedData_encrypt(byte* in, word32 inSz, byte* out,
+        word32 outSz)
+{
+    int ret;
+    PKCS7* pkcs7;
+    const byte keyId[] = { 0x00 };
+
+    pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
+    if (pkcs7 == NULL)
+        return -11908;
+
+    pkcs7->content     = in;
+    pkcs7->contentSz   = inSz;
+    pkcs7->contentOID  = FIRMWARE_PKG_DATA;
+    pkcs7->encryptOID  = AES256CBCb;
+    pkcs7->ukm         = NULL;
+    pkcs7->ukmSz       = 0;
+
+    /* add recipient (KEKRI type) */
+    ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, AES256_WRAP, (byte*)p7DefKey,
+                                      sizeof(p7DefKey), (byte*)keyId,
+                                      sizeof(keyId), NULL, NULL, 0, NULL, 0, 0);
+    if (ret < 0) {
+        printf("wc_PKCS7_AddRecipient_KEKRI() failed, ret = %d\n", ret);
+        wc_PKCS7_Free(pkcs7);
+        return -11909;
     }
 
-    ret = (int)fwrite(enveloped, envelopedSz, 1, pkcs7File);
-    fclose(pkcs7File);
+    /* encode envelopedData, returns size */
+    ret = wc_PKCS7_EncodeEnvelopedData(pkcs7, out, outSz);
+    if (ret <= 0) {
+        printf("wc_PKCS7_EncodeEnvelopedData() failed, ret = %d\n", ret);
+        wc_PKCS7_Free(pkcs7);
+        return -11910;
 
-    free(cert);
-    free(privKey);
-    wc_PKCS7_Free(&pkcs7);
+    }
 
-    if (ret > 0)
-        return 0;
+    wc_PKCS7_Free(pkcs7);
 
     return ret;
 }
 
-int pkcs7signed_test(void)
+
+/*
+ * keyHint is the KeyID to be set in the fwDecryptKeyID attribute
+ * returns size of buffer output on success
+ */
+static int generateBundle(byte* out, word32 *outSz, const byte* encryptKey,
+        word32 encryptKeySz, byte keyHint, byte* cert, word32 certSz,
+        byte* key, word32 keySz)
+{
+    int ret, attribNum = 1;
+    PKCS7* pkcs7;
+
+    /* KEY ID
+     * fwDecryptKeyID OID 1.2.840.113549.1.9.16.2.37
+     */
+    const unsigned char fwDecryptKeyID[] = {
+        0x06, 0x0B,
+        0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x10, 0x02, 0x25
+    };
+
+    /* fwWrappedFirmwareKey 1.2.840.113529.1.9.16.1.16 */
+    const unsigned char fwWrappedFirmwareKey[] = {
+        0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+        0x01, 0x09, 0x10, 0x02, 0x27
+    };
+
+    byte keyID[] = { 0x04, 0x01, 0x00 };
+    byte env[256];
+    char data[] = "Test of wolfSSL PKCS7 decrypt callback";
+
+    PKCS7Attrib attribs[] =
+    {
+        { fwDecryptKeyID, sizeof(fwDecryptKeyID), keyID, sizeof(keyID) },
+        { fwWrappedFirmwareKey, sizeof(fwWrappedFirmwareKey), env, 0 }
+    };
+
+    keyID[2] = keyHint;
+
+    /* If using keyHint 0 then create a bundle with fwWrappedFirmwareKey */
+    if (keyHint == 0) {
+        ret = envelopedData_encrypt((byte*)p7DefKey, sizeof(p7DefKey), env,
+                sizeof(env));
+        if (ret <= 0) {
+            return ret;
+        }
+        attribs[1].valueSz = ret;
+        attribNum++;
+    }
+
+    /* init PKCS7 */
+    pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
+    if (pkcs7 == NULL)
+        return -11911;
+
+    ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
+    if (ret != 0) {
+        printf("ERROR: wc_PKCS7_InitWithCert() failed, ret = %d\n", ret);
+        wc_PKCS7_Free(pkcs7);
+        return -11912;
+    }
+
+    ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return -11913;
+    }
+
+    /* encode Signed Encrypted FirmwarePkgData */
+    if (encryptKeySz == 16) {
+        ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
+                encryptKeySz, key, keySz, AES128CBCb, RSAk, SHA256h,
+                (byte*)data, sizeof(data), NULL, 0,
+                attribs, attribNum, out, *outSz);
+    }
+    else {
+        ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
+                encryptKeySz, key, keySz, AES256CBCb, RSAk, SHA256h,
+                (byte*)data, sizeof(data), NULL, 0,
+                attribs, attribNum, out, *outSz);
+    }
+    if (ret <= 0) {
+        printf("ERROR: wc_PKCS7_EncodeSignedEncryptedFPD() failed, "
+                "ret = %d\n", ret);
+        wc_PKCS7_Free(pkcs7);
+        return -11914;
+
+    } else {
+        *outSz = ret;
+    }
+
+    wc_PKCS7_Free(pkcs7);
+
+    return ret;
+}
+
+
+/* test verification and decryption of PKCS7 bundle
+ * return 0 on success
+ */
+static int verifyBundle(byte* derBuf, word32 derSz, int keyHint)
 {
     int ret = 0;
+    int usrCtx = 1; /* test value to pass as user context to callback */
+    PKCS7* pkcs7;
+    byte*  sid;
+    word32 sidSz;
+    byte key[256];
+    word32 keySz = sizeof(key);
+
+    byte decoded[FOURK_BUF/2];
+    int  decodedSz = FOURK_BUF/2;
+
+    const byte expectedSid[] = {
+        0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
+        0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
+        0xD7, 0x85, 0x65, 0xC0
+    };
 
-    FILE* file;
-    byte* certDer;
-    byte* keyDer;
-    byte* out;
-    char data[] = "Hello World";
-    word32 dataSz, outSz, certDerSz, keyDerSz;
-    PKCS7 msg;
-    RNG rng;
-
-    byte transIdOid[] =
+    pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
+    if (pkcs7 == NULL) {
+        return MEMORY_E;
+    }
+
+    /* Test verify */
+    ret = wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+    ret = wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+    ret = wc_PKCS7_VerifySignedData(pkcs7, derBuf, derSz);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+
+    /* Get size of SID and print it out */
+    ret = wc_PKCS7_GetSignerSID(pkcs7, NULL, &sidSz);
+    if (ret != LENGTH_ONLY_E) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+
+    sid = (byte*)XMALLOC(sidSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (sid == NULL) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+
+    ret = wc_PKCS7_GetSignerSID(pkcs7, sid, &sidSz);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        XFREE(sid, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return ret;
+    }
+    ret = XMEMCMP(sid, expectedSid, sidSz);
+    XFREE(sid, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+
+    /* get expected fwWrappedFirmwareKey */
+    if (keyHint == 0) {
+        ret = getFirmwareKey(pkcs7, key, keySz);
+        if (ret < 0) {
+            wc_PKCS7_Free(pkcs7);
+            return ret;
+        }
+        pkcs7->encryptionKey = key;
+        pkcs7->encryptionKeySz = ret;
+    }
+    else {
+        decodedSz = sizeof(decoded);
+        ret = wc_PKCS7_SetDecodeEncryptedCb(pkcs7, myDecryptionFunc);
+        if (ret != 0) {
+            wc_PKCS7_Free(pkcs7);
+            return ret;
+        }
+
+        ret = wc_PKCS7_SetDecodeEncryptedCtx(pkcs7, (void*)&usrCtx);
+        if (ret != 0) {
+            wc_PKCS7_Free(pkcs7);
+            return ret;
+        }
+    }
+
+    decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
+            pkcs7->contentSz, decoded, decodedSz);
+    if (decodedSz < 0) {
+        ret = decodedSz;
+        wc_PKCS7_Free(pkcs7);
+        return ret;
+    }
+
+    wc_PKCS7_Free(pkcs7);
+    return 0;
+}
+
+
+int pkcs7callback_test(byte* cert, word32 certSz, byte* key, word32 keySz)
+{
+
+    int ret = 0;
+    byte derBuf[FOURK_BUF/2];
+    word32 derSz = FOURK_BUF/2;
+
+    /* Doing default generation and verify */
+    ret = generateBundle(derBuf, &derSz, p7DefKey, sizeof(p7DefKey), 0, cert,
+            certSz, key, keySz);
+    if (ret <= 0) {
+        return -11915;
+    }
+
+    ret = verifyBundle(derBuf, derSz, 0);
+    if (ret != 0) {
+        return -11916;
+    }
+
+    /* test choosing other key with keyID */
+    derSz = FOURK_BUF/2;
+    ret = generateBundle(derBuf, &derSz, p7AltKey, sizeof(p7AltKey), 1,
+            cert, certSz, key, keySz);
+    if (ret <= 0) {
+        return -11917;
+    }
+
+    ret = verifyBundle(derBuf, derSz, 1);
+    if (ret != 0) {
+        return -11918;
+    }
+
+    /* test fail case with wrong keyID */
+    derSz = FOURK_BUF/2;
+    ret = generateBundle(derBuf, &derSz, p7DefKey, sizeof(p7DefKey), 1,
+            cert, certSz, key, keySz);
+    if (ret <= 0) {
+        return -11919;
+    }
+
+    ret = verifyBundle(derBuf, derSz, 1);
+    if (ret == 0) {
+        return -11920;
+    }
+
+    return 0;
+}
+#endif /* NO_AES */
+
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+
+typedef struct {
+    const byte*  content;
+    word32       contentSz;
+    int          contentOID;
+    int          encryptOID;
+    byte*        encryptionKey;
+    word32       encryptionKeySz;
+    PKCS7Attrib* attribs;
+    word32       attribsSz;
+    const char*  outFileName;
+} pkcs7EncryptedVector;
+
+
+int pkcs7encrypted_test(void)
+{
+    int ret = 0;
+    int i, testSz;
+    int encryptedSz, decodedSz, attribIdx;
+    PKCS7* pkcs7;
+    byte  encrypted[2048];
+    byte  decoded[2048];
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE pkcs7File;
+#endif
+
+    PKCS7Attrib* expectedAttrib;
+    PKCS7DecodedAttrib* decodedAttrib;
+
+    const byte data[] = { /* Hello World */
+        0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
+        0x72,0x6c,0x64
+    };
+
+#ifndef NO_DES3
+    byte desKey[] = {
+        0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
+    };
+    byte des3Key[] = {
+        0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
+        0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
+        0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
+    };
+#endif
+
+#ifndef NO_AES
+#ifdef WOLFSSL_AES_128
+    byte aes128Key[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+#endif
+#ifdef WOLFSSL_AES_192
+    byte aes192Key[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+#endif
+#ifdef WOLFSSL_AES_256
+    byte aes256Key[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+#endif
+
+#ifdef WOLFSSL_AES_256
+    /* Attribute example from RFC 4134, Section 7.2
+     * OID = 1.2.5555
+     * OCTET STRING = 'This is a test General ASN Attribute, number 1.' */
+    static byte genAttrOid[] = { 0x06, 0x03, 0x2a, 0xab, 0x33 };
+    static byte genAttr[] = { 0x04, 47,
+                              0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+                              0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
+                              0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
+                              0x53, 0x4e, 0x20, 0x41, 0x74, 0x74, 0x72, 0x69,
+                              0x62, 0x75, 0x74, 0x65, 0x2c, 0x20, 0x6e, 0x75,
+                              0x6d, 0x62, 0x65, 0x72, 0x20, 0x31, 0x2e };
+
+    static byte genAttrOid2[] = { 0x06, 0x03, 0x2a, 0xab, 0x34 };
+    static byte genAttr2[] = { 0x04, 47,
+                              0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+                              0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x47,
+                              0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x20, 0x41,
+                              0x53, 0x4e, 0x20, 0x41, 0x74, 0x74, 0x72, 0x69,
+                              0x62, 0x75, 0x74, 0x65, 0x2c, 0x20, 0x6e, 0x75,
+                              0x6d, 0x62, 0x65, 0x72, 0x20, 0x32, 0x2e };
+
+    PKCS7Attrib attribs[] =
+    {
+        { genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) }
+    };
+
+    PKCS7Attrib multiAttribs[] =
+    {
+        { genAttrOid, sizeof(genAttrOid), genAttr, sizeof(genAttr) },
+        { genAttrOid2, sizeof(genAttrOid2), genAttr2, sizeof(genAttr2) }
+    };
+#endif
+#endif /* NO_AES */
+
+    const pkcs7EncryptedVector testVectors[] =
+    {
+#ifndef NO_DES3
+        {data, (word32)sizeof(data), DATA, DES3b, des3Key, sizeof(des3Key),
+         NULL, 0, "pkcs7encryptedDataDES3.der"},
+
+        {data, (word32)sizeof(data), DATA, DESb, desKey, sizeof(desKey),
+         NULL, 0, "pkcs7encryptedDataDES.der"},
+#endif /* NO_DES3 */
+
+#ifndef NO_AES
+    #ifdef WOLFSSL_AES_128
+        {data, (word32)sizeof(data), DATA, AES128CBCb, aes128Key,
+         sizeof(aes128Key), NULL, 0, "pkcs7encryptedDataAES128CBC.der"},
+    #endif
+    #ifdef WOLFSSL_AES_192
+        {data, (word32)sizeof(data), DATA, AES192CBCb, aes192Key,
+         sizeof(aes192Key), NULL, 0, "pkcs7encryptedDataAES192CBC.der"},
+    #endif
+    #ifdef WOLFSSL_AES_256
+        {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
+         sizeof(aes256Key), NULL, 0, "pkcs7encryptedDataAES256CBC.der"},
+
+        /* test with optional unprotected attributes */
+        {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
+         sizeof(aes256Key), attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7encryptedDataAES256CBC_attribs.der"},
+
+        /* test with multiple optional unprotected attributes */
+        {data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
+         sizeof(aes256Key), multiAttribs,
+         (sizeof(multiAttribs)/sizeof(PKCS7Attrib)),
+         "pkcs7encryptedDataAES256CBC_multi_attribs.der"},
+
+        /* test with contentType set to FirmwarePkgData */
+        {data, (word32)sizeof(data), FIRMWARE_PKG_DATA, AES256CBCb, aes256Key,
+         sizeof(aes256Key), NULL, 0,
+         "pkcs7encryptedDataAES256CBC_firmwarePkgData.der"},
+    #endif
+#endif /* NO_AES */
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7EncryptedVector);
+
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12000;
+
+        pkcs7->content              = (byte*)testVectors[i].content;
+        pkcs7->contentSz            = testVectors[i].contentSz;
+        pkcs7->contentOID           = testVectors[i].contentOID;
+        pkcs7->encryptOID           = testVectors[i].encryptOID;
+        pkcs7->encryptionKey        = testVectors[i].encryptionKey;
+        pkcs7->encryptionKeySz      = testVectors[i].encryptionKeySz;
+        pkcs7->unprotectedAttribs   = testVectors[i].attribs;
+        pkcs7->unprotectedAttribsSz = testVectors[i].attribsSz;
+
+        /* encode encryptedData */
+        encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
+                                                   sizeof(encrypted));
+        if (encryptedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -12001;
+        }
+
+        /* decode encryptedData */
+#ifndef NO_PKCS7_STREAM
+        { /* test reading byte by byte */
+            int z;
+            for (z = 0; z < encryptedSz; z++) {
+                decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted + z, 1,
+                                                 decoded, sizeof(decoded));
+                if (decodedSz <= 0 && decodedSz != WC_PKCS7_WANT_READ_E) {
+                    printf("unexpected error %d\n", decodedSz);
+                    return -12002;
+                }
+            }
+            /* test decode result */
+            if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
+                printf("stream read failed\n");
+                wc_PKCS7_Free(pkcs7);
+                return -12003;
+            }
+        }
+#endif
+        decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
+                                                 decoded, sizeof(decoded));
+        if (decodedSz <= 0){
+            wc_PKCS7_Free(pkcs7);
+            return -12004;
+        }
+
+        /* test decode result */
+        if (XMEMCMP(decoded, data, sizeof(data)) != 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -12005;
+        }
+
+        /* verify decoded unprotected attributes */
+        if (pkcs7->decodedAttrib != NULL) {
+            decodedAttrib = pkcs7->decodedAttrib;
+            attribIdx = 1;
+
+            while (decodedAttrib != NULL) {
+
+                /* expected attribute, stored list is reversed */
+                expectedAttrib = &(pkcs7->unprotectedAttribs
+                        [pkcs7->unprotectedAttribsSz - attribIdx]);
+
+                /* verify oid */
+                if (XMEMCMP(decodedAttrib->oid, expectedAttrib->oid,
+                            decodedAttrib->oidSz) != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -12006;
+                }
+
+                /* verify value */
+                if (XMEMCMP(decodedAttrib->value, expectedAttrib->value,
+                            decodedAttrib->valueSz) != 0) {
+                    wc_PKCS7_Free(pkcs7);
+                    return -12007;
+                }
+
+                decodedAttrib = decodedAttrib->next;
+                attribIdx++;
+            }
+        }
+
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* output pkcs7 envelopedData for external testing */
+        pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!pkcs7File) {
+            wc_PKCS7_Free(pkcs7);
+            return -12008;
+        }
+
+        ret = (int)XFWRITE(encrypted, encryptedSz, 1, pkcs7File);
+        XFCLOSE(pkcs7File);
+
+        if (ret > 0)
+            ret = 0;
+#endif
+
+        wc_PKCS7_Free(pkcs7);
+    }
+
+    return ret;
+}
+
+#endif /* NO_PKCS7_ENCRYPTED_DATA */
+
+
+#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+
+typedef struct {
+    const byte*  content;
+    word32       contentSz;
+    int          contentOID;
+    const char*  outFileName;
+} pkcs7CompressedVector;
+
+
+int pkcs7compressed_test(void)
+{
+    int ret = 0;
+    int i, testSz;
+    int compressedSz, decodedSz;
+    PKCS7* pkcs7;
+    byte  compressed[2048];
+    byte  decoded[2048];
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE pkcs7File;
+#endif
+
+    const byte data[] = { /* Hello World */
+        0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
+        0x72,0x6c,0x64
+    };
+
+    const pkcs7CompressedVector testVectors[] =
+    {
+        {data, (word32)sizeof(data), DATA,
+            "pkcs7compressedData_data_zlib.der"},
+        {data, (word32)sizeof(data), FIRMWARE_PKG_DATA,
+            "pkcs7compressedData_firmwarePkgData_zlib.der"},
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7CompressedVector);
+
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12100;
+
+        pkcs7->content              = (byte*)testVectors[i].content;
+        pkcs7->contentSz            = testVectors[i].contentSz;
+        pkcs7->contentOID           = testVectors[i].contentOID;
+
+        /* encode compressedData */
+        compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, compressed,
+                                                   sizeof(compressed));
+        if (compressedSz <= 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -12101;
+        }
+
+        /* decode compressedData */
+        decodedSz = wc_PKCS7_DecodeCompressedData(pkcs7, compressed,
+                                                  compressedSz, decoded,
+                                                  sizeof(decoded));
+        if (decodedSz <= 0){
+            wc_PKCS7_Free(pkcs7);
+            return -12102;
+        }
+
+        /* test decode result */
+        if (XMEMCMP(decoded, testVectors[i].content,
+                    testVectors[i].contentSz) != 0) {
+            wc_PKCS7_Free(pkcs7);
+            return -12103;
+        }
+
+        /* make sure content type is the same */
+        if (testVectors[i].contentOID != pkcs7->contentOID)
+            return -12104;
+
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* output pkcs7 compressedData for external testing */
+        pkcs7File = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!pkcs7File) {
+            wc_PKCS7_Free(pkcs7);
+            return -12105;
+        }
+
+        ret = (int)XFWRITE(compressed, compressedSz, 1, pkcs7File);
+        XFCLOSE(pkcs7File);
+
+        if (ret > 0)
+            ret = 0;
+#endif
+
+        wc_PKCS7_Free(pkcs7);
+    }
+
+    return ret;
+} /* pkcs7compressed_test() */
+
+#endif /* HAVE_LIBZ */
+
+
+typedef struct {
+    const byte*  content;
+    word32       contentSz;
+    int          hashOID;
+    int          signOID;
+    byte*        privateKey;
+    word32       privateKeySz;
+    byte*        cert;
+    size_t       certSz;
+    byte*        caCert;
+    size_t       caCertSz;
+    PKCS7Attrib* signedAttribs;
+    word32       signedAttribsSz;
+    const char*  outFileName;
+    int          contentOID;
+    byte*        contentType;
+    word32       contentTypeSz;
+    int          sidType;
+    int          encryptOID;   /* for single-shot encrypt alg OID */
+    int          encCompFlag;  /* for single-shot. 1 = enc, 2 = comp, 3 = both*/
+    byte*        encryptKey;   /* for single-shot, encryptedData */
+    word32       encryptKeySz; /* for single-shot, encryptedData */
+    PKCS7Attrib* unprotectedAttribs;   /* for single-shot, encryptedData */
+    word32       unprotectedAttribsSz; /* for single-shot, encryptedData */
+    word16       detachedSignature;    /* generate detached signature (0:1) */
+} pkcs7SignedVector;
+
+
+static int pkcs7signed_run_vectors(
+                        byte* rsaClientCertBuf, word32 rsaClientCertBufSz,
+                        byte* rsaClientPrivKeyBuf, word32 rsaClientPrivKeyBufSz,
+                        byte* rsaServerCertBuf, word32 rsaServerCertBufSz,
+                        byte* rsaServerPrivKeyBuf, word32 rsaServerPrivKeyBufSz,
+                        byte* rsaCaCertBuf, word32 rsaCaCertBufSz,
+                        byte* rsaCaPrivKeyBuf, word32 rsaCaPrivKeyBufSz,
+                        byte* eccClientCertBuf, word32 eccClientCertBufSz,
+                        byte* eccClientPrivKeyBuf, word32 eccClientPrivKeyBufSz)
+{
+    int ret, testSz, i;
+    int encodedSz;
+    byte*  out;
+    word32 outSz;
+    WC_RNG rng;
+    PKCS7* pkcs7;
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE  file;
+#endif
+
+    const byte data[] = { /* Hello World */
+        0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
+        0x72,0x6c,0x64
+    };
+
+    static byte transIdOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x07 };
-    byte messageTypeOid[] =
+    static byte messageTypeOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x02 };
-    byte senderNonceOid[] =
+    static byte senderNonceOid[] =
                { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
                  0x09, 0x05 };
-    byte transId[(SHA_DIGEST_SIZE + 1) * 2 + 1];
-    byte messageType[] = { 0x13, 2, '1', '9' };
-    byte senderNonce[PKCS7_NONCE_SZ + 2];
+#ifndef NO_SHA
+    static byte transId[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
+#else
+    static byte transId[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
+#endif
+    static byte messageType[] = { 0x13, 2, '1', '9' };
+    static byte senderNonce[PKCS7_NONCE_SZ + 2];
 
     PKCS7Attrib attribs[] =
     {
-        { transIdOid, sizeof(transIdOid),
-                     transId, sizeof(transId) - 1 }, /* take off the null */
-        { messageTypeOid, sizeof(messageTypeOid),
-                     messageType, sizeof(messageType) },
-        { senderNonceOid, sizeof(senderNonceOid),
-                     senderNonce, sizeof(senderNonce) }
+        { transIdOid, sizeof(transIdOid), transId,
+                               sizeof(transId) - 1 }, /* take off the null */
+        { messageTypeOid, sizeof(messageTypeOid), messageType,
+                                       sizeof(messageType) },
+        { senderNonceOid, sizeof(senderNonceOid), senderNonce,
+                                       sizeof(senderNonce) }
     };
 
-    dataSz = (word32) strlen(data);
+    /* for testing custom contentType, FirmwarePkgData */
+    byte customContentType[] = { 0x06, 0x0B, 0x2A, 0x86,
+                                 0x48, 0x86, 0xF7, 0x0D,
+                                 0x01, 0x09, 0x10, 0x01, 0x10 };
+
+    const pkcs7SignedVector testVectors[] =
+    {
+#ifndef NO_RSA
+    #ifndef NO_SHA
+        /* RSA with SHA */
+        {data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL,
+         0, 0},
+
+        /* RSA with SHA, no signed attributes */
+        {data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz,
+         NULL, 0, NULL, 0,
+         "pkcs7signedData_RSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #ifdef WOLFSSL_SHA224
+        /* RSA with SHA224 */
+        {data, (word32)sizeof(data), SHA224h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #ifndef NO_SHA256
+        /* RSA with SHA256 */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+
+        /* RSA with SHA256, detached signature */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256_detachedSig.der", 0, NULL, 0, 0, 0, 0,
+         NULL, 0, NULL, 0, 1},
+
+        /* RSA with SHA256 and SubjectKeyIdentifier in SignerIdentifier */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
+        NULL, 0, NULL, 0, 0},
+
+        /* RSA with SHA256 and custom contentType */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256_custom_contentType.der", 0,
+         customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+
+        /* RSA with SHA256 and FirmwarePkgData contentType */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256_firmwarePkgData.der",
+         FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0},
+
+        /* RSA with SHA256 using server cert and ca cert */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
+         rsaServerPrivKeyBufSz, rsaServerCertBuf, rsaServerCertBufSz,
+         rsaCaCertBuf, rsaCaCertBufSz,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA256_with_ca_cert.der", 0, NULL, 0, 0, 0, 0,
+        NULL, 0, NULL, 0, 0},
+    #endif
+    #if defined(WOLFSSL_SHA384)
+        /* RSA with SHA384 */
+        {data, (word32)sizeof(data), SHA384h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #if defined(WOLFSSL_SHA512)
+        /* RSA with SHA512 */
+        {data, (word32)sizeof(data), SHA512h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_RSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+#endif /* NO_RSA */
+
+#ifdef HAVE_ECC
+    #ifndef NO_SHA
+        /* ECDSA with SHA */
+        {data, (word32)sizeof(data), SHAh, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+
+        /* ECDSA with SHA, no signed attributes */
+        {data, (word32)sizeof(data), SHAh, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz,
+         NULL, 0, NULL, 0,
+         "pkcs7signedData_ECDSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #ifdef WOLFSSL_SHA224
+        /* ECDSA with SHA224 */
+        {data, (word32)sizeof(data), SHA224h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #ifndef NO_SHA256
+        /* ECDSA with SHA256 */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+
+        /* ECDSA with SHA256 and SubjectKeyIdentifier in SigherIdentifier */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
+        NULL, 0, NULL, 0, 0},
+
+        /* ECDSA with SHA256 and custom contentType */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA256_custom_contentType.der", 0,
+         customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+
+        /* ECDSA with SHA256 and FirmwarePkgData contentType */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA256_firmwarePkgData.der",
+         FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0},
+    #endif
+    #ifdef WOLFSSL_SHA384
+        /* ECDSA with SHA384 */
+        {data, (word32)sizeof(data), SHA384h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+    #ifdef WOLFSSL_SHA512
+        /* ECDSA with SHA512 */
+        {data, (word32)sizeof(data), SHA512h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedData_ECDSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
+         NULL, 0, 0},
+    #endif
+#endif /* HAVE_ECC */
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7SignedVector);
+
     outSz = FOURK_BUF;
+    out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (out == NULL)
+        return -12106;
+
+    XMEMSET(out, 0, outSz);
 
-    certDer = (byte*)malloc(FOURK_BUF);
-    if (certDer == NULL)
-        return -207;
-    keyDer = (byte*)malloc(FOURK_BUF);
-    if (keyDer == NULL) {
-        free(certDer);
-        return -208;
+    ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16);
+    if (ret < 0) {
+        XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -12107;
     }
-    out = (byte*)malloc(FOURK_BUF);
-    if (out == NULL) {
-        free(certDer);
-        free(keyDer);
-        return -209;
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0) {
+        XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -12108;
     }
 
-    /* read in DER cert of recipient, into cert of size certSz */
-    file = fopen(clientCert, "rb");
-    if (!file) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        err_sys("can't open ./certs/client-cert.der, "
-                "Please run from wolfSSL home dir", -44);
-        return -44;
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12109;
+
+        ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
+                                    (word32)testVectors[i].certSz);
+
+        if (ret != 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12110;
+        }
+
+        /* load CA certificate, if present */
+        if (testVectors[i].caCert != NULL) {
+            ret = wc_PKCS7_AddCertificate(pkcs7, testVectors[i].caCert,
+                                          (word32)testVectors[i].caCertSz);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12111;
+            }
+        }
+
+        pkcs7->rng             = &rng;
+        pkcs7->content         = (byte*)testVectors[i].content;
+        pkcs7->contentSz       = testVectors[i].contentSz;
+        pkcs7->contentOID      = testVectors[i].contentOID;
+        pkcs7->hashOID         = testVectors[i].hashOID;
+        pkcs7->encryptOID      = testVectors[i].signOID;
+        pkcs7->privateKey      = testVectors[i].privateKey;
+        pkcs7->privateKeySz    = testVectors[i].privateKeySz;
+        pkcs7->signedAttribs   = testVectors[i].signedAttribs;
+        pkcs7->signedAttribsSz = testVectors[i].signedAttribsSz;
+
+        /* optional custom contentType, default is DATA,
+           overrides contentOID if set */
+        if (testVectors[i].contentType != NULL) {
+            ret = wc_PKCS7_SetContentType(pkcs7, testVectors[i].contentType,
+                                          testVectors[i].contentTypeSz);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12112;
+            }
+        }
+
+        /* set SignerIdentifier to use SubjectKeyIdentifier if desired,
+           default is IssuerAndSerialNumber */
+        if (testVectors[i].sidType == CMS_SKID) {
+            ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12113;
+            }
+        }
+
+        /* generate senderNonce */
+        {
+            senderNonce[0] = 0x04;
+            senderNonce[1] = PKCS7_NONCE_SZ;
+
+            ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12114;
+            }
+        }
+
+        /* generate transactionID (used with SCEP) */
+        {
+        #ifndef NO_SHA
+            wc_Sha sha;
+            byte digest[WC_SHA_DIGEST_SIZE];
+        #else
+            wc_Sha256 sha;
+            byte digest[WC_SHA256_DIGEST_SIZE];
+        #endif
+            int j,k;
+
+            transId[0] = 0x13;
+            transId[1] = sizeof(digest) * 2;
+
+        #ifndef NO_SHA
+            ret = wc_InitSha_ex(&sha, HEAP_HINT, devId);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12115;
+            }
+            wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
+            wc_ShaFinal(&sha, digest);
+            wc_ShaFree(&sha);
+        #else
+            ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12116;
+            }
+            wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
+            wc_Sha256Final(&sha, digest);
+            wc_Sha256Free(&sha);
+        #endif
+
+            for (j = 0, k = 2; j < (int)sizeof(digest); j++, k += 2) {
+                XSNPRINTF((char*)&transId[k], 3, "%02x", digest[j]);
+            }
+        }
+
+        /* enable detached signature generation, if set */
+        if (testVectors[i].detachedSignature == 1) {
+            ret = wc_PKCS7_SetDetached(pkcs7, 1);
+            if (ret != 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12117;
+            }
+        }
+
+        encodedSz = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);
+        if (encodedSz < 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12118;
+        }
+
+    #ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* write PKCS#7 to output file for more testing */
+        file = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!file) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12119;
+        }
+        ret = (int)XFWRITE(out, 1, encodedSz, file);
+        XFCLOSE(file);
+        if (ret != (int)encodedSz) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12120;
+        }
+    #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
+
+        wc_PKCS7_Free(pkcs7);
+
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12121;
+        wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
+
+        if (testVectors[i].detachedSignature == 1) {
+            /* set content for verifying detached signatures */
+            pkcs7->content         = (byte*)testVectors[i].content;
+            pkcs7->contentSz       = testVectors[i].contentSz;
+        }
+
+        ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
+        if (ret < 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12122;
+        }
+
+        /* verify contentType extracted successfully for custom content types */
+        if (testVectors[i].contentTypeSz > 0) {
+            if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) {
+                return -12123;
+            } else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType,
+                       pkcs7->contentTypeSz) != 0) {
+                return -12124;
+            }
+        }
+
+        if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12125;
+        }
+
+        {
+            /* check getting signed attributes */
+        #ifndef NO_SHA
+            byte buf[(WC_SHA_DIGEST_SIZE + 1) * 2 + 1];
+        #else
+            byte buf[(WC_SHA256_DIGEST_SIZE + 1) * 2 + 1];
+        #endif
+            byte* oidPt = transIdOid + 2;  /* skip object id tag and size */
+            int oidSz = (int)sizeof(transIdOid) - 2;
+            int bufSz = 0;
+
+            if (testVectors[i].signedAttribs != NULL &&
+                    wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
+                    NULL, (word32*)&bufSz) != LENGTH_ONLY_E) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12126;
+            }
+
+            if (bufSz > (int)sizeof(buf)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12127;
+            }
+
+            bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
+                    buf, (word32*)&bufSz);
+            if ((testVectors[i].signedAttribs != NULL && bufSz < 0) ||
+                (testVectors[i].signedAttribs == NULL && bufSz > 0)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12128;
+            }
+        }
+
+    #ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        file = XFOPEN("./pkcs7cert.der", "wb");
+        if (!file) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12129;
+        }
+        ret = (int)XFWRITE(pkcs7->singleCert, 1, pkcs7->singleCertSz, file);
+        XFCLOSE(file);
+    #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
+
+        wc_PKCS7_Free(pkcs7);
     }
-    certDerSz = (word32)fread(certDer, 1, FOURK_BUF, file);
-    fclose(file);
 
-    file = fopen(clientKey, "rb");
-    if (!file) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        err_sys("can't open ./certs/client-key.der, "
-                "Please run from wolfSSL home dir", -45);
-        return -45;
+    XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_FreeRng(&rng);
+
+    if (ret > 0)
+        return 0;
+
+    (void)rsaClientCertBuf;
+    (void)rsaClientCertBufSz;
+    (void)rsaClientPrivKeyBuf;
+    (void)rsaClientPrivKeyBufSz;
+    (void)rsaServerCertBuf;
+    (void)rsaServerCertBufSz;
+    (void)rsaServerPrivKeyBuf;
+    (void)rsaServerPrivKeyBufSz;
+    (void)rsaCaCertBuf;
+    (void)rsaCaCertBufSz;
+    (void)rsaCaPrivKeyBuf;
+    (void)rsaCaPrivKeyBufSz;
+    (void)eccClientCertBuf;
+    (void)eccClientCertBufSz;
+    (void)eccClientPrivKeyBuf;
+    (void)eccClientPrivKeyBufSz;
+
+    return ret;
+}
+
+
+static int pkcs7signed_run_SingleShotVectors(
+                        byte* rsaClientCertBuf, word32 rsaClientCertBufSz,
+                        byte* rsaClientPrivKeyBuf, word32 rsaClientPrivKeyBufSz,
+                        byte* rsaServerCertBuf, word32 rsaServerCertBufSz,
+                        byte* rsaServerPrivKeyBuf, word32 rsaServerPrivKeyBufSz,
+                        byte* rsaCaCertBuf, word32 rsaCaCertBufSz,
+                        byte* rsaCaPrivKeyBuf, word32 rsaCaPrivKeyBufSz,
+                        byte* eccClientCertBuf, word32 eccClientCertBufSz,
+                        byte* eccClientPrivKeyBuf, word32 eccClientPrivKeyBufSz)
+{
+    int ret, testSz, i;
+    int encodedSz;
+    byte*  out;
+    word32 outSz;
+    WC_RNG rng;
+    PKCS7* pkcs7;
+#ifdef PKCS7_OUTPUT_TEST_BUNDLES
+    XFILE  file;
+#endif
+
+    const byte data[] = { /* Hello World */
+        0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
+        0x72,0x6c,0x64
+    };
+
+#if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
+    byte aes256Key[] = {
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
+        0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
+    };
+#endif
+
+    static byte messageTypeOid[] =
+               { 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
+                 0x09, 0x02 };
+    static byte messageType[] = { 0x13, 2, '1', '9' };
+
+    PKCS7Attrib attribs[] =
+    {
+        { messageTypeOid, sizeof(messageTypeOid), messageType,
+                                       sizeof(messageType) },
+    };
+
+    const pkcs7SignedVector testVectors[] =
+    {
+#ifndef NO_RSA
+    #ifndef NO_SHA256
+        /* Signed FirmwarePkgData, RSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der", 0, NULL, 0, 0,
+         0, 0, NULL, 0, NULL, 0, 0},
+
+        /* Signed FirmwarePkgData, RSA, SHA256, attrs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedFirmwarePkgData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0,
+        NULL, 0, NULL, 0, 0},
+
+        /* Signed FirmwarePkgData, RSA, SHA256, SubjectKeyIdentifier, attrs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der", 0, NULL,
+         0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0},
+
+        /* Signed FirmwraePkgData, RSA, SHA256, server cert and ca cert, attr */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
+         rsaServerPrivKeyBufSz, rsaServerCertBuf, rsaServerCertBufSz,
+         rsaCaCertBuf, rsaCaCertBufSz,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL,
+         0, 0, 0, 0, NULL, 0, NULL, 0, 0},
+
+    #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
+        /* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
+         NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0},
+
+        /* Signed Encrypted FirmwarePkgData, RSA, SHA256, attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der", 0,
+         NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
+    #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
+
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        /* Signed Compressed FirmwarePkgData, RSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
+         NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0},
+
+        /* Signed Compressed FirmwarePkgData, RSA, SHA256, attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der", 0,
+         NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0},
+
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
+           no attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
+         0, 0},
+
+        /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
+           attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
+    #endif /* !NO_PKCS7_ENCRYPTED_DATA */
+
+    #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
+
+    #endif /* NO_SHA256 */
+#endif /* NO_RSA */
+
+#ifdef HAVE_ECC
+    #ifndef NO_SHA256
+        /* Signed FirmwarePkgData, ECDSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
+         0, 0, 0, 0, NULL, 0, NULL, 0, 0},
+
+        /* Signed FirmwarePkgData, ECDSA, SHA256, attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
+         0, 0, 0, 0, NULL, 0, NULL, 0, 0},
+
+        /* Signed FirmwarePkgData, ECDSA, SHA256, SubjectKeyIdentifier, attr */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL,
+         0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0},
+
+    #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
+        /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
+         0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0},
+
+        /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
+         0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
+    #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
+
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, no attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
+         0, 0, 0, 2, NULL, 0, NULL, 0, 0},
+
+        /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, attrib */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
+         0, 0, 0, 2, NULL, 0, NULL, 0, 0},
+
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
+           no attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         NULL, 0,
+        "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
+         0, 0},
+
+        /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
+           attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+        "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
+    #endif /* !NO_PKCS7_ENCRYPTED_DATA */
+
+    #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
+
+    #endif /* NO_SHA256 */
+#endif /* HAVE_ECC */
+    };
+
+    testSz = sizeof(testVectors) / sizeof(pkcs7SignedVector);
+
+    outSz = FOURK_BUF;
+    out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (out == NULL)
+        return -12130;
+
+    XMEMSET(out, 0, outSz);
+
+    ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16);
+    if (ret < 0) {
+        XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -12131;
     }
-    keyDerSz = (word32)fread(keyDer, 1, FOURK_BUF, file);
-    fclose(file);
 
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
     ret = wc_InitRng(&rng);
+#endif
     if (ret != 0) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        return -210;
+        XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        return -12132;
     }
 
-    senderNonce[0] = 0x04;
-    senderNonce[1] = PKCS7_NONCE_SZ;
+    for (i = 0; i < testSz; i++) {
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12133;
 
-    ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
-    if (ret != 0) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        return -211;
-    }
+        ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
+                                    (word32)testVectors[i].certSz);
 
-    wc_PKCS7_InitWithCert(&msg, certDer, certDerSz);
-    msg.privateKey = keyDer;
-    msg.privateKeySz = keyDerSz;
-    msg.content = (byte*)data;
-    msg.contentSz = dataSz;
-    msg.hashOID = SHAh;
-    msg.encryptOID = RSAk;
-    msg.signedAttribs = attribs;
-    msg.signedAttribsSz = sizeof(attribs)/sizeof(PKCS7Attrib);
-    msg.rng = &rng;
-    {
-        Sha sha;
-        byte digest[SHA_DIGEST_SIZE];
-        int i,j;
+        if (ret != 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12134;
+        }
 
-        transId[0] = 0x13;
-        transId[1] = SHA_DIGEST_SIZE * 2;
+        /* load CA certificate, if present */
+        if (testVectors[i].caCert != NULL) {
+            ret = wc_PKCS7_AddCertificate(pkcs7, testVectors[i].caCert,
+                                          (word32)testVectors[i].caCertSz);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12135;
+            }
+        }
 
-        ret = wc_InitSha(&sha);
-        if (ret != 0) {
-            free(certDer);
-            free(keyDer);
-            free(out);
-            return -4003;
+        /* set SignerIdentifier to use SubjectKeyIdentifier if desired,
+           default is IssuerAndSerialNumber */
+        if (testVectors[i].sidType == CMS_SKID) {
+            ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
+            if (ret != 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12136;
+            }
         }
-        wc_ShaUpdate(&sha, msg.publicKey, msg.publicKeySz);
-        wc_ShaFinal(&sha, digest);
 
-        for (i = 0, j = 2; i < SHA_DIGEST_SIZE; i++, j += 2) {
-            snprintf((char*)&transId[j], 3, "%02x", digest[i]);
+        if (testVectors[i].encCompFlag == 0) {
+
+            /* encode Signed FirmwarePkgData */
+            encodedSz = wc_PKCS7_EncodeSignedFPD(pkcs7,
+                    testVectors[i].privateKey, testVectors[i].privateKeySz,
+                    testVectors[i].signOID, testVectors[i].hashOID,
+                    (byte*)testVectors[i].content, testVectors[i].contentSz,
+                    testVectors[i].signedAttribs,
+                    testVectors[i].signedAttribsSz, out, outSz);
+
+            if (encodedSz < 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12137;
+            }
+
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+
+        } else if (testVectors[i].encCompFlag == 1) {
+
+            /* encode Signed Encrypted FirmwarePkgData */
+            encodedSz = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7,
+                    testVectors[i].encryptKey, testVectors[i].encryptKeySz,
+                    testVectors[i].privateKey, testVectors[i].privateKeySz,
+                    testVectors[i].encryptOID, testVectors[i].signOID,
+                    testVectors[i].hashOID, (byte*)testVectors[i].content,
+                    testVectors[i].contentSz, testVectors[i].unprotectedAttribs,
+                    testVectors[i].unprotectedAttribsSz,
+                    testVectors[i].signedAttribs,
+                    testVectors[i].signedAttribsSz, out, outSz);
+
+            if (encodedSz <= 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12138;
+            }
+    #endif
+
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        } else if (testVectors[i].encCompFlag == 2) {
+
+            /* encode Signed Compressed FirmwarePkgData */
+            encodedSz = wc_PKCS7_EncodeSignedCompressedFPD(pkcs7,
+                    testVectors[i].privateKey, testVectors[i].privateKeySz,
+                    testVectors[i].signOID, testVectors[i].hashOID,
+                    (byte*)testVectors[i].content, testVectors[i].contentSz,
+                    testVectors[i].signedAttribs,
+                    testVectors[i].signedAttribsSz, out, outSz);
+
+            if (encodedSz <= 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12139;
+            }
+
+        #ifndef NO_PKCS7_ENCRYPTED_DATA
+        } else if (testVectors[i].encCompFlag == 3) {
+
+            /* encode Signed Encrypted Compressed FirmwarePkgData */
+            encodedSz = wc_PKCS7_EncodeSignedEncryptedCompressedFPD(pkcs7,
+                    testVectors[i].encryptKey, testVectors[i].encryptKeySz,
+                    testVectors[i].privateKey, testVectors[i].privateKeySz,
+                    testVectors[i].encryptOID, testVectors[i].signOID,
+                    testVectors[i].hashOID, (byte*)testVectors[i].content,
+                    testVectors[i].contentSz, testVectors[i].unprotectedAttribs,
+                    testVectors[i].unprotectedAttribsSz,
+                    testVectors[i].signedAttribs,
+                    testVectors[i].signedAttribsSz, out, outSz);
+
+            if (encodedSz <= 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12140;
+            }
+
+        #endif /* NO_PKCS7_ENCRYPTED_DATA */
+    #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
+
+        } else {
+            /* unsupported SignedData single-shot combination */
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12141;
+        }
+
+    #ifdef PKCS7_OUTPUT_TEST_BUNDLES
+        /* write PKCS#7 to output file for more testing */
+        file = XFOPEN(testVectors[i].outFileName, "wb");
+        if (!file) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12142;
+        }
+        ret = (int)XFWRITE(out, 1, encodedSz, file);
+        XFCLOSE(file);
+        if (ret != (int)encodedSz) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12143;
+        }
+    #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
+
+        wc_PKCS7_Free(pkcs7);
+
+        pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
+        if (pkcs7 == NULL)
+            return -12144;
+        wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
+
+        ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
+        if (ret < 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12145;
+        }
+#ifndef NO_PKCS7_STREAM
+        {
+            word32 z;
+            for (z = 0; z < outSz && ret != 0; z++) {
+                ret = wc_PKCS7_VerifySignedData(pkcs7, out + z, 1);
+                if (ret < 0 && ret != WC_PKCS7_WANT_READ_E) {
+                    XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                    wc_PKCS7_Free(pkcs7);
+                    printf("unexpected error %d\n", ret);
+                    return -12146;
+                }
+            }
+        }
+#endif
+
+        if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
+            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+            wc_PKCS7_Free(pkcs7);
+            return -12147;
         }
+
+        if (testVectors[i].encCompFlag == 0) {
+            /* verify decoded content matches expected */
+            if ((pkcs7->contentSz != testVectors[i].contentSz) ||
+                XMEMCMP(pkcs7->content, testVectors[i].content,
+                        pkcs7->contentSz)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12148;
+            }
+
+        }
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        else if (testVectors[i].encCompFlag == 1) {
+
+            /* decrypt inner encryptedData */
+            pkcs7->encryptionKey = testVectors[i].encryptKey;
+            pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
+
+            ret = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
+                                               pkcs7->contentSz, out, outSz);
+            if (ret < 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12149;
+            }
+
+            /* compare decrypted to expected */
+            if (((word32)ret != testVectors[i].contentSz) ||
+                XMEMCMP(out, testVectors[i].content, ret)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12150;
+            }
+        }
+    #endif
+    #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
+        else if (testVectors[i].encCompFlag == 2) {
+
+            /* decompress inner compressedData */
+            ret = wc_PKCS7_DecodeCompressedData(pkcs7, pkcs7->content,
+                                                pkcs7->contentSz, out, outSz);
+            if (ret < 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12151;
+            }
+
+            /* compare decompressed to expected */
+            if (((word32)ret != testVectors[i].contentSz) ||
+                XMEMCMP(out, testVectors[i].content, ret)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12152;
+            }
+        }
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        else if (testVectors[i].encCompFlag == 3) {
+
+            byte* encryptedTmp;
+            int encryptedTmpSz;
+
+            encryptedTmpSz = FOURK_BUF;
+            encryptedTmp = (byte*)XMALLOC(encryptedTmpSz, HEAP_HINT,
+                                          DYNAMIC_TYPE_TMP_BUFFER);
+            if (encryptedTmp == NULL) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12153;
+            }
+
+            XMEMSET(encryptedTmp, 0, encryptedTmpSz);
+
+            /* decrypt inner encryptedData */
+            pkcs7->encryptionKey = testVectors[i].encryptKey;
+            pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
+
+            encryptedTmpSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
+                                               pkcs7->contentSz, encryptedTmp,
+                                               encryptedTmpSz);
+
+            if (encryptedTmpSz < 0) {
+                XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12154;
+            }
+
+            /* decompress inner compressedData */
+            ret = wc_PKCS7_DecodeCompressedData(pkcs7, encryptedTmp,
+                                                encryptedTmpSz, out, outSz);
+            if (ret < 0) {
+                XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12155;
+            }
+
+            XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+            /* compare decompressed to expected */
+            if (((word32)ret != testVectors[i].contentSz) ||
+                XMEMCMP(out, testVectors[i].content, ret)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -12156;
+            }
+        }
+    #endif /* NO_PKCS7_ENCRYPTED_DATA */
+    #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
+
+        wc_PKCS7_Free(pkcs7);
     }
-    ret = wc_PKCS7_EncodeSignedData(&msg, out, outSz);
-    if (ret < 0) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -212;
+
+    XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_FreeRng(&rng);
+
+    if (ret > 0)
+        return 0;
+
+    (void)eccClientCertBuf;
+    (void)eccClientCertBufSz;
+    (void)eccClientPrivKeyBuf;
+    (void)eccClientPrivKeyBufSz;
+
+    (void)rsaClientCertBuf;
+    (void)rsaClientCertBufSz;
+    (void)rsaClientPrivKeyBuf;
+    (void)rsaClientPrivKeyBufSz;
+    (void)rsaServerCertBuf;
+    (void)rsaServerCertBufSz;
+    (void)rsaServerPrivKeyBuf;
+    (void)rsaServerPrivKeyBufSz;
+    (void)rsaCaCertBuf;
+    (void)rsaCaCertBufSz;
+    (void)rsaCaPrivKeyBuf;
+    (void)rsaCaPrivKeyBufSz;
+
+    return ret;
+}
+
+
+int pkcs7signed_test(void)
+{
+    int ret = 0;
+
+    byte* rsaClientCertBuf    = NULL;
+    byte* rsaServerCertBuf    = NULL;
+    byte* rsaCaCertBuf        = NULL;
+    byte* eccClientCertBuf    = NULL;
+    byte* rsaClientPrivKeyBuf = NULL;
+    byte* rsaServerPrivKeyBuf = NULL;
+    byte* rsaCaPrivKeyBuf     = NULL;
+    byte* eccClientPrivKeyBuf = NULL;
+
+    word32 rsaClientCertBufSz    = 0;
+    word32 rsaServerCertBufSz    = 0;
+    word32 rsaCaCertBufSz        = 0;
+    word32 eccClientCertBufSz    = 0;
+    word32 rsaClientPrivKeyBufSz = 0;
+    word32 rsaServerPrivKeyBufSz = 0;
+    word32 rsaCaPrivKeyBufSz     = 0;
+    word32 eccClientPrivKeyBufSz = 0;
+
+#ifndef NO_RSA
+    /* read client RSA cert and key in DER format */
+    rsaClientCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                      DYNAMIC_TYPE_TMP_BUFFER);
+    if (rsaClientCertBuf == NULL)
+        ret = -12200;
+
+    rsaClientPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                         DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && rsaClientPrivKeyBuf == NULL) {
+        ret = -12201;
     }
-    else
-        outSz = ret;
 
-    /* write PKCS#7 to output file for more testing */
-    file = fopen("./pkcs7signedData.der", "wb");
-    if (!file) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -213;
-    }
-    ret = (int)fwrite(out, 1, outSz, file);
-    fclose(file);
-    if (ret != (int)outSz) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -218;
-    }
-
-    wc_PKCS7_Free(&msg);
-    wc_PKCS7_InitWithCert(&msg, NULL, 0);
-
-    ret = wc_PKCS7_VerifySignedData(&msg, out, outSz);
+    rsaClientCertBufSz = FOURK_BUF;
+    rsaClientPrivKeyBufSz = FOURK_BUF;
+
+    /* read server RSA cert and key in DER format */
+    rsaServerCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                      DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && rsaServerCertBuf == NULL)
+        ret = -12202;
+
+    rsaServerPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                         DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && rsaServerPrivKeyBuf == NULL) {
+        ret = -12203;
+    }
+
+    rsaServerCertBufSz = FOURK_BUF;
+    rsaServerPrivKeyBufSz = FOURK_BUF;
+
+    /* read CA RSA cert and key in DER format, for use with server cert */
+    rsaCaCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                  DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && rsaCaCertBuf == NULL)
+        ret = -12204;
+
+    rsaCaPrivKeyBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                     DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && rsaCaPrivKeyBuf == NULL) {
+        ret = -12205;
+    }
+
+    rsaCaCertBufSz = FOURK_BUF;
+    rsaCaPrivKeyBufSz = FOURK_BUF;
+#endif /* NO_RSA */
+
+#ifdef HAVE_ECC
+    /* read client ECC cert and key in DER format */
+    eccClientCertBuf = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                      DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && eccClientCertBuf == NULL) {
+        ret = -12206;
+    }
+
+    eccClientPrivKeyBuf =(byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                        DYNAMIC_TYPE_TMP_BUFFER);
+    if (ret == 0 && eccClientPrivKeyBuf == NULL) {
+        ret = -12207;
+    }
+
+    eccClientCertBufSz = FOURK_BUF;
+    eccClientPrivKeyBufSz = FOURK_BUF;
+#endif /* HAVE_ECC */
+
+    if (ret >= 0)
+        ret = pkcs7_load_certs_keys(rsaClientCertBuf, &rsaClientCertBufSz,
+                                rsaClientPrivKeyBuf, &rsaClientPrivKeyBufSz,
+                                rsaServerCertBuf, &rsaServerCertBufSz,
+                                rsaServerPrivKeyBuf, &rsaServerPrivKeyBufSz,
+                                rsaCaCertBuf, &rsaCaCertBufSz,
+                                rsaCaPrivKeyBuf, &rsaCaPrivKeyBufSz,
+                                eccClientCertBuf, &eccClientCertBufSz,
+                                eccClientPrivKeyBuf, &eccClientPrivKeyBufSz);
     if (ret < 0) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -214;
+        ret = -12208;
+    }
+
+    if (ret >= 0)
+        ret = pkcs7signed_run_vectors(rsaClientCertBuf, (word32)rsaClientCertBufSz,
+                            rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz,
+                            rsaServerCertBuf, (word32)rsaServerCertBufSz,
+                            rsaServerPrivKeyBuf, (word32)rsaServerPrivKeyBufSz,
+                            rsaCaCertBuf, (word32)rsaCaCertBufSz,
+                            rsaCaPrivKeyBuf, (word32)rsaCaPrivKeyBufSz,
+                            eccClientCertBuf, (word32)eccClientCertBufSz,
+                            eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz);
+
+    if (ret >= 0)
+        ret = pkcs7signed_run_SingleShotVectors(
+                            rsaClientCertBuf, (word32)rsaClientCertBufSz,
+                            rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz,
+                            rsaServerCertBuf, (word32)rsaServerCertBufSz,
+                            rsaServerPrivKeyBuf, (word32)rsaServerPrivKeyBufSz,
+                            rsaCaCertBuf, (word32)rsaCaCertBufSz,
+                            rsaCaPrivKeyBuf, (word32)rsaCaPrivKeyBufSz,
+                            eccClientCertBuf, (word32)eccClientCertBufSz,
+                            eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz);
+
+#ifndef NO_AES
+    if (ret >= 0)
+        ret = pkcs7callback_test(
+                            rsaClientCertBuf, (word32)rsaClientCertBufSz,
+                            rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz);
+#endif
+
+    XFREE(rsaClientCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaServerCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaServerPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaCaCertBuf,        HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(rsaCaPrivKeyBuf,     HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(eccClientCertBuf,    HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(eccClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+}
+
+#endif /* HAVE_PKCS7 */
+
+#ifdef HAVE_VALGRIND
+/* Need a static build to have access to symbols. */
+
+/* Maximum number of bytes in a number to test. */
+#define MP_MAX_TEST_BYTE_LEN      16
+
+#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN)
+static int randNum(mp_int* n, int len, WC_RNG* rng, void* heap)
+{
+    byte d[MP_MAX_TEST_BYTE_LEN];
+    int  ret;
+
+    (void)heap;
+
+    do {
+        ret = wc_RNG_GenerateBlock(rng, d, len);
+        if (ret != 0)
+            return ret;
+        ret = mp_read_unsigned_bin(n, d, len);
+        if (ret != 0)
+            return ret;
+    } while (mp_iszero(n));
+
+    return 0;
+}
+#endif
+
+int mp_test(void)
+{
+    WC_RNG rng;
+    int    ret;
+#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN)
+    int    i, j, k;
+    mp_digit d;
+#endif
+    mp_int a, b, r1, r2, p;
+
+    ret = mp_init_multi(&a, &b, &r1, &r2, NULL, NULL);
+    if (ret != 0)
+        return -12300;
+
+    mp_init_copy(&p, &a);
+
+#ifndef HAVE_FIPS
+    ret = wc_InitRng_ex(&rng, HEAP_HINT, devId);
+#else
+    ret = wc_InitRng(&rng);
+#endif
+    if (ret != 0)
+        goto done;
+
+#if defined(HAVE_ECC) || defined(WOLFSSL_KEY_GEN)
+    mp_set_int(&a, 0);
+    if (a.used != 0 || a.dp[0] != 0)
+        return -12301;
+
+    for (j = 1; j <= MP_MAX_TEST_BYTE_LEN; j++) {
+        for (i = 0; i < 4 * j; i++) {
+            /* New values to use. */
+            ret = randNum(&p, j, &rng, NULL);
+            if (ret != 0)
+                return -12302;
+            ret = randNum(&a, j, &rng, NULL);
+            if (ret != 0)
+                return -12303;
+            ret = randNum(&b, j, &rng, NULL);
+            if (ret != 0)
+                return -12304;
+            ret = wc_RNG_GenerateBlock(&rng, (byte*)&d, sizeof(d));
+            if (ret != 0)
+                return -12305;
+            d &= MP_MASK;
+
+            /* Ensure sqrmod produce same result as mulmod. */
+            ret = mp_sqrmod(&a, &p, &r1);
+            if (ret != 0)
+                return -12306;
+            ret = mp_mulmod(&a, &a, &p, &r2);
+            if (ret != 0)
+                return -12307;
+            if (mp_cmp(&r1, &r2) != 0)
+                return -12308;
+
+            /* Ensure add with mod produce same result as sub with mod. */
+            ret = mp_addmod(&a, &b, &p, &r1);
+            if (ret != 0)
+                return -12309;
+            b.sign ^= 1;
+            ret = mp_submod(&a, &b, &p, &r2);
+            if (ret != 0)
+                return -12310;
+            if (mp_cmp(&r1, &r2) != 0)
+                return -12311;
+
+            /* Ensure add digit produce same result as sub digit. */
+            ret = mp_add_d(&a, d, &r1);
+            if (ret != 0)
+                return -12312;
+            ret = mp_sub_d(&r1, d, &r2);
+            if (ret != 0)
+                return -12313;
+            if (mp_cmp(&a, &r2) != 0)
+                return -12314;
+
+            /* Invert - if p is even it will use the slow impl.
+             *        - if p and a are even it will fail.
+             */
+            ret = mp_invmod(&a, &p, &r1);
+            if (ret != 0 && ret != MP_VAL)
+                return -12315;
+            ret = 0;
+
+            /* Shift up and down number all bits in a digit. */
+            for (k = 0; k < DIGIT_BIT; k++) {
+                mp_mul_2d(&a, k, &r1);
+                mp_div_2d(&r1, k, &r2, &p);
+                if (mp_cmp(&a, &r2) != 0)
+                    return -12316;
+                if (!mp_iszero(&p))
+                    return -12317;
+                mp_rshb(&r1, k);
+                if (mp_cmp(&a, &r1) != 0)
+                    return -12318;
+            }
+        }
     }
 
-    if (msg.singleCert == NULL || msg.singleCertSz == 0) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -215;
+    /* Check that setting a 32-bit digit works. */
+    d &= 0xffffffff;
+    mp_set_int(&a, d);
+    if (a.used != 1 || a.dp[0] != d)
+        return -12319;
+
+    /* Check setting a bit and testing a bit works. */
+    for (i = 0; i < MP_MAX_TEST_BYTE_LEN * 8; i++) {
+        mp_zero(&a);
+        mp_set_bit(&a, i);
+        if (!mp_is_bit_set(&a, i))
+            return -12320;
     }
+#endif
 
-    file = fopen("./pkcs7cert.der", "wb");
-    if (!file) {
-        free(certDer);
-        free(keyDer);
-        free(out);
-        wc_PKCS7_Free(&msg);
-        return -216;
+done:
+    mp_clear(&p);
+    mp_clear(&r2);
+    mp_clear(&r1);
+    mp_clear(&b);
+    mp_clear(&a);
+    wc_FreeRng(&rng);
+    return ret;
+}
+#endif
+
+
+#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
+
+typedef struct pairs_t {
+    const unsigned char* coeff;
+    int coeffSz;
+    int exp;
+} pairs_t;
+
+
+/*
+n =p1p2p3, where pi = ki(p1−1)+1 with (k2,k3) = (173,293)
+p1 = 2^192 * 0x000000000000e24fd4f6d6363200bf2323ec46285cac1d3a
+   + 2^0   * 0x0b2488b0c29d96c5e67f8bec15b54b189ae5636efe89b45b
+*/
+
+static const unsigned char c192a[] =
+{
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe2, 0x4f,
+    0xd4, 0xf6, 0xd6, 0x36, 0x32, 0x00, 0xbf, 0x23,
+    0x23, 0xec, 0x46, 0x28, 0x5c, 0xac, 0x1d, 0x3a
+};
+static const unsigned char c0a[] =
+{
+    0x0b, 0x24, 0x88, 0xb0, 0xc2, 0x9d, 0x96, 0xc5,
+    0xe6, 0x7f, 0x8b, 0xec, 0x15, 0xb5, 0x4b, 0x18,
+    0x9a, 0xe5, 0x63, 0x6e, 0xfe, 0x89, 0xb4, 0x5b
+};
+
+static const pairs_t ecPairsA[] =
+{
+    {c192a, sizeof(c192a), 192},
+    {c0a, sizeof(c0a), 0}
+};
+
+static const int kA[] = {173, 293};
+
+static const unsigned char controlPrime[] = {
+    0xe1, 0x76, 0x45, 0x80, 0x59, 0xb6, 0xd3, 0x49,
+    0xdf, 0x0a, 0xef, 0x12, 0xd6, 0x0f, 0xf0, 0xb7,
+    0xcb, 0x2a, 0x37, 0xbf, 0xa7, 0xf8, 0xb5, 0x4d,
+    0xf5, 0x31, 0x35, 0xad, 0xe4, 0xa3, 0x94, 0xa1,
+    0xdb, 0xf1, 0x96, 0xad, 0xb5, 0x05, 0x64, 0x85,
+    0x83, 0xfc, 0x1b, 0x5b, 0x29, 0xaa, 0xbe, 0xf8,
+    0x26, 0x3f, 0x76, 0x7e, 0xad, 0x1c, 0xf0, 0xcb,
+    0xd7, 0x26, 0xb4, 0x1b, 0x05, 0x8e, 0x56, 0x86,
+    0x7e, 0x08, 0x62, 0x21, 0xc1, 0x86, 0xd6, 0x47,
+    0x79, 0x3e, 0xb7, 0x5d, 0xa4, 0xc6, 0x3a, 0xd7,
+    0xb1, 0x74, 0x20, 0xf6, 0x50, 0x97, 0x41, 0x04,
+    0x53, 0xed, 0x3f, 0x26, 0xd6, 0x6f, 0x91, 0xfa,
+    0x68, 0x26, 0xec, 0x2a, 0xdc, 0x9a, 0xf1, 0xe7,
+    0xdc, 0xfb, 0x73, 0xf0, 0x79, 0x43, 0x1b, 0x21,
+    0xa3, 0x59, 0x04, 0x63, 0x52, 0x07, 0xc9, 0xd7,
+    0xe6, 0xd1, 0x1b, 0x5d, 0x5e, 0x96, 0xfa, 0x53
+};
+
+static const unsigned char testOne[] = { 1 };
+
+
+static int GenerateNextP(mp_int* p1, mp_int* p2, int k)
+{
+    int ret;
+    mp_int ki;
+
+    ret = mp_init(&ki);
+    if (ret == 0)
+        ret = mp_set(&ki, k);
+    if (ret == 0)
+        ret = mp_sub_d(p1, 1, p2);
+    if (ret == 0)
+        ret = mp_mul(p2, &ki, p2);
+    if (ret == 0)
+        ret = mp_add_d(p2, 1, p2);
+    mp_clear(&ki);
+
+    return ret;
+}
+
+
+static int GenerateP(mp_int* p1, mp_int* p2, mp_int* p3,
+                const pairs_t* ecPairs, int ecPairsSz,
+                const int* k)
+{
+    mp_int x,y;
+    int ret, i;
+
+    ret = mp_init(&x);
+    if (ret == 0) {
+        ret = mp_init(&y);
+        if (ret != 0) {
+            mp_clear(&x);
+            return MP_MEM;
+        }
     }
-    ret = (int)fwrite(msg.singleCert, 1, msg.singleCertSz, file);
-    fclose(file);
+    for (i = 0; ret == 0 && i < ecPairsSz; i++) {
+        ret = mp_read_unsigned_bin(&x, ecPairs[i].coeff, ecPairs[i].coeffSz);
+        /* p1 = 2^exp */
+        if (ret == 0)
+            ret = mp_2expt(&y, ecPairs[i].exp);
+        /* p1 = p1 * m */
+        if (ret == 0)
+            ret = mp_mul(&x, &y, &x);
+        /* p1 +=  */
+        if (ret == 0)
+            ret = mp_add(p1, &x, p1);
+        mp_zero(&x);
+        mp_zero(&y);
+    }
+    mp_clear(&x);
+    mp_clear(&y);
+
+    if (ret == 0)
+        ret = GenerateNextP(p1, p2, k[0]);
+    if (ret == 0)
+        ret = GenerateNextP(p1, p3, k[1]);
 
-    free(certDer);
-    free(keyDer);
-    free(out);
-    wc_PKCS7_Free(&msg);
+    return ret;
+}
+
+int prime_test(void)
+{
+    mp_int n, p1, p2, p3;
+    int ret, isPrime = 0;
+    WC_RNG rng;
+
+    ret = wc_InitRng(&rng);
+    if (ret == 0)
+        ret = mp_init_multi(&n, &p1, &p2, &p3, NULL, NULL);
+    if (ret == 0)
+        ret = GenerateP(&p1, &p2, &p3,
+                ecPairsA, sizeof(ecPairsA) / sizeof(ecPairsA[0]), kA);
+    if (ret == 0)
+        ret = mp_mul(&p1, &p2, &n);
+    if (ret == 0)
+        ret = mp_mul(&n, &p3, &n);
+    if (ret != 0)
+        return -12400;
+
+    /* Check the old prime test using the number that false positives.
+     * This test result should indicate as not prime. */
+    ret = mp_prime_is_prime(&n, 40, &isPrime);
+    if (ret != 0)
+        return -12401;
+    if (isPrime)
+        return -12402;
+
+    /* This test result should fail. It should indicate the value as prime. */
+    ret = mp_prime_is_prime(&n, 8, &isPrime);
+    if (ret != 0)
+        return -12403;
+    if (!isPrime)
+        return -12404;
 
+    /* This test result should indicate the value as not prime. */
+    ret = mp_prime_is_prime_ex(&n, 8, &isPrime, &rng);
+    if (ret != 0)
+        return -12405;
+    if (isPrime)
+        return -12406;
+
+    ret = mp_read_unsigned_bin(&n, controlPrime, sizeof(controlPrime));
+    if (ret != 0)
+        return -12407;
+
+    /* This test result should indicate the value as prime. */
+    ret = mp_prime_is_prime_ex(&n, 8, &isPrime, &rng);
+    if (ret != 0)
+        return -12408;
+    if (!isPrime)
+        return -12409;
+
+    /* This test result should indicate the value as prime. */
+    isPrime = -1;
+    ret = mp_prime_is_prime(&n, 8, &isPrime);
+    if (ret != 0)
+        return -12410;
+    if (!isPrime)
+        return -12411;
+
+    ret = mp_read_unsigned_bin(&n, testOne, sizeof(testOne));
+    if (ret != 0)
+        return -12412;
+
+    /* This test result should indicate the value as not prime. */
+    ret = mp_prime_is_prime_ex(&n, 8, &isPrime, &rng);
+    if (ret != 0)
+        return -12413;
+    if (isPrime)
+        return -12414;
+
+    ret = mp_prime_is_prime(&n, 8, &isPrime);
+    if (ret != 0)
+        return -12415;
+    if (isPrime)
+        return -12416;
+
+    mp_clear(&p3);
+    mp_clear(&p2);
+    mp_clear(&p1);
+    mp_clear(&n);
     wc_FreeRng(&rng);
 
-    if (ret > 0)
-        return 0;
+    return 0;
+}
+
+#endif /* WOLFSSL_PUBLIC_MP */
+
+
+#if defined(ASN_BER_TO_DER) && \
+    (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
+     defined(OPENSSL_EXTRA_X509_SMALL))
+/* wc_BerToDer is only public facing in the case of test cert or opensslextra */
+typedef struct berDerTestData {
+    const byte *in;
+    word32 inSz;
+    const byte *out;
+    word32 outSz;
+} berDerTestData;
+
+int berder_test(void)
+{
+    int ret;
+    int i;
+    word32 len = 0, l;
+    byte out[32];
+    static const byte good1_in[] = { 0x30, 0x80, 0x00, 0x00 };
+    static const byte good1_out[] = { 0x30, 0x00 };
+    static const byte good2_in[] = { 0x30, 0x80, 0x02, 0x01, 0x01, 0x00, 0x00 };
+    static const byte good2_out[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
+    static const byte good3_in[] = {
+        0x24, 0x80, 0x04, 0x01, 0x01, 0x00, 0x00
+    };
+    static const byte good3_out[] = { 0x04, 0x1, 0x01 };
+    static const byte good4_in[] = {
+        0x30, 0x80,
+          0x02, 0x01, 0x01,
+          0x30, 0x80,
+            0x24, 0x80,
+              0x04, 0x01, 0x01,
+              0x04, 0x02, 0x02, 0x03,
+              0x00, 0x00,
+            0x06, 0x01, 0x01,
+            0x00, 0x00,
+          0x31, 0x80,
+            0x06, 0x01, 0x01,
+            0x00, 0x00,
+          0x00, 0x00,
+    };
+    static const byte good4_out[] = {
+        0x30, 0x12,
+          0x02, 0x01, 0x01,
+          0x30, 0x08,
+            0x04, 0x03, 0x01, 0x02, 0x03,
+            0x06, 0x01, 0x01,
+          0x31, 0x03,
+            0x06, 0x01, 0x01
+    };
+    static const byte good5_in[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
+
+    berDerTestData testData[] = {
+        { good1_in, sizeof(good1_in), good1_out, sizeof(good1_out) },
+        { good2_in, sizeof(good2_in), good2_out, sizeof(good2_out) },
+        { good3_in, sizeof(good3_in), good3_out, sizeof(good3_out) },
+        { good4_in, sizeof(good4_in), good4_out, sizeof(good4_out) },
+        { good5_in, sizeof(good5_in), good5_in , sizeof(good5_in ) },
+    };
+
+    for (i = 0; i < (int)(sizeof(testData) / sizeof(*testData)); i++) {
+        ret = wc_BerToDer(testData[i].in, testData[i].inSz, NULL, &len);
+        if (ret != LENGTH_ONLY_E)
+            return -12500 - i;
+        if (len != testData[i].outSz)
+            return -12510 - i;
+        len = testData[i].outSz;
+        ret = wc_BerToDer(testData[i].in, testData[i].inSz, out, &len);
+        if (ret != 0)
+            return -12520 - i;
+        if (XMEMCMP(out, testData[i].out, len) != 0)
+            return -12530 - i;
+
+        for (l = 1; l < testData[i].inSz; l++) {
+            ret = wc_BerToDer(testData[i].in, l, NULL, &len);
+            if (ret != ASN_PARSE_E)
+                 return -12540;
+            len = testData[i].outSz;
+            ret = wc_BerToDer(testData[i].in, l, out, &len);
+            if (ret != ASN_PARSE_E)
+                 return -12541;
+        }
+
+        for (l = 0; l < testData[i].outSz-1; l++) {
+            ret = wc_BerToDer(testData[i].in, testData[i].inSz, out, &l);
+            if (ret != BUFFER_E)
+                 return -12542;
+        }
+    }
+
+    ret = wc_BerToDer(NULL, 4, NULL, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -12543;
+    ret = wc_BerToDer(out, 4, NULL, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -12544;
+    ret = wc_BerToDer(NULL, 4, NULL, &len);
+    if (ret != BAD_FUNC_ARG)
+        return -12545;
+    ret = wc_BerToDer(NULL, 4, out, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -12546;
+    ret = wc_BerToDer(out, 4, out, NULL);
+    if (ret != BAD_FUNC_ARG)
+        return -12547;
+    ret = wc_BerToDer(NULL, 4, out, &len);
+    if (ret != BAD_FUNC_ARG)
+        return -12548;
+
+    for (l = 1; l < sizeof(good4_out); l++) {
+        len = l;
+        ret = wc_BerToDer(good4_in, sizeof(good4_in), out, &len);
+        if (ret != BUFFER_E)
+            return -12549;
+    }
+
+    return 0;
+}
+#endif
+
+#ifdef DEBUG_WOLFSSL
+static THREAD_LS_T int log_cnt = 0;
+static void my_Logging_cb(const int logLevel, const char *const logMessage)
+{
+    (void)logLevel;
+    (void)logMessage;
+    log_cnt++;
+}
+#endif /* DEBUG_WOLFSSL */
+
+int logging_test(void)
+{
+#ifdef DEBUG_WOLFSSL
+    const char* msg = "Testing, testing. 1, 2, 3, 4 ...";
+    byte        a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+    byte        b[256];
+    int         i;
+
+    for (i = 0; i < (int)sizeof(b); i++)
+        b[i] = i;
+
+    if (wolfSSL_Debugging_ON() != 0)
+        return -12600;
+
+    if (wolfSSL_SetLoggingCb(my_Logging_cb) != 0)
+        return -12601;
+
+    WOLFSSL_MSG(msg);
+    WOLFSSL_BUFFER(a, sizeof(a));
+    WOLFSSL_BUFFER(b, sizeof(b));
+    WOLFSSL_BUFFER(NULL, 0);
+    WOLFSSL_ERROR(MEMORY_E);
+    WOLFSSL_ERROR_MSG(msg);
+
+    /* turn off logs */
+    wolfSSL_Debugging_OFF();
+
+    /* capture log count */
+    i = log_cnt;
+
+    /* validate no logs are output when disabled */
+    WOLFSSL_MSG(msg);
+    WOLFSSL_BUFFER(a, sizeof(a));
+    WOLFSSL_BUFFER(b, sizeof(b));
+    WOLFSSL_BUFFER(NULL, 0);
+    WOLFSSL_ERROR(MEMORY_E);
+    WOLFSSL_ERROR_MSG(msg);
+
+    /* check the logs were disabled */
+    if (i != log_cnt)
+        return -12602;
+
+    /* restore callback and leave logging enabled */
+    wolfSSL_SetLoggingCb(NULL);
+    wolfSSL_Debugging_ON();
+
+    /* suppress unused args */
+    (void)a;
+    (void)b;
+
+#else
+    if (wolfSSL_Debugging_ON() != NOT_COMPILED_IN)
+        return -12603;
+    wolfSSL_Debugging_OFF();
+    if (wolfSSL_SetLoggingCb(NULL) != NOT_COMPILED_IN)
+        return -12604;
+#endif /* DEBUG_WOLFSSL */
+    return 0;
+}
+
+
+int mutex_test(void)
+{
+#ifdef WOLFSSL_PTHREADS
+    wolfSSL_Mutex m;
+#endif
+#ifndef WOLFSSL_NO_MALLOC
+    wolfSSL_Mutex *mm = wc_InitAndAllocMutex();
+    if (mm == NULL)
+        return -12700;
+    wc_FreeMutex(mm);
+    XFREE(mm, NULL, DYNAMIC_TYPE_MUTEX);
+#endif
+
+#ifdef WOLFSSL_PTHREADS
+    if (wc_InitMutex(&m) != 0)
+        return -12701;
+    if (wc_LockMutex(&m) != 0)
+        return -12702;
+    if (wc_FreeMutex(&m) != BAD_MUTEX_E)
+        return -12703;
+    if (wc_UnLockMutex(&m) != 0)
+        return -12704;
+    if (wc_FreeMutex(&m) != 0)
+        return -12705;
+#ifndef WOLFSSL_NO_MUTEXLOCK_AFTER_FREE
+    if (wc_LockMutex(&m) != BAD_MUTEX_E)
+        return -12706;
+    if (wc_UnLockMutex(&m) != BAD_MUTEX_E)
+        return -12707;
+#endif
+#endif
+
+    return 0;
+}
+
+#if defined(USE_WOLFSSL_MEMORY) && !defined(FREERTOS)
+
+#ifndef WOLFSSL_NO_MALLOC
+static int malloc_cnt = 0;
+static int realloc_cnt = 0;
+static int free_cnt = 0;
+
+static void *my_Malloc_cb(size_t size)
+{
+    malloc_cnt++;
+    #ifndef WOLFSSL_NO_MALLOC
+        return malloc(size);
+    #else
+        WOLFSSL_MSG("No malloc available");
+        (void)size;
+        return NULL;
+    #endif
+}
+static void my_Free_cb(void *ptr)
+{
+    free_cnt++;
+    #ifndef WOLFSSL_NO_MALLOC
+        free(ptr);
+    #else
+        WOLFSSL_MSG("No free available");
+        (void)ptr;
+    #endif
+}
+static void *my_Realloc_cb(void *ptr, size_t size)
+{
+    realloc_cnt++;
+    #ifndef WOLFSSL_NO_MALLOC
+        return realloc(ptr, size);
+    #else
+        WOLFSSL_MSG("No realloc available");
+        (void)ptr;
+        (void)size;
+        return NULL;
+    #endif
+}
+#endif /* !WOLFSSL_NO_MALLOC */
+
+int memcb_test(void)
+{
+    int ret = 0;
+#ifndef WOLFSSL_NO_MALLOC
+    byte* b = NULL;
+#endif
+    wolfSSL_Malloc_cb  mc;
+    wolfSSL_Free_cb    fc;
+    wolfSSL_Realloc_cb rc;
+
+    /* Save existing memory callbacks */
+    if (wolfSSL_GetAllocators(&mc, &fc, &rc) != 0)
+        return -12800;
+
+#ifndef WOLFSSL_NO_MALLOC
+    /* test realloc */
+    b = (byte*)XREALLOC(b, 1024, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (b == NULL) {
+        ERROR_OUT(-12801, exit_memcb);
+    }
+    XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    b = NULL;
+
+    /* Use API. */
+    if (wolfSSL_SetAllocators((wolfSSL_Malloc_cb)(void*)&my_Malloc_cb,
+                              (wolfSSL_Free_cb)(void*)&my_Free_cb,
+                              (wolfSSL_Realloc_cb)(void*)&my_Realloc_cb) != 0) {
+        ERROR_OUT(-12802, exit_memcb);
+    }
+
+    b = (byte*)XMALLOC(1024, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    b = (byte*)XREALLOC(b, 1024, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(b, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+#ifndef WOLFSSL_STATIC_MEMORY
+    if (malloc_cnt != 1 || free_cnt != 1 || realloc_cnt != 1)
+#else
+    if (malloc_cnt != 0 || free_cnt != 0 || realloc_cnt != 0)
+#endif
+        ret = -12803;
+#endif /* !WOLFSSL_NO_MALLOC */
+
+#ifndef WOLFSSL_NO_MALLOC
+exit_memcb:
+#endif
+
+    /* restore memory callbacks */
+    wolfSSL_SetAllocators(mc, fc, rc);
 
     return ret;
 }
+#endif /* USE_WOLFSSL_MEMORY && !WOLFSSL_NO_MALLOC */
 
-#endif /* HAVE_PKCS7 */
 
+#ifdef WOLFSSL_IMX6_CAAM_BLOB
+int blob_test(void)
+{
+    int ret = 0;
+    byte out[112];
+    byte blob[112];
+    word32 outSz;
+
+    const byte iv[] =
+        {
+            0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+            0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff
+        };
+
+    const byte text[] =
+        {
+            0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,
+            0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a,
+            0xae,0x2d,0x8a,0x57,0x1e,0x03,0xac,0x9c,
+            0x9e,0xb7,0x6f,0xac,0x45,0xaf,0x8e,0x51,
+            0x30,0xc8,0x1c,0x46,0xa3,0x5c,0xe4,0x11,
+            0xe5,0xfb,0xc1,0x19,0x1a,0x0a,0x52,0xef,
+            0xf6,0x9f,0x24,0x45,0xdf,0x4f,0x9b,0x17,
+            0xad,0x2b,0x41,0x7b,0xe6,0x6c,0x37,0x10
+        };
+
+
+    XMEMSET(blob, 0, sizeof(blob));
+    outSz = sizeof(blob);
+    ret = wc_caamCreateBlob((byte*)iv, sizeof(iv), blob, &outSz);
+    if (ret != 0) {
+        ERROR_OUT(-12900, exit_blob);
+    }
+
+    blob[outSz - 2] += 1;
+    ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
+    if (ret == 0) { /* should fail with altered blob */
+        ERROR_OUT(-12901, exit_blob);
+    }
+
+    XMEMSET(blob, 0, sizeof(blob));
+    outSz = sizeof(blob);
+    ret = wc_caamCreateBlob((byte*)iv, sizeof(iv), blob, &outSz);
+    if (ret != 0) {
+        ERROR_OUT(-12902, exit_blob);
+    }
+
+    ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
+    if (ret != 0) {
+        ERROR_OUT(-12903, exit_blob);
+    }
+
+    if (XMEMCMP(out, iv, sizeof(iv))) {
+        ERROR_OUT(-12904, exit_blob);
+    }
+
+    XMEMSET(blob, 0, sizeof(blob));
+    outSz = sizeof(blob);
+    ret = wc_caamCreateBlob((byte*)text, sizeof(text), blob, &outSz);
+    if (ret != 0) {
+        ERROR_OUT(-12905, exit_blob);
+    }
+
+    ret = wc_caamOpenBlob(blob, outSz, out, &outSz);
+    if (ret != 0) {
+        ERROR_OUT(-12906, exit_blob);
+    }
+
+    if (XMEMCMP(out, text, sizeof(text))) {
+        ERROR_OUT(-12907, exit_blob);
+    }
+
+    exit_blob:
+
+    return ret;
+}
+#endif /* WOLFSSL_IMX6_CAAM_BLOB */
+
+#ifdef WOLF_CRYPTO_CB
+
+/* Example custom context for crypto callback */
+typedef struct {
+    int exampleVar; /* example, not used */
+} myCryptoDevCtx;
+
+
+/* Example crypto dev callback function that calls software version */
+static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
+{
+    int ret = NOT_COMPILED_IN; /* return this to bypass HW and use SW */
+    myCryptoDevCtx* myCtx = (myCryptoDevCtx*)ctx;
+
+    if (info == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef DEBUG_WOLFSSL
+    printf("CryptoDevCb: Algo Type %d\n", info->algo_type);
+#endif
+
+    if (info->algo_type == WC_ALGO_TYPE_RNG) {
+    #ifndef WC_NO_RNG
+        /* set devId to invalid, so software is used */
+        info->rng.rng->devId = INVALID_DEVID;
+
+        ret = wc_RNG_GenerateBlock(info->rng.rng,
+            info->rng.out, info->rng.sz);
+
+        /* reset devId */
+        info->rng.rng->devId = devIdArg;
+    #endif
+    }
+    else if (info->algo_type == WC_ALGO_TYPE_SEED) {
+    #ifndef WC_NO_RNG
+        static byte seed[sizeof(word32)] = { 0x00, 0x00, 0x00, 0x01 };
+        word32* seedWord32 = (word32*)seed;
+        word32 len;
+
+        /* wc_GenerateSeed is a local symbol so we need to fake the entropy. */
+        while (info->seed.sz > 0) {
+            len = (word32)sizeof(seed);
+            if (info->seed.sz < len)
+                len = info->seed.sz;
+            XMEMCPY(info->seed.seed, seed, sizeof(seed));
+            info->seed.seed += len;
+            info->seed.sz -= len;
+            (*seedWord32)++;
+        }
+
+        ret = 0;
+    #endif
+    }
+    else if (info->algo_type == WC_ALGO_TYPE_PK) {
+    #ifdef DEBUG_WOLFSSL
+        printf("CryptoDevCb: Pk Type %d\n", info->pk.type);
+    #endif
+
+    #ifndef NO_RSA
+        if (info->pk.type == WC_PK_TYPE_RSA) {
+            /* set devId to invalid, so software is used */
+            info->pk.rsa.key->devId = INVALID_DEVID;
+
+            switch (info->pk.rsa.type) {
+                case RSA_PUBLIC_ENCRYPT:
+                case RSA_PUBLIC_DECRYPT:
+                    /* perform software based RSA public op */
+                    ret = wc_RsaFunction(
+                        info->pk.rsa.in, info->pk.rsa.inLen,
+                        info->pk.rsa.out, info->pk.rsa.outLen,
+                        info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
+                    break;
+                case RSA_PRIVATE_ENCRYPT:
+                case RSA_PRIVATE_DECRYPT:
+                    /* perform software based RSA private op */
+                    ret = wc_RsaFunction(
+                        info->pk.rsa.in, info->pk.rsa.inLen,
+                        info->pk.rsa.out, info->pk.rsa.outLen,
+                        info->pk.rsa.type, info->pk.rsa.key, info->pk.rsa.rng);
+                    break;
+            }
+
+            /* reset devId */
+            info->pk.rsa.key->devId = devIdArg;
+        }
+    #ifdef WOLFSSL_KEY_GEN
+        else if (info->pk.type == WC_PK_TYPE_RSA_KEYGEN) {
+            info->pk.rsakg.key->devId = INVALID_DEVID;
+
+            ret = wc_MakeRsaKey(info->pk.rsakg.key, info->pk.rsakg.size,
+                info->pk.rsakg.e, info->pk.rsakg.rng);
+
+            /* reset devId */
+            info->pk.rsakg.key->devId = devIdArg;
+        }
+    #endif
+    #endif /* !NO_RSA */
+    #ifdef HAVE_ECC
+        if (info->pk.type == WC_PK_TYPE_EC_KEYGEN) {
+            /* set devId to invalid, so software is used */
+            info->pk.eckg.key->devId = INVALID_DEVID;
+
+            ret = wc_ecc_make_key_ex(info->pk.eckg.rng, info->pk.eckg.size,
+                info->pk.eckg.key, info->pk.eckg.curveId);
+
+            /* reset devId */
+            info->pk.eckg.key->devId = devIdArg;
+        }
+        else if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
+            /* set devId to invalid, so software is used */
+            info->pk.eccsign.key->devId = INVALID_DEVID;
+
+            ret = wc_ecc_sign_hash(
+                info->pk.eccsign.in, info->pk.eccsign.inlen,
+                info->pk.eccsign.out, info->pk.eccsign.outlen,
+                info->pk.eccsign.rng, info->pk.eccsign.key);
+
+            /* reset devId */
+            info->pk.eccsign.key->devId = devIdArg;
+        }
+        else if (info->pk.type == WC_PK_TYPE_ECDSA_VERIFY) {
+            /* set devId to invalid, so software is used */
+            info->pk.eccverify.key->devId = INVALID_DEVID;
+
+            ret = wc_ecc_verify_hash(
+                info->pk.eccverify.sig, info->pk.eccverify.siglen,
+                info->pk.eccverify.hash, info->pk.eccverify.hashlen,
+                info->pk.eccverify.res, info->pk.eccverify.key);
+
+            /* reset devId */
+            info->pk.eccverify.key->devId = devIdArg;
+        }
+        else if (info->pk.type == WC_PK_TYPE_ECDH) {
+            /* set devId to invalid, so software is used */
+            info->pk.ecdh.private_key->devId = INVALID_DEVID;
+
+            ret = wc_ecc_shared_secret(
+                info->pk.ecdh.private_key, info->pk.ecdh.public_key,
+                info->pk.ecdh.out, info->pk.ecdh.outlen);
+
+            /* reset devId */
+            info->pk.ecdh.private_key->devId = devIdArg;
+        }
+    #endif /* HAVE_ECC */
+    }
+    else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
+#if !defined(NO_AES) || !defined(NO_DES3)
+    #ifdef HAVE_AESGCM
+        if (info->cipher.type == WC_CIPHER_AES_GCM) {
+            if (info->cipher.enc) {
+                /* set devId to invalid, so software is used */
+                info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesGcmEncrypt(
+                    info->cipher.aesgcm_enc.aes,
+                    info->cipher.aesgcm_enc.out,
+                    info->cipher.aesgcm_enc.in,
+                    info->cipher.aesgcm_enc.sz,
+                    info->cipher.aesgcm_enc.iv,
+                    info->cipher.aesgcm_enc.ivSz,
+                    info->cipher.aesgcm_enc.authTag,
+                    info->cipher.aesgcm_enc.authTagSz,
+                    info->cipher.aesgcm_enc.authIn,
+                    info->cipher.aesgcm_enc.authInSz);
+
+                /* reset devId */
+                info->cipher.aesgcm_enc.aes->devId = devIdArg;
+            }
+            else {
+                /* set devId to invalid, so software is used */
+                info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesGcmDecrypt(
+                    info->cipher.aesgcm_dec.aes,
+                    info->cipher.aesgcm_dec.out,
+                    info->cipher.aesgcm_dec.in,
+                    info->cipher.aesgcm_dec.sz,
+                    info->cipher.aesgcm_dec.iv,
+                    info->cipher.aesgcm_dec.ivSz,
+                    info->cipher.aesgcm_dec.authTag,
+                    info->cipher.aesgcm_dec.authTagSz,
+                    info->cipher.aesgcm_dec.authIn,
+                    info->cipher.aesgcm_dec.authInSz);
+
+                /* reset devId */
+                info->cipher.aesgcm_dec.aes->devId = devIdArg;
+            }
+        }
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AES_CBC
+        if (info->cipher.type == WC_CIPHER_AES_CBC) {
+            if (info->cipher.enc) {
+                /* set devId to invalid, so software is used */
+                info->cipher.aescbc.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesCbcEncrypt(
+                    info->cipher.aescbc.aes,
+                    info->cipher.aescbc.out,
+                    info->cipher.aescbc.in,
+                    info->cipher.aescbc.sz);
+
+                /* reset devId */
+                info->cipher.aescbc.aes->devId = devIdArg;
+            }
+            else {
+                /* set devId to invalid, so software is used */
+                info->cipher.aescbc.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesCbcDecrypt(
+                    info->cipher.aescbc.aes,
+                    info->cipher.aescbc.out,
+                    info->cipher.aescbc.in,
+                    info->cipher.aescbc.sz);
+
+                /* reset devId */
+                info->cipher.aescbc.aes->devId = devIdArg;
+            }
+        }
+    #endif /* HAVE_AES_CBC */
+    #ifndef NO_DES3
+        if (info->cipher.type == WC_CIPHER_DES3) {
+            if (info->cipher.enc) {
+                /* set devId to invalid, so software is used */
+                info->cipher.des3.des->devId = INVALID_DEVID;
+
+                ret = wc_Des3_CbcEncrypt(
+                    info->cipher.des3.des,
+                    info->cipher.des3.out,
+                    info->cipher.des3.in,
+                    info->cipher.des3.sz);
+
+                /* reset devId */
+                info->cipher.des3.des->devId = devIdArg;
+            }
+            else {
+                /* set devId to invalid, so software is used */
+                info->cipher.des3.des->devId = INVALID_DEVID;
+
+                ret = wc_Des3_CbcDecrypt(
+                    info->cipher.des3.des,
+                    info->cipher.des3.out,
+                    info->cipher.des3.in,
+                    info->cipher.des3.sz);
+
+                /* reset devId */
+                info->cipher.des3.des->devId = devIdArg;
+            }
+        }
+    #endif /* !NO_DES3 */
+#endif /* !NO_AES || !NO_DES3 */
+    }
+#if !defined(NO_SHA) || !defined(NO_SHA256)
+    else if (info->algo_type == WC_ALGO_TYPE_HASH) {
+    #if !defined(NO_SHA)
+        if (info->hash.type == WC_HASH_TYPE_SHA) {
+            if (info->hash.sha1 == NULL)
+                return NOT_COMPILED_IN;
+
+            /* set devId to invalid, so software is used */
+            info->hash.sha1->devId = INVALID_DEVID;
+
+            if (info->hash.in != NULL) {
+                ret = wc_ShaUpdate(
+                    info->hash.sha1,
+                    info->hash.in,
+                    info->hash.inSz);
+            }
+            if (info->hash.digest != NULL) {
+                ret = wc_ShaFinal(
+                    info->hash.sha1,
+                    info->hash.digest);
+            }
+
+            /* reset devId */
+            info->hash.sha1->devId = devIdArg;
+        }
+        else
+    #endif
+    #if !defined(NO_SHA256)
+        if (info->hash.type == WC_HASH_TYPE_SHA256) {
+            if (info->hash.sha256 == NULL)
+                return NOT_COMPILED_IN;
+
+            /* set devId to invalid, so software is used */
+            info->hash.sha256->devId = INVALID_DEVID;
+
+            if (info->hash.in != NULL) {
+                ret = wc_Sha256Update(
+                    info->hash.sha256,
+                    info->hash.in,
+                    info->hash.inSz);
+            }
+            if (info->hash.digest != NULL) {
+                ret = wc_Sha256Final(
+                    info->hash.sha256,
+                    info->hash.digest);
+            }
+
+            /* reset devId */
+            info->hash.sha256->devId = devIdArg;
+        }
+        else
+    #endif
+        {
+        }
+    }
+#endif /* !NO_SHA || !NO_SHA256 */
+#ifndef NO_HMAC
+    else if (info->algo_type == WC_ALGO_TYPE_HMAC) {
+        if (info->hmac.hmac == NULL)
+            return NOT_COMPILED_IN;
+
+        /* set devId to invalid, so software is used */
+        info->hmac.hmac->devId = INVALID_DEVID;
+
+        if (info->hash.in != NULL) {
+            ret = wc_HmacUpdate(
+                info->hmac.hmac,
+                info->hmac.in,
+                info->hmac.inSz);
+        }
+        else if (info->hash.digest != NULL) {
+            ret = wc_HmacFinal(
+                info->hmac.hmac,
+                info->hmac.digest);
+        }
+
+        /* reset devId */
+        info->hmac.hmac->devId = devIdArg;
+    }
+#endif
+
+    (void)devIdArg;
+    (void)myCtx;
+
+    return ret;
+}
+
+int cryptocb_test(void)
+{
+    int ret = 0;
+    myCryptoDevCtx myCtx;
+
+    /* example data for callback */
+    myCtx.exampleVar = 1;
+
+    /* set devId to something other than INVALID_DEVID */
+    devId = 1;
+    ret = wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, &myCtx);
+
+#ifndef WC_NO_RNG
+    if (ret == 0)
+        ret = random_test();
+#endif /* WC_NO_RNG */
+#ifndef NO_RSA
+    if (ret == 0)
+        ret = rsa_test();
+#endif
+#ifdef HAVE_ECC
+    if (ret == 0)
+        ret = ecc_test();
+#endif
+#ifndef NO_AES
+    #ifdef HAVE_AESGCM
+    if (ret == 0)
+        ret = aesgcm_test();
+    #endif
+    #ifdef HAVE_AES_CBC
+    if (ret == 0)
+        ret = aes_test();
+    #endif
+#endif /* !NO_AES */
+#ifndef NO_DES3
+    if (ret == 0)
+        ret = des3_test();
+#endif /* !NO_DES3 */
+#if !defined(NO_SHA) || !defined(NO_SHA256)
+    #ifndef NO_SHA
+    if (ret == 0)
+        ret = sha_test();
+    #endif
+    #ifndef NO_SHA256
+    if (ret == 0)
+        ret = sha256_test();
+    #endif
+#endif
+#ifndef NO_HMAC
+    #ifndef NO_SHA
+    if (ret == 0)
+        ret = hmac_sha_test();
+    #endif
+    #ifndef NO_SHA256
+    if (ret == 0)
+        ret = hmac_sha256_test();
+    #endif
+#endif
+#ifndef NO_PWDBASED
+    #if defined(HAVE_PBKDF2) && !defined(NO_SHA256)
+    if (ret == 0)
+        ret = pbkdf2_test();
+    #endif
+#endif
+
+    /* reset devId */
+    devId = INVALID_DEVID;
+
+    return ret;
+}
+#endif /* WOLF_CRYPTO_CB */
+
+#ifdef WOLFSSL_CERT_PIV
+int certpiv_test(void)
+{
+    int ret;
+    wc_CertPIV piv;
+
+    /* Template for Identiv PIV cert, nonce and signature */
+    const byte pivCertIdentiv[] = {
+        0x0A, 0x0D,
+            0x53, 0x04,       /* NIST PIV Cert */
+            0x70, 0x02,       /* Certificate */
+                0x30, 0x00,
+            0x71, 0x01, 0x00, /* Cert Info */
+            0xFE, 0x00,       /* Error Detection */
+        0x0B, 0x01, 0x00,     /* Nonce */
+        0x0C, 0x01, 0x00,     /* Signed Nonce */
+    };
+
+    const byte pivCert[] = {
+        0x53, 0x04,       /* NIST PIV Cert */
+        0x70, 0x02,       /* Certificate */
+            0x30, 0x00,
+        0x71, 0x01, 0x00, /* Cert Info */
+        0xFE, 0x00,       /* Error Detection */
+    };
+
+    /* Test with identiv 0x0A, 0x0B and 0x0C markers */
+    ret = wc_ParseCertPIV(&piv, pivCertIdentiv, sizeof(pivCertIdentiv));
+    if (ret == 0) {
+        /* Test with NIST PIV format */
+        ret = wc_ParseCertPIV(&piv, pivCert, sizeof(pivCert));
+    }
+
+    return ret;
+}
+#endif /* WOLFSSL_CERT_PIV */
+
+
+#undef ERROR_OUT
+
+#else
+    #ifndef NO_MAIN_DRIVER
+        int main() { return 0; }
+    #endif
 #endif /* NO_CRYPT_TEST */
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.h b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.h
index dbe6e25e0..7a6fc7c84 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.h
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.h
@@ -1,8 +1,8 @@
-/* ctaocrypt/test/test.h
+/* wolfcrypt/test/test.h
  *
- * Copyright (C) 2006-2015 wolfSSL Inc.
+ * Copyright (C) 2006-2020 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -16,18 +16,28 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-#pragma once
+
+#ifndef WOLFCRYPT_TEST_H
+#define WOLFCRYPT_TEST_H
+
 
 #ifdef __cplusplus
     extern "C" {
 #endif
 
+#ifdef HAVE_STACK_SIZE
+THREAD_RETURN WOLFSSL_THREAD wolfcrypt_test(void* args);
+#else
 int wolfcrypt_test(void* args);
+#endif
 
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif
 
+
+#endif /* WOLFCRYPT_TEST_H */
+
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.sln b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.sln
index 97b2e8dfd..55b9872f0 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.sln
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.sln
@@ -2,17 +2,56 @@
 Microsoft Visual Studio Solution File, Format Version 9.00
 # Visual C++ Express 2005
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "test", "test.vcproj", "{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "..\..\wolfssl.vcxproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		DLL Debug|Win32 = DLL Debug|Win32
+		DLL Debug|x64 = DLL Debug|x64
+		DLL Release|Win32 = DLL Release|Win32
+		DLL Release|x64 = DLL Release|x64
 		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Debug|Win32.ActiveCfg = Debug|Win32
 		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Debug|Win32.Build.0 = Debug|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Debug|x64.ActiveCfg = Debug|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Debug|x64.Build.0 = Debug|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Debug|Win32.ActiveCfg = Debug|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Debug|Win32.Build.0 = Debug|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Debug|x64.ActiveCfg = Debug|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Debug|x64.Build.0 = Debug|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Release|Win32.ActiveCfg = Release|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Release|Win32.Build.0 = Release|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Release|x64.ActiveCfg = Release|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.DLL Release|x64.Build.0 = Release|x64
 		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Release|Win32.ActiveCfg = Release|Win32
 		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Release|Win32.Build.0 = Release|Win32
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Release|x64.ActiveCfg = Release|x64
+		{D04BDF66-664A-4D59-BEAC-8AB2D5809C21}.Release|x64.Build.0 = Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.ActiveCfg = Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.Build.0 = Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.Build.0 = DLL Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.ActiveCfg = DLL Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.Build.0 = DLL Debug|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.ActiveCfg = DLL Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.Build.0 = DLL Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.ActiveCfg = DLL Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.Build.0 = DLL Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.ActiveCfg = Release|x64
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.vcproj b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.vcproj
index 38c5c6bed..9758d8b77 100644
--- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.vcproj
+++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/test/test.vcproj
@@ -38,8 +38,8 @@
 			<Tool
 				Name="VCCLCompilerTool"
 				Optimization="0"
-				AdditionalIncludeDirectories="../include;../../include/openssl"
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;"
+				AdditionalIncludeDirectories="../..;../../IDE/WIN;"
+				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;WOLFSSL_LIB;WOLFSSL_USER_SETTINGS;"
 				MinimalRebuild="true"
 				BasicRuntimeChecks="3"
 				RuntimeLibrary="3"
@@ -59,6 +59,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
+				AdditionalDependencies="Ws2_32.lib"
 				LinkIncremental="2"
 				GenerateDebugInformation="true"
 				SubSystem="1"
@@ -112,8 +113,8 @@
 			/>
 			<Tool
 				Name="VCCLCompilerTool"
-				AdditionalIncludeDirectories="../include;../../include/openssl"
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;"
+				AdditionalIncludeDirectories="../..;../../IDE/WIN;"
+				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;WOLFSSL_LIB;WOLFSSL_USER_SETTINGS;"
 				RuntimeLibrary="2"
 				UsePrecompiledHeader="0"
 				WarningLevel="3"
@@ -131,6 +132,7 @@
 			/>
 			<Tool
 				Name="VCLinkerTool"
+				AdditionalDependencies="Ws2_32.lib"
 				LinkIncremental="2"
 				GenerateDebugInformation="true"
 				SubSystem="1"
author	lundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2>	2020-08-12 19:11:51 +0000
committer	lundinc <lundinc@1d2547de-c912-0410-9cb9-b8ca96c0e9e2>	2020-08-12 19:11:51 +0000
commit	42255af1e27a3157d541f0812eaca447c569ca49 (patch)
tree	5c8702c2f0dc1cb9be1a4d5ff285897d96b97dd2 /FreeRTOS-Plus/Source/WolfSSL/wolfcrypt
parent	f5221dff43de249079c2da081723cb7a456f981f (diff)
download	freertos-42255af1e27a3157d541f0812eaca447c569ca49.tar.gz